From 75c6af6d0ef580de999a02e8b02ea57efc47fe45 Mon Sep 17 00:00:00 2001
From: Sergi Granell <xerpi.g.12@gmail.com>
Date: Fri, 16 May 2014 18:24:09 +0200
Subject: [PATCH 001/317] Fixed some printf format Silenced warnings

---
 ctrtool/Makefile               |  2 +-
 ctrtool/exheader.c             |  6 +++---
 makerom/Makefile               |  4 ++--
 makerom/accessdesc.c           | 10 +++++-----
 makerom/dir.c                  |  4 ++--
 makerom/libyaml/yaml_private.h |  2 +-
 makerom/ncsd.c                 |  4 ++--
 makerom/polarssl/base64.c      |  6 +++---
 makerom/polarssl/base64.h      |  1 +
 makerom/polarssl/cipher.c      |  1 +
 makerom/utf.h                  |  4 +---
 makerom/utils.c                |  4 ++--
 12 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 75a44fd6..5fdb2765 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -3,7 +3,7 @@ POLAR_OBJS = polarssl/aes.o polarssl/bignum.o polarssl/rsa.o polarssl/sha2.o
 TINYXML_OBJS = tinyxml/tinystr.o tinyxml/tinyxml.o tinyxml/tinyxmlerror.o tinyxml/tinyxmlparser.o
 LIBS = -lstdc++
 CXXFLAGS = -I. 
-CFLAGS = -Wall -I.
+CFLAGS = -Wall -Wno-unused-variable -Wno-unused-but-set-variable -I.
 OUTPUT = ctrtool
 CC = gcc
 
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 205a94d9..8c945480 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -581,11 +581,11 @@ void exheader_print(exheader_context* ctx)
 			fprintf(stdout, "Dependency:             %016llX\n", getle64(ctx->header.deplist.programid[i]));
 	}
 	if(savedatasize < sizeKB)
-		fprintf(stdout, "Savedata size:          0x%X\n", savedatasize);
+		fprintf(stdout, "Savedata size:          0x%llX\n", savedatasize);
 	else if(savedatasize < sizeMB)
-		fprintf(stdout, "Savedata size:          %dK\n", savedatasize/sizeKB);
+		fprintf(stdout, "Savedata size:          %lluK\n", savedatasize/sizeKB);
 	else
-		fprintf(stdout, "Savedata size:          %dM\n", savedatasize/sizeMB);
+		fprintf(stdout, "Savedata size:          %lluM\n", savedatasize/sizeMB);
 	fprintf(stdout, "Jump id:                %016llX\n", getle64(ctx->header.systeminfo.jumpid));
 
 	fprintf(stdout, "Program id:             %016llX %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
diff --git a/makerom/Makefile b/makerom/Makefile
index c727cf34..f8f41181 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -15,7 +15,7 @@ YAML_OBJS = libyaml/api.o libyaml/dumper.o libyaml/emitter.o libyaml/loader.o li
 # Compiler Settings
 LIBS = -static-libgcc -static-libstdc++
 CXXFLAGS = -I.
-CFLAGS = --std=c99 -Wall -I. -DMAKEROM_VER_MAJOR=$(VER_MAJOR) -DMAKEROM_VER_MINOR=$(VER_MINOR) $(MAKEROM_BUILD_FLAGS) -m64
+CFLAGS = --std=c99 -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. -DMAKEROM_VER_MAJOR=$(VER_MAJOR) -DMAKEROM_VER_MINOR=$(VER_MINOR) $(MAKEROM_BUILD_FLAGS) -m64
 CC = gcc
  
 # MAKEROM Build Settings
@@ -37,4 +37,4 @@ clean:
 # Windows compatibility
 rebuildwin: cleanwin build
 cleanwin:
-	del /Q objs $(OUTPUT).exe *.o polarssl\*.o libyaml\*.o *.cci *.cia *.cxi *.cfa
\ No newline at end of file
+	del /Q objs $(OUTPUT).exe *.o polarssl\*.o libyaml\*.o *.cci *.cia *.cxi *.cfa
diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 4405952e..8de78844 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -114,27 +114,27 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset, ncch_settings *ncchse
 	u32 out;
 
 	out = 0x100;
-	result = base64_decode(exhdrset->keys->rsa.cxiHdrPub,&out,(const u8*)exhdrset->rsf->CommonHeaderKey.Modulus,strlen(exhdrset->rsf->CommonHeaderKey.Modulus));
+	result = base64_decode(exhdrset->keys->rsa.cxiHdrPub,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.Modulus,strlen(exhdrset->rsf->CommonHeaderKey.Modulus));
 	if(out != 0x100)
 		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
 	if(result) goto finish;
 
 	out = 0x100;
-	result = base64_decode(exhdrset->keys->rsa.cxiHdrPvt,&out,(const u8*)exhdrset->rsf->CommonHeaderKey.D,strlen(exhdrset->rsf->CommonHeaderKey.D));
+	result = base64_decode(exhdrset->keys->rsa.cxiHdrPvt,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.D,strlen(exhdrset->rsf->CommonHeaderKey.D));
 	if(out != 0x100)
 		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
 	if(result) goto finish;
 
 	/* Set AccessDesc */
 	out = 0x100;
-	result = base64_decode(exhdrset->exHdr->accessDescriptor.signature,&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescSign, strlen( exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
+	result = base64_decode(exhdrset->exHdr->accessDescriptor.signature,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescSign, strlen( exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
 	if(out != 0x100)
 		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
 	if(result) goto finish;
 	memcpy(exhdrset->exHdr->accessDescriptor.ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
 
 	out = 0x200;
-	result = base64_decode((u8*)&exhdrset->exHdr->accessDescriptor.arm11SystemLocalCapabilities,&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescBin,strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
+	result = base64_decode((u8*)&exhdrset->exHdr->accessDescriptor.arm11SystemLocalCapabilities,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescBin,strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
 	if(out != 0x200)
 		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
 	if(result) goto finish;
@@ -494,4 +494,4 @@ void b64_strcpy(char *dst, char *src)
 
 	memdump(stdout,"src: ",(u8*)src,src_len+1);
 	memdump(stdout,"dst: ",(u8*)dst,j+1);
-}
\ No newline at end of file
+}
diff --git a/makerom/dir.c b/makerom/dir.c
index 68e5524f..2c2e0b41 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -277,7 +277,7 @@ void fs_PrintDir(fs_dir *dir, u32 depth) // This is just for simple debugging, p
 			name = (char*)dir->file[i].name;
 			for(u32 j = 0; j < dir->file[i].name_len; j+=2)
 				putchar(name[j]);
-			printf(" (0x%lx)\n",dir->file[i].size);
+			printf(" (0x%llx)\n",dir->file[i].size);
 #endif
 		}
 	}
@@ -324,4 +324,4 @@ void fs_FreeFiles(fs_dir *dir)
 	fs_dir *tmp = (fs_dir*)dir->dir;
 	for(u32 i = 0; i < dir->u_dir; i++)
 		fs_FreeFiles(&tmp[i]);
-}
\ No newline at end of file
+}
diff --git a/makerom/libyaml/yaml_private.h b/makerom/libyaml/yaml_private.h
index 31ed23cf..92bf799c 100644
--- a/makerom/libyaml/yaml_private.h
+++ b/makerom/libyaml/yaml_private.h
@@ -7,7 +7,7 @@
 
 #include <assert.h>
 #include <limits.h>
-
+#include <string.h>
 
 #define YAML_titleVersion_STRING "0.1.4"
 #define YAML_titleVersion_MAJOR 0
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 45e16a12..ec208567 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -538,12 +538,12 @@ int GetWriteableAddress(cci_settings *cciset, user_settings *usrset)
 	if(cciset->cardinfo.writableAddress == -1){ // If not set manually or is max size
 		if ((cciset->header.mediaSize / 2) < cciset->option.savedataSize){ // If SaveData size is greater than half the MediaSize
 			u64 SavedataSize = cciset->option.savedataSize / KB;
-			fprintf(stderr,"[CCI ERROR] Too large SavedataSize %llK\n",SavedataSize);
+			fprintf(stderr,"[CCI ERROR] Too large SavedataSize %lldK\n",SavedataSize);
 			return SAVE_DATA_TOO_LARGE;
 		}
 		if (cciset->option.savedataSize > (u64)(2047*MB)){ // Limit set by Nintendo
 			u64 SavedataSize = cciset->option.savedataSize / KB;
-			fprintf(stderr,"[CCI ERROR] Too large SavedataSize %llK\n",SavedataSize);
+			fprintf(stderr,"[CCI ERROR] Too large SavedataSize %lldK\n",SavedataSize);
 			return SAVE_DATA_TOO_LARGE;
 		}
 		if(usrset->cci.closeAlignWritableRegion)
diff --git a/makerom/polarssl/base64.c b/makerom/polarssl/base64.c
index f320f3c7..5a98fa9f 100644
--- a/makerom/polarssl/base64.c
+++ b/makerom/polarssl/base64.c
@@ -147,17 +147,17 @@ int base64_decode( unsigned char *dst, size_t *dlen,
             continue;
 
         if( src[i] == '=' && ++j > 2 ){
-			printf("err 0 char[%d] = '%c' (0x%x)\n",i,src[i],src[i]);
+			printf("err 0 char[%lu] = '%c' (0x%x)\n",i,src[i],src[i]);
             return( POLARSSL_ERR_BASE64_INVALID_CHARACTER );
 		}
 
         if( src[i] > 127 || base64_dec_map[src[i]] == 127 ){
-			printf("err 1 char[%d] = '%c' (0x%x)\n",i,src[i],src[i]);
+			printf("err 1 char[%lu] = '%c' (0x%x)\n",i,src[i],src[i]);
             return( POLARSSL_ERR_BASE64_INVALID_CHARACTER );
 		}
 
         if( base64_dec_map[src[i]] < 64 && j != 0 ){
-			printf("err 2 char[%d] = '%c' (0x%x)\n",i,src[i],src[i]);
+			printf("err 2 char[%lu] = '%c' (0x%x)\n",i,src[i],src[i]);
             return( POLARSSL_ERR_BASE64_INVALID_CHARACTER );
 		}
 
diff --git a/makerom/polarssl/base64.h b/makerom/polarssl/base64.h
index fb0d753a..604893eb 100644
--- a/makerom/polarssl/base64.h
+++ b/makerom/polarssl/base64.h
@@ -28,6 +28,7 @@
 #define POLARSSL_BASE64_H
 
 #include <string.h>
+#include <stdio.h>
 
 #define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
 #define POLARSSL_ERR_BASE64_INVALID_CHARACTER              -0x002C  /**< Invalid character in input. */
diff --git a/makerom/polarssl/cipher.c b/makerom/polarssl/cipher.c
index f20cc73b..09c38073 100644
--- a/makerom/polarssl/cipher.c
+++ b/makerom/polarssl/cipher.c
@@ -35,6 +35,7 @@
 #include "polarssl/cipher_wrap.h"
 
 #include <stdlib.h>
+#include <strings.h>
 
 #if defined _MSC_VER && !defined strcasecmp
 #define strcasecmp _stricmp
diff --git a/makerom/utf.h b/makerom/utf.h
index dba3f8ef..0b74f167 100644
--- a/makerom/utf.h
+++ b/makerom/utf.h
@@ -134,8 +134,6 @@ ConversionResult ConvertUTF32toUTF8 (
         const UTF32** sourceStart, const UTF32* sourceEnd, 
         UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags);
 		
-static Boolean isLegalUTF8(const UTF8 *source, int length);
-
 Boolean isLegalUTF8Sequence(const UTF8 *source, const UTF8 *sourceEnd);
 
 unsigned getNumBytesForUTF8(UTF8 first);
@@ -148,4 +146,4 @@ ConversionResult ConvertUTF8toUTF16 (
 		
 ConversionResult ConvertUTF8toUTF32 (
         const UTF8** sourceStart, const UTF8* sourceEnd, 
-        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags);
\ No newline at end of file
+        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags);
diff --git a/makerom/utils.c b/makerom/utils.c
index ef7af68b..44dcdbb1 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -171,7 +171,7 @@ int str_utf8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len)
 	UTF8 *src_start = (UTF8*)src;
 	UTF8 *src_end = (UTF8*)(src+src_len*sizeof(u8));
 	
-	return ConvertUTF8toUTF16 (&src_start, src_end, &target_start, target_end, strictConversion);
+	return ConvertUTF8toUTF16 ((const UTF8 **)&src_start, src_end, &target_start, target_end, strictConversion);
 }
 #endif
 
@@ -293,7 +293,7 @@ u8* ImportFile(char *file, u64 size)
 	u64 fsize = GetFileSize_u64(file);
 	if(size > 0){
 		if(size != fsize){
-			fprintf(stderr,"[!] %s has an invalid size (0x%llx)\n",fsize);
+			fprintf(stderr,"[!] %s has an invalid size (0x%llx)\n",file, fsize);
 			return NULL;
 		}
 	}

From dc8de388a31e1a957a072873ff33879864c9d7b0 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 21 Jun 2014 18:21:22 +1000
Subject: [PATCH 002/317] Fixed some errors and bad programming

---
 makerom/accessdesc.c | 153 ++++++++++++++++++------------------
 makerom/accessdesc.h |   2 +-
 makerom/cia.c        |  27 +++----
 makerom/cia.h        |   2 +-
 makerom/dir.c        |   2 +-
 makerom/exheader.c   |  59 ++++++--------
 makerom/exheader.h   |  26 ++++---
 makerom/keyset.c     |  45 +++++++----
 makerom/keyset.h     |   2 +-
 makerom/ncch.c       | 179 ++++++++++++++++++++-----------------------
 makerom/ncch.h       |   8 +-
 11 files changed, 246 insertions(+), 259 deletions(-)

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 8de78844..7247ab6b 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -15,57 +15,57 @@ const int RSF_RSA_DATA_LEN = 344;
 const int RSF_DESC_DATA_LEN = 684;
 
 
-int accessdesc_SignWithKey(exheader_settings *exhdrset, ncch_settings *ncchset);
-int accessdesc_GetSignFromRsf(exheader_settings *exhdrset, ncch_settings *ncchset);
-int accessdesc_GetSignFromPreset(exheader_settings *exhdrset, ncch_settings *ncchset);
-void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, ncch_settings *ncchset);
+int accessdesc_SignWithKey(exheader_settings *exhdrset);
+int accessdesc_GetSignFromRsf(exheader_settings *exhdrset);
+int accessdesc_GetSignFromPreset(exheader_settings *exhdrset);
+void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, keys_struct *keys);
 #ifndef PUBLIC_BUILD
-void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, ncch_settings *ncchset);
+void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, keys_struct *keys);
 #endif
 
 bool IsValidB64Char(char chr);
 u32 b64_strlen(char *str);
 void b64_strcpy(char *dst, char *src);
 
-int set_AccessDesc(exheader_settings *exhdrset, ncch_settings *ncchset)
+int set_AccessDesc(exheader_settings *exhdrset)
 {
 	if(exhdrset->useAccessDescPreset)
-		return accessdesc_GetSignFromPreset(exhdrset,ncchset);
-	else if(ncchset->rsfSet->CommonHeaderKey.Found) // Keydata exists in RSF
-		return accessdesc_GetSignFromRsf(exhdrset,ncchset);
-	else if(!ncchset->keys->rsa.requiresPresignedDesc) // Else if The AccessDesc can be signed with key
-		return accessdesc_SignWithKey(exhdrset,ncchset);
+		return accessdesc_GetSignFromPreset(exhdrset);
+	else if(exhdrset->rsf->CommonHeaderKey.Found) // Keydata exists in RSF
+		return accessdesc_GetSignFromRsf(exhdrset);
+	else if(!exhdrset->keys->rsa.requiresPresignedDesc) // Else if The AccessDesc can be signed with key
+		return accessdesc_SignWithKey(exhdrset);
 	else{ // No way the access desc signature can be 'obtained'
 		fprintf(stderr,"[EXHEADER ERROR] Current keyset cannot sign AccessDesc, please appropriatly setup RSF, or specify a preset with -accessdesc\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 }
 
-int accessdesc_SignWithKey(exheader_settings *exhdrset, ncch_settings *ncchset)
+int accessdesc_SignWithKey(exheader_settings *exhdrset)
 {
 	/* Set RSA Keys */
 	memcpy(exhdrset->keys->rsa.cxiHdrPvt,exhdrset->keys->rsa.cciCfaPvt,0x100);
 	memcpy(exhdrset->keys->rsa.cxiHdrPub,exhdrset->keys->rsa.cciCfaPub,0x100);
-	memcpy(&exhdrset->exHdr->accessDescriptor.ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
+	memcpy(&exhdrset->acexDesc->ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
 
 	/* Copy Data From ExHeader */
-	memcpy(&exhdrset->exHdr->accessDescriptor.arm11SystemLocalCapabilities,&exhdrset->exHdr->arm11SystemLocalCapabilities,sizeof(exhdr_ARM11SystemLocalCapabilities));
-	memcpy(&exhdrset->exHdr->accessDescriptor.arm11KernelCapabilities,&exhdrset->exHdr->arm11KernelCapabilities,sizeof(exhdr_ARM11KernelCapabilities));
-	memcpy(&exhdrset->exHdr->accessDescriptor.arm9AccessControlInfo,&exhdrset->exHdr->arm9AccessControlInfo,sizeof(exhdr_ARM9AccessControlInfo));
+	memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities,&exhdrset->exHdr->arm11SystemLocalCapabilities,sizeof(exhdr_ARM11SystemLocalCapabilities));
+	memcpy(&exhdrset->acexDesc->arm11KernelCapabilities,&exhdrset->exHdr->arm11KernelCapabilities,sizeof(exhdr_ARM11KernelCapabilities));
+	memcpy(&exhdrset->acexDesc->arm9AccessControlInfo,&exhdrset->exHdr->arm9AccessControlInfo,sizeof(exhdr_ARM9AccessControlInfo));
 	
 	/* Adjust Data */
-	u8 *flag = &exhdrset->exHdr->accessDescriptor.arm11SystemLocalCapabilities.flag;
+	u8 *flag = &exhdrset->acexDesc->arm11SystemLocalCapabilities.flag;
 	u8 SystemMode = (*flag>>4)&0xF;
 	u8 AffinityMask = (*flag>>2)&0x3;
 	u8 IdealProcessor = 1<<((*flag>>0)&0x3);
 	*flag = (u8)(SystemMode << 4 | AffinityMask << 2 | IdealProcessor);
-	exhdrset->exHdr->accessDescriptor.arm11SystemLocalCapabilities.priority /= 2;
+	exhdrset->acexDesc->arm11SystemLocalCapabilities.priority /= 2;
 
 	/* Sign AccessDesc */
-	return SignAccessDesc(exhdrset->exHdr,exhdrset->keys);
+	return SignAccessDesc(exhdrset->acexDesc,exhdrset->keys);
 }
 
-int accessdesc_GetSignFromRsf(exheader_settings *exhdrset, ncch_settings *ncchset)
+int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 {
 	/* Yaml Option Sanity Checks */
 	if(!exhdrset->rsf->CommonHeaderKey.Found){
@@ -127,14 +127,14 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset, ncch_settings *ncchse
 
 	/* Set AccessDesc */
 	out = 0x100;
-	result = base64_decode(exhdrset->exHdr->accessDescriptor.signature,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescSign, strlen( exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
+	result = base64_decode(exhdrset->acexDesc->signature,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescSign, strlen( exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
 	if(out != 0x100)
 		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
 	if(result) goto finish;
-	memcpy(exhdrset->exHdr->accessDescriptor.ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
+	memcpy(exhdrset->acexDesc->ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
 
 	out = 0x200;
-	result = base64_decode((u8*)&exhdrset->exHdr->accessDescriptor.arm11SystemLocalCapabilities,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescBin,strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
+	result = base64_decode((u8*)&exhdrset->acexDesc->arm11SystemLocalCapabilities,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescBin,strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
 	if(out != 0x200)
 		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
 	if(result) goto finish;
@@ -142,7 +142,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset, ncch_settings *ncchse
 	return result;	
 }
 
-int accessdesc_GetSignFromPreset(exheader_settings *exhdrset, ncch_settings *ncchset)
+int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 {
 	u8 *desc = NULL;
 	u8 *accessDesc = NULL;
@@ -152,9 +152,9 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset, ncch_settings *ncc
 	u8 *cxiPubk = NULL;
 	u8 *cxiPvtk = NULL;
 
-	accessdesc_GetPresetData(&desc,&accessDesc,&depList,ncchset);
+	accessdesc_GetPresetData(&desc,&accessDesc,&depList,exhdrset->keys);
 #ifndef PUBLIC_BUILD
-	accessdesc_GetPresetSigData(&accessDescSig,&cxiPubk,&cxiPvtk,ncchset);
+	accessdesc_GetPresetSigData(&accessDescSig,&cxiPubk,&cxiPvtk,exhdrset->keys);
 #endif
 
 	// Error Checking
@@ -163,11 +163,12 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset, ncch_settings *ncc
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 
-	if((!cxiPubk || !cxiPvtk || !accessDesc || !accessDescSig) && ncchset->keys->rsa.requiresPresignedDesc){
+	if((!cxiPubk || !cxiPvtk || !accessDesc || !accessDescSig) && exhdrset->keys->rsa.requiresPresignedDesc){
 		fprintf(stderr,"[EXHEADER ERROR] This AccessDesc preset needs to be signed, the current keyset is incapable of doing so. Please configure RSF file with the appropriate signature data.\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 	
+	
 	// Setting data in Exheader
 	// Dependency List
 	memcpy(exhdrset->exHdr->dependencyList,depList,0x180);
@@ -191,23 +192,23 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset, ncch_settings *ncc
 
 	// Setting AccessDesc Area
 	// Signing normally if possible
-	if(!ncchset->keys->rsa.requiresPresignedDesc) 
-		return accessdesc_SignWithKey(exhdrset,ncchset);
+	if(!exhdrset->keys->rsa.requiresPresignedDesc) 
+		return accessdesc_SignWithKey(exhdrset);
 
 	// Otherwise set static data & ncch hdr sig info
 	memcpy(exhdrset->keys->rsa.cxiHdrPub,cxiPubk,0x100);
 	memcpy(exhdrset->keys->rsa.cxiHdrPvt,cxiPvtk,0x100);
-	memcpy(&exhdrset->exHdr->accessDescriptor.signature,accessDescSig,0x100);
-	memcpy(&exhdrset->exHdr->accessDescriptor.ncchRsaPubKey,cxiPubk,0x100);
-	memcpy(&exhdrset->exHdr->accessDescriptor.arm11SystemLocalCapabilities,accessDesc,0x200);
+	memcpy(&exhdrset->acexDesc->signature,accessDescSig,0x100);
+	memcpy(&exhdrset->acexDesc->ncchRsaPubKey,cxiPubk,0x100);
+	memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities,accessDesc,0x200);
 
 	return 0;
 }
 
-void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, ncch_settings *ncchset)
+void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, keys_struct *keys)
 {
-	if(ncchset->keys->accessDescSign.presetType == desc_preset_APP){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	if(keys->accessDescSign.presetType == desc_preset_APP){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x1B:
 			case 0x1C:
 				*desc = (u8*)app_fw1B_desc_data;
@@ -247,8 +248,8 @@ void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, ncch_set
 			
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_EC_APP){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_EC_APP){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x20:
 				*desc = (u8*)ecapp_fw20_desc_data;
 				*accessDesc = (u8*)ecapp_fw20_acex_data;
@@ -261,8 +262,8 @@ void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, ncch_set
 				break;
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_DLP){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_DLP){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x1B:
 			case 0x1C:
 				*desc = (u8*)dlp_fw1B_desc_data;
@@ -281,8 +282,8 @@ void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, ncch_set
 				break;
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_DEMO){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_DEMO){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x1E:
 				*desc = (u8*)demo_fw1E_desc_data;
 				*accessDesc = (u8*)demo_fw1E_acex_data;
@@ -295,8 +296,8 @@ void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, ncch_set
 				break;
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_FIRM){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_FIRM){
+		switch(keys->accessDescSign.targetFirmware){
 			default:
 				*desc = (u8*)firm_fw26_desc_data;
 				*accessDesc = (u8*)firm_fw26_acex_data;
@@ -307,75 +308,75 @@ void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, ncch_set
 }
 
 #ifndef PUBLIC_BUILD
-void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, ncch_settings *ncchset)
+void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, keys_struct *keys)
 {
-	if(ncchset->keys->accessDescSign.presetType == desc_preset_APP){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	if(keys->accessDescSign.presetType == desc_preset_APP){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x1B:
 			case 0x1C:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)app_fw1B_dev_acexsig;
 					*cxiPubk = (u8*)app_fw1B_dev_hdrpub;
 					*cxiPvtk = (u8*)app_fw1B_dev_hdrpvt;
 				}
 				break;
 			case 0x1D:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)app_fw1D_dev_acexsig;
 					*cxiPubk = (u8*)app_fw1D_dev_hdrpub;
 					*cxiPvtk = (u8*)app_fw1D_dev_hdrpvt;
 				}
-				if(ncchset->keys->keyset == pki_PRODUCTION){
+				if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)app_fw1D_prod_acexsig;
 					*cxiPubk = (u8*)app_fw1D_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
 				break;
 			case 0x1E:
-				if(ncchset->keys->keyset == pki_PRODUCTION){
+				if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)app_fw1E_prod_acexsig;
 					*cxiPubk = (u8*)app_fw1E_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
 				break;
 			case 0x20:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)app_fw20_dev_acexsig;
 					*cxiPubk = (u8*)app_fw20_dev_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				else if(ncchset->keys->keyset == pki_PRODUCTION){
+				else if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)app_fw20_prod_acexsig;
 					*cxiPubk = (u8*)app_fw20_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
 				break;
 			case 0x21:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)app_fw21_dev_acexsig;
 					*cxiPubk = (u8*)app_fw21_dev_hdrpub;
 					*cxiPvtk = (u8*)app_fw21_dev_hdrpvt;
 				}
-				else if(ncchset->keys->keyset == pki_PRODUCTION){
+				else if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)app_fw21_prod_acexsig;
 					*cxiPubk = (u8*)app_fw21_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
 				break;
 			case 0x23:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)app_fw23_dev_acexsig;
 					*cxiPubk = (u8*)app_fw23_dev_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				else if(ncchset->keys->keyset == pki_PRODUCTION){
+				else if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)app_fw23_prod_acexsig;
 					*cxiPubk = (u8*)app_fw23_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
 				break;
 			case 0x27:
-				if(ncchset->keys->keyset == pki_PRODUCTION){
+				if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)app_fw27_prod_acexsig;
 					*cxiPubk = (u8*)app_fw27_prod_hdrpub;
 					*cxiPvtk = NULL;
@@ -384,17 +385,17 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 			
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_EC_APP){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_EC_APP){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x20:
-				if(ncchset->keys->keyset == pki_PRODUCTION){
+				if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)ecapp_fw20_prod_acexsig;
 					*cxiPubk = (u8*)ecapp_fw20_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
 				break;
 			case 0x23:
-				if(ncchset->keys->keyset == pki_PRODUCTION){
+				if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)ecapp_fw23_prod_acexsig;
 					*cxiPubk = (u8*)ecapp_fw23_prod_hdrpub;
 					*cxiPvtk = NULL;
@@ -402,25 +403,25 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 				break;
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_DLP){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_DLP){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x1B:
 			case 0x1C:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)dlp_fw1B_dev_acexsig;
 					*cxiPubk = (u8*)dlp_fw1B_dev_hdrpub;
 					*cxiPvtk = (u8*)dlp_fw1B_dev_hdrpvt;
 				}
 				break;
 			case 0x1D:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)dlp_fw1D_dev_acexsig;
 					*cxiPubk = (u8*)dlp_fw1D_dev_hdrpub;
 					*cxiPvtk = (u8*)dlp_fw1D_dev_hdrpvt;
 				}
 				break;
 			case 0x21:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)dlp_fw21_dev_acexsig;
 					*cxiPubk = (u8*)dlp_fw21_dev_hdrpub;
 					*cxiPvtk = (u8*)dlp_fw21_dev_hdrpvt;
@@ -428,17 +429,17 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 				break;
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_DEMO){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_DEMO){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x1E:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)demo_fw1E_dev_acexsig;
 					*cxiPubk = (u8*)demo_fw1E_dev_hdrpub;
 					*cxiPvtk = NULL;
 				}
  				break;
 			case 0x21:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)demo_fw21_dev_acexsig;
 					*cxiPubk = (u8*)demo_fw21_dev_hdrpub;
 					*cxiPvtk = (u8*)demo_fw21_dev_hdrpvt;
@@ -446,10 +447,10 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
  				break;
 		}
 	}
-	else if(ncchset->keys->accessDescSign.presetType == desc_preset_FIRM){
-		switch(ncchset->keys->accessDescSign.targetFirmware){
+	else if(keys->accessDescSign.presetType == desc_preset_FIRM){
+		switch(keys->accessDescSign.targetFirmware){
 			case 0x26:
-				if(ncchset->keys->keyset == pki_DEVELOPMENT){
+				if(keys->keyset == pki_DEVELOPMENT){
 					*accessDescSig = (u8*)firm_fw26_dev_acexsig;
 					*cxiPubk = (u8*)firm_fw26_dev_hdrpub;
 					*cxiPvtk = NULL;
@@ -492,6 +493,6 @@ void b64_strcpy(char *dst, char *src)
 	}
 	dst[j] = 0;
 
-	memdump(stdout,"src: ",(u8*)src,src_len+1);
-	memdump(stdout,"dst: ",(u8*)dst,j+1);
-}
+	//memdump(stdout,"src: ",(u8*)src,src_len+1);
+	//memdump(stdout,"dst: ",(u8*)dst,j+1);
+}
\ No newline at end of file
diff --git a/makerom/accessdesc.h b/makerom/accessdesc.h
index c3324f4b..a5f01f24 100644
--- a/makerom/accessdesc.h
+++ b/makerom/accessdesc.h
@@ -1,3 +1,3 @@
 #pragma once
 
-int set_AccessDesc(exheader_settings *exhdrset, ncch_settings *ncchset);
\ No newline at end of file
+int set_AccessDesc(exheader_settings *exhdrset);
\ No newline at end of file
diff --git a/makerom/cia.c b/makerom/cia.c
index 30df01dc..55967dc4 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -160,6 +160,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 {
 	// General Stuff
 	ciaset->keys = &usrset->common.keys;
+	ciaset->rsf = &usrset->common.rsfSet;
 	ciaset->ciaSections.content.buffer = usrset->common.workingFile.buffer;
 	ciaset->ciaSections.content.size = usrset->common.workingFile.size;
 	usrset->common.workingFile.buffer = NULL;
@@ -180,8 +181,6 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 		ciaset->common.titleVersion[i] = usrset->cia.titleVersion[i];
 	}
 
-	ciaset->content.overrideSaveDataSize = usrset->cia.overideSaveDataSize;
-
 	// Ticket Data
 	u64_to_u8(ciaset->tik.ticketId,u64GetRand(),BE);
 	if(usrset->cia.randomTitleKey)
@@ -264,9 +263,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 	u8 *ncchkey = NULL;
 	if(!ciaset->content.keyNotFound){
 		SetNcchUnfixedKeys(ciaset->keys,ncch0);
-		ncchkey = GetNCCHKey(keyType,ciaset->keys);
-		if(keyType == KeyIsUnFixed2)
-			ncchkey = GetNCCHKey(KeyIsUnFixed,ciaset->keys);
+		ncchkey = GetNCCHKey0(keyType,ciaset->keys);
 	}
 
 	/* Get TMD Data from ncch */
@@ -289,11 +286,14 @@ int GetCIADataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8
 		CryptNCCHSection((u8*)exhdr,0x400,0,ncch_ctx,key,ncch_exhdr);
 
 	u16 Category = u8_to_u16((ciaset->common.titleId+2),BE);
-	if(IsPatch(Category)||ciaset->content.IsCfa||ciaset->content.keyNotFound) u32_to_u8(ciaset->tmd.savedataSize,0,LE);
-	else u32_to_u8(ciaset->tmd.savedataSize,(u32)GetSaveDataSize_frm_exhdr(exhdr),LE);
-	if(ciaset->content.overrideSaveDataSize){
+	if(IsPatch(Category)||ciaset->content.IsCfa||ciaset->content.keyNotFound) 
+		u32_to_u8(ciaset->tmd.savedataSize,0,LE);
+	else 
+		u32_to_u8(ciaset->tmd.savedataSize,(u32)GetSaveDataSize_frm_exhdr(exhdr),LE);
+		
+	if(ciaset->rsf->SystemControlInfo.SaveDataSize && !ciaset->content.IsCfa && ciaset->content.keyNotFound){
 		u64 size = 0;
-		GetSaveDataSizeFromString(&size,ciaset->content.overrideSaveDataSize,"CIA");
+		GetSaveDataSizeFromString(&size,ciaset->rsf->SystemControlInfo.SaveDataSize,"CIA");
 		u32_to_u8(ciaset->tmd.savedataSize,(u32)size,LE);
 	}
 	
@@ -524,14 +524,9 @@ int GetSettingsFromCci(cia_settings *ciaset)
 	
 	u64 cciContentOffsets[CCI_MAX_CONTENT];
 	cciContentOffsets[0] = ncch0_offset;
-	ncch_hdr *hdr;
 	for(int i = 1; i < 8; i++){
 		if(GetPartitionSize(ciaset->ciaSections.content.buffer,i)){
 			cciContentOffsets[j] = GetPartitionOffset(ciaset->ciaSections.content.buffer,i);
-
-			// Get Data from ncch HDR
-			GetNCCH_CommonHDR(hdr,NULL,GetPartition(ciaset->ciaSections.content.buffer,i));
-			hdr = (ncch_hdr*)(ciaset->ciaSections.content.buffer + cciContentOffsets[j] + 0x100);
 			
 			// Get Size
 			ciaset->content.size[j] =  GetPartitionSize(ciaset->ciaSections.content.buffer,i);
@@ -540,9 +535,7 @@ int GetSettingsFromCci(cia_settings *ciaset)
 			ciaset->content.totalSize += ciaset->content.size[j];
 			
 			// Get ID
-			u8 hash[0x20];
-			ctr_sha((u8*)hdr,0x200,hash,CTR_SHA_256);
-			ciaset->content.id[j] = u8_to_u32(hash,BE);
+			ciaset->content.id[j] = u32GetRand();
 
 			// Get Index
 			ciaset->content.index[j] = i;
diff --git a/makerom/cia.h b/makerom/cia.h
index ce59bd15..57bc0ba7 100644
--- a/makerom/cia.h
+++ b/makerom/cia.h
@@ -40,6 +40,7 @@ typedef struct
 
 	FILE *out;
 
+	rsf_settings *rsf;
 	keys_struct *keys;
 
 	struct{
@@ -83,7 +84,6 @@ typedef struct
 		bool IsCfa;
 		bool IsDlc;
 		bool encryptCia;
-		char *overrideSaveDataSize;
 
 		bool keyNotFound;
 
diff --git a/makerom/dir.c b/makerom/dir.c
index 2c2e0b41..bcd57b2e 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -324,4 +324,4 @@ void fs_FreeFiles(fs_dir *dir)
 	fs_dir *tmp = (fs_dir*)dir->dir;
 	for(u32 i = 0; i < dir->u_dir; i++)
 		fs_FreeFiles(&tmp[i]);
-}
+}
\ No newline at end of file
diff --git a/makerom/exheader.c b/makerom/exheader.c
index 72391ec8..0270b359 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -6,10 +6,9 @@
 
 
 /* Prototypes */
-void init_ExHeaderSettings(exheader_settings *exhdrset);
 void free_ExHeaderSettings(exheader_settings *exhdrset);
 int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *ncchset);
-int get_ExHeaderSettingsFromYaml(exheader_settings *exhdrset);
+int get_ExHeaderSettingsFromRsf(exheader_settings *exhdrset);
 
 int get_ExHeaderCodeSetInfo(exhdr_CodeSetInfo *CodeSetInfo, rsf_settings *rsf);
 int get_ExHeaderDependencyList(u8 *DependencyList, rsf_settings *rsf);
@@ -52,17 +51,17 @@ u32 GetDescPrefixBits(int numPrefixBits, u32 PrefixVal);
 int get_ExHeaderARM9AccessControlInfo(exhdr_ARM9AccessControlInfo *arm9, rsf_settings *rsf);
 
 /* ExHeader Signature Functions */
-int SignAccessDesc(extended_hdr *exHdr, keys_struct *keys)
+int SignAccessDesc(access_descriptor *acexDesc, keys_struct *keys)
 {
-	u8 *AccessDesc = (u8*) &exHdr->accessDescriptor.ncchRsaPubKey;
-	u8 *Signature = (u8*) &exHdr->accessDescriptor.signature;
+	u8 *AccessDesc = (u8*) &acexDesc->ncchRsaPubKey;
+	u8 *Signature = (u8*) &acexDesc->signature;
 	return ctr_sig(AccessDesc,0x300,Signature,keys->rsa.acexPub,keys->rsa.acexPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
-int CheckaccessDescSignature(extended_hdr *exHdr, keys_struct *keys)
+int CheckAccessDescSignature(access_descriptor *acexDesc, keys_struct *keys)
 {
-	u8 *AccessDesc = (u8*) &exHdr->accessDescriptor.ncchRsaPubKey;
-	u8 *Signature = (u8*) &exHdr->accessDescriptor.signature;
+	u8 *AccessDesc = (u8*) &acexDesc->ncchRsaPubKey;
+	u8 *Signature = (u8*) &acexDesc->signature;
 	return ctr_sig(AccessDesc,0x300,Signature,keys->rsa.acexPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 }
 
@@ -74,21 +73,20 @@ int BuildExHeader(ncch_settings *ncchset)
 	if(ncchset->options.IsCfa)
 		return 0;
 
-	exheader_settings *exhdrset = malloc(sizeof(exheader_settings));
+	exheader_settings *exhdrset = calloc(1,sizeof(exheader_settings));
 	if(!exhdrset) {
 		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
-	init_ExHeaderSettings(exhdrset);
 
 	// Get Settings
 	result = get_ExHeaderSettingsFromNcchset(exhdrset,ncchset);
 	if(result) goto finish;
 
-	result = get_ExHeaderSettingsFromYaml(exhdrset);
+	result = get_ExHeaderSettingsFromRsf(exhdrset);
 	if(result) goto finish;
 
-	result = set_AccessDesc(exhdrset,ncchset);
+	result = set_AccessDesc(exhdrset);
 	if(result) goto finish;
 
 finish:
@@ -97,12 +95,6 @@ int BuildExHeader(ncch_settings *ncchset)
 	return result;
 }
 
-
-void init_ExHeaderSettings(exheader_settings *exhdrset)
-{
-	memset(exhdrset,0,sizeof(exheader_settings));
-}
-
 void free_ExHeaderSettings(exheader_settings *exhdrset)
 {
 	free(exhdrset);
@@ -116,13 +108,19 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	exhdrset->useAccessDescPreset = ncchset->keys->accessDescSign.presetType != desc_preset_NONE;
 
 	/* Creating Output Buffer */
-	ncchset->sections.exhdr.size = 0x800;
-	ncchset->sections.exhdr.buffer = malloc(ncchset->sections.exhdr.size);
+	ncchset->sections.exhdr.size = sizeof(extended_hdr);
+	ncchset->sections.exhdr.buffer = calloc(1,ncchset->sections.exhdr.size);
 	if(!ncchset->sections.exhdr.buffer) {
 		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
-	memset(ncchset->sections.exhdr.buffer,0,ncchset->sections.exhdr.size);
+	
+	ncchset->sections.acexDesc.size = sizeof(access_descriptor);
+	ncchset->sections.acexDesc.buffer = calloc(1,ncchset->sections.acexDesc.size);
+	if(!ncchset->sections.acexDesc.buffer) {
+		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n"); 
+		return MEM_ERROR;
+	}
 	
 	/* Import ExHeader Code Section template */
 	if(ncchset->componentFilePtrs.exhdrSize){ 
@@ -137,6 +135,7 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 
 	/* Create ExHeader Struct for output */
 	exhdrset->exHdr = (extended_hdr*)ncchset->sections.exhdr.buffer;
+	exhdrset->acexDesc = (access_descriptor*)ncchset->sections.acexDesc.buffer;
 
 	/* Set Code Info if Code Section was built not imported */
 	if(ncchset->options.IsBuildingCodeSection){
@@ -167,7 +166,7 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	return 0;
 }
 
-int get_ExHeaderSettingsFromYaml(exheader_settings *exhdrset)
+int get_ExHeaderSettingsFromRsf(exheader_settings *exhdrset)
 {
 	int result = 0;
 	result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf);
@@ -1171,22 +1170,14 @@ void exhdr_Print_ServiceAccessControl(extended_hdr *hdr)
 }
 
 /* ExHeader Binary Read Functions */
-u8* GetAccessDescSig_frm_exhdr(extended_hdr *hdr)
-{
-	if(!hdr) return NULL;
-	return hdr->accessDescriptor.signature ;
-}
-
-u8* GetNcchHdrPubKey_frm_exhdr(extended_hdr *hdr)
+u8* GetAcexRsaSig(access_descriptor *acexDesc)
 {
-	if(!hdr) return NULL;
-	return hdr->accessDescriptor.ncchRsaPubKey;
+	return acexDesc->signature ;
 }
 
-u8* GetAccessDesc_frm_exhdr(extended_hdr *hdr)
+u8* GetAcexNcchPubKey(access_descriptor *acexDesc)
 {
-	if(!hdr) return NULL;
-	return hdr->accessDescriptor.ncchRsaPubKey;
+	return acexDesc->ncchRsaPubKey;
 }
 
 u16 GetRemasterVersion_frm_exhdr(extended_hdr *hdr)
diff --git a/makerom/exheader.h b/makerom/exheader.h
index 431c7764..82e778f4 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -186,15 +186,17 @@ typedef struct
 	exhdr_ARM11KernelCapabilities arm11KernelCapabilities;
 	exhdr_ARM9AccessControlInfo arm9AccessControlInfo;
 	// }
-	struct {
-		u8 signature[0x100];
-		u8 ncchRsaPubKey[0x100];
-		exhdr_ARM11SystemLocalCapabilities arm11SystemLocalCapabilities;
-		exhdr_ARM11KernelCapabilities arm11KernelCapabilities;
-		exhdr_ARM9AccessControlInfo arm9AccessControlInfo;
-	} accessDescriptor;
 } extended_hdr;
 
+typedef struct 
+{
+	u8 signature[0x100];
+	u8 ncchRsaPubKey[0x100];
+	exhdr_ARM11SystemLocalCapabilities arm11SystemLocalCapabilities;
+	exhdr_ARM11KernelCapabilities arm11KernelCapabilities;
+	exhdr_ARM9AccessControlInfo arm9AccessControlInfo;
+} access_descriptor;
+
 typedef struct
 {
 	keys_struct *keys;
@@ -203,12 +205,13 @@ typedef struct
 
 	/* Output */
 	extended_hdr *exHdr; // is the exheader output buffer ptr(in ncchset) cast as exheader struct ptr;
+	access_descriptor *acexDesc;
 } exheader_settings;
 
 
 /* ExHeader Signature Functions */
-int SignAccessDesc(extended_hdr *ExHdr, keys_struct *keys);
-int CheckaccessDescSignature(extended_hdr *ExHdr, keys_struct *keys);
+int SignAccessDesc(access_descriptor *acexDesc, keys_struct *keys);
+int CheckAccessDescSignature(access_descriptor *acexDesc, keys_struct *keys);
 
 /* ExHeader Build Functions */
 int BuildExHeader(ncch_settings *ncchset);
@@ -217,9 +220,8 @@ int BuildExHeader(ncch_settings *ncchset);
 void exhdr_Print_ServiceAccessControl(extended_hdr *hdr);
 
 /* ExHeader Binary Read Functions */
-u8* GetAccessDescSig_frm_exhdr(extended_hdr *hdr);
-u8* GetNcchHdrPubKey_frm_exhdr(extended_hdr *hdr);
-u8* GetAccessDesc_frm_exhdr(extended_hdr *hdr);
+u8* GetAcexRsaSig(access_descriptor *acexDesc);
+u8* GetAcexNcchPubKey(access_descriptor *acexDesc);
 u16 GetRemasterVersion_frm_exhdr(extended_hdr *hdr);
 u64 GetSaveDataSize_frm_exhdr(extended_hdr *hdr);
 int GetDependencyList_frm_exhdr(u8 *Dest,extended_hdr *hdr);
diff --git a/makerom/keyset.c b/makerom/keyset.c
index ce59b2d4..38e5cf84 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -26,6 +26,7 @@ int SetTikCert(keys_struct *keys, u8 *Cert);
 int SetTmdCert(keys_struct *keys, u8 *Cert);
 
 int LoadKeysFromResources(keys_struct *keys);
+void SetDummyRsaData(keys_struct *keys);
 int LoadKeysFromKeyfile(keys_struct *keys);
 void CheckAccessDescKey(keys_struct *keys);
 void DumpKeyset(keys_struct *keys);
@@ -56,6 +57,9 @@ int SetKeys(keys_struct *keys)
 		result = LoadKeysFromKeyfile(keys);
 		if(result) return KEYSET_ERROR;
 	}
+	
+	if(keys->rsa.isFalseSign)
+		SetDummyRsaData(keys);
 
 	CheckAccessDescKey(keys);
 	
@@ -82,19 +86,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		//SetSystemFixedKey(keys,(u8*)zeros_aesKey);
 
 		/* RSA Keys */
-		keys->rsa.isFalseSign = true;
-		// CIA
-		SetTIK_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
-		SetTMD_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
-		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
-		// CXI
-		SetAccessDesc_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
-	
-		/* Certs */
-		SetCaCert(keys,(u8*)ca3_tpki_cert);
-		SetTikCert(keys,(u8*)xsC_tpki_cert);
-		SetTmdCert(keys,(u8*)cpB_tpki_cert);
+		keys->rsa.isFalseSign = true;		
 	}
 	#ifndef PUBLIC_BUILD
 	else if(keys->keyset == pki_DEVELOPMENT){
@@ -166,11 +158,32 @@ int LoadKeysFromResources(keys_struct *keys)
 	return 0;
 }
 
+void SetDummyRsaData(keys_struct *keys)
+{
+	if(!keys->rsa.xsPvt || !keys->rsa.xsPub)
+		SetTIK_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+	if(!keys->rsa.cpPvt || !keys->rsa.cpPub)
+		SetTMD_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+		
+	if(!keys->rsa.cciCfaPvt || !keys->rsa.cciCfaPub)
+		Set_CCI_CFA_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+	
+	if(!keys->rsa.acexPvt || !keys->rsa.acexPub)
+		SetAccessDesc_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+
+	/* Certs */
+	if(!keys->certs.caCert)
+		SetCaCert(keys,(u8*)ca3_tpki_cert);
+	if(!keys->certs.xsCert)
+		SetTikCert(keys,(u8*)xsC_tpki_cert);
+	if(!keys->certs.cpCert)
+		SetTmdCert(keys,(u8*)cpB_tpki_cert);
+}
+
 int LoadKeysFromKeyfile(keys_struct *keys)
 {
-	//else
-		printf("[KEYSET ERROR] Target not supported\n");
-	return 0;
+	printf("[KEYSET ERROR] Custom keys not supported\n");
+	return -1;
 }
 
 void CheckAccessDescKey(keys_struct *keys)
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 58291b00..81741a33 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -65,7 +65,7 @@ typedef struct
 	{
 		bool isFalseSign;
 		// CIA RSA
-		u8 *cpPvt; //cpPvt
+		u8 *cpPvt;
 		u8 *cpPub;
 		u8 *xsPvt;
 		u8 *xsPub;
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 7eac1db6..e8156db5 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -366,20 +366,28 @@ int ImportLogo(ncch_settings *ncchset)
 int SetupNcch(ncch_settings *ncchset, romfs_buildctx *romfs)
 {
 	u64 ncchSize = 0;
-	u64 exhdrSize,logoSize,plnRgnSize,exefsSize,romfsSize;
-	u64 exhdrOffset,logoOffset,plnRgnOffset,exefsOffset,romfsOffset;
+	u64 exhdrSize,acexSize,logoSize,plnRgnSize,exefsSize,romfsSize;
+	u64 exhdrOffset,acexOffset,logoOffset,plnRgnOffset,exefsOffset,romfsOffset;
 	u32 exefsHashSize,romfsHashSize;
 
 	ncchSize += 0x200; // Sig+Hdr
 
 	// Sizes for NCCH hdr
 	if(ncchset->sections.exhdr.size){
-		exhdrSize = 0x400;
+		exhdrSize = ncchset->sections.exhdr.size;
 		exhdrOffset = ncchSize;
-		ncchSize += ncchset->sections.exhdr.size;
+		ncchSize += exhdrSize;
 	}
 	else
 		exhdrSize = 0;
+		
+	if(ncchset->sections.acexDesc.size){
+		acexSize = ncchset->sections.acexDesc.size;
+		acexOffset = ncchSize;
+		ncchSize += acexSize;
+	}
+	else
+		acexSize = 0;
 
 	if(ncchset->sections.logo.size){
 		logoSize = ncchset->sections.logo.size;
@@ -443,6 +451,11 @@ int SetupNcch(ncch_settings *ncchset, romfs_buildctx *romfs)
 		ncchset->sections.exhdr.buffer = NULL;
 		u32_to_u8(hdr->exhdrSize,exhdrSize,LE);
 	}
+	if(acexSize){
+		memcpy((u8*)(ncch+acexOffset),ncchset->sections.acexDesc.buffer,ncchset->sections.acexDesc.size);
+		free(ncchset->sections.acexDesc.buffer);
+		ncchset->sections.acexDesc.buffer = NULL;
+	}
 
 	if(logoSize){
 		memcpy((u8*)(ncch+logoOffset),ncchset->sections.logo.buffer,ncchset->sections.logo.size);
@@ -496,13 +509,14 @@ int FinaliseNcch(ncch_settings *ncchset)
 
 	ncch_hdr *hdr = (ncch_hdr*)(ncch + 0x100);
 	u8 *exhdr = (u8*)(ncch + ncchset->cryptoDetails.exhdrOffset);
+	u8 *acexDesc = (u8*)(ncch + ncchset->cryptoDetails.acexOffset);
 	u8 *logo = (u8*)(ncch + ncchset->cryptoDetails.logoOffset);
 	u8 *exefs = (u8*)(ncch + ncchset->cryptoDetails.exefsOffset);
 	u8 *romfs = (u8*)(ncch + ncchset->cryptoDetails.romfsOffset);
 
 	// Taking Hashes\n");
 	if(ncchset->cryptoDetails.exhdrSize)
-		ctr_sha(exhdr,0x400,hdr->exhdrHash,CTR_SHA_256);
+		ctr_sha(exhdr,ncchset->cryptoDetails.exhdrSize,hdr->exhdrHash,CTR_SHA_256);
 	if(ncchset->cryptoDetails.logoSize)
 		ctr_sha(logo,ncchset->cryptoDetails.logoSize,hdr->logoHash,CTR_SHA_256);
 	if(ncchset->cryptoDetails.exefsHashDataSize)
@@ -527,10 +541,8 @@ int FinaliseNcch(ncch_settings *ncchset)
 		SetNcchUnfixedKeys(ncchset->keys, ncch);
 
 		// Getting AES Keys
-		u8 *key0 = GetNCCHKey(keyType, ncchset->keys);
-		u8 *key1 = GetNCCHKey(keyType, ncchset->keys);
-		if(keyType == KeyIsUnFixed2)
-			key0 = GetNCCHKey(KeyIsUnFixed, ncchset->keys);
+		u8 *key0 = GetNCCHKey0(keyType, ncchset->keys);
+		u8 *key1 = GetNCCHKey1(keyType, ncchset->keys);
 
 		if(key0 == NULL || key1 == NULL){
 			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
@@ -543,9 +555,11 @@ int FinaliseNcch(ncch_settings *ncchset)
 		memdump(stdout,"key1: ",key1,16);
 		*/
 
-		// Crypting Exheader
-		if(ncchset->cryptoDetails.exhdrSize)
+		// Crypting Exheader/AcexDesc
+		if(ncchset->cryptoDetails.exhdrSize){
 			CryptNCCHSection(exhdr,ncchset->cryptoDetails.exhdrSize,0x0,&ncchset->cryptoDetails,key0,ncch_exhdr);
+			CryptNCCHSection(acexDesc,ncchset->cryptoDetails.acexSize,ncchset->cryptoDetails.exhdrSize,&ncchset->cryptoDetails,key0,ncch_exhdr);
+		}			
 
 		// Crypting ExeFs Files
 		if(ncchset->cryptoDetails.exefsSize){
@@ -618,12 +632,12 @@ int SetCommonHeaderBasicData(ncch_settings *ncchset, ncch_hdr *hdr)
 		hdr->flags[OtherFlag] = (NoCrypto|FixedCryptoKey);
 	else if(ncchset->keys->aes.ncchKeyX0){
 		hdr->flags[OtherFlag] = UnFixedCryptoKey;
-		if(ncchset->keys->aes.ncchKeyX1)
+		if(ncchset->keys->aes.ncchKeyX1 && !ncchset->options.IsCfa)
 			hdr->flags[SecureCrypto2] = 1;
 	}
 	else{
 		hdr->flags[OtherFlag] = FixedCryptoKey;	
-		u8 *key = GetNCCHKey(GetNCCHKeyType(hdr),ncchset->keys);
+		u8 *key = GetNCCHKey0(GetNCCHKeyType(hdr),ncchset->keys);
 		if(!key){ // for detecting absense of fixed aes keys
 			hdr->flags[OtherFlag] = (NoCrypto|FixedCryptoKey);
 			fprintf(stderr,"[NCCH WARNING] NCCH AES Key could not be loaded, NCCH will not be encrypted\n");
@@ -702,15 +716,13 @@ int VerifyNCCH(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 	if(keyType != NoKey){
 		//memdump(stdout,"ncch: ",ncch,0x200);
 		SetNcchUnfixedKeys(keys,ncch);
-		if(GetNCCHKey(keyType,keys) == NULL){
+		if(GetNCCHKey0(keyType,keys) == NULL){
 			if(!SuppressOutput) 
 				fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key.\n");
 			return UNABLE_TO_LOAD_NCCH_KEY;
 		}
-		key0 = GetNCCHKey(keyType,keys);
-		key1 = GetNCCHKey(keyType,keys);
-		if(keyType == KeyIsUnFixed2)
-			key0 = GetNCCHKey(KeyIsUnFixed,keys);
+		key0 = GetNCCHKey0(keyType,keys);
+		key1 = GetNCCHKey1(keyType,keys);
 	}
 
 	//memdump(stdout,"key0: ",key0,16);
@@ -744,48 +756,60 @@ int VerifyNCCH(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 			free(ncch_ctx);
 			return NO_EXEFS_IN_CXI;
 		}
-		// Get ExHeader
-		extended_hdr *ExHeader = malloc(ncch_ctx->exhdrSize);
-		if(!ExHeader){ 
+		// Get ExHeader/AcexDesc
+		extended_hdr *exHdr = malloc(ncch_ctx->exhdrSize);
+		if(!exHdr){ 
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 			free(ncch_ctx);
 			return MEM_ERROR; 
 		}
-		memcpy(ExHeader,ncch+ncch_ctx->exhdrOffset,ncch_ctx->exhdrSize);
+		memcpy(exHdr,ncch+ncch_ctx->exhdrOffset,ncch_ctx->exhdrSize);
 		if(key0 != NULL)
-			CryptNCCHSection((u8*)ExHeader,ncch_ctx->exhdrSize,0,ncch_ctx,key0,ncch_exhdr);
+			CryptNCCHSection((u8*)exHdr,ncch_ctx->exhdrSize,0,ncch_ctx,key0,ncch_exhdr);
 
 		// Checking Exheader Hash to see if decryption was sucessful
-		ctr_sha(ExHeader,0x400,Hash,CTR_SHA_256);
+		ctr_sha(exHdr,0x400,Hash,CTR_SHA_256);
 		if(memcmp(Hash,hdr->exhdrHash,0x20) != 0){
 			//memdump(stdout,"Expected Hash: ",hdr->extended_header_sha_256_hash,0x20);
 			//memdump(stdout,"Actual Hash:   ",Hash,0x20);
-			//memdump(stdout,"Exheader:      ",(u8*)ExHeader,0x400);
+			//memdump(stdout,"Exheader:      ",(u8*)exHdr,0x400);
 			if(!SuppressOutput) {
 				fprintf(stderr,"[NCCH ERROR] ExHeader Hashcheck Failed\n");
 				fprintf(stderr,"[NCCH ERROR] CXI is corrupt\n");
 			}
 			free(ncch_ctx);
-			free(ExHeader);
+			free(exHdr);
 			return ExHeader_Hashfail;
 		}
-
+		free(exHdr);
+		
 		// Checking RSA Sigs
-		u8 *hdr_pubk = GetNcchHdrPubKey_frm_exhdr(ExHeader);
+		access_descriptor *acexDesc = malloc(ncch_ctx->acexSize);
+		if(!acexDesc){ 
+			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
+			free(ncch_ctx);
+			free(exHdr);
+			return MEM_ERROR; 
+		}
+		memcpy(acexDesc,ncch+ncch_ctx->acexOffset,ncch_ctx->acexSize);
+		if(key0 != NULL)
+			CryptNCCHSection((u8*)acexDesc,ncch_ctx->acexSize,ncch_ctx->exhdrOffset,ncch_ctx,key0,ncch_exhdr);
 
-		if(CheckaccessDescSignature(ExHeader,keys) != 0 && !keys->rsa.isFalseSign){
+		if(CheckAccessDescSignature(acexDesc,keys) != 0 && !keys->rsa.isFalseSign){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] AccessDesc Sigcheck Failed\n");
 			free(ncch_ctx);
-			free(ExHeader);
+			free(acexDesc);
 			return ACCESSDESC_SIG_BAD;
 		}
-		if(CheckCXISignature(hdr_sig,(u8*)hdr,hdr_pubk) != 0 /* && !keys->rsa.isFalseSign*/){ // This should always be correct
+		
+		u8 *hdr_pubk = GetAcexNcchPubKey(acexDesc);
+		
+		if(CheckCXISignature(hdr_sig,(u8*)hdr,hdr_pubk) != 0 && !keys->rsa.isFalseSign){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] CXI Header Sigcheck Failed\n");
-			free(ncch_ctx);
-			free(ExHeader);
+			free(ncch_ctx);			
+			free(acexDesc);
 			return NCCH_HDR_SIG_BAD;
 		}
-		free(ExHeader);
 	}
 
 	if(!CheckHash)
@@ -904,7 +928,7 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 		GetNCCHStruct(&ncch_struct,hdr);
 		romfs = (ncch+ncch_struct.romfsOffset);
 		SetNcchUnfixedKeys(keys, ncch); // For Secure Crypto
-		key = GetNCCHKey(keytype,keys);
+		key = GetNCCHKey1(keytype,keys);
 		if(key == NULL){
 			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
 			//free(ncch);
@@ -928,7 +952,7 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 		GetNCCHStruct(&ncch_struct,hdr);
 		romfs = (ncch+ncch_struct.romfsOffset);
 		SetNcchUnfixedKeys(keys, ncch); // For Secure Crypto
-		key = GetNCCHKey(keytype,keys);
+		key = GetNCCHKey1(keytype,keys);
 		if(key == NULL){
 			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
 			//free(ncch);
@@ -1013,7 +1037,25 @@ ncch_key_type GetNCCHKeyType(ncch_hdr* hdr)
 	return KeyIsUnFixed;
 }
 
-u8* GetNCCHKey(ncch_key_type keytype, keys_struct *keys)
+u8* GetNCCHKey0(ncch_key_type keytype, keys_struct *keys)
+{
+	switch(keytype){
+		case NoKey: return NULL;
+		case KeyIsNormalFixed:
+			return keys->aes.normalKey;
+		case KeyIsSystemFixed:
+			return keys->aes.systemFixedKey;
+		case KeyIsUnFixed:
+		case KeyIsUnFixed2:
+			if(keys->aes.ncchKeyX0)
+				return keys->aes.unFixedKey0;
+			else
+				return NULL;
+	}
+	return NULL;
+}
+
+u8* GetNCCHKey1(ncch_key_type keytype, keys_struct *keys)
 {
 	switch(keytype){
 		case NoKey: return NULL;
@@ -1035,65 +1077,6 @@ u8* GetNCCHKey(ncch_key_type keytype, keys_struct *keys)
 	return NULL;
 }
 
-int GetNCCHSection(u8 *dest, u64 dest_max_size, u64 src_pos, u8 *ncch, ncch_struct *ncch_ctx, keys_struct *keys, ncch_section section)
-{
-	if(!ncch) return MEM_ERROR;
-	u8 *key = NULL;
-	ncch_hdr* hdr = GetNCCH_CommonHDR(NULL,NULL,ncch);
-	ncch_key_type keytype = GetNCCHKeyType(hdr);
-
-	if(keytype != NoKey && (section == ncch_exhdr || section == ncch_exefs || section == ncch_romfs)){
-		key = GetNCCHKey(keytype,keys);
-		if(key == NULL){
-			//fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key.\n");
-			return UNABLE_TO_LOAD_NCCH_KEY;
-		}
-	}
-	//printf("detecting section type\n");
-	u64 offset = 0;
-	u64 size = 0;
-	switch(section){
-		case ncch_exhdr:
-			offset = ncch_ctx->exhdrOffset;
-			size = ncch_ctx->exhdrSize;
-			break;
-		case ncch_Logo:
-			offset = ncch_ctx->logoOffset;
-			size = ncch_ctx->logoSize;
-			break;
-		case ncch_PlainRegion:
-			offset = ncch_ctx->plainRegionOffset;
-			size = ncch_ctx->plainRegionSize;
-			break;
-		case ncch_exefs:
-			offset = ncch_ctx->exefsOffset;
-			size = ncch_ctx->exefsSize;
-			break;
-		case ncch_romfs:
-			offset = ncch_ctx->romfsOffset;
-			size = ncch_ctx->romfsSize;
-			break;
-	}
-	if(!offset || !size) return NCCH_SECTION_NOT_EXIST; 
-
-	if(src_pos > size) return DATA_POS_DNE;
-
-	size = min_u64(size-src_pos,dest_max_size);
-
-	//printf("Copying data\n");
-	u8 *section_pos = (ncch + offset + src_pos);
-	memcpy(dest,section_pos,size);
-
-	//printf("decrypting if needed\n");
-	if(keytype != NoKey && (section == ncch_exhdr || section == ncch_exefs || section == ncch_romfs)){ // Decrypt
-		//memdump(stdout,"Key: ",key,16);
-		CryptNCCHSection(dest,size,src_pos,ncch_ctx,key,section);
-		//printf("no cigar\n");
-	}
-	//printf("Got thing okay\n");
-	return 0;
-}
-
 int GetNCCHStruct(ncch_struct *ctx, ncch_hdr *header)
 {
 	memcpy(ctx->titleId,header->titleId,8);
@@ -1105,7 +1088,9 @@ int GetNCCHStruct(ncch_struct *ctx, ncch_hdr *header)
 	ctx->formatVersion = u8_to_u16(header->formatVersion,LE);
 	if(!IsCfa(header)){
 		ctx->exhdrOffset = 0x200;
-		ctx->exhdrSize = u8_to_u32(header->exhdrSize,LE) + 0x400;
+		ctx->exhdrSize = u8_to_u32(header->exhdrSize,LE);
+		ctx->acexOffset = (ctx->exhdrOffset + ctx->exhdrSize);
+		ctx->acexSize = sizeof(access_descriptor);
 		ctx->plainRegionOffset = (u64)(u8_to_u32(header->plainRegionOffset,LE)*media_unit);
 		ctx->plainRegionSize = (u64)(u8_to_u32(header->plainRegionSize,LE)*media_unit);
 	}
diff --git a/makerom/ncch.h b/makerom/ncch.h
index 1baef1fe..232a228e 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -74,6 +74,8 @@ typedef struct
 	u16 formatVersion;
 	u32 exhdrOffset;
 	u32 exhdrSize;
+	u32 acexOffset;
+	u32 acexSize;
 	u64 logoOffset;
 	u64 logoSize;
 	u64 plainRegionOffset;
@@ -126,7 +128,6 @@ typedef struct
 	buffer_struct *out;
 	keys_struct *keys;
 	rsf_settings *rsfSet;
-	
 
 	struct
 	{
@@ -192,6 +193,7 @@ typedef struct
 	struct
 	{
 		buffer_struct exhdr;
+		buffer_struct acexDesc;
 		buffer_struct logo;
 		buffer_struct plainRegion;
 		buffer_struct exeFs;
@@ -220,8 +222,8 @@ u32 GetNCCH_MediaUnitSize(ncch_hdr* hdr);
 u32 GetNCCH_MediaSize(ncch_hdr* hdr);
 ncch_key_type GetNCCHKeyType(ncch_hdr* hdr);
 
-int GetNCCHSection(u8 *dest, u64 dest_max_size, u64 src_pos, u8 *ncch, ncch_struct *ncch_ctx, keys_struct *keys, ncch_section section);
-u8* GetNCCHKey(ncch_key_type keytype, keys_struct *keys);
+u8* GetNCCHKey0(ncch_key_type keytype, keys_struct *keys);
+u8* GetNCCHKey1(ncch_key_type keytype, keys_struct *keys);
 
 int GetNCCHStruct(ncch_struct *ctx, ncch_hdr *header);
 void ncch_get_counter(ncch_struct *ctx, u8 counter[16], u8 type);

From 8411e7e5336e2d0ca4072cdd8bc4821071a12ba8 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 21 Jun 2014 18:26:43 +1000
Subject: [PATCH 003/317] Forgot two files

---
 makerom/usersettings.c | 18 +++++++++---------
 makerom/usersettings.h |  1 -
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/makerom/usersettings.c b/makerom/usersettings.c
index 39ff9cd4..db9a3ef6 100644
--- a/makerom/usersettings.c
+++ b/makerom/usersettings.c
@@ -210,6 +210,14 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->common.keys.dumpkeys = true;
 		return 1;
 	}
+	else if(strcmp(argv[i],"-fsign") == 0){
+		if(ParamNum){
+			PrintNoNeedParam("-fsign");
+			return USR_BAD_ARG;
+		}
+		set->common.keys.rsa.isFalseSign = true;
+		return 1;
+	}
 
 	// Ncch Options
 	else if(strcmp(argv[i],"-elf") == 0){
@@ -450,14 +458,6 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->cia.titleVersion[1] = tmp & 63;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-savesize") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam("-savesize",1);
-			return USR_ARG_REQ_PARAM;
-		}
-		set->cia.overideSaveDataSize = argv[i+1];
-		return 2;
-	}
 	else if(strcmp(argv[i],"-rand") == 0){
 		if(ParamNum){
 			PrintNoNeedParam("-rand");
@@ -983,6 +983,7 @@ void DisplayHelp(char *app_name)
 	printf("                                    'c' Custom Keys & Certs\n");
 	printf(" -ckeyID        <u8 value>          Override the automatic commonKey selection\n");
 	printf(" -showkeys                          Display the loaded keychain\n");
+	printf(" -fsign                             Ignore invalid signatures\n");
 	printf("NCCH OPTIONS:\n");
 	printf(" -elf           <file>              ELF File\n");
 	printf(" -icon          <file>              Icon File\n");
@@ -1016,7 +1017,6 @@ void DisplayHelp(char *app_name)
 	printf(" -minor         <minor version>     Specify Minor Version\n");
 	printf(" -micro         <micro version>     Specify Micro Version\n");
 	printf(" -dver          <datatitle ver>     Specify Data Title Version\n");
-	printf(" -savesize      <size>              Savedata size\n");
 	printf(" -rand                              Use a random title key\n");
 	printf(" -cci           <cci path>          Convert CCI to CIA\n");
 	printf(" -srl           <srl path>          Use TWL SRL as Content0\n");
diff --git a/makerom/usersettings.h b/makerom/usersettings.h
index 577d76ce..54985f37 100644
--- a/makerom/usersettings.h
+++ b/makerom/usersettings.h
@@ -275,7 +275,6 @@ typedef struct
 	} cci; // CCI Settings
 	
 	struct{
-		char *overideSaveDataSize;
 		bool randomTitleKey;
 		bool encryptCia;
 		bool DlcContent;

From efd71def1c0a0f080fe70b44e0e9cac5d4385613 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Wed, 25 Jun 2014 12:31:01 +1000
Subject: [PATCH 004/317] fixes

---
 makerom/Makefile                            |   4 +-
 makerom/lib.h                               |   4 +-
 makerom/ncch.c                              |  25 +--
 makerom/ncsd.c                              |  26 ++-
 makerom/{yamlsettings.c => rsf_settings.c}  |  40 ++--
 makerom/{yamlsettings.h => rsf_settings.h}  |   0
 makerom/titleid.c                           | 226 +++++++++-----------
 makerom/titleid.h                           |  12 +-
 makerom/{usersettings.c => user_settings.c} |   0
 makerom/{usersettings.h => user_settings.h} |   0
 makerom/{yaml_ctr.c => yaml_parser.c}       |  20 +-
 makerom/{yaml_ctr.h => yaml_parser.h}       |   2 +-
 12 files changed, 175 insertions(+), 184 deletions(-)
 rename makerom/{yamlsettings.c => rsf_settings.c} (87%)
 rename makerom/{yamlsettings.h => rsf_settings.h} (100%)
 rename makerom/{usersettings.c => user_settings.c} (100%)
 rename makerom/{usersettings.h => user_settings.h} (100%)
 rename makerom/{yaml_ctr.c => yaml_parser.c} (97%)
 rename makerom/{yaml_ctr.h => yaml_parser.h} (96%)

diff --git a/makerom/Makefile b/makerom/Makefile
index f8f41181..5c417042 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -3,8 +3,8 @@ UTILS_OBJS = utils.o dir.o utf.o keyset.o titleid.o
 CIA_OBJS = cia.o cia_read.o certs.o tik.o tmd.o tmd_read.o
 NCCH_OBJS = ncch.o exheader.o accessdesc.o exefs.o elf.o romfs.o romfs_import.o romfs_binary.o  
 NCSD_OBJS = ncsd.o  
-SETTINGS_OBJS = usersettings.o yamlsettings.o
-LIB_API_OBJS = crypto.o yaml_ctr.o blz.o
+SETTINGS_OBJS = user_settings.o rsf_settings.o
+LIB_API_OBJS = crypto.o yaml_parser.o blz.o
 
 OBJS = makerom.o $(UTILS_OBJS) $(LIB_API_OBJS) $(SETTINGS_OBJS) $(NCSD_OBJS) $(NCCH_OBJS) $(CIA_OBJS)
 
diff --git a/makerom/lib.h b/makerom/lib.h
index d4b87812..15a0284a 100644
--- a/makerom/lib.h
+++ b/makerom/lib.h
@@ -29,8 +29,8 @@
 #include "crypto.h"
 
 #include "keyset.h"
-#include "usersettings.h"
+#include "user_settings.h"
 #include "libyaml/yaml.h"
-#include "yaml_ctr.h"
+#include "yaml_parser.h"
 
 
diff --git a/makerom/ncch.c b/makerom/ncch.c
index e8156db5..231451dc 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -9,6 +9,8 @@
 
 #include "logo_data.h" // Contains Logos
 
+const u32 MEDIA_UNIT = 0x200;
+
 // Private Prototypes
 int SignCFA(u8 *Signature, u8 *CFA_HDR, keys_struct *keys);
 int CheckCFASignature(u8 *Signature, u8 *CFA_HDR, keys_struct *keys);
@@ -173,27 +175,14 @@ int SetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 	int result = 0;
 
 	/* Options */
-	ncchset->options.mediaSize = 0x200;
-
+	ncchset->options.mediaSize = MEDIA_UNIT;
 	ncchset->options.IncludeExeFsLogo = usrset->ncch.includeExefsLogo;
-	
-	if(usrset->common.rsfSet.Option.EnableCompress != -1) ncchset->options.CompressCode = usrset->common.rsfSet.Option.EnableCompress;
-	else ncchset->options.CompressCode = true;
-
-	if(usrset->common.rsfSet.Option.UseOnSD != -1) ncchset->options.UseOnSD = usrset->common.rsfSet.Option.UseOnSD;
-	else ncchset->options.UseOnSD = false;
-	usrset->common.rsfSet.Option.UseOnSD = ncchset->options.UseOnSD;
-
-	if(usrset->common.rsfSet.Option.EnableCrypt != -1) ncchset->options.Encrypt = usrset->common.rsfSet.Option.EnableCrypt;
-	else ncchset->options.Encrypt = true;
-
-	if(usrset->common.rsfSet.Option.FreeProductCode != -1) ncchset->options.FreeProductCode = usrset->common.rsfSet.Option.FreeProductCode;
-	else ncchset->options.FreeProductCode = false;
-
+	ncchset->options.CompressCode = usrset->common.rsfSet.Option.EnableCompress;
+	ncchset->options.UseOnSD = usrset->common.rsfSet.Option.UseOnSD;
+	ncchset->options.Encrypt = usrset->common.rsfSet.Option.EnableCrypt;
+	ncchset->options.FreeProductCode = usrset->common.rsfSet.Option.FreeProductCode;
 	ncchset->options.IsCfa = (usrset->ncch.ncchType == CFA);
-	
 	ncchset->options.IsBuildingCodeSection = (usrset->ncch.elfPath != NULL);
-
 	ncchset->options.UseRomFS = ((ncchset->rsfSet->Rom.HostRoot && strlen(ncchset->rsfSet->Rom.HostRoot) > 0) || usrset->ncch.romfsPath);
 	
 	if(ncchset->options.IsCfa && !ncchset->options.UseRomFS){
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index ec208567..34aac36f 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -222,20 +222,30 @@ int ImportNcchPartitions(cci_settings *cciset)
 	return 0;
 }
 
+void WriteCCIDummyData(cci_settings *cciset)
+{
+	// Creating Buffer of Dummy Bytes
+	u64 len = NCCH0_OFFSET - 0x1200;
+	u8 *dummy_bytes = malloc(len);
+	memset(dummy_bytes,0xff,len);
+	WriteBuffer(dummy_bytes,len,0x1200,cciset->out);	
+}
+
+void WriteDevCardInfoData(cci_settings *cciset)
+{
+	WriteBuffer((u8*)&ctx.devcardinfo,sizeof(devcardinfo_hdr),0x1200,cciset->out);	
+}
+
 int WriteHeaderToFile(cci_settings *cciset)
 {
 	WriteBuffer(ctx.signature,0x100,0,cciset->out);
 	WriteBuffer((u8*)&ctx.cciHdr,sizeof(cci_hdr),0x100,cciset->out);
 	WriteBuffer((u8*)&ctx.cardinfo,sizeof(cardinfo_hdr),0x200,cciset->out);
-	if(!cciset->option.useDevCardInfo){
-		// Creating Buffer of Dummy Bytes
-		u64 len = NCCH0_OFFSET - 0x1200;
-		u8 *dummy_bytes = malloc(len);
-		memset(dummy_bytes,0xff,len);
-		WriteBuffer(dummy_bytes,len,0x1200,cciset->out);
-	}
+	if(cciset->option.useDevCardInfo)
+		WriteDevCardInfoData(cciset);
 	else
-		WriteBuffer((u8*)&ctx.devcardinfo,sizeof(devcardinfo_hdr),0x1200,cciset->out);
+		WriteCCIDummyData(cciset);
+		
 	return 0;
 }
 
diff --git a/makerom/yamlsettings.c b/makerom/rsf_settings.c
similarity index 87%
rename from makerom/yamlsettings.c
rename to makerom/rsf_settings.c
index 71f522ac..7d876ee2 100644
--- a/makerom/yamlsettings.c
+++ b/makerom/rsf_settings.c
@@ -1,5 +1,5 @@
 #include "lib.h"
-#include "yamlsettings.h"
+#include "rsf_settings.h"
 
 void EvaluateRSF(rsf_settings *rsf, ctr_yaml_context *ctx)
 {
@@ -52,13 +52,13 @@ void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf)
 	while(ctx->Level == InitLevel){
 		if(ctx->error || ctx->done) return;
 		// Handle childs
-		if(cmpYamlValue("AllowUnalignedSection",ctx)) rsf->Option.AllowUnalignedSection = SetBoolYAMLValue("AllowUnalignedSection",ctx);
-		if(cmpYamlValue("MediaFootPadding",ctx)) rsf->Option.MediaFootPadding = SetBoolYAMLValue("MediaFootPadding",ctx);
-		//else if(cmpYamlValue("NoPadding",ctx)) rsf->Option.NoPadding = SetBoolYAMLValue("NoPadding",ctx);
-		else if(cmpYamlValue("EnableCrypt",ctx)) rsf->Option.EnableCrypt = SetBoolYAMLValue("EnableCrypt",ctx);
-		else if(cmpYamlValue("EnableCompress",ctx)) rsf->Option.EnableCompress = SetBoolYAMLValue("EnableCompress",ctx);
-		else if(cmpYamlValue("FreeProductCode",ctx)) rsf->Option.FreeProductCode = SetBoolYAMLValue("FreeProductCode",ctx);
-		else if(cmpYamlValue("UseOnSD",ctx)) rsf->Option.UseOnSD = SetBoolYAMLValue("UseOnSD",ctx);
+		if(cmpYamlValue("AllowUnalignedSection",ctx)) SetBoolYAMLValue(&rsf->Option.AllowUnalignedSection,"AllowUnalignedSection",ctx);
+		else if(cmpYamlValue("MediaFootPadding",ctx)) SetBoolYAMLValue(&rsf->Option.MediaFootPadding,"MediaFootPadding",ctx);
+		//else if(cmpYamlValue("NoPadding",ctx)) SetBoolYAMLValue(&rsf->Option.NoPadding,"NoPadding",ctx);
+		else if(cmpYamlValue("EnableCrypt",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCrypt,"EnableCrypt",ctx);
+		else if(cmpYamlValue("EnableCompress",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCompress,"EnableCompress",ctx);
+		else if(cmpYamlValue("FreeProductCode",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCompress,"FreeProductCode",ctx);
+		else if(cmpYamlValue("UseOnSD",ctx)) SetBoolYAMLValue(&rsf->Option.UseOnSD,"UseOnSD",ctx);
 		else if(cmpYamlValue("PageSize",ctx)) SetSimpleYAMLValue(&rsf->Option.PageSize,"PageSize",ctx,0);
 		//else if(cmpYamlValue("AppendSystemCall",ctx)) rsf->Option.AppendSystemCallNum = SetYAMLSequence(&rsf->Option.AppendSystemCall,"AppendSystemCall",ctx);
 		else{
@@ -84,18 +84,18 @@ void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 	while(ctx->Level == InitLevel){
 		if(ctx->error || ctx->done) return;
 		// Handle childs
-		if(cmpYamlValue("DisableDebug",ctx)) rsf->AccessControlInfo.DisableDebug = SetBoolYAMLValue("DisableDebug",ctx);
-		else if(cmpYamlValue("EnableForceDebug",ctx)) rsf->AccessControlInfo.EnableForceDebug = SetBoolYAMLValue("EnableForceDebug",ctx);
-		else if(cmpYamlValue("CanWriteSharedPage",ctx)) rsf->AccessControlInfo.CanWriteSharedPage = SetBoolYAMLValue("CanWriteSharedPage",ctx);
-		else if(cmpYamlValue("CanUsePrivilegedPriority",ctx)) rsf->AccessControlInfo.CanUsePrivilegedPriority = SetBoolYAMLValue("CanUsePrivilegedPriority",ctx);
-		else if(cmpYamlValue("CanUseNonAlphabetAndNumber",ctx)) rsf->AccessControlInfo.CanUseNonAlphabetAndNumber = SetBoolYAMLValue("CanUseNonAlphabetAndNumber",ctx);
-		else if(cmpYamlValue("PermitMainFunctionArgument",ctx)) rsf->AccessControlInfo.PermitMainFunctionArgument = SetBoolYAMLValue("PermitMainFunctionArgument",ctx);
-		else if(cmpYamlValue("CanShareDeviceMemory",ctx)) rsf->AccessControlInfo.CanShareDeviceMemory = SetBoolYAMLValue("CanShareDeviceMemory",ctx);
-		else if(cmpYamlValue("UseOtherVariationSaveData",ctx)) rsf->AccessControlInfo.UseOtherVariationSaveData = SetBoolYAMLValue("UseOtherVariationSaveData",ctx);
-		else if(cmpYamlValue("UseExtSaveData",ctx)) rsf->AccessControlInfo.UseExtSaveData = SetBoolYAMLValue("UseExtSaveData",ctx);
-		else if(cmpYamlValue("UseExtendedSaveDataAccessControl",ctx)) rsf->AccessControlInfo.UseExtendedSaveDataAccessControl = SetBoolYAMLValue("UseExtendedSaveDataAccessControl",ctx);
-		else if(cmpYamlValue("RunnableOnSleep",ctx)) rsf->AccessControlInfo.RunnableOnSleep = SetBoolYAMLValue("RunnableOnSleep",ctx);
-		else if(cmpYamlValue("SpecialMemoryArrange",ctx)) rsf->AccessControlInfo.SpecialMemoryArrange = SetBoolYAMLValue("SpecialMemoryArrange",ctx);
+		if(cmpYamlValue("DisableDebug",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.DisableDebug,"DisableDebug",ctx);
+		else if(cmpYamlValue("EnableForceDebug",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.EnableForceDebug,"EnableForceDebug",ctx);
+		else if(cmpYamlValue("CanWriteSharedPage",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.CanWriteSharedPage,"CanWriteSharedPage",ctx);
+		else if(cmpYamlValue("CanUsePrivilegedPriority",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.CanUsePrivilegedPriority,"CanUsePrivilegedPriority",ctx);
+		else if(cmpYamlValue("CanUseNonAlphabetAndNumber",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.CanUseNonAlphabetAndNumber,"CanUseNonAlphabetAndNumber",ctx);
+		else if(cmpYamlValue("PermitMainFunctionArgument",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.PermitMainFunctionArgument,"PermitMainFunctionArgument",ctx);
+		else if(cmpYamlValue("CanShareDeviceMemory",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.CanShareDeviceMemory,"CanShareDeviceMemory",ctx);
+		else if(cmpYamlValue("UseOtherVariationSaveData",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseOtherVariationSaveData,"UseOtherVariationSaveData",ctx);
+		else if(cmpYamlValue("UseExtSaveData",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseExtSaveData,"UseExtSaveData",ctx);
+		else if(cmpYamlValue("UseExtendedSaveDataAccessControl",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseExtendedSaveDataAccessControl,"UseExtendedSaveDataAccessControl",ctx);
+		else if(cmpYamlValue("RunnableOnSleep",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.RunnableOnSleep,"RunnableOnSleep",ctx);
+		else if(cmpYamlValue("SpecialMemoryArrange",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.SpecialMemoryArrange,"SpecialMemoryArrange",ctx);
 		
 		
 		//else if(cmpYamlValue("ProgramId",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.ProgramId,"ProgramId",ctx,0); 
diff --git a/makerom/yamlsettings.h b/makerom/rsf_settings.h
similarity index 100%
rename from makerom/yamlsettings.h
rename to makerom/rsf_settings.h
diff --git a/makerom/titleid.c b/makerom/titleid.c
index 0c2346bd..071b13ee 100644
--- a/makerom/titleid.c
+++ b/makerom/titleid.c
@@ -2,141 +2,153 @@
 #include "ncch.h"
 #include "titleid.h"
 
-u32 SetPIDCategoryFromName(char *Category);
-u32 SetPIDCategoryFromFlags(char **CategoryFlags, u32 FlagNum);
-u32 SetPIDCategoryFromFlag(u32 Category, u32 Flag, char *FlagName);
+void SetPIDType(u16 *type);
+int SetPIDCategoryFromName(u16 *cat, char *CategoryStr);
+int SetPIDCategoryFromFlags(u16 *cat, char **CategoryFlags, u32 FlagNum);
+int SetPIDCategoryFromFlag(u16 *cat, u16 flag, char *flagName);
 u32 SetPIDUniqueId(char *UniqueIdStr);
-u16 SetTitleVariation(u16 Category, rsf_settings *yaml_set);
+int SetTitleVariation(u8 *var, u16 cat, rsf_settings *rsf);
 
 u64 ConvertTwlIdToCtrId(u64 pgid)
 {
 	return 0x0004800000000000 | (pgid & 0x00007FFFFFFFFFFF);
 }
 
-int GetProgramID(u64 *dest, rsf_settings *yaml, bool IsForExheader)
+int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 {
-	if(yaml->TitleInfo.Category && yaml->TitleInfo.CategoryFlags){
+	int ret;
+	u32 uniqueId;
+	u16 type,category;
+	u8 variation;
+
+	if(rsf->TitleInfo.Category && rsf->TitleInfo.CategoryFlags){
 		fprintf(stderr,"[ID ERROR] Can not set \"Cateory\" and \"CategoryFlags\" at the same time.\n");
-		return PID_BAD_YAML_SET;
+		return PID_BAD_RSF_SET;
 	}
-	u16 Type = 0x0004;
-	u32 m_Category = 0;
-	u32 UniqueId = 0;
-	u16 m_Variation = 0;
 
+	// Getting Type
+	SetPIDType(&type);
+	
 	// Getting Category
-	if(yaml->TitleInfo.Category) 
-		m_Category = SetPIDCategoryFromName(yaml->TitleInfo.Category);
-	else if(yaml->TitleInfo.CategoryFlags) 
-		m_Category = SetPIDCategoryFromFlags(yaml->TitleInfo.CategoryFlags,yaml->TitleInfo.CategoryFlagsNum);
-	if(IsForExheader && yaml->TitleInfo.TargetCategory)
-		m_Category = SetPIDCategoryFromName(yaml->TitleInfo.TargetCategory);
-	if(m_Category == PID_INVALID_CATEGORY) // Error occured
-		return PID_BAD_YAML_SET;
+	if(rsf->TitleInfo.Category) 
+		ret = SetPIDCategoryFromName(&category,rsf->TitleInfo.Category);
+	else if(rsf->TitleInfo.CategoryFlags) 
+		ret = SetPIDCategoryFromFlags(&category,rsf->TitleInfo.CategoryFlags,rsf->TitleInfo.CategoryFlagsNum);
+	if(IsForExheader && rsf->TitleInfo.TargetCategory)
+		ret = SetPIDCategoryFromName(&category,rsf->TitleInfo.TargetCategory);
+	if(ret == PID_INVALID_CATEGORY) // Error occured
+		return PID_BAD_RSF_SET;
 
 	// Getting UniqueId
-	if(yaml->TitleInfo.UniqueId) UniqueId = SetPIDUniqueId(yaml->TitleInfo.UniqueId);
+	if(rsf->TitleInfo.UniqueId) 
+		GetUniqueID(&uniqueId,rsf);
 	else{
 		fprintf(stderr,"[ID ERROR] ParameterNotFound: \"TitleInfo/UniqueId\"\n");
-		return PID_BAD_YAML_SET;
+		return PID_BAD_RSF_SET;
 	}
 
-	m_Variation = SetTitleVariation(m_Category,yaml);
-	if(m_Variation == PID_INVALID_VARIATION) // Error occured
-		return PID_BAD_YAML_SET;
+	// Getting Variation
+	if(SetTitleVariation(&variation,category,rsf) == PID_INVALID_VARIATION)
+		return PID_BAD_RSF_SET;
 
-	u16 Category = (u16)m_Category;
-	u8 Variation = (u8)m_Variation;
+	u64 programId = 0;
+	programId |= (u64)variation<<0;
+	programId |= (u64)uniqueId<<8;
+	programId |= (u64)category<<32;
+	programId |= (u64)type<<48;
 
-	u64 ProgramID = 0;
-	ProgramID |= (u64)Variation<<0;
-	ProgramID |= (u64)UniqueId<<8;
-	ProgramID |= (u64)Category<<32;
-	ProgramID |= (u64)Type<<48;
-
-	*dest = ProgramID;
+	*dest = programId;
 
 	return 0;
 }
 
-int GetUniqueID(u32 *dest, rsf_settings *yaml)
+void SetPIDType(u16 *type)
 {
-	if(yaml->TitleInfo.UniqueId) *dest = 0xffffff & SetPIDUniqueId(yaml->TitleInfo.UniqueId);
+	*type = 0x0004;
+}
+
+int GetUniqueID(u32 *uid, rsf_settings *rsf)
+{
+	if(rsf->TitleInfo.UniqueId) *uid = 0xffffff & SetPIDUniqueId(rsf->TitleInfo.UniqueId);
 	else{
 		fprintf(stderr,"[ID ERROR] ParameterNotFound: \"TitleInfo/UniqueId\"\n");
-		return PID_BAD_YAML_SET;
+		return PID_BAD_RSF_SET;
 	}
 	return 0;
 }
 
-u32 SetPIDCategoryFromName(char *Category)
+int SetPIDCategoryFromName(u16 *cat, char *CategoryStr)
 {
-	if(strcmp(Category,"Application") == 0) return PROGRAM_ID_CATEGORY_APPLICATION;
-	else if(strcmp(Category,"SystemApplication") == 0) return PROGRAM_ID_CATEGORY_SYSTEM_APPLICATION;
-	else if(strcmp(Category,"Applet") == 0) return PROGRAM_ID_CATEGORY_APPLET;
-	else if(strcmp(Category,"Firmware") == 0) return PROGRAM_ID_CATEGORY_FIRMWARE;
-	else if(strcmp(Category,"Base") == 0) return PROGRAM_ID_CATEGORY_BASE;
-	else if(strcmp(Category,"DlpChild") == 0) return PROGRAM_ID_CATEGORY_DLP_CHILD;
-	else if(strcmp(Category,"Demo") == 0) return PROGRAM_ID_CATEGORY_DEMO;
-	else if(strcmp(Category,"Contents") == 0) return PROGRAM_ID_CATEGORY_CONTENTS;
-	else if(strcmp(Category,"SystemContents") == 0) return PROGRAM_ID_CATEGORY_SYSTEM_CONTENT;
-	else if(strcmp(Category,"SharedContents") == 0) return PROGRAM_ID_CATEGORY_SHARED_CONTENT;
-	else if(strcmp(Category,"AddOnContents") == 0) return PROGRAM_ID_CATEGORY_ADD_ON_CONTENTS;
-	else if(strcmp(Category,"Patch") == 0) return PROGRAM_ID_CATEGORY_PATCH;
-	else if(strcmp(Category,"AutoUpdateContents") == 0) return PROGRAM_ID_CATEGORY_AUTO_UPDATE_CONTENT;
+	if(strcmp(CategoryStr,"Application") == 0) *cat = PROGRAM_ID_CATEGORY_APPLICATION;
+	else if(strcmp(CategoryStr,"SystemApplication") == 0) *cat = PROGRAM_ID_CATEGORY_SYSTEM_APPLICATION;
+	else if(strcmp(CategoryStr,"Applet") == 0) *cat = PROGRAM_ID_CATEGORY_APPLET;
+	else if(strcmp(CategoryStr,"Firmware") == 0) *cat = PROGRAM_ID_CATEGORY_FIRMWARE;
+	else if(strcmp(CategoryStr,"Base") == 0) *cat = PROGRAM_ID_CATEGORY_BASE;
+	else if(strcmp(CategoryStr,"DlpChild") == 0) *cat = PROGRAM_ID_CATEGORY_DLP_CHILD;
+	else if(strcmp(CategoryStr,"Demo") == 0) *cat = PROGRAM_ID_CATEGORY_DEMO;
+	else if(strcmp(CategoryStr,"Contents") == 0) *cat = PROGRAM_ID_CATEGORY_CONTENTS;
+	else if(strcmp(CategoryStr,"SystemContents") == 0) *cat = PROGRAM_ID_CATEGORY_SYSTEM_CONTENT;
+	else if(strcmp(CategoryStr,"SharedContents") == 0) *cat = PROGRAM_ID_CATEGORY_SHARED_CONTENT;
+	else if(strcmp(CategoryStr,"AddOnContents") == 0) *cat = PROGRAM_ID_CATEGORY_ADD_ON_CONTENTS;
+	else if(strcmp(CategoryStr,"Patch") == 0) *cat = PROGRAM_ID_CATEGORY_PATCH;
+	else if(strcmp(CategoryStr,"AutoUpdateContents") == 0) *cat = PROGRAM_ID_CATEGORY_AUTO_UPDATE_CONTENT;
 	else {
-		fprintf(stderr,"[ID ERROR] Invalid Category: \"%s\"\n",Category);
+		fprintf(stderr,"[ID ERROR] Invalid Category: \"%s\"\n",CategoryStr);
 		return PID_INVALID_CATEGORY;
 	}
+	
+	return 0;
 }
 
-u32 SetPIDCategoryFromFlags(char **CategoryFlags, u32 FlagNum)
+int SetPIDCategoryFromFlags(u16 *cat, char **CategoryFlags, u32 FlagNum)
 {
-	u32 Category = 0;
+	int ret = 0;
 	for(u32 i = 0; i < FlagNum; i++){
 		if(strcmp(CategoryFlags[i],"Normal") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_NORMAL,"Normal");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_NORMAL,"Normal");
 		else if(strcmp(CategoryFlags[i],"DlpChild") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_DLP_CHILD,"DlpChild");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_DLP_CHILD,"DlpChild");
 		else if(strcmp(CategoryFlags[i],"Demo") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_DEMO,"Demo");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_DEMO,"Demo");
 		else if(strcmp(CategoryFlags[i],"Contents") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_CONTENTS,"Contents");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_CONTENTS,"Contents");
 		else if(strcmp(CategoryFlags[i],"AddOnContents") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_ADD_ON_CONTENTS,"AddOnContents");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_ADD_ON_CONTENTS,"AddOnContents");
 		else if(strcmp(CategoryFlags[i],"Patch") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_PATCH,"Patch");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_PATCH,"Patch");
 		else if(strcmp(CategoryFlags[i],"CannotExecution") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_CANNOT_EXECUTION,"CannotExecution");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_CANNOT_EXECUTION,"CannotExecution");
 		else if(strcmp(CategoryFlags[i],"System") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_SYSTEM,"System");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_SYSTEM,"System");
 		else if(strcmp(CategoryFlags[i],"RequireBatchUpdate") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_REQUIRE_BATCH_UPDATE,"RequireBatchUpdate");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_REQUIRE_BATCH_UPDATE,"RequireBatchUpdate");
 		else if(strcmp(CategoryFlags[i],"NotRequireUserApproval") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_NOT_REQUIRE_USER_APPROVAL,"NotRequireUserApproval");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_NOT_REQUIRE_USER_APPROVAL,"NotRequireUserApproval");
 		else if(strcmp(CategoryFlags[i],"NotRequireRightForMount") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_NOT_REQUIRE_RIGHT_FOR_MOUNT,"NotRequireRightForMount");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_NOT_REQUIRE_RIGHT_FOR_MOUNT,"NotRequireRightForMount");
 		else if(strcmp(CategoryFlags[i],"CanSkipConvertJumpId") == 0)
-			Category = SetPIDCategoryFromFlag(Category,PROGRAM_ID_CATEGORY_FLAG_CAN_SKIP_CONVERT_JUMP_ID,"CanSkipConvertJumpId");
+			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_CAN_SKIP_CONVERT_JUMP_ID,"CanSkipConvertJumpId");
+		
+		if(ret == PID_INVALID_CATEGORY) break;
 		
 		else {
 			fprintf(stderr,"[ID ERROR] Invalid CategoryFlag: \"%s\"\n",CategoryFlags[i]);
 			return PID_INVALID_CATEGORY;
 		}
-
-		if(Category == PID_INVALID_CATEGORY) return PID_INVALID_CATEGORY;
 	}
-	return Category;
+	return ret;
 }
 
-u32 SetPIDCategoryFromFlag(u32 Category, u32 Flag, char *FlagName)
+int SetPIDCategoryFromFlag(u16 *cat, u16 flag, char *flagName)
 {
-	if(!Flag) return Category;
-	if((Category & Flag) == Flag){
-		fprintf(stderr,"[ID ERROR] Failed to set \"%s\" for category. CategoryFlag was already set.\n",FlagName);
+	if(!flag) return 0;
+	if((*cat & flag) == flag){
+		fprintf(stderr,"[ID ERROR] Failed to set \"%s\" for category. CategoryFlag was already set.\n",flagName);
 		return PID_INVALID_CATEGORY;
 	}
-	return Category |= Flag;
+	*cat |= flag;
+	
+	return 0;
 }
 
 u32 SetPIDUniqueId(char *UniqueIdStr)
@@ -144,16 +156,16 @@ u32 SetPIDUniqueId(char *UniqueIdStr)
 	return 0xffffff & strtoull(UniqueIdStr,NULL,0);
 }
 
-u16 SetTitleVariation(u16 Category, rsf_settings *yaml_set)
+int SetTitleVariation(u8 *var, u16 cat, rsf_settings *rsf)
 {
-	if(IsDemo(Category)){
-		if(yaml_set->TitleInfo.DemoIndex){
-			u16 DemoIndex = strtol(yaml_set->TitleInfo.DemoIndex,NULL,10);
-			if(DemoIndex > 255 || DemoIndex == 0){
+	if(IsDemo(cat)){
+		if(rsf->TitleInfo.DemoIndex){
+			u8 DemoIndex = 0xff & strtol(rsf->TitleInfo.DemoIndex,NULL,10);
+			if(DemoIndex == 0){
 				fprintf(stderr,"[ID ERROR] Invalid demo index \"%d\"\n",DemoIndex);
 				return PID_INVALID_VARIATION;
 			}
-			return DemoIndex;
+			*var = DemoIndex;
 		}
 		else{
 			fprintf(stderr,"[ID ERROR] ParameterNotFound: \"TitleInfo/DemoIndex\"\n");
@@ -161,55 +173,31 @@ u16 SetTitleVariation(u16 Category, rsf_settings *yaml_set)
 		}
 	}
 	
-	else if(IsDlpChild(Category)){
-		if(yaml_set->TitleInfo.ChildIndex){
-			u16 ChildIndex = strtol(yaml_set->TitleInfo.ChildIndex,NULL,10);
-			if(ChildIndex > 255){
-				fprintf(stderr,"[ID ERROR] Invalid child index \"%d\"\n",ChildIndex);
-				return PID_INVALID_VARIATION;
-			}
-			return ChildIndex;
-		}
+	else if(IsDlpChild(cat)){
+		if(rsf->TitleInfo.ChildIndex)
+			*var = 0xff & strtol(rsf->TitleInfo.ChildIndex,NULL,10);
 		else
-			return 0;
+			*var = 0;
 	}
-	else if(IsAddOnContent(Category)){
-		if(yaml_set->TitleInfo.Variation){ // Might Rename to DataTitleIndex
-			u16 DataTitleIndex = strtol(yaml_set->TitleInfo.Variation,NULL,10);
-			if(DataTitleIndex > 255){
-				fprintf(stderr,"[ID ERROR] Invalid variation \"%d\"\n",DataTitleIndex);
-				return PID_INVALID_VARIATION;
-			}
-			return DataTitleIndex;
-		}
+	else if(IsAddOnContent(cat)){
+		if(rsf->TitleInfo.Variation) // Might Rename to DataTitleIndex
+			*var = 0xff & strtol(rsf->TitleInfo.Variation,NULL,10);
 		else
-			return 0;
+			*var = 0;
 	}
-	else if(IsContents(Category)){
-		if(yaml_set->TitleInfo.ContentsIndex){
-			u16 ContentsIndex = strtol(yaml_set->TitleInfo.ContentsIndex,NULL,10);
-			if(ContentsIndex > 255){
-				fprintf(stderr,"[ID ERROR] Invalid content index \"%d\"\n",ContentsIndex);
-				return PID_INVALID_VARIATION;
-			}
-			return ContentsIndex;
-		}
+	else if(IsContents(cat)){
+		if(rsf->TitleInfo.ContentsIndex)
+			*var = 0xff & strtol(rsf->TitleInfo.ContentsIndex,NULL,10);
 		else
-			return 0;
+			*var = 0;
 	}
 	else{
-		if(yaml_set->TitleInfo.Version){
-			u16 Version = strtol(yaml_set->TitleInfo.Version,NULL,10);
-			if(Version > 255){
-				fprintf(stderr,"[ID ERROR] Invalid Version \"%d\"\n",Version);
-				return PID_INVALID_VARIATION;
-			}
-			return Version;
-		}
+		if(rsf->TitleInfo.Version)
+			*var = 0xff & strtol(rsf->TitleInfo.Version,NULL,10);
 		else
-			return 0;
+			*var = 0;
 	}
-	return PID_INVALID_VARIATION;
+	return 0;
 }
 
 bool IsDemo(u16 Category)
diff --git a/makerom/titleid.h b/makerom/titleid.h
index 6da3516c..ecfd7823 100644
--- a/makerom/titleid.h
+++ b/makerom/titleid.h
@@ -2,10 +2,10 @@
 
 typedef enum
 {
-	PID_BAD_YAML_SET = -1,
-	PID_INVALID_CATEGORY = 0x10000,
-	PID_INVALID_UNIQUE_ID = 0x1000000,
-	PID_INVALID_VARIATION = 0x100,
+	PID_BAD_RSF_SET = -1,
+	PID_INVALID_CATEGORY = -2,
+	PID_INVALID_UNIQUE_ID = -3,
+	PID_INVALID_VARIATION = -4,
 } Pid_Errors;
 
 typedef enum
@@ -85,8 +85,8 @@ typedef enum
 
 u64 ConvertTwlIdToCtrId(u64 pgid);
 
-int GetProgramID(u64 *dest, rsf_settings *yaml, bool IsForExheader);
-int GetUniqueID(u32 *dest, rsf_settings *yaml);
+int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader);
+int GetUniqueID(u32 *dest, rsf_settings *rsf);
 
 bool IsDemo(u16 Category);
 bool IsSystem(u16 Category);
diff --git a/makerom/usersettings.c b/makerom/user_settings.c
similarity index 100%
rename from makerom/usersettings.c
rename to makerom/user_settings.c
diff --git a/makerom/usersettings.h b/makerom/user_settings.h
similarity index 100%
rename from makerom/usersettings.h
rename to makerom/user_settings.h
diff --git a/makerom/yaml_ctr.c b/makerom/yaml_parser.c
similarity index 97%
rename from makerom/yaml_ctr.c
rename to makerom/yaml_parser.c
index 5924a217..9eafb571 100644
--- a/makerom/yaml_ctr.c
+++ b/makerom/yaml_parser.c
@@ -1,5 +1,5 @@
 #include "lib.h"
-#include "yamlsettings.h"
+#include "rsf_settings.h"
 
 // Private Prototypes
 void InitYamlContext(ctr_yaml_context *ctx);
@@ -410,10 +410,10 @@ void SetSimpleYAMLValue(char **dest, char *key, ctr_yaml_context *ctx, u32 size_
 	
 }
 
-bool SetBoolYAMLValue(char *key, ctr_yaml_context *ctx)
+void SetBoolYAMLValue(bool *dest, char *key, ctr_yaml_context *ctx)
 {
 	GetEvent(ctx);
-	if(ctx->error || ctx->done) return false;
+	if(ctx->error || ctx->done) return;
 	if(!EventIsScalar(ctx)){
 		fprintf(stderr,"[RSF ERROR] '%s' requires a value\n",key);
 		ctx->error = YAML_BAD_FORMATTING;
@@ -425,12 +425,16 @@ bool SetBoolYAMLValue(char *key, ctr_yaml_context *ctx)
 		return false;
 	}
 	
-	if(casecmpYamlValue("true",ctx)) return true;
-	if(casecmpYamlValue("false",ctx)) return false;
+	if(casecmpYamlValue("true",ctx))
+		*dest = true;
+	else if(casecmpYamlValue("false",ctx))
+		*dest = false;
+	else{
+		fprintf(stderr,"[RSF ERROR] Invalid '%s'\n",key);
+		ctx->error = YAML_BAD_FORMATTING;
+	}
 	
-	fprintf(stderr,"[RSF ERROR] Invalid '%s'\n",key);
-	ctx->error = YAML_BAD_FORMATTING;
-	return false;
+	return;
 	
 }
 
diff --git a/makerom/yaml_ctr.h b/makerom/yaml_parser.h
similarity index 96%
rename from makerom/yaml_ctr.h
rename to makerom/yaml_parser.h
index 9c34cdc7..35f3dcfe 100644
--- a/makerom/yaml_ctr.h
+++ b/makerom/yaml_parser.h
@@ -54,7 +54,7 @@ bool CheckSequenceEvent(ctr_yaml_context *ctx); // With extra implement, use if
 
 // Functions which store values
 void SetSimpleYAMLValue(char **dest, char *key, ctr_yaml_context *ctx, u32 size_limit);
-bool SetBoolYAMLValue(char *key, ctr_yaml_context *ctx);
+void SetBoolYAMLValue(bool *dest, char *key, ctr_yaml_context *ctx);
 u32 SetYAMLSequence(char ***dest, char *key, ctr_yaml_context *ctx);
 u32 SetYAMLSequenceFromMapping(char ***dest, char *key, ctr_yaml_context *ctx, bool StoreKey);
 //void SkipYAMLGroup(ctr_yaml_context *ctx);
\ No newline at end of file

From df5c7f500c45435ffd820de5dff4f1f27a22ca61 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Wed, 25 Jun 2014 12:32:28 +1000
Subject: [PATCH 005/317] commented "custom" key option

until it is supported
---
 makerom/user_settings.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index db9a3ef6..9ec263ed 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -181,8 +181,8 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			set->common.keys.keyset = pki_DEVELOPMENT;
 		else if(strcasecmp(argv[i+1],"retail") == 0 || strcasecmp(argv[i+1],"production") == 0 || strcasecmp(argv[i+1],"p") == 0)
 			set->common.keys.keyset = pki_PRODUCTION;
-		else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0)
-			set->common.keys.keyset = pki_CUSTOM;
+		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0)
+		//	set->common.keys.keyset = pki_CUSTOM;
 		else{
 			fprintf(stderr,"[SETTING ERROR] Unrecognised target '%s'\n",argv[i+1]);
 			return USR_BAD_ARG;
@@ -980,7 +980,7 @@ void DisplayHelp(char *app_name)
 	printf("                                    't' Test(false) Keys & prod Certs\n");
 	printf("                                    'd' Development Keys & Certs\n");
 	printf("                                    'p' Production Keys & Certs\n");
-	printf("                                    'c' Custom Keys & Certs\n");
+	//printf("                                    'c' Custom Keys & Certs\n");
 	printf(" -ckeyID        <u8 value>          Override the automatic commonKey selection\n");
 	printf(" -showkeys                          Display the loaded keychain\n");
 	printf(" -fsign                             Ignore invalid signatures\n");

From 65038633e4768a15e918f4eba093bbd6f470e55e Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 28 Jun 2014 18:38:52 +1000
Subject: [PATCH 006/317] many small changes

added function to fill memory with random bytes (cleaning some code with
that). Removed public build #ifdefs since 3dsguy apparently uploaded the
entire source with all "private" things.
---
 makerom/Makefile        |  4 ++--
 makerom/accessdesc.c    |  8 --------
 makerom/cia.c           |  9 +++------
 makerom/crypto.c        |  2 --
 makerom/keyset.c        |  4 ----
 makerom/ncch.c          |  2 +-
 makerom/ncsd.c          | 24 +++---------------------
 makerom/tik.c           | 16 +++++++---------
 makerom/tmd.c           |  6 +++---
 makerom/user_settings.c | 20 ++++++--------------
 makerom/utils.c         | 12 ++++++++++++
 makerom/utils.h         |  2 ++
 12 files changed, 39 insertions(+), 70 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index 5c417042..79e3eadb 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -19,9 +19,9 @@ CFLAGS = --std=c99 -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. -DMA
 CC = gcc
  
 # MAKEROM Build Settings
-MAKEROM_BUILD_FLAGS = #-DPUBLIC_BUILD #-DDEBUG
+MAKEROM_BUILD_FLAGS = #-DDEBUG
 VER_MAJOR = 0
-VER_MINOR = 8
+VER_MINOR = 9
 OUTPUT = makerom
 
 main: build
diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 7247ab6b..8c316c5a 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -6,10 +6,8 @@
 #include "polarssl/base64.h"
 
 #include "desc_presets.h"
-#ifndef PUBLIC_BUILD
 #include "desc_dev_sigdata.h"
 #include "desc_prod_sigdata.h"
-#endif
 
 const int RSF_RSA_DATA_LEN = 344;
 const int RSF_DESC_DATA_LEN = 684;
@@ -19,9 +17,7 @@ int accessdesc_SignWithKey(exheader_settings *exhdrset);
 int accessdesc_GetSignFromRsf(exheader_settings *exhdrset);
 int accessdesc_GetSignFromPreset(exheader_settings *exhdrset);
 void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, keys_struct *keys);
-#ifndef PUBLIC_BUILD
 void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, keys_struct *keys);
-#endif
 
 bool IsValidB64Char(char chr);
 u32 b64_strlen(char *str);
@@ -153,9 +149,7 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 	u8 *cxiPvtk = NULL;
 
 	accessdesc_GetPresetData(&desc,&accessDesc,&depList,exhdrset->keys);
-#ifndef PUBLIC_BUILD
 	accessdesc_GetPresetSigData(&accessDescSig,&cxiPubk,&cxiPvtk,exhdrset->keys);
-#endif
 
 	// Error Checking
 	if(!desc || !depList){
@@ -307,7 +301,6 @@ void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, keys_str
 	}
 }
 
-#ifndef PUBLIC_BUILD
 void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, keys_struct *keys)
 {
 	if(keys->accessDescSign.presetType == desc_preset_APP){
@@ -459,7 +452,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 		}
 	}
 }
-#endif
 
 bool IsValidB64Char(char chr)
 {
diff --git a/makerom/cia.c b/makerom/cia.c
index 55967dc4..7d539326 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -182,14 +182,11 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	}
 
 	// Ticket Data
-	u64_to_u8(ciaset->tik.ticketId,u64GetRand(),BE);
+	rndset(ciaset->tik.ticketId,16);
 	if(usrset->cia.randomTitleKey)
-	{
-		u64_to_u8(ciaset->common.titleKey,u64GetRand(),BE);
-		u64_to_u8((ciaset->common.titleKey+8),u64GetRand(),BE);
-	}
+		rndset(ciaset->common.titleKey,16);
 	else
-		memset(ciaset->common.titleKey,0,16);
+		clrmem(ciaset->common.titleKey,16);
 
 	ciaset->tik.formatVersion = 1;
 
diff --git a/makerom/crypto.c b/makerom/crypto.c
index e3cdf469..fc482e0e 100644
--- a/makerom/crypto.c
+++ b/makerom/crypto.c
@@ -15,13 +15,11 @@ u8* AesKeyScrambler(u8 *Key, u8 *KeyX, u8 *KeyY)
 	for(int i = 0; i < 16; i++)
 		Key[i] = KeyX[i] ^ ((KeyY[i] >> 2) | ((KeyY[i < 15 ? i+1 : 0] & 3) << 6));
 
-#ifndef PUBLIC_BUILD
 	const u8 SCRAMBLE_SECRET[16] = {0x51, 0xD7, 0x5D, 0xBE, 0xFD, 0x07, 0x57, 0x6A, 0x1C, 0xFC, 0x2A, 0xF0, 0x94, 0x4B, 0xD5, 0x6C};
 
 	// Apply Secret to get final normal key
 	for(int i = 0; i < 16; i++)
 		Key[i] = Key[i] ^ SCRAMBLE_SECRET[i];
-#endif
 
 	return Key;
 }
diff --git a/makerom/keyset.c b/makerom/keyset.c
index 38e5cf84..b44ecb68 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -2,10 +2,8 @@
 
 // KeyData
 #include "tpki.h" // Test PKI
-#ifndef PUBLIC_BUILD
 #include "ppki.h" // Production PKI
 #include "dpki.h" // Development PKI
-#endif
 
 // Private Prototypes
 int SetRsaKeySet(u8 **PrivDest, u8 *PrivSource, u8 **PubDest, u8 *PubSource);
@@ -88,7 +86,6 @@ int LoadKeysFromResources(keys_struct *keys)
 		/* RSA Keys */
 		keys->rsa.isFalseSign = true;		
 	}
-	#ifndef PUBLIC_BUILD
 	else if(keys->keyset == pki_DEVELOPMENT){
 		keys->keysetLoaded = true;
 		/* AES Keys */
@@ -154,7 +151,6 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetTikCert(keys,(u8*)xsC_ppki_cert);
 		SetTmdCert(keys,(u8*)cpB_ppki_cert);
 	}
-#endif
 	return 0;
 }
 
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 231451dc..cc53630d 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -64,7 +64,7 @@ int build_NCCH(user_settings *usrset)
 	int result;
 
 	// Init Settings\n");
-	ncch_settings *ncchset = malloc(sizeof(ncch_settings));
+	ncch_settings *ncchset = calloc(1,sizeof(ncch_settings));
 	if(!ncchset) {
 		fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 34aac36f..f8ee18e2 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -367,34 +367,16 @@ int GetDataFromContent0(cci_settings *cciset, user_settings *usrset)
 	
 	memcpy(cciset->header.mediaId,hdr->titleId,8);
 	memcpy(&cciset->content.titleId[0],hdr->titleId,8);
-#ifndef PUBLIC_BUILD
 	if(usrset->cci.useSDKStockData){
 		memcpy(cciset->cardinfo.initialData,stock_initial_data,0x30);
 		memcpy(cciset->cardinfo.titleKey,stock_title_key,0x10);
 		cciset->option.useDevCardInfo = true;
 	}
 	else{
-		for(int i = 0; i < 0x2c/sizeof(u32); i++)
-		{
-			u32 val = u32GetRand();
-			memcpy((cciset->cardinfo.initialData+i*sizeof(u32)),&val,4);
-		}
-		/*
-		for(int i = 0; i < 2; i++)
-		{
-			u64 val = u64GetRand();
-			memcpy((cciset->cardinfo.titleKey+i*8),&val,8);
-		}
-		cciset->option.useDevCardInfo = true;
-		*/
-	}
-#else
-	for(int i = 0; i < 0x2c/sizeof(u32); i++)
-	{
-		u32 val = u32GetRand();
-		memcpy((cciset->cardinfo.initialData+i*sizeof(u32)),&val,4);
+		rndset(cciset->cardinfo.initialData,0x2c);
+		//rndset(cciset->cardinfo.titleKey,0x10);
+		//cciset->option.useDevCardInfo = true;
 	}
-#endif
 	
 	cciset->header.flags[MediaUnitSize] = hdr->flags[ContentUnitSize];
 	cciset->option.mediaUnit = GetNCCH_MediaUnitSize(hdr);
diff --git a/makerom/tik.c b/makerom/tik.c
index 5d47d5e1..ea312f09 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -39,7 +39,7 @@ int SetupTicketBuffer(buffer_struct *tik)
 
 int SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 {
-	memset(hdr,0,sizeof(tik_hdr));
+	clrmem(hdr,sizeof(tik_hdr));
 
 	memcpy(hdr->issuer,ciaset->tik.issuer,0x40);
 	hdr->formatVersion = ciaset->tik.formatVersion;
@@ -47,10 +47,8 @@ int SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 	hdr->signerCrlVersion = ciaset->cert.signerCrlVersion;
 	if(ciaset->content.encryptCia)
 		CryptTitleKey(hdr->encryptedTitleKey, ciaset->common.titleKey,ciaset->common.titleId,ciaset->keys,ENC);
-	else{
-		u64_to_u8(hdr->encryptedTitleKey,u64GetRand(),BE);
-		u64_to_u8((hdr->encryptedTitleKey+8),u64GetRand(),BE);
-	}
+	else
+		rndset(hdr->encryptedTitleKey,16);
 	memcpy(hdr->ticketId,ciaset->tik.ticketId,8);
 	memcpy(hdr->deviceId,ciaset->tik.deviceId,8);
 	memcpy(hdr->titleId,ciaset->common.titleId,8);
@@ -66,7 +64,7 @@ int SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 
 int SignTicketHeader(tik_hdr *hdr, tik_signature *sig, keys_struct *keys)
 {
-	memset(sig,0,sizeof(tik_signature));
+	clrmem(sig,sizeof(tik_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
 	return ctr_sig((u8*)hdr,sizeof(tik_hdr),sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
@@ -80,7 +78,7 @@ int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *ke
 	
 	//Setting up Aes Context
 	ctr_aes_context ctx;
-	memset(&ctx,0x0,sizeof(ctr_aes_context));
+	clrmem(&ctx,sizeof(ctr_aes_context));
 	
 	//Crypting TitleKey
 	ctr_init_aes_cbc(&ctx,keys->aes.commonKey[keys->aes.currentCommonKey],iv,mode);
@@ -91,12 +89,12 @@ int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *ke
 	return 0;
 }
 
-void SetLimits(tik_hdr *hdr, cia_settings *ciaset)
+void SetLimits(tik_hdr *hdr, cia_settings *ciaset) // TODO?
 {
 	memset(hdr->limits,0,0x40);
 }
 
-void SetContentIndexData(tik_hdr *hdr, cia_settings *ciaset)
+void SetContentIndexData(tik_hdr *hdr, cia_settings *ciaset) // TODO?
 {
 	memset(hdr->contentIndex,0,0xAC);
 	memcpy(hdr->contentIndex,default_contentIndex,0x30);
diff --git a/makerom/tmd.c b/makerom/tmd.c
index 744fe055..173c1e44 100644
--- a/makerom/tmd.c
+++ b/makerom/tmd.c
@@ -48,7 +48,7 @@ int SetupTMDBuffer(buffer_struct *tmd)
 
 int SetupTMDHeader(tmd_hdr *hdr, tmd_content_info_record *info_record, cia_settings *ciaset)
 {
-	memset(hdr,0,sizeof(tmd_hdr));
+	clrmem(hdr,sizeof(tmd_hdr));
 
 	memcpy(hdr->issuer,ciaset->tmd.issuer,0x40);
 	hdr->formatVersion = ciaset->tmd.formatVersion;
@@ -67,14 +67,14 @@ int SetupTMDHeader(tmd_hdr *hdr, tmd_content_info_record *info_record, cia_setti
 
 int SignTMDHeader(tmd_hdr *hdr, tmd_signature *sig, keys_struct *keys)
 {
-	memset(sig,0,sizeof(tmd_signature));
+	clrmem(sig,sizeof(tmd_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
 	return ctr_sig((u8*)hdr,sizeof(tmd_hdr),sig->data,keys->rsa.cpPub,keys->rsa.cpPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
 int SetupTMDInfoRecord(tmd_content_info_record *info_record, u8 *content_record, u16 ContentCount)
 {
-	memset(info_record,0x0,sizeof(tmd_content_info_record)*0x40);
+	clrmem(info_record,sizeof(tmd_content_info_record)*0x40);
 	u16_to_u8(info_record->contentIndexOffset,0x0,BE);
 	u16_to_u8(info_record->contentCommandCount,ContentCount,BE);
 	ctr_sha(content_record,sizeof(tmd_content_chunk)*ContentCount,info_record->contentChunkHash,CTR_SHA_256);
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 9ec263ed..13762930 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -29,12 +29,11 @@ int ParseArgs(int argc, char *argv[], user_settings *usr_settings)
 	}
 	
 	// Allocating Memory for Content Path Ptrs
-	usr_settings->common.contentPath = malloc(CIA_MAX_CONTENT*sizeof(char*));
+	usr_settings->common.contentPath = calloc(CIA_MAX_CONTENT,sizeof(char*));
 	if(usr_settings->common.contentPath == NULL){
 		fprintf(stderr,"[SETTING ERROR] Not Enough Memory\n");
 		return USR_MEM_ERROR;
 	}
-	memset(usr_settings->common.contentPath,0,CIA_MAX_CONTENT*sizeof(char*));
 	
 	// Initialise Keys
 	InitKeys(&usr_settings->common.keys);
@@ -81,7 +80,7 @@ int ParseArgs(int argc, char *argv[], user_settings *usr_settings)
 		else if(usr_settings->common.workingFileType == infile_ncsd || usr_settings->common.workingFileType == infile_srl) source_path = usr_settings->common.workingFilePath;
 		else source_path = usr_settings->common.contentPath[0];
 		u16 outfile_len = strlen(source_path) + 3;
-		usr_settings->common.outFileName = malloc(outfile_len);
+		usr_settings->common.outFileName = calloc(outfile_len,sizeof(char));
 		if(!usr_settings->common.outFileName){
 			fprintf(stderr,"[SETTING ERROR] Not Enough Memory\n");
 			return USR_MEM_ERROR;
@@ -270,8 +269,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 
 		u32 app_type_len = (u32)(tmp2-tmp);
-		char *app_type = malloc(app_type_len+1);
-		memset(app_type,0,app_type_len+1);
+		char *app_type = calloc(app_type_len+1,sizeof(char));
 		memcpy(app_type,tmp,app_type_len);
 
 		if(strcasecmp(app_type,"App") == 0 || strcasecmp(app_type,"SDApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_APP;
@@ -366,7 +364,6 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		return 2;
 	}
 	// Cci Options
-#ifndef PUBLIC_BUILD
 	else if(strcmp(argv[i],"-devcardcci") == 0){
 		if(ParamNum){
 			PrintNoNeedParam("-devcardcci");
@@ -375,7 +372,6 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->cci.useSDKStockData = true;
 		return 1;
 	}
-#endif
 	else if(strcmp(argv[i],"-nomodtid") == 0){
 		if(ParamNum){
 			PrintNoNeedParam("-nomodtid");
@@ -958,15 +954,12 @@ void PrintNoNeedParam(char *arg)
 void DisplayHelp(char *app_name)
 {
 	printf("CTR MAKEROM %d.%d",MAKEROM_VER_MAJOR,MAKEROM_VER_MINOR);
-#ifndef PUBLIC_BUILD
-	printf(" PRIVATE BUILD");
-#endif
 	printf("\n(C) 3DSGuy 2014\n");
 	printf("Usage: %s [options... ]\n",app_name);
 	printf("Option          Parameter           Explanation\n");
 	printf("GLOBAL OPTIONS:\n");
 	printf(" -help                              Display this text\n");
-	printf(" -rsf           <file>              RSF File\n");
+	printf(" -rsf           <file>              Rom Specification File (*.rsf)\n");
 	printf(" -f             <cxi|cfa|cci|cia>   Output Format, defaults to 'cxi'\n");
 	//printf("                                    'cxi' CTR Executable Image\n");
 	//printf("                                    'cfa' CTR File Archive\n");
@@ -976,7 +969,8 @@ void DisplayHelp(char *app_name)
 	//printf(" -v                                 Verbose\n");
 	printf(" -DNAME=VALUE                       Substitute values in Spec files\n");
 	printf("KEY OPTIONS:\n");
-	printf(" -target        <t|d|p|c>           Target for crypto, defaults to 't'\n");
+	//printf(" -target        <t|d|p|c>           Target for crypto, defaults to 't'\n");
+	printf(" -target        <t|d|p>             Target for crypto, defaults to 't'\n");
 	printf("                                    't' Test(false) Keys & prod Certs\n");
 	printf("                                    'd' Development Keys & Certs\n");
 	printf("                                    'p' Production Keys & Certs\n");
@@ -1005,9 +999,7 @@ void DisplayHelp(char *app_name)
 	printf(" -romfs         <romfs path>        RomFS File\n");	
 	printf("CCI OPTIONS:\n");
 	printf(" -content       <filepath>:<index>  Specify content files\n");
-#ifndef PUBLIC_BUILD
 	printf(" -devcardcci                        Use SDK CardInfo Method\n");
-#endif
 	printf(" -nomodtid                          Don't Modify Content TitleIDs\n");
 	printf(" -alignwr                           Align Writeable Region to the end of last NCCH\n");
 	printf(" -genupdatenote <cver cia path>     Create Update Partition Notes\n");
diff --git a/makerom/utils.c b/makerom/utils.c
index 44dcdbb1..45b509d6 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -44,6 +44,18 @@ int CopyData(u8 **dest, u8 *source, u64 size)
 	return 0;
 }
 
+void rndset(void *ptr, u64 num)
+{
+	u8 *tmp = (u8*)ptr;
+	for(u64 i = 0; i < num ; i++)
+		tmp[i] = u8GetRand();
+}
+
+void clrmem(void *ptr, u64 num)
+{
+	memset(ptr,0,num);
+}
+
 // Misc
 u64 align(u64 value, u64 alignment)
 {
diff --git a/makerom/utils.h b/makerom/utils.h
index 930e31bc..5d3f10a1 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -10,6 +10,8 @@ typedef struct
 void char_to_u8_array(unsigned char destination[], char source[], int size, int endianness, int base);
 void endian_memcpy(u8 *destination, u8 *source, u32 size, int endianness);
 int CopyData(u8 **dest, u8 *source, u64 size);
+void rndset(void *ptr, u64 num);
+void clrmem(void *ptr, u64 num);
 
 // MISC
 u64 align(u64 value, u64 alignment);

From 21f83ca636603d40161d483c9431dfb1f38fe0e7 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 28 Jun 2014 18:41:00 +1000
Subject: [PATCH 007/317] misc

---
 makerom/user_settings.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 13762930..6bee1306 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -953,8 +953,8 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayHelp(char *app_name)
 {
-	printf("CTR MAKEROM %d.%d",MAKEROM_VER_MAJOR,MAKEROM_VER_MINOR);
-	printf("\n(C) 3DSGuy 2014\n");
+	printf("CTR MAKEROM %d.%d\n",MAKEROM_VER_MAJOR,MAKEROM_VER_MINOR);
+	printf("(C) 3DSGuy 2014\n");
 	printf("Usage: %s [options... ]\n",app_name);
 	printf("Option          Parameter           Explanation\n");
 	printf("GLOBAL OPTIONS:\n");

From 7d4f1a4092f3326564feecfe1a35ff9fd13dbcbf Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 28 Jun 2014 18:43:22 +1000
Subject: [PATCH 008/317] cleaned romfs_binary.c

---
 makerom/romfs_binary.c | 44 +++---------------------------------------
 1 file changed, 3 insertions(+), 41 deletions(-)

diff --git a/makerom/romfs_binary.c b/makerom/romfs_binary.c
index b087f207..b9cc1f02 100644
--- a/makerom/romfs_binary.c
+++ b/makerom/romfs_binary.c
@@ -58,7 +58,7 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	FilterRomFS(fs_raw,ctx->fs,filter_criteria);
 	
 	// free unfiltered FS
-	fs_PrintDir(fs_raw,0);
+	//fs_PrintDir(fs_raw,0);
 	//printf("free discarded file ptrs\n");
 	fs_FreeFiles(fs_raw); // All important FPs have been moved with FilterRomFS, so only un-wanted FPs are closed here
 	//printf("free structs in fs_raw\n");
@@ -75,7 +75,7 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	
 	// Print Filtered FS
 	//printf("print filtered FS\n");
-	fs_PrintDir(ctx->fs,0);
+	//fs_PrintDir(ctx->fs,0);
 	
 	//printf("predict romfs size\n");
 	CalcRomfsSize(ctx);
@@ -469,42 +469,4 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	}
 	
 	return;
-}
-
-/*
-int main(int argc, char **argv)
-{
-	if(argc!=3){
-		if(argc == 2) 
-			return old_main(argc,argv);
-		printf("usage: %s <dir> <out file>\n",argv[0]);
-		return -1;
-	}
-	
-	romfs_buildctx *ctx = calloc(1,sizeof(romfs_buildctx));
-	//memset(&ctx,0,sizeof(romfs_buildctx));
-	PrepareRomfsBuild(NULL, ctx, argv[1]);
-	
-	if(ctx->romfsSize){
-		ctx->output = calloc(1,ctx->romfsSize);
-		
-		int ret = RomfsBuild(ctx);
-		if(ret!=0) return -1;
-		
-		FILE *romfs = fopen(argv[2],"wb");
-		fwrite(ctx->output,ctx->romfsSize,1,romfs);
-		fclose(romfs);
-		
-		//printf("free output ptr\n");
-		free(ctx->output);
-	}
-	
-	//printf("free output\n");
-	FreeRomfsCtx(ctx);
-	//printf("free ctx\n");
-	free(ctx);
-	
-	//printf("return\n");
-	return 0;
-}
-*/
\ No newline at end of file
+}
\ No newline at end of file

From d5edefd765c9c87aeba8692bbffef11d7bd1a9ac Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 28 Jun 2014 23:34:12 +1000
Subject: [PATCH 009/317] git ignore and description

---
 .gitignore | 10 ++++++++++
 README.md  |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/.gitignore b/.gitignore
index 1598f76e..21388103 100644
--- a/.gitignore
+++ b/.gitignore
@@ -215,3 +215,13 @@ pip-log.txt
 .mr.developer.cfg
 
 *.o
+
+#CTR
+*.cxi
+*.cfa
+*.cci
+*.3ds
+*.cia
+
+#exec
+*.exe
\ No newline at end of file
diff --git a/README.md b/README.md
index 0f48df27..bbbe88e9 100644
--- a/README.md
+++ b/README.md
@@ -2,3 +2,5 @@ Project_CTR
 ===========
 
 ctrtool - updated version of neimod's ctrtool.
+
+makerom - creates CTR cxi/cfa/cci/cia files.

From 3d3bbf9bf4c8468920647e5940b9e2acc639b7a2 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 29 Jun 2014 01:39:52 +1000
Subject: [PATCH 010/317] deleted empty files

---
 makerom/makerom.h    | 0
 makerom/romfs_spec.h | 2 --
 2 files changed, 2 deletions(-)
 delete mode 100644 makerom/makerom.h
 delete mode 100644 makerom/romfs_spec.h

diff --git a/makerom/makerom.h b/makerom/makerom.h
deleted file mode 100644
index e69de29b..00000000
diff --git a/makerom/romfs_spec.h b/makerom/romfs_spec.h
deleted file mode 100644
index 3f59c932..00000000
--- a/makerom/romfs_spec.h
+++ /dev/null
@@ -1,2 +0,0 @@
-#pragma once
-

From 44ccbedee3ab4e7d7438761e0a568082a30caba0 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Mon, 14 Jul 2014 01:58:09 +1000
Subject: [PATCH 011/317] fixed deviceId corruption bug

---
 makerom/cia.c | 7 ++++++-
 makerom/cia.h | 2 +-
 makerom/tik.c | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 7d539326..f3db6be1 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -182,7 +182,12 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	}
 
 	// Ticket Data
-	rndset(ciaset->tik.ticketId,16);
+	rndset(ciaset->tik.ticketId,8);
+	clrmem(ciaset->tik.deviceId,4);
+	clrmem(ciaset->tik.eshopAccId,4);
+	ciaset->tik.licenceType = 0;
+	ciaset->tik.audit = 0;
+	
 	if(usrset->cia.randomTitleKey)
 		rndset(ciaset->common.titleKey,16);
 	else
diff --git a/makerom/cia.h b/makerom/cia.h
index 57bc0ba7..6907deaf 100644
--- a/makerom/cia.h
+++ b/makerom/cia.h
@@ -62,7 +62,7 @@ typedef struct
 		u16 version;
 
 		u8 ticketId[8];
-		u8 deviceId[8];
+		u8 deviceId[4];
 		u8 licenceType;
 		u8 audit;
 		u8 eshopAccId[4];
diff --git a/makerom/tik.c b/makerom/tik.c
index ea312f09..ba95e232 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -50,7 +50,7 @@ int SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 	else
 		rndset(hdr->encryptedTitleKey,16);
 	memcpy(hdr->ticketId,ciaset->tik.ticketId,8);
-	memcpy(hdr->deviceId,ciaset->tik.deviceId,8);
+	memcpy(hdr->deviceId,ciaset->tik.deviceId,4);
 	memcpy(hdr->titleId,ciaset->common.titleId,8);
 	u16_to_u8(hdr->ticketVersion,ciaset->tik.version,BE);
 	hdr->licenceType = ciaset->tik.licenceType;

From 1c8f323a1a577e2665ee29ca8d984d208d8f0b08 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Mon, 14 Jul 2014 02:35:02 +1000
Subject: [PATCH 012/317] fixed invalid return type

---
 makerom/yaml_parser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/yaml_parser.c b/makerom/yaml_parser.c
index 9eafb571..3107cd24 100644
--- a/makerom/yaml_parser.c
+++ b/makerom/yaml_parser.c
@@ -417,12 +417,12 @@ void SetBoolYAMLValue(bool *dest, char *key, ctr_yaml_context *ctx)
 	if(!EventIsScalar(ctx)){
 		fprintf(stderr,"[RSF ERROR] '%s' requires a value\n",key);
 		ctx->error = YAML_BAD_FORMATTING;
-		return false;
+		return;
 	}
 	if(!GetYamlStringSize(ctx)){
 		fprintf(stderr,"[RSF ERROR] '%s' requires a value\n",key);
 		ctx->error = YAML_BAD_FORMATTING;
-		return false;
+		return;
 	}
 	
 	if(casecmpYamlValue("true",ctx))

From 0d65ce286ea1bdf73b07ef0e7da9a990db361ce0 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 15 Jul 2014 15:16:43 +1000
Subject: [PATCH 013/317] got rid of magic numbers

---
 makerom/cia.c           | 30 ++++++++++++------------
 makerom/cia.h           |  1 +
 makerom/types.h         |  8 +++++++
 makerom/user_settings.c | 51 ++++++++++++++++++++++-------------------
 makerom/user_settings.h | 21 +++++++++++++++--
 5 files changed, 70 insertions(+), 41 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index f3db6be1..e820a9df 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -199,7 +199,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	if(result) return result;
 	
 	// Tmd Stuff
-	if(usrset->cia.contentId[0] > 0xffffffff)
+	if(usrset->cia.contentId[0] > MAX_U32)
 		ciaset->content.id[0] = u32GetRand();
 	else 
 		ciaset->content.id[0] = usrset->cia.contentId[0];
@@ -282,10 +282,10 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 
 int GetCIADataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key)
 {
-	extended_hdr *exhdr = malloc(0x400);
-	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,0x400);
+	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
+	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
-		CryptNCCHSection((u8*)exhdr,0x400,0,ncch_ctx,key,ncch_exhdr);
+		CryptNCCHSection((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx,key,ncch_exhdr);
 
 	u16 Category = u8_to_u16((ciaset->common.titleId+2),BE);
 	if(IsPatch(Category)||ciaset->content.IsCfa||ciaset->content.keyNotFound) 
@@ -300,25 +300,25 @@ int GetCIADataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8
 	}
 	
 	if(ciaset->content.IsCfa||ciaset->content.keyNotFound){
-		if(ciaset->common.titleVersion[0] == 0xffff){ // '-major' wasn't set
+		if(ciaset->common.titleVersion[VER_MAJOR] == MAX_U16){ // '-major' wasn't set
 			if(ciaset->content.IsCfa){ // Is a CFA and can be decrypted
 				fprintf(stderr,"[CIA ERROR] Invalid major version. Use \"-major\" option.\n");
 				return CIA_BAD_VERSION;
 			}
 			else // CXI which cannot be decrypted
-				ciaset->common.titleVersion[0] = 0;
+				ciaset->common.titleVersion[VER_MAJOR] = 0;
 		}
 	}
 	else{ // Is a CXI and can be decrypted
-		if(ciaset->common.titleVersion[0] != 0xffff){ // '-major' was set
+		if(ciaset->common.titleVersion[VER_MAJOR] != MAX_U16){ // '-major' was set
 			fprintf(stderr,"[CIA ERROR] Option \"-major\" cannot be applied for cxi.\n");
 			return CIA_BAD_VERSION;
 		}
 		// Setting remaster ver
-		ciaset->common.titleVersion[0] = GetRemasterVersion_frm_exhdr(exhdr);
+		ciaset->common.titleVersion[VER_MAJOR] = GetRemasterVersion_frm_exhdr(exhdr);
 	}
 
-	u16 version = SetupVersion(ciaset->common.titleVersion[0],ciaset->common.titleVersion[1],ciaset->common.titleVersion[2]);
+	u16 version = SetupVersion(ciaset->common.titleVersion[VER_MAJOR],ciaset->common.titleVersion[VER_MINOR],ciaset->common.titleVersion[VER_MICRO]);
 	ciaset->tik.version = version;
 	ciaset->tmd.version = version;
 
@@ -331,10 +331,10 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key
 	if(ciaset->content.IsCfa || ciaset->content.keyNotFound) 
 		return 0;
 
-	extended_hdr *exhdr = malloc(0x400);
-	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,0x400);
+	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
+	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
-		CryptNCCHSection((u8*)exhdr,0x400,0,ncch_ctx,key,ncch_exhdr);
+		CryptNCCHSection((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx,key,ncch_exhdr);
 
 	exefs_hdr *exefsHdr = malloc(sizeof(exefs_hdr));
 	memcpy(exefsHdr,ncch+ncch_ctx->exefsOffset,sizeof(exefs_hdr));
@@ -346,7 +346,7 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key
 	for(int i = 0; i < MAX_EXEFS_SECTIONS; i++){
 		if(strncmp(exefsHdr->fileHdr[i].name,"icon",8) == 0){
 			icon_size = u8_to_u32(exefsHdr->fileHdr[i].size,LE);
-			icon_offset = u8_to_u32(exefsHdr->fileHdr[i].offset,LE) + 0x200;
+			icon_offset = u8_to_u32(exefsHdr->fileHdr[i].offset,LE) + sizeof(exefs_hdr);
 		}
 	}
 
@@ -392,7 +392,7 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 			ciaset->content.fileSize[j] = GetFileSize_u64(usrset->common.contentPath[i]);
 			ciaset->content.filePtrs[j] = fopen(usrset->common.contentPath[i],"rb");
 			
-			if(usrset->cia.contentId[i] == 0x100000000)
+			if(usrset->cia.contentId[i] > MAX_U32)
 				ciaset->content.id[j] = u32GetRand(); 
 			else 
 				ciaset->content.id[j] = (u32)usrset->cia.contentId[i];
@@ -409,7 +409,7 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 				return FAILED_TO_OPEN_FILE; 
 			}
 
-			ciaset->content.size[j] = align(calcSize,0x10);
+			ciaset->content.size[j] = align(calcSize,CIA_CONTENT_ALIGN);
 			ciaset->content.offset[j] = ciaset->content.totalSize;
 			
 			ciaset->content.totalSize += ciaset->content.size[j];
diff --git a/makerom/cia.h b/makerom/cia.h
index 6907deaf..b810049d 100644
--- a/makerom/cia.h
+++ b/makerom/cia.h
@@ -1,6 +1,7 @@
 #pragma once
 
 static const int CIA_ALIGN_SIZE = 0x40;
+static const int CIA_CONTENT_ALIGN = 0x10;
 
 // Enums
 typedef enum
diff --git a/makerom/types.h b/makerom/types.h
index 8c4123d9..c12d2427 100644
--- a/makerom/types.h
+++ b/makerom/types.h
@@ -28,6 +28,14 @@ typedef enum
 	GB = 1073741824
 } file_unit_size;
 
+typedef enum
+{
+	MAX_U8 = 0xff,
+	MAX_U16 = 0xffff,
+	MAX_U32 = 0xffffffff,
+	MAX_U64 = 0xffffffffffffffff,
+} data_type_max;
+
 typedef unsigned char   u8;
 typedef unsigned short  u16;
 typedef unsigned int    u32;
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 6bee1306..a5ebd120 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -76,9 +76,12 @@ int ParseArgs(int argc, char *argv[], user_settings *usr_settings)
 
 	if(!usr_settings->common.outFileName){
 		char *source_path = NULL;
-		if(usr_settings->ncch.buildNcch0) source_path = usr_settings->common.rsfPath;
-		else if(usr_settings->common.workingFileType == infile_ncsd || usr_settings->common.workingFileType == infile_srl) source_path = usr_settings->common.workingFilePath;
-		else source_path = usr_settings->common.contentPath[0];
+		if(usr_settings->ncch.buildNcch0) 
+			source_path = usr_settings->common.rsfPath;
+		else if(usr_settings->common.workingFileType == infile_ncsd || usr_settings->common.workingFileType == infile_srl) 
+			source_path = usr_settings->common.workingFilePath;
+		else 
+			source_path = usr_settings->common.contentPath[0];
 		u16 outfile_len = strlen(source_path) + 3;
 		usr_settings->common.outFileName = calloc(outfile_len,sizeof(char));
 		if(!usr_settings->common.outFileName){
@@ -117,11 +120,11 @@ void SetDefaults(user_settings *set)
 
 	// CIA Info
 	set->cia.useDataTitleVer = false;
-	set->cia.titleVersion[0] = 0xffff; // invalid for detection
+	set->cia.titleVersion[VER_MAJOR] = MAX_U16 // invalid so changes can be detected
 	set->cia.randomTitleKey = false;
-	set->common.keys.aes.currentCommonKey = 0x100; // invalid for detection
+	set->common.keys.aes.currentCommonKey = MAX_U8 + 1; // invalid so changes can be detected
 	for(int i = 0; i < CIA_MAX_CONTENT; i++){
-		set->cia.contentId[i] = 0x100000000;
+		set->cia.contentId[i] = MAX_U32 + 1; // invalid so changes can be detected
 	}
 }
 
@@ -276,7 +279,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		else if(strcasecmp(app_type,"ECApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_EC_APP;
 		else if(strcasecmp(app_type,"Demo") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DEMO;
 		else if(strcasecmp(app_type,"DlpChild") == 0 || strcasecmp(app_type,"Dlp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DLP;
-		else if(strcasecmp(app_type,"FIRM") == 0) set->common.keys.accessDescSign.presetType = desc_preset_FIRM;
+		//else if(strcasecmp(app_type,"FIRM") == 0) set->common.keys.accessDescSign.presetType = desc_preset_FIRM;
 		else{
 			fprintf(stderr,"[SETTING ERROR] Accessdesc AppType preset '%s' not valid, please manually configure RSF\n",app_type);
 			return USR_BAD_ARG;
@@ -404,12 +407,12 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
-		u32 tmp = strtoul(argv[i+1],NULL,10);
-		if(tmp > 63){
-			fprintf(stderr,"[SETTING ERROR] Major version: '%d' is too large, max: '63'\n",tmp);
+		u32 ver = strtoul(argv[i+1],NULL,10);
+		if(ver > VER_MAJOR_MAX){
+			fprintf(stderr,"[SETTING ERROR] Major version: '%d' is too large, max: '%d'\n",ver,VER_MAJOR_MAX);
 			return USR_BAD_ARG;
 		}
-		set->cia.titleVersion[0] = tmp;
+		set->cia.titleVersion[VER_MAJOR] = ver;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-minor") == 0){
@@ -418,12 +421,12 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
-		u32 tmp = strtoul(argv[i+1],NULL,10);
-		if(tmp > 63){
-			fprintf(stderr,"[SETTING ERROR] Minor version: '%d' is too large, max: '63'\n",tmp);
+		u32 ver = strtoul(argv[i+1],NULL,10);
+		if(ver > VER_MINOR_MAX){
+			fprintf(stderr,"[SETTING ERROR] Minor version: '%d' is too large, max: '%d'\n",ver,VER_MINOR_MAX);
 			return USR_BAD_ARG;
 		}
-		set->cia.titleVersion[1] = tmp;
+		set->cia.titleVersion[VER_MINOR] = ver;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-micro") == 0){
@@ -431,12 +434,12 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam("-micro",1);
 			return USR_ARG_REQ_PARAM;
 		}
-		u32 tmp = strtoul(argv[i+1],NULL,10);
-		if(tmp > 15){
-			fprintf(stderr,"[SETTING ERROR] Micro version: '%d' is too large, max: '15'\n",tmp);
+		u32 ver = strtoul(argv[i+1],NULL,10);
+		if(ver > VER_MICRO_MAX){
+			fprintf(stderr,"[SETTING ERROR] Micro version: '%d' is too large, max: '%d'\n",ver,VER_MICRO_MAX);
 			return USR_BAD_ARG;
 		}
-		set->cia.titleVersion[2] = tmp;
+		set->cia.titleVersion[VER_MICRO] = ver;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-dver") == 0){
@@ -445,13 +448,13 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useDataTitleVer = true;
-		u32 tmp = strtoul(argv[i+1],NULL,10);
-		if(tmp > 4095){
-			fprintf(stderr,"[SETTING ERROR] Data version: '%d' is too large, max: '4095'\n",tmp);
+		u32 ver = strtoul(argv[i+1],NULL,10);
+		if(ver > VER_DVER_MAX){
+			fprintf(stderr,"[SETTING ERROR] Data version: '%d' is too large, max: '%d'\n",ver,VER_DVER_MAX);
 			return USR_BAD_ARG;
 		}
-		set->cia.titleVersion[0] = (tmp >> 6) & 63;
-		set->cia.titleVersion[1] = tmp & 63;
+		set->cia.titleVersion[VER_MAJOR] = (ver >> 6) & VER_MAJOR_MAX;
+		set->cia.titleVersion[VER_MINOR] = ver & VER_MAJOR_MAX;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-rand") == 0){
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 54985f37..19342db5 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -1,8 +1,25 @@
 #pragma once
 
-#define CCI_MAX_CONTENT 8
-#define CIA_MAX_CONTENT 65536
+typedef enum
+{
+	CCI_MAX_CONTENT = 8,
+	CIA_MAX_CONTENT = MAX_U16,
+} content_limits;
 
+typedef enum
+{
+	VER_MAJOR,
+	VER_MINOR,
+	VER_MICRO
+} title_ver_index;
+
+typedef enum
+{
+	VER_MAJOR_MAX = 63,
+	VER_MINOR_MAX = 63,
+	VER_MICRO_MAX = 15,
+	VER_DVER_MAX = 4095,
+} title_ver_max;
 
 typedef enum
 {

From 1b11fb881a12c3fa1f4d7dfc612b87645b7e3066 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 15 Jul 2014 19:31:58 +1000
Subject: [PATCH 014/317] misc

---
 makerom/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index a5ebd120..435d0057 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -120,7 +120,7 @@ void SetDefaults(user_settings *set)
 
 	// CIA Info
 	set->cia.useDataTitleVer = false;
-	set->cia.titleVersion[VER_MAJOR] = MAX_U16 // invalid so changes can be detected
+	set->cia.titleVersion[VER_MAJOR] = MAX_U16; // invalid so changes can be detected
 	set->cia.randomTitleKey = false;
 	set->common.keys.aes.currentCommonKey = MAX_U8 + 1; // invalid so changes can be detected
 	for(int i = 0; i < CIA_MAX_CONTENT; i++){

From a021c82330c714128b075a561b7bebc2135ff497 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 15 Jul 2014 19:34:14 +1000
Subject: [PATCH 015/317] makefile misc

removed windows makefile functions, proper mingw setups include "rm" and
the likes.
---
 makerom/Makefile | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index 79e3eadb..73ea76fc 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -32,9 +32,4 @@ build: $(OBJS) $(POLAR_OBJS) $(YAML_OBJS)
 	g++ -o $(OUTPUT) $(LIBS) $(OBJS) $(POLAR_OBJS) $(YAML_OBJS) -m64
 
 clean:
-	rm -rf $(OUTPUT) $(OBJS) $(POLAR_OBJS) $(YAML_OBJS) *.cci *.cia *.cxi *.cfa
-	
-# Windows compatibility
-rebuildwin: cleanwin build
-cleanwin:
-	del /Q objs $(OUTPUT).exe *.o polarssl\*.o libyaml\*.o *.cci *.cia *.cxi *.cfa
+	rm -rf $(OUTPUT) $(OBJS) $(POLAR_OBJS) $(YAML_OBJS) *.cci *.cia *.cxi *.cfa
\ No newline at end of file

From fc2ed91ad16b0d7da17ec8b2f0cc9efb000f8c16 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 15 Jul 2014 20:56:33 +1000
Subject: [PATCH 016/317] makerom: cxi or cfa now detected

no need to specify cxi/cfa, it is now implied by the CLI args. "-elf",
"-code" or "-exheader" imply cxi,
---
 makerom/Makefile        |  2 +-
 makerom/user_settings.c | 84 +++++++++++++++++++++--------------------
 makerom/user_settings.h |  3 +-
 3 files changed, 46 insertions(+), 43 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index 73ea76fc..36c952e0 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -21,7 +21,7 @@ CC = gcc
 # MAKEROM Build Settings
 MAKEROM_BUILD_FLAGS = #-DDEBUG
 VER_MAJOR = 0
-VER_MINOR = 9
+VER_MINOR = 10
 OUTPUT = makerom
 
 main: build
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 435d0057..b1af1e8e 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -101,12 +101,12 @@ void SetDefaults(user_settings *set)
 	set->common.keys.accessDescSign.presetType = desc_preset_NONE;
 
 	// Build NCCH Info
-	set->ncch.buildNcch0 = true;
+	set->ncch.buildNcch0 = false;
 	set->ncch.includeExefsLogo = false;
-	set->common.outFormat = CXI;
+	set->common.outFormat = NCCH;
 	set->ncch.ncchType = format_not_set;
 
-	// Yaml Settings
+	// RSF Settings
 	set->common.rsfSet.Option.EnableCompress = true;
 	set->common.rsfSet.Option.EnableCrypt = true;
 	set->common.rsfSet.Option.UseOnSD = false;
@@ -131,12 +131,8 @@ void SetDefaults(user_settings *set)
 int SetArgument(int argc, int i, char *argv[], user_settings *set)
 {
 	u16 ParamNum = 0;
-	for(int j = i+1; j < argc; j++)
-	{
-		if(argv[j][0] == '-')
-			break;
+	for(int j = i+1; j < argc && argv[j][0] != '-'; j++)
 		ParamNum++;
-	}
 
 	// Global Settings
 	if(strcmp(argv[i],"-rsf") == 0){
@@ -152,10 +148,12 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam("-f",1);
 			return USR_ARG_REQ_PARAM;
 		}
-		if(strcasecmp(argv[i+1],"cxi") == 0 || strcasecmp(argv[i+1],"exec") == 0 ) set->common.outFormat = CXI;
-		else if(strcasecmp(argv[i+1],"cfa") == 0 || strcasecmp(argv[i+1],"data") == 0 ) set->common.outFormat = CFA;
-		else if(strcasecmp(argv[i+1],"cci") == 0 || strcasecmp(argv[i+1],"card") == 0 ) set->common.outFormat = CCI;
-		else if(strcasecmp(argv[i+1],"cia") == 0) set->common.outFormat = CIA;
+		if(strcasecmp(argv[i+1],"ncch") == 0) 
+			set->common.outFormat = NCCH;
+		else if(strcasecmp(argv[i+1],"cci") == 0)
+			set->common.outFormat = CCI;
+		else if(strcasecmp(argv[i+1],"cia") == 0)
+			set->common.outFormat = CIA;
 		else {
 			fprintf(stderr,"[SETTING ERROR] Invalid output format '%s'\n",argv[i+1]);
 			return USR_BAD_ARG;
@@ -228,6 +226,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.elfPath = argv[i+1];
+		set->ncch.ncchType |= CXI;
 		return 2;
 	}
 	
@@ -237,6 +236,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.iconPath = argv[i+1];
+		set->ncch.ncchType |= CFA;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-banner") == 0){
@@ -245,6 +245,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.bannerPath = argv[i+1];
+		set->ncch.ncchType |= CFA;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-logo") == 0){
@@ -253,6 +254,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.logoPath = argv[i+1];
+		set->ncch.ncchType |= CFA;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-desc") == 0){
@@ -313,7 +315,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			default:
 				break;
 		}
-
+		set->ncch.ncchType |= CXI;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-exefslogo") == 0){
@@ -322,14 +324,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_BAD_ARG;
 		}
 		set->ncch.includeExefsLogo = true;
-		return 1;
-	}
-	else if(strcmp(argv[i],"-data") == 0){
-		if(ParamNum){
-			PrintNoNeedParam("-data");
-			return USR_ARG_REQ_PARAM;
-		}
-		set->ncch.ncchType = CFA;
+		set->ncch.ncchType |= CFA;
 		return 1;
 	}
 
@@ -340,6 +335,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.codePath = argv[i+1];
+		set->ncch.ncchType |= CXI;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-exheader") == 0){
@@ -348,6 +344,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.exheaderPath = argv[i+1];
+		set->ncch.ncchType |= CXI;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-plain-region") == 0){
@@ -356,6 +353,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.plainRegionPath = argv[i+1];
+		set->ncch.ncchType |= CXI;
 		return 2;
 	}
 	else if(strcmp(argv[i],"-romfs") == 0){
@@ -364,6 +362,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.romfsPath = argv[i+1];
+		set->ncch.ncchType |= CFA;
 		return 2;
 	}
 	// Cci Options
@@ -618,6 +617,23 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 
 int CheckArgumentCombination(user_settings *set)
 {
+	if(set->ncch.ncchType & (CXI|CFA)){
+		set->ncch.buildNcch0 = true;
+		if(set->ncch.ncchType & CXI)
+			set->ncch.ncchType = CXI;
+		else
+			set->ncch.ncchType = CFA;			
+	}		
+	
+	if(set->common.outFormat == NCCH){
+		if(set->ncch.ncchType)
+			set->common.outFormat = set->ncch.ncchType;
+		else{
+			set->ncch.ncchType = CXI;
+			set->common.outFormat = CXI;
+		}
+	}
+
 	for(int i = 0; i < CIA_MAX_CONTENT; i++){
 		if( i > CCI_MAX_CONTENT-1 && set->common.contentPath[i] && set->common.outFormat == CCI){
 			fprintf(stderr,"[SETTING ERROR] Content indexes > %d are invalid for CCI\n",CCI_MAX_CONTENT-1);
@@ -628,12 +644,9 @@ int CheckArgumentCombination(user_settings *set)
 			return USR_BAD_ARG;
 		}
 	}
-	if((set->common.outFormat == CXI || set->common.outFormat == CFA) && set->ncch.ncchType != format_not_set){
-		fprintf(stderr,"[SETTING ERROR] Arguments \"-f cxi|cfa\" and \"-data\" cannot be used together\n");
-		return USR_BAD_ARG;
-	}
-	if(set->ncch.ncchType != format_not_set && !set->ncch.buildNcch0){
-		fprintf(stderr,"[SETTING ERROR] Arguments \"-content %s:0\" and \"-data\" cannot be used together\n",set->common.contentPath[0]);
+	
+	if(set->common.contentPath[0] && set->ncch.buildNcch0){
+		fprintf(stderr,"[SETTING ERROR] You cannot both import and build content 0\n");
 		return USR_BAD_ARG;
 	}
 
@@ -652,12 +665,6 @@ int CheckArgumentCombination(user_settings *set)
 		return USR_BAD_ARG;
 	}
 
-	// Setting set->build_ncch_type if it isn't already set
-	if(set->ncch.buildNcch0 && set->ncch.ncchType == format_not_set){
-		if(set->common.outFormat == CCI || set->common.outFormat  == CIA) set->ncch.ncchType = CXI;
-		else set->ncch.ncchType = set->common.outFormat;
-	}
-
 	bool buildCXI = set->ncch.ncchType == CXI;
 	bool buildCFA = set->ncch.ncchType == CFA;
 	// Detecting Required Arguments
@@ -944,7 +951,7 @@ void PrintArgInvalid(char *arg)
 void PrintArgReqParam(char *arg, u32 paramNum)
 {
 	if(paramNum == 1)
-		fprintf(stderr,"[SETTING ERROR] \"%s\" requires a parameter\n",arg);
+		fprintf(stderr,"[SETTING ERROR] \"%s\" takes one parameter\n",arg);
 	else
 		fprintf(stderr,"[SETTING ERROR] \"%s\" requires %d parameters\n",arg,paramNum);
 }
@@ -963,14 +970,10 @@ void DisplayHelp(char *app_name)
 	printf("GLOBAL OPTIONS:\n");
 	printf(" -help                              Display this text\n");
 	printf(" -rsf           <file>              Rom Specification File (*.rsf)\n");
-	printf(" -f             <cxi|cfa|cci|cia>   Output Format, defaults to 'cxi'\n");
-	//printf("                                    'cxi' CTR Executable Image\n");
-	//printf("                                    'cfa' CTR File Archive\n");
-	//printf("                                    'cci' CTR Card Image\n");
-	//printf("                                    'cia' CTR Importable Archive\n");
+	printf(" -f             <ncch|cci|cia>      Output Format, defaults to 'ncch'\n");
 	printf(" -o             <file>              Output File\n");
 	//printf(" -v                                 Verbose\n");
-	printf(" -DNAME=VALUE                       Substitute values in Spec files\n");
+	printf(" -DNAME=VALUE                       Substitute values in Spec file\n");
 	printf("KEY OPTIONS:\n");
 	//printf(" -target        <t|d|p|c>           Target for crypto, defaults to 't'\n");
 	printf(" -target        <t|d|p>             Target for crypto, defaults to 't'\n");
@@ -994,7 +997,6 @@ void DisplayHelp(char *app_name)
 	//printf("                                    'Dlp'   NAND DLP Child Application\n");
 	//printf("                                    'FIRM'  FIRM CXI\n");
 	printf(" -exefslogo                         Include Logo in ExeFs (Required for usage on <5.X Systems)\n");
-	printf(" -data                              Specify if building a Data Archive when \"-f cia\"\n");
 	printf("NCCH REBUILD OPTIONS:\n");
 	printf(" -code          <code path>         Specify ExeFs code File\n");
 	printf(" -exheader      <exhdr path>        ExHeader Template File\n");
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 19342db5..ab9caa96 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -45,7 +45,8 @@ typedef enum
 	CXI,
 	CFA,
 	CCI,
-	CIA
+	CIA,
+	NCCH
 } output_format;
 
 typedef struct

From 83ac682594b494d22c0d7c0aac5e8fe99f9a95ae Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 15 Jul 2014 21:19:58 +1000
Subject: [PATCH 017/317] moved rsf stuff from user_set to rsf_set

---
 makerom/lib.h           |   3 +-
 makerom/rsf_settings.c  | 187 +++++++++++++++++++++++++++++++++++++++-
 makerom/rsf_settings.h  |   5 +-
 makerom/user_settings.c | 187 ----------------------------------------
 makerom/user_settings.h |  36 ++++----
 makerom/yaml_parser.h   |   2 +
 6 files changed, 208 insertions(+), 212 deletions(-)

diff --git a/makerom/lib.h b/makerom/lib.h
index 15a0284a..1799a9f3 100644
--- a/makerom/lib.h
+++ b/makerom/lib.h
@@ -30,7 +30,8 @@
 
 #include "keyset.h"
 #include "user_settings.h"
-#include "libyaml/yaml.h"
 #include "yaml_parser.h"
+#include "rsf_settings.h"
+
 
 
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index 7d876ee2..84c3edc6 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -1,5 +1,4 @@
 #include "lib.h"
-#include "rsf_settings.h"
 
 void EvaluateRSF(rsf_settings *rsf, ctr_yaml_context *ctx)
 {
@@ -372,4 +371,190 @@ void GET_CommonHeaderKey(ctr_yaml_context *ctx, rsf_settings *rsf)
 		GetEvent(ctx);
 	}
 	FinishEvent(ctx);
+}
+
+void free_RsfSettings(rsf_settings *set)
+{
+	//Option
+	free(set->Option.PageSize);
+	/*
+	for(u32 i = 0; i < set->Option.AppendSystemCallNum; i++){
+		free(set->Option.AppendSystemCall[i]);
+	}
+	free(set->Option.AppendSystemCall);
+	*/
+
+	//AccessControlInfo
+	//free(set->AccessControlInfo.ProgramId);
+	free(set->AccessControlInfo.IdealProcessor);
+	free(set->AccessControlInfo.Priority);
+	free(set->AccessControlInfo.MemoryType);
+	free(set->AccessControlInfo.SystemMode);
+	free(set->AccessControlInfo.CoreVersion);
+	free(set->AccessControlInfo.HandleTableSize);
+	free(set->AccessControlInfo.SystemSaveDataId1);
+	free(set->AccessControlInfo.SystemSaveDataId2);
+	free(set->AccessControlInfo.OtherUserSaveDataId1);
+	free(set->AccessControlInfo.OtherUserSaveDataId2);
+	free(set->AccessControlInfo.OtherUserSaveDataId3);
+	free(set->AccessControlInfo.ExtSaveDataId);
+	free(set->AccessControlInfo.SystemMode);	
+	free(set->AccessControlInfo.AffinityMask);
+	free(set->AccessControlInfo.DescVersion);
+	//free(set->AccessControlInfo.CryptoKey);
+	free(set->AccessControlInfo.ResourceLimitCategory);
+	free(set->AccessControlInfo.ReleaseKernelMajor);
+	free(set->AccessControlInfo.ReleaseKernelMinor);
+	free(set->AccessControlInfo.MaxCpu);
+
+	for(u32 i = 0; i < set->AccessControlInfo.MemoryMappingNum; i++){
+		free(set->AccessControlInfo.MemoryMapping[i]);
+	}
+	free(set->AccessControlInfo.MemoryMapping);
+	
+	for(u32 i = 0; i < set->AccessControlInfo.IORegisterMappingNum; i++){
+		free(set->AccessControlInfo.IORegisterMapping[i]);
+	}
+	free(set->AccessControlInfo.IORegisterMapping);
+	
+	for(u32 i = 0; i < set->AccessControlInfo.FileSystemAccessNum; i++){
+		free(set->AccessControlInfo.FileSystemAccess[i]);
+	}
+	free(set->AccessControlInfo.FileSystemAccess);
+	
+	for(u32 i = 0; i < set->AccessControlInfo.IoAccessControlNum; i++){
+		free(set->AccessControlInfo.IoAccessControl[i]);
+	}
+	free(set->AccessControlInfo.IoAccessControl);
+	
+	for(u32 i = 0; i < set->AccessControlInfo.InterruptNumbersNum; i++){
+		free(set->AccessControlInfo.InterruptNumbers[i]);
+	}
+	free(set->AccessControlInfo.InterruptNumbers);
+	
+	for(u32 i = 0; i < set->AccessControlInfo.SystemCallAccessNum; i++){
+		free(set->AccessControlInfo.SystemCallAccess[i]);
+	}
+	free(set->AccessControlInfo.SystemCallAccess);
+	
+	for(u32 i = 0; i < set->AccessControlInfo.ServiceAccessControlNum; i++){
+		free(set->AccessControlInfo.ServiceAccessControl[i]);
+	}
+	free(set->AccessControlInfo.ServiceAccessControl);
+	
+	for(u32 i = 0; i < set->AccessControlInfo.StorageIdNum; i++){
+		free(set->AccessControlInfo.StorageId[i]);
+	}
+	free(set->AccessControlInfo.StorageId);
+
+	for(u32 i = 0; i < set->AccessControlInfo.AccessibleSaveDataIdsNum; i++){
+		free(set->AccessControlInfo.AccessibleSaveDataIds[i]);
+	}
+	free(set->AccessControlInfo.AccessibleSaveDataIds);
+	
+	//SystemControlInfo
+	free(set->SystemControlInfo.AppType);
+	free(set->SystemControlInfo.StackSize);
+	free(set->SystemControlInfo.RemasterVersion);
+	free(set->SystemControlInfo.SaveDataSize);
+	free(set->SystemControlInfo.JumpId);
+	
+	for(u32 i = 0; i < set->SystemControlInfo.DependencyNum; i++){
+		free(set->SystemControlInfo.Dependency[i]);
+	}
+	free(set->SystemControlInfo.Dependency);
+	
+	//BasicInfo
+	free(set->BasicInfo.Title);
+	free(set->BasicInfo.CompanyCode);
+	free(set->BasicInfo.ProductCode);
+	free(set->BasicInfo.ContentType);
+	free(set->BasicInfo.Logo);
+	//free(set->BasicInfo.BackupMemoryType);
+	//free(set->BasicInfo.InitialCode);
+	
+	//Rom
+	free(set->Rom.HostRoot);
+	//free(set->Rom.Padding);
+	
+	for(u32 i = 0; i < set->Rom.DefaultRejectNum; i++){
+		free(set->Rom.DefaultReject[i]);
+	}
+	free(set->Rom.DefaultReject);
+	
+	for(u32 i = 0; i < set->Rom.RejectNum; i++){
+		free(set->Rom.Reject[i]);
+	}
+	free(set->Rom.Reject);
+	
+	for(u32 i = 0; i < set->Rom.IncludeNum; i++){
+		free(set->Rom.Include[i]);
+	}
+	free(set->Rom.Include);
+	
+	for(u32 i = 0; i < set->Rom.FileNum; i++){
+		free(set->Rom.File[i]);
+	}
+	free(set->Rom.File);
+	
+	//ExeFs
+	for(u32 i = 0; i < set->ExeFs.TextNum; i++){
+		free(set->ExeFs.Text[i]);
+	}
+	free(set->ExeFs.Text);
+	
+	for(u32 i = 0; i < set->ExeFs.ReadOnlyNum; i++){
+		free(set->ExeFs.ReadOnly[i]);
+	}
+	free(set->ExeFs.ReadOnly);
+	
+	for(u32 i = 0; i < set->ExeFs.ReadWriteNum; i++){
+		free(set->ExeFs.ReadWrite[i]);
+	}
+	free(set->ExeFs.ReadWrite);
+	
+	//PlainRegion
+	for(u32 i = 0; i < set->PlainRegionNum; i++){
+		free(set->PlainRegion[i]);
+	}
+	free(set->PlainRegion);
+	
+	//TitleInfo
+	//free(set->TitleInfo.Platform);
+	free(set->TitleInfo.Category);
+	free(set->TitleInfo.UniqueId);
+	free(set->TitleInfo.Version);
+	free(set->TitleInfo.ContentsIndex);
+	free(set->TitleInfo.Variation);
+	//free(set->TitleInfo.Use);
+	free(set->TitleInfo.ChildIndex);
+	free(set->TitleInfo.DemoIndex);
+	free(set->TitleInfo.TargetCategory);
+	
+	for(u32 i = 0; i < set->TitleInfo.CategoryFlagsNum; i++){
+		free(set->TitleInfo.CategoryFlags[i]);
+	}
+	free(set->TitleInfo.CategoryFlags);
+	
+	//CardInfo
+	free(set->CardInfo.WritableAddress);
+	free(set->CardInfo.CardType);
+	free(set->CardInfo.CryptoType);
+	free(set->CardInfo.CardDevice);
+	free(set->CardInfo.MediaType);
+	free(set->CardInfo.MediaSize);
+	free(set->CardInfo.BackupWriteWaitTime);
+	free(set->CardInfo.SaveCrypto);
+
+	//CommonHeaderKey
+	free(set->CommonHeaderKey.D);
+	free(set->CommonHeaderKey.P);
+	free(set->CommonHeaderKey.Q);
+	free(set->CommonHeaderKey.DP);
+	free(set->CommonHeaderKey.DQ);
+	free(set->CommonHeaderKey.InverseQ);
+	free(set->CommonHeaderKey.Modulus);
+	free(set->CommonHeaderKey.Exponent);
+	free(set->CommonHeaderKey.AccCtlDescSign);
+	free(set->CommonHeaderKey.AccCtlDescBin);
 }
\ No newline at end of file
diff --git a/makerom/rsf_settings.h b/makerom/rsf_settings.h
index 9ef4015b..2b355fcd 100644
--- a/makerom/rsf_settings.h
+++ b/makerom/rsf_settings.h
@@ -1,6 +1,5 @@
 #pragma once
 
-int MergeSpecData(rsf_settings *out, rsf_settings *desc, rsf_settings *rsf);
 void EvaluateRSF(rsf_settings *rsf, ctr_yaml_context *ctx);
 
 void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf);
@@ -12,4 +11,6 @@ void GET_ExeFs(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_PlainRegion(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_TitleInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_CardInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_CommonHeaderKey(ctr_yaml_context *ctx, rsf_settings *rsf);
\ No newline at end of file
+void GET_CommonHeaderKey(ctr_yaml_context *ctx, rsf_settings *rsf);
+
+void free_RsfSettings(rsf_settings *set);
\ No newline at end of file
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index b1af1e8e..a2e8ffdd 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -715,193 +715,6 @@ void init_UserSettings(user_settings *usr_settings)
 	memset(usr_settings,0,sizeof(user_settings));
 }
 
-
-void free_RsfSettings(rsf_settings *set)
-{
-	//Option
-	free(set->Option.PageSize);
-	/*
-	for(u32 i = 0; i < set->Option.AppendSystemCallNum; i++){
-		free(set->Option.AppendSystemCall[i]);
-	}
-	free(set->Option.AppendSystemCall);
-	*/
-
-	//AccessControlInfo
-	//free(set->AccessControlInfo.ProgramId);
-	free(set->AccessControlInfo.IdealProcessor);
-	free(set->AccessControlInfo.Priority);
-	free(set->AccessControlInfo.MemoryType);
-	free(set->AccessControlInfo.SystemMode);
-	free(set->AccessControlInfo.CoreVersion);
-	free(set->AccessControlInfo.HandleTableSize);
-	free(set->AccessControlInfo.SystemSaveDataId1);
-	free(set->AccessControlInfo.SystemSaveDataId2);
-	free(set->AccessControlInfo.OtherUserSaveDataId1);
-	free(set->AccessControlInfo.OtherUserSaveDataId2);
-	free(set->AccessControlInfo.OtherUserSaveDataId3);
-	free(set->AccessControlInfo.ExtSaveDataId);
-	free(set->AccessControlInfo.SystemMode);	
-	free(set->AccessControlInfo.AffinityMask);
-	free(set->AccessControlInfo.DescVersion);
-	//free(set->AccessControlInfo.CryptoKey);
-	free(set->AccessControlInfo.ResourceLimitCategory);
-	free(set->AccessControlInfo.ReleaseKernelMajor);
-	free(set->AccessControlInfo.ReleaseKernelMinor);
-	free(set->AccessControlInfo.MaxCpu);
-
-	for(u32 i = 0; i < set->AccessControlInfo.MemoryMappingNum; i++){
-		free(set->AccessControlInfo.MemoryMapping[i]);
-	}
-	free(set->AccessControlInfo.MemoryMapping);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.IORegisterMappingNum; i++){
-		free(set->AccessControlInfo.IORegisterMapping[i]);
-	}
-	free(set->AccessControlInfo.IORegisterMapping);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.FileSystemAccessNum; i++){
-		free(set->AccessControlInfo.FileSystemAccess[i]);
-	}
-	free(set->AccessControlInfo.FileSystemAccess);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.IoAccessControlNum; i++){
-		free(set->AccessControlInfo.IoAccessControl[i]);
-	}
-	free(set->AccessControlInfo.IoAccessControl);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.InterruptNumbersNum; i++){
-		free(set->AccessControlInfo.InterruptNumbers[i]);
-	}
-	free(set->AccessControlInfo.InterruptNumbers);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.SystemCallAccessNum; i++){
-		free(set->AccessControlInfo.SystemCallAccess[i]);
-	}
-	free(set->AccessControlInfo.SystemCallAccess);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.ServiceAccessControlNum; i++){
-		free(set->AccessControlInfo.ServiceAccessControl[i]);
-	}
-	free(set->AccessControlInfo.ServiceAccessControl);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.StorageIdNum; i++){
-		free(set->AccessControlInfo.StorageId[i]);
-	}
-	free(set->AccessControlInfo.StorageId);
-
-	for(u32 i = 0; i < set->AccessControlInfo.AccessibleSaveDataIdsNum; i++){
-		free(set->AccessControlInfo.AccessibleSaveDataIds[i]);
-	}
-	free(set->AccessControlInfo.AccessibleSaveDataIds);
-	
-	//SystemControlInfo
-	free(set->SystemControlInfo.AppType);
-	free(set->SystemControlInfo.StackSize);
-	free(set->SystemControlInfo.RemasterVersion);
-	free(set->SystemControlInfo.SaveDataSize);
-	free(set->SystemControlInfo.JumpId);
-	
-	for(u32 i = 0; i < set->SystemControlInfo.DependencyNum; i++){
-		free(set->SystemControlInfo.Dependency[i]);
-	}
-	free(set->SystemControlInfo.Dependency);
-	
-	//BasicInfo
-	free(set->BasicInfo.Title);
-	free(set->BasicInfo.CompanyCode);
-	free(set->BasicInfo.ProductCode);
-	free(set->BasicInfo.ContentType);
-	free(set->BasicInfo.Logo);
-	//free(set->BasicInfo.BackupMemoryType);
-	//free(set->BasicInfo.InitialCode);
-	
-	//Rom
-	free(set->Rom.HostRoot);
-	//free(set->Rom.Padding);
-	
-	for(u32 i = 0; i < set->Rom.DefaultRejectNum; i++){
-		free(set->Rom.DefaultReject[i]);
-	}
-	free(set->Rom.DefaultReject);
-	
-	for(u32 i = 0; i < set->Rom.RejectNum; i++){
-		free(set->Rom.Reject[i]);
-	}
-	free(set->Rom.Reject);
-	
-	for(u32 i = 0; i < set->Rom.IncludeNum; i++){
-		free(set->Rom.Include[i]);
-	}
-	free(set->Rom.Include);
-	
-	for(u32 i = 0; i < set->Rom.FileNum; i++){
-		free(set->Rom.File[i]);
-	}
-	free(set->Rom.File);
-	
-	//ExeFs
-	for(u32 i = 0; i < set->ExeFs.TextNum; i++){
-		free(set->ExeFs.Text[i]);
-	}
-	free(set->ExeFs.Text);
-	
-	for(u32 i = 0; i < set->ExeFs.ReadOnlyNum; i++){
-		free(set->ExeFs.ReadOnly[i]);
-	}
-	free(set->ExeFs.ReadOnly);
-	
-	for(u32 i = 0; i < set->ExeFs.ReadWriteNum; i++){
-		free(set->ExeFs.ReadWrite[i]);
-	}
-	free(set->ExeFs.ReadWrite);
-	
-	//PlainRegion
-	for(u32 i = 0; i < set->PlainRegionNum; i++){
-		free(set->PlainRegion[i]);
-	}
-	free(set->PlainRegion);
-	
-	//TitleInfo
-	//free(set->TitleInfo.Platform);
-	free(set->TitleInfo.Category);
-	free(set->TitleInfo.UniqueId);
-	free(set->TitleInfo.Version);
-	free(set->TitleInfo.ContentsIndex);
-	free(set->TitleInfo.Variation);
-	//free(set->TitleInfo.Use);
-	free(set->TitleInfo.ChildIndex);
-	free(set->TitleInfo.DemoIndex);
-	free(set->TitleInfo.TargetCategory);
-	
-	for(u32 i = 0; i < set->TitleInfo.CategoryFlagsNum; i++){
-		free(set->TitleInfo.CategoryFlags[i]);
-	}
-	free(set->TitleInfo.CategoryFlags);
-	
-	//CardInfo
-	free(set->CardInfo.WritableAddress);
-	free(set->CardInfo.CardType);
-	free(set->CardInfo.CryptoType);
-	free(set->CardInfo.CardDevice);
-	free(set->CardInfo.MediaType);
-	free(set->CardInfo.MediaSize);
-	free(set->CardInfo.BackupWriteWaitTime);
-	free(set->CardInfo.SaveCrypto);
-
-	//CommonHeaderKey
-	free(set->CommonHeaderKey.D);
-	free(set->CommonHeaderKey.P);
-	free(set->CommonHeaderKey.Q);
-	free(set->CommonHeaderKey.DP);
-	free(set->CommonHeaderKey.DQ);
-	free(set->CommonHeaderKey.InverseQ);
-	free(set->CommonHeaderKey.Modulus);
-	free(set->CommonHeaderKey.Exponent);
-	free(set->CommonHeaderKey.AccCtlDescSign);
-	free(set->CommonHeaderKey.AccCtlDescBin);
-}
-
 void free_UserSettings(user_settings *usr_settings)
 {
 	// Free Content Paths
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index ab9caa96..95d83173 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -49,20 +49,6 @@ typedef enum
 	NCCH
 } output_format;
 
-typedef struct
-{
-	char *name;
-	char *value;
-} dname_item;
-
-
-typedef struct
-{ 
-	dname_item *items;
-	u32 m_items;
-	u32 u_items;
-} dname_struct; 
-
 static const char output_extention[4][5] = {".cxi",".cfa",".cci",".cia"};
 
 /* This does not follow style, so the rsf string names match the variables where they're stored */
@@ -244,6 +230,19 @@ typedef struct
 	} CommonHeaderKey;
 } rsf_settings;
 
+typedef struct
+{
+	char *name;
+	char *value;
+} dname_item;
+
+typedef struct
+{ 
+	dname_item *items;
+	u32 m_items;
+	u32 u_items;
+} dname_struct; 
+
 typedef struct
 {
 	struct{
@@ -302,16 +301,11 @@ typedef struct
 		u16 titleVersion[3];
 
 		u64 contentId[CIA_MAX_CONTENT]; // For CIA
-	} cia; // CIA Settings
-	
-	
+	} cia; // CIA Settings	
 } user_settings;
 
 // Prototypes
 
 void init_UserSettings(user_settings *usr_settings);
 void free_UserSettings(user_settings *usr_settings);
-int ParseArgs(int argc, char *argv[], user_settings *usr_settings);
-void ReadYAMLtest(char *filepath);
-
-void free_RsfSettings(rsf_settings *set);
+int ParseArgs(int argc, char *argv[], user_settings *usr_settings);
\ No newline at end of file
diff --git a/makerom/yaml_parser.h b/makerom/yaml_parser.h
index 35f3dcfe..9d9db540 100644
--- a/makerom/yaml_parser.h
+++ b/makerom/yaml_parser.h
@@ -1,5 +1,7 @@
 #pragma once
 
+#include "libyaml/yaml.h"
+
 typedef enum
 {
 	YAML_API_ERROR = -1,

From 5b08a4311bd671015960c2a266e09af4fe63340c Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Wed, 16 Jul 2014 01:19:34 +1000
Subject: [PATCH 018/317] misc

now properly defaults to cfa when no cxi CLI options were applied
---
 makerom/user_settings.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index a2e8ffdd..89669e42 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -626,11 +626,12 @@ int CheckArgumentCombination(user_settings *set)
 	}		
 	
 	if(set->common.outFormat == NCCH){
+		set->ncch.buildNcch0 = true;
 		if(set->ncch.ncchType)
 			set->common.outFormat = set->ncch.ncchType;
 		else{
-			set->ncch.ncchType = CXI;
-			set->common.outFormat = CXI;
+			set->ncch.ncchType = CFA;
+			set->common.outFormat = CFA;
 		}
 	}
 

From 1833434a4e6a7376149856d81a901a16eb485d2e Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Fri, 18 Jul 2014 23:03:16 +1000
Subject: [PATCH 019/317] added fw8 (2.44) to the desc preset list

---
 makerom/user_settings.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 89669e42..c644f801 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -289,7 +289,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 
 
 		char *target_firmware = (tmp2+1);
-		set->common.keys.accessDescSign.targetFirmware = strtoul(target_firmware,NULL,10);
+		set->common.keys.accessDescSign.targetFirmware = strtoul(target_firmware,NULL,0);
 		switch(set->common.keys.accessDescSign.targetFirmware){
 			case 1: 
 				set->common.keys.accessDescSign.targetFirmware = 0x1B; // or 0x1C
@@ -310,11 +310,15 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 				set->common.keys.accessDescSign.targetFirmware = 0x25; // or 0x26
 				break;
 			case 7: 
-				set->common.keys.accessDescSign.targetFirmware = 0x27;
+				set->common.keys.accessDescSign.targetFirmware = 0x27; // or 0x28
+				break;
+			case 8: 
+				set->common.keys.accessDescSign.targetFirmware = 0x2C;
 				break;
 			default:
 				break;
 		}
+		
 		set->ncch.ncchType |= CXI;
 		return 2;
 	}

From 756fa2b84df6fb68b49119cee03ca8aec67e3c4b Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Fri, 18 Jul 2014 23:47:40 +1000
Subject: [PATCH 020/317] Fixed handling of writable region calculation

---
 makerom/ncsd.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index f8ee18e2..bb8f3c06 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -425,7 +425,8 @@ u64 GetUnusedSize(u64 MediaSize, u8 CardType)
 			case (u64)GB*2: return (u64)147324928;
 			case (u64)GB*4: return (u64)294649856;
 			case (u64)GB*8: return (u64)587202560;
-			default: return (u64)((MediaSize/MB)*0x11800); // Aprox
+			//default: return (u64)((MediaSize/MB)*0x11800); // Aprox
+			default: return 0;
 		}
 	}
 	else if(CardType == CARD2){
@@ -435,7 +436,8 @@ u64 GetUnusedSize(u64 MediaSize, u8 CardType)
 			case (u64)GB*2: return (u64)147324928;
 			case (u64)GB*4: return (u64)294649856;
 			case (u64)GB*8: return (u64)587202560;
-			default: return (u64)((MediaSize/MB)*0x11800); // Aprox
+			//default: return (u64)((MediaSize/MB)*0x11800); // Aprox
+			default: return 0;
 		}
 	}
 	return 0;
@@ -512,10 +514,10 @@ int GetNCSDFlags(cci_settings *cciset, rsf_settings *yaml)
 
 int GetWriteableAddress(cci_settings *cciset, user_settings *usrset)
 {
-	int result = GetSaveDataSizeFromString(&cciset->option.savedataSize,usrset->common.rsfSet.SystemControlInfo.SaveDataSize,"NCSD");
+	int result = GetSaveDataSizeFromString(&cciset->option.savedataSize,usrset->common.rsfSet.SystemControlInfo.SaveDataSize,"CCI");
 	if(result) return result;
 
-	char *WriteableAddressStr = usrset->common.rsfSet.CardInfo.WritableAddress;;
+	char *WriteableAddressStr = usrset->common.rsfSet.CardInfo.WritableAddress;
 	
 	cciset->cardinfo.writableAddress = -1;
 	if(cciset->header.flags[MediaTypeIndex] != CARD2) return 0; // Can only be set for Card2 Media
@@ -525,7 +527,7 @@ int GetWriteableAddress(cci_settings *cciset, user_settings *usrset)
 			fprintf(stderr,"[CCI ERROR] WritableAddress requires a Hexadecimal value\n");
 			return INVALID_YAML_OPT;
 		}	
-		cciset->cardinfo.writableAddress = strtoull((WriteableAddressStr+2),NULL,16);
+		cciset->cardinfo.writableAddress = strtoull(WriteableAddressStr,NULL,16);
 	}
 	if(cciset->cardinfo.writableAddress == -1){ // If not set manually or is max size
 		if ((cciset->header.mediaSize / 2) < cciset->option.savedataSize){ // If SaveData size is greater than half the MediaSize
@@ -539,10 +541,15 @@ int GetWriteableAddress(cci_settings *cciset, user_settings *usrset)
 			return SAVE_DATA_TOO_LARGE;
 		}
 		if(usrset->cci.closeAlignWritableRegion)
-			cciset->cardinfo.writableAddress = align(cciset->cardinfo.cciTotalSize, cciset->option.mediaUnit);
+			cciset->cardinfo.writableAddress = align(cciset->cardinfo.cciTotalSize, cciset->option.mediaUnit); // invalid for "real" chips
 		else{
-			u64 UnusedSize = GetUnusedSize(cciset->header.mediaSize,cciset->header.flags[MediaTypeIndex]); // Need to look into this
-			cciset->cardinfo.writableAddress = cciset->header.mediaSize - UnusedSize - cciset->option.savedataSize;
+			u64 UnusedSize = GetUnusedSize(cciset->header.mediaSize,cciset->header.flags[MediaTypeIndex]); // Some value related to the physical implementation of gamecards
+			if(UnusedSize > 0)
+				cciset->cardinfo.writableAddress = cciset->header.mediaSize - UnusedSize - cciset->option.savedataSize; // Nintendo's method for calculating writable region offset
+			else{
+				fprintf(stderr,"[CCI WARNING] Nintendo has no CARD2 writable region configurations for this media size, writable region will be aligned to last ncch partition\n");
+				cciset->cardinfo.writableAddress = align(cciset->cardinfo.cciTotalSize, cciset->option.mediaUnit); // invalid for "real" chips
+			}
 		}
 	}
 	return 0;

From 291accd63d7e097709abe056adb8a09f4cf10149 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 19 Jul 2014 00:46:34 +1000
Subject: [PATCH 021/317] fixed displaying u64 values in printf

---
 makerom/lib.h   | 1 +
 makerom/utils.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/makerom/lib.h b/makerom/lib.h
index 1799a9f3..e0ef089e 100644
--- a/makerom/lib.h
+++ b/makerom/lib.h
@@ -13,6 +13,7 @@
 #include <math.h>
 #include <dirent.h>
 #include <wchar.h>
+#include <inttypes.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
diff --git a/makerom/utils.c b/makerom/utils.c
index 45b509d6..1321168e 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -305,7 +305,7 @@ u8* ImportFile(char *file, u64 size)
 	u64 fsize = GetFileSize_u64(file);
 	if(size > 0){
 		if(size != fsize){
-			fprintf(stderr,"[!] %s has an invalid size (0x%llx)\n",file, fsize);
+			fprintf(stderr,"[!] %s has an invalid size (0x%"PRIx64")\n",file, fsize);
 			return NULL;
 		}
 	}

From c6e98ca578c416d2b5cbad114c8b5c7816332621 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 19 Jul 2014 01:25:11 +1000
Subject: [PATCH 022/317] renamed "-genupdatenote" to "-cverinfo"

---
 makerom/user_settings.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index c644f801..2486c4c8 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -394,9 +394,9 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->cci.closeAlignWritableRegion = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-genupdatenote") == 0){
+	else if(strcmp(argv[i],"-cverinfo") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-genupdatenote",1);
+			PrintArgReqParam("-cverinfo",1);
 			return USR_BAD_ARG;
 		}
 		set->cci.cverCiaPath = argv[i+1];
@@ -656,7 +656,7 @@ int CheckArgumentCombination(user_settings *set)
 	}
 
 	if(set->common.outFormat == CIA && set->cci.cverCiaPath){
-		fprintf(stderr,"[SETTING ERROR] You cannot use argument \"-genupdatenote\" when generating a CIA\n");
+		fprintf(stderr,"[SETTING ERROR] You cannot use argument \"-cverinfo\" when generating a CIA\n");
 		return USR_BAD_ARG;
 	}
 
@@ -825,7 +825,7 @@ void DisplayHelp(char *app_name)
 	printf(" -devcardcci                        Use SDK CardInfo Method\n");
 	printf(" -nomodtid                          Don't Modify Content TitleIDs\n");
 	printf(" -alignwr                           Align Writeable Region to the end of last NCCH\n");
-	printf(" -genupdatenote <cver cia path>     Create Update Partition Notes\n");
+	printf(" -cverinfo      <cver cia path>     Include CVer title info\n");
 	printf("CIA OPTIONS:\n");
 	printf(" -content <filepath>:<index>:<id>   Specify content files\n");
 	printf(" -major         <major version>     Specify Major Version\n");

From 9c548197c1f4dbdf5a170a68882b26cae986a79d Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 26 Aug 2014 00:34:28 +1000
Subject: [PATCH 023/317] big update

lots cleaned, added cia to cci conv, it
's called a block, separated reading from building, improved ncch keyx
stuff, and basic verbose for keys, elf checking and romfs
---
 makerom/Makefile                              |   10 +-
 makerom/accessdesc.c                          |  111 +-
 makerom/cardinfo.c                            |  207 ++++
 makerom/cardinfo.h                            |   53 +
 makerom/cia.c                                 |  287 +++--
 makerom/cia.h                                 |  116 +-
 makerom/cia_build.h                           |  107 ++
 makerom/cia_read.c                            |   61 -
 makerom/cia_read.h                            |   21 +
 makerom/crypto.c                              |   22 +-
 makerom/crypto.h                              |    2 +-
 makerom/ctr_utils.c                           |   14 +
 makerom/ctr_utils.h                           |    4 +
 .../dev_sigdata.h}                            |    0
 makerom/{desc_presets.h => desc/presets.h}    |    0
 .../prod_sigdata.h}                           |    0
 makerom/dir.c                                 |    4 +-
 makerom/elf.c                                 |  623 +++++-----
 makerom/elf.h                                 |   21 +-
 makerom/exefs.c                               |   15 +-
 makerom/exefs.h                               |   34 -
 makerom/exefs_build.h                         |   28 +
 makerom/exefs_read.h                          |    9 +
 makerom/exheader.c                            |    8 +-
 makerom/exheader.h                            |   35 +-
 makerom/exheader_build.h                      |   23 +
 makerom/exheader_read.h                       |   13 +
 makerom/keyset.c                              |  110 +-
 makerom/keyset.h                              |   19 +-
 makerom/lib.h                                 |    1 +
 makerom/makerom.c                             |   89 +-
 makerom/ncch.c                                |  935 +++++++--------
 makerom/ncch.h                                |  157 +--
 makerom/ncch_build.h                          |   88 ++
 makerom/{logo_data.h => ncch_logo.h}          |    0
 makerom/ncch_read.h                           |    2 +
 makerom/ncsd.c                                | 1062 +++++++++--------
 makerom/ncsd.h                                |  197 +--
 makerom/ncsd_build.h                          |   72 ++
 makerom/ncsd_read.h                           |    8 +
 makerom/{dpki.h => pki/dev.h}                 |    2 +-
 makerom/{dpki_legacy.h => pki/dev_legacy.h}   |    0
 makerom/{ppki.h => pki/prod.h}                |    5 +-
 makerom/{ppki_legacy.h => pki/prod_legacy.h}  |    0
 makerom/{tpki.h => pki/test.h}                |    0
 makerom/romfs.c                               |    4 +-
 makerom/{romfs_binary.c => romfs_gen.c}       |    9 +-
 makerom/{romfs_binary.h => romfs_gen.h}       |    0
 makerom/romfs_import.c                        |    6 +-
 makerom/rsf_settings.c                        |    2 +-
 makerom/tik.c                                 |   35 +-
 makerom/tik.h                                 |   15 +-
 makerom/tik_build.h                           |   16 +
 makerom/tik_read.h                            |    5 +
 makerom/titleid.c                             |    4 +-
 makerom/tmd.c                                 |   99 +-
 makerom/tmd.h                                 |   19 +-
 makerom/tmd_build.h                           |    6 +
 makerom/tmd_read.c                            |   22 -
 makerom/tmd_read.h                            |   19 +
 makerom/user_settings.c                       |  380 +++---
 makerom/user_settings.h                       |   29 +-
 makerom/utils.c                               |  128 +-
 makerom/utils.h                               |   19 +-
 makerom/yaml_parser.c                         |    7 +-
 makerom/yaml_parser.h                         |    2 +-
 66 files changed, 2910 insertions(+), 2491 deletions(-)
 create mode 100644 makerom/cardinfo.c
 create mode 100644 makerom/cardinfo.h
 create mode 100644 makerom/cia_build.h
 delete mode 100644 makerom/cia_read.c
 create mode 100644 makerom/cia_read.h
 create mode 100644 makerom/ctr_utils.c
 create mode 100644 makerom/ctr_utils.h
 rename makerom/{desc_dev_sigdata.h => desc/dev_sigdata.h} (100%)
 rename makerom/{desc_presets.h => desc/presets.h} (100%)
 rename makerom/{desc_prod_sigdata.h => desc/prod_sigdata.h} (100%)
 create mode 100644 makerom/exefs_build.h
 create mode 100644 makerom/exefs_read.h
 create mode 100644 makerom/exheader_build.h
 create mode 100644 makerom/exheader_read.h
 create mode 100644 makerom/ncch_build.h
 rename makerom/{logo_data.h => ncch_logo.h} (100%)
 create mode 100644 makerom/ncch_read.h
 create mode 100644 makerom/ncsd_build.h
 create mode 100644 makerom/ncsd_read.h
 rename makerom/{dpki.h => pki/dev.h} (99%)
 rename makerom/{dpki_legacy.h => pki/dev_legacy.h} (100%)
 rename makerom/{ppki.h => pki/prod.h} (99%)
 rename makerom/{ppki_legacy.h => pki/prod_legacy.h} (100%)
 rename makerom/{tpki.h => pki/test.h} (100%)
 rename makerom/{romfs_binary.c => romfs_gen.c} (98%)
 rename makerom/{romfs_binary.h => romfs_gen.h} (100%)
 create mode 100644 makerom/tik_build.h
 create mode 100644 makerom/tik_read.h
 create mode 100644 makerom/tmd_build.h
 delete mode 100644 makerom/tmd_read.c
 create mode 100644 makerom/tmd_read.h

diff --git a/makerom/Makefile b/makerom/Makefile
index 36c952e0..5293084a 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -1,8 +1,8 @@
 # Makerom Sources
-UTILS_OBJS = utils.o dir.o utf.o keyset.o titleid.o
-CIA_OBJS = cia.o cia_read.o certs.o tik.o tmd.o tmd_read.o
-NCCH_OBJS = ncch.o exheader.o accessdesc.o exefs.o elf.o romfs.o romfs_import.o romfs_binary.o  
-NCSD_OBJS = ncsd.o  
+UTILS_OBJS = utils.o ctr_utils.o dir.o utf.o keyset.o titleid.o
+CIA_OBJS = cia.o certs.o tik.o tmd.o
+NCCH_OBJS = ncch.o exheader.o accessdesc.o exefs.o elf.o romfs.o romfs_import.o romfs_gen.o  
+NCSD_OBJS = ncsd.o cardinfo.o
 SETTINGS_OBJS = user_settings.o rsf_settings.o
 LIB_API_OBJS = crypto.o yaml_parser.o blz.o
 
@@ -21,7 +21,7 @@ CC = gcc
 # MAKEROM Build Settings
 MAKEROM_BUILD_FLAGS = #-DDEBUG
 VER_MAJOR = 0
-VER_MINOR = 10
+VER_MINOR = 11
 OUTPUT = makerom
 
 main: build
diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 8c316c5a..f02d9f10 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -1,13 +1,11 @@
 #include "lib.h"
-#include "ncch.h"
-#include "exheader.h"
+#include "ncch_build.h"
+#include "exheader_build.h"
 #include "accessdesc.h"
 
-#include "polarssl/base64.h"
-
-#include "desc_presets.h"
-#include "desc_dev_sigdata.h"
-#include "desc_prod_sigdata.h"
+#include "desc/presets.h"
+#include "desc/dev_sigdata.h"
+#include "desc/prod_sigdata.h"
 
 const int RSF_RSA_DATA_LEN = 344;
 const int RSF_DESC_DATA_LEN = 684;
@@ -19,20 +17,16 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset);
 void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, keys_struct *keys);
 void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, keys_struct *keys);
 
-bool IsValidB64Char(char chr);
-u32 b64_strlen(char *str);
-void b64_strcpy(char *dst, char *src);
-
 int set_AccessDesc(exheader_settings *exhdrset)
 {
-	if(exhdrset->useAccessDescPreset)
+	if(exhdrset->useAccessDescPreset) // Use AccessDesc Template
 		return accessdesc_GetSignFromPreset(exhdrset);
 	else if(exhdrset->rsf->CommonHeaderKey.Found) // Keydata exists in RSF
 		return accessdesc_GetSignFromRsf(exhdrset);
 	else if(!exhdrset->keys->rsa.requiresPresignedDesc) // Else if The AccessDesc can be signed with key
 		return accessdesc_SignWithKey(exhdrset);
 	else{ // No way the access desc signature can be 'obtained'
-		fprintf(stderr,"[EXHEADER ERROR] Current keyset cannot sign AccessDesc, please appropriatly setup RSF, or specify a preset with -accessdesc\n");
+		fprintf(stderr,"[ACEXDESC ERROR] Current keyset cannot sign AccessDesc, please appropriately set-up RSF, or specify a preset with \"-desc\"\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 }
@@ -65,7 +59,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 {
 	/* Yaml Option Sanity Checks */
 	if(!exhdrset->rsf->CommonHeaderKey.Found){
-		fprintf(stderr,"[EXHEADER ERROR] RSF Section \"CommonHeaderKey\" not found\n");
+		fprintf(stderr,"[ACEXDESC ERROR] RSF Section \"CommonHeaderKey\" not found\n");
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
@@ -74,7 +68,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.D) != RSF_RSA_DATA_LEN){
-		fprintf(stderr,"[EXHEADER ERROR] \"CommonHeaderKey/D\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.D));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/D\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.D));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
@@ -83,7 +77,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.Modulus) != RSF_RSA_DATA_LEN){
-		fprintf(stderr,"[EXHEADER ERROR] \"CommonHeaderKey/Modulus\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.Modulus));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Modulus\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.Modulus));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
@@ -92,7 +86,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescSign) != RSF_RSA_DATA_LEN){
-		fprintf(stderr,"[EXHEADER ERROR] \"CommonHeaderKey/Signature\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Signature\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
@@ -101,41 +95,30 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin) != RSF_DESC_DATA_LEN){
-		fprintf(stderr,"[EXHEADER ERROR] \"CommonHeaderKey/Descriptor\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Descriptor\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
 	/* Set RSA Keys */
 	int result = 0;
-	u32 out;
-
-	out = 0x100;
-	result = base64_decode(exhdrset->keys->rsa.cxiHdrPub,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.Modulus,strlen(exhdrset->rsf->CommonHeaderKey.Modulus));
-	if(out != 0x100)
-		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
-	if(result) goto finish;
-
-	out = 0x100;
-	result = base64_decode(exhdrset->keys->rsa.cxiHdrPvt,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.D,strlen(exhdrset->rsf->CommonHeaderKey.D));
-	if(out != 0x100)
-		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
-	if(result) goto finish;
+	// NCCH Header pubk
+	result = b64_decode(exhdrset->keys->rsa.cxiHdrPub,exhdrset->rsf->CommonHeaderKey.Modulus,0x100);
+	if(result) return result;
+	// NCCH Header privk
+	result = b64_decode(exhdrset->keys->rsa.cxiHdrPvt,exhdrset->rsf->CommonHeaderKey.D,0x100);
+	if(result) return result;
 
 	/* Set AccessDesc */
-	out = 0x100;
-	result = base64_decode(exhdrset->acexDesc->signature,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescSign, strlen( exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
-	if(out != 0x100)
-		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
-	if(result) goto finish;
+	// Signature
+	result = b64_decode(exhdrset->acexDesc->signature,exhdrset->rsf->CommonHeaderKey.AccCtlDescSign,0x100);
+	if(result) return result;
+	// NCCH Header pubk
 	memcpy(exhdrset->acexDesc->ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
-
-	out = 0x200;
-	result = base64_decode((u8*)&exhdrset->acexDesc->arm11SystemLocalCapabilities,(size_t *)&out,(const u8*)exhdrset->rsf->CommonHeaderKey.AccCtlDescBin,strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
-	if(out != 0x200)
-		result = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
-	if(result) goto finish;
-finish:
-	return result;	
+	// Access Control
+	result = b64_decode((u8*)&exhdrset->acexDesc->arm11SystemLocalCapabilities,exhdrset->rsf->CommonHeaderKey.AccCtlDescBin,0x200);
+	if(result) return result;
+	
+	return 0;	
 }
 
 int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
@@ -153,12 +136,12 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 
 	// Error Checking
 	if(!desc || !depList){
-		fprintf(stderr,"[EXHEADER ERROR] AccessDesc preset is unavailable, please configure RSF file\n");
+		fprintf(stderr,"[ACEXDESC ERROR] AccessDesc template is unavailable, please configure RSF file\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 
 	if((!cxiPubk || !cxiPvtk || !accessDesc || !accessDescSig) && exhdrset->keys->rsa.requiresPresignedDesc){
-		fprintf(stderr,"[EXHEADER ERROR] This AccessDesc preset needs to be signed, the current keyset is incapable of doing so. Please configure RSF file with the appropriate signature data.\n");
+		fprintf(stderr,"[ACEXDESC ERROR] This AccessDesc template needs to be signed, the current keyset is incapable of doing so. Please configure RSF file with the appropriate signature data.\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 	
@@ -451,40 +434,4 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
  				break;
 		}
 	}
-}
-
-bool IsValidB64Char(char chr)
-{
-	return (isalnum(chr) || chr == '+' || chr == '/' || chr == '=');
-}
-
-u32 b64_strlen(char *str)
-{
-	u32 count = 0;
-	u32 i = 0;
-	while(str[i] != 0x0){
-		if(IsValidB64Char(str[i])) {
-			//printf("Is Valid: %c\n",str[i]);
-			count++;
-		}
-		i++;
-	}
-
-	return count;
-}
-
-void b64_strcpy(char *dst, char *src)
-{
-	u32 src_len = strlen(src);
-	u32 j = 0;
-	for(u32 i = 0; i < src_len; i++){
-		if(IsValidB64Char(src[i])){
-			dst[j] = src[i];
-			j++;
-		}
-	}
-	dst[j] = 0;
-
-	//memdump(stdout,"src: ",(u8*)src,src_len+1);
-	//memdump(stdout,"dst: ",(u8*)dst,j+1);
 }
\ No newline at end of file
diff --git a/makerom/cardinfo.c b/makerom/cardinfo.c
new file mode 100644
index 00000000..f2ac692f
--- /dev/null
+++ b/makerom/cardinfo.c
@@ -0,0 +1,207 @@
+#include "lib.h"
+#include "ncch_read.h"
+#include "ncsd_build.h"
+#include "cardinfo.h"
+
+void InitCardInfoHdr(cardinfo_hdr **cihdr, devcardinfo_hdr **dcihdr, cci_settings *set);
+int SetWriteableAddress(cardinfo_hdr *hdr, cci_settings *set);
+int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set);
+int SetCardInfoNotes(cardinfo_hdr *hdr, cci_settings *set);
+void ImportNcch0Data(cardinfo_hdr *hdr, cci_settings *set);
+void SetInitialData(cardinfo_hdr *hdr, cci_settings *set);
+void SetDevCardInfo(devcardinfo_hdr *hdr, cci_settings *set);
+
+
+int GenCardInfoHdr(cci_settings *set)
+{
+	cardinfo_hdr *cihdr;
+	devcardinfo_hdr *dcihdr;
+	
+	InitCardInfoHdr(&cihdr,&dcihdr,set);
+	
+	if(SetWriteableAddress(cihdr,set))
+		return GEN_HDR_FAIL;
+	if(SetCardInfoBitmask(cihdr,set))
+		return GEN_HDR_FAIL;
+	if(SetCardInfoNotes(cihdr,set))
+		return GEN_HDR_FAIL;
+	ImportNcch0Data(cihdr,set);
+	SetInitialData(cihdr,set);
+	
+	if(dcihdr)
+		SetDevCardInfo(dcihdr,set);
+	
+	return 0;
+}
+
+void InitCardInfoHdr(cardinfo_hdr **cihdr, devcardinfo_hdr **dcihdr, cci_settings *set)
+{
+	set->headers.cardinfohdr.size = sizeof(cardinfo_hdr);
+	if(set->options.useExternalSdkCardInfo)
+		set->headers.cardinfohdr.size += sizeof(devcardinfo_hdr);
+		
+	set->headers.cardinfohdr.buffer = calloc(1,set->headers.cardinfohdr.size);
+	
+	*cihdr = (cardinfo_hdr*)set->headers.cardinfohdr.buffer;
+	
+	if(set->headers.cardinfohdr.size > sizeof(cardinfo_hdr))
+		*dcihdr = (devcardinfo_hdr*)(set->headers.cardinfohdr.buffer+sizeof(cardinfo_hdr));
+	else
+		*dcihdr = NULL;
+	
+	return;
+}
+
+u64 GetCciUnusedSize(u64 mediaSize, u8 cardType)
+{
+	if(cardType == mediatype_CARD1){
+		switch(mediaSize){
+			case (u64)MB*128: return (u64)2621440;
+			case (u64)MB*256: return (u64)5242880;
+			case (u64)MB*512: return (u64)10485760;
+			case (u64)GB*1: return (u64)73924608;
+			case (u64)GB*2: return (u64)147324928;
+			case (u64)GB*4: return (u64)294649856;
+			case (u64)GB*8: return (u64)587202560;
+			default: return 0;
+		}
+	}
+	else if(cardType == mediatype_CARD2){
+		switch(mediaSize){
+			case (u64)MB*512: return (u64)37224448;
+			case (u64)GB*1: return (u64)73924608;
+			case (u64)GB*2: return (u64)147324928;
+			case (u64)GB*4: return (u64)294649856;
+			case (u64)GB*8: return (u64)587202560;
+			default: return 0;
+		}
+	}
+	return 0;
+}
+
+int SetWriteableAddress(cardinfo_hdr *hdr, cci_settings *set)
+{
+	if(set->romInfo.mediaType != mediatype_CARD2){ // Can only be set for Card2 Media
+		u32_to_u8(hdr->writableAddress,(u32)-1,LE);
+		return 0;
+	} 
+	
+	char *str = set->rsf->CardInfo.WritableAddress;
+	set->romInfo.card2SaveOffset = -1;
+	
+	if(str){
+		if(strncmp(str,"0x",2) != 0){
+			fprintf(stderr,"[CCI ERROR] WritableAddress requires a Hexadecimal value\n");
+			return INVALID_RSF_OPT;
+		}	
+		set->romInfo.card2SaveOffset = strtoull(str,NULL,16);
+	}
+	else{
+		if ((set->romInfo.mediaSize / 2) < set->romInfo.saveSize || set->romInfo.saveSize > (u64)(2047*MB)){
+			u64 saveDataSize = set->romInfo.saveSize / KB;
+			fprintf(stderr,"[CCI ERROR] Too large SavedataSize %"PRIu64"K\n",saveDataSize);
+			return SAVE_DATA_TOO_LARGE;
+		}
+		if(set->options.closeAlignWR)
+			set->romInfo.card2SaveOffset = align(set->romInfo.usedSize, set->romInfo.blockSize); // invalid for "real" chips
+		else{
+			u64 unusedSize = GetCciUnusedSize(set->romInfo.mediaSize,set->romInfo.mediaType); // Some value related to the physical implementation of gamecards
+			if(unusedSize > 0)
+				set->romInfo.card2SaveOffset = set->romInfo.mediaSize - unusedSize - set->romInfo.saveSize; // Nintendo's method for calculating writable region offset
+			else{
+				fprintf(stderr,"[CCI WARNING] Nintendo does not support CARD2 for the current MediaSize, aligning save offset after last NCCH\n");
+				set->romInfo.card2SaveOffset = align(set->romInfo.usedSize, set->romInfo.blockSize); // invalid for "real" chips
+			}
+		}
+	}
+	
+	u32_to_u8(hdr->writableAddress,(u32)(set->romInfo.card2SaveOffset/set->romInfo.blockSize),LE);
+	
+	return 0;
+}
+
+int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set)
+{
+	u32 bitmask = 0;
+
+	char *str = set->rsf->CardInfo.CardType;
+	if(!str) 
+		bitmask |= 0;
+	else{
+		if(strcasecmp(str,"s1") == 0) 
+			bitmask |= 0;
+		else if(strcasecmp(str,"s2") == 0) 
+			bitmask |= 0x20;
+		else {
+			fprintf(stderr,"[CCI ERROR] Invalid CardType: %s\n",str);
+			return INVALID_RSF_OPT;
+		}
+	}
+	
+	str = set->rsf->CardInfo.CryptoType;
+	if(!str) 
+		bitmask |= 0;//(3*0x40);
+	else{
+		int val = strtol(str,NULL,10);
+		if(val < 0 || val > 3) {
+			fprintf(stderr,"[CCI ERROR] Invalid CryptoType: %s\n",str);
+			return INVALID_RSF_OPT;
+		}
+		if(val != 3)
+			fprintf(stderr,"[CCI WARNING] Card crypto type = '%d'\n",val);
+		bitmask |= val * 0x40;
+	}
+	
+	u32_to_u8(hdr->cardInfoBitmask,bitmask,BE);
+	
+	return 0;
+}
+
+int SetCardInfoNotes(cardinfo_hdr *hdr, cci_settings *set)
+{
+	u64_to_u8(hdr->notes.mediaSizeUsed,set->romInfo.usedSize,LE);
+	u32_to_u8(hdr->notes.unknown,0,LE);
+	
+	if(set->options.tmdHdr){
+		u64_to_u8(hdr->notes.cverTitleId,GetTmdTitleId(set->options.tmdHdr),LE);
+		u16_to_u8(hdr->notes.cverTitleId,GetTmdVersion(set->options.tmdHdr),LE);
+	}
+		
+	return 0;
+}
+
+void ImportNcch0Data(cardinfo_hdr *hdr, cci_settings *set)
+{
+	u8 *ncch;
+	ncch_hdr *ncchHdr;
+	
+	ncch = set->content.data + set->content.dOffset[0];
+	ncchHdr = (ncch_hdr*)ncch;
+	
+	memcpy(hdr->ncch0TitleId,ncchHdr->titleId,8);
+	memcpy(hdr->ncch0Hdr,GetNcchHdrData(ncchHdr),GetNcchHdrDataLen(ncchHdr));
+	
+	return;
+}
+
+void SetInitialData(cardinfo_hdr *hdr, cci_settings *set)
+{
+	clrmem(hdr->initialData,0x30);
+	if(set->options.useExternalSdkCardInfo)
+		memcpy(hdr->initialData,(u8*)stock_initial_data,0x30);
+	else
+		rndset(hdr->initialData,0x2c);
+		
+	return;
+}
+
+void SetDevCardInfo(devcardinfo_hdr *hdr, cci_settings *set)
+{
+	clrmem(hdr,sizeof(devcardinfo_hdr));
+	if(set->options.useExternalSdkCardInfo)
+		memcpy(hdr->titleKey,(u8*)stock_title_key,0x10);
+	else
+		rndset(hdr->titleKey,0x10);
+		
+	return;
+}
\ No newline at end of file
diff --git a/makerom/cardinfo.h b/makerom/cardinfo.h
new file mode 100644
index 00000000..271edac8
--- /dev/null
+++ b/makerom/cardinfo.h
@@ -0,0 +1,53 @@
+#pragma once
+
+typedef struct
+{
+	u8 reserved0[0xf8];
+	u8 mediaSizeUsed[8];
+	u8 reserved1[0x8];
+	u8 unknown[0x4];
+	u8 reserved2[0xc];
+	u8 cverTitleId[8];
+	u8 cverTitleVersion[2];
+	u8 reserved3[0xcd6];
+} cardinfo_notes; // reserved[0xDF8];
+
+typedef struct
+{
+	u8 writableAddress[4];
+	u8 cardInfoBitmask[4];
+	cardinfo_notes notes;
+	u8 ncch0TitleId[8];
+	u8 reserved0[8];
+	u8 initialData[0x30];
+	u8 reserved1[0xc0];
+	u8 ncch0Hdr[0x100];
+} cardinfo_hdr;
+
+typedef struct
+{
+	u8 cardDeviceReserved1[0x200];
+	u8 titleKey[0x10];
+	u8 cardDeviceReserved2[0xf0];
+} devcardinfo_hdr;
+
+static const u8 stock_initial_data[0x30] = 
+{
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
+	0x00, 0x00, 0x00, 0x00, 0xAD, 0x88, 
+	0xAC, 0x41, 0xA2, 0xB1, 0x5E, 0x8F, 
+	0x66, 0x9C, 0x97, 0xE5, 0xE1, 0x5E, 
+	0xA3, 0xEB, 0x00, 0x00, 0x00, 0x00, 
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+static const u8 stock_title_key[0x10] = 
+{
+	0x6E, 0xC7, 0x5F, 0xB2, 0xE2, 0xB4, 
+	0x87, 0x46, 0x1E, 0xDD, 0xCB, 0xB8, 
+	0x97, 0x11, 0x92, 0xBA
+};
+
+int GenCardInfoHdr(cci_settings *set);
\ No newline at end of file
diff --git a/makerom/cia.c b/makerom/cia.c
index e820a9df..b9ab061c 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -1,41 +1,44 @@
 #include "lib.h"
-#include "ncch.h"
-#include "exheader.h"
-#include "exefs.h"
-#include "certs.h"
-#include "cia.h"
-#include "tik.h"
-#include "tmd.h"
-#include "titleid.h"
+
 #include "srl.h"
-#include "ncsd.h"
+#include "ncsd_read.h"
+#include "ncch_read.h"
+#include "exheader_read.h"
+#include "exefs_read.h"
+
+#include "cia_build.h"
+#include "cia_read.h"
+#include "tik_build.h"
+#include "tmd_build.h"
+#include "titleid.h"
+#include "certs.h"
+
+const int CIA_ALIGN_SIZE = 0x40;
+const int CIA_CONTENT_ALIGN = 0x10;
 
 // Private Prototypes
-/* cia_settings tools */
-void init_CIASettings(cia_settings *set);
-void free_CIASettings(cia_settings *set);
-int get_CIASettings(cia_settings *ciaset, user_settings *usrset);
+void InitCiaSettings(cia_settings *set);
+void FreeCiaSettings(cia_settings *set);
+int GetCiaSettings(cia_settings *ciaset, user_settings *usrset);
 
 int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset);
 int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset);
-int GetCIADataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key);
-int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key);
+int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key);
+int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key);
 int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset);
 int ImportNcchContent(cia_settings *ciaset);
 int GetSettingsFromSrl(cia_settings *ciaset);
 int GetSettingsFromCci(cia_settings *ciaset);
 
-u16 SetupVersion(u16 Major, u16 Minor, u16 Micro);
+u16 SetupVersion(u16 major, u16 minor, u16 micro);
 
 void GetContentHashes(cia_settings *ciaset);
 void EncryptContent(cia_settings *ciaset);
 
-int BuildCIA_CertChain(cia_settings *ciaset);
-int BuildCIA_Header(cia_settings *ciaset);
-
-int WriteCIAtoFile(cia_settings *ciaset);
+int BuildCiaCertChain(cia_settings *ciaset);
+int BuildCiaHdr(cia_settings *ciaset);
 
-int CryptContent(u8 *EncBuffer,u8 *DecBuffer,u64 size,u8 *title_key, u16 index, u8 mode);
+int WriteCiaToFile(cia_settings *ciaset);
 
 
 int build_CIA(user_settings *usrset)
@@ -50,8 +53,8 @@ int build_CIA(user_settings *usrset)
 	}
 
 	// Get Settings
-	init_CIASettings(ciaset);
-	result = get_CIASettings(ciaset,usrset);
+	InitCiaSettings(ciaset);
+	result = GetCiaSettings(ciaset,usrset);
 	if(result) goto finish;
 
 	// Create Output File
@@ -65,7 +68,7 @@ int build_CIA(user_settings *usrset)
 	// Create CIA Sections
 
 	/* Certificate Chain */
-	result = BuildCIA_CertChain(ciaset);
+	result = BuildCiaCertChain(ciaset);
 	if(result) goto finish;
 
 	/* Ticket */
@@ -77,28 +80,28 @@ int build_CIA(user_settings *usrset)
 	if(result) goto finish;
 
 	/* CIA Header */
-	result = BuildCIA_Header(ciaset);
+	result = BuildCiaHdr(ciaset);
 	if(result) goto finish;
 	
 	/* Write To File */
-	result = WriteCIAtoFile(ciaset);
+	result = WriteCiaToFile(ciaset);
 	if(result) goto finish;
 
 finish:
 	if(result != FAILED_TO_CREATE_OUTFILE && ciaset->out) 
 		fclose(ciaset->out);
 
-	free_CIASettings(ciaset);
+	FreeCiaSettings(ciaset);
 
 	return result;
 }
 
-void init_CIASettings(cia_settings *set)
+void InitCiaSettings(cia_settings *set)
 {
 	memset(set,0,sizeof(cia_settings));
 }
 
-void free_CIASettings(cia_settings *set)
+void FreeCiaSettings(cia_settings *set)
 {
 	if(set->content.filePtrs){
 		for(u32 i = 1; i < set->content.count; i++){
@@ -117,7 +120,7 @@ void free_CIASettings(cia_settings *set)
 	free(set);
 }
 
-int get_CIASettings(cia_settings *ciaset, user_settings *usrset)
+int GetCiaSettings(cia_settings *ciaset, user_settings *usrset)
 {
 	int result = 0;
 
@@ -125,26 +128,21 @@ int get_CIASettings(cia_settings *ciaset, user_settings *usrset)
 	result = GetSettingsFromUsrset(ciaset,usrset);
 
 	if(usrset->common.workingFileType == infile_ncch){
-		result = GetSettingsFromNcch0(ciaset,0);
-		if(result) 
+		if((result = GetSettingsFromNcch0(ciaset,0)) != 0) 
 			return result;
-		result = GetContentFilePtrs(ciaset,usrset);
-		if(result) 
+		if((result = GetContentFilePtrs(ciaset,usrset)) != 0) 
 			return result;
-		result = ImportNcchContent(ciaset);
-		if(result) 
+		if((result = ImportNcchContent(ciaset)) != 0) 
 			return result;
 	}
 
 	else if(usrset->common.workingFileType == infile_srl){
-		result = GetSettingsFromSrl(ciaset);
-		if(result) 
+		if((result = GetSettingsFromSrl(ciaset)) != 0) 
 			return result;
 	}
 
 	else if(usrset->common.workingFileType == infile_ncsd){
-		result = GetSettingsFromCci(ciaset);
-		if(result)
+		if((result = GetSettingsFromCci(ciaset)) != 0) 
 			return result;
 	}
 	
@@ -165,7 +163,9 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	ciaset->ciaSections.content.size = usrset->common.workingFile.size;
 	usrset->common.workingFile.buffer = NULL;
 	ciaset->ciaSections.content.size = 0;
-
+	ciaset->content.includeUpdateNcch = usrset->cia.includeUpdateNcch;
+	ciaset->verbose = usrset->common.verbose;
+	
 	u32_to_u8(ciaset->tmd.titleType,TYPE_CTR,BE);
 	ciaset->content.encryptCia = usrset->common.rsfSet.Option.EnableCrypt;
 	ciaset->content.IsDlc = usrset->cia.DlcContent;
@@ -183,16 +183,19 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 
 	// Ticket Data
 	rndset(ciaset->tik.ticketId,8);
-	clrmem(ciaset->tik.deviceId,4);
-	clrmem(ciaset->tik.eshopAccId,4);
+	u32_to_u8(ciaset->tik.deviceId,usrset->cia.deviceId,BE);
+	u32_to_u8(ciaset->tik.eshopAccId,usrset->cia.eshopAccId,BE);
 	ciaset->tik.licenceType = 0;
 	ciaset->tik.audit = 0;
 	
 	if(usrset->cia.randomTitleKey)
-		rndset(ciaset->common.titleKey,16);
+		rndset(ciaset->common.titleKey,AES_128_KEY_SIZE);
 	else
-		clrmem(ciaset->common.titleKey,16);
+		clrmem(ciaset->common.titleKey,AES_128_KEY_SIZE);
 
+	if(ciaset->verbose)
+		memdump(stdout,"[CIA] CIA title key: ",ciaset->common.titleKey,AES_128_KEY_SIZE);
+		
 	ciaset->tik.formatVersion = 1;
 
 	int result = GenCertChildIssuer(ciaset->tik.issuer,ciaset->keys->certs.xsCert);
@@ -217,33 +220,29 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 
 	u8 *ncch0 = (u8*)(ciaset->ciaSections.content.buffer+ncch0_offset);
 
-	if(!IsNCCH(NULL,ncch0)){
+	if(!IsNcch(NULL,ncch0)){
 		fprintf(stderr,"[CIA ERROR] Content0 is not NCCH\n");
 		return CIA_INVALID_NCCH0;
 	}
 
 	/* Get Ncch0 Header */
-	ncch_hdr *hdr = NULL;
-	hdr = GetNCCH_CommonHDR(hdr,NULL,ncch0);
-	if(IsCfa(hdr)){
-		ciaset->content.IsCfa = true;
-	}
+	ncch_hdr *hdr = (ncch_hdr*)ncch0;
+	ciaset->content.IsCfa = IsCfa(hdr);
 
 	ciaset->content.offset[0] = 0;
-	ciaset->content.size[0] = align(GetNCCH_MediaSize(hdr)*GetNCCH_MediaUnitSize(hdr),0x10);
+	ciaset->content.size[0] = align(GetNcchSize(hdr),0x10);
 	ciaset->content.totalSize = ciaset->content.size[0];
 
 	/* Get Ncch0 Import Context */
-	ncch_struct *ncch_ctx = malloc(sizeof(ncch_struct));
-	if(!ncch_ctx){ 
+	ncch_info *info = calloc(1,sizeof(ncch_info));
+	if(!info){ 
 		fprintf(stderr,"[CIA ERROR] Not enough memory\n"); 
 		return MEM_ERROR; 
 	}
-	memset(ncch_ctx,0x0,sizeof(ncch_struct));
-	GetNCCHStruct(ncch_ctx,hdr);
+	GetNcchInfo(info,hdr);
 
 	/* Verify Ncch0 (Sig&Hash Checks) */
-	int result = VerifyNCCH(ncch0,ciaset->keys,false,true);
+	int result = VerifyNcch(ncch0,ciaset->keys,false,true);
 	if(result == UNABLE_TO_LOAD_NCCH_KEY){
 		ciaset->content.keyNotFound = true;
 		if(!ciaset->content.IsCfa){
@@ -261,31 +260,35 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 
 
 	/* Getting ncch key */
-	ncch_key_type keyType = GetNCCHKeyType(hdr);
 	u8 *ncchkey = NULL;
-	if(!ciaset->content.keyNotFound){
-		SetNcchUnfixedKeys(ciaset->keys,ncch0);
-		ncchkey = GetNCCHKey0(keyType,ciaset->keys);
+	if(!ciaset->content.keyNotFound || IsNcchEncrypted(hdr)){
+		SetNcchKeys(ciaset->keys,hdr);
+		ncchkey = ciaset->keys->aes.ncchKey0;
+		if(ciaset->verbose){
+			printf("[CIA] NCCH AES keys:\n");
+			memdump(stdout," > key0: ",ciaset->keys->aes.ncchKey0,AES_128_KEY_SIZE);
+			memdump(stdout," > key1: ",ciaset->keys->aes.ncchKey1,AES_128_KEY_SIZE);
+		}
 	}
 
 	/* Get TMD Data from ncch */
-	result = GetCIADataFromNcch(ciaset,ncch0,ncch_ctx,ncchkey); // Data For TMD
+	result = GetTmdDataFromNcch(ciaset,ncch0,info,ncchkey); // Data For TMD
 	if(result) goto finish;
 	/* Get META Region from ncch */
-	result = GetMetaRegion(ciaset,ncch0,ncch_ctx,ncchkey); // Meta Region
+	result = GetMetaRegion(ciaset,ncch0,info,ncchkey); // Meta Region
 	/* Finish */
 finish:
 	/* Return */
-	free(ncch_ctx);
+	free(info);
 	return result;	
 }
 
-int GetCIADataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key)
+int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key)
 {
 	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
 	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
-		CryptNCCHSection((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx,key,ncch_exhdr);
+		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx,key,ncch_exhdr);
 
 	u16 Category = u8_to_u16((ciaset->common.titleId+2),BE);
 	if(IsPatch(Category)||ciaset->content.IsCfa||ciaset->content.keyNotFound) 
@@ -318,28 +321,26 @@ int GetCIADataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8
 		ciaset->common.titleVersion[VER_MAJOR] = GetRemasterVersion_frm_exhdr(exhdr);
 	}
 
-	u16 version = SetupVersion(ciaset->common.titleVersion[VER_MAJOR],ciaset->common.titleVersion[VER_MINOR],ciaset->common.titleVersion[VER_MICRO]);
-	ciaset->tik.version = version;
-	ciaset->tmd.version = version;
+	ciaset->tmd.version = ciaset->tik.version = SetupVersion(ciaset->common.titleVersion[VER_MAJOR],ciaset->common.titleVersion[VER_MINOR],ciaset->common.titleVersion[VER_MICRO]);
 
 	free(exhdr);
 	return 0;
 }
 
-int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key)
+int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *info, u8 *key)
 {
 	if(ciaset->content.IsCfa || ciaset->content.keyNotFound) 
 		return 0;
 
 	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
-	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
+	memcpy(exhdr,ncch+info->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
-		CryptNCCHSection((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx,key,ncch_exhdr);
+		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,info,key,ncch_exhdr);
 
 	exefs_hdr *exefsHdr = malloc(sizeof(exefs_hdr));
-	memcpy(exefsHdr,ncch+ncch_ctx->exefsOffset,sizeof(exefs_hdr));
+	memcpy(exefsHdr,ncch+info->exefsOffset,sizeof(exefs_hdr));
 	if(key != NULL)
-		CryptNCCHSection((u8*)exefsHdr,sizeof(exefs_hdr),0,ncch_ctx,key,ncch_exefs);
+		CryptNcchRegion((u8*)exefsHdr,sizeof(exefs_hdr),0,info,key,ncch_exefs);
 
 	u32 icon_size = 0;
 	u32 icon_offset = 0;
@@ -349,7 +350,7 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key
 			icon_offset = u8_to_u32(exefsHdr->fileHdr[i].offset,LE) + sizeof(exefs_hdr);
 		}
 	}
-
+	
 	ciaset->ciaSections.meta.size = sizeof(cia_metadata) + icon_size;
 	ciaset->ciaSections.meta.buffer = malloc(ciaset->ciaSections.meta.size);
 	if(!ciaset->ciaSections.meta.buffer){
@@ -362,9 +363,9 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_struct *ncch_ctx, u8 *key
 	GetCoreVersion_frm_exhdr(hdr->coreVersion,exhdr);
 	if(icon_size > 0){
 		u8 *IconDestPos = (ciaset->ciaSections.meta.buffer + sizeof(cia_metadata));
-		memcpy(IconDestPos,ncch+ncch_ctx->exefsOffset+icon_offset,icon_size);
+		memcpy(IconDestPos,ncch+info->exefsOffset+icon_offset,icon_size);
 		if(key != NULL)
-			CryptNCCHSection(IconDestPos,icon_size,icon_offset,ncch_ctx,key,ncch_exefs);
+			CryptNcchRegion(IconDestPos,icon_size,icon_offset,info,key,ncch_exefs);
 		//memdump(stdout,"Icon: ",IconDestPos,0x10);
 	}
 
@@ -389,7 +390,7 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 				fprintf(stderr,"[CIA ERROR] Failed to open \"%s\"\n",usrset->common.contentPath[i]); 
 				return FAILED_TO_OPEN_FILE; 
 			}
-			ciaset->content.fileSize[j] = GetFileSize_u64(usrset->common.contentPath[i]);
+			ciaset->content.fileSize[j] = GetFileSize64(usrset->common.contentPath[i]);
 			ciaset->content.filePtrs[j] = fopen(usrset->common.contentPath[i],"rb");
 			
 			if(usrset->cia.contentId[i] > MAX_U32)
@@ -400,10 +401,10 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 			ciaset->content.index[j] = (u16)i;
 
 			// Get Data from ncch HDR
-			GetNCCH_CommonHDR(hdr,ciaset->content.filePtrs[j],NULL);
+			ReadNcchHdr(hdr,ciaset->content.filePtrs[j]);
 			
 			// Get Size
-			u64 calcSize = (u64)GetNCCH_MediaSize(hdr) * (u64)GetNCCH_MediaUnitSize(hdr);
+			u64 calcSize = GetNcchSize(hdr);
 			if(calcSize != ciaset->content.fileSize[j]){
 				fprintf(stderr,"[CIA ERROR] \"%s\" is corrupt\n",usrset->common.contentPath[i]); 
 				return FAILED_TO_OPEN_FILE; 
@@ -447,7 +448,7 @@ int ImportNcchContent(cia_settings *ciaset)
 		// Import
 		u8 *ncchpos = (u8*)(ciaset->ciaSections.content.buffer+ciaset->content.offset[i]);
 
-		ReadFile_64(ncchpos, ciaset->content.fileSize[i], 0, ciaset->content.filePtrs[i]);
+		ReadFile64(ncchpos, ciaset->content.fileSize[i], 0, ciaset->content.filePtrs[i]);
 		if(ModifyNcchIds(ncchpos, NULL, ncch0hdr->programId, ciaset->keys) != 0)
 			return -1;
 		
@@ -528,6 +529,11 @@ int GetSettingsFromCci(cia_settings *ciaset)
 	cciContentOffsets[0] = ncch0_offset;
 	for(int i = 1; i < 8; i++){
 		if(GetPartitionSize(ciaset->ciaSections.content.buffer,i)){
+			ncch_hdr *ncchHdr = (ncch_hdr*)GetPartition(ciaset->ciaSections.content.buffer, i);
+			
+			if(IsUpdateCfa(ncchHdr) && !ciaset->content.includeUpdateNcch)
+				continue;
+			
 			cciContentOffsets[j] = GetPartitionOffset(ciaset->ciaSections.content.buffer,i);
 			
 			// Get Size
@@ -557,9 +563,9 @@ int GetSettingsFromCci(cia_settings *ciaset)
 	return 0;
 }
 
-u16 SetupVersion(u16 Major, u16 Minor, u16 Micro)
+u16 SetupVersion(u16 major, u16 minor, u16 micro)
 {
-	return (((Major << 10) & 0xFC00) | ((Minor << 4) & 0x3F0) | (Micro & 0xf));
+	return (((major << 10) & 0xFC00) | ((minor << 4) & 0x3F0) | (micro & 0xf));
 }
 
 void GetContentHashes(cia_settings *ciaset)
@@ -577,7 +583,7 @@ void EncryptContent(cia_settings *ciaset)
 	}
 }
 
-int BuildCIA_CertChain(cia_settings *ciaset)
+int BuildCiaCertChain(cia_settings *ciaset)
 {
 	ciaset->ciaSections.certChain.size = GetCertSize(ciaset->keys->certs.caCert) + GetCertSize(ciaset->keys->certs.xsCert) + GetCertSize(ciaset->keys->certs.cpCert);
 	ciaset->ciaSections.certChain.buffer = malloc(ciaset->ciaSections.certChain.size);
@@ -591,7 +597,7 @@ int BuildCIA_CertChain(cia_settings *ciaset)
 	return 0;
 }
 
-int BuildCIA_Header(cia_settings *ciaset)
+int BuildCiaHdr(cia_settings *ciaset)
 {
 	// Allocating memory for header
 	ciaset->ciaSections.ciaHdr.size = sizeof(cia_hdr);
@@ -644,7 +650,7 @@ int BuildCIA_Header(cia_settings *ciaset)
 	return 0;
 }
 
-int WriteCIAtoFile(cia_settings *ciaset)
+int WriteCiaToFile(cia_settings *ciaset)
 {
 	WriteBuffer(ciaset->ciaSections.ciaHdr.buffer,ciaset->ciaSections.ciaHdr.size,0,ciaset->out);
 	WriteBuffer(ciaset->ciaSections.certChain.buffer,ciaset->ciaSections.certChain.size,ciaset->ciaSections.certChainOffset,ciaset->out);
@@ -656,7 +662,7 @@ int WriteCIAtoFile(cia_settings *ciaset)
 }
 
 
-int CryptContent(u8 *EncBuffer,u8 *DecBuffer,u64 size,u8 *title_key, u16 index, u8 mode)
+int CryptContent(u8 *enc, u8 *dec, u64 size, u8 *title_key, u16 index, u8 mode)
 {
 	//generating IV
 	u8 iv[16];
@@ -667,7 +673,110 @@ int CryptContent(u8 *EncBuffer,u8 *DecBuffer,u64 size,u8 *title_key, u16 index,
 	ctr_aes_context ctx;
 	memset(&ctx,0x0,sizeof(ctr_aes_context));
 	ctr_init_aes_cbc(&ctx,title_key,iv,mode);
-	if(mode == ENC) ctr_aes_cbc(&ctx,DecBuffer,EncBuffer,size,ENC);
-	else ctr_aes_cbc(&ctx,EncBuffer,DecBuffer,size,DEC);
+	if(mode == ENC) ctr_aes_cbc(&ctx,dec,enc,size,ENC);
+	else ctr_aes_cbc(&ctx,enc,dec,size,DEC);
 	return 0;
+}
+
+bool IsCia(u8 *cia)
+{
+	if(!cia)
+		return false;
+	
+	cia_hdr *hdr = (cia_hdr*)cia;
+	
+	if(u8_to_u32(hdr->hdrSize,LE) != sizeof(cia_hdr) || u8_to_u16(hdr->type,LE) != 0 || u8_to_u16(hdr->version,LE) != 0)
+		return false;
+	
+	if(!GetCiaCertSize(hdr) || !GetCiaTikSize(hdr) || !GetCiaTmdSize(hdr) || !GetCiaContentSize(hdr))
+		return false;
+		
+	return true;
+}
+
+u64 GetCiaCertOffset(cia_hdr *hdr)
+{
+	u64 hdrSize = u8_to_u32(hdr->hdrSize,LE);
+	return align(hdrSize,CIA_ALIGN_SIZE);
+}
+
+u64 GetCiaCertSize(cia_hdr *hdr)
+{
+	return u8_to_u32(hdr->certChainSize,LE);
+}
+
+u64 GetCiaTikOffset(cia_hdr *hdr)
+{
+	u64 certOffset = GetCiaCertOffset(hdr);
+	u64 certSize = GetCiaCertSize(hdr);
+	return align(certOffset + certSize,CIA_ALIGN_SIZE);
+}
+
+u64 GetCiaTikSize(cia_hdr *hdr)
+{
+	return u8_to_u32(hdr->tikSize,LE);
+}
+
+u64 GetCiaTmdOffset(cia_hdr *hdr)
+{
+	u64 tikOffset = GetCiaTikOffset(hdr);
+	u64 tikSize = GetCiaTikSize(hdr);
+	return align(tikOffset + tikSize,CIA_ALIGN_SIZE);
+}
+
+u64 GetCiaTmdSize(cia_hdr *hdr)
+{
+	return u8_to_u32(hdr->tmdSize,LE);
+}
+
+u64 GetCiaContentOffset(cia_hdr *hdr)
+{
+	u64 tmdOffset = GetCiaTmdOffset(hdr);
+	u64 tmdSize = GetCiaTmdSize(hdr);
+	return align(tmdOffset + tmdSize,CIA_ALIGN_SIZE);
+}
+
+u64 GetCiaContentSize(cia_hdr *hdr)
+{
+	return u8_to_u64(hdr->contentSize,LE);
+}
+
+u64 GetCiaMetaOffset(cia_hdr *hdr)
+{
+	u64 contentOffset = GetCiaContentOffset(hdr);
+	u64 contentSize = GetCiaContentSize(hdr);
+	return align(contentOffset + contentSize,CIA_ALIGN_SIZE);
+}
+
+u64 GetCiaMetaSize(cia_hdr *hdr)
+{
+	return u8_to_u32(hdr->metaSize,LE);
+}
+
+u8* GetCiaCert(u8 *cia)
+{
+	return cia + GetCiaCertOffset((cia_hdr*)cia);
+}
+
+u8* GetCiaTik(u8 *cia)
+{
+	return cia + GetCiaTikOffset((cia_hdr*)cia);
+}
+
+u8* GetCiaTmd(u8 *cia)
+{
+	return cia + GetCiaTmdOffset((cia_hdr*)cia);
+}
+
+u8* GetCiaContent(u8 *cia)
+{
+	return cia + GetCiaContentOffset((cia_hdr*)cia);
+}
+
+u8* GetCiaMeta(u8 *cia)
+{
+	if(GetCiaMetaSize((cia_hdr*)cia))
+		return cia + GetCiaMetaOffset((cia_hdr*)cia);
+	else
+		return NULL;
 }
\ No newline at end of file
diff --git a/makerom/cia.h b/makerom/cia.h
index b810049d..b7dc6c2c 100644
--- a/makerom/cia.h
+++ b/makerom/cia.h
@@ -1,17 +1,5 @@
 #pragma once
 
-static const int CIA_ALIGN_SIZE = 0x40;
-static const int CIA_CONTENT_ALIGN = 0x10;
-
-// Enums
-typedef enum
-{
-	CIA_NO_NCCH0 = -1,
-	CIA_INVALID_NCCH0 = -2,
-	CIA_CONFILCTING_CONTENT_IDS = -3,
-	CIA_BAD_VERSION = -4,
-} cia_errors;
-
 // Structs
 typedef struct
 {
@@ -34,107 +22,5 @@ typedef struct
 	u8 padding1[0xfc];
 } cia_metadata;
 
-typedef struct
-{
-	u8 *inFile;
-	u64 inFileSize;
-
-	FILE *out;
-
-	rsf_settings *rsf;
-	keys_struct *keys;
-
-	struct{
-		u8 titleId[8];
-		u16 titleVersion[4];
-		u8 titleKey[16];
-	} common;
-	
-
-	struct{
-		u8 caCrlVersion;
-		u8 signerCrlVersion;
-	} cert;
-
-	struct{
-		u8 issuer[0x40];
-		u8 formatVersion;
-
-		u16 version;
-
-		u8 ticketId[8];
-		u8 deviceId[4];
-		u8 licenceType;
-		u8 audit;
-		u8 eshopAccId[4];
-	} tik;
-
-	struct{
-		u8 issuer[0x40];
-		u8 formatVersion;
-
-		u16 version;
-
-		u8 titleType[4];
-		u8 savedataSize[4];
-		u8 privSavedataSize[4];
-		u8 twlFlag;
-	} tmd;
-
-	struct{
-		bool IsCfa;
-		bool IsDlc;
-		bool encryptCia;
-
-		bool keyNotFound;
-
-		FILE **filePtrs;
-		u64 fileSize[CIA_MAX_CONTENT];
-
-		/* Misc Records */
-		u16 count;
-		u64 offset[CIA_MAX_CONTENT];
-		u64 totalSize;
-
-		/* Content Chunk Records */
-		u64 size[CIA_MAX_CONTENT];
-		u16 index[CIA_MAX_CONTENT];
-		u16 flags[CIA_MAX_CONTENT];
-		u32 id[CIA_MAX_CONTENT];
-		u8 hash[CIA_MAX_CONTENT][0x20];		
-	} content;
-
-	struct{
-		buffer_struct ciaHdr;
-		
-		u32 certChainOffset;
-		buffer_struct certChain;
-
-		u32 tikOffset;
-		buffer_struct tik;
-
-		u32 tmdOffset;
-		buffer_struct tmd;
-
-		u32 metaOffset;
-		buffer_struct meta;
-
-		u64 contentOffset;
-		buffer_struct content;
-	} ciaSections;
-} cia_settings;
-
-// Public Prototypes
-int build_CIA(user_settings *usrset);
+int CryptContent(u8 *enc, u8 *dec, u64 size, u8 *title_key, u16 index, u8 mode);
 
-// Cia Read Functions
-u64 GetCiaCertOffset(cia_hdr *hdr);
-u64 GetCiaCertSize(cia_hdr *hdr);
-u64 GetTikOffset(cia_hdr *hdr);
-u64 GetTikSize(cia_hdr *hdr);
-u64 GetTmdOffset(cia_hdr *hdr);
-u64 GetTmdSize(cia_hdr *hdr);
-u64 GetContentOffset(cia_hdr *hdr);
-u64 GetContentSize(cia_hdr *hdr);
-u64 GetMetaOffset(cia_hdr *hdr);
-u64 GetMetaSize(cia_hdr *hdr);
\ No newline at end of file
diff --git a/makerom/cia_build.h b/makerom/cia_build.h
new file mode 100644
index 00000000..a33717d7
--- /dev/null
+++ b/makerom/cia_build.h
@@ -0,0 +1,107 @@
+#pragma once
+#include "cia.h"
+
+// Enums
+typedef enum
+{
+	CIA_NO_NCCH0 = -1,
+	CIA_INVALID_NCCH0 = -2,
+	CIA_CONFILCTING_CONTENT_IDS = -3,
+	CIA_BAD_VERSION = -4,
+} cia_errors;
+
+typedef struct
+{
+	u8 *inFile;
+	u64 inFileSize;
+
+	FILE *out;
+	
+	rsf_settings *rsf;
+	keys_struct *keys;
+
+	bool verbose;
+	
+	struct{
+		u8 titleId[8];
+		u16 titleVersion[4];
+		u8 titleKey[16];
+	} common;
+	
+
+	struct{
+		u8 caCrlVersion;
+		u8 signerCrlVersion;
+	} cert;
+
+	struct{
+		u8 issuer[0x40];
+		u8 formatVersion;
+
+		u16 version;
+
+		u8 ticketId[8];
+		u8 deviceId[4];
+		u8 licenceType;
+		u8 audit;
+		u8 eshopAccId[4];
+	} tik;
+
+	struct{
+		u8 issuer[0x40];
+		u8 formatVersion;
+
+		u16 version;
+
+		u8 titleType[4];
+		u8 savedataSize[4];
+		u8 privSavedataSize[4];
+		u8 twlFlag;
+	} tmd;
+
+	struct{
+		bool IsCfa;
+		bool IsDlc;
+		bool encryptCia;
+		bool includeUpdateNcch; // for cci -> cia conversions
+
+		bool keyNotFound;
+
+		FILE **filePtrs;
+		u64 fileSize[CIA_MAX_CONTENT];
+
+		/* Misc Records */
+		u16 count;
+		u64 offset[CIA_MAX_CONTENT];
+		u64 totalSize;
+
+		/* Content Chunk Records */
+		u64 size[CIA_MAX_CONTENT];
+		u16 index[CIA_MAX_CONTENT];
+		u16 flags[CIA_MAX_CONTENT];
+		u32 id[CIA_MAX_CONTENT];
+		u8 hash[CIA_MAX_CONTENT][0x20];		
+	} content;
+
+	struct{
+		buffer_struct ciaHdr;
+		
+		u32 certChainOffset;
+		buffer_struct certChain;
+
+		u32 tikOffset;
+		buffer_struct tik;
+
+		u32 tmdOffset;
+		buffer_struct tmd;
+
+		u32 metaOffset;
+		buffer_struct meta;
+
+		u64 contentOffset;
+		buffer_struct content;
+	} ciaSections;
+} cia_settings;
+
+// Public Prototypes
+int build_CIA(user_settings *usrset);
\ No newline at end of file
diff --git a/makerom/cia_read.c b/makerom/cia_read.c
deleted file mode 100644
index dbf27aa7..00000000
--- a/makerom/cia_read.c
+++ /dev/null
@@ -1,61 +0,0 @@
-#include "lib.h"
-#include "cia.h"
-
-u64 GetCiaCertOffset(cia_hdr *hdr)
-{
-	u64 hdrSize = u8_to_u32(hdr->hdrSize,LE);
-	return align(hdrSize,CIA_ALIGN_SIZE);
-}
-
-u64 GetCiaCertSize(cia_hdr *hdr)
-{
-	return u8_to_u32(hdr->certChainSize,LE);
-}
-
-u64 GetTikOffset(cia_hdr *hdr)
-{
-	u64 certOffset = GetCiaCertOffset(hdr);
-	u64 certSize = GetCiaCertSize(hdr);
-	return align(certOffset + certSize,CIA_ALIGN_SIZE);
-}
-
-u64 GetTikSize(cia_hdr *hdr)
-{
-	return u8_to_u32(hdr->tikSize,LE);
-}
-
-u64 GetTmdOffset(cia_hdr *hdr)
-{
-	u64 tikOffset = GetTikOffset(hdr);
-	u64 tikSize = GetTikSize(hdr);
-	return align(tikOffset + tikSize,CIA_ALIGN_SIZE);
-}
-
-u64 GetTmdSize(cia_hdr *hdr)
-{
-	return u8_to_u32(hdr->tmdSize,LE);
-}
-
-u64 GetContentOffset(cia_hdr *hdr)
-{
-	u64 tmdOffset = GetTmdOffset(hdr);
-	u64 tmdSize = GetTmdSize(hdr);
-	return align(tmdOffset + tmdSize,CIA_ALIGN_SIZE);
-}
-
-u64 GetContentSize(cia_hdr *hdr)
-{
-	return u8_to_u64(hdr->contentSize,LE);
-}
-
-u64 GetMetaOffset(cia_hdr *hdr)
-{
-	u64 contentOffset = GetContentOffset(hdr);
-	u64 contentSize = GetContentSize(hdr);
-	return align(contentOffset + contentSize,CIA_ALIGN_SIZE);
-}
-
-u64 GetMetaSize(cia_hdr *hdr)
-{
-	return u8_to_u32(hdr->metaSize,LE);
-}
\ No newline at end of file
diff --git a/makerom/cia_read.h b/makerom/cia_read.h
new file mode 100644
index 00000000..c75090ab
--- /dev/null
+++ b/makerom/cia_read.h
@@ -0,0 +1,21 @@
+#pragma once
+#include "cia.h"
+
+// Cia Read Functions
+bool IsCia(u8 *cia);
+u64 GetCiaCertOffset(cia_hdr *hdr);
+u64 GetCiaCertSize(cia_hdr *hdr);
+u64 GetCiaTikOffset(cia_hdr *hdr);
+u64 GetCiaTikSize(cia_hdr *hdr);
+u64 GetCiaTmdOffset(cia_hdr *hdr);
+u64 GetCiaTmdSize(cia_hdr *hdr);
+u64 GetCiaContentOffset(cia_hdr *hdr);
+u64 GetCiaContentSize(cia_hdr *hdr);
+u64 GetCiaMetaOffset(cia_hdr *hdr);
+u64 GetCiaMetaSize(cia_hdr *hdr);
+
+u8* GetCiaCert(u8 *cia);
+u8* GetCiaTik(u8 *cia);
+u8* GetCiaTmd(u8 *cia);
+u8* GetCiaContent(u8 *cia);
+u8* GetCiaMeta(u8 *cia);
diff --git a/makerom/crypto.c b/makerom/crypto.c
index fc482e0e..bbc977e6 100644
--- a/makerom/crypto.c
+++ b/makerom/crypto.c
@@ -1,6 +1,13 @@
 #include "lib.h"
 #include "crypto.h"
 
+bool VerifySha256(void *data, u64 size, u8 hash[32])
+{
+	u8 calchash[32];
+	ctr_sha(data, size, calchash, CTR_SHA_256);
+	return memcmp(hash,calchash,32) == 0;
+}
+
 void ctr_sha(void *data, u64 size, u8 *hash, int mode)
 {
 	switch(mode){
@@ -9,21 +16,6 @@ void ctr_sha(void *data, u64 size, u8 *hash, int mode)
 	}
 }
 
-u8* AesKeyScrambler(u8 *Key, u8 *KeyX, u8 *KeyY)
-{
-	// Process KeyX/KeyY to get raw normal key
-	for(int i = 0; i < 16; i++)
-		Key[i] = KeyX[i] ^ ((KeyY[i] >> 2) | ((KeyY[i < 15 ? i+1 : 0] & 3) << 6));
-
-	const u8 SCRAMBLE_SECRET[16] = {0x51, 0xD7, 0x5D, 0xBE, 0xFD, 0x07, 0x57, 0x6A, 0x1C, 0xFC, 0x2A, 0xF0, 0x94, 0x4B, 0xD5, 0x6C};
-
-	// Apply Secret to get final normal key
-	for(int i = 0; i < 16; i++)
-		Key[i] = Key[i] ^ SCRAMBLE_SECRET[i];
-
-	return Key;
-}
-
 void ctr_add_counter(ctr_aes_context* ctx, u32 carry)
 {
 	u32 counter[4];
diff --git a/makerom/crypto.h b/makerom/crypto.h
index 19b5163e..3d5aaeed 100644
--- a/makerom/crypto.h
+++ b/makerom/crypto.h
@@ -71,9 +71,9 @@ typedef struct
 extern "C" {
 #endif
 // SHA
+bool VerifySha256(void *data, u64 size, u8 hash[32]);
 void ctr_sha(void *data, u64 size, u8 *hash, int mode);
 // AES
-u8* AesKeyScrambler(u8 *Key, u8 *KeyX, u8 *KeyY);
 void ctr_add_counter(ctr_aes_context* ctx, u32 carry);
 void ctr_init_counter(ctr_aes_context* ctx, u8 key[16],u8 ctr[16]);
 void ctr_crypt_counter_block(ctr_aes_context* ctx, u8 input[16], u8 output[16]);
diff --git a/makerom/ctr_utils.c b/makerom/ctr_utils.c
new file mode 100644
index 00000000..d8e9610b
--- /dev/null
+++ b/makerom/ctr_utils.c
@@ -0,0 +1,14 @@
+#include "lib.h"
+
+u32 GetCtrBlockSize(u8 flag)
+{
+	return 1 << (flag + 9);
+}
+
+u8 GetCtrBlockSizeFlag(u32 size)
+{
+	u8 ret = 0;
+	for(u32 tmp = size; tmp > 0x200; tmp = tmp >> 1)
+		ret++;
+	return ret;
+}
\ No newline at end of file
diff --git a/makerom/ctr_utils.h b/makerom/ctr_utils.h
new file mode 100644
index 00000000..3c92de40
--- /dev/null
+++ b/makerom/ctr_utils.h
@@ -0,0 +1,4 @@
+#pragma once
+
+u32 GetCtrBlockSize(u8 flag);
+u8 GetCtrBlockSizeFlag(u32 size);
\ No newline at end of file
diff --git a/makerom/desc_dev_sigdata.h b/makerom/desc/dev_sigdata.h
similarity index 100%
rename from makerom/desc_dev_sigdata.h
rename to makerom/desc/dev_sigdata.h
diff --git a/makerom/desc_presets.h b/makerom/desc/presets.h
similarity index 100%
rename from makerom/desc_presets.h
rename to makerom/desc/presets.h
diff --git a/makerom/desc_prod_sigdata.h b/makerom/desc/prod_sigdata.h
similarity index 100%
rename from makerom/desc_prod_sigdata.h
rename to makerom/desc/prod_sigdata.h
diff --git a/makerom/dir.c b/makerom/dir.c
index bcd57b2e..b0fb1e74 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -118,10 +118,10 @@ fs_entry* fs_GetEntry(fs_DIR *dp)
 	{
 		entry->IsDir = false;
 #ifdef _WIN32
-		entry->size = wGetFileSize_u64(entry->fs_name);
+		entry->size = wGetFileSize64(entry->fs_name);
 		entry->fp = _wfopen(entry->fs_name,L"rb");
 #else
-		entry->size = GetFileSize_u64(entry->fs_name);
+		entry->size = GetFileSize64(entry->fs_name);
 		entry->fp = fopen(entry->fs_name,"rb");
 #endif
 	}
diff --git a/makerom/elf.c b/makerom/elf.c
index 2ef515ca..3f5a91c0 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -1,125 +1,111 @@
 #include "lib.h"
-#include "ncch.h"
+#include "ncch_build.h"
 #include "elf_hdr.h"
 #include "elf.h"
 #include "blz.h"
 
-int ImportPlainRegionFromFile(ncch_settings *ncchset);
-int ImportExeFsCodeBinaryFromFile(ncch_settings *ncchset);
+int ImportPlainRegionFromFile(ncch_settings *set);
+int ImportExeFsCodeBinaryFromFile(ncch_settings *set);
 
-u32 GetPageSize(ncch_settings *ncchset);
-u32 SizeToPage(u32 memorySize, ElfContext *elf);
+u32 GetPageSize(ncch_settings *set);
+u32 SizeToPage(u32 memorySize, elf_context *elf);
 
-int GetBSS_SizeFromElf(ElfContext *elf, u8 *ElfFile, ncch_settings *ncchset);
-int ImportPlainRegionFromElf(ElfContext *elf, u8 *ElfFile, ncch_settings *ncchset);
-int CreateExeFsCode(ElfContext *elf, u8 *ElfFile, ncch_settings *ncchset);
-int CreateCodeSegmentFromElf(CodeSegment *out, ElfContext *elf, u8 *ElfFile, char **Names, u32 NameNum);
-ElfSegment** GetContinuousSegments(u16 *ContinuousSegmentNum, ElfContext *elf, char **Names, u32 NameNum);
-ElfSegment** GetSegments(u16 *SegmentNum, ElfContext *elf, char **Names, u32 NameNum);
+int GetBSSFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set);
+int ImportPlainRegionFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set);
+int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set);
+int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, char **names, u32 nameNum);
+elf_segment** GetContinuousSegments(u16 *ContinuousSegmentNum, elf_context *elf, char **names, u32 nameNum);
+elf_segment** GetSegments(u16 *SegmentNum, elf_context *elf, char **names, u32 nameNum);
 
 // ELF Functions
-int GetElfContext(ElfContext *elf, u8 *ElfFile);
-int GetElfSectionEntries(ElfContext *elf, u8 *ElfFile);
-int GetElfProgramEntries(ElfContext *elf, u8 *ElfFile);
-#ifdef DEBUG
-void PrintElfContext(ElfContext *elf, u8 *ElfFile);
-#endif
-int ReadElfHdr(ElfContext *elf, u8 *ElfFile);
+int GetElfContext(elf_context *elf, u8 *elfFile);
+int GetElfSectionEntries(elf_context *elf, u8 *elfFile);
+int GetElfProgramEntries(elf_context *elf, u8 *elfFile);
+void PrintElfContext(elf_context *elf, u8 *elfFile);
+int ReadElfHdr(elf_context *elf, u8 *elfFile);
 
-int CreateElfSegments(ElfContext *elf, u8 *ElfFile);
-bool IsIgnoreSection(ElfSectionEntry info);
+int CreateElfSegments(elf_context *elf, u8 *elfFile);
+bool IsIgnoreSection(elf_section_entry info);
 
 /* ELF Section Entry Functions */
-u8* GetELFSectionHeader(u16 Index, ElfContext *elf, u8 *ElfFile);
-u8* GetELFSectionEntry(u16 Index, ElfContext *elf, u8 *ElfFile);
-char* GetELFSectionEntryName(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFSectionEntryType(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFSectionEntryFlags(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFSectionEntryAddress(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFSectionEntryFileOffset(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFSectionEntrySize(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFSectionEntryAlignment(u16 Index, ElfContext *elf, u8 *ElfFile);
-
-u16 GetElfSectionIndexFromName(char *Name, ElfContext *elf, u8 *ElfFile);
-
-bool IsBss(ElfSectionEntry *Section);
-bool IsData(ElfSectionEntry *Section);
-bool IsRO(ElfSectionEntry *Section);
-bool IsText(ElfSectionEntry *Section);
+u8* GetELFSectionHeader(u16 index, elf_context *elf, u8 *elfFile);
+u8* GetELFSectionEntry(u16 index, elf_context *elf, u8 *elfFile);
+char* GetELFSectionEntryName(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFSectionEntryType(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFSectionEntryFlags(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFSectionEntryAddress(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFSectionEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFSectionEntrySize(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFSectionEntryAlignment(u16 index, elf_context *elf, u8 *elfFile);
+
+u16 GetElfSectionIndexFromName(char *name, elf_context *elf, u8 *elfFile);
+
+bool IsBss(elf_section_entry *section);
+bool IsData(elf_section_entry *section);
+bool IsRoData(elf_section_entry *section);
+bool IsText(elf_section_entry *section);
 
 /* ELF Program Entry Functions */
-u8* GetELFProgramHeader(u16 Index, ElfContext *elf, u8 *ElfFile);
-u8* GetELFProgramEntry(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryType(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryFlags(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryFileSize(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryFileOffset(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryMemorySize(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryVAddress(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryPAddress(u16 Index, ElfContext *elf, u8 *ElfFile);
-u64 GetELFProgramEntryAlignment(u16 Index, ElfContext *elf, u8 *ElfFile);
+u8* GetELFProgramHeader(u16 index, elf_context *elf, u8 *elfFile);
+u8* GetELFProgramEntry(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryType(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryFlags(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryFileSize(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryMemorySize(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryVAddress(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryPAddress(u16 index, elf_context *elf, u8 *elfFile);
+u64 GetELFProgramEntryAlignment(u16 index, elf_context *elf, u8 *elfFile);
 
 
-int BuildExeFsCode(ncch_settings *ncchset)
+int BuildExeFsCode(ncch_settings *set)
 {
 	int result = 0;
-	if(ncchset->options.IsCfa)
+	if(set->options.IsCfa)
 		return result;
-	if(ncchset->componentFilePtrs.plainregion){ // Import PlainRegion from file
-		result = ImportPlainRegionFromFile(ncchset);
+	if(set->componentFilePtrs.plainregion){ // Import PlainRegion from file
+		result = ImportPlainRegionFromFile(set);
 		if(result) return result;
 	}
-	if(!ncchset->options.IsBuildingCodeSection){ // Import ExeFs Code from file and return
-		result = ImportExeFsCodeBinaryFromFile(ncchset);
+	if(!set->options.IsBuildingCodeSection){ // Import ExeFs Code from file and return
+		result = ImportExeFsCodeBinaryFromFile(set);
 		return result;
 	}
 
-#ifdef DEBUG
-	printf("[DEBUG] Import ELF\n");
-#endif
 	/* Import ELF */
-	u8 *ElfFile = malloc(ncchset->componentFilePtrs.elfSize);
-	if(!ElfFile) {
+	u8 *elfFile = malloc(set->componentFilePtrs.elfSize);
+	if(!elfFile) {
 		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
-	ReadFile_64(ElfFile,ncchset->componentFilePtrs.elfSize,0,ncchset->componentFilePtrs.elf);
+	ReadFile64(elfFile,set->componentFilePtrs.elfSize,0,set->componentFilePtrs.elf);
 
-#ifdef DEBUG
-	printf("[DEBUG] Create ELF Context\n");
-#endif
 	/* Create ELF Context */
-	ElfContext *elf = calloc(1,sizeof(ElfContext));
+	elf_context *elf = calloc(1,sizeof(elf_context));
 	if(!elf) {
 		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
-		free(ElfFile); 
+		free(elfFile); 
 		return MEM_ERROR;
 	}
 	
-	result = GetElfContext(elf,ElfFile);
+	result = GetElfContext(elf,elfFile);
 	if(result) goto finish;
 
 	/* Setting Page Size */
-	elf->pageSize = GetPageSize(ncchset);
+	elf->pageSize = GetPageSize(set);
 
-	if(!ncchset->componentFilePtrs.plainregion){
-		result = ImportPlainRegionFromElf(elf,ElfFile,ncchset);
+	if(!set->componentFilePtrs.plainregion){
+		result = ImportPlainRegionFromElf(elf,elfFile,set);
 		if(result) goto finish;
 	}
 
-#ifdef DEBUG
-	PrintElfContext(elf,ElfFile);
-#endif
+	if(set->options.verbose)
+		PrintElfContext(elf,elfFile);
 
-#ifdef DEBUG
-	printf("[DEBUG] Create ExeFs Code\n");
-#endif
-	result = CreateExeFsCode(elf,ElfFile,ncchset);
+	result = CreateExeFsCode(elf,elfFile,set);
 	if(result) goto finish;
-#ifdef DEBUG
-	printf("[DEBUG] Get BSS Size\n");
-#endif
-	result = GetBSS_SizeFromElf(elf,ElfFile,ncchset);
+
+	result = GetBSSFromElf(elf,elfFile,set);
 	if(result) goto finish;
 
 finish:
@@ -131,19 +117,9 @@ int BuildExeFsCode(ncch_settings *ncchset)
 		else if(result == NOT_FIND_CODE_SECTIONS) fprintf(stderr,"[ELF ERROR] Failed to retrieve code sections from ELF\n");
 		else fprintf(stderr,"[ELF ERROR] Failed to process ELF file (%d)\n",result);
 	}
-#ifdef DEBUG
-	printf("[DEBUG] Free Segment Header/Sections\n");
-#endif
-	for(int i = 0; i < elf->activeSegments; i++){
-#ifdef DEBUG
-	printf("[DEBUG] %d\n",i);
-#endif
+	for(int i = 0; i < elf->activeSegments; i++)
 		free(elf->segments[i].sections);
-	}
-#ifdef DEBUG
-	printf("[DEBUG] Free others\n");
-#endif
-	free(ElfFile);
+	free(elfFile);
 	free(elf->sections);
 	free(elf->programHeaders);
 	free(elf->segments);
@@ -151,168 +127,168 @@ int BuildExeFsCode(ncch_settings *ncchset)
 	return result;	
 }
 
-int ImportPlainRegionFromFile(ncch_settings *ncchset)
+int ImportPlainRegionFromFile(ncch_settings *set)
 {
-	ncchset->sections.plainRegion.size = align(ncchset->componentFilePtrs.plainregionSize,ncchset->options.mediaSize);
-	ncchset->sections.plainRegion.buffer = malloc(ncchset->sections.plainRegion.size);
-	if(!ncchset->sections.plainRegion.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
-	ReadFile_64(ncchset->sections.plainRegion.buffer,ncchset->componentFilePtrs.plainregionSize,0,ncchset->componentFilePtrs.plainregion);
+	set->sections.plainRegion.size = align(set->componentFilePtrs.plainregionSize,set->options.blockSize);
+	set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
+	if(!set->sections.plainRegion.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
+	ReadFile64(set->sections.plainRegion.buffer,set->componentFilePtrs.plainregionSize,0,set->componentFilePtrs.plainregion);
 	return 0;
 }
 
-int ImportExeFsCodeBinaryFromFile(ncch_settings *ncchset)
+int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
 {
-	u32 size = ncchset->componentFilePtrs.codeSize;
+	u32 size = set->componentFilePtrs.codeSize;
 	u8 *buffer = malloc(size);
 	if(!buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
-	ReadFile_64(buffer,size,0,ncchset->componentFilePtrs.code);
+	ReadFile64(buffer,size,0,set->componentFilePtrs.code);
 
-	ncchset->exefsSections.code.size = ncchset->componentFilePtrs.codeSize;
-	ncchset->exefsSections.code.buffer = malloc(ncchset->exefsSections.code.size);
-	if(!ncchset->exefsSections.code.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
-	ReadFile_64(ncchset->exefsSections.code.buffer,ncchset->exefsSections.code.size,0,ncchset->componentFilePtrs.code);
-	if(ncchset->options.CompressCode){
+	set->exefsSections.code.size = set->componentFilePtrs.codeSize;
+	set->exefsSections.code.buffer = malloc(set->exefsSections.code.size);
+	if(!set->exefsSections.code.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
+	ReadFile64(set->exefsSections.code.buffer,set->exefsSections.code.size,0,set->componentFilePtrs.code);
+	if(set->options.CompressCode){
 		u32 new_len;
-		ncchset->exefsSections.code.buffer = BLZ_Code(buffer,size,&new_len,BLZ_NORMAL);
-		ncchset->exefsSections.code.size = new_len;
+		set->exefsSections.code.buffer = BLZ_Code(buffer,size,&new_len,BLZ_NORMAL);
+		set->exefsSections.code.size = new_len;
 		free(buffer);
 	}
 	else{
-		ncchset->exefsSections.code.size = size;
-		ncchset->exefsSections.code.buffer = buffer;
+		set->exefsSections.code.size = size;
+		set->exefsSections.code.buffer = buffer;
 	}
 	return 0;
 }
 
-u32 GetPageSize(ncch_settings *ncchset)
+u32 GetPageSize(ncch_settings *set)
 {
-	if(ncchset->rsfSet->Option.PageSize)
-		return strtoul(ncchset->rsfSet->Option.PageSize,NULL,10);
+	if(set->rsfSet->Option.PageSize)
+		return strtoul(set->rsfSet->Option.PageSize,NULL,10);
 	return 0x1000;
 }
 
-u32 SizeToPage(u32 memorySize, ElfContext *elf)
+u32 SizeToPage(u32 memorySize, elf_context *elf)
 {
 	return align(memorySize,elf->pageSize)/elf->pageSize;
 }
 
 
-int GetBSS_SizeFromElf(ElfContext *elf, u8 *ElfFile, ncch_settings *ncchset)
+int GetBSSFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set)
 {
 	for(int i = 0; i < elf->sectionTableEntryCount; i++){
 		if(IsBss(&elf->sections[i])) {
-			ncchset->codeDetails.bssSize = elf->sections[i].size;
+			set->codeDetails.bssSize = elf->sections[i].size;
 			return 0;
 		}
 	}
 	return NOT_FIND_BSS_SIZE;
 }
 
-int ImportPlainRegionFromElf(ElfContext *elf, u8 *ElfFile, ncch_settings *ncchset) // Doesn't work same as N makerom
+int ImportPlainRegionFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set) // Doesn't work same as N makerom
 {
-	if(!ncchset->rsfSet->PlainRegionNum) return 0;
-	u16 *Index = calloc(ncchset->rsfSet->PlainRegionNum,sizeof(u16));
+	if(!set->rsfSet->PlainRegionNum) return 0;
+	u16 *index = calloc(set->rsfSet->PlainRegionNum,sizeof(u16));
 
-	/* Getting Index Values for each section */
-	for(int i = 0; i < ncchset->rsfSet->PlainRegionNum; i++){
-		Index[i] = GetElfSectionIndexFromName(ncchset->rsfSet->PlainRegion[i],elf,ElfFile);
+	/* Getting index Values for each section */
+	for(int i = 0; i < set->rsfSet->PlainRegionNum; i++){
+		index[i] = GetElfSectionIndexFromName(set->rsfSet->PlainRegion[i],elf,elfFile);
 	}
 
 	// Eliminating Duplicated Sections
-	for(int i = ncchset->rsfSet->PlainRegionNum - 1; i >= 0; i--){
+	for(int i = set->rsfSet->PlainRegionNum - 1; i >= 0; i--){
 		for(int j = i-1; j >= 0; j--){
-			if(Index[i] == Index[j]) Index[i] = 0;
+			if(index[i] == index[j]) index[i] = 0;
 		}
 	}
 
 	/* Calculating Total Size of Data */
-	u64 TotalSize = 0;
-	for(int i = 0; i < ncchset->rsfSet->PlainRegionNum; i++){
-		TotalSize += elf->sections[Index[i]].size;
+	u64 totalSize = 0;
+	for(int i = 0; i < set->rsfSet->PlainRegionNum; i++){
+		totalSize += elf->sections[index[i]].size;
 	}
 	
 	/* Creating Output Buffer */
-	ncchset->sections.plainRegion.size = align(TotalSize,ncchset->options.mediaSize);
-	ncchset->sections.plainRegion.buffer = malloc(ncchset->sections.plainRegion.size);
-	if(!ncchset->sections.plainRegion.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
-	memset(ncchset->sections.plainRegion.buffer,0,ncchset->sections.plainRegion.size);
+	set->sections.plainRegion.size = align(totalSize,set->options.blockSize);
+	set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
+	if(!set->sections.plainRegion.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
+	memset(set->sections.plainRegion.buffer,0,set->sections.plainRegion.size);
 
 	/* Storing Sections */
 	u64 pos = 0;
-	for(int i = 0; i < ncchset->rsfSet->PlainRegionNum; i++){
-		memcpy((ncchset->sections.plainRegion.buffer+pos),elf->sections[Index[i]].ptr,elf->sections[Index[i]].size);
-		pos += elf->sections[Index[i]].size;
+	for(int i = 0; i < set->rsfSet->PlainRegionNum; i++){
+		memcpy((set->sections.plainRegion.buffer+pos),elf->sections[index[i]].ptr,elf->sections[index[i]].size);
+		pos += elf->sections[index[i]].size;
 	}
 	return 0;
 }
 
-int CreateExeFsCode(ElfContext *elf, u8 *ElfFile, ncch_settings *ncchset)
+int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set)
 {
 	/* Getting Code Segments */
-	CodeSegment Text;
-	memset(&Text,0,sizeof(CodeSegment));
-	CodeSegment RO;
-	memset(&RO,0,sizeof(CodeSegment));
-	CodeSegment Data;
-	memset(&Data,0,sizeof(CodeSegment));
-
-	int result = CreateCodeSegmentFromElf(&Text,elf,ElfFile,ncchset->rsfSet->ExeFs.Text,ncchset->rsfSet->ExeFs.TextNum);
+	code_segment text;
+	memset(&text,0,sizeof(code_segment));
+	code_segment rodata;
+	memset(&rodata,0,sizeof(code_segment));
+	code_segment rwdata;
+	memset(&rwdata,0,sizeof(code_segment));
+
+	int result = CreateCodeSegmentFromElf(&text,elf,elfFile,set->rsfSet->ExeFs.Text,set->rsfSet->ExeFs.TextNum);
 	if(result) return result;
-	result = CreateCodeSegmentFromElf(&RO,elf,ElfFile,ncchset->rsfSet->ExeFs.ReadOnly,ncchset->rsfSet->ExeFs.ReadOnlyNum);
+	result = CreateCodeSegmentFromElf(&rodata,elf,elfFile,set->rsfSet->ExeFs.ReadOnly,set->rsfSet->ExeFs.ReadOnlyNum);
 	if(result) return result;
-	result = CreateCodeSegmentFromElf(&Data,elf,ElfFile,ncchset->rsfSet->ExeFs.ReadWrite,ncchset->rsfSet->ExeFs.ReadWriteNum);
+	result = CreateCodeSegmentFromElf(&rwdata,elf,elfFile,set->rsfSet->ExeFs.ReadWrite,set->rsfSet->ExeFs.ReadWriteNum);
 	if(result) return result;
 
 	/* Allocating Buffer for ExeFs Code */
-	u32 size = (Text.maxPageNum + RO.maxPageNum + Data.maxPageNum)*elf->pageSize;
+	u32 size = (text.maxPageNum + rodata.maxPageNum + rwdata.maxPageNum)*elf->pageSize;
 	u8 *code = malloc(size);
 
 	/* Writing Code into Buffer */
-	u8 *TextPos = (code + 0);
-	u8 *ROPos = (code + Text.maxPageNum*elf->pageSize);
-	u8 *DataPos = (code + (Text.maxPageNum + RO.maxPageNum)*elf->pageSize);
-	if(Text.size) memcpy(TextPos,Text.data,Text.size);
-	if(RO.size) memcpy(ROPos,RO.data,RO.size);
-	if(Data.size) memcpy(DataPos,Data.data,Data.size);
+	u8 *textPos = (code + 0);
+	u8 *rodataPos = (code + text.maxPageNum*elf->pageSize);
+	u8 *rwdataPos = (code + (text.maxPageNum + rodata.maxPageNum)*elf->pageSize);
+	if(text.size) memcpy(textPos,text.data,text.size);
+	if(rodata.size) memcpy(rodataPos,rodata.data,rodata.size);
+	if(rwdata.size) memcpy(rwdataPos,rwdata.data,rwdata.size);
 
 
 	/* Compressing If needed */
-	if(ncchset->options.CompressCode){
+	if(set->options.CompressCode){
 		u32 new_len;
-		ncchset->exefsSections.code.buffer = BLZ_Code(code,size,&new_len,BLZ_NORMAL);
-		ncchset->exefsSections.code.size = new_len;
+		set->exefsSections.code.buffer = BLZ_Code(code,size,&new_len,BLZ_NORMAL);
+		set->exefsSections.code.size = new_len;
 		free(code);
 	}
 	else{
-		ncchset->exefsSections.code.size = size;
-		ncchset->exefsSections.code.buffer = code;
+		set->exefsSections.code.size = size;
+		set->exefsSections.code.buffer = code;
 	}
 
-	/* Setting CodeSegment Data and freeing original buffers */
-	ncchset->codeDetails.textAddress = Text.address;
-	ncchset->codeDetails.textMaxPages = Text.maxPageNum;
-	ncchset->codeDetails.textSize = Text.size;
-	if(Text.size) free(Text.data);
+	/* Setting code_segment rwdata and freeing original buffers */
+	set->codeDetails.textAddress = text.address;
+	set->codeDetails.textMaxPages = text.maxPageNum;
+	set->codeDetails.textSize = text.size;
+	if(text.size) free(text.data);
 
-	ncchset->codeDetails.roAddress = RO.address;
-	ncchset->codeDetails.roMaxPages = RO.maxPageNum;
-	ncchset->codeDetails.roSize = RO.size;
-	if(RO.size) free(RO.data);
+	set->codeDetails.roAddress = rodata.address;
+	set->codeDetails.roMaxPages = rodata.maxPageNum;
+	set->codeDetails.roSize = rodata.size;
+	if(rodata.size) free(rodata.data);
 
-	ncchset->codeDetails.rwAddress = Data.address;
-	ncchset->codeDetails.rwMaxPages = Data.maxPageNum;
-	ncchset->codeDetails.rwSize = Data.size;
-	if(Data.size) free(Data.data);
+	set->codeDetails.rwAddress = rwdata.address;
+	set->codeDetails.rwMaxPages = rwdata.maxPageNum;
+	set->codeDetails.rwSize = rwdata.size;
+	if(rwdata.size) free(rwdata.data);
 
 	/* Return */
 	return 0;
 }
 
-int CreateCodeSegmentFromElf(CodeSegment *out, ElfContext *elf, u8 *ElfFile, char **Names, u32 NameNum)
+int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, char **names, u32 nameNum)
 {
 	u16 ContinuousSegmentNum = 0;
-	memset(out,0,sizeof(CodeSegment));
-	ElfSegment **ContinuousSegments = GetContinuousSegments(&ContinuousSegmentNum,elf,Names,NameNum);
+	memset(out,0,sizeof(code_segment));
+	elf_segment **ContinuousSegments = GetContinuousSegments(&ContinuousSegmentNum,elf,names,nameNum);
 	if (ContinuousSegments == NULL){
 		if(!ContinuousSegmentNum){// Nothing Was Found
 			//printf("Nothing was found\n");
@@ -366,17 +342,17 @@ int CreateCodeSegmentFromElf(CodeSegment *out, ElfContext *elf, u8 *ElfFile, cha
 		*/
 		//u32 size = 0;
 		for (int j = 0; j < ContinuousSegments[i]->sectionNum; j++){
-			ElfSectionEntry *Section = &ContinuousSegments[i]->sections[j];
-			if (!IsBss(Section)){				
-				u8 *pos = (out->data + (Section->address - ContinuousSegments[i]->vAddr));
-				memcpy(pos,Section->ptr,Section->size);
-				//size += Section->size;
+			elf_section_entry *section = &ContinuousSegments[i]->sections[j];
+			if (!IsBss(section)){				
+				u8 *pos = (out->data + (section->address - ContinuousSegments[i]->vAddr));
+				memcpy(pos,section->ptr,section->size);
+				//size += section->size;
 			}
 
 			//else if (j == (ContinuousSegments[i]->sectionNum-1))
-				//memorySize -= Section->size;
+				//memorySize -= section->size;
 			//'else
-				//size += Section->size;
+				//size += section->size;
 		}
 	}
 
@@ -385,10 +361,10 @@ int CreateCodeSegmentFromElf(CodeSegment *out, ElfContext *elf, u8 *ElfFile, cha
 }
 
 
-ElfSegment** GetContinuousSegments(u16 *ContinuousSegmentNum, ElfContext *elf, char **Names, u32 NameNum)
+elf_segment** GetContinuousSegments(u16 *ContinuousSegmentNum, elf_context *elf, char **names, u32 nameNum)
 {
 	u16 SegmentNum = 0;
-	ElfSegment **Segments = GetSegments(&SegmentNum, elf, Names, NameNum);
+	elf_segment **Segments = GetSegments(&SegmentNum, elf, names, nameNum);
 	if (Segments == NULL || SegmentNum == 0){ // No Segments for the names were found
 		//printf("Not Found Segment\n");
 		return NULL;
@@ -413,18 +389,18 @@ ElfSegment** GetContinuousSegments(u16 *ContinuousSegmentNum, ElfContext *elf, c
 }
 
 
-ElfSegment** GetSegments(u16 *SegmentNum, ElfContext *elf, char **Names, u32 NameNum)
+elf_segment** GetSegments(u16 *SegmentNum, elf_context *elf, char **names, u32 nameNum)
 {
-	if (Names == NULL)
+	if (names == NULL)
 	{
 		return NULL;
 	}
 
-	ElfSegment **Segments = calloc(NameNum,sizeof(ElfSegment*)); 
-	*SegmentNum = 0; // There can be a max of NameNum Segments, however, they might not all exist
-	for (int i = 0; i < NameNum; i++){
+	elf_segment **Segments = calloc(nameNum,sizeof(elf_segment*)); 
+	*SegmentNum = 0; // There can be a max of nameNum Segments, however, they might not all exist
+	for (int i = 0; i < nameNum; i++){
 		for(int j = 0; j < elf->activeSegments; j++){
-			if(strcmp(Names[i],elf->segments[j].name) == 0){ // If there is a match, store Segment data pointer & increment index
+			if(strcmp(names[i],elf->segments[j].name) == 0){ // If there is a match, store Segment data pointer & increment index
 				Segments[*SegmentNum] = &elf->segments[j];
 				*SegmentNum = *SegmentNum + 1;
 			}
@@ -435,95 +411,93 @@ ElfSegment** GetSegments(u16 *SegmentNum, ElfContext *elf, char **Names, u32 Nam
 
 // ELF Functions
 
-int GetElfContext(ElfContext *elf, u8 *ElfFile)
+int GetElfContext(elf_context *elf, u8 *elfFile)
 {
-	if(u8_to_u32(ElfFile,BE) != ELF_MAGIC) return NOT_ELF_FILE;
+	if(u8_to_u32(elfFile,BE) != ELF_MAGIC) return NOT_ELF_FILE;
 	
-	elf->Is64bit = (ElfFile[4] == elf_64_bit);
-	elf->IsLittleEndian = (ElfFile[5] == elf_little_endian);
+	elf->Is64bit = (elfFile[4] == elf_64_bit);
+	elf->IsLittleEndian = (elfFile[5] == elf_little_endian);
 	
-	int result = ReadElfHdr(elf,ElfFile);
+	int result = ReadElfHdr(elf,elfFile);
 	if(result) return result;
 
-	result = GetElfSectionEntries(elf,ElfFile);
+	result = GetElfSectionEntries(elf,elfFile);
 	if(result) return result;
 
-	result = GetElfProgramEntries(elf,ElfFile);
+	result = GetElfProgramEntries(elf,elfFile);
 	if(result) return result;
 
-	result = CreateElfSegments(elf,ElfFile);
+	result = CreateElfSegments(elf,elfFile);
 	if(result) return result;
 
 	return 0;
 }
 
-int GetElfSectionEntries(ElfContext *elf, u8 *ElfFile)
+int GetElfSectionEntries(elf_context *elf, u8 *elfFile)
 {
-	elf->sections = calloc(elf->sectionTableEntryCount,sizeof(ElfSectionEntry));
+	elf->sections = calloc(elf->sectionTableEntryCount,sizeof(elf_section_entry));
 	if(!elf->sections) {
 		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
 
 	for(int i = 0; i < elf->sectionTableEntryCount; i++){
-		elf->sections[i].name = GetELFSectionEntryName(i,elf,ElfFile);
-		elf->sections[i].type = GetELFSectionEntryType(i,elf,ElfFile);
-		elf->sections[i].flags = GetELFSectionEntryFlags(i,elf,ElfFile);
-		elf->sections[i].ptr = GetELFSectionEntry(i,elf,ElfFile);
-		elf->sections[i].offsetInFile = GetELFSectionEntryFileOffset(i,elf,ElfFile);
-		elf->sections[i].size = GetELFSectionEntrySize(i,elf,ElfFile);
-		elf->sections[i].address = GetELFSectionEntryAddress(i,elf,ElfFile);
-		elf->sections[i].alignment = GetELFSectionEntryAlignment(i,elf,ElfFile);
+		elf->sections[i].name = GetELFSectionEntryName(i,elf,elfFile);
+		elf->sections[i].type = GetELFSectionEntryType(i,elf,elfFile);
+		elf->sections[i].flags = GetELFSectionEntryFlags(i,elf,elfFile);
+		elf->sections[i].ptr = GetELFSectionEntry(i,elf,elfFile);
+		elf->sections[i].offsetInFile = GetELFSectionEntryFileOffset(i,elf,elfFile);
+		elf->sections[i].size = GetELFSectionEntrySize(i,elf,elfFile);
+		elf->sections[i].address = GetELFSectionEntryAddress(i,elf,elfFile);
+		elf->sections[i].alignment = GetELFSectionEntryAlignment(i,elf,elfFile);
 	}
 	return 0;
 }
 
-int GetElfProgramEntries(ElfContext *elf, u8 *ElfFile)
+int GetElfProgramEntries(elf_context *elf, u8 *elfFile)
 {
-	elf->programHeaders = calloc(elf->programTableEntryCount,sizeof(ElfProgramEntry));
+	elf->programHeaders = calloc(elf->programTableEntryCount,sizeof(elf_program_entry));
 	if(!elf->programHeaders) {
 		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
 
 	for(int i = 0; i < elf->programTableEntryCount; i++){
-		elf->programHeaders[i].type = GetELFProgramEntryType(i,elf,ElfFile);
-		elf->programHeaders[i].flags = GetELFProgramEntryFlags(i,elf,ElfFile);
-		elf->programHeaders[i].ptr = GetELFProgramEntry(i,elf,ElfFile);
-		elf->programHeaders[i].offsetInFile = GetELFProgramEntryFileOffset(i,elf,ElfFile);
-		elf->programHeaders[i].sizeInFile = GetELFProgramEntryFileSize(i,elf,ElfFile);
-		elf->programHeaders[i].physicalAddress = GetELFProgramEntryPAddress(i,elf,ElfFile);
-		elf->programHeaders[i].virtualAddress = GetELFProgramEntryVAddress(i,elf,ElfFile);
-		elf->programHeaders[i].sizeInMemory = GetELFProgramEntryMemorySize(i,elf,ElfFile);
-		elf->programHeaders[i].alignment = GetELFProgramEntryAlignment(i,elf,ElfFile);
+		elf->programHeaders[i].type = GetELFProgramEntryType(i,elf,elfFile);
+		elf->programHeaders[i].flags = GetELFProgramEntryFlags(i,elf,elfFile);
+		elf->programHeaders[i].ptr = GetELFProgramEntry(i,elf,elfFile);
+		elf->programHeaders[i].offsetInFile = GetELFProgramEntryFileOffset(i,elf,elfFile);
+		elf->programHeaders[i].sizeInFile = GetELFProgramEntryFileSize(i,elf,elfFile);
+		elf->programHeaders[i].physicalAddress = GetELFProgramEntryPAddress(i,elf,elfFile);
+		elf->programHeaders[i].virtualAddress = GetELFProgramEntryVAddress(i,elf,elfFile);
+		elf->programHeaders[i].sizeInMemory = GetELFProgramEntryMemorySize(i,elf,elfFile);
+		elf->programHeaders[i].alignment = GetELFProgramEntryAlignment(i,elf,elfFile);
 	}
 
 	return 0;
 }
 
-#ifdef DEBUG
-void PrintElfContext(ElfContext *elf, u8 *ElfFile)
+void PrintElfContext(elf_context *elf, u8 *elfFile)
 {
-	printf("[+] Basic Details\n");
+	printf("[ELF] Basic Details\n");
 	printf(" Class:  %s\n",elf->Is64bit ? "64-bit" : "32-bit");
 	printf(" Data:   %s\n",elf->IsLittleEndian ? "Little Endian" : "Big Endian");
-	printf("\n[+] Program Table Data\n");
-	printf(" Offset: 0x%lx\n",elf->programTableOffset);
+	printf("[ELF] Program Table Data\n");
+	printf(" Offset: 0x%"PRIX64"\n",elf->programTableOffset);
 	printf(" Size:   0x%x\n",elf->programTableEntrySize);
 	printf(" Count:  0x%x\n",elf->programTableEntryCount);
-	printf("\n[+] Section Table Data\n");
-	printf(" Offset: 0x%lx\n",elf->sectionTableOffset);
+	printf("[ELF] Section Table Data\n");
+	printf(" Offset: 0x%"PRIX64"\n",elf->sectionTableOffset);
 	printf(" Size:   0x%x\n",elf->sectionTableEntrySize);
 	printf(" Count:  0x%x\n",elf->sectionTableEntryCount);
-	printf(" Lable Index: 0x%x\n",elf->sectionHeaderNameEntryIndex);
+	printf(" Label index: 0x%x\n",elf->sectionHeaderNameEntryIndex);
 	for(int i = 0; i < elf->activeSegments; i++){
 		printf(" Segment [%d][%s]\n",i,elf->segments[i].name);
-		printf(" > Size :     0x%x\n",elf->segments[i].header->sizeInFile);
-		printf(" > Address :  0x%x\n",elf->segments[i].vAddr);
+		printf(" > Size :     0x%"PRIX64"\n",elf->segments[i].header->sizeInFile);
+		printf(" > Address :  0x%"PRIX64"\n",elf->segments[i].vAddr);
 		printf(" > Sections : %d\n",elf->segments[i].sectionNum);  
-		for(int j = 0; j < elf->segments[i].sectionNum; j++){
+		for(int j = 0; j < elf->segments[i].sectionNum; j++)
 			printf("    > Section [%d][%s]\n",j,elf->segments[i].sections[j].name);
-		}
 		
 		/*
 		char outpath[100];
@@ -538,12 +512,11 @@ void PrintElfContext(ElfContext *elf, u8 *ElfFile)
 	}
 
 }
-#endif
 
-int ReadElfHdr(ElfContext *elf, u8 *ElfFile)
+int ReadElfHdr(elf_context *elf, u8 *elfFile)
 {
 	if(elf->Is64bit){
-		elf_64_hdr *hdr = (elf_64_hdr*)ElfFile;
+		elf_64_hdr *hdr = (elf_64_hdr*)elfFile;
 
 		u16 Architecture = u8_to_u16(hdr->targetArchitecture,elf->IsLittleEndian);
 		u16 Type = u8_to_u16(hdr->type,elf->IsLittleEndian);
@@ -561,7 +534,7 @@ int ReadElfHdr(ElfContext *elf, u8 *ElfFile)
 		elf->sectionHeaderNameEntryIndex = u8_to_u16(hdr->sectionHeaderNameEntryIndex,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_hdr *hdr = (elf_32_hdr*)ElfFile;
+		elf_32_hdr *hdr = (elf_32_hdr*)elfFile;
 
 		u16 Architecture = u8_to_u16(hdr->targetArchitecture,elf->IsLittleEndian);
 		u16 Type = u8_to_u16(hdr->type,elf->IsLittleEndian);
@@ -583,129 +556,129 @@ int ReadElfHdr(ElfContext *elf, u8 *ElfFile)
 
 /* Section Hdr Functions */
 
-u8* GetELFSectionHeader(u16 Index, ElfContext *elf, u8 *ElfFile)
+u8* GetELFSectionHeader(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return NULL;
+	if(index >= elf->sectionTableEntryCount) return NULL;
 
-	return (ElfFile + elf->sectionTableOffset + elf->sectionTableEntrySize*Index);
+	return (elfFile + elf->sectionTableOffset + elf->sectionTableEntrySize*index);
 }
 
-u8* GetELFSectionEntry(u16 Index, ElfContext *elf, u8 *ElfFile)
+u8* GetELFSectionEntry(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return NULL;
+	if(index >= elf->sectionTableEntryCount) return NULL;
 
-	return (u8*) (ElfFile + GetELFSectionEntryFileOffset(Index,elf,ElfFile));
+	return (u8*) (elfFile + GetELFSectionEntryFileOffset(index,elf,elfFile));
 }
 
-char* GetELFSectionEntryName(u16 Index, ElfContext *elf, u8 *ElfFile)
+char* GetELFSectionEntryName(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return 0;
+	if(index >= elf->sectionTableEntryCount) return 0;
 
 	u64 NameIndex = 0;
 	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		NameIndex = u8_to_u64(shdr->sh_name,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		NameIndex = u8_to_u32(shdr->sh_name,elf->IsLittleEndian);
 	}
 
-	u8 *NameTable = GetELFSectionEntry(elf->sectionHeaderNameEntryIndex,elf,ElfFile);
+	u8 *NameTable = GetELFSectionEntry(elf->sectionHeaderNameEntryIndex,elf,elfFile);
 	
 	return (char*)(NameTable+NameIndex);
 }
 
-u64 GetELFSectionEntryType(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFSectionEntryType(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return 0;
+	if(index >= elf->sectionTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u64(shdr->sh_type,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u32(shdr->sh_type,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFSectionEntryFlags(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFSectionEntryFlags(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return 0;
+	if(index >= elf->sectionTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u64(shdr->sh_flags,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u32(shdr->sh_flags,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFSectionEntryAddress(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFSectionEntryAddress(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return 0;
+	if(index >= elf->sectionTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u64(shdr->sh_addr,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u32(shdr->sh_addr,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFSectionEntryFileOffset(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFSectionEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return 0;
+	if(index >= elf->sectionTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u64(shdr->sh_offset,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u32(shdr->sh_offset,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFSectionEntrySize(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFSectionEntrySize(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return 0;
+	if(index >= elf->sectionTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u64(shdr->sh_size,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u32(shdr->sh_size,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFSectionEntryAlignment(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFSectionEntryAlignment(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->sectionTableEntryCount) return 0;
+	if(index >= elf->sectionTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u64(shdr->sh_addralign,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(Index,elf,ElfFile);
+		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
 		return u8_to_u32(shdr->sh_addralign,elf->IsLittleEndian);
 	}
 
@@ -713,166 +686,166 @@ u64 GetELFSectionEntryAlignment(u16 Index, ElfContext *elf, u8 *ElfFile)
 }
 
 
-u16 GetElfSectionIndexFromName(char *Name, ElfContext *elf, u8 *ElfFile)
+u16 GetElfSectionIndexFromName(char *name, elf_context *elf, u8 *elfFile)
 {
 	for(int i = 0; i < elf->sectionTableEntryCount; i++){
-		if(strcmp(Name,elf->sections[i].name) == 0) return i;
+		if(strcmp(name,elf->sections[i].name) == 0) return i;
 	}
 	return 0; // Assuming 0 is always empty
 }
 
-bool IsBss(ElfSectionEntry *Section)
+bool IsBss(elf_section_entry *section)
 {
-	if(Section->type == 8 && Section->flags == 3)
+	if(section->type == 8 && section->flags == 3)
 		return true;
 	return false;
 }
 
-bool IsData(ElfSectionEntry *Section)
+bool IsData(elf_section_entry *section)
 {
-	if(Section->type == 1 && Section->flags == 3)
+	if(section->type == 1 && section->flags == 3)
 		return true;
 	return false;
 }
 
-bool IsRO(ElfSectionEntry *Section)
+bool IsRoData(elf_section_entry *section)
 {
-	if(Section->type == 1 && Section->flags == 2)
+	if(section->type == 1 && section->flags == 2)
 		return true;
 	return false;
 }
 
-bool IsText(ElfSectionEntry *Section)
+bool IsText(elf_section_entry *section)
 {
-	if(Section->type == 1 && Section->flags == 6)
+	if(section->type == 1 && section->flags == 6)
 		return true;
 	return false;
 }
 
 /* ProgramHeader Functions */
 
-u8* GetELFProgramHeader(u16 Index, ElfContext *elf, u8 *ElfFile)
+u8* GetELFProgramHeader(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return NULL;
+	if(index >= elf->programTableEntryCount) return NULL;
 
-	return (ElfFile + elf->programTableOffset + elf->programTableEntrySize*Index);
+	return (elfFile + elf->programTableOffset + elf->programTableEntrySize*index);
 }
 
-u8* GetELFProgramEntry(u16 Index, ElfContext *elf, u8 *ElfFile)
+u8* GetELFProgramEntry(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return NULL;
+	if(index >= elf->programTableEntryCount) return NULL;
 
-	return (u8*) (ElfFile + GetELFProgramEntryFileOffset(Index,elf,ElfFile));
+	return (u8*) (elfFile + GetELFProgramEntryFileOffset(index,elf,elfFile));
 
 	return NULL;
 }
 
-u64 GetELFProgramEntryType(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryType(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_type,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_type,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFProgramEntryFlags(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryFlags(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_flags,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_flags,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFProgramEntryFileSize(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryFileSize(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_filesz,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_filesz,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFProgramEntryFileOffset(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_offset,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_offset,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFProgramEntryMemorySize(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryMemorySize(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_memsz,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_memsz,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFProgramEntryVAddress(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryVAddress(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_vaddr,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_vaddr,elf->IsLittleEndian);
 	}
 
 	return 0;
 }
 
-u64 GetELFProgramEntryPAddress(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryPAddress(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_paddr,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_paddr,elf->IsLittleEndian);
 	}
 
@@ -880,16 +853,16 @@ u64 GetELFProgramEntryPAddress(u16 Index, ElfContext *elf, u8 *ElfFile)
 }
 
 
-u64 GetELFProgramEntryAlignment(u16 Index, ElfContext *elf, u8 *ElfFile)
+u64 GetELFProgramEntryAlignment(u16 index, elf_context *elf, u8 *elfFile)
 {
-	if(Index >= elf->programTableEntryCount) return 0;
+	if(index >= elf->programTableEntryCount) return 0;
 
 	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u64(phdr->p_align,elf->IsLittleEndian);
 	}
 	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(Index,elf,ElfFile);
+		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
 		return u8_to_u32(phdr->p_align,elf->IsLittleEndian);
 	}
 
@@ -897,16 +870,16 @@ u64 GetELFProgramEntryAlignment(u16 Index, ElfContext *elf, u8 *ElfFile)
 }
 
 
-int CreateElfSegments(ElfContext *elf, u8 *ElfFile)
+int CreateElfSegments(elf_context *elf, u8 *elfFile)
 {
 	int num = 0;
 	// Interate through Each Program Header
 	elf->activeSegments = 0;
-	elf->segments = calloc(elf->programTableEntryCount,sizeof(ElfSegment));
-	ElfSegment *segment = malloc(sizeof(ElfSegment)); // Temporary Buffer
+	elf->segments = calloc(elf->programTableEntryCount,sizeof(elf_segment));
+	elf_segment *segment = malloc(sizeof(elf_segment)); // Temporary Buffer
 	for (int i = 0; i < elf->programTableEntryCount; i++){
 		if (elf->programHeaders[i].sizeInMemory != 0 && elf->programHeaders[i].type == 1){
-			memset(segment,0,sizeof(ElfSegment));
+			memset(segment,0,sizeof(elf_segment));
 
 			bool foundFirstSection = false;
 			u32 size = 0;
@@ -917,7 +890,7 @@ int CreateElfSegments(ElfContext *elf, u8 *ElfFile)
 			
 			u16 SectionInfoCapacity = 10;
 			segment->sectionNum = 0;
-			segment->sections = calloc(SectionInfoCapacity,sizeof(ElfSectionEntry));
+			segment->sections = calloc(SectionInfoCapacity,sizeof(elf_section_entry));
 
 			// Itterate Through Section Headers
 			for (int j = num; j < elf->sectionTableEntryCount; j++){
@@ -936,15 +909,15 @@ int CreateElfSegments(ElfContext *elf, u8 *ElfFile)
                 }
 
 				if(segment->sectionNum < SectionInfoCapacity)
-					memcpy(&segment->sections[segment->sectionNum],&elf->sections[j],sizeof(ElfSectionEntry));
+					memcpy(&segment->sections[segment->sectionNum],&elf->sections[j],sizeof(elf_section_entry));
 				else{
 					SectionInfoCapacity = SectionInfoCapacity*2;
-					ElfSectionEntry *tmp = calloc(SectionInfoCapacity,sizeof(ElfSectionEntry));
+					elf_section_entry *tmp = calloc(SectionInfoCapacity,sizeof(elf_section_entry));
 					for(int k = 0; k < segment->sectionNum; k++)
-						memcpy(&tmp[k],&segment->sections[k],sizeof(ElfSectionEntry));
+						memcpy(&tmp[k],&segment->sections[k],sizeof(elf_section_entry));
 					free(segment->sections);
 					segment->sections = tmp;
-					memcpy(&segment->sections[segment->sectionNum],&elf->sections[j],sizeof(ElfSectionEntry));
+					memcpy(&segment->sections[segment->sectionNum],&elf->sections[j],sizeof(elf_section_entry));
 				}
 				segment->sectionNum++;
 
@@ -955,7 +928,7 @@ int CreateElfSegments(ElfContext *elf, u8 *ElfFile)
 					size += padding + elf->sections[j].size;
 				}
 					
-				//printf("Section Name: %s",elf->sections[j].name);
+				//printf("Section name: %s",elf->sections[j].name);
 				//printf(" 0x%lx",elf->sections[j].size);
 				//printf(" (Total Size: 0x%x)\n",size);
 
@@ -969,7 +942,7 @@ int CreateElfSegments(ElfContext *elf, u8 *ElfFile)
             }
 			if(segment->sectionNum){
 				segment->header = &elf->programHeaders[i];
-				memcpy(&elf->segments[elf->activeSegments],segment,sizeof(ElfSegment));
+				memcpy(&elf->segments[elf->activeSegments],segment,sizeof(elf_segment));
 				elf->activeSegments++;
 			}
 			else{
@@ -985,7 +958,7 @@ int CreateElfSegments(ElfContext *elf, u8 *ElfFile)
 	return 0;
 }
 
-bool IsIgnoreSection(ElfSectionEntry info)
+bool IsIgnoreSection(elf_section_entry info)
 {
 	if (info.address)
 		return false;
diff --git a/makerom/elf.h b/makerom/elf.h
index 431a3ed7..d3a24640 100644
--- a/makerom/elf.h
+++ b/makerom/elf.h
@@ -23,7 +23,7 @@ typedef struct
 	u64 size;
 	u64 address;
 	u64 alignment;
-} ElfSectionEntry;
+} elf_section_entry;
 
 typedef struct
 {
@@ -36,18 +36,17 @@ typedef struct
 	u64 physicalAddress;
 	u64 sizeInMemory;
 	u64 alignment;
-	
-} ElfProgramEntry;
+} elf_program_entry;
 
 typedef struct
 {
 	char *name;
 	u64 vAddr;
 
-	ElfProgramEntry *header;
+	elf_program_entry *header;
 	u32 sectionNum;
-	ElfSectionEntry *sections;
-} ElfSegment;
+	elf_section_entry *sections;
+} elf_segment;
 
 typedef struct
 {
@@ -55,7 +54,7 @@ typedef struct
 	u32 size;
 	u32 maxPageNum;
 	u8 *data;
-} CodeSegment;
+} code_segment;
 
 typedef struct
 {
@@ -73,12 +72,12 @@ typedef struct
 	
 	u16 sectionHeaderNameEntryIndex;
 
-	ElfSectionEntry *sections;
-	ElfProgramEntry *programHeaders;
+	elf_section_entry *sections;
+	elf_program_entry *programHeaders;
 
 	u16 activeSegments;
-	ElfSegment *segments;
+	elf_segment *segments;
 
-} ElfContext;
+} elf_context;
 
 int BuildExeFsCode(ncch_settings *ncchset);
\ No newline at end of file
diff --git a/makerom/exefs.c b/makerom/exefs.c
index c1e53284..1d3f2304 100644
--- a/makerom/exefs.c
+++ b/makerom/exefs.c
@@ -1,6 +1,6 @@
 #include "lib.h"
-#include "ncch.h"
-#include "exefs.h"
+#include "ncch_build.h"
+#include "exefs_build.h"
 
 // Private Prototypes
 u32 PredictExeFS_Size(exefs_buildctx *ctx);
@@ -18,7 +18,7 @@ int BuildExeFs(ncch_settings *ncchset)
 		fprintf(stderr,"[EXEFS ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
-	ctx->mediaUnit = ncchset->options.mediaSize;
+	ctx->blockSize = ncchset->options.blockSize;
 
 	/* Importing ExeFs */
 	if(ncchset->exefsSections.code.size) 
@@ -56,10 +56,9 @@ int BuildExeFs(ncch_settings *ncchset)
 
 u32 PredictExeFS_Size(exefs_buildctx *ctx)
 {
-	u32 exefs_size = 0x200; // Size of header
-	for(int i = 0; i < ctx->fileCount; i++){
-		exefs_size += align(ctx->fileSize[i],ctx->mediaUnit);
-	}
+	u32 exefs_size = sizeof(exefs_hdr); // Size of header
+	for(int i = 0; i < ctx->fileCount; i++)
+		exefs_size += align(ctx->fileSize[i],ctx->blockSize);
 	//exefs_size = align(ctx->exefs_size,ctx->mediaUnit);
 	return exefs_size;
 }
@@ -70,7 +69,7 @@ int GenerateExeFS_Header(exefs_buildctx *ctx, u8 *outbuff)
 		if(i == 0)
 			ctx->fileOffset[i] = 0;
 		else
-			ctx->fileOffset[i] = align((ctx->fileOffset[i-1]+ctx->fileSize[i-1]),ctx->mediaUnit);
+			ctx->fileOffset[i] = align((ctx->fileOffset[i-1]+ctx->fileSize[i-1]),ctx->blockSize);
 		
 		memcpy(ctx->fileHdr[i].name,ctx->fileName[i],8);
 		u32_to_u8(ctx->fileHdr[i].offset,ctx->fileOffset[i],LE);
diff --git a/makerom/exefs.h b/makerom/exefs.h
index 52afe84b..f6e6c136 100644
--- a/makerom/exefs.h
+++ b/makerom/exefs.h
@@ -2,14 +2,6 @@
 
 #define MAX_EXEFS_SECTIONS 10 // DO NOT CHANGE
 
-typedef enum
-{
-	PTR_ERROR = -10,
-	EXEFS_MAX_REACHED = -11,
-	EXEFS_SECTION_NAME_ERROR = -12,
-
-} exefs_errors;
-
 typedef struct
 {
 	char name[8];
@@ -23,29 +15,3 @@ typedef struct
 	u8 reserved[0x20];
 	u8 fileHashes[MAX_EXEFS_SECTIONS][0x20];
 } exefs_hdr;
-
-typedef struct
-{
-	//Input
-	int fileCount;
-	u8 *file[MAX_EXEFS_SECTIONS];
-	u32 fileSize[MAX_EXEFS_SECTIONS];
-	u32 fileOffset[MAX_EXEFS_SECTIONS];
-	char fileName[MAX_EXEFS_SECTIONS][8];
-	u32 mediaUnit;
-	
-	//Working Data
-	exefs_filehdr fileHdr[MAX_EXEFS_SECTIONS];
-	u8 fileHashes[MAX_EXEFS_SECTIONS][0x20];
-	
-} exefs_buildctx;
-
-/* ExeFs Build Functions */
-int BuildExeFs(ncch_settings *ncchset);
-
-/* ExeFs Read Functions */
-bool DoesExeFsSectionExist(char *section, u8 *ExeFs);
-u8* GetExeFsSection(char *section, u8 *ExeFs);
-u8* GetExeFsSectionHash(char *section, u8 *ExeFs);
-u32 GetExeFsSectionSize(char *section, u8 *ExeFs);
-u32 GetExeFsSectionOffset(char *section, u8 *ExeFs);
diff --git a/makerom/exefs_build.h b/makerom/exefs_build.h
new file mode 100644
index 00000000..93f45a44
--- /dev/null
+++ b/makerom/exefs_build.h
@@ -0,0 +1,28 @@
+#pragma once
+#include "exefs.h"
+
+typedef enum
+{
+	PTR_ERROR = -10,
+	EXEFS_MAX_REACHED = -11,
+	EXEFS_SECTION_NAME_ERROR = -12,
+} exefs_errors;
+
+typedef struct
+{
+	//Input
+	int fileCount;
+	u8 *file[MAX_EXEFS_SECTIONS];
+	u32 fileSize[MAX_EXEFS_SECTIONS];
+	u32 fileOffset[MAX_EXEFS_SECTIONS];
+	char fileName[MAX_EXEFS_SECTIONS][8];
+	u32 blockSize;
+	
+	//Working Data
+	exefs_filehdr fileHdr[MAX_EXEFS_SECTIONS];
+	u8 fileHashes[MAX_EXEFS_SECTIONS][0x20];
+	
+} exefs_buildctx;
+
+/* ExeFs Build Functions */
+int BuildExeFs(ncch_settings *ncchset);
\ No newline at end of file
diff --git a/makerom/exefs_read.h b/makerom/exefs_read.h
new file mode 100644
index 00000000..990729b8
--- /dev/null
+++ b/makerom/exefs_read.h
@@ -0,0 +1,9 @@
+#pragma once
+#include "exefs.h"
+
+/* ExeFs Read Functions */
+bool DoesExeFsSectionExist(char *section, u8 *ExeFs);
+u8* GetExeFsSection(char *section, u8 *ExeFs);
+u8* GetExeFsSectionHash(char *section, u8 *ExeFs);
+u32 GetExeFsSectionSize(char *section, u8 *ExeFs);
+u32 GetExeFsSectionOffset(char *section, u8 *ExeFs);
\ No newline at end of file
diff --git a/makerom/exheader.c b/makerom/exheader.c
index 0270b359..9c99f258 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -1,6 +1,6 @@
 #include "lib.h"
-#include "ncch.h"
-#include "exheader.h"
+#include "ncch_build.h"
+#include "exheader_build.h"
 #include "accessdesc.h"
 #include "titleid.h"
 
@@ -124,13 +124,13 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	
 	/* Import ExHeader Code Section template */
 	if(ncchset->componentFilePtrs.exhdrSize){ 
-		u32 import_size = 0x30; //min_u64(0x30,ncchset->componentFilePtrs.exhdrSize);
+		u32 import_size = 0x30; //min64(0x30,ncchset->componentFilePtrs.exhdrSize);
 		u32 import_offset = 0x10;
 		if((import_size+import_offset) > ncchset->componentFilePtrs.exhdrSize){
 			fprintf(stderr,"[EXHEADER ERROR] Exheader Template is too small\n");
 			return FAILED_TO_IMPORT_FILE;
 		}
-		ReadFile_64((ncchset->sections.exhdr.buffer+import_offset),import_size,import_offset,ncchset->componentFilePtrs.exhdr);
+		ReadFile64((ncchset->sections.exhdr.buffer+import_offset),import_size,import_offset,ncchset->componentFilePtrs.exhdr);
 	}
 
 	/* Create ExHeader Struct for output */
diff --git a/makerom/exheader.h b/makerom/exheader.h
index 82e778f4..d2d216fb 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -1,12 +1,5 @@
 #pragma once
 
-typedef enum
-{
-	COMMON_HEADER_KEY_NOT_FOUND = -10,
-	EXHDR_BAD_YAML_OPT = -11,
-	CANNOT_SIGN_ACCESSDESC = -12
-} exheader_errors;
-
 typedef enum
 {
 	infoflag_COMPRESS_EXEFS_0 = 1,
@@ -197,37 +190,11 @@ typedef struct
 	exhdr_ARM9AccessControlInfo arm9AccessControlInfo;
 } access_descriptor;
 
-typedef struct
-{
-	keys_struct *keys;
-	rsf_settings *rsf;
-	bool useAccessDescPreset;
-
-	/* Output */
-	extended_hdr *exHdr; // is the exheader output buffer ptr(in ncchset) cast as exheader struct ptr;
-	access_descriptor *acexDesc;
-} exheader_settings;
-
-
 /* ExHeader Signature Functions */
 int SignAccessDesc(access_descriptor *acexDesc, keys_struct *keys);
 int CheckAccessDescSignature(access_descriptor *acexDesc, keys_struct *keys);
 
-/* ExHeader Build Functions */
-int BuildExHeader(ncch_settings *ncchset);
-
-/* ExHeader Binary Print Functions */
-void exhdr_Print_ServiceAccessControl(extended_hdr *hdr);
-
-/* ExHeader Binary Read Functions */
-u8* GetAcexRsaSig(access_descriptor *acexDesc);
-u8* GetAcexNcchPubKey(access_descriptor *acexDesc);
-u16 GetRemasterVersion_frm_exhdr(extended_hdr *hdr);
-u64 GetSaveDataSize_frm_exhdr(extended_hdr *hdr);
-int GetDependencyList_frm_exhdr(u8 *Dest,extended_hdr *hdr);
-void GetCoreVersion_frm_exhdr(u8 *Dest, extended_hdr *hdr);
-
-/* ExHeader Settings Read from Yaml */
+/* ExHeader Settings Read from Rsf */
 int GetSaveDataSizeFromString(u64 *out, char *string, char *moduleName);
 int GetRemasterVersion_rsf(u16 *RemasterVersion, user_settings *usrset);
 
diff --git a/makerom/exheader_build.h b/makerom/exheader_build.h
new file mode 100644
index 00000000..f7fd894c
--- /dev/null
+++ b/makerom/exheader_build.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "exheader.h"
+
+typedef enum
+{
+	COMMON_HEADER_KEY_NOT_FOUND = -10,
+	EXHDR_BAD_YAML_OPT = -11,
+	CANNOT_SIGN_ACCESSDESC = -12
+} exheader_errors;
+
+typedef struct
+{
+	keys_struct *keys;
+	rsf_settings *rsf;
+	bool useAccessDescPreset;
+
+	/* Output, these ptrs where created originally in ncchset */
+	extended_hdr *exHdr;
+	access_descriptor *acexDesc;
+} exheader_settings;
+
+/* ExHeader Build Functions */
+int BuildExHeader(ncch_settings *ncchset);
\ No newline at end of file
diff --git a/makerom/exheader_read.h b/makerom/exheader_read.h
new file mode 100644
index 00000000..9c09ca91
--- /dev/null
+++ b/makerom/exheader_read.h
@@ -0,0 +1,13 @@
+#pragma once
+#include "exheader.h"
+
+/* ExHeader Binary Print Functions */
+void exhdr_Print_ServiceAccessControl(extended_hdr *hdr);
+
+/* ExHeader Binary Read Functions */
+u8* GetAcexRsaSig(access_descriptor *acexDesc);
+u8* GetAcexNcchPubKey(access_descriptor *acexDesc);
+u16 GetRemasterVersion_frm_exhdr(extended_hdr *hdr);
+u64 GetSaveDataSize_frm_exhdr(extended_hdr *hdr);
+int GetDependencyList_frm_exhdr(u8 *Dest,extended_hdr *hdr);
+void GetCoreVersion_frm_exhdr(u8 *Dest, extended_hdr *hdr);
diff --git a/makerom/keyset.c b/makerom/keyset.c
index b44ecb68..a39ce548 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -1,14 +1,16 @@
 #include "lib.h"
 
 // KeyData
-#include "tpki.h" // Test PKI
-#include "ppki.h" // Production PKI
-#include "dpki.h" // Development PKI
+#include "pki/test.h" // Test PKI
+#include "pki/prod.h" // Production PKI
+#include "pki/dev.h" // Development PKI
 
 // Private Prototypes
 int SetRsaKeySet(u8 **PrivDest, u8 *PrivSource, u8 **PubDest, u8 *PubSource);
 int SetunFixedKey(keys_struct *keys, u8 *unFixedKey);
-void InitcommonKeySlots(keys_struct *keys);
+void InitCommonKeySlots(keys_struct *keys);
+void InitNcchKeyXSlots(keys_struct *keys);
+int SetNcchKeyX(keys_struct *keys, u8 *keyX, u8 index);
 
 FILE* keyset_OpenFile(char *dir, char *name, bool FileRequired);
 void keysetOpenError(char *file);
@@ -33,11 +35,12 @@ void DumpKeyset(keys_struct *keys);
 void InitKeys(keys_struct *keys)
 {
 	memset(keys,0,sizeof(keys_struct));
-	InitcommonKeySlots(keys);
+	InitCommonKeySlots(keys);
+	InitNcchKeyXSlots(keys);
 	keys->rsa.cxiHdrPub = malloc(RSA_2048_KEY_SIZE);
 	keys->rsa.cxiHdrPvt = malloc(RSA_2048_KEY_SIZE);
-	keys->aes.unFixedKey0 = malloc(16);
-	keys->aes.unFixedKey1 = malloc(16);
+	keys->aes.ncchKey0 = malloc(AES_128_KEY_SIZE);
+	keys->aes.ncchKey1 = malloc(AES_128_KEY_SIZE);
 }
 
 void PrintBadKeySize(char *path, u32 size)
@@ -45,6 +48,21 @@ void PrintBadKeySize(char *path, u32 size)
 	fprintf(stderr,"[KEYSET ERROR] %s has invalid size (0x%x)\n",path,size);
 }
 
+u8* AesKeyScrambler(u8 *key, u8 *keyX, u8 *keyY)
+{
+	// Process keyX/keyY to get raw normal key
+	for(int i = 0; i < 16; i++)
+		key[i] = keyX[i] ^ ((keyY[i] >> 2) | ((keyY[i < 15 ? i+1 : 0] & 3) << 6)); // keyX[i] ^
+
+	const u8 SCRAMBLE_SECRET[16] = {0x51, 0xD7, 0x5D, 0xBE, 0xFD, 0x07, 0x57, 0x6A, 0x1C, 0xFC, 0x2A, 0xF0, 0x94, 0x4B, 0xD5, 0x6C};
+
+	// Apply Secret to get final normal key
+	for(int i = 0; i < 16; i++)
+		key[i] = key[i] ^ SCRAMBLE_SECRET[i];
+
+	return key;
+}
+
 int SetKeys(keys_struct *keys)
 {	
 	int result = 0;
@@ -90,9 +108,9 @@ int LoadKeysFromResources(keys_struct *keys)
 		keys->keysetLoaded = true;
 		/* AES Keys */
 		// CIA
-		for(int i = 0; i < 2; i++){
+		for(int i = 0; i < 2; i++)
 			SetCommonKey(keys,(u8*)ctr_common_etd_key_dpki[i],i);
-		}
+
 		if(keys->aes.currentCommonKey > 0xff)
 			SetCurrentCommonKey(keys,0);
 	
@@ -100,10 +118,9 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetNormalKey(keys,(u8*)dev_fixed_ncch_key[0]);
 		SetSystemFixedKey(keys,(u8*)dev_fixed_ncch_key[1]);
 		
-		/*
-		keys->aes.ncchKeyX0 = (u8*)dev_unfixed_ncch_keyX[0];
-		keys->aes.ncchKeyX1 = (u8*)dev_unfixed_ncch_keyX[1];
-		*/
+		for(int i = 0; i < 2; i++)
+			SetNcchKeyX(keys,(u8*)dev_unfixed_ncch_keyX[i],i);
+		
 
 		/* RSA Keys */
 		// CIA
@@ -123,18 +140,19 @@ int LoadKeysFromResources(keys_struct *keys)
 		keys->keysetLoaded = true;
 		/* AES Keys */
 		// CIA
-		for(int i = 0; i < 6; i++){
-			keys->aes.commonKey[i] = malloc(16);
-			AesKeyScrambler(keys->aes.commonKey[i],(u8*)ctr_common_etd_keyX_ppki,(u8*)ctr_common_etd_keyY_ppki[i]);
-		}
-		SetCurrentCommonKey(keys,1);
+		//for(int i = 0; i < 6; i++){
+		//	keys->aes.commonKey[i] = malloc(16);
+		//	AesKeyScrambler(keys->aes.commonKey[i],(u8*)ctr_common_etd_keyX_ppki,(u8*)ctr_common_etd_keyY_ppki[i]);
+		//}
+		if(keys->aes.currentCommonKey > 0xff)
+			SetCurrentCommonKey(keys,0);
 	
 		// NCCH
 		keys->aes.normalKey = NULL;
 		keys->aes.systemFixedKey = NULL;
 		/*
-		keys->aes.ncchKeyX0 = (u8*)prod_unfixed_ncch_keyX[0];
-		keys->aes.ncchKeyX1 = (u8*)prod_unfixed_ncch_keyX[1];
+		for(int i = 0; i < 2; i++)
+			SetNcchKeyX(keys,(u8*)prod_unfixed_ncch_keyX[i],i);
 		*/
 
 		/* RSA Keys */
@@ -264,15 +282,19 @@ void FreeKeys(keys_struct *keys)
 {
 	// AES
 	if(keys->aes.commonKey){
-		for(int i = 0; i < 256; i++){
+		for(int i = 0; i <= MAX_CMN_KEY; i++)
 			free(keys->aes.commonKey[i]);
-		}
 	}
 	free(keys->aes.commonKey);
 	free(keys->aes.normalKey);
 	free(keys->aes.systemFixedKey);
-	free(keys->aes.unFixedKey0);
-	free(keys->aes.unFixedKey1);
+	if(keys->aes.ncchKeyX){
+		for(int i = 0; i <= MAX_NCCH_KEYX; i++)
+			free(keys->aes.ncchKeyX[i]);
+	}
+	free(keys->aes.ncchKeyX);
+	free(keys->aes.ncchKey0);
+	free(keys->aes.ncchKey1);
 	
 	// RSA
 	free(keys->rsa.xsPvt);
@@ -309,18 +331,28 @@ int SetRsaKeySet(u8 **PrivDest, u8 *PrivSource, u8 **PubDest, u8 *PubSource)
 	return 0;
 }
 
-int SetCommonKey(keys_struct *keys, u8 *commonKey, u8 Index)
+int SetCommonKey(keys_struct *keys, u8 *commonKey, u8 index)
 {
 	if(!keys) return -1;
-	return CopyData(&keys->aes.commonKey[Index],commonKey,16);
+	return CopyData(&keys->aes.commonKey[index],commonKey,AES_128_KEY_SIZE);
 }
 
-void InitcommonKeySlots(keys_struct *keys)
+void InitCommonKeySlots(keys_struct *keys)
 {
-	if(!keys->aes.commonKey){
-		keys->aes.commonKey = malloc(sizeof(u8*)*256);
-		memset(keys->aes.commonKey,0,sizeof(u8*)*256);
-	}
+	if(!keys->aes.commonKey)
+		keys->aes.commonKey = calloc(MAX_CMN_KEY+1,sizeof(u8*));
+}
+
+int SetNcchKeyX(keys_struct *keys, u8 *keyX, u8 index)
+{
+	if(!keys) return -1;
+	return CopyData(&keys->aes.ncchKeyX[index],keyX,AES_128_KEY_SIZE);
+}
+
+void InitNcchKeyXSlots(keys_struct *keys)
+{
+	if(!keys->aes.ncchKeyX)
+		keys->aes.ncchKeyX = calloc(MAX_NCCH_KEYX+1,sizeof(u8*));
 }
 
 int SetCurrentCommonKey(keys_struct *keys, u8 Index)
@@ -342,22 +374,6 @@ int SetSystemFixedKey(keys_struct *keys, u8 *systemFixedKey)
 	return CopyData(&keys->aes.systemFixedKey,systemFixedKey,16);
 }
 
-int SetNcchUnfixedKeys(keys_struct *keys, u8 *ncchSig)
-{
-	if(!keys) return -1;
-
-	//memdump(stdout,"keyY:  ",ncchSig,16);
-	//memdump(stdout,"keyX0: ",keys->aes.ncchKeyX0,16);
-	//memdump(stdout,"keyX1: ",keys->aes.ncchKeyX1,16);
-
-	if(keys->aes.ncchKeyX0)
-		AesKeyScrambler(keys->aes.unFixedKey0,keys->aes.ncchKeyX0,ncchSig);
-	if(keys->aes.ncchKeyX1)
-		AesKeyScrambler(keys->aes.unFixedKey1,keys->aes.ncchKeyX1,ncchSig);
-
-	return 0;
-}
-
 int SetTIK_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod)
 {
 	if(!keys) return -1;
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 81741a33..9d6c0c60 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -1,5 +1,12 @@
 #pragma once
 
+typedef enum
+{
+	AES_128_KEY_SIZE = 16,
+	MAX_CMN_KEY = MAX_U8,
+	MAX_NCCH_KEYX = MAX_U8
+} keydata_limits;
+
 typedef enum
 {
 	KEYSET_ERROR = -10,
@@ -54,11 +61,10 @@ typedef struct
 		// NCCH Keys
 		u8 *normalKey;
 		u8 *systemFixedKey;
-
-		u8 *ncchKeyX0;
-		u8 *ncchKeyX1;
-		u8 *unFixedKey0;
-		u8 *unFixedKey1;
+		u8 **ncchKeyX;
+		
+		u8 *ncchKey0;
+		u8 *ncchKey1;
 	} aes;
 	
 	struct
@@ -101,5 +107,4 @@ int SetCurrentCommonKey(keys_struct *keys, u8 Index);
 int SetNormalKey(keys_struct *keys, u8 *systemFixedKey);
 int SetSystemFixedKey(keys_struct *keys, u8 *systemFixedKey);
 
-
-int SetNcchUnfixedKeys(keys_struct *keys, u8 *ncchSig);
\ No newline at end of file
+u8* AesKeyScrambler(u8 *key, u8 *keyX, u8 *keyY);
diff --git a/makerom/lib.h b/makerom/lib.h
index e0ef089e..a35a1463 100644
--- a/makerom/lib.h
+++ b/makerom/lib.h
@@ -27,6 +27,7 @@
 
 #include "types.h"
 #include "utils.h"
+#include "ctr_utils.h"
 #include "crypto.h"
 
 #include "keyset.h"
diff --git a/makerom/makerom.c b/makerom/makerom.c
index fe72bb8f..3d891ce9 100644
--- a/makerom/makerom.c
+++ b/makerom/makerom.c
@@ -1,73 +1,66 @@
 #include "lib.h"
-#include "ncch.h"
-#include "ncsd.h"
-#include "cia.h"
+#include "ncch_build.h"
+#include "ncsd_build.h"
+#include "cia_build.h"
 
 int main(int argc, char *argv[])
 {
 	// Setting up user settings
-	user_settings *usrset = calloc(1,sizeof(user_settings));
-	if(usrset == NULL) {
+	user_settings *set = calloc(1,sizeof(user_settings));
+	if(set == NULL) {
 		fprintf(stderr,"[!] Not enough memory\n"); 
 		return -1;
 	}	
-	init_UserSettings(usrset);
+	init_UserSettings(set);
 	initRand();
 	
 	int result;
-	
-#ifdef DEBUG
-	printf("[DEBUG] Parseing Args\n");
-#endif
 
 	// Parsing command args
-	result = ParseArgs(argc,argv,usrset);
-	if(result < 0) goto finish;
+	if((result = ParseArgs(argc,argv,set)) < 0) 
+		goto finish;
 	
-#ifdef DEBUG
-	printf("[DEBUG] Importing Yaml Settings\n");
-#endif
 
 	// Import RSF Settings if present
-	result = GetYamlSettings(usrset);
-	if(result < 0) goto finish;
+	if((result = GetRsfSettings(set)) < 0) 
+		goto finish;
 
 	// Setup Content 0
-	if(!usrset->ncch.buildNcch0){ // Import Content
-		if(usrset->common.workingFileType == infile_ncch){
-			if(!AssertFile(usrset->common.contentPath[0])){
-				fprintf(stderr,"[MAKEROM ERROR] Failed to open Content 0: %s\n",usrset->common.contentPath[0]); 
+	if(!set->ncch.buildNcch0){ // Import Content
+		if(set->common.workingFileType == infile_ncch){
+			if(!AssertFile(set->common.contentPath[0])){
+				fprintf(stderr,"[MAKEROM ERROR] Failed to open Content 0: %s\n",set->common.contentPath[0]); 
 				goto finish;
 			}
-			u64 fileSize = GetFileSize_u64(usrset->common.contentPath[0]);
+			u64 fileSize = GetFileSize64(set->common.contentPath[0]);
 			u64 calcSize = 0;
 
-			FILE *ncch0 = fopen(usrset->common.contentPath[0],"rb");
+			FILE *ncch0 = fopen(set->common.contentPath[0],"rb");
 			
 			ncch_hdr hdr;
-			GetNCCH_CommonHDR(&hdr,ncch0,NULL);
-			calcSize = GetNCCH_MediaSize(&hdr) * GetNCCH_MediaUnitSize(&hdr);
+			ReadNcchHdr(&hdr,ncch0);
+			calcSize = GetNcchSize(&hdr);
 			if(calcSize != fileSize){
 				fprintf(stderr,"[MAKEROM ERROR] Content 0 is corrupt\n"); 
 				fclose(ncch0);
 				goto finish;
 			}
 
-			usrset->common.workingFile.size = fileSize;
-			usrset->common.workingFile.buffer = malloc(fileSize);
-			ReadFile_64(usrset->common.workingFile.buffer, usrset->common.workingFile.size,0,ncch0);
+			set->common.workingFile.size = fileSize;
+			set->common.workingFile.buffer = malloc(fileSize);
+			ReadFile64(set->common.workingFile.buffer, set->common.workingFile.size,0,ncch0);
 			fclose(ncch0);
 		}
-		else if(usrset->common.workingFileType == infile_srl || usrset->common.workingFileType == infile_ncsd){
-			if(!AssertFile(usrset->common.workingFilePath)) {
-				fprintf(stderr,"[MAKEROM ERROR] Failed to open %s: %s\n",usrset->common.workingFileType == infile_srl? "SRL":"CCI",usrset->common.workingFilePath); 
+		else{
+			if(!AssertFile(set->common.workingFilePath)) {
+				fprintf(stderr,"[MAKEROM ERROR] Failed to open: %s\n",set->common.workingFilePath); 
 				goto finish;
 			}
-			u64 size = GetFileSize_u64(usrset->common.workingFilePath);
-			usrset->common.workingFile.size = align(size,0x10);
-			usrset->common.workingFile.buffer = malloc(usrset->common.workingFile.size);
-			FILE *fp = fopen(usrset->common.workingFilePath,"rb");
-			ReadFile_64(usrset->common.workingFile.buffer,size,0,fp);
+			u64 size = GetFileSize64(set->common.workingFilePath);
+			set->common.workingFile.size = align(size,0x10);
+			set->common.workingFile.buffer = malloc(set->common.workingFile.size);
+			FILE *fp = fopen(set->common.workingFilePath,"rb");
+			ReadFile64(set->common.workingFile.buffer,size,0,fp);
 			fclose(fp);
 		}
 	}
@@ -75,48 +68,48 @@ int main(int argc, char *argv[])
 #ifdef DEBUG
 	printf("[DEBUG] Build NCCH0\n");
 #endif
-		result = build_NCCH(usrset);
+		result = build_NCCH(set);
 		if(result < 0) { 
-			//fprintf(stderr,"[ERROR] %s generation failed\n",usrset->build_ncch_type == CXI? "CXI" : "CFA"); 
+			//fprintf(stderr,"[ERROR] %s generation failed\n",set->build_ncch_type == CXI? "CXI" : "CFA"); 
 			fprintf(stderr,"[RESULT] Failed to build outfile\n"); 
 			goto finish; 
 		}	
 	}
 	// Make CCI
-	if(usrset->common.outFormat == CCI){
+	if(set->common.outFormat == CCI){
 #ifdef DEBUG
 	printf("[DEBUG] Building CCI\n");
 #endif
-		result = build_CCI(usrset);
+		result = build_CCI(set);
 		if(result < 0) { 
 			fprintf(stderr,"[RESULT] Failed to build CCI\n");
 			goto finish; 
 		}
 	}
 	// Make CIA
-	else if(usrset->common.outFormat == CIA){
+	else if(set->common.outFormat == CIA){
 #ifdef DEBUG
 	printf("[DEBUG] Building CIA\n");
 #endif
-		result = build_CIA(usrset);
+		result = build_CIA(set);
 		if(result < 0) { 
 			fprintf(stderr,"[RESULT] Failed to build CIA\n"); 
 			goto finish; 
 		}
 	}
 	// No Container Raw CXI/CFA
-	else if(usrset->common.outFormat == CXI || usrset->common.outFormat == CFA){
+	else if(set->common.outFormat == CXI || set->common.outFormat == CFA){
 #ifdef DEBUG
 	printf("[DEBUG] Outputting NCCH, because No Container\n");
 #endif
-		FILE *ncch_out = fopen(usrset->common.outFileName,"wb");
+		FILE *ncch_out = fopen(set->common.outFileName,"wb");
 		if(!ncch_out) {
-			fprintf(stderr,"[MAKEROM ERROR] Failed to create '%s'\n",usrset->common.outFileName); 
-			fprintf(stderr,"[RESULT] Failed to build '%s'\n",usrset->common.outFormat == CXI? "CXI" : "CFA"); 
+			fprintf(stderr,"[MAKEROM ERROR] Failed to create '%s'\n",set->common.outFileName); 
+			fprintf(stderr,"[RESULT] Failed to build '%s'\n",set->common.outFormat == CXI? "CXI" : "CFA"); 
 			result = FAILED_TO_CREATE_OUTFILE; 
 			goto finish;
 		}
-		WriteBuffer(usrset->common.workingFile.buffer,usrset->common.workingFile.size,0,ncch_out);
+		WriteBuffer(set->common.workingFile.buffer,set->common.workingFile.size,0,ncch_out);
 		fclose(ncch_out);
 	}
 	
@@ -124,7 +117,7 @@ int main(int argc, char *argv[])
 #ifdef DEBUG
 	printf("[DEBUG] Free Context\n");
 #endif
-	free_UserSettings(usrset);
+	free_UserSettings(set);
 #ifdef DEBUG
 	printf("[DEBUG] Finished returning (result=%d)\n",result);
 #endif
diff --git a/makerom/ncch.c b/makerom/ncch.c
index cc53630d..e81ede85 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -1,26 +1,28 @@
 #include "lib.h"
 #include "dir.h"
-#include "ncch.h"
-#include "exheader.h"
+#include "ncch_build.h"
+#include "exheader_build.h"
+#include "exheader_read.h"
 #include "elf.h"
-#include "exefs.h"
+#include "exefs_build.h"
+#include "exefs_read.h"
 #include "romfs.h"
 #include "titleid.h"
 
-#include "logo_data.h" // Contains Logos
+#include "ncch_logo.h" // Contains Logos
 
-const u32 MEDIA_UNIT = 0x200;
+const u32 NCCH_BLOCK_SIZE = 0x200;
 
 // Private Prototypes
-int SignCFA(u8 *Signature, u8 *CFA_HDR, keys_struct *keys);
-int CheckCFASignature(u8 *Signature, u8 *CFA_HDR, keys_struct *keys);
-int SignCXI(u8 *Signature, u8 *CXI_HDR, keys_struct *keys);
-int CheckCXISignature(u8 *Signature, u8 *CXI_HDR, u8 *PubK);
-
-void init_NCCHSettings(ncch_settings *set);
-void free_NCCHSettings(ncch_settings *set);
-int get_NCCHSettings(ncch_settings *ncchset, user_settings *usrset);
-int SetBasicOptions(ncch_settings *ncchset, user_settings *usrset);
+int SignCFA(ncch_hdr *hdr, keys_struct *keys);
+int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys);
+int SignCXI(ncch_hdr *hdr, keys_struct *keys);
+int CheckCXISignature(ncch_hdr *hdr, u8 *pubk);
+
+void InitNcchSettings(ncch_settings *set);
+void FreeNcchSettings(ncch_settings *set);
+int GetNcchSettings(ncch_settings *ncchset, user_settings *usrset);
+int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset);
 int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset);
 int ImportNonCodeExeFsSections(ncch_settings *ncchset);	
 int ImportLogo(ncch_settings *ncchset);
@@ -31,29 +33,29 @@ int SetCommonHeaderBasicData(ncch_settings *ncchset, ncch_hdr *hdr);
 bool IsValidProductCode(char *ProductCode, bool FreeProductCode);
 
 int BuildCommonHeader(ncch_settings *ncchset);
-int EncryptNCCHSections(ncch_settings *ncchset);
+int EnCryptNcchRegions(ncch_settings *ncchset);
 int WriteNCCHSectionsToBuffer(ncch_settings *ncchset);
 
 // Code
 
-int SignCFA(u8 *Signature, u8 *CFA_HDR, keys_struct *keys)
+int SignCFA(ncch_hdr *hdr, keys_struct *keys)
 {
-	return ctr_sig(CFA_HDR,sizeof(ncch_hdr),Signature,keys->rsa.cciCfaPub,keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	return ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
-int CheckCFASignature(u8 *Signature, u8 *CFA_HDR, keys_struct *keys)
+int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys)
 {
-	return ctr_sig(CFA_HDR,sizeof(ncch_hdr),Signature,keys->rsa.cciCfaPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	return ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 }
 
-int SignCXI(u8 *Signature, u8 *CXI_HDR, keys_struct *keys)
+int SignCXI(ncch_hdr *hdr, keys_struct *keys)
 {
-	return ctr_sig(CXI_HDR,sizeof(ncch_hdr),Signature,keys->rsa.cxiHdrPub,keys->rsa.cxiHdrPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	return ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cxiHdrPub,keys->rsa.cxiHdrPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
-int CheckCXISignature(u8 *Signature, u8 *CXI_HDR, u8 *PubK)
+int CheckCXISignature(ncch_hdr *hdr, u8 *pubk)
 {
-	int result = ctr_sig(CXI_HDR,sizeof(ncch_hdr),Signature,PubK,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	int result = ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),pubk,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 	return result;
 }
 
@@ -63,21 +65,26 @@ int build_NCCH(user_settings *usrset)
 {
 	int result;
 
-	// Init Settings\n");
+	// Init Settings
 	ncch_settings *ncchset = calloc(1,sizeof(ncch_settings));
 	if(!ncchset) {
 		fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
-	init_NCCHSettings(ncchset);
+	InitNcchSettings(ncchset);
 
-	// Get Settings\n");
-	result = get_NCCHSettings(ncchset,usrset);
+	// Get Settings
+	result = GetNcchSettings(ncchset,usrset);
 	if(result) goto finish;
 
+	// Import Data
+	result = ImportNonCodeExeFsSections(ncchset);
+	if(result) return result;
 	
+	result = ImportLogo(ncchset);
+	if(result) return result;
 
-	if(!ncchset->options.IsCfa){ // CXI Specfic Sections
+	if(!ncchset->options.IsCfa){ // CXI Specific Sections
 		// Build ExeFs Code Section\n");
 		result = BuildExeFsCode(ncchset);
 		if(result) goto finish;
@@ -94,18 +101,18 @@ int build_NCCH(user_settings *usrset)
 
 	
 	// Prepare for RomFs\n");
-	romfs_buildctx romfs_ctx;
-	memset(&romfs_ctx,0,sizeof(romfs_buildctx));
-	result = SetupRomFs(ncchset,&romfs_ctx);
+	romfs_buildctx romfs;
+	memset(&romfs,0,sizeof(romfs_buildctx));
+	result = SetupRomFs(ncchset,&romfs);
 	if(result) goto finish;
 
 	
 	// Setup NCCH including final memory allocation\n");
-	result = SetupNcch(ncchset,&romfs_ctx);
+	result = SetupNcch(ncchset,&romfs);
 	if(result) goto finish;
 
 	// Build RomFs\n");
-	result = BuildRomFs(&romfs_ctx);
+	result = BuildRomFs(&romfs);
 	if(result) goto finish;
 	
 	// Finalise NCCH (Hashes/Signatures and crypto)\n");
@@ -115,16 +122,16 @@ int build_NCCH(user_settings *usrset)
 finish:
 	if(result) 
 		fprintf(stderr,"[NCCH ERROR] NCCH Build Process Failed\n");
-	free_NCCHSettings(ncchset);
+	FreeNcchSettings(ncchset);
 	return result;
 }
 
-void init_NCCHSettings(ncch_settings *set)
+void InitNcchSettings(ncch_settings *set)
 {
 	memset(set,0,sizeof(ncch_settings));
 }
 
-void free_NCCHSettings(ncch_settings *set)
+void FreeNcchSettings(ncch_settings *set)
 {
 	if(set->componentFilePtrs.elf) fclose(set->componentFilePtrs.elf);
 	if(set->componentFilePtrs.banner) fclose(set->componentFilePtrs.banner);
@@ -149,7 +156,7 @@ void free_NCCHSettings(ncch_settings *set)
 	free(set);
 }
 
-int get_NCCHSettings(ncch_settings *ncchset, user_settings *usrset)
+int GetNcchSettings(ncch_settings *ncchset, user_settings *usrset)
 {
 	int result = 0;
 	ncchset->out = &usrset->common.workingFile;
@@ -157,33 +164,32 @@ int get_NCCHSettings(ncch_settings *ncchset, user_settings *usrset)
 	ncchset->rsfSet = &usrset->common.rsfSet;
 	ncchset->keys = &usrset->common.keys;
 
-	result = SetBasicOptions(ncchset,usrset);
+	result = GetBasicOptions(ncchset,usrset);
 	if(result) return result;
 	result = CreateInputFilePtrs(ncchset,usrset);
 	if(result) return result;
-	result = ImportNonCodeExeFsSections(ncchset);
-	if(result) return result;
-	result = ImportLogo(ncchset);
-	if(result) return result;
 	
 
 	return 0;
 }
 
-int SetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
+int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 {
 	int result = 0;
 
 	/* Options */
-	ncchset->options.mediaSize = MEDIA_UNIT;
+	ncchset->options.blockSize = NCCH_BLOCK_SIZE;
+	ncchset->options.verbose = usrset->common.verbose;
 	ncchset->options.IncludeExeFsLogo = usrset->ncch.includeExefsLogo;
-	ncchset->options.CompressCode = usrset->common.rsfSet.Option.EnableCompress;
-	ncchset->options.UseOnSD = usrset->common.rsfSet.Option.UseOnSD;
-	ncchset->options.Encrypt = usrset->common.rsfSet.Option.EnableCrypt;
-	ncchset->options.FreeProductCode = usrset->common.rsfSet.Option.FreeProductCode;
+	ncchset->options.CompressCode = ncchset->rsfSet->Option.EnableCompress;
+	ncchset->options.UseOnSD = ncchset->rsfSet->Option.UseOnSD;
+	ncchset->options.Encrypt = ncchset->rsfSet->Option.EnableCrypt;
+	ncchset->options.FreeProductCode = ncchset->rsfSet->Option.FreeProductCode;
 	ncchset->options.IsCfa = (usrset->ncch.ncchType == CFA);
 	ncchset->options.IsBuildingCodeSection = (usrset->ncch.elfPath != NULL);
 	ncchset->options.UseRomFS = ((ncchset->rsfSet->Rom.HostRoot && strlen(ncchset->rsfSet->Rom.HostRoot) > 0) || usrset->ncch.romfsPath);
+	ncchset->options.useSecCrypto = usrset->ncch.useSecCrypto;
+	ncchset->options.keyXID = usrset->ncch.keyXID;
 	
 	if(ncchset->options.IsCfa && !ncchset->options.UseRomFS){
 		fprintf(stderr,"[NCCH ERROR] \"Rom/HostRoot\" must be set\n");
@@ -196,7 +202,7 @@ int SetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 {
 	if(usrset->ncch.romfsPath){
-		ncchset->componentFilePtrs.romfsSize = GetFileSize_u64(usrset->ncch.romfsPath);
+		ncchset->componentFilePtrs.romfsSize = GetFileSize64(usrset->ncch.romfsPath);
 		ncchset->componentFilePtrs.romfs = fopen(usrset->ncch.romfsPath,"rb");
 		if(!ncchset->componentFilePtrs.romfs){
 			fprintf(stderr,"[NCCH ERROR] Failed to open RomFs file '%s'\n",usrset->ncch.romfsPath);
@@ -204,7 +210,7 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 		}
 	}
 	if(usrset->ncch.elfPath){
-		ncchset->componentFilePtrs.elfSize = GetFileSize_u64(usrset->ncch.elfPath);
+		ncchset->componentFilePtrs.elfSize = GetFileSize64(usrset->ncch.elfPath);
 		ncchset->componentFilePtrs.elf = fopen(usrset->ncch.elfPath,"rb");
 		if(!ncchset->componentFilePtrs.elf){
 			fprintf(stderr,"[NCCH ERROR] Failed to open elf file '%s'\n",usrset->ncch.elfPath);
@@ -212,7 +218,7 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 		}
 	}
 	if(usrset->ncch.bannerPath){
-		ncchset->componentFilePtrs.bannerSize = GetFileSize_u64(usrset->ncch.bannerPath);
+		ncchset->componentFilePtrs.bannerSize = GetFileSize64(usrset->ncch.bannerPath);
 		ncchset->componentFilePtrs.banner = fopen(usrset->ncch.bannerPath,"rb");
 		if(!ncchset->componentFilePtrs.banner){
 			fprintf(stderr,"[NCCH ERROR] Failed to open banner file '%s'\n",usrset->ncch.bannerPath);
@@ -220,7 +226,7 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 		}
 	}
 	if(usrset->ncch.iconPath){
-		ncchset->componentFilePtrs.iconSize = GetFileSize_u64(usrset->ncch.iconPath);
+		ncchset->componentFilePtrs.iconSize = GetFileSize64(usrset->ncch.iconPath);
 		ncchset->componentFilePtrs.icon = fopen(usrset->ncch.iconPath,"rb");
 		if(!ncchset->componentFilePtrs.icon){
 			fprintf(stderr,"[NCCH ERROR] Failed to open icon file '%s'\n",usrset->ncch.iconPath);
@@ -228,7 +234,7 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 		}
 	}
 	if(usrset->ncch.logoPath){
-		ncchset->componentFilePtrs.logoSize = GetFileSize_u64(usrset->ncch.logoPath);
+		ncchset->componentFilePtrs.logoSize = GetFileSize64(usrset->ncch.logoPath);
 		ncchset->componentFilePtrs.logo = fopen(usrset->ncch.logoPath,"rb");
 		if(!ncchset->componentFilePtrs.logo){
 			fprintf(stderr,"[NCCH ERROR] Failed to open logo file '%s'\n",usrset->ncch.logoPath);
@@ -237,7 +243,7 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 	}
 
 	if(usrset->ncch.codePath){
-		ncchset->componentFilePtrs.codeSize = GetFileSize_u64(usrset->ncch.codePath);
+		ncchset->componentFilePtrs.codeSize = GetFileSize64(usrset->ncch.codePath);
 		ncchset->componentFilePtrs.code = fopen(usrset->ncch.codePath,"rb");
 		if(!ncchset->componentFilePtrs.code){
 			fprintf(stderr,"[NCCH ERROR] Failed to open ExeFs Code file '%s'\n",usrset->ncch.codePath);
@@ -245,7 +251,7 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 		}
 	}
 	if(usrset->ncch.exheaderPath){
-		ncchset->componentFilePtrs.exhdrSize = GetFileSize_u64(usrset->ncch.exheaderPath);
+		ncchset->componentFilePtrs.exhdrSize = GetFileSize64(usrset->ncch.exheaderPath);
 		ncchset->componentFilePtrs.exhdr = fopen(usrset->ncch.exheaderPath,"rb");
 		if(!ncchset->componentFilePtrs.exhdr){
 			fprintf(stderr,"[NCCH ERROR] Failed to open ExHeader file '%s'\n",usrset->ncch.exheaderPath);
@@ -253,7 +259,7 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 		}
 	}
 	if(usrset->ncch.plainRegionPath){
-		ncchset->componentFilePtrs.plainregionSize = GetFileSize_u64(usrset->ncch.plainRegionPath);
+		ncchset->componentFilePtrs.plainregionSize = GetFileSize64(usrset->ncch.plainRegionPath);
 		ncchset->componentFilePtrs.plainregion = fopen(usrset->ncch.plainRegionPath,"rb");
 		if(!ncchset->componentFilePtrs.plainregion){
 			fprintf(stderr,"[NCCH ERROR] Failed to open PlainRegion file '%s'\n",usrset->ncch.plainRegionPath);
@@ -263,88 +269,88 @@ int CreateInputFilePtrs(ncch_settings *ncchset, user_settings *usrset)
 	return 0;
 }
 
-int ImportNonCodeExeFsSections(ncch_settings *ncchset)
+int ImportNonCodeExeFsSections(ncch_settings *set)
 {
-	if(ncchset->componentFilePtrs.banner){
-		ncchset->exefsSections.banner.size = ncchset->componentFilePtrs.bannerSize;
-		ncchset->exefsSections.banner.buffer = malloc(ncchset->exefsSections.banner.size);
-		if(!ncchset->exefsSections.banner.buffer) {
+	if(set->componentFilePtrs.banner){
+		set->exefsSections.banner.size = set->componentFilePtrs.bannerSize;
+		set->exefsSections.banner.buffer = malloc(set->exefsSections.banner.size);
+		if(!set->exefsSections.banner.buffer) {
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 			return MEM_ERROR;
 		}
-		ReadFile_64(ncchset->exefsSections.banner.buffer,ncchset->exefsSections.banner.size,0,ncchset->componentFilePtrs.banner);
+		ReadFile64(set->exefsSections.banner.buffer,set->exefsSections.banner.size,0,set->componentFilePtrs.banner);
 	}
-	if(ncchset->componentFilePtrs.icon){
-		ncchset->exefsSections.icon.size = ncchset->componentFilePtrs.iconSize;
-		ncchset->exefsSections.icon.buffer = malloc(ncchset->exefsSections.icon.size);
-		if(!ncchset->exefsSections.icon.buffer) {
+	if(set->componentFilePtrs.icon){
+		set->exefsSections.icon.size = set->componentFilePtrs.iconSize;
+		set->exefsSections.icon.buffer = malloc(set->exefsSections.icon.size);
+		if(!set->exefsSections.icon.buffer) {
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n");
 			return MEM_ERROR;
 		}
-		ReadFile_64(ncchset->exefsSections.icon.buffer,ncchset->exefsSections.icon.size,0,ncchset->componentFilePtrs.icon);
+		ReadFile64(set->exefsSections.icon.buffer,set->exefsSections.icon.size,0,set->componentFilePtrs.icon);
 	}
 	return 0;
 }
 
-int ImportLogo(ncch_settings *ncchset)
+int ImportLogo(ncch_settings *set)
 {
-	if(ncchset->componentFilePtrs.logo){
-		ncchset->sections.logo.size = align(ncchset->componentFilePtrs.logoSize,ncchset->options.mediaSize);
-		ncchset->sections.logo.buffer = malloc(ncchset->sections.logo.size);
-		if(!ncchset->sections.logo.buffer) {
+	if(set->componentFilePtrs.logo){
+		set->sections.logo.size = align(set->componentFilePtrs.logoSize,set->options.blockSize);
+		set->sections.logo.buffer = malloc(set->sections.logo.size);
+		if(!set->sections.logo.buffer) {
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n");
 			return MEM_ERROR;
 		}
-		memset(ncchset->sections.logo.buffer,0,ncchset->sections.logo.size);
-		ReadFile_64(ncchset->sections.logo.buffer,ncchset->componentFilePtrs.logoSize,0,ncchset->componentFilePtrs.logo);
+		memset(set->sections.logo.buffer,0,set->sections.logo.size);
+		ReadFile64(set->sections.logo.buffer,set->componentFilePtrs.logoSize,0,set->componentFilePtrs.logo);
 	}
-	else if(ncchset->rsfSet->BasicInfo.Logo){
-		if(strcasecmp(ncchset->rsfSet->BasicInfo.Logo,"nintendo") == 0){
-			ncchset->sections.logo.size = 0x2000;
-			ncchset->sections.logo.buffer = malloc(ncchset->sections.logo.size);
-			if(!ncchset->sections.logo.buffer) {
+	else if(set->rsfSet->BasicInfo.Logo){
+		if(strcasecmp(set->rsfSet->BasicInfo.Logo,"nintendo") == 0){
+			set->sections.logo.size = 0x2000;
+			set->sections.logo.buffer = malloc(set->sections.logo.size);
+			if(!set->sections.logo.buffer) {
 				fprintf(stderr,"[NCCH ERROR] Not enough memory\n");
 				return MEM_ERROR;
 			}
-			memcpy(ncchset->sections.logo.buffer,Nintendo_LZ,0x2000);
+			memcpy(set->sections.logo.buffer,Nintendo_LZ,0x2000);
 		}
-		else if(strcasecmp(ncchset->rsfSet->BasicInfo.Logo,"licensed") == 0){
-			ncchset->sections.logo.size = 0x2000;
-			ncchset->sections.logo.buffer = malloc(ncchset->sections.logo.size);
-			if(!ncchset->sections.logo.buffer) {
+		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"licensed") == 0){
+			set->sections.logo.size = 0x2000;
+			set->sections.logo.buffer = malloc(set->sections.logo.size);
+			if(!set->sections.logo.buffer) {
 				fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 				return MEM_ERROR;
 			}
-			memcpy(ncchset->sections.logo.buffer,Nintendo_LicensedBy_LZ,0x2000);
+			memcpy(set->sections.logo.buffer,Nintendo_LicensedBy_LZ,0x2000);
 		}
-		else if(strcasecmp(ncchset->rsfSet->BasicInfo.Logo,"distributed") == 0){
-			ncchset->sections.logo.size = 0x2000;
-			ncchset->sections.logo.buffer = malloc(ncchset->sections.logo.size);
-			if(!ncchset->sections.logo.buffer) {
+		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"distributed") == 0){
+			set->sections.logo.size = 0x2000;
+			set->sections.logo.buffer = malloc(set->sections.logo.size);
+			if(!set->sections.logo.buffer) {
 				fprintf(stderr,"[NCCH ERROR] Not enough memory\n");
 				return MEM_ERROR;
 			}
-			memcpy(ncchset->sections.logo.buffer,Nintendo_DistributedBy_LZ,0x2000);
+			memcpy(set->sections.logo.buffer,Nintendo_DistributedBy_LZ,0x2000);
 		}
-		else if(strcasecmp(ncchset->rsfSet->BasicInfo.Logo,"ique") == 0){
-			ncchset->sections.logo.size = 0x2000;
-			ncchset->sections.logo.buffer = malloc(ncchset->sections.logo.size);
-			if(!ncchset->sections.logo.buffer) {
+		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"ique") == 0){
+			set->sections.logo.size = 0x2000;
+			set->sections.logo.buffer = malloc(set->sections.logo.size);
+			if(!set->sections.logo.buffer) {
 				fprintf(stderr,"[NCCH ERROR] Not enough memory\n");
 				return MEM_ERROR;
 			}
-			memcpy(ncchset->sections.logo.buffer,iQue_with_ISBN_LZ,0x2000);
+			memcpy(set->sections.logo.buffer,iQue_with_ISBN_LZ,0x2000);
 		}
-		else if(strcasecmp(ncchset->rsfSet->BasicInfo.Logo,"iqueforsystem") == 0){
-			ncchset->sections.logo.size = 0x2000;
-			ncchset->sections.logo.buffer = malloc(ncchset->sections.logo.size);
-			if(!ncchset->sections.logo.buffer) {
+		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"iqueforsystem") == 0){
+			set->sections.logo.size = 0x2000;
+			set->sections.logo.buffer = malloc(set->sections.logo.size);
+			if(!set->sections.logo.buffer) {
 				fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 				return MEM_ERROR;
 			}
-			memcpy(ncchset->sections.logo.buffer,iQue_without_ISBN_LZ,0x2000);
+			memcpy(set->sections.logo.buffer,iQue_without_ISBN_LZ,0x2000);
 		}
-		else if(strcasecmp(ncchset->rsfSet->BasicInfo.Logo,"none") != 0){
+		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"none") != 0){
 			fprintf(stderr,"[NCCH ERROR] Invalid logo name\n");
 			return NCCH_BAD_YAML_SET;
 		}
@@ -352,61 +358,61 @@ int ImportLogo(ncch_settings *ncchset)
 	return 0;
 }
 
-int SetupNcch(ncch_settings *ncchset, romfs_buildctx *romfs)
+int SetupNcch(ncch_settings *set, romfs_buildctx *romfs)
 {
 	u64 ncchSize = 0;
 	u64 exhdrSize,acexSize,logoSize,plnRgnSize,exefsSize,romfsSize;
 	u64 exhdrOffset,acexOffset,logoOffset,plnRgnOffset,exefsOffset,romfsOffset;
 	u32 exefsHashSize,romfsHashSize;
 
-	ncchSize += 0x200; // Sig+Hdr
-
+	ncchSize += sizeof(ncch_hdr); // Sig+Hdr
+	
 	// Sizes for NCCH hdr
-	if(ncchset->sections.exhdr.size){
-		exhdrSize = ncchset->sections.exhdr.size;
+	if(set->sections.exhdr.size){
+		exhdrSize = set->sections.exhdr.size;
 		exhdrOffset = ncchSize;
 		ncchSize += exhdrSize;
 	}
 	else
 		exhdrSize = 0;
 		
-	if(ncchset->sections.acexDesc.size){
-		acexSize = ncchset->sections.acexDesc.size;
+	if(set->sections.acexDesc.size){
+		acexSize = set->sections.acexDesc.size;
 		acexOffset = ncchSize;
 		ncchSize += acexSize;
 	}
 	else
 		acexSize = 0;
 
-	if(ncchset->sections.logo.size){
-		logoSize = ncchset->sections.logo.size;
-		logoOffset = align(ncchSize,ncchset->options.mediaSize);
+	if(set->sections.logo.size){
+		logoSize = set->sections.logo.size;
+		logoOffset = align(ncchSize,set->options.blockSize);
 		ncchSize = logoOffset + logoSize;
 	}
 	else
 		logoSize = 0;
 
-	if(ncchset->sections.plainRegion.size){
-		plnRgnSize = align(ncchset->sections.plainRegion.size,ncchset->options.mediaSize);
-		plnRgnOffset = align(ncchSize,ncchset->options.mediaSize);
+	if(set->sections.plainRegion.size){
+		plnRgnSize = align(set->sections.plainRegion.size,set->options.blockSize);
+		plnRgnOffset = align(ncchSize,set->options.blockSize);
 		ncchSize = plnRgnOffset + plnRgnSize;
 	}
 	else
 		plnRgnSize = 0;
 
-	if(ncchset->sections.exeFs.size){
-		exefsHashSize = align(sizeof(exefs_hdr),ncchset->options.mediaSize);
-		exefsSize = align(ncchset->sections.exeFs.size,ncchset->options.mediaSize);
-		exefsOffset = align(ncchSize,ncchset->options.mediaSize);
+	if(set->sections.exeFs.size){
+		exefsHashSize = align(sizeof(exefs_hdr),set->options.blockSize);
+		exefsSize = align(set->sections.exeFs.size,set->options.blockSize);
+		exefsOffset = align(ncchSize,set->options.blockSize);
 		ncchSize = exefsOffset + exefsSize;
 	}
 	else
 		exefsSize = 0;
 
 	if(romfs->romfsSize){
-		romfsHashSize = align(romfs->romfsHeaderSize,ncchset->options.mediaSize);
-		romfsSize = align(romfs->romfsSize,ncchset->options.mediaSize);
-		//romfsOffset = align(ncchSize,0x200); // Old makerom method, SDK 2.x and prior
+		romfsHashSize = align(romfs->romfsHeaderSize,set->options.blockSize);
+		romfsSize = align(romfs->romfsSize,set->options.blockSize);
+		//romfsOffset = align(ncchSize,set->options.blockSize); // Old makerom method, SDK 2.x and prior
 		romfsOffset = align(ncchSize,0x1000);
 		ncchSize = romfsOffset + romfsSize;
 	}
@@ -416,7 +422,8 @@ int SetupNcch(ncch_settings *ncchset, romfs_buildctx *romfs)
 
 
 	// Aligning Total NCCH Size
-	ncchSize = align(ncchSize,ncchset->options.mediaSize);
+	ncchSize = align(ncchSize,set->options.blockSize);
+	
 	u8 *ncch = calloc(1,ncchSize);
 	if(!ncch){
 		fprintf(stderr,"[NCCH ERROR] Not enough memory\n");
@@ -424,240 +431,231 @@ int SetupNcch(ncch_settings *ncchset, romfs_buildctx *romfs)
 	}
 	
 	// Setting up hdr\n");
-	ncch_hdr *hdr = (ncch_hdr*)(ncch+0x100);
-	int ret = SetCommonHeaderBasicData(ncchset,hdr);
+	ncch_hdr *hdr = (ncch_hdr*)ncch;
+	int ret = SetCommonHeaderBasicData(set,hdr);
 	if(ret != 0){
 		free(ncch);
 		return ret;
 	}
-	u32_to_u8(hdr->ncchSize,ncchSize/ncchset->options.mediaSize,LE);
+	u32_to_u8(hdr->ncchSize,ncchSize/set->options.blockSize,LE);
 
 
-	// Copy already built sections to ncch\n");
+	// Copy already built sections to ncch
 	if(exhdrSize){
-		memcpy((u8*)(ncch+exhdrOffset),ncchset->sections.exhdr.buffer,ncchset->sections.exhdr.size);
-		free(ncchset->sections.exhdr.buffer);
-		ncchset->sections.exhdr.buffer = NULL;
+		memcpy((u8*)(ncch+exhdrOffset),set->sections.exhdr.buffer,set->sections.exhdr.size);
+		free(set->sections.exhdr.buffer);
+		set->sections.exhdr.buffer = NULL;
 		u32_to_u8(hdr->exhdrSize,exhdrSize,LE);
 	}
 	if(acexSize){
-		memcpy((u8*)(ncch+acexOffset),ncchset->sections.acexDesc.buffer,ncchset->sections.acexDesc.size);
-		free(ncchset->sections.acexDesc.buffer);
-		ncchset->sections.acexDesc.buffer = NULL;
+		memcpy((u8*)(ncch+acexOffset),set->sections.acexDesc.buffer,set->sections.acexDesc.size);
+		free(set->sections.acexDesc.buffer);
+		set->sections.acexDesc.buffer = NULL;
 	}
 
 	if(logoSize){
-		memcpy((u8*)(ncch+logoOffset),ncchset->sections.logo.buffer,ncchset->sections.logo.size);
-		free(ncchset->sections.logo.buffer);
-		ncchset->sections.logo.buffer = NULL;
-		u32_to_u8(hdr->logoOffset,logoOffset/ncchset->options.mediaSize,LE);
-		u32_to_u8(hdr->logoSize,logoSize/ncchset->options.mediaSize,LE);
+		memcpy((u8*)(ncch+logoOffset),set->sections.logo.buffer,set->sections.logo.size);
+		free(set->sections.logo.buffer);
+		set->sections.logo.buffer = NULL;
+		u32_to_u8(hdr->logoOffset,logoOffset/set->options.blockSize,LE);
+		u32_to_u8(hdr->logoSize,logoSize/set->options.blockSize,LE);
 	}
 
 	if(plnRgnSize){		
-		memcpy((u8*)(ncch+plnRgnOffset),ncchset->sections.plainRegion.buffer,ncchset->sections.plainRegion.size);
-		free(ncchset->sections.plainRegion.buffer);
-		ncchset->sections.plainRegion.buffer = NULL;
-		u32_to_u8(hdr->plainRegionOffset,plnRgnOffset/ncchset->options.mediaSize,LE);
-		u32_to_u8(hdr->plainRegionSize,plnRgnSize/ncchset->options.mediaSize,LE);
+		memcpy((u8*)(ncch+plnRgnOffset),set->sections.plainRegion.buffer,set->sections.plainRegion.size);
+		free(set->sections.plainRegion.buffer);
+		set->sections.plainRegion.buffer = NULL;
+		u32_to_u8(hdr->plainRegionOffset,plnRgnOffset/set->options.blockSize,LE);
+		u32_to_u8(hdr->plainRegionSize,plnRgnSize/set->options.blockSize,LE);
 	}
 
 	if(exefsSize){	
-		memcpy((u8*)(ncch+exefsOffset),ncchset->sections.exeFs.buffer,ncchset->sections.exeFs.size);
-		free(ncchset->sections.exeFs.buffer);
+		memcpy((u8*)(ncch+exefsOffset),set->sections.exeFs.buffer,set->sections.exeFs.size);
+		free(set->sections.exeFs.buffer);
 		
-		ncchset->sections.exeFs.buffer = NULL;
+		set->sections.exeFs.buffer = NULL;
 		
-		u32_to_u8(hdr->exefsOffset,exefsOffset/ncchset->options.mediaSize,LE);
+		u32_to_u8(hdr->exefsOffset,exefsOffset/set->options.blockSize,LE);
 		
-		u32_to_u8(hdr->exefsSize,exefsSize/ncchset->options.mediaSize,LE);
+		u32_to_u8(hdr->exefsSize,exefsSize/set->options.blockSize,LE);
 		
-		u32_to_u8(hdr->exefsHashSize,exefsHashSize/ncchset->options.mediaSize,LE);
+		u32_to_u8(hdr->exefsHashSize,exefsHashSize/set->options.blockSize,LE);
 		
 	}
 
 	// Point Romfs CTX to output buffer, if exists\n");
 	if(romfsSize){
 		romfs->output = ncch + romfsOffset;
-		u32_to_u8(hdr->romfsOffset,romfsOffset/ncchset->options.mediaSize,LE);
-		u32_to_u8(hdr->romfsSize,romfsSize/ncchset->options.mediaSize,LE);
-		u32_to_u8(hdr->romfsHashSize,romfsHashSize/ncchset->options.mediaSize,LE);
+		u32_to_u8(hdr->romfsOffset,romfsOffset/set->options.blockSize,LE);
+		u32_to_u8(hdr->romfsSize,romfsSize/set->options.blockSize,LE);
+		u32_to_u8(hdr->romfsHashSize,romfsHashSize/set->options.blockSize,LE);
 	}
 	
-	ncchset->out->buffer = ncch;
-	ncchset->out->size = ncchSize;
+	set->out->buffer = ncch;
+	set->out->size = ncchSize;
 
-	GetNCCHStruct(&ncchset->cryptoDetails,hdr);
+	GetNcchInfo(&set->cryptoDetails,hdr);
 
 	return 0;
 }
 
-int FinaliseNcch(ncch_settings *ncchset)
+int FinaliseNcch(ncch_settings *set)
 {
-	u8 *ncch = ncchset->out->buffer;
-
-	ncch_hdr *hdr = (ncch_hdr*)(ncch + 0x100);
-	u8 *exhdr = (u8*)(ncch + ncchset->cryptoDetails.exhdrOffset);
-	u8 *acexDesc = (u8*)(ncch + ncchset->cryptoDetails.acexOffset);
-	u8 *logo = (u8*)(ncch + ncchset->cryptoDetails.logoOffset);
-	u8 *exefs = (u8*)(ncch + ncchset->cryptoDetails.exefsOffset);
-	u8 *romfs = (u8*)(ncch + ncchset->cryptoDetails.romfsOffset);
-
-	// Taking Hashes\n");
-	if(ncchset->cryptoDetails.exhdrSize)
-		ctr_sha(exhdr,ncchset->cryptoDetails.exhdrSize,hdr->exhdrHash,CTR_SHA_256);
-	if(ncchset->cryptoDetails.logoSize)
-		ctr_sha(logo,ncchset->cryptoDetails.logoSize,hdr->logoHash,CTR_SHA_256);
-	if(ncchset->cryptoDetails.exefsHashDataSize)
-		ctr_sha(exefs,ncchset->cryptoDetails.exefsHashDataSize,hdr->exefsHash,CTR_SHA_256);
-	if(ncchset->cryptoDetails.romfsHashDataSize)
-		ctr_sha(romfs,ncchset->cryptoDetails.romfsHashDataSize,hdr->romfsHash,CTR_SHA_256);
-
-	// Signing NCCH\n");
+	u8 *ncch = set->out->buffer;
+
+	ncch_hdr *hdr = (ncch_hdr*)ncch;
+	u8 *exhdr = (u8*)(ncch + set->cryptoDetails.exhdrOffset);
+	u8 *acexDesc = (u8*)(ncch + set->cryptoDetails.acexOffset);
+	u8 *logo = (u8*)(ncch + set->cryptoDetails.logoOffset);
+	u8 *exefs = (u8*)(ncch + set->cryptoDetails.exefsOffset);
+	u8 *romfs = (u8*)(ncch + set->cryptoDetails.romfsOffset);
+
+	// Taking Hashes
+	if(set->cryptoDetails.exhdrSize)
+		ctr_sha(exhdr,set->cryptoDetails.exhdrSize,hdr->exhdrHash,CTR_SHA_256);
+	if(set->cryptoDetails.logoSize)
+		ctr_sha(logo,set->cryptoDetails.logoSize,hdr->logoHash,CTR_SHA_256);
+	if(set->cryptoDetails.exefsHashDataSize)
+		ctr_sha(exefs,set->cryptoDetails.exefsHashDataSize,hdr->exefsHash,CTR_SHA_256);
+	if(set->cryptoDetails.romfsHashDataSize)
+		ctr_sha(romfs,set->cryptoDetails.romfsHashDataSize,hdr->romfsHash,CTR_SHA_256);
+
+	// Signing NCCH
 	int sig_result = Good;
-	if(ncchset->options.IsCfa) sig_result = SignCFA(ncch,(u8*)hdr,ncchset->keys);
-	else sig_result = SignCXI(ncch,(u8*)hdr,ncchset->keys);
+	if(set->options.IsCfa) 
+		sig_result = SignCFA(hdr,set->keys);
+	else 
+		sig_result = SignCXI(hdr,set->keys);
 	if(sig_result != Good){
-		fprintf(stderr,"[NCCH ERROR] Failed to sign %s header\n",ncchset->options.IsCfa ? "CFA" : "CXI");
+		fprintf(stderr,"[NCCH ERROR] Failed to sign %s header\n",set->options.IsCfa ? "CFA" : "CXI");
 		return sig_result;
 	}
 
-	//memdump(stdout,"ncch: ",ncch,0x200);
 
 	// Crypting NCCH\n");
-	ncch_key_type keyType = GetNCCHKeyType(hdr);
-	if(keyType != NoKey){
-		SetNcchUnfixedKeys(ncchset->keys, ncch);
-
-		// Getting AES Keys
-		u8 *key0 = GetNCCHKey0(keyType, ncchset->keys);
-		u8 *key1 = GetNCCHKey1(keyType, ncchset->keys);
-
-		if(key0 == NULL || key1 == NULL){
-			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
-			free(ncch);
+	if(IsNcchEncrypted(hdr)){
+		if(!SetNcchKeys(set->keys, hdr)){
+			fprintf(stderr,"[NCCH ERROR] Failed to load NCCH AES key\n");
 			return -1;
 		}
 
-		/*
-		memdump(stdout,"key0: ",key0,16);
-		memdump(stdout,"key1: ",key1,16);
-		*/
+		if(set->options.verbose){
+			printf("[NCCH] NCCH AES keys:\n");
+			memdump(stdout," > key0: ",set->keys->aes.ncchKey0,AES_128_KEY_SIZE);
+			memdump(stdout," > key1: ",set->keys->aes.ncchKey1,AES_128_KEY_SIZE);
+		}
 
 		// Crypting Exheader/AcexDesc
-		if(ncchset->cryptoDetails.exhdrSize){
-			CryptNCCHSection(exhdr,ncchset->cryptoDetails.exhdrSize,0x0,&ncchset->cryptoDetails,key0,ncch_exhdr);
-			CryptNCCHSection(acexDesc,ncchset->cryptoDetails.acexSize,ncchset->cryptoDetails.exhdrSize,&ncchset->cryptoDetails,key0,ncch_exhdr);
+		if(set->cryptoDetails.exhdrSize){
+			CryptNcchRegion(exhdr,set->cryptoDetails.exhdrSize,0x0,&set->cryptoDetails,set->keys->aes.ncchKey0,ncch_exhdr);
+			CryptNcchRegion(acexDesc,set->cryptoDetails.acexSize,set->cryptoDetails.exhdrSize,&set->cryptoDetails,set->keys->aes.ncchKey0,ncch_exhdr);
 		}			
 
 		// Crypting ExeFs Files
-		if(ncchset->cryptoDetails.exefsSize){
+		if(set->cryptoDetails.exefsSize){
 			exefs_hdr *exefsHdr = (exefs_hdr*)exefs;
 			for(int i = 0; i < MAX_EXEFS_SECTIONS; i++){
 				u8 *key = NULL;
 				if(strncmp(exefsHdr->fileHdr[i].name,"icon",8) == 0 || strncmp(exefsHdr->fileHdr[i].name,"banner",8) == 0)
-					key = key0;
+					key = set->keys->aes.ncchKey0;
 				else
-					key = key1;
-
-				u32 offset = u8_to_u32(exefsHdr->fileHdr[i].offset,LE) + 0x200;
+					key = set->keys->aes.ncchKey1;
+								
+				u32 offset = u8_to_u32(exefsHdr->fileHdr[i].offset,LE) + sizeof(exefs_hdr);
 				u32 size = u8_to_u32(exefsHdr->fileHdr[i].size,LE);
 
 				if(size)
-					CryptNCCHSection((exefs+offset),align(size,ncchset->options.mediaSize),offset,&ncchset->cryptoDetails,key,ncch_exefs);
+					CryptNcchRegion((exefs+offset),align(size,set->options.blockSize),offset,&set->cryptoDetails,key,ncch_exefs);
 
 			}
 			// Crypting ExeFs Header
-			CryptNCCHSection(exefs,0x200,0x0,&ncchset->cryptoDetails,key0,ncch_exefs);
+			CryptNcchRegion(exefs,sizeof(exefs_hdr),0x0,&set->cryptoDetails,set->keys->aes.ncchKey0,ncch_exefs);
 		}
 
 		// Crypting RomFs
-		if(ncchset->cryptoDetails.romfsSize)
-			CryptNCCHSection(romfs,ncchset->cryptoDetails.romfsSize,0x0,&ncchset->cryptoDetails,key1,ncch_romfs);
+		if(set->cryptoDetails.romfsSize)
+			CryptNcchRegion(romfs,set->cryptoDetails.romfsSize,0x0,&set->cryptoDetails,set->keys->aes.ncchKey1,ncch_romfs);
 	}
 
 	return 0;
 }
 
-int SetCommonHeaderBasicData(ncch_settings *ncchset, ncch_hdr *hdr)
+int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 {
 	/* NCCH Magic */
 	memcpy(hdr->magic,"NCCH",4);
 
 	/* NCCH Format Version */
-	if(!ncchset->options.IsCfa)
+	if(!set->options.IsCfa)
 		u16_to_u8(hdr->formatVersion,0x2,LE);
 
 	
 	/* Setting ProgramId/TitleId */
 	u64 ProgramId = 0;
-	int result = GetProgramID(&ProgramId,ncchset->rsfSet,false); 
+	int result = GetProgramID(&ProgramId,set->rsfSet,false); 
 	if(result) return result;
 
 	u64_to_u8(hdr->programId,ProgramId,LE);
 	u64_to_u8(hdr->titleId,ProgramId,LE);
 
 	/* Get Product Code and Maker Code */
-	if(ncchset->rsfSet->BasicInfo.ProductCode){
-		if(!IsValidProductCode((char*)ncchset->rsfSet->BasicInfo.ProductCode,ncchset->options.FreeProductCode)){
+	if(set->rsfSet->BasicInfo.ProductCode){
+		if(!IsValidProductCode((char*)set->rsfSet->BasicInfo.ProductCode,set->options.FreeProductCode)){
 			fprintf(stderr,"[NCCH ERROR] Invalid Product Code\n");
 			return NCCH_BAD_YAML_SET;
 		}
-		memcpy(hdr->productCode,ncchset->rsfSet->BasicInfo.ProductCode,strlen((char*)ncchset->rsfSet->BasicInfo.ProductCode));
+		memcpy(hdr->productCode,set->rsfSet->BasicInfo.ProductCode,strlen((char*)set->rsfSet->BasicInfo.ProductCode));
 	}
 	else memcpy(hdr->productCode,"CTR-P-CTAP",10);
 
-	if(ncchset->rsfSet->BasicInfo.CompanyCode){
-		if(strlen((char*)ncchset->rsfSet->BasicInfo.CompanyCode) != 2){
+	if(set->rsfSet->BasicInfo.CompanyCode){
+		if(strlen((char*)set->rsfSet->BasicInfo.CompanyCode) != 2){
 			fprintf(stderr,"[NCCH ERROR] CompanyCode length must be 2\n");
 			return NCCH_BAD_YAML_SET;
 		}
-		memcpy(hdr->makerCode,ncchset->rsfSet->BasicInfo.CompanyCode,2);
+		memcpy(hdr->makerCode,set->rsfSet->BasicInfo.CompanyCode,2);
 	}
 	else memcpy(hdr->makerCode,"00",2);
 
 	// Setting Encryption Settings
-	if(!ncchset->options.Encrypt)
-		hdr->flags[OtherFlag] = (NoCrypto|FixedCryptoKey);
-	else if(ncchset->keys->aes.ncchKeyX0){
-		hdr->flags[OtherFlag] = UnFixedCryptoKey;
-		if(ncchset->keys->aes.ncchKeyX1 && !ncchset->options.IsCfa)
-			hdr->flags[SecureCrypto2] = 1;
+	if(!set->options.Encrypt)
+		hdr->flags[ncchflag_OTHER_FLAG] = (otherflag_NoCrypto|otherflag_FixedCryptoKey);
+	else if(set->options.useSecCrypto){
+		hdr->flags[ncchflag_OTHER_FLAG] = otherflag_Clear;
+		hdr->flags[ncchflag_CONTENT_KEYX] = set->options.keyXID;
 	}
-	else{
-		hdr->flags[OtherFlag] = FixedCryptoKey;	
-		u8 *key = GetNCCHKey0(GetNCCHKeyType(hdr),ncchset->keys);
-		if(!key){ // for detecting absense of fixed aes keys
-			hdr->flags[OtherFlag] = (NoCrypto|FixedCryptoKey);
-			fprintf(stderr,"[NCCH WARNING] NCCH AES Key could not be loaded, NCCH will not be encrypted\n");
-		}
+	else
+		hdr->flags[ncchflag_OTHER_FLAG] = otherflag_FixedCryptoKey;	
+		
+	if(!SetNcchKeys(set->keys,hdr) && set->options.Encrypt){
+		hdr->flags[ncchflag_OTHER_FLAG] = (otherflag_NoCrypto|otherflag_FixedCryptoKey);
+		set->options.Encrypt = false;
+		fprintf(stderr,"[NCCH WARNING] NCCH AES Key could not be loaded, NCCH will not be encrypted\n");
 	}
 
-	
-
 	/* Set ContentUnitSize */
-	hdr->flags[ContentUnitSize] = 0; // 0x200
+	hdr->flags[ncchflag_CONTENT_BLOCK_SIZE] = GetCtrBlockSizeFlag(set->options.blockSize);
 
 	/* Setting ContentPlatform */
-	hdr->flags[ContentPlatform] = 1; // CTR
+	hdr->flags[ncchflag_CONTENT_PLATFORM] = 1; // CTR
 
 	/* Setting OtherFlag */
-	if(!ncchset->options.UseRomFS) 
-		hdr->flags[OtherFlag] |= NoMountRomFs;
+	if(!set->options.UseRomFS) 
+		hdr->flags[ncchflag_OTHER_FLAG] |= otherflag_NoMountRomFs;
 
 
 	/* Setting ContentType */
-	hdr->flags[ContentType] = 0;
-	if(ncchset->options.UseRomFS) hdr->flags[ContentType] |= content_Data;
-	if(!ncchset->options.IsCfa) hdr->flags[ContentType] |= content_Executable;
-	if(ncchset->rsfSet->BasicInfo.ContentType){
-		if(strcmp(ncchset->rsfSet->BasicInfo.ContentType,"Application") == 0) hdr->flags[ContentType] |= 0;
-		else if(strcmp(ncchset->rsfSet->BasicInfo.ContentType,"SystemUpdate") == 0) hdr->flags[ContentType] |= content_SystemUpdate;
-		else if(strcmp(ncchset->rsfSet->BasicInfo.ContentType,"Manual") == 0) hdr->flags[ContentType] |= content_Manual;
-		else if(strcmp(ncchset->rsfSet->BasicInfo.ContentType,"Child") == 0) hdr->flags[ContentType] |= content_Child;
-		else if(strcmp(ncchset->rsfSet->BasicInfo.ContentType,"Trial") == 0) hdr->flags[ContentType] |= content_Trial;
+	hdr->flags[ncchflag_CONTENT_TYPE] = 0;
+	if(set->options.UseRomFS) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Data;
+	if(!set->options.IsCfa) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Executable;
+	if(set->rsfSet->BasicInfo.ContentType){
+		if(strcmp(set->rsfSet->BasicInfo.ContentType,"Application") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= 0;
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"SystemUpdate") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_SystemUpdate;
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Manual") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Manual;
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Child") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Child;
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Trial") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Trial;
 		else{
-			fprintf(stderr,"[NCCH ERROR] Invalid ContentType '%s'\n",ncchset->rsfSet->BasicInfo.ContentType);
+			fprintf(stderr,"[NCCH ERROR] Invalid ContentType '%s'\n",set->rsfSet->BasicInfo.ContentType);
 			return NCCH_BAD_YAML_SET;
 		}
 	}
@@ -667,17 +665,27 @@ int SetCommonHeaderBasicData(ncch_settings *ncchset, ncch_hdr *hdr)
 
 bool IsValidProductCode(char *ProductCode, bool FreeProductCode)
 {
-	if(strlen(ProductCode) > 16) return false;
+	if(strlen(ProductCode) > 16) 
+		return false;
 
 	if(FreeProductCode)
 		return true;
-
-	if(strlen(ProductCode) < 10) return false;
-	if(strncmp(ProductCode,"CTR-",4) != 0) return false;
-	if(ProductCode[5] != '-') return false;
-	if(!isdigit(ProductCode[4]) && !isupper(ProductCode[4])) return false;
-	for(int i = 6; i < 10; i++){
-		if(!isdigit(ProductCode[i]) && !isupper(ProductCode[i])) return false;
+		
+	if(strlen(ProductCode) < 10) 
+		return false;
+		
+	if(strncmp(ProductCode,"CTR",3) != 0) 
+		return false;
+	
+	for(int i = 3; i < 10; i++){
+		if(i == 3 || i == 5){
+			if(ProductCode[i] != '-') 
+				return false;
+		}
+		else{
+			if(!isdigit(ProductCode[i]) && !isupper(ProductCode[i])) 
+				return false;
+		}
 	}
 
 	return true;
@@ -685,80 +693,64 @@ bool IsValidProductCode(char *ProductCode, bool FreeProductCode)
 
 // NCCH Read Functions
 
-int VerifyNCCH(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
+int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 {
 	// Setup
-	u8 Hash[0x20];
-	u8 *hdr_sig = ncch;
-	ncch_hdr* hdr = GetNCCH_CommonHDR(NULL,NULL,ncch);
+	ncch_hdr* hdr = (ncch_hdr*)ncch;
 
-	ncch_struct *ncch_ctx = calloc(1,sizeof(ncch_struct));
-	if(!ncch_ctx){ 
+	ncch_info *ncchInfo = calloc(1,sizeof(ncch_info));
+	if(!ncchInfo){ 
 		fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 		return MEM_ERROR; 
 	}
-	GetNCCHStruct(ncch_ctx,hdr);
-
-	ncch_key_type keyType = GetNCCHKeyType(hdr);
-	u8 *key0 = NULL;
-	u8 *key1 = NULL;
-	if(keyType != NoKey){
-		//memdump(stdout,"ncch: ",ncch,0x200);
-		SetNcchUnfixedKeys(keys,ncch);
-		if(GetNCCHKey0(keyType,keys) == NULL){
-			if(!SuppressOutput) 
-				fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key.\n");
-			return UNABLE_TO_LOAD_NCCH_KEY;
-		}
-		key0 = GetNCCHKey0(keyType,keys);
-		key1 = GetNCCHKey1(keyType,keys);
-	}
+	GetNcchInfo(ncchInfo,hdr);
 
-	//memdump(stdout,"key0: ",key0,16);
-	//memdump(stdout,"key1: ",key1,16);
+	if(!SetNcchKeys(keys, hdr)){
+		fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
+		return UNABLE_TO_LOAD_NCCH_KEY;
+	}
 
 	if(IsCfa(hdr)){
-		if(CheckCFASignature(hdr_sig,(u8*)hdr,keys) != Good && !keys->rsa.isFalseSign){
+		if(CheckCFASignature(hdr,keys) != Good && !keys->rsa.isFalseSign){
 			if(!SuppressOutput) 
 				fprintf(stderr,"[NCCH ERROR] CFA Sigcheck Failed\n");
-			free(ncch_ctx);
+			free(ncchInfo);
 			return NCCH_HDR_SIG_BAD;
 		}
-		if(!ncch_ctx->romfsSize){
+		if(!ncchInfo->romfsSize){
 			if(!SuppressOutput) 
 				fprintf(stderr,"[NCCH ERROR] CFA is corrupt\n");
-			free(ncch_ctx);
+			free(ncchInfo);
 			return NO_ROMFS_IN_CFA;
 		}
 	}
 	else{ // IsCxi
 		// Checking for necessary sections
-		if(!ncch_ctx->exhdrSize){
+		if(!ncchInfo->exhdrSize){
 			if(!SuppressOutput) 
 				fprintf(stderr,"[NCCH ERROR] CXI is corrupt\n");
-			free(ncch_ctx);
+			free(ncchInfo);
 			return NO_EXHEADER_IN_CXI;
 		}
-		if(!ncch_ctx->exefsSize){
+		if(!ncchInfo->exefsSize){
 			if(!SuppressOutput) 
 				fprintf(stderr,"[NCCH ERROR] CXI is corrupt\n");
-			free(ncch_ctx);
+			free(ncchInfo);
 			return NO_EXEFS_IN_CXI;
 		}
 		// Get ExHeader/AcexDesc
-		extended_hdr *exHdr = malloc(ncch_ctx->exhdrSize);
+		extended_hdr *exHdr = malloc(ncchInfo->exhdrSize);
 		if(!exHdr){ 
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
-			free(ncch_ctx);
+			free(ncchInfo);
 			return MEM_ERROR; 
 		}
-		memcpy(exHdr,ncch+ncch_ctx->exhdrOffset,ncch_ctx->exhdrSize);
-		if(key0 != NULL)
-			CryptNCCHSection((u8*)exHdr,ncch_ctx->exhdrSize,0,ncch_ctx,key0,ncch_exhdr);
+		memcpy(exHdr,ncch+ncchInfo->exhdrOffset,ncchInfo->exhdrSize);
+		if(IsNcchEncrypted(hdr))
+			CryptNcchRegion((u8*)exHdr,ncchInfo->exhdrSize,0,ncchInfo,keys->aes.ncchKey0,ncch_exhdr);
 
 		// Checking Exheader Hash to see if decryption was sucessful
-		ctr_sha(exHdr,0x400,Hash,CTR_SHA_256);
-		if(memcmp(Hash,hdr->exhdrHash,0x20) != 0){
+		if(!VerifySha256(exHdr, ncchInfo->exhdrSize, hdr->exhdrHash)){
 			//memdump(stdout,"Expected Hash: ",hdr->extended_header_sha_256_hash,0x20);
 			//memdump(stdout,"Actual Hash:   ",Hash,0x20);
 			//memdump(stdout,"Exheader:      ",(u8*)exHdr,0x400);
@@ -766,36 +758,34 @@ int VerifyNCCH(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 				fprintf(stderr,"[NCCH ERROR] ExHeader Hashcheck Failed\n");
 				fprintf(stderr,"[NCCH ERROR] CXI is corrupt\n");
 			}
-			free(ncch_ctx);
+			free(ncchInfo);
 			free(exHdr);
-			return ExHeader_Hashfail;
+			return EXHDR_CORRUPT;
 		}
 		free(exHdr);
 		
 		// Checking RSA Sigs
-		access_descriptor *acexDesc = malloc(ncch_ctx->acexSize);
+		access_descriptor *acexDesc = malloc(ncchInfo->acexSize);
 		if(!acexDesc){ 
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
-			free(ncch_ctx);
+			free(ncchInfo);
 			free(exHdr);
 			return MEM_ERROR; 
 		}
-		memcpy(acexDesc,ncch+ncch_ctx->acexOffset,ncch_ctx->acexSize);
-		if(key0 != NULL)
-			CryptNCCHSection((u8*)acexDesc,ncch_ctx->acexSize,ncch_ctx->exhdrOffset,ncch_ctx,key0,ncch_exhdr);
+		memcpy(acexDesc,ncch+ncchInfo->acexOffset,ncchInfo->acexSize);
+		if(IsNcchEncrypted(hdr))
+			CryptNcchRegion((u8*)acexDesc,ncchInfo->acexSize,ncchInfo->exhdrSize,ncchInfo,keys->aes.ncchKey0,ncch_exhdr);
 
 		if(CheckAccessDescSignature(acexDesc,keys) != 0 && !keys->rsa.isFalseSign){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] AccessDesc Sigcheck Failed\n");
-			free(ncch_ctx);
+			free(ncchInfo);
 			free(acexDesc);
 			return ACCESSDESC_SIG_BAD;
 		}
-		
-		u8 *hdr_pubk = GetAcexNcchPubKey(acexDesc);
-		
-		if(CheckCXISignature(hdr_sig,(u8*)hdr,hdr_pubk) != 0 && !keys->rsa.isFalseSign){
+				
+		if(CheckCXISignature(hdr,GetAcexNcchPubKey(acexDesc)) != 0 && !keys->rsa.isFalseSign){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] CXI Header Sigcheck Failed\n");
-			free(ncch_ctx);			
+			free(ncchInfo);			
 			free(acexDesc);
 			return NCCH_HDR_SIG_BAD;
 		}
@@ -805,93 +795,70 @@ int VerifyNCCH(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 		return 0;
 
 	/* Checking ExeFs Hash, if present */
-	if(ncch_ctx->exefsSize)
+	if(ncchInfo->exefsSize)
 	{
-		u8 *ExeFs = malloc(ncch_ctx->exefsHashDataSize);
-		if(!ExeFs){ 
+		u8 *exefs = malloc(ncchInfo->exefsHashDataSize);
+		if(!exefs){ 
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
-			free(ncch_ctx);
+			free(ncchInfo);
 			return MEM_ERROR; 
 		}
-		memcpy(ExeFs,ncch+ncch_ctx->exefsOffset,ncch_ctx->exefsHashDataSize);
-		if(key0 != NULL)
-			CryptNCCHSection(ExeFs,ncch_ctx->exefsHashDataSize,0,ncch_ctx,key0,ncch_exefs);
-		ctr_sha(ExeFs,ncch_ctx->exefsHashDataSize,Hash,CTR_SHA_256);
-		free(ExeFs);
-		if(memcmp(Hash,hdr->exefsHash,0x20) != 0){
+		memcpy(exefs,ncch+ncchInfo->exefsOffset,ncchInfo->exefsHashDataSize);
+		if(IsNcchEncrypted(hdr))
+			CryptNcchRegion(exefs,ncchInfo->exefsHashDataSize,0,ncchInfo,keys->aes.ncchKey0,ncch_exefs);
+		if(!VerifySha256(exefs, ncchInfo->exefsHashDataSize, hdr->exefsHash)){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] ExeFs Hashcheck Failed\n");
-			free(ncch_ctx);
-			return ExeFs_Hashfail;
+			free(ncchInfo);
+			free(exefs);
+			return EXEFS_CORRUPT;
 		}
+		free(exefs);
 	}
 
 	/* Checking RomFs hash, if present */
-	if(ncch_ctx->romfsSize){
-		u8 *RomFs = malloc(ncch_ctx->romfsHashDataSize);
-		if(!RomFs){ 
+	if(ncchInfo->romfsSize){
+		u8 *romfs = malloc(ncchInfo->romfsHashDataSize);
+		if(!romfs){ 
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
-			free(ncch_ctx);
+			free(ncchInfo);
 			return MEM_ERROR; 
 		}
-		memcpy(RomFs,ncch+ncch_ctx->romfsOffset,ncch_ctx->romfsHashDataSize);
-		if(key1 != NULL)
-			CryptNCCHSection(RomFs,ncch_ctx->romfsHashDataSize,0,ncch_ctx,key1,ncch_romfs);
-		ctr_sha(RomFs,ncch_ctx->romfsHashDataSize,Hash,CTR_SHA_256);
-		free(RomFs);
-		if(memcmp(Hash,hdr->romfsHash,0x20) != 0){
+		memcpy(romfs,ncch+ncchInfo->romfsOffset,ncchInfo->romfsHashDataSize);
+		if(IsNcchEncrypted(hdr))
+			CryptNcchRegion(romfs,ncchInfo->romfsHashDataSize,0,ncchInfo,keys->aes.ncchKey1,ncch_romfs);
+		if(!VerifySha256(romfs,ncchInfo->romfsHashDataSize,hdr->romfsHash)){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] RomFs Hashcheck Failed\n");
-			free(ncch_ctx);
-			return ExeFs_Hashfail;
+			free(ncchInfo);
+			free(romfs);
+			return ROMFS_CORRUPT;
 		}
+		free(romfs);
 	}
 
 	/* Checking the Logo Hash, if present */
-	if(ncch_ctx->logoSize){
-		u8 *logo = (ncch+ncch_ctx->logoOffset);
-		ctr_sha(logo,ncch_ctx->logoSize,Hash,CTR_SHA_256);
-		if(memcmp(Hash,hdr->logoHash,0x20) != 0){
+	if(ncchInfo->logoSize){
+		u8 *logo = (ncch+ncchInfo->logoOffset);
+		if(!VerifySha256(logo,ncchInfo->logoSize,hdr->logoHash)){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] Logo Hashcheck Failed\n");
-			free(ncch_ctx);
-			return Logo_Hashfail;
+			free(ncchInfo);
+			return LOGO_CORRUPT;
 		}
 	} 
 	
 	
-	free(ncch_ctx);
+	free(ncchInfo);
 	return 0;
 }
 
-
-u8* RetargetNCCH(FILE *fp, u64 size, u8 *TitleId, u8 *ProgramId, keys_struct *keys)
-{
-	u8 *ncch = calloc(1,size);
-	if(!ncch){
-		fprintf(stderr,"[NCCH ERROR] Not enough memory\n");
-		return NULL;
-	}
-	ReadFile_64(ncch,size,0,fp); // Importing
-	
-	if(ModifyNcchIds(ncch,TitleId, ProgramId, keys) != 0){
-		free(ncch);
-		return NULL;
-	}
-
-	return ncch;
-}
-
 int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 {
-	if(!IsNCCH(NULL,ncch)){
-		//free(ncch);
+	if(!IsNcch(NULL,ncch))
 		return -1;
-	}
 		
-	ncch_hdr *hdr = NULL;
-	hdr = GetNCCH_CommonHDR(NULL,NULL,ncch);
+	ncch_hdr *hdr = (ncch_hdr*)ncch;
 	
 	if(/*keys->rsa.requiresPresignedDesc && */!IsCfa(hdr)){
 		fprintf(stderr,"[NCCH ERROR] CXI's ID cannot be modified without the ability to resign the AccessDesc\n"); // Not yet yet, requires AccessDesc Privk, may implement anyway later
-		//free(ncch);
 		return -1;
 	}
 	
@@ -901,29 +868,19 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 	if(titleIdMatches && programIdMatches) 
 		return 0;// if no modification is required don't do anything
 
-	if(titleIdMatches){ // If TitleID Same, no crypto required, just resign.
-		memcpy(hdr->programId,programId,8);
-		SignCFA(ncch,(u8*)hdr,keys);
-		return 0;
-	}
 
-	ncch_key_type keytype = GetNCCHKeyType(hdr);
-	ncch_struct ncch_struct;
-	u8 *key = NULL;
+	ncch_info ncchInfo;
 	u8 *romfs = NULL;
 	
 	//Decrypting if necessary
-	if(keytype != NoKey){
-		GetNCCHStruct(&ncch_struct,hdr);
-		romfs = (ncch+ncch_struct.romfsOffset);
-		SetNcchUnfixedKeys(keys, ncch); // For Secure Crypto
-		key = GetNCCHKey1(keytype,keys);
-		if(key == NULL){
+	if(IsNcchEncrypted(hdr)){
+		GetNcchInfo(&ncchInfo,hdr);
+		romfs = (ncch+ncchInfo.romfsOffset);
+		if(!SetNcchKeys(keys, hdr)){
 			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
-			//free(ncch);
 			return -1;
 		}
-		CryptNCCHSection(romfs,ncch_struct.romfsSize,0,&ncch_struct,key,ncch_romfs);
+		CryptNcchRegion(romfs,ncchInfo.romfsSize,0,&ncchInfo,keys->aes.ncchKey1,ncch_romfs);
 	}
 	
 	// Editing data and resigning
@@ -931,192 +888,188 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 		memcpy(hdr->titleId,titleId,8);
 	if(programId)
 		memcpy(hdr->programId,programId,8);
-	SignCFA(ncch,(u8*)hdr,keys);
-
-	//Checking New Key Type
-	keytype = GetNCCHKeyType(hdr);
+	SignCFA(hdr,keys);
 	
 	// Re-encrypting if necessary
-	if(keytype != NoKey){
-		GetNCCHStruct(&ncch_struct,hdr);
-		romfs = (ncch+ncch_struct.romfsOffset);
-		SetNcchUnfixedKeys(keys, ncch); // For Secure Crypto
-		key = GetNCCHKey1(keytype,keys);
-		if(key == NULL){
+	if(IsNcchEncrypted(hdr)){
+		GetNcchInfo(&ncchInfo,hdr);
+		romfs = (ncch+ncchInfo.romfsOffset);
+		if(!SetNcchKeys(keys, hdr)){
 			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
-			//free(ncch);
 			return -1;
 		}
-		CryptNCCHSection(romfs,ncch_struct.romfsSize,0,&ncch_struct,key,ncch_romfs);
+		CryptNcchRegion(romfs,ncchInfo.romfsSize,0,&ncchInfo,keys->aes.ncchKey1,ncch_romfs);
 	}
 
 	return 0;
 }
 
 
-ncch_hdr* GetNCCH_CommonHDR(void *out, FILE *fp, u8 *buf)
+void ReadNcchHdr(ncch_hdr *hdr, FILE *fp)
 {
-	if(!fp && !buf) return NULL;
-	if(fp){
-		if(!out) return NULL;
-		ReadFile_64(out,0x100,0x100,fp);
-		return (ncch_hdr*)out;
-	}
-	else{
-		return (ncch_hdr*)(buf+0x100);
-	}
+	if(!fp || !hdr)
+		return;
+		
+	ReadFile64(hdr,sizeof(ncch_hdr),0,fp);
+	
+	return;
 }
 
+u8* GetNcchHdrSig(ncch_hdr *hdr)
+{
+	return (u8*)hdr->signature;
+}
+
+u8* GetNcchHdrData(ncch_hdr *hdr)
+{
+	return (u8*)hdr->magic;
+}
 
-bool IsNCCH(FILE *fp, u8 *buf)
+u32 GetNcchHdrSigLen(ncch_hdr *hdr)
 {
-	if(!fp && !buf) return false;
-	ncch_hdr *ncchHDR = NULL;
+	return 0x100;
+}
+
+u32 GetNcchHdrDataLen(ncch_hdr *hdr)
+{
+	return 0x100;
+}
+
+bool IsNcch(FILE *fp, u8 *buf)
+{
+	if(!fp && !buf) 
+		return false;
+		
+	ncch_hdr *hdr;
 	bool result;
+	
 	if(fp) {
-		ncchHDR = malloc(sizeof(ncch_hdr));
-		GetNCCH_CommonHDR(ncchHDR,fp,NULL);
-		result = (memcmp(ncchHDR->magic,"NCCH",4) == 0);
-		free(ncchHDR);
+		hdr = malloc(sizeof(ncch_hdr));
+		ReadNcchHdr(hdr,fp);
+		result = (memcmp(hdr->magic,"NCCH",4) == 0);
+		free(hdr);
 	}
 	else {
-		ncchHDR = GetNCCH_CommonHDR(ncchHDR,NULL,buf);
-		result = (memcmp(ncchHDR->magic,"NCCH",4) == 0);
+		hdr = (ncch_hdr*)buf;
+		result = (memcmp(hdr->magic,"NCCH",4) == 0);
 	}
 	return result;
 }
 
 bool IsCfa(ncch_hdr* hdr)
 {
-	return (((hdr->flags[ContentType] & content_Data) == content_Data) && ((hdr->flags[ContentType] & content_Executable) != content_Executable));
+	return (((hdr->flags[ncchflag_CONTENT_TYPE] & content_Data) == content_Data) && ((hdr->flags[ncchflag_CONTENT_TYPE] & content_Executable) != content_Executable));
 }
 
-u32 GetNCCH_MediaUnitSize(ncch_hdr* hdr)
+bool IsUpdateCfa(ncch_hdr* hdr)
 {
-	u16 formatVersion = u8_to_u16(hdr->formatVersion,LE);
-	u32 ret = 0;
-	if (formatVersion == 1)
-		ret = 1;
-	else if (formatVersion == 2 || formatVersion == 0)
-		ret = 1 << (hdr->flags[ContentUnitSize] + 9);
-	return ret;
-	//return 0x200*pow(2,hdr->flags[ContentUnitSize]);
+	return (((hdr->flags[ncchflag_CONTENT_TYPE] & content_SystemUpdate) == content_SystemUpdate) && ((hdr->flags[ncchflag_CONTENT_TYPE] & content_Child) != content_Child) && IsCfa(hdr));
 }
 
-u32 GetNCCH_MediaSize(ncch_hdr* hdr)
+u32 GetNcchBlockSize(ncch_hdr* hdr)
 {
-	return u8_to_u32(hdr->ncchSize,LE);
+	/*
+	u16 formatVersion = u8_to_u16(hdr->formatVersion,LE);
+	if (formatVersion == 1)
+		return 1;
+	*/
+	return GetCtrBlockSize(hdr->flags[ncchflag_CONTENT_BLOCK_SIZE]); //formatVersion == 2 || formatVersion == 0
 }
 
-ncch_key_type GetNCCHKeyType(ncch_hdr* hdr)
-{	
-	// Non-Secure Key Options
-	if((hdr->flags[OtherFlag] & NoCrypto) == NoCrypto) 
-		return NoKey;
-	if((hdr->flags[OtherFlag] & FixedCryptoKey) == FixedCryptoKey){
-		if((hdr->programId[4] & 0x10) == 0x10) 
-			return KeyIsSystemFixed;
-		else 
-			return KeyIsNormalFixed;
-	}
-
-	// Secure Key Options
-	if(hdr->flags[SecureCrypto2]) 
-		return KeyIsUnFixed2;
-	return KeyIsUnFixed;
+u64 GetNcchSize(ncch_hdr* hdr)
+{
+	return (u64)u8_to_u32(hdr->ncchSize,LE) * (u64)GetNcchBlockSize(hdr);
 }
 
-u8* GetNCCHKey0(ncch_key_type keytype, keys_struct *keys)
+bool IsNcchEncrypted(ncch_hdr *hdr)
 {
-	switch(keytype){
-		case NoKey: return NULL;
-		case KeyIsNormalFixed:
-			return keys->aes.normalKey;
-		case KeyIsSystemFixed:
-			return keys->aes.systemFixedKey;
-		case KeyIsUnFixed:
-		case KeyIsUnFixed2:
-			if(keys->aes.ncchKeyX0)
-				return keys->aes.unFixedKey0;
-			else
-				return NULL;
-	}
-	return NULL;
+	return (hdr->flags[ncchflag_OTHER_FLAG] & otherflag_NoCrypto) != otherflag_NoCrypto;
 }
 
-u8* GetNCCHKey1(ncch_key_type keytype, keys_struct *keys)
+bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr)
 {
-	switch(keytype){
-		case NoKey: return NULL;
-		case KeyIsNormalFixed:
-			return keys->aes.normalKey;
-		case KeyIsSystemFixed:
-			return keys->aes.systemFixedKey;
-		case KeyIsUnFixed:
-			if(keys->aes.ncchKeyX0)
-				return keys->aes.unFixedKey0;
-			else
-				return NULL;
-		case KeyIsUnFixed2:
-			if(keys->aes.ncchKeyX1)
-				return keys->aes.unFixedKey1;
-			else
-				return NULL;
+	if(!IsNcchEncrypted(hdr)) 
+		return true;
+		
+	if((hdr->flags[ncchflag_OTHER_FLAG] & otherflag_FixedCryptoKey) == otherflag_FixedCryptoKey){
+		if((hdr->programId[4] & 0x10) == 0x10 && keys->aes.systemFixedKey){
+			memcpy(keys->aes.ncchKey0,keys->aes.systemFixedKey,AES_128_KEY_SIZE);
+			memcpy(keys->aes.ncchKey1,keys->aes.systemFixedKey,AES_128_KEY_SIZE);
+			return true;
+		}
+		else if(keys->aes.normalKey){
+			memcpy(keys->aes.ncchKey0,keys->aes.normalKey,AES_128_KEY_SIZE);
+			memcpy(keys->aes.ncchKey1,keys->aes.normalKey,AES_128_KEY_SIZE);
+			return true;
+		}
+		return false;
 	}
-	return NULL;
+	
+	if(keys->aes.ncchKeyX[0])
+		AesKeyScrambler(keys->aes.ncchKey0,keys->aes.ncchKeyX[0],hdr->signature);
+	else
+		return false;
+	
+	if(keys->aes.ncchKeyX[hdr->flags[ncchflag_CONTENT_KEYX]])
+		AesKeyScrambler(keys->aes.ncchKey1,keys->aes.ncchKeyX[hdr->flags[ncchflag_CONTENT_KEYX]],hdr->signature);
+	else
+		return false;
+		
+	return true;
 }
 
-int GetNCCHStruct(ncch_struct *ctx, ncch_hdr *header)
+int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 {
-	memcpy(ctx->titleId,header->titleId,8);
-	memcpy(ctx->programId,header->programId,8);
+	memcpy(info->titleId,hdr->titleId,8);
+	memcpy(info->programId,hdr->programId,8);
 
 	
-	u32 media_unit = GetNCCH_MediaUnitSize(header);
+	u32 media_unit = GetNcchBlockSize(hdr);
 	
-	ctx->formatVersion = u8_to_u16(header->formatVersion,LE);
-	if(!IsCfa(header)){
-		ctx->exhdrOffset = 0x200;
-		ctx->exhdrSize = u8_to_u32(header->exhdrSize,LE);
-		ctx->acexOffset = (ctx->exhdrOffset + ctx->exhdrSize);
-		ctx->acexSize = sizeof(access_descriptor);
-		ctx->plainRegionOffset = (u64)(u8_to_u32(header->plainRegionOffset,LE)*media_unit);
-		ctx->plainRegionSize = (u64)(u8_to_u32(header->plainRegionSize,LE)*media_unit);
+	info->formatVersion = u8_to_u16(hdr->formatVersion,LE);
+	if(!IsCfa(hdr)){
+		info->exhdrOffset = 0x200;
+		info->exhdrSize = u8_to_u32(hdr->exhdrSize,LE);
+		info->acexOffset = (info->exhdrOffset + info->exhdrSize);
+		info->acexSize = sizeof(access_descriptor);
+		info->plainRegionOffset = (u64)(u8_to_u32(hdr->plainRegionOffset,LE)*media_unit);
+		info->plainRegionSize = (u64)(u8_to_u32(hdr->plainRegionSize,LE)*media_unit);
 	}
 
-	ctx->logoOffset = (u64)(u8_to_u32(header->logoOffset,LE)*media_unit);
-	ctx->logoSize = (u64)(u8_to_u32(header->logoSize,LE)*media_unit);
-	ctx->exefsOffset = (u64)(u8_to_u32(header->exefsOffset,LE)*media_unit);
-	ctx->exefsSize = (u64)(u8_to_u32(header->exefsSize,LE)*media_unit);
-	ctx->exefsHashDataSize = (u64)(u8_to_u32(header->exefsHashSize,LE)*media_unit);
-	ctx->romfsOffset = (u64) (u8_to_u32(header->romfsOffset,LE)*media_unit);
-	ctx->romfsSize = (u64) (u8_to_u32(header->romfsSize,LE)*media_unit);
-	ctx->romfsHashDataSize = (u64)(u8_to_u32(header->romfsHashSize,LE)*media_unit);
+	info->logoOffset = (u64)(u8_to_u32(hdr->logoOffset,LE)*media_unit);
+	info->logoSize = (u64)(u8_to_u32(hdr->logoSize,LE)*media_unit);
+	info->exefsOffset = (u64)(u8_to_u32(hdr->exefsOffset,LE)*media_unit);
+	info->exefsSize = (u64)(u8_to_u32(hdr->exefsSize,LE)*media_unit);
+	info->exefsHashDataSize = (u64)(u8_to_u32(hdr->exefsHashSize,LE)*media_unit);
+	info->romfsOffset = (u64) (u8_to_u32(hdr->romfsOffset,LE)*media_unit);
+	info->romfsSize = (u64) (u8_to_u32(hdr->romfsSize,LE)*media_unit);
+	info->romfsHashDataSize = (u64)(u8_to_u32(hdr->romfsHashSize,LE)*media_unit);
 	return 0;
 }
 
-void CryptNCCHSection(u8 *buffer, u64 size, u64 src_pos, ncch_struct *ctx, u8 key[16], u8 type)
+void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, ncch_info *ctx, u8 key[16], u8 type)
 {
 	if(type < 1 || type > 3)
 		return;
 	u8 counter[0x10];
-	ncch_get_counter(ctx,counter,type);	
 	ctr_aes_context aes_ctx;
 	memset(&aes_ctx,0x0,sizeof(ctr_aes_context));
+	
+	GetNcchAesCounter(ctx,counter,type);	
 	ctr_init_counter(&aes_ctx, key, counter);
+	
 	if(src_pos > 0){
 		u32 carry = 0;
 		carry = align(src_pos,0x10);
 		carry /= 0x10;
 		ctr_add_counter(&aes_ctx,carry);
 	}
-
 	
 	ctr_crypt_counter(&aes_ctx, buffer, buffer, size);
 	return;
 }
 
-void ncch_get_counter(ncch_struct *ctx, u8 counter[16], u8 type)
+void GetNcchAesCounter(ncch_info *ctx, u8 counter[16], u8 type)
 {
 	u8 *titleId = ctx->titleId;
 	u32 i;
diff --git a/makerom/ncch.h b/makerom/ncch.h
index 232a228e..e87ae48e 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -15,10 +15,10 @@ typedef enum
 	ACCESSDESC_SIG_BAD = -10,
 	NCCH_HDR_SIG_BAD = -11,
 	// HashCheck Errors
-	ExHeader_Hashfail = -12,
-	Logo_Hashfail = -13,
-	ExeFs_Hashfail = -14,
-	RomFs_Hashfail = -15,
+	EXHDR_CORRUPT = -12,
+	LOGO_CORRUPT = -13,
+	EXEFS_CORRUPT = -14,
+	ROMFS_CORRUPT = -15,
 	// Others
 	NCCH_BAD_YAML_SET = -16,
 	DATA_POS_DNE = -17,
@@ -29,34 +29,23 @@ typedef enum
 	ncch_exhdr = 1,
 	ncch_exefs,
 	ncch_romfs,
-	ncch_Logo,
-	ncch_PlainRegion,
 } ncch_section;
 
 typedef enum
 {
-	NoKey,
-	KeyIsNormalFixed,
-	KeyIsSystemFixed,
-	KeyIsUnFixed,
-	KeyIsUnFixed2,
-} ncch_key_type;
-
-typedef enum
-{
-	SecureCrypto2 = 3,
-	ContentPlatform = 4,
-	ContentType = 5,
-	ContentUnitSize = 6,
-	OtherFlag = 7
+	ncchflag_CONTENT_KEYX = 3,
+	ncchflag_CONTENT_PLATFORM = 4,
+	ncchflag_CONTENT_TYPE = 5,
+	ncchflag_CONTENT_BLOCK_SIZE = 6,
+	ncchflag_OTHER_FLAG = 7
 } ncch_flags;
 
 typedef enum
 {
-	UnFixedCryptoKey = 0x0,
-	FixedCryptoKey = 0x1,
-	NoMountRomFs = 0x2,
-	NoCrypto = 0x4,
+	otherflag_Clear = 0,
+	otherflag_FixedCryptoKey = (1 << 0),
+	otherflag_NoMountRomFs = (1 << 1),
+	otherflag_NoCrypto = (1 << 2),
 } ncch_otherflag_bitmask;
 
 typedef enum
@@ -88,10 +77,11 @@ typedef struct
 	u64 romfsHashDataSize;
 	u8 titleId[8];
 	u8 programId[8];
-} ncch_struct;
+} ncch_info;
 
 typedef struct
 {
+	u8 signature[0x100];
 	u8 magic[4];
 	u8 ncchSize[4];
 	u8 titleId[8];
@@ -122,109 +112,24 @@ typedef struct
 	u8 romfsHash[0x20];
 } ncch_hdr;
 
-
-typedef struct
-{
-	buffer_struct *out;
-	keys_struct *keys;
-	rsf_settings *rsfSet;
-
-	struct
-	{
-		u32 mediaSize;
-		bool IncludeExeFsLogo;
-		bool CompressCode;
-		bool UseOnSD;
-		bool Encrypt;
-		bool FreeProductCode;
-		bool IsCfa;
-		bool IsBuildingCodeSection;
-		bool UseRomFS;
-	} options;
-
-	struct
-	{
-		FILE *elf;
-		u64 elfSize;
-
-		FILE *banner;
-		u64 bannerSize;
-
-		FILE *icon;
-		u64 iconSize;
-
-		FILE *logo;
-		u64 logoSize;
-
-		FILE *code;
-		u64 codeSize;
-
-		FILE *exhdr;
-		u64 exhdrSize;
-
-		FILE *romfs;
-		u64 romfsSize;
-
-		FILE *plainregion;
-		u64 plainregionSize;
-	} componentFilePtrs;
-
-	struct
-	{
-		buffer_struct code;
-		buffer_struct banner;
-		buffer_struct icon;
-	} exefsSections;
-
-	struct
-	{
-		u32 textAddress;
-		u32 textSize;
-		u32 textMaxPages;
-		u32 roAddress;
-		u32 roSize;
-		u32 roMaxPages;
-		u32 rwAddress;
-		u32 rwSize;
-		u32 rwMaxPages;
-		u32 bssSize;
-	} codeDetails;
-
-	struct
-	{
-		buffer_struct exhdr;
-		buffer_struct acexDesc;
-		buffer_struct logo;
-		buffer_struct plainRegion;
-		buffer_struct exeFs;
-	} sections;
-	
-	ncch_struct cryptoDetails;
-
-
-} ncch_settings;
-
-// NCCH Build Functions
-int build_NCCH(user_settings *usrset);
-
-
 // NCCH Read Functions
-int VerifyNCCH(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput);
+int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput);
 
-u8* RetargetNCCH(FILE *fp, u64 size, u8 *TitleId, u8 *ProgramId, keys_struct *keys);
 int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys);
 
-
-ncch_hdr* GetNCCH_CommonHDR(void *out, FILE *fp, u8 *buf);
-bool IsNCCH(FILE *fp, u8 *buf);
+void ReadNcchHdr(ncch_hdr *hdr, FILE *fp);
+u8* GetNcchHdrSig(ncch_hdr *hdr);
+u8* GetNcchHdrData(ncch_hdr *hdr);
+u32 GetNcchHdrSigLen(ncch_hdr *hdr);
+u32 GetNcchHdrDataLen(ncch_hdr *hdr);
+bool IsNcch(FILE *fp, u8 *buf);
 bool IsCfa(ncch_hdr* hdr);
-u32 GetNCCH_MediaUnitSize(ncch_hdr* hdr);
-u32 GetNCCH_MediaSize(ncch_hdr* hdr);
-ncch_key_type GetNCCHKeyType(ncch_hdr* hdr);
-
-u8* GetNCCHKey0(ncch_key_type keytype, keys_struct *keys);
-u8* GetNCCHKey1(ncch_key_type keytype, keys_struct *keys);
-
-int GetNCCHStruct(ncch_struct *ctx, ncch_hdr *header);
-void ncch_get_counter(ncch_struct *ctx, u8 counter[16], u8 type);
-void CryptNCCHSection(u8 *buffer, u64 size, u64 src_pos, ncch_struct *ctx, u8 key[16], u8 type);
\ No newline at end of file
+bool IsUpdateCfa(ncch_hdr* hdr);
+u32 GetNcchBlockSize(ncch_hdr* hdr);
+u8 GetBlockSizeFlag(u32 size);
+u64 GetNcchSize(ncch_hdr* hdr);
+bool IsNcchEncrypted(ncch_hdr *hdr);
+bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr);
+int GetNcchInfo(ncch_info *ctx, ncch_hdr *header);
+void GetNcchAesCounter(ncch_info *ctx, u8 counter[16], u8 type);
+void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, ncch_info *ctx, u8 key[16], u8 type);
\ No newline at end of file
diff --git a/makerom/ncch_build.h b/makerom/ncch_build.h
new file mode 100644
index 00000000..96f47c4e
--- /dev/null
+++ b/makerom/ncch_build.h
@@ -0,0 +1,88 @@
+#pragma once
+#include "ncch.h"
+
+typedef struct
+{
+	buffer_struct *out;
+	keys_struct *keys;
+	rsf_settings *rsfSet;
+
+	struct
+	{
+		u32 blockSize;
+		bool verbose;
+		bool IncludeExeFsLogo;
+		bool CompressCode;
+		bool UseOnSD;
+		bool Encrypt;
+		bool FreeProductCode;
+		bool IsCfa;
+		bool IsBuildingCodeSection;
+		bool UseRomFS;
+		
+		bool useSecCrypto;
+		u8 keyXID;
+	} options;
+
+	struct
+	{
+		FILE *elf;
+		u64 elfSize;
+
+		FILE *banner;
+		u64 bannerSize;
+
+		FILE *icon;
+		u64 iconSize;
+
+		FILE *logo;
+		u64 logoSize;
+
+		FILE *code;
+		u64 codeSize;
+
+		FILE *exhdr;
+		u64 exhdrSize;
+
+		FILE *romfs;
+		u64 romfsSize;
+
+		FILE *plainregion;
+		u64 plainregionSize;
+	} componentFilePtrs;
+
+	struct
+	{
+		buffer_struct code;
+		buffer_struct banner;
+		buffer_struct icon;
+	} exefsSections;
+
+	struct
+	{
+		u32 textAddress;
+		u32 textSize;
+		u32 textMaxPages;
+		u32 roAddress;
+		u32 roSize;
+		u32 roMaxPages;
+		u32 rwAddress;
+		u32 rwSize;
+		u32 rwMaxPages;
+		u32 bssSize;
+	} codeDetails;
+
+	struct
+	{
+		buffer_struct exhdr;
+		buffer_struct acexDesc;
+		buffer_struct logo;
+		buffer_struct plainRegion;
+		buffer_struct exeFs;
+	} sections;
+	
+	ncch_info cryptoDetails;
+} ncch_settings;
+
+// NCCH Build Functions
+int build_NCCH(user_settings *usrset);
\ No newline at end of file
diff --git a/makerom/logo_data.h b/makerom/ncch_logo.h
similarity index 100%
rename from makerom/logo_data.h
rename to makerom/ncch_logo.h
diff --git a/makerom/ncch_read.h b/makerom/ncch_read.h
new file mode 100644
index 00000000..a185bd04
--- /dev/null
+++ b/makerom/ncch_read.h
@@ -0,0 +1,2 @@
+#pragma once
+#include "ncch.h"
\ No newline at end of file
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index bb8f3c06..2827f5b4 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -1,684 +1,700 @@
 #include "lib.h"
-#include "ncch.h"
-#include "exheader.h"
-#include "ncsd.h"
-#include "cia.h"
-#include "tmd.h"
-
-// Private Prototypes
-
-/* RSA Crypto */
-int SignCCI(u8 *Signature, u8 *NCSD_HDR, keys_struct *keys);
-int CheckCCISignature(u8 *Signature, u8 *NCSD_HDR, keys_struct *keys);
-
-/* cci_settings tools */
-void init_CCISettings(cci_settings *set);
-int get_CCISettings(cci_settings *cciset, user_settings *usrset);
-void free_CCISettings(cci_settings *set);
-
-/* CCI Data Gen/Write */
-int BuildCCIHeader(cci_settings *cciset, user_settings *usrset);
-int BuildCardInfoHeader(cci_settings *cciset, user_settings *usrset);
-int WriteHeaderToFile(cci_settings *cciset);
-int WriteContentToFile(cci_settings *cciset,user_settings *usrset);
-int WriteDummyBytes(cci_settings *cciset);
-
-/* Get Data from Content Files */
-int CheckContent0(cci_settings *cciset, user_settings *usrset);
-int GetDataFromContent0(cci_settings *cciset, user_settings *usrset);
-int GetContentFP(cci_settings *cciset, user_settings *usrset);
-int ImportNcchPartitions(cci_settings *cciset);
-int ImportCverDetails(cci_settings *cciset, user_settings *usrset);
-
-/* Get Data from YAML Settings */
-int GetNCSDFlags(cci_settings *cciset, rsf_settings *yaml);
-int GetMediaSize(cci_settings *cciset, user_settings *usrset);
-u64 GetUnusedSize(u64 MediaSize, u8 CardType);
-int GetWriteableAddress(cci_settings *cciset, user_settings *usrset);
-int GetCardInfoBitmask(cci_settings *cciset, user_settings *usrset);
-
-int CheckMediaSize(cci_settings *cciset);
-
-static InternalCCI_Context ctx;
+
+#include "ncch_read.h"
+#include "exheader_read.h"
+#include "tik_read.h"
+#include "tmd_read.h"
+#include "cia_read.h"
+
+#include "ncsd_build.h"
+#include "cardinfo.h"
+#include "titleid.h"
+
+
 const int NCCH0_OFFSET = 0x4000;
+const int CCI_BLOCK_SIZE = 0x200;
+
+void ImportCciSettings(cci_settings *set, user_settings *usrset);
+void FreeCciSettings(cci_settings *set);
+int ImportCciNcch(cci_settings *set);
+int ProcessNcchForCci(cci_settings *set);
+int GenCciHdr(cci_settings *set);
+int CheckRomConfig(cci_settings *set);
+void WriteCciDataToOutput(cci_settings *set);
 
-// Code
 int build_CCI(user_settings *usrset)
 {
 	int result = 0;
-
-	// Init Settings
-	cci_settings *cciset = calloc(1,sizeof(cci_settings));
-	if(!cciset) {
-		fprintf(stderr,"[CCI ERROR] Not enough memory\n"); 
+	cci_settings *set = calloc(1,sizeof(cci_settings));
+	if(!set){
+		fprintf(stderr,"[CCI ERROR] Not enough memory\n");
 		return MEM_ERROR;
 	}
-	init_CCISettings(cciset);
+	ImportCciSettings(set,usrset);
 	
-	// Get Settings
-	result = get_CCISettings(cciset,usrset);
-	if(result) goto finish;
-
-	// Import Content
-	result = ImportNcchPartitions(cciset);
-	if(result) goto finish;
-
-	// Create Output File
-	cciset->out = fopen(usrset->common.outFileName,"wb");
-	if(!cciset->out){
-		fprintf(stderr,"[CCI ERROR] Failed to create '%s'\n",usrset->common.outFileName);
-		result = FAILED_TO_CREATE_OUTFILE;
+	if(ImportCciNcch(set)){
+		result = FAILED_TO_IMPORT_FILE;
+		goto finish;
+	}
+		
+	if(ProcessNcchForCci(set)){
+		result = FAILED_TO_IMPORT_FILE;
+		goto finish;
+	}
+	
+	if(GenCciHdr(set)){
+		result = GEN_HDR_FAIL;
+		goto finish;
+	}
+	
+	if(CheckRomConfig(set)){
+		result = CCI_CONFIG_FAIL;
+		goto finish;
+	}
+	
+	if(GenCardInfoHdr(set)){
+		result = GEN_HDR_FAIL;
 		goto finish;
 	}
-
-	// Generate NCSD Header and Additional Header
-	result = BuildCCIHeader(cciset,usrset);
-	if(result) goto finish;
-	BuildCardInfoHeader(cciset,usrset);
 	
-	// Write to File
-	WriteHeaderToFile(cciset);
-	result = WriteContentToFile(cciset,usrset);
-	if(result) 
+	set->out = fopen(usrset->common.outFileName,"wb");
+	if(!set->out){
+		fprintf(stderr,"[CCI ERROR] Failed to create '%s'\n",usrset->common.outFileName);
+		result = FAILED_TO_CREATE_OUTFILE;
 		goto finish;
+	}
 	
-	// Fill out file if necessary 
-	if(cciset->option.fillOutCci) 
-		WriteDummyBytes(cciset);
+	WriteCciDataToOutput(set);
 	
-	// Close output file
 finish:
-	if(result != FAILED_TO_CREATE_OUTFILE && cciset->out) fclose(cciset->out);
-	free_CCISettings(cciset);
+	FreeCciSettings(set);
 	return result;
 }
 
-
-int SignCCI(u8 *Signature, u8 *NCSD_HDR, keys_struct *keys)
-{
-	return ctr_sig(NCSD_HDR,sizeof(cci_hdr),Signature,keys->rsa.cciCfaPub,keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
-}
-
-int CheckCCISignature(u8 *Signature, u8 *NCSD_HDR, keys_struct *keys)
+void ImportCciSettings(cci_settings *set, user_settings *usrset)
 {
-	return ctr_sig(NCSD_HDR,sizeof(cci_hdr),Signature,keys->rsa.cciCfaPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
-}
-
-void init_CCISettings(cci_settings *set)
-{
-	memset(set,0,sizeof(cci_settings));
-	memset(&ctx,0,sizeof(InternalCCI_Context));
-}
-
-int get_CCISettings(cci_settings *cciset, user_settings *usrset)
-{
-	cciset->keys = &usrset->common.keys;
-	int result = 0;
-
-	/* Importing Data from Content */
-	result = CheckContent0(cciset,usrset);
-	if(result) return result;
-
-	result = GetDataFromContent0(cciset,usrset);
-	if(result) return result;
-
-	result = GetContentFP(cciset,usrset);
-	if(result) return result;
+	set->keys = &usrset->common.keys;
+	set->rsf = &usrset->common.rsfSet;
 	
-
-	/* Getting Data from YAML */
-	result = GetNCSDFlags(cciset,&usrset->common.rsfSet);
-	if(result) return result;
-
-	result = GetMediaSize(cciset,usrset);
-	if(result) return result;
-
-	result = CheckMediaSize(cciset);
-	if(result) return result;
-
-	/** Card Info Header Data **/
-	result = GetWriteableAddress(cciset,usrset);
-	if(result) return result;
-
-	result = GetCardInfoBitmask(cciset,usrset);
-	if(result) return result;
+	set->content.data = usrset->common.workingFile.buffer;
+	set->content.dataLen = usrset->common.workingFile.size;
+	set->content.dataType = usrset->common.workingFileType;
 	
-	result = ImportCverDetails(cciset,usrset);
-	if(result) return result;
-
-	/* All Done */
-	return 0;
+	set->content.path = usrset->common.contentPath;
+	set->content.dSize = usrset->common.contentSize;
+	
+	usrset->common.workingFile.buffer = NULL;
+	usrset->common.workingFile.size = 0;
+	
+	set->options.verbose = usrset->common.verbose;
+	set->options.padCci = set->rsf->Option.MediaFootPadding;
+	set->options.noModTid = usrset->cci.dontModifyNcchTitleID;
+	set->options.useExternalSdkCardInfo = usrset->cci.useSDKStockData;
+	set->options.closeAlignWR = usrset->cci.closeAlignWritableRegion;
+	
+	set->options.cverDataType = usrset->cci.cverDataType;
+	set->options.cverDataPath = usrset->cci.cverDataPath;
+	
+	set->romInfo.blockSize = CCI_BLOCK_SIZE;
+	set->romInfo.saveSize = 0;
 }
 
-void free_CCISettings(cci_settings *set)
+void FreeCciSettings(cci_settings *set)
 {
-	if(set->content.filePtrs){
-		for(int i = 1; i < 8; i++) {
-			if(set->content.filePtrs[i]) fclose(set->content.filePtrs[i]);
-		}
-		free(set->content.filePtrs);
-	}
+	free(set->options.tmdHdr);
+	free(set->content.data);
+	free(set->headers.ccihdr.buffer);
+	free(set->headers.cardinfohdr.buffer);
+	if(set->out)
+		fclose(set->out);
 	free(set);
 }
 
-int BuildCCIHeader(cci_settings *cciset, user_settings *usrset)
+int ImportNcchForCci(cci_settings *set)
 {
-	memcpy((u8*)ctx.cciHdr.magic,"NCSD",4);
-	u32_to_u8((u8*)ctx.cciHdr.mediaSize,(cciset->header.mediaSize/cciset->option.mediaUnit),LE); 
-	memcpy((u8*)ctx.cciHdr.titleId,cciset->header.mediaId,8);
-	memcpy((u8*)ctx.cciHdr.flags,cciset->header.flags,8);
-
-	// Content
-	for(int i = 0; i < 8; i++){
-		u32_to_u8((u8*)ctx.cciHdr.offset_sizeTable[i].offset,(cciset->content.offset[i]/cciset->option.mediaUnit),LE);
-		u32_to_u8((u8*)ctx.cciHdr.offset_sizeTable[i].size,(cciset->content.size[i]/cciset->option.mediaUnit),LE);
-		memcpy((u8*)ctx.cciHdr.contentIdTable[i],cciset->content.titleId[i],8);
-		ctx.cciHdr.contentFsType[i] = cciset->content.fsType[i];
-		ctx.cciHdr.contentCryptoType[i] = cciset->content.cryptoType[i];
-	}
-	
-	// Signature
-	if(SignCCI(ctx.signature,(u8*)&ctx.cciHdr,cciset->keys) != Good){
-		fprintf(stderr,"[CCI ERROR] Failed to sign CCI\n");
-		return CCI_SIG_FAIL;
+	for(int i = 0; i < CCI_MAX_CONTENT; i++){
+		if(i == 0){
+			set->content.active[i] = true;
+			set->content.dSize[i] = set->content.dataLen;
+			set->content.dOffset[i] = 0;
+		}
+		else if(set->content.dSize[i] && set->content.path[i]){
+			set->content.active[i] = true;
+			set->content.dOffset[i] = set->content.dataLen;
+			set->content.dataLen += set->content.dSize[i];
+		}
+		else
+			set->content.active[i] = false;
 	}
-	return 0;
-}
-
-int BuildCardInfoHeader(cci_settings *cciset, user_settings *usrset)
-{
-	u32_to_u8((u8*)ctx.cardinfo.writableAddress,(cciset->cardinfo.writableAddress/cciset->option.mediaUnit),LE); 
-	u32_to_u8((u8*)ctx.cardinfo.cardInfoBitmask,cciset->cardinfo.cardInfoBitmask,BE);
-	u32_to_u8((u8*)ctx.cardinfo.mediaSizeUsed,cciset->cardinfo.cciTotalSize,LE);
-	memcpy(ctx.cardinfo.cverTitleId,cciset->cardinfo.cverTitleId,8);
-	memcpy(ctx.cardinfo.cverTitleVersion,cciset->cardinfo.cverTitleVersion,2);
-	memcpy((u8*)ctx.cardinfo.ncch0TitleId,cciset->content.titleId[0],8);
-	memcpy((u8*)ctx.cardinfo.initialData,cciset->cardinfo.initialData,0x30);
-	memcpy((u8*)ctx.cardinfo.ncch0Hdr,&cciset->cardinfo.ncchHdr,0x100);
-	memcpy((u8*)ctx.devcardinfo.titleKey,cciset->cardinfo.titleKey,0x10);
 
-	return 0;
-}
-
-int ImportNcchPartitions(cci_settings *cciset)
-{
-	cciset->content.data->buffer = realloc(cciset->content.data->buffer,cciset->content.data->size);
-	if(!cciset->content.data->buffer){
+	set->content.data = realloc(set->content.data,set->content.dataLen);
+	if(!set->content.data){
 		fprintf(stderr,"[CCI ERROR] Not enough memory\n");
 		return MEM_ERROR;
 	}
 
-	ncch_hdr *ncch0hdr = (ncch_hdr*)(cciset->content.data->buffer+0x100);
+	FILE *ncch;
 	for(int i = 1; i < CCI_MAX_CONTENT; i++){
-		if(!cciset->content.size[i])
+		if(!set->content.active[i])
 			continue;
 
-		u8 *ncchpos = (u8*)(cciset->content.data->buffer+cciset->content.offset[i]-cciset->content.offset[0]);
+		u8 *ncchpos = (u8*)(set->content.data+set->content.dOffset[i]);
 
-		ReadFile_64(ncchpos, cciset->content.fileSize[i], 0, cciset->content.filePtrs[i]);
-		if(ModifyNcchIds(ncchpos, cciset->content.titleId[i], ncch0hdr->programId, cciset->keys) != 0)
-			return -1;
+		ncch = fopen(set->content.path[i],"rb");
+		
+		ReadFile64(ncchpos, set->content.dSize[i], 0, ncch);
+		
+		fclose(ncch);
 	}
+	
 	return 0;
 }
 
-void WriteCCIDummyData(cci_settings *cciset)
-{
-	// Creating Buffer of Dummy Bytes
-	u64 len = NCCH0_OFFSET - 0x1200;
-	u8 *dummy_bytes = malloc(len);
-	memset(dummy_bytes,0xff,len);
-	WriteBuffer(dummy_bytes,len,0x1200,cciset->out);	
-}
-
-void WriteDevCardInfoData(cci_settings *cciset)
-{
-	WriteBuffer((u8*)&ctx.devcardinfo,sizeof(devcardinfo_hdr),0x1200,cciset->out);	
-}
-
-int WriteHeaderToFile(cci_settings *cciset)
+bool CanCiaBeCci(u16 cat, u16 count, tmd_content_chunk *content)
 {
-	WriteBuffer(ctx.signature,0x100,0,cciset->out);
-	WriteBuffer((u8*)&ctx.cciHdr,sizeof(cci_hdr),0x100,cciset->out);
-	WriteBuffer((u8*)&ctx.cardinfo,sizeof(cardinfo_hdr),0x200,cciset->out);
-	if(cciset->option.useDevCardInfo)
-		WriteDevCardInfoData(cciset);
-	else
-		WriteCCIDummyData(cciset);
+	if(cat != PROGRAM_ID_CATEGORY_APPLICATION && cat != PROGRAM_ID_CATEGORY_SYSTEM_APPLICATION)
+		return false;
 		
-	return 0;
-}
-
-int WriteContentToFile(cci_settings *cciset,user_settings *usrset)
-{
-	// Write Content 0
-	WriteBuffer(cciset->content.data->buffer,cciset->content.data->size,NCCH0_OFFSET,cciset->out);
-	free(cciset->content.data->buffer);
-	cciset->content.data->buffer = NULL;
-	cciset->content.data->size = 0;
-	return 0;
+	if(count > CCI_MAX_CONTENT)
+		return false;
+		
+	for(int i = 0; i < count; i++){
+		if(GetTmdContentIndex(content[i]) >= CCI_MAX_CONTENT)
+			return false;
+	}
+	
+	return true;
 }
 
-int WriteDummyBytes(cci_settings *cciset)
+void GenRsfInputFromTmd(tmd_hdr *tmd, tmd_content_chunk *info, cci_settings *set)
 {
-	// Seeking end of CCI Data
-	fseek_64(cciset->out,cciset->cardinfo.cciTotalSize);
-
-	// Determining Size of Dummy Bytes
-	u64 len = cciset->header.mediaSize - cciset->cardinfo.cciTotalSize;
+	if(!set->rsf->CardInfo.MediaSize){
+		set->rsf->CardInfo.MediaSize = calloc(20,sizeof(char));
+		u64 contentSize = NCCH0_OFFSET;
+		u16 contentNum = GetTmdContentCount(tmd);
+		for(int i = 0; i < contentNum; i++)
+			contentSize += GetTmdContentSize(info[i]);
+		
+		if(contentSize < (u64)128*MB)
+			strcpy(set->rsf->CardInfo.MediaSize,"128MB");
+		else if(contentSize < (u64)256*MB)
+			strcpy(set->rsf->CardInfo.MediaSize,"256MB");
+		else if(contentSize < (u64)512*MB)
+			strcpy(set->rsf->CardInfo.MediaSize,"512MB");
+		else if(contentSize < (u64)1*GB)
+			strcpy(set->rsf->CardInfo.MediaSize,"1GB");
+		else if(contentSize < (u64)2*GB)
+			strcpy(set->rsf->CardInfo.MediaSize,"2GB");
+		else if(contentSize < (u64)4*GB)
+			strcpy(set->rsf->CardInfo.MediaSize,"4GB");
+		else if(contentSize < (u64)8*GB)
+			strcpy(set->rsf->CardInfo.MediaSize,"8GB");
+		else{
+			free(set->rsf->CardInfo.MediaSize);
+			set->rsf->CardInfo.MediaSize = NULL;
+		}
+		
+		if(set->options.verbose && set->rsf->CardInfo.MediaSize)
+			printf("[CCI] Auto generating RSF setting \"CardInfo/MediaSize: %s\" \n",set->rsf->CardInfo.MediaSize);
+	}
 	
-	// Creating Buffer of Dummy Bytes
-	u8 *dummy_bytes = malloc(cciset->option.mediaUnit);
-	memset(dummy_bytes,0xff,cciset->option.mediaUnit);
+	if(!set->rsf->CardInfo.MediaType){
+		set->rsf->CardInfo.MediaType = calloc(20,sizeof(char));
+		if(set->romInfo.saveSize < (u64)1*MB)
+			strcpy(set->rsf->CardInfo.MediaType,"Card1");
+		else
+			strcpy(set->rsf->CardInfo.MediaType,"Card2");
+			
+		if(set->options.verbose)
+			printf("[CCI] Auto generating RSF setting \"CardInfo/MediaType: %s\" \n",set->rsf->CardInfo.MediaType);
+	}
 	
-	// Writing Dummy Bytes to file
-	for(u64 i = 0; i < len; i += cciset->option.mediaUnit)
-		fwrite(dummy_bytes,cciset->option.mediaUnit,1,cciset->out);
+	if(!set->rsf->CardInfo.CardDevice){
+		set->rsf->CardInfo.CardDevice = calloc(20,sizeof(char));
+		if(set->romInfo.saveSize < (u64)1*MB && set->romInfo.saveSize > 0)
+			strcpy(set->rsf->CardInfo.CardDevice,"NorFlash");
+		else
+			strcpy(set->rsf->CardInfo.CardDevice,"None");
+			
+		if(set->options.verbose)
+			printf("[CCI] Auto generating RSF setting \"CardInfo/CardDevice: %s\" \n",set->rsf->CardInfo.CardDevice);
+	}
 	
-	return 0;
+	return;
 }
 
-int GetContentFP(cci_settings *cciset, user_settings *usrset)
+int ProcessCiaForCci(cci_settings *set)
 {
-	cciset->content.filePtrs = calloc(8,sizeof(FILE*));
-	if(!cciset->content.filePtrs){
-		fprintf(stderr,"[CCI ERROR] Not enough memory\n");
-		return MEM_ERROR;
+	if(!IsCia(set->content.data)){
+		fprintf(stderr,"[CCI ERROR] CIA is corrupt\n");
+		return FAILED_TO_IMPORT_FILE;
 	}
+		
+	tik_hdr *tik = GetTikHdr(GetCiaTik(set->content.data));
+	tmd_hdr *tmd = GetTmdHdr(GetCiaTmd(set->content.data));
+	tmd_content_chunk *contentInfo = GetTmdContentInfo(GetCiaTmd(set->content.data));
+	u64 contentOffset = GetCiaContentOffset((cia_hdr*)set->content.data);
 	
-	for(int i = 1; i < 8; i++){
-		if(usrset->common.contentPath[i]){
-			if(!AssertFile(usrset->common.contentPath[i])){ // Checking if file could be opened
-				fprintf(stderr,"[CCI ERROR] Failed to open '%s'\n",usrset->common.contentPath[i]);
-				return FAILED_TO_OPEN_FILE;
-			}
-
-			cciset->content.fileSize[i] = GetFileSize_u64(usrset->common.contentPath[i]);
-			cciset->content.filePtrs[i] = fopen(usrset->common.contentPath[i],"rb");
-			/*
-			if(!cciset->content.filePtrs[i]){ // Checking if file could be opened
-				fprintf(stderr,"[CCI ERROR] Failed to open '%s'\n",usrset->common.contentPath[i]);
-				return FAILED_TO_OPEN_FILE;
-			}
-			*/
-			if(!IsNCCH(cciset->content.filePtrs[i],NULL)){ // Checking if NCCH
-				fprintf(stderr,"[CCI ERROR] Content '%s' is invalid\n",usrset->common.contentPath[i]);
-				return NCSD_INVALID_NCCH;
+	u16 titleCat = (GetTmdTitleId(tmd) >> 32) & 0xffff;
+	u16 contentCount = GetTmdContentCount(tmd);
+	set->romInfo.saveSize = GetTmdSaveSize(tmd);
+	if(set->romInfo.saveSize > 0 && set->romInfo.saveSize < (u64)(128*KB))
+		set->romInfo.saveSize = (u64)(128*KB);
+	else if(set->romInfo.saveSize > (u64)(128*KB) && set->romInfo.saveSize < (u64)(512*KB))
+		set->romInfo.saveSize = (u64)(512*KB);
+	else if(set->romInfo.saveSize > (u64)(512*KB))
+		set->romInfo.saveSize = align(set->romInfo.saveSize,MB);
+	
+	if(!CanCiaBeCci(titleCat,contentCount,contentInfo)){
+		fprintf(stderr,"[CCI ERROR] This CIA cannot be converted to CCI\n");
+		return INCOMPAT_CIA;
+	}
+	
+	GenRsfInputFromTmd(tmd,contentInfo,set);
+	
+	bool canDecrypt;
+	u8 titleKey[AES_128_KEY_SIZE];
+	canDecrypt = GetTikTitleKey(titleKey,tik,set->keys);
+	if(set->options.verbose){
+		if(canDecrypt)
+			memdump(stdout,"[CCI] CIA title key: ",titleKey,AES_128_KEY_SIZE);
+		else
+			fprintf(stdout,"[CCI] CIA title key could not be decrypted\n");
+	}
+	
+	for(u16 i = 0; i < contentCount; i++){
+		u16 index = GetTmdContentIndex(contentInfo[i]);
+		set->content.active[index] = true;
+		set->content.dOffset[index] = contentOffset;
+		set->content.dSize[index] = GetTmdContentSize(contentInfo[i]);
+		u8 *content = set->content.data + contentOffset;
+		if(IsTmdContentEncrypted(contentInfo[i])){
+			if(canDecrypt){
+				CryptContent(content,content,set->content.dSize[index],titleKey,i,DEC);
 			}
-			
-			// Getting NCCH Header
-			ncch_hdr *hdr = malloc(sizeof(ncch_hdr));
-			GetNCCH_CommonHDR(hdr,cciset->content.filePtrs[i],NULL);
-			
-			if(usrset->cci.dontModifyNcchTitleID)
-				memcpy(&cciset->content.titleId[i], hdr->titleId, 8);
 			else{
-				memcpy(&cciset->content.titleId[i], cciset->header.mediaId, 8); // Set TitleID			
-				u16_to_u8(&cciset->content.titleId[i][6], (i+4), LE);
-			}
-
-			u64 contentSize = (u64)GetNCCH_MediaSize(hdr)* (u64)GetNCCH_MediaUnitSize(hdr);
-			if(contentSize != cciset->content.fileSize[i]){
-				fprintf(stderr,"[CCI ERROR] Content '%s' is corrupt\n",usrset->common.contentPath[i]);
-				return NCSD_INVALID_NCCH;
+				fprintf(stderr,"[CCI ERROR] Failed to decrypt CIA content: 0x%08x\n",GetTmdContentId(contentInfo[i]));
+				return INCOMPAT_CIA;
 			}
-
-			cciset->content.size[i] =  align(contentSize,cciset->option.mediaUnit);
-			cciset->content.offset[i] = cciset->cardinfo.cciTotalSize;
-			
-			cciset->content.data->size += cciset->content.size[i];
-			cciset->cardinfo.cciTotalSize += cciset->content.size[i];
-			
-			free(hdr);
 		}
+		if(!ValidateTmdContent(content,contentInfo[i])){
+			fprintf(stderr,"[CCI ERROR] CIA content: 0x%08x is corrupt\n",GetTmdContentId(contentInfo[i]));
+			return NCSD_INVALID_NCCH;
+		}
+		
+		contentOffset += set->content.dSize[index];
 	}
+	
 	return 0;
 }
 
-int CheckContent0(cci_settings *cciset, user_settings *usrset)
+int ImportCciNcch(cci_settings *set)
 {
-	if(!usrset->common.workingFile.buffer || !usrset->common.workingFile.size) 
-		return NCSD_NO_NCCH0;
-	cciset->content.data = &usrset->common.workingFile;
+	if(set->content.dataType == infile_ncch)
+		return ImportNcchForCci(set);
+	else if(set->content.dataType == infile_cia)
+		return ProcessCiaForCci(set);
+	else
+		fprintf(stderr,"[CCI ERROR] Unrecognised input data type\n");
 	
-	if(!IsNCCH(NULL,cciset->content.data->buffer)) 
-		return NCSD_INVALID_NCCH0;
+	if(set->rsf->SystemControlInfo.SaveDataSize)
+		GetSaveDataSizeFromString(&set->romInfo.saveSize,set->rsf->SystemControlInfo.SaveDataSize,"CCI");
 	
-	return 0;
+	return FAILED_TO_IMPORT_FILE;
 }
 
-int GetDataFromContent0(cci_settings *cciset, user_settings *usrset)
-{	
-	cciset->cardinfo.cciTotalSize = NCCH0_OFFSET; 
-	ncch_hdr *hdr;
+int ProcessCverDataForCci(cci_settings *set)
+{
+	u64 tmdSize,tmdOffset;
 	
-	hdr = GetNCCH_CommonHDR(NULL,NULL,cciset->content.data->buffer);
+	u64 dataSize = GetFileSize64(set->options.cverDataPath);
+	FILE *data = fopen(set->options.cverDataPath,"rb");
 	
-	memcpy(&cciset->cardinfo.ncchHdr,hdr,sizeof(ncch_hdr));
 	
-	u16 ncch_format_ver = u8_to_u16(hdr->formatVersion,LE);
-	if(ncch_format_ver > 2){
-		fprintf(stderr,"[CCI ERROR] NCCH type %d not supported\n",ncch_format_ver);
-		return FAILED_TO_IMPORT_FILE;
-	}
-
-	//memdump(stdout,"ncch0 head: ",(cciset->ncch0+0x100),0x100);
-	//memdump(stdout,"ncch0 head: ",(u8*)(hdr),0x100);
+	if(set->options.cverDataType == CVER_DTYPE_CIA){
+		cia_hdr *ciaHdr = calloc(1,sizeof(cia_hdr));
+		ReadFile64(ciaHdr,sizeof(cia_hdr),0,data);
 	
-	memcpy(cciset->header.mediaId,hdr->titleId,8);
-	memcpy(&cciset->content.titleId[0],hdr->titleId,8);
-	if(usrset->cci.useSDKStockData){
-		memcpy(cciset->cardinfo.initialData,stock_initial_data,0x30);
-		memcpy(cciset->cardinfo.titleKey,stock_title_key,0x10);
-		cciset->option.useDevCardInfo = true;
+		tmdSize = GetCiaTmdSize(ciaHdr);
+		tmdOffset = GetCiaTmdOffset(ciaHdr);
+		
+		free(ciaHdr);
 	}
 	else{
-		rndset(cciset->cardinfo.initialData,0x2c);
-		//rndset(cciset->cardinfo.titleKey,0x10);
-		//cciset->option.useDevCardInfo = true;
+		tmdSize = dataSize;
+		tmdOffset = 0;
 	}
 	
-	cciset->header.flags[MediaUnitSize] = hdr->flags[ContentUnitSize];
-	cciset->option.mediaUnit = GetNCCH_MediaUnitSize(hdr);
+	u8 *tmd = calloc(1,tmdSize);
+	
+	ReadFile64(tmd,tmdSize,tmdOffset,data);
+	fclose(data);
 	
-	cciset->content.size[0] = (u64)(GetNCCH_MediaSize(hdr) * cciset->option.mediaUnit);
-	cciset->content.offset[0] = cciset->cardinfo.cciTotalSize;
+	tmd_hdr *tmdHdr = GetTmdHdr(tmd);
+	if(!tmdHdr){
+		fprintf(stderr,"[CCI ERROR] Corrupt cver TMD\n");
+		free(tmd);
+		return FAILED_TO_IMPORT_FILE;
+	}
+	
+	set->options.tmdHdr = calloc(1,sizeof(tmd_hdr));
+	memcpy(set->options.tmdHdr,tmdHdr,sizeof(tmd_hdr));
 	
-	cciset->content.data->size = cciset->content.size[0];
-	cciset->cardinfo.cciTotalSize += cciset->content.size[0];
+	free(tmd);
+
 	return 0;
 }
 
-int GetMediaSize(cci_settings *cciset, user_settings *usrset)
+void GetNewNcchIdForCci(u8 *newTid, u8 *srcTid, u8 index, tmd_hdr *tmdHdr)
 {
-	char *mediaSizeStr = usrset->common.rsfSet.CardInfo.MediaSize;
-	if(!mediaSizeStr) cciset->header.mediaSize = (u64)GB*2;
-	else{
-		if(strcasecmp(mediaSizeStr,"128MB") == 0) cciset->header.mediaSize = (u64)MB*128;
-		else if(strcasecmp(mediaSizeStr,"256MB") == 0) cciset->header.mediaSize = (u64)MB*256;
-		else if(strcasecmp(mediaSizeStr,"512MB") == 0) cciset->header.mediaSize = (u64)MB*512;
-		else if(strcasecmp(mediaSizeStr,"1GB") == 0) cciset->header.mediaSize = (u64)GB*1;
-		else if(strcasecmp(mediaSizeStr,"2GB") == 0) cciset->header.mediaSize = (u64)GB*2;
-		else if(strcasecmp(mediaSizeStr,"4GB") == 0) cciset->header.mediaSize = (u64)GB*4;
-		else if(strcasecmp(mediaSizeStr,"8GB") == 0) cciset->header.mediaSize = (u64)GB*8;
-		else if(strcasecmp(mediaSizeStr,"16GB") == 0) cciset->header.mediaSize = (u64)GB*16;
-		else if(strcasecmp(mediaSizeStr,"32GB") == 0) cciset->header.mediaSize = (u64)GB*32;
-		else {
-			fprintf(stderr,"[CCI ERROR] Invalid MediaSize: %s\n",mediaSizeStr);
-			return INVALID_YAML_OPT;
-		}
+	u64 titleId = u8_to_u64(srcTid,LE) & 0xffffffffffff;
+	if(tmdHdr && index == 7)
+		titleId |= (u64)(GetTmdVersion(tmdHdr)) << 48;
+	else
+		titleId |= (u64)(index+4) << 48;
+		
+	u64_to_u8(newTid,titleId,LE);
+}
+
+int ProcessNcchForCci(cci_settings *set)
+{
+	u8 *ncch;
+	ncch_hdr *hdr;
+	
+	u8 titleId[8];
+	u8 srcId[8];
+	
+	if(set->options.cverDataPath && set->content.active[7]){
+		if(ProcessCverDataForCci(set))
+			return FAILED_TO_IMPORT_FILE;
 	}
 	
-	cciset->option.fillOutCci = usrset->common.rsfSet.Option.MediaFootPadding;
+	for(int i = 0; i < CCI_MAX_CONTENT; i++){
+		if(set->content.active[i]){
+			ncch = set->content.data + set->content.dOffset[i];
+			if(!IsNcch(NULL,ncch)){
+				fprintf(stderr,"[CCI ERROR] NCCH %d is corrupt\n",i);
+				return NCSD_INVALID_NCCH;
+			}
+			hdr = (ncch_hdr*)ncch;
+			if(i > 0 && !set->options.noModTid){
+				if(set->options.verbose){
+					printf("[CCI] Modifying NCCH %d IDs\n",i);
+					printf("[Old Ids]\n");
+					memdump(stdout," > TitleId:   0x",hdr->titleId,8);
+					memdump(stdout," > ProgramId: 0x",hdr->programId,8);
+				}
+				GetNewNcchIdForCci(titleId,srcId,i,set->options.tmdHdr);
+				if(ModifyNcchIds(ncch, titleId, srcId, set->keys))
+					return -1;
+				if(set->options.verbose){
+					printf("[New Ids]\n");
+					memdump(stdout," > TitleId:   0x",hdr->titleId,8);
+					memdump(stdout," > ProgramId: 0x",hdr->programId,8);
+				}
+			}
+			set->content.titleId[i] = u8_to_u64(hdr->titleId,LE);
+			if(i == 0)
+				memcpy(srcId,hdr->titleId,8);
+		}
+	}
 	
 	return 0;
 }
 
-u64 GetUnusedSize(u64 MediaSize, u8 CardType)
-{
-	if(CardType == CARD1){
-		switch(MediaSize){
-			case (u64)MB*128: return (u64)2621440;
-			case (u64)MB*256: return (u64)5242880;
-			case (u64)MB*512: return (u64)10485760;
-			case (u64)GB*1: return (u64)73924608;
-			case (u64)GB*2: return (u64)147324928;
-			case (u64)GB*4: return (u64)294649856;
-			case (u64)GB*8: return (u64)587202560;
-			//default: return (u64)((MediaSize/MB)*0x11800); // Aprox
-			default: return 0;
-		}
-	}
-	else if(CardType == CARD2){
-		switch(MediaSize){
-			case (u64)MB*512: return (u64)37224448;
-			case (u64)GB*1: return (u64)73924608;
-			case (u64)GB*2: return (u64)147324928;
-			case (u64)GB*4: return (u64)294649856;
-			case (u64)GB*8: return (u64)587202560;
-			//default: return (u64)((MediaSize/MB)*0x11800); // Aprox
-			default: return 0;
+int SetMediaSize(u8 *mediaSize, cci_settings *set)
+{	
+	char *str = set->rsf->CardInfo.MediaSize;
+	if(!str) 
+		set->romInfo.mediaSize = (u64)GB*2;
+	else{
+		if(strcasecmp(str,"128MB") == 0) set->romInfo.mediaSize = (u64)MB*128;
+		else if(strcasecmp(str,"256MB") == 0) set->romInfo.mediaSize = (u64)MB*256;
+		else if(strcasecmp(str,"512MB") == 0) set->romInfo.mediaSize = (u64)MB*512;
+		else if(strcasecmp(str,"1GB") == 0) set->romInfo.mediaSize = (u64)GB*1;
+		else if(strcasecmp(str,"2GB") == 0) set->romInfo.mediaSize = (u64)GB*2;
+		else if(strcasecmp(str,"4GB") == 0) set->romInfo.mediaSize = (u64)GB*4;
+		else if(strcasecmp(str,"8GB") == 0) set->romInfo.mediaSize = (u64)GB*8;
+		//else if(strcasecmp(str,"16GB") == 0) set->romInfo.mediaSize = (u64)GB*16;
+		//else if(strcasecmp(str,"32GB") == 0) set->romInfo.mediaSize = (u64)GB*32;
+		else {
+			fprintf(stderr,"[CCI ERROR] Invalid MediaSize: %s\n",str);
+			return INVALID_RSF_OPT;
 		}
 	}
+		
+	u32_to_u8(mediaSize,(set->romInfo.mediaSize/set->romInfo.blockSize),LE);
+
 	return 0;
 }
 
-int GetNCSDFlags(cci_settings *cciset, rsf_settings *yaml)
+int SetBackupWriteWaitTime(u8 *flag, rsf_settings *rsf)
 {
-	/* BackupWriteWaitTime */
-	cciset->header.flags[FW6x_BackupWriteWaitTime] = 0;
-	if(yaml->CardInfo.BackupWriteWaitTime){
-		u32 WaitTime = strtoul(yaml->CardInfo.BackupWriteWaitTime,NULL,0);
-		if(WaitTime > 255){
-			fprintf(stderr,"[CCI ERROR] Invalid Card BackupWriteWaitTime (%d) : must 0-255\n",WaitTime);
-			return EXHDR_BAD_YAML_OPT;
+	char *str = rsf->CardInfo.BackupWriteWaitTime;
+	if(!str)
+		*flag = 0;
+	else{
+		u32 waitTime = strtoul(str,NULL,0);
+		if(waitTime > 255){
+			fprintf(stderr,"[CCI ERROR] Invalid Card BackupWriteWaitTime (%d) : must 0-255\n",waitTime);
+			return INVALID_RSF_OPT;
 		}
-		cciset->header.flags[FW6x_BackupWriteWaitTime] = (u8)WaitTime;
+		*flag = (u8)waitTime;
 	}
+	
+	return 0;
+}
+
+int SetMediaType(u8 *flag, cci_settings *set)
+{
+	char *str = set->rsf->CardInfo.MediaType;
 
-	/* MediaType */
-	if(!yaml->CardInfo.MediaType) cciset->header.flags[MediaTypeIndex] = CARD1;
+	if(!str) 
+		*flag = mediatype_CARD1;
 	else{
-		if(strcasecmp(yaml->CardInfo.MediaType,"Card1") == 0) cciset->header.flags[MediaTypeIndex] = CARD1;
-		else if(strcasecmp(yaml->CardInfo.MediaType,"Card2") == 0) cciset->header.flags[MediaTypeIndex] = CARD2;
+		if(strcasecmp(str,"Card1") == 0) 
+			*flag = mediatype_CARD1;
+		else if(strcasecmp(str,"Card2") == 0)
+			*flag = mediatype_CARD2;
 		else {
-			fprintf(stderr,"[CCI ERROR] Invalid MediaType: %s\n",yaml->CardInfo.MediaType);
-			return INVALID_YAML_OPT;
+			fprintf(stderr,"[CCI ERROR] Invalid MediaType: %s\n",str);
+			return INVALID_RSF_OPT;
 		}
 	}
+	
+	return 0;
+}
 
-	/* Platform */
-	cciset->header.flags[MediaPlatformIndex] = CTR;
-
+int SetCardDevice(u8 *flags, u64 saveSize, rsf_settings *rsf)
+{
 	u8 saveCrypto;
 
-	if(!yaml->CardInfo.SaveCrypto) saveCrypto = 3;
+	if(!rsf->CardInfo.SaveCrypto) 
+		saveCrypto = 3;
 	else{
-		if(strcasecmp(yaml->CardInfo.SaveCrypto,"fw1") == 0 || strcasecmp(yaml->CardInfo.SaveCrypto,"ctr fail") == 0 ) saveCrypto = 1;
-		else if(strcasecmp(yaml->CardInfo.SaveCrypto,"fw2") == 0) saveCrypto = 2;
-		else if(strcasecmp(yaml->CardInfo.SaveCrypto,"fw3") == 0) saveCrypto = 3;
-		else if(strcasecmp(yaml->CardInfo.SaveCrypto,"fw6") == 0) saveCrypto = 6;
+		if(strcasecmp(rsf->CardInfo.SaveCrypto,"fw1") == 0 || strcasecmp(rsf->CardInfo.SaveCrypto,"ctr fail") == 0 ) saveCrypto = 1;
+		else if(strcasecmp(rsf->CardInfo.SaveCrypto,"fw2") == 0) saveCrypto = 2;
+		else if(strcasecmp(rsf->CardInfo.SaveCrypto,"fw3") == 0) saveCrypto = 3;
+		else if(strcasecmp(rsf->CardInfo.SaveCrypto,"fw6") == 0) saveCrypto = 6;
 		else {
-			fprintf(stderr,"[CCI ERROR] Invalid SaveCrypto: %s\n",yaml->CardInfo.SaveCrypto);
-			return INVALID_YAML_OPT;
+			fprintf(stderr,"[CCI ERROR] Invalid SaveCrypto: %s\n",rsf->CardInfo.SaveCrypto);
+			return INVALID_RSF_OPT;
 		}
 	}
 	
 
 	/* FW6x SaveCrypto */
-	cciset->header.flags[FW6x_SaveCryptoFlag] = saveCrypto == 6;
+	if(saveCrypto == 6)
+		flags[cciflag_FW6_SAVE_CRYPTO] = 1;
+	else
+		flags[cciflag_FW6_SAVE_CRYPTO] = 0;
 
 	/* CardDevice */
-	if(saveCrypto > 1){
-		u8 flag = CardDeviceFlag;
-		if(saveCrypto == 2) flag = OldCardDeviceFlag;
-		if(!yaml->CardInfo.CardDevice) cciset->header.flags[flag] = CARD_DEVICE_NONE;
-		else{
-			if(strcmp(yaml->CardInfo.CardDevice,"NorFlash") == 0) {
-				cciset->header.flags[flag] = CARD_DEVICE_NOR_FLASH;
-				if(cciset->header.flags[MediaTypeIndex] == CARD2){
-					fprintf(stderr,"[CCI WARNING] 'CardDevice: NorFlash' is invalid on Card2\n");
-					cciset->header.flags[flag] = CARD_DEVICE_NONE;
-				}
-			}
-			else if(strcmp(yaml->CardInfo.CardDevice,"None") == 0) cciset->header.flags[flag] = CARD_DEVICE_NONE;
-			else if(strcmp(yaml->CardInfo.CardDevice,"BT") == 0) cciset->header.flags[flag] = CARD_DEVICE_BT;
-			else {
-				fprintf(stderr,"[CCI ERROR] Invalid CardDevice: %s\n",yaml->CardInfo.CardDevice);
-				return INVALID_YAML_OPT;
-			}
+	u8 cardDevice = 0;
+	if(!rsf->CardInfo.CardDevice) 
+		cardDevice = carddevice_NONE;
+	else{
+		if(strcmp(rsf->CardInfo.CardDevice,"NorFlash") == 0)
+			cardDevice = carddevice_NOR_FLASH;
+		else if(strcmp(rsf->CardInfo.CardDevice,"None") == 0) 
+			cardDevice = carddevice_NONE;
+		else if(strcmp(rsf->CardInfo.CardDevice,"BT") == 0) 
+			cardDevice = carddevice_BT;
+		else {
+			fprintf(stderr,"[CCI ERROR] Invalid CardDevice: %s\n",rsf->CardInfo.CardDevice);
+			return INVALID_RSF_OPT;
 		}
 	}
-	return 0;
-}
-
-int GetWriteableAddress(cci_settings *cciset, user_settings *usrset)
-{
-	int result = GetSaveDataSizeFromString(&cciset->option.savedataSize,usrset->common.rsfSet.SystemControlInfo.SaveDataSize,"CCI");
-	if(result) return result;
-
-	char *WriteableAddressStr = usrset->common.rsfSet.CardInfo.WritableAddress;
-	
-	cciset->cardinfo.writableAddress = -1;
-	if(cciset->header.flags[MediaTypeIndex] != CARD2) return 0; // Can only be set for Card2 Media
-	
-	if(WriteableAddressStr){
-		if(strncmp(WriteableAddressStr,"0x",2) != 0){
-			fprintf(stderr,"[CCI ERROR] WritableAddress requires a Hexadecimal value\n");
-			return INVALID_YAML_OPT;
-		}	
-		cciset->cardinfo.writableAddress = strtoull(WriteableAddressStr,NULL,16);
-	}
-	if(cciset->cardinfo.writableAddress == -1){ // If not set manually or is max size
-		if ((cciset->header.mediaSize / 2) < cciset->option.savedataSize){ // If SaveData size is greater than half the MediaSize
-			u64 SavedataSize = cciset->option.savedataSize / KB;
-			fprintf(stderr,"[CCI ERROR] Too large SavedataSize %lldK\n",SavedataSize);
-			return SAVE_DATA_TOO_LARGE;
-		}
-		if (cciset->option.savedataSize > (u64)(2047*MB)){ // Limit set by Nintendo
-			u64 SavedataSize = cciset->option.savedataSize / KB;
-			fprintf(stderr,"[CCI ERROR] Too large SavedataSize %lldK\n",SavedataSize);
-			return SAVE_DATA_TOO_LARGE;
+	
+	if(flags[cciflag_MEDIA_TYPE] == mediatype_CARD1){
+		if(saveSize != (u64)(128*KB) && saveSize != (u64)(512*KB) && cardDevice == carddevice_NOR_FLASH){
+			fprintf(stderr,"[CCI ERROR] 'CardDevice: NorFlash' can only be used with save-data sizes: 128K & 512K\n");
+			return INVALID_RSF_OPT;
 		}
-		if(usrset->cci.closeAlignWritableRegion)
-			cciset->cardinfo.writableAddress = align(cciset->cardinfo.cciTotalSize, cciset->option.mediaUnit); // invalid for "real" chips
-		else{
-			u64 UnusedSize = GetUnusedSize(cciset->header.mediaSize,cciset->header.flags[MediaTypeIndex]); // Some value related to the physical implementation of gamecards
-			if(UnusedSize > 0)
-				cciset->cardinfo.writableAddress = cciset->header.mediaSize - UnusedSize - cciset->option.savedataSize; // Nintendo's method for calculating writable region offset
-			else{
-				fprintf(stderr,"[CCI WARNING] Nintendo has no CARD2 writable region configurations for this media size, writable region will be aligned to last ncch partition\n");
-				cciset->cardinfo.writableAddress = align(cciset->cardinfo.cciTotalSize, cciset->option.mediaUnit); // invalid for "real" chips
-			}
+	}
+	if(flags[cciflag_MEDIA_TYPE] == mediatype_CARD2){
+		if(cardDevice == carddevice_NOR_FLASH){
+			fprintf(stderr,"[CCI WARNING] 'CardDevice: NorFlash' is invalid for Card2\n");
+			cardDevice = carddevice_NONE;
 		}
 	}
+	
+	if(saveCrypto > 1)
+		flags[saveCrypto == 2? cciflag_CARD_DEVICE_OLD : cciflag_CARD_DEVICE] = cardDevice;
+	
 	return 0;
 }
 
-int GetCardInfoBitmask(cci_settings *cciset, user_settings *usrset)
+int SetCciFlags(u8 *flags, cci_settings *set)
 {
-	char *str = usrset->common.rsfSet.CardInfo.CardType;
-	if(!str) cciset->cardinfo.cardInfoBitmask |= 0;
-	else{
-		if(strcasecmp(str,"s1") == 0) cciset->cardinfo.cardInfoBitmask |= 0;
-		else if(strcasecmp(str,"s2") == 0) cciset->cardinfo.cardInfoBitmask |= 0x20;
-		else {
-			fprintf(stderr,"[CCI ERROR] Invalid CardType: %s\n",str);
-			return INVALID_YAML_OPT;
-		}
-	}
+	// Backup Write Wait Time
+	if(SetBackupWriteWaitTime(&flags[cciflag_BACKUP_WRITE_WAIT_TIME], set->rsf))
+		return INVALID_RSF_OPT;
+	// Platform
+	flags[cciflag_MEDIA_PLATFORM] = cciplatform_CTR;
+	// Card Type
+	if(SetMediaType(&flags[cciflag_MEDIA_TYPE], set))
+		return INVALID_RSF_OPT;
+	// Media Unit
+	flags[cciflag_MEDIA_BLOCK_SIZE] = GetCtrBlockSizeFlag(set->romInfo.blockSize);
+	// Card Device
+	if(SetCardDevice(flags, set->romInfo.saveSize, set->rsf))
+		return INVALID_RSF_OPT;
 	
-	str = usrset->common.rsfSet.CardInfo.CryptoType;
-	if(!str) cciset->cardinfo.cardInfoBitmask |= 0;//(3*0x40);
-	else{
-		int Value = strtol(str,NULL,10);
-		if(Value < 0 || Value > 3) {
-			fprintf(stderr,"[CCI ERROR] Invalid CryptoType: %s\n",str);
-			return INVALID_YAML_OPT;
-		}
-		if(Value != 3){
-			fprintf(stderr,"[CCI WARNING] Card crypto type = '%d'\n",Value);
-		}
-		cciset->cardinfo.cardInfoBitmask |= (Value*0x40);
-	}
+	set->romInfo.mediaType = flags[cciflag_MEDIA_TYPE];
+	set->romInfo.cardDevice = flags[cciflag_CARD_DEVICE] | flags[cciflag_CARD_DEVICE_OLD];
 	
 	return 0;
 }
 
-int ImportCverDetails(cci_settings *cciset, user_settings *usrset)
+void SetCciNcchInfo(cci_hdr *hdr, cci_settings *set)
 {
-	if(!usrset->cci.cverCiaPath){
-		memset(cciset->cardinfo.cverTitleId,0,8);
-		memset(cciset->cardinfo.cverTitleVersion,0,2);
-		return 0;
-	}
-	if(!cciset->content.size[7]){
-		fprintf(stderr,"[CCI WARNING] Update Partition (content 7) is not specified, cver details will not be set\n");
-		memset(cciset->cardinfo.cverTitleId,0,8);
-		memset(cciset->cardinfo.cverTitleVersion,0,2);
-		return 0;
-	}
+	u64 ncchSize,ncchOffset;
 	
-	if(!AssertFile(usrset->cci.cverCiaPath)){
-		fprintf(stderr,"[CCI ERROR] Failed to open \"%s\"\n",usrset->cci.cverCiaPath);
-		return FAILED_TO_IMPORT_FILE;
+	ncchOffset = NCCH0_OFFSET;
+	
+	for(int i = 0; i < CCI_MAX_CONTENT; i++){
+		if(set->content.active[i]){
+			set->content.cOffset[i] = ncchOffset;
+			ncchSize = align(set->content.dSize[i],set->romInfo.blockSize);
+			
+			u32_to_u8(hdr->offset_sizeTable[i].offset,(ncchOffset/set->romInfo.blockSize),LE);
+			u32_to_u8(hdr->offset_sizeTable[i].size,(ncchSize/set->romInfo.blockSize),LE);
+			u64_to_u8(hdr->ncchIdTable[i],set->content.titleId[i],LE);
+			
+			ncchOffset += ncchSize;
+		}
 	}
-	FILE *cia = fopen(usrset->cci.cverCiaPath,"rb");
-	cia_hdr *ciaHdr = calloc(1,sizeof(cia_hdr));
-	ReadFile_64(ciaHdr,sizeof(cia_hdr),0,cia);
 	
-	u64 tmdSize = GetTmdSize(ciaHdr);
-	u64 tmdOffset = GetTmdOffset(ciaHdr);
-	u8 *tmd = calloc(1,tmdSize);
-	ReadFile_64(tmd,tmdSize,tmdOffset,cia);
-	tmd_hdr *tmdHdr = GetTmdHdr(tmd);
-	//memdump(stdout,"tmd: ",(u8*)tmdHdr,sizeof(tmd_hdr));
-
+	set->romInfo.usedSize = ncchOffset;
+	
+	return;
+}
 
-	endian_memcpy(cciset->cardinfo.cverTitleId,tmdHdr->titleID,8,LE);
-	endian_memcpy(cciset->cardinfo.cverTitleVersion,tmdHdr->titleVersion,2,LE);
 
-	if(!usrset->cci.dontModifyNcchTitleID)
-		endian_memcpy(&cciset->content.titleId[7][6],tmdHdr->titleVersion,2,LE);
+int GenCciHdr(cci_settings *set)
+{
+	set->headers.ccihdr.size = sizeof(cci_hdr);
+	set->headers.ccihdr.buffer = calloc(1,set->headers.ccihdr.size);
+	if(!set->headers.ccihdr.buffer){
+		set->headers.ccihdr.size = 0;
+		fprintf(stderr,"[CCI ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
 	
-	fclose(cia);
-	free(ciaHdr);
-	free(tmd);
+	cci_hdr *hdr = (cci_hdr*)set->headers.ccihdr.buffer;
+	
+	// Magic & TitleId
+	memcpy(hdr->magic,"NCSD",4);
+	u64_to_u8(hdr->titleId,set->content.titleId[0],LE);
+	
+	
+	if(SetMediaSize(hdr->mediaSize,set))
+		return GEN_HDR_FAIL;
+	if(SetCciFlags(hdr->flags,set))
+		return GEN_HDR_FAIL;
+	SetCciNcchInfo(hdr,set);
+	
+	// Sign Header
+	ctr_sig(&hdr->magic,sizeof(cci_hdr)-RSA_2048_KEY_SIZE,hdr->signature,set->keys->rsa.cciCfaPub,set->keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	
+	return 0;
+}
 
+int CheckRomConfig(cci_settings *set)
+{
+	u64 cciUsedSize;
+	if(set->romInfo.mediaType == mediatype_CARD2)
+		cciUsedSize = set->romInfo.card2SaveOffset + set->romInfo.saveSize;
+	else
+		cciUsedSize = set->romInfo.usedSize;
+		
+	if(cciUsedSize > set->romInfo.mediaSize){
+		char *str = set->rsf->CardInfo.MediaSize;
+		if(!str)
+			str = "2GB";
+			
+		fprintf(stderr,"[CCI ERROR] MediaSize '%s' is insufficient for the CCI data\n",str);
+		return CCI_CONFIG_FAIL;
+	}
 	return 0;
 }
 
-int CheckMediaSize(cci_settings *cciset)
+void WriteCciDataToOutput(cci_settings *set)
 {
-	if(cciset->cardinfo.cciTotalSize > cciset->header.mediaSize){
-		char *MediaSizeStr = NULL;
-		switch(cciset->header.mediaSize){
-			case (u64)128*MB: MediaSizeStr = " '128MB'"; break;
-			case (u64)256*MB: MediaSizeStr = " '256MB'"; break;
-			case (u64)512*MB: MediaSizeStr = " '512MB'"; break;
-			case (u64)1*GB: MediaSizeStr = " '1GB'"; break;
-			case (u64)2*GB: MediaSizeStr = " '2GB'"; break;
-			case (u64)4*GB: MediaSizeStr = " '4GB'"; break;
-			case (u64)8*GB: MediaSizeStr = " '8GB'"; break;
-			case (u64)16*GB: MediaSizeStr = " '16GB'"; break;
-			case (u64)32*GB: MediaSizeStr = " '32GB'"; break;
-			default:  MediaSizeStr = ""; break;
+	// NCSD Header
+	WriteBuffer(set->headers.ccihdr.buffer, set->headers.ccihdr.size, 0, set->out);
+	// Card Info Header
+	WriteBuffer(set->headers.cardinfohdr.buffer, set->headers.cardinfohdr.size, set->headers.ccihdr.size, set->out);
+	
+	// Dummy data between header and first NCCH
+	u64 len = set->content.cOffset[0] - (set->headers.ccihdr.size + set->headers.cardinfohdr.size);
+	u8 *dummy_data = malloc(len);
+	if(set->headers.cardinfohdr.size > sizeof(cardinfo_hdr)) // additional debug header data exists
+		memset(dummy_data, 0x00, len);
+	else // normal production cci image
+		memset(dummy_data, 0xff, len);
+	WriteBuffer(dummy_data, len, (set->headers.ccihdr.size + set->headers.cardinfohdr.size),set->out);	
+	free(dummy_data);
+	
+	// NCCH Partitions
+	u8 *ncch;
+	for(int i = 0; i < CCI_MAX_CONTENT; i++){
+		if(set->content.active[i]){
+			ncch = set->content.data + set->content.dOffset[i];
+			WriteBuffer(ncch, set->content.dSize[i], set->content.cOffset[i], set->out);
 		}
-		fprintf(stderr,"[CCI ERROR] MediaSize%s is too Small\n",MediaSizeStr);
-		return INVALID_YAML_OPT;
+	}	
+	
+	// Cci Padding
+	if(set->options.padCci){
+		fseek_64(set->out,set->romInfo.usedSize);
+
+		// Determining Size of Padding
+		u64 len = set->romInfo.mediaSize - set->romInfo.usedSize;
+		
+		// Create Padding chunk
+		u8 *pad = malloc(set->romInfo.blockSize);
+		memset(pad,0xff,set->romInfo.blockSize);
+		
+		// Writing Dummy Bytes to file
+		for(u64 i = 0; i < len; i += set->romInfo.blockSize)
+			fwrite(pad,set->romInfo.blockSize,1,set->out);
+			
+		free(pad);
 	}
-	return 0;
+	
+	return;
 }
 
 bool IsCci(u8 *ncsd)
 {
-	cci_hdr *hdr = (cci_hdr*)(ncsd+0x100);
+	cci_hdr *hdr = (cci_hdr*)ncsd;
 	if(!hdr) return false;
 	if(memcmp(hdr->magic,"NCSD",4)!=0) return false;
-	if(hdr->flags[MediaPlatformIndex] != CTR) return false;
-	if(hdr->flags[MediaTypeIndex] != CARD1 && hdr->flags[MediaTypeIndex] != CARD2) return false;
+	if(hdr->flags[cciflag_MEDIA_PLATFORM] != cciplatform_CTR) return false;
+	if(hdr->flags[cciflag_MEDIA_TYPE] != mediatype_CARD1 && hdr->flags[cciflag_MEDIA_TYPE] != mediatype_CARD2) return false;
 
 	return true;
 }
 
-u8* GetPartition(u8 *ncsd, u8 index)
-{
-	return (u8*)(ncsd+GetPartitionOffset(ncsd,index));
-}
-
-
 u64 GetPartitionOffset(u8 *ncsd, u8 index)
 {
-	cci_hdr *hdr = (cci_hdr*)(ncsd+0x100);
-	u32 media_size = 0x200*pow(2,hdr->flags[MediaUnitSize]);
+	cci_hdr *hdr = (cci_hdr*)ncsd;
+	u32 media_size = 1 << (hdr->flags[cciflag_MEDIA_BLOCK_SIZE] + 9);
 	u32 offset = u8_to_u64(hdr->offset_sizeTable[index].offset,LE);
-	return offset*media_size;
+	return (u64)offset*(u64)media_size;
 }
 
 u64 GetPartitionSize(u8 *ncsd, u8 index)
 {
-	cci_hdr *hdr = (cci_hdr*)(ncsd+0x100);
-	u32 media_size = 0x200*pow(2,hdr->flags[MediaUnitSize]);
+	cci_hdr *hdr = (cci_hdr*)ncsd;
+	u32 media_size = 1 << (hdr->flags[cciflag_MEDIA_BLOCK_SIZE] + 9);
 	u32 size = u8_to_u64(hdr->offset_sizeTable[index].size,LE);
-	return size*media_size;
+	return (u64)size*(u64)media_size;
 }
+
+u8* GetPartition(u8 *ncsd, u8 index)
+{
+	return ncsd + GetPartitionOffset(ncsd,index);
+}
\ No newline at end of file
diff --git a/makerom/ncsd.h b/makerom/ncsd.h
index d86a1bb0..3b20f657 100644
--- a/makerom/ncsd.h
+++ b/makerom/ncsd.h
@@ -1,199 +1,54 @@
 #pragma once
 
-// Enums
 typedef enum
 {
-	NCSD_NO_NCCH0 = -1,
-	NCSD_INVALID_NCCH0 = -2,
-	NCSD_INVALID_NCCH = -3,
-	INVALID_YAML_OPT = -4,
-	CCI_SIG_FAIL = -5,
-	
-} ncsd_errors;
+	cciflag_BACKUP_WRITE_WAIT_TIME = 0,
+	cciflag_FW6_SAVE_CRYPTO = 1,
+	cciflag_CARD_DEVICE = 3,
+	cciflag_MEDIA_PLATFORM = 4,
+	cciflag_MEDIA_TYPE = 5,
+	cciflag_MEDIA_BLOCK_SIZE = 6,
+	cciflag_CARD_DEVICE_OLD = 7
+} cci_flagindex;
 
 typedef enum
 {
-	FW6x_BackupWriteWaitTime = 0,
-	FW6x_SaveCryptoFlag = 1,
-	CardDeviceFlag = 3,
-	MediaPlatformIndex = 4,
-	MediaTypeIndex = 5,
-	MediaUnitSize = 6,
-	OldCardDeviceFlag = 7
-} FlagIndex;
+	carddevice_NOR_FLASH = 1,
+	carddevice_NONE = 2,
+	carddevice_BT = 3
+} cci_carddevice;
 
 typedef enum
 {
-	CARD_DEVICE_NOR_FLASH = 1,
-	CARD_DEVICE_NONE = 2,
-	CARD_DEVICE_BT = 3
-} _CardDevice;
+	cciplatform_CTR = 1,
+} cci_platform;
 
 typedef enum
 {
-	CTR = 1,
-} _PlatformIndex;
-
-typedef enum
-{
-	INNER_DEVICE,
-	CARD1,
-	CARD2,
-	EXTENDED_DEVICE
-} _TypeIndex;
+	mediatype_INNER_DEVICE, // NAND
+	mediatype_CARD1,
+	mediatype_CARD2,
+	mediatype_EXTENDED_DEVICE
+} cci_mediatype;
 
 // Structs
 typedef struct
 {
 	u8 offset[4];
 	u8 size[4];
-} partition_offsetsize;
-
-typedef struct
-{
-	u8 magic[4];
-	u8 mediaSize[4];
-	u8 titleId[8];
-	u8 partitionsFsType[8];
-	u8 partitionsCryptoType[8];
-	partition_offsetsize offset_sizeTable[8];
-	u8 exhdrHash[0x20];
-	u8 additionalHdrSize[0x4];
-	u8 sectorZeroOffset[0x4];
-	u8 partitionFlags[8];
-	u8 partitionIdTable[8][8];
-	u8 padding[0x30];
-} ncsd_hdr;
+} ncch_offsetsize;
 
 typedef struct
 {
+	u8 signature[0x100];
 	u8 magic[4];
 	u8 mediaSize[4];
 	u8 titleId[8];
-	u8 contentFsType[8];
-	u8 contentCryptoType[8];
-	partition_offsetsize offset_sizeTable[8];
-	u8 padding0[0x28];
+	u8 padding0[0x10];
+	ncch_offsetsize offset_sizeTable[8];
+	u8 padding1[0x28];
 	u8 flags[8];
-	u8 contentIdTable[8][8];
-	u8 padding1[0x30];
+	u8 ncchIdTable[8][8];
+	u8 padding2[0x30];
 } cci_hdr;
 
-typedef struct
-{
-	u8 writableAddress[4];
-	u8 cardInfoBitmask[4];
-	// Notes: reserved[0xDF8];
-	u8 reserved0[0xf8];
-	u8 mediaSizeUsed[8];
-	u8 reserved1[0x8];
-	u8 unknown[0x4];
-	u8 reserved2[0xc];
-	u8 cverTitleId[8];
-	u8 cverTitleVersion[2];
-	u8 reserved3[0xcd6];
-	//
-	u8 ncch0TitleId[8];
-	u8 reserved4[8];
-	u8 initialData[0x30];
-	u8 reserved5[0xc0];
-	u8 ncch0Hdr[0x100];
-} cardinfo_hdr;
-
-typedef struct
-{
-	u8 cardDeviceReserved1[0x200];
-	u8 titleKey[0x10];
-	u8 cardDeviceReserved2[0xf0];
-} devcardinfo_hdr;
-
-typedef struct
-{
-	u8 signature[0x100];
-	cci_hdr cciHdr;
-	cardinfo_hdr cardinfo;
-	devcardinfo_hdr devcardinfo;
-} InternalCCI_Context;
-
-typedef struct
-{
-	FILE *out;
-	keys_struct *keys;
-
-	struct{
-		bool fillOutCci;
-		bool useDevCardInfo;
-		u32 mediaUnit;
-
-		u64 savedataSize;
-	} option;
-
-	struct{
-		/* Data */
-		buffer_struct *data;
-
-		/* Misc Records */
-		FILE **filePtrs;
-		u64 fileSize[CCI_MAX_CONTENT];
-		u16 count;
-
-		/* Details for NCSD header */
-		u8 fsType[CCI_MAX_CONTENT];
-		u8 cryptoType[CCI_MAX_CONTENT];
-		u64 offset[CCI_MAX_CONTENT];
-		u64 size[CCI_MAX_CONTENT];
-		u8 titleId[CCI_MAX_CONTENT][8];
-	} content;
-
-	struct{
-		u64 mediaSize;
-		u8 mediaId[8];
-		u8 flags[8];
-	} header;
-	
-	struct{
-		u64 writableAddress;
-		u32 cardInfoBitmask;
-
-		u64 cciTotalSize;
-
-		// cver details
-		u8 cverTitleId[8];
-		u8 cverTitleVersion[2];
-
-		u8 initialData[0x30];
-		ncch_hdr ncchHdr;
-		u8 titleKey[0x10];
-	} cardinfo;
-} cci_settings;
-
-#ifndef PUBLIC_BUILD
-static const u8 stock_initial_data[0x30] = 
-{
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0xAD, 0x88, 
-	0xAC, 0x41, 0xA2, 0xB1, 0x5E, 0x8F, 
-	0x66, 0x9C, 0x97, 0xE5, 0xE1, 0x5E, 
-	0xA3, 0xEB, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-static const u8 stock_title_key[0x10] = 
-{
-	0x6E, 0xC7, 0x5F, 0xB2, 0xE2, 0xB4, 
-	0x87, 0x46, 0x1E, 0xDD, 0xCB, 0xB8, 
-	0x97, 0x11, 0x92, 0xBA
-};
-#endif
-
-// Public Prototypes
-// Build Functions
-int build_CCI(user_settings *usrset);
-
-// Read Functions
-bool IsCci(u8 *ncsd);
-u8* GetPartition(u8 *ncsd, u8 index);
-u64 GetPartitionOffset(u8 *ncsd, u8 index);
-u64 GetPartitionSize(u8 *ncsd, u8 index);
\ No newline at end of file
diff --git a/makerom/ncsd_build.h b/makerom/ncsd_build.h
new file mode 100644
index 00000000..35d2677e
--- /dev/null
+++ b/makerom/ncsd_build.h
@@ -0,0 +1,72 @@
+#pragma once
+#include "ncsd.h"
+#include "tmd_read.h"
+
+
+// Enums
+typedef enum
+{
+	NCSD_NO_NCCH0 = -1,
+	NCSD_INVALID_NCCH0 = -2,
+	NCSD_INVALID_NCCH = -3,
+	INVALID_RSF_OPT = -4,
+	GEN_HDR_FAIL = -5,
+	INCOMPAT_CIA = -6,
+	CCI_CONFIG_FAIL = -7,
+} ncsd_errors;
+
+typedef struct
+{
+	rsf_settings *rsf;
+	keys_struct *keys;
+	
+	FILE *out;
+	
+	struct{
+		bool verbose;
+		bool padCci;
+		bool noModTid;
+		bool useExternalSdkCardInfo;
+		bool closeAlignWR;
+		
+		u8 cverDataType;
+		char *cverDataPath;
+		tmd_hdr *tmdHdr;
+	} options;
+	
+	struct{
+		u32 blockSize;
+	
+		u64 mediaSize;
+		u64 usedSize;
+		
+		u8 mediaType;
+		u8 cardDevice;
+		u64 saveSize;
+		u64 card2SaveOffset;
+	} romInfo;
+	
+	struct{
+		u8 *data;
+		u64 dataLen;
+		infile_type dataType;
+	
+		char **path;
+	
+		bool active[CCI_MAX_CONTENT];
+		u64 dOffset[CCI_MAX_CONTENT];
+		u64 *dSize;
+		u64 titleId[CCI_MAX_CONTENT];
+		
+		u64 cOffset[CCI_MAX_CONTENT];
+	} content;
+	
+	struct{
+		buffer_struct ccihdr;
+		buffer_struct cardinfohdr;
+	} headers;
+} cci_settings;
+
+// Public Prototypes
+// Build Functions
+int build_CCI(user_settings *usrset);
\ No newline at end of file
diff --git a/makerom/ncsd_read.h b/makerom/ncsd_read.h
new file mode 100644
index 00000000..ac152e35
--- /dev/null
+++ b/makerom/ncsd_read.h
@@ -0,0 +1,8 @@
+#pragma once
+#include "ncsd.h"
+
+// Read Functions
+bool IsCci(u8 *ncsd);
+u8* GetPartition(u8 *ncsd, u8 index);
+u64 GetPartitionOffset(u8 *ncsd, u8 index);
+u64 GetPartitionSize(u8 *ncsd, u8 index);
\ No newline at end of file
diff --git a/makerom/dpki.h b/makerom/pki/dev.h
similarity index 99%
rename from makerom/dpki.h
rename to makerom/pki/dev.h
index 867a7076..db7d9761 100644
--- a/makerom/dpki.h
+++ b/makerom/pki/dev.h
@@ -1,7 +1,7 @@
 #pragma once
 
 #ifdef PKI_LEGACY
-#include "dpki_legacy.h"
+#include "pki/dev_legacy.h"
 #endif
 
 // AES KEYS
diff --git a/makerom/dpki_legacy.h b/makerom/pki/dev_legacy.h
similarity index 100%
rename from makerom/dpki_legacy.h
rename to makerom/pki/dev_legacy.h
diff --git a/makerom/ppki.h b/makerom/pki/prod.h
similarity index 99%
rename from makerom/ppki.h
rename to makerom/pki/prod.h
index 41380edc..6935a951 100644
--- a/makerom/ppki.h
+++ b/makerom/pki/prod.h
@@ -1,7 +1,7 @@
 #pragma once
 
 #ifdef PKI_LEGACY
-#include "ppki_legacy.h"
+#include "pki/prod_legacy.h"
 #endif
 
 // AES KEYS
@@ -13,8 +13,7 @@ static const unsigned char prod_unfixed_ncch_keyX[2][16] = // Dummy
 
 static const unsigned char ctr_common_etd_keyX_ppki[16] = // Dummy
 {
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
 static const unsigned char ctr_common_etd_keyY_ppki[6][16] =
diff --git a/makerom/ppki_legacy.h b/makerom/pki/prod_legacy.h
similarity index 100%
rename from makerom/ppki_legacy.h
rename to makerom/pki/prod_legacy.h
diff --git a/makerom/tpki.h b/makerom/pki/test.h
similarity index 100%
rename from makerom/tpki.h
rename to makerom/pki/test.h
diff --git a/makerom/romfs.c b/makerom/romfs.c
index b09a2cdb..64190c44 100644
--- a/makerom/romfs.c
+++ b/makerom/romfs.c
@@ -1,8 +1,8 @@
 #include "lib.h"
 #include "dir.h"
-#include "ncch.h"
+#include "ncch_build.h"
 #include "romfs.h"
-#include "romfs_binary.h"
+#include "romfs_gen.h"
 #include "romfs_import.h"
 
 void FreeRomFsCtx(romfs_buildctx *ctx);
diff --git a/makerom/romfs_binary.c b/makerom/romfs_gen.c
similarity index 98%
rename from makerom/romfs_binary.c
rename to makerom/romfs_gen.c
index b9cc1f02..49718950 100644
--- a/makerom/romfs_binary.c
+++ b/makerom/romfs_gen.c
@@ -1,6 +1,6 @@
 #include "lib.h"
 #include "dir.h"
-#include "ncch.h"
+#include "ncch_build.h"
 #include "romfs.h"
 
 const int ROMFS_BLOCK_SIZE = 0x1000;
@@ -75,7 +75,10 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	
 	// Print Filtered FS
 	//printf("print filtered FS\n");
-	//fs_PrintDir(ctx->fs,0);
+	if(ncchset->options.verbose){
+		printf("[ROMFS] File System:\n");
+		fs_PrintDir(ctx->fs,0);
+	}
 	
 	//printf("predict romfs size\n");
 	CalcRomfsSize(ctx);
@@ -349,7 +352,7 @@ int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 		u64_to_u8(entry->dataoffset,ctx->u_dataLen,LE);
 		u64_to_u8(entry->datasize,file->size,LE);
 		u8 *data_pos = (ctx->data + ctx->u_dataLen);
-		ReadFile_64(data_pos,file->size,0,file->fp);
+		ReadFile64(data_pos,file->size,0,file->fp);
 		ctx->u_dataLen += file->size; // adding file size
 	}
 	else
diff --git a/makerom/romfs_binary.h b/makerom/romfs_gen.h
similarity index 100%
rename from makerom/romfs_binary.h
rename to makerom/romfs_gen.h
diff --git a/makerom/romfs_import.c b/makerom/romfs_import.c
index f4dd71b9..48d68f64 100644
--- a/makerom/romfs_import.c
+++ b/makerom/romfs_import.c
@@ -1,6 +1,6 @@
 #include "lib.h"
 #include "dir.h"
-#include "ncch.h"
+#include "ncch_build.h"
 #include "romfs.h"
 
 int PrepareImportRomFsBinaryFromFile(ncch_settings *ncchset, romfs_buildctx *ctx)
@@ -11,7 +11,7 @@ int PrepareImportRomFsBinaryFromFile(ncch_settings *ncchset, romfs_buildctx *ctx
 
 	ivfc_hdr *hdr = calloc(1,sizeof(ivfc_hdr));
 
-	ReadFile_64(hdr,sizeof(ivfc_hdr),0,ctx->romfsBinary);
+	ReadFile64(hdr,sizeof(ivfc_hdr),0,ctx->romfsBinary);
 	if(memcmp(hdr->magic,"IVFC",4) != 0){
 		fprintf(stderr,"[ROMFS ERROR] Invalid RomFS Binary.\n");
 		return INVALID_ROMFS_FILE;
@@ -24,7 +24,7 @@ int PrepareImportRomFsBinaryFromFile(ncch_settings *ncchset, romfs_buildctx *ctx
 
 int ImportRomFsBinaryFromFile(romfs_buildctx *ctx)
 {
-	ReadFile_64(ctx->output,ctx->romfsSize,0,ctx->romfsBinary);
+	ReadFile64(ctx->output,ctx->romfsSize,0,ctx->romfsBinary);
 	if(memcmp(ctx->output,"IVFC",4) != 0){
 		fprintf(stderr,"[ROMFS ERROR] Invalid RomFS Binary.\n");
 		return INVALID_ROMFS_FILE;
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index 84c3edc6..aa7e9388 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -56,7 +56,7 @@ void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf)
 		//else if(cmpYamlValue("NoPadding",ctx)) SetBoolYAMLValue(&rsf->Option.NoPadding,"NoPadding",ctx);
 		else if(cmpYamlValue("EnableCrypt",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCrypt,"EnableCrypt",ctx);
 		else if(cmpYamlValue("EnableCompress",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCompress,"EnableCompress",ctx);
-		else if(cmpYamlValue("FreeProductCode",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCompress,"FreeProductCode",ctx);
+		else if(cmpYamlValue("FreeProductCode",ctx)) SetBoolYAMLValue(&rsf->Option.FreeProductCode,"FreeProductCode",ctx);
 		else if(cmpYamlValue("UseOnSD",ctx)) SetBoolYAMLValue(&rsf->Option.UseOnSD,"UseOnSD",ctx);
 		else if(cmpYamlValue("PageSize",ctx)) SetSimpleYAMLValue(&rsf->Option.PageSize,"PageSize",ctx,0);
 		//else if(cmpYamlValue("AppendSystemCall",ctx)) rsf->Option.AppendSystemCallNum = SetYAMLSequence(&rsf->Option.AppendSystemCall,"AppendSystemCall",ctx);
diff --git a/makerom/tik.c b/makerom/tik.c
index ba95e232..352d5565 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -1,6 +1,6 @@
 #include "lib.h"
-#include "cia.h"
-#include "tik.h"
+#include "cia_build.h"
+#include "tik_build.h"
 
 // Private Prototypes
 int SetupTicketBuffer(buffer_struct *tik);
@@ -99,3 +99,34 @@ void SetContentIndexData(tik_hdr *hdr, cia_settings *ciaset) // TODO?
 	memset(hdr->contentIndex,0,0xAC);
 	memcpy(hdr->contentIndex,default_contentIndex,0x30);
 }
+
+tik_hdr *GetTikHdr(u8 *tik)
+{
+	u32 sigType = u8_to_u32(tik,BE);
+
+	switch(sigType){
+		case(RSA_4096_SHA1):
+		case(RSA_4096_SHA256):
+			return (tik_hdr*)(tik+0x240);
+		case(RSA_2048_SHA1):
+		case(RSA_2048_SHA256):
+			return (tik_hdr*)(tik+0x140);
+		case(ECC_SHA1):
+		case(ECC_SHA256):
+			return (tik_hdr*)(tik+0x7C);
+	}
+
+	return NULL;
+}
+
+bool GetTikTitleKey(u8 *titleKey, tik_hdr *hdr, keys_struct *keys)
+{
+	if(keys->aes.commonKey[hdr->keyId] == NULL)
+		return false;
+		
+	keys->aes.currentCommonKey = hdr->keyId;
+	
+	CryptTitleKey(hdr->encryptedTitleKey, titleKey, hdr->titleId, keys, DEC);
+	
+	return true;
+}
\ No newline at end of file
diff --git a/makerom/tik.h b/makerom/tik.h
index d6d6b1e3..d8b7c054 100644
--- a/makerom/tik.h
+++ b/makerom/tik.h
@@ -1,15 +1,5 @@
 #pragma once
 
-static const unsigned char default_contentIndex[0x30] =
-{
-	0x00, 0x01, 0x00, 0x14, 0x00, 0x00, 0x00, 0xAC, 
-	0x00, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x14, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 
-	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x84, 
-	0x00, 0x00, 0x00, 0x84, 0x00, 0x03, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
-};
-
 typedef enum
 {
 	lic_Permanent = 0,
@@ -63,6 +53,5 @@ typedef struct
 	u8 contentIndex[0xAC];
 } tik_hdr;
 
-// Prototypes
-int BuildTicket(cia_settings *ciaset);
-int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *keys, u8 mode);
\ No newline at end of file
+
+
diff --git a/makerom/tik_build.h b/makerom/tik_build.h
new file mode 100644
index 00000000..ecea0222
--- /dev/null
+++ b/makerom/tik_build.h
@@ -0,0 +1,16 @@
+#pragma once
+#include "tik.h"
+
+static const unsigned char default_contentIndex[0x30] =
+{
+	0x00, 0x01, 0x00, 0x14, 0x00, 0x00, 0x00, 0xAC, 
+	0x00, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x14, 
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 
+	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x84, 
+	0x00, 0x00, 0x00, 0x84, 0x00, 0x03, 0x00, 0x00, 
+	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
+};
+
+// Prototypes
+int BuildTicket(cia_settings *ciaset);
+int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *keys, u8 mode);
\ No newline at end of file
diff --git a/makerom/tik_read.h b/makerom/tik_read.h
new file mode 100644
index 00000000..ab4c6e12
--- /dev/null
+++ b/makerom/tik_read.h
@@ -0,0 +1,5 @@
+#pragma once
+#include "tik.h"
+
+tik_hdr *GetTikHdr(u8 *tik);
+bool GetTikTitleKey(u8 *titleKey, tik_hdr *hdr, keys_struct *keys);
\ No newline at end of file
diff --git a/makerom/titleid.c b/makerom/titleid.c
index 071b13ee..d4479c42 100644
--- a/makerom/titleid.c
+++ b/makerom/titleid.c
@@ -1,5 +1,5 @@
 #include "lib.h"
-#include "ncch.h"
+#include "ncch_read.h"
 #include "titleid.h"
 
 void SetPIDType(u16 *type);
@@ -22,7 +22,7 @@ int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 	u8 variation;
 
 	if(rsf->TitleInfo.Category && rsf->TitleInfo.CategoryFlags){
-		fprintf(stderr,"[ID ERROR] Can not set \"Cateory\" and \"CategoryFlags\" at the same time.\n");
+		fprintf(stderr,"[ID ERROR] Can not set \"Category\" and \"CategoryFlags\" at the same time.\n");
 		return PID_BAD_RSF_SET;
 	}
 
diff --git a/makerom/tmd.c b/makerom/tmd.c
index 173c1e44..e81f6688 100644
--- a/makerom/tmd.c
+++ b/makerom/tmd.c
@@ -1,6 +1,6 @@
 #include "lib.h"
-#include "cia.h"
-#include "tmd.h"
+#include "cia_build.h"
+#include "tmd_build.h"
 
 // Private Prototypes
 int SetupTMDBuffer(buffer_struct *tik);
@@ -85,11 +85,96 @@ int SetupTMDContentRecord(u8 *content_record, cia_settings *ciaset)
 {
 	for(int i = 0; i < ciaset->content.count; i++){
 		tmd_content_chunk *ptr = (tmd_content_chunk*)(content_record+sizeof(tmd_content_chunk)*i);
-		u32_to_u8(ptr->contentID,ciaset->content.id[i],BE);
-		u16_to_u8(ptr->contentIndex,ciaset->content.index[i],BE);
-		u16_to_u8(ptr->contentFlags,ciaset->content.flags[i],BE);
-		u64_to_u8(ptr->contentSize,ciaset->content.size[i],BE);
-		memcpy(ptr->contentHash,ciaset->content.hash[i],0x20);
+		u32_to_u8(ptr->id,ciaset->content.id[i],BE);
+		u16_to_u8(ptr->index,ciaset->content.index[i],BE);
+		u16_to_u8(ptr->flags,ciaset->content.flags[i],BE);
+		u64_to_u8(ptr->size,ciaset->content.size[i],BE);
+		memcpy(ptr->hash,ciaset->content.hash[i],0x20);
 	}
 	return 0;
+}
+
+tmd_hdr *GetTmdHdr(u8 *tmd)
+{
+	u32 sigType = u8_to_u32(tmd,BE);
+
+	switch(sigType){
+		case(RSA_4096_SHA1):
+		case(RSA_4096_SHA256):
+			return (tmd_hdr*)(tmd+0x240);
+		case(RSA_2048_SHA1):
+		case(RSA_2048_SHA256):
+			return (tmd_hdr*)(tmd+0x140);
+		case(ECC_SHA1):
+		case(ECC_SHA256):
+			return (tmd_hdr*)(tmd+0x7C);
+	}
+
+	return NULL;
+}
+
+tmd_content_chunk* GetTmdContentInfo(u8 *tmd)
+{
+	tmd_hdr *hdr = GetTmdHdr(tmd);
+	if(!hdr)
+		return NULL;
+		
+	return (tmd_content_chunk*)((u8*)hdr + sizeof(tmd_hdr) + (sizeof(tmd_content_info_record)*64));
+}
+
+u64 GetTmdTitleId(tmd_hdr *hdr)
+{
+	return u8_to_u64(hdr->titleID,BE);
+}
+
+u32 GetTmdSaveSize(tmd_hdr *hdr)
+{
+	return u8_to_u32(hdr->savedataSize,BE);
+}
+
+u16 GetTmdContentCount(tmd_hdr *hdr)
+{
+	return u8_to_u16(hdr->contentCount,BE);
+}
+
+u16 GetTmdVersion(tmd_hdr *hdr)
+{
+	return u8_to_u16(hdr->titleVersion,BE);
+}
+
+u32 GetTmdContentId(tmd_content_chunk info)
+{
+	return u8_to_u32(info.id,BE);
+}
+
+u16 GetTmdContentIndex(tmd_content_chunk info)
+{
+	return u8_to_u16(info.index,BE);
+}
+
+u16 GetTmdContentFlags(tmd_content_chunk info)
+{
+	return u8_to_u16(info.flags,BE);
+}
+
+u64 GetTmdContentSize(tmd_content_chunk info)
+{
+	return u8_to_u64(info.size,BE);
+}
+
+u8* GetTmdContentHash(tmd_content_chunk *info)
+{
+	return (u8*)info->hash;
+}
+
+bool IsTmdContentEncrypted(tmd_content_chunk info)
+{
+	return  (GetTmdContentFlags(info) & content_Encrypted) == content_Encrypted;
+}
+
+bool ValidateTmdContent(u8 *data, tmd_content_chunk info)
+{
+	u8 hash[32];
+	ctr_sha(data,GetTmdContentSize(info),hash,CTR_SHA_256);
+	return memcmp(hash,GetTmdContentHash(&info),32) == 0;
 }
\ No newline at end of file
diff --git a/makerom/tmd.h b/makerom/tmd.h
index 6f16e024..db24cdbc 100644
--- a/makerom/tmd.h
+++ b/makerom/tmd.h
@@ -15,11 +15,11 @@ typedef enum
 
 typedef struct
 {
-	u8 contentID[4];
-	u8 contentIndex[2];
-	u8 contentFlags[2];
-	u8 contentSize[8];
-	u8 contentHash[0x20]; // SHA 256
+	u8 id[4];
+	u8 index[2];
+	u8 flags[2];
+	u8 size[8];
+	u8 hash[0x20]; // SHA 256
 } tmd_content_chunk;
 
 typedef struct
@@ -58,11 +58,4 @@ typedef struct
 	u8 bootContent[2];
 	u8 padding3[2];
 	u8 infoRecordHash[0x20]; // SHA-256
-} tmd_hdr;
-
-// Prototypes
-u32 PredictTMDSize(u16 ContentCount);
-int BuildTMD(cia_settings *ciaset);
-
-// Read TMD
-tmd_hdr *GetTmdHdr(u8 *tmd);
\ No newline at end of file
+} tmd_hdr;
\ No newline at end of file
diff --git a/makerom/tmd_build.h b/makerom/tmd_build.h
new file mode 100644
index 00000000..52c7bb6b
--- /dev/null
+++ b/makerom/tmd_build.h
@@ -0,0 +1,6 @@
+#pragma once
+#include "tmd.h"
+
+// Prototypes
+u32 PredictTMDSize(u16 ContentCount);
+int BuildTMD(cia_settings *ciaset);
diff --git a/makerom/tmd_read.c b/makerom/tmd_read.c
deleted file mode 100644
index 54276478..00000000
--- a/makerom/tmd_read.c
+++ /dev/null
@@ -1,22 +0,0 @@
-#include "lib.h"
-#include "cia.h"
-#include "tmd.h"
-
-tmd_hdr *GetTmdHdr(u8 *tmd)
-{
-	u32 sigType = u8_to_u32(tmd,BE);
-
-	switch(sigType){
-		case(RSA_4096_SHA1):
-		case(RSA_4096_SHA256):
-			return (tmd_hdr*)(tmd+0x240);
-		case(RSA_2048_SHA1):
-		case(RSA_2048_SHA256):
-			return (tmd_hdr*)(tmd+0x140);
-		case(ECC_SHA1):
-		case(ECC_SHA256):
-			return (tmd_hdr*)(tmd+0x7C);
-	}
-
-	return NULL;
-}
\ No newline at end of file
diff --git a/makerom/tmd_read.h b/makerom/tmd_read.h
new file mode 100644
index 00000000..e09f4713
--- /dev/null
+++ b/makerom/tmd_read.h
@@ -0,0 +1,19 @@
+#pragma once
+#include "tmd.h"
+
+// Read TMD
+tmd_hdr *GetTmdHdr(u8 *tmd);
+tmd_content_chunk* GetTmdContentInfo(u8 *tmd);
+u64 GetTmdTitleId(tmd_hdr *hdr);
+u32 GetTmdSaveSize(tmd_hdr *hdr);
+u16 GetTmdContentCount(tmd_hdr *hdr);
+u16 GetTmdVersion(tmd_hdr *hdr);
+
+u32 GetTmdContentId(tmd_content_chunk info);
+u16 GetTmdContentIndex(tmd_content_chunk info);
+u16 GetTmdContentFlags(tmd_content_chunk info);
+u64 GetTmdContentSize(tmd_content_chunk info);
+u8* GetTmdContentHash(tmd_content_chunk info);
+
+bool IsTmdContentEncrypted(tmd_content_chunk info);
+bool ValidateTmdContent(u8 *data, tmd_content_chunk info);
\ No newline at end of file
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 2486c4c8..423278bf 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -10,9 +10,9 @@ void PrintArgInvalid(char *arg);
 void PrintArgReqParam(char *arg, u32 paramNum);
 void PrintNoNeedParam(char *arg);
 
-int ParseArgs(int argc, char *argv[], user_settings *usr_settings)
+int ParseArgs(int argc, char *argv[], user_settings *set)
 {
-	if(argv == NULL || usr_settings == NULL)
+	if(argv == NULL || set == NULL)
 		return USR_PTR_PASS_FAIL;
 		
 	if(argc < 2){
@@ -29,26 +29,23 @@ int ParseArgs(int argc, char *argv[], user_settings *usr_settings)
 	}
 	
 	// Allocating Memory for Content Path Ptrs
-	usr_settings->common.contentPath = calloc(CIA_MAX_CONTENT,sizeof(char*));
-	if(usr_settings->common.contentPath == NULL){
+	set->common.contentPath = calloc(CIA_MAX_CONTENT,sizeof(char*));
+	if(set->common.contentPath == NULL){
 		fprintf(stderr,"[SETTING ERROR] Not Enough Memory\n");
 		return USR_MEM_ERROR;
 	}
 	
 	// Initialise Keys
-	InitKeys(&usr_settings->common.keys);
+	InitKeys(&set->common.keys);
 
 	// Setting Defaults
-	SetDefaults(usr_settings);
+	SetDefaults(set);
 	
 	// Parsing Arguments
-#ifdef DEBUG
-	fprintf(stdout,"[DEBUG] Parsing Args\n");
-#endif
 	int set_result;
 	int i = 1;
 	while(i < argc){
-		set_result = SetArgument(argc,i,argv,usr_settings);
+		set_result = SetArgument(argc,i,argv,set);
 		if(set_result < 1){
 			fprintf(stderr,"[RESULT] Invalid arguments, see '%s -help'\n",argv[0]);
 			return set_result;
@@ -57,39 +54,30 @@ int ParseArgs(int argc, char *argv[], user_settings *usr_settings)
 	}
 	
 	// Checking arguments
-#ifdef DEBUG
-	fprintf(stdout,"[DEBUG] Checking Args\n");
-#endif
-	set_result = CheckArgumentCombination(usr_settings);
-	if(set_result) return set_result;
+	if((set_result = CheckArgumentCombination(set)) != 0) 
+		return set_result;
 	
 	// Setting Keys
-#ifdef DEBUG
-	fprintf(stdout,"[DEBUG] Setting Keys\n");
-#endif
-	set_result = SetKeys(&usr_settings->common.keys);
-	if(set_result) return set_result;
+	if((set_result = SetKeys(&set->common.keys)) != 0) 
+		return set_result;
 
-#ifdef DEBUG
-	fprintf(stdout,"[DEBUG] Generating output path name if required\n");
-#endif
-
-	if(!usr_settings->common.outFileName){
+	// Generating outpath if required
+	if(!set->common.outFileName){
 		char *source_path = NULL;
-		if(usr_settings->ncch.buildNcch0) 
-			source_path = usr_settings->common.rsfPath;
-		else if(usr_settings->common.workingFileType == infile_ncsd || usr_settings->common.workingFileType == infile_srl) 
-			source_path = usr_settings->common.workingFilePath;
+		if(set->ncch.buildNcch0) 
+			source_path = set->common.rsfPath;
+		else if(set->common.workingFileType == infile_ncsd || set->common.workingFileType == infile_cia || set->common.workingFileType == infile_srl) 
+			source_path = set->common.workingFilePath;
 		else 
-			source_path = usr_settings->common.contentPath[0];
-		u16 outfile_len = strlen(source_path) + 3;
-		usr_settings->common.outFileName = calloc(outfile_len,sizeof(char));
-		if(!usr_settings->common.outFileName){
+			source_path = set->common.contentPath[0];
+		u16 outfile_len = strlen(source_path) + 0x10;
+		set->common.outFileName = calloc(outfile_len,sizeof(char));
+		if(!set->common.outFileName){
 			fprintf(stderr,"[SETTING ERROR] Not Enough Memory\n");
 			return USR_MEM_ERROR;
 		}
-		usr_settings->common.outFileName_mallocd = true;
-		append_filextention(usr_settings->common.outFileName,outfile_len,source_path,(char*)&output_extention[usr_settings->common.outFormat-1]);
+		set->common.outFileName_mallocd = true;
+		append_filextention(set->common.outFileName,outfile_len,source_path,(char*)&output_extention[set->common.outFormat-1]);
 	}
 	return 0;
 }
@@ -101,12 +89,14 @@ void SetDefaults(user_settings *set)
 	set->common.keys.accessDescSign.presetType = desc_preset_NONE;
 
 	// Build NCCH Info
+	set->ncch.useSecCrypto = false;
 	set->ncch.buildNcch0 = false;
 	set->ncch.includeExefsLogo = false;
 	set->common.outFormat = NCCH;
 	set->ncch.ncchType = format_not_set;
 
 	// RSF Settings
+	clrmem(&set->common.rsfSet,sizeof(rsf_settings));
 	set->common.rsfSet.Option.EnableCompress = true;
 	set->common.rsfSet.Option.EnableCrypt = true;
 	set->common.rsfSet.Option.UseOnSD = false;
@@ -119,13 +109,15 @@ void SetDefaults(user_settings *set)
 	set->cci.useSDKStockData = false;
 
 	// CIA Info
+	set->cia.includeUpdateNcch = false;
+	set->cia.deviceId = 0;
+	set->cia.eshopAccId = 0;
 	set->cia.useDataTitleVer = false;
 	set->cia.titleVersion[VER_MAJOR] = MAX_U16; // invalid so changes can be detected
 	set->cia.randomTitleKey = false;
 	set->common.keys.aes.currentCommonKey = MAX_U8 + 1; // invalid so changes can be detected
-	for(int i = 0; i < CIA_MAX_CONTENT; i++){
+	for(int i = 0; i < CIA_MAX_CONTENT; i++)
 		set->cia.contentId[i] = MAX_U32 + 1; // invalid so changes can be detected
-	}
 }
 
 int SetArgument(int argc, int i, char *argv[], user_settings *set)
@@ -137,7 +129,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	// Global Settings
 	if(strcmp(argv[i],"-rsf") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-rsf",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->common.rsfPath = argv[i+1];
@@ -145,7 +137,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-f") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-f",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		if(strcasecmp(argv[i+1],"ncch") == 0) 
@@ -162,17 +154,25 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-o") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-o",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->common.outFileName = argv[i+1];
 		set->common.outFileName_mallocd = false;
 		return 2;
 	}
+	else if(strcmp(argv[i],"-v") == 0){
+		if(ParamNum){
+			PrintNoNeedParam(argv[i]);
+			return USR_BAD_ARG;
+		}
+		set->common.verbose = true;
+		return 1;
+	}
 	// Key Options
 	else if(strcmp(argv[i],"-target") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-target",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		if(strcasecmp(argv[i+1],"test") == 0 || strcasecmp(argv[i+1],"t") == 0)
@@ -181,7 +181,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			set->common.keys.keyset = pki_DEVELOPMENT;
 		else if(strcasecmp(argv[i+1],"retail") == 0 || strcasecmp(argv[i+1],"production") == 0 || strcasecmp(argv[i+1],"p") == 0)
 			set->common.keys.keyset = pki_PRODUCTION;
-		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0)
+		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0) // given all known keys are here, this isn't needed
 		//	set->common.keys.keyset = pki_CUSTOM;
 		else{
 			fprintf(stderr,"[SETTING ERROR] Unrecognised target '%s'\n",argv[i+1]);
@@ -189,22 +189,36 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		return 2;
 	}
-	else if(strcmp(argv[i],"-ckeyID") == 0){
+	else if(strcmp(argv[i],"-ckeyid") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-ckeyID",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->common.keys.aes.currentCommonKey = strtol(argv[i+1],NULL,0);
-		if(set->common.keys.aes.currentCommonKey > 0xff)
+		if(set->common.keys.aes.currentCommonKey > MAX_CMN_KEY)
+		{
+			fprintf(stderr,"[SETTING ERROR] Invalid Common Key Index: 0x%x\n",set->common.keys.aes.currentCommonKey);
+			return USR_BAD_ARG;
+		}
+		return 2;
+	}
+	else if(strcmp(argv[i],"-ncchseckey") == 0){
+		if(ParamNum != 1){
+			PrintArgReqParam(argv[i],1);
+			return USR_ARG_REQ_PARAM;
+		}
+		set->ncch.useSecCrypto = true;
+		set->ncch.keyXID = strtol(argv[i+1],NULL,0);
+		if(set->ncch.keyXID > MAX_NCCH_KEYX)
 		{
-			fprintf(stderr,"[SETTING ERROR] Invalid Common Key ID: 0x%x\n",set->common.keys.aes.currentCommonKey);
+			fprintf(stderr,"[SETTING ERROR] Invalid NCCH KeyX Index: 0x%x\n",set->ncch.keyXID);
 			return USR_BAD_ARG;
 		}
 		return 2;
 	}
 	else if(strcmp(argv[i],"-showkeys") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-showkeys");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->common.keys.dumpkeys = true;
@@ -212,7 +226,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-fsign") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-fsign");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->common.keys.rsa.isFalseSign = true;
@@ -222,7 +236,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	// Ncch Options
 	else if(strcmp(argv[i],"-elf") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-elf",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.elfPath = argv[i+1];
@@ -232,7 +246,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	
 	else if(strcmp(argv[i],"-icon") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-icon",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.iconPath = argv[i+1];
@@ -241,7 +255,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-banner") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-banner",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.bannerPath = argv[i+1];
@@ -250,7 +264,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-logo") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-logo",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.logoPath = argv[i+1];
@@ -259,7 +273,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-desc") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-desc",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		char *tmp = argv[i+1];
@@ -281,7 +295,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		else if(strcasecmp(app_type,"ECApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_EC_APP;
 		else if(strcasecmp(app_type,"Demo") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DEMO;
 		else if(strcasecmp(app_type,"DlpChild") == 0 || strcasecmp(app_type,"Dlp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DLP;
-		//else if(strcasecmp(app_type,"FIRM") == 0) set->common.keys.accessDescSign.presetType = desc_preset_FIRM;
+		else if(strcasecmp(app_type,"FIRM") == 0) set->common.keys.accessDescSign.presetType = desc_preset_FIRM;
 		else{
 			fprintf(stderr,"[SETTING ERROR] Accessdesc AppType preset '%s' not valid, please manually configure RSF\n",app_type);
 			return USR_BAD_ARG;
@@ -324,7 +338,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-exefslogo") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-exefslogo");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->ncch.includeExefsLogo = true;
@@ -335,7 +349,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	// Ncch Rebuild Options
 	else if(strcmp(argv[i],"-code") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-code",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.codePath = argv[i+1];
@@ -344,16 +358,16 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-exheader") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-exheader",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.exheaderPath = argv[i+1];
 		set->ncch.ncchType |= CXI;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-plain-region") == 0){
+	else if(strcmp(argv[i],"-plainrgn") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-plain-region",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.plainRegionPath = argv[i+1];
@@ -362,7 +376,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-romfs") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-romfs",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.romfsPath = argv[i+1];
@@ -370,9 +384,9 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		return 2;
 	}
 	// Cci Options
-	else if(strcmp(argv[i],"-devcardcci") == 0){
+	else if(strcmp(argv[i],"-devcci") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-devcardcci");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cci.useSDKStockData = true;
@@ -380,7 +394,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-nomodtid") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-nomodtid");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cci.dontModifyNcchTitleID = true;
@@ -388,7 +402,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-alignwr") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-alignwr");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cci.closeAlignWritableRegion = true;
@@ -396,17 +410,42 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-cverinfo") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-cverinfo",1);
+			PrintArgReqParam(argv[i],1);
+			return USR_BAD_ARG;
+		}
+		char *pos = strstr(argv[i+1],":");
+		if(!pos || strlen(pos) < 2){
+			fprintf(stderr,"[SETTING ERROR] Bad argument '%s %s', correct format:\n",argv[i],argv[i+1]);
+			fprintf(stderr,"	%s <DATA PATH>:<'cia'/'tmd'>\n",argv[i]);
 			return USR_BAD_ARG;
 		}
-		set->cci.cverCiaPath = argv[i+1];
+		
+		char *dtype = pos + 1;
+		if(strcasecmp(dtype,"tmd") == 0)
+			set->cci.cverDataType = CVER_DTYPE_TMD;
+		else if(strcasecmp(dtype,"cia") == 0)
+			set->cci.cverDataType = CVER_DTYPE_CIA;
+		else{
+			fprintf(stderr,"[SETTING ERROR] Unrecognised cver data type:\"%s\"\n",dtype);
+			return USR_BAD_ARG;
+		}
+		
+		u32 path_len = (pos-argv[i+1])+1;
+		set->cci.cverDataPath = calloc(path_len,sizeof(char));
+		strncpy(set->cci.cverDataPath,argv[i+1],path_len-1);
+		
+		if(!AssertFile(set->cci.cverDataPath)){
+			fprintf(stderr,"[SETTING ERROR] Failed to open '%s'\n",set->cci.cverDataPath);
+			return USR_BAD_ARG;
+		}
+		
 		return 2;
 	}
 
 	// Cia Options
 	else if(strcmp(argv[i],"-major") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-major",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
@@ -420,7 +459,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-minor") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-minor",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
@@ -434,7 +473,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-micro") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-micro",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		u32 ver = strtoul(argv[i+1],NULL,10);
@@ -447,7 +486,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	else if(strcmp(argv[i],"-dver") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-dver",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useDataTitleVer = true;
@@ -457,70 +496,100 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_BAD_ARG;
 		}
 		set->cia.titleVersion[VER_MAJOR] = (ver >> 6) & VER_MAJOR_MAX;
-		set->cia.titleVersion[VER_MINOR] = ver & VER_MAJOR_MAX;
+		set->cia.titleVersion[VER_MINOR] = ver & VER_MINOR_MAX;
+		return 2;
+	}
+	else if(strcmp(argv[i],"-deviceid") == 0){
+		if(ParamNum != 1){
+			PrintArgReqParam(argv[i],1);
+			return USR_ARG_REQ_PARAM;
+		}
+		set->cia.deviceId = strtoul(argv[i+1],NULL,16);
+		return 2;
+	}
+	else if(strcmp(argv[i],"-esaccid") == 0){
+		if(ParamNum != 1){
+			PrintArgReqParam(argv[i],1);
+			return USR_ARG_REQ_PARAM;
+		}
+		set->cia.eshopAccId = strtoul(argv[i+1],NULL,16);
 		return 2;
 	}
 	else if(strcmp(argv[i],"-rand") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-rand");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cia.randomTitleKey = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-cci") == 0){
+	else if(strcmp(argv[i],"-dlc") == 0){
+		if(ParamNum){
+			PrintNoNeedParam(argv[i]);
+			return USR_BAD_ARG;
+		}
+		set->cia.DlcContent = true;
+		return 1;
+	}
+	else if(strcmp(argv[i],"-srl") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-cci",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.buildNcch0 = false;
-		set->common.workingFileType = infile_ncsd;
+		set->common.workingFileType = infile_srl;
 		set->common.workingFilePath = argv[i+1];
 		set->common.outFormat = CIA;
 		return 2;
+
 	}
-	else if(strcmp(argv[i],"-srl") == 0){
+
+	// Ncch Container Conversion
+	else if(strcmp(argv[i],"-ccitocia") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-srl",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.buildNcch0 = false;
-		set->common.workingFileType = infile_srl;
+		set->common.workingFileType = infile_ncsd;
 		set->common.workingFilePath = argv[i+1];
 		set->common.outFormat = CIA;
 		return 2;
-
 	}
-	else if(strcmp(argv[i],"-dlc") == 0){
+	else if(strcmp(argv[i],"-ciatocci") == 0){
+		if(ParamNum != 1){
+			PrintArgReqParam(argv[i],1);
+			return USR_ARG_REQ_PARAM;
+		}
+		set->ncch.buildNcch0 = false;
+		set->common.workingFileType = infile_cia;
+		set->common.workingFilePath = argv[i+1];
+		set->common.outFormat = CCI;
+		return 2;
+	}
+	else if(strcmp(argv[i],"-inclupd") == 0){
 		if(ParamNum){
-			PrintNoNeedParam("-dlc");
+			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
-		set->cia.DlcContent = true;
+		set->cia.includeUpdateNcch = true;
 		return 1;
 	}
-
+	
 	// Other Setting
 	else if(strcmp(argv[i],"-content") == 0){
 		if(ParamNum != 1){
-			PrintArgReqParam("-content",1);
+			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
 		char *pos = strstr(argv[i+1],":");
-		if(!pos){
+		if(!pos || strlen(pos) < 2){
 			fprintf(stderr,"[SETTING ERROR] Bad argument '%s %s', correct format:\n",argv[i],argv[i+1]);
-			fprintf(stderr,"	-content <CONTENT PATH>:<INDEX>\n");
+			fprintf(stderr,"	%s <CONTENT PATH>:<INDEX>\n",argv[i]);
 			fprintf(stderr,"  If generating a CIA, then use the format:\n");
-			fprintf(stderr,"	-content <CONTENT PATH>:<INDEX>:<ID>\n");
+			fprintf(stderr,"	%s <CONTENT PATH>:<INDEX>:<ID>\n",argv[i]);
 			return USR_BAD_ARG;
 		}		
-		if(strlen(pos) < 2){
-			fprintf(stderr,"[SETTING ERROR] Bad argument '%s %s', correct format:\n",argv[i],argv[i+1]);
-			fprintf(stderr,"	-content <CONTENT PATH>:<INDEX>\n");
-			fprintf(stderr,"  If generating a CIA, then use the format:\n");
-			fprintf(stderr,"	-content <CONTENT PATH>:<INDEX>:<ID>\n");
-			return USR_BAD_ARG;
-		}
 
 		/* Getting Content Index */
 		u16 content_index = strtol((char*)(pos+1),NULL,0);
@@ -528,7 +597,6 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		/* Storing Content Filepath */
 		u32 path_len = (u32)(pos-argv[i+1])+1;
 		
-		if(content_index == 0) set->ncch.buildNcch0 = false;
 		if(set->common.contentPath[content_index] != NULL){
 			fprintf(stderr,"[SETTING ERROR] Content %d is already specified\n",content_index);
 			return USR_BAD_ARG;
@@ -539,12 +607,16 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_MEM_ERROR;
 		}
 		strncpy(set->common.contentPath[content_index],argv[i+1],path_len-1);	
-
+		if(!AssertFile(set->common.contentPath[content_index])){
+			fprintf(stderr,"[SETTING ERROR] '%s' could not be opened\n",set->common.contentPath[content_index]);
+			return USR_BAD_ARG;
+		}
+		set->common.contentSize[content_index] = GetFileSize64(set->common.contentPath[content_index]);
+		
 		/* Get ContentID for CIA gen */
 		char *pos2 = strstr(pos+1,":"); 
-		if(pos2) {
+		if(pos2) 
 			set->cia.contentId[content_index] = strtoul((pos2+1),NULL,0);
-		}
 		
 		/* Return Next Arg Pos*/
 		return 2;
@@ -563,7 +635,6 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 				fprintf(stderr,"[SETTING ERROR] Not enough memory\n");
 				return MEM_ERROR;
 			}
-			//memset(set->dname.items,0,sizeof(dname_item)*set->dname.m_items);
 		}
 		else if(set->dname.m_items == set->dname.u_items){
 			set->dname.m_items *= 2;
@@ -655,7 +726,7 @@ int CheckArgumentCombination(user_settings *set)
 		return USR_BAD_ARG;
 	}
 
-	if(set->common.outFormat == CIA && set->cci.cverCiaPath){
+	if(set->common.outFormat == CIA && set->cci.cverDataPath){
 		fprintf(stderr,"[SETTING ERROR] You cannot use argument \"-cverinfo\" when generating a CIA\n");
 		return USR_BAD_ARG;
 	}
@@ -700,7 +771,7 @@ int CheckArgumentCombination(user_settings *set)
 		return USR_BAD_ARG;
 	}
 	if(!buildCXI && set->ncch.plainRegionPath){
-		PrintArgInvalid("-plain-region");
+		PrintArgInvalid("-plainrgn");
 		return USR_BAD_ARG;
 	}
 	if(!set->ncch.buildNcch0 && set->ncch.includeExefsLogo){
@@ -715,45 +786,47 @@ int CheckArgumentCombination(user_settings *set)
 	return 0;
 }
 
-void init_UserSettings(user_settings *usr_settings)
+void init_UserSettings(user_settings *set)
 {
-	memset(usr_settings,0,sizeof(user_settings));
+	memset(set,0,sizeof(user_settings));
 }
 
-void free_UserSettings(user_settings *usr_settings)
+void free_UserSettings(user_settings *set)
 {
 	// Free Content Paths
-	if(usr_settings->common.contentPath){
+	if(set->common.contentPath){
 		for(int i = 0; i < CIA_MAX_CONTENT; i++)
-			free(usr_settings->common.contentPath[i]);
-		free(usr_settings->common.contentPath);
+			free(set->common.contentPath[i]);
+		free(set->common.contentPath);
 	}
 
 	// free -DNAME=VALUE
-	for(u32 i = 0; i < usr_settings->dname.u_items; i++){
-		free(usr_settings->dname.items[i].name);
-		free(usr_settings->dname.items[i].value);
+	for(u32 i = 0; i < set->dname.u_items; i++){
+		free(set->dname.items[i].name);
+		free(set->dname.items[i].value);
 	}
-	free(usr_settings->dname.items);
+	free(set->dname.items);
 
+	free(set->cci.cverDataPath);
+	
 	// Free Spec File Setting
-	free_RsfSettings(&usr_settings->common.rsfSet);
+	free_RsfSettings(&set->common.rsfSet);
 
 	// Free Key Data
-	FreeKeys(&usr_settings->common.keys);
+	FreeKeys(&set->common.keys);
 	
 	// Free Working File
-	free(usr_settings->common.workingFile.buffer);
+	free(set->common.workingFile.buffer);
 		
 	// Free outfile path, if malloc'd
-	if(usr_settings->common.outFileName_mallocd) 
-		free(usr_settings->common.outFileName);
+	if(set->common.outFileName_mallocd) 
+		free(set->common.outFileName);
 	
 	// Clear settings
-	init_UserSettings(usr_settings);
+	init_UserSettings(set);
 	
 	// Free
-	free(usr_settings);
+	free(set);
 }
 
 void PrintNeedsArg(char *arg)
@@ -787,53 +860,52 @@ void DisplayHelp(char *app_name)
 	printf("Option          Parameter           Explanation\n");
 	printf("GLOBAL OPTIONS:\n");
 	printf(" -help                              Display this text\n");
-	printf(" -rsf           <file>              Rom Specification File (*.rsf)\n");
-	printf(" -f             <ncch|cci|cia>      Output Format, defaults to 'ncch'\n");
-	printf(" -o             <file>              Output File\n");
-	//printf(" -v                                 Verbose\n");
-	printf(" -DNAME=VALUE                       Substitute values in Spec file\n");
+	printf(" -rsf           <file>              ROM Spec File (*.rsf)\n");
+	printf(" -f             <ncch|cci|cia>      Output format, defaults to 'ncch'\n");
+	printf(" -o             <file>              Output file\n");
+	printf(" -v                                 Verbose output\n");
+	printf(" -DNAME=VALUE                       Substitute values in RSF file\n");
 	printf("KEY OPTIONS:\n");
-	//printf(" -target        <t|d|p|c>           Target for crypto, defaults to 't'\n");
 	printf(" -target        <t|d|p>             Target for crypto, defaults to 't'\n");
 	printf("                                    't' Test(false) Keys & prod Certs\n");
 	printf("                                    'd' Development Keys & Certs\n");
 	printf("                                    'p' Production Keys & Certs\n");
-	//printf("                                    'c' Custom Keys & Certs\n");
-	printf(" -ckeyID        <u8 value>          Override the automatic commonKey selection\n");
-	printf(" -showkeys                          Display the loaded keychain\n");
+	printf(" -ckeyid        <index>             Override the automatic common key selection\n");
+	printf(" -ncchseckey    <index>             Ncch keyX index ('0'=1.0+, '1'=7.0+)\n");
+	printf(" -showkeys                          Display the loaded key chain\n");
 	printf(" -fsign                             Ignore invalid signatures\n");
 	printf("NCCH OPTIONS:\n");
-	printf(" -elf           <file>              ELF File\n");
-	printf(" -icon          <file>              Icon File\n");
-	printf(" -banner        <file>              Banner File\n");
-	printf(" -logo          <file>              Logo File (Overrides \"BasicInfo/Logo\" in RSF)\n");
-	printf(" -desc          <apptype>:<fw>      Specify Access Descriptor Preset\n");
-	//printf("                                    AppTypes:\n");
-	//printf("                                    'SDApp' Normal SD Application\n");
-	//printf("                                    'ECApp' SD Application with DLC Capability\n");
-	//printf("                                    'Demo'  SD Demo Application\n");
-	//printf("                                    'Dlp'   NAND DLP Child Application\n");
-	//printf("                                    'FIRM'  FIRM CXI\n");
-	printf(" -exefslogo                         Include Logo in ExeFs (Required for usage on <5.X Systems)\n");
+	printf(" -elf           <file>              ELF file\n");
+	printf(" -icon          <file>              Icon file\n");
+	printf(" -banner        <file>              Banner file\n");
+	printf(" -logo          <file>              Logo file (Overrides \"BasicInfo/Logo\" in RSF)\n");
+	printf(" -desc          <apptype>:<fw>      Specify Access Descriptor template\n");
+	printf(" -exefslogo                         Include Logo in ExeFS (Required for usage on <5.0 systems)\n");
 	printf("NCCH REBUILD OPTIONS:\n");
-	printf(" -code          <code path>         Specify ExeFs code File\n");
-	printf(" -exheader      <exhdr path>        ExHeader Template File\n");
-	printf(" -plain-region  <pln region path>   PlainRegion File\n");
-	printf(" -romfs         <romfs path>        RomFS File\n");	
+	printf(" -code          <file>              Decompressed ExeFS \".code\"\n");
+	printf(" -exheader      <file>              Exheader template\n");
+	printf(" -plainrgn      <file>              Plain Region binary\n");
+	printf(" -romfs         <file>              RomFS binary\n");	
 	printf("CCI OPTIONS:\n");
-	printf(" -content       <filepath>:<index>  Specify content files\n");
-	printf(" -devcardcci                        Use SDK CardInfo Method\n");
+	printf(" -content       <file>:<index>      Specify content files\n");
+	printf(" -devcci                            Use external CTRSDK \"CardInfo\" method\n");
 	printf(" -nomodtid                          Don't Modify Content TitleIDs\n");
-	printf(" -alignwr                           Align Writeable Region to the end of last NCCH\n");
-	printf(" -cverinfo      <cver cia path>     Include CVer title info\n");
+	printf(" -alignwr                           Align writeable region to the end of last NCCH\n");
+	printf(" -cverinfo      <file>:<cia|tmd>    Include cver title info\n");
 	printf("CIA OPTIONS:\n");
-	printf(" -content <filepath>:<index>:<id>   Specify content files\n");
-	printf(" -major         <major version>     Specify Major Version\n");
-	printf(" -minor         <minor version>     Specify Minor Version\n");
-	printf(" -micro         <micro version>     Specify Micro Version\n");
-	printf(" -dver          <datatitle ver>     Specify Data Title Version\n");
+	printf(" -content       <file>:<index>:<id> Specify content files\n");
+	printf(" -major         <version>           Major version\n");
+	printf(" -minor         <version>           Minor version\n");
+	printf(" -micro         <version>           Micro version\n");
+	printf(" -dver          <version>           Data-title version\n");
+	printf(" -deviceid      <hex id>            3DS unique device ID\n");
+	printf(" -esaccid       <hex id>            e-Shop account ID\n");
 	printf(" -rand                              Use a random title key\n");
-	printf(" -cci           <cci path>          Convert CCI to CIA\n");
-	printf(" -srl           <srl path>          Use TWL SRL as Content0\n");
 	printf(" -dlc                               Create DLC CIA\n");
+	printf(" -srl           <srl file>          Package a TWL SRL in a CIA\n");
+	printf("NCCH CONTAINER CONVERSION:\n");
+	printf(" -ccitocia      <cci file>          Convert CCI to CIA\n");
+	printf(" -ciatocci      <cia file>          Convert CIA to CCI\n");
+	printf(" -inclupd                           Include \"Update NCCH\" in CCI to CIA conversion\n");
+	
 }
\ No newline at end of file
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 95d83173..89d9a9ef 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -21,6 +21,12 @@ typedef enum
 	VER_DVER_MAX = 4095,
 } title_ver_max;
 
+typedef enum
+{
+	CVER_DTYPE_TMD,
+	CVER_DTYPE_CIA,
+} cver_data_type;
+
 typedef enum
 {
 	USR_PTR_PASS_FAIL = -1,
@@ -37,6 +43,7 @@ typedef enum
 	infile_ncch,
 	infile_ncsd,
 	infile_srl,
+	infile_cia,
 } infile_type;
 
 typedef enum
@@ -49,7 +56,7 @@ typedef enum
 	NCCH
 } output_format;
 
-static const char output_extention[4][5] = {".cxi",".cfa",".cci",".cia"};
+static const char output_extention[5][5] = {".cxi",".cfa",".cci",".cia",".app"};
 
 /* This does not follow style, so the rsf string names match the variables where they're stored */
 typedef struct
@@ -246,6 +253,8 @@ typedef struct
 typedef struct
 {
 	struct{
+		bool verbose;
+	
 		char *rsfPath;
 		bool outFileName_mallocd;
 		char *outFileName;
@@ -259,9 +268,10 @@ typedef struct
 
 		// Content Details
 		char **contentPath;
+		u64 contentSize[CIA_MAX_CONTENT];
 
 		char *workingFilePath;
-		infile_type workingFileType; // Could Be ncch/ncsd/srl. This is mainly used for CIA gen
+		infile_type workingFileType; // Could Be ncch/ncsd/srl/cia.
 		buffer_struct workingFile;
 	} common;
 	
@@ -282,23 +292,32 @@ typedef struct
 		char *exheaderPath; // for .code details
 		char *plainRegionPath; // prebuilt Plain Region
 		char *romfsPath; // Prebuild _cleartext_ romfs binary
+		
+		bool useSecCrypto;
+		u8 keyXID;
 	} ncch; // Ncch0 Build
 	
 	struct{ 
 		bool useSDKStockData;  // incase we want to use the SDK stock data, for whatever reason.
 		bool dontModifyNcchTitleID;
 		bool closeAlignWritableRegion;
-		char *cverCiaPath;
+		
+		u8 cverDataType;
+		char *cverDataPath;
 	} cci; // CCI Settings
 	
 	struct{
 		bool randomTitleKey;
 		bool encryptCia;
 		bool DlcContent;
+		bool includeUpdateNcch;
 
 		bool useNormTitleVer;
 		bool useDataTitleVer;
 		u16 titleVersion[3];
+		
+		u32 deviceId;
+		u32 eshopAccId;
 
 		u64 contentId[CIA_MAX_CONTENT]; // For CIA
 	} cia; // CIA Settings	
@@ -306,6 +325,6 @@ typedef struct
 
 // Prototypes
 
-void init_UserSettings(user_settings *usr_settings);
-void free_UserSettings(user_settings *usr_settings);
+void init_UserSettings(user_settings *set);
+void free_UserSettings(user_settings *set);
 int ParseArgs(int argc, char *argv[], user_settings *usr_settings);
\ No newline at end of file
diff --git a/makerom/utils.c b/makerom/utils.c
index 1321168e..bda3076b 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -1,25 +1,9 @@
 #include "lib.h"
 #include "utf.h"
 
-// Memory
-void char_to_u8_array(unsigned char destination[], char source[], int size, int endianness, int base)
-{	
-	char tmp[size][2];
-    unsigned char *byte_array = malloc(size*sizeof(unsigned char));
-	memset(byte_array, 0, size);
-	memset(destination, 0, size);
-	memset(tmp, 0, size*2);
-    
-    for (int i = 0; i < size; i ++){
-		tmp[i][0] = source[(i*2)];
-        tmp[i][1] = source[((i*2)+1)];
-		tmp[i][2] = '\0';
-        byte_array[i] = (unsigned char)strtol(tmp[i], NULL, base);
-    }
-	endian_memcpy(destination,byte_array,size,endianness);
-	free(byte_array);
-}
+#include "polarssl/base64.h"
 
+// Memory
 void endian_memcpy(u8 *destination, u8 *source, u32 size, int endianness)
 { 
     for (u32 i = 0; i < size; i++){
@@ -65,13 +49,13 @@ u64 align(u64 value, u64 alignment)
 		return value;
 }
 
-u64 min_u64(u64 a, u64 b)
+u64 min64(u64 a, u64 b)
 {
 	if(a < b) return a;
 	return b;
 }
 
-u64 max_u64(u64 a, u64 b)
+u64 max64(u64 a, u64 b)
 {
 	if(a > b) return a;
 	return b;
@@ -187,6 +171,56 @@ int str_utf8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len)
 }
 #endif
 
+// Base64
+bool IsValidB64Char(char chr)
+{
+	return (isalnum(chr) || chr == '+' || chr == '/' || chr == '=');
+}
+
+u32 b64_strlen(char *str)
+{
+	u32 count = 0;
+	u32 i = 0;
+	while(str[i] != 0x0){
+		if(IsValidB64Char(str[i])) {
+			//printf("Is Valid: %c\n",str[i]);
+			count++;
+		}
+		i++;
+	}
+
+	return count;
+}
+
+void b64_strcpy(char *dst, char *src)
+{
+	u32 src_len = strlen(src);
+	u32 j = 0;
+	for(u32 i = 0; i < src_len; i++){
+		if(IsValidB64Char(src[i])){
+			dst[j] = src[i];
+			j++;
+		}
+	}
+	dst[j] = 0;
+
+	//memdump(stdout,"src: ",(u8*)src,src_len+1);
+	//memdump(stdout,"dst: ",(u8*)dst,j+1);
+}
+
+int b64_decode(u8 *dst, char *src, u32 dst_size)
+{
+	int ret;
+	u32 size = dst_size;
+	
+	ret = base64_decode(dst,(size_t*)&size,(const u8*)src,strlen(src));
+	
+	if(size != dst_size)
+		ret = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
+	
+	return ret;
+}
+
 // Pseudo-Random Number Generator
 void initRand(void)
 {
@@ -227,7 +261,7 @@ bool AssertFile(char *filename)
 #endif
 }
 
-u64 GetFileSize_u64(char *filename)
+u64 GetFileSize64(char *filename)
 {
 #ifdef _WIN32
 	struct _stat64 st;
@@ -262,7 +296,7 @@ char *getcwdir(char *buffer,int maxlen)
 #endif
 }
 
-int TruncateFile_u64(char *filename, u64 filelen)
+int TruncateFile64(char *filename, u64 filelen)
 {
 #ifdef _WIN32
 	HANDLE fh;
@@ -291,7 +325,7 @@ int TruncateFile_u64(char *filename, u64 filelen)
 
 // Wide Char IO
 #ifdef _WIN32
-u64 wGetFileSize_u64(u16 *filename)
+u64 wGetFileSize64(u16 *filename)
 {
 	struct _stat64 st;
 	_wstat64((wchar_t*)filename, &st);
@@ -302,12 +336,10 @@ u64 wGetFileSize_u64(u16 *filename)
 //IO Misc
 u8* ImportFile(char *file, u64 size)
 {
-	u64 fsize = GetFileSize_u64(file);
-	if(size > 0){
-		if(size != fsize){
-			fprintf(stderr,"[!] %s has an invalid size (0x%"PRIx64")\n",file, fsize);
-			return NULL;
-		}
+	u64 fsize = GetFileSize64(file);
+	if(size > 0 && size != fsize){
+		fprintf(stderr,"[!] %s has an invalid size (0x%"PRIx64")\n",file, fsize);
+		return NULL;
 	}
 
 	u8 *data = (u8*)calloc(1,fsize);
@@ -328,7 +360,7 @@ void WriteBuffer(void *buffer, u64 size, u64 offset, FILE *output)
 	fwrite(buffer,size,1,output);
 } 
 
-void ReadFile_64(void *outbuff, u64 size, u64 offset, FILE *file)
+void ReadFile64(void *outbuff, u64 size, u64 offset, FILE *file)
 {
 	fseek_64(file,offset);
 	fread(outbuff,size,1,file);
@@ -368,32 +400,32 @@ u32 u8_to_u32(u8 *value, u8 endianness)
 
 u64 u8_to_u64(u8 *value, u8 endianness)
 {
-	u64 u64_return = 0;
+	u64 ret = 0;
 	switch(endianness){
 		case(BE): 
-			u64_return |= (u64)value[7]<<0;
-			u64_return |= (u64)value[6]<<8;
-			u64_return |= (u64)value[5]<<16;
-			u64_return |= (u64)value[4]<<24;
-			u64_return |= (u64)value[3]<<32;
-			u64_return |= (u64)value[2]<<40;
-			u64_return |= (u64)value[1]<<48;
-			u64_return |= (u64)value[0]<<56;
+			ret |= (u64)value[7]<<0;
+			ret |= (u64)value[6]<<8;
+			ret |= (u64)value[5]<<16;
+			ret |= (u64)value[4]<<24;
+			ret |= (u64)value[3]<<32;
+			ret |= (u64)value[2]<<40;
+			ret |= (u64)value[1]<<48;
+			ret |= (u64)value[0]<<56;
 			break;
 			//return (value[7]<<0) | (value[6]<<8) | (value[5]<<16) | (value[4]<<24) | (value[3]<<32) | (value[2]<<40) | (value[1]<<48) | (value[0]<<56);
 		case(LE): 
-			u64_return |= (u64)value[0]<<0;
-			u64_return |= (u64)value[1]<<8;
-			u64_return |= (u64)value[2]<<16;
-			u64_return |= (u64)value[3]<<24;
-			u64_return |= (u64)value[4]<<32;
-			u64_return |= (u64)value[5]<<40;
-			u64_return |= (u64)value[6]<<48;
-			u64_return |= (u64)value[7]<<56;
+			ret |= (u64)value[0]<<0;
+			ret |= (u64)value[1]<<8;
+			ret |= (u64)value[2]<<16;
+			ret |= (u64)value[3]<<24;
+			ret |= (u64)value[4]<<32;
+			ret |= (u64)value[5]<<40;
+			ret |= (u64)value[6]<<48;
+			ret |= (u64)value[7]<<56;
 			break;
 			//return (value[0]<<0) | (value[1]<<8) | (value[2]<<16) | (value[3]<<24) | (value[4]<<32) | (value[5]<<40) | (value[6]<<48) | (value[7]<<56);
 	}
-	return u64_return;
+	return ret;
 }
 
 int u16_to_u8(u8 *out_value, u16 in_value, u8 endianness)
diff --git a/makerom/utils.h b/makerom/utils.h
index 5d3f10a1..8c7d5a44 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -7,7 +7,6 @@ typedef struct
 } buffer_struct;
 
 // Memory
-void char_to_u8_array(unsigned char destination[], char source[], int size, int endianness, int base);
 void endian_memcpy(u8 *destination, u8 *source, u32 size, int endianness);
 int CopyData(u8 **dest, u8 *source, u64 size);
 void rndset(void *ptr, u64 num);
@@ -15,8 +14,8 @@ void clrmem(void *ptr, u64 num);
 
 // MISC
 u64 align(u64 value, u64 alignment);
-u64 min_u64(u64 a, u64 b);
-u64 max_u64(u64 a, u64 b);
+u64 min64(u64 a, u64 b);
+u64 max64(u64 a, u64 b);
 
 // Strings
 void memdump(FILE* fout, const char* prefix, const u8* data, u32 size);
@@ -28,6 +27,12 @@ int str_u32_to_u16(u16 **dst, u32 *dst_len, u32 *src, u32 src_len);
 int str_utf8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len);
 #endif
 
+// Base64
+bool IsValidB64Char(char chr);
+u32 b64_strlen(char *str);
+void b64_strcpy(char *dst, char *src);
+int b64_decode(u8 *dst, char *src, u32 dst_size);
+
 // Pseudo-Random Number Generator
 void initRand(void);
 u8 u8GetRand(void);
@@ -37,20 +42,20 @@ u64 u64GetRand(void);
 
 //Char IO
 bool AssertFile(char *filename);
-u64 GetFileSize_u64(char *filename);
+u64 GetFileSize64(char *filename);
 int makedir(const char* dir);
 char *getcwdir(char *buffer,int maxlen);
-int TruncateFile_u64(char *filename, u64 filelen);
+int TruncateFile64(char *filename, u64 filelen);
 
 //Wide Char IO
 #ifdef _WIN32
-u64 wGetFileSize_u64(u16 *filename);
+u64 wGetFileSize64(u16 *filename);
 #endif
 
 //IO Misc
 u8* ImportFile(char *file, u64 size);
 void WriteBuffer(void *buffer, u64 size, u64 offset, FILE *output);
-void ReadFile_64(void *outbuff, u64 size, u64 offset, FILE *file);
+void ReadFile64(void *outbuff, u64 size, u64 offset, FILE *file);
 int fseek_64(FILE *fp, u64 file_pos);
 
 //Data Size conversion
diff --git a/makerom/yaml_parser.c b/makerom/yaml_parser.c
index 3107cd24..9ebc645a 100644
--- a/makerom/yaml_parser.c
+++ b/makerom/yaml_parser.c
@@ -11,17 +11,14 @@ void CheckEvent(ctr_yaml_context *ctx);
 void BadYamlFormatting(void);
 
 // Code
-int GetYamlSettings(user_settings *set)
+int GetRsfSettings(user_settings *set)
 {
-	memset(&set->common.rsfSet,0,sizeof(rsf_settings));
 	int ret = 0;
 	if(set->common.rsfPath) {
-		FILE *rsf = fopen(set->common.rsfPath,"rb");
-		if(!rsf) {
+		if(!AssertFile(set->common.rsfPath)) {
 			fprintf(stderr,"[RSF ERROR] Failed to open %s\n",set->common.rsfPath);
 			return FAILED_TO_OPEN_FILE;
 		}
-		fclose(rsf);
 		ret = ParseSpecFile(&set->common.rsfSet,set->common.rsfPath, &set->dname);
 	}
 	return ret;
diff --git a/makerom/yaml_parser.h b/makerom/yaml_parser.h
index 9d9db540..d9cd5d34 100644
--- a/makerom/yaml_parser.h
+++ b/makerom/yaml_parser.h
@@ -31,7 +31,7 @@ typedef struct
 } ctr_yaml_context;
 
 // Public Prototypes
-int GetYamlSettings(user_settings *set);
+int GetRsfSettings(user_settings *set);
 
 // For scalar events
 char *GetYamlString(ctr_yaml_context *ctx);

From 35b2865b084e300a2230d548fd5dcc294a894fdd Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 26 Aug 2014 00:54:59 +1000
Subject: [PATCH 024/317] commented debug code

---
 makerom/keyset.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/makerom/keyset.c b/makerom/keyset.c
index a39ce548..66ebeff6 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -118,9 +118,10 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetNormalKey(keys,(u8*)dev_fixed_ncch_key[0]);
 		SetSystemFixedKey(keys,(u8*)dev_fixed_ncch_key[1]);
 		
+		/*
 		for(int i = 0; i < 2; i++)
 			SetNcchKeyX(keys,(u8*)dev_unfixed_ncch_keyX[i],i);
-		
+		*/
 
 		/* RSA Keys */
 		// CIA

From e04414b853aa56e1596d91a81be4667767d8b491 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 26 Aug 2014 01:08:57 +1000
Subject: [PATCH 025/317] misc

---
 makerom/ncch.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/makerom/ncch.h b/makerom/ncch.h
index e87ae48e..c54ced2e 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -126,7 +126,6 @@ bool IsNcch(FILE *fp, u8 *buf);
 bool IsCfa(ncch_hdr* hdr);
 bool IsUpdateCfa(ncch_hdr* hdr);
 u32 GetNcchBlockSize(ncch_hdr* hdr);
-u8 GetBlockSizeFlag(u32 size);
 u64 GetNcchSize(ncch_hdr* hdr);
 bool IsNcchEncrypted(ncch_hdr *hdr);
 bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr);

From 291b64b5985d0a46ec25f6ca21232585bd53d4ac Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 26 Aug 2014 13:32:55 +1000
Subject: [PATCH 026/317] ncch key stuff

---
 makerom/ncch.c | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/makerom/ncch.c b/makerom/ncch.c
index e81ede85..98778727 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -629,6 +629,7 @@ int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 		
 	if(!SetNcchKeys(set->keys,hdr) && set->options.Encrypt){
 		hdr->flags[ncchflag_OTHER_FLAG] = (otherflag_NoCrypto|otherflag_FixedCryptoKey);
+		hdr->flags[ncchflag_CONTENT_KEYX] = 0;
 		set->options.Encrypt = false;
 		fprintf(stderr,"[NCCH WARNING] NCCH AES Key could not be loaded, NCCH will not be encrypted\n");
 	}
@@ -992,17 +993,20 @@ bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr)
 		return true;
 		
 	if((hdr->flags[ncchflag_OTHER_FLAG] & otherflag_FixedCryptoKey) == otherflag_FixedCryptoKey){
-		if((hdr->programId[4] & 0x10) == 0x10 && keys->aes.systemFixedKey){
+		if((hdr->programId[4] & 0x10) == 0x10){
+			if(!keys->aes.systemFixedKey)
+				return false;
 			memcpy(keys->aes.ncchKey0,keys->aes.systemFixedKey,AES_128_KEY_SIZE);
 			memcpy(keys->aes.ncchKey1,keys->aes.systemFixedKey,AES_128_KEY_SIZE);
 			return true;
 		}
-		else if(keys->aes.normalKey){
+		else{
+			if(!keys->aes.normalKey)
+				return false;
 			memcpy(keys->aes.ncchKey0,keys->aes.normalKey,AES_128_KEY_SIZE);
 			memcpy(keys->aes.ncchKey1,keys->aes.normalKey,AES_128_KEY_SIZE);
 			return true;
 		}
-		return false;
 	}
 	
 	if(keys->aes.ncchKeyX[0])
@@ -1024,7 +1028,7 @@ int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 	memcpy(info->programId,hdr->programId,8);
 
 	
-	u32 media_unit = GetNcchBlockSize(hdr);
+	u32 block_size = GetNcchBlockSize(hdr);
 	
 	info->formatVersion = u8_to_u16(hdr->formatVersion,LE);
 	if(!IsCfa(hdr)){
@@ -1032,18 +1036,18 @@ int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 		info->exhdrSize = u8_to_u32(hdr->exhdrSize,LE);
 		info->acexOffset = (info->exhdrOffset + info->exhdrSize);
 		info->acexSize = sizeof(access_descriptor);
-		info->plainRegionOffset = (u64)(u8_to_u32(hdr->plainRegionOffset,LE)*media_unit);
-		info->plainRegionSize = (u64)(u8_to_u32(hdr->plainRegionSize,LE)*media_unit);
+		info->plainRegionOffset = (u64)(u8_to_u32(hdr->plainRegionOffset,LE)*block_size);
+		info->plainRegionSize = (u64)(u8_to_u32(hdr->plainRegionSize,LE)*block_size);
 	}
 
-	info->logoOffset = (u64)(u8_to_u32(hdr->logoOffset,LE)*media_unit);
-	info->logoSize = (u64)(u8_to_u32(hdr->logoSize,LE)*media_unit);
-	info->exefsOffset = (u64)(u8_to_u32(hdr->exefsOffset,LE)*media_unit);
-	info->exefsSize = (u64)(u8_to_u32(hdr->exefsSize,LE)*media_unit);
-	info->exefsHashDataSize = (u64)(u8_to_u32(hdr->exefsHashSize,LE)*media_unit);
-	info->romfsOffset = (u64) (u8_to_u32(hdr->romfsOffset,LE)*media_unit);
-	info->romfsSize = (u64) (u8_to_u32(hdr->romfsSize,LE)*media_unit);
-	info->romfsHashDataSize = (u64)(u8_to_u32(hdr->romfsHashSize,LE)*media_unit);
+	info->logoOffset = (u64)(u8_to_u32(hdr->logoOffset,LE)*block_size);
+	info->logoSize = (u64)(u8_to_u32(hdr->logoSize,LE)*block_size);
+	info->exefsOffset = (u64)(u8_to_u32(hdr->exefsOffset,LE)*block_size);
+	info->exefsSize = (u64)(u8_to_u32(hdr->exefsSize,LE)*block_size);
+	info->exefsHashDataSize = (u64)(u8_to_u32(hdr->exefsHashSize,LE)*block_size);
+	info->romfsOffset = (u64) (u8_to_u32(hdr->romfsOffset,LE)*block_size);
+	info->romfsSize = (u64) (u8_to_u32(hdr->romfsSize,LE)*block_size);
+	info->romfsHashDataSize = (u64)(u8_to_u32(hdr->romfsHashSize,LE)*block_size);
 	return 0;
 }
 
@@ -1079,8 +1083,7 @@ void GetNcchAesCounter(ncch_info *ctx, u8 counter[16], u8 type)
 
 	if (ctx->formatVersion == 2 || ctx->formatVersion == 0)
 	{
-		for(i=0; i<8; i++)
-			counter[i] = titleId[7-i];
+		endian_memcpy(counter,titleId,8,LE);
 		counter[8] = type;
 	}
 	else if (ctx->formatVersion == 1)

From b239091cd2339956ad5132c62a3500078e8cba93 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Tue, 26 Aug 2014 06:02:11 +0200
Subject: [PATCH 027/317] Format string fixes for GCC on Windows

---
 ctrtool/cia.c      |  3 ++-
 ctrtool/exheader.c | 15 ++++++++-------
 ctrtool/ivfc.c     |  7 ++++---
 ctrtool/ncch.c     |  7 ++++---
 ctrtool/ncsd.c     |  3 ++-
 ctrtool/tmd.c      |  3 ++-
 6 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index dd205a89..f1e97038 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -4,6 +4,7 @@
 #include "types.h"
 #include "utils.h"
 #include "cia.h"
+#include <inttypes.h>
 
 
 void cia_init(cia_context* ctx)
@@ -304,5 +305,5 @@ void cia_print(cia_context* ctx)
 	fprintf(stdout, "Meta offset:            0x%04x\n", ctx->offsetmeta);
 	fprintf(stdout, "Meta size:              0x%04x\n", ctx->sizemeta);
 	fprintf(stdout, "Content offset:         0x%08x\n", ctx->offsetcontent);
-	fprintf(stdout, "Content size:           0x%016llx\n", getle64(header->contentsize));
+	fprintf(stdout, "Content size:           0x%016"PRIx64"\n", getle64(header->contentsize));
 }
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 8c945480..33d54b38 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -5,6 +5,7 @@
 #include "exheader.h"
 #include "utils.h"
 #include "ncch.h"
+#include <inttypes.h>
 
 void exheader_init(exheader_context* ctx)
 {
@@ -428,7 +429,7 @@ void exheader_print_arm11storageinfo(exheader_context* ctx)
 			accessiblesaveID[i] = 0;
 	}
 
-	fprintf(stdout, "Ext savedata id:        0x%08llX\n",extdataID);
+	fprintf(stdout, "Ext savedata id:        0x%08"PRIX64"\n",extdataID);
 	for(i = 0; i < 2; i++)
 		fprintf(stdout, "System savedata id %d:   0x%08x %s\n",i+1,systemsaveID[i],exheader_getvalidstring(ctx->validsystemsaveID[i]));
 	for(i = 0; i < 3; i++)
@@ -578,17 +579,17 @@ void exheader_print(exheader_context* ctx)
 	for(i=0; i<0x30; i++)
 	{
 		if (getle64(ctx->header.deplist.programid[i]) != 0x0000000000000000UL)
-			fprintf(stdout, "Dependency:             %016llX\n", getle64(ctx->header.deplist.programid[i]));
+			fprintf(stdout, "Dependency:             %016"PRIX64"\n", getle64(ctx->header.deplist.programid[i]));
 	}
 	if(savedatasize < sizeKB)
-		fprintf(stdout, "Savedata size:          0x%llX\n", savedatasize);
+		fprintf(stdout, "Savedata size:          0x%"PRIX64"\n", savedatasize);
 	else if(savedatasize < sizeMB)
-		fprintf(stdout, "Savedata size:          %lluK\n", savedatasize/sizeKB);
+		fprintf(stdout, "Savedata size:          %"PRIu64"K\n", savedatasize/sizeKB);
 	else
-		fprintf(stdout, "Savedata size:          %lluM\n", savedatasize/sizeMB);
-	fprintf(stdout, "Jump id:                %016llX\n", getle64(ctx->header.systeminfo.jumpid));
+		fprintf(stdout, "Savedata size:          %"PRIu64"M\n", savedatasize/sizeMB);
+	fprintf(stdout, "Jump id:                %016"PRIx64"\n", getle64(ctx->header.systeminfo.jumpid));
 
-	fprintf(stdout, "Program id:             %016llX %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
+	fprintf(stdout, "Program id:             %016"PRIx64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
 	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
 	fprintf(stdout, "System mode:            0x%X\n", (ctx->header.arm11systemlocalcaps.flag>>4)&0xF);
 	fprintf(stdout, "Ideal processor:        %d %s\n", (ctx->header.arm11systemlocalcaps.flag>>0)&0x3, exheader_getvalidstring(ctx->valididealprocessor));
diff --git a/ctrtool/ivfc.c b/ctrtool/ivfc.c
index 5ba15b8c..a4796ac3 100644
--- a/ctrtool/ivfc.c
+++ b/ctrtool/ivfc.c
@@ -5,6 +5,7 @@
 #include "utils.h"
 #include "ivfc.h"
 #include "ctr.h"
+#include <inttypes.h>
 
 void ivfc_init(ivfc_context* ctx)
 {
@@ -168,9 +169,9 @@ void ivfc_print(ivfc_context* ctx)
 			fprintf(stdout, "Level %d:               \n", i);
 		else
 			fprintf(stdout, "Level %d (%s):          \n", i, level->hashcheck == Good? "GOOD" : "FAIL");
-		fprintf(stdout, " Data offset:           0x%016llx\n", ctx->offset + level->dataoffset);
-		fprintf(stdout, " Data size:             0x%016llx\n", level->datasize);
-		fprintf(stdout, " Hash offset:           0x%016llx\n", ctx->offset + level->hashoffset);
+		fprintf(stdout, " Data offset:           0x%016"PRIx64"\n", ctx->offset + level->dataoffset);
+		fprintf(stdout, " Data size:             0x%016"PRIx64"\n", level->datasize);
+		fprintf(stdout, " Hash offset:           0x%016"PRIx64"\n", ctx->offset + level->hashoffset);
 		fprintf(stdout, " Hash block size:       0x%08x\n", level->hashblocksize);
 	}
 }
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 1f0c4520..de2328d3 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -6,6 +6,7 @@
 #include "utils.h"
 #include "ctr.h"
 #include "settings.h"
+#include <inttypes.h>
 
 static int programid_is_system(u8 programid[8])
 {
@@ -561,10 +562,10 @@ void ncch_print(ncch_context* ctx)
 	else
 		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);
 	fprintf(stdout, "Content size:           0x%08x\n", getle32(header->contentsize)*mediaunitsize);
-	fprintf(stdout, "Partition id:           %016llx\n", getle64(header->partitionid));
+	fprintf(stdout, "Partition id:           %016"PRIx64"\n", getle64(header->partitionid));
 	fprintf(stdout, "Maker code:             %04x\n", getle16(header->makercode));
 	fprintf(stdout, "Version:                %04x\n", getle16(header->version));
-	fprintf(stdout, "Program id:             %016llx\n", getle64(header->programid));
+	fprintf(stdout, "Program id:             %016"PRIx64"\n", getle64(header->programid));
 	if(ctx->logohashcheck == Unchecked)
 		memdump(stdout, "Logo hash:              ", header->logohash, 0x20);
 	else if(ctx->logohashcheck == Good)
@@ -579,7 +580,7 @@ void ncch_print(ncch_context* ctx)
 		memdump(stdout, "Exheader hash (GOOD):   ", header->extendedheaderhash, 0x20);
 	else
 		memdump(stdout, "Exheader hash (FAIL):   ", header->extendedheaderhash, 0x20);
-	fprintf(stdout, "Flags:                  %016llx\n", getle64(header->flags));
+	fprintf(stdout, "Flags:                  %016"PRIx64"\n", getle64(header->flags));
 	fprintf(stdout, " > Mediaunit size:      0x%x\n", mediaunitsize);
 	if (header->flags[7] & 4)
 		fprintf(stdout, " > Crypto key:          None\n");
diff --git a/ctrtool/ncsd.c b/ctrtool/ncsd.c
index d1ece64c..cf2336c2 100644
--- a/ctrtool/ncsd.c
+++ b/ctrtool/ncsd.c
@@ -5,6 +5,7 @@
 #include "ncsd.h"
 #include "utils.h"
 #include "ctr.h"
+#include <inttypes.h>
 
 
 void ncsd_init(ncsd_context* ctx)
@@ -122,7 +123,7 @@ void ncsd_print(ncsd_context* ctx)
 	else
 		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);       
 	fprintf(stdout, "Media size:             0x%08x\n", getle32(header->mediasize));
-	fprintf(stdout, "Media id:               %016llx\n", getle64(header->mediaid));
+	fprintf(stdout, "Media id:               %016"PRIX64"\n", getle64(header->mediaid));
 	//memdump(stdout, "Partition FS type:      ", header->partitionfstype, 8);
 	//memdump(stdout, "Partition crypt type:   ", header->partitioncrypttype, 8);
 	//memdump(stdout, "Partition offset/size:  ", header->partitionoffsetandsize, 0x40);
diff --git a/ctrtool/tmd.c b/ctrtool/tmd.c
index 572331b4..d86d4a5f 100644
--- a/ctrtool/tmd.c
+++ b/ctrtool/tmd.c
@@ -4,6 +4,7 @@
 #include <time.h>
 #include "tmd.h"
 #include "utils.h"
+#include <inttypes.h>
 
 
 void tmd_init(tmd_context* ctx)
@@ -158,7 +159,7 @@ void tmd_print(tmd_context* ctx)
 				fprintf(stdout, "[shared]");
 		}
 		fprintf(stdout, "\n");
-		fprintf(stdout, "Content size:           %016llx\n", getbe64(chunk->size));
+		fprintf(stdout, "Content size:           %016"PRIx64"\n", getbe64(chunk->size));
 
 		switch(ctx->content_hash_stat[getbe16(chunk->index)]) {
 			case 1:  memdump(stdout, "Content hash [OK]:      ", chunk->hash, 32); break;

From 1a925d98bc2c9c6b6ab066b2b96eb15754373075 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Tue, 26 Aug 2014 06:08:47 +0200
Subject: [PATCH 028/317] Nitpicking

---
 ctrtool/exheader.c | 2 +-
 ctrtool/ncsd.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 33d54b38..593af092 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -589,7 +589,7 @@ void exheader_print(exheader_context* ctx)
 		fprintf(stdout, "Savedata size:          %"PRIu64"M\n", savedatasize/sizeMB);
 	fprintf(stdout, "Jump id:                %016"PRIx64"\n", getle64(ctx->header.systeminfo.jumpid));
 
-	fprintf(stdout, "Program id:             %016"PRIx64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
+	fprintf(stdout, "Program id:             %016"PRIX64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
 	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
 	fprintf(stdout, "System mode:            0x%X\n", (ctx->header.arm11systemlocalcaps.flag>>4)&0xF);
 	fprintf(stdout, "Ideal processor:        %d %s\n", (ctx->header.arm11systemlocalcaps.flag>>0)&0x3, exheader_getvalidstring(ctx->valididealprocessor));
diff --git a/ctrtool/ncsd.c b/ctrtool/ncsd.c
index cf2336c2..07c211f6 100644
--- a/ctrtool/ncsd.c
+++ b/ctrtool/ncsd.c
@@ -123,7 +123,7 @@ void ncsd_print(ncsd_context* ctx)
 	else
 		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);       
 	fprintf(stdout, "Media size:             0x%08x\n", getle32(header->mediasize));
-	fprintf(stdout, "Media id:               %016"PRIX64"\n", getle64(header->mediaid));
+	fprintf(stdout, "Media id:               %016"PRIx64"\n", getle64(header->mediaid));
 	//memdump(stdout, "Partition FS type:      ", header->partitionfstype, 8);
 	//memdump(stdout, "Partition crypt type:   ", header->partitioncrypttype, 8);
 	//memdump(stdout, "Partition offset/size:  ", header->partitionoffsetandsize, 0x40);

From a90378b6f4db83569a8953765146310fe398e3bf Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 26 Aug 2014 15:44:15 +1000
Subject: [PATCH 029/317] misc

---
 makerom/ncsd.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 2827f5b4..4f01c649 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -681,17 +681,14 @@ bool IsCci(u8 *ncsd)
 u64 GetPartitionOffset(u8 *ncsd, u8 index)
 {
 	cci_hdr *hdr = (cci_hdr*)ncsd;
-	u32 media_size = 1 << (hdr->flags[cciflag_MEDIA_BLOCK_SIZE] + 9);
-	u32 offset = u8_to_u64(hdr->offset_sizeTable[index].offset,LE);
-	return (u64)offset*(u64)media_size;
+	u32 offset = ;
+	return (u64)u8_to_u64(hdr->offset_sizeTable[index].offset,LE) * (u64)GetCtrBlockSize(hdr->flags[cciflag_MEDIA_BLOCK_SIZE]);
 }
 
 u64 GetPartitionSize(u8 *ncsd, u8 index)
 {
 	cci_hdr *hdr = (cci_hdr*)ncsd;
-	u32 media_size = 1 << (hdr->flags[cciflag_MEDIA_BLOCK_SIZE] + 9);
-	u32 size = u8_to_u64(hdr->offset_sizeTable[index].size,LE);
-	return (u64)size*(u64)media_size;
+	return (u64)u8_to_u64(hdr->offset_sizeTable[index].size,LE) * (u64)GetCtrBlockSize(hdr->flags[cciflag_MEDIA_BLOCK_SIZE]);
 }
 
 u8* GetPartition(u8 *ncsd, u8 index)

From e5b6a1bd722814204d831cd13c7279b122eaaf3a Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 26 Aug 2014 16:03:06 +1000
Subject: [PATCH 030/317] misc

---
 makerom/ncsd.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 4f01c649..c554eb0e 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -681,7 +681,6 @@ bool IsCci(u8 *ncsd)
 u64 GetPartitionOffset(u8 *ncsd, u8 index)
 {
 	cci_hdr *hdr = (cci_hdr*)ncsd;
-	u32 offset = ;
 	return (u64)u8_to_u64(hdr->offset_sizeTable[index].offset,LE) * (u64)GetCtrBlockSize(hdr->flags[cciflag_MEDIA_BLOCK_SIZE]);
 }
 

From d0f4ea17f86f02a965415bfbbf25b6192ed5bec3 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Wed, 27 Aug 2014 00:25:01 +1000
Subject: [PATCH 031/317] standardized case for PRIx64 macro

---
 ctrtool/exheader.c | 8 ++++----
 makerom/elf.c      | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 593af092..afb19279 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -429,7 +429,7 @@ void exheader_print_arm11storageinfo(exheader_context* ctx)
 			accessiblesaveID[i] = 0;
 	}
 
-	fprintf(stdout, "Ext savedata id:        0x%08"PRIX64"\n",extdataID);
+	fprintf(stdout, "Ext savedata id:        0x%08"PRIx64"\n",extdataID);
 	for(i = 0; i < 2; i++)
 		fprintf(stdout, "System savedata id %d:   0x%08x %s\n",i+1,systemsaveID[i],exheader_getvalidstring(ctx->validsystemsaveID[i]));
 	for(i = 0; i < 3; i++)
@@ -579,17 +579,17 @@ void exheader_print(exheader_context* ctx)
 	for(i=0; i<0x30; i++)
 	{
 		if (getle64(ctx->header.deplist.programid[i]) != 0x0000000000000000UL)
-			fprintf(stdout, "Dependency:             %016"PRIX64"\n", getle64(ctx->header.deplist.programid[i]));
+			fprintf(stdout, "Dependency:             %016"PRIx64"\n", getle64(ctx->header.deplist.programid[i]));
 	}
 	if(savedatasize < sizeKB)
-		fprintf(stdout, "Savedata size:          0x%"PRIX64"\n", savedatasize);
+		fprintf(stdout, "Savedata size:          0x%"PRIx64"\n", savedatasize);
 	else if(savedatasize < sizeMB)
 		fprintf(stdout, "Savedata size:          %"PRIu64"K\n", savedatasize/sizeKB);
 	else
 		fprintf(stdout, "Savedata size:          %"PRIu64"M\n", savedatasize/sizeMB);
 	fprintf(stdout, "Jump id:                %016"PRIx64"\n", getle64(ctx->header.systeminfo.jumpid));
 
-	fprintf(stdout, "Program id:             %016"PRIX64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
+	fprintf(stdout, "Program id:             %016"PRIx64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
 	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
 	fprintf(stdout, "System mode:            0x%X\n", (ctx->header.arm11systemlocalcaps.flag>>4)&0xF);
 	fprintf(stdout, "Ideal processor:        %d %s\n", (ctx->header.arm11systemlocalcaps.flag>>0)&0x3, exheader_getvalidstring(ctx->valididealprocessor));
diff --git a/makerom/elf.c b/makerom/elf.c
index 3f5a91c0..532d6669 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -483,18 +483,18 @@ void PrintElfContext(elf_context *elf, u8 *elfFile)
 	printf(" Class:  %s\n",elf->Is64bit ? "64-bit" : "32-bit");
 	printf(" Data:   %s\n",elf->IsLittleEndian ? "Little Endian" : "Big Endian");
 	printf("[ELF] Program Table Data\n");
-	printf(" Offset: 0x%"PRIX64"\n",elf->programTableOffset);
+	printf(" Offset: 0x%"PRIx64"\n",elf->programTableOffset);
 	printf(" Size:   0x%x\n",elf->programTableEntrySize);
 	printf(" Count:  0x%x\n",elf->programTableEntryCount);
 	printf("[ELF] Section Table Data\n");
-	printf(" Offset: 0x%"PRIX64"\n",elf->sectionTableOffset);
+	printf(" Offset: 0x%"PRIx64"\n",elf->sectionTableOffset);
 	printf(" Size:   0x%x\n",elf->sectionTableEntrySize);
 	printf(" Count:  0x%x\n",elf->sectionTableEntryCount);
 	printf(" Label index: 0x%x\n",elf->sectionHeaderNameEntryIndex);
 	for(int i = 0; i < elf->activeSegments; i++){
 		printf(" Segment [%d][%s]\n",i,elf->segments[i].name);
-		printf(" > Size :     0x%"PRIX64"\n",elf->segments[i].header->sizeInFile);
-		printf(" > Address :  0x%"PRIX64"\n",elf->segments[i].vAddr);
+		printf(" > Size :     0x%"PRIx64"\n",elf->segments[i].header->sizeInFile);
+		printf(" > Address :  0x%"PRIx64"\n",elf->segments[i].vAddr);
 		printf(" > Sections : %d\n",elf->segments[i].sectionNum);  
 		for(int j = 0; j < elf->segments[i].sectionNum; j++)
 			printf("    > Section [%d][%s]\n",j,elf->segments[i].sections[j].name);

From 2448dee471750d17e786b2c5e1348e7b938ac522 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Thu, 28 Aug 2014 22:35:20 +1000
Subject: [PATCH 032/317] made bss optional

---
 makerom/elf.c | 10 +++++-----
 makerom/elf.h |  9 ++++-----
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index 532d6669..d30db0a5 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -113,7 +113,6 @@ int BuildExeFsCode(ncch_settings *set)
 		if(result == NOT_ELF_FILE) fprintf(stderr,"[ELF ERROR] Not ELF File\n");
 		else if(result == NOT_ARM_ELF) fprintf(stderr,"[ELF ERROR] Not ARM ELF\n");
 		else if(result == NON_EXECUTABLE_ELF) fprintf(stderr,"[ELF ERROR] Not Executeable ELF\n");
-		else if(result == NOT_FIND_BSS_SIZE) fprintf(stderr,"[ELF ERROR] BSS Size Could not be found\n");
 		else if(result == NOT_FIND_CODE_SECTIONS) fprintf(stderr,"[ELF ERROR] Failed to retrieve code sections from ELF\n");
 		else fprintf(stderr,"[ELF ERROR] Failed to process ELF file (%d)\n",result);
 	}
@@ -175,13 +174,14 @@ u32 SizeToPage(u32 memorySize, elf_context *elf)
 
 int GetBSSFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set)
 {
+	set->codeDetails.bssSize = 0;
+	
 	for(int i = 0; i < elf->sectionTableEntryCount; i++){
-		if(IsBss(&elf->sections[i])) {
+		if(IsBss(&elf->sections[i]))
 			set->codeDetails.bssSize = elf->sections[i].size;
-			return 0;
-		}
 	}
-	return NOT_FIND_BSS_SIZE;
+	
+	return 0;
 }
 
 int ImportPlainRegionFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set) // Doesn't work same as N makerom
diff --git a/makerom/elf.h b/makerom/elf.h
index d3a24640..4ce9121b 100644
--- a/makerom/elf.h
+++ b/makerom/elf.h
@@ -6,11 +6,10 @@ typedef enum
 	NOT_ARM_ELF = -11,
 	NON_EXECUTABLE_ELF = -12,
 	ELF_SECTION_NOT_FOUND = -13,
-	NOT_FIND_BSS_SIZE = -14,
-	NOT_FIND_CODE_SECTIONS = -15,
-	ELF_SEGMENT_SECTION_SIZE_MISMATCH = -16,
-	ELF_SEGMENTS_NOT_CONTINUOUS = -17,
-	ELF_SEGMENTS_NOT_FOUND = -18,
+	NOT_FIND_CODE_SECTIONS = -14,
+	ELF_SEGMENT_SECTION_SIZE_MISMATCH = -15,
+	ELF_SEGMENTS_NOT_CONTINUOUS = -16,
+	ELF_SEGMENTS_NOT_FOUND = -17,
 } elf_errors;
 
 typedef struct

From 64665019c38da0ff294c167135a814a36fc2a997 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Thu, 28 Aug 2014 22:38:18 +1000
Subject: [PATCH 033/317] removed debug printf statments

this isn't a prototype anymore, idk why they were there
---
 makerom/makerom.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/makerom/makerom.c b/makerom/makerom.c
index 3d891ce9..321f4aec 100644
--- a/makerom/makerom.c
+++ b/makerom/makerom.c
@@ -65,9 +65,6 @@ int main(int argc, char *argv[])
 		}
 	}
 	else{// Build Content 0
-#ifdef DEBUG
-	printf("[DEBUG] Build NCCH0\n");
-#endif
 		result = build_NCCH(set);
 		if(result < 0) { 
 			//fprintf(stderr,"[ERROR] %s generation failed\n",set->build_ncch_type == CXI? "CXI" : "CFA"); 
@@ -77,9 +74,6 @@ int main(int argc, char *argv[])
 	}
 	// Make CCI
 	if(set->common.outFormat == CCI){
-#ifdef DEBUG
-	printf("[DEBUG] Building CCI\n");
-#endif
 		result = build_CCI(set);
 		if(result < 0) { 
 			fprintf(stderr,"[RESULT] Failed to build CCI\n");
@@ -88,9 +82,6 @@ int main(int argc, char *argv[])
 	}
 	// Make CIA
 	else if(set->common.outFormat == CIA){
-#ifdef DEBUG
-	printf("[DEBUG] Building CIA\n");
-#endif
 		result = build_CIA(set);
 		if(result < 0) { 
 			fprintf(stderr,"[RESULT] Failed to build CIA\n"); 
@@ -99,9 +90,6 @@ int main(int argc, char *argv[])
 	}
 	// No Container Raw CXI/CFA
 	else if(set->common.outFormat == CXI || set->common.outFormat == CFA){
-#ifdef DEBUG
-	printf("[DEBUG] Outputting NCCH, because No Container\n");
-#endif
 		FILE *ncch_out = fopen(set->common.outFileName,"wb");
 		if(!ncch_out) {
 			fprintf(stderr,"[MAKEROM ERROR] Failed to create '%s'\n",set->common.outFileName); 
@@ -114,12 +102,6 @@ int main(int argc, char *argv[])
 	}
 	
 finish:
-#ifdef DEBUG
-	printf("[DEBUG] Free Context\n");
-#endif
 	free_UserSettings(set);
-#ifdef DEBUG
-	printf("[DEBUG] Finished returning (result=%d)\n",result);
-#endif
 	return result;
 }
\ No newline at end of file

From 61da4a110758837ccd5b48d569800162f35d6eb1 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Fri, 29 Aug 2014 21:50:18 +1000
Subject: [PATCH 034/317] made text and data ELF regions compulsory

---
 makerom/elf.c | 9 +++++++--
 makerom/elf.h | 9 +++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index d30db0a5..03adee20 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -113,7 +113,8 @@ int BuildExeFsCode(ncch_settings *set)
 		if(result == NOT_ELF_FILE) fprintf(stderr,"[ELF ERROR] Not ELF File\n");
 		else if(result == NOT_ARM_ELF) fprintf(stderr,"[ELF ERROR] Not ARM ELF\n");
 		else if(result == NON_EXECUTABLE_ELF) fprintf(stderr,"[ELF ERROR] Not Executeable ELF\n");
-		else if(result == NOT_FIND_CODE_SECTIONS) fprintf(stderr,"[ELF ERROR] Failed to retrieve code sections from ELF\n");
+		else if(result == NOT_FIND_TEXT_SEGMENT) fprintf(stderr,"[ELF ERROR] Failed to retrieve text sections from ELF\n");
+		else if(result == NOT_FIND_DATA_SEGMENT) fprintf(stderr,"[ELF ERROR] Failed to retrieve data sections from ELF\n");
 		else fprintf(stderr,"[ELF ERROR] Failed to process ELF file (%d)\n",result);
 	}
 	for(int i = 0; i < elf->activeSegments; i++)
@@ -239,9 +240,13 @@ int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set)
 	result = CreateCodeSegmentFromElf(&rwdata,elf,elfFile,set->rsfSet->ExeFs.ReadWrite,set->rsfSet->ExeFs.ReadWriteNum);
 	if(result) return result;
 
+	/* Checking the existence of essential ELF Segments */
+	if(!text.size) return NOT_FIND_TEXT_SEGMENT;
+	if(!rwdata.size) return NOT_FIND_DATA_SEGMENT;
+	
 	/* Allocating Buffer for ExeFs Code */
 	u32 size = (text.maxPageNum + rodata.maxPageNum + rwdata.maxPageNum)*elf->pageSize;
-	u8 *code = malloc(size);
+	u8 *code = calloc(1,size);
 
 	/* Writing Code into Buffer */
 	u8 *textPos = (code + 0);
diff --git a/makerom/elf.h b/makerom/elf.h
index 4ce9121b..585af39f 100644
--- a/makerom/elf.h
+++ b/makerom/elf.h
@@ -6,10 +6,11 @@ typedef enum
 	NOT_ARM_ELF = -11,
 	NON_EXECUTABLE_ELF = -12,
 	ELF_SECTION_NOT_FOUND = -13,
-	NOT_FIND_CODE_SECTIONS = -14,
-	ELF_SEGMENT_SECTION_SIZE_MISMATCH = -15,
-	ELF_SEGMENTS_NOT_CONTINUOUS = -16,
-	ELF_SEGMENTS_NOT_FOUND = -17,
+	NOT_FIND_TEXT_SEGMENT = -14,
+	NOT_FIND_DATA_SEGMENT = -15
+	ELF_SEGMENT_SECTION_SIZE_MISMATCH = -16,
+	ELF_SEGMENTS_NOT_CONTINUOUS = -17,
+	ELF_SEGMENTS_NOT_FOUND = -18,
 } elf_errors;
 
 typedef struct

From 5e9c14621b737263c17d1c63e68a01f344d59df5 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 00:07:47 +1000
Subject: [PATCH 035/317] fix

---
 makerom/elf.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/elf.h b/makerom/elf.h
index 585af39f..269f2093 100644
--- a/makerom/elf.h
+++ b/makerom/elf.h
@@ -7,7 +7,7 @@ typedef enum
 	NON_EXECUTABLE_ELF = -12,
 	ELF_SECTION_NOT_FOUND = -13,
 	NOT_FIND_TEXT_SEGMENT = -14,
-	NOT_FIND_DATA_SEGMENT = -15
+	NOT_FIND_DATA_SEGMENT = -15,
 	ELF_SEGMENT_SECTION_SIZE_MISMATCH = -16,
 	ELF_SEGMENTS_NOT_CONTINUOUS = -17,
 	ELF_SEGMENTS_NOT_FOUND = -18,

From 5ae26c3436425424988a4f30cbafbbcba90389ca Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 00:23:11 +1000
Subject: [PATCH 036/317] moved error detection to proper place

---
 makerom/ncch.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/makerom/ncch.c b/makerom/ncch.c
index 98778727..10c4a92f 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -858,17 +858,16 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 		
 	ncch_hdr *hdr = (ncch_hdr*)ncch;
 	
-	if(/*keys->rsa.requiresPresignedDesc && */!IsCfa(hdr)){
-		fprintf(stderr,"[NCCH ERROR] CXI's ID cannot be modified without the ability to resign the AccessDesc\n"); // Not yet yet, requires AccessDesc Privk, may implement anyway later
-		return -1;
-	}
-	
 	bool titleIdMatches = titleId == NULL? true : memcmp(titleId,hdr->titleId,8) == 0;
 	bool programIdMatches = programId == NULL? true : memcmp(programId,hdr->programId,8) == 0;
 
 	if(titleIdMatches && programIdMatches) 
 		return 0;// if no modification is required don't do anything
 
+	if(/*keys->rsa.requiresPresignedDesc && */!IsCfa(hdr)){
+		fprintf(stderr,"[NCCH ERROR] CXI's ID cannot be modified without the ability to resign the AccessDesc\n"); // Not yet yet, requires AccessDesc Privk, may implement anyway later
+		return -1;
+	}
 
 	ncch_info ncchInfo;
 	u8 *romfs = NULL;

From 1320a06bd0c548b803ced9c67ddd426532462cf3 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 00:56:00 +1000
Subject: [PATCH 037/317] added roundup() to utils

---
 makerom/utils.c | 7 ++++++-
 makerom/utils.h | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/makerom/utils.c b/makerom/utils.c
index bda3076b..450427fd 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -41,10 +41,15 @@ void clrmem(void *ptr, u64 num)
 }
 
 // Misc
+u64 roundup(u64 value, u64 alignment)
+{
+	return value + alignment - value % alignment;
+}
+
 u64 align(u64 value, u64 alignment)
 {
 	if(value % alignment != 0)
-		return value + alignment - value % alignment;
+		return roundup(value,alignment);
 	else
 		return value;
 }
diff --git a/makerom/utils.h b/makerom/utils.h
index 8c7d5a44..da32454f 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -13,6 +13,7 @@ void rndset(void *ptr, u64 num);
 void clrmem(void *ptr, u64 num);
 
 // MISC
+u64 roundup(u64 value, u64 alignment);
 u64 align(u64 value, u64 alignment);
 u64 min64(u64 a, u64 b);
 u64 max64(u64 a, u64 b);

From 1858c055c284547f414fafc2736d5e41aa51bc21 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 00:56:19 +1000
Subject: [PATCH 038/317] implemented proper tik content idx generation

---
 makerom/tik.c | 110 ++++++++++++++++++++++++++++++++++++++++----------
 makerom/tik.h |  21 +++++++++-
 2 files changed, 108 insertions(+), 23 deletions(-)

diff --git a/makerom/tik.c b/makerom/tik.c
index 352d5565..5f2e233c 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -3,32 +3,42 @@
 #include "tik_build.h"
 
 // Private Prototypes
-int SetupTicketBuffer(buffer_struct *tik);
-int SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset);
-int SignTicketHeader(tik_hdr *hdr, tik_signature *sig, keys_struct *keys);
+int SetupTicketBuffer(cia_settings *set);
+void SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset);
+int SignTicketHeader(buffer_struct *tik, keys_struct *keys);
 void SetLimits(tik_hdr *hdr, cia_settings *ciaset);
-void SetContentIndexData(tik_hdr *hdr, cia_settings *ciaset);
+u32 GetContentIndexSegNum(cia_settings *set);
+void SetContentIndexHeader(tik_content_index_hdr *hdr, cia_settings *set);
+void SetContentIndexData(tik_content_index_struct *data, cia_settings *set);
 
 
-int BuildTicket(cia_settings *ciaset)
+int BuildTicket(cia_settings *set)
 {
 	int result = 0;
-	result = SetupTicketBuffer(&ciaset->ciaSections.tik);
+	result = SetupTicketBuffer(set);
 	if(result) return result;
 	
 	// Setting Ticket Struct Ptrs
-	tik_signature *sig = (tik_signature*)ciaset->ciaSections.tik.buffer;
-	tik_hdr *hdr = (tik_hdr*)(ciaset->ciaSections.tik.buffer+sizeof(tik_signature));
-
-	result = SetupTicketHeader(hdr,ciaset);
-	if(result) return result;
-	result = SignTicketHeader(hdr,sig,ciaset->keys);
+	buffer_struct *tik = &set->ciaSections.tik;
+	
+	tik_hdr *hdr = (tik_hdr*) (tik->buffer + sizeof(tik_signature));
+	tik_content_index_hdr *idxHdr = (tik_content_index_hdr*) (tik->buffer + sizeof(tik_signature) + sizeof(tik_hdr));
+	tik_content_index_struct *idxData = (tik_content_index_struct*) (tik->buffer + sizeof(tik_signature) + sizeof(tik_hdr) + sizeof(tik_content_index_hdr));
+	
+	
+	SetupTicketHeader(hdr,set);
+	SetContentIndexHeader(idxHdr,set);
+	SetContentIndexData(idxData,set);
+	
+	result = SignTicketHeader(tik,set->keys);
 	return 0;
 }
 
-int SetupTicketBuffer(buffer_struct *tik)
+int SetupTicketBuffer(cia_settings *set)
 {
-	tik->size = sizeof(tik_signature) + sizeof(tik_hdr);
+	buffer_struct *tik = &set->ciaSections.tik;
+	
+	tik->size = sizeof(tik_signature) + sizeof(tik_hdr) + sizeof(tik_content_index_hdr) + sizeof(tik_content_index_struct)*GetContentIndexSegNum(set);
 	tik->buffer = calloc(1,tik->size);
 	if(!tik->buffer) { 
 		fprintf(stderr,"[TIK ERROR] Not enough memory\n"); 
@@ -37,7 +47,7 @@ int SetupTicketBuffer(buffer_struct *tik)
 	return 0;
 }
 
-int SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
+void SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 {
 	clrmem(hdr,sizeof(tik_hdr));
 
@@ -58,15 +68,19 @@ int SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 	memcpy(hdr->eshopAccId,ciaset->tik.eshopAccId,4);
 	hdr->audit = ciaset->tik.audit;
 	SetLimits(hdr,ciaset);
-	SetContentIndexData(hdr,ciaset);
-	return 0;
 }
 
-int SignTicketHeader(tik_hdr *hdr, tik_signature *sig, keys_struct *keys)
+int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
 {
+	tik_signature *sig = (tik_signature*)tik->buffer;
+	u8 *data = tik->buffer + sizeof(tik_signature);
+	u32 len = tik->size - sizeof(tik_signature);
+	
+
 	clrmem(sig,sizeof(tik_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
-	return ctr_sig((u8*)hdr,sizeof(tik_hdr),sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	
+	return ctr_sig(data,len,sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
 int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *keys, u8 mode)
@@ -94,10 +108,62 @@ void SetLimits(tik_hdr *hdr, cia_settings *ciaset) // TODO?
 	memset(hdr->limits,0,0x40);
 }
 
-void SetContentIndexData(tik_hdr *hdr, cia_settings *ciaset) // TODO?
+u32 GetContentIndexSegNum(cia_settings *set)
 {
-	memset(hdr->contentIndex,0,0xAC);
-	memcpy(hdr->contentIndex,default_contentIndex,0x30);
+	u32 num, level, i;
+	
+	num = level = 0;
+	
+	for( i = 0; i < set->content.count; i++)
+	{
+		if(set->content.index[i] >= level)
+		{
+			level = roundup(set->content.index[i],0x400);
+			num++;
+		}
+	}
+	return num;
+}
+
+void SetContentIndexHeader(tik_content_index_hdr *hdr, cia_settings *set)
+{
+	u32 hdrSize = sizeof(tik_content_index_hdr);
+	u32 segNum = GetContentIndexSegNum(set);
+	u32 segSize = sizeof(tik_content_index_struct);
+	u32 segTotalSize = segSize * segNum;
+	u32 totalSize = hdrSize + segTotalSize;
+	
+	u32_to_u8(hdr->unk0,0x00010014,BE);
+	u32_to_u8(hdr->totalSize,totalSize,BE);
+	u32_to_u8(hdr->unk1,0x00000014,BE);
+	u32_to_u8(hdr->unk2,0x00010014,BE);
+	u32_to_u8(hdr->unk3,0x00000000,BE);
+	u32_to_u8(hdr->hdrSize,hdrSize,BE);
+	u32_to_u8(hdr->segNum,segNum,BE);
+	u32_to_u8(hdr->segSize,segSize,BE);
+	u32_to_u8(hdr->segTotalSize,segTotalSize,BE);
+	u32_to_u8(hdr->unk4,0x00030000,BE);
+}
+
+void SetContentIndexData(tik_content_index_struct *data, cia_settings *set)
+{
+	u32 level, i;
+	int j;
+	
+	j = -1;
+	level = 0;
+	
+	for( i = 0; i < set->content.count; i++)
+	{
+		if(set->content.index[i] >= level)
+		{
+			level = roundup(set->content.index[i],0x400);
+			j++;
+			u32_to_u8(data[j].level,(set->content.index[i]/0x400)*0x400,BE);
+		}
+		data[j].index[(set->content.index[i] & 0x3ff)/8] |= 1 << (set->content.index[i] & 0x7);
+	}
+	
 }
 
 tik_hdr *GetTikHdr(u8 *tik)
diff --git a/makerom/tik.h b/makerom/tik.h
index d8b7c054..8cc351d5 100644
--- a/makerom/tik.h
+++ b/makerom/tik.h
@@ -20,6 +20,26 @@ typedef enum
 	right_AccessTitle = 5
 } tik_item_rights;
 
+typedef struct
+{
+	u8 unk0[4];
+	u8 totalSize[4];
+	u8 unk1[4];
+	u8 unk2[4];
+	u8 unk3[4];
+	u8 hdrSize[4];
+	u8 segNum[4];
+	u8 segSize[4];
+	u8 segTotalSize[4];
+	u8 unk4[4];
+} tik_content_index_hdr;
+
+typedef struct
+{
+    u8 level[4];
+	u8 index[0x80];
+} tik_content_index_struct;
+
 typedef struct
 {
 	u8 sigType[4];
@@ -50,7 +70,6 @@ typedef struct
 	u8 audit;
 	u8 padding5[0x42];
 	u8 limits[0x40];
-	u8 contentIndex[0xAC];
 } tik_hdr;
 
 

From a6c4112ee198c9302be9d49f538b9cc7b6aabe71 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 00:58:58 +1000
Subject: [PATCH 039/317] fixed ptr misalignment

---
 makerom/cia.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index b9ab061c..4c65e0b7 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -443,7 +443,7 @@ int ImportNcchContent(cia_settings *ciaset)
 		return MEM_ERROR;
 	}
 
-	ncch_hdr *ncch0hdr = (ncch_hdr*)(ciaset->ciaSections.content.buffer+0x100);
+	ncch_hdr *ncch0hdr = (ncch_hdr*)ciaset->ciaSections.content.buffer;
 	for(int i = 1; i < ciaset->content.count; i++){
 		// Import
 		u8 *ncchpos = (u8*)(ciaset->ciaSections.content.buffer+ciaset->content.offset[i]);

From 7f8c1f92a4ebf8c91ce1b8bb341fb1a0999496b1 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 01:05:12 +1000
Subject: [PATCH 040/317] simplified cia hdr content idx calc

---
 makerom/cia.c | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 4c65e0b7..095fb28f 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -629,24 +629,9 @@ int BuildCiaHdr(cia_settings *ciaset)
 	ciaset->ciaSections.contentOffset = align(ciaset->ciaSections.tmdOffset+ciaset->ciaSections.tmd.size,0x40);
 	ciaset->ciaSections.metaOffset = align(ciaset->ciaSections.contentOffset+ciaset->content.totalSize,0x40);
 	
-	for(int i = 0; i < ciaset->content.count; i++){
-		// This works by treating the 0x2000 byte index array as an array of 2048 u32 values
-		
-		// Used for determining which u32 chunk to write the value to
-		u16 section = ciaset->content.index[i]/32;
-		
-		// Calculating the value added to the u32
-		u32 value = 1 << (0x1F-ciaset->content.index[i]);
-
-		// Retrieving current u32 block
-		u32 cur_content_index_section = u8_to_u32(hdr->contentIndex+(sizeof(u32)*section),BE);
-		
-		// Adding value to block
-		cur_content_index_section += value;
+	for(int i = 0; i < ciaset->content.count; i++)
+		hdr->contentIndex[ciaset->content.index[i]/8] |= 1 << (7 - (ciaset->content.index[i] & 7));
 		
-		// Returning block
-		u32_to_u8(hdr->contentIndex+(sizeof(u32)*section),cur_content_index_section,BE);
-	}
 	return 0;
 }
 

From 9828b8b06136890426f7319f8b911b706b0604e6 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 01:41:42 +1000
Subject: [PATCH 041/317] relaxed -f argument

-f cxi and -f cfa can be used, but has same effect as -f ncch
---
 makerom/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 423278bf..97505ab0 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -140,7 +140,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;
 		}
-		if(strcasecmp(argv[i+1],"ncch") == 0) 
+		if(strcasecmp(argv[i+1],"ncch") == 0 || strcasecmp(argv[i+1],"cxi") == 0 || strcasecmp(argv[i+1],"cfa") == 0) 
 			set->common.outFormat = NCCH;
 		else if(strcasecmp(argv[i+1],"cci") == 0)
 			set->common.outFormat = CCI;

From 8eb185915837d567fc59971ce483137a37e3a8ac Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 01:47:03 +1000
Subject: [PATCH 042/317] completely moved "code"+"exhdr" parsing to elf.c

---
 makerom/elf.c      | 38 ++++++++++++++++++++++++++++++++++++--
 makerom/exheader.c | 29 +++++++++--------------------
 makerom/exheader.h |  6 +++---
 3 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index 03adee20..7bd07ded 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -1,5 +1,6 @@
 #include "lib.h"
 #include "ncch_build.h"
+#include "exheader_read.h"
 #include "elf_hdr.h"
 #include "elf.h"
 #include "blz.h"
@@ -140,7 +141,10 @@ int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
 {
 	u32 size = set->componentFilePtrs.codeSize;
 	u8 *buffer = malloc(size);
-	if(!buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
+	if(!buffer) {
+		fprintf(stderr,"[ELF ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
 	ReadFile64(buffer,size,0,set->componentFilePtrs.code);
 
 	set->exefsSections.code.size = set->componentFilePtrs.codeSize;
@@ -157,6 +161,36 @@ int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
 		set->exefsSections.code.size = size;
 		set->exefsSections.code.buffer = buffer;
 	}
+	
+	size = set->componentFilePtrs.exhdrSize;
+	if(size < sizeof(extended_hdr)){
+		fprintf(stderr,"[ELF ERROR] Exheader code info template is too small\n");
+		return FAILED_TO_IMPORT_FILE;
+	}
+	extended_hdr *exhdr = malloc(size);
+	if(!exhdr) {
+		fprintf(stderr,"[ELF ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
+	ReadFile64(exhdr,size,0,set->componentFilePtrs.exhdr);
+	
+	/* Setting code_segment data */
+	set->codeDetails.textAddress = u8_to_u32(exhdr->codeSetInfo.text.address,LE);
+	set->codeDetails.textMaxPages = u8_to_u32(exhdr->codeSetInfo.text.numMaxPages,LE);
+	set->codeDetails.textSize = u8_to_u32(exhdr->codeSetInfo.text.codeSize,LE);
+
+	set->codeDetails.roAddress = u8_to_u32(exhdr->codeSetInfo.rodata.address,LE);
+	set->codeDetails.roMaxPages = u8_to_u32(exhdr->codeSetInfo.rodata.numMaxPages,LE);
+	set->codeDetails.roSize = u8_to_u32(exhdr->codeSetInfo.rodata.codeSize,LE);
+
+	set->codeDetails.rwAddress = u8_to_u32(exhdr->codeSetInfo.data.address,LE);
+	set->codeDetails.rwMaxPages = u8_to_u32(exhdr->codeSetInfo.data.numMaxPages,LE);
+	set->codeDetails.rwSize = u8_to_u32(exhdr->codeSetInfo.data.codeSize,LE);
+	
+	set->codeDetails.bssSize = u8_to_u32(exhdr->codeSetInfo.bssSize,LE);
+	
+	free(exhdr);
+	
 	return 0;
 }
 
@@ -269,7 +303,7 @@ int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set)
 		set->exefsSections.code.buffer = code;
 	}
 
-	/* Setting code_segment rwdata and freeing original buffers */
+	/* Setting code_segment data and freeing original buffers */
 	set->codeDetails.textAddress = text.address;
 	set->codeDetails.textMaxPages = text.maxPageNum;
 	set->codeDetails.textSize = text.size;
diff --git a/makerom/exheader.c b/makerom/exheader.c
index 9c99f258..d7dba89a 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -121,17 +121,6 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
-	
-	/* Import ExHeader Code Section template */
-	if(ncchset->componentFilePtrs.exhdrSize){ 
-		u32 import_size = 0x30; //min64(0x30,ncchset->componentFilePtrs.exhdrSize);
-		u32 import_offset = 0x10;
-		if((import_size+import_offset) > ncchset->componentFilePtrs.exhdrSize){
-			fprintf(stderr,"[EXHEADER ERROR] Exheader Template is too small\n");
-			return FAILED_TO_IMPORT_FILE;
-		}
-		ReadFile64((ncchset->sections.exhdr.buffer+import_offset),import_size,import_offset,ncchset->componentFilePtrs.exhdr);
-	}
 
 	/* Create ExHeader Struct for output */
 	exhdrset->exHdr = (extended_hdr*)ncchset->sections.exhdr.buffer;
@@ -142,17 +131,17 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 		/* BSS Size */
 		u32_to_u8(exhdrset->exHdr->codeSetInfo.bssSize,ncchset->codeDetails.bssSize,LE);
 		/* Data */
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.dataSectionInfo.address,ncchset->codeDetails.rwAddress,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.dataSectionInfo.codeSize,ncchset->codeDetails.rwSize,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.dataSectionInfo.numMaxPages,ncchset->codeDetails.rwMaxPages,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.data.address,ncchset->codeDetails.rwAddress,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.data.codeSize,ncchset->codeDetails.rwSize,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.data.numMaxPages,ncchset->codeDetails.rwMaxPages,LE);
 		/* RO */
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.readOnlySectionInfo.address,ncchset->codeDetails.roAddress,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.readOnlySectionInfo.codeSize,ncchset->codeDetails.roSize,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.readOnlySectionInfo.numMaxPages,ncchset->codeDetails.roMaxPages,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.address,ncchset->codeDetails.roAddress,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.codeSize,ncchset->codeDetails.roSize,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.numMaxPages,ncchset->codeDetails.roMaxPages,LE);
 		/* Text */
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.textSectionInfo.address,ncchset->codeDetails.textAddress,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.textSectionInfo.codeSize,ncchset->codeDetails.textSize,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.textSectionInfo.numMaxPages,ncchset->codeDetails.textMaxPages,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.text.address,ncchset->codeDetails.textAddress,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.text.codeSize,ncchset->codeDetails.textSize,LE);
+		u32_to_u8(exhdrset->exHdr->codeSetInfo.text.numMaxPages,ncchset->codeDetails.textMaxPages,LE);
 	}
 
 	/* Set Simple Flags */
diff --git a/makerom/exheader.h b/makerom/exheader.h
index d2d216fb..ee1e2d45 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -99,11 +99,11 @@ typedef struct
 	u8 padding0[5];
 	u8 flag;
 	u8 remasterVersion[2]; // le u16
-	exhdr_CodeSegmentInfo textSectionInfo;
+	exhdr_CodeSegmentInfo text;
 	u8 stackSize[4]; // le u32
-	exhdr_CodeSegmentInfo readOnlySectionInfo;
+	exhdr_CodeSegmentInfo rodata;
 	u8 padding1[4];
-	exhdr_CodeSegmentInfo dataSectionInfo;
+	exhdr_CodeSegmentInfo data;
 	u8 bssSize[4]; // le u32
 } exhdr_CodeSetInfo;
 

From 652a50744a01dd5e8dc2e96a1c677ecc2184b116 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 01:47:47 +1000
Subject: [PATCH 043/317] makerom 0.12

bug fixes and proper cia ticket generation
---
 makerom/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index 5293084a..48ecc523 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -1,7 +1,7 @@
 # Makerom Sources
 UTILS_OBJS = utils.o ctr_utils.o dir.o utf.o keyset.o titleid.o
 CIA_OBJS = cia.o certs.o tik.o tmd.o
-NCCH_OBJS = ncch.o exheader.o accessdesc.o exefs.o elf.o romfs.o romfs_import.o romfs_gen.o  
+NCCH_OBJS = ncch.o exheader.o accessdesc.o exefs.o elf.o romfs.o romfs_import.o romfs_gen.o
 NCSD_OBJS = ncsd.o cardinfo.o
 SETTINGS_OBJS = user_settings.o rsf_settings.o
 LIB_API_OBJS = crypto.o yaml_parser.o blz.o
@@ -21,7 +21,7 @@ CC = gcc
 # MAKEROM Build Settings
 MAKEROM_BUILD_FLAGS = #-DDEBUG
 VER_MAJOR = 0
-VER_MINOR = 11
+VER_MINOR = 12
 OUTPUT = makerom
 
 main: build

From 96960526e8208dc0bf0863309a4e1759b3ff444f Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 12:34:24 +1000
Subject: [PATCH 044/317] refactored cia code

an attempt make errors in tik/tmd values rarer in occurence
---
 makerom/cia.c       | 36 +++++++++++++++++-------------------
 makerom/cia_build.h | 19 ++++++++++---------
 makerom/tik.c       | 30 ++++++++++++++++--------------
 makerom/titleid.c   | 10 ++++++++++
 makerom/titleid.h   |  3 +++
 makerom/tmd.c       | 11 ++++++-----
 6 files changed, 62 insertions(+), 47 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 095fb28f..07eefdf3 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -166,7 +166,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	ciaset->content.includeUpdateNcch = usrset->cia.includeUpdateNcch;
 	ciaset->verbose = usrset->common.verbose;
 	
-	u32_to_u8(ciaset->tmd.titleType,TYPE_CTR,BE);
+	ciaset->tmd.titleType = TYPE_CTR;
 	ciaset->content.encryptCia = usrset->common.rsfSet.Option.EnableCrypt;
 	ciaset->content.IsDlc = usrset->cia.DlcContent;
 	if(ciaset->keys->aes.commonKey[ciaset->keys->aes.currentCommonKey] == NULL && ciaset->content.encryptCia){
@@ -182,10 +182,10 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	}
 
 	// Ticket Data
-	rndset(ciaset->tik.ticketId,8);
-	u32_to_u8(ciaset->tik.deviceId,usrset->cia.deviceId,BE);
-	u32_to_u8(ciaset->tik.eshopAccId,usrset->cia.eshopAccId,BE);
-	ciaset->tik.licenceType = 0;
+	ciaset->tik.ticketId = u64GetRand();
+	ciaset->tik.deviceId = usrset->cia.deviceId;
+	ciaset->tik.eshopAccId = usrset->cia.eshopAccId;
+	ciaset->tik.licenceType = lic_Permanent;
 	ciaset->tik.audit = 0;
 	
 	if(usrset->cia.randomTitleKey)
@@ -208,6 +208,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 		ciaset->content.id[0] = usrset->cia.contentId[0];
 
 	ciaset->tmd.formatVersion = 1;
+	ciaset->tmd.accessRights = 0;
 	result = GenCertChildIssuer(ciaset->tmd.issuer,ciaset->keys->certs.cpCert);
 	return 0;
 }
@@ -256,7 +257,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 	}
 
 	/* Gen Settings From Ncch0 */
-	endian_memcpy(ciaset->common.titleId,hdr->titleId,8,LE);
+	ciaset->common.titleId = u8_to_u64(hdr->titleId,LE);
 
 
 	/* Getting ncch key */
@@ -289,19 +290,17 @@ int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *
 	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
 		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx,key,ncch_exhdr);
-
-	u16 Category = u8_to_u16((ciaset->common.titleId+2),BE);
-	if(IsPatch(Category)||ciaset->content.IsCfa||ciaset->content.keyNotFound) 
-		u32_to_u8(ciaset->tmd.savedataSize,0,LE);
-	else 
-		u32_to_u8(ciaset->tmd.savedataSize,(u32)GetSaveDataSize_frm_exhdr(exhdr),LE);
 		
-	if(ciaset->rsf->SystemControlInfo.SaveDataSize && !ciaset->content.IsCfa && ciaset->content.keyNotFound){
+	if(IsPatch(GetTidCategory(ciaset->common.titleId))||ciaset->content.IsCfa) 
+		ciaset->tmd.savedataSize = 0;
+	else if(ciaset->content.keyNotFound && ciaset->rsf->SystemControlInfo.SaveDataSize){ // if it's a title which can have save data, but save data size could not be read from exhdr
 		u64 size = 0;
 		GetSaveDataSizeFromString(&size,ciaset->rsf->SystemControlInfo.SaveDataSize,"CIA");
-		u32_to_u8(ciaset->tmd.savedataSize,(u32)size,LE);
+		ciaset->tmd.savedataSize = (u32)(size & MAX_U32);
 	}
-	
+	else 
+		ciaset->tmd.savedataSize = (u32)(GetSaveDataSize_frm_exhdr(exhdr) & MAX_U32);
+			
 	if(ciaset->content.IsCfa||ciaset->content.keyNotFound){
 		if(ciaset->common.titleVersion[VER_MAJOR] == MAX_U16){ // '-major' wasn't set
 			if(ciaset->content.IsCfa){ // Is a CFA and can be decrypted
@@ -479,8 +478,7 @@ int GetSettingsFromSrl(cia_settings *ciaset)
 	}
 
 	// Generate and store Converted TitleID
-	u64_to_u8(ciaset->common.titleId,ConvertTwlIdToCtrId(u8_to_u64(hdr->title_id,LE)),BE);
-	//memdump(stdout,"SRL TID: ",ciaset->TitleID,8);
+	ciaset->common.titleId = ConvertTwlIdToCtrId(u8_to_u64(hdr->title_id,LE));
 
 	// Get TWL Flag
 	ciaset->tmd.twlFlag = ((hdr->reserved_flags[3] & 6) >> 1);
@@ -491,8 +489,8 @@ int GetSettingsFromSrl(cia_settings *ciaset)
 	ciaset->tmd.version = version;
 
 	// Get SaveDataSize (Public and Private)
-	memcpy(ciaset->tmd.savedataSize,hdr->pubSaveDataSize,4);
-	memcpy(ciaset->tmd.privSavedataSize,hdr->privSaveDataSize,4);
+	ciaset->tmd.savedataSize = u8_to_u32(hdr->pubSaveDataSize,LE);
+	ciaset->tmd.privSavedataSize = u8_to_u32(hdr->privSaveDataSize,LE);
 
 	// Setting CIA Content Settings
 	ciaset->content.count = 1;
diff --git a/makerom/cia_build.h b/makerom/cia_build.h
index a33717d7..ad0de783 100644
--- a/makerom/cia_build.h
+++ b/makerom/cia_build.h
@@ -23,7 +23,7 @@ typedef struct
 	bool verbose;
 	
 	struct{
-		u8 titleId[8];
+		u64 titleId;
 		u16 titleVersion[4];
 		u8 titleKey[16];
 	} common;
@@ -39,12 +39,12 @@ typedef struct
 		u8 formatVersion;
 
 		u16 version;
-
-		u8 ticketId[8];
-		u8 deviceId[4];
+		
+		u64 ticketId;
+		u32 deviceId;
 		u8 licenceType;
 		u8 audit;
-		u8 eshopAccId[4];
+		u32 eshopAccId;
 	} tik;
 
 	struct{
@@ -52,10 +52,11 @@ typedef struct
 		u8 formatVersion;
 
 		u16 version;
-
-		u8 titleType[4];
-		u8 savedataSize[4];
-		u8 privSavedataSize[4];
+		u32 accessRights;
+		
+		u32 titleType;
+		u32 savedataSize;
+		u32 privSavedataSize;
 		u8 twlFlag;
 	} tmd;
 
diff --git a/makerom/tik.c b/makerom/tik.c
index 5f2e233c..db1f974e 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -50,24 +50,26 @@ int SetupTicketBuffer(cia_settings *set)
 void SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 {
 	clrmem(hdr,sizeof(tik_hdr));
-
+	
 	memcpy(hdr->issuer,ciaset->tik.issuer,0x40);
 	hdr->formatVersion = ciaset->tik.formatVersion;
 	hdr->caCrlVersion = ciaset->cert.caCrlVersion;
 	hdr->signerCrlVersion = ciaset->cert.signerCrlVersion;
-	if(ciaset->content.encryptCia)
-		CryptTitleKey(hdr->encryptedTitleKey, ciaset->common.titleKey,ciaset->common.titleId,ciaset->keys,ENC);
-	else
-		rndset(hdr->encryptedTitleKey,16);
-	memcpy(hdr->ticketId,ciaset->tik.ticketId,8);
-	memcpy(hdr->deviceId,ciaset->tik.deviceId,4);
-	memcpy(hdr->titleId,ciaset->common.titleId,8);
+	u64_to_u8(hdr->ticketId,ciaset->tik.ticketId,BE);
+	u32_to_u8(hdr->deviceId,ciaset->tik.deviceId,BE);
+	u64_to_u8(hdr->titleId,ciaset->common.titleId,BE);
 	u16_to_u8(hdr->ticketVersion,ciaset->tik.version,BE);
 	hdr->licenceType = ciaset->tik.licenceType;
 	hdr->keyId = ciaset->keys->aes.currentCommonKey;
-	memcpy(hdr->eshopAccId,ciaset->tik.eshopAccId,4);
+	u32_to_u8(hdr->eshopAccId,ciaset->tik.eshopAccId,BE);
 	hdr->audit = ciaset->tik.audit;
 	SetLimits(hdr,ciaset);
+	
+	// Crypt TitleKey
+	if(ciaset->content.encryptCia)
+		CryptTitleKey(hdr->encryptedTitleKey, ciaset->common.titleKey, hdr->titleId, ciaset->keys, ENC);
+	else
+		rndset(hdr->encryptedTitleKey,AES_128_KEY_SIZE);
 }
 
 int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
@@ -83,12 +85,12 @@ int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
 	return ctr_sig(data,len,sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
-int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *keys, u8 mode)
+int CryptTitleKey(u8 *encKey, u8 *decKey, u8 *titleId, keys_struct *keys, u8 mode)
 {
 	//Generating IV
 	u8 iv[16];
 	memset(&iv,0x0,16);
-	memcpy(iv,TitleID,0x8);
+	memcpy(iv,titleId,0x8);
 	
 	//Setting up Aes Context
 	ctr_aes_context ctx;
@@ -96,9 +98,9 @@ int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *ke
 	
 	//Crypting TitleKey
 	ctr_init_aes_cbc(&ctx,keys->aes.commonKey[keys->aes.currentCommonKey],iv,mode);
-	if(mode == ENC) ctr_aes_cbc(&ctx,DecTitleKey,EncTitleKey,0x10,ENC);
-	else ctr_aes_cbc(&ctx,EncTitleKey,DecTitleKey,0x10,DEC);
-
+	if(mode == ENC) ctr_aes_cbc(&ctx,decKey,encKey,0x10,ENC);
+	else ctr_aes_cbc(&ctx,encKey,decKey,0x10,DEC);
+	
 	// Return
 	return 0;
 }
diff --git a/makerom/titleid.c b/makerom/titleid.c
index d4479c42..b9045341 100644
--- a/makerom/titleid.c
+++ b/makerom/titleid.c
@@ -14,6 +14,16 @@ u64 ConvertTwlIdToCtrId(u64 pgid)
 	return 0x0004800000000000 | (pgid & 0x00007FFFFFFFFFFF);
 }
 
+u16 GetTidCategory(u64 titleId)
+{
+	return (titleId>>32) & MAX_U16; 
+}
+
+u32 GetTidUniqueId(u64 titleId)
+{
+	return (titleId>>8) & 0xFFFFFF; 
+}
+
 int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 {
 	int ret;
diff --git a/makerom/titleid.h b/makerom/titleid.h
index ecfd7823..8f96d537 100644
--- a/makerom/titleid.h
+++ b/makerom/titleid.h
@@ -88,6 +88,9 @@ u64 ConvertTwlIdToCtrId(u64 pgid);
 int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader);
 int GetUniqueID(u32 *dest, rsf_settings *rsf);
 
+u16 GetTidCategory(u64 titleId);
+u32 GetTidUniqueId(u64 titleId);
+
 bool IsDemo(u16 Category);
 bool IsSystem(u16 Category);
 bool IsDlpChild(u16 Category);
diff --git a/makerom/tmd.c b/makerom/tmd.c
index e81f6688..6abb6e53 100644
--- a/makerom/tmd.c
+++ b/makerom/tmd.c
@@ -54,11 +54,12 @@ int SetupTMDHeader(tmd_hdr *hdr, tmd_content_info_record *info_record, cia_setti
 	hdr->formatVersion = ciaset->tmd.formatVersion;
 	hdr->caCrlVersion = ciaset->cert.caCrlVersion;
 	hdr->signerCrlVersion = ciaset->cert.signerCrlVersion;
-	memcpy(hdr->titleID,ciaset->common.titleId,8);
-	memcpy(hdr->titleType,ciaset->tmd.titleType,4);
-	memcpy(hdr->savedataSize,ciaset->tmd.savedataSize,4);
-	memcpy(hdr->privSavedataSize,ciaset->tmd.privSavedataSize,4);
+	u64_to_u8(hdr->titleID,ciaset->common.titleId,BE);
+	u32_to_u8(hdr->titleType,ciaset->tmd.titleType,BE);
+	u32_to_u8(hdr->savedataSize,ciaset->tmd.savedataSize,LE);
+	u32_to_u8(hdr->privSavedataSize,ciaset->tmd.privSavedataSize,LE);
 	hdr->twlFlag = ciaset->tmd.twlFlag;
+	u32_to_u8(hdr->accessRights,ciaset->tmd.accessRights,BE);
 	u16_to_u8(hdr->titleVersion,ciaset->tmd.version,BE);
 	u16_to_u8(hdr->contentCount,ciaset->content.count,BE);
 	ctr_sha(info_record,sizeof(tmd_content_info_record)*64,hdr->infoRecordHash,CTR_SHA_256);
@@ -129,7 +130,7 @@ u64 GetTmdTitleId(tmd_hdr *hdr)
 
 u32 GetTmdSaveSize(tmd_hdr *hdr)
 {
-	return u8_to_u32(hdr->savedataSize,BE);
+	return u8_to_u32(hdr->savedataSize,LE);
 }
 
 u16 GetTmdContentCount(tmd_hdr *hdr)

From a624b6db8b37898a435fa4b7b7ecae55ae031ec8 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 30 Aug 2014 12:56:11 +1000
Subject: [PATCH 045/317] bug fix

prevented cia from "decrypting" cleartext ncch images
---
 makerom/cia.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 07eefdf3..b0051af1 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -262,7 +262,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 
 	/* Getting ncch key */
 	u8 *ncchkey = NULL;
-	if(!ciaset->content.keyNotFound || IsNcchEncrypted(hdr)){
+	if(!ciaset->content.keyNotFound && IsNcchEncrypted(hdr)){
 		SetNcchKeys(ciaset->keys,hdr);
 		ncchkey = ciaset->keys->aes.ncchKey0;
 		if(ciaset->verbose){

From 1cf7485274dac2b67ffcbc14a4abfb7c27357acd Mon Sep 17 00:00:00 2001
From: sbJFn5r <bernardjrubble@yahoo.com>
Date: Sun, 31 Aug 2014 22:24:09 -0400
Subject: [PATCH 046/317] Update ctr.h

---
 ctrtool/ctr.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ctrtool/ctr.h b/ctrtool/ctr.h
index 724f4c02..93210517 100644
--- a/ctrtool/ctr.h
+++ b/ctrtool/ctr.h
@@ -26,6 +26,7 @@ typedef enum
 	FILETYPE_LZSS,
 	FILETYPE_FIRM,
 	FILETYPE_CWAV,
+	FILETYPE_EXEFS,
 	FILETYPE_ROMFS
 } ctr_filetypes;
 

From 7210dbc7d8af454485b269579dbcf4cde83734f3 Mon Sep 17 00:00:00 2001
From: sbJFn5r <bernardjrubble@yahoo.com>
Date: Sun, 31 Aug 2014 22:24:56 -0400
Subject: [PATCH 047/317] Update types.h

---
 ctrtool/types.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ctrtool/types.h b/ctrtool/types.h
index 0ec14420..bade7f15 100644
--- a/ctrtool/types.h
+++ b/ctrtool/types.h
@@ -21,7 +21,8 @@ enum flags
 	VerboseFlag = (1<<3),
 	VerifyFlag = (1<<4),
 	RawFlag = (1<<5),
-	ShowKeysFlag = (1<<6)
+	ShowKeysFlag = (1<<6),
+	DecompressCodeFlag = (1<<7)
 };
 
 enum validstate

From ea2dbc023bf30f381d0242b199dd5c5d67d5dce9 Mon Sep 17 00:00:00 2001
From: sbJFn5r <bernardjrubble@yahoo.com>
Date: Sun, 31 Aug 2014 22:26:38 -0400
Subject: [PATCH 048/317] Update main.c

---
 ctrtool/main.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/ctrtool/main.c b/ctrtool/main.c
index 2f837f0a..5846fa2a 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -78,6 +78,9 @@ static void usage(const char *argv0)
 		   "CWAV options:\n"
 		   "  --wav=file         Specify wav output file.\n"
 		   "  --wavloops=count   Specify wav loop count, default 0.\n"
+		   "EXEFS options:\n"
+		   "  --decompresscode   Decompress .code section\n"
+		   "                     (only needed when using raw EXEFS file)\n"
 		   "ROMFS options:\n"
 		   "  --romfsdir=dir     Specify RomFS directory path.\n"
 		   "  --listromfs        List files in RomFS.\n"
@@ -142,6 +145,7 @@ int main(int argc, char* argv[])
 			{"listromfs", 0, NULL, 18},
 			{"wavloops", 1, NULL, 19},
 			{"logo", 1, NULL, 20},
+			{"decompresscode", 0, NULL, 21},
 			{NULL},
 		};
 
@@ -201,6 +205,8 @@ int main(int argc, char* argv[])
 					ctx.filetype = FILETYPE_FIRM;
 				else if (!strcmp(optarg, "cwav"))
 					ctx.filetype = FILETYPE_CWAV;
+				else if (!strcmp(optarg, "exefs"))
+					ctx.filetype = FILETYPE_EXEFS;
 				else if (!strcmp(optarg, "romfs"))
 					ctx.filetype = FILETYPE_ROMFS;
 			break;
@@ -226,6 +232,7 @@ int main(int argc, char* argv[])
 			case 18: settings_set_list_romfs_files(&ctx.usersettings, 1); break;
 			case 19: settings_set_cwav_loopcount(&ctx.usersettings, strtoul(optarg, 0, 0)); break;
 			case 20: settings_set_logo_path(&ctx.usersettings, optarg); break;
+			case 21: ctx.actions |= DecompressCodeFlag; break;
 
 			default:
 				usage(argv[0]);
@@ -424,6 +431,19 @@ int main(int argc, char* argv[])
 	
 			break;
 		}
+		
+		case FILETYPE_EXEFS:
+		{
+			exefs_context exefsctx;
+
+			exefs_init(&exefsctx);
+			exefs_set_file(&exefsctx, ctx.infile);
+			exefs_set_size(&exefsctx, ctx.infilesize);
+			exefs_set_usersettings(&exefsctx, &ctx.usersettings);
+			exefs_process(&exefsctx, ctx.actions);
+	
+			break;
+		}
 
 		case FILETYPE_ROMFS:
 		{

From 2b4a79f517606a2ff334e6d7d8a99d0fd69c26e7 Mon Sep 17 00:00:00 2001
From: sbJFn5r <bernardjrubble@yahoo.com>
Date: Sun, 31 Aug 2014 22:27:36 -0400
Subject: [PATCH 049/317] Update exefs.c

---
 ctrtool/exefs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index a4dce903..78070710 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -129,7 +129,7 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
-	if (index == 0 && ctx->compressedflag && ((flags & RawFlag) == 0))
+	if (index == 0 && (ctx->compressedflag || (flags & DecompressCodeFlag)) && ((flags & RawFlag) == 0))
 	{
 		fprintf(stdout, "Decompressing section %s to %s...\n", name, outfname);
 
@@ -200,6 +200,8 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 	}
 
 clean:
+	if (fout)
+		fclose(fout);
 	free(compressedbuffer);
 	free(decompressedbuffer);
 	return;

From 030b638c923eba6162f562178aef4dd7a6aecfbf Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Mon, 1 Sep 2014 13:05:05 +1000
Subject: [PATCH 050/317] misc

---
 makerom/ncch.c | 17 +++++------------
 makerom/ncch.h |  2 +-
 2 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/makerom/ncch.c b/makerom/ncch.c
index 10c4a92f..2398c27e 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -19,7 +19,6 @@ int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys);
 int SignCXI(ncch_hdr *hdr, keys_struct *keys);
 int CheckCXISignature(ncch_hdr *hdr, u8 *pubk);
 
-void InitNcchSettings(ncch_settings *set);
 void FreeNcchSettings(ncch_settings *set);
 int GetNcchSettings(ncch_settings *ncchset, user_settings *usrset);
 int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset);
@@ -71,7 +70,6 @@ int build_NCCH(user_settings *usrset)
 		fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 		return MEM_ERROR;
 	}
-	InitNcchSettings(ncchset);
 
 	// Get Settings
 	result = GetNcchSettings(ncchset,usrset);
@@ -126,11 +124,6 @@ int build_NCCH(user_settings *usrset)
 	return result;
 }
 
-void InitNcchSettings(ncch_settings *set)
-{
-	memset(set,0,sizeof(ncch_settings));
-}
-
 void FreeNcchSettings(ncch_settings *set)
 {
 	if(set->componentFilePtrs.elf) fclose(set->componentFilePtrs.elf);
@@ -193,7 +186,7 @@ int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 	
 	if(ncchset->options.IsCfa && !ncchset->options.UseRomFS){
 		fprintf(stderr,"[NCCH ERROR] \"Rom/HostRoot\" must be set\n");
-		return NCCH_BAD_YAML_SET;
+		return NCCH_BAD_RSF_SET;
 	}
 
 	return result;
@@ -352,7 +345,7 @@ int ImportLogo(ncch_settings *set)
 		}
 		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"none") != 0){
 			fprintf(stderr,"[NCCH ERROR] Invalid logo name\n");
-			return NCCH_BAD_YAML_SET;
+			return NCCH_BAD_RSF_SET;
 		}
 	}
 	return 0;
@@ -602,7 +595,7 @@ int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 	if(set->rsfSet->BasicInfo.ProductCode){
 		if(!IsValidProductCode((char*)set->rsfSet->BasicInfo.ProductCode,set->options.FreeProductCode)){
 			fprintf(stderr,"[NCCH ERROR] Invalid Product Code\n");
-			return NCCH_BAD_YAML_SET;
+			return NCCH_BAD_RSF_SET;
 		}
 		memcpy(hdr->productCode,set->rsfSet->BasicInfo.ProductCode,strlen((char*)set->rsfSet->BasicInfo.ProductCode));
 	}
@@ -611,7 +604,7 @@ int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 	if(set->rsfSet->BasicInfo.CompanyCode){
 		if(strlen((char*)set->rsfSet->BasicInfo.CompanyCode) != 2){
 			fprintf(stderr,"[NCCH ERROR] CompanyCode length must be 2\n");
-			return NCCH_BAD_YAML_SET;
+			return NCCH_BAD_RSF_SET;
 		}
 		memcpy(hdr->makerCode,set->rsfSet->BasicInfo.CompanyCode,2);
 	}
@@ -657,7 +650,7 @@ int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Trial") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Trial;
 		else{
 			fprintf(stderr,"[NCCH ERROR] Invalid ContentType '%s'\n",set->rsfSet->BasicInfo.ContentType);
-			return NCCH_BAD_YAML_SET;
+			return NCCH_BAD_RSF_SET;
 		}
 	}
 
diff --git a/makerom/ncch.h b/makerom/ncch.h
index c54ced2e..be77e95c 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -20,7 +20,7 @@ typedef enum
 	EXEFS_CORRUPT = -14,
 	ROMFS_CORRUPT = -15,
 	// Others
-	NCCH_BAD_YAML_SET = -16,
+	NCCH_BAD_RSF_SET = -16,
 	DATA_POS_DNE = -17,
 } ncch_errors;
 

From 2e6341ac0da493ed8537adff6f1e27b664167ab2 Mon Sep 17 00:00:00 2001
From: sbJFn5r <sbJFn5r@users.noreply.github.com>
Date: Mon, 1 Sep 2014 14:09:28 -0400
Subject: [PATCH 051/317] Forgot to add 'exefs' to the '-t' options display

---
 ctrtool/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/main.c b/ctrtool/main.c
index 5846fa2a..f80823a7 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -57,7 +57,7 @@ static void usage(const char *argv0)
 		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
 		   "  --showkeys         Show the keys being used.\n"
 		   "  -t, --intype=type	 Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
-		   "                        firm, cwav, romfs]\n"
+		   "                        firm, cwav, exefs, romfs]\n"
 		   "LZSS options:\n"
 		   "  --lzssout=file	 Specify lzss output file\n"
 		   "CXI/CCI options:\n"

From 6d3ad5cfe4619710d50980cafc1e994de6b1ea11 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 7 Sep 2014 21:10:55 +1000
Subject: [PATCH 052/317] implementation fixes

cleaned AES interface, corrected some header files, other misc
---
 makerom/cia.c       |  20 +++----
 makerom/cia.h       |   2 +-
 makerom/crypto.c    | 128 ++++++++++----------------------------------
 makerom/crypto.h    |  15 +-----
 makerom/ncch.c      |  96 ++++++++++-----------------------
 makerom/ncch.h      |  10 ++--
 makerom/ncsd.c      |  10 ++--
 makerom/tik.c       |  17 +++---
 makerom/tik_build.h |  13 +----
 makerom/tmd.c       |   4 +-
 10 files changed, 83 insertions(+), 232 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index b0051af1..a1d182a2 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -289,7 +289,7 @@ int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *
 	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
 	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
-		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx,key,ncch_exhdr);
+		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx->titleId,key,ncch_exhdr);
 		
 	if(IsPatch(GetTidCategory(ciaset->common.titleId))||ciaset->content.IsCfa) 
 		ciaset->tmd.savedataSize = 0;
@@ -334,12 +334,12 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *info, u8 *key)
 	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
 	memcpy(exhdr,ncch+info->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
-		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,info,key,ncch_exhdr);
+		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,info->titleId,key,ncch_exhdr);
 
 	exefs_hdr *exefsHdr = malloc(sizeof(exefs_hdr));
 	memcpy(exefsHdr,ncch+info->exefsOffset,sizeof(exefs_hdr));
 	if(key != NULL)
-		CryptNcchRegion((u8*)exefsHdr,sizeof(exefs_hdr),0,info,key,ncch_exefs);
+		CryptNcchRegion((u8*)exefsHdr,sizeof(exefs_hdr),0,info->titleId,key,ncch_exefs);
 
 	u32 icon_size = 0;
 	u32 icon_offset = 0;
@@ -364,7 +364,7 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *info, u8 *key)
 		u8 *IconDestPos = (ciaset->ciaSections.meta.buffer + sizeof(cia_metadata));
 		memcpy(IconDestPos,ncch+info->exefsOffset+icon_offset,icon_size);
 		if(key != NULL)
-			CryptNcchRegion(IconDestPos,icon_size,icon_offset,info,key,ncch_exefs);
+			CryptNcchRegion(IconDestPos,icon_size,icon_offset,info->titleId,key,ncch_exefs);
 		//memdump(stdout,"Icon: ",IconDestPos,0x10);
 	}
 
@@ -628,7 +628,7 @@ int BuildCiaHdr(cia_settings *ciaset)
 	ciaset->ciaSections.metaOffset = align(ciaset->ciaSections.contentOffset+ciaset->content.totalSize,0x40);
 	
 	for(int i = 0; i < ciaset->content.count; i++)
-		hdr->contentIndex[ciaset->content.index[i]/8] |= 1 << (7 - (ciaset->content.index[i] & 7));
+		hdr->contentIndex[ciaset->content.index[i]/8] |= 0x80 >> (ciaset->content.index[i] & 7);
 		
 	return 0;
 }
@@ -645,19 +645,15 @@ int WriteCiaToFile(cia_settings *ciaset)
 }
 
 
-int CryptContent(u8 *enc, u8 *dec, u64 size, u8 *title_key, u16 index, u8 mode)
+int CryptContent(u8 *input, u8 *output, u64 size, u8 *title_key, u16 index, u8 mode)
 {
 	//generating IV
 	u8 iv[16];
-	memset(&iv,0x0,16);
+	clrmem(&iv,16);
 	iv[0] = (index >> 8) & 0xff;
 	iv[1] = index & 0xff;
 	//Crypting content
-	ctr_aes_context ctx;
-	memset(&ctx,0x0,sizeof(ctr_aes_context));
-	ctr_init_aes_cbc(&ctx,title_key,iv,mode);
-	if(mode == ENC) ctr_aes_cbc(&ctx,dec,enc,size,ENC);
-	else ctr_aes_cbc(&ctx,enc,dec,size,DEC);
+	AesCbc(title_key,iv,input,output,size,mode);
 	return 0;
 }
 
diff --git a/makerom/cia.h b/makerom/cia.h
index b7dc6c2c..29da9567 100644
--- a/makerom/cia.h
+++ b/makerom/cia.h
@@ -22,5 +22,5 @@ typedef struct
 	u8 padding1[0xfc];
 } cia_metadata;
 
-int CryptContent(u8 *enc, u8 *dec, u64 size, u8 *title_key, u16 index, u8 mode);
+int CryptContent(u8 *input, u8 *output, u64 size, u8 *title_key, u16 index, u8 mode);
 
diff --git a/makerom/crypto.c b/makerom/crypto.c
index bbc977e6..71dbdd39 100644
--- a/makerom/crypto.c
+++ b/makerom/crypto.c
@@ -16,115 +16,43 @@ void ctr_sha(void *data, u64 size, u8 *hash, int mode)
 	}
 }
 
-void ctr_add_counter(ctr_aes_context* ctx, u32 carry)
+void SetAesCtrOffset(u8 *ctr, u64 offset)
 {
-	u32 counter[4];
-	u32 sum;
-	int i;
-
-	for(i=0; i<4; i++)
-		counter[i] = (ctx->ctr[i*4+0]<<24) | (ctx->ctr[i*4+1]<<16) | (ctx->ctr[i*4+2]<<8) | (ctx->ctr[i*4+3]<<0);
-
-	for(i=3; i>=0; i--)
-	{
-		sum = counter[i] + carry;
-
-		if (sum < counter[i])
-			carry = 1;
-		else
-			carry = 0;
-
-		counter[i] = sum;
-	}
-
-	for(i=0; i<4; i++)
-	{
-		ctx->ctr[i*4+0] = counter[i]>>24;
-		ctx->ctr[i*4+1] = counter[i]>>16;
-		ctx->ctr[i*4+2] = counter[i]>>8;
-		ctx->ctr[i*4+3] = counter[i]>>0;
-	}
-}
-
-void ctr_init_counter(ctr_aes_context* ctx, u8 key[16], u8 ctr[16])
-{
-	aes_setkey_enc(&ctx->aes, key, 128);
-	memcpy(ctx->ctr, ctr, 16);
+	u64_to_u8(ctr+8,u8_to_u64(ctr+8,BE)|align(offset,16)/16,BE);
 }
 
-void ctr_crypt_counter_block(ctr_aes_context* ctx, u8 input[16], u8 output[16])
+void AesCtr(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset)
 {
-	int i;
 	u8 stream[16];
-
-
-	aes_crypt_ecb(&ctx->aes, AES_ENCRYPT, ctx->ctr, stream);
-
-
-	if (input)
-	{
-		for(i=0; i<16; i++)
-		{
-			output[i] = stream[i] ^ input[i];
-		}
-	}
-	else
-	{
-		for(i=0; i<16; i++)
-			output[i] = stream[i];
-	}
-
-	ctr_add_counter(ctx, 1);
-}
-
-void ctr_crypt_counter(ctr_aes_context* ctx, u8* input,  u8* output, u32 size)
-{
-	u8 stream[16];
-	u32 i;
-
-	while(size >= 16)
-	{
-		ctr_crypt_counter_block(ctx, input, output);
-
-		if (input)
-			input += 16;
-		if (output)
-			output += 16;
-
-		size -= 16;
-	}
-
-	if (size)
-	{
-		memset(stream, 0, 16);
-		ctr_crypt_counter_block(ctx, stream, stream);
-
-		if (input)
-		{
-			for(i=0; i<size; i++)
-				output[i] = input[i] ^ stream[i];
-		}
-		else
-		{
-			memcpy(output, stream, size);
-		}
-	}
-}
-
-void ctr_init_aes_cbc(ctr_aes_context* ctx,u8 key[16],u8 iv[16], u8 mode)
-{
-	switch(mode){
-		case(ENC): aes_setkey_enc(&ctx->aes, key, 128); break;
-		case(DEC): aes_setkey_dec(&ctx->aes, key, 128); break;
-	}
-	memcpy(ctx->iv, iv, 16);
+	aes_context aes;
+	u64 nc_off = 0;
+	
+	clrmem(&aes,sizeof(aes_context));
+	aes_setkey_enc(&aes, key, 128);
+	SetAesCtrOffset(ctr,offset);
+	
+	aes_crypt_ctr(&aes, length, &nc_off, ctr, stream, input, output);
+	
+	
+	return;
 }
 
-void ctr_aes_cbc(ctr_aes_context* ctx,u8* input,u8* output,u32 size,u8 mode)
+void AesCbc(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode)
 {
+	aes_context aes;
+	clrmem(&aes,sizeof(aes_context));
+	
 	switch(mode){
-		case(ENC): aes_crypt_cbc(&ctx->aes, AES_ENCRYPT, size, ctx->iv, input, output); break;
-		case(DEC): aes_crypt_cbc(&ctx->aes, AES_DECRYPT, size, ctx->iv, input, output); break;
+		case(ENC): 
+			aes_setkey_enc(&aes, key, 128);
+			aes_crypt_cbc(&aes, AES_ENCRYPT, length, iv, input, output);
+			return;
+		case(DEC):
+			aes_setkey_dec(&aes, key, 128);
+			aes_crypt_cbc(&aes, AES_DECRYPT, length, iv, input, output); 
+			return;
+		default:
+			return;
 	}
 }
 
diff --git a/makerom/crypto.h b/makerom/crypto.h
index 3d5aaeed..9a29a107 100644
--- a/makerom/crypto.h
+++ b/makerom/crypto.h
@@ -55,13 +55,6 @@ typedef enum
 	RSAKEY_PUB
 } rsakeytype;
 
-typedef struct
-{
-	u8 ctr[16];
-	u8 iv[16];
-	aes_context aes;
-} ctr_aes_context;
-
 typedef struct
 {
 	rsa_context rsa;
@@ -74,12 +67,8 @@ extern "C" {
 bool VerifySha256(void *data, u64 size, u8 hash[32]);
 void ctr_sha(void *data, u64 size, u8 *hash, int mode);
 // AES
-void ctr_add_counter(ctr_aes_context* ctx, u32 carry);
-void ctr_init_counter(ctr_aes_context* ctx, u8 key[16],u8 ctr[16]);
-void ctr_crypt_counter_block(ctr_aes_context* ctx, u8 input[16], u8 output[16]);
-void ctr_crypt_counter(ctr_aes_context* ctx, u8* input,  u8* output, u32 size);
-void ctr_init_aes_cbc(ctr_aes_context* ctx,u8 key[16],u8 iv[16], u8 mode);
-void ctr_aes_cbc(ctr_aes_context* ctx,u8* input,u8* output,u32 size,u8 mode);
+void AesCtr(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset);
+void AesCbc(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode);
 // RSA
 void ctr_rsa_free(ctr_rsa_context* ctx);
 int ctr_rsa_init(ctr_rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8 rsa_type, u8 mode);
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 2398c27e..5688842e 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -31,12 +31,7 @@ int FinaliseNcch(ncch_settings *ncchset);
 int SetCommonHeaderBasicData(ncch_settings *ncchset, ncch_hdr *hdr);
 bool IsValidProductCode(char *ProductCode, bool FreeProductCode);
 
-int BuildCommonHeader(ncch_settings *ncchset);
-int EnCryptNcchRegions(ncch_settings *ncchset);
-int WriteNCCHSectionsToBuffer(ncch_settings *ncchset);
-
 // Code
-
 int SignCFA(ncch_hdr *hdr, keys_struct *keys)
 {
 	return ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
@@ -540,8 +535,8 @@ int FinaliseNcch(ncch_settings *set)
 
 		// Crypting Exheader/AcexDesc
 		if(set->cryptoDetails.exhdrSize){
-			CryptNcchRegion(exhdr,set->cryptoDetails.exhdrSize,0x0,&set->cryptoDetails,set->keys->aes.ncchKey0,ncch_exhdr);
-			CryptNcchRegion(acexDesc,set->cryptoDetails.acexSize,set->cryptoDetails.exhdrSize,&set->cryptoDetails,set->keys->aes.ncchKey0,ncch_exhdr);
+			CryptNcchRegion(exhdr,set->cryptoDetails.exhdrSize,0x0,set->cryptoDetails.titleId,set->keys->aes.ncchKey0,ncch_exhdr);
+			CryptNcchRegion(acexDesc,set->cryptoDetails.acexSize,set->cryptoDetails.exhdrSize,set->cryptoDetails.titleId,set->keys->aes.ncchKey0,ncch_exhdr);
 		}			
 
 		// Crypting ExeFs Files
@@ -558,16 +553,16 @@ int FinaliseNcch(ncch_settings *set)
 				u32 size = u8_to_u32(exefsHdr->fileHdr[i].size,LE);
 
 				if(size)
-					CryptNcchRegion((exefs+offset),align(size,set->options.blockSize),offset,&set->cryptoDetails,key,ncch_exefs);
+					CryptNcchRegion((exefs+offset),align(size,set->options.blockSize),offset,set->cryptoDetails.titleId,key,ncch_exefs);
 
 			}
 			// Crypting ExeFs Header
-			CryptNcchRegion(exefs,sizeof(exefs_hdr),0x0,&set->cryptoDetails,set->keys->aes.ncchKey0,ncch_exefs);
+			CryptNcchRegion(exefs,sizeof(exefs_hdr),0x0,set->cryptoDetails.titleId,set->keys->aes.ncchKey0,ncch_exefs);
 		}
 
 		// Crypting RomFs
 		if(set->cryptoDetails.romfsSize)
-			CryptNcchRegion(romfs,set->cryptoDetails.romfsSize,0x0,&set->cryptoDetails,set->keys->aes.ncchKey1,ncch_romfs);
+			CryptNcchRegion(romfs,set->cryptoDetails.romfsSize,0x0,set->cryptoDetails.titleId,set->keys->aes.ncchKey1,ncch_romfs);
 	}
 
 	return 0;
@@ -584,12 +579,12 @@ int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 
 	
 	/* Setting ProgramId/TitleId */
-	u64 ProgramId = 0;
-	int result = GetProgramID(&ProgramId,set->rsfSet,false); 
+	u64 programId = 0;
+	int result = GetProgramID(&programId,set->rsfSet,false); 
 	if(result) return result;
 
-	u64_to_u8(hdr->programId,ProgramId,LE);
-	u64_to_u8(hdr->titleId,ProgramId,LE);
+	u64_to_u8(hdr->programId,programId,LE);
+	u64_to_u8(hdr->titleId,programId,LE);
 
 	/* Get Product Code and Maker Code */
 	if(set->rsfSet->BasicInfo.ProductCode){
@@ -741,7 +736,7 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 		}
 		memcpy(exHdr,ncch+ncchInfo->exhdrOffset,ncchInfo->exhdrSize);
 		if(IsNcchEncrypted(hdr))
-			CryptNcchRegion((u8*)exHdr,ncchInfo->exhdrSize,0,ncchInfo,keys->aes.ncchKey0,ncch_exhdr);
+			CryptNcchRegion((u8*)exHdr,ncchInfo->exhdrSize,0,ncchInfo->titleId,keys->aes.ncchKey0,ncch_exhdr);
 
 		// Checking Exheader Hash to see if decryption was sucessful
 		if(!VerifySha256(exHdr, ncchInfo->exhdrSize, hdr->exhdrHash)){
@@ -768,7 +763,7 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 		}
 		memcpy(acexDesc,ncch+ncchInfo->acexOffset,ncchInfo->acexSize);
 		if(IsNcchEncrypted(hdr))
-			CryptNcchRegion((u8*)acexDesc,ncchInfo->acexSize,ncchInfo->exhdrSize,ncchInfo,keys->aes.ncchKey0,ncch_exhdr);
+			CryptNcchRegion((u8*)acexDesc,ncchInfo->acexSize,ncchInfo->exhdrSize,ncchInfo->titleId,keys->aes.ncchKey0,ncch_exhdr);
 
 		if(CheckAccessDescSignature(acexDesc,keys) != 0 && !keys->rsa.isFalseSign){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] AccessDesc Sigcheck Failed\n");
@@ -799,7 +794,7 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 		}
 		memcpy(exefs,ncch+ncchInfo->exefsOffset,ncchInfo->exefsHashDataSize);
 		if(IsNcchEncrypted(hdr))
-			CryptNcchRegion(exefs,ncchInfo->exefsHashDataSize,0,ncchInfo,keys->aes.ncchKey0,ncch_exefs);
+			CryptNcchRegion(exefs,ncchInfo->exefsHashDataSize,0,ncchInfo->titleId,keys->aes.ncchKey0,ncch_exefs);
 		if(!VerifySha256(exefs, ncchInfo->exefsHashDataSize, hdr->exefsHash)){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] ExeFs Hashcheck Failed\n");
 			free(ncchInfo);
@@ -819,7 +814,7 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 		}
 		memcpy(romfs,ncch+ncchInfo->romfsOffset,ncchInfo->romfsHashDataSize);
 		if(IsNcchEncrypted(hdr))
-			CryptNcchRegion(romfs,ncchInfo->romfsHashDataSize,0,ncchInfo,keys->aes.ncchKey1,ncch_romfs);
+			CryptNcchRegion(romfs,ncchInfo->romfsHashDataSize,0,ncchInfo->titleId,keys->aes.ncchKey1,ncch_romfs);
 		if(!VerifySha256(romfs,ncchInfo->romfsHashDataSize,hdr->romfsHash)){
 			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] RomFs Hashcheck Failed\n");
 			free(ncchInfo);
@@ -873,7 +868,7 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
 			return -1;
 		}
-		CryptNcchRegion(romfs,ncchInfo.romfsSize,0,&ncchInfo,keys->aes.ncchKey1,ncch_romfs);
+		CryptNcchRegion(romfs,ncchInfo.romfsSize,0,ncchInfo.titleId,keys->aes.ncchKey1,ncch_romfs);
 	}
 	
 	// Editing data and resigning
@@ -891,7 +886,7 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 			fprintf(stderr,"[NCCH ERROR] Failed to load ncch aes key\n");
 			return -1;
 		}
-		CryptNcchRegion(romfs,ncchInfo.romfsSize,0,&ncchInfo,keys->aes.ncchKey1,ncch_romfs);
+		CryptNcchRegion(romfs,ncchInfo.romfsSize,0,ncchInfo.titleId,keys->aes.ncchKey1,ncch_romfs);
 	}
 
 	return 0;
@@ -1016,15 +1011,14 @@ bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr)
 
 int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 {
-	memcpy(info->titleId,hdr->titleId,8);
-	memcpy(info->programId,hdr->programId,8);
+	info->titleId = u8_to_u64(hdr->titleId,LE);
+	info->programId = u8_to_u64(hdr->programId,LE);
 
-	
 	u32 block_size = GetNcchBlockSize(hdr);
 	
 	info->formatVersion = u8_to_u16(hdr->formatVersion,LE);
 	if(!IsCfa(hdr)){
-		info->exhdrOffset = 0x200;
+		info->exhdrOffset = sizeof(ncch_hdr);
 		info->exhdrSize = u8_to_u32(hdr->exhdrSize,LE);
 		info->acexOffset = (info->exhdrOffset + info->exhdrSize);
 		info->acexSize = sizeof(access_descriptor);
@@ -1043,53 +1037,17 @@ int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 	return 0;
 }
 
-void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, ncch_info *ctx, u8 key[16], u8 type)
+void GetNcchAesCounter(u8 ctr[16], u64 titleId, u8 type)
 {
-	if(type < 1 || type > 3)
-		return;
-	u8 counter[0x10];
-	ctr_aes_context aes_ctx;
-	memset(&aes_ctx,0x0,sizeof(ctr_aes_context));
-	
-	GetNcchAesCounter(ctx,counter,type);	
-	ctr_init_counter(&aes_ctx, key, counter);
-	
-	if(src_pos > 0){
-		u32 carry = 0;
-		carry = align(src_pos,0x10);
-		carry /= 0x10;
-		ctr_add_counter(&aes_ctx,carry);
-	}
-	
-	ctr_crypt_counter(&aes_ctx, buffer, buffer, size);
-	return;
+	clrmem(ctr,16);	
+	u64_to_u8(ctr,titleId,BE);
+	ctr[8] = type;
 }
 
-void GetNcchAesCounter(ncch_info *ctx, u8 counter[16], u8 type)
+void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, u64 titleId, u8 key[16], u8 type)
 {
-	u8 *titleId = ctx->titleId;
-	u32 i;
-	u32 x = 0;
-
-	memset(counter, 0, 16);
-
-	if (ctx->formatVersion == 2 || ctx->formatVersion == 0)
-	{
-		endian_memcpy(counter,titleId,8,LE);
-		counter[8] = type;
-	}
-	else if (ctx->formatVersion == 1)
-	{
-		switch(type){
-			case ncch_exhdr : x = ctx->exhdrOffset; break;
-			case ncch_exefs : x = ctx->exefsOffset; break;
-			case ncch_romfs : x = ctx->romfsOffset; break;
-		}
-		for(i=0; i<8; i++)
-			counter[i] = titleId[i];
-		for(i=0; i<4; i++)
-			counter[12+i] = x>>((3-i)*8);
-	}
-	
-	//memdump(stdout,"CTR: ",counter,16);
+	u8 ctr[0x10];
+	GetNcchAesCounter(ctr,titleId,type);	
+	AesCtr(key,ctr,buffer,buffer,size,src_pos);
+	return;
 }
\ No newline at end of file
diff --git a/makerom/ncch.h b/makerom/ncch.h
index be77e95c..f2918830 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -75,8 +75,8 @@ typedef struct
 	u64 romfsOffset;
 	u64 romfsSize;
 	u64 romfsHashDataSize;
-	u8 titleId[8];
-	u8 programId[8];
+	u64 titleId;
+	u64 programId;
 } ncch_info;
 
 typedef struct
@@ -113,7 +113,7 @@ typedef struct
 } ncch_hdr;
 
 // NCCH Read Functions
-int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput);
+int VerifyNcch(u8 *ncch, keys_struct *keys, bool checkHash, bool suppressOutput);
 
 int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys);
 
@@ -130,5 +130,5 @@ u64 GetNcchSize(ncch_hdr* hdr);
 bool IsNcchEncrypted(ncch_hdr *hdr);
 bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr);
 int GetNcchInfo(ncch_info *ctx, ncch_hdr *header);
-void GetNcchAesCounter(ncch_info *ctx, u8 counter[16], u8 type);
-void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, ncch_info *ctx, u8 key[16], u8 type);
\ No newline at end of file
+void GetNcchAesCounter(u8 ctr[16], u64 titleId, u8 type);
+void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, u64 titleId, u8 key[16], u8 type);
\ No newline at end of file
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index c554eb0e..cc8cfaf5 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -150,9 +150,9 @@ int ImportNcchForCci(cci_settings *set)
 	return 0;
 }
 
-bool CanCiaBeCci(u16 cat, u16 count, tmd_content_chunk *content)
+bool CanCiaBeCci(u64 titleId, u16 count, tmd_content_chunk *content)
 {
-	if(cat != PROGRAM_ID_CATEGORY_APPLICATION && cat != PROGRAM_ID_CATEGORY_SYSTEM_APPLICATION)
+	if(GetTidCategory(titleId) != PROGRAM_ID_CATEGORY_APPLICATION && GetTidCategory(titleId) != PROGRAM_ID_CATEGORY_SYSTEM_APPLICATION)
 		return false;
 		
 	if(count > CCI_MAX_CONTENT)
@@ -235,7 +235,6 @@ int ProcessCiaForCci(cci_settings *set)
 	tmd_content_chunk *contentInfo = GetTmdContentInfo(GetCiaTmd(set->content.data));
 	u64 contentOffset = GetCiaContentOffset((cia_hdr*)set->content.data);
 	
-	u16 titleCat = (GetTmdTitleId(tmd) >> 32) & 0xffff;
 	u16 contentCount = GetTmdContentCount(tmd);
 	set->romInfo.saveSize = GetTmdSaveSize(tmd);
 	if(set->romInfo.saveSize > 0 && set->romInfo.saveSize < (u64)(128*KB))
@@ -245,7 +244,7 @@ int ProcessCiaForCci(cci_settings *set)
 	else if(set->romInfo.saveSize > (u64)(512*KB))
 		set->romInfo.saveSize = align(set->romInfo.saveSize,MB);
 	
-	if(!CanCiaBeCci(titleCat,contentCount,contentInfo)){
+	if(!CanCiaBeCci(GetTmdTitleId(tmd),contentCount,contentInfo)){
 		fprintf(stderr,"[CCI ERROR] This CIA cannot be converted to CCI\n");
 		return INCOMPAT_CIA;
 	}
@@ -269,9 +268,8 @@ int ProcessCiaForCci(cci_settings *set)
 		set->content.dSize[index] = GetTmdContentSize(contentInfo[i]);
 		u8 *content = set->content.data + contentOffset;
 		if(IsTmdContentEncrypted(contentInfo[i])){
-			if(canDecrypt){
+			if(canDecrypt)
 				CryptContent(content,content,set->content.dSize[index],titleKey,i,DEC);
-			}
 			else{
 				fprintf(stderr,"[CCI ERROR] Failed to decrypt CIA content: 0x%08x\n",GetTmdContentId(contentInfo[i]));
 				return INCOMPAT_CIA;
diff --git a/makerom/tik.c b/makerom/tik.c
index db1f974e..16cb963e 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -11,6 +11,7 @@ u32 GetContentIndexSegNum(cia_settings *set);
 void SetContentIndexHeader(tik_content_index_hdr *hdr, cia_settings *set);
 void SetContentIndexData(tik_content_index_struct *data, cia_settings *set);
 
+int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode);
 
 int BuildTicket(cia_settings *set)
 {
@@ -67,7 +68,7 @@ void SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 	
 	// Crypt TitleKey
 	if(ciaset->content.encryptCia)
-		CryptTitleKey(hdr->encryptedTitleKey, ciaset->common.titleKey, hdr->titleId, ciaset->keys, ENC);
+		CryptTitleKey(ciaset->common.titleKey, hdr->encryptedTitleKey, hdr->titleId, ciaset->keys, ENC);
 	else
 		rndset(hdr->encryptedTitleKey,AES_128_KEY_SIZE);
 }
@@ -85,21 +86,15 @@ int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
 	return ctr_sig(data,len,sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
-int CryptTitleKey(u8 *encKey, u8 *decKey, u8 *titleId, keys_struct *keys, u8 mode)
+int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode)
 {
 	//Generating IV
 	u8 iv[16];
-	memset(&iv,0x0,16);
+	clrmem(&iv,16);
 	memcpy(iv,titleId,0x8);
-	
-	//Setting up Aes Context
-	ctr_aes_context ctx;
-	clrmem(&ctx,sizeof(ctr_aes_context));
-	
+		
 	//Crypting TitleKey
-	ctr_init_aes_cbc(&ctx,keys->aes.commonKey[keys->aes.currentCommonKey],iv,mode);
-	if(mode == ENC) ctr_aes_cbc(&ctx,decKey,encKey,0x10,ENC);
-	else ctr_aes_cbc(&ctx,encKey,decKey,0x10,DEC);
+	AesCbc(keys->aes.commonKey[keys->aes.currentCommonKey],iv,input,output,0x10,mode);
 	
 	// Return
 	return 0;
diff --git a/makerom/tik_build.h b/makerom/tik_build.h
index ecea0222..471f56e6 100644
--- a/makerom/tik_build.h
+++ b/makerom/tik_build.h
@@ -1,16 +1,5 @@
 #pragma once
 #include "tik.h"
 
-static const unsigned char default_contentIndex[0x30] =
-{
-	0x00, 0x01, 0x00, 0x14, 0x00, 0x00, 0x00, 0xAC, 
-	0x00, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x14, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 
-	0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x84, 
-	0x00, 0x00, 0x00, 0x84, 0x00, 0x03, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
-};
-
 // Prototypes
-int BuildTicket(cia_settings *ciaset);
-int CryptTitleKey(u8 *EncTitleKey, u8 *DecTitleKey, u8 *TitleID, keys_struct *keys, u8 mode);
\ No newline at end of file
+int BuildTicket(cia_settings *ciaset);
\ No newline at end of file
diff --git a/makerom/tmd.c b/makerom/tmd.c
index 6abb6e53..f3b7f114 100644
--- a/makerom/tmd.c
+++ b/makerom/tmd.c
@@ -175,7 +175,5 @@ bool IsTmdContentEncrypted(tmd_content_chunk info)
 
 bool ValidateTmdContent(u8 *data, tmd_content_chunk info)
 {
-	u8 hash[32];
-	ctr_sha(data,GetTmdContentSize(info),hash,CTR_SHA_256);
-	return memcmp(hash,GetTmdContentHash(&info),32) == 0;
+	return VerifySha256(data, GetTmdContentSize(info), GetTmdContentHash(&info));
 }
\ No newline at end of file

From 475cda33ed0ae7514a7f4414728a11e1632af79e Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 7 Sep 2014 21:47:34 +1000
Subject: [PATCH 053/317] ctrtool: added cci ncch selection

---
 ctrtool/main.c |  7 ++++---
 ctrtool/ncsd.c | 15 +++++++++++++--
 ctrtool/ncsd.h |  2 ++
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/ctrtool/main.c b/ctrtool/main.c
index f80823a7..9f2b766a 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -61,7 +61,7 @@ static void usage(const char *argv0)
 		   "LZSS options:\n"
 		   "  --lzssout=file	 Specify lzss output file\n"
 		   "CXI/CCI options:\n"
-		   "  -n, --ncch=offs    Specify offset for NCCH header.\n"
+		   "  -n, --ncch=index   Specify NCCH partition index.\n"
 		   "  --exefs=file       Specify ExeFS file path.\n"
 		   "  --exefsdir=dir     Specify ExeFS directory path.\n"
 		   "  --romfs=file       Specify RomFS file path.\n"
@@ -96,7 +96,7 @@ int main(int argc, char* argv[])
 	u8 magic[4];
 	char infname[512];
 	int c;
-	u32 ncchoffset = ~0;
+	u32 ncchindex = 0;
 	char keysetfname[512] = "keys.xml";
 	keyset tmpkeys;
 	unsigned int checkkeysetfile = 0;
@@ -180,7 +180,7 @@ int main(int argc, char* argv[])
 			break;
 
 			case 'n':
-				ncchoffset = strtoul(optarg, 0, 0);
+				ncchindex = strtoul(optarg, 0, 0);
 			break;
 
 			case 'k':
@@ -331,6 +331,7 @@ int main(int argc, char* argv[])
 			ncsd_init(&ncsdctx);
 			ncsd_set_file(&ncsdctx, ctx.infile);
 			ncsd_set_size(&ncsdctx, ctx.infilesize);
+			ncsd_set_ncch_index(&ncsdctx, ncchindex);
 			ncsd_set_usersettings(&ncsdctx, &ctx.usersettings);
 			ncsd_process(&ncsdctx, ctx.actions);
 			
diff --git a/ctrtool/ncsd.c b/ctrtool/ncsd.c
index 07c211f6..cfa55a34 100644
--- a/ctrtool/ncsd.c
+++ b/ctrtool/ncsd.c
@@ -28,6 +28,11 @@ void ncsd_set_size(ncsd_context* ctx, u32 size)
 	ctx->size = size;
 }
 
+void ncsd_set_ncch_index(ncsd_context* ctx, u32 ncch_index)
+{
+	ctx->ncch_index = ncch_index;
+}
+
 void ncsd_set_usersettings(ncsd_context* ctx, settings* usersettings)
 {
 	ctx->usersettings = usersettings;
@@ -74,9 +79,15 @@ void ncsd_process(ncsd_context* ctx, u32 actions)
 	if (actions & InfoFlag)
 		ncsd_print(ctx);
 
+	if(ctx->ncch_index > 7 || ctx->header.partitiongeometry[ctx->ncch_index].size == 0)
+	{
+		fprintf(stderr," ERROR NCSD partition %d, does not exist\n",ctx->ncch_index);
+		return;
+	}
+		
 	ncch_set_file(&ctx->ncch, ctx->file);
-	ncch_set_offset(&ctx->ncch, ctx->header.partitiongeometry[0].offset * ncsd_get_mediaunit_size(ctx));
-	ncch_set_size(&ctx->ncch, ctx->header.partitiongeometry[0].size * ncsd_get_mediaunit_size(ctx));
+	ncch_set_offset(&ctx->ncch, ctx->header.partitiongeometry[ctx->ncch_index].offset * ncsd_get_mediaunit_size(ctx));
+	ncch_set_size(&ctx->ncch, ctx->header.partitiongeometry[ctx->ncch_index].size * ncsd_get_mediaunit_size(ctx));
 	ncch_set_usersettings(&ctx->ncch, ctx->usersettings);
 	ncch_process(&ctx->ncch, actions);
 }
diff --git a/ctrtool/ncsd.h b/ctrtool/ncsd.h
index d8862139..58b85061 100644
--- a/ctrtool/ncsd.h
+++ b/ctrtool/ncsd.h
@@ -35,6 +35,7 @@ typedef struct
 	FILE* file;
 	u32 offset;
 	u32 size;
+	u32 ncch_index;
 	ctr_ncsdheader header;
 	settings* usersettings;
 	int headersigcheck;
@@ -45,6 +46,7 @@ typedef struct
 void ncsd_init(ncsd_context* ctx);
 void ncsd_set_offset(ncsd_context* ctx, u32 offset);
 void ncsd_set_size(ncsd_context* ctx, u32 size);
+void ncsd_set_ncch_index(ncsd_context* ctx, u32 ncch_index);
 void ncsd_set_file(ncsd_context* ctx, FILE* file);
 void ncsd_set_usersettings(ncsd_context* ctx, settings* usersettings);
 int ncsd_signature_verify(const void* blob, rsakey2048* key);

From 7113ade91dd30dc4b2c3c74cacf6231bf4f7eca4 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 7 Sep 2014 22:39:02 +1000
Subject: [PATCH 054/317] makerom: exefs

corrected max exefs sections to 8
---
 makerom/exefs.c | 11 +++++------
 makerom/exefs.h |  4 ++--
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/makerom/exefs.c b/makerom/exefs.c
index 1d3f2304..591d3f55 100644
--- a/makerom/exefs.c
+++ b/makerom/exefs.c
@@ -65,19 +65,18 @@ u32 PredictExeFS_Size(exefs_buildctx *ctx)
 
 int GenerateExeFS_Header(exefs_buildctx *ctx, u8 *outbuff)
 {
+	exefs_hdr *exefs = (exefs_hdr*)outbuff;
 	for(int i = 0; i < ctx->fileCount; i++){
 		if(i == 0)
 			ctx->fileOffset[i] = 0;
 		else
 			ctx->fileOffset[i] = align((ctx->fileOffset[i-1]+ctx->fileSize[i-1]),ctx->blockSize);
 		
-		memcpy(ctx->fileHdr[i].name,ctx->fileName[i],8);
-		u32_to_u8(ctx->fileHdr[i].offset,ctx->fileOffset[i],LE);
-		u32_to_u8(ctx->fileHdr[i].size,ctx->fileSize[i],LE);
-		ctr_sha(ctx->file[i],ctx->fileSize[i],ctx->fileHashes[9-i],CTR_SHA_256);
+		memcpy(exefs->fileHdr[i].name,ctx->fileName[i],8);
+		u32_to_u8(exefs->fileHdr[i].offset,ctx->fileOffset[i],LE);
+		u32_to_u8(exefs->fileHdr[i].size,ctx->fileSize[i],LE);
+		ctr_sha(ctx->file[i],ctx->fileSize[i],exefs->fileHashes[MAX_EXEFS_SECTIONS-1-i],CTR_SHA_256);
 	}
-	memcpy(outbuff,ctx->fileHdr,sizeof(exefs_filehdr)*10);
-	memcpy(outbuff+0xc0,ctx->fileHashes,0x20*10);
 	return 0;
 }
 
diff --git a/makerom/exefs.h b/makerom/exefs.h
index f6e6c136..75b61f92 100644
--- a/makerom/exefs.h
+++ b/makerom/exefs.h
@@ -1,6 +1,6 @@
 #pragma once
 
-#define MAX_EXEFS_SECTIONS 10 // DO NOT CHANGE
+#define MAX_EXEFS_SECTIONS 8
 
 typedef struct
 {
@@ -12,6 +12,6 @@ typedef struct
 typedef struct
 {
 	exefs_filehdr fileHdr[MAX_EXEFS_SECTIONS];
-	u8 reserved[0x20];
+	u8 reserved[0x80];
 	u8 fileHashes[MAX_EXEFS_SECTIONS][0x20];
 } exefs_hdr;

From 5c2144187762cad5d63bdec652eb7bd357534fac Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Mon, 8 Sep 2014 11:20:50 +1000
Subject: [PATCH 055/317] cleaned makefiles

---
 ctrtool/Makefile | 2 +-
 makerom/Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 5fdb2765..f1a4e603 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -1,7 +1,7 @@
 OBJS = keyset.o main.o ctr.o ncsd.o cia.o tik.o tmd.o filepath.o lzss.o exheader.o exefs.o ncch.o utils.o settings.o firm.o cwav.o stream.o romfs.o ivfc.o
 POLAR_OBJS = polarssl/aes.o polarssl/bignum.o polarssl/rsa.o polarssl/sha2.o
 TINYXML_OBJS = tinyxml/tinystr.o tinyxml/tinyxml.o tinyxml/tinyxmlerror.o tinyxml/tinyxmlparser.o
-LIBS = -lstdc++
+LIBS = -static-libstdc++
 CXXFLAGS = -I. 
 CFLAGS = -Wall -Wno-unused-variable -Wno-unused-but-set-variable -I.
 OUTPUT = ctrtool
diff --git a/makerom/Makefile b/makerom/Makefile
index 48ecc523..4cf0a1c9 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -9,7 +9,7 @@ LIB_API_OBJS = crypto.o yaml_parser.o blz.o
 OBJS = makerom.o $(UTILS_OBJS) $(LIB_API_OBJS) $(SETTINGS_OBJS) $(NCSD_OBJS) $(NCCH_OBJS) $(CIA_OBJS)
 
 # Libraries
-POLAR_OBJS = polarssl/aes.o polarssl/bignum.o polarssl/rsa.o polarssl/sha1.o polarssl/sha2.o polarssl/padlock.o polarssl/md.o polarssl/md_wrap.o polarssl/md2.o polarssl/md4.o polarssl/md5.o polarssl/sha4.o polarssl/base64.o polarssl/cipher.o polarssl/cipher_wrap.o polarssl/camellia.o polarssl/des.o polarssl/blowfish.o
+POLAR_OBJS = polarssl/aes.o polarssl/rsa.o  polarssl/sha1.o polarssl/sha2.o polarssl/base64.o polarssl/bignum.o polarssl/padlock.o polarssl/md.o polarssl/md_wrap.o polarssl/md5.o polarssl/sha4.o 
 YAML_OBJS = libyaml/api.o libyaml/dumper.o libyaml/emitter.o libyaml/loader.o libyaml/parser.o libyaml/reader.o libyaml/scanner.o libyaml/writer.o
 
 # Compiler Settings

From 07aa854e60dbd46c310e144dfc27a077d58b8be3 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 9 Sep 2014 13:43:17 +1000
Subject: [PATCH 056/317] ctrtool: tmd bug fix

---
 ctrtool/cia.c | 2 +-
 ctrtool/tmd.c | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index f1e97038..030b09da 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -222,7 +222,7 @@ void cia_process(cia_context* ctx, u32 actions)
 	tmd_set_offset(&ctx->tmd, ctx->offsettmd);
 	tmd_set_size(&ctx->tmd, ctx->sizetmd);
 	tmd_set_usersettings(&ctx->tmd, ctx->usersettings);
-	tmd_process(&ctx->tmd, actions);
+	tmd_process(&ctx->tmd, (actions & ~InfoFlag));
 
 	if (actions & VerifyFlag)
 	{
diff --git a/ctrtool/tmd.c b/ctrtool/tmd.c
index d86d4a5f..e6a2b15e 100644
--- a/ctrtool/tmd.c
+++ b/ctrtool/tmd.c
@@ -42,12 +42,10 @@ void tmd_process(tmd_context* ctx, u32 actions)
 		fseek(ctx->file, ctx->offset, SEEK_SET);
 		fread(ctx->buffer, 1, ctx->size, ctx->file);
 
-		/*
 		if (actions & InfoFlag)
 		{
 			tmd_print(ctx);
 		}
-		*/
 	}
 }
 

From b4b22944a40508f2117070e107c466f20aadb192 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 9 Sep 2014 14:12:55 +1000
Subject: [PATCH 057/317] ctrtool: allow specify tik titlekey

---
 ctrtool/cia.c      |  4 +++-
 ctrtool/keyset.cpp | 12 ++++++++++++
 ctrtool/keyset.h   |  3 +++
 ctrtool/main.c     |  3 +++
 ctrtool/settings.c |  7 +++++++
 ctrtool/settings.h |  1 +
 6 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index 030b09da..c0963a54 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -217,7 +217,9 @@ void cia_process(cia_context* ctx, u32 actions)
 
 	if (settings_get_common_key(ctx->usersettings))
 		tik_get_decrypted_titlekey(&ctx->tik, ctx->titlekey);
-
+	else if(settings_get_title_key(ctx->usersettings))
+		memcpy(ctx->titlekey, settings_get_title_key(ctx->usersettings), 16);
+		
 	tmd_set_file(&ctx->tmd, ctx->file);
 	tmd_set_offset(&ctx->tmd, ctx->offsettmd);
 	tmd_set_size(&ctx->tmd, ctx->sizetmd);
diff --git a/ctrtool/keyset.cpp b/ctrtool/keyset.cpp
index bc7e23cc..f11e185d 100644
--- a/ctrtool/keyset.cpp
+++ b/ctrtool/keyset.cpp
@@ -175,6 +175,8 @@ void keyset_merge(keyset* keys, keyset* src)
 		keyset_set_key128(&keys->ncchfixedsystemkey, src->ncchfixedsystemkey.data);
 	if (src->commonkey.valid)
 		keyset_set_key128(&keys->commonkey, src->commonkey.data);
+	if (src->titlekey.valid)
+		keyset_set_key128(&keys->titlekey, src->titlekey.data);
 }
 
 void keyset_set_key128(key128* key, unsigned char* keydata)
@@ -198,6 +200,16 @@ void keyset_parse_commonkey(keyset* keys, char* keytext, int keylen)
 	keyset_parse_key128(&keys->commonkey, keytext, keylen);
 }
 
+void keyset_set_titlekey(keyset* keys, unsigned char* keydata)
+{
+	keyset_set_key128(&keys->titlekey, keydata);
+}
+
+void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen)
+{
+	keyset_parse_key128(&keys->titlekey, keytext, keylen);
+}
+
 void keyset_set_ncchkey(keyset* keys, unsigned char* keydata)
 {
 	keyset_set_key128(&keys->ncchkey, keydata);
diff --git a/ctrtool/keyset.h b/ctrtool/keyset.h
index f695f541..2cf28668 100644
--- a/ctrtool/keyset.h
+++ b/ctrtool/keyset.h
@@ -43,6 +43,7 @@ typedef struct
 typedef struct
 {
 	key128 commonkey;
+	key128 titlekey;
 	key128 ncchkey;
 	key128 ncchfixedsystemkey;
 	rsakey2048 ncsdrsakey;
@@ -56,6 +57,8 @@ int keyset_load(keyset* keys, const char* fname, int verbose);
 void keyset_merge(keyset* keys, keyset* src);
 void keyset_set_commonkey(keyset* keys, unsigned char* keydata);
 void keyset_parse_commonkey(keyset* keys, char* keytext, int keylen);
+void keyset_set_titlekey(keyset* keys, unsigned char* keydata);
+void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen);
 void keyset_set_ncchkey(keyset* keys, unsigned char* keydata);
 void keyset_parse_ncchkey(keyset* keys, char* keytext, int keylen);
 void keyset_set_ncchfixedsystemkey(keyset* keys, unsigned char* keydata);
diff --git a/ctrtool/main.c b/ctrtool/main.c
index 9f2b766a..98671ab4 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -53,6 +53,7 @@ static void usage(const char *argv0)
 		   "  -y, --verify       Verify hashes and signatures.\n"
 		   "  --unitsize=size    Set media unit size (default 0x200).\n"
 		   "  --commonkey=key    Set common key.\n"
+		   "  --titlekey=key     Set tik title key.\n"
 		   "  --ncchkey=key      Set ncch key.\n"
 		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
 		   "  --showkeys         Show the keys being used.\n"
@@ -146,6 +147,7 @@ int main(int argc, char* argv[])
 			{"wavloops", 1, NULL, 19},
 			{"logo", 1, NULL, 20},
 			{"decompresscode", 0, NULL, 21},
+			{"titlekey", 1, NULL, 22},
 			{NULL},
 		};
 
@@ -233,6 +235,7 @@ int main(int argc, char* argv[])
 			case 19: settings_set_cwav_loopcount(&ctx.usersettings, strtoul(optarg, 0, 0)); break;
 			case 20: settings_set_logo_path(&ctx.usersettings, optarg); break;
 			case 21: ctx.actions |= DecompressCodeFlag; break;
+			case 22: keyset_parse_titlekey(&tmpkeys, optarg, strlen(optarg)); break;
 
 			default:
 				usage(argv[0]);
diff --git a/ctrtool/settings.c b/ctrtool/settings.c
index 888bdc94..cbc7aec1 100644
--- a/ctrtool/settings.c
+++ b/ctrtool/settings.c
@@ -152,6 +152,13 @@ unsigned char* settings_get_common_key(settings* usersettings)
 		return 0;
 }
 
+unsigned char* settings_get_title_key(settings* usersettings)
+{
+	if (usersettings && usersettings->keys.titlekey.valid)
+		return usersettings->keys.titlekey.data;
+	else
+		return 0;
+}
 
 int settings_get_ignore_programid(settings* usersettings)
 {
diff --git a/ctrtool/settings.h b/ctrtool/settings.h
index 39d3c2de..c75bb94b 100644
--- a/ctrtool/settings.h
+++ b/ctrtool/settings.h
@@ -47,6 +47,7 @@ unsigned int settings_get_mediaunit_size(settings* usersettings);
 unsigned char* settings_get_ncch_key(settings* usersettings);
 unsigned char* settings_get_ncch_fixedsystemkey(settings* usersettings);
 unsigned char* settings_get_common_key(settings* usersettings);
+unsigned char* settings_get_title_key(settings* usersettings);
 int settings_get_ignore_programid(settings* usersettings);
 int settings_get_list_romfs_files(settings* usersettings);
 int settings_get_cwav_loopcount(settings* usersettings);

From c7c2c3f73e62dfb0430d12480a4e59134da36caf Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Tue, 16 Sep 2014 19:15:55 +1000
Subject: [PATCH 058/317] makerom: fixes

Moved away from ctrtool's polarssl api completely. Brought certs.c/h
inline with code style, fixed bugs relating to tmd savedata field
generation and not recording savedata size from rsf (ncsd.c)
---
 makerom/certs.c     | 142 ++++++++++----------------
 makerom/certs.h     |  29 +++---
 makerom/cia.c       |  26 ++---
 makerom/crypto.c    | 240 ++++++++++++++++++++------------------------
 makerom/crypto.h    |  53 ++++------
 makerom/exefs.c     |   2 +-
 makerom/exheader.c  |  12 +--
 makerom/ncch.c      |  18 ++--
 makerom/ncsd.c      |  11 +-
 makerom/romfs_gen.c |   2 +-
 makerom/tik.c       |  12 +--
 makerom/tmd.c       |   7 +-
 12 files changed, 237 insertions(+), 317 deletions(-)

diff --git a/makerom/certs.c b/makerom/certs.c
index f02b3b5a..199461bb 100644
--- a/makerom/certs.c
+++ b/makerom/certs.c
@@ -2,57 +2,64 @@
 #include "certs.h"
 
 // Cert Sizes
-
-u32 GetCertSize(u8 *cert)
-{
-	u32 SigSize = 0;
-	u32 SigPadding = 0;
-	GetCertSigSectionSizes(&SigSize,&SigPadding,cert);
-	if(!SigSize || !SigPadding) return 0;
-
-	Cert_Struct *certcore = (Cert_Struct*)(cert+4+SigSize+SigPadding);
-
-	u32 PubKSectionSize = GetCertPubkSectionSize((pubk_types)u8_to_u32(certcore->KeyType,BE));
-
-	return (4+SigSize+SigPadding+sizeof(Cert_Struct)+PubKSectionSize);
-}
-
-void GetCertSigSectionSizes(u32 *SigSize, u32 *SigPadding, u8 *cert)
+void GetCertSigSectionSizes(u32 *sign_size, u32 *sign_padlen, u8 *cert)
 {
-	sig_types sig = (sig_types)u8_to_u32(cert,BE);
+	u32 sig = u8_to_u32(cert,BE);
 	switch(sig){
 		case RSA_4096_SHA1 :
-			*SigSize = 0x200;
-			*SigPadding = 0x3C;
+			*sign_size = 0x200;
+			*sign_padlen = 0x3C;
 			break;
 		case RSA_2048_SHA1 :
-			*SigSize = 0x100;
-			*SigPadding = 0x3C;
+			*sign_size = 0x100;
+			*sign_padlen = 0x3C;
 			break;
 		case ECC_SHA1 :
-			*SigSize = 0x3C;
-			*SigPadding = 0x40;
+			*sign_size = 0x3C;
+			*sign_padlen = 0x40;
 			break;
 		case RSA_4096_SHA256 :
-			*SigSize = 0x200;
-			*SigPadding = 0x3C;
+			*sign_size = 0x200;
+			*sign_padlen = 0x3C;
 			break;
 		case RSA_2048_SHA256 :
-			*SigSize = 0x100;
-			*SigPadding = 0x3C;
+			*sign_size = 0x100;
+			*sign_padlen = 0x3C;
 			break;
 		case ECC_SHA256 :
-			*SigSize = 0x3C;
-			*SigPadding = 0x40;
+			*sign_size = 0x3C;
+			*sign_padlen = 0x40;
 			break;
 		default :
-			*SigSize = 0;
-			*SigPadding = 0;
+			*sign_size = 0;
+			*sign_padlen = 0;
 			break;
 	}
 	return;
 }
 
+u32 GetCertSize(u8 *cert)
+{
+	u32 sign_size = 0;
+	u32 sign_padlen = 0;
+	GetCertSigSectionSizes(&sign_size,&sign_padlen,cert);
+	if(!sign_size || !sign_padlen)
+		return 0;
+
+	return sizeof(u32) + sign_size + sign_padlen + sizeof(cert_hdr) + GetCertPubkSectionSize(GetCertPubkType(cert));
+}
+
+
+cert_hdr* GetCertHdr(u8 *cert)
+{
+	u32 sign_size = 0;
+	u32 sign_padlen = 0;
+	GetCertSigSectionSizes(&sign_size,&sign_padlen,cert);
+	if(!sign_size || !sign_padlen) return NULL;
+
+	return (cert_hdr*)(cert+4+sign_size+sign_padlen);
+}
+
 u32 GetCertPubkSectionSize(pubk_types type)
 {
 	switch(type){
@@ -66,80 +73,41 @@ u32 GetCertPubkSectionSize(pubk_types type)
 // Issuer/Name Functions
 u8 *GetCertIssuer(u8 *cert)
 {
-	u32 SigSize = 0;
-	u32 SigPadding = 0;
-	GetCertSigSectionSizes(&SigSize,&SigPadding,cert);
-	if(!SigSize || !SigPadding) return 0;
-
-	Cert_Struct *certcore = (Cert_Struct*)(cert+4+SigSize+SigPadding);
-	return certcore->Issuer;
+	cert_hdr *hdr = GetCertHdr(cert);
+	return hdr->issuer;
 }
 u8 *GetCertName(u8 *cert)
 {
-	u32 SigSize = 0;
-	u32 SigPadding = 0;
-	GetCertSigSectionSizes(&SigSize,&SigPadding,cert);
-	if(!SigSize || !SigPadding) return 0;
-
-	Cert_Struct *certcore = (Cert_Struct*)(cert+4+SigSize+SigPadding);
-	return certcore->Name;
+	cert_hdr *hdr = GetCertHdr(cert);
+	return hdr->name;
 }
 
-int GenCertChildIssuer(u8 *dest, u8 *cert)
+void GenCertChildIssuer(u8 *dest, u8 *cert)
 {
-	u8 *issuer = GetCertIssuer(cert);
-	u8 *name = GetCertName(cert);
-
-	/*
-	u32 out_size = strlen((char*)issuer) + strlen((char*)name) + 1;
-	if(out_size > 0x40) return MEM_ERROR;
-	*/
-
-	snprintf((char*)dest,0x40,"%s-%s",issuer,name);
-
-	/*
-	strcat((char*)dest,(char*)issuer);
-	strcat((char*)dest,"-");
-	strcat((char*)dest,(char*)name);
-	*/
-	return 0;
+	snprintf((char*)dest,0x40,"%s-%s",GetCertIssuer(cert),GetCertName(cert));
 }
 
 // Pubk
 pubk_types GetCertPubkType(u8 *cert)
 {
-	u32 SigSize = 0;
-	u32 SigPadding = 0;
-	GetCertSigSectionSizes(&SigSize,&SigPadding,cert);
-	if(!SigSize || !SigPadding) return 0;
-
-	Cert_Struct *certcore = (Cert_Struct*)(cert+4+SigSize+SigPadding);
+	cert_hdr *hdr = GetCertHdr(cert);
 
-	return (pubk_types)u8_to_u32(certcore->KeyType,BE);
+	return (pubk_types)u8_to_u32(hdr->keyType,BE);
 }
 u8 *GetCertPubk(u8 *cert)
 {
-	u32 SigSize = 0;
-	u32 SigPadding = 0;
-	GetCertSigSectionSizes(&SigSize,&SigPadding,cert);
-	if(!SigSize || !SigPadding) return 0;
-	return (cert+4+SigSize+SigPadding+sizeof(Cert_Struct));
+	if(!GetCertHdr(cert)) 
+		return NULL;
+	return ((u8*)GetCertHdr(cert)) + sizeof(cert_hdr);
 }
 
 bool VerifyCert(u8 *cert, u8 *pubk)
 {
-	u32 SigSize = 0;
-	u32 SigPadding = 0;
-	GetCertSigSectionSizes(&SigSize,&SigPadding,cert);
-	if(!SigSize || !SigPadding) return 0;
-
-
-	u8 *signature = (cert+4);
-	u8 *data = (cert+4+SigSize+SigPadding);
-	u32 datasize = sizeof(Cert_Struct) + GetCertPubkSectionSize(GetCertPubkType(cert));
-
-	int result = ctr_sig(data,datasize,signature,pubk,NULL,u8_to_u32(cert,BE),CTR_RSA_VERIFY);
+	if(!GetCertHdr(cert)) 
+		return false;
+	u8 *signature = (cert+sizeof(u32));
+	u8 *data = (u8*)GetCertHdr(cert);
+	u32 datasize = sizeof(cert_hdr) + GetCertPubkSectionSize(GetCertPubkType(cert));
 
-	if(result == 0) return true;
-	else return false;
+	return RsaSignVerify(data,datasize,signature,pubk,NULL,u8_to_u32(cert,BE),CTR_RSA_VERIFY);
 }
\ No newline at end of file
diff --git a/makerom/certs.h b/makerom/certs.h
index 0ab05d15..b88b3324 100644
--- a/makerom/certs.h
+++ b/makerom/certs.h
@@ -2,41 +2,40 @@
 
 typedef struct
 {
-	u8 Issuer[0x40];
-	u8 KeyType[4];
-	u8 Name[0x40];
-	u8 Unknown[4];
-} Cert_Struct;
+	u8 issuer[0x40];
+	u8 keyType[4];
+	u8 name[0x40];
+	u8 id[4];
+} cert_hdr;
 
 typedef struct
 {
-	u8 Modulus[0x200];
-	u8 PubExponent[4];
-	u8 Padding[0x34];
+	u8 modulus[0x200];
+	u8 pubExponent[4];
+	u8 padding[0x34];
 } rsa_4096_pubk_struct;
 
 typedef struct
 {
-	u8 Modulus[0x100];
-	u8 PubExponent[4];
-	u8 Padding[0x34];
+	u8 modulus[0x100];
+	u8 pubExponent[4];
+	u8 padding[0x34];
 } rsa_2048_pubk_struct;
 
 typedef struct
 {
-	u8 PubK[0x3C];
-	u8 Padding[0x3C];
+	u8 pubK[0x3C];
+	u8 padding[0x3C];
 } ecc_pubk_struct;
 
 // Cert Sizes
 u32 GetCertSize(u8 *cert);
-void GetCertSigSectionSizes(u32 *SigSize, u32 *SigPadding, u8 *cert);
 u32 GetCertPubkSectionSize(pubk_types type);
 
 // Issuer/Name Functions
 u8 *GetCertIssuer(u8 *cert);
 u8 *GetCertName(u8 *cert);
-int GenCertChildIssuer(u8 *dest, u8 *cert);
+void GenCertChildIssuer(u8 *dest, u8 *cert);
 
 // Pubk
 pubk_types GetCertPubkType(u8 *cert);
diff --git a/makerom/cia.c b/makerom/cia.c
index a1d182a2..64925c1e 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -17,7 +17,6 @@ const int CIA_ALIGN_SIZE = 0x40;
 const int CIA_CONTENT_ALIGN = 0x10;
 
 // Private Prototypes
-void InitCiaSettings(cia_settings *set);
 void FreeCiaSettings(cia_settings *set);
 int GetCiaSettings(cia_settings *ciaset, user_settings *usrset);
 
@@ -53,7 +52,6 @@ int build_CIA(user_settings *usrset)
 	}
 
 	// Get Settings
-	InitCiaSettings(ciaset);
 	result = GetCiaSettings(ciaset,usrset);
 	if(result) goto finish;
 
@@ -96,11 +94,6 @@ int build_CIA(user_settings *usrset)
 	return result;
 }
 
-void InitCiaSettings(cia_settings *set)
-{
-	memset(set,0,sizeof(cia_settings));
-}
-
 void FreeCiaSettings(cia_settings *set)
 {
 	if(set->content.filePtrs){
@@ -198,8 +191,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 		
 	ciaset->tik.formatVersion = 1;
 
-	int result = GenCertChildIssuer(ciaset->tik.issuer,ciaset->keys->certs.xsCert);
-	if(result) return result;
+	GenCertChildIssuer(ciaset->tik.issuer,ciaset->keys->certs.xsCert);
 	
 	// Tmd Stuff
 	if(usrset->cia.contentId[0] > MAX_U32)
@@ -209,7 +201,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 
 	ciaset->tmd.formatVersion = 1;
 	ciaset->tmd.accessRights = 0;
-	result = GenCertChildIssuer(ciaset->tmd.issuer,ciaset->keys->certs.cpCert);
+	GenCertChildIssuer(ciaset->tmd.issuer,ciaset->keys->certs.cpCert);
 	return 0;
 }
 
@@ -293,14 +285,16 @@ int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *
 		
 	if(IsPatch(GetTidCategory(ciaset->common.titleId))||ciaset->content.IsCfa) 
 		ciaset->tmd.savedataSize = 0;
-	else if(ciaset->content.keyNotFound && ciaset->rsf->SystemControlInfo.SaveDataSize){ // if it's a title which can have save data, but save data size could not be read from exhdr
+	else if(!ciaset->content.keyNotFound) 
+		ciaset->tmd.savedataSize = (u32)(GetSaveDataSize_frm_exhdr(exhdr) & MAX_U32);
+	else if(ciaset->rsf->SystemControlInfo.SaveDataSize){ // if it's a title which can have save data, but save data size could not be read from exhdr
 		u64 size = 0;
 		GetSaveDataSizeFromString(&size,ciaset->rsf->SystemControlInfo.SaveDataSize,"CIA");
 		ciaset->tmd.savedataSize = (u32)(size & MAX_U32);
 	}
-	else 
-		ciaset->tmd.savedataSize = (u32)(GetSaveDataSize_frm_exhdr(exhdr) & MAX_U32);
-			
+	else
+		ciaset->tmd.savedataSize = 0;
+		
 	if(ciaset->content.IsCfa||ciaset->content.keyNotFound){
 		if(ciaset->common.titleVersion[VER_MAJOR] == MAX_U16){ // '-major' wasn't set
 			if(ciaset->content.IsCfa){ // Is a CFA and can be decrypted
@@ -569,7 +563,7 @@ u16 SetupVersion(u16 major, u16 minor, u16 micro)
 void GetContentHashes(cia_settings *ciaset)
 {
 	for(int i = 0; i < ciaset->content.count; i++)
-		ctr_sha(ciaset->ciaSections.content.buffer+ciaset->content.offset[i],ciaset->content.size[i],ciaset->content.hash[i],CTR_SHA_256);
+		ShaCalc(ciaset->ciaSections.content.buffer+ciaset->content.offset[i],ciaset->content.size[i],ciaset->content.hash[i],CTR_SHA_256);
 }
 
 void EncryptContent(cia_settings *ciaset)
@@ -653,7 +647,7 @@ int CryptContent(u8 *input, u8 *output, u64 size, u8 *title_key, u16 index, u8 m
 	iv[0] = (index >> 8) & 0xff;
 	iv[1] = index & 0xff;
 	//Crypting content
-	AesCbc(title_key,iv,input,output,size,mode);
+	AesCbcCrypt(title_key,iv,input,output,size,mode);
 	return 0;
 }
 
diff --git a/makerom/crypto.c b/makerom/crypto.c
index 71dbdd39..9fd99ee7 100644
--- a/makerom/crypto.c
+++ b/makerom/crypto.c
@@ -1,14 +1,24 @@
 #include "lib.h"
 #include "crypto.h"
 
+const u8 RSA_PUB_EXP[0x3] = {0x01,0x00,0x01};
+const int HASH_MAX_LEN = 0x20;
+
+int ctr_rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
+                               int mode,
+                               int hash_id,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               unsigned char *sig );
+
 bool VerifySha256(void *data, u64 size, u8 hash[32])
 {
 	u8 calchash[32];
-	ctr_sha(data, size, calchash, CTR_SHA_256);
+	ShaCalc(data, size, calchash, CTR_SHA_256);
 	return memcmp(hash,calchash,32) == 0;
 }
 
-void ctr_sha(void *data, u64 size, u8 *hash, int mode)
+void ShaCalc(void *data, u64 size, u8 *hash, int mode)
 {
 	switch(mode){
 		case(CTR_SHA_1): sha1((u8*)data, size, hash); break;
@@ -21,7 +31,7 @@ void SetAesCtrOffset(u8 *ctr, u64 offset)
 	u64_to_u8(ctr+8,u8_to_u64(ctr+8,BE)|align(offset,16)/16,BE);
 }
 
-void AesCtr(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset)
+void AesCtrCrypt(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset)
 {
 	u8 stream[16];
 	aes_context aes;
@@ -37,7 +47,7 @@ void AesCtr(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset)
 	return;
 }
 
-void AesCbc(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode)
+void AesCbcCrypt(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode)
 {
 	aes_context aes;
 	clrmem(&aes,sizeof(aes_context));
@@ -56,168 +66,138 @@ void AesCbc(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode)
 	}
 }
 
-void ctr_rsa_free(ctr_rsa_context* ctx)
-{
-	rsa_free(&ctx->rsa);
-}
-
-int ctr_rsa_init(ctr_rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8 rsa_type, u8 mode)
+bool RsaKeyInit(rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8 rsa_type)
 {
 	// Sanity Check
-	if(ctx == NULL || modulus == NULL ||(private_exp == NULL && mode == RSAKEY_PRIV) || (exponent == NULL && mode == RSAKEY_PUB))
-		return Fail;
-	rsa_init(&ctx->rsa, RSA_PKCS_V15, 0);
+	if(!ctx)
+		return false;
+	
+	rsa_init(ctx, RSA_PKCS_V15, 0);
+	
 	u16 n_size = 0;
 	u16 d_size = 0;
 	u16 e_size = 0;
+	
 	switch(rsa_type){
 		case RSA_2048:
-			ctx->rsa.len = 0x100;
+			ctx->len = 0x100;
 			n_size = 0x100;
 			d_size = 0x100;
 			e_size = 3;
 			break;
 		case RSA_4096:
-			ctx->rsa.len = 0x200;
+			ctx->len = 0x200;
 			n_size = 0x200;
 			d_size = 0x200;
 			e_size = 3;
 			break;
-		default: return Fail;
-	}
-		
-	switch(mode){
-		case(RSAKEY_PUB):
-			if (mpi_read_binary(&ctx->rsa.N, modulus, n_size))
-				goto clean;
-			if (mpi_read_binary(&ctx->rsa.E, exponent, e_size))
-				goto clean;
-			break;
-		case(RSAKEY_PRIV):
-			if (mpi_read_binary(&ctx->rsa.N, modulus, n_size))
-				goto clean;
-			if (mpi_read_binary(&ctx->rsa.D, private_exp, d_size))
-				goto clean;
-			break;
-		default: return Fail;
+		default: return false;
 	}
+	
+	if (modulus && mpi_read_binary(&ctx->N, modulus, n_size))
+		goto clean;
+	if (exponent && mpi_read_binary(&ctx->E, exponent, e_size))
+		goto clean;
+	if (private_exp && mpi_read_binary(&ctx->D, private_exp, d_size))
+		goto clean;
+	
 
-	return Good;
+	return true;
 clean:
-	ctr_rsa_free(ctx);
-	return Fail;
+	rsa_free(ctx);
+	return false;
 }
 
-int ctr_sig(void *data, u64 size, u8 *signature, u8 *modulus, u8 *private_exp, u32 type, u8 mode)
+u8 GetRsaType(u32 sig_type)
 {
-	int result = 0;
-	int hashtype, hashlen, sigtype;
-	if(data == NULL || signature == NULL || modulus == NULL ||(private_exp == NULL && mode == CTR_RSA_SIGN))
-		return Fail;
-		
-	switch(type){
+	switch(sig_type){
 		case RSA_4096_SHA1:
-			hashtype = CTR_SHA_1;
-			hashlen = 0x14;
-			sigtype = RSA_4096;
 		case RSA_4096_SHA256:
-			hashtype = CTR_SHA_256;
-			hashlen = 0x20;
-			sigtype = RSA_4096;
-			break;
+			return RSA_4096;
 		case RSA_2048_SHA1:
-			hashtype = CTR_SHA_1;
-			hashlen = 0x14;
-			sigtype = RSA_2048;
 		case RSA_2048_SHA256:
-			hashtype = CTR_SHA_256;
-			hashlen = 0x20;
-			sigtype = RSA_2048;
-			break;
+			return RSA_2048;			
+	}
+	return INVALID_SIG_TYPE;
+}
+
+u32 GetSigHashType(u32 sig_type)
+{
+	switch(sig_type){
+		case RSA_4096_SHA1:
+		case RSA_2048_SHA1:
 		case ECC_SHA1:
-			hashtype = CTR_SHA_1;
-			hashlen = 0x14;
-			sigtype = ECC;
+			return CTR_SHA_1;
+		case RSA_4096_SHA256:
+		case RSA_2048_SHA256:
 		case ECC_SHA256:
-			hashtype = CTR_SHA_256;
-			hashlen = 0x20;
-			sigtype = ECC;
-			break;
-		default: return Fail;
+			return CTR_SHA_256;
 	}
-	
-	u8 hash[hashlen];
-	memset(hash,0,hashlen);
-	ctr_sha(data,size,hash,hashtype);
-	//memdump(stdout,"Data:        ",data,size);
-	//memdump(stdout,"HashFor Sig: ",hash,hashlen);
-	
-	if(sigtype == RSA_2048 || sigtype == RSA_4096)
-		result = ctr_rsa(hash,signature,modulus,private_exp,type,mode);
-	else if(sigtype == ECC){
-		printf("[!] ECC is not yet implemented\n");
-		result = Fail;
-	}
-	return result;
+	return 0;
 }
 
-int ctr_rsa(u8 *hash, u8 *signature, u8 *modulus, u8 *private_exp, u32 type, u8 mode)
+int GetRsaHashType(u32 sig_type)
 {
-	int result = 0;
-	// Sanity Check
-	if(hash == NULL || signature == NULL || modulus == NULL ||(private_exp == NULL && mode == CTR_RSA_SIGN))
-		return Fail;
-	
-	// Getting details from sig type
-	int hashtype;
-	int hashlen;
-	int sigtype;
-	switch(type){
-			case RSA_4096_SHA1:
-				hashtype = SIG_RSA_SHA1;
-				hashlen = 0x14;
-				sigtype = RSA_4096;
-				break;
-			case RSA_4096_SHA256:
-				hashtype = SIG_RSA_SHA256;
-				hashlen = 0x14;
-				sigtype = RSA_4096;
-				break;
-			case RSA_2048_SHA1:
-				hashtype = SIG_RSA_SHA1;
-				hashlen = 0x20;
-				sigtype = RSA_2048;
-				break;
-			case RSA_2048_SHA256:
-				hashtype = SIG_RSA_SHA256;
-				hashlen = 0x20;
-				sigtype = RSA_2048;
-				break;
-			default: return Fail;
+	switch(sig_type){
+		case RSA_4096_SHA1:
+		case RSA_2048_SHA1:
+			return SIG_RSA_SHA1;
+		case RSA_4096_SHA256:
+		case RSA_2048_SHA256:
+			return SIG_RSA_SHA256;
 	}
-	
-	// Setting up
-	ctr_rsa_context ctx;
-	u8 exponent[3] = {0x01,0x00,0x01};
-	switch(mode){
-		case CTR_RSA_VERIFY: 
-			result = ctr_rsa_init(&ctx,modulus,NULL,(u8*)exponent,sigtype,RSAKEY_PUB);
-			break;
-		case CTR_RSA_SIGN: 
-			result = ctr_rsa_init(&ctx,modulus,private_exp,NULL,sigtype,RSAKEY_PRIV);
-			break;
+	return 0;
+}
+
+u32 GetSigHashLen(u32 sig_type)
+{
+	switch(sig_type){
+		case RSA_4096_SHA1:
+			return 0x14;
+		case RSA_4096_SHA256:
+			return 0x20;
+		case RSA_2048_SHA1:
+			return 0x14;
+		case RSA_2048_SHA256:
+			return 0x20;
+		case ECC_SHA1:
+			return 0x14;
+		case ECC_SHA256:
+			return 0x20;
 	}
-	if(result)return result;
+	return 0;
+}
+
+bool CalcHashForSign(void *data, u64 len, u8 *hash, u32 sig_type)
+{
+	if(GetSigHashType(sig_type) == 0)
+		return false;
+
+	ShaCalc(data, len, hash, GetSigHashType(sig_type));
 	
-	switch(mode){
-		case CTR_RSA_VERIFY: 
-			return rsa_pkcs1_verify(&ctx.rsa,RSA_PUBLIC,hashtype,hashlen,hash,signature);
-		case CTR_RSA_SIGN: 
-			return ctr_rsa_rsassa_pkcs1_v15_sign(&ctx.rsa,RSA_PRIVATE,hashtype,hashlen,hash,signature);
-	}
-	return Fail;
-} 
+	return true;
+}
+
+int RsaSignVerify(void *data, u64 len, u8 *sign, u8 *mod, u8 *priv_exp, u32 sig_type, u8 rsa_mode)
+{
+	int rsa_result = 0;
+	rsa_context ctx;
+	u8 hash[HASH_MAX_LEN];
+		
+	if(!RsaKeyInit(&ctx, mod, priv_exp, (u8*)RSA_PUB_EXP, GetRsaType(sig_type)))
+		return -1;
+		
+	if(!CalcHashForSign(data, len, hash, sig_type))
+		return -1;		
 
+	if(rsa_mode == CTR_RSA_VERIFY)
+		rsa_result = rsa_pkcs1_verify(&ctx, RSA_PUBLIC, GetRsaHashType(sig_type), 0, hash, sign);
+	else // CTR_RSA_SIGN
+		rsa_result = ctr_rsa_rsassa_pkcs1_v15_sign(&ctx, RSA_PRIVATE, GetRsaHashType(sig_type), 0, hash, sign);
+	
+	rsa_free(&ctx);
+	return rsa_result;
+}
 
 /**
 *  Hacked from rsa.c, polarssl doesn't like generating signatures when only D and N are present
diff --git a/makerom/crypto.h b/makerom/crypto.h
index 9a29a107..617fdc84 100644
--- a/makerom/crypto.h
+++ b/makerom/crypto.h
@@ -14,25 +14,26 @@ typedef enum
 	RSA_4096_SHA256 = 0x00010003,
 	RSA_2048_SHA256 = 0x00010004,
 	ECC_SHA256 = 0x00010005
-} sig_types;
+} ctr_sig_types;
 
 typedef enum
 {
-	RSA_2048 = 0,
-	RSA_4096 = 1,
-	ECC = 2,
-} ctr_sig_types;
+	CTR_RSA_VERIFY,
+	CTR_RSA_SIGN,
+} ctr_rsa_mode;
 
 typedef enum
 {
-	CTR_RSA_VERIFY = 0,
-	CTR_RSA_SIGN = 1,
-} ctr_rsa_functions;
+	RSA_4096,
+	RSA_2048,
+	ECC,
+	INVALID_SIG_TYPE,
+} sig_types;
 
 typedef enum
 {
-	CTR_SHA_1 = 1,
-	CTR_SHA_256 = 256,
+	CTR_SHA_1,
+	CTR_SHA_256,
 } ctr_sha_modes;
 
 typedef enum
@@ -46,42 +47,22 @@ typedef enum
 {
 	ENC,
 	DEC
-} aescbcmode;
+} aes_mode;
 
-typedef enum
-{
-	RSAKEY_INVALID,
-	RSAKEY_PRIV,
-	RSAKEY_PUB
-} rsakeytype;
-
-typedef struct
-{
-	rsa_context rsa;
-} ctr_rsa_context;
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 // SHA
 bool VerifySha256(void *data, u64 size, u8 hash[32]);
-void ctr_sha(void *data, u64 size, u8 *hash, int mode);
+void ShaCalc(void *data, u64 size, u8 *hash, int mode);
 // AES
-void AesCtr(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset);
-void AesCbc(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode);
+void AesCtrCrypt(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset);
+void AesCbcCrypt(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode);
 // RSA
-void ctr_rsa_free(ctr_rsa_context* ctx);
-int ctr_rsa_init(ctr_rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8 rsa_type, u8 mode);
-int ctr_rsa(u8 *hash, u8 *signature, u8 *modulus, u8 *private_exp, u32 type, u8 mode);
-int ctr_rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
-                               int mode,
-                               int hash_id,
-                               unsigned int hashlen,
-                               const unsigned char *hash,
-                               unsigned char *sig );
+int RsaSignVerify(void *data, u64 len, u8 *sign, u8 *mod, u8 *priv_exp, u32 sig_type, u8 rsa_mode);
+
 
-// Signature Functions
-int ctr_sig(void *data, u64 size, u8 *signature, u8 *modulus, u8 *private_exp, u32 type, u8 mode);
 					
 #ifdef __cplusplus
 }
diff --git a/makerom/exefs.c b/makerom/exefs.c
index 591d3f55..e11f5681 100644
--- a/makerom/exefs.c
+++ b/makerom/exefs.c
@@ -75,7 +75,7 @@ int GenerateExeFS_Header(exefs_buildctx *ctx, u8 *outbuff)
 		memcpy(exefs->fileHdr[i].name,ctx->fileName[i],8);
 		u32_to_u8(exefs->fileHdr[i].offset,ctx->fileOffset[i],LE);
 		u32_to_u8(exefs->fileHdr[i].size,ctx->fileSize[i],LE);
-		ctr_sha(ctx->file[i],ctx->fileSize[i],exefs->fileHashes[MAX_EXEFS_SECTIONS-1-i],CTR_SHA_256);
+		ShaCalc(ctx->file[i],ctx->fileSize[i],exefs->fileHashes[MAX_EXEFS_SECTIONS-1-i],CTR_SHA_256);
 	}
 	return 0;
 }
diff --git a/makerom/exheader.c b/makerom/exheader.c
index d7dba89a..730a03aa 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -53,16 +53,16 @@ int get_ExHeaderARM9AccessControlInfo(exhdr_ARM9AccessControlInfo *arm9, rsf_set
 /* ExHeader Signature Functions */
 int SignAccessDesc(access_descriptor *acexDesc, keys_struct *keys)
 {
-	u8 *AccessDesc = (u8*) &acexDesc->ncchRsaPubKey;
-	u8 *Signature = (u8*) &acexDesc->signature;
-	return ctr_sig(AccessDesc,0x300,Signature,keys->rsa.acexPub,keys->rsa.acexPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	u8 *data = (u8*) &acexDesc->ncchRsaPubKey;
+	u8 *sign = (u8*) &acexDesc->signature;
+	return RsaSignVerify(data,0x300,sign,keys->rsa.acexPub,keys->rsa.acexPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
 int CheckAccessDescSignature(access_descriptor *acexDesc, keys_struct *keys)
 {
-	u8 *AccessDesc = (u8*) &acexDesc->ncchRsaPubKey;
-	u8 *Signature = (u8*) &acexDesc->signature;
-	return ctr_sig(AccessDesc,0x300,Signature,keys->rsa.acexPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	u8 *data = (u8*) &acexDesc->ncchRsaPubKey;
+	u8 *sign = (u8*) &acexDesc->signature;
+	return RsaSignVerify(data,0x300,sign,keys->rsa.acexPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 }
 
 /* ExHeader Build Functions */
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 5688842e..e79e041f 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -34,22 +34,22 @@ bool IsValidProductCode(char *ProductCode, bool FreeProductCode);
 // Code
 int SignCFA(ncch_hdr *hdr, keys_struct *keys)
 {
-	return ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
 int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys)
 {
-	return ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 }
 
 int SignCXI(ncch_hdr *hdr, keys_struct *keys)
 {
-	return ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cxiHdrPub,keys->rsa.cxiHdrPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cxiHdrPub,keys->rsa.cxiHdrPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
 int CheckCXISignature(ncch_hdr *hdr, u8 *pubk)
 {
-	int result = ctr_sig(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),pubk,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	int result = RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),pubk,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 	return result;
 }
 
@@ -500,13 +500,13 @@ int FinaliseNcch(ncch_settings *set)
 
 	// Taking Hashes
 	if(set->cryptoDetails.exhdrSize)
-		ctr_sha(exhdr,set->cryptoDetails.exhdrSize,hdr->exhdrHash,CTR_SHA_256);
+		ShaCalc(exhdr,set->cryptoDetails.exhdrSize,hdr->exhdrHash,CTR_SHA_256);
 	if(set->cryptoDetails.logoSize)
-		ctr_sha(logo,set->cryptoDetails.logoSize,hdr->logoHash,CTR_SHA_256);
+		ShaCalc(logo,set->cryptoDetails.logoSize,hdr->logoHash,CTR_SHA_256);
 	if(set->cryptoDetails.exefsHashDataSize)
-		ctr_sha(exefs,set->cryptoDetails.exefsHashDataSize,hdr->exefsHash,CTR_SHA_256);
+		ShaCalc(exefs,set->cryptoDetails.exefsHashDataSize,hdr->exefsHash,CTR_SHA_256);
 	if(set->cryptoDetails.romfsHashDataSize)
-		ctr_sha(romfs,set->cryptoDetails.romfsHashDataSize,hdr->romfsHash,CTR_SHA_256);
+		ShaCalc(romfs,set->cryptoDetails.romfsHashDataSize,hdr->romfsHash,CTR_SHA_256);
 
 	// Signing NCCH
 	int sig_result = Good;
@@ -1048,6 +1048,6 @@ void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, u64 titleId, u8 key[16],
 {
 	u8 ctr[0x10];
 	GetNcchAesCounter(ctr,titleId,type);	
-	AesCtr(key,ctr,buffer,buffer,size,src_pos);
+	AesCtrCrypt(key,ctr,buffer,buffer,size,src_pos);
 	return;
 }
\ No newline at end of file
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index cc8cfaf5..39d70364 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -10,7 +10,6 @@
 #include "cardinfo.h"
 #include "titleid.h"
 
-
 const int NCCH0_OFFSET = 0x4000;
 const int CCI_BLOCK_SIZE = 0x200;
 
@@ -288,15 +287,15 @@ int ProcessCiaForCci(cci_settings *set)
 
 int ImportCciNcch(cci_settings *set)
 {
+	if(set->rsf->SystemControlInfo.SaveDataSize)
+		GetSaveDataSizeFromString(&set->romInfo.saveSize,set->rsf->SystemControlInfo.SaveDataSize,"CCI");
+
 	if(set->content.dataType == infile_ncch)
 		return ImportNcchForCci(set);
 	else if(set->content.dataType == infile_cia)
 		return ProcessCiaForCci(set);
 	else
-		fprintf(stderr,"[CCI ERROR] Unrecognised input data type\n");
-	
-	if(set->rsf->SystemControlInfo.SaveDataSize)
-		GetSaveDataSizeFromString(&set->romInfo.saveSize,set->rsf->SystemControlInfo.SaveDataSize,"CCI");
+		fprintf(stderr,"[CCI ERROR] Unrecognised input data type\n");	
 	
 	return FAILED_TO_IMPORT_FILE;
 }
@@ -594,7 +593,7 @@ int GenCciHdr(cci_settings *set)
 	SetCciNcchInfo(hdr,set);
 	
 	// Sign Header
-	ctr_sig(&hdr->magic,sizeof(cci_hdr)-RSA_2048_KEY_SIZE,hdr->signature,set->keys->rsa.cciCfaPub,set->keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	RsaSignVerify(&hdr->magic,sizeof(cci_hdr)-RSA_2048_KEY_SIZE,hdr->signature,set->keys->rsa.cciCfaPub,set->keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 	
 	return 0;
 }
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 49718950..6a9498f0 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -467,7 +467,7 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 		for(u32 j = 0; j < numHashes; j++){
 			u8 *datapos = (u8*)(ctx->level[i+1].pos + ROMFS_BLOCK_SIZE * j);
 			u8 *hashpos = (u8*)(ctx->level[i].pos + 0x20 * j);
-			ctr_sha(datapos, ROMFS_BLOCK_SIZE, hashpos, CTR_SHA_256);
+			ShaCalc(datapos, ROMFS_BLOCK_SIZE, hashpos, CTR_SHA_256);
 		}
 	}
 	
diff --git a/makerom/tik.c b/makerom/tik.c
index 16cb963e..9267baa9 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -15,9 +15,8 @@ int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode
 
 int BuildTicket(cia_settings *set)
 {
-	int result = 0;
-	result = SetupTicketBuffer(set);
-	if(result) return result;
+	if(SetupTicketBuffer(set)) 
+		return MEM_ERROR;
 	
 	// Setting Ticket Struct Ptrs
 	buffer_struct *tik = &set->ciaSections.tik;
@@ -31,8 +30,7 @@ int BuildTicket(cia_settings *set)
 	SetContentIndexHeader(idxHdr,set);
 	SetContentIndexData(idxData,set);
 	
-	result = SignTicketHeader(tik,set->keys);
-	return 0;
+	return SignTicketHeader(tik,set->keys);
 }
 
 int SetupTicketBuffer(cia_settings *set)
@@ -83,7 +81,7 @@ int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
 	clrmem(sig,sizeof(tik_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
 	
-	return ctr_sig(data,len,sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	return RsaSignVerify(data,len,sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
 int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode)
@@ -94,7 +92,7 @@ int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode
 	memcpy(iv,titleId,0x8);
 		
 	//Crypting TitleKey
-	AesCbc(keys->aes.commonKey[keys->aes.currentCommonKey],iv,input,output,0x10,mode);
+	AesCbcCrypt(keys->aes.commonKey[keys->aes.currentCommonKey],iv,input,output,0x10,mode);
 	
 	// Return
 	return 0;
diff --git a/makerom/tmd.c b/makerom/tmd.c
index f3b7f114..9407ef60 100644
--- a/makerom/tmd.c
+++ b/makerom/tmd.c
@@ -62,7 +62,7 @@ int SetupTMDHeader(tmd_hdr *hdr, tmd_content_info_record *info_record, cia_setti
 	u32_to_u8(hdr->accessRights,ciaset->tmd.accessRights,BE);
 	u16_to_u8(hdr->titleVersion,ciaset->tmd.version,BE);
 	u16_to_u8(hdr->contentCount,ciaset->content.count,BE);
-	ctr_sha(info_record,sizeof(tmd_content_info_record)*64,hdr->infoRecordHash,CTR_SHA_256);
+	ShaCalc(info_record,sizeof(tmd_content_info_record)*64,hdr->infoRecordHash,CTR_SHA_256);
 	return 0;
 }
 
@@ -70,7 +70,8 @@ int SignTMDHeader(tmd_hdr *hdr, tmd_signature *sig, keys_struct *keys)
 {
 	clrmem(sig,sizeof(tmd_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
-	return ctr_sig((u8*)hdr,sizeof(tmd_hdr),sig->data,keys->rsa.cpPub,keys->rsa.cpPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	
+	return RsaSignVerify((u8*)hdr,sizeof(tmd_hdr),sig->data,keys->rsa.cpPub,keys->rsa.cpPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
 }
 
 int SetupTMDInfoRecord(tmd_content_info_record *info_record, u8 *content_record, u16 ContentCount)
@@ -78,7 +79,7 @@ int SetupTMDInfoRecord(tmd_content_info_record *info_record, u8 *content_record,
 	clrmem(info_record,sizeof(tmd_content_info_record)*0x40);
 	u16_to_u8(info_record->contentIndexOffset,0x0,BE);
 	u16_to_u8(info_record->contentCommandCount,ContentCount,BE);
-	ctr_sha(content_record,sizeof(tmd_content_chunk)*ContentCount,info_record->contentChunkHash,CTR_SHA_256);
+	ShaCalc(content_record,sizeof(tmd_content_chunk)*ContentCount,info_record->contentChunkHash,CTR_SHA_256);
 	return 0;
 }
 

From 1e8e4666b591905a8e367daa7401f29843117d71 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Wed, 17 Sep 2014 11:23:07 +1000
Subject: [PATCH 059/317] makerom: fixed cxi rebuild bug

---
 makerom/exheader.c | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index 730a03aa..ac902768 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -126,23 +126,20 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	exhdrset->exHdr = (extended_hdr*)ncchset->sections.exhdr.buffer;
 	exhdrset->acexDesc = (access_descriptor*)ncchset->sections.acexDesc.buffer;
 
-	/* Set Code Info if Code Section was built not imported */
-	if(ncchset->options.IsBuildingCodeSection){
-		/* BSS Size */
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.bssSize,ncchset->codeDetails.bssSize,LE);
-		/* Data */
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.data.address,ncchset->codeDetails.rwAddress,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.data.codeSize,ncchset->codeDetails.rwSize,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.data.numMaxPages,ncchset->codeDetails.rwMaxPages,LE);
-		/* RO */
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.address,ncchset->codeDetails.roAddress,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.codeSize,ncchset->codeDetails.roSize,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.numMaxPages,ncchset->codeDetails.roMaxPages,LE);
-		/* Text */
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.text.address,ncchset->codeDetails.textAddress,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.text.codeSize,ncchset->codeDetails.textSize,LE);
-		u32_to_u8(exhdrset->exHdr->codeSetInfo.text.numMaxPages,ncchset->codeDetails.textMaxPages,LE);
-	}
+	/* BSS Size */
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.bssSize,ncchset->codeDetails.bssSize,LE);
+	/* Data */
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.data.address,ncchset->codeDetails.rwAddress,LE);
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.data.codeSize,ncchset->codeDetails.rwSize,LE);
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.data.numMaxPages,ncchset->codeDetails.rwMaxPages,LE);
+	/* RO */
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.address,ncchset->codeDetails.roAddress,LE);
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.codeSize,ncchset->codeDetails.roSize,LE);
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.rodata.numMaxPages,ncchset->codeDetails.roMaxPages,LE);
+	/* Text */
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.text.address,ncchset->codeDetails.textAddress,LE);
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.text.codeSize,ncchset->codeDetails.textSize,LE);
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.text.numMaxPages,ncchset->codeDetails.textMaxPages,LE);
 
 	/* Set Simple Flags */
 	if(ncchset->options.CompressCode)

From 744abbe8525ef377ef6bebc2958b736b802a4bb4 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Wed, 17 Sep 2014 11:30:19 +1000
Subject: [PATCH 060/317] makerom: new cmd line arg

introduced "-i", works the same way as "-content", but is shorter and is
what ctr_makecia uses
---
 makerom/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 97505ab0..ff987a13 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -577,7 +577,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 	
 	// Other Setting
-	else if(strcmp(argv[i],"-content") == 0){
+	else if(strcmp(argv[i],"-content") == 0 || strcmp(argv[i],"-i") == 0){
 		if(ParamNum != 1){
 			PrintArgReqParam(argv[i],1);
 			return USR_ARG_REQ_PARAM;

From 274b523e9c6a81b68eefaa0de5749cb20677e6b6 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Thu, 18 Sep 2014 11:03:57 +1000
Subject: [PATCH 061/317] makerom: misc and small changes

Altered behaviour to make CIA file generated to more closely match CIAs
made by Nintendo's private CIA generator. As seen in gamecard updates.
---
 makerom/cia.c       | 110 +++++++++++++++++++++++++++-----------------
 makerom/cia_build.h |   2 +-
 makerom/ncch.c      |   2 +
 3 files changed, 71 insertions(+), 43 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 64925c1e..251e027e 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -175,7 +175,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	}
 
 	// Ticket Data
-	ciaset->tik.ticketId = u64GetRand();
+	ciaset->tik.ticketId = u64GetRand() & 0x0004FFFFFFFFFFFF;
 	ciaset->tik.deviceId = usrset->cia.deviceId;
 	ciaset->tik.eshopAccId = usrset->cia.eshopAccId;
 	ciaset->tik.licenceType = lic_Permanent;
@@ -235,9 +235,9 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 	GetNcchInfo(info,hdr);
 
 	/* Verify Ncch0 (Sig&Hash Checks) */
-	int result = VerifyNcch(ncch0,ciaset->keys,false,true);
+	int result = VerifyNcch(ncch0, ciaset->keys, false, ciaset->verbose == false);
 	if(result == UNABLE_TO_LOAD_NCCH_KEY){
-		ciaset->content.keyNotFound = true;
+		ciaset->content.keyFound = false;
 		if(!ciaset->content.IsCfa){
 			fprintf(stderr,"[CIA WARNING] CXI AES Key could not be loaded\n");
 			fprintf(stderr,"      Meta Region, SaveDataSize, Remaster Version cannot be obtained\n");
@@ -254,7 +254,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 
 	/* Getting ncch key */
 	u8 *ncchkey = NULL;
-	if(!ciaset->content.keyNotFound && IsNcchEncrypted(hdr)){
+	if(ciaset->content.keyFound && IsNcchEncrypted(hdr)){
 		SetNcchKeys(ciaset->keys,hdr);
 		ncchkey = ciaset->keys->aes.ncchKey0;
 		if(ciaset->verbose){
@@ -278,90 +278,116 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 
 int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key)
 {
-	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
-	memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
-	if(key != NULL)
-		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx->titleId,key,ncch_exhdr);
+	int result = 0;
+	extended_hdr *exhdr = NULL;
+
+	if(!ciaset->content.IsCfa && ciaset->content.keyFound){
+		exhdr = malloc(sizeof(extended_hdr));
+		memcpy(exhdr,ncch+ncch_ctx->exhdrOffset,sizeof(extended_hdr));
+		if(key != NULL)
+			CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,ncch_ctx->titleId,key,ncch_exhdr);
+	}
 		
-	if(IsPatch(GetTidCategory(ciaset->common.titleId))||ciaset->content.IsCfa) 
+	// If this title is a Patch or a CFA SaveData size cannot be set in TMD
+	if( IsPatch(GetTidCategory(ciaset->common.titleId)) || ciaset->content.IsCfa ) 
 		ciaset->tmd.savedataSize = 0;
-	else if(!ciaset->content.keyNotFound) 
+	// Otherwise read Savedata size from exheader, but only first word of savesize is read
+	else if(ciaset->content.keyFound) 
 		ciaset->tmd.savedataSize = (u32)(GetSaveDataSize_frm_exhdr(exhdr) & MAX_U32);
-	else if(ciaset->rsf->SystemControlInfo.SaveDataSize){ // if it's a title which can have save data, but save data size could not be read from exhdr
+	// if it's a title which can have save data, but save data size could not be read from exhdr
+	else if(ciaset->rsf->SystemControlInfo.SaveDataSize){
 		u64 size = 0;
 		GetSaveDataSizeFromString(&size,ciaset->rsf->SystemControlInfo.SaveDataSize,"CIA");
 		ciaset->tmd.savedataSize = (u32)(size & MAX_U32);
 	}
+	// the user has neglected to provide any means of determining the savedata size
 	else
 		ciaset->tmd.savedataSize = 0;
 		
-	if(ciaset->content.IsCfa||ciaset->content.keyNotFound){
+	// Process title version
+	// If this is a CFA, the -major must be set, since CFAs don't have an exheader
+	if(ciaset->content.IsCfa){
 		if(ciaset->common.titleVersion[VER_MAJOR] == MAX_U16){ // '-major' wasn't set
-			if(ciaset->content.IsCfa){ // Is a CFA and can be decrypted
-				fprintf(stderr,"[CIA ERROR] Invalid major version. Use \"-major\" option.\n");
-				return CIA_BAD_VERSION;
-			}
-			else // CXI which cannot be decrypted
-				ciaset->common.titleVersion[VER_MAJOR] = 0;
+			fprintf(stderr,"[CIA ERROR] Invalid major version. Use \"-major\" option.\n");
+			result = CIA_BAD_VERSION;
+			goto cleanup;
 		}
 	}
-	else{ // Is a CXI and can be decrypted
+	// Otherwise this is a CXI, if it can be decrypted, -major cannot be set and must be read from exheader
+	else if(ciaset->content.keyFound){
 		if(ciaset->common.titleVersion[VER_MAJOR] != MAX_U16){ // '-major' was set
 			fprintf(stderr,"[CIA ERROR] Option \"-major\" cannot be applied for cxi.\n");
-			return CIA_BAD_VERSION;
+			result = CIA_BAD_VERSION;
+			goto cleanup;
 		}
 		// Setting remaster ver
 		ciaset->common.titleVersion[VER_MAJOR] = GetRemasterVersion_frm_exhdr(exhdr);
 	}
 
+	// CXI which cannot be decrypted
+	else{
+		if(ciaset->common.titleVersion[VER_MAJOR] == MAX_U16) // '-major' wasn't set
+			ciaset->common.titleVersion[VER_MAJOR] = 0;
+	}
+	
+	// Calculate u16 title version
 	ciaset->tmd.version = ciaset->tik.version = SetupVersion(ciaset->common.titleVersion[VER_MAJOR],ciaset->common.titleVersion[VER_MINOR],ciaset->common.titleVersion[VER_MICRO]);
 
+cleanup:
 	free(exhdr);
-	return 0;
+	return result;
 }
 
 int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *info, u8 *key)
 {
-	if(ciaset->content.IsCfa || ciaset->content.keyNotFound) 
+	extended_hdr *exhdr;
+	exefs_hdr *exefsHdr;
+	cia_metadata *hdr;
+	u32 icon_size, icon_offset;
+	
+	// Do not proceed if this is a CFA or can't be decrypted
+	if(ciaset->content.IsCfa || !ciaset->content.keyFound) 
 		return 0;
 
-	extended_hdr *exhdr = malloc(sizeof(extended_hdr));
+	// Obtain (&decrypt) exheader
+	exhdr = malloc(sizeof(extended_hdr));
 	memcpy(exhdr,ncch+info->exhdrOffset,sizeof(extended_hdr));
 	if(key != NULL)
 		CryptNcchRegion((u8*)exhdr,sizeof(extended_hdr),0,info->titleId,key,ncch_exhdr);
 
-	exefs_hdr *exefsHdr = malloc(sizeof(exefs_hdr));
+	// Obtain (&decrypt) exefs header
+	exefsHdr = malloc(sizeof(exefs_hdr));
 	memcpy(exefsHdr,ncch+info->exefsOffset,sizeof(exefs_hdr));
 	if(key != NULL)
 		CryptNcchRegion((u8*)exefsHdr,sizeof(exefs_hdr),0,info->titleId,key,ncch_exefs);
 
-	u32 icon_size = 0;
-	u32 icon_offset = 0;
-	for(int i = 0; i < MAX_EXEFS_SECTIONS; i++){
-		if(strncmp(exefsHdr->fileHdr[i].name,"icon",8) == 0){
-			icon_size = u8_to_u32(exefsHdr->fileHdr[i].size,LE);
-			icon_offset = u8_to_u32(exefsHdr->fileHdr[i].offset,LE) + sizeof(exefs_hdr);
-		}
-	}
+	// Only continue if icon exists
+	if(!DoesExeFsSectionExist("icon",(u8*)exefsHdr))
+		goto cleanup;
+		
+	icon_size = GetExeFsSectionSize("icon",(u8*)exefsHdr);
+	icon_offset = GetExeFsSectionOffset("icon",(u8*)exefsHdr);
 	
+	// Allocating memory for Meta region
 	ciaset->ciaSections.meta.size = sizeof(cia_metadata) + icon_size;
-	ciaset->ciaSections.meta.buffer = malloc(ciaset->ciaSections.meta.size);
+	ciaset->ciaSections.meta.buffer = calloc(1,ciaset->ciaSections.meta.size);
 	if(!ciaset->ciaSections.meta.buffer){
 		fprintf(stderr,"[CIA ERROR] Not enough memory\n");
 		return MEM_ERROR; 
 	}
-	cia_metadata *hdr = (cia_metadata*)ciaset->ciaSections.meta.buffer;
-	memset(hdr,0,sizeof(cia_metadata));
+
+	// Writing Dependency List & Core Version to Meta region
+	hdr = (cia_metadata*)ciaset->ciaSections.meta.buffer;
 	GetDependencyList_frm_exhdr(hdr->dependencyList,exhdr);
 	GetCoreVersion_frm_exhdr(hdr->coreVersion,exhdr);
-	if(icon_size > 0){
-		u8 *IconDestPos = (ciaset->ciaSections.meta.buffer + sizeof(cia_metadata));
-		memcpy(IconDestPos,ncch+info->exefsOffset+icon_offset,icon_size);
-		if(key != NULL)
-			CryptNcchRegion(IconDestPos,icon_size,icon_offset,info->titleId,key,ncch_exefs);
-		//memdump(stdout,"Icon: ",IconDestPos,0x10);
-	}
+	
+	// Writing Icon data to Meta region
+	u8 *iconPos = (ciaset->ciaSections.meta.buffer + sizeof(cia_metadata));
+	memcpy(iconPos,ncch+info->exefsOffset+icon_offset,icon_size);
+	if(key != NULL)
+		CryptNcchRegion(iconPos,icon_size,icon_offset,info->titleId,key,ncch_exefs);
 
+cleanup:
 	free(exefsHdr);
 	free(exhdr);
 	return 0;
diff --git a/makerom/cia_build.h b/makerom/cia_build.h
index ad0de783..0c24277e 100644
--- a/makerom/cia_build.h
+++ b/makerom/cia_build.h
@@ -66,7 +66,7 @@ typedef struct
 		bool encryptCia;
 		bool includeUpdateNcch; // for cci -> cia conversions
 
-		bool keyNotFound;
+		bool keyFound;
 
 		FILE **filePtrs;
 		u64 fileSize[CIA_MAX_CONTENT];
diff --git a/makerom/ncch.c b/makerom/ncch.c
index e79e041f..2fc5c0ca 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -1011,6 +1011,8 @@ bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr)
 
 int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 {
+	clrmem(info, sizeof(ncch_info));
+
 	info->titleId = u8_to_u64(hdr->titleId,LE);
 	info->programId = u8_to_u64(hdr->programId,LE);
 

From 3c97d7dae392def40cb7d169c5475bf35435ff86 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Thu, 18 Sep 2014 11:07:44 +1000
Subject: [PATCH 062/317] makerom: misc

---
 makerom/cia.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/makerom/cia.c b/makerom/cia.c
index 251e027e..d27cfc1b 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -235,6 +235,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 	GetNcchInfo(info,hdr);
 
 	/* Verify Ncch0 (Sig&Hash Checks) */
+	ciaset->content.keyFound = true;
 	int result = VerifyNcch(ncch0, ciaset->keys, false, ciaset->verbose == false);
 	if(result == UNABLE_TO_LOAD_NCCH_KEY){
 		ciaset->content.keyFound = false;

From a513fb32cbe2458c6f0152dd2d8b681eaa14f4ae Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Fri, 19 Sep 2014 10:55:58 +1000
Subject: [PATCH 063/317] makerom: misc

tik id bug fix
---
 makerom/cia.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index d27cfc1b..8c496bc3 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -175,7 +175,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	}
 
 	// Ticket Data
-	ciaset->tik.ticketId = u64GetRand() & 0x0004FFFFFFFFFFFF;
+	ciaset->tik.ticketId = 0x0004000000000000 | (u64GetRand() & 0x0000FFFFFFFFFFFF);
 	ciaset->tik.deviceId = usrset->cia.deviceId;
 	ciaset->tik.eshopAccId = usrset->cia.eshopAccId;
 	ciaset->tik.licenceType = lic_Permanent;
@@ -253,7 +253,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 	ciaset->common.titleId = u8_to_u64(hdr->titleId,LE);
 
 
-	/* Getting ncch key */
+	/* Getting NCCH key */
 	u8 *ncchkey = NULL;
 	if(ciaset->content.keyFound && IsNcchEncrypted(hdr)){
 		SetNcchKeys(ciaset->keys,hdr);
@@ -265,11 +265,11 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 		}
 	}
 
-	/* Get TMD Data from ncch */
-	result = GetTmdDataFromNcch(ciaset,ncch0,info,ncchkey); // Data For TMD
+	/* Get TMD Data from NCCH */
+	result = GetTmdDataFromNcch(ciaset,ncch0,info,ncchkey);
 	if(result) goto finish;
-	/* Get META Region from ncch */
-	result = GetMetaRegion(ciaset,ncch0,info,ncchkey); // Meta Region
+	/* Get Meta Region from NCCH */
+	result = GetMetaRegion(ciaset,ncch0,info,ncchkey);
 	/* Finish */
 finish:
 	/* Return */
@@ -387,7 +387,7 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *info, u8 *key)
 	memcpy(iconPos,ncch+info->exefsOffset+icon_offset,icon_size);
 	if(key != NULL)
 		CryptNcchRegion(iconPos,icon_size,icon_offset,info->titleId,key,ncch_exefs);
-
+		
 cleanup:
 	free(exefsHdr);
 	free(exhdr);

From ce6c1754ab2eeba520b60c45b71e16061fcabbb1 Mon Sep 17 00:00:00 2001
From: enler <enler2011@gmail.com>
Date: Sat, 20 Sep 2014 00:06:04 +0800
Subject: [PATCH 064/317] Update romfs_gen.c

a bit fix
---
 makerom/romfs_gen.c | 87 ++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 79 insertions(+), 8 deletions(-)

diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 6a9498f0..cc5aacc0 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -18,6 +18,7 @@ int PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
+u32 CalcPathHash(u32 parent,wchar_t * path,u32 start,u32 length);
 
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
@@ -328,6 +329,52 @@ u32 GetDirUTableIndex(romfs_buildctx *ctx, fs_dir *dir)
 	return ret;
 }
 
+void AddDirHashKey(romfs_buildctx *ctx,u32 parent,wchar_t * path,u32 dirOffset)
+{
+	u32 hash = CalcPathHash(parent,path,0,wcslen(path));
+	u32 index = hash % ctx->m_dirUTableEntry;
+	if(ctx->dirUTable[index] == 0xffffffff) ctx->dirUTable[index] = dirOffset;
+	else
+	{
+		romfs_direntry * curdir = (romfs_direntry*)(ctx->dirTable + ctx->dirUTable[index]);
+		while(1)
+		{
+			if(*(u32*)curdir->weirdoffset == 0xffffffff)
+			{
+				*(u32*)curdir->weirdoffset = dirOffset;
+				break;
+			}
+			else
+			{
+				curdir = (romfs_direntry*)(ctx->dirTable + *(u32*)curdir->weirdoffset);
+			}
+		}
+	}
+}
+
+void AddFileHashKey(romfs_buildctx *ctx,u32 parent,wchar_t * path,u32 fileOffset)
+{
+	u32 hash = CalcPathHash(parent,path,0,wcslen(path));
+	u32 index = hash % ctx->m_fileUTableEntry;
+	if(ctx->fileUTable[index] == 0xffffffff) ctx->fileUTable[index] = fileOffset;
+	else
+	{
+		romfs_fileentry * curfile = (romfs_fileentry*)(ctx->fileTable + ctx->fileUTable[index]);
+		while(1)
+		{
+			if(*(u32*)curfile->weirdoffset == 0xffffffff)
+			{
+				*(u32*)curfile->weirdoffset = fileOffset;
+				break;
+			}
+			else
+			{
+				curfile = (romfs_fileentry*)(ctx->fileTable + *(u32*)curfile->weirdoffset);
+			}
+		}
+	}
+}
+
 int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 {
 	romfs_fileentry *entry = (romfs_fileentry*)(ctx->fileTable + ctx->u_fileTableLen);
@@ -335,9 +382,9 @@ int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	u32_to_u8(entry->parentdiroffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);
 	
-	u32 uTableIndex = GetFileUTableIndex(ctx,file);
-	u32_to_u8(entry->weirdoffset,ctx->fileUTable[uTableIndex],LE);
-	ctx->fileUTable[uTableIndex] = ctx->u_fileTableLen;
+	//u32 uTableIndex = GetFileUTableIndex(ctx,file);
+	u32_to_u8(entry->weirdoffset,0xffffffff,LE);
+	//ctx->fileUTable[uTableIndex] = ctx->u_fileTableLen;
 	
 	// Import Name
 	u32_to_u8(entry->namesize,file->name_len,LE);
@@ -357,7 +404,7 @@ int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	}
 	else
 		u64_to_u8(entry->dataoffset,0x40,LE);
-	
+	AddFileHashKey(ctx,parent,file->name,ctx->u_fileTableLen);
 	ctx->u_fileTableLen += sizeof(romfs_fileentry) + align(file->name_len,4);
 		
 	return 0;
@@ -371,15 +418,16 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 	u32_to_u8(entry->parentoffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);
 	
-	u32 uTableIndex = GetDirUTableIndex(ctx,fs);
-	u32_to_u8(entry->weirdoffset,ctx->dirUTable[uTableIndex],LE);
-	ctx->dirUTable[uTableIndex] = ctx->u_dirTableLen;
+	//u32 uTableIndex = GetDirUTableIndex(ctx,fs);
+	u32_to_u8(entry->weirdoffset,0xffffffff,LE);
+	//ctx->dirUTable[uTableIndex] = ctx->u_dirTableLen;
 
 	u32 Currentdir = ctx->u_dirTableLen;
 	
 	if(Currentdir == 0)
 	{
 		u32_to_u8(entry->namesize,0,LE);
+		AddDirHashKey(ctx,parent,L"",ctx->u_dirTableLen);
 		ctx->u_dirTableLen += sizeof(romfs_direntry);
 	}
 	else
@@ -388,14 +436,17 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 		u8 *name_pos = (u8*)(ctx->dirTable + ctx->u_dirTableLen + sizeof(romfs_direntry));
 		memset(name_pos,0,(u32)align(fs->name_len,4));
 		memcpy(name_pos,(u8*)fs->name,fs->name_len);
+		AddDirHashKey(ctx,parent,fs->name,ctx->u_dirTableLen);
 		ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->name_len,4);
 	}
 	
 	if(fs->u_file)
 	{
 		u32_to_u8(entry->fileoffset,ctx->u_fileTableLen,LE);
+		
 		for(u32 i = 0; i < fs->u_file; i++)
 		{
+			
 			u32 file_sibling = 0;
 			if(i >= fs->u_file-1)
 				file_sibling = ROMFS_UNUSED_ENTRY;
@@ -404,6 +455,7 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 			//wprintf(L"adding %s (0x%lx)\n",fs->file[i].name,fs->file[i].size);
 			AddFileToRomfs(ctx,&fs->file[i],Currentdir,file_sibling);
 			//wprintf(L"added %s (0x%lx)\n",fs->file[i].name,fs->file[i].size);
+
 		}
 	}
 	else
@@ -418,6 +470,7 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 		for(u32 i = 0; i < fs->u_dir; i++)
 		{
 			u32 dir_sibling = 0;
+			romfs_direntry *temp_entry = (romfs_direntry*)(ctx->dirTable + ctx->u_dirTableLen);
 			if(i >= fs->u_dir-1)
 				dir_sibling = ROMFS_UNUSED_ENTRY;
 			else
@@ -426,6 +479,11 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(dir[i].name_len,4);
 			}
 			AddDirToRomfs(ctx,&dir[i],Currentdir,dir_sibling);
+			if(dir_sibling != ROMFS_UNUSED_ENTRY)
+			{
+				dir_sibling = ctx->u_dirTableLen;//修复同目录文件夹偏移
+				u32_to_u8(temp_entry->siblingoffset,dir_sibling,LE);
+			}
 		}
 	}
 	else
@@ -472,4 +530,17 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	}
 	
 	return;
-}
\ No newline at end of file
+}
+
+u32 CalcPathHash(u32 parent,wchar_t * path,u32 start,u32 length)
+{
+	u32 hash = parent ^ 123456789;
+	u32 index = 0;
+	while(index < length)
+	{
+		hash = (u32)((hash >> 5) | (hash << 27));//ror
+		hash ^= (u16)path[start + index];
+		index++;
+	}
+	return hash;
+}

From de12f54762bfbef96027db4b17420fcaf1a405fc Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 20 Sep 2014 17:29:52 +1000
Subject: [PATCH 065/317] makerom: romfs

made fixes by enler platform independent
---
 makerom/dir.c       |  9 +++++++--
 makerom/dir.h       |  3 ++-
 makerom/romfs_gen.c | 10 +++++-----
 3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/makerom/dir.c b/makerom/dir.c
index b0fb1e74..f44a397d 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -3,8 +3,6 @@
 #include "utf.h"
 
 /* This is mainly a FS interface for ROMFS generation */
-
-
 int fs_InitDir(u16 *path, u32 pathlen, fs_dir *dir);
 int fs_ManageDirSlot(fs_dir *dir);
 int fs_ManageFileSlot(fs_dir *dir);
@@ -15,6 +13,13 @@ bool fs_EntryIsDirNav(fs_entry *entry);
 int fs_AddDir(fs_entry *entry, fs_dir *dir);
 int fs_AddFile(fs_entry *entry, fs_dir *dir);
 
+int fs_u16StrLen(fs_romfs_char *str)
+{
+	int i;
+	for( i = 0; str[i] != 0x0; i++ );
+	return i;
+}
+
 int fs_InitDir(u16 *path, u32 pathlen, fs_dir *dir)
 {
 	dir->name_len = pathlen;
diff --git a/makerom/dir.h b/makerom/dir.h
index 6ee72e17..8dcb2c57 100644
--- a/makerom/dir.h
+++ b/makerom/dir.h
@@ -33,7 +33,7 @@ typedef struct
 
 typedef struct
 {
-	u16 *name;
+	fs_romfs_char *name;
 	u32 name_len;
 	u64 size;
 	FILE *fp;
@@ -57,6 +57,7 @@ typedef struct
 int fs_u8String_to_u16String(u16 **dst, u32 *dst_len, u8 *src, u32 src_len);
 int fs_u16String_to_u16String(u16 **dst, u32 *dst_len, u16 *src, u32 src_len);
 int fs_u32String_to_u16String(u16 **dst, u32 *dst_len, u32 *src, u32 src_len);
+int fs_u16StrLen(fs_romfs_char *str);
 
 int fs_OpenDir(fs_char *fs_path, fs_romfs_char *path, u32 pathlen, fs_dir *dir);
 void fs_PrintDir(fs_dir *dir, u32 depth);
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index cc5aacc0..3d46dc70 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -329,9 +329,9 @@ u32 GetDirUTableIndex(romfs_buildctx *ctx, fs_dir *dir)
 	return ret;
 }
 
-void AddDirHashKey(romfs_buildctx *ctx,u32 parent,wchar_t * path,u32 dirOffset)
+void AddDirHashKey(romfs_buildctx *ctx, u32 parent, fs_romfs_char* path, u32 dirOffset)
 {
-	u32 hash = CalcPathHash(parent,path,0,wcslen(path));
+	u32 hash = CalcPathHash(parent,path,0,fs_u16StrLen(path));
 	u32 index = hash % ctx->m_dirUTableEntry;
 	if(ctx->dirUTable[index] == 0xffffffff) ctx->dirUTable[index] = dirOffset;
 	else
@@ -352,9 +352,9 @@ void AddDirHashKey(romfs_buildctx *ctx,u32 parent,wchar_t * path,u32 dirOffset)
 	}
 }
 
-void AddFileHashKey(romfs_buildctx *ctx,u32 parent,wchar_t * path,u32 fileOffset)
+void AddFileHashKey(romfs_buildctx *ctx,u32 parent, fs_romfs_char *path, u32 fileOffset)
 {
-	u32 hash = CalcPathHash(parent,path,0,wcslen(path));
+	u32 hash = CalcPathHash(parent,path,0,fs_u16StrLen(path));
 	u32 index = hash % ctx->m_fileUTableEntry;
 	if(ctx->fileUTable[index] == 0xffffffff) ctx->fileUTable[index] = fileOffset;
 	else
@@ -532,7 +532,7 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	return;
 }
 
-u32 CalcPathHash(u32 parent,wchar_t * path,u32 start,u32 length)
+u32 CalcPathHash(u32 parent, fs_romfs_char * path, u32 start, u32 length)
 {
 	u32 hash = parent ^ 123456789;
 	u32 index = 0;

From ded7f036bb70e6f652296c5b5ef7c05d1ca47cbc Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 20 Sep 2014 17:32:23 +1000
Subject: [PATCH 066/317] makerom: misc

---
 makerom/romfs_gen.c | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 3d46dc70..a2157ed7 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -315,20 +315,6 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	return;
 }
 
-u32 GetFileUTableIndex(romfs_buildctx *ctx, fs_file *file)
-{
-	u32 ret = ctx->u_fileUTableEntry;
-	ctx->u_fileUTableEntry++;
-	return ret;
-}
-
-u32 GetDirUTableIndex(romfs_buildctx *ctx, fs_dir *dir)
-{
-	u32 ret = ctx->u_dirUTableEntry;
-	ctx->u_dirUTableEntry++;
-	return ret;
-}
-
 void AddDirHashKey(romfs_buildctx *ctx, u32 parent, fs_romfs_char* path, u32 dirOffset)
 {
 	u32 hash = CalcPathHash(parent,path,0,fs_u16StrLen(path));
@@ -380,11 +366,8 @@ int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	romfs_fileentry *entry = (romfs_fileentry*)(ctx->fileTable + ctx->u_fileTableLen);
 	
 	u32_to_u8(entry->parentdiroffset,parent,LE);
-	u32_to_u8(entry->siblingoffset,sibling,LE);
-	
-	//u32 uTableIndex = GetFileUTableIndex(ctx,file);
+	u32_to_u8(entry->siblingoffset,sibling,LE);	
 	u32_to_u8(entry->weirdoffset,0xffffffff,LE);
-	//ctx->fileUTable[uTableIndex] = ctx->u_fileTableLen;
 	
 	// Import Name
 	u32_to_u8(entry->namesize,file->name_len,LE);

From 1723d4fc8fa5441991f8e1b26db3c318c540fd1b Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 20 Sep 2014 22:55:48 +1000
Subject: [PATCH 067/317] makerom: build 0.13

in rsf: "Rom" renamed to "RomFs" and "HostRoot" renamed to "RootPath".
Cci rsf settings "MediaSize"/"CardDevice" are automatically decided if
not specified manually. Also some bug fixes.
---
 makerom/Makefile        |   2 +-
 makerom/accessdesc.c    |  42 +++++++-
 makerom/dir.h           |   2 +-
 makerom/keyset.c        |  25 +++++
 makerom/keyset.h        |   1 +
 makerom/ncch.c          |   2 +-
 makerom/ncsd.c          | 225 ++++++++++++++++++++--------------------
 makerom/romfs_gen.c     |  20 ++--
 makerom/rsf_settings.c  |  72 ++++++-------
 makerom/rsf_settings.h  |  12 ---
 makerom/user_settings.c |   7 +-
 makerom/user_settings.h |  19 +---
 12 files changed, 229 insertions(+), 200 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index 4cf0a1c9..669476ae 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -21,7 +21,7 @@ CC = gcc
 # MAKEROM Build Settings
 MAKEROM_BUILD_FLAGS = #-DDEBUG
 VER_MAJOR = 0
-VER_MINOR = 12
+VER_MINOR = 13
 OUTPUT = makerom
 
 main: build
diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index f02d9f10..f3b10563 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -307,6 +307,11 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw1D_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)app_fw1D_prod_acexsig;
+					*cxiPubk = (u8*)app_fw1D_prod_hdrpub;
+					*cxiPvtk = (u8*)app_fw1D_prod_hdrpub;
+				}
 				break;
 			case 0x1E:
 				if(keys->keyset == pki_PRODUCTION){
@@ -314,6 +319,11 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw1E_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)app_fw1E_prod_acexsig;
+					*cxiPubk = (u8*)app_fw1E_prod_hdrpub;
+					*cxiPvtk = (u8*)app_fw1E_prod_hdrpub;
+				}
 				break;
 			case 0x20:
 				if(keys->keyset == pki_DEVELOPMENT){
@@ -321,11 +331,16 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw20_dev_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				else if(keys->keyset == pki_PRODUCTION){
+				if(keys->keyset == pki_PRODUCTION){
 					*accessDescSig = (u8*)app_fw20_prod_acexsig;
 					*cxiPubk = (u8*)app_fw20_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)app_fw20_prod_acexsig;
+					*cxiPubk = (u8*)app_fw20_prod_hdrpub;
+					*cxiPvtk = (u8*)app_fw20_prod_hdrpub;
+				}
 				break;
 			case 0x21:
 				if(keys->keyset == pki_DEVELOPMENT){
@@ -338,6 +353,11 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw21_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)app_fw21_prod_acexsig;
+					*cxiPubk = (u8*)app_fw21_prod_hdrpub;
+					*cxiPvtk = (u8*)app_fw21_prod_hdrpub;
+				}
 				break;
 			case 0x23:
 				if(keys->keyset == pki_DEVELOPMENT){
@@ -350,6 +370,11 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw23_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)app_fw23_prod_acexsig;
+					*cxiPubk = (u8*)app_fw23_prod_hdrpub;
+					*cxiPvtk = (u8*)app_fw23_prod_hdrpub;
+				}
 				break;
 			case 0x27:
 				if(keys->keyset == pki_PRODUCTION){
@@ -357,6 +382,11 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw27_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)app_fw27_prod_acexsig;
+					*cxiPubk = (u8*)app_fw27_prod_hdrpub;
+					*cxiPvtk = (u8*)app_fw27_prod_hdrpub;
+				}
 				break;
 			
 		}
@@ -369,6 +399,11 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)ecapp_fw20_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)ecapp_fw20_prod_acexsig;
+					*cxiPubk = (u8*)ecapp_fw20_prod_hdrpub;
+					*cxiPvtk = (u8*)ecapp_fw20_prod_hdrpub;
+				}
 				break;
 			case 0x23:
 				if(keys->keyset == pki_PRODUCTION){
@@ -376,6 +411,11 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)ecapp_fw23_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
+				if(keys->keyset == pki_GATEWAY3DS){
+					*accessDescSig = (u8*)ecapp_fw23_prod_acexsig;
+					*cxiPubk = (u8*)ecapp_fw23_prod_hdrpub;
+					*cxiPvtk = (u8*)ecapp_fw23_prod_hdrpub;
+				}
 				break;
 		}
 	}
diff --git a/makerom/dir.h b/makerom/dir.h
index 8dcb2c57..c6e16f6b 100644
--- a/makerom/dir.h
+++ b/makerom/dir.h
@@ -41,7 +41,7 @@ typedef struct
 
 typedef struct
 {
-	u16 *name;
+	fs_romfs_char *name;
 	u32 name_len;
 	
 	void *dir; // treated as type 'fs_dir'. This officially type 'void' to prevent self referencing problems
diff --git a/makerom/keyset.c b/makerom/keyset.c
index 66ebeff6..eaa31168 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -170,6 +170,31 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetTikCert(keys,(u8*)xsC_ppki_cert);
 		SetTmdCert(keys,(u8*)cpB_ppki_cert);
 	}
+	else if(keys->keyset == pki_GATEWAY3DS){
+		keys->keysetLoaded = true;
+		/* AES Keys */
+		// CIA
+		if(keys->aes.currentCommonKey > 0xff)
+			SetCurrentCommonKey(keys,0);
+	
+		// NCCH
+		SetNormalKey(keys,(u8*)dev_fixed_ncch_key[0]);
+		SetSystemFixedKey(keys,(u8*)dev_fixed_ncch_key[0]);
+
+		/* RSA Keys */
+		// CIA
+		SetTIK_RsaKey(keys,(u8*)xsC_ppki_rsa_priv,(u8*)xsC_ppki_rsa_pub);
+		SetTMD_RsaKey(keys,(u8*)cpB_ppki_rsa_priv,(u8*)cpB_ppki_rsa_pub);
+		// CCI/CFA
+		Set_CCI_CFA_RsaKey(keys,(u8*)prod_ncsd_cfa_priv,(u8*)prod_ncsd_cfa_pub);
+		// CXI
+		SetAccessDesc_RsaKey(keys,(u8*)prod_acex_priv,(u8*)prod_acex_pub);
+	
+		/* Certs */
+		SetCaCert(keys,(u8*)ca3_ppki_cert);
+		SetTikCert(keys,(u8*)xsC_ppki_cert);
+		SetTmdCert(keys,(u8*)cpB_ppki_cert);
+	}
 	return 0;
 }
 
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 9d6c0c60..e8c92301 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -26,6 +26,7 @@ typedef enum
 	pki_DEVELOPMENT,
 	pki_PRODUCTION,
 	pki_CUSTOM,
+	pki_GATEWAY3DS
 } pki_keyset;
 
 typedef enum
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 2fc5c0ca..8f15f91d 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -175,7 +175,7 @@ int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 	ncchset->options.FreeProductCode = ncchset->rsfSet->Option.FreeProductCode;
 	ncchset->options.IsCfa = (usrset->ncch.ncchType == CFA);
 	ncchset->options.IsBuildingCodeSection = (usrset->ncch.elfPath != NULL);
-	ncchset->options.UseRomFS = ((ncchset->rsfSet->Rom.HostRoot && strlen(ncchset->rsfSet->Rom.HostRoot) > 0) || usrset->ncch.romfsPath);
+	ncchset->options.UseRomFS = ((ncchset->rsfSet->RomFs.RootPath && strlen(ncchset->rsfSet->RomFs.RootPath) > 0) || usrset->ncch.romfsPath);
 	ncchset->options.useSecCrypto = usrset->ncch.useSecCrypto;
 	ncchset->options.keyXID = usrset->ncch.keyXID;
 	
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 39d70364..204587b4 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -13,6 +13,8 @@
 const int NCCH0_OFFSET = 0x4000;
 const int CCI_BLOCK_SIZE = 0x200;
 
+const char MEDIA_SIZE_STR[10][6] = {"128MB","256MB","512MB","1GB","2GB","4GB","8GB","16GB","32GB"};
+
 void ImportCciSettings(cci_settings *set, user_settings *usrset);
 void FreeCciSettings(cci_settings *set);
 int ImportCciNcch(cci_settings *set);
@@ -46,13 +48,13 @@ int build_CCI(user_settings *usrset)
 		goto finish;
 	}
 	
-	if(CheckRomConfig(set)){
-		result = CCI_CONFIG_FAIL;
+	if(GenCardInfoHdr(set)){
+		result = GEN_HDR_FAIL;
 		goto finish;
 	}
 	
-	if(GenCardInfoHdr(set)){
-		result = GEN_HDR_FAIL;
+	if(CheckRomConfig(set)){
+		result = CCI_CONFIG_FAIL;
 		goto finish;
 	}
 	
@@ -165,63 +167,6 @@ bool CanCiaBeCci(u64 titleId, u16 count, tmd_content_chunk *content)
 	return true;
 }
 
-void GenRsfInputFromTmd(tmd_hdr *tmd, tmd_content_chunk *info, cci_settings *set)
-{
-	if(!set->rsf->CardInfo.MediaSize){
-		set->rsf->CardInfo.MediaSize = calloc(20,sizeof(char));
-		u64 contentSize = NCCH0_OFFSET;
-		u16 contentNum = GetTmdContentCount(tmd);
-		for(int i = 0; i < contentNum; i++)
-			contentSize += GetTmdContentSize(info[i]);
-		
-		if(contentSize < (u64)128*MB)
-			strcpy(set->rsf->CardInfo.MediaSize,"128MB");
-		else if(contentSize < (u64)256*MB)
-			strcpy(set->rsf->CardInfo.MediaSize,"256MB");
-		else if(contentSize < (u64)512*MB)
-			strcpy(set->rsf->CardInfo.MediaSize,"512MB");
-		else if(contentSize < (u64)1*GB)
-			strcpy(set->rsf->CardInfo.MediaSize,"1GB");
-		else if(contentSize < (u64)2*GB)
-			strcpy(set->rsf->CardInfo.MediaSize,"2GB");
-		else if(contentSize < (u64)4*GB)
-			strcpy(set->rsf->CardInfo.MediaSize,"4GB");
-		else if(contentSize < (u64)8*GB)
-			strcpy(set->rsf->CardInfo.MediaSize,"8GB");
-		else{
-			free(set->rsf->CardInfo.MediaSize);
-			set->rsf->CardInfo.MediaSize = NULL;
-		}
-		
-		if(set->options.verbose && set->rsf->CardInfo.MediaSize)
-			printf("[CCI] Auto generating RSF setting \"CardInfo/MediaSize: %s\" \n",set->rsf->CardInfo.MediaSize);
-	}
-	
-	if(!set->rsf->CardInfo.MediaType){
-		set->rsf->CardInfo.MediaType = calloc(20,sizeof(char));
-		if(set->romInfo.saveSize < (u64)1*MB)
-			strcpy(set->rsf->CardInfo.MediaType,"Card1");
-		else
-			strcpy(set->rsf->CardInfo.MediaType,"Card2");
-			
-		if(set->options.verbose)
-			printf("[CCI] Auto generating RSF setting \"CardInfo/MediaType: %s\" \n",set->rsf->CardInfo.MediaType);
-	}
-	
-	if(!set->rsf->CardInfo.CardDevice){
-		set->rsf->CardInfo.CardDevice = calloc(20,sizeof(char));
-		if(set->romInfo.saveSize < (u64)1*MB && set->romInfo.saveSize > 0)
-			strcpy(set->rsf->CardInfo.CardDevice,"NorFlash");
-		else
-			strcpy(set->rsf->CardInfo.CardDevice,"None");
-			
-		if(set->options.verbose)
-			printf("[CCI] Auto generating RSF setting \"CardInfo/CardDevice: %s\" \n",set->rsf->CardInfo.CardDevice);
-	}
-	
-	return;
-}
-
 int ProcessCiaForCci(cci_settings *set)
 {
 	if(!IsCia(set->content.data)){
@@ -247,9 +192,7 @@ int ProcessCiaForCci(cci_settings *set)
 		fprintf(stderr,"[CCI ERROR] This CIA cannot be converted to CCI\n");
 		return INCOMPAT_CIA;
 	}
-	
-	GenRsfInputFromTmd(tmd,contentInfo,set);
-	
+		
 	bool canDecrypt;
 	u8 titleKey[AES_128_KEY_SIZE];
 	canDecrypt = GetTikTitleKey(titleKey,tik,set->keys);
@@ -285,19 +228,37 @@ int ProcessCiaForCci(cci_settings *set)
 	return 0;
 }
 
-int ImportCciNcch(cci_settings *set)
+void GetTitleSaveSize(cci_settings *set)
 {
 	if(set->rsf->SystemControlInfo.SaveDataSize)
 		GetSaveDataSizeFromString(&set->romInfo.saveSize,set->rsf->SystemControlInfo.SaveDataSize,"CCI");
+		
+	// Adjusting save size
+		
+	if(set->romInfo.saveSize <= (u64)128*KB)
+		set->romInfo.saveSize = (u64)128*KB;
+	else if(set->romInfo.saveSize <= (u64)512*KB)
+		set->romInfo.saveSize = (u64)512*KB;
+	else
+		set->romInfo.saveSize = align(set->romInfo.saveSize,MB);
+}
+
+int ImportCciNcch(cci_settings *set)
+{
+	int ret = 0;
 
 	if(set->content.dataType == infile_ncch)
-		return ImportNcchForCci(set);
+		ret = ImportNcchForCci(set);
 	else if(set->content.dataType == infile_cia)
-		return ProcessCiaForCci(set);
-	else
+		ret = ProcessCiaForCci(set);
+	else{
 		fprintf(stderr,"[CCI ERROR] Unrecognised input data type\n");	
+		return FAILED_TO_IMPORT_FILE;
+	}
 	
-	return FAILED_TO_IMPORT_FILE;
+	GetTitleSaveSize(set);
+	
+	return ret;
 }
 
 int ProcessCverDataForCci(cci_settings *set)
@@ -399,12 +360,34 @@ int ProcessNcchForCci(cci_settings *set)
 	return 0;
 }
 
+void SetCciNcchInfo(cci_hdr *hdr, cci_settings *set)
+{
+	u64 ncchSize,ncchOffset;
+	
+	ncchOffset = NCCH0_OFFSET;
+	
+	for(int i = 0; i < CCI_MAX_CONTENT; i++){
+		if(set->content.active[i]){
+			set->content.cOffset[i] = ncchOffset;
+			ncchSize = align(set->content.dSize[i],set->romInfo.blockSize);
+			
+			u32_to_u8(hdr->offset_sizeTable[i].offset,(ncchOffset/set->romInfo.blockSize),LE);
+			u32_to_u8(hdr->offset_sizeTable[i].size,(ncchSize/set->romInfo.blockSize),LE);
+			u64_to_u8(hdr->ncchIdTable[i],set->content.titleId[i],LE);
+			
+			ncchOffset += ncchSize;
+		}
+	}
+	
+	set->romInfo.usedSize = ncchOffset;
+	
+	return;
+}
+
 int SetMediaSize(u8 *mediaSize, cci_settings *set)
 {	
 	char *str = set->rsf->CardInfo.MediaSize;
-	if(!str) 
-		set->romInfo.mediaSize = (u64)GB*2;
-	else{
+	if(str){
 		if(strcasecmp(str,"128MB") == 0) set->romInfo.mediaSize = (u64)MB*128;
 		else if(strcasecmp(str,"256MB") == 0) set->romInfo.mediaSize = (u64)MB*256;
 		else if(strcasecmp(str,"512MB") == 0) set->romInfo.mediaSize = (u64)MB*512;
@@ -419,6 +402,31 @@ int SetMediaSize(u8 *mediaSize, cci_settings *set)
 			return INVALID_RSF_OPT;
 		}
 	}
+	else{
+		u64 dataSize = set->romInfo.usedSize + (set->romInfo.saveSize >= MB ? set->romInfo.saveSize : 0);
+		if(dataSize < (u64)MB*128)
+			set->romInfo.mediaSize = (u64)MB*128;
+		else if(dataSize < (u64)MB*256)
+			set->romInfo.mediaSize = (u64)MB*256;
+		else if(dataSize < (u64)MB*512)
+			set->romInfo.mediaSize = (u64)MB*512;
+		else if(dataSize < (u64)GB*1)
+			set->romInfo.mediaSize = (u64)GB*1;
+		else if(dataSize < (u64)GB*2)
+			set->romInfo.mediaSize = (u64)GB*2;
+		else if(dataSize < (u64)GB*4)
+			set->romInfo.mediaSize = (u64)GB*4;
+		else if(dataSize < (u64)GB*8)
+			set->romInfo.mediaSize = (u64)GB*8;
+		//else if(dataSize < (u64)GB*16)
+		//	set->romInfo.mediaSize = (u64)GB*16;
+		//else if(dataSize < (u64)GB*32)
+		//	set->romInfo.mediaSize = (u64)GB*32;
+		else {
+			fprintf(stderr,"[CCI ERROR] NCCH Partitions are too large\n");
+			return INVALID_RSF_OPT;
+		}
+	}
 		
 	u32_to_u8(mediaSize,(set->romInfo.mediaSize/set->romInfo.blockSize),LE);
 
@@ -446,9 +454,7 @@ int SetMediaType(u8 *flag, cci_settings *set)
 {
 	char *str = set->rsf->CardInfo.MediaType;
 
-	if(!str) 
-		*flag = mediatype_CARD1;
-	else{
+	if(str){
 		if(strcasecmp(str,"Card1") == 0) 
 			*flag = mediatype_CARD1;
 		else if(strcasecmp(str,"Card2") == 0)
@@ -458,6 +464,12 @@ int SetMediaType(u8 *flag, cci_settings *set)
 			return INVALID_RSF_OPT;
 		}
 	}
+	else{
+		if(set->romInfo.saveSize >= (u64)1*MB)
+			*flag = mediatype_CARD2;
+		else
+			*flag = mediatype_CARD1;
+	}
 	
 	return 0;
 }
@@ -488,9 +500,7 @@ int SetCardDevice(u8 *flags, u64 saveSize, rsf_settings *rsf)
 
 	/* CardDevice */
 	u8 cardDevice = 0;
-	if(!rsf->CardInfo.CardDevice) 
-		cardDevice = carddevice_NONE;
-	else{
+	if(rsf->CardInfo.CardDevice){
 		if(strcmp(rsf->CardInfo.CardDevice,"NorFlash") == 0)
 			cardDevice = carddevice_NOR_FLASH;
 		else if(strcmp(rsf->CardInfo.CardDevice,"None") == 0) 
@@ -502,6 +512,12 @@ int SetCardDevice(u8 *flags, u64 saveSize, rsf_settings *rsf)
 			return INVALID_RSF_OPT;
 		}
 	}
+	else{
+		if(saveSize == 0 || saveSize >= (u64)1*MB)
+			cardDevice = carddevice_NONE;
+		else
+			cardDevice = carddevice_NOR_FLASH;
+	}
 	
 	if(flags[cciflag_MEDIA_TYPE] == mediatype_CARD1){
 		if(saveSize != (u64)(128*KB) && saveSize != (u64)(512*KB) && cardDevice == carddevice_NOR_FLASH){
@@ -544,31 +560,6 @@ int SetCciFlags(u8 *flags, cci_settings *set)
 	return 0;
 }
 
-void SetCciNcchInfo(cci_hdr *hdr, cci_settings *set)
-{
-	u64 ncchSize,ncchOffset;
-	
-	ncchOffset = NCCH0_OFFSET;
-	
-	for(int i = 0; i < CCI_MAX_CONTENT; i++){
-		if(set->content.active[i]){
-			set->content.cOffset[i] = ncchOffset;
-			ncchSize = align(set->content.dSize[i],set->romInfo.blockSize);
-			
-			u32_to_u8(hdr->offset_sizeTable[i].offset,(ncchOffset/set->romInfo.blockSize),LE);
-			u32_to_u8(hdr->offset_sizeTable[i].size,(ncchSize/set->romInfo.blockSize),LE);
-			u64_to_u8(hdr->ncchIdTable[i],set->content.titleId[i],LE);
-			
-			ncchOffset += ncchSize;
-		}
-	}
-	
-	set->romInfo.usedSize = ncchOffset;
-	
-	return;
-}
-
-
 int GenCciHdr(cci_settings *set)
 {
 	set->headers.ccihdr.size = sizeof(cci_hdr);
@@ -586,11 +577,12 @@ int GenCciHdr(cci_settings *set)
 	u64_to_u8(hdr->titleId,set->content.titleId[0],LE);
 	
 	
+	SetCciNcchInfo(hdr,set);
 	if(SetMediaSize(hdr->mediaSize,set))
 		return GEN_HDR_FAIL;
 	if(SetCciFlags(hdr->flags,set))
 		return GEN_HDR_FAIL;
-	SetCciNcchInfo(hdr,set);
+	
 	
 	// Sign Header
 	RsaSignVerify(&hdr->magic,sizeof(cci_hdr)-RSA_2048_KEY_SIZE,hdr->signature,set->keys->rsa.cciCfaPub,set->keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
@@ -598,20 +590,31 @@ int GenCciHdr(cci_settings *set)
 	return 0;
 }
 
-int CheckRomConfig(cci_settings *set)
+char* GetMediaSizeStr(u64 mediaSize)
 {
+	//MEDIA_SIZE_STR
+	switch(mediaSize){
+		case (u64)MB*128: return (char*)MEDIA_SIZE_STR[0];
+		case (u64)MB*256: return (char*)MEDIA_SIZE_STR[1];
+		case (u64)MB*512: return (char*)MEDIA_SIZE_STR[2];
+		case (u64)GB*1: return (char*)MEDIA_SIZE_STR[3];
+		case (u64)GB*2: return (char*)MEDIA_SIZE_STR[4];
+		case (u64)GB*4: return (char*)MEDIA_SIZE_STR[5];
+		case (u64)GB*8: return (char*)MEDIA_SIZE_STR[6];
+		default: return 0;
+	}
+}
+
+int CheckRomConfig(cci_settings *set)
+{		
 	u64 cciUsedSize;
 	if(set->romInfo.mediaType == mediatype_CARD2)
 		cciUsedSize = set->romInfo.card2SaveOffset + set->romInfo.saveSize;
 	else
 		cciUsedSize = set->romInfo.usedSize;
 		
-	if(cciUsedSize > set->romInfo.mediaSize){
-		char *str = set->rsf->CardInfo.MediaSize;
-		if(!str)
-			str = "2GB";
-			
-		fprintf(stderr,"[CCI ERROR] MediaSize '%s' is insufficient for the CCI data\n",str);
+	if(cciUsedSize > set->romInfo.mediaSize){			
+		fprintf(stderr,"[CCI ERROR] MediaSize '%s' is insufficient for the CCI data\n",GetMediaSizeStr(set->romInfo.mediaSize));
 		return CCI_CONFIG_FAIL;
 	}
 	return 0;
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index a2157ed7..04f81b67 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -5,6 +5,7 @@
 
 const int ROMFS_BLOCK_SIZE = 0x1000;
 const unsigned int ROMFS_UNUSED_ENTRY = 0xffffffff;
+const fs_romfs_char ROMFS_EMPTY_PATH[2] = {0x0000, 0x0000};
 
 // Build
 bool IsFileWanted(fs_file *file, void *filter_criteria);
@@ -18,7 +19,7 @@ int PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
-u32 CalcPathHash(u32 parent,wchar_t * path,u32 start,u32 length);
+u32 CalcPathHash(u32 parent, fs_romfs_char* path, u32 start, u32 length);
 
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
@@ -30,7 +31,7 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	char *cwd = calloc(CWD_MAX_LEN,sizeof(char));
 	getcwd(cwd,CWD_MAX_LEN);
 
-	char *dir = ncchset->rsfSet->Rom.HostRoot;
+	char *dir = ncchset->rsfSet->RomFs.RootPath;
 
 	fs_char *fs_path;
 	fs_romfs_char *path;
@@ -399,18 +400,15 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + ctx->u_dirTableLen);
 	
 	u32_to_u8(entry->parentoffset,parent,LE);
-	u32_to_u8(entry->siblingoffset,sibling,LE);
-	
-	//u32 uTableIndex = GetDirUTableIndex(ctx,fs);
+	u32_to_u8(entry->siblingoffset,sibling,LE);	
 	u32_to_u8(entry->weirdoffset,0xffffffff,LE);
-	//ctx->dirUTable[uTableIndex] = ctx->u_dirTableLen;
 
 	u32 Currentdir = ctx->u_dirTableLen;
 	
 	if(Currentdir == 0)
 	{
 		u32_to_u8(entry->namesize,0,LE);
-		AddDirHashKey(ctx,parent,L"",ctx->u_dirTableLen);
+		AddDirHashKey(ctx,parent,(fs_romfs_char*)ROMFS_EMPTY_PATH,ctx->u_dirTableLen);
 		ctx->u_dirTableLen += sizeof(romfs_direntry);
 	}
 	else
@@ -464,7 +462,7 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 			AddDirToRomfs(ctx,&dir[i],Currentdir,dir_sibling);
 			if(dir_sibling != ROMFS_UNUSED_ENTRY)
 			{
-				dir_sibling = ctx->u_dirTableLen;//修复同目录文件夹偏移
+				dir_sibling = ctx->u_dirTableLen;//修复同目录文件夹偏移 (Repair the same directory folder offset)
 				u32_to_u8(temp_entry->siblingoffset,dir_sibling,LE);
 			}
 		}
@@ -515,15 +513,13 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	return;
 }
 
-u32 CalcPathHash(u32 parent, fs_romfs_char * path, u32 start, u32 length)
+u32 CalcPathHash(u32 parent, fs_romfs_char* path, u32 start, u32 length)
 {
 	u32 hash = parent ^ 123456789;
-	u32 index = 0;
-	while(index < length)
+	for( u32 index = 0; index < length; index++ )
 	{
 		hash = (u32)((hash >> 5) | (hash << 27));//ror
 		hash ^= (u16)path[start + index];
-		index++;
 	}
 	return hash;
 }
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index aa7e9388..c0cdbb22 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -1,5 +1,16 @@
 #include "lib.h"
 
+void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_SystemControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_BasicInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_RomFs(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_ExeFs(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_PlainRegion(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_TitleInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_CardInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
+void GET_CommonHeaderKey(ctr_yaml_context *ctx, rsf_settings *rsf);
+
 void EvaluateRSF(rsf_settings *rsf, ctr_yaml_context *ctx)
 {
 	u32 start_level = ctx->Level-1;
@@ -11,7 +22,7 @@ void EvaluateRSF(rsf_settings *rsf, ctr_yaml_context *ctx)
 	else if(cmpYamlValue("AccessControlInfo",ctx)) {FinishEvent(ctx); GET_AccessControlInfo(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("SystemControlInfo",ctx)) {FinishEvent(ctx); GET_SystemControlInfo(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("BasicInfo",ctx)) {FinishEvent(ctx); GET_BasicInfo(ctx,rsf); goto GET_NextGroup;}
-	else if(cmpYamlValue("Rom",ctx)) {FinishEvent(ctx); GET_Rom(ctx,rsf); goto GET_NextGroup;}
+	else if(cmpYamlValue("RomFs",ctx)) {FinishEvent(ctx); GET_RomFs(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("ExeFs",ctx)) {FinishEvent(ctx); GET_ExeFs(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("PlainRegion",ctx)) {FinishEvent(ctx); GET_PlainRegion(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("TitleInfo",ctx)) {FinishEvent(ctx); GET_TitleInfo(ctx,rsf); goto GET_NextGroup;}
@@ -202,7 +213,7 @@ void GET_BasicInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 	FinishEvent(ctx);
 }
 
-void GET_Rom(ctr_yaml_context *ctx, rsf_settings *rsf)
+void GET_RomFs(ctr_yaml_context *ctx, rsf_settings *rsf)
 {
 	/* Checking That Group is in a map */
 	if(!CheckMappingEvent(ctx)) return;
@@ -213,13 +224,12 @@ void GET_Rom(ctr_yaml_context *ctx, rsf_settings *rsf)
 		if(ctx->error || ctx->done) return;
 		// Handle childs
 		
-		if(cmpYamlValue("HostRoot",ctx)) SetSimpleYAMLValue(&rsf->Rom.HostRoot,"HostRoot",ctx,0);
-		//else if(cmpYamlValue("Padding",ctx)) SetSimpleYAMLValue(&rsf->Rom.Padding,"Padding",ctx,0);
+		if(cmpYamlValue("RootPath",ctx)) SetSimpleYAMLValue(&rsf->RomFs.RootPath,"RootPath",ctx,0);
 		
-		else if(cmpYamlValue("DefaultReject",ctx)) rsf->Rom.DefaultRejectNum = SetYAMLSequence(&rsf->Rom.DefaultReject,"DefaultReject",ctx);
-		else if(cmpYamlValue("Reject",ctx)) rsf->Rom.RejectNum = SetYAMLSequence(&rsf->Rom.Reject,"Reject",ctx);
-		else if(cmpYamlValue("Include",ctx)) rsf->Rom.IncludeNum = SetYAMLSequence(&rsf->Rom.Include,"Include",ctx);
-		else if(cmpYamlValue("File",ctx)) rsf->Rom.FileNum = SetYAMLSequence(&rsf->Rom.File,"File",ctx);
+		else if(cmpYamlValue("DefaultReject",ctx)) rsf->RomFs.DefaultRejectNum = SetYAMLSequence(&rsf->RomFs.DefaultReject,"DefaultReject",ctx);
+		else if(cmpYamlValue("Reject",ctx)) rsf->RomFs.RejectNum = SetYAMLSequence(&rsf->RomFs.Reject,"Reject",ctx);
+		else if(cmpYamlValue("Include",ctx)) rsf->RomFs.IncludeNum = SetYAMLSequence(&rsf->RomFs.Include,"Include",ctx);
+		else if(cmpYamlValue("File",ctx)) rsf->RomFs.FileNum = SetYAMLSequence(&rsf->RomFs.File,"File",ctx);
 		
 		else{
 			fprintf(stderr,"[RSF ERROR] Unrecognised key '%s'\n",GetYamlString(ctx));
@@ -279,12 +289,10 @@ void GET_TitleInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		// Handle childs
 		
 		if(cmpYamlValue("Category",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Category,"Category",ctx,0);
-		//else if(cmpYamlValue("Platform",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Platform,"Platform",ctx,0);
 		else if(cmpYamlValue("UniqueId",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.UniqueId,"UniqueId",ctx,0);
 		else if(cmpYamlValue("Version",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Version,"Version",ctx,0);
 		else if(cmpYamlValue("ContentsIndex",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.ContentsIndex,"ContentsIndex",ctx,0);
 		else if(cmpYamlValue("Variation",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Variation,"Variation",ctx,0);
-		//else if(cmpYamlValue("Use",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Use,"Use",ctx,0);
 		else if(cmpYamlValue("ChildIndex",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.ChildIndex,"ChildIndex",ctx,0);
 		else if(cmpYamlValue("DemoIndex",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.DemoIndex,"DemoIndex",ctx,0);
 		else if(cmpYamlValue("TargetCategory",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.TargetCategory,"TargetCategory",ctx,0);
@@ -377,15 +385,8 @@ void free_RsfSettings(rsf_settings *set)
 {
 	//Option
 	free(set->Option.PageSize);
-	/*
-	for(u32 i = 0; i < set->Option.AppendSystemCallNum; i++){
-		free(set->Option.AppendSystemCall[i]);
-	}
-	free(set->Option.AppendSystemCall);
-	*/
 
 	//AccessControlInfo
-	//free(set->AccessControlInfo.ProgramId);
 	free(set->AccessControlInfo.IdealProcessor);
 	free(set->AccessControlInfo.Priority);
 	free(set->AccessControlInfo.MemoryType);
@@ -401,7 +402,6 @@ void free_RsfSettings(rsf_settings *set)
 	free(set->AccessControlInfo.SystemMode);	
 	free(set->AccessControlInfo.AffinityMask);
 	free(set->AccessControlInfo.DescVersion);
-	//free(set->AccessControlInfo.CryptoKey);
 	free(set->AccessControlInfo.ResourceLimitCategory);
 	free(set->AccessControlInfo.ReleaseKernelMajor);
 	free(set->AccessControlInfo.ReleaseKernelMinor);
@@ -441,11 +441,6 @@ void free_RsfSettings(rsf_settings *set)
 		free(set->AccessControlInfo.ServiceAccessControl[i]);
 	}
 	free(set->AccessControlInfo.ServiceAccessControl);
-	
-	for(u32 i = 0; i < set->AccessControlInfo.StorageIdNum; i++){
-		free(set->AccessControlInfo.StorageId[i]);
-	}
-	free(set->AccessControlInfo.StorageId);
 
 	for(u32 i = 0; i < set->AccessControlInfo.AccessibleSaveDataIdsNum; i++){
 		free(set->AccessControlInfo.AccessibleSaveDataIds[i]);
@@ -470,32 +465,29 @@ void free_RsfSettings(rsf_settings *set)
 	free(set->BasicInfo.ProductCode);
 	free(set->BasicInfo.ContentType);
 	free(set->BasicInfo.Logo);
-	//free(set->BasicInfo.BackupMemoryType);
-	//free(set->BasicInfo.InitialCode);
 	
 	//Rom
-	free(set->Rom.HostRoot);
-	//free(set->Rom.Padding);
+	free(set->RomFs.RootPath);
 	
-	for(u32 i = 0; i < set->Rom.DefaultRejectNum; i++){
-		free(set->Rom.DefaultReject[i]);
+	for(u32 i = 0; i < set->RomFs.DefaultRejectNum; i++){
+		free(set->RomFs.DefaultReject[i]);
 	}
-	free(set->Rom.DefaultReject);
+	free(set->RomFs.DefaultReject);
 	
-	for(u32 i = 0; i < set->Rom.RejectNum; i++){
-		free(set->Rom.Reject[i]);
+	for(u32 i = 0; i < set->RomFs.RejectNum; i++){
+		free(set->RomFs.Reject[i]);
 	}
-	free(set->Rom.Reject);
+	free(set->RomFs.Reject);
 	
-	for(u32 i = 0; i < set->Rom.IncludeNum; i++){
-		free(set->Rom.Include[i]);
+	for(u32 i = 0; i < set->RomFs.IncludeNum; i++){
+		free(set->RomFs.Include[i]);
 	}
-	free(set->Rom.Include);
+	free(set->RomFs.Include);
 	
-	for(u32 i = 0; i < set->Rom.FileNum; i++){
-		free(set->Rom.File[i]);
+	for(u32 i = 0; i < set->RomFs.FileNum; i++){
+		free(set->RomFs.File[i]);
 	}
-	free(set->Rom.File);
+	free(set->RomFs.File);
 	
 	//ExeFs
 	for(u32 i = 0; i < set->ExeFs.TextNum; i++){
@@ -520,13 +512,11 @@ void free_RsfSettings(rsf_settings *set)
 	free(set->PlainRegion);
 	
 	//TitleInfo
-	//free(set->TitleInfo.Platform);
 	free(set->TitleInfo.Category);
 	free(set->TitleInfo.UniqueId);
 	free(set->TitleInfo.Version);
 	free(set->TitleInfo.ContentsIndex);
 	free(set->TitleInfo.Variation);
-	//free(set->TitleInfo.Use);
 	free(set->TitleInfo.ChildIndex);
 	free(set->TitleInfo.DemoIndex);
 	free(set->TitleInfo.TargetCategory);
diff --git a/makerom/rsf_settings.h b/makerom/rsf_settings.h
index 2b355fcd..e77f3011 100644
--- a/makerom/rsf_settings.h
+++ b/makerom/rsf_settings.h
@@ -1,16 +1,4 @@
 #pragma once
 
 void EvaluateRSF(rsf_settings *rsf, ctr_yaml_context *ctx);
-
-void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_SystemControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_BasicInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_Rom(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_ExeFs(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_PlainRegion(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_TitleInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_CardInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_CommonHeaderKey(ctr_yaml_context *ctx, rsf_settings *rsf);
-
 void free_RsfSettings(rsf_settings *set);
\ No newline at end of file
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index ff987a13..1efbc0c3 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -181,8 +181,8 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			set->common.keys.keyset = pki_DEVELOPMENT;
 		else if(strcasecmp(argv[i+1],"retail") == 0 || strcasecmp(argv[i+1],"production") == 0 || strcasecmp(argv[i+1],"p") == 0)
 			set->common.keys.keyset = pki_PRODUCTION;
-		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0) // given all known keys are here, this isn't needed
-		//	set->common.keys.keyset = pki_CUSTOM;
+		else if(strcasecmp(argv[i+1],"gw") == 0 || strcasecmp(argv[i+1],"gateway3ds") == 0 || strcasecmp(argv[i+1],"g") == 0)
+			set->common.keys.keyset = pki_GATEWAY3DS;
 		else{
 			fprintf(stderr,"[SETTING ERROR] Unrecognised target '%s'\n",argv[i+1]);
 			return USR_BAD_ARG;
@@ -866,10 +866,11 @@ void DisplayHelp(char *app_name)
 	printf(" -v                                 Verbose output\n");
 	printf(" -DNAME=VALUE                       Substitute values in RSF file\n");
 	printf("KEY OPTIONS:\n");
-	printf(" -target        <t|d|p>             Target for crypto, defaults to 't'\n");
+	printf(" -target        <t|d|p|g>           Target for crypto, defaults to 't'\n");
 	printf("                                    't' Test(false) Keys & prod Certs\n");
 	printf("                                    'd' Development Keys & Certs\n");
 	printf("                                    'p' Production Keys & Certs\n");
+	printf("                                    'g' Production Keys & Certs for GW3DS only\n");
 	printf(" -ckeyid        <index>             Override the automatic common key selection\n");
 	printf(" -ncchseckey    <index>             Ncch keyX index ('0'=1.0+, '1'=7.0+)\n");
 	printf(" -showkeys                          Display the loaded key chain\n");
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 89d9a9ef..92838a03 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -62,10 +62,8 @@ static const char output_extention[5][5] = {".cxi",".cfa",".cci",".cia",".app"};
 typedef struct
 {	
 	struct{
-		// Booleans
 		// Booleans
 		bool MediaFootPadding;
-		//bool NoPadding; // DELETE
 		bool AllowUnalignedSection;
 		bool EnableCrypt;
 		bool EnableCompress;
@@ -74,10 +72,6 @@ typedef struct
 
 		// Strings
 		char *PageSize;
-		
-		// String Collections
-		//u32 AppendSystemCallNum; // DELETE
-		//char **AppendSystemCall; // DELETE
 	} Option;
 	
 	struct{
@@ -96,7 +90,6 @@ typedef struct
 		bool SpecialMemoryArrange;
 		
 		// Strings
-		//char *ProgramId; // DELETE
 		char *IdealProcessor;
 		char *Priority;
 		char *MemoryType;
@@ -112,7 +105,6 @@ typedef struct
 		char *AffinityMask;
 		// Strings From DESC
 		char *DescVersion;
-		//char *CryptoKey; // DELETE
 		char *ResourceLimitCategory;
 		char *ReleaseKernelMajor;
 		char *ReleaseKernelMinor;
@@ -133,8 +125,6 @@ typedef struct
 		char **SystemCallAccess;
 		u32 ServiceAccessControlNum;
 		char **ServiceAccessControl;
-		u32 StorageIdNum; // DELETE
-		char **StorageId; // DELETE
 		u32 AccessibleSaveDataIdsNum;
 		char **AccessibleSaveDataIds;
 	} AccessControlInfo;
@@ -159,14 +149,11 @@ typedef struct
 		char *ProductCode;
 		char *ContentType;
 		char *Logo;
-		//char *BackupMemoryType;// Delete
-		//char *InitialCode;// Delete
 	} BasicInfo;
 	
 	struct{
 		// Strings
-		char *HostRoot;
-		//char *Padding; // DELETE
+		char *RootPath;
 		
 		// String Collections
 		u32 DefaultRejectNum;
@@ -177,7 +164,7 @@ typedef struct
 		char **Include;
 		u32 FileNum;
 		char **File;
-	} Rom;
+	} RomFs;
 	
 	struct{
 		u32 TextNum;
@@ -193,13 +180,11 @@ typedef struct
 	
 	struct{
 		// Strings
-		//char *Platform; // DELETE
 		char *Category;
 		char *UniqueId;
 		char *Version;
 		char *ContentsIndex;
 		char *Variation;
-		//char *Use; // DELETE
 		char *ChildIndex;
 		char *DemoIndex;
 		char *TargetCategory;

From 666ed4d3142034cf45fedd7a5273f701757e6450 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 20 Sep 2014 22:58:37 +1000
Subject: [PATCH 068/317] makerom: fix bug

removed remaining reference to wchar_t in romfs_gen.c
---
 makerom/romfs_gen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index a2157ed7..5f418019 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -18,7 +18,7 @@ int PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
-u32 CalcPathHash(u32 parent,wchar_t * path,u32 start,u32 length);
+u32 CalcPathHash(u32 parent, fs_romfs_char* path, u32 start, u32 length);
 
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)

From 63852a6ed143e30914872d4f4dcbecba0c45d98f Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sat, 20 Sep 2014 23:37:11 +1000
Subject: [PATCH 069/317] makerom: misc

---
 makerom/ncsd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 204587b4..968f1552 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -235,7 +235,9 @@ void GetTitleSaveSize(cci_settings *set)
 		
 	// Adjusting save size
 		
-	if(set->romInfo.saveSize <= (u64)128*KB)
+	if(set->romInfo.saveSize == 0)
+		set->romInfo.saveSize == 0;
+	else if(set->romInfo.saveSize <= (u64)128*KB)
 		set->romInfo.saveSize = (u64)128*KB;
 	else if(set->romInfo.saveSize <= (u64)512*KB)
 		set->romInfo.saveSize = (u64)512*KB;

From 13381800162c92854c424148a4c2952ae8f84e31 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 21 Sep 2014 02:03:08 +1000
Subject: [PATCH 070/317] makerom: refactoring

refactor exheader/rsf code
---
 makerom/exheader.c       | 859 +++++++++++++++++++--------------------
 makerom/exheader.h       |   4 +-
 makerom/exheader_build.h |   2 +-
 makerom/rsf_settings.c   |   9 -
 makerom/user_settings.h  |   2 -
 5 files changed, 420 insertions(+), 456 deletions(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index ac902768..d18c1ac3 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -11,23 +11,25 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 int get_ExHeaderSettingsFromRsf(exheader_settings *exhdrset);
 
 int get_ExHeaderCodeSetInfo(exhdr_CodeSetInfo *CodeSetInfo, rsf_settings *rsf);
-int get_ExHeaderDependencyList(u8 *DependencyList, rsf_settings *rsf);
-int get_ExHeaderSystemInfo(exhdr_SystemInfo *SystemInfo, rsf_settings *rsf);
-int get_ExHeaderARM11SystemLocalInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf, bool useAccessDescPreset);
+int get_ExHeaderDependencyList(u8 *depList, rsf_settings *rsf);
+int get_ExHeaderSystemInfo(exhdr_SystemInfo *systemInfo, rsf_settings *rsf);
+int get_ExHeaderARM11SystemLocalInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
+int get_ExHeaderARM11SystemLocalInfoLimited(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
 int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
-int GetAppType(int *AppType, rsf_settings *rsf);
+int GetAppType(rsf_settings *rsf);
 int SetARM11ResLimitDesc(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
 int SetARM11StorageInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
-int SetARM11StorageInfoSystemSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
-int SetARM11StorageInfoExtSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
-int SetARM11StorageInfoOtherUserSaveData(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
+void SetARM11StorageInfoSystemSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
+int SetARM11StorageInfoFsAccessInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
+void SetARM11StorageInfoExtSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
+void SetARM11StorageInfoOtherUserSaveData(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
 bool CheckCondiditionsForNewAccessibleSaveDataIds(rsf_settings *rsf);
-int SetARM11StorageInfoAccessibleSaveDataIds(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
+void SetARM11StorageInfoAccessibleSaveDataIds(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
 int SetARM11ServiceAccessControl(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf);
 int get_ExHeaderARM11KernelInfo(exhdr_ARM11KernelCapabilities *arm11, rsf_settings *rsf);
 int SetARM11KernelDescSysCallControl(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
 int GetARM11SysCalls(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
-void EnableSystemCall(ARM11KernelCapabilityDescriptor *desc, int SysCall);
+void EnableSystemCall(ARM11KernelCapabilityDescriptor *desc, int sysCall);
 void DisableSystemCall(ARM11KernelCapabilityDescriptor *desc, int SysCall);
 int SetARM11KernelDescInteruptNumList(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
 int GetARM11Interupts(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
@@ -37,17 +39,17 @@ int GetARM11IOMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 int GetARM11StaticMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
 bool IsEndAddress(u32 Address);
 bool IsStartAddress(u32 Address);
-u32 GetIOMappingDesc(u32 Address);
-u32 GetStaticMappingDesc(u32 Address, bool IsReadOnly);
-u32 GetMappingDesc(u32 Address, u32 PrefixVal, s32 numPrefixBits, bool IsRO);
+u32 GetIOMappingDesc(u32 address);
+u32 GetStaticMappingDesc(u32 address, bool IsReadOnly);
+u32 GetMappingDesc(u32 address, u32 prefixVal, s32 numPrefixBits, bool IsRO);
 int SetARM11KernelDescOtherCapabilities(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
 int SetARM11KernelDescHandleTableSize(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
 int SetARM11KernelDescReleaseKernelVersion(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf);
-void SetARM11KernelDescValue(ARM11KernelCapabilityDescriptor *desc, u16 Index, u32 Value);
-void SetARM11KernelDescBitmask(ARM11KernelCapabilityDescriptor *desc, u32 Bitmask);
-void AllocateARM11KernelDescMemory(ARM11KernelCapabilityDescriptor *desc, u16 Num);
+void SetARM11KernelDescValue(ARM11KernelCapabilityDescriptor *desc, u16 index, u32 value);
+void SetARM11KernelDescBitmask(ARM11KernelCapabilityDescriptor *desc, u32 bitmask);
+void AllocateARM11KernelDescMemory(ARM11KernelCapabilityDescriptor *desc, u16 num);
 u32 GetDescPrefixMask(int numPrefixBits);
-u32 GetDescPrefixBits(int numPrefixBits, u32 PrefixVal);
+u32 GetDescPrefixBits(int numPrefixBits, u32 prefixVal);
 int get_ExHeaderARM9AccessControlInfo(exhdr_ARM9AccessControlInfo *arm9, rsf_settings *rsf);
 
 /* ExHeader Signature Functions */
@@ -146,7 +148,7 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 		exhdrset->exHdr->codeSetInfo.flag |= infoflag_COMPRESS_EXEFS_0;
 	if(ncchset->options.UseOnSD)
 		exhdrset->exHdr->codeSetInfo.flag |= infoflag_SD_APPLICATION;
-	if(!ncchset->options.UseRomFS) // Move this later
+	if(!ncchset->options.UseRomFS)
 		exhdrset->exHdr->arm11SystemLocalCapabilities.storageInfo.otherAttributes |= attribute_NOT_USE_ROMFS;
 
 	return 0;
@@ -155,26 +157,30 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 int get_ExHeaderSettingsFromRsf(exheader_settings *exhdrset)
 {
 	int result = 0;
-	result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf);
-	if(result) goto finish;
-
 	if(!exhdrset->useAccessDescPreset){
-		result = get_ExHeaderDependencyList((u8*)&exhdrset->exHdr->dependencyList[0], exhdrset->rsf);
-		if(result) goto finish;
+		if((result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf))) 
+			goto finish;
+		if((result = get_ExHeaderDependencyList((u8*)exhdrset->exHdr->dependencyList, exhdrset->rsf))) 
+			goto finish;
+		if((result = get_ExHeaderSystemInfo(&exhdrset->exHdr->systemInfo, exhdrset->rsf))) 
+			goto finish;
+		if((result = get_ExHeaderARM11SystemLocalInfo(&exhdrset->exHdr->arm11SystemLocalCapabilities, exhdrset->rsf))) 
+			goto finish;
+		if((result = get_ExHeaderARM11KernelInfo(&exhdrset->exHdr->arm11KernelCapabilities, exhdrset->rsf)))
+			goto finish;
+		if((result = get_ExHeaderARM9AccessControlInfo(&exhdrset->exHdr->arm9AccessControlInfo, exhdrset->rsf))) 
+			goto finish;
 	}
-
-	result = get_ExHeaderSystemInfo(&exhdrset->exHdr->systemInfo, exhdrset->rsf);
-	if(result) goto finish;
-
-	result = get_ExHeaderARM11SystemLocalInfo(&exhdrset->exHdr->arm11SystemLocalCapabilities, exhdrset->rsf, exhdrset->useAccessDescPreset);
-	if(result) goto finish;
-
-	if(!exhdrset->useAccessDescPreset){
-		result = get_ExHeaderARM11KernelInfo(&exhdrset->exHdr->arm11KernelCapabilities, exhdrset->rsf);
-		if(result) goto finish;
+	else{
+		if((result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf))) 
+			goto finish;
+		if((result = get_ExHeaderSystemInfo(&exhdrset->exHdr->systemInfo, exhdrset->rsf))) 
+			goto finish;
+		if((result = get_ExHeaderARM11SystemLocalInfoLimited(&exhdrset->exHdr->arm11SystemLocalCapabilities, exhdrset->rsf))) 
+			goto finish;
+		if((result = get_ExHeaderARM9AccessControlInfo(&exhdrset->exHdr->arm9AccessControlInfo, exhdrset->rsf))) 
+			goto finish;
 	}
-	result = get_ExHeaderARM9AccessControlInfo(&exhdrset->exHdr->arm9AccessControlInfo, exhdrset->rsf);
-		if(result) goto finish;
 
 finish:
 	return result;
@@ -186,109 +192,117 @@ int get_ExHeaderCodeSetInfo(exhdr_CodeSetInfo *CodeSetInfo, rsf_settings *rsf)
 	if(rsf->BasicInfo.Title){
 		//if(strlen(rsf->BasicInfo.Title) > 8){
 		//	fprintf(stderr,"[EXHEADER ERROR] Parameter Too Long \"BasicInfo/Title\"\n");
-		//	return EXHDR_BAD_YAML_OPT;
+		//	return EXHDR_BAD_RSF_OPT;
 		//}
 		strncpy((char*)CodeSetInfo->name,rsf->BasicInfo.Title,8);
 	}
 	else{
 		ErrorParamNotFound("BasicInfo/Title");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
+	
 	/* Stack Size */
-	if(rsf->SystemControlInfo.StackSize){
-		u32 StackSize = strtoul(rsf->SystemControlInfo.StackSize,NULL,0);
-		u32_to_u8(CodeSetInfo->stackSize,StackSize,LE);
-	}
+	if(rsf->SystemControlInfo.StackSize)
+		u32_to_u8(CodeSetInfo->stackSize, strtoul(rsf->SystemControlInfo.StackSize,NULL,0), LE);
 	else{
 		ErrorParamNotFound("SystemControlInfo/StackSize");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 	/* Remaster Version */
-	if(rsf->SystemControlInfo.RemasterVersion){
-		u16 RemasterVersion = strtol(rsf->SystemControlInfo.RemasterVersion,NULL,0);
-		u16_to_u8(CodeSetInfo->remasterVersion,RemasterVersion,LE);
-	}
-	else{
-		u16_to_u8(CodeSetInfo->remasterVersion,0,LE);
-	}
+	if(rsf->SystemControlInfo.RemasterVersion)
+		u16_to_u8(CodeSetInfo->remasterVersion, strtol(rsf->SystemControlInfo.RemasterVersion,NULL,0), LE);
+	else
+		u16_to_u8(CodeSetInfo->remasterVersion, 0, LE);
+		
 	return 0;
 }
 
-int get_ExHeaderDependencyList(u8 *DependencyList, rsf_settings *rsf)
+int get_ExHeaderDependencyList(u8 *depList, rsf_settings *rsf)
 {
 	if(rsf->SystemControlInfo.DependencyNum > 0x30){
 		fprintf(stderr,"[EXHEADER ERROR] Too Many Dependency IDs\n");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 	for(int i = 0; i < rsf->SystemControlInfo.DependencyNum; i++){
-		u8 *pos = (DependencyList + 0x8*i);
-		u64 TitleID = strtoull(rsf->SystemControlInfo.Dependency[i],NULL,0);
-		u64_to_u8(pos,TitleID,LE);
+		u8 *pos = (depList + 0x8*i);
+		u64_to_u8(pos, strtoull(rsf->SystemControlInfo.Dependency[i],NULL,0), LE);
 	}
 	return 0;
 }
 
-int get_ExHeaderSystemInfo(exhdr_SystemInfo *SystemInfo, rsf_settings *rsf)
+int get_ExHeaderSystemInfo(exhdr_SystemInfo *systemInfo, rsf_settings *rsf)
 {
 	/* SaveDataSize */
 	if(rsf->SystemControlInfo.SaveDataSize){
-		u64 SaveDataSize = 0;
-		int ret = GetSaveDataSizeFromString(&SaveDataSize,rsf->SystemControlInfo.SaveDataSize,"EXHEADER");
-		if(ret) return ret;
-		u64_to_u8(SystemInfo->savedataSize,SaveDataSize,LE);
-	}
-	else{
-		u64_to_u8(SystemInfo->savedataSize,0,LE);
+		u64 saveSize = 0;
+		if(GetSaveDataSizeFromString(&saveSize,rsf->SystemControlInfo.SaveDataSize,"EXHEADER")) 
+			return EXHDR_BAD_RSF_OPT;
+		u64_to_u8(systemInfo->savedataSize, saveSize, LE);
 	}
+	else
+		u64_to_u8(systemInfo->savedataSize,0,LE);
+	
 	/* Jump Id */
-	if(rsf->SystemControlInfo.JumpId){
-		u64 JumpId = strtoull(rsf->SystemControlInfo.JumpId,NULL,0);
-		u64_to_u8(SystemInfo->jumpId,JumpId,LE);
-	}
+	if(rsf->SystemControlInfo.JumpId)
+		u64_to_u8(systemInfo->jumpId, strtoull(rsf->SystemControlInfo.JumpId,NULL,0), LE);
+	
 	else{
-		u64 JumpId = 0;
-		int result = GetProgramID(&JumpId,rsf,false); 
-		if(result) return result;
-		u64_to_u8(SystemInfo->jumpId,JumpId,LE);
+		u64 jumpId = 0;
+		if(GetProgramID(&jumpId,rsf,false)) 
+			return EXHDR_BAD_RSF_OPT;
+		u64_to_u8(systemInfo->jumpId,jumpId,LE);
 	}
 	return 0;
 }
 
-int get_ExHeaderARM11SystemLocalInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf, bool useAccessDescPreset)
+int get_ExHeaderARM11SystemLocalInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
 	/* Program Id */
-	u64 ProgramId = 0;
-	int result = GetProgramID(&ProgramId,rsf,true); 
-	if(result) return result;
-	u64_to_u8(arm11->programId,ProgramId,LE);
+	u64 programId = 0;
+	if(GetProgramID(&programId,rsf,true)) 
+		return EXHDR_BAD_RSF_OPT;
+	u64_to_u8(arm11->programId,programId,LE);
 	
-	if(!useAccessDescPreset){
-		/* Flags */
-		result = SetARM11SystemLocalInfoFlags(arm11, rsf);
-		if(result) return result;
-
-		/* Resource Limit Descriptors */
-		result = SetARM11ResLimitDesc(arm11, rsf);
-		if(result) return result;
-	}
+	/* Flags */
+	if(SetARM11SystemLocalInfoFlags(arm11, rsf)) 
+		return EXHDR_BAD_RSF_OPT;
+
+	/* Resource Limit Descriptors */
+	if(SetARM11ResLimitDesc(arm11, rsf)) 
+		return EXHDR_BAD_RSF_OPT;
 
 	/* Storage Info */
-	result = SetARM11StorageInfo(arm11, rsf);
-	if(result) return result;
-
-	if(!useAccessDescPreset){
-		/* Service Access Control */
-		result = SetARM11ServiceAccessControl(arm11, rsf);
-		if(result) return result;
-
-		/* Resource Limit Category */
-		if(rsf->AccessControlInfo.ResourceLimitCategory){
-			if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"application") == 0) arm11->resourceLimitCategory = resrc_limit_APPLICATION;
-			else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"sysapplet") == 0) arm11->resourceLimitCategory = resrc_limit_SYS_APPLET;
-			else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"libapplet") == 0) arm11->resourceLimitCategory = resrc_limit_LIB_APPLET;
-			else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"other") == 0) arm11->resourceLimitCategory = resrc_limit_OTHER;
-		}
+	if(SetARM11StorageInfo(arm11, rsf)) 
+		return EXHDR_BAD_RSF_OPT;
+
+	/* Service Access Control */
+	if(SetARM11ServiceAccessControl(arm11, rsf))
+		return EXHDR_BAD_RSF_OPT;
+
+	/* Resource Limit Category */
+	if(rsf->AccessControlInfo.ResourceLimitCategory){
+		if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"application") == 0) arm11->resourceLimitCategory = resrc_limit_APPLICATION;
+		else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"sysapplet") == 0) arm11->resourceLimitCategory = resrc_limit_SYS_APPLET;
+		else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"libapplet") == 0) arm11->resourceLimitCategory = resrc_limit_LIB_APPLET;
+		else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"other") == 0) arm11->resourceLimitCategory = resrc_limit_OTHER;
 	}
+	
+	/* Finish */
+	return 0;
+}
+
+int get_ExHeaderARM11SystemLocalInfoLimited(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
+{
+	/* Program Id */
+	u64 programId = 0;
+	if(GetProgramID(&programId,rsf,true)) 
+		return EXHDR_BAD_RSF_OPT;
+	u64_to_u8(arm11->programId,programId,LE);
+
+	/* Storage Info */
+	if(SetARM11StorageInfo(arm11, rsf)) 
+		return EXHDR_BAD_RSF_OPT;
+
 	/* Finish */
 	return 0;
 }
@@ -296,72 +310,69 @@ int get_ExHeaderARM11SystemLocalInfo(exhdr_ARM11SystemLocalCapabilities *arm11,
 int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
 	/* Core Version */
-	if(rsf->AccessControlInfo.CoreVersion){
-		u32 Version = strtoul(rsf->AccessControlInfo.CoreVersion,NULL,0);
-		u32_to_u8(arm11->coreVersion,Version,LE);
-	}
+	if(rsf->AccessControlInfo.CoreVersion)
+		u32_to_u8(arm11->coreVersion,strtoul(rsf->AccessControlInfo.CoreVersion,NULL,0),LE);
 	else{
 		ErrorParamNotFound("AccessControlInfo/CoreVersion");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 
 	/* Flag */
-	u8 AffinityMask = 0;
-	u8 IdealProcessor = 0;
-	u8 SystemMode = 0;
+	u8 affinityMask = 0;
+	u8 idealProcessor = 0;
+	u8 systemMode = 0;
+	
 	if(rsf->AccessControlInfo.AffinityMask){
-		AffinityMask = strtol(rsf->AccessControlInfo.AffinityMask,NULL,0);
-		if(AffinityMask > 1){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected AffinityMask: %d. Expected range: 0x0 - 0x1\n",AffinityMask);
-			return EXHDR_BAD_YAML_OPT;
+		affinityMask = strtol(rsf->AccessControlInfo.AffinityMask,NULL,0);
+		if(affinityMask > 1){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected AffinityMask: %d. Expected range: 0x0 - 0x1\n",affinityMask);
+			return EXHDR_BAD_RSF_OPT;
 		}
 	}
 	if(rsf->AccessControlInfo.IdealProcessor){
-		IdealProcessor = strtol(rsf->AccessControlInfo.IdealProcessor,NULL,0);
-		if(IdealProcessor > 1){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected IdealProcessor: %d. Expected range: 0x0 - 0x1\n",IdealProcessor);
-			return EXHDR_BAD_YAML_OPT;
+		idealProcessor = strtol(rsf->AccessControlInfo.IdealProcessor,NULL,0);
+		if(idealProcessor > 1){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected IdealProcessor: %d. Expected range: 0x0 - 0x1\n",idealProcessor);
+			return EXHDR_BAD_RSF_OPT;
 		}
 	}
 	if(rsf->AccessControlInfo.SystemMode){
-		SystemMode = strtol(rsf->AccessControlInfo.SystemMode,NULL,0);
-		if(SystemMode > 15){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected SystemMode: 0x%x. Expected range: 0x0 - 0xf\n",SystemMode);
-			return EXHDR_BAD_YAML_OPT;
+		systemMode = strtol(rsf->AccessControlInfo.SystemMode,NULL,0);
+		if(systemMode > 15){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected SystemMode: 0x%x. Expected range: 0x0 - 0xf\n",systemMode);
+			return EXHDR_BAD_RSF_OPT;
 		}
 	}
-	arm11->flag = (u8)(SystemMode << 4 | AffinityMask << 2 | IdealProcessor);
+	arm11->flag = (u8)(systemMode << 4 | affinityMask << 2 | idealProcessor);
 
 	/* Thread Priority */
 	if(rsf->AccessControlInfo.Priority){
-		u8 Priority = strtoul(rsf->AccessControlInfo.Priority,NULL,0);
-		int ProccessType = 0;
-		GetAppType(&ProccessType,rsf);
-		if(ProccessType == processtype_APPLICATION || ProccessType == processtype_DEFAULT){
-			Priority += 32;
-		}
-		if(Priority > 127){
-			fprintf(stderr,"[EXHEADER ERROR] Invalid Priority: %d\n",Priority);
-			return EXHDR_BAD_YAML_OPT;
+		u8 priority = strtoul(rsf->AccessControlInfo.Priority,NULL,0);
+		if(GetAppType(rsf) == processtype_APPLICATION)
+			priority += 32;
+		if(priority > 127){
+			fprintf(stderr,"[EXHEADER ERROR] Invalid Priority: %d\n",priority);
+			return EXHDR_BAD_RSF_OPT;
 		}
-		arm11->priority = Priority;
+		arm11->priority = priority;
 	}
 	else{
 		ErrorParamNotFound("AccessControlInfo/Priority");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 
 	return 0;
 }
 
-int GetAppType(int *AppType, rsf_settings *rsf)
-{
-	*AppType = processtype_DEFAULT;
+int GetAppType(rsf_settings *rsf)
+{	
 	if(rsf->SystemControlInfo.AppType){
-		if(strcasecmp(rsf->SystemControlInfo.AppType,"application") == 0) *AppType = processtype_APPLICATION;
-		else if(strcasecmp(rsf->SystemControlInfo.AppType,"system") == 0) *AppType = processtype_SYSTEM;
+		if(strcasecmp(rsf->SystemControlInfo.AppType,"application") == 0) 
+			return processtype_APPLICATION;
+		else if(strcasecmp(rsf->SystemControlInfo.AppType,"system") == 0) 
+			return processtype_SYSTEM;
 	}
-	return 0;
+	return processtype_APPLICATION;
 }
 
 int SetARM11ResLimitDesc(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
@@ -381,16 +392,15 @@ int SetARM11ResLimitDesc(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings
 
 int SetARM11StorageInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
-	if(rsf->AccessControlInfo.UseExtendedSaveDataAccessControl || rsf->AccessControlInfo.AccessibleSaveDataIds){
+	if(rsf->AccessControlInfo.AccessibleSaveDataIds){
 		/* Accessible SaveData IDs */
 		if(!CheckCondiditionsForNewAccessibleSaveDataIds(rsf))
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		SetARM11StorageInfoAccessibleSaveDataIds(arm11,rsf);
 	}
 	else{
 		/* Extdata Id */
-		int ret = SetARM11StorageInfoExtSaveDataId(arm11,rsf);
-		if(ret) return ret;
+		SetARM11StorageInfoExtSaveDataId(arm11,rsf);
 		/* OtherUserSaveData */
 		SetARM11StorageInfoOtherUserSaveData(arm11,rsf);
 	}
@@ -399,172 +409,142 @@ int SetARM11StorageInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings
 	SetARM11StorageInfoSystemSaveDataId(arm11,rsf);	
 
 	/* FileSystem Access Info */
-	u32 AccessInfo = 0;
+	return SetARM11StorageInfoFsAccessInfo(arm11,rsf);		
+}
+
+int SetARM11StorageInfoFsAccessInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
+{
+	u32 accessInfo = 0;
 	for(int i = 0; i < rsf->AccessControlInfo.FileSystemAccessNum; i++){
 		if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CategorySystemApplication") == 0)
-			AccessInfo |= fsaccess_CATEGORY_SYSTEM_APPLICATION;
+			accessInfo |= fsaccess_CATEGORY_SYSTEM_APPLICATION;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CategoryHardwareCheck") == 0)
-			AccessInfo |= fsaccess_CATEGORY_HARDWARE_CHECK;
+			accessInfo |= fsaccess_CATEGORY_HARDWARE_CHECK;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CategoryFileSystemTool") == 0)
-			AccessInfo |= fsaccess_CATEGORY_FILE_SYSTEM_TOOL;
+			accessInfo |= fsaccess_CATEGORY_FILE_SYSTEM_TOOL;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"Debug") == 0)
-			AccessInfo |= fsaccess_DEBUG;
+			accessInfo |= fsaccess_DEBUG;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"TwlCardBackup") == 0)
-			AccessInfo |= fsaccess_TWL_CARD_BACKUP;
+			accessInfo |= fsaccess_TWL_CARD_BACKUP;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"TwlNandData") == 0)
-			AccessInfo |= fsaccess_TWL_NAND_DATA;
+			accessInfo |= fsaccess_TWL_NAND_DATA;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"Boss") == 0)
-			AccessInfo |= fsaccess_BOSS;
+			accessInfo |= fsaccess_BOSS;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"DirectSdmc") == 0)
-			AccessInfo |= fsaccess_DIRECT_SDMC;
+			accessInfo |= fsaccess_DIRECT_SDMC;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"Core") == 0)
-			AccessInfo |= fsaccess_CORE;
+			accessInfo |= fsaccess_CORE;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CtrNandRo") == 0)
-			AccessInfo |= fsaccess_CTR_NAND_RO;
+			accessInfo |= fsaccess_CTR_NAND_RO;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CtrNandRw") == 0)
-			AccessInfo |= fsaccess_CTR_NAND_RW;
+			accessInfo |= fsaccess_CTR_NAND_RW;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CtrNandRoWrite") == 0)
-			AccessInfo |= fsaccess_CTR_NAND_RO_WRITE;
+			accessInfo |= fsaccess_CTR_NAND_RO_WRITE;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CategorySystemSettings") == 0)
-			AccessInfo |= fsaccess_CATEGORY_SYSTEM_SETTINGS;
+			accessInfo |= fsaccess_CATEGORY_SYSTEM_SETTINGS;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CardBoard") == 0)
-			AccessInfo |= fsaccess_CARD_BOARD;
+			accessInfo |= fsaccess_CARD_BOARD;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"ExportImportIvs") == 0)
-			AccessInfo |= fsaccess_EXPORT_IMPORT_IVS;
+			accessInfo |= fsaccess_EXPORT_IMPORT_IVS;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"DirectSdmcWrite") == 0)
-			AccessInfo |= fsaccess_DIRECT_SDMC_WRITE;
+			accessInfo |= fsaccess_DIRECT_SDMC_WRITE;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"SwitchCleanup") == 0)
-			AccessInfo |= fsaccess_SWITCH_CLEANUP;
+			accessInfo |= fsaccess_SWITCH_CLEANUP;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"SaveDataMove") == 0)
-			AccessInfo |= fsaccess_SAVE_DATA_MOVE;
+			accessInfo |= fsaccess_SAVE_DATA_MOVE;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"Shop") == 0)
-			AccessInfo |= fsaccess_SHOP;
+			accessInfo |= fsaccess_SHOP;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"Shell") == 0)
-			AccessInfo |= fsaccess_SHELL;
+			accessInfo |= fsaccess_SHELL;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CategoryHomeMenu") == 0)
-			AccessInfo |= fsaccess_CATEGORY_HOME_MENU;
+			accessInfo |= fsaccess_CATEGORY_HOME_MENU;
 		else{
 			fprintf(stderr,"[EXHEADER ERROR] Invalid FileSystemAccess Name: \"%s\"\n",rsf->AccessControlInfo.FileSystemAccess[i]);
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		}
 	}
-	u32_to_u8(arm11->storageInfo.accessInfo,AccessInfo,LE);
+	u32_to_u8(arm11->storageInfo.accessInfo,accessInfo,LE);
+	
 	return 0;
 }
 
-int SetARM11StorageInfoSystemSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
+void SetARM11StorageInfoSystemSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
-	if(rsf->AccessControlInfo.SystemSaveDataId1){
-		u32 SaveId = strtoul(rsf->AccessControlInfo.SystemSaveDataId1,NULL,0);
-		u32_to_u8(arm11->storageInfo.systemSavedataId,SaveId,LE);
-	}
-	if(rsf->AccessControlInfo.SystemSaveDataId2){
-		u32 SaveId = strtoul(rsf->AccessControlInfo.SystemSaveDataId2,NULL,0);
-		u32_to_u8(&arm11->storageInfo.systemSavedataId[4],SaveId,LE);
-	}
-	return 0;
+	if(rsf->AccessControlInfo.SystemSaveDataId1)
+		u32_to_u8(arm11->storageInfo.systemSavedataId[0], strtoul(rsf->AccessControlInfo.SystemSaveDataId1,NULL,0), LE);
+	
+	if(rsf->AccessControlInfo.SystemSaveDataId2)
+		u32_to_u8(arm11->storageInfo.systemSavedataId[1], strtoul(rsf->AccessControlInfo.SystemSaveDataId2,NULL,0), LE);
 }
 
-int SetARM11StorageInfoExtSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
+void SetARM11StorageInfoExtSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
-	if(rsf->AccessControlInfo.ExtSaveDataId){
-		if(!rsf->AccessControlInfo.UseExtSaveData){
-			fprintf(stderr,"[EXHEADER ERROR] Failed to set ExtSaveDataId. UseExtSaveData must be true.\n");
-			return EXHDR_BAD_YAML_OPT;
-		}
-		u64 ExtdataId = strtoull(rsf->AccessControlInfo.ExtSaveDataId,NULL,0);
-		u64_to_u8(arm11->storageInfo.extSavedataId,ExtdataId,LE);
-	}
-	return 0;
+	if(rsf->AccessControlInfo.ExtSaveDataId)
+		u64_to_u8(arm11->storageInfo.extSavedataId, strtoull(rsf->AccessControlInfo.ExtSaveDataId,NULL,0), LE);
 }
 
-int SetARM11StorageInfoOtherUserSaveData(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
+void SetARM11StorageInfoOtherUserSaveData(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
-	u64 Value = 0; 
+	u64 value = 0; 
 	if(rsf->AccessControlInfo.OtherUserSaveDataId1)
-		Value = 0xffffff & strtoul(rsf->AccessControlInfo.OtherUserSaveDataId1,NULL,0);
-	Value = Value << 20;
+		value = 0xffffff & strtoul(rsf->AccessControlInfo.OtherUserSaveDataId1,NULL,0);
+	value = value << 20;
 	if(rsf->AccessControlInfo.OtherUserSaveDataId2)
-		Value |= 0xffffff & strtoul(rsf->AccessControlInfo.OtherUserSaveDataId2,NULL,0);
-	Value = Value << 20;
+		value |= 0xffffff & strtoul(rsf->AccessControlInfo.OtherUserSaveDataId2,NULL,0);
+	value = value << 20;
 	if(rsf->AccessControlInfo.OtherUserSaveDataId3)
-		Value |= 0xffffff & strtoul(rsf->AccessControlInfo.OtherUserSaveDataId3,NULL,0);
+		value |= 0xffffff & strtoul(rsf->AccessControlInfo.OtherUserSaveDataId3,NULL,0);
 
 	/* UseOtherVariationSaveData Flag */
 	if(rsf->AccessControlInfo.UseOtherVariationSaveData)
-		Value |= 0x1000000000000000;
+		value |= 0x1000000000000000;
 	
-	u64_to_u8(arm11->storageInfo.storageAccessableUniqueIds,Value,LE);
-	return 0;
+	u64_to_u8(arm11->storageInfo.storageAccessableUniqueIds,value,LE);
 }
 
 bool CheckCondiditionsForNewAccessibleSaveDataIds(rsf_settings *rsf)
 {
-	if(!rsf->AccessControlInfo.UseExtendedSaveDataAccessControl){
-		if(rsf->AccessControlInfo.AccessibleSaveDataIds)
-			fprintf(stderr,"[EXHEADER ERROR] AccessibleSaveDataIds is unavailable if UseExtendedSaveDataAccessControl is false.\n");
-		return false;
-	}
-
-	/*
-	if(rsf->AccessControlInfo.AccessibleSaveDataIdsNum == 0){
-		fprintf(stderr,"[EXHEADER ERROR] AccessibleSaveDataIds must be specified if UseExtendedSaveDataAccessControl is true.\n");
-		return false;
-	}
-	*/
-
 	if(rsf->AccessControlInfo.AccessibleSaveDataIdsNum > 6){
 		fprintf(stderr,"[EXHEADER ERROR] Too many UniqueId in \"AccessibleSaveDataIds\".\n");
 		return false;
 	}
-
-	if(rsf->AccessControlInfo.UseExtSaveData){
-		fprintf(stderr,"[EXHEADER ERROR] UseExtSaveData must be false if AccessibleSaveDataIds is specified.\n");
-		return false;
-	}
 	if (rsf->AccessControlInfo.ExtSaveDataId){
 		fprintf(stderr,"[EXHEADER ERROR] ExtSaveDataId is unavailable if AccessibleSaveDataIds is specified.\n");
 		return false;
 	}
-	if (rsf->AccessControlInfo.OtherUserSaveDataId1){
-		if(strtoul(rsf->AccessControlInfo.OtherUserSaveDataId1,NULL,0) > 0){
-			fprintf(stderr,"[EXHEADER ERROR] OtherUserSaveDataId1 must be 0 if AccessibleSaveDataIds is specified.\n");
-			return false;
-		}
+	if (rsf->AccessControlInfo.OtherUserSaveDataId1 && strtoul(rsf->AccessControlInfo.OtherUserSaveDataId1,NULL,0) > 0){
+		fprintf(stderr,"[EXHEADER ERROR] OtherUserSaveDataId1 must be 0 if AccessibleSaveDataIds is specified.\n");
+		return false;
 	}
-	if (rsf->AccessControlInfo.OtherUserSaveDataId2){
-		if(strtoul(rsf->AccessControlInfo.OtherUserSaveDataId2,NULL,0) > 0){
-			fprintf(stderr,"[EXHEADER ERROR] OtherUserSaveDataId2 must be 0 if AccessibleSaveDataIds is specified.\n");
-			return false;
-		}
+	if (rsf->AccessControlInfo.OtherUserSaveDataId2 && strtoul(rsf->AccessControlInfo.OtherUserSaveDataId2,NULL,0) > 0){
+		fprintf(stderr,"[EXHEADER ERROR] OtherUserSaveDataId2 must be 0 if AccessibleSaveDataIds is specified.\n");
+		return false;
 	}
-	if (rsf->AccessControlInfo.OtherUserSaveDataId3){
-		if(strtoul(rsf->AccessControlInfo.OtherUserSaveDataId3,NULL,0) > 0){
-			fprintf(stderr,"[EXHEADER ERROR] OtherUserSaveDataId3 must be 0 if AccessibleSaveDataIds is specified.\n");
-			return false;
-		}
+	if (rsf->AccessControlInfo.OtherUserSaveDataId3 && strtoul(rsf->AccessControlInfo.OtherUserSaveDataId3,NULL,0) > 0){
+		fprintf(stderr,"[EXHEADER ERROR] OtherUserSaveDataId3 must be 0 if AccessibleSaveDataIds is specified.\n");
+		return false;
 	}
 	return true;
 }
 
-int SetARM11StorageInfoAccessibleSaveDataIds(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
+void SetARM11StorageInfoAccessibleSaveDataIds(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
-	u64 RegionExtSaveDataId = 0;
-	u64 RegionOtherUseSaveData = 0;
+	u64 region_ExtSaveDataId = 0;
+	u64 region_OtherUseSaveData = 0;
 
 	if(rsf->AccessControlInfo.AccessibleSaveDataIdsNum > 0){
-		u32 Max = rsf->AccessControlInfo.AccessibleSaveDataIdsNum < 3 ? rsf->AccessControlInfo.AccessibleSaveDataIdsNum : 3;
-		for(int i = 0; i < Max; i++){
-			u32 UniqueID = 0xffffff & strtoul(rsf->AccessControlInfo.AccessibleSaveDataIds[i],NULL,0);
-			RegionOtherUseSaveData = RegionOtherUseSaveData << 20;
-			RegionOtherUseSaveData |= UniqueID;
+		u32 max = rsf->AccessControlInfo.AccessibleSaveDataIdsNum < 3 ? rsf->AccessControlInfo.AccessibleSaveDataIdsNum : 3;
+		for(int i = 0; i < max; i++){
+			u32 uniqueID = 0xffffff & strtoul(rsf->AccessControlInfo.AccessibleSaveDataIds[i],NULL,0);
+			region_OtherUseSaveData = region_OtherUseSaveData << 20;
+			region_OtherUseSaveData |= uniqueID;
 		}
 	}
 	if(rsf->AccessControlInfo.AccessibleSaveDataIdsNum > 3){
 		for(int i = 3; i < rsf->AccessControlInfo.AccessibleSaveDataIdsNum; i++){
-			u32 UniqueID = 0xffffff & strtoul(rsf->AccessControlInfo.AccessibleSaveDataIds[i],NULL,0);
-			RegionExtSaveDataId = RegionExtSaveDataId << 20;
-			RegionExtSaveDataId |= UniqueID;
+			u32 uniqueID = 0xffffff & strtoul(rsf->AccessControlInfo.AccessibleSaveDataIds[i],NULL,0);
+			region_ExtSaveDataId = region_ExtSaveDataId << 20;
+			region_ExtSaveDataId |= uniqueID;
 		}
 	}
 
@@ -572,11 +552,10 @@ int SetARM11StorageInfoAccessibleSaveDataIds(exhdr_ARM11SystemLocalCapabilities
 
 	/* UseOtherVariationSaveData Flag */
 	if(rsf->AccessControlInfo.UseOtherVariationSaveData)
-		RegionOtherUseSaveData |= 0x1000000000000000;
+		region_OtherUseSaveData |= 0x1000000000000000;
 
-	u64_to_u8(arm11->storageInfo.extSavedataId,RegionExtSaveDataId,LE);
-	u64_to_u8(arm11->storageInfo.storageAccessableUniqueIds,RegionOtherUseSaveData,LE);
-	return 0;
+	u64_to_u8(arm11->storageInfo.extSavedataId,region_ExtSaveDataId,LE);
+	u64_to_u8(arm11->storageInfo.storageAccessableUniqueIds,region_OtherUseSaveData,LE);
 }
 
 int SetARM11ServiceAccessControl(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
@@ -584,20 +563,19 @@ int SetARM11ServiceAccessControl(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 	if(rsf->AccessControlInfo.ServiceAccessControl){
 		if(rsf->AccessControlInfo.ServiceAccessControlNum > 32){
 			fprintf(stderr,"[EXHEADER ERROR] Too Many Service Names, maximum is 32\n");
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		}
 		for(int i = 0; i < rsf->AccessControlInfo.ServiceAccessControlNum; i++){
-			int svc_handle_len = strlen(rsf->AccessControlInfo.ServiceAccessControl[i]);
-			if(svc_handle_len > 8){
+			if(strlen(rsf->AccessControlInfo.ServiceAccessControl[i]) > 8){
 				fprintf(stderr,"[EXHEADER ERROR] Service Name: \"%s\" is too long\n",rsf->AccessControlInfo.ServiceAccessControl[i]);
-				return EXHDR_BAD_YAML_OPT;
+				return EXHDR_BAD_RSF_OPT;
 			}
-			memcpy(arm11->serviceAccessControl[i],rsf->AccessControlInfo.ServiceAccessControl[i],svc_handle_len);
+			strncpy((char*)arm11->serviceAccessControl[i],rsf->AccessControlInfo.ServiceAccessControl[i],8);
 		}
 	}
 	else{
 		ErrorParamNotFound("AccessControlInfo/ServiceAccessControl");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 	return 0;
 }
@@ -605,87 +583,89 @@ int SetARM11ServiceAccessControl(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 int get_ExHeaderARM11KernelInfo(exhdr_ARM11KernelCapabilities *arm11, rsf_settings *rsf)
 {
 	int result = 0;
+	u16 totalDesc, descIndex;
 	ARM11KernelCapabilityDescriptor desc[6];
-	memset(&desc,0,sizeof(ARM11KernelCapabilityDescriptor)*6);
+	clrmem(&desc,sizeof(ARM11KernelCapabilityDescriptor)*6);
 
 	/* Get Descriptors */
-	result = SetARM11KernelDescSysCallControl(&desc[0],rsf);
-	if(result) goto finish;
-	result = SetARM11KernelDescInteruptNumList(&desc[1],rsf);
-	if(result) goto finish;
-	result = SetARM11KernelDescAddressMapping(&desc[2],rsf);
-	if(result) goto finish;
-	result = SetARM11KernelDescOtherCapabilities(&desc[3],rsf);
-	if(result) goto finish;
-	result = SetARM11KernelDescHandleTableSize(&desc[4],rsf);
-	if(result) goto finish;
-	result = SetARM11KernelDescReleaseKernelVersion(&desc[5],rsf);
+	if((result = SetARM11KernelDescSysCallControl(&desc[0],rsf)))
+		goto finish;
+	if((result = SetARM11KernelDescInteruptNumList(&desc[1],rsf)))
+		goto finish;
+	if((result = SetARM11KernelDescAddressMapping(&desc[2],rsf)))
+		goto finish;
+	if((result = SetARM11KernelDescOtherCapabilities(&desc[3],rsf)))
+		goto finish;
+	if((result = SetARM11KernelDescHandleTableSize(&desc[4],rsf)))
+		goto finish;
+	if((result = SetARM11KernelDescReleaseKernelVersion(&desc[5],rsf)))
+		goto finish;
 
 	/* Write Descriptors To Exheader */
-	u16 TotalDesc = 0;
-	for(int i = 0; i < 6; i++){
-		TotalDesc += desc[i].num;
-	}
-	if(TotalDesc >= 28){
+	totalDesc = 0;
+	for(int i = 0; i < 6; i++)
+		totalDesc += desc[i].num;
+		
+	if(totalDesc >= 28){
 		fprintf(stderr,"[EXHEADER ERROR] Too many Kernel Capabilities.\n");
-		result = EXHDR_BAD_YAML_OPT;
+		result = EXHDR_BAD_RSF_OPT;
 		goto finish;
 	}
-	u16 DescIndex = 0;
+	
+	descIndex = 0;
 	for(int i = 0; i < 6; i++){
 		for(int j = 0; j < desc[i].num; j++){
-			u32_to_u8(arm11->descriptors[DescIndex],desc[i].Data[j],LE);
-			DescIndex++;
+			u32_to_u8(arm11->descriptors[descIndex],desc[i].data[j],LE);
+			descIndex++;
 		}
 	}
 
 	/* Fill Remaining Descriptors with 0xffffffff */ 
-	for(int i = DescIndex; i < 28; i++){
+	for(int i = descIndex; i < 28; i++)
 		u32_to_u8(arm11->descriptors[i],0xffffffff,LE);
-	}
 
 finish:
-	for(int i = 0; i < 6; i++){
-		free(desc[i].Data);
-	}
+	for(int i = 0; i < 6; i++)
+		free(desc[i].data);
 	return result;
 }
 
 int SetARM11KernelDescSysCallControl(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	int ret = 0;
+	u16 activeSysCallDesc, sysCallDescPos;
 
 	// Create Temporary Descriptor
 	ARM11KernelCapabilityDescriptor tmp;
-	memset(&tmp,0,sizeof(ARM11KernelCapabilityDescriptor));
+	clrmem(&tmp,sizeof(ARM11KernelCapabilityDescriptor));
 
 	AllocateARM11KernelDescMemory(&tmp,8);
 	for(int i = 0; i < 8; i++)
 		SetARM11KernelDescValue(&tmp,i,desc_SysCallControl | (i << 24));
 
 	// Get SysCalls
-	ret = GetARM11SysCalls(&tmp,rsf);
-	if(ret) goto finish;
+	if((ret = GetARM11SysCalls(&tmp,rsf)))
+		goto finish;
 
 	// Count Active Syscall Descs
-	u16 ActiveSysCallDesc = 0;
+	activeSysCallDesc = 0;
 	for(int i = 0; i < 8; i++)
-		if((tmp.Data[i] & 0x00ffffff) != 0) 
-			ActiveSysCallDesc++;
+		if((tmp.data[i] & 0x00ffffff) != 0) 
+			activeSysCallDesc++;
 	
 	// Transfer Active Syscall Descs to out Descriptor
-	AllocateARM11KernelDescMemory(desc,ActiveSysCallDesc);
-	u16 SysCallDescPos = 0;
+	AllocateARM11KernelDescMemory(desc,activeSysCallDesc);
+	sysCallDescPos = 0;
 	for(int i = 0; i < 8; i++){
-		if((tmp.Data[i] & 0x00ffffff) != 0) {
-			SetARM11KernelDescValue(desc,SysCallDescPos,tmp.Data[i]);
-			SysCallDescPos++;
+		if((tmp.data[i] & 0x00ffffff) != 0) {
+			SetARM11KernelDescValue(desc,sysCallDescPos,tmp.data[i]);
+			sysCallDescPos++;
 		}
 	}
 
 finish:
 	// Free data in Temporary Descriptor
-	free(tmp.Data);
+	free(tmp.data);
 	return ret;
 }
 
@@ -693,38 +673,39 @@ int GetARM11SysCalls(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	if(!rsf->AccessControlInfo.SystemCallAccess){
 		ErrorParamNotFound("AccessControlInfo/SystemCallAccess");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 	for(int i = 0; i < rsf->AccessControlInfo.SystemCallAccessNum; i++){
-		int SysCall = strtoul(rsf->AccessControlInfo.SystemCallAccess[i],NULL,0);
-		if(SysCall > 184){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected Syscall: 0x%02x. Expected Range: 0x00 - 0xB8\n",SysCall);
-			return EXHDR_BAD_YAML_OPT;
+		int sysCall = strtoul(rsf->AccessControlInfo.SystemCallAccess[i],NULL,0);
+		if(sysCall > 184){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected Syscall: 0x%02x. Expected Range: 0x00 - 0xB8\n",sysCall);
+			return EXHDR_BAD_RSF_OPT;
 		}
-		EnableSystemCall(desc,SysCall);
+		EnableSystemCall(desc,sysCall);
 	}
 
 	return 0;
 }
 
-void EnableSystemCall(ARM11KernelCapabilityDescriptor *desc, int SysCall)
+void EnableSystemCall(ARM11KernelCapabilityDescriptor *desc, int sysCall)
 {
-	int num = SysCall / 24;
-	int num1 = SysCall % 24;
-	desc->Data[num] |= 1 << (num1 & 31);
+	int num = sysCall / 24;
+	int num1 = sysCall % 24;
+	desc->data[num] |= 1 << (num1 & 31);
 }
 
-void DisableSystemCall(ARM11KernelCapabilityDescriptor *desc, int SysCall)
+void DisableSystemCall(ARM11KernelCapabilityDescriptor *desc, int sysCall)
 {
-	int num = SysCall / 24;
-	int num1 = SysCall % 24;
-	desc->Data[num] = desc->Data[num] & ~(1 << (num1 & 31));
+	int num = sysCall / 24;
+	int num1 = sysCall % 24;
+	desc->data[num] = desc->data[num] & ~(1 << (num1 & 31));
 }
 
 int SetARM11KernelDescInteruptNumList(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {	
 	int ret = 0;
-
+	u16 activeInteruptDesc, interuptDescPos;
+	
 	// Create Temporary Descriptor
 	ARM11KernelCapabilityDescriptor tmp;
 	memset(&tmp,0,sizeof(ARM11KernelCapabilityDescriptor));
@@ -736,43 +717,43 @@ int SetARM11KernelDescInteruptNumList(ARM11KernelCapabilityDescriptor *desc, rsf
 	if(ret) goto finish;
 
 	// Count Active Interupt Descs
-	u16 ActiveInteruptDesc = 0;
+	activeInteruptDesc = 0;
 	for(int i = 0; i < 8; i++)
-		if(tmp.Data[i]) 
-			ActiveInteruptDesc++;
+		if(tmp.data[i]) 
+			activeInteruptDesc++;
 	
 	// Transfer Active Interupt Descs to output Descriptor
-	AllocateARM11KernelDescMemory(desc,ActiveInteruptDesc);
-	u16 InteruptDescPos = 0;
+	AllocateARM11KernelDescMemory(desc,activeInteruptDesc);
+	interuptDescPos = 0;
 	for(int i = 0; i < 8; i++){
-		if(tmp.Data[i]) {
-			SetARM11KernelDescValue(desc,InteruptDescPos,(tmp.Data[i] & 0x0fffffff) | desc_InteruptNumList);
-			InteruptDescPos++;
+		if(tmp.data[i]) {
+			SetARM11KernelDescValue(desc,interuptDescPos,(tmp.data[i] & 0x0fffffff) | desc_InteruptNumList);
+			interuptDescPos++;
 		}
 	}
 
 finish:
 	// Free data in Temporary Descriptor
-	free(tmp.Data);
+	free(tmp.data);
 	return ret;
 }
 
 int GetARM11Interupts(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
-	if(!rsf->AccessControlInfo.InterruptNumbers){
+	if(!rsf->AccessControlInfo.InterruptNumbers)
 		return 0;
-	}
+	
 	if(rsf->AccessControlInfo.InterruptNumbersNum > 32){
 		fprintf(stderr,"[EXHEADER ERROR] Too many Interupts. Maximum is 32\n");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 	for(int i = 0; i < rsf->AccessControlInfo.InterruptNumbersNum; i++){
-		int Interrupt = strtoul(rsf->AccessControlInfo.InterruptNumbers[i],NULL,0);
-		if(Interrupt > 0x7f){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected Interupt: 0x%02x. Expected Range: 0x00 - 0x7f\n",Interrupt);
-			return EXHDR_BAD_YAML_OPT;
+		int interrupt = strtoul(rsf->AccessControlInfo.InterruptNumbers[i],NULL,0);
+		if(interrupt > 0x7f){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected Interupt: 0x%02x. Expected Range: 0x00 - 0x7f\n",interrupt);
+			return EXHDR_BAD_RSF_OPT;
 		}
-		EnableInterupt(desc,Interrupt,i);
+		EnableInterupt(desc,interrupt,i);
 	}
 
 	return 0;
@@ -781,44 +762,46 @@ int GetARM11Interupts(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 void EnableInterupt(ARM11KernelCapabilityDescriptor *desc, int Interrupt, int i)
 {
 	int num = i / 4;
-	if(num*4 == i) desc->Data[num] |= 0xffffffff;
-	desc->Data[num] = desc->Data[num] << 7;
-	desc->Data[num] |= Interrupt;
+	if(num*4 == i) desc->data[num] |= 0xffffffff;
+	desc->data[num] = desc->data[num] << 7;
+	desc->data[num] |= Interrupt;
 }
 
 int SetARM11KernelDescAddressMapping(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	int ret = 0;
+	u16 memMapDescPos;
+	
 	// Create Temporary Descriptors
 	ARM11KernelCapabilityDescriptor io_tmp;
-	memset(&io_tmp,0,sizeof(ARM11KernelCapabilityDescriptor));
+	clrmem(&io_tmp,sizeof(ARM11KernelCapabilityDescriptor));
 	ARM11KernelCapabilityDescriptor static_tmp;
-	memset(&static_tmp,0,sizeof(ARM11KernelCapabilityDescriptor));
+	clrmem(&static_tmp,sizeof(ARM11KernelCapabilityDescriptor));
 
 	// Getting IO Mapping
-	ret = GetARM11IOMappings(&io_tmp,rsf);
-	if(ret) goto finish;
+	if((ret = GetARM11IOMappings(&io_tmp,rsf)))
+		goto finish;
 
 	// Getting Static Mapping
-	ret = GetARM11StaticMappings(&static_tmp,rsf);
-	if(ret) goto finish;
+	if((ret = GetARM11StaticMappings(&static_tmp,rsf)))
+		goto finish;
 
 
 	// Creating Output Descriptor and Combining the two MemMap Descriptors
 	AllocateARM11KernelDescMemory(desc,io_tmp.num+static_tmp.num);
-	u16 MemMapDescPos = 0;
+	memMapDescPos = 0;
 	for(int i = 0; i < io_tmp.num; i++){
-		SetARM11KernelDescValue(desc,MemMapDescPos,io_tmp.Data[i]);
-		MemMapDescPos++;
+		SetARM11KernelDescValue(desc,memMapDescPos,io_tmp.data[i]);
+		memMapDescPos++;
 	}
 	for(int i = 0; i < static_tmp.num; i++){
-		SetARM11KernelDescValue(desc,MemMapDescPos,static_tmp.Data[i]);
-		MemMapDescPos++;
+		SetARM11KernelDescValue(desc,memMapDescPos,static_tmp.data[i]);
+		memMapDescPos++;
 	}
 
 finish:
-	free(io_tmp.Data);
-	free(static_tmp.Data);
+	free(io_tmp.data);
+	free(static_tmp.data);
 	return ret;
 }
 
@@ -826,9 +809,10 @@ int GetARM11IOMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	if(!rsf->AccessControlInfo.IORegisterMapping)
 		return 0;
-
+		
 	AllocateARM11KernelDescMemory(desc,rsf->AccessControlInfo.IORegisterMappingNum*2);
-	u16 DescUsed = 0;
+	u16 descUsed = 0;
+	
 	for(int i = 0; i < rsf->AccessControlInfo.IORegisterMappingNum; i++){
 		if(strlen(rsf->AccessControlInfo.IORegisterMapping[i])){
 			// Parse Address String
@@ -845,38 +829,36 @@ int GetARM11IOMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 			u32 AddressStart = strtoul(AddressStartStr,NULL,16);
 			if(!IsStartAddress(AddressStart)){
 				fprintf(stderr,"[EXHEADER ERROR] Address 0x%x is not valid mapping start address.\n",AddressStart);
-				return EXHDR_BAD_YAML_OPT;
+				return EXHDR_BAD_RSF_OPT;
 			}
 			if(!AddressEndStr){ // No End Addr Was Specified
-				SetARM11KernelDescValue(desc,DescUsed,GetIOMappingDesc(AddressStart));
-				DescUsed++;
-				goto skip;
+				SetARM11KernelDescValue(desc,descUsed,GetIOMappingDesc(AddressStart));
+				descUsed++;
+				continue;
 			}
 
 			u32 AddressEnd = strtoul(AddressEndStr,NULL,16);
 			if(!IsEndAddress(AddressEnd)){
 				fprintf(stderr,"[EXHEADER ERROR] Address 0x%x is not valid mapping end address.\n",AddressEnd);
-				return EXHDR_BAD_YAML_OPT;
+				return EXHDR_BAD_RSF_OPT;
 			}
 
 			u32 DescStartAddr = GetStaticMappingDesc(AddressStart,false);
 			u32 DescEndAddr = GetStaticMappingDesc(AddressEnd+0x1000,false);
 			if(DescStartAddr != DescEndAddr){
-				SetARM11KernelDescValue(desc,DescUsed,DescStartAddr);
-				SetARM11KernelDescValue(desc,DescUsed+1,DescEndAddr);
-				DescUsed += 2;
-				goto skip;
+				SetARM11KernelDescValue(desc,descUsed,DescStartAddr);
+				SetARM11KernelDescValue(desc,descUsed+1,DescEndAddr);
+				descUsed += 2;
+				continue;
 			}
 			else{
-				SetARM11KernelDescValue(desc,DescUsed,GetIOMappingDesc(AddressStart));
-				DescUsed++;
-				goto skip;
+				SetARM11KernelDescValue(desc,descUsed,GetIOMappingDesc(AddressStart));
+				descUsed++;
+				continue;
 			}
 		}
-
-		skip: ;
 	}
-	desc->num = DescUsed;
+	desc->num = descUsed;
 	return 0;
 }
 
@@ -886,7 +868,7 @@ int GetARM11StaticMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *
 		return 0;
 
 	AllocateARM11KernelDescMemory(desc,rsf->AccessControlInfo.MemoryMappingNum*2);
-	u16 DescUsed = 0;
+	u16 descUsed = 0;
 	for(int i = 0; i < rsf->AccessControlInfo.MemoryMappingNum; i++){
 		if(strlen(rsf->AccessControlInfo.MemoryMapping[i])){
 			char *AddressStartStr = rsf->AccessControlInfo.MemoryMapping[i];
@@ -908,115 +890,113 @@ int GetARM11StaticMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *
 			u32 AddressStart = strtoul(AddressStartStr,NULL,16);
 			if(!IsStartAddress(AddressStart)){
 				fprintf(stderr,"[EXHEADER ERROR] Address 0x%x (%s) is not valid mapping start address.\n",AddressStart,AddressStartStr);
-				return EXHDR_BAD_YAML_OPT;
+				return EXHDR_BAD_RSF_OPT;
 			}
 			if(!AddressEndStr){ // No End Addr Was Specified
-				SetARM11KernelDescValue(desc,DescUsed,GetStaticMappingDesc(AddressStart,IsRO));
-				SetARM11KernelDescValue(desc,DescUsed+1,GetStaticMappingDesc(AddressStart+0x1000, true));
-				DescUsed += 2;
-				goto skip;
+				SetARM11KernelDescValue(desc,descUsed,GetStaticMappingDesc(AddressStart,IsRO));
+				SetARM11KernelDescValue(desc,descUsed+1,GetStaticMappingDesc(AddressStart+0x1000, true));
+				descUsed += 2;
+				continue;
 			}
 
 			u32 AddressEnd = strtoul(AddressEndStr,NULL,16);
 			if(!IsEndAddress(AddressEnd)){
 				fprintf(stderr,"[EXHEADER ERROR] Address 0x%x (%s) is not valid mapping end address.\n",AddressEnd,AddressEndStr);
-				return EXHDR_BAD_YAML_OPT;
+				return EXHDR_BAD_RSF_OPT;
 			}
 
 			u32 DescStartAddr = GetStaticMappingDesc(AddressStart,IsRO);
 			u32 DescEndAddr = GetStaticMappingDesc(AddressEnd+0x1000,true);
 			if(DescStartAddr != DescEndAddr){
-				SetARM11KernelDescValue(desc,DescUsed,DescStartAddr);
-				SetARM11KernelDescValue(desc,DescUsed+1,DescEndAddr);
-				DescUsed += 2;
-				goto skip;
+				SetARM11KernelDescValue(desc,descUsed,DescStartAddr);
+				SetARM11KernelDescValue(desc,descUsed+1,DescEndAddr);
+				descUsed += 2;
+				continue;
 			}
 			else{
-				SetARM11KernelDescValue(desc,DescUsed,GetStaticMappingDesc(AddressStart,IsRO));
-				SetARM11KernelDescValue(desc,DescUsed+1,GetStaticMappingDesc(AddressStart+0x1000, true));
-				DescUsed += 2;
-				goto skip;
+				SetARM11KernelDescValue(desc,descUsed,GetStaticMappingDesc(AddressStart,IsRO));
+				SetARM11KernelDescValue(desc,descUsed+1,GetStaticMappingDesc(AddressStart+0x1000, true));
+				descUsed += 2;
+				continue;
 			}
 		}
-
-		skip: ;
 	}
-	desc->num = DescUsed;
+	desc->num = descUsed;
 	return 0;
 }
 
-bool IsEndAddress(u32 Address)
+bool IsEndAddress(u32 address)
 {
-	return (Address & 0x0fff) == 0x0fff;
+	return (address & 0x0fff) == 0x0fff;
 }
 
-bool IsStartAddress(u32 Address)
+bool IsStartAddress(u32 address)
 {
-	return (Address & 0x0fff) == 0;
+	return (address & 0x0fff) == 0;
 }
 
-u32 GetIOMappingDesc(u32 Address)
+u32 GetIOMappingDesc(u32 address)
 {
-	return GetMappingDesc(Address,0xFFE,0xC,false);
+	return GetMappingDesc(address,0xFFE,0xC,false);
 }
 
-u32 GetStaticMappingDesc(u32 Address, bool IsReadOnly)
+u32 GetStaticMappingDesc(u32 address, bool IsReadOnly)
 {
-	return GetMappingDesc(Address,0x7FC,0xB,IsReadOnly);
+	return GetMappingDesc(address,0x7FC,0xB,IsReadOnly);
 }
 
-u32 GetMappingDesc(u32 Address, u32 PrefixVal, s32 numPrefixBits, bool IsRO)
+u32 GetMappingDesc(u32 address, u32 prefixVal, s32 numPrefixBits, bool IsRO)
 {
-	u32 PrefixMask = GetDescPrefixMask(numPrefixBits);
-	u32 PrefixBits = GetDescPrefixBits(numPrefixBits,PrefixVal);
-	u32 Desc = (Address >> 12 & ~PrefixMask) | PrefixBits;
+	u32 prefixMask = GetDescPrefixMask(numPrefixBits);
+	u32 prefixBits = GetDescPrefixBits(numPrefixBits,prefixVal);
+	u32 desc = (address >> 12 & ~prefixMask) | prefixBits;
 	if (IsRO)
-		Desc |= 0x100000;
-	return Desc;
+		desc |= 0x100000;
+	return desc;
 }
 
 int SetARM11KernelDescOtherCapabilities(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
-	u32 OtherCapabilities = 0;
+	u32 otherCapabilities = 0;
+	u32 memType = 0; 
 	
 	if(!rsf->AccessControlInfo.DisableDebug)
-		OtherCapabilities |= othcap_PERMIT_DEBUG;
+		otherCapabilities |= othcap_PERMIT_DEBUG;
 	if(rsf->AccessControlInfo.EnableForceDebug)
-		OtherCapabilities |= othcap_FORCE_DEBUG;
+		otherCapabilities |= othcap_FORCE_DEBUG;
 	if(rsf->AccessControlInfo.CanUseNonAlphabetAndNumber)
-		OtherCapabilities |= othcap_CAN_USE_NON_ALPHABET_AND_NUMBER;
+		otherCapabilities |= othcap_CAN_USE_NON_ALPHABET_AND_NUMBER;
 	if(rsf->AccessControlInfo.CanWriteSharedPage)
-		OtherCapabilities |= othcap_CAN_WRITE_SHARED_PAGE;
+		otherCapabilities |= othcap_CAN_WRITE_SHARED_PAGE;
 	if(rsf->AccessControlInfo.CanUsePrivilegedPriority)
-		OtherCapabilities |= othcap_CAN_USE_PRIVILEGE_PRIORITY;
+		otherCapabilities |= othcap_CAN_USE_PRIVILEGE_PRIORITY;
 	if(rsf->AccessControlInfo.PermitMainFunctionArgument)
-		OtherCapabilities |= othcap_PERMIT_MAIN_FUNCTION_ARGUMENT;
+		otherCapabilities |= othcap_PERMIT_MAIN_FUNCTION_ARGUMENT;
 	if(rsf->AccessControlInfo.CanShareDeviceMemory)
-		OtherCapabilities |= othcap_CAN_SHARE_DEVICE_MEMORY;
+		otherCapabilities |= othcap_CAN_SHARE_DEVICE_MEMORY;
 	if(rsf->AccessControlInfo.RunnableOnSleep)
-		OtherCapabilities |= othcap_RUNNABLE_ON_SLEEP;
+		otherCapabilities |= othcap_RUNNABLE_ON_SLEEP;
 	if(rsf->AccessControlInfo.SpecialMemoryArrange)
-		OtherCapabilities |= othcap_SPECIAL_MEMORY_ARRANGE;
+		otherCapabilities |= othcap_SPECIAL_MEMORY_ARRANGE;
 
 	if(rsf->AccessControlInfo.MemoryType){
-		u32 MemType = 0; 
 		if(strcasecmp(rsf->AccessControlInfo.MemoryType,"application") == 0)
-			MemType = memtype_APPLICATION;
+			memType = memtype_APPLICATION;
 		else if(strcasecmp(rsf->AccessControlInfo.MemoryType,"system") == 0)
-			MemType = memtype_SYSTEM;
+			memType = memtype_SYSTEM;
 		else if(strcasecmp(rsf->AccessControlInfo.MemoryType,"base") == 0)
-			MemType = memtype_BASE;
+			memType = memtype_BASE;
 		else{
 			fprintf(stderr,"[EXHEADER ERROR] Invalid memory type: \"%s\"\n",rsf->AccessControlInfo.MemoryType);
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		}
-		OtherCapabilities = (OtherCapabilities & 0xffffff0f) | MemType << 8;
+		otherCapabilities = (otherCapabilities & 0xffffff0f) | memType << 8;
 	}
 
-	if(OtherCapabilities){
+	if(otherCapabilities){
 		AllocateARM11KernelDescMemory(desc,1);
 		SetARM11KernelDescBitmask(desc,desc_OtherCapabilities);
-		SetARM11KernelDescValue(desc,0,OtherCapabilities);
+		SetARM11KernelDescValue(desc,0,otherCapabilities);
 	}
 	return 0;
 }
@@ -1024,18 +1004,18 @@ int SetARM11KernelDescOtherCapabilities(ARM11KernelCapabilityDescriptor *desc, r
 int SetARM11KernelDescHandleTableSize(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	if(rsf->AccessControlInfo.HandleTableSize){
-		u16 HandleTableSize = strtoul(rsf->AccessControlInfo.HandleTableSize,NULL,0);
-		if(HandleTableSize > 1023){
+		u16 handleTableSize = strtoul(rsf->AccessControlInfo.HandleTableSize,NULL,0);
+		if(handleTableSize > 1023){
 			fprintf(stderr,"[EXHEADER ERROR] Too large handle table size\n");
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		}
 		AllocateARM11KernelDescMemory(desc,1);
 		SetARM11KernelDescBitmask(desc,desc_HandleTableSize);
-		SetARM11KernelDescValue(desc,0,HandleTableSize);
+		SetARM11KernelDescValue(desc,0,handleTableSize);
 	}
 	else{
 		ErrorParamNotFound("AccessControlInfo/HandleTableSize");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}	
 	return 0;
 }
@@ -1055,24 +1035,24 @@ int SetARM11KernelDescReleaseKernelVersion(ARM11KernelCapabilityDescriptor *desc
 	return 0;
 }
 
-void SetARM11KernelDescValue(ARM11KernelCapabilityDescriptor *desc, u16 Index, u32 Value)
+void SetARM11KernelDescValue(ARM11KernelCapabilityDescriptor *desc, u16 index, u32 value)
 {
-	if(Index >= desc->num) return;
-	desc->Data[Index] |= Value; 
+	if(index >= desc->num) return;
+	desc->data[index] |= value; 
 }
 
-void SetARM11KernelDescBitmask(ARM11KernelCapabilityDescriptor *desc, u32 Bitmask)
+void SetARM11KernelDescBitmask(ARM11KernelCapabilityDescriptor *desc, u32 bitmask)
 {
 	for(int i = 0; i < desc->num; i++)
-		SetARM11KernelDescValue(desc,i,Bitmask);
+		SetARM11KernelDescValue(desc,i,bitmask);
 }
 
-void AllocateARM11KernelDescMemory(ARM11KernelCapabilityDescriptor *desc, u16 Num)
+void AllocateARM11KernelDescMemory(ARM11KernelCapabilityDescriptor *desc, u16 num)
 {
-	if(Num == 0) return;
-	desc->num = Num;
-	desc->Data = malloc(sizeof(u32)*Num);
-	memset(desc->Data,0,sizeof(u32)*Num);
+	if(num == 0) return;
+	desc->num = num;
+	desc->data = malloc(sizeof(u32)*num);
+	clrmem(desc->data,sizeof(u32)*num);
 	return;
 }
 
@@ -1081,63 +1061,58 @@ u32 GetDescPrefixMask(int numPrefixBits)
 	return (u32)(~((1 << (32 - (numPrefixBits & 31))) - 1));
 }
 
-u32 GetDescPrefixBits(int numPrefixBits, u32 PrefixVal)
+u32 GetDescPrefixBits(int numPrefixBits, u32 prefixVal)
 {
-	return PrefixVal << (32 - (numPrefixBits & 31));
+	return prefixVal << (32 - (numPrefixBits & 31));
 }
 
 int get_ExHeaderARM9AccessControlInfo(exhdr_ARM9AccessControlInfo *arm9, rsf_settings *rsf)
 {
-	u32 Arm9AccessControl = 0;
+	u32 arm9AccessControl = 0;
 	for(int i = 0; i < rsf->AccessControlInfo.IoAccessControlNum; i++){
 		if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"FsMountNand") == 0)
-			Arm9AccessControl |= arm9cap_FS_MOUNT_NAND;
+			arm9AccessControl |= arm9cap_FS_MOUNT_NAND;
 		else if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"FsMountNandRoWrite") == 0)
-			Arm9AccessControl |= arm9cap_FS_MOUNT_NAND_RO_WRITE;
+			arm9AccessControl |= arm9cap_FS_MOUNT_NAND_RO_WRITE;
 		else if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"FsMountTwln") == 0)
-			Arm9AccessControl |= arm9cap_FS_MOUNT_TWLN;
+			arm9AccessControl |= arm9cap_FS_MOUNT_TWLN;
 		else if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"FsMountWnand") == 0)
-			Arm9AccessControl |= arm9cap_FS_MOUNT_WNAND;
+			arm9AccessControl |= arm9cap_FS_MOUNT_WNAND;
 		else if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"FsMountCardSpi") == 0)
-			Arm9AccessControl |= arm9cap_FS_MOUNT_CARD_SPI;
+			arm9AccessControl |= arm9cap_FS_MOUNT_CARD_SPI;
 		else if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"UseSdif3") == 0)
-			Arm9AccessControl |= arm9cap_USE_SDIF3;
+			arm9AccessControl |= arm9cap_USE_SDIF3;
 		else if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"CreateSeed") == 0)
-			Arm9AccessControl |= arm9cap_CREATE_SEED;
+			arm9AccessControl |= arm9cap_CREATE_SEED;
 		else if(strcmp(rsf->AccessControlInfo.IoAccessControl[i],"UseCardSpi") == 0)
-			Arm9AccessControl |= arm9cap_USE_CARD_SPI;
+			arm9AccessControl |= arm9cap_USE_CARD_SPI;
 		else{
 			fprintf(stderr,"[EXHEADER ERROR] Invalid IoAccessControl Name: \"%s\"\n",rsf->AccessControlInfo.IoAccessControl[i]);
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		}
 	}
 	
 	for(int i = 0; i < rsf->AccessControlInfo.FileSystemAccessNum; i++){
 		if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"DirectSdmc") == 0)
-			Arm9AccessControl |= arm9cap_USE_DIRECT_SDMC;
+			arm9AccessControl |= arm9cap_USE_DIRECT_SDMC;
 	}
 
 	if(rsf->Option.UseOnSD)
-		Arm9AccessControl |= arm9cap_SD_APPLICATION;
+		arm9AccessControl |= arm9cap_SD_APPLICATION;
 
-	u32_to_u8(arm9->descriptors,Arm9AccessControl,LE);
+	u32_to_u8(arm9->descriptors,arm9AccessControl,LE);
 
-	if(rsf->AccessControlInfo.DescVersion){
+	if(rsf->AccessControlInfo.DescVersion)
 		arm9->descriptors[15] = strtol(rsf->AccessControlInfo.DescVersion,NULL,0);
-	}
 	else{
 		//ErrorParamNotFound("AccessControlInfo/DescVersion");
-		//return EXHDR_BAD_YAML_OPT;
+		//return EXHDR_BAD_RSF_OPT;
 		arm9->descriptors[15] = 2; // Makerom generates a desc version 2 anyway, so if not specified, it will be set to 2
 	}
 
 	return 0;
 }
 
-
-
-
-
 /* Generic Exheader Errors */
 void ErrorParamNotFound(char *string)
 {
@@ -1222,14 +1197,14 @@ int GetSaveDataSizeFromString(u64 *out, char *string, char *moduleName)
 			fprintf(stderr,"[%s ERROR] Invalid save data size format.\n",moduleName);
 		else
 			fprintf(stderr,"[ERROR] Invalid save data size format.\n");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 	if((SaveDataSize & 65536) != 0){
 		if(moduleName)
 			fprintf(stderr,"[%s ERROR] Save data size must be aligned to 64K.\n",moduleName);
 		else
 			fprintf(stderr,"[ERROR] Save data size must be aligned to 64K.\n");
-		return EXHDR_BAD_YAML_OPT;
+		return EXHDR_BAD_RSF_OPT;
 	}
 	*out = SaveDataSize;
 	return 0;
@@ -1260,11 +1235,11 @@ int GetSaveDataSize_rsf(u64 *SaveDataSize, user_settings *usrset)
 		}
 		else{
 			fprintf(stderr,"[EXHEADER ERROR] Invalid save data size format.\n");
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		}
 		if((*SaveDataSize & 65536) != 0){
 			fprintf(stderr,"[EXHEADER ERROR] Save data size must be aligned to 64K.\n");
-			return EXHDR_BAD_YAML_OPT;
+			return EXHDR_BAD_RSF_OPT;
 		}
 	}
 	else{
diff --git a/makerom/exheader.h b/makerom/exheader.h
index ee1e2d45..d33639c6 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -117,7 +117,7 @@ typedef struct
 typedef struct
 {
 	u8 extSavedataId[8];
-	u8 systemSavedataId[8];
+	u8 systemSavedataId[2][4];
 	u8 storageAccessableUniqueIds[8];
 	u8 accessInfo[7];
 	u8 otherAttributes;
@@ -140,7 +140,7 @@ typedef struct
 typedef struct
 {
 	u16 num;
-	u32 *Data;
+	u32 *data;
 } ARM11KernelCapabilityDescriptor;
 
 typedef enum
diff --git a/makerom/exheader_build.h b/makerom/exheader_build.h
index f7fd894c..4645c075 100644
--- a/makerom/exheader_build.h
+++ b/makerom/exheader_build.h
@@ -4,7 +4,7 @@
 typedef enum
 {
 	COMMON_HEADER_KEY_NOT_FOUND = -10,
-	EXHDR_BAD_YAML_OPT = -11,
+	EXHDR_BAD_RSF_OPT = -11,
 	CANNOT_SIGN_ACCESSDESC = -12
 } exheader_errors;
 
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index c0cdbb22..fdfa291e 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -64,13 +64,11 @@ void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf)
 		// Handle childs
 		if(cmpYamlValue("AllowUnalignedSection",ctx)) SetBoolYAMLValue(&rsf->Option.AllowUnalignedSection,"AllowUnalignedSection",ctx);
 		else if(cmpYamlValue("MediaFootPadding",ctx)) SetBoolYAMLValue(&rsf->Option.MediaFootPadding,"MediaFootPadding",ctx);
-		//else if(cmpYamlValue("NoPadding",ctx)) SetBoolYAMLValue(&rsf->Option.NoPadding,"NoPadding",ctx);
 		else if(cmpYamlValue("EnableCrypt",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCrypt,"EnableCrypt",ctx);
 		else if(cmpYamlValue("EnableCompress",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCompress,"EnableCompress",ctx);
 		else if(cmpYamlValue("FreeProductCode",ctx)) SetBoolYAMLValue(&rsf->Option.FreeProductCode,"FreeProductCode",ctx);
 		else if(cmpYamlValue("UseOnSD",ctx)) SetBoolYAMLValue(&rsf->Option.UseOnSD,"UseOnSD",ctx);
 		else if(cmpYamlValue("PageSize",ctx)) SetSimpleYAMLValue(&rsf->Option.PageSize,"PageSize",ctx,0);
-		//else if(cmpYamlValue("AppendSystemCall",ctx)) rsf->Option.AppendSystemCallNum = SetYAMLSequence(&rsf->Option.AppendSystemCall,"AppendSystemCall",ctx);
 		else{
 			fprintf(stderr,"[RSF ERROR] Unrecognised key '%s'\n",GetYamlString(ctx));
 			ctx->error = YAML_UNKNOWN_KEY;
@@ -102,13 +100,10 @@ void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("PermitMainFunctionArgument",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.PermitMainFunctionArgument,"PermitMainFunctionArgument",ctx);
 		else if(cmpYamlValue("CanShareDeviceMemory",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.CanShareDeviceMemory,"CanShareDeviceMemory",ctx);
 		else if(cmpYamlValue("UseOtherVariationSaveData",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseOtherVariationSaveData,"UseOtherVariationSaveData",ctx);
-		else if(cmpYamlValue("UseExtSaveData",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseExtSaveData,"UseExtSaveData",ctx);
-		else if(cmpYamlValue("UseExtendedSaveDataAccessControl",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseExtendedSaveDataAccessControl,"UseExtendedSaveDataAccessControl",ctx);
 		else if(cmpYamlValue("RunnableOnSleep",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.RunnableOnSleep,"RunnableOnSleep",ctx);
 		else if(cmpYamlValue("SpecialMemoryArrange",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.SpecialMemoryArrange,"SpecialMemoryArrange",ctx);
 		
 		
-		//else if(cmpYamlValue("ProgramId",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.ProgramId,"ProgramId",ctx,0); 
 		else if(cmpYamlValue("IdealProcessor",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.IdealProcessor,"IdealProcessor",ctx,0); 
 		else if(cmpYamlValue("Priority",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.Priority,"Priority",ctx,0); 
 		else if(cmpYamlValue("MemoryType",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.MemoryType,"MemoryType",ctx,0); 
@@ -123,7 +118,6 @@ void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("ExtSaveDataId",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.ExtSaveDataId,"ExtSaveDataId",ctx,0); 
 		else if(cmpYamlValue("AffinityMask",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.AffinityMask,"AffinityMask",ctx,0); 
 		else if(cmpYamlValue("DescVersion",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.DescVersion,"DescVersion",ctx,0); 
-		//else if(cmpYamlValue("CryptoKey",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.CryptoKey,"CryptoKey",ctx,0); 
 		else if(cmpYamlValue("ResourceLimitCategory",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.ResourceLimitCategory,"ResourceLimitCategory",ctx,0); 		
 		else if(cmpYamlValue("ReleaseKernelMajor",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.ReleaseKernelMajor,"ReleaseKernelMajor",ctx,0);
 		else if(cmpYamlValue("ReleaseKernelMinor",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.ReleaseKernelMinor,"ReleaseKernelMinor",ctx,0); 
@@ -137,7 +131,6 @@ void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("InterruptNumbers",ctx)) rsf->AccessControlInfo.InterruptNumbersNum = SetYAMLSequence(&rsf->AccessControlInfo.InterruptNumbers,"InterruptNumbers",ctx);
 		else if(cmpYamlValue("SystemCallAccess",ctx)) rsf->AccessControlInfo.SystemCallAccessNum = SetYAMLSequenceFromMapping(&rsf->AccessControlInfo.SystemCallAccess,"SystemCallAccess",ctx,false);
 		else if(cmpYamlValue("ServiceAccessControl",ctx)) rsf->AccessControlInfo.ServiceAccessControlNum = SetYAMLSequence(&rsf->AccessControlInfo.ServiceAccessControl,"ServiceAccessControl",ctx);
-		//else if(cmpYamlValue("StorageId",ctx)) rsf->AccessControlInfo.StorageIdNum = SetYAMLSequence(&rsf->AccessControlInfo.StorageId,"StorageId",ctx);
 		else if(cmpYamlValue("AccessibleSaveDataIds",ctx)) rsf->AccessControlInfo.AccessibleSaveDataIdsNum = SetYAMLSequence(&rsf->AccessControlInfo.AccessibleSaveDataIds,"AccessibleSaveDataIds",ctx);
 
 		else{
@@ -198,8 +191,6 @@ void GET_BasicInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("ProductCode",ctx)) SetSimpleYAMLValue(&rsf->BasicInfo.ProductCode,"ProductCode",ctx,0);
 		else if(cmpYamlValue("ContentType",ctx)) SetSimpleYAMLValue(&rsf->BasicInfo.ContentType,"ContentType",ctx,0);
 		else if(cmpYamlValue("Logo",ctx)) SetSimpleYAMLValue(&rsf->BasicInfo.Logo,"Logo",ctx,0);
-		//else if(cmpYamlValue("BackupMemoryType",ctx)) SetSimpleYAMLValue(&rsf->BasicInfo.BackupMemoryType,"BackupMemoryType",ctx,0);
-		//else if(cmpYamlValue("InitialCode",ctx)) SetSimpleYAMLValue(&rsf->BasicInfo.InitialCode,"InitialCode",ctx,0);
 		else{
 			fprintf(stderr,"[RSF ERROR] Unrecognised key '%s'\n",GetYamlString(ctx));
 			ctx->error = YAML_UNKNOWN_KEY;
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 92838a03..561429a5 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -84,8 +84,6 @@ typedef struct
 		bool PermitMainFunctionArgument;
 		bool CanShareDeviceMemory;
 		bool UseOtherVariationSaveData;
-		bool UseExtSaveData;
-		bool UseExtendedSaveDataAccessControl;
 		bool RunnableOnSleep;
 		bool SpecialMemoryArrange;
 		

From 0545c49530734bf0d313eb56b6ccf92c3c9e448d Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 21 Sep 2014 02:34:39 +1000
Subject: [PATCH 071/317] makerom: bug fix

---
 makerom/exheader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index d18c1ac3..7db6f31a 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -990,7 +990,7 @@ int SetARM11KernelDescOtherCapabilities(ARM11KernelCapabilityDescriptor *desc, r
 			fprintf(stderr,"[EXHEADER ERROR] Invalid memory type: \"%s\"\n",rsf->AccessControlInfo.MemoryType);
 			return EXHDR_BAD_RSF_OPT;
 		}
-		otherCapabilities = (otherCapabilities & 0xffffff0f) | memType << 8;
+		otherCapabilities = (otherCapabilities & 0xfffff0ff) | (memType & 7) << 8;
 	}
 
 	if(otherCapabilities){

From 0fa5af0af065ee4f5b406f28317c9403bd2c95b6 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 21 Sep 2014 02:39:12 +1000
Subject: [PATCH 072/317] makerom: misc

---
 makerom/ncsd.c | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 968f1552..23d7dfe1 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -181,12 +181,6 @@ int ProcessCiaForCci(cci_settings *set)
 	
 	u16 contentCount = GetTmdContentCount(tmd);
 	set->romInfo.saveSize = GetTmdSaveSize(tmd);
-	if(set->romInfo.saveSize > 0 && set->romInfo.saveSize < (u64)(128*KB))
-		set->romInfo.saveSize = (u64)(128*KB);
-	else if(set->romInfo.saveSize > (u64)(128*KB) && set->romInfo.saveSize < (u64)(512*KB))
-		set->romInfo.saveSize = (u64)(512*KB);
-	else if(set->romInfo.saveSize > (u64)(512*KB))
-		set->romInfo.saveSize = align(set->romInfo.saveSize,MB);
 	
 	if(!CanCiaBeCci(GetTmdTitleId(tmd),contentCount,contentInfo)){
 		fprintf(stderr,"[CCI ERROR] This CIA cannot be converted to CCI\n");
@@ -234,14 +228,11 @@ void GetTitleSaveSize(cci_settings *set)
 		GetSaveDataSizeFromString(&set->romInfo.saveSize,set->rsf->SystemControlInfo.SaveDataSize,"CCI");
 		
 	// Adjusting save size
-		
-	if(set->romInfo.saveSize == 0)
-		set->romInfo.saveSize == 0;
-	else if(set->romInfo.saveSize <= (u64)128*KB)
-		set->romInfo.saveSize = (u64)128*KB;
-	else if(set->romInfo.saveSize <= (u64)512*KB)
-		set->romInfo.saveSize = (u64)512*KB;
-	else
+	if(set->romInfo.saveSize > 0 && set->romInfo.saveSize < (u64)(128*KB))
+		set->romInfo.saveSize = (u64)(128*KB);
+	else if(set->romInfo.saveSize > (u64)(128*KB) && set->romInfo.saveSize < (u64)(512*KB))
+		set->romInfo.saveSize = (u64)(512*KB);
+	else if(set->romInfo.saveSize > (u64)(512*KB))
 		set->romInfo.saveSize = align(set->romInfo.saveSize,MB);
 }
 

From 0e950c42740d654fbc1b5d508dcc6ab5fd56712d Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Sun, 21 Sep 2014 02:40:05 +1000
Subject: [PATCH 073/317] makerom: misc

---
 makerom/exheader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index 7db6f31a..87d78f77 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -990,7 +990,7 @@ int SetARM11KernelDescOtherCapabilities(ARM11KernelCapabilityDescriptor *desc, r
 			fprintf(stderr,"[EXHEADER ERROR] Invalid memory type: \"%s\"\n",rsf->AccessControlInfo.MemoryType);
 			return EXHDR_BAD_RSF_OPT;
 		}
-		otherCapabilities = (otherCapabilities & 0xfffff0ff) | (memType & 7) << 8;
+		otherCapabilities = (otherCapabilities & 0xfffff0ff) | (memType & 0xf) << 8;
 	}
 
 	if(otherCapabilities){

From b240ea80459ee57c8678e68ece948ff32b0dd0b5 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Mon, 22 Sep 2014 20:54:26 +1000
Subject: [PATCH 074/317] makerom: misc

---
 makerom/cardinfo.c  |  8 ++++++--
 makerom/crypto.c    | 12 ++++--------
 makerom/crypto.h    |  6 ++++++
 makerom/romfs_gen.c | 23 ++++++++++++-----------
 4 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/makerom/cardinfo.c b/makerom/cardinfo.c
index f2ac692f..e9b80a41 100644
--- a/makerom/cardinfo.c
+++ b/makerom/cardinfo.c
@@ -139,8 +139,12 @@ int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set)
 	}
 	
 	str = set->rsf->CardInfo.CryptoType;
-	if(!str) 
-		bitmask |= 0;//(3*0x40);
+	if(!str) {
+		if(set->options.useExternalSdkCardInfo)
+			bitmask |= (3*0x40);
+		else
+			bitmask |= 0;
+	}
 	else{
 		int val = strtol(str,NULL,10);
 		if(val < 0 || val > 3) {
diff --git a/makerom/crypto.c b/makerom/crypto.c
index 9fd99ee7..e83b9f71 100644
--- a/makerom/crypto.c
+++ b/makerom/crypto.c
@@ -153,17 +153,13 @@ u32 GetSigHashLen(u32 sig_type)
 {
 	switch(sig_type){
 		case RSA_4096_SHA1:
-			return 0x14;
-		case RSA_4096_SHA256:
-			return 0x20;
 		case RSA_2048_SHA1:
-			return 0x14;
-		case RSA_2048_SHA256:
-			return 0x20;
 		case ECC_SHA1:
-			return 0x14;
+			return SHA_1_LEN;
+		case RSA_4096_SHA256:
+		case RSA_2048_SHA256:
 		case ECC_SHA256:
-			return 0x20;
+			return SHA_256_LEN;
 	}
 	return 0;
 }
diff --git a/makerom/crypto.h b/makerom/crypto.h
index 617fdc84..95b1ea5f 100644
--- a/makerom/crypto.h
+++ b/makerom/crypto.h
@@ -36,6 +36,12 @@ typedef enum
 	CTR_SHA_256,
 } ctr_sha_modes;
 
+typedef enum
+{
+	SHA_1_LEN = 0x14,
+	SHA_256_LEN = 0x20,
+} sha_hash_len;
+
 typedef enum
 {
 	RSA_4096_PUBK = 0,
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 04f81b67..3ad516c0 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -202,9 +202,9 @@ int CalcRomfsSize(romfs_buildctx *ctx)
 	
 	//printf("predict level sizes\n");
 	ctx->level[3].size = romfsHdrSize + ctx->m_dataLen; // data
-	ctx->level[2].size = align(ctx->level[3].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * 0x20 ;
-	ctx->level[1].size = align(ctx->level[2].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * 0x20 ;
-	ctx->level[0].size = align(ctx->level[1].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * 0x20 + align(sizeof(ivfc_hdr),0x10); // hdr
+	ctx->level[2].size = align(ctx->level[3].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * SHA_256_LEN ;
+	ctx->level[1].size = align(ctx->level[2].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * SHA_256_LEN ;
+	ctx->level[0].size = align(ctx->level[1].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * SHA_256_LEN + align(sizeof(ivfc_hdr),0x10); // hdr
 	
 	ctx->romfsHeaderSize = ctx->level[0].size;
 
@@ -320,13 +320,13 @@ void AddDirHashKey(romfs_buildctx *ctx, u32 parent, fs_romfs_char* path, u32 dir
 {
 	u32 hash = CalcPathHash(parent,path,0,fs_u16StrLen(path));
 	u32 index = hash % ctx->m_dirUTableEntry;
-	if(ctx->dirUTable[index] == 0xffffffff) ctx->dirUTable[index] = dirOffset;
+	if(ctx->dirUTable[index] == ROMFS_UNUSED_ENTRY) ctx->dirUTable[index] = dirOffset;
 	else
 	{
 		romfs_direntry * curdir = (romfs_direntry*)(ctx->dirTable + ctx->dirUTable[index]);
 		while(1)
 		{
-			if(*(u32*)curdir->weirdoffset == 0xffffffff)
+			if(*(u32*)curdir->weirdoffset == ROMFS_UNUSED_ENTRY)
 			{
 				*(u32*)curdir->weirdoffset = dirOffset;
 				break;
@@ -343,13 +343,13 @@ void AddFileHashKey(romfs_buildctx *ctx,u32 parent, fs_romfs_char *path, u32 fil
 {
 	u32 hash = CalcPathHash(parent,path,0,fs_u16StrLen(path));
 	u32 index = hash % ctx->m_fileUTableEntry;
-	if(ctx->fileUTable[index] == 0xffffffff) ctx->fileUTable[index] = fileOffset;
+	if(ctx->fileUTable[index] == ROMFS_UNUSED_ENTRY) ctx->fileUTable[index] = fileOffset;
 	else
 	{
 		romfs_fileentry * curfile = (romfs_fileentry*)(ctx->fileTable + ctx->fileUTable[index]);
 		while(1)
 		{
-			if(*(u32*)curfile->weirdoffset == 0xffffffff)
+			if(*(u32*)curfile->weirdoffset == ROMFS_UNUSED_ENTRY)
 			{
 				*(u32*)curfile->weirdoffset = fileOffset;
 				break;
@@ -368,7 +368,7 @@ int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	
 	u32_to_u8(entry->parentdiroffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);	
-	u32_to_u8(entry->weirdoffset,0xffffffff,LE);
+	u32_to_u8(entry->weirdoffset,ROMFS_UNUSED_ENTRY,LE);
 	
 	// Import Name
 	u32_to_u8(entry->namesize,file->name_len,LE);
@@ -388,6 +388,7 @@ int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	}
 	else
 		u64_to_u8(entry->dataoffset,0x40,LE);
+		
 	AddFileHashKey(ctx,parent,file->name,ctx->u_fileTableLen);
 	ctx->u_fileTableLen += sizeof(romfs_fileentry) + align(file->name_len,4);
 		
@@ -401,7 +402,7 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 	
 	u32_to_u8(entry->parentoffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);	
-	u32_to_u8(entry->weirdoffset,0xffffffff,LE);
+	u32_to_u8(entry->weirdoffset,ROMFS_UNUSED_ENTRY,LE);
 
 	u32 Currentdir = ctx->u_dirTableLen;
 	
@@ -485,7 +486,7 @@ void BuildIvfcHeader(romfs_buildctx *ctx)
 	memcpy(ctx->ivfcHdr->magic,"IVFC",4);
 	u32_to_u8(ctx->ivfcHdr->id,0x10000,LE);
 	
-	u32 masterHashSize = ( align(ctx->level[1].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE ) * 0x20 ;
+	u32 masterHashSize = ( align(ctx->level[1].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE ) * SHA_256_LEN ;
 	u32_to_u8(ctx->ivfcHdr->masterHashSize,masterHashSize,LE);
 	
 	for(int i = 1; i < 4; i++){
@@ -505,7 +506,7 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 		u32 numHashes = align(ctx->level[i+1].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE;
 		for(u32 j = 0; j < numHashes; j++){
 			u8 *datapos = (u8*)(ctx->level[i+1].pos + ROMFS_BLOCK_SIZE * j);
-			u8 *hashpos = (u8*)(ctx->level[i].pos + 0x20 * j);
+			u8 *hashpos = (u8*)(ctx->level[i].pos + SHA_256_LEN * j);
 			ShaCalc(datapos, ROMFS_BLOCK_SIZE, hashpos, CTR_SHA_256);
 		}
 	}

From c7f8b1833e7d352d628bcf0971eaec4d8cd31bc5 Mon Sep 17 00:00:00 2001
From: applestash <applestash@mail.com>
Date: Mon, 22 Sep 2014 21:42:33 +1000
Subject: [PATCH 075/317] ctrtool: tmd savesize detection & smarter exheader
 pre check

---
 ctrtool/exheader.c | 18 ++++++++++++++++++
 ctrtool/exheader.h |  3 +++
 ctrtool/ncch.c     |  3 ++-
 ctrtool/tmd.c      | 10 +++++++++-
 ctrtool/tmd.h      |  8 ++++++--
 5 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index afb19279..6f064d97 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -42,6 +42,11 @@ void exheader_set_programid(exheader_context* ctx, u8 programid[8])
 	memcpy(ctx->programid, programid, 8);
 }
 
+void exheader_set_hash(exheader_context* ctx, u8 hash[32])
+{
+	memcpy(ctx->hash, hash, 32);
+}
+
 void exheader_set_counter(exheader_context* ctx, u8 counter[16])
 {
 	memcpy(ctx->counter, counter, 16);
@@ -94,6 +99,19 @@ void exheader_read(exheader_context* ctx, u32 actions)
 	}
 }
 
+int exheader_hash_valid(exheader_context* ctx)
+{
+	u8 hash[32];
+	ctr_sha_256((u8*)&ctx->header, 0x400, hash);
+
+	if(memcmp(ctx->hash,hash,0x20)){
+		fprintf(stderr, "Error, exheader hash mismatch. Wrong key?\n");
+		return 0;
+	}
+	
+	return 1;
+}
+
 int exheader_programid_valid(exheader_context* ctx)
 {
 	if (!settings_get_ignore_programid(ctx->usersettings))
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index 6cebdeba..436a8d72 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -109,6 +109,7 @@ typedef struct
 	settings* usersettings;
 	u8 partitionid[8];
 	u8 programid[8];
+	u8 hash[32];
 	u8 counter[16];
 	u8 key[16];
 	u32 offset;
@@ -134,6 +135,7 @@ void exheader_set_size(exheader_context* ctx, u32 size);
 void exheader_set_partitionid(exheader_context* ctx, u8 partitionid[8]);
 void exheader_set_counter(exheader_context* ctx, u8 counter[16]);
 void exheader_set_programid(exheader_context* ctx, u8 programid[8]);
+void exheader_set_hash(exheader_context* ctx, u8 hash[32]);
 void exheader_set_encrypted(exheader_context* ctx, u32 encrypted);
 void exheader_set_key(exheader_context* ctx, u8 key[16]);
 void exheader_set_usersettings(exheader_context* ctx, settings* usersettings);
@@ -143,6 +145,7 @@ int exheader_process(exheader_context* ctx, u32 actions);
 const char* exheader_getvalidstring(int valid);
 void exheader_print(exheader_context* ctx);
 void exheader_verify(exheader_context* ctx);
+int exheader_hash_valid(exheader_context* ctx);
 int exheader_programid_valid(exheader_context* ctx);
 void exheader_determine_key(exheader_context* ctx, u32 actions);
 
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index de2328d3..f8e8dc2d 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -328,6 +328,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	exheader_set_usersettings(&ctx->exheader, ctx->usersettings);
 	exheader_set_partitionid(&ctx->exheader, ctx->header.partitionid);
 	exheader_set_programid(&ctx->exheader, ctx->header.programid);
+	exheader_set_hash(&ctx->exheader, ctx->header.extendedheaderhash);
 	exheader_set_counter(&ctx->exheader, exheadercounter);
 	exheader_set_key(&ctx->exheader, ctx->key);
 	exheader_set_encrypted(&ctx->exheader, ctx->encrypted);
@@ -361,7 +362,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 
 	if (result && ncch_get_exheader_size(ctx))
 	{
-		if (!exheader_programid_valid(&ctx->exheader))
+		if (!exheader_hash_valid(&ctx->exheader))
 			return;
 
 		result = exheader_process(&ctx->exheader, actions);
diff --git a/ctrtool/tmd.c b/ctrtool/tmd.c
index e6a2b15e..8ba2dd24 100644
--- a/ctrtool/tmd.c
+++ b/ctrtool/tmd.c
@@ -86,6 +86,7 @@ void tmd_print(tmd_context* ctx)
 	ctr_tmd_header_2048* header2048 = 0;
 	ctr_tmd_body* body = 0;
 	unsigned int contentcount = 0;
+	unsigned int savesize = 0;
 	unsigned int i;
 
 	if (type == TMD_RSA_2048_SHA256 || type == TMD_RSA_2048_SHA1)
@@ -104,7 +105,8 @@ void tmd_print(tmd_context* ctx)
 	body = tmd_get_body(ctx);
 
 	contentcount = getbe16(body->contentcount);
-
+	savesize = getle32(body->savedatasize);
+	
 	fprintf(stdout, "\nTMD header:\n");
 	fprintf(stdout, "Signature type:         %s\n", tmd_get_type_string(type));
 	fprintf(stdout, "Issuer:                 %s\n", body->issuer);
@@ -115,6 +117,12 @@ void tmd_print(tmd_context* ctx)
 	memdump(stdout, "Title id:               ", body->titleid, 8);
 	fprintf(stdout, "Title type:             %08x\n", getbe32(body->titletype));
 	fprintf(stdout, "Group id:               %04x\n", getbe16(body->groupid));
+	if(savesize < sizeKB)
+		fprintf(stdout, "Save Size:              %08x\n", savesize);
+	else if(savesize < sizeMB)
+		fprintf(stdout, "Save Size:              %dKB (%08x)\n", savesize/sizeKB, savesize);
+	else
+		fprintf(stdout, "Save Size:              %dMB (%08x)\n", savesize/sizeMB, savesize);
 	fprintf(stdout, "Access rights:          %08x\n", getbe32(body->accessrights));
 	fprintf(stdout, "Title version:          %04x\n", getbe16(body->titleversion));
 	fprintf(stdout, "Content count:          %04x\n", getbe16(body->contentcount));
diff --git a/ctrtool/tmd.h b/ctrtool/tmd.h
index 5d9f475e..6272429d 100644
--- a/ctrtool/tmd.h
+++ b/ctrtool/tmd.h
@@ -27,12 +27,16 @@ typedef struct
 	unsigned char titleid[8];
 	unsigned char titletype[4];
 	unsigned char groupid[2];
-	unsigned char padding3[62];
+	unsigned char savedatasize[4];
+	unsigned char privsavedatasize[4];
+	unsigned char padding3[4];
+	unsigned char twlflag;
+	unsigned char padding4[0x31];
 	unsigned char accessrights[4];
 	unsigned char titleversion[2];
 	unsigned char contentcount[2];
 	unsigned char bootcontent[2];
-	unsigned char padding4[2];
+	unsigned char padding5[2];
 	unsigned char hash[32];
 	unsigned char contentinfo[36*64];
 } ctr_tmd_body;

From 2e48695ef6abd417e142d85cfc0dcaee3e9fe375 Mon Sep 17 00:00:00 2001
From: 3DSGuy <devguy@hotmail.com.au>
Date: Tue, 23 Sep 2014 13:15:07 +0800
Subject: [PATCH 076/317] reversed (un)intentional vandalism

I should have known better than to trust someone who hadn't REd the
format from scratch.
---
 makerom/accessdesc.c    | 40 ----------------------------------------
 makerom/keyset.c        | 25 -------------------------
 makerom/keyset.h        |  1 -
 makerom/user_settings.c |  9 +++++----
 4 files changed, 5 insertions(+), 70 deletions(-)

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index f3b10563..317f759e 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -307,11 +307,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw1D_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)app_fw1D_prod_acexsig;
-					*cxiPubk = (u8*)app_fw1D_prod_hdrpub;
-					*cxiPvtk = (u8*)app_fw1D_prod_hdrpub;
-				}
 				break;
 			case 0x1E:
 				if(keys->keyset == pki_PRODUCTION){
@@ -319,11 +314,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw1E_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)app_fw1E_prod_acexsig;
-					*cxiPubk = (u8*)app_fw1E_prod_hdrpub;
-					*cxiPvtk = (u8*)app_fw1E_prod_hdrpub;
-				}
 				break;
 			case 0x20:
 				if(keys->keyset == pki_DEVELOPMENT){
@@ -336,11 +326,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw20_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)app_fw20_prod_acexsig;
-					*cxiPubk = (u8*)app_fw20_prod_hdrpub;
-					*cxiPvtk = (u8*)app_fw20_prod_hdrpub;
-				}
 				break;
 			case 0x21:
 				if(keys->keyset == pki_DEVELOPMENT){
@@ -353,11 +338,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw21_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)app_fw21_prod_acexsig;
-					*cxiPubk = (u8*)app_fw21_prod_hdrpub;
-					*cxiPvtk = (u8*)app_fw21_prod_hdrpub;
-				}
 				break;
 			case 0x23:
 				if(keys->keyset == pki_DEVELOPMENT){
@@ -370,11 +350,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw23_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)app_fw23_prod_acexsig;
-					*cxiPubk = (u8*)app_fw23_prod_hdrpub;
-					*cxiPvtk = (u8*)app_fw23_prod_hdrpub;
-				}
 				break;
 			case 0x27:
 				if(keys->keyset == pki_PRODUCTION){
@@ -382,11 +357,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)app_fw27_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)app_fw27_prod_acexsig;
-					*cxiPubk = (u8*)app_fw27_prod_hdrpub;
-					*cxiPvtk = (u8*)app_fw27_prod_hdrpub;
-				}
 				break;
 			
 		}
@@ -399,11 +369,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)ecapp_fw20_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)ecapp_fw20_prod_acexsig;
-					*cxiPubk = (u8*)ecapp_fw20_prod_hdrpub;
-					*cxiPvtk = (u8*)ecapp_fw20_prod_hdrpub;
-				}
 				break;
 			case 0x23:
 				if(keys->keyset == pki_PRODUCTION){
@@ -411,11 +376,6 @@ void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk,
 					*cxiPubk = (u8*)ecapp_fw23_prod_hdrpub;
 					*cxiPvtk = NULL;
 				}
-				if(keys->keyset == pki_GATEWAY3DS){
-					*accessDescSig = (u8*)ecapp_fw23_prod_acexsig;
-					*cxiPubk = (u8*)ecapp_fw23_prod_hdrpub;
-					*cxiPvtk = (u8*)ecapp_fw23_prod_hdrpub;
-				}
 				break;
 		}
 	}
diff --git a/makerom/keyset.c b/makerom/keyset.c
index eaa31168..66ebeff6 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -170,31 +170,6 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetTikCert(keys,(u8*)xsC_ppki_cert);
 		SetTmdCert(keys,(u8*)cpB_ppki_cert);
 	}
-	else if(keys->keyset == pki_GATEWAY3DS){
-		keys->keysetLoaded = true;
-		/* AES Keys */
-		// CIA
-		if(keys->aes.currentCommonKey > 0xff)
-			SetCurrentCommonKey(keys,0);
-	
-		// NCCH
-		SetNormalKey(keys,(u8*)dev_fixed_ncch_key[0]);
-		SetSystemFixedKey(keys,(u8*)dev_fixed_ncch_key[0]);
-
-		/* RSA Keys */
-		// CIA
-		SetTIK_RsaKey(keys,(u8*)xsC_ppki_rsa_priv,(u8*)xsC_ppki_rsa_pub);
-		SetTMD_RsaKey(keys,(u8*)cpB_ppki_rsa_priv,(u8*)cpB_ppki_rsa_pub);
-		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys,(u8*)prod_ncsd_cfa_priv,(u8*)prod_ncsd_cfa_pub);
-		// CXI
-		SetAccessDesc_RsaKey(keys,(u8*)prod_acex_priv,(u8*)prod_acex_pub);
-	
-		/* Certs */
-		SetCaCert(keys,(u8*)ca3_ppki_cert);
-		SetTikCert(keys,(u8*)xsC_ppki_cert);
-		SetTmdCert(keys,(u8*)cpB_ppki_cert);
-	}
 	return 0;
 }
 
diff --git a/makerom/keyset.h b/makerom/keyset.h
index e8c92301..9d6c0c60 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -26,7 +26,6 @@ typedef enum
 	pki_DEVELOPMENT,
 	pki_PRODUCTION,
 	pki_CUSTOM,
-	pki_GATEWAY3DS
 } pki_keyset;
 
 typedef enum
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 1efbc0c3..792611a3 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -177,12 +177,14 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		if(strcasecmp(argv[i+1],"test") == 0 || strcasecmp(argv[i+1],"t") == 0)
 			set->common.keys.keyset = pki_TEST;
+		//else if(strcasecmp(argv[i+1],"beta") == 0 || strcasecmp(argv[i+1],"b") == 0)
+		//	set->common.keys.keyset = pki_BETA;
 		else if(strcasecmp(argv[i+1],"debug") == 0 || strcasecmp(argv[i+1],"development") == 0 || strcasecmp(argv[i+1],"d") == 0)
 			set->common.keys.keyset = pki_DEVELOPMENT;
 		else if(strcasecmp(argv[i+1],"retail") == 0 || strcasecmp(argv[i+1],"production") == 0 || strcasecmp(argv[i+1],"p") == 0)
 			set->common.keys.keyset = pki_PRODUCTION;
-		else if(strcasecmp(argv[i+1],"gw") == 0 || strcasecmp(argv[i+1],"gateway3ds") == 0 || strcasecmp(argv[i+1],"g") == 0)
-			set->common.keys.keyset = pki_GATEWAY3DS;
+		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0)
+		//	set->common.keys.keyset = pki_CUSTOM;
 		else{
 			fprintf(stderr,"[SETTING ERROR] Unrecognised target '%s'\n",argv[i+1]);
 			return USR_BAD_ARG;
@@ -866,11 +868,10 @@ void DisplayHelp(char *app_name)
 	printf(" -v                                 Verbose output\n");
 	printf(" -DNAME=VALUE                       Substitute values in RSF file\n");
 	printf("KEY OPTIONS:\n");
-	printf(" -target        <t|d|p|g>           Target for crypto, defaults to 't'\n");
+	printf(" -target        <t|d|p>             Target for crypto, defaults to 't'\n");
 	printf("                                    't' Test(false) Keys & prod Certs\n");
 	printf("                                    'd' Development Keys & Certs\n");
 	printf("                                    'p' Production Keys & Certs\n");
-	printf("                                    'g' Production Keys & Certs for GW3DS only\n");
 	printf(" -ckeyid        <index>             Override the automatic common key selection\n");
 	printf(" -ncchseckey    <index>             Ncch keyX index ('0'=1.0+, '1'=7.0+)\n");
 	printf(" -showkeys                          Display the loaded key chain\n");

From e6f84e1b323d368a230cd05c40b5aa6eb08bc2cb Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Wed, 12 Nov 2014 01:11:23 +0100
Subject: [PATCH 077/317] Don't free twice

---
 makerom/rsf_settings.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index fdfa291e..47696b49 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -389,8 +389,7 @@ void free_RsfSettings(rsf_settings *set)
 	free(set->AccessControlInfo.OtherUserSaveDataId1);
 	free(set->AccessControlInfo.OtherUserSaveDataId2);
 	free(set->AccessControlInfo.OtherUserSaveDataId3);
-	free(set->AccessControlInfo.ExtSaveDataId);
-	free(set->AccessControlInfo.SystemMode);	
+	free(set->AccessControlInfo.ExtSaveDataId);	
 	free(set->AccessControlInfo.AffinityMask);
 	free(set->AccessControlInfo.DescVersion);
 	free(set->AccessControlInfo.ResourceLimitCategory);

From 038aca268ac82d43a9142db7cfc6b6746a142698 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Wed, 24 Dec 2014 04:17:56 +0100
Subject: [PATCH 078/317] Added detection for secure3 (New 3DS) crypto.

---
 ctrtool/ncch.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index f8e8dc2d..4a781be2 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -589,6 +589,8 @@ void ncch_print(ncch_context* ctx)
 		fprintf(stdout, " > Crypto key:          %s\n", programid_is_system(header->programid)? "Fixed":"Zeros");
 	else if (header->flags[3] & 1)
 		fprintf(stdout, " > Crypto key:          Secure2\n");
+	else if (header->flags[3] & 10)
+		fprintf(stdout, " > Crypto key:          secure3 (New 3DS)\n");
 	else
 		fprintf(stdout, " > Crypto key:          Secure\n");
 	fprintf(stdout, " > Form type:           %s\n", formtypetostring(header->flags[5]));

From f8993e198a8439ad3e6883414cc3c7cfb5cdd9d0 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 14 Sep 2015 21:52:04 +0800
Subject: [PATCH 079/317] ctrtool: Updated exheader validation and ncch
 spec/flag recognition

---
 ctrtool/ctrtool.vcxproj |   6 +-
 ctrtool/exheader.c      | 213 ++++++++++++++++++++++------------------
 ctrtool/exheader.h      |  44 ++++++++-
 ctrtool/ncch.c          |  21 ++--
 ctrtool/ncch.h          |   2 +-
 5 files changed, 172 insertions(+), 114 deletions(-)

diff --git a/ctrtool/ctrtool.vcxproj b/ctrtool/ctrtool.vcxproj
index 75b72886..628d52fe 100644
--- a/ctrtool/ctrtool.vcxproj
+++ b/ctrtool/ctrtool.vcxproj
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
       <Configuration>Debug</Configuration>
@@ -18,13 +18,13 @@
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
+    <PlatformToolset>v140</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
     <WholeProgramOptimization>true</WholeProgramOptimization>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v110</PlatformToolset>
+    <PlatformToolset>v140</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 6f064d97..92db1a65 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -126,6 +126,58 @@ int exheader_programid_valid(exheader_context* ctx)
 	return 1;
 }
 
+void exheader_deserialise_arm11localcaps_permissions(exheader_arm11systemlocalcaps_deserialised *caps, const exheader_arm11systemlocalcaps *arm11)
+{
+	int i;
+
+	memset(caps, 0, sizeof(exheader_arm11systemlocalcaps_deserialised));
+
+	memcpy(caps->program_id, arm11->programid, 8);
+	caps->core_version = getle32(arm11->coreversion);
+
+	caps->enable_l2_cache = (arm11->flag[0] >> 0) & 1;
+	caps->use_additional_cores = (arm11->flag[0] >> 1) & 1;
+	caps->new3ds_systemmode = (arm11->flag[1] >> 0) & 15;
+
+	caps->ideal_processor = (arm11->flag[2] >> 0) & 3;
+	caps->affinity_mask = (arm11->flag[2] >> 2) & 3;
+	caps->old3ds_systemmode = (arm11->flag[2] >> 4) & 15;
+
+	caps->priority = (s8)arm11->flag[3];
+
+	// storage info
+	if (arm11->storageinfo.otherattributes & 2) {
+		caps->extdata_id = 0;
+		for (i = 0; i < 3; i++)
+			caps->other_user_saveid[i] = 0;
+		caps->use_other_variation_savedata = 0;
+
+		for (i = 0; i < 3; i++)
+			caps->accessible_saveid[i] = 0xfffff & (getle64(arm11->storageinfo.accessibleuniqueids) >> 20 * (2 - i));
+		for (i = 0; i < 3; i++)
+			caps->accessible_saveid[i+3] = 0xfffff & (getle64(arm11->storageinfo.extsavedataid) >> 20 * (2 - i));
+	}
+	else {
+		caps->extdata_id = getle64(arm11->storageinfo.extsavedataid);
+		for (i = 0; i < 3; i++)
+			caps->other_user_saveid[i] = 0xfffff & (getle64(arm11->storageinfo.accessibleuniqueids) >> 20 * (2 - i));
+		caps->use_other_variation_savedata = (getle64(arm11->storageinfo.accessibleuniqueids) >> 60) & 1;
+
+		for (i = 0; i < 6; i++)
+			caps->accessible_saveid[i] = 0;
+	}
+
+	caps->system_saveid[0] = getle32(arm11->storageinfo.systemsavedataid);
+	caps->system_saveid[1] = getle32(arm11->storageinfo.systemsavedataid + 4);
+	caps->accessinfo = getle64(arm11->storageinfo.accessinfo) & ~((u64)0xff00000000000000);
+
+	// Service Access Control
+	for (i = 0; i < 34; i++)
+		strncpy(caps->service_access_control[i], (char*)arm11->serviceaccesscontrol[i], 8);
+
+	caps->resource_limit_category = arm11->resourcelimitcategory;
+}
+
 int exheader_process(exheader_context* ctx, u32 actions)
 {
 	exheader_determine_key(ctx, actions);
@@ -135,13 +187,13 @@ int exheader_process(exheader_context* ctx, u32 actions)
 	if (ctx->header.codesetinfo.flags.flag & 1)
 		ctx->compressedflag = 1;
 
+	exheader_deserialise_arm11localcaps_permissions(&ctx->system_local_caps, &ctx->header.arm11systemlocalcaps);
+
 	if (actions & VerifyFlag)
 		exheader_verify(ctx);
 
 	if (actions & InfoFlag)
-	{
-		exheader_print(ctx);		
-	}
+		exheader_print(ctx);
 
 	return 1;
 }
@@ -397,11 +449,10 @@ void exheader_print_arm11accessinfo(exheader_context* ctx)
 {
 	char str[100];
 	u64 i, bit;
-	u64 accessinfo = 0xffffffffffffff & getle64(ctx->header.arm11systemlocalcaps.storageinfo.accessinfo);
 	for(i = 0; i < 56; i++)
 	{
 		bit = ((u64)1 << i);
-		if((accessinfo & bit) == bit)
+		if((ctx->system_local_caps.accessinfo & bit) == bit)
 			fprintf(stdout, " > %s\n",exheader_print_accessinfobit((u32)i,str)); 
 	}
 }
@@ -410,72 +461,21 @@ void exheader_print_arm11storageinfo(exheader_context* ctx)
 {
 	u32 i;
 
-	// Storage Info
-	u32 systemsaveID[2];
-	u64 extdataID;
-	u32 otherusersaveID[3];
-	u32 accessiblesaveID[6];
-
-	u8 otherattibutes = ctx->header.arm11systemlocalcaps.storageinfo.otherattributes;
-	u8 accessOtherVariationSavedata = (getle64(ctx->header.arm11systemlocalcaps.storageinfo.accessibleuniqueids) & 0x1000000000000000) == 0x1000000000000000;	
-
-	systemsaveID[0] = getle32(ctx->header.arm11systemlocalcaps.storageinfo.systemsavedataid);
-	systemsaveID[1] = getle32(ctx->header.arm11systemlocalcaps.storageinfo.systemsavedataid+4);
-
-	extdataID = getle64(ctx->header.arm11systemlocalcaps.storageinfo.extsavedataid);
-
-	for(i = 0; i < 3; i++)
-	{
-		accessiblesaveID[i] = 0xfffff & (getle64(ctx->header.arm11systemlocalcaps.storageinfo.accessibleuniqueids) >> 20*(2-i));
-		otherusersaveID[i] = 0xfffff & (getle64(ctx->header.arm11systemlocalcaps.storageinfo.accessibleuniqueids) >> 20*(2-i));
-	}
-
-	for(i = 0; i < 3; i++)
-	{
-		accessiblesaveID[i+3] = 0xfffff & (getle64(ctx->header.arm11systemlocalcaps.storageinfo.extsavedataid) >> 20*(2-i));
-	}
-
-	if(otherattibutes & 2)
-	{
-		extdataID = 0;
-		for(i = 0; i < 3; i++)
-			otherusersaveID[i] = 0;
-	}
-	else
-	{
-		for(i = 0; i < 6; i++)
-			accessiblesaveID[i] = 0;
-	}
-
-	fprintf(stdout, "Ext savedata id:        0x%08"PRIx64"\n",extdataID);
+	fprintf(stdout, "Ext savedata id:        0x%"PRIx64"\n",ctx->system_local_caps.extdata_id);
 	for(i = 0; i < 2; i++)
-		fprintf(stdout, "System savedata id %d:   0x%08x %s\n",i+1,systemsaveID[i],exheader_getvalidstring(ctx->validsystemsaveID[i]));
+		fprintf(stdout, "System savedata id %d:   0x%x %s\n",i+1, ctx->system_local_caps.system_saveid[i],exheader_getvalidstring(ctx->validsystemsaveID[i]));
 	for(i = 0; i < 3; i++)
-		fprintf(stdout, "OtherUserSaveDataId%d:   0x%05x\n",i+1,otherusersaveID[i]);
+		fprintf(stdout, "OtherUserSaveDataId%d:   0x%x\n",i+1, ctx->system_local_caps.other_user_saveid[i]);
 	fprintf(stdout, "Accessible Savedata Ids:\n");
 	for(i = 0; i < 6; i++)
 	{
-		if(accessiblesaveID[i] != 0x00000)
-			fprintf(stdout, " > 0x%05x\n",accessiblesaveID[i]);
+		if(ctx->system_local_caps.accessible_saveid[i] != 0x00000)
+			fprintf(stdout, " > 0x%05x\n", ctx->system_local_caps.accessible_saveid[i]);
 	}
 	
-	fprintf(stdout, "Other Variation Saves:  %s\n", accessOtherVariationSavedata ? "Accessible" : "Inaccessible");
-	if(ctx->validaccessinfo == Unchecked)
-		memdump(stdout, "Access info:            ", ctx->header.arm11systemlocalcaps.storageinfo.accessinfo, 7);
-	else if(ctx->validaccessinfo == Good)
-		memdump(stdout, "Access info (GOOD):     ", ctx->header.arm11systemlocalcaps.storageinfo.accessinfo, 7);
-	else
-		memdump(stdout, "Access info (FAIL):     ", ctx->header.arm11systemlocalcaps.storageinfo.accessinfo, 7);
-	exheader_print_arm11accessinfo(ctx);
-	
-	fprintf(stdout, "Other attributes:       %02X", ctx->header.arm11systemlocalcaps.storageinfo.otherattributes);
-	/*
-	if(otherattibutes & 1)
-		fprintf(stdout," [no use romfs]");
-	if(otherattibutes & 2)
-		fprintf(stdout," [use extended savedata access control]");
-	*/
-	printf("\n");
+	fprintf(stdout, "Other Variation Saves:  %s\n", ctx->system_local_caps.use_other_variation_savedata ? "Accessible" : "Inaccessible");
+	fprintf(stdout, "Access info:            0x%"PRIx64" %s\n", ctx->system_local_caps.accessinfo,exheader_getvalidstring(ctx->validaccessinfo));
+	exheader_print_arm11accessinfo(ctx);	
 }
 
 int exheader_signature_verify(exheader_context* ctx, rsakey2048* key)
@@ -486,61 +486,78 @@ int exheader_signature_verify(exheader_context* ctx, rsakey2048* key)
 	return ctr_rsa_verify_hash(ctx->header.accessdesc.signature, hash, key);
 }
 
-
 void exheader_verify(exheader_context* ctx)
 {
-	unsigned int i;
-	u8 exheaderflag6[3];
-	u8 descflag6[3];
+	unsigned int i, j;
+	exheader_arm11systemlocalcaps_deserialised accessdesc;
+
+	exheader_deserialise_arm11localcaps_permissions(&accessdesc, &ctx->header.accessdesc.arm11systemlocalcaps);
 
 	ctx->validsystemsaveID[0] = Good;
 	ctx->validsystemsaveID[1] = Good;
 	ctx->validaccessinfo = Good;
+	ctx->validcoreversion = Good;
 	ctx->validprogramid = Good;
 	ctx->validpriority = Good;
 	ctx->validaffinitymask = Good;
 	ctx->valididealprocessor = Good;
+	ctx->validold3dssystemmode = Good;
+	ctx->validnew3dssystemmode = Good;
+	ctx->validenablel2cache = Good;
+	ctx->validuseadditionalcores = Good;
+	ctx->validservicecontrol = Good;
 
 	for(i=0; i<8; i++)
 	{
-		if (0 == (ctx->header.arm11systemlocalcaps.programid[i] & ~ctx->header.accessdesc.arm11systemlocalcaps.programid[i]))
+		if (ctx->system_local_caps.program_id[i] == accessdesc.program_id[i] || accessdesc.program_id[i] == 0xFF)
 			continue;
 		ctx->validprogramid = Fail;
 		break;
 	}
 
-	// Ideal Proccessor
-	exheaderflag6[0] = (ctx->header.arm11systemlocalcaps.flag>>0)&0x3;
-	descflag6[0] = (ctx->header.accessdesc.arm11systemlocalcaps.flag>>0)&0x3;
-	// Affinity Mask
-	exheaderflag6[1] = (ctx->header.arm11systemlocalcaps.flag>>2)&0x3;
-	descflag6[1] = (ctx->header.accessdesc.arm11systemlocalcaps.flag>>2)&0x3;
-	// System Mode
-	//exheaderflag6[2] = (ctx->header.arm11systemlocalcaps.flag>>4)&0xf;
-	//descflag6[2] = (ctx->header.accessdesc.arm11systemlocalcaps.flag>>4)&0xf;
-
-	if (ctx->header.accessdesc.arm11systemlocalcaps.priority > ctx->header.arm11systemlocalcaps.priority ||  ctx->header.arm11systemlocalcaps.priority > 127)
+	if (ctx->system_local_caps.core_version != accessdesc.core_version)
+		ctx->validcoreversion = Fail;
+
+	if (ctx->system_local_caps.priority < accessdesc.priority)
 		ctx->validpriority = Fail;
 
-	if((1<<exheaderflag6[0] & descflag6[0]) == 0)
+	if((1<<ctx->system_local_caps.ideal_processor & accessdesc.ideal_processor) == 0)
 		ctx->valididealprocessor = Fail;
 
-	if (exheaderflag6[1] & ~descflag6[1])
+	if (ctx->system_local_caps.affinity_mask & ~accessdesc.affinity_mask)
 		ctx->validaffinitymask = Fail;
 
+	if (ctx->system_local_caps.old3ds_systemmode > accessdesc.old3ds_systemmode)
+		ctx->validold3dssystemmode = Fail;
+
+	if (ctx->system_local_caps.new3ds_systemmode > accessdesc.new3ds_systemmode)
+		ctx->validnew3dssystemmode = Fail;
+
 
 	// Storage Info Verify
-	if(0 != (getle32(ctx->header.arm11systemlocalcaps.storageinfo.systemsavedataid) & ~getle32(ctx->header.accessdesc.arm11systemlocalcaps.storageinfo.systemsavedataid)))
+	if(ctx->system_local_caps.system_saveid[0] & ~accessdesc.system_saveid[0])
 		ctx->validsystemsaveID[0] = Fail;
-	if(0 != (getle32(ctx->header.arm11systemlocalcaps.storageinfo.systemsavedataid+4) & ~getle32(ctx->header.accessdesc.arm11systemlocalcaps.storageinfo.systemsavedataid+4)))
+	if(ctx->system_local_caps.system_saveid[1] & ~accessdesc.system_saveid[1])
 		ctx->validsystemsaveID[1] = Fail;
 
-	for(i=0; i<7; i++)
-	{
-		if(0 == (ctx->header.arm11systemlocalcaps.storageinfo.accessinfo[i] & ~ctx->header.accessdesc.arm11systemlocalcaps.storageinfo.accessinfo[i]))
-			continue;
+
+	if (ctx->system_local_caps.accessinfo & ~accessdesc.accessinfo)
 		ctx->validaccessinfo = Fail;
-		break;
+
+	// Service Access Control
+	for (i = 0; i < 34; i++) {
+		if (strlen(ctx->system_local_caps.service_access_control[i]) == 0)
+			continue;
+
+		for (j = 0; j < 34; j++) {
+			if (strcmp(ctx->system_local_caps.service_access_control[i], accessdesc.service_access_control[j]) == 0)
+				break;
+		}
+
+		if (strcmp(ctx->system_local_caps.service_access_control[i], accessdesc.service_access_control[j]) == 0)
+			continue;
+
+		ctx->validservicecontrol = Fail;
 	}
 
 	if (ctx->usersettings)
@@ -609,21 +626,21 @@ void exheader_print(exheader_context* ctx)
 
 	fprintf(stdout, "Program id:             %016"PRIx64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
 	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
-	fprintf(stdout, "System mode:            0x%X\n", (ctx->header.arm11systemlocalcaps.flag>>4)&0xF);
-	fprintf(stdout, "Ideal processor:        %d %s\n", (ctx->header.arm11systemlocalcaps.flag>>0)&0x3, exheader_getvalidstring(ctx->valididealprocessor));
-	fprintf(stdout, "Affinity mask:          %d %s\n", (ctx->header.arm11systemlocalcaps.flag>>2)&0x3, exheader_getvalidstring(ctx->validaffinitymask));
-	fprintf(stdout, "Main thread priority:   %d %s\n", ctx->header.arm11systemlocalcaps.priority, exheader_getvalidstring(ctx->validpriority));
+	fprintf(stdout, "System mode:            %d %s\n", ctx->system_local_caps.old3ds_systemmode, exheader_getvalidstring(ctx->validold3dssystemmode));
+	fprintf(stdout, "System mode (New3DS):   %d %s\n", ctx->system_local_caps.new3ds_systemmode, exheader_getvalidstring(ctx->validnew3dssystemmode));
+	fprintf(stdout, "Ideal processor:        %d %s\n", ctx->system_local_caps.ideal_processor, exheader_getvalidstring(ctx->valididealprocessor));
+	fprintf(stdout, "Affinity mask:          %d %s\n", ctx->system_local_caps.affinity_mask, exheader_getvalidstring(ctx->validaffinitymask));
+	fprintf(stdout, "Main thread priority:   %d %s\n", ctx->system_local_caps.priority, exheader_getvalidstring(ctx->validpriority));
 	// print resource limit descriptor too? currently mostly zeroes...
 	exheader_print_arm11storageinfo(ctx);
 	exheader_print_arm11kernelcapabilities(ctx);
 	exheader_print_arm9accesscontrol(ctx);
 
-		
-	
-	for(i=0; i<0x20; i++)
+	fprintf(stdout, "Service access: %s\n", exheader_getvalidstring(ctx->validservicecontrol));
+	for(i=0; i<34; i++)
 	{
-		if (getle64(ctx->header.arm11systemlocalcaps.serviceaccesscontrol[i]) != 0x0000000000000000UL)
-			fprintf(stdout, "Service access:         %.8s\n", ctx->header.arm11systemlocalcaps.serviceaccesscontrol[i]);
+		if (strlen(ctx->system_local_caps.service_access_control[i]) > 0)
+			fprintf(stdout, " > %s\n", ctx->system_local_caps.service_access_control[i]);
 	}
 	fprintf(stdout, "Reslimit category:      %02X\n", ctx->header.arm11systemlocalcaps.resourcelimitcategory);
 }
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index 436a8d72..a4432c26 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -57,16 +57,41 @@ typedef struct
 {
 	u8 programid[8];
 	u8 coreversion[4];
-	u8 reserved0[2];
-	u8 flag;
-	u8 priority;
+	u8 flag[4];
 	u8 resourcelimitdescriptor[0x10][2];
 	exheader_storageinfo storageinfo;
-	u8 serviceaccesscontrol[0x20][8];
-	u8 reserved[0x1f];
+	u8 serviceaccesscontrol[34][8];
+	u8 reserved[0xf];
 	u8 resourcelimitcategory;
 } exheader_arm11systemlocalcaps;
 
+typedef struct 
+{
+	u8 program_id[8];
+	u32 core_version;
+
+	// flag
+	u8 enable_l2_cache;
+	u8 use_additional_cores;
+	u8 new3ds_systemmode;
+	u8 ideal_processor;
+	u8 affinity_mask;
+	u8 old3ds_systemmode;
+	s8 priority;
+
+	// storageinfo
+	u64 extdata_id;
+	u32 other_user_saveid[3];
+	u8 use_other_variation_savedata;
+	u32 accessible_saveid[3];
+	u32 system_saveid[2];
+	u64 accessinfo;
+
+
+	char service_access_control[34][10];
+	u8 resource_limit_category;
+} exheader_arm11systemlocalcaps_deserialised;
+
 typedef struct
 {
 	u8 descriptors[28][4];
@@ -115,6 +140,9 @@ typedef struct
 	u32 offset;
 	u32 size;
 	exheader_header header;
+
+	exheader_arm11systemlocalcaps_deserialised system_local_caps;
+
 	ctr_aes_context aes;
 	ctr_rsa_context rsa;
 	int compressedflag;
@@ -123,8 +151,14 @@ typedef struct
 	int validpriority;
 	int validaffinitymask;
 	int valididealprocessor;
+	int validold3dssystemmode;
+	int validnew3dssystemmode;
+	int validenablel2cache;
+	int validuseadditionalcores;
+	int validcoreversion;
 	int validsystemsaveID[2];
 	int validaccessinfo;
+	int validservicecontrol;
 	int validsignature;
 } exheader_context;
 
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 4a781be2..07f8755d 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -540,6 +540,17 @@ static const char* contenttypetostring(unsigned char flags)
 	case 2: return "Manual";
 	case 3: return "Child";
 	case 4: return "Trial";
+	case 5: return "Extended System Update";
+	default: return "Unknown";
+	}
+}
+
+static const char* contentplatformtostring(unsigned char platform)
+{
+	switch (platform)
+	{
+	case 1: return "CTR";
+	case 2: return "SNAKE";
 	default: return "Unknown";
 	}
 }
@@ -566,6 +577,7 @@ void ncch_print(ncch_context* ctx)
 	fprintf(stdout, "Partition id:           %016"PRIx64"\n", getle64(header->partitionid));
 	fprintf(stdout, "Maker code:             %04x\n", getle16(header->makercode));
 	fprintf(stdout, "Version:                %04x\n", getle16(header->version));
+	fprintf(stdout, "Title seed check:       %08x\n", getle32(header->seedcheck));
 	fprintf(stdout, "Program id:             %016"PRIx64"\n", getle64(header->programid));
 	if(ctx->logohashcheck == Unchecked)
 		memdump(stdout, "Logo hash:              ", header->logohash, 0x20);
@@ -587,16 +599,11 @@ void ncch_print(ncch_context* ctx)
 		fprintf(stdout, " > Crypto key:          None\n");
 	else if (header->flags[7] & 1)
 		fprintf(stdout, " > Crypto key:          %s\n", programid_is_system(header->programid)? "Fixed":"Zeros");
-	else if (header->flags[3] & 1)
-		fprintf(stdout, " > Crypto key:          Secure2\n");
-	else if (header->flags[3] & 10)
-		fprintf(stdout, " > Crypto key:          secure3 (New 3DS)\n");
 	else
-		fprintf(stdout, " > Crypto key:          Secure\n");
+		fprintf(stdout, " > Crypto key:          Secure (%d)%s\n", header->flags[3], header->flags[7] & 32? " (KeyY seeded)" : "");
 	fprintf(stdout, " > Form type:           %s\n", formtypetostring(header->flags[5]));
 	fprintf(stdout, " > Content type:        %s\n", contenttypetostring(header->flags[5]));
-	if (header->flags[4] & 1)
-		fprintf(stdout, " > Content platform:    CTR\n");
+	fprintf(stdout, " > Content platform:    %s\n", contentplatformtostring(header->flags[4]));
 	if (header->flags[7] & 2)
 		fprintf(stdout, " > No RomFS mount\n");
 
diff --git a/ctrtool/ncch.h b/ctrtool/ncch.h
index b6539e06..f453bb58 100644
--- a/ctrtool/ncch.h
+++ b/ctrtool/ncch.h
@@ -26,7 +26,7 @@ typedef struct
 	u8 partitionid[8];
 	u8 makercode[2];
 	u8 version[2];
-	u8 reserved0[4];
+	u8 seedcheck[4];
 	u8 programid[8];
 	u8 reserved1[0x10];
 	u8 logohash[0x20];

From e636db7397484413372b28325fb5c822eaa2c9bb Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 14 Sep 2015 23:48:59 +0800
Subject: [PATCH 080/317] makerom: updated to latest SDK specs.

---
 makerom/accessdesc.c            |   4 +-
 makerom/exheader.c              |  52 ++-
 makerom/exheader.h              |  14 +-
 makerom/makerom.vcxproj         | 272 +++++++++++++++
 makerom/makerom.vcxproj.filters | 584 ++++++++++++++++++++++++++++++++
 makerom/ncch.c                  |  44 ++-
 makerom/ncch.h                  |  26 +-
 makerom/readme.txt              |  29 ++
 makerom/rsf_settings.c          |  12 +-
 makerom/user_settings.h         |   7 +-
 10 files changed, 1008 insertions(+), 36 deletions(-)
 create mode 100644 makerom/makerom.vcxproj
 create mode 100644 makerom/makerom.vcxproj.filters
 create mode 100644 makerom/readme.txt

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 317f759e..fcb17be3 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -44,12 +44,12 @@ int accessdesc_SignWithKey(exheader_settings *exhdrset)
 	memcpy(&exhdrset->acexDesc->arm9AccessControlInfo,&exhdrset->exHdr->arm9AccessControlInfo,sizeof(exhdr_ARM9AccessControlInfo));
 	
 	/* Adjust Data */
-	u8 *flag = &exhdrset->acexDesc->arm11SystemLocalCapabilities.flag;
+	u8 *flag = &exhdrset->acexDesc->arm11SystemLocalCapabilities.flag[2];
 	u8 SystemMode = (*flag>>4)&0xF;
 	u8 AffinityMask = (*flag>>2)&0x3;
 	u8 IdealProcessor = 1<<((*flag>>0)&0x3);
 	*flag = (u8)(SystemMode << 4 | AffinityMask << 2 | IdealProcessor);
-	exhdrset->acexDesc->arm11SystemLocalCapabilities.priority /= 2;
+	exhdrset->acexDesc->arm11SystemLocalCapabilities.flag[3] /= 2;
 
 	/* Sign AccessDesc */
 	return SignAccessDesc(exhdrset->acexDesc,exhdrset->keys);
diff --git a/makerom/exheader.c b/makerom/exheader.c
index 87d78f77..e159ebe8 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -317,7 +317,34 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 		return EXHDR_BAD_RSF_OPT;
 	}
 
-	/* Flag */
+	/* Flag[0] */
+	arm11->flag[0] |= rsf->AccessControlInfo.EnableL2Cache;
+
+	if (rsf->AccessControlInfo.CpuSpeed) {
+		if(strcasecmp(rsf->AccessControlInfo.CpuSpeed, "256mhz") == 0)
+			arm11->flag[0] |= cpuspeed_268MHz << 1;
+		else if(strcasecmp(rsf->AccessControlInfo.CpuSpeed, "804mhz") == 0)
+			arm11->flag[0] |= cpuspeed_804MHz << 1;
+		else {
+			fprintf(stderr, "[EXHEADER ERROR] Invalid cpu speed: 0x%s\n", rsf->AccessControlInfo.CpuSpeed);
+			return EXHDR_BAD_RSF_OPT;
+		}
+	}
+	else
+		arm11->flag[0] |= cpuspeed_268MHz << 1;
+
+	/* Flag[1] (SystemModeExt) */
+	u8 systemModeExt = 0;
+	if (rsf->AccessControlInfo.SystemModeExt) {
+		systemModeExt = strtol(rsf->AccessControlInfo.SystemModeExt, NULL, 0);
+		if (systemModeExt > 15) {
+			fprintf(stderr, "[EXHEADER ERROR] Unexpected SystemModeExt: 0x%x. Expected range: 0x0 - 0xf\n", systemModeExt);
+			return EXHDR_BAD_RSF_OPT;
+		}
+		arm11->flag[1] = systemModeExt & 0xf;
+	}
+
+	/* Flag[2] */
 	u8 affinityMask = 0;
 	u8 idealProcessor = 0;
 	u8 systemMode = 0;
@@ -343,9 +370,9 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}
-	arm11->flag = (u8)(systemMode << 4 | affinityMask << 2 | idealProcessor);
+	arm11->flag[2] = (u8)(systemMode << 4 | affinityMask << 2 | idealProcessor);
 
-	/* Thread Priority */
+	/* flag[3] (Thread Priority) */
 	if(rsf->AccessControlInfo.Priority){
 		u8 priority = strtoul(rsf->AccessControlInfo.Priority,NULL,0);
 		if(GetAppType(rsf) == processtype_APPLICATION)
@@ -354,7 +381,7 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 			fprintf(stderr,"[EXHEADER ERROR] Invalid Priority: %d\n",priority);
 			return EXHDR_BAD_RSF_OPT;
 		}
-		arm11->priority = priority;
+		arm11->flag[3] = priority;
 	}
 	else{
 		ErrorParamNotFound("AccessControlInfo/Priority");
@@ -479,8 +506,13 @@ void SetARM11StorageInfoSystemSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm
 
 void SetARM11StorageInfoExtSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
-	if(rsf->AccessControlInfo.ExtSaveDataId)
-		u64_to_u8(arm11->storageInfo.extSavedataId, strtoull(rsf->AccessControlInfo.ExtSaveDataId,NULL,0), LE);
+	if (rsf->AccessControlInfo.UseExtSaveData || rsf->AccessControlInfo.ExtSaveDataId) {
+		if (rsf->AccessControlInfo.ExtSaveDataId)
+			u64_to_u8(arm11->storageInfo.extSavedataId, strtoull(rsf->AccessControlInfo.ExtSaveDataId, NULL, 0), LE);
+		else
+			u32_to_u8(arm11->storageInfo.extSavedataId, GetTidUniqueId(u8_to_u64(arm11->programId,LE)), LE);
+	}
+	
 }
 
 void SetARM11StorageInfoOtherUserSaveData(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
@@ -508,6 +540,10 @@ bool CheckCondiditionsForNewAccessibleSaveDataIds(rsf_settings *rsf)
 		fprintf(stderr,"[EXHEADER ERROR] Too many UniqueId in \"AccessibleSaveDataIds\".\n");
 		return false;
 	}
+	if (rsf->AccessControlInfo.UseExtSaveData) {
+		fprintf(stderr, "[EXHEADER ERROR] UseExtSaveData must be false if AccessibleSaveDataIds is specified.\n");
+		return false;
+	}
 	if (rsf->AccessControlInfo.ExtSaveDataId){
 		fprintf(stderr,"[EXHEADER ERROR] ExtSaveDataId is unavailable if AccessibleSaveDataIds is specified.\n");
 		return false;
@@ -561,8 +597,8 @@ void SetARM11StorageInfoAccessibleSaveDataIds(exhdr_ARM11SystemLocalCapabilities
 int SetARM11ServiceAccessControl(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
 	if(rsf->AccessControlInfo.ServiceAccessControl){
-		if(rsf->AccessControlInfo.ServiceAccessControlNum > 32){
-			fprintf(stderr,"[EXHEADER ERROR] Too Many Service Names, maximum is 32\n");
+		if(rsf->AccessControlInfo.ServiceAccessControlNum > 34){
+			fprintf(stderr,"[EXHEADER ERROR] Too Many Service Names, maximum is 34\n");
 			return EXHDR_BAD_RSF_OPT;
 		}
 		for(int i = 0; i < rsf->AccessControlInfo.ServiceAccessControlNum; i++){
diff --git a/makerom/exheader.h b/makerom/exheader.h
index d33639c6..8e6ef3ce 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -28,6 +28,12 @@ typedef enum
 	resrc_limit_OTHER
 } resource_limit_category;
 
+typedef enum
+{
+	cpuspeed_268MHz,
+	cpuspeed_804MHz
+};
+
 typedef enum
 {
 	othcap_PERMIT_DEBUG = (1 << 0),
@@ -127,13 +133,11 @@ typedef struct
 {
 	u8 programId[8];
 	u8 coreVersion[4];
-	u8 padding0[2];
-	u8 flag;
-	u8 priority;
+	u8 flag[4];
 	u8 resourceLimitDescriptor[16][2];
 	exhdr_StorageInfo storageInfo;
-	u8 serviceAccessControl[32][8]; // Those char[8] server names
-	u8 padding1[0x1f];
+	u8 serviceAccessControl[34][8]; // Those char[8] server names
+	u8 padding1[0xf];
 	u8 resourceLimitCategory;
 } exhdr_ARM11SystemLocalCapabilities;
 
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
new file mode 100644
index 00000000..aa4d41d6
--- /dev/null
+++ b/makerom/makerom.vcxproj
@@ -0,0 +1,272 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{21926330-F5A5-4643-AD32-D4F167CE226B}</ProjectGuid>
+    <Keyword>MakeFileProj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Makefile</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Makefile</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <NMakeBuildCommandLine>make</NMakeBuildCommandLine>
+    <NMakeOutput>makerom.exe</NMakeOutput>
+    <NMakeCleanCommandLine>make clean</NMakeCleanCommandLine>
+    <NMakeReBuildCommandLine>make rebuild</NMakeReBuildCommandLine>
+    <NMakePreprocessorDefinitions>WIN32;_DEBUG;$(NMakePreprocessorDefinitions)</NMakePreprocessorDefinitions>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <NMakeBuildCommandLine>make</NMakeBuildCommandLine>
+    <NMakeOutput>makerom.exe</NMakeOutput>
+    <NMakeCleanCommandLine>make clean</NMakeCleanCommandLine>
+    <NMakeReBuildCommandLine>make rebuild</NMakeReBuildCommandLine>
+    <NMakePreprocessorDefinitions>WIN32;NDEBUG;$(NMakePreprocessorDefinitions)</NMakePreprocessorDefinitions>
+  </PropertyGroup>
+  <ItemDefinitionGroup>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <Text Include="readme.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="accessdesc.h" />
+    <ClInclude Include="blz.h" />
+    <ClInclude Include="cardinfo.h" />
+    <ClInclude Include="certs.h" />
+    <ClInclude Include="cia.h" />
+    <ClInclude Include="cia_build.h" />
+    <ClInclude Include="cia_read.h" />
+    <ClInclude Include="crr.h" />
+    <ClInclude Include="crypto.h" />
+    <ClInclude Include="ctr_utils.h" />
+    <ClInclude Include="desc\dev_sigdata.h" />
+    <ClInclude Include="desc\presets.h" />
+    <ClInclude Include="desc\prod_sigdata.h" />
+    <ClInclude Include="dir.h" />
+    <ClInclude Include="elf.h" />
+    <ClInclude Include="elf_hdr.h" />
+    <ClInclude Include="exefs.h" />
+    <ClInclude Include="exefs_build.h" />
+    <ClInclude Include="exefs_read.h" />
+    <ClInclude Include="exheader.h" />
+    <ClInclude Include="exheader_build.h" />
+    <ClInclude Include="exheader_read.h" />
+    <ClInclude Include="keyset.h" />
+    <ClInclude Include="lib.h" />
+    <ClInclude Include="libyaml\yaml.h" />
+    <ClInclude Include="libyaml\yaml_private.h" />
+    <ClInclude Include="ncch.h" />
+    <ClInclude Include="ncch_build.h" />
+    <ClInclude Include="ncch_logo.h" />
+    <ClInclude Include="ncch_read.h" />
+    <ClInclude Include="ncsd.h" />
+    <ClInclude Include="ncsd_build.h" />
+    <ClInclude Include="ncsd_read.h" />
+    <ClInclude Include="pki\dev.h" />
+    <ClInclude Include="pki\dev_legacy.h" />
+    <ClInclude Include="pki\prod.h" />
+    <ClInclude Include="pki\prod_legacy.h" />
+    <ClInclude Include="pki\test.h" />
+    <ClInclude Include="polarssl\aes.h" />
+    <ClInclude Include="polarssl\arc4.h" />
+    <ClInclude Include="polarssl\asn1.h" />
+    <ClInclude Include="polarssl\asn1write.h" />
+    <ClInclude Include="polarssl\base64.h" />
+    <ClInclude Include="polarssl\bignum.h" />
+    <ClInclude Include="polarssl\blowfish.h" />
+    <ClInclude Include="polarssl\bn_mul.h" />
+    <ClInclude Include="polarssl\camellia.h" />
+    <ClInclude Include="polarssl\certs.h" />
+    <ClInclude Include="polarssl\cipher.h" />
+    <ClInclude Include="polarssl\cipher_wrap.h" />
+    <ClInclude Include="polarssl\config.h" />
+    <ClInclude Include="polarssl\ctr_drbg.h" />
+    <ClInclude Include="polarssl\debug.h" />
+    <ClInclude Include="polarssl\des.h" />
+    <ClInclude Include="polarssl\dhm.h" />
+    <ClInclude Include="polarssl\entropy.h" />
+    <ClInclude Include="polarssl\entropy_poll.h" />
+    <ClInclude Include="polarssl\error.h" />
+    <ClInclude Include="polarssl\gcm.h" />
+    <ClInclude Include="polarssl\havege.h" />
+    <ClInclude Include="polarssl\md.h" />
+    <ClInclude Include="polarssl\md2.h" />
+    <ClInclude Include="polarssl\md4.h" />
+    <ClInclude Include="polarssl\md5.h" />
+    <ClInclude Include="polarssl\md_wrap.h" />
+    <ClInclude Include="polarssl\net.h" />
+    <ClInclude Include="polarssl\openssl.h" />
+    <ClInclude Include="polarssl\padlock.h" />
+    <ClInclude Include="polarssl\pbkdf2.h" />
+    <ClInclude Include="polarssl\pem.h" />
+    <ClInclude Include="polarssl\pkcs11.h" />
+    <ClInclude Include="polarssl\pkcs12.h" />
+    <ClInclude Include="polarssl\pkcs5.h" />
+    <ClInclude Include="polarssl\rsa.h" />
+    <ClInclude Include="polarssl\sha1.h" />
+    <ClInclude Include="polarssl\sha2.h" />
+    <ClInclude Include="polarssl\sha4.h" />
+    <ClInclude Include="polarssl\ssl.h" />
+    <ClInclude Include="polarssl\ssl_cache.h" />
+    <ClInclude Include="polarssl\timing.h" />
+    <ClInclude Include="polarssl\version.h" />
+    <ClInclude Include="polarssl\x509.h" />
+    <ClInclude Include="polarssl\x509write.h" />
+    <ClInclude Include="polarssl\xtea.h" />
+    <ClInclude Include="romfs.h" />
+    <ClInclude Include="romfs_gen.h" />
+    <ClInclude Include="romfs_import.h" />
+    <ClInclude Include="rsf_settings.h" />
+    <ClInclude Include="srl.h" />
+    <ClInclude Include="tik.h" />
+    <ClInclude Include="tik_build.h" />
+    <ClInclude Include="tik_read.h" />
+    <ClInclude Include="titleid.h" />
+    <ClInclude Include="tmd.h" />
+    <ClInclude Include="tmd_build.h" />
+    <ClInclude Include="tmd_read.h" />
+    <ClInclude Include="types.h" />
+    <ClInclude Include="user_settings.h" />
+    <ClInclude Include="utf.h" />
+    <ClInclude Include="utils.h" />
+    <ClInclude Include="yaml_parser.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="accessdesc.c" />
+    <ClCompile Include="blz.c" />
+    <ClCompile Include="cardinfo.c" />
+    <ClCompile Include="certs.c" />
+    <ClCompile Include="cia.c" />
+    <ClCompile Include="crypto.c" />
+    <ClCompile Include="ctr_utils.c" />
+    <ClCompile Include="dir.c" />
+    <ClCompile Include="elf.c" />
+    <ClCompile Include="exefs.c" />
+    <ClCompile Include="exheader.c" />
+    <ClCompile Include="keyset.c" />
+    <ClCompile Include="libyaml\api.c" />
+    <ClCompile Include="libyaml\dumper.c" />
+    <ClCompile Include="libyaml\emitter.c" />
+    <ClCompile Include="libyaml\loader.c" />
+    <ClCompile Include="libyaml\parser.c" />
+    <ClCompile Include="libyaml\reader.c" />
+    <ClCompile Include="libyaml\scanner.c" />
+    <ClCompile Include="libyaml\writer.c" />
+    <ClCompile Include="makerom.c" />
+    <ClCompile Include="ncch.c" />
+    <ClCompile Include="ncsd.c" />
+    <ClCompile Include="polarssl\arc4.c" />
+    <ClCompile Include="polarssl\asn1parse.c" />
+    <ClCompile Include="polarssl\asn1write.c" />
+    <ClCompile Include="polarssl\base64.c" />
+    <ClCompile Include="polarssl\bignum.c" />
+    <ClCompile Include="polarssl\blowfish.c" />
+    <ClCompile Include="polarssl\camellia.c" />
+    <ClCompile Include="polarssl\certs.c" />
+    <ClCompile Include="polarssl\cipher.c" />
+    <ClCompile Include="polarssl\cipher_wrap.c" />
+    <ClCompile Include="polarssl\ctr_drbg.c" />
+    <ClCompile Include="polarssl\debug.c" />
+    <ClCompile Include="polarssl\des.c" />
+    <ClCompile Include="polarssl\dhm.c" />
+    <ClCompile Include="polarssl\entropy.c" />
+    <ClCompile Include="polarssl\entropy_poll.c" />
+    <ClCompile Include="polarssl\error.c" />
+    <ClCompile Include="polarssl\gcm.c" />
+    <ClCompile Include="polarssl\havege.c" />
+    <ClCompile Include="polarssl\md.c" />
+    <ClCompile Include="polarssl\md2.c" />
+    <ClCompile Include="polarssl\md4.c" />
+    <ClCompile Include="polarssl\md5.c" />
+    <ClCompile Include="polarssl\md_wrap.c" />
+    <ClCompile Include="polarssl\net.c" />
+    <ClCompile Include="polarssl\padlock.c" />
+    <ClCompile Include="polarssl\pbkdf2.c" />
+    <ClCompile Include="polarssl\pem.c" />
+    <ClCompile Include="polarssl\pkcs11.c" />
+    <ClCompile Include="polarssl\pkcs12.c" />
+    <ClCompile Include="polarssl\pkcs5.c" />
+    <ClCompile Include="polarssl\rsa.c" />
+    <ClCompile Include="polarssl\sha1.c" />
+    <ClCompile Include="polarssl\sha2.c" />
+    <ClCompile Include="polarssl\sha4.c" />
+    <ClCompile Include="polarssl\ssl_cache.c" />
+    <ClCompile Include="polarssl\ssl_cli.c" />
+    <ClCompile Include="polarssl\ssl_srv.c" />
+    <ClCompile Include="polarssl\ssl_tls.c" />
+    <ClCompile Include="polarssl\timing.c" />
+    <ClCompile Include="polarssl\version.c" />
+    <ClCompile Include="polarssl\x509parse.c" />
+    <ClCompile Include="polarssl\x509write.c" />
+    <ClCompile Include="polarssl\xtea.c" />
+    <ClCompile Include="romfs.c" />
+    <ClCompile Include="romfs_gen.c" />
+    <ClCompile Include="romfs_import.c" />
+    <ClCompile Include="rsf_settings.c" />
+    <ClCompile Include="tik.c" />
+    <ClCompile Include="titleid.c" />
+    <ClCompile Include="tmd.c" />
+    <ClCompile Include="user_settings.c" />
+    <ClCompile Include="utf.c" />
+    <ClCompile Include="utils.c" />
+    <ClCompile Include="yaml_parser.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="Makefile" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
new file mode 100644
index 00000000..0f4ba0ba
--- /dev/null
+++ b/makerom/makerom.vcxproj.filters
@@ -0,0 +1,584 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Header Files\polarssl">
+      <UniqueIdentifier>{bab0486d-d6e9-48e4-b4a5-ab1c9a917a15}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\libyaml">
+      <UniqueIdentifier>{e3b6ff03-546a-4f9c-8246-ee2a5a6b5c20}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\libyaml">
+      <UniqueIdentifier>{2bf08da5-c0b2-4b6f-a07a-0f3a03b79f14}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\polarssl">
+      <UniqueIdentifier>{7545c89e-a9ce-4c04-989e-ae726a518efd}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Resource Files\PKI">
+      <UniqueIdentifier>{49964d4d-b429-41e6-a85f-e4d361de0faf}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Resource Files\DESC">
+      <UniqueIdentifier>{a0455bf4-2a1e-4ced-9d42-88d7ce131c22}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <Text Include="readme.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="accessdesc.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="blz.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="cardinfo.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="certs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="cia.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="cia_build.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="cia_read.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="crr.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="crypto.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ctr_utils.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="dir.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="elf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="elf_hdr.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="exefs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="exefs_build.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="exefs_read.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="exheader.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="exheader_build.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="exheader_read.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="keyset.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="lib.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ncch.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ncch_build.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ncch_logo.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ncch_read.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ncsd.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ncsd_build.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ncsd_read.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="romfs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="romfs_gen.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="romfs_import.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="rsf_settings.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="srl.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="tik.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="tik_build.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="tik_read.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="titleid.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="tmd.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="tmd_build.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="tmd_read.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="user_settings.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="utf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="utils.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="yaml_parser.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\aes.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\arc4.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\asn1.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\asn1write.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\base64.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\bignum.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\blowfish.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\bn_mul.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\camellia.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\certs.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\cipher.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\cipher_wrap.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\config.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\ctr_drbg.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\debug.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\des.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\dhm.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\entropy.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\entropy_poll.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\error.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\gcm.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\havege.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\md.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\md_wrap.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\md2.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\md4.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\md5.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\net.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\openssl.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\padlock.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\pbkdf2.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\pem.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\pkcs5.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\pkcs11.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\pkcs12.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\rsa.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\sha1.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\sha2.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\sha4.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\ssl.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\ssl_cache.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\timing.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\version.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\x509.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\x509write.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="polarssl\xtea.h">
+      <Filter>Header Files\polarssl</Filter>
+    </ClInclude>
+    <ClInclude Include="libyaml\yaml.h">
+      <Filter>Header Files\libyaml</Filter>
+    </ClInclude>
+    <ClInclude Include="libyaml\yaml_private.h">
+      <Filter>Header Files\libyaml</Filter>
+    </ClInclude>
+    <ClInclude Include="pki\dev.h">
+      <Filter>Resource Files\PKI</Filter>
+    </ClInclude>
+    <ClInclude Include="pki\dev_legacy.h">
+      <Filter>Resource Files\PKI</Filter>
+    </ClInclude>
+    <ClInclude Include="pki\prod.h">
+      <Filter>Resource Files\PKI</Filter>
+    </ClInclude>
+    <ClInclude Include="pki\prod_legacy.h">
+      <Filter>Resource Files\PKI</Filter>
+    </ClInclude>
+    <ClInclude Include="pki\test.h">
+      <Filter>Resource Files\PKI</Filter>
+    </ClInclude>
+    <ClInclude Include="desc\dev_sigdata.h">
+      <Filter>Resource Files\DESC</Filter>
+    </ClInclude>
+    <ClInclude Include="desc\presets.h">
+      <Filter>Resource Files\DESC</Filter>
+    </ClInclude>
+    <ClInclude Include="desc\prod_sigdata.h">
+      <Filter>Resource Files\DESC</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="accessdesc.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="blz.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="cardinfo.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="certs.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="cia.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="crypto.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ctr_utils.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dir.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="elf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="exefs.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="exheader.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="keyset.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="makerom.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ncch.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ncsd.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="romfs.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="romfs_gen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="romfs_import.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="rsf_settings.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="tik.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="titleid.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="tmd.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="user_settings.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="utf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="utils.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="yaml_parser.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\api.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\dumper.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\emitter.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\loader.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\parser.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\reader.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\scanner.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="libyaml\writer.c">
+      <Filter>Source Files\libyaml</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\arc4.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\asn1parse.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\asn1write.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\base64.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\bignum.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\blowfish.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\camellia.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\certs.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\cipher.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\cipher_wrap.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\ctr_drbg.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\debug.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\des.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\dhm.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\entropy.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\entropy_poll.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\error.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\gcm.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\havege.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\md.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\md_wrap.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\md2.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\md4.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\md5.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\net.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\padlock.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\pbkdf2.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\pem.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\pkcs5.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\pkcs11.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\pkcs12.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\rsa.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\sha1.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\sha2.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\sha4.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\ssl_cache.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\ssl_cli.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\ssl_srv.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\ssl_tls.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\timing.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\version.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\x509parse.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\x509write.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\xtea.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="Makefile">
+      <Filter>Resource Files</Filter>
+    </None>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 8f15f91d..438940bf 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -626,28 +626,48 @@ int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 	hdr->flags[ncchflag_CONTENT_BLOCK_SIZE] = GetCtrBlockSizeFlag(set->options.blockSize);
 
 	/* Setting ContentPlatform */
-	hdr->flags[ncchflag_CONTENT_PLATFORM] = 1; // CTR
+	if(set->rsfSet->TitleInfo.Platform){
+		if(strcasecmp(set->rsfSet->TitleInfo.Platform, "ctr") == 0)
+			hdr->flags[ncchflag_CONTENT_PLATFORM] = platform_CTR;
+		else if (strcasecmp(set->rsfSet->TitleInfo.Platform, "snake") == 0)
+			hdr->flags[ncchflag_CONTENT_PLATFORM] = platform_SNAKE;
+		else{
+			fprintf(stderr, "[NCCH ERROR] Invalid Platform '%s'\n", set->rsfSet->TitleInfo.Platform);
+			return NCCH_BAD_RSF_SET;
+		}
+	}
+	else
+		hdr->flags[ncchflag_CONTENT_PLATFORM] = platform_CTR;
 
 	/* Setting OtherFlag */
 	if(!set->options.UseRomFS) 
 		hdr->flags[ncchflag_OTHER_FLAG] |= otherflag_NoMountRomFs;
 
 
+	/* Setting FormType */
+	hdr->flags[ncchflag_CONTENT_TYPE] = form_Unassigned;
+	if(set->options.IsCfa)
+		hdr->flags[ncchflag_CONTENT_TYPE] = form_SimpleContent;
+	else if (set->options.UseRomFS)
+		hdr->flags[ncchflag_CONTENT_TYPE] = form_Executable;
+	else
+		hdr->flags[ncchflag_CONTENT_TYPE] = form_ExecutableWithoutRomfs;
+	
 	/* Setting ContentType */
-	hdr->flags[ncchflag_CONTENT_TYPE] = 0;
-	if(set->options.UseRomFS) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Data;
-	if(!set->options.IsCfa) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Executable;
 	if(set->rsfSet->BasicInfo.ContentType){
-		if(strcmp(set->rsfSet->BasicInfo.ContentType,"Application") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= 0;
-		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"SystemUpdate") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_SystemUpdate;
-		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Manual") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Manual;
-		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Child") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Child;
-		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Trial") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= content_Trial;
+		if(strcmp(set->rsfSet->BasicInfo.ContentType,"Application") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= (content_Application << 2);
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"SystemUpdate") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= (content_SystemUpdate << 2);
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Manual") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= (content_Manual << 2);
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Child") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= (content_Child << 2);
+		else if(strcmp(set->rsfSet->BasicInfo.ContentType,"Trial") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= (content_Trial << 2);
+		else if (strcmp(set->rsfSet->BasicInfo.ContentType, "ExtendedSystemUpdate") == 0) hdr->flags[ncchflag_CONTENT_TYPE] |= (content_ExtendedSystemUpdate << 2);
 		else{
 			fprintf(stderr,"[NCCH ERROR] Invalid ContentType '%s'\n",set->rsfSet->BasicInfo.ContentType);
 			return NCCH_BAD_RSF_SET;
 		}
 	}
+	else 
+		hdr->flags[ncchflag_CONTENT_TYPE] |= (content_Application << 2);
 
 	return 0;
 }
@@ -663,7 +683,7 @@ bool IsValidProductCode(char *ProductCode, bool FreeProductCode)
 	if(strlen(ProductCode) < 10) 
 		return false;
 		
-	if(strncmp(ProductCode,"CTR",3) != 0) 
+	if(strncmp(ProductCode,"CTR",3) != 0 && strncmp(ProductCode, "KTR", 3) != 0)
 		return false;
 	
 	for(int i = 3; i < 10; i++){
@@ -946,12 +966,12 @@ bool IsNcch(FILE *fp, u8 *buf)
 
 bool IsCfa(ncch_hdr* hdr)
 {
-	return (((hdr->flags[ncchflag_CONTENT_TYPE] & content_Data) == content_Data) && ((hdr->flags[ncchflag_CONTENT_TYPE] & content_Executable) != content_Executable));
+	return (hdr->flags[ncchflag_CONTENT_TYPE] & 3) == form_SimpleContent;
 }
 
 bool IsUpdateCfa(ncch_hdr* hdr)
 {
-	return (((hdr->flags[ncchflag_CONTENT_TYPE] & content_SystemUpdate) == content_SystemUpdate) && ((hdr->flags[ncchflag_CONTENT_TYPE] & content_Child) != content_Child) && IsCfa(hdr));
+	return (hdr->flags[ncchflag_CONTENT_TYPE] >> 2) == content_SystemUpdate || (hdr->flags[ncchflag_CONTENT_TYPE] >> 2) == content_ExtendedSystemUpdate;
 }
 
 u32 GetNcchBlockSize(ncch_hdr* hdr)
diff --git a/makerom/ncch.h b/makerom/ncch.h
index f2918830..baf220f5 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -50,14 +50,28 @@ typedef enum
 
 typedef enum
 {
-	content_Data = 0x1,
-	content_Executable = 0x2,
-	content_SystemUpdate = 0x4,
-	content_Manual = 0x8,
-	content_Child = (0x4|0x8),
-	content_Trial = 0x10
+	form_Unassigned,
+	form_SimpleContent,
+	form_ExecutableWithoutRomfs,
+	form_Executable
+};
+
+typedef enum
+{
+	content_Application,
+	content_SystemUpdate,
+	content_Manual,
+	content_Child,
+	content_Trial,
+	content_ExtendedSystemUpdate
 } ncch_content_bitmask;
 
+typedef enum
+{
+	platform_CTR = 0x1,
+	platform_SNAKE = 0x2
+} ncch_platform;
+
 typedef struct
 {
 	u16 formatVersion;
diff --git a/makerom/readme.txt b/makerom/readme.txt
new file mode 100644
index 00000000..8b7b09e3
--- /dev/null
+++ b/makerom/readme.txt
@@ -0,0 +1,29 @@
+========================================================================
+    MAKEFILE PROJECT : makerom Project Overview
+========================================================================
+
+AppWizard has created this makerom project for you.  
+
+This file contains a summary of what you will find in each of the files that
+make up your makerom project.
+
+
+makerom.vcxproj
+    This is the main project file for VC++ projects generated using an Application Wizard. 
+    It contains information about the version of Visual C++ that generated the file, and 
+    information about the platforms, configurations, and project features selected with the
+    Application Wizard.
+
+makerom.vcxproj.filters
+    This is the filters file for VC++ projects generated using an Application Wizard. 
+    It contains information about the association between the files in your project 
+    and the filters. This association is used in the IDE to show grouping of files with
+    similar extensions under a specific node (for e.g. ".cpp" files are associated with the
+    "Source Files" filter).
+
+This project allows you to build/clean/rebuild from within Visual Studio by calling the commands you have input 
+in the wizard. The build command can be nmake or any other tool you use.
+
+This project does not contain any files, so there are none displayed in Solution Explorer.
+
+/////////////////////////////////////////////////////////////////////////////
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index 47696b49..8240b456 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -102,12 +102,16 @@ void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("UseOtherVariationSaveData",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseOtherVariationSaveData,"UseOtherVariationSaveData",ctx);
 		else if(cmpYamlValue("RunnableOnSleep",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.RunnableOnSleep,"RunnableOnSleep",ctx);
 		else if(cmpYamlValue("SpecialMemoryArrange",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.SpecialMemoryArrange,"SpecialMemoryArrange",ctx);
-		
+		else if(cmpYamlValue("UseExtSaveData", ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseExtSaveData, "UseExtSaveData", ctx);
+		else if(cmpYamlValue("EnableL2Cache", ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.EnableL2Cache, "EnableL2Cache", ctx);
+
 		
 		else if(cmpYamlValue("IdealProcessor",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.IdealProcessor,"IdealProcessor",ctx,0); 
 		else if(cmpYamlValue("Priority",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.Priority,"Priority",ctx,0); 
 		else if(cmpYamlValue("MemoryType",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.MemoryType,"MemoryType",ctx,0); 
 		else if(cmpYamlValue("SystemMode",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.SystemMode,"SystemMode",ctx,0); 
+		else if(cmpYamlValue("SystemModeExt", ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.SystemModeExt, "SystemModeExt", ctx, 0);
+		else if(cmpYamlValue("CpuSpeed", ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.CpuSpeed, "CpuSpeed", ctx, 0);
 		else if(cmpYamlValue("CoreVersion",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.CoreVersion,"CoreVersion",ctx,0); 
 		else if(cmpYamlValue("HandleTableSize",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.HandleTableSize,"HandleTableSize",ctx,0); 
 		else if(cmpYamlValue("SystemSaveDataId1",ctx)) SetSimpleYAMLValue(&rsf->AccessControlInfo.SystemSaveDataId1,"SystemSaveDataId1",ctx,0); 
@@ -279,7 +283,8 @@ void GET_TitleInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		if(ctx->error || ctx->done) return;
 		// Handle childs
 		
-		if(cmpYamlValue("Category",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Category,"Category",ctx,0);
+		if (cmpYamlValue("Platform", ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Platform, "Platform", ctx, 0);
+		else if(cmpYamlValue("Category",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Category,"Category",ctx,0);
 		else if(cmpYamlValue("UniqueId",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.UniqueId,"UniqueId",ctx,0);
 		else if(cmpYamlValue("Version",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.Version,"Version",ctx,0);
 		else if(cmpYamlValue("ContentsIndex",ctx)) SetSimpleYAMLValue(&rsf->TitleInfo.ContentsIndex,"ContentsIndex",ctx,0);
@@ -382,6 +387,8 @@ void free_RsfSettings(rsf_settings *set)
 	free(set->AccessControlInfo.Priority);
 	free(set->AccessControlInfo.MemoryType);
 	free(set->AccessControlInfo.SystemMode);
+	free(set->AccessControlInfo.SystemModeExt);
+	free(set->AccessControlInfo.CpuSpeed);
 	free(set->AccessControlInfo.CoreVersion);
 	free(set->AccessControlInfo.HandleTableSize);
 	free(set->AccessControlInfo.SystemSaveDataId1);
@@ -502,6 +509,7 @@ void free_RsfSettings(rsf_settings *set)
 	free(set->PlainRegion);
 	
 	//TitleInfo
+	free(set->TitleInfo.Platform);
 	free(set->TitleInfo.Category);
 	free(set->TitleInfo.UniqueId);
 	free(set->TitleInfo.Version);
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 561429a5..299f5ef9 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -86,12 +86,16 @@ typedef struct
 		bool UseOtherVariationSaveData;
 		bool RunnableOnSleep;
 		bool SpecialMemoryArrange;
-		
+		bool UseExtSaveData;
+		bool EnableL2Cache;
+
 		// Strings
 		char *IdealProcessor;
 		char *Priority;
 		char *MemoryType;
 		char *SystemMode;
+		char *SystemModeExt;
+		char *CpuSpeed;
 		char *CoreVersion;
 		char *HandleTableSize;
 		char *SystemSaveDataId1;
@@ -178,6 +182,7 @@ typedef struct
 	
 	struct{
 		// Strings
+		char *Platform;
 		char *Category;
 		char *UniqueId;
 		char *Version;

From 2abefe56355ccbbf4b7780ebf9cc76535377577e Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 15 Sep 2015 22:05:00 +0800
Subject: [PATCH 081/317] makerom: misc, gave names to enums

---
 makerom/exheader.h | 2 +-
 makerom/ncch.h     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/exheader.h b/makerom/exheader.h
index 8e6ef3ce..4bac931d 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -32,7 +32,7 @@ typedef enum
 {
 	cpuspeed_268MHz,
 	cpuspeed_804MHz
-};
+} cpu_speed;
 
 typedef enum
 {
diff --git a/makerom/ncch.h b/makerom/ncch.h
index baf220f5..93c56860 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -54,7 +54,7 @@ typedef enum
 	form_SimpleContent,
 	form_ExecutableWithoutRomfs,
 	form_Executable
-};
+} ncch_form_type;
 
 typedef enum
 {

From 3a9d4b700b4586d975576bf7615466e94d7f69ee Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 15 Sep 2015 22:06:43 +0800
Subject: [PATCH 082/317] makerom: fixed romfs generation

---
 makerom/makerom.vcxproj |   1 +
 makerom/romfs.h         |  27 ++---
 makerom/romfs_gen.c     | 232 +++++++++++++++++++++-------------------
 3 files changed, 129 insertions(+), 131 deletions(-)

diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index aa4d41d6..97ca195f 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -67,6 +67,7 @@
     <NMakeCleanCommandLine>make clean</NMakeCleanCommandLine>
     <NMakeReBuildCommandLine>make rebuild</NMakeReBuildCommandLine>
     <NMakePreprocessorDefinitions>WIN32;_DEBUG;$(NMakePreprocessorDefinitions)</NMakePreprocessorDefinitions>
+    <IncludePath>C:\Program Files\mingw-w64\x86_64-5.2.0-win32-seh-rt_v4-rev0\mingw64\x86_64-w64-mingw32\include;$(IncludePath)</IncludePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <NMakeBuildCommandLine>make</NMakeBuildCommandLine>
diff --git a/makerom/romfs.h b/makerom/romfs.h
index fecb2da7..54bc218e 100644
--- a/makerom/romfs.h
+++ b/makerom/romfs.h
@@ -54,7 +54,7 @@ typedef struct
 	u8 siblingoffset[4];
 	u8 childoffset[4];
 	u8 fileoffset[4];
-	u8 weirdoffset[4]; // this one is weird. it always points to a dir entry, but seems unrelated to the romfs structure.
+	u8 hashoffset[4];
 	u8 namesize[4];
 	//u8 name[ROMFS_MAXNAMESIZE];
 } romfs_direntry; //sizeof(romfs_direntry)  = 0x18
@@ -65,7 +65,7 @@ typedef struct
 	u8 siblingoffset[4];
 	u8 dataoffset[8];
 	u8 datasize[8];
-	u8 weirdoffset[4]; // this one is also weird. it always points to a file entry, but seems unrelated to the romfs structure.
+	u8 hashoffset[4];
 	u8 namesize[4];
 	//u8 name[ROMFS_MAXNAMESIZE];
 } romfs_fileentry; //sizeof(romfs_fileentry)  = 0x20
@@ -86,18 +86,18 @@ typedef struct
 	
 	fs_dir *fs;
 	
-	u32 *dirUTable;
-	u32 m_dirUTableEntry;
-	u32 u_dirUTableEntry;
+	u32 *dirHashTable;
+	u32 m_dirHashTable;
+	u32 u_dirHashTable;
 	
 	u8 *dirTable;
 	u32 dirNum;
 	u32 m_dirTableLen;
 	u32 u_dirTableLen;
 	
-	u32 *fileUTable;
-	u32 m_fileUTableEntry;
-	u32 u_fileUTableEntry;
+	u32 *fileHashTable;
+	u32 m_fileHashTable;
+	u32 u_fileHashTable;
 	
 	u8 *fileTable;
 	u32 fileNum;
@@ -112,16 +112,5 @@ typedef struct
 	ivfc_level level[4];
 } romfs_buildctx;
 
-/*
-typedef struct
-{
-	u8 *output;
-	u64 romfsSize;
-	u64 romfsHeaderSize;
-
-	bool ImportRomfsBinary;
-	FILE *romfsBinary;
-} romfs_buildctx;
-*/
 int SetupRomFs(ncch_settings *ncchset, romfs_buildctx *ctx);
 int BuildRomFs(romfs_buildctx *ctx);
\ No newline at end of file
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 3ad516c0..ed45daa5 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -11,11 +11,13 @@ const fs_romfs_char ROMFS_EMPTY_PATH[2] = {0x0000, 0x0000};
 bool IsFileWanted(fs_file *file, void *filter_criteria);
 bool IsDirWanted(fs_dir *dir, void *filter_criteria);
 void CalcDirSize(romfs_buildctx *ctx, fs_dir *fs);
-int CalcRomfsSize(romfs_buildctx *ctx);
-int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling);
-int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling);
+void CalcRomfsSize(romfs_buildctx *ctx);
 int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria);
-int PopulateRomfs(romfs_buildctx *ctx);
+void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling);
+void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling);
+void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir);
+void PopulateHashTable(romfs_buildctx *ctx);
+void PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
@@ -69,7 +71,9 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	free(fs_raw);
 	
 	//printf("leave if no ROMFS needs to be made\n");
-	if(ctx->fs->u_file == 0){
+	// If no wanted directory or file exists in root, don't make romfs
+	// a directory can be wanted if a wanted file exists somewhere under it
+	if(ctx->fs->u_file == 0 && ctx->fs->u_dir == 0){
 		ctx->romfsSize = 0;
 		goto finish;
 	}
@@ -116,8 +120,7 @@ int BuildRomFsBinary(romfs_buildctx *ctx)
 	// Build Romfs
 	ctx->romfsHdr = (romfs_infoheader*)(ctx->level[3].pos);
 	BuildRomfsHeader(ctx);
-	if(PopulateRomfs(ctx) != 0)
-		return -1;
+	PopulateRomfs(ctx);
 	
 	
 	// Finalise by building IVFC hash tree
@@ -180,25 +183,35 @@ void CalcDirSize(romfs_buildctx *ctx, fs_dir *fs)
 	ctx->dirNum += fs->u_dir;
 }
 
-int CalcRomfsSize(romfs_buildctx *ctx)
+u32 GetHashTableCount(u32 num)
+{
+	u32 count = num;
+	if (num < 3)
+		count = 3;
+	else if (count < 19)
+		count |= 1;
+	else {
+		while (count % 2 == 0 || count % 3 == 0 || count % 5 == 0 || count % 7 == 0 || count % 11 == 0 || count % 13 == 0 || count % 17 == 0)
+			count++;
+	}
+	return count;
+}
+
+void CalcRomfsSize(romfs_buildctx *ctx)
 {
 	ctx->dirNum = 1; // root dir
 	//printf("Recursively get FS sizes\n");
 	CalcDirSize(ctx,ctx->fs);
 	
 	//printf("check U tables\n");
-	ctx->u_dirUTableEntry = 0;
-	ctx->m_dirUTableEntry = 3;
-	if(ctx->dirNum > 3)
-		ctx->m_dirUTableEntry += align(ctx->dirNum-3,2);
+	ctx->u_dirHashTable = 0;
+	ctx->m_dirHashTable = GetHashTableCount(ctx->dirNum);
 		
-	ctx->u_fileUTableEntry = 0;
-	ctx->m_fileUTableEntry = 3;
-	if(ctx->fileNum > 3)
-		ctx->m_fileUTableEntry += align(ctx->fileNum-3,2);
+	ctx->u_fileHashTable = 0;
+	ctx->m_fileHashTable = GetHashTableCount(ctx->fileNum);
 	
 	//printf("calc romfs header size\n");
-	u32 romfsHdrSize = align(sizeof(romfs_infoheader) + ctx->m_dirUTableEntry*sizeof(u32) + ctx->m_dirTableLen + ctx->m_fileUTableEntry*sizeof(u32) + ctx->m_fileTableLen,0x10); 
+	u32 romfsHdrSize = align(sizeof(romfs_infoheader) + ctx->m_dirHashTable*sizeof(u32) + ctx->m_dirTableLen + ctx->m_fileHashTable*sizeof(u32) + ctx->m_fileTableLen,0x10); 
 	
 	//printf("predict level sizes\n");
 	ctx->level[3].size = romfsHdrSize + ctx->m_dataLen; // data
@@ -214,7 +227,6 @@ int CalcRomfsSize(romfs_buildctx *ctx)
 		ctx->romfsSize += align(ctx->level[i].size,ROMFS_BLOCK_SIZE);
 		
 	//printf("return from CalcRomfsSize();\n");
-	return 0;
 }
 
 int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria)
@@ -278,10 +290,10 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	
 	for(int i = 0; i < 4; i++){
 		if(i == 0){
-			ctx->dirUTable = (u32*)(ctx->level[3].pos + level3_pos);
+			ctx->dirHashTable = (u32*)(ctx->level[3].pos + level3_pos);
 			u32_to_u8(ctx->romfsHdr->section[i].offset,level3_pos,LE);
-			u32_to_u8(ctx->romfsHdr->section[i].size,ctx->m_dirUTableEntry*sizeof(u32),LE);
-			level3_pos += ctx->m_dirUTableEntry*sizeof(u32);
+			u32_to_u8(ctx->romfsHdr->section[i].size,ctx->m_dirHashTable*sizeof(u32),LE);
+			level3_pos += ctx->m_dirHashTable*sizeof(u32);
 		}
 		else if(i == 1 && ctx->m_dirTableLen){
 			ctx->dirTable = ctx->level[3].pos + level3_pos;
@@ -290,10 +302,10 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 			level3_pos += ctx->m_dirTableLen;
 		}
 		else if(i == 2){
-			ctx->fileUTable = (u32*)(ctx->level[3].pos + level3_pos);
+			ctx->fileHashTable = (u32*)(ctx->level[3].pos + level3_pos);
 			u32_to_u8(ctx->romfsHdr->section[i].offset,level3_pos,LE);
-			u32_to_u8(ctx->romfsHdr->section[i].size,ctx->m_fileUTableEntry*sizeof(u32),LE);
-			level3_pos += ctx->m_fileUTableEntry*sizeof(u32);
+			u32_to_u8(ctx->romfsHdr->section[i].size,ctx->m_fileHashTable*sizeof(u32),LE);
+			level3_pos += ctx->m_fileHashTable*sizeof(u32);
 		}
 		else if(i == 3 && ctx->m_fileTableLen){
 			ctx->fileTable = ctx->level[3].pos + level3_pos;
@@ -310,71 +322,45 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	ctx->data = ctx->level[3].pos + align(level3_pos,0x10);
 	u32_to_u8(ctx->romfsHdr->dataoffset,align(level3_pos,0x10),LE);
 	
-	memset(ctx->dirUTable,0xff,ctx->m_dirUTableEntry*sizeof(u32));
-	memset(ctx->fileUTable,0xff,ctx->m_fileUTableEntry*sizeof(u32));
-	
-	return;
+	for (u32 i = 0; i < ctx->m_dirHashTable; i++) {
+		ctx->dirHashTable[i] = ROMFS_UNUSED_ENTRY;
+	}
+
+	for (u32 i = 0; i < ctx->m_fileHashTable; i++) {
+		ctx->fileHashTable[i] = ROMFS_UNUSED_ENTRY;
+	}
 }
 
-void AddDirHashKey(romfs_buildctx *ctx, u32 parent, fs_romfs_char* path, u32 dirOffset)
+u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, fs_romfs_char *path)
 {
-	u32 hash = CalcPathHash(parent,path,0,fs_u16StrLen(path));
-	u32 index = hash % ctx->m_dirUTableEntry;
-	if(ctx->dirUTable[index] == ROMFS_UNUSED_ENTRY) ctx->dirUTable[index] = dirOffset;
-	else
-	{
-		romfs_direntry * curdir = (romfs_direntry*)(ctx->dirTable + ctx->dirUTable[index]);
-		while(1)
-		{
-			if(*(u32*)curdir->weirdoffset == ROMFS_UNUSED_ENTRY)
-			{
-				*(u32*)curdir->weirdoffset = dirOffset;
-				break;
-			}
-			else
-			{
-				curdir = (romfs_direntry*)(ctx->dirTable + *(u32*)curdir->weirdoffset);
-			}
-		}
-	}
+	u32 hash = CalcPathHash(parent, path, 0, fs_u16StrLen(path));
+	return hash % ctx->m_fileHashTable;
 }
 
-void AddFileHashKey(romfs_buildctx *ctx,u32 parent, fs_romfs_char *path, u32 fileOffset)
+u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, fs_romfs_char* path)
 {
-	u32 hash = CalcPathHash(parent,path,0,fs_u16StrLen(path));
-	u32 index = hash % ctx->m_fileUTableEntry;
-	if(ctx->fileUTable[index] == ROMFS_UNUSED_ENTRY) ctx->fileUTable[index] = fileOffset;
-	else
-	{
-		romfs_fileentry * curfile = (romfs_fileentry*)(ctx->fileTable + ctx->fileUTable[index]);
-		while(1)
-		{
-			if(*(u32*)curfile->weirdoffset == ROMFS_UNUSED_ENTRY)
-			{
-				*(u32*)curfile->weirdoffset = fileOffset;
-				break;
-			}
-			else
-			{
-				curfile = (romfs_fileentry*)(ctx->fileTable + *(u32*)curfile->weirdoffset);
-			}
-		}
-	}
+	u32 hash = CalcPathHash(parent, path, 0, fs_u16StrLen(path));
+	return hash % ctx->m_dirHashTable;
 }
 
-int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
+void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 {
 	romfs_fileentry *entry = (romfs_fileentry*)(ctx->fileTable + ctx->u_fileTableLen);
 	
 	u32_to_u8(entry->parentdiroffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);	
-	u32_to_u8(entry->weirdoffset,ROMFS_UNUSED_ENTRY,LE);
 	
 	// Import Name
 	u32_to_u8(entry->namesize,file->name_len,LE);
 	u8 *name_pos = (u8*)(ctx->fileTable + ctx->u_fileTableLen + sizeof(romfs_fileentry));
 	memset(name_pos,0,align(file->name_len,4));
 	memcpy(name_pos,(u8*)file->name,file->name_len);
+
+	// Set Hash Data
+	u32 hashindex = GetFileHashTableIndex(ctx, parent, file->name);
+	u32_to_u8(entry->hashoffset, ctx->fileHashTable[hashindex], LE);
+	ctx->fileHashTable[hashindex] = ctx->u_fileTableLen;
+	
 	
 	// Import Data
 	if(file->size)
@@ -387,29 +373,31 @@ int AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 		ctx->u_dataLen += file->size; // adding file size
 	}
 	else
-		u64_to_u8(entry->dataoffset,0x40,LE);
+		u64_to_u8(entry->dataoffset,0x00,LE);
 		
-	AddFileHashKey(ctx,parent,file->name,ctx->u_fileTableLen);
+	//AddFileHashKey(ctx,parent,file->name,ctx->u_fileTableLen);
 	ctx->u_fileTableLen += sizeof(romfs_fileentry) + align(file->name_len,4);
-		
-	return 0;
 }
 
-int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
+void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 {
 	//wprintf(L"adding %s \n",fs->name);
-	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + ctx->u_dirTableLen);
+	u32 offset = ctx->u_dirTableLen;
+	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + offset);
 	
 	u32_to_u8(entry->parentoffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);	
-	u32_to_u8(entry->weirdoffset,ROMFS_UNUSED_ENTRY,LE);
-
-	u32 Currentdir = ctx->u_dirTableLen;
+	u32_to_u8(entry->childoffset, ROMFS_UNUSED_ENTRY, LE);
+	u32_to_u8(entry->fileoffset, ROMFS_UNUSED_ENTRY, LE);
 	
-	if(Currentdir == 0)
+	if(offset == 0)
 	{
 		u32_to_u8(entry->namesize,0,LE);
-		AddDirHashKey(ctx,parent,(fs_romfs_char*)ROMFS_EMPTY_PATH,ctx->u_dirTableLen);
+
+		u32 index = GetFileHashTableIndex(ctx, parent, (fs_romfs_char*)ROMFS_EMPTY_PATH);
+		u32_to_u8(entry->hashoffset, ctx->dirHashTable[index], LE);
+		ctx->dirHashTable[index] = ctx->u_dirTableLen;
+
 		ctx->u_dirTableLen += sizeof(romfs_direntry);
 	}
 	else
@@ -418,67 +406,87 @@ int AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 		u8 *name_pos = (u8*)(ctx->dirTable + ctx->u_dirTableLen + sizeof(romfs_direntry));
 		memset(name_pos,0,(u32)align(fs->name_len,4));
 		memcpy(name_pos,(u8*)fs->name,fs->name_len);
-		AddDirHashKey(ctx,parent,fs->name,ctx->u_dirTableLen);
+
+		u32 index = GetFileHashTableIndex(ctx, parent, fs->name);
+		u32_to_u8(entry->hashoffset, ctx->dirHashTable[index], LE);
+		ctx->dirHashTable[index] = ctx->u_dirTableLen;
+
 		ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->name_len,4);
 	}
+
+	//wprintf(L"added %s \n",fs->name);
+}
+
+void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
+{
+	//wprintf(L"adding %s \n",fs->name);
+	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + dir);
 	
-	if(fs->u_file)
+	if (fs->u_file)
 	{
-		u32_to_u8(entry->fileoffset,ctx->u_fileTableLen,LE);
-		
-		for(u32 i = 0; i < fs->u_file; i++)
+		u32_to_u8(entry->fileoffset, ctx->u_fileTableLen, LE);
+
+		for (u32 i = 0; i < fs->u_file; i++)
 		{
-			
+
 			u32 file_sibling = 0;
-			if(i >= fs->u_file-1)
+			if (i >= fs->u_file - 1)
 				file_sibling = ROMFS_UNUSED_ENTRY;
 			else
-				file_sibling = ctx->u_fileTableLen + sizeof(romfs_fileentry) + (u32)align(fs->file[i].name_len,4);
+				file_sibling = ctx->u_fileTableLen + sizeof(romfs_fileentry) + (u32)align(fs->file[i].name_len, 4);
 			//wprintf(L"adding %s (0x%lx)\n",fs->file[i].name,fs->file[i].size);
-			AddFileToRomfs(ctx,&fs->file[i],Currentdir,file_sibling);
+			AddFileToRomfs(ctx, &fs->file[i], dir, file_sibling);
 			//wprintf(L"added %s (0x%lx)\n",fs->file[i].name,fs->file[i].size);
 
 		}
 	}
-	else
-		u32_to_u8(entry->fileoffset,ROMFS_UNUSED_ENTRY,LE);
-	
+
 	//printf("Checking if to add dirs\n");
-	if(fs->u_dir)
+	if (fs->u_dir)
 	{
+		u32 *childs = calloc(fs->u_dir, sizeof(u32));
+		u32 dir_sibling;
+		romfs_direntry *temp_entry;
+
 		//printf(" is adding dirs \n");
-		u32_to_u8(entry->childoffset,ctx->u_dirTableLen,LE);
-		fs_dir *dir = (fs_dir*)fs->dir;
-		for(u32 i = 0; i < fs->u_dir; i++)
+		u32_to_u8(entry->childoffset, ctx->u_dirTableLen, LE);
+		fs_dir *subdir = (fs_dir*)fs->dir;
+		for (u32 i = 0; i < fs->u_dir; i++)
 		{
-			u32 dir_sibling = 0;
-			romfs_direntry *temp_entry = (romfs_direntry*)(ctx->dirTable + ctx->u_dirTableLen);
-			if(i >= fs->u_dir-1)
+			childs[i] = ctx->u_dirTableLen;
+			dir_sibling = 0;
+			temp_entry = (romfs_direntry*)(ctx->dirTable + ctx->u_dirTableLen);
+			
+			if (i >= fs->u_dir - 1)
 				dir_sibling = ROMFS_UNUSED_ENTRY;
 			else
-			{
-				//printf(" dir has sibling\n");
-				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(dir[i].name_len,4);
-			}
-			AddDirToRomfs(ctx,&dir[i],Currentdir,dir_sibling);
-			if(dir_sibling != ROMFS_UNUSED_ENTRY)
+				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(subdir[i].name_len, 4);
+			AddDirToRomfs(ctx, &subdir[i], dir, dir_sibling);
+			/* unnecessisary as the above prediction is correct
+			if (dir_sibling != ROMFS_UNUSED_ENTRY)
 			{
 				dir_sibling = ctx->u_dirTableLen;//修复同目录文件夹偏移 (Repair the same directory folder offset)
-				u32_to_u8(temp_entry->siblingoffset,dir_sibling,LE);
+				u32_to_u8(temp_entry->siblingoffset, dir_sibling, LE);
 			}
+			*/
+		}
+		for (u32 i = 0; i < fs->u_dir; i++)
+		{
+			AddDirChildrenToRomfs(ctx, &subdir[i], dir, childs[i]);
 		}
+
+		free(childs);
 	}
-	else
-		u32_to_u8(entry->childoffset,ROMFS_UNUSED_ENTRY,LE);
+
 	//printf(" finished adding dirs \n");
 
 	//wprintf(L"added %s \n",fs->name);
-	return 0;
 }
 
-int PopulateRomfs(romfs_buildctx *ctx)
+void PopulateRomfs(romfs_buildctx *ctx)
 {
-	return AddDirToRomfs(ctx,ctx->fs,0x0,ROMFS_UNUSED_ENTRY);
+	AddDirToRomfs(ctx, ctx->fs, 0x0, ROMFS_UNUSED_ENTRY);
+	AddDirChildrenToRomfs(ctx, ctx->fs, 0x0, 0);
 }
 
 void BuildIvfcHeader(romfs_buildctx *ctx)

From 4f47d71d9def0612b20495d3c6b0163b338b34b1 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 15 Sep 2015 22:28:49 +0800
Subject: [PATCH 083/317] makerom: cleaned romfs_gen.c

---
 makerom/romfs_gen.c | 113 +++++++++++++++++---------------------------
 1 file changed, 44 insertions(+), 69 deletions(-)

diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index ed45daa5..5a99ba4a 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -26,9 +26,7 @@ u32 CalcPathHash(u32 parent, fs_romfs_char* path, u32 start, u32 length);
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 {
-	// Input Path
-	//printf("Get input path\n");
-
+	/* Input Path */
 	const int CWD_MAX_LEN = 1024;
 	char *cwd = calloc(CWD_MAX_LEN,sizeof(char));
 	getcwd(cwd,CWD_MAX_LEN);
@@ -46,47 +44,33 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	fs_path = dir;
 #endif
 
-	// FS Structures
+	/* FS Structures */
 	void *filter_criteria = NULL;
-	//printf("calloc fs_raw\n");
 	fs_dir *fs_raw = calloc(1,sizeof(fs_dir));
-	//printf("calloc ctx->fs\n");
 	ctx->fs = calloc(1,sizeof(fs_dir));
-	//memdump(stdout,"ctx->fs: ",(u8*)ctx->fs,sizeof(fs_dir));
-	//printf("ctx->fs = 0x%x\n",ctx->fs);
 
-	// Import FS and process
-	//printf("open fs into fs_raw\n");
+	/* Import FS and process */
 	fs_OpenDir(fs_path,path,path_len,fs_raw);
-	//printf("filter fs_raw into ctx->fs\n");
 	FilterRomFS(fs_raw,ctx->fs,filter_criteria);
 	
-	// free unfiltered FS
-	//fs_PrintDir(fs_raw,0);
-	//printf("free discarded file ptrs\n");
+	/* free unfiltered FS */
 	fs_FreeFiles(fs_raw); // All important FPs have been moved with FilterRomFS, so only un-wanted FPs are closed here
-	//printf("free structs in fs_raw\n");
 	fs_FreeDir(fs_raw);
-	//printf("free fs_raw\n");
 	free(fs_raw);
 	
-	//printf("leave if no ROMFS needs to be made\n");
-	// If no wanted directory or file exists in root, don't make romfs
-	// a directory can be wanted if a wanted file exists somewhere under it
+	/* Abort romfs making, if no wanted files/directories were found */
 	if(ctx->fs->u_file == 0 && ctx->fs->u_dir == 0){
 		ctx->romfsSize = 0;
 		goto finish;
 	}
 	
 	
-	// Print Filtered FS
-	//printf("print filtered FS\n");
+	/* Print Filtered FS */
 	if(ncchset->options.verbose){
 		printf("[ROMFS] File System:\n");
 		fs_PrintDir(ctx->fs,0);
 	}
 	
-	//printf("predict romfs size\n");
 	CalcRomfsSize(ctx);
 	
 finish:
@@ -96,13 +80,13 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 
 int BuildRomFsBinary(romfs_buildctx *ctx)
 {
-	// Decide IVFC Level Actual Offsets
+	/* Decide IVFC Level Actual Offsets */
 	ctx->level[0].offset = 0;
 	ctx->level[3].offset = ctx->level[0].offset + align(ctx->level[0].size, ROMFS_BLOCK_SIZE);
 	ctx->level[1].offset = ctx->level[3].offset + align(ctx->level[3].size, ROMFS_BLOCK_SIZE);
 	ctx->level[2].offset = ctx->level[1].offset + align(ctx->level[1].size, ROMFS_BLOCK_SIZE);
 	
-	// Decide IVFC Level Logical Offsets
+	/* Decide IVFC Level Logical Offsets */
 	for(int i = 1; i < 4; i++){
 		if(i == 1)
 			ctx->level[i].logicalOffset = 0;
@@ -110,20 +94,20 @@ int BuildRomFsBinary(romfs_buildctx *ctx)
 			ctx->level[i].logicalOffset = align(ctx->level[i-1].logicalOffset + ctx->level[i-1].size,ROMFS_BLOCK_SIZE);
 	}
 	
-	// Setup IVFC Level Ptrs
+	/* Setup IVFC Level Ptrs */
 	for(int i = 0; i < 4; i++){
 		ctx->level[i].pos = (ctx->output + ctx->level[i].offset);
 		if(i == 0)
 			ctx->level[i].pos += align(sizeof(ivfc_hdr),0x10);
 	}
 	
-	// Build Romfs
+	/* Build Romfs */
 	ctx->romfsHdr = (romfs_infoheader*)(ctx->level[3].pos);
 	BuildRomfsHeader(ctx);
 	PopulateRomfs(ctx);
 	
 	
-	// Finalise by building IVFC hash tree
+	/* Finalise by building IVFC hash tree */
 	ctx->ivfcHdr = (ivfc_hdr*)(ctx->output + ctx->level[0].offset);
 	BuildIvfcHeader(ctx);
 	GenIvfcHashTree(ctx);
@@ -200,20 +184,16 @@ u32 GetHashTableCount(u32 num)
 void CalcRomfsSize(romfs_buildctx *ctx)
 {
 	ctx->dirNum = 1; // root dir
-	//printf("Recursively get FS sizes\n");
 	CalcDirSize(ctx,ctx->fs);
 	
-	//printf("check U tables\n");
 	ctx->u_dirHashTable = 0;
 	ctx->m_dirHashTable = GetHashTableCount(ctx->dirNum);
 		
 	ctx->u_fileHashTable = 0;
 	ctx->m_fileHashTable = GetHashTableCount(ctx->fileNum);
 	
-	//printf("calc romfs header size\n");
 	u32 romfsHdrSize = align(sizeof(romfs_infoheader) + ctx->m_dirHashTable*sizeof(u32) + ctx->m_dirTableLen + ctx->m_fileHashTable*sizeof(u32) + ctx->m_fileTableLen,0x10); 
 	
-	//printf("predict level sizes\n");
 	ctx->level[3].size = romfsHdrSize + ctx->m_dataLen; // data
 	ctx->level[2].size = align(ctx->level[3].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * SHA_256_LEN ;
 	ctx->level[1].size = align(ctx->level[2].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE * SHA_256_LEN ;
@@ -221,12 +201,9 @@ void CalcRomfsSize(romfs_buildctx *ctx)
 	
 	ctx->romfsHeaderSize = ctx->level[0].size;
 
-	//printf("calc total ROMFS size\n");
 	ctx->romfsSize = 0;
 	for(int i = 0; i < 4; i++)
-		ctx->romfsSize += align(ctx->level[i].size,ROMFS_BLOCK_SIZE);
-		
-	//printf("return from CalcRomfsSize();\n");
+		ctx->romfsSize += align(ctx->level[i].size,ROMFS_BLOCK_SIZE);		
 }
 
 int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria)
@@ -350,19 +327,19 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	u32_to_u8(entry->parentdiroffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);	
 	
-	// Import Name
+	/* Import name */
 	u32_to_u8(entry->namesize,file->name_len,LE);
 	u8 *name_pos = (u8*)(ctx->fileTable + ctx->u_fileTableLen + sizeof(romfs_fileentry));
 	memset(name_pos,0,align(file->name_len,4));
 	memcpy(name_pos,(u8*)file->name,file->name_len);
 
-	// Set Hash Data
+	/* Set hash data */
 	u32 hashindex = GetFileHashTableIndex(ctx, parent, file->name);
 	u32_to_u8(entry->hashoffset, ctx->fileHashTable[hashindex], LE);
 	ctx->fileHashTable[hashindex] = ctx->u_fileTableLen;
 	
 	
-	// Import Data
+	/* Import data */
 	if(file->size)
 	{
 		ctx->u_dataLen = align(ctx->u_dataLen,0x10); // Padding
@@ -375,101 +352,103 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	else
 		u64_to_u8(entry->dataoffset,0x00,LE);
 		
-	//AddFileHashKey(ctx,parent,file->name,ctx->u_fileTableLen);
+	/* Increment used file table length */
 	ctx->u_fileTableLen += sizeof(romfs_fileentry) + align(file->name_len,4);
 }
 
 void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 {
-	//wprintf(L"adding %s \n",fs->name);
 	u32 offset = ctx->u_dirTableLen;
+	u32 hashindex;
 	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + offset);
 	
+	/* Set entry data */
 	u32_to_u8(entry->parentoffset,parent,LE);
 	u32_to_u8(entry->siblingoffset,sibling,LE);	
 	u32_to_u8(entry->childoffset, ROMFS_UNUSED_ENTRY, LE);
 	u32_to_u8(entry->fileoffset, ROMFS_UNUSED_ENTRY, LE);
 	
+
+	/* If root dir ... */
 	if(offset == 0)
 	{
+		/* Import name (root dir has no name) */
 		u32_to_u8(entry->namesize,0,LE);
 
-		u32 index = GetFileHashTableIndex(ctx, parent, (fs_romfs_char*)ROMFS_EMPTY_PATH);
-		u32_to_u8(entry->hashoffset, ctx->dirHashTable[index], LE);
-		ctx->dirHashTable[index] = ctx->u_dirTableLen;
+		/* Get hash table index */
+		hashindex = GetFileHashTableIndex(ctx, parent, (fs_romfs_char*)ROMFS_EMPTY_PATH);
 
+		/* Increment used dir table length */
 		ctx->u_dirTableLen += sizeof(romfs_direntry);
 	}
 	else
 	{
+		/* Import name */
 		u32_to_u8(entry->namesize,fs->name_len,LE);
 		u8 *name_pos = (u8*)(ctx->dirTable + ctx->u_dirTableLen + sizeof(romfs_direntry));
 		memset(name_pos,0,(u32)align(fs->name_len,4));
 		memcpy(name_pos,(u8*)fs->name,fs->name_len);
 
-		u32 index = GetFileHashTableIndex(ctx, parent, fs->name);
-		u32_to_u8(entry->hashoffset, ctx->dirHashTable[index], LE);
-		ctx->dirHashTable[index] = ctx->u_dirTableLen;
+		/* Get hash table index */
+		hashindex = GetFileHashTableIndex(ctx, parent, fs->name);
 
+		/* Increment used dir table length */
 		ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->name_len,4);
 	}
 
-	//wprintf(L"added %s \n",fs->name);
+	/* Set hash data */
+	u32_to_u8(entry->hashoffset, ctx->dirHashTable[hashindex], LE);
+	ctx->dirHashTable[hashindex] = offset;
 }
 
 void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
 {
-	//wprintf(L"adding %s \n",fs->name);
 	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + dir);
 	
 	if (fs->u_file)
 	{
 		u32_to_u8(entry->fileoffset, ctx->u_fileTableLen, LE);
 
+		/* Create file entries*/
 		for (u32 i = 0; i < fs->u_file; i++)
 		{
-
+			/* If is the last file, no more siblings */
 			u32 file_sibling = 0;
 			if (i >= fs->u_file - 1)
 				file_sibling = ROMFS_UNUSED_ENTRY;
 			else
 				file_sibling = ctx->u_fileTableLen + sizeof(romfs_fileentry) + (u32)align(fs->file[i].name_len, 4);
-			//wprintf(L"adding %s (0x%lx)\n",fs->file[i].name,fs->file[i].size);
-			AddFileToRomfs(ctx, &fs->file[i], dir, file_sibling);
-			//wprintf(L"added %s (0x%lx)\n",fs->file[i].name,fs->file[i].size);
 
+			/* Create file entry */
+			AddFileToRomfs(ctx, &fs->file[i], dir, file_sibling);
 		}
 	}
 
-	//printf("Checking if to add dirs\n");
 	if (fs->u_dir)
 	{
+		/* Prepare to store child addresses */
 		u32 *childs = calloc(fs->u_dir, sizeof(u32));
-		u32 dir_sibling;
-		romfs_direntry *temp_entry;
 
-		//printf(" is adding dirs \n");
+		/* Create child directory entries*/
 		u32_to_u8(entry->childoffset, ctx->u_dirTableLen, LE);
 		fs_dir *subdir = (fs_dir*)fs->dir;
 		for (u32 i = 0; i < fs->u_dir; i++)
 		{
+			/* Store address fo child */
 			childs[i] = ctx->u_dirTableLen;
-			dir_sibling = 0;
-			temp_entry = (romfs_direntry*)(ctx->dirTable + ctx->u_dirTableLen);
 			
+			
+			u32 dir_sibling = 0;
 			if (i >= fs->u_dir - 1)
 				dir_sibling = ROMFS_UNUSED_ENTRY;
 			else
 				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(subdir[i].name_len, 4);
+			
+			/* Create child directory entry */
 			AddDirToRomfs(ctx, &subdir[i], dir, dir_sibling);
-			/* unnecessisary as the above prediction is correct
-			if (dir_sibling != ROMFS_UNUSED_ENTRY)
-			{
-				dir_sibling = ctx->u_dirTableLen;//修复同目录文件夹偏移 (Repair the same directory folder offset)
-				u32_to_u8(temp_entry->siblingoffset, dir_sibling, LE);
-			}
-			*/
 		}
+
+		/* Populate child's childs */
 		for (u32 i = 0; i < fs->u_dir; i++)
 		{
 			AddDirChildrenToRomfs(ctx, &subdir[i], dir, childs[i]);
@@ -477,10 +456,6 @@ void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
 
 		free(childs);
 	}
-
-	//printf(" finished adding dirs \n");
-
-	//wprintf(L"added %s \n",fs->name);
 }
 
 void PopulateRomfs(romfs_buildctx *ctx)

From 66203c674bce6f1a76d9c615b6d5d9f216858017 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 15 Sep 2015 23:05:17 +0800
Subject: [PATCH 084/317] makerom: removed unnecessary polarssl files & updated
 makefile

---
 makerom/Makefile                |   26 +-
 makerom/polarssl/arc4.c         |  173 --
 makerom/polarssl/asn1parse.c    |  260 --
 makerom/polarssl/asn1write.c    |  241 --
 makerom/polarssl/blowfish.c     |  632 -----
 makerom/polarssl/camellia.c     | 1035 --------
 makerom/polarssl/certs.c        |  196 --
 makerom/polarssl/cipher.c       |  602 -----
 makerom/polarssl/cipher_wrap.c  |  711 ------
 makerom/polarssl/ctr_drbg.c     |  562 -----
 makerom/polarssl/debug.c        |  238 --
 makerom/polarssl/des.c          |  997 --------
 makerom/polarssl/dhm.c          |  302 ---
 makerom/polarssl/entropy.c      |  204 --
 makerom/polarssl/entropy_poll.c |  136 --
 makerom/polarssl/error.c        |  612 -----
 makerom/polarssl/gcm.c          |  621 -----
 makerom/polarssl/havege.c       |  231 --
 makerom/polarssl/md2.c          |  368 ---
 makerom/polarssl/md4.c          |  464 ----
 makerom/polarssl/net.c          |  374 ---
 makerom/polarssl/padlock.c      |  162 --
 makerom/polarssl/pbkdf2.c       |   60 -
 makerom/polarssl/pem.c          |  355 ---
 makerom/polarssl/pkcs11.c       |  238 --
 makerom/polarssl/pkcs12.c       |  330 ---
 makerom/polarssl/pkcs5.c        |  415 ----
 makerom/polarssl/ssl_cache.c    |  221 --
 makerom/polarssl/ssl_cli.c      | 1386 -----------
 makerom/polarssl/ssl_srv.c      | 1623 -------------
 makerom/polarssl/ssl_tls.c      | 3991 -------------------------------
 makerom/polarssl/timing.c       |  312 ---
 makerom/polarssl/version.c      |   50 -
 makerom/polarssl/x509parse.c    | 3809 -----------------------------
 makerom/polarssl/x509write.c    |  285 ---
 makerom/polarssl/xtea.c         |  251 --
 36 files changed, 8 insertions(+), 22465 deletions(-)
 delete mode 100644 makerom/polarssl/arc4.c
 delete mode 100644 makerom/polarssl/asn1parse.c
 delete mode 100644 makerom/polarssl/asn1write.c
 delete mode 100644 makerom/polarssl/blowfish.c
 delete mode 100644 makerom/polarssl/camellia.c
 delete mode 100644 makerom/polarssl/certs.c
 delete mode 100644 makerom/polarssl/cipher.c
 delete mode 100644 makerom/polarssl/cipher_wrap.c
 delete mode 100644 makerom/polarssl/ctr_drbg.c
 delete mode 100644 makerom/polarssl/debug.c
 delete mode 100644 makerom/polarssl/des.c
 delete mode 100644 makerom/polarssl/dhm.c
 delete mode 100644 makerom/polarssl/entropy.c
 delete mode 100644 makerom/polarssl/entropy_poll.c
 delete mode 100644 makerom/polarssl/error.c
 delete mode 100644 makerom/polarssl/gcm.c
 delete mode 100644 makerom/polarssl/havege.c
 delete mode 100644 makerom/polarssl/md2.c
 delete mode 100644 makerom/polarssl/md4.c
 delete mode 100644 makerom/polarssl/net.c
 delete mode 100644 makerom/polarssl/padlock.c
 delete mode 100644 makerom/polarssl/pbkdf2.c
 delete mode 100644 makerom/polarssl/pem.c
 delete mode 100644 makerom/polarssl/pkcs11.c
 delete mode 100644 makerom/polarssl/pkcs12.c
 delete mode 100644 makerom/polarssl/pkcs5.c
 delete mode 100644 makerom/polarssl/ssl_cache.c
 delete mode 100644 makerom/polarssl/ssl_cli.c
 delete mode 100644 makerom/polarssl/ssl_srv.c
 delete mode 100644 makerom/polarssl/ssl_tls.c
 delete mode 100644 makerom/polarssl/timing.c
 delete mode 100644 makerom/polarssl/version.c
 delete mode 100644 makerom/polarssl/x509parse.c
 delete mode 100644 makerom/polarssl/x509write.c
 delete mode 100644 makerom/polarssl/xtea.c

diff --git a/makerom/Makefile b/makerom/Makefile
index 669476ae..ef47794a 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -1,19 +1,9 @@
-# Makerom Sources
-UTILS_OBJS = utils.o ctr_utils.o dir.o utf.o keyset.o titleid.o
-CIA_OBJS = cia.o certs.o tik.o tmd.o
-NCCH_OBJS = ncch.o exheader.o accessdesc.o exefs.o elf.o romfs.o romfs_import.o romfs_gen.o
-NCSD_OBJS = ncsd.o cardinfo.o
-SETTINGS_OBJS = user_settings.o rsf_settings.o
-LIB_API_OBJS = crypto.o yaml_parser.o blz.o
-
-OBJS = makerom.o $(UTILS_OBJS) $(LIB_API_OBJS) $(SETTINGS_OBJS) $(NCSD_OBJS) $(NCCH_OBJS) $(CIA_OBJS)
-
-# Libraries
-POLAR_OBJS = polarssl/aes.o polarssl/rsa.o  polarssl/sha1.o polarssl/sha2.o polarssl/base64.o polarssl/bignum.o polarssl/padlock.o polarssl/md.o polarssl/md_wrap.o polarssl/md5.o polarssl/sha4.o 
-YAML_OBJS = libyaml/api.o libyaml/dumper.o libyaml/emitter.o libyaml/loader.o libyaml/parser.o libyaml/reader.o libyaml/scanner.o libyaml/writer.o
+# Sources
+SRC_DIR = . polarssl libyaml
+OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 
 # Compiler Settings
-LIBS = -static-libgcc -static-libstdc++
+LIBS = -static-libgcc
 CXXFLAGS = -I.
 CFLAGS = --std=c99 -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. -DMAKEROM_VER_MAJOR=$(VER_MAJOR) -DMAKEROM_VER_MINOR=$(VER_MINOR) $(MAKEROM_BUILD_FLAGS) -m64
 CC = gcc
@@ -21,15 +11,15 @@ CC = gcc
 # MAKEROM Build Settings
 MAKEROM_BUILD_FLAGS = #-DDEBUG
 VER_MAJOR = 0
-VER_MINOR = 13
+VER_MINOR = 14
 OUTPUT = makerom
 
 main: build
 
 rebuild: clean build
 
-build: $(OBJS) $(POLAR_OBJS) $(YAML_OBJS)
-	g++ -o $(OUTPUT) $(LIBS) $(OBJS) $(POLAR_OBJS) $(YAML_OBJS) -m64
+build: $(OBJS)
+	g++ -o $(OUTPUT) $(LIBS) $(OBJS) -m64
 
 clean:
-	rm -rf $(OUTPUT) $(OBJS) $(POLAR_OBJS) $(YAML_OBJS) *.cci *.cia *.cxi *.cfa
\ No newline at end of file
+	rm -rf $(OUTPUT) $(OBJS) *.cci *.cia *.cxi *.cfa
\ No newline at end of file
diff --git a/makerom/polarssl/arc4.c b/makerom/polarssl/arc4.c
deleted file mode 100644
index 85b78f5b..00000000
--- a/makerom/polarssl/arc4.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- *  An implementation of the ARCFOUR algorithm
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The ARCFOUR algorithm was publicly disclosed on 94/09.
- *
- *  http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_ARC4_C)
-
-#include "polarssl/arc4.h"
-
-#if !defined(POLARSSL_ARC4_ALT)
-
-/*
- * ARC4 key schedule
- */
-void arc4_setup( arc4_context *ctx, const unsigned char *key, unsigned int keylen )
-{
-    int i, j, a;
-    unsigned int k;
-    unsigned char *m;
-
-    ctx->x = 0;
-    ctx->y = 0;
-    m = ctx->m;
-
-    for( i = 0; i < 256; i++ )
-        m[i] = (unsigned char) i;
-
-    j = k = 0;
-
-    for( i = 0; i < 256; i++, k++ )
-    {
-        if( k >= keylen ) k = 0;
-
-        a = m[i];
-        j = ( j + a + key[k] ) & 0xFF;
-        m[i] = m[j];
-        m[j] = (unsigned char) a;
-    }
-}
-
-/*
- * ARC4 cipher function
- */
-int arc4_crypt( arc4_context *ctx, size_t length, const unsigned char *input,
-                unsigned char *output )
-{
-    int x, y, a, b;
-    size_t i;
-    unsigned char *m;
-
-    x = ctx->x;
-    y = ctx->y;
-    m = ctx->m;
-
-    for( i = 0; i < length; i++ )
-    {
-        x = ( x + 1 ) & 0xFF; a = m[x];
-        y = ( y + a ) & 0xFF; b = m[y];
-
-        m[x] = (unsigned char) b;
-        m[y] = (unsigned char) a;
-
-        output[i] = (unsigned char)
-            ( input[i] ^ m[(unsigned char)( a + b )] );
-    }
-
-    ctx->x = x;
-    ctx->y = y;
-
-    return( 0 );
-}
-
-#endif /* !POLARSSL_ARC4_ALT */
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <string.h>
-#include <stdio.h>
-
-/*
- * ARC4 tests vectors as posted by Eric Rescorla in sep. 1994:
- *
- * http://groups.google.com/group/comp.security.misc/msg/10a300c9d21afca0
- */
-static const unsigned char arc4_test_key[3][8] =
-{
-    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
-    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
-};
-
-static const unsigned char arc4_test_pt[3][8] =
-{
-    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
-};
-
-static const unsigned char arc4_test_ct[3][8] =
-{
-    { 0x75, 0xB7, 0x87, 0x80, 0x99, 0xE0, 0xC5, 0x96 },
-    { 0x74, 0x94, 0xC2, 0xE7, 0x10, 0x4B, 0x08, 0x79 },
-    { 0xDE, 0x18, 0x89, 0x41, 0xA3, 0x37, 0x5D, 0x3A }
-};
-
-/*
- * Checkup routine
- */
-int arc4_self_test( int verbose )
-{
-    int i;
-    unsigned char ibuf[8];
-    unsigned char obuf[8];
-    arc4_context ctx;
-
-    for( i = 0; i < 3; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  ARC4 test #%d: ", i + 1 );
-
-        memcpy( ibuf, arc4_test_pt[i], 8 );
-
-        arc4_setup( &ctx, arc4_test_key[i], 8 );
-        arc4_crypt( &ctx, 8, ibuf, obuf );
-
-        if( memcmp( obuf, arc4_test_ct[i], 8 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/asn1parse.c b/makerom/polarssl/asn1parse.c
deleted file mode 100644
index 2584774a..00000000
--- a/makerom/polarssl/asn1parse.c
+++ /dev/null
@@ -1,260 +0,0 @@
-/*
- *  Generic ASN.1 parsing
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_ASN1_PARSE_C)
-
-#include "polarssl/asn1.h"
-
-#if defined(POLARSSL_BIGNUM_C)
-#include "polarssl/bignum.h"
-#endif
-
-#include <string.h>
-#include <stdlib.h>
-#include <time.h>
-
-/*
- * ASN.1 DER decoding routines
- */
-int asn1_get_len( unsigned char **p,
-                  const unsigned char *end,
-                  size_t *len )
-{
-    if( ( end - *p ) < 1 )
-        return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    if( ( **p & 0x80 ) == 0 )
-        *len = *(*p)++;
-    else
-    {
-        switch( **p & 0x7F )
-        {
-        case 1:
-            if( ( end - *p ) < 2 )
-                return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-            *len = (*p)[1];
-            (*p) += 2;
-            break;
-
-        case 2:
-            if( ( end - *p ) < 3 )
-                return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-            *len = ( (*p)[1] << 8 ) | (*p)[2];
-            (*p) += 3;
-            break;
-
-        case 3:
-            if( ( end - *p ) < 4 )
-                return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-            *len = ( (*p)[1] << 16 ) | ( (*p)[2] << 8 ) | (*p)[3];
-            (*p) += 4;
-            break;
-
-        case 4:
-            if( ( end - *p ) < 5 )
-                return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-            *len = ( (*p)[1] << 24 ) | ( (*p)[2] << 16 ) | ( (*p)[3] << 8 ) | (*p)[4];
-            (*p) += 5;
-            break;
-
-        default:
-            return( POLARSSL_ERR_ASN1_INVALID_LENGTH );
-        }
-    }
-
-    if( *len > (size_t) ( end - *p ) )
-        return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    return( 0 );
-}
-
-int asn1_get_tag( unsigned char **p,
-                  const unsigned char *end,
-                  size_t *len, int tag )
-{
-    if( ( end - *p ) < 1 )
-        return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    if( **p != tag )
-        return( POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
-
-    (*p)++;
-
-    return( asn1_get_len( p, end, len ) );
-}
-
-int asn1_get_bool( unsigned char **p,
-                   const unsigned char *end,
-                   int *val )
-{
-    int ret;
-    size_t len;
-
-    if( ( ret = asn1_get_tag( p, end, &len, ASN1_BOOLEAN ) ) != 0 )
-        return( ret );
-
-    if( len != 1 )
-        return( POLARSSL_ERR_ASN1_INVALID_LENGTH );
-
-    *val = ( **p != 0 ) ? 1 : 0;
-    (*p)++;
-
-    return( 0 );
-}
-
-int asn1_get_int( unsigned char **p,
-                  const unsigned char *end,
-                  int *val )
-{
-    int ret;
-    size_t len;
-
-    if( ( ret = asn1_get_tag( p, end, &len, ASN1_INTEGER ) ) != 0 )
-        return( ret );
-
-    if( len > sizeof( int ) || ( **p & 0x80 ) != 0 )
-        return( POLARSSL_ERR_ASN1_INVALID_LENGTH );
-
-    *val = 0;
-
-    while( len-- > 0 )
-    {
-        *val = ( *val << 8 ) | **p;
-        (*p)++;
-    }
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_BIGNUM_C)
-int asn1_get_mpi( unsigned char **p,
-                  const unsigned char *end,
-                  mpi *X )
-{
-    int ret;
-    size_t len;
-
-    if( ( ret = asn1_get_tag( p, end, &len, ASN1_INTEGER ) ) != 0 )
-        return( ret );
-
-    ret = mpi_read_binary( X, *p, len );
-
-    *p += len;
-
-    return( ret );
-}
-#endif /* POLARSSL_BIGNUM_C */
-
-int asn1_get_bitstring( unsigned char **p, const unsigned char *end,
-                        asn1_bitstring *bs)
-{
-    int ret;
-
-    /* Certificate type is a single byte bitstring */
-    if( ( ret = asn1_get_tag( p, end, &bs->len, ASN1_BIT_STRING ) ) != 0 )
-        return( ret );
-
-    /* Check length, subtract one for actual bit string length */
-    if ( bs->len < 1 )
-        return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
-    bs->len -= 1;
-
-    /* Get number of unused bits, ensure unused bits <= 7 */
-    bs->unused_bits = **p;
-    if( bs->unused_bits > 7 )
-        return( POLARSSL_ERR_ASN1_INVALID_LENGTH );
-    (*p)++;
-
-    /* Get actual bitstring */
-    bs->p = *p;
-    *p += bs->len;
-
-    if( *p != end )
-        return( POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return 0;
-}
-
-
-/*
- *  Parses and splits an ASN.1 "SEQUENCE OF <tag>"
- */
-int asn1_get_sequence_of( unsigned char **p,
-                          const unsigned char *end,
-                          asn1_sequence *cur,
-                          int tag)
-{
-    int ret;
-    size_t len;
-    asn1_buf *buf;
-
-    /* Get main sequence tag */
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( ret );
-
-    if( *p + len != end )
-        return( POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    while( *p < end )
-    {
-        buf = &(cur->buf);
-        buf->tag = **p;
-
-        if( ( ret = asn1_get_tag( p, end, &buf->len, tag ) ) != 0 )
-            return( ret );
-
-        buf->p = *p;
-        *p += buf->len;
-
-        /* Allocate and assign next pointer */
-        if (*p < end)
-        {
-            cur->next = (asn1_sequence *) malloc(
-                 sizeof( asn1_sequence ) );
-
-            if( cur->next == NULL )
-                return( POLARSSL_ERR_ASN1_MALLOC_FAILED );
-
-            cur = cur->next;
-        }
-    }
-
-    /* Set final sequence entry's next pointer to NULL */
-    cur->next = NULL;
-
-    if( *p != end )
-        return( POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-#endif
diff --git a/makerom/polarssl/asn1write.c b/makerom/polarssl/asn1write.c
deleted file mode 100644
index e50c17c5..00000000
--- a/makerom/polarssl/asn1write.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/*
- * ASN.1 buffer writing functionality
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_ASN1_WRITE_C)
-
-#include "polarssl/asn1write.h"
-
-int asn1_write_len( unsigned char **p, unsigned char *start, size_t len )
-{
-    if( len < 0x80 )
-    {
-        if( *p - start < 1 )
-            return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-        *--(*p) = len;
-        return( 1 );
-    }
-
-    if( len <= 0xFF )
-    {
-        if( *p - start < 2 )
-            return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-        *--(*p) = len;
-        *--(*p) = 0x81;
-        return( 2 );
-    }
-
-    if( *p - start < 3 )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    // We assume we never have lengths larger than 65535 bytes
-    //
-    *--(*p) = len % 256;
-    *--(*p) = ( len / 256 ) % 256;
-    *--(*p) = 0x82;
-
-    return( 3 );
-}
-
-int asn1_write_tag( unsigned char **p, unsigned char *start, unsigned char tag )
-{
-    if( *p - start < 1 )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    *--(*p) = tag;
-
-    return( 1 );
-}
-
-int asn1_write_mpi( unsigned char **p, unsigned char *start, mpi *X )
-{
-    int ret;
-    size_t len = 0;
-
-    // Write the MPI
-    //
-    len = mpi_size( X );
-
-    if( *p - start < (int) len )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    (*p) -= len;
-    mpi_write_binary( X, *p, len );
-
-    // DER format assumes 2s complement for numbers, so the leftmost bit
-    // should be 0 for positive numbers and 1 for negative numbers.
-    //
-    if ( X->s ==1 && **p & 0x80 )
-    {
-        if( *p - start < 1 )
-            return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-        *--(*p) = 0x00;
-        len += 1;
-    }
-
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_INTEGER ) );
-
-    return( len );
-}
-    
-int asn1_write_null( unsigned char **p, unsigned char *start )
-{
-    int ret;
-    size_t len = 0;
-
-    // Write NULL
-    //
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, 0) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_NULL ) );
-
-    return( len );
-}
-
-int asn1_write_oid( unsigned char **p, unsigned char *start, char *oid )
-{
-    int ret;
-    size_t len = 0;
-
-    // Write OID
-    //
-    len = strlen( oid );
-
-    if( *p - start < (int) len )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    (*p) -= len;
-    memcpy( *p, oid, len );
-
-    ASN1_CHK_ADD( len , asn1_write_len( p, start, len ) );
-    ASN1_CHK_ADD( len , asn1_write_tag( p, start, ASN1_OID ) );
-
-    return( len );
-}
-
-int asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
-                                     char *algorithm_oid )
-{
-    int ret;
-    size_t null_len = 0;
-    size_t oid_len = 0;
-    size_t len = 0;
-
-    // Write NULL
-    //
-    ASN1_CHK_ADD( null_len, asn1_write_null( p, start ) );
-
-    // Write OID
-    //
-    ASN1_CHK_ADD( oid_len, asn1_write_oid( p, start, algorithm_oid ) );
-
-    len = oid_len + null_len;
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, oid_len + null_len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start,
-                                       ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    return( len );
-}
-
-int asn1_write_int( unsigned char **p, unsigned char *start, int val )
-{
-    int ret;
-    size_t len = 0;
-
-    // TODO negative values and values larger than 128
-    // DER format assumes 2s complement for numbers, so the leftmost bit
-    // should be 0 for positive numbers and 1 for negative numbers.
-    //
-    if( *p - start < 1 )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    len += 1;
-    *--(*p) = val;
-
-    if ( val > 0 && **p & 0x80 )
-    {
-        if( *p - start < 1 )
-            return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-        *--(*p) = 0x00;
-        len += 1;
-    }
-
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_INTEGER ) );
-
-    return( len );
-}
-
-int asn1_write_printable_string( unsigned char **p, unsigned char *start,
-                                 char *text )
-{
-    int ret;
-    size_t len = 0;
-
-    // Write string
-    //
-    len = strlen( text );
-
-    if( *p - start < (int) len )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    (*p) -= len;
-    memcpy( *p, text, len );
-
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_PRINTABLE_STRING ) );
-
-    return( len );
-}
-    
-int asn1_write_ia5_string( unsigned char **p, unsigned char *start,
-                          char *text )
-{
-    int ret;
-    size_t len = 0;
-
-    // Write string
-    //
-    len = strlen( text );
-
-    if( *p - start < (int) len )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    (*p) -= len;
-    memcpy( *p, text, len );
-
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_IA5_STRING ) );
-
-    return( len );
-}
-    
-
-#endif
diff --git a/makerom/polarssl/blowfish.c b/makerom/polarssl/blowfish.c
deleted file mode 100644
index 719aea61..00000000
--- a/makerom/polarssl/blowfish.c
+++ /dev/null
@@ -1,632 +0,0 @@
-/*
- *  Blowfish implementation
- *
- *  Copyright (C) 2012-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The Blowfish block cipher was designed by Bruce Schneier in 1993.
- *  http://www.schneier.com/blowfish.html
- *  http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
- *
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_BLOWFISH_C)
-
-#include "polarssl/blowfish.h"
-
-#if !defined(POLARSSL_BLOWFISH_ALT)
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 3]       );            \
-}
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-static const uint32_t P[BLOWFISH_ROUNDS + 2] = {
-        0x243F6A88L, 0x85A308D3L, 0x13198A2EL, 0x03707344L,
-        0xA4093822L, 0x299F31D0L, 0x082EFA98L, 0xEC4E6C89L,
-        0x452821E6L, 0x38D01377L, 0xBE5466CFL, 0x34E90C6CL,
-        0xC0AC29B7L, 0xC97C50DDL, 0x3F84D5B5L, 0xB5470917L,
-        0x9216D5D9L, 0x8979FB1BL
-};
-
-/* declarations of data at the end of this file */
-static const uint32_t S[4][256];
-
-static uint32_t F(blowfish_context *ctx, uint32_t x) 
-{
-   unsigned short a, b, c, d;
-   uint32_t  y;
-
-   d = (unsigned short)(x & 0xFF);
-   x >>= 8;
-   c = (unsigned short)(x & 0xFF);
-   x >>= 8;
-   b = (unsigned short)(x & 0xFF);
-   x >>= 8;
-   a = (unsigned short)(x & 0xFF);
-   y = ctx->S[0][a] + ctx->S[1][b];
-   y = y ^ ctx->S[2][c];
-   y = y + ctx->S[3][d];
-
-   return y;
-}
-
-static void blowfish_enc(blowfish_context *ctx, uint32_t *xl, uint32_t *xr) 
-{
-    uint32_t  Xl, Xr, temp;
-    short i;
-
-    Xl = *xl;
-    Xr = *xr;
-
-    for (i = 0; i < BLOWFISH_ROUNDS; ++i) 
-    {
-        Xl = Xl ^ ctx->P[i];
-        Xr = F(ctx, Xl) ^ Xr;
-
-        temp = Xl;
-        Xl = Xr;
-        Xr = temp;
-    }
-
-    temp = Xl;
-    Xl = Xr;
-    Xr = temp;
-
-    Xr = Xr ^ ctx->P[BLOWFISH_ROUNDS];
-    Xl = Xl ^ ctx->P[BLOWFISH_ROUNDS + 1];
-
-    *xl = Xl;
-    *xr = Xr;
-}
-
-static void blowfish_dec(blowfish_context *ctx, uint32_t *xl, uint32_t *xr) 
-{
-    uint32_t  Xl, Xr, temp;
-    short i;
-
-    Xl = *xl;
-    Xr = *xr;
-
-    for (i = BLOWFISH_ROUNDS + 1; i > 1; --i) 
-    {
-        Xl = Xl ^ ctx->P[i];
-        Xr = F(ctx, Xl) ^ Xr;
-
-        temp = Xl;
-        Xl = Xr;
-        Xr = temp;
-    }
-
-    temp = Xl;
-    Xl = Xr;
-    Xr = temp;
-
-    Xr = Xr ^ ctx->P[1];
-    Xl = Xl ^ ctx->P[0];
-
-    *xl = Xl;
-    *xr = Xr;
-}
-
-/*
- * Blowfish key schedule
- */
-int blowfish_setkey( blowfish_context *ctx, const unsigned char *key, unsigned int keysize )
-{
-    unsigned int i, j, k;
-    uint32_t data, datal, datar;
-
-    if( keysize < BLOWFISH_MIN_KEY || keysize > BLOWFISH_MAX_KEY ||
-        ( keysize % 8 ) ) 
-    {
-        return POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH;
-    }
-
-    keysize >>= 3;
-
-    for( i = 0; i < 4; i++ ) 
-    {
-        for( j = 0; j < 256; j++ )
-            ctx->S[i][j] = S[i][j];
-    }
-
-    j = 0;
-    for( i = 0; i < BLOWFISH_ROUNDS + 2; ++i )
-    {
-        data = 0x00000000;
-        for( k = 0; k < 4; ++k )
-        {
-            data = ( data << 8 ) | key[j++];
-            if( j >= keysize )
-                j = 0;
-        }
-        ctx->P[i] = P[i] ^ data;
-    }
-
-    datal = 0x00000000;
-    datar = 0x00000000;
-
-    for( i = 0; i < BLOWFISH_ROUNDS + 2; i += 2 )
-    {
-        blowfish_enc( ctx, &datal, &datar );
-        ctx->P[i] = datal;
-        ctx->P[i + 1] = datar;
-    }
-
-    for( i = 0; i < 4; i++ )
-    {
-       for( j = 0; j < 256; j += 2 )
-       {
-            blowfish_enc( ctx, &datal, &datar );
-            ctx->S[i][j] = datal;
-            ctx->S[i][j + 1] = datar;
-        }
-    }
-    return( 0 );
-}
-
-/*
- * Blowfish-ECB block encryption/decryption
- */
-int blowfish_crypt_ecb( blowfish_context *ctx,
-                    int mode,
-                    const unsigned char input[BLOWFISH_BLOCKSIZE],
-                    unsigned char output[BLOWFISH_BLOCKSIZE] )
-{
-    uint32_t X0, X1;
-
-    GET_UINT32_BE( X0, input,  0 ); 
-    GET_UINT32_BE( X1, input,  4 ); 
-
-    if( mode == BLOWFISH_DECRYPT )
-    {
-        blowfish_dec(ctx, &X0, &X1);
-    }
-    else /* BLOWFISH_ENCRYPT */
-    {
-        blowfish_enc(ctx, &X0, &X1);
-    }
-
-    PUT_UINT32_BE( X0, output,  0 );
-    PUT_UINT32_BE( X1, output,  4 );
-
-    return( 0 );
-}
-
-/*
- * Blowfish-CBC buffer encryption/decryption
- */
-int blowfish_crypt_cbc( blowfish_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[BLOWFISH_BLOCKSIZE],
-                    const unsigned char *input,
-                    unsigned char *output )
-{
-    int i;
-    unsigned char temp[BLOWFISH_BLOCKSIZE];
-
-    if( length % BLOWFISH_BLOCKSIZE )
-        return( POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH );
-
-    if( mode == BLOWFISH_DECRYPT )
-    {
-        while( length > 0 )
-        {
-            memcpy( temp, input, BLOWFISH_BLOCKSIZE );
-            blowfish_crypt_ecb( ctx, mode, input, output );
-
-            for( i = 0; i < BLOWFISH_BLOCKSIZE;i++ )
-                output[i] = (unsigned char)( output[i] ^ iv[i] );
-
-            memcpy( iv, temp, BLOWFISH_BLOCKSIZE );
-
-            input  += BLOWFISH_BLOCKSIZE;
-            output += BLOWFISH_BLOCKSIZE;
-            length -= BLOWFISH_BLOCKSIZE;
-        }
-    }
-    else
-    {
-        while( length > 0 )
-        {
-            for( i = 0; i < BLOWFISH_BLOCKSIZE; i++ )
-                output[i] = (unsigned char)( input[i] ^ iv[i] );
-
-            blowfish_crypt_ecb( ctx, mode, output, output );
-            memcpy( iv, output, BLOWFISH_BLOCKSIZE );
-
-            input  += BLOWFISH_BLOCKSIZE;
-            output += BLOWFISH_BLOCKSIZE;
-            length -= BLOWFISH_BLOCKSIZE;
-        }
-    }
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-/*
- * Blowfish CFB buffer encryption/decryption
- */
-int blowfish_crypt_cfb64( blowfish_context *ctx,
-                       int mode,
-                       size_t length,
-                       size_t *iv_off,
-                       unsigned char iv[BLOWFISH_BLOCKSIZE],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int c;
-    size_t n = *iv_off;
-
-    if( mode == BLOWFISH_DECRYPT )
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                blowfish_crypt_ecb( ctx, BLOWFISH_ENCRYPT, iv, iv );
-
-            c = *input++;
-            *output++ = (unsigned char)( c ^ iv[n] );
-            iv[n] = (unsigned char) c;
-
-            n = (n + 1) % BLOWFISH_BLOCKSIZE;
-        }
-    }
-    else
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                blowfish_crypt_ecb( ctx, BLOWFISH_ENCRYPT, iv, iv );
-
-            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
-
-            n = (n + 1) % BLOWFISH_BLOCKSIZE;
-        }
-    }
-
-    *iv_off = n;
-
-    return( 0 );
-}
-#endif /*POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-/*
- * Blowfish CTR buffer encryption/decryption
- */
-int blowfish_crypt_ctr( blowfish_context *ctx,
-                       size_t length,
-                       size_t *nc_off,
-                       unsigned char nonce_counter[BLOWFISH_BLOCKSIZE],
-                       unsigned char stream_block[BLOWFISH_BLOCKSIZE],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int c, i;
-    size_t n = *nc_off;
-
-    while( length-- )
-    {
-        if( n == 0 ) {
-            blowfish_crypt_ecb( ctx, BLOWFISH_ENCRYPT, nonce_counter, stream_block );
-
-            for( i = BLOWFISH_BLOCKSIZE; i > 0; i-- )
-                if( ++nonce_counter[i - 1] != 0 )
-                    break;
-        }
-        c = *input++;
-        *output++ = (unsigned char)( c ^ stream_block[n] );
-
-        n = (n + 1) % BLOWFISH_BLOCKSIZE;
-    }
-
-    *nc_off = n;
-
-    return( 0 );
-}
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-static const uint32_t S[4][256] = {
-    {   0xD1310BA6L, 0x98DFB5ACL, 0x2FFD72DBL, 0xD01ADFB7L,
-        0xB8E1AFEDL, 0x6A267E96L, 0xBA7C9045L, 0xF12C7F99L,
-        0x24A19947L, 0xB3916CF7L, 0x0801F2E2L, 0x858EFC16L,
-        0x636920D8L, 0x71574E69L, 0xA458FEA3L, 0xF4933D7EL,
-        0x0D95748FL, 0x728EB658L, 0x718BCD58L, 0x82154AEEL,
-        0x7B54A41DL, 0xC25A59B5L, 0x9C30D539L, 0x2AF26013L,
-        0xC5D1B023L, 0x286085F0L, 0xCA417918L, 0xB8DB38EFL,
-        0x8E79DCB0L, 0x603A180EL, 0x6C9E0E8BL, 0xB01E8A3EL,
-        0xD71577C1L, 0xBD314B27L, 0x78AF2FDAL, 0x55605C60L,
-        0xE65525F3L, 0xAA55AB94L, 0x57489862L, 0x63E81440L,
-        0x55CA396AL, 0x2AAB10B6L, 0xB4CC5C34L, 0x1141E8CEL,
-        0xA15486AFL, 0x7C72E993L, 0xB3EE1411L, 0x636FBC2AL,
-        0x2BA9C55DL, 0x741831F6L, 0xCE5C3E16L, 0x9B87931EL,
-        0xAFD6BA33L, 0x6C24CF5CL, 0x7A325381L, 0x28958677L,
-        0x3B8F4898L, 0x6B4BB9AFL, 0xC4BFE81BL, 0x66282193L,
-        0x61D809CCL, 0xFB21A991L, 0x487CAC60L, 0x5DEC8032L,
-        0xEF845D5DL, 0xE98575B1L, 0xDC262302L, 0xEB651B88L,
-        0x23893E81L, 0xD396ACC5L, 0x0F6D6FF3L, 0x83F44239L,
-        0x2E0B4482L, 0xA4842004L, 0x69C8F04AL, 0x9E1F9B5EL,
-        0x21C66842L, 0xF6E96C9AL, 0x670C9C61L, 0xABD388F0L,
-        0x6A51A0D2L, 0xD8542F68L, 0x960FA728L, 0xAB5133A3L,
-        0x6EEF0B6CL, 0x137A3BE4L, 0xBA3BF050L, 0x7EFB2A98L,
-        0xA1F1651DL, 0x39AF0176L, 0x66CA593EL, 0x82430E88L,
-        0x8CEE8619L, 0x456F9FB4L, 0x7D84A5C3L, 0x3B8B5EBEL,
-        0xE06F75D8L, 0x85C12073L, 0x401A449FL, 0x56C16AA6L,
-        0x4ED3AA62L, 0x363F7706L, 0x1BFEDF72L, 0x429B023DL,
-        0x37D0D724L, 0xD00A1248L, 0xDB0FEAD3L, 0x49F1C09BL,
-        0x075372C9L, 0x80991B7BL, 0x25D479D8L, 0xF6E8DEF7L,
-        0xE3FE501AL, 0xB6794C3BL, 0x976CE0BDL, 0x04C006BAL,
-        0xC1A94FB6L, 0x409F60C4L, 0x5E5C9EC2L, 0x196A2463L,
-        0x68FB6FAFL, 0x3E6C53B5L, 0x1339B2EBL, 0x3B52EC6FL,
-        0x6DFC511FL, 0x9B30952CL, 0xCC814544L, 0xAF5EBD09L,
-        0xBEE3D004L, 0xDE334AFDL, 0x660F2807L, 0x192E4BB3L,
-        0xC0CBA857L, 0x45C8740FL, 0xD20B5F39L, 0xB9D3FBDBL,
-        0x5579C0BDL, 0x1A60320AL, 0xD6A100C6L, 0x402C7279L,
-        0x679F25FEL, 0xFB1FA3CCL, 0x8EA5E9F8L, 0xDB3222F8L,
-        0x3C7516DFL, 0xFD616B15L, 0x2F501EC8L, 0xAD0552ABL,
-        0x323DB5FAL, 0xFD238760L, 0x53317B48L, 0x3E00DF82L,
-        0x9E5C57BBL, 0xCA6F8CA0L, 0x1A87562EL, 0xDF1769DBL,
-        0xD542A8F6L, 0x287EFFC3L, 0xAC6732C6L, 0x8C4F5573L,
-        0x695B27B0L, 0xBBCA58C8L, 0xE1FFA35DL, 0xB8F011A0L,
-        0x10FA3D98L, 0xFD2183B8L, 0x4AFCB56CL, 0x2DD1D35BL,
-        0x9A53E479L, 0xB6F84565L, 0xD28E49BCL, 0x4BFB9790L,
-        0xE1DDF2DAL, 0xA4CB7E33L, 0x62FB1341L, 0xCEE4C6E8L,
-        0xEF20CADAL, 0x36774C01L, 0xD07E9EFEL, 0x2BF11FB4L,
-        0x95DBDA4DL, 0xAE909198L, 0xEAAD8E71L, 0x6B93D5A0L,
-        0xD08ED1D0L, 0xAFC725E0L, 0x8E3C5B2FL, 0x8E7594B7L,
-        0x8FF6E2FBL, 0xF2122B64L, 0x8888B812L, 0x900DF01CL,
-        0x4FAD5EA0L, 0x688FC31CL, 0xD1CFF191L, 0xB3A8C1ADL,
-        0x2F2F2218L, 0xBE0E1777L, 0xEA752DFEL, 0x8B021FA1L,
-        0xE5A0CC0FL, 0xB56F74E8L, 0x18ACF3D6L, 0xCE89E299L,
-        0xB4A84FE0L, 0xFD13E0B7L, 0x7CC43B81L, 0xD2ADA8D9L,
-        0x165FA266L, 0x80957705L, 0x93CC7314L, 0x211A1477L,
-        0xE6AD2065L, 0x77B5FA86L, 0xC75442F5L, 0xFB9D35CFL,
-        0xEBCDAF0CL, 0x7B3E89A0L, 0xD6411BD3L, 0xAE1E7E49L,
-        0x00250E2DL, 0x2071B35EL, 0x226800BBL, 0x57B8E0AFL,
-        0x2464369BL, 0xF009B91EL, 0x5563911DL, 0x59DFA6AAL,
-        0x78C14389L, 0xD95A537FL, 0x207D5BA2L, 0x02E5B9C5L,
-        0x83260376L, 0x6295CFA9L, 0x11C81968L, 0x4E734A41L,
-        0xB3472DCAL, 0x7B14A94AL, 0x1B510052L, 0x9A532915L,
-        0xD60F573FL, 0xBC9BC6E4L, 0x2B60A476L, 0x81E67400L,
-        0x08BA6FB5L, 0x571BE91FL, 0xF296EC6BL, 0x2A0DD915L,
-        0xB6636521L, 0xE7B9F9B6L, 0xFF34052EL, 0xC5855664L,
-        0x53B02D5DL, 0xA99F8FA1L, 0x08BA4799L, 0x6E85076AL   },
-    {   0x4B7A70E9L, 0xB5B32944L, 0xDB75092EL, 0xC4192623L,
-        0xAD6EA6B0L, 0x49A7DF7DL, 0x9CEE60B8L, 0x8FEDB266L,
-        0xECAA8C71L, 0x699A17FFL, 0x5664526CL, 0xC2B19EE1L,
-        0x193602A5L, 0x75094C29L, 0xA0591340L, 0xE4183A3EL,
-        0x3F54989AL, 0x5B429D65L, 0x6B8FE4D6L, 0x99F73FD6L,
-        0xA1D29C07L, 0xEFE830F5L, 0x4D2D38E6L, 0xF0255DC1L,
-        0x4CDD2086L, 0x8470EB26L, 0x6382E9C6L, 0x021ECC5EL,
-        0x09686B3FL, 0x3EBAEFC9L, 0x3C971814L, 0x6B6A70A1L,
-        0x687F3584L, 0x52A0E286L, 0xB79C5305L, 0xAA500737L,
-        0x3E07841CL, 0x7FDEAE5CL, 0x8E7D44ECL, 0x5716F2B8L,
-        0xB03ADA37L, 0xF0500C0DL, 0xF01C1F04L, 0x0200B3FFL,
-        0xAE0CF51AL, 0x3CB574B2L, 0x25837A58L, 0xDC0921BDL,
-        0xD19113F9L, 0x7CA92FF6L, 0x94324773L, 0x22F54701L,
-        0x3AE5E581L, 0x37C2DADCL, 0xC8B57634L, 0x9AF3DDA7L,
-        0xA9446146L, 0x0FD0030EL, 0xECC8C73EL, 0xA4751E41L,
-        0xE238CD99L, 0x3BEA0E2FL, 0x3280BBA1L, 0x183EB331L,
-        0x4E548B38L, 0x4F6DB908L, 0x6F420D03L, 0xF60A04BFL,
-        0x2CB81290L, 0x24977C79L, 0x5679B072L, 0xBCAF89AFL,
-        0xDE9A771FL, 0xD9930810L, 0xB38BAE12L, 0xDCCF3F2EL,
-        0x5512721FL, 0x2E6B7124L, 0x501ADDE6L, 0x9F84CD87L,
-        0x7A584718L, 0x7408DA17L, 0xBC9F9ABCL, 0xE94B7D8CL,
-        0xEC7AEC3AL, 0xDB851DFAL, 0x63094366L, 0xC464C3D2L,
-        0xEF1C1847L, 0x3215D908L, 0xDD433B37L, 0x24C2BA16L,
-        0x12A14D43L, 0x2A65C451L, 0x50940002L, 0x133AE4DDL,
-        0x71DFF89EL, 0x10314E55L, 0x81AC77D6L, 0x5F11199BL,
-        0x043556F1L, 0xD7A3C76BL, 0x3C11183BL, 0x5924A509L,
-        0xF28FE6EDL, 0x97F1FBFAL, 0x9EBABF2CL, 0x1E153C6EL,
-        0x86E34570L, 0xEAE96FB1L, 0x860E5E0AL, 0x5A3E2AB3L,
-        0x771FE71CL, 0x4E3D06FAL, 0x2965DCB9L, 0x99E71D0FL,
-        0x803E89D6L, 0x5266C825L, 0x2E4CC978L, 0x9C10B36AL,
-        0xC6150EBAL, 0x94E2EA78L, 0xA5FC3C53L, 0x1E0A2DF4L,
-        0xF2F74EA7L, 0x361D2B3DL, 0x1939260FL, 0x19C27960L,
-        0x5223A708L, 0xF71312B6L, 0xEBADFE6EL, 0xEAC31F66L,
-        0xE3BC4595L, 0xA67BC883L, 0xB17F37D1L, 0x018CFF28L,
-        0xC332DDEFL, 0xBE6C5AA5L, 0x65582185L, 0x68AB9802L,
-        0xEECEA50FL, 0xDB2F953BL, 0x2AEF7DADL, 0x5B6E2F84L,
-        0x1521B628L, 0x29076170L, 0xECDD4775L, 0x619F1510L,
-        0x13CCA830L, 0xEB61BD96L, 0x0334FE1EL, 0xAA0363CFL,
-        0xB5735C90L, 0x4C70A239L, 0xD59E9E0BL, 0xCBAADE14L,
-        0xEECC86BCL, 0x60622CA7L, 0x9CAB5CABL, 0xB2F3846EL,
-        0x648B1EAFL, 0x19BDF0CAL, 0xA02369B9L, 0x655ABB50L,
-        0x40685A32L, 0x3C2AB4B3L, 0x319EE9D5L, 0xC021B8F7L,
-        0x9B540B19L, 0x875FA099L, 0x95F7997EL, 0x623D7DA8L,
-        0xF837889AL, 0x97E32D77L, 0x11ED935FL, 0x16681281L,
-        0x0E358829L, 0xC7E61FD6L, 0x96DEDFA1L, 0x7858BA99L,
-        0x57F584A5L, 0x1B227263L, 0x9B83C3FFL, 0x1AC24696L,
-        0xCDB30AEBL, 0x532E3054L, 0x8FD948E4L, 0x6DBC3128L,
-        0x58EBF2EFL, 0x34C6FFEAL, 0xFE28ED61L, 0xEE7C3C73L,
-        0x5D4A14D9L, 0xE864B7E3L, 0x42105D14L, 0x203E13E0L,
-        0x45EEE2B6L, 0xA3AAABEAL, 0xDB6C4F15L, 0xFACB4FD0L,
-        0xC742F442L, 0xEF6ABBB5L, 0x654F3B1DL, 0x41CD2105L,
-        0xD81E799EL, 0x86854DC7L, 0xE44B476AL, 0x3D816250L,
-        0xCF62A1F2L, 0x5B8D2646L, 0xFC8883A0L, 0xC1C7B6A3L,
-        0x7F1524C3L, 0x69CB7492L, 0x47848A0BL, 0x5692B285L,
-        0x095BBF00L, 0xAD19489DL, 0x1462B174L, 0x23820E00L,
-        0x58428D2AL, 0x0C55F5EAL, 0x1DADF43EL, 0x233F7061L,
-        0x3372F092L, 0x8D937E41L, 0xD65FECF1L, 0x6C223BDBL,
-        0x7CDE3759L, 0xCBEE7460L, 0x4085F2A7L, 0xCE77326EL,
-        0xA6078084L, 0x19F8509EL, 0xE8EFD855L, 0x61D99735L,
-        0xA969A7AAL, 0xC50C06C2L, 0x5A04ABFCL, 0x800BCADCL,
-        0x9E447A2EL, 0xC3453484L, 0xFDD56705L, 0x0E1E9EC9L,
-        0xDB73DBD3L, 0x105588CDL, 0x675FDA79L, 0xE3674340L,
-        0xC5C43465L, 0x713E38D8L, 0x3D28F89EL, 0xF16DFF20L,
-        0x153E21E7L, 0x8FB03D4AL, 0xE6E39F2BL, 0xDB83ADF7L   },
-    {   0xE93D5A68L, 0x948140F7L, 0xF64C261CL, 0x94692934L,
-        0x411520F7L, 0x7602D4F7L, 0xBCF46B2EL, 0xD4A20068L,
-        0xD4082471L, 0x3320F46AL, 0x43B7D4B7L, 0x500061AFL,
-        0x1E39F62EL, 0x97244546L, 0x14214F74L, 0xBF8B8840L,
-        0x4D95FC1DL, 0x96B591AFL, 0x70F4DDD3L, 0x66A02F45L,
-        0xBFBC09ECL, 0x03BD9785L, 0x7FAC6DD0L, 0x31CB8504L,
-        0x96EB27B3L, 0x55FD3941L, 0xDA2547E6L, 0xABCA0A9AL,
-        0x28507825L, 0x530429F4L, 0x0A2C86DAL, 0xE9B66DFBL,
-        0x68DC1462L, 0xD7486900L, 0x680EC0A4L, 0x27A18DEEL,
-        0x4F3FFEA2L, 0xE887AD8CL, 0xB58CE006L, 0x7AF4D6B6L,
-        0xAACE1E7CL, 0xD3375FECL, 0xCE78A399L, 0x406B2A42L,
-        0x20FE9E35L, 0xD9F385B9L, 0xEE39D7ABL, 0x3B124E8BL,
-        0x1DC9FAF7L, 0x4B6D1856L, 0x26A36631L, 0xEAE397B2L,
-        0x3A6EFA74L, 0xDD5B4332L, 0x6841E7F7L, 0xCA7820FBL,
-        0xFB0AF54EL, 0xD8FEB397L, 0x454056ACL, 0xBA489527L,
-        0x55533A3AL, 0x20838D87L, 0xFE6BA9B7L, 0xD096954BL,
-        0x55A867BCL, 0xA1159A58L, 0xCCA92963L, 0x99E1DB33L,
-        0xA62A4A56L, 0x3F3125F9L, 0x5EF47E1CL, 0x9029317CL,
-        0xFDF8E802L, 0x04272F70L, 0x80BB155CL, 0x05282CE3L,
-        0x95C11548L, 0xE4C66D22L, 0x48C1133FL, 0xC70F86DCL,
-        0x07F9C9EEL, 0x41041F0FL, 0x404779A4L, 0x5D886E17L,
-        0x325F51EBL, 0xD59BC0D1L, 0xF2BCC18FL, 0x41113564L,
-        0x257B7834L, 0x602A9C60L, 0xDFF8E8A3L, 0x1F636C1BL,
-        0x0E12B4C2L, 0x02E1329EL, 0xAF664FD1L, 0xCAD18115L,
-        0x6B2395E0L, 0x333E92E1L, 0x3B240B62L, 0xEEBEB922L,
-        0x85B2A20EL, 0xE6BA0D99L, 0xDE720C8CL, 0x2DA2F728L,
-        0xD0127845L, 0x95B794FDL, 0x647D0862L, 0xE7CCF5F0L,
-        0x5449A36FL, 0x877D48FAL, 0xC39DFD27L, 0xF33E8D1EL,
-        0x0A476341L, 0x992EFF74L, 0x3A6F6EABL, 0xF4F8FD37L,
-        0xA812DC60L, 0xA1EBDDF8L, 0x991BE14CL, 0xDB6E6B0DL,
-        0xC67B5510L, 0x6D672C37L, 0x2765D43BL, 0xDCD0E804L,
-        0xF1290DC7L, 0xCC00FFA3L, 0xB5390F92L, 0x690FED0BL,
-        0x667B9FFBL, 0xCEDB7D9CL, 0xA091CF0BL, 0xD9155EA3L,
-        0xBB132F88L, 0x515BAD24L, 0x7B9479BFL, 0x763BD6EBL,
-        0x37392EB3L, 0xCC115979L, 0x8026E297L, 0xF42E312DL,
-        0x6842ADA7L, 0xC66A2B3BL, 0x12754CCCL, 0x782EF11CL,
-        0x6A124237L, 0xB79251E7L, 0x06A1BBE6L, 0x4BFB6350L,
-        0x1A6B1018L, 0x11CAEDFAL, 0x3D25BDD8L, 0xE2E1C3C9L,
-        0x44421659L, 0x0A121386L, 0xD90CEC6EL, 0xD5ABEA2AL,
-        0x64AF674EL, 0xDA86A85FL, 0xBEBFE988L, 0x64E4C3FEL,
-        0x9DBC8057L, 0xF0F7C086L, 0x60787BF8L, 0x6003604DL,
-        0xD1FD8346L, 0xF6381FB0L, 0x7745AE04L, 0xD736FCCCL,
-        0x83426B33L, 0xF01EAB71L, 0xB0804187L, 0x3C005E5FL,
-        0x77A057BEL, 0xBDE8AE24L, 0x55464299L, 0xBF582E61L,
-        0x4E58F48FL, 0xF2DDFDA2L, 0xF474EF38L, 0x8789BDC2L,
-        0x5366F9C3L, 0xC8B38E74L, 0xB475F255L, 0x46FCD9B9L,
-        0x7AEB2661L, 0x8B1DDF84L, 0x846A0E79L, 0x915F95E2L,
-        0x466E598EL, 0x20B45770L, 0x8CD55591L, 0xC902DE4CL,
-        0xB90BACE1L, 0xBB8205D0L, 0x11A86248L, 0x7574A99EL,
-        0xB77F19B6L, 0xE0A9DC09L, 0x662D09A1L, 0xC4324633L,
-        0xE85A1F02L, 0x09F0BE8CL, 0x4A99A025L, 0x1D6EFE10L,
-        0x1AB93D1DL, 0x0BA5A4DFL, 0xA186F20FL, 0x2868F169L,
-        0xDCB7DA83L, 0x573906FEL, 0xA1E2CE9BL, 0x4FCD7F52L,
-        0x50115E01L, 0xA70683FAL, 0xA002B5C4L, 0x0DE6D027L,
-        0x9AF88C27L, 0x773F8641L, 0xC3604C06L, 0x61A806B5L,
-        0xF0177A28L, 0xC0F586E0L, 0x006058AAL, 0x30DC7D62L,
-        0x11E69ED7L, 0x2338EA63L, 0x53C2DD94L, 0xC2C21634L,
-        0xBBCBEE56L, 0x90BCB6DEL, 0xEBFC7DA1L, 0xCE591D76L,
-        0x6F05E409L, 0x4B7C0188L, 0x39720A3DL, 0x7C927C24L,
-        0x86E3725FL, 0x724D9DB9L, 0x1AC15BB4L, 0xD39EB8FCL,
-        0xED545578L, 0x08FCA5B5L, 0xD83D7CD3L, 0x4DAD0FC4L,
-        0x1E50EF5EL, 0xB161E6F8L, 0xA28514D9L, 0x6C51133CL,
-        0x6FD5C7E7L, 0x56E14EC4L, 0x362ABFCEL, 0xDDC6C837L,
-        0xD79A3234L, 0x92638212L, 0x670EFA8EL, 0x406000E0L  },
-    {   0x3A39CE37L, 0xD3FAF5CFL, 0xABC27737L, 0x5AC52D1BL,
-        0x5CB0679EL, 0x4FA33742L, 0xD3822740L, 0x99BC9BBEL,
-        0xD5118E9DL, 0xBF0F7315L, 0xD62D1C7EL, 0xC700C47BL,
-        0xB78C1B6BL, 0x21A19045L, 0xB26EB1BEL, 0x6A366EB4L,
-        0x5748AB2FL, 0xBC946E79L, 0xC6A376D2L, 0x6549C2C8L,
-        0x530FF8EEL, 0x468DDE7DL, 0xD5730A1DL, 0x4CD04DC6L,
-        0x2939BBDBL, 0xA9BA4650L, 0xAC9526E8L, 0xBE5EE304L,
-        0xA1FAD5F0L, 0x6A2D519AL, 0x63EF8CE2L, 0x9A86EE22L,
-        0xC089C2B8L, 0x43242EF6L, 0xA51E03AAL, 0x9CF2D0A4L,
-        0x83C061BAL, 0x9BE96A4DL, 0x8FE51550L, 0xBA645BD6L,
-        0x2826A2F9L, 0xA73A3AE1L, 0x4BA99586L, 0xEF5562E9L,
-        0xC72FEFD3L, 0xF752F7DAL, 0x3F046F69L, 0x77FA0A59L,
-        0x80E4A915L, 0x87B08601L, 0x9B09E6ADL, 0x3B3EE593L,
-        0xE990FD5AL, 0x9E34D797L, 0x2CF0B7D9L, 0x022B8B51L,
-        0x96D5AC3AL, 0x017DA67DL, 0xD1CF3ED6L, 0x7C7D2D28L,
-        0x1F9F25CFL, 0xADF2B89BL, 0x5AD6B472L, 0x5A88F54CL,
-        0xE029AC71L, 0xE019A5E6L, 0x47B0ACFDL, 0xED93FA9BL,
-        0xE8D3C48DL, 0x283B57CCL, 0xF8D56629L, 0x79132E28L,
-        0x785F0191L, 0xED756055L, 0xF7960E44L, 0xE3D35E8CL,
-        0x15056DD4L, 0x88F46DBAL, 0x03A16125L, 0x0564F0BDL,
-        0xC3EB9E15L, 0x3C9057A2L, 0x97271AECL, 0xA93A072AL,
-        0x1B3F6D9BL, 0x1E6321F5L, 0xF59C66FBL, 0x26DCF319L,
-        0x7533D928L, 0xB155FDF5L, 0x03563482L, 0x8ABA3CBBL,
-        0x28517711L, 0xC20AD9F8L, 0xABCC5167L, 0xCCAD925FL,
-        0x4DE81751L, 0x3830DC8EL, 0x379D5862L, 0x9320F991L,
-        0xEA7A90C2L, 0xFB3E7BCEL, 0x5121CE64L, 0x774FBE32L,
-        0xA8B6E37EL, 0xC3293D46L, 0x48DE5369L, 0x6413E680L,
-        0xA2AE0810L, 0xDD6DB224L, 0x69852DFDL, 0x09072166L,
-        0xB39A460AL, 0x6445C0DDL, 0x586CDECFL, 0x1C20C8AEL,
-        0x5BBEF7DDL, 0x1B588D40L, 0xCCD2017FL, 0x6BB4E3BBL,
-        0xDDA26A7EL, 0x3A59FF45L, 0x3E350A44L, 0xBCB4CDD5L,
-        0x72EACEA8L, 0xFA6484BBL, 0x8D6612AEL, 0xBF3C6F47L,
-        0xD29BE463L, 0x542F5D9EL, 0xAEC2771BL, 0xF64E6370L,
-        0x740E0D8DL, 0xE75B1357L, 0xF8721671L, 0xAF537D5DL,
-        0x4040CB08L, 0x4EB4E2CCL, 0x34D2466AL, 0x0115AF84L,
-        0xE1B00428L, 0x95983A1DL, 0x06B89FB4L, 0xCE6EA048L,
-        0x6F3F3B82L, 0x3520AB82L, 0x011A1D4BL, 0x277227F8L,
-        0x611560B1L, 0xE7933FDCL, 0xBB3A792BL, 0x344525BDL,
-        0xA08839E1L, 0x51CE794BL, 0x2F32C9B7L, 0xA01FBAC9L,
-        0xE01CC87EL, 0xBCC7D1F6L, 0xCF0111C3L, 0xA1E8AAC7L,
-        0x1A908749L, 0xD44FBD9AL, 0xD0DADECBL, 0xD50ADA38L,
-        0x0339C32AL, 0xC6913667L, 0x8DF9317CL, 0xE0B12B4FL,
-        0xF79E59B7L, 0x43F5BB3AL, 0xF2D519FFL, 0x27D9459CL,
-        0xBF97222CL, 0x15E6FC2AL, 0x0F91FC71L, 0x9B941525L,
-        0xFAE59361L, 0xCEB69CEBL, 0xC2A86459L, 0x12BAA8D1L,
-        0xB6C1075EL, 0xE3056A0CL, 0x10D25065L, 0xCB03A442L,
-        0xE0EC6E0EL, 0x1698DB3BL, 0x4C98A0BEL, 0x3278E964L,
-        0x9F1F9532L, 0xE0D392DFL, 0xD3A0342BL, 0x8971F21EL,
-        0x1B0A7441L, 0x4BA3348CL, 0xC5BE7120L, 0xC37632D8L,
-        0xDF359F8DL, 0x9B992F2EL, 0xE60B6F47L, 0x0FE3F11DL,
-        0xE54CDA54L, 0x1EDAD891L, 0xCE6279CFL, 0xCD3E7E6FL,
-        0x1618B166L, 0xFD2C1D05L, 0x848FD2C5L, 0xF6FB2299L,
-        0xF523F357L, 0xA6327623L, 0x93A83531L, 0x56CCCD02L,
-        0xACF08162L, 0x5A75EBB5L, 0x6E163697L, 0x88D273CCL,
-        0xDE966292L, 0x81B949D0L, 0x4C50901BL, 0x71C65614L,
-        0xE6C6C7BDL, 0x327A140AL, 0x45E1D006L, 0xC3F27B9AL,
-        0xC9AA53FDL, 0x62A80F00L, 0xBB25BFE2L, 0x35BDD2F6L,
-        0x71126905L, 0xB2040222L, 0xB6CBCF7CL, 0xCD769C2BL,
-        0x53113EC0L, 0x1640E3D3L, 0x38ABBD60L, 0x2547ADF0L,
-        0xBA38209CL, 0xF746CE76L, 0x77AFA1C5L, 0x20756060L,
-        0x85CBFE4EL, 0x8AE88DD8L, 0x7AAAF9B0L, 0x4CF9AA7EL,
-        0x1948C25CL, 0x02FB8A8CL, 0x01C36AE4L, 0xD6EBE1F9L,
-        0x90D4F869L, 0xA65CDEA0L, 0x3F09252DL, 0xC208E69FL,
-        0xB74E6132L, 0xCE77E25BL, 0x578FDFE3L, 0x3AC372E6L  }
-};
-
-#endif /* !POLARSSL_BLOWFISH_ALT */
-#endif /* POLARSSL_BLOWFISH_C */
diff --git a/makerom/polarssl/camellia.c b/makerom/polarssl/camellia.c
deleted file mode 100644
index bb878750..00000000
--- a/makerom/polarssl/camellia.c
+++ /dev/null
@@ -1,1035 +0,0 @@
-/*
- *  Camellia implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
- *  Corporation.
- *
- *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_CAMELLIA_C)
-
-#include "polarssl/camellia.h"
-
-#if !defined(POLARSSL_CAMELLIA_ALT)
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 3]       );            \
-}
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-static const unsigned char SIGMA_CHARS[6][8] =
-{
-    { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
-    { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
-    { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
-    { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
-    { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
-    { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
-};
-
-#if defined(POLARSSL_CAMELLIA_SMALL_MEMORY)
-
-static const unsigned char FSb[256] =
-{
-    112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
-     35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
-    134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
-    166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
-    139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
-    223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
-     20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
-    254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
-    170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
-     16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
-    135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
-     82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
-    233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
-    120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
-    114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
-     64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
-};
-
-#define SBOX1(n) FSb[(n)]
-#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
-#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
-#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
-
-#else
-
-static const unsigned char FSb[256] =
-{
-    112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
-    35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
-    134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
-    166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
-    139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
-    223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
-    20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
-    254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
-    170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
-    16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
-    135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
-    82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
-    233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
-    120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
-    114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
-    64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
-};
-
-static const unsigned char FSb2[256] =
-{
-    224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
-    70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
-    13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
-    77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
-    23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
-    191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
-    40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
-    253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
-    85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
-    32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
-    15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
-    164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
-    211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
-    240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
-    228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
-    128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
-};
-
-static const unsigned char FSb3[256] =
-{
-    56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
-    145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
-    67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
-    83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
-    197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
-    239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
-    10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
-    127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
-    85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
-    8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
-    195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
-    41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
-    244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
-    60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
-    57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
-    32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
-};
-
-static const unsigned char FSb4[256] =
-{
-    112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
-    134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
-    139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
-    20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
-    170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
-    135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
-    233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
-    114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
-    130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
-    184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
-    13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
-    88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
-    208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
-    92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
-    121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
-    7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
-};
-
-#define SBOX1(n) FSb[(n)]
-#define SBOX2(n) FSb2[(n)]
-#define SBOX3(n) FSb3[(n)]
-#define SBOX4(n) FSb4[(n)]
-
-#endif
-
-static const unsigned char shifts[2][4][4] =
-{
-    {
-        { 1, 1, 1, 1 }, /* KL */
-        { 0, 0, 0, 0 }, /* KR */
-        { 1, 1, 1, 1 }, /* KA */
-        { 0, 0, 0, 0 }  /* KB */
-    },
-    {
-        { 1, 0, 1, 1 }, /* KL */
-        { 1, 1, 0, 1 }, /* KR */
-        { 1, 1, 1, 0 }, /* KA */
-        { 1, 1, 0, 1 }  /* KB */
-    }
-};
-
-static const signed char indexes[2][4][20] =
-{
-    {
-        {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
-          36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
-        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
-        {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
-          18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
-        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
-    },
-    {
-        {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
-          -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
-        { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
-          18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
-        { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
-          56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
-        {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
-          22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
-    }
-};
-
-static const signed char transposes[2][20] =
-{
-    {
-        21, 22, 23, 20,
-        -1, -1, -1, -1,
-        18, 19, 16, 17,
-        11,  8,  9, 10,
-        15, 12, 13, 14
-    },
-    {
-        25, 26, 27, 24,
-        29, 30, 31, 28,
-        18, 19, 16, 17,
-        -1, -1, -1, -1,
-        -1, -1, -1, -1
-    }
-};
-
-/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
-#define ROTL(DEST, SRC, SHIFT)                                      \
-{                                                                   \
-    (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
-    (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
-    (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
-    (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
-}
-
-#define FL(XL, XR, KL, KR)                                          \
-{                                                                   \
-    (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
-    (XL) = ((XR) | (KR)) ^ (XL);                                    \
-}
-    
-#define FLInv(YL, YR, KL, KR)                                       \
-{                                                                   \
-    (YL) = ((YR) | (KR)) ^ (YL);                                    \
-    (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
-}
-    
-#define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
-{                                                           \
-    TK[0] = KC[(OFFSET) * 4 + 0];                           \
-    TK[1] = KC[(OFFSET) * 4 + 1];                           \
-    TK[2] = KC[(OFFSET) * 4 + 2];                           \
-    TK[3] = KC[(OFFSET) * 4 + 3];                           \
-                                                            \
-    for ( i = 1; i <= 4; i++ )                              \
-        if (shifts[(INDEX)][(OFFSET)][i -1])                \
-            ROTL(TK + i * 4, TK, (15 * i) % 32);            \
-                                                            \
-    for ( i = 0; i < 20; i++ )                              \
-        if (indexes[(INDEX)][(OFFSET)][i] != -1) {          \
-        RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];        \
-    }                                                       \
-}
-
-static void camellia_feistel(const uint32_t x[2], const uint32_t k[2], uint32_t z[2])
-{
-    uint32_t I0, I1;
-    I0 = x[0] ^ k[0];
-    I1 = x[1] ^ k[1];
-
-    I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
-         (SBOX2((I0 >> 16) & 0xFF) << 16) |
-         (SBOX3((I0 >>  8) & 0xFF) <<  8) |
-         (SBOX4((I0      ) & 0xFF)      );
-    I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
-         (SBOX3((I1 >> 16) & 0xFF) << 16) |
-         (SBOX4((I1 >>  8) & 0xFF) <<  8) |
-         (SBOX1((I1      ) & 0xFF)      );
-
-    I0 ^= (I1 << 8) | (I1 >> 24);
-    I1 ^= (I0 << 16) | (I0 >> 16);
-    I0 ^= (I1 >> 8) | (I1 << 24);
-    I1 ^= (I0 >> 8) | (I0 << 24);
-
-    z[0] ^= I1;
-    z[1] ^= I0;
-}
-
-/*
- * Camellia key schedule (encryption)
- */
-int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
-{
-    int idx;
-    size_t i;
-    uint32_t *RK;
-    unsigned char t[64];
-    uint32_t SIGMA[6][2];
-    uint32_t KC[16];
-    uint32_t TK[20];
-
-    RK = ctx->rk;
-
-    memset(t, 0, 64);
-    memset(RK, 0, sizeof(ctx->rk));
-
-    switch( keysize )
-    {
-        case 128: ctx->nr = 3; idx = 0; break;
-        case 192:
-        case 256: ctx->nr = 4; idx = 1; break;
-        default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
-    }
-
-    for( i = 0; i < keysize / 8; ++i)
-        t[i] = key[i];
-
-    if (keysize == 192) {
-        for (i = 0; i < 8; i++)
-            t[24 + i] = ~t[16 + i];
-    }
-
-    /*
-     * Prepare SIGMA values
-     */
-    for (i = 0; i < 6; i++) {
-        GET_UINT32_BE(SIGMA[i][0], SIGMA_CHARS[i], 0);
-        GET_UINT32_BE(SIGMA[i][1], SIGMA_CHARS[i], 4);
-    }
-
-    /*
-     * Key storage in KC
-     * Order: KL, KR, KA, KB
-     */
-    memset(KC, 0, sizeof(KC));
-
-    /* Store KL, KR */
-    for (i = 0; i < 8; i++)
-        GET_UINT32_BE(KC[i], t, i * 4);
-
-    /* Generate KA */
-    for( i = 0; i < 4; ++i)
-        KC[8 + i] = KC[i] ^ KC[4 + i];
-
-    camellia_feistel(KC + 8, SIGMA[0], KC + 10);
-    camellia_feistel(KC + 10, SIGMA[1], KC + 8);
-
-    for( i = 0; i < 4; ++i)
-        KC[8 + i] ^= KC[i];
-
-    camellia_feistel(KC + 8, SIGMA[2], KC + 10);
-    camellia_feistel(KC + 10, SIGMA[3], KC + 8);
-
-    if (keysize > 128) {
-        /* Generate KB */
-        for( i = 0; i < 4; ++i)
-            KC[12 + i] = KC[4 + i] ^ KC[8 + i];
-
-        camellia_feistel(KC + 12, SIGMA[4], KC + 14);
-        camellia_feistel(KC + 14, SIGMA[5], KC + 12);
-    }
-
-    /*
-     * Generating subkeys
-     */ 
-
-    /* Manipulating KL */
-    SHIFT_AND_PLACE(idx, 0);
-
-    /* Manipulating KR */
-    if (keysize > 128) {
-        SHIFT_AND_PLACE(idx, 1);
-    }
-
-    /* Manipulating KA */
-    SHIFT_AND_PLACE(idx, 2);
-
-    /* Manipulating KB */
-    if (keysize > 128) {
-        SHIFT_AND_PLACE(idx, 3);
-    }
-
-    /* Do transpositions */
-    for ( i = 0; i < 20; i++ ) {
-        if (transposes[idx][i] != -1) {
-            RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
-        }
-    }
-
-    return( 0 );
-}
-
-/*
- * Camellia key schedule (decryption)
- */
-int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize )
-{
-    int idx;
-    size_t i;
-    camellia_context cty;
-    uint32_t *RK;
-    uint32_t *SK;
-    int ret;
-
-    switch( keysize )
-    {
-        case 128: ctx->nr = 3; idx = 0; break;
-        case 192:
-        case 256: ctx->nr = 4; idx = 1; break;
-        default : return( POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH );
-    }
-
-    RK = ctx->rk;
-
-    ret = camellia_setkey_enc(&cty, key, keysize);
-    if( ret != 0 )
-        return( ret );
-
-    SK = cty.rk + 24 * 2 + 8 * idx * 2;
-
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-
-    for (i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4)
-    {
-        *RK++ = *SK++;
-        *RK++ = *SK++;
-    }
-
-    SK -= 2;
-
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-
-    memset( &cty, 0, sizeof( camellia_context ) );
-
-    return( 0 );
-}
-
-/*
- * Camellia-ECB block encryption/decryption
- */
-int camellia_crypt_ecb( camellia_context *ctx,
-                    int mode,
-                    const unsigned char input[16],
-                    unsigned char output[16] )
-{
-    int NR;
-    uint32_t *RK, X[4];
-
-    ( (void) mode );
-
-    NR = ctx->nr;
-    RK = ctx->rk;
-
-    GET_UINT32_BE( X[0], input,  0 );
-    GET_UINT32_BE( X[1], input,  4 );
-    GET_UINT32_BE( X[2], input,  8 );
-    GET_UINT32_BE( X[3], input, 12 );
-
-    X[0] ^= *RK++;
-    X[1] ^= *RK++;
-    X[2] ^= *RK++;
-    X[3] ^= *RK++;
-
-    while (NR) {
-        --NR;
-        camellia_feistel(X, RK, X + 2);
-        RK += 2;
-        camellia_feistel(X + 2, RK, X);
-        RK += 2;
-        camellia_feistel(X, RK, X + 2);
-        RK += 2;
-        camellia_feistel(X + 2, RK, X);
-        RK += 2;
-        camellia_feistel(X, RK, X + 2);
-        RK += 2;
-        camellia_feistel(X + 2, RK, X);
-        RK += 2;
-
-        if (NR) {
-            FL(X[0], X[1], RK[0], RK[1]);
-            RK += 2;
-            FLInv(X[2], X[3], RK[0], RK[1]);
-            RK += 2;
-        }
-    }
-
-    X[2] ^= *RK++;
-    X[3] ^= *RK++;
-    X[0] ^= *RK++;
-    X[1] ^= *RK++;
-
-    PUT_UINT32_BE( X[2], output,  0 );
-    PUT_UINT32_BE( X[3], output,  4 );
-    PUT_UINT32_BE( X[0], output,  8 );
-    PUT_UINT32_BE( X[1], output, 12 );
-
-    return( 0 );
-}
-
-/*
- * Camellia-CBC buffer encryption/decryption
- */
-int camellia_crypt_cbc( camellia_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[16],
-                    const unsigned char *input,
-                    unsigned char *output )
-{
-    int i;
-    unsigned char temp[16];
-
-    if( length % 16 )
-        return( POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
-
-    if( mode == CAMELLIA_DECRYPT )
-    {
-        while( length > 0 )
-        {
-            memcpy( temp, input, 16 );
-            camellia_crypt_ecb( ctx, mode, input, output );
-
-            for( i = 0; i < 16; i++ )
-                output[i] = (unsigned char)( output[i] ^ iv[i] );
-
-            memcpy( iv, temp, 16 );
-
-            input  += 16;
-            output += 16;
-            length -= 16;
-        }
-    }
-    else
-    {
-        while( length > 0 )
-        {
-            for( i = 0; i < 16; i++ )
-                output[i] = (unsigned char)( input[i] ^ iv[i] );
-
-            camellia_crypt_ecb( ctx, mode, output, output );
-            memcpy( iv, output, 16 );
-
-            input  += 16;
-            output += 16;
-            length -= 16;
-        }
-    }
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-/*
- * Camellia-CFB128 buffer encryption/decryption
- */
-int camellia_crypt_cfb128( camellia_context *ctx,
-                       int mode,
-                       size_t length,
-                       size_t *iv_off,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int c;
-    size_t n = *iv_off;
-
-    if( mode == CAMELLIA_DECRYPT )
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
-
-            c = *input++;
-            *output++ = (unsigned char)( c ^ iv[n] );
-            iv[n] = (unsigned char) c;
-
-            n = (n + 1) & 0x0F;
-        }
-    }
-    else
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, iv, iv );
-
-            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
-
-            n = (n + 1) & 0x0F;
-        }
-    }
-
-    *iv_off = n;
-
-    return( 0 );
-}
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-/*
- * Camellia-CTR buffer encryption/decryption
- */
-int camellia_crypt_ctr( camellia_context *ctx,
-                       size_t length,
-                       size_t *nc_off,
-                       unsigned char nonce_counter[16],
-                       unsigned char stream_block[16],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int c, i;
-    size_t n = *nc_off;
-
-    while( length-- )
-    {
-        if( n == 0 ) {
-            camellia_crypt_ecb( ctx, CAMELLIA_ENCRYPT, nonce_counter, stream_block );
-
-            for( i = 16; i > 0; i-- )
-                if( ++nonce_counter[i - 1] != 0 )
-                    break;
-        }
-        c = *input++;
-        *output++ = (unsigned char)( c ^ stream_block[n] );
-
-        n = (n + 1) & 0x0F;
-    }
-
-    *nc_off = n;
-
-    return( 0 );
-}
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-#endif /* !POLARSSL_CAMELLIA_ALT */
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-/*
- * Camellia test vectors from:
- *
- * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
- *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
- *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
- *                      (For each bitlength: Key 0, Nr 39)
- */
-#define CAMELLIA_TESTS_ECB  2
-
-static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
-{
-    {
-        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
-          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
-        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
-    },
-    {
-        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
-          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
-          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
-        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
-    },
-    {
-        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
-          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
-          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
-          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
-        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
-    },
-};
-
-static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
-{
-    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
-      0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
-    { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
-};
-
-static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
-{
-    {
-        { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
-          0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
-        { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
-          0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
-    },
-    {
-        { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
-          0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
-        { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
-          0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
-    },
-    {
-        { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
-          0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
-        { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
-          0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
-    }
-};
-
-#define CAMELLIA_TESTS_CBC  3
-
-static const unsigned char camellia_test_cbc_key[3][32] =
-{
-        { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
-          0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
-    ,
-        { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
-          0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
-          0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
-    ,
-        { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
-          0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
-          0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
-          0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
-};
-
-static const unsigned char camellia_test_cbc_iv[16] =
-
-    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
-;
-
-static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
-{
-    { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
-      0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
-    { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
-      0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
-    { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
-      0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
-
-};
-
-static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
-{
-    {
-        { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
-          0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
-        { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
-          0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
-        { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
-          0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
-    },
-    {
-        { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
-          0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
-        { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
-          0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
-        { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
-          0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
-    },
-    {
-        { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
-          0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
-        { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
-          0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
-        { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
-          0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
-    }
-};
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-/*
- * Camellia-CTR test vectors from:
- *
- * http://www.faqs.org/rfcs/rfc5528.html
- */
-
-static const unsigned char camellia_test_ctr_key[3][16] =
-{
-    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
-      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
-    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
-      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
-    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
-      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
-};
-
-static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
-{
-    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
-    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
-      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
-    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
-      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
-};
-
-static const unsigned char camellia_test_ctr_pt[3][48] =
-{
-    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
-      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
-
-    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
-      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
-
-    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
-      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
-      0x20, 0x21, 0x22, 0x23 }
-};
-
-static const unsigned char camellia_test_ctr_ct[3][48] =
-{
-    { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
-      0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
-    { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
-      0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
-      0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
-      0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
-    { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
-      0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
-      0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
-      0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
-      0xDF, 0x50, 0x86, 0x96 }
-};
-
-static const int camellia_test_ctr_len[3] =
-    { 16, 32, 36 };
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-/*
- * Checkup routine
- */
-int camellia_self_test( int verbose )
-{
-    int i, j, u, v;
-    unsigned char key[32];
-    unsigned char buf[64];
-    unsigned char src[16];
-    unsigned char dst[16];
-    unsigned char iv[16];
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    size_t offset, len;
-    unsigned char nonce_counter[16];
-    unsigned char stream_block[16];
-#endif
-
-    camellia_context ctx;
-
-    memset( key, 0, 32 );
-
-    for (j = 0; j < 6; j++) {
-        u = j >> 1;
-    v = j & 1;
-
-    if( verbose != 0 )
-        printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
-                (v == CAMELLIA_DECRYPT) ? "dec" : "enc");
-
-    for (i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
-        memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u);
-
-        if (v == CAMELLIA_DECRYPT) {
-            camellia_setkey_dec(&ctx, key, 128 + u * 64);
-            memcpy(src, camellia_test_ecb_cipher[u][i], 16);
-            memcpy(dst, camellia_test_ecb_plain[i], 16);
-        } else { /* CAMELLIA_ENCRYPT */
-            camellia_setkey_enc(&ctx, key, 128 + u * 64);
-            memcpy(src, camellia_test_ecb_plain[i], 16);
-            memcpy(dst, camellia_test_ecb_cipher[u][i], 16);
-        }
-
-        camellia_crypt_ecb(&ctx, v, src, buf);
-
-        if( memcmp( buf, dst, 16 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    /*
-     * CBC mode
-     */
-    for( j = 0; j < 6; j++ )
-    {
-        u = j >> 1;
-        v = j  & 1;
-
-        if( verbose != 0 )
-            printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
-                    ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
-
-    memcpy( src, camellia_test_cbc_iv, 16);
-    memcpy( dst, camellia_test_cbc_iv, 16);
-    memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u);
-
-    if (v == CAMELLIA_DECRYPT) {
-        camellia_setkey_dec(&ctx, key, 128 + u * 64);
-    } else {
-        camellia_setkey_enc(&ctx, key, 128 + u * 64);
-    }
-
-    for (i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
-
-        if (v == CAMELLIA_DECRYPT) {
-            memcpy( iv , src, 16 );
-            memcpy(src, camellia_test_cbc_cipher[u][i], 16);
-            memcpy(dst, camellia_test_cbc_plain[i], 16);
-        } else { /* CAMELLIA_ENCRYPT */
-            memcpy( iv , dst, 16 );
-            memcpy(src, camellia_test_cbc_plain[i], 16);
-            memcpy(dst, camellia_test_cbc_cipher[u][i], 16);
-        }
-
-        camellia_crypt_cbc(&ctx, v, 16, iv, src, buf);
-
-        if( memcmp( buf, dst, 16 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-    }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    /*
-     * CTR mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  CAMELLIA-CTR-128 (%s): ",
-                    ( v == CAMELLIA_DECRYPT ) ? "dec" : "enc" );
-
-        memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
-        memcpy( key, camellia_test_ctr_key[u], 16 );
-
-        offset = 0;
-        camellia_setkey_enc( &ctx, key, 128 );
-
-        if( v == CAMELLIA_DECRYPT )
-        {
-            len = camellia_test_ctr_len[u];
-            memcpy( buf, camellia_test_ctr_ct[u], len );
-
-            camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
-
-            if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            len = camellia_test_ctr_len[u];
-            memcpy( buf, camellia_test_ctr_pt[u], len );
-
-            camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
-
-            if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-    return ( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/certs.c b/makerom/polarssl/certs.c
deleted file mode 100644
index e2d07f76..00000000
--- a/makerom/polarssl/certs.c
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- *  X.509 test certificates
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_CERTS_C)
-
-const char test_ca_crt[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n"
-"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n"
-"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n"
-"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n"
-"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n"
-"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n"
-"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n"
-"gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n"
-"/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n"
-"BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n"
-"dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n"
-"SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n"
-"DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n"
-"pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n"
-"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n"
-"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n"
-"-----END CERTIFICATE-----\r\n";
-
-const char test_ca_key[] =
-"-----BEGIN RSA PRIVATE KEY-----\r\n"
-"Proc-Type: 4,ENCRYPTED\r\n"
-"DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"
-"\r\n"
-"9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n"
-"7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n"
-"Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n"
-"PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n"
-"GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n"
-"gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n"
-"QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n"
-"PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n"
-"vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n"
-"WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n"
-"JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n"
-"KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n"
-"Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n"
-"9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n"
-"iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n"
-"tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n"
-"P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n"
-"1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n"
-"nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n"
-"X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n"
-"rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n"
-"L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n"
-"I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n"
-"wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
-"P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
-"-----END RSA PRIVATE KEY-----\r\n";
-
-const char test_ca_pwd[] = "PolarSSLTest";
-
-const char test_srv_crt[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN\r\n"
-"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/\r\n"
-"uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD\r\n"
-"d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf\r\n"
-"CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr\r\n"
-"lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w\r\n"
-"bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB\r\n"
-"o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf\r\n"
-"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC\r\n"
-"AQEAvc+WwZUemsJu2IiI2Cp6liA+UAvIx98dQe3kZs2zAoF9VwQbXcYzWQ/BILkj\r\n"
-"NImKbPL9x0g2jIDn4ZvGYFywMwIO/d++YbwYiQw42/v7RiMy94zBPnzeHi86dy/0\r\n"
-"jpOOJUx3IXRsGLdyjb/1T11klcFqGnARiK+8VYolMPP6afKvLXX7K4kiUpsFQhUp\r\n"
-"E5VeM5pV1Mci2ETOJau2cO40FJvI/C9W/wR+GAArMaw2fxG77E3laaa0LAOlexM6\r\n"
-"A4KOb5f5cGTM5Ih6tEF5FVq3/9vzNIYMa1FqzacBLZF8zSHYLEimXBdzjBoN4qDU\r\n"
-"/WzRyYRBRjAI49mzHX6raleqnw==\r\n"
-"-----END CERTIFICATE-----\r\n";
-
-const char test_srv_key[] =
-"-----BEGIN RSA PRIVATE KEY-----\r\n"
-"MIIEogIBAAKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/uOhFkNvuiBZS0/FDUEeW\r\n"
-"Ellkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFDd185fAkER4KwVzlw7aPs\r\n"
-"FRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVfCrFTxjB+FTms+Vruf5Ke\r\n"
-"pgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTrlZvc/kFeF6babFtpzAK6\r\n"
-"FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9wbp7OvViJ4lNZnm5akmXi\r\n"
-"iD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQABAoIBABaJ9eiRQq4Ypv+w\r\n"
-"UTcVpLC0oTueWzcpor1i1zjG4Vzqe/Ok2FqyGToGKMlFK7Hwwa+LEyeJ3xyV5yd4\r\n"
-"v1Mw9bDZFdJC1eCBjoUAHtX6k9HOE0Vd6woVQ4Vi6OPI1g7B5Mnr/58rNrnN6TMs\r\n"
-"x58NF6euecwTU811QJrZtLbX7j2Cr28yB2Vs8qyYlHwVw5jbDOv43D7vU5gmlIDN\r\n"
-"0JQRuWAnOuPzZNoJr4SfJKqHNGxYYY6pHZ1s0dOTLIDb/B8KQWapA2kRmZyid2EH\r\n"
-"nwzgLbAsHJCf+bQnhXjXuxtUsrcIL8noZLazlOMxwNEammglVWW23Ud/QRnFgJg5\r\n"
-"UgcAcRECgYEA19uYetht5qmwdJ+12oC6zeO+vXLcyD9gon23T5J6w2YThld7/OW0\r\n"
-"oArQJGgkAdaq0pcTyOIjtTQVMFygdVmCEJmxh/3RutPcTeydqW9fphKDMej32J8e\r\n"
-"GniGmNGiclbcfNOS8E5TGp445yZb9P1+7AHng16bGg3Ykj5EA4G+HCcCgYEAyHAl\r\n"
-"//ekk8YjQElm+8izLtFkymIK0aCtEe9C/RIRhFYBeFaotC5dStNhBOncn4ovMAPD\r\n"
-"lX/92yDi9OP8PPLN3a4B9XpW3k/SS5GrbT5cwOivBHNllZSmu/2qz5WPGcjVCOrB\r\n"
-"LYl3YWr2h3EGKICT03kEoTkiDBvCeOpW7cCGl2cCgYBD5whoXHz1+ptPlI4YVjZt\r\n"
-"Xh86aU+ajpVPiEyJ84I6xXmO4SZXv8q6LaycR0ZMbcL+zBelMb4Z2nBv7jNrtuR7\r\n"
-"ZF28cdPv+YVr3esaybZE/73VjXup4SQPH6r3l7qKTVi+y6+FeJ4b2Xn8/MwgnT23\r\n"
-"8EFrye7wmzpthrjOgZnUMQKBgE9Lhsz/5J0Nis6Y+2Pqn3CLKEukg9Ewtqdct2y0\r\n"
-"5Dcta0F3TyCRIxlCDKTL/BslqMtfAdY4H268UO0+8IAQMn9boqzBrHIgs/pvc5kx\r\n"
-"TbKHmw2wtWR6vYersBKVgVpbCGSRssDYHGFu1n74qM4HJ/RGcR1zI9QUe1gopSFD\r\n"
-"xDtLAoGAVAdWvrqDwgoL2hHW3scGpxdE/ygJDOwHnf+1B9goKAOP5lf2FJaiAxf3\r\n"
-"ectoPOgZbCmm/iiDmigu703ld3O+VoCLDD4qx3R+KyALL78gtVJYzSRiKhzgCZ3g\r\n"
-"mKsIVRBq4IfwiwyMNG2BYZQAwbSDjjPtn/kPBduPzPj7eriByhI=\r\n"
-"-----END RSA PRIVATE KEY-----\r\n";
-
-const char test_cli_crt[] =
-"-----BEGIN CERTIFICATE-----\r\n"
-"MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
-"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
-"MTEwMjEyMTQ0NDA3WhcNMjEwMjEyMTQ0NDA3WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
-"A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
-"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
-"M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
-"1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
-"MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
-"4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
-"/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
-"o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n"
-"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC\r\n"
-"AQEAAn86isAM8X+mVwJqeItt6E9slhEQbAofyk+diH1Lh8Y9iLlWQSKbw/UXYjx5\r\n"
-"LLPZcniovxIcARC/BjyZR9g3UwTHNGNm+rwrqa15viuNOFBchykX/Orsk02EH7NR\r\n"
-"Alw5WLPorYjED6cdVQgBl9ot93HdJogRiXCxErM7NC8/eP511mjq+uLDjLKH8ZPQ\r\n"
-"8I4ekHJnroLsDkIwXKGIsvIBHQy2ac/NwHLCQOK6mfum1pRx52V4Utu5dLLjD5bM\r\n"
-"xOBC7KU4xZKuMXXZM6/93Yb51K/J4ahf1TxJlTWXtnzDr9saEYdNy2SKY/6ZiDNH\r\n"
-"D+stpAKiQLAWaAusIWKYEyw9MQ==\r\n"
-"-----END CERTIFICATE-----\r\n";
-
-const char test_cli_key[] =
-"-----BEGIN RSA PRIVATE KEY-----\r\n"
-"MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n"
-"B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n"
-"bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n"
-"Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n"
-"7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n"
-"dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n"
-"yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n"
-"4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n"
-"ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n"
-"zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n"
-"l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n"
-"DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n"
-"VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n"
-"Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n"
-"wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n"
-"c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n"
-"33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n"
-"ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n"
-"BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n"
-"KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n"
-"UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n"
-"7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n"
-"gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n"
-"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
-"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
-"-----END RSA PRIVATE KEY-----\r\n";
-
-const char test_dhm_params[] =
-"-----BEGIN DH PARAMETERS-----\r\n"
-"MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
-"1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
-"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
-"-----END DH PARAMETERS-----\r\n";
-
-#endif
diff --git a/makerom/polarssl/cipher.c b/makerom/polarssl/cipher.c
deleted file mode 100644
index 09c38073..00000000
--- a/makerom/polarssl/cipher.c
+++ /dev/null
@@ -1,602 +0,0 @@
-/**
- * \file cipher.c
- * 
- * \brief Generic cipher wrapper for PolarSSL
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_CIPHER_C)
-
-#include "polarssl/cipher.h"
-#include "polarssl/cipher_wrap.h"
-
-#include <stdlib.h>
-#include <strings.h>
-
-#if defined _MSC_VER && !defined strcasecmp
-#define strcasecmp _stricmp
-#endif
-
-static const int supported_ciphers[] = {
-
-#if defined(POLARSSL_AES_C)
-        POLARSSL_CIPHER_AES_128_CBC,
-        POLARSSL_CIPHER_AES_192_CBC,
-        POLARSSL_CIPHER_AES_256_CBC,
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-        POLARSSL_CIPHER_AES_128_CFB128,
-        POLARSSL_CIPHER_AES_192_CFB128,
-        POLARSSL_CIPHER_AES_256_CFB128,
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-        POLARSSL_CIPHER_AES_128_CTR,
-        POLARSSL_CIPHER_AES_192_CTR,
-        POLARSSL_CIPHER_AES_256_CTR,
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-
-#endif /* defined(POLARSSL_AES_C) */
-
-#if defined(POLARSSL_CAMELLIA_C)
-        POLARSSL_CIPHER_CAMELLIA_128_CBC,
-        POLARSSL_CIPHER_CAMELLIA_192_CBC,
-        POLARSSL_CIPHER_CAMELLIA_256_CBC,
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-        POLARSSL_CIPHER_CAMELLIA_128_CFB128,
-        POLARSSL_CIPHER_CAMELLIA_192_CFB128,
-        POLARSSL_CIPHER_CAMELLIA_256_CFB128,
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-        POLARSSL_CIPHER_CAMELLIA_128_CTR,
-        POLARSSL_CIPHER_CAMELLIA_192_CTR,
-        POLARSSL_CIPHER_CAMELLIA_256_CTR,
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-
-#endif /* defined(POLARSSL_CAMELLIA_C) */
-
-#if defined(POLARSSL_DES_C)
-        POLARSSL_CIPHER_DES_CBC,
-        POLARSSL_CIPHER_DES_EDE_CBC,
-        POLARSSL_CIPHER_DES_EDE3_CBC,
-#endif /* defined(POLARSSL_DES_C) */
-
-#if defined(POLARSSL_BLOWFISH_C)
-        POLARSSL_CIPHER_BLOWFISH_CBC,
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-        POLARSSL_CIPHER_BLOWFISH_CFB64,
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-        POLARSSL_CIPHER_BLOWFISH_CTR,
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-
-#endif /* defined(POLARSSL_BLOWFISH_C) */
-
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-        POLARSSL_CIPHER_NULL,
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-        0
-};
-
-const int *cipher_list( void )
-{
-    return supported_ciphers;
-}
-
-const cipher_info_t *cipher_info_from_type( const cipher_type_t cipher_type )
-{
-    /* Find static cipher information */
-    switch ( cipher_type )
-    {
-#if defined(POLARSSL_AES_C)
-        case POLARSSL_CIPHER_AES_128_CBC:
-            return &aes_128_cbc_info;
-        case POLARSSL_CIPHER_AES_192_CBC:
-            return &aes_192_cbc_info;
-        case POLARSSL_CIPHER_AES_256_CBC:
-            return &aes_256_cbc_info;
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-        case POLARSSL_CIPHER_AES_128_CFB128:
-            return &aes_128_cfb128_info;
-        case POLARSSL_CIPHER_AES_192_CFB128:
-            return &aes_192_cfb128_info;
-        case POLARSSL_CIPHER_AES_256_CFB128:
-            return &aes_256_cfb128_info;
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-        case POLARSSL_CIPHER_AES_128_CTR:
-            return &aes_128_ctr_info;
-        case POLARSSL_CIPHER_AES_192_CTR:
-            return &aes_192_ctr_info;
-        case POLARSSL_CIPHER_AES_256_CTR:
-            return &aes_256_ctr_info;
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-        case POLARSSL_CIPHER_CAMELLIA_128_CBC:
-            return &camellia_128_cbc_info;
-        case POLARSSL_CIPHER_CAMELLIA_192_CBC:
-            return &camellia_192_cbc_info;
-        case POLARSSL_CIPHER_CAMELLIA_256_CBC:
-            return &camellia_256_cbc_info;
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-        case POLARSSL_CIPHER_CAMELLIA_128_CFB128:
-            return &camellia_128_cfb128_info;
-        case POLARSSL_CIPHER_CAMELLIA_192_CFB128:
-            return &camellia_192_cfb128_info;
-        case POLARSSL_CIPHER_CAMELLIA_256_CFB128:
-            return &camellia_256_cfb128_info;
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-        case POLARSSL_CIPHER_CAMELLIA_128_CTR:
-            return &camellia_128_ctr_info;
-        case POLARSSL_CIPHER_CAMELLIA_192_CTR:
-            return &camellia_192_ctr_info;
-        case POLARSSL_CIPHER_CAMELLIA_256_CTR:
-            return &camellia_256_ctr_info;
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-
-#endif
-
-#if defined(POLARSSL_DES_C)
-        case POLARSSL_CIPHER_DES_CBC:
-            return &des_cbc_info;
-        case POLARSSL_CIPHER_DES_EDE_CBC:
-            return &des_ede_cbc_info;
-        case POLARSSL_CIPHER_DES_EDE3_CBC:
-            return &des_ede3_cbc_info;
-#endif
-
-#if defined(POLARSSL_BLOWFISH_C)
-        case POLARSSL_CIPHER_BLOWFISH_CBC:
-            return &blowfish_cbc_info;
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-        case POLARSSL_CIPHER_BLOWFISH_CFB64:
-            return &blowfish_cfb64_info;
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-        case POLARSSL_CIPHER_BLOWFISH_CTR:
-            return &blowfish_ctr_info;
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-
-#endif
-
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-        case POLARSSL_CIPHER_NULL:
-            return &null_cipher_info;
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-        default:
-            return NULL;
-    }
-}
-
-const cipher_info_t *cipher_info_from_string( const char *cipher_name )
-{
-    if( NULL == cipher_name )
-        return NULL;
-
-    /* Get the appropriate cipher information */
-#if defined(POLARSSL_CAMELLIA_C)
-    if( !strcasecmp( "CAMELLIA-128-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_128_CBC );
-    if( !strcasecmp( "CAMELLIA-192-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_192_CBC );
-    if( !strcasecmp( "CAMELLIA-256-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_256_CBC );
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-    if( !strcasecmp( "CAMELLIA-128-CFB128", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_128_CFB128 );
-    if( !strcasecmp( "CAMELLIA-192-CFB128", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_192_CFB128 );
-    if( !strcasecmp( "CAMELLIA-256-CFB128", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_256_CFB128 );
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    if( !strcasecmp( "CAMELLIA-128-CTR", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_128_CTR );
-    if( !strcasecmp( "CAMELLIA-192-CTR", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_192_CTR );
-    if( !strcasecmp( "CAMELLIA-256-CTR", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_CAMELLIA_256_CTR );
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-#endif
-
-#if defined(POLARSSL_AES_C)
-    if( !strcasecmp( "AES-128-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_128_CBC );
-    if( !strcasecmp( "AES-192-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_192_CBC );
-    if( !strcasecmp( "AES-256-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_256_CBC );
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-    if( !strcasecmp( "AES-128-CFB128", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_128_CFB128 );
-    if( !strcasecmp( "AES-192-CFB128", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_192_CFB128 );
-    if( !strcasecmp( "AES-256-CFB128", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_256_CFB128 );
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    if( !strcasecmp( "AES-128-CTR", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_128_CTR );
-    if( !strcasecmp( "AES-192-CTR", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_192_CTR );
-    if( !strcasecmp( "AES-256-CTR", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_AES_256_CTR );
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-#endif
-
-#if defined(POLARSSL_DES_C)
-    if( !strcasecmp( "DES-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_DES_CBC );
-    if( !strcasecmp( "DES-EDE-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_DES_EDE_CBC );
-    if( !strcasecmp( "DES-EDE3-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_DES_EDE3_CBC );
-#endif
-
-#if defined(POLARSSL_BLOWFISH_C)
-    if( !strcasecmp( "BLOWFISH-CBC", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CBC );
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-    if( !strcasecmp( "BLOWFISH-CFB64", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CFB64 );
-#endif /* defined(POLARSSL_CIPHER_MODE_CFB) */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    if( !strcasecmp( "BLOWFISH-CTR", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_BLOWFISH_CTR );
-#endif /* defined(POLARSSL_CIPHER_MODE_CTR) */
-#endif
-
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-    if( !strcasecmp( "NULL", cipher_name ) )
-        return cipher_info_from_type( POLARSSL_CIPHER_NULL );
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-    return NULL;
-}
-
-int cipher_init_ctx( cipher_context_t *ctx, const cipher_info_t *cipher_info )
-{
-    if( NULL == cipher_info || NULL == ctx )
-        return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-
-    memset( ctx, 0, sizeof( cipher_context_t ) );
-
-    if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
-        return POLARSSL_ERR_CIPHER_ALLOC_FAILED;
-
-    ctx->cipher_info = cipher_info;
-
-    return 0;
-}
-
-int cipher_free_ctx( cipher_context_t *ctx )
-{
-    if( ctx == NULL || ctx->cipher_info == NULL )
-        return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-
-    ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
-
-    return 0;
-}
-
-int cipher_setkey( cipher_context_t *ctx, const unsigned char *key,
-        int key_length, const operation_t operation )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-
-    ctx->key_length = key_length;
-    ctx->operation = operation;
-
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-    if( ctx->cipher_info->mode == POLARSSL_MODE_NULL )
-        return 0;
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-    /*
-     * For CFB and CTR mode always use the encryption key schedule
-     */
-    if( POLARSSL_ENCRYPT == operation ||
-        POLARSSL_MODE_CFB == ctx->cipher_info->mode ||
-        POLARSSL_MODE_CTR == ctx->cipher_info->mode )
-    {
-        return ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
-                ctx->key_length );
-    }
-
-    if( POLARSSL_DECRYPT == operation )
-        return ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
-                ctx->key_length );
-
-    return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-}
-
-int cipher_reset( cipher_context_t *ctx, const unsigned char *iv )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info || NULL == iv )
-        return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-
-    ctx->unprocessed_len = 0;
-
-    memcpy( ctx->iv, iv, cipher_get_iv_size( ctx ) );
-
-    return 0;
-}
-
-int cipher_update( cipher_context_t *ctx, const unsigned char *input, size_t ilen,
-        unsigned char *output, size_t *olen )
-{
-    int ret;
-    size_t copy_len = 0;
-
-    if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen ||
-        input == output )
-    {
-        return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-    }
-
-    *olen = 0;
-
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-    if( ctx->cipher_info->mode == POLARSSL_MODE_NULL )
-    {
-        memcpy( output, input, ilen );
-        *olen = ilen;
-        return 0;
-    }
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-    if( ctx->cipher_info->mode == POLARSSL_MODE_CBC )
-    {
-        /*
-         * If there is not enough data for a full block, cache it.
-         */
-        if( ( ctx->operation == POLARSSL_DECRYPT &&
-                ilen + ctx->unprocessed_len <= cipher_get_block_size( ctx ) ) ||
-             ( ctx->operation == POLARSSL_ENCRYPT &&
-                ilen + ctx->unprocessed_len < cipher_get_block_size( ctx ) ) )
-        {
-            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
-                    ilen );
-
-            ctx->unprocessed_len += ilen;
-            return 0;
-        }
-
-        /*
-         * Process cached data first
-         */
-        if( ctx->unprocessed_len != 0 )
-        {
-            copy_len = cipher_get_block_size( ctx ) - ctx->unprocessed_len;
-
-            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
-                    copy_len );
-
-            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
-                    ctx->operation, cipher_get_block_size( ctx ), ctx->iv,
-                    ctx->unprocessed_data, output ) ) )
-            {
-                return ret;
-            }
-
-            *olen += cipher_get_block_size( ctx );
-            output += cipher_get_block_size( ctx );
-            ctx->unprocessed_len = 0;
-
-            input += copy_len;
-            ilen -= copy_len;
-        }
-
-        /*
-         * Cache final, incomplete block
-         */
-        if( 0 != ilen )
-        {
-            copy_len = ilen % cipher_get_block_size( ctx );
-            if( copy_len == 0 && ctx->operation == POLARSSL_DECRYPT )
-                copy_len = cipher_get_block_size(ctx);
-
-            memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
-                    copy_len );
-
-            ctx->unprocessed_len += copy_len;
-            ilen -= copy_len;
-        }
-
-        /*
-         * Process remaining full blocks
-         */
-        if( ilen )
-        {
-            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
-                    ctx->operation, ilen, ctx->iv, input, output ) ) )
-            {
-                return ret;
-            }
-            *olen += ilen;
-        }
-
-        return 0;
-    }
-
-    if( ctx->cipher_info->mode == POLARSSL_MODE_CFB )
-    {
-        if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
-                ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
-                input, output ) ) )
-        {
-            return ret;
-        }
-
-        *olen = ilen;
-
-        return 0;
-    }
-
-    if( ctx->cipher_info->mode == POLARSSL_MODE_CTR )
-    {
-        if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
-                ilen, &ctx->unprocessed_len, ctx->iv,
-                ctx->unprocessed_data, input, output ) ) )
-        {
-            return ret;
-        }
-
-        *olen = ilen;
-
-        return 0;
-    }
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-static void add_pkcs_padding( unsigned char *output, size_t output_len,
-        size_t data_len )
-{
-    size_t padding_len = output_len - data_len;
-    unsigned char i = 0;
-
-    for( i = 0; i < padding_len; i++ )
-        output[data_len + i] = (unsigned char) padding_len;
-}
-
-static int get_pkcs_padding( unsigned char *input, unsigned int input_len,
-        size_t *data_len)
-{
-    unsigned int i, padding_len = 0;
-
-    if( NULL == input || NULL == data_len )
-        return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-
-    padding_len = input[input_len - 1];
-
-    if( padding_len > input_len )
-        return POLARSSL_ERR_CIPHER_INVALID_PADDING;
-
-    for( i = input_len - padding_len; i < input_len; i++ )
-        if( input[i] != padding_len )
-            return POLARSSL_ERR_CIPHER_INVALID_PADDING;
-
-    *data_len = input_len - padding_len;
-
-    return 0;
-}
-
-int cipher_finish( cipher_context_t *ctx, unsigned char *output, size_t *olen)
-{
-    int ret = 0;
-
-    if( NULL == ctx || NULL == ctx->cipher_info || NULL == olen )
-        return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
-
-    *olen = 0;
-
-    if( POLARSSL_MODE_CFB == ctx->cipher_info->mode ||
-        POLARSSL_MODE_CTR == ctx->cipher_info->mode ||
-        POLARSSL_MODE_NULL == ctx->cipher_info->mode )
-    {
-        return 0;
-    }
-
-    if( POLARSSL_MODE_CBC == ctx->cipher_info->mode )
-    {
-        if( POLARSSL_ENCRYPT == ctx->operation )
-        {
-            add_pkcs_padding( ctx->unprocessed_data, cipher_get_iv_size( ctx ),
-                    ctx->unprocessed_len );
-        }
-        else if ( cipher_get_block_size( ctx ) != ctx->unprocessed_len )
-        {
-            /* For decrypt operations, expect a full block */
-            return POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED;
-        }
-
-        /* cipher block */
-        if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
-                ctx->operation, cipher_get_block_size( ctx ), ctx->iv,
-                ctx->unprocessed_data, output ) ) )
-        {
-            return ret;
-        }
-
-        /* Set output size for decryption */
-        if( POLARSSL_DECRYPT == ctx->operation )
-            return get_pkcs_padding( output, cipher_get_block_size( ctx ), olen );
-
-        /* Set output size for encryption */
-        *olen = cipher_get_block_size( ctx );
-        return 0;
-    }
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-#define ASSERT(x) if (!(x)) { \
-        printf( "failed with %i at %s\n", value, (#x) ); \
-    return( 1 ); \
-}
-/*
- * Checkup routine
- */
-
-int cipher_self_test( int verbose )
-{
-    ((void) verbose);
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/cipher_wrap.c b/makerom/polarssl/cipher_wrap.c
deleted file mode 100644
index 94372127..00000000
--- a/makerom/polarssl/cipher_wrap.c
+++ /dev/null
@@ -1,711 +0,0 @@
-/**
- * \file md_wrap.c
- * 
- * \brief Generic cipher wrapper for PolarSSL
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_CIPHER_C)
-
-#include "polarssl/cipher_wrap.h"
-
-#if defined(POLARSSL_AES_C)
-#include "polarssl/aes.h"
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-#include "polarssl/camellia.h"
-#endif
-
-#if defined(POLARSSL_DES_C)
-#include "polarssl/des.h"
-#endif
-
-#if defined(POLARSSL_BLOWFISH_C)
-#include "polarssl/blowfish.h"
-#endif
-
-#include <stdlib.h>
-
-#if defined(POLARSSL_AES_C)
-
-int aes_crypt_cbc_wrap( void *ctx, operation_t operation, size_t length,
-        unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-    return aes_crypt_cbc( (aes_context *) ctx, operation, length, iv, input, output );
-}
-
-int aes_crypt_cfb128_wrap( void *ctx, operation_t operation, size_t length,
-        size_t *iv_off, unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-    return aes_crypt_cfb128( (aes_context *) ctx, operation, length, iv_off, iv, input, output );
-#else
-    ((void) ctx);
-    ((void) operation);
-    ((void) length);
-    ((void) iv_off);
-    ((void) iv);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif
-}
-
-int aes_crypt_ctr_wrap( void *ctx, size_t length,
-        size_t *nc_off, unsigned char *nonce_counter, unsigned char *stream_block,
-        const unsigned char *input, unsigned char *output )
-{
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    return aes_crypt_ctr( (aes_context *) ctx, length, nc_off, nonce_counter,
-                          stream_block, input, output );
-#else
-    ((void) ctx);
-    ((void) length);
-    ((void) nc_off);
-    ((void) nonce_counter);
-    ((void) stream_block);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif
-}
-
-int aes_setkey_dec_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    return aes_setkey_dec( (aes_context *) ctx, key, key_length );
-}
-
-int aes_setkey_enc_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    return aes_setkey_enc( (aes_context *) ctx, key, key_length );
-}
-
-static void * aes_ctx_alloc( void )
-{
-    return malloc( sizeof( aes_context ) );
-}
-
-static void aes_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const cipher_base_t aes_info = {
-    POLARSSL_CIPHER_ID_AES,
-    aes_crypt_cbc_wrap,
-    aes_crypt_cfb128_wrap,
-    aes_crypt_ctr_wrap,
-    aes_setkey_enc_wrap,
-    aes_setkey_dec_wrap,
-    aes_ctx_alloc,
-    aes_ctx_free
-};
-
-const cipher_info_t aes_128_cbc_info = {
-    POLARSSL_CIPHER_AES_128_CBC,
-    POLARSSL_MODE_CBC,
-    128,
-    "AES-128-CBC",
-    16,
-    16,
-    &aes_info
-};
-
-const cipher_info_t aes_192_cbc_info = {
-    POLARSSL_CIPHER_AES_192_CBC,
-    POLARSSL_MODE_CBC,
-    192,
-    "AES-192-CBC",
-    16,
-    16,
-    &aes_info
-};
-
-const cipher_info_t aes_256_cbc_info = {
-    POLARSSL_CIPHER_AES_256_CBC,
-    POLARSSL_MODE_CBC,
-    256,
-    "AES-256-CBC",
-    16,
-    16,
-    &aes_info
-};
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-const cipher_info_t aes_128_cfb128_info = {
-    POLARSSL_CIPHER_AES_128_CFB128,
-    POLARSSL_MODE_CFB,
-    128,
-    "AES-128-CFB128",
-    16,
-    16,
-    &aes_info
-};
-
-const cipher_info_t aes_192_cfb128_info = {
-    POLARSSL_CIPHER_AES_192_CFB128,
-    POLARSSL_MODE_CFB,
-    192,
-    "AES-192-CFB128",
-    16,
-    16,
-    &aes_info
-};
-
-const cipher_info_t aes_256_cfb128_info = {
-    POLARSSL_CIPHER_AES_256_CFB128,
-    POLARSSL_MODE_CFB,
-    256,
-    "AES-256-CFB128",
-    16,
-    16,
-    &aes_info
-};
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-const cipher_info_t aes_128_ctr_info = {
-    POLARSSL_CIPHER_AES_128_CTR,
-    POLARSSL_MODE_CTR,
-    128,
-    "AES-128-CTR",
-    16,
-    16,
-    &aes_info
-};
-
-const cipher_info_t aes_192_ctr_info = {
-    POLARSSL_CIPHER_AES_192_CTR,
-    POLARSSL_MODE_CTR,
-    192,
-    "AES-192-CTR",
-    16,
-    16,
-    &aes_info
-};
-
-const cipher_info_t aes_256_ctr_info = {
-    POLARSSL_CIPHER_AES_256_CTR,
-    POLARSSL_MODE_CTR,
-    256,
-    "AES-256-CTR",
-    16,
-    16,
-    &aes_info
-};
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-
-int camellia_crypt_cbc_wrap( void *ctx, operation_t operation, size_t length,
-        unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-    return camellia_crypt_cbc( (camellia_context *) ctx, operation, length, iv, input, output );
-}
-
-int camellia_crypt_cfb128_wrap( void *ctx, operation_t operation, size_t length,
-        size_t *iv_off, unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-    return camellia_crypt_cfb128( (camellia_context *) ctx, operation, length, iv_off, iv, input, output );
-#else
-    ((void) ctx);
-    ((void) operation);
-    ((void) length);
-    ((void) iv_off);
-    ((void) iv);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif
-}
-
-int camellia_crypt_ctr_wrap( void *ctx, size_t length,
-        size_t *nc_off, unsigned char *nonce_counter, unsigned char *stream_block,
-        const unsigned char *input, unsigned char *output )
-{
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    return camellia_crypt_ctr( (camellia_context *) ctx, length, nc_off, nonce_counter,
-                          stream_block, input, output );
-#else
-    ((void) ctx);
-    ((void) length);
-    ((void) nc_off);
-    ((void) nonce_counter);
-    ((void) stream_block);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif
-}
-
-int camellia_setkey_dec_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    return camellia_setkey_dec( (camellia_context *) ctx, key, key_length );
-}
-
-int camellia_setkey_enc_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    return camellia_setkey_enc( (camellia_context *) ctx, key, key_length );
-}
-
-static void * camellia_ctx_alloc( void )
-{
-    return malloc( sizeof( camellia_context ) );
-}
-
-static void camellia_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const cipher_base_t camellia_info = {
-    POLARSSL_CIPHER_ID_CAMELLIA,
-    camellia_crypt_cbc_wrap,
-    camellia_crypt_cfb128_wrap,
-    camellia_crypt_ctr_wrap,
-    camellia_setkey_enc_wrap,
-    camellia_setkey_dec_wrap,
-    camellia_ctx_alloc,
-    camellia_ctx_free
-};
-
-const cipher_info_t camellia_128_cbc_info = {
-    POLARSSL_CIPHER_CAMELLIA_128_CBC,
-    POLARSSL_MODE_CBC,
-    128,
-    "CAMELLIA-128-CBC",
-    16,
-    16,
-    &camellia_info
-};
-
-const cipher_info_t camellia_192_cbc_info = {
-    POLARSSL_CIPHER_CAMELLIA_192_CBC,
-    POLARSSL_MODE_CBC,
-    192,
-    "CAMELLIA-192-CBC",
-    16,
-    16,
-    &camellia_info
-};
-
-const cipher_info_t camellia_256_cbc_info = {
-    POLARSSL_CIPHER_CAMELLIA_256_CBC,
-    POLARSSL_MODE_CBC,
-    256,
-    "CAMELLIA-256-CBC",
-    16,
-    16,
-    &camellia_info
-};
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-const cipher_info_t camellia_128_cfb128_info = {
-    POLARSSL_CIPHER_CAMELLIA_128_CFB128,
-    POLARSSL_MODE_CFB,
-    128,
-    "CAMELLIA-128-CFB128",
-    16,
-    16,
-    &camellia_info
-};
-
-const cipher_info_t camellia_192_cfb128_info = {
-    POLARSSL_CIPHER_CAMELLIA_192_CFB128,
-    POLARSSL_MODE_CFB,
-    192,
-    "CAMELLIA-192-CFB128",
-    16,
-    16,
-    &camellia_info
-};
-
-const cipher_info_t camellia_256_cfb128_info = {
-    POLARSSL_CIPHER_CAMELLIA_256_CFB128,
-    POLARSSL_MODE_CFB,
-    256,
-    "CAMELLIA-256-CFB128",
-    16,
-    16,
-    &camellia_info
-};
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-const cipher_info_t camellia_128_ctr_info = {
-    POLARSSL_CIPHER_CAMELLIA_128_CTR,
-    POLARSSL_MODE_CTR,
-    128,
-    "CAMELLIA-128-CTR",
-    16,
-    16,
-    &camellia_info
-};
-
-const cipher_info_t camellia_192_ctr_info = {
-    POLARSSL_CIPHER_CAMELLIA_192_CTR,
-    POLARSSL_MODE_CTR,
-    192,
-    "CAMELLIA-192-CTR",
-    16,
-    16,
-    &camellia_info
-};
-
-const cipher_info_t camellia_256_ctr_info = {
-    POLARSSL_CIPHER_CAMELLIA_256_CTR,
-    POLARSSL_MODE_CTR,
-    256,
-    "CAMELLIA-256-CTR",
-    16,
-    16,
-    &camellia_info
-};
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-#endif
-
-#if defined(POLARSSL_DES_C)
-
-int des_crypt_cbc_wrap( void *ctx, operation_t operation, size_t length,
-        unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-    return des_crypt_cbc( (des_context *) ctx, operation, length, iv, input, output );
-}
-
-int des3_crypt_cbc_wrap( void *ctx, operation_t operation, size_t length,
-        unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-    return des3_crypt_cbc( (des3_context *) ctx, operation, length, iv, input, output );
-}
-
-int des_crypt_cfb128_wrap( void *ctx, operation_t operation, size_t length,
-        size_t *iv_off, unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-    ((void) ctx);
-    ((void) operation);
-    ((void) length);
-    ((void) iv_off);
-    ((void) iv);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-int des_crypt_ctr_wrap( void *ctx, size_t length,
-        size_t *nc_off, unsigned char *nonce_counter, unsigned char *stream_block,
-        const unsigned char *input, unsigned char *output )
-{
-    ((void) ctx);
-    ((void) length);
-    ((void) nc_off);
-    ((void) nonce_counter);
-    ((void) stream_block);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-}
-
-
-int des_setkey_dec_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    ((void) key_length);
-
-    return des_setkey_dec( (des_context *) ctx, key );
-}
-
-int des_setkey_enc_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    ((void) key_length);
-
-    return des_setkey_enc( (des_context *) ctx, key );
-}
-
-int des3_set2key_dec_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    ((void) key_length);
-
-    return des3_set2key_dec( (des3_context *) ctx, key );
-}
-
-int des3_set2key_enc_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    ((void) key_length);
-
-    return des3_set2key_enc( (des3_context *) ctx, key );
-}
-
-int des3_set3key_dec_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    ((void) key_length);
-
-    return des3_set3key_dec( (des3_context *) ctx, key );
-}
-
-int des3_set3key_enc_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    ((void) key_length);
-
-    return des3_set3key_enc( (des3_context *) ctx, key );
-}
-
-static void * des_ctx_alloc( void )
-{
-    return malloc( sizeof( des_context ) );
-}
-
-static void * des3_ctx_alloc( void )
-{
-    return malloc( sizeof( des3_context ) );
-}
-
-static void des_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const cipher_base_t des_info = {
-    POLARSSL_CIPHER_ID_DES,
-    des_crypt_cbc_wrap,
-    des_crypt_cfb128_wrap,
-    des_crypt_ctr_wrap,
-    des_setkey_enc_wrap,
-    des_setkey_dec_wrap,
-    des_ctx_alloc,
-    des_ctx_free
-};
-
-const cipher_info_t des_cbc_info = {
-    POLARSSL_CIPHER_DES_CBC,
-    POLARSSL_MODE_CBC,
-    POLARSSL_KEY_LENGTH_DES,
-    "DES-CBC",
-    8,
-    8,
-    &des_info
-};
-
-const cipher_base_t des_ede_info = {
-    POLARSSL_CIPHER_ID_DES,
-    des3_crypt_cbc_wrap,
-    des_crypt_cfb128_wrap,
-    des_crypt_ctr_wrap,
-    des3_set2key_enc_wrap,
-    des3_set2key_dec_wrap,
-    des3_ctx_alloc,
-    des_ctx_free
-};
-
-const cipher_info_t des_ede_cbc_info = {
-    POLARSSL_CIPHER_DES_EDE_CBC,
-    POLARSSL_MODE_CBC,
-    POLARSSL_KEY_LENGTH_DES_EDE,
-    "DES-EDE-CBC",
-    8,
-    8,
-    &des_ede_info
-};
-
-const cipher_base_t des_ede3_info = {
-    POLARSSL_CIPHER_ID_DES,
-    des3_crypt_cbc_wrap,
-    des_crypt_cfb128_wrap,
-    des_crypt_ctr_wrap,
-    des3_set3key_enc_wrap,
-    des3_set3key_dec_wrap,
-    des3_ctx_alloc,
-    des_ctx_free
-};
-
-const cipher_info_t des_ede3_cbc_info = {
-    POLARSSL_CIPHER_DES_EDE3_CBC,
-    POLARSSL_MODE_CBC,
-    POLARSSL_KEY_LENGTH_DES_EDE3,
-    "DES-EDE3-CBC",
-    8,
-    8,
-    &des_ede3_info
-};
-#endif
-
-#if defined(POLARSSL_BLOWFISH_C)
-
-int blowfish_crypt_cbc_wrap( void *ctx, operation_t operation, size_t length,
-        unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-    return blowfish_crypt_cbc( (blowfish_context *) ctx, operation, length, iv, input, output );
-}
-
-int blowfish_crypt_cfb64_wrap( void *ctx, operation_t operation, size_t length,
-        size_t *iv_off, unsigned char *iv, const unsigned char *input, unsigned char *output )
-{
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-    return blowfish_crypt_cfb64( (blowfish_context *) ctx, operation, length, iv_off, iv, input, output );
-#else
-    ((void) ctx);
-    ((void) operation);
-    ((void) length);
-    ((void) iv_off);
-    ((void) iv);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif
-}
-
-int blowfish_crypt_ctr_wrap( void *ctx, size_t length,
-        size_t *nc_off, unsigned char *nonce_counter, unsigned char *stream_block,
-        const unsigned char *input, unsigned char *output )
-{
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    return blowfish_crypt_ctr( (blowfish_context *) ctx, length, nc_off, nonce_counter,
-                          stream_block, input, output );
-#else
-    ((void) ctx);
-    ((void) length);
-    ((void) nc_off);
-    ((void) nonce_counter);
-    ((void) stream_block);
-    ((void) input);
-    ((void) output);
-
-    return POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE;
-#endif
-}
-
-int blowfish_setkey_dec_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    return blowfish_setkey( (blowfish_context *) ctx, key, key_length );
-}
-
-int blowfish_setkey_enc_wrap( void *ctx, const unsigned char *key, unsigned int key_length )
-{
-    return blowfish_setkey( (blowfish_context *) ctx, key, key_length );
-}
-
-static void * blowfish_ctx_alloc( void )
-{
-    return malloc( sizeof( blowfish_context ) );
-}
-
-static void blowfish_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const cipher_base_t blowfish_info = {
-    POLARSSL_CIPHER_ID_BLOWFISH,
-    blowfish_crypt_cbc_wrap,
-    blowfish_crypt_cfb64_wrap,
-    blowfish_crypt_ctr_wrap,
-    blowfish_setkey_enc_wrap,
-    blowfish_setkey_dec_wrap,
-    blowfish_ctx_alloc,
-    blowfish_ctx_free
-};
-
-const cipher_info_t blowfish_cbc_info = {
-    POLARSSL_CIPHER_BLOWFISH_CBC,
-    POLARSSL_MODE_CBC,
-    128,
-    "BLOWFISH-CBC",
-    8,
-    8,
-    &blowfish_info
-};
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-const cipher_info_t blowfish_cfb64_info = {
-    POLARSSL_CIPHER_BLOWFISH_CFB64,
-    POLARSSL_MODE_CFB,
-    128,
-    "BLOWFISH-CFB64",
-    8,
-    8,
-    &blowfish_info
-};
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-const cipher_info_t blowfish_ctr_info = {
-    POLARSSL_CIPHER_BLOWFISH_CTR,
-    POLARSSL_MODE_CTR,
-    128,
-    "BLOWFISH-CTR",
-    8,
-    8,
-    &blowfish_info
-};
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-#endif /* POLARSSL_BLOWFISH_C */
-
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-static void * null_ctx_alloc( void )
-{
-    return (void *) 1;
-}
-
-
-static void null_ctx_free( void *ctx )
-{
-    ((void) ctx);
-}
-
-const cipher_base_t null_base_info = {
-    POLARSSL_CIPHER_ID_NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    null_ctx_alloc,
-    null_ctx_free
-};
-
-const cipher_info_t null_cipher_info = {
-    POLARSSL_CIPHER_NULL,
-    POLARSSL_MODE_NULL,
-    0,
-    "NULL",
-    1,
-    1,
-    &null_base_info
-};
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-#endif
diff --git a/makerom/polarssl/ctr_drbg.c b/makerom/polarssl/ctr_drbg.c
deleted file mode 100644
index 8cf03712..00000000
--- a/makerom/polarssl/ctr_drbg.c
+++ /dev/null
@@ -1,562 +0,0 @@
-/*
- *  CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The NIST SP 800-90 DRBGs are described in the following publucation.
- *
- *  http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_CTR_DRBG_C)
-
-#include "polarssl/ctr_drbg.h"
-
-#if defined(POLARSSL_FS_IO)
-#include <stdio.h>
-#endif
-
-/*
- * Non-public function wrapped by ctr_crbg_init(). Necessary to allow NIST
- * tests to succeed (which require known length fixed entropy)
- */
-int ctr_drbg_init_entropy_len(
-                   ctr_drbg_context *ctx,
-                   int (*f_entropy)(void *, unsigned char *, size_t),
-                   void *p_entropy,
-                   const unsigned char *custom,
-                   size_t len,
-                   size_t entropy_len )
-{
-    int ret;
-    unsigned char key[CTR_DRBG_KEYSIZE];
-
-    memset( ctx, 0, sizeof(ctr_drbg_context) );
-    memset( key, 0, CTR_DRBG_KEYSIZE );
-
-    ctx->f_entropy = f_entropy;
-    ctx->p_entropy = p_entropy;
-
-    ctx->entropy_len = entropy_len;
-    ctx->reseed_interval = CTR_DRBG_RESEED_INTERVAL;
-
-    /*
-     * Initialize with an empty key
-     */
-    aes_setkey_enc( &ctx->aes_ctx, key, CTR_DRBG_KEYBITS );
-
-    if( ( ret = ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
-        return( ret );
-
-    return( 0 );
-}
-
-int ctr_drbg_init( ctr_drbg_context *ctx,
-                   int (*f_entropy)(void *, unsigned char *, size_t),
-                   void *p_entropy,
-                   const unsigned char *custom,
-                   size_t len )
-{
-    return( ctr_drbg_init_entropy_len( ctx, f_entropy, p_entropy, custom, len,
-                                       CTR_DRBG_ENTROPY_LEN ) );
-}
-
-void ctr_drbg_set_prediction_resistance( ctr_drbg_context *ctx, int resistance )
-{
-    ctx->prediction_resistance = resistance;
-}
-
-void ctr_drbg_set_entropy_len( ctr_drbg_context *ctx, size_t len )
-{
-    ctx->entropy_len = len;
-}
-    
-void ctr_drbg_set_reseed_interval( ctr_drbg_context *ctx, int interval )
-{
-    ctx->reseed_interval = interval;
-}
-    
-int block_cipher_df( unsigned char *output,
-                     const unsigned char *data, size_t data_len )
-{
-    unsigned char buf[CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16];
-    unsigned char tmp[CTR_DRBG_SEEDLEN];
-    unsigned char key[CTR_DRBG_KEYSIZE];
-    unsigned char chain[CTR_DRBG_BLOCKSIZE];
-    unsigned char *p = buf, *iv;
-    aes_context aes_ctx;
-
-    int i, j, buf_len, use_len;
-
-    memset( buf, 0, CTR_DRBG_MAX_SEED_INPUT + CTR_DRBG_BLOCKSIZE + 16 );
-
-    /*
-     * Construct IV (16 bytes) and S in buffer
-     * IV = Counter (in 32-bits) padded to 16 with zeroes
-     * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
-     *     data || 0x80
-     *     (Total is padded to a multiple of 16-bytes with zeroes)
-     */
-    p = buf + CTR_DRBG_BLOCKSIZE;
-    *p++ = ( data_len >> 24 ) & 0xff;
-    *p++ = ( data_len >> 16 ) & 0xff;
-    *p++ = ( data_len >> 8  ) & 0xff;
-    *p++ = ( data_len       ) & 0xff;
-    p += 3;
-    *p++ = CTR_DRBG_SEEDLEN;
-    memcpy( p, data, data_len );
-    p[data_len] = 0x80;
-
-    buf_len = CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
-
-    for( i = 0; i < CTR_DRBG_KEYSIZE; i++ )
-        key[i] = i;
-
-    aes_setkey_enc( &aes_ctx, key, CTR_DRBG_KEYBITS );
-
-    /*
-     * Reduce data to POLARSSL_CTR_DRBG_SEEDLEN bytes of data
-     */
-    for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
-    {
-        p = buf;
-        memset( chain, 0, CTR_DRBG_BLOCKSIZE );
-        use_len = buf_len;
-
-        while( use_len > 0 )
-        {
-            for( i = 0; i < CTR_DRBG_BLOCKSIZE; i++ )
-                chain[i] ^= p[i];
-            p += CTR_DRBG_BLOCKSIZE;
-            use_len -= CTR_DRBG_BLOCKSIZE;
-
-            aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, chain, chain );
-        }
-        
-        memcpy( tmp + j, chain, CTR_DRBG_BLOCKSIZE );
-
-        /*
-         * Update IV
-         */
-        buf[3]++;
-    }
-
-    /*
-     * Do final encryption with reduced data
-     */
-    aes_setkey_enc( &aes_ctx, tmp, CTR_DRBG_KEYBITS );
-    iv = tmp + CTR_DRBG_KEYSIZE;
-    p = output;
-
-    for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
-    {
-        aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, iv, iv );
-        memcpy( p, iv, CTR_DRBG_BLOCKSIZE );
-        p += CTR_DRBG_BLOCKSIZE;
-    }
-
-    return( 0 );
-}
-
-int ctr_drbg_update_internal( ctr_drbg_context *ctx,
-                              const unsigned char data[CTR_DRBG_SEEDLEN] )
-{
-    unsigned char tmp[CTR_DRBG_SEEDLEN];
-    unsigned char *p = tmp;
-    int i, j;
-
-    memset( tmp, 0, CTR_DRBG_SEEDLEN );
-
-    for( j = 0; j < CTR_DRBG_SEEDLEN; j += CTR_DRBG_BLOCKSIZE )
-    {
-        /*
-         * Increase counter
-         */
-        for( i = CTR_DRBG_BLOCKSIZE; i > 0; i-- )
-            if( ++ctx->counter[i - 1] != 0 )
-                break;
-
-        /*
-         * Crypt counter block
-         */
-        aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, p );
-
-        p += CTR_DRBG_BLOCKSIZE;
-    }
-
-    for( i = 0; i < CTR_DRBG_SEEDLEN; i++ )
-        tmp[i] ^= data[i];
-
-    /*
-     * Update key and counter
-     */
-    aes_setkey_enc( &ctx->aes_ctx, tmp, CTR_DRBG_KEYBITS );
-    memcpy( ctx->counter, tmp + CTR_DRBG_KEYSIZE, CTR_DRBG_BLOCKSIZE );
-
-    return( 0 );
-}
-
-void ctr_drbg_update( ctr_drbg_context *ctx,
-                      const unsigned char *additional, size_t add_len )
-{
-    unsigned char add_input[CTR_DRBG_SEEDLEN];
-
-    if( add_len > 0 )
-    {
-        block_cipher_df( add_input, additional, add_len );
-        ctr_drbg_update_internal( ctx, add_input );
-    }
-}
-
-int ctr_drbg_reseed( ctr_drbg_context *ctx,
-                     const unsigned char *additional, size_t len )
-{
-    unsigned char seed[CTR_DRBG_MAX_SEED_INPUT];
-    size_t seedlen = 0;
-
-    if( ctx->entropy_len + len > CTR_DRBG_MAX_SEED_INPUT )
-        return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG );
-
-    memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT );
-
-    /*
-     * Gather enropy_len bytes of entropy to seed state
-     */
-    if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
-                             ctx->entropy_len ) )
-    {
-        return( POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
-    }
-
-    seedlen += ctx->entropy_len;
-
-    /*
-     * Add additional data
-     */
-    if( additional && len )
-    {
-        memcpy( seed + seedlen, additional, len );
-        seedlen += len;
-    }
-
-    /*
-     * Reduce to 384 bits
-     */
-    block_cipher_df( seed, seed, seedlen );
-
-    /*
-     * Update state
-     */
-    ctr_drbg_update_internal( ctx, seed );
-    ctx->reseed_counter = 1;
-
-    return( 0 );
-}
-    
-int ctr_drbg_random_with_add( void *p_rng,
-                              unsigned char *output, size_t output_len,
-                              const unsigned char *additional, size_t add_len )
-{
-    int ret = 0;
-    ctr_drbg_context *ctx = (ctr_drbg_context *) p_rng;
-    unsigned char add_input[CTR_DRBG_SEEDLEN];
-    unsigned char *p = output;
-    unsigned char tmp[CTR_DRBG_BLOCKSIZE];
-    int i;
-    size_t use_len;
-
-    if( output_len > CTR_DRBG_MAX_REQUEST )
-        return( POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG );
-
-    if( add_len > CTR_DRBG_MAX_INPUT )
-        return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG );
-
-    memset( add_input, 0, CTR_DRBG_SEEDLEN );
-
-    if( ctx->reseed_counter > ctx->reseed_interval ||
-        ctx->prediction_resistance )
-    {
-        if( ( ret = ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
-            return( ret );
-
-        add_len = 0;
-    }
-
-    if( add_len > 0 )
-    {
-        block_cipher_df( add_input, additional, add_len );
-        ctr_drbg_update_internal( ctx, add_input );
-    }
-
-    while( output_len > 0 )
-    {
-        /*
-         * Increase counter
-         */
-        for( i = CTR_DRBG_BLOCKSIZE; i > 0; i-- )
-            if( ++ctx->counter[i - 1] != 0 )
-                break;
-
-        /*
-         * Crypt counter block
-         */
-        aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, ctx->counter, tmp );
-
-        use_len = (output_len > CTR_DRBG_BLOCKSIZE ) ? CTR_DRBG_BLOCKSIZE : output_len;
-        /*
-         * Copy random block to destination
-         */
-        memcpy( p, tmp, use_len );
-        p += use_len;
-        output_len -= use_len;
-    }
-
-    ctr_drbg_update_internal( ctx, add_input );
-
-    ctx->reseed_counter++;
-
-    return( 0 );
-}
-
-int ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
-{
-    return ctr_drbg_random_with_add( p_rng, output, output_len, NULL, 0 );
-}
-
-#if defined(POLARSSL_FS_IO)
-int ctr_drbg_write_seed_file( ctr_drbg_context *ctx, const char *path )
-{
-    int ret;
-    FILE *f;
-    unsigned char buf[ CTR_DRBG_MAX_INPUT ];
-
-    if( ( f = fopen( path, "wb" ) ) == NULL )
-        return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR );
-
-    if( ( ret = ctr_drbg_random( ctx, buf, CTR_DRBG_MAX_INPUT ) ) != 0 )
-        return( ret );
-
-    if( fwrite( buf, 1, CTR_DRBG_MAX_INPUT, f ) != CTR_DRBG_MAX_INPUT )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-
-int ctr_drbg_update_seed_file( ctr_drbg_context *ctx, const char *path )
-{
-    FILE *f;
-    size_t n;
-    unsigned char buf[ CTR_DRBG_MAX_INPUT ];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR );
-
-    fseek( f, 0, SEEK_END );
-    n = (size_t) ftell( f );
-    fseek( f, 0, SEEK_SET );
-
-    if( n > CTR_DRBG_MAX_INPUT )
-        return( POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG );
-
-    if( fread( buf, 1, n, f ) != n )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR );
-    }
-
-    ctr_drbg_update( ctx, buf, n );
-    
-    fclose( f );
-    
-    return( ctr_drbg_write_seed_file( ctx, path ) );
-}
-#endif /* POLARSSL_FS_IO */
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-unsigned char entropy_source_pr[96] =
-    { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
-      0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
-      0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
-      0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
-      0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
-      0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
-      0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
-      0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
-      0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
-      0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
-      0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
-      0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
-
-unsigned char entropy_source_nopr[64] =
-    { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
-      0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
-      0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
-      0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
-      0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
-      0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
-      0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
-      0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
-
-unsigned char nonce_pers_pr[16] =
-    { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
-      0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
-
-unsigned char nonce_pers_nopr[16] =
-    { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
-      0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
-
-unsigned char result_pr[16] =
-    { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
-      0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
-
-unsigned char result_nopr[16] =
-    { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
-      0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
-
-int test_offset;
-int ctr_drbg_self_test_entropy( void *data, unsigned char *buf, size_t len )
-{
-    unsigned char *p = data;
-    memcpy( buf, p + test_offset, len );
-    test_offset += 32;
-    return( 0 );
-}
-
-/*
- * Checkup routine
- */
-int ctr_drbg_self_test( int verbose )
-{
-    ctr_drbg_context ctx;
-    unsigned char buf[16];
-
-    /*
-     * Based on a NIST CTR_DRBG test vector (PR = True)
-     */
-    if( verbose != 0 )
-        printf( "  CTR_DRBG (PR = TRUE) : " );
-
-    test_offset = 0;
-    if( ctr_drbg_init_entropy_len( &ctx, ctr_drbg_self_test_entropy, entropy_source_pr, nonce_pers_pr, 16, 32 ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-    ctr_drbg_set_prediction_resistance( &ctx, CTR_DRBG_PR_ON );
-
-    if( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( ctr_drbg_random( &ctx, buf, CTR_DRBG_BLOCKSIZE ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( memcmp( buf, result_pr, CTR_DRBG_BLOCKSIZE ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-    
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    /*
-     * Based on a NIST CTR_DRBG test vector (PR = FALSE)
-     */
-    if( verbose != 0 )
-        printf( "  CTR_DRBG (PR = FALSE): " );
-
-    test_offset = 0;
-    if( ctr_drbg_init_entropy_len( &ctx, ctr_drbg_self_test_entropy, entropy_source_nopr, nonce_pers_nopr, 16, 32 ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( ctr_drbg_random( &ctx, buf, 16 ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( ctr_drbg_reseed( &ctx, NULL, 0 ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( ctr_drbg_random( &ctx, buf, 16 ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( memcmp( buf, result_nopr, 16 ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-    
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    if( verbose != 0 )
-            printf( "\n" );
-
-    return( 0 );
-}
-#endif
-
-#endif
diff --git a/makerom/polarssl/debug.c b/makerom/polarssl/debug.c
deleted file mode 100644
index 81ee6490..00000000
--- a/makerom/polarssl/debug.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- *  Debugging routines
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_DEBUG_C)
-
-#include "polarssl/debug.h"
-
-#include <stdarg.h>
-#include <stdlib.h>
-
-#if defined _MSC_VER && !defined  snprintf
-#define  snprintf  _snprintf
-#endif
-
-#if defined _MSC_VER && !defined vsnprintf
-#define vsnprintf _vsnprintf
-#endif
-
-char *debug_fmt( const char *format, ... )
-{
-    va_list argp;
-    static char str[512];
-    int maxlen = sizeof( str ) - 1;
-
-    va_start( argp, format );
-    vsnprintf( str, maxlen, format, argp );
-    va_end( argp );
-
-    str[maxlen] = '\0';
-    return( str );
-}
-
-void debug_print_msg( const ssl_context *ssl, int level,
-                      const char *file, int line, const char *text )
-{
-    char str[512];
-    int maxlen = sizeof( str ) - 1;
-
-    if( ssl->f_dbg == NULL )
-        return;
-
-    snprintf( str, maxlen, "%s(%04d): %s\n", file, line, text );
-    str[maxlen] = '\0';
-    ssl->f_dbg( ssl->p_dbg, level, str );
-}
-
-void debug_print_ret( const ssl_context *ssl, int level,
-                      const char *file, int line,
-                      const char *text, int ret )
-{
-    char str[512];
-    int maxlen = sizeof( str ) - 1;
-
-    if( ssl->f_dbg == NULL )
-        return;
-
-    snprintf( str, maxlen, "%s(%04d): %s() returned %d (0x%x)\n",
-              file, line, text, ret, ret );
-
-    str[maxlen] = '\0';
-    ssl->f_dbg( ssl->p_dbg, level, str );
-}
-
-void debug_print_buf( const ssl_context *ssl, int level,
-                      const char *file, int line, const char *text,
-                      unsigned char *buf, size_t len )
-{
-    char str[512];
-    size_t i, maxlen = sizeof( str ) - 1;
-
-    if( ssl->f_dbg == NULL )
-        return;
-
-    snprintf( str, maxlen, "%s(%04d): dumping '%s' (%d bytes)\n",
-              file, line, text, (unsigned int) len );
-
-    str[maxlen] = '\0';
-    ssl->f_dbg( ssl->p_dbg, level, str );
-
-    for( i = 0; i < len; i++ )
-    {
-        if( i >= 4096 )
-            break;
-
-        if( i % 16 == 0 )
-        {
-            if( i > 0 )
-                ssl->f_dbg( ssl->p_dbg, level, "\n" );
-
-            snprintf( str, maxlen, "%s(%04d): %04x: ", file, line,
-                      (unsigned int) i );
-
-            str[maxlen] = '\0';
-            ssl->f_dbg( ssl->p_dbg, level, str );
-        }
-
-        snprintf( str, maxlen, " %02x", (unsigned int) buf[i] );
-
-        str[maxlen] = '\0';
-        ssl->f_dbg( ssl->p_dbg, level, str );
-    }
-
-    if( len > 0 )
-        ssl->f_dbg( ssl->p_dbg, level, "\n" );
-}
-
-void debug_print_mpi( const ssl_context *ssl, int level,
-                      const char *file, int line,
-                      const char *text, const mpi *X )
-{
-    char str[512];
-    int j, k, maxlen = sizeof( str ) - 1, zeros = 1;
-    size_t i, n;
-
-    if( ssl->f_dbg == NULL || X == NULL )
-        return;
-
-    for( n = X->n - 1; n > 0; n-- )
-        if( X->p[n] != 0 )
-            break;
-
-    for( j = ( sizeof(t_uint) << 3 ) - 1; j >= 0; j-- )
-        if( ( ( X->p[n] >> j ) & 1 ) != 0 )
-            break;
-
-    snprintf( str, maxlen, "%s(%04d): value of '%s' (%d bits) is:\n",
-              file, line, text, 
-              (int) ( ( n * ( sizeof(t_uint) << 3 ) ) + j + 1 ) );
-
-    str[maxlen] = '\0';
-    ssl->f_dbg( ssl->p_dbg, level, str );
-
-    for( i = n + 1, j = 0; i > 0; i-- )
-    {
-        if( zeros && X->p[i - 1] == 0 )
-            continue;
-
-        for( k = sizeof( t_uint ) - 1; k >= 0; k-- )
-        {
-            if( zeros && ( ( X->p[i - 1] >> (k << 3) ) & 0xFF ) == 0 )
-                continue;
-            else
-                zeros = 0;
-
-            if( j % 16 == 0 )
-            {
-                if( j > 0 )
-                    ssl->f_dbg( ssl->p_dbg, level, "\n" );
-
-                snprintf( str, maxlen, "%s(%04d): ", file, line );
-
-                str[maxlen] = '\0';
-                ssl->f_dbg( ssl->p_dbg, level, str );
-            }
-
-            snprintf( str, maxlen, " %02x", (unsigned int)
-                      ( X->p[i - 1] >> (k << 3) ) & 0xFF );
-
-            str[maxlen] = '\0';
-            ssl->f_dbg( ssl->p_dbg, level, str );
-
-            j++;
-        }
-
-    }
-
-    if( zeros == 1 )
-    {
-        snprintf( str, maxlen, "%s(%04d): ", file, line );
-
-        str[maxlen] = '\0';
-        ssl->f_dbg( ssl->p_dbg, level, str );
-        ssl->f_dbg( ssl->p_dbg, level, " 00" );
-    }
-
-    ssl->f_dbg( ssl->p_dbg, level, "\n" );
-}
-
-void debug_print_crt( const ssl_context *ssl, int level,
-                      const char *file, int line,
-                      const char *text, const x509_cert *crt )
-{
-    char str[1024], prefix[64];
-    int i = 0, maxlen = sizeof( prefix ) - 1;
-
-    if( ssl->f_dbg == NULL || crt == NULL )
-        return;
-
-    snprintf( prefix, maxlen, "%s(%04d): ", file, line );
-    prefix[maxlen] = '\0';
-    maxlen = sizeof( str ) - 1;
-
-    while( crt != NULL )
-    {
-        char buf[1024];
-        x509parse_cert_info( buf, sizeof( buf ) - 1, prefix, crt );
-
-        snprintf( str, maxlen, "%s(%04d): %s #%d:\n%s",
-                  file, line, text, ++i, buf );
-
-        str[maxlen] = '\0';
-        ssl->f_dbg( ssl->p_dbg, level, str );
-
-        debug_print_mpi( ssl, level, file, line,
-                         "crt->rsa.N", &crt->rsa.N );
-
-        debug_print_mpi( ssl, level, file, line,
-                         "crt->rsa.E", &crt->rsa.E );
-
-        crt = crt->next;
-    }
-}
-
-#endif
diff --git a/makerom/polarssl/des.c b/makerom/polarssl/des.c
deleted file mode 100644
index 0cf4b3d5..00000000
--- a/makerom/polarssl/des.c
+++ /dev/null
@@ -1,997 +0,0 @@
-/*
- *  FIPS-46-3 compliant Triple-DES implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  DES, on which TDES is based, was originally designed by Horst Feistel
- *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
- *
- *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_DES_C)
-
-#include "polarssl/des.h"
-
-#if !defined(POLARSSL_DES_ALT)
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 3]       );            \
-}
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-/*
- * Expanded DES S-boxes
- */
-static const uint32_t SB1[64] =
-{
-    0x01010400, 0x00000000, 0x00010000, 0x01010404,
-    0x01010004, 0x00010404, 0x00000004, 0x00010000,
-    0x00000400, 0x01010400, 0x01010404, 0x00000400,
-    0x01000404, 0x01010004, 0x01000000, 0x00000004,
-    0x00000404, 0x01000400, 0x01000400, 0x00010400,
-    0x00010400, 0x01010000, 0x01010000, 0x01000404,
-    0x00010004, 0x01000004, 0x01000004, 0x00010004,
-    0x00000000, 0x00000404, 0x00010404, 0x01000000,
-    0x00010000, 0x01010404, 0x00000004, 0x01010000,
-    0x01010400, 0x01000000, 0x01000000, 0x00000400,
-    0x01010004, 0x00010000, 0x00010400, 0x01000004,
-    0x00000400, 0x00000004, 0x01000404, 0x00010404,
-    0x01010404, 0x00010004, 0x01010000, 0x01000404,
-    0x01000004, 0x00000404, 0x00010404, 0x01010400,
-    0x00000404, 0x01000400, 0x01000400, 0x00000000,
-    0x00010004, 0x00010400, 0x00000000, 0x01010004
-};
-
-static const uint32_t SB2[64] =
-{
-    0x80108020, 0x80008000, 0x00008000, 0x00108020,
-    0x00100000, 0x00000020, 0x80100020, 0x80008020,
-    0x80000020, 0x80108020, 0x80108000, 0x80000000,
-    0x80008000, 0x00100000, 0x00000020, 0x80100020,
-    0x00108000, 0x00100020, 0x80008020, 0x00000000,
-    0x80000000, 0x00008000, 0x00108020, 0x80100000,
-    0x00100020, 0x80000020, 0x00000000, 0x00108000,
-    0x00008020, 0x80108000, 0x80100000, 0x00008020,
-    0x00000000, 0x00108020, 0x80100020, 0x00100000,
-    0x80008020, 0x80100000, 0x80108000, 0x00008000,
-    0x80100000, 0x80008000, 0x00000020, 0x80108020,
-    0x00108020, 0x00000020, 0x00008000, 0x80000000,
-    0x00008020, 0x80108000, 0x00100000, 0x80000020,
-    0x00100020, 0x80008020, 0x80000020, 0x00100020,
-    0x00108000, 0x00000000, 0x80008000, 0x00008020,
-    0x80000000, 0x80100020, 0x80108020, 0x00108000
-};
-
-static const uint32_t SB3[64] =
-{
-    0x00000208, 0x08020200, 0x00000000, 0x08020008,
-    0x08000200, 0x00000000, 0x00020208, 0x08000200,
-    0x00020008, 0x08000008, 0x08000008, 0x00020000,
-    0x08020208, 0x00020008, 0x08020000, 0x00000208,
-    0x08000000, 0x00000008, 0x08020200, 0x00000200,
-    0x00020200, 0x08020000, 0x08020008, 0x00020208,
-    0x08000208, 0x00020200, 0x00020000, 0x08000208,
-    0x00000008, 0x08020208, 0x00000200, 0x08000000,
-    0x08020200, 0x08000000, 0x00020008, 0x00000208,
-    0x00020000, 0x08020200, 0x08000200, 0x00000000,
-    0x00000200, 0x00020008, 0x08020208, 0x08000200,
-    0x08000008, 0x00000200, 0x00000000, 0x08020008,
-    0x08000208, 0x00020000, 0x08000000, 0x08020208,
-    0x00000008, 0x00020208, 0x00020200, 0x08000008,
-    0x08020000, 0x08000208, 0x00000208, 0x08020000,
-    0x00020208, 0x00000008, 0x08020008, 0x00020200
-};
-
-static const uint32_t SB4[64] =
-{
-    0x00802001, 0x00002081, 0x00002081, 0x00000080,
-    0x00802080, 0x00800081, 0x00800001, 0x00002001,
-    0x00000000, 0x00802000, 0x00802000, 0x00802081,
-    0x00000081, 0x00000000, 0x00800080, 0x00800001,
-    0x00000001, 0x00002000, 0x00800000, 0x00802001,
-    0x00000080, 0x00800000, 0x00002001, 0x00002080,
-    0x00800081, 0x00000001, 0x00002080, 0x00800080,
-    0x00002000, 0x00802080, 0x00802081, 0x00000081,
-    0x00800080, 0x00800001, 0x00802000, 0x00802081,
-    0x00000081, 0x00000000, 0x00000000, 0x00802000,
-    0x00002080, 0x00800080, 0x00800081, 0x00000001,
-    0x00802001, 0x00002081, 0x00002081, 0x00000080,
-    0x00802081, 0x00000081, 0x00000001, 0x00002000,
-    0x00800001, 0x00002001, 0x00802080, 0x00800081,
-    0x00002001, 0x00002080, 0x00800000, 0x00802001,
-    0x00000080, 0x00800000, 0x00002000, 0x00802080
-};
-
-static const uint32_t SB5[64] =
-{
-    0x00000100, 0x02080100, 0x02080000, 0x42000100,
-    0x00080000, 0x00000100, 0x40000000, 0x02080000,
-    0x40080100, 0x00080000, 0x02000100, 0x40080100,
-    0x42000100, 0x42080000, 0x00080100, 0x40000000,
-    0x02000000, 0x40080000, 0x40080000, 0x00000000,
-    0x40000100, 0x42080100, 0x42080100, 0x02000100,
-    0x42080000, 0x40000100, 0x00000000, 0x42000000,
-    0x02080100, 0x02000000, 0x42000000, 0x00080100,
-    0x00080000, 0x42000100, 0x00000100, 0x02000000,
-    0x40000000, 0x02080000, 0x42000100, 0x40080100,
-    0x02000100, 0x40000000, 0x42080000, 0x02080100,
-    0x40080100, 0x00000100, 0x02000000, 0x42080000,
-    0x42080100, 0x00080100, 0x42000000, 0x42080100,
-    0x02080000, 0x00000000, 0x40080000, 0x42000000,
-    0x00080100, 0x02000100, 0x40000100, 0x00080000,
-    0x00000000, 0x40080000, 0x02080100, 0x40000100
-};
-
-static const uint32_t SB6[64] =
-{
-    0x20000010, 0x20400000, 0x00004000, 0x20404010,
-    0x20400000, 0x00000010, 0x20404010, 0x00400000,
-    0x20004000, 0x00404010, 0x00400000, 0x20000010,
-    0x00400010, 0x20004000, 0x20000000, 0x00004010,
-    0x00000000, 0x00400010, 0x20004010, 0x00004000,
-    0x00404000, 0x20004010, 0x00000010, 0x20400010,
-    0x20400010, 0x00000000, 0x00404010, 0x20404000,
-    0x00004010, 0x00404000, 0x20404000, 0x20000000,
-    0x20004000, 0x00000010, 0x20400010, 0x00404000,
-    0x20404010, 0x00400000, 0x00004010, 0x20000010,
-    0x00400000, 0x20004000, 0x20000000, 0x00004010,
-    0x20000010, 0x20404010, 0x00404000, 0x20400000,
-    0x00404010, 0x20404000, 0x00000000, 0x20400010,
-    0x00000010, 0x00004000, 0x20400000, 0x00404010,
-    0x00004000, 0x00400010, 0x20004010, 0x00000000,
-    0x20404000, 0x20000000, 0x00400010, 0x20004010
-};
-
-static const uint32_t SB7[64] =
-{
-    0x00200000, 0x04200002, 0x04000802, 0x00000000,
-    0x00000800, 0x04000802, 0x00200802, 0x04200800,
-    0x04200802, 0x00200000, 0x00000000, 0x04000002,
-    0x00000002, 0x04000000, 0x04200002, 0x00000802,
-    0x04000800, 0x00200802, 0x00200002, 0x04000800,
-    0x04000002, 0x04200000, 0x04200800, 0x00200002,
-    0x04200000, 0x00000800, 0x00000802, 0x04200802,
-    0x00200800, 0x00000002, 0x04000000, 0x00200800,
-    0x04000000, 0x00200800, 0x00200000, 0x04000802,
-    0x04000802, 0x04200002, 0x04200002, 0x00000002,
-    0x00200002, 0x04000000, 0x04000800, 0x00200000,
-    0x04200800, 0x00000802, 0x00200802, 0x04200800,
-    0x00000802, 0x04000002, 0x04200802, 0x04200000,
-    0x00200800, 0x00000000, 0x00000002, 0x04200802,
-    0x00000000, 0x00200802, 0x04200000, 0x00000800,
-    0x04000002, 0x04000800, 0x00000800, 0x00200002
-};
-
-static const uint32_t SB8[64] =
-{
-    0x10001040, 0x00001000, 0x00040000, 0x10041040,
-    0x10000000, 0x10001040, 0x00000040, 0x10000000,
-    0x00040040, 0x10040000, 0x10041040, 0x00041000,
-    0x10041000, 0x00041040, 0x00001000, 0x00000040,
-    0x10040000, 0x10000040, 0x10001000, 0x00001040,
-    0x00041000, 0x00040040, 0x10040040, 0x10041000,
-    0x00001040, 0x00000000, 0x00000000, 0x10040040,
-    0x10000040, 0x10001000, 0x00041040, 0x00040000,
-    0x00041040, 0x00040000, 0x10041000, 0x00001000,
-    0x00000040, 0x10040040, 0x00001000, 0x00041040,
-    0x10001000, 0x00000040, 0x10000040, 0x10040000,
-    0x10040040, 0x10000000, 0x00040000, 0x10001040,
-    0x00000000, 0x10041040, 0x00040040, 0x10000040,
-    0x10040000, 0x10001000, 0x10001040, 0x00000000,
-    0x10041040, 0x00041000, 0x00041000, 0x00001040,
-    0x00001040, 0x00040040, 0x10000000, 0x10041000
-};
-
-/*
- * PC1: left and right halves bit-swap
- */
-static const uint32_t LHs[16] =
-{
-    0x00000000, 0x00000001, 0x00000100, 0x00000101,
-    0x00010000, 0x00010001, 0x00010100, 0x00010101,
-    0x01000000, 0x01000001, 0x01000100, 0x01000101,
-    0x01010000, 0x01010001, 0x01010100, 0x01010101
-};
-
-static const uint32_t RHs[16] =
-{
-    0x00000000, 0x01000000, 0x00010000, 0x01010000,
-    0x00000100, 0x01000100, 0x00010100, 0x01010100,
-    0x00000001, 0x01000001, 0x00010001, 0x01010001,
-    0x00000101, 0x01000101, 0x00010101, 0x01010101,
-};
-
-/*
- * Initial Permutation macro
- */
-#define DES_IP(X,Y)                                             \
-{                                                               \
-    T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
-    T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
-    T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
-    T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
-    Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF;                    \
-    T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T;                   \
-    X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF;                    \
-}
-
-/*
- * Final Permutation macro
- */
-#define DES_FP(X,Y)                                             \
-{                                                               \
-    X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF;                    \
-    T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T;                   \
-    Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF;                    \
-    T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
-    T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
-    T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
-    T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
-}
-
-/*
- * DES round macro
- */
-#define DES_ROUND(X,Y)                          \
-{                                               \
-    T = *SK++ ^ X;                              \
-    Y ^= SB8[ (T      ) & 0x3F ] ^              \
-         SB6[ (T >>  8) & 0x3F ] ^              \
-         SB4[ (T >> 16) & 0x3F ] ^              \
-         SB2[ (T >> 24) & 0x3F ];               \
-                                                \
-    T = *SK++ ^ ((X << 28) | (X >> 4));         \
-    Y ^= SB7[ (T      ) & 0x3F ] ^              \
-         SB5[ (T >>  8) & 0x3F ] ^              \
-         SB3[ (T >> 16) & 0x3F ] ^              \
-         SB1[ (T >> 24) & 0x3F ];               \
-}
-
-#define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; }
-
-static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
-        11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
-        47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
-        82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
-        115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
-        143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
-        171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
-        199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
-        227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
-        254 };
-
-void des_key_set_parity( unsigned char key[DES_KEY_SIZE] )
-{
-    int i;
-
-    for( i = 0; i < DES_KEY_SIZE; i++ )
-        key[i] = odd_parity_table[key[i] / 2];
-}
-
-/*
- * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
- */
-int des_key_check_key_parity( const unsigned char key[DES_KEY_SIZE] )
-{
-    int i;
-
-    for( i = 0; i < DES_KEY_SIZE; i++ )
-        if ( key[i] != odd_parity_table[key[i] / 2] )
-            return( 1 );
-
-    return( 0 );
-}
-
-/*
- * Table of weak and semi-weak keys
- *
- * Source: http://en.wikipedia.org/wiki/Weak_key
- *
- * Weak:
- * Alternating ones + zeros (0x0101010101010101)
- * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
- * '0xE0E0E0E0F1F1F1F1'
- * '0x1F1F1F1F0E0E0E0E'
- *
- * Semi-weak:
- * 0x011F011F010E010E and 0x1F011F010E010E01
- * 0x01E001E001F101F1 and 0xE001E001F101F101
- * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
- * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
- * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
- * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
- *
- */
-
-#define WEAK_KEY_COUNT 16
-
-static const unsigned char weak_key_table[WEAK_KEY_COUNT][DES_KEY_SIZE] =
-{
-    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
-    { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
-    { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
-    { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
-
-    { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
-    { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
-    { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
-    { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
-    { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
-    { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
-    { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
-    { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
-    { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
-    { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
-    { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
-    { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
-};
-
-int des_key_check_weak( const unsigned char key[DES_KEY_SIZE] )
-{
-    int i;
-
-    for( i = 0; i < WEAK_KEY_COUNT; i++ )
-        if( memcmp( weak_key_table[i], key, DES_KEY_SIZE) == 0)
-            return( 1 );
-
-    return( 0 );
-}
-
-static void des_setkey( uint32_t SK[32], const unsigned char key[DES_KEY_SIZE] )
-{
-    int i;
-    uint32_t X, Y, T;
-
-    GET_UINT32_BE( X, key, 0 );
-    GET_UINT32_BE( Y, key, 4 );
-
-    /*
-     * Permuted Choice 1
-     */
-    T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
-    T =  ((Y      ) ^ X) & 0x10101010;  X ^= T; Y ^= (T      );
-
-    X =   (LHs[ (X      ) & 0xF] << 3) | (LHs[ (X >>  8) & 0xF ] << 2)
-        | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ]     )
-        | (LHs[ (X >>  5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
-        | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
-
-    Y =   (RHs[ (Y >>  1) & 0xF] << 3) | (RHs[ (Y >>  9) & 0xF ] << 2)
-        | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ]     )
-        | (RHs[ (Y >>  4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
-        | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
-
-    X &= 0x0FFFFFFF;
-    Y &= 0x0FFFFFFF;
-
-    /*
-     * calculate subkeys
-     */
-    for( i = 0; i < 16; i++ )
-    {
-        if( i < 2 || i == 8 || i == 15 )
-        {
-            X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
-            Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
-        }
-        else
-        {
-            X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
-            Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
-        }
-
-        *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
-                | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
-                | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
-                | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
-                | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
-                | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
-                | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
-                | ((Y >> 14) & 0x00000200) | ((Y      ) & 0x00000100)
-                | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
-                | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
-                | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
-
-        *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
-                | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
-                | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
-                | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
-                | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
-                | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
-                | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
-                | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
-                | ((Y      ) & 0x00000200) | ((Y <<  7) & 0x00000100)
-                | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
-                | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
-    }
-}
-
-/*
- * DES key schedule (56-bit, encryption)
- */
-int des_setkey_enc( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
-{
-    des_setkey( ctx->sk, key );
-
-    return( 0 );
-}
-
-/*
- * DES key schedule (56-bit, decryption)
- */
-int des_setkey_dec( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
-{
-    int i;
-
-    des_setkey( ctx->sk, key );
-
-    for( i = 0; i < 16; i += 2 )
-    {
-        SWAP( ctx->sk[i    ], ctx->sk[30 - i] );
-        SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
-    }
-
-    return( 0 );
-}
-
-static void des3_set2key( uint32_t esk[96],
-                          uint32_t dsk[96],
-                          const unsigned char key[DES_KEY_SIZE*2] )
-{
-    int i;
-
-    des_setkey( esk, key );
-    des_setkey( dsk + 32, key + 8 );
-
-    for( i = 0; i < 32; i += 2 )
-    {
-        dsk[i     ] = esk[30 - i];
-        dsk[i +  1] = esk[31 - i];
-
-        esk[i + 32] = dsk[62 - i];
-        esk[i + 33] = dsk[63 - i];
-
-        esk[i + 64] = esk[i    ];
-        esk[i + 65] = esk[i + 1];
-
-        dsk[i + 64] = dsk[i    ];
-        dsk[i + 65] = dsk[i + 1];
-    }
-}
-
-/*
- * Triple-DES key schedule (112-bit, encryption)
- */
-int des3_set2key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
-{
-    uint32_t sk[96];
-
-    des3_set2key( ctx->sk, sk, key );
-    memset( sk,  0, sizeof( sk ) );
-
-    return( 0 );
-}
-
-/*
- * Triple-DES key schedule (112-bit, decryption)
- */
-int des3_set2key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
-{
-    uint32_t sk[96];
-
-    des3_set2key( sk, ctx->sk, key );
-    memset( sk,  0, sizeof( sk ) );
-
-    return( 0 );
-}
-
-static void des3_set3key( uint32_t esk[96],
-                          uint32_t dsk[96],
-                          const unsigned char key[24] )
-{
-    int i;
-
-    des_setkey( esk, key );
-    des_setkey( dsk + 32, key +  8 );
-    des_setkey( esk + 64, key + 16 );
-
-    for( i = 0; i < 32; i += 2 )
-    {
-        dsk[i     ] = esk[94 - i];
-        dsk[i +  1] = esk[95 - i];
-
-        esk[i + 32] = dsk[62 - i];
-        esk[i + 33] = dsk[63 - i];
-
-        dsk[i + 64] = esk[30 - i];
-        dsk[i + 65] = esk[31 - i];
-    }
-}
-
-/*
- * Triple-DES key schedule (168-bit, encryption)
- */
-int des3_set3key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
-{
-    uint32_t sk[96];
-
-    des3_set3key( ctx->sk, sk, key );
-    memset( sk, 0, sizeof( sk ) );
-
-    return( 0 );
-}
-
-/*
- * Triple-DES key schedule (168-bit, decryption)
- */
-int des3_set3key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
-{
-    uint32_t sk[96];
-
-    des3_set3key( sk, ctx->sk, key );
-    memset( sk, 0, sizeof( sk ) );
-
-    return( 0 );
-}
-
-/*
- * DES-ECB block encryption/decryption
- */
-int des_crypt_ecb( des_context *ctx,
-                    const unsigned char input[8],
-                    unsigned char output[8] )
-{
-    int i;
-    uint32_t X, Y, T, *SK;
-
-    SK = ctx->sk;
-
-    GET_UINT32_BE( X, input, 0 );
-    GET_UINT32_BE( Y, input, 4 );
-
-    DES_IP( X, Y );
-
-    for( i = 0; i < 8; i++ )
-    {
-        DES_ROUND( Y, X );
-        DES_ROUND( X, Y );
-    }
-
-    DES_FP( Y, X );
-
-    PUT_UINT32_BE( Y, output, 0 );
-    PUT_UINT32_BE( X, output, 4 );
-
-    return( 0 );
-}
-
-/*
- * DES-CBC buffer encryption/decryption
- */
-int des_crypt_cbc( des_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[8],
-                    const unsigned char *input,
-                    unsigned char *output )
-{
-    int i;
-    unsigned char temp[8];
-
-    if( length % 8 )
-        return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
-
-    if( mode == DES_ENCRYPT )
-    {
-        while( length > 0 )
-        {
-            for( i = 0; i < 8; i++ )
-                output[i] = (unsigned char)( input[i] ^ iv[i] );
-
-            des_crypt_ecb( ctx, output, output );
-            memcpy( iv, output, 8 );
-
-            input  += 8;
-            output += 8;
-            length -= 8;
-        }
-    }
-    else /* DES_DECRYPT */
-    {
-        while( length > 0 )
-        {
-            memcpy( temp, input, 8 );
-            des_crypt_ecb( ctx, input, output );
-
-            for( i = 0; i < 8; i++ )
-                output[i] = (unsigned char)( output[i] ^ iv[i] );
-
-            memcpy( iv, temp, 8 );
-
-            input  += 8;
-            output += 8;
-            length -= 8;
-        }
-    }
-
-    return( 0 );
-}
-
-/*
- * 3DES-ECB block encryption/decryption
- */
-int des3_crypt_ecb( des3_context *ctx,
-                     const unsigned char input[8],
-                     unsigned char output[8] )
-{
-    int i;
-    uint32_t X, Y, T, *SK;
-
-    SK = ctx->sk;
-
-    GET_UINT32_BE( X, input, 0 );
-    GET_UINT32_BE( Y, input, 4 );
-
-    DES_IP( X, Y );
-
-    for( i = 0; i < 8; i++ )
-    {
-        DES_ROUND( Y, X );
-        DES_ROUND( X, Y );
-    }
-
-    for( i = 0; i < 8; i++ )
-    {
-        DES_ROUND( X, Y );
-        DES_ROUND( Y, X );
-    }
-
-    for( i = 0; i < 8; i++ )
-    {
-        DES_ROUND( Y, X );
-        DES_ROUND( X, Y );
-    }
-
-    DES_FP( Y, X );
-
-    PUT_UINT32_BE( Y, output, 0 );
-    PUT_UINT32_BE( X, output, 4 );
-
-    return( 0 );
-}
-
-/*
- * 3DES-CBC buffer encryption/decryption
- */
-int des3_crypt_cbc( des3_context *ctx,
-                     int mode,
-                     size_t length,
-                     unsigned char iv[8],
-                     const unsigned char *input,
-                     unsigned char *output )
-{
-    int i;
-    unsigned char temp[8];
-
-    if( length % 8 )
-        return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
-
-    if( mode == DES_ENCRYPT )
-    {
-        while( length > 0 )
-        {
-            for( i = 0; i < 8; i++ )
-                output[i] = (unsigned char)( input[i] ^ iv[i] );
-
-            des3_crypt_ecb( ctx, output, output );
-            memcpy( iv, output, 8 );
-
-            input  += 8;
-            output += 8;
-            length -= 8;
-        }
-    }
-    else /* DES_DECRYPT */
-    {
-        while( length > 0 )
-        {
-            memcpy( temp, input, 8 );
-            des3_crypt_ecb( ctx, input, output );
-
-            for( i = 0; i < 8; i++ )
-                output[i] = (unsigned char)( output[i] ^ iv[i] );
-
-            memcpy( iv, temp, 8 );
-
-            input  += 8;
-            output += 8;
-            length -= 8;
-        }
-    }
-
-    return( 0 );
-}
-
-#endif /* !POLARSSL_DES_ALT */
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-/*
- * DES and 3DES test vectors from:
- *
- * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
- */
-static const unsigned char des3_test_keys[24] =
-{
-    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
-    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
-    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
-};
-
-static const unsigned char des3_test_iv[8] =
-{
-    0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
-};
-
-static const unsigned char des3_test_buf[8] =
-{
-    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
-};
-
-static const unsigned char des3_test_ecb_dec[3][8] =
-{
-    { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
-    { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
-    { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
-};
-
-static const unsigned char des3_test_ecb_enc[3][8] =
-{
-    { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
-    { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
-    { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
-};
-
-static const unsigned char des3_test_cbc_dec[3][8] =
-{
-    { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
-    { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
-    { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
-};
-
-static const unsigned char des3_test_cbc_enc[3][8] =
-{
-    { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
-    { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
-    { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
-};
-
-/*
- * Checkup routine
- */
-int des_self_test( int verbose )
-{
-    int i, j, u, v;
-    des_context ctx;
-    des3_context ctx3;
-    unsigned char key[24];
-    unsigned char buf[8];
-    unsigned char prv[8];
-    unsigned char iv[8];
-
-    memset( key, 0, 24 );
-
-    /*
-     * ECB mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  DES%c-ECB-%3d (%s): ",
-                    ( u == 0 ) ? ' ' : '3', 56 + u * 56,
-                    ( v == DES_DECRYPT ) ? "dec" : "enc" );
-
-        memcpy( buf, des3_test_buf, 8 );
-
-        switch( i )
-        {
-        case 0:
-            des_setkey_dec( &ctx, des3_test_keys );
-            break;
-
-        case 1:
-            des_setkey_enc( &ctx, des3_test_keys );
-            break;
-
-        case 2:
-            des3_set2key_dec( &ctx3, des3_test_keys );
-            break;
-
-        case 3:
-            des3_set2key_enc( &ctx3, des3_test_keys );
-            break;
-
-        case 4:
-            des3_set3key_dec( &ctx3, des3_test_keys );
-            break;
-
-        case 5:
-            des3_set3key_enc( &ctx3, des3_test_keys );
-            break;
-
-        default:
-            return( 1 );
-        }
-
-        for( j = 0; j < 10000; j++ )
-        {
-            if( u == 0 )
-                des_crypt_ecb( &ctx, buf, buf );
-            else
-                des3_crypt_ecb( &ctx3, buf, buf );
-        }
-
-        if( ( v == DES_DECRYPT &&
-                memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
-            ( v != DES_DECRYPT &&
-                memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    /*
-     * CBC mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  DES%c-CBC-%3d (%s): ",
-                    ( u == 0 ) ? ' ' : '3', 56 + u * 56,
-                    ( v == DES_DECRYPT ) ? "dec" : "enc" );
-
-        memcpy( iv,  des3_test_iv,  8 );
-        memcpy( prv, des3_test_iv,  8 );
-        memcpy( buf, des3_test_buf, 8 );
-
-        switch( i )
-        {
-        case 0:
-            des_setkey_dec( &ctx, des3_test_keys );
-            break;
-
-        case 1:
-            des_setkey_enc( &ctx, des3_test_keys );
-            break;
-
-        case 2:
-            des3_set2key_dec( &ctx3, des3_test_keys );
-            break;
-
-        case 3:
-            des3_set2key_enc( &ctx3, des3_test_keys );
-            break;
-
-        case 4:
-            des3_set3key_dec( &ctx3, des3_test_keys );
-            break;
-
-        case 5:
-            des3_set3key_enc( &ctx3, des3_test_keys );
-            break;
-
-        default:
-            return( 1 );
-        }
-
-        if( v == DES_DECRYPT )
-        {
-            for( j = 0; j < 10000; j++ )
-            {
-                if( u == 0 )
-                    des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
-                else
-                    des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
-            }
-        }
-        else
-        {
-            for( j = 0; j < 10000; j++ )
-            {
-                unsigned char tmp[8];
-
-                if( u == 0 )
-                    des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
-                else
-                    des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
-
-                memcpy( tmp, prv, 8 );
-                memcpy( prv, buf, 8 );
-                memcpy( buf, tmp, 8 );
-            }
-
-            memcpy( buf, prv, 8 );
-        }
-
-        if( ( v == DES_DECRYPT &&
-                memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
-            ( v != DES_DECRYPT &&
-                memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/dhm.c b/makerom/polarssl/dhm.c
deleted file mode 100644
index 90e5b4b1..00000000
--- a/makerom/polarssl/dhm.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/*
- *  Diffie-Hellman-Merkle key exchange
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  Reference:
- *
- *  http://www.cacr.math.uwaterloo.ca/hac/ (chapter 12)
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_DHM_C)
-
-#include "polarssl/dhm.h"
-
-/*
- * helper to validate the mpi size and import it
- */
-static int dhm_read_bignum( mpi *X,
-                            unsigned char **p,
-                            const unsigned char *end )
-{
-    int ret, n;
-
-    if( end - *p < 2 )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    n = ( (*p)[0] << 8 ) | (*p)[1];
-    (*p) += 2;
-
-    if( (int)( end - *p ) < n )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    if( ( ret = mpi_read_binary( X, *p, n ) ) != 0 )
-        return( POLARSSL_ERR_DHM_READ_PARAMS_FAILED + ret );
-
-    (*p) += n;
-
-    return( 0 );
-}
-
-/*
- * Verify sanity of parameter with regards to P
- *
- * Parameter should be: 2 <= public_param <= P - 2
- *
- * For more information on the attack, see:
- *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
- *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
- */
-static int dhm_check_range( const mpi *param, const mpi *P )
-{
-    mpi L, U;
-    int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
-
-    mpi_init( &L ); mpi_init( &U );
-    mpi_lset( &L, 2 );
-    mpi_sub_int( &U, P, 2 );
-
-    if( mpi_cmp_mpi( param, &L ) >= 0 &&
-        mpi_cmp_mpi( param, &U ) <= 0 )
-    {
-        ret = 0;
-    }
-
-    mpi_free( &L ); mpi_free( &U );
-
-    return( ret );
-}
-
-/*
- * Parse the ServerKeyExchange parameters
- */
-int dhm_read_params( dhm_context *ctx,
-                     unsigned char **p,
-                     const unsigned char *end )
-{
-    int ret;
-
-    memset( ctx, 0, sizeof( dhm_context ) );
-
-    if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
-        ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
-        ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
-        return( ret );
-
-    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
-        return( ret );
-
-    ctx->len = mpi_size( &ctx->P );
-
-    if( end - *p < 2 )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    return( 0 );
-}
-
-/*
- * Setup and write the ServerKeyExchange parameters
- */
-int dhm_make_params( dhm_context *ctx, int x_size,
-                     unsigned char *output, size_t *olen,
-                     int (*f_rng)(void *, unsigned char *, size_t),
-                     void *p_rng )
-{
-    int ret, count = 0;
-    size_t n1, n2, n3;
-    unsigned char *p;
-
-    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    /*
-     * Generate X as large as possible ( < P )
-     */
-    do
-    {
-        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
-
-        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
-            mpi_shift_r( &ctx->X, 1 );
-
-        if( count++ > 10 )
-            return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED );
-    }
-    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
-
-    /*
-     * Calculate GX = G^X mod P
-     */
-    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
-                          &ctx->P , &ctx->RP ) );
-
-    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
-        return( ret );
-
-    /*
-     * export P, G, GX
-     */
-#define DHM_MPI_EXPORT(X,n)                     \
-    MPI_CHK( mpi_write_binary( X, p + 2, n ) ); \
-    *p++ = (unsigned char)( n >> 8 );           \
-    *p++ = (unsigned char)( n      ); p += n;
-
-    n1 = mpi_size( &ctx->P  );
-    n2 = mpi_size( &ctx->G  );
-    n3 = mpi_size( &ctx->GX );
-
-    p = output;
-    DHM_MPI_EXPORT( &ctx->P , n1 );
-    DHM_MPI_EXPORT( &ctx->G , n2 );
-    DHM_MPI_EXPORT( &ctx->GX, n3 );
-
-    *olen  = p - output;
-
-    ctx->len = n1;
-
-cleanup:
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED + ret );
-
-    return( 0 );
-}
-
-/*
- * Import the peer's public value G^Y
- */
-int dhm_read_public( dhm_context *ctx,
-                     const unsigned char *input, size_t ilen )
-{
-    int ret;
-
-    if( ctx == NULL || ilen < 1 || ilen > ctx->len )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    if( ( ret = mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
-        return( POLARSSL_ERR_DHM_READ_PUBLIC_FAILED + ret );
-
-    return( 0 );
-}
-
-/*
- * Create own private value X and export G^X
- */
-int dhm_make_public( dhm_context *ctx, int x_size,
-                     unsigned char *output, size_t olen,
-                     int (*f_rng)(void *, unsigned char *, size_t),
-                     void *p_rng )
-{
-    int ret, count = 0;
-
-    if( ctx == NULL || olen < 1 || olen > ctx->len )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    if( mpi_cmp_int( &ctx->P, 0 ) == 0 )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    /*
-     * generate X and calculate GX = G^X mod P
-     */
-    do
-    {
-        mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
-
-        while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
-            mpi_shift_r( &ctx->X, 1 );
-
-        if( count++ > 10 )
-            return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED );
-    }
-    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
-
-    MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
-                          &ctx->P , &ctx->RP ) );
-
-    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
-        return( ret );
-
-    MPI_CHK( mpi_write_binary( &ctx->GX, output, olen ) );
-
-cleanup:
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
-
-    return( 0 );
-}
-
-/*
- * Derive and export the shared secret (G^Y)^X mod P
- */
-int dhm_calc_secret( dhm_context *ctx,
-                     unsigned char *output, size_t *olen )
-{
-    int ret;
-
-    if( ctx == NULL || *olen < ctx->len )
-        return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
-
-    MPI_CHK( mpi_exp_mod( &ctx->K, &ctx->GY, &ctx->X,
-                          &ctx->P, &ctx->RP ) );
-
-    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
-        return( ret );
-
-    *olen = mpi_size( &ctx->K );
-
-    MPI_CHK( mpi_write_binary( &ctx->K, output, *olen ) );
-
-cleanup:
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_DHM_CALC_SECRET_FAILED + ret );
-
-    return( 0 );
-}
-
-/*
- * Free the components of a DHM key
- */
-void dhm_free( dhm_context *ctx )
-{
-    mpi_free( &ctx->RP ); mpi_free( &ctx->K ); mpi_free( &ctx->GY );
-    mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G );
-    mpi_free( &ctx->P );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-/*
- * Checkup routine
- */
-int dhm_self_test( int verbose )
-{
-    return( verbose++ );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/entropy.c b/makerom/polarssl/entropy.c
deleted file mode 100644
index 96624547..00000000
--- a/makerom/polarssl/entropy.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- *  Entropy accumulator implementation
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_ENTROPY_C)
-
-#include "polarssl/entropy.h"
-#include "polarssl/entropy_poll.h"
-
-#if defined(POLARSSL_HAVEGE_C)
-#include "polarssl/havege.h"
-#endif
-
-#define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
-
-void entropy_init( entropy_context *ctx )
-{
-    memset( ctx, 0, sizeof(entropy_context) );
-
-    sha4_starts( &ctx->accumulator, 0 );
-#if defined(POLARSSL_HAVEGE_C)
-    havege_init( &ctx->havege_data );
-#endif
-
-#if !defined(POLARSSL_NO_DEFAULT_ENTROPY_SOURCES)
-#if !defined(POLARSSL_NO_PLATFORM_ENTROPY)
-    entropy_add_source( ctx, platform_entropy_poll, NULL,
-                        ENTROPY_MIN_PLATFORM );
-#endif
-#if defined(POLARSSL_TIMING_C)
-    entropy_add_source( ctx, hardclock_poll, NULL, ENTROPY_MIN_HARDCLOCK );
-#endif
-#if defined(POLARSSL_HAVEGE_C)
-    entropy_add_source( ctx, havege_poll, &ctx->havege_data,
-                        ENTROPY_MIN_HAVEGE );
-#endif
-#endif /* POLARSSL_NO_DEFAULT_ENTROPY_SOURCES */
-}
-
-int entropy_add_source( entropy_context *ctx,
-                        f_source_ptr f_source, void *p_source,
-                        size_t threshold )
-{
-    int index = ctx->source_count;
-
-    if( index >= ENTROPY_MAX_SOURCES )
-        return( POLARSSL_ERR_ENTROPY_MAX_SOURCES );
-
-    ctx->source[index].f_source = f_source;
-    ctx->source[index].p_source = p_source;
-    ctx->source[index].threshold = threshold;
-
-    ctx->source_count++;
-
-    return( 0 );
-}
-
-/*
- * Entropy accumulator update
- */
-int entropy_update( entropy_context *ctx, unsigned char source_id,
-                    const unsigned char *data, size_t len )
-{
-    unsigned char header[2];
-    unsigned char tmp[ENTROPY_BLOCK_SIZE];
-    size_t use_len = len;
-    const unsigned char *p = data;
-   
-    if( use_len > ENTROPY_BLOCK_SIZE )
-    {
-        sha4( data, len, tmp, 0 );
-
-        p = tmp;
-        use_len = ENTROPY_BLOCK_SIZE;
-    }
-
-    header[0] = source_id;
-    header[1] = use_len & 0xFF;
-
-    sha4_update( &ctx->accumulator, header, 2 );
-    sha4_update( &ctx->accumulator, p, use_len );
-    
-    return( 0 );
-}
-
-int entropy_update_manual( entropy_context *ctx,
-                           const unsigned char *data, size_t len )
-{
-    return entropy_update( ctx, ENTROPY_SOURCE_MANUAL, data, len );
-}
-
-/*
- * Run through the different sources to add entropy to our accumulator
- */
-int entropy_gather( entropy_context *ctx )
-{
-    int ret, i;
-    unsigned char buf[ENTROPY_MAX_GATHER];
-    size_t olen;
-    
-    if( ctx->source_count == 0 )
-        return( POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED );
-
-    /*
-     * Run through our entropy sources
-     */
-    for( i = 0; i < ctx->source_count; i++ )
-    {
-        olen = 0;
-        if ( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
-                        buf, ENTROPY_MAX_GATHER, &olen ) ) != 0 )
-        {
-            return( ret );
-        }
-
-        /*
-         * Add if we actually gathered something
-         */
-        if( olen > 0 )
-        {
-            entropy_update( ctx, (unsigned char) i, buf, olen );
-            ctx->source[i].size += olen;
-        }
-    }
-
-    return( 0 );
-}
-
-int entropy_func( void *data, unsigned char *output, size_t len )
-{
-    int ret, count = 0, i, reached;
-    entropy_context *ctx = (entropy_context *) data;
-    unsigned char buf[ENTROPY_BLOCK_SIZE];
-
-    if( len > ENTROPY_BLOCK_SIZE )
-        return( POLARSSL_ERR_ENTROPY_SOURCE_FAILED );
-
-    /*
-     * Always gather extra entropy before a call
-     */
-    do
-    {
-        if( count++ > ENTROPY_MAX_LOOP )
-            return( POLARSSL_ERR_ENTROPY_SOURCE_FAILED );
-
-        if( ( ret = entropy_gather( ctx ) ) != 0 )
-            return( ret );
-
-        reached = 0;
-
-        for( i = 0; i < ctx->source_count; i++ )
-            if( ctx->source[i].size >= ctx->source[i].threshold )
-                reached++;
-    }
-    while( reached != ctx->source_count );
-
-    memset( buf, 0, ENTROPY_BLOCK_SIZE );
-
-    sha4_finish( &ctx->accumulator, buf );
-                
-    /*
-     * Perform second SHA-512 on entropy
-     */
-    sha4( buf, ENTROPY_BLOCK_SIZE, buf, 0 );
-
-    /*
-     * Reset accumulator and counters and recycle existing entropy
-     */
-    memset( &ctx->accumulator, 0, sizeof( sha4_context ) );
-    sha4_starts( &ctx->accumulator, 0 );
-    sha4_update( &ctx->accumulator, buf, ENTROPY_BLOCK_SIZE );
-
-    for( i = 0; i < ctx->source_count; i++ )
-        ctx->source[i].size = 0;
-
-    memcpy( output, buf, len );
-
-    return( 0 );
-}
-
-#endif
diff --git a/makerom/polarssl/entropy_poll.c b/makerom/polarssl/entropy_poll.c
deleted file mode 100644
index b5d9f787..00000000
--- a/makerom/polarssl/entropy_poll.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- *  Platform-specific and custom entropy polling functions
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_ENTROPY_C)
-
-#include "polarssl/entropy.h"
-#include "polarssl/entropy_poll.h"
-
-#if defined(POLARSSL_TIMING_C)
-#include "polarssl/timing.h"
-#endif
-#if defined(POLARSSL_HAVEGE_C)
-#include "polarssl/havege.h"
-#endif
-
-#if !defined(POLARSSL_NO_PLATFORM_ENTROPY)
-#if defined(_WIN32)
-
-#if !defined(_WIN32_WINNT)
-#define _WIN32_WINNT 0x0400
-#endif
-#include <windows.h>
-#include <wincrypt.h>
-
-int platform_entropy_poll( void *data, unsigned char *output, size_t len,
-                           size_t *olen )
-{
-    HCRYPTPROV provider;
-    ((void) data);
-    *olen = 0;
-
-    if( CryptAcquireContext( &provider, NULL, NULL,
-                              PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) == FALSE )
-    {
-        return POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
-    }
-
-    if( CryptGenRandom( provider, len, output ) == FALSE )
-        return POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
-
-    CryptReleaseContext( provider, 0 );
-    *olen = len;
-
-    return( 0 );
-}
-#else
-
-#include <stdio.h>
-
-int platform_entropy_poll( void *data,
-                           unsigned char *output, size_t len, size_t *olen )
-{
-    FILE *file;
-    size_t ret;
-    ((void) data);
-
-    *olen = 0;
-
-    file = fopen( "/dev/urandom", "rb" );
-    if( file == NULL )
-        return POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
-    
-    ret = fread( output, 1, len, file );
-    if( ret != len )
-    {
-        fclose( file );
-        return POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
-    }
-
-    fclose( file );
-    *olen = len;
-
-    return( 0 );
-}
-#endif
-#endif
-
-#if defined(POLARSSL_TIMING_C)
-int hardclock_poll( void *data,
-                    unsigned char *output, size_t len, size_t *olen )
-{
-    unsigned long timer = hardclock();
-    ((void) data);
-    *olen = 0;
-
-    if( len < sizeof(unsigned long) )
-        return( 0 );
-
-    memcpy( output, &timer, sizeof(unsigned long) );
-    *olen = sizeof(unsigned long);
-
-    return( 0 );
-}
-#endif
-
-#if defined(POLARSSL_HAVEGE_C)
-int havege_poll( void *data,
-                 unsigned char *output, size_t len, size_t *olen )
-{
-    havege_state *hs = (havege_state *) data;
-    *olen = 0;
-
-    if( havege_random( hs, output, len ) != 0 )
-        return POLARSSL_ERR_ENTROPY_SOURCE_FAILED;
-
-    *olen = len;
-
-    return( 0 );
-}
-#endif
-
-#endif /* POLARSSL_ENTROPY_C */
diff --git a/makerom/polarssl/error.c b/makerom/polarssl/error.c
deleted file mode 100644
index 036b834f..00000000
--- a/makerom/polarssl/error.c
+++ /dev/null
@@ -1,612 +0,0 @@
-/*
- *  Error message information
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_ERROR_C)
-
-#include "polarssl/error.h"
-
-#if defined(POLARSSL_AES_C)
-#include "polarssl/aes.h"
-#endif
-
-#if defined(POLARSSL_BASE64_C)
-#include "polarssl/base64.h"
-#endif
-
-#if defined(POLARSSL_BIGNUM_C)
-#include "polarssl/bignum.h"
-#endif
-
-#if defined(POLARSSL_BLOWFISH_C)
-#include "polarssl/blowfish.h"
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-#include "polarssl/camellia.h"
-#endif
-
-#if defined(POLARSSL_CIPHER_C)
-#include "polarssl/cipher.h"
-#endif
-
-#if defined(POLARSSL_CTR_DRBG_C)
-#include "polarssl/ctr_drbg.h"
-#endif
-
-#if defined(POLARSSL_DES_C)
-#include "polarssl/des.h"
-#endif
-
-#if defined(POLARSSL_DHM_C)
-#include "polarssl/dhm.h"
-#endif
-
-#if defined(POLARSSL_ENTROPY_C)
-#include "polarssl/entropy.h"
-#endif
-
-#if defined(POLARSSL_GCM_C)
-#include "polarssl/gcm.h"
-#endif
-
-#if defined(POLARSSL_MD_C)
-#include "polarssl/md.h"
-#endif
-
-#if defined(POLARSSL_MD2_C)
-#include "polarssl/md2.h"
-#endif
-
-#if defined(POLARSSL_MD4_C)
-#include "polarssl/md4.h"
-#endif
-
-#if defined(POLARSSL_MD5_C)
-#include "polarssl/md5.h"
-#endif
-
-#if defined(POLARSSL_NET_C)
-#include "polarssl/net.h"
-#endif
-
-#if defined(POLARSSL_PADLOCK_C)
-#include "polarssl/padlock.h"
-#endif
-
-#if defined(POLARSSL_PBKDF2_C)
-#include "polarssl/pbkdf2.h"
-#endif
-
-#if defined(POLARSSL_PEM_C)
-#include "polarssl/pem.h"
-#endif
-
-#if defined(POLARSSL_PKCS12_C)
-#include "polarssl/pkcs12.h"
-#endif
-
-#if defined(POLARSSL_PKCS5_C)
-#include "polarssl/pkcs5.h"
-#endif
-
-#if defined(POLARSSL_RSA_C)
-#include "polarssl/rsa.h"
-#endif
-
-#if defined(POLARSSL_SHA1_C)
-#include "polarssl/sha1.h"
-#endif
-
-#if defined(POLARSSL_SHA2_C)
-#include "polarssl/sha2.h"
-#endif
-
-#if defined(POLARSSL_SHA4_C)
-#include "polarssl/sha4.h"
-#endif
-
-#if defined(POLARSSL_SSL_TLS_C)
-#include "polarssl/ssl.h"
-#endif
-
-#if defined(POLARSSL_X509_PARSE_C)
-#include "polarssl/x509.h"
-#endif
-
-#if defined(POLARSSL_XTEA_C)
-#include "polarssl/xtea.h"
-#endif
-
-
-#include <string.h>
-
-#if defined _MSC_VER && !defined  snprintf
-#define  snprintf  _snprintf
-#endif
-
-void error_strerror( int ret, char *buf, size_t buflen )
-{
-    size_t len;
-    int use_ret;
-
-    memset( buf, 0x00, buflen );
-     
-    if( ret < 0 )
-        ret = -ret;
-
-    if( ret & 0xFF80 )
-    {
-        use_ret = ret & 0xFF80;
-
-        // High level error codes
-        //
-#if defined(POLARSSL_CIPHER_C)
-        if( use_ret == -(POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE) )
-            snprintf( buf, buflen, "CIPHER - The selected feature is not available" );
-        if( use_ret == -(POLARSSL_ERR_CIPHER_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "CIPHER - Bad input parameters to function" );
-        if( use_ret == -(POLARSSL_ERR_CIPHER_ALLOC_FAILED) )
-            snprintf( buf, buflen, "CIPHER - Failed to allocate memory" );
-        if( use_ret == -(POLARSSL_ERR_CIPHER_INVALID_PADDING) )
-            snprintf( buf, buflen, "CIPHER - Input data contains invalid padding and is rejected" );
-        if( use_ret == -(POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED) )
-            snprintf( buf, buflen, "CIPHER - Decryption of block requires a full block" );
-#endif /* POLARSSL_CIPHER_C */
-
-#if defined(POLARSSL_DHM_C)
-        if( use_ret == -(POLARSSL_ERR_DHM_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "DHM - Bad input parameters to function" );
-        if( use_ret == -(POLARSSL_ERR_DHM_READ_PARAMS_FAILED) )
-            snprintf( buf, buflen, "DHM - Reading of the DHM parameters failed" );
-        if( use_ret == -(POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED) )
-            snprintf( buf, buflen, "DHM - Making of the DHM parameters failed" );
-        if( use_ret == -(POLARSSL_ERR_DHM_READ_PUBLIC_FAILED) )
-            snprintf( buf, buflen, "DHM - Reading of the public values failed" );
-        if( use_ret == -(POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED) )
-            snprintf( buf, buflen, "DHM - Making of the public value failed" );
-        if( use_ret == -(POLARSSL_ERR_DHM_CALC_SECRET_FAILED) )
-            snprintf( buf, buflen, "DHM - Calculation of the DHM secret failed" );
-#endif /* POLARSSL_DHM_C */
-
-#if defined(POLARSSL_MD_C)
-        if( use_ret == -(POLARSSL_ERR_MD_FEATURE_UNAVAILABLE) )
-            snprintf( buf, buflen, "MD - The selected feature is not available" );
-        if( use_ret == -(POLARSSL_ERR_MD_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "MD - Bad input parameters to function" );
-        if( use_ret == -(POLARSSL_ERR_MD_ALLOC_FAILED) )
-            snprintf( buf, buflen, "MD - Failed to allocate memory" );
-        if( use_ret == -(POLARSSL_ERR_MD_FILE_IO_ERROR) )
-            snprintf( buf, buflen, "MD - Opening or reading of file failed" );
-#endif /* POLARSSL_MD_C */
-
-#if defined(POLARSSL_PEM_C)
-        if( use_ret == -(POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT) )
-            snprintf( buf, buflen, "PEM - No PEM header or footer found" );
-        if( use_ret == -(POLARSSL_ERR_PEM_INVALID_DATA) )
-            snprintf( buf, buflen, "PEM - PEM string is not as expected" );
-        if( use_ret == -(POLARSSL_ERR_PEM_MALLOC_FAILED) )
-            snprintf( buf, buflen, "PEM - Failed to allocate memory" );
-        if( use_ret == -(POLARSSL_ERR_PEM_INVALID_ENC_IV) )
-            snprintf( buf, buflen, "PEM - RSA IV is not in hex-format" );
-        if( use_ret == -(POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG) )
-            snprintf( buf, buflen, "PEM - Unsupported key encryption algorithm" );
-        if( use_ret == -(POLARSSL_ERR_PEM_PASSWORD_REQUIRED) )
-            snprintf( buf, buflen, "PEM - Private key password can't be empty" );
-        if( use_ret == -(POLARSSL_ERR_PEM_PASSWORD_MISMATCH) )
-            snprintf( buf, buflen, "PEM - Given private key password does not allow for correct decryption" );
-        if( use_ret == -(POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE) )
-            snprintf( buf, buflen, "PEM - Unavailable feature, e.g. hashing/encryption combination" );
-        if( use_ret == -(POLARSSL_ERR_PEM_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "PEM - Bad input parameters to function" );
-#endif /* POLARSSL_PEM_C */
-
-#if defined(POLARSSL_PKCS12_C)
-        if( use_ret == -(POLARSSL_ERR_PKCS12_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "PKCS12 - Bad input parameters to function" );
-        if( use_ret == -(POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE) )
-            snprintf( buf, buflen, "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
-        if( use_ret == -(POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT) )
-            snprintf( buf, buflen, "PKCS12 - PBE ASN.1 data not as expected" );
-        if( use_ret == -(POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH) )
-            snprintf( buf, buflen, "PKCS12 - Given private key password does not allow for correct decryption" );
-#endif /* POLARSSL_PKCS12_C */
-
-#if defined(POLARSSL_PKCS5_C)
-        if( use_ret == -(POLARSSL_ERR_PKCS5_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "PKCS5 - Bad input parameters to function" );
-        if( use_ret == -(POLARSSL_ERR_PKCS5_INVALID_FORMAT) )
-            snprintf( buf, buflen, "PKCS5 - Unexpected ASN.1 data" );
-        if( use_ret == -(POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE) )
-            snprintf( buf, buflen, "PKCS5 - Requested encryption or digest alg not available" );
-        if( use_ret == -(POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH) )
-            snprintf( buf, buflen, "PKCS5 - Given private key password does not allow for correct decryption" );
-#endif /* POLARSSL_PKCS5_C */
-
-#if defined(POLARSSL_RSA_C)
-        if( use_ret == -(POLARSSL_ERR_RSA_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "RSA - Bad input parameters to function" );
-        if( use_ret == -(POLARSSL_ERR_RSA_INVALID_PADDING) )
-            snprintf( buf, buflen, "RSA - Input data contains invalid padding and is rejected" );
-        if( use_ret == -(POLARSSL_ERR_RSA_KEY_GEN_FAILED) )
-            snprintf( buf, buflen, "RSA - Something failed during generation of a key" );
-        if( use_ret == -(POLARSSL_ERR_RSA_KEY_CHECK_FAILED) )
-            snprintf( buf, buflen, "RSA - Key failed to pass the libraries validity check" );
-        if( use_ret == -(POLARSSL_ERR_RSA_PUBLIC_FAILED) )
-            snprintf( buf, buflen, "RSA - The public key operation failed" );
-        if( use_ret == -(POLARSSL_ERR_RSA_PRIVATE_FAILED) )
-            snprintf( buf, buflen, "RSA - The private key operation failed" );
-        if( use_ret == -(POLARSSL_ERR_RSA_VERIFY_FAILED) )
-            snprintf( buf, buflen, "RSA - The PKCS#1 verification failed" );
-        if( use_ret == -(POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE) )
-            snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" );
-        if( use_ret == -(POLARSSL_ERR_RSA_RNG_FAILED) )
-            snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" );
-#endif /* POLARSSL_RSA_C */
-
-#if defined(POLARSSL_SSL_TLS_C)
-        if( use_ret == -(POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE) )
-            snprintf( buf, buflen, "SSL - The requested feature is not available" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_INPUT_DATA) )
-            snprintf( buf, buflen, "SSL - Bad input parameters to function" );
-        if( use_ret == -(POLARSSL_ERR_SSL_INVALID_MAC) )
-            snprintf( buf, buflen, "SSL - Verification of the message MAC failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_INVALID_RECORD) )
-            snprintf( buf, buflen, "SSL - An invalid SSL record was received" );
-        if( use_ret == -(POLARSSL_ERR_SSL_CONN_EOF) )
-            snprintf( buf, buflen, "SSL - The connection indicated an EOF" );
-        if( use_ret == -(POLARSSL_ERR_SSL_UNKNOWN_CIPHER) )
-            snprintf( buf, buflen, "SSL - An unknown cipher was received" );
-        if( use_ret == -(POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN) )
-            snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
-        if( use_ret == -(POLARSSL_ERR_SSL_NO_SESSION_FOUND) )
-            snprintf( buf, buflen, "SSL - No session to recover was found" );
-        if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) )
-            snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
-        if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) )
-            snprintf( buf, buflen, "SSL - DESCRIPTION MISSING" );
-        if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED) )
-            snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
-        if( use_ret == -(POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED) )
-            snprintf( buf, buflen, "SSL - The own private key is not set, but needed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED) )
-            snprintf( buf, buflen, "SSL - No CA Chain is set, but required to operate" );
-        if( use_ret == -(POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE) )
-            snprintf( buf, buflen, "SSL - An unexpected message was received from our peer" );
-        if( use_ret == -(POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE) )
-        {
-            snprintf( buf, buflen, "SSL - A fatal alert message was received from our peer" );
-            return;
-        }
-        if( use_ret == -(POLARSSL_ERR_SSL_PEER_VERIFY_FAILED) )
-            snprintf( buf, buflen, "SSL - Verification of our peer failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) )
-            snprintf( buf, buflen, "SSL - The peer notified us that the connection is going to be closed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO) )
-            snprintf( buf, buflen, "SSL - Processing of the ClientHello handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO) )
-            snprintf( buf, buflen, "SSL - Processing of the ServerHello handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE) )
-            snprintf( buf, buflen, "SSL - Processing of the Certificate handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST) )
-            snprintf( buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE) )
-            snprintf( buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE) )
-            snprintf( buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE) )
-            snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP) )
-            snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM Read Public" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS) )
-            snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM Calculate Secret" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY) )
-            snprintf( buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC) )
-            snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_FINISHED) )
-            snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_MALLOC_FAILED) )
-            snprintf( buf, buflen, "SSL - Memory allocation failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_HW_ACCEL_FAILED) )
-            snprintf( buf, buflen, "SSL - Hardware acceleration function returned with error" );
-        if( use_ret == -(POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH) )
-            snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
-        if( use_ret == -(POLARSSL_ERR_SSL_COMPRESSION_FAILED) )
-            snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
-        if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
-            snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
-#endif /* POLARSSL_SSL_TLS_C */
-
-#if defined(POLARSSL_X509_PARSE_C)
-        if( use_ret == -(POLARSSL_ERR_X509_FEATURE_UNAVAILABLE) )
-            snprintf( buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_PEM) )
-            snprintf( buf, buflen, "X509 - The PEM-encoded certificate contains invalid elements, e.g. invalid character" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_FORMAT) )
-            snprintf( buf, buflen, "X509 - The certificate format is invalid, e.g. different type expected" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_VERSION) )
-            snprintf( buf, buflen, "X509 - The certificate version element is invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_SERIAL) )
-            snprintf( buf, buflen, "X509 - The serial tag or value is invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_ALG) )
-            snprintf( buf, buflen, "X509 - The algorithm tag or value is invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_NAME) )
-            snprintf( buf, buflen, "X509 - The name tag or value is invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_DATE) )
-            snprintf( buf, buflen, "X509 - The date tag or value is invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_PUBKEY) )
-            snprintf( buf, buflen, "X509 - The pubkey tag or value is invalid (only RSA is supported)" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE) )
-            snprintf( buf, buflen, "X509 - The signature tag or value invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS) )
-            snprintf( buf, buflen, "X509 - The extension tag or value is invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION) )
-            snprintf( buf, buflen, "X509 - Certificate or CRL has an unsupported version number" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG) )
-            snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
-        if( use_ret == -(POLARSSL_ERR_X509_UNKNOWN_PK_ALG) )
-            snprintf( buf, buflen, "X509 - Key algorithm is unsupported (only RSA is supported)" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_SIG_MISMATCH) )
-            snprintf( buf, buflen, "X509 - Certificate signature algorithms do not match. (see \\c ::x509_cert sig_oid)" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_VERIFY_FAILED) )
-            snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
-        if( use_ret == -(POLARSSL_ERR_X509_KEY_INVALID_VERSION) )
-            snprintf( buf, buflen, "X509 - Unsupported RSA key version" );
-        if( use_ret == -(POLARSSL_ERR_X509_KEY_INVALID_FORMAT) )
-            snprintf( buf, buflen, "X509 - Invalid RSA key tag or value" );
-        if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) )
-            snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
-        if( use_ret == -(POLARSSL_ERR_X509_INVALID_INPUT) )
-            snprintf( buf, buflen, "X509 - Input invalid" );
-        if( use_ret == -(POLARSSL_ERR_X509_MALLOC_FAILED) )
-            snprintf( buf, buflen, "X509 - Allocation of memory failed" );
-        if( use_ret == -(POLARSSL_ERR_X509_FILE_IO_ERROR) )
-            snprintf( buf, buflen, "X509 - Read/write of file failed" );
-        if( use_ret == -(POLARSSL_ERR_X509_PASSWORD_REQUIRED) )
-            snprintf( buf, buflen, "X509 - Private key password can't be empty" );
-        if( use_ret == -(POLARSSL_ERR_X509_PASSWORD_MISMATCH) )
-            snprintf( buf, buflen, "X509 - Given private key password does not allow for correct decryption" );
-#endif /* POLARSSL_X509_PARSE_C */
-
-        if( strlen( buf ) == 0 )
-            snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
-    }
-
-    use_ret = ret & ~0xFF80;
-
-    if( use_ret == 0 )
-        return;
-
-    // If high level code is present, make a concatenation between both
-    // error strings.
-    //
-    len = strlen( buf );
-
-    if( len > 0 )
-    {
-        if( buflen - len < 5 )
-            return;
-
-        snprintf( buf + len, buflen - len, " : " );
-
-        buf += len + 3;
-        buflen -= len + 3;
-    }
-
-    // Low level error codes
-    //
-#if defined(POLARSSL_AES_C)
-    if( use_ret == -(POLARSSL_ERR_AES_INVALID_KEY_LENGTH) )
-        snprintf( buf, buflen, "AES - Invalid key length" );
-    if( use_ret == -(POLARSSL_ERR_AES_INVALID_INPUT_LENGTH) )
-        snprintf( buf, buflen, "AES - Invalid data input length" );
-#endif /* POLARSSL_AES_C */
-
-#if defined(POLARSSL_ASN1_PARSE_C)
-    if( use_ret == -(POLARSSL_ERR_ASN1_OUT_OF_DATA) )
-        snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
-    if( use_ret == -(POLARSSL_ERR_ASN1_UNEXPECTED_TAG) )
-        snprintf( buf, buflen, "ASN1 - ASN1 tag was of an unexpected value" );
-    if( use_ret == -(POLARSSL_ERR_ASN1_INVALID_LENGTH) )
-        snprintf( buf, buflen, "ASN1 - Error when trying to determine the length or invalid length" );
-    if( use_ret == -(POLARSSL_ERR_ASN1_LENGTH_MISMATCH) )
-        snprintf( buf, buflen, "ASN1 - Actual length differs from expected length" );
-    if( use_ret == -(POLARSSL_ERR_ASN1_INVALID_DATA) )
-        snprintf( buf, buflen, "ASN1 - Data is invalid. (not used)" );
-    if( use_ret == -(POLARSSL_ERR_ASN1_MALLOC_FAILED) )
-        snprintf( buf, buflen, "ASN1 - Memory allocation failed" );
-    if( use_ret == -(POLARSSL_ERR_ASN1_BUF_TOO_SMALL) )
-        snprintf( buf, buflen, "ASN1 - Buffer too small when writing ASN.1 data structure" );
-#endif /* POLARSSL_ASN1_PARSE_C */
-
-#if defined(POLARSSL_BASE64_C)
-    if( use_ret == -(POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL) )
-        snprintf( buf, buflen, "BASE64 - Output buffer too small" );
-    if( use_ret == -(POLARSSL_ERR_BASE64_INVALID_CHARACTER) )
-        snprintf( buf, buflen, "BASE64 - Invalid character in input" );
-#endif /* POLARSSL_BASE64_C */
-
-#if defined(POLARSSL_BIGNUM_C)
-    if( use_ret == -(POLARSSL_ERR_MPI_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "BIGNUM - An error occurred while reading from or writing to a file" );
-    if( use_ret == -(POLARSSL_ERR_MPI_BAD_INPUT_DATA) )
-        snprintf( buf, buflen, "BIGNUM - Bad input parameters to function" );
-    if( use_ret == -(POLARSSL_ERR_MPI_INVALID_CHARACTER) )
-        snprintf( buf, buflen, "BIGNUM - There is an invalid character in the digit string" );
-    if( use_ret == -(POLARSSL_ERR_MPI_BUFFER_TOO_SMALL) )
-        snprintf( buf, buflen, "BIGNUM - The buffer is too small to write to" );
-    if( use_ret == -(POLARSSL_ERR_MPI_NEGATIVE_VALUE) )
-        snprintf( buf, buflen, "BIGNUM - The input arguments are negative or result in illegal output" );
-    if( use_ret == -(POLARSSL_ERR_MPI_DIVISION_BY_ZERO) )
-        snprintf( buf, buflen, "BIGNUM - The input argument for division is zero, which is not allowed" );
-    if( use_ret == -(POLARSSL_ERR_MPI_NOT_ACCEPTABLE) )
-        snprintf( buf, buflen, "BIGNUM - The input arguments are not acceptable" );
-    if( use_ret == -(POLARSSL_ERR_MPI_MALLOC_FAILED) )
-        snprintf( buf, buflen, "BIGNUM - Memory allocation failed" );
-#endif /* POLARSSL_BIGNUM_C */
-
-#if defined(POLARSSL_BLOWFISH_C)
-    if( use_ret == -(POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH) )
-        snprintf( buf, buflen, "BLOWFISH - Invalid key length" );
-    if( use_ret == -(POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH) )
-        snprintf( buf, buflen, "BLOWFISH - Invalid data input length" );
-#endif /* POLARSSL_BLOWFISH_C */
-
-#if defined(POLARSSL_CAMELLIA_C)
-    if( use_ret == -(POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH) )
-        snprintf( buf, buflen, "CAMELLIA - Invalid key length" );
-    if( use_ret == -(POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH) )
-        snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
-#endif /* POLARSSL_CAMELLIA_C */
-
-#if defined(POLARSSL_CTR_DRBG_C)
-    if( use_ret == -(POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) )
-        snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" );
-    if( use_ret == -(POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG) )
-        snprintf( buf, buflen, "CTR_DRBG - Too many random requested in single call" );
-    if( use_ret == -(POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG) )
-        snprintf( buf, buflen, "CTR_DRBG - Input too large (Entropy + additional)" );
-    if( use_ret == -(POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "CTR_DRBG - Read/write error in file" );
-#endif /* POLARSSL_CTR_DRBG_C */
-
-#if defined(POLARSSL_DES_C)
-    if( use_ret == -(POLARSSL_ERR_DES_INVALID_INPUT_LENGTH) )
-        snprintf( buf, buflen, "DES - The data input has an invalid length" );
-#endif /* POLARSSL_DES_C */
-
-#if defined(POLARSSL_ENTROPY_C)
-    if( use_ret == -(POLARSSL_ERR_ENTROPY_SOURCE_FAILED) )
-        snprintf( buf, buflen, "ENTROPY - Critical entropy source failure" );
-    if( use_ret == -(POLARSSL_ERR_ENTROPY_MAX_SOURCES) )
-        snprintf( buf, buflen, "ENTROPY - No more sources can be added" );
-    if( use_ret == -(POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED) )
-        snprintf( buf, buflen, "ENTROPY - No sources have been added to poll" );
-#endif /* POLARSSL_ENTROPY_C */
-
-#if defined(POLARSSL_GCM_C)
-    if( use_ret == -(POLARSSL_ERR_GCM_AUTH_FAILED) )
-        snprintf( buf, buflen, "GCM - Authenticated decryption failed" );
-    if( use_ret == -(POLARSSL_ERR_GCM_BAD_INPUT) )
-        snprintf( buf, buflen, "GCM - Bad input parameters to function" );
-#endif /* POLARSSL_GCM_C */
-
-#if defined(POLARSSL_MD2_C)
-    if( use_ret == -(POLARSSL_ERR_MD2_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "MD2 - Read/write error in file" );
-#endif /* POLARSSL_MD2_C */
-
-#if defined(POLARSSL_MD4_C)
-    if( use_ret == -(POLARSSL_ERR_MD4_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "MD4 - Read/write error in file" );
-#endif /* POLARSSL_MD4_C */
-
-#if defined(POLARSSL_MD5_C)
-    if( use_ret == -(POLARSSL_ERR_MD5_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "MD5 - Read/write error in file" );
-#endif /* POLARSSL_MD5_C */
-
-#if defined(POLARSSL_NET_C)
-    if( use_ret == -(POLARSSL_ERR_NET_UNKNOWN_HOST) )
-        snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
-    if( use_ret == -(POLARSSL_ERR_NET_SOCKET_FAILED) )
-        snprintf( buf, buflen, "NET - Failed to open a socket" );
-    if( use_ret == -(POLARSSL_ERR_NET_CONNECT_FAILED) )
-        snprintf( buf, buflen, "NET - The connection to the given server / port failed" );
-    if( use_ret == -(POLARSSL_ERR_NET_BIND_FAILED) )
-        snprintf( buf, buflen, "NET - Binding of the socket failed" );
-    if( use_ret == -(POLARSSL_ERR_NET_LISTEN_FAILED) )
-        snprintf( buf, buflen, "NET - Could not listen on the socket" );
-    if( use_ret == -(POLARSSL_ERR_NET_ACCEPT_FAILED) )
-        snprintf( buf, buflen, "NET - Could not accept the incoming connection" );
-    if( use_ret == -(POLARSSL_ERR_NET_RECV_FAILED) )
-        snprintf( buf, buflen, "NET - Reading information from the socket failed" );
-    if( use_ret == -(POLARSSL_ERR_NET_SEND_FAILED) )
-        snprintf( buf, buflen, "NET - Sending information through the socket failed" );
-    if( use_ret == -(POLARSSL_ERR_NET_CONN_RESET) )
-        snprintf( buf, buflen, "NET - Connection was reset by peer" );
-    if( use_ret == -(POLARSSL_ERR_NET_WANT_READ) )
-        snprintf( buf, buflen, "NET - Connection requires a read call" );
-    if( use_ret == -(POLARSSL_ERR_NET_WANT_WRITE) )
-        snprintf( buf, buflen, "NET - Connection requires a write call" );
-#endif /* POLARSSL_NET_C */
-
-#if defined(POLARSSL_PADLOCK_C)
-    if( use_ret == -(POLARSSL_ERR_PADLOCK_DATA_MISALIGNED) )
-        snprintf( buf, buflen, "PADLOCK - Input data should be aligned" );
-#endif /* POLARSSL_PADLOCK_C */
-
-#if defined(POLARSSL_PBKDF2_C)
-    if( use_ret == -(POLARSSL_ERR_PBKDF2_BAD_INPUT_DATA) )
-        snprintf( buf, buflen, "PBKDF2 - Bad input parameters to function" );
-#endif /* POLARSSL_PBKDF2_C */
-
-#if defined(POLARSSL_SHA1_C)
-    if( use_ret == -(POLARSSL_ERR_SHA1_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "SHA1 - Read/write error in file" );
-#endif /* POLARSSL_SHA1_C */
-
-#if defined(POLARSSL_SHA2_C)
-    if( use_ret == -(POLARSSL_ERR_SHA2_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "SHA2 - Read/write error in file" );
-#endif /* POLARSSL_SHA2_C */
-
-#if defined(POLARSSL_SHA4_C)
-    if( use_ret == -(POLARSSL_ERR_SHA4_FILE_IO_ERROR) )
-        snprintf( buf, buflen, "SHA4 - Read/write error in file" );
-#endif /* POLARSSL_SHA4_C */
-
-#if defined(POLARSSL_XTEA_C)
-    if( use_ret == -(POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH) )
-        snprintf( buf, buflen, "XTEA - The data input has an invalid length" );
-#endif /* POLARSSL_XTEA_C */
-
-    if( strlen( buf ) != 0 )
-        return;
-
-    snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
-}
-
-#else /* POLARSSL_ERROR_C */
-
-#if defined(POLARSSL_ERROR_STRERROR_DUMMY)
-
-#include <string.h>
-
-/*
- * Provide an non-function in case POLARSSL_ERROR_C is not defined
- */
-void error_strerror( int ret, char *buf, size_t buflen )
-{
-    ((void) ret);
-
-    if( buflen > 0 )
-        buf[0] = '\0';
-}
-
-#endif /* POLARSSL_ERROR_STRERROR_DUMMY */
-#endif /* POLARSSL_ERROR_C */
diff --git a/makerom/polarssl/gcm.c b/makerom/polarssl/gcm.c
deleted file mode 100644
index 60dc0cd0..00000000
--- a/makerom/polarssl/gcm.c
+++ /dev/null
@@ -1,621 +0,0 @@
-/*
- *  NIST SP800-38D compliant GCM implementation
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
- */
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_GCM_C)
-
-#include "polarssl/gcm.h"
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 3]       );            \
-}
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-static void gcm_gen_table( gcm_context *ctx )
-{
-    int i, j;
-    uint64_t hi, lo;
-    uint64_t vl, vh;
-    unsigned char h[16];
-    
-    memset( h, 0, 16 );
-    aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, h, h );
-
-    ctx->HH[0] = 0;
-    ctx->HL[0] = 0;
-
-    GET_UINT32_BE( hi, h,  0  );
-    GET_UINT32_BE( lo, h,  4  );
-    vh = (uint64_t) hi << 32 | lo;
-
-    GET_UINT32_BE( hi, h,  8  );
-    GET_UINT32_BE( lo, h,  12 );
-    vl = (uint64_t) hi << 32 | lo;
-    
-    ctx->HL[8] = vl;
-    ctx->HH[8] = vh;
-
-    for( i = 4; i > 0; i >>= 1 )
-    {
-        uint32_t T = ( vl & 1 ) * 0xe1000000U;
-        vl  = ( vh << 63 ) | ( vl >> 1 );
-        vh  = ( vh >> 1 ) ^ ( (uint64_t) T << 32);
-
-        ctx->HL[i] = vl;
-        ctx->HH[i] = vh;
-    }
-
-    for (i = 2; i < 16; i <<= 1 )
-    {
-        uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
-        vh = *HiH;
-        vl = *HiL;
-        for( j = 1; j < i; j++ )
-        {
-            HiH[j] = vh ^ ctx->HH[j];
-            HiL[j] = vl ^ ctx->HL[j];
-        }
-    }
-    
-}
-
-int gcm_init( gcm_context *ctx, const unsigned char *key, unsigned int keysize )
-{
-    int ret;
-
-    memset( ctx, 0, sizeof(gcm_context) );
-
-    if( ( ret = aes_setkey_enc( &ctx->aes_ctx, key, keysize ) ) != 0 )
-        return( ret );
-
-    gcm_gen_table( ctx );
-
-    return( 0 );
-}
-
-static const uint64_t last4[16] =
-{
-    0x0000, 0x1c20, 0x3840, 0x2460,
-    0x7080, 0x6ca0, 0x48c0, 0x54e0,
-    0xe100, 0xfd20, 0xd940, 0xc560,
-    0x9180, 0x8da0, 0xa9c0, 0xb5e0
-};
-
-void gcm_mult( gcm_context *ctx, const unsigned char x[16], unsigned char output[16] )
-{
-    int i = 0;
-    unsigned char z[16];
-    unsigned char lo, hi, rem;
-    uint64_t zh, zl;
-
-    memset( z, 0x00, 16 );
-
-    lo = x[15] & 0xf;
-    hi = x[15] >> 4;
-
-    zh = ctx->HH[lo];
-    zl = ctx->HL[lo];
-
-    for( i = 15; i >= 0; i-- )
-    {
-        lo = x[i] & 0xf;
-        hi = x[i] >> 4;
-
-        if( i != 15 )
-        {
-            rem = (unsigned char) zl & 0xf;
-            zl = ( zh << 60 ) | ( zl >> 4 );
-            zh = ( zh >> 4 );
-            zh ^= (uint64_t) last4[rem] << 48;
-            zh ^= ctx->HH[lo];
-            zl ^= ctx->HL[lo];
-
-        }
-
-        rem = (unsigned char) zl & 0xf;
-        zl = ( zh << 60 ) | ( zl >> 4 );
-        zh = ( zh >> 4 );
-        zh ^= (uint64_t) last4[rem] << 48;
-        zh ^= ctx->HH[hi];
-        zl ^= ctx->HL[hi];
-    }
-
-    PUT_UINT32_BE( zh >> 32, output, 0 );
-    PUT_UINT32_BE( zh, output, 4 );
-    PUT_UINT32_BE( zl >> 32, output, 8 );
-    PUT_UINT32_BE( zl, output, 12 );
-}
-
-int gcm_crypt_and_tag( gcm_context *ctx,
-                       int mode,
-                       size_t length,
-                       const unsigned char *iv,
-                       size_t iv_len,
-                       const unsigned char *add,
-                       size_t add_len,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       size_t tag_len,
-                       unsigned char *tag )
-{
-    unsigned char y[16];
-    unsigned char ectr[16];
-    unsigned char buf[16];
-    unsigned char work_buf[16];
-    size_t i;
-    const unsigned char *p;
-    unsigned char *out_p = output;
-    size_t use_len;
-    uint64_t orig_len = length * 8;
-    uint64_t orig_add_len = add_len * 8;
-
-    memset( y, 0x00, 16 );
-    memset( work_buf, 0x00, 16 );
-    memset( tag, 0x00, tag_len );
-    memset( buf, 0x00, 16 );
-
-    if( ( mode == GCM_DECRYPT && output <= input && ( input - output ) < 8 ) ||
-        ( output > input && (size_t) ( output - input ) < length ) )
-    {
-        return( POLARSSL_ERR_GCM_BAD_INPUT );
-    }
-
-    if( iv_len == 12 )
-    {
-        memcpy( y, iv, iv_len );
-        y[15] = 1;
-    }
-    else
-    {
-        memset( work_buf, 0x00, 16 );
-        PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
-
-        p = iv;
-        while( iv_len > 0 )
-        {
-            use_len = ( iv_len < 16 ) ? iv_len : 16;
-
-            for( i = 0; i < use_len; i++ )
-                y[i] ^= p[i];
-        
-            gcm_mult( ctx, y, y );
-
-            iv_len -= use_len;
-            p += use_len;
-        }
-
-        for( i = 0; i < 16; i++ )
-            y[i] ^= work_buf[i];
-
-        gcm_mult( ctx, y, y );
-    }
-
-    aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, y, ectr );
-    memcpy( tag, ectr, tag_len );
-
-    p = add;
-    while( add_len > 0 )
-    {
-        use_len = ( add_len < 16 ) ? add_len : 16;
-
-        for( i = 0; i < use_len; i++ )
-            buf[i] ^= p[i];
-        
-        gcm_mult( ctx, buf, buf );
-
-        add_len -= use_len;
-        p += use_len;
-    }
-
-    p = input;
-    while( length > 0 )
-    {
-        use_len = ( length < 16 ) ? length : 16;
-
-        for( i = 16; i > 12; i-- )
-            if( ++y[i - 1] != 0 )
-                break;
-
-        aes_crypt_ecb( &ctx->aes_ctx, AES_ENCRYPT, y, ectr );
-
-        for( i = 0; i < use_len; i++ )
-        {
-            out_p[i] = ectr[i] ^ p[i];
-            if( mode == GCM_ENCRYPT )
-                buf[i] ^= out_p[i];
-            else
-                buf[i] ^= p[i];
-        }
-        
-        gcm_mult( ctx, buf, buf );
-        
-        length -= use_len;
-        p += use_len;
-        out_p += use_len;
-    }
-
-    if( orig_len || orig_add_len )
-    {
-        memset( work_buf, 0x00, 16 );
-
-        PUT_UINT32_BE( ( orig_add_len >> 32 ), work_buf, 0  );
-        PUT_UINT32_BE( ( orig_add_len       ), work_buf, 4  );
-        PUT_UINT32_BE( ( orig_len     >> 32 ), work_buf, 8  );
-        PUT_UINT32_BE( ( orig_len           ), work_buf, 12 );
-
-        for( i = 0; i < 16; i++ )
-            buf[i] ^= work_buf[i];
-
-        gcm_mult( ctx, buf, buf );
-
-        for( i = 0; i < tag_len; i++ )
-            tag[i] ^= buf[i];
-    }
-
-    return( 0 );
-}
-
-int gcm_auth_decrypt( gcm_context *ctx,
-                      size_t length,
-                      const unsigned char *iv,
-                      size_t iv_len,
-                      const unsigned char *add,
-                      size_t add_len,
-                      const unsigned char *tag, 
-                      size_t tag_len,
-                      const unsigned char *input,
-                      unsigned char *output )
-{
-    unsigned char check_tag[16];
-
-    gcm_crypt_and_tag( ctx, GCM_DECRYPT, length, iv, iv_len, add, add_len, input, output, tag_len, check_tag );
-
-    if( memcmp( check_tag, tag, tag_len ) == 0 )
-        return( 0 );
-
-    memset( output, 0, length );
-
-    return( POLARSSL_ERR_GCM_AUTH_FAILED );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-/*
- * GCM test vectors from:
- *
- * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
- */
-#define MAX_TESTS   6
-
-int key_index[MAX_TESTS] =
-    { 0, 0, 1, 1, 1, 1 };
-
-unsigned char key[MAX_TESTS][32] =
-{
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-    { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
-      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
-      0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
-      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },  
-};
-
-size_t iv_len[MAX_TESTS] =
-    { 12, 12, 12, 12, 8, 60 };
-
-int iv_index[MAX_TESTS] =
-    { 0, 0, 1, 1, 1, 2 };
-
-unsigned char iv[MAX_TESTS][64] =
-{
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00 },
-    { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
-      0xde, 0xca, 0xf8, 0x88 },
-    { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
-      0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa, 
-      0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
-      0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28, 
-      0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
-      0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54, 
-      0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
-      0xa6, 0x37, 0xb3, 0x9b }, 
-};
-
-size_t add_len[MAX_TESTS] =
-    { 0, 0, 0, 20, 20, 20 };
-
-int add_index[MAX_TESTS] =
-    { 0, 0, 0, 1, 1, 1 };
-
-unsigned char additional[MAX_TESTS][64] =
-{
-    { 0x00 },
-    { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
-      0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef, 
-      0xab, 0xad, 0xda, 0xd2 },
-};
-
-size_t pt_len[MAX_TESTS] =
-    { 0, 16, 64, 60, 60, 60 };
-
-int pt_index[MAX_TESTS] =
-    { 0, 0, 1, 1, 1, 1 };
-
-unsigned char pt[MAX_TESTS][64] =
-{
-    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-    { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
-      0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
-      0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
-      0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
-      0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
-      0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
-      0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
-      0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
-};
-
-unsigned char ct[MAX_TESTS * 3][64] =
-{
-    { 0x00 },
-    { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
-      0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
-    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
-      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 
-      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
-      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 
-      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
-      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 
-      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
-      0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
-    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
-      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 
-      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
-      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 
-      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
-      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 
-      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
-      0x3d, 0x58, 0xe0, 0x91 },
-    { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
-      0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55, 
-      0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
-      0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23, 
-      0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
-      0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42, 
-      0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
-      0xc2, 0x3f, 0x45, 0x98 },
-    { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
-      0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94, 
-      0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
-      0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7, 
-      0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
-      0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f, 
-      0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
-      0x4c, 0x34, 0xae, 0xe5 },
-    { 0x00 },
-    { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
-      0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 }, 
-    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
-      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57, 
-      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
-      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c, 
-      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
-      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47, 
-      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
-      0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
-    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
-      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57, 
-      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
-      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c, 
-      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25, 
-      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47, 
-      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
-      0xcc, 0xda, 0x27, 0x10 }, 
-    { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
-      0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8, 
-      0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
-      0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57, 
-      0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
-      0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9, 
-      0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
-      0xa0, 0xf0, 0x62, 0xf7 }, 
-    { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
-      0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff, 
-      0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
-      0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45, 
-      0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
-      0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3, 
-      0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
-      0xe9, 0xb7, 0x37, 0x3b }, 
-    { 0x00 },
-    { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e, 
-      0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 }, 
-    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 
-      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d, 
-      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9, 
-      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, 
-      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d, 
-      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38, 
-      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, 
-      0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad }, 
-    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 
-      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,  
-      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9, 
-      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa, 
-      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d, 
-      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38, 
-      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a, 
-      0xbc, 0xc9, 0xf6, 0x62 }, 
-    { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
-      0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb, 
-      0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
-      0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0, 
-      0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
-      0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78, 
-      0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
-      0xf4, 0x7c, 0x9b, 0x1f }, 
-    { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
-      0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20, 
-      0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
-      0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4, 
-      0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
-      0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde, 
-      0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
-      0x44, 0xae, 0x7e, 0x3f }, 
-};
-
-unsigned char tag[MAX_TESTS * 3][16] =
-{
-    { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
-      0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
-    { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
-      0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
-    { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
-      0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 }, 
-    { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
-      0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
-    { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
-      0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
-    { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
-      0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
-    { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
-      0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
-    { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
-      0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb }, 
-    { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
-      0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
-    { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
-      0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c }, 
-    { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
-      0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 }, 
-    { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
-      0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 }, 
-    { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
-      0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b }, 
-    { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
-      0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 }, 
-    { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
-      0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c }, 
-    { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
-      0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b }, 
-    { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
-      0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 }, 
-    { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
-      0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a }, 
-};
-
-int gcm_self_test( int verbose )
-{
-    gcm_context ctx;
-    unsigned char buf[64];
-    unsigned char tag_buf[16];
-    int i, j, ret;
-
-    for( j = 0; j < 3; j++ )
-    {
-        int key_len = 128 + 64 * j;
-
-        for( i = 0; i < MAX_TESTS; i++ )
-        {
-            printf( "  AES-GCM-%3d #%d (%s): ", key_len, i, "enc" );
-            gcm_init( &ctx, key[key_index[i]], key_len );
-
-            ret = gcm_crypt_and_tag( &ctx, GCM_ENCRYPT,
-                                     pt_len[i],
-                                     iv[iv_index[i]], iv_len[i],
-                                     additional[add_index[i]], add_len[i],
-                                     pt[pt_index[i]], buf, 16, tag_buf );
-
-            if( ret != 0 ||
-                memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
-                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-
-            if( verbose != 0 )
-                printf( "passed\n" );
-
-            printf( "  AES-GCM-%3d #%d (%s): ", key_len, i, "dec" );
-            gcm_init( &ctx, key[key_index[i]], key_len );
-
-            ret = gcm_crypt_and_tag( &ctx, GCM_DECRYPT,
-                                     pt_len[i],
-                                     iv[iv_index[i]], iv_len[i],
-                                     additional[add_index[i]], add_len[i],
-                                     ct[j * 6 + i], buf, 16, tag_buf );
-
-            if( ret != 0 ||
-                memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
-                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-
-            if( verbose != 0 )
-                printf( "passed\n" );
-        }
-    }
-    
-    printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/havege.c b/makerom/polarssl/havege.c
deleted file mode 100644
index ff302c57..00000000
--- a/makerom/polarssl/havege.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- *  \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The HAVEGE RNG was designed by Andre Seznec in 2002.
- *
- *  http://www.irisa.fr/caps/projects/hipsor/publi.php
- *
- *  Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_HAVEGE_C)
-
-#include "polarssl/havege.h"
-#include "polarssl/timing.h"
-
-#include <string.h>
-#include <time.h>
-
-/* ------------------------------------------------------------------------
- * On average, one iteration accesses two 8-word blocks in the havege WALK
- * table, and generates 16 words in the RES array.
- *
- * The data read in the WALK table is updated and permuted after each use.
- * The result of the hardware clock counter read is used  for this update.
- *
- * 25 conditional tests are present.  The conditional tests are grouped in
- * two nested  groups of 12 conditional tests and 1 test that controls the
- * permutation; on average, there should be 6 tests executed and 3 of them
- * should be mispredicted.
- * ------------------------------------------------------------------------
- */
-
-#define SWAP(X,Y) { int *T = X; X = Y; Y = T; }
-
-#define TST1_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
-#define TST2_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
-
-#define TST1_LEAVE U1++; }
-#define TST2_LEAVE U2++; }
-
-#define ONE_ITERATION                                   \
-                                                        \
-    PTEST = PT1 >> 20;                                  \
-                                                        \
-    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
-    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
-    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
-                                                        \
-    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
-    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
-    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
-                                                        \
-    PTX = (PT1 >> 18) & 7;                              \
-    PT1 &= 0x1FFF;                                      \
-    PT2 &= 0x1FFF;                                      \
-    CLK = (int) hardclock();                            \
-                                                        \
-    i = 0;                                              \
-    A = &WALK[PT1    ]; RES[i++] ^= *A;                 \
-    B = &WALK[PT2    ]; RES[i++] ^= *B;                 \
-    C = &WALK[PT1 ^ 1]; RES[i++] ^= *C;                 \
-    D = &WALK[PT2 ^ 4]; RES[i++] ^= *D;                 \
-                                                        \
-    IN = (*A >> (1)) ^ (*A << (31)) ^ CLK;              \
-    *A = (*B >> (2)) ^ (*B << (30)) ^ CLK;              \
-    *B = IN ^ U1;                                       \
-    *C = (*C >> (3)) ^ (*C << (29)) ^ CLK;              \
-    *D = (*D >> (4)) ^ (*D << (28)) ^ CLK;              \
-                                                        \
-    A = &WALK[PT1 ^ 2]; RES[i++] ^= *A;                 \
-    B = &WALK[PT2 ^ 2]; RES[i++] ^= *B;                 \
-    C = &WALK[PT1 ^ 3]; RES[i++] ^= *C;                 \
-    D = &WALK[PT2 ^ 6]; RES[i++] ^= *D;                 \
-                                                        \
-    if( PTEST & 1 ) SWAP( A, C );                       \
-                                                        \
-    IN = (*A >> (5)) ^ (*A << (27)) ^ CLK;              \
-    *A = (*B >> (6)) ^ (*B << (26)) ^ CLK;              \
-    *B = IN; CLK = (int) hardclock();                   \
-    *C = (*C >> (7)) ^ (*C << (25)) ^ CLK;              \
-    *D = (*D >> (8)) ^ (*D << (24)) ^ CLK;              \
-                                                        \
-    A = &WALK[PT1 ^ 4];                                 \
-    B = &WALK[PT2 ^ 1];                                 \
-                                                        \
-    PTEST = PT2 >> 1;                                   \
-                                                        \
-    PT2 = (RES[(i - 8) ^ PTY] ^ WALK[PT2 ^ PTY ^ 7]);   \
-    PT2 = ((PT2 & 0x1FFF) & (~8)) ^ ((PT1 ^ 8) & 0x8);  \
-    PTY = (PT2 >> 10) & 7;                              \
-                                                        \
-    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
-    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
-    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
-                                                        \
-    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
-    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
-    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
-                                                        \
-    C = &WALK[PT1 ^ 5];                                 \
-    D = &WALK[PT2 ^ 5];                                 \
-                                                        \
-    RES[i++] ^= *A;                                     \
-    RES[i++] ^= *B;                                     \
-    RES[i++] ^= *C;                                     \
-    RES[i++] ^= *D;                                     \
-                                                        \
-    IN = (*A >> ( 9)) ^ (*A << (23)) ^ CLK;             \
-    *A = (*B >> (10)) ^ (*B << (22)) ^ CLK;             \
-    *B = IN ^ U2;                                       \
-    *C = (*C >> (11)) ^ (*C << (21)) ^ CLK;             \
-    *D = (*D >> (12)) ^ (*D << (20)) ^ CLK;             \
-                                                        \
-    A = &WALK[PT1 ^ 6]; RES[i++] ^= *A;                 \
-    B = &WALK[PT2 ^ 3]; RES[i++] ^= *B;                 \
-    C = &WALK[PT1 ^ 7]; RES[i++] ^= *C;                 \
-    D = &WALK[PT2 ^ 7]; RES[i++] ^= *D;                 \
-                                                        \
-    IN = (*A >> (13)) ^ (*A << (19)) ^ CLK;             \
-    *A = (*B >> (14)) ^ (*B << (18)) ^ CLK;             \
-    *B = IN;                                            \
-    *C = (*C >> (15)) ^ (*C << (17)) ^ CLK;             \
-    *D = (*D >> (16)) ^ (*D << (16)) ^ CLK;             \
-                                                        \
-    PT1 = ( RES[(i - 8) ^ PTX] ^                        \
-            WALK[PT1 ^ PTX ^ 7] ) & (~1);               \
-    PT1 ^= (PT2 ^ 0x10) & 0x10;                         \
-                                                        \
-    for( n++, i = 0; i < 16; i++ )                      \
-        hs->pool[n % COLLECT_SIZE] ^= RES[i];
-
-/*
- * Entropy gathering function
- */
-static void havege_fill( havege_state *hs )
-{
-    int i, n = 0;
-    int  U1,  U2, *A, *B, *C, *D;
-    int PT1, PT2, *WALK, RES[16];
-    int PTX, PTY, CLK, PTEST, IN;
-
-    WALK = hs->WALK;
-    PT1  = hs->PT1;
-    PT2  = hs->PT2;
-
-    PTX  = U1 = 0;
-    PTY  = U2 = 0;
-
-    memset( RES, 0, sizeof( RES ) );
-
-    while( n < COLLECT_SIZE * 4 )
-    {
-        ONE_ITERATION
-        ONE_ITERATION
-        ONE_ITERATION
-        ONE_ITERATION
-    }
-
-    hs->PT1 = PT1;
-    hs->PT2 = PT2;
-
-    hs->offset[0] = 0;
-    hs->offset[1] = COLLECT_SIZE / 2;
-}
-
-/*
- * HAVEGE initialization
- */
-void havege_init( havege_state *hs )
-{
-    memset( hs, 0, sizeof( havege_state ) );
-
-    havege_fill( hs );
-}
-
-/*
- * HAVEGE rand function
- */
-int havege_random( void *p_rng, unsigned char *buf, size_t len )
-{
-    int val;
-    size_t use_len;
-    havege_state *hs = (havege_state *) p_rng;
-    unsigned char *p = buf;
-
-    while( len > 0 )
-    {
-        use_len = len;
-        if( use_len > sizeof(int) )
-            use_len = sizeof(int);
-
-        if( hs->offset[1] >= COLLECT_SIZE )
-            havege_fill( hs );
-
-        val  = hs->pool[hs->offset[0]++];
-        val ^= hs->pool[hs->offset[1]++];
-
-        memcpy( p, &val, use_len );
-        
-        len -= use_len;
-        p += use_len;
-    }
-
-    return( 0 );
-}
-
-#endif
diff --git a/makerom/polarssl/md2.c b/makerom/polarssl/md2.c
deleted file mode 100644
index 2c8754a8..00000000
--- a/makerom/polarssl/md2.c
+++ /dev/null
@@ -1,368 +0,0 @@
-/*
- *  RFC 1115/1319 compliant MD2 implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The MD2 algorithm was designed by Ron Rivest in 1989.
- *
- *  http://www.ietf.org/rfc/rfc1115.txt
- *  http://www.ietf.org/rfc/rfc1319.txt
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_MD2_C)
-
-#include "polarssl/md2.h"
-
-#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
-#include <stdio.h>
-#endif
-
-#if !defined(POLARSSL_MD2_ALT)
-
-static const unsigned char PI_SUBST[256] =
-{
-    0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36,
-    0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13, 0x62, 0xA7, 0x05, 0xF3,
-    0xC0, 0xC7, 0x73, 0x8C, 0x98, 0x93, 0x2B, 0xD9, 0xBC, 0x4C,
-    0x82, 0xCA, 0x1E, 0x9B, 0x57, 0x3C, 0xFD, 0xD4, 0xE0, 0x16,
-    0x67, 0x42, 0x6F, 0x18, 0x8A, 0x17, 0xE5, 0x12, 0xBE, 0x4E,
-    0xC4, 0xD6, 0xDA, 0x9E, 0xDE, 0x49, 0xA0, 0xFB, 0xF5, 0x8E,
-    0xBB, 0x2F, 0xEE, 0x7A, 0xA9, 0x68, 0x79, 0x91, 0x15, 0xB2,
-    0x07, 0x3F, 0x94, 0xC2, 0x10, 0x89, 0x0B, 0x22, 0x5F, 0x21,
-    0x80, 0x7F, 0x5D, 0x9A, 0x5A, 0x90, 0x32, 0x27, 0x35, 0x3E,
-    0xCC, 0xE7, 0xBF, 0xF7, 0x97, 0x03, 0xFF, 0x19, 0x30, 0xB3,
-    0x48, 0xA5, 0xB5, 0xD1, 0xD7, 0x5E, 0x92, 0x2A, 0xAC, 0x56,
-    0xAA, 0xC6, 0x4F, 0xB8, 0x38, 0xD2, 0x96, 0xA4, 0x7D, 0xB6,
-    0x76, 0xFC, 0x6B, 0xE2, 0x9C, 0x74, 0x04, 0xF1, 0x45, 0x9D,
-    0x70, 0x59, 0x64, 0x71, 0x87, 0x20, 0x86, 0x5B, 0xCF, 0x65,
-    0xE6, 0x2D, 0xA8, 0x02, 0x1B, 0x60, 0x25, 0xAD, 0xAE, 0xB0,
-    0xB9, 0xF6, 0x1C, 0x46, 0x61, 0x69, 0x34, 0x40, 0x7E, 0x0F,
-    0x55, 0x47, 0xA3, 0x23, 0xDD, 0x51, 0xAF, 0x3A, 0xC3, 0x5C,
-    0xF9, 0xCE, 0xBA, 0xC5, 0xEA, 0x26, 0x2C, 0x53, 0x0D, 0x6E,
-    0x85, 0x28, 0x84, 0x09, 0xD3, 0xDF, 0xCD, 0xF4, 0x41, 0x81,
-    0x4D, 0x52, 0x6A, 0xDC, 0x37, 0xC8, 0x6C, 0xC1, 0xAB, 0xFA,
-    0x24, 0xE1, 0x7B, 0x08, 0x0C, 0xBD, 0xB1, 0x4A, 0x78, 0x88,
-    0x95, 0x8B, 0xE3, 0x63, 0xE8, 0x6D, 0xE9, 0xCB, 0xD5, 0xFE,
-    0x3B, 0x00, 0x1D, 0x39, 0xF2, 0xEF, 0xB7, 0x0E, 0x66, 0x58,
-    0xD0, 0xE4, 0xA6, 0x77, 0x72, 0xF8, 0xEB, 0x75, 0x4B, 0x0A,
-    0x31, 0x44, 0x50, 0xB4, 0x8F, 0xED, 0x1F, 0x1A, 0xDB, 0x99,
-    0x8D, 0x33, 0x9F, 0x11, 0x83, 0x14
-};
-
-/*
- * MD2 context setup
- */
-void md2_starts( md2_context *ctx )
-{
-    memset( ctx->cksum, 0, 16 );
-    memset( ctx->state, 0, 46 );
-    memset( ctx->buffer, 0, 16 );
-    ctx->left = 0;
-}
-
-static void md2_process( md2_context *ctx )
-{
-    int i, j;
-    unsigned char t = 0;
-
-    for( i = 0; i < 16; i++ )
-    {
-        ctx->state[i + 16] = ctx->buffer[i];
-        ctx->state[i + 32] =
-            (unsigned char)( ctx->buffer[i] ^ ctx->state[i]);
-    }
-
-    for( i = 0; i < 18; i++ )
-    {
-        for( j = 0; j < 48; j++ )
-        {
-            ctx->state[j] = (unsigned char)
-               ( ctx->state[j] ^ PI_SUBST[t] );
-            t  = ctx->state[j];
-        }
-
-        t = (unsigned char)( t + i );
-    }
-
-    t = ctx->cksum[15];
-
-    for( i = 0; i < 16; i++ )
-    {
-        ctx->cksum[i] = (unsigned char)
-           ( ctx->cksum[i] ^ PI_SUBST[ctx->buffer[i] ^ t] );
-        t  = ctx->cksum[i];
-    }
-}
-
-/*
- * MD2 process buffer
- */
-void md2_update( md2_context *ctx, const unsigned char *input, size_t ilen )
-{
-    size_t fill;
-
-    while( ilen > 0 )
-    {
-        if( ctx->left + ilen > 16 )
-            fill = 16 - ctx->left;
-        else
-            fill = ilen;
-
-        memcpy( ctx->buffer + ctx->left, input, fill );
-
-        ctx->left += fill;
-        input += fill;
-        ilen  -= fill;
-
-        if( ctx->left == 16 )
-        {
-            ctx->left = 0;
-            md2_process( ctx );
-        }
-    }
-}
-
-/*
- * MD2 final digest
- */
-void md2_finish( md2_context *ctx, unsigned char output[16] )
-{
-    size_t i;
-    unsigned char x;
-
-    x = (unsigned char)( 16 - ctx->left );
-
-    for( i = ctx->left; i < 16; i++ )
-        ctx->buffer[i] = x;
-
-    md2_process( ctx );
-
-    memcpy( ctx->buffer, ctx->cksum, 16 );
-    md2_process( ctx );
-
-    memcpy( output, ctx->state, 16 );
-}
-
-#endif /* !POLARSSL_MD2_ALT */
-
-/*
- * output = MD2( input buffer )
- */
-void md2( const unsigned char *input, size_t ilen, unsigned char output[16] )
-{
-    md2_context ctx;
-
-    md2_starts( &ctx );
-    md2_update( &ctx, input, ilen );
-    md2_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md2_context ) );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * output = MD2( file contents )
- */
-int md2_file( const char *path, unsigned char output[16] )
-{
-    FILE *f;
-    size_t n;
-    md2_context ctx;
-    unsigned char buf[1024];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_MD2_FILE_IO_ERROR );
-
-    md2_starts( &ctx );
-
-    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
-        md2_update( &ctx, buf, n );
-
-    md2_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md2_context ) );
-
-    if( ferror( f ) != 0 )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_MD2_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * MD2 HMAC context setup
- */
-void md2_hmac_starts( md2_context *ctx, const unsigned char *key, size_t keylen )
-{
-    size_t i;
-    unsigned char sum[16];
-
-    if( keylen > 16 )
-    {
-        md2( key, keylen, sum );
-        keylen = 16;
-        key = sum;
-    }
-
-    memset( ctx->ipad, 0x36, 16 );
-    memset( ctx->opad, 0x5C, 16 );
-
-    for( i = 0; i < keylen; i++ )
-    {
-        ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
-        ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
-    }
-
-    md2_starts( ctx );
-    md2_update( ctx, ctx->ipad, 16 );
-
-    memset( sum, 0, sizeof( sum ) );
-}
-
-/*
- * MD2 HMAC process buffer
- */
-void md2_hmac_update( md2_context *ctx, const unsigned char *input, size_t ilen )
-{
-    md2_update( ctx, input, ilen );
-}
-
-/*
- * MD2 HMAC final digest
- */
-void md2_hmac_finish( md2_context *ctx, unsigned char output[16] )
-{
-    unsigned char tmpbuf[16];
-
-    md2_finish( ctx, tmpbuf );
-    md2_starts( ctx );
-    md2_update( ctx, ctx->opad, 16 );
-    md2_update( ctx, tmpbuf, 16 );
-    md2_finish( ctx, output );
-
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
-}
-
-/*
- * MD2 HMAC context reset
- */
-void md2_hmac_reset( md2_context *ctx )
-{
-    md2_starts( ctx );
-    md2_update( ctx, ctx->ipad, 16 );
-}
-
-/*
- * output = HMAC-MD2( hmac key, input buffer )
- */
-void md2_hmac( const unsigned char *key, size_t keylen,
-               const unsigned char *input, size_t ilen,
-               unsigned char output[16] )
-{
-    md2_context ctx;
-
-    md2_hmac_starts( &ctx, key, keylen );
-    md2_hmac_update( &ctx, input, ilen );
-    md2_hmac_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md2_context ) );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-/*
- * RFC 1319 test vectors
- */
-static const char md2_test_str[7][81] =
-{
-    { "" },
-    { "a" },
-    { "abc" },
-    { "message digest" },
-    { "abcdefghijklmnopqrstuvwxyz" },
-    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
-    { "12345678901234567890123456789012345678901234567890123456789012" \
-      "345678901234567890" }
-};
-
-static const unsigned char md2_test_sum[7][16] =
-{
-    { 0x83, 0x50, 0xE5, 0xA3, 0xE2, 0x4C, 0x15, 0x3D,
-      0xF2, 0x27, 0x5C, 0x9F, 0x80, 0x69, 0x27, 0x73 },
-    { 0x32, 0xEC, 0x01, 0xEC, 0x4A, 0x6D, 0xAC, 0x72,
-      0xC0, 0xAB, 0x96, 0xFB, 0x34, 0xC0, 0xB5, 0xD1 },
-    { 0xDA, 0x85, 0x3B, 0x0D, 0x3F, 0x88, 0xD9, 0x9B,
-      0x30, 0x28, 0x3A, 0x69, 0xE6, 0xDE, 0xD6, 0xBB },
-    { 0xAB, 0x4F, 0x49, 0x6B, 0xFB, 0x2A, 0x53, 0x0B,
-      0x21, 0x9F, 0xF3, 0x30, 0x31, 0xFE, 0x06, 0xB0 },
-    { 0x4E, 0x8D, 0xDF, 0xF3, 0x65, 0x02, 0x92, 0xAB,
-      0x5A, 0x41, 0x08, 0xC3, 0xAA, 0x47, 0x94, 0x0B },
-    { 0xDA, 0x33, 0xDE, 0xF2, 0xA4, 0x2D, 0xF1, 0x39,
-      0x75, 0x35, 0x28, 0x46, 0xC3, 0x03, 0x38, 0xCD },
-    { 0xD5, 0x97, 0x6F, 0x79, 0xD8, 0x3D, 0x3A, 0x0D,
-      0xC9, 0x80, 0x6C, 0x3C, 0x66, 0xF3, 0xEF, 0xD8 }
-};
-
-/*
- * Checkup routine
- */
-int md2_self_test( int verbose )
-{
-    int i;
-    unsigned char md2sum[16];
-
-    for( i = 0; i < 7; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  MD2 test #%d: ", i + 1 );
-
-        md2( (unsigned char *) md2_test_str[i],
-             strlen( md2_test_str[i] ), md2sum );
-
-        if( memcmp( md2sum, md2_test_sum[i], 16 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/md4.c b/makerom/polarssl/md4.c
deleted file mode 100644
index 980f5e46..00000000
--- a/makerom/polarssl/md4.c
+++ /dev/null
@@ -1,464 +0,0 @@
-/*
- *  RFC 1186/1320 compliant MD4 implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The MD4 algorithm was designed by Ron Rivest in 1990.
- *
- *  http://www.ietf.org/rfc/rfc1186.txt
- *  http://www.ietf.org/rfc/rfc1320.txt
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_MD4_C)
-
-#include "polarssl/md4.h"
-
-#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
-#include <stdio.h>
-#endif
-
-#if !defined(POLARSSL_MD4_ALT)
-
-/*
- * 32-bit integer manipulation macros (little endian)
- */
-#ifndef GET_UINT32_LE
-#define GET_UINT32_LE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ]       )             \
-        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
-}
-#endif
-
-#ifndef PUT_UINT32_LE
-#define PUT_UINT32_LE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n)       );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
-}
-#endif
-
-/*
- * MD4 context setup
- */
-void md4_starts( md4_context *ctx )
-{
-    ctx->total[0] = 0;
-    ctx->total[1] = 0;
-
-    ctx->state[0] = 0x67452301;
-    ctx->state[1] = 0xEFCDAB89;
-    ctx->state[2] = 0x98BADCFE;
-    ctx->state[3] = 0x10325476;
-}
-
-static void md4_process( md4_context *ctx, const unsigned char data[64] )
-{
-    uint32_t X[16], A, B, C, D;
-
-    GET_UINT32_LE( X[ 0], data,  0 );
-    GET_UINT32_LE( X[ 1], data,  4 );
-    GET_UINT32_LE( X[ 2], data,  8 );
-    GET_UINT32_LE( X[ 3], data, 12 );
-    GET_UINT32_LE( X[ 4], data, 16 );
-    GET_UINT32_LE( X[ 5], data, 20 );
-    GET_UINT32_LE( X[ 6], data, 24 );
-    GET_UINT32_LE( X[ 7], data, 28 );
-    GET_UINT32_LE( X[ 8], data, 32 );
-    GET_UINT32_LE( X[ 9], data, 36 );
-    GET_UINT32_LE( X[10], data, 40 );
-    GET_UINT32_LE( X[11], data, 44 );
-    GET_UINT32_LE( X[12], data, 48 );
-    GET_UINT32_LE( X[13], data, 52 );
-    GET_UINT32_LE( X[14], data, 56 );
-    GET_UINT32_LE( X[15], data, 60 );
-
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
-
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-
-#define F(x, y, z) ((x & y) | ((~x) & z))
-#define P(a,b,c,d,x,s) { a += F(b,c,d) + x; a = S(a,s); }
-
-    P( A, B, C, D, X[ 0],  3 );
-    P( D, A, B, C, X[ 1],  7 );
-    P( C, D, A, B, X[ 2], 11 );
-    P( B, C, D, A, X[ 3], 19 );
-    P( A, B, C, D, X[ 4],  3 );
-    P( D, A, B, C, X[ 5],  7 );
-    P( C, D, A, B, X[ 6], 11 );
-    P( B, C, D, A, X[ 7], 19 );
-    P( A, B, C, D, X[ 8],  3 );
-    P( D, A, B, C, X[ 9],  7 );
-    P( C, D, A, B, X[10], 11 );
-    P( B, C, D, A, X[11], 19 );
-    P( A, B, C, D, X[12],  3 );
-    P( D, A, B, C, X[13],  7 );
-    P( C, D, A, B, X[14], 11 );
-    P( B, C, D, A, X[15], 19 );
-
-#undef P
-#undef F
-
-#define F(x,y,z) ((x & y) | (x & z) | (y & z))
-#define P(a,b,c,d,x,s) { a += F(b,c,d) + x + 0x5A827999; a = S(a,s); }
-
-    P( A, B, C, D, X[ 0],  3 );
-    P( D, A, B, C, X[ 4],  5 );
-    P( C, D, A, B, X[ 8],  9 );
-    P( B, C, D, A, X[12], 13 );
-    P( A, B, C, D, X[ 1],  3 );
-    P( D, A, B, C, X[ 5],  5 );
-    P( C, D, A, B, X[ 9],  9 );
-    P( B, C, D, A, X[13], 13 );
-    P( A, B, C, D, X[ 2],  3 );
-    P( D, A, B, C, X[ 6],  5 );
-    P( C, D, A, B, X[10],  9 );
-    P( B, C, D, A, X[14], 13 );
-    P( A, B, C, D, X[ 3],  3 );
-    P( D, A, B, C, X[ 7],  5 );
-    P( C, D, A, B, X[11],  9 );
-    P( B, C, D, A, X[15], 13 );
-
-#undef P
-#undef F
-
-#define F(x,y,z) (x ^ y ^ z)
-#define P(a,b,c,d,x,s) { a += F(b,c,d) + x + 0x6ED9EBA1; a = S(a,s); }
-
-    P( A, B, C, D, X[ 0],  3 );
-    P( D, A, B, C, X[ 8],  9 );
-    P( C, D, A, B, X[ 4], 11 );
-    P( B, C, D, A, X[12], 15 );
-    P( A, B, C, D, X[ 2],  3 );
-    P( D, A, B, C, X[10],  9 );
-    P( C, D, A, B, X[ 6], 11 );
-    P( B, C, D, A, X[14], 15 );
-    P( A, B, C, D, X[ 1],  3 );
-    P( D, A, B, C, X[ 9],  9 );
-    P( C, D, A, B, X[ 5], 11 );
-    P( B, C, D, A, X[13], 15 );
-    P( A, B, C, D, X[ 3],  3 );
-    P( D, A, B, C, X[11],  9 );
-    P( C, D, A, B, X[ 7], 11 );
-    P( B, C, D, A, X[15], 15 );
-
-#undef F
-#undef P
-
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-}
-
-/*
- * MD4 process buffer
- */
-void md4_update( md4_context *ctx, const unsigned char *input, size_t ilen )
-{
-    size_t fill;
-    uint32_t left;
-
-    if( ilen <= 0 )
-        return;
-
-    left = ctx->total[0] & 0x3F;
-    fill = 64 - left;
-
-    ctx->total[0] += (uint32_t) ilen;
-    ctx->total[0] &= 0xFFFFFFFF;
-
-    if( ctx->total[0] < (uint32_t) ilen )
-        ctx->total[1]++;
-
-    if( left && ilen >= fill )
-    {
-        memcpy( (void *) (ctx->buffer + left),
-                (void *) input, fill );
-        md4_process( ctx, ctx->buffer );
-        input += fill;
-        ilen  -= fill;
-        left = 0;
-    }
-
-    while( ilen >= 64 )
-    {
-        md4_process( ctx, input );
-        input += 64;
-        ilen  -= 64;
-    }
-
-    if( ilen > 0 )
-    {
-        memcpy( (void *) (ctx->buffer + left),
-                (void *) input, ilen );
-    }
-}
-
-static const unsigned char md4_padding[64] =
-{
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/*
- * MD4 final digest
- */
-void md4_finish( md4_context *ctx, unsigned char output[16] )
-{
-    uint32_t last, padn;
-    uint32_t high, low;
-    unsigned char msglen[8];
-
-    high = ( ctx->total[0] >> 29 )
-         | ( ctx->total[1] <<  3 );
-    low  = ( ctx->total[0] <<  3 );
-
-    PUT_UINT32_LE( low,  msglen, 0 );
-    PUT_UINT32_LE( high, msglen, 4 );
-
-    last = ctx->total[0] & 0x3F;
-    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
-
-    md4_update( ctx, (unsigned char *) md4_padding, padn );
-    md4_update( ctx, msglen, 8 );
-
-    PUT_UINT32_LE( ctx->state[0], output,  0 );
-    PUT_UINT32_LE( ctx->state[1], output,  4 );
-    PUT_UINT32_LE( ctx->state[2], output,  8 );
-    PUT_UINT32_LE( ctx->state[3], output, 12 );
-}
-
-#endif /* !POLARSSL_MD4_ALT */
-
-/*
- * output = MD4( input buffer )
- */
-void md4( const unsigned char *input, size_t ilen, unsigned char output[16] )
-{
-    md4_context ctx;
-
-    md4_starts( &ctx );
-    md4_update( &ctx, input, ilen );
-    md4_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md4_context ) );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * output = MD4( file contents )
- */
-int md4_file( const char *path, unsigned char output[16] )
-{
-    FILE *f;
-    size_t n;
-    md4_context ctx;
-    unsigned char buf[1024];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_MD4_FILE_IO_ERROR );
-
-    md4_starts( &ctx );
-
-    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
-        md4_update( &ctx, buf, n );
-
-    md4_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md4_context ) );
-
-    if( ferror( f ) != 0 )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_MD4_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * MD4 HMAC context setup
- */
-void md4_hmac_starts( md4_context *ctx, const unsigned char *key, size_t keylen )
-{
-    size_t i;
-    unsigned char sum[16];
-
-    if( keylen > 64 )
-    {
-        md4( key, keylen, sum );
-        keylen = 16;
-        key = sum;
-    }
-
-    memset( ctx->ipad, 0x36, 64 );
-    memset( ctx->opad, 0x5C, 64 );
-
-    for( i = 0; i < keylen; i++ )
-    {
-        ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
-        ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
-    }
-
-    md4_starts( ctx );
-    md4_update( ctx, ctx->ipad, 64 );
-
-    memset( sum, 0, sizeof( sum ) );
-}
-
-/*
- * MD4 HMAC process buffer
- */
-void md4_hmac_update( md4_context *ctx, const unsigned char *input, size_t ilen )
-{
-    md4_update( ctx, input, ilen );
-}
-
-/*
- * MD4 HMAC final digest
- */
-void md4_hmac_finish( md4_context *ctx, unsigned char output[16] )
-{
-    unsigned char tmpbuf[16];
-
-    md4_finish( ctx, tmpbuf );
-    md4_starts( ctx );
-    md4_update( ctx, ctx->opad, 64 );
-    md4_update( ctx, tmpbuf, 16 );
-    md4_finish( ctx, output );
-
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
-}
-
-/*
- * MD4 HMAC context reset
- */
-void md4_hmac_reset( md4_context *ctx )
-{
-    md4_starts( ctx );
-    md4_update( ctx, ctx->ipad, 64 );
-}
-
-/*
- * output = HMAC-MD4( hmac key, input buffer )
- */
-void md4_hmac( const unsigned char *key, size_t keylen,
-               const unsigned char *input, size_t ilen,
-               unsigned char output[16] )
-{
-    md4_context ctx;
-
-    md4_hmac_starts( &ctx, key, keylen );
-    md4_hmac_update( &ctx, input, ilen );
-    md4_hmac_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md4_context ) );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-/*
- * RFC 1320 test vectors
- */
-static const char md4_test_str[7][81] =
-{
-    { "" }, 
-    { "a" },
-    { "abc" },
-    { "message digest" },
-    { "abcdefghijklmnopqrstuvwxyz" },
-    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
-    { "12345678901234567890123456789012345678901234567890123456789012" \
-      "345678901234567890" }
-};
-
-static const unsigned char md4_test_sum[7][16] =
-{
-    { 0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31,
-      0xB7, 0x3C, 0x59, 0xD7, 0xE0, 0xC0, 0x89, 0xC0 },
-    { 0xBD, 0xE5, 0x2C, 0xB3, 0x1D, 0xE3, 0x3E, 0x46,
-      0x24, 0x5E, 0x05, 0xFB, 0xDB, 0xD6, 0xFB, 0x24 },
-    { 0xA4, 0x48, 0x01, 0x7A, 0xAF, 0x21, 0xD8, 0x52,
-      0x5F, 0xC1, 0x0A, 0xE8, 0x7A, 0xA6, 0x72, 0x9D },
-    { 0xD9, 0x13, 0x0A, 0x81, 0x64, 0x54, 0x9F, 0xE8,
-      0x18, 0x87, 0x48, 0x06, 0xE1, 0xC7, 0x01, 0x4B },
-    { 0xD7, 0x9E, 0x1C, 0x30, 0x8A, 0xA5, 0xBB, 0xCD,
-      0xEE, 0xA8, 0xED, 0x63, 0xDF, 0x41, 0x2D, 0xA9 },
-    { 0x04, 0x3F, 0x85, 0x82, 0xF2, 0x41, 0xDB, 0x35,
-      0x1C, 0xE6, 0x27, 0xE1, 0x53, 0xE7, 0xF0, 0xE4 },
-    { 0xE3, 0x3B, 0x4D, 0xDC, 0x9C, 0x38, 0xF2, 0x19,
-      0x9C, 0x3E, 0x7B, 0x16, 0x4F, 0xCC, 0x05, 0x36 }
-};
-
-/*
- * Checkup routine
- */
-int md4_self_test( int verbose )
-{
-    int i;
-    unsigned char md4sum[16];
-
-    for( i = 0; i < 7; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  MD4 test #%d: ", i + 1 );
-
-        md4( (unsigned char *) md4_test_str[i],
-             strlen( md4_test_str[i] ), md4sum );
-
-        if( memcmp( md4sum, md4_test_sum[i], 16 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/net.c b/makerom/polarssl/net.c
deleted file mode 100644
index 7a1818df..00000000
--- a/makerom/polarssl/net.c
+++ /dev/null
@@ -1,374 +0,0 @@
-/*
- *  TCP networking functions
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_NET_C)
-
-#include "polarssl/net.h"
-
-#if defined(_WIN32) || defined(_WIN32_WCE)
-
-#include <winsock2.h>
-#include <windows.h>
-
-#if defined(_WIN32_WCE)
-#pragma comment( lib, "ws2.lib" )
-#else
-#pragma comment( lib, "ws2_32.lib" )
-#endif
-
-#define read(fd,buf,len)        recv(fd,(char*)buf,(int) len,0)
-#define write(fd,buf,len)       send(fd,(char*)buf,(int) len,0)
-#define close(fd)               closesocket(fd)
-
-static int wsa_init_done = 0;
-
-#else
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <sys/time.h>
-#include <unistd.h>
-#include <signal.h>
-#include <fcntl.h>
-#include <netdb.h>
-#include <errno.h>
-
-#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) ||  \
-    defined(__DragonflyBSD__)
-#include <sys/endian.h>
-#elif defined(__APPLE__)
-#include <machine/endian.h>
-#elif defined(sun)
-#include <sys/isa_defs.h>
-#else
-#include <endian.h>
-#endif
-
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <time.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-/*
- * htons() is not always available.
- * By default go for LITTLE_ENDIAN variant. Otherwise hope for _BYTE_ORDER and __BIG_ENDIAN
- * to help determine endianess.
- */
-#if defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && __BYTE_ORDER == __BIG_ENDIAN
-#define POLARSSL_HTONS(n) (n)
-#define POLARSSL_HTONL(n) (n)
-#else
-#define POLARSSL_HTONS(n) ((((unsigned short)(n) & 0xFF      ) << 8 ) | \
-                           (((unsigned short)(n) & 0xFF00    ) >> 8 ))
-#define POLARSSL_HTONL(n) ((((unsigned long )(n) & 0xFF      ) << 24) | \
-                           (((unsigned long )(n) & 0xFF00    ) << 8 ) | \
-                           (((unsigned long )(n) & 0xFF0000  ) >> 8 ) | \
-                           (((unsigned long )(n) & 0xFF000000) >> 24))
-#endif
-
-unsigned short net_htons(unsigned short n);
-unsigned long  net_htonl(unsigned long  n);
-#define net_htons(n) POLARSSL_HTONS(n)
-#define net_htonl(n) POLARSSL_HTONL(n)
-
-/*
- * Initiate a TCP connection with host:port
- */
-int net_connect( int *fd, const char *host, int port )
-{
-    struct sockaddr_in server_addr;
-    struct hostent *server_host;
-
-#if defined(_WIN32) || defined(_WIN32_WCE)
-    WSADATA wsaData;
-
-    if( wsa_init_done == 0 )
-    {
-        if( WSAStartup( MAKEWORD(2,0), &wsaData ) == SOCKET_ERROR )
-            return( POLARSSL_ERR_NET_SOCKET_FAILED );
-
-        wsa_init_done = 1;
-    }
-#else
-    signal( SIGPIPE, SIG_IGN );
-#endif
-
-    if( ( server_host = gethostbyname( host ) ) == NULL )
-        return( POLARSSL_ERR_NET_UNKNOWN_HOST );
-
-    if( ( *fd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ) ) < 0 )
-        return( POLARSSL_ERR_NET_SOCKET_FAILED );
-
-    memcpy( (void *) &server_addr.sin_addr,
-            (void *) server_host->h_addr,
-                     server_host->h_length );
-
-    server_addr.sin_family = AF_INET;
-    server_addr.sin_port   = net_htons( port );
-
-    if( connect( *fd, (struct sockaddr *) &server_addr,
-                 sizeof( server_addr ) ) < 0 )
-    {
-        close( *fd );
-        return( POLARSSL_ERR_NET_CONNECT_FAILED );
-    }
-
-    return( 0 );
-}
-
-/*
- * Create a listening socket on bind_ip:port
- */
-int net_bind( int *fd, const char *bind_ip, int port )
-{
-    int n, c[4];
-    struct sockaddr_in server_addr;
-
-#if defined(_WIN32) || defined(_WIN32_WCE)
-    WSADATA wsaData;
-
-    if( wsa_init_done == 0 )
-    {
-        if( WSAStartup( MAKEWORD(2,0), &wsaData ) == SOCKET_ERROR )
-            return( POLARSSL_ERR_NET_SOCKET_FAILED );
-
-        wsa_init_done = 1;
-    }
-#else
-    signal( SIGPIPE, SIG_IGN );
-#endif
-
-    if( ( *fd = socket( AF_INET, SOCK_STREAM, IPPROTO_IP ) ) < 0 )
-        return( POLARSSL_ERR_NET_SOCKET_FAILED );
-
-    n = 1;
-    setsockopt( *fd, SOL_SOCKET, SO_REUSEADDR,
-                (const char *) &n, sizeof( n ) );
-
-    server_addr.sin_addr.s_addr = net_htonl( INADDR_ANY );
-    server_addr.sin_family      = AF_INET;
-    server_addr.sin_port        = net_htons( port );
-
-    if( bind_ip != NULL )
-    {
-        memset( c, 0, sizeof( c ) );
-        sscanf( bind_ip, "%d.%d.%d.%d", &c[0], &c[1], &c[2], &c[3] );
-
-        for( n = 0; n < 4; n++ )
-            if( c[n] < 0 || c[n] > 255 )
-                break;
-
-        if( n == 4 )
-            server_addr.sin_addr.s_addr = net_htonl(
-                ( (uint32_t) c[0] << 24 ) |
-                ( (uint32_t) c[1] << 16 ) |
-                ( (uint32_t) c[2] <<  8 ) |
-                ( (uint32_t) c[3]       ) );
-    }
-
-    if( bind( *fd, (struct sockaddr *) &server_addr,
-              sizeof( server_addr ) ) < 0 )
-    {
-        close( *fd );
-        return( POLARSSL_ERR_NET_BIND_FAILED );
-    }
-
-    if( listen( *fd, POLARSSL_NET_LISTEN_BACKLOG ) != 0 )
-    {
-        close( *fd );
-        return( POLARSSL_ERR_NET_LISTEN_FAILED );
-    }
-
-    return( 0 );
-}
-
-/*
- * Check if the current operation is blocking
- */
-static int net_is_blocking( void )
-{
-#if defined(_WIN32) || defined(_WIN32_WCE)
-    return( WSAGetLastError() == WSAEWOULDBLOCK );
-#else
-    switch( errno )
-    {
-#if defined EAGAIN
-        case EAGAIN:
-#endif
-#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
-        case EWOULDBLOCK:
-#endif
-            return( 1 );
-    }
-    return( 0 );
-#endif
-}
-
-/*
- * Accept a connection from a remote client
- */
-int net_accept( int bind_fd, int *client_fd, void *client_ip )
-{
-    struct sockaddr_in client_addr;
-
-#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) ||  \
-    defined(_SOCKLEN_T_DECLARED)
-    socklen_t n = (socklen_t) sizeof( client_addr );
-#else
-    int n = (int) sizeof( client_addr );
-#endif
-
-    *client_fd = accept( bind_fd, (struct sockaddr *)
-                         &client_addr, &n );
-
-    if( *client_fd < 0 )
-    {
-        if( net_is_blocking() != 0 )
-            return( POLARSSL_ERR_NET_WANT_READ );
-
-        return( POLARSSL_ERR_NET_ACCEPT_FAILED );
-    }
-
-    if( client_ip != NULL )
-        memcpy( client_ip, &client_addr.sin_addr.s_addr,
-                    sizeof( client_addr.sin_addr.s_addr ) );
-
-    return( 0 );
-}
-
-/*
- * Set the socket blocking or non-blocking
- */
-int net_set_block( int fd )
-{
-#if defined(_WIN32) || defined(_WIN32_WCE)
-    u_long n = 0;
-    return( ioctlsocket( fd, FIONBIO, &n ) );
-#else
-    return( fcntl( fd, F_SETFL, fcntl( fd, F_GETFL ) & ~O_NONBLOCK ) );
-#endif
-}
-
-int net_set_nonblock( int fd )
-{
-#if defined(_WIN32) || defined(_WIN32_WCE)
-    u_long n = 1;
-    return( ioctlsocket( fd, FIONBIO, &n ) );
-#else
-    return( fcntl( fd, F_SETFL, fcntl( fd, F_GETFL ) | O_NONBLOCK ) );
-#endif
-}
-
-/*
- * Portable usleep helper
- */
-void net_usleep( unsigned long usec )
-{
-    struct timeval tv;
-    tv.tv_sec  = 0;
-    tv.tv_usec = usec;
-    select( 0, NULL, NULL, NULL, &tv );
-}
-
-/*
- * Read at most 'len' characters
- */
-int net_recv( void *ctx, unsigned char *buf, size_t len )
-{ 
-    int ret = read( *((int *) ctx), buf, len );
-
-    if( ret < 0 )
-    {
-        if( net_is_blocking() != 0 )
-            return( POLARSSL_ERR_NET_WANT_READ );
-
-#if defined(_WIN32) || defined(_WIN32_WCE)
-        if( WSAGetLastError() == WSAECONNRESET )
-            return( POLARSSL_ERR_NET_CONN_RESET );
-#else
-        if( errno == EPIPE || errno == ECONNRESET )
-            return( POLARSSL_ERR_NET_CONN_RESET );
-
-        if( errno == EINTR )
-            return( POLARSSL_ERR_NET_WANT_READ );
-#endif
-
-        return( POLARSSL_ERR_NET_RECV_FAILED );
-    }
-
-    return( ret );
-}
-
-/*
- * Write at most 'len' characters
- */
-int net_send( void *ctx, const unsigned char *buf, size_t len )
-{
-    int ret = write( *((int *) ctx), buf, len );
-
-    if( ret < 0 )
-    {
-        if( net_is_blocking() != 0 )
-            return( POLARSSL_ERR_NET_WANT_WRITE );
-
-#if defined(_WIN32) || defined(_WIN32_WCE)
-        if( WSAGetLastError() == WSAECONNRESET )
-            return( POLARSSL_ERR_NET_CONN_RESET );
-#else
-        if( errno == EPIPE || errno == ECONNRESET )
-            return( POLARSSL_ERR_NET_CONN_RESET );
-
-        if( errno == EINTR )
-            return( POLARSSL_ERR_NET_WANT_WRITE );
-#endif
-
-        return( POLARSSL_ERR_NET_SEND_FAILED );
-    }
-
-    return( ret );
-}
-
-/*
- * Gracefully close the connection
- */
-void net_close( int fd )
-{
-    shutdown( fd, 2 );
-    close( fd );
-}
-
-#endif
diff --git a/makerom/polarssl/padlock.c b/makerom/polarssl/padlock.c
deleted file mode 100644
index 9ddac15e..00000000
--- a/makerom/polarssl/padlock.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- *  VIA PadLock support functions
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  This implementation is based on the VIA PadLock Programming Guide:
- *
- *  http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
- *  programming_guide.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_PADLOCK_C)
-
-#include "polarssl/padlock.h"
-
-#if defined(POLARSSL_HAVE_X86)
-
-/*
- * PadLock detection routine
- */
-int padlock_supports( int feature )
-{
-    static int flags = -1;
-    int ebx, edx;
-
-    if( flags == -1 )
-    {
-        __asm__( "movl  %%ebx, %0           \n"     \
-             "movl  $0xC0000000, %%eax  \n"     \
-             "cpuid                     \n"     \
-             "cmpl  $0xC0000001, %%eax  \n"     \
-             "movl  $0, %%edx           \n"     \
-             "jb    unsupported         \n"     \
-             "movl  $0xC0000001, %%eax  \n"     \
-             "cpuid                     \n"     \
-             "unsupported:              \n"     \
-             "movl  %%edx, %1           \n"     \
-             "movl  %2, %%ebx           \n"
-             : "=m" (ebx), "=m" (edx)
-             :  "m" (ebx)
-             : "eax", "ecx", "edx" );
-
-        flags = edx;
-    }
-
-    return( flags & feature );
-}
-
-/*
- * PadLock AES-ECB block en(de)cryption
- */
-int padlock_xcryptecb( aes_context *ctx,
-                       int mode,
-                       const unsigned char input[16],
-                       unsigned char output[16] )
-{
-    int ebx;
-    uint32_t *rk;
-    uint32_t *blk;
-    uint32_t *ctrl;
-    unsigned char buf[256];
-
-    rk  = ctx->rk;
-    blk = PADLOCK_ALIGN16( buf );
-    memcpy( blk, input, 16 );
-
-     ctrl = blk + 4;
-    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode^1 ) - 10 ) << 9 );
-
-    __asm__( "pushfl; popfl         \n"     \
-         "movl    %%ebx, %0     \n"     \
-         "movl    $1, %%ecx     \n"     \
-         "movl    %2, %%edx     \n"     \
-         "movl    %3, %%ebx     \n"     \
-         "movl    %4, %%esi     \n"     \
-         "movl    %4, %%edi     \n"     \
-         ".byte  0xf3,0x0f,0xa7,0xc8\n" \
-         "movl    %1, %%ebx     \n"
-         : "=m" (ebx)
-         :  "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
-         : "ecx", "edx", "esi", "edi" );
-
-    memcpy( output, blk, 16 );
-
-    return( 0 );
-}
-
-/*
- * PadLock AES-CBC buffer en(de)cryption
- */
-int padlock_xcryptcbc( aes_context *ctx,
-                       int mode,
-                       size_t length,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int ebx;
-    size_t count;
-    uint32_t *rk;
-    uint32_t *iw;
-    uint32_t *ctrl;
-    unsigned char buf[256];
-
-    if( ( (long) input  & 15 ) != 0 ||
-        ( (long) output & 15 ) != 0 )
-        return( POLARSSL_ERR_PADLOCK_DATA_MISALIGNED );
-
-    rk = ctx->rk;
-    iw = PADLOCK_ALIGN16( buf );
-    memcpy( iw, iv, 16 );
-
-     ctrl = iw + 4;
-    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + (mode^1) - 10 ) << 9 );
-
-    count = (length + 15) >> 4;
-
-    __asm__( "pushfl; popfl         \n"     \
-         "movl    %%ebx, %0     \n"     \
-         "movl    %2, %%ecx     \n"     \
-         "movl    %3, %%edx     \n"     \
-         "movl    %4, %%ebx     \n"     \
-         "movl    %5, %%esi     \n"     \
-         "movl    %6, %%edi     \n"     \
-         "movl    %7, %%eax     \n"     \
-         ".byte  0xf3,0x0f,0xa7,0xd0\n" \
-         "movl    %1, %%ebx     \n"
-         : "=m" (ebx)
-         :  "m" (ebx), "m" (count), "m" (ctrl),
-            "m"  (rk), "m" (input), "m" (output), "m" (iw)
-         : "eax", "ecx", "edx", "esi", "edi" );
-
-    memcpy( iv, iw, 16 );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/pbkdf2.c b/makerom/polarssl/pbkdf2.c
deleted file mode 100644
index 09e56dfa..00000000
--- a/makerom/polarssl/pbkdf2.c
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * \file pbkdf2.c
- *
- * \brief Password-Based Key Derivation Function 2 (from PKCS#5)
- *        DEPRECATED: Use pkcs5.c instead
- *
- * \author Mathias Olsson <mathias@kompetensum.com>
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- * PBKDF2 is part of PKCS#5
- *
- * http://tools.ietf.org/html/rfc2898 (Specification)
- * http://tools.ietf.org/html/rfc6070 (Test vectors)
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_PBKDF2_C)
-
-#include "polarssl/pbkdf2.h"
-#include "polarssl/pkcs5.h"
-
-int pbkdf2_hmac( md_context_t *ctx, const unsigned char *password, size_t plen,
-                 const unsigned char *salt, size_t slen,
-                 unsigned int iteration_count,
-                 uint32_t key_length, unsigned char *output )
-{
-    return pkcs5_pbkdf2_hmac( ctx, password, plen, salt, slen, iteration_count,
-                              key_length, output );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-int pbkdf2_self_test( int verbose )
-{
-    return pkcs5_self_test( verbose );
-}
-#endif /* POLARSSL_SELF_TEST */
-
-#endif /* POLARSSL_PBKDF2_C */
diff --git a/makerom/polarssl/pem.c b/makerom/polarssl/pem.c
deleted file mode 100644
index e2e39980..00000000
--- a/makerom/polarssl/pem.c
+++ /dev/null
@@ -1,355 +0,0 @@
-/*
- *  Privacy Enhanced Mail (PEM) decoding
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_PEM_C)
-
-#include "polarssl/pem.h"
-#include "polarssl/base64.h"
-#include "polarssl/des.h"
-#include "polarssl/aes.h"
-#include "polarssl/md5.h"
-#include "polarssl/cipher.h"
-
-#include <stdlib.h>
-
-void pem_init( pem_context *ctx )
-{
-    memset( ctx, 0, sizeof( pem_context ) );
-}
-
-#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
-/*
- * Read a 16-byte hex string and convert it to binary
- */
-static int pem_get_iv( const unsigned char *s, unsigned char *iv, size_t iv_len )
-{
-    size_t i, j, k;
-
-    memset( iv, 0, iv_len );
-
-    for( i = 0; i < iv_len * 2; i++, s++ )
-    {
-        if( *s >= '0' && *s <= '9' ) j = *s - '0'; else
-        if( *s >= 'A' && *s <= 'F' ) j = *s - '7'; else
-        if( *s >= 'a' && *s <= 'f' ) j = *s - 'W'; else
-            return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
-
-        k = ( ( i & 1 ) != 0 ) ? j : j << 4;
-
-        iv[i >> 1] = (unsigned char)( iv[i >> 1] | k );
-    }
-
-    return( 0 );
-}
-
-static void pem_pbkdf1( unsigned char *key, size_t keylen,
-                        unsigned char *iv,
-                        const unsigned char *pwd, size_t pwdlen )
-{
-    md5_context md5_ctx;
-    unsigned char md5sum[16];
-    size_t use_len;
-
-    /*
-     * key[ 0..15] = MD5(pwd || IV)
-     */
-    md5_starts( &md5_ctx );
-    md5_update( &md5_ctx, pwd, pwdlen );
-    md5_update( &md5_ctx, iv,  8 );
-    md5_finish( &md5_ctx, md5sum );
-
-    if( keylen <= 16 )
-    {
-        memcpy( key, md5sum, keylen );
-
-        memset( &md5_ctx, 0, sizeof(  md5_ctx ) );
-        memset( md5sum, 0, 16 );
-        return;
-    }
-
-    memcpy( key, md5sum, 16 );
-
-    /*
-     * key[16..23] = MD5(key[ 0..15] || pwd || IV])
-     */
-    md5_starts( &md5_ctx );
-    md5_update( &md5_ctx, md5sum,  16 );
-    md5_update( &md5_ctx, pwd, pwdlen );
-    md5_update( &md5_ctx, iv,  8 );
-    md5_finish( &md5_ctx, md5sum );
-
-    use_len = 16;
-    if( keylen < 32 )
-        use_len = keylen - 16;
-
-    memcpy( key + 16, md5sum, use_len );
-
-    memset( &md5_ctx, 0, sizeof(  md5_ctx ) );
-    memset( md5sum, 0, 16 );
-}
-
-#if defined(POLARSSL_DES_C)
-/*
- * Decrypt with DES-CBC, using PBKDF1 for key derivation
- */
-static void pem_des_decrypt( unsigned char des_iv[8],
-                               unsigned char *buf, size_t buflen,
-                               const unsigned char *pwd, size_t pwdlen )
-{
-    des_context des_ctx;
-    unsigned char des_key[8];
-
-    pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen );
-
-    des_setkey_dec( &des_ctx, des_key );
-    des_crypt_cbc( &des_ctx, DES_DECRYPT, buflen,
-                     des_iv, buf, buf );
-
-    memset( &des_ctx, 0, sizeof( des_ctx ) );
-    memset( des_key, 0, 8 );
-}
-
-/*
- * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
- */
-static void pem_des3_decrypt( unsigned char des3_iv[8],
-                               unsigned char *buf, size_t buflen,
-                               const unsigned char *pwd, size_t pwdlen )
-{
-    des3_context des3_ctx;
-    unsigned char des3_key[24];
-
-    pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen );
-
-    des3_set3key_dec( &des3_ctx, des3_key );
-    des3_crypt_cbc( &des3_ctx, DES_DECRYPT, buflen,
-                     des3_iv, buf, buf );
-
-    memset( &des3_ctx, 0, sizeof( des3_ctx ) );
-    memset( des3_key, 0, 24 );
-}
-#endif /* POLARSSL_DES_C */
-
-#if defined(POLARSSL_AES_C)
-/*
- * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
- */
-static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
-                               unsigned char *buf, size_t buflen,
-                               const unsigned char *pwd, size_t pwdlen )
-{
-    aes_context aes_ctx;
-    unsigned char aes_key[32];
-
-    pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen );
-
-    aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 );
-    aes_crypt_cbc( &aes_ctx, AES_DECRYPT, buflen,
-                     aes_iv, buf, buf );
-
-    memset( &aes_ctx, 0, sizeof( aes_ctx ) );
-    memset( aes_key, 0, keylen );
-}
-#endif /* POLARSSL_AES_C */
-
-#endif /* POLARSSL_MD5_C && (POLARSSL_AES_C || POLARSSL_DES_C) */
-
-int pem_read_buffer( pem_context *ctx, char *header, char *footer, const unsigned char *data, const unsigned char *pwd, size_t pwdlen, size_t *use_len )
-{
-    int ret, enc;
-    size_t len;
-    unsigned char *buf;
-    const unsigned char *s1, *s2, *end;
-#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
-    unsigned char pem_iv[16];
-    cipher_type_t enc_alg = POLARSSL_CIPHER_NONE;
-#else
-    ((void) pwd);
-    ((void) pwdlen);
-#endif /* POLARSSL_MD5_C && (POLARSSL_AES_C || POLARSSL_DES_C) */
-
-    if( ctx == NULL )
-        return( POLARSSL_ERR_PEM_BAD_INPUT_DATA );
-
-    s1 = (unsigned char *) strstr( (const char *) data, header );
-
-    if( s1 == NULL )
-        return( POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
-
-    s2 = (unsigned char *) strstr( (const char *) data, footer );
-
-    if( s2 == NULL || s2 <= s1 )
-        return( POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
-
-    s1 += strlen( header );
-    if( *s1 == '\r' ) s1++;
-    if( *s1 == '\n' ) s1++;
-    else return( POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
-
-    end = s2;
-    end += strlen( footer );
-    if( *end == '\r' ) end++;
-    if( *end == '\n' ) end++;
-    *use_len = end - data;
-
-    enc = 0;
-
-    if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
-    {
-#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
-        enc++;
-
-        s1 += 22;
-        if( *s1 == '\r' ) s1++;
-        if( *s1 == '\n' ) s1++;
-        else return( POLARSSL_ERR_PEM_INVALID_DATA );
-
-
-#if defined(POLARSSL_DES_C)
-        if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
-        {
-            enc_alg = POLARSSL_CIPHER_DES_EDE3_CBC;
-
-            s1 += 23;
-            if( pem_get_iv( s1, pem_iv, 8 ) != 0 )
-                return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
-
-            s1 += 16;
-        }
-        else if( memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
-        {
-            enc_alg = POLARSSL_CIPHER_DES_CBC;
-
-            s1 += 18;
-            if( pem_get_iv( s1, pem_iv, 8) != 0 )
-                return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
-
-            s1 += 16;
-        }
-#endif /* POLARSSL_DES_C */
-
-#if defined(POLARSSL_AES_C)
-        if( memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
-        {
-            if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
-                enc_alg = POLARSSL_CIPHER_AES_128_CBC;
-            else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
-                enc_alg = POLARSSL_CIPHER_AES_192_CBC;
-            else if( memcmp( s1, "DEK-Info: AES-256-CBC,", 22 ) == 0 )
-                enc_alg = POLARSSL_CIPHER_AES_256_CBC;
-            else
-                return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
-
-            s1 += 22;
-            if( pem_get_iv( s1, pem_iv, 16 ) != 0 )
-                return( POLARSSL_ERR_PEM_INVALID_ENC_IV );
-
-            s1 += 32;
-        }
-#endif /* POLARSSL_AES_C */
-        
-        if( enc_alg == POLARSSL_CIPHER_NONE )
-            return( POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG );
-
-        if( *s1 == '\r' ) s1++;
-        if( *s1 == '\n' ) s1++;
-        else return( POLARSSL_ERR_PEM_INVALID_DATA );
-#else
-        return( POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE );
-#endif /* POLARSSL_MD5_C && (POLARSSL_AES_C || POLARSSL_DES_C) */
-    }
-
-    len = 0;
-    ret = base64_decode( NULL, &len, s1, s2 - s1 );
-
-    if( ret == POLARSSL_ERR_BASE64_INVALID_CHARACTER )
-        return( POLARSSL_ERR_PEM_INVALID_DATA + ret );
-
-    if( ( buf = (unsigned char *) malloc( len ) ) == NULL )
-        return( POLARSSL_ERR_PEM_MALLOC_FAILED );
-
-    if( ( ret = base64_decode( buf, &len, s1, s2 - s1 ) ) != 0 )
-    {
-        free( buf );
-        return( POLARSSL_ERR_PEM_INVALID_DATA + ret );
-    }
-    
-    if( enc != 0 )
-    {
-#if defined(POLARSSL_MD5_C) && (defined(POLARSSL_DES_C) || defined(POLARSSL_AES_C))
-        if( pwd == NULL )
-        {
-            free( buf );
-            return( POLARSSL_ERR_PEM_PASSWORD_REQUIRED );
-        }
-
-#if defined(POLARSSL_DES_C)
-        if( enc_alg == POLARSSL_CIPHER_DES_EDE3_CBC )
-            pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
-        else if( enc_alg == POLARSSL_CIPHER_DES_CBC )
-            pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
-#endif /* POLARSSL_DES_C */
-
-#if defined(POLARSSL_AES_C)
-        if( enc_alg == POLARSSL_CIPHER_AES_128_CBC )
-            pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
-        else if( enc_alg == POLARSSL_CIPHER_AES_192_CBC )
-            pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
-        else if( enc_alg == POLARSSL_CIPHER_AES_256_CBC )
-            pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
-#endif /* POLARSSL_AES_C */
-
-        if( buf[0] != 0x30 || buf[1] != 0x82 ||
-            buf[4] != 0x02 || buf[5] != 0x01 )
-        {
-            free( buf );
-            return( POLARSSL_ERR_PEM_PASSWORD_MISMATCH );
-        }
-#else
-        free( buf );
-        return( POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE );
-#endif
-    }
-
-    ctx->buf = buf;
-    ctx->buflen = len;
-
-    return( 0 );
-}
-
-void pem_free( pem_context *ctx )
-{
-    if( ctx->buf )
-        free( ctx->buf );
-
-    if( ctx->info )
-        free( ctx->info );
-
-    memset( ctx, 0, sizeof( pem_context ) );
-}
-
-#endif
diff --git a/makerom/polarssl/pkcs11.c b/makerom/polarssl/pkcs11.c
deleted file mode 100644
index b68d6881..00000000
--- a/makerom/polarssl/pkcs11.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/**
- * \file pkcs11.c
- *
- * \brief Wrapper for PKCS#11 library libpkcs11-helper
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/pkcs11.h"
-
-#if defined(POLARSSL_PKCS11_C)
-
-#include <stdlib.h>
-
-int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11_cert )
-{
-    int ret = 1;
-    unsigned char *cert_blob = NULL;
-    size_t cert_blob_size = 0;
-
-    if( cert == NULL )
-    {
-        ret = 2;
-        goto cleanup;
-    }
-
-    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL, &cert_blob_size ) != CKR_OK )
-    {
-        ret = 3;
-        goto cleanup;
-    }
-
-    cert_blob = malloc( cert_blob_size );
-    if( NULL == cert_blob )
-    {
-        ret = 4;
-        goto cleanup;
-    }
-
-    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob, &cert_blob_size ) != CKR_OK )
-    {
-        ret = 5;
-        goto cleanup;
-    }
-
-    if( 0 != x509parse_crt(cert, cert_blob, cert_blob_size ) )
-    {
-        ret = 6;
-        goto cleanup;
-    }
-
-    ret = 0;
-
-cleanup:
-    if( NULL != cert_blob )
-        free( cert_blob );
-
-    return ret;
-}
-
-
-int pkcs11_priv_key_init( pkcs11_context *priv_key,
-        pkcs11h_certificate_t pkcs11_cert )
-{
-    int ret = 1;
-    x509_cert cert;
-
-    memset( &cert, 0, sizeof( cert ) );
-
-    if( priv_key == NULL )
-        goto cleanup;
-
-    if( 0 != pkcs11_x509_cert_init( &cert, pkcs11_cert ) )
-        goto cleanup;
-
-    priv_key->len = cert.rsa.len;
-    priv_key->pkcs11h_cert = pkcs11_cert;
-
-    ret = 0;
-
-cleanup:
-    x509_free( &cert );
-
-    return ret;
-}
-
-void pkcs11_priv_key_free( pkcs11_context *priv_key )
-{
-    if( NULL != priv_key )
-        pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
-}
-
-int pkcs11_decrypt( pkcs11_context *ctx,
-                       int mode, size_t *olen,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       size_t output_max_len )
-{
-    size_t input_len, output_len;
-
-    if( NULL == ctx )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    if( RSA_PUBLIC == mode )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    output_len = input_len = ctx->len;
-
-    if( input_len < 16 || input_len > output_max_len )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    /* Determine size of output buffer */
-    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
-            input_len, NULL, &output_len ) != CKR_OK )
-    {
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    if( output_len > output_max_len )
-        return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
-
-    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
-            input_len, output, &output_len ) != CKR_OK )
-    {
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-    *olen = output_len;
-    return( 0 );
-}
-
-int pkcs11_sign( pkcs11_context *ctx,
-                    int mode,
-                    int hash_id,
-                    unsigned int hashlen,
-                    const unsigned char *hash,
-                    unsigned char *sig )
-{
-    size_t olen, asn_len;
-    unsigned char *p = sig;
-
-    if( NULL == ctx )
-        return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
-
-    if( RSA_PUBLIC == mode )
-        return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
-
-    olen = ctx->len;
-
-    switch( hash_id )
-    {
-        case SIG_RSA_RAW:
-            asn_len = 0;
-            memcpy( p, hash, hashlen );
-            break;
-
-        case SIG_RSA_MD2:
-            asn_len = OID_SIZE(ASN1_HASH_MDX);
-            memcpy( p, ASN1_HASH_MDX, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[13] = 2; break;
-
-        case SIG_RSA_MD4:
-            asn_len = OID_SIZE(ASN1_HASH_MDX);
-            memcpy( p, ASN1_HASH_MDX, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[13] = 4; break;
-
-        case SIG_RSA_MD5:
-            asn_len = OID_SIZE(ASN1_HASH_MDX);
-            memcpy( p, ASN1_HASH_MDX, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[13] = 5; break;
-
-        case SIG_RSA_SHA1:
-            asn_len = OID_SIZE(ASN1_HASH_SHA1);
-            memcpy( p, ASN1_HASH_SHA1, asn_len );
-            memcpy( p + 15, hash, hashlen );
-            break;
-
-        case SIG_RSA_SHA224:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 4; p[18] += hashlen; break;
-
-        case SIG_RSA_SHA256:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 1; p[18] += hashlen; break;
-
-        case SIG_RSA_SHA384:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 2; p[18] += hashlen; break;
-
-        case SIG_RSA_SHA512:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 3; p[18] += hashlen; break;
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
-            asn_len + hashlen, sig, &olen ) != CKR_OK )
-    {
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    return( 0 );
-}
-
-#endif /* defined(POLARSSL_PKCS11_C) */
diff --git a/makerom/polarssl/pkcs12.c b/makerom/polarssl/pkcs12.c
deleted file mode 100644
index 2ee9c5ea..00000000
--- a/makerom/polarssl/pkcs12.c
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- *  PKCS#12 Personal Information Exchange Syntax
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The PKCS #12 Personal Information Exchange Syntax Standard v1.1
- *
- *  http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
- *  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_PKCS12_C)
-
-#include "polarssl/pkcs12.h"
-#include "polarssl/asn1.h"
-#include "polarssl/cipher.h"
-
-#if defined(POLARSSL_ARC4_C)
-#include "polarssl/arc4.h"
-#endif
-
-#if defined(POLARSSL_DES_C)
-#include "polarssl/des.h"
-#endif
-
-static int pkcs12_parse_pbe_params( unsigned char **p,
-                                    const unsigned char *end,
-                                    asn1_buf *salt, int *iterations )
-{
-    int ret;
-    size_t len = 0;
-
-    /*
-     *  pkcs-12PbeParams ::= SEQUENCE {
-     *    salt          OCTET STRING,
-     *    iterations    INTEGER
-     *  }
-     *
-     */
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
-    }
-
-    end = *p + len;
-
-    if( ( ret = asn1_get_tag( p, end, &salt->len, ASN1_OCTET_STRING ) ) != 0 )
-        return( POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
-
-    salt->p = *p;
-    *p += salt->len;
-
-    if( ( ret = asn1_get_int( p, end, iterations ) ) != 0 )
-        return( POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
-
-    if( *p != end )
-        return( POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-static int pkcs12_pbe_derive_key_iv( asn1_buf *pbe_params, md_type_t md_type,
-                                     const unsigned char *pwd,  size_t pwdlen,
-                                     unsigned char *key, size_t keylen,
-                                     unsigned char *iv,  size_t ivlen )
-{
-    int ret, iterations;
-    asn1_buf salt;
-    size_t i;
-    unsigned char *p, *end;
-    unsigned char unipwd[258];
-
-    memset(&salt, 0, sizeof(asn1_buf));
-    memset(&unipwd, 0, sizeof(unipwd));
-
-    p = pbe_params->p;
-    end = p + pbe_params->len;
-
-    if( ( ret = pkcs12_parse_pbe_params( &p, end, &salt, &iterations ) ) != 0 )
-        return( ret );
-
-    for(i = 0; i < pwdlen; i++)
-        unipwd[i * 2 + 1] = pwd[i];
-
-    if( ( ret = pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2,
-                                   salt.p, salt.len, md_type,
-                                   PKCS12_DERIVE_KEY, iterations ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    if( iv == NULL || ivlen == 0 )
-        return( 0 );
-
-    if( ( ret = pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2,
-                                   salt.p, salt.len, md_type,
-                                   PKCS12_DERIVE_IV, iterations ) ) != 0 )
-    {
-        return( ret );
-    }
-    return( 0 );
-}
-
-int pkcs12_pbe_sha1_rc4_128( asn1_buf *pbe_params, int mode,
-                             const unsigned char *pwd,  size_t pwdlen,
-                             const unsigned char *data, size_t len,
-                             unsigned char *output )
-{
-#if !defined(POLARSSL_ARC4_C)
-    ((void) pbe_params);
-    ((void) mode);
-    ((void) pwd);
-    ((void) pwdlen);
-    ((void) data);
-    ((void) len);
-    ((void) output);
-    return( POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE );
-#else
-    int ret;
-    unsigned char key[16];
-    arc4_context ctx;
-    ((void) mode);
-
-    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, POLARSSL_MD_SHA1,
-                                          pwd, pwdlen,
-                                          key, 16, NULL, 0 ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    arc4_setup( &ctx, key, 16 );
-    if( ( ret = arc4_crypt( &ctx, len, data, output ) ) != 0 )
-        return( ret );
-
-    return( 0 );
-#endif /* POLARSSL_ARC4_C */
-}
-
-int pkcs12_pbe( asn1_buf *pbe_params, int mode,
-                cipher_type_t cipher_type, md_type_t md_type,
-                const unsigned char *pwd,  size_t pwdlen,
-                const unsigned char *data, size_t len,
-                unsigned char *output )
-{
-    int ret, keylen = 0;
-    unsigned char key[32];
-    unsigned char iv[16];
-    const cipher_info_t *cipher_info;
-    cipher_context_t cipher_ctx;
-    size_t olen = 0;
-
-    cipher_info = cipher_info_from_type( cipher_type );
-    if( cipher_info == NULL )
-        return( POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE );
-
-    keylen = cipher_info->key_length / 8;
-
-    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen,
-                                          key, keylen,
-                                          iv, cipher_info->iv_size ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    if( ( ret = cipher_init_ctx( &cipher_ctx, cipher_info ) ) != 0 )
-        return( ret );
-
-    if( ( ret = cipher_setkey( &cipher_ctx, key, keylen, mode ) ) != 0 )
-        return( ret );
-
-    if( ( ret = cipher_reset( &cipher_ctx, iv ) ) != 0 )
-        return( ret );
-
-    if( ( ret = cipher_update( &cipher_ctx, data, len,
-                                output, &olen ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 )
-        return( POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH );
-
-    return( 0 );
-}
-
-static void pkcs12_fill_buffer( unsigned char *data, size_t data_len,
-                                const unsigned char *filler, size_t fill_len )
-{
-    unsigned char *p = data;
-    size_t use_len;
-
-    while( data_len > 0 )
-    {
-        use_len = ( data_len > fill_len ) ? fill_len : data_len;
-        memcpy( p, filler, use_len );
-        p += use_len;
-        data_len -= use_len;
-    }
-}
-
-int pkcs12_derivation( unsigned char *data, size_t datalen,
-                       const unsigned char *pwd, size_t pwdlen,
-                       const unsigned char *salt, size_t saltlen,
-                       md_type_t md_type, int id, int iterations )
-{
-    int ret, i;
-    unsigned int j;
-
-    unsigned char diversifier[128];
-    unsigned char salt_block[128], pwd_block[128], hash_block[128];
-    unsigned char hash_output[POLARSSL_MD_MAX_SIZE];
-    unsigned char *p;
-    unsigned char c;
-
-    size_t hlen, use_len, v;
-
-    const md_info_t *md_info;
-    md_context_t md_ctx;
-
-    // This version only allows max of 64 bytes of password or salt
-    if( datalen > 128 || pwdlen > 64 || saltlen > 64 )
-        return( POLARSSL_ERR_PKCS12_BAD_INPUT_DATA );
-
-    md_info = md_info_from_type( md_type );
-    if( md_info == NULL )
-        return( POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE );
-
-    if ( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
-        return( ret );
-    hlen = md_get_size( md_info );
-
-    if( hlen <= 32 )
-        v = 64;
-    else
-        v = 128;
-
-    memset( diversifier, (unsigned char) id, v );
-
-    pkcs12_fill_buffer( salt_block, v, salt, saltlen );
-    pkcs12_fill_buffer( pwd_block,  v, pwd,  pwdlen  );
-
-    p = data;
-    while( datalen > 0 )
-    {
-        // Calculate hash( diversifier || salt_block || pwd_block )
-        if( ( ret = md_starts( &md_ctx ) ) != 0 )
-            return( ret );
-
-        if( ( ret = md_update( &md_ctx, diversifier, v ) ) != 0 )
-            return( ret );
-
-        if( ( ret = md_update( &md_ctx, salt_block, v ) ) != 0 )
-            return( ret );
-
-        if( ( ret = md_update( &md_ctx, pwd_block, v ) ) != 0 )
-            return( ret );
-
-        if( ( ret = md_finish( &md_ctx, hash_output ) ) != 0 )
-            return( ret );
-
-        // Perform remaining ( iterations - 1 ) recursive hash calculations
-        for( i = 1; i < iterations; i++ )
-        {
-            if( ( ret = md( md_info, hash_output, hlen, hash_output ) ) != 0 )
-                return( ret );
-        }
-
-        use_len = ( datalen > hlen ) ? hlen : datalen;
-        memcpy( p, hash_output, use_len );
-        datalen -= use_len;
-        p += use_len;
-
-        if( datalen == 0 )
-            break;
-
-        // Concatenating copies of hash_output into hash_block (B)
-        pkcs12_fill_buffer( hash_block, v, hash_output, hlen );
-
-        // B += 1
-        for( i = v; i > 0; i-- )
-            if( ++hash_block[i - 1] != 0 )
-                break;
-
-        // salt_block += B
-        c = 0;
-        for( i = v; i > 0; i-- )
-        {
-            j = salt_block[i - 1] + hash_block[i - 1] + c;
-            c = (unsigned char) (j >> 8);
-            salt_block[i - 1] = j & 0xFF;
-        }
-
-        // pwd_block  += B
-        c = 0;
-        for( i = v; i > 0; i-- )
-        {
-            j = pwd_block[i - 1] + hash_block[i - 1] + c;
-            c = (unsigned char) (j >> 8);
-            pwd_block[i - 1] = j & 0xFF;
-        }
-    }
-
-    return( 0 );
-}
-
-#endif /* POLARSSL_PKCS12_C */
diff --git a/makerom/polarssl/pkcs5.c b/makerom/polarssl/pkcs5.c
deleted file mode 100644
index 8e55415b..00000000
--- a/makerom/polarssl/pkcs5.c
+++ /dev/null
@@ -1,415 +0,0 @@
-/**
- * \file pkcs5.c
- *
- * \brief PKCS#5 functions
- *
- * \author Mathias Olsson <mathias@kompetensum.com>
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- * PKCS#5 includes PBKDF2 and more
- *
- * http://tools.ietf.org/html/rfc2898 (Specification)
- * http://tools.ietf.org/html/rfc6070 (Test vectors)
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_PKCS5_C)
-
-#include "polarssl/pkcs5.h"
-#include "polarssl/asn1.h"
-#include "polarssl/cipher.h"
-
-#define OID_CMP(oid_str, oid_buf) \
-        ( ( OID_SIZE(oid_str) == (oid_buf)->len ) && \
-                memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) == 0)
-
-static int pkcs5_parse_pbkdf2_params( unsigned char **p,
-                                      const unsigned char *end,
-                                      asn1_buf *salt, int *iterations,
-                                      int *keylen, md_type_t *md_type )
-{
-    int ret;
-    size_t len = 0;
-    asn1_buf prf_alg_oid;
-
-    /*
-     *  PBKDF2-params ::= SEQUENCE {
-     *    salt              OCTET STRING,
-     *    iterationCount    INTEGER,
-     *    keyLength         INTEGER OPTIONAL
-     *    prf               AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
-     *  }
-     *
-     */
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-    }
-
-    end = *p + len;
-
-    if( ( ret = asn1_get_tag( p, end, &salt->len, ASN1_OCTET_STRING ) ) != 0 )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-
-    salt->p = *p;
-    *p += salt->len;
-
-    if( ( ret = asn1_get_int( p, end, iterations ) ) != 0 )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-
-    if( *p == end )
-        return( 0 );
-
-    if( ( ret = asn1_get_int( p, end, keylen ) ) != 0 )
-    {
-        if( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-            return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-    }
-
-    if( *p == end )
-        return( 0 );
-
-    if( ( ret = asn1_get_tag( p, end, &prf_alg_oid.len, ASN1_OID ) ) != 0 )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-
-    if( !OID_CMP( OID_HMAC_SHA1, &prf_alg_oid ) )
-        return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
-
-    *md_type = POLARSSL_MD_SHA1;
-
-    if( *p != end )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
-                 const unsigned char *pwd,  size_t pwdlen,
-                 const unsigned char *data, size_t datalen,
-                 unsigned char *output )
-{
-    int ret, iterations = 0, keylen = 0;
-    unsigned char *p, *end, *end2;
-    asn1_buf kdf_alg_oid, enc_scheme_oid, salt;
-    md_type_t md_type = POLARSSL_MD_SHA1;
-    unsigned char key[32], iv[32];
-    size_t len = 0, olen = 0;
-    const md_info_t *md_info;
-    const cipher_info_t *cipher_info;
-    md_context_t md_ctx;
-    cipher_context_t cipher_ctx;
-
-    p = pbe_params->p;
-    end = p + pbe_params->len;
-
-    /*
-     *  PBES2-params ::= SEQUENCE {
-     *    keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
-     *    encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
-     *  }
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-    }
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-    }
-
-    end2 = p + len;
-
-    if( ( ret = asn1_get_tag( &p, end2, &kdf_alg_oid.len, ASN1_OID ) ) != 0 )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-
-    kdf_alg_oid.p = p;
-    p += kdf_alg_oid.len;
-
-    // Only PBKDF2 supported at the moment
-    //
-    if( !OID_CMP( OID_PKCS5_PBKDF2, &kdf_alg_oid ) )
-        return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
-
-    if( ( ret = pkcs5_parse_pbkdf2_params( &p, end2,
-                                           &salt, &iterations, &keylen,
-                                           &md_type ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    md_info = md_info_from_type( md_type );
-    if( md_info == NULL )
-        return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-    }
-
-    end2 = p + len;
-
-    if( ( ret = asn1_get_tag( &p, end2, &enc_scheme_oid.len, ASN1_OID ) ) != 0 )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-
-    enc_scheme_oid.p = p;
-    p += enc_scheme_oid.len;
-
-#if defined(POLARSSL_DES_C)
-    // Only DES-CBC and DES-EDE3-CBC supported at the moment
-    //
-    if( OID_CMP( OID_DES_EDE3_CBC, &enc_scheme_oid ) )
-    {
-        cipher_info = cipher_info_from_type( POLARSSL_CIPHER_DES_EDE3_CBC );
-    }
-    else if( OID_CMP( OID_DES_CBC, &enc_scheme_oid ) )
-    {
-        cipher_info = cipher_info_from_type( POLARSSL_CIPHER_DES_CBC );
-    }
-    else
-#endif /* POLARSSL_DES_C */
-        return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
-
-    if( cipher_info == NULL )
-        return( POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE );
-
-    keylen = cipher_info->key_length / 8;
-
-    if( ( ret = asn1_get_tag( &p, end2, &len, ASN1_OCTET_STRING ) ) != 0 )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT + ret );
-
-    if( len != cipher_info->iv_size )
-        return( POLARSSL_ERR_PKCS5_INVALID_FORMAT );
-
-    memcpy( iv, p, len );
-
-    if( ( ret = md_init_ctx( &md_ctx, md_info ) ) != 0 )
-        return( ret );
-
-    if( ( ret = cipher_init_ctx( &cipher_ctx, cipher_info ) ) != 0 )
-        return( ret );
-
-    if ( ( ret = pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
-                                    iterations, keylen, key ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    if( ( ret = cipher_setkey( &cipher_ctx, key, keylen, mode ) ) != 0 )
-        return( ret );
-
-    if( ( ret = cipher_reset( &cipher_ctx, iv ) ) != 0 )
-        return( ret );
-
-    if( ( ret = cipher_update( &cipher_ctx, data, datalen,
-                                output, &olen ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    if( ( ret = cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 )
-        return( POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH );
-
-    return( 0 );
-}
-
-int pkcs5_pbkdf2_hmac( md_context_t *ctx, const unsigned char *password,
-                       size_t plen, const unsigned char *salt, size_t slen,
-                       unsigned int iteration_count,
-                       uint32_t key_length, unsigned char *output )
-{
-    int ret, j;
-    unsigned int i;
-    unsigned char md1[POLARSSL_MD_MAX_SIZE];
-    unsigned char work[POLARSSL_MD_MAX_SIZE];
-    unsigned char md_size = md_get_size( ctx->md_info );
-    size_t use_len;
-    unsigned char *out_p = output;
-    unsigned char counter[4];
-
-    memset( counter, 0, 4 );
-    counter[3] = 1;
-
-    if( iteration_count > 0xFFFFFFFF )
-        return( POLARSSL_ERR_PKCS5_BAD_INPUT_DATA );
-
-    while( key_length )
-    {
-        // U1 ends up in work
-        //
-        if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
-            return( ret );
-
-        if( ( ret = md_hmac_update( ctx, salt, slen ) ) != 0 )
-            return( ret );
-
-        if( ( ret = md_hmac_update( ctx, counter, 4 ) ) != 0 )
-            return( ret );
-
-        if( ( ret = md_hmac_finish( ctx, work ) ) != 0 )
-            return( ret );
-
-        memcpy( md1, work, md_size );
-
-        for ( i = 1; i < iteration_count; i++ )
-        {
-            // U2 ends up in md1
-            //
-            if( ( ret = md_hmac_starts( ctx, password, plen ) ) != 0 )
-                return( ret );
-
-            if( ( ret = md_hmac_update( ctx, md1, md_size ) ) != 0 )
-                return( ret );
-
-            if( ( ret = md_hmac_finish( ctx, md1 ) ) != 0 )
-                return( ret );
-
-            // U1 xor U2
-            //
-            for( j = 0; j < md_size; j++ )
-                work[j] ^= md1[j];
-        }
-
-        use_len = ( key_length < md_size ) ? key_length : md_size;
-        memcpy( out_p, work, use_len );
-
-        key_length -= use_len;
-        out_p += use_len;
-
-        for( i = 4; i > 0; i-- )
-            if( ++counter[i - 1] != 0 )
-                break;
-    }
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-#define MAX_TESTS   6
-
-size_t plen[MAX_TESTS] =
-    { 8, 8, 8, 8, 24, 9 };
-
-unsigned char password[MAX_TESTS][32] =
-{
-    "password",
-    "password",
-    "password",
-    "password",
-    "passwordPASSWORDpassword",
-    "pass\0word",
-};
-
-size_t slen[MAX_TESTS] =
-    { 4, 4, 4, 4, 36, 5 };
-
-unsigned char salt[MAX_TESTS][40] =
-{
-    "salt",
-    "salt",
-    "salt",
-    "salt",
-    "saltSALTsaltSALTsaltSALTsaltSALTsalt",
-    "sa\0lt",
-};
-
-uint32_t it_cnt[MAX_TESTS] =
-    { 1, 2, 4096, 16777216, 4096, 4096 };
-
-uint32_t key_len[MAX_TESTS] =
-    { 20, 20, 20, 20, 25, 16 };
-
-
-unsigned char result_key[MAX_TESTS][32] = 
-{
-    { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
-      0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
-      0x2f, 0xe0, 0x37, 0xa6 },
-    { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
-      0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
-      0xd8, 0xde, 0x89, 0x57 },
-    { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
-      0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
-      0x65, 0xa4, 0x29, 0xc1 },
-    { 0xee, 0xfe, 0x3d, 0x61, 0xcd, 0x4d, 0xa4, 0xe4,
-      0xe9, 0x94, 0x5b, 0x3d, 0x6b, 0xa2, 0x15, 0x8c,
-      0x26, 0x34, 0xe9, 0x84 },
-    { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
-      0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
-      0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
-      0x38 },
-    { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
-      0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
-};
-
-int pkcs5_self_test( int verbose )
-{
-    md_context_t sha1_ctx;
-    const md_info_t *info_sha1;
-    int ret, i;
-    unsigned char key[64];
-
-    info_sha1 = md_info_from_type( POLARSSL_MD_SHA1 );
-    if( info_sha1 == NULL )
-        return( 1 );
-
-    if( ( ret = md_init_ctx( &sha1_ctx, info_sha1 ) ) != 0 )
-        return( 1 );
-
-    for( i = 0; i < MAX_TESTS; i++ )
-    {
-        printf( "  PBKDF2 (SHA1) #%d: ", i );
-
-        ret = pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i],
-                                  slen[i], it_cnt[i], key_len[i], key );
-        if( ret != 0 ||
-            memcmp( result_key[i], key, key_len[i] ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    printf( "\n" );
-
-    return( 0 );
-}
-
-#endif /* POLARSSL_SELF_TEST */
-
-#endif /* POLARSSL_PKCS5_C */
diff --git a/makerom/polarssl/ssl_cache.c b/makerom/polarssl/ssl_cache.c
deleted file mode 100644
index f5686be0..00000000
--- a/makerom/polarssl/ssl_cache.c
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- *  SSL session cache implementation
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- * These session callbacks use a simple chained list
- * to store and retrieve the session information.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SSL_CACHE_C)
-
-#include "polarssl/ssl_cache.h"
-
-#include <stdlib.h>
-
-void ssl_cache_init( ssl_cache_context *cache )
-{
-    memset( cache, 0, sizeof( ssl_cache_context ) );
-
-    cache->timeout = SSL_CACHE_DEFAULT_TIMEOUT;
-    cache->max_entries = SSL_CACHE_DEFAULT_MAX_ENTRIES;
-}
-
-int ssl_cache_get( void *data, ssl_session *session )
-{
-    time_t t = time( NULL );
-    ssl_cache_context *cache = (ssl_cache_context *) data;
-    ssl_cache_entry *cur, *entry;
-
-    cur = cache->chain;
-    entry = NULL;
-
-    while( cur != NULL )
-    {
-        entry = cur;
-        cur = cur->next;
-
-        if( cache->timeout != 0 &&
-            (int) ( t - entry->timestamp ) > cache->timeout )
-            continue;
-
-        if( session->ciphersuite != entry->session.ciphersuite ||
-            session->compression != entry->session.compression ||
-            session->length != entry->session.length )
-            continue;
-
-        if( memcmp( session->id, entry->session.id,
-                    entry->session.length ) != 0 )
-            continue;
-
-        memcpy( session->master, entry->session.master, 48 );
-
-        /*
-         * Restore peer certificate (without rest of the original chain)
-         */
-        if( entry->peer_cert.p != NULL )
-        {
-            session->peer_cert = (x509_cert *) malloc( sizeof(x509_cert) );
-            if( session->peer_cert == NULL )
-                return( 1 );
-
-            memset( session->peer_cert, 0, sizeof(x509_cert) );
-            if( x509parse_crt( session->peer_cert, entry->peer_cert.p,
-                               entry->peer_cert.len ) != 0 )
-            {
-                free( session->peer_cert );
-                session->peer_cert = NULL;
-                return( 1 );
-            }
-        }
-
-        return( 0 );
-    }
-
-    return( 1 );
-}
-
-int ssl_cache_set( void *data, const ssl_session *session )
-{
-    time_t t = time( NULL ), oldest = 0;
-    ssl_cache_context *cache = (ssl_cache_context *) data;
-    ssl_cache_entry *cur, *prv, *old = NULL;
-    int count = 0;
-
-    cur = cache->chain;
-    prv = NULL;
-
-    while( cur != NULL )
-    {
-        count++;
-
-        if( cache->timeout != 0 &&
-            (int) ( t - cur->timestamp ) > cache->timeout )
-        {
-            cur->timestamp = t;
-            break; /* expired, reuse this slot, update timestamp */
-        }
-
-        if( memcmp( session->id, cur->session.id, cur->session.length ) == 0 )
-            break; /* client reconnected, keep timestamp for session id */
-
-        if( oldest == 0 || cur->timestamp < oldest )
-        {
-            oldest = cur->timestamp;
-            old = cur;
-        }
-
-        prv = cur;
-        cur = cur->next;
-    }
-
-    if( cur == NULL )
-    {
-        /*
-         * Reuse oldest entry if max_entries reached
-         */
-        if( old != NULL && count >= cache->max_entries )
-        {
-            cur = old;
-            memset( &cur->session, 0, sizeof(ssl_session) );
-            if( cur->peer_cert.p != NULL )
-            {
-                free( cur->peer_cert.p );
-                memset( &cur->peer_cert, 0, sizeof(x509_buf) );
-            }
-        }
-        else
-        {
-            cur = (ssl_cache_entry *) malloc( sizeof(ssl_cache_entry) );
-            if( cur == NULL )
-                return( 1 );
-
-            memset( cur, 0, sizeof(ssl_cache_entry) );
-
-            if( prv == NULL )
-                cache->chain = cur;
-            else
-                prv->next = cur;
-        }
-
-        cur->timestamp = t;
-    }
-
-    memcpy( &cur->session, session, sizeof( ssl_session ) );
-    
-    /*
-     * Store peer certificate
-     */
-    if( session->peer_cert != NULL )
-    {
-        cur->peer_cert.p = (unsigned char *) malloc( session->peer_cert->raw.len );
-        if( cur->peer_cert.p == NULL )
-            return( 1 );
-
-        memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
-                session->peer_cert->raw.len );
-        cur->peer_cert.len = session->peer_cert->raw.len;
-
-        cur->session.peer_cert = NULL;
-    }
-
-    return( 0 );
-}
-
-void ssl_cache_set_timeout( ssl_cache_context *cache, int timeout )
-{
-    if( timeout < 0 ) timeout = 0;
-
-    cache->timeout = timeout;
-}
-
-void ssl_cache_set_max_entries( ssl_cache_context *cache, int max )
-{
-    if( max < 0 ) max = 0;
-
-    cache->max_entries = max;
-}
-
-void ssl_cache_free( ssl_cache_context *cache )
-{
-    ssl_cache_entry *cur, *prv;
-
-    cur = cache->chain;
-
-    while( cur != NULL )
-    {
-        prv = cur;
-        cur = cur->next;
-
-        ssl_session_free( &prv->session );
-
-        if( prv->peer_cert.p != NULL )
-            free( prv->peer_cert.p );
-
-        free( prv );
-    }
-}
-
-#endif /* POLARSSL_SSL_CACHE_C */
diff --git a/makerom/polarssl/ssl_cli.c b/makerom/polarssl/ssl_cli.c
deleted file mode 100644
index e4a102b9..00000000
--- a/makerom/polarssl/ssl_cli.c
+++ /dev/null
@@ -1,1386 +0,0 @@
-/*
- *  SSLv3/TLSv1 client-side functions
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SSL_CLI_C)
-
-#include "polarssl/debug.h"
-#include "polarssl/ssl.h"
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <time.h>
-
-#if defined(POLARSSL_SHA4_C)
-#include "polarssl/sha4.h"
-#endif
-
-static int ssl_write_client_hello( ssl_context *ssl )
-{
-    int ret;
-    size_t i, n, ext_len = 0;
-    unsigned char *buf;
-    unsigned char *p;
-    time_t t;
-    unsigned char sig_alg_list[20];
-    size_t sig_alg_len = 0;
-
-    SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
-
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-    {
-        ssl->major_ver = ssl->min_major_ver;
-        ssl->minor_ver = ssl->min_minor_ver;
-    }
-
-    if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
-    {
-        ssl->max_major_ver = SSL_MAJOR_VERSION_3;
-        ssl->max_minor_ver = SSL_MINOR_VERSION_3;
-    }
-
-    /*
-     *     0  .   0   handshake type
-     *     1  .   3   handshake length
-     *     4  .   5   highest version supported
-     *     6  .   9   current UNIX time
-     *    10  .  37   random bytes
-     */
-    buf = ssl->out_msg;
-    p = buf + 4;
-
-    *p++ = (unsigned char) ssl->max_major_ver;
-    *p++ = (unsigned char) ssl->max_minor_ver;
-
-    SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
-                   buf[4], buf[5] ) );
-
-    t = time( NULL );
-    *p++ = (unsigned char)( t >> 24 );
-    *p++ = (unsigned char)( t >> 16 );
-    *p++ = (unsigned char)( t >>  8 );
-    *p++ = (unsigned char)( t       );
-
-    SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
-
-    if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
-        return( ret );
-
-    p += 28;
-
-    memcpy( ssl->handshake->randbytes, buf + 6, 32 );
-
-    SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 6, 32 );
-
-    /*
-     *    38  .  38   session id length
-     *    39  . 39+n  session id
-     *   40+n . 41+n  ciphersuitelist length
-     *   42+n . ..    ciphersuitelist
-     *   ..   . ..    compression methods length
-     *   ..   . ..    compression methods
-     *   ..   . ..    extensions length
-     *   ..   . ..    extensions
-     */
-    n = ssl->session_negotiate->length;
-
-    if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 ||
-        ssl->handshake->resume == 0 )
-        n = 0;
-
-    *p++ = (unsigned char) n;
-
-    for( i = 0; i < n; i++ )
-        *p++ = ssl->session_negotiate->id[i];
-
-    SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
-    SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );
-
-    for( n = 0; ssl->ciphersuites[ssl->minor_ver][n] != 0; n++ );
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++;
-    *p++ = (unsigned char)( n >> 7 );
-    *p++ = (unsigned char)( n << 1 );
-
-    /*
-     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
-     */
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-    {
-        *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
-        *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO      );
-        n--;
-    }
-
-    SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
-
-    for( i = 0; i < n; i++ )
-    {
-        SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
-                       ssl->ciphersuites[ssl->minor_ver][i] ) );
-
-        *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i] >> 8 );
-        *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i]      );
-    }
-
-#if defined(POLARSSL_ZLIB_SUPPORT)
-    SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
-    SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
-                        SSL_COMPRESS_DEFLATE, SSL_COMPRESS_NULL ) );
-
-    *p++ = 2;
-    *p++ = SSL_COMPRESS_DEFLATE;
-    *p++ = SSL_COMPRESS_NULL;
-#else
-    SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
-    SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d", SSL_COMPRESS_NULL ) );
-
-    *p++ = 1;
-    *p++ = SSL_COMPRESS_NULL;
-#endif
-
-    if ( ssl->hostname != NULL )
-    {
-        SSL_DEBUG_MSG( 3, ( "client hello, prepping for server name extension: %s",
-                       ssl->hostname ) );
-
-        ext_len += ssl->hostname_len + 9;
-    }
-
-    if( ssl->renegotiation == SSL_RENEGOTIATION )
-    {
-        SSL_DEBUG_MSG( 3, ( "client hello, prepping for renegotiation extension" ) );
-        ext_len += 5 + ssl->verify_data_len;
-    }
-
-    /*
-     * Prepare signature_algorithms extension (TLS 1.2)
-     */
-    if( ssl->max_minor_ver == SSL_MINOR_VERSION_3 )
-    {
-#if defined(POLARSSL_SHA4_C)
-        sig_alg_list[sig_alg_len++] = SSL_HASH_SHA512;
-        sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
-        sig_alg_list[sig_alg_len++] = SSL_HASH_SHA384;
-        sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
-#endif
-#if defined(POLARSSL_SHA2_C)
-        sig_alg_list[sig_alg_len++] = SSL_HASH_SHA256;
-        sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
-        sig_alg_list[sig_alg_len++] = SSL_HASH_SHA224;
-        sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
-#endif
-#if defined(POLARSSL_SHA1_C)
-        sig_alg_list[sig_alg_len++] = SSL_HASH_SHA1;
-        sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
-#endif
-#if defined(POLARSSL_MD5_C)
-        sig_alg_list[sig_alg_len++] = SSL_HASH_MD5;
-        sig_alg_list[sig_alg_len++] = SSL_SIG_RSA;
-#endif
-        ext_len += 6 + sig_alg_len;
-    }
-
-    SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
-                   ext_len ) );
-
-    *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
-    *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
-
-    if ( ssl->hostname != NULL )
-    {
-        /*
-         * struct {
-         *     NameType name_type;
-         *     select (name_type) {
-         *         case host_name: HostName;
-         *     } name;
-         * } ServerName;
-         *
-         * enum {
-         *     host_name(0), (255)
-         * } NameType;
-         *
-         * opaque HostName<1..2^16-1>;
-         *
-         * struct {
-         *     ServerName server_name_list<1..2^16-1>
-         * } ServerNameList;
-         */
-        SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
-                       ssl->hostname ) );
-
-        *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME      ) & 0xFF );
-
-        *p++ = (unsigned char)( ( (ssl->hostname_len + 5) >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( (ssl->hostname_len + 5)      ) & 0xFF );
-
-        *p++ = (unsigned char)( ( (ssl->hostname_len + 3) >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( (ssl->hostname_len + 3)      ) & 0xFF );
-
-        *p++ = (unsigned char)( ( TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
-        *p++ = (unsigned char)( ( ssl->hostname_len >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( ssl->hostname_len      ) & 0xFF );
-
-        memcpy( p, ssl->hostname, ssl->hostname_len );
-        p += ssl->hostname_len;
-    }
-
-    if( ssl->renegotiation == SSL_RENEGOTIATION )
-    {
-        /*
-         * Secure renegotiation
-         */
-        SSL_DEBUG_MSG( 3, ( "client hello, renegotiation info extension" ) );
-
-        *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
-
-        *p++ = 0x00;
-        *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
-        *p++ = ssl->verify_data_len & 0xFF;
-
-        memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
-        p += ssl->verify_data_len;
-    }
-
-    if( ssl->max_minor_ver == SSL_MINOR_VERSION_3 )
-    {
-        /*
-         * enum {
-         *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
-         *     sha512(6), (255)
-         * } HashAlgorithm;
-         *
-         * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
-         *   SignatureAlgorithm;
-         *
-         * struct {
-         *     HashAlgorithm hash;
-         *     SignatureAlgorithm signature;
-         * } SignatureAndHashAlgorithm;
-         *
-         * SignatureAndHashAlgorithm
-         *   supported_signature_algorithms<2..2^16-2>;
-         */
-        SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
-
-        *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( TLS_EXT_SIG_ALG      ) & 0xFF );
-
-        *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( ( sig_alg_len + 2 )      ) & 0xFF );
-
-        *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( sig_alg_len      ) & 0xFF );
-
-        memcpy( p, sig_alg_list, sig_alg_len );
-
-        p += sig_alg_len;
-    }
-
-    ssl->out_msglen  = p - buf;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_CLIENT_HELLO;
-
-    ssl->state++;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
-
-    return( 0 );
-}
-
-static int ssl_parse_renegotiation_info( ssl_context *ssl,
-                                         unsigned char *buf,
-                                         size_t len )
-{
-    int ret;
-
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-    {
-        if( len != 1 || buf[0] != 0x0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
-
-            if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                return( ret );
-
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-        }
-
-        ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
-    }
-    else
-    {
-        if( len    != 1 + ssl->verify_data_len * 2 ||
-            buf[0] !=     ssl->verify_data_len * 2 ||
-            memcmp( buf + 1, ssl->own_verify_data,  ssl->verify_data_len ) != 0 ||
-            memcmp( buf + 1 + ssl->verify_data_len,
-                    ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
-
-            if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                return( ret );
-
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-        }
-    }
-
-    return( 0 );
-}
-
-static int ssl_parse_server_hello( ssl_context *ssl )
-{
-#if defined(POLARSSL_DEBUG_C)
-    time_t t;
-#endif
-    int ret, i, comp;
-    size_t n;
-    size_t ext_len = 0;
-    unsigned char *buf, *ext;
-    int renegotiation_info_seen = 0;
-    int handshake_failure = 0;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
-
-    /*
-     *     0  .   0   handshake type
-     *     1  .   3   handshake length
-     *     4  .   5   protocol version
-     *     6  .   9   UNIX time()
-     *    10  .  37   random bytes
-     */
-    buf = ssl->in_msg;
-
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-        return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-    }
-
-    SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
-                   buf[4], buf[5] ) );
-
-    if( ssl->in_hslen < 42 ||
-        buf[0] != SSL_HS_SERVER_HELLO ||
-        buf[4] != SSL_MAJOR_VERSION_3 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-    }
-
-    if( buf[5] > ssl->max_minor_ver )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-    }
-
-    ssl->minor_ver = buf[5];
-
-    if( ssl->minor_ver < ssl->min_minor_ver )
-    {
-        SSL_DEBUG_MSG( 1, ( "server only supports ssl smaller than minimum"
-                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
-                            buf[4], buf[5] ) );
-
-        ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
-                                     SSL_ALERT_MSG_PROTOCOL_VERSION );
-
-        return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
-    }
-
-#if defined(POLARSSL_DEBUG_C)
-    t = ( (time_t) buf[6] << 24 )
-      | ( (time_t) buf[7] << 16 )
-      | ( (time_t) buf[8] <<  8 )
-      | ( (time_t) buf[9]       );
-#endif
-
-    memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
-
-    n = buf[38];
-
-    SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
-    SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 6, 32 );
-
-    if( n > 32 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-    }
-
-    /*
-     *    38  .  38   session id length
-     *    39  . 38+n  session id
-     *   39+n . 40+n  chosen ciphersuite
-     *   41+n . 41+n  chosen compression alg.
-     *   42+n . 43+n  extensions length
-     *   44+n . 44+n+m extensions
-     */
-    if( ssl->in_hslen > 42 + n )
-    {
-        ext_len = ( ( buf[42 + n] <<  8 )
-                  | ( buf[43 + n]       ) );
-
-        if( ( ext_len > 0 && ext_len < 4 ) ||
-            ssl->in_hslen != 44 + n + ext_len )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-        }
-    }
-
-    i = ( buf[39 + n] << 8 ) | buf[40 + n];
-    comp = buf[41 + n];
-
-    /*
-     * Initialize update checksum functions
-     */
-    ssl_optimize_checksum( ssl, i );
-
-    SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
-    SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
-
-    /*
-     * Check if the session can be resumed
-     */
-    if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
-        ssl->handshake->resume == 0 || n == 0 ||
-        ssl->session_negotiate->ciphersuite != i ||
-        ssl->session_negotiate->compression != comp ||
-        ssl->session_negotiate->length != n ||
-        memcmp( ssl->session_negotiate->id, buf + 39, n ) != 0 )
-    {
-        ssl->state++;
-        ssl->handshake->resume = 0;
-        ssl->session_negotiate->start = time( NULL );
-        ssl->session_negotiate->ciphersuite = i;
-        ssl->session_negotiate->compression = comp;
-        ssl->session_negotiate->length = n;
-        memcpy( ssl->session_negotiate->id, buf + 39, n );
-    }
-    else
-    {
-        ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
-
-        if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
-            return( ret );
-        }
-    }
-
-    SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
-                   ssl->handshake->resume ? "a" : "no" ) );
-
-    SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d", i ) );
-    SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[41 + n] ) );
-
-    i = 0;
-    while( 1 )
-    {
-        if( ssl->ciphersuites[ssl->minor_ver][i] == 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-        }
-
-        if( ssl->ciphersuites[ssl->minor_ver][i++] == ssl->session_negotiate->ciphersuite )
-            break;
-    }
-
-    if( comp != SSL_COMPRESS_NULL
-#if defined(POLARSSL_ZLIB_SUPPORT)
-        && comp != SSL_COMPRESS_DEFLATE
-#endif
-      )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-    }
-    ssl->session_negotiate->compression = comp;
-
-    ext = buf + 44 + n;
-
-    while( ext_len )
-    {
-        unsigned int ext_id   = ( ( ext[0] <<  8 )
-                                | ( ext[1]       ) );
-        unsigned int ext_size = ( ( ext[2] <<  8 )
-                                | ( ext[3]       ) );
-
-        if( ext_size + 4 > ext_len )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-        }
-
-        switch( ext_id )
-        {
-        case TLS_EXT_RENEGOTIATION_INFO:
-            SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
-            renegotiation_info_seen = 1;
-
-            if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ) ) != 0 )
-                return( ret );
-
-            break;
-
-        default:
-            SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
-                           ext_id ) );
-        }
-
-        ext_len -= 4 + ext_size;
-        ext += 4 + ext_size;
-
-        if( ext_len > 0 && ext_len < 4 )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-        }
-    }
-
-    /*
-     * Renegotiation security checks
-     */
-    if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-        ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
-        handshake_failure = 1;
-    } 
-    else if( ssl->renegotiation == SSL_RENEGOTIATION &&
-             ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
-             renegotiation_info_seen == 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
-        handshake_failure = 1;
-    }
-    else if( ssl->renegotiation == SSL_RENEGOTIATION &&
-             ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-             ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
-    {
-        SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
-        handshake_failure = 1;
-    }
-    else if( ssl->renegotiation == SSL_RENEGOTIATION &&
-             ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-             renegotiation_info_seen == 1 )
-    {
-        SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
-        handshake_failure = 1;
-    }
-
-    if( handshake_failure == 1 )
-    {
-        if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-            return( ret );
-
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
-
-    return( 0 );
-}
-
-static int ssl_parse_server_key_exchange( ssl_context *ssl )
-{
-#if defined(POLARSSL_DHM_C)
-    int ret;
-    size_t n;
-    unsigned char *p, *end;
-    unsigned char hash[64];
-    md5_context md5;
-    sha1_context sha1;
-    int hash_id = SIG_RSA_RAW;
-    unsigned int hashlen = 0;
-#endif
-
-    SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
-
-    if( ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_DES_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-    {
-        SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
-        ssl->state++;
-        return( 0 );
-    }
-
-#if !defined(POLARSSL_DHM_C)
-    SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
-    return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-#else
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-        return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-    }
-
-    if( ssl->in_msg[0] != SSL_HS_SERVER_KEY_EXCHANGE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
-    }
-
-    SSL_DEBUG_BUF( 3,   "server key exchange", ssl->in_msg + 4, ssl->in_hslen - 4 );
-
-    /*
-     * Ephemeral DH parameters:
-     *
-     * struct {
-     *     opaque dh_p<1..2^16-1>;
-     *     opaque dh_g<1..2^16-1>;
-     *     opaque dh_Ys<1..2^16-1>;
-     * } ServerDHParams;
-     */
-    p   = ssl->in_msg + 4;
-    end = ssl->in_msg + ssl->in_hslen;
-
-    if( ( ret = dhm_read_params( &ssl->handshake->dhm_ctx, &p, end ) ) != 0 )
-    {
-        SSL_DEBUG_MSG( 2, ( "DHM Read Params returned -0x%x", -ret ) );
-        SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 
-    }
-
-    if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
-    {
-        if( p[1] != SSL_SIG_RSA )
-        {
-            SSL_DEBUG_MSG( 2, ( "server used unsupported SignatureAlgorithm %d", p[1] ) );
-            SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 
-        }
-
-        switch( p[0] )
-        {
-#if defined(POLARSSL_MD5_C)
-            case SSL_HASH_MD5:
-                hash_id = SIG_RSA_MD5;
-                break;
-#endif
-#if defined(POLARSSL_SHA1_C)
-            case SSL_HASH_SHA1:
-                hash_id = SIG_RSA_SHA1;
-                break;
-#endif
-#if defined(POLARSSL_SHA2_C)
-            case SSL_HASH_SHA224:
-                hash_id = SIG_RSA_SHA224;
-                break;
-            case SSL_HASH_SHA256:
-                hash_id = SIG_RSA_SHA256;
-                break;
-#endif
-#if defined(POLARSSL_SHA4_C)
-            case SSL_HASH_SHA384:
-                hash_id = SIG_RSA_SHA384;
-                break;
-            case SSL_HASH_SHA512:
-                hash_id = SIG_RSA_SHA512;
-                break;
-#endif
-            default:
-                SSL_DEBUG_MSG( 2, ( "Server used unsupported HashAlgorithm %d", p[0] ) );
-                SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-                return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE ); 
-        }      
-
-        SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", p[1] ) );
-        SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", p[0] ) );
-        p += 2;
-    }
-
-    n = ( p[0] << 8 ) | p[1];
-    p += 2;
-
-    if( end != p + n )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
-    }
-
-    if( (unsigned int)( end - p ) !=
-        ssl->session_negotiate->peer_cert->rsa.len )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
-    }
-
-    if( ssl->handshake->dhm_ctx.len < 64 || ssl->handshake->dhm_ctx.len > 512 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
-    }
-
-    SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
-    SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
-    SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
-
-    if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
-    {
-        /*
-         * digitally-signed struct {
-         *     opaque md5_hash[16];
-         *     opaque sha_hash[20];
-         * };
-         *
-         * md5_hash
-         *     MD5(ClientHello.random + ServerHello.random
-         *                            + ServerParams);
-         * sha_hash
-         *     SHA(ClientHello.random + ServerHello.random
-         *                            + ServerParams);
-         */
-        n = ssl->in_hslen - ( end - p ) - 6;
-
-        md5_starts( &md5 );
-        md5_update( &md5, ssl->handshake->randbytes, 64 );
-        md5_update( &md5, ssl->in_msg + 4, n );
-        md5_finish( &md5, hash );
-
-        sha1_starts( &sha1 );
-        sha1_update( &sha1, ssl->handshake->randbytes, 64 );
-        sha1_update( &sha1, ssl->in_msg + 4, n );
-        sha1_finish( &sha1, hash + 16 );
-
-        hash_id = SIG_RSA_RAW;
-        hashlen = 36;
-    }
-    else
-    {
-        sha2_context sha2;
-#if defined(POLARSSL_SHA4_C)
-        sha4_context sha4;
-#endif
-
-        n = ssl->in_hslen - ( end - p ) - 8;
-
-        /*
-         * digitally-signed struct {
-         *     opaque client_random[32];
-         *     opaque server_random[32];
-         *     ServerDHParams params;
-         * };
-         */
-        switch( hash_id )
-        {
-#if defined(POLARSSL_MD5_C)
-            case SIG_RSA_MD5:
-                md5_starts( &md5 );
-                md5_update( &md5, ssl->handshake->randbytes, 64 );
-                md5_update( &md5, ssl->in_msg + 4, n );
-                md5_finish( &md5, hash );
-                hashlen = 16;
-                break;
-#endif
-#if defined(POLARSSL_SHA1_C)
-            case SIG_RSA_SHA1:
-                sha1_starts( &sha1 );
-                sha1_update( &sha1, ssl->handshake->randbytes, 64 );
-                sha1_update( &sha1, ssl->in_msg + 4, n );
-                sha1_finish( &sha1, hash );
-                hashlen = 20;
-                break;
-#endif
-#if defined(POLARSSL_SHA2_C)
-            case SIG_RSA_SHA224:
-                sha2_starts( &sha2, 1 );
-                sha2_update( &sha2, ssl->handshake->randbytes, 64 );
-                sha2_update( &sha2, ssl->in_msg + 4, n );
-                sha2_finish( &sha2, hash );
-                hashlen = 28;
-                break;
-            case SIG_RSA_SHA256:
-                sha2_starts( &sha2, 0 );
-                sha2_update( &sha2, ssl->handshake->randbytes, 64 );
-                sha2_update( &sha2, ssl->in_msg + 4, n );
-                sha2_finish( &sha2, hash );
-                hashlen = 32;
-                break;
-#endif
-#if defined(POLARSSL_SHA4_C)
-            case SIG_RSA_SHA384:
-                sha4_starts( &sha4, 1 );
-                sha4_update( &sha4, ssl->handshake->randbytes, 64 );
-                sha4_update( &sha4, ssl->in_msg + 4, n );
-                sha4_finish( &sha4, hash );
-                hashlen = 48;
-                break;
-            case SIG_RSA_SHA512:
-                sha4_starts( &sha4, 0 );
-                sha4_update( &sha4, ssl->handshake->randbytes, 64 );
-                sha4_update( &sha4, ssl->in_msg + 4, n );
-                sha4_finish( &sha4, hash );
-                hashlen = 64;
-                break;
-#endif
-        }
-    }
-    
-    SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
-
-    if( ( ret = rsa_pkcs1_verify( &ssl->session_negotiate->peer_cert->rsa,
-                                  RSA_PUBLIC,
-                                  hash_id, hashlen, hash, p ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
-        return( ret );
-    }
-
-    ssl->state++;
-
-    SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
-
-    return( 0 );
-#endif
-}
-
-static int ssl_parse_certificate_request( ssl_context *ssl )
-{
-    int ret;
-    unsigned char *buf, *p;
-    size_t n = 0, m = 0;
-    size_t cert_type_len = 0, sig_alg_len = 0, dn_len = 0;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
-
-    /*
-     *     0  .   0   handshake type
-     *     1  .   3   handshake length
-     *     4  .   4   cert type count
-     *     5  .. m-1  cert types
-     *     m  .. m+1  sig alg length (TLS 1.2 only)
-     *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
-     *     n  .. n+1  length of all DNs
-     *    n+2 .. n+3  length of DN 1
-     *    n+4 .. ...  Distinguished Name #1
-     *    ... .. ...  length of DN 2, etc.
-     */
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
-        return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-    }
-
-    ssl->client_auth = 0;
-    ssl->state++;
-
-    if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
-        ssl->client_auth++;
-
-    SSL_DEBUG_MSG( 3, ( "got %s certificate request",
-                        ssl->client_auth ? "a" : "no" ) );
-
-    if( ssl->client_auth == 0 )
-        goto exit;
-
-    // TODO: handshake_failure alert for an anonymous server to request
-    // client authentication
-
-    buf = ssl->in_msg;
-    
-    // Retrieve cert types
-    //
-    cert_type_len = buf[4];
-    n = cert_type_len;
-
-    if( ssl->in_hslen < 6 + n )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
-    }
-
-    p = buf + 5;
-    while( cert_type_len > 0 )
-    {
-        if( *p == SSL_CERT_TYPE_RSA_SIGN )
-        {
-            ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN;
-            break;
-        }
-
-        cert_type_len--;
-        p++;
-    }
-
-    if( ssl->handshake->cert_type == 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "no known cert_type provided" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
-    }
-
-    if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
-    {
-        sig_alg_len = ( ( buf[5 + n] <<  8 )
-                      | ( buf[6 + n]       ) );
-
-        p = buf + 7 + n;
-        m += 2;
-        n += sig_alg_len;
-
-        if( ssl->in_hslen < 6 + n )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
-        }
-    } 
-
-    dn_len = ( ( buf[5 + m + n] <<  8 )
-             | ( buf[6 + m + n]       ) );
-
-    n += dn_len;
-    if( ssl->in_hslen != 7 + m + n )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
-    }
-
-exit:
-    SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
-
-    return( 0 );
-}
-
-static int ssl_parse_server_hello_done( ssl_context *ssl )
-{
-    int ret;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
-
-    if( ssl->client_auth != 0 )
-    {
-        if( ( ret = ssl_read_record( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-            return( ret );
-        }
-
-        if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
-            return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-        }
-    }
-
-    if( ssl->in_hslen  != 4 ||
-        ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
-    }
-
-    ssl->state++;
-
-    SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
-
-    return( 0 );
-}
-
-static int ssl_write_client_key_exchange( ssl_context *ssl )
-{
-    int ret;
-    size_t i, n;
-
-    SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
-
-    if( ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_DES_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-    {
-#if !defined(POLARSSL_DHM_C)
-        SSL_DEBUG_MSG( 1, ( "support for dhm in not available" ) );
-        return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-#else
-        /*
-         * DHM key exchange -- send G^X mod P
-         */
-        n = ssl->handshake->dhm_ctx.len;
-
-        ssl->out_msg[4] = (unsigned char)( n >> 8 );
-        ssl->out_msg[5] = (unsigned char)( n      );
-        i = 6;
-
-        ret = dhm_make_public( &ssl->handshake->dhm_ctx,
-                                mpi_size( &ssl->handshake->dhm_ctx.P ),
-                               &ssl->out_msg[i], n,
-                                ssl->f_rng, ssl->p_rng );
-        if( ret != 0 )
-        {
-            SSL_DEBUG_RET( 1, "dhm_make_public", ret );
-            return( ret );
-        }
-
-        SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
-        SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
-
-        ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
-
-        if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
-                                      ssl->handshake->premaster,
-                                     &ssl->handshake->pmslen ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
-            return( ret );
-        }
-
-        SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
-#endif
-    }
-    else
-    {
-        /*
-         * RSA key exchange -- send rsa_public(pkcs1 v1.5(premaster))
-         */
-        ssl->handshake->premaster[0] = (unsigned char) ssl->max_major_ver;
-        ssl->handshake->premaster[1] = (unsigned char) ssl->max_minor_ver;
-        ssl->handshake->pmslen = 48;
-
-        ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster + 2,
-                          ssl->handshake->pmslen - 2 );
-        if( ret != 0 )
-            return( ret );
-
-        i = 4;
-        n = ssl->session_negotiate->peer_cert->rsa.len;
-
-        if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
-        {
-            i += 2;
-            ssl->out_msg[4] = (unsigned char)( n >> 8 );
-            ssl->out_msg[5] = (unsigned char)( n      );
-        }
-
-        ret = rsa_pkcs1_encrypt( &ssl->session_negotiate->peer_cert->rsa,
-                                  ssl->f_rng, ssl->p_rng,
-                                  RSA_PUBLIC,
-                                  ssl->handshake->pmslen,
-                                  ssl->handshake->premaster,
-                                  ssl->out_msg + i );
-        if( ret != 0 )
-        {
-            SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
-            return( ret );
-        }
-    }
-
-    if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
-        return( ret );
-    }
-
-    ssl->out_msglen  = i + n;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_CLIENT_KEY_EXCHANGE;
-
-    ssl->state++;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
-
-    return( 0 );
-}
-
-static int ssl_write_certificate_verify( ssl_context *ssl )
-{
-    int ret = 0;
-    size_t n = 0, offset = 0;
-    unsigned char hash[48];
-    int hash_id = SIG_RSA_RAW;
-    unsigned int hashlen = 36;
-
-    SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
-
-    if( ssl->client_auth == 0 || ssl->own_cert == NULL )
-    {
-        SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
-        ssl->state++;
-        return( 0 );
-    }
-
-    if( ssl->rsa_key == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "got no private key" ) );
-        return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
-    }
-
-    /*
-     * Make an RSA signature of the handshake digests
-     */
-    ssl->handshake->calc_verify( ssl, hash );
-
-    if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
-    {
-        /*
-         * digitally-signed struct {
-         *     opaque md5_hash[16];
-         *     opaque sha_hash[20];
-         * };
-         *
-         * md5_hash
-         *     MD5(handshake_messages);
-         *
-         * sha_hash
-         *     SHA(handshake_messages);
-         */
-        hashlen = 36;
-        hash_id = SIG_RSA_RAW;
-    }
-    else
-    {
-        /*
-         * digitally-signed struct {
-         *     opaque handshake_messages[handshake_messages_length];
-         * };
-         *
-         * Taking shortcut here. We assume that the server always allows the
-         * PRF Hash function and has sent it in the allowed signature
-         * algorithms list received in the Certificate Request message.
-         *
-         * Until we encounter a server that does not, we will take this
-         * shortcut.
-         *
-         * Reason: Otherwise we should have running hashes for SHA512 and SHA224
-         *         in order to satisfy 'weird' needs from the server side.
-         */
-        if( ssl->session_negotiate->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
-            ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-        {
-            hash_id = SIG_RSA_SHA384;
-            hashlen = 48;
-            ssl->out_msg[4] = SSL_HASH_SHA384;
-            ssl->out_msg[5] = SSL_SIG_RSA;
-        }
-        else
-        {
-            hash_id = SIG_RSA_SHA256;
-            hashlen = 32;
-            ssl->out_msg[4] = SSL_HASH_SHA256;
-            ssl->out_msg[5] = SSL_SIG_RSA;
-        }
-
-        offset = 2;
-    }
-
-    if ( ssl->rsa_key )
-        n = ssl->rsa_key_len ( ssl->rsa_key );
-
-    ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
-    ssl->out_msg[5 + offset] = (unsigned char)( n      );
-
-    if( ssl->rsa_key )
-    {
-        ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
-                             RSA_PRIVATE, hash_id,
-                             hashlen, hash, ssl->out_msg + 6 + offset );
-    }
-
-    if (ret != 0)
-    {
-        SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
-        return( ret );
-    }
-
-    ssl->out_msglen  = 6 + n + offset;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_CERTIFICATE_VERIFY;
-
-    ssl->state++;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
-
-    return( 0 );
-}
-
-/*
- * SSL handshake -- client side -- single step
- */
-int ssl_handshake_client_step( ssl_context *ssl )
-{
-    int ret = 0;
-
-    if( ssl->state == SSL_HANDSHAKE_OVER )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
-    SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
-
-    if( ( ret = ssl_flush_output( ssl ) ) != 0 )
-        return( ret );
-
-    switch( ssl->state )
-    {
-        case SSL_HELLO_REQUEST:
-            ssl->state = SSL_CLIENT_HELLO;
-            break;
-
-       /*
-        *  ==>   ClientHello
-        */
-       case SSL_CLIENT_HELLO:
-           ret = ssl_write_client_hello( ssl );
-           break;
-
-       /*
-        *  <==   ServerHello
-        *        Certificate
-        *      ( ServerKeyExchange  )
-        *      ( CertificateRequest )
-        *        ServerHelloDone
-        */
-       case SSL_SERVER_HELLO:
-           ret = ssl_parse_server_hello( ssl );
-           break;
-
-       case SSL_SERVER_CERTIFICATE:
-           ret = ssl_parse_certificate( ssl );
-           break;
-
-       case SSL_SERVER_KEY_EXCHANGE:
-           ret = ssl_parse_server_key_exchange( ssl );
-           break;
-
-       case SSL_CERTIFICATE_REQUEST:
-           ret = ssl_parse_certificate_request( ssl );
-           break;
-
-       case SSL_SERVER_HELLO_DONE:
-           ret = ssl_parse_server_hello_done( ssl );
-           break;
-
-       /*
-        *  ==> ( Certificate/Alert  )
-        *        ClientKeyExchange
-        *      ( CertificateVerify  )
-        *        ChangeCipherSpec
-        *        Finished
-        */
-       case SSL_CLIENT_CERTIFICATE:
-           ret = ssl_write_certificate( ssl );
-           break;
-
-       case SSL_CLIENT_KEY_EXCHANGE:
-           ret = ssl_write_client_key_exchange( ssl );
-           break;
-
-       case SSL_CERTIFICATE_VERIFY:
-           ret = ssl_write_certificate_verify( ssl );
-           break;
-
-       case SSL_CLIENT_CHANGE_CIPHER_SPEC:
-           ret = ssl_write_change_cipher_spec( ssl );
-           break;
-
-       case SSL_CLIENT_FINISHED:
-           ret = ssl_write_finished( ssl );
-           break;
-
-       /*
-        *  <==   ChangeCipherSpec
-        *        Finished
-        */
-       case SSL_SERVER_CHANGE_CIPHER_SPEC:
-           ret = ssl_parse_change_cipher_spec( ssl );
-           break;
-
-       case SSL_SERVER_FINISHED:
-           ret = ssl_parse_finished( ssl );
-           break;
-
-       case SSL_FLUSH_BUFFERS:
-           SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
-           ssl->state = SSL_HANDSHAKE_WRAPUP;
-           break;
-
-       case SSL_HANDSHAKE_WRAPUP:
-           ssl_handshake_wrapup( ssl );
-           break;
-
-       default:
-           SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
-           return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-   }
-
-    return( ret );
-}
-#endif
diff --git a/makerom/polarssl/ssl_srv.c b/makerom/polarssl/ssl_srv.c
deleted file mode 100644
index 9ba22949..00000000
--- a/makerom/polarssl/ssl_srv.c
+++ /dev/null
@@ -1,1623 +0,0 @@
-/*
- *  SSLv3/TLSv1 server-side functions
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SSL_SRV_C)
-
-#include "polarssl/debug.h"
-#include "polarssl/ssl.h"
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <time.h>
-
-static int ssl_parse_servername_ext( ssl_context *ssl,
-                                     const unsigned char *buf,
-                                     size_t len )
-{
-    int ret;
-    size_t servername_list_size, hostname_len;
-    const unsigned char *p;
-
-    servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
-    if( servername_list_size + 2 != len )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    p = buf + 2;
-    while( servername_list_size > 0 )
-    {
-        hostname_len = ( ( p[1] << 8 ) | p[2] );
-        if( hostname_len + 3 > servername_list_size )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-        }
-
-        if( p[0] == TLS_EXT_SERVERNAME_HOSTNAME )
-        {
-            ret = ssl->f_sni( ssl->p_sni, ssl, p + 3, hostname_len );
-            if( ret != 0 )
-            {
-                ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
-                        SSL_ALERT_MSG_UNRECOGNIZED_NAME );
-                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-            }
-            return( 0 );
-        }
-
-        servername_list_size -= hostname_len + 3;
-        p += hostname_len + 3;
-    }
-
-    if( servername_list_size != 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    return( 0 );
-}
-
-static int ssl_parse_renegotiation_info( ssl_context *ssl,
-                                         const unsigned char *buf,
-                                         size_t len )
-{
-    int ret;
-
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-    {
-        if( len != 1 || buf[0] != 0x0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
-
-            if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                return( ret );
-
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-        }
-
-        ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
-    }
-    else
-    {
-        if( len    != 1 + ssl->verify_data_len ||
-            buf[0] !=     ssl->verify_data_len ||
-            memcmp( buf + 1, ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
-
-            if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                return( ret );
-
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-        }
-    }
-
-    return( 0 );
-}
-
-static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
-                                               const unsigned char *buf,
-                                               size_t len )
-{
-    size_t sig_alg_list_size;
-    const unsigned char *p;
-
-    sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
-    if( sig_alg_list_size + 2 != len ||
-        sig_alg_list_size %2 != 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    p = buf + 2;
-    while( sig_alg_list_size > 0 )
-    {
-        if( p[1] != SSL_SIG_RSA )
-        {
-            sig_alg_list_size -= 2;
-            p += 2;
-            continue;
-        }
-#if defined(POLARSSL_SHA4_C)
-        if( p[0] == SSL_HASH_SHA512 )
-        {
-            ssl->handshake->sig_alg = SSL_HASH_SHA512;
-            break;
-        }
-        if( p[0] == SSL_HASH_SHA384 )
-        {
-            ssl->handshake->sig_alg = SSL_HASH_SHA384;
-            break;
-        }
-#endif
-#if defined(POLARSSL_SHA2_C)
-        if( p[0] == SSL_HASH_SHA256 )
-        {
-            ssl->handshake->sig_alg = SSL_HASH_SHA256;
-            break;
-        }
-        if( p[0] == SSL_HASH_SHA224 )
-        {
-            ssl->handshake->sig_alg = SSL_HASH_SHA224;
-            break;
-        }
-#endif
-        if( p[0] == SSL_HASH_SHA1 )
-        {
-            ssl->handshake->sig_alg = SSL_HASH_SHA1;
-            break;
-        }
-        if( p[0] == SSL_HASH_MD5 )
-        {
-            ssl->handshake->sig_alg = SSL_HASH_MD5;
-            break;
-        }
-
-        sig_alg_list_size -= 2;
-        p += 2;
-    }
-
-    SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
-                   ssl->handshake->sig_alg ) );
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
-static int ssl_parse_client_hello_v2( ssl_context *ssl )
-{
-    int ret;
-    unsigned int i, j;
-    size_t n;
-    unsigned int ciph_len, sess_len, chal_len;
-    unsigned char *buf, *p;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
-
-    if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
-
-        if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-            return( ret );
-
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    buf = ssl->in_hdr;
-
-    SSL_DEBUG_BUF( 4, "record header", buf, 5 );
-
-    SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
-                   buf[2] ) );
-    SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
-                   ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
-    SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
-                   buf[3], buf[4] ) );
-
-    /*
-     * SSLv2 Client Hello
-     *
-     * Record layer:
-     *     0  .   1   message length
-     *
-     * SSL layer:
-     *     2  .   2   message type
-     *     3  .   4   protocol version
-     */
-    if( buf[2] != SSL_HS_CLIENT_HELLO ||
-        buf[3] != SSL_MAJOR_VERSION_3 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
-
-    if( n < 17 || n > 512 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    ssl->major_ver = SSL_MAJOR_VERSION_3;
-    ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_3 )
-                     ? buf[4]  : SSL_MINOR_VERSION_3;
-
-    if( ssl->minor_ver < ssl->min_minor_ver )
-    {
-        SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
-                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
-                            ssl->min_major_ver, ssl->min_minor_ver ) );
-
-        ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
-                                     SSL_ALERT_MSG_PROTOCOL_VERSION );
-        return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
-    }
-
-    ssl->max_major_ver = buf[3];
-    ssl->max_minor_ver = buf[4];
-
-    if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
-        return( ret );
-    }
-
-    ssl->handshake->update_checksum( ssl, buf + 2, n );
-
-    buf = ssl->in_msg;
-    n = ssl->in_left - 5;
-
-    /*
-     *    0  .   1   ciphersuitelist length
-     *    2  .   3   session id length
-     *    4  .   5   challenge length
-     *    6  .  ..   ciphersuitelist
-     *   ..  .  ..   session id
-     *   ..  .  ..   challenge
-     */
-    SSL_DEBUG_BUF( 4, "record contents", buf, n );
-
-    ciph_len = ( buf[0] << 8 ) | buf[1];
-    sess_len = ( buf[2] << 8 ) | buf[3];
-    chal_len = ( buf[4] << 8 ) | buf[5];
-
-    SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
-                   ciph_len, sess_len, chal_len ) );
-
-    /*
-     * Make sure each parameter length is valid
-     */
-    if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    if( sess_len > 32 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    if( chal_len < 8 || chal_len > 32 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    if( n != 6 + ciph_len + sess_len + chal_len )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
-                   buf + 6, ciph_len );
-    SSL_DEBUG_BUF( 3, "client hello, session id",
-                   buf + 6 + ciph_len, sess_len );
-    SSL_DEBUG_BUF( 3, "client hello, challenge",
-                   buf + 6 + ciph_len + sess_len, chal_len );
-
-    p = buf + 6 + ciph_len;
-    ssl->session_negotiate->length = sess_len;
-    memset( ssl->session_negotiate->id, 0, sizeof( ssl->session_negotiate->id ) );
-    memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->length );
-
-    p += sess_len;
-    memset( ssl->handshake->randbytes, 0, 64 );
-    memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
-
-    /*
-     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
-     */
-    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
-    {
-        if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
-        {
-            SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
-            if( ssl->renegotiation == SSL_RENEGOTIATION )
-            {
-                SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
-
-                if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                    return( ret );
-
-                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-            }
-            ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
-            break;
-        }
-    }
-
-    for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
-    {
-        for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
-        {
-            if( p[0] == 0 &&
-                p[1] == 0 &&
-                p[2] == ssl->ciphersuites[ssl->minor_ver][i] )
-                goto have_ciphersuite_v2;
-        }
-    }
-
-    SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
-
-    return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
-
-have_ciphersuite_v2:
-    ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
-    ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite );
-
-    /*
-     * SSLv2 Client Hello relevant renegotiation security checks
-     */
-    if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-        ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
-
-        if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-            return( ret );
-
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    ssl->in_left = 0;
-    ssl->state++;
-
-    SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
-
-    return( 0 );
-}
-#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
-
-static int ssl_parse_client_hello( ssl_context *ssl )
-{
-    int ret;
-    unsigned int i, j;
-    size_t n;
-    unsigned int ciph_len, sess_len;
-    unsigned int comp_len;
-    unsigned int ext_len = 0;
-    unsigned char *buf, *p, *ext;
-    int renegotiation_info_seen = 0;
-    int handshake_failure = 0;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
-
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
-        ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
-        return( ret );
-    }
-
-    buf = ssl->in_hdr;
-
-#if defined(POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
-    if( ( buf[0] & 0x80 ) != 0 )
-        return ssl_parse_client_hello_v2( ssl );
-#endif
-
-    SSL_DEBUG_BUF( 4, "record header", buf, 5 );
-
-    SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
-                   buf[0] ) );
-    SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
-                   ( buf[3] << 8 ) | buf[4] ) );
-    SSL_DEBUG_MSG( 3, ( "client hello v3, protocol ver: [%d:%d]",
-                   buf[1], buf[2] ) );
-
-    /*
-     * SSLv3 Client Hello
-     *
-     * Record layer:
-     *     0  .   0   message type
-     *     1  .   2   protocol version
-     *     3  .   4   message length
-     */
-    if( buf[0] != SSL_MSG_HANDSHAKE ||
-        buf[1] != SSL_MAJOR_VERSION_3 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    n = ( buf[3] << 8 ) | buf[4];
-
-    if( n < 45 || n > 512 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
-        ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
-        return( ret );
-    }
-
-    buf = ssl->in_msg;
-    if( !ssl->renegotiation )
-        n = ssl->in_left - 5;
-    else
-        n = ssl->in_msglen;
-
-    ssl->handshake->update_checksum( ssl, buf, n );
-
-    /*
-     * SSL layer:
-     *     0  .   0   handshake type
-     *     1  .   3   handshake length
-     *     4  .   5   protocol version
-     *     6  .   9   UNIX time()
-     *    10  .  37   random bytes
-     *    38  .  38   session id length
-     *    39  . 38+x  session id
-     *   39+x . 40+x  ciphersuitelist length
-     *   41+x .  ..   ciphersuitelist
-     *    ..  .  ..   compression alg.
-     *    ..  .  ..   extensions
-     */
-    SSL_DEBUG_BUF( 4, "record contents", buf, n );
-
-    SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d",
-                   buf[0] ) );
-    SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
-                   ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
-    SSL_DEBUG_MSG( 3, ( "client hello v3, max. version: [%d:%d]",
-                   buf[4], buf[5] ) );
-
-    /*
-     * Check the handshake type and protocol version
-     */
-    if( buf[0] != SSL_HS_CLIENT_HELLO ||
-        buf[4] != SSL_MAJOR_VERSION_3 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    ssl->major_ver = SSL_MAJOR_VERSION_3;
-    ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_3 )
-                     ? buf[5]  : SSL_MINOR_VERSION_3;
-
-    if( ssl->minor_ver < ssl->min_minor_ver )
-    {
-        SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
-                            " [%d:%d] < [%d:%d]", ssl->major_ver, ssl->minor_ver,
-                            ssl->min_major_ver, ssl->min_minor_ver ) );
-
-        ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
-                                     SSL_ALERT_MSG_PROTOCOL_VERSION );
-
-        return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
-    }
-
-    ssl->max_major_ver = buf[4];
-    ssl->max_minor_ver = buf[5];
-
-    memcpy( ssl->handshake->randbytes, buf + 6, 32 );
-
-    /*
-     * Check the handshake message length
-     */
-    if( buf[1] != 0 || n != (unsigned int) 4 + ( ( buf[2] << 8 ) | buf[3] ) )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    /*
-     * Check the session length
-     */
-    sess_len = buf[38];
-
-    if( sess_len > 32 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    ssl->session_negotiate->length = sess_len;
-    memset( ssl->session_negotiate->id, 0,
-            sizeof( ssl->session_negotiate->id ) );
-    memcpy( ssl->session_negotiate->id, buf + 39,
-            ssl->session_negotiate->length );
-
-    /*
-     * Check the ciphersuitelist length
-     */
-    ciph_len = ( buf[39 + sess_len] << 8 )
-             | ( buf[40 + sess_len]      );
-
-    if( ciph_len < 2 || ciph_len > 256 || ( ciph_len % 2 ) != 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    /*
-     * Check the compression algorithms length
-     */
-    comp_len = buf[41 + sess_len + ciph_len];
-
-    if( comp_len < 1 || comp_len > 16 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    /*
-     * Check the extension length
-     */
-    if( n > 42 + sess_len + ciph_len + comp_len )
-    {
-        ext_len = ( buf[42 + sess_len + ciph_len + comp_len] << 8 )
-                | ( buf[43 + sess_len + ciph_len + comp_len]      );
-
-        if( ( ext_len > 0 && ext_len < 4 ) ||
-            n != 44 + sess_len + ciph_len + comp_len + ext_len )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-            SSL_DEBUG_BUF( 3, "Ext", buf + 44 + sess_len + ciph_len + comp_len, ext_len);
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-        }
-    }
-
-    ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
-#if defined(POLARSSL_ZLIB_SUPPORT)
-    for( i = 0; i < comp_len; ++i )
-    {
-        if( buf[42 + sess_len + ciph_len + i] == SSL_COMPRESS_DEFLATE )
-        {
-            ssl->session_negotiate->compression = SSL_COMPRESS_DEFLATE;
-            break;
-        }
-    }
-#endif
-
-    SSL_DEBUG_BUF( 3, "client hello, random bytes",
-                   buf +  6,  32 );
-    SSL_DEBUG_BUF( 3, "client hello, session id",
-                   buf + 38,  sess_len );
-    SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
-                   buf + 41 + sess_len,  ciph_len );
-    SSL_DEBUG_BUF( 3, "client hello, compression",
-                   buf + 42 + sess_len + ciph_len, comp_len );
-
-    /*
-     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
-     */
-    for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
-    {
-        if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
-        {
-            SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
-            if( ssl->renegotiation == SSL_RENEGOTIATION )
-            {
-                SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
-
-                if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                    return( ret );
-
-                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-            }
-            ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
-            break;
-        }
-    }
-
-    /*
-     * Search for a matching ciphersuite
-     */
-    for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
-    {
-        for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
-            j += 2, p += 2 )
-        {
-            if( p[0] == 0 && p[1] == ssl->ciphersuites[ssl->minor_ver][i] )
-                goto have_ciphersuite;
-        }
-    }
-
-    SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
-
-    return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
-
-have_ciphersuite:
-    ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
-    ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite );
-
-    ext = buf + 44 + sess_len + ciph_len + comp_len;
-
-    while( ext_len )
-    {
-        unsigned int ext_id   = ( ( ext[0] <<  8 )
-                                | ( ext[1]       ) );
-        unsigned int ext_size = ( ( ext[2] <<  8 )
-                                | ( ext[3]       ) );
-
-        if( ext_size + 4 > ext_len )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-        }
-        switch( ext_id )
-        {
-        case TLS_EXT_SERVERNAME:
-            SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
-            if( ssl->f_sni == NULL )
-                break;
-
-            ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
-            if( ret != 0 )
-                return( ret );
-            break;
-
-        case TLS_EXT_RENEGOTIATION_INFO:
-            SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
-            renegotiation_info_seen = 1;
-
-            ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
-            if( ret != 0 )
-                return( ret );
-            break;
-
-        case TLS_EXT_SIG_ALG:
-            SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
-            if( ssl->renegotiation == SSL_RENEGOTIATION )
-                break;
-
-            ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
-            if( ret != 0 )
-                return( ret );
-            break;
-
-        default:
-            SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
-                           ext_id ) );
-        }
-
-        ext_len -= 4 + ext_size;
-        ext += 4 + ext_size;
-
-        if( ext_len > 0 && ext_len < 4 )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-        }
-    }
-
-    /*
-     * Renegotiation security checks
-     */
-    if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-        ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
-        handshake_failure = 1;
-    }
-    else if( ssl->renegotiation == SSL_RENEGOTIATION &&
-             ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
-             renegotiation_info_seen == 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
-        handshake_failure = 1;
-    }
-    else if( ssl->renegotiation == SSL_RENEGOTIATION &&
-             ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-             ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION )
-    {
-        SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
-        handshake_failure = 1;
-    }
-    else if( ssl->renegotiation == SSL_RENEGOTIATION &&
-             ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-             renegotiation_info_seen == 1 )
-    {
-        SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
-        handshake_failure = 1;
-    }
-
-    if( handshake_failure == 1 )
-    {
-        if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-            return( ret );
-
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
-    }
-
-    ssl->in_left = 0;
-    ssl->state++;
-
-    SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
-
-    return( 0 );
-}
-
-static int ssl_write_server_hello( ssl_context *ssl )
-{
-    time_t t;
-    int ret, n;
-    size_t ext_len = 0;
-    unsigned char *buf, *p;
-
-    SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
-
-    /*
-     *     0  .   0   handshake type
-     *     1  .   3   handshake length
-     *     4  .   5   protocol version
-     *     6  .   9   UNIX time()
-     *    10  .  37   random bytes
-     */
-    buf = ssl->out_msg;
-    p = buf + 4;
-
-    *p++ = (unsigned char) ssl->major_ver;
-    *p++ = (unsigned char) ssl->minor_ver;
-
-    SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
-                   buf[4], buf[5] ) );
-
-    t = time( NULL );
-    *p++ = (unsigned char)( t >> 24 );
-    *p++ = (unsigned char)( t >> 16 );
-    *p++ = (unsigned char)( t >>  8 );
-    *p++ = (unsigned char)( t       );
-
-    SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
-
-    if( ( ret = ssl->f_rng( ssl->p_rng, p, 28 ) ) != 0 )
-        return( ret );
-
-    p += 28;
-
-    memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
-
-    SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
-
-    /*
-     *    38  .  38   session id length
-     *    39  . 38+n  session id
-     *   39+n . 40+n  chosen ciphersuite
-     *   41+n . 41+n  chosen compression alg.
-     */
-    ssl->session_negotiate->length = n = 32;
-    *p++ = (unsigned char) ssl->session_negotiate->length;
-
-    if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
-        ssl->f_get_cache == NULL ||
-        ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) != 0 )
-    {
-        /*
-         * Not found, create a new session id
-         */
-        ssl->handshake->resume = 0;
-        ssl->state++;
-
-        if( ( ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id,
-                                n ) ) != 0 )
-            return( ret );
-    }
-    else
-    {
-        /*
-         * Found a matching session, resuming it
-         */
-        ssl->handshake->resume = 1;
-        ssl->state = SSL_SERVER_CHANGE_CIPHER_SPEC;
-
-        if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
-            return( ret );
-        }
-    }
-
-    memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->length );
-    p += ssl->session_negotiate->length;
-
-    SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
-    SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
-    SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
-                   ssl->handshake->resume ? "a" : "no" ) );
-
-    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
-    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
-    *p++ = (unsigned char)( ssl->session_negotiate->compression      );
-
-    SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %d",
-                   ssl->session_negotiate->ciphersuite ) );
-    SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
-                   ssl->session_negotiate->compression ) );
-
-    if( ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION )
-    {
-        SSL_DEBUG_MSG( 3, ( "server hello, prepping for secure renegotiation extension" ) );
-        ext_len += 5 + ssl->verify_data_len * 2;
-
-        SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d",
-                       ext_len ) );
-
-        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
-
-        /*
-         * Secure renegotiation
-         */
-        SSL_DEBUG_MSG( 3, ( "client hello, secure renegotiation extension" ) );
-
-        *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
-        *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
-
-        *p++ = 0x00;
-        *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
-        *p++ = ssl->verify_data_len * 2 & 0xFF;
-
-        memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
-        p += ssl->verify_data_len;
-        memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
-        p += ssl->verify_data_len;
-    }
-
-    ssl->out_msglen  = p - buf;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_SERVER_HELLO;
-
-    ret = ssl_write_record( ssl );
-
-    SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
-
-    return( ret );
-}
-
-static int ssl_write_certificate_request( ssl_context *ssl )
-{
-    int ret;
-    size_t n = 0, dn_size, total_dn_size;
-    unsigned char *buf, *p;
-    const x509_cert *crt;
-
-    SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
-
-    ssl->state++;
-
-    if( ssl->authmode == SSL_VERIFY_NONE )
-    {
-        SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
-        return( 0 );
-    }
-
-    /*
-     *     0  .   0   handshake type
-     *     1  .   3   handshake length
-     *     4  .   4   cert type count
-     *     5  .. m-1  cert types
-     *     m  .. m+1  sig alg length (TLS 1.2 only)
-     *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only) 
-     *     n  .. n+1  length of all DNs
-     *    n+2 .. n+3  length of DN 1
-     *    n+4 .. ...  Distinguished Name #1
-     *    ... .. ...  length of DN 2, etc.
-     */
-    buf = ssl->out_msg;
-    p = buf + 4;
-
-    /*
-     * At the moment, only RSA certificates are supported
-     */
-    *p++ = 1;
-    *p++ = SSL_CERT_TYPE_RSA_SIGN;
-
-    /*
-     * Add signature_algorithms for verify (TLS 1.2)
-     * Only add current running algorithm that is already required for
-     * requested ciphersuite.
-     *
-     * Length is always 2
-     */
-    if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
-    {
-        ssl->handshake->verify_sig_alg = SSL_HASH_SHA256;
-
-        *p++ = 0;
-        *p++ = 2;
-
-        if( ssl->session_negotiate->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
-            ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-        {
-            ssl->handshake->verify_sig_alg = SSL_HASH_SHA384;
-        }
-        
-        *p++ = ssl->handshake->verify_sig_alg;
-        *p++ = SSL_SIG_RSA;
-
-        n += 4;
-    }
-
-    p += 2;
-    crt = ssl->ca_chain;
-
-    total_dn_size = 0;
-    while( crt != NULL && crt->version != 0)
-    {
-        if( p - buf > 4096 )
-            break;
-
-        dn_size = crt->subject_raw.len;
-        *p++ = (unsigned char)( dn_size >> 8 );
-        *p++ = (unsigned char)( dn_size      );
-        memcpy( p, crt->subject_raw.p, dn_size );
-        p += dn_size;
-
-        SSL_DEBUG_BUF( 3, "requested DN", p, dn_size );
-
-        total_dn_size += 2 + dn_size;
-        crt = crt->next;
-    }
-
-    ssl->out_msglen  = p - buf;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_CERTIFICATE_REQUEST;
-    ssl->out_msg[6 + n]  = (unsigned char)( total_dn_size  >> 8 );
-    ssl->out_msg[7 + n]  = (unsigned char)( total_dn_size       );
-
-    ret = ssl_write_record( ssl );
-
-    SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
-
-    return( ret );
-}
-
-static int ssl_write_server_key_exchange( ssl_context *ssl )
-{
-#if defined(POLARSSL_DHM_C)
-    int ret;
-    size_t n, rsa_key_len = 0;
-    unsigned char hash[64];
-    int hash_id = 0;
-    unsigned int hashlen = 0;
-#endif
-
-    SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
-
-    if( ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_DES_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 &&
-        ssl->session_negotiate->ciphersuite != TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-    {
-        SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
-        ssl->state++;
-        return( 0 );
-    }
-
-#if !defined(POLARSSL_DHM_C)
-    SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
-    return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-#else
-
-    if( ssl->rsa_key == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "got no private key" ) );
-        return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
-    }
-
-    /*
-     * Ephemeral DH parameters:
-     *
-     * struct {
-     *     opaque dh_p<1..2^16-1>;
-     *     opaque dh_g<1..2^16-1>;
-     *     opaque dh_Ys<1..2^16-1>;
-     * } ServerDHParams;
-     */
-    if( ( ret = mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->dhm_P ) ) != 0 ||
-        ( ret = mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->dhm_G ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "mpi_copy", ret );
-        return( ret );
-    }
-
-    if( ( ret = dhm_make_params( &ssl->handshake->dhm_ctx,
-                                  mpi_size( &ssl->handshake->dhm_ctx.P ),
-                                  ssl->out_msg + 4,
-                                  &n, ssl->f_rng, ssl->p_rng ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "dhm_make_params", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
-    SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
-    SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
-    SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
-
-    if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
-    {
-        md5_context md5;
-        sha1_context sha1;
-
-        /*
-         * digitally-signed struct {
-         *     opaque md5_hash[16];
-         *     opaque sha_hash[20];
-         * };
-         *
-         * md5_hash
-         *     MD5(ClientHello.random + ServerHello.random
-         *                            + ServerParams);
-         * sha_hash
-         *     SHA(ClientHello.random + ServerHello.random
-         *                            + ServerParams);
-         */
-        md5_starts( &md5 );
-        md5_update( &md5, ssl->handshake->randbytes,  64 );
-        md5_update( &md5, ssl->out_msg + 4, n );
-        md5_finish( &md5, hash );
-
-        sha1_starts( &sha1 );
-        sha1_update( &sha1, ssl->handshake->randbytes,  64 );
-        sha1_update( &sha1, ssl->out_msg + 4, n );
-        sha1_finish( &sha1, hash + 16 );
-
-        hashlen = 36;
-        hash_id = SIG_RSA_RAW;
-    }
-    else
-    {
-        /*
-         * digitally-signed struct {
-         *     opaque client_random[32];
-         *     opaque server_random[32];
-         *     ServerDHParams params;
-         * };
-         */
-#if defined(POLARSSL_SHA4_C)
-        if( ssl->handshake->sig_alg == SSL_HASH_SHA512 )
-        {
-            sha4_context sha4;
-
-            sha4_starts( &sha4, 0 );
-            sha4_update( &sha4, ssl->handshake->randbytes, 64 );
-            sha4_update( &sha4, ssl->out_msg + 4, n );
-            sha4_finish( &sha4, hash );
-
-            hashlen = 64;
-            hash_id = SIG_RSA_SHA512;
-        }
-        else if( ssl->handshake->sig_alg == SSL_HASH_SHA384 )
-        {
-            sha4_context sha4;
-
-            sha4_starts( &sha4, 1 );
-            sha4_update( &sha4, ssl->handshake->randbytes, 64 );
-            sha4_update( &sha4, ssl->out_msg + 4, n );
-            sha4_finish( &sha4, hash );
-
-            hashlen = 48;
-            hash_id = SIG_RSA_SHA384;
-        }
-        else
-#endif
-#if defined(POLARSSL_SHA2_C)
-        if( ssl->handshake->sig_alg == SSL_HASH_SHA256 )
-        {
-            sha2_context sha2;
-
-            sha2_starts( &sha2, 0 );
-            sha2_update( &sha2, ssl->handshake->randbytes, 64 );
-            sha2_update( &sha2, ssl->out_msg + 4, n );
-            sha2_finish( &sha2, hash );
-
-            hashlen = 32;
-            hash_id = SIG_RSA_SHA256;
-        }
-        else if( ssl->handshake->sig_alg == SSL_HASH_SHA224 )
-        {
-            sha2_context sha2;
-
-            sha2_starts( &sha2, 1 );
-            sha2_update( &sha2, ssl->handshake->randbytes, 64 );
-            sha2_update( &sha2, ssl->out_msg + 4, n );
-            sha2_finish( &sha2, hash );
-
-            hashlen = 24;
-            hash_id = SIG_RSA_SHA224;
-        }
-        else
-#endif
-        if( ssl->handshake->sig_alg == SSL_HASH_SHA1 )
-        {
-            sha1_context sha1;
-
-            sha1_starts( &sha1 );
-            sha1_update( &sha1, ssl->handshake->randbytes, 64 );
-            sha1_update( &sha1, ssl->out_msg + 4, n );
-            sha1_finish( &sha1, hash );
-
-            hashlen = 20;
-            hash_id = SIG_RSA_SHA1;
-        }
-        else if( ssl->handshake->sig_alg == SSL_HASH_MD5 )
-        {
-            md5_context md5;
-
-            md5_starts( &md5 );
-            md5_update( &md5, ssl->handshake->randbytes, 64 );
-            md5_update( &md5, ssl->out_msg + 4, n );
-            md5_finish( &md5, hash );
-
-            hashlen = 16;
-            hash_id = SIG_RSA_MD5;
-        }
-    }
-
-    SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
-
-    if ( ssl->rsa_key )
-        rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
-
-    if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
-    {
-        ssl->out_msg[4 + n] = ssl->handshake->sig_alg;
-        ssl->out_msg[5 + n] = SSL_SIG_RSA;
-
-        n += 2;
-    }
-
-    ssl->out_msg[4 + n] = (unsigned char)( rsa_key_len >> 8 );
-    ssl->out_msg[5 + n] = (unsigned char)( rsa_key_len      );
-
-    if ( ssl->rsa_key )
-    {
-        ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
-                             RSA_PRIVATE,
-                             hash_id, hashlen, hash,
-                             ssl->out_msg + 6 + n );
-    }
-
-    if( ret != 0 )
-    {
-        SSL_DEBUG_RET( 1, "pkcs1_sign", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_BUF( 3, "my RSA sig", ssl->out_msg + 6 + n, rsa_key_len );
-
-    ssl->out_msglen  = 6 + n + rsa_key_len;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_SERVER_KEY_EXCHANGE;
-
-    ssl->state++;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
-
-    return( 0 );
-#endif
-}
-
-static int ssl_write_server_hello_done( ssl_context *ssl )
-{
-    int ret;
-
-    SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
-
-    ssl->out_msglen  = 4;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_SERVER_HELLO_DONE;
-
-    ssl->state++;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
-
-    return( 0 );
-}
-
-static int ssl_parse_client_key_exchange( ssl_context *ssl )
-{
-    int ret;
-    size_t i, n = 0;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
-
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
-    }
-
-    if( ssl->in_msg[0] != SSL_HS_CLIENT_KEY_EXCHANGE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
-    }
-
-    if( ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_DES_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ||
-        ssl->session_negotiate->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-    {
-#if !defined(POLARSSL_DHM_C)
-        SSL_DEBUG_MSG( 1, ( "support for dhm is not available" ) );
-        return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-#else
-        /*
-         * Receive G^Y mod P, premaster = (G^Y)^X mod P
-         */
-        n = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
-
-        if( n < 1 || n > ssl->handshake->dhm_ctx.len ||
-            n + 6 != ssl->in_hslen )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
-        }
-
-        if( ( ret = dhm_read_public( &ssl->handshake->dhm_ctx,
-                                      ssl->in_msg + 6, n ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "dhm_read_public", ret );
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP );
-        }
-
-        SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
-
-        ssl->handshake->pmslen = ssl->handshake->dhm_ctx.len;
-
-        if( ( ret = dhm_calc_secret( &ssl->handshake->dhm_ctx,
-                                      ssl->handshake->premaster,
-                                     &ssl->handshake->pmslen ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "dhm_calc_secret", ret );
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS );
-        }
-
-        SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
-#endif
-    }
-    else
-    {
-        if( ssl->rsa_key == NULL )
-        {
-            SSL_DEBUG_MSG( 1, ( "got no private key" ) );
-            return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
-        }
-
-        /*
-         * Decrypt the premaster using own private RSA key
-         */
-        i = 4;
-        if( ssl->rsa_key )
-            n = ssl->rsa_key_len( ssl->rsa_key );
-        ssl->handshake->pmslen = 48;
-
-        if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
-        {
-            i += 2;
-            if( ssl->in_msg[4] != ( ( n >> 8 ) & 0xFF ) ||
-                ssl->in_msg[5] != ( ( n      ) & 0xFF ) )
-            {
-                SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
-                return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
-            }
-        }
-
-        if( ssl->in_hslen != i + n )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
-        }
-
-        if( ssl->rsa_key ) {
-            ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
-                                   &ssl->handshake->pmslen,
-                                    ssl->in_msg + i,
-                                    ssl->handshake->premaster,
-                                    sizeof(ssl->handshake->premaster) );
-        }
-
-        if( ret != 0 || ssl->handshake->pmslen != 48 ||
-            ssl->handshake->premaster[0] != ssl->max_major_ver ||
-            ssl->handshake->premaster[1] != ssl->max_minor_ver )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
-
-            /*
-             * Protection against Bleichenbacher's attack:
-             * invalid PKCS#1 v1.5 padding must not cause
-             * the connection to end immediately; instead,
-             * send a bad_record_mac later in the handshake.
-             */
-            ssl->handshake->pmslen = 48;
-
-            ret = ssl->f_rng( ssl->p_rng, ssl->handshake->premaster,
-                              ssl->handshake->pmslen );
-            if( ret != 0 )
-                return( ret );
-        }
-    }
-
-    if( ( ret = ssl_derive_keys( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_derive_keys", ret );
-        return( ret );
-    }
-
-    ssl->state++;
-
-    SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
-
-    return( 0 );
-}
-
-static int ssl_parse_certificate_verify( ssl_context *ssl )
-{
-    int ret;
-    size_t n = 0, n1, n2;
-    unsigned char hash[48];
-    int hash_id;
-    unsigned int hashlen;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
-
-    if( ssl->session_negotiate->peer_cert == NULL )
-    {
-        SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
-        ssl->state++;
-        return( 0 );
-    }
-
-    ssl->handshake->calc_verify( ssl, hash );
-
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    ssl->state++;
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
-    }
-
-    if( ssl->in_msg[0] != SSL_HS_CERTIFICATE_VERIFY )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
-    }
-
-    if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
-    {
-        /*
-         * As server we know we either have SSL_HASH_SHA384 or
-         * SSL_HASH_SHA256
-         */
-        if( ssl->in_msg[4] != ssl->handshake->verify_sig_alg ||
-            ssl->in_msg[5] != SSL_SIG_RSA )
-        {
-            SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg for verify message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
-        }
-
-        if( ssl->handshake->verify_sig_alg == SSL_HASH_SHA384 )
-        {
-            hashlen = 48;
-            hash_id = SIG_RSA_SHA384;
-        }
-        else
-        {
-            hashlen = 32;
-            hash_id = SIG_RSA_SHA256;
-        }
-
-        n += 2;
-    }
-    else
-    {
-        hashlen = 36;
-        hash_id = SIG_RSA_RAW;
-    }
-
-    n1 = ssl->session_negotiate->peer_cert->rsa.len;
-    n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
-
-    if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
-    }
-
-    ret = rsa_pkcs1_verify( &ssl->session_negotiate->peer_cert->rsa, RSA_PUBLIC,
-                            hash_id, hashlen, hash, ssl->in_msg + 6 + n );
-    if( ret != 0 )
-    {
-        SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
-
-    return( 0 );
-}
-
-/*
- * SSL handshake -- server side -- single step
- */
-int ssl_handshake_server_step( ssl_context *ssl )
-{
-    int ret = 0;
-
-    if( ssl->state == SSL_HANDSHAKE_OVER )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
-    SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
-
-    if( ( ret = ssl_flush_output( ssl ) ) != 0 )
-        return( ret );
-
-    switch( ssl->state )
-    {
-        case SSL_HELLO_REQUEST:
-            ssl->state = SSL_CLIENT_HELLO;
-            break;
-
-        /*
-         *  <==   ClientHello
-         */
-        case SSL_CLIENT_HELLO:
-            ret = ssl_parse_client_hello( ssl );
-            break;
-
-        /*
-         *  ==>   ServerHello
-         *        Certificate
-         *      ( ServerKeyExchange  )
-         *      ( CertificateRequest )
-         *        ServerHelloDone
-         */
-        case SSL_SERVER_HELLO:
-            ret = ssl_write_server_hello( ssl );
-            break;
-
-        case SSL_SERVER_CERTIFICATE:
-            ret = ssl_write_certificate( ssl );
-            break;
-
-        case SSL_SERVER_KEY_EXCHANGE:
-            ret = ssl_write_server_key_exchange( ssl );
-            break;
-
-        case SSL_CERTIFICATE_REQUEST:
-            ret = ssl_write_certificate_request( ssl );
-            break;
-
-        case SSL_SERVER_HELLO_DONE:
-            ret = ssl_write_server_hello_done( ssl );
-            break;
-
-        /*
-         *  <== ( Certificate/Alert  )
-         *        ClientKeyExchange
-         *      ( CertificateVerify  )
-         *        ChangeCipherSpec
-         *        Finished
-         */
-        case SSL_CLIENT_CERTIFICATE:
-            ret = ssl_parse_certificate( ssl );
-            break;
-
-        case SSL_CLIENT_KEY_EXCHANGE:
-            ret = ssl_parse_client_key_exchange( ssl );
-            break;
-
-        case SSL_CERTIFICATE_VERIFY:
-            ret = ssl_parse_certificate_verify( ssl );
-            break;
-
-        case SSL_CLIENT_CHANGE_CIPHER_SPEC:
-            ret = ssl_parse_change_cipher_spec( ssl );
-            break;
-
-        case SSL_CLIENT_FINISHED:
-            ret = ssl_parse_finished( ssl );
-            break;
-
-        /*
-         *  ==>   ChangeCipherSpec
-         *        Finished
-         */
-        case SSL_SERVER_CHANGE_CIPHER_SPEC:
-            ret = ssl_write_change_cipher_spec( ssl );
-            break;
-
-        case SSL_SERVER_FINISHED:
-            ret = ssl_write_finished( ssl );
-            break;
-
-        case SSL_FLUSH_BUFFERS:
-            SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
-            ssl->state = SSL_HANDSHAKE_WRAPUP;
-            break;
-
-        case SSL_HANDSHAKE_WRAPUP:
-            ssl_handshake_wrapup( ssl );
-            break;
-
-        default:
-            SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
-            return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-    }
-
-    return( ret );
-}
-#endif
diff --git a/makerom/polarssl/ssl_tls.c b/makerom/polarssl/ssl_tls.c
deleted file mode 100644
index cde6795f..00000000
--- a/makerom/polarssl/ssl_tls.c
+++ /dev/null
@@ -1,3991 +0,0 @@
-/*
- *  SSLv3/TLSv1 shared functions
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The SSL 3.0 specification was drafted by Netscape in 1996,
- *  and became an IETF standard in 1999.
- *
- *  http://wp.netscape.com/eng/ssl3/
- *  http://www.ietf.org/rfc/rfc2246.txt
- *  http://www.ietf.org/rfc/rfc4346.txt
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SSL_TLS_C)
-
-#include "polarssl/aes.h"
-#include "polarssl/arc4.h"
-#include "polarssl/camellia.h"
-#include "polarssl/des.h"
-#include "polarssl/debug.h"
-#include "polarssl/ssl.h"
-#include "polarssl/sha2.h"
-
-#if defined(POLARSSL_GCM_C)
-#include "polarssl/gcm.h"
-#endif
-
-#include <stdlib.h>
-#include <time.h>
-
-#if defined _MSC_VER && !defined strcasecmp
-#define strcasecmp _stricmp
-#endif
-
-#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
-int (*ssl_hw_record_init)(ssl_context *ssl,
-                       const unsigned char *key_enc, const unsigned char *key_dec,
-                       const unsigned char *iv_enc,  const unsigned char *iv_dec,
-                       const unsigned char *mac_enc, const unsigned char *mac_dec) = NULL;
-int (*ssl_hw_record_reset)(ssl_context *ssl) = NULL;
-int (*ssl_hw_record_write)(ssl_context *ssl) = NULL;
-int (*ssl_hw_record_read)(ssl_context *ssl) = NULL;
-int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
-#endif
-
-static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
-                        const unsigned char *input, unsigned char *output,
-                        size_t output_max_len )
-{
-    return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
-                              output_max_len );
-}
-
-static int ssl_rsa_sign( void *ctx,
-                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                    int mode, int hash_id, unsigned int hashlen,
-                    const unsigned char *hash, unsigned char *sig )
-{
-    return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
-                           hashlen, hash, sig );
-}
-
-static size_t ssl_rsa_key_len( void *ctx )
-{
-    return ( (rsa_context *) ctx )->len;
-}
-
-/*
- * Key material generation
- */
-static int ssl3_prf( unsigned char *secret, size_t slen, char *label,
-                     unsigned char *random, size_t rlen,
-                     unsigned char *dstbuf, size_t dlen )
-{
-    size_t i;
-    md5_context md5;
-    sha1_context sha1;
-    unsigned char padding[16];
-    unsigned char sha1sum[20];
-    ((void)label);
-
-    /*
-     *  SSLv3:
-     *    block =
-     *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
-     *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
-     *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
-     *      ...
-     */
-    for( i = 0; i < dlen / 16; i++ )
-    {
-        memset( padding, 'A' + i, 1 + i );
-
-        sha1_starts( &sha1 );
-        sha1_update( &sha1, padding, 1 + i );
-        sha1_update( &sha1, secret, slen );
-        sha1_update( &sha1, random, rlen );
-        sha1_finish( &sha1, sha1sum );
-
-        md5_starts( &md5 );
-        md5_update( &md5, secret, slen );
-        md5_update( &md5, sha1sum, 20 );
-        md5_finish( &md5, dstbuf + i * 16 );
-    }
-
-    memset( &md5,  0, sizeof( md5  ) );
-    memset( &sha1, 0, sizeof( sha1 ) );
-
-    memset( padding, 0, sizeof( padding ) );
-    memset( sha1sum, 0, sizeof( sha1sum ) );
-
-    return( 0 );
-}
-
-static int tls1_prf( unsigned char *secret, size_t slen, char *label,
-                     unsigned char *random, size_t rlen,
-                     unsigned char *dstbuf, size_t dlen )
-{
-    size_t nb, hs;
-    size_t i, j, k;
-    unsigned char *S1, *S2;
-    unsigned char tmp[128];
-    unsigned char h_i[20];
-
-    if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
-    hs = ( slen + 1 ) / 2;
-    S1 = secret;
-    S2 = secret + slen - hs;
-
-    nb = strlen( label );
-    memcpy( tmp + 20, label, nb );
-    memcpy( tmp + 20 + nb, random, rlen );
-    nb += rlen;
-
-    /*
-     * First compute P_md5(secret,label+random)[0..dlen]
-     */
-    md5_hmac( S1, hs, tmp + 20, nb, 4 + tmp );
-
-    for( i = 0; i < dlen; i += 16 )
-    {
-        md5_hmac( S1, hs, 4 + tmp, 16 + nb, h_i );
-        md5_hmac( S1, hs, 4 + tmp, 16,  4 + tmp );
-
-        k = ( i + 16 > dlen ) ? dlen % 16 : 16;
-
-        for( j = 0; j < k; j++ )
-            dstbuf[i + j]  = h_i[j];
-    }
-
-    /*
-     * XOR out with P_sha1(secret,label+random)[0..dlen]
-     */
-    sha1_hmac( S2, hs, tmp + 20, nb, tmp );
-
-    for( i = 0; i < dlen; i += 20 )
-    {
-        sha1_hmac( S2, hs, tmp, 20 + nb, h_i );
-        sha1_hmac( S2, hs, tmp, 20,      tmp );
-
-        k = ( i + 20 > dlen ) ? dlen % 20 : 20;
-
-        for( j = 0; j < k; j++ )
-            dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
-    }
-
-    memset( tmp, 0, sizeof( tmp ) );
-    memset( h_i, 0, sizeof( h_i ) );
-
-    return( 0 );
-}
-
-static int tls_prf_sha256( unsigned char *secret, size_t slen, char *label,
-                           unsigned char *random, size_t rlen,
-                           unsigned char *dstbuf, size_t dlen )
-{
-    size_t nb;
-    size_t i, j, k;
-    unsigned char tmp[128];
-    unsigned char h_i[32];
-
-    if( sizeof( tmp ) < 32 + strlen( label ) + rlen )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
-    nb = strlen( label );
-    memcpy( tmp + 32, label, nb );
-    memcpy( tmp + 32 + nb, random, rlen );
-    nb += rlen;
-
-    /*
-     * Compute P_<hash>(secret, label + random)[0..dlen]
-     */
-    sha2_hmac( secret, slen, tmp + 32, nb, tmp, 0 );
-
-    for( i = 0; i < dlen; i += 32 )
-    {
-        sha2_hmac( secret, slen, tmp, 32 + nb, h_i, 0 );
-        sha2_hmac( secret, slen, tmp, 32,      tmp, 0 );
-
-        k = ( i + 32 > dlen ) ? dlen % 32 : 32;
-
-        for( j = 0; j < k; j++ )
-            dstbuf[i + j]  = h_i[j];
-    }
-
-    memset( tmp, 0, sizeof( tmp ) );
-    memset( h_i, 0, sizeof( h_i ) );
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_SHA4_C)
-static int tls_prf_sha384( unsigned char *secret, size_t slen, char *label,
-                           unsigned char *random, size_t rlen,
-                           unsigned char *dstbuf, size_t dlen )
-{
-    size_t nb;
-    size_t i, j, k;
-    unsigned char tmp[128];
-    unsigned char h_i[48];
-
-    if( sizeof( tmp ) < 48 + strlen( label ) + rlen )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
-    nb = strlen( label );
-    memcpy( tmp + 48, label, nb );
-    memcpy( tmp + 48 + nb, random, rlen );
-    nb += rlen;
-
-    /*
-     * Compute P_<hash>(secret, label + random)[0..dlen]
-     */
-    sha4_hmac( secret, slen, tmp + 48, nb, tmp, 1 );
-
-    for( i = 0; i < dlen; i += 48 )
-    {
-        sha4_hmac( secret, slen, tmp, 48 + nb, h_i, 1 );
-        sha4_hmac( secret, slen, tmp, 48,      tmp, 1 );
-
-        k = ( i + 48 > dlen ) ? dlen % 48 : 48;
-
-        for( j = 0; j < k; j++ )
-            dstbuf[i + j]  = h_i[j];
-    }
-
-    memset( tmp, 0, sizeof( tmp ) );
-    memset( h_i, 0, sizeof( h_i ) );
-
-    return( 0 );
-}
-#endif
-
-static void ssl_update_checksum_start(ssl_context *, unsigned char *, size_t);
-static void ssl_update_checksum_md5sha1(ssl_context *, unsigned char *, size_t);
-static void ssl_update_checksum_sha256(ssl_context *, unsigned char *, size_t);
-
-static void ssl_calc_verify_ssl(ssl_context *,unsigned char *);
-static void ssl_calc_verify_tls(ssl_context *,unsigned char *);
-static void ssl_calc_verify_tls_sha256(ssl_context *,unsigned char *);
-
-static void ssl_calc_finished_ssl(ssl_context *,unsigned char *,int);
-static void ssl_calc_finished_tls(ssl_context *,unsigned char *,int);
-static void ssl_calc_finished_tls_sha256(ssl_context *,unsigned char *,int);
-
-#if defined(POLARSSL_SHA4_C)
-static void ssl_update_checksum_sha384(ssl_context *, unsigned char *, size_t);
-static void ssl_calc_verify_tls_sha384(ssl_context *,unsigned char *);
-static void ssl_calc_finished_tls_sha384(ssl_context *,unsigned char *,int);
-#endif
-
-int ssl_derive_keys( ssl_context *ssl )
-{
-    unsigned char tmp[64];
-    unsigned char keyblk[256];
-    unsigned char *key1;
-    unsigned char *key2;
-    unsigned int iv_copy_len;
-    ssl_session *session = ssl->session_negotiate;
-    ssl_transform *transform = ssl->transform_negotiate;
-    ssl_handshake_params *handshake = ssl->handshake;
-
-    SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
-
-    /*
-     * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
-     */
-    if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
-    {
-        handshake->tls_prf = ssl3_prf;
-        handshake->calc_verify = ssl_calc_verify_ssl;
-        handshake->calc_finished = ssl_calc_finished_ssl;
-    }
-    else if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
-    {
-        handshake->tls_prf = tls1_prf;
-        handshake->calc_verify = ssl_calc_verify_tls;
-        handshake->calc_finished = ssl_calc_finished_tls;
-    }
-#if defined(POLARSSL_SHA4_C)
-    else if( session->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
-             session->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-    {
-        handshake->tls_prf = tls_prf_sha384;
-        handshake->calc_verify = ssl_calc_verify_tls_sha384;
-        handshake->calc_finished = ssl_calc_finished_tls_sha384;
-    }
-#endif
-    else
-    {
-        handshake->tls_prf = tls_prf_sha256;
-        handshake->calc_verify = ssl_calc_verify_tls_sha256;
-        handshake->calc_finished = ssl_calc_finished_tls_sha256;
-    }
-
-    /*
-     * SSLv3:
-     *   master =
-     *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
-     *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
-     *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
-     *   
-     * TLSv1:
-     *   master = PRF( premaster, "master secret", randbytes )[0..47]
-     */
-    if( handshake->resume == 0 )
-    {
-        SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
-                       handshake->pmslen );
-
-        handshake->tls_prf( handshake->premaster, handshake->pmslen,
-                            "master secret",
-                            handshake->randbytes, 64, session->master, 48 );
-
-        memset( handshake->premaster, 0, sizeof( handshake->premaster ) );
-    }
-    else
-        SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
-
-    /*
-     * Swap the client and server random values.
-     */
-    memcpy( tmp, handshake->randbytes, 64 );
-    memcpy( handshake->randbytes, tmp + 32, 32 );
-    memcpy( handshake->randbytes + 32, tmp, 32 );
-    memset( tmp, 0, sizeof( tmp ) );
-
-    /*
-     *  SSLv3:
-     *    key block =
-     *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
-     *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
-     *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
-     *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
-     *      ...
-     *
-     *  TLSv1:
-     *    key block = PRF( master, "key expansion", randbytes )
-     */
-    handshake->tls_prf( session->master, 48, "key expansion",
-                        handshake->randbytes, 64, keyblk, 256 );
-
-    SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
-                   ssl_get_ciphersuite_name( session->ciphersuite ) ) );
-    SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
-    SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
-    SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
-
-    memset( handshake->randbytes, 0, sizeof( handshake->randbytes ) );
-
-    /*
-     * Determine the appropriate key, IV and MAC length.
-     */
-    switch( session->ciphersuite )
-    {
-#if defined(POLARSSL_ARC4_C)
-        case TLS_RSA_WITH_RC4_128_MD5:
-            transform->keylen = 16; transform->minlen = 16;
-            transform->ivlen  =  0; transform->maclen = 16;
-            break;
-
-        case TLS_RSA_WITH_RC4_128_SHA:
-            transform->keylen = 16; transform->minlen = 20;
-            transform->ivlen  =  0; transform->maclen = 20;
-            break;
-#endif
-
-#if defined(POLARSSL_DES_C)
-        case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
-            transform->keylen = 24; transform->minlen = 24;
-            transform->ivlen  =  8; transform->maclen = 20;
-            break;
-#endif
-
-#if defined(POLARSSL_AES_C)
-        case TLS_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
-            transform->keylen = 16; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 20;
-            break;
-
-        case TLS_RSA_WITH_AES_256_CBC_SHA:
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
-            transform->keylen = 32; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 20;
-            break;
-
-#if defined(POLARSSL_SHA2_C)
-        case TLS_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
-            transform->keylen = 16; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 32;
-            break;
-
-        case TLS_RSA_WITH_AES_256_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
-            transform->keylen = 32; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 32;
-            break;
-#endif
-#if defined(POLARSSL_GCM_C)
-        case TLS_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
-            transform->keylen = 16; transform->minlen = 1;
-            transform->ivlen  = 12; transform->maclen = 0;
-            transform->fixed_ivlen = 4;
-            break;
-
-        case TLS_RSA_WITH_AES_256_GCM_SHA384:
-        case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
-            transform->keylen = 32; transform->minlen = 1;
-            transform->ivlen  = 12; transform->maclen = 0;
-            transform->fixed_ivlen = 4;
-            break;
-#endif
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA:
-        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA:
-            transform->keylen = 16; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 20;
-            break;
-
-        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA:
-        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA:
-            transform->keylen = 32; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 20;
-            break;
-
-#if defined(POLARSSL_SHA2_C)
-        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256:
-            transform->keylen = 16; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 32;
-            break;
-
-        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256:
-            transform->keylen = 32; transform->minlen = 32;
-            transform->ivlen  = 16; transform->maclen = 32;
-            break;
-#endif
-#endif
-
-#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-        case TLS_RSA_WITH_NULL_MD5:
-            transform->keylen = 0; transform->minlen = 0;
-            transform->ivlen  = 0; transform->maclen = 16;
-            break;
-
-        case TLS_RSA_WITH_NULL_SHA:
-            transform->keylen = 0; transform->minlen = 0;
-            transform->ivlen  = 0; transform->maclen = 20;
-            break;
-
-        case TLS_RSA_WITH_NULL_SHA256:
-            transform->keylen = 0; transform->minlen = 0;
-            transform->ivlen  = 0; transform->maclen = 32;
-            break;
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-#if defined(POLARSSL_DES_C)
-        case TLS_RSA_WITH_DES_CBC_SHA:
-        case TLS_DHE_RSA_WITH_DES_CBC_SHA:
-            transform->keylen =  8; transform->minlen = 8;
-            transform->ivlen  =  8; transform->maclen = 20;
-            break;
-#endif
-#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
-
-        default:
-            SSL_DEBUG_MSG( 1, ( "ciphersuite %s is not available",
-                           ssl_get_ciphersuite_name( session->ciphersuite ) ) );
-            return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-    }
-
-    SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
-                   transform->keylen, transform->minlen, transform->ivlen,
-                   transform->maclen ) );
-
-    /*
-     * Finally setup the cipher contexts, IVs and MAC secrets.
-     */
-    if( ssl->endpoint == SSL_IS_CLIENT )
-    {
-        key1 = keyblk + transform->maclen * 2;
-        key2 = keyblk + transform->maclen * 2 + transform->keylen;
-
-        memcpy( transform->mac_enc, keyblk,  transform->maclen );
-        memcpy( transform->mac_dec, keyblk + transform->maclen,
-                transform->maclen );
-
-        /*
-         * This is not used in TLS v1.1.
-         */
-        iv_copy_len = ( transform->fixed_ivlen ) ?
-                            transform->fixed_ivlen : transform->ivlen;
-        memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
-        memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
-                iv_copy_len );
-    }
-    else
-    {
-        key1 = keyblk + transform->maclen * 2 + transform->keylen;
-        key2 = keyblk + transform->maclen * 2;
-
-        memcpy( transform->mac_dec, keyblk,  transform->maclen );
-        memcpy( transform->mac_enc, keyblk + transform->maclen,
-                transform->maclen );
-
-        /*
-         * This is not used in TLS v1.1.
-         */
-        iv_copy_len = ( transform->fixed_ivlen ) ?
-                            transform->fixed_ivlen : transform->ivlen;
-        memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
-        memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
-                iv_copy_len );
-    }
-
-#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
-    if( ssl_hw_record_init != NULL)
-    {
-        int ret = 0;
-
-        SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_init()" ) );
-
-        if( ( ret = ssl_hw_record_init( ssl, key1, key2, transform->iv_enc,
-                                        transform->iv_dec, transform->mac_enc,
-                                        transform->mac_dec ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_hw_record_init", ret );
-            return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
-        }
-    }
-#endif
-
-    switch( session->ciphersuite )
-    {
-#if defined(POLARSSL_ARC4_C)
-        case TLS_RSA_WITH_RC4_128_MD5:
-        case TLS_RSA_WITH_RC4_128_SHA:
-            arc4_setup( (arc4_context *) transform->ctx_enc, key1,
-                        transform->keylen );
-            arc4_setup( (arc4_context *) transform->ctx_dec, key2,
-                        transform->keylen );
-            break;
-#endif
-
-#if defined(POLARSSL_DES_C)
-        case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
-        case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
-            des3_set3key_enc( (des3_context *) transform->ctx_enc, key1 );
-            des3_set3key_dec( (des3_context *) transform->ctx_dec, key2 );
-            break;
-#endif
-
-#if defined(POLARSSL_AES_C)
-        case TLS_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
-        case TLS_RSA_WITH_AES_128_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
-            aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 128 );
-            aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 128 );
-            break;
-
-        case TLS_RSA_WITH_AES_256_CBC_SHA:
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
-        case TLS_RSA_WITH_AES_256_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
-            aes_setkey_enc( (aes_context *) transform->ctx_enc, key1, 256 );
-            aes_setkey_dec( (aes_context *) transform->ctx_dec, key2, 256 );
-            break;
-
-#if defined(POLARSSL_GCM_C)
-        case TLS_RSA_WITH_AES_128_GCM_SHA256:
-        case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
-            gcm_init( (gcm_context *) transform->ctx_enc, key1, 128 );
-            gcm_init( (gcm_context *) transform->ctx_dec, key2, 128 );
-            break;
-
-        case TLS_RSA_WITH_AES_256_GCM_SHA384:
-        case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
-            gcm_init( (gcm_context *) transform->ctx_enc, key1, 256 );
-            gcm_init( (gcm_context *) transform->ctx_dec, key2, 256 );
-            break;
-#endif
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA:
-        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA:
-        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256:
-            camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 128 );
-            camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 128 );
-            break;
-
-        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA:
-        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA:
-        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256:
-        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256:
-            camellia_setkey_enc( (camellia_context *) transform->ctx_enc, key1, 256 );
-            camellia_setkey_dec( (camellia_context *) transform->ctx_dec, key2, 256 );
-            break;
-#endif
-
-#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-        case TLS_RSA_WITH_NULL_MD5:
-        case TLS_RSA_WITH_NULL_SHA:
-        case TLS_RSA_WITH_NULL_SHA256:
-            break;
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-#if defined(POLARSSL_DES_C)
-        case TLS_RSA_WITH_DES_CBC_SHA:
-        case TLS_DHE_RSA_WITH_DES_CBC_SHA:
-            des_setkey_enc( (des_context *) transform->ctx_enc, key1 );
-            des_setkey_dec( (des_context *) transform->ctx_dec, key2 );
-            break;
-#endif
-#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
-
-        default:
-            return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-    }
-
-    memset( keyblk, 0, sizeof( keyblk ) );
-
-#if defined(POLARSSL_ZLIB_SUPPORT)
-    // Initialize compression
-    //
-    if( session->compression == SSL_COMPRESS_DEFLATE )
-    {
-        SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
-
-        memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
-        memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
-
-        if( deflateInit( &transform->ctx_deflate, Z_DEFAULT_COMPRESSION ) != Z_OK ||
-            inflateInit( &transform->ctx_inflate ) != Z_OK )
-        {
-            SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
-            return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
-        }
-    }
-#endif /* POLARSSL_ZLIB_SUPPORT */
-
-    SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
-
-    return( 0 );
-}
-
-void ssl_calc_verify_ssl( ssl_context *ssl, unsigned char hash[36] )
-{
-    md5_context md5;
-    sha1_context sha1;
-    unsigned char pad_1[48];
-    unsigned char pad_2[48];
-
-    SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
-
-    memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context)  );
-    memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
-
-    memset( pad_1, 0x36, 48 );
-    memset( pad_2, 0x5C, 48 );
-
-    md5_update( &md5, ssl->session_negotiate->master, 48 );
-    md5_update( &md5, pad_1, 48 );
-    md5_finish( &md5, hash );
-
-    md5_starts( &md5 );
-    md5_update( &md5, ssl->session_negotiate->master, 48 );
-    md5_update( &md5, pad_2, 48 );
-    md5_update( &md5, hash,  16 );
-    md5_finish( &md5, hash );
-
-    sha1_update( &sha1, ssl->session_negotiate->master, 48 );
-    sha1_update( &sha1, pad_1, 40 );
-    sha1_finish( &sha1, hash + 16 );
-
-    sha1_starts( &sha1 );
-    sha1_update( &sha1, ssl->session_negotiate->master, 48 );
-    sha1_update( &sha1, pad_2, 40 );
-    sha1_update( &sha1, hash + 16, 20 );
-    sha1_finish( &sha1, hash + 16 );
-
-    SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
-    SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
-
-    return;
-}
-
-void ssl_calc_verify_tls( ssl_context *ssl, unsigned char hash[36] )
-{
-    md5_context md5;
-    sha1_context sha1;
-
-    SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
-
-    memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context)  );
-    memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
-
-     md5_finish( &md5,  hash );
-    sha1_finish( &sha1, hash + 16 );
-
-    SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
-    SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
-
-    return;
-}
-
-void ssl_calc_verify_tls_sha256( ssl_context *ssl, unsigned char hash[32] )
-{
-    sha2_context sha2;
-
-    SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
-
-    memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
-    sha2_finish( &sha2, hash );
-
-    SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
-    SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
-
-    return;
-}
-
-#if defined(POLARSSL_SHA4_C)
-void ssl_calc_verify_tls_sha384( ssl_context *ssl, unsigned char hash[48] )
-{
-    sha4_context sha4;
-
-    SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
-
-    memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
-    sha4_finish( &sha4, hash );
-
-    SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
-    SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
-
-    return;
-}
-#endif
-
-/*
- * SSLv3.0 MAC functions
- */
-static void ssl_mac_md5( unsigned char *secret,
-                         unsigned char *buf, size_t len,
-                         unsigned char *ctr, int type )
-{
-    unsigned char header[11];
-    unsigned char padding[48];
-    md5_context md5;
-
-    memcpy( header, ctr, 8 );
-    header[ 8] = (unsigned char)  type;
-    header[ 9] = (unsigned char)( len >> 8 );
-    header[10] = (unsigned char)( len      );
-
-    memset( padding, 0x36, 48 );
-    md5_starts( &md5 );
-    md5_update( &md5, secret,  16 );
-    md5_update( &md5, padding, 48 );
-    md5_update( &md5, header,  11 );
-    md5_update( &md5, buf,  len );
-    md5_finish( &md5, buf + len );
-
-    memset( padding, 0x5C, 48 );
-    md5_starts( &md5 );
-    md5_update( &md5, secret,  16 );
-    md5_update( &md5, padding, 48 );
-    md5_update( &md5, buf + len, 16 );
-    md5_finish( &md5, buf + len );
-}
-
-static void ssl_mac_sha1( unsigned char *secret,
-                          unsigned char *buf, size_t len,
-                          unsigned char *ctr, int type )
-{
-    unsigned char header[11];
-    unsigned char padding[40];
-    sha1_context sha1;
-
-    memcpy( header, ctr, 8 );
-    header[ 8] = (unsigned char)  type;
-    header[ 9] = (unsigned char)( len >> 8 );
-    header[10] = (unsigned char)( len      );
-
-    memset( padding, 0x36, 40 );
-    sha1_starts( &sha1 );
-    sha1_update( &sha1, secret,  20 );
-    sha1_update( &sha1, padding, 40 );
-    sha1_update( &sha1, header,  11 );
-    sha1_update( &sha1, buf,  len );
-    sha1_finish( &sha1, buf + len );
-
-    memset( padding, 0x5C, 40 );
-    sha1_starts( &sha1 );
-    sha1_update( &sha1, secret,  20 );
-    sha1_update( &sha1, padding, 40 );
-    sha1_update( &sha1, buf + len, 20 );
-    sha1_finish( &sha1, buf + len );
-}
-
-static void ssl_mac_sha2( unsigned char *secret,
-                          unsigned char *buf, size_t len,
-                          unsigned char *ctr, int type )
-{
-    unsigned char header[11];
-    unsigned char padding[32];
-    sha2_context sha2;
-
-    memcpy( header, ctr, 8 );
-    header[ 8] = (unsigned char)  type;
-    header[ 9] = (unsigned char)( len >> 8 );
-    header[10] = (unsigned char)( len      );
-
-    memset( padding, 0x36, 32 );
-    sha2_starts( &sha2, 0 );
-    sha2_update( &sha2, secret,  32 );
-    sha2_update( &sha2, padding, 32 );
-    sha2_update( &sha2, header,  11 );
-    sha2_update( &sha2, buf,  len );
-    sha2_finish( &sha2, buf + len );
-
-    memset( padding, 0x5C, 32 );
-    sha2_starts( &sha2, 0 );
-    sha2_update( &sha2, secret,  32 );
-    sha2_update( &sha2, padding, 32 );
-    sha2_update( &sha2, buf + len, 32 );
-    sha2_finish( &sha2, buf + len );
-}
-
-/*
- * Encryption/decryption functions
- */ 
-static int ssl_encrypt_buf( ssl_context *ssl )
-{
-    size_t i, padlen;
-
-    SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
-
-    /*
-     * Add MAC then encrypt
-     */
-    if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
-    {
-        if( ssl->transform_out->maclen == 16 )
-             ssl_mac_md5( ssl->transform_out->mac_enc,
-                          ssl->out_msg, ssl->out_msglen,
-                          ssl->out_ctr, ssl->out_msgtype );
-        else if( ssl->transform_out->maclen == 20 )
-            ssl_mac_sha1( ssl->transform_out->mac_enc,
-                          ssl->out_msg, ssl->out_msglen,
-                          ssl->out_ctr, ssl->out_msgtype );
-        else if( ssl->transform_out->maclen == 32 )
-            ssl_mac_sha2( ssl->transform_out->mac_enc,
-                          ssl->out_msg, ssl->out_msglen,
-                          ssl->out_ctr, ssl->out_msgtype );
-        else if( ssl->transform_out->maclen != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
-                                ssl->transform_out->maclen ) );
-            return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-        }
-    }
-    else
-    {
-        if( ssl->transform_out->maclen == 16 )
-        {
-            md5_context ctx;
-            md5_hmac_starts( &ctx, ssl->transform_out->mac_enc, 16 );
-            md5_hmac_update( &ctx, ssl->out_ctr, 13 );
-            md5_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
-            md5_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
-            memset( &ctx, 0, sizeof(md5_context));
-        }
-        else if( ssl->transform_out->maclen == 20 )
-        {
-            sha1_context ctx;
-            sha1_hmac_starts( &ctx, ssl->transform_out->mac_enc, 20 );
-            sha1_hmac_update( &ctx, ssl->out_ctr, 13 );
-            sha1_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
-            sha1_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
-            memset( &ctx, 0, sizeof(sha1_context));
-        }
-        else if( ssl->transform_out->maclen == 32 )
-        {
-            sha2_context ctx;
-            sha2_hmac_starts( &ctx, ssl->transform_out->mac_enc, 32, 0 );
-            sha2_hmac_update( &ctx, ssl->out_ctr, 13 );
-            sha2_hmac_update( &ctx, ssl->out_msg, ssl->out_msglen );
-            sha2_hmac_finish( &ctx, ssl->out_msg + ssl->out_msglen );
-            memset( &ctx, 0, sizeof(sha2_context));
-        }
-        else if( ssl->transform_out->maclen != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
-                                ssl->transform_out->maclen ) );
-            return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-        }
-    }
-
-    SSL_DEBUG_BUF( 4, "computed mac",
-                   ssl->out_msg + ssl->out_msglen, ssl->transform_out->maclen );
-
-    ssl->out_msglen += ssl->transform_out->maclen;
-
-    if( ssl->transform_out->ivlen == 0 )
-    {
-        padlen = 0;
-
-        SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
-                            "including %d bytes of padding",
-                       ssl->out_msglen, 0 ) );
-
-        SSL_DEBUG_BUF( 4, "before encrypt: output payload",
-                       ssl->out_msg, ssl->out_msglen );
-
-#if defined(POLARSSL_ARC4_C)
-        if( ssl->session_out->ciphersuite == TLS_RSA_WITH_RC4_128_MD5 ||
-            ssl->session_out->ciphersuite == TLS_RSA_WITH_RC4_128_SHA )
-        {
-            arc4_crypt( (arc4_context *) ssl->transform_out->ctx_enc,
-                        ssl->out_msglen, ssl->out_msg,
-                        ssl->out_msg );
-        } else
-#endif
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-        if( ssl->session_out->ciphersuite == TLS_RSA_WITH_NULL_MD5 ||
-            ssl->session_out->ciphersuite == TLS_RSA_WITH_NULL_SHA ||
-            ssl->session_out->ciphersuite == TLS_RSA_WITH_NULL_SHA256 )
-        {
-        } else
-#endif
-        return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-    }
-    else if( ssl->transform_out->ivlen == 12 )
-    {
-        size_t enc_msglen;
-        unsigned char *enc_msg;
-        unsigned char add_data[13];
-        int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
-
-        padlen = 0;
-        enc_msglen = ssl->out_msglen;
-
-        memcpy( add_data, ssl->out_ctr, 8 );
-        add_data[8]  = ssl->out_msgtype;
-        add_data[9]  = ssl->major_ver;
-        add_data[10] = ssl->minor_ver;
-        add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
-        add_data[12] = ssl->out_msglen & 0xFF;
-
-        SSL_DEBUG_BUF( 4, "additional data used for AEAD",
-                       add_data, 13 );
-
-#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
-
-        if( ssl->session_out->ciphersuite == TLS_RSA_WITH_AES_128_GCM_SHA256 ||
-            ssl->session_out->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
-            ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ||
-            ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-        {
-            /*
-             * Generate IV
-             */
-            ret = ssl->f_rng( ssl->p_rng,
-                        ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
-                        ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
-            if( ret != 0 )
-                return( ret );
-
-            /*
-             * Shift message for ivlen bytes and prepend IV
-             */
-            memmove( ssl->out_msg + ssl->transform_out->ivlen -
-                     ssl->transform_out->fixed_ivlen,
-                     ssl->out_msg, ssl->out_msglen );
-            memcpy( ssl->out_msg,
-                    ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
-                    ssl->transform_out->ivlen  - ssl->transform_out->fixed_ivlen );
-
-            /*
-             * Fix pointer positions and message length with added IV
-             */
-            enc_msg = ssl->out_msg + ssl->transform_out->ivlen -
-                      ssl->transform_out->fixed_ivlen;
-            enc_msglen = ssl->out_msglen;
-            ssl->out_msglen += ssl->transform_out->ivlen -
-                               ssl->transform_out->fixed_ivlen;
-
-            SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
-                                "including %d bytes of padding",
-                           ssl->out_msglen, 0 ) );
-
-            SSL_DEBUG_BUF( 4, "before encrypt: output payload",
-                           ssl->out_msg, ssl->out_msglen );
-
-            /*
-             * Adjust for tag
-             */
-            ssl->out_msglen += 16;
-            
-            gcm_crypt_and_tag( (gcm_context *) ssl->transform_out->ctx_enc,
-                    GCM_ENCRYPT, enc_msglen,
-                    ssl->transform_out->iv_enc, ssl->transform_out->ivlen,
-                    add_data, 13,
-                    enc_msg, enc_msg,
-                    16, enc_msg + enc_msglen );
-
-            SSL_DEBUG_BUF( 4, "after encrypt: tag",
-                           enc_msg + enc_msglen, 16 );
-
-        } else
-#endif
-        return( ret );
-    }
-    else
-    {
-        unsigned char *enc_msg;
-        size_t enc_msglen;
-
-        padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
-                 ssl->transform_out->ivlen;
-        if( padlen == ssl->transform_out->ivlen )
-            padlen = 0;
-
-        for( i = 0; i <= padlen; i++ )
-            ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
-
-        ssl->out_msglen += padlen + 1;
-
-        enc_msglen = ssl->out_msglen;
-        enc_msg = ssl->out_msg;
-
-        /*
-         * Prepend per-record IV for block cipher in TLS v1.1 and up as per
-         * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
-         */
-        if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
-        {
-            /*
-             * Generate IV
-             */
-            int ret = ssl->f_rng( ssl->p_rng, ssl->transform_out->iv_enc,
-                                  ssl->transform_out->ivlen );
-            if( ret != 0 )
-                return( ret );
-
-            /*
-             * Shift message for ivlen bytes and prepend IV
-             */
-            memmove( ssl->out_msg + ssl->transform_out->ivlen, ssl->out_msg,
-                     ssl->out_msglen );
-            memcpy( ssl->out_msg, ssl->transform_out->iv_enc,
-                    ssl->transform_out->ivlen );
-
-            /*
-             * Fix pointer positions and message length with added IV
-             */
-            enc_msg = ssl->out_msg + ssl->transform_out->ivlen;
-            enc_msglen = ssl->out_msglen;
-            ssl->out_msglen += ssl->transform_out->ivlen;
-        }
-
-        SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
-                            "including %d bytes of IV and %d bytes of padding",
-                       ssl->out_msglen, ssl->transform_out->ivlen, padlen + 1 ) );
-
-        SSL_DEBUG_BUF( 4, "before encrypt: output payload",
-                       ssl->out_msg, ssl->out_msglen );
-
-        switch( ssl->transform_out->ivlen )
-        {
-#if defined(POLARSSL_DES_C)
-            case  8:
-#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
-                if( ssl->session_out->ciphersuite == TLS_RSA_WITH_DES_CBC_SHA ||
-                    ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_DES_CBC_SHA )
-                {
-                    des_crypt_cbc( (des_context *) ssl->transform_out->ctx_enc,
-                                   DES_ENCRYPT, enc_msglen,
-                                   ssl->transform_out->iv_enc, enc_msg, enc_msg );
-                }
-                else
-#endif
-                    des3_crypt_cbc( (des3_context *) ssl->transform_out->ctx_enc,
-                                    DES_ENCRYPT, enc_msglen,
-                                    ssl->transform_out->iv_enc, enc_msg, enc_msg );
-                break;
-#endif
-
-            case 16:
-#if defined(POLARSSL_AES_C)
-        if ( ssl->session_out->ciphersuite == TLS_RSA_WITH_AES_128_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_RSA_WITH_AES_256_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_RSA_WITH_AES_128_CBC_SHA256 ||
-             ssl->session_out->ciphersuite == TLS_RSA_WITH_AES_256_CBC_SHA256 ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 )
-        {
-                    aes_crypt_cbc( (aes_context *) ssl->transform_out->ctx_enc,
-                        AES_ENCRYPT, enc_msglen,
-                        ssl->transform_out->iv_enc, enc_msg, enc_msg);
-                    break;
-        }
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-        if ( ssl->session_out->ciphersuite == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA ||
-             ssl->session_out->ciphersuite == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ||
-             ssl->session_out->ciphersuite == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 ||
-             ssl->session_out->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 )
-        {
-                    camellia_crypt_cbc( (camellia_context *) ssl->transform_out->ctx_enc,
-                        CAMELLIA_ENCRYPT, enc_msglen,
-                        ssl->transform_out->iv_enc, enc_msg, enc_msg );
-                    break;
-        }
-#endif
-
-            default:
-                return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-        }
-    }
-
-    for( i = 8; i > 0; i-- )
-        if( ++ssl->out_ctr[i - 1] != 0 )
-            break;
-
-    SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
-
-    return( 0 );
-}
-
-/*
- * TODO: Use digest version when integrated!
- */
-#define POLARSSL_SSL_MAX_MAC_SIZE   32
-
-static int ssl_decrypt_buf( ssl_context *ssl )
-{
-    size_t i, padlen = 0, correct = 1;
-    unsigned char tmp[POLARSSL_SSL_MAX_MAC_SIZE];
-
-    SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
-
-    if( ssl->in_msglen < ssl->transform_in->minlen )
-    {
-        SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
-                       ssl->in_msglen, ssl->transform_in->minlen ) );
-        return( POLARSSL_ERR_SSL_INVALID_MAC );
-    }
-
-    if( ssl->transform_in->ivlen == 0 )
-    {
-#if defined(POLARSSL_ARC4_C)
-        if( ssl->session_in->ciphersuite == TLS_RSA_WITH_RC4_128_MD5 ||
-            ssl->session_in->ciphersuite == TLS_RSA_WITH_RC4_128_SHA )
-        {
-            arc4_crypt( (arc4_context *) ssl->transform_in->ctx_dec,
-                    ssl->in_msglen, ssl->in_msg,
-                    ssl->in_msg );
-        } else
-#endif
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-        if( ssl->session_in->ciphersuite == TLS_RSA_WITH_NULL_MD5 ||
-            ssl->session_in->ciphersuite == TLS_RSA_WITH_NULL_SHA ||
-            ssl->session_in->ciphersuite == TLS_RSA_WITH_NULL_SHA256 )
-        {
-        } else
-#endif
-        return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-    }
-    else if( ssl->transform_in->ivlen == 12 )
-    {
-        unsigned char *dec_msg;
-        unsigned char *dec_msg_result;
-        size_t dec_msglen;
-        unsigned char add_data[13];
-        int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
-
-#if defined(POLARSSL_AES_C) && defined(POLARSSL_GCM_C)
-        if( ssl->session_in->ciphersuite == TLS_RSA_WITH_AES_128_GCM_SHA256 ||
-            ssl->session_in->ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
-            ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ||
-            ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-        {
-            dec_msglen = ssl->in_msglen - ( ssl->transform_in->ivlen -
-                                            ssl->transform_in->fixed_ivlen );
-            dec_msglen -= 16;
-            dec_msg = ssl->in_msg + ( ssl->transform_in->ivlen -
-                                      ssl->transform_in->fixed_ivlen );
-            dec_msg_result = ssl->in_msg;
-            ssl->in_msglen = dec_msglen;
-
-            memcpy( add_data, ssl->in_ctr, 8 );
-            add_data[8]  = ssl->in_msgtype;
-            add_data[9]  = ssl->major_ver;
-            add_data[10] = ssl->minor_ver;
-            add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
-            add_data[12] = ssl->in_msglen & 0xFF;
-
-            SSL_DEBUG_BUF( 4, "additional data used for AEAD",
-                           add_data, 13 );
-
-            memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
-                    ssl->in_msg,
-                    ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
-
-            SSL_DEBUG_BUF( 4, "IV used", ssl->transform_in->iv_dec,
-                                         ssl->transform_in->ivlen );
-            SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, 16 );
-
-            memcpy( ssl->transform_in->iv_dec + ssl->transform_in->fixed_ivlen,
-                    ssl->in_msg,
-                    ssl->transform_in->ivlen - ssl->transform_in->fixed_ivlen );
-
-            ret = gcm_auth_decrypt( (gcm_context *) ssl->transform_in->ctx_dec,
-                                     dec_msglen,
-                                     ssl->transform_in->iv_dec,
-                                     ssl->transform_in->ivlen,
-                                     add_data, 13,
-                                     dec_msg + dec_msglen, 16,
-                                     dec_msg, dec_msg_result );
-            
-            if( ret != 0 )
-            {
-                SSL_DEBUG_MSG( 1, ( "AEAD decrypt failed on validation (ret = -0x%02x)",
-                                    -ret ) );
-
-                return( POLARSSL_ERR_SSL_INVALID_MAC );
-            }
-        } else
-#endif
-        return( ret );
-    }
-    else
-    {
-        /*
-         * Decrypt and check the padding
-         */
-        unsigned char *dec_msg;
-        unsigned char *dec_msg_result;
-        size_t dec_msglen;
-        size_t minlen = 0;
-
-        /*
-         * Check immediate ciphertext sanity
-         */
-        if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
-                           ssl->in_msglen, ssl->transform_in->ivlen ) );
-            return( POLARSSL_ERR_SSL_INVALID_MAC );
-        }
-
-        if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
-            minlen += ssl->transform_in->ivlen;
-
-        if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
-            ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
-        {
-            SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )",
-                           ssl->in_msglen, ssl->transform_in->ivlen, ssl->transform_in->maclen ) );
-            return( POLARSSL_ERR_SSL_INVALID_MAC );
-        }
-
-        dec_msglen = ssl->in_msglen;
-        dec_msg = ssl->in_msg;
-        dec_msg_result = ssl->in_msg;
-
-        /*
-         * Initialize for prepended IV for block cipher in TLS v1.1 and up
-         */
-        if( ssl->minor_ver >= SSL_MINOR_VERSION_2 )
-        {
-            dec_msg += ssl->transform_in->ivlen;
-            dec_msglen -= ssl->transform_in->ivlen;
-            ssl->in_msglen -= ssl->transform_in->ivlen;
-
-            for( i = 0; i < ssl->transform_in->ivlen; i++ )
-                ssl->transform_in->iv_dec[i] = ssl->in_msg[i];
-        }
-
-        switch( ssl->transform_in->ivlen )
-        {
-#if defined(POLARSSL_DES_C)
-            case  8:
-#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
-                if( ssl->session_in->ciphersuite == TLS_RSA_WITH_DES_CBC_SHA ||
-                    ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_DES_CBC_SHA )
-                {
-                    des_crypt_cbc( (des_context *) ssl->transform_in->ctx_dec,
-                                   DES_DECRYPT, dec_msglen,
-                                   ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
-                }
-                else
-#endif
-                    des3_crypt_cbc( (des3_context *) ssl->transform_in->ctx_dec,
-                        DES_DECRYPT, dec_msglen,
-                        ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
-                break;
-#endif
-
-            case 16:
-#if defined(POLARSSL_AES_C)
-        if ( ssl->session_in->ciphersuite == TLS_RSA_WITH_AES_128_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_RSA_WITH_AES_256_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_RSA_WITH_AES_128_CBC_SHA256 ||
-             ssl->session_in->ciphersuite == TLS_RSA_WITH_AES_256_CBC_SHA256 ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 )
-        {
-                    aes_crypt_cbc( (aes_context *) ssl->transform_in->ctx_dec,
-                       AES_DECRYPT, dec_msglen,
-                       ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
-                    break;
-        }
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-        if ( ssl->session_in->ciphersuite == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA ||
-             ssl->session_in->ciphersuite == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ||
-             ssl->session_in->ciphersuite == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 ||
-             ssl->session_in->ciphersuite == TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 )
-        {
-                    camellia_crypt_cbc( (camellia_context *) ssl->transform_in->ctx_dec,
-                       CAMELLIA_DECRYPT, dec_msglen,
-                       ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
-                    break;
-        }
-#endif
-
-            default:
-                return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-        }
-
-        padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
-
-        if( ssl->in_msglen < ssl->transform_in->maclen + padlen )
-        {
-#if defined(POLARSSL_SSL_DEBUG_ALL)
-            SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
-                        ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
-#endif
-            padlen = 0;
-            correct = 0;
-        }
-
-        if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
-        {
-            if( padlen > ssl->transform_in->ivlen )
-            {
-#if defined(POLARSSL_SSL_DEBUG_ALL)
-                SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
-                                    "should be no more than %d",
-                               padlen, ssl->transform_in->ivlen ) );
-#endif
-                correct = 0;
-            }
-        }
-        else
-        {
-            /*
-             * TLSv1+: always check the padding up to the first failure
-             * and fake check up to 256 bytes of padding
-             */
-            size_t pad_count = 0, fake_pad_count = 0;
-            size_t padding_idx = ssl->in_msglen - padlen - 1;
-
-            for( i = 1; i <= padlen; i++ )
-                pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
-
-            for( ; i <= 256; i++ )
-                fake_pad_count += ( ssl->in_msg[padding_idx + i] == padlen - 1 );
-
-            correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
-            correct &= ( pad_count + fake_pad_count < 512 ); /* Always 1 */
-
-#if defined(POLARSSL_SSL_DEBUG_ALL)
-            if( padlen > 0 && correct == 0)
-                SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
-#endif
-            padlen &= correct * 0x1FF;
-        }
-    }
-
-    SSL_DEBUG_BUF( 4, "raw buffer after decryption",
-                   ssl->in_msg, ssl->in_msglen );
-
-    /*
-     * Always compute the MAC (RFC4346, CBCTIME).
-     */
-    ssl->in_msglen -= ( ssl->transform_in->maclen + padlen );
-
-    ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
-    ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen      );
-
-    memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen );
-
-    if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
-    {
-        if( ssl->transform_in->maclen == 16 )
-             ssl_mac_md5( ssl->transform_in->mac_dec,
-                          ssl->in_msg, ssl->in_msglen,
-                          ssl->in_ctr, ssl->in_msgtype );
-        else if( ssl->transform_in->maclen == 20 )
-            ssl_mac_sha1( ssl->transform_in->mac_dec,
-                          ssl->in_msg, ssl->in_msglen,
-                          ssl->in_ctr, ssl->in_msgtype );
-        else if( ssl->transform_in->maclen == 32 )
-            ssl_mac_sha2( ssl->transform_in->mac_dec,
-                          ssl->in_msg, ssl->in_msglen,
-                          ssl->in_ctr, ssl->in_msgtype );
-        else if( ssl->transform_in->maclen != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
-                                ssl->transform_in->maclen ) );
-            return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-        }
-    }
-    else
-    {
-        /*
-         * Process MAC and always update for padlen afterwards to make
-         * total time independent of padlen
-         *
-         * extra_run compensates MAC check for padlen 
-         *
-         * Known timing attacks:
-         *  - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
-         *
-         * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
-         * correctly. (We round down instead of up, so -56 is the correct
-         * value for our calculations instead of -55)
-         */
-        int j, extra_run = 0;
-        extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
-                    ( 13 + ssl->in_msglen          + 8 ) / 64;
-
-        extra_run &= correct * 0xFF;
-
-        if( ssl->transform_in->maclen == 16 )
-        {
-            md5_context ctx;
-            md5_hmac_starts( &ctx, ssl->transform_in->mac_dec, 16 );
-            md5_hmac_update( &ctx, ssl->in_ctr,  ssl->in_msglen + 13 );
-            md5_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
-
-            for( j = 0; j < extra_run; j++ )
-                md5_process( &ctx, ssl->in_msg ); 
-        }
-        else if( ssl->transform_in->maclen == 20 )
-        {
-            sha1_context ctx;
-            sha1_hmac_starts( &ctx, ssl->transform_in->mac_dec, 20 );
-            sha1_hmac_update( &ctx, ssl->in_ctr,  ssl->in_msglen + 13 );
-            sha1_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
-
-            for( j = 0; j < extra_run; j++ )
-                sha1_process( &ctx, ssl->in_msg ); 
-        }
-        else if( ssl->transform_in->maclen == 32 )
-        {
-            sha2_context ctx;
-            sha2_hmac_starts( &ctx, ssl->transform_in->mac_dec, 32, 0 );
-            sha2_hmac_update( &ctx, ssl->in_ctr,  ssl->in_msglen + 13 );
-            sha2_hmac_finish( &ctx, ssl->in_msg + ssl->in_msglen );
-
-            for( j = 0; j < extra_run; j++ )
-                sha2_process( &ctx, ssl->in_msg ); 
-        }
-        else if( ssl->transform_in->maclen != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "invalid MAC len: %d",
-                                ssl->transform_in->maclen ) );
-            return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
-        }
-    }
-
-    SSL_DEBUG_BUF( 4, "message  mac", tmp, ssl->transform_in->maclen );
-    SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen,
-                   ssl->transform_in->maclen );
-
-    if( memcmp( tmp, ssl->in_msg + ssl->in_msglen,
-                     ssl->transform_in->maclen ) != 0 )
-    {
-#if defined(POLARSSL_SSL_DEBUG_ALL)
-        SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
-#endif
-        correct = 0;
-    }
-
-    /*
-     * Finally check the correct flag
-     */
-    if( correct == 0 )
-        return( POLARSSL_ERR_SSL_INVALID_MAC );
-
-    if( ssl->in_msglen == 0 )
-    {
-        ssl->nb_zero++;
-
-        /*
-         * Three or more empty messages may be a DoS attack
-         * (excessive CPU consumption).
-         */
-        if( ssl->nb_zero > 3 )
-        {
-            SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
-                                "messages, possible DoS attack" ) );
-            return( POLARSSL_ERR_SSL_INVALID_MAC );
-        }
-    }
-    else
-        ssl->nb_zero = 0;
-            
-    for( i = 8; i > 0; i-- )
-        if( ++ssl->in_ctr[i - 1] != 0 )
-            break;
-
-    SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_ZLIB_SUPPORT)
-/*
- * Compression/decompression functions
- */
-static int ssl_compress_buf( ssl_context *ssl )
-{
-    int ret;
-    unsigned char *msg_post = ssl->out_msg;
-    size_t len_pre = ssl->out_msglen;
-    unsigned char *msg_pre;
-
-    SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
-
-    msg_pre = (unsigned char*) malloc( len_pre );
-    if( msg_pre == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-    }
-
-    memcpy( msg_pre, ssl->out_msg, len_pre );
-
-    SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
-                   ssl->out_msglen ) );
-
-    SSL_DEBUG_BUF( 4, "before compression: output payload",
-                   ssl->out_msg, ssl->out_msglen );
-
-    ssl->transform_out->ctx_deflate.next_in = msg_pre;
-    ssl->transform_out->ctx_deflate.avail_in = len_pre;
-    ssl->transform_out->ctx_deflate.next_out = msg_post;
-    ssl->transform_out->ctx_deflate.avail_out = SSL_BUFFER_LEN;
-
-    ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
-    if( ret != Z_OK )
-    {
-        SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
-        return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
-    }
-
-    ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
-
-    free( msg_pre );
-
-    SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
-                   ssl->out_msglen ) );
-
-    SSL_DEBUG_BUF( 4, "after compression: output payload",
-                   ssl->out_msg, ssl->out_msglen );
-
-    SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
-
-    return( 0 );
-}
-
-static int ssl_decompress_buf( ssl_context *ssl )
-{
-    int ret;
-    unsigned char *msg_post = ssl->in_msg;
-    size_t len_pre = ssl->in_msglen;
-    unsigned char *msg_pre;
-
-    SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
-
-    msg_pre = (unsigned char*) malloc( len_pre );
-    if( msg_pre == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-    }
-
-    memcpy( msg_pre, ssl->in_msg, len_pre );
-
-    SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
-                   ssl->in_msglen ) );
-
-    SSL_DEBUG_BUF( 4, "before decompression: input payload",
-                   ssl->in_msg, ssl->in_msglen );
-
-    ssl->transform_in->ctx_inflate.next_in = msg_pre;
-    ssl->transform_in->ctx_inflate.avail_in = len_pre;
-    ssl->transform_in->ctx_inflate.next_out = msg_post;
-    ssl->transform_in->ctx_inflate.avail_out = SSL_MAX_CONTENT_LEN;
-
-    ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
-    if( ret != Z_OK )
-    {
-        SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
-        return( POLARSSL_ERR_SSL_COMPRESSION_FAILED );
-    }
-
-    ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
-
-    free( msg_pre );
-
-    SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
-                   ssl->in_msglen ) );
-
-    SSL_DEBUG_BUF( 4, "after decompression: input payload",
-                   ssl->in_msg, ssl->in_msglen );
-
-    SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
-
-    return( 0 );
-}
-#endif /* POLARSSL_ZLIB_SUPPORT */
-
-/*
- * Fill the input message buffer
- */
-int ssl_fetch_input( ssl_context *ssl, size_t nb_want )
-{
-    int ret;
-    size_t len;
-
-    SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
-
-    while( ssl->in_left < nb_want )
-    {
-        len = nb_want - ssl->in_left;
-        ret = ssl->f_recv( ssl->p_recv, ssl->in_hdr + ssl->in_left, len );
-
-        SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
-                       ssl->in_left, nb_want ) );
-        SSL_DEBUG_RET( 2, "ssl->f_recv", ret );
-
-        if( ret == 0 )
-            return( POLARSSL_ERR_SSL_CONN_EOF );
-
-        if( ret < 0 )
-            return( ret );
-
-        ssl->in_left += ret;
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
-
-    return( 0 );
-}
-
-/*
- * Flush any data not yet written
- */
-int ssl_flush_output( ssl_context *ssl )
-{
-    int ret;
-    unsigned char *buf;
-
-    SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
-
-    while( ssl->out_left > 0 )
-    {
-        SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
-                       5 + ssl->out_msglen, ssl->out_left ) );
-
-        if( ssl->out_msglen < ssl->out_left )
-        {
-            size_t header_left = ssl->out_left - ssl->out_msglen;
-
-            buf = ssl->out_hdr + 5 - header_left;
-            ret = ssl->f_send( ssl->p_send, buf, header_left );
-            
-            SSL_DEBUG_RET( 2, "ssl->f_send (header)", ret );
-
-            if( ret <= 0 )
-                return( ret );
-
-            ssl->out_left -= ret;
-        }
-        
-        buf = ssl->out_msg + ssl->out_msglen - ssl->out_left;
-        ret = ssl->f_send( ssl->p_send, buf, ssl->out_left );
-
-        SSL_DEBUG_RET( 2, "ssl->f_send", ret );
-
-        if( ret <= 0 )
-            return( ret );
-
-        ssl->out_left -= ret;
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
-
-    return( 0 );
-}
-
-/*
- * Record layer functions
- */
-int ssl_write_record( ssl_context *ssl )
-{
-    int ret, done = 0;
-    size_t len = ssl->out_msglen;
-
-    SSL_DEBUG_MSG( 2, ( "=> write record" ) );
-
-    if( ssl->out_msgtype == SSL_MSG_HANDSHAKE )
-    {
-        ssl->out_msg[1] = (unsigned char)( ( len - 4 ) >> 16 );
-        ssl->out_msg[2] = (unsigned char)( ( len - 4 ) >>  8 );
-        ssl->out_msg[3] = (unsigned char)( ( len - 4 )       );
-
-        ssl->handshake->update_checksum( ssl, ssl->out_msg, len );
-    }
-
-#if defined(POLARSSL_ZLIB_SUPPORT)
-    if( ssl->transform_out != NULL &&
-        ssl->session_out->compression == SSL_COMPRESS_DEFLATE )
-    {
-        if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
-            return( ret );
-        }
-
-        len = ssl->out_msglen;
-    }
-#endif /*POLARSSL_ZLIB_SUPPORT */
-
-#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
-    if( ssl_hw_record_write != NULL)
-    {
-        SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_write()" ) );
-
-        ret = ssl_hw_record_write( ssl );
-        if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
-        {
-            SSL_DEBUG_RET( 1, "ssl_hw_record_write", ret );
-            return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
-        }
-        done = 1;
-    }
-#endif
-    if( !done )
-    {
-        ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
-        ssl->out_hdr[1] = (unsigned char) ssl->major_ver;
-        ssl->out_hdr[2] = (unsigned char) ssl->minor_ver;
-        ssl->out_hdr[3] = (unsigned char)( len >> 8 );
-        ssl->out_hdr[4] = (unsigned char)( len      );
-
-        if( ssl->transform_out != NULL )
-        {
-            if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
-            {
-                SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
-                return( ret );
-            }
-
-            len = ssl->out_msglen;
-            ssl->out_hdr[3] = (unsigned char)( len >> 8 );
-            ssl->out_hdr[4] = (unsigned char)( len      );
-        }
-
-        ssl->out_left = 5 + ssl->out_msglen;
-
-        SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
-                            "version = [%d:%d], msglen = %d",
-                       ssl->out_hdr[0], ssl->out_hdr[1], ssl->out_hdr[2],
-                     ( ssl->out_hdr[3] << 8 ) | ssl->out_hdr[4] ) );
-
-        SSL_DEBUG_BUF( 4, "output record header sent to network",
-                       ssl->out_hdr, 5 );
-        SSL_DEBUG_BUF( 4, "output record sent to network",
-                       ssl->out_hdr + 32, ssl->out_msglen );
-    }
-
-    if( ( ret = ssl_flush_output( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write record" ) );
-
-    return( 0 );
-}
-
-int ssl_read_record( ssl_context *ssl )
-{
-    int ret, done = 0;
-
-    SSL_DEBUG_MSG( 2, ( "=> read record" ) );
-
-    if( ssl->in_hslen != 0 &&
-        ssl->in_hslen < ssl->in_msglen )
-    {
-        /*
-         * Get next Handshake message in the current record
-         */
-        ssl->in_msglen -= ssl->in_hslen;
-
-        memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
-                 ssl->in_msglen );
-
-        ssl->in_hslen  = 4;
-        ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
-
-        SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
-                            " %d, type = %d, hslen = %d",
-                       ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
-
-        if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-
-        if( ssl->in_msglen < ssl->in_hslen )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-
-        ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
-
-        return( 0 );
-    }
-
-    ssl->in_hslen = 0;
-
-    /*
-     * Read the record header and validate it
-     */
-    if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
-        return( ret );
-    }
-
-    ssl->in_msgtype =  ssl->in_hdr[0];
-    ssl->in_msglen = ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4];
-
-    SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
-                        "version = [%d:%d], msglen = %d",
-                     ssl->in_hdr[0], ssl->in_hdr[1], ssl->in_hdr[2],
-                   ( ssl->in_hdr[3] << 8 ) | ssl->in_hdr[4] ) );
-
-    if( ssl->in_hdr[1] != ssl->major_ver )
-    {
-        SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
-        return( POLARSSL_ERR_SSL_INVALID_RECORD );
-    }
-
-    if( ssl->in_hdr[2] > ssl->max_minor_ver )
-    {
-        SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
-        return( POLARSSL_ERR_SSL_INVALID_RECORD );
-    }
-
-    /*
-     * Make sure the message length is acceptable
-     */
-    if( ssl->transform_in == NULL )
-    {
-        if( ssl->in_msglen < 1 ||
-            ssl->in_msglen > SSL_MAX_CONTENT_LEN )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-    }
-    else
-    {
-        if( ssl->in_msglen < ssl->transform_in->minlen )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-
-        if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
-            ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-
-        /*
-         * TLS encrypted messages can have up to 256 bytes of padding
-         */
-        if( ssl->minor_ver >= SSL_MINOR_VERSION_1 &&
-            ssl->in_msglen > ssl->transform_in->minlen + SSL_MAX_CONTENT_LEN + 256 )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-    }
-
-    /*
-     * Read and optionally decrypt the message contents
-     */
-    if( ( ret = ssl_fetch_input( ssl, 5 + ssl->in_msglen ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_BUF( 4, "input record from network",
-                   ssl->in_hdr, 5 + ssl->in_msglen );
-
-#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
-    if( ssl_hw_record_read != NULL)
-    {
-        SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_read()" ) );
-
-        ret = ssl_hw_record_read( ssl );
-        if( ret != 0 && ret != POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH )
-        {
-            SSL_DEBUG_RET( 1, "ssl_hw_record_read", ret );
-            return POLARSSL_ERR_SSL_HW_ACCEL_FAILED;
-        }
-        done = 1;
-    }
-#endif
-    if( !done && ssl->transform_in != NULL )
-    {
-        if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
-        {
-#if defined(POLARSSL_SSL_ALERT_MESSAGES)
-            if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
-            {
-                ssl_send_alert_message( ssl,
-                                        SSL_ALERT_LEVEL_FATAL,
-                                        SSL_ALERT_MSG_BAD_RECORD_MAC );
-            }
-#endif
-            SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
-            return( ret );
-        }
-
-        SSL_DEBUG_BUF( 4, "input payload after decrypt",
-                       ssl->in_msg, ssl->in_msglen );
-
-        if( ssl->in_msglen > SSL_MAX_CONTENT_LEN )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad message length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-    }
-
-#if defined(POLARSSL_ZLIB_SUPPORT)
-    if( ssl->transform_in != NULL &&
-        ssl->session_in->compression == SSL_COMPRESS_DEFLATE )
-    {
-        if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
-            return( ret );
-        }
-
-        ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
-        ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen      );
-    }
-#endif /* POLARSSL_ZLIB_SUPPORT */
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE &&
-        ssl->in_msgtype != SSL_MSG_ALERT &&
-        ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC &&
-        ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
-    {
-        SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
-
-        if( ( ret = ssl_send_alert_message( ssl,
-                        SSL_ALERT_LEVEL_FATAL,
-                        SSL_ALERT_MSG_UNEXPECTED_MESSAGE ) ) != 0 )
-        {
-            return( ret );
-        }
-
-        return( POLARSSL_ERR_SSL_INVALID_RECORD );
-    }
-
-    if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
-    {
-        ssl->in_hslen  = 4;
-        ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
-
-        SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
-                            " %d, type = %d, hslen = %d",
-                       ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
-
-        /*
-         * Additional checks to validate the handshake header
-         */
-        if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-
-        if( ssl->in_msglen < ssl->in_hslen )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
-            return( POLARSSL_ERR_SSL_INVALID_RECORD );
-        }
-
-        if( ssl->state != SSL_HANDSHAKE_OVER )
-            ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
-    }
-
-    if( ssl->in_msgtype == SSL_MSG_ALERT )
-    {
-        SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
-                       ssl->in_msg[0], ssl->in_msg[1] ) );
-
-        /*
-         * Ignore non-fatal alerts, except close_notify
-         */
-        if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
-        {
-            SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
-                           ssl->in_msg[1] ) );
-            /**
-             * Subtract from error code as ssl->in_msg[1] is 7-bit positive
-             * error identifier.
-             */
-            return( POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE );
-        }
-
-        if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
-            ssl->in_msg[1] == SSL_ALERT_MSG_CLOSE_NOTIFY )
-        {
-            SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
-            return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
-        }
-    }
-
-    ssl->in_left = 0;
-
-    SSL_DEBUG_MSG( 2, ( "<= read record" ) );
-
-    return( 0 );
-}
-
-int ssl_send_fatal_handshake_failure( ssl_context *ssl )
-{
-    int ret;
-
-    if( ( ret = ssl_send_alert_message( ssl,
-                    SSL_ALERT_LEVEL_FATAL,
-                    SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
-    {
-        return( ret );
-    }
-
-    return( 0 );
-}
-
-int ssl_send_alert_message( ssl_context *ssl,
-                            unsigned char level,
-                            unsigned char message )
-{
-    int ret;
-
-    SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
-
-    ssl->out_msgtype = SSL_MSG_ALERT;
-    ssl->out_msglen = 2;
-    ssl->out_msg[0] = level;
-    ssl->out_msg[1] = message;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
-
-    return( 0 );
-}
-
-/*
- * Handshake functions
- */
-int ssl_write_certificate( ssl_context *ssl )
-{
-    int ret;
-    size_t i, n;
-    const x509_cert *crt;
-
-    SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
-
-    if( ssl->endpoint == SSL_IS_CLIENT )
-    {
-        if( ssl->client_auth == 0 )
-        {
-            SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
-            ssl->state++;
-            return( 0 );
-        }
-
-        /*
-         * If using SSLv3 and got no cert, send an Alert message
-         * (otherwise an empty Certificate message will be sent).
-         */
-        if( ssl->own_cert  == NULL &&
-            ssl->minor_ver == SSL_MINOR_VERSION_0 )
-        {
-            ssl->out_msglen  = 2;
-            ssl->out_msgtype = SSL_MSG_ALERT;
-            ssl->out_msg[0]  = SSL_ALERT_LEVEL_WARNING;
-            ssl->out_msg[1]  = SSL_ALERT_MSG_NO_CERT;
-
-            SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
-            goto write_msg;
-        }
-    }
-    else /* SSL_IS_SERVER */
-    {
-        if( ssl->own_cert == NULL )
-        {
-            SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
-            return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
-        }
-    }
-
-    SSL_DEBUG_CRT( 3, "own certificate", ssl->own_cert );
-
-    /*
-     *     0  .  0    handshake type
-     *     1  .  3    handshake length
-     *     4  .  6    length of all certs
-     *     7  .  9    length of cert. 1
-     *    10  . n-1   peer certificate
-     *     n  . n+2   length of cert. 2
-     *    n+3 . ...   upper level cert, etc.
-     */
-    i = 7;
-    crt = ssl->own_cert;
-
-    while( crt != NULL )
-    {
-        n = crt->raw.len;
-        if( i + 3 + n > SSL_MAX_CONTENT_LEN )
-        {
-            SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
-                           i + 3 + n, SSL_MAX_CONTENT_LEN ) );
-            return( POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE );
-        }
-
-        ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
-        ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
-        ssl->out_msg[i + 2] = (unsigned char)( n       );
-
-        i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
-        i += n; crt = crt->next;
-    }
-
-    ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
-    ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
-    ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
-
-    ssl->out_msglen  = i;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_CERTIFICATE;
-
-write_msg:
-
-    ssl->state++;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
-
-    return( 0 );
-}
-
-int ssl_parse_certificate( ssl_context *ssl )
-{
-    int ret;
-    size_t i, n;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
-
-    if( ssl->endpoint == SSL_IS_SERVER &&
-        ssl->authmode == SSL_VERIFY_NONE )
-    {
-        ssl->verify_result = BADCERT_SKIP_VERIFY;
-        SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
-        ssl->state++;
-        return( 0 );
-    }
-
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    ssl->state++;
-
-    /*
-     * Check if the client sent an empty certificate
-     */
-    if( ssl->endpoint  == SSL_IS_SERVER &&
-        ssl->minor_ver == SSL_MINOR_VERSION_0 )
-    {
-        if( ssl->in_msglen  == 2                        &&
-            ssl->in_msgtype == SSL_MSG_ALERT            &&
-            ssl->in_msg[0]  == SSL_ALERT_LEVEL_WARNING  &&
-            ssl->in_msg[1]  == SSL_ALERT_MSG_NO_CERT )
-        {
-            SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
-
-            ssl->verify_result = BADCERT_MISSING;
-            if( ssl->authmode == SSL_VERIFY_OPTIONAL )
-                return( 0 );
-            else
-                return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
-        }
-    }
-
-    if( ssl->endpoint  == SSL_IS_SERVER &&
-        ssl->minor_ver != SSL_MINOR_VERSION_0 )
-    {
-        if( ssl->in_hslen   == 7                    &&
-            ssl->in_msgtype == SSL_MSG_HANDSHAKE    &&
-            ssl->in_msg[0]  == SSL_HS_CERTIFICATE   &&
-            memcmp( ssl->in_msg + 4, "\0\0\0", 3 ) == 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
-
-            ssl->verify_result = BADCERT_MISSING;
-            if( ssl->authmode == SSL_VERIFY_REQUIRED )
-                return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
-            else
-                return( 0 );
-        }
-    }
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
-        return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-    }
-
-    if( ssl->in_msg[0] != SSL_HS_CERTIFICATE || ssl->in_hslen < 10 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
-    }
-
-    /*
-     * Same message structure as in ssl_write_certificate()
-     */
-    n = ( ssl->in_msg[5] << 8 ) | ssl->in_msg[6];
-
-    if( ssl->in_msg[4] != 0 || ssl->in_hslen != 7 + n )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
-    }
-
-    if( ( ssl->session_negotiate->peer_cert = (x509_cert *) malloc(
-                    sizeof( x509_cert ) ) ) == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
-                       sizeof( x509_cert ) ) );
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-    }
-
-    memset( ssl->session_negotiate->peer_cert, 0, sizeof( x509_cert ) );
-
-    i = 7;
-
-    while( i < ssl->in_hslen )
-    {
-        if( ssl->in_msg[i] != 0 )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
-        }
-
-        n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
-            | (unsigned int) ssl->in_msg[i + 2];
-        i += 3;
-
-        if( n < 128 || i + n > ssl->in_hslen )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
-            return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
-        }
-
-        ret = x509parse_crt_der( ssl->session_negotiate->peer_cert,
-                                 ssl->in_msg + i, n );
-        if( ret != 0 )
-        {
-            SSL_DEBUG_RET( 1, " x509parse_crt", ret );
-            return( ret );
-        }
-
-        i += n;
-    }
-
-    SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
-
-    if( ssl->authmode != SSL_VERIFY_NONE )
-    {
-        if( ssl->ca_chain == NULL )
-        {
-            SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
-            return( POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED );
-        }
-
-        ret = x509parse_verify( ssl->session_negotiate->peer_cert,
-                                ssl->ca_chain, ssl->ca_crl,
-                                ssl->peer_cn,  &ssl->verify_result,
-                                ssl->f_vrfy, ssl->p_vrfy );
-
-        if( ret != 0 )
-            SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
-
-        if( ssl->authmode != SSL_VERIFY_REQUIRED )
-            ret = 0;
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
-
-    return( ret );
-}
-
-int ssl_write_change_cipher_spec( ssl_context *ssl )
-{
-    int ret;
-
-    SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
-
-    ssl->out_msgtype = SSL_MSG_CHANGE_CIPHER_SPEC;
-    ssl->out_msglen  = 1;
-    ssl->out_msg[0]  = 1;
-
-    ssl->state++;
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
-
-    return( 0 );
-}
-
-int ssl_parse_change_cipher_spec( ssl_context *ssl )
-{
-    int ret;
-
-    SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
-
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    if( ssl->in_msgtype != SSL_MSG_CHANGE_CIPHER_SPEC )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
-        return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-    }
-
-    if( ssl->in_msglen != 1 || ssl->in_msg[0] != 1 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC );
-    }
-
-    ssl->state++;
-
-    SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
-
-    return( 0 );
-}
-
-void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite )
-{
-#if !defined(POLARSSL_SHA4_C)
-    ((void) ciphersuite);
-#endif
-
-    if( ssl->minor_ver < SSL_MINOR_VERSION_3 )
-        ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
-#if defined(POLARSSL_SHA4_C)
-    else if ( ciphersuite == TLS_RSA_WITH_AES_256_GCM_SHA384 ||
-              ciphersuite == TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 )
-    {
-        ssl->handshake->update_checksum = ssl_update_checksum_sha384;
-    }
-#endif
-    else
-        ssl->handshake->update_checksum = ssl_update_checksum_sha256;
-}
-    
-static void ssl_update_checksum_start( ssl_context *ssl, unsigned char *buf,
-                                       size_t len )
-{
-     md5_update( &ssl->handshake->fin_md5 , buf, len );
-    sha1_update( &ssl->handshake->fin_sha1, buf, len );
-    sha2_update( &ssl->handshake->fin_sha2, buf, len );
-#if defined(POLARSSL_SHA4_C)
-    sha4_update( &ssl->handshake->fin_sha4, buf, len );
-#endif
-}
-
-static void ssl_update_checksum_md5sha1( ssl_context *ssl, unsigned char *buf,
-                                         size_t len )
-{
-     md5_update( &ssl->handshake->fin_md5 , buf, len );
-    sha1_update( &ssl->handshake->fin_sha1, buf, len );
-}
-
-static void ssl_update_checksum_sha256( ssl_context *ssl, unsigned char *buf,
-                                        size_t len )
-{
-    sha2_update( &ssl->handshake->fin_sha2, buf, len );
-}
-
-#if defined(POLARSSL_SHA4_C)
-static void ssl_update_checksum_sha384( ssl_context *ssl, unsigned char *buf,
-                                        size_t len )
-{
-    sha4_update( &ssl->handshake->fin_sha4, buf, len );
-}
-#endif
-
-static void ssl_calc_finished_ssl(
-                ssl_context *ssl, unsigned char *buf, int from )
-{
-    const char *sender;
-    md5_context  md5;
-    sha1_context sha1;
-
-    unsigned char padbuf[48];
-    unsigned char md5sum[16];
-    unsigned char sha1sum[20];
-
-    ssl_session *session = ssl->session_negotiate;
-    if( !session )
-        session = ssl->session;
-
-    SSL_DEBUG_MSG( 2, ( "=> calc  finished ssl" ) );
-
-    memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context)  );
-    memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
-
-    /*
-     * SSLv3:
-     *   hash =
-     *      MD5( master + pad2 +
-     *          MD5( handshake + sender + master + pad1 ) )
-     *   + SHA1( master + pad2 +
-     *         SHA1( handshake + sender + master + pad1 ) )
-     */
-
-#if !defined(POLARSSL_MD5_ALT)
-    SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
-                    md5.state, sizeof(  md5.state ) );
-#endif
-
-#if !defined(POLARSSL_SHA1_ALT)
-    SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
-                   sha1.state, sizeof( sha1.state ) );
-#endif
-
-    sender = ( from == SSL_IS_CLIENT ) ? "CLNT"
-                                       : "SRVR";
-
-    memset( padbuf, 0x36, 48 );
-
-    md5_update( &md5, (const unsigned char *) sender, 4 );
-    md5_update( &md5, session->master, 48 );
-    md5_update( &md5, padbuf, 48 );
-    md5_finish( &md5, md5sum );
-
-    sha1_update( &sha1, (const unsigned char *) sender, 4 );
-    sha1_update( &sha1, session->master, 48 );
-    sha1_update( &sha1, padbuf, 40 );
-    sha1_finish( &sha1, sha1sum );
-
-    memset( padbuf, 0x5C, 48 );
-
-    md5_starts( &md5 );
-    md5_update( &md5, session->master, 48 );
-    md5_update( &md5, padbuf, 48 );
-    md5_update( &md5, md5sum, 16 );
-    md5_finish( &md5, buf );
-
-    sha1_starts( &sha1 );
-    sha1_update( &sha1, session->master, 48 );
-    sha1_update( &sha1, padbuf , 40 );
-    sha1_update( &sha1, sha1sum, 20 );
-    sha1_finish( &sha1, buf + 16 );
-
-    SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
-
-    memset(  &md5, 0, sizeof(  md5_context ) );
-    memset( &sha1, 0, sizeof( sha1_context ) );
-
-    memset(  padbuf, 0, sizeof(  padbuf ) );
-    memset(  md5sum, 0, sizeof(  md5sum ) );
-    memset( sha1sum, 0, sizeof( sha1sum ) );
-
-    SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
-}
-
-static void ssl_calc_finished_tls(
-                ssl_context *ssl, unsigned char *buf, int from )
-{
-    int len = 12;
-    const char *sender;
-    md5_context  md5;
-    sha1_context sha1;
-    unsigned char padbuf[36];
-
-    ssl_session *session = ssl->session_negotiate;
-    if( !session )
-        session = ssl->session;
-
-    SSL_DEBUG_MSG( 2, ( "=> calc  finished tls" ) );
-
-    memcpy( &md5 , &ssl->handshake->fin_md5 , sizeof(md5_context)  );
-    memcpy( &sha1, &ssl->handshake->fin_sha1, sizeof(sha1_context) );
-
-    /*
-     * TLSv1:
-     *   hash = PRF( master, finished_label,
-     *               MD5( handshake ) + SHA1( handshake ) )[0..11]
-     */
-
-#if !defined(POLARSSL_MD5_ALT)
-    SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
-                    md5.state, sizeof(  md5.state ) );
-#endif
-
-#if !defined(POLARSSL_SHA1_ALT)
-    SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
-                   sha1.state, sizeof( sha1.state ) );
-#endif
-
-    sender = ( from == SSL_IS_CLIENT )
-             ? "client finished"
-             : "server finished";
-
-    md5_finish(  &md5, padbuf );
-    sha1_finish( &sha1, padbuf + 16 );
-
-    ssl->handshake->tls_prf( session->master, 48, (char *) sender,
-                             padbuf, 36, buf, len );
-
-    SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
-
-    memset(  &md5, 0, sizeof(  md5_context ) );
-    memset( &sha1, 0, sizeof( sha1_context ) );
-
-    memset(  padbuf, 0, sizeof(  padbuf ) );
-
-    SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
-}
-
-static void ssl_calc_finished_tls_sha256(
-                ssl_context *ssl, unsigned char *buf, int from )
-{
-    int len = 12;
-    const char *sender;
-    sha2_context sha2;
-    unsigned char padbuf[32];
-
-    ssl_session *session = ssl->session_negotiate;
-    if( !session )
-        session = ssl->session;
-
-    SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha256" ) );
-
-    memcpy( &sha2, &ssl->handshake->fin_sha2, sizeof(sha2_context) );
-
-    /*
-     * TLSv1.2:
-     *   hash = PRF( master, finished_label,
-     *               Hash( handshake ) )[0.11]
-     */
-
-#if !defined(POLARSSL_SHA2_ALT)
-    SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
-                   sha2.state, sizeof( sha2.state ) );
-#endif
-
-    sender = ( from == SSL_IS_CLIENT )
-             ? "client finished"
-             : "server finished";
-
-    sha2_finish( &sha2, padbuf );
-
-    ssl->handshake->tls_prf( session->master, 48, (char *) sender,
-                             padbuf, 32, buf, len );
-
-    SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
-
-    memset( &sha2, 0, sizeof( sha2_context ) );
-
-    memset(  padbuf, 0, sizeof(  padbuf ) );
-
-    SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
-}
-
-#if defined(POLARSSL_SHA4_C)
-static void ssl_calc_finished_tls_sha384(
-                ssl_context *ssl, unsigned char *buf, int from )
-{
-    int len = 12;
-    const char *sender;
-    sha4_context sha4;
-    unsigned char padbuf[48];
-
-    ssl_session *session = ssl->session_negotiate;
-    if( !session )
-        session = ssl->session;
-
-    SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha384" ) );
-
-    memcpy( &sha4, &ssl->handshake->fin_sha4, sizeof(sha4_context) );
-
-    /*
-     * TLSv1.2:
-     *   hash = PRF( master, finished_label,
-     *               Hash( handshake ) )[0.11]
-     */
-
-#if !defined(POLARSSL_SHA4_ALT)
-    SSL_DEBUG_BUF( 4, "finished sha4 state", (unsigned char *)
-                   sha4.state, sizeof( sha4.state ) );
-#endif
-
-    sender = ( from == SSL_IS_CLIENT )
-             ? "client finished"
-             : "server finished";
-
-    sha4_finish( &sha4, padbuf );
-
-    ssl->handshake->tls_prf( session->master, 48, (char *) sender,
-                             padbuf, 48, buf, len );
-
-    SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
-
-    memset( &sha4, 0, sizeof( sha4_context ) );
-
-    memset(  padbuf, 0, sizeof(  padbuf ) );
-
-    SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
-}
-#endif
-
-void ssl_handshake_wrapup( ssl_context *ssl )
-{
-    SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
-
-    /*
-     * Free our handshake params
-     */
-    ssl_handshake_free( ssl->handshake );
-    free( ssl->handshake );
-    ssl->handshake = NULL;
-
-    /*
-     * Switch in our now active transform context
-     */
-    if( ssl->transform )
-    {
-        ssl_transform_free( ssl->transform );
-        free( ssl->transform );
-    }
-    ssl->transform = ssl->transform_negotiate;
-    ssl->transform_negotiate = NULL;
-
-    if( ssl->session )
-    {
-        ssl_session_free( ssl->session );
-        free( ssl->session );
-    }
-    ssl->session = ssl->session_negotiate;
-    ssl->session_negotiate = NULL;
-
-    /*
-     * Add cache entry
-     */
-    if( ssl->f_set_cache != NULL )
-        if( ssl->f_set_cache( ssl->p_set_cache, ssl->session ) != 0 )
-            SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
-
-    ssl->state++;
-
-    SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
-}
-
-int ssl_write_finished( ssl_context *ssl )
-{
-    int ret, hash_len;
-
-    SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
-
-    ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->endpoint );
-
-    // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
-    hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
-
-    ssl->verify_data_len = hash_len;
-    memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
-
-    ssl->out_msglen  = 4 + hash_len;
-    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
-    ssl->out_msg[0]  = SSL_HS_FINISHED;
-
-    /*
-     * In case of session resuming, invert the client and server
-     * ChangeCipherSpec messages order.
-     */
-    if( ssl->handshake->resume != 0 )
-    {
-        if( ssl->endpoint == SSL_IS_CLIENT )
-            ssl->state = SSL_HANDSHAKE_WRAPUP;
-        else
-            ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
-    }
-    else
-        ssl->state++;
-
-    /*
-     * Switch to our negotiated transform and session parameters for outbound data.
-     */
-    SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
-    ssl->transform_out = ssl->transform_negotiate;
-    ssl->session_out = ssl->session_negotiate;
-    memset( ssl->out_ctr, 0, 8 );
-
-    if( ( ret = ssl_write_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
-
-    return( 0 );
-}
-
-int ssl_parse_finished( ssl_context *ssl )
-{
-    int ret;
-    unsigned int hash_len;
-    unsigned char buf[36];
-
-    SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
-
-    ssl->handshake->calc_finished( ssl, buf, ssl->endpoint ^ 1 );
-
-    /*
-     * Switch to our negotiated transform and session parameters for inbound data.
-     */
-    SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
-    ssl->transform_in = ssl->transform_negotiate;
-    ssl->session_in = ssl->session_negotiate;
-    memset( ssl->in_ctr, 0, 8 );
-
-    if( ( ret = ssl_read_record( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-        return( ret );
-    }
-
-    if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
-        return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-    }
-
-    // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
-    hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
-
-    if( ssl->in_msg[0] != SSL_HS_FINISHED ||
-        ssl->in_hslen  != 4 + hash_len )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
-    }
-
-    if( memcmp( ssl->in_msg + 4, buf, hash_len ) != 0 )
-    {
-        SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
-        return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
-    }
-
-    ssl->verify_data_len = hash_len;
-    memcpy( ssl->peer_verify_data, buf, hash_len );
-
-    if( ssl->handshake->resume != 0 )
-    {
-        if( ssl->endpoint == SSL_IS_CLIENT )
-            ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
-
-        if( ssl->endpoint == SSL_IS_SERVER )
-            ssl->state = SSL_HANDSHAKE_WRAPUP;
-    }
-    else
-        ssl->state++;
-
-    SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
-
-    return( 0 );
-}
-
-int ssl_handshake_init( ssl_context *ssl )
-{
-    if( ssl->transform_negotiate )
-        ssl_transform_free( ssl->transform_negotiate );
-    else
-        ssl->transform_negotiate = malloc( sizeof(ssl_transform) );
-
-    if( ssl->session_negotiate )
-        ssl_session_free( ssl->session_negotiate );
-    else
-        ssl->session_negotiate = malloc( sizeof(ssl_session) );
-
-    if( ssl->handshake )
-        ssl_handshake_free( ssl->handshake );
-    else
-        ssl->handshake = malloc( sizeof(ssl_handshake_params) );
-
-    if( ssl->handshake == NULL ||
-        ssl->transform_negotiate == NULL ||
-        ssl->session_negotiate == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "malloc() of ssl sub-contexts failed" ) );
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-    }
-
-    memset( ssl->handshake, 0, sizeof(ssl_handshake_params) );
-    memset( ssl->transform_negotiate, 0, sizeof(ssl_transform) );
-    memset( ssl->session_negotiate, 0, sizeof(ssl_session) );
-
-     md5_starts( &ssl->handshake->fin_md5 );
-    sha1_starts( &ssl->handshake->fin_sha1 );
-    sha2_starts( &ssl->handshake->fin_sha2, 0 );
-#if defined(POLARSSL_SHA4_C)
-    sha4_starts( &ssl->handshake->fin_sha4, 1 );
-#endif
-
-    ssl->handshake->update_checksum = ssl_update_checksum_start;
-    ssl->handshake->sig_alg = SSL_HASH_SHA1;
-    
-    return( 0 );
-}
-
-/*
- * Initialize an SSL context
- */
-int ssl_init( ssl_context *ssl )
-{
-    int ret;
-    int len = SSL_BUFFER_LEN;
-
-    memset( ssl, 0, sizeof( ssl_context ) );
-
-    /*
-     * Sane defaults
-     */
-    ssl->rsa_decrypt = ssl_rsa_decrypt;
-    ssl->rsa_sign = ssl_rsa_sign;
-    ssl->rsa_key_len = ssl_rsa_key_len;
-
-    ssl->min_major_ver = SSL_MAJOR_VERSION_3;
-    ssl->min_minor_ver = SSL_MINOR_VERSION_0;
-
-    ssl->ciphersuites = malloc( sizeof(int *) * 4 );
-    ssl_set_ciphersuites( ssl, ssl_default_ciphersuites );
-
-#if defined(POLARSSL_DHM_C)
-    if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
-                                 POLARSSL_DHM_RFC5114_MODP_1024_P) ) != 0 ||
-        ( ret = mpi_read_string( &ssl->dhm_G, 16,
-                                 POLARSSL_DHM_RFC5114_MODP_1024_G) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "mpi_read_string", ret );
-        return( ret );
-    }
-#endif
-
-    /*
-     * Prepare base structures
-     */
-    ssl->in_ctr = (unsigned char *) malloc( len );
-    ssl->in_hdr = ssl->in_ctr +  8;
-    ssl->in_msg = ssl->in_ctr + 13;
-
-    if( ssl->in_ctr == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-    }
-
-    ssl->out_ctr = (unsigned char *) malloc( len );
-    ssl->out_hdr = ssl->out_ctr +  8;
-    ssl->out_msg = ssl->out_ctr + 40;
-
-    if( ssl->out_ctr == NULL )
-    {
-        SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) );
-        free( ssl-> in_ctr );
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-    }
-
-    memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN );
-    memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
-
-    ssl->hostname = NULL;
-    ssl->hostname_len = 0;
-
-    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
-        return( ret );
-
-    return( 0 );
-}
-
-/*
- * Reset an initialized and used SSL context for re-use while retaining
- * all application-set variables, function pointers and data.
- */
-int ssl_session_reset( ssl_context *ssl )
-{
-    int ret;
-
-    ssl->state = SSL_HELLO_REQUEST;
-    ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
-    ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
-
-    ssl->verify_data_len = 0;
-    memset( ssl->own_verify_data, 0, 36 );
-    memset( ssl->peer_verify_data, 0, 36 );
-
-    ssl->in_offt = NULL;
-
-    ssl->in_msgtype = 0;
-    ssl->in_msglen = 0;
-    ssl->in_left = 0;
-
-    ssl->in_hslen = 0;
-    ssl->nb_zero = 0;
-
-    ssl->out_msgtype = 0;
-    ssl->out_msglen = 0;
-    ssl->out_left = 0;
-
-    ssl->transform_in = NULL;
-    ssl->transform_out = NULL;
-
-    memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
-    memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
-
-#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
-    if( ssl_hw_record_reset != NULL)
-    {
-        SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_reset()" ) );
-        if( ssl_hw_record_reset( ssl ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_hw_record_reset", ret );
-            return( POLARSSL_ERR_SSL_HW_ACCEL_FAILED );
-        }
-    }
-#endif
-
-    if( ssl->transform )
-    {
-        ssl_transform_free( ssl->transform );
-        free( ssl->transform );
-        ssl->transform = NULL;
-    }
-
-    if( ssl->session )
-    {
-        ssl_session_free( ssl->session );
-        free( ssl->session );
-        ssl->session = NULL;
-    }
-
-    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
-        return( ret );
-
-    return( 0 );
-}
-
-/*
- * SSL set accessors
- */
-void ssl_set_endpoint( ssl_context *ssl, int endpoint )
-{
-    ssl->endpoint   = endpoint;
-}
-
-void ssl_set_authmode( ssl_context *ssl, int authmode )
-{
-    ssl->authmode   = authmode;
-}
-
-void ssl_set_verify( ssl_context *ssl,
-                     int (*f_vrfy)(void *, x509_cert *, int, int *),
-                     void *p_vrfy )
-{
-    ssl->f_vrfy      = f_vrfy;
-    ssl->p_vrfy      = p_vrfy;
-}
-
-void ssl_set_rng( ssl_context *ssl,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng )
-{
-    ssl->f_rng      = f_rng;
-    ssl->p_rng      = p_rng;
-}
-
-void ssl_set_dbg( ssl_context *ssl,
-                  void (*f_dbg)(void *, int, const char *),
-                  void  *p_dbg )
-{
-    ssl->f_dbg      = f_dbg;
-    ssl->p_dbg      = p_dbg;
-}
-
-void ssl_set_bio( ssl_context *ssl,
-            int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
-            int (*f_send)(void *, const unsigned char *, size_t), void *p_send )
-{
-    ssl->f_recv     = f_recv;
-    ssl->f_send     = f_send;
-    ssl->p_recv     = p_recv;
-    ssl->p_send     = p_send;
-}
-
-void ssl_set_session_cache( ssl_context *ssl,
-        int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
-        int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
-{
-    ssl->f_get_cache = f_get_cache;
-    ssl->p_get_cache = p_get_cache;
-    ssl->f_set_cache = f_set_cache;
-    ssl->p_set_cache = p_set_cache;
-}
-
-void ssl_set_session( ssl_context *ssl, const ssl_session *session )
-{
-    memcpy( ssl->session_negotiate, session, sizeof(ssl_session) );
-    ssl->handshake->resume = 1;
-}
-
-void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
-{
-    ssl->ciphersuites[SSL_MINOR_VERSION_0] = ciphersuites;
-    ssl->ciphersuites[SSL_MINOR_VERSION_1] = ciphersuites;
-    ssl->ciphersuites[SSL_MINOR_VERSION_2] = ciphersuites;
-    ssl->ciphersuites[SSL_MINOR_VERSION_3] = ciphersuites;
-}
-
-void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
-                                       int major, int minor )
-{
-    if( major != SSL_MAJOR_VERSION_3 )
-        return;
-
-    if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
-        return;
-
-    ssl->ciphersuites[minor] = ciphersuites;
-}
-
-void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
-                       x509_crl *ca_crl, const char *peer_cn )
-{
-    ssl->ca_chain   = ca_chain;
-    ssl->ca_crl     = ca_crl;
-    ssl->peer_cn    = peer_cn;
-}
-
-void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
-                       rsa_context *rsa_key )
-{
-    ssl->own_cert   = own_cert;
-    ssl->rsa_key    = rsa_key;
-}
-
-void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
-                           void *rsa_key,
-                           rsa_decrypt_func rsa_decrypt,
-                           rsa_sign_func rsa_sign,
-                           rsa_key_len_func rsa_key_len )
-{
-    ssl->own_cert   = own_cert;
-    ssl->rsa_key    = rsa_key;
-    ssl->rsa_decrypt = rsa_decrypt;
-    ssl->rsa_sign = rsa_sign;
-    ssl->rsa_key_len = rsa_key_len;
-}
-
-
-#if defined(POLARSSL_DHM_C)
-int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )
-{
-    int ret;
-
-    if( ( ret = mpi_read_string( &ssl->dhm_P, 16, dhm_P ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "mpi_read_string", ret );
-        return( ret );
-    }
-
-    if( ( ret = mpi_read_string( &ssl->dhm_G, 16, dhm_G ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "mpi_read_string", ret );
-        return( ret );
-    }
-
-    return( 0 );
-}
-
-int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx )
-{
-    int ret;
-
-    if( ( ret = mpi_copy(&ssl->dhm_P, &dhm_ctx->P) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "mpi_copy", ret );
-        return( ret );
-    }
-
-    if( ( ret = mpi_copy(&ssl->dhm_G, &dhm_ctx->G) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "mpi_copy", ret );
-        return( ret );
-    }
-
-    return( 0 );
-}
-#endif /* POLARSSL_DHM_C */
-
-int ssl_set_hostname( ssl_context *ssl, const char *hostname )
-{
-    if( hostname == NULL )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
-    ssl->hostname_len = strlen( hostname );
-    ssl->hostname = (unsigned char *) malloc( ssl->hostname_len + 1 );
-
-    if( ssl->hostname == NULL )
-        return( POLARSSL_ERR_SSL_MALLOC_FAILED );
-
-    memcpy( ssl->hostname, (const unsigned char *) hostname,
-            ssl->hostname_len );
-    
-    ssl->hostname[ssl->hostname_len] = '\0';
-
-    return( 0 );
-}
-
-void ssl_set_sni( ssl_context *ssl,
-                  int (*f_sni)(void *, ssl_context *,
-                                const unsigned char *, size_t),
-                  void *p_sni )
-{
-    ssl->f_sni = f_sni;
-    ssl->p_sni = p_sni;
-}
-
-void ssl_set_max_version( ssl_context *ssl, int major, int minor )
-{
-    ssl->max_major_ver = major;
-    ssl->max_minor_ver = minor;
-}
-
-void ssl_set_min_version( ssl_context *ssl, int major, int minor )
-{
-    ssl->min_major_ver = major;
-    ssl->min_minor_ver = minor;
-}
-
-void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
-{
-    ssl->disable_renegotiation = renegotiation;
-}
-
-void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
-{
-    ssl->allow_legacy_renegotiation = allow_legacy;
-}
-
-/*
- * SSL get accessors
- */
-size_t ssl_get_bytes_avail( const ssl_context *ssl )
-{
-    return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
-}
-
-int ssl_get_verify_result( const ssl_context *ssl )
-{
-    return( ssl->verify_result );
-}
-
-const char *ssl_get_ciphersuite_name( const int ciphersuite_id )
-{
-    switch( ciphersuite_id )
-    {
-#if defined(POLARSSL_ARC4_C)
-        case TLS_RSA_WITH_RC4_128_MD5:
-            return( "TLS-RSA-WITH-RC4-128-MD5" );
-
-        case TLS_RSA_WITH_RC4_128_SHA:
-            return( "TLS-RSA-WITH-RC4-128-SHA" );
-#endif
-
-#if defined(POLARSSL_DES_C)
-        case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
-            return( "TLS-RSA-WITH-3DES-EDE-CBC-SHA" );
-
-        case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
-            return( "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA" );
-#endif
-
-#if defined(POLARSSL_AES_C)
-        case TLS_RSA_WITH_AES_128_CBC_SHA:
-            return( "TLS-RSA-WITH-AES-128-CBC-SHA" );
-
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
-            return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA" );
-
-        case TLS_RSA_WITH_AES_256_CBC_SHA:
-            return( "TLS-RSA-WITH-AES-256-CBC-SHA" );
-
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
-            return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA" );
-
-#if defined(POLARSSL_SHA2_C)
-        case TLS_RSA_WITH_AES_128_CBC_SHA256:
-            return( "TLS-RSA-WITH-AES-128-CBC-SHA256" );
-
-        case TLS_RSA_WITH_AES_256_CBC_SHA256:
-            return( "TLS-RSA-WITH-AES-256-CBC-SHA256" );
-
-        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
-            return( "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256" );
-
-        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
-            return( "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256" );
-#endif
-
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
-        case TLS_RSA_WITH_AES_128_GCM_SHA256:
-            return( "TLS-RSA-WITH-AES-128-GCM-SHA256" );
-
-        case TLS_RSA_WITH_AES_256_GCM_SHA384:
-            return( "TLS-RSA-WITH-AES-256-GCM-SHA384" );
-#endif
-
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
-        case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
-            return( "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" );
-
-        case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
-            return( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
-#endif
-#endif /* POLARSSL_AES_C */
-
-#if defined(POLARSSL_CAMELLIA_C)
-        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA:
-            return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA" );
-
-        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA:
-            return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA" );
-
-        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA:
-            return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA" );
-
-        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA:
-            return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA" );
-
-#if defined(POLARSSL_SHA2_C)
-        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256:
-            return( "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
-
-        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256:
-            return( "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256" );
-
-        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256:
-            return( "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
-
-        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256:
-            return( "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256" );
-#endif
-#endif
-
-#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-        case TLS_RSA_WITH_NULL_MD5:
-            return( "TLS-RSA-WITH-NULL-MD5" );
-        case TLS_RSA_WITH_NULL_SHA:
-            return( "TLS-RSA-WITH-NULL-SHA" );
-        case TLS_RSA_WITH_NULL_SHA256:
-            return( "TLS-RSA-WITH-NULL-SHA256" );
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-#if defined(POLARSSL_DES_C)
-        case TLS_RSA_WITH_DES_CBC_SHA:
-            return( "TLS-RSA-WITH-DES-CBC-SHA" );
-        case TLS_DHE_RSA_WITH_DES_CBC_SHA:
-            return( "TLS-DHE-RSA-WITH-DES-CBC-SHA" );
-#endif
-#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
-
-    default:
-        break;
-    }
-
-    return( "unknown" );
-}
-
-int ssl_get_ciphersuite_id( const char *ciphersuite_name )
-{
-#if defined(POLARSSL_ARC4_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-MD5"))
-        return( TLS_RSA_WITH_RC4_128_MD5 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-RC4-128-SHA"))
-        return( TLS_RSA_WITH_RC4_128_SHA );
-#endif
-
-#if defined(POLARSSL_DES_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-3DES-EDE-CBC-SHA"))
-        return( TLS_RSA_WITH_3DES_EDE_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"))
-        return( TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA );
-#endif
-
-#if defined(POLARSSL_AES_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA"))
-        return( TLS_RSA_WITH_AES_128_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"))
-        return( TLS_DHE_RSA_WITH_AES_128_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA"))
-        return( TLS_RSA_WITH_AES_256_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"))
-        return( TLS_DHE_RSA_WITH_AES_256_CBC_SHA );
-
-#if defined(POLARSSL_SHA2_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-CBC-SHA256"))
-        return( TLS_RSA_WITH_AES_128_CBC_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-CBC-SHA256"))
-        return( TLS_RSA_WITH_AES_256_CBC_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"))
-        return( TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"))
-        return( TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 );
-#endif
-
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-128-GCM-SHA256"))
-        return( TLS_RSA_WITH_AES_128_GCM_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-AES-256-GCM-SHA384"))
-        return( TLS_RSA_WITH_AES_256_GCM_SHA384 );
-#endif
-
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"))
-        return( TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"))
-        return( TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 );
-#endif
-#endif
-
-#if defined(POLARSSL_CAMELLIA_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"))
-        return( TLS_RSA_WITH_CAMELLIA_128_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"))
-        return( TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"))
-        return( TLS_RSA_WITH_CAMELLIA_256_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"))
-        return( TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA );
-
-#if defined(POLARSSL_SHA2_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
-        return( TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"))
-        return( TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
-        return( TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"))
-        return( TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 );
-#endif
-#endif
-
-#if defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES)
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-MD5"))
-        return( TLS_RSA_WITH_NULL_MD5 );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA"))
-        return( TLS_RSA_WITH_NULL_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-NULL-SHA256"))
-        return( TLS_RSA_WITH_NULL_SHA256 );
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-#if defined(POLARSSL_DES_C)
-    if (0 == strcasecmp(ciphersuite_name, "TLS-RSA-WITH-DES-CBC-SHA"))
-        return( TLS_RSA_WITH_DES_CBC_SHA );
-    if (0 == strcasecmp(ciphersuite_name, "TLS-DHE-RSA-WITH-DES-CBC-SHA"))
-        return( TLS_DHE_RSA_WITH_DES_CBC_SHA );
-#endif
-#endif /* defined(POLARSSL_ENABLE_WEAK_CIPHERSUITES) */
-
-    return( 0 );
-}
-
-const char *ssl_get_ciphersuite( const ssl_context *ssl )
-{
-    if( ssl == NULL || ssl->session == NULL )
-        return NULL;
-
-    return ssl_get_ciphersuite_name( ssl->session->ciphersuite );
-}
-
-const char *ssl_get_version( const ssl_context *ssl )
-{
-    switch( ssl->minor_ver )
-    {
-        case SSL_MINOR_VERSION_0:
-            return( "SSLv3.0" );
-
-        case SSL_MINOR_VERSION_1:
-            return( "TLSv1.0" );
-
-        case SSL_MINOR_VERSION_2:
-            return( "TLSv1.1" );
-
-        case SSL_MINOR_VERSION_3:
-            return( "TLSv1.2" );
-
-        default:
-            break;
-    }
-    return( "unknown" );
-}
-
-const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
-{
-    if( ssl == NULL || ssl->session == NULL )
-        return NULL;
-
-    return ssl->session->peer_cert;
-}
-
-const int ssl_default_ciphersuites[] =
-{
-#if defined(POLARSSL_DHM_C)
-#if defined(POLARSSL_AES_C)
-#if defined(POLARSSL_SHA2_C)
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
-    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
-#endif
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-#if defined(POLARSSL_SHA2_C)
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-#endif
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
-    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-#endif
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(POLARSSL_CAMELLIA_C)
-#if defined(POLARSSL_SHA2_C)
-    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-#if defined(POLARSSL_SHA2_C)
-    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
-#endif
-#if defined(POLARSSL_DES_C)
-    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-#endif
-#endif
-
-#if defined(POLARSSL_AES_C)
-#if defined(POLARSSL_SHA2_C)
-    TLS_RSA_WITH_AES_256_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA4_C)
-    TLS_RSA_WITH_AES_256_GCM_SHA384,
-#endif /* POLARSSL_SHA2_C */
-    TLS_RSA_WITH_AES_256_CBC_SHA,
-#endif
-#if defined(POLARSSL_CAMELLIA_C)
-#if defined(POLARSSL_SHA2_C)
-    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
-#endif
-#if defined(POLARSSL_AES_C)
-#if defined(POLARSSL_SHA2_C)
-    TLS_RSA_WITH_AES_128_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-#if defined(POLARSSL_GCM_C) && defined(POLARSSL_SHA2_C)
-    TLS_RSA_WITH_AES_128_GCM_SHA256,
-#endif /* POLARSSL_SHA2_C */
-    TLS_RSA_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(POLARSSL_CAMELLIA_C)
-#if defined(POLARSSL_SHA2_C)
-    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
-#endif /* POLARSSL_SHA2_C */
-    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
-#endif
-#if defined(POLARSSL_DES_C)
-    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-#endif
-#if defined(POLARSSL_ARC4_C)
-    TLS_RSA_WITH_RC4_128_SHA,
-    TLS_RSA_WITH_RC4_128_MD5,
-#endif
-    0
-};
-
-/*
- * Perform a single step of the SSL handshake
- */
-int ssl_handshake_step( ssl_context *ssl )
-{
-    int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
-
-#if defined(POLARSSL_SSL_CLI_C)
-    if( ssl->endpoint == SSL_IS_CLIENT )
-        ret = ssl_handshake_client_step( ssl );
-#endif
-
-#if defined(POLARSSL_SSL_SRV_C)
-    if( ssl->endpoint == SSL_IS_SERVER )
-        ret = ssl_handshake_server_step( ssl );
-#endif
-
-    return( ret );
-}
-
-/*
- * Perform the SSL handshake
- */
-int ssl_handshake( ssl_context *ssl )
-{
-    int ret = 0;
-
-    SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
-
-    while( ssl->state != SSL_HANDSHAKE_OVER )
-    {
-        ret = ssl_handshake_step( ssl );
-
-        if( ret != 0 )
-            break;
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
-
-    return( ret );
-}
-
-/*
- * Renegotiate current connection
- */
-int ssl_renegotiate( ssl_context *ssl )
-{
-    int ret;
-
-    SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
-
-    if( ssl->state != SSL_HANDSHAKE_OVER )
-        return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
-
-    ssl->state = SSL_HELLO_REQUEST;
-    ssl->renegotiation = SSL_RENEGOTIATION;
-
-    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
-        return( ret );
-
-    if( ( ret = ssl_handshake( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_handshake", ret );
-        return( ret );
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
-
-    return( 0 );
-}
-
-/*
- * Receive application data decrypted from the SSL layer
- */
-int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
-{
-    int ret;
-    size_t n;
-
-    SSL_DEBUG_MSG( 2, ( "=> read" ) );
-
-    if( ssl->state != SSL_HANDSHAKE_OVER )
-    {
-        if( ( ret = ssl_handshake( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_handshake", ret );
-            return( ret );
-        }
-    }
-
-    if( ssl->in_offt == NULL )
-    {
-        if( ( ret = ssl_read_record( ssl ) ) != 0 )
-        {
-            if( ret == POLARSSL_ERR_SSL_CONN_EOF )
-                return( 0 );
-
-            SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-            return( ret );
-        }
-
-        if( ssl->in_msglen  == 0 &&
-            ssl->in_msgtype == SSL_MSG_APPLICATION_DATA )
-        {
-            /*
-             * OpenSSL sends empty messages to randomize the IV
-             */
-            if( ( ret = ssl_read_record( ssl ) ) != 0 )
-            {
-                if( ret == POLARSSL_ERR_SSL_CONN_EOF )
-                    return( 0 );
-
-                SSL_DEBUG_RET( 1, "ssl_read_record", ret );
-                return( ret );
-            }
-        }
-
-        if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
-        {
-            SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
-
-            if( ssl->endpoint == SSL_IS_CLIENT &&
-                ( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
-                  ssl->in_hslen != 4 ) )
-            {
-                SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
-                return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-            }
-
-            if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
-                ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
-                  ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) )
-            {
-                SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
-
-                if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
-                {
-                    /*
-                     * SSLv3 does not have a "no_renegotiation" alert
-                     */
-                    if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
-                        return( ret );
-                }
-                else
-                {
-                    if( ( ret = ssl_send_alert_message( ssl,
-                                    SSL_ALERT_LEVEL_WARNING,
-                                    SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
-                    {
-                        return( ret );
-                    }
-                }
-            }
-            else
-            {
-                if( ( ret = ssl_renegotiate( ssl ) ) != 0 )
-                {
-                    SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
-                    return( ret );
-                }
-
-                return( POLARSSL_ERR_NET_WANT_READ );
-            }
-        }
-        else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
-        {
-            SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
-            return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
-        }
-
-        ssl->in_offt = ssl->in_msg;
-    }
-
-    n = ( len < ssl->in_msglen )
-        ? len : ssl->in_msglen;
-
-    memcpy( buf, ssl->in_offt, n );
-    ssl->in_msglen -= n;
-
-    if( ssl->in_msglen == 0 )
-        /* all bytes consumed  */
-        ssl->in_offt = NULL;
-    else
-        /* more data available */
-        ssl->in_offt += n;
-
-    SSL_DEBUG_MSG( 2, ( "<= read" ) );
-
-    return( (int) n );
-}
-
-/*
- * Send application data to be encrypted by the SSL layer
- */
-int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
-{
-    int ret;
-    size_t n;
-
-    SSL_DEBUG_MSG( 2, ( "=> write" ) );
-
-    if( ssl->state != SSL_HANDSHAKE_OVER )
-    {
-        if( ( ret = ssl_handshake( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_handshake", ret );
-            return( ret );
-        }
-    }
-
-    n = ( len < SSL_MAX_CONTENT_LEN )
-        ? len : SSL_MAX_CONTENT_LEN;
-
-    if( ssl->out_left != 0 )
-    {
-        if( ( ret = ssl_flush_output( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
-            return( ret );
-        }
-    }
-    else
-    {
-        ssl->out_msglen  = n;
-        ssl->out_msgtype = SSL_MSG_APPLICATION_DATA;
-        memcpy( ssl->out_msg, buf, n );
-
-        if( ( ret = ssl_write_record( ssl ) ) != 0 )
-        {
-            SSL_DEBUG_RET( 1, "ssl_write_record", ret );
-            return( ret );
-        }
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write" ) );
-
-    return( (int) n );
-}
-
-/*
- * Notify the peer that the connection is being closed
- */
-int ssl_close_notify( ssl_context *ssl )
-{
-    int ret;
-
-    SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
-
-    if( ( ret = ssl_flush_output( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
-        return( ret );
-    }
-
-    if( ssl->state == SSL_HANDSHAKE_OVER )
-    {
-        if( ( ret = ssl_send_alert_message( ssl,
-                        SSL_ALERT_LEVEL_WARNING,
-                        SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
-        {
-            return( ret );
-        }
-    }
-
-    SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
-
-    return( ret );
-}
-
-void ssl_transform_free( ssl_transform *transform )
-{
-#if defined(POLARSSL_ZLIB_SUPPORT)
-    deflateEnd( &transform->ctx_deflate );
-    inflateEnd( &transform->ctx_inflate );
-#endif
-
-    memset( transform, 0, sizeof( ssl_transform ) );
-}
-
-void ssl_handshake_free( ssl_handshake_params *handshake )
-{
-#if defined(POLARSSL_DHM_C)
-    dhm_free( &handshake->dhm_ctx );
-#endif
-    memset( handshake, 0, sizeof( ssl_handshake_params ) );
-}
-
-void ssl_session_free( ssl_session *session )
-{
-    if( session->peer_cert != NULL )
-    {
-        x509_free( session->peer_cert );
-        free( session->peer_cert );
-    }
-
-    memset( session, 0, sizeof( ssl_session ) );
-}
-
-/*
- * Free an SSL context
- */
-void ssl_free( ssl_context *ssl )
-{
-    SSL_DEBUG_MSG( 2, ( "=> free" ) );
-
-    free( ssl->ciphersuites );
-
-    if( ssl->out_ctr != NULL )
-    {
-        memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
-          free( ssl->out_ctr );
-    }
-
-    if( ssl->in_ctr != NULL )
-    {
-        memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
-          free( ssl->in_ctr );
-    }
-
-#if defined(POLARSSL_DHM_C)
-    mpi_free( &ssl->dhm_P );
-    mpi_free( &ssl->dhm_G );
-#endif
-
-    if( ssl->transform )
-    {
-        ssl_transform_free( ssl->transform );
-        free( ssl->transform );
-    }
-
-    if( ssl->handshake )
-    {
-        ssl_handshake_free( ssl->handshake );
-        ssl_transform_free( ssl->transform_negotiate );
-        ssl_session_free( ssl->session_negotiate );
-
-        free( ssl->handshake );
-        free( ssl->transform_negotiate );
-        free( ssl->session_negotiate );
-    }
-
-    if( ssl->session )
-    {
-        ssl_session_free( ssl->session );
-        free( ssl->session );
-    }
-
-    if ( ssl->hostname != NULL)
-    {
-        memset( ssl->hostname, 0, ssl->hostname_len );
-        free( ssl->hostname );
-        ssl->hostname_len = 0;
-    }
-
-#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
-    if( ssl_hw_record_finish != NULL )
-    {
-        SSL_DEBUG_MSG( 2, ( "going for ssl_hw_record_finish()" ) );
-        ssl_hw_record_finish( ssl );
-    }
-#endif
-
-    SSL_DEBUG_MSG( 2, ( "<= free" ) );
-
-    /* Actually clear after last debug message */
-    memset( ssl, 0, sizeof( ssl_context ) );
-}
-
-#endif
diff --git a/makerom/polarssl/timing.c b/makerom/polarssl/timing.c
deleted file mode 100644
index 0273d1af..00000000
--- a/makerom/polarssl/timing.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- *  Portable interface to the CPU cycle counter
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_TIMING_C)
-
-#include "polarssl/timing.h"
-
-#if defined(_WIN32)
-
-#include <windows.h>
-#include <winbase.h>
-
-struct _hr_time
-{
-    LARGE_INTEGER start;
-};
-
-#else
-
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <signal.h>
-#include <time.h>
-
-struct _hr_time
-{
-    struct timeval start;
-};
-
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&  \
-	(defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long tsc;
-    __asm   rdtsc
-    __asm   mov  [tsc], eax
-    return( tsc );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&  \
-    defined(__GNUC__) && defined(__i386__)
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long lo, hi;
-    asm( "rdtsc" : "=a" (lo), "=d" (hi) );
-    return( lo );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&  \
-    defined(__GNUC__) && (defined(__amd64__) || defined(__x86_64__))
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long lo, hi;
-    asm( "rdtsc" : "=a" (lo), "=d" (hi) ); 
-    return( lo | (hi << 32) );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&  \
-    defined(__GNUC__) && (defined(__powerpc__) || defined(__ppc__))
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long tbl, tbu0, tbu1;
-
-    do
-    {
-        asm( "mftbu %0" : "=r" (tbu0) );
-        asm( "mftb  %0" : "=r" (tbl ) );
-        asm( "mftbu %0" : "=r" (tbu1) );
-    }
-    while( tbu0 != tbu1 );
-
-    return( tbl );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&  \
-    defined(__GNUC__) && defined(__sparc64__)
-
-#if defined(__OpenBSD__)
-#warning OpenBSD does not allow access to tick register using software version instead
-#else
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long tick;
-    asm( "rdpr %%tick, %0;" : "=&r" (tick) );
-    return( tick );
-}
-#endif
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&  \
-    defined(__GNUC__) && defined(__sparc__) && !defined(__sparc64__)
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long tick;
-    asm( ".byte 0x83, 0x41, 0x00, 0x00" );
-    asm( "mov   %%g1, %0" : "=r" (tick) );
-    return( tick );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&      \
-    defined(__GNUC__) && defined(__alpha__)
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long cc;
-    asm( "rpcc %0" : "=r" (cc) );
-    return( cc & 0xFFFFFFFF );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(POLARSSL_HAVE_ASM) &&      \
-    defined(__GNUC__) && defined(__ia64__)
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    unsigned long itc;
-    asm( "mov %0 = ar.itc" : "=r" (itc) );
-    return( itc );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK) && defined(_MSC_VER)
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-unsigned long hardclock( void )
-{
-    LARGE_INTEGER offset;
-    
-	QueryPerformanceCounter( &offset );
-
-	return (unsigned long)( offset.QuadPart );
-}
-#endif
-
-#if !defined(POLARSSL_HAVE_HARDCLOCK)
-
-#define POLARSSL_HAVE_HARDCLOCK
-
-static int hardclock_init = 0;
-static struct timeval tv_init;
-
-unsigned long hardclock( void )
-{
-    struct timeval tv_cur;
-
-    if( hardclock_init == 0 )
-    {
-        gettimeofday( &tv_init, NULL );
-        hardclock_init = 1;
-    }
-
-    gettimeofday( &tv_cur, NULL );
-    return( ( tv_cur.tv_sec  - tv_init.tv_sec  ) * 1000000
-          + ( tv_cur.tv_usec - tv_init.tv_usec ) );
-}
-#endif
-
-volatile int alarmed = 0;
-
-#if defined(_WIN32)
-
-unsigned long get_timer( struct hr_time *val, int reset )
-{
-    unsigned long delta;
-    LARGE_INTEGER offset, hfreq;
-    struct _hr_time *t = (struct _hr_time *) val;
-
-    QueryPerformanceCounter(  &offset );
-    QueryPerformanceFrequency( &hfreq );
-
-    delta = (unsigned long)( ( 1000 *
-        ( offset.QuadPart - t->start.QuadPart ) ) /
-           hfreq.QuadPart );
-
-    if( reset )
-        QueryPerformanceCounter( &t->start );
-
-    return( delta );
-}
-
-DWORD WINAPI TimerProc( LPVOID uElapse )
-{   
-    Sleep( (DWORD) uElapse );
-    alarmed = 1; 
-    return( TRUE );
-}
-
-void set_alarm( int seconds )
-{   
-    DWORD ThreadId;
-
-    alarmed = 0; 
-    CloseHandle( CreateThread( NULL, 0, TimerProc,
-        (LPVOID) ( seconds * 1000 ), 0, &ThreadId ) );
-}
-
-void m_sleep( int milliseconds )
-{
-    Sleep( milliseconds );
-}
-
-#else
-
-unsigned long get_timer( struct hr_time *val, int reset )
-{
-    unsigned long delta;
-    struct timeval offset;
-    struct _hr_time *t = (struct _hr_time *) val;
-
-    gettimeofday( &offset, NULL );
-
-    delta = ( offset.tv_sec  - t->start.tv_sec  ) * 1000
-          + ( offset.tv_usec - t->start.tv_usec ) / 1000;
-
-    if( reset )
-    {
-        t->start.tv_sec  = offset.tv_sec;
-        t->start.tv_usec = offset.tv_usec;
-    }
-
-    return( delta );
-}
-
-#if defined(INTEGRITY)
-void m_sleep( int milliseconds )
-{
-    usleep( milliseconds * 1000 );
-}
-
-#else
-
-static void sighandler( int signum )
-{   
-    alarmed = 1;
-    signal( signum, sighandler );
-}
-
-void set_alarm( int seconds )
-{
-    alarmed = 0;
-    signal( SIGALRM, sighandler );
-    alarm( seconds );
-}
-
-void m_sleep( int milliseconds )
-{
-    struct timeval tv;
-
-    tv.tv_sec  = milliseconds / 1000;
-    tv.tv_usec = milliseconds * 1000;
-
-    select( 0, NULL, NULL, NULL, &tv );
-}
-#endif /* INTEGRITY */
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/version.c b/makerom/polarssl/version.c
deleted file mode 100644
index c1080b78..00000000
--- a/makerom/polarssl/version.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- *  Version information
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_VERSION_C)
-
-#include "polarssl/version.h"
-#include <string.h>
-
-const char version[] = POLARSSL_VERSION_STRING;
-
-unsigned int version_get_number()
-{
-    return POLARSSL_VERSION_NUMBER;
-}
-
-void version_get_string( char *string )
-{
-    memcpy( string, POLARSSL_VERSION_STRING, sizeof( POLARSSL_VERSION_STRING ) );
-}
-
-void version_get_string_full( char *string )
-{
-    memcpy( string, POLARSSL_VERSION_STRING_FULL, sizeof( POLARSSL_VERSION_STRING_FULL ) );
-}
-
-#endif /* POLARSSL_VERSION_C */
diff --git a/makerom/polarssl/x509parse.c b/makerom/polarssl/x509parse.c
deleted file mode 100644
index 77725e06..00000000
--- a/makerom/polarssl/x509parse.c
+++ /dev/null
@@ -1,3809 +0,0 @@
-/*
- *  X.509 certificate and private key decoding
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The ITU-T X.509 standard defines a certificate format for PKI.
- *
- *  http://www.ietf.org/rfc/rfc3279.txt
- *  http://www.ietf.org/rfc/rfc3280.txt
- *
- *  ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-1v2.asc
- *
- *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
- *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_X509_PARSE_C)
-
-#include "polarssl/x509.h"
-#include "polarssl/asn1.h"
-#include "polarssl/pem.h"
-#include "polarssl/des.h"
-#if defined(POLARSSL_MD2_C)
-#include "polarssl/md2.h"
-#endif
-#if defined(POLARSSL_MD4_C)
-#include "polarssl/md4.h"
-#endif
-#if defined(POLARSSL_MD5_C)
-#include "polarssl/md5.h"
-#endif
-#if defined(POLARSSL_SHA1_C)
-#include "polarssl/sha1.h"
-#endif
-#if defined(POLARSSL_SHA2_C)
-#include "polarssl/sha2.h"
-#endif
-#if defined(POLARSSL_SHA4_C)
-#include "polarssl/sha4.h"
-#endif
-#include "polarssl/dhm.h"
-#if defined(POLARSSL_PKCS5_C)
-#include "polarssl/pkcs5.h"
-#endif
-#if defined(POLARSSL_PKCS12_C)
-#include "polarssl/pkcs12.h"
-#endif
-
-#include <string.h>
-#include <stdlib.h>
-#if defined(_WIN32)
-#include <windows.h>
-#else
-#include <time.h>
-#endif
-
-#if defined(POLARSSL_FS_IO)
-#include <stdio.h>
-#if !defined(_WIN32)
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <dirent.h>
-#endif
-#endif
-
-/* Compare a given OID string with an OID x509_buf * */
-#define OID_CMP(oid_str, oid_buf) \
-        ( ( OID_SIZE(oid_str) == (oid_buf)->len ) && \
-                memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) == 0)
-
-/*
- *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
- */
-static int x509_get_version( unsigned char **p,
-                             const unsigned char *end,
-                             int *ver )
-{
-    int ret;
-    size_t len;
-
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0 ) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-        {
-            *ver = 0;
-            return( 0 );
-        }
-
-        return( ret );
-    }
-
-    end = *p + len;
-
-    if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret );
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_VERSION +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-/*
- *  Version  ::=  INTEGER  {  v1(0), v2(1)  }
- */
-static int x509_crl_get_version( unsigned char **p,
-                             const unsigned char *end,
-                             int *ver )
-{
-    int ret;
-
-    if( ( ret = asn1_get_int( p, end, ver ) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-        {
-            *ver = 0;
-            return( 0 );
-        }
-
-        return( POLARSSL_ERR_X509_CERT_INVALID_VERSION + ret );
-    }
-
-    return( 0 );
-}
-
-/*
- *  CertificateSerialNumber  ::=  INTEGER
- */
-static int x509_get_serial( unsigned char **p,
-                            const unsigned char *end,
-                            x509_buf *serial )
-{
-    int ret;
-
-    if( ( end - *p ) < 1 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL +
-                POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    if( **p != ( ASN1_CONTEXT_SPECIFIC | ASN1_PRIMITIVE | 2 ) &&
-        **p !=   ASN1_INTEGER )
-        return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL +
-                POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
-
-    serial->tag = *(*p)++;
-
-    if( ( ret = asn1_get_len( p, end, &serial->len ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_SERIAL + ret );
-
-    serial->p = *p;
-    *p += serial->len;
-
-    return( 0 );
-}
-
-/*
- *  AlgorithmIdentifier  ::=  SEQUENCE  {
- *       algorithm               OBJECT IDENTIFIER,
- *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
- */
-static int x509_get_alg( unsigned char **p,
-                         const unsigned char *end,
-                         x509_buf *alg )
-{
-    int ret;
-    size_t len;
-
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret );
-
-    end = *p + len;
-    alg->tag = **p;
-
-    if( ( ret = asn1_get_tag( p, end, &alg->len, ASN1_OID ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret );
-
-    alg->p = *p;
-    *p += alg->len;
-
-    if( *p == end )
-        return( 0 );
-
-    /*
-     * assume the algorithm parameters must be NULL
-     */
-    if( ( ret = asn1_get_tag( p, end, &len, ASN1_NULL ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_ALG + ret );
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_ALG +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-/*
- *  AttributeTypeAndValue ::= SEQUENCE {
- *    type     AttributeType,
- *    value    AttributeValue }
- *
- *  AttributeType ::= OBJECT IDENTIFIER
- *
- *  AttributeValue ::= ANY DEFINED BY AttributeType
- */
-static int x509_get_attr_type_value( unsigned char **p,
-                                     const unsigned char *end,
-                                     x509_name *cur )
-{
-    int ret;
-    size_t len;
-    x509_buf *oid;
-    x509_buf *val;
-
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
-
-    oid = &cur->oid;
-    oid->tag = **p;
-
-    if( ( ret = asn1_get_tag( p, end, &oid->len, ASN1_OID ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
-
-    oid->p = *p;
-    *p += oid->len;
-
-    if( ( end - *p ) < 1 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_NAME +
-                POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    if( **p != ASN1_BMP_STRING && **p != ASN1_UTF8_STRING      &&
-        **p != ASN1_T61_STRING && **p != ASN1_PRINTABLE_STRING &&
-        **p != ASN1_IA5_STRING && **p != ASN1_UNIVERSAL_STRING )
-        return( POLARSSL_ERR_X509_CERT_INVALID_NAME +
-                POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
-
-    val = &cur->val;
-    val->tag = *(*p)++;
-
-    if( ( ret = asn1_get_len( p, end, &val->len ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
-
-    val->p = *p;
-    *p += val->len;
-
-    cur->next = NULL;
-
-    return( 0 );
-}
-
-/*
- *  RelativeDistinguishedName ::=
- *    SET OF AttributeTypeAndValue
- *
- *  AttributeTypeAndValue ::= SEQUENCE {
- *    type     AttributeType,
- *    value    AttributeValue }
- *
- *  AttributeType ::= OBJECT IDENTIFIER
- *
- *  AttributeValue ::= ANY DEFINED BY AttributeType
- */
-static int x509_get_name( unsigned char **p,
-                          const unsigned char *end,
-                          x509_name *cur )
-{
-    int ret;
-    size_t len;
-    const unsigned char *end2;
-    x509_name *use; 
-    
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
-
-    end2 = end;
-    end  = *p + len;
-    use = cur;
-
-    do
-    {
-        if( ( ret = x509_get_attr_type_value( p, end, use ) ) != 0 )
-            return( ret );
-        
-        if( *p != end )
-        {
-            use->next = (x509_name *) malloc(
-                    sizeof( x509_name ) );
-
-            if( use->next == NULL )
-                return( POLARSSL_ERR_X509_MALLOC_FAILED );
-            
-            memset( use->next, 0, sizeof( x509_name ) );
-
-            use = use->next;
-        }
-    }
-    while( *p != end );
-
-    /*
-     * recurse until end of SEQUENCE is reached
-     */
-    if( *p == end2 )
-        return( 0 );
-
-    cur->next = (x509_name *) malloc(
-         sizeof( x509_name ) );
-
-    if( cur->next == NULL )
-        return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
-    memset( cur->next, 0, sizeof( x509_name ) );
-
-    return( x509_get_name( p, end2, cur->next ) );
-}
-
-/*
- *  Time ::= CHOICE {
- *       utcTime        UTCTime,
- *       generalTime    GeneralizedTime }
- */
-static int x509_get_time( unsigned char **p,
-                          const unsigned char *end,
-                          x509_time *time )
-{
-    int ret;
-    size_t len;
-    char date[64];
-    unsigned char tag;
-
-    if( ( end - *p ) < 1 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_DATE +
-                POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    tag = **p;
-
-    if ( tag == ASN1_UTC_TIME )
-    {
-        (*p)++;
-        ret = asn1_get_len( p, end, &len );
-        
-        if( ret != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret );
-
-        memset( date,  0, sizeof( date ) );
-        memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
-                len : sizeof( date ) - 1 );
-
-        if( sscanf( date, "%2d%2d%2d%2d%2d%2d",
-                    &time->year, &time->mon, &time->day,
-                    &time->hour, &time->min, &time->sec ) < 5 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_DATE );
-
-        time->year +=  100 * ( time->year < 50 );
-        time->year += 1900;
-
-        *p += len;
-
-        return( 0 );
-    }
-    else if ( tag == ASN1_GENERALIZED_TIME )
-    {
-        (*p)++;
-        ret = asn1_get_len( p, end, &len );
-        
-        if( ret != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret );
-
-        memset( date,  0, sizeof( date ) );
-        memcpy( date, *p, ( len < sizeof( date ) - 1 ) ?
-                len : sizeof( date ) - 1 );
-
-        if( sscanf( date, "%4d%2d%2d%2d%2d%2d",
-                    &time->year, &time->mon, &time->day,
-                    &time->hour, &time->min, &time->sec ) < 5 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_DATE );
-
-        *p += len;
-
-        return( 0 );
-    }
-    else
-        return( POLARSSL_ERR_X509_CERT_INVALID_DATE + POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
-}
-
-
-/*
- *  Validity ::= SEQUENCE {
- *       notBefore      Time,
- *       notAfter       Time }
- */
-static int x509_get_dates( unsigned char **p,
-                           const unsigned char *end,
-                           x509_time *from,
-                           x509_time *to )
-{
-    int ret;
-    size_t len;
-
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_DATE + ret );
-
-    end = *p + len;
-
-    if( ( ret = x509_get_time( p, end, from ) ) != 0 )
-        return( ret );
-
-    if( ( ret = x509_get_time( p, end, to ) ) != 0 )
-        return( ret );
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_DATE +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-/*
- *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
- *       algorithm            AlgorithmIdentifier,
- *       subjectPublicKey     BIT STRING }
- */
-static int x509_get_pubkey( unsigned char **p,
-                            const unsigned char *end,
-                            x509_buf *pk_alg_oid,
-                            mpi *N, mpi *E )
-{
-    int ret;
-    size_t len;
-    unsigned char *end2;
-
-    if( ( ret = x509_get_alg( p, end, pk_alg_oid ) ) != 0 )
-        return( ret );
-
-    /*
-     * only RSA public keys handled at this time
-     */
-    if( pk_alg_oid->len != 9 ||
-        memcmp( pk_alg_oid->p, OID_PKCS1_RSA, 9 ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG );
-    }
-
-    if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret );
-
-    if( ( end - *p ) < 1 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY +
-                POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    end2 = *p + len;
-
-    if( *(*p)++ != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY );
-
-    /*
-     *  RSAPublicKey ::= SEQUENCE {
-     *      modulus           INTEGER,  -- n
-     *      publicExponent    INTEGER   -- e
-     *  }
-     */
-    if( ( ret = asn1_get_tag( p, end2, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret );
-
-    if( *p + len != end2 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    if( ( ret = asn1_get_mpi( p, end2, N ) ) != 0 ||
-        ( ret = asn1_get_mpi( p, end2, E ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret );
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-static int x509_get_sig( unsigned char **p,
-                         const unsigned char *end,
-                         x509_buf *sig )
-{
-    int ret;
-    size_t len;
-
-    if( ( end - *p ) < 1 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE +
-                POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-    sig->tag = **p;
-
-    if( ( ret = asn1_get_tag( p, end, &len, ASN1_BIT_STRING ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE + ret );
-
-
-    if( --len < 1 || *(*p)++ != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE );
-
-    sig->len = len;
-    sig->p = *p;
-
-    *p += len;
-
-    return( 0 );
-}
-
-/*
- * X.509 v2/v3 unique identifier (not parsed)
- */
-static int x509_get_uid( unsigned char **p,
-                         const unsigned char *end,
-                         x509_buf *uid, int n )
-{
-    int ret;
-
-    if( *p == end )
-        return( 0 );
-
-    uid->tag = **p;
-
-    if( ( ret = asn1_get_tag( p, end, &uid->len,
-            ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | n ) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-            return( 0 );
-
-        return( ret );
-    }
-
-    uid->p = *p;
-    *p += uid->len;
-
-    return( 0 );
-}
-
-/*
- * X.509 Extensions (No parsing of extensions, pointer should
- * be either manually updated or extensions should be parsed!
- */
-static int x509_get_ext( unsigned char **p,
-                         const unsigned char *end,
-                         x509_buf *ext, int tag )
-{
-    int ret;
-    size_t len;
-
-    if( *p == end )
-        return( 0 );
-
-    ext->tag = **p;
-
-    if( ( ret = asn1_get_tag( p, end, &ext->len,
-            ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | tag ) ) != 0 )
-        return( ret );
-
-    ext->p = *p;
-    end = *p + ext->len;
-
-    /*
-     * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
-     *
-     * Extension  ::=  SEQUENCE  {
-     *      extnID      OBJECT IDENTIFIER,
-     *      critical    BOOLEAN DEFAULT FALSE,
-     *      extnValue   OCTET STRING  }
-     */
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-    if( end != *p + len )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-/*
- * X.509 CRL v2 extensions (no extensions parsed yet.)
- */
-static int x509_get_crl_ext( unsigned char **p,
-                             const unsigned char *end,
-                             x509_buf *ext )
-{
-    int ret;
-    size_t len = 0;
-
-    /* Get explicit tag */
-    if( ( ret = x509_get_ext( p, end, ext, 0) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-            return( 0 );
-
-        return( ret );
-    }
-
-    while( *p < end )
-    {
-        if( ( ret = asn1_get_tag( p, end, &len,
-                ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        *p += len;
-    }
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-/*
- * X.509 CRL v2 entry extensions (no extensions parsed yet.)
- */
-static int x509_get_crl_entry_ext( unsigned char **p,
-                             const unsigned char *end,
-                             x509_buf *ext )
-{
-    int ret;
-    size_t len = 0;
-
-    /* OPTIONAL */
-    if (end <= *p)
-        return( 0 );
-
-    ext->tag = **p;
-    ext->p = *p;
-
-    /*
-     * Get CRL-entry extension sequence header
-     * crlEntryExtensions      Extensions OPTIONAL  -- if present, MUST be v2
-     */
-    if( ( ret = asn1_get_tag( p, end, &ext->len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-        {
-            ext->p = NULL;
-            return( 0 );
-        }
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-    }
-
-	end = *p + ext->len;
-
-    if( end != *p + ext->len )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    while( *p < end )
-    {
-        if( ( ret = asn1_get_tag( p, end, &len,
-                ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        *p += len;
-    }
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-static int x509_get_basic_constraints( unsigned char **p,
-                                       const unsigned char *end,
-                                       int *ca_istrue,
-                                       int *max_pathlen )
-{
-    int ret;
-    size_t len;
-
-    /*
-     * BasicConstraints ::= SEQUENCE {
-     *      cA                      BOOLEAN DEFAULT FALSE,
-     *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
-     */
-    *ca_istrue = 0; /* DEFAULT FALSE */
-    *max_pathlen = 0; /* endless */
-
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-    if( *p == end )
-        return 0;
-
-    if( ( ret = asn1_get_bool( p, end, ca_istrue ) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-            ret = asn1_get_int( p, end, ca_istrue );
-
-        if( ret != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        if( *ca_istrue != 0 )
-            *ca_istrue = 1;
-    }
-
-    if( *p == end )
-        return 0;
-
-    if( ( ret = asn1_get_int( p, end, max_pathlen ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    (*max_pathlen)++;
-
-    return 0;
-}
-
-static int x509_get_ns_cert_type( unsigned char **p,
-                                       const unsigned char *end,
-                                       unsigned char *ns_cert_type)
-{
-    int ret;
-    x509_bitstring bs = { 0, 0, NULL };
-
-    if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-    if( bs.len != 1 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_INVALID_LENGTH );
-
-    /* Get actual bitstring */
-    *ns_cert_type = *bs.p;
-    return 0;
-}
-
-static int x509_get_key_usage( unsigned char **p,
-                               const unsigned char *end,
-                               unsigned char *key_usage)
-{
-    int ret;
-    x509_bitstring bs = { 0, 0, NULL };
-
-    if( ( ret = asn1_get_bitstring( p, end, &bs ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-    if( bs.len < 1 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_INVALID_LENGTH );
-
-    /* Get actual bitstring */
-    *key_usage = *bs.p;
-    return 0;
-}
-
-/*
- * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
- *
- * KeyPurposeId ::= OBJECT IDENTIFIER
- */
-static int x509_get_ext_key_usage( unsigned char **p,
-                               const unsigned char *end,
-                               x509_sequence *ext_key_usage)
-{
-    int ret;
-
-    if( ( ret = asn1_get_sequence_of( p, end, ext_key_usage, ASN1_OID ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-    /* Sequence length must be >= 1 */
-    if( ext_key_usage->buf.p == NULL )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_INVALID_LENGTH );
-
-    return 0;
-}
-
-/*
- * SubjectAltName ::= GeneralNames
- *
- * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
- *
- * GeneralName ::= CHOICE {
- *      otherName                       [0]     OtherName,
- *      rfc822Name                      [1]     IA5String,
- *      dNSName                         [2]     IA5String,
- *      x400Address                     [3]     ORAddress,
- *      directoryName                   [4]     Name,
- *      ediPartyName                    [5]     EDIPartyName,
- *      uniformResourceIdentifier       [6]     IA5String,
- *      iPAddress                       [7]     OCTET STRING,
- *      registeredID                    [8]     OBJECT IDENTIFIER }
- *
- * OtherName ::= SEQUENCE {
- *      type-id    OBJECT IDENTIFIER,
- *      value      [0] EXPLICIT ANY DEFINED BY type-id }
- *
- * EDIPartyName ::= SEQUENCE {
- *      nameAssigner            [0]     DirectoryString OPTIONAL,
- *      partyName               [1]     DirectoryString }
- *
- * NOTE: PolarSSL only parses and uses dNSName at this point.
- */
-static int x509_get_subject_alt_name( unsigned char **p,
-                                      const unsigned char *end,
-                                      x509_sequence *subject_alt_name )
-{
-    int ret;
-    size_t len, tag_len;
-    asn1_buf *buf;
-    unsigned char tag;
-    asn1_sequence *cur = subject_alt_name;
-
-    /* Get main sequence tag */
-    if( ( ret = asn1_get_tag( p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-    if( *p + len != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    while( *p < end )
-    {
-        if( ( end - *p ) < 1 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                    POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-        tag = **p;
-        (*p)++;
-        if( ( ret = asn1_get_len( p, end, &tag_len ) ) != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        if( ( tag & ASN1_CONTEXT_SPECIFIC ) != ASN1_CONTEXT_SPECIFIC )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                    POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
-
-        if( tag != ( ASN1_CONTEXT_SPECIFIC | 2 ) )
-        {
-            *p += tag_len;
-            continue;
-        }
-
-        buf = &(cur->buf);
-        buf->tag = tag;
-        buf->p = *p;
-        buf->len = tag_len;
-        *p += buf->len;
-
-        /* Allocate and assign next pointer */
-        if (*p < end)
-        {
-            cur->next = (asn1_sequence *) malloc(
-                 sizeof( asn1_sequence ) );
-
-            if( cur->next == NULL )
-                return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                        POLARSSL_ERR_ASN1_MALLOC_FAILED );
-
-            memset( cur->next, 0, sizeof( asn1_sequence ) );
-            cur = cur->next;
-        }
-    }
-
-    /* Set final sequence entry's next pointer to NULL */
-    cur->next = NULL;
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-/*
- * X.509 v3 extensions
- *
- * TODO: Perform all of the basic constraints tests required by the RFC
- * TODO: Set values for undetected extensions to a sane default?
- *
- */
-static int x509_get_crt_ext( unsigned char **p,
-                             const unsigned char *end,
-                             x509_cert *crt )
-{
-    int ret;
-    size_t len;
-    unsigned char *end_ext_data, *end_ext_octet;
-
-    if( ( ret = x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-            return( 0 );
-
-        return( ret );
-    }
-
-    while( *p < end )
-    {
-        /*
-         * Extension  ::=  SEQUENCE  {
-         *      extnID      OBJECT IDENTIFIER,
-         *      critical    BOOLEAN DEFAULT FALSE,
-         *      extnValue   OCTET STRING  }
-         */
-        x509_buf extn_oid = {0, 0, NULL};
-        int is_critical = 0; /* DEFAULT FALSE */
-
-        if( ( ret = asn1_get_tag( p, end, &len,
-                ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        end_ext_data = *p + len;
-
-        /* Get extension ID */
-        extn_oid.tag = **p;
-
-        if( ( ret = asn1_get_tag( p, end, &extn_oid.len, ASN1_OID ) ) != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        extn_oid.p = *p;
-        *p += extn_oid.len;
-
-        if( ( end - *p ) < 1 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                    POLARSSL_ERR_ASN1_OUT_OF_DATA );
-
-        /* Get optional critical */
-        if( ( ret = asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
-            ( ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        /* Data should be octet string type */
-        if( ( ret = asn1_get_tag( p, end_ext_data, &len,
-                ASN1_OCTET_STRING ) ) != 0 )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS + ret );
-
-        end_ext_octet = *p + len;
-
-        if( end_ext_octet != end_ext_data )
-            return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                    POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-        /*
-         * Detect supported extensions
-         */
-        if( ( OID_SIZE( OID_BASIC_CONSTRAINTS ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_BASIC_CONSTRAINTS, extn_oid.len ) == 0 )
-        {
-            /* Parse basic constraints */
-            if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
-                    &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_BASIC_CONSTRAINTS;
-        }
-        else if( ( OID_SIZE( OID_NS_CERT_TYPE ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_NS_CERT_TYPE, extn_oid.len ) == 0 )
-        {
-            /* Parse netscape certificate type */
-            if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
-                    &crt->ns_cert_type ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_NS_CERT_TYPE;
-        }
-        else if( ( OID_SIZE( OID_KEY_USAGE ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_KEY_USAGE, extn_oid.len ) == 0 )
-        {
-            /* Parse key usage */
-            if( ( ret = x509_get_key_usage( p, end_ext_octet,
-                    &crt->key_usage ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_KEY_USAGE;
-        }
-        else if( ( OID_SIZE( OID_EXTENDED_KEY_USAGE ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_EXTENDED_KEY_USAGE, extn_oid.len ) == 0 )
-        {
-            /* Parse extended key usage */
-            if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
-                    &crt->ext_key_usage ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_EXTENDED_KEY_USAGE;
-        }
-        else if( ( OID_SIZE( OID_SUBJECT_ALT_NAME ) == extn_oid.len ) &&
-                memcmp( extn_oid.p, OID_SUBJECT_ALT_NAME, extn_oid.len ) == 0 )
-        {
-            /* Parse extended key usage */
-            if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
-                    &crt->subject_alt_names ) ) != 0 )
-                return ( ret );
-            crt->ext_types |= EXT_SUBJECT_ALT_NAME;
-        }
-        else
-        {
-            /* No parser found, skip extension */
-            *p = end_ext_octet;
-
-#if !defined(POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
-            if( is_critical )
-            {
-                /* Data is marked as critical: fail */
-                return ( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                        POLARSSL_ERR_ASN1_UNEXPECTED_TAG );
-            }
-#endif
-        }
-    }
-
-    if( *p != end )
-        return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-
-    return( 0 );
-}
-
-/*
- * X.509 CRL Entries
- */
-static int x509_get_entries( unsigned char **p,
-                             const unsigned char *end,
-                             x509_crl_entry *entry )
-{
-    int ret;
-    size_t entry_len;
-    x509_crl_entry *cur_entry = entry;
-
-    if( *p == end )
-        return( 0 );
-
-    if( ( ret = asn1_get_tag( p, end, &entry_len,
-            ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
-    {
-        if( ret == POLARSSL_ERR_ASN1_UNEXPECTED_TAG )
-            return( 0 );
-
-        return( ret );
-    }
-
-    end = *p + entry_len;
-
-    while( *p < end )
-    {
-        size_t len2;
-        const unsigned char *end2;
-
-        if( ( ret = asn1_get_tag( p, end, &len2,
-                ASN1_SEQUENCE | ASN1_CONSTRUCTED ) ) != 0 )
-        {
-            return( ret );
-        }
-
-        cur_entry->raw.tag = **p;
-        cur_entry->raw.p = *p;
-        cur_entry->raw.len = len2;
-        end2 = *p + len2;
-
-        if( ( ret = x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
-            return( ret );
-
-        if( ( ret = x509_get_time( p, end2, &cur_entry->revocation_date ) ) != 0 )
-            return( ret );
-
-        if( ( ret = x509_get_crl_entry_ext( p, end2, &cur_entry->entry_ext ) ) != 0 )
-            return( ret );
-
-        if ( *p < end )
-        {
-            cur_entry->next = malloc( sizeof( x509_crl_entry ) );
-
-            if( cur_entry->next == NULL )
-                return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
-            cur_entry = cur_entry->next;
-            memset( cur_entry, 0, sizeof( x509_crl_entry ) );
-        }
-    }
-
-    return( 0 );
-}
-
-static int x509_get_sig_alg( const x509_buf *sig_oid, int *sig_alg )
-{
-    if( sig_oid->len == 9 &&
-        memcmp( sig_oid->p, OID_PKCS1, 8 ) == 0 )
-    {
-        if( sig_oid->p[8] >= 2 && sig_oid->p[8] <= 5 )
-        {
-            *sig_alg = sig_oid->p[8];
-            return( 0 );
-        }
-
-        if ( sig_oid->p[8] >= 11 && sig_oid->p[8] <= 14 )
-        {
-            *sig_alg = sig_oid->p[8];
-            return( 0 );
-        }
-
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
-    }
-    if( sig_oid->len == 5 &&
-        memcmp( sig_oid->p, OID_RSA_SHA_OBS, 5 ) == 0 )
-    {
-        *sig_alg = SIG_RSA_SHA1;
-        return( 0 );
-    }
-
-    return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
-}
-
-/*
- * Parse and fill a single X.509 certificate in DER format
- */
-int x509parse_crt_der_core( x509_cert *crt, const unsigned char *buf,
-                            size_t buflen )
-{
-    int ret;
-    size_t len;
-    unsigned char *p, *end, *crt_end;
-
-    /*
-     * Check for valid input
-     */
-    if( crt == NULL || buf == NULL )
-        return( POLARSSL_ERR_X509_INVALID_INPUT );
-
-    p = (unsigned char *) malloc( len = buflen );
-
-    if( p == NULL )
-        return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
-    memcpy( p, buf, buflen );
-
-    buflen = 0;
-
-    crt->raw.p = p;
-    crt->raw.len = len;
-    end = p + len;
-
-    /*
-     * Certificate  ::=  SEQUENCE  {
-     *      tbsCertificate       TBSCertificate,
-     *      signatureAlgorithm   AlgorithmIdentifier,
-     *      signatureValue       BIT STRING  }
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT );
-    }
-
-    if( len > (size_t) ( end - p ) )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-    crt_end = p + len;
-
-    /*
-     * TBSCertificate  ::=  SEQUENCE  {
-     */
-    crt->tbs.p = p;
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
-    }
-
-    end = p + len;
-    crt->tbs.len = end - crt->tbs.p;
-
-    /*
-     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
-     *
-     * CertificateSerialNumber  ::=  INTEGER
-     *
-     * signature            AlgorithmIdentifier
-     */
-    if( ( ret = x509_get_version( &p, end, &crt->version ) ) != 0 ||
-        ( ret = x509_get_serial(  &p, end, &crt->serial  ) ) != 0 ||
-        ( ret = x509_get_alg(  &p, end, &crt->sig_oid1   ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    crt->version++;
-
-    if( crt->version > 3 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION );
-    }
-
-    if( ( ret = x509_get_sig_alg( &crt->sig_oid1, &crt->sig_alg ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    /*
-     * issuer               Name
-     */
-    crt->issuer_raw.p = p;
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
-    }
-
-    if( ( ret = x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    crt->issuer_raw.len = p - crt->issuer_raw.p;
-
-    /*
-     * Validity ::= SEQUENCE {
-     *      notBefore      Time,
-     *      notAfter       Time }
-     *
-     */
-    if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
-                                         &crt->valid_to ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    /*
-     * subject              Name
-     */
-    crt->subject_raw.p = p;
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
-    }
-
-    if( len && ( ret = x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    crt->subject_raw.len = p - crt->subject_raw.p;
-
-    /*
-     * SubjectPublicKeyInfo  ::=  SEQUENCE
-     *      algorithm            AlgorithmIdentifier,
-     *      subjectPublicKey     BIT STRING  }
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
-    }
-
-    if( ( ret = x509_get_pubkey( &p, p + len, &crt->pk_oid,
-                                 &crt->rsa.N, &crt->rsa.E ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    if( ( ret = rsa_check_pubkey( &crt->rsa ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    crt->rsa.len = mpi_size( &crt->rsa.N );
-
-    /*
-     *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
-     *                       -- If present, version shall be v2 or v3
-     *  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
-     *                       -- If present, version shall be v2 or v3
-     *  extensions      [3]  EXPLICIT Extensions OPTIONAL
-     *                       -- If present, version shall be v3
-     */
-    if( crt->version == 2 || crt->version == 3 )
-    {
-        ret = x509_get_uid( &p, end, &crt->issuer_id,  1 );
-        if( ret != 0 )
-        {
-            x509_free( crt );
-            return( ret );
-        }
-    }
-
-    if( crt->version == 2 || crt->version == 3 )
-    {
-        ret = x509_get_uid( &p, end, &crt->subject_id,  2 );
-        if( ret != 0 )
-        {
-            x509_free( crt );
-            return( ret );
-        }
-    }
-
-    if( crt->version == 3 )
-    {
-        ret = x509_get_crt_ext( &p, end, crt);
-        if( ret != 0 )
-        {
-            x509_free( crt );
-            return( ret );
-        }
-    }
-
-    if( p != end )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-
-    end = crt_end;
-
-    /*
-     *  signatureAlgorithm   AlgorithmIdentifier,
-     *  signatureValue       BIT STRING
-     */
-    if( ( ret = x509_get_alg( &p, end, &crt->sig_oid2 ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    if( crt->sig_oid1.len != crt->sig_oid2.len ||
-        memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
-    }
-
-    if( ( ret = x509_get_sig( &p, end, &crt->sig ) ) != 0 )
-    {
-        x509_free( crt );
-        return( ret );
-    }
-
-    if( p != end )
-    {
-        x509_free( crt );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-
-    return( 0 );
-}
-
-/*
- * Parse one X.509 certificate in DER format from a buffer and add them to a
- * chained list
- */
-int x509parse_crt_der( x509_cert *chain, const unsigned char *buf, size_t buflen )
-{
-    int ret;
-    x509_cert *crt = chain, *prev = NULL;
-
-    /*
-     * Check for valid input
-     */
-    if( crt == NULL || buf == NULL )
-        return( POLARSSL_ERR_X509_INVALID_INPUT );
-
-    while( crt->version != 0 && crt->next != NULL )
-    {
-        prev = crt;
-        crt = crt->next;
-    }
-
-    /*
-     * Add new certificate on the end of the chain if needed.
-     */
-    if ( crt->version != 0 && crt->next == NULL)
-    {
-        crt->next = (x509_cert *) malloc( sizeof( x509_cert ) );
-
-        if( crt->next == NULL )
-            return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
-        prev = crt;
-        crt = crt->next;
-        memset( crt, 0, sizeof( x509_cert ) );
-    }
-
-    if( ( ret = x509parse_crt_der_core( crt, buf, buflen ) ) != 0 )
-    {
-        if( prev )
-            prev->next = NULL;
-
-        if( crt != chain )
-            free( crt );
-
-        return( ret );
-    }
-
-    return( 0 );
-}
-
-/*
- * Parse one or more PEM certificates from a buffer and add them to the chained list
- */
-int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen )
-{
-    int ret, success = 0, first_error = 0, total_failed = 0;
-    int buf_format = X509_FORMAT_DER;
-
-    /*
-     * Check for valid input
-     */
-    if( chain == NULL || buf == NULL )
-        return( POLARSSL_ERR_X509_INVALID_INPUT );
-
-    /*
-     * Determine buffer content. Buffer contains either one DER certificate or
-     * one or more PEM certificates.
-     */
-#if defined(POLARSSL_PEM_C)
-    if( strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
-        buf_format = X509_FORMAT_PEM;
-#endif
-
-    if( buf_format == X509_FORMAT_DER )
-        return x509parse_crt_der( chain, buf, buflen );
-
-#if defined(POLARSSL_PEM_C)
-    if( buf_format == X509_FORMAT_PEM )
-    {
-        pem_context pem;
-
-        while( buflen > 0 )
-        {
-            size_t use_len;
-            pem_init( &pem );
-
-            ret = pem_read_buffer( &pem,
-                           "-----BEGIN CERTIFICATE-----",
-                           "-----END CERTIFICATE-----",
-                           buf, NULL, 0, &use_len );
-
-            if( ret == 0 )
-            {
-                /*
-                 * Was PEM encoded
-                 */
-                buflen -= use_len;
-                buf += use_len;
-            }
-            else if( ret == POLARSSL_ERR_PEM_BAD_INPUT_DATA )
-            {
-                return( ret );
-            }
-            else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
-            {
-                pem_free( &pem );
-
-                /*
-                 * PEM header and footer were found
-                 */
-                buflen -= use_len;
-                buf += use_len;
-
-                if( first_error == 0 )
-                    first_error = ret;
-
-                continue;
-            }
-            else
-                break;
-
-            ret = x509parse_crt_der( chain, pem.buf, pem.buflen );
-
-            pem_free( &pem );
-
-            if( ret != 0 )
-            {
-                /*
-                 * Quit parsing on a memory error
-                 */
-                if( ret == POLARSSL_ERR_X509_MALLOC_FAILED )
-                    return( ret );
-
-                if( first_error == 0 )
-                    first_error = ret;
-
-                total_failed++;
-                continue;
-            }
-
-            success = 1;
-        }
-    }
-#endif
-
-    if( success )
-        return( total_failed );
-    else if( first_error )
-        return( first_error );
-    else
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT );
-}
-
-/*
- * Parse one or more CRLs and add them to the chained list
- */
-int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen )
-{
-    int ret;
-    size_t len;
-    unsigned char *p, *end;
-    x509_crl *crl;
-#if defined(POLARSSL_PEM_C)
-    size_t use_len;
-    pem_context pem;
-#endif
-
-    crl = chain;
-
-    /*
-     * Check for valid input
-     */
-    if( crl == NULL || buf == NULL )
-        return( POLARSSL_ERR_X509_INVALID_INPUT );
-
-    while( crl->version != 0 && crl->next != NULL )
-        crl = crl->next;
-
-    /*
-     * Add new CRL on the end of the chain if needed.
-     */
-    if ( crl->version != 0 && crl->next == NULL)
-    {
-        crl->next = (x509_crl *) malloc( sizeof( x509_crl ) );
-
-        if( crl->next == NULL )
-        {
-            x509_crl_free( crl );
-            return( POLARSSL_ERR_X509_MALLOC_FAILED );
-        }
-
-        crl = crl->next;
-        memset( crl, 0, sizeof( x509_crl ) );
-    }
-
-#if defined(POLARSSL_PEM_C)
-    pem_init( &pem );
-    ret = pem_read_buffer( &pem,
-                           "-----BEGIN X509 CRL-----",
-                           "-----END X509 CRL-----",
-                           buf, NULL, 0, &use_len );
-
-    if( ret == 0 )
-    {
-        /*
-         * Was PEM encoded
-         */
-        buflen -= use_len;
-        buf += use_len;
-
-        /*
-         * Steal PEM buffer
-         */
-        p = pem.buf;
-        pem.buf = NULL;
-        len = pem.buflen;
-        pem_free( &pem );
-    }
-    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
-    {
-        pem_free( &pem );
-        return( ret );
-    }
-    else
-    {
-        /*
-         * nope, copy the raw DER data
-         */
-        p = (unsigned char *) malloc( len = buflen );
-
-        if( p == NULL )
-            return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
-        memcpy( p, buf, buflen );
-
-        buflen = 0;
-    }
-#else
-    p = (unsigned char *) malloc( len = buflen );
-
-    if( p == NULL )
-        return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
-    memcpy( p, buf, buflen );
-
-    buflen = 0;
-#endif
-
-    crl->raw.p = p;
-    crl->raw.len = len;
-    end = p + len;
-
-    /*
-     * CertificateList  ::=  SEQUENCE  {
-     *      tbsCertList          TBSCertList,
-     *      signatureAlgorithm   AlgorithmIdentifier,
-     *      signatureValue       BIT STRING  }
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT );
-    }
-
-    if( len != (size_t) ( end - p ) )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-
-    /*
-     * TBSCertList  ::=  SEQUENCE  {
-     */
-    crl->tbs.p = p;
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
-    }
-
-    end = p + len;
-    crl->tbs.len = end - crl->tbs.p;
-
-    /*
-     * Version  ::=  INTEGER  OPTIONAL {  v1(0), v2(1)  }
-     *               -- if present, MUST be v2
-     *
-     * signature            AlgorithmIdentifier
-     */
-    if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
-        ( ret = x509_get_alg(  &p, end, &crl->sig_oid1   ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( ret );
-    }
-
-    crl->version++;
-
-    if( crl->version > 2 )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION );
-    }
-
-    if( ( ret = x509_get_sig_alg( &crl->sig_oid1, &crl->sig_alg ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG );
-    }
-
-    /*
-     * issuer               Name
-     */
-    crl->issuer_raw.p = p;
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
-    }
-
-    if( ( ret = x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( ret );
-    }
-
-    crl->issuer_raw.len = p - crl->issuer_raw.p;
-
-    /*
-     * thisUpdate          Time
-     * nextUpdate          Time OPTIONAL
-     */
-    if( ( ret = x509_get_time( &p, end, &crl->this_update ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( ret );
-    }
-
-    if( ( ret = x509_get_time( &p, end, &crl->next_update ) ) != 0 )
-    {
-        if ( ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE +
-                        POLARSSL_ERR_ASN1_UNEXPECTED_TAG ) &&
-             ret != ( POLARSSL_ERR_X509_CERT_INVALID_DATE +
-                        POLARSSL_ERR_ASN1_OUT_OF_DATA ) )
-        {
-            x509_crl_free( crl );
-            return( ret );
-        }
-    }
-
-    /*
-     * revokedCertificates    SEQUENCE OF SEQUENCE   {
-     *      userCertificate        CertificateSerialNumber,
-     *      revocationDate         Time,
-     *      crlEntryExtensions     Extensions OPTIONAL
-     *                                   -- if present, MUST be v2
-     *                        } OPTIONAL
-     */
-    if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( ret );
-    }
-
-    /*
-     * crlExtensions          EXPLICIT Extensions OPTIONAL
-     *                              -- if present, MUST be v2
-     */
-    if( crl->version == 2 )
-    {
-        ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
-                            
-        if( ret != 0 )
-        {
-            x509_crl_free( crl );
-            return( ret );
-        }
-    }
-
-    if( p != end )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-
-    end = crl->raw.p + crl->raw.len;
-
-    /*
-     *  signatureAlgorithm   AlgorithmIdentifier,
-     *  signatureValue       BIT STRING
-     */
-    if( ( ret = x509_get_alg( &p, end, &crl->sig_oid2 ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( ret );
-    }
-
-    if( crl->sig_oid1.len != crl->sig_oid2.len ||
-        memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
-    }
-
-    if( ( ret = x509_get_sig( &p, end, &crl->sig ) ) != 0 )
-    {
-        x509_crl_free( crl );
-        return( ret );
-    }
-
-    if( p != end )
-    {
-        x509_crl_free( crl );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-
-    if( buflen > 0 )
-    {
-        crl->next = (x509_crl *) malloc( sizeof( x509_crl ) );
-
-        if( crl->next == NULL )
-        {
-            x509_crl_free( crl );
-            return( POLARSSL_ERR_X509_MALLOC_FAILED );
-        }
-
-        crl = crl->next;
-        memset( crl, 0, sizeof( x509_crl ) );
-
-        return( x509parse_crl( crl, buf, buflen ) );
-    }
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * Load all data from a file into a given buffer.
- */
-int load_file( const char *path, unsigned char **buf, size_t *n )
-{
-    FILE *f;
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_X509_FILE_IO_ERROR );
-
-    fseek( f, 0, SEEK_END );
-    *n = (size_t) ftell( f );
-    fseek( f, 0, SEEK_SET );
-
-    if( ( *buf = (unsigned char *) malloc( *n + 1 ) ) == NULL )
-        return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
-    if( fread( *buf, 1, *n, f ) != *n )
-    {
-        fclose( f );
-        free( *buf );
-        return( POLARSSL_ERR_X509_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-
-    (*buf)[*n] = '\0';
-
-    return( 0 );
-}
-
-/*
- * Load one or more certificates and add them to the chained list
- */
-int x509parse_crtfile( x509_cert *chain, const char *path )
-{
-    int ret;
-    size_t n;
-    unsigned char *buf;
-
-    if ( (ret = load_file( path, &buf, &n ) ) != 0 )
-        return( ret );
-
-    ret = x509parse_crt( chain, buf, n );
-
-    memset( buf, 0, n + 1 );
-    free( buf );
-
-    return( ret );
-}
-
-int x509parse_crtpath( x509_cert *chain, const char *path )
-{
-    int ret = 0;
-#if defined(_WIN32)
-    int w_ret;
-    WCHAR szDir[MAX_PATH];
-    char filename[MAX_PATH];
-	char *p;
-    int len = strlen( path );
-
-	WIN32_FIND_DATAW file_data;
-    HANDLE hFind;
-
-    if( len > MAX_PATH - 3 )
-        return( POLARSSL_ERR_X509_INVALID_INPUT );
-
-	memset( szDir, 0, sizeof(szDir) );
-	memset( filename, 0, MAX_PATH );
-	memcpy( filename, path, len );
-	filename[len++] = '\\';
-	p = filename + len;
-    filename[len++] = '*';
-
-	w_ret = MultiByteToWideChar( CP_ACP, 0, path, len, szDir, MAX_PATH - 3 );
-
-    hFind = FindFirstFileW( szDir, &file_data );
-    if (hFind == INVALID_HANDLE_VALUE) 
-        return( POLARSSL_ERR_X509_FILE_IO_ERROR );
-
-    len = MAX_PATH - len;
-    do
-    {
-		memset( p, 0, len );
-
-        if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
-            continue;
-
-		w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
-									 lstrlenW(file_data.cFileName),
-									 p, len - 1,
-									 NULL, NULL );
-
-        w_ret = x509parse_crtfile( chain, filename );
-        if( w_ret < 0 )
-            ret++;
-        else
-            ret += w_ret;
-    }
-    while( FindNextFileW( hFind, &file_data ) != 0 );
-
-    if (GetLastError() != ERROR_NO_MORE_FILES) 
-        ret = POLARSSL_ERR_X509_FILE_IO_ERROR;
-
-cleanup:
-    FindClose( hFind );
-#else
-    int t_ret, i;
-    struct stat sb;
-    struct dirent entry, *result = NULL;
-    char entry_name[255];
-    DIR *dir = opendir( path );
-
-    if( dir == NULL)
-        return( POLARSSL_ERR_X509_FILE_IO_ERROR );
-
-    while( ( t_ret = readdir_r( dir, &entry, &result ) ) == 0 )
-    {
-        if( result == NULL )
-            break;
-
-        snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry.d_name );
-
-        i = stat( entry_name, &sb );
-
-        if( i == -1 )
-            return( POLARSSL_ERR_X509_FILE_IO_ERROR );
-
-        if( !S_ISREG( sb.st_mode ) )
-            continue;
-
-        // Ignore parse errors
-        //
-        t_ret = x509parse_crtfile( chain, entry_name );
-        if( t_ret < 0 )
-            ret++;
-        else
-            ret += t_ret;
-    }
-    closedir( dir );
-#endif
-
-    return( ret );
-}
-
-/*
- * Load one or more CRLs and add them to the chained list
- */
-int x509parse_crlfile( x509_crl *chain, const char *path )
-{
-    int ret;
-    size_t n;
-    unsigned char *buf;
-
-    if ( (ret = load_file( path, &buf, &n ) ) != 0 )
-        return( ret );
-
-    ret = x509parse_crl( chain, buf, n );
-
-    memset( buf, 0, n + 1 );
-    free( buf );
-
-    return( ret );
-}
-
-/*
- * Load and parse a private RSA key
- */
-int x509parse_keyfile( rsa_context *rsa, const char *path, const char *pwd )
-{
-    int ret;
-    size_t n;
-    unsigned char *buf;
-
-    if ( (ret = load_file( path, &buf, &n ) ) != 0 )
-        return( ret );
-
-    if( pwd == NULL )
-        ret = x509parse_key( rsa, buf, n, NULL, 0 );
-    else
-        ret = x509parse_key( rsa, buf, n,
-                (unsigned char *) pwd, strlen( pwd ) );
-
-    memset( buf, 0, n + 1 );
-    free( buf );
-
-    return( ret );
-}
-
-/*
- * Load and parse a public RSA key
- */
-int x509parse_public_keyfile( rsa_context *rsa, const char *path )
-{
-    int ret;
-    size_t n;
-    unsigned char *buf;
-
-    if ( (ret = load_file( path, &buf, &n ) ) != 0 )
-        return( ret );
-
-    ret = x509parse_public_key( rsa, buf, n );
-
-    memset( buf, 0, n + 1 );
-    free( buf );
-
-    return( ret );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * Parse a PKCS#1 encoded private RSA key
- */
-static int x509parse_key_pkcs1_der( rsa_context *rsa,
-                                    const unsigned char *key,
-                                    size_t keylen )
-{
-    int ret;
-    size_t len;
-    unsigned char *p, *end;
-
-    p = (unsigned char *) key;
-    end = p + keylen;
-
-    /*
-     * This function parses the RSAPrivateKey (PKCS#1)
-     *
-     *  RSAPrivateKey ::= SEQUENCE {
-     *      version           Version,
-     *      modulus           INTEGER,  -- n
-     *      publicExponent    INTEGER,  -- e
-     *      privateExponent   INTEGER,  -- d
-     *      prime1            INTEGER,  -- p
-     *      prime2            INTEGER,  -- q
-     *      exponent1         INTEGER,  -- d mod (p-1)
-     *      exponent2         INTEGER,  -- d mod (q-1)
-     *      coefficient       INTEGER,  -- (inverse of q) mod p
-     *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
-     *  }
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    end = p + len;
-
-    if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    if( rsa->ver != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_VERSION + ret );
-    }
-
-    if( ( ret = asn1_get_mpi( &p, end, &rsa->N  ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &rsa->E  ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &rsa->D  ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &rsa->P  ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &rsa->Q  ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &rsa->DP ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &rsa->DQ ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &rsa->QP ) ) != 0 )
-    {
-        rsa_free( rsa );
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    rsa->len = mpi_size( &rsa->N );
-
-    if( p != end )
-    {
-        rsa_free( rsa );
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-
-    if( ( ret = rsa_check_privkey( rsa ) ) != 0 )
-    {
-        rsa_free( rsa );
-        return( ret );
-    }
-
-    return( 0 );
-}
-
-/*
- * Parse an unencrypted PKCS#8 encoded private RSA key
- */
-static int x509parse_key_pkcs8_unencrypted_der(
-                                    rsa_context *rsa,
-                                    const unsigned char *key,
-                                    size_t keylen )
-{
-    int ret;
-    size_t len;
-    unsigned char *p, *end;
-    x509_buf pk_alg_oid;
-
-    p = (unsigned char *) key;
-    end = p + keylen;
-
-    /*
-     * This function parses the PrivatKeyInfo object (PKCS#8)
-     *
-     *  PrivateKeyInfo ::= SEQUENCE {
-     *    version           Version,
-     *    algorithm       AlgorithmIdentifier,
-     *    PrivateKey      BIT STRING
-     *  }
-     *
-     *  AlgorithmIdentifier ::= SEQUENCE {
-     *    algorithm       OBJECT IDENTIFIER,
-     *    parameters      ANY DEFINED BY algorithm OPTIONAL
-     *  }
-     *
-     *  The PrivateKey BIT STRING is a PKCS#1 RSAPrivateKey
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    end = p + len;
-
-    if( ( ret = asn1_get_int( &p, end, &rsa->ver ) ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    if( rsa->ver != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_VERSION + ret );
-    }
-
-    if( ( ret = x509_get_alg( &p, end, &pk_alg_oid ) ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    /*
-     * only RSA keys handled at this time
-     */
-    if( pk_alg_oid.len != 9 ||
-        memcmp( pk_alg_oid.p, OID_PKCS1_RSA, 9 ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_UNKNOWN_PK_ALG );
-    }
-
-    /*
-     * Get the OCTET STRING and parse the PKCS#1 format inside
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-
-    if( ( end - p ) < 1 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_OUT_OF_DATA );
-    }
-
-    end = p + len;
-
-    if( ( ret = x509parse_key_pkcs1_der( rsa, p, end - p ) ) != 0 )
-        return( ret );
-
-    return( 0 );
-}
-
-/*
- * Parse an encrypted PKCS#8 encoded private RSA key
- */
-static int x509parse_key_pkcs8_encrypted_der(
-                                    rsa_context *rsa,
-                                    const unsigned char *key,
-                                    size_t keylen,
-                                    const unsigned char *pwd,
-                                    size_t pwdlen )
-{
-    int ret;
-    size_t len;
-    unsigned char *p, *end, *end2;
-    x509_buf pbe_alg_oid, pbe_params;
-    unsigned char buf[2048];
-
-    memset(buf, 0, 2048);
-
-    p = (unsigned char *) key;
-    end = p + keylen;
-
-    if( pwdlen == 0 )
-        return( POLARSSL_ERR_X509_PASSWORD_REQUIRED );
-
-    /*
-     * This function parses the EncryptedPrivatKeyInfo object (PKCS#8)
-     *
-     *  EncryptedPrivateKeyInfo ::= SEQUENCE {
-     *    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
-     *    encryptedData        EncryptedData
-     *  }
-     *
-     *  EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
-     *
-     *  EncryptedData ::= OCTET STRING
-     *
-     *  The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    end = p + len;
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    end2 = p + len;
-
-    if( ( ret = asn1_get_tag( &p, end, &pbe_alg_oid.len, ASN1_OID ) ) != 0 )
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-
-    pbe_alg_oid.p = p;
-    p += pbe_alg_oid.len;
-
-    /*
-     * Store the algorithm parameters
-     */
-    pbe_params.p = p;
-    pbe_params.len = end2 - p;
-    p += pbe_params.len;
-
-    if( ( ret = asn1_get_tag( &p, end, &len, ASN1_OCTET_STRING ) ) != 0 )
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-
-    // buf has been sized to 2048 bytes
-    if( len > 2048 )
-        return( POLARSSL_ERR_X509_INVALID_INPUT );
-
-    /*
-     * Decrypt EncryptedData with appropriate PDE
-     */
-#if defined(POLARSSL_PKCS12_C)
-    if( OID_CMP( OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, &pbe_alg_oid ) )
-    {
-        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
-                                POLARSSL_CIPHER_DES_EDE3_CBC, POLARSSL_MD_SHA1,
-                                pwd, pwdlen, p, len, buf ) ) != 0 )
-        {
-            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
-                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
-
-            return( ret );
-        }
-    }
-    else if( OID_CMP( OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, &pbe_alg_oid ) )
-    {
-        if( ( ret = pkcs12_pbe( &pbe_params, PKCS12_PBE_DECRYPT,
-                                POLARSSL_CIPHER_DES_EDE_CBC, POLARSSL_MD_SHA1,
-                                pwd, pwdlen, p, len, buf ) ) != 0 )
-        {
-            if( ret == POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH )
-                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
-
-            return( ret );
-        }
-    }
-    else if( OID_CMP( OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) )
-    {
-        if( ( ret = pkcs12_pbe_sha1_rc4_128( &pbe_params,
-                                             PKCS12_PBE_DECRYPT,
-                                             pwd, pwdlen,
-                                             p, len, buf ) ) != 0 )
-        {
-            return( ret );
-        }
-
-        // Best guess for password mismatch when using RC4. If first tag is
-        // not ASN1_CONSTRUCTED | ASN1_SEQUENCE
-        //
-        if( *buf != ( ASN1_CONSTRUCTED | ASN1_SEQUENCE ) )
-            return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
-    }
-    else
-#endif /* POLARSSL_PKCS12_C */
-#if defined(POLARSSL_PKCS5_C)
-    if( OID_CMP( OID_PKCS5_PBES2, &pbe_alg_oid ) )
-    {
-        if( ( ret = pkcs5_pbes2( &pbe_params, PKCS5_DECRYPT, pwd, pwdlen,
-                                  p, len, buf ) ) != 0 )
-        {
-            if( ret == POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH )
-                return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
-
-            return( ret );
-        }
-    }
-    else
-#endif /* POLARSSL_PKCS5_C */
-        return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
-
-    return x509parse_key_pkcs8_unencrypted_der( rsa, buf, len );
-}
-
-/*
- * Parse a private RSA key
- */
-int x509parse_key( rsa_context *rsa, const unsigned char *key, size_t keylen,
-                                     const unsigned char *pwd, size_t pwdlen )
-{
-    int ret;
-
-#if defined(POLARSSL_PEM_C)
-    size_t len;
-    pem_context pem;
-
-    pem_init( &pem );
-    ret = pem_read_buffer( &pem,
-                           "-----BEGIN RSA PRIVATE KEY-----",
-                           "-----END RSA PRIVATE KEY-----",
-                           key, pwd, pwdlen, &len );
-    if( ret == 0 )
-    {
-        if( ( ret = x509parse_key_pkcs1_der( rsa, pem.buf, pem.buflen ) ) != 0 )
-        {
-            rsa_free( rsa );
-        }
-
-        pem_free( &pem );
-        return( ret );
-    }
-    else if( ret == POLARSSL_ERR_PEM_PASSWORD_MISMATCH )
-        return( POLARSSL_ERR_X509_PASSWORD_MISMATCH );
-    else if( ret == POLARSSL_ERR_PEM_PASSWORD_REQUIRED )
-        return( POLARSSL_ERR_X509_PASSWORD_REQUIRED );
-    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
-        return( ret );
-
-    ret = pem_read_buffer( &pem,
-                           "-----BEGIN PRIVATE KEY-----",
-                           "-----END PRIVATE KEY-----",
-                           key, NULL, 0, &len );
-    if( ret == 0 )
-    {
-        if( ( ret = x509parse_key_pkcs8_unencrypted_der( rsa,
-                                                pem.buf, pem.buflen ) ) != 0 )
-        {
-            rsa_free( rsa );
-        }
-
-        pem_free( &pem );
-        return( ret );
-    }
-    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
-        return( ret );
-
-    ret = pem_read_buffer( &pem,
-                           "-----BEGIN ENCRYPTED PRIVATE KEY-----",
-                           "-----END ENCRYPTED PRIVATE KEY-----",
-                           key, NULL, 0, &len );
-    if( ret == 0 )
-    {
-        if( ( ret = x509parse_key_pkcs8_encrypted_der( rsa,
-                                                pem.buf, pem.buflen,
-                                                pwd, pwdlen ) ) != 0 )
-        {
-            rsa_free( rsa );
-        }
-
-        pem_free( &pem );
-        return( ret );
-    }
-    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
-        return( ret );
-#else
-    ((void) pwd);
-    ((void) pwdlen);
-#endif /* POLARSSL_PEM_C */
-
-    // At this point we only know it's not a PEM formatted key. Could be any
-    // of the known DER encoded private key formats
-    //
-    // We try the different DER format parsers to see if one passes without
-    // error
-    //
-    if( ( ret = x509parse_key_pkcs8_encrypted_der( rsa, key, keylen,
-                                                   pwd, pwdlen ) ) == 0 )
-    {
-        return( 0 );
-    }
-
-    rsa_free( rsa );
-
-    if( ret == POLARSSL_ERR_X509_PASSWORD_MISMATCH )
-    {
-        return( ret );
-    }
-
-    if( ( ret = x509parse_key_pkcs8_unencrypted_der( rsa, key, keylen ) ) == 0 )
-        return( 0 );
-
-    rsa_free( rsa );
-
-    if( ( ret = x509parse_key_pkcs1_der( rsa, key, keylen ) ) == 0 )
-        return( 0 );
-
-    rsa_free( rsa );
-
-    return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT );
-}
-
-/*
- * Parse a public RSA key
- */
-int x509parse_public_key( rsa_context *rsa, const unsigned char *key, size_t keylen )
-{
-    int ret;
-    size_t len;
-    unsigned char *p, *end;
-    x509_buf alg_oid;
-#if defined(POLARSSL_PEM_C)
-    pem_context pem;
-
-    pem_init( &pem );
-    ret = pem_read_buffer( &pem,
-            "-----BEGIN PUBLIC KEY-----",
-            "-----END PUBLIC KEY-----",
-            key, NULL, 0, &len );
-
-    if( ret == 0 )
-    {
-        /*
-         * Was PEM encoded
-         */
-        keylen = pem.buflen;
-    }
-    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
-    {
-        pem_free( &pem );
-        return( ret );
-    }
-
-    p = ( ret == 0 ) ? pem.buf : (unsigned char *) key;
-#else
-    p = (unsigned char *) key;
-#endif
-    end = p + keylen;
-
-    /*
-     *  PublicKeyInfo ::= SEQUENCE {
-     *    algorithm       AlgorithmIdentifier,
-     *    PublicKey       BIT STRING
-     *  }
-     *
-     *  AlgorithmIdentifier ::= SEQUENCE {
-     *    algorithm       OBJECT IDENTIFIER,
-     *    parameters      ANY DEFINED BY algorithm OPTIONAL
-     *  }
-     *
-     *  RSAPublicKey ::= SEQUENCE {
-     *      modulus           INTEGER,  -- n
-     *      publicExponent    INTEGER   -- e
-     *  }
-     */
-
-    if( ( ret = asn1_get_tag( &p, end, &len,
-                    ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-#if defined(POLARSSL_PEM_C)
-        pem_free( &pem );
-#endif
-        rsa_free( rsa );
-        return( POLARSSL_ERR_X509_CERT_INVALID_FORMAT + ret );
-    }
-
-    if( ( ret = x509_get_pubkey( &p, end, &alg_oid, &rsa->N, &rsa->E ) ) != 0 )
-    {
-#if defined(POLARSSL_PEM_C)
-        pem_free( &pem );
-#endif
-        rsa_free( rsa );
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    if( ( ret = rsa_check_pubkey( rsa ) ) != 0 )
-    {
-#if defined(POLARSSL_PEM_C)
-        pem_free( &pem );
-#endif
-        rsa_free( rsa );
-        return( ret );
-    }
-
-    rsa->len = mpi_size( &rsa->N );
-
-#if defined(POLARSSL_PEM_C)
-    pem_free( &pem );
-#endif
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_DHM_C)
-/*
- * Parse DHM parameters
- */
-int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen )
-{
-    int ret;
-    size_t len;
-    unsigned char *p, *end;
-#if defined(POLARSSL_PEM_C)
-    pem_context pem;
-
-    pem_init( &pem );
-
-    ret = pem_read_buffer( &pem, 
-                           "-----BEGIN DH PARAMETERS-----",
-                           "-----END DH PARAMETERS-----",
-                           dhmin, NULL, 0, &dhminlen );
-
-    if( ret == 0 )
-    {
-        /*
-         * Was PEM encoded
-         */
-        dhminlen = pem.buflen;
-    }
-    else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
-    {
-        pem_free( &pem );
-        return( ret );
-    }
-
-    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
-#else
-    p = (unsigned char *) dhmin;
-#endif
-    end = p + dhminlen;
-
-    memset( dhm, 0, sizeof( dhm_context ) );
-
-    /*
-     *  DHParams ::= SEQUENCE {
-     *      prime            INTEGER,  -- P
-     *      generator        INTEGER,  -- g
-     *  }
-     */
-    if( ( ret = asn1_get_tag( &p, end, &len,
-            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
-    {
-#if defined(POLARSSL_PEM_C)
-        pem_free( &pem );
-#endif
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    end = p + len;
-
-    if( ( ret = asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
-        ( ret = asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
-    {
-#if defined(POLARSSL_PEM_C)
-        pem_free( &pem );
-#endif
-        dhm_free( dhm );
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT + ret );
-    }
-
-    if( p != end )
-    {
-#if defined(POLARSSL_PEM_C)
-        pem_free( &pem );
-#endif
-        dhm_free( dhm );
-        return( POLARSSL_ERR_X509_KEY_INVALID_FORMAT +
-                POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
-    }
-
-#if defined(POLARSSL_PEM_C)
-    pem_free( &pem );
-#endif
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * Load and parse a private RSA key
- */
-int x509parse_dhmfile( dhm_context *dhm, const char *path )
-{
-    int ret;
-    size_t n;
-    unsigned char *buf;
-
-    if ( ( ret = load_file( path, &buf, &n ) ) != 0 )
-        return( ret );
-
-    ret = x509parse_dhm( dhm, buf, n );
-
-    memset( buf, 0, n + 1 );
-    free( buf );
-
-    return( ret );
-}
-#endif /* POLARSSL_FS_IO */
-#endif /* POLARSSL_DHM_C */
-
-#if defined _MSC_VER && !defined snprintf
-#include <stdarg.h>
-
-#if !defined vsnprintf
-#define vsnprintf _vsnprintf
-#endif // vsnprintf
-
-/*
- * Windows _snprintf and _vsnprintf are not compatible to linux versions.
- * Result value is not size of buffer needed, but -1 if no fit is possible.
- *
- * This fuction tries to 'fix' this by at least suggesting enlarging the
- * size by 20.
- */
-int compat_snprintf(char *str, size_t size, const char *format, ...)
-{
-    va_list ap;
-    int res = -1;
-
-    va_start( ap, format );
-
-    res = vsnprintf( str, size, format, ap );
-
-    va_end( ap );
-
-    // No quick fix possible
-    if ( res < 0 )
-        return( (int) size + 20 );
-    
-    return res;
-}
-
-#define snprintf compat_snprintf
-#endif
-
-#define POLARSSL_ERR_DEBUG_BUF_TOO_SMALL    -2
-
-#define SAFE_SNPRINTF()                         \
-{                                               \
-    if( ret == -1 )                             \
-        return( -1 );                           \
-                                                \
-    if ( (unsigned int) ret > n ) {             \
-        p[n - 1] = '\0';                        \
-        return POLARSSL_ERR_DEBUG_BUF_TOO_SMALL;\
-    }                                           \
-                                                \
-    n -= (unsigned int) ret;                    \
-    p += (unsigned int) ret;                    \
-}
-
-/*
- * Store the name in printable form into buf; no more
- * than size characters will be written
- */
-int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn )
-{
-    int ret;
-    size_t i, n;
-    unsigned char c;
-    const x509_name *name;
-    char s[128], *p;
-
-    memset( s, 0, sizeof( s ) );
-
-    name = dn;
-    p = buf;
-    n = size;
-
-    while( name != NULL )
-    {
-        if( !name->oid.p )
-        {
-            name = name->next;
-            continue;
-        }
-
-        if( name != dn )
-        {
-            ret = snprintf( p, n, ", " );
-            SAFE_SNPRINTF();
-        }
-
-        if( name->oid.len == 3 &&
-            memcmp( name->oid.p, OID_X520, 2 ) == 0 )
-        {
-            switch( name->oid.p[2] )
-            {
-            case X520_COMMON_NAME:
-                ret = snprintf( p, n, "CN=" ); break;
-
-            case X520_COUNTRY:
-                ret = snprintf( p, n, "C="  ); break;
-
-            case X520_LOCALITY:
-                ret = snprintf( p, n, "L="  ); break;
-
-            case X520_STATE:
-                ret = snprintf( p, n, "ST=" ); break;
-
-            case X520_ORGANIZATION:
-                ret = snprintf( p, n, "O="  ); break;
-
-            case X520_ORG_UNIT:
-                ret = snprintf( p, n, "OU=" ); break;
-
-            default:
-                ret = snprintf( p, n, "0x%02X=",
-                               name->oid.p[2] );
-                break;
-            }
-        SAFE_SNPRINTF();
-        }
-        else if( name->oid.len == 9 &&
-                 memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
-        {
-            switch( name->oid.p[8] )
-            {
-            case PKCS9_EMAIL:
-                ret = snprintf( p, n, "emailAddress=" ); break;
-
-            default:
-                ret = snprintf( p, n, "0x%02X=",
-                               name->oid.p[8] );
-                break;
-            }
-        SAFE_SNPRINTF();
-        }
-        else
-        {
-            ret = snprintf( p, n, "\?\?=" );
-            SAFE_SNPRINTF();
-        }
-
-        for( i = 0; i < name->val.len; i++ )
-        {
-            if( i >= sizeof( s ) - 1 )
-                break;
-
-            c = name->val.p[i];
-            if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
-                 s[i] = '?';
-            else s[i] = c;
-        }
-        s[i] = '\0';
-        ret = snprintf( p, n, "%s", s );
-    SAFE_SNPRINTF();
-        name = name->next;
-    }
-
-    return( (int) ( size - n ) );
-}
-
-/*
- * Store the serial in printable form into buf; no more
- * than size characters will be written
- */
-int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial )
-{
-    int ret;
-    size_t i, n, nr;
-    char *p;
-
-    p = buf;
-    n = size;
-
-    nr = ( serial->len <= 32 )
-        ? serial->len  : 28;
-
-    for( i = 0; i < nr; i++ )
-    {
-        if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
-            continue;
-
-        ret = snprintf( p, n, "%02X%s",
-                serial->p[i], ( i < nr - 1 ) ? ":" : "" );
-        SAFE_SNPRINTF();
-    }
-
-    if( nr != serial->len )
-    {
-        ret = snprintf( p, n, "...." );
-        SAFE_SNPRINTF();
-    }
-
-    return( (int) ( size - n ) );
-}
-
-/*
- * Return an informational string about the certificate.
- */
-int x509parse_cert_info( char *buf, size_t size, const char *prefix,
-                         const x509_cert *crt )
-{
-    int ret;
-    size_t n;
-    char *p;
-
-    p = buf;
-    n = size;
-
-    ret = snprintf( p, n, "%scert. version : %d\n",
-                               prefix, crt->version );
-    SAFE_SNPRINTF();
-    ret = snprintf( p, n, "%sserial number : ",
-                               prefix );
-    SAFE_SNPRINTF();
-
-    ret = x509parse_serial_gets( p, n, &crt->serial);
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%sissuer name   : ", prefix );
-    SAFE_SNPRINTF();
-    ret = x509parse_dn_gets( p, n, &crt->issuer  );
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%ssubject name  : ", prefix );
-    SAFE_SNPRINTF();
-    ret = x509parse_dn_gets( p, n, &crt->subject );
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%sissued  on    : " \
-                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                   crt->valid_from.year, crt->valid_from.mon,
-                   crt->valid_from.day,  crt->valid_from.hour,
-                   crt->valid_from.min,  crt->valid_from.sec );
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%sexpires on    : " \
-                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                   crt->valid_to.year, crt->valid_to.mon,
-                   crt->valid_to.day,  crt->valid_to.hour,
-                   crt->valid_to.min,  crt->valid_to.sec );
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%ssigned using  : RSA+", prefix );
-    SAFE_SNPRINTF();
-
-    switch( crt->sig_alg )
-    {
-        case SIG_RSA_MD2    : ret = snprintf( p, n, "MD2"    ); break;
-        case SIG_RSA_MD4    : ret = snprintf( p, n, "MD4"    ); break;
-        case SIG_RSA_MD5    : ret = snprintf( p, n, "MD5"    ); break;
-        case SIG_RSA_SHA1   : ret = snprintf( p, n, "SHA1"   ); break;
-        case SIG_RSA_SHA224 : ret = snprintf( p, n, "SHA224" ); break;
-        case SIG_RSA_SHA256 : ret = snprintf( p, n, "SHA256" ); break;
-        case SIG_RSA_SHA384 : ret = snprintf( p, n, "SHA384" ); break;
-        case SIG_RSA_SHA512 : ret = snprintf( p, n, "SHA512" ); break;
-        default: ret = snprintf( p, n, "???"  ); break;
-    }
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%sRSA key size  : %d bits\n", prefix,
-                   (int) crt->rsa.N.n * (int) sizeof( t_uint ) * 8 );
-    SAFE_SNPRINTF();
-
-    return( (int) ( size - n ) );
-}
-
-/*
- * Return an informational string describing the given OID
- */
-const char *x509_oid_get_description( x509_buf *oid )
-{
-    if ( oid == NULL )
-        return ( NULL );
-    
-    else if( OID_CMP( OID_SERVER_AUTH, oid ) )
-        return( STRING_SERVER_AUTH );
-    
-    else if( OID_CMP( OID_CLIENT_AUTH, oid ) )
-        return( STRING_CLIENT_AUTH );
-    
-    else if( OID_CMP( OID_CODE_SIGNING, oid ) )
-        return( STRING_CODE_SIGNING );
-    
-    else if( OID_CMP( OID_EMAIL_PROTECTION, oid ) )
-        return( STRING_EMAIL_PROTECTION );
-    
-    else if( OID_CMP( OID_TIME_STAMPING, oid ) )
-        return( STRING_TIME_STAMPING );
-
-    else if( OID_CMP( OID_OCSP_SIGNING, oid ) )
-        return( STRING_OCSP_SIGNING );
-
-    return( NULL );
-}
-
-/* Return the x.y.z.... style numeric string for the given OID */
-int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid )
-{
-    int ret;
-    size_t i, n;
-    unsigned int value;
-    char *p;
-
-    p = buf;
-    n = size;
-
-    /* First byte contains first two dots */
-    if( oid->len > 0 )
-    {
-        ret = snprintf( p, n, "%d.%d", oid->p[0]/40, oid->p[0]%40 );
-        SAFE_SNPRINTF();
-    }
-
-    /* TODO: value can overflow in value. */
-    value = 0;
-    for( i = 1; i < oid->len; i++ )
-    {
-        value <<= 7;
-        value += oid->p[i] & 0x7F;
-
-        if( !( oid->p[i] & 0x80 ) )
-        {
-            /* Last byte */
-            ret = snprintf( p, n, ".%d", value );
-            SAFE_SNPRINTF();
-            value = 0;
-        }
-    }
-
-    return( (int) ( size - n ) );
-}
-
-/*
- * Return an informational string about the CRL.
- */
-int x509parse_crl_info( char *buf, size_t size, const char *prefix,
-                        const x509_crl *crl )
-{
-    int ret;
-    size_t n;
-    char *p;
-    const x509_crl_entry *entry;
-
-    p = buf;
-    n = size;
-
-    ret = snprintf( p, n, "%sCRL version   : %d",
-                               prefix, crl->version );
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%sissuer name   : ", prefix );
-    SAFE_SNPRINTF();
-    ret = x509parse_dn_gets( p, n, &crl->issuer );
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%sthis update   : " \
-                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                   crl->this_update.year, crl->this_update.mon,
-                   crl->this_update.day,  crl->this_update.hour,
-                   crl->this_update.min,  crl->this_update.sec );
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n%snext update   : " \
-                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
-                   crl->next_update.year, crl->next_update.mon,
-                   crl->next_update.day,  crl->next_update.hour,
-                   crl->next_update.min,  crl->next_update.sec );
-    SAFE_SNPRINTF();
-
-    entry = &crl->entry;
-
-    ret = snprintf( p, n, "\n%sRevoked certificates:",
-                               prefix );
-    SAFE_SNPRINTF();
-
-    while( entry != NULL && entry->raw.len != 0 )
-    {
-        ret = snprintf( p, n, "\n%sserial number: ",
-                               prefix );
-        SAFE_SNPRINTF();
-
-        ret = x509parse_serial_gets( p, n, &entry->serial);
-        SAFE_SNPRINTF();
-
-        ret = snprintf( p, n, " revocation date: " \
-                   "%04d-%02d-%02d %02d:%02d:%02d",
-                   entry->revocation_date.year, entry->revocation_date.mon,
-                   entry->revocation_date.day,  entry->revocation_date.hour,
-                   entry->revocation_date.min,  entry->revocation_date.sec );
-        SAFE_SNPRINTF();
-
-        entry = entry->next;
-    }
-
-    ret = snprintf( p, n, "\n%ssigned using  : RSA+", prefix );
-    SAFE_SNPRINTF();
-
-    switch( crl->sig_alg )
-    {
-        case SIG_RSA_MD2    : ret = snprintf( p, n, "MD2"    ); break;
-        case SIG_RSA_MD4    : ret = snprintf( p, n, "MD4"    ); break;
-        case SIG_RSA_MD5    : ret = snprintf( p, n, "MD5"    ); break;
-        case SIG_RSA_SHA1   : ret = snprintf( p, n, "SHA1"   ); break;
-        case SIG_RSA_SHA224 : ret = snprintf( p, n, "SHA224" ); break;
-        case SIG_RSA_SHA256 : ret = snprintf( p, n, "SHA256" ); break;
-        case SIG_RSA_SHA384 : ret = snprintf( p, n, "SHA384" ); break;
-        case SIG_RSA_SHA512 : ret = snprintf( p, n, "SHA512" ); break;
-        default: ret = snprintf( p, n, "???"  ); break;
-    }
-    SAFE_SNPRINTF();
-
-    ret = snprintf( p, n, "\n" );
-    SAFE_SNPRINTF();
-
-    return( (int) ( size - n ) );
-}
-
-/*
- * Return 0 if the x509_time is still valid, or 1 otherwise.
- */
-int x509parse_time_expired( const x509_time *to )
-{
-    int year, mon, day;
-    int hour, min, sec;
-
-#if defined(_WIN32)
-    SYSTEMTIME st;
-
-    GetLocalTime(&st);
-
-    year = st.wYear;
-    mon = st.wMonth;
-    day = st.wDay;
-    hour = st.wHour;
-    min = st.wMinute;
-    sec = st.wSecond;
-#else
-    struct tm *lt;
-    time_t tt;
-
-    tt = time( NULL );
-    lt = localtime( &tt );
-
-    year = lt->tm_year + 1900;
-    mon = lt->tm_mon + 1;
-    day = lt->tm_mday;
-    hour = lt->tm_hour;
-    min = lt->tm_min;
-    sec = lt->tm_sec;
-#endif
-
-    if( year  > to->year )
-        return( 1 );
-
-    if( year == to->year &&
-        mon   > to->mon )
-        return( 1 );
-
-    if( year == to->year &&
-        mon  == to->mon  &&
-        day   > to->day )
-        return( 1 );
-
-    if( year == to->year &&
-        mon  == to->mon  &&
-        day  == to->day  &&
-        hour  > to->hour )
-        return( 1 );
-
-    if( year == to->year &&
-        mon  == to->mon  &&
-        day  == to->day  &&
-        hour == to->hour &&
-        min   > to->min  )
-        return( 1 );
-
-    if( year == to->year &&
-        mon  == to->mon  &&
-        day  == to->day  &&
-        hour == to->hour &&
-        min  == to->min  &&
-        sec   > to->sec  )
-        return( 1 );
-
-    return( 0 );
-}
-
-/*
- * Return 1 if the certificate is revoked, or 0 otherwise.
- */
-int x509parse_revoked( const x509_cert *crt, const x509_crl *crl )
-{
-    const x509_crl_entry *cur = &crl->entry;
-
-    while( cur != NULL && cur->serial.len != 0 )
-    {
-        if( crt->serial.len == cur->serial.len &&
-            memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
-        {
-            if( x509parse_time_expired( &cur->revocation_date ) )
-                return( 1 );
-        }
-
-        cur = cur->next;
-    }
-
-    return( 0 );
-}
-
-/*
- * Wrapper for x509 hashes.
- */
-static void x509_hash( const unsigned char *in, size_t len, int alg,
-                       unsigned char *out )
-{
-    switch( alg )
-    {
-#if defined(POLARSSL_MD2_C)
-        case SIG_RSA_MD2    :  md2( in, len, out ); break;
-#endif
-#if defined(POLARSSL_MD4_C)
-        case SIG_RSA_MD4    :  md4( in, len, out ); break;
-#endif
-#if defined(POLARSSL_MD5_C)
-        case SIG_RSA_MD5    :  md5( in, len, out ); break;
-#endif
-#if defined(POLARSSL_SHA1_C)
-        case SIG_RSA_SHA1   : sha1( in, len, out ); break;
-#endif
-#if defined(POLARSSL_SHA2_C)
-        case SIG_RSA_SHA224 : sha2( in, len, out, 1 ); break;
-        case SIG_RSA_SHA256 : sha2( in, len, out, 0 ); break;
-#endif
-#if defined(POLARSSL_SHA4_C)
-        case SIG_RSA_SHA384 : sha4( in, len, out, 1 ); break;
-        case SIG_RSA_SHA512 : sha4( in, len, out, 0 ); break;
-#endif
-        default:
-            memset( out, '\xFF', 64 );
-            break;
-    }
-}
-
-/*
- * Check that the given certificate is valid accoring to the CRL.
- */
-static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
-        x509_crl *crl_list)
-{
-    int flags = 0;
-    int hash_id;
-    unsigned char hash[64];
-
-    if( ca == NULL )
-        return( flags );
-
-    /*
-     * TODO: What happens if no CRL is present?
-     * Suggestion: Revocation state should be unknown if no CRL is present.
-     * For backwards compatibility this is not yet implemented.
-     */
-
-    while( crl_list != NULL )
-    {
-        if( crl_list->version == 0 ||
-            crl_list->issuer_raw.len != ca->subject_raw.len ||
-            memcmp( crl_list->issuer_raw.p, ca->subject_raw.p,
-                    crl_list->issuer_raw.len ) != 0 )
-        {
-            crl_list = crl_list->next;
-            continue;
-        }
-
-        /*
-         * Check if CRL is correctly signed by the trusted CA
-         */
-        hash_id = crl_list->sig_alg;
-
-        x509_hash( crl_list->tbs.p, crl_list->tbs.len, hash_id, hash );
-
-        if( !rsa_pkcs1_verify( &ca->rsa, RSA_PUBLIC, hash_id,
-                              0, hash, crl_list->sig.p ) == 0 )
-        {
-            /*
-             * CRL is not trusted
-             */
-            flags |= BADCRL_NOT_TRUSTED;
-            break;
-        }
-
-        /*
-         * Check for validity of CRL (Do not drop out)
-         */
-        if( x509parse_time_expired( &crl_list->next_update ) )
-            flags |= BADCRL_EXPIRED;
-
-        /*
-         * Check if certificate is revoked
-         */
-        if( x509parse_revoked(crt, crl_list) )
-        {
-            flags |= BADCERT_REVOKED;
-            break;
-        }
-
-        crl_list = crl_list->next;
-    }
-    return flags;
-}
-
-int x509_wildcard_verify( const char *cn, x509_buf *name )
-{
-    size_t i;
-    size_t cn_idx = 0;
-
-    if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
-        return( 0 );
-
-    for( i = 0; i < strlen( cn ); ++i )
-    {
-        if( cn[i] == '.' )
-        {
-            cn_idx = i;
-            break;
-        }
-    }
-
-    if( cn_idx == 0 )
-        return( 0 );
-
-    if( strlen( cn ) - cn_idx == name->len - 1 &&
-        memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
-    {
-        return( 1 );
-    }
-
-    return( 0 );
-}
-
-static int x509parse_verify_top(
-                x509_cert *child, x509_cert *trust_ca,
-                x509_crl *ca_crl, int path_cnt, int *flags,
-                int (*f_vrfy)(void *, x509_cert *, int, int *),
-                void *p_vrfy )
-{
-    int hash_id, ret;
-    int ca_flags = 0, check_path_cnt = path_cnt + 1;
-    unsigned char hash[64];
-
-    if( x509parse_time_expired( &child->valid_to ) )
-        *flags |= BADCERT_EXPIRED;
-
-    /*
-     * Child is the top of the chain. Check against the trust_ca list.
-     */
-    *flags |= BADCERT_NOT_TRUSTED;
-
-    while( trust_ca != NULL )
-    {
-        if( trust_ca->version == 0 ||
-            child->issuer_raw.len != trust_ca->subject_raw.len ||
-            memcmp( child->issuer_raw.p, trust_ca->subject_raw.p,
-                    child->issuer_raw.len ) != 0 )
-        {
-            trust_ca = trust_ca->next;
-            continue;
-        }
-
-        /*
-         * Reduce path_len to check against if top of the chain is
-         * the same as the trusted CA
-         */
-        if( child->subject_raw.len == trust_ca->subject_raw.len &&
-            memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
-                            child->issuer_raw.len ) == 0 ) 
-        {
-            check_path_cnt--;
-        }
-
-        if( trust_ca->max_pathlen > 0 &&
-            trust_ca->max_pathlen < check_path_cnt )
-        {
-            trust_ca = trust_ca->next;
-            continue;
-        }
-
-        hash_id = child->sig_alg;
-
-        x509_hash( child->tbs.p, child->tbs.len, hash_id, hash );
-
-        if( rsa_pkcs1_verify( &trust_ca->rsa, RSA_PUBLIC, hash_id,
-                    0, hash, child->sig.p ) != 0 )
-        {
-            trust_ca = trust_ca->next;
-            continue;
-        }
-
-        /*
-         * Top of chain is signed by a trusted CA
-         */
-        *flags &= ~BADCERT_NOT_TRUSTED;
-        break;
-    }
-
-    /*
-     * If top of chain is not the same as the trusted CA send a verify request
-     * to the callback for any issues with validity and CRL presence for the
-     * trusted CA certificate.
-     */
-    if( trust_ca != NULL &&
-        ( child->subject_raw.len != trust_ca->subject_raw.len ||
-          memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
-                            child->issuer_raw.len ) != 0 ) )
-    {
-        /* Check trusted CA's CRL for then chain's top crt */
-        *flags |= x509parse_verifycrl( child, trust_ca, ca_crl );
-
-        if( x509parse_time_expired( &trust_ca->valid_to ) )
-            ca_flags |= BADCERT_EXPIRED;
-
-        if( NULL != f_vrfy )
-        {
-            if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
-                return( ret );
-        }
-    }
-
-    /* Call callback on top cert */
-    if( NULL != f_vrfy )
-    {
-        if( ( ret = f_vrfy(p_vrfy, child, path_cnt, flags ) ) != 0 )
-            return( ret );
-    }
-
-    *flags |= ca_flags;
-
-    return( 0 );
-}
-
-static int x509parse_verify_child(
-                x509_cert *child, x509_cert *parent, x509_cert *trust_ca,
-                x509_crl *ca_crl, int path_cnt, int *flags,
-                int (*f_vrfy)(void *, x509_cert *, int, int *),
-                void *p_vrfy )
-{
-    int hash_id, ret;
-    int parent_flags = 0;
-    unsigned char hash[64];
-    x509_cert *grandparent;
-
-    if( x509parse_time_expired( &child->valid_to ) )
-        *flags |= BADCERT_EXPIRED;
-
-    hash_id = child->sig_alg;
-
-    x509_hash( child->tbs.p, child->tbs.len, hash_id, hash );
-
-    if( rsa_pkcs1_verify( &parent->rsa, RSA_PUBLIC, hash_id, 0, hash,
-                           child->sig.p ) != 0 )
-        *flags |= BADCERT_NOT_TRUSTED;
-        
-    /* Check trusted CA's CRL for the given crt */
-    *flags |= x509parse_verifycrl(child, parent, ca_crl);
-
-    grandparent = parent->next;
-
-    while( grandparent != NULL )
-    {
-        if( grandparent->version == 0 ||
-            grandparent->ca_istrue == 0 ||
-            parent->issuer_raw.len != grandparent->subject_raw.len ||
-            memcmp( parent->issuer_raw.p, grandparent->subject_raw.p,
-                    parent->issuer_raw.len ) != 0 )
-        {
-            grandparent = grandparent->next;
-            continue;
-        }
-        break;
-    }
-
-    if( grandparent != NULL )
-    {
-        /*
-         * Part of the chain
-         */
-        ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
-        if( ret != 0 )
-            return( ret );
-    } 
-    else
-    {
-        ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
-        if( ret != 0 )
-            return( ret );
-    }
-
-    /* child is verified to be a child of the parent, call verify callback */
-    if( NULL != f_vrfy )
-        if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
-            return( ret );
-
-    *flags |= parent_flags;
-
-    return( 0 );
-}
-
-/*
- * Verify the certificate validity
- */
-int x509parse_verify( x509_cert *crt,
-                      x509_cert *trust_ca,
-                      x509_crl *ca_crl,
-                      const char *cn, int *flags,
-                      int (*f_vrfy)(void *, x509_cert *, int, int *),
-                      void *p_vrfy )
-{
-    size_t cn_len;
-    int ret;
-    int pathlen = 0;
-    x509_cert *parent;
-    x509_name *name;
-    x509_sequence *cur = NULL;
-
-    *flags = 0;
-
-    if( cn != NULL )
-    {
-        name = &crt->subject;
-        cn_len = strlen( cn );
-
-        if( crt->ext_types & EXT_SUBJECT_ALT_NAME )
-        {
-            cur = &crt->subject_alt_names;
-
-            while( cur != NULL )
-            {
-                if( cur->buf.len == cn_len &&
-                    memcmp( cn, cur->buf.p, cn_len ) == 0 )
-                    break;
-
-                if( cur->buf.len > 2 &&
-                    memcmp( cur->buf.p, "*.", 2 ) == 0 &&
-                            x509_wildcard_verify( cn, &cur->buf ) )
-                    break;
-
-                cur = cur->next;
-            }
-
-            if( cur == NULL )
-                *flags |= BADCERT_CN_MISMATCH;
-        }
-        else
-        {
-            while( name != NULL )
-            {
-                if( name->oid.len == 3 &&
-                    memcmp( name->oid.p, OID_CN,  3 ) == 0 )
-                {
-                    if( name->val.len == cn_len &&
-                        memcmp( name->val.p, cn, cn_len ) == 0 )
-                        break;
-
-                    if( name->val.len > 2 &&
-                        memcmp( name->val.p, "*.", 2 ) == 0 &&
-                                x509_wildcard_verify( cn, &name->val ) )
-                        break;
-                }
-
-                name = name->next;
-            }
-
-            if( name == NULL )
-                *flags |= BADCERT_CN_MISMATCH;
-        }
-    }
-
-    /*
-     * Iterate upwards in the given cert chain, to find our crt parent.
-     * Ignore any upper cert with CA != TRUE.
-     */
-    parent = crt->next;
-
-    while( parent != NULL && parent->version != 0 )
-    {
-        if( parent->ca_istrue == 0 ||
-            crt->issuer_raw.len != parent->subject_raw.len ||
-            memcmp( crt->issuer_raw.p, parent->subject_raw.p,
-                    crt->issuer_raw.len ) != 0 )
-        {
-            parent = parent->next;
-            continue;
-        }
-        break;
-    }
-
-    if( parent != NULL )
-    {
-        /*
-         * Part of the chain
-         */
-        ret = x509parse_verify_child( crt, parent, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
-        if( ret != 0 )
-            return( ret );
-    } 
-    else
-    {
-        ret = x509parse_verify_top( crt, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
-        if( ret != 0 )
-            return( ret );
-    }
-
-    if( *flags != 0 )
-        return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
-
-    return( 0 );
-}
-
-/*
- * Unallocate all certificate data
- */
-void x509_free( x509_cert *crt )
-{
-    x509_cert *cert_cur = crt;
-    x509_cert *cert_prv;
-    x509_name *name_cur;
-    x509_name *name_prv;
-    x509_sequence *seq_cur;
-    x509_sequence *seq_prv;
-
-    if( crt == NULL )
-        return;
-
-    do
-    {
-        rsa_free( &cert_cur->rsa );
-
-        name_cur = cert_cur->issuer.next;
-        while( name_cur != NULL )
-        {
-            name_prv = name_cur;
-            name_cur = name_cur->next;
-            memset( name_prv, 0, sizeof( x509_name ) );
-            free( name_prv );
-        }
-
-        name_cur = cert_cur->subject.next;
-        while( name_cur != NULL )
-        {
-            name_prv = name_cur;
-            name_cur = name_cur->next;
-            memset( name_prv, 0, sizeof( x509_name ) );
-            free( name_prv );
-        }
-
-        seq_cur = cert_cur->ext_key_usage.next;
-        while( seq_cur != NULL )
-        {
-            seq_prv = seq_cur;
-            seq_cur = seq_cur->next;
-            memset( seq_prv, 0, sizeof( x509_sequence ) );
-            free( seq_prv );
-        }
-
-        seq_cur = cert_cur->subject_alt_names.next;
-        while( seq_cur != NULL )
-        {
-            seq_prv = seq_cur;
-            seq_cur = seq_cur->next;
-            memset( seq_prv, 0, sizeof( x509_sequence ) );
-            free( seq_prv );
-        }
-
-        if( cert_cur->raw.p != NULL )
-        {
-            memset( cert_cur->raw.p, 0, cert_cur->raw.len );
-            free( cert_cur->raw.p );
-        }
-
-        cert_cur = cert_cur->next;
-    }
-    while( cert_cur != NULL );
-
-    cert_cur = crt;
-    do
-    {
-        cert_prv = cert_cur;
-        cert_cur = cert_cur->next;
-
-        memset( cert_prv, 0, sizeof( x509_cert ) );
-        if( cert_prv != crt )
-            free( cert_prv );
-    }
-    while( cert_cur != NULL );
-}
-
-/*
- * Unallocate all CRL data
- */
-void x509_crl_free( x509_crl *crl )
-{
-    x509_crl *crl_cur = crl;
-    x509_crl *crl_prv;
-    x509_name *name_cur;
-    x509_name *name_prv;
-    x509_crl_entry *entry_cur;
-    x509_crl_entry *entry_prv;
-
-    if( crl == NULL )
-        return;
-
-    do
-    {
-        name_cur = crl_cur->issuer.next;
-        while( name_cur != NULL )
-        {
-            name_prv = name_cur;
-            name_cur = name_cur->next;
-            memset( name_prv, 0, sizeof( x509_name ) );
-            free( name_prv );
-        }
-
-        entry_cur = crl_cur->entry.next;
-        while( entry_cur != NULL )
-        {
-            entry_prv = entry_cur;
-            entry_cur = entry_cur->next;
-            memset( entry_prv, 0, sizeof( x509_crl_entry ) );
-            free( entry_prv );
-        }
-
-        if( crl_cur->raw.p != NULL )
-        {
-            memset( crl_cur->raw.p, 0, crl_cur->raw.len );
-            free( crl_cur->raw.p );
-        }
-
-        crl_cur = crl_cur->next;
-    }
-    while( crl_cur != NULL );
-
-    crl_cur = crl;
-    do
-    {
-        crl_prv = crl_cur;
-        crl_cur = crl_cur->next;
-
-        memset( crl_prv, 0, sizeof( x509_crl ) );
-        if( crl_prv != crl )
-            free( crl_prv );
-    }
-    while( crl_cur != NULL );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include "polarssl/certs.h"
-
-/*
- * Checkup routine
- */
-int x509_self_test( int verbose )
-{
-#if defined(POLARSSL_CERTS_C) && defined(POLARSSL_MD5_C)
-    int ret;
-    int flags;
-    size_t i, j;
-    x509_cert cacert;
-    x509_cert clicert;
-    rsa_context rsa;
-#if defined(POLARSSL_DHM_C)
-    dhm_context dhm;
-#endif
-
-    if( verbose != 0 )
-        printf( "  X.509 certificate load: " );
-
-    memset( &clicert, 0, sizeof( x509_cert ) );
-
-    ret = x509parse_crt( &clicert, (const unsigned char *) test_cli_crt,
-                         strlen( test_cli_crt ) );
-    if( ret != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( ret );
-    }
-
-    memset( &cacert, 0, sizeof( x509_cert ) );
-
-    ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
-    if( ret != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( ret );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  X.509 private key load: " );
-
-    i = strlen( test_ca_key );
-    j = strlen( test_ca_pwd );
-
-    rsa_init( &rsa, RSA_PKCS_V15, 0 );
-
-    if( ( ret = x509parse_key( &rsa,
-                    (const unsigned char *) test_ca_key, i,
-                    (const unsigned char *) test_ca_pwd, j ) ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( ret );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  X.509 signature verify: ");
-
-    ret = x509parse_verify( &clicert, &cacert, NULL, "PolarSSL Client 2", &flags, NULL, NULL );
-    if( ret != 0 )
-    {
-        printf("%02x", flags);
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( ret );
-    }
-
-#if defined(POLARSSL_DHM_C)
-    if( verbose != 0 )
-        printf( "passed\n  X.509 DHM parameter load: " );
-
-    i = strlen( test_dhm_params );
-    j = strlen( test_ca_pwd );
-
-    if( ( ret = x509parse_dhm( &dhm, (const unsigned char *) test_dhm_params, i ) ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( ret );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n\n" );
-#endif
-
-    x509_free( &cacert  );
-    x509_free( &clicert );
-    rsa_free( &rsa );
-#if defined(POLARSSL_DHM_C)
-    dhm_free( &dhm );
-#endif
-
-    return( 0 );
-#else
-    ((void) verbose);
-    return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
-#endif
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/x509write.c b/makerom/polarssl/x509write.c
deleted file mode 100644
index 9f5a9100..00000000
--- a/makerom/polarssl/x509write.c
+++ /dev/null
@@ -1,285 +0,0 @@
-/*
- * X509 buffer writing functionality
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_X509_WRITE_C)
-
-#include "polarssl/asn1write.h"
-#include "polarssl/x509write.h"
-#include "polarssl/x509.h"
-#include "polarssl/sha1.h"
-#include "polarssl/sha2.h"
-#include "polarssl/sha4.h"
-#include "polarssl/md4.h"
-#include "polarssl/md5.h"
-
-int x509_write_pubkey_der( unsigned char *buf, size_t size, rsa_context *rsa )
-{
-    int ret;
-    unsigned char *c;
-    size_t len = 0;
-
-    c = buf + size - 1;
-
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->E ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->N ) );
-
-    ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    if( c - buf < 1 )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    *--c = 0;
-    len += 1;
-
-    ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_BIT_STRING ) );
-
-    ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( &c, buf, OID_PKCS1_RSA ) );
-
-    ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    return( len );
-}
-
-int x509_write_key_der( unsigned char *buf, size_t size, rsa_context *rsa )
-{
-    int ret;
-    unsigned char *c;
-    size_t len = 0;
-
-    c = buf + size - 1;
-
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->QP ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->DQ ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->DP ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->Q ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->P ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->D ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->E ) );
-    ASN1_CHK_ADD( len, asn1_write_mpi( &c, buf, &rsa->N ) );
-    ASN1_CHK_ADD( len, asn1_write_int( &c, buf, 0 ) );
-
-    ASN1_CHK_ADD( len, asn1_write_len( &c, buf, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    // TODO: Make NON RSA Specific variant later on
-/*    *--c = 0;
-    len += 1;
-
-    len += asn1_write_len( &c, len);
-    len += asn1_write_tag( &c, ASN1_BIT_STRING );
-
-    len += asn1_write_oid( &c, OID_PKCS1_RSA );
-
-    len += asn1_write_int( &c, 0 );
-
-    len += asn1_write_len( &c, len);
-    len += asn1_write_tag( &c, ASN1_CONSTRUCTED | ASN1_SEQUENCE );*/
-
-/*    for(i = 0; i < len; ++i)
-    {
-        if (i % 16 == 0 ) printf("\n");
-        printf("%02x ", c[i]);
-    }
-    printf("\n");*/
-
-    return( len );
-}
-
-int x509_write_name( unsigned char **p, unsigned char *start, char *oid,
-                     char *name )
-{
-    int ret;
-    size_t string_len = 0;
-    size_t oid_len = 0;
-    size_t len = 0;
-
-    // Write PrintableString for all except OID_PKCS9_EMAIL
-    //
-    if( OID_SIZE( OID_PKCS9_EMAIL ) == strlen( oid ) &&
-        memcmp( oid, OID_PKCS9_EMAIL, strlen( oid ) ) == 0 )
-    {
-        ASN1_CHK_ADD( string_len, asn1_write_ia5_string( p, start, name ) );
-    }
-    else
-        ASN1_CHK_ADD( string_len, asn1_write_printable_string( p, start, name ) );
-
-    // Write OID
-    //
-    ASN1_CHK_ADD( oid_len, asn1_write_oid( p, start, oid ) );
-
-    len = oid_len + string_len;
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, oid_len + string_len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_CONSTRUCTED | ASN1_SET ) );
-
-    return( len );
-}
-
-/*
- * Wrapper for x509 hashes.
- */
-static void x509_hash( const unsigned char *in, size_t len, int alg,
-                       unsigned char *out )
-{
-    switch( alg )
-    {
-#if defined(POLARSSL_MD2_C)
-        case SIG_RSA_MD2    :  md2( in, len, out ); break;
-#endif
-#if defined(POLARSSL_MD4_C)
-        case SIG_RSA_MD4    :  md4( in, len, out ); break;
-#endif
-#if defined(POLARSSL_MD5_C)
-        case SIG_RSA_MD5    :  md5( in, len, out ); break;
-#endif
-#if defined(POLARSSL_SHA1_C)
-        case SIG_RSA_SHA1   : sha1( in, len, out ); break;
-#endif
-#if defined(POLARSSL_SHA2_C)
-        case SIG_RSA_SHA224 : sha2( in, len, out, 1 ); break;
-        case SIG_RSA_SHA256 : sha2( in, len, out, 0 ); break;
-#endif
-#if defined(POLARSSL_SHA4_C)
-        case SIG_RSA_SHA384 : sha4( in, len, out, 1 ); break;
-        case SIG_RSA_SHA512 : sha4( in, len, out, 0 ); break;
-#endif
-        default:
-            memset( out, '\xFF', 64 );
-            break;
-    }
-}
-
-int x509_write_sig( unsigned char **p, unsigned char *start, char *oid,
-                    unsigned char *sig, size_t size )
-{
-    int ret;
-    size_t len = 0;
-
-    if( *p - start < (int) size + 1 )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    len = size;
-    (*p) -= len;
-    memcpy( *p, sig, len );
-
-    *--(*p) = 0;
-    len += 1;
-
-    ASN1_CHK_ADD( len, asn1_write_len( p, start, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( p, start, ASN1_BIT_STRING ) );
-
-    // Write OID
-    //
-    ASN1_CHK_ADD( len, asn1_write_algorithm_identifier( p, start, oid ) );
-
-    return( len );
-}
-
-int x509_write_cert_req( unsigned char *buf, size_t size, rsa_context *rsa,
-                         x509_req_name *req_name, int hash_id )
-{
-    int ret;
-    char sig_oid[10];
-    unsigned char *c, *c2;
-    unsigned char hash[64];
-    unsigned char sig[POLARSSL_MPI_MAX_SIZE];
-    unsigned char tmp_buf[2048];
-    size_t sub_len = 0, pub_len = 0, sig_len = 0;
-    size_t len = 0;
-    x509_req_name *cur = req_name;
-
-    c = tmp_buf + 2048 - 1;
-
-    ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, 0 ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC ) );
-
-    ASN1_CHK_ADD( pub_len, asn1_write_mpi( &c, tmp_buf, &rsa->E ) );
-    ASN1_CHK_ADD( pub_len, asn1_write_mpi( &c, tmp_buf, &rsa->N ) );
-
-    ASN1_CHK_ADD( pub_len, asn1_write_len( &c, tmp_buf, pub_len ) );
-    ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    if( c - tmp_buf < 1 )
-        return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
-
-    *--c = 0;
-    pub_len += 1;
-
-    ASN1_CHK_ADD( pub_len, asn1_write_len( &c, tmp_buf, pub_len ) );
-    ASN1_CHK_ADD( pub_len, asn1_write_tag( &c, tmp_buf, ASN1_BIT_STRING ) );
-
-    ASN1_CHK_ADD( pub_len, asn1_write_algorithm_identifier( &c, tmp_buf, OID_PKCS1_RSA ) );
-
-    len += pub_len;
-    ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, pub_len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    while( cur != NULL )
-    {
-        ASN1_CHK_ADD( sub_len, x509_write_name( &c, tmp_buf, cur->oid, cur->name ) );
-        
-        cur = cur->next;
-    }
-
-    len += sub_len;
-    ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, sub_len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    ASN1_CHK_ADD( len, asn1_write_int( &c, tmp_buf, 0 ) );
-
-    ASN1_CHK_ADD( len, asn1_write_len( &c, tmp_buf, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c, tmp_buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-    
-    x509_hash( c, len, hash_id, hash );
-
-    rsa_pkcs1_sign( rsa, NULL, NULL, RSA_PRIVATE, hash_id, 0, hash, sig );
-
-    // Generate correct OID
-    //
-    memcpy( sig_oid, OID_PKCS1, 8 );
-    sig_oid[8] = hash_id;
-    sig_oid[9] = '\0';
-
-    c2 = buf + size - 1;
-    ASN1_CHK_ADD( sig_len, x509_write_sig( &c2, buf, sig_oid, sig, rsa->len ) );
-    
-    c2 -= len;
-    memcpy( c2, c, len ); 
-    
-    len += sig_len;
-    ASN1_CHK_ADD( len, asn1_write_len( &c2, buf, len ) );
-    ASN1_CHK_ADD( len, asn1_write_tag( &c2, buf, ASN1_CONSTRUCTED | ASN1_SEQUENCE ) );
-
-    return( len );
-}
-
-#endif
diff --git a/makerom/polarssl/xtea.c b/makerom/polarssl/xtea.c
deleted file mode 100644
index f8ab014f..00000000
--- a/makerom/polarssl/xtea.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- *  An 32-bit implementation of the XTEA algorithm
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_XTEA_C)
-
-#include "polarssl/xtea.h"
-
-#if !defined(POLARSSL_XTEA_ALT)
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 3]       );            \
-}
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-/*
- * XTEA key schedule
- */
-void xtea_setup( xtea_context *ctx, unsigned char key[16] )
-{
-    int i;
-
-    memset(ctx, 0, sizeof(xtea_context));
-
-    for( i = 0; i < 4; i++ )
-    {
-        GET_UINT32_BE( ctx->k[i], key, i << 2 );
-    }
-}
-
-/*
- * XTEA encrypt function
- */
-int xtea_crypt_ecb( xtea_context *ctx, int mode, unsigned char input[8],
-                     unsigned char output[8])
-{
-    uint32_t *k, v0, v1, i;
-
-    k = ctx->k;
-    
-    GET_UINT32_BE( v0, input, 0 );
-    GET_UINT32_BE( v1, input, 4 );
-
-    if( mode == XTEA_ENCRYPT )
-    {
-        uint32_t sum = 0, delta = 0x9E3779B9;
-
-        for( i = 0; i < 32; i++ )
-        {
-            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
-            sum += delta;
-            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
-        }
-    }
-    else /* XTEA_DECRYPT */
-    {
-        uint32_t delta = 0x9E3779B9, sum = delta * 32;
-
-        for( i = 0; i < 32; i++ )
-        {
-            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
-            sum -= delta;
-            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
-        }
-    }
-
-    PUT_UINT32_BE( v0, output, 0 );
-    PUT_UINT32_BE( v1, output, 4 );
-
-    return( 0 );
-}
-
-/*
- * XTEA-CBC buffer encryption/decryption
- */
-int xtea_crypt_cbc( xtea_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[8],
-                    unsigned char *input,
-                    unsigned char *output)
-{
-    int i;
-    unsigned char temp[8];
-
-    if(length % 8)
-        return( POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH );
-
-    if( mode == XTEA_DECRYPT ) 
-    {
-        while( length > 0 )
-        {
-            memcpy( temp, input, 8 );
-            xtea_crypt_ecb( ctx, mode, input, output );
-
-            for(i = 0; i < 8; i++) 
-                output[i] = (unsigned char)( output[i] ^ iv[i] );
-
-            memcpy( iv, temp, 8 );
-
-            input  += 8;
-            output += 8;
-            length -= 8;
-        }
-    } 
-    else 
-    {
-        while( length > 0 )
-        {
-            for( i = 0; i < 8; i++ )
-                output[i] = (unsigned char)( input[i] ^ iv[i] );
-
-            xtea_crypt_ecb( ctx, mode, output, output );
-            memcpy( iv, output, 8 );
-            
-            input  += 8;
-            output += 8;
-            length -= 8;
-        }
-    }
-
-    return( 0 );
-}
-#endif /* !POLARSSL_XTEA_ALT */
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <string.h>
-#include <stdio.h>
-
-/*
- * XTEA tests vectors (non-official)
- */
-
-static const unsigned char xtea_test_key[6][16] =
-{
-   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
-     0x0c, 0x0d, 0x0e, 0x0f },
-   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
-     0x0c, 0x0d, 0x0e, 0x0f },
-   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
-     0x0c, 0x0d, 0x0e, 0x0f },
-   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-     0x00, 0x00, 0x00, 0x00 },
-   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-     0x00, 0x00, 0x00, 0x00 },
-   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-     0x00, 0x00, 0x00, 0x00 }
-};
-
-static const unsigned char xtea_test_pt[6][8] =
-{
-    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
-    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
-    { 0x5a, 0x5b, 0x6e, 0x27, 0x89, 0x48, 0xd7, 0x7f },
-    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
-    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
-    { 0x70, 0xe1, 0x22, 0x5d, 0x6e, 0x4e, 0x76, 0x55 }
-};
-
-static const unsigned char xtea_test_ct[6][8] =
-{
-    { 0x49, 0x7d, 0xf3, 0xd0, 0x72, 0x61, 0x2c, 0xb5 },
-    { 0xe7, 0x8f, 0x2d, 0x13, 0x74, 0x43, 0x41, 0xd8 },
-    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
-    { 0xa0, 0x39, 0x05, 0x89, 0xf8, 0xb8, 0xef, 0xa5 },
-    { 0xed, 0x23, 0x37, 0x5a, 0x82, 0x1a, 0x8c, 0x2d },
-    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 }
-};
-
-/*
- * Checkup routine
- */
-int xtea_self_test( int verbose )
-{
-    int i;
-    unsigned char buf[8];
-    xtea_context ctx;
-
-    for( i = 0; i < 6; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  XTEA test #%d: ", i + 1 );
-
-        memcpy( buf, xtea_test_pt[i], 8 );
-
-        xtea_setup( &ctx, (unsigned char *) xtea_test_key[i] );
-        xtea_crypt_ecb( &ctx, XTEA_ENCRYPT, buf, buf );
-
-        if( memcmp( buf, xtea_test_ct[i], 8 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif

From 9823dfd2d85899c28546c79ffc6c200324ee7ef8 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 17 Sep 2015 08:11:36 +0800
Subject: [PATCH 085/317] makerom: added VS2015 solution file.

---
 makerom/makerom.sln | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 makerom/makerom.sln

diff --git a/makerom/makerom.sln b/makerom/makerom.sln
new file mode 100644
index 00000000..ff089e36
--- /dev/null
+++ b/makerom/makerom.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.23107.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "makerom", "makerom.vcxproj", "{21926330-F5A5-4643-AD32-D4F167CE226B}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Debug|x64.ActiveCfg = Debug|x64
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Debug|x64.Build.0 = Debug|x64
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Debug|x86.ActiveCfg = Debug|Win32
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Debug|x86.Build.0 = Debug|Win32
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Release|x64.ActiveCfg = Release|x64
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Release|x64.Build.0 = Release|x64
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Release|x86.ActiveCfg = Release|Win32
+		{21926330-F5A5-4643-AD32-D4F167CE226B}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

From 49e12c8d69aca964b208cabd293041a63fef3237 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 19 Sep 2015 19:46:58 +0800
Subject: [PATCH 086/317] makerom: misc VS2015 stuff

---
 makerom/makerom.vcxproj         |  47 +++-----------
 makerom/makerom.vcxproj.filters | 105 --------------------------------
 2 files changed, 10 insertions(+), 142 deletions(-)

diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index 97ca195f..472d5b49 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -39,7 +39,7 @@
     <PlatformToolset>v140</PlatformToolset>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>Makefile</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <PlatformToolset>v140</PlatformToolset>
   </PropertyGroup>
@@ -76,7 +76,15 @@
     <NMakeReBuildCommandLine>make rebuild</NMakeReBuildCommandLine>
     <NMakePreprocessorDefinitions>WIN32;NDEBUG;$(NMakePreprocessorDefinitions)</NMakePreprocessorDefinitions>
   </PropertyGroup>
-  <ItemDefinitionGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <IncludePath>C:\Program Files\mingw-w64\x86_64-4.9.2-win32-seh-rt_v4-rev2\mingw64\x86_64-w64-mingw32\include;$(IncludePath)</IncludePath>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
+    <RunCodeAnalysis>true</RunCodeAnalysis>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <EnablePREfast>true</EnablePREfast>
+    </ClCompile>
   </ItemDefinitionGroup>
   <ItemGroup>
     <Text Include="readme.txt" />
@@ -208,50 +216,15 @@
     <ClCompile Include="makerom.c" />
     <ClCompile Include="ncch.c" />
     <ClCompile Include="ncsd.c" />
-    <ClCompile Include="polarssl\arc4.c" />
-    <ClCompile Include="polarssl\asn1parse.c" />
-    <ClCompile Include="polarssl\asn1write.c" />
     <ClCompile Include="polarssl\base64.c" />
     <ClCompile Include="polarssl\bignum.c" />
-    <ClCompile Include="polarssl\blowfish.c" />
-    <ClCompile Include="polarssl\camellia.c" />
-    <ClCompile Include="polarssl\certs.c" />
-    <ClCompile Include="polarssl\cipher.c" />
-    <ClCompile Include="polarssl\cipher_wrap.c" />
-    <ClCompile Include="polarssl\ctr_drbg.c" />
-    <ClCompile Include="polarssl\debug.c" />
-    <ClCompile Include="polarssl\des.c" />
-    <ClCompile Include="polarssl\dhm.c" />
-    <ClCompile Include="polarssl\entropy.c" />
-    <ClCompile Include="polarssl\entropy_poll.c" />
-    <ClCompile Include="polarssl\error.c" />
-    <ClCompile Include="polarssl\gcm.c" />
-    <ClCompile Include="polarssl\havege.c" />
     <ClCompile Include="polarssl\md.c" />
-    <ClCompile Include="polarssl\md2.c" />
-    <ClCompile Include="polarssl\md4.c" />
     <ClCompile Include="polarssl\md5.c" />
     <ClCompile Include="polarssl\md_wrap.c" />
-    <ClCompile Include="polarssl\net.c" />
-    <ClCompile Include="polarssl\padlock.c" />
-    <ClCompile Include="polarssl\pbkdf2.c" />
-    <ClCompile Include="polarssl\pem.c" />
-    <ClCompile Include="polarssl\pkcs11.c" />
-    <ClCompile Include="polarssl\pkcs12.c" />
-    <ClCompile Include="polarssl\pkcs5.c" />
     <ClCompile Include="polarssl\rsa.c" />
     <ClCompile Include="polarssl\sha1.c" />
     <ClCompile Include="polarssl\sha2.c" />
     <ClCompile Include="polarssl\sha4.c" />
-    <ClCompile Include="polarssl\ssl_cache.c" />
-    <ClCompile Include="polarssl\ssl_cli.c" />
-    <ClCompile Include="polarssl\ssl_srv.c" />
-    <ClCompile Include="polarssl\ssl_tls.c" />
-    <ClCompile Include="polarssl\timing.c" />
-    <ClCompile Include="polarssl\version.c" />
-    <ClCompile Include="polarssl\x509parse.c" />
-    <ClCompile Include="polarssl\x509write.c" />
-    <ClCompile Include="polarssl\xtea.c" />
     <ClCompile Include="romfs.c" />
     <ClCompile Include="romfs_gen.c" />
     <ClCompile Include="romfs_import.c" />
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index 0f4ba0ba..5fb196a6 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -443,99 +443,21 @@
     <ClCompile Include="libyaml\writer.c">
       <Filter>Source Files\libyaml</Filter>
     </ClCompile>
-    <ClCompile Include="polarssl\arc4.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\asn1parse.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\asn1write.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
     <ClCompile Include="polarssl\base64.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
     <ClCompile Include="polarssl\bignum.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
-    <ClCompile Include="polarssl\blowfish.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\camellia.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\certs.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\cipher.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\cipher_wrap.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\ctr_drbg.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\debug.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\des.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\dhm.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\entropy.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\entropy_poll.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\error.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\gcm.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\havege.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
     <ClCompile Include="polarssl\md.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
     <ClCompile Include="polarssl\md_wrap.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
-    <ClCompile Include="polarssl\md2.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\md4.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
     <ClCompile Include="polarssl\md5.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
-    <ClCompile Include="polarssl\net.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\padlock.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\pbkdf2.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\pem.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\pkcs5.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\pkcs11.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\pkcs12.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
     <ClCompile Include="polarssl\rsa.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
@@ -548,33 +470,6 @@
     <ClCompile Include="polarssl\sha4.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
-    <ClCompile Include="polarssl\ssl_cache.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\ssl_cli.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\ssl_srv.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\ssl_tls.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\timing.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\version.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\x509parse.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\x509write.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\xtea.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="Makefile">

From 1bcc5de71c617729adf9863f929adaaafd9d31fe Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 19 Sep 2015 19:50:26 +0800
Subject: [PATCH 087/317] makerom: now supports unstripped ELFs

---
 makerom/elf.c     | 178 ++++++++++++++++++++++------------------------
 makerom/elf.h     |   1 +
 makerom/elf_hdr.h |  38 ++++++----
 3 files changed, 112 insertions(+), 105 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index 7bd07ded..8625215e 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -110,13 +110,26 @@ int BuildExeFsCode(ncch_settings *set)
 	if(result) goto finish;
 
 finish:
-	if(result){
-		if(result == NOT_ELF_FILE) fprintf(stderr,"[ELF ERROR] Not ELF File\n");
-		else if(result == NOT_ARM_ELF) fprintf(stderr,"[ELF ERROR] Not ARM ELF\n");
-		else if(result == NON_EXECUTABLE_ELF) fprintf(stderr,"[ELF ERROR] Not Executeable ELF\n");
-		else if(result == NOT_FIND_TEXT_SEGMENT) fprintf(stderr,"[ELF ERROR] Failed to retrieve text sections from ELF\n");
-		else if(result == NOT_FIND_DATA_SEGMENT) fprintf(stderr,"[ELF ERROR] Failed to retrieve data sections from ELF\n");
-		else fprintf(stderr,"[ELF ERROR] Failed to process ELF file (%d)\n",result);
+	switch (result) {
+		case (0) :
+			break;
+		case (NOT_ELF_FILE) :
+			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			break;
+		case (NOT_ARM_ELF) :
+			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			break;
+		case (NON_EXECUTABLE_ELF) :
+			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			break;
+		case (NOT_FIND_TEXT_SEGMENT) :
+			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			break;
+		case (NOT_FIND_DATA_SEGMENT) :
+			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			break;
+		default:
+			fprintf(stderr, "[ELF ERROR] Failed to process ELF file (%d)\n", result);
 	}
 	for(int i = 0; i < elf->activeSegments; i++)
 		free(elf->segments[i].sections);
@@ -735,30 +748,22 @@ u16 GetElfSectionIndexFromName(char *name, elf_context *elf, u8 *elfFile)
 
 bool IsBss(elf_section_entry *section)
 {
-	if(section->type == 8 && section->flags == 3)
-		return true;
-	return false;
+	return (section->type == SHT_NOBITS && section->flags == (SHF_WRITE | SHF_ALLOC));
 }
 
 bool IsData(elf_section_entry *section)
 {
-	if(section->type == 1 && section->flags == 3)
-		return true;
-	return false;
+	return (section->type == SHT_PROGBITS && section->flags == (SHF_WRITE | SHF_ALLOC));
 }
 
 bool IsRoData(elf_section_entry *section)
 {
-	if(section->type == 1 && section->flags == 2)
-		return true;
-	return false;
+	return (section->type == SHT_PROGBITS && section->flags == SHF_ALLOC);
 }
 
 bool IsText(elf_section_entry *section)
 {
-	if(section->type == 1 && section->flags == 6)
-		return true;
-	return false;
+	return (section->type == SHT_PROGBITS && section->flags == (SHF_ALLOC | SHF_EXECINSTR));
 }
 
 /* ProgramHeader Functions */
@@ -908,108 +913,99 @@ u64 GetELFProgramEntryAlignment(u16 index, elf_context *elf, u8 *elfFile)
 	return 0;
 }
 
+void InitSegment(elf_segment *segment)
+{
+	memset(segment, 0, sizeof(elf_segment));
+
+	segment->sectionNumMax = 10;
+	segment->sectionNum = 0;
+	segment->sections = calloc(segment->sectionNumMax, sizeof(elf_section_entry));
+}
+
+void AddSegmentSection(elf_segment *segment, elf_section_entry *section)
+{
+	if (segment->sectionNum < segment->sectionNumMax)
+		memcpy(&segment->sections[segment->sectionNum], section, sizeof(elf_section_entry));
+	else {
+		segment->sectionNumMax *= 2;
+		elf_section_entry *tmp = calloc(segment->sectionNumMax, sizeof(elf_section_entry));
+		for (int k = 0; k < segment->sectionNum; k++)
+			memcpy(&tmp[k], &segment->sections[k], sizeof(elf_section_entry));
+		free(segment->sections);
+		segment->sections = tmp;
+		memcpy(&segment->sections[segment->sectionNum], section, sizeof(elf_section_entry));
+	}
+
+	segment->sectionNum++;
+}
 
 int CreateElfSegments(elf_context *elf, u8 *elfFile)
 {
-	int num = 0;
 	// Interate through Each Program Header
 	elf->activeSegments = 0;
 	elf->segments = calloc(elf->programTableEntryCount,sizeof(elf_segment));
-	elf_segment *segment = malloc(sizeof(elf_segment)); // Temporary Buffer
+
+	elf_segment segment;
+
+	bool foundFirstSection = false;
+	int curr, prev;
+	u32 padding, size, sizeInMemory;
+
 	for (int i = 0; i < elf->programTableEntryCount; i++){
-		if (elf->programHeaders[i].sizeInMemory != 0 && elf->programHeaders[i].type == 1){
-			memset(segment,0,sizeof(elf_segment));
-
-			bool foundFirstSection = false;
-			u32 size = 0;
-			u32 vAddr = elf->programHeaders[i].virtualAddress;
- 			u32 memorySize = elf->programHeaders[i].sizeInMemory;
-			//printf("Segment Size in memory: 0x%x\n",memorySize);
-			//printf("Segment Alignment:      0x%x\n",elf->programHeaders[i].alignment);
-			
-			u16 SectionInfoCapacity = 10;
-			segment->sectionNum = 0;
-			segment->sections = calloc(SectionInfoCapacity,sizeof(elf_section_entry));
+		if (elf->programHeaders[i].sizeInMemory != 0 && elf->programHeaders[i].type == PF_X){
+			InitSegment(&segment);
+
+			foundFirstSection = false;
+			size = 0;
+			sizeInMemory = elf->programHeaders[i].sizeInMemory;
 
 			// Itterate Through Section Headers
-			for (int j = num; j < elf->sectionTableEntryCount; j++){
-				if (!foundFirstSection){
-					if (elf->sections[j].address != vAddr)
-                        continue;
-                    
-					while (j < (int)elf->sections[j].size && elf->sections[j].address == vAddr && !IsIgnoreSection(elf->sections[j]))
-                        j++;
+			for (curr = 0; curr < elf->sectionTableEntryCount && size != sizeInMemory; curr++){
+				// Skip irrelevant sections
+				if (IsIgnoreSection(elf->sections[curr]))
+					continue;
 
-					j--;
+				if (!foundFirstSection) {
+					if (elf->sections[curr].address != elf->programHeaders[i].virtualAddress)
+						continue;
 
 					foundFirstSection = true;
-					segment->vAddr = elf->sections[j].address;
-					segment->name = elf->sections[j].name;
-                }
-
-				if(segment->sectionNum < SectionInfoCapacity)
-					memcpy(&segment->sections[segment->sectionNum],&elf->sections[j],sizeof(elf_section_entry));
-				else{
-					SectionInfoCapacity = SectionInfoCapacity*2;
-					elf_section_entry *tmp = calloc(SectionInfoCapacity,sizeof(elf_section_entry));
-					for(int k = 0; k < segment->sectionNum; k++)
-						memcpy(&tmp[k],&segment->sections[k],sizeof(elf_section_entry));
-					free(segment->sections);
-					segment->sections = tmp;
-					memcpy(&segment->sections[segment->sectionNum],&elf->sections[j],sizeof(elf_section_entry));
-				}
-				segment->sectionNum++;
+					segment.vAddr = elf->sections[curr].address;
+					segment.name = elf->sections[curr].name;
 
-				if(size == 0)
-					size += elf->sections[j].size;
-				else{
-					u32 padding = elf->sections[j].address - (elf->sections[j-1].address + elf->sections[j-1].size);
-					size += padding + elf->sections[j].size;
+					AddSegmentSection(&segment, &elf->sections[curr]);
+					size = elf->sections[curr].size;
 				}
-					
-				//printf("Section name: %s",elf->sections[j].name);
-				//printf(" 0x%lx",elf->sections[j].size);
-				//printf(" (Total Size: 0x%x)\n",size);
-
-                if (size == memorySize)
-					break;
+				else {
+					AddSegmentSection(&segment, &elf->sections[curr]);
+					padding = elf->sections[curr].address - (elf->sections[prev].address + elf->sections[prev].size);
+					size += padding + elf->sections[curr].size;
+				}
+				prev = curr;
 
-				if (size > memorySize){
-					fprintf(stderr,"[ELF ERROR] Too large section size.\n Segment size = 0x%x\n Section Size = 0x%x\n", memorySize, size);
+				// Catch section parsing fails
+				if (size > sizeInMemory){
+					fprintf(stderr,"[ELF ERROR] Too large section size.\n Segment size = 0x%x\n Section Size = 0x%x\n", sizeInMemory, size);
 					return ELF_SEGMENT_SECTION_SIZE_MISMATCH;
 				}
             }
-			if(segment->sectionNum){
-				segment->header = &elf->programHeaders[i];
-				memcpy(&elf->segments[elf->activeSegments],segment,sizeof(elf_segment));
+			if(segment.sectionNum){
+				segment.header = &elf->programHeaders[i];
+				memcpy(&elf->segments[elf->activeSegments],&segment,sizeof(elf_segment));
 				elf->activeSegments++;
 			}
 			else{
-				free(segment->sections);
-				free(segment);
+				free(segment.sections);
 				fprintf(stderr,"[ELF ERROR] Program Header Has no corresponding Sections, ELF Cannot be proccessed\n");
 				return ELF_SEGMENTS_NOT_FOUND;
 			}
 		}
 	}
 
-	free(segment);
 	return 0;
 }
 
 bool IsIgnoreSection(elf_section_entry info)
 {
-	if (info.address)
-		return false;
-
-	if (info.type != 1 && info.type != 0)
-		return true;
-
-	char IgnoreSectionNames[7][20] = { ".debug_abbrev", ".debug_frame", ".debug_info", ".debug_line", ".debug_loc", ".debug_pubnames", ".comment" };
-	for (int i = 0; i < 7; i++){
-		if (strcmp(IgnoreSectionNames[i],info.name) == 0)
-			return true;
-	}
-	return false;
-
+	return (info.type != SHT_PROGBITS && info.type != SHT_NOBITS && info.type != SHT_INIT_ARRAY && info.type != SHT_FINI_ARRAY);
 }
diff --git a/makerom/elf.h b/makerom/elf.h
index 269f2093..a6b856af 100644
--- a/makerom/elf.h
+++ b/makerom/elf.h
@@ -45,6 +45,7 @@ typedef struct
 
 	elf_program_entry *header;
 	u32 sectionNum;
+	u32 sectionNumMax;
 	elf_section_entry *sections;
 } elf_segment;
 
diff --git a/makerom/elf_hdr.h b/makerom/elf_hdr.h
index a4a76d1e..eb6aa897 100644
--- a/makerom/elf_hdr.h
+++ b/makerom/elf_hdr.h
@@ -91,20 +91,25 @@ typedef struct
 #define SHT_REL		 9		/* Relocation entries, no addends */
 #define SHT_SHLIB	 10		/* Reserved */
 #define SHT_DYNSYM	 11		/* Dynamic linker symbol table */
-#define	SHT_NUM		 12		/* Number of defined types.  */
-#define SHT_LOOS	 0x60000000	/* Start OS-specific */
-#define SHT_LOSUNW	 0x6ffffffb	/* Sun-specific low bound.  */
-#define SHT_SUNW_COMDAT  0x6ffffffb
-#define SHT_SUNW_syminfo 0x6ffffffc
-#define SHT_GNU_verdef	 0x6ffffffd	/* titleVersion definition section.  */
-#define SHT_GNU_verneed	 0x6ffffffe	/* titleVersion needs section.  */
-#define SHT_GNU_versym	 0x6fffffff	/* titleVersion symbol table.  */
-#define SHT_HISUNW	 0x6fffffff	/* Sun-specific high bound.  */
-#define SHT_HIOS	 0x6fffffff	/* End OS-specific type */
-#define SHT_LOPROC	 0x70000000	/* Start of processor-specific */
-#define SHT_HIPROC	 0x7fffffff	/* End of processor-specific */
-#define SHT_LOUSER	 0x80000000	/* Start of application-specific */
-#define SHT_HIUSER	 0x8fffffff	/* End of application-specific */
+#define	SHT_UNKNOWN12		12
+#define	SHT_UNKNOWN13		13
+#define	SHT_INIT_ARRAY		14
+#define	SHT_FINI_ARRAY		15
+#define	SHT_PREINIT_ARRAY	16
+#define	SHT_GROUP		17
+#define	SHT_SYMTAB_SHNDX	18
+#define	SHT_NUM			19
+
+#define	SHF_WRITE		0x01		/* sh_flags */
+#define	SHF_ALLOC		0x02
+#define	SHF_EXECINSTR		0x04
+#define	SHF_MERGE		0x10
+#define	SHF_STRINGS		0x20
+#define	SHF_INFO_LINK		0x40
+#define	SHF_LINK_ORDER		0x80
+#define	SHF_OS_NONCONFORMING	0x100
+#define	SHF_GROUP		0x200
+#define	SHF_TLS			0x400
 
 
 typedef struct
@@ -151,6 +156,11 @@ typedef struct
 #define PT_LOPROC	0x70000000	/* Start of processor-specific */
 #define PT_HIPROC	0x7fffffff	/* End of processor-specific */
 
+#define	PF_R		0x4		/* p_flags */
+#define	PF_W		0x2
+#define	PF_X		0x1
+
+
 typedef struct
 {
   u8 p_type[4];			/* Segment type */

From a7e874647fcd8de940a9785ff18d826a7bc6e3fb Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 19 Sep 2015 22:22:41 +0800
Subject: [PATCH 088/317] makerom: fixed type

---
 makerom/elf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index 8625215e..c7306be9 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -117,16 +117,16 @@ int BuildExeFsCode(ncch_settings *set)
 			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
 			break;
 		case (NOT_ARM_ELF) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Not ARM ELF\n");
 			break;
 		case (NON_EXECUTABLE_ELF) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Not Executeable ELF\n");
 			break;
 		case (NOT_FIND_TEXT_SEGMENT) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Failed to retrieve text sections from ELF\n");
 			break;
 		case (NOT_FIND_DATA_SEGMENT) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Failed to retrieve data sections from ELF\n");
 			break;
 		default:
 			fprintf(stderr, "[ELF ERROR] Failed to process ELF file (%d)\n", result);

From 8d7cbe60bc5fdee36c401bbd840819bca378d641 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 19 Sep 2015 22:26:34 +0800
Subject: [PATCH 089/317] makerom: fixed typo

---
 makerom/elf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index 8625215e..c7306be9 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -117,16 +117,16 @@ int BuildExeFsCode(ncch_settings *set)
 			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
 			break;
 		case (NOT_ARM_ELF) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Not ARM ELF\n");
 			break;
 		case (NON_EXECUTABLE_ELF) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Not Executeable ELF\n");
 			break;
 		case (NOT_FIND_TEXT_SEGMENT) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Failed to retrieve text sections from ELF\n");
 			break;
 		case (NOT_FIND_DATA_SEGMENT) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
+			fprintf(stderr, "[ELF ERROR] Failed to retrieve data sections from ELF\n");
 			break;
 		default:
 			fprintf(stderr, "[ELF ERROR] Failed to process ELF file (%d)\n", result);

From c1fb98960e36374c05ca034dd484647f9c6bb14d Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 28 Sep 2015 22:04:47 +0800
Subject: [PATCH 090/317] ctrtool: added cpuspeed/enablel2cache to exheader
 output

---
 ctrtool/exheader.c | 14 ++++++++++++--
 ctrtool/exheader.h |  4 ++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 92db1a65..e7fee984 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -136,7 +136,7 @@ void exheader_deserialise_arm11localcaps_permissions(exheader_arm11systemlocalca
 	caps->core_version = getle32(arm11->coreversion);
 
 	caps->enable_l2_cache = (arm11->flag[0] >> 0) & 1;
-	caps->use_additional_cores = (arm11->flag[0] >> 1) & 1;
+	caps->new3ds_cpu_speed = (arm11->flag[0] >> 1) & 1;
 	caps->new3ds_systemmode = (arm11->flag[1] >> 0) & 15;
 
 	caps->ideal_processor = (arm11->flag[2] >> 0) & 3;
@@ -504,7 +504,7 @@ void exheader_verify(exheader_context* ctx)
 	ctx->validold3dssystemmode = Good;
 	ctx->validnew3dssystemmode = Good;
 	ctx->validenablel2cache = Good;
-	ctx->validuseadditionalcores = Good;
+	ctx->validnew3dscpuspeed = Good;
 	ctx->validservicecontrol = Good;
 
 	for(i=0; i<8; i++)
@@ -533,6 +533,14 @@ void exheader_verify(exheader_context* ctx)
 	if (ctx->system_local_caps.new3ds_systemmode > accessdesc.new3ds_systemmode)
 		ctx->validnew3dssystemmode = Fail;
 
+	if (ctx->system_local_caps.enable_l2_cache != accessdesc.enable_l2_cache)
+		ctx->validenablel2cache = Fail;
+
+	if (ctx->system_local_caps.new3ds_cpu_speed != accessdesc.new3ds_cpu_speed)
+		ctx->validnew3dscpuspeed = Fail;
+
+
+
 
 	// Storage Info Verify
 	if(ctx->system_local_caps.system_saveid[0] & ~accessdesc.system_saveid[0])
@@ -628,6 +636,8 @@ void exheader_print(exheader_context* ctx)
 	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
 	fprintf(stdout, "System mode:            %d %s\n", ctx->system_local_caps.old3ds_systemmode, exheader_getvalidstring(ctx->validold3dssystemmode));
 	fprintf(stdout, "System mode (New3DS):   %d %s\n", ctx->system_local_caps.new3ds_systemmode, exheader_getvalidstring(ctx->validnew3dssystemmode));
+	fprintf(stdout, "CPU Speed (New3DS):     %d %s\n", ctx->system_local_caps.new3ds_cpu_speed? "804MHz" : "268MHz", exheader_getvalidstring(ctx->validnew3dscpuspeed));
+	fprintf(stdout, "Enable L2 Cache:        %d %s\n", ctx->system_local_caps.enable_l2_cache ? "YES" : "NO", exheader_getvalidstring(ctx->validnew3dscpuspeed));
 	fprintf(stdout, "Ideal processor:        %d %s\n", ctx->system_local_caps.ideal_processor, exheader_getvalidstring(ctx->valididealprocessor));
 	fprintf(stdout, "Affinity mask:          %d %s\n", ctx->system_local_caps.affinity_mask, exheader_getvalidstring(ctx->validaffinitymask));
 	fprintf(stdout, "Main thread priority:   %d %s\n", ctx->system_local_caps.priority, exheader_getvalidstring(ctx->validpriority));
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index a4432c26..f0ac02c5 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -72,7 +72,7 @@ typedef struct
 
 	// flag
 	u8 enable_l2_cache;
-	u8 use_additional_cores;
+	u8 new3ds_cpu_speed;
 	u8 new3ds_systemmode;
 	u8 ideal_processor;
 	u8 affinity_mask;
@@ -154,7 +154,7 @@ typedef struct
 	int validold3dssystemmode;
 	int validnew3dssystemmode;
 	int validenablel2cache;
-	int validuseadditionalcores;
+	int validnew3dscpuspeed;
 	int validcoreversion;
 	int validsystemsaveID[2];
 	int validaccessinfo;

From af7789f7e80e8d03f4a38fc20dc9acefe27101d1 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 28 Sep 2015 22:05:41 +0800
Subject: [PATCH 091/317] makerom: fixed romfs bug

---
 makerom/romfs_gen.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 5a99ba4a..9f35c606 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -376,7 +376,7 @@ void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 		u32_to_u8(entry->namesize,0,LE);
 
 		/* Get hash table index */
-		hashindex = GetFileHashTableIndex(ctx, parent, (fs_romfs_char*)ROMFS_EMPTY_PATH);
+		hashindex = GetDirHashTableIndex(ctx, parent, (fs_romfs_char*)ROMFS_EMPTY_PATH);
 
 		/* Increment used dir table length */
 		ctx->u_dirTableLen += sizeof(romfs_direntry);
@@ -390,7 +390,7 @@ void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 		memcpy(name_pos,(u8*)fs->name,fs->name_len);
 
 		/* Get hash table index */
-		hashindex = GetFileHashTableIndex(ctx, parent, fs->name);
+		hashindex = GetDirHashTableIndex(ctx, parent, fs->name);
 
 		/* Increment used dir table length */
 		ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->name_len,4);

From 91cdb199f944a664fcbf39810d29cf2fb5a4a87d Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 28 Sep 2015 22:48:31 +0800
Subject: [PATCH 092/317] makerom: added n3ds core2 access flag

---
 makerom/exheader.c      | 2 ++
 makerom/exheader.h      | 1 +
 makerom/rsf_settings.c  | 1 +
 makerom/user_settings.h | 1 +
 4 files changed, 5 insertions(+)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index e159ebe8..3a9f5f63 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -1014,6 +1014,8 @@ int SetARM11KernelDescOtherCapabilities(ARM11KernelCapabilityDescriptor *desc, r
 		otherCapabilities |= othcap_RUNNABLE_ON_SLEEP;
 	if(rsf->AccessControlInfo.SpecialMemoryArrange)
 		otherCapabilities |= othcap_SPECIAL_MEMORY_ARRANGE;
+	if (rsf->AccessControlInfo.CanAccessCore2)
+		otherCapabilities |= othcap_CAN_ACCESS_CORE2;
 
 	if(rsf->AccessControlInfo.MemoryType){
 		if(strcasecmp(rsf->AccessControlInfo.MemoryType,"application") == 0)
diff --git a/makerom/exheader.h b/makerom/exheader.h
index 4bac931d..d9cfd616 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -45,6 +45,7 @@ typedef enum
 	othcap_CAN_SHARE_DEVICE_MEMORY = (1 << 6),
 	othcap_RUNNABLE_ON_SLEEP = (1 << 7),
 	othcap_SPECIAL_MEMORY_ARRANGE = (1 << 12),
+	othcap_CAN_ACCESS_CORE2 = (1 << 13),
 } other_capabilities_flags;
 
 typedef enum
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index 8240b456..ede105d5 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -102,6 +102,7 @@ void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("UseOtherVariationSaveData",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseOtherVariationSaveData,"UseOtherVariationSaveData",ctx);
 		else if(cmpYamlValue("RunnableOnSleep",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.RunnableOnSleep,"RunnableOnSleep",ctx);
 		else if(cmpYamlValue("SpecialMemoryArrange",ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.SpecialMemoryArrange,"SpecialMemoryArrange",ctx);
+		else if(cmpYamlValue("CanAccessCore2", ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.CanAccessCore2, "CanAccessCore2", ctx);
 		else if(cmpYamlValue("UseExtSaveData", ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.UseExtSaveData, "UseExtSaveData", ctx);
 		else if(cmpYamlValue("EnableL2Cache", ctx)) SetBoolYAMLValue(&rsf->AccessControlInfo.EnableL2Cache, "EnableL2Cache", ctx);
 
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 299f5ef9..a2cacb81 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -86,6 +86,7 @@ typedef struct
 		bool UseOtherVariationSaveData;
 		bool RunnableOnSleep;
 		bool SpecialMemoryArrange;
+		bool CanAccessCore2;
 		bool UseExtSaveData;
 		bool EnableL2Cache;
 

From 0c19bcddb68d349cd5ce6f52572b7dee2dadba92 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 28 Sep 2015 23:05:56 +0800
Subject: [PATCH 093/317] makerom: allow encrypting ncch with test PKI

---
 makerom/keyset.c | 6 ++----
 makerom/ncch.c   | 3 +--
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/makerom/keyset.c b/makerom/keyset.c
index 66ebeff6..a270d38d 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -96,10 +96,8 @@ int LoadKeysFromResources(keys_struct *keys)
 			SetCurrentCommonKey(keys,0);
 	
 		// NCCH
-		keys->aes.normalKey = NULL;
-		keys->aes.systemFixedKey = NULL;
-		//SetNormalKey(keys,zeros_aesKey);
-		//SetSystemFixedKey(keys,(u8*)zeros_aesKey);
+		SetNormalKey(keys,zeros_aesKey);
+		SetSystemFixedKey(keys,zeros_aesKey);
 
 		/* RSA Keys */
 		keys->rsa.isFalseSign = true;		
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 438940bf..0cc87ecf 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -49,8 +49,7 @@ int SignCXI(ncch_hdr *hdr, keys_struct *keys)
 
 int CheckCXISignature(ncch_hdr *hdr, u8 *pubk)
 {
-	int result = RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),pubk,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
-	return result;
+	return RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), pubk, NULL, RSA_2048_SHA256, CTR_RSA_VERIFY);
 }
 
 // NCCH Build Functions

From 0fa36aa7dde14ffe10608504b40b807b736f6877 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 29 Sep 2015 00:08:46 +0800
Subject: [PATCH 094/317] ctrtool: n3ds core 2 access flag detection.

---
 ctrtool/exheader.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index e7fee984..7312f036 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -278,6 +278,7 @@ void exheader_print_arm11kernelcapabilities(exheader_context* ctx)
 			fprintf(stdout, " > Shared device mem:   %s\n", (descriptor&(1<<6))?"YES":"NO");
 			fprintf(stdout, " > Runnable on sleep:   %s\n", (descriptor&(1<<7))?"YES":"NO");
 			fprintf(stdout, " > Special memory:      %s\n", (descriptor&(1<<12))?"YES":"NO");
+			fprintf(stdout, " > Access Core 2:       %s\n", (descriptor&(1<<13))?"YES":"NO");
 			
 
 			switch(memorytype)

From 02e43005f8b9440a3dada6f07f88f4c10b020a5d Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 29 Sep 2015 00:22:42 +0800
Subject: [PATCH 095/317] makerom: fixed romfs little endian dependent code

---
 makerom/romfs.h     |  6 ++----
 makerom/romfs_gen.c | 19 ++++++++-----------
 2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/makerom/romfs.h b/makerom/romfs.h
index 54bc218e..96ec1233 100644
--- a/makerom/romfs.h
+++ b/makerom/romfs.h
@@ -86,18 +86,16 @@ typedef struct
 	
 	fs_dir *fs;
 	
-	u32 *dirHashTable;
+	u8 *dirHashTable;
 	u32 m_dirHashTable;
-	u32 u_dirHashTable;
 	
 	u8 *dirTable;
 	u32 dirNum;
 	u32 m_dirTableLen;
 	u32 u_dirTableLen;
 	
-	u32 *fileHashTable;
+	u8 *fileHashTable;
 	u32 m_fileHashTable;
-	u32 u_fileHashTable;
 	
 	u8 *fileTable;
 	u32 fileNum;
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 9f35c606..552a932f 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -186,10 +186,8 @@ void CalcRomfsSize(romfs_buildctx *ctx)
 	ctx->dirNum = 1; // root dir
 	CalcDirSize(ctx,ctx->fs);
 	
-	ctx->u_dirHashTable = 0;
 	ctx->m_dirHashTable = GetHashTableCount(ctx->dirNum);
 		
-	ctx->u_fileHashTable = 0;
 	ctx->m_fileHashTable = GetHashTableCount(ctx->fileNum);
 	
 	u32 romfsHdrSize = align(sizeof(romfs_infoheader) + ctx->m_dirHashTable*sizeof(u32) + ctx->m_dirTableLen + ctx->m_fileHashTable*sizeof(u32) + ctx->m_fileTableLen,0x10); 
@@ -267,7 +265,7 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	
 	for(int i = 0; i < 4; i++){
 		if(i == 0){
-			ctx->dirHashTable = (u32*)(ctx->level[3].pos + level3_pos);
+			ctx->dirHashTable = ctx->level[3].pos + level3_pos;
 			u32_to_u8(ctx->romfsHdr->section[i].offset,level3_pos,LE);
 			u32_to_u8(ctx->romfsHdr->section[i].size,ctx->m_dirHashTable*sizeof(u32),LE);
 			level3_pos += ctx->m_dirHashTable*sizeof(u32);
@@ -279,7 +277,7 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 			level3_pos += ctx->m_dirTableLen;
 		}
 		else if(i == 2){
-			ctx->fileHashTable = (u32*)(ctx->level[3].pos + level3_pos);
+			ctx->fileHashTable = ctx->level[3].pos + level3_pos;
 			u32_to_u8(ctx->romfsHdr->section[i].offset,level3_pos,LE);
 			u32_to_u8(ctx->romfsHdr->section[i].size,ctx->m_fileHashTable*sizeof(u32),LE);
 			level3_pos += ctx->m_fileHashTable*sizeof(u32);
@@ -300,11 +298,11 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	u32_to_u8(ctx->romfsHdr->dataoffset,align(level3_pos,0x10),LE);
 	
 	for (u32 i = 0; i < ctx->m_dirHashTable; i++) {
-		ctx->dirHashTable[i] = ROMFS_UNUSED_ENTRY;
+		u32_to_u8(ctx->dirHashTable+i*4, ROMFS_UNUSED_ENTRY, LE);
 	}
 
 	for (u32 i = 0; i < ctx->m_fileHashTable; i++) {
-		ctx->fileHashTable[i] = ROMFS_UNUSED_ENTRY;
+		u32_to_u8(ctx->fileHashTable+i*4, ROMFS_UNUSED_ENTRY, LE);
 	}
 }
 
@@ -335,9 +333,8 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 
 	/* Set hash data */
 	u32 hashindex = GetFileHashTableIndex(ctx, parent, file->name);
-	u32_to_u8(entry->hashoffset, ctx->fileHashTable[hashindex], LE);
-	ctx->fileHashTable[hashindex] = ctx->u_fileTableLen;
-	
+	u32_to_u8(entry->hashoffset, u8_to_u32(ctx->fileHashTable + hashindex*4, LE), LE);
+	u32_to_u8(ctx->fileHashTable + hashindex*4, ctx->u_fileTableLen, LE);
 	
 	/* Import data */
 	if(file->size)
@@ -397,8 +394,8 @@ void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 	}
 
 	/* Set hash data */
-	u32_to_u8(entry->hashoffset, ctx->dirHashTable[hashindex], LE);
-	ctx->dirHashTable[hashindex] = offset;
+	u32_to_u8(entry->hashoffset, u8_to_u32(ctx->dirHashTable + hashindex*4, LE), LE);
+	u32_to_u8(ctx->dirHashTable + hashindex*4, offset, LE);
 }
 
 void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)

From 2d30a8583257ba46de1d8cbdaa5b09408b3e23c9 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 29 Sep 2015 01:26:54 +0800
Subject: [PATCH 096/317] ctrtool: fixed fprintf fail

---
 ctrtool/exheader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 7312f036..d35f0bb2 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -637,8 +637,8 @@ void exheader_print(exheader_context* ctx)
 	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
 	fprintf(stdout, "System mode:            %d %s\n", ctx->system_local_caps.old3ds_systemmode, exheader_getvalidstring(ctx->validold3dssystemmode));
 	fprintf(stdout, "System mode (New3DS):   %d %s\n", ctx->system_local_caps.new3ds_systemmode, exheader_getvalidstring(ctx->validnew3dssystemmode));
-	fprintf(stdout, "CPU Speed (New3DS):     %d %s\n", ctx->system_local_caps.new3ds_cpu_speed? "804MHz" : "268MHz", exheader_getvalidstring(ctx->validnew3dscpuspeed));
-	fprintf(stdout, "Enable L2 Cache:        %d %s\n", ctx->system_local_caps.enable_l2_cache ? "YES" : "NO", exheader_getvalidstring(ctx->validnew3dscpuspeed));
+	fprintf(stdout, "CPU Speed (New3DS):     %s %s\n", ctx->system_local_caps.new3ds_cpu_speed? "804MHz" : "268MHz", exheader_getvalidstring(ctx->validnew3dscpuspeed));
+	fprintf(stdout, "Enable L2 Cache:        %s %s\n", ctx->system_local_caps.enable_l2_cache ? "YES" : "NO", exheader_getvalidstring(ctx->validnew3dscpuspeed));
 	fprintf(stdout, "Ideal processor:        %d %s\n", ctx->system_local_caps.ideal_processor, exheader_getvalidstring(ctx->valididealprocessor));
 	fprintf(stdout, "Affinity mask:          %d %s\n", ctx->system_local_caps.affinity_mask, exheader_getvalidstring(ctx->validaffinitymask));
 	fprintf(stdout, "Main thread priority:   %d %s\n", ctx->system_local_caps.priority, exheader_getvalidstring(ctx->validpriority));

From a8635fc601b5d4d7b3f588549d933891686bd65d Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 29 Sep 2015 16:24:44 +0800
Subject: [PATCH 097/317] makerom: fixed linux segfault when using prebuilt
 romfs binaries.

---
 makerom/romfs.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/makerom/romfs.c b/makerom/romfs.c
index 64190c44..9e3956a1 100644
--- a/makerom/romfs.c
+++ b/makerom/romfs.c
@@ -45,8 +45,6 @@ int BuildRomFs(romfs_buildctx *ctx)
 
 void FreeRomFsCtx(romfs_buildctx *ctx)
 {
-	if(ctx->romfsBinary)
-		fclose(ctx->romfsBinary);
 	if(ctx->fs){
 		fs_FreeFiles(ctx->fs);
 		fs_FreeDir(ctx->fs);	

From 7ab299b57f3de03ea23388a113e8bf2db411d60c Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 6 Oct 2015 10:42:28 +0800
Subject: [PATCH 098/317] [makerom] Fixed ELF parsing bug.
 https://github.com/profi200/Project_CTR/pull/2#issuecomment-145699191

---
 makerom/elf.c     | 13 ++++++++++++-
 makerom/elf_hdr.h | 33 +++++++++++++++++++--------------
 2 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index c7306be9..c281a086 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -955,6 +955,8 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 		if (elf->programHeaders[i].sizeInMemory != 0 && elf->programHeaders[i].type == PF_X){
 			InitSegment(&segment);
 
+			printf("new segment\n");
+
 			foundFirstSection = false;
 			size = 0;
 			sizeInMemory = elf->programHeaders[i].sizeInMemory;
@@ -965,10 +967,14 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 				if (IsIgnoreSection(elf->sections[curr]))
 					continue;
 
+
 				if (!foundFirstSection) {
 					if (elf->sections[curr].address != elf->programHeaders[i].virtualAddress)
 						continue;
 
+					printf("first section name: %s (vaddr = 0x%llx, size = 0x%llx)\n", elf->sections[curr].name, elf->sections[curr].address, elf->sections[curr].size);
+
+
 					foundFirstSection = true;
 					segment.vAddr = elf->sections[curr].address;
 					segment.name = elf->sections[curr].name;
@@ -977,6 +983,9 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 					size = elf->sections[curr].size;
 				}
 				else {
+
+					printf("follw section name: %s (vaddr = 0x%llx, size = 0x%llx)\n", elf->sections[curr].name, elf->sections[curr].address, elf->sections[curr].size);
+
 					AddSegmentSection(&segment, &elf->sections[curr]);
 					padding = elf->sections[curr].address - (elf->sections[prev].address + elf->sections[prev].size);
 					size += padding + elf->sections[curr].size;
@@ -1007,5 +1016,7 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 
 bool IsIgnoreSection(elf_section_entry info)
 {
-	return (info.type != SHT_PROGBITS && info.type != SHT_NOBITS && info.type != SHT_INIT_ARRAY && info.type != SHT_FINI_ARRAY);
+	printf("%s:0x%x,0x%x\n", info.name, info.type, info.flags);
+
+	return (info.type != SHT_PROGBITS && info.type != SHT_NOBITS && info.type != SHT_INIT_ARRAY && info.type != SHT_FINI_ARRAY && info.type != SHT_ARM_EXIDX);
 }
diff --git a/makerom/elf_hdr.h b/makerom/elf_hdr.h
index eb6aa897..eac9d64e 100644
--- a/makerom/elf_hdr.h
+++ b/makerom/elf_hdr.h
@@ -79,26 +79,31 @@ typedef struct
 
 /* Legal values for sh_type (section type).  */
 
-#define SHT_NULL	 0		/* Section header table entry unused */
-#define SHT_PROGBITS	 1		/* Program data */
-#define SHT_SYMTAB	 2		/* Symbol table */
-#define SHT_STRTAB	 3		/* String table */
-#define SHT_RELA	 4		/* Relocation entries with addends */
-#define SHT_HASH	 5		/* Symbol hash table */
-#define SHT_DYNAMIC	 6		/* Dynamic linking information */
-#define SHT_NOTE	 7		/* Notes */
-#define SHT_NOBITS	 8		/* Program space with no data (bss) */
-#define SHT_REL		 9		/* Relocation entries, no addends */
-#define SHT_SHLIB	 10		/* Reserved */
-#define SHT_DYNSYM	 11		/* Dynamic linker symbol table */
+#define SHT_NULL			0		/* Section header table entry unused */
+#define SHT_PROGBITS		1		/* Program data */
+#define SHT_SYMTAB			2		/* Symbol table */
+#define SHT_STRTAB			3		/* String table */
+#define SHT_RELA			4		/* Relocation entries with addends */
+#define SHT_HASH			5		/* Symbol hash table */
+#define SHT_DYNAMIC			6		/* Dynamic linking information */
+#define SHT_NOTE			7		/* Notes */
+#define SHT_NOBITS			8		/* Program space with no data (bss) */
+#define SHT_REL				9		/* Relocation entries, no addends */
+#define SHT_SHLIB			10		/* Reserved */
+#define SHT_DYNSYM			11		/* Dynamic linker symbol table */
 #define	SHT_UNKNOWN12		12
 #define	SHT_UNKNOWN13		13
 #define	SHT_INIT_ARRAY		14
 #define	SHT_FINI_ARRAY		15
 #define	SHT_PREINIT_ARRAY	16
-#define	SHT_GROUP		17
+#define	SHT_GROUP			17
 #define	SHT_SYMTAB_SHNDX	18
-#define	SHT_NUM			19
+#define	SHT_NUM				19
+#define SHT_ARM_EXIDX		0x70000001 /* Exception Index table */
+#define SHT_ARM_PREEMPTMAP	0x70000002 /* BPABI DLL dynamic linking pre-emption map*/
+#define SHT_ARM_ATTRIBUTES	0x70000003 /* Object file compatibility attributes */
+#define SHT_ARM_DEBUGOVERLAY	0x70000004
+#define SHT_ARM_OVERLAYSECTION	0x70000005
 
 #define	SHF_WRITE		0x01		/* sh_flags */
 #define	SHF_ALLOC		0x02

From ea695ba66acf66b5f194328b3d15041cd51c75c5 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 6 Oct 2015 10:55:59 +0800
Subject: [PATCH 099/317] [makerom] Removed debug code.

---
 makerom/elf.c | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index c281a086..17168e29 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -955,8 +955,6 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 		if (elf->programHeaders[i].sizeInMemory != 0 && elf->programHeaders[i].type == PF_X){
 			InitSegment(&segment);
 
-			printf("new segment\n");
-
 			foundFirstSection = false;
 			size = 0;
 			sizeInMemory = elf->programHeaders[i].sizeInMemory;
@@ -972,9 +970,6 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 					if (elf->sections[curr].address != elf->programHeaders[i].virtualAddress)
 						continue;
 
-					printf("first section name: %s (vaddr = 0x%llx, size = 0x%llx)\n", elf->sections[curr].name, elf->sections[curr].address, elf->sections[curr].size);
-
-
 					foundFirstSection = true;
 					segment.vAddr = elf->sections[curr].address;
 					segment.name = elf->sections[curr].name;
@@ -983,9 +978,6 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 					size = elf->sections[curr].size;
 				}
 				else {
-
-					printf("follw section name: %s (vaddr = 0x%llx, size = 0x%llx)\n", elf->sections[curr].name, elf->sections[curr].address, elf->sections[curr].size);
-
 					AddSegmentSection(&segment, &elf->sections[curr]);
 					padding = elf->sections[curr].address - (elf->sections[prev].address + elf->sections[prev].size);
 					size += padding + elf->sections[curr].size;
@@ -1016,7 +1008,5 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 
 bool IsIgnoreSection(elf_section_entry info)
 {
-	printf("%s:0x%x,0x%x\n", info.name, info.type, info.flags);
-
 	return (info.type != SHT_PROGBITS && info.type != SHT_NOBITS && info.type != SHT_INIT_ARRAY && info.type != SHT_FINI_ARRAY && info.type != SHT_ARM_EXIDX);
 }

From 954c0cf1260f014e673ac52c0618014fc03591b2 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Wed, 7 Oct 2015 20:23:36 +0800
Subject: [PATCH 100/317] [makerom/ctrtool] Made SystemMode(Ext) more
 meaningful.

---
 ctrtool/exheader.c | 39 +++++++++++++++++++++++++++++++++++++--
 ctrtool/exheader.h | 17 +++++++++++++++++
 makerom/exheader.c | 38 ++++++++++++++++++++++++++++++--------
 makerom/exheader.h | 17 +++++++++++++++++
 4 files changed, 101 insertions(+), 10 deletions(-)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index d35f0bb2..a7e16b16 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -583,6 +583,41 @@ const char* exheader_getvalidstring(int valid)
 		return "(FAIL)";
 }
 
+const char* exheader_getsystemmodestring(u8 systemmode)
+{
+	switch (systemmode)
+	{
+	case (sysmode_64MB) :
+		return "64MB";
+	case (sysmode_96MB) :
+		return "96MB";
+	case (sysmode_80MB) :
+		return "80MB";
+	case (sysmode_72MB) :
+		return "72MB";
+	case (sysmode_32MB) :
+		return "32MB";
+	default:
+		return "Unknown";
+	}
+}
+
+const char* exheader_getsystemmodeextstring(u8 systemmodeext, u8 systemmode)
+{
+	switch (systemmodeext)
+	{
+	case (sysmode_ext_LEGACY) :
+		return exheader_getsystemmodestring(systemmode);
+	case (sysmode_ext_124MB) :
+		return "124MB";
+	case (sysmode_ext_178MB) :
+		return "178MB";
+	default:
+		return "124MB";
+	}
+}
+
+
 void exheader_print(exheader_context* ctx)
 {
 	u32 i;
@@ -635,8 +670,8 @@ void exheader_print(exheader_context* ctx)
 
 	fprintf(stdout, "Program id:             %016"PRIx64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
 	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
-	fprintf(stdout, "System mode:            %d %s\n", ctx->system_local_caps.old3ds_systemmode, exheader_getvalidstring(ctx->validold3dssystemmode));
-	fprintf(stdout, "System mode (New3DS):   %d %s\n", ctx->system_local_caps.new3ds_systemmode, exheader_getvalidstring(ctx->validnew3dssystemmode));
+	fprintf(stdout, "System mode:            %s %s\n", exheader_getsystemmodestring(ctx->system_local_caps.old3ds_systemmode), exheader_getvalidstring(ctx->validold3dssystemmode));
+	fprintf(stdout, "System mode (New3DS):   %s %s\n", exheader_getsystemmodeextstring(ctx->system_local_caps.new3ds_systemmode, ctx->system_local_caps.old3ds_systemmode), exheader_getvalidstring(ctx->validnew3dssystemmode));
 	fprintf(stdout, "CPU Speed (New3DS):     %s %s\n", ctx->system_local_caps.new3ds_cpu_speed? "804MHz" : "268MHz", exheader_getvalidstring(ctx->validnew3dscpuspeed));
 	fprintf(stdout, "Enable L2 Cache:        %s %s\n", ctx->system_local_caps.enable_l2_cache ? "YES" : "NO", exheader_getvalidstring(ctx->validnew3dscpuspeed));
 	fprintf(stdout, "Ideal processor:        %d %s\n", ctx->system_local_caps.ideal_processor, exheader_getvalidstring(ctx->valididealprocessor));
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index f0ac02c5..feffa2ce 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -6,6 +6,23 @@
 #include "ctr.h"
 #include "settings.h"
 
+typedef enum
+{
+	sysmode_64MB,
+	sysmode_UNK,
+	sysmode_96MB,
+	sysmode_80MB,
+	sysmode_72MB,
+	sysmode_32MB,
+} exheader_systemmode;
+
+typedef enum
+{
+	sysmode_ext_LEGACY,
+	sysmode_ext_124MB,
+	sysmode_ext_178MB,
+} exheader_systemmodeext;
+
 typedef struct
 {
 	u8 reserved[5];
diff --git a/makerom/exheader.c b/makerom/exheader.c
index 3a9f5f63..d994c1ec 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -334,14 +334,21 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 		arm11->flag[0] |= cpuspeed_268MHz << 1;
 
 	/* Flag[1] (SystemModeExt) */
-	u8 systemModeExt = 0;
 	if (rsf->AccessControlInfo.SystemModeExt) {
-		systemModeExt = strtol(rsf->AccessControlInfo.SystemModeExt, NULL, 0);
-		if (systemModeExt > 15) {
-			fprintf(stderr, "[EXHEADER ERROR] Unexpected SystemModeExt: 0x%x. Expected range: 0x0 - 0xf\n", systemModeExt);
+		if (strcasecmp(rsf->AccessControlInfo.SystemModeExt, "Legacy") == 0)
+			arm11->flag[1] = sysmode_ext_LEGACY;
+		else if (strcasecmp(rsf->AccessControlInfo.SystemModeExt, "124MB") == 0)
+			arm11->flag[1] = sysmode_ext_124MB;
+		else if (strcasecmp(rsf->AccessControlInfo.SystemModeExt, "178MB") == 0)
+			arm11->flag[1] = sysmode_ext_178MB;
+		
+		else {
+			fprintf(stderr, "[EXHEADER ERROR] Unexpected SystemModeExt: %s\n", rsf->AccessControlInfo.SystemModeExt);
 			return EXHDR_BAD_RSF_OPT;
 		}
-		arm11->flag[1] = systemModeExt & 0xf;
+	} 
+	else {
+		arm11->flag[1] = sysmode_ext_LEGACY;
 	}
 
 	/* Flag[2] */
@@ -364,12 +371,27 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 		}
 	}
 	if(rsf->AccessControlInfo.SystemMode){
-		systemMode = strtol(rsf->AccessControlInfo.SystemMode,NULL,0);
-		if(systemMode > 15){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected SystemMode: 0x%x. Expected range: 0x0 - 0xf\n",systemMode);
+		if (strcasecmp(rsf->AccessControlInfo.SystemMode, "64MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "prod") == 0)
+			systemMode = sysmode_64MB;
+		//else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "UNK") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "null") == 0)
+		//	systemMode = sysmode_UNK;
+		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "96MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev1") == 0)
+			systemMode = sysmode_96MB;
+		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "80MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev2") == 0)
+			systemMode = sysmode_80MB;
+		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "72MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev3") == 0)
+			systemMode = sysmode_72MB;
+		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "32MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev4") == 0)
+			systemMode = sysmode_32MB;
+
+		else {
+			fprintf(stderr, "[EXHEADER ERROR] Unexpected SystemMode: %s\n", rsf->AccessControlInfo.SystemMode);
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}
+	else {
+		systemMode = sysmode_64MB;
+	}
 	arm11->flag[2] = (u8)(systemMode << 4 | affinityMask << 2 | idealProcessor);
 
 	/* flag[3] (Thread Priority) */
diff --git a/makerom/exheader.h b/makerom/exheader.h
index d9cfd616..8d91e564 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -6,6 +6,23 @@ typedef enum
 	infoflag_SD_APPLICATION = 2,
 } system_info_flags;
 
+typedef enum
+{
+	sysmode_64MB, // prod
+	sysmode_UNK, // null
+	sysmode_96MB, // dev1
+	sysmode_80MB, // dev2
+	sysmode_72MB, // dev3
+	sysmode_32MB, // dev4
+} system_mode;
+
+typedef enum
+{
+	sysmode_ext_LEGACY,
+	sysmode_ext_124MB, // snake Prod
+	sysmode_ext_178MB, // snake Dev1
+} system_mode_ext;
+
 typedef enum
 {
 	memtype_APPLICATION = 1,

From d5f0d2c096cf5b13e212e98150b31b5dc3065007 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 9 Oct 2015 21:35:27 +0800
Subject: [PATCH 101/317] [makerom] RSF key: "ExeFs" & "PlainRegion" (and
 childs), are no longer needed.

---
 makerom/elf.c           | 203 ++++++++++++++--------------------------
 makerom/elf_hdr.h       |   1 +
 makerom/rsf_settings.c  |  59 ------------
 makerom/user_settings.h |  12 ---
 4 files changed, 73 insertions(+), 202 deletions(-)

diff --git a/makerom/elf.c b/makerom/elf.c
index 17168e29..aae35399 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -5,6 +5,8 @@
 #include "elf.h"
 #include "blz.h"
 
+const char *SDK_PLAINREGION_SEGMENT_NAME = ".module_id";
+
 int ImportPlainRegionFromFile(ncch_settings *set);
 int ImportExeFsCodeBinaryFromFile(ncch_settings *set);
 
@@ -14,9 +16,7 @@ u32 SizeToPage(u32 memorySize, elf_context *elf);
 int GetBSSFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set);
 int ImportPlainRegionFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set);
 int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set);
-int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, char **names, u32 nameNum);
-elf_segment** GetContinuousSegments(u16 *ContinuousSegmentNum, elf_context *elf, char **names, u32 nameNum);
-elf_segment** GetSegments(u16 *SegmentNum, elf_context *elf, char **names, u32 nameNum);
+int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, u64 segment_flags);
 
 // ELF Functions
 int GetElfContext(elf_context *elf, u8 *elfFile);
@@ -234,39 +234,28 @@ int GetBSSFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set)
 
 int ImportPlainRegionFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set) // Doesn't work same as N makerom
 {
-	if(!set->rsfSet->PlainRegionNum) return 0;
-	u16 *index = calloc(set->rsfSet->PlainRegionNum,sizeof(u16));
-
-	/* Getting index Values for each section */
-	for(int i = 0; i < set->rsfSet->PlainRegionNum; i++){
-		index[i] = GetElfSectionIndexFromName(set->rsfSet->PlainRegion[i],elf,elfFile);
-	}
-
-	// Eliminating Duplicated Sections
-	for(int i = set->rsfSet->PlainRegionNum - 1; i >= 0; i--){
-		for(int j = i-1; j >= 0; j--){
-			if(index[i] == index[j]) index[i] = 0;
+	u64 size = 0;
+	u64 offset = 0;
+	for (u16 i = 0; i < elf->activeSegments; i++) {
+		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0) {
+			size = elf->segments[i].header->sizeInFile;
+			offset = elf->segments[i].header->offsetInFile;
+			break;
 		}
 	}
-
-	/* Calculating Total Size of Data */
-	u64 totalSize = 0;
-	for(int i = 0; i < set->rsfSet->PlainRegionNum; i++){
-		totalSize += elf->sections[index[i]].size;
-	}
 	
-	/* Creating Output Buffer */
-	set->sections.plainRegion.size = align(totalSize,set->options.blockSize);
-	set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
-	if(!set->sections.plainRegion.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
-	memset(set->sections.plainRegion.buffer,0,set->sections.plainRegion.size);
+	
+	if (size > 0) {
+		/* Creating Output Buffer */
+		set->sections.plainRegion.size = align(size, set->options.blockSize);
+		set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
+		if (!set->sections.plainRegion.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
+		memset(set->sections.plainRegion.buffer, 0, set->sections.plainRegion.size);
 
-	/* Storing Sections */
-	u64 pos = 0;
-	for(int i = 0; i < set->rsfSet->PlainRegionNum; i++){
-		memcpy((set->sections.plainRegion.buffer+pos),elf->sections[index[i]].ptr,elf->sections[index[i]].size);
-		pos += elf->sections[index[i]].size;
+		/* Copy Plain Region */
+		memcpy(set->sections.plainRegion.buffer, elfFile+offset, size);
 	}
+
 	return 0;
 }
 
@@ -280,11 +269,11 @@ int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set)
 	code_segment rwdata;
 	memset(&rwdata,0,sizeof(code_segment));
 
-	int result = CreateCodeSegmentFromElf(&text,elf,elfFile,set->rsfSet->ExeFs.Text,set->rsfSet->ExeFs.TextNum);
+	int result = CreateCodeSegmentFromElf(&text,elf,elfFile,(PF_R|PF_X));
 	if(result) return result;
-	result = CreateCodeSegmentFromElf(&rodata,elf,elfFile,set->rsfSet->ExeFs.ReadOnly,set->rsfSet->ExeFs.ReadOnlyNum);
+	result = CreateCodeSegmentFromElf(&rodata,elf,elfFile,(PF_R));
 	if(result) return result;
-	result = CreateCodeSegmentFromElf(&rwdata,elf,elfFile,set->rsfSet->ExeFs.ReadWrite,set->rsfSet->ExeFs.ReadWriteNum);
+	result = CreateCodeSegmentFromElf(&rwdata,elf,elfFile,(PF_R | PF_W));
 	if(result) return result;
 
 	/* Checking the existence of essential ELF Segments */
@@ -336,131 +325,81 @@ int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set)
 	return 0;
 }
 
-int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, char **names, u32 nameNum)
+int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, u64 segment_flags)
 {
-	u16 ContinuousSegmentNum = 0;
-	memset(out,0,sizeof(code_segment));
-	elf_segment **ContinuousSegments = GetContinuousSegments(&ContinuousSegmentNum,elf,names,nameNum);
-	if (ContinuousSegments == NULL){
-		if(!ContinuousSegmentNum){// Nothing Was Found
-			//printf("Nothing was found\n");
-			return 0;
+	memset(out, 0, sizeof(code_segment));
+
+	u16 seg_num = 0;
+	elf_segment **seg = calloc(elf->activeSegments, sizeof(elf_segment*));
+
+	for (u16 i = 0; i < elf->activeSegments; i++) {
+		// Skip SDK ELF plain region
+		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0)
+			continue;
+
+		//printf("SegName: %s (flags: %x)\n", elf->segments[i].name, elf->segments[i].header->flags);
+		if ((elf->segments[i].header->flags & ~PF_CTRSDK) == segment_flags) {
+			if (seg_num == 0) {
+				seg[seg_num] = &elf->segments[i];
+				seg_num++;
+			}
+			else if (elf->segments[i].vAddr == (u32)align(seg[seg_num - 1]->vAddr, seg[seg_num-1]->header->alignment)) {
+				seg[seg_num] = &elf->segments[i];
+				seg_num++;
+			}
 		}
-		else // Error with found segments
-			return ELF_SEGMENTS_NOT_CONTINUOUS;
 	}
-	
+
+	/* Return if there are no applicable segment */
+	if (seg_num == 0)
+		return 0;
+
 	/* Getting Segment Size/Settings */
 	u32 vAddr = 0;
 	u32 memorySize = 0;
-	for(int i = 0; i < ContinuousSegmentNum; i++){
-		if (i==0){
-			vAddr = ContinuousSegments[i]->vAddr;
+	for (u16 i = 0; i < seg_num; i++) {
+		if (i == 0) {
+			vAddr = seg[i]->vAddr;
 		}
-		else{ // Add rounded size from previous segment
-			u32 padding = ContinuousSegments[i]->vAddr - (vAddr + memorySize);
+		else { // Add rounded size from previous segment
+			u32 padding = seg[i]->vAddr - (vAddr + memorySize);
 			memorySize += padding;
 		}
 
-		memorySize += ContinuousSegments[i]->header->sizeInMemory;
+		memorySize += seg[i]->header->sizeInMemory;
 
-		if(IsBss(&ContinuousSegments[i]->sections[ContinuousSegments[i]->sectionNum-1]))
-			memorySize -= ContinuousSegments[i]->sections[ContinuousSegments[i]->sectionNum-1].size;
+		if (IsBss(&seg[i]->sections[seg[i]->sectionNum - 1]))
+			memorySize -= seg[i]->sections[seg[i]->sectionNum - 1].size;
 	}
-	
+
 	// For Check
 #ifdef DEBUG
-	printf("Address: 0x%x\n",vAddr);
-	printf("Size:    0x%x\n",memorySize);
+	printf("Address: 0x%x\n", vAddr);
+	printf("Size:    0x%x\n", memorySize);
 #endif
 
 	out->address = vAddr;
 	out->size = memorySize;
-	out->maxPageNum = SizeToPage(memorySize,elf);
+	out->maxPageNum = SizeToPage(memorySize, elf);
 	out->data = malloc(memorySize);
-	
+
 	/* Writing Segment to Buffer */
-	//vAddr = 0;
-	//memorySize = 0;
-	for(int i = 0; i < ContinuousSegmentNum; i++){
-		/*
-		if (i==0)
-			vAddr = ContinuousSegments[i]->vAddr;
+	for (int i = 0; i < seg_num; i++) {
 		
-		else{
-			u32 num = ContinuousSegments[i]->vAddr - (vAddr + memorySize);
-			memorySize += num;
-		}
-		*/
-		//u32 size = 0;
-		for (int j = 0; j < ContinuousSegments[i]->sectionNum; j++){
-			elf_section_entry *section = &ContinuousSegments[i]->sections[j];
-			if (!IsBss(section)){				
-				u8 *pos = (out->data + (section->address - ContinuousSegments[i]->vAddr));
-				memcpy(pos,section->ptr,section->size);
+		for (int j = 0; j < seg[i]->sectionNum; j++) {
+			elf_section_entry *section = &seg[i]->sections[j];
+			if (!IsBss(section)) {
+				u8 *pos = (out->data + (section->address - seg[i]->vAddr));
+				memcpy(pos, section->ptr, section->size);
 				//size += section->size;
 			}
-
-			//else if (j == (ContinuousSegments[i]->sectionNum-1))
-				//memorySize -= section->size;
-			//'else
-				//size += section->size;
 		}
 	}
 
-	free(ContinuousSegments);
+	free(seg);
 	return 0;
 }
 
-
-elf_segment** GetContinuousSegments(u16 *ContinuousSegmentNum, elf_context *elf, char **names, u32 nameNum)
-{
-	u16 SegmentNum = 0;
-	elf_segment **Segments = GetSegments(&SegmentNum, elf, names, nameNum);
-	if (Segments == NULL || SegmentNum == 0){ // No Segments for the names were found
-		//printf("Not Found Segment\n");
-		return NULL;
-	}
-
-	if (SegmentNum == 1){ //Return as there is no need to check
-		*ContinuousSegmentNum = SegmentNum;
-		return Segments;
-	}
-
-	u32 vAddr = Segments[0]->vAddr + Segments[0]->header->sizeInMemory;
-	for (int i = 1; i < SegmentNum; i++){
-		if (Segments[i]->vAddr != (u32)align(vAddr,Segments[i]->header->alignment)){ //Each Segment must start after each other
-			fprintf(stderr,"[ELF ERROR] %s segment and %s segment are not continuous\n", Segments[i]->name, Segments[i - 1]->name);
-			free(Segments);
-			*ContinuousSegmentNum = 0xffff; // Signify to function that an error occured
-			return NULL;
-		}
-	}
-	*ContinuousSegmentNum = SegmentNum;
-	return Segments;
-}
-
-
-elf_segment** GetSegments(u16 *SegmentNum, elf_context *elf, char **names, u32 nameNum)
-{
-	if (names == NULL)
-	{
-		return NULL;
-	}
-
-	elf_segment **Segments = calloc(nameNum,sizeof(elf_segment*)); 
-	*SegmentNum = 0; // There can be a max of nameNum Segments, however, they might not all exist
-	for (int i = 0; i < nameNum; i++){
-		for(int j = 0; j < elf->activeSegments; j++){
-			if(strcmp(names[i],elf->segments[j].name) == 0){ // If there is a match, store Segment data pointer & increment index
-				Segments[*SegmentNum] = &elf->segments[j];
-				*SegmentNum = *SegmentNum + 1;
-			}
-		}
-	}
-	return Segments;
-}
-
 // ELF Functions
 
 int GetElfContext(elf_context *elf, u8 *elfFile)
@@ -547,9 +486,11 @@ void PrintElfContext(elf_context *elf, u8 *elfFile)
 		printf(" Segment [%d][%s]\n",i,elf->segments[i].name);
 		printf(" > Size :     0x%"PRIx64"\n",elf->segments[i].header->sizeInFile);
 		printf(" > Address :  0x%"PRIx64"\n",elf->segments[i].vAddr);
+		printf(" > Flags:     0x%"PRIx64"\n", elf->segments[i].header->flags);
+		printf(" > Type:      0x%"PRIx64"\n", elf->segments[i].header->type);
 		printf(" > Sections : %d\n",elf->segments[i].sectionNum);  
 		for(int j = 0; j < elf->segments[i].sectionNum; j++)
-			printf("    > Section [%d][%s]\n",j,elf->segments[i].sections[j].name);
+			printf("    > Section [%d][%s][0x%"PRIx64"][0x%"PRIx64"]\n",j,elf->segments[i].sections[j].name, elf->segments[i].sections[j].flags, elf->segments[i].sections[j].type);
 		
 		/*
 		char outpath[100];
diff --git a/makerom/elf_hdr.h b/makerom/elf_hdr.h
index eac9d64e..4fb772d7 100644
--- a/makerom/elf_hdr.h
+++ b/makerom/elf_hdr.h
@@ -161,6 +161,7 @@ typedef struct
 #define PT_LOPROC	0x70000000	/* Start of processor-specific */
 #define PT_HIPROC	0x7fffffff	/* End of processor-specific */
 
+#define PF_CTRSDK	0x80000000
 #define	PF_R		0x4		/* p_flags */
 #define	PF_W		0x2
 #define	PF_X		0x1
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index ede105d5..66fcc0f2 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -5,8 +5,6 @@ void GET_AccessControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_SystemControlInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_BasicInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_RomFs(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_ExeFs(ctr_yaml_context *ctx, rsf_settings *rsf);
-void GET_PlainRegion(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_TitleInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_CardInfo(ctr_yaml_context *ctx, rsf_settings *rsf);
 void GET_CommonHeaderKey(ctr_yaml_context *ctx, rsf_settings *rsf);
@@ -23,8 +21,6 @@ void EvaluateRSF(rsf_settings *rsf, ctr_yaml_context *ctx)
 	else if(cmpYamlValue("SystemControlInfo",ctx)) {FinishEvent(ctx); GET_SystemControlInfo(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("BasicInfo",ctx)) {FinishEvent(ctx); GET_BasicInfo(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("RomFs",ctx)) {FinishEvent(ctx); GET_RomFs(ctx,rsf); goto GET_NextGroup;}
-	else if(cmpYamlValue("ExeFs",ctx)) {FinishEvent(ctx); GET_ExeFs(ctx,rsf); goto GET_NextGroup;}
-	else if(cmpYamlValue("PlainRegion",ctx)) {FinishEvent(ctx); GET_PlainRegion(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("TitleInfo",ctx)) {FinishEvent(ctx); GET_TitleInfo(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("CardInfo",ctx)) {FinishEvent(ctx); GET_CardInfo(ctx,rsf); goto GET_NextGroup;}
 	else if(cmpYamlValue("CommonHeaderKey",ctx)) {FinishEvent(ctx); GET_CommonHeaderKey(ctx,rsf); goto GET_NextGroup;}
@@ -240,39 +236,6 @@ void GET_RomFs(ctr_yaml_context *ctx, rsf_settings *rsf)
 	FinishEvent(ctx);
 }
 
-void GET_ExeFs(ctr_yaml_context *ctx, rsf_settings *rsf)
-{
-	/* Checking That Group is in a map */
-	if(!CheckMappingEvent(ctx)) return;
-	u32 InitLevel = ctx->Level;
-	/* Checking each child */
-	GetEvent(ctx);
-	while(ctx->Level == InitLevel){
-		if(ctx->error || ctx->done) return;
-		// Handle childs
-		
-		if(cmpYamlValue("Text",ctx)) rsf->ExeFs.TextNum = SetYAMLSequence(&rsf->ExeFs.Text,"Text",ctx);
-		else if(cmpYamlValue("ReadOnly",ctx)) rsf->ExeFs.ReadOnlyNum = SetYAMLSequence(&rsf->ExeFs.ReadOnly,"ReadOnly",ctx);
-		else if(cmpYamlValue("ReadWrite",ctx)) rsf->ExeFs.ReadWriteNum = SetYAMLSequence(&rsf->ExeFs.ReadWrite,"ReadWrite",ctx);
-		
-		else{
-			fprintf(stderr,"[RSF ERROR] Unrecognised key '%s'\n",GetYamlString(ctx));
-			ctx->error = YAML_UNKNOWN_KEY;
-			FinishEvent(ctx);
-			return;
-		}
-		// Finish event start next
-		FinishEvent(ctx);
-		GetEvent(ctx);
-	}
-	FinishEvent(ctx);
-}
-
-void GET_PlainRegion(ctr_yaml_context *ctx, rsf_settings *rsf)
-{
-	rsf->PlainRegionNum = SetYAMLSequence(&rsf->PlainRegion,"PlainRegion",ctx);
-}
-
 void GET_TitleInfo(ctr_yaml_context *ctx, rsf_settings *rsf)
 {
 	/* Checking That Group is in a map */
@@ -487,28 +450,6 @@ void free_RsfSettings(rsf_settings *set)
 	}
 	free(set->RomFs.File);
 	
-	//ExeFs
-	for(u32 i = 0; i < set->ExeFs.TextNum; i++){
-		free(set->ExeFs.Text[i]);
-	}
-	free(set->ExeFs.Text);
-	
-	for(u32 i = 0; i < set->ExeFs.ReadOnlyNum; i++){
-		free(set->ExeFs.ReadOnly[i]);
-	}
-	free(set->ExeFs.ReadOnly);
-	
-	for(u32 i = 0; i < set->ExeFs.ReadWriteNum; i++){
-		free(set->ExeFs.ReadWrite[i]);
-	}
-	free(set->ExeFs.ReadWrite);
-	
-	//PlainRegion
-	for(u32 i = 0; i < set->PlainRegionNum; i++){
-		free(set->PlainRegion[i]);
-	}
-	free(set->PlainRegion);
-	
 	//TitleInfo
 	free(set->TitleInfo.Platform);
 	free(set->TitleInfo.Category);
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index a2cacb81..6e18c986 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -169,18 +169,6 @@ typedef struct
 		char **File;
 	} RomFs;
 	
-	struct{
-		u32 TextNum;
-		char **Text;
-		u32 ReadOnlyNum;
-		char **ReadOnly;
-		u32 ReadWriteNum;
-		char **ReadWrite;
-	} ExeFs;
-	
-	u32 PlainRegionNum;
-	char **PlainRegion;
-	
 	struct{
 		// Strings
 		char *Platform;

From aa694f20f9ef3d940b581d6a6619127b7d9b77ff Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 9 Oct 2015 21:35:54 +0800
Subject: [PATCH 102/317] [makerom] Relaxed RSF requirements.

---
 makerom/exheader.c | 16 +++++-----------
 makerom/ncch.c     | 12 ++++++++----
 makerom/titleid.c  |  8 ++++----
 3 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index d994c1ec..a52fa42a 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -4,6 +4,7 @@
 #include "accessdesc.h"
 #include "titleid.h"
 
+const char *DEFAULT_EXHEADER_NAME = "CtrApp";
 
 /* Prototypes */
 void free_ExHeaderSettings(exheader_settings *exhdrset);
@@ -189,17 +190,10 @@ int get_ExHeaderSettingsFromRsf(exheader_settings *exhdrset)
 int get_ExHeaderCodeSetInfo(exhdr_CodeSetInfo *CodeSetInfo, rsf_settings *rsf)
 {
 	/* Name */
-	if(rsf->BasicInfo.Title){
-		//if(strlen(rsf->BasicInfo.Title) > 8){
-		//	fprintf(stderr,"[EXHEADER ERROR] Parameter Too Long \"BasicInfo/Title\"\n");
-		//	return EXHDR_BAD_RSF_OPT;
-		//}
-		strncpy((char*)CodeSetInfo->name,rsf->BasicInfo.Title,8);
-	}
-	else{
-		ErrorParamNotFound("BasicInfo/Title");
-		return EXHDR_BAD_RSF_OPT;
-	}
+	if (rsf->BasicInfo.Title)
+		strncpy((char*)CodeSetInfo->name, rsf->BasicInfo.Title, 8);
+	else
+		strncpy((char*)CodeSetInfo->name, DEFAULT_EXHEADER_NAME, 8);
 	
 	/* Stack Size */
 	if(rsf->SystemControlInfo.StackSize)
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 0cc87ecf..4a8d00e3 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -12,6 +12,8 @@
 #include "ncch_logo.h" // Contains Logos
 
 const u32 NCCH_BLOCK_SIZE = 0x200;
+const char *DEFAULT_PRODUCT_CODE = "CTR-P-CTAP";
+const char *DEFAULT_MAKER_CODE = "00";
 
 // Private Prototypes
 int SignCFA(ncch_hdr *hdr, keys_struct *keys);
@@ -591,18 +593,20 @@ int SetCommonHeaderBasicData(ncch_settings *set, ncch_hdr *hdr)
 			fprintf(stderr,"[NCCH ERROR] Invalid Product Code\n");
 			return NCCH_BAD_RSF_SET;
 		}
-		memcpy(hdr->productCode,set->rsfSet->BasicInfo.ProductCode,strlen((char*)set->rsfSet->BasicInfo.ProductCode));
+		strncpy((char*)hdr->productCode,set->rsfSet->BasicInfo.ProductCode, 16);
 	}
-	else memcpy(hdr->productCode,"CTR-P-CTAP",10);
+	else
+		strncpy((char*)hdr->productCode, DEFAULT_PRODUCT_CODE, 16);
 
 	if(set->rsfSet->BasicInfo.CompanyCode){
 		if(strlen((char*)set->rsfSet->BasicInfo.CompanyCode) != 2){
 			fprintf(stderr,"[NCCH ERROR] CompanyCode length must be 2\n");
 			return NCCH_BAD_RSF_SET;
 		}
-		memcpy(hdr->makerCode,set->rsfSet->BasicInfo.CompanyCode,2);
+		strncpy((char*)hdr->makerCode, set->rsfSet->BasicInfo.CompanyCode, 2);
 	}
-	else memcpy(hdr->makerCode,"00",2);
+	else
+		strncpy((char*)hdr->makerCode, DEFAULT_MAKER_CODE, 2);
 
 	// Setting Encryption Settings
 	if(!set->options.Encrypt)
diff --git a/makerom/titleid.c b/makerom/titleid.c
index b9045341..9bf82174 100644
--- a/makerom/titleid.c
+++ b/makerom/titleid.c
@@ -2,6 +2,8 @@
 #include "ncch_read.h"
 #include "titleid.h"
 
+const u32 DEFAULT_UNIQUE_ID = 0xff3ff;
+
 void SetPIDType(u16 *type);
 int SetPIDCategoryFromName(u16 *cat, char *CategoryStr);
 int SetPIDCategoryFromFlags(u16 *cat, char **CategoryFlags, u32 FlagNum);
@@ -52,10 +54,8 @@ int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 	// Getting UniqueId
 	if(rsf->TitleInfo.UniqueId) 
 		GetUniqueID(&uniqueId,rsf);
-	else{
-		fprintf(stderr,"[ID ERROR] ParameterNotFound: \"TitleInfo/UniqueId\"\n");
-		return PID_BAD_RSF_SET;
-	}
+	else
+		uniqueId = DEFAULT_UNIQUE_ID;
 
 	// Getting Variation
 	if(SetTitleVariation(&variation,category,rsf) == PID_INVALID_VARIATION)

From 0e6a981b72de6baf036355f7c40a244fbaed9d3e Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 9 Oct 2015 21:40:35 +0800
Subject: [PATCH 103/317] [ctrtool] NCCH MakerCode is now displayed as a
 string.

---
 ctrtool/ncch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 07f8755d..5de61cef 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -575,7 +575,7 @@ void ncch_print(ncch_context* ctx)
 		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);
 	fprintf(stdout, "Content size:           0x%08x\n", getle32(header->contentsize)*mediaunitsize);
 	fprintf(stdout, "Partition id:           %016"PRIx64"\n", getle64(header->partitionid));
-	fprintf(stdout, "Maker code:             %04x\n", getle16(header->makercode));
+	fprintf(stdout, "Maker code:             %.2s\n", header->makercode);
 	fprintf(stdout, "Version:                %04x\n", getle16(header->version));
 	fprintf(stdout, "Title seed check:       %08x\n", getle32(header->seedcheck));
 	fprintf(stdout, "Program id:             %016"PRIx64"\n", getle64(header->programid));

From 2e2f1b09f7c13957a155e94016bc0dbbd328bce4 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 12 Oct 2015 09:28:41 +0800
Subject: [PATCH 104/317] [makerom] Fixed CpuSpeed typo.

---
 makerom/exheader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index a52fa42a..0d4b0bf0 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -315,7 +315,7 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 	arm11->flag[0] |= rsf->AccessControlInfo.EnableL2Cache;
 
 	if (rsf->AccessControlInfo.CpuSpeed) {
-		if(strcasecmp(rsf->AccessControlInfo.CpuSpeed, "256mhz") == 0)
+		if(strcasecmp(rsf->AccessControlInfo.CpuSpeed, "268mhz") == 0)
 			arm11->flag[0] |= cpuspeed_268MHz << 1;
 		else if(strcasecmp(rsf->AccessControlInfo.CpuSpeed, "804mhz") == 0)
 			arm11->flag[0] |= cpuspeed_804MHz << 1;

From 2444715bc2c60f02ffda79c355bca94bec6c706e Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Tue, 20 Oct 2015 16:26:57 +0200
Subject: [PATCH 105/317] Fixed static linking of ctrtool & added a few more
 gcc flags.

---
 ctrtool/Makefile | 4 ++--
 makerom/Makefile | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index f1a4e603..599ec8b8 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -1,9 +1,9 @@
 OBJS = keyset.o main.o ctr.o ncsd.o cia.o tik.o tmd.o filepath.o lzss.o exheader.o exefs.o ncch.o utils.o settings.o firm.o cwav.o stream.o romfs.o ivfc.o
 POLAR_OBJS = polarssl/aes.o polarssl/bignum.o polarssl/rsa.o polarssl/sha2.o
 TINYXML_OBJS = tinyxml/tinystr.o tinyxml/tinyxml.o tinyxml/tinyxmlerror.o tinyxml/tinyxmlparser.o
-LIBS = -static-libstdc++
+LIBS = -static-libgcc -static-libstdc++
 CXXFLAGS = -I. 
-CFLAGS = -Wall -Wno-unused-variable -Wno-unused-but-set-variable -I.
+CFLAGS = -Wall -O2 -flto -static -Wno-unused-variable -Wno-unused-but-set-variable -I.
 OUTPUT = ctrtool
 CC = gcc
 
diff --git a/makerom/Makefile b/makerom/Makefile
index ef47794a..741a3f11 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 # Compiler Settings
 LIBS = -static-libgcc
 CXXFLAGS = -I.
-CFLAGS = --std=c99 -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. -DMAKEROM_VER_MAJOR=$(VER_MAJOR) -DMAKEROM_VER_MINOR=$(VER_MINOR) $(MAKEROM_BUILD_FLAGS) -m64
+CFLAGS = --std=c99 -Wall -O2 -flto -static -Wno-unused-but-set-variable -Wno-unused-value -I. -DMAKEROM_VER_MAJOR=$(VER_MAJOR) -DMAKEROM_VER_MINOR=$(VER_MINOR) $(MAKEROM_BUILD_FLAGS) -m64
 CC = gcc
  
 # MAKEROM Build Settings
@@ -22,4 +22,4 @@ build: $(OBJS)
 	g++ -o $(OUTPUT) $(LIBS) $(OBJS) -m64
 
 clean:
-	rm -rf $(OUTPUT) $(OBJS) *.cci *.cia *.cxi *.cfa
\ No newline at end of file
+	rm -rf $(OUTPUT) $(OBJS) *.cci *.cia *.cxi *.cfa

From 1e8a0a23919824615097ab1c1baaf126c799c436 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 22 Oct 2015 01:08:13 +0800
Subject: [PATCH 106/317] [ctrtool] Corrected array size.

---
 ctrtool/exheader.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index feffa2ce..63bb1690 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -100,7 +100,7 @@ typedef struct
 	u64 extdata_id;
 	u32 other_user_saveid[3];
 	u8 use_other_variation_savedata;
-	u32 accessible_saveid[3];
+	u32 accessible_saveid[6];
 	u32 system_saveid[2];
 	u64 accessinfo;
 

From 4dba06b3be508fe5518939af5da165fedb69e2e3 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 22 Oct 2015 01:09:00 +0800
Subject: [PATCH 107/317] [ctrtool] Made makefile consistent with makerom.

---
 ctrtool/Makefile | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 599ec8b8..165afc5e 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -1,15 +1,17 @@
-OBJS = keyset.o main.o ctr.o ncsd.o cia.o tik.o tmd.o filepath.o lzss.o exheader.o exefs.o ncch.o utils.o settings.o firm.o cwav.o stream.o romfs.o ivfc.o
-POLAR_OBJS = polarssl/aes.o polarssl/bignum.o polarssl/rsa.o polarssl/sha2.o
-TINYXML_OBJS = tinyxml/tinystr.o tinyxml/tinyxml.o tinyxml/tinyxmlerror.o tinyxml/tinyxmlparser.o
+# Sources
+SRC_DIR = . polarssl tinyxml
+OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c))) $(foreach dir,$(SRC_DIR),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp)))
+
+# Compiler Settings
 LIBS = -static-libgcc -static-libstdc++
 CXXFLAGS = -I. 
-CFLAGS = -Wall -O2 -flto -static -Wno-unused-variable -Wno-unused-but-set-variable -I.
+CFLAGS = -O2 -flto -Wall -Wno-unused-variable -Wno-unused-but-set-variable -I.
 OUTPUT = ctrtool
 CC = gcc
+CXX = g++
 
-main: $(OBJS) $(POLAR_OBJS) $(TINYXML_OBJS)
-	g++ -o $(OUTPUT) $(LIBS) $(OBJS) $(POLAR_OBJS) $(TINYXML_OBJS)
-
+main: $(OBJS)
+	$(CXX) -o $(OUTPUT) $(LIBS) $(OBJS)
 
 clean:
-	rm -rf $(OUTPUT) $(OBJS) $(POLAR_OBJS) $(TINYXML_OBJS)
+	rm -rf $(OUTPUT) $(OBJS)

From dd9538b0969cdae99a6290ce4a9181349ccaad76 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 22 Oct 2015 01:30:33 +0800
Subject: [PATCH 108/317] [makerom] Fixed "self referencing problems" work
 around.

---
 makerom/dir.c       | 22 +++++++++-------------
 makerom/dir.h       | 24 ++++++++++++------------
 makerom/romfs_gen.c |  4 ++--
 3 files changed, 23 insertions(+), 27 deletions(-)

diff --git a/makerom/dir.c b/makerom/dir.c
index f44a397d..46580a79 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -2,7 +2,8 @@
 #include "dir.h"
 #include "utf.h"
 
-/* This is mainly a FS interface for ROMFS generation */
+/* This is the FS interface for ROMFS generation */
+/* Tested working on Windows/Linux/OSX */
 int fs_InitDir(u16 *path, u32 pathlen, fs_dir *dir);
 int fs_ManageDirSlot(fs_dir *dir);
 int fs_ManageFileSlot(fs_dir *dir);
@@ -13,7 +14,7 @@ bool fs_EntryIsDirNav(fs_entry *entry);
 int fs_AddDir(fs_entry *entry, fs_dir *dir);
 int fs_AddFile(fs_entry *entry, fs_dir *dir);
 
-int fs_u16StrLen(fs_romfs_char *str)
+int fs_RomFsStrLen(fs_romfs_char *str)
 {
 	int i;
 	for( i = 0; str[i] != 0x0; i++ );
@@ -159,8 +160,7 @@ int fs_AddDir(fs_entry *entry, fs_dir *dir)
 	fs_ManageDirSlot(dir);
 	u32 current_slot = dir->u_dir;
 	dir->u_dir++;
-	fs_dir *tmp = (fs_dir*)dir->dir;
-	return fs_OpenDir(entry->fs_name,entry->name,entry->name_len,&tmp[current_slot]);
+	return fs_OpenDir(entry->fs_name,entry->name,entry->name_len,&dir->dir[current_slot]);
 }
 
 int fs_AddFile(fs_entry *entry, fs_dir *dir)
@@ -288,9 +288,8 @@ void fs_PrintDir(fs_dir *dir, u32 depth) // This is just for simple debugging, p
 	}
 	if(dir->u_dir)
 	{
-		fs_dir *tmp = (fs_dir*)dir->dir;
 		for(u32 i = 0; i < dir->u_dir; i++)
-			fs_PrintDir(&tmp[i],depth+1);
+			fs_PrintDir(&dir->dir[i],depth+1);
 	}
 }
 
@@ -305,13 +304,11 @@ void fs_FreeDir(fs_dir *dir)
 	free(dir->file);
 	
 	
-	fs_dir *tmp = (fs_dir*)dir->dir;
-	//printf("free dir names\n");
+	//printf("free dir names and\n");
 	for(u32 i = 0; i < dir->u_dir; i++)
 	{	
-		//wprintf(L"freeing: %s\n",tmp[i].name);
-		free(tmp[i].name);
-		fs_FreeDir(&tmp[i]);
+		free(dir->dir[i].name);
+		fs_FreeDir(&dir->dir[i]);
 	}
 	//printf("free dir struct\n");
 	free(dir->dir);
@@ -326,7 +323,6 @@ void fs_FreeFiles(fs_dir *dir)
 			fclose(dir->file[i].fp);
 	}
 	
-	fs_dir *tmp = (fs_dir*)dir->dir;
 	for(u32 i = 0; i < dir->u_dir; i++)
-		fs_FreeFiles(&tmp[i]);
+		fs_FreeFiles(&dir->dir[i]);
 }
\ No newline at end of file
diff --git a/makerom/dir.h b/makerom/dir.h
index c6e16f6b..1279b362 100644
--- a/makerom/dir.h
+++ b/makerom/dir.h
@@ -21,7 +21,7 @@
 #endif
 	
 
-typedef struct
+struct fs_entry
 {
 	bool IsDir;
 	fs_char *fs_name;
@@ -29,35 +29,35 @@ typedef struct
 	u32 name_len;
 	u64 size;
 	FILE *fp;
-} fs_entry;
+};
 
-typedef struct
+struct fs_file
 {
 	fs_romfs_char *name;
 	u32 name_len;
 	u64 size;
 	FILE *fp;
-} fs_file;
+};
 
-typedef struct
+struct fs_dir
 {
 	fs_romfs_char *name;
 	u32 name_len;
 	
-	void *dir; // treated as type 'fs_dir'. This officially type 'void' to prevent self referencing problems
+	struct fs_dir *dir;
 	u32 m_dir;
 	u32 u_dir;
 	
-	fs_file *file;
+	struct fs_file *file;
 	u32 m_file;
 	u32 u_file;
-} fs_dir;
+};
 
+typedef struct fs_entry fs_entry;
+typedef struct fs_file fs_file;
+typedef struct fs_dir fs_dir;
 
-int fs_u8String_to_u16String(u16 **dst, u32 *dst_len, u8 *src, u32 src_len);
-int fs_u16String_to_u16String(u16 **dst, u32 *dst_len, u16 *src, u32 src_len);
-int fs_u32String_to_u16String(u16 **dst, u32 *dst_len, u32 *src, u32 src_len);
-int fs_u16StrLen(fs_romfs_char *str);
+int fs_RomFsStrLen(fs_romfs_char *str);
 
 int fs_OpenDir(fs_char *fs_path, fs_romfs_char *path, u32 pathlen, fs_dir *dir);
 void fs_PrintDir(fs_dir *dir, u32 depth);
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 552a932f..dc86a716 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -308,13 +308,13 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 
 u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, fs_romfs_char *path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, fs_u16StrLen(path));
+	u32 hash = CalcPathHash(parent, path, 0, fs_RomFsStrLen(path));
 	return hash % ctx->m_fileHashTable;
 }
 
 u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, fs_romfs_char* path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, fs_u16StrLen(path));
+	u32 hash = CalcPathHash(parent, path, 0, fs_RomFsStrLen(path));
 	return hash % ctx->m_dirHashTable;
 }
 

From d7d45411babed772b1a78f5085d47f7999a870bb Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 22 Oct 2015 01:35:53 +0800
Subject: [PATCH 109/317] [makerom/ctrtool] Updated usage text. (now with build
 datestamp)

---
 ctrtool/main.c          |   5 +-
 makerom/Makefile        |   9 +-
 makerom/user_settings.c | 727 +++++++++++++++++++++-------------------
 3 files changed, 383 insertions(+), 358 deletions(-)

diff --git a/ctrtool/main.c b/ctrtool/main.c
index 98671ab4..dabd615e 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -38,9 +38,10 @@ typedef struct
 static void usage(const char *argv0)
 {
 	fprintf(stderr,
-		   "Usage: %s [options...] <file>\n"
 		   "CTRTOOL (c) neimod, 3DSGuy.\n"
+		   "Built: %s %s\n"
            "\n"
+		   "Usage: %s [options...] <file>\n"
            "Options:\n"
            "  -i, --info         Show file info.\n"
 		   "                          This is the default action.\n"
@@ -86,7 +87,7 @@ static void usage(const char *argv0)
 		   "  --romfsdir=dir     Specify RomFS directory path.\n"
 		   "  --listromfs        List files in RomFS.\n"
            "\n",
-		   argv0);
+		   __TIME__, __DATE__, argv0);
    exit(1);
 }
 
diff --git a/makerom/Makefile b/makerom/Makefile
index 741a3f11..e68a81c4 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -5,13 +5,12 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 # Compiler Settings
 LIBS = -static-libgcc
 CXXFLAGS = -I.
-CFLAGS = --std=c99 -Wall -O2 -flto -static -Wno-unused-but-set-variable -Wno-unused-value -I. -DMAKEROM_VER_MAJOR=$(VER_MAJOR) -DMAKEROM_VER_MINOR=$(VER_MINOR) $(MAKEROM_BUILD_FLAGS) -m64
+CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. $(MAKEROM_BUILD_FLAGS)
 CC = gcc
- 
+CXX = g++
+
 # MAKEROM Build Settings
 MAKEROM_BUILD_FLAGS = #-DDEBUG
-VER_MAJOR = 0
-VER_MINOR = 14
 OUTPUT = makerom
 
 main: build
@@ -19,7 +18,7 @@ main: build
 rebuild: clean build
 
 build: $(OBJS)
-	g++ -o $(OUTPUT) $(LIBS) $(OBJS) -m64
+	$(CXX) -o $(OUTPUT) $(LIBS) $(OBJS)
 
 clean:
 	rm -rf $(OUTPUT) $(OBJS) *.cci *.cia *.cxi *.cfa
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 792611a3..7477b821 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -2,6 +2,7 @@
 
 // Private Prototypes
 void DisplayHelp(char *app_name);
+void DisplayExtendedHelp(char *app_name);
 void SetDefaults(user_settings *set);
 int SetArgument(int argc, int i, char *argv[], user_settings *set);
 int CheckArgumentCombination(user_settings *set);
@@ -12,72 +13,76 @@ void PrintNoNeedParam(char *arg);
 
 int ParseArgs(int argc, char *argv[], user_settings *set)
 {
-	if(argv == NULL || set == NULL)
+	if (argv == NULL || set == NULL)
 		return USR_PTR_PASS_FAIL;
-		
-	if(argc < 2){
+
+	if (argc < 2) {
 		DisplayHelp(argv[0]);
 		return USR_HELP;
 	}
-		
+
 	// Detecting Help Requried
-	for(int i = 1; i < argc; i++){
-		if(strcmp(argv[i],"-help") == 0){
+	for (int i = 1; i < argc; i++) {
+		if (strcmp(argv[i], "-help") == 0) {
 			DisplayHelp(argv[0]);
 			return USR_HELP;
 		}
+		else if (strcmp(argv[i], "-exthelp") == 0) {
+			DisplayExtendedHelp(argv[0]);
+			return USR_HELP;
+		}
 	}
-	
+
 	// Allocating Memory for Content Path Ptrs
-	set->common.contentPath = calloc(CIA_MAX_CONTENT,sizeof(char*));
-	if(set->common.contentPath == NULL){
-		fprintf(stderr,"[SETTING ERROR] Not Enough Memory\n");
+	set->common.contentPath = calloc(CIA_MAX_CONTENT, sizeof(char*));
+	if (set->common.contentPath == NULL) {
+		fprintf(stderr, "[SETTING ERROR] Not Enough Memory\n");
 		return USR_MEM_ERROR;
 	}
-	
+
 	// Initialise Keys
 	InitKeys(&set->common.keys);
 
 	// Setting Defaults
 	SetDefaults(set);
-	
+
 	// Parsing Arguments
 	int set_result;
 	int i = 1;
-	while(i < argc){
-		set_result = SetArgument(argc,i,argv,set);
-		if(set_result < 1){
-			fprintf(stderr,"[RESULT] Invalid arguments, see '%s -help'\n",argv[0]);
+	while (i < argc) {
+		set_result = SetArgument(argc, i, argv, set);
+		if (set_result < 1) {
+			fprintf(stderr, "[RESULT] Invalid arguments, see '%s -help'\n", argv[0]);
 			return set_result;
 		}
 		i += set_result;
 	}
-	
+
 	// Checking arguments
-	if((set_result = CheckArgumentCombination(set)) != 0) 
+	if ((set_result = CheckArgumentCombination(set)) != 0)
 		return set_result;
-	
+
 	// Setting Keys
-	if((set_result = SetKeys(&set->common.keys)) != 0) 
+	if ((set_result = SetKeys(&set->common.keys)) != 0)
 		return set_result;
 
 	// Generating outpath if required
-	if(!set->common.outFileName){
+	if (!set->common.outFileName) {
 		char *source_path = NULL;
-		if(set->ncch.buildNcch0) 
+		if (set->ncch.buildNcch0)
 			source_path = set->common.rsfPath;
-		else if(set->common.workingFileType == infile_ncsd || set->common.workingFileType == infile_cia || set->common.workingFileType == infile_srl) 
+		else if (set->common.workingFileType == infile_ncsd || set->common.workingFileType == infile_cia || set->common.workingFileType == infile_srl)
 			source_path = set->common.workingFilePath;
-		else 
+		else
 			source_path = set->common.contentPath[0];
 		u16 outfile_len = strlen(source_path) + 0x10;
-		set->common.outFileName = calloc(outfile_len,sizeof(char));
-		if(!set->common.outFileName){
-			fprintf(stderr,"[SETTING ERROR] Not Enough Memory\n");
+		set->common.outFileName = calloc(outfile_len, sizeof(char));
+		if (!set->common.outFileName) {
+			fprintf(stderr, "[SETTING ERROR] Not Enough Memory\n");
 			return USR_MEM_ERROR;
 		}
 		set->common.outFileName_mallocd = true;
-		append_filextention(set->common.outFileName,outfile_len,source_path,(char*)&output_extention[set->common.outFormat-1]);
+		append_filextention(set->common.outFileName, outfile_len, source_path, (char*)&output_extention[set->common.outFormat - 1]);
 	}
 	return 0;
 }
@@ -96,7 +101,7 @@ void SetDefaults(user_settings *set)
 	set->ncch.ncchType = format_not_set;
 
 	// RSF Settings
-	clrmem(&set->common.rsfSet,sizeof(rsf_settings));
+	clrmem(&set->common.rsfSet, sizeof(rsf_settings));
 	set->common.rsfSet.Option.EnableCompress = true;
 	set->common.rsfSet.Option.EnableCrypt = true;
 	set->common.rsfSet.Option.UseOnSD = false;
@@ -116,53 +121,53 @@ void SetDefaults(user_settings *set)
 	set->cia.titleVersion[VER_MAJOR] = MAX_U16; // invalid so changes can be detected
 	set->cia.randomTitleKey = false;
 	set->common.keys.aes.currentCommonKey = MAX_U8 + 1; // invalid so changes can be detected
-	for(int i = 0; i < CIA_MAX_CONTENT; i++)
+	for (int i = 0; i < CIA_MAX_CONTENT; i++)
 		set->cia.contentId[i] = MAX_U32 + 1; // invalid so changes can be detected
 }
 
 int SetArgument(int argc, int i, char *argv[], user_settings *set)
 {
 	u16 ParamNum = 0;
-	for(int j = i+1; j < argc && argv[j][0] != '-'; j++)
+	for (int j = i + 1; j < argc && argv[j][0] != '-'; j++)
 		ParamNum++;
 
 	// Global Settings
-	if(strcmp(argv[i],"-rsf") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	if (strcmp(argv[i], "-rsf") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->common.rsfPath = argv[i+1];
+		set->common.rsfPath = argv[i + 1];
 		return 2;
 	}
-	else if(strcmp(argv[i],"-f") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-f") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		if(strcasecmp(argv[i+1],"ncch") == 0 || strcasecmp(argv[i+1],"cxi") == 0 || strcasecmp(argv[i+1],"cfa") == 0) 
+		if (strcasecmp(argv[i + 1], "ncch") == 0 || strcasecmp(argv[i + 1], "cxi") == 0 || strcasecmp(argv[i + 1], "cfa") == 0)
 			set->common.outFormat = NCCH;
-		else if(strcasecmp(argv[i+1],"cci") == 0)
+		else if (strcasecmp(argv[i + 1], "cci") == 0)
 			set->common.outFormat = CCI;
-		else if(strcasecmp(argv[i+1],"cia") == 0)
+		else if (strcasecmp(argv[i + 1], "cia") == 0)
 			set->common.outFormat = CIA;
 		else {
-			fprintf(stderr,"[SETTING ERROR] Invalid output format '%s'\n",argv[i+1]);
+			fprintf(stderr, "[SETTING ERROR] Invalid output format '%s'\n", argv[i + 1]);
 			return USR_BAD_ARG;
-		}		
+		}
 		return 2;
 	}
-	else if(strcmp(argv[i],"-o") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-o") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->common.outFileName = argv[i+1];
+		set->common.outFileName = argv[i + 1];
 		set->common.outFileName_mallocd = false;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-v") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-v") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
@@ -170,64 +175,64 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		return 1;
 	}
 	// Key Options
-	else if(strcmp(argv[i],"-target") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-target") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		if(strcasecmp(argv[i+1],"test") == 0 || strcasecmp(argv[i+1],"t") == 0)
+		if (strcasecmp(argv[i + 1], "test") == 0 || strcasecmp(argv[i + 1], "t") == 0)
 			set->common.keys.keyset = pki_TEST;
 		//else if(strcasecmp(argv[i+1],"beta") == 0 || strcasecmp(argv[i+1],"b") == 0)
 		//	set->common.keys.keyset = pki_BETA;
-		else if(strcasecmp(argv[i+1],"debug") == 0 || strcasecmp(argv[i+1],"development") == 0 || strcasecmp(argv[i+1],"d") == 0)
+		else if (strcasecmp(argv[i + 1], "debug") == 0 || strcasecmp(argv[i + 1], "development") == 0 || strcasecmp(argv[i + 1], "d") == 0)
 			set->common.keys.keyset = pki_DEVELOPMENT;
-		else if(strcasecmp(argv[i+1],"retail") == 0 || strcasecmp(argv[i+1],"production") == 0 || strcasecmp(argv[i+1],"p") == 0)
+		else if (strcasecmp(argv[i + 1], "retail") == 0 || strcasecmp(argv[i + 1], "production") == 0 || strcasecmp(argv[i + 1], "p") == 0)
 			set->common.keys.keyset = pki_PRODUCTION;
 		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0)
 		//	set->common.keys.keyset = pki_CUSTOM;
-		else{
-			fprintf(stderr,"[SETTING ERROR] Unrecognised target '%s'\n",argv[i+1]);
+		else {
+			fprintf(stderr, "[SETTING ERROR] Unrecognised target '%s'\n", argv[i + 1]);
 			return USR_BAD_ARG;
 		}
 		return 2;
 	}
-	else if(strcmp(argv[i],"-ckeyid") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-ckeyid") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->common.keys.aes.currentCommonKey = strtol(argv[i+1],NULL,0);
-		if(set->common.keys.aes.currentCommonKey > MAX_CMN_KEY)
+		set->common.keys.aes.currentCommonKey = strtol(argv[i + 1], NULL, 0);
+		if (set->common.keys.aes.currentCommonKey > MAX_CMN_KEY)
 		{
-			fprintf(stderr,"[SETTING ERROR] Invalid Common Key Index: 0x%x\n",set->common.keys.aes.currentCommonKey);
+			fprintf(stderr, "[SETTING ERROR] Invalid Common Key Index: 0x%x\n", set->common.keys.aes.currentCommonKey);
 			return USR_BAD_ARG;
 		}
 		return 2;
 	}
-	else if(strcmp(argv[i],"-ncchseckey") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-ncchseckey") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.useSecCrypto = true;
-		set->ncch.keyXID = strtol(argv[i+1],NULL,0);
-		if(set->ncch.keyXID > MAX_NCCH_KEYX)
+		set->ncch.keyXID = strtol(argv[i + 1], NULL, 0);
+		if (set->ncch.keyXID > MAX_NCCH_KEYX)
 		{
-			fprintf(stderr,"[SETTING ERROR] Invalid NCCH KeyX Index: 0x%x\n",set->ncch.keyXID);
+			fprintf(stderr, "[SETTING ERROR] Invalid NCCH KeyX Index: 0x%x\n", set->ncch.keyXID);
 			return USR_BAD_ARG;
 		}
 		return 2;
 	}
-	else if(strcmp(argv[i],"-showkeys") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-showkeys") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->common.keys.dumpkeys = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-fsign") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-fsign") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
@@ -236,110 +241,110 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 
 	// Ncch Options
-	else if(strcmp(argv[i],"-elf") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-elf") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.elfPath = argv[i+1];
+		set->ncch.elfPath = argv[i + 1];
 		set->ncch.ncchType |= CXI;
 		return 2;
 	}
-	
-	else if(strcmp(argv[i],"-icon") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+
+	else if (strcmp(argv[i], "-icon") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.iconPath = argv[i+1];
+		set->ncch.iconPath = argv[i + 1];
 		set->ncch.ncchType |= CFA;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-banner") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-banner") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.bannerPath = argv[i+1];
+		set->ncch.bannerPath = argv[i + 1];
 		set->ncch.ncchType |= CFA;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-logo") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-logo") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.logoPath = argv[i+1];
+		set->ncch.logoPath = argv[i + 1];
 		set->ncch.ncchType |= CFA;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-desc") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-desc") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		char *tmp = argv[i+1];
-		char *tmp2 = strstr(tmp,":");
-		if(!tmp2){
-			fprintf(stderr,"[SETTING ERROR] Bad argument '%s %s', correct format:\n",argv[i],argv[i+1]);
-			fprintf(stderr,"	-desc <APP TYPE>:<TARGET FIRMWARE>\n");
+		char *tmp = argv[i + 1];
+		char *tmp2 = strstr(tmp, ":");
+		if (!tmp2) {
+			fprintf(stderr, "[SETTING ERROR] Bad argument '%s %s', correct format:\n", argv[i], argv[i + 1]);
+			fprintf(stderr, "	-desc <APP TYPE>:<TARGET FIRMWARE>\n");
 		}
-		if(strlen(tmp2) < 2){
-			fprintf(stderr,"[SETTING ERROR] Bad argument '%s %s', correct format:\n",argv[i],argv[i+1]);
-			fprintf(stderr,"	-desc <APP TYPE>:<TARGET FIRMWARE>\n");
+		if (strlen(tmp2) < 2) {
+			fprintf(stderr, "[SETTING ERROR] Bad argument '%s %s', correct format:\n", argv[i], argv[i + 1]);
+			fprintf(stderr, "	-desc <APP TYPE>:<TARGET FIRMWARE>\n");
 		}
 
-		u32 app_type_len = (u32)(tmp2-tmp);
-		char *app_type = calloc(app_type_len+1,sizeof(char));
-		memcpy(app_type,tmp,app_type_len);
+		u32 app_type_len = (u32)(tmp2 - tmp);
+		char *app_type = calloc(app_type_len + 1, sizeof(char));
+		memcpy(app_type, tmp, app_type_len);
 
-		if(strcasecmp(app_type,"App") == 0 || strcasecmp(app_type,"SDApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_APP;
-		else if(strcasecmp(app_type,"ECApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_EC_APP;
-		else if(strcasecmp(app_type,"Demo") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DEMO;
-		else if(strcasecmp(app_type,"DlpChild") == 0 || strcasecmp(app_type,"Dlp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DLP;
-		else if(strcasecmp(app_type,"FIRM") == 0) set->common.keys.accessDescSign.presetType = desc_preset_FIRM;
-		else{
-			fprintf(stderr,"[SETTING ERROR] Accessdesc AppType preset '%s' not valid, please manually configure RSF\n",app_type);
+		if (strcasecmp(app_type, "App") == 0 || strcasecmp(app_type, "SDApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_APP;
+		else if (strcasecmp(app_type, "ECApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_EC_APP;
+		else if (strcasecmp(app_type, "Demo") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DEMO;
+		else if (strcasecmp(app_type, "DlpChild") == 0 || strcasecmp(app_type, "Dlp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DLP;
+		else if (strcasecmp(app_type, "FIRM") == 0) set->common.keys.accessDescSign.presetType = desc_preset_FIRM;
+		else {
+			fprintf(stderr, "[SETTING ERROR] Accessdesc AppType preset '%s' not valid, please manually configure RSF\n", app_type);
 			return USR_BAD_ARG;
 		}
 
 
-		char *target_firmware = (tmp2+1);
-		set->common.keys.accessDescSign.targetFirmware = strtoul(target_firmware,NULL,0);
-		switch(set->common.keys.accessDescSign.targetFirmware){
-			case 1: 
-				set->common.keys.accessDescSign.targetFirmware = 0x1B; // or 0x1C
-				break;
-			case 2: 
-				set->common.keys.accessDescSign.targetFirmware = 0x1D; // or 0x1E/0x1F
-				break;
-			case 3: 
-				set->common.keys.accessDescSign.targetFirmware = 0x20;
-				break;
-			case 4: 
-				set->common.keys.accessDescSign.targetFirmware = 0x21; // or 0x22
-				break;
-			case 5: 
-				set->common.keys.accessDescSign.targetFirmware = 0x23; // or 0x24
-				break;
-			case 6: 
-				set->common.keys.accessDescSign.targetFirmware = 0x25; // or 0x26
-				break;
-			case 7: 
-				set->common.keys.accessDescSign.targetFirmware = 0x27; // or 0x28
-				break;
-			case 8: 
-				set->common.keys.accessDescSign.targetFirmware = 0x2C;
-				break;
-			default:
-				break;
-		}
-		
+		char *target_firmware = (tmp2 + 1);
+		set->common.keys.accessDescSign.targetFirmware = strtoul(target_firmware, NULL, 0);
+		switch (set->common.keys.accessDescSign.targetFirmware) {
+		case 1:
+			set->common.keys.accessDescSign.targetFirmware = 0x1B; // or 0x1C
+			break;
+		case 2:
+			set->common.keys.accessDescSign.targetFirmware = 0x1D; // or 0x1E/0x1F
+			break;
+		case 3:
+			set->common.keys.accessDescSign.targetFirmware = 0x20;
+			break;
+		case 4:
+			set->common.keys.accessDescSign.targetFirmware = 0x21; // or 0x22
+			break;
+		case 5:
+			set->common.keys.accessDescSign.targetFirmware = 0x23; // or 0x24
+			break;
+		case 6:
+			set->common.keys.accessDescSign.targetFirmware = 0x25; // or 0x26
+			break;
+		case 7:
+			set->common.keys.accessDescSign.targetFirmware = 0x27; // or 0x28
+			break;
+		case 8:
+			set->common.keys.accessDescSign.targetFirmware = 0x2C;
+			break;
+		default:
+			break;
+		}
+
 		set->ncch.ncchType |= CXI;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-exefslogo") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-exefslogo") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
@@ -349,438 +354,427 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 
 	// Ncch Rebuild Options
-	else if(strcmp(argv[i],"-code") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-code") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.codePath = argv[i+1];
+		set->ncch.codePath = argv[i + 1];
 		set->ncch.ncchType |= CXI;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-exheader") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-exheader") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.exheaderPath = argv[i+1];
+		set->ncch.exheaderPath = argv[i + 1];
 		set->ncch.ncchType |= CXI;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-plainrgn") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-plainrgn") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.plainRegionPath = argv[i+1];
+		set->ncch.plainRegionPath = argv[i + 1];
 		set->ncch.ncchType |= CXI;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-romfs") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-romfs") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->ncch.romfsPath = argv[i+1];
+		set->ncch.romfsPath = argv[i + 1];
 		set->ncch.ncchType |= CFA;
 		return 2;
 	}
 	// Cci Options
-	else if(strcmp(argv[i],"-devcci") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-devcci") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cci.useSDKStockData = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-nomodtid") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-nomodtid") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cci.dontModifyNcchTitleID = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-alignwr") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-alignwr") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cci.closeAlignWritableRegion = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-cverinfo") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-cverinfo") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_BAD_ARG;
 		}
-		char *pos = strstr(argv[i+1],":");
-		if(!pos || strlen(pos) < 2){
-			fprintf(stderr,"[SETTING ERROR] Bad argument '%s %s', correct format:\n",argv[i],argv[i+1]);
-			fprintf(stderr,"	%s <DATA PATH>:<'cia'/'tmd'>\n",argv[i]);
+		char *pos = strstr(argv[i + 1], ":");
+		if (!pos || strlen(pos) < 2) {
+			fprintf(stderr, "[SETTING ERROR] Bad argument '%s %s', correct format:\n", argv[i], argv[i + 1]);
+			fprintf(stderr, "	%s <DATA PATH>:<'cia'/'tmd'>\n", argv[i]);
 			return USR_BAD_ARG;
 		}
-		
+
 		char *dtype = pos + 1;
-		if(strcasecmp(dtype,"tmd") == 0)
+		if (strcasecmp(dtype, "tmd") == 0)
 			set->cci.cverDataType = CVER_DTYPE_TMD;
-		else if(strcasecmp(dtype,"cia") == 0)
+		else if (strcasecmp(dtype, "cia") == 0)
 			set->cci.cverDataType = CVER_DTYPE_CIA;
-		else{
-			fprintf(stderr,"[SETTING ERROR] Unrecognised cver data type:\"%s\"\n",dtype);
+		else {
+			fprintf(stderr, "[SETTING ERROR] Unrecognised cver data type:\"%s\"\n", dtype);
 			return USR_BAD_ARG;
 		}
-		
-		u32 path_len = (pos-argv[i+1])+1;
-		set->cci.cverDataPath = calloc(path_len,sizeof(char));
-		strncpy(set->cci.cverDataPath,argv[i+1],path_len-1);
-		
-		if(!AssertFile(set->cci.cverDataPath)){
-			fprintf(stderr,"[SETTING ERROR] Failed to open '%s'\n",set->cci.cverDataPath);
+
+		u32 path_len = (pos - argv[i + 1]) + 1;
+		set->cci.cverDataPath = calloc(path_len, sizeof(char));
+		strncpy(set->cci.cverDataPath, argv[i + 1], path_len - 1);
+
+		if (!AssertFile(set->cci.cverDataPath)) {
+			fprintf(stderr, "[SETTING ERROR] Failed to open '%s'\n", set->cci.cverDataPath);
 			return USR_BAD_ARG;
 		}
-		
+
 		return 2;
 	}
 
 	// Cia Options
-	else if(strcmp(argv[i],"-major") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-major") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
-		u32 ver = strtoul(argv[i+1],NULL,10);
-		if(ver > VER_MAJOR_MAX){
-			fprintf(stderr,"[SETTING ERROR] Major version: '%d' is too large, max: '%d'\n",ver,VER_MAJOR_MAX);
+		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		if (ver > VER_MAJOR_MAX) {
+			fprintf(stderr, "[SETTING ERROR] Major version: '%d' is too large, max: '%d'\n", ver, VER_MAJOR_MAX);
 			return USR_BAD_ARG;
 		}
 		set->cia.titleVersion[VER_MAJOR] = ver;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-minor") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-minor") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
-		u32 ver = strtoul(argv[i+1],NULL,10);
-		if(ver > VER_MINOR_MAX){
-			fprintf(stderr,"[SETTING ERROR] Minor version: '%d' is too large, max: '%d'\n",ver,VER_MINOR_MAX);
+		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		if (ver > VER_MINOR_MAX) {
+			fprintf(stderr, "[SETTING ERROR] Minor version: '%d' is too large, max: '%d'\n", ver, VER_MINOR_MAX);
 			return USR_BAD_ARG;
 		}
 		set->cia.titleVersion[VER_MINOR] = ver;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-micro") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-micro") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		u32 ver = strtoul(argv[i+1],NULL,10);
-		if(ver > VER_MICRO_MAX){
-			fprintf(stderr,"[SETTING ERROR] Micro version: '%d' is too large, max: '%d'\n",ver,VER_MICRO_MAX);
+		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		if (ver > VER_MICRO_MAX) {
+			fprintf(stderr, "[SETTING ERROR] Micro version: '%d' is too large, max: '%d'\n", ver, VER_MICRO_MAX);
 			return USR_BAD_ARG;
 		}
 		set->cia.titleVersion[VER_MICRO] = ver;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-dver") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-dver") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useDataTitleVer = true;
-		u32 ver = strtoul(argv[i+1],NULL,10);
-		if(ver > VER_DVER_MAX){
-			fprintf(stderr,"[SETTING ERROR] Data version: '%d' is too large, max: '%d'\n",ver,VER_DVER_MAX);
+		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		if (ver > VER_DVER_MAX) {
+			fprintf(stderr, "[SETTING ERROR] Data version: '%d' is too large, max: '%d'\n", ver, VER_DVER_MAX);
 			return USR_BAD_ARG;
 		}
 		set->cia.titleVersion[VER_MAJOR] = (ver >> 6) & VER_MAJOR_MAX;
 		set->cia.titleVersion[VER_MINOR] = ver & VER_MINOR_MAX;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-deviceid") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-deviceid") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->cia.deviceId = strtoul(argv[i+1],NULL,16);
+		set->cia.deviceId = strtoul(argv[i + 1], NULL, 16);
 		return 2;
 	}
-	else if(strcmp(argv[i],"-esaccid") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-esaccid") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		set->cia.eshopAccId = strtoul(argv[i+1],NULL,16);
+		set->cia.eshopAccId = strtoul(argv[i + 1], NULL, 16);
 		return 2;
 	}
-	else if(strcmp(argv[i],"-rand") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-rand") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cia.randomTitleKey = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-dlc") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-dlc") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cia.DlcContent = true;
 		return 1;
 	}
-	else if(strcmp(argv[i],"-srl") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-srl") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.buildNcch0 = false;
 		set->common.workingFileType = infile_srl;
-		set->common.workingFilePath = argv[i+1];
+		set->common.workingFilePath = argv[i + 1];
 		set->common.outFormat = CIA;
 		return 2;
 
 	}
 
 	// Ncch Container Conversion
-	else if(strcmp(argv[i],"-ccitocia") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-ccitocia") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.buildNcch0 = false;
 		set->common.workingFileType = infile_ncsd;
-		set->common.workingFilePath = argv[i+1];
+		set->common.workingFilePath = argv[i + 1];
 		set->common.outFormat = CIA;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-ciatocci") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-ciatocci") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->ncch.buildNcch0 = false;
 		set->common.workingFileType = infile_cia;
-		set->common.workingFilePath = argv[i+1];
+		set->common.workingFilePath = argv[i + 1];
 		set->common.outFormat = CCI;
 		return 2;
 	}
-	else if(strcmp(argv[i],"-inclupd") == 0){
-		if(ParamNum){
+	else if (strcmp(argv[i], "-inclupd") == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
 		set->cia.includeUpdateNcch = true;
 		return 1;
 	}
-	
+
 	// Other Setting
-	else if(strcmp(argv[i],"-content") == 0 || strcmp(argv[i],"-i") == 0){
-		if(ParamNum != 1){
-			PrintArgReqParam(argv[i],1);
+	else if (strcmp(argv[i], "-content") == 0 || strcmp(argv[i], "-i") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		char *pos = strstr(argv[i+1],":");
-		if(!pos || strlen(pos) < 2){
-			fprintf(stderr,"[SETTING ERROR] Bad argument '%s %s', correct format:\n",argv[i],argv[i+1]);
-			fprintf(stderr,"	%s <CONTENT PATH>:<INDEX>\n",argv[i]);
-			fprintf(stderr,"  If generating a CIA, then use the format:\n");
-			fprintf(stderr,"	%s <CONTENT PATH>:<INDEX>:<ID>\n",argv[i]);
+		char *pos = strstr(argv[i + 1], ":");
+		if (!pos || strlen(pos) < 2) {
+			fprintf(stderr, "[SETTING ERROR] Bad argument '%s %s', correct format:\n", argv[i], argv[i + 1]);
+			fprintf(stderr, "	%s <CONTENT PATH>:<INDEX>\n", argv[i]);
+			fprintf(stderr, "  If generating a CIA, then use the format:\n");
+			fprintf(stderr, "	%s <CONTENT PATH>:<INDEX>:<ID>\n", argv[i]);
 			return USR_BAD_ARG;
-		}		
+		}
 
 		/* Getting Content Index */
-		u16 content_index = strtol((char*)(pos+1),NULL,0);
+		u16 content_index = strtol((char*)(pos + 1), NULL, 0);
 
 		/* Storing Content Filepath */
-		u32 path_len = (u32)(pos-argv[i+1])+1;
-		
-		if(set->common.contentPath[content_index] != NULL){
-			fprintf(stderr,"[SETTING ERROR] Content %d is already specified\n",content_index);
+		u32 path_len = (u32)(pos - argv[i + 1]) + 1;
+
+		if (set->common.contentPath[content_index] != NULL) {
+			fprintf(stderr, "[SETTING ERROR] Content %d is already specified\n", content_index);
 			return USR_BAD_ARG;
 		}
-		set->common.contentPath[content_index] = calloc(path_len,sizeof(char));
-		if(set->common.contentPath[content_index] == NULL){
-			fprintf(stderr,"[SETTING ERROR] Not enough memory\n");
+		set->common.contentPath[content_index] = calloc(path_len, sizeof(char));
+		if (set->common.contentPath[content_index] == NULL) {
+			fprintf(stderr, "[SETTING ERROR] Not enough memory\n");
 			return USR_MEM_ERROR;
 		}
-		strncpy(set->common.contentPath[content_index],argv[i+1],path_len-1);	
-		if(!AssertFile(set->common.contentPath[content_index])){
-			fprintf(stderr,"[SETTING ERROR] '%s' could not be opened\n",set->common.contentPath[content_index]);
+		strncpy(set->common.contentPath[content_index], argv[i + 1], path_len - 1);
+		if (!AssertFile(set->common.contentPath[content_index])) {
+			fprintf(stderr, "[SETTING ERROR] '%s' could not be opened\n", set->common.contentPath[content_index]);
 			return USR_BAD_ARG;
 		}
 		set->common.contentSize[content_index] = GetFileSize64(set->common.contentPath[content_index]);
-		
+
 		/* Get ContentID for CIA gen */
-		char *pos2 = strstr(pos+1,":"); 
-		if(pos2) 
-			set->cia.contentId[content_index] = strtoul((pos2+1),NULL,0);
-		
+		char *pos2 = strstr(pos + 1, ":");
+		if (pos2)
+			set->cia.contentId[content_index] = strtoul((pos2 + 1), NULL, 0);
+
 		/* Return Next Arg Pos*/
 		return 2;
 	}
 	// RSF Value Substitution
-	else if(strncmp(argv[i],"-D",2) == 0){
-		if(ParamNum){
+	else if (strncmp(argv[i], "-D", 2) == 0) {
+		if (ParamNum) {
 			PrintNoNeedParam("-DNAME=VALUE");
 			return USR_BAD_ARG;
 		}
-		if(set->dname.m_items == 0){
+		if (set->dname.m_items == 0) {
 			set->dname.m_items = 10;
 			set->dname.u_items = 0;
-			set->dname.items = calloc(set->dname.m_items,sizeof(dname_item));
-			if(!set->dname.items){
-				fprintf(stderr,"[SETTING ERROR] Not enough memory\n");
+			set->dname.items = calloc(set->dname.m_items, sizeof(dname_item));
+			if (!set->dname.items) {
+				fprintf(stderr, "[SETTING ERROR] Not enough memory\n");
 				return MEM_ERROR;
 			}
 		}
-		else if(set->dname.m_items == set->dname.u_items){
+		else if (set->dname.m_items == set->dname.u_items) {
 			set->dname.m_items *= 2;
-			/*
-			dname_item *tmp = malloc(sizeof(dname_item)*set->dname.m_items);
-			if(!tmp){
-				fprintf(stderr,"[SETTING ERROR] Not enough memory\n");
-				return MEM_ERROR;
-			}
-			memset(tmp,0,sizeof(dname_item)*set->dname.m_items);
-			memcpy(tmp,set->dname.items,sizeof(dname_item)*set->dname.u_items);
-			free(set->dname.items);
-			set->dname.items = tmp;
-			*/
-			set->dname.items = realloc(set->dname.items,sizeof(dname_item)*set->dname.m_items);
-			if(!set->dname.items){
-				fprintf(stderr,"[SETTING ERROR] Not enough memory\n");
+			set->dname.items = realloc(set->dname.items, sizeof(dname_item)*set->dname.m_items);
+			if (!set->dname.items) {
+				fprintf(stderr, "[SETTING ERROR] Not enough memory\n");
 				return MEM_ERROR;
 			}
 		}
 
-		char *name_pos = (char*)(argv[i]+2);
+		char *name_pos = (char*)(argv[i] + 2);
 		u32 name_len = 0;
-		char *val_pos = strstr(name_pos,"=");
+		char *val_pos = strstr(name_pos, "=");
 		u32 val_len = 0;
-		if(!val_pos){
-			fprintf(stderr,"[SETTING ERROR] Format: '%s' is invalid\n",argv[i]);
+		if (!val_pos) {
+			fprintf(stderr, "[SETTING ERROR] Format: '%s' is invalid\n", argv[i]);
 			return USR_BAD_ARG;
 		}
-		if(strlen(val_pos) < 2){
-			fprintf(stderr,"[SETTING ERROR] Format: '%s' is invalid\n",argv[i]);
+		if (strlen(val_pos) < 2) {
+			fprintf(stderr, "[SETTING ERROR] Format: '%s' is invalid\n", argv[i]);
 			return USR_BAD_ARG;
 		}
 		val_pos = (val_pos + 1);
 		name_len = (val_pos - 1 - name_pos);
-		set->dname.items[set->dname.u_items].name = malloc(name_len+1);
-		memset(set->dname.items[set->dname.u_items].name,0,name_len+1);
-		memcpy(set->dname.items[set->dname.u_items].name,name_pos,name_len);
+		set->dname.items[set->dname.u_items].name = malloc(name_len + 1);
+		memset(set->dname.items[set->dname.u_items].name, 0, name_len + 1);
+		memcpy(set->dname.items[set->dname.u_items].name, name_pos, name_len);
 
 		val_len = strlen(val_pos);
-		set->dname.items[set->dname.u_items].value = malloc(val_len+1);
-		memset(set->dname.items[set->dname.u_items].value,0,val_len+1);
-		memcpy(set->dname.items[set->dname.u_items].value,val_pos,val_len);
+		set->dname.items[set->dname.u_items].value = malloc(val_len + 1);
+		memset(set->dname.items[set->dname.u_items].value, 0, val_len + 1);
+		memcpy(set->dname.items[set->dname.u_items].value, val_pos, val_len);
 
 		set->dname.u_items++;
 
 		return 1;
 	}
-	
+
 
 	// If not a valid argument
-	fprintf(stderr,"[SETTING ERROR] Unrecognised argument '%s'\n",argv[i]);
+	fprintf(stderr, "[SETTING ERROR] Unrecognised argument '%s'\n", argv[i]);
 	return USR_UNK_ARG;
 }
 
 int CheckArgumentCombination(user_settings *set)
 {
-	if(set->ncch.ncchType & (CXI|CFA)){
+	if (set->ncch.ncchType & (CXI | CFA)) {
 		set->ncch.buildNcch0 = true;
-		if(set->ncch.ncchType & CXI)
+		if (set->ncch.ncchType & CXI)
 			set->ncch.ncchType = CXI;
 		else
-			set->ncch.ncchType = CFA;			
-	}		
-	
-	if(set->common.outFormat == NCCH){
+			set->ncch.ncchType = CFA;
+	}
+
+	if (set->common.outFormat == NCCH) {
 		set->ncch.buildNcch0 = true;
-		if(set->ncch.ncchType)
+		if (set->ncch.ncchType)
 			set->common.outFormat = set->ncch.ncchType;
-		else{
+		else {
 			set->ncch.ncchType = CFA;
 			set->common.outFormat = CFA;
 		}
 	}
 
-	for(int i = 0; i < CIA_MAX_CONTENT; i++){
-		if( i > CCI_MAX_CONTENT-1 && set->common.contentPath[i] && set->common.outFormat == CCI){
-			fprintf(stderr,"[SETTING ERROR] Content indexes > %d are invalid for CCI\n",CCI_MAX_CONTENT-1);
+	for (int i = 0; i < CIA_MAX_CONTENT; i++) {
+		if (i > CCI_MAX_CONTENT - 1 && set->common.contentPath[i] && set->common.outFormat == CCI) {
+			fprintf(stderr, "[SETTING ERROR] Content indexes > %d are invalid for CCI\n", CCI_MAX_CONTENT - 1);
 			return USR_BAD_ARG;
 		}
-		if(set->common.contentPath[i] && (set->common.outFormat == CXI || set->common.outFormat == CFA)){
-			fprintf(stderr,"[SETTING ERROR] You cannot specify content while outputting CXI/CFA files\n");
+		if (set->common.contentPath[i] && (set->common.outFormat == CXI || set->common.outFormat == CFA)) {
+			fprintf(stderr, "[SETTING ERROR] You cannot specify content while outputting CXI/CFA files\n");
 			return USR_BAD_ARG;
 		}
 	}
-	
-	if(set->common.contentPath[0] && set->ncch.buildNcch0){
-		fprintf(stderr,"[SETTING ERROR] You cannot both import and build content 0\n");
+
+	if (set->common.contentPath[0] && set->ncch.buildNcch0) {
+		fprintf(stderr, "[SETTING ERROR] You cannot both import and build content 0\n");
 		return USR_BAD_ARG;
 	}
 
-	if(set->common.outFormat == CIA && set->cci.cverDataPath){
-		fprintf(stderr,"[SETTING ERROR] You cannot use argument \"-cverinfo\" when generating a CIA\n");
+	if (set->common.outFormat == CIA && set->cci.cverDataPath) {
+		fprintf(stderr, "[SETTING ERROR] You cannot use argument \"-cverinfo\" when generating a CIA\n");
 		return USR_BAD_ARG;
 	}
 
-	if(set->cia.useDataTitleVer && set->cia.useNormTitleVer){
-		fprintf(stderr,"[SETTING ERROR] Arguments \"-dver\" and \"-major\"/\"-minor\" cannot be used together\n");
+	if (set->cia.useDataTitleVer && set->cia.useNormTitleVer) {
+		fprintf(stderr, "[SETTING ERROR] Arguments \"-dver\" and \"-major\"/\"-minor\" cannot be used together\n");
 		return USR_BAD_ARG;
 	}
 
-	if(set->ncch.elfPath && set->ncch.codePath){
-		fprintf(stderr,"[SETTING ERROR] Arguments \"-elf\" and \"-code\" cannot be used together\n");
+	if (set->ncch.elfPath && set->ncch.codePath) {
+		fprintf(stderr, "[SETTING ERROR] Arguments \"-elf\" and \"-code\" cannot be used together\n");
 		return USR_BAD_ARG;
 	}
 
 	bool buildCXI = set->ncch.ncchType == CXI;
 	bool buildCFA = set->ncch.ncchType == CFA;
 	// Detecting Required Arguments
-	if(buildCXI && !set->ncch.elfPath && !set->ncch.codePath){
+	if (buildCXI && !set->ncch.elfPath && !set->ncch.codePath) {
 		PrintNeedsArg("-elf");
 		return USR_BAD_ARG;
 	}
-	if((buildCXI || buildCFA) && !set->common.rsfPath){
+	if ((buildCXI || buildCFA) && !set->common.rsfPath) {
 		PrintNeedsArg("-rsf");
 		return USR_BAD_ARG;
 	}
-	if(buildCXI && set->ncch.codePath && !set->ncch.exheaderPath){
+	if (buildCXI && set->ncch.codePath && !set->ncch.exheaderPath) {
 		PrintNeedsArg("-exheader");
 		return USR_BAD_ARG;
 	}
 
 	// Reporting bad arguments
-	if(!buildCXI && set->ncch.elfPath){
+	if (!buildCXI && set->ncch.elfPath) {
 		PrintArgInvalid("-elf");
 		return USR_BAD_ARG;
 	}
-	if(!buildCXI && set->ncch.codePath){
+	if (!buildCXI && set->ncch.codePath) {
 		PrintArgInvalid("-code");
 		return USR_BAD_ARG;
 	}
-	if(!buildCXI && set->ncch.exheaderPath){
+	if (!buildCXI && set->ncch.exheaderPath) {
 		PrintArgInvalid("-exheader");
 		return USR_BAD_ARG;
 	}
-	if(!buildCXI && set->ncch.plainRegionPath){
+	if (!buildCXI && set->ncch.plainRegionPath) {
 		PrintArgInvalid("-plainrgn");
 		return USR_BAD_ARG;
 	}
-	if(!set->ncch.buildNcch0 && set->ncch.includeExefsLogo){
+	if (!set->ncch.buildNcch0 && set->ncch.includeExefsLogo) {
 		PrintArgInvalid("-exefslogo");
 		return USR_BAD_ARG;
 	}
-	if(!set->ncch.buildNcch0 && set->ncch.romfsPath){
+	if (!set->ncch.buildNcch0 && set->ncch.romfsPath) {
 		PrintArgInvalid("-romfs");
 		return USR_BAD_ARG;
 	}
@@ -790,78 +784,110 @@ int CheckArgumentCombination(user_settings *set)
 
 void init_UserSettings(user_settings *set)
 {
-	memset(set,0,sizeof(user_settings));
+	memset(set, 0, sizeof(user_settings));
 }
 
 void free_UserSettings(user_settings *set)
 {
 	// Free Content Paths
-	if(set->common.contentPath){
-		for(int i = 0; i < CIA_MAX_CONTENT; i++)
+	if (set->common.contentPath) {
+		for (int i = 0; i < CIA_MAX_CONTENT; i++)
 			free(set->common.contentPath[i]);
 		free(set->common.contentPath);
 	}
 
 	// free -DNAME=VALUE
-	for(u32 i = 0; i < set->dname.u_items; i++){
+	for (u32 i = 0; i < set->dname.u_items; i++) {
 		free(set->dname.items[i].name);
 		free(set->dname.items[i].value);
 	}
 	free(set->dname.items);
 
 	free(set->cci.cverDataPath);
-	
+
 	// Free Spec File Setting
 	free_RsfSettings(&set->common.rsfSet);
 
 	// Free Key Data
 	FreeKeys(&set->common.keys);
-	
+
 	// Free Working File
 	free(set->common.workingFile.buffer);
-		
+
 	// Free outfile path, if malloc'd
-	if(set->common.outFileName_mallocd) 
+	if (set->common.outFileName_mallocd)
 		free(set->common.outFileName);
-	
+
 	// Clear settings
 	init_UserSettings(set);
-	
+
 	// Free
 	free(set);
 }
 
 void PrintNeedsArg(char *arg)
 {
-	fprintf(stderr,"[SETTING ERROR] Argument \"%s\" is required\n",arg);
+	fprintf(stderr, "[SETTING ERROR] Argument \"%s\" is required\n", arg);
 }
 
 void PrintArgInvalid(char *arg)
 {
-	fprintf(stderr,"[SETTING ERROR] Argument \"%s\" is invalid\n",arg);
+	fprintf(stderr, "[SETTING ERROR] Argument \"%s\" is invalid\n", arg);
 }
 
 void PrintArgReqParam(char *arg, u32 paramNum)
 {
-	if(paramNum == 1)
-		fprintf(stderr,"[SETTING ERROR] \"%s\" takes one parameter\n",arg);
+	if (paramNum == 1)
+		fprintf(stderr, "[SETTING ERROR] \"%s\" takes one parameter\n", arg);
 	else
-		fprintf(stderr,"[SETTING ERROR] \"%s\" requires %d parameters\n",arg,paramNum);
+		fprintf(stderr, "[SETTING ERROR] \"%s\" requires %d parameters\n", arg, paramNum);
 }
 
 void PrintNoNeedParam(char *arg)
 {
-	fprintf(stderr,"[SETTING ERROR] \"%s\" does not take a parameter\n",arg);
+	fprintf(stderr, "[SETTING ERROR] \"%s\" does not take a parameter\n", arg);
+}
+
+void DisplayBanner(void)
+{
+	printf("CTR MAKEROM v0.14 (C) 3DSGuy 2014\n");
+	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 
 void DisplayHelp(char *app_name)
 {
-	printf("CTR MAKEROM %d.%d\n",MAKEROM_VER_MAJOR,MAKEROM_VER_MINOR);
-	printf("(C) 3DSGuy 2014\n");
-	printf("Usage: %s [options... ]\n",app_name);
+	DisplayBanner();
+	printf("Usage: %s [options... ]\n", app_name);
 	printf("Option          Parameter           Explanation\n");
 	printf("GLOBAL OPTIONS:\n");
 	printf(" -help                              Display this text\n");
+	printf(" -exthelp                           Display extended usage help\n");
+	printf(" -rsf           <file>              ROM Spec File (*.rsf)\n");
+	printf(" -f             <ncch|cci|cia>      Output format, defaults to 'ncch'\n");
+	printf(" -o             <file>              Output file\n");
+	printf(" -v                                 Verbose output\n");
+	printf(" -DNAME=VALUE                       Substitute values in RSF file\n");
+	printf("NCCH OPTIONS:\n");
+	printf(" -elf           <file>              ELF file\n");
+	printf(" -icon          <file>              Icon file\n");
+	printf(" -banner        <file>              Banner file\n");
+	printf(" -desc          <apptype>:<fw>      Specify Access Descriptor template\n");
+	printf("NCCH REBUILD OPTIONS:\n");
+	printf(" -code          <file>              Decompressed ExeFS \".code\"\n");
+	printf(" -exheader      <file>              Exheader template\n");
+	printf(" -romfs         <file>              RomFS binary\n");
+	printf("CIA/CCI OPTIONS:\n");
+	printf(" -content       <file>:<index>      Specify content files\n");
+}
+
+void DisplayExtendedHelp(char *app_name)
+{
+	DisplayBanner();
+	printf("Usage: %s [options... ]\n", app_name);
+	printf("Option          Parameter           Explanation\n");
+	printf("GLOBAL OPTIONS:\n");
+	printf(" -help                              Display simple usage help\n");
+	printf(" -exthelp                           Display this text\n");
 	printf(" -rsf           <file>              ROM Spec File (*.rsf)\n");
 	printf(" -f             <ncch|cci|cia>      Output format, defaults to 'ncch'\n");
 	printf(" -o             <file>              Output file\n");
@@ -887,7 +913,7 @@ void DisplayHelp(char *app_name)
 	printf(" -code          <file>              Decompressed ExeFS \".code\"\n");
 	printf(" -exheader      <file>              Exheader template\n");
 	printf(" -plainrgn      <file>              Plain Region binary\n");
-	printf(" -romfs         <file>              RomFS binary\n");	
+	printf(" -romfs         <file>              RomFS binary\n");
 	printf("CCI OPTIONS:\n");
 	printf(" -content       <file>:<index>      Specify content files\n");
 	printf(" -devcci                            Use external CTRSDK \"CardInfo\" method\n");
@@ -896,7 +922,7 @@ void DisplayHelp(char *app_name)
 	printf(" -cverinfo      <file>:<cia|tmd>    Include cver title info\n");
 	printf("CIA OPTIONS:\n");
 	printf(" -content       <file>:<index>:<id> Specify content files\n");
-	printf(" -major         <version>           Major version\n");
+	printf(" -ver           <version>           Title Version\n");
 	printf(" -minor         <version>           Minor version\n");
 	printf(" -micro         <version>           Micro version\n");
 	printf(" -dver          <version>           Data-title version\n");
@@ -909,5 +935,4 @@ void DisplayHelp(char *app_name)
 	printf(" -ccitocia      <cci file>          Convert CCI to CIA\n");
 	printf(" -ciatocci      <cia file>          Convert CIA to CCI\n");
 	printf(" -inclupd                           Include \"Update NCCH\" in CCI to CIA conversion\n");
-	
 }
\ No newline at end of file

From 4c965b8c9237855e98520be1c854b54f131edef1 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 22 Oct 2015 01:45:08 +0800
Subject: [PATCH 110/317] [makerom] Simplified CIA version logic.

---
 makerom/cia.c           | 26 ++++----------------------
 makerom/cia_build.h     |  4 ++--
 makerom/user_settings.c | 38 +++++++++++++++++++++++++++++++++-----
 makerom/user_settings.h |  2 ++
 4 files changed, 41 insertions(+), 29 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 8c496bc3..719c91b4 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -170,6 +170,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	ciaset->cert.caCrlVersion = 0;
 	ciaset->cert.signerCrlVersion = 0;
 
+	ciaset->common.useCxiRemasterVersion = !usrset->cia.useFullTitleVer;
 	for(int i = 0; i < 3; i++){
 		ciaset->common.titleVersion[i] = usrset->cia.titleVersion[i];
 	}
@@ -239,6 +240,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset)
 	int result = VerifyNcch(ncch0, ciaset->keys, false, ciaset->verbose == false);
 	if(result == UNABLE_TO_LOAD_NCCH_KEY){
 		ciaset->content.keyFound = false;
+		ciaset->common.useCxiRemasterVersion = false;
 		if(!ciaset->content.IsCfa){
 			fprintf(stderr,"[CIA WARNING] CXI AES Key could not be loaded\n");
 			fprintf(stderr,"      Meta Region, SaveDataSize, Remaster Version cannot be obtained\n");
@@ -306,35 +308,15 @@ int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *
 		ciaset->tmd.savedataSize = 0;
 		
 	// Process title version
-	// If this is a CFA, the -major must be set, since CFAs don't have an exheader
-	if(ciaset->content.IsCfa){
-		if(ciaset->common.titleVersion[VER_MAJOR] == MAX_U16){ // '-major' wasn't set
-			fprintf(stderr,"[CIA ERROR] Invalid major version. Use \"-major\" option.\n");
-			result = CIA_BAD_VERSION;
-			goto cleanup;
-		}
-	}
-	// Otherwise this is a CXI, if it can be decrypted, -major cannot be set and must be read from exheader
-	else if(ciaset->content.keyFound){
-		if(ciaset->common.titleVersion[VER_MAJOR] != MAX_U16){ // '-major' was set
-			fprintf(stderr,"[CIA ERROR] Option \"-major\" cannot be applied for cxi.\n");
-			result = CIA_BAD_VERSION;
-			goto cleanup;
-		}
+	// If this is a CXI, and we have to pull version major from exheader...
+	if(!ciaset->content.IsCfa && ciaset->common.useCxiRemasterVersion){
 		// Setting remaster ver
 		ciaset->common.titleVersion[VER_MAJOR] = GetRemasterVersion_frm_exhdr(exhdr);
 	}
-
-	// CXI which cannot be decrypted
-	else{
-		if(ciaset->common.titleVersion[VER_MAJOR] == MAX_U16) // '-major' wasn't set
-			ciaset->common.titleVersion[VER_MAJOR] = 0;
-	}
 	
 	// Calculate u16 title version
 	ciaset->tmd.version = ciaset->tik.version = SetupVersion(ciaset->common.titleVersion[VER_MAJOR],ciaset->common.titleVersion[VER_MINOR],ciaset->common.titleVersion[VER_MICRO]);
 
-cleanup:
 	free(exhdr);
 	return result;
 }
diff --git a/makerom/cia_build.h b/makerom/cia_build.h
index 0c24277e..f25f1562 100644
--- a/makerom/cia_build.h
+++ b/makerom/cia_build.h
@@ -7,7 +7,6 @@ typedef enum
 	CIA_NO_NCCH0 = -1,
 	CIA_INVALID_NCCH0 = -2,
 	CIA_CONFILCTING_CONTENT_IDS = -3,
-	CIA_BAD_VERSION = -4,
 } cia_errors;
 
 typedef struct
@@ -23,8 +22,9 @@ typedef struct
 	bool verbose;
 	
 	struct{
+		bool useCxiRemasterVersion;
 		u64 titleId;
-		u16 titleVersion[4];
+		u16 titleVersion[3];
 		u8 titleKey[16];
 	} common;
 	
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 7477b821..aa5bc468 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -118,7 +118,7 @@ void SetDefaults(user_settings *set)
 	set->cia.deviceId = 0;
 	set->cia.eshopAccId = 0;
 	set->cia.useDataTitleVer = false;
-	set->cia.titleVersion[VER_MAJOR] = MAX_U16; // invalid so changes can be detected
+	set->cia.useFullTitleVer = false;
 	set->cia.randomTitleKey = false;
 	set->common.keys.aes.currentCommonKey = MAX_U8 + 1; // invalid so changes can be detected
 	for (int i = 0; i < CIA_MAX_CONTENT; i++)
@@ -450,13 +450,29 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 	}
 
 	// Cia Options
+	else if (strcmp(argv[i], "-ver") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
+			return USR_ARG_REQ_PARAM;
+		}
+		set->cia.useFullTitleVer = true;
+		u32 ver = strtoul(argv[i + 1], NULL, 0);
+		if (ver > VER_MAX) {
+			fprintf(stderr, "[SETTING ERROR] Version: '%d' is too large, max: '%d'\n", ver, VER_MAX);
+			return USR_BAD_ARG;
+		}
+		set->cia.titleVersion[VER_MAJOR] = (ver >> 10) & VER_MAJOR_MAX;
+		set->cia.titleVersion[VER_MINOR] = (ver >> 4) & VER_MINOR_MAX;
+		set->cia.titleVersion[VER_MICRO] = ver & VER_MICRO_MAX;
+		return 2;
+	}
 	else if (strcmp(argv[i], "-major") == 0) {
 		if (ParamNum != 1) {
 			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
-		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		u32 ver = strtoul(argv[i + 1], NULL, 0);
 		if (ver > VER_MAJOR_MAX) {
 			fprintf(stderr, "[SETTING ERROR] Major version: '%d' is too large, max: '%d'\n", ver, VER_MAJOR_MAX);
 			return USR_BAD_ARG;
@@ -470,7 +486,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useNormTitleVer = true;
-		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		u32 ver = strtoul(argv[i + 1], NULL, 0);
 		if (ver > VER_MINOR_MAX) {
 			fprintf(stderr, "[SETTING ERROR] Minor version: '%d' is too large, max: '%d'\n", ver, VER_MINOR_MAX);
 			return USR_BAD_ARG;
@@ -483,7 +499,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		u32 ver = strtoul(argv[i + 1], NULL, 0);
 		if (ver > VER_MICRO_MAX) {
 			fprintf(stderr, "[SETTING ERROR] Micro version: '%d' is too large, max: '%d'\n", ver, VER_MICRO_MAX);
 			return USR_BAD_ARG;
@@ -497,7 +513,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			return USR_ARG_REQ_PARAM;
 		}
 		set->cia.useDataTitleVer = true;
-		u32 ver = strtoul(argv[i + 1], NULL, 10);
+		u32 ver = strtoul(argv[i + 1], NULL, 0);
 		if (ver > VER_DVER_MAX) {
 			fprintf(stderr, "[SETTING ERROR] Data version: '%d' is too large, max: '%d'\n", ver, VER_DVER_MAX);
 			return USR_BAD_ARG;
@@ -732,6 +748,16 @@ int CheckArgumentCombination(user_settings *set)
 		return USR_BAD_ARG;
 	}
 
+	if (set->cia.useDataTitleVer && set->cia.useFullTitleVer) {
+		fprintf(stderr, "[SETTING ERROR] Arguments \"-dver\" and \"-ver\" cannot be used together\n");
+		return USR_BAD_ARG;
+	}
+
+	if (set->cia.useNormTitleVer && set->cia.useFullTitleVer) {
+		fprintf(stderr, "[SETTING ERROR] Arguments \"-ver\" and \"-major\"/\"-minor\" cannot be used together\n");
+		return USR_BAD_ARG;
+	}
+
 	if (set->ncch.elfPath && set->ncch.codePath) {
 		fprintf(stderr, "[SETTING ERROR] Arguments \"-elf\" and \"-code\" cannot be used together\n");
 		return USR_BAD_ARG;
@@ -878,6 +904,7 @@ void DisplayHelp(char *app_name)
 	printf(" -romfs         <file>              RomFS binary\n");
 	printf("CIA/CCI OPTIONS:\n");
 	printf(" -content       <file>:<index>      Specify content files\n");
+	printf(" -ver           <version>           Title Version\n");
 }
 
 void DisplayExtendedHelp(char *app_name)
@@ -923,6 +950,7 @@ void DisplayExtendedHelp(char *app_name)
 	printf("CIA OPTIONS:\n");
 	printf(" -content       <file>:<index>:<id> Specify content files\n");
 	printf(" -ver           <version>           Title Version\n");
+	printf(" -major         <version>           Major version\n");
 	printf(" -minor         <version>           Minor version\n");
 	printf(" -micro         <version>           Micro version\n");
 	printf(" -dver          <version>           Data-title version\n");
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index 6e18c986..f06f95ff 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -15,6 +15,7 @@ typedef enum
 
 typedef enum
 {
+	VER_MAX = 65535,
 	VER_MAJOR_MAX = 63,
 	VER_MINOR_MAX = 63,
 	VER_MICRO_MAX = 15,
@@ -291,6 +292,7 @@ typedef struct
 
 		bool useNormTitleVer;
 		bool useDataTitleVer;
+		bool useFullTitleVer;
 		u16 titleVersion[3];
 		
 		u32 deviceId;

From 3702b58db37d8a471d304c9be06bbb636a563628 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 24 Oct 2015 01:32:08 +0800
Subject: [PATCH 111/317] [makerom] Cleaned keyset.c

---
 makerom/keyset.c | 149 ++++++++++++++++++++++++-----------------------
 makerom/keyset.h |   8 +--
 makerom/utils.c  |  16 +----
 makerom/utils.h  |   3 +-
 4 files changed, 81 insertions(+), 95 deletions(-)

diff --git a/makerom/keyset.c b/makerom/keyset.c
index a270d38d..cdb32a6b 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -6,24 +6,23 @@
 #include "pki/dev.h" // Development PKI
 
 // Private Prototypes
-int SetRsaKeySet(u8 **PrivDest, u8 *PrivSource, u8 **PubDest, u8 *PubSource);
-int SetunFixedKey(keys_struct *keys, u8 *unFixedKey);
+int SetRsaKeySet(u8 **priv_exp_dst, const u8 *priv_exp_src, u8 **modulus_dst, const u8 *modulus_src);
 void InitCommonKeySlots(keys_struct *keys);
 void InitNcchKeyXSlots(keys_struct *keys);
-int SetNcchKeyX(keys_struct *keys, u8 *keyX, u8 index);
+int SetNcchKeyX(keys_struct *keys, const u8 *keyX, u8 index);
 
-FILE* keyset_OpenFile(char *dir, char *name, bool FileRequired);
 void keysetOpenError(char *file);
+FILE* keyset_OpenFile(char *dir, char *name, bool FileRequired);
 
-int SetTIK_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod);
-int SetTMD_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod);
-int Set_CCI_CFA_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod);
-int SetAccessDesc_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod);
-int SetCXI_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod);
+int SetTIK_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
+int SetTMD_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
+int Set_CCI_CFA_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
+int SetAccessDesc_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
+int SetCXI_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
 
-int SetCaCert(keys_struct *keys, u8 *Cert);
-int SetTikCert(keys_struct *keys, u8 *Cert);
-int SetTmdCert(keys_struct *keys, u8 *Cert);
+int SetCaCert(keys_struct *keys, const u8 *cert);
+int SetTikCert(keys_struct *keys, const u8 *cert);
+int SetTmdCert(keys_struct *keys, const u8 *cert);
 
 int LoadKeysFromResources(keys_struct *keys);
 void SetDummyRsaData(keys_struct *keys);
@@ -48,7 +47,7 @@ void PrintBadKeySize(char *path, u32 size)
 	fprintf(stderr,"[KEYSET ERROR] %s has invalid size (0x%x)\n",path,size);
 }
 
-u8* AesKeyScrambler(u8 *key, u8 *keyX, u8 *keyY)
+u8* AesKeyScrambler(u8 *key, const u8 *keyX, const u8 *keyY)
 {
 	// Process keyX/keyY to get raw normal key
 	for(int i = 0; i < 16; i++)
@@ -91,7 +90,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		keys->keysetLoaded = true;
 		/* AES Keys */
 		// CIA
-		//SetCommonKey(keys,(u8*)zeros_aesKey,1);
+		//SetCommonKey(keys, zeros_aesKey,1);
 		if(keys->aes.currentCommonKey > 0xff)
 			SetCurrentCommonKey(keys,0);
 	
@@ -107,33 +106,33 @@ int LoadKeysFromResources(keys_struct *keys)
 		/* AES Keys */
 		// CIA
 		for(int i = 0; i < 2; i++)
-			SetCommonKey(keys,(u8*)ctr_common_etd_key_dpki[i],i);
+			SetCommonKey(keys, ctr_common_etd_key_dpki[i],i);
 
 		if(keys->aes.currentCommonKey > 0xff)
 			SetCurrentCommonKey(keys,0);
 	
 		// NCCH
-		SetNormalKey(keys,(u8*)dev_fixed_ncch_key[0]);
-		SetSystemFixedKey(keys,(u8*)dev_fixed_ncch_key[1]);
+		SetNormalKey(keys, dev_fixed_ncch_key[0]);
+		SetSystemFixedKey(keys, dev_fixed_ncch_key[1]);
 		
 		/*
 		for(int i = 0; i < 2; i++)
-			SetNcchKeyX(keys,(u8*)dev_unfixed_ncch_keyX[i],i);
+			SetNcchKeyX(keys, dev_unfixed_ncch_keyX[i],i);
 		*/
 
 		/* RSA Keys */
 		// CIA
-		SetTIK_RsaKey(keys,(u8*)xs9_dpki_rsa_priv,(u8*)xs9_dpki_rsa_pub);
-		SetTMD_RsaKey(keys,(u8*)cpA_dpki_rsa_priv,(u8*)cpA_dpki_rsa_pub);
+		SetTIK_RsaKey(keys, xs9_dpki_rsa_priv, xs9_dpki_rsa_pub);
+		SetTMD_RsaKey(keys, cpA_dpki_rsa_priv, cpA_dpki_rsa_pub);
 		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys,(u8*)dev_ncsd_cfa_priv,(u8*)dev_ncsd_cfa_pub);
+		Set_CCI_CFA_RsaKey(keys, dev_ncsd_cfa_priv, dev_ncsd_cfa_pub);
 		// CXI
-		SetAccessDesc_RsaKey(keys,(u8*)dev_acex_priv,(u8*)dev_acex_pub);
+		SetAccessDesc_RsaKey(keys, dev_acex_priv, dev_acex_pub);
 	
 		/* Certs */
-		SetCaCert(keys,(u8*)ca4_dpki_cert);
-		SetTikCert(keys,(u8*)xs9_dpki_cert);
-		SetTmdCert(keys,(u8*)cpA_dpki_cert);
+		SetCaCert(keys, ca4_dpki_cert);
+		SetTikCert(keys, xs9_dpki_cert);
+		SetTmdCert(keys, cpA_dpki_cert);
 	}
 	else if(keys->keyset == pki_PRODUCTION){
 		keys->keysetLoaded = true;
@@ -141,7 +140,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		// CIA
 		//for(int i = 0; i < 6; i++){
 		//	keys->aes.commonKey[i] = malloc(16);
-		//	AesKeyScrambler(keys->aes.commonKey[i],(u8*)ctr_common_etd_keyX_ppki,(u8*)ctr_common_etd_keyY_ppki[i]);
+		//	AesKeyScrambler(keys->aes.commonKey[i], ctr_common_etd_keyX_ppki, ctr_common_etd_keyY_ppki[i]);
 		//}
 		if(keys->aes.currentCommonKey > 0xff)
 			SetCurrentCommonKey(keys,0);
@@ -151,22 +150,22 @@ int LoadKeysFromResources(keys_struct *keys)
 		keys->aes.systemFixedKey = NULL;
 		/*
 		for(int i = 0; i < 2; i++)
-			SetNcchKeyX(keys,(u8*)prod_unfixed_ncch_keyX[i],i);
+			SetNcchKeyX(keys, prod_unfixed_ncch_keyX[i],i);
 		*/
 
 		/* RSA Keys */
 		// CIA
-		SetTIK_RsaKey(keys,(u8*)xsC_ppki_rsa_priv,(u8*)xsC_ppki_rsa_pub);
-		SetTMD_RsaKey(keys,(u8*)cpB_ppki_rsa_priv,(u8*)cpB_ppki_rsa_pub);
+		SetTIK_RsaKey(keys, xsC_ppki_rsa_priv, xsC_ppki_rsa_pub);
+		SetTMD_RsaKey(keys, cpB_ppki_rsa_priv, cpB_ppki_rsa_pub);
 		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys,(u8*)prod_ncsd_cfa_priv,(u8*)prod_ncsd_cfa_pub);
+		Set_CCI_CFA_RsaKey(keys, prod_ncsd_cfa_priv, prod_ncsd_cfa_pub);
 		// CXI
-		SetAccessDesc_RsaKey(keys,(u8*)prod_acex_priv,(u8*)prod_acex_pub);
+		SetAccessDesc_RsaKey(keys, prod_acex_priv, prod_acex_pub);
 	
 		/* Certs */
-		SetCaCert(keys,(u8*)ca3_ppki_cert);
-		SetTikCert(keys,(u8*)xsC_ppki_cert);
-		SetTmdCert(keys,(u8*)cpB_ppki_cert);
+		SetCaCert(keys, ca3_ppki_cert);
+		SetTikCert(keys, xsC_ppki_cert);
+		SetTmdCert(keys, cpB_ppki_cert);
 	}
 	return 0;
 }
@@ -174,23 +173,23 @@ int LoadKeysFromResources(keys_struct *keys)
 void SetDummyRsaData(keys_struct *keys)
 {
 	if(!keys->rsa.xsPvt || !keys->rsa.xsPub)
-		SetTIK_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+		SetTIK_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
 	if(!keys->rsa.cpPvt || !keys->rsa.cpPub)
-		SetTMD_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+		SetTMD_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
 		
 	if(!keys->rsa.cciCfaPvt || !keys->rsa.cciCfaPub)
-		Set_CCI_CFA_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+		Set_CCI_CFA_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
 	
 	if(!keys->rsa.acexPvt || !keys->rsa.acexPub)
-		SetAccessDesc_RsaKey(keys,(u8*)tpki_rsa_privExp,(u8*)tpki_rsa_pubMod);
+		SetAccessDesc_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
 
 	/* Certs */
 	if(!keys->certs.caCert)
-		SetCaCert(keys,(u8*)ca3_tpki_cert);
+		SetCaCert(keys, ca3_tpki_cert);
 	if(!keys->certs.xsCert)
-		SetTikCert(keys,(u8*)xsC_tpki_cert);
+		SetTikCert(keys, xsC_tpki_cert);
 	if(!keys->certs.cpCert)
-		SetTmdCert(keys,(u8*)cpB_tpki_cert);
+		SetTmdCert(keys, cpB_tpki_cert);
 }
 
 int LoadKeysFromKeyfile(keys_struct *keys)
@@ -255,7 +254,12 @@ void DumpKeyset(keys_struct *keys)
 	memdump(stdout," [PVT]      ",keys->rsa.cciCfaPvt,0x100);
 }
 
-FILE* keyset_OpenFile(char *dir, char *name, bool FileRequired)
+void keysetOpenError(char *file)
+{
+	fprintf(stderr, "[KEYSET ERROR] Failed to open: %s\n", file);
+}
+
+FILE* keyset_OpenFile(char *dir, char *name, bool is_required)
 {
 	int file_path_len = sizeof(char)*(strlen(dir)+strlen(name)+1);
 	char *file_path = malloc(file_path_len);
@@ -265,17 +269,14 @@ FILE* keyset_OpenFile(char *dir, char *name, bool FileRequired)
 
 	FILE *fp = fopen(file_path,"rb");
 	
-	if(!fp && FileRequired)
-		fprintf(stderr,"[KEYSET ERROR] Failed to open: %s\n",file_path);
+	if (!fp && is_required)
+		keysetOpenError(file_path);
 
 	free(file_path);
 	return fp;
 }
 
-void keysetOpenError(char *file)
-{
-	fprintf(stderr,"[KEYSET ERROR] Failed to open: %s\n",file);
-}
+
 
 void FreeKeys(keys_struct *keys)
 {
@@ -316,24 +317,24 @@ void FreeKeys(keys_struct *keys)
 	memset(keys,0,sizeof(keys_struct));
 }
 
-int SetRsaKeySet(u8 **PrivDest, u8 *PrivSource, u8 **PubDest, u8 *PubSource)
+int SetRsaKeySet(u8 **priv_exp_dst, const u8 *priv_exp_src, u8 **modulus_dst, const u8 *modulus_src)
 {
 	int result = 0;
-	if(PrivSource){
-		result = CopyData(PrivDest,PrivSource,0x100);
+	if(priv_exp_src){
+		result = CopyData(priv_exp_dst,priv_exp_src,0x100);
 		if(result) return result;
 	}
-	if(PubSource){
-		result = CopyData(PubDest,PubSource,0x100);
+	if(modulus_src){
+		result = CopyData(modulus_dst,modulus_src,0x100);
 		if(result) return result;
 	}
 	return 0;
 }
 
-int SetCommonKey(keys_struct *keys, u8 *commonKey, u8 index)
+int SetCommonKey(keys_struct *keys, const u8 *key, u8 index)
 {
 	if(!keys) return -1;
-	return CopyData(&keys->aes.commonKey[index],commonKey,AES_128_KEY_SIZE);
+	return CopyData(&keys->aes.commonKey[index],key,AES_128_KEY_SIZE);
 }
 
 void InitCommonKeySlots(keys_struct *keys)
@@ -342,7 +343,7 @@ void InitCommonKeySlots(keys_struct *keys)
 		keys->aes.commonKey = calloc(MAX_CMN_KEY+1,sizeof(u8*));
 }
 
-int SetNcchKeyX(keys_struct *keys, u8 *keyX, u8 index)
+int SetNcchKeyX(keys_struct *keys, const u8 *keyX, u8 index)
 {
 	if(!keys) return -1;
 	return CopyData(&keys->aes.ncchKeyX[index],keyX,AES_128_KEY_SIZE);
@@ -361,55 +362,55 @@ int SetCurrentCommonKey(keys_struct *keys, u8 Index)
 	return 0;
 }
 
-int SetNormalKey(keys_struct *keys, u8 *systemFixedKey)
+int SetNormalKey(keys_struct *keys, const u8 *key)
 {
 	if(!keys) return -1;
-	return CopyData(&keys->aes.normalKey,systemFixedKey,16);
+	return CopyData(&keys->aes.normalKey,key,16);
 }
 
-int SetSystemFixedKey(keys_struct *keys, u8 *systemFixedKey)
+int SetSystemFixedKey(keys_struct *keys, const u8 *key)
 {
 	if(!keys) return -1;
-	return CopyData(&keys->aes.systemFixedKey,systemFixedKey,16);
+	return CopyData(&keys->aes.systemFixedKey,key,16);
 }
 
-int SetTIK_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod)
+int SetTIK_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
 {
 	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.xsPvt,PrivateExp,&keys->rsa.xsPub,PublicMod);
+	return SetRsaKeySet(&keys->rsa.xsPvt,priv_exp,&keys->rsa.xsPub,modulus);
 }
 
-int SetTMD_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod)
+int SetTMD_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
 {
 	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.cpPvt,PrivateExp,&keys->rsa.cpPub,PublicMod);
+	return SetRsaKeySet(&keys->rsa.cpPvt,priv_exp,&keys->rsa.cpPub,modulus);
 }
 
-int Set_CCI_CFA_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod)
+int Set_CCI_CFA_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
 {
 	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.cciCfaPvt,PrivateExp,&keys->rsa.cciCfaPub,PublicMod);
+	return SetRsaKeySet(&keys->rsa.cciCfaPvt,priv_exp,&keys->rsa.cciCfaPub,modulus);
 }
 
-int SetAccessDesc_RsaKey(keys_struct *keys, u8 *PrivateExp, u8 *PublicMod)
+int SetAccessDesc_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
 {
 	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.acexPvt,PrivateExp,&keys->rsa.acexPub,PublicMod);
+	return SetRsaKeySet(&keys->rsa.acexPvt,priv_exp,&keys->rsa.acexPub,modulus);
 }
 
-int SetCaCert(keys_struct *keys, u8 *Cert)
+int SetCaCert(keys_struct *keys, const u8 *cert)
 {
 	if(!keys) return -1;
-	return CopyData(&keys->certs.caCert,Cert,0x400);
+	return CopyData(&keys->certs.caCert,cert,0x400);
 }
-int SetTikCert(keys_struct *keys, u8 *Cert)
+int SetTikCert(keys_struct *keys, const u8 *cert)
 {
 	if(!keys) return -1;
-	return CopyData(&keys->certs.xsCert,Cert,0x300);
+	return CopyData(&keys->certs.xsCert,cert,0x300);
 }
 
-int SetTmdCert(keys_struct *keys, u8 *Cert)
+int SetTmdCert(keys_struct *keys, const u8 *cert)
 {
 	if(!keys) return -1;
-	return CopyData(&keys->certs.cpCert,Cert,0x400);
+	return CopyData(&keys->certs.cpCert,cert,0x400);
 }
\ No newline at end of file
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 9d6c0c60..54d38fcc 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -102,9 +102,9 @@ void InitKeys(keys_struct *keys);
 int SetKeys(keys_struct *keys);
 void FreeKeys(keys_struct *keys);
 
-int SetCommonKey(keys_struct *keys, u8 *commonKey, u8 Index);
+int SetCommonKey(keys_struct *keys, const u8 *key, u8 Index);
 int SetCurrentCommonKey(keys_struct *keys, u8 Index);
-int SetNormalKey(keys_struct *keys, u8 *systemFixedKey);
-int SetSystemFixedKey(keys_struct *keys, u8 *systemFixedKey);
+int SetNormalKey(keys_struct *keys, const u8 *key);
+int SetSystemFixedKey(keys_struct *keys, const u8 *key);
 
-u8* AesKeyScrambler(u8 *key, u8 *keyX, u8 *keyY);
+u8* AesKeyScrambler(u8 *key, const u8 *keyX, const u8 *keyY);
diff --git a/makerom/utils.c b/makerom/utils.c
index 450427fd..5a97fb66 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -4,21 +4,7 @@
 #include "polarssl/base64.h"
 
 // Memory
-void endian_memcpy(u8 *destination, u8 *source, u32 size, int endianness)
-{ 
-    for (u32 i = 0; i < size; i++){
-        switch (endianness){
-            case(BE):
-                destination[i] = source[i];
-                break;
-            case(LE):
-                destination[i] = source[((size-1)-i)];
-                break;
-        }
-    }
-}
-
-int CopyData(u8 **dest, u8 *source, u64 size)
+int CopyData(u8 **dest, const u8 *source, u64 size)
 {
 	if(!*dest){
 		*dest = malloc(size);
diff --git a/makerom/utils.h b/makerom/utils.h
index da32454f..c479f113 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -7,8 +7,7 @@ typedef struct
 } buffer_struct;
 
 // Memory
-void endian_memcpy(u8 *destination, u8 *source, u32 size, int endianness);
-int CopyData(u8 **dest, u8 *source, u64 size);
+int CopyData(u8 **dest, const u8 *source, u64 size);
 void rndset(void *ptr, u64 num);
 void clrmem(void *ptr, u64 num);
 

From 3f3418e8402be61825a14dbf5d1fc88b2b9f0d21 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 24 Oct 2015 13:50:05 +0800
Subject: [PATCH 112/317] [makerom] Updated NCSD spec, as per 3dbrew.org
 contributor research.

---
 makerom/cardinfo.c | 38 ++++++++++++++++++++++++++------------
 makerom/cardinfo.h | 20 +++++++-------------
 2 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/makerom/cardinfo.c b/makerom/cardinfo.c
index e9b80a41..4a278b7a 100644
--- a/makerom/cardinfo.c
+++ b/makerom/cardinfo.c
@@ -7,8 +7,8 @@ void InitCardInfoHdr(cardinfo_hdr **cihdr, devcardinfo_hdr **dcihdr, cci_setting
 int SetWriteableAddress(cardinfo_hdr *hdr, cci_settings *set);
 int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set);
 int SetCardInfoNotes(cardinfo_hdr *hdr, cci_settings *set);
-void ImportNcch0Data(cardinfo_hdr *hdr, cci_settings *set);
-void SetInitialData(cardinfo_hdr *hdr, cci_settings *set);
+void SetNcchHeader(cardinfo_hdr *hdr, cci_settings *set);
+void SetCardSeedData(cardinfo_hdr *hdr, cci_settings *set);
 void SetDevCardInfo(devcardinfo_hdr *hdr, cci_settings *set);
 
 
@@ -25,8 +25,8 @@ int GenCardInfoHdr(cci_settings *set)
 		return GEN_HDR_FAIL;
 	if(SetCardInfoNotes(cihdr,set))
 		return GEN_HDR_FAIL;
-	ImportNcch0Data(cihdr,set);
-	SetInitialData(cihdr,set);
+	SetNcchHeader(cihdr,set);
+	SetCardSeedData(cihdr,set);
 	
 	if(dcihdr)
 		SetDevCardInfo(dcihdr,set);
@@ -49,6 +49,8 @@ void InitCardInfoHdr(cardinfo_hdr **cihdr, devcardinfo_hdr **dcihdr, cci_setting
 	else
 		*dcihdr = NULL;
 	
+	//clrmem(set->headers.cardinfohdr.buffer, set->headers.cardinfohdr.size);
+
 	return;
 }
 
@@ -174,7 +176,7 @@ int SetCardInfoNotes(cardinfo_hdr *hdr, cci_settings *set)
 	return 0;
 }
 
-void ImportNcch0Data(cardinfo_hdr *hdr, cci_settings *set)
+void SetNcchHeader(cardinfo_hdr *hdr, cci_settings *set)
 {
 	u8 *ncch;
 	ncch_hdr *ncchHdr;
@@ -182,19 +184,31 @@ void ImportNcch0Data(cardinfo_hdr *hdr, cci_settings *set)
 	ncch = set->content.data + set->content.dOffset[0];
 	ncchHdr = (ncch_hdr*)ncch;
 	
-	memcpy(hdr->ncch0TitleId,ncchHdr->titleId,8);
 	memcpy(hdr->ncch0Hdr,GetNcchHdrData(ncchHdr),GetNcchHdrDataLen(ncchHdr));
 	
 	return;
 }
 
-void SetInitialData(cardinfo_hdr *hdr, cci_settings *set)
+void SetCardSeedData(cardinfo_hdr *hdr, cci_settings *set)
 {
-	clrmem(hdr->initialData,0x30);
-	if(set->options.useExternalSdkCardInfo)
-		memcpy(hdr->initialData,(u8*)stock_initial_data,0x30);
-	else
-		rndset(hdr->initialData,0x2c);
+	u8 *ncch;
+	ncch_hdr *ncchHdr;
+
+	ncch = set->content.data + set->content.dOffset[0];
+	ncchHdr = (ncch_hdr*)ncch;
+
+	if (set->options.useExternalSdkCardInfo) {
+		memcpy(hdr->cardSeedKeyY, ncchHdr->titleId, 8);
+		clrmem(hdr->encCardSeed, 0x10);
+		memcpy(hdr->cardSeedMac, stock_card_seed_mac, 0x10);
+		clrmem(hdr->cardSeedNonce, 0xC);
+	}
+	else {
+		memcpy(hdr->cardSeedKeyY, ncchHdr->titleId, 8);
+		rndset(hdr->encCardSeed, 0x10);
+		rndset(hdr->cardSeedMac, 0x10);
+		rndset(hdr->cardSeedNonce, 0xC);
+	}
 		
 	return;
 }
diff --git a/makerom/cardinfo.h b/makerom/cardinfo.h
index 271edac8..1b368056 100644
--- a/makerom/cardinfo.h
+++ b/makerom/cardinfo.h
@@ -17,10 +17,11 @@ typedef struct
 	u8 writableAddress[4];
 	u8 cardInfoBitmask[4];
 	cardinfo_notes notes;
-	u8 ncch0TitleId[8];
-	u8 reserved0[8];
-	u8 initialData[0x30];
-	u8 reserved1[0xc0];
+	u8 cardSeedKeyY[0x10];
+	u8 encCardSeed[0x10];
+	u8 cardSeedMac[0x10];
+	u8 cardSeedNonce[0xc];
+	u8 reserved1[0xc4];
 	u8 ncch0Hdr[0x100];
 } cardinfo_hdr;
 
@@ -31,16 +32,9 @@ typedef struct
 	u8 cardDeviceReserved2[0xf0];
 } devcardinfo_hdr;
 
-static const u8 stock_initial_data[0x30] = 
+static const u8 stock_card_seed_mac[0x30] = 
 {
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0xAD, 0x88, 
-	0xAC, 0x41, 0xA2, 0xB1, 0x5E, 0x8F, 
-	0x66, 0x9C, 0x97, 0xE5, 0xE1, 0x5E, 
-	0xA3, 0xEB, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0xAD, 0x88, 0xAC, 0x41, 0xA2, 0xB1, 0x5E, 0x8F, 0x66, 0x9C, 0x97, 0xE5, 0xE1, 0x5E, 0xA3, 0xEB
 };
 
 static const u8 stock_title_key[0x10] = 

From a4b261bde7801b48a1fe5ee5619ca5a380361da4 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Sat, 31 Oct 2015 13:10:46 +0100
Subject: [PATCH 113/317] Added padlock.c back. Fixes building for x86 targets.

---
 makerom/polarssl/padlock.c | 162 +++++++++++++++++++++++++++++++++++++
 1 file changed, 162 insertions(+)
 create mode 100644 makerom/polarssl/padlock.c

diff --git a/makerom/polarssl/padlock.c b/makerom/polarssl/padlock.c
new file mode 100644
index 00000000..9ddac15e
--- /dev/null
+++ b/makerom/polarssl/padlock.c
@@ -0,0 +1,162 @@
+/*
+ *  VIA PadLock support functions
+ *
+ *  Copyright (C) 2006-2010, Brainspark B.V.
+ *
+ *  This file is part of PolarSSL (http://www.polarssl.org)
+ *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *
+ *  All rights reserved.
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+/*
+ *  This implementation is based on the VIA PadLock Programming Guide:
+ *
+ *  http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
+ *  programming_guide.pdf
+ */
+
+#include "polarssl/config.h"
+
+#if defined(POLARSSL_PADLOCK_C)
+
+#include "polarssl/padlock.h"
+
+#if defined(POLARSSL_HAVE_X86)
+
+/*
+ * PadLock detection routine
+ */
+int padlock_supports( int feature )
+{
+    static int flags = -1;
+    int ebx, edx;
+
+    if( flags == -1 )
+    {
+        __asm__( "movl  %%ebx, %0           \n"     \
+             "movl  $0xC0000000, %%eax  \n"     \
+             "cpuid                     \n"     \
+             "cmpl  $0xC0000001, %%eax  \n"     \
+             "movl  $0, %%edx           \n"     \
+             "jb    unsupported         \n"     \
+             "movl  $0xC0000001, %%eax  \n"     \
+             "cpuid                     \n"     \
+             "unsupported:              \n"     \
+             "movl  %%edx, %1           \n"     \
+             "movl  %2, %%ebx           \n"
+             : "=m" (ebx), "=m" (edx)
+             :  "m" (ebx)
+             : "eax", "ecx", "edx" );
+
+        flags = edx;
+    }
+
+    return( flags & feature );
+}
+
+/*
+ * PadLock AES-ECB block en(de)cryption
+ */
+int padlock_xcryptecb( aes_context *ctx,
+                       int mode,
+                       const unsigned char input[16],
+                       unsigned char output[16] )
+{
+    int ebx;
+    uint32_t *rk;
+    uint32_t *blk;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    rk  = ctx->rk;
+    blk = PADLOCK_ALIGN16( buf );
+    memcpy( blk, input, 16 );
+
+     ctrl = blk + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode^1 ) - 10 ) << 9 );
+
+    __asm__( "pushfl; popfl         \n"     \
+         "movl    %%ebx, %0     \n"     \
+         "movl    $1, %%ecx     \n"     \
+         "movl    %2, %%edx     \n"     \
+         "movl    %3, %%ebx     \n"     \
+         "movl    %4, %%esi     \n"     \
+         "movl    %4, %%edi     \n"     \
+         ".byte  0xf3,0x0f,0xa7,0xc8\n" \
+         "movl    %1, %%ebx     \n"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
+         : "ecx", "edx", "esi", "edi" );
+
+    memcpy( output, blk, 16 );
+
+    return( 0 );
+}
+
+/*
+ * PadLock AES-CBC buffer en(de)cryption
+ */
+int padlock_xcryptcbc( aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int ebx;
+    size_t count;
+    uint32_t *rk;
+    uint32_t *iw;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    if( ( (long) input  & 15 ) != 0 ||
+        ( (long) output & 15 ) != 0 )
+        return( POLARSSL_ERR_PADLOCK_DATA_MISALIGNED );
+
+    rk = ctx->rk;
+    iw = PADLOCK_ALIGN16( buf );
+    memcpy( iw, iv, 16 );
+
+     ctrl = iw + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + (mode^1) - 10 ) << 9 );
+
+    count = (length + 15) >> 4;
+
+    __asm__( "pushfl; popfl         \n"     \
+         "movl    %%ebx, %0     \n"     \
+         "movl    %2, %%ecx     \n"     \
+         "movl    %3, %%edx     \n"     \
+         "movl    %4, %%ebx     \n"     \
+         "movl    %5, %%esi     \n"     \
+         "movl    %6, %%edi     \n"     \
+         "movl    %7, %%eax     \n"     \
+         ".byte  0xf3,0x0f,0xa7,0xd0\n" \
+         "movl    %1, %%ebx     \n"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (count), "m" (ctrl),
+            "m"  (rk), "m" (input), "m" (output), "m" (iw)
+         : "eax", "ecx", "edx", "esi", "edi" );
+
+    memcpy( iv, iw, 16 );
+
+    return( 0 );
+}
+
+#endif
+
+#endif

From 7116b5549fa108d2ea92dda7924801fc21b60b3e Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 3 Nov 2015 16:14:27 +0800
Subject: [PATCH 114/317] [ctrtool] Changed TMD title version representation.

---
 ctrtool/tmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ctrtool/tmd.c b/ctrtool/tmd.c
index 8ba2dd24..af5691ff 100644
--- a/ctrtool/tmd.c
+++ b/ctrtool/tmd.c
@@ -87,6 +87,7 @@ void tmd_print(tmd_context* ctx)
 	ctr_tmd_body* body = 0;
 	unsigned int contentcount = 0;
 	unsigned int savesize = 0;
+	unsigned int titlever = 0;
 	unsigned int i;
 
 	if (type == TMD_RSA_2048_SHA256 || type == TMD_RSA_2048_SHA1)
@@ -106,6 +107,7 @@ void tmd_print(tmd_context* ctx)
 
 	contentcount = getbe16(body->contentcount);
 	savesize = getle32(body->savedatasize);
+	titlever = getbe16(body->titleversion);
 	
 	fprintf(stdout, "\nTMD header:\n");
 	fprintf(stdout, "Signature type:         %s\n", tmd_get_type_string(type));
@@ -124,7 +126,7 @@ void tmd_print(tmd_context* ctx)
 	else
 		fprintf(stdout, "Save Size:              %dMB (%08x)\n", savesize/sizeMB, savesize);
 	fprintf(stdout, "Access rights:          %08x\n", getbe32(body->accessrights));
-	fprintf(stdout, "Title version:          %04x\n", getbe16(body->titleversion));
+	fprintf(stdout, "Title version:          %d.%d.%d (v%d)\n", (titlever >> 10) & 0x3F, (titlever >> 4) & 0x3F, titlever & 0xF, titlever);
 	fprintf(stdout, "Content count:          %04x\n", getbe16(body->contentcount));
 	fprintf(stdout, "Boot content:           %04x\n", getbe16(body->bootcontent));
 	memdump(stdout, "Hash:                   ", body->hash, 32);

From 3cb804ee6a2dc58829206ded1ddf606d9b1f7e3b Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 3 Nov 2015 16:18:01 +0800
Subject: [PATCH 115/317] [makerom] Separated ELF processing from code segment
 construction. StackSize now read from exheader template.

---
 makerom/accessdesc.c            |  10 +-
 makerom/code.c                  | 388 +++++++++++++
 makerom/code.h                  |   3 +
 makerom/elf.c                   | 937 +++++---------------------------
 makerom/elf.h                   | 139 +++--
 makerom/elf_hdr.h               | 192 -------
 makerom/exheader.c              |  91 ++--
 makerom/exheader.h              |  27 +-
 makerom/makerom.vcxproj         |   3 +-
 makerom/makerom.vcxproj.filters |   9 +-
 makerom/ncch.c                  |   2 +-
 makerom/ncch_build.h            |   1 +
 makerom/utils.c                 |   6 +-
 makerom/utils.h                 |   6 +-
 14 files changed, 726 insertions(+), 1088 deletions(-)
 create mode 100644 makerom/code.c
 create mode 100644 makerom/code.h
 delete mode 100644 makerom/elf_hdr.h

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index fcb17be3..dde1b58b 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -44,12 +44,10 @@ int accessdesc_SignWithKey(exheader_settings *exhdrset)
 	memcpy(&exhdrset->acexDesc->arm9AccessControlInfo,&exhdrset->exHdr->arm9AccessControlInfo,sizeof(exhdr_ARM9AccessControlInfo));
 	
 	/* Adjust Data */
-	u8 *flag = &exhdrset->acexDesc->arm11SystemLocalCapabilities.flag[2];
-	u8 SystemMode = (*flag>>4)&0xF;
-	u8 AffinityMask = (*flag>>2)&0x3;
-	u8 IdealProcessor = 1<<((*flag>>0)&0x3);
-	*flag = (u8)(SystemMode << 4 | AffinityMask << 2 | IdealProcessor);
-	exhdrset->acexDesc->arm11SystemLocalCapabilities.flag[3] /= 2;
+	exhdr_ARM11SystemLocalCapabilities *arm11 = &exhdrset->acexDesc->arm11SystemLocalCapabilities;
+
+	arm11->idealProcessor = 1 << arm11->idealProcessor;
+	arm11->threadPriority /= 2;
 
 	/* Sign AccessDesc */
 	return SignAccessDesc(exhdrset->acexDesc,exhdrset->keys);
diff --git a/makerom/code.c b/makerom/code.c
new file mode 100644
index 00000000..ea31b2c0
--- /dev/null
+++ b/makerom/code.c
@@ -0,0 +1,388 @@
+#include "lib.h"
+#include "elf.h"
+#include "blz.h"
+#include "ncch_build.h"
+#include "exheader_read.h"
+#include "code.h"
+
+const char *SDK_PLAINREGION_SEGMENT_NAME = ".module_id";
+
+typedef struct code_segment
+{
+	u32 address;
+	u32 size;
+	u32 maxPageNum;
+	u8 *data;
+} code_segment;
+
+u32 GetPageSize(ncch_settings *set)
+{
+	if (set->rsfSet->Option.PageSize)
+		return strtoul(set->rsfSet->Option.PageSize, NULL, 10);
+	return 0x1000;
+}
+
+u32 SizeToPage(u32 memorySize, elf_context *elf)
+{
+	return align(memorySize, elf->pageSize) / elf->pageSize;
+}
+
+int ImportPlainRegionFromFile(ncch_settings *set)
+{
+	set->sections.plainRegion.size = align(set->componentFilePtrs.plainregionSize, set->options.blockSize);
+	set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
+	if (!set->sections.plainRegion.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
+	ReadFile64(set->sections.plainRegion.buffer, set->componentFilePtrs.plainregionSize, 0, set->componentFilePtrs.plainregion);
+	return 0;
+}
+
+int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
+{
+	u32 size = set->componentFilePtrs.codeSize;
+	u8 *buffer = malloc(size);
+	if (!buffer) {
+		fprintf(stderr, "[ELF ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
+	ReadFile64(buffer, size, 0, set->componentFilePtrs.code);
+
+	set->exefsSections.code.size = set->componentFilePtrs.codeSize;
+	set->exefsSections.code.buffer = malloc(set->exefsSections.code.size);
+	if (!set->exefsSections.code.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
+	ReadFile64(set->exefsSections.code.buffer, set->exefsSections.code.size, 0, set->componentFilePtrs.code);
+	if (set->options.CompressCode) {
+		u32 new_len;
+		set->exefsSections.code.buffer = BLZ_Code(buffer, size, &new_len, BLZ_NORMAL);
+		set->exefsSections.code.size = new_len;
+		free(buffer);
+	}
+	else {
+		set->exefsSections.code.size = size;
+		set->exefsSections.code.buffer = buffer;
+	}
+
+	size = set->componentFilePtrs.exhdrSize;
+	if (size < sizeof(extended_hdr)) {
+		fprintf(stderr, "[ELF ERROR] Exheader code info template is too small\n");
+		return FAILED_TO_IMPORT_FILE;
+	}
+	extended_hdr *exhdr = malloc(size);
+	if (!exhdr) {
+		fprintf(stderr, "[ELF ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
+	ReadFile64(exhdr, size, 0, set->componentFilePtrs.exhdr);
+
+	/* Setting code_segment data */
+	set->codeDetails.textAddress = u8_to_u32(exhdr->codeSetInfo.text.address, LE);
+	set->codeDetails.textMaxPages = u8_to_u32(exhdr->codeSetInfo.text.numMaxPages, LE);
+	set->codeDetails.textSize = u8_to_u32(exhdr->codeSetInfo.text.codeSize, LE);
+
+	set->codeDetails.roAddress = u8_to_u32(exhdr->codeSetInfo.rodata.address, LE);
+	set->codeDetails.roMaxPages = u8_to_u32(exhdr->codeSetInfo.rodata.numMaxPages, LE);
+	set->codeDetails.roSize = u8_to_u32(exhdr->codeSetInfo.rodata.codeSize, LE);
+
+	set->codeDetails.rwAddress = u8_to_u32(exhdr->codeSetInfo.data.address, LE);
+	set->codeDetails.rwMaxPages = u8_to_u32(exhdr->codeSetInfo.data.numMaxPages, LE);
+	set->codeDetails.rwSize = u8_to_u32(exhdr->codeSetInfo.data.codeSize, LE);
+
+	set->codeDetails.bssSize = u8_to_u32(exhdr->codeSetInfo.bssSize, LE);
+
+	set->codeDetails.stackSize = u8_to_u32(exhdr->codeSetInfo.stackSize, LE);
+
+	free(exhdr);
+
+	return 0;
+}
+
+int GetBSSFromElf(elf_context *elf, ncch_settings *set)
+{
+	set->codeDetails.bssSize = 0;
+
+	for (int i = 0; i < elf->sectionTableEntryCount; i++) {
+		if (IsBss(&elf->sections[i]))
+			set->codeDetails.bssSize = elf->sections[i].size;
+	}
+
+	return 0;
+}
+
+int ImportPlainRegionFromElf(elf_context *elf, ncch_settings *set) // Doesn't work same as N makerom
+{
+	u64 size = 0;
+	u64 offset = 0;
+	for (u16 i = 0; i < elf->activeSegments; i++) {
+		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0) {
+			size = elf->segments[i].header->sizeInFile;
+			offset = elf->segments[i].header->offsetInFile;
+			break;
+		}
+	}
+
+
+	if (size > 0) {
+		/* Creating Output Buffer */
+		set->sections.plainRegion.size = align(size, set->options.blockSize);
+		set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
+		if (!set->sections.plainRegion.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
+		memset(set->sections.plainRegion.buffer, 0, set->sections.plainRegion.size);
+
+		/* Copy Plain Region */
+		memcpy(set->sections.plainRegion.buffer, elf->file + offset, size);
+	}
+
+	return 0;
+}
+
+int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags)
+{
+	memset(out, 0, sizeof(code_segment));
+
+	u16 seg_num = 0;
+	elf_segment **seg = calloc(elf->activeSegments, sizeof(elf_segment*));
+
+	for (u16 i = 0; i < elf->activeSegments; i++) {
+		// Skip SDK ELF plain region
+		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0)
+			continue;
+
+		//printf("SegName: %s (flags: %x)\n", elf->segments[i].name, elf->segments[i].header->flags);
+		if ((elf->segments[i].header->flags & ~PF_CTRSDK) == segment_flags) {
+			if (seg_num == 0) {
+				seg[seg_num] = &elf->segments[i];
+				seg_num++;
+			}
+			else if (elf->segments[i].vAddr == (u32)align(seg[seg_num - 1]->vAddr, seg[seg_num - 1]->header->alignment)) {
+				seg[seg_num] = &elf->segments[i];
+				seg_num++;
+			}
+		}
+	}
+
+	/* Return if there are no applicable segment */
+	if (seg_num == 0)
+		return 0;
+
+	/* Getting Segment Size/Settings */
+	u32 vAddr = 0;
+	u32 memorySize = 0;
+	for (u16 i = 0; i < seg_num; i++) {
+		if (i == 0) {
+			vAddr = seg[i]->vAddr;
+		}
+		else { // Add rounded size from previous segment
+			u32 padding = seg[i]->vAddr - (vAddr + memorySize);
+			memorySize += padding;
+		}
+
+		memorySize += seg[i]->header->sizeInMemory;
+
+		if (IsBss(&seg[i]->sections[seg[i]->sectionNum - 1]))
+			memorySize -= seg[i]->sections[seg[i]->sectionNum - 1].size;
+	}
+
+	// For Check
+#ifdef DEBUG
+	printf("Address: 0x%x\n", vAddr);
+	printf("Size:    0x%x\n", memorySize);
+#endif
+
+	out->address = vAddr;
+	out->size = memorySize;
+	out->maxPageNum = SizeToPage(memorySize, elf);
+	out->data = malloc(memorySize);
+
+	/* Writing Segment to Buffer */
+	for (int i = 0; i < seg_num; i++) {
+
+		for (int j = 0; j < seg[i]->sectionNum; j++) {
+			elf_section_entry *section = &seg[i]->sections[j];
+			if (!IsBss(section)) {
+				u8 *pos = (out->data + (section->address - seg[i]->vAddr));
+				memcpy(pos, section->ptr, section->size);
+				//size += section->size;
+			}
+		}
+	}
+
+	free(seg);
+	return 0;
+}
+
+int CreateExeFsCode(elf_context *elf, ncch_settings *set)
+{
+	/* Getting Code Segments */
+	code_segment text;
+	memset(&text, 0, sizeof(code_segment));
+	code_segment rodata;
+	memset(&rodata, 0, sizeof(code_segment));
+	code_segment rwdata;
+	memset(&rwdata, 0, sizeof(code_segment));
+
+	int result = CreateCodeSegmentFromElf(&text, elf, PF_TEXT);
+	if (result) return result;
+	result = CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA);
+	if (result) return result;
+	result = CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA);
+	if (result) return result;
+
+	/* Checking the existence of essential ELF Segments */
+	if (!text.size) return NOT_FIND_TEXT_SEGMENT;
+	if (!rwdata.size) return NOT_FIND_DATA_SEGMENT;
+
+	/* Allocating Buffer for ExeFs Code */
+	u32 size = (text.maxPageNum + rodata.maxPageNum + rwdata.maxPageNum)*elf->pageSize;
+	u8 *code = calloc(1, size);
+
+	/* Writing Code into Buffer */
+	u8 *textPos = (code + 0);
+	u8 *rodataPos = (code + text.maxPageNum*elf->pageSize);
+	u8 *rwdataPos = (code + (text.maxPageNum + rodata.maxPageNum)*elf->pageSize);
+	if (text.size) memcpy(textPos, text.data, text.size);
+	if (rodata.size) memcpy(rodataPos, rodata.data, rodata.size);
+	if (rwdata.size) memcpy(rwdataPos, rwdata.data, rwdata.size);
+
+
+	/* Compressing If needed */
+	if (set->options.CompressCode) {
+		u32 new_len;
+		set->exefsSections.code.buffer = BLZ_Code(code, size, &new_len, BLZ_NORMAL);
+		set->exefsSections.code.size = new_len;
+		free(code);
+	}
+	else {
+		set->exefsSections.code.size = size;
+		set->exefsSections.code.buffer = code;
+	}
+
+	/* Setting code_segment data and freeing original buffers */
+	set->codeDetails.textAddress = text.address;
+	set->codeDetails.textMaxPages = text.maxPageNum;
+	set->codeDetails.textSize = text.size;
+	if (text.size) free(text.data);
+
+	set->codeDetails.roAddress = rodata.address;
+	set->codeDetails.roMaxPages = rodata.maxPageNum;
+	set->codeDetails.roSize = rodata.size;
+	if (rodata.size) free(rodata.data);
+
+	set->codeDetails.rwAddress = rwdata.address;
+	set->codeDetails.rwMaxPages = rwdata.maxPageNum;
+	set->codeDetails.rwSize = rwdata.size;
+	if (rwdata.size) free(rwdata.data);
+
+	if (set->rsfSet->SystemControlInfo.StackSize)
+		set->codeDetails.stackSize = strtoul(set->rsfSet->SystemControlInfo.StackSize, NULL, 0);
+	else {
+		fprintf(stderr, "[CODE ERROR] RSF Parameter Not Found: \"SystemControlInfo/StackSize\"\n");
+		return 1;
+	}
+
+	/* Return */
+	return 0;
+}
+
+void PrintElfContext(elf_context *elf)
+{
+	printf("[ELF] Program Table Data\n");
+	printf(" Offset: 0x%x\n", elf->programTableOffset);
+	printf(" Size:   0x%x\n", elf->programTableEntrySize);
+	printf(" Count:  0x%x\n", elf->programTableEntryCount);
+	printf("[ELF] Section Table Data\n");
+	printf(" Offset: 0x%x\n", elf->sectionTableOffset);
+	printf(" Size:   0x%x\n", elf->sectionTableEntrySize);
+	printf(" Count:  0x%x\n", elf->sectionTableEntryCount);
+	printf(" Label index: 0x%x\n", elf->sectionHeaderNameEntryIndex);
+	for (int i = 0; i < elf->activeSegments; i++) {
+		printf(" Segment [%d][%s]\n", i, elf->segments[i].name);
+		printf(" > Size :     0x%x\n", elf->segments[i].header->sizeInFile);
+		printf(" > Address :  0x%x\n", elf->segments[i].vAddr);
+		printf(" > Flags:     0x%x\n", elf->segments[i].header->flags);
+		printf(" > Type:      0x%x\n", elf->segments[i].header->type);
+		printf(" > Sections : %d\n", elf->segments[i].sectionNum);
+		for (int j = 0; j < elf->segments[i].sectionNum; j++)
+			printf("    > Section [%d][%s][0x%x][0x%x]\n", j, elf->segments[i].sections[j].name, elf->segments[i].sections[j].flags, elf->segments[i].sections[j].type);
+
+		/*
+		char outpath[100];
+		memset(&outpath,0,100);
+		sprintf(outpath,"%s.bin",elf->sections[i].name);
+		chdir("elfsections");
+		FILE *tmp = fopen(outpath,"wb");
+		WriteBuffer(elf->sections[i].ptr,elf->sections[i].size,0,tmp);
+		fclose(tmp);
+		chdir("..");
+		*/
+	}
+
+}
+
+int BuildExeFsCode(ncch_settings *set)
+{
+	int result = 0;
+	if (set->options.IsCfa)
+		return result;
+
+	if (set->componentFilePtrs.plainregion) // Import PlainRegion from file
+		if ((result = ImportPlainRegionFromFile(set))) return result;
+	if (!set->options.IsBuildingCodeSection) // Import ExeFs Code from file and return
+		return ImportExeFsCodeBinaryFromFile(set);
+
+	/* Import ELF */
+	u8 *elfFile = malloc(set->componentFilePtrs.elfSize);
+	if (!elfFile) {
+		fprintf(stderr, "[CODE ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
+	ReadFile64(elfFile, set->componentFilePtrs.elfSize, 0, set->componentFilePtrs.elf);
+
+	/* Create ELF Context */
+	elf_context *elf = calloc(1, sizeof(elf_context));
+	if (!elf) {
+		fprintf(stderr, "[CODE ERROR] Not enough memory\n");
+		free(elfFile);
+		return MEM_ERROR;
+	}
+
+	if ((result = GetElfContext(elf, elfFile))) goto finish;
+
+	/* Setting Page Size */
+	elf->pageSize = GetPageSize(set);
+
+	if (!set->componentFilePtrs.plainregion)
+		if ((result = ImportPlainRegionFromElf(elf, set))) goto finish;
+
+	if (set->options.verbose)
+		PrintElfContext(elf);
+
+	if ((result = CreateExeFsCode(elf, set))) goto finish;
+	if ((result = GetBSSFromElf(elf, set))) goto finish;
+
+finish:
+	switch (result) {
+	case (0) :
+		break;
+	case (NOT_ELF_FILE) :
+		fprintf(stderr, "[CODE ERROR] Not ELF File\n");
+		break;
+	case (NOT_CTR_ARM_ELF) :
+		fprintf(stderr, "[CODE ERROR] Not CTR ARM ELF\n");
+		break;
+	case (NON_EXECUTABLE_ELF) :
+		fprintf(stderr, "[CODE ERROR] Not Executeable ELF\n");
+		break;
+	case (NOT_FIND_TEXT_SEGMENT) :
+		fprintf(stderr, "[CODE ERROR] Failed to retrieve text sections from ELF\n");
+		break;
+	case (NOT_FIND_DATA_SEGMENT) :
+		fprintf(stderr, "[CODE ERROR] Failed to retrieve data sections from ELF\n");
+		break;
+	default:
+		fprintf(stderr, "[CODE ERROR] Failed to process ELF file (%d)\n", result);
+	}
+	
+	FreeElfContext(elf);
+	free(elfFile);
+	free(elf);
+	return result;
+}
diff --git a/makerom/code.h b/makerom/code.h
new file mode 100644
index 00000000..fdad0498
--- /dev/null
+++ b/makerom/code.h
@@ -0,0 +1,3 @@
+#pragma once
+
+int BuildExeFsCode(ncch_settings *ncchset);
\ No newline at end of file
diff --git a/makerom/elf.c b/makerom/elf.c
index aae35399..6aad3ef1 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -1,430 +1,149 @@
 #include "lib.h"
-#include "ncch_build.h"
-#include "exheader_read.h"
-#include "elf_hdr.h"
 #include "elf.h"
-#include "blz.h"
 
-const char *SDK_PLAINREGION_SEGMENT_NAME = ".module_id";
-
-int ImportPlainRegionFromFile(ncch_settings *set);
-int ImportExeFsCodeBinaryFromFile(ncch_settings *set);
-
-u32 GetPageSize(ncch_settings *set);
-u32 SizeToPage(u32 memorySize, elf_context *elf);
-
-int GetBSSFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set);
-int ImportPlainRegionFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set);
-int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set);
-int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, u64 segment_flags);
+static const u32 ELF_MAGIC = 0x7f454c46;
+
+typedef enum elf_bit_format_types
+{
+	elf_32_bit = 1,
+	elf_64_bit = 2,
+} elf_bit_format_types;
+
+typedef enum elf_endianness
+{
+	elf_little_endian = 1,
+	elf_big_endian = 2,
+} elf_endianness;
+
+typedef enum elf_type
+{
+	elf_relocatable = 1,
+	elf_executeable = 2,
+	elf_shared = 3,
+	elf_core = 4,
+} elf_type;
+
+typedef enum elf_target_architecture
+{
+	elf_arm = 0x28,
+} elf_target_architecture;
+
+typedef struct elf_hdr
+{
+	u8 magic[4];
+	u8 bitFormat;
+	u8 endianness;
+	u8 elfVersion;
+	u8 os;
+	u8 padding0[8];
+	u8 type[2];
+	u8 targetArchitecture[2];
+	u8 version[4];
+	u8 entryPoint[4];
+	u8 programHeaderTableOffset[4];
+	u8 sectionHeaderTableOffset[4];
+	u8 flags[4];
+	u8 headerSize[2];
+	u8 programHeaderEntrySize[2];
+	u8 programHeaderEntryCount[2];
+	u8 sectionTableEntrySize[2];
+	u8 sectionHeaderEntryCount[2];
+	u8 sectionHeaderNameEntryIndex[2];
+} elf_hdr;
+
+/* taken from elf specs, will not follow global style */
+
+/* Section header.  */
+typedef struct elf_shdr
+{
+	u8 name[4];		/* Section name (string tbl index) */
+	u8 type[4];		/* Section type */
+	u8 flags[4];		/* Section flags */
+	u8 addr[4];		/* Section virtual addr at execution */
+	u8 offset[4];		/* Section file offset */
+	u8 size[4];		/* Section size in bytes */
+	u8 link[4];		/* Link to another section */
+	u8 info[4];		/* Additional section information */
+	u8 addralign[4];		/* Section alignment */
+	u8 entsize[4];		/* Entry size if section holds table */
+} elf_shdr;
+
+/* Program segment header.  */
+typedef struct elf_phdr
+{
+	u8 type[4];			/* Segment type */
+	u8 offset[4];		/* Segment file offset */
+	u8 vaddr[4];		/* Segment virtual address */
+	u8 paddr[4];		/* Segment physical address */
+	u8 filesz[4];		/* Segment size in file */
+	u8 memsz[4];		/* Segment size in memory */
+	u8 flags[4];		/* Segment flags */
+	u8 align[4];		/* Segment alignment */
+} elf_phdr;
 
 // ELF Functions
-int GetElfContext(elf_context *elf, u8 *elfFile);
-int GetElfSectionEntries(elf_context *elf, u8 *elfFile);
-int GetElfProgramEntries(elf_context *elf, u8 *elfFile);
-void PrintElfContext(elf_context *elf, u8 *elfFile);
-int ReadElfHdr(elf_context *elf, u8 *elfFile);
+int GetElfSectionEntries(elf_context *elf);
+int GetElfProgramEntries(elf_context *elf);
+void PrintElfContext(elf_context *elf);
+int ReadElfHdr(elf_context *elf);
 
-int CreateElfSegments(elf_context *elf, u8 *elfFile);
+int CreateElfSegments(elf_context *elf);
 bool IsIgnoreSection(elf_section_entry info);
 
-/* ELF Section Entry Functions */
-u8* GetELFSectionHeader(u16 index, elf_context *elf, u8 *elfFile);
-u8* GetELFSectionEntry(u16 index, elf_context *elf, u8 *elfFile);
-char* GetELFSectionEntryName(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFSectionEntryType(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFSectionEntryFlags(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFSectionEntryAddress(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFSectionEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFSectionEntrySize(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFSectionEntryAlignment(u16 index, elf_context *elf, u8 *elfFile);
-
-u16 GetElfSectionIndexFromName(char *name, elf_context *elf, u8 *elfFile);
-
-bool IsBss(elf_section_entry *section);
-bool IsData(elf_section_entry *section);
-bool IsRoData(elf_section_entry *section);
-bool IsText(elf_section_entry *section);
-
-/* ELF Program Entry Functions */
-u8* GetELFProgramHeader(u16 index, elf_context *elf, u8 *elfFile);
-u8* GetELFProgramEntry(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryType(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryFlags(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryFileSize(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryMemorySize(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryVAddress(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryPAddress(u16 index, elf_context *elf, u8 *elfFile);
-u64 GetELFProgramEntryAlignment(u16 index, elf_context *elf, u8 *elfFile);
-
-
-int BuildExeFsCode(ncch_settings *set)
-{
-	int result = 0;
-	if(set->options.IsCfa)
-		return result;
-	if(set->componentFilePtrs.plainregion){ // Import PlainRegion from file
-		result = ImportPlainRegionFromFile(set);
-		if(result) return result;
-	}
-	if(!set->options.IsBuildingCodeSection){ // Import ExeFs Code from file and return
-		result = ImportExeFsCodeBinaryFromFile(set);
-		return result;
-	}
-
-	/* Import ELF */
-	u8 *elfFile = malloc(set->componentFilePtrs.elfSize);
-	if(!elfFile) {
-		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
-		return MEM_ERROR;
-	}
-	ReadFile64(elfFile,set->componentFilePtrs.elfSize,0,set->componentFilePtrs.elf);
-
-	/* Create ELF Context */
-	elf_context *elf = calloc(1,sizeof(elf_context));
-	if(!elf) {
-		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
-		free(elfFile); 
-		return MEM_ERROR;
-	}
-	
-	result = GetElfContext(elf,elfFile);
-	if(result) goto finish;
-
-	/* Setting Page Size */
-	elf->pageSize = GetPageSize(set);
-
-	if(!set->componentFilePtrs.plainregion){
-		result = ImportPlainRegionFromElf(elf,elfFile,set);
-		if(result) goto finish;
-	}
-
-	if(set->options.verbose)
-		PrintElfContext(elf,elfFile);
-
-	result = CreateExeFsCode(elf,elfFile,set);
-	if(result) goto finish;
-
-	result = GetBSSFromElf(elf,elfFile,set);
-	if(result) goto finish;
-
-finish:
-	switch (result) {
-		case (0) :
-			break;
-		case (NOT_ELF_FILE) :
-			fprintf(stderr, "[ELF ERROR] Not ELF File\n");
-			break;
-		case (NOT_ARM_ELF) :
-			fprintf(stderr, "[ELF ERROR] Not ARM ELF\n");
-			break;
-		case (NON_EXECUTABLE_ELF) :
-			fprintf(stderr, "[ELF ERROR] Not Executeable ELF\n");
-			break;
-		case (NOT_FIND_TEXT_SEGMENT) :
-			fprintf(stderr, "[ELF ERROR] Failed to retrieve text sections from ELF\n");
-			break;
-		case (NOT_FIND_DATA_SEGMENT) :
-			fprintf(stderr, "[ELF ERROR] Failed to retrieve data sections from ELF\n");
-			break;
-		default:
-			fprintf(stderr, "[ELF ERROR] Failed to process ELF file (%d)\n", result);
-	}
-	for(int i = 0; i < elf->activeSegments; i++)
-		free(elf->segments[i].sections);
-	free(elfFile);
-	free(elf->sections);
-	free(elf->programHeaders);
-	free(elf->segments);
-	free(elf);
-	return result;	
-}
-
-int ImportPlainRegionFromFile(ncch_settings *set)
-{
-	set->sections.plainRegion.size = align(set->componentFilePtrs.plainregionSize,set->options.blockSize);
-	set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
-	if(!set->sections.plainRegion.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
-	ReadFile64(set->sections.plainRegion.buffer,set->componentFilePtrs.plainregionSize,0,set->componentFilePtrs.plainregion);
-	return 0;
-}
-
-int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
-{
-	u32 size = set->componentFilePtrs.codeSize;
-	u8 *buffer = malloc(size);
-	if(!buffer) {
-		fprintf(stderr,"[ELF ERROR] Not enough memory\n");
-		return MEM_ERROR;
-	}
-	ReadFile64(buffer,size,0,set->componentFilePtrs.code);
-
-	set->exefsSections.code.size = set->componentFilePtrs.codeSize;
-	set->exefsSections.code.buffer = malloc(set->exefsSections.code.size);
-	if(!set->exefsSections.code.buffer) {fprintf(stderr,"[ELF ERROR] Not enough memory\n"); return MEM_ERROR;}
-	ReadFile64(set->exefsSections.code.buffer,set->exefsSections.code.size,0,set->componentFilePtrs.code);
-	if(set->options.CompressCode){
-		u32 new_len;
-		set->exefsSections.code.buffer = BLZ_Code(buffer,size,&new_len,BLZ_NORMAL);
-		set->exefsSections.code.size = new_len;
-		free(buffer);
-	}
-	else{
-		set->exefsSections.code.size = size;
-		set->exefsSections.code.buffer = buffer;
-	}
-	
-	size = set->componentFilePtrs.exhdrSize;
-	if(size < sizeof(extended_hdr)){
-		fprintf(stderr,"[ELF ERROR] Exheader code info template is too small\n");
-		return FAILED_TO_IMPORT_FILE;
-	}
-	extended_hdr *exhdr = malloc(size);
-	if(!exhdr) {
-		fprintf(stderr,"[ELF ERROR] Not enough memory\n");
-		return MEM_ERROR;
-	}
-	ReadFile64(exhdr,size,0,set->componentFilePtrs.exhdr);
-	
-	/* Setting code_segment data */
-	set->codeDetails.textAddress = u8_to_u32(exhdr->codeSetInfo.text.address,LE);
-	set->codeDetails.textMaxPages = u8_to_u32(exhdr->codeSetInfo.text.numMaxPages,LE);
-	set->codeDetails.textSize = u8_to_u32(exhdr->codeSetInfo.text.codeSize,LE);
-
-	set->codeDetails.roAddress = u8_to_u32(exhdr->codeSetInfo.rodata.address,LE);
-	set->codeDetails.roMaxPages = u8_to_u32(exhdr->codeSetInfo.rodata.numMaxPages,LE);
-	set->codeDetails.roSize = u8_to_u32(exhdr->codeSetInfo.rodata.codeSize,LE);
-
-	set->codeDetails.rwAddress = u8_to_u32(exhdr->codeSetInfo.data.address,LE);
-	set->codeDetails.rwMaxPages = u8_to_u32(exhdr->codeSetInfo.data.numMaxPages,LE);
-	set->codeDetails.rwSize = u8_to_u32(exhdr->codeSetInfo.data.codeSize,LE);
-	
-	set->codeDetails.bssSize = u8_to_u32(exhdr->codeSetInfo.bssSize,LE);
-	
-	free(exhdr);
-	
-	return 0;
-}
-
-u32 GetPageSize(ncch_settings *set)
-{
-	if(set->rsfSet->Option.PageSize)
-		return strtoul(set->rsfSet->Option.PageSize,NULL,10);
-	return 0x1000;
-}
-
-u32 SizeToPage(u32 memorySize, elf_context *elf)
-{
-	return align(memorySize,elf->pageSize)/elf->pageSize;
-}
-
+// ELF Functions
 
-int GetBSSFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set)
+int GetElfContext(elf_context *elf, const u8 *elfFile)
 {
-	set->codeDetails.bssSize = 0;
+	elf->file = elfFile;
 	
-	for(int i = 0; i < elf->sectionTableEntryCount; i++){
-		if(IsBss(&elf->sections[i]))
-			set->codeDetails.bssSize = elf->sections[i].size;
-	}
-	
-	return 0;
-}
+	int result;
 
-int ImportPlainRegionFromElf(elf_context *elf, u8 *elfFile, ncch_settings *set) // Doesn't work same as N makerom
-{
-	u64 size = 0;
-	u64 offset = 0;
-	for (u16 i = 0; i < elf->activeSegments; i++) {
-		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0) {
-			size = elf->segments[i].header->sizeInFile;
-			offset = elf->segments[i].header->offsetInFile;
-			break;
-		}
-	}
-	
-	
-	if (size > 0) {
-		/* Creating Output Buffer */
-		set->sections.plainRegion.size = align(size, set->options.blockSize);
-		set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
-		if (!set->sections.plainRegion.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
-		memset(set->sections.plainRegion.buffer, 0, set->sections.plainRegion.size);
-
-		/* Copy Plain Region */
-		memcpy(set->sections.plainRegion.buffer, elfFile+offset, size);
-	}
+	if((result = ReadElfHdr(elf))) return result;
+	if((result = GetElfSectionEntries(elf))) return result;
+	if((result = GetElfProgramEntries(elf))) return result;
+	if((result = CreateElfSegments(elf))) return result;
 
 	return 0;
 }
 
-int CreateExeFsCode(elf_context *elf, u8 *elfFile, ncch_settings *set)
+void FreeElfContext(elf_context *elf)
 {
-	/* Getting Code Segments */
-	code_segment text;
-	memset(&text,0,sizeof(code_segment));
-	code_segment rodata;
-	memset(&rodata,0,sizeof(code_segment));
-	code_segment rwdata;
-	memset(&rwdata,0,sizeof(code_segment));
-
-	int result = CreateCodeSegmentFromElf(&text,elf,elfFile,(PF_R|PF_X));
-	if(result) return result;
-	result = CreateCodeSegmentFromElf(&rodata,elf,elfFile,(PF_R));
-	if(result) return result;
-	result = CreateCodeSegmentFromElf(&rwdata,elf,elfFile,(PF_R | PF_W));
-	if(result) return result;
-
-	/* Checking the existence of essential ELF Segments */
-	if(!text.size) return NOT_FIND_TEXT_SEGMENT;
-	if(!rwdata.size) return NOT_FIND_DATA_SEGMENT;
-	
-	/* Allocating Buffer for ExeFs Code */
-	u32 size = (text.maxPageNum + rodata.maxPageNum + rwdata.maxPageNum)*elf->pageSize;
-	u8 *code = calloc(1,size);
-
-	/* Writing Code into Buffer */
-	u8 *textPos = (code + 0);
-	u8 *rodataPos = (code + text.maxPageNum*elf->pageSize);
-	u8 *rwdataPos = (code + (text.maxPageNum + rodata.maxPageNum)*elf->pageSize);
-	if(text.size) memcpy(textPos,text.data,text.size);
-	if(rodata.size) memcpy(rodataPos,rodata.data,rodata.size);
-	if(rwdata.size) memcpy(rwdataPos,rwdata.data,rwdata.size);
-
-
-	/* Compressing If needed */
-	if(set->options.CompressCode){
-		u32 new_len;
-		set->exefsSections.code.buffer = BLZ_Code(code,size,&new_len,BLZ_NORMAL);
-		set->exefsSections.code.size = new_len;
-		free(code);
-	}
-	else{
-		set->exefsSections.code.size = size;
-		set->exefsSections.code.buffer = code;
-	}
-
-	/* Setting code_segment data and freeing original buffers */
-	set->codeDetails.textAddress = text.address;
-	set->codeDetails.textMaxPages = text.maxPageNum;
-	set->codeDetails.textSize = text.size;
-	if(text.size) free(text.data);
-
-	set->codeDetails.roAddress = rodata.address;
-	set->codeDetails.roMaxPages = rodata.maxPageNum;
-	set->codeDetails.roSize = rodata.size;
-	if(rodata.size) free(rodata.data);
-
-	set->codeDetails.rwAddress = rwdata.address;
-	set->codeDetails.rwMaxPages = rwdata.maxPageNum;
-	set->codeDetails.rwSize = rwdata.size;
-	if(rwdata.size) free(rwdata.data);
-
-	/* Return */
-	return 0;
+	for (int i = 0; i < elf->activeSegments; i++)
+		free(elf->segments[i].sections);
+	free(elf->sections);
+	free(elf->programHeaders);
+	free(elf->segments);
 }
 
-int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u8 *elfFile, u64 segment_flags)
+int ReadElfHdr(elf_context *elf)
 {
-	memset(out, 0, sizeof(code_segment));
-
-	u16 seg_num = 0;
-	elf_segment **seg = calloc(elf->activeSegments, sizeof(elf_segment*));
-
-	for (u16 i = 0; i < elf->activeSegments; i++) {
-		// Skip SDK ELF plain region
-		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0)
-			continue;
-
-		//printf("SegName: %s (flags: %x)\n", elf->segments[i].name, elf->segments[i].header->flags);
-		if ((elf->segments[i].header->flags & ~PF_CTRSDK) == segment_flags) {
-			if (seg_num == 0) {
-				seg[seg_num] = &elf->segments[i];
-				seg_num++;
-			}
-			else if (elf->segments[i].vAddr == (u32)align(seg[seg_num - 1]->vAddr, seg[seg_num-1]->header->alignment)) {
-				seg[seg_num] = &elf->segments[i];
-				seg_num++;
-			}
-		}
-	}
+	const elf_hdr *hdr = (const elf_hdr*)elf->file;
 
-	/* Return if there are no applicable segment */
-	if (seg_num == 0)
-		return 0;
+	if (u8_to_u32(hdr->magic, BE) != ELF_MAGIC)
+		return NOT_ELF_FILE;
+	if (hdr->bitFormat != elf_32_bit)
+		return NOT_CTR_ARM_ELF;
+	if (hdr->endianness != elf_little_endian)
+		return NOT_CTR_ARM_ELF;
+	if (u8_to_u16(hdr->targetArchitecture, LE) != elf_arm)
+		return NOT_CTR_ARM_ELF;
+	if (u8_to_u16(hdr->type, LE) != elf_executeable)
+		return NON_EXECUTABLE_ELF;
 
-	/* Getting Segment Size/Settings */
-	u32 vAddr = 0;
-	u32 memorySize = 0;
-	for (u16 i = 0; i < seg_num; i++) {
-		if (i == 0) {
-			vAddr = seg[i]->vAddr;
-		}
-		else { // Add rounded size from previous segment
-			u32 padding = seg[i]->vAddr - (vAddr + memorySize);
-			memorySize += padding;
-		}
+	elf->programTableOffset = u8_to_u32(hdr->programHeaderTableOffset, LE);
+	elf->programTableEntrySize = u8_to_u16(hdr->programHeaderEntrySize, LE);
+	elf->programTableEntryCount = u8_to_u16(hdr->programHeaderEntryCount, LE);
 
-		memorySize += seg[i]->header->sizeInMemory;
+	elf->sectionTableOffset = u8_to_u32(hdr->sectionHeaderTableOffset, LE);
+	elf->sectionTableEntrySize = u8_to_u16(hdr->sectionTableEntrySize, LE);
+	elf->sectionTableEntryCount = u8_to_u16(hdr->sectionHeaderEntryCount, LE);
 
-		if (IsBss(&seg[i]->sections[seg[i]->sectionNum - 1]))
-			memorySize -= seg[i]->sections[seg[i]->sectionNum - 1].size;
-	}
+	elf->sectionHeaderNameEntryIndex = u8_to_u16(hdr->sectionHeaderNameEntryIndex, LE);
 
-	// For Check
-#ifdef DEBUG
-	printf("Address: 0x%x\n", vAddr);
-	printf("Size:    0x%x\n", memorySize);
-#endif
-
-	out->address = vAddr;
-	out->size = memorySize;
-	out->maxPageNum = SizeToPage(memorySize, elf);
-	out->data = malloc(memorySize);
-
-	/* Writing Segment to Buffer */
-	for (int i = 0; i < seg_num; i++) {
-		
-		for (int j = 0; j < seg[i]->sectionNum; j++) {
-			elf_section_entry *section = &seg[i]->sections[j];
-			if (!IsBss(section)) {
-				u8 *pos = (out->data + (section->address - seg[i]->vAddr));
-				memcpy(pos, section->ptr, section->size);
-				//size += section->size;
-			}
-		}
-	}
-
-	free(seg);
 	return 0;
 }
 
-// ELF Functions
-
-int GetElfContext(elf_context *elf, u8 *elfFile)
-{
-	if(u8_to_u32(elfFile,BE) != ELF_MAGIC) return NOT_ELF_FILE;
-	
-	elf->Is64bit = (elfFile[4] == elf_64_bit);
-	elf->IsLittleEndian = (elfFile[5] == elf_little_endian);
-	
-	int result = ReadElfHdr(elf,elfFile);
-	if(result) return result;
-
-	result = GetElfSectionEntries(elf,elfFile);
-	if(result) return result;
-
-	result = GetElfProgramEntries(elf,elfFile);
-	if(result) return result;
-
-	result = CreateElfSegments(elf,elfFile);
-	if(result) return result;
-
-	return 0;
-}
-
-int GetElfSectionEntries(elf_context *elf, u8 *elfFile)
+int GetElfSectionEntries(elf_context *elf)
 {
 	elf->sections = calloc(elf->sectionTableEntryCount,sizeof(elf_section_entry));
 	if(!elf->sections) {
@@ -432,20 +151,23 @@ int GetElfSectionEntries(elf_context *elf, u8 *elfFile)
 		return MEM_ERROR;
 	}
 
+	const elf_shdr *shdr = (const elf_shdr *)(elf->file + elf->sectionTableOffset);
+	const char *nameTable = (const char*)(elf->file + u8_to_u32(shdr[elf->sectionHeaderNameEntryIndex].offset, LE));
+
 	for(int i = 0; i < elf->sectionTableEntryCount; i++){
-		elf->sections[i].name = GetELFSectionEntryName(i,elf,elfFile);
-		elf->sections[i].type = GetELFSectionEntryType(i,elf,elfFile);
-		elf->sections[i].flags = GetELFSectionEntryFlags(i,elf,elfFile);
-		elf->sections[i].ptr = GetELFSectionEntry(i,elf,elfFile);
-		elf->sections[i].offsetInFile = GetELFSectionEntryFileOffset(i,elf,elfFile);
-		elf->sections[i].size = GetELFSectionEntrySize(i,elf,elfFile);
-		elf->sections[i].address = GetELFSectionEntryAddress(i,elf,elfFile);
-		elf->sections[i].alignment = GetELFSectionEntryAlignment(i,elf,elfFile);
+		elf->sections[i].name = nameTable + u8_to_u32(shdr[i].name, LE);
+		elf->sections[i].type = u8_to_u32(shdr[i].type, LE);
+		elf->sections[i].flags = u8_to_u32(shdr[i].flags, LE);
+		elf->sections[i].offsetInFile = u8_to_u32(shdr[i].offset, LE);
+		elf->sections[i].size = u8_to_u32(shdr[i].size, LE);
+		elf->sections[i].ptr = elf->file + elf->sections[i].offsetInFile;
+		elf->sections[i].address = u8_to_u32(shdr[i].addr, LE);
+		elf->sections[i].alignment = u8_to_u32(shdr[i].addralign, LE);
 	}
 	return 0;
 }
 
-int GetElfProgramEntries(elf_context *elf, u8 *elfFile)
+int GetElfProgramEntries(elf_context *elf)
 {
 	elf->programHeaders = calloc(elf->programTableEntryCount,sizeof(elf_program_entry));
 	if(!elf->programHeaders) {
@@ -453,240 +175,25 @@ int GetElfProgramEntries(elf_context *elf, u8 *elfFile)
 		return MEM_ERROR;
 	}
 
-	for(int i = 0; i < elf->programTableEntryCount; i++){
-		elf->programHeaders[i].type = GetELFProgramEntryType(i,elf,elfFile);
-		elf->programHeaders[i].flags = GetELFProgramEntryFlags(i,elf,elfFile);
-		elf->programHeaders[i].ptr = GetELFProgramEntry(i,elf,elfFile);
-		elf->programHeaders[i].offsetInFile = GetELFProgramEntryFileOffset(i,elf,elfFile);
-		elf->programHeaders[i].sizeInFile = GetELFProgramEntryFileSize(i,elf,elfFile);
-		elf->programHeaders[i].physicalAddress = GetELFProgramEntryPAddress(i,elf,elfFile);
-		elf->programHeaders[i].virtualAddress = GetELFProgramEntryVAddress(i,elf,elfFile);
-		elf->programHeaders[i].sizeInMemory = GetELFProgramEntryMemorySize(i,elf,elfFile);
-		elf->programHeaders[i].alignment = GetELFProgramEntryAlignment(i,elf,elfFile);
-	}
+	const elf_phdr *phdr = (const elf_phdr*)(elf->file + elf->programTableOffset);
 
-	return 0;
-}
-
-void PrintElfContext(elf_context *elf, u8 *elfFile)
-{
-	printf("[ELF] Basic Details\n");
-	printf(" Class:  %s\n",elf->Is64bit ? "64-bit" : "32-bit");
-	printf(" Data:   %s\n",elf->IsLittleEndian ? "Little Endian" : "Big Endian");
-	printf("[ELF] Program Table Data\n");
-	printf(" Offset: 0x%"PRIx64"\n",elf->programTableOffset);
-	printf(" Size:   0x%x\n",elf->programTableEntrySize);
-	printf(" Count:  0x%x\n",elf->programTableEntryCount);
-	printf("[ELF] Section Table Data\n");
-	printf(" Offset: 0x%"PRIx64"\n",elf->sectionTableOffset);
-	printf(" Size:   0x%x\n",elf->sectionTableEntrySize);
-	printf(" Count:  0x%x\n",elf->sectionTableEntryCount);
-	printf(" Label index: 0x%x\n",elf->sectionHeaderNameEntryIndex);
-	for(int i = 0; i < elf->activeSegments; i++){
-		printf(" Segment [%d][%s]\n",i,elf->segments[i].name);
-		printf(" > Size :     0x%"PRIx64"\n",elf->segments[i].header->sizeInFile);
-		printf(" > Address :  0x%"PRIx64"\n",elf->segments[i].vAddr);
-		printf(" > Flags:     0x%"PRIx64"\n", elf->segments[i].header->flags);
-		printf(" > Type:      0x%"PRIx64"\n", elf->segments[i].header->type);
-		printf(" > Sections : %d\n",elf->segments[i].sectionNum);  
-		for(int j = 0; j < elf->segments[i].sectionNum; j++)
-			printf("    > Section [%d][%s][0x%"PRIx64"][0x%"PRIx64"]\n",j,elf->segments[i].sections[j].name, elf->segments[i].sections[j].flags, elf->segments[i].sections[j].type);
-		
-		/*
-		char outpath[100];
-		memset(&outpath,0,100);
-		sprintf(outpath,"%s.bin",elf->sections[i].name);
-		chdir("elfsections");
-		FILE *tmp = fopen(outpath,"wb");
-		WriteBuffer(elf->sections[i].ptr,elf->sections[i].size,0,tmp);
-		fclose(tmp);
-		chdir("..");
-		*/
-	}
-
-}
-
-int ReadElfHdr(elf_context *elf, u8 *elfFile)
-{
-	if(elf->Is64bit){
-		elf_64_hdr *hdr = (elf_64_hdr*)elfFile;
-
-		u16 Architecture = u8_to_u16(hdr->targetArchitecture,elf->IsLittleEndian);
-		u16 Type = u8_to_u16(hdr->type,elf->IsLittleEndian);
-		if(Architecture != elf_arm) return NOT_ARM_ELF;
-		if(Type != elf_executeable) return NON_EXECUTABLE_ELF;
-
-		elf->programTableOffset = u8_to_u64(hdr->programHeaderTableOffset,elf->IsLittleEndian);
-		elf->programTableEntrySize = u8_to_u16(hdr->programHeaderEntrySize,elf->IsLittleEndian);
-		elf->programTableEntryCount = u8_to_u16(hdr->programHeaderEntryCount,elf->IsLittleEndian);
-
-		elf->sectionTableOffset = u8_to_u64(hdr->sectionHeaderTableOffset,elf->IsLittleEndian);
-		elf->sectionTableEntrySize = u8_to_u16(hdr->sectionTableEntrySize,elf->IsLittleEndian);
-		elf->sectionTableEntryCount = u8_to_u16(hdr->sectionHeaderEntryCount,elf->IsLittleEndian);
-
-		elf->sectionHeaderNameEntryIndex = u8_to_u16(hdr->sectionHeaderNameEntryIndex,elf->IsLittleEndian);
+	for(int i = 0; i < elf->programTableEntryCount; i++){
+		elf->programHeaders[i].type = u8_to_u32(phdr[i].type, LE);
+		elf->programHeaders[i].flags = u8_to_u32(phdr[i].flags, LE);
+		elf->programHeaders[i].offsetInFile = u8_to_u32(phdr[i].offset, LE);
+		elf->programHeaders[i].sizeInFile = u8_to_u32(phdr[i].filesz, LE);
+		elf->programHeaders[i].ptr = elf->file + elf->programHeaders[i].offsetInFile;
+		elf->programHeaders[i].physicalAddress = u8_to_u32(phdr[i].paddr, LE);
+		elf->programHeaders[i].virtualAddress = u8_to_u32(phdr[i].vaddr, LE);
+		elf->programHeaders[i].sizeInMemory = u8_to_u32(phdr[i].memsz, LE);
+		elf->programHeaders[i].alignment = u8_to_u32(phdr[i].align, LE);
 	}
-	else{
-		elf_32_hdr *hdr = (elf_32_hdr*)elfFile;
-
-		u16 Architecture = u8_to_u16(hdr->targetArchitecture,elf->IsLittleEndian);
-		u16 Type = u8_to_u16(hdr->type,elf->IsLittleEndian);
-		if(Architecture != elf_arm) return NOT_ARM_ELF;
-		if(Type != elf_executeable) return NON_EXECUTABLE_ELF;
-
-		elf->programTableOffset = u8_to_u32(hdr->programHeaderTableOffset,elf->IsLittleEndian);
-		elf->programTableEntrySize = u8_to_u16(hdr->programHeaderEntrySize,elf->IsLittleEndian);
-		elf->programTableEntryCount = u8_to_u16(hdr->programHeaderEntryCount,elf->IsLittleEndian);
-
-		elf->sectionTableOffset = u8_to_u32(hdr->sectionHeaderTableOffset,elf->IsLittleEndian);
-		elf->sectionTableEntrySize = u8_to_u16(hdr->sectionTableEntrySize,elf->IsLittleEndian);
-		elf->sectionTableEntryCount = u8_to_u16(hdr->sectionHeaderEntryCount,elf->IsLittleEndian);
 
-		elf->sectionHeaderNameEntryIndex = u8_to_u16(hdr->sectionHeaderNameEntryIndex,elf->IsLittleEndian);
-	}
 	return 0;
 }
 
 /* Section Hdr Functions */
 
-u8* GetELFSectionHeader(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return NULL;
-
-	return (elfFile + elf->sectionTableOffset + elf->sectionTableEntrySize*index);
-}
-
-u8* GetELFSectionEntry(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return NULL;
-
-	return (u8*) (elfFile + GetELFSectionEntryFileOffset(index,elf,elfFile));
-}
-
-char* GetELFSectionEntryName(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return 0;
-
-	u64 NameIndex = 0;
-	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		NameIndex = u8_to_u64(shdr->sh_name,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		NameIndex = u8_to_u32(shdr->sh_name,elf->IsLittleEndian);
-	}
-
-	u8 *NameTable = GetELFSectionEntry(elf->sectionHeaderNameEntryIndex,elf,elfFile);
-	
-	return (char*)(NameTable+NameIndex);
-}
-
-u64 GetELFSectionEntryType(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u64(shdr->sh_type,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u32(shdr->sh_type,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFSectionEntryFlags(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u64(shdr->sh_flags,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u32(shdr->sh_flags,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFSectionEntryAddress(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u64(shdr->sh_addr,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u32(shdr->sh_addr,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFSectionEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u64(shdr->sh_offset,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u32(shdr->sh_offset,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFSectionEntrySize(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u64(shdr->sh_size,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u32(shdr->sh_size,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFSectionEntryAlignment(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->sectionTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_shdr *shdr = (elf_64_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u64(shdr->sh_addralign,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_shdr *shdr = (elf_32_shdr*)GetELFSectionHeader(index,elf,elfFile);
-		return u8_to_u32(shdr->sh_addralign,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-
-u16 GetElfSectionIndexFromName(char *name, elf_context *elf, u8 *elfFile)
-{
-	for(int i = 0; i < elf->sectionTableEntryCount; i++){
-		if(strcmp(name,elf->sections[i].name) == 0) return i;
-	}
-	return 0; // Assuming 0 is always empty
-}
-
 bool IsBss(elf_section_entry *section)
 {
 	return (section->type == SHT_NOBITS && section->flags == (SHF_WRITE | SHF_ALLOC));
@@ -707,153 +214,7 @@ bool IsText(elf_section_entry *section)
 	return (section->type == SHT_PROGBITS && section->flags == (SHF_ALLOC | SHF_EXECINSTR));
 }
 
-/* ProgramHeader Functions */
-
-u8* GetELFProgramHeader(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return NULL;
-
-	return (elfFile + elf->programTableOffset + elf->programTableEntrySize*index);
-}
-
-u8* GetELFProgramEntry(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return NULL;
-
-	return (u8*) (elfFile + GetELFProgramEntryFileOffset(index,elf,elfFile));
-
-	return NULL;
-}
-
-u64 GetELFProgramEntryType(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_type,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_type,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFProgramEntryFlags(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_flags,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_flags,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFProgramEntryFileSize(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_filesz,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_filesz,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFProgramEntryFileOffset(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_offset,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_offset,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFProgramEntryMemorySize(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_memsz,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_memsz,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFProgramEntryVAddress(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_vaddr,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_vaddr,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-u64 GetELFProgramEntryPAddress(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_paddr,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_paddr,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
-
-u64 GetELFProgramEntryAlignment(u16 index, elf_context *elf, u8 *elfFile)
-{
-	if(index >= elf->programTableEntryCount) return 0;
-
-	if(elf->Is64bit){
-		elf_64_phdr *phdr = (elf_64_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u64(phdr->p_align,elf->IsLittleEndian);
-	}
-	else{
-		elf_32_phdr *phdr = (elf_32_phdr*)GetELFProgramHeader(index,elf,elfFile);
-		return u8_to_u32(phdr->p_align,elf->IsLittleEndian);
-	}
-
-	return 0;
-}
-
+/* Program Segment Functions */
 void InitSegment(elf_segment *segment)
 {
 	memset(segment, 0, sizeof(elf_segment));
@@ -880,7 +241,12 @@ void AddSegmentSection(elf_segment *segment, elf_section_entry *section)
 	segment->sectionNum++;
 }
 
-int CreateElfSegments(elf_context *elf, u8 *elfFile)
+bool IsIgnoreSection(elf_section_entry info)
+{
+	return !(info.flags & SHF_ALLOC);//(info.type != SHT_PROGBITS && info.type != SHT_NOBITS && info.type != SHT_INIT_ARRAY && info.type != SHT_FINI_ARRAY && info.type != SHT_ARM_EXIDX);
+}
+
+int CreateElfSegments(elf_context *elf)
 {
 	// Interate through Each Program Header
 	elf->activeSegments = 0;
@@ -945,9 +311,4 @@ int CreateElfSegments(elf_context *elf, u8 *elfFile)
 	}
 
 	return 0;
-}
-
-bool IsIgnoreSection(elf_section_entry info)
-{
-	return (info.type != SHT_PROGBITS && info.type != SHT_NOBITS && info.type != SHT_INIT_ARRAY && info.type != SHT_FINI_ARRAY && info.type != SHT_ARM_EXIDX);
-}
+}
\ No newline at end of file
diff --git a/makerom/elf.h b/makerom/elf.h
index a6b856af..c568a5b5 100644
--- a/makerom/elf.h
+++ b/makerom/elf.h
@@ -1,9 +1,9 @@
 #pragma once
 
-typedef enum
+typedef enum elf_errors
 {
 	NOT_ELF_FILE = -10,
-	NOT_ARM_ELF = -11,
+	NOT_CTR_ARM_ELF = -11,
 	NON_EXECUTABLE_ELF = -12,
 	ELF_SECTION_NOT_FOUND = -13,
 	NOT_FIND_TEXT_SEGMENT = -14,
@@ -13,35 +13,101 @@ typedef enum
 	ELF_SEGMENTS_NOT_FOUND = -18,
 } elf_errors;
 
-typedef struct
+typedef enum elf_section_type
 {
-	char *name;
-	u64 type;
-	u64 flags;
-	u8 *ptr;
-	u64 offsetInFile;
-	u64 size;
-	u64 address;
-	u64 alignment;
+	SHT_NULL,
+	SHT_PROGBITS,
+	SHT_SYMTAB,
+	SHT_STRTAB,
+	SHT_RELA,
+	SHT_HASH,
+	SHT_DYNAMIC,
+	SHT_NOTE,
+	SHT_NOBITS,
+	SHT_REL,
+	SHT_SHLIB,
+	SHT_DYNSYM,
+	SHT_UNKNOWN12,
+	SHT_UNKNOWN13,
+	SHT_INIT_ARRAY,
+	SHT_FINI_ARRAY,
+	SHT_PREINIT_ARRAY,
+	SHT_GROUP,
+	SHT_SYMTAB_SHNDX,
+	SHT_NUM,
+	SHT_ARM_EXIDX = 0x70000001,
+	SHT_ARM_PREEMPTMAP,
+	SHT_ARM_ATTRIBUTES,
+	SHT_ARM_DEBUGOVERLAY,
+	SHT_ARM_OVERLAYSECTION
+} elf_section_type;
+
+typedef enum elf_section_flag
+{
+	SHF_WRITE = 0x1,
+	SHF_ALLOC = 0x2,
+	SHF_EXECINSTR = 0x4,
+	SHF_MERGE = 0x10,
+	SHF_STRINGS = 0x20,
+	SHF_INFO_LINK = 0x40,
+	SHF_LINK_ORDER = 0x80,
+	SHF_OS_NONCONFORMING = 0x100,
+	SHF_GROUP = 0x200,
+	SHF_TLS = 0x400
+} elf_section_flag;
+
+typedef struct elf_section_entry
+{
+	const char *name;
+	u32 type;
+	u32 flags;
+	const u8 *ptr;
+	u32 offsetInFile;
+	u32 size;
+	u32 address;
+	u32 alignment;
 } elf_section_entry;
 
-typedef struct
+typedef enum elf_program_type
+{
+	PT_NULL,
+	PT_LOAD,
+	PT_DYNAMIC,
+	PT_INTERP,
+	PT_NOTE,
+	PT_SHLIB,
+	PT_PHDR,
+} elf_program_type;
+
+typedef enum elf_program_flag
 {
-	u64 type;
-	u64 flags;
-	u8 *ptr;
-	u64 offsetInFile;
-	u64 sizeInFile;
-	u64 virtualAddress;
-	u64 physicalAddress;
-	u64 sizeInMemory;
-	u64 alignment;
+	PF_X = 0x1,
+	PF_W = 0x2,
+	PF_R = 0x4,
+	PF_CTRSDK = 0x80000000,
+
+	PF_TEXT = (PF_R|PF_X),
+	PF_DATA = (PF_R|PF_W),
+	PF_RODATA = PF_R
+} elf_program_flag;
+
+typedef struct elf_program_entry
+{
+	u32 type;
+	u32 flags;
+	const u8 *ptr;
+	u32 offsetInFile;
+	u32 sizeInFile;
+	u32 virtualAddress;
+	u32 physicalAddress;
+	u32 sizeInMemory;
+	u32 alignment;
 } elf_program_entry;
 
-typedef struct
+typedef struct elf_segment
 {
-	char *name;
-	u64 vAddr;
+	const char *name;
+	u32 vAddr;
 
 	elf_program_entry *header;
 	u32 sectionNum;
@@ -49,25 +115,17 @@ typedef struct
 	elf_section_entry *sections;
 } elf_segment;
 
-typedef struct
+typedef struct elf_context
 {
-	u32 address;
-	u32 size;
-	u32 maxPageNum;
-	u8 *data;
-} code_segment;
+	const u8 *file;
 
-typedef struct
-{
 	u32 pageSize;
-	bool IsLittleEndian;
-	bool Is64bit;
 		
-	u64 programTableOffset;
+	u32 programTableOffset;
 	u16 programTableEntrySize;
 	u16 programTableEntryCount;
 	
-	u64 sectionTableOffset;
+	u32 sectionTableOffset;
 	u16 sectionTableEntrySize;
 	u16 sectionTableEntryCount;
 	
@@ -78,7 +136,12 @@ typedef struct
 
 	u16 activeSegments;
 	elf_segment *segments;
-
 } elf_context;
 
-int BuildExeFsCode(ncch_settings *ncchset);
\ No newline at end of file
+bool IsBss(elf_section_entry *section);
+bool IsData(elf_section_entry *section);
+bool IsRoData(elf_section_entry *section);
+bool IsText(elf_section_entry *section);
+
+int GetElfContext(elf_context *elf, const u8 *elfFile);
+void FreeElfContext(elf_context *elf);
\ No newline at end of file
diff --git a/makerom/elf_hdr.h b/makerom/elf_hdr.h
deleted file mode 100644
index 4fb772d7..00000000
--- a/makerom/elf_hdr.h
+++ /dev/null
@@ -1,192 +0,0 @@
-#pragma once
-
-static const u32 ELF_MAGIC = 0x7f454c46;
-
-typedef enum
-{
-	elf_32_bit = 1,
-	elf_64_bit = 2,
-} elf_bit_format_types;
-
-typedef enum
-{
-	elf_little_endian = 1,
-	elf_big_endian = 2,
-} elf_endianness;
-
-typedef enum
-{
-	elf_relocatable = 1,
-	elf_executeable = 2,
-	elf_shared = 3,
-	elf_core = 4,
-} elf_type;
-
-typedef enum
-{
-	elf_arm = 0x28,
-} elf_target_architecture;
-
-typedef struct
-{
-	u8 magic[4];
-	u8 bitFormat;
-	u8 endianness;
-	u8 elfVersion;
-	u8 os;
-	u8 padding0[8];
-	u8 type[2];
-	u8 targetArchitecture[2];
-	u8 version[4];
-	u8 entryPoint[4];
-	u8 programHeaderTableOffset[4];
-	u8 sectionHeaderTableOffset[4];
-	u8 flags[4];
-	u8 headerSize[2];
-	u8 programHeaderEntrySize[2];
-	u8 programHeaderEntryCount[2];
-	u8 sectionTableEntrySize[2];
-	u8 sectionHeaderEntryCount[2];
-	u8 sectionHeaderNameEntryIndex[2];
-} elf_32_hdr;
-
-typedef struct
-{
-	u8 magic[4];
-	u8 bitFormat;
-	u8 endianness;
-	u8 elfVersion;
-	u8 os;
-	u8 padding0[8];
-	u8 type[2];
-	u8 targetArchitecture[2];
-	u8 version[4];
-	u8 entryPoint[8];
-	u8 programHeaderTableOffset[8];
-	u8 sectionHeaderTableOffset[8];
-	u8 flags[4];
-	u8 headerSize[2];
-	u8 programHeaderEntrySize[2];
-	u8 programHeaderEntryCount[2];
-	u8 sectionTableEntrySize[2];
-	u8 sectionHeaderEntryCount[2];
-	u8 sectionHeaderNameEntryIndex[2];
-} elf_64_hdr;
-
-/* taken from elf specs, will not follow global style */
-
-/* Section header.  */
-
-/* Legal values for sh_type (section type).  */
-
-#define SHT_NULL			0		/* Section header table entry unused */
-#define SHT_PROGBITS		1		/* Program data */
-#define SHT_SYMTAB			2		/* Symbol table */
-#define SHT_STRTAB			3		/* String table */
-#define SHT_RELA			4		/* Relocation entries with addends */
-#define SHT_HASH			5		/* Symbol hash table */
-#define SHT_DYNAMIC			6		/* Dynamic linking information */
-#define SHT_NOTE			7		/* Notes */
-#define SHT_NOBITS			8		/* Program space with no data (bss) */
-#define SHT_REL				9		/* Relocation entries, no addends */
-#define SHT_SHLIB			10		/* Reserved */
-#define SHT_DYNSYM			11		/* Dynamic linker symbol table */
-#define	SHT_UNKNOWN12		12
-#define	SHT_UNKNOWN13		13
-#define	SHT_INIT_ARRAY		14
-#define	SHT_FINI_ARRAY		15
-#define	SHT_PREINIT_ARRAY	16
-#define	SHT_GROUP			17
-#define	SHT_SYMTAB_SHNDX	18
-#define	SHT_NUM				19
-#define SHT_ARM_EXIDX		0x70000001 /* Exception Index table */
-#define SHT_ARM_PREEMPTMAP	0x70000002 /* BPABI DLL dynamic linking pre-emption map*/
-#define SHT_ARM_ATTRIBUTES	0x70000003 /* Object file compatibility attributes */
-#define SHT_ARM_DEBUGOVERLAY	0x70000004
-#define SHT_ARM_OVERLAYSECTION	0x70000005
-
-#define	SHF_WRITE		0x01		/* sh_flags */
-#define	SHF_ALLOC		0x02
-#define	SHF_EXECINSTR		0x04
-#define	SHF_MERGE		0x10
-#define	SHF_STRINGS		0x20
-#define	SHF_INFO_LINK		0x40
-#define	SHF_LINK_ORDER		0x80
-#define	SHF_OS_NONCONFORMING	0x100
-#define	SHF_GROUP		0x200
-#define	SHF_TLS			0x400
-
-
-typedef struct
-{
-  u8 sh_name[4];		/* Section name (string tbl index) */
-  u8 sh_type[4];		/* Section type */
-  u8 sh_flags[4];		/* Section flags */
-  u8 sh_addr[4];		/* Section virtual addr at execution */
-  u8 sh_offset[4];		/* Section file offset */
-  u8 sh_size[4];		/* Section size in bytes */
-  u8 sh_link[4];		/* Link to another section */
-  u8 sh_info[4];		/* Additional section information */
-  u8 sh_addralign[4];		/* Section alignment */
-  u8 sh_entsize[4];		/* Entry size if section holds table */
-} elf_32_shdr;
-
-typedef struct
-{
-  u8 sh_name[8];		/* Section name (string tbl index) */
-  u8 sh_type[8];		/* Section type */
-  u8 sh_flags[8];		/* Section flags */
-  u8 sh_addr[8];		/* Section virtual addr at execution */
-  u8 sh_offset[8];		/* Section file offset */
-  u8 sh_size[8];		/* Section size in bytes */
-  u8 sh_link[8];		/* Link to another section */
-  u8 sh_info[8];		/* Additional section information */
-  u8 sh_addralign[8];		/* Section alignment */
-  u8 sh_entsize[8];		/* Entry size if section holds table */
-} elf_64_shdr;
-
-/* Program segment header.  */
-
-/* p_type legal values */
-#define	PT_NULL		0		/* Program header table entry unused */
-#define PT_LOAD		1		/* Loadable program segment */
-#define PT_DYNAMIC	2		/* Dynamic linking information */
-#define PT_INTERP	3		/* Program interpreter */
-#define PT_NOTE		4		/* Auxiliary information */
-#define PT_SHLIB	5		/* Reserved */
-#define PT_PHDR		6		/* Entry for header table itself */
-#define	PT_NUM		7		/* Number of defined types.  */
-#define PT_LOOS		0x60000000	/* Start of OS-specific */
-#define PT_HIOS		0x6fffffff	/* End of OS-specific */
-#define PT_LOPROC	0x70000000	/* Start of processor-specific */
-#define PT_HIPROC	0x7fffffff	/* End of processor-specific */
-
-#define PF_CTRSDK	0x80000000
-#define	PF_R		0x4		/* p_flags */
-#define	PF_W		0x2
-#define	PF_X		0x1
-
-
-typedef struct
-{
-  u8 p_type[4];			/* Segment type */
-  u8 p_offset[4];		/* Segment file offset */
-  u8 p_vaddr[4];		/* Segment virtual address */
-  u8 p_paddr[4];		/* Segment physical address */
-  u8 p_filesz[4];		/* Segment size in file */
-  u8 p_memsz[4];		/* Segment size in memory */
-  u8 p_flags[4];		/* Segment flags */
-  u8 p_align[4];		/* Segment alignment */
-} elf_32_phdr;
-
-typedef struct
-{
-  u8 p_type[8];			/* Segment type */
-  u8 p_flags[8];		/* Segment flags */
-  u8 p_offset[8];		/* Segment file offset */
-  u8 p_vaddr[8];		/* Segment virtual address */
-  u8 p_paddr[8];		/* Segment physical address */
-  u8 p_filesz[8];		/* Segment size in file */
-  u8 p_memsz[8];		/* Segment size in memory */
-  u8 p_align[8];		/* Segment alignment */
-} elf_64_phdr;
\ No newline at end of file
diff --git a/makerom/exheader.c b/makerom/exheader.c
index 0d4b0bf0..0d8065b7 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -129,8 +129,6 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	exhdrset->exHdr = (extended_hdr*)ncchset->sections.exhdr.buffer;
 	exhdrset->acexDesc = (access_descriptor*)ncchset->sections.acexDesc.buffer;
 
-	/* BSS Size */
-	u32_to_u8(exhdrset->exHdr->codeSetInfo.bssSize,ncchset->codeDetails.bssSize,LE);
 	/* Data */
 	u32_to_u8(exhdrset->exHdr->codeSetInfo.data.address,ncchset->codeDetails.rwAddress,LE);
 	u32_to_u8(exhdrset->exHdr->codeSetInfo.data.codeSize,ncchset->codeDetails.rwSize,LE);
@@ -143,12 +141,16 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	u32_to_u8(exhdrset->exHdr->codeSetInfo.text.address,ncchset->codeDetails.textAddress,LE);
 	u32_to_u8(exhdrset->exHdr->codeSetInfo.text.codeSize,ncchset->codeDetails.textSize,LE);
 	u32_to_u8(exhdrset->exHdr->codeSetInfo.text.numMaxPages,ncchset->codeDetails.textMaxPages,LE);
+	/* BSS Size */
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.bssSize, ncchset->codeDetails.bssSize, LE);
+	/* Stack Size */
+	u32_to_u8(exhdrset->exHdr->codeSetInfo.stackSize, ncchset->codeDetails.stackSize, LE);
 
 	/* Set Simple Flags */
 	if(ncchset->options.CompressCode)
-		exhdrset->exHdr->codeSetInfo.flag |= infoflag_COMPRESS_EXEFS_0;
-	if(ncchset->options.UseOnSD)
-		exhdrset->exHdr->codeSetInfo.flag |= infoflag_SD_APPLICATION;
+		exhdrset->exHdr->codeSetInfo.compressExeFs0 = true;
+	if (ncchset->options.UseOnSD)
+		exhdrset->exHdr->codeSetInfo.useOnSd = true;
 	if(!ncchset->options.UseRomFS)
 		exhdrset->exHdr->arm11SystemLocalCapabilities.storageInfo.otherAttributes |= attribute_NOT_USE_ROMFS;
 
@@ -195,13 +197,6 @@ int get_ExHeaderCodeSetInfo(exhdr_CodeSetInfo *CodeSetInfo, rsf_settings *rsf)
 	else
 		strncpy((char*)CodeSetInfo->name, DEFAULT_EXHEADER_NAME, 8);
 	
-	/* Stack Size */
-	if(rsf->SystemControlInfo.StackSize)
-		u32_to_u8(CodeSetInfo->stackSize, strtoul(rsf->SystemControlInfo.StackSize,NULL,0), LE);
-	else{
-		ErrorParamNotFound("SystemControlInfo/StackSize");
-		return EXHDR_BAD_RSF_OPT;
-	}
 	/* Remaster Version */
 	if(rsf->SystemControlInfo.RemasterVersion)
 		u16_to_u8(CodeSetInfo->remasterVersion, strtol(rsf->SystemControlInfo.RemasterVersion,NULL,0), LE);
@@ -311,93 +306,87 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 		return EXHDR_BAD_RSF_OPT;
 	}
 
-	/* Flag[0] */
-	arm11->flag[0] |= rsf->AccessControlInfo.EnableL2Cache;
+	/* Defaults */
+	arm11->enableL2Cache = false;
+	arm11->cpuSpeed = cpuspeed_268MHz;
+	arm11->systemModeExt = sysmode_ext_LEGACY;
+	arm11->affinityMask = 0;
+	arm11->idealProcessor = 0;
+	arm11->systemMode = sysmode_64MB;
+
+	/* flag[0] */
+	arm11->enableL2Cache |= rsf->AccessControlInfo.EnableL2Cache;
 
 	if (rsf->AccessControlInfo.CpuSpeed) {
 		if(strcasecmp(rsf->AccessControlInfo.CpuSpeed, "268mhz") == 0)
-			arm11->flag[0] |= cpuspeed_268MHz << 1;
+			arm11->cpuSpeed |= cpuspeed_268MHz;
 		else if(strcasecmp(rsf->AccessControlInfo.CpuSpeed, "804mhz") == 0)
-			arm11->flag[0] |= cpuspeed_804MHz << 1;
+			arm11->cpuSpeed |= cpuspeed_804MHz;
 		else {
 			fprintf(stderr, "[EXHEADER ERROR] Invalid cpu speed: 0x%s\n", rsf->AccessControlInfo.CpuSpeed);
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}
-	else
-		arm11->flag[0] |= cpuspeed_268MHz << 1;
 
-	/* Flag[1] (SystemModeExt) */
+	/* flag[1] (SystemModeExt) */
 	if (rsf->AccessControlInfo.SystemModeExt) {
 		if (strcasecmp(rsf->AccessControlInfo.SystemModeExt, "Legacy") == 0)
-			arm11->flag[1] = sysmode_ext_LEGACY;
+			arm11->systemModeExt = sysmode_ext_LEGACY;
 		else if (strcasecmp(rsf->AccessControlInfo.SystemModeExt, "124MB") == 0)
-			arm11->flag[1] = sysmode_ext_124MB;
+			arm11->systemModeExt = sysmode_ext_124MB;
 		else if (strcasecmp(rsf->AccessControlInfo.SystemModeExt, "178MB") == 0)
-			arm11->flag[1] = sysmode_ext_178MB;
+			arm11->systemModeExt = sysmode_ext_178MB;
 		
 		else {
 			fprintf(stderr, "[EXHEADER ERROR] Unexpected SystemModeExt: %s\n", rsf->AccessControlInfo.SystemModeExt);
 			return EXHDR_BAD_RSF_OPT;
 		}
 	} 
-	else {
-		arm11->flag[1] = sysmode_ext_LEGACY;
-	}
 
-	/* Flag[2] */
-	u8 affinityMask = 0;
-	u8 idealProcessor = 0;
-	u8 systemMode = 0;
-	
+	/* flag[2] */
 	if(rsf->AccessControlInfo.AffinityMask){
-		affinityMask = strtol(rsf->AccessControlInfo.AffinityMask,NULL,0);
-		if(affinityMask > 1){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected AffinityMask: %d. Expected range: 0x0 - 0x1\n",affinityMask);
+		arm11->affinityMask = strtol(rsf->AccessControlInfo.AffinityMask,NULL,0);
+		if(arm11->affinityMask > 1){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected AffinityMask: %d. Expected range: 0x0 - 0x1\n", arm11->affinityMask);
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}
 	if(rsf->AccessControlInfo.IdealProcessor){
-		idealProcessor = strtol(rsf->AccessControlInfo.IdealProcessor,NULL,0);
-		if(idealProcessor > 1){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected IdealProcessor: %d. Expected range: 0x0 - 0x1\n",idealProcessor);
+		arm11->idealProcessor = strtol(rsf->AccessControlInfo.IdealProcessor,NULL,0);
+		if(arm11->idealProcessor > 1){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected IdealProcessor: %d. Expected range: 0x0 - 0x1\n", arm11->idealProcessor);
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}
 	if(rsf->AccessControlInfo.SystemMode){
 		if (strcasecmp(rsf->AccessControlInfo.SystemMode, "64MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "prod") == 0)
-			systemMode = sysmode_64MB;
+			arm11->systemMode = sysmode_64MB;
 		//else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "UNK") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "null") == 0)
-		//	systemMode = sysmode_UNK;
+		//	arm11->systemMode = sysmode_UNK;
 		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "96MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev1") == 0)
-			systemMode = sysmode_96MB;
+			arm11->systemMode = sysmode_96MB;
 		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "80MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev2") == 0)
-			systemMode = sysmode_80MB;
+			arm11->systemMode = sysmode_80MB;
 		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "72MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev3") == 0)
-			systemMode = sysmode_72MB;
+			arm11->systemMode = sysmode_72MB;
 		else if (strcasecmp(rsf->AccessControlInfo.SystemMode, "32MB") == 0 || strcasecmp(rsf->AccessControlInfo.SystemMode, "dev4") == 0)
-			systemMode = sysmode_32MB;
+			arm11->systemMode = sysmode_32MB;
 
 		else {
 			fprintf(stderr, "[EXHEADER ERROR] Unexpected SystemMode: %s\n", rsf->AccessControlInfo.SystemMode);
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}
-	else {
-		systemMode = sysmode_64MB;
-	}
-	arm11->flag[2] = (u8)(systemMode << 4 | affinityMask << 2 | idealProcessor);
 
 	/* flag[3] (Thread Priority) */
 	if(rsf->AccessControlInfo.Priority){
-		u8 priority = strtoul(rsf->AccessControlInfo.Priority,NULL,0);
+		arm11->threadPriority = strtoul(rsf->AccessControlInfo.Priority,NULL,0);
 		if(GetAppType(rsf) == processtype_APPLICATION)
-			priority += 32;
-		if(priority > 127){
-			fprintf(stderr,"[EXHEADER ERROR] Invalid Priority: %d\n",priority);
+			arm11->threadPriority += 32;
+		if(arm11->threadPriority < 0){
+			fprintf(stderr,"[EXHEADER ERROR] Invalid Priority: %d\n", arm11->threadPriority);
 			return EXHDR_BAD_RSF_OPT;
 		}
-		arm11->flag[3] = priority;
 	}
 	else{
 		ErrorParamNotFound("AccessControlInfo/Priority");
diff --git a/makerom/exheader.h b/makerom/exheader.h
index 8d91e564..d3ef983b 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -121,7 +121,14 @@ typedef struct
 {
 	u8 name[8];
 	u8 padding0[5];
-	u8 flag;
+	union {
+		u8 flag;
+		struct {
+			u8 compressExeFs0 : 1;
+			u8 useOnSd : 1;
+		};
+	};
+	
 	u8 remasterVersion[2]; // le u16
 	exhdr_CodeSegmentInfo text;
 	u8 stackSize[4]; // le u32
@@ -151,7 +158,23 @@ typedef struct
 {
 	u8 programId[8];
 	u8 coreVersion[4];
-	u8 flag[4];
+	union {
+		u8 flag[4];
+		struct {
+			u8 enableL2Cache : 1;
+			u8 cpuSpeed : 1;
+			u8: 6;
+
+			u8 systemModeExt : 4;
+			u8: 4;
+
+			u8 idealProcessor : 2;
+			u8 affinityMask : 2;
+			u8 systemMode : 4;
+
+			s8 threadPriority;
+		};
+	};
 	u8 resourceLimitDescriptor[16][2];
 	exhdr_StorageInfo storageInfo;
 	u8 serviceAccessControl[34][8]; // Those char[8] server names
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index 472d5b49..ecc931c2 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -97,6 +97,7 @@
     <ClInclude Include="cia.h" />
     <ClInclude Include="cia_build.h" />
     <ClInclude Include="cia_read.h" />
+    <ClInclude Include="code.h" />
     <ClInclude Include="crr.h" />
     <ClInclude Include="crypto.h" />
     <ClInclude Include="ctr_utils.h" />
@@ -105,7 +106,6 @@
     <ClInclude Include="desc\prod_sigdata.h" />
     <ClInclude Include="dir.h" />
     <ClInclude Include="elf.h" />
-    <ClInclude Include="elf_hdr.h" />
     <ClInclude Include="exefs.h" />
     <ClInclude Include="exefs_build.h" />
     <ClInclude Include="exefs_read.h" />
@@ -198,6 +198,7 @@
     <ClCompile Include="cardinfo.c" />
     <ClCompile Include="certs.c" />
     <ClCompile Include="cia.c" />
+    <ClCompile Include="code.c" />
     <ClCompile Include="crypto.c" />
     <ClCompile Include="ctr_utils.c" />
     <ClCompile Include="dir.c" />
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index 5fb196a6..049b9f80 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -72,9 +72,6 @@
     <ClInclude Include="elf.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="elf_hdr.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="exefs.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -339,6 +336,9 @@
     <ClInclude Include="desc\prod_sigdata.h">
       <Filter>Resource Files\DESC</Filter>
     </ClInclude>
+    <ClInclude Include="code.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="accessdesc.c">
@@ -470,6 +470,9 @@
     <ClCompile Include="polarssl\sha4.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
+    <ClCompile Include="code.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="Makefile">
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 4a8d00e3..69621d46 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -3,7 +3,7 @@
 #include "ncch_build.h"
 #include "exheader_build.h"
 #include "exheader_read.h"
-#include "elf.h"
+#include "code.h"
 #include "exefs_build.h"
 #include "exefs_read.h"
 #include "romfs.h"
diff --git a/makerom/ncch_build.h b/makerom/ncch_build.h
index 96f47c4e..d97ab7b7 100644
--- a/makerom/ncch_build.h
+++ b/makerom/ncch_build.h
@@ -70,6 +70,7 @@ typedef struct
 		u32 rwSize;
 		u32 rwMaxPages;
 		u32 bssSize;
+		u32 stackSize;
 	} codeDetails;
 
 	struct
diff --git a/makerom/utils.c b/makerom/utils.c
index 5a97fb66..dd08733b 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -368,7 +368,7 @@ int fseek_64(FILE *fp, u64 file_pos)
 }
 
 //Data Size conversion
-u16 u8_to_u16(u8 *value, u8 endianness)
+u16 u8_to_u16(const u8 *value, u8 endianness)
 {
 	u16 new_value;
 	switch(endianness){
@@ -378,7 +378,7 @@ u16 u8_to_u16(u8 *value, u8 endianness)
 	return new_value;
 }
 
-u32 u8_to_u32(u8 *value, u8 endianness)
+u32 u8_to_u32(const u8 *value, u8 endianness)
 {
 	u32 new_value;
 	switch(endianness){
@@ -389,7 +389,7 @@ u32 u8_to_u32(u8 *value, u8 endianness)
 }
 
 
-u64 u8_to_u64(u8 *value, u8 endianness)
+u64 u8_to_u64(const u8 *value, u8 endianness)
 {
 	u64 ret = 0;
 	switch(endianness){
diff --git a/makerom/utils.h b/makerom/utils.h
index c479f113..6d30d511 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -59,9 +59,9 @@ void ReadFile64(void *outbuff, u64 size, u64 offset, FILE *file);
 int fseek_64(FILE *fp, u64 file_pos);
 
 //Data Size conversion
-u16 u8_to_u16(u8 *value, u8 endianness);
-u32 u8_to_u32(u8 *value, u8 endianness);
-u64 u8_to_u64(u8 *value, u8 endianness);
+u16 u8_to_u16(const u8 *value, u8 endianness);
+u32 u8_to_u32(const u8 *value, u8 endianness);
+u64 u8_to_u64(const u8 *value, u8 endianness);
 int u16_to_u8(u8 *out_value, u16 in_value, u8 endianness);
 int u32_to_u8(u8 *out_value, u32 in_value, u8 endianness);
 int u64_to_u8(u8 *out_value, u64 in_value, u8 endianness);

From 88c0f66c4a8cf82f570582aab40f43e05b9729be Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Wed, 11 Nov 2015 01:55:20 +0800
Subject: [PATCH 116/317] [makerom] Misc

---
 makerom/dir.c       | 42 +++++++++++++++++++--------------------
 makerom/dir.h       |  6 +++---
 makerom/romfs_gen.c | 48 ++++++++++++++++++++-------------------------
 3 files changed, 45 insertions(+), 51 deletions(-)

diff --git a/makerom/dir.c b/makerom/dir.c
index 46580a79..8d8027b3 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -28,9 +28,9 @@ int fs_InitDir(u16 *path, u32 pathlen, fs_dir *dir)
 	memcpy(dir->name,path,dir->name_len);
 	
 	
-	dir->m_dir = 10;
-	dir->u_dir = 0;
-	dir->dir = calloc(dir->m_dir,sizeof(fs_dir));
+	dir->m_child = 10;
+	dir->u_child = 0;
+	dir->child = calloc(dir->m_child,sizeof(fs_dir));
 	
 	dir->m_file = 10;
 	dir->u_file = 0;
@@ -41,13 +41,13 @@ int fs_InitDir(u16 *path, u32 pathlen, fs_dir *dir)
 
 int fs_ManageDirSlot(fs_dir *dir)
 {
-	if(dir->u_dir >= dir->m_dir)
+	if(dir->u_child >= dir->m_child)
 	{
-		dir->m_dir *= 2;
-		fs_dir *tmp = calloc(dir->m_dir,sizeof(fs_dir));
-		memcpy(tmp,dir->dir,sizeof(fs_dir)*dir->u_dir);
-		free(dir->dir);
-		dir->dir = tmp;
+		dir->m_child *= 2;
+		fs_dir *tmp = calloc(dir->m_child,sizeof(fs_dir));
+		memcpy(tmp,dir->child,sizeof(fs_dir)*dir->u_child);
+		free(dir->child);
+		dir->child = tmp;
 	}
 	return 0;
 }
@@ -158,9 +158,9 @@ bool fs_EntryIsDirNav(fs_entry *entry)
 int fs_AddDir(fs_entry *entry, fs_dir *dir)
 {
 	fs_ManageDirSlot(dir);
-	u32 current_slot = dir->u_dir;
-	dir->u_dir++;
-	return fs_OpenDir(entry->fs_name,entry->name,entry->name_len,&dir->dir[current_slot]);
+	u32 current_slot = dir->u_child;
+	dir->u_child++;
+	return fs_OpenDir(entry->fs_name,entry->name,entry->name_len,&dir->child[current_slot]);
 }
 
 int fs_AddFile(fs_entry *entry, fs_dir *dir)
@@ -286,10 +286,10 @@ void fs_PrintDir(fs_dir *dir, u32 depth) // This is just for simple debugging, p
 #endif
 		}
 	}
-	if(dir->u_dir)
+	if(dir->u_child)
 	{
-		for(u32 i = 0; i < dir->u_dir; i++)
-			fs_PrintDir(&dir->dir[i],depth+1);
+		for(u32 i = 0; i < dir->u_child; i++)
+			fs_PrintDir(&dir->child[i],depth+1);
 	}
 }
 
@@ -305,13 +305,13 @@ void fs_FreeDir(fs_dir *dir)
 	
 	
 	//printf("free dir names and\n");
-	for(u32 i = 0; i < dir->u_dir; i++)
+	for(u32 i = 0; i < dir->u_child; i++)
 	{	
-		free(dir->dir[i].name);
-		fs_FreeDir(&dir->dir[i]);
+		free(dir->child[i].name);
+		fs_FreeDir(&dir->child[i]);
 	}
 	//printf("free dir struct\n");
-	free(dir->dir);
+	free(dir->child);
 	
 }
 
@@ -323,6 +323,6 @@ void fs_FreeFiles(fs_dir *dir)
 			fclose(dir->file[i].fp);
 	}
 	
-	for(u32 i = 0; i < dir->u_dir; i++)
-		fs_FreeFiles(&dir->dir[i]);
+	for(u32 i = 0; i < dir->u_child; i++)
+		fs_FreeFiles(&dir->child[i]);
 }
\ No newline at end of file
diff --git a/makerom/dir.h b/makerom/dir.h
index 1279b362..f7c6938d 100644
--- a/makerom/dir.h
+++ b/makerom/dir.h
@@ -44,9 +44,9 @@ struct fs_dir
 	fs_romfs_char *name;
 	u32 name_len;
 	
-	struct fs_dir *dir;
-	u32 m_dir;
-	u32 u_dir;
+	struct fs_dir *child;
+	u32 m_child;
+	u32 u_child;
 	
 	struct fs_file *file;
 	u32 m_file;
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index dc86a716..3db457bf 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -59,7 +59,7 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	free(fs_raw);
 	
 	/* Abort romfs making, if no wanted files/directories were found */
-	if(ctx->fs->u_file == 0 && ctx->fs->u_dir == 0){
+	if(ctx->fs->u_file == 0 && ctx->fs->u_child == 0){
 		ctx->romfsSize = 0;
 		goto finish;
 	}
@@ -132,10 +132,9 @@ bool IsDirWanted(fs_dir *dir, void *filter_criteria)
 			break;
 		}
 	}
-	fs_dir *tmp = (fs_dir*)dir->dir;
-	for(u32 i = 0; i < dir->u_dir; i++)
+	for(u32 i = 0; i < dir->u_child; i++)
 	{
-		if(IsDirWanted(&tmp[i],filter_criteria))
+		if(IsDirWanted(&dir->child[i],filter_criteria))
 		{
 			ret = true;
 			break;
@@ -158,13 +157,12 @@ void CalcDirSize(romfs_buildctx *ctx, fs_dir *fs)
 			ctx->m_dataLen =  align(ctx->m_dataLen,0x10) + fs->file[i].size;
 	}
 	
-	fs_dir *dir = (fs_dir*)fs->dir;
-	for(u32 i = 0; i < fs->u_dir; i++)
+	for(u32 i = 0; i < fs->u_child; i++)
 	{
-		CalcDirSize(ctx,&dir[i]);
+		CalcDirSize(ctx,&fs->child[i]);
 	}
 	ctx->fileNum += fs->u_file;
-	ctx->dirNum += fs->u_dir;
+	ctx->dirNum += fs->u_child;
 }
 
 u32 GetHashTableCount(u32 num)
@@ -214,23 +212,20 @@ int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria)
 	fs_filtered->name = calloc(fs_filtered->name_len+2,1);
 	memcpy(fs_filtered->name,fs_raw->name,fs_filtered->name_len);
 	
-	fs_filtered->u_dir = 0;
-	fs_filtered->m_dir = fs_raw->u_dir;
-	fs_filtered->dir = calloc(fs_filtered->m_dir,sizeof(fs_dir));
+	fs_filtered->u_child = 0;
+	fs_filtered->m_child = fs_raw->u_child;
+	fs_filtered->child = calloc(fs_filtered->m_child,sizeof(fs_dir));
 	
 	fs_filtered->u_file = 0;
 	fs_filtered->m_file = fs_raw->u_file;
 	fs_filtered->file = calloc(fs_filtered->m_file,sizeof(fs_file));
 	
-	
-	fs_dir *dir_raw = (fs_dir*)fs_raw->dir;
-	fs_dir *dir_filtered = (fs_dir*)fs_filtered->dir;
-	for(u32 i = 0; i < fs_raw->u_dir; i++)
+	for(u32 i = 0; i < fs_raw->u_child; i++)
 	{
-		if(IsDirWanted(&dir_raw[i],filter_criteria))
+		if(IsDirWanted(&fs_raw->child[i],filter_criteria))
 		{
-			FilterRomFS(&dir_raw[i],&dir_filtered[fs_filtered->u_dir],filter_criteria);
-			fs_filtered->u_dir++;
+			FilterRomFS(&fs_raw->child[i],&fs_filtered->child[fs_filtered->u_child],filter_criteria);
+			fs_filtered->u_child++;
 		}
 	}
 	
@@ -421,34 +416,33 @@ void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
 		}
 	}
 
-	if (fs->u_dir)
+	if (fs->u_child)
 	{
 		/* Prepare to store child addresses */
-		u32 *childs = calloc(fs->u_dir, sizeof(u32));
+		u32 *childs = calloc(fs->u_child, sizeof(u32));
 
 		/* Create child directory entries*/
 		u32_to_u8(entry->childoffset, ctx->u_dirTableLen, LE);
-		fs_dir *subdir = (fs_dir*)fs->dir;
-		for (u32 i = 0; i < fs->u_dir; i++)
+		for (u32 i = 0; i < fs->u_child; i++)
 		{
 			/* Store address fo child */
 			childs[i] = ctx->u_dirTableLen;
 			
 			
 			u32 dir_sibling = 0;
-			if (i >= fs->u_dir - 1)
+			if (i >= fs->u_child - 1)
 				dir_sibling = ROMFS_UNUSED_ENTRY;
 			else
-				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(subdir[i].name_len, 4);
+				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(fs->child[i].name_len, 4);
 			
 			/* Create child directory entry */
-			AddDirToRomfs(ctx, &subdir[i], dir, dir_sibling);
+			AddDirToRomfs(ctx, &fs->child[i], dir, dir_sibling);
 		}
 
 		/* Populate child's childs */
-		for (u32 i = 0; i < fs->u_dir; i++)
+		for (u32 i = 0; i < fs->u_child; i++)
 		{
-			AddDirChildrenToRomfs(ctx, &subdir[i], dir, childs[i]);
+			AddDirChildrenToRomfs(ctx, &fs->child[i], dir, childs[i]);
 		}
 
 		free(childs);

From e7dc460436fcf8fd4a71f1936df1545bea61b993 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Wed, 11 Nov 2015 23:20:03 +0800
Subject: [PATCH 117/317] [makerom] Fixed makerom ROMFS file limitation.
 +Several bug fixes.

---
 makerom/Makefile        |   2 +-
 makerom/cia.c           |  23 +++-
 makerom/code.c          |  14 +-
 makerom/dir.c           | 287 +++++++++++++++++++++++-----------------
 makerom/dir.h           |  28 +++-
 makerom/ncch.c          |  19 ++-
 makerom/ncsd.c          |  24 ++++
 makerom/romfs.c         |   2 +-
 makerom/romfs.h         |   2 +
 makerom/romfs_gen.c     | 125 +++++++----------
 makerom/titleid.c       |  14 +-
 makerom/user_settings.c |  43 +++---
 makerom/utils.c         |  44 +++---
 makerom/utils.h         |  12 +-
 14 files changed, 368 insertions(+), 271 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index e68a81c4..d15d60f4 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 # Compiler Settings
 LIBS = -static-libgcc
 CXXFLAGS = -I.
-CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. $(MAKEROM_BUILD_FLAGS)
+CFLAGS = --std=c99 -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. $(MAKEROM_BUILD_FLAGS)
 CC = gcc
 CXX = g++
 
diff --git a/makerom/cia.c b/makerom/cia.c
index 719c91b4..36b54d92 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -571,16 +571,27 @@ u16 SetupVersion(u16 major, u16 minor, u16 micro)
 
 void GetContentHashes(cia_settings *ciaset)
 {
-	for(int i = 0; i < ciaset->content.count; i++)
-		ShaCalc(ciaset->ciaSections.content.buffer+ciaset->content.offset[i],ciaset->content.size[i],ciaset->content.hash[i],CTR_SHA_256);
+	for (int i = 0; i < ciaset->content.count; i++) {
+		if (ciaset->verbose)
+			printf("[CIA] Hashing content %d... ", i);
+		ShaCalc(ciaset->ciaSections.content.buffer + ciaset->content.offset[i], ciaset->content.size[i], ciaset->content.hash[i], CTR_SHA_256);
+		if (ciaset->verbose)
+			printf("Done!\n");
+	}
 }
 
 void EncryptContent(cia_settings *ciaset)
 {
 	for(int i = 0; i < ciaset->content.count; i++){
+		if (ciaset->verbose)
+			printf("[CIA] Encrypting content %d... ", i);
+
 		ciaset->content.flags[i] |= content_Encrypted;
 		u8 *content = ciaset->ciaSections.content.buffer+ciaset->content.offset[i];
 		CryptContent(content, content, ciaset->content.size[i], ciaset->common.titleKey, i, ENC);
+
+		if (ciaset->verbose)
+			printf("Done!\n");
 	}
 }
 
@@ -638,12 +649,20 @@ int BuildCiaHdr(cia_settings *ciaset)
 
 int WriteCiaToFile(cia_settings *ciaset)
 {
+	if (ciaset->verbose) {
+		printf("[CIA] Writing to file... ");
+	}
 	WriteBuffer(ciaset->ciaSections.ciaHdr.buffer,ciaset->ciaSections.ciaHdr.size,0,ciaset->out);
 	WriteBuffer(ciaset->ciaSections.certChain.buffer,ciaset->ciaSections.certChain.size,ciaset->ciaSections.certChainOffset,ciaset->out);
 	WriteBuffer(ciaset->ciaSections.tik.buffer,ciaset->ciaSections.tik.size,ciaset->ciaSections.tikOffset,ciaset->out);
 	WriteBuffer(ciaset->ciaSections.tmd.buffer,ciaset->ciaSections.tmd.size,ciaset->ciaSections.tmdOffset,ciaset->out);
 	WriteBuffer(ciaset->ciaSections.content.buffer,ciaset->ciaSections.content.size,ciaset->ciaSections.contentOffset,ciaset->out);
 	WriteBuffer(ciaset->ciaSections.meta.buffer,ciaset->ciaSections.meta.size,ciaset->ciaSections.metaOffset,ciaset->out);
+
+	if (ciaset->verbose) {
+		printf("Done!\n");
+	}
+
 	return 0;
 }
 
diff --git a/makerom/code.c b/makerom/code.c
index ea31b2c0..07ee74a7 100644
--- a/makerom/code.c
+++ b/makerom/code.c
@@ -41,7 +41,7 @@ int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
 	u32 size = set->componentFilePtrs.codeSize;
 	u8 *buffer = malloc(size);
 	if (!buffer) {
-		fprintf(stderr, "[ELF ERROR] Not enough memory\n");
+		fprintf(stderr, "[CODE ERROR] Not enough memory\n");
 		return MEM_ERROR;
 	}
 	ReadFile64(buffer, size, 0, set->componentFilePtrs.code);
@@ -51,10 +51,14 @@ int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
 	if (!set->exefsSections.code.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
 	ReadFile64(set->exefsSections.code.buffer, set->exefsSections.code.size, 0, set->componentFilePtrs.code);
 	if (set->options.CompressCode) {
+		if (set->options.verbose)
+			printf("[CODE] Compressing code... ");
 		u32 new_len;
 		set->exefsSections.code.buffer = BLZ_Code(buffer, size, &new_len, BLZ_NORMAL);
 		set->exefsSections.code.size = new_len;
 		free(buffer);
+		if (set->options.verbose)
+			printf("Done!\n");
 	}
 	else {
 		set->exefsSections.code.size = size;
@@ -63,12 +67,12 @@ int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
 
 	size = set->componentFilePtrs.exhdrSize;
 	if (size < sizeof(extended_hdr)) {
-		fprintf(stderr, "[ELF ERROR] Exheader code info template is too small\n");
+		fprintf(stderr, "[CODE ERROR] Exheader code info template is too small\n");
 		return FAILED_TO_IMPORT_FILE;
 	}
 	extended_hdr *exhdr = malloc(size);
 	if (!exhdr) {
-		fprintf(stderr, "[ELF ERROR] Not enough memory\n");
+		fprintf(stderr, "[CODE ERROR] Not enough memory\n");
 		return MEM_ERROR;
 	}
 	ReadFile64(exhdr, size, 0, set->componentFilePtrs.exhdr);
@@ -245,10 +249,14 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 
 	/* Compressing If needed */
 	if (set->options.CompressCode) {
+		if (set->options.verbose)
+			printf("[CODE] Compressing code... ");
 		u32 new_len;
 		set->exefsSections.code.buffer = BLZ_Code(code, size, &new_len, BLZ_NORMAL);
 		set->exefsSections.code.size = new_len;
 		free(code);
+		if (set->options.verbose)
+			printf("Done!\n");
 	}
 	else {
 		set->exefsSections.code.size = size;
diff --git a/makerom/dir.c b/makerom/dir.c
index 8d8027b3..097c44ec 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -2,31 +2,125 @@
 #include "dir.h"
 #include "utf.h"
 
+const fs_romfs_char FS_CURRENT_DIR_PATH = 0x2E;
+const fs_romfs_char FS_PARENT_DIR_PATH[2] = { 0x2E,0x2E };
+
 /* This is the FS interface for ROMFS generation */
 /* Tested working on Windows/Linux/OSX */
-int fs_InitDir(u16 *path, u32 pathlen, fs_dir *dir);
+int fs_InitDir(const fs_entry *entry, fs_dir *dir);
 int fs_ManageDirSlot(fs_dir *dir);
 int fs_ManageFileSlot(fs_dir *dir);
 void fs_chdirUp(void);
-fs_entry* fs_GetEntry(fs_DIR *dp);
+fs_entry* fs_GetEntry(const fs_char *parent_path, fs_DIR *dp);
 void fs_FreeEntry(fs_entry *entry);
 bool fs_EntryIsDirNav(fs_entry *entry);
 int fs_AddDir(fs_entry *entry, fs_dir *dir);
 int fs_AddFile(fs_entry *entry, fs_dir *dir);
 
-int fs_RomFsStrLen(fs_romfs_char *str)
+u32 fs_romfs_strlen(const fs_romfs_char *str)
 {
-	int i;
+	u32 i;
 	for( i = 0; str[i] != 0x0; i++ );
 	return i;
 }
 
-int fs_InitDir(u16 *path, u32 pathlen, fs_dir *dir)
+u32 fs_strlen(const fs_char *str)
 {
-	dir->name_len = pathlen;
-	dir->name = calloc(dir->name_len+2,1);	
-	memcpy(dir->name,path,dir->name_len);
-	
+	u32 i;
+	for (i = 0; str[i] != 0x0; i++);
+	return i;
+}
+
+FILE* fs_fopen(fs_char *path)
+{
+#ifdef _WIN32
+	return _wfopen(path, L"rb");
+#else
+	return fopen(path, "rb");
+#endif
+}
+
+u64 fs_fsize(fs_char *path)
+{
+#ifdef _WIN32
+	return wGetFileSize64(path);
+#else
+	return GetFileSize64(path);
+#endif
+}
+
+fs_char* fs_AppendToPath(const fs_char *src, const fs_char *add)
+{
+	u32 src_len, add_len;
+	fs_char *new_path;
+
+	src_len = fs_strlen(src);
+	add_len = fs_strlen(add);
+	new_path = calloc(src_len + add_len + 0x10, sizeof(fs_char));
+
+#ifdef _WIN32
+	_snwprintf(new_path, src_len + add_len + 0x10, L"%s%c%s", src, FS_PATH_SEPARATOR, add);
+#else
+	snprintf(new_path, src_len + add_len + 0x10, "%s%c%s", src, FS_PATH_SEPARATOR, add);
+#endif
+
+	return new_path;
+}
+
+fs_char* fs_CopyPath(const fs_char *src)
+{
+	u32 src_len;
+	fs_char *new_path;
+
+	src_len = fs_strlen(src);
+	new_path = calloc(src_len + 0x10, sizeof(fs_char));
+
+	for (u32 i = 0; i < src_len; i++)
+		new_path[i] = src[i];
+
+	return new_path;
+}
+
+fs_romfs_char* fs_CopyRomfsName(const fs_romfs_char *src)
+{
+	u32 src_len;
+	fs_romfs_char *new_path;
+
+	src_len = fs_strlen(src);
+	new_path = calloc(src_len + 0x10, sizeof(fs_romfs_char));
+
+	for (u32 i = 0; i < src_len; i++)
+		new_path[i] = src[i];
+
+	return new_path;
+}
+
+void fs_fputs(FILE *out, const fs_char *str)
+{
+#ifdef _WIN32
+	wprintf(L"%s", str);
+#else
+	printf("%s", str);
+#endif
+}
+
+void fs_romfs_fputs(FILE *out, const fs_romfs_char *str)
+{
+#ifdef _WIN32
+	wprintf(L"%s", str);
+#else
+	const char *name = (const char*)str;
+	for (u32 i = 0; i < fs_romfs_strlen(str)*2; i += 2)
+		putchar(name[i]);
+#endif
+}
+
+int fs_InitDir(const fs_entry *entry, fs_dir *dir)
+{
+	dir->fs_path = fs_CopyPath(entry->fs_path);
+
+	dir->name_len = entry->name_len;
+	dir->name = fs_CopyRomfsName(entry->name);
 	
 	dir->m_child = 10;
 	dir->u_child = 0;
@@ -65,16 +159,7 @@ int fs_ManageFileSlot(fs_dir *dir)
 	return 0;
 }
 
-void fs_chdirUp(void)
-{
-#ifdef _WIN32
-	fs_chdir(L"..");
-#else
-	fs_chdir("..");
-#endif
-}
-
-fs_entry* fs_GetEntry(fs_DIR *dp)
+fs_entry* fs_GetEntry(const fs_char *parent_path, fs_DIR *dp)
 {
 	// Directory structs
 	struct fs_dirent *tmp_entry;
@@ -99,9 +184,9 @@ fs_entry* fs_GetEntry(fs_DIR *dp)
 	memset(entry,0,sizeof(fs_entry));
 	
 	//Copy FS compatible Entry name
-	entry->fs_name = malloc(sizeof(fs_char)*(namlen+1));
-	memset(entry->fs_name,0,sizeof(fs_char)*(namlen+1));
-	memcpy(entry->fs_name,tmp_entry->d_name,sizeof(fs_char)*namlen);
+	fs_char *fs_name = calloc(sizeof(fs_char)*(namlen+1),1);
+	memcpy(fs_name,tmp_entry->d_name,sizeof(fs_char)*namlen);
+	entry->fs_path = fs_AppendToPath(parent_path, fs_name);
 	
 	// Convert Entry name into RomFS u16 char (windows wchar_t, thanks Nintendo)
 #if _WIN32
@@ -111,45 +196,41 @@ fs_entry* fs_GetEntry(fs_DIR *dp)
 #endif
 	
 	//printf("get dir entry from dir ptr to check if dir\n");
-	tmp_dptr = fs_opendir(entry->fs_name);
+	tmp_dptr = fs_opendir(entry->fs_path);
 	if(tmp_dptr)
 	{
 		//printf("is dir\n");
 		fs_closedir(tmp_dptr);
 		entry->IsDir = true;
 		entry->size = 0;
-		entry->fp = NULL;
 	}
 	else // Open file if it is a file
 	{
 		entry->IsDir = false;
-#ifdef _WIN32
-		entry->size = wGetFileSize64(entry->fs_name);
-		entry->fp = _wfopen(entry->fs_name,L"rb");
-#else
-		entry->size = GetFileSize64(entry->fs_name);
-		entry->fp = fopen(entry->fs_name,"rb");
-#endif
+		entry->size = fs_fsize(entry->fs_path);
+	}
+	
+	// Don't bother returning current entry, if it is useless
+	if (fs_EntryIsDirNav(entry)) {
+		fs_FreeEntry(entry);
+		return fs_GetEntry(parent_path, dp);
 	}
-	//printf("fs_GetEntry() return\n");
+
 	return entry;
 }
 
 void fs_FreeEntry(fs_entry *entry)
 {
-	free(entry->fs_name);
+	free(entry->fs_path);
 	free(entry->name);
 	free(entry);
 }
 
 bool fs_EntryIsDirNav(fs_entry *entry)
 {
-	//memdump(stdout,"Entry RomFS Name: ",(u8*)entry->name,entry->name_len);
-	const fs_romfs_char currentdir = 0x2E;
-	const fs_romfs_char upperdir[2] = {0x2E,0x2E};
-	if(entry->name_len == sizeof(fs_romfs_char)*1 && memcmp(entry->name,&currentdir,sizeof(fs_romfs_char)*1) == 0)
+	if(entry->name_len == sizeof(fs_romfs_char)*1 && memcmp(entry->name,&FS_CURRENT_DIR_PATH,sizeof(fs_romfs_char)*1) == 0)
 		return true;
-	if(entry->name_len == sizeof(fs_romfs_char)*2 && memcmp(entry->name,upperdir,sizeof(fs_romfs_char)*2) == 0)
+	if(entry->name_len == sizeof(fs_romfs_char)*2 && memcmp(entry->name,FS_PARENT_DIR_PATH,sizeof(fs_romfs_char)*2) == 0)
 		return true;
 	return false;
 	
@@ -159,84 +240,70 @@ int fs_AddDir(fs_entry *entry, fs_dir *dir)
 {
 	fs_ManageDirSlot(dir);
 	u32 current_slot = dir->u_child;
+
 	dir->u_child++;
-	return fs_OpenDir(entry->fs_name,entry->name,entry->name_len,&dir->child[current_slot]);
+	return fs_OpenDir(entry,&dir->child[current_slot]);
 }
 
 int fs_AddFile(fs_entry *entry, fs_dir *dir)
 {
 	fs_ManageFileSlot(dir);
+	dir->file[dir->u_file].fs_path = fs_CopyPath(entry->fs_path);
 	dir->file[dir->u_file].name_len = entry->name_len;
-	dir->file[dir->u_file].name = malloc(entry->name_len+2);
-	memset(dir->file[dir->u_file].name,0,entry->name_len+2);	
-	memcpy(dir->file[dir->u_file].name,entry->name,entry->name_len);
-	
+	dir->file[dir->u_file].name = fs_CopyRomfsName(entry->name);
 	dir->file[dir->u_file].size = entry->size;
-	dir->file[dir->u_file].fp = entry->fp;
 	
 	dir->u_file++;
 	return 0;
 }
 
-int fs_OpenDir(fs_char *fs_path, fs_romfs_char *path, u32 pathlen, fs_dir *dir)
+int fs_OpenRootDir(const char *path, fs_dir *dir)
+{
+	fs_entry *root = calloc(1, sizeof(fs_entry));
+	u32 nul;
+
+	root->IsDir = true;
+	root->size = 0;
+
+	str_u16_to_u16(&root->name, &root->name_len, ROMFS_EMPTY_PATH, 0);
+#ifdef _WIN32
+	str_u8_to_u16(&root->fs_path, &nul, (u8*)path, strlen(path));
+#else
+	str_u8_to_u8(&root->fs_path, &nul, (u8*)path, strlen(path));
+#endif
+
+
+	int ret = fs_OpenDir(root, dir);
+
+	fs_FreeEntry(root);
+
+	return ret;
+}
+
+int fs_OpenDir(fs_entry *curr_dir_entry, fs_dir *dir)
 {
 	//printf("init open dir\n");
 	int ret = 0;
 	fs_DIR *dp;
 	fs_entry *entry;
 	
+	//printf("do some more init\n");
+	fs_InitDir(curr_dir_entry, dir);
+	//wprintf(L" rec: \"%s\" (%d)\n",dir->name,dir->name_len);
+
 	//printf("check if path exists\n");
-	dp = fs_opendir(fs_path);
+	dp = fs_opendir(dir->fs_path);
 	if(!dp)
 	{
-		//wprintf(L"[!] Failed to open directory: \"%s\"\n",path);
+		wprintf(L"[!] Failed to open directory: \"%s\"\n",dir->fs_path);
 		return -1;
 	}
 	
-	//printf("do some more init\n");
-	fs_InitDir(path,pathlen,dir);
-	//wprintf(L" rec: \"%s\" (%d)\n",dir->name,dir->name_len);
-	
-	//printf("chdir\n");
-	fs_chdir(fs_path);
-	
 	//printf("read entries\n");
-	while((entry = fs_GetEntry(dp)))
-	{
-		if(!entry)
-		{
-			ret = -1;
-			break;
-		}
-		
-		if(entry->IsDir)
-		{		
-			//printf("Found Dir ");
-			if(!fs_EntryIsDirNav(entry))
-			{
-#ifdef _WIN32
-			//wprintf(L"is a dir: \"%s\" (%d)\n",entry->fs_name,entry->name_len);
-#else
-			//printf("is a dir: \"%s\" (%d)\n",entry->fs_name,entry->name_len);
-#endif
-				ret = fs_AddDir(entry,dir);
-			}
-			else
-			{
-				//printf("Not wanted dir\n");
-				ret = 0;
-			}
-		}
-		else
-		{
-#ifdef _WIN32
-			//wprintf(L"is a file: \"%s\" (%d)\n",entry->fs_name,entry->name_len);
-#else
-			//printf("is a file: \"%s\" (%d)\n",entry->fs_name,entry->name_len);
-#endif
-			ret = fs_AddFile(entry,dir);
-		}
-		
+	while((entry = fs_GetEntry(dir->fs_path, dp)) != NULL)
+	{		
+		ret = entry->IsDir? fs_AddDir(entry, dir) : fs_AddFile(entry, dir);
+
 		//printf("free entry\n");		
 		fs_FreeEntry(entry);
 		
@@ -246,11 +313,7 @@ int fs_OpenDir(fs_char *fs_path, fs_romfs_char *path, u32 pathlen, fs_dir *dir)
 			break;
 		}
 	}
-	//printf("close dir ptr\n");
 	fs_closedir(dp);
-	//printf("return up dir\n");
-	fs_chdirUp();
-	//printf("return from fs_OpenDir();\n");
 	return ret;
 }
 
@@ -260,14 +323,11 @@ void fs_PrintDir(fs_dir *dir, u32 depth) // This is just for simple debugging, p
 	for(u32 i = 0; i < depth; i++)
 		printf(" ");
 
-#ifdef _WIN32
-	wprintf(L"%s\n",dir->name);
-#else
-	char *name = (char*)dir->name;
-	for(u32 i = 0; i < dir->name_len; i+=2)
-		putchar(name[i]);
+	if (depth > 0)
+		fs_romfs_fputs(stdout, dir->name);
+	else
+		printf("romfs:");
 	putchar('\n');
-#endif
 	
 	if(dir->u_file)
 	{
@@ -275,15 +335,8 @@ void fs_PrintDir(fs_dir *dir, u32 depth) // This is just for simple debugging, p
 		{
 			for(u32 j = 0; j < depth+1; j++)
 				printf(" ");
-			
-#ifdef _WIN32
-			wprintf(L"%s (0x%lx)\n",dir->file[i].name,dir->file[i].size);
-#else
-			name = (char*)dir->file[i].name;
-			for(u32 j = 0; j < dir->file[i].name_len; j+=2)
-				putchar(name[j]);
-			printf(" (0x%llx)\n",dir->file[i].size);
-#endif
+			fs_romfs_fputs(stdout, dir->file[i].name);
+			printf(" (0x%"PRIx64")\n", dir->file[i].size);
 		}
 	}
 	if(dir->u_child)
@@ -298,6 +351,7 @@ void fs_FreeDir(fs_dir *dir)
 	//printf("DIR!! free file names\n");
 	for(u32 i = 0; i < dir->u_file; i++)
 	{
+		free(dir->file[i].fs_path);
 		free(dir->file[i].name);
 	}
 	//printf("free file struct\n");
@@ -307,22 +361,11 @@ void fs_FreeDir(fs_dir *dir)
 	//printf("free dir names and\n");
 	for(u32 i = 0; i < dir->u_child; i++)
 	{	
+		free(dir->child[i].fs_path);
 		free(dir->child[i].name);
 		fs_FreeDir(&dir->child[i]);
 	}
 	//printf("free dir struct\n");
 	free(dir->child);
 	
-}
-
-void fs_FreeFiles(fs_dir *dir)
-{
-	for(u32 i = 0; i < dir->u_file; i++)
-	{
-		if(dir->file[i].fp)
-			fclose(dir->file[i].fp);
-	}
-	
-	for(u32 i = 0; i < dir->u_child; i++)
-		fs_FreeFiles(&dir->child[i]);
 }
\ No newline at end of file
diff --git a/makerom/dir.h b/makerom/dir.h
index f7c6938d..aadd98f7 100644
--- a/makerom/dir.h
+++ b/makerom/dir.h
@@ -9,6 +9,7 @@
 	#define fs_chdir _wchdir
 	#define fs_opendir _wopendir
 	#define fs_closedir _wclosedir
+	#define FS_PATH_SEPARATOR '\\'
 #else
 	#define fs_romfs_char u16
 	#define fs_char char
@@ -18,29 +19,30 @@
 	#define fs_chdir chdir
 	#define fs_opendir opendir
 	#define fs_closedir closedir
+	#define FS_PATH_SEPARATOR '/'
 #endif
 	
 
 struct fs_entry
 {
 	bool IsDir;
-	fs_char *fs_name;
+	fs_char *fs_path;
 	fs_romfs_char *name;
 	u32 name_len;
 	u64 size;
-	FILE *fp;
 };
 
 struct fs_file
 {
+	fs_char *fs_path;
 	fs_romfs_char *name;
 	u32 name_len;
 	u64 size;
-	FILE *fp;
 };
 
 struct fs_dir
 {
+	fs_char *fs_path;
 	fs_romfs_char *name;
 	u32 name_len;
 	
@@ -57,9 +59,21 @@ typedef struct fs_entry fs_entry;
 typedef struct fs_file fs_file;
 typedef struct fs_dir fs_dir;
 
-int fs_RomFsStrLen(fs_romfs_char *str);
+static const fs_romfs_char ROMFS_EMPTY_PATH[2] = { 0 };
+static const fs_char FS_EMPTY_PATH[2] = { 0 };
 
-int fs_OpenDir(fs_char *fs_path, fs_romfs_char *path, u32 pathlen, fs_dir *dir);
+u32 fs_romfs_strlen(const fs_romfs_char *str);
+u32 fs_strlen(const fs_char *str);
+FILE* fs_fopen(fs_char *path);
+u64 fs_fsize(fs_char *path);
+
+fs_char* fs_AppendToPath(const fs_char *src, const fs_char *add);
+fs_char* fs_CopyPath(const fs_char *src);
+fs_romfs_char* fs_CopyRomfsName(const fs_romfs_char *src);
+void fs_fputs(FILE *out, const fs_char *str);
+void fs_romfs_fputs(FILE *out, const fs_romfs_char *str);
+
+int fs_OpenRootDir(const char *path, fs_dir *dir);
+int fs_OpenDir(fs_entry *entry, fs_dir *dir);
 void fs_PrintDir(fs_dir *dir, u32 depth);
-void fs_FreeDir(fs_dir *dir);
-void fs_FreeFiles(fs_dir *dir);
\ No newline at end of file
+void fs_FreeDir(fs_dir *dir);
\ No newline at end of file
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 69621d46..384c9de5 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -536,12 +536,19 @@ int FinaliseNcch(ncch_settings *set)
 
 		// Crypting Exheader/AcexDesc
 		if(set->cryptoDetails.exhdrSize){
+			if (set->options.verbose)
+				printf("[NCCH] Encypting Exheader... ");
 			CryptNcchRegion(exhdr,set->cryptoDetails.exhdrSize,0x0,set->cryptoDetails.titleId,set->keys->aes.ncchKey0,ncch_exhdr);
 			CryptNcchRegion(acexDesc,set->cryptoDetails.acexSize,set->cryptoDetails.exhdrSize,set->cryptoDetails.titleId,set->keys->aes.ncchKey0,ncch_exhdr);
+			if (set->options.verbose)
+				printf("Done!\n");
 		}			
 
 		// Crypting ExeFs Files
 		if(set->cryptoDetails.exefsSize){
+			if (set->options.verbose)
+				printf("[NCCH] Encrypting ExeFS... ");
+
 			exefs_hdr *exefsHdr = (exefs_hdr*)exefs;
 			for(int i = 0; i < MAX_EXEFS_SECTIONS; i++){
 				u8 *key = NULL;
@@ -559,11 +566,19 @@ int FinaliseNcch(ncch_settings *set)
 			}
 			// Crypting ExeFs Header
 			CryptNcchRegion(exefs,sizeof(exefs_hdr),0x0,set->cryptoDetails.titleId,set->keys->aes.ncchKey0,ncch_exefs);
+
+			if (set->options.verbose)
+				printf("Done!\n");
 		}
 
 		// Crypting RomFs
-		if(set->cryptoDetails.romfsSize)
-			CryptNcchRegion(romfs,set->cryptoDetails.romfsSize,0x0,set->cryptoDetails.titleId,set->keys->aes.ncchKey1,ncch_romfs);
+		if (set->cryptoDetails.romfsSize) {
+			if (set->options.verbose)
+				printf("[NCCH] Encrypting RomFS... ");
+			CryptNcchRegion(romfs, set->cryptoDetails.romfsSize, 0x0, set->cryptoDetails.titleId, set->keys->aes.ncchKey1, ncch_romfs);
+			if (set->options.verbose)
+				printf("Done!\n");
+		}
 	}
 
 	return 0;
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 23d7dfe1..29e4f76e 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -615,6 +615,10 @@ int CheckRomConfig(cci_settings *set)
 
 void WriteCciDataToOutput(cci_settings *set)
 {
+	if (set->options.verbose) {
+		printf("[CCI] Writing header to file... ");
+	}
+
 	// NCSD Header
 	WriteBuffer(set->headers.ccihdr.buffer, set->headers.ccihdr.size, 0, set->out);
 	// Card Info Header
@@ -629,18 +633,34 @@ void WriteCciDataToOutput(cci_settings *set)
 		memset(dummy_data, 0xff, len);
 	WriteBuffer(dummy_data, len, (set->headers.ccihdr.size + set->headers.cardinfohdr.size),set->out);	
 	free(dummy_data);
+
+	if (set->options.verbose) {
+		printf("Done!\n");
+	}
 	
 	// NCCH Partitions
 	u8 *ncch;
 	for(int i = 0; i < CCI_MAX_CONTENT; i++){
 		if(set->content.active[i]){
+			if (set->options.verbose) {
+				printf("[CCI] Writing content %d to file... ", i);
+			}
+
 			ncch = set->content.data + set->content.dOffset[i];
 			WriteBuffer(ncch, set->content.dSize[i], set->content.cOffset[i], set->out);
+
+			if (set->options.verbose) {
+				printf("Done!\n");
+			}
 		}
 	}	
 	
 	// Cci Padding
 	if(set->options.padCci){
+		if (set->options.verbose) {
+			printf("[CCI] Writing padding to file... ");
+		}
+
 		fseek_64(set->out,set->romInfo.usedSize);
 
 		// Determining Size of Padding
@@ -655,6 +675,10 @@ void WriteCciDataToOutput(cci_settings *set)
 			fwrite(pad,set->romInfo.blockSize,1,set->out);
 			
 		free(pad);
+
+		if (set->options.verbose) {
+			printf("Done!");
+		}
 	}
 	
 	return;
diff --git a/makerom/romfs.c b/makerom/romfs.c
index 9e3956a1..bf174fc8 100644
--- a/makerom/romfs.c
+++ b/makerom/romfs.c
@@ -10,6 +10,7 @@ void FreeRomFsCtx(romfs_buildctx *ctx);
 // RomFs Build Functions
 int SetupRomFs(ncch_settings *ncchset, romfs_buildctx *ctx)
 {
+	ctx->verbose = ncchset->options.verbose;
 	ctx->output = NULL;
 	ctx->romfsSize = 0;
 
@@ -46,7 +47,6 @@ int BuildRomFs(romfs_buildctx *ctx)
 void FreeRomFsCtx(romfs_buildctx *ctx)
 {
 	if(ctx->fs){
-		fs_FreeFiles(ctx->fs);
 		fs_FreeDir(ctx->fs);	
 		free(ctx->fs);
 	}
diff --git a/makerom/romfs.h b/makerom/romfs.h
index 96ec1233..48d5400d 100644
--- a/makerom/romfs.h
+++ b/makerom/romfs.h
@@ -72,6 +72,8 @@ typedef struct
 
 typedef struct
 {
+	bool verbose;
+
 	u8 *output;
 	u64 romfsSize;
 	u64 romfsHeaderSize;
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 3db457bf..8eba46cc 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -5,7 +5,6 @@
 
 const int ROMFS_BLOCK_SIZE = 0x1000;
 const unsigned int ROMFS_UNUSED_ENTRY = 0xffffffff;
-const fs_romfs_char ROMFS_EMPTY_PATH[2] = {0x0000, 0x0000};
 
 // Build
 bool IsFileWanted(fs_file *file, void *filter_criteria);
@@ -21,60 +20,39 @@ void PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
-u32 CalcPathHash(u32 parent, fs_romfs_char* path, u32 start, u32 length);
+u32 CalcPathHash(u32 parent, const fs_romfs_char* path, u32 start, u32 length);
 
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 {
-	/* Input Path */
-	const int CWD_MAX_LEN = 1024;
-	char *cwd = calloc(CWD_MAX_LEN,sizeof(char));
-	getcwd(cwd,CWD_MAX_LEN);
-
-	char *dir = ncchset->rsfSet->RomFs.RootPath;
-
-	fs_char *fs_path;
-	fs_romfs_char *path;
-	u32 path_len;
-#ifdef _WIN32
-	str_u8_to_u16(&path,&path_len,(u8*)dir,strlen(dir));
-	fs_path = path;
-#else
-	str_utf8_to_u16(&path,&path_len,(u8*)dir,strlen(dir));
-	fs_path = dir;
-#endif
-
 	/* FS Structures */
 	void *filter_criteria = NULL;
 	fs_dir *fs_raw = calloc(1,sizeof(fs_dir));
 	ctx->fs = calloc(1,sizeof(fs_dir));
 
 	/* Import FS and process */
-	fs_OpenDir(fs_path,path,path_len,fs_raw);
+	fs_OpenRootDir(ncchset->rsfSet->RomFs.RootPath,fs_raw);
 	FilterRomFS(fs_raw,ctx->fs,filter_criteria);
 	
 	/* free unfiltered FS */
-	fs_FreeFiles(fs_raw); // All important FPs have been moved with FilterRomFS, so only un-wanted FPs are closed here
 	fs_FreeDir(fs_raw);
 	free(fs_raw);
 	
 	/* Abort romfs making, if no wanted files/directories were found */
 	if(ctx->fs->u_file == 0 && ctx->fs->u_child == 0){
 		ctx->romfsSize = 0;
-		goto finish;
+		return 0;
 	}
 	
+	CalcRomfsSize(ctx);
 	
-	/* Print Filtered FS */
-	if(ncchset->options.verbose){
+	if (ctx->verbose) {
 		printf("[ROMFS] File System:\n");
-		fs_PrintDir(ctx->fs,0);
+		printf(" > Size:         %"PRIx64"\n", ctx->romfsSize);
+		printf(" > Directories:  %d\n", ctx->dirNum);
+		printf(" > Files:        %d\n", ctx->fileNum);
 	}
-	
-	CalcRomfsSize(ctx);
-	
-finish:
-	chdir(cwd);
+
 	return 0;
 }
 
@@ -208,9 +186,10 @@ int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria)
 	if(!IsDirWanted(fs_raw,filter_criteria))
 		return 0;
 	
+	fs_filtered->fs_path = fs_CopyPath(fs_raw->fs_path);
+
 	fs_filtered->name_len = fs_raw->name_len;
-	fs_filtered->name = calloc(fs_filtered->name_len+2,1);
-	memcpy(fs_filtered->name,fs_raw->name,fs_filtered->name_len);
+	fs_filtered->name = fs_CopyRomfsName(fs_raw->name);
 	
 	fs_filtered->u_child = 0;
 	fs_filtered->m_child = fs_raw->u_child;
@@ -233,16 +212,13 @@ int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria)
 	{
 		if(IsFileWanted(&fs_raw->file[i],filter_criteria))
 		{
+			fs_filtered->file[fs_filtered->u_file].fs_path = fs_CopyPath(fs_raw->file[i].fs_path);
+
 			fs_filtered->file[fs_filtered->u_file].name_len = fs_raw->file[i].name_len;
-			fs_filtered->file[fs_filtered->u_file].name = malloc(fs_filtered->file[fs_filtered->u_file].name_len+2);
-			memset(fs_filtered->file[fs_filtered->u_file].name,0,fs_filtered->file[fs_filtered->u_file].name_len+2);
-			memcpy(fs_filtered->file[fs_filtered->u_file].name,fs_raw->file[i].name,fs_filtered->file[fs_filtered->u_file].name_len);
+			fs_filtered->file[fs_filtered->u_file].name = fs_CopyRomfsName(fs_raw->file[i].name);
 			
 			fs_filtered->file[fs_filtered->u_file].size = fs_raw->file[i].size;
 			
-			fs_filtered->file[fs_filtered->u_file].fp = fs_raw->file[i].fp;
-			fs_raw->file[i].fp = NULL;
-			
 			fs_filtered->u_file++;
 		}
 	}
@@ -301,15 +277,15 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	}
 }
 
-u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, fs_romfs_char *path)
+u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, const fs_romfs_char *path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, fs_RomFsStrLen(path));
+	u32 hash = CalcPathHash(parent, path, 0, fs_romfs_strlen(path));
 	return hash % ctx->m_fileHashTable;
 }
 
-u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, fs_romfs_char* path)
+u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, const fs_romfs_char* path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, fs_RomFsStrLen(path));
+	u32 hash = CalcPathHash(parent, path, 0, fs_romfs_strlen(path));
 	return hash % ctx->m_dirHashTable;
 }
 
@@ -338,7 +314,21 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 		u64_to_u8(entry->dataoffset,ctx->u_dataLen,LE);
 		u64_to_u8(entry->datasize,file->size,LE);
 		u8 *data_pos = (ctx->data + ctx->u_dataLen);
-		ReadFile64(data_pos,file->size,0,file->fp);
+
+		if (ctx->verbose) {
+			printf("[ROMFS] Reading \"");
+			fs_fputs(stdout, file->fs_path);
+			printf("\"... ");
+		}
+
+		FILE *fp = fs_fopen(file->fs_path);
+		fread(data_pos, file->size, 1, fp);
+		fclose(fp);
+
+		if (ctx->verbose) {
+			printf("Done!\n");
+		}
+
 		ctx->u_dataLen += file->size; // adding file size
 	}
 	else
@@ -351,7 +341,6 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 {
 	u32 offset = ctx->u_dirTableLen;
-	u32 hashindex;
 	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + offset);
 	
 	/* Set entry data */
@@ -360,37 +349,19 @@ void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 	u32_to_u8(entry->childoffset, ROMFS_UNUSED_ENTRY, LE);
 	u32_to_u8(entry->fileoffset, ROMFS_UNUSED_ENTRY, LE);
 	
-
-	/* If root dir ... */
-	if(offset == 0)
-	{
-		/* Import name (root dir has no name) */
-		u32_to_u8(entry->namesize,0,LE);
-
-		/* Get hash table index */
-		hashindex = GetDirHashTableIndex(ctx, parent, (fs_romfs_char*)ROMFS_EMPTY_PATH);
-
-		/* Increment used dir table length */
-		ctx->u_dirTableLen += sizeof(romfs_direntry);
-	}
-	else
-	{
-		/* Import name */
-		u32_to_u8(entry->namesize,fs->name_len,LE);
-		u8 *name_pos = (u8*)(ctx->dirTable + ctx->u_dirTableLen + sizeof(romfs_direntry));
-		memset(name_pos,0,(u32)align(fs->name_len,4));
-		memcpy(name_pos,(u8*)fs->name,fs->name_len);
-
-		/* Get hash table index */
-		hashindex = GetDirHashTableIndex(ctx, parent, fs->name);
-
-		/* Increment used dir table length */
-		ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->name_len,4);
-	}
+	/* Import name */
+	u32_to_u8(entry->namesize,fs->name_len,LE);
+	u8 *name_pos = (u8*)(ctx->dirTable + ctx->u_dirTableLen + sizeof(romfs_direntry));
+	memset(name_pos,0,(u32)align(fs->name_len,4));
+	memcpy(name_pos,(u8*)fs->name,fs->name_len);
 
 	/* Set hash data */
-	u32_to_u8(entry->hashoffset, u8_to_u32(ctx->dirHashTable + hashindex*4, LE), LE);
-	u32_to_u8(ctx->dirHashTable + hashindex*4, offset, LE);
+	u32 hashindex = GetDirHashTableIndex(ctx, parent, fs->name);
+	u32_to_u8(entry->hashoffset, u8_to_u32(ctx->dirHashTable + hashindex * 4, LE), LE);
+	u32_to_u8(ctx->dirHashTable + hashindex * 4, offset, LE);
+
+	/* Increment used dir table length */
+	ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->name_len,4);
 }
 
 void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
@@ -425,10 +396,10 @@ void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
 		u32_to_u8(entry->childoffset, ctx->u_dirTableLen, LE);
 		for (u32 i = 0; i < fs->u_child; i++)
 		{
-			/* Store address fo child */
+			/* Store address for child */
 			childs[i] = ctx->u_dirTableLen;
 			
-			
+			/* If is the last child directory, no more siblings  */
 			u32 dir_sibling = 0;
 			if (i >= fs->u_child - 1)
 				dir_sibling = ROMFS_UNUSED_ENTRY;
@@ -488,7 +459,7 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	return;
 }
 
-u32 CalcPathHash(u32 parent, fs_romfs_char* path, u32 start, u32 length)
+u32 CalcPathHash(u32 parent, const fs_romfs_char* path, u32 start, u32 length)
 {
 	u32 hash = parent ^ 123456789;
 	for( u32 index = 0; index < length; index++ )
diff --git a/makerom/titleid.c b/makerom/titleid.c
index 9bf82174..33961a4e 100644
--- a/makerom/titleid.c
+++ b/makerom/titleid.c
@@ -2,6 +2,7 @@
 #include "ncch_read.h"
 #include "titleid.h"
 
+const u16 DEFAULT_CATEGORY = PROGRAM_ID_CATEGORY_APPLICATION;
 const u32 DEFAULT_UNIQUE_ID = 0xff3ff;
 
 void SetPIDType(u16 *type);
@@ -28,7 +29,7 @@ u32 GetTidUniqueId(u64 titleId)
 
 int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 {
-	int ret;
+	int ret = 0;
 	u32 uniqueId;
 	u16 type,category;
 	u8 variation;
@@ -42,12 +43,15 @@ int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 	SetPIDType(&type);
 	
 	// Getting Category
-	if(rsf->TitleInfo.Category) 
-		ret = SetPIDCategoryFromName(&category,rsf->TitleInfo.Category);
-	else if(rsf->TitleInfo.CategoryFlags) 
-		ret = SetPIDCategoryFromFlags(&category,rsf->TitleInfo.CategoryFlags,rsf->TitleInfo.CategoryFlagsNum);
 	if(IsForExheader && rsf->TitleInfo.TargetCategory)
 		ret = SetPIDCategoryFromName(&category,rsf->TitleInfo.TargetCategory);
+	else if (rsf->TitleInfo.Category)
+		ret = SetPIDCategoryFromName(&category, rsf->TitleInfo.Category);
+	else if (rsf->TitleInfo.CategoryFlags)
+		ret = SetPIDCategoryFromFlags(&category, rsf->TitleInfo.CategoryFlags, rsf->TitleInfo.CategoryFlagsNum);
+	else
+		category = DEFAULT_CATEGORY;
+
 	if(ret == PID_INVALID_CATEGORY) // Error occured
 		return PID_BAD_RSF_SET;
 
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index aa5bc468..8bfe595a 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -6,6 +6,7 @@ void DisplayExtendedHelp(char *app_name);
 void SetDefaults(user_settings *set);
 int SetArgument(int argc, int i, char *argv[], user_settings *set);
 int CheckArgumentCombination(user_settings *set);
+const char* GetOutputExtention(u8 file_type);
 void PrintNeedsArg(char *arg);
 void PrintArgInvalid(char *arg);
 void PrintArgReqParam(char *arg, u32 paramNum);
@@ -75,14 +76,7 @@ int ParseArgs(int argc, char *argv[], user_settings *set)
 			source_path = set->common.workingFilePath;
 		else
 			source_path = set->common.contentPath[0];
-		u16 outfile_len = strlen(source_path) + 0x10;
-		set->common.outFileName = calloc(outfile_len, sizeof(char));
-		if (!set->common.outFileName) {
-			fprintf(stderr, "[SETTING ERROR] Not Enough Memory\n");
-			return USR_MEM_ERROR;
-		}
-		set->common.outFileName_mallocd = true;
-		append_filextention(set->common.outFileName, outfile_len, source_path, (char*)&output_extention[set->common.outFormat - 1]);
+		set->common.outFileName = replace_filextention(source_path, GetOutputExtention(set->common.outFormat));
 	}
 	return 0;
 }
@@ -95,7 +89,7 @@ void SetDefaults(user_settings *set)
 
 	// Build NCCH Info
 	set->ncch.useSecCrypto = false;
-	set->ncch.buildNcch0 = false;
+	set->ncch.buildNcch0 = true;
 	set->ncch.includeExefsLogo = false;
 	set->common.outFormat = NCCH;
 	set->ncch.ncchType = format_not_set;
@@ -704,22 +698,18 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 
 int CheckArgumentCombination(user_settings *set)
 {
-	if (set->ncch.ncchType & (CXI | CFA)) {
+	if (set->common.contentPath[0] == NULL) {
 		set->ncch.buildNcch0 = true;
 		if (set->ncch.ncchType & CXI)
 			set->ncch.ncchType = CXI;
 		else
 			set->ncch.ncchType = CFA;
-	}
 
-	if (set->common.outFormat == NCCH) {
-		set->ncch.buildNcch0 = true;
-		if (set->ncch.ncchType)
+		if (set->common.outFormat == NCCH) 
 			set->common.outFormat = set->ncch.ncchType;
-		else {
-			set->ncch.ncchType = CFA;
-			set->common.outFormat = CFA;
-		}
+	}
+	else {
+		set->ncch.buildNcch0 = false;
 	}
 
 	for (int i = 0; i < CIA_MAX_CONTENT; i++) {
@@ -733,11 +723,6 @@ int CheckArgumentCombination(user_settings *set)
 		}
 	}
 
-	if (set->common.contentPath[0] && set->ncch.buildNcch0) {
-		fprintf(stderr, "[SETTING ERROR] You cannot both import and build content 0\n");
-		return USR_BAD_ARG;
-	}
-
 	if (set->common.outFormat == CIA && set->cci.cverDataPath) {
 		fprintf(stderr, "[SETTING ERROR] You cannot use argument \"-cverinfo\" when generating a CIA\n");
 		return USR_BAD_ARG;
@@ -808,6 +793,18 @@ int CheckArgumentCombination(user_settings *set)
 	return 0;
 }
 
+const char* GetOutputExtention(u8 file_type)
+{
+	switch (file_type) {
+	case(NCCH) : return ".app";
+	case(CXI) : return ".cxi";
+	case(CFA) : return ".cfa";
+	case(CIA) : return ".cia";
+	case(CCI) : return ".cci";
+	default: return ".bin";
+	}
+}
+
 void init_UserSettings(user_settings *set)
 {
 	memset(set, 0, sizeof(user_settings));
diff --git a/makerom/utils.c b/makerom/utils.c
index dd08733b..2899b770 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -53,27 +53,27 @@ u64 max64(u64 a, u64 b)
 }
 
 // Strings
-int append_filextention(char *output, u16 max_outlen, char *input, char extention[])
+char* replace_filextention(const char *input, const char *new_ext)
 {
-	if(output == NULL || input == NULL){
-		printf("[!] Memory Error\n");
-		return Fail;
-	}
-	memset(output,0,max_outlen);
-	u16 extention_point = strlen(input)+1;
-	for(int i = strlen(input)-1; i > 0; i--){
-		if(input[i] == '.'){
-			extention_point = i;
-			break;
-		}
+	if(input == NULL || new_ext == NULL)
+		return NULL;
+
+	char *new_name;
+	char *ext = strrchr(input, '.');
+
+	// If there is no existing extention, just append new_ext
+	if (!ext) {
+		new_name = calloc(strlen(input) + strlen(new_ext), 1);
+		sprintf(new_name, "%s%s", input, new_ext);
 	}
-	if(extention_point+strlen(extention) >= max_outlen){
-		printf("[!] Input File Name Too Large for Output buffer\n");
-		return Fail;
+	else {
+		u32 size = ext - input;
+		new_name = calloc(size + strlen(new_ext), 1);
+		snprintf(new_name, size, "%s", input);
+		sprintf(new_name, "%s%s", new_name, new_ext);
 	}
-	memcpy(output,input,extention_point);
-	sprintf(output,"%s%s",output,extention);
-	return 0;
+	
+	return new_name;
 }
 
 void memdump(FILE* fout, const char* prefix, const u8* data, u32 size)
@@ -104,7 +104,7 @@ void memdump(FILE* fout, const char* prefix, const u8* data, u32 size)
 	}
 }
 
-int str_u8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len)
+int str_u8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len)
 {
 	*dst_len = src_len*sizeof(u16);
 	*dst = malloc((*dst_len)+sizeof(u16));
@@ -117,7 +117,7 @@ int str_u8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len)
 	return 0;
 }
 
-int str_u16_to_u16(u16 **dst, u32 *dst_len, u16 *src, u32 src_len)
+int str_u16_to_u16(u16 **dst, u32 *dst_len, const u16 *src, u32 src_len)
 {
 	*dst_len = src_len*sizeof(u16);
 	*dst = malloc((*dst_len)+sizeof(u16));
@@ -130,7 +130,7 @@ int str_u16_to_u16(u16 **dst, u32 *dst_len, u16 *src, u32 src_len)
 	return 0;
 }
 
-int str_u32_to_u16(u16 **dst, u32 *dst_len, u32 *src, u32 src_len)
+int str_u32_to_u16(u16 **dst, u32 *dst_len, const u32 *src, u32 src_len)
 {
 	*dst_len = src_len*sizeof(u16);
 	*dst = malloc((*dst_len)+sizeof(u16));
@@ -144,7 +144,7 @@ int str_u32_to_u16(u16 **dst, u32 *dst_len, u32 *src, u32 src_len)
 }
 
 #ifndef _WIN32
-int str_utf8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len)
+int str_utf8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len)
 {
 	*dst_len = src_len*sizeof(u16);
 	*dst = malloc((*dst_len)+sizeof(u16));
diff --git a/makerom/utils.h b/makerom/utils.h
index 6d30d511..1a89100e 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -18,13 +18,13 @@ u64 min64(u64 a, u64 b);
 u64 max64(u64 a, u64 b);
 
 // Strings
-void memdump(FILE* fout, const char* prefix, const u8* data, u32 size);
-int append_filextention(char *output, u16 max_outlen, char *input, char extention[]);
-int str_u8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len);
-int str_u16_to_u16(u16 **dst, u32 *dst_len, u16 *src, u32 src_len);
-int str_u32_to_u16(u16 **dst, u32 *dst_len, u32 *src, u32 src_len);
+void memdump(FILE* fout, const char* prefix, const const u8* data, u32 size);
+char* replace_filextention(const char *input, const char *extention);
+int str_u8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len);
+int str_u16_to_u16(u16 **dst, u32 *dst_len, const u16 *src, u32 src_len);
+int str_u32_to_u16(u16 **dst, u32 *dst_len, const u32 *src, u32 src_len);
 #ifndef _WIN32
-int str_utf8_to_u16(u16 **dst, u32 *dst_len, u8 *src, u32 src_len);
+int str_utf8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len);
 #endif
 
 // Base64

From 7270990f66edaa7e2b45ded7412cf757b4383b67 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Wed, 11 Nov 2015 23:24:12 +0800
Subject: [PATCH 118/317] [makerom] misc

---
 makerom/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index d15d60f4..e68a81c4 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 # Compiler Settings
 LIBS = -static-libgcc
 CXXFLAGS = -I.
-CFLAGS = --std=c99 -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. $(MAKEROM_BUILD_FLAGS)
+CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. $(MAKEROM_BUILD_FLAGS)
 CC = gcc
 CXX = g++
 

From 7c3b5faed6230e8c90fb0a87c35520ad9ecd65ba Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 12 Nov 2015 08:33:05 +0800
Subject: [PATCH 119/317] [makerom] misc

---
 makerom/user_settings.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 8bfe595a..c2655684 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -76,6 +76,7 @@ int ParseArgs(int argc, char *argv[], user_settings *set)
 			source_path = set->common.workingFilePath;
 		else
 			source_path = set->common.contentPath[0];
+		set->common.outFileName_mallocd = true;
 		set->common.outFileName = replace_filextention(source_path, GetOutputExtention(set->common.outFormat));
 	}
 	return 0;
@@ -676,13 +677,11 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		val_pos = (val_pos + 1);
 		name_len = (val_pos - 1 - name_pos);
-		set->dname.items[set->dname.u_items].name = malloc(name_len + 1);
-		memset(set->dname.items[set->dname.u_items].name, 0, name_len + 1);
+		set->dname.items[set->dname.u_items].name = calloc(name_len + 1, sizeof(char));
 		memcpy(set->dname.items[set->dname.u_items].name, name_pos, name_len);
 
 		val_len = strlen(val_pos);
-		set->dname.items[set->dname.u_items].value = malloc(val_len + 1);
-		memset(set->dname.items[set->dname.u_items].value, 0, val_len + 1);
+		set->dname.items[set->dname.u_items].value = calloc(val_len + 1, sizeof(char));
 		memcpy(set->dname.items[set->dname.u_items].value, val_pos, val_len);
 
 		set->dname.u_items++;

From 0854cbe5d1bd94b8da4638ce1120780e6cfacff4 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 15 Nov 2015 03:19:53 +0800
Subject: [PATCH 120/317] [makerom] fixed romfs (for linux)

---
 makerom/dir.c                   | 343 ++++++++++++--------------------
 makerom/dir.h                   |  61 +++---
 makerom/makerom.vcxproj.filters |  12 +-
 makerom/romfs.c                 |   2 +-
 makerom/romfs.h                 |   2 +-
 makerom/romfs_gen.c             |  95 ++++-----
 makerom/utils.c                 | 121 ++++++-----
 makerom/utils.h                 |   9 +-
 8 files changed, 285 insertions(+), 360 deletions(-)

diff --git a/makerom/dir.c b/makerom/dir.c
index 097c44ec..7cb724d2 100644
--- a/makerom/dir.c
+++ b/makerom/dir.c
@@ -2,35 +2,36 @@
 #include "dir.h"
 #include "utf.h"
 
-const fs_romfs_char FS_CURRENT_DIR_PATH = 0x2E;
-const fs_romfs_char FS_PARENT_DIR_PATH[2] = { 0x2E,0x2E };
-
 /* This is the FS interface for ROMFS generation */
 /* Tested working on Windows/Linux/OSX */
-int fs_InitDir(const fs_entry *entry, fs_dir *dir);
-int fs_ManageDirSlot(fs_dir *dir);
-int fs_ManageFileSlot(fs_dir *dir);
-void fs_chdirUp(void);
-fs_entry* fs_GetEntry(const fs_char *parent_path, fs_DIR *dp);
-void fs_FreeEntry(fs_entry *entry);
-bool fs_EntryIsDirNav(fs_entry *entry);
-int fs_AddDir(fs_entry *entry, fs_dir *dir);
-int fs_AddFile(fs_entry *entry, fs_dir *dir);
-
-u32 fs_romfs_strlen(const fs_romfs_char *str)
+int OpenDir(romfs_dir *dir);
+int InitDir(romfs_dir *dir);
+int ManageDir(romfs_dir *dir);
+
+u32 fs_strlen(const fs_char *str)
 {
-	u32 i;
-	for( i = 0; str[i] != 0x0; i++ );
-	return i;
+#ifdef _WIN32
+	return strlen_char16(str);
+#else
+	return strlen(str);
+#endif
 }
 
-u32 fs_strlen(const fs_char *str)
+u32 romfs_strlen(const romfs_char *str)
 {
-	u32 i;
-	for (i = 0; str[i] != 0x0; i++);
-	return i;
+	return strlen_char16(str);
 }
 
+int fs_strcmp(const fs_char *str1, const fs_char *str2)
+{
+#ifdef _WIN32
+	return wcscmp(str1, str2);
+#else
+	return strcmp(str1, str2);
+#endif
+}
+
+
 FILE* fs_fopen(fs_char *path)
 {
 #ifdef _WIN32
@@ -67,264 +68,164 @@ fs_char* fs_AppendToPath(const fs_char *src, const fs_char *add)
 	return new_path;
 }
 
-fs_char* fs_CopyPath(const fs_char *src)
+fs_char* fs_CopyStr(const fs_char *src)
 {
-	u32 src_len;
-	fs_char *new_path;
-
-	src_len = fs_strlen(src);
-	new_path = calloc(src_len + 0x10, sizeof(fs_char));
-
-	for (u32 i = 0; i < src_len; i++)
-		new_path[i] = src[i];
-
-	return new_path;
+#ifdef _WIN32
+	return strcopy_16to16(src);
+#else
+	return strcopy_8to8(src);
+#endif
 }
 
-fs_romfs_char* fs_CopyRomfsName(const fs_romfs_char *src)
+romfs_char* romfs_CopyConvertStr(const fs_char *src)
 {
-	u32 src_len;
-	fs_romfs_char *new_path;
-
-	src_len = fs_strlen(src);
-	new_path = calloc(src_len + 0x10, sizeof(fs_romfs_char));
+#ifdef _WIN32
+	return strcopy_16to16(src);
+#else
+	return strcopy_utf8to16(src);
+#endif
+}
 
-	for (u32 i = 0; i < src_len; i++)
-		new_path[i] = src[i];
 
-	return new_path;
+romfs_char* romfs_CopyStr(const romfs_char *src)
+{
+	return strcopy_16to16(src);
 }
 
-void fs_fputs(FILE *out, const fs_char *str)
+void fs_fputs(const fs_char *str, FILE *out)
 {
 #ifdef _WIN32
-	wprintf(L"%s", str);
+	fwprintf(out,L"%s", str);
 #else
-	printf("%s", str);
+	fprintf(out,"%s", str);
 #endif
 }
 
-void fs_romfs_fputs(FILE *out, const fs_romfs_char *str)
+void romfs_fputs(const romfs_char *str, FILE *out)
 {
 #ifdef _WIN32
-	wprintf(L"%s", str);
+	fwprintf(out,L"%s", str);
 #else
 	const char *name = (const char*)str;
-	for (u32 i = 0; i < fs_romfs_strlen(str)*2; i += 2)
-		putchar(name[i]);
+	for (u32 i = 0; i < romfs_strlen(str)*2; i += 2)
+		fputc(name[i],out);
 #endif
 }
 
-int fs_InitDir(const fs_entry *entry, fs_dir *dir)
+int InitDir(romfs_dir *dir)
 {
-	dir->fs_path = fs_CopyPath(entry->fs_path);
-
-	dir->name_len = entry->name_len;
-	dir->name = fs_CopyRomfsName(entry->name);
-	
 	dir->m_child = 10;
 	dir->u_child = 0;
-	dir->child = calloc(dir->m_child,sizeof(fs_dir));
+	dir->child = calloc(dir->m_child,sizeof(romfs_dir));
 	
 	dir->m_file = 10;
 	dir->u_file = 0;
-	dir->file = calloc(dir->m_file,sizeof(fs_file));
-	
-	return 0;
-}
+	dir->file = calloc(dir->m_file,sizeof(romfs_file));
 
-int fs_ManageDirSlot(fs_dir *dir)
-{
-	if(dir->u_child >= dir->m_child)
-	{
-		dir->m_child *= 2;
-		fs_dir *tmp = calloc(dir->m_child,sizeof(fs_dir));
-		memcpy(tmp,dir->child,sizeof(fs_dir)*dir->u_child);
-		free(dir->child);
-		dir->child = tmp;
-	}
-	return 0;
-}
-
-int fs_ManageFileSlot(fs_dir *dir)
-{
-	if(dir->u_file >= dir->m_file)
-	{
-		dir->m_file *= 2;
-		fs_file *tmp = calloc(dir->m_file,sizeof(fs_file));
-		memcpy(tmp,dir->file,sizeof(fs_file)*dir->u_file);
-		free(dir->file);
-		dir->file = tmp;
-	}
+	if (dir->child == NULL || dir->file == NULL)
+		return MEM_ERROR;
+	
 	return 0;
 }
 
-fs_entry* fs_GetEntry(const fs_char *parent_path, fs_DIR *dp)
+int ManageDir(romfs_dir *dir)
 {
-	// Directory structs
-	struct fs_dirent *tmp_entry;
-	fs_DIR *tmp_dptr;
-	u32 namlen = 0;
-	
-	//printf("get api dir entry from dir ptr\n");
-	tmp_entry = fs_readdir(dp);
-	
-	//printf("if null, return\n");
-	if(!tmp_entry) 
-		return NULL;
-		
-#ifdef _WIN32
-	namlen = tmp_entry->d_namlen;
-#else
-	namlen = strlen(tmp_entry->d_name);
-#endif
-		
-	//printf("allocate memory for entry\n");
-	fs_entry *entry  = malloc(sizeof(fs_entry));
-	memset(entry,0,sizeof(fs_entry));
-	
-	//Copy FS compatible Entry name
-	fs_char *fs_name = calloc(sizeof(fs_char)*(namlen+1),1);
-	memcpy(fs_name,tmp_entry->d_name,sizeof(fs_char)*namlen);
-	entry->fs_path = fs_AppendToPath(parent_path, fs_name);
-	
-	// Convert Entry name into RomFS u16 char (windows wchar_t, thanks Nintendo)
-#if _WIN32
-	str_u16_to_u16(&entry->name,&entry->name_len,tmp_entry->d_name,namlen);
-#else
-	str_utf8_to_u16(&entry->name,&entry->name_len,(u8*)tmp_entry->d_name,namlen);
-#endif
-	
-	//printf("get dir entry from dir ptr to check if dir\n");
-	tmp_dptr = fs_opendir(entry->fs_path);
-	if(tmp_dptr)
-	{
-		//printf("is dir\n");
-		fs_closedir(tmp_dptr);
-		entry->IsDir = true;
-		entry->size = 0;
-	}
-	else // Open file if it is a file
-	{
-		entry->IsDir = false;
-		entry->size = fs_fsize(entry->fs_path);
+	if (dir->u_child >= dir->m_child) {
+		dir->m_child = 2 * dir->u_child;
+		dir->child = realloc(dir->child, dir->m_child*sizeof(romfs_dir));
 	}
-	
-	// Don't bother returning current entry, if it is useless
-	if (fs_EntryIsDirNav(entry)) {
-		fs_FreeEntry(entry);
-		return fs_GetEntry(parent_path, dp);
+	if (dir->u_file >= dir->m_file) {
+		dir->m_file = 2 * dir->u_file;
+		dir->file = realloc(dir->file, dir->m_file*sizeof(romfs_file));
 	}
 
-	return entry;
-}
-
-void fs_FreeEntry(fs_entry *entry)
-{
-	free(entry->fs_path);
-	free(entry->name);
-	free(entry);
-}
-
-bool fs_EntryIsDirNav(fs_entry *entry)
-{
-	if(entry->name_len == sizeof(fs_romfs_char)*1 && memcmp(entry->name,&FS_CURRENT_DIR_PATH,sizeof(fs_romfs_char)*1) == 0)
-		return true;
-	if(entry->name_len == sizeof(fs_romfs_char)*2 && memcmp(entry->name,FS_PARENT_DIR_PATH,sizeof(fs_romfs_char)*2) == 0)
-		return true;
-	return false;
-	
-}
-
-int fs_AddDir(fs_entry *entry, fs_dir *dir)
-{
-	fs_ManageDirSlot(dir);
-	u32 current_slot = dir->u_child;
-
-	dir->u_child++;
-	return fs_OpenDir(entry,&dir->child[current_slot]);
-}
+	if (dir->child == NULL || dir->file == NULL)
+		return MEM_ERROR;
 
-int fs_AddFile(fs_entry *entry, fs_dir *dir)
-{
-	fs_ManageFileSlot(dir);
-	dir->file[dir->u_file].fs_path = fs_CopyPath(entry->fs_path);
-	dir->file[dir->u_file].name_len = entry->name_len;
-	dir->file[dir->u_file].name = fs_CopyRomfsName(entry->name);
-	dir->file[dir->u_file].size = entry->size;
-	
-	dir->u_file++;
 	return 0;
 }
 
-int fs_OpenRootDir(const char *path, fs_dir *dir)
+int OpenRootDir(const char *path, romfs_dir *dir)
 {
-	fs_entry *root = calloc(1, sizeof(fs_entry));
-	u32 nul;
-
-	root->IsDir = true;
-	root->size = 0;
-
-	str_u16_to_u16(&root->name, &root->name_len, ROMFS_EMPTY_PATH, 0);
+	// Create native FS path
 #ifdef _WIN32
-	str_u8_to_u16(&root->fs_path, &nul, (u8*)path, strlen(path));
+	dir->path = strcopy_8to16(path);
 #else
-	str_u8_to_u8(&root->fs_path, &nul, (u8*)path, strlen(path));
+	dir->path = strcopy_8to8(path);
 #endif
-
-
-	int ret = fs_OpenDir(root, dir);
-
-	fs_FreeEntry(root);
-
-	return ret;
+	// Copy romfs name (empty string)
+	dir->name = romfs_CopyStr(ROMFS_EMPTY_PATH);
+	dir->namesize = 0;
+	
+	return OpenDir(dir);
 }
 
-int fs_OpenDir(fs_entry *curr_dir_entry, fs_dir *dir)
+int OpenDir(romfs_dir *dir)
 {
-	//printf("init open dir\n");
-	int ret = 0;
-	fs_DIR *dp;
-	fs_entry *entry;
-	
-	//printf("do some more init\n");
-	fs_InitDir(curr_dir_entry, dir);
-	//wprintf(L" rec: \"%s\" (%d)\n",dir->name,dir->name_len);
+	fs_DIR *dp, *tmp_dp;
+	struct fs_dirent *entry;
 
-	//printf("check if path exists\n");
-	dp = fs_opendir(dir->fs_path);
-	if(!dp)
+	if (InitDir(dir))
+		return MEM_ERROR;
+
+	// Open Directory
+	if((dp = fs_opendir(dir->path)) == NULL)
 	{
-		wprintf(L"[!] Failed to open directory: \"%s\"\n",dir->fs_path);
+		printf("[ROMFS] Failed to open directory: \"");
+		fs_fputs(dir->path, stdout);
+		printf("\"\n");
 		return -1;
 	}
 	
-	//printf("read entries\n");
-	while((entry = fs_GetEntry(dir->fs_path, dp)) != NULL)
-	{		
-		ret = entry->IsDir? fs_AddDir(entry, dir) : fs_AddFile(entry, dir);
+	// Process Entries
+	while ((entry = fs_readdir(dp)) != NULL)
+	{
+		// Skip if "." or ".."
+		if (fs_strcmp(entry->d_name, FS_CURRENT_DIR_PATH) == 0 || fs_strcmp(entry->d_name, FS_PARENT_DIR_PATH) == 0)
+			continue;
+
+		// Ensures that there is always memory for child directory and file structs
+		if (ManageDir(dir))
+			return MEM_ERROR;
 
-		//printf("free entry\n");		
-		fs_FreeEntry(entry);
+		// Get native FS path
+		fs_char *path = fs_AppendToPath(dir->path, entry->d_name);
 		
-		if(ret)
-		{
-			//printf("error parsing entry\n");
-			break;
+		// Opening directory with fs path to test if directory
+		if ((tmp_dp = fs_opendir(path)) != NULL) {
+			fs_closedir(tmp_dp);
+
+			dir->child[dir->u_child].path = path;
+			dir->child[dir->u_child].name = romfs_CopyConvertStr(entry->d_name);
+			dir->child[dir->u_child].namesize = fs_strlen(entry->d_name)*sizeof(romfs_char);
+			dir->u_child++;
+			
+			// Populate directory
+			OpenDir(&dir->child[dir->u_child-1]);
+		}
+		// Otherwise this is a file
+		else {
+			dir->file[dir->u_file].path = path;
+			dir->file[dir->u_file].name = romfs_CopyConvertStr(entry->d_name);
+			dir->file[dir->u_file].namesize = fs_strlen(entry->d_name)*sizeof(romfs_char);
+			dir->file[dir->u_file].size = fs_fsize(path);
+			dir->u_file++;
 		}
 	}
+
 	fs_closedir(dp);
-	return ret;
+
+	return 0;
 }
 
 
-void fs_PrintDir(fs_dir *dir, u32 depth) // This is just for simple debugging, please don't shoot me
+void PrintDir(romfs_dir *dir, u32 depth)
 {
 	for(u32 i = 0; i < depth; i++)
 		printf(" ");
 
 	if (depth > 0)
-		fs_romfs_fputs(stdout, dir->name);
+		romfs_fputs(dir->name, stdout);
 	else
 		printf("romfs:");
 	putchar('\n');
@@ -335,23 +236,23 @@ void fs_PrintDir(fs_dir *dir, u32 depth) // This is just for simple debugging, p
 		{
 			for(u32 j = 0; j < depth+1; j++)
 				printf(" ");
-			fs_romfs_fputs(stdout, dir->file[i].name);
+			romfs_fputs(dir->file[i].name, stdout);
 			printf(" (0x%"PRIx64")\n", dir->file[i].size);
 		}
 	}
 	if(dir->u_child)
 	{
 		for(u32 i = 0; i < dir->u_child; i++)
-			fs_PrintDir(&dir->child[i],depth+1);
+			PrintDir(&dir->child[i],depth+1);
 	}
 }
 
-void fs_FreeDir(fs_dir *dir)
+void FreeDir(romfs_dir *dir)
 {
 	//printf("DIR!! free file names\n");
 	for(u32 i = 0; i < dir->u_file; i++)
 	{
-		free(dir->file[i].fs_path);
+		free(dir->file[i].path);
 		free(dir->file[i].name);
 	}
 	//printf("free file struct\n");
@@ -361,9 +262,9 @@ void fs_FreeDir(fs_dir *dir)
 	//printf("free dir names and\n");
 	for(u32 i = 0; i < dir->u_child; i++)
 	{	
-		free(dir->child[i].fs_path);
+		free(dir->child[i].path);
 		free(dir->child[i].name);
-		fs_FreeDir(&dir->child[i]);
+		FreeDir(&dir->child[i]);
 	}
 	//printf("free dir struct\n");
 	free(dir->child);
diff --git a/makerom/dir.h b/makerom/dir.h
index aadd98f7..0826f21d 100644
--- a/makerom/dir.h
+++ b/makerom/dir.h
@@ -1,7 +1,7 @@
 #pragma once
 
 #ifdef _WIN32
-	#define fs_romfs_char u16
+	#define romfs_char u16
 	#define fs_char wchar_t
 	#define fs_dirent _wdirent
 	#define fs_DIR _WDIR
@@ -11,7 +11,7 @@
 	#define fs_closedir _wclosedir
 	#define FS_PATH_SEPARATOR '\\'
 #else
-	#define fs_romfs_char u16
+	#define romfs_char u16
 	#define fs_char char
 	#define fs_dirent dirent
 	#define fs_DIR DIR
@@ -21,59 +21,50 @@
 	#define fs_closedir closedir
 	#define FS_PATH_SEPARATOR '/'
 #endif
-	
-
-struct fs_entry
-{
-	bool IsDir;
-	fs_char *fs_path;
-	fs_romfs_char *name;
-	u32 name_len;
-	u64 size;
-};
 
-struct fs_file
+struct romfs_file
 {
-	fs_char *fs_path;
-	fs_romfs_char *name;
-	u32 name_len;
+	fs_char *path;
+	romfs_char *name;
+	u32 namesize;
 	u64 size;
 };
 
-struct fs_dir
+struct romfs_dir
 {
-	fs_char *fs_path;
-	fs_romfs_char *name;
-	u32 name_len;
+	fs_char *path;
+	romfs_char *name;
+	u32 namesize;
 	
-	struct fs_dir *child;
+	struct romfs_dir *child;
 	u32 m_child;
 	u32 u_child;
 	
-	struct fs_file *file;
+	struct romfs_file *file;
 	u32 m_file;
 	u32 u_file;
 };
 
-typedef struct fs_entry fs_entry;
-typedef struct fs_file fs_file;
-typedef struct fs_dir fs_dir;
+typedef struct romfs_file romfs_file;
+typedef struct romfs_dir romfs_dir;
 
-static const fs_romfs_char ROMFS_EMPTY_PATH[2] = { 0 };
+static const romfs_char ROMFS_EMPTY_PATH[2] = { 0 };
 static const fs_char FS_EMPTY_PATH[2] = { 0 };
+static const fs_char FS_CURRENT_DIR_PATH[2] = { '.' };
+static const fs_char FS_PARENT_DIR_PATH[3] = { '.', '.' };
 
-u32 fs_romfs_strlen(const fs_romfs_char *str);
+u32 romfs_strlen(const romfs_char *str);
 u32 fs_strlen(const fs_char *str);
+int fs_strcmp(const fs_char *str1, const fs_char *str2);
 FILE* fs_fopen(fs_char *path);
 u64 fs_fsize(fs_char *path);
 
 fs_char* fs_AppendToPath(const fs_char *src, const fs_char *add);
-fs_char* fs_CopyPath(const fs_char *src);
-fs_romfs_char* fs_CopyRomfsName(const fs_romfs_char *src);
-void fs_fputs(FILE *out, const fs_char *str);
-void fs_romfs_fputs(FILE *out, const fs_romfs_char *str);
+fs_char* fs_CopyStr(const fs_char *src);
+romfs_char* romfs_CopyStr(const romfs_char *src);
+void fs_fputs(const fs_char *str, FILE *out);
+void romfs_fputs(const romfs_char *str, FILE *out);
 
-int fs_OpenRootDir(const char *path, fs_dir *dir);
-int fs_OpenDir(fs_entry *entry, fs_dir *dir);
-void fs_PrintDir(fs_dir *dir, u32 depth);
-void fs_FreeDir(fs_dir *dir);
\ No newline at end of file
+int OpenRootDir(const char *path, romfs_dir *dir);
+void PrintDir(romfs_dir *dir, u32 depth);
+void FreeDir(romfs_dir *dir);
\ No newline at end of file
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index 049b9f80..a4f1f217 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -66,9 +66,6 @@
     <ClInclude Include="ctr_utils.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="dir.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="elf.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -339,6 +336,9 @@
     <ClInclude Include="code.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="dir.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="accessdesc.c">
@@ -362,9 +362,6 @@
     <ClCompile Include="ctr_utils.c">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="dir.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
     <ClCompile Include="elf.c">
       <Filter>Source Files</Filter>
     </ClCompile>
@@ -473,6 +470,9 @@
     <ClCompile Include="code.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="dir.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="Makefile">
diff --git a/makerom/romfs.c b/makerom/romfs.c
index bf174fc8..205db6f2 100644
--- a/makerom/romfs.c
+++ b/makerom/romfs.c
@@ -47,7 +47,7 @@ int BuildRomFs(romfs_buildctx *ctx)
 void FreeRomFsCtx(romfs_buildctx *ctx)
 {
 	if(ctx->fs){
-		fs_FreeDir(ctx->fs);	
+		FreeDir(ctx->fs);	
 		free(ctx->fs);
 	}
 }
\ No newline at end of file
diff --git a/makerom/romfs.h b/makerom/romfs.h
index 48d5400d..e170b180 100644
--- a/makerom/romfs.h
+++ b/makerom/romfs.h
@@ -86,7 +86,7 @@ typedef struct
 	ivfc_hdr *ivfcHdr;
 	romfs_infoheader *romfsHdr;
 	
-	fs_dir *fs;
+	romfs_dir *fs;
 	
 	u8 *dirHashTable;
 	u32 m_dirHashTable;
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 8eba46cc..bfa1371d 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -7,35 +7,36 @@ const int ROMFS_BLOCK_SIZE = 0x1000;
 const unsigned int ROMFS_UNUSED_ENTRY = 0xffffffff;
 
 // Build
-bool IsFileWanted(fs_file *file, void *filter_criteria);
-bool IsDirWanted(fs_dir *dir, void *filter_criteria);
-void CalcDirSize(romfs_buildctx *ctx, fs_dir *fs);
+bool IsFileWanted(romfs_file *file, void *filter_criteria);
+bool IsDirWanted(romfs_dir *dir, void *filter_criteria);
+void CalcDirSize(romfs_buildctx *ctx, romfs_dir *fs);
 void CalcRomfsSize(romfs_buildctx *ctx);
-int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria);
-void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling);
-void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling);
-void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir);
+int FilterRomFS(romfs_dir *fs_raw, romfs_dir *fs_filtered, void *filter_criteria);
+void AddFileToRomfs(romfs_buildctx *ctx, romfs_file *file, u32 parent, u32 sibling);
+void AddDirToRomfs(romfs_buildctx *ctx, romfs_dir *fs, u32 parent, u32 sibling);
+void AddDirChildrenToRomfs(romfs_buildctx *ctx, romfs_dir *fs, u32 parent, u32 dir);
 void PopulateHashTable(romfs_buildctx *ctx);
 void PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
-u32 CalcPathHash(u32 parent, const fs_romfs_char* path, u32 start, u32 length);
+u32 CalcPathHash(u32 parent, const romfs_char* path, u32 start, u32 length);
 
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 {
 	/* FS Structures */
 	void *filter_criteria = NULL;
-	fs_dir *fs_raw = calloc(1,sizeof(fs_dir));
-	ctx->fs = calloc(1,sizeof(fs_dir));
+	romfs_dir *fs_raw = calloc(1,sizeof(romfs_dir));
+	ctx->fs = calloc(1,sizeof(romfs_dir));
 
 	/* Import FS and process */
-	fs_OpenRootDir(ncchset->rsfSet->RomFs.RootPath,fs_raw);
+	OpenRootDir(ncchset->rsfSet->RomFs.RootPath,fs_raw);
 	FilterRomFS(fs_raw,ctx->fs,filter_criteria);
+
 	
 	/* free unfiltered FS */
-	fs_FreeDir(fs_raw);
+	FreeDir(fs_raw);
 	free(fs_raw);
 	
 	/* Abort romfs making, if no wanted files/directories were found */
@@ -94,12 +95,12 @@ int BuildRomFsBinary(romfs_buildctx *ctx)
 }
 
 
-bool IsFileWanted(fs_file *file, void *filter_criteria)
+bool IsFileWanted(romfs_file *file, void *filter_criteria)
 {
 	return true;
 }
 
-bool IsDirWanted(fs_dir *dir, void *filter_criteria)
+bool IsDirWanted(romfs_dir *dir, void *filter_criteria)
 {
 	bool ret = false;
 	for(u32 i = 0; i < dir->u_file; i++)
@@ -121,16 +122,16 @@ bool IsDirWanted(fs_dir *dir, void *filter_criteria)
 	return ret;
 }
 
-void CalcDirSize(romfs_buildctx *ctx, fs_dir *fs)
+void CalcDirSize(romfs_buildctx *ctx, romfs_dir *fs)
 {
 	if(ctx->m_dirTableLen == 0)
 		ctx->m_dirTableLen = sizeof(romfs_direntry);
 	else
-		ctx->m_dirTableLen += sizeof(romfs_direntry) + align(fs->name_len,4);
+		ctx->m_dirTableLen += sizeof(romfs_direntry) + align(fs->namesize,4);
 		
 	for(u32 i = 0; i < fs->u_file; i++)
 	{
-		ctx->m_fileTableLen += sizeof(romfs_fileentry) + align(fs->file[i].name_len,4);
+		ctx->m_fileTableLen += sizeof(romfs_fileentry) + align(fs->file[i].namesize,4);
 		if(fs->file[i].size)
 			ctx->m_dataLen =  align(ctx->m_dataLen,0x10) + fs->file[i].size;
 	}
@@ -180,24 +181,24 @@ void CalcRomfsSize(romfs_buildctx *ctx)
 		ctx->romfsSize += align(ctx->level[i].size,ROMFS_BLOCK_SIZE);		
 }
 
-int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria)
+int FilterRomFS(romfs_dir *fs_raw, romfs_dir *fs_filtered, void *filter_criteria)
 {
-	memset(fs_filtered,0,sizeof(fs_dir));
+	memset(fs_filtered,0,sizeof(romfs_dir));
 	if(!IsDirWanted(fs_raw,filter_criteria))
 		return 0;
 	
-	fs_filtered->fs_path = fs_CopyPath(fs_raw->fs_path);
+	fs_filtered->path = fs_CopyStr(fs_raw->path);
 
-	fs_filtered->name_len = fs_raw->name_len;
-	fs_filtered->name = fs_CopyRomfsName(fs_raw->name);
+	fs_filtered->namesize = fs_raw->namesize;
+	fs_filtered->name = romfs_CopyStr(fs_raw->name);
 	
 	fs_filtered->u_child = 0;
 	fs_filtered->m_child = fs_raw->u_child;
-	fs_filtered->child = calloc(fs_filtered->m_child,sizeof(fs_dir));
+	fs_filtered->child = calloc(fs_filtered->m_child,sizeof(romfs_dir));
 	
 	fs_filtered->u_file = 0;
 	fs_filtered->m_file = fs_raw->u_file;
-	fs_filtered->file = calloc(fs_filtered->m_file,sizeof(fs_file));
+	fs_filtered->file = calloc(fs_filtered->m_file,sizeof(romfs_file));
 	
 	for(u32 i = 0; i < fs_raw->u_child; i++)
 	{
@@ -212,10 +213,10 @@ int FilterRomFS(fs_dir *fs_raw, fs_dir *fs_filtered, void *filter_criteria)
 	{
 		if(IsFileWanted(&fs_raw->file[i],filter_criteria))
 		{
-			fs_filtered->file[fs_filtered->u_file].fs_path = fs_CopyPath(fs_raw->file[i].fs_path);
+			fs_filtered->file[fs_filtered->u_file].path = fs_CopyStr(fs_raw->file[i].path);
 
-			fs_filtered->file[fs_filtered->u_file].name_len = fs_raw->file[i].name_len;
-			fs_filtered->file[fs_filtered->u_file].name = fs_CopyRomfsName(fs_raw->file[i].name);
+			fs_filtered->file[fs_filtered->u_file].namesize = fs_raw->file[i].namesize;
+			fs_filtered->file[fs_filtered->u_file].name = romfs_CopyStr(fs_raw->file[i].name);
 			
 			fs_filtered->file[fs_filtered->u_file].size = fs_raw->file[i].size;
 			
@@ -277,19 +278,19 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	}
 }
 
-u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, const fs_romfs_char *path)
+u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, const romfs_char *path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, fs_romfs_strlen(path));
+	u32 hash = CalcPathHash(parent, path, 0, romfs_strlen(path));
 	return hash % ctx->m_fileHashTable;
 }
 
-u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, const fs_romfs_char* path)
+u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, const romfs_char* path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, fs_romfs_strlen(path));
+	u32 hash = CalcPathHash(parent, path, 0, romfs_strlen(path));
 	return hash % ctx->m_dirHashTable;
 }
 
-void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
+void AddFileToRomfs(romfs_buildctx *ctx, romfs_file *file, u32 parent, u32 sibling)
 {
 	romfs_fileentry *entry = (romfs_fileentry*)(ctx->fileTable + ctx->u_fileTableLen);
 	
@@ -297,10 +298,10 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 	u32_to_u8(entry->siblingoffset,sibling,LE);	
 	
 	/* Import name */
-	u32_to_u8(entry->namesize,file->name_len,LE);
+	u32_to_u8(entry->namesize,file->namesize,LE);
 	u8 *name_pos = (u8*)(ctx->fileTable + ctx->u_fileTableLen + sizeof(romfs_fileentry));
-	memset(name_pos,0,align(file->name_len,4));
-	memcpy(name_pos,(u8*)file->name,file->name_len);
+	memset(name_pos,0,align(file->namesize,4));
+	memcpy(name_pos,(u8*)file->name,file->namesize);
 
 	/* Set hash data */
 	u32 hashindex = GetFileHashTableIndex(ctx, parent, file->name);
@@ -317,11 +318,11 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 
 		if (ctx->verbose) {
 			printf("[ROMFS] Reading \"");
-			fs_fputs(stdout, file->fs_path);
+			fs_fputs(file->path, stdout);
 			printf("\"... ");
 		}
 
-		FILE *fp = fs_fopen(file->fs_path);
+		FILE *fp = fs_fopen(file->path);
 		fread(data_pos, file->size, 1, fp);
 		fclose(fp);
 
@@ -335,10 +336,10 @@ void AddFileToRomfs(romfs_buildctx *ctx, fs_file *file, u32 parent, u32 sibling)
 		u64_to_u8(entry->dataoffset,0x00,LE);
 		
 	/* Increment used file table length */
-	ctx->u_fileTableLen += sizeof(romfs_fileentry) + align(file->name_len,4);
+	ctx->u_fileTableLen += sizeof(romfs_fileentry) + align(file->namesize,4);
 }
 
-void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
+void AddDirToRomfs(romfs_buildctx *ctx, romfs_dir *fs, u32 parent, u32 sibling)
 {
 	u32 offset = ctx->u_dirTableLen;
 	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + offset);
@@ -350,10 +351,10 @@ void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 	u32_to_u8(entry->fileoffset, ROMFS_UNUSED_ENTRY, LE);
 	
 	/* Import name */
-	u32_to_u8(entry->namesize,fs->name_len,LE);
+	u32_to_u8(entry->namesize,fs->namesize,LE);
 	u8 *name_pos = (u8*)(ctx->dirTable + ctx->u_dirTableLen + sizeof(romfs_direntry));
-	memset(name_pos,0,(u32)align(fs->name_len,4));
-	memcpy(name_pos,(u8*)fs->name,fs->name_len);
+	memset(name_pos,0,(u32)align(fs->namesize,4));
+	memcpy(name_pos,(u8*)fs->name,fs->namesize);
 
 	/* Set hash data */
 	u32 hashindex = GetDirHashTableIndex(ctx, parent, fs->name);
@@ -361,10 +362,10 @@ void AddDirToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 sibling)
 	u32_to_u8(ctx->dirHashTable + hashindex * 4, offset, LE);
 
 	/* Increment used dir table length */
-	ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->name_len,4);
+	ctx->u_dirTableLen += sizeof(romfs_direntry) + (u32)align(fs->namesize,4);
 }
 
-void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
+void AddDirChildrenToRomfs(romfs_buildctx *ctx, romfs_dir *fs, u32 parent, u32 dir)
 {
 	romfs_direntry *entry = (romfs_direntry*)(ctx->dirTable + dir);
 	
@@ -380,7 +381,7 @@ void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
 			if (i >= fs->u_file - 1)
 				file_sibling = ROMFS_UNUSED_ENTRY;
 			else
-				file_sibling = ctx->u_fileTableLen + sizeof(romfs_fileentry) + (u32)align(fs->file[i].name_len, 4);
+				file_sibling = ctx->u_fileTableLen + sizeof(romfs_fileentry) + (u32)align(fs->file[i].namesize, 4);
 
 			/* Create file entry */
 			AddFileToRomfs(ctx, &fs->file[i], dir, file_sibling);
@@ -404,7 +405,7 @@ void AddDirChildrenToRomfs(romfs_buildctx *ctx, fs_dir *fs, u32 parent, u32 dir)
 			if (i >= fs->u_child - 1)
 				dir_sibling = ROMFS_UNUSED_ENTRY;
 			else
-				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(fs->child[i].name_len, 4);
+				dir_sibling = ctx->u_dirTableLen + sizeof(romfs_direntry) + (u32)align(fs->child[i].namesize, 4);
 			
 			/* Create child directory entry */
 			AddDirToRomfs(ctx, &fs->child[i], dir, dir_sibling);
@@ -459,7 +460,7 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	return;
 }
 
-u32 CalcPathHash(u32 parent, const fs_romfs_char* path, u32 start, u32 length)
+u32 CalcPathHash(u32 parent, const romfs_char* path, u32 start, u32 length)
 {
 	u32 hash = parent ^ 123456789;
 	for( u32 index = 0; index < length; index++ )
diff --git a/makerom/utils.c b/makerom/utils.c
index 2899b770..f552c5f0 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -68,8 +68,8 @@ char* replace_filextention(const char *input, const char *new_ext)
 	}
 	else {
 		u32 size = ext - input;
-		new_name = calloc(size + strlen(new_ext), 1);
-		snprintf(new_name, size, "%s", input);
+		new_name = calloc(size + strlen(new_ext) + 1, 1);
+		strncpy(new_name, input, size);
 		sprintf(new_name, "%s%s", new_name, new_ext);
 	}
 	
@@ -104,61 +104,92 @@ void memdump(FILE* fout, const char* prefix, const u8* data, u32 size)
 	}
 }
 
-int str_u8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len)
+u32 strlen_char16(const u16 *str)
 {
-	*dst_len = src_len*sizeof(u16);
-	*dst = malloc((*dst_len)+sizeof(u16));
-	if(*dst == NULL)
-		return -1;
-	memset(*dst,0,(*dst_len)+sizeof(u16));
-	u16 *tmp = *dst;
-	for(int i=0; i<src_len; i++)
-		tmp[i] = (u16)src[i];
-	return 0;
+	u32 i;
+	for (i = 0; str[i] != 0x0; i++);
+	return i;
 }
 
-int str_u16_to_u16(u16 **dst, u32 *dst_len, const u16 *src, u32 src_len)
+char* strcopy_8to8(const char *src)
 {
-	*dst_len = src_len*sizeof(u16);
-	*dst = malloc((*dst_len)+sizeof(u16));
-	if(*dst == NULL)
-		return -1;
-	memset(*dst,0,(*dst_len)+sizeof(u16));
-	u16 *tmp = *dst;
-	for(int i=0; i<src_len; i++)
-		tmp[i] = src[i];
-	return 0;
+	if (!src)
+		return NULL;
+
+	u32 src_len = strlen(src);
+
+	// Allocate memory for expanded string
+	char *dst = calloc(src_len + 1, sizeof(u8));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	strncpy(dst, src, src_len);
+
+	return dst;
 }
 
-int str_u32_to_u16(u16 **dst, u32 *dst_len, const u32 *src, u32 src_len)
+u16* strcopy_8to16(const char *src)
 {
-	*dst_len = src_len*sizeof(u16);
-	*dst = malloc((*dst_len)+sizeof(u16));
-	if(*dst == NULL)
-		return -1;
-	memset(*dst,0,(*dst_len)+sizeof(u16));
-	u16 *tmp = *dst;
-	for(int i=0; i<src_len; i++)
-		tmp[i] = (u16)src[i];
-	return 0;
+	if (!src)
+		return NULL;
+
+	u32 src_len = strlen(src);
+
+	// Allocate memory for expanded string
+	u16 *dst = calloc(src_len+1, sizeof(u16));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	for (u32 i = 0; i < src_len; i++)
+		dst[i] = src[i];
+
+	return dst;
+}
+
+
+u16* strcopy_16to16(const u16 *src)
+{
+	if (!src)
+		return NULL;
+
+	u32 src_len = strlen_char16(src);
+
+	// Allocate memory for expanded string
+	u16 *dst = calloc(src_len + 1, sizeof(u16));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	for (u32 i = 0; i < src_len; i++)
+		dst[i] = src[i];
+
+	return dst;
 }
 
 #ifndef _WIN32
-int str_utf8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len)
+u16* strcopy_utf8to16(const char *src)
 {
-	*dst_len = src_len*sizeof(u16);
-	*dst = malloc((*dst_len)+sizeof(u16));
-	if(*dst == NULL)
-		return -1;
-	memset(*dst,0,(*dst_len)+sizeof(u16));
-	
-	UTF16 *target_start = *dst;
-	UTF16 *target_end = (target_start + *dst_len);
-	
+	if (!src)
+		return NULL;
+
+	u32 src_len = strlen(src);
+
+	// Allocate memory for expanded string
+	u16 *dst = calloc(src_len + 1, sizeof(u16));
+	if (!dst)
+		return NULL;
+
+	UTF16 *target_start = dst;
+	UTF16 *target_end = (target_start + (src_len*sizeof(u16)));
+
 	UTF8 *src_start = (UTF8*)src;
-	UTF8 *src_end = (UTF8*)(src+src_len*sizeof(u8));
-	
-	return ConvertUTF8toUTF16 ((const UTF8 **)&src_start, src_end, &target_start, target_end, strictConversion);
+	UTF8 *src_end = (UTF8*)(src + src_len*sizeof(char));
+
+	ConvertUTF8toUTF16((const UTF8 **)&src_start, src_end, &target_start, target_end, strictConversion);
+
+	return dst;
 }
 #endif
 
diff --git a/makerom/utils.h b/makerom/utils.h
index 1a89100e..b46d0a49 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -20,11 +20,12 @@ u64 max64(u64 a, u64 b);
 // Strings
 void memdump(FILE* fout, const char* prefix, const const u8* data, u32 size);
 char* replace_filextention(const char *input, const char *extention);
-int str_u8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len);
-int str_u16_to_u16(u16 **dst, u32 *dst_len, const u16 *src, u32 src_len);
-int str_u32_to_u16(u16 **dst, u32 *dst_len, const u32 *src, u32 src_len);
+u32 strlen_char16(const u16 *str);
+char* strcopy_8to8(const char *src);
+u16* strcopy_8to16(const char *src);
+u16* strcopy_16to16(const u16 *src);
 #ifndef _WIN32
-int str_utf8_to_u16(u16 **dst, u32 *dst_len, const u8 *src, u32 src_len);
+u16* strcopy_utf8to16(const char *src);
 #endif
 
 // Base64

From 9ca12816ef8541c5122659c831329f8949a8180a Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 15 Nov 2015 03:26:25 +0800
Subject: [PATCH 121/317] [makerom] renamed dir.c/dir.h to
 romfs_fs.c/romfs_fs.h

---
 makerom/makerom.vcxproj         | 4 ++--
 makerom/makerom.vcxproj.filters | 4 ++--
 makerom/ncch.c                  | 1 -
 makerom/romfs.c                 | 1 -
 makerom/romfs.h                 | 1 +
 makerom/{dir.c => romfs_fs.c}   | 2 +-
 makerom/{dir.h => romfs_fs.h}   | 0
 makerom/romfs_gen.c             | 1 -
 8 files changed, 6 insertions(+), 8 deletions(-)
 rename makerom/{dir.c => romfs_fs.c} (99%)
 rename makerom/{dir.h => romfs_fs.h} (100%)

diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index ecc931c2..195b75f9 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -104,7 +104,7 @@
     <ClInclude Include="desc\dev_sigdata.h" />
     <ClInclude Include="desc\presets.h" />
     <ClInclude Include="desc\prod_sigdata.h" />
-    <ClInclude Include="dir.h" />
+    <ClInclude Include="romfs_fs.h" />
     <ClInclude Include="elf.h" />
     <ClInclude Include="exefs.h" />
     <ClInclude Include="exefs_build.h" />
@@ -201,7 +201,7 @@
     <ClCompile Include="code.c" />
     <ClCompile Include="crypto.c" />
     <ClCompile Include="ctr_utils.c" />
-    <ClCompile Include="dir.c" />
+    <ClCompile Include="romfs_fs.c" />
     <ClCompile Include="elf.c" />
     <ClCompile Include="exefs.c" />
     <ClCompile Include="exheader.c" />
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index a4f1f217..b0c347c1 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -336,7 +336,7 @@
     <ClInclude Include="code.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="dir.h">
+    <ClInclude Include="romfs_fs.h">
       <Filter>Header Files</Filter>
     </ClInclude>
   </ItemGroup>
@@ -470,7 +470,7 @@
     <ClCompile Include="code.c">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="dir.c">
+    <ClCompile Include="romfs_fs.c">
       <Filter>Source Files</Filter>
     </ClCompile>
   </ItemGroup>
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 384c9de5..7182f539 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -1,5 +1,4 @@
 #include "lib.h"
-#include "dir.h"
 #include "ncch_build.h"
 #include "exheader_build.h"
 #include "exheader_read.h"
diff --git a/makerom/romfs.c b/makerom/romfs.c
index 205db6f2..7ab6ba17 100644
--- a/makerom/romfs.c
+++ b/makerom/romfs.c
@@ -1,5 +1,4 @@
 #include "lib.h"
-#include "dir.h"
 #include "ncch_build.h"
 #include "romfs.h"
 #include "romfs_gen.h"
diff --git a/makerom/romfs.h b/makerom/romfs.h
index e170b180..eacac3a8 100644
--- a/makerom/romfs.h
+++ b/makerom/romfs.h
@@ -1,4 +1,5 @@
 #pragma once
+#include "romfs_fs.h"
 
 typedef enum
 {
diff --git a/makerom/dir.c b/makerom/romfs_fs.c
similarity index 99%
rename from makerom/dir.c
rename to makerom/romfs_fs.c
index 7cb724d2..8c21e3ad 100644
--- a/makerom/dir.c
+++ b/makerom/romfs_fs.c
@@ -1,5 +1,5 @@
 #include "lib.h"
-#include "dir.h"
+#include "romfs_fs.h"
 #include "utf.h"
 
 /* This is the FS interface for ROMFS generation */
diff --git a/makerom/dir.h b/makerom/romfs_fs.h
similarity index 100%
rename from makerom/dir.h
rename to makerom/romfs_fs.h
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index bfa1371d..5bed2204 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -1,5 +1,4 @@
 #include "lib.h"
-#include "dir.h"
 #include "ncch_build.h"
 #include "romfs.h"
 

From f8e3b4723162ca9194889b2e2c57003a1d724fea Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 15 Nov 2015 03:41:47 +0800
Subject: [PATCH 122/317] [makerom] misc

---
 makerom/romfs_gen.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 5bed2204..74cdaa90 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -19,7 +19,7 @@ void PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
-u32 CalcPathHash(u32 parent, const romfs_char* path, u32 start, u32 length);
+u32 CalcPathHash(u32 parent, const romfs_char* path);
 
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
@@ -279,13 +279,13 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 
 u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, const romfs_char *path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, romfs_strlen(path));
+	u32 hash = CalcPathHash(parent, path);
 	return hash % ctx->m_fileHashTable;
 }
 
 u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, const romfs_char* path)
 {
-	u32 hash = CalcPathHash(parent, path, 0, romfs_strlen(path));
+	u32 hash = CalcPathHash(parent, path);
 	return hash % ctx->m_dirHashTable;
 }
 
@@ -459,13 +459,14 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	return;
 }
 
-u32 CalcPathHash(u32 parent, const romfs_char* path, u32 start, u32 length)
+u32 CalcPathHash(u32 parent, const romfs_char* path)
 {
+	u32 len = romfs_strlen(path);
 	u32 hash = parent ^ 123456789;
-	for( u32 index = 0; index < length; index++ )
+	for( u32 i = 0; i < len; i++ )
 	{
 		hash = (u32)((hash >> 5) | (hash << 27));//ror
-		hash ^= (u16)path[start + index];
+		hash ^= (u16)path[i];
 	}
 	return hash;
 }

From 4e6cbfbd8003128e304ee6626fbe509477c98913 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 15 Nov 2015 03:53:01 +0800
Subject: [PATCH 123/317] [makerom] made function name more accurate.

---
 makerom/romfs_fs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/makerom/romfs_fs.c b/makerom/romfs_fs.c
index 8c21e3ad..4c092652 100644
--- a/makerom/romfs_fs.c
+++ b/makerom/romfs_fs.c
@@ -4,7 +4,7 @@
 
 /* This is the FS interface for ROMFS generation */
 /* Tested working on Windows/Linux/OSX */
-int OpenDir(romfs_dir *dir);
+int PopulateDir(romfs_dir *dir);
 int InitDir(romfs_dir *dir);
 int ManageDir(romfs_dir *dir);
 
@@ -157,10 +157,10 @@ int OpenRootDir(const char *path, romfs_dir *dir)
 	dir->name = romfs_CopyStr(ROMFS_EMPTY_PATH);
 	dir->namesize = 0;
 	
-	return OpenDir(dir);
+	return PopulateDir(dir);
 }
 
-int OpenDir(romfs_dir *dir)
+int PopulateDir(romfs_dir *dir)
 {
 	fs_DIR *dp, *tmp_dp;
 	struct fs_dirent *entry;
@@ -201,7 +201,7 @@ int OpenDir(romfs_dir *dir)
 			dir->u_child++;
 			
 			// Populate directory
-			OpenDir(&dir->child[dir->u_child-1]);
+			PopulateDir(&dir->child[dir->u_child-1]);
 		}
 		// Otherwise this is a file
 		else {

From bb10fd8ab3eebb55d1bdeb051e6822d4dd2d2f33 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 15 Nov 2015 05:25:41 +0800
Subject: [PATCH 124/317] [makerom] Changed ReadFile64 & WriteBuffer to
 read/write data in blocks. (Works around fread/fwrite buffer size
 limitations)

---
 makerom/utils.c | 22 +++++++++++++++-------
 makerom/utils.h |  2 +-
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/makerom/utils.c b/makerom/utils.c
index f552c5f0..849126cc 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -3,6 +3,8 @@
 
 #include "polarssl/base64.h"
 
+#define IO_BLOCKSIZE 5*MB
+
 // Memory
 int CopyData(u8 **dest, const u8 *source, u64 size)
 {
@@ -370,22 +372,28 @@ u8* ImportFile(char *file, u64 size)
 			return NULL;
 	}
 	FILE *fp = fopen(file,"rb");
-	fread(data,fsize,1,fp);
+	ReadFile64(data, fsize, 0, fp);
 	fclose(fp);
 
 	return data;
 }
 
-void WriteBuffer(void *buffer, u64 size, u64 offset, FILE *output)
+void WriteBuffer(const void *buffer, u64 size, u64 offset, FILE *fp)
 {
-	fseek_64(output,offset);
-	fwrite(buffer,size,1,output);
+	const u8* _buffer = (const u8*)buffer;
+	fseek_64(fp,offset);
+	for (; size > IO_BLOCKSIZE; size -= IO_BLOCKSIZE, _buffer += IO_BLOCKSIZE)
+		fwrite(_buffer, IO_BLOCKSIZE, 1, fp);
+	fwrite(_buffer,size,1,fp);
 } 
 
-void ReadFile64(void *outbuff, u64 size, u64 offset, FILE *file)
+void ReadFile64(void *outbuff, u64 size, u64 offset, FILE *fp)
 {
-	fseek_64(file,offset);
-	fread(outbuff,size,1,file);
+	u8* _buffer = (u8*)outbuff;
+	fseek_64(fp, offset);
+	for (; size > IO_BLOCKSIZE; size -= IO_BLOCKSIZE, _buffer += IO_BLOCKSIZE)
+		fread(_buffer, IO_BLOCKSIZE, 1, fp);
+	fread(_buffer, size, 1, fp);
 }
 
 int fseek_64(FILE *fp, u64 file_pos)
diff --git a/makerom/utils.h b/makerom/utils.h
index b46d0a49..e21a8af4 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -55,7 +55,7 @@ u64 wGetFileSize64(u16 *filename);
 
 //IO Misc
 u8* ImportFile(char *file, u64 size);
-void WriteBuffer(void *buffer, u64 size, u64 offset, FILE *output);
+void WriteBuffer(const void *buffer, u64 size, u64 offset, FILE *output);
 void ReadFile64(void *outbuff, u64 size, u64 offset, FILE *file);
 int fseek_64(FILE *fp, u64 file_pos);
 

From 2dd838b693f0b0c13540b858cff1c09c35479b35 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 15 Nov 2015 05:26:25 +0800
Subject: [PATCH 125/317] [makerom] Added IVFC hash generation to verbose
 output.

---
 makerom/romfs_gen.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 74cdaa90..9d8a97e7 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -448,12 +448,16 @@ void BuildIvfcHeader(romfs_buildctx *ctx)
 void GenIvfcHashTree(romfs_buildctx *ctx)
 {
 	for(int i = 2; i >= 0; i--){
+		if (ctx->verbose)
+			printf("[ROMFS] Generating IVFC level %d hashes... ", i+1);
 		u32 numHashes = align(ctx->level[i+1].size,ROMFS_BLOCK_SIZE) / ROMFS_BLOCK_SIZE;
 		for(u32 j = 0; j < numHashes; j++){
 			u8 *datapos = (u8*)(ctx->level[i+1].pos + ROMFS_BLOCK_SIZE * j);
 			u8 *hashpos = (u8*)(ctx->level[i].pos + SHA_256_LEN * j);
 			ShaCalc(datapos, ROMFS_BLOCK_SIZE, hashpos, CTR_SHA_256);
 		}
+		if (ctx->verbose)
+			printf("Done!\n");
 	}
 	
 	return;

From 7e04a8249e423e80bde2137a7b5a7578561166c4 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 20 Nov 2015 03:10:00 +0800
Subject: [PATCH 126/317] [makerom] Fixed size limitation on NCCH encryption.

---
 makerom/crypto.c                |  2 +-
 makerom/makerom.vcxproj         |  2 ++
 makerom/makerom.vcxproj.filters |  6 ++++++
 makerom/ncch.c                  | 22 +++++++++++-----------
 makerom/polarssl/aes.c          |  6 +++---
 makerom/polarssl/aes.h          |  6 +++---
 makerom/romfs_import.c          |  4 ++--
 makerom/types.h                 | 16 ++++++++--------
 8 files changed, 36 insertions(+), 28 deletions(-)

diff --git a/makerom/crypto.c b/makerom/crypto.c
index e83b9f71..f654efe2 100644
--- a/makerom/crypto.c
+++ b/makerom/crypto.c
@@ -35,7 +35,7 @@ void AesCtrCrypt(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset
 {
 	u8 stream[16];
 	aes_context aes;
-	u64 nc_off = 0;
+	size_t nc_off = 0;
 	
 	clrmem(&aes,sizeof(aes_context));
 	aes_setkey_enc(&aes, key, 128);
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index 195b75f9..7ec49cdc 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -201,6 +201,8 @@
     <ClCompile Include="code.c" />
     <ClCompile Include="crypto.c" />
     <ClCompile Include="ctr_utils.c" />
+    <ClCompile Include="polarssl\aes.c" />
+    <ClCompile Include="polarssl\padlock.c" />
     <ClCompile Include="romfs_fs.c" />
     <ClCompile Include="elf.c" />
     <ClCompile Include="exefs.c" />
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index b0c347c1..6603f558 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -473,6 +473,12 @@
     <ClCompile Include="romfs_fs.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="polarssl\aes.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
+    <ClCompile Include="polarssl\padlock.c">
+      <Filter>Source Files\polarssl</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="Makefile">
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 7182f539..ecfd7eea 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -1053,7 +1053,7 @@ int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 	info->titleId = u8_to_u64(hdr->titleId,LE);
 	info->programId = u8_to_u64(hdr->programId,LE);
 
-	u32 block_size = GetNcchBlockSize(hdr);
+	u64 block_size = GetNcchBlockSize(hdr);
 	
 	info->formatVersion = u8_to_u16(hdr->formatVersion,LE);
 	if(!IsCfa(hdr)){
@@ -1061,18 +1061,18 @@ int GetNcchInfo(ncch_info *info, ncch_hdr *hdr)
 		info->exhdrSize = u8_to_u32(hdr->exhdrSize,LE);
 		info->acexOffset = (info->exhdrOffset + info->exhdrSize);
 		info->acexSize = sizeof(access_descriptor);
-		info->plainRegionOffset = (u64)(u8_to_u32(hdr->plainRegionOffset,LE)*block_size);
-		info->plainRegionSize = (u64)(u8_to_u32(hdr->plainRegionSize,LE)*block_size);
+		info->plainRegionOffset = ((u64)u8_to_u32(hdr->plainRegionOffset,LE))*block_size;
+		info->plainRegionSize = ((u64)u8_to_u32(hdr->plainRegionSize,LE))*block_size;
 	}
 
-	info->logoOffset = (u64)(u8_to_u32(hdr->logoOffset,LE)*block_size);
-	info->logoSize = (u64)(u8_to_u32(hdr->logoSize,LE)*block_size);
-	info->exefsOffset = (u64)(u8_to_u32(hdr->exefsOffset,LE)*block_size);
-	info->exefsSize = (u64)(u8_to_u32(hdr->exefsSize,LE)*block_size);
-	info->exefsHashDataSize = (u64)(u8_to_u32(hdr->exefsHashSize,LE)*block_size);
-	info->romfsOffset = (u64) (u8_to_u32(hdr->romfsOffset,LE)*block_size);
-	info->romfsSize = (u64) (u8_to_u32(hdr->romfsSize,LE)*block_size);
-	info->romfsHashDataSize = (u64)(u8_to_u32(hdr->romfsHashSize,LE)*block_size);
+	info->logoOffset = ((u64)u8_to_u32(hdr->logoOffset,LE))*block_size;
+	info->logoSize = ((u64)u8_to_u32(hdr->logoSize,LE))*block_size;
+	info->exefsOffset = ((u64)u8_to_u32(hdr->exefsOffset,LE))*block_size;
+	info->exefsSize = ((u64)u8_to_u32(hdr->exefsSize,LE))*block_size;
+	info->exefsHashDataSize = ((u64)u8_to_u32(hdr->exefsHashSize,LE))*block_size;
+	info->romfsOffset = ((u64)u8_to_u32(hdr->romfsOffset,LE))*block_size;
+	info->romfsSize = ((u64)u8_to_u32(hdr->romfsSize,LE))*block_size;
+	info->romfsHashDataSize = ((u64)u8_to_u32(hdr->romfsHashSize,LE))*block_size;
 	return 0;
 }
 
diff --git a/makerom/polarssl/aes.c b/makerom/polarssl/aes.c
index 6456c54d..8d8ebb63 100644
--- a/makerom/polarssl/aes.c
+++ b/makerom/polarssl/aes.c
@@ -839,14 +839,14 @@ int aes_crypt_cbc( aes_context *ctx,
  */
 int aes_crypt_cfb128( aes_context *ctx,
                        int mode,
-                       size_t length,
+                       uint64_t length,
                        size_t *iv_off,
                        unsigned char iv[16],
                        const unsigned char *input,
                        unsigned char *output )
 {
     int c;
-    size_t n = *iv_off;
+	size_t n = *iv_off;
 
     if( mode == AES_DECRYPT )
     {
@@ -886,7 +886,7 @@ int aes_crypt_cfb128( aes_context *ctx,
  * AES-CTR buffer encryption/decryption
  */
 int aes_crypt_ctr( aes_context *ctx,
-                       size_t length,
+                       uint64_t length,
                        size_t *nc_off,
                        unsigned char nonce_counter[16],
                        unsigned char stream_block[16],
diff --git a/makerom/polarssl/aes.h b/makerom/polarssl/aes.h
index 0a4519cf..469bef32 100644
--- a/makerom/polarssl/aes.h
+++ b/makerom/polarssl/aes.h
@@ -116,7 +116,7 @@ int aes_crypt_ecb( aes_context *ctx,
  */
 int aes_crypt_cbc( aes_context *ctx,
                     int mode,
-                    size_t length,
+                    uint64_t length,
                     unsigned char iv[16],
                     const unsigned char *input,
                     unsigned char *output );
@@ -141,7 +141,7 @@ int aes_crypt_cbc( aes_context *ctx,
  */
 int aes_crypt_cfb128( aes_context *ctx,
                        int mode,
-                       size_t length,
+                       uint64_t length,
                        size_t *iv_off,
                        unsigned char iv[16],
                        const unsigned char *input,
@@ -169,7 +169,7 @@ int aes_crypt_cfb128( aes_context *ctx,
  * \return         0 if successful
  */
 int aes_crypt_ctr( aes_context *ctx,
-                       size_t length,
+                       uint64_t length,
                        size_t *nc_off,
                        unsigned char nonce_counter[16],
                        unsigned char stream_block[16],
diff --git a/makerom/romfs_import.c b/makerom/romfs_import.c
index 48d68f64..37762bfb 100644
--- a/makerom/romfs_import.c
+++ b/makerom/romfs_import.c
@@ -1,5 +1,5 @@
 #include "lib.h"
-#include "dir.h"
+#include "romfs_fs.h"
 #include "ncch_build.h"
 #include "romfs.h"
 
@@ -30,4 +30,4 @@ int ImportRomFsBinaryFromFile(romfs_buildctx *ctx)
 		return INVALID_ROMFS_FILE;
 	}
 	return 0;
-}
\ No newline at end of file
+}
diff --git a/makerom/types.h b/makerom/types.h
index c12d2427..4f8696ff 100644
--- a/makerom/types.h
+++ b/makerom/types.h
@@ -36,12 +36,12 @@ typedef enum
 	MAX_U64 = 0xffffffffffffffff,
 } data_type_max;
 
-typedef unsigned char   u8;
-typedef unsigned short  u16;
-typedef unsigned int    u32;
-typedef unsigned long long      u64;
+typedef uint8_t                 u8;
+typedef uint16_t                u16;
+typedef uint32_t                u32;
+typedef uint64_t                u64;
 
-typedef signed char     s8;
-typedef signed short    s16;
-typedef signed int      s32;
-typedef signed long long        s64;
+typedef int8_t                  s8;
+typedef int16_t                 s16;
+typedef int32_t                 s32;
+typedef int64_t                 s64;

From 127d1161e54863f2b8218843909069a54165306a Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 20 Nov 2015 03:13:31 +0800
Subject: [PATCH 127/317] [ctrtool] Fixed issue #7

---
 ctrtool/cia.c      |  41 +++++++++---------
 ctrtool/cia.h      |  22 +++++-----
 ctrtool/ctr.c      |  37 ++++++----------
 ctrtool/ctr.h      |   2 +-
 ctrtool/cwav.c     |  14 +++---
 ctrtool/cwav.h     |   8 ++--
 ctrtool/exefs.c    |  12 +++---
 ctrtool/exefs.h    |   8 ++--
 ctrtool/exheader.c |   6 +--
 ctrtool/exheader.h |   8 ++--
 ctrtool/firm.c     |   8 ++--
 ctrtool/firm.h     |   4 +-
 ctrtool/ivfc.c     |  41 ++++++++----------
 ctrtool/ivfc.h     |  13 +++---
 ctrtool/lzss.c     |   2 +-
 ctrtool/main.c     |  14 ++----
 ctrtool/ncch.c     | 105 +++++++++++++++++++++------------------------
 ctrtool/ncch.h     |  28 ++++++------
 ctrtool/ncsd.c     |   8 ++--
 ctrtool/ncsd.h     |  10 ++---
 ctrtool/romfs.c    |  23 ++++------
 ctrtool/romfs.h    |   8 ++--
 ctrtool/tik.c      |   4 +-
 ctrtool/tik.h      |   4 +-
 ctrtool/tmd.c      |   4 +-
 ctrtool/tmd.h      |   4 +-
 ctrtool/types.h    |  17 ++++----
 ctrtool/utils.c    |  33 +++++++++-----
 ctrtool/utils.h    |   6 +++
 29 files changed, 241 insertions(+), 253 deletions(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index c0963a54..91333bde 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -20,12 +20,12 @@ void cia_set_file(cia_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void cia_set_offset(cia_context* ctx, u32 offset)
+void cia_set_offset(cia_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
 
-void cia_set_size(cia_context* ctx, u32 size)
+void cia_set_size(cia_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -39,8 +39,8 @@ void cia_set_usersettings(cia_context* ctx, settings* usersettings)
 
 void cia_save(cia_context* ctx, u32 type, u32 flags)
 {
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	u16 contentflags;
 	u8 docrypto;
 	filepath* path = 0;
@@ -133,14 +133,13 @@ void cia_save(cia_context* ctx, u32 type, u32 flags)
 	cia_save_blob(ctx, path->pathname, offset, size, 0);
 }
 
-void cia_save_blob(cia_context *ctx, char *out_path, u32 offset, u32 size, int do_cbc) 
+void cia_save_blob(cia_context *ctx, char *out_path, u64 offset, u64 size, int do_cbc) 
 {
 	FILE *fout = 0;
 	u8 buffer[16*1024];
 
-	fseek(ctx->file, ctx->offset + offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
 
-	
 	fout = fopen(out_path, "wb");
 	if (fout == NULL)
 	{
@@ -180,7 +179,7 @@ void cia_save_blob(cia_context *ctx, char *out_path, u32 offset, u32 size, int d
 
 void cia_process(cia_context* ctx, u32 actions)
 {	
-	fseek(ctx->file, 0, SEEK_SET);
+	fseeko64(ctx->file, 0, SEEK_SET);
 
 	if (fread(&ctx->header, 1, sizeof(ctr_ciaheader), ctx->file) != sizeof(ctr_ciaheader))
 	{
@@ -192,14 +191,14 @@ void cia_process(cia_context* ctx, u32 actions)
 	ctx->sizecert = getle32(ctx->header.certsize);
 	ctx->sizetik = getle32(ctx->header.ticketsize);
 	ctx->sizetmd = getle32(ctx->header.tmdsize);
-	ctx->sizecontent = (u32)getle64(ctx->header.contentsize);
+	ctx->sizecontent = getle64(ctx->header.contentsize);
 	ctx->sizemeta = getle32(ctx->header.metasize);
 	
 	ctx->offsetcerts = align(ctx->sizeheader, 64);
 	ctx->offsettik = align(ctx->offsetcerts + ctx->sizecert, 64);
 	ctx->offsettmd = align(ctx->offsettik + ctx->sizetik, 64);
 	ctx->offsetcontent = align(ctx->offsettmd + ctx->sizetmd, 64);
-	ctx->offsetmeta = align(ctx->offsetcontent + ctx->sizecontent, 64);
+	ctx->offsetmeta = align64(ctx->offsetcontent + ctx->sizecontent, 64);
 
 	if (actions & InfoFlag)
 		cia_print(ctx);
@@ -260,7 +259,7 @@ void cia_verify_contents(cia_context *ctx, u32 actions)
 	body  = tmd_get_body(&ctx->tmd);
 	chunk = (ctr_tmd_contentchunk*)(body->contentinfo + (sizeof(ctr_tmd_contentinfo) * TMD_MAX_CONTENTS));
 
-	fseek(ctx->file, ctx->offset + ctx->offsetcontent, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset + ctx->offsetcontent, SEEK_SET);
 	for(i = 0; i < getbe16(body->contentcount); i++) 
 	{
 		content_size = getbe64(chunk->size) & 0xffffffff;
@@ -298,14 +297,14 @@ void cia_print(cia_context* ctx)
 	fprintf(stdout, "Header size             0x%08x\n", getle32(header->headersize));
 	fprintf(stdout, "Type                    %04x\n", getle16(header->type));
 	fprintf(stdout, "Version                 %04x\n", getle16(header->version));
-	fprintf(stdout, "Certificates offset:    0x%08x\n", ctx->offsetcerts);
-	fprintf(stdout, "Certificates size:      0x%04x\n", ctx->sizecert);
-	fprintf(stdout, "Ticket offset:          0x%08x\n", ctx->offsettik);
-	fprintf(stdout, "Ticket size             0x%04x\n", ctx->sizetik);
-	fprintf(stdout, "TMD offset:             0x%08x\n", ctx->offsettmd);
-	fprintf(stdout, "TMD size:               0x%04x\n", ctx->sizetmd);
-	fprintf(stdout, "Meta offset:            0x%04x\n", ctx->offsetmeta);
-	fprintf(stdout, "Meta size:              0x%04x\n", ctx->sizemeta);
-	fprintf(stdout, "Content offset:         0x%08x\n", ctx->offsetcontent);
-	fprintf(stdout, "Content size:           0x%016"PRIx64"\n", getle64(header->contentsize));
+	fprintf(stdout, "Certificates offset:    0x%"PRIx64"\n", ctx->offsetcerts);
+	fprintf(stdout, "Certificates size:      0x%x\n", ctx->sizecert);
+	fprintf(stdout, "Ticket offset:          0x%"PRIx64"n", ctx->offsettik);
+	fprintf(stdout, "Ticket size             0x%x\n", ctx->sizetik);
+	fprintf(stdout, "TMD offset:             0x%"PRIx64"\n", ctx->offsettmd);
+	fprintf(stdout, "TMD size:               0x%x\n", ctx->sizetmd);
+	fprintf(stdout, "Meta offset:            0x%"PRIx64"\n", ctx->offsetmeta);
+	fprintf(stdout, "Meta size:              0x%x\n", ctx->sizemeta);
+	fprintf(stdout, "Content offset:         0x%"PRIx64"\n", ctx->offsetcontent);
+	fprintf(stdout, "Content size:           0x%"PRIx64"\n", ctx->sizecontent);
 }
diff --git a/ctrtool/cia.h b/ctrtool/cia.h
index 531c7c18..52b01521 100644
--- a/ctrtool/cia.h
+++ b/ctrtool/cia.h
@@ -33,8 +33,8 @@ typedef struct
 typedef struct
 {
 	FILE* file;
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	u8 titlekey[16];
 	u8 iv[16];
 	ctr_ciaheader header;
@@ -48,25 +48,25 @@ typedef struct
 	u32 sizecert;
 	u32 sizetik;
 	u32 sizetmd;
-	u32 sizecontent;
+	u64 sizecontent;
 	u32 sizemeta;
 	
-	u32 offsetcerts;
-	u32 offsettik;
-	u32 offsettmd;
-	u32 offsetcontent;
-	u32 offsetmeta;
+	u64 offsetcerts;
+	u64 offsettik;
+	u64 offsettmd;
+	u64 offsetcontent;
+	u64 offsetmeta;
 } cia_context;
 
 void cia_init(cia_context* ctx);
 void cia_set_file(cia_context* ctx, FILE* file);
-void cia_set_offset(cia_context* ctx, u32 offset);
-void cia_set_size(cia_context* ctx, u32 size);
+void cia_set_offset(cia_context* ctx, u64 offset);
+void cia_set_size(cia_context* ctx, u64 size);
 void cia_set_usersettings(cia_context* ctx, settings* usersettings);
 void cia_print(cia_context* ctx);
 void cia_save(cia_context* ctx, u32 type, u32 flags);
 void cia_process(cia_context* ctx, u32 actions);
-void cia_save_blob(cia_context *ctx, char *out_path, u32 offset, u32 size, int do_cbc);
+void cia_save_blob(cia_context *ctx, char *out_path, u64 offset, u64 size, int do_cbc);
 void cia_verify_contents(cia_context *ctx, u32 actions);
 
 #endif // _CIA_H_
diff --git a/ctrtool/ctr.c b/ctrtool/ctr.c
index 417d03fe..6948bf8f 100644
--- a/ctrtool/ctr.c
+++ b/ctrtool/ctr.c
@@ -13,33 +13,24 @@ void ctr_set_iv( ctr_aes_context* ctx,
 }
 
 void ctr_add_counter( ctr_aes_context* ctx,
-				      u32 carry )
+				      u32 block_num )
 {
-	u32 counter[4];
-	u32 sum;
-	int i;
-
-	for(i=0; i<4; i++)
-		counter[i] = (ctx->ctr[i*4+0]<<24) | (ctx->ctr[i*4+1]<<16) | (ctx->ctr[i*4+2]<<8) | (ctx->ctr[i*4+3]<<0);
-
-	for(i=3; i>=0; i--)
-	{
-		sum = counter[i] + carry;
+	u32 i, j;
+	for (i = 0; i < block_num; i++) {
+		for (j = 0x10; j > 0; j--) {
+			// increment u8 by 1
+			ctx->ctr[j - 1]++;
 
-		if (sum < counter[i])
-			carry = 1;
-		else
-			carry = 0;
+			// if it didn't overflow to 0, then we can exit now
+			if (ctx->ctr[j - 1])
+				break;
 
-		counter[i] = sum;
-	}
+			// if we reach here, the next u8 needs to be incremented
 
-	for(i=0; i<4; i++)
-	{
-		ctx->ctr[i*4+0] = counter[i]>>24;
-		ctx->ctr[i*4+1] = counter[i]>>16;
-		ctx->ctr[i*4+2] = counter[i]>>8;
-		ctx->ctr[i*4+3] = counter[i]>>0;
+			// Loop to beginning back if needed
+			if (j == 1)
+				j = 0x10;
+		}
 	}
 }
 				  
diff --git a/ctrtool/ctr.h b/ctrtool/ctr.h
index 93210517..66caff7b 100644
--- a/ctrtool/ctr.h
+++ b/ctrtool/ctr.h
@@ -56,7 +56,7 @@ void		ctr_set_iv( ctr_aes_context* ctx,
 						 u8 iv[16] );
 
 void		ctr_add_counter( ctr_aes_context* ctx,
-						     u32 carry );
+						     u32 block_num );
 
 void		ctr_set_counter( ctr_aes_context* ctx, 
 						 u8 ctr[16] );
diff --git a/ctrtool/cwav.c b/ctrtool/cwav.c
index e532db0a..4c1242d7 100644
--- a/ctrtool/cwav.c
+++ b/ctrtool/cwav.c
@@ -37,12 +37,12 @@ void cwav_set_file(cwav_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void cwav_set_offset(cwav_context* ctx, u32 offset)
+void cwav_set_offset(cwav_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
 
-void cwav_set_size(cwav_context* ctx, u32 size)
+void cwav_set_size(cwav_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -57,12 +57,12 @@ void cwav_process(cwav_context* ctx, u32 actions)
 	u32 i;
 	u32 infoheaderoffset;
 
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, sizeof(cwav_header), ctx->file);
 
 	infoheaderoffset = getle32(ctx->header.infoblockref.offset);
 
-	fseek(ctx->file, ctx->offset + infoheaderoffset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset + infoheaderoffset, SEEK_SET);
 	fread(&ctx->infoheader, 1, sizeof(cwav_infoheader), ctx->file);
 
 	ctx->channelcount = getle32(ctx->infoheader.channelcount);
@@ -79,7 +79,7 @@ void cwav_process(cwav_context* ctx, u32 actions)
 		{
 			u32 channeloffset = infoheaderoffset + 0x1C + getle32(ctx->channel[i].inforef.offset);
 
-			fseek(ctx->file, ctx->offset + channeloffset, SEEK_SET);
+			fseeko64(ctx->file, ctx->offset + channeloffset, SEEK_SET);
 			fread(&ctx->channel[i].info, sizeof(cwav_channelinfo), 1, ctx->file);
 
 			if (ctx->infoheader.encoding == CWAV_ENCODING_DSPADPCM)
@@ -88,7 +88,7 @@ void cwav_process(cwav_context* ctx, u32 actions)
 				{
 					u32 codecoffset = channeloffset + getle32(ctx->channel[i].info.codecref.offset);
 
-					fseek(ctx->file, ctx->offset + codecoffset, SEEK_SET);
+					fseeko64(ctx->file, ctx->offset + codecoffset, SEEK_SET);
 					fread(&ctx->channel[i].infodspadpcm, sizeof(cwav_dspadpcminfo), 1, ctx->file);
 				}
 			}
@@ -98,7 +98,7 @@ void cwav_process(cwav_context* ctx, u32 actions)
 				{
 					u32 codecoffset = channeloffset + getle32(ctx->channel[i].info.codecref.offset);
 
-					fseek(ctx->file, ctx->offset + codecoffset, SEEK_SET);
+					fseeko64(ctx->file, ctx->offset + codecoffset, SEEK_SET);
 					fread(&ctx->channel[i].infoimaadpcm, sizeof(cwav_imaadpcminfo), 1, ctx->file);
 				}
 			}
diff --git a/ctrtool/cwav.h b/ctrtool/cwav.h
index e75f22cb..180f4b00 100644
--- a/ctrtool/cwav.h
+++ b/ctrtool/cwav.h
@@ -165,8 +165,8 @@ typedef struct
 {
 	FILE* file;
 	settings* usersettings;
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	u32 channelcount;
 	cwav_header header;
 	cwav_infoheader infoheader;
@@ -175,8 +175,8 @@ typedef struct
 
 void cwav_init(cwav_context* ctx);
 void cwav_set_file(cwav_context* ctx, FILE* file);
-void cwav_set_offset(cwav_context* ctx, u32 offset);
-void cwav_set_size(cwav_context* ctx, u32 size);
+void cwav_set_offset(cwav_context* ctx, u64 offset);
+void cwav_set_size(cwav_context* ctx, u64 size);
 void cwav_set_usersettings(cwav_context* ctx, settings* usersettings);
 void cwav_process(cwav_context* ctx, u32 actions);
 void cwav_dspadpcm_init(cwav_dspadpcmstate* state);
diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index 78070710..36180438 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -18,12 +18,12 @@ void exefs_set_file(exefs_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void exefs_set_offset(exefs_context* ctx, u32 offset)
+void exefs_set_offset(exefs_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
 
-void exefs_set_size(exefs_context* ctx, u32 size)
+void exefs_set_size(exefs_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -122,10 +122,8 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 		fprintf(stderr, "Error, failed to create file %s\n", outfname);
 		goto clean;
 	}
-	
-	
 
-	fseek(ctx->file, ctx->offset + offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
 	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
@@ -209,7 +207,7 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 
 void exefs_read_header(exefs_context* ctx, u32 flags)
 {
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, sizeof(exefs_header), ctx->file);
 
 	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
@@ -270,7 +268,7 @@ int exefs_verify(exefs_context* ctx, u32 index, u32 flags)
 	if (size == 0)
 		return 0;
 
-	fseek(ctx->file, ctx->offset + offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
 	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
diff --git a/ctrtool/exefs.h b/ctrtool/exefs.h
index a0624783..28afffb6 100644
--- a/ctrtool/exefs.h
+++ b/ctrtool/exefs.h
@@ -30,8 +30,8 @@ typedef struct
 	u8 partitionid[8];
 	u8 counter[16];
 	u8 key[16];
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	exefs_header header;
 	ctr_aes_context aes;
 	ctr_sha256_context sha;
@@ -42,8 +42,8 @@ typedef struct
 
 void exefs_init(exefs_context* ctx);
 void exefs_set_file(exefs_context* ctx, FILE* file);
-void exefs_set_offset(exefs_context* ctx, u32 offset);
-void exefs_set_size(exefs_context* ctx, u32 size);
+void exefs_set_offset(exefs_context* ctx, u64 offset);
+void exefs_set_size(exefs_context* ctx, u64 size);
 void exefs_set_usersettings(exefs_context* ctx, settings* usersettings);
 void exefs_set_partitionid(exefs_context* ctx, u8 partitionid[8]);
 void exefs_set_counter(exefs_context* ctx, u8 counter[16]);
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index a7e16b16..9715616f 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -17,12 +17,12 @@ void exheader_set_file(exheader_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void exheader_set_offset(exheader_context* ctx, u32 offset)
+void exheader_set_offset(exheader_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
 
-void exheader_set_size(exheader_context* ctx, u32 size)
+void exheader_set_size(exheader_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -88,7 +88,7 @@ void exheader_read(exheader_context* ctx, u32 actions)
 {
 	if (ctx->haveread == 0)
 	{
-		fseek(ctx->file, ctx->offset, SEEK_SET);
+		fseeko64(ctx->file, ctx->offset, SEEK_SET);
 		fread(&ctx->header, 1, sizeof(exheader_header), ctx->file);
 
 		ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index 63bb1690..9691e0f1 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -154,8 +154,8 @@ typedef struct
 	u8 hash[32];
 	u8 counter[16];
 	u8 key[16];
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	exheader_header header;
 
 	exheader_arm11systemlocalcaps_deserialised system_local_caps;
@@ -181,8 +181,8 @@ typedef struct
 
 void exheader_init(exheader_context* ctx);
 void exheader_set_file(exheader_context* ctx, FILE* file);
-void exheader_set_offset(exheader_context* ctx, u32 offset);
-void exheader_set_size(exheader_context* ctx, u32 size);
+void exheader_set_offset(exheader_context* ctx, u64 offset);
+void exheader_set_size(exheader_context* ctx, u64 size);
 void exheader_set_partitionid(exheader_context* ctx, u8 partitionid[8]);
 void exheader_set_counter(exheader_context* ctx, u8 counter[16]);
 void exheader_set_programid(exheader_context* ctx, u8 programid[8]);
diff --git a/ctrtool/firm.c b/ctrtool/firm.c
index 5c3d07d7..e865cc0e 100644
--- a/ctrtool/firm.c
+++ b/ctrtool/firm.c
@@ -16,7 +16,7 @@ void firm_set_file(firm_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void firm_set_offset(firm_context* ctx, u32 offset)
+void firm_set_offset(firm_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
@@ -66,7 +66,7 @@ void firm_save(firm_context* ctx, u32 index, u32 flags)
 	
 	
 
-	fseek(ctx->file, ctx->offset + offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
 	fprintf(stdout, "Saving section %d to %s...\n", index, outpath.pathname);
 
 	while(size)
@@ -100,7 +100,7 @@ void firm_process(firm_context* ctx, u32 actions)
 {
 	u32 i;
 
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, sizeof(firm_header), ctx->file);
 
 	if (getle32(ctx->header.magic) != MAGIC_FIRM)
@@ -154,7 +154,7 @@ int firm_verify(firm_context* ctx, u32 flags)
 		if (size == 0)
 			return 0;
 
-		fseek(ctx->file, ctx->offset + offset, SEEK_SET);
+		fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
 
 		ctr_sha_256_init(&ctx->sha);
 
diff --git a/ctrtool/firm.h b/ctrtool/firm.h
index c663f71b..29af98f4 100644
--- a/ctrtool/firm.h
+++ b/ctrtool/firm.h
@@ -35,7 +35,7 @@ typedef struct
 {
 	FILE* file;
 	settings* usersettings;
-	u32 offset;
+	u64 offset;
 	u32 size;
 	firm_header header;
 	ctr_sha256_context sha;
@@ -45,7 +45,7 @@ typedef struct
 
 void firm_init(firm_context* ctx);
 void firm_set_file(firm_context* ctx, FILE* file);
-void firm_set_offset(firm_context* ctx, u32 offset);
+void firm_set_offset(firm_context* ctx, u64 offset);
 void firm_set_size(firm_context* ctx, u32 size);
 void firm_set_usersettings(firm_context* ctx, settings* usersettings);
 void firm_process(firm_context* ctx, u32 actions);
diff --git a/ctrtool/ivfc.c b/ctrtool/ivfc.c
index a4796ac3..7fbb5fc8 100644
--- a/ctrtool/ivfc.c
+++ b/ctrtool/ivfc.c
@@ -17,12 +17,12 @@ void ivfc_set_usersettings(ivfc_context* ctx, settings* usersettings)
 	ctx->usersettings = usersettings;
 }
 
-void ivfc_set_offset(ivfc_context* ctx, u32 offset)
+void ivfc_set_offset(ivfc_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
 
-void ivfc_set_size(ivfc_context* ctx, u32 size)
+void ivfc_set_size(ivfc_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -35,9 +35,7 @@ void ivfc_set_file(ivfc_context* ctx, FILE* file)
 
 void ivfc_process(ivfc_context* ctx, u32 actions)
 {
-
-
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, sizeof(ivfc_header), ctx->file);
 
 	if (getle32(ctx->header.magic) != MAGIC_IVFC)
@@ -55,22 +53,22 @@ void ivfc_process(ivfc_context* ctx, u32 actions)
 		ctx->level[2].hashblocksize = 1 << getle32(ctx->romfsheader.level3.blocksize);
 		ctx->level[1].hashblocksize = 1 << getle32(ctx->romfsheader.level2.blocksize);
 		ctx->level[0].hashblocksize = 1 << getle32(ctx->romfsheader.level1.blocksize);
-		ctx->level[0].hashoffset = 0x60;
 
-		ctx->bodyoffset = align64(ctx->level[0].hashoffset + getle32(ctx->romfsheader.masterhashsize), ctx->level[2].hashblocksize);
+		ctx->bodyoffset = align64(IVFC_HEADER_SIZE + getle32(ctx->romfsheader.masterhashsize), ctx->level[2].hashblocksize);
 		ctx->bodysize = getle64(ctx->romfsheader.level3.hashdatasize);
 		
 		ctx->level[2].dataoffset = ctx->bodyoffset;
 		ctx->level[2].datasize = align64(ctx->bodysize, ctx->level[2].hashblocksize);
 
-		ctx->level[1].hashoffset = align64(ctx->bodyoffset + ctx->bodysize, ctx->level[2].hashblocksize);
-		ctx->level[2].hashoffset = ctx->level[1].hashoffset + getle64(ctx->romfsheader.level2.logicaloffset) - getle64(ctx->romfsheader.level1.logicaloffset);
+		ctx->level[0].dataoffset = ctx->level[2].dataoffset + ctx->level[2].datasize;
+		ctx->level[0].datasize = align64(getle64(ctx->romfsheader.level1.hashdatasize), ctx->level[0].hashblocksize);
 
-		ctx->level[1].dataoffset = ctx->level[2].hashoffset;
+		ctx->level[1].dataoffset = ctx->level[0].dataoffset + ctx->level[0].datasize;
 		ctx->level[1].datasize = align64(getle64(ctx->romfsheader.level2.hashdatasize), ctx->level[1].hashblocksize);
 
-		ctx->level[0].dataoffset = ctx->level[1].hashoffset;
-		ctx->level[0].datasize = align64(getle64(ctx->romfsheader.level1.hashdatasize), ctx->level[0].hashblocksize);
+		ctx->level[0].hashoffset = IVFC_HEADER_SIZE;
+		ctx->level[1].hashoffset = ctx->level[0].dataoffset;
+		ctx->level[2].hashoffset = ctx->level[1].dataoffset;
 	}
 
 	if (actions & VerifyFlag)
@@ -98,7 +96,7 @@ void ivfc_verify(ivfc_context* ctx, u32 flags)
 		ivfc_level* level = ctx->level + i;
 
 		blockcount = level->datasize / level->hashblocksize;
-		if (blockcount * level->hashblocksize != level->datasize)
+		if (level->datasize % level->hashblocksize != 0)
 		{
 			fprintf(stderr, "Error, IVFC block size mismatch\n");
 			return;
@@ -110,7 +108,6 @@ void ivfc_verify(ivfc_context* ctx, u32 flags)
 		{
 			u8 calchash[32];
 			u8 testhash[32];
-
 			
 			ivfc_hash(ctx, level->dataoffset + level->hashblocksize * j, level->hashblocksize, calchash);
 			ivfc_read(ctx, level->hashoffset + 0x20 * j, 0x20, testhash);
@@ -121,15 +118,15 @@ void ivfc_verify(ivfc_context* ctx, u32 flags)
 	}
 }
 
-void ivfc_read(ivfc_context* ctx, u32 offset, u32 size, u8* buffer)
+void ivfc_read(ivfc_context* ctx, u64 offset, u64 size, u8* buffer)
 {
 	if ( (offset > ctx->size) || (offset+size > ctx->size) )
 	{
-		fprintf(stderr, "Error, IVFC offset out of range (offset=0x%08x, size=0x%08x)\n", offset, size);
+		fprintf(stderr, "Error, IVFC offset out of range (offset=0x%08"PRIx64", size=0x%08"PRIx64")\n", offset, size);
 		return;
 	}
 
-	fseek(ctx->file, ctx->offset + offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
 	if (size != fread(buffer, 1, size, ctx->file))
 	{
 		fprintf(stderr, "Error, IVFC could not read file\n");
@@ -137,7 +134,7 @@ void ivfc_read(ivfc_context* ctx, u32 offset, u32 size, u8* buffer)
 	}
 }
 
-void ivfc_hash(ivfc_context* ctx, u32 offset, u32 size, u8* hash)
+void ivfc_hash(ivfc_context* ctx, u64 offset, u64 size, u8* hash)
 {
 	if (size > IVFC_MAX_BUFFERSIZE)
 	{
@@ -157,7 +154,7 @@ void ivfc_print(ivfc_context* ctx)
 
 	fprintf(stdout, "\nIVFC:\n");
 
-	fprintf(stdout, "Header:                 %c%c%c%c\n", header->magic[0], header->magic[1], header->magic[2], header->magic[3]);
+	fprintf(stdout, "Header:                 %.4s\n", header->magic);
 	fprintf(stdout, "Id:                     %08x\n", getle32(header->id));
 
 	for(i=0; i<ctx->levelcount; i++)
@@ -169,9 +166,9 @@ void ivfc_print(ivfc_context* ctx)
 			fprintf(stdout, "Level %d:               \n", i);
 		else
 			fprintf(stdout, "Level %d (%s):          \n", i, level->hashcheck == Good? "GOOD" : "FAIL");
-		fprintf(stdout, " Data offset:           0x%016"PRIx64"\n", ctx->offset + level->dataoffset);
-		fprintf(stdout, " Data size:             0x%016"PRIx64"\n", level->datasize);
-		fprintf(stdout, " Hash offset:           0x%016"PRIx64"\n", ctx->offset + level->hashoffset);
+		fprintf(stdout, " Data offset:           0x%08"PRIx64"\n", ctx->offset + level->dataoffset);
+		fprintf(stdout, " Data size:             0x%08"PRIx64"\n", level->datasize);
+		fprintf(stdout, " Hash offset:           0x%08"PRIx64"\n", ctx->offset + level->hashoffset);
 		fprintf(stdout, " Hash block size:       0x%08x\n", level->hashblocksize);
 	}
 }
diff --git a/ctrtool/ivfc.h b/ctrtool/ivfc.h
index e4e92569..5c0aa1b1 100644
--- a/ctrtool/ivfc.h
+++ b/ctrtool/ivfc.h
@@ -4,6 +4,7 @@
 #include "types.h"
 #include "settings.h"
 
+#define IVFC_HEADER_SIZE 0x60
 #define IVFC_MAX_LEVEL 4
 #define IVFC_MAX_BUFFERSIZE 0x4000
 
@@ -43,8 +44,8 @@ typedef struct
 typedef struct
 {
 	FILE* file;
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	settings* usersettings;
 
 	ivfc_header header;
@@ -59,14 +60,14 @@ typedef struct
 
 void ivfc_init(ivfc_context* ctx);
 void ivfc_process(ivfc_context* ctx, u32 actions);
-void ivfc_set_offset(ivfc_context* ctx, u32 offset);
-void ivfc_set_size(ivfc_context* ctx, u32 size);
+void ivfc_set_offset(ivfc_context* ctx, u64 offset);
+void ivfc_set_size(ivfc_context* ctx, u64 size);
 void ivfc_set_file(ivfc_context* ctx, FILE* file);
 void ivfc_set_usersettings(ivfc_context* ctx, settings* usersettings);
 void ivfc_verify(ivfc_context* ctx, u32 flags);
 void ivfc_print(ivfc_context* ctx);
 
-void ivfc_read(ivfc_context* ctx, u32 offset, u32 size, u8* buffer);
-void ivfc_hash(ivfc_context* ctx, u32 offset, u32 size, u8* hash);
+void ivfc_read(ivfc_context* ctx, u64 offset, u64 size, u8* buffer);
+void ivfc_hash(ivfc_context* ctx, u64 offset, u64 size, u8* hash);
 
 #endif // __IVFC_H__
diff --git a/ctrtool/lzss.c b/ctrtool/lzss.c
index 93bc7696..1a853a5b 100644
--- a/ctrtool/lzss.c
+++ b/ctrtool/lzss.c
@@ -40,7 +40,7 @@ void lzss_process(lzss_context* ctx, u32 actions)
 	FILE* fout = 0;
 
 
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	
 
 	if (actions & ExtractFlag)
diff --git a/ctrtool/main.c b/ctrtool/main.c
index dabd615e..c5ef33cf 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -31,7 +31,7 @@ typedef struct
 	int actions;
 	u32 filetype;
 	FILE* infile;
-	u32 infilesize;
+	u64 infilesize;
 	settings usersettings;
 } toolcontext;
 
@@ -259,6 +259,7 @@ int main(int argc, char* argv[])
 	if (ctx.actions & ShowKeysFlag)
 		keyset_dump(&ctx.usersettings.keys);
 
+	ctx.infilesize = _fsize(infname);
 	ctx.infile = fopen(infname, "rb");
 
 	if (ctx.infile == 0) 
@@ -267,16 +268,9 @@ int main(int argc, char* argv[])
 		return -1;
 	}
 
-	fseek(ctx.infile, 0, SEEK_END);
-	ctx.infilesize = ftell(ctx.infile);
-	fseek(ctx.infile, 0, SEEK_SET);
-
-
-
-
 	if (ctx.filetype == FILETYPE_UNKNOWN)
 	{
-		fseek(ctx.infile, 0x100, SEEK_SET);
+		fseeko64(ctx.infile, 0x100, SEEK_SET);
 		fread(&magic, 1, 4, ctx.infile);
 
 		switch(getle32(magic))
@@ -296,7 +290,7 @@ int main(int argc, char* argv[])
 
 	if (ctx.filetype == FILETYPE_UNKNOWN)
 	{
-		fseek(ctx.infile, 0, SEEK_SET);
+		fseeko64(ctx.infile, 0, SEEK_SET);
 		fread(magic, 1, 4, ctx.infile);
 		
 		switch(getle32(magic))
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 5de61cef..991afc3a 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -30,12 +30,12 @@ void ncch_set_usersettings(ncch_context* ctx, settings* usersettings)
 	ctx->usersettings = usersettings;
 }
 
-void ncch_set_offset(ncch_context* ctx, u32 offset)
+void ncch_set_offset(ncch_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
 
-void ncch_set_size(ncch_context* ctx, u32 size)
+void ncch_set_size(ncch_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -51,7 +51,7 @@ void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
 	u8* partitionid = ctx->header.partitionid;
 	u32 i;
-	u32 x = 0;
+	u64 x = 0;
 
 	memset(counter, 0, 16);
 
@@ -81,8 +81,8 @@ void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 
 int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 {
-	u32 offset = 0;
-	u32 size = 0;
+	u64 offset = 0;
+	u64 size = 0;
 	u8 counter[16];
 
 
@@ -126,7 +126,7 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 
 	ctx->extractsize = size;
 	ctx->extractflags = flags;
-	fseek(ctx->file, offset, SEEK_SET);
+	fseeko64(ctx->file, offset, SEEK_SET);
 	ncch_get_counter(ctx, counter, type);
 	ctr_init_counter(&ctx->aes, ctx->key, counter);
 
@@ -138,25 +138,25 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 
 int ncch_extract_buffer(ncch_context* ctx, u8* buffer, u32 buffersize, u32* outsize, u8 nocrypto)
 {
-	u32 max = buffersize;
+	u32 read_len = buffersize;
 
-	if (max > ctx->extractsize)
-		max = ctx->extractsize;
+	if (read_len > ctx->extractsize)
+		read_len = ctx->extractsize;
 
-	*outsize = max;
+	*outsize = read_len;
 
 	if (ctx->extractsize)
 	{
-		if (max != fread(buffer, 1, max, ctx->file))
+		if (read_len != fread(buffer, 1, read_len, ctx->file))
 		{
 			fprintf(stdout, "Error reading input file\n");
 			goto clean;
 		}
 
 		if (ctx->encrypted && !nocrypto)
-			ctr_crypt_counter(&ctx->aes, buffer, buffer, max);
+			ctr_crypt_counter(&ctx->aes, buffer, buffer, read_len);
 
-		ctx->extractsize -= max;
+		ctx->extractsize -= read_len;
 	}
 
 	return 1;
@@ -203,15 +203,15 @@ void ncch_save(ncch_context* ctx, u32 type, u32 flags)
 
 	while(1)
 	{
-		u32 max;
+		u32 read_len;
 
-		if (0 == ncch_extract_buffer(ctx, buffer, sizeof(buffer), &max, type == NCCHTYPE_LOGO))
+		if (0 == ncch_extract_buffer(ctx, buffer, sizeof(buffer), &read_len, type == NCCHTYPE_LOGO))
 			goto clean;
 
-		if (max == 0)
+		if (read_len == 0)
 			break;
 
-		if (max != fwrite(buffer, 1, max, fout))
+		if (read_len != fwrite(buffer, 1, read_len, fout))
 		{
 			fprintf(stdout, "Error writing output file\n");
 			goto clean;
@@ -307,7 +307,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	int result = 1;
 
 
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, 0x200, ctx->file);
 
 	if (getle32(ctx->header.magic) != MAGIC_NCCH)
@@ -385,53 +385,47 @@ int ncch_signature_verify(ncch_context* ctx, rsakey2048* key)
 }
 
 
-u32 ncch_get_exefs_offset(ncch_context* ctx)
+u64 ncch_get_exefs_offset(ncch_context* ctx)
 {
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
-	return ctx->offset + getle32(ctx->header.exefsoffset) * mediaunitsize;
+	return ctx->offset + getle32(ctx->header.exefsoffset) * ncch_get_mediaunit_size(ctx);
 }
 
-u32 ncch_get_exefs_size(ncch_context* ctx)
+u64 ncch_get_exefs_size(ncch_context* ctx)
 {
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
-	return getle32(ctx->header.exefssize) * mediaunitsize;
+	return getle32(ctx->header.exefssize) * ncch_get_mediaunit_size(ctx);
 }
 
-u32 ncch_get_romfs_offset(ncch_context* ctx)
+u64 ncch_get_romfs_offset(ncch_context* ctx)
 {
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
-	return ctx->offset + getle32(ctx->header.romfsoffset) * mediaunitsize;
+	return ctx->offset + getle32(ctx->header.romfsoffset) * ncch_get_mediaunit_size(ctx);
 }
 
-u32 ncch_get_romfs_size(ncch_context* ctx)
+u64 ncch_get_romfs_size(ncch_context* ctx)
 {
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
-	return getle32(ctx->header.romfssize) * mediaunitsize;
+	return getle32(ctx->header.romfssize) * ncch_get_mediaunit_size(ctx);
 }
 
-u32 ncch_get_exheader_offset(ncch_context* ctx)
+u64 ncch_get_exheader_offset(ncch_context* ctx)
 {
 	return ctx->offset + 0x200;
 }
 
-u32 ncch_get_exheader_size(ncch_context* ctx)
+u64 ncch_get_exheader_size(ncch_context* ctx)
 {
 	return getle32(ctx->header.extendedheadersize);
 }
 
-u32 ncch_get_logo_offset(ncch_context* ctx)
+u64 ncch_get_logo_offset(ncch_context* ctx)
 {
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
-	return ctx->offset + getle32(ctx->header.logooffset) * mediaunitsize;
+	return ctx->offset + getle32(ctx->header.logooffset) * ncch_get_mediaunit_size(ctx);
 }
 
-u32 ncch_get_logo_size(ncch_context* ctx)
+u64 ncch_get_logo_size(ncch_context* ctx)
 {
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
-	return getle32(ctx->header.logosize) * mediaunitsize;
+	return getle32(ctx->header.logosize) * ncch_get_mediaunit_size(ctx);
 }
 
-u32 ncch_get_mediaunit_size(ncch_context* ctx)
+u64 ncch_get_mediaunit_size(ncch_context* ctx)
 {
 	unsigned int mediaunitsize = settings_get_mediaunit_size(ctx->usersettings);
 
@@ -473,7 +467,7 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 
 		// Firstly, check if the NCCH is already decrypted, by reading the programid in the exheader
 		// Otherwise, use determination rules
-		fseek(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
+		fseeko64(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
 		memset(&exheader, 0, sizeof(exheader));
 		fread(&exheader, 1, sizeof(exheader), ctx->file);
 
@@ -560,9 +554,8 @@ static const char* contentplatformtostring(unsigned char platform)
 void ncch_print(ncch_context* ctx)
 {
 	ctr_ncchheader *header = &ctx->header;
-	u32 offset = ctx->offset;
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
-
+	u64 offset = ctx->offset;
+	u64 mediaunitsize = ncch_get_mediaunit_size(ctx);
 
 	fprintf(stdout, "\nNCCH:\n");
 
@@ -573,10 +566,10 @@ void ncch_print(ncch_context* ctx)
 		memdump(stdout, "Signature (GOOD):       ", header->signature, 0x100);
 	else
 		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);
-	fprintf(stdout, "Content size:           0x%08x\n", getle32(header->contentsize)*mediaunitsize);
+	fprintf(stdout, "Content size:           0x%08"PRIx64"\n", getle32(header->contentsize)*mediaunitsize);
 	fprintf(stdout, "Partition id:           %016"PRIx64"\n", getle64(header->partitionid));
 	fprintf(stdout, "Maker code:             %.2s\n", header->makercode);
-	fprintf(stdout, "Version:                %04x\n", getle16(header->version));
+	fprintf(stdout, "Version:                %d\n", getle16(header->version));
 	fprintf(stdout, "Title seed check:       %08x\n", getle32(header->seedcheck));
 	fprintf(stdout, "Program id:             %016"PRIx64"\n", getle64(header->programid));
 	if(ctx->logohashcheck == Unchecked)
@@ -594,7 +587,7 @@ void ncch_print(ncch_context* ctx)
 	else
 		memdump(stdout, "Exheader hash (FAIL):   ", header->extendedheaderhash, 0x20);
 	fprintf(stdout, "Flags:                  %016"PRIx64"\n", getle64(header->flags));
-	fprintf(stdout, " > Mediaunit size:      0x%x\n", mediaunitsize);
+	fprintf(stdout, " > Mediaunit size:      0x%x\n", (u32)mediaunitsize);
 	if (header->flags[7] & 4)
 		fprintf(stdout, " > Crypto key:          None\n");
 	else if (header->flags[7] & 1)
@@ -608,16 +601,16 @@ void ncch_print(ncch_context* ctx)
 		fprintf(stdout, " > No RomFS mount\n");
 
 
-	fprintf(stdout, "Plain region offset:    0x%08x\n", getle32(header->plainregionsize)? offset+getle32(header->plainregionoffset)*mediaunitsize : 0);
-	fprintf(stdout, "Plain region size:      0x%08x\n", getle32(header->plainregionsize)*mediaunitsize);
-	fprintf(stdout, "Logo offset:            0x%08x\n", getle32(header->logosize)? offset+getle32(header->logooffset)*mediaunitsize : 0);
-	fprintf(stdout, "Logo size:              0x%08x\n", getle32(header->logosize)*mediaunitsize);
-	fprintf(stdout, "ExeFS offset:           0x%08x\n", getle32(header->exefssize)? offset+getle32(header->exefsoffset)*mediaunitsize : 0);
-	fprintf(stdout, "ExeFS size:             0x%08x\n", getle32(header->exefssize)*mediaunitsize);
-	fprintf(stdout, "ExeFS hash region size: 0x%08x\n", getle32(header->exefshashregionsize)*mediaunitsize);
-	fprintf(stdout, "RomFS offset:           0x%08x\n", getle32(header->romfssize)? offset+getle32(header->romfsoffset)*mediaunitsize : 0);
-	fprintf(stdout, "RomFS size:             0x%08x\n", getle32(header->romfssize)*mediaunitsize);
-	fprintf(stdout, "RomFS hash region size: 0x%08x\n", getle32(header->romfshashregionsize)*mediaunitsize);
+	fprintf(stdout, "Plain region offset:    0x%08"PRIx64"\n", getle32(header->plainregionsize)? offset+getle32(header->plainregionoffset)*mediaunitsize : 0);
+	fprintf(stdout, "Plain region size:      0x%08"PRIx64"\n", getle32(header->plainregionsize)*mediaunitsize);
+	fprintf(stdout, "Logo offset:            0x%08"PRIx64"\n", getle32(header->logosize)? offset+getle32(header->logooffset)*mediaunitsize : 0);
+	fprintf(stdout, "Logo size:              0x%08"PRIx64"\n", getle32(header->logosize)*mediaunitsize);
+	fprintf(stdout, "ExeFS offset:           0x%08"PRIx64"\n", getle32(header->exefssize)? offset+getle32(header->exefsoffset)*mediaunitsize : 0);
+	fprintf(stdout, "ExeFS size:             0x%08"PRIx64"\n", getle32(header->exefssize)*mediaunitsize);
+	fprintf(stdout, "ExeFS hash region size: 0x%08"PRIx64"\n", getle32(header->exefshashregionsize)*mediaunitsize);
+	fprintf(stdout, "RomFS offset:           0x%08"PRIx64"\n", getle32(header->romfssize)? offset+getle32(header->romfsoffset)*mediaunitsize : 0);
+	fprintf(stdout, "RomFS size:             0x%08"PRIx64"\n", getle32(header->romfssize)*mediaunitsize);
+	fprintf(stdout, "RomFS hash region size: 0x%08"PRIx64"\n", getle32(header->romfshashregionsize)*mediaunitsize);
 	if (ctx->exefshashcheck == Unchecked)
 		memdump(stdout, "ExeFS Hash:             ", header->exefssuperblockhash, 0x20);
 	else if (ctx->exefshashcheck == Good)
diff --git a/ctrtool/ncch.h b/ctrtool/ncch.h
index f453bb58..4bad2be1 100644
--- a/ctrtool/ncch.h
+++ b/ctrtool/ncch.h
@@ -57,8 +57,8 @@ typedef struct
 	FILE* file;
 	u8 key[16];
 	u32 encrypted;
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	settings* usersettings;
 	ctr_ncchheader header;
 	ctr_aes_context aes;
@@ -69,31 +69,31 @@ typedef struct
 	int exheaderhashcheck;
 	int logohashcheck;
 	int headersigcheck;
-	u32 extractsize;
+	u64 extractsize;
 	u32 extractflags;
 } ncch_context;
 
 void ncch_init(ncch_context* ctx);
 void ncch_process(ncch_context* ctx, u32 actions);
-void ncch_set_offset(ncch_context* ctx, u32 offset);
-void ncch_set_size(ncch_context* ctx, u32 size);
+void ncch_set_offset(ncch_context* ctx, u64 offset);
+void ncch_set_size(ncch_context* ctx, u64 size);
 void ncch_set_file(ncch_context* ctx, FILE* file);
 void ncch_set_usersettings(ncch_context* ctx, settings* usersettings);
-u32 ncch_get_exefs_offset(ncch_context* ctx);
-u32 ncch_get_exefs_size(ncch_context* ctx);
-u32 ncch_get_romfs_offset(ncch_context* ctx);
-u32 ncch_get_romfs_size(ncch_context* ctx);
-u32 ncch_get_exheader_offset(ncch_context* ctx);
-u32 ncch_get_exheader_size(ncch_context* ctx);
-u32 ncch_get_logo_offset(ncch_context* ctx);
-u32 ncch_get_logo_size(ncch_context* ctx);
+u64 ncch_get_exefs_offset(ncch_context* ctx);
+u64 ncch_get_exefs_size(ncch_context* ctx);
+u64 ncch_get_romfs_offset(ncch_context* ctx);
+u64 ncch_get_romfs_size(ncch_context* ctx);
+u64 ncch_get_exheader_offset(ncch_context* ctx);
+u64 ncch_get_exheader_size(ncch_context* ctx);
+u64 ncch_get_logo_offset(ncch_context* ctx);
+u64 ncch_get_logo_size(ncch_context* ctx);
 void ncch_print(ncch_context* ctx);
 int ncch_signature_verify(ncch_context* ctx, rsakey2048* key);
 void ncch_verify(ncch_context* ctx, u32 flags);
 void ncch_save(ncch_context* ctx, u32 type, u32 flags);
 int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags);
 int ncch_extract_buffer(ncch_context* ctx, u8* buffer, u32 buffersize, u32* outsize, u8 nocrypto);
-u32 ncch_get_mediaunit_size(ncch_context* ctx);
+u64 ncch_get_mediaunit_size(ncch_context* ctx);
 void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type);
 void ncch_determine_key(ncch_context* ctx, u32 actions);
 #endif // _NCCH_H_
diff --git a/ctrtool/ncsd.c b/ctrtool/ncsd.c
index cfa55a34..384216a1 100644
--- a/ctrtool/ncsd.c
+++ b/ctrtool/ncsd.c
@@ -13,7 +13,7 @@ void ncsd_init(ncsd_context* ctx)
 	memset(ctx, 0, sizeof(ncsd_context));
 }
 
-void ncsd_set_offset(ncsd_context* ctx, u32 offset)
+void ncsd_set_offset(ncsd_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
@@ -23,7 +23,7 @@ void ncsd_set_file(ncsd_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void ncsd_set_size(ncsd_context* ctx, u32 size)
+void ncsd_set_size(ncsd_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -48,7 +48,7 @@ int ncsd_signature_verify(const void* blob, rsakey2048* key)
 	return ctr_rsa_verify_hash(sig, hash, key);
 }
 
-unsigned int ncsd_get_mediaunit_size(ncsd_context* ctx)
+u64 ncsd_get_mediaunit_size(ncsd_context* ctx)
 {
 	unsigned int mediaunitsize = settings_get_mediaunit_size(ctx->usersettings);
 
@@ -60,7 +60,7 @@ unsigned int ncsd_get_mediaunit_size(ncsd_context* ctx)
 
 void ncsd_process(ncsd_context* ctx, u32 actions)
 {
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, 0x200, ctx->file);
 
 	if (getle32(ctx->header.magic) != MAGIC_NCSD)
diff --git a/ctrtool/ncsd.h b/ctrtool/ncsd.h
index 58b85061..afd895a6 100644
--- a/ctrtool/ncsd.h
+++ b/ctrtool/ncsd.h
@@ -33,8 +33,8 @@ typedef struct
 typedef struct
 {
 	FILE* file;
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	u32 ncch_index;
 	ctr_ncsdheader header;
 	settings* usersettings;
@@ -44,14 +44,14 @@ typedef struct
 
 
 void ncsd_init(ncsd_context* ctx);
-void ncsd_set_offset(ncsd_context* ctx, u32 offset);
-void ncsd_set_size(ncsd_context* ctx, u32 size);
+void ncsd_set_offset(ncsd_context* ctx, u64 offset);
+void ncsd_set_size(ncsd_context* ctx, u64 size);
 void ncsd_set_ncch_index(ncsd_context* ctx, u32 ncch_index);
 void ncsd_set_file(ncsd_context* ctx, FILE* file);
 void ncsd_set_usersettings(ncsd_context* ctx, settings* usersettings);
 int ncsd_signature_verify(const void* blob, rsakey2048* key);
 void ncsd_process(ncsd_context* ctx, u32 actions);
 void ncsd_print(ncsd_context* ctx);
-unsigned int ncsd_get_mediaunit_size(ncsd_context* ctx);
+u64 ncsd_get_mediaunit_size(ncsd_context* ctx);
 
 #endif // _NCSD_H_
diff --git a/ctrtool/romfs.c b/ctrtool/romfs.c
index ad451817..df95fdc5 100644
--- a/ctrtool/romfs.c
+++ b/ctrtool/romfs.c
@@ -18,12 +18,12 @@ void romfs_set_file(romfs_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void romfs_set_offset(romfs_context* ctx, u32 offset)
+void romfs_set_offset(romfs_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
 
-void romfs_set_size(romfs_context* ctx, u32 size)
+void romfs_set_size(romfs_context* ctx, u64 size)
 {
 	ctx->size = size;
 }
@@ -49,7 +49,7 @@ void romfs_process(romfs_context* ctx, u32 actions)
 	ivfc_set_usersettings(&ctx->ivfc, ctx->usersettings);
 	ivfc_process(&ctx->ivfc, actions);
 
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, sizeof(romfs_header), ctx->file);
 
 	if (getle32(ctx->header.magic) != MAGIC_IVFC)
@@ -60,7 +60,7 @@ void romfs_process(romfs_context* ctx, u32 actions)
 
 	ctx->infoblockoffset = ctx->offset + 0x1000;
 
-	fseek(ctx->file, ctx->infoblockoffset, SEEK_SET);
+	fseeko64(ctx->file, ctx->infoblockoffset, SEEK_SET);
 	fread(&ctx->infoheader, 1, sizeof(romfs_infoheader), ctx->file);
 	
 	if (getle32(ctx->infoheader.headersize) != sizeof(romfs_infoheader))
@@ -83,13 +83,13 @@ void romfs_process(romfs_context* ctx, u32 actions)
 
 	if (ctx->dirblock)
 	{
-		fseek(ctx->file, dirblockoffset, SEEK_SET);
+		fseeko64(ctx->file, dirblockoffset, SEEK_SET);
 		fread(ctx->dirblock, 1, dirblocksize, ctx->file);
 	}
 
 	if (ctx->fileblock)
 	{
-		fseek(ctx->file, fileblockoffset, SEEK_SET);
+		fseeko64(ctx->file, fileblockoffset, SEEK_SET);
 		fread(ctx->fileblock, 1, fileblocksize, ctx->file);
 	}
 
@@ -295,13 +295,8 @@ void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, filepath*
 		goto clean;
 
 	offset += ctx->datablockoffset;
-	if ( (offset >> 32) )
-	{
-		fprintf(stderr, "Error, support for 64-bit offset not yet implemented.\n");
-		goto clean;
-	}
 
-	fseek(ctx->file, offset, SEEK_SET);
+	fseeko64(ctx->file, offset, SEEK_SET);
 	outfile = fopen(path->pathname, "wb");
 	if (outfile == 0)
 	{
@@ -344,9 +339,9 @@ void romfs_print(romfs_context* ctx)
 	fprintf(stdout, "Header size:            0x%08X\n", getle32(ctx->infoheader.headersize));
 	for(i=0; i<4; i++)
 	{
-		fprintf(stdout, "Section %d offset:       0x%08X\n", i, ctx->offset + 0x1000 + getle32(ctx->infoheader.section[i].offset));
+		fprintf(stdout, "Section %d offset:       0x%08"PRIX64"\n", i, ctx->offset + 0x1000 + getle32(ctx->infoheader.section[i].offset));
 		fprintf(stdout, "Section %d size:         0x%08X\n", i, getle32(ctx->infoheader.section[i].size));
 	}
 
-	fprintf(stdout, "Data offset:            0x%08X\n", ctx->offset + 0x1000 + getle32(ctx->infoheader.dataoffset));
+	fprintf(stdout, "Data offset:            0x%08"PRIX64"\n", ctx->offset + 0x1000 + getle32(ctx->infoheader.dataoffset));
 }
diff --git a/ctrtool/romfs.h b/ctrtool/romfs.h
index 93256351..fa84bdfe 100644
--- a/ctrtool/romfs.h
+++ b/ctrtool/romfs.h
@@ -56,8 +56,8 @@ typedef struct
 {
 	FILE* file;
 	settings* usersettings;
-	u32 offset;
-	u32 size;
+	u64 offset;
+	u64 size;
 	romfs_header header;
 	romfs_infoheader infoheader;
 	u8* dirblock;
@@ -73,8 +73,8 @@ typedef struct
 
 void romfs_init(romfs_context* ctx);
 void romfs_set_file(romfs_context* ctx, FILE* file);
-void romfs_set_offset(romfs_context* ctx, u32 offset);
-void romfs_set_size(romfs_context* ctx, u32 size);
+void romfs_set_offset(romfs_context* ctx, u64 offset);
+void romfs_set_size(romfs_context* ctx, u64 size);
 void romfs_set_usersettings(romfs_context* ctx, settings* usersettings);
 void romfs_test(romfs_context* ctx);
 int  romfs_dirblock_read(romfs_context* ctx, u32 diroffset, u32 dirsize, void* buffer);
diff --git a/ctrtool/tik.c b/ctrtool/tik.c
index 2f3c4ef6..ce582c38 100644
--- a/ctrtool/tik.c
+++ b/ctrtool/tik.c
@@ -16,7 +16,7 @@ void tik_set_file(tik_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void tik_set_offset(tik_context* ctx, u32 offset)
+void tik_set_offset(tik_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
@@ -76,7 +76,7 @@ void tik_process(tik_context* ctx, u32 actions)
 		goto clean;
 	}
 
-	fseek(ctx->file, ctx->offset, SEEK_SET);
+	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread((u8*)&ctx->tik, 1, sizeof(eticket), ctx->file);
 
 	tik_decrypt_titlekey(ctx, ctx->titlekey);
diff --git a/ctrtool/tik.h b/ctrtool/tik.h
index 78b93f06..edd72c5b 100644
--- a/ctrtool/tik.h
+++ b/ctrtool/tik.h
@@ -41,7 +41,7 @@ typedef struct
 typedef struct
 {
 	FILE* file;
-	u32 offset;
+	u64 offset;
 	u32 size;
 	u8 titlekey[16];
 	eticket tik;
@@ -51,7 +51,7 @@ typedef struct
 
 void tik_init(tik_context* ctx);
 void tik_set_file(tik_context* ctx, FILE* file);
-void tik_set_offset(tik_context* ctx, u32 offset);
+void tik_set_offset(tik_context* ctx, u64 offset);
 void tik_set_size(tik_context* ctx, u32 size);
 void tik_set_usersettings(tik_context* ctx, settings* usersettings);
 void tik_get_decrypted_titlekey(tik_context* ctx, u8 decryptedkey[0x10]);
diff --git a/ctrtool/tmd.c b/ctrtool/tmd.c
index af5691ff..bcb687f1 100644
--- a/ctrtool/tmd.c
+++ b/ctrtool/tmd.c
@@ -17,7 +17,7 @@ void tmd_set_file(tmd_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
-void tmd_set_offset(tmd_context* ctx, u32 offset)
+void tmd_set_offset(tmd_context* ctx, u64 offset)
 {
 	ctx->offset = offset;
 }
@@ -39,7 +39,7 @@ void tmd_process(tmd_context* ctx, u32 actions)
 
 	if (ctx->buffer)
 	{
-		fseek(ctx->file, ctx->offset, SEEK_SET);
+		fseeko64(ctx->file, ctx->offset, SEEK_SET);
 		fread(ctx->buffer, 1, ctx->size, ctx->file);
 
 		if (actions & InfoFlag)
diff --git a/ctrtool/tmd.h b/ctrtool/tmd.h
index 6272429d..d9701a7d 100644
--- a/ctrtool/tmd.h
+++ b/ctrtool/tmd.h
@@ -74,7 +74,7 @@ typedef struct
 typedef struct
 {
 	FILE* file;
-	u32 offset;
+	u64 offset;
 	u32 size;
 	u8* buffer;
 	u8 content_hash_stat[64];
@@ -89,7 +89,7 @@ extern "C" {
 
 void tmd_init(tmd_context* ctx);
 void tmd_set_file(tmd_context* ctx, FILE* file);
-void tmd_set_offset(tmd_context* ctx, u32 offset);
+void tmd_set_offset(tmd_context* ctx, u64 offset);
 void tmd_set_size(tmd_context* ctx, u32 size);
 void tmd_set_usersettings(tmd_context* ctx, settings* usersettings);
 void tmd_print(tmd_context* ctx);
diff --git a/ctrtool/types.h b/ctrtool/types.h
index bade7f15..9234fe1f 100644
--- a/ctrtool/types.h
+++ b/ctrtool/types.h
@@ -2,16 +2,17 @@
 #define __TYPES_H__
 
 #include <stdint.h>
+#include <inttypes.h>
 
-typedef unsigned char		u8;
-typedef unsigned short		u16;
-typedef unsigned int		u32;
-typedef unsigned long long	u64;
+typedef uint8_t			u8;
+typedef uint16_t		u16;
+typedef uint32_t		u32;
+typedef uint64_t		u64;
 
-typedef signed char			s8;
-typedef signed short		s16;
-typedef signed int			s32;
-typedef signed long long	s64;
+typedef int8_t			s8;
+typedef int16_t			s16;
+typedef int32_t			s32;
+typedef int64_t			s64;
 
 enum flags
 {
diff --git a/ctrtool/utils.c b/ctrtool/utils.c
index a7f2897b..c0435866 100644
--- a/ctrtool/utils.c
+++ b/ctrtool/utils.c
@@ -1,13 +1,13 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 #include "utils.h"
 
 #ifdef _WIN32
 #include <direct.h>
-#else
-#include <sys/stat.h>
-#include <sys/types.h>
+#include <wchar.h>
 #endif
 
 
@@ -20,7 +20,7 @@ u32 align(u32 offset, u32 alignment)
 
 u64 align64(u64 offset, u32 alignment)
 {
-	u64 mask = ~(alignment-1);
+	u64 mask = ~(u64)(alignment-1);
 
 	return (offset + (alignment-1)) & mask;
 }
@@ -91,19 +91,15 @@ void putle32(u8* p, u32 n)
 
 void readkeyfile(u8* key, const char* keyfname)
 {
+	u32 keysize = _fsize(keyfname);
 	FILE* f = fopen(keyfname, "rb");
-	u32 keysize = 0;
-
+	
 	if (0 == f)
 	{
 		fprintf(stdout, "Error opening key file\n");
 		goto clean;
 	}
 
-	fseek(f, 0, SEEK_END);
-	keysize = ftell(f);
-	fseek(f, 0, SEEK_SET);
-
 	if (keysize != 16)
 	{
 		fprintf(stdout, "Error key size mismatch, got %d, expected %d\n", keysize, 16);
@@ -190,3 +186,20 @@ int makedir(const char* dir)
 	return mkdir(dir, 0777);
 #endif
 }
+
+u64 _fsize(const char *filename)
+{
+#ifdef _WIN32
+	struct _stat64 st;
+	if (_stat64(filename, &st) != 0)
+		return 0;
+	else
+		return st.st_size;
+#else
+	struct stat st;
+	if (stat(filename, &st) != 0)
+		return 0;
+	else
+		return st.st_size;
+#endif
+}
diff --git a/ctrtool/utils.h b/ctrtool/utils.h
index 31a06fb0..519a95e5 100644
--- a/ctrtool/utils.h
+++ b/ctrtool/utils.h
@@ -35,6 +35,12 @@ int key_load(char *name, u8 *out_buf);
 
 int makedir(const char* dir);
 
+u64 _fsize(const char *filename);
+
+#ifndef _WIN32
+extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence);
+#endif
+
 #ifdef __cplusplus
 }
 #endif

From c2b89979c9bca7dad7db55a659893c635ea1f009 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 20 Nov 2015 15:07:58 +0800
Subject: [PATCH 128/317] [makerom] Fixes issue #11

---
 makerom/polarssl/aes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/polarssl/aes.c b/makerom/polarssl/aes.c
index 8d8ebb63..7c1f0fd1 100644
--- a/makerom/polarssl/aes.c
+++ b/makerom/polarssl/aes.c
@@ -774,7 +774,7 @@ int aes_crypt_ecb( aes_context *ctx,
  */
 int aes_crypt_cbc( aes_context *ctx,
                     int mode,
-                    size_t length,
+                    uint64_t length,
                     unsigned char iv[16],
                     const unsigned char *input,
                     unsigned char *output )

From 40dabc5a4609ed86cffac2ac1b59aaa3602095b2 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 23 Nov 2015 00:32:24 +0800
Subject: [PATCH 129/317] [makerom/ctrool] Implemented ROMFS unicode support.
 (oschar.c)

---
 ctrtool/ctrtool.vcxproj         |   2 +
 ctrtool/ctrtool.vcxproj.filters |   6 +
 ctrtool/main.c                  |   2 +-
 ctrtool/oschar.c                | 204 ++++++++++++
 ctrtool/oschar.h                |  97 ++++++
 ctrtool/romfs.c                 |  80 +++--
 ctrtool/romfs.h                 |   9 +-
 ctrtool/utils.c                 |   4 +-
 makerom/makerom.vcxproj         |   6 +-
 makerom/makerom.vcxproj.filters |  12 +-
 makerom/ncsd.c                  |   3 +-
 makerom/oschar.c                | 204 ++++++++++++
 makerom/oschar.h                |  97 ++++++
 makerom/romfs_fs.c              | 146 ++-------
 makerom/romfs_fs.h              |  51 +--
 makerom/romfs_gen.c             |  23 +-
 makerom/romfs_gen.h             |   1 +
 makerom/types.h                 |   2 +-
 makerom/utf.c                   | 563 --------------------------------
 makerom/utf.h                   | 149 ---------
 makerom/utils.c                 | 102 +-----
 makerom/utils.h                 |  13 -
 22 files changed, 725 insertions(+), 1051 deletions(-)
 create mode 100644 ctrtool/oschar.c
 create mode 100644 ctrtool/oschar.h
 create mode 100644 makerom/oschar.c
 create mode 100644 makerom/oschar.h
 delete mode 100644 makerom/utf.c
 delete mode 100644 makerom/utf.h

diff --git a/ctrtool/ctrtool.vcxproj b/ctrtool/ctrtool.vcxproj
index 628d52fe..d16bc575 100644
--- a/ctrtool/ctrtool.vcxproj
+++ b/ctrtool/ctrtool.vcxproj
@@ -99,6 +99,7 @@
     <ClCompile Include="exheader.c" />
     <ClCompile Include="filepath.c" />
     <ClCompile Include="firm.c" />
+    <ClCompile Include="oschar.c" />
     <ClCompile Include="windows\getopt.c" />
     <ClCompile Include="windows\getopt1.c" />
     <ClCompile Include="ivfc.c" />
@@ -130,6 +131,7 @@
     <ClInclude Include="exheader.h" />
     <ClInclude Include="filepath.h" />
     <ClInclude Include="firm.h" />
+    <ClInclude Include="oschar.h" />
     <ClInclude Include="windows\getopt.h" />
     <ClInclude Include="info.h" />
     <ClInclude Include="ivfc.h" />
diff --git a/ctrtool/ctrtool.vcxproj.filters b/ctrtool/ctrtool.vcxproj.filters
index c51e94eb..075c29de 100644
--- a/ctrtool/ctrtool.vcxproj.filters
+++ b/ctrtool/ctrtool.vcxproj.filters
@@ -114,6 +114,9 @@
     <ClCompile Include="tinyxml\tinyxmlparser.cpp">
       <Filter>Source Files\tinyxml</Filter>
     </ClCompile>
+    <ClCompile Include="oschar.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="cia.h">
@@ -203,5 +206,8 @@
     <ClInclude Include="tinyxml\tinyxml.h">
       <Filter>Header Files\tinyxml</Filter>
     </ClInclude>
+    <ClInclude Include="oschar.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/ctrtool/main.c b/ctrtool/main.c
index c5ef33cf..25b688d5 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -102,7 +102,7 @@ int main(int argc, char* argv[])
 	char keysetfname[512] = "keys.xml";
 	keyset tmpkeys;
 	unsigned int checkkeysetfile = 0;
-	
+
 	memset(&ctx, 0, sizeof(toolcontext));
 	ctx.actions = InfoFlag | ExtractFlag;
 	ctx.filetype = FILETYPE_UNKNOWN;
diff --git a/ctrtool/oschar.c b/ctrtool/oschar.c
new file mode 100644
index 00000000..1ef05ddb
--- /dev/null
+++ b/ctrtool/oschar.c
@@ -0,0 +1,204 @@
+#include <stdlib.h>
+#ifndef _WIN32
+#include <iconv.h>
+#endif
+#include "oschar.h"
+
+int os_fstat(const oschar_t *path)
+{
+	struct _osstat st;
+	return os_stat(path, &st);
+}
+
+uint64_t os_fsize(const oschar_t *path)
+{
+	struct _osstat st;
+	if (os_stat(path, &st) != 0)
+		return 0;
+	else
+		return st.st_size;
+}
+
+int os_makedir(const oschar_t *dir)
+{
+#ifdef _WIN32
+	return _wmkdir(dir);
+#else
+	return mkdir(dir, 0777);
+#endif
+}
+
+uint32_t utf16_strlen(const utf16char_t *str)
+{
+	uint32_t i;
+	for (i = 0; str[i] != 0x0; i++);
+	return i;
+}
+
+void utf16_fputs(const utf16char_t *str, FILE *out)
+{
+	oschar_t *_str = os_CopyConvertUTF16Str(str);
+	os_fputs(_str, out);
+	free(_str);
+}
+
+char* strcopy_8to8(const char *src)
+{
+	uint32_t src_len;
+	char *dst;
+
+	if (!src)
+		return NULL;
+
+	src_len = strlen(src);
+
+	// Allocate memory for expanded string
+	dst = calloc(src_len + 1, sizeof(char));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	strncpy(dst, src, src_len);
+
+	return dst;
+}
+
+utf16char_t* strcopy_8to16(const char *src)
+{
+	uint32_t src_len, i;
+	utf16char_t *dst;
+
+	if (!src)
+		return NULL;
+
+	src_len = strlen(src);
+
+	// Allocate memory for expanded string
+	dst = calloc(src_len + 1, sizeof(utf16char_t));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	for (i = 0; i < src_len; i++)
+		dst[i] = src[i];
+
+	return dst;
+}
+
+
+utf16char_t* strcopy_16to16(const utf16char_t *src)
+{
+	uint32_t src_len, i;
+	utf16char_t *dst;
+
+	if (!src)
+		return NULL;
+
+	src_len = utf16_strlen(src);
+
+	// Allocate memory for expanded string
+	dst = calloc(src_len + 1, sizeof(utf16char_t));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	for (i = 0; i < src_len; i++)
+		dst[i] = src[i];
+
+	return dst;
+}
+
+#ifndef _WIN32
+utf16char_t* strcopy_UTF8toUTF16(const char *src)
+{
+	uint32_t src_len, dst_len;
+	size_t in_bytes, out_bytes;
+	utf16char_t *dst;
+	char *in, *out;
+
+	if (!src)
+		return NULL;
+
+	src_len = strlen(src);
+	dst_len = src_len + 1;
+
+	// Allocate memory for string
+	dst = calloc(dst_len, sizeof(utf16char_t));
+	if (!dst)
+		return NULL;
+
+	in = (char*)src;
+	out = (char*)dst;
+	in_bytes = src_len*sizeof(char);
+	out_bytes = dst_len*sizeof(utf16char_t);
+
+	iconv_t cd = iconv_open("UTF-16LE", "UTF-8");
+	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	return dst;
+}
+
+char* strcopy_UTF16toUTF8(const utf16char_t *src)
+{
+	uint32_t src_len, dst_len;
+	size_t in_bytes, out_bytes;
+	char *dst;
+	char *in, *out;
+
+	if (!src)
+		return NULL;
+
+	src_len = utf16_strlen(src);
+	dst_len = src_len * 2;
+
+	// Allocate memory for string
+	dst = calloc(dst_len, sizeof(char)); // twice the size, as UTF-8 will use up to two bytes for converted UTF16 chars afaik
+	if (!dst)
+		return NULL;
+
+	in = (char*)src;
+	out = (char*)dst;
+	in_bytes = src_len*sizeof(uint16_t);
+	out_bytes = dst_len*sizeof(char);
+
+	iconv_t cd = iconv_open("UTF-8", "UTF-16LE");
+	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	return dst;
+}
+#endif
+
+oschar_t* os_AppendToPath(const oschar_t *src, const oschar_t *add)
+{
+	uint32_t len;
+	oschar_t *new_path;
+
+	len = os_strlen(src) + os_strlen(add) + 0x10;
+	new_path = calloc(len, sizeof(oschar_t));
+
+#ifdef _WIN32
+	_snwprintf(new_path, len, L"%s%c%s", src, OS_PATH_SEPARATOR, add);
+#else
+	snprintf(new_path, len, "%s%c%s", src, OS_PATH_SEPARATOR, add);
+#endif
+
+	return new_path;
+}
+
+oschar_t* os_AppendUTF16StrToPath(const oschar_t *src, const utf16char_t *add)
+{
+	uint32_t len;
+	oschar_t *new_path, *_add;
+
+	_add = os_CopyConvertUTF16Str(add);
+
+	len = os_strlen(src) + os_strlen(_add) + 0x10;
+	new_path = calloc(len, sizeof(oschar_t));
+
+#ifdef _WIN32
+	_snwprintf(new_path, len, L"%s%c%s", src, OS_PATH_SEPARATOR, _add);
+#else
+	snprintf(new_path, len, "%s%c%s", src, OS_PATH_SEPARATOR, _add);
+#endif
+
+	free(_add);
+	return new_path;
+}
\ No newline at end of file
diff --git a/ctrtool/oschar.h b/ctrtool/oschar.h
new file mode 100644
index 00000000..570a6ca6
--- /dev/null
+++ b/ctrtool/oschar.h
@@ -0,0 +1,97 @@
+#pragma once
+#include <stdio.h>
+#include <string.h>
+#include <inttypes.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#ifdef _WIN32
+#include <direct.h>
+#include <wchar.h>
+#endif
+
+// Nintendo uses UTF16-LE chars for extended ASCII support
+typedef uint16_t utf16char_t;
+
+// Native OS char type for unicode support
+#ifdef _WIN32
+typedef wchar_t oschar_t; // UTF16-LE
+#else
+typedef char oschar_t; // UTF8
+#endif
+
+					   // Simple redirect macros for functions and types
+#ifdef _WIN32
+#define os_strlen wcslen
+#define os_strcmp wcscmp
+#define os_fputs fputws
+
+#define os_CopyStr strcopy_16to16
+#define os_CopyConvertCharStr strcopy_8to16
+#define os_CopyConvertUTF16Str strcopy_16to16
+#define utf16_CopyStr strcopy_16to16
+#define utf16_CopyConvertOsStr strcopy_16to16
+
+#define _osdirent _wdirent
+#define _OSDIR _WDIR
+#define os_readdir _wreaddir
+#define os_opendir _wopendir
+#define os_closedir _wclosedir
+#define os_chdir _wchdir
+
+#define _osstat _stat64
+#define os_stat _wstat64
+
+#define os_fopen _wfopen
+#define OS_MODE_READ L"rb"
+#define OS_MODE_WRITE L"wb"
+#define OS_MODE_EDIT L"rb+"
+#define OS_PATH_SEPARATOR '\\'
+#else
+#define os_strlen strlen
+#define os_strcmp strcmp
+#define os_fputs fputs
+
+#define os_CopyStr strcopy_8to8
+#define os_CopyConvertUTF16Str strcopy_UTF16toUTF8
+#define os_CopyConvertCharStr strcopy_8to8
+#define utf16_CopyStr strcopy_16to16
+#define utf16_CopyConvertOsStr strcopy_UTF8toUTF16
+
+#define _osdirent dirent
+#define _OSDIR DIR
+#define os_readdir readdir
+#define os_opendir opendir
+#define os_closedir closedir
+#define os_chdir chdir
+
+#define _osstat stat
+#define os_stat stat
+
+#define os_fopen fopen
+#define OS_MODE_READ "rb"
+#define OS_MODE_WRITE "wb"
+#define OS_MODE_EDIT "rb+"
+#define OS_PATH_SEPARATOR '/'
+#endif
+
+/* File related */
+int os_fstat(const oschar_t* path);
+uint64_t os_fsize(const oschar_t* path);
+int os_makedir(const oschar_t *dir);
+
+/* UTF16 String property functions */
+uint32_t utf16_strlen(const utf16char_t* str);
+void utf16_fputs(const utf16char_t *str, FILE *out);
+
+/* String Copy and Conversion */
+char* strcopy_8to8(const char *src);
+utf16char_t* strcopy_8to16(const char *src);
+utf16char_t* strcopy_16to16(const utf16char_t *src);
+#ifndef _WIN32
+utf16char_t* strcopy_UTF8toUTF16(const char *src);
+char* strcopy_UTF16toUTF8(const utf16char_t *src);
+#endif
+
+/* String Append and Create */
+oschar_t* os_AppendToPath(const oschar_t *src, const oschar_t *add);
+oschar_t* os_AppendUTF16StrToPath(const oschar_t *src, const utf16char_t *add);
\ No newline at end of file
diff --git a/ctrtool/romfs.c b/ctrtool/romfs.c
index df95fdc5..3ff49df3 100644
--- a/ctrtool/romfs.c
+++ b/ctrtool/romfs.c
@@ -96,8 +96,13 @@ void romfs_process(romfs_context* ctx, u32 actions)
 	if (actions & InfoFlag)
 		romfs_print(ctx);
 
-	romfs_visit_dir(ctx, 0, 0, actions, settings_get_romfs_dir_path(ctx->usersettings));
+	if (settings_get_romfs_dir_path(ctx->usersettings)->valid)
+		ctx->extractdir = os_CopyConvertCharStr(settings_get_romfs_dir_path(ctx->usersettings)->pathname);
+	else
+		ctx->extractdir = NULL;
 
+	romfs_visit_dir(ctx, 0, 0, actions, ctx->extractdir);
+	free(ctx->extractdir);
 }
 
 int romfs_dirblock_read(romfs_context* ctx, u32 diroffset, u32 dirsize, void* buffer)
@@ -171,12 +176,12 @@ int romfs_fileblock_readentry(romfs_context* ctx, u32 fileoffset, romfs_fileentr
 
 
 
-void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions, filepath* rootpath)
+void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions, const oschar_t* rootpath)
 {
 	u32 siblingoffset;
 	u32 childoffset;
 	u32 fileoffset;
-	filepath currentpath;
+	oschar_t* currentpath;
 	romfs_direntry* entry = &ctx->direntry;
 
 
@@ -190,32 +195,39 @@ void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions,
 //	fwprintf(stdout, L"%ls\n", entry->name);
 
 
-	if (rootpath && rootpath->valid)
+	if (rootpath && os_strlen(rootpath))
 	{
-		filepath_copy(&currentpath, rootpath);
-		filepath_append_utf16(&currentpath, entry->name);
-		if (currentpath.valid)
+		if (utf16_strlen((const utf16char_t*)entry->name) > 0)
+			currentpath = os_AppendUTF16StrToPath(rootpath, (const utf16char_t*)entry->name);
+		else // root dir, use the provided extract path instead of the empty root name.
+			currentpath = os_CopyStr(rootpath);
+
+		if (currentpath)
 		{
-			makedir(currentpath.pathname);
+			os_makedir(currentpath);
 		}
 		else
 		{
-			fprintf(stderr, "Error creating directory in root %s\n", rootpath->pathname);
+			fputs("Error creating directory in root ", stderr);
+			os_fputs(rootpath, stderr);
+			fputs("\n", stderr);
 			return;
 		}
 	}
 	else
 	{
-		filepath_init(&currentpath);
-
+		currentpath = os_CopyConvertUTF16Str((const utf16char_t*)entry->name);
 		if (settings_get_list_romfs_files(ctx->usersettings))
 		{
 			u32 i;
 
 			for(i=0; i<depth; i++)
 				printf(" ");
-			fwprintf(stdout, L"%ls\n", entry->name);
+			os_fputs(currentpath, stdout);
+			fputs("\n", stdout);
 		}
+		free(currentpath);
+		currentpath = NULL;
 	}
 	
 
@@ -224,20 +236,22 @@ void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions,
 	fileoffset = getle32(entry->fileoffset);
 
 	if (fileoffset != (~0))
-		romfs_visit_file(ctx, fileoffset, depth+1, actions, &currentpath);
+		romfs_visit_file(ctx, fileoffset, depth+1, actions, currentpath);
 
 	if (childoffset != (~0))
-		romfs_visit_dir(ctx, childoffset, depth+1, actions, &currentpath);
+		romfs_visit_dir(ctx, childoffset, depth+1, actions, currentpath);
 
 	if (siblingoffset != (~0))
 		romfs_visit_dir(ctx, siblingoffset, depth, actions, rootpath);
+
+	free(currentpath);
 }
 
 
-void romfs_visit_file(romfs_context* ctx, u32 fileoffset, u32 depth, u32 actions, filepath* rootpath)
+void romfs_visit_file(romfs_context* ctx, u32 fileoffset, u32 depth, u32 actions, const oschar_t* rootpath)
 {
 	u32 siblingoffset = 0;
-	filepath currentpath;
+	oschar_t* currentpath = NULL;
 	romfs_fileentry* entry = &ctx->fileentry;
 
 
@@ -250,55 +264,63 @@ void romfs_visit_file(romfs_context* ctx, u32 fileoffset, u32 depth, u32 actions
 //			getle64(entry->datasize), getle32(entry->unknown));
 //	fwprintf(stdout, L"%ls\n", entry->name);
 
-	if (rootpath && rootpath->valid)
+	if (rootpath && os_strlen(rootpath))
 	{
-		filepath_copy(&currentpath, rootpath);
-		filepath_append_utf16(&currentpath, entry->name);
-		if (currentpath.valid)
+		currentpath = os_AppendUTF16StrToPath(rootpath, (const utf16char_t*)entry->name);
+		if (currentpath)
 		{
-			fprintf(stdout, "Saving %s...\n", currentpath.pathname);
-			romfs_extract_datafile(ctx, getle64(entry->dataoffset), getle64(entry->datasize), &currentpath);
+			fputs("Saving ", stdout);
+			os_fputs(currentpath, stdout);
+			fputs("...\n", stdout);
+			romfs_extract_datafile(ctx, getle64(entry->dataoffset), getle64(entry->datasize), currentpath);
 		}
 		else
 		{
-			fprintf(stderr, "Error creating directory in root %s\n", rootpath->pathname);
+			fputs("Error creating file in root ", stderr);
+			os_fputs(rootpath, stderr);
+			fputs("\n", stderr);
 			return;
 		}
 	}
 	else
 	{
-		filepath_init(&currentpath);
+		currentpath = os_CopyConvertUTF16Str((const utf16char_t*)entry->name);
 		if (settings_get_list_romfs_files(ctx->usersettings))
 		{
 			u32 i;
 
 			for(i=0; i<depth; i++)
 				printf(" ");
-			fwprintf(stdout, L"%ls\n", entry->name);
+			os_fputs(currentpath, stdout);
+			fputs("\n", stdout);
 		}
+		free(currentpath);
+		currentpath = NULL;
 	}
 
 	siblingoffset = getle32(entry->siblingoffset);
 
 	if (siblingoffset != (~0))
 		romfs_visit_file(ctx, siblingoffset, depth, actions, rootpath);
+
+	free(currentpath);
 }
 
-void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, filepath* path)
+void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, const oschar_t* path)
 {
 	FILE* outfile = 0;
 	u32 max;
 	u8 buffer[4096];
 
 
-	if (path == 0 || path->valid == 0)
+	if (path == NULL || os_strlen(path) == 0)
 		goto clean;
 
 	offset += ctx->datablockoffset;
 
 	fseeko64(ctx->file, offset, SEEK_SET);
-	outfile = fopen(path->pathname, "wb");
-	if (outfile == 0)
+	outfile = os_fopen(path, OS_MODE_WRITE);
+	if (outfile == NULL)
 	{
 		fprintf(stderr, "Error opening file for writing\n");
 		goto clean;
diff --git a/ctrtool/romfs.h b/ctrtool/romfs.h
index fa84bdfe..c560ab4b 100644
--- a/ctrtool/romfs.h
+++ b/ctrtool/romfs.h
@@ -4,7 +4,7 @@
 #include "types.h"
 #include "info.h"
 #include "ctr.h"
-#include "filepath.h"
+#include "oschar.h"
 #include "settings.h"
 #include "ivfc.h"
 
@@ -55,6 +55,7 @@ typedef struct
 typedef struct
 {
 	FILE* file;
+	oschar_t* extractdir;
 	settings* usersettings;
 	u64 offset;
 	u64 size;
@@ -81,9 +82,9 @@ int  romfs_dirblock_read(romfs_context* ctx, u32 diroffset, u32 dirsize, void* b
 int  romfs_dirblock_readentry(romfs_context* ctx, u32 diroffset, romfs_direntry* entry);
 int  romfs_fileblock_read(romfs_context* ctx, u32 fileoffset, u32 filesize, void* buffer);
 int  romfs_fileblock_readentry(romfs_context* ctx, u32 fileoffset, romfs_fileentry* entry);
-void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions, filepath* rootpath);
-void romfs_visit_file(romfs_context* ctx, u32 fileoffset, u32 depth, u32 actions, filepath* rootpath);
-void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, filepath* path);
+void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions, const oschar_t* rootpath);
+void romfs_visit_file(romfs_context* ctx, u32 fileoffset, u32 depth, u32 actions, const oschar_t* rootpath);
+void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, const oschar_t* path);
 void romfs_process(romfs_context* ctx, u32 actions);
 void romfs_print(romfs_context* ctx);
 
diff --git a/ctrtool/utils.c b/ctrtool/utils.c
index c0435866..bda20d93 100644
--- a/ctrtool/utils.c
+++ b/ctrtool/utils.c
@@ -1,6 +1,8 @@
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
+#include <strings.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include "utils.h"
@@ -202,4 +204,4 @@ u64 _fsize(const char *filename)
 	else
 		return st.st_size;
 #endif
-}
+}
\ No newline at end of file
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index 7ec49cdc..896eb095 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -67,7 +67,7 @@
     <NMakeCleanCommandLine>make clean</NMakeCleanCommandLine>
     <NMakeReBuildCommandLine>make rebuild</NMakeReBuildCommandLine>
     <NMakePreprocessorDefinitions>WIN32;_DEBUG;$(NMakePreprocessorDefinitions)</NMakePreprocessorDefinitions>
-    <IncludePath>C:\Program Files\mingw-w64\x86_64-5.2.0-win32-seh-rt_v4-rev0\mingw64\x86_64-w64-mingw32\include;$(IncludePath)</IncludePath>
+    <IncludePath>C:\Program Files\mingw-w64\x86_64-4.9.2-win32-seh-rt_v4-rev2\mingw64\x86_64-w64-mingw32\include</IncludePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <NMakeBuildCommandLine>make</NMakeBuildCommandLine>
@@ -104,6 +104,7 @@
     <ClInclude Include="desc\dev_sigdata.h" />
     <ClInclude Include="desc\presets.h" />
     <ClInclude Include="desc\prod_sigdata.h" />
+    <ClInclude Include="oschar.h" />
     <ClInclude Include="romfs_fs.h" />
     <ClInclude Include="elf.h" />
     <ClInclude Include="exefs.h" />
@@ -188,7 +189,6 @@
     <ClInclude Include="tmd_read.h" />
     <ClInclude Include="types.h" />
     <ClInclude Include="user_settings.h" />
-    <ClInclude Include="utf.h" />
     <ClInclude Include="utils.h" />
     <ClInclude Include="yaml_parser.h" />
   </ItemGroup>
@@ -201,6 +201,7 @@
     <ClCompile Include="code.c" />
     <ClCompile Include="crypto.c" />
     <ClCompile Include="ctr_utils.c" />
+    <ClCompile Include="oschar.c" />
     <ClCompile Include="polarssl\aes.c" />
     <ClCompile Include="polarssl\padlock.c" />
     <ClCompile Include="romfs_fs.c" />
@@ -236,7 +237,6 @@
     <ClCompile Include="titleid.c" />
     <ClCompile Include="tmd.c" />
     <ClCompile Include="user_settings.c" />
-    <ClCompile Include="utf.c" />
     <ClCompile Include="utils.c" />
     <ClCompile Include="yaml_parser.c" />
   </ItemGroup>
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index 6603f558..bcb59c1f 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -156,9 +156,6 @@
     <ClInclude Include="user_settings.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="utf.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="utils.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -339,6 +336,9 @@
     <ClInclude Include="romfs_fs.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="oschar.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="accessdesc.c">
@@ -407,9 +407,6 @@
     <ClCompile Include="user_settings.c">
       <Filter>Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="utf.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
     <ClCompile Include="utils.c">
       <Filter>Source Files</Filter>
     </ClCompile>
@@ -479,6 +476,9 @@
     <ClCompile Include="polarssl\padlock.c">
       <Filter>Source Files\polarssl</Filter>
     </ClCompile>
+    <ClCompile Include="oschar.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="Makefile">
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 29e4f76e..ba2a23bb 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -153,7 +153,7 @@ int ImportNcchForCci(cci_settings *set)
 
 bool CanCiaBeCci(u64 titleId, u16 count, tmd_content_chunk *content)
 {
-	if(GetTidCategory(titleId) != PROGRAM_ID_CATEGORY_APPLICATION && GetTidCategory(titleId) != PROGRAM_ID_CATEGORY_SYSTEM_APPLICATION)
+	if(GetTidCategory(titleId) != PROGRAM_ID_CATEGORY_APPLICATION)
 		return false;
 		
 	if(count > CCI_MAX_CONTENT)
@@ -222,6 +222,7 @@ int ProcessCiaForCci(cci_settings *set)
 	return 0;
 }
 
+/* This need to be more automagical */
 void GetTitleSaveSize(cci_settings *set)
 {
 	if(set->rsf->SystemControlInfo.SaveDataSize)
diff --git a/makerom/oschar.c b/makerom/oschar.c
new file mode 100644
index 00000000..1ef05ddb
--- /dev/null
+++ b/makerom/oschar.c
@@ -0,0 +1,204 @@
+#include <stdlib.h>
+#ifndef _WIN32
+#include <iconv.h>
+#endif
+#include "oschar.h"
+
+int os_fstat(const oschar_t *path)
+{
+	struct _osstat st;
+	return os_stat(path, &st);
+}
+
+uint64_t os_fsize(const oschar_t *path)
+{
+	struct _osstat st;
+	if (os_stat(path, &st) != 0)
+		return 0;
+	else
+		return st.st_size;
+}
+
+int os_makedir(const oschar_t *dir)
+{
+#ifdef _WIN32
+	return _wmkdir(dir);
+#else
+	return mkdir(dir, 0777);
+#endif
+}
+
+uint32_t utf16_strlen(const utf16char_t *str)
+{
+	uint32_t i;
+	for (i = 0; str[i] != 0x0; i++);
+	return i;
+}
+
+void utf16_fputs(const utf16char_t *str, FILE *out)
+{
+	oschar_t *_str = os_CopyConvertUTF16Str(str);
+	os_fputs(_str, out);
+	free(_str);
+}
+
+char* strcopy_8to8(const char *src)
+{
+	uint32_t src_len;
+	char *dst;
+
+	if (!src)
+		return NULL;
+
+	src_len = strlen(src);
+
+	// Allocate memory for expanded string
+	dst = calloc(src_len + 1, sizeof(char));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	strncpy(dst, src, src_len);
+
+	return dst;
+}
+
+utf16char_t* strcopy_8to16(const char *src)
+{
+	uint32_t src_len, i;
+	utf16char_t *dst;
+
+	if (!src)
+		return NULL;
+
+	src_len = strlen(src);
+
+	// Allocate memory for expanded string
+	dst = calloc(src_len + 1, sizeof(utf16char_t));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	for (i = 0; i < src_len; i++)
+		dst[i] = src[i];
+
+	return dst;
+}
+
+
+utf16char_t* strcopy_16to16(const utf16char_t *src)
+{
+	uint32_t src_len, i;
+	utf16char_t *dst;
+
+	if (!src)
+		return NULL;
+
+	src_len = utf16_strlen(src);
+
+	// Allocate memory for expanded string
+	dst = calloc(src_len + 1, sizeof(utf16char_t));
+	if (!dst)
+		return NULL;
+
+	// Copy elements from src into dst
+	for (i = 0; i < src_len; i++)
+		dst[i] = src[i];
+
+	return dst;
+}
+
+#ifndef _WIN32
+utf16char_t* strcopy_UTF8toUTF16(const char *src)
+{
+	uint32_t src_len, dst_len;
+	size_t in_bytes, out_bytes;
+	utf16char_t *dst;
+	char *in, *out;
+
+	if (!src)
+		return NULL;
+
+	src_len = strlen(src);
+	dst_len = src_len + 1;
+
+	// Allocate memory for string
+	dst = calloc(dst_len, sizeof(utf16char_t));
+	if (!dst)
+		return NULL;
+
+	in = (char*)src;
+	out = (char*)dst;
+	in_bytes = src_len*sizeof(char);
+	out_bytes = dst_len*sizeof(utf16char_t);
+
+	iconv_t cd = iconv_open("UTF-16LE", "UTF-8");
+	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	return dst;
+}
+
+char* strcopy_UTF16toUTF8(const utf16char_t *src)
+{
+	uint32_t src_len, dst_len;
+	size_t in_bytes, out_bytes;
+	char *dst;
+	char *in, *out;
+
+	if (!src)
+		return NULL;
+
+	src_len = utf16_strlen(src);
+	dst_len = src_len * 2;
+
+	// Allocate memory for string
+	dst = calloc(dst_len, sizeof(char)); // twice the size, as UTF-8 will use up to two bytes for converted UTF16 chars afaik
+	if (!dst)
+		return NULL;
+
+	in = (char*)src;
+	out = (char*)dst;
+	in_bytes = src_len*sizeof(uint16_t);
+	out_bytes = dst_len*sizeof(char);
+
+	iconv_t cd = iconv_open("UTF-8", "UTF-16LE");
+	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	return dst;
+}
+#endif
+
+oschar_t* os_AppendToPath(const oschar_t *src, const oschar_t *add)
+{
+	uint32_t len;
+	oschar_t *new_path;
+
+	len = os_strlen(src) + os_strlen(add) + 0x10;
+	new_path = calloc(len, sizeof(oschar_t));
+
+#ifdef _WIN32
+	_snwprintf(new_path, len, L"%s%c%s", src, OS_PATH_SEPARATOR, add);
+#else
+	snprintf(new_path, len, "%s%c%s", src, OS_PATH_SEPARATOR, add);
+#endif
+
+	return new_path;
+}
+
+oschar_t* os_AppendUTF16StrToPath(const oschar_t *src, const utf16char_t *add)
+{
+	uint32_t len;
+	oschar_t *new_path, *_add;
+
+	_add = os_CopyConvertUTF16Str(add);
+
+	len = os_strlen(src) + os_strlen(_add) + 0x10;
+	new_path = calloc(len, sizeof(oschar_t));
+
+#ifdef _WIN32
+	_snwprintf(new_path, len, L"%s%c%s", src, OS_PATH_SEPARATOR, _add);
+#else
+	snprintf(new_path, len, "%s%c%s", src, OS_PATH_SEPARATOR, _add);
+#endif
+
+	free(_add);
+	return new_path;
+}
\ No newline at end of file
diff --git a/makerom/oschar.h b/makerom/oschar.h
new file mode 100644
index 00000000..570a6ca6
--- /dev/null
+++ b/makerom/oschar.h
@@ -0,0 +1,97 @@
+#pragma once
+#include <stdio.h>
+#include <string.h>
+#include <inttypes.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#ifdef _WIN32
+#include <direct.h>
+#include <wchar.h>
+#endif
+
+// Nintendo uses UTF16-LE chars for extended ASCII support
+typedef uint16_t utf16char_t;
+
+// Native OS char type for unicode support
+#ifdef _WIN32
+typedef wchar_t oschar_t; // UTF16-LE
+#else
+typedef char oschar_t; // UTF8
+#endif
+
+					   // Simple redirect macros for functions and types
+#ifdef _WIN32
+#define os_strlen wcslen
+#define os_strcmp wcscmp
+#define os_fputs fputws
+
+#define os_CopyStr strcopy_16to16
+#define os_CopyConvertCharStr strcopy_8to16
+#define os_CopyConvertUTF16Str strcopy_16to16
+#define utf16_CopyStr strcopy_16to16
+#define utf16_CopyConvertOsStr strcopy_16to16
+
+#define _osdirent _wdirent
+#define _OSDIR _WDIR
+#define os_readdir _wreaddir
+#define os_opendir _wopendir
+#define os_closedir _wclosedir
+#define os_chdir _wchdir
+
+#define _osstat _stat64
+#define os_stat _wstat64
+
+#define os_fopen _wfopen
+#define OS_MODE_READ L"rb"
+#define OS_MODE_WRITE L"wb"
+#define OS_MODE_EDIT L"rb+"
+#define OS_PATH_SEPARATOR '\\'
+#else
+#define os_strlen strlen
+#define os_strcmp strcmp
+#define os_fputs fputs
+
+#define os_CopyStr strcopy_8to8
+#define os_CopyConvertUTF16Str strcopy_UTF16toUTF8
+#define os_CopyConvertCharStr strcopy_8to8
+#define utf16_CopyStr strcopy_16to16
+#define utf16_CopyConvertOsStr strcopy_UTF8toUTF16
+
+#define _osdirent dirent
+#define _OSDIR DIR
+#define os_readdir readdir
+#define os_opendir opendir
+#define os_closedir closedir
+#define os_chdir chdir
+
+#define _osstat stat
+#define os_stat stat
+
+#define os_fopen fopen
+#define OS_MODE_READ "rb"
+#define OS_MODE_WRITE "wb"
+#define OS_MODE_EDIT "rb+"
+#define OS_PATH_SEPARATOR '/'
+#endif
+
+/* File related */
+int os_fstat(const oschar_t* path);
+uint64_t os_fsize(const oschar_t* path);
+int os_makedir(const oschar_t *dir);
+
+/* UTF16 String property functions */
+uint32_t utf16_strlen(const utf16char_t* str);
+void utf16_fputs(const utf16char_t *str, FILE *out);
+
+/* String Copy and Conversion */
+char* strcopy_8to8(const char *src);
+utf16char_t* strcopy_8to16(const char *src);
+utf16char_t* strcopy_16to16(const utf16char_t *src);
+#ifndef _WIN32
+utf16char_t* strcopy_UTF8toUTF16(const char *src);
+char* strcopy_UTF16toUTF8(const utf16char_t *src);
+#endif
+
+/* String Append and Create */
+oschar_t* os_AppendToPath(const oschar_t *src, const oschar_t *add);
+oschar_t* os_AppendUTF16StrToPath(const oschar_t *src, const utf16char_t *add);
\ No newline at end of file
diff --git a/makerom/romfs_fs.c b/makerom/romfs_fs.c
index 4c092652..19c121a1 100644
--- a/makerom/romfs_fs.c
+++ b/makerom/romfs_fs.c
@@ -1,6 +1,5 @@
 #include "lib.h"
 #include "romfs_fs.h"
-#include "utf.h"
 
 /* This is the FS interface for ROMFS generation */
 /* Tested working on Windows/Linux/OSX */
@@ -8,109 +7,6 @@ int PopulateDir(romfs_dir *dir);
 int InitDir(romfs_dir *dir);
 int ManageDir(romfs_dir *dir);
 
-u32 fs_strlen(const fs_char *str)
-{
-#ifdef _WIN32
-	return strlen_char16(str);
-#else
-	return strlen(str);
-#endif
-}
-
-u32 romfs_strlen(const romfs_char *str)
-{
-	return strlen_char16(str);
-}
-
-int fs_strcmp(const fs_char *str1, const fs_char *str2)
-{
-#ifdef _WIN32
-	return wcscmp(str1, str2);
-#else
-	return strcmp(str1, str2);
-#endif
-}
-
-
-FILE* fs_fopen(fs_char *path)
-{
-#ifdef _WIN32
-	return _wfopen(path, L"rb");
-#else
-	return fopen(path, "rb");
-#endif
-}
-
-u64 fs_fsize(fs_char *path)
-{
-#ifdef _WIN32
-	return wGetFileSize64(path);
-#else
-	return GetFileSize64(path);
-#endif
-}
-
-fs_char* fs_AppendToPath(const fs_char *src, const fs_char *add)
-{
-	u32 src_len, add_len;
-	fs_char *new_path;
-
-	src_len = fs_strlen(src);
-	add_len = fs_strlen(add);
-	new_path = calloc(src_len + add_len + 0x10, sizeof(fs_char));
-
-#ifdef _WIN32
-	_snwprintf(new_path, src_len + add_len + 0x10, L"%s%c%s", src, FS_PATH_SEPARATOR, add);
-#else
-	snprintf(new_path, src_len + add_len + 0x10, "%s%c%s", src, FS_PATH_SEPARATOR, add);
-#endif
-
-	return new_path;
-}
-
-fs_char* fs_CopyStr(const fs_char *src)
-{
-#ifdef _WIN32
-	return strcopy_16to16(src);
-#else
-	return strcopy_8to8(src);
-#endif
-}
-
-romfs_char* romfs_CopyConvertStr(const fs_char *src)
-{
-#ifdef _WIN32
-	return strcopy_16to16(src);
-#else
-	return strcopy_utf8to16(src);
-#endif
-}
-
-
-romfs_char* romfs_CopyStr(const romfs_char *src)
-{
-	return strcopy_16to16(src);
-}
-
-void fs_fputs(const fs_char *str, FILE *out)
-{
-#ifdef _WIN32
-	fwprintf(out,L"%s", str);
-#else
-	fprintf(out,"%s", str);
-#endif
-}
-
-void romfs_fputs(const romfs_char *str, FILE *out)
-{
-#ifdef _WIN32
-	fwprintf(out,L"%s", str);
-#else
-	const char *name = (const char*)str;
-	for (u32 i = 0; i < romfs_strlen(str)*2; i += 2)
-		fputc(name[i],out);
-#endif
-}
 
 int InitDir(romfs_dir *dir)
 {
@@ -148,13 +44,9 @@ int ManageDir(romfs_dir *dir)
 int OpenRootDir(const char *path, romfs_dir *dir)
 {
 	// Create native FS path
-#ifdef _WIN32
-	dir->path = strcopy_8to16(path);
-#else
-	dir->path = strcopy_8to8(path);
-#endif
+	dir->path = os_CopyConvertCharStr(path);
 	// Copy romfs name (empty string)
-	dir->name = romfs_CopyStr(ROMFS_EMPTY_PATH);
+	dir->name = utf16_CopyStr(ROMFS_EMPTY_PATH);
 	dir->namesize = 0;
 	
 	return PopulateDir(dir);
@@ -162,26 +54,26 @@ int OpenRootDir(const char *path, romfs_dir *dir)
 
 int PopulateDir(romfs_dir *dir)
 {
-	fs_DIR *dp, *tmp_dp;
-	struct fs_dirent *entry;
+	_OSDIR *dp, *tmp_dp;
+	struct _osdirent *entry;
 
 	if (InitDir(dir))
 		return MEM_ERROR;
 
 	// Open Directory
-	if((dp = fs_opendir(dir->path)) == NULL)
+	if((dp = os_opendir(dir->path)) == NULL)
 	{
 		printf("[ROMFS] Failed to open directory: \"");
-		fs_fputs(dir->path, stdout);
+		os_fputs(dir->path, stdout);
 		printf("\"\n");
 		return -1;
 	}
 	
 	// Process Entries
-	while ((entry = fs_readdir(dp)) != NULL)
+	while ((entry = os_readdir(dp)) != NULL)
 	{
 		// Skip if "." or ".."
-		if (fs_strcmp(entry->d_name, FS_CURRENT_DIR_PATH) == 0 || fs_strcmp(entry->d_name, FS_PARENT_DIR_PATH) == 0)
+		if (os_strcmp(entry->d_name, OS_CURRENT_DIR_PATH) == 0 || os_strcmp(entry->d_name, OS_PARENT_DIR_PATH) == 0)
 			continue;
 
 		// Ensures that there is always memory for child directory and file structs
@@ -189,15 +81,15 @@ int PopulateDir(romfs_dir *dir)
 			return MEM_ERROR;
 
 		// Get native FS path
-		fs_char *path = fs_AppendToPath(dir->path, entry->d_name);
+		oschar_t *path = os_AppendToPath(dir->path, entry->d_name);
 		
 		// Opening directory with fs path to test if directory
-		if ((tmp_dp = fs_opendir(path)) != NULL) {
-			fs_closedir(tmp_dp);
+		if ((tmp_dp = os_opendir(path)) != NULL) {
+			os_closedir(tmp_dp);
 
 			dir->child[dir->u_child].path = path;
-			dir->child[dir->u_child].name = romfs_CopyConvertStr(entry->d_name);
-			dir->child[dir->u_child].namesize = fs_strlen(entry->d_name)*sizeof(romfs_char);
+			dir->child[dir->u_child].name = utf16_CopyConvertOsStr(entry->d_name);
+			dir->child[dir->u_child].namesize = os_strlen(entry->d_name)*sizeof(utf16char_t);
 			dir->u_child++;
 			
 			// Populate directory
@@ -206,14 +98,14 @@ int PopulateDir(romfs_dir *dir)
 		// Otherwise this is a file
 		else {
 			dir->file[dir->u_file].path = path;
-			dir->file[dir->u_file].name = romfs_CopyConvertStr(entry->d_name);
-			dir->file[dir->u_file].namesize = fs_strlen(entry->d_name)*sizeof(romfs_char);
-			dir->file[dir->u_file].size = fs_fsize(path);
+			dir->file[dir->u_file].name = utf16_CopyConvertOsStr(entry->d_name);
+			dir->file[dir->u_file].namesize = os_strlen(entry->d_name)*sizeof(utf16char_t);
+			dir->file[dir->u_file].size = os_fsize(path);
 			dir->u_file++;
 		}
 	}
 
-	fs_closedir(dp);
+	os_closedir(dp);
 
 	return 0;
 }
@@ -225,7 +117,7 @@ void PrintDir(romfs_dir *dir, u32 depth)
 		printf(" ");
 
 	if (depth > 0)
-		romfs_fputs(dir->name, stdout);
+		utf16_fputs(dir->name, stdout);
 	else
 		printf("romfs:");
 	putchar('\n');
@@ -236,7 +128,7 @@ void PrintDir(romfs_dir *dir, u32 depth)
 		{
 			for(u32 j = 0; j < depth+1; j++)
 				printf(" ");
-			romfs_fputs(dir->file[i].name, stdout);
+			utf16_fputs(dir->file[i].name, stdout);
 			printf(" (0x%"PRIx64")\n", dir->file[i].size);
 		}
 	}
diff --git a/makerom/romfs_fs.h b/makerom/romfs_fs.h
index 0826f21d..cd7704f2 100644
--- a/makerom/romfs_fs.h
+++ b/makerom/romfs_fs.h
@@ -1,39 +1,18 @@
 #pragma once
-
-#ifdef _WIN32
-	#define romfs_char u16
-	#define fs_char wchar_t
-	#define fs_dirent _wdirent
-	#define fs_DIR _WDIR
-	#define fs_readdir _wreaddir
-	#define fs_chdir _wchdir
-	#define fs_opendir _wopendir
-	#define fs_closedir _wclosedir
-	#define FS_PATH_SEPARATOR '\\'
-#else
-	#define romfs_char u16
-	#define fs_char char
-	#define fs_dirent dirent
-	#define fs_DIR DIR
-	#define fs_readdir readdir
-	#define fs_chdir chdir
-	#define fs_opendir opendir
-	#define fs_closedir closedir
-	#define FS_PATH_SEPARATOR '/'
-#endif
+#include "oschar.h"
 
 struct romfs_file
 {
-	fs_char *path;
-	romfs_char *name;
+	oschar_t *path;
+	utf16char_t *name;
 	u32 namesize;
 	u64 size;
 };
 
 struct romfs_dir
 {
-	fs_char *path;
-	romfs_char *name;
+	oschar_t *path;
+	utf16char_t *name;
 	u32 namesize;
 	
 	struct romfs_dir *child;
@@ -48,22 +27,10 @@ struct romfs_dir
 typedef struct romfs_file romfs_file;
 typedef struct romfs_dir romfs_dir;
 
-static const romfs_char ROMFS_EMPTY_PATH[2] = { 0 };
-static const fs_char FS_EMPTY_PATH[2] = { 0 };
-static const fs_char FS_CURRENT_DIR_PATH[2] = { '.' };
-static const fs_char FS_PARENT_DIR_PATH[3] = { '.', '.' };
-
-u32 romfs_strlen(const romfs_char *str);
-u32 fs_strlen(const fs_char *str);
-int fs_strcmp(const fs_char *str1, const fs_char *str2);
-FILE* fs_fopen(fs_char *path);
-u64 fs_fsize(fs_char *path);
-
-fs_char* fs_AppendToPath(const fs_char *src, const fs_char *add);
-fs_char* fs_CopyStr(const fs_char *src);
-romfs_char* romfs_CopyStr(const romfs_char *src);
-void fs_fputs(const fs_char *str, FILE *out);
-void romfs_fputs(const romfs_char *str, FILE *out);
+static const utf16char_t ROMFS_EMPTY_PATH[2] = { 0 };
+static const oschar_t OS_EMPTY_PATH[2] = { 0 };
+static const oschar_t OS_CURRENT_DIR_PATH[2] = { '.' };
+static const oschar_t OS_PARENT_DIR_PATH[3] = { '.', '.' };
 
 int OpenRootDir(const char *path, romfs_dir *dir);
 void PrintDir(romfs_dir *dir, u32 depth);
diff --git a/makerom/romfs_gen.c b/makerom/romfs_gen.c
index 9d8a97e7..30a7d913 100644
--- a/makerom/romfs_gen.c
+++ b/makerom/romfs_gen.c
@@ -19,7 +19,7 @@ void PopulateRomfs(romfs_buildctx *ctx);
 void BuildRomfsHeader(romfs_buildctx *ctx);
 void BuildIvfcHeader(romfs_buildctx *ctx);
 void GenIvfcHashTree(romfs_buildctx *ctx);
-u32 CalcPathHash(u32 parent, const romfs_char* path);
+u32 CalcPathHash(u32 parent, const utf16char_t* path);
 
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
@@ -32,7 +32,6 @@ int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx)
 	/* Import FS and process */
 	OpenRootDir(ncchset->rsfSet->RomFs.RootPath,fs_raw);
 	FilterRomFS(fs_raw,ctx->fs,filter_criteria);
-
 	
 	/* free unfiltered FS */
 	FreeDir(fs_raw);
@@ -186,10 +185,10 @@ int FilterRomFS(romfs_dir *fs_raw, romfs_dir *fs_filtered, void *filter_criteria
 	if(!IsDirWanted(fs_raw,filter_criteria))
 		return 0;
 	
-	fs_filtered->path = fs_CopyStr(fs_raw->path);
+	fs_filtered->path = os_CopyStr(fs_raw->path);
 
 	fs_filtered->namesize = fs_raw->namesize;
-	fs_filtered->name = romfs_CopyStr(fs_raw->name);
+	fs_filtered->name = utf16_CopyStr(fs_raw->name);
 	
 	fs_filtered->u_child = 0;
 	fs_filtered->m_child = fs_raw->u_child;
@@ -212,10 +211,10 @@ int FilterRomFS(romfs_dir *fs_raw, romfs_dir *fs_filtered, void *filter_criteria
 	{
 		if(IsFileWanted(&fs_raw->file[i],filter_criteria))
 		{
-			fs_filtered->file[fs_filtered->u_file].path = fs_CopyStr(fs_raw->file[i].path);
+			fs_filtered->file[fs_filtered->u_file].path = os_CopyStr(fs_raw->file[i].path);
 
 			fs_filtered->file[fs_filtered->u_file].namesize = fs_raw->file[i].namesize;
-			fs_filtered->file[fs_filtered->u_file].name = romfs_CopyStr(fs_raw->file[i].name);
+			fs_filtered->file[fs_filtered->u_file].name = utf16_CopyStr(fs_raw->file[i].name);
 			
 			fs_filtered->file[fs_filtered->u_file].size = fs_raw->file[i].size;
 			
@@ -277,13 +276,13 @@ void BuildRomfsHeader(romfs_buildctx *ctx)
 	}
 }
 
-u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, const romfs_char *path)
+u32 GetFileHashTableIndex(romfs_buildctx *ctx, u32 parent, const utf16char_t *path)
 {
 	u32 hash = CalcPathHash(parent, path);
 	return hash % ctx->m_fileHashTable;
 }
 
-u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, const romfs_char* path)
+u32 GetDirHashTableIndex(romfs_buildctx *ctx, u32 parent, const utf16char_t* path)
 {
 	u32 hash = CalcPathHash(parent, path);
 	return hash % ctx->m_dirHashTable;
@@ -317,11 +316,11 @@ void AddFileToRomfs(romfs_buildctx *ctx, romfs_file *file, u32 parent, u32 sibli
 
 		if (ctx->verbose) {
 			printf("[ROMFS] Reading \"");
-			fs_fputs(file->path, stdout);
+			os_fputs(file->path, stdout);
 			printf("\"... ");
 		}
 
-		FILE *fp = fs_fopen(file->path);
+		FILE *fp = os_fopen(file->path, OS_MODE_READ);
 		fread(data_pos, file->size, 1, fp);
 		fclose(fp);
 
@@ -463,9 +462,9 @@ void GenIvfcHashTree(romfs_buildctx *ctx)
 	return;
 }
 
-u32 CalcPathHash(u32 parent, const romfs_char* path)
+u32 CalcPathHash(u32 parent, const utf16char_t* path)
 {
-	u32 len = romfs_strlen(path);
+	u32 len = utf16_strlen(path);
 	u32 hash = parent ^ 123456789;
 	for( u32 i = 0; i < len; i++ )
 	{
diff --git a/makerom/romfs_gen.h b/makerom/romfs_gen.h
index b3559341..75db968d 100644
--- a/makerom/romfs_gen.h
+++ b/makerom/romfs_gen.h
@@ -1,4 +1,5 @@
 #pragma once
+#include "romfs.h"
 
 int PrepareBuildRomFsBinary(ncch_settings *ncchset, romfs_buildctx *ctx);
 int BuildRomFsBinary(romfs_buildctx *ctx);
diff --git a/makerom/types.h b/makerom/types.h
index 4f8696ff..e9984b5e 100644
--- a/makerom/types.h
+++ b/makerom/types.h
@@ -44,4 +44,4 @@ typedef uint64_t                u64;
 typedef int8_t                  s8;
 typedef int16_t                 s16;
 typedef int32_t                 s32;
-typedef int64_t                 s64;
+typedef int64_t                 s64;
\ No newline at end of file
diff --git a/makerom/utf.c b/makerom/utf.c
deleted file mode 100644
index 6ecadefd..00000000
--- a/makerom/utf.c
+++ /dev/null
@@ -1,563 +0,0 @@
-/*
- * Copyright 2001-2004 Unicode, Inc.
- * 
- * Disclaimer
- * 
- * This source code is provided as is by Unicode, Inc. No claims are
- * made as to fitness for any particular purpose. No warranties of any
- * kind are expressed or implied. The recipient agrees to determine
- * applicability of information provided. If this file has been
- * purchased on magnetic or optical media from Unicode, Inc., the
- * sole remedy for any claim will be exchange of defective media
- * within 90 days of receipt.
- * 
- * Limitations on Rights to Redistribute This Code
- * 
- * Unicode, Inc. hereby grants the right to freely use the information
- * supplied in this file in the creation of products supporting the
- * Unicode Standard, and to make copies of this file in any form
- * for internal or external distribution as long as this notice
- * remains attached.
- */
-
-/* ---------------------------------------------------------------------
-
-    Conversions between UTF32, UTF-16, and UTF-8. Source code file.
-    Author: Mark E. Davis, 1994.
-    Rev History: Rick McGowan, fixes & updates May 2001.
-    Sept 2001: fixed const & error conditions per
-        mods suggested by S. Parent & A. Lillich.
-    June 2002: Tim Dodd added detection and handling of incomplete
-        source sequences, enhanced error detection, added casts
-        to eliminate compiler warnings.
-    July 2003: slight mods to back out aggressive FFFE detection.
-    Jan 2004: updated switches in from-UTF8 conversions.
-    Oct 2004: updated to use UNI_MAX_LEGAL_UTF32 in UTF-32 conversions.
-
-    See the header file "utf.h" for complete documentation.
-
------------------------------------------------------------------------- */
-
-
-#include "utf.h"
-#ifdef CVTUTF_DEBUG
-#include <stdio.h>
-#endif
-
-static const int halfShift  = 10; /* used for shifting by 10 bits */
-
-static const UTF32 halfBase = 0x0010000UL;
-static const UTF32 halfMask = 0x3FFUL;
-
-#define UNI_SUR_HIGH_START  (UTF32)0xD800
-#define UNI_SUR_HIGH_END    (UTF32)0xDBFF
-#define UNI_SUR_LOW_START   (UTF32)0xDC00
-#define UNI_SUR_LOW_END     (UTF32)0xDFFF
-#define false      0
-#define true        1
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Index into the table below with the first byte of a UTF-8 sequence to
- * get the number of trailing bytes that are supposed to follow it.
- * Note that *legal* UTF-8 values can't have 4 or 5-bytes. The table is
- * left as-is for anyone who may want to do such conversion, which was
- * allowed in earlier algorithms.
- */
-static const char trailingBytesForUTF8[256] = {
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
-    2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5
-};
-
-/*
- * Magic values subtracted from a buffer value during UTF8 conversion.
- * This table contains as many values as there might be trailing bytes
- * in a UTF-8 sequence.
- */
-static const UTF32 offsetsFromUTF8[6] = { 0x00000000UL, 0x00003080UL, 0x000E2080UL, 
-                     0x03C82080UL, 0xFA082080UL, 0x82082080UL };
-
-/*
- * Once the bits are split out into bytes of UTF-8, this is a mask OR-ed
- * into the first byte, depending on how many bytes follow.  There are
- * as many entries in this table as there are UTF-8 sequence types.
- * (I.e., one byte sequence, two byte... etc.). Remember that sequencs
- * for *legal* UTF-8 will be 4 or fewer bytes total.
- */
-static const UTF8 firstByteMark[7] = { 0x00, 0x00, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC };
-
-/* --------------------------------------------------------------------- */
-
-/* The interface converts a whole buffer to avoid function-call overhead.
- * Constants have been gathered. Loops & conditionals have been removed as
- * much as possible for efficiency, in favor of drop-through switches.
- * (See "Note A" at the bottom of the file for equivalent code.)
- * If your compiler supports it, the "isLegalUTF8" call can be turned
- * into an inline function.
- */
-
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF32toUTF16 (
-        const UTF32** sourceStart, const UTF32* sourceEnd, 
-        UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF32* source = *sourceStart;
-    UTF16* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch;
-        if (target >= targetEnd) {
-            result = targetExhausted; break;
-        }
-        ch = *source++;
-        if (ch <= UNI_MAX_BMP) { /* Target is a character <= 0xFFFF */
-            /* UTF-16 surrogate values are illegal in UTF-32; 0xffff or 0xfffe are both reserved values */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                if (flags == strictConversion) {
-                    --source; /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                } else {
-                    *target++ = UNI_REPLACEMENT_CHAR;
-                }
-            } else {
-                *target++ = (UTF16)ch; /* normal case */
-            }
-        } else if (ch > UNI_MAX_LEGAL_UTF32) {
-            if (flags == strictConversion) {
-                result = sourceIllegal;
-            } else {
-                *target++ = UNI_REPLACEMENT_CHAR;
-            }
-        } else {
-            /* target is a character in range 0xFFFF - 0x10FFFF. */
-            if (target + 1 >= targetEnd) {
-                --source; /* Back up source pointer! */
-                result = targetExhausted; break;
-            }
-            ch -= halfBase;
-            *target++ = (UTF16)((ch >> halfShift) + UNI_SUR_HIGH_START);
-            *target++ = (UTF16)((ch & halfMask) + UNI_SUR_LOW_START);
-        }
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF16toUTF32 (
-        const UTF16** sourceStart, const UTF16* sourceEnd, 
-        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF16* source = *sourceStart;
-    UTF32* target = *targetStart;
-    UTF32 ch, ch2;
-    while (source < sourceEnd) {
-        const UTF16* oldSource = source; /*  In case we have to back up because of target overflow. */
-        ch = *source++;
-        /* If we have a surrogate pair, convert to UTF32 first. */
-        if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_HIGH_END) {
-            /* If the 16 bits following the high surrogate are in the source buffer... */
-            if (source < sourceEnd) {
-                ch2 = *source;
-                /* If it's a low surrogate, convert to UTF32. */
-                if (ch2 >= UNI_SUR_LOW_START && ch2 <= UNI_SUR_LOW_END) {
-                    ch = ((ch - UNI_SUR_HIGH_START) << halfShift)
-                        + (ch2 - UNI_SUR_LOW_START) + halfBase;
-                    ++source;
-                } else if (flags == strictConversion) { /* it's an unpaired high surrogate */
-                    --source; /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                }
-            } else { /* We don't have the 16 bits following the high surrogate. */
-                --source; /* return to the high surrogate */
-                result = sourceExhausted;
-                break;
-            }
-        } else if (flags == strictConversion) {
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_LOW_START && ch <= UNI_SUR_LOW_END) {
-                --source; /* return to the illegal value itself */
-                result = sourceIllegal;
-                break;
-            }
-        }
-        if (target >= targetEnd) {
-            source = oldSource; /* Back up source pointer! */
-            result = targetExhausted; break;
-        }
-        *target++ = ch;
-    }
-    *sourceStart = source;
-    *targetStart = target;
-#ifdef CVTUTF_DEBUG
-if (result == sourceIllegal) {
-    fprintf(stderr, "ConvertUTF16toUTF32 illegal seq 0x%04x,%04x\n", ch, ch2);
-    fflush(stderr);
-}
-#endif
-    return result;
-}
-ConversionResult ConvertUTF16toUTF8 (
-        const UTF16** sourceStart, const UTF16* sourceEnd, 
-        UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF16* source = *sourceStart;
-    UTF8* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch;
-        unsigned short bytesToWrite = 0;
-        const UTF32 byteMask = 0xBF;
-        const UTF32 byteMark = 0x80; 
-        const UTF16* oldSource = source; /* In case we have to back up because of target overflow. */
-        ch = *source++;
-        /* If we have a surrogate pair, convert to UTF32 first. */
-        if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_HIGH_END) {
-            /* If the 16 bits following the high surrogate are in the source buffer... */
-            if (source < sourceEnd) {
-                UTF32 ch2 = *source;
-                /* If it's a low surrogate, convert to UTF32. */
-                if (ch2 >= UNI_SUR_LOW_START && ch2 <= UNI_SUR_LOW_END) {
-                    ch = ((ch - UNI_SUR_HIGH_START) << halfShift)
-                        + (ch2 - UNI_SUR_LOW_START) + halfBase;
-                    ++source;
-                } else if (flags == strictConversion) { /* it's an unpaired high surrogate */
-                    --source; /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                }
-            } else { /* We don't have the 16 bits following the high surrogate. */
-                --source; /* return to the high surrogate */
-                result = sourceExhausted;
-                break;
-            }
-        } else if (flags == strictConversion) {
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_LOW_START && ch <= UNI_SUR_LOW_END) {
-                --source; /* return to the illegal value itself */
-                result = sourceIllegal;
-                break;
-            }
-        }
-        /* Figure out how many bytes the result will require */
-        if (ch < (UTF32)0x80) {      bytesToWrite = 1;
-        } else if (ch < (UTF32)0x800) {     bytesToWrite = 2;
-        } else if (ch < (UTF32)0x10000) {   bytesToWrite = 3;
-        } else if (ch < (UTF32)0x110000) {  bytesToWrite = 4;
-        } else {                            bytesToWrite = 3;
-                                            ch = UNI_REPLACEMENT_CHAR;
-        }
-
-        target += bytesToWrite;
-        if (target > targetEnd) {
-            source = oldSource; /* Back up source pointer! */
-            target -= bytesToWrite; result = targetExhausted; break;
-        }
-        switch (bytesToWrite) { /* note: everything falls through. */
-            case 4: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 3: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 2: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 1: *--target =  (UTF8)(ch | firstByteMark[bytesToWrite]);
-        }
-        target += bytesToWrite;
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF32toUTF8 (
-        const UTF32** sourceStart, const UTF32* sourceEnd, 
-        UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF32* source = *sourceStart;
-    UTF8* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch;
-        unsigned short bytesToWrite = 0;
-        const UTF32 byteMask = 0xBF;
-        const UTF32 byteMark = 0x80; 
-        ch = *source++;
-        if (flags == strictConversion ) {
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                --source; /* return to the illegal value itself */
-                result = sourceIllegal;
-                break;
-            }
-        }
-        /*
-         * Figure out how many bytes the result will require. Turn any
-         * illegally large UTF32 things (> Plane 17) into replacement chars.
-         */
-        if (ch < (UTF32)0x80) {      bytesToWrite = 1;
-        } else if (ch < (UTF32)0x800) {     bytesToWrite = 2;
-        } else if (ch < (UTF32)0x10000) {   bytesToWrite = 3;
-        } else if (ch <= UNI_MAX_LEGAL_UTF32) {  bytesToWrite = 4;
-        } else {                            bytesToWrite = 3;
-                                            ch = UNI_REPLACEMENT_CHAR;
-                                            result = sourceIllegal;
-        }
-        
-        target += bytesToWrite;
-        if (target > targetEnd) {
-            --source; /* Back up source pointer! */
-            target -= bytesToWrite; result = targetExhausted; break;
-        }
-        switch (bytesToWrite) { /* note: everything falls through. */
-            case 4: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 3: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 2: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 1: *--target = (UTF8) (ch | firstByteMark[bytesToWrite]);
-        }
-        target += bytesToWrite;
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Utility routine to tell whether a sequence of bytes is legal UTF-8.
- * This must be called with the length pre-determined by the first byte.
- * If not calling this from ConvertUTF8to*, then the length can be set by:
- *  length = trailingBytesForUTF8[*source]+1;
- * and the sequence is illegal right away if there aren't that many bytes
- * available.
- * If presented with a length > 4, this returns false.  The Unicode
- * definition of UTF-8 goes up to 4-byte sequences.
- */
-
-static Boolean isLegalUTF8(const UTF8 *source, int length) {
-    UTF8 a;
-    const UTF8 *srcptr = source+length;
-    switch (length) {
-    default: return false;
-        /* Everything else falls through when "true"... */
-    case 4: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return false;
-    case 3: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return false;
-    case 2: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return false;
-
-        switch (*source) {
-            /* no fall-through in this inner switch */
-            case 0xE0: if (a < 0xA0) return false; break;
-            case 0xED: if (a > 0x9F) return false; break;
-            case 0xF0: if (a < 0x90) return false; break;
-            case 0xF4: if (a > 0x8F) return false; break;
-            default:   if (a < 0x80) return false;
-        }
-
-    case 1: if (*source >= 0x80 && *source < 0xC2) return false;
-    }
-    if (*source > 0xF4) return false;
-    return true;
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Exported function to return whether a UTF-8 sequence is legal or not.
- * This is not used here; it's just exported.
- */
-Boolean isLegalUTF8Sequence(const UTF8 *source, const UTF8 *sourceEnd) {
-    int length = trailingBytesForUTF8[*source]+1;
-    if (length > sourceEnd - source) {
-        return false;
-    }
-    return isLegalUTF8(source, length);
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Exported function to return the total number of bytes in a codepoint
- * represented in UTF-8, given the value of the first byte.
- */
-unsigned getNumBytesForUTF8(UTF8 first) {
-  return trailingBytesForUTF8[first] + 1;
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Exported function to return whether a UTF-8 string is legal or not.
- * This is not used here; it's just exported.
- */
-Boolean isLegalUTF8String(const UTF8 **source, const UTF8 *sourceEnd) {
-    while (*source != sourceEnd) {
-        int length = trailingBytesForUTF8[**source] + 1;
-        if (length > sourceEnd - *source || !isLegalUTF8(*source, length))
-            return false;
-        *source += length;
-    }
-    return true;
-}
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF8toUTF16 (
-        const UTF8** sourceStart, const UTF8* sourceEnd, 
-        UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF8* source = *sourceStart;
-    UTF16* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch = 0;
-        unsigned short extraBytesToRead = trailingBytesForUTF8[*source];
-        if (extraBytesToRead >= sourceEnd - source) {
-            result = sourceExhausted; break;
-        }
-        /* Do this check whether lenient or strict */
-        if (!isLegalUTF8(source, extraBytesToRead+1)) {
-            result = sourceIllegal;
-            break;
-        }
-        /*
-         * The cases all fall through. See "Note A" below.
-         */
-        switch (extraBytesToRead) {
-            case 5: ch += *source++; ch <<= 6; /* remember, illegal UTF-8 */
-            case 4: ch += *source++; ch <<= 6; /* remember, illegal UTF-8 */
-            case 3: ch += *source++; ch <<= 6;
-            case 2: ch += *source++; ch <<= 6;
-            case 1: ch += *source++; ch <<= 6;
-            case 0: ch += *source++;
-        }
-        ch -= offsetsFromUTF8[extraBytesToRead];
-
-        if (target >= targetEnd) {
-            source -= (extraBytesToRead+1); /* Back up source pointer! */
-            result = targetExhausted; break;
-        }
-        if (ch <= UNI_MAX_BMP) { /* Target is a character <= 0xFFFF */
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                if (flags == strictConversion) {
-                    source -= (extraBytesToRead+1); /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                } else {
-                    *target++ = UNI_REPLACEMENT_CHAR;
-                }
-            } else {
-                *target++ = (UTF16)ch; /* normal case */
-            }
-        } else if (ch > UNI_MAX_UTF16) {
-            if (flags == strictConversion) {
-                result = sourceIllegal;
-                source -= (extraBytesToRead+1); /* return to the start */
-                break; /* Bail out; shouldn't continue */
-            } else {
-                *target++ = UNI_REPLACEMENT_CHAR;
-            }
-        } else {
-            /* target is a character in range 0xFFFF - 0x10FFFF. */
-            if (target + 1 >= targetEnd) {
-                source -= (extraBytesToRead+1); /* Back up source pointer! */
-                result = targetExhausted; break;
-            }
-            ch -= halfBase;
-            *target++ = (UTF16)((ch >> halfShift) + UNI_SUR_HIGH_START);
-            *target++ = (UTF16)((ch & halfMask) + UNI_SUR_LOW_START);
-        }
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF8toUTF32 (
-        const UTF8** sourceStart, const UTF8* sourceEnd, 
-        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF8* source = *sourceStart;
-    UTF32* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch = 0;
-        unsigned short extraBytesToRead = trailingBytesForUTF8[*source];
-        if (extraBytesToRead >= sourceEnd - source) {
-            result = sourceExhausted; break;
-        }
-        /* Do this check whether lenient or strict */
-        if (!isLegalUTF8(source, extraBytesToRead+1)) {
-            result = sourceIllegal;
-            break;
-        }
-        /*
-         * The cases all fall through. See "Note A" below.
-         */
-        switch (extraBytesToRead) {
-            case 5: ch += *source++; ch <<= 6;
-            case 4: ch += *source++; ch <<= 6;
-            case 3: ch += *source++; ch <<= 6;
-            case 2: ch += *source++; ch <<= 6;
-            case 1: ch += *source++; ch <<= 6;
-            case 0: ch += *source++;
-        }
-        ch -= offsetsFromUTF8[extraBytesToRead];
-
-        if (target >= targetEnd) {
-            source -= (extraBytesToRead+1); /* Back up the source pointer! */
-            result = targetExhausted; break;
-        }
-        if (ch <= UNI_MAX_LEGAL_UTF32) {
-            /*
-             * UTF-16 surrogate values are illegal in UTF-32, and anything
-             * over Plane 17 (> 0x10FFFF) is illegal.
-             */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                if (flags == strictConversion) {
-                    source -= (extraBytesToRead+1); /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                } else {
-                    *target++ = UNI_REPLACEMENT_CHAR;
-                }
-            } else {
-                *target++ = ch;
-            }
-        } else { /* i.e., ch > UNI_MAX_LEGAL_UTF32 */
-            result = sourceIllegal;
-            *target++ = UNI_REPLACEMENT_CHAR;
-        }
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* ---------------------------------------------------------------------
-
-    Note A.
-    The fall-through switches in UTF-8 reading code save a
-    temp variable, some decrements & conditionals.  The switches
-    are equivalent to the following loop:
-        {
-            int tmpBytesToRead = extraBytesToRead+1;
-            do {
-                ch += *source++;
-                --tmpBytesToRead;
-                if (tmpBytesToRead) ch <<= 6;
-            } while (tmpBytesToRead > 0);
-        }
-    In UTF-8 writing code, the switches on "bytesToWrite" are
-    similarly unrolled loops.
-
-   --------------------------------------------------------------------- */
diff --git a/makerom/utf.h b/makerom/utf.h
deleted file mode 100644
index 0b74f167..00000000
--- a/makerom/utf.h
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright 2001-2004 Unicode, Inc.
- *
- * Disclaimer
- *
- * This source code is provided as is by Unicode, Inc. No claims are
- * made as to fitness for any particular purpose. No warranties of any
- * kind are expressed or implied. The recipient agrees to determine
- * applicability of information provided. If this file has been
- * purchased on magnetic or optical media from Unicode, Inc., the
- * sole remedy for any claim will be exchange of defective media
- * within 90 days of receipt.
- *
- * Limitations on Rights to Redistribute This Code
- *
- * Unicode, Inc. hereby grants the right to freely use the information
- * supplied in this file in the creation of products supporting the
- * Unicode Standard, and to make copies of this file in any form
- * for internal or external distribution as long as this notice
- * remains attached.
- */
-
-/* ---------------------------------------------------------------------
-
-    Conversions between UTF32, UTF-16, and UTF-8.  Header file.
-
-    Several funtions are included here, forming a complete set of
-    conversions between the three formats.  UTF-7 is not included
-    here, but is handled in a separate source file.
-
-    Each of these routines takes pointers to input buffers and output
-    buffers.  The input buffers are const.
-
-    Each routine converts the text between *sourceStart and sourceEnd,
-    putting the result into the buffer between *targetStart and
-    targetEnd. Note: the end pointers are *after* the last item: e.g.
-    *(sourceEnd - 1) is the last item.
-
-    The return result indicates whether the conversion was successful,
-    and if not, whether the problem was in the source or target buffers.
-    (Only the first encountered problem is indicated.)
-
-    After the conversion, *sourceStart and *targetStart are both
-    updated to point to the end of last text successfully converted in
-    the respective buffers.
-
-    Input parameters:
-        sourceStart - pointer to a pointer to the source buffer.
-                The contents of this are modified on return so that
-                it points at the next thing to be converted.
-        targetStart - similarly, pointer to pointer to the target buffer.
-        sourceEnd, targetEnd - respectively pointers to the ends of the
-                two buffers, for overflow checking only.
-
-    These conversion functions take a ConversionFlags argument. When this
-    flag is set to strict, both irregular sequences and isolated surrogates
-    will cause an error.  When the flag is set to lenient, both irregular
-    sequences and isolated surrogates are converted.
-
-    Whether the flag is strict or lenient, all illegal sequences will cause
-    an error return. This includes sequences such as: <F4 90 80 80>, <C0 80>,
-    or <A0> in UTF-8, and values above 0x10FFFF in UTF-32. Conformant code
-    must check for illegal sequences.
-
-    When the flag is set to lenient, characters over 0x10FFFF are converted
-    to the replacement character; otherwise (when the flag is set to strict)
-    they constitute an error.
-
-    Output parameters:
-        The value "sourceIllegal" is returned from some routines if the input
-        sequence is malformed.  When "sourceIllegal" is returned, the source
-        value will point to the illegal value that caused the problem. E.g.,
-        in UTF-8 when a sequence is malformed, it points to the start of the
-        malformed sequence.
-
-    Author: Mark E. Davis, 1994.
-    Rev History: Rick McGowan, fixes & updates May 2001.
-         Fixes & updates, Sept 2001.
-
------------------------------------------------------------------------- */
-
-#pragma once
-
-/* ---------------------------------------------------------------------
-    The following 4 definitions are compiler-specific.
-    The C standard does not guarantee that wchar_t has at least
-    16 bits, so wchar_t is no less portable than unsigned short!
-    All should be unsigned values to avoid sign extension during
-    bit mask & shift operations.
------------------------------------------------------------------------- */
-
-typedef unsigned int    UTF32;  /* at least 32 bits */
-typedef unsigned short  UTF16;  /* at least 16 bits */
-typedef unsigned char   UTF8;   /* typically 8 bits */
-typedef unsigned char   Boolean; /* 0 or 1 */
-
-/* Some fundamental constants */
-#define UNI_REPLACEMENT_CHAR (UTF32)0x0000FFFD
-#define UNI_MAX_BMP (UTF32)0x0000FFFF
-#define UNI_MAX_UTF16 (UTF32)0x0010FFFF
-#define UNI_MAX_UTF32 (UTF32)0x7FFFFFFF
-#define UNI_MAX_LEGAL_UTF32 (UTF32)0x0010FFFF
-
-#define UNI_MAX_UTF8_BYTES_PER_CODE_POINT 4
-
-#define UNI_UTF16_BYTE_ORDER_MARK_NATIVE  0xFEFF
-#define UNI_UTF16_BYTE_ORDER_MARK_SWAPPED 0xFFFE
-
-typedef enum {
-  conversionOK,           /* conversion successful */
-  sourceExhausted,        /* partial character in source, but hit end */
-  targetExhausted,        /* insuff. room in target for conversion */
-  sourceIllegal           /* source sequence is illegal/malformed */
-} ConversionResult;
-
-typedef enum {
-  strictConversion = 0,
-  lenientConversion
-} ConversionFlags;
-
-ConversionResult ConvertUTF32toUTF16 (
-        const UTF32** sourceStart, const UTF32* sourceEnd, 
-        UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags);
-
-ConversionResult ConvertUTF16toUTF32 (
-        const UTF16** sourceStart, const UTF16* sourceEnd, 
-        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags);
-		
-ConversionResult ConvertUTF16toUTF8 (
-        const UTF16** sourceStart, const UTF16* sourceEnd, 
-        UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags);
-		
-ConversionResult ConvertUTF32toUTF8 (
-        const UTF32** sourceStart, const UTF32* sourceEnd, 
-        UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags);
-		
-Boolean isLegalUTF8Sequence(const UTF8 *source, const UTF8 *sourceEnd);
-
-unsigned getNumBytesForUTF8(UTF8 first);
-
-Boolean isLegalUTF8String(const UTF8 **source, const UTF8 *sourceEnd);
-
-ConversionResult ConvertUTF8toUTF16 (
-        const UTF8** sourceStart, const UTF8* sourceEnd, 
-        UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags);
-		
-ConversionResult ConvertUTF8toUTF32 (
-        const UTF8** sourceStart, const UTF8* sourceEnd, 
-        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags);
diff --git a/makerom/utils.c b/makerom/utils.c
index 849126cc..92303ed2 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -1,5 +1,7 @@
 #include "lib.h"
-#include "utf.h"
+#ifndef _WIN32
+#include <iconv.h>
+#endif
 
 #include "polarssl/base64.h"
 
@@ -106,95 +108,6 @@ void memdump(FILE* fout, const char* prefix, const u8* data, u32 size)
 	}
 }
 
-u32 strlen_char16(const u16 *str)
-{
-	u32 i;
-	for (i = 0; str[i] != 0x0; i++);
-	return i;
-}
-
-char* strcopy_8to8(const char *src)
-{
-	if (!src)
-		return NULL;
-
-	u32 src_len = strlen(src);
-
-	// Allocate memory for expanded string
-	char *dst = calloc(src_len + 1, sizeof(u8));
-	if (!dst)
-		return NULL;
-
-	// Copy elements from src into dst
-	strncpy(dst, src, src_len);
-
-	return dst;
-}
-
-u16* strcopy_8to16(const char *src)
-{
-	if (!src)
-		return NULL;
-
-	u32 src_len = strlen(src);
-
-	// Allocate memory for expanded string
-	u16 *dst = calloc(src_len+1, sizeof(u16));
-	if (!dst)
-		return NULL;
-
-	// Copy elements from src into dst
-	for (u32 i = 0; i < src_len; i++)
-		dst[i] = src[i];
-
-	return dst;
-}
-
-
-u16* strcopy_16to16(const u16 *src)
-{
-	if (!src)
-		return NULL;
-
-	u32 src_len = strlen_char16(src);
-
-	// Allocate memory for expanded string
-	u16 *dst = calloc(src_len + 1, sizeof(u16));
-	if (!dst)
-		return NULL;
-
-	// Copy elements from src into dst
-	for (u32 i = 0; i < src_len; i++)
-		dst[i] = src[i];
-
-	return dst;
-}
-
-#ifndef _WIN32
-u16* strcopy_utf8to16(const char *src)
-{
-	if (!src)
-		return NULL;
-
-	u32 src_len = strlen(src);
-
-	// Allocate memory for expanded string
-	u16 *dst = calloc(src_len + 1, sizeof(u16));
-	if (!dst)
-		return NULL;
-
-	UTF16 *target_start = dst;
-	UTF16 *target_end = (target_start + (src_len*sizeof(u16)));
-
-	UTF8 *src_start = (UTF8*)src;
-	UTF8 *src_end = (UTF8*)(src + src_len*sizeof(char));
-
-	ConvertUTF8toUTF16((const UTF8 **)&src_start, src_end, &target_start, target_end, strictConversion);
-
-	return dst;
-}
-#endif
-
 // Base64
 bool IsValidB64Char(char chr)
 {
@@ -347,15 +260,6 @@ int TruncateFile64(char *filename, u64 filelen)
 #endif	
 }
 
-// Wide Char IO
-#ifdef _WIN32
-u64 wGetFileSize64(u16 *filename)
-{
-	struct _stat64 st;
-	_wstat64((wchar_t*)filename, &st);
-	return st.st_size;
-}
-#endif
 
 //IO Misc
 u8* ImportFile(char *file, u64 size)
diff --git a/makerom/utils.h b/makerom/utils.h
index e21a8af4..6370e415 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -20,13 +20,6 @@ u64 max64(u64 a, u64 b);
 // Strings
 void memdump(FILE* fout, const char* prefix, const const u8* data, u32 size);
 char* replace_filextention(const char *input, const char *extention);
-u32 strlen_char16(const u16 *str);
-char* strcopy_8to8(const char *src);
-u16* strcopy_8to16(const char *src);
-u16* strcopy_16to16(const u16 *src);
-#ifndef _WIN32
-u16* strcopy_utf8to16(const char *src);
-#endif
 
 // Base64
 bool IsValidB64Char(char chr);
@@ -45,14 +38,8 @@ u64 u64GetRand(void);
 bool AssertFile(char *filename);
 u64 GetFileSize64(char *filename);
 int makedir(const char* dir);
-char *getcwdir(char *buffer,int maxlen);
 int TruncateFile64(char *filename, u64 filelen);
 
-//Wide Char IO
-#ifdef _WIN32
-u64 wGetFileSize64(u16 *filename);
-#endif
-
 //IO Misc
 u8* ImportFile(char *file, u64 size);
 void WriteBuffer(const void *buffer, u64 size, u64 offset, FILE *output);

From 9d29a4ba62c5e7326f15736faa48192aba1b6990 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Wed, 25 Nov 2015 11:54:05 +0800
Subject: [PATCH 130/317] [makerom/ctrtool] Misc #include cleanup.

---
 ctrtool/ivfc.c   |  1 -
 ctrtool/oschar.h |  4 +---
 ctrtool/romfs.c  |  3 ---
 ctrtool/utils.c  | 10 ++--------
 makerom/oschar.h |  4 +---
 makerom/utils.c  |  4 ----
 6 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/ctrtool/ivfc.c b/ctrtool/ivfc.c
index 7fbb5fc8..90df3810 100644
--- a/ctrtool/ivfc.c
+++ b/ctrtool/ivfc.c
@@ -5,7 +5,6 @@
 #include "utils.h"
 #include "ivfc.h"
 #include "ctr.h"
-#include <inttypes.h>
 
 void ivfc_init(ivfc_context* ctx)
 {
diff --git a/ctrtool/oschar.h b/ctrtool/oschar.h
index 570a6ca6..9c788b07 100644
--- a/ctrtool/oschar.h
+++ b/ctrtool/oschar.h
@@ -3,9 +3,7 @@
 #include <string.h>
 #include <inttypes.h>
 #include <sys/stat.h>
-#include <dirent.h>
 #ifdef _WIN32
-#include <direct.h>
 #include <wchar.h>
 #endif
 
@@ -19,7 +17,7 @@ typedef wchar_t oschar_t; // UTF16-LE
 typedef char oschar_t; // UTF8
 #endif
 
-					   // Simple redirect macros for functions and types
+// Simple redirect macros for functions and types
 #ifdef _WIN32
 #define os_strlen wcslen
 #define os_strcmp wcscmp
diff --git a/ctrtool/romfs.c b/ctrtool/romfs.c
index 3ff49df3..05ce5c60 100644
--- a/ctrtool/romfs.c
+++ b/ctrtool/romfs.c
@@ -1,8 +1,5 @@
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
-#include <wchar.h>
-
 #include "types.h"
 #include "romfs.h"
 #include "utils.h"
diff --git a/ctrtool/utils.c b/ctrtool/utils.c
index bda20d93..d2d4adb6 100644
--- a/ctrtool/utils.c
+++ b/ctrtool/utils.c
@@ -1,16 +1,10 @@
-
 #include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <strings.h>
 #include <sys/stat.h>
-#include <sys/types.h>
-#include "utils.h"
-
 #ifdef _WIN32
 #include <direct.h>
-#include <wchar.h>
 #endif
+#include "utils.h"
+
 
 
 u32 align(u32 offset, u32 alignment)
diff --git a/makerom/oschar.h b/makerom/oschar.h
index 570a6ca6..9c788b07 100644
--- a/makerom/oschar.h
+++ b/makerom/oschar.h
@@ -3,9 +3,7 @@
 #include <string.h>
 #include <inttypes.h>
 #include <sys/stat.h>
-#include <dirent.h>
 #ifdef _WIN32
-#include <direct.h>
 #include <wchar.h>
 #endif
 
@@ -19,7 +17,7 @@ typedef wchar_t oschar_t; // UTF16-LE
 typedef char oschar_t; // UTF8
 #endif
 
-					   // Simple redirect macros for functions and types
+// Simple redirect macros for functions and types
 #ifdef _WIN32
 #define os_strlen wcslen
 #define os_strcmp wcscmp
diff --git a/makerom/utils.c b/makerom/utils.c
index 92303ed2..999433e7 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -1,8 +1,4 @@
 #include "lib.h"
-#ifndef _WIN32
-#include <iconv.h>
-#endif
-
 #include "polarssl/base64.h"
 
 #define IO_BLOCKSIZE 5*MB

From c8023e202b1e8762b8a4419f510c81332f48e3ef Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 26 Nov 2015 11:28:09 +0800
Subject: [PATCH 131/317] [makerom] Misc, added code comments.

---
 makerom/user_settings.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index c2655684..8eada633 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -697,13 +697,16 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 
 int CheckArgumentCombination(user_settings *set)
 {
+	// If content 0 was not specified, we must build it (a NCCH file)
 	if (set->common.contentPath[0] == NULL) {
 		set->ncch.buildNcch0 = true;
+		// A CXI can contain elements of a CFA, but not the other way round.
 		if (set->ncch.ncchType & CXI)
 			set->ncch.ncchType = CXI;
 		else
 			set->ncch.ncchType = CFA;
 
+		// If we are creating a NCCH file (as opposed to CIA/CCI), specify which NCCH type is the output format
 		if (set->common.outFormat == NCCH) 
 			set->common.outFormat = set->ncch.ncchType;
 	}

From 085e37296e42443f55461047f5dddf4ff1ce3a26 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 26 Nov 2015 11:39:23 +0800
Subject: [PATCH 132/317] [makerom] Added Homebrew NCCH Logo (credit:
 yellows8). Accessible via "BasicInfo/Logo: Homebrew"

---
 makerom/ncch.c      | 9 +++++++++
 makerom/ncch_logo.h | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/makerom/ncch.c b/makerom/ncch.c
index ecfd7eea..577843b2 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -338,6 +338,15 @@ int ImportLogo(ncch_settings *set)
 			}
 			memcpy(set->sections.logo.buffer,iQue_without_ISBN_LZ,0x2000);
 		}
+		else if (strcasecmp(set->rsfSet->BasicInfo.Logo, "homebrew") == 0) {
+			set->sections.logo.size = 0x2000;
+			set->sections.logo.buffer = malloc(set->sections.logo.size);
+			if (!set->sections.logo.buffer) {
+				fprintf(stderr, "[NCCH ERROR] Not enough memory\n");
+				return MEM_ERROR;
+			}
+			memcpy(set->sections.logo.buffer, Homebrew_LZ, 0x2000);
+		}
 		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"none") != 0){
 			fprintf(stderr,"[NCCH ERROR] Invalid logo name\n");
 			return NCCH_BAD_RSF_SET;
diff --git a/makerom/ncch_logo.h b/makerom/ncch_logo.h
index 3ba94388..018d2a86 100644
--- a/makerom/ncch_logo.h
+++ b/makerom/ncch_logo.h
@@ -23,4 +23,9 @@ static const unsigned char iQue_with_ISBN_LZ[0x2000] =
 static const unsigned char iQue_without_ISBN_LZ[0x2000] = 
 {
 	0x11, 0x48, 0x65, 0x00, 0x00, 0x64, 0x61, 0x72, 0x63, 0xFF, 0xFE, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x28, 0x65, 0x00, 0x00, 0x83, 0x30, 0x09, 0x1C, 0x04, 0x00, 0x00, 0x40, 0x20, 0x03, 0x30, 0x13, 0xAB, 0x30, 0x18, 0x15, 0x20, 0x1D, 0x02, 0xA0, 0x0B, 0x06, 0x20, 0x2B, 0x30, 0x18, 0x5A, 0x09, 0x20, 0x35, 0x10, 0x20, 0x39, 0x30, 0x2B, 0xF8, 0x20, 0x41, 0x54, 0x85, 0x30, 0x0B, 0x05, 0x00, 0x00, 0xEC, 0x20, 0x4D, 0x98, 0x30, 0x17, 0xD0, 0x20, 0x28, 0x30, 0x17, 0xDC, 0x30, 0x23, 0x07, 0x00, 0x00, 0xCC, 0x09, 0x0C, 0x00, 0x00, 0x20, 0x20, 0x51, 0x20, 0x14, 0x20, 0x2B, 0xA0, 0x20, 0x0B, 0x64, 0x20, 0x5D, 0x80, 0x20, 0x00, 0x00, 0x4C, 0x99, 0x20, 0x5C, 0xA8, 0x01, 0x50, 0x53, 0x20, 0x22, 0x00, 0xB2, 0x20, 0x75, 0x34, 0xE0, 0x22, 0x20, 0x13, 0x20, 0x74, 0xE2, 0x20, 0x81, 0xA0, 0x25, 0x13, 0x00, 0x00, 0x3C, 0x20, 0x68, 0x12, 0x02, 0x50, 0x77, 0x30, 0x8F, 0x41, 0x1C, 0x20, 0x90, 0x00, 0x36, 0x00, 0x00, 0x28, 0x20, 0xAB, 0x4D, 0x3E, 0x20, 0x9C, 0x80, 0x3A, 0x20, 0x0B, 0x20, 0xAD, 0x60, 0x30, 0x17, 0x54, 0x3C, 0x50, 0x17, 0x82, 0x30, 0x17, 0x40, 0x20, 0x23, 0x08, 0x00, 0x2D, 0x00, 0xA4, 0x30, 0x2F, 0x49, 0x20, 0x67, 0x20, 0xE9, 0xC4, 0x30, 0x3B, 0x56, 0x4A, 0x50, 0x17, 0xDC, 0x30, 0x3B, 0x52, 0x20, 0x47, 0x20, 0xE0, 0xF4, 0xB2, 0x30, 0x53, 0x55, 0x20, 0x53, 0x30, 0xD4, 0x00, 0x2E, 0x21, 0x13, 0x61, 0x02, 0x00, 0x6E, 0x00, 0x69, 0x00, 0x6D, 0x21, 0x1D, 0x4E, 0x82, 0x20, 0x07, 0x6E, 0x00, 0x74, 0x00, 0x65, 0x20, 0x11, 0x64, 0x0A, 0x00, 0x6F, 0x00, 0x4C, 0x20, 0x03, 0x67, 0x20, 0x07, 0x5F, 0x28, 0x00, 0x44, 0x20, 0x03, 0x30, 0x20, 0x01, 0x5F, 0x00, 0x53, 0x20, 0x00, 0x63, 0x40, 0x1F, 0x65, 0x00, 0x4F, 0x00, 0x75, 0xAB, 0x20, 0x2B, 0x41, 0x20, 0x43, 0x62, 0x20, 0x13, 0x6C, 0x40, 0x47, 0x02, 0x50, 0x43, 0x57, 0x42, 0x03, 0x20, 0x43, 0x43, 0x01, 0x80, 0x87, 0x55, 0x03, 0x20, 0xCB, 0x00, 0x90, 0x43, 0x01, 0x90, 0xCB, 0xD7, 0x00, 0x90, 0x87, 0xF0, 0xCB, 0x62, 0x21, 0x5D, 0x79, 0x21, 0x97, 0x01, 0x31, 0xA1, 0x71, 0x8D, 0xEA, 0x00, 0xF0, 0x2F, 0x71, 0x05, 0xD0, 0x2F, 0x74, 0x42, 0x09, 0x67, 0x23, 0x29, 0x33, 0xBD, 0x22, 0x01, 0x73, 0xA2, 0x01, 0xB0, 0x5B, 0x52, 0x2D, 0x00, 0x10, 0x21, 0x31, 0x01, 0x00, 0x21, 0x55, 0x32, 0x01, 0x00, 0x43, 0x33, 0xE0, 0x65, 0x4C, 0x23, 0x71, 0x4D, 0x22, 0xA3, 0x1F, 0x73, 0x00, 0x6B, 0x00, 0x40, 0x85, 0x30, 0x1F, 0x00, 0xB0, 0x17, 0xF0, 0x93, 0xF2, 0xE3, 0x41, 0x5F, 0x20, 0xB5, 0x32, 0x00, 0x38, 0x00, 0x78, 0x23, 0x68, 0x60, 0x34, 0xE0, 0xE1, 0x70, 0x02, 0x43, 0x4C, 0x41, 0x4E, 0xFF, 0x46, 0xFE, 0x23, 0xD0, 0x00, 0x02, 0x02, 0x34, 0x03, 0x33, 0x96, 0x70, 0x1D, 0x61, 0x74, 0x31, 0x23, 0x82, 0x44, 0x3E, 0x34, 0x59, 0x28, 0x33, 0x73, 0x10, 0xFF, 0xFF, 0xFF, 0x34, 0x4C, 0x53, 0x63, 0x65, 0x6E, 0x04, 0x65, 0x4F, 0x75, 0x74, 0x41, 0x24, 0x71, 0x47, 0x5F, 0x0C, 0x41, 0x5F, 0x30, 0x30, 0xA0, 0x4C, 0x40, 0x3B, 0x69, 0x31, 0xCD, 0x33, 0xA3, 0x50, 0x3F, 0x02, 0x00, 0x30, 0x59, 0x34, 0x9D, 0x68, 0x24, 0xA1, 0x00, 0x50, 0x5F, 0x4E, 0x69, 0x6E, 0x4C, 0x6F, 0x67, 0x70, 0x6F, 0xA0, 0x35, 0x34, 0xA0, 0x34, 0xBD, 0x43, 0x4C, 0x56, 0x43, 0x8F, 0x74, 0x3F, 0x00, 0x10, 0x02, 0x40, 0x87, 0x40, 0x0B, 0xD0, 0x5D, 0x20, 0x76, 0x20, 0x7F, 0x43, 0x34, 0xEC, 0x4E, 0x5F, 0x52, 0x6F, 0x6F, 0x73, 0x74, 0xD0, 0x7E, 0x00, 0x70, 0x4B, 0x80, 0x57, 0x00, 0x20, 0x20, 0x3B, 0x50, 0x3F, 0xF8, 0x00, 0x30, 0xFF, 0x34, 0xF7, 0xB0, 0xFF, 0x24, 0xD2, 0x80, 0xFF, 0x00, 0x00, 0x1E, 0xD5, 0x45, 0x4C, 0x70, 0xFF, 0x42, 0x40, 0xFF, 0x42, 0x00, 0x40, 0xFF, 0x9C, 0x80, 0x2D, 0xB2, 0x90, 0xFF, 0x5C, 0x01, 0xE0, 0xFF, 0x90, 0xB3, 0x34, 0xC2, 0x02, 0xD0, 0xF3, 0xC8, 0xFD, 0x20, 0xAA, 0xD0, 0xF3, 0x00, 0x70, 0xFF, 0xF1, 0xFF, 0x31, 0x39, 0x71, 0xFF, 0x65, 0x23, 0x31, 0xC5, 0xB1, 0xFF, 0x31, 0x84, 0x47, 0x5F, 0x43, 0x00, 0x81, 0xFF, 0x0F, 0xE1, 0xFF, 0x99, 0x02, 0x90, 0xFF, 0x12, 0xC3, 0x02, 0x31, 0xF3, 0x92, 0x3F, 0x80, 0xBF, 0x91, 0xF3, 0x7B, 0x60, 0x32, 0xB6, 0x00, 0x80, 0xFF, 0x36, 0xDF, 0x03, 0x32, 0xFF, 0x7C, 0x27, 0x27, 0x53, 0x3F, 0x55, 0x0D, 0x42, 0xFF, 0x48, 0x27, 0x9D, 0xB0, 0x27, 0xA1, 0xA4, 0x27, 0x8D, 0x60, 0x24, 0x27, 0x88, 0x36, 0xCB, 0x30, 0x03, 0x00, 0x00, 0xBC, 0xAD, 0x20, 0x03, 0x24, 0x27, 0xAB, 0x88, 0x37, 0x73, 0x27, 0x94, 0xB0, 0x26, 0xE7, 0x02, 0x74, 0x0A, 0x00, 0x00, 0x78, 0x0B, 0x32, 0xDF, 0x57, 0xF9, 0x00, 0x03, 0x5B, 0x37, 0x32, 0x27, 0x6E, 0x26, 0xB1, 0x33, 0xB7, 0x50, 0x41, 0x83, 0x2F, 0x71, 0x02, 0xF2, 0xE3, 0x73, 0xDB, 0x01, 0x13, 0x07, 0x50, 0x5F, 0x33, 0x00, 0x80, 0x67, 0x77, 0xB8, 0x60, 0x67, 0x20, 0xAA, 0x43, 0xC7, 0x38, 0x63, 0xC7, 0x30, 0x6F, 0x93, 0x9F, 0x53, 0xA0, 0x24, 0x0A, 0xA0, 0x27, 0xA5, 0x80, 0xBE, 0x24, 0x39, 0x23, 0x16, 0x23, 0xA0, 0xC0, 0x48, 0x79, 0x06, 0x02, 0x00, 0x30, 0x37, 0x70, 0x23, 0x00, 0x33, 0x33, 0xB3, 0x3F, 0xFC, 0x2D, 0xEC, 0xBC, 0x8C, 0x70, 0x0B, 0x0A, 0xD7, 0x23, 0x20, 0x0B, 0x30, 0x2F, 0x80, 0x3F, 0xBC, 0x48, 0xA9, 0x07, 0x01, 0xD0, 0x2F, 0xF4, 0x2F, 0xB0, 0x6B, 0x39, 0x0C, 0x40, 0x9D, 0x6F, 0x1C, 0x30, 0x97, 0x61, 0xEF, 0xCC, 0x28, 0x45, 0x30, 0x9B, 0x70, 0xF3, 0x24, 0x87, 0xDC, 0xE4, 0xB9, 0x71, 0x5B, 0x50, 0xF1, 0x5B, 0x29, 0x39, 0xD4, 0x8B, 0x70, 0xC1, 0x14, 0xCD, 0xCC, 0xCC, 0x20, 0xEB, 0x20, 0x24, 0x02, 0xF8, 0xC1, 0xF9, 0x00, 0x31, 0x67, 0x00, 0x14, 0xBB, 0x30, 0x7F, 0x30, 0x2F, 0x71, 0x73, 0x44, 0x73, 0xF5, 0x38, 0x94, 0x01, 0x90, 0x7F, 0x3C, 0xC2, 0x20, 0x7F, 0x3E, 0x02, 0xD0, 0x7F, 0x52, 0x65, 0x70, 0x64, 0x01, 0x70, 0xFF, 0xC1, 0xEB, 0x45, 0x43, 0xC2, 0xB7, 0x6D, 0xDB, 0xAE, 0x20, 0x7F, 0x8C, 0x25, 0x02, 0x20, 0x00, 0x40, 0xFF, 0x91, 0xF7, 0xB6, 0x1B, 0x5C, 0xA0, 0xA4, 0x87, 0xB4, 0x35, 0x3E, 0x00, 0x92, 0x24, 0xE9, 0xC0, 0xBD, 0x60, 0x8B, 0x31, 0x00, 0x32, 0xE7, 0x35, 0x33, 0xF2, 0xE7, 0x92, 0x53, 0xF0, 0x26, 0x82, 0x7F, 0x20, 0x25, 0x1B, 0x90, 0x0B, 0x50, 0x97, 0x34, 0xEF, 0x00, 0x50, 0x97, 0x96, 0x53, 0x30, 0x3B, 0xAF, 0x77, 0x04, 0xAA, 0xF1, 0x17, 0x32, 0x02, 0x13, 0x73, 0x32, 0xF7, 0x50, 0x8B, 0x00, 0x96, 0x7B, 0xF9, 0x33, 0x1B, 0x57, 0x78, 0x00, 0x31, 0x7F, 0x3B, 0x90, 0x57, 0x07, 0x54, 0x53, 0x2A, 0xEE, 0xB7, 0x47, 0x73, 0x4C, 0x37, 0x8B, 0x2B, 0xD9, 0x94, 0x63, 0x8B, 0x3B, 0x87, 0x3B, 0xD1, 0x61, 0x24, 0x4B, 0xD5, 0x00, 0x01, 0x97, 0xC0, 0x39, 0x8E, 0xE3, 0x2B, 0x39, 0xE8, 0x51, 0x5B, 0x5B, 0xFD, 0x01, 0x20, 0x23, 0x03, 0xF7, 0x6B, 0x40, 0x41, 0x9E, 0x11, 0x15, 0x8D, 0xBD, 0x31, 0xA3, 0x9A, 0x99, 0xB9, 0x2B, 0x7D, 0xAA, 0x2C, 0x5A, 0x04, 0x01, 0x10, 0x23, 0x01, 0x01, 0x20, 0x8F, 0x01, 0x01, 0x20, 0x8F, 0x01, 0xAD, 0x00, 0x10, 0x8F, 0xC1, 0x20, 0x8F, 0x3D, 0x60, 0x8F, 0x44, 0x5B, 0x01, 0x00, 0x10, 0x8F, 0x82, 0x00, 0x00, 0x23, 0x50, 0x5F, 0x42, 0x6C, 0x6B, 0x03, 0xE1, 0x63, 0x9A, 0x03, 0x99, 0x19, 0xC0, 0x0E, 0x74, 0xDA, 0x00, 0xC1, 0x63, 0x00, 0x40, 0x23, 0xFE, 0x04, 0x61, 0x63, 0x00, 0x30, 0x8F, 0xF1, 0x63, 0x00, 0x40, 0x23, 0x03, 0x81, 0x63, 0x00, 0x13, 0xBB, 0x00, 0x32, 0xC7, 0x58, 0xAA, 0x2E, 0x9D, 0x88, 0x66, 0x4F, 0xE8, 0x2E, 0xA9, 0x18, 0x2E, 0x95, 0x48, 0xBE, 0x2E, 0x99, 0x78, 0x62, 0xC7, 0xE3, 0xD3, 0x56, 0x3F, 0x60, 0x0B, 0x52, 0xD3, 0xF0, 0xF7, 0xC2, 0xD3, 0x01, 0xC0, 0x2F, 0x22, 0xDF, 0xD4, 0x33, 0x40, 0x68, 0x03, 0x50, 0x0B, 0x52, 0xEB, 0x7F, 0xF0, 0xC2, 0xEB, 0x01, 0xB0, 0x2F, 0x32, 0xF7, 0x01, 0xB0, 0xBF, 0x33, 0x03, 0x01, 0xC0, 0x2F, 0x00, 0x10, 0xBF, 0xFF, 0x46, 0x73, 0x70, 0x0B, 0x53, 0x1B, 0x40, 0xBF, 0x83, 0x1B, 0x01, 0xB0, 0x2F, 0x63, 0x27, 0x03, 0xC1, 0xC3, 0xFF, 0x33, 0x27, 0x75, 0x97, 0x93, 0x33, 0x00, 0x91, 0xC3, 0x01, 0x00, 0x2F, 0x05, 0xE1, 0xC3, 0x00, 0xF0, 0xBF, 0xF1, 0xC3, 0xFF, 0x01, 0x00, 0x2F, 0x05, 0x01, 0xC3, 0x00, 0x16, 0xB7, 0x00, 0x36, 0x4F, 0x35, 0xCC, 0x33, 0x8B, 0x36, 0x53, 0x33, 0x8F, 0x5F, 0xA0, 0x69, 0xE3, 0xD0, 0x6D, 0xAB, 0xE6, 0xCF, 0x59, 0xC7, 0x26, 0x43, 0x00, 0x40, 0x17, 0xFF, 0x26, 0x37, 0xD6, 0xFF, 0x63, 0x57, 0x26, 0x2B, 0x00, 0x30, 0x17, 0x36, 0x1F, 0x00, 0x30, 0x5F, 0x36, 0x13, 0xFF, 0x00, 0x40, 0x17, 0x00, 0x10, 0x5F, 0x49, 0x6B, 0x35, 0xFB, 0x00, 0x30, 0x17, 0x65, 0xEF, 0x03, 0xC1, 0x03, 0x82, 0xC7, 0xFF, 0xE1, 0x03, 0x82, 0xDF, 0x02, 0xE1, 0x03, 0x73, 0x27, 0xF1, 0x03, 0x80, 0x17, 0x01, 0xE1, 0x03, 0x00, 0xFD, 0xDF, 0x6E, 0x54, 0xEC, 0xDF, 0x02, 0x7E, 0xDF, 0x04, 0x2F, 0xA4, 0x5F, 0x0D, 0xDC, 0xDF, 0x50, 0xAA, 0x2F, 0xCC, 0xB8, 0x2F, 0xD0, 0x20, 0x2F, 0xBC, 0xA0, 0x2F, 0xC0, 0x2C, 0xAA, 0x2C, 0xE3, 0xAC, 0x2C, 0xE7, 0x10, 0x2C, 0xDF, 0x74, 0x2C, 0xDF, 0xD8, 0x5F, 0x07, 0x2D, 0x17, 0x09, 0x2C, 0x31, 0x2C, 0xE3, 0x02, 0x9C, 0xDF, 0x3E, 0xCF, 0x00, 0xFC, 0xDF, 0xD7, 0x9E, 0xF3, 0x00, 0xBC, 0xDF, 0x7C, 0xEC, 0xDF, 0x2C, 0x6D, 0x5B, 0xDD, 0x4F, 0x4C, 0xE3, 0xFF, 0x8C, 0xD3, 0xD0, 0x17, 0x9C, 0xBB, 0x00, 0x30, 0x17, 0x00, 0x9F, 0xD3, 0x3F, 0xFD, 0x01, 0x1C, 0x8B, 0x00, 0x0D, 0xE7, 0xBF, 0xC3, 0xA3, 0xA0, 0x2C, 0x7B, 0x00, 0x5C, 0x7F, 0xD0, 0x23, 0x01, 0x1C, 0x73, 0x03, 0xD0, 0x67, 0x02, 0x7C, 0x5B, 0x6F, 0x70, 0x2B, 0xCB, 0x7C, 0x5B, 0x20, 0x3B, 0xDB, 0x00, 0xED, 0x5B, 0x3E, 0x67, 0x7F, 0xD7, 0xEF, 0x5B, 0xCF, 0x00, 0xFC, 0x4F, 0x00, 0xDC, 0xDB, 0xF0, 0x2D, 0xCB, 0x80, 0x7F, 0x01, 0x2C, 0xDB, 0x30, 0x2F, 0xBF, 0x7F, 0xFB, 0xC8, 0x2F, 0x03, 0x7C, 0xDB, 0x5B, 0xE7, 0xAC, 0xDB, 0x00, 0x4C, 0x4F, 0x03, 0x3D, 0x67, 0xFF, 0x00, 0x1E, 0x67, 0xDD, 0x67, 0x04, 0x1C, 0x67, 0x41, 0xA3, 0x79, 0x93, 0x9D, 0x43, 0xCC, 0x67, 0x00, 0x60, 0x23, 0xFF, 0xCC, 0x67, 0x31, 0xEB, 0x89, 0x7B, 0x28, 0x2F, 0x00, 0x3C, 0x67, 0x00, 0x50, 0x23, 0xDC, 0x67, 0x00, 0x50, 0x8F, 0xFF, 0xDC, 0x67, 0x00, 0x60, 0x23, 0x00, 0x10, 0x8F, 0x79, 0x4B, 0x30, 0x8F, 0x00, 0x2C, 0x67, 0x00, 0x50, 0x23, 0x04, 0x1C, 0x67, 0x3F, 0x70, 0xC2, 0xA9, 0x33, 0x00, 0x81, 0x63, 0x00, 0x40, 0x23, 0x04, 0x61, 0x63, 0x00, 0x30, 0x8F, 0xF1, 0x63, 0xFF, 0x00, 0x40, 0x23, 0x03, 0x81, 0x63, 0x01, 0x5C, 0x67, 0x01, 0x9F, 0x2F, 0x43, 0xEB, 0x6F, 0x2F, 0x9F, 0x97, 0xDF, 0x2F, 0xFF, 0x00, 0x60, 0x23, 0xCF, 0x2F, 0x34, 0x33, 0x7F, 0x2F, 0x38, 0x2F, 0x00, 0x3F, 0x2F, 0x00, 0x50, 0x23, 0xDF, 0x2F, 0xFF, 0x00, 0x50, 0x8F, 0xDF, 0x2F, 0x00, 0x60, 0x23, 0x00, 0x10, 0x8F, 0x6F, 0x2F, 0x40, 0x8F, 0x00, 0x2F, 0x2F, 0x00, 0x50, 0x23, 0xFF, 0x01, 0x7C, 0x07, 0x01, 0xB1, 0x63, 0x9F, 0x2F, 0x00, 0x91, 0x63, 0x00, 0x40, 0x23, 0x04, 0x61, 0x63, 0x00, 0x30, 0x8F, 0xF1, 0x63, 0xFF, 0x00, 0x40, 0x23, 0x03, 0x81, 0x63, 0x01, 0x5B, 0xA7, 0x01, 0x95, 0x8F, 0x46, 0x27, 0x6F, 0x23, 0x9F, 0xDF, 0xD5, 0x8F, 0xFF, 0x00, 0x60, 0x23, 0xC5, 0x8F, 0x4F, 0xDF, 0x6F, 0x0B, 0x4F, 0xDF, 0x00, 0x25, 0x8F, 0x00, 0x50, 0x23, 0xD5, 0x8F, 0xFF, 0x00, 0x50, 0x8F, 0xD5, 0x8F, 0x00, 0x60, 0x23, 0x00, 0x10, 0x8F, 0x6E, 0xDB, 0x40, 0x8F, 0x00, 0x25, 0x8F, 0x00, 0x50, 0x23, 0xFF, 0x01, 0x7C, 0x07, 0x01, 0xB1, 0x63, 0x9E, 0xC3, 0x00, 0x91, 0x63, 0x00, 0x40, 0x23, 0x04, 0x61, 0x63, 0x00, 0x30, 0x8F, 0xF1, 0x63, 0xEF, 0x00, 0x40, 0x23, 0x03, 0x61, 0x63, 0x00, 0x7C, 0x5F, 0x4C, 0x2C, 0x5C, 0xBC, 0x5F, 0x3E, 0x51, 0x7C, 0x5F, 0x18, 0x65, 0x00, 0x73, 0xCC, 0x5F, 0x3B, 0x9C, 0x47, 0x5F, 0x43, 0xAF, 0x00, 0x4C, 0x5F, 0xFC, 0x2E, 0xBB, 0x0F, 0x5B, 0x58, 0x4C, 0x5F, 0x3C, 0x82, 0x3B, 0xAB, 0x55, 0xBC, 0x2F, 0xFF, 0xFC, 0x2F, 0xF8, 0x3C, 0x2E, 0xDB, 0x7C, 0x2E, 0xDF, 0x7C, 0xBC, 0x2E, 0xE3, 0x00, 0x3C, 0x47, 0x3E, 0xC7, 0x5E, 0xFB, 0x00, 0x7A, 0x3B, 0x80, 0xBF, 0xBD, 0x9A, 0x3B, 0x60, 0x88, 0xC7, 0x00, 0x3C, 0x2B, 0x00, 0x70, 0x4B, 0x9F, 0x2B, 0xCA, 0x2A, 0xB7, 0xDF, 0x00, 0x9B, 0xCB, 0x01, 0x10, 0x3F, 0xF2, 0xA0, 0x3F, 0x00, 0x1B, 0xA3, 0x01, 0xD0, 0x3F, 0x00, 0x29, 0xEF, 0x01, 0x00, 0xBF, 0x7B, 0x8E, 0x2B, 0x77, 0x70, 0xFF, 0x00, 0x27, 0x67, 0x01, 0x00, 0xFF, 0x24, 0xF0, 0x3F, 0xDF, 0x83, 0xB2, 0x01, 0x01, 0x3F, 0x30, 0x00, 0x8E, 0xBB, 0x5E, 0xBF, 0x59, 0x54, 0x7E, 0xBF, 0xA8, 0xA1, 0x2E, 0xBC, 0x10, 0x2F, 0xFB, 0x6C, 0x79, 0x74, 0x31, 0x3E, 0xD1, 0x90, 0x4A, 0x9E, 0x00, 0xA0, 0x2D, 0xE7, 0x70, 0x43, 0x74, 0x78, 0x36, 0x6C, 0x31, 0x3F, 0xDF, 0x3F, 0xBF, 0x04, 0x2F, 0xFF, 0x2D, 0x55, 0x74, 0x00, 0x65, 0x6E, 0x64, 0x6F, 0x5F, 0x31, 0x32, 0x38, 0x00, 0x78, 0x36, 0x34, 0x2E, 0x62, 0x63, 0x6C, 0x69, 0x57, 0x6D, 0x2F, 0xFF, 0x6D, 0x2E, 0xFB, 0x60, 0x62, 0x23, 0x30, 0x4B, 0x4D, 0x7F, 0x08, 0x4C, 0x6F, 0x67, 0x6F, 0xAE, 0xE9, 0xFF, 0xFF, 0xFF, 0xDF, 0x30, 0x03, 0x00, 0x40, 0x02, 0x15, 0x5F, 0xE0, 0x30, 0x62, 0xAF, 0x72, 0x3E, 0x07, 0x5E, 0x0B, 0x08, 0x70, 0x61, 0x6E, 0x31, 0x3B, 0x4F, 0x01, 0x04, 0xFF, 0x00, 0x00, 0x52, 0x6F, 0x6F, 0x74, 0x50, 0x61, 0x6E, 0x70, 0x65, 0x00, 0xB0, 0xDF, 0x00, 0x50, 0x47, 0x50, 0xD3, 0x70, 0x61, 0x73, 0x31, 0xD3, 0x3B, 0xA3, 0x70, 0x53, 0x03, 0x20, 0x53, 0x4E, 0x5F, 0x30, 0x55, 0x00, 0x0F, 0x96, 0xD0, 0x01, 0x20, 0x53, 0x4C, 0xD3, 0x42, 0x80, 0x53, 0x69, 0x63, 0x31, 0x80, 0x9F, 0x3C, 0x0F, 0x07, 0xFF, 0x00, 0x41, 0x03, 0x7E, 0xE0, 0x2D, 0x5B, 0x82, 0x1F, 0x00, 0x20, 0xEF, 0x9E, 0x2F, 0x63, 0x80, 0x42, 0xF1, 0x2B, 0x71, 0x99, 0xCF, 0x23, 0xC1, 0x27, 0x80, 0x0C, 0x3F, 0x70, 0x61, 0x65, 0x60, 0xDB, 0x50, 0x07, 0x67, 0x72, 0x30, 0x70, 0x31, 0x3C, 0x97, 0x31, 0x33, 0x47, 0x72, 0x6F, 0x75, 0xCE, 0x3C, 0x8F, 0x7F, 0xE7, 0x67, 0x72, 0x51, 0x07, 0x30, 0x23, 0x34, 0x57, 0x47, 0x3F, 0x5F, 0x41, 0xCF, 0xD3, 0x3F, 0xCF, 0xF1, 0x17, 0xF1, 0xD7, 0x30, 0x5F, 0x3F, 0xDF, 0x1F, 0x47, 0x5F, 0x42, 0xCF, 0x6D, 0x3F, 0xE7, 0x00, 0x90, 0x2B, 0xD4, 0x9F, 0x3F, 0xFB, 0x9A, 0xF1, 0x7F, 0x67, 0x72, 0x50, 0xC7, 0x01, 0x32, 0xBF, 0x3C, 0x22, 0xBC, 0x22, 0xB5, 0x00, 0x02, 0xBF, 0xC8, 0x82, 0xBF, 0x3D, 0x7F, 0x07, 0x64, 0xBB, 0x2D, 0x2F, 0xFF, 0x9D, 0x2F, 0x08, 0x00, 0x4F, 0x34, 0xA1, 0x32, 0xF3, 0x2F, 0xFF, 0x78, 0x2F, 0xFB, 0x1D, 0x33, 0x64, 0x73, 0x62, 0xAD, 0x62, 0xD2, 0x80, 0x10, 0x31, 0xF0, 0x10, 0x53, 0x32, 0xF0, 0x21, 0x33, 0x63, 0x05, 0x4C, 0x54, 0x90, 0x3E, 0x30, 0x0B, 0x83, 0x70, 0x39, 0x4C, 0x54, 0x4D, 0x61, 0x73, 0x3C, 0xCC, 0x63, 0x2D, 0x82, 0x33, 0x2B, 0xA8, 0x06, 0x00, 0x00, 0x0B, 0x2F, 0xFC, 0x38, 0xAA, 0x2F, 0xFF, 0x88, 0x2F, 0xFB, 0x08, 0x2F, 0xF4, 0x88, 0x2F, 0xF8, 0x08, 0xAA, 0x2F, 0xD4, 0x88, 0x2F, 0xD8, 0x4C, 0x2F, 0x10, 0xE8, 0x2F, 0x14, 0xAC, 0x9D, 0x23, 0x74, 0x48, 0x05, 0x2F, 0xD7, 0x20, 0x2F, 0x00, 0x35, 0x47, 0xAA, 0x53, 0x57, 0xBB, 0x00, 0x83, 0x53, 0x02, 0x00, 0xA3, 0x53, 0x00, 0x35, 0x57, 0x00, 0xB3, 0xA3, 0xD5, 0x20, 0xB3, 0x00, 0xB3, 0xA3, 0x68, 0x40, 0x24, 0x20, 0x30, 0x03, 0x11, 0x2F, 0xFB, 0x74, 0x06, 0x00, 0x61, 0x04, 0x30, 0x03, 0x30, 0x0B, 0x65, 0x06, 0x00, 0x01, 0x30, 0x03, 0xE9, 0x30, 0x17, 0x31, 0x87, 0x5E, 0x03, 0x05, 0x2F, 0x47, 0x4F, 0x5F, 0x31, 0x32, 0xB0, 0x01, 0xB0, 0x7F, 0x01, 0x03, 0xE0, 0x7F, 0xD2, 0xB5, 0x00, 0x00, 0x8C, 0x8C, 0x77, 0x8C, 0x05, 0xA0, 0x7F, 0x00, 0x16, 0x97, 0x00, 0xF1, 0x7F, 0x03, 0x03, 0xC1, 0x7F, 0x00, 0x16, 0xD7, 0x45, 0xA7, 0xCB, 0x2F, 0xB4, 0x00, 0x25, 0xA7, 0x80, 0x3F, 0x23, 0x44, 0x04, 0x25, 0xA3, 0x30, 0x03, 0x00, 0x06, 0x00, 0x06, 0x06, 0x73, 0x09, 0xED, 0xBE, 0xC3, 0x30, 0x03, 0x3F, 0xFB, 0x3A, 0x57, 0xDE, 0x40, 0x30, 0x03, 0xE0, 0x13, 0x70, 0xC0, 0x30, 0x03, 0x00, 0x75, 0xD3, 0x78, 0x54, 0x10, 0x04, 0x00, 0x01, 0x0A, 0x10, 0x04, 0x10, 0x02, 0xA2, 0x37, 0x46, 0xF2, 0x37, 0x26, 0x0F, 0x06, 0x02, 0x05, 0x66, 0x23, 0x33, 0x00, 0x12, 0x43, 0x4D, 0x5F, 0x00, 0x35, 0xB6, 0x96, 0x00, 0x36, 0x6A, 0x80, 0xEA, 0x23, 0x77, 0x05, 0x26, 0x67, 0x30, 0x03, 0x30, 0x1F, 0x8E, 0xE3, 0xBE, 0x30, 0x03, 0xB0, 0xBF, 0xE0, 0x13, 0xC0, 0xBF, 0x50, 0xA7, 0x78, 0x00, 0x00, 0xC0, 0xA7, 0x00, 0x21, 0x5F, 0xCF, 0x5F, 0x01, 0xB1, 0x5F, 0x2F, 0xA1, 0xBD, 0x61, 0xBF, 0x30, 0x03, 0x3F, 0xF7, 0xCE, 0x95, 0x17, 0x41, 0x30, 0x03, 0xBC, 0xE0, 0x13, 0xC1, 0x30, 0x03, 0x05, 0x21, 0x5F, 0x00, 0x00, 0xC3, 0x01, 0x31, 0x5F, 0x61, 0x0B, 0x3F, 0xB6, 0xBF, 0x30, 0x03, 0xB0, 0xBF, 0xE0, 0x13, 0xC0, 0xBF, 0x02, 0x61, 0x5F, 0xCD, 0xF7, 0xFF, 0x01, 0xB2, 0xBF, 0x3F, 0xF7, 0x50, 0x03, 0x5D, 0xA7, 0x50, 0x03, 0xC0, 0x13, 0x4F, 0xF7, 0x05, 0x22, 0xBF, 0xFF, 0x00, 0x00, 0xC3, 0x01, 0x32, 0xBF, 0x3F, 0xE3, 0x3F, 0xE7, 0xB0, 0xBF, 0xE0, 0x13, 0xC0, 0xBF, 0x01, 0xF2, 0xBF, 0xFF, 0x03, 0x59, 0x73, 0x57, 0x87, 0x00, 0x59, 0x73, 0x00, 0x1C, 0x63, 0x99, 0x1F, 0x40, 0x03, 0x00, 0x79, 0x1F, 0x3F, 0x93, 0xAC, 0xC9, 0x73, 0xA0, 0x4E, 0xC7, 0xF5, 0x00, 0x84, 0xD3, 0x70, 0x53, 0x46, 0x31, 0x74, 0x32, 0x00, 0x63, 0x2F, 0x58, 0x2F, 0xFA, 0x9F, 0x05, 0x4F, 0xF1, 0x00, 0x00, 0x13, 0xCD, 0xCC, 0x4C, 0x28, 0x36, 0x80, 0x3F, 0x50, 0x07, 0x40, 0x0F, 0xFF, 0x4A, 0x9B, 0x50, 0x07, 0x9F, 0xEC, 0xE0, 0x0B, 0x40, 0x03, 0x00, 0x0A, 0x1B, 0x2A, 0xC3, 0x00, 0xA4, 0xB7, 0xBE, 0x60, 0xFB, 0x20, 0x01, 0xC0, 0xA7, 0x27, 0x62, 0x01, 0x00, 0xA7, 0x8A, 0x1B, 0x81, 0x2F, 0x91, 0xC5, 0x00, 0x84, 0xA3, 0x71, 0x83, 0x10, 0xF4, 0xBF, 0x01, 0xC1, 0x2F, 0x07, 0x04, 0xD1, 0x2F, 0xDF, 0x00, 0x80, 0xA7, 0x01, 0xF1, 0x2F, 0x08, 0x02, 0x41, 0x2F, 0x00, 0x5D, 0x8B, 0xE1, 0xB7, 0xEB, 0xD7, 0x00, 0xD2, 0x5F, 0x77, 0x09, 0x04, 0xD2, 0x5F, 0x00, 0xB0, 0xA7, 0x01, 0xC3, 0x07, 0x0A, 0x01, 0xE2, 0x5F, 0x92, 0xE7, 0x00, 0x1F, 0xFB, 0xAD, 0xDD, 0x07, 0xA0, 0x00, 0x68, 0x1F, 0x10, 0x43, 0xE3, 0x00, 0x5D, 0x03, 0x50, 0x43, 0x83, 0x1F, 0x00, 0x00, 0x44, 0x6D, 0x03, 0x30, 0x0F, 0x3E, 0x2B, 0x30, 0x0F, 0x2D, 0x03, 0x9B, 0x6D, 0x83, 0x03, 0x05, 0x6D, 0x83, 0x00, 0x4D, 0xD6, 0xF8, 0x3F, 0x1F, 0x00, 0xA0, 0x7F, 0x5E, 0x80, 0x00, 0x40, 0x7F, 0x01, 0x01, 0x4D, 0x83, 0x00, 0x3E, 0x0B, 0x00, 0x1A, 0xEB, 0x01, 0x94, 0xEB, 0x80, 0x7B, 0x41, 0xFF, 0x37, 0x5F, 0xE9, 0x00, 0xEE, 0x0B, 0x7E, 0x8B, 0x01, 0x50, 0x7F, 0xFA, 0xEB, 0xBD, 0x02, 0xB0, 0x7F, 0x03, 0x8E, 0x8B, 0x9E, 0x7B, 0xFE, 0x9B, 0x00, 0x02, 0x0F, 0x03, 0x3F, 0x13, 0xFD, 0x00, 0x1A, 0xF3, 0x01, 0x51, 0x8F, 0x3F, 0x13, 0x00, 0x12, 0x0F, 0x2A, 0x3A, 0x04, 0x8F, 0x13, 0xDC, 0x00, 0x2F, 0x13, 0x7F, 0x0C, 0x4F, 0x13, 0xD6, 0xB7, 0xFD, 0x97, 0xFD, 0x57, 0xFC, 0xE7, 0xFC, 0x77, 0xFC, 0x07, 0xFE, 0xFB, 0x97, 0xFA, 0xE3, 0xFA, 0x57, 0xF9, 0xA3, 0xF9, 0x17, 0xF8, 0x63, 0x3F, 0xEF, 0xCC, 0xEB, 0x00, 0x2F, 0xB3, 0x3E, 0x8F, 0x0A, 0x30, 0xCB, 0x2C, 0x41, 0xA7, 0x43, 0xCF, 0x1B, 0x37, 0x0D, 0x98, 0xF8, 0x5F, 0x67, 0x72, 0x56, 0xFF, 0x04, 0x40, 0x02, 0x60, 0x00, 0x5A, 0x3C, 0xF8, 0xFA, 0x34, 0x9F, 0x2C, 0x5F, 0x4F, 0x27, 0x00, 0x0C, 0x91, 0x82, 0xA0, 0x00, 0xFC, 0xFF, 0x5F, 0x00, 0xFE, 0x00, 0xFF, 0x5A, 0xC0, 0x48, 0xBE, 0xED, 0x75, 0xDF, 0x00, 0x28, 0xF9, 0x20, 0xFF, 0x4C, 0xFE, 0x3F, 0xDD, 0x1A, 0xEF, 0x68, 0x74, 0x08, 0x40, 0x04, 0x20, 0x50, 0x84, 0x3F, 0xFF, 0xF6, 0x40, 0xFF, 0x26, 0x2F, 0xFF, 0x63, 0x03, 0x00, 0x00, 0xC0, 0xF4, 0x00, 0x10, 0xFD, 0xFF, 0xE8, 0x80, 0x2F, 0xB8, 0xF5, 0xF0, 0xFF, 0xFF, 0x20, 0x50, 0xFF, 0x12, 0xFF, 0x30, 0x20, 0x58, 0x09, 0x9F, 0x6F, 0x9F, 0xD9, 0x4F, 0x04, 0x4F, 0x00, 0x00, 0x6F, 0xAF, 0xBF, 0xE9, 0xF2, 0x60, 0x86, 0x5F, 0xEF, 0x0E, 0x8F, 0xFF, 0xF9, 0x51, 0x37, 0x3F, 0xFF, 0xF5, 0x0C, 0xF2, 0xFF, 0xFF, 0xF2, 0x20, 0x03, 0x4F, 0xE3, 0x26, 0x00, 0x64, 0x22, 0x4F, 0xEB, 0x29, 0x82, 0xFF, 0x58, 0x28, 0xE3, 0x06, 0xFF, 0x06, 0xFF, 0x2F, 0x2F, 0x00, 0x00, 0x30, 0x03, 0x4F, 0xFF, 0x22, 0xA0, 0xA0, 0x1F, 0xC1, 0x50, 0x77, 0x0A, 0x0A, 0x00, 0x30, 0x0A, 0x14, 0x0A, 0xD0, 0xF3, 0x6F, 0xE6, 0x64, 0x4F, 0xEE, 0x46, 0x00, 0x20, 0x00, 0xE3, 0x24, 0x2A, 0x8F, 0x9F, 0x00, 0x66, 0xFF, 0x06, 0xF4, 0x2D, 0xDF, 0xC0, 0xC6, 0x90, 0x6F, 0xBF, 0xFB, 0x04, 0xC7, 0x01, 0x52, 0x1C, 0x20, 0xB7, 0x20, 0x00, 0xF0, 0x20, 0xEB, 0x30, 0x03, 0x2F, 0xB1, 0x60, 0xF8, 0x30, 0xCB, 0x20, 0xB6, 0xFF, 0x66, 0x00, 0x66, 0x00, 0x70, 0x02, 0x20, 0xE3, 0x20, 0x6E, 0x2F, 0xC7, 0x00, 0x04, 0xFF, 0xFF, 0x20, 0x0D, 0x8F, 0x7F, 0xDC, 0xF7, 0x30, 0xFF, 0xFD, 0x00, 0x00, 0x00, 0x30, 0x00, 0x19, 0xFF, 0x00, 0xAA, 0xE6, 0xC1, 0x61, 0xE7, 0x2E, 0xF9, 0xC0, 0xF5, 0xF9, 0xFF, 0xDF, 0x20, 0xD5, 0x00, 0x07, 0x10, 0xFC, 0xFC, 0xAF, 0xDF, 0xFF, 0x02, 0x21, 0x9F, 0x6F, 0x3A, 0x6E, 0x35, 0x00, 0xD7, 0x02, 0x30, 0x41, 0x18, 0x00, 0xFF, 0xFD, 0x40, 0xEF, 0x21, 0x3B, 0x00, 0x00, 0xF9, 0x00, 0xF2, 0x01, 0x0B, 0x20, 0x00, 0xCF, 0xFF, 0x21, 0x02, 0xFF, 0xA8, 0x00, 0x5A, 0x00, 0x20, 0x21, 0x63, 0x20, 0x80, 0x2F, 0xA5, 0x0B, 0x0A, 0xF6, 0xF6, 0x0A, 0x0C, 0xF6, 0x00, 0xF2, 0xF7, 0x8E, 0xFF, 0xFF, 0x21, 0x00, 0x69, 0x02, 0x00, 0x8F, 0xFF, 0xA2, 0x06, 0x12, 0x3F, 0xC3, 0x4F, 0x01, 0xFF, 0x00, 0xDF, 0xFF, 0x00, 0x1C, 0xFF, 0x3F, 0xCD, 0x00, 0x00, 0x00, 0xC3, 0xFF, 0xFC, 0xFF, 0xFF, 0x40, 0x00, 0x00, 0xA9, 0x00, 0xFB, 0xFF, 0xFF, 0x4F, 0x6A, 0xAB, 0x2F, 0x74, 0x0A, 0x3F, 0x7A, 0x09, 0x9F, 0xF9, 0x03, 0x04, 0x82, 0x70, 0xEF, 0xFE, 0x81, 0x7F, 0x9C, 0xF6, 0xFF, 0xFF, 0x10, 0x00, 0xC6, 0x3F, 0xA4, 0x1C, 0x6F, 0xFF, 0x00, 0xA0, 0x88, 0x05, 0x00, 0x8F, 0x01, 0x5C, 0xC1, 0x43, 0x4C, 0x04, 0x49, 0x4D, 0xFF, 0xFE, 0x14, 0x32, 0x7C, 0x02, 0x28, 0xC1, 0x29, 0xF7, 0x3B, 0x5D, 0x69, 0x6D, 0x61, 0x67, 0x10, 0x4B, 0xE4, 0x18, 0x20, 0x00, 0x0D, 0x42, 0x30, 0x07, 0x03, 0x8B, 0xA0, 0x00, 0x71, 0x05, 0x00, 0x88, 0xFE, 0xFF, 0xFF, 0x25, 0xCE, 0xC0, 0x2E, 0xCB, 0x01, 0xC0, 0xC0, 0xAF, 0x9F, 0x00, 0x00, 0x9F, 0x20, 0x03, 0x03, 0x00, 0x88, 0x00, 0x88, 0xFF, 0xCC, 0x20, 0x17, 0x70, 0x07, 0x81, 0xFF, 0xC0, 0x78, 0x00, 0x02, 0xFF, 0xFC, 0x3E, 0x4F, 0x9B, 0x87, 0x3F, 0xEE, 0x90, 0x90, 0xDF, 0xDF, 0x30, 0x03, 0x01, 0xA1, 0xD7, 0x40, 0x6F, 0xC8, 0x30, 0x6B, 0x40, 0x6F, 0x00, 0xB0, 0x43, 0xCF, 0xDF, 0xFF, 0x55, 0x0A, 0xFF, 0xD7, 0x00, 0xEE, 0x00, 0x0E, 0xCE, 0x55, 0x20, 0x17, 0xEE, 0xE8, 0x20, 0x17, 0x70, 0x07, 0x40, 0x6F, 0x80, 0x90, 0x6F, 0xC5, 0xFF, 0xCF, 0x1E, 0x7F, 0xDE, 0x00, 0x95, 0x9D, 0xC1, 0x7F, 0x2F, 0x63, 0xB1, 0x7F, 0x20, 0x3A, 0x00, 0x10, 0x51, 0x7F, 0xB9, 0x8A, 0x06, 0xC5, 0x30, 0x50, 0xA8, 0x42, 0x70, 0xC2, 0x28, 0x4E, 0x2E, 0x06, 0x10, 0x00, 0x43, 0xFD, 0x3A, 0xAF, 0x76, 0x24, 0x00, 0x98, 0x6F, 0xC8, 0xCE, 0x47, 0x2D, 0xA3, 0xFF, 0x7A, 0x22, 0xFF, 0x45, 0x4F, 0xFE, 0xAA, 0x00, 0xBB, 0x4A, 0xCF, 0xBB, 0x8A, 0x50, 0x07, 0xFF, 0x23, 0xEF, 0x3F, 0x96, 0x00, 0x23, 0xDE, 0x53, 0x8A, 0x4F, 0xFF, 0x9A, 0x00, 0x68, 0x4A, 0xEF, 0x24, 0x35, 0x23, 0xAD, 0x14, 0xFF, 0xFF, 0xC8, 0x3A, 0xFB, 0xB3, 0x33, 0x2F, 0xFF, 0xFF, 0x87, 0x66, 0x67, 0x27, 0xFF, 0x00, 0x4B, 0x83, 0x4F, 0x7B, 0xA7, 0x21, 0xD1, 0xE0, 0x2E, 0x0D, 0x37, 0xCA, 0x08, 0x46, 0x42, 0x21, 0xF6, 0x22, 0xFF, 0xF7, 0x44, 0xF7, 0x00, 0x15, 0x7F, 0x22, 0xFF, 0x32, 0x4F, 0x7A, 0x43, 0xFF, 0x60, 0x97, 0x6B, 0xE7, 0x36, 0x6A, 0x10, 0xE7, 0xF2, 0xF4, 0xFF, 0xF8, 0x34, 0xBA, 0x40, 0x03, 0x9F, 0x9B, 0x25, 0x32, 0x8F, 0xA8, 0x0C, 0x09, 0xFF, 0x40, 0x4F, 0x25, 0x2D, 0xAD, 0xBF, 0x04, 0x28, 0xFF, 0x00, 0x62, 0x6C, 0x06, 0xF4, 0x37, 0xFF, 0xCF, 0xD6, 0x00, 0xDD, 0x00, 0x4C, 0xFC, 0xDD, 0x35, 0x00, 0xEE, 0x34, 0x4A, 0x31, 0xEF, 0x54, 0x00, 0x45, 0x1F, 0xB8, 0x38, 0x0B, 0x48, 0x51, 0x41, 0xEF, 0xFD, 0xA0, 0x97, 0x1F, 0x10, 0x00, 0xFE, 0x18, 0xFC, 0x10, 0xA0, 0x23, 0xF1, 0x6F, 0xFF, 0x2C, 0xEF, 0x00, 0x05, 0x03, 0xFF, 0xFF, 0x1E, 0x8F, 0xA1, 0x1B, 0xEF, 0x21, 0x1F, 0xCE, 0xC7, 0x69, 0x04, 0xD8, 0x4B, 0xA1, 0xF2, 0x27, 0xCB, 0x20, 0x03, 0x7F, 0xD5, 0xE1, 0x84, 0x40, 0xD7, 0x37, 0xFF, 0x01, 0xBE, 0x4D, 0xAF, 0x58, 0x00, 0x44, 0x23, 0x4F, 0x7B, 0x64, 0xFF, 0xA7, 0x47, 0xEF, 0xDC, 0xFF, 0x59, 0xED, 0x79, 0xA0, 0xDE, 0x24, 0xA0, 0x37, 0x04, 0xCC, 0xFF, 0x50, 0xCF, 0x10, 0x21, 0x00, 0x32, 0x42, 0xDF, 0x33, 0x00, 0x33, 0x00, 0x13, 0x00, 0x73, 0x30, 0x26, 0xAA, 0xFF, 0xFF, 0x40, 0x04, 0x63, 0x3F, 0x9C, 0x46, 0xD7, 0x7A, 0xEF, 0x35, 0x94, 0x72, 0xEF, 0x26, 0xF5, 0x2F, 0x05, 0x5C, 0x4D, 0x2F, 0xCA, 0x6B, 0x03, 0xE4, 0x0C, 0x09, 0x55, 0xFF, 0x08, 0xC0, 0x7F, 0x91, 0x00, 0x01, 0x00, 0xF3, 0xF3, 0x00, 0x99, 0x00, 0x99, 0x5F, 0xB7, 0xFC, 0x20, 0x0B, 0x20, 0x0F, 0x8F, 0xC7, 0x70, 0x17, 0x60, 0x1F, 0x8F, 0xE7, 0x56, 0xFF, 0x34, 0x55, 0x01, 0x3A, 0xFD, 0x90, 0x1F, 0x78, 0x4F, 0xFF, 0x55, 0xFF, 0x46, 0x65, 0x4A, 0x2F, 0x97, 0xFF, 0xFC, 0x35, 0x5C, 0x29, 0x23, 0x02, 0xC6, 0x34, 0x07, 0x3F, 0xFF, 0x8B, 0xFF, 0x03, 0x44, 0x10, 0x28, 0x4D, 0xD4, 0xD0, 0x80, 0x5F, 0x3F, 0xF0, 0x17, 0x9F, 0xF5, 0xEF, 0xFF, 0x07, 0xCF, 0xD1, 0x45, 0x6F, 0x2B, 0x59, 0x3E, 0xFB, 0x5F, 0x30, 0x20, 0xFB, 0x5F, 0x87, 0x12, 0xF3, 0xF9, 0xF8, 0x90, 0x3F, 0x31, 0xB7, 0x22, 0x97, 0x00, 0x60, 0x75, 0x85, 0xBF, 0x2F, 0xFF, 0xAF, 0x0D, 0xFF, 0x9E, 0xFF, 0x45, 0x45, 0x4F, 0x79, 0xA9, 0x00, 0x9A, 0x45, 0xBF, 0x89, 0x55, 0xA7, 0x10, 0xFF, 0x22, 0xFF, 0x3E, 0x9F, 0x00, 0xFF, 0x75, 0xFF, 0x52, 0xDA, 0x4F, 0xE3, 0x23, 0x3A, 0xDB, 0x5E, 0x7F, 0x95, 0x9F, 0x7F, 0x3E, 0x8F, 0x52, 0x23, 0x0C, 0x0D, 0x92, 0x31, 0xE1, 0xEF, 0xE1, 0xFF, 0x7F, 0xC7, 0x02, 0xF8, 0x2C, 0xE9, 0x30, 0x03, 0xF0, 0x0F, 0x01, 0x1D, 0xA6, 0x45, 0x3E, 0x00, 0xFB, 0xB0, 0xB7, 0x3A, 0x47, 0xFE, 0x2B, 0x83, 0x8C, 0x57, 0xD0, 0x28, 0x8B, 0x25, 0x31, 0x77, 0x11, 0x60, 0x0D, 0xA5, 0x1B, 0x96, 0x44, 0x00, 0x00, 0xFC, 0xFB, 0x01, 0x30, 0x07, 0xF8, 0x3B, 0xB6, 0x56, 0x45, 0x0E, 0x50, 0x00, 0x2F, 0x51, 0x3F, 0x2C, 0x8F, 0xE5, 0x2C, 0xC3, 0x00, 0xFA, 0x30, 0x2B, 0xBB, 0x43, 0x6F, 0x76, 0x87, 0x18, 0xEF, 0x00, 0x38, 0x77, 0x77, 0xC2, 0x5F, 0x85, 0xAE, 0x4B, 0x6B, 0xFF, 0x01, 0xAF, 0x47, 0xCF, 0x15, 0x32, 0x6B, 0xDC, 0x26, 0x89, 0x00, 0x3E, 0x67, 0x3A, 0x0D, 0xB4, 0x2F, 0x04, 0xF1, 0xFF, 0x7F, 0xEB, 0xA0, 0xB0, 0xA1, 0x26, 0x73, 0xF4, 0x79, 0x7C, 0x00, 0x60, 0xFB, 0xFF, 0x28, 0x32, 0xC0, 0x00, 0xB0, 0x01, 0x24, 0x07, 0x4F, 0x08, 0x2F, 0x1F, 0x00, 0x00, 0x72, 0x0D, 0x3D, 0x04, 0x7D, 0xFB, 0xFE, 0xE5, 0x00, 0xD8, 0x5C, 0xA7, 0xA5, 0xB7, 0x3F, 0x93, 0x61, 0x00, 0x1C, 0xBF, 0x38, 0x93, 0x40, 0x96, 0x9E, 0x2A, 0x03, 0x4F, 0xF4, 0x4B, 0xFE, 0x28, 0xAF, 0xD0, 0xE1, 0x3E, 0xFF, 0x1A, 0x27, 0x87, 0x3E, 0x05, 0x18, 0x00, 0x00, 0x3F, 0x2B, 0x55, 0x98, 0xBE, 0x04, 0x07, 0xFF, 0x17, 0xFF, 0x08, 0x06, 0x0E, 0x53, 0xFF, 0x20, 0x4A, 0xBF, 0x3F, 0xB6, 0xB3, 0xFF, 0x1C, 0xDE, 0xFF, 0xDD, 0x55, 0x42, 0x60, 0x17, 0x7F, 0xD6, 0xDD, 0xFF, 0x03, 0xED, 0xFF, 0x00, 0x31, 0x00, 0x95, 0x7A, 0xDB, 0x60, 0x37, 0x24, 0xEE, 0x12, 0x2E, 0xBF, 0x50, 0xFD, 0xDA, 0x11, 0xFF, 0xBD, 0x24, 0xFF, 0x69, 0x45, 0xE7, 0x14, 0x6B, 0x9B, 0x0F, 0x8E, 0x5E, 0x34, 0x01, 0x9F, 0x6F, 0xD3, 0x00, 0x1C, 0x2A, 0x35, 0x2F, 0x8F, 0xFC, 0xFC, 0x09, 0x00, 0xAD, 0x00, 0x47, 0x5A, 0x6F, 0xFD, 0x74, 0x4E, 0x97, 0x1E, 0xB9, 0xFF, 0xDC, 0x4F, 0xFF, 0x2F, 0x44, 0x2B, 0xB2, 0x4F, 0x3C, 0xBB, 0x6A, 0xFF, 0x2B, 0xAA, 0x2D, 0x64, 0x10, 0x60, 0xB7, 0x32, 0x35, 0xDC, 0x10, 0x15, 0x00, 0xB4, 0xEC, 0x2F, 0xF3, 0xF9, 0x7B, 0x78, 0xEF, 0x68, 0x9F, 0x10, 0x8B, 0xFF, 0x25, 0xAB, 0x8F, 0x6D, 0xFF, 0x8F, 0x02, 0xBD, 0x4E, 0xDD, 0x6C, 0x01, 0xEC, 0xAC, 0xCE, 0x7F, 0x2D, 0x16, 0xBE, 0x7F, 0x80, 0x7E, 0x7F, 0xC0, 0x9D, 0x2E, 0x04, 0x0F, 0xBD, 0xFF, 0xEF, 0xEF, 0x8A, 0xAF, 0x8E, 0x00, 0x47, 0x24, 0xDD, 0x78, 0xDD, 0x77, 0x33, 0x11, 0x01, 0x33, 0x11, 0x8D, 0x7D, 0x13, 0x13, 0x7D, 0x20, 0x03, 0xBF, 0x8A, 0xBF, 0x77, 0x50, 0x17, 0x70, 0x07, 0xFF, 0xFF, 0x30, 0x2B, 0xB0, 0x2F, 0xF0, 0x0F, 0xB7, 0x01, 0xBF, 0x7F, 0xA8, 0x6D, 0xEA, 0x7F, 0x7F, 0x10, 0x6D, 0xFF, 0x27, 0xB0, 0x04, 0xA1, 0x00, 0xA0, 0x0D, 0xB0, 0x01, 0x02, 0x60, 0xED, 0x61, 0xFF, 0x2C, 0xFF, 0xBE, 0x35, 0xFF, 0xF0, 0x3E, 0xB7, 0x00, 0xC0, 0xFF, 0x19, 0x00, 0x21, 0x1D, 0x01, 0x28, 0xFA, 0x18, 0xCC, 0xFF, 0x3A, 0x3B, 0x92, 0x40, 0x3F, 0x17, 0xFF, 0x6B, 0x8D, 0x27, 0x4C, 0x84, 0xFF, 0xE9, 0xBD, 0xB9, 0x3C, 0xB8, 0xFD, 0x23, 0x34, 0xE2, 0x30, 0x62, 0x4C, 0xDA, 0x40, 0x13, 0xF7, 0xFF, 0xF1, 0x20, 0x03, 0xEF, 0x08, 0xFF, 0xE8, 0xFF, 0xE0, 0x20, 0x03, 0xE1, 0xFF, 0xD9, 0x38, 0xFF, 0xD3, 0x50, 0x95, 0x2E, 0xE1, 0x21, 0x87, 0x57, 0xFF, 0x86, 0x34, 0xFF, 0xD1, 0x93, 0x69, 0x30, 0x41, 0xFA, 0x31, 0x9F, 0xAC, 0xFF, 0x44, 0xC7, 0x41, 0xA5, 0xD9, 0xFF, 0xE4, 0x50, 0x5B, 0xF6, 0xFF, 0x41, 0xF2, 0x20, 0x5D, 0xFB, 0xFF, 0xEE, 0xFF, 0xEA, 0x2F, 0x23, 0x54, 0xF5, 0x20, 0x05, 0xE4, 0x23, 0x97, 0xEA, 0x2E, 0x2E, 0xDA, 0xFF, 0x10, 0xDB, 0xFF, 0xD5, 0x2C, 0x6E, 0xC6, 0xFF, 0xD0, 0xFF, 0x05, 0xCB, 0xFF, 0xC1, 0xFF, 0xBC, 0x27, 0xE7, 0xE1, 0x20, 0x11, 0x41, 0xD2, 0x24, 0x7A, 0xDA, 0xFF, 0xCD, 0xFF, 0xCA, 0x20, 0x19, 0x04, 0xC1, 0xFF, 0xB7, 0xFF, 0xB3, 0x20, 0xFE, 0xBA, 0xFF, 0x14, 0xAF, 0xFF, 0xAB, 0x05, 0xD1, 0xFF, 0x5F, 0x62, 0x6D, 0x03, 0xFF, 0x51, 0x29, 0x20, 0xC2, 0xC2, 0xE1, 0x7F, 0x05, 0xFF, 0x9F, 0x22, 0x8D, 0x5B, 0x07, 0x21, 0x61, 0xA7, 0x20, 0x9A, 0x5F, 0xE9, 0x8A, 0xD9, 0x48, 0x38, 0x99, 0x50, 0xFE, 0x41, 0x01, 0xF7, 0x25, 0x34, 0xEA, 0xFF, 0xE0, 0x8D, 0xA2, 0xD1, 0x73, 0xF6, 0x80, 0x27, 0xF7, 0xFF, 0xEB, 0x25, 0x56, 0xE0, 0xA8, 0x21, 0x1D, 0xE9, 0x21, 0x25, 0xDE, 0x2F, 0x4A, 0xD4, 0xFF, 0xD3, 0x28, 0xFF, 0xC9, 0x2F, 0x52, 0xD3, 0x2B, 0x3D, 0xC9, 0xFF, 0xC8, 0xA8, 0x25, 0x49, 0xBD, 0x21, 0x07, 0xFC, 0x27, 0x46, 0xF0, 0xFF, 0xE6, 0xA2, 0x20, 0x2D, 0xE2, 0x25, 0x9E, 0xD5, 0xFF, 0xE3, 0x21, 0x95, 0xD6, 0xAA, 0x2D, 0xB0, 0xD0, 0x20, 0x21, 0xC3, 0x25, 0x10, 0xDA, 0x21, 0x3B, 0xCD, 0x28, 0xFF, 0xC5, 0x21, 0x4D, 0xC4, 0x25, 0x7B, 0xB6, 0xFF, 0xBF, 0x80, 0x21, 0x3D, 0xB2, 0xFF, 0xAB, 0xFF, 0xB0, 0xFF, 0xA9, 0x0A, 0xFF, 0xA3, 0xFF, 0x9C, 0x21, 0x51, 0xC0, 0x22, 0x4A, 0xB5, 0xA8, 0x21, 0x53, 0xAE, 0x21, 0xA8, 0xA2, 0x21, 0x59, 0xAA, 0xFF, 0xA8, 0xA0, 0x20, 0xC8, 0xA0, 0x2F, 0xE0, 0x95, 0xFF, 0x8C, 0xFF, 0xA6, 0x80, 0x2B, 0x49, 0x9A, 0xFF, 0x92, 0xFF, 0x96, 0xFF, 0x8F, 0xA8, 0x25, 0x33, 0x84, 0x20, 0x05, 0x87, 0x22, 0x2C, 0x7C, 0xFF, 0x7F, 0x2A, 0xFF, 0x79, 0x2B, 0x43, 0x6E, 0x22, 0x86, 0xB8, 0x20, 0x4B, 0xAA, 0x8C, 0x20, 0x53, 0xAD, 0xFF, 0xA4, 0x21, 0x00, 0x30, 0x53, 0x96, 0xFF, 0x54, 0x90, 0x2B, 0xFF, 0x92, 0x20, 0xFC, 0x85, 0x20, 0x4B, 0xA4, 0xFF, 0x41, 0x9B, 0x20, 0x3D, 0xA0, 0xFF, 0x9D, 0xFF, 0x93, 0x20, 0x17, 0x04, 0x8D, 0xFF, 0x89, 0xFF, 0x80, 0x20, 0x3F, 0x86, 0xFF, 0x50, 0x83, 0x20, 0x41, 0x76, 0x20, 0x0D, 0x83, 0xFF, 0x7D, 0xFF, 0x14, 0x77, 0xFF, 0x7E, 0x20, 0x4F, 0x72, 0x25, 0x87, 0x72, 0xFF, 0x04, 0x6C, 0xFF, 0x67, 0xFF, 0x62, 0x40, 0x03, 0x5C, 0xFF, 0x00, 0x58, 0xFF, 0x74, 0xFF, 0x70, 0xFF, 0x69, 0xFF, 0x50, 0x65, 0x25, 0xA1, 0x6A, 0x20, 0x15, 0x5F, 0xFF, 0x5E, 0xFF, 0x04, 0x5A, 0xFF, 0x53, 0xFF, 0x50, 0x22, 0x6C, 0x54, 0xFF, 0x14, 0x4D, 0xFF, 0x4A, 0x00, 0xD3, 0xFF, 0x16, 0x24, 0x1D, 0x6B, 0xFF, 0x6A, 0x15, 0x22, 0x66, 0x72, 0xD7, 0x85, 0x2F, 0xA8, 0xED, 0x5F, 0x95, 0xF9, 0xAA, 0x2E, 0xCE, 0xF0, 0x94, 0x3F, 0x75, 0x21, 0xBF, 0xD5, 0x84, 0x4D, 0x3D, 0xD5, 0x2F, 0xD0, 0xAF, 0xAC, 0xFD, 0x22, 0xFB, 0xE8, 0x26, 0x3B, 0xE0, 0x2F, 0xE7, 0x55, 0xF8, 0x2F, 0x06, 0xF1, 0x23, 0x03, 0xD9, 0x23, 0x01, 0xD3, 0x21, 0x7F, 0x55, 0xF0, 0x28, 0xC8, 0xE6, 0x21, 0x77, 0xD6, 0x23, 0x0F, 0xCC, 0x22, 0xD1, 0x55, 0xDD, 0x21, 0x89, 0xD5, 0x22, 0xBF, 0xC3, 0x22, 0xF6, 0xBB, 0x22, 0xB1, 0x55, 0xBF, 0x21, 0x61, 0xB5, 0x22, 0xB1, 0xA8, 0x21, 0x59, 0x9F, 0x22, 0xBB, 0x55, 0xAB, 0x21, 0x69, 0xA2, 0x21, 0x5F, 0x95, 0x2D, 0x23, 0x8C, 0x42, 0xD5, 0x5A, 0xD2, 0x21, 0x9F, 0xBF, 0x21, 0x95, 0x30, 0x1B, 0xCB, 0x27, 0x21, 0xC4, 0xAA, 0x21, 0xA7, 0xB0, 0x21, 0x9D, 0xA9, 0x21, 0x9F, 0xA6, 0x21, 0x7D, 0x9E, 0xAB, 0x21, 0x7F, 0x8F, 0x23, 0xA2, 0x87, 0x21, 0x77, 0x96, 0x26, 0xB9, 0x30, 0x0B, 0x51, 0x7F, 0x21, 0x19, 0x78, 0x21, 0x7F, 0x9E, 0xFF, 0x94, 0x20, 0x01, 0x45, 0x8A, 0x26, 0xCF, 0x82, 0xFF, 0x81, 0x20, 0x11, 0x8B, 0x20, 0x05, 0x62, 0x82, 0x20, 0x19, 0x30, 0x1B, 0x6E, 0xFF, 0x66, 0x21, 0xA5, 0x71, 0xA2, 0x21, 0x41, 0x68, 0x21, 0x3D, 0x63, 0xFF, 0x60, 0x21, 0x3B, 0x66, 0xA0, 0x21, 0x41, 0x5E, 0x2D, 0xBD, 0x57, 0xFF, 0x51, 0xFF, 0x4F, 0x2A, 0xFF, 0x48, 0x21, 0xC5, 0x70, 0x20, 0x21, 0x68, 0x80, 0x17, 0x6A, 0xAA, 0x20, 0x25, 0x63, 0x21, 0x63, 0x57, 0x20, 0x1D, 0x50, 0x20, 0x1F, 0x55, 0x20, 0xFF, 0x4E, 0x20, 0x01, 0x46, 0xFF, 0x47, 0xFF, 0x40, 0x0A, 0xFF, 0x3F, 0xFF, 0x39, 0x20, 0x07, 0x3F, 0x20, 0x09, 0x39, 0xA2, 0x20, 0x09, 0x32, 0x20, 0x01, 0x2C, 0xFF, 0x5D, 0x23, 0xF6, 0x53, 0xC0, 0x20, 0x23, 0x30, 0x03, 0x49, 0xFF, 0x44, 0xFF, 0x4B, 0xFF, 0x10, 0x45, 0xFF, 0x42, 0x21, 0x3E, 0x40, 0xFF, 0x3C, 0xFF, 0x05, 0x38, 0xFF, 0x34, 0xFF, 0x4A, 0x20, 0x39, 0x41, 0x21, 0x4E, 0x50, 0x43, 0x20, 0x05, 0x3B, 0x20, 0x11, 0x38, 0xFF, 0x35, 0xFF, 0x00, 0x31, 0xFF, 0x2E, 0xFF, 0x33, 0xFF, 0x30, 0xFF, 0x55, 0x2B, 0x23, 0x46, 0x3B, 0x20, 0x0F, 0x33, 0x20, 0x0F, 0x30, 0x24, 0xD2, 0x05, 0x2A, 0xFF, 0x26, 0xFF, 0x2D, 0x2B, 0x94, 0x27, 0x2D, 0xA5, 0x01, 0x23, 0xFF, 0x20, 0xFF, 0x1E, 0xFF, 0x1B, 0x23, 0x68, 0x50, 0x26, 0x40, 0x0B, 0x24, 0x2D, 0xB9, 0x1E, 0xFF, 0x1C, 0xFF, 0x05, 0x1D, 0xFF, 0x1A, 0xFF, 0x18, 0x21, 0xD2, 0x18, 0x24, 0xB8, 0x15, 0x13, 0xFF, 0x12, 0x33, 0x8B, 0x00, 0x20, 0x36, 0xD2, 0x6B, 0xF6, 0xB5, 0x34, 0x85, 0x00, 0x24, 0x87, 0x64, 0xB3, 0xFA, 0x2C, 0x0B, 0xEA, 0x24, 0x61, 0x55, 0xE4, 0x24, 0x57, 0xCC, 0x24, 0x59, 0xC6, 0x27, 0xFF, 0xDF, 0x24, 0x75, 0x52, 0xDA, 0x24, 0x5F, 0xC1, 0x24, 0x4D, 0xBC, 0x00, 0x22, 0xB6, 0x00, 0xC5, 0x23, 0x56, 0x43, 0x7B, 0xFE, 0xFF, 0xF2, 0x34, 0xA5, 0x00, 0x23, 0x4E, 0xAA, 0x24, 0xFD, 0xED, 0x2A, 0x35, 0xEA, 0x2C, 0x67, 0xD5, 0x24, 0xE9, 0xD2, 0xAA, 0x24, 0x91, 0xB7, 0x24, 0x8F, 0xB2, 0x29, 0x02, 0xCD, 0x24, 0xA5, 0xCA, 0xAA, 0x25, 0x7E, 0xAF, 0x24, 0x81, 0xAB, 0x25, 0x86, 0xB0, 0x23, 0x01, 0xAA, 0xAA, 0x23, 0x4B, 0x96, 0x23, 0x4D, 0x90, 0x23, 0x5B, 0xA4, 0x23, 0x09, 0x9F, 0xAA, 0x2E, 0xFF, 0x8A, 0x23, 0x35, 0x85, 0x22, 0xED, 0x7D, 0x22, 0xE9, 0x77, 0xAA, 0x22, 0xDB, 0x67, 0x22, 0xD9, 0x62, 0x22, 0xE7, 0x72, 0x23, 0x39, 0x6D, 0xAA, 0x22, 0xE3, 0x5C, 0x22, 0xE5, 0x57, 0x23, 0x6B, 0x9A, 0x23, 0x37, 0x96, 0xAA, 0x23, 0x17, 0x80, 0x23, 0x19, 0x7C, 0x23, 0x77, 0x93, 0x23, 0x29, 0x90, 0xAA, 0x25, 0x4A, 0x79, 0x23, 0x21, 0x76, 0x22, 0xFF, 0x6A, 0x23, 0x01, 0x65, 0xAA, 0x24, 0x7A, 0x53, 0x22, 0xF9, 0x50, 0x28, 0xA9, 0x62, 0x23, 0x09, 0x5F, 0xAA, 0x25, 0x6C, 0x4D, 0x23, 0x01, 0x4A, 0x21, 0x7F, 0x53, 0x25, 0x78, 0x4E, 0xA2, 0x21, 0x77, 0x42, 0x21, 0x79, 0x3D, 0xFF, 0x52, 0x21, 0x85, 0x4E, 0xAA, 0x21, 0x87, 0x40, 0x21, 0x7D, 0x3C, 0x21, 0x7F, 0x3A, 0x21, 0x69, 0x35, 0xAA, 0x21, 0x6F, 0x2D, 0x25, 0xA4, 0x28, 0x2E, 0xFD, 0x30, 0x21, 0x65, 0x2C, 0xAA, 0x41, 0x53, 0x1E, 0x21, 0x61, 0x1B, 0x21, 0x9F, 0x41, 0x21, 0xDD, 0x3D, 0xAA, 0x21, 0xAB, 0x31, 0x21, 0x99, 0x2D, 0x21, 0xA7, 0x3B, 0x21, 0xAF, 0x38, 0xAA, 0x21, 0x9F, 0x2B, 0x21, 0xA1, 0x29, 0x24, 0xE8, 0x23, 0x21, 0x95, 0x20, 0xAA, 0x21, 0x77, 0x18, 0x21, 0x79, 0x15, 0x21, 0x87, 0x1E, 0x2F, 0x43, 0x1C, 0xAA, 0x21, 0x83, 0x13, 0x23, 0x5E, 0x12, 0x2F, 0x4F, 0x1D, 0x40, 0x1B, 0x19, 0x8A, 0x23, 0x6C, 0x14, 0xFF, 0x11, 0x26, 0x72, 0x14, 0x23, 0x76, 0x11, 0xA8, 0x20, 0x09, 0x0E, 0x20, 0x01, 0x0B, 0x21, 0xA3, 0x10, 0xFF, 0x0F, 0x20, 0xFF, 0x0D, 0x40, 0x03, 0x0B, 0xFF, 0x0A, 0xFF, 0x0C, 0xAA, 0x20, 0x03, 0x09, 0x25, 0x24, 0x08, 0x25, 0x28, 0x06, 0x25, 0x32, 0x13, 0xAA, 0x20, 0x1D, 0x10, 0x20, 0x1F, 0x0C, 0x20, 0x15, 0x0A, 0x25, 0x3C, 0x0F, 0xAB, 0x20, 0x33, 0x0D, 0x20, 0x27, 0x08, 0x20, 0x1D, 0x07, 0x25, 0x52, 0x50, 0x25, 0x56, 0x04, 0x20, 0x01, 0x03, 0x25, 0x76, 0x02, 0x80, 0x07, 0x50, 0x01, 0x01, 0xAC, 0x00, 0xB9, 0x7F, 0x20, 0x2C, 0x1D, 0x03, 0x04, 0xE9, 0x7F, 0x10, 0x04, 0x80, 0x59, 0x30, 0xC2, 0x30, 0xFE, 0xE2, 0x2C, 0x3A, 0x3A, 0x46, 0x20, 0xF8, 0xE9, 0xFF, 0x0C, 0x00, 0x95, 0x00, 0xDC, 0x00, 0x3E, 0x2E, 0x03, 0x1F, 0xA9, 0x80, 0xF2, 0x18, 0x00, 0x10, 0xF9, 0x38, 0xEF, 0x4F, 0x02, 0x50, 0x90, 0xFF, 0x1F, 0xFF, 0xC0, 0xD0, 0x00, 0xDE, 0x98, 0xBF, 0x1B, 0xCB, 0xFF, 0x2F, 0x23, 0xF2, 0x7F, 0xE2, 0x4B, 0xFF, 0x01, 0xCF, 0x27, 0x10, 0x5B, 0x20, 0x2B, 0x10, 0x00, 0x11, 0x49, 0x71, 0x11, 0xFD, 0x60, 0x07, 0xF9, 0x7E, 0x70, 0x17, 0x0B, 0x10, 0x1F, 0x3A, 0x6E, 0x0C, 0xBA, 0x5C, 0x40, 0x41, 0xCD, 0x00, 0x30, 0xE3, 0xFF, 0x20, 0xF9, 0xB7, 0xFF, 0xFF, 0x00, 0xAF, 0xCF, 0x03, 0xD1, 0xF8, 0xFF, 0x7F, 0xFE, 0x00, 0xFF, 0x0C, 0x05, 0x06, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x90, 0x80, 0xED, 0xFF, 0xEE, 0xFF, 0x79, 0x0A, 0x00, 0x77, 0x00, 0xEE, 0x20, 0x07, 0x77, 0x20, 0x07, 0x00, 0x01, 0xAA, 0x00, 0x07, 0xFF, 0xFF, 0x3F, 0xCF, 0x2B, 0x90, 0x06, 0xA5, 0x00, 0x00, 0xF9, 0xF8, 0x70, 0x17, 0x80, 0x1F, 0x4A, 0x00, 0x00, 0xA0, 0x6F, 0x6F, 0xF0, 0x30, 0x00, 0x9B, 0x07, 0x00, 0x00, 0xEF, 0x23, 0x00, 0x80, 0x37, 0x80, 0x3F, 0xEA, 0x05, 0x8B, 0x00, 0x30, 0x1F, 0x80, 0xE8, 0xAB, 0x59, 0xF7, 0x59, 0x00, 0x60, 0x3F, 0x3B, 0xFC, 0xE0, 0x6B, 0xF2, 0x00, 0xE0, 0x5F, 0x00, 0x90, 0x7F, 0xA2, 0x00, 0x6A, 0xF4, 0xF3, 0x2A, 0x9F, 0x8F, 0x90, 0xBF, 0xDE, 0x20, 0xDF, 0x97, 0xDC, 0x48, 0x01, 0x00, 0x20, 0x10, 0x7B, 0xFF, 0x02, 0xAF, 0xFC, 0x30, 0x20, 0xFF, 0xFA, 0x39, 0xE3, 0x4E, 0xFF, 0x00, 0x04, 0x00, 0x00, 0x65, 0x50, 0x01, 0xA9, 0x88, 0x05, 0x04, 0xFF, 0x02, 0xF6, 0x1E, 0x8F, 0xB0, 0x50, 0xEF, 0x00, 0x4A, 0x9F, 0x01, 0x4B, 0x05, 0x08, 0x3C, 0x8F, 0x70, 0x90, 0x21, 0xCF, 0x70, 0xA1, 0xFA, 0x41, 0x45, 0x0C, 0xFF, 0xEF, 0x02, 0x00, 0x20, 0xC5, 0x2A, 0xD9, 0x80, 0x80, 0x80, 0x30, 0x03, 0xFF, 0xFE, 0x05, 0x0B, 0xF8, 0xE1, 0x6F, 0x81, 0x2B, 0x97, 0x80, 0x90, 0x00, 0x05, 0x60, 0x00, 0x2F, 0x66, 0x00, 0xB6, 0xFF, 0xFF, 0x25, 0x06, 0x06, 0x1F, 0xF8, 0x08, 0xF8, 0x9F, 0xF8, 0xF7, 0x2F, 0x73, 0x06, 0x07, 0xBB, 0x90, 0x21, 0x06, 0xD0, 0x40, 0x3B, 0xBB, 0xB8, 0x00, 0x6F, 0x6F, 0x00, 0x70, 0xF0, 0x6F, 0x6F, 0xE0, 0xE0, 0x68, 0xDF, 0x02, 0x50, 0xA0, 0xDF, 0xDF, 0x90, 0x90, 0x20, 0x0B, 0xF0, 0x08, 0x4B, 0x00, 0xB0, 0x00, 0x20, 0x0B, 0xA0, 0x9B, 0x00, 0x00, 0x70, 0x00, 0x89, 0xFF, 0xB6, 0x8D, 0xFF, 0xFF, 0x00, 0x04, 0x03, 0xAD, 0xFD, 0x23, 0x2F, 0xF3, 0xF3, 0x24, 0x9F, 0xAF, 0x20, 0x0B, 0x04, 0xBB, 0x2D, 0xB5, 0xF3, 0xF3, 0x00, 0xAF, 0xBF, 0xB2, 0x00, 0x8B, 0x00, 0xE8, 0xB0, 0x00, 0xFF, 0xEF, 0xC0, 0xC0, 0xFF, 0xFF, 0x49, 0x10, 0x0C, 0x81, 0xFD, 0x90, 0xC1, 0x2B, 0x9B, 0x20, 0x0B, 0x90, 0x00, 0x00, 0xBB, 0x00, 0xA0, 0x21, 0xFF, 0xFF, 0x01, 0x00, 0x00, 0xB3, 0x00, 0xCC, 0x07, 0x7C, 0xFA, 0x68, 0xAC, 0x00, 0xFB, 0x89, 0x00, 0x0A, 0x95, 0xFA, 0x5F, 0x48, 0x00, 0xF8, 0xF9, 0x03, 0x06, 0x72, 0xFA, 0xBD, 0x21, 0x00, 0x9D, 0x01, 0x17, 0x0D, 0xF9, 0xF9, 0x01, 0x00, 0x00, 0xB7, 0x00, 0x58, 0xDF, 0xDB, 0xD8, 0x4F, 0x3F, 0x00, 0x30, 0x20, 0x3A, 0xFF, 0x00, 0x03, 0xFF, 0xFF, 0x01, 0x38, 0x6A, 0x4F, 0x4F, 0x20, 0x30, 0x3B, 0x2E, 0x19, 0x04, 0xFF, 0xFF, 0x4A, 0x0B, 0xBB, 0x2E, 0x18, 0x70, 0xFA, 0x00, 0xCC, 0x5E, 0xFF, 0xFF, 0x09, 0x08, 0xFA, 0xFA, 0x00, 0x8F, 0x8F, 0xF3, 0xF3, 0x8F, 0x7F, 0xFF, 0xFC, 0x00, 0x08, 0x3D, 0x91, 0x00, 0xDD, 0x00, 0xF3, 0xF9, 0x00, 0x8F, 0x9F, 0xBA, 0x00, 0x6B, 0x00, 0x00, 0xB0, 0x00, 0xC7, 0xAF, 0xF4, 0xF7, 0x6F, 0x7F, 0xDC, 0x70, 0x00, 0x19, 0xDF, 0x30, 0x30, 0xFF, 0xFF, 0xF5, 0xC0, 0x00, 0x6F, 0x9F, 0x10, 0x00, 0xD8, 0x00, 0x30, 0x60, 0x01, 0xFF, 0xEF, 0xDB, 0x12, 0x2A, 0x00, 0x31, 0x2E, 0x70, 0x20, 0x09, 0x0C, 0x34, 0xF2, 0xFF, 0xFE, 0x00, 0x10, 0xFD, 0x22, 0xFF, 0x09, 0x5B, 0xEB, 0x40, 0x40, 0xB0, 0x20, 0x2B, 0xFF, 0x0D, 0x9F, 0x1E, 0x08, 0x09, 0x20, 0x1F, 0xAE, 0x7F, 0x05, 0x09, 0xE4, 0x31, 0x08, 0x40, 0x00, 0xFF, 0xE4, 0x3F, 0x49, 0x9F, 0xFF, 0x02, 0x07, 0xBF, 0xFA, 0x30, 0xFF, 0xC8, 0x00, 0x0F, 0x49, 0x23, 0xFC, 0x24, 0x02, 0x7F, 0xEE, 0x24, 0x02, 0x40, 0x07, 0x00, 0x05, 0xFA, 0x60, 0x17, 0x70, 0x1F, 0x00, 0x05, 0xFA, 0x09, 0x90, 0x1F, 0x60, 0x87, 0xD0, 0xBF, 0x55, 0xFA, 0x20, 0xFB, 0xF9, 0xFF, 0xFF, 0x02, 0x8C, 0xAF, 0x03, 0xFF, 0x5E, 0x04, 0x10, 0x16, 0x4D, 0xE6, 0x43, 0x02, 0x4C, 0x49, 0x4D, 0xFF, 0xFE, 0x14, 0x2F, 0xFF, 0x02, 0x30, 0x02, 0x28, 0x26, 0xF7, 0x38, 0x90, 0x69, 0x6D, 0x61, 0x67, 0xA8, 0x37, 0x02, 0x80, 0x27, 0xBE, 0x0D, 0x67, 0x0F, 0x47, 0x06, 0x16, 0x00, 0x8A, 0x12, 0x3A, 0x5B, 0x41, 0xDB, 0x11, 0xF4, 0x00, 0xAC, 0xCF, 0xDD, 0x96, 0xDB, 0x5F, 0xAA, 0xAE, 0x00, 0x6D, 0x3C, 0x2E, 0x7F, 0x8B, 0x72, 0xA3, 0x56, 0x00, 0x47, 0x7A, 0xF8, 0x43, 0x6B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+static const unsigned char Homebrew_LZ[0x2000] =
+{
+	0x11, 0x9C, 0x21, 0x00, 0x00, 0x64, 0x61, 0x72, 0x63, 0xFF, 0xFE, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7C, 0x21, 0x00, 0x00, 0x83, 0x30, 0x09, 0x24, 0x03, 0x00, 0x00, 0x40, 0x20, 0x03, 0x30, 0x13, 0xAB, 0x30, 0x18, 0x0F, 0x20, 0x1D, 0x02, 0xA0, 0x0B, 0x06, 0x20, 0x2B, 0x30, 0x18, 0x5A, 0x05, 0x20, 0x35, 0x10, 0x20, 0x39, 0x30, 0x2B, 0xA4, 0x20, 0x20, 0x40, 0xEA, 0x30, 0x45, 0x20, 0x1C, 0x30, 0x0B, 0x70, 0x60, 0x23, 0x08, 0x20, 0x59, 0x7A, 0x85, 0x30, 0x5D, 0x09, 0x00, 0x00, 0x28, 0x20, 0x2C, 0xA2, 0x20, 0x69, 0x21, 0x80, 0x19, 0x20, 0x0B, 0x04, 0x00, 0x00, 0xC4, 0x60, 0x47, 0xA0, 0x30, 0x5F, 0xCE, 0x20, 0x81, 0xC0, 0x1D, 0x00, 0x00, 0x9C, 0xA5, 0x20, 0x89, 0x12, 0x20, 0x75, 0x60, 0x1E, 0x50, 0x0B, 0x56, 0x30, 0x81, 0x55, 0x1F, 0x50, 0x17, 0x9A, 0x20, 0x8D, 0xA0, 0x60, 0x0B, 0xDE, 0x20, 0x99, 0x2A, 0x40, 0x20, 0x50, 0x2F, 0x22, 0x20, 0x9C, 0xE0, 0x60, 0x0B, 0x00, 0x20, 0x00, 0x2E, 0x20, 0xCB, 0x62, 0x00, 0x6C, 0x00, 0x79, 0x20, 0x00, 0x74, 0x20, 0xD5, 0x4E, 0x00, 0x69, 0x00, 0x6E, 0xA0, 0x20, 0x09, 0x65, 0x20, 0x05, 0x64, 0x00, 0x6F, 0x00, 0x4C, 0xA2, 0x20, 0x03, 0x67, 0x20, 0x07, 0x5F, 0x00, 0x55, 0x20, 0x03, 0x30, 0xAA, 0x20, 0x01, 0x2E, 0x20, 0x2D, 0x63, 0x01, 0x20, 0x2F, 0x44, 0x00, 0x40, 0x2F, 0x74, 0xA3, 0x20, 0x5F, 0x6D, 0x20, 0x51, 0x00, 0x00, 0x68, 0x40, 0x75, 0x70, 0x5D, 0x57, 0x62, 0x20, 0x6B, 0x74, 0x20, 0x81, 0x6F, 0x20, 0x1D, 0x70, 0x61, 0x30, 0x29, 0xD7, 0xF0, 0x27, 0x30, 0x21, 0x70, 0xE0, 0x21, 0x61, 0x20, 0xB1, 0x50, 0x2B, 0x01, 0x10, 0x8D, 0x18, 0x5F, 0x00, 0x53, 0x20, 0xBD, 0x30, 0xDD, 0x65, 0x00, 0x4F, 0x2F, 0x00, 0x75, 0x20, 0xF3, 0x43, 0x80, 0xD1, 0x30, 0x47, 0x01, 0x31, 0x01, 0x00, 0x10, 0x43, 0x6F, 0x42, 0x01, 0x80, 0x43, 0x00, 0x90, 0x87, 0x41, 0x03, 0x20, 0x43, 0x01, 0x90, 0x87, 0x00, 0x90, 0xCB, 0x01, 0x90, 0x87, 0xE0, 0x00, 0x91, 0x0F, 0xF1, 0x53, 0x90, 0x02, 0x43, 0x4C, 0x59, 0x54, 0xFF, 0x2C, 0xFE, 0x14, 0x33, 0x21, 0x02, 0x33, 0x03, 0x33, 0x0F, 0x6C, 0x79, 0x31, 0x74, 0x31, 0x30, 0x11, 0x43, 0x3C, 0x00, 0xC8, 0x43, 0x23, 0x0D, 0x03, 0x43, 0x74, 0x78, 0x6C, 0x31, 0x24, 0x63, 0x50, 0x22, 0xFA, 0x00, 0x00, 0x68, 0x62, 0x6C, 0x6F, 0x67, 0x6F, 0x5F, 0x00, 0x74, 0x6F, 0x70, 0x2E, 0x62, 0x63, 0x6C, 0x69, 0x81, 0x32, 0x18, 0x00, 0x6D, 0x61, 0x74, 0x31, 0x60, 0x63, 0x74, 0x86, 0x33, 0x57, 0x48, 0x62, 0x4D, 0x61, 0x32, 0xC3, 0xB0, 0x70, 0xFF, 0x35, 0xFF, 0xFF, 0x30, 0x03, 0x00, 0x40, 0x02, 0x15, 0x43, 0xB2, 0x04, 0x30, 0x5E, 0x98, 0xA0, 0xA3, 0x80, 0x3F, 0x50, 0x03, 0x23, 0x93, 0x61, 0x6E, 0x31, 0x48, 0x4C, 0x33, 0xE8, 0x04, 0xFF, 0x20, 0x5B, 0x52, 0x6F, 0x6F, 0x07, 0x74, 0x50, 0x61, 0x6E, 0x65, 0xE0, 0x60, 0x00, 0x80, 0x0E, 0x70, 0x47, 0x86, 0x50, 0xCF, 0x70, 0x61, 0x73, 0x31, 0x33, 0xDB, 0x70, 0x53, 0x03, 0xB3, 0x80, 0x53, 0x30, 0x01, 0x70, 0x50, 0xA0, 0x9B, 0x20, 0x42, 0x30, 0x03, 0x80, 0x53, 0x0B, 0x69, 0x63, 0x31, 0x80, 0x34, 0x90, 0x07, 0x30, 0xA7, 0x00, 0x11, 0x03, 0xC7, 0x01, 0x50, 0xA7, 0x23, 0x08, 0x00, 0x80, 0x41, 0xF1, 0x2B, 0x71, 0x95, 0x91, 0x1B, 0x83, 0xF1, 0x27, 0x80, 0x3F, 0x70, 0x61, 0x65, 0x60, 0xDB, 0x50, 0x07, 0x0C, 0x67, 0x72, 0x70, 0x31, 0x35, 0x21, 0x51, 0x33, 0x47, 0x72, 0xCD, 0x24, 0xDB, 0x82, 0x03, 0x67, 0x72, 0x51, 0x07, 0x30, 0x23, 0x3C, 0x25, 0x45, 0x07, 0x47, 0x5F, 0x41, 0x5F, 0x30, 0xA1, 0x02, 0x25, 0x37, 0x00, 0x01, 0x17, 0xD7, 0xF1, 0xD7, 0x30, 0x5F, 0x2C, 0x40, 0x3B, 0x42, 0xC0, 0x3B, 0x35, 0x7C, 0x00, 0x90, 0x2B, 0x67, 0x43, 0x00, 0x20, 0x2B, 0xD1, 0x7F, 0x67, 0x72, 0x50, 0xC7, 0x00, 0xB1, 0xE1, 0x01, 0x12, 0xBF, 0x40, 0xA0, 0x00, 0xB2, 0xBF, 0x62, 0x6F, 0x74, 0x74, 0x6F, 0x6D, 0xF2, 0x62, 0xC2, 0x09, 0x52, 0xBF, 0x50, 0xCF, 0x07, 0x52, 0xBF, 0xF0, 0xC2, 0x00, 0xE2, 0xBF, 0x42, 0xC3, 0x10, 0x00, 0xF2, 0xBF, 0x10, 0x76, 0x70, 0x1E, 0xF0, 0xF0, 0x0F, 0x0F, 0x30, 0x03, 0x02, 0x70, 0x1F, 0x9B, 0x4E, 0x44, 0xD7, 0x00, 0x2C, 0x8F, 0x00, 0x2D, 0x7F, 0x7D, 0x9D, 0xEE, 0x00, 0x4D, 0x9D, 0x11, 0x90, 0x00, 0xEF, 0x4E, 0x84, 0x06, 0x00, 0xA1, 0x00, 0x4D, 0xBD, 0x2B, 0xEE, 0x00, 0x00, 0xDB, 0xF6, 0xC5, 0x60, 0x77, 0x8D, 0x00, 0x30, 0x67, 0x3D, 0x23, 0xD5, 0x3D, 0x27, 0x40, 0x67, 0xFE, 0x00, 0x4E, 0x1D, 0x2A, 0x7A, 0xBE, 0x00, 0x00, 0x50, 0xFF, 0x57, 0xE9, 0x80, 0x17, 0xC5, 0x00, 0x4E, 0x5D, 0xFF, 0xA0, 0x79, 0x00, 0x50, 0x1F, 0x5F, 0x63, 0x1E, 0xD0, 0x00, 0xCF, 0x00, 0x7B, 0x38, 0x4F, 0x84, 0x00, 0xD1, 0x5D, 0x03, 0xF1, 0xEF, 0xFF, 0x1F, 0xF0, 0xF0, 0xFF, 0x81, 0xEF, 0x81, 0xFF, 0x3F, 0x8E, 0x21, 0xC6, 0x20, 0x1A, 0xE0, 0x20, 0x20, 0x92, 0x0F, 0x92, 0x1F, 0xC0, 0xF7, 0x00, 0x00, 0xFD, 0x02, 0xFF, 0xFF, 0x6E, 0xFF, 0x11, 0x06, 0x4E, 0x7A, 0xFF, 0x00, 0xFD, 0x00, 0x00, 0xF7, 0xC0, 0x01, 0x05, 0x00, 0x00, 0x00, 0x5E, 0xFF, 0x11, 0xFF, 0xFF, 0xF6, 0x0B, 0x08, 0x7F, 0x60, 0x10, 0xCF, 0x61, 0x73, 0xFF, 0xFF, 0x10, 0x01, 0x60, 0xFF, 0xCF, 0xE6, 0xFF, 0x7F, 0x0B, 0x71, 0x87, 0x04, 0xFA, 0x2C, 0xFF, 0x90, 0x03, 0x2D, 0x95, 0x4F, 0xFF, 0x04, 0xFC, 0x2C, 0xFF, 0xFF, 0x03, 0x00, 0x01, 0xA5, 0xFF, 0x90, 0x04, 0x5F, 0xCF, 0x10, 0x00, 0xEF, 0x2E, 0xD7, 0xA0, 0xF6, 0x18, 0x00, 0x00, 0xFC, 0x80, 0x47, 0x2D, 0x69, 0xFC, 0x00, 0x00, 0x01, 0xF6, 0x90, 0xFF, 0x5E, 0xFF, 0x01, 0x03, 0x3D, 0x72, 0x02, 0xC3, 0x0D, 0x8F, 0x20, 0xFF, 0xDF, 0x20, 0x42, 0xFF, 0x08, 0x00, 0x6E, 0xFF, 0x02, 0x40, 0xB3, 0x20, 0xFF, 0xC6, 0x83, 0x80, 0x77, 0xFA, 0x3E, 0xFF, 0x40, 0x04, 0x50, 0x9F, 0x41, 0xFF, 0x40, 0x01, 0x2D, 0xE4, 0x3E, 0xFA, 0x40, 0xFF, 0xEF, 0xFE, 0x04, 0x01, 0x08, 0xF5, 0xF1, 0x0D, 0x22, 0xEB, 0xAF, 0xEF, 0x00, 0xF0, 0xF0, 0x5F, 0x1F, 0xF1, 0xF5, 0x0F, 0x0D, 0x09, 0xFE, 0xEF, 0x08, 0x01, 0x72, 0xFF, 0xFF, 0x04, 0x53, 0x02, 0x07, 0xA0, 0xF6, 0xFF, 0x5E, 0xFC, 0x30, 0x5C, 0x7D, 0xE7, 0x20, 0x0C, 0x10, 0xF6, 0x90, 0x6E, 0x20, 0x48, 0xFF, 0xC3, 0x00, 0xFF, 0x01, 0x20, 0xFF, 0x0D, 0x8F, 0x00, 0x00, 0xDF, 0x32, 0x59, 0xB8, 0x22, 0xF2, 0x02, 0x20, 0x0F, 0x32, 0xF8, 0x30, 0x7D, 0xFC, 0xF8, 0x04, 0x00, 0x07, 0xF4, 0xF0, 0x0A, 0x0E, 0xF1, 0xF4, 0xFF, 0x00, 0xFD, 0xF8, 0xEC, 0xF5, 0xE0, 0xC0, 0x90, 0x2F, 0x00, 0x9F, 0x50, 0x10, 0xFF, 0xFF, 0xAF, 0x5F, 0xA0, 0x10, 0x50, 0x1F, 0x0D, 0x2E, 0x8D, 0x04, 0xF3, 0xF7, 0x08, 0x0C, 0x0C, 0xFA, 0xFD, 0x0C, 0x2F, 0x90, 0x3E, 0x77, 0x1F, 0x8F, 0x03, 0xCF, 0x8F, 0xFF, 0xFD, 0x5F, 0x1F, 0x06, 0x03, 0xEF, 0x00, 0xE2, 0x6C, 0xF4, 0x00, 0xF0, 0x1F, 0x02, 0x73, 0xEA, 0x01, 0x10, 0x1D, 0x00, 0xD0, 0x37, 0xA4, 0x63, 0xC2, 0xDF, 0x00, 0x6E, 0x28, 0x00, 0xC3, 0x6C, 0x00, 0x73, 0xEA, 0x2B, 0x01, 0x60, 0xFF, 0x30, 0x69, 0x00, 0x3F, 0x89, 0xFE, 0xFC, 0x20, 0x79, 0x3F, 0xFF, 0x00, 0x70, 0x7D, 0x23, 0x1B, 0x4F, 0xF5, 0x00, 0x7D, 0xE7, 0xF8, 0x00, 0x40, 0x0D, 0x10, 0x14, 0xCE, 0x01, 0x43, 0x4C, 0x49, 0x4D, 0xFF, 0xFE, 0x46, 0x14, 0x2F, 0xFF, 0x02, 0x02, 0x28, 0x24, 0x6E, 0x35, 0xA2, 0x69, 0x10, 0x6D, 0x61, 0x67, 0x24, 0x79, 0x00, 0x80, 0x00, 0x40, 0xFF, 0x52, 0x7D, 0x30, 0x0C, 0x07, 0x8F, 0xFF, 0x57, 0x9F, 0x38, 0x79, 0x00, 0x58, 0x7D, 0x00, 0xF0, 0x1F, 0x40, 0xD8, 0xB6, 0x53, 0x74, 0xDF, 0x00, 0x88, 0x27, 0x57, 0x5F, 0xFF, 0x28, 0x69, 0x00, 0x3F, 0xFF, 0xEF, 0xDD, 0x28, 0x79, 0x3F, 0xFF, 0xB2, 0x63, 0xDC, 0xFF, 0xFF, 0x98, 0x7D, 0xC7, 0x00, 0x67, 0xFF, 0x7F, 0x9D, 0x4F, 0xFF, 0x47, 0x0F, 0x48, 0xE5, 0x89, 0x47, 0x30, 0xD9, 0x50, 0xDD, 0x2F, 0xFF, 0x17, 0xE8, 0x00, 0xBF, 0x00, 0x4F, 0xFF, 0x02, 0x00, 0x10, 0x37, 0x00, 0x68, 0x7F, 0x01, 0x50, 0x7F, 0xB1, 0x00, 0x14, 0x92, 0x2F, 0x84, 0xBE, 0x00, 0x3F, 0xFF, 0x0E, 0x00, 0x20, 0x69, 0x9D, 0xF9, 0x05, 0x24, 0x9C, 0x61, 0xEF, 0x38, 0x67, 0x20, 0x04, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0x38, 0x7F, 0x83, 0x28, 0x7D, 0x10, 0x90, 0x0F, 0x0F, 0xE0, 0x29, 0x17, 0x72, 0x1F, 0x50, 0xE0, 0x20, 0x0F, 0x10, 0x38, 0x79, 0x1B, 0xFF, 0xFF, 0x02, 0x02, 0x00, 0xFF, 0xB1, 0xDF, 0xFF, 0x20, 0x40, 0x2C, 0x02, 0x01, 0x1B, 0xFD, 0x80, 0xFF, 0xFD, 0x20, 0xB1, 0x20, 0x38, 0x00, 0xDF, 0xDF, 0x08, 0x01, 0x09, 0xF0, 0xF0, 0x0E, 0xD5, 0x2A, 0xC9, 0x28, 0x69, 0x1A, 0x30, 0x27, 0x0E, 0x20, 0x0F, 0x01, 0x2A, 0xDD, 0x90, 0x88, 0x5F, 0xF5, 0x7F, 0x38, 0xF7, 0xFF, 0xFE, 0x1A, 0xFF, 0x3A, 0xF5, 0x02, 0x2A, 0xF5, 0x30, 0x29, 0x50, 0x1D, 0xF0, 0x29, 0x83, 0xF0, 0x30, 0xF0, 0x7F, 0x25, 0xDE, 0x3A, 0x31, 0xD1, 0xF9, 0xFF, 0x7F, 0x60, 0xFE, 0x30, 0x8B, 0x6A, 0x3D, 0xFE, 0xF8, 0x2F, 0xCF, 0xC0, 0x44, 0x00, 0x28, 0x60, 0x01, 0xFF, 0xF5, 0x30, 0xA2, 0x2E, 0xAF, 0x80, 0x6A, 0x55, 0x03, 0x00, 0x30, 0xFF, 0xFE, 0xFF, 0xCF, 0x90, 0x32, 0x19, 0xFF, 0x38, 0x3A, 0x6D, 0xAF, 0xBF, 0xFF, 0xFF, 0x21, 0x2F, 0x0F, 0x29, 0x0A, 0xFB, 0x00, 0x00, 0xF2, 0x20, 0x87, 0x40, 0x2F, 0x20, 0x0F, 0xAF, 0x0F, 0x00, 0x11, 0xF2, 0xFB, 0x03, 0xFF, 0xE8, 0xFF, 0xBF, 0x1E, 0x9F, 0x22, 0x6E, 0x4A, 0x91, 0x01, 0xAF, 0xCF, 0xFF, 0xFF, 0x3F, 0x0F, 0xEF, 0x20, 0x0F, 0x67, 0x2E, 0x21, 0xFF, 0x72, 0x27, 0xFF, 0x03, 0x5B, 0x82, 0x70, 0x7F, 0x86, 0x77, 0x80, 0x01, 0x60, 0x7F, 0xF7, 0xF2, 0x7F, 0xBF, 0xD0, 0x70, 0xFF, 0x21, 0xFF, 0x20, 0x20, 0x03, 0xB1, 0xF5, 0xBF, 0x2F, 0x21, 0x23, 0x80, 0x39, 0x9F, 0xF2, 0xFD, 0xFF, 0x0B, 0x06, 0xFF, 0xDF, 0x00, 0x02, 0x00, 0x2F, 0x6F, 0x70, 0xB0, 0xBF, 0xFF, 0x40, 0xF1, 0x20, 0xC3, 0x07, 0x02, 0xDF, 0x7F, 0x00, 0x00, 0x02, 0xFB, 0xF6, 0xFD, 0xFF, 0xF2, 0xD0, 0x20, 0xB1, 0x0C, 0x1E, 0x00, 0x00, 0x07, 0x72, 0x87, 0x03, 0x74, 0x7F, 0x29, 0x73, 0xD4, 0x7F, 0x10, 0xE5, 0x56, 0xFD, 0x38, 0xF8, 0x00, 0x84, 0xBF, 0x41, 0x4E, 0x74, 0xBF, 0x9C, 0x63, 0x1A, 0x05, 0x70, 0x61, 0x74, 0x31, 0x3C, 0x63, 0x60, 0x1C, 0x67, 0x7B, 0x60, 0xF1, 0x22, 0x27, 0x3A, 0x7E, 0x53, 0x63, 0x65, 0x6E, 0x65, 0x08, 0x4F, 0x75, 0x74, 0x43, 0x2F, 0xFF, 0x47, 0x5F, 0x43, 0x10, 0x5F, 0x30, 0x30, 0xDF, 0xFF, 0x70, 0x61, 0x69, 0x31, 0x4D, 0x4C, 0x8B, 0x5A, 0x02, 0x00, 0x35, 0x19, 0x30, 0x43, 0x40, 0x2F, 0xFF, 0x04, 0x48, 0x62, 0x4D, 0x61, 0x74, 0x00, 0x2F, 0xFF, 0x48, 0x62, 0x0D, 0x52, 0x6F, 0x6F, 0x74, 0xE0, 0x48, 0x02, 0xE0, 0x9F, 0x42, 0x40, 0x9F, 0x56, 0x42, 0x08, 0x80, 0x9F, 0x41, 0x41, 0x3F, 0x41, 0x10, 0x0C, 0x81, 0x3F, 0x05, 0x33, 0x1F, 0x77, 0x00, 0xA2, 0x13, 0x49, 0x99, 0x58, 0x3D, 0x71, 0x8A, 0x00, 0x3A, 0x75, 0x0A, 0xEF, 0xE4, 0xC9, 0xFC, 0xB1, 0x00, 0x00, 0x99, 0x02, 0x63, 0xA9, 0x9B, 0x74, 0xE0, 0x00, 0x38, 0xD3, 0x33, 0xC0, 0x52, 0x6A, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
\ No newline at end of file

From 6ab7c2a0dc487c84194ff8a106fe8d52e1cec0f6 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 26 Nov 2015 14:21:46 +0800
Subject: [PATCH 133/317] [ctrtool] Implemented --listromfs & --romfsdir to
 work directly with NCCH. Also implemented plainrgn extraction.

---
 ctrtool/ivfc.c     | 60 +++++++++++++++++++++++++++++--------
 ctrtool/ivfc.h     | 22 +++++++++-----
 ctrtool/main.c     | 13 ++++----
 ctrtool/ncch.c     | 38 +++++++++++++++++++++++-
 ctrtool/ncch.h     |  5 ++++
 ctrtool/romfs.c    | 74 ++++++++++++++++++++++++++++++++++------------
 ctrtool/romfs.h    | 10 ++++++-
 ctrtool/settings.c | 13 ++++++++
 ctrtool/settings.h |  3 ++
 ctrtool/utils.c    | 37 +++++++++++++++++++++++
 ctrtool/utils.h    |  4 +++
 11 files changed, 232 insertions(+), 47 deletions(-)

diff --git a/ctrtool/ivfc.c b/ctrtool/ivfc.c
index 90df3810..fb7a5f05 100644
--- a/ctrtool/ivfc.c
+++ b/ctrtool/ivfc.c
@@ -31,11 +31,47 @@ void ivfc_set_file(ivfc_context* ctx, FILE* file)
 	ctx->file = file;
 }
 
+void ivfc_set_encrypted(ivfc_context* ctx, u32 encrypted)
+{
+	ctx->encrypted = encrypted;
+}
+
+void ivfc_set_key(ivfc_context* ctx, u8 key[16])
+{
+	memcpy(ctx->key, key, 16);
+}
+
+void ivfc_set_counter(ivfc_context* ctx, u8 counter[16])
+{
+	memcpy(ctx->counter, counter, 16);
+}
+
+void ivfc_fseek(ivfc_context* ctx, u64 offset)
+{
+	u64 data_pos = offset - ctx->offset;
+	fseeko64(ctx->file, offset, SEEK_SET);
+	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
+	ctr_add_counter(&ctx->aes, data_pos / 0x10);
+}
+
+size_t ivfc_fread(ivfc_context* ctx, void* buffer, size_t size, size_t count)
+{
+	size_t read;
+	if ((read = fread(buffer, size, count, ctx->file)) != count) {
+		//printf("ivfc_fread() fail\n");
+		return read;
+	}
+	if (ctx->encrypted) {
+		ctr_crypt_counter(&ctx->aes, buffer, buffer, size*read);
+	}
+	return read;
+}
+
 
 void ivfc_process(ivfc_context* ctx, u32 actions)
 {
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread(&ctx->header, 1, sizeof(ivfc_header), ctx->file);
+	ivfc_fseek(ctx, ctx->offset);
+	ivfc_fread(ctx, &ctx->header, 1, sizeof(ivfc_header));
 
 	if (getle32(ctx->header.magic) != MAGIC_IVFC)
 	{
@@ -45,25 +81,23 @@ void ivfc_process(ivfc_context* ctx, u32 actions)
 
 	if (getle32(ctx->header.id) == 0x10000)
 	{
-		fread(&ctx->romfsheader, 1, sizeof(ivfc_header_romfs), ctx->file);
-
 		ctx->levelcount = 3;
 
-		ctx->level[2].hashblocksize = 1 << getle32(ctx->romfsheader.level3.blocksize);
-		ctx->level[1].hashblocksize = 1 << getle32(ctx->romfsheader.level2.blocksize);
-		ctx->level[0].hashblocksize = 1 << getle32(ctx->romfsheader.level1.blocksize);
+		ctx->level[2].hashblocksize = 1 << getle32(ctx->header.level3.blocksize);
+		ctx->level[1].hashblocksize = 1 << getle32(ctx->header.level2.blocksize);
+		ctx->level[0].hashblocksize = 1 << getle32(ctx->header.level1.blocksize);
 
-		ctx->bodyoffset = align64(IVFC_HEADER_SIZE + getle32(ctx->romfsheader.masterhashsize), ctx->level[2].hashblocksize);
-		ctx->bodysize = getle64(ctx->romfsheader.level3.hashdatasize);
+		ctx->bodyoffset = align64(IVFC_HEADER_SIZE + getle32(ctx->header.masterhashsize), ctx->level[2].hashblocksize);
+		ctx->bodysize = getle64(ctx->header.level3.hashdatasize);
 		
 		ctx->level[2].dataoffset = ctx->bodyoffset;
 		ctx->level[2].datasize = align64(ctx->bodysize, ctx->level[2].hashblocksize);
 
 		ctx->level[0].dataoffset = ctx->level[2].dataoffset + ctx->level[2].datasize;
-		ctx->level[0].datasize = align64(getle64(ctx->romfsheader.level1.hashdatasize), ctx->level[0].hashblocksize);
+		ctx->level[0].datasize = align64(getle64(ctx->header.level1.hashdatasize), ctx->level[0].hashblocksize);
 
 		ctx->level[1].dataoffset = ctx->level[0].dataoffset + ctx->level[0].datasize;
-		ctx->level[1].datasize = align64(getle64(ctx->romfsheader.level2.hashdatasize), ctx->level[1].hashblocksize);
+		ctx->level[1].datasize = align64(getle64(ctx->header.level2.hashdatasize), ctx->level[1].hashblocksize);
 
 		ctx->level[0].hashoffset = IVFC_HEADER_SIZE;
 		ctx->level[1].hashoffset = ctx->level[0].dataoffset;
@@ -125,8 +159,8 @@ void ivfc_read(ivfc_context* ctx, u64 offset, u64 size, u8* buffer)
 		return;
 	}
 
-	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	if (size != fread(buffer, 1, size, ctx->file))
+	ivfc_fseek(ctx, ctx->offset + offset);
+	if (size != ivfc_fread(ctx, buffer, 1, size))
 	{
 		fprintf(stderr, "Error, IVFC could not read file\n");
 		return;
diff --git a/ctrtool/ivfc.h b/ctrtool/ivfc.h
index 5c0aa1b1..9662f45e 100644
--- a/ctrtool/ivfc.h
+++ b/ctrtool/ivfc.h
@@ -2,18 +2,13 @@
 #define __IVFC_H__
 
 #include "types.h"
+#include "ctr.h"
 #include "settings.h"
 
 #define IVFC_HEADER_SIZE 0x60
 #define IVFC_MAX_LEVEL 4
 #define IVFC_MAX_BUFFERSIZE 0x4000
 
-typedef struct
-{
-	u8 magic[4];
-	u8 id[4];
-} ivfc_header;
-
 typedef struct
 {
 	u8 logicaloffset[8];
@@ -33,13 +28,15 @@ typedef struct
 
 typedef struct
 {
+	u8 magic[4];
+	u8 id[4];
 	u8 masterhashsize[4];
 	ivfc_levelheader level1;
 	ivfc_levelheader level2;
 	ivfc_levelheader level3;
 	u8 reserved[4];
 	u8 optionalsize[4];
-} ivfc_header_romfs;
+} ivfc_header;
 
 typedef struct
 {
@@ -47,9 +44,12 @@ typedef struct
 	u64 offset;
 	u64 size;
 	settings* usersettings;
+	u8 counter[16];
+	u8 key[16];
+	ctr_aes_context aes;
+	int encrypted;
 
 	ivfc_header header;
-	ivfc_header_romfs romfsheader;
 
 	u32 levelcount;
 	ivfc_level level[IVFC_MAX_LEVEL];
@@ -64,6 +64,12 @@ void ivfc_set_offset(ivfc_context* ctx, u64 offset);
 void ivfc_set_size(ivfc_context* ctx, u64 size);
 void ivfc_set_file(ivfc_context* ctx, FILE* file);
 void ivfc_set_usersettings(ivfc_context* ctx, settings* usersettings);
+void ivfc_set_encrypted(ivfc_context* ctx, u32 encrypted);
+void ivfc_set_key(ivfc_context* ctx, u8 key[16]);
+void ivfc_set_counter(ivfc_context* ctx, u8 counter[16]);
+void ivfc_fseek(ivfc_context* ctx, u64 offset);
+size_t ivfc_fread(ivfc_context* ctx, void* buffer, size_t size, size_t count);
+
 void ivfc_verify(ivfc_context* ctx, u32 flags);
 void ivfc_print(ivfc_context* ctx);
 
diff --git a/ctrtool/main.c b/ctrtool/main.c
index 25b688d5..4a7199be 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -64,11 +64,14 @@ static void usage(const char *argv0)
 		   "  --lzssout=file	 Specify lzss output file\n"
 		   "CXI/CCI options:\n"
 		   "  -n, --ncch=index   Specify NCCH partition index.\n"
+		   "  --exheader=file    Specify Extended Header file path.\n"
+		   "  --logo=file        Specify Logo file path.\n"
+		   "  --plainrgn=file    Specify Plain region file path"
 		   "  --exefs=file       Specify ExeFS file path.\n"
 		   "  --exefsdir=dir     Specify ExeFS directory path.\n"
 		   "  --romfs=file       Specify RomFS file path.\n"
-		   "  --exheader=file    Specify Extended Header file path.\n"
-		   "  --logo=file        Specify Logo file path.\n"
+		   "  --romfsdir=dir     Specify RomFS directory path.\n"
+		   "  --listromfs        List files in RomFS.\n" 
 		   "CIA options:\n"
 		   "  --certs=file       Specify Certificate chain file path.\n"
 		   "  --tik=file         Specify Ticket file path.\n"
@@ -83,9 +86,6 @@ static void usage(const char *argv0)
 		   "EXEFS options:\n"
 		   "  --decompresscode   Decompress .code section\n"
 		   "                     (only needed when using raw EXEFS file)\n"
-		   "ROMFS options:\n"
-		   "  --romfsdir=dir     Specify RomFS directory path.\n"
-		   "  --listromfs        List files in RomFS.\n"
            "\n",
 		   __TIME__, __DATE__, argv0);
    exit(1);
@@ -149,6 +149,7 @@ int main(int argc, char* argv[])
 			{"logo", 1, NULL, 20},
 			{"decompresscode", 0, NULL, 21},
 			{"titlekey", 1, NULL, 22},
+			{"plainrgn", 1, NULL, 23},
 			{NULL},
 		};
 
@@ -237,6 +238,7 @@ int main(int argc, char* argv[])
 			case 20: settings_set_logo_path(&ctx.usersettings, optarg); break;
 			case 21: ctx.actions |= DecompressCodeFlag; break;
 			case 22: keyset_parse_titlekey(&tmpkeys, optarg, strlen(optarg)); break;
+			case 23: settings_set_plainrgn_path(&ctx.usersettings, optarg); break;
 
 			default:
 				usage(argv[0]);
@@ -452,6 +454,7 @@ int main(int argc, char* argv[])
 			romfs_set_file(&romfsctx, ctx.infile);
 			romfs_set_size(&romfsctx, ctx.infilesize);
 			romfs_set_usersettings(&romfsctx, &ctx.usersettings);
+			romfs_set_encrypted(&romfsctx, 0);
 			romfs_process(&romfsctx, ctx.actions);
 	
 			break;
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 991afc3a..7c06b231 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -116,6 +116,13 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 		}
 		break;
 
+		case NCCHTYPE_PLAINRGN:
+		{
+			offset = ncch_get_plainrgn_offset(ctx);
+			size = ncch_get_plainrgn_size(ctx);
+		}
+		break;
+
 		default:
 		{
 			fprintf(stderr, "Error invalid NCCH type\n");
@@ -181,6 +188,7 @@ void ncch_save(ncch_context* ctx, u32 type, u32 flags)
 		case NCCHTYPE_ROMFS: path = settings_get_romfs_path(ctx->usersettings); break;
 		case NCCHTYPE_EXHEADER: path = settings_get_exheader_path(ctx->usersettings); break;
 		case NCCHTYPE_LOGO: path = settings_get_logo_path(ctx->usersettings); break;
+		case NCCHTYPE_PLAINRGN: path = settings_get_plainrgn_path(ctx->usersettings); break;
 	}
 
 	if (path == 0 || path->valid == 0)
@@ -199,13 +207,14 @@ void ncch_save(ncch_context* ctx, u32 type, u32 flags)
 		case NCCHTYPE_ROMFS: fprintf(stdout, "Saving RomFS...\n"); break;
 		case NCCHTYPE_EXHEADER: fprintf(stdout, "Saving Extended Header...\n"); break;
 		case NCCHTYPE_LOGO: fprintf(stdout, "Saving Logo...\n"); break;
+		case NCCHTYPE_PLAINRGN: fprintf(stdout, "Saving Plain Region...\n"); break;
 	}
 
 	while(1)
 	{
 		u32 read_len;
 
-		if (0 == ncch_extract_buffer(ctx, buffer, sizeof(buffer), &read_len, type == NCCHTYPE_LOGO))
+		if (0 == ncch_extract_buffer(ctx, buffer, sizeof(buffer), &read_len, type == NCCHTYPE_LOGO || type == NCCHTYPE_PLAINRGN))
 			goto clean;
 
 		if (read_len == 0)
@@ -304,6 +313,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 {
 	u8 exheadercounter[16];
 	u8 exefscounter[16];
+	u8 romfscounter[16];
 	int result = 1;
 
 
@@ -320,6 +330,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 
 	ncch_get_counter(ctx, exheadercounter, NCCHTYPE_EXHEADER);
 	ncch_get_counter(ctx, exefscounter, NCCHTYPE_EXEFS);
+	ncch_get_counter(ctx, romfscounter, NCCHTYPE_ROMFS);
 
 
 	exheader_set_file(&ctx->exheader, ctx->file);
@@ -342,6 +353,14 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	exefs_set_key(&ctx->exefs, ctx->key);
 	exefs_set_encrypted(&ctx->exefs, ctx->encrypted);
 
+	romfs_set_file(&ctx->romfs, ctx->file);
+	romfs_set_offset(&ctx->romfs, ncch_get_romfs_offset(ctx));
+	romfs_set_size(&ctx->romfs, ncch_get_romfs_size(ctx));
+	romfs_set_usersettings(&ctx->romfs, ctx->usersettings);
+	romfs_set_counter(&ctx->romfs, romfscounter);
+	romfs_set_key(&ctx->romfs, ctx->key);
+	romfs_set_encrypted(&ctx->romfs, ctx->encrypted);
+
 	exheader_read(&ctx->exheader, actions);
 
 
@@ -357,6 +376,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 		ncch_save(ctx, NCCHTYPE_ROMFS, actions);
 		ncch_save(ctx, NCCHTYPE_EXHEADER, actions);
 		ncch_save(ctx, NCCHTYPE_LOGO, actions);
+		ncch_save(ctx, NCCHTYPE_PLAINRGN, actions);
 	}
 
 
@@ -374,6 +394,11 @@ void ncch_process(ncch_context* ctx, u32 actions)
 			exefs_set_compressedflag(&ctx->exefs, exheader_get_compressedflag(&ctx->exheader));
 		exefs_process(&ctx->exefs, actions);
 	}
+
+	if (result && ncch_get_romfs_size(ctx))
+	{
+		romfs_process(&ctx->romfs, actions);
+	}
 }
 
 int ncch_signature_verify(ncch_context* ctx, rsakey2048* key)
@@ -425,6 +450,17 @@ u64 ncch_get_logo_size(ncch_context* ctx)
 	return getle32(ctx->header.logosize) * ncch_get_mediaunit_size(ctx);
 }
 
+u64 ncch_get_plainrgn_offset(ncch_context* ctx)
+{
+	return ctx->offset + getle32(ctx->header.plainregionoffset) * ncch_get_mediaunit_size(ctx);
+}
+
+u64 ncch_get_plainrgn_size(ncch_context* ctx)
+{
+	return getle32(ctx->header.plainregionsize) * ncch_get_mediaunit_size(ctx);
+}
+
+
 u64 ncch_get_mediaunit_size(ncch_context* ctx)
 {
 	unsigned int mediaunitsize = settings_get_mediaunit_size(ctx->usersettings);
diff --git a/ctrtool/ncch.h b/ctrtool/ncch.h
index 4bad2be1..64dc4901 100644
--- a/ctrtool/ncch.h
+++ b/ctrtool/ncch.h
@@ -7,6 +7,7 @@
 #include "filepath.h"
 #include "ctr.h"
 #include "exefs.h"
+#include "romfs.h"
 #include "exheader.h"
 #include "settings.h"
 
@@ -16,6 +17,7 @@ typedef enum
 	NCCHTYPE_EXEFS = 2,
 	NCCHTYPE_ROMFS = 3,
 	NCCHTYPE_LOGO = 4,
+	NCCHTYPE_PLAINRGN = 5,
 } ctr_ncchtypes;
 
 typedef struct
@@ -63,6 +65,7 @@ typedef struct
 	ctr_ncchheader header;
 	ctr_aes_context aes;
 	exefs_context exefs;
+	romfs_context romfs;
 	exheader_context exheader;
 	int exefshashcheck;
 	int romfshashcheck;
@@ -87,6 +90,8 @@ u64 ncch_get_exheader_offset(ncch_context* ctx);
 u64 ncch_get_exheader_size(ncch_context* ctx);
 u64 ncch_get_logo_offset(ncch_context* ctx);
 u64 ncch_get_logo_size(ncch_context* ctx);
+u64 ncch_get_plainrgn_offset(ncch_context* ctx);
+u64 ncch_get_plainrgn_size(ncch_context* ctx);
 void ncch_print(ncch_context* ctx);
 int ncch_signature_verify(ncch_context* ctx, rsakey2048* key);
 void ncch_verify(ncch_context* ctx, u32 flags);
diff --git a/ctrtool/romfs.c b/ctrtool/romfs.c
index 05ce5c60..5889bdc4 100644
--- a/ctrtool/romfs.c
+++ b/ctrtool/romfs.c
@@ -30,7 +30,41 @@ void romfs_set_usersettings(romfs_context* ctx, settings* usersettings)
 	ctx->usersettings = usersettings;
 }
 
+void romfs_set_encrypted(romfs_context* ctx, u32 encrypted)
+{
+	ctx->encrypted = encrypted;
+}
+
+void romfs_set_key(romfs_context* ctx, u8 key[16])
+{
+	memcpy(ctx->key, key, 16);
+}
 
+void romfs_set_counter(romfs_context* ctx, u8 counter[16])
+{
+	memcpy(ctx->counter, counter, 16);
+}
+
+void romfs_fseek(romfs_context* ctx, u64 offset)
+{
+	u64 data_pos = offset - ctx->offset;
+	fseeko64(ctx->file, offset, SEEK_SET);
+	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
+	ctr_add_counter(&ctx->aes, data_pos / 0x10);
+}
+
+size_t romfs_fread(romfs_context* ctx, void* buffer, size_t size, size_t count)
+{
+	size_t read;
+	if ((read = fread(buffer, size, count, ctx->file)) != count) {
+		//printf("romfs_fread() fail\n");
+		return read;
+	}
+	if (ctx->encrypted) {
+		ctr_crypt_counter(&ctx->aes, buffer, buffer, size*read);
+	}
+	return read;
+}
 
 void romfs_process(romfs_context* ctx, u32 actions)
 {
@@ -39,15 +73,17 @@ void romfs_process(romfs_context* ctx, u32 actions)
 	u32 fileblockoffset = 0;
 	u32 fileblocksize = 0;
 
-
 	ivfc_set_offset(&ctx->ivfc, ctx->offset);
 	ivfc_set_size(&ctx->ivfc, ctx->size);
 	ivfc_set_file(&ctx->ivfc, ctx->file);
 	ivfc_set_usersettings(&ctx->ivfc, ctx->usersettings);
+	ivfc_set_counter(&ctx->ivfc, ctx->counter);
+	ivfc_set_key(&ctx->ivfc, ctx->key);
+	ivfc_set_encrypted(&ctx->ivfc, ctx->encrypted);
 	ivfc_process(&ctx->ivfc, actions);
 
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread(&ctx->header, 1, sizeof(romfs_header), ctx->file);
+	romfs_fseek(ctx, ctx->offset);
+	romfs_fread(ctx, &ctx->header, 1, sizeof(romfs_header));
 
 	if (getle32(ctx->header.magic) != MAGIC_IVFC)
 	{
@@ -57,8 +93,8 @@ void romfs_process(romfs_context* ctx, u32 actions)
 
 	ctx->infoblockoffset = ctx->offset + 0x1000;
 
-	fseeko64(ctx->file, ctx->infoblockoffset, SEEK_SET);
-	fread(&ctx->infoheader, 1, sizeof(romfs_infoheader), ctx->file);
+	romfs_fseek(ctx, ctx->infoblockoffset);
+	romfs_fread(ctx, &ctx->infoheader, 1, sizeof(romfs_infoheader));
 	
 	if (getle32(ctx->infoheader.headersize) != sizeof(romfs_infoheader))
 	{
@@ -71,24 +107,24 @@ void romfs_process(romfs_context* ctx, u32 actions)
 	fileblockoffset = ctx->infoblockoffset + getle32(ctx->infoheader.section[3].offset);
 	fileblocksize = getle32(ctx->infoheader.section[3].size);
 
+	u32 hdrsize = getle32(ctx->infoheader.dataoffset);
+	u8 *block = malloc(hdrsize);
+	romfs_fseek(ctx, ctx->infoblockoffset);
+	romfs_fread(ctx, block, hdrsize, 1);
+
 	ctx->dirblock = malloc(dirblocksize);
 	ctx->dirblocksize = dirblocksize;
+	if(ctx->dirblock)
+		memcpy(ctx->dirblock, block + getle32(ctx->infoheader.section[1].offset), dirblocksize);
+
 	ctx->fileblock = malloc(fileblocksize);
 	ctx->fileblocksize = fileblocksize;
+	if (ctx->fileblock)
+		memcpy(ctx->fileblock, block + getle32(ctx->infoheader.section[3].offset), fileblocksize);
 
-	ctx->datablockoffset = ctx->infoblockoffset + getle32(ctx->infoheader.dataoffset);
-
-	if (ctx->dirblock)
-	{
-		fseeko64(ctx->file, dirblockoffset, SEEK_SET);
-		fread(ctx->dirblock, 1, dirblocksize, ctx->file);
-	}
+	free(block);
 
-	if (ctx->fileblock)
-	{
-		fseeko64(ctx->file, fileblockoffset, SEEK_SET);
-		fread(ctx->fileblock, 1, fileblocksize, ctx->file);
-	}
+	ctx->datablockoffset = ctx->infoblockoffset + getle32(ctx->infoheader.dataoffset);
 
 	if (actions & InfoFlag)
 		romfs_print(ctx);
@@ -315,7 +351,7 @@ void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, const osch
 
 	offset += ctx->datablockoffset;
 
-	fseeko64(ctx->file, offset, SEEK_SET);
+	romfs_fseek(ctx, offset);
 	outfile = os_fopen(path, OS_MODE_WRITE);
 	if (outfile == NULL)
 	{
@@ -329,7 +365,7 @@ void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, const osch
 		if (max > size)
 			max = size;
 
-		if (max != fread(buffer, 1, max, ctx->file))
+		if (max != romfs_fread(ctx, buffer, 1, max))
 		{
 			fprintf(stderr, "Error reading file\n");
 			goto clean;
diff --git a/ctrtool/romfs.h b/ctrtool/romfs.h
index c560ab4b..7706be59 100644
--- a/ctrtool/romfs.h
+++ b/ctrtool/romfs.h
@@ -57,6 +57,8 @@ typedef struct
 	FILE* file;
 	oschar_t* extractdir;
 	settings* usersettings;
+	u8 counter[16];
+	u8 key[16];
 	u64 offset;
 	u64 size;
 	romfs_header header;
@@ -70,6 +72,8 @@ typedef struct
 	romfs_direntry direntry;
 	romfs_fileentry fileentry;
 	ivfc_context ivfc;
+	ctr_aes_context aes;
+	int encrypted;
 } romfs_context;
 
 void romfs_init(romfs_context* ctx);
@@ -77,7 +81,11 @@ void romfs_set_file(romfs_context* ctx, FILE* file);
 void romfs_set_offset(romfs_context* ctx, u64 offset);
 void romfs_set_size(romfs_context* ctx, u64 size);
 void romfs_set_usersettings(romfs_context* ctx, settings* usersettings);
-void romfs_test(romfs_context* ctx);
+void romfs_set_encrypted(romfs_context* ctx, u32 encrypted);
+void romfs_set_key(romfs_context* ctx, u8 key[16]);
+void romfs_set_counter(romfs_context* ctx, u8 counter[16]);
+void romfs_fseek(romfs_context* ctx, u64 offset);
+size_t romfs_fread(romfs_context* ctx, void* buffer, size_t size, size_t count);
 int  romfs_dirblock_read(romfs_context* ctx, u32 diroffset, u32 dirsize, void* buffer);
 int  romfs_dirblock_readentry(romfs_context* ctx, u32 diroffset, romfs_direntry* entry);
 int  romfs_fileblock_read(romfs_context* ctx, u32 fileoffset, u32 filesize, void* buffer);
diff --git a/ctrtool/settings.c b/ctrtool/settings.c
index cbc7aec1..7888d545 100644
--- a/ctrtool/settings.c
+++ b/ctrtool/settings.c
@@ -120,6 +120,14 @@ filepath* settings_get_content_path(settings* usersettings)
 		return 0;
 }
 
+filepath* settings_get_plainrgn_path(settings* usersettings)
+{
+	if (usersettings)
+		return &usersettings->plainrgnpath;
+	else
+		return 0;
+}
+
 unsigned int settings_get_mediaunit_size(settings* usersettings)
 {
 	if (usersettings)
@@ -255,6 +263,11 @@ void settings_set_romfs_dir_path(settings* usersettings, const char* path)
 	filepath_set(&usersettings->romfsdirpath, path);
 }
 
+void settings_set_plainrgn_path(settings* usersettings, const char* path)
+{
+	filepath_set(&usersettings->plainrgnpath, path);
+}
+
 void settings_set_mediaunit_size(settings* usersettings, unsigned int size)
 {
 	usersettings->mediaunitsize = size;
diff --git a/ctrtool/settings.h b/ctrtool/settings.h
index c75bb94b..30b42d22 100644
--- a/ctrtool/settings.h
+++ b/ctrtool/settings.h
@@ -15,6 +15,7 @@ typedef struct
 	filepath romfsdirpath;
 	filepath exheaderpath;
 	filepath logopath;
+	filepath plainrgnpath;
 	filepath certspath;
 	filepath contentpath;
 	filepath tikpath;
@@ -43,6 +44,7 @@ filepath* settings_get_exefs_dir_path(settings* usersettings);
 filepath* settings_get_romfs_dir_path(settings* usersettings);
 filepath* settings_get_firm_dir_path(settings* usersettings);
 filepath* settings_get_wav_path(settings* usersettings);
+filepath* settings_get_plainrgn_path(settings* usersettings);
 unsigned int settings_get_mediaunit_size(settings* usersettings);
 unsigned char* settings_get_ncch_key(settings* usersettings);
 unsigned char* settings_get_ncch_fixedsystemkey(settings* usersettings);
@@ -66,6 +68,7 @@ void settings_set_exefs_dir_path(settings* usersettings, const char* path);
 void settings_set_romfs_dir_path(settings* usersettings, const char* path);
 void settings_set_firm_dir_path(settings* usersettings, const char* path);
 void settings_set_wav_path(settings* usersettings, const char* path);
+void settings_set_plainrgn_path(settings* usersettings, const char* path);
 void settings_set_mediaunit_size(settings* usersettings, unsigned int size);
 void settings_set_ignore_programid(settings* usersettings, int enable);
 void settings_set_list_romfs_files(settings* usersettings, int enable);
diff --git a/ctrtool/utils.c b/ctrtool/utils.c
index d2d4adb6..cfaf184b 100644
--- a/ctrtool/utils.c
+++ b/ctrtool/utils.c
@@ -84,6 +84,43 @@ void putle32(u8* p, u32 n)
 	p[3] = n>>24;
 }
 
+void putle64(u8* p, u64 n)
+{
+	p[0] = n;
+	p[1] = n >> 8;
+	p[2] = n >> 16;
+	p[3] = n >> 24;
+	p[4] = n >> 32;
+	p[5] = n >> 40;
+	p[6] = n >> 48;
+	p[7] = n >> 56;
+}
+
+void putbe16(u8* p, u16 n)
+{
+	p[1] = n;
+	p[0] = n >> 8;
+}
+
+void putbe32(u8* p, u32 n)
+{
+	p[3] = n;
+	p[2] = n >> 8;
+	p[1] = n >> 16;
+	p[0] = n >> 24;
+}
+
+void putbe64(u8* p, u64 n)
+{
+	p[7] = n;
+	p[6] = n >> 8;
+	p[5] = n >> 16;
+	p[4] = n >> 24;
+	p[3] = n >> 32;
+	p[2] = n >> 40;
+	p[1] = n >> 48;
+	p[0] = n >> 56;
+}
 
 void readkeyfile(u8* key, const char* keyfname)
 {
diff --git a/ctrtool/utils.h b/ctrtool/utils.h
index 519a95e5..4d766aac 100644
--- a/ctrtool/utils.h
+++ b/ctrtool/utils.h
@@ -27,6 +27,10 @@ u32 getbe32(const u8* p);
 u32 getbe16(const u8* p);
 void putle16(u8* p, u16 n);
 void putle32(u8* p, u32 n);
+void putle64(u8* p, u64 n);
+void putbe16(u8* p, u16 n);
+void putbe32(u8* p, u32 n);
+void putbe64(u8* p, u64 n);
 
 void readkeyfile(u8* key, const char* keyfname);
 void memdump(FILE* fout, const char* prefix, const u8* data, u32 size);

From 2f81642a69b4f5cc0f7e5d312aadee3b19544e4b Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 26 Nov 2015 14:26:01 +0800
Subject: [PATCH 134/317] [ctrtool] Misc.

---
 ctrtool/utils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ctrtool/utils.c b/ctrtool/utils.c
index cfaf184b..1f21f073 100644
--- a/ctrtool/utils.c
+++ b/ctrtool/utils.c
@@ -1,4 +1,5 @@
 #include <stdio.h>
+#include <string.h>
 #include <sys/stat.h>
 #ifdef _WIN32
 #include <direct.h>

From b17804b6857d94f885811f5bd494bf6cade6f5cc Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 26 Nov 2015 19:53:19 +0800
Subject: [PATCH 135/317] [ctrtool/makerom] Silenced warnings, fixed compiling
 on systems with libiconv installed.

---
 ctrtool/Makefile | 2 +-
 ctrtool/oschar.c | 1 +
 makerom/Makefile | 2 +-
 makerom/oschar.c | 3 +++
 4 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 165afc5e..73bd2051 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c))) $(foreach
 # Compiler Settings
 LIBS = -static-libgcc -static-libstdc++
 CXXFLAGS = -I. 
-CFLAGS = -O2 -flto -Wall -Wno-unused-variable -Wno-unused-but-set-variable -I.
+CFLAGS = -O2 -flto -Wall -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-result -I.
 OUTPUT = ctrtool
 CC = gcc
 CXX = g++
diff --git a/ctrtool/oschar.c b/ctrtool/oschar.c
index 1ef05ddb..715eab3d 100644
--- a/ctrtool/oschar.c
+++ b/ctrtool/oschar.c
@@ -1,5 +1,6 @@
 #include <stdlib.h>
 #ifndef _WIN32
+#define LIBICONV_PLUG
 #include <iconv.h>
 #endif
 #include "oschar.h"
diff --git a/makerom/Makefile b/makerom/Makefile
index e68a81c4..19d05055 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 # Compiler Settings
 LIBS = -static-libgcc
 CXXFLAGS = -I.
-CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-but-set-variable -Wno-unused-value -I. $(MAKEROM_BUILD_FLAGS)
+CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-but-set-variable -Wno-unused-value -Wno-unused-result -I. $(MAKEROM_BUILD_FLAGS)
 CC = gcc
 CXX = g++
 
diff --git a/makerom/oschar.c b/makerom/oschar.c
index 1ef05ddb..f850ef38 100644
--- a/makerom/oschar.c
+++ b/makerom/oschar.c
@@ -1,5 +1,6 @@
 #include <stdlib.h>
 #ifndef _WIN32
+#define LIBICONV_PLUG
 #include <iconv.h>
 #endif
 #include "oschar.h"
@@ -134,6 +135,7 @@ utf16char_t* strcopy_UTF8toUTF16(const char *src)
 
 	iconv_t cd = iconv_open("UTF-16LE", "UTF-8");
 	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	iconv_close(cd);
 	return dst;
 }
 
@@ -162,6 +164,7 @@ char* strcopy_UTF16toUTF8(const utf16char_t *src)
 
 	iconv_t cd = iconv_open("UTF-8", "UTF-16LE");
 	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	iconv_close(cd);
 	return dst;
 }
 #endif

From acb8c37d36ee18ef2f5c2ca0b2ceb983ae0b1eed Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 26 Nov 2015 19:59:02 +0800
Subject: [PATCH 136/317] [ctrtool] Misc

---
 ctrtool/oschar.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ctrtool/oschar.c b/ctrtool/oschar.c
index 715eab3d..f850ef38 100644
--- a/ctrtool/oschar.c
+++ b/ctrtool/oschar.c
@@ -135,6 +135,7 @@ utf16char_t* strcopy_UTF8toUTF16(const char *src)
 
 	iconv_t cd = iconv_open("UTF-16LE", "UTF-8");
 	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	iconv_close(cd);
 	return dst;
 }
 
@@ -163,6 +164,7 @@ char* strcopy_UTF16toUTF8(const utf16char_t *src)
 
 	iconv_t cd = iconv_open("UTF-8", "UTF-16LE");
 	iconv(cd, &in, &in_bytes, &out, &out_bytes);
+	iconv_close(cd);
 	return dst;
 }
 #endif

From 94c4ba7b93310ade282f214e8e0c289b93620858 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 1 Dec 2015 13:04:50 +0800
Subject: [PATCH 137/317] [makerom] Altered encryption preferences for
 different keychains.

---
 makerom/user_settings.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 8eada633..2d2753ca 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -175,16 +175,24 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		if (strcasecmp(argv[i + 1], "test") == 0 || strcasecmp(argv[i + 1], "t") == 0)
+		if (strcasecmp(argv[i + 1], "test") == 0 || strcasecmp(argv[i + 1], "t") == 0) {
 			set->common.keys.keyset = pki_TEST;
-		//else if(strcasecmp(argv[i+1],"beta") == 0 || strcasecmp(argv[i+1],"b") == 0)
+			set->common.rsfSet.Option.EnableCrypt = false; // prefer unencrypted output
+		}
+		//else if(strcasecmp(argv[i+1],"beta") == 0 || strcasecmp(argv[i+1],"b") == 0) {
 		//	set->common.keys.keyset = pki_BETA;
-		else if (strcasecmp(argv[i + 1], "debug") == 0 || strcasecmp(argv[i + 1], "development") == 0 || strcasecmp(argv[i + 1], "d") == 0)
+		//}
+		else if (strcasecmp(argv[i + 1], "debug") == 0 || strcasecmp(argv[i + 1], "development") == 0 || strcasecmp(argv[i + 1], "d") == 0) {
 			set->common.keys.keyset = pki_DEVELOPMENT;
-		else if (strcasecmp(argv[i + 1], "retail") == 0 || strcasecmp(argv[i + 1], "production") == 0 || strcasecmp(argv[i + 1], "p") == 0)
+			set->common.rsfSet.Option.EnableCrypt = true; // prefer encrypted output
+		}
+		else if (strcasecmp(argv[i + 1], "retail") == 0 || strcasecmp(argv[i + 1], "production") == 0 || strcasecmp(argv[i + 1], "p") == 0) {
 			set->common.keys.keyset = pki_PRODUCTION;
-		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0)
+			set->common.rsfSet.Option.EnableCrypt = true; // prefer encrypted output
+		}
+		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0) {
 		//	set->common.keys.keyset = pki_CUSTOM;
+		//}
 		else {
 			fprintf(stderr, "[SETTING ERROR] Unrecognised target '%s'\n", argv[i + 1]);
 			return USR_BAD_ARG;

From 4d9f77b399ea27a881f6a30af788a644a0de8c53 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 17 Dec 2015 16:13:50 +0800
Subject: [PATCH 138/317] [makerom] misc

---
 makerom/makerom.sln     | 2 +-
 makerom/makerom.vcxproj | 2 +-
 makerom/user_settings.c | 4 +---
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/makerom/makerom.sln b/makerom/makerom.sln
index ff089e36..ab515c70 100644
--- a/makerom/makerom.sln
+++ b/makerom/makerom.sln
@@ -1,7 +1,7 @@
 
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 14
-VisualStudioVersion = 14.0.23107.0
+VisualStudioVersion = 14.0.24720.0
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "makerom", "makerom.vcxproj", "{21926330-F5A5-4643-AD32-D4F167CE226B}"
 EndProject
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index 896eb095..fa3547f7 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -67,7 +67,7 @@
     <NMakeCleanCommandLine>make clean</NMakeCleanCommandLine>
     <NMakeReBuildCommandLine>make rebuild</NMakeReBuildCommandLine>
     <NMakePreprocessorDefinitions>WIN32;_DEBUG;$(NMakePreprocessorDefinitions)</NMakePreprocessorDefinitions>
-    <IncludePath>C:\Program Files\mingw-w64\x86_64-4.9.2-win32-seh-rt_v4-rev2\mingw64\x86_64-w64-mingw32\include</IncludePath>
+    <IncludePath>C:\mingw\mingw64\x86_64-w64-mingw32\include</IncludePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <NMakeBuildCommandLine>make</NMakeBuildCommandLine>
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 2d2753ca..21a6eed4 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -49,14 +49,12 @@ int ParseArgs(int argc, char *argv[], user_settings *set)
 
 	// Parsing Arguments
 	int set_result;
-	int i = 1;
-	while (i < argc) {
+	for (int i = 1; i < argc; i += set_result) {
 		set_result = SetArgument(argc, i, argv, set);
 		if (set_result < 1) {
 			fprintf(stderr, "[RESULT] Invalid arguments, see '%s -help'\n", argv[0]);
 			return set_result;
 		}
-		i += set_result;
 	}
 
 	// Checking arguments

From 83d4a1fcf30d15547080a9a63c80e7d665604bc2 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 17 Dec 2015 16:20:03 +0800
Subject: [PATCH 139/317] [makerom] Fixed ELF related code. Addresses #14

---
 makerom/code.c          | 246 ++++++++++++++--------------------------
 makerom/elf.c           | 234 ++++++++++----------------------------
 makerom/elf.h           |  69 +++++------
 makerom/rsf_settings.c  |   4 -
 makerom/user_settings.h |   3 -
 5 files changed, 165 insertions(+), 391 deletions(-)

diff --git a/makerom/code.c b/makerom/code.c
index 07ee74a7..22b64bf0 100644
--- a/makerom/code.c
+++ b/makerom/code.c
@@ -5,32 +5,33 @@
 #include "exheader_read.h"
 #include "code.h"
 
-const char *SDK_PLAINREGION_SEGMENT_NAME = ".module_id";
+const u32 CTR_PAGE_SIZE = 0x1000;
+const u32 DEFAULT_STACK_SIZE = 0x4000; // 10KB
 
 typedef struct code_segment
 {
 	u32 address;
+	u32 memSize;
+	u32 pageNum;
+
 	u32 size;
-	u32 maxPageNum;
 	u8 *data;
 } code_segment;
 
-u32 GetPageSize(ncch_settings *set)
+u32 SizeToPage(u32 memorySize)
 {
-	if (set->rsfSet->Option.PageSize)
-		return strtoul(set->rsfSet->Option.PageSize, NULL, 10);
-	return 0x1000;
+	return align(memorySize, CTR_PAGE_SIZE) / CTR_PAGE_SIZE;
 }
 
-u32 SizeToPage(u32 memorySize, elf_context *elf)
+u32 PageToSize(u32 pageNum)
 {
-	return align(memorySize, elf->pageSize) / elf->pageSize;
+	return pageNum * CTR_PAGE_SIZE;
 }
 
 int ImportPlainRegionFromFile(ncch_settings *set)
 {
 	set->sections.plainRegion.size = align(set->componentFilePtrs.plainregionSize, set->options.blockSize);
-	set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
+	set->sections.plainRegion.buffer = calloc(set->sections.plainRegion.size, 1);
 	if (!set->sections.plainRegion.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
 	ReadFile64(set->sections.plainRegion.buffer, set->componentFilePtrs.plainregionSize, 0, set->componentFilePtrs.plainregion);
 	return 0;
@@ -99,117 +100,61 @@ int ImportExeFsCodeBinaryFromFile(ncch_settings *set)
 	return 0;
 }
 
-int GetBSSFromElf(elf_context *elf, ncch_settings *set)
+int ImportPlainRegionFromElf(elf_context *elf, ncch_settings *set)
 {
-	set->codeDetails.bssSize = 0;
-
-	for (int i = 0; i < elf->sectionTableEntryCount; i++) {
-		if (IsBss(&elf->sections[i]))
-			set->codeDetails.bssSize = elf->sections[i].size;
-	}
+	elf_segment segment = elf_GetSegments(elf)[elf_SegmentNum(elf) - 1];
 
-	return 0;
-}
-
-int ImportPlainRegionFromElf(elf_context *elf, ncch_settings *set) // Doesn't work same as N makerom
-{
-	u64 size = 0;
-	u64 offset = 0;
-	for (u16 i = 0; i < elf->activeSegments; i++) {
-		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0) {
-			size = elf->segments[i].header->sizeInFile;
-			offset = elf->segments[i].header->offsetInFile;
-			break;
-		}
+	/* Check last segment
+	If the last segment is RO segment, this must be an SDK .module_id segment */
+	if (segment.flags != PF_RODATA) {
+		/* not a RO segment */
+		return 0;
 	}
 
-
-	if (size > 0) {
+	if (segment.fileSize > 0) {
 		/* Creating Output Buffer */
-		set->sections.plainRegion.size = align(size, set->options.blockSize);
-		set->sections.plainRegion.buffer = malloc(set->sections.plainRegion.size);
-		if (!set->sections.plainRegion.buffer) { fprintf(stderr, "[ELF ERROR] Not enough memory\n"); return MEM_ERROR; }
-		memset(set->sections.plainRegion.buffer, 0, set->sections.plainRegion.size);
+		set->sections.plainRegion.size = align(segment.fileSize, set->options.blockSize);
+		set->sections.plainRegion.buffer = calloc(set->sections.plainRegion.size, 1);
+		if (!set->sections.plainRegion.buffer) { fprintf(stderr, "[CODE ERROR] Not enough memory\n"); return MEM_ERROR; }
 
 		/* Copy Plain Region */
-		memcpy(set->sections.plainRegion.buffer, elf->file + offset, size);
+		memcpy(set->sections.plainRegion.buffer, segment.ptr, segment.fileSize);
 	}
-
 	return 0;
 }
 
 int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags)
 {
-	memset(out, 0, sizeof(code_segment));
-
-	u16 seg_num = 0;
-	elf_segment **seg = calloc(elf->activeSegments, sizeof(elf_segment*));
-
-	for (u16 i = 0; i < elf->activeSegments; i++) {
-		// Skip SDK ELF plain region
-		if (strcmp(elf->segments[i].name, SDK_PLAINREGION_SEGMENT_NAME) == 0)
+	u32 segmentNum = elf_SegmentNum(elf);
+	const elf_segment *segments = elf_GetSegments(elf);
+
+	/* Find segment */
+	for (u16 i = 0; i < segmentNum; i++) {
+		/*	Skip SDK ELF plain region
+			The last segment should always be data in valid ELFs, 
+			unless this is an SDK ELF with .module_id segment */
+		if (i == segmentNum-1 && segments[i].flags == PF_RODATA)
 			continue;
 
-		//printf("SegName: %s (flags: %x)\n", elf->segments[i].name, elf->segments[i].header->flags);
-		if ((elf->segments[i].header->flags & ~PF_CTRSDK) == segment_flags) {
-			if (seg_num == 0) {
-				seg[seg_num] = &elf->segments[i];
-				seg_num++;
-			}
-			else if (elf->segments[i].vAddr == (u32)align(seg[seg_num - 1]->vAddr, seg[seg_num - 1]->header->alignment)) {
-				seg[seg_num] = &elf->segments[i];
-				seg_num++;
-			}
+		/* Found segment */
+		if ((segments[i].flags & ~PF_CTRSDK) == segment_flags) {
+			out->address = segments[i].vAddr;
+			out->memSize = segments[i].memSize;
+			out->pageNum = SizeToPage(out->memSize);
+			out->size = segments[i].fileSize;
+			out->data = malloc(out->size);
+			if (!out->data) { fprintf(stderr, "[CODE ERROR] Not enough memory\n"); return MEM_ERROR; }
+			memcpy(out->data, segments[i].ptr, out->size);
+			return 0;
 		}
 	}
 
-	/* Return if there are no applicable segment */
-	if (seg_num == 0)
-		return 0;
-
-	/* Getting Segment Size/Settings */
-	u32 vAddr = 0;
-	u32 memorySize = 0;
-	for (u16 i = 0; i < seg_num; i++) {
-		if (i == 0) {
-			vAddr = seg[i]->vAddr;
-		}
-		else { // Add rounded size from previous segment
-			u32 padding = seg[i]->vAddr - (vAddr + memorySize);
-			memorySize += padding;
-		}
-
-		memorySize += seg[i]->header->sizeInMemory;
-
-		if (IsBss(&seg[i]->sections[seg[i]->sectionNum - 1]))
-			memorySize -= seg[i]->sections[seg[i]->sectionNum - 1].size;
-	}
-
-	// For Check
-#ifdef DEBUG
-	printf("Address: 0x%x\n", vAddr);
-	printf("Size:    0x%x\n", memorySize);
-#endif
-
-	out->address = vAddr;
-	out->size = memorySize;
-	out->maxPageNum = SizeToPage(memorySize, elf);
-	out->data = malloc(memorySize);
-
-	/* Writing Segment to Buffer */
-	for (int i = 0; i < seg_num; i++) {
-
-		for (int j = 0; j < seg[i]->sectionNum; j++) {
-			elf_section_entry *section = &seg[i]->sections[j];
-			if (!IsBss(section)) {
-				u8 *pos = (out->data + (section->address - seg[i]->vAddr));
-				memcpy(pos, section->ptr, section->size);
-				//size += section->size;
-			}
-		}
-	}
-
-	free(seg);
+	/* Stub struct data */
+	out->address = 0;
+	out->memSize = 0;
+	out->pageNum = 0;
+	out->size = 0;
+	out->data = NULL;
 	return 0;
 }
 
@@ -217,37 +162,33 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 {
 	/* Getting Code Segments */
 	code_segment text;
-	memset(&text, 0, sizeof(code_segment));
 	code_segment rodata;
-	memset(&rodata, 0, sizeof(code_segment));
 	code_segment rwdata;
-	memset(&rwdata, 0, sizeof(code_segment));
 
-	int result = CreateCodeSegmentFromElf(&text, elf, PF_TEXT);
-	if (result) return result;
-	result = CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA);
-	if (result) return result;
-	result = CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA);
-	if (result) return result;
+	if (CreateCodeSegmentFromElf(&text, elf, PF_TEXT) == MEM_ERROR || CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA) == MEM_ERROR || CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA) == MEM_ERROR)
+		return MEM_ERROR;
 
 	/* Checking the existence of essential ELF Segments */
 	if (!text.size) return NOT_FIND_TEXT_SEGMENT;
 	if (!rwdata.size) return NOT_FIND_DATA_SEGMENT;
 
+	/* Calculateing BSS size */
+	set->codeDetails.bssSize = rwdata.memSize - rwdata.size;
+
 	/* Allocating Buffer for ExeFs Code */
-	u32 size = (text.maxPageNum + rodata.maxPageNum + rwdata.maxPageNum)*elf->pageSize;
+	u32 size = PageToSize(text.pageNum + rodata.pageNum + rwdata.pageNum);
 	u8 *code = calloc(1, size);
 
 	/* Writing Code into Buffer */
-	u8 *textPos = (code + 0);
-	u8 *rodataPos = (code + text.maxPageNum*elf->pageSize);
-	u8 *rwdataPos = (code + (text.maxPageNum + rodata.maxPageNum)*elf->pageSize);
+	u8 *textPos = (code + text.address - text.address);
+	u8 *rodataPos = (code + rodata.address - text.address);
+	u8 *rwdataPos = (code + rwdata.address - text.address);
 	if (text.size) memcpy(textPos, text.data, text.size);
 	if (rodata.size) memcpy(rodataPos, rodata.data, rodata.size);
 	if (rwdata.size) memcpy(rwdataPos, rwdata.data, rwdata.size);
 
 
-	/* Compressing If needed */
+	/* Compressing if needed */
 	if (set->options.CompressCode) {
 		if (set->options.verbose)
 			printf("[CODE] Compressing code... ");
@@ -265,31 +206,32 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 
 	/* Setting code_segment data and freeing original buffers */
 	set->codeDetails.textAddress = text.address;
-	set->codeDetails.textMaxPages = text.maxPageNum;
-	set->codeDetails.textSize = text.size;
+	set->codeDetails.textMaxPages = text.pageNum;
+	set->codeDetails.textSize = text.memSize;
 	if (text.size) free(text.data);
 
 	set->codeDetails.roAddress = rodata.address;
-	set->codeDetails.roMaxPages = rodata.maxPageNum;
-	set->codeDetails.roSize = rodata.size;
+	set->codeDetails.roMaxPages = rodata.pageNum;
+	set->codeDetails.roSize = rodata.memSize;
 	if (rodata.size) free(rodata.data);
 
 	set->codeDetails.rwAddress = rwdata.address;
-	set->codeDetails.rwMaxPages = rwdata.maxPageNum;
-	set->codeDetails.rwSize = rwdata.size;
+	set->codeDetails.rwMaxPages = rwdata.pageNum;
+	set->codeDetails.rwSize = rwdata.memSize;
 	if (rwdata.size) free(rwdata.data);
 
 	if (set->rsfSet->SystemControlInfo.StackSize)
 		set->codeDetails.stackSize = strtoul(set->rsfSet->SystemControlInfo.StackSize, NULL, 0);
 	else {
-		fprintf(stderr, "[CODE ERROR] RSF Parameter Not Found: \"SystemControlInfo/StackSize\"\n");
-		return 1;
+		set->codeDetails.stackSize = DEFAULT_STACK_SIZE;
+		fprintf(stderr, "[CODE WARNING] \"SystemControlInfo/StackSize\" not specified, defaulting to 0x%x bytes\n", DEFAULT_STACK_SIZE);
 	}
 
 	/* Return */
 	return 0;
 }
 
+/*
 void PrintElfContext(elf_context *elf)
 {
 	printf("[ELF] Program Table Data\n");
@@ -303,27 +245,17 @@ void PrintElfContext(elf_context *elf)
 	printf(" Label index: 0x%x\n", elf->sectionHeaderNameEntryIndex);
 	for (int i = 0; i < elf->activeSegments; i++) {
 		printf(" Segment [%d][%s]\n", i, elf->segments[i].name);
-		printf(" > Size :     0x%x\n", elf->segments[i].header->sizeInFile);
-		printf(" > Address :  0x%x\n", elf->segments[i].vAddr);
-		printf(" > Flags:     0x%x\n", elf->segments[i].header->flags);
-		printf(" > Type:      0x%x\n", elf->segments[i].header->type);
-		printf(" > Sections : %d\n", elf->segments[i].sectionNum);
+		printf(" > Size(Memory):   0x%x\n", elf->segments[i].header->sizeInMemory);
+		printf(" > Size(File):     0x%x\n", elf->segments[i].header->sizeInFile);
+		printf(" > Address:        0x%x\n", elf->segments[i].vAddr);
+		printf(" > Flags:          0x%x\n", elf->segments[i].header->flags);
+		printf(" > Type:           0x%x\n", elf->segments[i].header->type);
+		printf(" > Sections: %d\n", elf->segments[i].sectionNum);
 		for (int j = 0; j < elf->segments[i].sectionNum; j++)
 			printf("    > Section [%d][%s][0x%x][0x%x]\n", j, elf->segments[i].sections[j].name, elf->segments[i].sections[j].flags, elf->segments[i].sections[j].type);
-
-		/*
-		char outpath[100];
-		memset(&outpath,0,100);
-		sprintf(outpath,"%s.bin",elf->sections[i].name);
-		chdir("elfsections");
-		FILE *tmp = fopen(outpath,"wb");
-		WriteBuffer(elf->sections[i].ptr,elf->sections[i].size,0,tmp);
-		fclose(tmp);
-		chdir("..");
-		*/
 	}
-
 }
+*/
 
 int BuildExeFsCode(ncch_settings *set)
 {
@@ -331,10 +263,11 @@ int BuildExeFsCode(ncch_settings *set)
 	if (set->options.IsCfa)
 		return result;
 
-	if (set->componentFilePtrs.plainregion) // Import PlainRegion from file
-		if ((result = ImportPlainRegionFromFile(set))) return result;
-	if (!set->options.IsBuildingCodeSection) // Import ExeFs Code from file and return
+	if (!set->options.IsBuildingCodeSection) { // Import ExeFs Code from file and return
+		if (set->componentFilePtrs.plainregion) // Import PlainRegion from file
+			if ((result = ImportPlainRegionFromFile(set))) return result;
 		return ImportExeFsCodeBinaryFromFile(set);
+	}
 
 	/* Import ELF */
 	u8 *elfFile = malloc(set->componentFilePtrs.elfSize);
@@ -345,26 +278,12 @@ int BuildExeFsCode(ncch_settings *set)
 	ReadFile64(elfFile, set->componentFilePtrs.elfSize, 0, set->componentFilePtrs.elf);
 
 	/* Create ELF Context */
-	elf_context *elf = calloc(1, sizeof(elf_context));
-	if (!elf) {
-		fprintf(stderr, "[CODE ERROR] Not enough memory\n");
-		free(elfFile);
-		return MEM_ERROR;
-	}
-
-	if ((result = GetElfContext(elf, elfFile))) goto finish;
-
-	/* Setting Page Size */
-	elf->pageSize = GetPageSize(set);
-
-	if (!set->componentFilePtrs.plainregion)
-		if ((result = ImportPlainRegionFromElf(elf, set))) goto finish;
+	elf_context elf;
 
-	if (set->options.verbose)
-		PrintElfContext(elf);
+	if ((result = elf_Init(&elf, elfFile))) goto finish;
 
-	if ((result = CreateExeFsCode(elf, set))) goto finish;
-	if ((result = GetBSSFromElf(elf, set))) goto finish;
+	if ((result = ImportPlainRegionFromElf(&elf, set))) goto finish;
+	if ((result = CreateExeFsCode(&elf, set))) goto finish;
 
 finish:
 	switch (result) {
@@ -389,8 +308,7 @@ int BuildExeFsCode(ncch_settings *set)
 		fprintf(stderr, "[CODE ERROR] Failed to process ELF file (%d)\n", result);
 	}
 	
-	FreeElfContext(elf);
+	elf_Free(&elf);
 	free(elfFile);
-	free(elf);
 	return result;
 }
diff --git a/makerom/elf.c b/makerom/elf.c
index 6aad3ef1..a934817f 100644
--- a/makerom/elf.c
+++ b/makerom/elf.c
@@ -82,43 +82,12 @@ typedef struct elf_phdr
 } elf_phdr;
 
 // ELF Functions
-int GetElfSectionEntries(elf_context *elf);
-int GetElfProgramEntries(elf_context *elf);
-void PrintElfContext(elf_context *elf);
-int ReadElfHdr(elf_context *elf);
 
-int CreateElfSegments(elf_context *elf);
-bool IsIgnoreSection(elf_section_entry info);
-
-// ELF Functions
-
-int GetElfContext(elf_context *elf, const u8 *elfFile)
-{
-	elf->file = elfFile;
-	
-	int result;
-
-	if((result = ReadElfHdr(elf))) return result;
-	if((result = GetElfSectionEntries(elf))) return result;
-	if((result = GetElfProgramEntries(elf))) return result;
-	if((result = CreateElfSegments(elf))) return result;
-
-	return 0;
-}
-
-void FreeElfContext(elf_context *elf)
-{
-	for (int i = 0; i < elf->activeSegments; i++)
-		free(elf->segments[i].sections);
-	free(elf->sections);
-	free(elf->programHeaders);
-	free(elf->segments);
-}
-
-int ReadElfHdr(elf_context *elf)
+int elf_ProcessHeader(elf_context *elf)
 {
 	const elf_hdr *hdr = (const elf_hdr*)elf->file;
 
+	/* Check conditions for valid CTR ELF */
 	if (u8_to_u32(hdr->magic, BE) != ELF_MAGIC)
 		return NOT_ELF_FILE;
 	if (hdr->bitFormat != elf_32_bit)
@@ -130,185 +99,96 @@ int ReadElfHdr(elf_context *elf)
 	if (u8_to_u16(hdr->type, LE) != elf_executeable)
 		return NON_EXECUTABLE_ELF;
 
-	elf->programTableOffset = u8_to_u32(hdr->programHeaderTableOffset, LE);
-	elf->programTableEntrySize = u8_to_u16(hdr->programHeaderEntrySize, LE);
-	elf->programTableEntryCount = u8_to_u16(hdr->programHeaderEntryCount, LE);
-
-	elf->sectionTableOffset = u8_to_u32(hdr->sectionHeaderTableOffset, LE);
-	elf->sectionTableEntrySize = u8_to_u16(hdr->sectionTableEntrySize, LE);
-	elf->sectionTableEntryCount = u8_to_u16(hdr->sectionHeaderEntryCount, LE);
+	elf->phdrOffset = u8_to_u32(hdr->programHeaderTableOffset, LE);
+	elf->segmentNum = u8_to_u16(hdr->programHeaderEntryCount, LE);
+	elf->segments = calloc(elf->segmentNum, sizeof(elf_segment));
+	if (!elf->segments) {
+		fprintf(stderr, "[ELF ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
 
-	elf->sectionHeaderNameEntryIndex = u8_to_u16(hdr->sectionHeaderNameEntryIndex, LE);
+	elf->shdrOffset = u8_to_u32(hdr->sectionHeaderTableOffset, LE);
+	elf->shdrNameIndex = u8_to_u16(hdr->sectionHeaderNameEntryIndex, LE);
+	elf->sectionNum = u8_to_u16(hdr->sectionHeaderEntryCount, LE);
+	elf->sections = calloc(elf->sectionNum, sizeof(elf_section));
+	if (!elf->sections) {
+		fprintf(stderr, "[ELF ERROR] Not enough memory\n");
+		return MEM_ERROR;
+	}
 
 	return 0;
 }
 
-int GetElfSectionEntries(elf_context *elf)
+void elf_PopulateSections(elf_context *elf)
 {
-	elf->sections = calloc(elf->sectionTableEntryCount,sizeof(elf_section_entry));
-	if(!elf->sections) {
-		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
-		return MEM_ERROR;
-	}
-
-	const elf_shdr *shdr = (const elf_shdr *)(elf->file + elf->sectionTableOffset);
-	const char *nameTable = (const char*)(elf->file + u8_to_u32(shdr[elf->sectionHeaderNameEntryIndex].offset, LE));
+	const elf_shdr *shdr = (const elf_shdr *)(elf->file + elf->shdrOffset);
+	const char *nameTable = (const char*)(elf->file + u8_to_u32(shdr[elf->shdrNameIndex].offset, LE));
 
-	for(int i = 0; i < elf->sectionTableEntryCount; i++){
+	for (int i = 0; i < elf->sectionNum; i++) {
 		elf->sections[i].name = nameTable + u8_to_u32(shdr[i].name, LE);
 		elf->sections[i].type = u8_to_u32(shdr[i].type, LE);
 		elf->sections[i].flags = u8_to_u32(shdr[i].flags, LE);
-		elf->sections[i].offsetInFile = u8_to_u32(shdr[i].offset, LE);
+		elf->sections[i].fileOffset = u8_to_u32(shdr[i].offset, LE);
 		elf->sections[i].size = u8_to_u32(shdr[i].size, LE);
-		elf->sections[i].ptr = elf->file + elf->sections[i].offsetInFile;
-		elf->sections[i].address = u8_to_u32(shdr[i].addr, LE);
+		elf->sections[i].ptr = elf->file + elf->sections[i].fileOffset;
+		elf->sections[i].vAddr = u8_to_u32(shdr[i].addr, LE);
 		elf->sections[i].alignment = u8_to_u32(shdr[i].addralign, LE);
 	}
-	return 0;
 }
 
-int GetElfProgramEntries(elf_context *elf)
+void elf_PopulateSegments(elf_context *elf)
 {
-	elf->programHeaders = calloc(elf->programTableEntryCount,sizeof(elf_program_entry));
-	if(!elf->programHeaders) {
-		fprintf(stderr,"[ELF ERROR] Not enough memory\n"); 
-		return MEM_ERROR;
-	}
-
-	const elf_phdr *phdr = (const elf_phdr*)(elf->file + elf->programTableOffset);
+	const elf_phdr *phdr = (const elf_phdr *)(elf->file + elf->phdrOffset);
 
-	for(int i = 0; i < elf->programTableEntryCount; i++){
-		elf->programHeaders[i].type = u8_to_u32(phdr[i].type, LE);
-		elf->programHeaders[i].flags = u8_to_u32(phdr[i].flags, LE);
-		elf->programHeaders[i].offsetInFile = u8_to_u32(phdr[i].offset, LE);
-		elf->programHeaders[i].sizeInFile = u8_to_u32(phdr[i].filesz, LE);
-		elf->programHeaders[i].ptr = elf->file + elf->programHeaders[i].offsetInFile;
-		elf->programHeaders[i].physicalAddress = u8_to_u32(phdr[i].paddr, LE);
-		elf->programHeaders[i].virtualAddress = u8_to_u32(phdr[i].vaddr, LE);
-		elf->programHeaders[i].sizeInMemory = u8_to_u32(phdr[i].memsz, LE);
-		elf->programHeaders[i].alignment = u8_to_u32(phdr[i].align, LE);
+	for (int i = 0; i < elf->segmentNum; i++) {
+		elf->segments[i].type = u8_to_u32(phdr[i].type, LE);
+		elf->segments[i].flags = u8_to_u32(phdr[i].flags, LE);
+		elf->segments[i].fileOffset = u8_to_u32(phdr[i].offset, LE);
+		elf->segments[i].fileSize = u8_to_u32(phdr[i].filesz, LE);
+		elf->segments[i].ptr = elf->file + elf->segments[i].fileOffset;
+		elf->segments[i].pAddr = u8_to_u32(phdr[i].paddr, LE);
+		elf->segments[i].vAddr = u8_to_u32(phdr[i].vaddr, LE);
+		elf->segments[i].memSize = u8_to_u32(phdr[i].memsz, LE);
+		elf->segments[i].alignment = u8_to_u32(phdr[i].align, LE);
 	}
-
-	return 0;
 }
 
-/* Section Hdr Functions */
-
-bool IsBss(elf_section_entry *section)
+int elf_Init(elf_context *elf, const u8 *elfFile)
 {
-	return (section->type == SHT_NOBITS && section->flags == (SHF_WRITE | SHF_ALLOC));
-}
+	elf->file = elfFile;
+	
+	int result;
 
-bool IsData(elf_section_entry *section)
-{
-	return (section->type == SHT_PROGBITS && section->flags == (SHF_WRITE | SHF_ALLOC));
-}
+	if((result = elf_ProcessHeader(elf))) return result;
 
-bool IsRoData(elf_section_entry *section)
-{
-	return (section->type == SHT_PROGBITS && section->flags == SHF_ALLOC);
+	elf_PopulateSections(elf);
+	elf_PopulateSegments(elf);
+	return 0;
 }
 
-bool IsText(elf_section_entry *section)
+void elf_Free(elf_context *elf)
 {
-	return (section->type == SHT_PROGBITS && section->flags == (SHF_ALLOC | SHF_EXECINSTR));
+	free(elf->sections);
+	free(elf->segments);
+	memset(elf, 0, sizeof(elf_context));
 }
 
-/* Program Segment Functions */
-void InitSegment(elf_segment *segment)
+u16 elf_SectionNum(elf_context *ctx)
 {
-	memset(segment, 0, sizeof(elf_segment));
-
-	segment->sectionNumMax = 10;
-	segment->sectionNum = 0;
-	segment->sections = calloc(segment->sectionNumMax, sizeof(elf_section_entry));
+	return ctx->sectionNum;
 }
 
-void AddSegmentSection(elf_segment *segment, elf_section_entry *section)
+const elf_section* elf_GetSections(elf_context *ctx)
 {
-	if (segment->sectionNum < segment->sectionNumMax)
-		memcpy(&segment->sections[segment->sectionNum], section, sizeof(elf_section_entry));
-	else {
-		segment->sectionNumMax *= 2;
-		elf_section_entry *tmp = calloc(segment->sectionNumMax, sizeof(elf_section_entry));
-		for (int k = 0; k < segment->sectionNum; k++)
-			memcpy(&tmp[k], &segment->sections[k], sizeof(elf_section_entry));
-		free(segment->sections);
-		segment->sections = tmp;
-		memcpy(&segment->sections[segment->sectionNum], section, sizeof(elf_section_entry));
-	}
-
-	segment->sectionNum++;
+	return ctx->sections;
 }
 
-bool IsIgnoreSection(elf_section_entry info)
+u16 elf_SegmentNum(elf_context *ctx) 
 {
-	return !(info.flags & SHF_ALLOC);//(info.type != SHT_PROGBITS && info.type != SHT_NOBITS && info.type != SHT_INIT_ARRAY && info.type != SHT_FINI_ARRAY && info.type != SHT_ARM_EXIDX);
+	return ctx->segmentNum;
 }
 
-int CreateElfSegments(elf_context *elf)
+const elf_segment* elf_GetSegments(elf_context *ctx)
 {
-	// Interate through Each Program Header
-	elf->activeSegments = 0;
-	elf->segments = calloc(elf->programTableEntryCount,sizeof(elf_segment));
-
-	elf_segment segment;
-
-	bool foundFirstSection = false;
-	int curr, prev;
-	u32 padding, size, sizeInMemory;
-
-	for (int i = 0; i < elf->programTableEntryCount; i++){
-		if (elf->programHeaders[i].sizeInMemory != 0 && elf->programHeaders[i].type == PF_X){
-			InitSegment(&segment);
-
-			foundFirstSection = false;
-			size = 0;
-			sizeInMemory = elf->programHeaders[i].sizeInMemory;
-
-			// Itterate Through Section Headers
-			for (curr = 0; curr < elf->sectionTableEntryCount && size != sizeInMemory; curr++){
-				// Skip irrelevant sections
-				if (IsIgnoreSection(elf->sections[curr]))
-					continue;
-
-
-				if (!foundFirstSection) {
-					if (elf->sections[curr].address != elf->programHeaders[i].virtualAddress)
-						continue;
-
-					foundFirstSection = true;
-					segment.vAddr = elf->sections[curr].address;
-					segment.name = elf->sections[curr].name;
-
-					AddSegmentSection(&segment, &elf->sections[curr]);
-					size = elf->sections[curr].size;
-				}
-				else {
-					AddSegmentSection(&segment, &elf->sections[curr]);
-					padding = elf->sections[curr].address - (elf->sections[prev].address + elf->sections[prev].size);
-					size += padding + elf->sections[curr].size;
-				}
-				prev = curr;
-
-				// Catch section parsing fails
-				if (size > sizeInMemory){
-					fprintf(stderr,"[ELF ERROR] Too large section size.\n Segment size = 0x%x\n Section Size = 0x%x\n", sizeInMemory, size);
-					return ELF_SEGMENT_SECTION_SIZE_MISMATCH;
-				}
-            }
-			if(segment.sectionNum){
-				segment.header = &elf->programHeaders[i];
-				memcpy(&elf->segments[elf->activeSegments],&segment,sizeof(elf_segment));
-				elf->activeSegments++;
-			}
-			else{
-				free(segment.sections);
-				fprintf(stderr,"[ELF ERROR] Program Header Has no corresponding Sections, ELF Cannot be proccessed\n");
-				return ELF_SEGMENTS_NOT_FOUND;
-			}
-		}
-	}
-
-	return 0;
-}
\ No newline at end of file
+	return ctx->segments;
+}
diff --git a/makerom/elf.h b/makerom/elf.h
index c568a5b5..71466f63 100644
--- a/makerom/elf.h
+++ b/makerom/elf.h
@@ -56,17 +56,17 @@ typedef enum elf_section_flag
 	SHF_TLS = 0x400
 } elf_section_flag;
 
-typedef struct elf_section_entry
+typedef struct elf_section
 {
 	const char *name;
 	u32 type;
 	u32 flags;
 	const u8 *ptr;
-	u32 offsetInFile;
+	u32 fileOffset;
 	u32 size;
-	u32 address;
+	u32 vAddr;
 	u32 alignment;
-} elf_section_entry;
+} elf_section;
 
 typedef enum elf_program_type
 {
@@ -91,57 +91,40 @@ typedef enum elf_program_flag
 	PF_RODATA = PF_R
 } elf_program_flag;
 
-typedef struct elf_program_entry
+typedef struct elf_segment
 {
 	u32 type;
 	u32 flags;
 	const u8 *ptr;
-	u32 offsetInFile;
-	u32 sizeInFile;
-	u32 virtualAddress;
-	u32 physicalAddress;
-	u32 sizeInMemory;
-	u32 alignment;
-} elf_program_entry;
-
-typedef struct elf_segment
-{
-	const char *name;
+	u32 fileOffset;
+	u32 fileSize;
+	u32 memSize;
 	u32 vAddr;
-
-	elf_program_entry *header;
-	u32 sectionNum;
-	u32 sectionNumMax;
-	elf_section_entry *sections;
+	u32 pAddr;
+	u32 alignment;
 } elf_segment;
 
 typedef struct elf_context
 {
 	const u8 *file;
 
-	u32 pageSize;
-		
-	u32 programTableOffset;
-	u16 programTableEntrySize;
-	u16 programTableEntryCount;
-	
-	u32 sectionTableOffset;
-	u16 sectionTableEntrySize;
-	u16 sectionTableEntryCount;
-	
-	u16 sectionHeaderNameEntryIndex;
-
-	elf_section_entry *sections;
-	elf_program_entry *programHeaders;
-
-	u16 activeSegments;
+	u32 shdrOffset;
+	u16 shdrNameIndex;
+	u32 phdrOffset;
+
+	u16 sectionNum;
+	elf_section *sections;
+
+	u16 segmentNum;
 	elf_segment *segments;
 } elf_context;
 
-bool IsBss(elf_section_entry *section);
-bool IsData(elf_section_entry *section);
-bool IsRoData(elf_section_entry *section);
-bool IsText(elf_section_entry *section);
 
-int GetElfContext(elf_context *elf, const u8 *elfFile);
-void FreeElfContext(elf_context *elf);
\ No newline at end of file
+int elf_Init(elf_context *ctx, const u8 *fp);
+void elf_Free(elf_context *ctx);
+
+u16 elf_SectionNum(elf_context *ctx);
+const elf_section* elf_GetSections(elf_context *ctx);
+
+u16 elf_SegmentNum(elf_context *ctx);
+const elf_segment* elf_GetSegments(elf_context *ctx);
\ No newline at end of file
diff --git a/makerom/rsf_settings.c b/makerom/rsf_settings.c
index 66fcc0f2..99c89ef0 100644
--- a/makerom/rsf_settings.c
+++ b/makerom/rsf_settings.c
@@ -64,7 +64,6 @@ void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("EnableCompress",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCompress,"EnableCompress",ctx);
 		else if(cmpYamlValue("FreeProductCode",ctx)) SetBoolYAMLValue(&rsf->Option.FreeProductCode,"FreeProductCode",ctx);
 		else if(cmpYamlValue("UseOnSD",ctx)) SetBoolYAMLValue(&rsf->Option.UseOnSD,"UseOnSD",ctx);
-		else if(cmpYamlValue("PageSize",ctx)) SetSimpleYAMLValue(&rsf->Option.PageSize,"PageSize",ctx,0);
 		else{
 			fprintf(stderr,"[RSF ERROR] Unrecognised key '%s'\n",GetYamlString(ctx));
 			ctx->error = YAML_UNKNOWN_KEY;
@@ -343,9 +342,6 @@ void GET_CommonHeaderKey(ctr_yaml_context *ctx, rsf_settings *rsf)
 
 void free_RsfSettings(rsf_settings *set)
 {
-	//Option
-	free(set->Option.PageSize);
-
 	//AccessControlInfo
 	free(set->AccessControlInfo.IdealProcessor);
 	free(set->AccessControlInfo.Priority);
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index f06f95ff..ea0f008d 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -70,9 +70,6 @@ typedef struct
 		bool EnableCompress;
 		bool FreeProductCode;
 		bool UseOnSD;
-
-		// Strings
-		char *PageSize;
 	} Option;
 	
 	struct{

From 59c5df9d8c5fd833dc87bd10afaaade6d5895855 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 17 Dec 2015 20:36:34 +0800
Subject: [PATCH 140/317] [makerom] misc

---
 makerom/code.c | 37 ++++++++++++++++---------------------
 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/makerom/code.c b/makerom/code.c
index 22b64bf0..cc79cd6c 100644
--- a/makerom/code.c
+++ b/makerom/code.c
@@ -123,39 +123,36 @@ int ImportPlainRegionFromElf(elf_context *elf, ncch_settings *set)
 	return 0;
 }
 
-int CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags)
+void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags)
 {
 	u32 segmentNum = elf_SegmentNum(elf);
 	const elf_segment *segments = elf_GetSegments(elf);
 
+	/* Initialise struct data */
+	out->address = 0;
+	out->memSize = 0;
+	out->pageNum = 0;
+	out->size = 0;
+	out->data = NULL;
+
 	/* Find segment */
 	for (u16 i = 0; i < segmentNum; i++) {
-		/*	Skip SDK ELF plain region
+		/*	Skip SDK ELF .module_id segment
 			The last segment should always be data in valid ELFs, 
 			unless this is an SDK ELF with .module_id segment */
 		if (i == segmentNum-1 && segments[i].flags == PF_RODATA)
 			continue;
 
 		/* Found segment */
-		if ((segments[i].flags & ~PF_CTRSDK) == segment_flags) {
+		if ((segments[i].flags & ~PF_CTRSDK) == segment_flags && segments[i].type == PT_LOAD) {
 			out->address = segments[i].vAddr;
 			out->memSize = segments[i].memSize;
 			out->pageNum = SizeToPage(out->memSize);
 			out->size = segments[i].fileSize;
-			out->data = malloc(out->size);
-			if (!out->data) { fprintf(stderr, "[CODE ERROR] Not enough memory\n"); return MEM_ERROR; }
-			memcpy(out->data, segments[i].ptr, out->size);
-			return 0;
+			out->data = segments[i].ptr;
+			break;
 		}
 	}
-
-	/* Stub struct data */
-	out->address = 0;
-	out->memSize = 0;
-	out->pageNum = 0;
-	out->size = 0;
-	out->data = NULL;
-	return 0;
 }
 
 int CreateExeFsCode(elf_context *elf, ncch_settings *set)
@@ -165,14 +162,15 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	code_segment rodata;
 	code_segment rwdata;
 
-	if (CreateCodeSegmentFromElf(&text, elf, PF_TEXT) == MEM_ERROR || CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA) == MEM_ERROR || CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA) == MEM_ERROR)
-		return MEM_ERROR;
+	CreateCodeSegmentFromElf(&text, elf, PF_TEXT);
+	CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA);
+	CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA);
 
 	/* Checking the existence of essential ELF Segments */
 	if (!text.size) return NOT_FIND_TEXT_SEGMENT;
 	if (!rwdata.size) return NOT_FIND_DATA_SEGMENT;
 
-	/* Calculateing BSS size */
+	/* Calculating BSS size */
 	set->codeDetails.bssSize = rwdata.memSize - rwdata.size;
 
 	/* Allocating Buffer for ExeFs Code */
@@ -208,17 +206,14 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	set->codeDetails.textAddress = text.address;
 	set->codeDetails.textMaxPages = text.pageNum;
 	set->codeDetails.textSize = text.memSize;
-	if (text.size) free(text.data);
 
 	set->codeDetails.roAddress = rodata.address;
 	set->codeDetails.roMaxPages = rodata.pageNum;
 	set->codeDetails.roSize = rodata.memSize;
-	if (rodata.size) free(rodata.data);
 
 	set->codeDetails.rwAddress = rwdata.address;
 	set->codeDetails.rwMaxPages = rwdata.pageNum;
 	set->codeDetails.rwSize = rwdata.memSize;
-	if (rwdata.size) free(rwdata.data);
 
 	if (set->rsfSet->SystemControlInfo.StackSize)
 		set->codeDetails.stackSize = strtoul(set->rsfSet->SystemControlInfo.StackSize, NULL, 0);

From 103fc09d72bdd466eeb5ff68259cd7b7e1fe59fa Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Wed, 23 Dec 2015 14:49:19 +0800
Subject: [PATCH 141/317] [makerom] Cleaned up "desc" presets

---
 makerom/accessdesc.c            | 312 +++++-------------------------
 makerom/code.c                  |   2 +-
 makerom/desc/desc.h             |  33 ++++
 makerom/desc/dev_sigdata.h      | 257 ++++++-------------------
 makerom/desc/presets.h          | 324 +++++++++++++-------------------
 makerom/desc/prod_sigdata.h     | 134 -------------
 makerom/exheader.c              |   2 +-
 makerom/keyset.h                |  13 +-
 makerom/makerom.vcxproj         |   2 +-
 makerom/makerom.vcxproj.filters |   6 +-
 makerom/user_settings.c         |  14 +-
 11 files changed, 278 insertions(+), 821 deletions(-)
 create mode 100644 makerom/desc/desc.h
 delete mode 100644 makerom/desc/prod_sigdata.h

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index dde1b58b..1b8a3ef9 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -5,7 +5,6 @@
 
 #include "desc/presets.h"
 #include "desc/dev_sigdata.h"
-#include "desc/prod_sigdata.h"
 
 const int RSF_RSA_DATA_LEN = 344;
 const int RSF_DESC_DATA_LEN = 684;
@@ -14,8 +13,9 @@ const int RSF_DESC_DATA_LEN = 684;
 int accessdesc_SignWithKey(exheader_settings *exhdrset);
 int accessdesc_GetSignFromRsf(exheader_settings *exhdrset);
 int accessdesc_GetSignFromPreset(exheader_settings *exhdrset);
-void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, keys_struct *keys);
-void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, keys_struct *keys);
+const CtrSdkDesc* accessdesc_GetPresetData(keys_struct *keys);
+const CtrSdkDescSignData* accessdesc_GetPresetSignData(keys_struct *keys);
+const CtrSdkDepList* accessdesc_GetPresetDependencyList(keys_struct *keys);
 
 int set_AccessDesc(exheader_settings *exhdrset)
 {
@@ -121,48 +121,41 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 
 int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 {
-	u8 *desc = NULL;
-	u8 *accessDesc = NULL;
-	u8 *depList = NULL;
+	const CtrSdkDesc *desc = accessdesc_GetPresetData(exhdrset->keys);
+	const CtrSdkDescSignData *pre_sign = accessdesc_GetPresetSignData(exhdrset->keys);
+	const CtrSdkDepList *dependency_list = accessdesc_GetPresetDependencyList(exhdrset->keys);
 
-	u8 *accessDescSig = NULL;
-	u8 *cxiPubk = NULL;
-	u8 *cxiPvtk = NULL;
-
-	accessdesc_GetPresetData(&desc,&accessDesc,&depList,exhdrset->keys);
-	accessdesc_GetPresetSigData(&accessDescSig,&cxiPubk,&cxiPvtk,exhdrset->keys);
 
 	// Error Checking
-	if(!desc || !depList){
+	if(!desc || !dependency_list){
 		fprintf(stderr,"[ACEXDESC ERROR] AccessDesc template is unavailable, please configure RSF file\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 
-	if((!cxiPubk || !cxiPvtk || !accessDesc || !accessDescSig) && exhdrset->keys->rsa.requiresPresignedDesc){
+	if(!pre_sign->modulus && exhdrset->keys->rsa.requiresPresignedDesc){
 		fprintf(stderr,"[ACEXDESC ERROR] This AccessDesc template needs to be signed, the current keyset is incapable of doing so. Please configure RSF file with the appropriate signature data.\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 	
-	
 	// Setting data in Exheader
 	// Dependency List
-	memcpy(exhdrset->exHdr->dependencyList,depList,0x180);
+	memcpy(exhdrset->exHdr->dependencyList, dependency_list->dependency, 0x180);
 
 	// Backing Up Non Preset Data
 	u8 ProgramID[8];
 	exhdr_StorageInfo StorageInfoBackup;
 	exhdr_ARM9AccessControlInfo Arm9Desc;
-	memcpy(ProgramID,exhdrset->exHdr->arm11SystemLocalCapabilities.programId,8);
-	memcpy(&StorageInfoBackup,&exhdrset->exHdr->arm11SystemLocalCapabilities.storageInfo,sizeof(exhdr_StorageInfo));
-	memcpy(&Arm9Desc,&exhdrset->exHdr->arm9AccessControlInfo,sizeof(exhdr_ARM9AccessControlInfo));
+	memcpy(ProgramID, exhdrset->exHdr->arm11SystemLocalCapabilities.programId, 8);
+	memcpy(&StorageInfoBackup, &exhdrset->exHdr->arm11SystemLocalCapabilities.storageInfo, sizeof(exhdr_StorageInfo));
+	memcpy(&Arm9Desc, &exhdrset->exHdr->arm9AccessControlInfo, sizeof(exhdr_ARM9AccessControlInfo));
 	
 	// Setting Preset Data
-	memcpy(&exhdrset->exHdr->arm11SystemLocalCapabilities,desc,0x200);
+	memcpy(&exhdrset->exHdr->arm11SystemLocalCapabilities, desc->exheader_desc, 0x200);
 
 	// Restoring Non Preset Data
-	memcpy(exhdrset->exHdr->arm11SystemLocalCapabilities.programId,ProgramID,8);
-	memcpy(&exhdrset->exHdr->arm11SystemLocalCapabilities.storageInfo,&StorageInfoBackup,sizeof(exhdr_StorageInfo));
-	memcpy(&exhdrset->exHdr->arm9AccessControlInfo,&Arm9Desc,sizeof(exhdr_ARM9AccessControlInfo));
+	memcpy(exhdrset->exHdr->arm11SystemLocalCapabilities.programId, ProgramID, 8);
+	memcpy(&exhdrset->exHdr->arm11SystemLocalCapabilities.storageInfo, &StorageInfoBackup, sizeof(exhdr_StorageInfo));
+	memcpy(&exhdrset->exHdr->arm9AccessControlInfo, &Arm9Desc, sizeof(exhdr_ARM9AccessControlInfo));
 
 
 	// Setting AccessDesc Area
@@ -171,265 +164,46 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 		return accessdesc_SignWithKey(exhdrset);
 
 	// Otherwise set static data & ncch hdr sig info
-	memcpy(exhdrset->keys->rsa.cxiHdrPub,cxiPubk,0x100);
-	memcpy(exhdrset->keys->rsa.cxiHdrPvt,cxiPvtk,0x100);
-	memcpy(&exhdrset->acexDesc->signature,accessDescSig,0x100);
-	memcpy(&exhdrset->acexDesc->ncchRsaPubKey,cxiPubk,0x100);
-	memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities,accessDesc,0x200);
+	memcpy(exhdrset->keys->rsa.cxiHdrPub, pre_sign->modulus, 0x100);
+	memcpy(exhdrset->keys->rsa.cxiHdrPvt, pre_sign->priv_exponent, 0x100);
+	memcpy(&exhdrset->acexDesc->signature, pre_sign->access_desc_signature, 0x100);
+	memcpy(&exhdrset->acexDesc->ncchRsaPubKey, pre_sign->modulus, 0x100);
+	memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities, desc->signed_desc, 0x200);
 
 	return 0;
 }
 
-void accessdesc_GetPresetData(u8 **desc, u8 **accessDesc, u8 **depList, keys_struct *keys)
+const CtrSdkDesc* accessdesc_GetPresetData(keys_struct *keys)
 {
-	if(keys->accessDescSign.presetType == desc_preset_APP){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x1B:
-			case 0x1C:
-				*desc = (u8*)app_fw1B_desc_data;
-				*accessDesc = (u8*)app_fw1B_acex_data;
-				*depList = (u8*)fw1B_dep_list;
-				break;
-			case 0x1D:
-				*desc = (u8*)app_fw1D_desc_data;
-				*accessDesc = (u8*)app_fw1D_acex_data;
-				*depList = (u8*)fw1D_dep_list;
-				break;
-			case 0x1E:
-				*desc = (u8*)app_fw1E_desc_data;
-				*accessDesc = (u8*)app_fw1E_acex_data;
-				*depList = (u8*)fw1D_dep_list;
-				break;
-			case 0x20:
-				*desc = (u8*)app_fw20_desc_data;
-				*accessDesc = (u8*)app_fw20_acex_data;
-				*depList = (u8*)fw20_dep_list;
-				break;
-			case 0x21:
-				*desc = (u8*)app_fw21_desc_data;
-				*accessDesc = (u8*)app_fw21_acex_data;
-				*depList = (u8*)fw21_dep_list;
-				break;
-			case 0x23:
-				*desc = (u8*)app_fw23_desc_data;
-				*accessDesc = (u8*)app_fw23_acex_data;
-				*depList = (u8*)fw23_dep_list;
-				break;
-			case 0x27:
-				*desc = (u8*)app_fw27_desc_data;
-				*accessDesc = (u8*)app_fw27_acex_data;
-				*depList = (u8*)fw27_dep_list;
-				break;
-			
-		}
-	}
-	else if(keys->accessDescSign.presetType == desc_preset_EC_APP){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x20:
-				*desc = (u8*)ecapp_fw20_desc_data;
-				*accessDesc = (u8*)ecapp_fw20_acex_data;
-				*depList = (u8*)fw20_dep_list;
-				break;
-			case 0x23:
-				*desc = (u8*)ecapp_fw23_desc_data;
-				*accessDesc = (u8*)ecapp_fw23_acex_data;
-				*depList = (u8*)fw23_dep_list;
-				break;
-		}
-	}
-	else if(keys->accessDescSign.presetType == desc_preset_DLP){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x1B:
-			case 0x1C:
-				*desc = (u8*)dlp_fw1B_desc_data;
-				*accessDesc = (u8*)dlp_fw1B_acex_data;
-				*depList = (u8*)fw1B_dep_list;
-				break;
-			case 0x1D:
-				*desc = (u8*)dlp_fw1D_desc_data;
-				*accessDesc = (u8*)dlp_fw1D_acex_data;
-				*depList = (u8*)fw1D_dep_list;
-				break;
-			case 0x21:
-				*desc = (u8*)dlp_fw21_desc_data;
-				*accessDesc = (u8*)dlp_fw21_acex_data;
-				*depList = (u8*)fw21_dep_list;
-				break;
-		}
-	}
-	else if(keys->accessDescSign.presetType == desc_preset_DEMO){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x1E:
-				*desc = (u8*)demo_fw1E_desc_data;
-				*accessDesc = (u8*)demo_fw1E_acex_data;
-				*depList = (u8*)fw1D_dep_list;
-				break;
-			case 0x21:
-				*desc = (u8*)demo_fw21_desc_data;
-				*accessDesc = (u8*)demo_fw21_acex_data;
-				*depList = (u8*)fw21_dep_list;
-				break;
-		}
-	}
-	else if(keys->accessDescSign.presetType == desc_preset_FIRM){
-		switch(keys->accessDescSign.targetFirmware){
-			default:
-				*desc = (u8*)firm_fw26_desc_data;
-				*accessDesc = (u8*)firm_fw26_acex_data;
-				*depList = (u8*)firm_fwXX_dep_list;
-				break;
+	for (int i = 0; i < sizeof(kDescPresets) / sizeof(CtrSdkDesc); i++) {
+		if (kDescPresets[i].type == keys->accessDescSign.presetType && kDescPresets[i].fw_minor == keys->accessDescSign.targetFirmware) {
+			return &kDescPresets[i];
 		}
 	}
+	return NULL;
 }
 
-void accessdesc_GetPresetSigData(u8 **accessDescSig, u8 **cxiPubk, u8 **cxiPvtk, keys_struct *keys)
+const CtrSdkDescSignData* accessdesc_GetPresetSignData(keys_struct *keys)
 {
-	if(keys->accessDescSign.presetType == desc_preset_APP){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x1B:
-			case 0x1C:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)app_fw1B_dev_acexsig;
-					*cxiPubk = (u8*)app_fw1B_dev_hdrpub;
-					*cxiPvtk = (u8*)app_fw1B_dev_hdrpvt;
-				}
-				break;
-			case 0x1D:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)app_fw1D_dev_acexsig;
-					*cxiPubk = (u8*)app_fw1D_dev_hdrpub;
-					*cxiPvtk = (u8*)app_fw1D_dev_hdrpvt;
-				}
-				if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)app_fw1D_prod_acexsig;
-					*cxiPubk = (u8*)app_fw1D_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-			case 0x1E:
-				if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)app_fw1E_prod_acexsig;
-					*cxiPubk = (u8*)app_fw1E_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-			case 0x20:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)app_fw20_dev_acexsig;
-					*cxiPubk = (u8*)app_fw20_dev_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)app_fw20_prod_acexsig;
-					*cxiPubk = (u8*)app_fw20_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-			case 0x21:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)app_fw21_dev_acexsig;
-					*cxiPubk = (u8*)app_fw21_dev_hdrpub;
-					*cxiPvtk = (u8*)app_fw21_dev_hdrpvt;
-				}
-				else if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)app_fw21_prod_acexsig;
-					*cxiPubk = (u8*)app_fw21_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-			case 0x23:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)app_fw23_dev_acexsig;
-					*cxiPubk = (u8*)app_fw23_dev_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				else if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)app_fw23_prod_acexsig;
-					*cxiPubk = (u8*)app_fw23_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-			case 0x27:
-				if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)app_fw27_prod_acexsig;
-					*cxiPubk = (u8*)app_fw27_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-			
-		}
-	}
-	else if(keys->accessDescSign.presetType == desc_preset_EC_APP){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x20:
-				if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)ecapp_fw20_prod_acexsig;
-					*cxiPubk = (u8*)ecapp_fw20_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-			case 0x23:
-				if(keys->keyset == pki_PRODUCTION){
-					*accessDescSig = (u8*)ecapp_fw23_prod_acexsig;
-					*cxiPubk = (u8*)ecapp_fw23_prod_hdrpub;
-					*cxiPvtk = NULL;
-				}
-				break;
-		}
-	}
-	else if(keys->accessDescSign.presetType == desc_preset_DLP){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x1B:
-			case 0x1C:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)dlp_fw1B_dev_acexsig;
-					*cxiPubk = (u8*)dlp_fw1B_dev_hdrpub;
-					*cxiPvtk = (u8*)dlp_fw1B_dev_hdrpvt;
-				}
-				break;
-			case 0x1D:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)dlp_fw1D_dev_acexsig;
-					*cxiPubk = (u8*)dlp_fw1D_dev_hdrpub;
-					*cxiPvtk = (u8*)dlp_fw1D_dev_hdrpvt;
-				}
-				break;
-			case 0x21:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)dlp_fw21_dev_acexsig;
-					*cxiPubk = (u8*)dlp_fw21_dev_hdrpub;
-					*cxiPvtk = (u8*)dlp_fw21_dev_hdrpvt;
-				}
-				break;
-		}
+	if (keys->keyset != pki_DEVELOPMENT) {
+		return NULL;
 	}
-	else if(keys->accessDescSign.presetType == desc_preset_DEMO){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x1E:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)demo_fw1E_dev_acexsig;
-					*cxiPubk = (u8*)demo_fw1E_dev_hdrpub;
-					*cxiPvtk = NULL;
-				}
- 				break;
-			case 0x21:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)demo_fw21_dev_acexsig;
-					*cxiPubk = (u8*)demo_fw21_dev_hdrpub;
-					*cxiPvtk = (u8*)demo_fw21_dev_hdrpvt;
-				}
- 				break;
+
+	for (int i = 0; i < sizeof(kDevDescSignData) / sizeof(CtrSdkDescSignData); i++) {
+		if (kDevDescSignData[i].type == keys->accessDescSign.presetType && kDevDescSignData[i].fw_minor == keys->accessDescSign.targetFirmware) {
+			return &kDevDescSignData[i];
 		}
 	}
-	else if(keys->accessDescSign.presetType == desc_preset_FIRM){
-		switch(keys->accessDescSign.targetFirmware){
-			case 0x26:
-				if(keys->keyset == pki_DEVELOPMENT){
-					*accessDescSig = (u8*)firm_fw26_dev_acexsig;
-					*cxiPubk = (u8*)firm_fw26_dev_hdrpub;
-					*cxiPvtk = NULL;
-				}
- 				break;
+	
+	return NULL;
+}
+
+const CtrSdkDepList* accessdesc_GetPresetDependencyList(keys_struct *keys)
+{
+	for (int i = 0; i < sizeof(kExheaderDependencyLists) / sizeof(CtrSdkDepList); i++) {
+		if (kExheaderDependencyLists[i].fw_minor == keys->accessDescSign.targetFirmware) {
+			return &kExheaderDependencyLists[i];
 		}
 	}
+	return NULL;
 }
\ No newline at end of file
diff --git a/makerom/code.c b/makerom/code.c
index cc79cd6c..483dfa41 100644
--- a/makerom/code.c
+++ b/makerom/code.c
@@ -15,7 +15,7 @@ typedef struct code_segment
 	u32 pageNum;
 
 	u32 size;
-	u8 *data;
+	const u8 *data;
 } code_segment;
 
 u32 SizeToPage(u32 memorySize)
diff --git a/makerom/desc/desc.h b/makerom/desc/desc.h
new file mode 100644
index 00000000..441d1a8b
--- /dev/null
+++ b/makerom/desc/desc.h
@@ -0,0 +1,33 @@
+#pragma once
+#include <stdint.h>
+
+enum SdkAppTypes {
+	desc_NotSpecified,
+	desc_Application,
+	desc_DlpChild,
+	desc_Demo,
+	desc_EcApplication, // intergrated in (Ext)Application since SDK 7
+	desc_ExtApplication, // Snake equivalent of desc_Application (128MB/804MHz/L2 Cache)
+	desc_ExtDlpChild, // Snake equivalent of desc_DlpChild (128MB/804MHz/L2 Cache)
+	desc_ExtDemo // Snake equivalent of desc_Demo (128MB/804MHz/L2 Cache)
+};
+
+typedef struct CtrSdkDepList {
+	uint32_t fw_minor;
+	uint8_t dependency[0x180];
+} CtrSdkDepList;
+
+typedef struct CtrSdkDesc {
+	uint32_t type;
+	uint32_t fw_minor;
+	uint8_t exheader_desc[0x200];
+	uint8_t signed_desc[0x200];
+} CtrSdkDesc;
+
+typedef struct CtrSdkDescSignData {
+	uint32_t type;
+	uint32_t fw_minor;
+	uint8_t modulus[0x100];
+	uint8_t priv_exponent[0x100];
+	uint8_t access_desc_signature[0x100];
+} CtrSdkDescSignData;
\ No newline at end of file
diff --git a/makerom/desc/dev_sigdata.h b/makerom/desc/dev_sigdata.h
index a8728e82..267a6f0f 100644
--- a/makerom/desc/dev_sigdata.h
+++ b/makerom/desc/dev_sigdata.h
@@ -1,203 +1,58 @@
 #pragma once
-
-/* CTR_SDK 1 (1.2.0) */
-// APP
-static const unsigned char app_fw1B_dev_hdrpub[0x100] =
-{
-	0x9B, 0x82, 0x9C, 0x19, 0x01, 0x73, 0x23, 0x50, 0x89, 0xE3, 0x0B, 0xC8, 0x8F, 0xFB, 0xA5, 0xE4, 0xFD, 0x44, 0xAE, 0x49, 0x32, 0xC7, 0xEF, 0x0A, 0x7E, 0x93, 0x95, 0xBA, 0xA2, 0x48, 0x4D, 0x8E, 0x18, 0x82, 0x34, 0x66, 0xFE, 0xDA, 0x7A, 0x45, 0x4A, 0x7D, 0xD5, 0x3C, 0xC6, 0x5C, 0xE0, 0x71, 0xFC, 0xD0, 0x82, 0xCC, 0xB2, 0xCF, 0x77, 0x0E, 0xAD, 0xCD, 0xD2, 0xAC, 0x1D, 0x66, 0x1B, 0xC1, 0xEA, 0xAC, 0x39, 0x96, 0x2C, 0x52, 0xDE, 0xFF, 0xF2, 0x74, 0xF6, 0xC5, 0xCA, 0x99, 0x31, 0x95, 0x13, 0xBB, 0x3F, 0xED, 0x30, 0xAE, 0x0A, 0xD3, 0x86, 0x0D, 0x0B, 0xF5, 0x56, 0x7D, 0x33, 0xBA, 0xA1, 0x39, 0xA2, 0xF5, 0xB6, 0x47, 0x78, 0x1F, 0xFD, 0x04, 0xA3, 0x49, 0xA9, 0x10, 0xD3, 0x41, 0x2E, 0x92, 0x7D, 0xE1, 0xA4, 0xA8, 0x02, 0x18, 0x01, 0x2C, 0xC2, 0x61, 0xB1, 0xAC, 0xCB, 0xB3, 0x7A, 0x64, 0xB1, 0xC3, 0xE6, 0x3B, 0x50, 0xAD, 0xDD, 0x55, 0xAB, 0x28, 0xDA, 0x59, 0xE7, 0x57, 0x6A, 0x76, 0x4F, 0x6B, 0x08, 0xD1, 0x61, 0x7D, 0x28, 0xD5, 0x88, 0x7B, 0x8E, 0x80, 0x78, 0xF3, 0xFF, 0x50, 0x00, 0xBD, 0x73, 0xFB, 0x62, 0xB3, 0xCA, 0xA8, 0x05, 0x48, 0xE6, 0xE6, 0x71, 0xB5, 0xAC, 0xDA, 0xE9, 0xC6, 0x1F, 0x9B, 0x72, 0x98, 0x2E, 0xFF, 0xB2, 0x9C, 0x36, 0x9F, 0x7E, 0x7D, 0x25, 0x65, 0x6F, 0xB0, 0x60, 0xB1, 0xB5, 0x5F, 0xCF, 0x74, 0x29, 0x91, 0x9D, 0xAB, 0x84, 0x97, 0x1A, 0x27, 0x5D, 0x69, 0x49, 0x16, 0xF8, 0x77, 0x31, 0x26, 0x3E, 0x6F, 0x97, 0x41, 0x4A, 0x26, 0xFD, 0x5B, 0xAB, 0x65, 0x77, 0x45, 0x1C, 0x76, 0x15, 0xDC, 0x1A, 0x63, 0x0F, 0x51, 0x2D, 0xA0, 0x07, 0x6E, 0xE5, 0x29, 0xD3, 0x37, 0x4B, 0xE5, 0x7F, 0xBB, 0x23, 0xD0, 0x2B, 0xB9, 0x76, 0x1F
-};
-
-static const unsigned char app_fw1B_dev_hdrpvt[0x100] =
-{
-	0x66, 0x9F, 0xB5, 0xC5, 0xA6, 0xB8, 0x45, 0xD8, 0xD3, 0x75, 0xFB, 0x03, 0xBB, 0x48, 0xF5, 0x7C, 0x7D, 0x4B, 0x02, 0xBD, 0x19, 0x7E, 0xE9, 0x98, 0x02, 0x5A, 0x00, 0xD8, 0x6E, 0x59, 0xCA, 0x9C, 0x78, 0x3E, 0x0C, 0xB8, 0xDF, 0x7C, 0x6C, 0x6E, 0x27, 0xAF, 0x8C, 0xB6, 0x13, 0xAD, 0x9D, 0x0C, 0x7C, 0x2B, 0x59, 0xF6, 0x1E, 0x16, 0x5D, 0x5A, 0x59, 0x86, 0x57, 0x7D, 0xEF, 0xD4, 0xBF, 0x82, 0xA4, 0x0C, 0x4D, 0xE0, 0x75, 0x95, 0xA6, 0xC6, 0x3F, 0x49, 0xC2, 0xC4, 0x5A, 0x63, 0xE8, 0x5D, 0x99, 0xEC, 0xDB, 0x4D, 0xFA, 0xEF, 0x10, 0x03, 0xF1, 0x15, 0xD1, 0x0B, 0x71, 0xAD, 0x24, 0x23, 0x08, 0x5C, 0x91, 0xD7, 0x17, 0x18, 0x69, 0x04, 0xAB, 0x23, 0x91, 0x62, 0x7D, 0xE8, 0xB5, 0x90, 0xF1, 0x5C, 0x09, 0x28, 0x8C, 0x51, 0xB7, 0x38, 0x02, 0x26, 0x78, 0x8C, 0xA2, 0x05, 0x07, 0x53, 0x7D, 0x99, 0x46, 0xFD, 0x12, 0x77, 0x32, 0x0E, 0xA8, 0x54, 0xE3, 0x32, 0x0E, 0x93, 0x05, 0x10, 0xFA, 0x59, 0x7A, 0x5D, 0x2E, 0xDE, 0x32, 0xE8, 0xE9, 0xF0, 0x27, 0x4E, 0x08, 0x83, 0x08, 0xD4, 0x92, 0x58, 0x4D, 0x6D, 0x34, 0x9F, 0xD9, 0xAF, 0xA9, 0x01, 0x62, 0xB5, 0x1A, 0x1D, 0x7E, 0x8D, 0xBB, 0x8A, 0x58, 0xBA, 0xFF, 0xB4, 0xD3, 0x75, 0xF3, 0x44, 0xE7, 0x13, 0x05, 0xC6, 0xC5, 0xA4, 0xD2, 0x6B, 0x18, 0x31, 0x9F, 0xBE, 0x42, 0x45, 0x82, 0x2E, 0x47, 0x9B, 0x26, 0x73, 0x28, 0xD7, 0x9A, 0x64, 0xA6, 0x3D, 0x38, 0x9C, 0x11, 0x36, 0x01, 0x5B, 0x82, 0x2F, 0x7E, 0xA8, 0xC4, 0x82, 0x15, 0x6C, 0x0B, 0xBA, 0x1C, 0x58, 0xF5, 0x81, 0xF9, 0x45, 0xA9, 0xC6, 0x05, 0x6A, 0x2C, 0xA6, 0xCF, 0xF5, 0xDF, 0xEB, 0xBB, 0xC0, 0x92, 0xE3, 0xA6, 0x9D, 0x23, 0x09, 0x09, 0x0E, 0x98, 0x39
-};
-
-static const unsigned char app_fw1B_dev_acexsig[0x100] =
-{
-	0x05, 0x90, 0xAF, 0x65, 0x16, 0x9F, 0x18, 0x2C, 0x17, 0x78, 0x9F, 0xDF, 0xB6, 0x37, 0xCF, 0x26, 0x9B, 0x1B, 0x75, 0x51, 0xB8, 0x57, 0xA3, 0x8F, 0xD7, 0x93, 0x19, 0x61, 0x81, 0x0D, 0x3D, 0xBC, 0x36, 0x50, 0x53, 0xDA, 0x7D, 0xA9, 0x7F, 0xAA, 0x3E, 0x51, 0x2C, 0x75, 0xA1, 0xB9, 0xB1, 0x56, 0xEB, 0x2A, 0x46, 0x21, 0xEC, 0x4F, 0xA7, 0x0C, 0xA1, 0xA8, 0xFD, 0xEE, 0xA3, 0x4A, 0xFD, 0x54, 0xB0, 0x3A, 0x49, 0x5C, 0x8F, 0x8D, 0xB2, 0xBC, 0x32, 0x50, 0x7E, 0x2C, 0x50, 0xD2, 0x1A, 0x6B, 0x61, 0xCB, 0x2A, 0xC9, 0x7E, 0x6E, 0x6A, 0xC8, 0xD6, 0x9B, 0x21, 0xE7, 0x3B, 0xB8, 0x39, 0x1C, 0xD7, 0xEB, 0x69, 0x35, 0xF5, 0xBC, 0xB5, 0x23, 0x54, 0x81, 0x4F, 0x73, 0xAB, 0x9C, 0x55, 0xF0, 0x04, 0x0B, 0x4A, 0xEA, 0x54, 0x08, 0xBF, 0x36, 0x28, 0x12, 0x5E, 0x44, 0x41, 0xF5, 0x3D, 0xFE, 0xA7, 0x6B, 0x35, 0xF2, 0x9A, 0xF2, 0x88, 0xCD, 0xD6, 0x2E, 0x7B, 0xF3, 0xF5, 0x0D, 0x06, 0x2E, 0x13, 0x4F, 0x78, 0xEE, 0x27, 0xAB, 0x31, 0x06, 0x62, 0xE9, 0xB2, 0x3E, 0xC6, 0x99, 0xD7, 0xA9, 0xCC, 0x21, 0x70, 0xD7, 0xCD, 0x9F, 0x03, 0x66, 0x91, 0x7E, 0xBD, 0x3E, 0x83, 0xC4, 0xFF, 0xC9, 0xAA, 0x7E, 0x27, 0xAE, 0x5C, 0x37, 0x7D, 0x93, 0x57, 0x60, 0xB9, 0x0B, 0x71, 0x43, 0x8A, 0x2F, 0x43, 0x50, 0x94, 0xF8, 0x0D, 0x40, 0xCC, 0x64, 0x16, 0x09, 0x70, 0xCD, 0x03, 0xCA, 0x95, 0x30, 0x20, 0xE2, 0x85, 0x2F, 0x2A, 0xCF, 0x65, 0xAA, 0xE9, 0xCF, 0x1F, 0x57, 0xC1, 0x8F, 0xD5, 0x46, 0x51, 0x5A, 0x99, 0x60, 0x65, 0x93, 0xA9, 0xBB, 0xEA, 0x5F, 0xA0, 0x47, 0xD7, 0x11, 0x04, 0xC7, 0xB4, 0x82, 0x66, 0x24, 0x17, 0x17, 0x5E, 0x9D, 0xC8, 0x50, 0x80, 0x63, 0x28, 0xB3, 0xF8, 0xE3
-};
-
-// DLP
-static const unsigned char dlp_fw1B_dev_hdrpub[0x100] =
-{
-	0xD9, 0xF0, 0xC9, 0x35, 0x1E, 0x55, 0xD8, 0x7E, 0x96, 0x53, 0x33, 0x34, 0xBB, 0x8A, 0xAE, 0x03, 0x92, 0x35, 0xE2, 0x05, 0x58, 0x7C, 0xCC, 0x08, 0xB2, 0xDF, 0x43, 0x41, 0xB7, 0x7A, 0xB5, 0x29, 0xEE, 0x4E, 0xF3, 0xC7, 0x35, 0x3B, 0x7E, 0xC5, 0xEE, 0x74, 0xF0, 0xAA, 0x7E, 0x60, 0xF1, 0x28, 0x35, 0x17, 0xD6, 0xC9, 0x9A, 0xF2, 0x84, 0xFE, 0xC8, 0x93, 0x86, 0xF7, 0xA7, 0x36, 0xA6, 0xB0, 0x28, 0xDC, 0xE8, 0x38, 0x0B, 0x54, 0x42, 0x8D, 0x4E, 0x4B, 0x55, 0x0F, 0x4A, 0x0D, 0x72, 0xA0, 0x23, 0xC9, 0x68, 0x22, 0x37, 0x31, 0x88, 0x2C, 0x05, 0x49, 0x86, 0x80, 0x9A, 0xFC, 0x1D, 0x02, 0xE3, 0x20, 0x15, 0x0C, 0x7E, 0x28, 0x40, 0x57, 0xEF, 0xA7, 0xBC, 0xAA, 0xC5, 0xD6, 0xD7, 0x6F, 0xF9, 0x26, 0x9A, 0x32, 0xB2, 0x9E, 0x10, 0x5F, 0x93, 0xE6, 0xB2, 0xC6, 0xB2, 0x62, 0x34, 0x6A, 0xB0, 0xD9, 0x71, 0x3B, 0x0F, 0x34, 0x6C, 0xB1, 0xFE, 0x3A, 0x39, 0xDE, 0x3D, 0x6A, 0xCB, 0x32, 0x95, 0xFA, 0x18, 0x4F, 0xF4, 0xEB, 0x5F, 0x20, 0xE4, 0xEF, 0x64, 0xC5, 0x06, 0x27, 0xC3, 0x44, 0x2A, 0x39, 0x35, 0xD8, 0x00, 0xDF, 0x00, 0xAD, 0xC4, 0x98, 0x06, 0x52, 0xD8, 0x4A, 0xC5, 0x2A, 0x7F, 0x77, 0x50, 0x62, 0x7E, 0x05, 0x3E, 0x8C, 0x28, 0x0A, 0x26, 0xD2, 0x6C, 0x9B, 0x27, 0x65, 0xE9, 0x77, 0x68, 0xE9, 0xE6, 0xAA, 0xBA, 0xF5, 0x85, 0xFC, 0x75, 0x07, 0x84, 0xB2, 0xCA, 0x35, 0x85, 0x52, 0x10, 0x08, 0xEF, 0x85, 0xD3, 0x70, 0x17, 0x31, 0xE1, 0x44, 0xF6, 0x34, 0xDF, 0x7C, 0x42, 0xF7, 0x74, 0xAA, 0xFC, 0xC3, 0xE4, 0x84, 0x2D, 0xBF, 0x15, 0x1E, 0x84, 0x00, 0xE3, 0x80, 0xD7, 0x89, 0x56, 0xEE, 0x60, 0x09, 0x1F, 0xD3, 0xBF, 0xBF, 0x50, 0x8F, 0xA3, 0x0C, 0x72, 0x3F
-};
-
-static const unsigned char dlp_fw1B_dev_hdrpvt[0x100] =
-{
-	0x10, 0x19, 0x3A, 0x33, 0xA3, 0x47, 0x02, 0x13, 0xEF, 0xB4, 0xBB, 0x9E, 0x94, 0x8F, 0xDC, 0xE4, 0xC4, 0xA3, 0x18, 0x4B, 0xFE, 0xCA, 0x51, 0x23, 0xFF, 0x5A, 0x80, 0x94, 0x55, 0x22, 0x4A, 0x49, 0x8B, 0xA1, 0xE7, 0x5D, 0xFA, 0xAF, 0xA7, 0x60, 0xA5, 0x89, 0x9B, 0xD1, 0x6C, 0x3E, 0x6A, 0xF1, 0xE6, 0x62, 0x19, 0x6A, 0x90, 0xF8, 0x83, 0x1C, 0x72, 0xE2, 0x7A, 0xE0, 0xC6, 0x48, 0x42, 0x2D, 0xD7, 0x06, 0xE2, 0x5C, 0x69, 0x71, 0xD2, 0xEC, 0xAF, 0x30, 0xDF, 0x5A, 0x9E, 0xC4, 0xB9, 0x87, 0xDC, 0xBC, 0xDE, 0xE5, 0x50, 0x20, 0x67, 0x87, 0xA0, 0xE8, 0x5A, 0x78, 0x1B, 0x7A, 0xAE, 0x05, 0xED, 0x93, 0x0C, 0x1A, 0xFD, 0x22, 0xAA, 0x06, 0x14, 0xDC, 0xD6, 0x11, 0xE3, 0x45, 0x48, 0x6A, 0xAC, 0x03, 0xCE, 0xF6, 0x19, 0xBD, 0x95, 0x46, 0x0A, 0x1D, 0xCB, 0x6C, 0xE3, 0xF6, 0x5F, 0x1A, 0xB3, 0x81, 0xC7, 0xE2, 0xAB, 0xFE, 0xEF, 0xFB, 0xEC, 0xFE, 0x88, 0x36, 0x26, 0x60, 0x47, 0x43, 0x78, 0x36, 0xA7, 0xC8, 0xC9, 0x40, 0x98, 0x2E, 0xF2, 0x7E, 0xE4, 0x0D, 0x6C, 0x45, 0x88, 0x2A, 0x32, 0x9B, 0xA2, 0x7C, 0x39, 0x20, 0xAA, 0x6B, 0x64, 0x35, 0xC6, 0xA9, 0x20, 0x71, 0x4A, 0x78, 0x6E, 0x55, 0x3C, 0x9B, 0xEA, 0x10, 0x73, 0xBB, 0xA7, 0xD8, 0xFE, 0x69, 0x42, 0xB8, 0xE7, 0xA1, 0xE5, 0xDF, 0x8A, 0xDE, 0x4C, 0x2B, 0x3A, 0x92, 0xB8, 0x3E, 0x5E, 0x2C, 0x29, 0x0D, 0xC1, 0x3D, 0x10, 0x65, 0x1E, 0xF1, 0x95, 0xE5, 0xF6, 0x45, 0x15, 0xBF, 0xE2, 0x30, 0xA6, 0x70, 0x19, 0xA4, 0x11, 0x57, 0x12, 0x1C, 0x81, 0x4B, 0x54, 0x04, 0xBE, 0x67, 0xF5, 0x00, 0x22, 0x06, 0xDA, 0x6B, 0xCE, 0x23, 0x3F, 0x86, 0xE4, 0x70, 0x6A, 0xD1, 0x3E, 0xE5, 0x74, 0x44, 0x86, 0xDA, 0xBE, 0x79
-};
-
-static const unsigned char dlp_fw1B_dev_acexsig[0x100] = 
-{
-	0x13, 0xB2, 0xF4, 0x89, 0xBB, 0xB4, 0xFF, 0x55, 0x7E, 0x3E, 0x9B, 0x90, 0x44, 0x45, 0xC6, 0x8A, 0x17, 0x32, 0x91, 0x77, 0x7D, 0xCB, 0x4A, 0x26, 0x3D, 0xCA, 0xD8, 0x6E, 0x72, 0x27, 0x93, 0x9C, 0xE4, 0x27, 0xFE, 0x54, 0xDC, 0xE7, 0xDC, 0x02, 0x17, 0x9C, 0x82, 0xA8, 0xB0, 0xE8, 0x69, 0x07, 0xE3, 0x34, 0x0E, 0xBF, 0x17, 0x05, 0x58, 0x23, 0x5F, 0x6D, 0xDA, 0xE8, 0xC6, 0xEE, 0x49, 0x29, 0xEF, 0xD7, 0x48, 0x48, 0x41, 0xE2, 0x2A, 0x57, 0x2B, 0x21, 0x13, 0x64, 0xD4, 0x79, 0x5A, 0xE3, 0x84, 0xDA, 0x63, 0x9A, 0x07, 0x39, 0xE2, 0x7E, 0xA7, 0x56, 0x34, 0x1C, 0xE2, 0xAF, 0xCD, 0x65, 0xD1, 0xC0, 0x1B, 0x72, 0xB1, 0x1D, 0xFC, 0xE2, 0x6E, 0x0F, 0xC7, 0xB0, 0xF5, 0x84, 0x0F, 0xA5, 0x2B, 0xDF, 0x3A, 0xCF, 0x43, 0xE8, 0xE4, 0x07, 0x29, 0xC6, 0x41, 0x0E, 0x7B, 0xEE, 0x35, 0xF9, 0xFC, 0xE7, 0x15, 0xF3, 0x8C, 0x3A, 0xB4, 0x77, 0xBD, 0x88, 0x70, 0x83, 0x4A, 0x03, 0x9E, 0x01, 0x9B, 0xBB, 0xD2, 0xE4, 0xA5, 0xBE, 0xF7, 0x80, 0x92, 0x5A, 0x9F, 0x14, 0x9B, 0x49, 0x5D, 0x3D, 0xDC, 0x32, 0x34, 0x7E, 0xC0, 0xD4, 0xAC, 0xDA, 0x8C, 0xF7, 0xA1, 0xE1, 0xCA, 0x29, 0xF5, 0x58, 0x5E, 0xEB, 0x02, 0xB6, 0x67, 0x42, 0x89, 0x46, 0x4C, 0xA6, 0xA8, 0xBD, 0xEB, 0xEB, 0xDD, 0x8F, 0x2E, 0x72, 0x26, 0x49, 0x70, 0x01, 0x7D, 0x5B, 0x03, 0x06, 0x2C, 0x92, 0x1E, 0x55, 0xB2, 0xDA, 0xD7, 0x0D, 0x70, 0x74, 0x42, 0xD5, 0x62, 0x42, 0x3C, 0xC1, 0x70, 0x8E, 0x67, 0xB1, 0xD9, 0xF3, 0x7E, 0xB2, 0xBA, 0x6D, 0x0F, 0x42, 0x65, 0x24, 0x79, 0xE8, 0x8F, 0xB4, 0x4B, 0x32, 0x35, 0xCA, 0x39, 0x70, 0xFE, 0x8E, 0x81, 0x49, 0x73, 0x8D, 0x3C, 0xCD, 0x60, 0xAF, 0xA3, 0x52, 0x45, 0xEE
-};
-
-/* CTR_SDK 2 (2.3.4) */
-// APP
-static const unsigned char app_fw1D_dev_hdrpub[0x100] =
-{
-	0xE9, 0x45, 0xF0, 0xC6, 0x96, 0xD5, 0x6F, 0x7E, 0xAE, 0x03, 0x92, 0x2E, 0xEA, 0xCB, 0xFD, 0xEA, 0xA4, 0x7A, 0x9F, 0x12, 0xDA, 0x4C, 0x10, 0x0A, 0xBE, 0x08, 0x9D, 0x87, 0xE0, 0x14, 0xAC, 0x7F, 0x39, 0xD2, 0xFE, 0x9D, 0x88, 0xB2, 0x81, 0xF6, 0x1A, 0x9E, 0x15, 0x57, 0xD4, 0xE2, 0x31, 0x08, 0x07, 0xEC, 0x4F, 0x10, 0x00, 0xDE, 0xEF, 0x8B, 0x6F, 0xCF, 0x84, 0xE7, 0x3B, 0x41, 0x08, 0x64, 0x3B, 0x1C, 0x00, 0x7C, 0x73, 0xBB, 0x59, 0x4D, 0xD8, 0xD6, 0xE7, 0x7B, 0xBE, 0xDD, 0x50, 0x98, 0xA1, 0x1A, 0xD5, 0xAA, 0x37, 0x69, 0xB8, 0x25, 0xCB, 0x7B, 0x03, 0x00, 0x90, 0x25, 0xF3, 0x7E, 0x9A, 0x0F, 0xA3, 0xAA, 0xC4, 0xB9, 0x3B, 0x3A, 0x18, 0x2B, 0xBC, 0x9C, 0x11, 0x04, 0x92, 0x16, 0x6E, 0xC3, 0xFA, 0x01, 0xD3, 0x00, 0x02, 0xF3, 0x2E, 0xD5, 0x60, 0xA8, 0xAF, 0xAB, 0xEE, 0x2F, 0x9D, 0x30, 0x3E, 0x0E, 0xDC, 0xB8, 0xEC, 0x87, 0x9E, 0x4A, 0xA9, 0x01, 0x34, 0x69, 0x2C, 0x4C, 0x34, 0xB7, 0x7D, 0xB9, 0x7A, 0x17, 0x74, 0x31, 0xB0, 0x29, 0xC4, 0x7D, 0x27, 0x1F, 0xBA, 0xBA, 0x3F, 0x5B, 0x62, 0xF6, 0x90, 0xB8, 0x37, 0x33, 0xFC, 0x73, 0xD6, 0x19, 0x11, 0xCA, 0x83, 0x2A, 0x58, 0x62, 0x9C, 0xB1, 0x83, 0x43, 0x1D, 0x2C, 0x00, 0xA2, 0xE5, 0x87, 0x97, 0x12, 0x63, 0x31, 0x83, 0x0E, 0xB1, 0x1E, 0x69, 0x99, 0x02, 0xAF, 0xDF, 0xFF, 0x0F, 0xA9, 0x7C, 0x1B, 0x33, 0x9E, 0xFF, 0x9C, 0x14, 0x19, 0xA6, 0xCA, 0xFD, 0xB9, 0x17, 0xE0, 0x22, 0xCF, 0xB5, 0x00, 0x77, 0x2E, 0x31, 0xAD, 0xF7, 0xE5, 0xAD, 0x98, 0x14, 0xDF, 0x19, 0xF0, 0xC9, 0xBE, 0x37, 0xF6, 0xF0, 0x23, 0x66, 0xCF, 0x34, 0xE3, 0xD5, 0x8F, 0xD4, 0x07, 0xBA, 0x06, 0x56, 0x00, 0x66, 0x9A, 0xEB, 0x93
-};
-
-static const unsigned char app_fw1D_dev_hdrpvt[0x100] =
-{
-	0xBC, 0x49, 0x29, 0xB9, 0x01, 0x52, 0x31, 0x76, 0x4C, 0xBA, 0xB1, 0x29, 0x91, 0x77, 0x29, 0xF2, 0x54, 0xE4, 0x6C, 0xB5, 0x68, 0xE1, 0xF0, 0x28, 0xDB, 0x8E, 0x54, 0xA8, 0xB1, 0xA3, 0xBE, 0x3F, 0xCA, 0xCA, 0x95, 0x9D, 0x4E, 0x12, 0xD7, 0x77, 0x6F, 0xB0, 0x9D, 0x85, 0x91, 0x5D, 0x29, 0x3A, 0x54, 0x3A, 0xD6, 0xEE, 0x11, 0xE5, 0xDF, 0xEF, 0xEA, 0x45, 0xD3, 0xFE, 0x58, 0x03, 0x7B, 0xE4, 0x7B, 0x19, 0x75, 0x02, 0xFE, 0xDE, 0xFF, 0x8C, 0x28, 0x33, 0xFE, 0x10, 0x11, 0xD4, 0xCD, 0x13, 0x05, 0x26, 0x85, 0xC3, 0xA8, 0x8A, 0x7A, 0x8A, 0x77, 0x1D, 0x49, 0x25, 0x11, 0x34, 0xB0, 0xBF, 0x45, 0x56, 0xCE, 0x42, 0x2E, 0x1B, 0x5C, 0xC4, 0xDD, 0x71, 0xA0, 0x01, 0x50, 0x73, 0x21, 0xFF, 0x5D, 0x54, 0x6D, 0xDD, 0x3F, 0x14, 0x49, 0x4D, 0x44, 0x46, 0x12, 0x88, 0xD5, 0x92, 0xAE, 0xE2, 0xD0, 0xF6, 0x2C, 0x10, 0xD5, 0x67, 0x61, 0x87, 0x7F, 0x2A, 0x17, 0x9D, 0x4F, 0xC6, 0x79, 0xC3, 0xAF, 0x4D, 0x6F, 0xFB, 0x0F, 0x3B, 0x48, 0x5D, 0x46, 0x9A, 0xE8, 0x53, 0xB7, 0xC5, 0x69, 0xEC, 0x31, 0x25, 0xD1, 0xDC, 0x93, 0xAB, 0x2E, 0x53, 0x3B, 0x8E, 0x96, 0x27, 0x59, 0xD4, 0xF7, 0xB3, 0xAB, 0x51, 0x59, 0xAE, 0x6E, 0x26, 0x4F, 0xC2, 0x95, 0xCE, 0x42, 0xC6, 0xAF, 0x46, 0xC6, 0x2E, 0x32, 0x09, 0x7B, 0xAF, 0x67, 0x4E, 0x57, 0xC8, 0x93, 0x5F, 0x8C, 0xD5, 0x66, 0x7B, 0xCC, 0xE9, 0xBE, 0x86, 0xB9, 0xBB, 0xD0, 0xC8, 0xD2, 0xDC, 0x5F, 0x95, 0x83, 0x28, 0x55, 0x21, 0x1E, 0xEE, 0xCF, 0x23, 0xB7, 0x6D, 0xE0, 0x9A, 0x87, 0x99, 0xFB, 0x82, 0x50, 0xD0, 0x2D, 0xC4, 0xFB, 0xA0, 0x11, 0x2F, 0xDD, 0x05, 0x7E, 0x1C, 0xE3, 0xFB, 0x98, 0x69, 0xD4, 0x49, 0x2F, 0x0D, 0xF6, 0x61
-};
-
-static const unsigned char app_fw1D_dev_acexsig[0x100] =
-{
-	0x62, 0xFE, 0xD9, 0x12, 0x3D, 0x99, 0x53, 0xC4, 0x20, 0x25, 0xDE, 0x59, 0xEA, 0x6E, 0xF3, 0x16, 0x5B, 0x36, 0xBA, 0x1C, 0xB3, 0xB5, 0x48, 0x37, 0xD2, 0xA4, 0x04, 0xE5, 0x14, 0xC6, 0xE7, 0x22, 0x14, 0x40, 0x6F, 0x92, 0x6A, 0x9B, 0xDF, 0xDE, 0xFA, 0xCE, 0x3C, 0xBB, 0x4B, 0xC4, 0x66, 0xA8, 0x86, 0x58, 0xAC, 0xEB, 0x2F, 0xB7, 0xA3, 0xEC, 0xEA, 0x31, 0x23, 0x61, 0xF6, 0x72, 0x1E, 0x26, 0x8A, 0x1D, 0x68, 0x2A, 0x2A, 0x21, 0x5A, 0xA2, 0x6A, 0xBD, 0xCE, 0xC0, 0x19, 0x08, 0x61, 0x64, 0xB3, 0xF6, 0x90, 0xB1, 0x34, 0xF8, 0x50, 0x6F, 0x83, 0xB6, 0x8D, 0x35, 0x12, 0x7F, 0x9C, 0x7B, 0x6E, 0x3C, 0x4E, 0xD1, 0xFD, 0xC3, 0x30, 0xD2, 0xE8, 0x7E, 0x15, 0x1F, 0xAD, 0xDB, 0x1D, 0x92, 0xDA, 0x8C, 0x4E, 0xE9, 0x84, 0x83, 0xFF, 0x1A, 0x09, 0x77, 0x05, 0x5A, 0xCF, 0x5C, 0x8B, 0x4F, 0x68, 0x36, 0xC8, 0xDA, 0x5B, 0x1A, 0x5A, 0x49, 0xF9, 0xA1, 0xF2, 0xC8, 0x02, 0xFD, 0x69, 0x1F, 0x1D, 0xB3, 0xE8, 0xF8, 0xE1, 0x6B, 0x15, 0x9A, 0x5E, 0x41, 0x84, 0x06, 0x1F, 0x2A, 0xB3, 0xB2, 0xA1, 0xDC, 0x63, 0x81, 0xB3, 0x6B, 0x4B, 0x21, 0x67, 0x19, 0x82, 0x52, 0xFE, 0x75, 0x96, 0xA1, 0xDF, 0x02, 0xD4, 0x07, 0x1F, 0x1B, 0x88, 0x12, 0x5A, 0x76, 0x54, 0xC4, 0x06, 0x2D, 0xB1, 0xAA, 0x41, 0x3C, 0x9F, 0x43, 0xA2, 0x75, 0x20, 0x39, 0xB6, 0x06, 0xF9, 0x9C, 0xFC, 0x00, 0xC5, 0xBC, 0x84, 0x13, 0x80, 0xE4, 0x10, 0x1A, 0xCD, 0x95, 0xBB, 0xF2, 0xDC, 0x57, 0x7B, 0xBA, 0x87, 0x05, 0x0B, 0x96, 0xC1, 0xCD, 0x60, 0xC7, 0x10, 0x44, 0x78, 0x0E, 0x0F, 0x2F, 0x91, 0x54, 0x6C, 0xDE, 0xB8, 0x14, 0x46, 0xF3, 0x9C, 0xAC, 0x7B, 0xAA, 0xE7, 0x1B, 0x52, 0xD6, 0xBE, 0x71, 0x97, 0x22
-};
-
-// DLP
-static const unsigned char dlp_fw1D_dev_hdrpub[0x100] =
-{
-	0xB9, 0xDE, 0x3D, 0xC0, 0x55, 0xB9, 0xCC, 0x3F, 0x55, 0xE0, 0x61, 0x1D, 0x6F, 0xCF, 0x3E, 0x7F, 0xE2, 0xF7, 0xF5, 0xAD, 0x5C, 0x02, 0x7F, 0x17, 0x5B, 0x44, 0x2F, 0x2D, 0xDC, 0xD4, 0xA6, 0x63, 0xD2, 0xA7, 0x82, 0xD3, 0x00, 0x77, 0xC8, 0x0B, 0x28, 0x09, 0x3D, 0x81, 0x86, 0x93, 0xF5, 0xF6, 0xE4, 0x69, 0x3B, 0x60, 0x4C, 0x7F, 0x8D, 0x72, 0xA3, 0x22, 0x42, 0x86, 0x87, 0x06, 0xD8, 0x29, 0x89, 0x8A, 0x9F, 0x5F, 0x6C, 0x06, 0x0C, 0x96, 0x84, 0x00, 0x24, 0x5D, 0x0B, 0xEA, 0x15, 0xEC, 0xAD, 0x90, 0xA4, 0x0C, 0x7B, 0xAE, 0x0E, 0x85, 0x3E, 0xA2, 0x20, 0x04, 0xE8, 0xD9, 0x59, 0x0F, 0x31, 0x0E, 0xD4, 0x5D, 0xC1, 0x18, 0xED, 0x0E, 0xB4, 0xD2, 0x5E, 0x65, 0xA2, 0x78, 0x0C, 0x76, 0x03, 0x3A, 0x71, 0x18, 0xE4, 0x38, 0x44, 0x14, 0xE0, 0x93, 0x84, 0xFE, 0x34, 0x82, 0xCA, 0x0B, 0xB8, 0xF2, 0x41, 0xAB, 0x63, 0xF3, 0xDE, 0xAE, 0xF4, 0x36, 0x81, 0xA4, 0x78, 0x7B, 0xF9, 0xA8, 0xFB, 0xC9, 0xA7, 0x6E, 0xA4, 0xD5, 0xE2, 0xA9, 0xD8, 0xD9, 0xE8, 0x98, 0x1B, 0x25, 0x75, 0x00, 0x11, 0x51, 0x97, 0x62, 0x0D, 0xF0, 0x0C, 0xE9, 0x6B, 0x0C, 0xEE, 0xCE, 0x25, 0x2C, 0x3F, 0xDF, 0xBE, 0x54, 0xD5, 0xD6, 0x5E, 0xEE, 0x1F, 0x73, 0xFC, 0xE8, 0xEC, 0xB3, 0x8A, 0x48, 0x9F, 0x6A, 0xC1, 0x63, 0x85, 0xE4, 0x94, 0x85, 0x8F, 0x3D, 0x9D, 0x43, 0xB4, 0xA7, 0x4C, 0x82, 0xA3, 0x0B, 0x67, 0x43, 0x12, 0x31, 0x77, 0x89, 0xB0, 0xD5, 0x00, 0x1B, 0x52, 0x29, 0xCE, 0x54, 0xC7, 0xC4, 0x7D, 0xB6, 0x69, 0x7B, 0xFE, 0xDC, 0xDB, 0x4E, 0xD8, 0x58, 0x42, 0x14, 0x34, 0x72, 0x64, 0xBC, 0x09, 0x6D, 0xAC, 0xD3, 0xC4, 0x1B, 0x5C, 0x8E, 0xF9, 0xBE, 0x84, 0xCD, 0x9A, 0x86, 0x4B, 0x17
-};
-
-static const unsigned char dlp_fw1D_dev_hdrpvt[0x100] =
-{
-	0xAA, 0x51, 0x62, 0x58, 0x9A, 0xB5, 0x74, 0xDA, 0x1C, 0xC1, 0x4D, 0x7C, 0x81, 0xF6, 0x70, 0x99, 0x13, 0xCC, 0x90, 0x0D, 0xD9, 0xA0, 0x58, 0x01, 0x79, 0x1A, 0x53, 0xF9, 0x3C, 0xC0, 0x87, 0xF0, 0x35, 0x1A, 0x56, 0xA1, 0x2F, 0x6E, 0x93, 0x9A, 0xD5, 0x87, 0x12, 0x1B, 0x5C, 0xCC, 0xBC, 0xB9, 0x0E, 0xB8, 0xF7, 0x35, 0xD9, 0x23, 0x90, 0xE4, 0x19, 0x64, 0xCD, 0x7D, 0x24, 0xC2, 0x3A, 0xD6, 0x65, 0x38, 0xE7, 0xAD, 0xB2, 0xF9, 0x20, 0x13, 0xD4, 0xC5, 0xA4, 0x8C, 0xB6, 0xDC, 0x3C, 0x56, 0xF2, 0xFC, 0xF5, 0xB6, 0x92, 0xA6, 0xFE, 0x9B, 0x4E, 0xB7, 0x95, 0x8B, 0xAA, 0x2B, 0x70, 0x96, 0xA1, 0x27, 0xAB, 0xA6, 0x75, 0xC9, 0x77, 0x80, 0xE0, 0x65, 0x5D, 0x26, 0xD8, 0xE8, 0x14, 0xD3, 0x17, 0x46, 0x38, 0x58, 0xCC, 0xD8, 0x5A, 0x5A, 0x9F, 0x27, 0xCE, 0xD8, 0x7A, 0x19, 0xD7, 0x35, 0xB2, 0x32, 0xAF, 0x47, 0x2E, 0x9F, 0x4B, 0x64, 0xEC, 0x1F, 0xC6, 0x40, 0xD0, 0x2C, 0x47, 0xD1, 0xEA, 0x33, 0xE5, 0x0E, 0x80, 0xFC, 0x68, 0xEC, 0x8C, 0x12, 0x33, 0xCE, 0x34, 0x28, 0x79, 0xFA, 0x05, 0x5D, 0x70, 0x15, 0xDE, 0xB1, 0x22, 0x85, 0x18, 0x63, 0x15, 0x35, 0x57, 0x04, 0x17, 0x64, 0x20, 0xC8, 0x52, 0x44, 0x64, 0x5E, 0x47, 0x4E, 0x5F, 0x80, 0x21, 0x16, 0x94, 0x4B, 0x18, 0x11, 0x36, 0x67, 0x3B, 0x6C, 0x69, 0x19, 0xCF, 0xC9, 0x05, 0x85, 0x9B, 0x3A, 0xDE, 0x12, 0x1E, 0x0A, 0xC6, 0x22, 0xA8, 0xC7, 0x9A, 0x34, 0x14, 0x98, 0xFD, 0xD9, 0x0F, 0xE8, 0x64, 0xE6, 0x89, 0x63, 0x6E, 0x17, 0x76, 0xD7, 0x1B, 0x6F, 0x92, 0x00, 0xD8, 0xBB, 0xF6, 0xA0, 0x65, 0x9D, 0xAA, 0x7A, 0x0E, 0x4B, 0x56, 0xA5, 0x33, 0xDA, 0x3F, 0x5D, 0xFE, 0xD3, 0xAD, 0x6E, 0x0E, 0xB3, 0xD4, 0x41
-};
-
-static const unsigned char dlp_fw1D_dev_acexsig[0x100] =
-{
-	0x97, 0x84, 0x97, 0xEE, 0x4F, 0x35, 0xCC, 0xBE, 0x08, 0xB4, 0x5D, 0x7E, 0x17, 0xC3, 0x94, 0x2B, 0x4D, 0x3A, 0xA5, 0xB5, 0x01, 0xD4, 0xAE, 0x2A, 0x90, 0x26, 0x21, 0x8F, 0x56, 0x05, 0xB9, 0xA2, 0x5E, 0xCE, 0x73, 0xC7, 0x42, 0xDC, 0x99, 0xD2, 0x7C, 0x08, 0x62, 0xBF, 0x10, 0x7A, 0xC1, 0x5D, 0x22, 0x53, 0x8F, 0x63, 0x2D, 0x73, 0xF3, 0x05, 0xDA, 0x9D, 0x6A, 0xF8, 0xB9, 0x5B, 0x80, 0xB4, 0x30, 0xB3, 0x11, 0xF7, 0x96, 0x8A, 0xCF, 0x70, 0xD7, 0x62, 0x6E, 0x99, 0x32, 0xFD, 0x74, 0x34, 0x16, 0xFD, 0x17, 0x1F, 0xB1, 0xEC, 0xA4, 0x0F, 0x52, 0x13, 0x9F, 0x62, 0x0D, 0xE0, 0x50, 0xA6, 0xA0, 0x7B, 0x69, 0x95, 0xE0, 0xE9, 0xBB, 0x38, 0x0C, 0x62, 0xE0, 0xE3, 0xCE, 0x82, 0xE0, 0xB9, 0xE0, 0xF6, 0x61, 0x50, 0xBF, 0xA8, 0x18, 0x15, 0x38, 0xFE, 0xFA, 0x8C, 0xBA, 0xA5, 0xB9, 0x9C, 0x05, 0xA6, 0x91, 0x5C, 0xA7, 0x13, 0x6F, 0x13, 0x3F, 0xF1, 0xF6, 0x68, 0xAF, 0x40, 0xEC, 0x27, 0xE0, 0x33, 0x6B, 0xCF, 0x26, 0x06, 0xF8, 0x6A, 0x13, 0x6C, 0xBC, 0xDB, 0xAF, 0x6F, 0x78, 0xA0, 0x80, 0x10, 0x8F, 0xB6, 0x91, 0x5A, 0x43, 0x2C, 0x5F, 0x1D, 0xBA, 0xB4, 0x5E, 0xBE, 0xAE, 0x53, 0x09, 0x17, 0x5B, 0x6C, 0xC1, 0x5E, 0x0F, 0x72, 0x6E, 0xD6, 0x10, 0x0B, 0xC3, 0x26, 0xDC, 0xAF, 0xCA, 0x28, 0xAB, 0x00, 0x67, 0x04, 0xE3, 0x54, 0xE8, 0x95, 0xC6, 0x23, 0xB6, 0x79, 0x70, 0xA4, 0x87, 0x6D, 0x12, 0x48, 0xCC, 0x11, 0x86, 0xEC, 0x82, 0xF4, 0x30, 0xC9, 0xB1, 0x6D, 0x08, 0xA7, 0xEA, 0x8C, 0x6A, 0x97, 0xAA, 0x89, 0xD5, 0xC5, 0x07, 0xA9, 0xD5, 0xCF, 0x09, 0x08, 0xBC, 0x56, 0x63, 0x8D, 0x70, 0x2F, 0x64, 0xAF, 0x51, 0x9E, 0x22, 0xA4, 0x88, 0xF0, 0xDC, 0x56, 0x72, 0x28
-};
-
-// DEMO
-static const unsigned char demo_fw1E_dev_hdrpub[0x100] =
-{
-	0xC0, 0xBE, 0x2D, 0xAC, 0x4A, 0x1D, 0xCB, 0xDE, 0x84, 0x61, 0x0C, 0x29, 0x50, 0xEC, 0x7A, 0xF9, 0xA4, 0x96, 0x3B, 0x6E, 0xF7, 0xEC, 0x38, 0x25, 0x52, 0xB0, 0x6D, 0x71, 0xA4, 0x55, 0x61, 0x7C, 0xB4, 0xCA, 0x7F, 0x4D, 0xB0, 0xF2, 0x26, 0xE8, 0xDE, 0x11, 0x01, 0x3C, 0xFF, 0x11, 0xBE, 0x42, 0x7D, 0x80, 0xD6, 0xF0, 0xEB, 0x1E, 0xF5, 0x68, 0x48, 0x24, 0x65, 0x09, 0xA0, 0x29, 0x9B, 0xC3, 0xBB, 0x45, 0x7E, 0x49, 0xE7, 0x98, 0x0E, 0x5F, 0x3C, 0xCC, 0xA6, 0xC6, 0x13, 0xC5, 0xC6, 0x8C, 0x82, 0x8F, 0xEC, 0xF1, 0x6D, 0xDB, 0x9C, 0xE6, 0xAD, 0xB7, 0x3E, 0xD7, 0x29, 0xFC, 0x3B, 0x50, 0x1F, 0x92, 0x0B, 0x25, 0x91, 0x41, 0x32, 0xFE, 0xCE, 0xAF, 0x0D, 0x34, 0xC5, 0xA3, 0x2E, 0x1A, 0x41, 0xA1, 0xC4, 0x86, 0x8D, 0x94, 0x1E, 0x80, 0x58, 0x3E, 0x35, 0x58, 0x2D, 0x0C, 0xD1, 0x0E, 0x3E, 0x6C, 0xE3, 0xDC, 0x2B, 0x97, 0xDC, 0xEC, 0x3A, 0x0D, 0xDA, 0x8E, 0x14, 0x5F, 0x12, 0xDC, 0xD7, 0x19, 0xD1, 0xE9, 0xDA, 0xD9, 0x6D, 0x02, 0x4E, 0xFC, 0x9B, 0x41, 0x3E, 0x4A, 0x70, 0xD6, 0x81, 0x41, 0xF3, 0x7F, 0xC8, 0x6E, 0xAD, 0x58, 0x25, 0xC8, 0x92, 0xD6, 0x37, 0x10, 0x93, 0xEB, 0x1D, 0xCD, 0x80, 0x05, 0x9F, 0x85, 0x05, 0x75, 0x47, 0xFC, 0x3C, 0xA7, 0x6A, 0xF4, 0x32, 0x1D, 0x49, 0xF3, 0xAA, 0x26, 0xEB, 0x78, 0x02, 0xE6, 0xA7, 0x15, 0xC0, 0xE1, 0x76, 0x19, 0x61, 0x42, 0xEC, 0x58, 0x38, 0x5F, 0x6F, 0xA6, 0x61, 0x6D, 0x49, 0x07, 0x70, 0xFD, 0x08, 0x28, 0x41, 0xB7, 0xA7, 0x96, 0x0E, 0x94, 0x2E, 0xF9, 0x25, 0x29, 0x15, 0x92, 0x13, 0xFC, 0xA6, 0x0D, 0x40, 0x54, 0x2D, 0x9D, 0x4E, 0x19, 0x77, 0xB1, 0xFC, 0x27, 0x95, 0x8F, 0xDA, 0x99, 0xED, 0x2C, 0xD7, 0xE1
-};
-
-static const unsigned char demo_fw1E_dev_acexsig[0x100] =
-{
-	0x67, 0xC0, 0xA1, 0x00, 0x1D, 0xE0, 0x35, 0x62, 0x0F, 0xA7, 0xFE, 0xE7, 0xC5, 0x8B, 0x44, 0xFE, 0x1F, 0x61, 0x82, 0xFD, 0x42, 0xAF, 0x88, 0xAD, 0x44, 0xE2, 0x26, 0xFB, 0xFD, 0xA1, 0xFC, 0x3A, 0x9D, 0xCD, 0x1B, 0x2D, 0xD2, 0x40, 0x13, 0x85, 0x1C, 0x66, 0xCF, 0xF1, 0xF5, 0x1D, 0xF0, 0x5E, 0x54, 0xB5, 0xB9, 0x8A, 0xB2, 0x72, 0x91, 0xF5, 0x23, 0xF0, 0x58, 0xBA, 0xC0, 0x4D, 0x84, 0x77, 0x5A, 0x4D, 0x41, 0xBD, 0xBD, 0x07, 0x38, 0x3E, 0x42, 0x40, 0x94, 0x55, 0x21, 0xCF, 0x99, 0x89, 0xA7, 0xEC, 0xBA, 0x6D, 0x72, 0x3B, 0x98, 0xE1, 0x5A, 0x21, 0x57, 0x79, 0xBF, 0xC4, 0xC5, 0x0D, 0xBF, 0x76, 0x44, 0x88, 0xFE, 0x3D, 0x8A, 0x8A, 0x05, 0x85, 0x61, 0xBB, 0xB6, 0x76, 0x22, 0xF6, 0x59, 0x9E, 0x3B, 0x21, 0xF3, 0x23, 0xC7, 0x20, 0x34, 0x8E, 0xB7, 0xAB, 0xD0, 0x06, 0x56, 0x11, 0x92, 0x02, 0xF0, 0xB7, 0x1A, 0x4D, 0x85, 0xD5, 0x7A, 0x71, 0x75, 0x5D, 0x3A, 0x7D, 0x6F, 0xB7, 0xC2, 0xA6, 0xAF, 0xCF, 0x1C, 0x44, 0x61, 0xBB, 0xE7, 0x03, 0x7D, 0x2E, 0xE9, 0xC2, 0x0D, 0x89, 0xD9, 0x4B, 0x4D, 0x88, 0xB8, 0x81, 0xB5, 0x86, 0x45, 0xAE, 0x59, 0xA5, 0x8D, 0x68, 0x80, 0x00, 0x05, 0x53, 0x27, 0x89, 0xC9, 0x20, 0x1E, 0x9F, 0xDE, 0xAE, 0x7C, 0x98, 0xAC, 0xAC, 0x78, 0x80, 0x7B, 0x3A, 0x1E, 0xA6, 0x4E, 0x03, 0xD3, 0x00, 0xDD, 0x1E, 0xEB, 0x01, 0x9A, 0xDE, 0xAE, 0xF4, 0x84, 0x44, 0xBC, 0x4B, 0xD5, 0xDE, 0x23, 0xF0, 0x3C, 0xA4, 0x57, 0x70, 0x25, 0x2C, 0x93, 0x3D, 0xA5, 0x17, 0xCF, 0x1B, 0x0A, 0xDF, 0x4F, 0x21, 0x71, 0x05, 0xF4, 0xE4, 0x6F, 0xE2, 0xC3, 0x50, 0x74, 0xA9, 0x09, 0x61, 0x1D, 0x81, 0xC9, 0xA3, 0x1F, 0x82, 0x2D, 0x8F, 0xDB, 0x5A, 0x62, 0xB0
-};
-
-/* CTR_SDK 3 (3.2.5) */
-// APP
-static const unsigned char app_fw20_dev_hdrpub[0x100] =
-{
-	0xC4, 0xF6, 0x84, 0x47, 0xF0, 0xF0, 0x5D, 0x2B, 0x06, 0xE0, 0xC6, 0x73, 0xE2, 0x43, 0x9F, 0x57, 0xAA, 0x48, 0xCE, 0xB8, 0xEA, 0xBD, 0xA1, 0x84, 0x06, 0xFC, 0xF5, 0x7D, 0xA0, 0x37, 0x79, 0xA6, 0x27, 0xF0, 0xFE, 0xE8, 0x7E, 0xF1, 0x9E, 0xC0, 0x7A, 0x0A, 0x40, 0x86, 0x20, 0x52, 0x61, 0x4D, 0xAB, 0x50, 0xC5, 0x93, 0xEB, 0x2C, 0x36, 0x10, 0xAA, 0xEF, 0x32, 0x28, 0x5C, 0x82, 0xF7, 0x58, 0xE5, 0x2E, 0xC0, 0xEA, 0x0F, 0xB9, 0x90, 0x64, 0x0D, 0x44, 0x39, 0x36, 0x4E, 0x0D, 0x8A, 0xBF, 0xEB, 0x95, 0x98, 0x29, 0x27, 0xCF, 0xDC, 0x66, 0xE4, 0xCD, 0xE9, 0xC7, 0x9F, 0xF8, 0x1F, 0x64, 0xB0, 0x47, 0x91, 0x82, 0x54, 0x8D, 0x87, 0xD3, 0xE0, 0xA9, 0xFF, 0xE5, 0x78, 0xE9, 0x35, 0x55, 0x57, 0x28, 0x8C, 0x8B, 0x54, 0x63, 0xB7, 0x36, 0xFB, 0x85, 0xDD, 0xB2, 0x54, 0x14, 0xAD, 0x39, 0xDE, 0x88, 0x91, 0xCB, 0xD6, 0xF0, 0x0C, 0xB7, 0xEC, 0x91, 0x48, 0x1C, 0xB9, 0xB3, 0xEB, 0x90, 0xBC, 0xAC, 0x00, 0x40, 0x35, 0x45, 0xD4, 0x71, 0x6A, 0x14, 0x65, 0x3E, 0x3C, 0xEA, 0xAE, 0xE0, 0xFE, 0xE6, 0x71, 0xA2, 0x51, 0x2A, 0x15, 0x70, 0xC1, 0x3D, 0x70, 0x29, 0xAE, 0xFC, 0x21, 0x66, 0x06, 0x8B, 0x66, 0xE4, 0xE9, 0x4D, 0x6A, 0x9D, 0x66, 0xDA, 0x64, 0x2B, 0xE8, 0xF3, 0x8E, 0x31, 0xF0, 0xC2, 0x12, 0x02, 0x39, 0x73, 0x41, 0x4E, 0xF5, 0x91, 0x43, 0x9D, 0x1E, 0x51, 0xE6, 0x2D, 0x4C, 0x8F, 0xA0, 0x21, 0x2A, 0x38, 0x69, 0x3C, 0xB6, 0x9F, 0xF9, 0xBB, 0x8B, 0xFF, 0x72, 0x3A, 0x74, 0x7C, 0xCC, 0x49, 0x5B, 0x40, 0x25, 0x41, 0xE2, 0x2F, 0xEB, 0x3B, 0xD4, 0xE5, 0x14, 0x0F, 0x83, 0x43, 0x63, 0x30, 0x75, 0x5E, 0x4B, 0x29, 0x94, 0x65, 0xF8, 0xDC, 0x6D, 0x5B, 0xC1, 0xB1
-};
-
-static const unsigned char app_fw20_dev_acexsig[0x100] =
-{
-	0x48, 0xAB, 0x7A, 0x3E, 0x55, 0x05, 0x84, 0x09, 0x4E, 0x70, 0xD2, 0x42, 0x3C, 0xBA, 0x32, 0x8B, 0xB9, 0x9F, 0x9D, 0x16, 0x95, 0x19, 0xE7, 0xC7, 0x8E, 0x5B, 0x1D, 0xA3, 0x67, 0xC8, 0x9D, 0xD3, 0xCD, 0x82, 0x5A, 0x3D, 0xC0, 0xD6, 0xB9, 0x13, 0xBE, 0x3F, 0xE7, 0x5F, 0x36, 0x73, 0x71, 0x77, 0xCD, 0x7B, 0x40, 0x33, 0x25, 0xA6, 0xA5, 0xA2, 0x51, 0xC8, 0x40, 0x88, 0xC3, 0x7C, 0x8D, 0x29, 0xDE, 0xEB, 0xCB, 0x9B, 0x5D, 0xE3, 0xDA, 0x3D, 0x74, 0x4A, 0xDE, 0xE7, 0xE7, 0xC0, 0x85, 0x2E, 0x5E, 0x84, 0xE3, 0x1B, 0x24, 0x0B, 0x82, 0x79, 0xEF, 0x1B, 0xAD, 0xD2, 0x6C, 0xE3, 0xDD, 0xC0, 0x03, 0xFD, 0x5E, 0xD9, 0x11, 0xE5, 0x65, 0x05, 0xED, 0x65, 0x79, 0x03, 0x59, 0xE7, 0x09, 0x63, 0x39, 0x9D, 0x51, 0x00, 0x2F, 0x5E, 0x65, 0xB1, 0xA7, 0x73, 0x1B, 0x1E, 0xC9, 0x27, 0x75, 0xB3, 0xF6, 0x7B, 0x36, 0x60, 0x57, 0x3F, 0xF7, 0x45, 0x83, 0x5D, 0x01, 0xD4, 0x02, 0xA7, 0xE5, 0xCE, 0x06, 0x63, 0xF9, 0x27, 0x9A, 0xF7, 0xA6, 0xD8, 0x5A, 0x72, 0xD1, 0x7F, 0x03, 0xE0, 0xA7, 0xD3, 0x47, 0xE9, 0xC2, 0xB3, 0x1C, 0xAE, 0x99, 0xD7, 0x08, 0x13, 0xE7, 0x5F, 0x8B, 0x8D, 0xD6, 0x71, 0xF4, 0x66, 0x0E, 0x71, 0x5E, 0xE0, 0x08, 0xA1, 0x19, 0x9A, 0x39, 0xBD, 0x29, 0x78, 0x75, 0x9F, 0xFE, 0x62, 0xD4, 0x52, 0xA0, 0x01, 0x7B, 0x16, 0x9C, 0x33, 0xFD, 0xBC, 0x05, 0xFB, 0xC4, 0xC9, 0x67, 0xF6, 0xE1, 0xE0, 0x15, 0xFF, 0x13, 0x78, 0x09, 0xDF, 0x1B, 0x6C, 0x29, 0x9F, 0xA7, 0x8D, 0x3D, 0x36, 0xEB, 0x28, 0x2E, 0x85, 0xF1, 0x99, 0x5B, 0x94, 0xB4, 0xB4, 0x47, 0x78, 0xE9, 0x74, 0xDA, 0x71, 0xA0, 0x72, 0xDC, 0x32, 0x55, 0x14, 0xE8, 0x63, 0xDA, 0xB4, 0x77, 0x58, 0x14, 0xC7
-};
-
-/* CTR_SDK 4 (4.2.8) */
-// APP
-static const unsigned char app_fw21_dev_hdrpub[0x100] =
-{
-	0xCF, 0xEC, 0xB2, 0x48, 0x03, 0x6D, 0xB8, 0x09, 0xE3, 0x5C, 0x6C, 0x62, 0x2C, 0xA9, 0x49, 0xE1, 0xF4, 0xF4, 0x0C, 0x6C, 0xC3, 0xE5, 0x2F, 0x9D, 0x50, 0xA0, 0x2B, 0x5A, 0x00, 0xC6, 0x72, 0x00, 0x0B, 0xA3, 0x04, 0x5D, 0x94, 0x46, 0xE7, 0x00, 0x1B, 0x48, 0x85, 0xB5, 0x61, 0x2C, 0xC9, 0x74, 0xCA, 0x2B, 0x43, 0x13, 0xC1, 0x78, 0x97, 0x5C, 0x33, 0x2F, 0x07, 0xC7, 0x85, 0xF0, 0xDA, 0xDB, 0x60, 0x96, 0x50, 0x0F, 0x7C, 0x4B, 0x7A, 0xD7, 0x17, 0x9D, 0xE4, 0xE5, 0xC3, 0xAB, 0x6F, 0x5D, 0xA5, 0x78, 0x32, 0xAD, 0x04, 0xDD, 0x96, 0x6E, 0xDC, 0x75, 0xFF, 0xC2, 0x2F, 0xFA, 0xA2, 0xEE, 0x46, 0x89, 0xCD, 0xAE, 0x69, 0x92, 0xA4, 0x48, 0xBC, 0x46, 0x47, 0xC4, 0x8C, 0x89, 0x63, 0xE1, 0x0A, 0x4D, 0x1C, 0xDC, 0x46, 0x2F, 0x5B, 0x70, 0x8A, 0x7C, 0xE9, 0x22, 0x9C, 0x09, 0x0B, 0xA8, 0x97, 0x40, 0xCA, 0x2A, 0x7D, 0x84, 0xA1, 0x04, 0x4A, 0x2E, 0xDB, 0xD7, 0xD0, 0x64, 0x43, 0x9C, 0xD0, 0x78, 0x11, 0x41, 0x88, 0x33, 0xDD, 0x31, 0x62, 0x90, 0x2D, 0x17, 0xF2, 0xC6, 0xA9, 0x2B, 0x9C, 0x70, 0xAB, 0xDC, 0xD3, 0xAB, 0x5D, 0xDA, 0xEE, 0x3D, 0x6C, 0x0E, 0x81, 0xFF, 0xF6, 0x67, 0x5A, 0x44, 0xF9, 0xAC, 0x07, 0x3D, 0x23, 0x94, 0x75, 0x65, 0x93, 0x20, 0x0C, 0xC5, 0x76, 0x1D, 0x0F, 0x65, 0x06, 0x3D, 0x21, 0xA2, 0xF0, 0x96, 0x80, 0xB7, 0x0A, 0x49, 0x53, 0x38, 0xA3, 0x5D, 0xC0, 0x74, 0x3C, 0xA4, 0xD9, 0x40, 0x36, 0x85, 0x1F, 0x8C, 0xD1, 0x2D, 0x15, 0xF9, 0xEF, 0x24, 0xA9, 0x7E, 0x9D, 0xB2, 0x1E, 0xF8, 0xA0, 0x72, 0x81, 0x17, 0x77, 0x73, 0xB1, 0x56, 0x7F, 0xAD, 0x05, 0xA2, 0xD2, 0x30, 0x5A, 0xF5, 0xD3, 0xAF, 0x0F, 0x10, 0x4A, 0x52, 0xD8, 0x09, 0x47, 0x97
-};
-
-static const unsigned char app_fw21_dev_hdrpvt[0x100] =
-{
-	0x8C, 0xBD, 0xB2, 0x3B, 0xCE, 0x9E, 0x51, 0x09, 0xD8, 0x6D, 0x72, 0x2B, 0xCE, 0x01, 0x55, 0x32, 0x6E, 0xC5, 0x57, 0x37, 0xB4, 0x2E, 0x09, 0x59, 0xD9, 0xFE, 0x60, 0xF9, 0xCE, 0x36, 0x85, 0x6A, 0x04, 0x76, 0x76, 0xF9, 0x04, 0xEA, 0x2D, 0x68, 0xC4, 0x0F, 0x05, 0xFA, 0xAD, 0x69, 0x4C, 0x80, 0x12, 0x6C, 0xD0, 0x3D, 0xAA, 0x22, 0xFF, 0x89, 0x78, 0x57, 0xE8, 0x53, 0x25, 0x15, 0xD0, 0x7E, 0xD8, 0x55, 0x46, 0xA2, 0x04, 0xC7, 0x6E, 0xC1, 0xF3, 0x89, 0x7C, 0x2C, 0x0E, 0x93, 0x97, 0x91, 0x72, 0xF4, 0xF6, 0x90, 0x69, 0x0F, 0xB8, 0xC9, 0x17, 0xCF, 0x83, 0xAC, 0xA5, 0x1F, 0x69, 0x74, 0x12, 0x29, 0x2B, 0x21, 0x58, 0xF2, 0xDA, 0xE3, 0x25, 0x16, 0x09, 0x74, 0x40, 0x90, 0xAB, 0x1B, 0xE4, 0x06, 0x28, 0x77, 0xED, 0xC6, 0x16, 0x86, 0x0A, 0x27, 0xDD, 0x03, 0x01, 0x4D, 0x9A, 0x26, 0x6E, 0xC8, 0x9F, 0xD3, 0x9A, 0x4B, 0x59, 0xD1, 0x10, 0x9B, 0xEB, 0xA9, 0x58, 0x72, 0xBD, 0xA1, 0xFE, 0x9D, 0x86, 0xED, 0x29, 0xE9, 0x29, 0x49, 0x62, 0x4B, 0xD8, 0x7D, 0x2A, 0x7A, 0x66, 0x1B, 0xE5, 0x04, 0x81, 0x56, 0x10, 0x50, 0xAF, 0xB8, 0x48, 0x27, 0xC1, 0xC9, 0x46, 0xBD, 0x3F, 0x16, 0x06, 0xA5, 0x3D, 0x04, 0x9F, 0x0D, 0x54, 0x71, 0x1C, 0xF4, 0x82, 0xC0, 0x66, 0x74, 0xEA, 0x9C, 0x83, 0x3C, 0x27, 0x01, 0xDF, 0x6F, 0x56, 0xA8, 0x1B, 0xE3, 0x68, 0x55, 0x9F, 0xAB, 0x90, 0x67, 0x20, 0x25, 0xFA, 0x3D, 0x51, 0x2A, 0x23, 0x16, 0xCB, 0x06, 0x5A, 0xAD, 0xAC, 0xC8, 0x47, 0xF9, 0x39, 0x2E, 0x6A, 0xF8, 0xFA, 0x0A, 0xE8, 0x8A, 0x64, 0x84, 0x6B, 0xED, 0xDA, 0x8F, 0x2A, 0x08, 0x86, 0x8F, 0x56, 0x69, 0x64, 0xC3, 0x98, 0x55, 0x37, 0x9A, 0x48, 0x40, 0xDA, 0xD5, 0x03, 0x21
-};
-
-static const unsigned char app_fw21_dev_acexsig[0x100] =
-{
-	0xDF, 0x1C, 0x8B, 0x98, 0xE4, 0x6F, 0xA2, 0x35, 0x6C, 0xC3, 0x18, 0x17, 0x98, 0xF3, 0xCE, 0x54, 0x7E, 0x14, 0x2E, 0x7F, 0x1E, 0xD8, 0x6D, 0xCF, 0xBC, 0x29, 0x4E, 0xFE, 0x32, 0x2E, 0xC1, 0x11, 0xAD, 0x46, 0x9A, 0xC6, 0x70, 0xEA, 0xEE, 0x28, 0x55, 0x22, 0xE1, 0x36, 0x05, 0x1C, 0x04, 0x8A, 0xCE, 0x0F, 0x0C, 0x83, 0x8F, 0xC8, 0xD6, 0xDE, 0x11, 0x8E, 0xEA, 0xCF, 0xAD, 0x9B, 0xCF, 0x81, 0x0D, 0xEB, 0x71, 0x13, 0xB3, 0xD3, 0xAE, 0x83, 0x02, 0x4C, 0x0E, 0x10, 0x50, 0x59, 0x3C, 0xEE, 0x60, 0x06, 0xFB, 0x8C, 0x7F, 0xC2, 0x20, 0x24, 0x01, 0x62, 0x55, 0x87, 0x60, 0x0F, 0xAD, 0xFA, 0x73, 0x2E, 0xF6, 0x65, 0x62, 0xD2, 0xE5, 0x10, 0x45, 0x69, 0x70, 0x39, 0x03, 0xD1, 0x39, 0xEC, 0x50, 0xC1, 0xD4, 0x25, 0x39, 0xB2, 0x90, 0x11, 0x4E, 0x95, 0xCB, 0x19, 0xEB, 0xCA, 0x0F, 0xB5, 0xFA, 0xC7, 0xB0, 0xE2, 0xD7, 0xE0, 0x71, 0xC3, 0xE5, 0x55, 0x33, 0x9E, 0x5C, 0xDC, 0x4D, 0x3B, 0x51, 0x11, 0x0D, 0x31, 0x78, 0x96, 0xCA, 0xD7, 0x18, 0x58, 0xEE, 0x00, 0xE9, 0x28, 0xF2, 0x68, 0x76, 0xD4, 0x57, 0xFE, 0x65, 0xB1, 0x4B, 0x49, 0x3F, 0xF6, 0xA6, 0x58, 0x4A, 0xC7, 0xFC, 0xC4, 0xBB, 0x61, 0xBC, 0x58, 0x8D, 0x55, 0x65, 0xE6, 0x0A, 0x79, 0x39, 0x41, 0xB8, 0x80, 0x61, 0xF7, 0x05, 0xC3, 0xFE, 0xD6, 0x8B, 0x09, 0x82, 0xC2, 0x5F, 0xA6, 0x56, 0xF9, 0xEE, 0x1D, 0x0E, 0x06, 0x3E, 0x9F, 0x3F, 0xF1, 0x93, 0x9A, 0x4F, 0xA2, 0xD5, 0x91, 0x87, 0x8A, 0xFE, 0xCF, 0xC3, 0xFC, 0x8A, 0xB1, 0xC4, 0x78, 0xE9, 0xD1, 0x1A, 0xF7, 0xB1, 0xD3, 0x20, 0xCB, 0x83, 0xBE, 0x03, 0xD5, 0xCA, 0xA5, 0x5E, 0x17, 0xA6, 0x91, 0x10, 0xD4, 0xBE, 0x23, 0xD6, 0x4B, 0x4F, 0x03, 0xA9, 0xAE
-};
-
-// DEMO
-static const unsigned char demo_fw21_dev_hdrpub[0x100] =
-{
-	0xB5, 0x11, 0x8D, 0x9E, 0x2D, 0xDB, 0x70, 0x6D, 0x6E, 0xEE, 0xAA, 0x21, 0xE0, 0x4E, 0x80, 0x0A, 0x96, 0x4A, 0x10, 0xD0, 0x9C, 0xD7, 0xD9, 0xD4, 0x94, 0x87, 0x72, 0xA2, 0xAF, 0x02, 0xA0, 0x05, 0x2E, 0xBF, 0x17, 0xEB, 0xFE, 0x5B, 0x9F, 0xB7, 0x0B, 0x1E, 0x3E, 0xF9, 0xAC, 0xBC, 0x7B, 0xB1, 0x56, 0x10, 0x24, 0x5F, 0x57, 0x2C, 0x08, 0xD0, 0x14, 0x79, 0x83, 0x84, 0x6A, 0x45, 0x25, 0xEB, 0xD9, 0xBE, 0x02, 0x21, 0xF7, 0x35, 0xC2, 0x74, 0x57, 0xC5, 0xAC, 0x34, 0x05, 0xC6, 0x9E, 0x82, 0xB8, 0xED, 0x78, 0xC4, 0x3B, 0xFD, 0x23, 0x59, 0x54, 0xD2, 0x0A, 0x0B, 0x5B, 0x25, 0xC0, 0x71, 0xC3, 0x84, 0x3A, 0xA7, 0xF9, 0x99, 0x86, 0xD8, 0xFE, 0x60, 0x10, 0x85, 0x77, 0x57, 0x76, 0x0C, 0x25, 0xE1, 0x18, 0x18, 0x3B, 0x83, 0xFD, 0x36, 0x7C, 0x84, 0x58, 0xC2, 0xC4, 0x68, 0x4F, 0xD1, 0xD7, 0x0A, 0x88, 0xFD, 0xCA, 0x97, 0xA1, 0xE5, 0xCE, 0x72, 0x63, 0xCF, 0x74, 0xD0, 0x20, 0xD9, 0xDE, 0x3F, 0xBB, 0x11, 0xF9, 0x21, 0xAB, 0x3F, 0x54, 0x41, 0xA7, 0xAA, 0xCA, 0xFC, 0xE1, 0x1A, 0x8C, 0x12, 0xC9, 0x39, 0x13, 0x5A, 0x81, 0x29, 0x49, 0xE8, 0xFB, 0x48, 0xC9, 0x4D, 0x50, 0x87, 0xAE, 0x51, 0xFB, 0x94, 0xFC, 0xF0, 0x9C, 0x70, 0x1C, 0xE8, 0x6E, 0x44, 0x53, 0x1E, 0x2F, 0x27, 0x5C, 0xB8, 0xEC, 0xBE, 0xFC, 0xD9, 0x98, 0x6A, 0x08, 0xD0, 0x5C, 0x4D, 0x78, 0x2D, 0x4D, 0x07, 0xAD, 0x5E, 0xB8, 0x51, 0x40, 0xE2, 0x2A, 0x7F, 0xB1, 0x54, 0x47, 0x5C, 0x99, 0x12, 0xC2, 0x6D, 0x5E, 0xED, 0x25, 0x30, 0x6A, 0x99, 0xC5, 0x0D, 0x65, 0x83, 0x68, 0x3A, 0xFD, 0x82, 0x59, 0x0D, 0xCE, 0x0B, 0x49, 0xBE, 0x17, 0x46, 0x51, 0xA9, 0xB6, 0x54, 0xE1, 0x18, 0xBD, 0x49, 0xE6, 0x7F
-};
-
-static const unsigned char demo_fw21_dev_hdrpvt[0x100] =
-{
-	0x1D, 0x7B, 0x79, 0x32, 0xAB, 0x46, 0xD2, 0xBC, 0x8E, 0xD6, 0x7F, 0x8F, 0x3A, 0x85, 0xAD, 0xA5, 0x8B, 0xA9, 0x0D, 0xA9, 0xDA, 0x0F, 0xEF, 0x61, 0x04, 0xBA, 0x35, 0x39, 0x36, 0x03, 0xD8, 0x68, 0x5F, 0x9F, 0x2F, 0xD6, 0xF6, 0x38, 0x96, 0xFD, 0xE7, 0xEA, 0x89, 0xD8, 0x7F, 0x7E, 0xC5, 0x29, 0x2F, 0xD9, 0x3B, 0x02, 0xE7, 0x1F, 0xBD, 0x63, 0x9C, 0x21, 0xD8, 0xFF, 0x43, 0x8A, 0x74, 0xCD, 0x3D, 0x4C, 0x09, 0xEE, 0xDB, 0xE0, 0xBE, 0x03, 0xD1, 0x92, 0xD7, 0x22, 0x35, 0x5A, 0x8C, 0xCE, 0xBE, 0x2B, 0xB4, 0x81, 0x47, 0x3F, 0x45, 0x75, 0x33, 0x31, 0x6B, 0xFF, 0x43, 0x5D, 0x17, 0x43, 0xAE, 0xD1, 0x25, 0xF7, 0xD9, 0xD5, 0x5C, 0xB6, 0x92, 0x5C, 0xB3, 0xF3, 0xF7, 0x65, 0x9F, 0x4C, 0x05, 0x12, 0xEC, 0xA8, 0x6D, 0x70, 0x65, 0x57, 0x6C, 0xD8, 0xE3, 0xD6, 0xFA, 0xC1, 0xFD, 0x54, 0xE8, 0x34, 0x67, 0x4D, 0x0A, 0x14, 0x2F, 0xA3, 0xD4, 0x81, 0x8C, 0xC3, 0xD0, 0x8B, 0x09, 0x08, 0x90, 0x70, 0x68, 0xA0, 0x0E, 0xD1, 0x0B, 0xAA, 0x71, 0xEC, 0x9A, 0x1A, 0x83, 0xFF, 0xA1, 0x70, 0xEB, 0xAC, 0xF2, 0xE9, 0x80, 0xA1, 0xB8, 0x20, 0x31, 0x83, 0xF5, 0x37, 0x01, 0x72, 0x06, 0x50, 0x05, 0x3F, 0x14, 0xF9, 0x29, 0x48, 0x84, 0xA0, 0x0E, 0xF7, 0xB8, 0x1D, 0xA3, 0x36, 0x5A, 0x78, 0x6D, 0x83, 0x90, 0x27, 0xE3, 0x50, 0x49, 0x2F, 0x65, 0xE5, 0x61, 0xED, 0x65, 0xBE, 0xEA, 0x34, 0xA6, 0x6A, 0xEF, 0x49, 0xB4, 0xE0, 0xBC, 0xC2, 0xA5, 0xB8, 0xEB, 0xA9, 0x2F, 0xBA, 0x26, 0x76, 0xB2, 0x5A, 0x3A, 0x3B, 0xFD, 0xAD, 0xFB, 0xE4, 0x79, 0xE2, 0x85, 0x54, 0x5B, 0xAB, 0x1F, 0x0A, 0xE5, 0x8B, 0x77, 0x3A, 0x10, 0x98, 0x26, 0x74, 0xC8, 0xB0, 0x82, 0xB1, 0xF9, 0x8F, 0x68, 0x59
-};
-
-static const unsigned char demo_fw21_dev_acexsig[0x100] =
-{
-	0xD3, 0x7D, 0x42, 0xBA, 0x6A, 0x1E, 0xD8, 0x07, 0x3C, 0x4A, 0xC4, 0xCD, 0x8C, 0x68, 0x3D, 0xCD, 0xCD, 0xBD, 0x9D, 0xCE, 0xB5, 0x2A, 0xF9, 0x63, 0x3D, 0xA9, 0x54, 0x0A, 0x2E, 0x4C, 0xE1, 0x60, 0x4B, 0xD0, 0xC9, 0xEB, 0xEF, 0x31, 0x65, 0x70, 0xB9, 0x0E, 0x06, 0x3B, 0x3D, 0x42, 0x4C, 0x6E, 0x8D, 0x2C, 0xD4, 0x71, 0x29, 0x76, 0xB7, 0xDD, 0x8C, 0xDA, 0xE7, 0xE3, 0x96, 0xA7, 0xAA, 0xF8, 0xCA, 0x05, 0xE8, 0xA7, 0x0A, 0xDD, 0x01, 0x49, 0xBD, 0xF1, 0xA5, 0xE8, 0x16, 0x22, 0xEE, 0x47, 0x1F, 0xEF, 0x28, 0x48, 0x87, 0xA9, 0x2D, 0xFC, 0x4E, 0xD5, 0xA5, 0x98, 0xB1, 0xFE, 0x1B, 0xEB, 0xA9, 0x06, 0x3C, 0x76, 0xD9, 0xAA, 0x0E, 0x9C, 0x60, 0xFC, 0xE9, 0x77, 0x9D, 0x7F, 0x67, 0xAC, 0xF5, 0xC7, 0x49, 0x12, 0xFD, 0x76, 0xAC, 0xD2, 0x54, 0xDB, 0x73, 0x41, 0x10, 0x1F, 0x04, 0x3F, 0xD0, 0x6F, 0xE0, 0x80, 0x24, 0xCC, 0xEE, 0xBF, 0x25, 0x9D, 0x0D, 0x5A, 0x2A, 0x1C, 0xC5, 0xD4, 0xE3, 0x5D, 0x3A, 0xC1, 0x86, 0xD3, 0xD4, 0x52, 0x1C, 0x4C, 0xBF, 0x31, 0xEB, 0x54, 0xCA, 0x4C, 0x06, 0x50, 0x52, 0x87, 0xD4, 0x9D, 0x4A, 0x4B, 0x22, 0xE1, 0x4A, 0xE9, 0x4D, 0x05, 0xA8, 0x57, 0xEC, 0xF8, 0x90, 0xF8, 0x58, 0xC3, 0x8B, 0x3A, 0x0F, 0x88, 0x36, 0xF4, 0xE5, 0x44, 0x10, 0x80, 0x68, 0x86, 0x1D, 0xAE, 0x90, 0x20, 0x03, 0x22, 0x2D, 0x44, 0xBF, 0xAB, 0x2B, 0xA1, 0x14, 0xAD, 0x6B, 0x40, 0x57, 0xDB, 0xBB, 0xDA, 0x09, 0x4C, 0x51, 0x26, 0x9B, 0xE3, 0xD9, 0xF9, 0xE1, 0xBC, 0xF1, 0xF1, 0xCD, 0x30, 0xB4, 0xF5, 0x39, 0xD0, 0xBC, 0xF7, 0x98, 0x05, 0xAF, 0xA8, 0x33, 0x4B, 0xC1, 0x16, 0x0F, 0xF2, 0xC2, 0x79, 0x96, 0xEC, 0xBE, 0xA9, 0xF5, 0x55, 0x7C, 0x82, 0x95, 0x73
-};
-
-// DLP
-static const unsigned char dlp_fw21_dev_hdrpub[0x100] =
-{
-	0xB3, 0x16, 0x68, 0xF1, 0xED, 0x59, 0xC8, 0x7F, 0xC6, 0x50, 0x21, 0xFE, 0x36, 0x7C, 0x55, 0xE7, 0x07, 0xF9, 0x1D, 0x1B, 0xF5, 0xB1, 0x2A, 0x6B, 0x3A, 0xDE, 0x2D, 0x4C, 0x51, 0xCD, 0x4C, 0x9F, 0xEE, 0x1D, 0xE4, 0xE8, 0xF0, 0xFD, 0x09, 0x8E, 0x0F, 0x92, 0x5F, 0xDB, 0x9C, 0x5C, 0x15, 0x55, 0x1A, 0x4D, 0x04, 0x8C, 0xB0, 0xA4, 0x88, 0x97, 0xC4, 0xD5, 0x92, 0x04, 0x42, 0x33, 0x84, 0x81, 0x06, 0xD6, 0xF2, 0x17, 0xDE, 0x83, 0x17, 0x50, 0xD0, 0x47, 0x61, 0x14, 0x0D, 0xB7, 0xC7, 0xA0, 0xC1, 0x8B, 0x82, 0x47, 0x13, 0xEE, 0x76, 0xA2, 0xA3, 0x8D, 0xCE, 0x55, 0xC1, 0xF3, 0x7A, 0xEA, 0x91, 0xE1, 0xB9, 0x2F, 0x8F, 0x9B, 0xC3, 0x7B, 0x51, 0x2F, 0xE7, 0xAD, 0x93, 0x9C, 0xFD, 0xDF, 0x19, 0xC8, 0x6C, 0x24, 0xC2, 0xE2, 0x91, 0x97, 0x1F, 0xEB, 0x4B, 0xD4, 0x46, 0x6C, 0x06, 0x93, 0xAF, 0xF5, 0x5E, 0x8F, 0x77, 0x25, 0xC4, 0x28, 0xC0, 0x82, 0x4A, 0x78, 0xE9, 0x14, 0x08, 0xC3, 0xC3, 0x58, 0x24, 0x44, 0x2D, 0x2B, 0xA7, 0xEE, 0x28, 0xEF, 0x1B, 0x6D, 0xAA, 0x9C, 0xED, 0x7F, 0x35, 0xCE, 0x86, 0x5C, 0x6B, 0x8A, 0x23, 0xD3, 0x9D, 0x05, 0x8F, 0xD2, 0x41, 0x93, 0x1D, 0x1D, 0x7E, 0xB0, 0x46, 0x23, 0x63, 0x07, 0xEA, 0x5F, 0x26, 0xE3, 0x81, 0x27, 0xB3, 0x95, 0xB1, 0x93, 0x59, 0xD4, 0x1A, 0xB8, 0x73, 0xD0, 0x09, 0x95, 0x2B, 0xE8, 0x8B, 0xE2, 0x73, 0x5F, 0x34, 0xB9, 0x98, 0x82, 0xF0, 0x11, 0xC6, 0x8F, 0x12, 0x4D, 0x09, 0x57, 0x10, 0x97, 0x22, 0x0E, 0xC8, 0x7D, 0x40, 0xC1, 0x9D, 0x12, 0x1F, 0x71, 0xFE, 0x1E, 0x1A, 0x8C, 0x3F, 0x56, 0xAC, 0x43, 0xC3, 0x66, 0x0C, 0x81, 0xAE, 0xC1, 0x8F, 0x68, 0xFF, 0x87, 0x07, 0x3C, 0xCD, 0x0A, 0x23, 0xDE, 0xBA, 0x9B
-};
-
-static const unsigned char dlp_fw21_dev_hdrpvt[0x100] =
-{
-	0x77, 0xC2, 0x7A, 0xB7, 0x9E, 0x13, 0xB6, 0x62, 0xCC, 0x09, 0x76, 0x51, 0xFB, 0xB9, 0xB5, 0xF0, 0x63, 0x82, 0x91, 0x96, 0xCA, 0xFC, 0x88, 0xF3, 0x60, 0x50, 0x87, 0x56, 0x4C, 0x35, 0xD0, 0x11, 0xFB, 0x38, 0x7E, 0x85, 0xCF, 0xF2, 0x46, 0xDB, 0x7B, 0x4A, 0x55, 0x54, 0x15, 0x01, 0xF7, 0x3A, 0x0B, 0xF6, 0x89, 0x1E, 0x54, 0x5A, 0x13, 0x05, 0xFB, 0x19, 0x1F, 0x26, 0x3D, 0xE7, 0x19, 0xAA, 0xF7, 0x19, 0xF2, 0x97, 0x47, 0xB3, 0xBE, 0x79, 0xCA, 0x6E, 0x91, 0x5A, 0xC9, 0xB9, 0xA6, 0x83, 0xB8, 0x2A, 0x45, 0x1A, 0xA7, 0x17, 0x86, 0xBA, 0x48, 0x49, 0x62, 0x3C, 0x33, 0x11, 0x51, 0x97, 0x5F, 0xAA, 0xE5, 0x1E, 0x0B, 0x19, 0x0C, 0xE6, 0x80, 0x6A, 0x5A, 0xB1, 0xD6, 0xCE, 0xDB, 0x6E, 0xC0, 0x5D, 0x29, 0x04, 0x84, 0x56, 0xE3, 0x29, 0x7E, 0xAC, 0xE8, 0xEE, 0xB1, 0x91, 0x37, 0xEB, 0x98, 0x9C, 0xBD, 0x02, 0x6A, 0x78, 0x61, 0xB0, 0x79, 0x1A, 0x9F, 0x30, 0x86, 0xF6, 0x71, 0x5A, 0x5A, 0x12, 0xA1, 0x9E, 0xA1, 0x68, 0x03, 0xE5, 0x95, 0xA8, 0x38, 0x58, 0x87, 0x08, 0x57, 0x35, 0x32, 0x47, 0x3B, 0xFC, 0x02, 0x6F, 0xCE, 0x55, 0x61, 0xA3, 0x2A, 0x6B, 0x2F, 0xF8, 0xEE, 0x8D, 0xFA, 0x43, 0x33, 0x02, 0x63, 0x47, 0x02, 0x78, 0x5A, 0x7F, 0x64, 0x07, 0x92, 0xB7, 0x7C, 0x09, 0x7C, 0xFE, 0x2D, 0x1C, 0xFC, 0x77, 0x9F, 0x19, 0x20, 0xDD, 0x6D, 0x4C, 0xFE, 0x49, 0x09, 0x47, 0xCA, 0x9B, 0x1C, 0x8C, 0x1F, 0x37, 0xAC, 0x14, 0x85, 0x56, 0xC0, 0xFD, 0xD6, 0x01, 0xB3, 0x40, 0xA3, 0x1A, 0x32, 0x78, 0xA0, 0xDD, 0x21, 0x75, 0xBF, 0x24, 0xD2, 0x93, 0x85, 0xED, 0x22, 0xAD, 0x99, 0x91, 0x87, 0x4A, 0xEC, 0xC0, 0x6C, 0x71, 0x00, 0x76, 0x08, 0x23, 0xA2, 0xF3, 0xCF, 0x61
-};
-
-static const unsigned char dlp_fw21_dev_acexsig[0x100] =
-{
-	0xAC, 0xE2, 0xA7, 0xC3, 0x00, 0xDE, 0xE8, 0xE9, 0xE0, 0x03, 0xB3, 0x54, 0x08, 0xA8, 0xF8, 0x3A, 0x2E, 0xD8, 0x10, 0x6B, 0xEC, 0xDC, 0x4E, 0xEE, 0x62, 0x10, 0x71, 0x49, 0xD4, 0x43, 0xB1, 0x0E, 0x6B, 0x8C, 0xD7, 0x54, 0xD5, 0x62, 0x28, 0x3F, 0xAA, 0xDE, 0xA9, 0x7D, 0xED, 0x37, 0x7C, 0xE7, 0x89, 0x0B, 0x02, 0xB2, 0x72, 0x4B, 0x17, 0xDB, 0xE2, 0xD3, 0x7C, 0x94, 0x12, 0x3F, 0x2E, 0xA1, 0x08, 0x99, 0xCC, 0x7F, 0x93, 0xE6, 0x38, 0xC9, 0x37, 0x84, 0xD7, 0x11, 0x9D, 0x02, 0x4D, 0x66, 0xB4, 0x70, 0x9F, 0xD8, 0xC6, 0xDD, 0xD5, 0x13, 0x52, 0xF0, 0xA6, 0x78, 0x8C, 0x8E, 0x15, 0xA0, 0xA1, 0xF3, 0xC4, 0xC3, 0x48, 0x45, 0xA5, 0xBE, 0xC9, 0x7A, 0x8B, 0xD3, 0x95, 0xA5, 0x4C, 0xF1, 0xB3, 0x0C, 0x6C, 0x76, 0xA7, 0x57, 0xA1, 0x77, 0xDF, 0x2F, 0xC8, 0x06, 0xA6, 0x0D, 0x1A, 0x09, 0xE4, 0x38, 0x64, 0x07, 0xBE, 0x6A, 0xD2, 0xA0, 0xC0, 0xEC, 0x09, 0x64, 0x9F, 0x0D, 0x93, 0x0C, 0x89, 0xA2, 0x71, 0xD6, 0xC6, 0xC2, 0x54, 0x79, 0x2A, 0xA4, 0x31, 0x28, 0x24, 0x1A, 0xF3, 0x56, 0x78, 0x63, 0x99, 0x97, 0xA5, 0xCE, 0x8F, 0x52, 0x7A, 0x79, 0x51, 0xEE, 0x4C, 0x8B, 0x00, 0x9D, 0x5C, 0x3E, 0xD5, 0xAA, 0x24, 0x9C, 0x94, 0xC6, 0xA3, 0x99, 0x1B, 0x2D, 0xD4, 0xFF, 0xB4, 0x25, 0x73, 0x13, 0x33, 0x9F, 0x03, 0x6F, 0x1E, 0x75, 0xC4, 0x70, 0xF4, 0x07, 0x4F, 0x18, 0xFE, 0xBD, 0x8F, 0x2C, 0x9B, 0x33, 0xD4, 0x30, 0xA7, 0x18, 0x4A, 0xF1, 0xA4, 0xDD, 0x78, 0x41, 0xA0, 0xB8, 0x02, 0x8D, 0x51, 0x96, 0xBE, 0xE7, 0x17, 0x94, 0x66, 0x65, 0x27, 0xF7, 0x69, 0x48, 0x7E, 0xA9, 0x08, 0x71, 0x20, 0x76, 0xB7, 0x8E, 0xD2, 0xBF, 0x5C, 0x7E, 0x5E, 0x06, 0x45, 0xAB, 0x7E, 0x2E
-};
-
-/* CTR_SDK 5 (5.2.2) */
-// APP
-static const unsigned char app_fw23_dev_hdrpub[0x100] =
-{
-	0xED, 0xD8, 0x3B, 0x9E, 0x78, 0x26, 0xD2, 0x96, 0x73, 0x6B, 0x7D, 0xB0, 0x5E, 0x01, 0x51, 0x63, 0x0F, 0x4B, 0xE6, 0x87, 0xCC, 0x4A, 0x03, 0x84, 0xB2, 0x65, 0x77, 0xB2, 0xA2, 0x6F, 0x20, 0x7A, 0x3B, 0xC3, 0xF3, 0xCC, 0x37, 0x7C, 0x1F, 0x77, 0xC8, 0x3D, 0xE2, 0xA9, 0x19, 0x4E, 0x7C, 0xBB, 0xAC, 0x2D, 0x7D, 0x7D, 0xE1, 0x35, 0xF8, 0x44, 0x2E, 0xC5, 0xB7, 0x50, 0x8D, 0xA1, 0x18, 0x34, 0x45, 0x20, 0xD4, 0x29, 0x0E, 0x79, 0xA7, 0xE1, 0x97, 0x1A, 0xE0, 0x39, 0x1D, 0x55, 0xB4, 0x2A, 0xDB, 0xD4, 0x77, 0x56, 0xC8, 0x73, 0xC8, 0x63, 0x04, 0xBA, 0x4C, 0x61, 0x48, 0x2E, 0x52, 0xD5, 0xC5, 0x21, 0x83, 0x4C, 0xBE, 0xE4, 0x38, 0x44, 0xD4, 0x7D, 0x8E, 0xDE, 0x17, 0x4A, 0x6F, 0xBD, 0xB0, 0x2B, 0xF7, 0xA8, 0xF3, 0xD3, 0xB7, 0xED, 0xF2, 0xE6, 0x4C, 0x5B, 0x83, 0x3E, 0x68, 0x67, 0xAF, 0x45, 0xE1, 0xF3, 0xAA, 0xFF, 0x5E, 0xB0, 0x0B, 0x39, 0x8E, 0xCF, 0xA7, 0x28, 0x88, 0xEA, 0x8B, 0x6F, 0x39, 0x39, 0x9F, 0xB1, 0x51, 0xCA, 0xC3, 0xFD, 0x46, 0x02, 0x92, 0x62, 0xB9, 0x98, 0x95, 0xAA, 0xCA, 0x76, 0x75, 0xE7, 0xE8, 0x88, 0x1C, 0x59, 0x9F, 0xD8, 0xCA, 0x99, 0x76, 0x3D, 0x3B, 0x56, 0xFA, 0xE4, 0x5A, 0x2F, 0x12, 0x07, 0x14, 0xA7, 0x81, 0x3D, 0x3B, 0xC0, 0xA7, 0x10, 0xE8, 0x9E, 0x69, 0x41, 0x55, 0x3F, 0xD8, 0x2B, 0x9B, 0x09, 0x1C, 0xE3, 0x94, 0x29, 0xD5, 0x35, 0xB2, 0xC7, 0x04, 0x16, 0x8A, 0xBA, 0x0C, 0x77, 0x78, 0x69, 0xAC, 0x3D, 0xE8, 0x92, 0xD2, 0x78, 0x88, 0x51, 0xAC, 0x80, 0x03, 0xC1, 0x23, 0xEC, 0xDF, 0x0C, 0x80, 0x09, 0x2D, 0xBC, 0x74, 0x22, 0x3F, 0xF2, 0xE3, 0xF0, 0x09, 0x67, 0xA7, 0xD6, 0x36, 0xA8, 0xE4, 0x3F, 0xF5, 0xEC, 0x3D, 0x8B
-};
-
-static const unsigned char app_fw23_dev_acexsig[0x100] =
-{
-	0x1C, 0x2A, 0x20, 0x20, 0xE1, 0x8C, 0x57, 0x67, 0xA7, 0x25, 0x6C, 0x77, 0x72, 0xAE, 0xC9, 0x6D, 0xCD, 0xB3, 0xA4, 0x0E, 0xCE, 0x8A, 0x62, 0x46, 0xB7, 0x99, 0xEB, 0x87, 0xDC, 0xCD, 0x3A, 0x1C, 0x10, 0x18, 0x2C, 0x59, 0x23, 0x81, 0x8A, 0xB9, 0x66, 0x9A, 0x20, 0x42, 0x5E, 0x38, 0xE2, 0x53, 0x92, 0xB1, 0xDD, 0x38, 0x6E, 0x01, 0xF4, 0x56, 0xEC, 0x43, 0x22, 0x9B, 0x15, 0x36, 0xE4, 0x2C, 0x3E, 0x6D, 0x1B, 0xAE, 0xAA, 0x71, 0xA8, 0x0C, 0x9A, 0xC4, 0x5E, 0x19, 0x93, 0xD6, 0x59, 0x23, 0xCD, 0xAD, 0xA5, 0xEF, 0xFD, 0x7D, 0x05, 0x73, 0xAF, 0x29, 0xC4, 0x85, 0x0B, 0x33, 0x9B, 0xF4, 0x5D, 0x31, 0x8E, 0xE8, 0x6C, 0xD1, 0x39, 0xBB, 0x03, 0x8B, 0xD9, 0x77, 0x30, 0xA4, 0x1A, 0x63, 0x50, 0xA0, 0xB9, 0x7B, 0x46, 0x10, 0x6A, 0x9A, 0x31, 0x71, 0x45, 0x72, 0x8C, 0x10, 0x6B, 0xE9, 0xBE, 0xC7, 0x0E, 0x2B, 0x4A, 0xF4, 0x29, 0x0B, 0xAA, 0x91, 0x76, 0xF8, 0xB3, 0x74, 0x57, 0xF8, 0x9B, 0xF4, 0xBE, 0x50, 0x22, 0x46, 0x93, 0xF1, 0x80, 0x64, 0xC1, 0x50, 0x77, 0x2A, 0x2A, 0x70, 0x74, 0x0C, 0xB2, 0xDC, 0x77, 0x34, 0x84, 0x83, 0x4E, 0x5B, 0x47, 0x30, 0x52, 0xF3, 0xEC, 0xC6, 0xB5, 0x93, 0xF3, 0x77, 0x0D, 0x10, 0x86, 0x65, 0x35, 0xC9, 0x84, 0x07, 0x43, 0x51, 0x00, 0x92, 0x2F, 0xA7, 0x75, 0x02, 0x23, 0xEE, 0x0F, 0x9E, 0x69, 0x5A, 0xF9, 0x9C, 0x0E, 0x17, 0x05, 0x94, 0x2A, 0xE9, 0x79, 0x82, 0x2C, 0x68, 0x3E, 0xCD, 0x26, 0xE6, 0x9E, 0x18, 0x99, 0x9A, 0xA0, 0xA7, 0x95, 0xA3, 0xBB, 0xB5, 0x9D, 0x86, 0x6E, 0x99, 0xFD, 0xC4, 0x1F, 0x49, 0x78, 0x2D, 0x4A, 0x8F, 0xAA, 0x77, 0x48, 0x6F, 0x69, 0x6A, 0x71, 0xA7, 0x19, 0x67, 0x56, 0x5B, 0x10, 0x27, 0x07, 0x7F
-};
-
-/* CTR_SDK 6 (6.?.?) */
-// FIRM
-static const unsigned char firm_fw26_dev_hdrpub[0x100] =
-{
-	0xC9, 0x3C, 0x30, 0xE3, 0x64, 0xFD, 0x70, 0xBB, 0x98, 0xB0, 0x7B, 0x59, 0x4F, 0x6A, 0xC5, 0x1A, 0x6E, 0xF7, 0x89, 0x6E, 0xF9, 0x9C, 0x58, 0xC4, 0x34, 0x51, 0xAF, 0x0B, 0x41, 0x0D, 0x76, 0x7D, 0xE5, 0xF8, 0x9C, 0x2F, 0x08, 0x52, 0x75, 0xE2, 0x83, 0x2D, 0x6B, 0x6F, 0x1D, 0xC6, 0x13, 0x41, 0xD6, 0x91, 0x78, 0xF8, 0xD6, 0xC6, 0x57, 0x58, 0xC4, 0xE4, 0x3D, 0x3C, 0x19, 0xEB, 0x81, 0x77, 0x6C, 0xCF, 0x4A, 0xCD, 0x87, 0x9A, 0x2A, 0x82, 0xCB, 0x94, 0xE0, 0xAB, 0x93, 0x49, 0x00, 0x48, 0x1B, 0x6B, 0x0E, 0x62, 0x94, 0xE4, 0x70, 0xAF, 0x16, 0x0C, 0x93, 0x3A, 0x6B, 0x16, 0x20, 0x93, 0xDF, 0x84, 0x26, 0x88, 0x1B, 0x61, 0x47, 0x2C, 0xAE, 0x58, 0x07, 0x5A, 0xE1, 0xED, 0x61, 0x99, 0x15, 0x47, 0x0F, 0x83, 0x69, 0xAF, 0x89, 0xBB, 0x18, 0xC7, 0x56, 0x9C, 0xF5, 0x00, 0xD8, 0x76, 0xFC, 0x2F, 0x56, 0x6D, 0xD7, 0xD2, 0x0F, 0x41, 0xF4, 0xB6, 0xC3, 0x46, 0x37, 0x24, 0xAE, 0x9B, 0x1A, 0xD7, 0xA0, 0x29, 0x48, 0xD0, 0x6C, 0x7F, 0x54, 0x7D, 0x0E, 0xA7, 0xDA, 0x7E, 0x39, 0xF7, 0xCA, 0xB6, 0x51, 0x37, 0x9F, 0x34, 0x84, 0x2F, 0x41, 0xF3, 0x4A, 0x6F, 0xDC, 0x75, 0x83, 0x74, 0x8C, 0x16, 0x28, 0xB2, 0x3D, 0x7B, 0xF1, 0x91, 0xEC, 0x09, 0x25, 0x5F, 0x89, 0x4F, 0x81, 0xA4, 0xD5, 0x9F, 0xD1, 0xD4, 0xDC, 0x0D, 0x96, 0x85, 0x34, 0x01, 0x4C, 0xFE, 0x5F, 0x1A, 0xA3, 0x0B, 0x5B, 0xCF, 0xCF, 0xE1, 0x50, 0x9C, 0x89, 0x2E, 0x06, 0xB4, 0x1A, 0xED, 0x22, 0x76, 0xDA, 0x3D, 0xB5, 0x3E, 0xF5, 0x9B, 0xA7, 0xE2, 0x0E, 0x9D, 0xBD, 0xE0, 0x68, 0xB5, 0xB5, 0x8A, 0xAA, 0x98, 0xF9, 0x07, 0xF1, 0xB4, 0x96, 0xC0, 0xA1, 0xB9, 0xE8, 0x56, 0xAC, 0xB7, 0x39, 0x11, 0x14, 0x0B
-};
-
-static const unsigned char firm_fw26_dev_acexsig[0x100] =
-{
-	0xB0, 0xEB, 0x0B, 0xE4, 0x81, 0x5F, 0x4C, 0x41, 0x74, 0x13, 0x8D, 0x8C, 0x2D, 0x07, 0xDB, 0x67, 0xDB, 0x0A, 0xD3, 0xE9, 0xD9, 0x24, 0x35, 0xA7, 0x2A, 0x7A, 0x7D, 0x22, 0xAD, 0xE5, 0x5B, 0xAC, 0x6B, 0x08, 0x9E, 0xC3, 0x19, 0x5D, 0x28, 0x13, 0x71, 0xE0, 0x4E, 0xF8, 0xA4, 0x2F, 0xF9, 0x41, 0xB4, 0x9F, 0x02, 0x5B, 0xBD, 0xBB, 0x33, 0xFD, 0xF8, 0x57, 0xE5, 0x36, 0x63, 0xB4, 0x8D, 0x05, 0x8F, 0xA5, 0x87, 0x54, 0x62, 0xE5, 0x9E, 0x31, 0x61, 0xD4, 0x3C, 0xFB, 0xB5, 0xE9, 0x76, 0x65, 0x4E, 0xF2, 0x08, 0x44, 0x6D, 0x2B, 0x54, 0x6E, 0x4E, 0xAB, 0xF3, 0xA4, 0xF1, 0xA5, 0xEF, 0x43, 0xFD, 0x02, 0x09, 0xE5, 0x11, 0x2B, 0x8A, 0xB5, 0xEC, 0x20, 0xDE, 0x28, 0xA7, 0x5C, 0x16, 0x71, 0x1E, 0x0A, 0x1A, 0x1B, 0xED, 0x4B, 0x32, 0x0E, 0x3E, 0x86, 0x37, 0x86, 0x64, 0x10, 0xE7, 0x08, 0x18, 0x06, 0x58, 0x96, 0xFB, 0x84, 0x21, 0xA4, 0x46, 0x7A, 0x59, 0x7A, 0x1E, 0x08, 0x1D, 0x38, 0x28, 0xAF, 0xB2, 0x26, 0xB3, 0xAB, 0x00, 0x2C, 0x85, 0x3A, 0xFA, 0x5F, 0x3B, 0xC4, 0xA6, 0x22, 0xBB, 0x79, 0x74, 0x5A, 0x44, 0xCB, 0x9E, 0x8D, 0x6D, 0x18, 0xD3, 0xC1, 0x74, 0x6D, 0xA1, 0x8B, 0xAC, 0xF4, 0x15, 0x9B, 0x07, 0x52, 0xF5, 0x04, 0x26, 0x58, 0x82, 0x05, 0xF4, 0xE9, 0x54, 0xAD, 0x58, 0xF1, 0xE1, 0x02, 0x9B, 0xE2, 0x15, 0x67, 0x62, 0x3B, 0x95, 0xF2, 0xB7, 0xDC, 0x27, 0x94, 0x10, 0xAC, 0x5B, 0xC9, 0x01, 0xBE, 0x8F, 0x46, 0x92, 0x51, 0x22, 0x89, 0x06, 0xB5, 0x78, 0x52, 0x77, 0x83, 0x79, 0x22, 0xB8, 0x7B, 0x10, 0x7E, 0xF9, 0x7F, 0xF2, 0xA2, 0x53, 0x96, 0x89, 0x05, 0x60, 0x9C, 0x7C, 0xAF, 0x02, 0x29, 0x71, 0xB9, 0xEC, 0x62, 0x38, 0x2D, 0xA4, 0x99, 0x04, 0x78
-};
-
-static const unsigned char firm_fw26_2_dev_hdrpub[0x100] =
-{
-	0xB8, 0xF9, 0x95, 0xFA, 0xC9, 0xB4, 0x07, 0x9F, 0xCC, 0xF1, 0xAA, 0x82, 0xBB, 0xE3, 0x29, 0x23, 0xA8, 0xF0, 0xB9, 0x9A, 0x2B, 0x27, 0xCA, 0x65, 0x51, 0xAA, 0x05, 0x40, 0x0F, 0x9E, 0x46, 0xBB, 0xE2, 0xF2, 0x72, 0xA6, 0x76, 0xBE, 0x3D, 0xA8, 0xDA, 0x53, 0x4D, 0xD3, 0x95, 0xC4, 0x01, 0x19, 0xD5, 0xC7, 0x3B, 0xF6, 0x12, 0xE7, 0x08, 0x32, 0x2C, 0x66, 0xD9, 0xC1, 0xB6, 0x7D, 0x03, 0x99, 0xA2, 0x89, 0x40, 0x7E, 0x77, 0x0C, 0xF7, 0xD9, 0x29, 0x50, 0x9C, 0x12, 0xB5, 0xBD, 0xED, 0x74, 0x70, 0x30, 0x39, 0x77, 0x49, 0xCE, 0x4F, 0x4F, 0x42, 0xCE, 0xD3, 0xC9, 0xD0, 0xE3, 0x14, 0x13, 0x6E, 0xE3, 0x59, 0x7A, 0x13, 0xE6, 0xEA, 0x57, 0xA1, 0xA3, 0xEC, 0xF4, 0x03, 0x18, 0x07, 0x0D, 0x63, 0xD5, 0x4B, 0x4E, 0xE7, 0x7A, 0x1E, 0x5E, 0x07, 0x0E, 0x4E, 0xAD, 0x23, 0xCD, 0x38, 0x0B, 0xC0, 0x5E, 0x20, 0xD5, 0x98, 0x57, 0xD5, 0xD8, 0xFD, 0x9D, 0xFF, 0x9F, 0xB0, 0xF7, 0xD8, 0xE5, 0xEB, 0xA5, 0xA2, 0xD9, 0xBF, 0x9E, 0x0B, 0xD5, 0xD5, 0xD9, 0xCE, 0x12, 0xAE, 0x8F, 0xD1, 0xCC, 0xD1, 0x8A, 0x04, 0xA1, 0x06, 0x0A, 0x55, 0xDE, 0x0B, 0xCE, 0x7B, 0x11, 0xD7, 0x0F, 0xD6, 0xD9, 0xDF, 0x54, 0x6D, 0xDF, 0x76, 0x2C, 0xB8, 0xCF, 0x85, 0x54, 0xDB, 0xDB, 0x47, 0x35, 0x28, 0x90, 0x7C, 0x8E, 0x59, 0x7D, 0x25, 0x7C, 0x95, 0xA8, 0x9A, 0xF0, 0x4D, 0xE3, 0x5E, 0x0B, 0xE0, 0x7E, 0xAF, 0x0F, 0xEA, 0xC9, 0x06, 0x81, 0x90, 0xE3, 0xDE, 0x42, 0x9C, 0x99, 0x8F, 0x7A, 0x31, 0xFB, 0x83, 0x05, 0x8B, 0xBB, 0xE9, 0x88, 0x0B, 0x31, 0x44, 0x1C, 0x21, 0x02, 0x66, 0xA2, 0xC4, 0x12, 0xAF, 0x4A, 0xB8, 0x01, 0xB6, 0xE1, 0x3B, 0x73, 0x29, 0x78, 0x6E, 0xB5, 0x39, 0x41, 0x37, 0x07
-};
-
-static const unsigned char firm_fw26_2_dev_acexsig[0x100] =
-{
-	0x57, 0x9D, 0xD4, 0xA1, 0xE8, 0x8C, 0x59, 0x0C, 0xE1, 0xB6, 0x9E, 0x38, 0xD0, 0x45, 0xF7, 0x6F, 0xDD, 0xAE, 0xC6, 0xD1, 0xB1, 0xDE, 0x45, 0xBA, 0xD5, 0x69, 0xF3, 0x8B, 0x54, 0xB0, 0xAA, 0x43, 0x1C, 0x82, 0x58, 0x1D, 0x59, 0xB5, 0xC8, 0xF7, 0xB1, 0x80, 0x3A, 0x99, 0x3E, 0x72, 0xCB, 0x43, 0x5F, 0xE5, 0x96, 0x9C, 0x5B, 0xAE, 0x8C, 0xA3, 0x78, 0x6B, 0xC2, 0xC1, 0xC7, 0x50, 0x36, 0xCB, 0x87, 0xB5, 0x7D, 0x04, 0x74, 0x92, 0xE4, 0x92, 0x94, 0x77, 0x4F, 0x2B, 0x64, 0xDB, 0x6F, 0xE0, 0x75, 0x5A, 0xB5, 0x7B, 0x19, 0xE5, 0x57, 0x4B, 0x9C, 0x0D, 0x80, 0x64, 0xC9, 0x96, 0x1A, 0x5D, 0xAB, 0xEE, 0xB9, 0xAC, 0x3D, 0x2F, 0x60, 0x6F, 0xA2, 0xBC, 0xF9, 0xDD, 0x23, 0x7F, 0xA3, 0x3E, 0xE1, 0x33, 0x31, 0x60, 0x40, 0xF4, 0x26, 0x77, 0x6E, 0xDD, 0xD8, 0x98, 0xD0, 0xE7, 0x01, 0x13, 0x08, 0xC6, 0x0F, 0xB9, 0xF5, 0x52, 0x7A, 0xE4, 0x48, 0xCF, 0x3F, 0x0C, 0x37, 0x38, 0x69, 0x93, 0xFF, 0x12, 0x5B, 0x35, 0x9F, 0x4B, 0x1D, 0x36, 0x53, 0x0C, 0xE6, 0x66, 0xF3, 0xBB, 0xBC, 0x32, 0xF5, 0x8D, 0x74, 0x35, 0x2E, 0xCB, 0xFC, 0x03, 0x02, 0xED, 0x9B, 0xDD, 0xBE, 0x3F, 0xF3, 0xA7, 0xB5, 0xFF, 0x38, 0x43, 0x89, 0xDD, 0x93, 0x43, 0x7A, 0x6E, 0xE0, 0xCF, 0x5E, 0xBF, 0x0C, 0xD5, 0x25, 0x71, 0x98, 0xB2, 0x76, 0xC7, 0x5B, 0x18, 0xC0, 0x71, 0xCB, 0x0C, 0xDB, 0x26, 0x52, 0xB1, 0x55, 0xC3, 0x97, 0x43, 0x1D, 0x33, 0x41, 0x32, 0x2A, 0xD8, 0xB6, 0x37, 0xEA, 0x96, 0x2B, 0xBA, 0x05, 0xA8, 0xA6, 0x3F, 0x47, 0x82, 0xBF, 0x85, 0x3E, 0xDF, 0x8F, 0xEE, 0xFA, 0xD3, 0x68, 0xEE, 0xAE, 0xEB, 0x0E, 0x0D, 0x5D, 0xB1, 0x99, 0xE8, 0x76, 0x70, 0xCF, 0xA4, 0x7E, 0x1E, 0xE6, 0x65
-};
-
-static const unsigned char firm_fw26_3_dev_hdrpub[0x100] =
-{
-	0xAF, 0xC4, 0x87, 0x3F, 0x38, 0xFF, 0x0D, 0x27, 0xEF, 0x59, 0xB7, 0x5D, 0x71, 0xD4, 0x17, 0x5E, 0x37, 0xB9, 0xEC, 0xD9, 0x2B, 0x94, 0xCD, 0x3F, 0xD3, 0x01, 0x24, 0xC6, 0x67, 0x32, 0x67, 0xAA, 0x09, 0x12, 0xFF, 0x72, 0x74, 0x35, 0x6B, 0x41, 0xF4, 0xB5, 0xDD, 0x27, 0x8B, 0xB3, 0xA7, 0xA8, 0x20, 0x5C, 0x3F, 0x33, 0x10, 0xFF, 0x19, 0x60, 0xB0, 0x04, 0x31, 0x9F, 0xD6, 0x57, 0xB3, 0x41, 0xBC, 0x4C, 0xAC, 0xD8, 0xB4, 0x5B, 0x90, 0xDC, 0x85, 0xED, 0x2C, 0x75, 0x06, 0xD4, 0xA0, 0x0F, 0x90, 0xBB, 0x42, 0xA6, 0x17, 0x0D, 0xEB, 0x15, 0x53, 0xFE, 0x7A, 0x10, 0x57, 0x09, 0x9A, 0x5F, 0x9F, 0x94, 0x91, 0xCA, 0x7B, 0x55, 0x7D, 0xED, 0x3B, 0x80, 0x00, 0xD3, 0x5D, 0xC3, 0x0A, 0x9A, 0x5A, 0xD3, 0x80, 0xAD, 0x03, 0xB3, 0x81, 0x1C, 0xE3, 0xBC, 0x0D, 0x7C, 0x06, 0x8F, 0xE8, 0xEB, 0xCE, 0x96, 0x19, 0xA1, 0xF5, 0x1B, 0xE0, 0x87, 0x17, 0xA8, 0x5C, 0x76, 0x0D, 0xC3, 0xD2, 0xBC, 0x8F, 0x57, 0x02, 0xE1, 0x63, 0xFC, 0x14, 0x98, 0x3F, 0xFC, 0x67, 0x09, 0xB0, 0x99, 0xB6, 0x7D, 0x84, 0xD1, 0x39, 0xE3, 0xCE, 0x54, 0x00, 0xBF, 0x33, 0x78, 0xB2, 0xC9, 0x91, 0xAB, 0xF1, 0x05, 0x88, 0xFF, 0x6E, 0x28, 0xFB, 0x18, 0x08, 0x61, 0x9E, 0x37, 0xED, 0x21, 0x8F, 0x73, 0x82, 0x4D, 0x6C, 0x57, 0xEC, 0x85, 0xE4, 0x8B, 0xB9, 0x89, 0x6B, 0x2B, 0x70, 0x25, 0xE9, 0x00, 0x9A, 0x46, 0x00, 0x22, 0x9C, 0xC0, 0x1C, 0x7F, 0xAC, 0x92, 0x1B, 0x17, 0x3B, 0xDA, 0xF3, 0xA3, 0x60, 0x99, 0xF2, 0x75, 0x7C, 0x52, 0xC5, 0xAE, 0xF7, 0x45, 0xE3, 0xE5, 0x5B, 0x6D, 0x2D, 0x47, 0x39, 0x97, 0xFE, 0x2B, 0x6D, 0x7D, 0xBD, 0x35, 0xC8, 0xB6, 0x23, 0x7B, 0x2E, 0xB2, 0x00, 0xD2, 0x61, 0xC5
-};
-
-static const unsigned char firm_fw26_3_dev_acexsig[0x100] =
-{
-	0x85, 0x2B, 0xF3, 0xF5, 0x26, 0x11, 0xFA, 0x95, 0xF8, 0x32, 0x2A, 0xAE, 0xCB, 0x96, 0x71, 0x92, 0xCF, 0x81, 0xE4, 0xF7, 0xC9, 0xBB, 0x27, 0x14, 0x21, 0x08, 0x5B, 0x93, 0xA2, 0x92, 0x86, 0x7C, 0x1F, 0xF8, 0x22, 0x1B, 0x33, 0x10, 0x56, 0xF4, 0xC9, 0x58, 0xDB, 0x0F, 0xEC, 0x0B, 0x8C, 0x31, 0xE7, 0xE8, 0x80, 0x69, 0x57, 0x2B, 0xEE, 0xF9, 0x39, 0xBF, 0xEF, 0x56, 0x1B, 0xE1, 0xFF, 0x44, 0xD7, 0xEE, 0x3E, 0x6C, 0xAA, 0x2C, 0xB2, 0x17, 0xE0, 0xA8, 0xEA, 0xAA, 0x93, 0xE3, 0xBF, 0x63, 0xEE, 0xB4, 0xD5, 0x5F, 0x1E, 0x4A, 0x13, 0x22, 0x7D, 0x36, 0xE1, 0xC3, 0xF3, 0xC6, 0x3A, 0xEC, 0x1A, 0x02, 0xA3, 0x3E, 0xC5, 0x5E, 0xFD, 0xD3, 0x09, 0x1D, 0xAF, 0x7C, 0x1A, 0x75, 0x68, 0x58, 0x93, 0x91, 0x92, 0x27, 0xED, 0x0F, 0xCB, 0x98, 0x0E, 0xEA, 0xDF, 0xA5, 0x28, 0x2E, 0x4D, 0x84, 0x7A, 0xE6, 0xC1, 0xBD, 0x50, 0x8A, 0x6F, 0xAC, 0xEC, 0x64, 0xF4, 0xD2, 0x3B, 0x54, 0xFA, 0x07, 0x06, 0xE9, 0xFE, 0xB0, 0x93, 0x9A, 0x8E, 0x46, 0x95, 0xC5, 0xC5, 0xB5, 0x72, 0x0D, 0xD1, 0x79, 0x1A, 0x80, 0xA0, 0x0B, 0x1F, 0x5E, 0x49, 0x9D, 0x50, 0x57, 0xE5, 0x92, 0x6A, 0xF3, 0x16, 0x74, 0x7B, 0xE9, 0x0F, 0x29, 0xCF, 0x2B, 0x3D, 0x52, 0x10, 0xFC, 0x2F, 0x71, 0x5E, 0xDF, 0xAD, 0xC3, 0xCE, 0x69, 0x25, 0xD5, 0xF2, 0x97, 0x0B, 0xCA, 0xB1, 0x0A, 0x9B, 0xF8, 0x85, 0xB6, 0xDC, 0x4F, 0xB1, 0xCB, 0x03, 0xC4, 0xF8, 0x50, 0x63, 0x15, 0xE0, 0x1F, 0x5A, 0xB7, 0x07, 0x45, 0x0B, 0xD6, 0x9E, 0xCD, 0xBF, 0x2F, 0x1C, 0x99, 0x20, 0x69, 0x76, 0x5C, 0xFC, 0x31, 0x18, 0x9A, 0xB9, 0xAC, 0x77, 0xA6, 0xFB, 0xBD, 0xB9, 0x4D, 0x04, 0x45, 0xED, 0x9E, 0x19, 0x56, 0x18, 0xC7, 0x87, 0xFC
-};
-
-static const unsigned char firm_fw26_4_dev_hdrpub[0x100] =
-{
-	0xC9, 0x83, 0x86, 0x8C, 0x40, 0x07, 0xF3, 0x48, 0xD1, 0xE9, 0xBC, 0x27, 0xAB, 0x11, 0xE4, 0x10, 0x1C, 0x65, 0x1C, 0xA1, 0xE5, 0x9A, 0xEB, 0xB5, 0x22, 0x1F, 0x78, 0x84, 0xC9, 0x9A, 0x7B, 0x45, 0x70, 0x7C, 0x80, 0xDD, 0xC1, 0xF2, 0xF6, 0x0D, 0x91, 0x90, 0x5C, 0xCB, 0x95, 0x1E, 0xC4, 0x31, 0x0D, 0x15, 0xA9, 0x2E, 0x22, 0x94, 0x3F, 0x97, 0x5C, 0x7E, 0x70, 0x5F, 0x5F, 0xF3, 0x12, 0x2D, 0x27, 0x91, 0x53, 0x31, 0xD8, 0x4D, 0xB8, 0x76, 0x74, 0xE8, 0xE1, 0x76, 0xE1, 0xA1, 0x84, 0xA9, 0xF8, 0x62, 0x4F, 0xED, 0x22, 0xFB, 0x82, 0xA5, 0x23, 0x36, 0x2E, 0x08, 0xC8, 0xC1, 0xBA, 0x46, 0x27, 0x10, 0x2E, 0x94, 0x47, 0x62, 0x01, 0x04, 0x4C, 0x84, 0x18, 0xC3, 0xCC, 0xF9, 0xD0, 0x1A, 0x89, 0xC7, 0x47, 0x5C, 0x62, 0x6F, 0x45, 0xF9, 0x18, 0x88, 0x80, 0x3F, 0x65, 0xB5, 0x4B, 0x07, 0x25, 0x4A, 0x97, 0x19, 0xBF, 0x13, 0x44, 0x28, 0x00, 0x38, 0xA7, 0x2E, 0x12, 0x32, 0x5B, 0xB4, 0x3A, 0x96, 0x64, 0x90, 0x77, 0x0F, 0x72, 0xB8, 0x79, 0x97, 0x59, 0x8E, 0x1C, 0xF0, 0xBC, 0x58, 0xD1, 0x26, 0x88, 0x3B, 0x25, 0x65, 0x7E, 0xC6, 0xF5, 0xF5, 0x24, 0x35, 0xC6, 0x65, 0xEF, 0x4C, 0x53, 0xC5, 0x56, 0x9A, 0x1A, 0x5F, 0x15, 0x29, 0xE7, 0x85, 0x1D, 0x35, 0xA1, 0x5C, 0x4B, 0xD6, 0xF2, 0x81, 0x24, 0x5F, 0x43, 0x05, 0xEA, 0xB0, 0x63, 0x0D, 0x78, 0xF7, 0xB5, 0x30, 0x20, 0xF2, 0xC9, 0xE8, 0x91, 0x8F, 0xBF, 0x20, 0x99, 0x95, 0x43, 0xAC, 0xB2, 0xF6, 0x82, 0xF0, 0xB1, 0x33, 0x1E, 0xA9, 0xB3, 0xF5, 0x61, 0xDC, 0x37, 0x81, 0xB3, 0x1F, 0xFE, 0xFF, 0x10, 0x9C, 0x12, 0x2A, 0x80, 0x1F, 0xE3, 0x9C, 0x86, 0x90, 0x47, 0x59, 0x29, 0xA9, 0xE2, 0xD7, 0x6F, 0x89, 0x5C, 0x7D
-};
-
-static const unsigned char firm_fw26_4_dev_acexsig[0x100] =
-{
-	0x1B, 0x67, 0xA7, 0x4F, 0xF7, 0x55, 0x10, 0x85, 0xA9, 0x40, 0x89, 0xDC, 0xFF, 0xED, 0x4D, 0xC9, 0x71, 0x6E, 0x46, 0x92, 0xB2, 0x9E, 0xEA, 0xB9, 0x7C, 0xC6, 0xAB, 0xCD, 0xDD, 0x6B, 0x4A, 0x27, 0x31, 0xF3, 0xFA, 0x26, 0x2F, 0x99, 0x46, 0x32, 0xBD, 0xDE, 0xA3, 0x09, 0xC9, 0x44, 0x6D, 0xF8, 0x6E, 0x36, 0xB1, 0x26, 0x21, 0x02, 0x0E, 0x6B, 0x3F, 0x3C, 0xD6, 0xA5, 0x56, 0xD9, 0x19, 0x68, 0x73, 0xB7, 0x98, 0x08, 0x46, 0x5E, 0x7C, 0xDC, 0x61, 0x69, 0x06, 0x9C, 0x8C, 0x09, 0x4D, 0x54, 0x88, 0x22, 0x98, 0x85, 0x03, 0x07, 0xA7, 0xB7, 0x9F, 0x81, 0xFA, 0x9F, 0xF5, 0xF6, 0x0D, 0x2E, 0xE7, 0x8B, 0x09, 0xB2, 0xB4, 0x7F, 0xB5, 0xBB, 0x57, 0x7A, 0xEB, 0x92, 0x24, 0xAF, 0xFA, 0x24, 0x69, 0x33, 0x55, 0x9D, 0xF6, 0xAC, 0x78, 0xB9, 0xCF, 0x16, 0x88, 0x85, 0xDD, 0xBA, 0x12, 0xB9, 0x50, 0xA9, 0x81, 0x7D, 0x03, 0x83, 0x4F, 0x7F, 0x25, 0xBD, 0xE4, 0x5F, 0x24, 0x85, 0xCB, 0x3A, 0x46, 0x5A, 0x83, 0xEC, 0x1A, 0x85, 0xE1, 0x38, 0xAB, 0xC5, 0x54, 0xE7, 0x14, 0xD1, 0xC4, 0x77, 0x19, 0xAB, 0xAD, 0x75, 0x11, 0xCF, 0xB4, 0xFE, 0xAB, 0x85, 0xF8, 0xAC, 0x9C, 0x08, 0x93, 0xED, 0x10, 0x60, 0xB2, 0x3F, 0x5A, 0x7B, 0xA4, 0x30, 0xA0, 0x72, 0xC2, 0x33, 0xF3, 0xDC, 0x38, 0xEB, 0x58, 0x7A, 0x9C, 0xF5, 0x4F, 0xB4, 0x92, 0x57, 0x07, 0x7C, 0xC8, 0xD7, 0xE3, 0x28, 0xBA, 0x9B, 0x85, 0x7E, 0x8A, 0xB5, 0xF3, 0x18, 0x58, 0x27, 0x81, 0x37, 0x11, 0x9A, 0x8A, 0x97, 0x33, 0x1A, 0x46, 0x90, 0x0F, 0x1E, 0x37, 0xC9, 0x86, 0xF0, 0xF7, 0xA6, 0xBD, 0xCA, 0x65, 0x3B, 0x3B, 0xDC, 0x80, 0x02, 0x44, 0x84, 0x15, 0x12, 0x31, 0x14, 0xB8, 0x76, 0x9B, 0xAF, 0xB4, 0xCD, 0x2D, 0xC1
-};
-
-static const unsigned char firm_fw26_5_dev_hdrpub[0x100] =
-{
-	0xD2, 0x81, 0x84, 0x0D, 0x64, 0x18, 0x87, 0x0F, 0xAC, 0x05, 0x8A, 0xF1, 0x9D, 0x0F, 0x08, 0xC0, 0xC2, 0xD4, 0xE6, 0xEC, 0x7B, 0x96, 0xA1, 0xD0, 0xD7, 0x47, 0x01, 0x03, 0x3F, 0x6F, 0xCB, 0x81, 0xE8, 0x55, 0x82, 0xFE, 0xBC, 0x19, 0x07, 0x05, 0x3D, 0x80, 0x8B, 0x85, 0x44, 0xD4, 0x2D, 0x68, 0xAE, 0x6F, 0xC7, 0x0A, 0xBC, 0xA0, 0xB4, 0x83, 0x7D, 0x00, 0x6F, 0x34, 0x2C, 0xF5, 0x1A, 0x79, 0x59, 0x34, 0x5F, 0x94, 0x40, 0x36, 0x19, 0x90, 0x09, 0x45, 0x30, 0xA7, 0xED, 0x8E, 0x47, 0x9F, 0x6B, 0x31, 0xD2, 0x13, 0x53, 0xEE, 0xF8, 0xC1, 0x00, 0xBD, 0x31, 0x19, 0xB2, 0x5B, 0x9C, 0x44, 0xE3, 0x14, 0x36, 0x31, 0xB4, 0x6F, 0x45, 0x33, 0xCC, 0xD5, 0x5D, 0xD0, 0x54, 0xFC, 0x57, 0xC0, 0xE2, 0x5C, 0xC1, 0x7E, 0xE4, 0x98, 0xBF, 0x61, 0xC6, 0x5F, 0x11, 0xBC, 0xED, 0x7E, 0x2B, 0xB1, 0x31, 0xD3, 0xF6, 0xC7, 0x5C, 0xC9, 0x35, 0x41, 0x82, 0x01, 0xE3, 0xF3, 0x02, 0xCC, 0x09, 0x65, 0x5C, 0xBB, 0xC0, 0x41, 0x47, 0xDC, 0xDC, 0xB9, 0x57, 0xEC, 0x39, 0xB9, 0xE7, 0x30, 0x29, 0x26, 0xA0, 0xE8, 0xD2, 0x3E, 0xAF, 0x46, 0x49, 0xBF, 0xC4, 0x9D, 0xB2, 0xD7, 0x16, 0x77, 0xD3, 0xBA, 0xF4, 0x7C, 0x7B, 0x7B, 0x4C, 0xCD, 0x0E, 0x48, 0xCD, 0x92, 0x1F, 0x2D, 0x7F, 0x00, 0xE8, 0x75, 0xC1, 0xC5, 0x64, 0x53, 0x2B, 0x6F, 0xE0, 0xA8, 0x42, 0xC6, 0x55, 0x66, 0x62, 0x94, 0xEA, 0xCC, 0xAC, 0xE6, 0x75, 0x55, 0xBC, 0xB8, 0x88, 0x18, 0x5B, 0x1F, 0x12, 0xE6, 0x9C, 0x12, 0x1E, 0x29, 0xBD, 0x4F, 0xF0, 0x83, 0xCE, 0xEE, 0xF2, 0x3B, 0x87, 0x28, 0x49, 0x96, 0x31, 0x4F, 0x8E, 0x2A, 0x17, 0x31, 0x46, 0x73, 0x7E, 0xE8, 0x3C, 0x60, 0x82, 0xB7, 0x45, 0x63, 0x50, 0x96, 0xB6, 0xED
-};
-
-static const unsigned char firm_fw26_5_dev_acexsig[0x100] =
-{
-	0x19, 0x92, 0x44, 0x57, 0xF2, 0xEE, 0x7E, 0xA6, 0x1D, 0xB7, 0xF0, 0x57, 0xE7, 0x35, 0x0F, 0x9B, 0xAE, 0xC3, 0x80, 0x3F, 0x8D, 0xFD, 0x4B, 0xBB, 0xCF, 0x0C, 0x02, 0x31, 0x04, 0x2C, 0xB8, 0xA3, 0xB9, 0x7B, 0x87, 0x74, 0x39, 0x86, 0x61, 0xE7, 0x69, 0xE6, 0xD6, 0x01, 0xCE, 0xCE, 0xAB, 0xD6, 0xE7, 0xDE, 0xF3, 0xFF, 0x4B, 0x20, 0xB0, 0x41, 0xCE, 0xE4, 0x02, 0xAA, 0x50, 0x3F, 0xF4, 0xE1, 0xE0, 0x57, 0x6C, 0xCD, 0xC4, 0x70, 0x59, 0x55, 0x80, 0xDB, 0x9F, 0x7B, 0xB3, 0x27, 0xEA, 0x29, 0xA5, 0xB4, 0x98, 0xEE, 0xDB, 0x6C, 0x7D, 0x50, 0x1E, 0xE7, 0xF9, 0xC0, 0x0F, 0x2F, 0x65, 0x0B, 0x37, 0x1C, 0xD2, 0x8B, 0x94, 0x1B, 0x1A, 0xC7, 0x23, 0x85, 0x56, 0x6C, 0x1A, 0xF3, 0x6D, 0xC2, 0xB2, 0xF1, 0x0F, 0xDF, 0x30, 0x65, 0x84, 0xF1, 0xEB, 0xD3, 0x6D, 0xA6, 0xA0, 0x65, 0x3B, 0xA9, 0x07, 0x20, 0x69, 0x7B, 0x63, 0x63, 0xF9, 0xCF, 0x97, 0x46, 0xD0, 0xD1, 0x7D, 0x9F, 0x87, 0x45, 0xC1, 0xED, 0xE8, 0x3C, 0x62, 0x5F, 0x16, 0x35, 0xB2, 0x2E, 0x1C, 0x16, 0x89, 0x2D, 0x93, 0xD9, 0x98, 0x4F, 0x42, 0xDF, 0x63, 0xA5, 0xB9, 0xBB, 0x48, 0x6F, 0xA2, 0xE3, 0x6C, 0xB5, 0xB6, 0x6F, 0x37, 0x37, 0x6E, 0x15, 0xD5, 0x32, 0x75, 0x2E, 0x39, 0x34, 0xCE, 0x1A, 0x81, 0x9E, 0xE8, 0x0B, 0xCA, 0xCB, 0xB0, 0x69, 0xA3, 0xE2, 0xBE, 0x8A, 0xC1, 0xE3, 0xBC, 0xAD, 0x25, 0x6F, 0xCA, 0x80, 0xB0, 0xEC, 0x1B, 0x0F, 0x5C, 0x6B, 0x92, 0xA0, 0xCE, 0x61, 0x04, 0x86, 0x51, 0x57, 0x9C, 0x0F, 0xB9, 0xD5, 0x80, 0x16, 0x30, 0xE1, 0x3A, 0x25, 0x4D, 0xEF, 0x74, 0xC4, 0x94, 0x78, 0xB6, 0x84, 0xDF, 0xC0, 0xE5, 0x62, 0x5B, 0x16, 0x4D, 0xDA, 0x75, 0x71, 0xA9, 0xB0, 0x58, 0x7E, 0x95, 0x83
+#include "desc/desc.h"
+
+static const CtrSdkDescSignData kDevDescSignData[] =
+{
+	/* CTR_SDK 1 (1.2.0) */
+	{
+		.type = desc_Application,
+		.fw_minor = 27,
+		.modulus = { 0x9B, 0x82, 0x9C, 0x19, 0x01, 0x73, 0x23, 0x50, 0x89, 0xE3, 0x0B, 0xC8, 0x8F, 0xFB, 0xA5, 0xE4, 0xFD, 0x44, 0xAE, 0x49, 0x32, 0xC7, 0xEF, 0x0A, 0x7E, 0x93, 0x95, 0xBA, 0xA2, 0x48, 0x4D, 0x8E, 0x18, 0x82, 0x34, 0x66, 0xFE, 0xDA, 0x7A, 0x45, 0x4A, 0x7D, 0xD5, 0x3C, 0xC6, 0x5C, 0xE0, 0x71, 0xFC, 0xD0, 0x82, 0xCC, 0xB2, 0xCF, 0x77, 0x0E, 0xAD, 0xCD, 0xD2, 0xAC, 0x1D, 0x66, 0x1B, 0xC1, 0xEA, 0xAC, 0x39, 0x96, 0x2C, 0x52, 0xDE, 0xFF, 0xF2, 0x74, 0xF6, 0xC5, 0xCA, 0x99, 0x31, 0x95, 0x13, 0xBB, 0x3F, 0xED, 0x30, 0xAE, 0x0A, 0xD3, 0x86, 0x0D, 0x0B, 0xF5, 0x56, 0x7D, 0x33, 0xBA, 0xA1, 0x39, 0xA2, 0xF5, 0xB6, 0x47, 0x78, 0x1F, 0xFD, 0x04, 0xA3, 0x49, 0xA9, 0x10, 0xD3, 0x41, 0x2E, 0x92, 0x7D, 0xE1, 0xA4, 0xA8, 0x02, 0x18, 0x01, 0x2C, 0xC2, 0x61, 0xB1, 0xAC, 0xCB, 0xB3, 0x7A, 0x64, 0xB1, 0xC3, 0xE6, 0x3B, 0x50, 0xAD, 0xDD, 0x55, 0xAB, 0x28, 0xDA, 0x59, 0xE7, 0x57, 0x6A, 0x76, 0x4F, 0x6B, 0x08, 0xD1, 0x61, 0x7D, 0x28, 0xD5, 0x88, 0x7B, 0x8E, 0x80, 0x78, 0xF3, 0xFF, 0x50, 0x00, 0xBD, 0x73, 0xFB, 0x62, 0xB3, 0xCA, 0xA8, 0x05, 0x48, 0xE6, 0xE6, 0x71, 0xB5, 0xAC, 0xDA, 0xE9, 0xC6, 0x1F, 0x9B, 0x72, 0x98, 0x2E, 0xFF, 0xB2, 0x9C, 0x36, 0x9F, 0x7E, 0x7D, 0x25, 0x65, 0x6F, 0xB0, 0x60, 0xB1, 0xB5, 0x5F, 0xCF, 0x74, 0x29, 0x91, 0x9D, 0xAB, 0x84, 0x97, 0x1A, 0x27, 0x5D, 0x69, 0x49, 0x16, 0xF8, 0x77, 0x31, 0x26, 0x3E, 0x6F, 0x97, 0x41, 0x4A, 0x26, 0xFD, 0x5B, 0xAB, 0x65, 0x77, 0x45, 0x1C, 0x76, 0x15, 0xDC, 0x1A, 0x63, 0x0F, 0x51, 0x2D, 0xA0, 0x07, 0x6E, 0xE5, 0x29, 0xD3, 0x37, 0x4B, 0xE5, 0x7F, 0xBB, 0x23, 0xD0, 0x2B, 0xB9, 0x76, 0x1F },
+		.priv_exponent = { 0x66, 0x9F, 0xB5, 0xC5, 0xA6, 0xB8, 0x45, 0xD8, 0xD3, 0x75, 0xFB, 0x03, 0xBB, 0x48, 0xF5, 0x7C, 0x7D, 0x4B, 0x02, 0xBD, 0x19, 0x7E, 0xE9, 0x98, 0x02, 0x5A, 0x00, 0xD8, 0x6E, 0x59, 0xCA, 0x9C, 0x78, 0x3E, 0x0C, 0xB8, 0xDF, 0x7C, 0x6C, 0x6E, 0x27, 0xAF, 0x8C, 0xB6, 0x13, 0xAD, 0x9D, 0x0C, 0x7C, 0x2B, 0x59, 0xF6, 0x1E, 0x16, 0x5D, 0x5A, 0x59, 0x86, 0x57, 0x7D, 0xEF, 0xD4, 0xBF, 0x82, 0xA4, 0x0C, 0x4D, 0xE0, 0x75, 0x95, 0xA6, 0xC6, 0x3F, 0x49, 0xC2, 0xC4, 0x5A, 0x63, 0xE8, 0x5D, 0x99, 0xEC, 0xDB, 0x4D, 0xFA, 0xEF, 0x10, 0x03, 0xF1, 0x15, 0xD1, 0x0B, 0x71, 0xAD, 0x24, 0x23, 0x08, 0x5C, 0x91, 0xD7, 0x17, 0x18, 0x69, 0x04, 0xAB, 0x23, 0x91, 0x62, 0x7D, 0xE8, 0xB5, 0x90, 0xF1, 0x5C, 0x09, 0x28, 0x8C, 0x51, 0xB7, 0x38, 0x02, 0x26, 0x78, 0x8C, 0xA2, 0x05, 0x07, 0x53, 0x7D, 0x99, 0x46, 0xFD, 0x12, 0x77, 0x32, 0x0E, 0xA8, 0x54, 0xE3, 0x32, 0x0E, 0x93, 0x05, 0x10, 0xFA, 0x59, 0x7A, 0x5D, 0x2E, 0xDE, 0x32, 0xE8, 0xE9, 0xF0, 0x27, 0x4E, 0x08, 0x83, 0x08, 0xD4, 0x92, 0x58, 0x4D, 0x6D, 0x34, 0x9F, 0xD9, 0xAF, 0xA9, 0x01, 0x62, 0xB5, 0x1A, 0x1D, 0x7E, 0x8D, 0xBB, 0x8A, 0x58, 0xBA, 0xFF, 0xB4, 0xD3, 0x75, 0xF3, 0x44, 0xE7, 0x13, 0x05, 0xC6, 0xC5, 0xA4, 0xD2, 0x6B, 0x18, 0x31, 0x9F, 0xBE, 0x42, 0x45, 0x82, 0x2E, 0x47, 0x9B, 0x26, 0x73, 0x28, 0xD7, 0x9A, 0x64, 0xA6, 0x3D, 0x38, 0x9C, 0x11, 0x36, 0x01, 0x5B, 0x82, 0x2F, 0x7E, 0xA8, 0xC4, 0x82, 0x15, 0x6C, 0x0B, 0xBA, 0x1C, 0x58, 0xF5, 0x81, 0xF9, 0x45, 0xA9, 0xC6, 0x05, 0x6A, 0x2C, 0xA6, 0xCF, 0xF5, 0xDF, 0xEB, 0xBB, 0xC0, 0x92, 0xE3, 0xA6, 0x9D, 0x23, 0x09, 0x09, 0x0E, 0x98, 0x39 },
+		.access_desc_signature = { 0x05, 0x90, 0xAF, 0x65, 0x16, 0x9F, 0x18, 0x2C, 0x17, 0x78, 0x9F, 0xDF, 0xB6, 0x37, 0xCF, 0x26, 0x9B, 0x1B, 0x75, 0x51, 0xB8, 0x57, 0xA3, 0x8F, 0xD7, 0x93, 0x19, 0x61, 0x81, 0x0D, 0x3D, 0xBC, 0x36, 0x50, 0x53, 0xDA, 0x7D, 0xA9, 0x7F, 0xAA, 0x3E, 0x51, 0x2C, 0x75, 0xA1, 0xB9, 0xB1, 0x56, 0xEB, 0x2A, 0x46, 0x21, 0xEC, 0x4F, 0xA7, 0x0C, 0xA1, 0xA8, 0xFD, 0xEE, 0xA3, 0x4A, 0xFD, 0x54, 0xB0, 0x3A, 0x49, 0x5C, 0x8F, 0x8D, 0xB2, 0xBC, 0x32, 0x50, 0x7E, 0x2C, 0x50, 0xD2, 0x1A, 0x6B, 0x61, 0xCB, 0x2A, 0xC9, 0x7E, 0x6E, 0x6A, 0xC8, 0xD6, 0x9B, 0x21, 0xE7, 0x3B, 0xB8, 0x39, 0x1C, 0xD7, 0xEB, 0x69, 0x35, 0xF5, 0xBC, 0xB5, 0x23, 0x54, 0x81, 0x4F, 0x73, 0xAB, 0x9C, 0x55, 0xF0, 0x04, 0x0B, 0x4A, 0xEA, 0x54, 0x08, 0xBF, 0x36, 0x28, 0x12, 0x5E, 0x44, 0x41, 0xF5, 0x3D, 0xFE, 0xA7, 0x6B, 0x35, 0xF2, 0x9A, 0xF2, 0x88, 0xCD, 0xD6, 0x2E, 0x7B, 0xF3, 0xF5, 0x0D, 0x06, 0x2E, 0x13, 0x4F, 0x78, 0xEE, 0x27, 0xAB, 0x31, 0x06, 0x62, 0xE9, 0xB2, 0x3E, 0xC6, 0x99, 0xD7, 0xA9, 0xCC, 0x21, 0x70, 0xD7, 0xCD, 0x9F, 0x03, 0x66, 0x91, 0x7E, 0xBD, 0x3E, 0x83, 0xC4, 0xFF, 0xC9, 0xAA, 0x7E, 0x27, 0xAE, 0x5C, 0x37, 0x7D, 0x93, 0x57, 0x60, 0xB9, 0x0B, 0x71, 0x43, 0x8A, 0x2F, 0x43, 0x50, 0x94, 0xF8, 0x0D, 0x40, 0xCC, 0x64, 0x16, 0x09, 0x70, 0xCD, 0x03, 0xCA, 0x95, 0x30, 0x20, 0xE2, 0x85, 0x2F, 0x2A, 0xCF, 0x65, 0xAA, 0xE9, 0xCF, 0x1F, 0x57, 0xC1, 0x8F, 0xD5, 0x46, 0x51, 0x5A, 0x99, 0x60, 0x65, 0x93, 0xA9, 0xBB, 0xEA, 0x5F, 0xA0, 0x47, 0xD7, 0x11, 0x04, 0xC7, 0xB4, 0x82, 0x66, 0x24, 0x17, 0x17, 0x5E, 0x9D, 0xC8, 0x50, 0x80, 0x63, 0x28, 0xB3, 0xF8, 0xE3 }
+	},
+	{
+		.type = desc_DlpChild,
+		.fw_minor = 27,
+		.modulus = { 0xD9, 0xF0, 0xC9, 0x35, 0x1E, 0x55, 0xD8, 0x7E, 0x96, 0x53, 0x33, 0x34, 0xBB, 0x8A, 0xAE, 0x03, 0x92, 0x35, 0xE2, 0x05, 0x58, 0x7C, 0xCC, 0x08, 0xB2, 0xDF, 0x43, 0x41, 0xB7, 0x7A, 0xB5, 0x29, 0xEE, 0x4E, 0xF3, 0xC7, 0x35, 0x3B, 0x7E, 0xC5, 0xEE, 0x74, 0xF0, 0xAA, 0x7E, 0x60, 0xF1, 0x28, 0x35, 0x17, 0xD6, 0xC9, 0x9A, 0xF2, 0x84, 0xFE, 0xC8, 0x93, 0x86, 0xF7, 0xA7, 0x36, 0xA6, 0xB0, 0x28, 0xDC, 0xE8, 0x38, 0x0B, 0x54, 0x42, 0x8D, 0x4E, 0x4B, 0x55, 0x0F, 0x4A, 0x0D, 0x72, 0xA0, 0x23, 0xC9, 0x68, 0x22, 0x37, 0x31, 0x88, 0x2C, 0x05, 0x49, 0x86, 0x80, 0x9A, 0xFC, 0x1D, 0x02, 0xE3, 0x20, 0x15, 0x0C, 0x7E, 0x28, 0x40, 0x57, 0xEF, 0xA7, 0xBC, 0xAA, 0xC5, 0xD6, 0xD7, 0x6F, 0xF9, 0x26, 0x9A, 0x32, 0xB2, 0x9E, 0x10, 0x5F, 0x93, 0xE6, 0xB2, 0xC6, 0xB2, 0x62, 0x34, 0x6A, 0xB0, 0xD9, 0x71, 0x3B, 0x0F, 0x34, 0x6C, 0xB1, 0xFE, 0x3A, 0x39, 0xDE, 0x3D, 0x6A, 0xCB, 0x32, 0x95, 0xFA, 0x18, 0x4F, 0xF4, 0xEB, 0x5F, 0x20, 0xE4, 0xEF, 0x64, 0xC5, 0x06, 0x27, 0xC3, 0x44, 0x2A, 0x39, 0x35, 0xD8, 0x00, 0xDF, 0x00, 0xAD, 0xC4, 0x98, 0x06, 0x52, 0xD8, 0x4A, 0xC5, 0x2A, 0x7F, 0x77, 0x50, 0x62, 0x7E, 0x05, 0x3E, 0x8C, 0x28, 0x0A, 0x26, 0xD2, 0x6C, 0x9B, 0x27, 0x65, 0xE9, 0x77, 0x68, 0xE9, 0xE6, 0xAA, 0xBA, 0xF5, 0x85, 0xFC, 0x75, 0x07, 0x84, 0xB2, 0xCA, 0x35, 0x85, 0x52, 0x10, 0x08, 0xEF, 0x85, 0xD3, 0x70, 0x17, 0x31, 0xE1, 0x44, 0xF6, 0x34, 0xDF, 0x7C, 0x42, 0xF7, 0x74, 0xAA, 0xFC, 0xC3, 0xE4, 0x84, 0x2D, 0xBF, 0x15, 0x1E, 0x84, 0x00, 0xE3, 0x80, 0xD7, 0x89, 0x56, 0xEE, 0x60, 0x09, 0x1F, 0xD3, 0xBF, 0xBF, 0x50, 0x8F, 0xA3, 0x0C, 0x72, 0x3F },
+		.priv_exponent = { 0x10, 0x19, 0x3A, 0x33, 0xA3, 0x47, 0x02, 0x13, 0xEF, 0xB4, 0xBB, 0x9E, 0x94, 0x8F, 0xDC, 0xE4, 0xC4, 0xA3, 0x18, 0x4B, 0xFE, 0xCA, 0x51, 0x23, 0xFF, 0x5A, 0x80, 0x94, 0x55, 0x22, 0x4A, 0x49, 0x8B, 0xA1, 0xE7, 0x5D, 0xFA, 0xAF, 0xA7, 0x60, 0xA5, 0x89, 0x9B, 0xD1, 0x6C, 0x3E, 0x6A, 0xF1, 0xE6, 0x62, 0x19, 0x6A, 0x90, 0xF8, 0x83, 0x1C, 0x72, 0xE2, 0x7A, 0xE0, 0xC6, 0x48, 0x42, 0x2D, 0xD7, 0x06, 0xE2, 0x5C, 0x69, 0x71, 0xD2, 0xEC, 0xAF, 0x30, 0xDF, 0x5A, 0x9E, 0xC4, 0xB9, 0x87, 0xDC, 0xBC, 0xDE, 0xE5, 0x50, 0x20, 0x67, 0x87, 0xA0, 0xE8, 0x5A, 0x78, 0x1B, 0x7A, 0xAE, 0x05, 0xED, 0x93, 0x0C, 0x1A, 0xFD, 0x22, 0xAA, 0x06, 0x14, 0xDC, 0xD6, 0x11, 0xE3, 0x45, 0x48, 0x6A, 0xAC, 0x03, 0xCE, 0xF6, 0x19, 0xBD, 0x95, 0x46, 0x0A, 0x1D, 0xCB, 0x6C, 0xE3, 0xF6, 0x5F, 0x1A, 0xB3, 0x81, 0xC7, 0xE2, 0xAB, 0xFE, 0xEF, 0xFB, 0xEC, 0xFE, 0x88, 0x36, 0x26, 0x60, 0x47, 0x43, 0x78, 0x36, 0xA7, 0xC8, 0xC9, 0x40, 0x98, 0x2E, 0xF2, 0x7E, 0xE4, 0x0D, 0x6C, 0x45, 0x88, 0x2A, 0x32, 0x9B, 0xA2, 0x7C, 0x39, 0x20, 0xAA, 0x6B, 0x64, 0x35, 0xC6, 0xA9, 0x20, 0x71, 0x4A, 0x78, 0x6E, 0x55, 0x3C, 0x9B, 0xEA, 0x10, 0x73, 0xBB, 0xA7, 0xD8, 0xFE, 0x69, 0x42, 0xB8, 0xE7, 0xA1, 0xE5, 0xDF, 0x8A, 0xDE, 0x4C, 0x2B, 0x3A, 0x92, 0xB8, 0x3E, 0x5E, 0x2C, 0x29, 0x0D, 0xC1, 0x3D, 0x10, 0x65, 0x1E, 0xF1, 0x95, 0xE5, 0xF6, 0x45, 0x15, 0xBF, 0xE2, 0x30, 0xA6, 0x70, 0x19, 0xA4, 0x11, 0x57, 0x12, 0x1C, 0x81, 0x4B, 0x54, 0x04, 0xBE, 0x67, 0xF5, 0x00, 0x22, 0x06, 0xDA, 0x6B, 0xCE, 0x23, 0x3F, 0x86, 0xE4, 0x70, 0x6A, 0xD1, 0x3E, 0xE5, 0x74, 0x44, 0x86, 0xDA, 0xBE, 0x79 },
+		.access_desc_signature = { 0x10, 0x19, 0x3A, 0x33, 0xA3, 0x47, 0x02, 0x13, 0xEF, 0xB4, 0xBB, 0x9E, 0x94, 0x8F, 0xDC, 0xE4, 0xC4, 0xA3, 0x18, 0x4B, 0xFE, 0xCA, 0x51, 0x23, 0xFF, 0x5A, 0x80, 0x94, 0x55, 0x22, 0x4A, 0x49, 0x8B, 0xA1, 0xE7, 0x5D, 0xFA, 0xAF, 0xA7, 0x60, 0xA5, 0x89, 0x9B, 0xD1, 0x6C, 0x3E, 0x6A, 0xF1, 0xE6, 0x62, 0x19, 0x6A, 0x90, 0xF8, 0x83, 0x1C, 0x72, 0xE2, 0x7A, 0xE0, 0xC6, 0x48, 0x42, 0x2D, 0xD7, 0x06, 0xE2, 0x5C, 0x69, 0x71, 0xD2, 0xEC, 0xAF, 0x30, 0xDF, 0x5A, 0x9E, 0xC4, 0xB9, 0x87, 0xDC, 0xBC, 0xDE, 0xE5, 0x50, 0x20, 0x67, 0x87, 0xA0, 0xE8, 0x5A, 0x78, 0x1B, 0x7A, 0xAE, 0x05, 0xED, 0x93, 0x0C, 0x1A, 0xFD, 0x22, 0xAA, 0x06, 0x14, 0xDC, 0xD6, 0x11, 0xE3, 0x45, 0x48, 0x6A, 0xAC, 0x03, 0xCE, 0xF6, 0x19, 0xBD, 0x95, 0x46, 0x0A, 0x1D, 0xCB, 0x6C, 0xE3, 0xF6, 0x5F, 0x1A, 0xB3, 0x81, 0xC7, 0xE2, 0xAB, 0xFE, 0xEF, 0xFB, 0xEC, 0xFE, 0x88, 0x36, 0x26, 0x60, 0x47, 0x43, 0x78, 0x36, 0xA7, 0xC8, 0xC9, 0x40, 0x98, 0x2E, 0xF2, 0x7E, 0xE4, 0x0D, 0x6C, 0x45, 0x88, 0x2A, 0x32, 0x9B, 0xA2, 0x7C, 0x39, 0x20, 0xAA, 0x6B, 0x64, 0x35, 0xC6, 0xA9, 0x20, 0x71, 0x4A, 0x78, 0x6E, 0x55, 0x3C, 0x9B, 0xEA, 0x10, 0x73, 0xBB, 0xA7, 0xD8, 0xFE, 0x69, 0x42, 0xB8, 0xE7, 0xA1, 0xE5, 0xDF, 0x8A, 0xDE, 0x4C, 0x2B, 0x3A, 0x92, 0xB8, 0x3E, 0x5E, 0x2C, 0x29, 0x0D, 0xC1, 0x3D, 0x10, 0x65, 0x1E, 0xF1, 0x95, 0xE5, 0xF6, 0x45, 0x15, 0xBF, 0xE2, 0x30, 0xA6, 0x70, 0x19, 0xA4, 0x11, 0x57, 0x12, 0x1C, 0x81, 0x4B, 0x54, 0x04, 0xBE, 0x67, 0xF5, 0x00, 0x22, 0x06, 0xDA, 0x6B, 0xCE, 0x23, 0x3F, 0x86, 0xE4, 0x70, 0x6A, 0xD1, 0x3E, 0xE5, 0x74, 0x44, 0x86, 0xDA, 0xBE, 0x79 }
+	},
+	/* CTR_SDK 2 (2.3.4) */
+	{
+		.type = desc_Application,
+		.fw_minor = 29,
+		.modulus = { 0xE9, 0x45, 0xF0, 0xC6, 0x96, 0xD5, 0x6F, 0x7E, 0xAE, 0x03, 0x92, 0x2E, 0xEA, 0xCB, 0xFD, 0xEA, 0xA4, 0x7A, 0x9F, 0x12, 0xDA, 0x4C, 0x10, 0x0A, 0xBE, 0x08, 0x9D, 0x87, 0xE0, 0x14, 0xAC, 0x7F, 0x39, 0xD2, 0xFE, 0x9D, 0x88, 0xB2, 0x81, 0xF6, 0x1A, 0x9E, 0x15, 0x57, 0xD4, 0xE2, 0x31, 0x08, 0x07, 0xEC, 0x4F, 0x10, 0x00, 0xDE, 0xEF, 0x8B, 0x6F, 0xCF, 0x84, 0xE7, 0x3B, 0x41, 0x08, 0x64, 0x3B, 0x1C, 0x00, 0x7C, 0x73, 0xBB, 0x59, 0x4D, 0xD8, 0xD6, 0xE7, 0x7B, 0xBE, 0xDD, 0x50, 0x98, 0xA1, 0x1A, 0xD5, 0xAA, 0x37, 0x69, 0xB8, 0x25, 0xCB, 0x7B, 0x03, 0x00, 0x90, 0x25, 0xF3, 0x7E, 0x9A, 0x0F, 0xA3, 0xAA, 0xC4, 0xB9, 0x3B, 0x3A, 0x18, 0x2B, 0xBC, 0x9C, 0x11, 0x04, 0x92, 0x16, 0x6E, 0xC3, 0xFA, 0x01, 0xD3, 0x00, 0x02, 0xF3, 0x2E, 0xD5, 0x60, 0xA8, 0xAF, 0xAB, 0xEE, 0x2F, 0x9D, 0x30, 0x3E, 0x0E, 0xDC, 0xB8, 0xEC, 0x87, 0x9E, 0x4A, 0xA9, 0x01, 0x34, 0x69, 0x2C, 0x4C, 0x34, 0xB7, 0x7D, 0xB9, 0x7A, 0x17, 0x74, 0x31, 0xB0, 0x29, 0xC4, 0x7D, 0x27, 0x1F, 0xBA, 0xBA, 0x3F, 0x5B, 0x62, 0xF6, 0x90, 0xB8, 0x37, 0x33, 0xFC, 0x73, 0xD6, 0x19, 0x11, 0xCA, 0x83, 0x2A, 0x58, 0x62, 0x9C, 0xB1, 0x83, 0x43, 0x1D, 0x2C, 0x00, 0xA2, 0xE5, 0x87, 0x97, 0x12, 0x63, 0x31, 0x83, 0x0E, 0xB1, 0x1E, 0x69, 0x99, 0x02, 0xAF, 0xDF, 0xFF, 0x0F, 0xA9, 0x7C, 0x1B, 0x33, 0x9E, 0xFF, 0x9C, 0x14, 0x19, 0xA6, 0xCA, 0xFD, 0xB9, 0x17, 0xE0, 0x22, 0xCF, 0xB5, 0x00, 0x77, 0x2E, 0x31, 0xAD, 0xF7, 0xE5, 0xAD, 0x98, 0x14, 0xDF, 0x19, 0xF0, 0xC9, 0xBE, 0x37, 0xF6, 0xF0, 0x23, 0x66, 0xCF, 0x34, 0xE3, 0xD5, 0x8F, 0xD4, 0x07, 0xBA, 0x06, 0x56, 0x00, 0x66, 0x9A, 0xEB, 0x93 },
+		.priv_exponent = { 0xBC, 0x49, 0x29, 0xB9, 0x01, 0x52, 0x31, 0x76, 0x4C, 0xBA, 0xB1, 0x29, 0x91, 0x77, 0x29, 0xF2, 0x54, 0xE4, 0x6C, 0xB5, 0x68, 0xE1, 0xF0, 0x28, 0xDB, 0x8E, 0x54, 0xA8, 0xB1, 0xA3, 0xBE, 0x3F, 0xCA, 0xCA, 0x95, 0x9D, 0x4E, 0x12, 0xD7, 0x77, 0x6F, 0xB0, 0x9D, 0x85, 0x91, 0x5D, 0x29, 0x3A, 0x54, 0x3A, 0xD6, 0xEE, 0x11, 0xE5, 0xDF, 0xEF, 0xEA, 0x45, 0xD3, 0xFE, 0x58, 0x03, 0x7B, 0xE4, 0x7B, 0x19, 0x75, 0x02, 0xFE, 0xDE, 0xFF, 0x8C, 0x28, 0x33, 0xFE, 0x10, 0x11, 0xD4, 0xCD, 0x13, 0x05, 0x26, 0x85, 0xC3, 0xA8, 0x8A, 0x7A, 0x8A, 0x77, 0x1D, 0x49, 0x25, 0x11, 0x34, 0xB0, 0xBF, 0x45, 0x56, 0xCE, 0x42, 0x2E, 0x1B, 0x5C, 0xC4, 0xDD, 0x71, 0xA0, 0x01, 0x50, 0x73, 0x21, 0xFF, 0x5D, 0x54, 0x6D, 0xDD, 0x3F, 0x14, 0x49, 0x4D, 0x44, 0x46, 0x12, 0x88, 0xD5, 0x92, 0xAE, 0xE2, 0xD0, 0xF6, 0x2C, 0x10, 0xD5, 0x67, 0x61, 0x87, 0x7F, 0x2A, 0x17, 0x9D, 0x4F, 0xC6, 0x79, 0xC3, 0xAF, 0x4D, 0x6F, 0xFB, 0x0F, 0x3B, 0x48, 0x5D, 0x46, 0x9A, 0xE8, 0x53, 0xB7, 0xC5, 0x69, 0xEC, 0x31, 0x25, 0xD1, 0xDC, 0x93, 0xAB, 0x2E, 0x53, 0x3B, 0x8E, 0x96, 0x27, 0x59, 0xD4, 0xF7, 0xB3, 0xAB, 0x51, 0x59, 0xAE, 0x6E, 0x26, 0x4F, 0xC2, 0x95, 0xCE, 0x42, 0xC6, 0xAF, 0x46, 0xC6, 0x2E, 0x32, 0x09, 0x7B, 0xAF, 0x67, 0x4E, 0x57, 0xC8, 0x93, 0x5F, 0x8C, 0xD5, 0x66, 0x7B, 0xCC, 0xE9, 0xBE, 0x86, 0xB9, 0xBB, 0xD0, 0xC8, 0xD2, 0xDC, 0x5F, 0x95, 0x83, 0x28, 0x55, 0x21, 0x1E, 0xEE, 0xCF, 0x23, 0xB7, 0x6D, 0xE0, 0x9A, 0x87, 0x99, 0xFB, 0x82, 0x50, 0xD0, 0x2D, 0xC4, 0xFB, 0xA0, 0x11, 0x2F, 0xDD, 0x05, 0x7E, 0x1C, 0xE3, 0xFB, 0x98, 0x69, 0xD4, 0x49, 0x2F, 0x0D, 0xF6, 0x61 },
+		.access_desc_signature = { 0x62, 0xFE, 0xD9, 0x12, 0x3D, 0x99, 0x53, 0xC4, 0x20, 0x25, 0xDE, 0x59, 0xEA, 0x6E, 0xF3, 0x16, 0x5B, 0x36, 0xBA, 0x1C, 0xB3, 0xB5, 0x48, 0x37, 0xD2, 0xA4, 0x04, 0xE5, 0x14, 0xC6, 0xE7, 0x22, 0x14, 0x40, 0x6F, 0x92, 0x6A, 0x9B, 0xDF, 0xDE, 0xFA, 0xCE, 0x3C, 0xBB, 0x4B, 0xC4, 0x66, 0xA8, 0x86, 0x58, 0xAC, 0xEB, 0x2F, 0xB7, 0xA3, 0xEC, 0xEA, 0x31, 0x23, 0x61, 0xF6, 0x72, 0x1E, 0x26, 0x8A, 0x1D, 0x68, 0x2A, 0x2A, 0x21, 0x5A, 0xA2, 0x6A, 0xBD, 0xCE, 0xC0, 0x19, 0x08, 0x61, 0x64, 0xB3, 0xF6, 0x90, 0xB1, 0x34, 0xF8, 0x50, 0x6F, 0x83, 0xB6, 0x8D, 0x35, 0x12, 0x7F, 0x9C, 0x7B, 0x6E, 0x3C, 0x4E, 0xD1, 0xFD, 0xC3, 0x30, 0xD2, 0xE8, 0x7E, 0x15, 0x1F, 0xAD, 0xDB, 0x1D, 0x92, 0xDA, 0x8C, 0x4E, 0xE9, 0x84, 0x83, 0xFF, 0x1A, 0x09, 0x77, 0x05, 0x5A, 0xCF, 0x5C, 0x8B, 0x4F, 0x68, 0x36, 0xC8, 0xDA, 0x5B, 0x1A, 0x5A, 0x49, 0xF9, 0xA1, 0xF2, 0xC8, 0x02, 0xFD, 0x69, 0x1F, 0x1D, 0xB3, 0xE8, 0xF8, 0xE1, 0x6B, 0x15, 0x9A, 0x5E, 0x41, 0x84, 0x06, 0x1F, 0x2A, 0xB3, 0xB2, 0xA1, 0xDC, 0x63, 0x81, 0xB3, 0x6B, 0x4B, 0x21, 0x67, 0x19, 0x82, 0x52, 0xFE, 0x75, 0x96, 0xA1, 0xDF, 0x02, 0xD4, 0x07, 0x1F, 0x1B, 0x88, 0x12, 0x5A, 0x76, 0x54, 0xC4, 0x06, 0x2D, 0xB1, 0xAA, 0x41, 0x3C, 0x9F, 0x43, 0xA2, 0x75, 0x20, 0x39, 0xB6, 0x06, 0xF9, 0x9C, 0xFC, 0x00, 0xC5, 0xBC, 0x84, 0x13, 0x80, 0xE4, 0x10, 0x1A, 0xCD, 0x95, 0xBB, 0xF2, 0xDC, 0x57, 0x7B, 0xBA, 0x87, 0x05, 0x0B, 0x96, 0xC1, 0xCD, 0x60, 0xC7, 0x10, 0x44, 0x78, 0x0E, 0x0F, 0x2F, 0x91, 0x54, 0x6C, 0xDE, 0xB8, 0x14, 0x46, 0xF3, 0x9C, 0xAC, 0x7B, 0xAA, 0xE7, 0x1B, 0x52, 0xD6, 0xBE, 0x71, 0x97, 0x22 }
+	},
+	{
+		.type = desc_DlpChild,
+		.fw_minor = 29,
+		.modulus = { 0xB9, 0xDE, 0x3D, 0xC0, 0x55, 0xB9, 0xCC, 0x3F, 0x55, 0xE0, 0x61, 0x1D, 0x6F, 0xCF, 0x3E, 0x7F, 0xE2, 0xF7, 0xF5, 0xAD, 0x5C, 0x02, 0x7F, 0x17, 0x5B, 0x44, 0x2F, 0x2D, 0xDC, 0xD4, 0xA6, 0x63, 0xD2, 0xA7, 0x82, 0xD3, 0x00, 0x77, 0xC8, 0x0B, 0x28, 0x09, 0x3D, 0x81, 0x86, 0x93, 0xF5, 0xF6, 0xE4, 0x69, 0x3B, 0x60, 0x4C, 0x7F, 0x8D, 0x72, 0xA3, 0x22, 0x42, 0x86, 0x87, 0x06, 0xD8, 0x29, 0x89, 0x8A, 0x9F, 0x5F, 0x6C, 0x06, 0x0C, 0x96, 0x84, 0x00, 0x24, 0x5D, 0x0B, 0xEA, 0x15, 0xEC, 0xAD, 0x90, 0xA4, 0x0C, 0x7B, 0xAE, 0x0E, 0x85, 0x3E, 0xA2, 0x20, 0x04, 0xE8, 0xD9, 0x59, 0x0F, 0x31, 0x0E, 0xD4, 0x5D, 0xC1, 0x18, 0xED, 0x0E, 0xB4, 0xD2, 0x5E, 0x65, 0xA2, 0x78, 0x0C, 0x76, 0x03, 0x3A, 0x71, 0x18, 0xE4, 0x38, 0x44, 0x14, 0xE0, 0x93, 0x84, 0xFE, 0x34, 0x82, 0xCA, 0x0B, 0xB8, 0xF2, 0x41, 0xAB, 0x63, 0xF3, 0xDE, 0xAE, 0xF4, 0x36, 0x81, 0xA4, 0x78, 0x7B, 0xF9, 0xA8, 0xFB, 0xC9, 0xA7, 0x6E, 0xA4, 0xD5, 0xE2, 0xA9, 0xD8, 0xD9, 0xE8, 0x98, 0x1B, 0x25, 0x75, 0x00, 0x11, 0x51, 0x97, 0x62, 0x0D, 0xF0, 0x0C, 0xE9, 0x6B, 0x0C, 0xEE, 0xCE, 0x25, 0x2C, 0x3F, 0xDF, 0xBE, 0x54, 0xD5, 0xD6, 0x5E, 0xEE, 0x1F, 0x73, 0xFC, 0xE8, 0xEC, 0xB3, 0x8A, 0x48, 0x9F, 0x6A, 0xC1, 0x63, 0x85, 0xE4, 0x94, 0x85, 0x8F, 0x3D, 0x9D, 0x43, 0xB4, 0xA7, 0x4C, 0x82, 0xA3, 0x0B, 0x67, 0x43, 0x12, 0x31, 0x77, 0x89, 0xB0, 0xD5, 0x00, 0x1B, 0x52, 0x29, 0xCE, 0x54, 0xC7, 0xC4, 0x7D, 0xB6, 0x69, 0x7B, 0xFE, 0xDC, 0xDB, 0x4E, 0xD8, 0x58, 0x42, 0x14, 0x34, 0x72, 0x64, 0xBC, 0x09, 0x6D, 0xAC, 0xD3, 0xC4, 0x1B, 0x5C, 0x8E, 0xF9, 0xBE, 0x84, 0xCD, 0x9A, 0x86, 0x4B, 0x17 },
+		.priv_exponent = { 0xAA, 0x51, 0x62, 0x58, 0x9A, 0xB5, 0x74, 0xDA, 0x1C, 0xC1, 0x4D, 0x7C, 0x81, 0xF6, 0x70, 0x99, 0x13, 0xCC, 0x90, 0x0D, 0xD9, 0xA0, 0x58, 0x01, 0x79, 0x1A, 0x53, 0xF9, 0x3C, 0xC0, 0x87, 0xF0, 0x35, 0x1A, 0x56, 0xA1, 0x2F, 0x6E, 0x93, 0x9A, 0xD5, 0x87, 0x12, 0x1B, 0x5C, 0xCC, 0xBC, 0xB9, 0x0E, 0xB8, 0xF7, 0x35, 0xD9, 0x23, 0x90, 0xE4, 0x19, 0x64, 0xCD, 0x7D, 0x24, 0xC2, 0x3A, 0xD6, 0x65, 0x38, 0xE7, 0xAD, 0xB2, 0xF9, 0x20, 0x13, 0xD4, 0xC5, 0xA4, 0x8C, 0xB6, 0xDC, 0x3C, 0x56, 0xF2, 0xFC, 0xF5, 0xB6, 0x92, 0xA6, 0xFE, 0x9B, 0x4E, 0xB7, 0x95, 0x8B, 0xAA, 0x2B, 0x70, 0x96, 0xA1, 0x27, 0xAB, 0xA6, 0x75, 0xC9, 0x77, 0x80, 0xE0, 0x65, 0x5D, 0x26, 0xD8, 0xE8, 0x14, 0xD3, 0x17, 0x46, 0x38, 0x58, 0xCC, 0xD8, 0x5A, 0x5A, 0x9F, 0x27, 0xCE, 0xD8, 0x7A, 0x19, 0xD7, 0x35, 0xB2, 0x32, 0xAF, 0x47, 0x2E, 0x9F, 0x4B, 0x64, 0xEC, 0x1F, 0xC6, 0x40, 0xD0, 0x2C, 0x47, 0xD1, 0xEA, 0x33, 0xE5, 0x0E, 0x80, 0xFC, 0x68, 0xEC, 0x8C, 0x12, 0x33, 0xCE, 0x34, 0x28, 0x79, 0xFA, 0x05, 0x5D, 0x70, 0x15, 0xDE, 0xB1, 0x22, 0x85, 0x18, 0x63, 0x15, 0x35, 0x57, 0x04, 0x17, 0x64, 0x20, 0xC8, 0x52, 0x44, 0x64, 0x5E, 0x47, 0x4E, 0x5F, 0x80, 0x21, 0x16, 0x94, 0x4B, 0x18, 0x11, 0x36, 0x67, 0x3B, 0x6C, 0x69, 0x19, 0xCF, 0xC9, 0x05, 0x85, 0x9B, 0x3A, 0xDE, 0x12, 0x1E, 0x0A, 0xC6, 0x22, 0xA8, 0xC7, 0x9A, 0x34, 0x14, 0x98, 0xFD, 0xD9, 0x0F, 0xE8, 0x64, 0xE6, 0x89, 0x63, 0x6E, 0x17, 0x76, 0xD7, 0x1B, 0x6F, 0x92, 0x00, 0xD8, 0xBB, 0xF6, 0xA0, 0x65, 0x9D, 0xAA, 0x7A, 0x0E, 0x4B, 0x56, 0xA5, 0x33, 0xDA, 0x3F, 0x5D, 0xFE, 0xD3, 0xAD, 0x6E, 0x0E, 0xB3, 0xD4, 0x41 },
+		.access_desc_signature = { 0x97, 0x84, 0x97, 0xEE, 0x4F, 0x35, 0xCC, 0xBE, 0x08, 0xB4, 0x5D, 0x7E, 0x17, 0xC3, 0x94, 0x2B, 0x4D, 0x3A, 0xA5, 0xB5, 0x01, 0xD4, 0xAE, 0x2A, 0x90, 0x26, 0x21, 0x8F, 0x56, 0x05, 0xB9, 0xA2, 0x5E, 0xCE, 0x73, 0xC7, 0x42, 0xDC, 0x99, 0xD2, 0x7C, 0x08, 0x62, 0xBF, 0x10, 0x7A, 0xC1, 0x5D, 0x22, 0x53, 0x8F, 0x63, 0x2D, 0x73, 0xF3, 0x05, 0xDA, 0x9D, 0x6A, 0xF8, 0xB9, 0x5B, 0x80, 0xB4, 0x30, 0xB3, 0x11, 0xF7, 0x96, 0x8A, 0xCF, 0x70, 0xD7, 0x62, 0x6E, 0x99, 0x32, 0xFD, 0x74, 0x34, 0x16, 0xFD, 0x17, 0x1F, 0xB1, 0xEC, 0xA4, 0x0F, 0x52, 0x13, 0x9F, 0x62, 0x0D, 0xE0, 0x50, 0xA6, 0xA0, 0x7B, 0x69, 0x95, 0xE0, 0xE9, 0xBB, 0x38, 0x0C, 0x62, 0xE0, 0xE3, 0xCE, 0x82, 0xE0, 0xB9, 0xE0, 0xF6, 0x61, 0x50, 0xBF, 0xA8, 0x18, 0x15, 0x38, 0xFE, 0xFA, 0x8C, 0xBA, 0xA5, 0xB9, 0x9C, 0x05, 0xA6, 0x91, 0x5C, 0xA7, 0x13, 0x6F, 0x13, 0x3F, 0xF1, 0xF6, 0x68, 0xAF, 0x40, 0xEC, 0x27, 0xE0, 0x33, 0x6B, 0xCF, 0x26, 0x06, 0xF8, 0x6A, 0x13, 0x6C, 0xBC, 0xDB, 0xAF, 0x6F, 0x78, 0xA0, 0x80, 0x10, 0x8F, 0xB6, 0x91, 0x5A, 0x43, 0x2C, 0x5F, 0x1D, 0xBA, 0xB4, 0x5E, 0xBE, 0xAE, 0x53, 0x09, 0x17, 0x5B, 0x6C, 0xC1, 0x5E, 0x0F, 0x72, 0x6E, 0xD6, 0x10, 0x0B, 0xC3, 0x26, 0xDC, 0xAF, 0xCA, 0x28, 0xAB, 0x00, 0x67, 0x04, 0xE3, 0x54, 0xE8, 0x95, 0xC6, 0x23, 0xB6, 0x79, 0x70, 0xA4, 0x87, 0x6D, 0x12, 0x48, 0xCC, 0x11, 0x86, 0xEC, 0x82, 0xF4, 0x30, 0xC9, 0xB1, 0x6D, 0x08, 0xA7, 0xEA, 0x8C, 0x6A, 0x97, 0xAA, 0x89, 0xD5, 0xC5, 0x07, 0xA9, 0xD5, 0xCF, 0x09, 0x08, 0xBC, 0x56, 0x63, 0x8D, 0x70, 0x2F, 0x64, 0xAF, 0x51, 0x9E, 0x22, 0xA4, 0x88, 0xF0, 0xDC, 0x56, 0x72, 0x28 }
+	},
+	/* CTR_SDK 4 (4.2.8) */
+	{
+		.type = desc_Application,
+		.fw_minor = 33,
+		.modulus = { 0xCF, 0xEC, 0xB2, 0x48, 0x03, 0x6D, 0xB8, 0x09, 0xE3, 0x5C, 0x6C, 0x62, 0x2C, 0xA9, 0x49, 0xE1, 0xF4, 0xF4, 0x0C, 0x6C, 0xC3, 0xE5, 0x2F, 0x9D, 0x50, 0xA0, 0x2B, 0x5A, 0x00, 0xC6, 0x72, 0x00, 0x0B, 0xA3, 0x04, 0x5D, 0x94, 0x46, 0xE7, 0x00, 0x1B, 0x48, 0x85, 0xB5, 0x61, 0x2C, 0xC9, 0x74, 0xCA, 0x2B, 0x43, 0x13, 0xC1, 0x78, 0x97, 0x5C, 0x33, 0x2F, 0x07, 0xC7, 0x85, 0xF0, 0xDA, 0xDB, 0x60, 0x96, 0x50, 0x0F, 0x7C, 0x4B, 0x7A, 0xD7, 0x17, 0x9D, 0xE4, 0xE5, 0xC3, 0xAB, 0x6F, 0x5D, 0xA5, 0x78, 0x32, 0xAD, 0x04, 0xDD, 0x96, 0x6E, 0xDC, 0x75, 0xFF, 0xC2, 0x2F, 0xFA, 0xA2, 0xEE, 0x46, 0x89, 0xCD, 0xAE, 0x69, 0x92, 0xA4, 0x48, 0xBC, 0x46, 0x47, 0xC4, 0x8C, 0x89, 0x63, 0xE1, 0x0A, 0x4D, 0x1C, 0xDC, 0x46, 0x2F, 0x5B, 0x70, 0x8A, 0x7C, 0xE9, 0x22, 0x9C, 0x09, 0x0B, 0xA8, 0x97, 0x40, 0xCA, 0x2A, 0x7D, 0x84, 0xA1, 0x04, 0x4A, 0x2E, 0xDB, 0xD7, 0xD0, 0x64, 0x43, 0x9C, 0xD0, 0x78, 0x11, 0x41, 0x88, 0x33, 0xDD, 0x31, 0x62, 0x90, 0x2D, 0x17, 0xF2, 0xC6, 0xA9, 0x2B, 0x9C, 0x70, 0xAB, 0xDC, 0xD3, 0xAB, 0x5D, 0xDA, 0xEE, 0x3D, 0x6C, 0x0E, 0x81, 0xFF, 0xF6, 0x67, 0x5A, 0x44, 0xF9, 0xAC, 0x07, 0x3D, 0x23, 0x94, 0x75, 0x65, 0x93, 0x20, 0x0C, 0xC5, 0x76, 0x1D, 0x0F, 0x65, 0x06, 0x3D, 0x21, 0xA2, 0xF0, 0x96, 0x80, 0xB7, 0x0A, 0x49, 0x53, 0x38, 0xA3, 0x5D, 0xC0, 0x74, 0x3C, 0xA4, 0xD9, 0x40, 0x36, 0x85, 0x1F, 0x8C, 0xD1, 0x2D, 0x15, 0xF9, 0xEF, 0x24, 0xA9, 0x7E, 0x9D, 0xB2, 0x1E, 0xF8, 0xA0, 0x72, 0x81, 0x17, 0x77, 0x73, 0xB1, 0x56, 0x7F, 0xAD, 0x05, 0xA2, 0xD2, 0x30, 0x5A, 0xF5, 0xD3, 0xAF, 0x0F, 0x10, 0x4A, 0x52, 0xD8, 0x09, 0x47, 0x97 },
+		.priv_exponent = { 0x8C, 0xBD, 0xB2, 0x3B, 0xCE, 0x9E, 0x51, 0x09, 0xD8, 0x6D, 0x72, 0x2B, 0xCE, 0x01, 0x55, 0x32, 0x6E, 0xC5, 0x57, 0x37, 0xB4, 0x2E, 0x09, 0x59, 0xD9, 0xFE, 0x60, 0xF9, 0xCE, 0x36, 0x85, 0x6A, 0x04, 0x76, 0x76, 0xF9, 0x04, 0xEA, 0x2D, 0x68, 0xC4, 0x0F, 0x05, 0xFA, 0xAD, 0x69, 0x4C, 0x80, 0x12, 0x6C, 0xD0, 0x3D, 0xAA, 0x22, 0xFF, 0x89, 0x78, 0x57, 0xE8, 0x53, 0x25, 0x15, 0xD0, 0x7E, 0xD8, 0x55, 0x46, 0xA2, 0x04, 0xC7, 0x6E, 0xC1, 0xF3, 0x89, 0x7C, 0x2C, 0x0E, 0x93, 0x97, 0x91, 0x72, 0xF4, 0xF6, 0x90, 0x69, 0x0F, 0xB8, 0xC9, 0x17, 0xCF, 0x83, 0xAC, 0xA5, 0x1F, 0x69, 0x74, 0x12, 0x29, 0x2B, 0x21, 0x58, 0xF2, 0xDA, 0xE3, 0x25, 0x16, 0x09, 0x74, 0x40, 0x90, 0xAB, 0x1B, 0xE4, 0x06, 0x28, 0x77, 0xED, 0xC6, 0x16, 0x86, 0x0A, 0x27, 0xDD, 0x03, 0x01, 0x4D, 0x9A, 0x26, 0x6E, 0xC8, 0x9F, 0xD3, 0x9A, 0x4B, 0x59, 0xD1, 0x10, 0x9B, 0xEB, 0xA9, 0x58, 0x72, 0xBD, 0xA1, 0xFE, 0x9D, 0x86, 0xED, 0x29, 0xE9, 0x29, 0x49, 0x62, 0x4B, 0xD8, 0x7D, 0x2A, 0x7A, 0x66, 0x1B, 0xE5, 0x04, 0x81, 0x56, 0x10, 0x50, 0xAF, 0xB8, 0x48, 0x27, 0xC1, 0xC9, 0x46, 0xBD, 0x3F, 0x16, 0x06, 0xA5, 0x3D, 0x04, 0x9F, 0x0D, 0x54, 0x71, 0x1C, 0xF4, 0x82, 0xC0, 0x66, 0x74, 0xEA, 0x9C, 0x83, 0x3C, 0x27, 0x01, 0xDF, 0x6F, 0x56, 0xA8, 0x1B, 0xE3, 0x68, 0x55, 0x9F, 0xAB, 0x90, 0x67, 0x20, 0x25, 0xFA, 0x3D, 0x51, 0x2A, 0x23, 0x16, 0xCB, 0x06, 0x5A, 0xAD, 0xAC, 0xC8, 0x47, 0xF9, 0x39, 0x2E, 0x6A, 0xF8, 0xFA, 0x0A, 0xE8, 0x8A, 0x64, 0x84, 0x6B, 0xED, 0xDA, 0x8F, 0x2A, 0x08, 0x86, 0x8F, 0x56, 0x69, 0x64, 0xC3, 0x98, 0x55, 0x37, 0x9A, 0x48, 0x40, 0xDA, 0xD5, 0x03, 0x21 },
+		.access_desc_signature = { 0xDF, 0x1C, 0x8B, 0x98, 0xE4, 0x6F, 0xA2, 0x35, 0x6C, 0xC3, 0x18, 0x17, 0x98, 0xF3, 0xCE, 0x54, 0x7E, 0x14, 0x2E, 0x7F, 0x1E, 0xD8, 0x6D, 0xCF, 0xBC, 0x29, 0x4E, 0xFE, 0x32, 0x2E, 0xC1, 0x11, 0xAD, 0x46, 0x9A, 0xC6, 0x70, 0xEA, 0xEE, 0x28, 0x55, 0x22, 0xE1, 0x36, 0x05, 0x1C, 0x04, 0x8A, 0xCE, 0x0F, 0x0C, 0x83, 0x8F, 0xC8, 0xD6, 0xDE, 0x11, 0x8E, 0xEA, 0xCF, 0xAD, 0x9B, 0xCF, 0x81, 0x0D, 0xEB, 0x71, 0x13, 0xB3, 0xD3, 0xAE, 0x83, 0x02, 0x4C, 0x0E, 0x10, 0x50, 0x59, 0x3C, 0xEE, 0x60, 0x06, 0xFB, 0x8C, 0x7F, 0xC2, 0x20, 0x24, 0x01, 0x62, 0x55, 0x87, 0x60, 0x0F, 0xAD, 0xFA, 0x73, 0x2E, 0xF6, 0x65, 0x62, 0xD2, 0xE5, 0x10, 0x45, 0x69, 0x70, 0x39, 0x03, 0xD1, 0x39, 0xEC, 0x50, 0xC1, 0xD4, 0x25, 0x39, 0xB2, 0x90, 0x11, 0x4E, 0x95, 0xCB, 0x19, 0xEB, 0xCA, 0x0F, 0xB5, 0xFA, 0xC7, 0xB0, 0xE2, 0xD7, 0xE0, 0x71, 0xC3, 0xE5, 0x55, 0x33, 0x9E, 0x5C, 0xDC, 0x4D, 0x3B, 0x51, 0x11, 0x0D, 0x31, 0x78, 0x96, 0xCA, 0xD7, 0x18, 0x58, 0xEE, 0x00, 0xE9, 0x28, 0xF2, 0x68, 0x76, 0xD4, 0x57, 0xFE, 0x65, 0xB1, 0x4B, 0x49, 0x3F, 0xF6, 0xA6, 0x58, 0x4A, 0xC7, 0xFC, 0xC4, 0xBB, 0x61, 0xBC, 0x58, 0x8D, 0x55, 0x65, 0xE6, 0x0A, 0x79, 0x39, 0x41, 0xB8, 0x80, 0x61, 0xF7, 0x05, 0xC3, 0xFE, 0xD6, 0x8B, 0x09, 0x82, 0xC2, 0x5F, 0xA6, 0x56, 0xF9, 0xEE, 0x1D, 0x0E, 0x06, 0x3E, 0x9F, 0x3F, 0xF1, 0x93, 0x9A, 0x4F, 0xA2, 0xD5, 0x91, 0x87, 0x8A, 0xFE, 0xCF, 0xC3, 0xFC, 0x8A, 0xB1, 0xC4, 0x78, 0xE9, 0xD1, 0x1A, 0xF7, 0xB1, 0xD3, 0x20, 0xCB, 0x83, 0xBE, 0x03, 0xD5, 0xCA, 0xA5, 0x5E, 0x17, 0xA6, 0x91, 0x10, 0xD4, 0xBE, 0x23, 0xD6, 0x4B, 0x4F, 0x03, 0xA9, 0xAE }
+	},
+	{
+		.type = desc_DlpChild,
+		.fw_minor = 33,
+		.modulus = { 0xB3, 0x16, 0x68, 0xF1, 0xED, 0x59, 0xC8, 0x7F, 0xC6, 0x50, 0x21, 0xFE, 0x36, 0x7C, 0x55, 0xE7, 0x07, 0xF9, 0x1D, 0x1B, 0xF5, 0xB1, 0x2A, 0x6B, 0x3A, 0xDE, 0x2D, 0x4C, 0x51, 0xCD, 0x4C, 0x9F, 0xEE, 0x1D, 0xE4, 0xE8, 0xF0, 0xFD, 0x09, 0x8E, 0x0F, 0x92, 0x5F, 0xDB, 0x9C, 0x5C, 0x15, 0x55, 0x1A, 0x4D, 0x04, 0x8C, 0xB0, 0xA4, 0x88, 0x97, 0xC4, 0xD5, 0x92, 0x04, 0x42, 0x33, 0x84, 0x81, 0x06, 0xD6, 0xF2, 0x17, 0xDE, 0x83, 0x17, 0x50, 0xD0, 0x47, 0x61, 0x14, 0x0D, 0xB7, 0xC7, 0xA0, 0xC1, 0x8B, 0x82, 0x47, 0x13, 0xEE, 0x76, 0xA2, 0xA3, 0x8D, 0xCE, 0x55, 0xC1, 0xF3, 0x7A, 0xEA, 0x91, 0xE1, 0xB9, 0x2F, 0x8F, 0x9B, 0xC3, 0x7B, 0x51, 0x2F, 0xE7, 0xAD, 0x93, 0x9C, 0xFD, 0xDF, 0x19, 0xC8, 0x6C, 0x24, 0xC2, 0xE2, 0x91, 0x97, 0x1F, 0xEB, 0x4B, 0xD4, 0x46, 0x6C, 0x06, 0x93, 0xAF, 0xF5, 0x5E, 0x8F, 0x77, 0x25, 0xC4, 0x28, 0xC0, 0x82, 0x4A, 0x78, 0xE9, 0x14, 0x08, 0xC3, 0xC3, 0x58, 0x24, 0x44, 0x2D, 0x2B, 0xA7, 0xEE, 0x28, 0xEF, 0x1B, 0x6D, 0xAA, 0x9C, 0xED, 0x7F, 0x35, 0xCE, 0x86, 0x5C, 0x6B, 0x8A, 0x23, 0xD3, 0x9D, 0x05, 0x8F, 0xD2, 0x41, 0x93, 0x1D, 0x1D, 0x7E, 0xB0, 0x46, 0x23, 0x63, 0x07, 0xEA, 0x5F, 0x26, 0xE3, 0x81, 0x27, 0xB3, 0x95, 0xB1, 0x93, 0x59, 0xD4, 0x1A, 0xB8, 0x73, 0xD0, 0x09, 0x95, 0x2B, 0xE8, 0x8B, 0xE2, 0x73, 0x5F, 0x34, 0xB9, 0x98, 0x82, 0xF0, 0x11, 0xC6, 0x8F, 0x12, 0x4D, 0x09, 0x57, 0x10, 0x97, 0x22, 0x0E, 0xC8, 0x7D, 0x40, 0xC1, 0x9D, 0x12, 0x1F, 0x71, 0xFE, 0x1E, 0x1A, 0x8C, 0x3F, 0x56, 0xAC, 0x43, 0xC3, 0x66, 0x0C, 0x81, 0xAE, 0xC1, 0x8F, 0x68, 0xFF, 0x87, 0x07, 0x3C, 0xCD, 0x0A, 0x23, 0xDE, 0xBA, 0x9B },
+		.priv_exponent = { 0x77, 0xC2, 0x7A, 0xB7, 0x9E, 0x13, 0xB6, 0x62, 0xCC, 0x09, 0x76, 0x51, 0xFB, 0xB9, 0xB5, 0xF0, 0x63, 0x82, 0x91, 0x96, 0xCA, 0xFC, 0x88, 0xF3, 0x60, 0x50, 0x87, 0x56, 0x4C, 0x35, 0xD0, 0x11, 0xFB, 0x38, 0x7E, 0x85, 0xCF, 0xF2, 0x46, 0xDB, 0x7B, 0x4A, 0x55, 0x54, 0x15, 0x01, 0xF7, 0x3A, 0x0B, 0xF6, 0x89, 0x1E, 0x54, 0x5A, 0x13, 0x05, 0xFB, 0x19, 0x1F, 0x26, 0x3D, 0xE7, 0x19, 0xAA, 0xF7, 0x19, 0xF2, 0x97, 0x47, 0xB3, 0xBE, 0x79, 0xCA, 0x6E, 0x91, 0x5A, 0xC9, 0xB9, 0xA6, 0x83, 0xB8, 0x2A, 0x45, 0x1A, 0xA7, 0x17, 0x86, 0xBA, 0x48, 0x49, 0x62, 0x3C, 0x33, 0x11, 0x51, 0x97, 0x5F, 0xAA, 0xE5, 0x1E, 0x0B, 0x19, 0x0C, 0xE6, 0x80, 0x6A, 0x5A, 0xB1, 0xD6, 0xCE, 0xDB, 0x6E, 0xC0, 0x5D, 0x29, 0x04, 0x84, 0x56, 0xE3, 0x29, 0x7E, 0xAC, 0xE8, 0xEE, 0xB1, 0x91, 0x37, 0xEB, 0x98, 0x9C, 0xBD, 0x02, 0x6A, 0x78, 0x61, 0xB0, 0x79, 0x1A, 0x9F, 0x30, 0x86, 0xF6, 0x71, 0x5A, 0x5A, 0x12, 0xA1, 0x9E, 0xA1, 0x68, 0x03, 0xE5, 0x95, 0xA8, 0x38, 0x58, 0x87, 0x08, 0x57, 0x35, 0x32, 0x47, 0x3B, 0xFC, 0x02, 0x6F, 0xCE, 0x55, 0x61, 0xA3, 0x2A, 0x6B, 0x2F, 0xF8, 0xEE, 0x8D, 0xFA, 0x43, 0x33, 0x02, 0x63, 0x47, 0x02, 0x78, 0x5A, 0x7F, 0x64, 0x07, 0x92, 0xB7, 0x7C, 0x09, 0x7C, 0xFE, 0x2D, 0x1C, 0xFC, 0x77, 0x9F, 0x19, 0x20, 0xDD, 0x6D, 0x4C, 0xFE, 0x49, 0x09, 0x47, 0xCA, 0x9B, 0x1C, 0x8C, 0x1F, 0x37, 0xAC, 0x14, 0x85, 0x56, 0xC0, 0xFD, 0xD6, 0x01, 0xB3, 0x40, 0xA3, 0x1A, 0x32, 0x78, 0xA0, 0xDD, 0x21, 0x75, 0xBF, 0x24, 0xD2, 0x93, 0x85, 0xED, 0x22, 0xAD, 0x99, 0x91, 0x87, 0x4A, 0xEC, 0xC0, 0x6C, 0x71, 0x00, 0x76, 0x08, 0x23, 0xA2, 0xF3, 0xCF, 0x61 },
+		.access_desc_signature = { 0xAC, 0xE2, 0xA7, 0xC3, 0x00, 0xDE, 0xE8, 0xE9, 0xE0, 0x03, 0xB3, 0x54, 0x08, 0xA8, 0xF8, 0x3A, 0x2E, 0xD8, 0x10, 0x6B, 0xEC, 0xDC, 0x4E, 0xEE, 0x62, 0x10, 0x71, 0x49, 0xD4, 0x43, 0xB1, 0x0E, 0x6B, 0x8C, 0xD7, 0x54, 0xD5, 0x62, 0x28, 0x3F, 0xAA, 0xDE, 0xA9, 0x7D, 0xED, 0x37, 0x7C, 0xE7, 0x89, 0x0B, 0x02, 0xB2, 0x72, 0x4B, 0x17, 0xDB, 0xE2, 0xD3, 0x7C, 0x94, 0x12, 0x3F, 0x2E, 0xA1, 0x08, 0x99, 0xCC, 0x7F, 0x93, 0xE6, 0x38, 0xC9, 0x37, 0x84, 0xD7, 0x11, 0x9D, 0x02, 0x4D, 0x66, 0xB4, 0x70, 0x9F, 0xD8, 0xC6, 0xDD, 0xD5, 0x13, 0x52, 0xF0, 0xA6, 0x78, 0x8C, 0x8E, 0x15, 0xA0, 0xA1, 0xF3, 0xC4, 0xC3, 0x48, 0x45, 0xA5, 0xBE, 0xC9, 0x7A, 0x8B, 0xD3, 0x95, 0xA5, 0x4C, 0xF1, 0xB3, 0x0C, 0x6C, 0x76, 0xA7, 0x57, 0xA1, 0x77, 0xDF, 0x2F, 0xC8, 0x06, 0xA6, 0x0D, 0x1A, 0x09, 0xE4, 0x38, 0x64, 0x07, 0xBE, 0x6A, 0xD2, 0xA0, 0xC0, 0xEC, 0x09, 0x64, 0x9F, 0x0D, 0x93, 0x0C, 0x89, 0xA2, 0x71, 0xD6, 0xC6, 0xC2, 0x54, 0x79, 0x2A, 0xA4, 0x31, 0x28, 0x24, 0x1A, 0xF3, 0x56, 0x78, 0x63, 0x99, 0x97, 0xA5, 0xCE, 0x8F, 0x52, 0x7A, 0x79, 0x51, 0xEE, 0x4C, 0x8B, 0x00, 0x9D, 0x5C, 0x3E, 0xD5, 0xAA, 0x24, 0x9C, 0x94, 0xC6, 0xA3, 0x99, 0x1B, 0x2D, 0xD4, 0xFF, 0xB4, 0x25, 0x73, 0x13, 0x33, 0x9F, 0x03, 0x6F, 0x1E, 0x75, 0xC4, 0x70, 0xF4, 0x07, 0x4F, 0x18, 0xFE, 0xBD, 0x8F, 0x2C, 0x9B, 0x33, 0xD4, 0x30, 0xA7, 0x18, 0x4A, 0xF1, 0xA4, 0xDD, 0x78, 0x41, 0xA0, 0xB8, 0x02, 0x8D, 0x51, 0x96, 0xBE, 0xE7, 0x17, 0x94, 0x66, 0x65, 0x27, 0xF7, 0x69, 0x48, 0x7E, 0xA9, 0x08, 0x71, 0x20, 0x76, 0xB7, 0x8E, 0xD2, 0xBF, 0x5C, 0x7E, 0x5E, 0x06, 0x45, 0xAB, 0x7E, 0x2E }
+	},
+	{
+		.type = desc_Demo,
+		.fw_minor = 33,
+		.modulus = { 0xB5, 0x11, 0x8D, 0x9E, 0x2D, 0xDB, 0x70, 0x6D, 0x6E, 0xEE, 0xAA, 0x21, 0xE0, 0x4E, 0x80, 0x0A, 0x96, 0x4A, 0x10, 0xD0, 0x9C, 0xD7, 0xD9, 0xD4, 0x94, 0x87, 0x72, 0xA2, 0xAF, 0x02, 0xA0, 0x05, 0x2E, 0xBF, 0x17, 0xEB, 0xFE, 0x5B, 0x9F, 0xB7, 0x0B, 0x1E, 0x3E, 0xF9, 0xAC, 0xBC, 0x7B, 0xB1, 0x56, 0x10, 0x24, 0x5F, 0x57, 0x2C, 0x08, 0xD0, 0x14, 0x79, 0x83, 0x84, 0x6A, 0x45, 0x25, 0xEB, 0xD9, 0xBE, 0x02, 0x21, 0xF7, 0x35, 0xC2, 0x74, 0x57, 0xC5, 0xAC, 0x34, 0x05, 0xC6, 0x9E, 0x82, 0xB8, 0xED, 0x78, 0xC4, 0x3B, 0xFD, 0x23, 0x59, 0x54, 0xD2, 0x0A, 0x0B, 0x5B, 0x25, 0xC0, 0x71, 0xC3, 0x84, 0x3A, 0xA7, 0xF9, 0x99, 0x86, 0xD8, 0xFE, 0x60, 0x10, 0x85, 0x77, 0x57, 0x76, 0x0C, 0x25, 0xE1, 0x18, 0x18, 0x3B, 0x83, 0xFD, 0x36, 0x7C, 0x84, 0x58, 0xC2, 0xC4, 0x68, 0x4F, 0xD1, 0xD7, 0x0A, 0x88, 0xFD, 0xCA, 0x97, 0xA1, 0xE5, 0xCE, 0x72, 0x63, 0xCF, 0x74, 0xD0, 0x20, 0xD9, 0xDE, 0x3F, 0xBB, 0x11, 0xF9, 0x21, 0xAB, 0x3F, 0x54, 0x41, 0xA7, 0xAA, 0xCA, 0xFC, 0xE1, 0x1A, 0x8C, 0x12, 0xC9, 0x39, 0x13, 0x5A, 0x81, 0x29, 0x49, 0xE8, 0xFB, 0x48, 0xC9, 0x4D, 0x50, 0x87, 0xAE, 0x51, 0xFB, 0x94, 0xFC, 0xF0, 0x9C, 0x70, 0x1C, 0xE8, 0x6E, 0x44, 0x53, 0x1E, 0x2F, 0x27, 0x5C, 0xB8, 0xEC, 0xBE, 0xFC, 0xD9, 0x98, 0x6A, 0x08, 0xD0, 0x5C, 0x4D, 0x78, 0x2D, 0x4D, 0x07, 0xAD, 0x5E, 0xB8, 0x51, 0x40, 0xE2, 0x2A, 0x7F, 0xB1, 0x54, 0x47, 0x5C, 0x99, 0x12, 0xC2, 0x6D, 0x5E, 0xED, 0x25, 0x30, 0x6A, 0x99, 0xC5, 0x0D, 0x65, 0x83, 0x68, 0x3A, 0xFD, 0x82, 0x59, 0x0D, 0xCE, 0x0B, 0x49, 0xBE, 0x17, 0x46, 0x51, 0xA9, 0xB6, 0x54, 0xE1, 0x18, 0xBD, 0x49, 0xE6, 0x7F },
+		.priv_exponent = { 0x1D, 0x7B, 0x79, 0x32, 0xAB, 0x46, 0xD2, 0xBC, 0x8E, 0xD6, 0x7F, 0x8F, 0x3A, 0x85, 0xAD, 0xA5, 0x8B, 0xA9, 0x0D, 0xA9, 0xDA, 0x0F, 0xEF, 0x61, 0x04, 0xBA, 0x35, 0x39, 0x36, 0x03, 0xD8, 0x68, 0x5F, 0x9F, 0x2F, 0xD6, 0xF6, 0x38, 0x96, 0xFD, 0xE7, 0xEA, 0x89, 0xD8, 0x7F, 0x7E, 0xC5, 0x29, 0x2F, 0xD9, 0x3B, 0x02, 0xE7, 0x1F, 0xBD, 0x63, 0x9C, 0x21, 0xD8, 0xFF, 0x43, 0x8A, 0x74, 0xCD, 0x3D, 0x4C, 0x09, 0xEE, 0xDB, 0xE0, 0xBE, 0x03, 0xD1, 0x92, 0xD7, 0x22, 0x35, 0x5A, 0x8C, 0xCE, 0xBE, 0x2B, 0xB4, 0x81, 0x47, 0x3F, 0x45, 0x75, 0x33, 0x31, 0x6B, 0xFF, 0x43, 0x5D, 0x17, 0x43, 0xAE, 0xD1, 0x25, 0xF7, 0xD9, 0xD5, 0x5C, 0xB6, 0x92, 0x5C, 0xB3, 0xF3, 0xF7, 0x65, 0x9F, 0x4C, 0x05, 0x12, 0xEC, 0xA8, 0x6D, 0x70, 0x65, 0x57, 0x6C, 0xD8, 0xE3, 0xD6, 0xFA, 0xC1, 0xFD, 0x54, 0xE8, 0x34, 0x67, 0x4D, 0x0A, 0x14, 0x2F, 0xA3, 0xD4, 0x81, 0x8C, 0xC3, 0xD0, 0x8B, 0x09, 0x08, 0x90, 0x70, 0x68, 0xA0, 0x0E, 0xD1, 0x0B, 0xAA, 0x71, 0xEC, 0x9A, 0x1A, 0x83, 0xFF, 0xA1, 0x70, 0xEB, 0xAC, 0xF2, 0xE9, 0x80, 0xA1, 0xB8, 0x20, 0x31, 0x83, 0xF5, 0x37, 0x01, 0x72, 0x06, 0x50, 0x05, 0x3F, 0x14, 0xF9, 0x29, 0x48, 0x84, 0xA0, 0x0E, 0xF7, 0xB8, 0x1D, 0xA3, 0x36, 0x5A, 0x78, 0x6D, 0x83, 0x90, 0x27, 0xE3, 0x50, 0x49, 0x2F, 0x65, 0xE5, 0x61, 0xED, 0x65, 0xBE, 0xEA, 0x34, 0xA6, 0x6A, 0xEF, 0x49, 0xB4, 0xE0, 0xBC, 0xC2, 0xA5, 0xB8, 0xEB, 0xA9, 0x2F, 0xBA, 0x26, 0x76, 0xB2, 0x5A, 0x3A, 0x3B, 0xFD, 0xAD, 0xFB, 0xE4, 0x79, 0xE2, 0x85, 0x54, 0x5B, 0xAB, 0x1F, 0x0A, 0xE5, 0x8B, 0x77, 0x3A, 0x10, 0x98, 0x26, 0x74, 0xC8, 0xB0, 0x82, 0xB1, 0xF9, 0x8F, 0x68, 0x59 },
+		.access_desc_signature = { 0xD3, 0x7D, 0x42, 0xBA, 0x6A, 0x1E, 0xD8, 0x07, 0x3C, 0x4A, 0xC4, 0xCD, 0x8C, 0x68, 0x3D, 0xCD, 0xCD, 0xBD, 0x9D, 0xCE, 0xB5, 0x2A, 0xF9, 0x63, 0x3D, 0xA9, 0x54, 0x0A, 0x2E, 0x4C, 0xE1, 0x60, 0x4B, 0xD0, 0xC9, 0xEB, 0xEF, 0x31, 0x65, 0x70, 0xB9, 0x0E, 0x06, 0x3B, 0x3D, 0x42, 0x4C, 0x6E, 0x8D, 0x2C, 0xD4, 0x71, 0x29, 0x76, 0xB7, 0xDD, 0x8C, 0xDA, 0xE7, 0xE3, 0x96, 0xA7, 0xAA, 0xF8, 0xCA, 0x05, 0xE8, 0xA7, 0x0A, 0xDD, 0x01, 0x49, 0xBD, 0xF1, 0xA5, 0xE8, 0x16, 0x22, 0xEE, 0x47, 0x1F, 0xEF, 0x28, 0x48, 0x87, 0xA9, 0x2D, 0xFC, 0x4E, 0xD5, 0xA5, 0x98, 0xB1, 0xFE, 0x1B, 0xEB, 0xA9, 0x06, 0x3C, 0x76, 0xD9, 0xAA, 0x0E, 0x9C, 0x60, 0xFC, 0xE9, 0x77, 0x9D, 0x7F, 0x67, 0xAC, 0xF5, 0xC7, 0x49, 0x12, 0xFD, 0x76, 0xAC, 0xD2, 0x54, 0xDB, 0x73, 0x41, 0x10, 0x1F, 0x04, 0x3F, 0xD0, 0x6F, 0xE0, 0x80, 0x24, 0xCC, 0xEE, 0xBF, 0x25, 0x9D, 0x0D, 0x5A, 0x2A, 0x1C, 0xC5, 0xD4, 0xE3, 0x5D, 0x3A, 0xC1, 0x86, 0xD3, 0xD4, 0x52, 0x1C, 0x4C, 0xBF, 0x31, 0xEB, 0x54, 0xCA, 0x4C, 0x06, 0x50, 0x52, 0x87, 0xD4, 0x9D, 0x4A, 0x4B, 0x22, 0xE1, 0x4A, 0xE9, 0x4D, 0x05, 0xA8, 0x57, 0xEC, 0xF8, 0x90, 0xF8, 0x58, 0xC3, 0x8B, 0x3A, 0x0F, 0x88, 0x36, 0xF4, 0xE5, 0x44, 0x10, 0x80, 0x68, 0x86, 0x1D, 0xAE, 0x90, 0x20, 0x03, 0x22, 0x2D, 0x44, 0xBF, 0xAB, 0x2B, 0xA1, 0x14, 0xAD, 0x6B, 0x40, 0x57, 0xDB, 0xBB, 0xDA, 0x09, 0x4C, 0x51, 0x26, 0x9B, 0xE3, 0xD9, 0xF9, 0xE1, 0xBC, 0xF1, 0xF1, 0xCD, 0x30, 0xB4, 0xF5, 0x39, 0xD0, 0xBC, 0xF7, 0x98, 0x05, 0xAF, 0xA8, 0x33, 0x4B, 0xC1, 0x16, 0x0F, 0xF2, 0xC2, 0x79, 0x96, 0xEC, 0xBE, 0xA9, 0xF5, 0x55, 0x7C, 0x82, 0x95, 0x73 }
+	},
 };
\ No newline at end of file
diff --git a/makerom/desc/presets.h b/makerom/desc/presets.h
index fd15473f..83c71ab3 100644
--- a/makerom/desc/presets.h
+++ b/makerom/desc/presets.h
@@ -1,196 +1,132 @@
 #pragma once
-
-/* CTR_SDK 1 (1.2.0) (2.27 - 2.28) */
-// DependencyList
-static const unsigned char fw1B_dep_list[0x180] =
-{
-	0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-// APP
-static const unsigned char app_fw1B_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char app_fw1B_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// DLP
-static const unsigned char dlp_fw1B_desc_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char dlp_fw1B_acex_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-/* CTR_SDK 2 (2.3.4) */
-static const unsigned char fw1D_dep_list[0x180] =
-{
-	0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-// APP (2.29)
-static const unsigned char app_fw1D_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char app_fw1D_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// APP (2.30)
-static const unsigned char app_fw1E_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char app_fw1E_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// DLP (2.29)
-static const unsigned char dlp_fw1D_desc_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char dlp_fw1D_acex_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// DEMO (2.30)
-static const unsigned char demo_fw1E_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char demo_fw1E_acex_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-/* CTR_SDK 3 (3.2.5) (2.32) */
-static const unsigned char fw20_dep_list[0x180] =
-{
-	0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-// APP
-static const unsigned char app_fw20_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char app_fw20_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// EC App
-static const unsigned char ecapp_fw20_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char ecapp_fw20_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-/* CTR_SDK 4 (4.2.8) (2.33) */
-// DependencyList
-static const unsigned char fw21_dep_list[0x180] =
-{
-	0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-// APP
-static const unsigned char app_fw21_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-static const unsigned char app_fw21_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// DEMO
-static const unsigned char demo_fw21_desc_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char demo_fw21_acex_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// DLP
-static const unsigned char dlp_fw21_desc_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char dlp_fw21_acex_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-/* CTR_SDK 5 (5.2.3) (2.35) */
-static const unsigned char fw23_dep_list[0x180] =
-{
-	0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-// APP
-static const unsigned char app_fw23_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char app_fw23_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-// EC App
-static const unsigned char ecapp_fw23_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char ecapp_fw23_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-/* SDK 7 (7.1.0) (2.39) */
-static const unsigned char fw27_dep_list[0x180] =
-{
-	0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x38, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-// APP
-static const unsigned char app_fw27_desc_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x41, 0x00, 0x00, 0x00, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x74, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x27, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char app_fw27_acex_data[0x200] =
-{
-	0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x41, 0x00, 0x00, 0x00, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x74, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x27, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-
-/* FIRM (sdk irrelevant) */
-static const unsigned char firm_fwXX_dep_list[0x180] =
-{
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-// FIRM
-static const unsigned char firm_fw26_desc_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x38, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xF1, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
-};
-static const unsigned char firm_fw26_acex_data[0x200] =
-{
-	0xFF, 0xFF, 0xFF, 0xFF, 0x38, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x00, 0x00, 0x02, 0xF1, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02
+#include "desc/desc.h"
+
+static const CtrSdkDesc kDescPresets[] =
+{
+	/* CTR_SDK 1 (1.2.0) (2.27 - 2.28) */
+	{
+		.type = desc_Application,
+		.fw_minor = 27,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_DlpChild,
+		.fw_minor = 27,
+		.exheader_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	/* CTR_SDK 2 (2.3.4) */
+	{
+		.type = desc_Application,
+		.fw_minor = 29,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_DlpChild,
+		.fw_minor = 29,
+		.exheader_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1D, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_Application,
+		.fw_minor = 30,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_Demo,
+		.fw_minor = 30,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFB, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x1E, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	/* CTR_SDK 3 (3.2.5) (2.32) */
+	{
+		.type = desc_Application,
+		.fw_minor = 32,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_EcApplication,
+		.fw_minor = 32,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x20, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	/* CTR_SDK 4 (4.2.8) (2.33) */
+	{
+		.type = desc_Application,
+		.fw_minor = 33,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_DlpChild,
+		.fw_minor = 33,
+		.exheader_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_Demo,
+		.fw_minor = 33,
+		.exheader_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x21, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	/* CTR_SDK 5 (5.2.3) (2.35) */
+	{
+		.type = desc_Application,
+		.fw_minor = 35,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x00, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	{
+		.type = desc_EcApplication,
+		.fw_minor = 35,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x23, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+	/* SDK 7 (7.1.0) (2.39) */
+	{
+		.type = desc_Application,
+		.fw_minor = 39,
+		.exheader_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x30, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x41, 0x00, 0x00, 0x00, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x74, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x27, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
+		.signed_desc = { 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x18, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x68, 0x69, 0x6F, 0x46, 0x49, 0x4F, 0x00, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x30, 0x24, 0x68, 0x6F, 0x73, 0x74, 0x69, 0x6F, 0x31, 0x63, 0x66, 0x67, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x66, 0x73, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x67, 0x73, 0x70, 0x3A, 0x3A, 0x47, 0x70, 0x75, 0x68, 0x69, 0x64, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x6E, 0x64, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x70, 0x78, 0x69, 0x3A, 0x64, 0x65, 0x76, 0x00, 0x41, 0x50, 0x54, 0x3A, 0x41, 0x00, 0x00, 0x00, 0x61, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x61, 0x63, 0x74, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x61, 0x6D, 0x3A, 0x61, 0x70, 0x70, 0x00, 0x00, 0x62, 0x6F, 0x73, 0x73, 0x3A, 0x55, 0x00, 0x00, 0x63, 0x61, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x63, 0x65, 0x63, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x64, 0x6C, 0x70, 0x3A, 0x46, 0x4B, 0x43, 0x4C, 0x64, 0x6C, 0x70, 0x3A, 0x53, 0x52, 0x56, 0x52, 0x64, 0x73, 0x70, 0x3A, 0x3A, 0x44, 0x53, 0x50, 0x66, 0x72, 0x64, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x43, 0x00, 0x00, 0x69, 0x72, 0x3A, 0x55, 0x53, 0x45, 0x52, 0x00, 0x6C, 0x64, 0x72, 0x3A, 0x72, 0x6F, 0x00, 0x00, 0x6D, 0x69, 0x63, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x6E, 0x65, 0x77, 0x73, 0x3A, 0x75, 0x00, 0x00, 0x6E, 0x69, 0x6D, 0x3A, 0x61, 0x6F, 0x63, 0x00, 0x6E, 0x77, 0x6D, 0x3A, 0x3A, 0x55, 0x44, 0x53, 0x70, 0x74, 0x6D, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x73, 0x6F, 0x63, 0x3A, 0x55, 0x00, 0x00, 0x00, 0x73, 0x73, 0x6C, 0x3A, 0x43, 0x00, 0x00, 0x00, 0x79, 0x32, 0x72, 0x3A, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4E, 0x9F, 0xFA, 0xF0, 0xFF, 0xBF, 0xFF, 0xF1, 0xE7, 0x3F, 0x00, 0xF2, 0x00, 0xF0, 0x91, 0xFF, 0x00, 0xF6, 0x91, 0xFF, 0x50, 0xFF, 0x81, 0xFF, 0x58, 0xFF, 0x81, 0xFF, 0x70, 0xFF, 0x81, 0xFF, 0x78, 0xFF, 0x81, 0xFF, 0x01, 0x01, 0x00, 0xFF, 0x00, 0x02, 0x00, 0xFE, 0x27, 0x02, 0x00, 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 }
+	},
+};
+
+static const CtrSdkDepList kExheaderDependencyLists[] =
+{
+	{
+		.fw_minor = 27,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	},
+	{
+		.fw_minor = 28,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	},
+	{
+		.fw_minor = 29,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	},
+	{
+		.fw_minor = 30,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	},
+	{
+		.fw_minor = 32,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	},
+	{
+		.fw_minor = 33,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	},
+	{
+		.fw_minor = 35,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	},
+	{
+		.fw_minor = 39,
+		.dependency = { 0x02, 0x24, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x38, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x15, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x34, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x16, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x26, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x17, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x18, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x27, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x28, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1A, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x32, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x29, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x33, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x1F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x20, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2B, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x35, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2C, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2D, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x21, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x31, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x22, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x37, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2E, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x23, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x02, 0x2F, 0x00, 0x00, 0x30, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+	}
 };
\ No newline at end of file
diff --git a/makerom/desc/prod_sigdata.h b/makerom/desc/prod_sigdata.h
deleted file mode 100644
index b68ca75d..00000000
--- a/makerom/desc/prod_sigdata.h
+++ /dev/null
@@ -1,134 +0,0 @@
-#pragma once
-
-/* CTR_SDK 2 (2.3.4) */
-// APP
-static const unsigned char app_fw1D_prod_hdrpub[0x100] =
-{
-	0x9F, 0xA8, 0xD0, 0xBE, 0x14, 0x3F, 0x28, 0xE5, 0xBE, 0x0E, 0xEB, 0x5D, 0x95, 0xEE, 0xD4, 0x76, 0x7E, 0x1C, 0x11, 0x49, 0x13, 0x55, 0x87, 0x22, 0xCF, 0xA4, 0x2B, 0xDE, 0x59, 0x1A, 0xDB, 0xEB, 0x39, 0x14, 0xE0, 0x27, 0xFD, 0x0B, 0x6E, 0x5B, 0xD9, 0x0E, 0xCD, 0xCC, 0xAF, 0x8E, 0xEF, 0x92, 0xFC, 0x9A, 0x3B, 0x2E, 0xB8, 0x9C, 0xDA, 0x20, 0x22, 0x84, 0x0B, 0x7D, 0xFA, 0xCE, 0x4B, 0xB0, 0xC6, 0xAC, 0xC7, 0xB7, 0x44, 0x59, 0xB6, 0x94, 0xD2, 0xA6, 0x87, 0xEA, 0x36, 0xCB, 0xCB, 0x8E, 0x58, 0xB7, 0xE5, 0xD0, 0xDD, 0x62, 0x0E, 0x83, 0x40, 0x03, 0x21, 0x5B, 0x48, 0x9C, 0x6E, 0x4A, 0x6C, 0x1E, 0x10, 0x9D, 0x6B, 0x85, 0xC3, 0x00, 0x59, 0x3C, 0xE0, 0x35, 0x93, 0x87, 0x94, 0x9A, 0x7C, 0x2C, 0x3C, 0x44, 0xE3, 0x3B, 0x15, 0x20, 0x57, 0xAC, 0x86, 0x8B, 0xE8, 0x97, 0xBB, 0x1C, 0x84, 0x8D, 0x95, 0x83, 0xE7, 0x54, 0x39, 0x8F, 0x0B, 0x13, 0xC7, 0xD6, 0x26, 0x6D, 0xA8, 0xBF, 0x96, 0x79, 0x39, 0xF9, 0x11, 0x63, 0xB1, 0x9F, 0x8C, 0x5F, 0x7A, 0xA9, 0x7B, 0xCD, 0xDB, 0xEE, 0x44, 0x8C, 0xF2, 0x83, 0x7C, 0xA8, 0xD9, 0x8D, 0x4B, 0xB0, 0xD7, 0x86, 0x53, 0x1D, 0xD7, 0x94, 0xD1, 0xFA, 0x61, 0x8B, 0x94, 0x20, 0x4D, 0xD8, 0x5C, 0xB5, 0x2C, 0x6E, 0x7E, 0xAC, 0x85, 0xC7, 0x33, 0xBB, 0x4D, 0x34, 0xAB, 0xDC, 0xED, 0x3F, 0xA0, 0xA8, 0xC7, 0xC2, 0x18, 0x48, 0x70, 0x54, 0x06, 0x7E, 0xA9, 0x2E, 0x30, 0x92, 0x04, 0xBA, 0xFD, 0x2A, 0xF9, 0xEC, 0xD1, 0xD9, 0x5D, 0x45, 0xB3, 0x7E, 0x9A, 0x86, 0xB4, 0x7F, 0xD6, 0x7A, 0x7F, 0x02, 0xEE, 0xB1, 0x65, 0x77, 0x68, 0xCB, 0x3D, 0xB2, 0x6C, 0x70, 0xB1, 0xB6, 0x57, 0x1F, 0x67, 0xB3, 0x73, 0x31, 0x0D, 0x89, 0x83, 0x39
-};
-
-static const unsigned char app_fw1D_prod_acexsig[0x100] =
-{
-	0x05, 0x67, 0xFA, 0xAC, 0x18, 0x3A, 0xCC, 0xC9, 0x1B, 0xCD, 0x49, 0x7F, 0x28, 0x87, 0xF5, 0x8A, 0xD9, 0x86, 0x06, 0xAB, 0x1D, 0x36, 0x41, 0xDB, 0xFD, 0xE5, 0x97, 0x93, 0x1C, 0x9C, 0xAB, 0xB2, 0x62, 0xEB, 0x8B, 0xD6, 0x85, 0xCF, 0x06, 0xC4, 0xC5, 0xB9, 0x7F, 0x3B, 0x6F, 0x07, 0x83, 0x93, 0xBD, 0x26, 0x71, 0x8C, 0xEC, 0xBC, 0x0B, 0x3C, 0xD8, 0x42, 0xF3, 0x19, 0xBE, 0x91, 0xB9, 0xAB, 0x23, 0x39, 0x0F, 0x46, 0x8A, 0xCB, 0xC2, 0x34, 0xD2, 0x39, 0x63, 0xE3, 0x49, 0x59, 0xE0, 0x47, 0x73, 0x4F, 0x8E, 0xC8, 0x87, 0xE7, 0x54, 0xDD, 0xF9, 0x3B, 0x19, 0xD5, 0xB5, 0x78, 0xED, 0x47, 0x4F, 0x53, 0x8F, 0x6D, 0xB6, 0xA8, 0x3A, 0x06, 0x3C, 0x2D, 0x6B, 0xFE, 0x7C, 0x3C, 0x6B, 0x20, 0x47, 0xC9, 0xF5, 0xB7, 0x36, 0x8A, 0x92, 0x27, 0x1A, 0x41, 0x4E, 0xE6, 0x75, 0x6E, 0x88, 0x57, 0xAA, 0x01, 0x43, 0x93, 0x78, 0x5E, 0xE0, 0x3D, 0x59, 0x26, 0xFD, 0x46, 0x09, 0x02, 0xCA, 0x58, 0x45, 0x5A, 0xCB, 0xCC, 0x85, 0xBD, 0x0B, 0xDF, 0xAB, 0xE3, 0xDB, 0x35, 0x36, 0xCC, 0xCF, 0x57, 0x8B, 0x4A, 0x21, 0x1C, 0x3A, 0x2D, 0x90, 0xED, 0xA6, 0xCB, 0x20, 0x21, 0x4A, 0xE4, 0x08, 0xF6, 0xF3, 0x73, 0x5B, 0xA5, 0x73, 0x2B, 0x1C, 0x46, 0x3C, 0x77, 0xB6, 0x43, 0x33, 0xFF, 0xEA, 0xF7, 0xA3, 0xDC, 0x3B, 0xD0, 0xC0, 0xC9, 0x10, 0xF4, 0x86, 0xB5, 0xB1, 0x83, 0x71, 0xF5, 0x6E, 0x67, 0xCC, 0xCA, 0xEE, 0xC0, 0x53, 0xD2, 0x78, 0xA4, 0x2C, 0x86, 0xDF, 0x2F, 0xEF, 0x4D, 0x0C, 0x8B, 0x6B, 0xAE, 0x32, 0xAC, 0x07, 0x2D, 0x4D, 0x6B, 0x4A, 0xEF, 0x13, 0xCE, 0xA7, 0x7C, 0xC9, 0x30, 0x69, 0x88, 0x96, 0x95, 0x8E, 0x11, 0x5C, 0x2A, 0x6D, 0x84, 0x3E, 0x36, 0xDA, 0x9B, 0x2A, 0x20
-};
-
-// APP
-static const unsigned char app_fw1E_prod_hdrpub[0x100] =
-{
-	0xC8, 0xC4, 0x8C, 0x65, 0xA1, 0x76, 0x9B, 0x68, 0x91, 0xF1, 0x2B, 0xDE, 0xDF, 0x0D, 0xE1, 0x44, 0x6B, 0xB2, 0xF9, 0xFA, 0x0C, 0xB8, 0x9A, 0xC7, 0x7E, 0x71, 0xA3, 0x27, 0x57, 0xF3, 0x27, 0x99, 0x15, 0xF2, 0x43, 0x6A, 0x1E, 0x75, 0x4C, 0xA2, 0x7A, 0x77, 0x71, 0x60, 0xFE, 0x14, 0xB6, 0xCB, 0xFC, 0x6E, 0x64, 0x2E, 0x86, 0x9B, 0xFD, 0x17, 0xB5, 0x89, 0xD1, 0xC2, 0x10, 0xFC, 0xCD, 0x81, 0x58, 0x8F, 0x58, 0x43, 0xEC, 0x52, 0x6D, 0xE8, 0x14, 0x32, 0x6E, 0xCD, 0x67, 0x35, 0xDC, 0xDC, 0x58, 0x97, 0xB0, 0xBF, 0xD3, 0xC0, 0x2C, 0xFE, 0x77, 0xEC, 0xE0, 0x33, 0x65, 0xA8, 0x56, 0x52, 0xFD, 0x5B, 0xAB, 0x09, 0xB9, 0xF4, 0x74, 0xB9, 0x98, 0xDA, 0x33, 0x2F, 0x79, 0xD6, 0x52, 0x5D, 0x5A, 0x72, 0xA2, 0xCE, 0x15, 0xC5, 0x4B, 0x0C, 0x92, 0xD6, 0xC9, 0x10, 0x75, 0xFF, 0x6C, 0x8D, 0x9B, 0xDC, 0x34, 0x7A, 0xAA, 0x66, 0x45, 0x60, 0xBC, 0xC6, 0xB6, 0x3B, 0x08, 0x4B, 0x62, 0x2C, 0x95, 0x29, 0xAD, 0xDC, 0xAF, 0xEB, 0x47, 0xB5, 0xF5, 0xD2, 0x1C, 0x6D, 0x23, 0xD4, 0xCA, 0xD8, 0xE5, 0x58, 0x5D, 0x0D, 0x56, 0x95, 0x36, 0x7C, 0x2D, 0xFF, 0x51, 0x8B, 0xA9, 0xC4, 0x2D, 0xA0, 0x60, 0x94, 0xE4, 0xBB, 0x05, 0xF9, 0xFA, 0x08, 0x8C, 0xC6, 0x64, 0x88, 0x07, 0x71, 0x4F, 0x91, 0xB7, 0x62, 0xF6, 0x12, 0xFC, 0xF4, 0xC8, 0x7F, 0x9A, 0x50, 0x7F, 0xFC, 0x73, 0x3B, 0xC4, 0xC6, 0x41, 0x3D, 0xA3, 0x5B, 0x03, 0x54, 0xF6, 0x6C, 0x8C, 0x66, 0xC8, 0xFE, 0xE8, 0x38, 0xA5, 0xC3, 0xDD, 0xC3, 0x9F, 0x25, 0x66, 0x77, 0x75, 0x77, 0x2E, 0xD9, 0xE5, 0x37, 0x15, 0xB6, 0x7D, 0x29, 0x5F, 0xC5, 0x94, 0x31, 0xE0, 0xB2, 0xBA, 0xF3, 0xF7, 0xB6, 0x41, 0x3F, 0xF1, 0x67, 0x03, 0xE3
-};
-
-static const unsigned char app_fw1E_prod_acexsig[0x100] =
-{
-	0x28, 0xBD, 0x6C, 0x5C, 0xE1, 0x57, 0xAB, 0x22, 0xEB, 0xBF, 0x76, 0xC3, 0x45, 0xDB, 0x13, 0x7E, 0x6F, 0x15, 0x7B, 0x13, 0x86, 0x1C, 0xFA, 0xEA, 0xAC, 0x58, 0x43, 0x48, 0xB1, 0xCD, 0x6D, 0xA8, 0xB9, 0x45, 0x9C, 0x03, 0xBE, 0xBA, 0xCA, 0xF9, 0x7D, 0xF5, 0x78, 0x35, 0x36, 0xB3, 0xFE, 0xD8, 0x07, 0x48, 0x46, 0x31, 0x8D, 0xB6, 0x61, 0x94, 0xF7, 0x27, 0xB5, 0x03, 0x5C, 0x01, 0x5A, 0xEC, 0x92, 0x88, 0x15, 0xEB, 0xC1, 0x19, 0xD1, 0x13, 0xF9, 0x69, 0x3F, 0x75, 0x24, 0x18, 0x36, 0xE0, 0x12, 0x1E, 0xE2, 0x34, 0xC0, 0x79, 0x85, 0x4D, 0xB0, 0xA1, 0x9B, 0x8C, 0x9D, 0x0F, 0xCC, 0x56, 0x45, 0xEB, 0x0E, 0x56, 0xA8, 0x1D, 0xA2, 0x81, 0x94, 0x45, 0x35, 0xE9, 0x4A, 0x5D, 0x29, 0x47, 0xBC, 0x40, 0x5B, 0xA8, 0x67, 0xE6, 0x7C, 0x51, 0x8D, 0xB7, 0x97, 0x4A, 0x88, 0xD2, 0x14, 0xFE, 0x20, 0xFF, 0x7A, 0x10, 0xB7, 0xAB, 0x92, 0x38, 0xF5, 0xAC, 0x12, 0xCB, 0x97, 0xAF, 0xFD, 0x78, 0x93, 0xC6, 0xCC, 0xFF, 0x4F, 0x8C, 0x7F, 0x2D, 0x87, 0xEC, 0x8B, 0x85, 0xAE, 0xB1, 0xBA, 0xF9, 0xE2, 0x88, 0xFA, 0x41, 0xCB, 0x27, 0xAA, 0x19, 0x41, 0xF4, 0x93, 0x90, 0x73, 0x1A, 0xFA, 0xC9, 0x15, 0x58, 0xC7, 0x51, 0x02, 0x83, 0xB4, 0xD2, 0xDD, 0x43, 0x3E, 0x2C, 0x11, 0xBB, 0x97, 0x02, 0xCA, 0x29, 0xD2, 0x28, 0x82, 0x4C, 0x5B, 0x7B, 0x94, 0xE4, 0x8C, 0x0B, 0x49, 0x8F, 0x0F, 0xFA, 0xDA, 0x43, 0xA6, 0x52, 0x81, 0xA2, 0x1F, 0x98, 0xB3, 0xB1, 0x8F, 0x3D, 0x64, 0x54, 0x2D, 0xA0, 0xCB, 0xA8, 0x0D, 0xC3, 0x9C, 0xB0, 0x2E, 0x38, 0xEF, 0x3A, 0x47, 0x28, 0xE9, 0x54, 0x95, 0x1A, 0x94, 0x86, 0x7D, 0x36, 0xB6, 0x4D, 0x90, 0x44, 0xF6, 0xC0, 0xA7, 0xC6, 0x31, 0x15, 0x99, 0x7A
-};
-
-/* CTR_SDK 3 (3.2.5) */
-// APP
-static const unsigned char app_fw20_prod_hdrpub[0x100] =
-{
-	0xC0, 0xDE, 0x75, 0x56, 0x5F, 0xC1, 0x95, 0x48, 0x9C, 0x1E, 0x00, 0x41, 0x49, 0x9F, 0xB2, 0x8C, 0x43, 0x30, 0xCA, 0x50, 0xC7, 0xCC, 0x7E, 0xF5, 0x56, 0xD0, 0x8F, 0x89, 0x6A, 0xC7, 0x15, 0x10, 0x70, 0x64, 0xB3, 0x29, 0x5B, 0xE8, 0x6B, 0xCA, 0xB1, 0xFE, 0x44, 0xEC, 0x4D, 0x5D, 0xB9, 0xFC, 0xA8, 0xE2, 0x95, 0xBC, 0xFA, 0x0F, 0x76, 0xA5, 0xE1, 0x07, 0xEA, 0x02, 0x13, 0x8C, 0xA6, 0x18, 0x55, 0xDA, 0xBD, 0x9C, 0xE3, 0x5F, 0xBD, 0x50, 0x1E, 0x89, 0xFC, 0x73, 0xC3, 0x37, 0x39, 0x05, 0xAF, 0xE4, 0xDA, 0xA8, 0x62, 0x9E, 0x58, 0x4B, 0x83, 0x9E, 0x5C, 0x26, 0xF2, 0x8B, 0x41, 0xB4, 0xB5, 0x89, 0xCD, 0x90, 0xC0, 0xB8, 0xA0, 0x9F, 0xFA, 0x83, 0x05, 0x11, 0x06, 0xD2, 0xED, 0x3A, 0xAB, 0xAF, 0x6D, 0x46, 0x8A, 0xE8, 0x0E, 0x39, 0xB1, 0xA3, 0xE6, 0x7A, 0x3E, 0x30, 0xE2, 0xA2, 0xDC, 0xC5, 0x4B, 0x8E, 0x3F, 0x9E, 0xB5, 0xC0, 0x9E, 0x05, 0x23, 0x72, 0x3F, 0x4E, 0xDD, 0x7C, 0xF4, 0x7D, 0xA6, 0x9B, 0x92, 0x45, 0x4B, 0x07, 0xD6, 0x19, 0x53, 0x1C, 0x98, 0x13, 0xB1, 0x50, 0x18, 0x6F, 0x74, 0xFD, 0x2D, 0x1C, 0xD5, 0x04, 0xBD, 0x59, 0x19, 0x05, 0xB0, 0xE8, 0x1E, 0x8A, 0xE8, 0x1C, 0xB0, 0x09, 0xB7, 0x82, 0x22, 0x77, 0x99, 0x93, 0xED, 0x33, 0x6D, 0xC8, 0x0C, 0x8F, 0x54, 0xA6, 0x51, 0x7C, 0x22, 0xC3, 0x13, 0x02, 0x5B, 0xC1, 0x44, 0xFE, 0x8E, 0x0D, 0x19, 0x8E, 0xD1, 0x0C, 0xB8, 0xED, 0xEF, 0xF4, 0x3D, 0x3B, 0x68, 0xA0, 0xA3, 0xB9, 0x52, 0x81, 0x98, 0xA9, 0xAE, 0xD0, 0xCD, 0xC2, 0x14, 0xF6, 0x67, 0x45, 0xC2, 0xC7, 0x68, 0x22, 0xB2, 0xC4, 0x20, 0xB8, 0x33, 0x48, 0x7B, 0xB6, 0x13, 0x2E, 0x7A, 0x3D, 0xC5, 0x5E, 0xB6, 0xAF, 0x2A, 0xF9, 0x7D, 0x53
-};
-
-static const unsigned char app_fw20_prod_acexsig[0x100] =
-{
-	0x19, 0xA5, 0x0A, 0x40, 0x4E, 0xF4, 0xDD, 0xE2, 0x8F, 0xA1, 0x50, 0xA5, 0x78, 0xFF, 0x1D, 0xBA, 0xE3, 0x2B, 0x9D, 0x7A, 0xB5, 0x7C, 0xC1, 0x59, 0x01, 0xB4, 0x2C, 0x46, 0xA8, 0x96, 0xDC, 0xD3, 0xD7, 0x41, 0x0D, 0x0F, 0xC8, 0x24, 0x0D, 0x20, 0xDA, 0xDF, 0x25, 0xE8, 0xC9, 0x88, 0x8C, 0x1B, 0xFF, 0x8B, 0x40, 0x89, 0x9C, 0x2F, 0x37, 0x43, 0x26, 0xDE, 0x18, 0xA3, 0xAB, 0x53, 0x5C, 0xB4, 0xFA, 0xD1, 0x80, 0x2E, 0x46, 0x57, 0x9A, 0x90, 0x49, 0x65, 0xCD, 0x66, 0xE5, 0xE6, 0xB8, 0xF5, 0x3C, 0x70, 0xAE, 0x57, 0xF3, 0x71, 0x31, 0xBA, 0x04, 0x3F, 0x9C, 0x2C, 0x28, 0x9A, 0x32, 0xB8, 0xCD, 0x22, 0x4A, 0x38, 0x7B, 0x91, 0xDA, 0xCC, 0x4D, 0x3A, 0x7D, 0x5C, 0xDC, 0x49, 0x85, 0x37, 0x7A, 0xFF, 0x20, 0xEA, 0x1D, 0x74, 0x2F, 0x83, 0xD8, 0x3C, 0x2E, 0x71, 0xBD, 0x0F, 0xFF, 0x90, 0x8F, 0x49, 0x1C, 0x1F, 0x2A, 0x34, 0xB0, 0x2E, 0x60, 0x78, 0x4B, 0x46, 0xDF, 0x27, 0xEC, 0x37, 0x36, 0xEA, 0xE9, 0xA0, 0xC5, 0x4A, 0x12, 0x1F, 0x36, 0x18, 0x07, 0x97, 0x52, 0xF6, 0xF3, 0xC2, 0x78, 0xA4, 0x70, 0xF2, 0xC3, 0xB6, 0xD8, 0xF1, 0xC9, 0x74, 0x2C, 0x11, 0x21, 0x1A, 0x54, 0xD9, 0x27, 0x6C, 0xB1, 0x24, 0xBD, 0xC8, 0x9B, 0xEC, 0x69, 0xD6, 0xAE, 0x16, 0x90, 0x43, 0x64, 0x58, 0x6F, 0xF8, 0x56, 0x29, 0x04, 0xDF, 0x2F, 0x4C, 0xEE, 0xCC, 0x4D, 0x22, 0x2D, 0xEB, 0x60, 0x35, 0x07, 0x20, 0xF5, 0x75, 0x69, 0x54, 0x26, 0x20, 0x02, 0xC2, 0x1A, 0xBD, 0xA5, 0xDE, 0xC8, 0x38, 0xCD, 0xDB, 0x32, 0x53, 0x5D, 0x08, 0x3F, 0x7D, 0xED, 0x7F, 0x6A, 0x6F, 0x29, 0xEB, 0x11, 0x8A, 0x9A, 0xEE, 0x9C, 0x3C, 0x87, 0x3F, 0xB7, 0x2B, 0x84, 0x7A, 0x74, 0x70, 0xE2, 0x90, 0x33, 0x29
-};
-
-static const unsigned char app_fw20_2_prod_hdrpub[0x100] =
-{
-	0xC7, 0x35, 0xC3, 0x09, 0x60, 0x43, 0xCD, 0xE6, 0x11, 0x07, 0x52, 0xCA, 0x8B, 0x6A, 0xF2, 0x5A, 0x72, 0xC9, 0xAA, 0xDF, 0x63, 0xF3, 0x1F, 0x2A, 0xDE, 0xE3, 0x56, 0x24, 0xE8, 0x95, 0x8D, 0xBA, 0x5D, 0x9F, 0xF7, 0x03, 0xD9, 0x3C, 0xC8, 0x58, 0x47, 0x00, 0x35, 0x1B, 0xDB, 0x16, 0x7B, 0xA7, 0x2B, 0x82, 0x38, 0xBD, 0x20, 0xA9, 0xB7, 0x1E, 0xF4, 0x78, 0xFC, 0x59, 0x28, 0x61, 0x29, 0x74, 0xE5, 0x63, 0x6F, 0xB2, 0x9E, 0x36, 0x2A, 0xA0, 0x5B, 0x50, 0x89, 0x3F, 0xE9, 0x0C, 0x76, 0x05, 0x41, 0xF3, 0x23, 0x9C, 0xCD, 0xA9, 0xC1, 0x3C, 0x0B, 0x48, 0xAC, 0x11, 0x17, 0xA9, 0x46, 0x4D, 0x64, 0xD9, 0xBF, 0x63, 0x13, 0xBF, 0x8A, 0xFF, 0xED, 0xF0, 0x24, 0x71, 0xD6, 0xA9, 0x50, 0x9D, 0x00, 0xFC, 0x9B, 0x33, 0xFF, 0x0F, 0x68, 0x22, 0x25, 0xE8, 0x49, 0x68, 0x76, 0xF4, 0x8D, 0x3B, 0x67, 0xF0, 0xD7, 0x49, 0x41, 0xDE, 0xBF, 0x55, 0xC3, 0x8F, 0xD9, 0xF6, 0x30, 0x39, 0xF3, 0x15, 0x2B, 0x79, 0x6D, 0x71, 0xAC, 0xE9, 0x93, 0x88, 0xBD, 0xDB, 0x24, 0x75, 0xB1, 0x19, 0x84, 0x51, 0xF8, 0xD3, 0xBB, 0xB1, 0xBC, 0xE4, 0x53, 0x51, 0x4E, 0x00, 0x29, 0x66, 0x05, 0xBC, 0x8E, 0x37, 0x80, 0xCD, 0xD3, 0x40, 0xF7, 0x4F, 0xE0, 0x6B, 0x88, 0xDB, 0xBD, 0xA6, 0xF2, 0x11, 0x9C, 0x26, 0xF8, 0xED, 0xB3, 0x37, 0xB0, 0x77, 0x1D, 0xF0, 0x63, 0x8F, 0x81, 0x07, 0xC0, 0x66, 0x91, 0xA1, 0x8D, 0x06, 0xC1, 0xE9, 0xD4, 0xEA, 0xD7, 0xA0, 0xCB, 0x6F, 0x20, 0x7D, 0xC4, 0xCB, 0x0B, 0x9E, 0x80, 0xB5, 0x3A, 0xDA, 0x57, 0xF5, 0x0E, 0x07, 0x9F, 0x2E, 0x92, 0xC7, 0xBC, 0x6E, 0x85, 0x34, 0xB5, 0x95, 0x15, 0xCA, 0x69, 0x37, 0x7B, 0x2C, 0x1D, 0x5A, 0x13, 0x81, 0x74, 0xA3, 0x3E, 0x9D
-};
-
-static const unsigned char app_fw20_2_prod_acexsig[0x100] =
-{
-	0x33, 0x38, 0x2A, 0x9D, 0xBD, 0xBB, 0x2A, 0xE0, 0x63, 0x1E, 0xAA, 0xA5, 0x5D, 0x43, 0xD5, 0x95, 0xD7, 0xA7, 0xFF, 0x28, 0xA1, 0xD4, 0x2A, 0x70, 0x7E, 0x46, 0x0F, 0x8B, 0x00, 0xA0, 0x7E, 0x74, 0x5D, 0x1C, 0x96, 0x89, 0x5C, 0x38, 0xAF, 0x19, 0xF0, 0x2D, 0x88, 0x28, 0x8B, 0x6D, 0xE4, 0xC9, 0xF5, 0x2F, 0xCD, 0x94, 0xDB, 0xF4, 0x2E, 0x1E, 0xF1, 0x17, 0x2D, 0xB6, 0x1E, 0x21, 0x30, 0x28, 0xCE, 0xEA, 0x2E, 0xED, 0x6F, 0x95, 0xC8, 0x9E, 0xF5, 0x1E, 0x91, 0xC5, 0x38, 0x68, 0x1A, 0x4D, 0x74, 0x91, 0x2C, 0xDA, 0x72, 0xE1, 0xCE, 0x58, 0x2D, 0x4C, 0xD9, 0x9F, 0x24, 0xC1, 0xA2, 0xFA, 0xBD, 0x96, 0x95, 0x95, 0x29, 0x25, 0x58, 0x62, 0x39, 0xDD, 0xE7, 0xD7, 0xD3, 0xBF, 0xDB, 0x35, 0x0C, 0x26, 0xAE, 0x7C, 0xA5, 0x5D, 0x0E, 0x0B, 0x6D, 0xBF, 0x87, 0x72, 0xAA, 0x40, 0xA2, 0x55, 0x89, 0xDF, 0x1B, 0xBA, 0x2D, 0x5E, 0xDC, 0xB3, 0x40, 0x0F, 0x8C, 0xBA, 0xDF, 0xF5, 0xB7, 0x50, 0xC2, 0x94, 0x02, 0x4E, 0xFB, 0x8F, 0x5F, 0x8C, 0xE6, 0xE8, 0x38, 0x28, 0x5F, 0xB6, 0xA2, 0x66, 0x67, 0x73, 0x7F, 0xF8, 0x70, 0xFF, 0xE1, 0x30, 0xEC, 0xCE, 0x0D, 0x61, 0x9A, 0xE2, 0xD9, 0x4B, 0x40, 0xB7, 0xE2, 0x31, 0xC5, 0x6F, 0x06, 0x5C, 0x9A, 0x61, 0x5A, 0x14, 0xF6, 0x36, 0x44, 0xF5, 0x93, 0x30, 0x53, 0xB1, 0x97, 0x44, 0x50, 0x79, 0x9F, 0x3A, 0xFB, 0x2D, 0x42, 0xF1, 0x6C, 0x14, 0x8D, 0x35, 0xD6, 0x16, 0x22, 0xC3, 0x8B, 0x79, 0xFD, 0x26, 0xF8, 0x64, 0x76, 0x53, 0xA1, 0x32, 0x90, 0xBE, 0xA3, 0x9A, 0x6B, 0x5A, 0xCF, 0xC0, 0x34, 0xDE, 0x2F, 0xDC, 0x39, 0x14, 0x8F, 0x98, 0x01, 0x45, 0x57, 0x9E, 0x02, 0x05, 0xEB, 0x8E, 0x6D, 0x16, 0x0B, 0xCF, 0x43, 0xBF, 0xE5, 0xE5
-};
-
-static const unsigned char app_fw20_3_prod_hdrpub[0x100] =
-{
-	0xBF, 0x3C, 0x41, 0xF1, 0xD2, 0xDC, 0x47, 0xBE, 0xF2, 0xAE, 0x18, 0xA0, 0xCD, 0xAD, 0x0B, 0xEA, 0xB0, 0x8B, 0x69, 0x4E, 0x58, 0x36, 0x59, 0x59, 0x18, 0xA9, 0x02, 0x0C, 0xE6, 0xA9, 0x9D, 0xDA, 0x0A, 0x1E, 0xDA, 0x51, 0x08, 0xD9, 0xC3, 0x1F, 0xA3, 0x36, 0x55, 0xDE, 0xC3, 0xA0, 0x24, 0x1C, 0xB8, 0x67, 0x71, 0x98, 0xC0, 0x60, 0x15, 0x72, 0x47, 0x7E, 0xDC, 0x7E, 0xEB, 0x43, 0x5E, 0x35, 0x23, 0x95, 0xB2, 0x34, 0x1F, 0x31, 0xE8, 0xC7, 0x1E, 0xA4, 0x9B, 0x88, 0x51, 0x39, 0x75, 0xEE, 0x92, 0xA6, 0xF9, 0xD5, 0x5C, 0xFE, 0x84, 0xED, 0x5B, 0xE8, 0x3F, 0xC0, 0xBE, 0xA7, 0x49, 0x63, 0x5D, 0xF1, 0x89, 0xDC, 0x79, 0x75, 0xBC, 0xB1, 0xF5, 0x20, 0x2A, 0x50, 0xBC, 0x8D, 0x2F, 0xC0, 0x27, 0x14, 0x85, 0x58, 0x8B, 0x11, 0xE0, 0xBA, 0xDE, 0x5F, 0x41, 0x44, 0xEE, 0x4F, 0x3D, 0xB6, 0x8D, 0x7A, 0x2F, 0x9C, 0xE3, 0x2A, 0xC1, 0x5E, 0x82, 0x04, 0x3C, 0xFD, 0x68, 0xFD, 0x0A, 0x14, 0x91, 0xF8, 0x5E, 0xBA, 0xD1, 0x80, 0xF6, 0xF5, 0x89, 0xE2, 0x12, 0xE1, 0x86, 0xE7, 0xF1, 0x78, 0x6F, 0x43, 0x5C, 0xF7, 0xD1, 0x57, 0xDA, 0x83, 0x1E, 0x6E, 0xEF, 0x3C, 0xDF, 0xED, 0x03, 0x95, 0xB7, 0xD4, 0x15, 0x6E, 0x1C, 0xDE, 0xD3, 0x17, 0x02, 0x52, 0x15, 0xBF, 0xDA, 0xFB, 0x62, 0x2E, 0xB5, 0x47, 0x0A, 0x29, 0x08, 0xC5, 0x3C, 0x3C, 0x17, 0x00, 0xC3, 0x50, 0x13, 0x3C, 0xBF, 0xE6, 0xEF, 0x8A, 0x7C, 0x12, 0x22, 0x13, 0x19, 0x06, 0x56, 0xDE, 0xBC, 0xDC, 0xCC, 0xC5, 0xE7, 0xEE, 0xC4, 0x88, 0x48, 0x47, 0xE3, 0xA9, 0x76, 0xFA, 0x51, 0x7B, 0xB7, 0x1D, 0xAF, 0x48, 0x80, 0x25, 0xFD, 0x1C, 0xB8, 0x8C, 0x21, 0xA3, 0x37, 0x48, 0x77, 0xD6, 0x7E, 0x16, 0x8C, 0xC4, 0x0C, 0x05
-};
-
-static const unsigned char app_fw20_3_prod_acexsig[0x100] =
-{
-	0x5E, 0x3C, 0xF9, 0xB5, 0x50, 0x08, 0x3E, 0x49, 0x71, 0x21, 0x4F, 0x22, 0x5A, 0xDB, 0x32, 0x66, 0x8D, 0x64, 0x48, 0x96, 0x59, 0x47, 0xBF, 0xF0, 0x20, 0x4C, 0x6D, 0xE2, 0xCE, 0xE5, 0x44, 0x58, 0x78, 0x15, 0xCD, 0xA8, 0x58, 0xF7, 0x8A, 0xF2, 0x88, 0x04, 0xF1, 0x05, 0x7F, 0xF6, 0x1A, 0x61, 0x68, 0x22, 0xE9, 0x29, 0x01, 0xEF, 0x1C, 0x33, 0xB8, 0x30, 0x18, 0x96, 0xA2, 0x65, 0x15, 0xE6, 0x9C, 0x57, 0x95, 0x90, 0xF0, 0xB6, 0xBC, 0xB2, 0xCB, 0xDF, 0x43, 0xBD, 0x24, 0x6E, 0xD8, 0xC8, 0xAE, 0xA2, 0x32, 0xEA, 0x8A, 0x90, 0x50, 0x5D, 0xE1, 0x1B, 0x82, 0x72, 0x7C, 0x90, 0x24, 0x55, 0x2D, 0x3D, 0x8B, 0x95, 0xFC, 0xA4, 0xDA, 0xEF, 0x82, 0x2B, 0x25, 0xFA, 0x95, 0x28, 0xD0, 0x14, 0x5E, 0x67, 0xE6, 0x24, 0x0C, 0x5D, 0x56, 0x07, 0x79, 0x4F, 0x38, 0x4E, 0xF8, 0xDC, 0x74, 0x32, 0xFC, 0x92, 0xED, 0x99, 0x28, 0xC2, 0x1A, 0x52, 0xE5, 0x48, 0x21, 0xDB, 0x9C, 0x42, 0xF5, 0x71, 0xD3, 0x61, 0xF5, 0xCC, 0xF5, 0xC7, 0x7D, 0xC9, 0x60, 0x5C, 0x92, 0x68, 0x5A, 0xE6, 0x36, 0xF1, 0x7F, 0xCC, 0x85, 0x4C, 0x5C, 0x50, 0x6F, 0xA1, 0x0B, 0xA6, 0xC5, 0x57, 0x76, 0x6A, 0x81, 0x0B, 0x5B, 0xAB, 0x30, 0x85, 0xA8, 0x6B, 0x29, 0xC9, 0x9A, 0x96, 0xFF, 0xCD, 0x9B, 0x3A, 0x89, 0x94, 0x31, 0xC3, 0x4F, 0x0E, 0xC4, 0xA4, 0x19, 0x2F, 0xA4, 0x86, 0xCD, 0x07, 0x6D, 0xE4, 0xC7, 0x38, 0x32, 0xDF, 0x8E, 0xE7, 0xBE, 0x7B, 0xC1, 0x52, 0xBF, 0x4D, 0xB1, 0x66, 0x06, 0xBD, 0xBE, 0x98, 0xE9, 0x63, 0x9B, 0xFD, 0x43, 0x6B, 0x96, 0x9A, 0x8E, 0x78, 0x97, 0x1B, 0x7C, 0x8A, 0xE2, 0x8B, 0x28, 0xB8, 0xD0, 0xBD, 0x32, 0x05, 0x53, 0x92, 0xF7, 0x24, 0x04, 0xD0, 0x25, 0xB1, 0xF7, 0xDF
-};
-
-// EC APP
-static const unsigned char ecapp_fw20_prod_hdrpub[0x100] =
-{
-	0xE1, 0xF2, 0xF8, 0x92, 0xEC, 0x5D, 0xD9, 0xB2, 0x38, 0xCE, 0x52, 0x72, 0x10, 0x3A, 0x51, 0xB2, 0x47, 0xD9, 0xC7, 0x00, 0xF9, 0xEB, 0xE2, 0x1E, 0xE8, 0x53, 0x2F, 0xFF, 0xB0, 0x0D, 0x9E, 0x1B, 0x21, 0x48, 0x0B, 0xBF, 0x53, 0x48, 0x93, 0x9E, 0x20, 0x55, 0xF2, 0x8F, 0xFE, 0x5E, 0x0D, 0xE6, 0xBF, 0xDD, 0xF5, 0xE6, 0xDF, 0x95, 0xA6, 0x5B, 0x38, 0x81, 0x49, 0x1E, 0xE9, 0x77, 0xB1, 0x96, 0xEA, 0xAA, 0x83, 0x18, 0x09, 0x2F, 0x77, 0x59, 0x16, 0x0B, 0xA9, 0xF1, 0xE8, 0xE8, 0x3A, 0x05, 0xEA, 0x35, 0x4F, 0x1D, 0xD4, 0xF9, 0xC5, 0x1A, 0xA2, 0x9E, 0xF7, 0xBD, 0x3B, 0x90, 0xDA, 0x80, 0xA9, 0xA3, 0xED, 0xFC, 0xE3, 0xBF, 0x7A, 0xF1, 0x43, 0x67, 0x5F, 0x35, 0x24, 0xD1, 0x4B, 0xCF, 0x1F, 0x59, 0xF5, 0xF4, 0x5E, 0x88, 0xDE, 0x3D, 0x19, 0xDD, 0x5E, 0x04, 0xB2, 0x39, 0xB3, 0x29, 0x32, 0xBA, 0xA3, 0x1C, 0x18, 0x75, 0x01, 0xE0, 0xC9, 0x22, 0x23, 0xA1, 0x95, 0x04, 0xA6, 0x0F, 0xFB, 0x5D, 0x25, 0xC2, 0x88, 0x21, 0x5F, 0xFD, 0x13, 0xFE, 0x9F, 0x06, 0xE6, 0x5E, 0x53, 0x69, 0x1A, 0x15, 0xD0, 0xAB, 0xBE, 0x16, 0xC5, 0x01, 0x52, 0xEA, 0x87, 0x5F, 0xFE, 0xE6, 0xC3, 0xD1, 0x4F, 0xB9, 0xC3, 0x6B, 0xBD, 0x7D, 0x4E, 0x1D, 0xA9, 0xCD, 0xD8, 0x89, 0x1B, 0x0E, 0x64, 0x97, 0x57, 0x7E, 0x23, 0xF4, 0x85, 0xD0, 0xE9, 0x68, 0x00, 0xBF, 0x7E, 0x8B, 0xB2, 0x42, 0xED, 0x9B, 0xDD, 0xD8, 0x62, 0x13, 0x26, 0x93, 0xF8, 0x66, 0x0B, 0x32, 0x30, 0x8A, 0x9C, 0xF0, 0x7A, 0x7E, 0xD2, 0x04, 0x5D, 0xF1, 0xF2, 0xB2, 0x4A, 0xF2, 0x18, 0xF4, 0xAF, 0xA4, 0x34, 0x06, 0xE7, 0x09, 0x77, 0x01, 0x8F, 0xEE, 0x17, 0x27, 0x89, 0x9B, 0xF0, 0x76, 0x00, 0x25, 0x01, 0x09, 0xC1, 0x51
-};
-
-static const unsigned char ecapp_fw20_prod_acexsig[0x100] =
-{
-	0x6F, 0x5C, 0xA2, 0xD4, 0xDB, 0x21, 0x69, 0x54, 0xFE, 0x63, 0x55, 0x4C, 0x18, 0x86, 0xFF, 0x47, 0x73, 0x9B, 0x3A, 0x6B, 0xF3, 0x63, 0x47, 0x7E, 0x76, 0x86, 0x3B, 0xF1, 0xC6, 0x05, 0xE4, 0x4B, 0x8B, 0x61, 0xF3, 0x06, 0x02, 0x9B, 0x1B, 0xD1, 0x48, 0xCC, 0x51, 0xAF, 0x78, 0xE5, 0x58, 0xEE, 0xC4, 0x93, 0x83, 0xC2, 0xC9, 0x91, 0xD4, 0x4E, 0x00, 0xAD, 0xA8, 0x12, 0x40, 0x77, 0x20, 0xF8, 0xED, 0x11, 0xC1, 0x1D, 0x71, 0x14, 0x75, 0x1D, 0xB6, 0x89, 0xCC, 0xE1, 0x38, 0x3B, 0x8E, 0xAD, 0xA5, 0x17, 0x88, 0x90, 0xC1, 0xBE, 0x95, 0xBB, 0x0F, 0x0B, 0x12, 0xF9, 0x9E, 0xA9, 0x4F, 0x16, 0x34, 0x06, 0x2D, 0xFD, 0x1B, 0x51, 0x92, 0xE1, 0xD3, 0x7D, 0x6B, 0x31, 0xF0, 0xB4, 0xC0, 0x75, 0x91, 0x75, 0x2A, 0x0C, 0x99, 0x46, 0x2F, 0x4B, 0x34, 0xF3, 0x72, 0x10, 0x04, 0x23, 0x62, 0xC8, 0x94, 0xAD, 0x06, 0xC7, 0x69, 0x2A, 0x78, 0x3A, 0xCE, 0x8B, 0xE0, 0x16, 0x7D, 0x28, 0x35, 0xB2, 0xE1, 0x71, 0x49, 0x1C, 0x55, 0xD7, 0xA8, 0x6D, 0xCB, 0xA6, 0xF3, 0xB9, 0x35, 0xEA, 0x9D, 0xB0, 0x04, 0xE8, 0xB5, 0xEC, 0x15, 0xC6, 0xB1, 0x01, 0x69, 0xFB, 0x01, 0x87, 0x58, 0x83, 0xCC, 0xF5, 0x91, 0xC3, 0x3C, 0x2D, 0x7E, 0xAF, 0x43, 0xB9, 0xCD, 0x95, 0x20, 0xF9, 0x8F, 0x6F, 0x39, 0xDE, 0x95, 0x7B, 0x3F, 0xAD, 0x56, 0xF3, 0x07, 0xA3, 0x52, 0x12, 0x0F, 0x56, 0xA4, 0xF7, 0xAC, 0x55, 0xC2, 0x2F, 0x01, 0x0E, 0xFD, 0x26, 0xC9, 0x06, 0x8B, 0xCB, 0x6A, 0x4A, 0xE3, 0xF4, 0x58, 0x04, 0xAB, 0x64, 0x02, 0x99, 0xB9, 0xC5, 0xDA, 0x1F, 0x96, 0xEA, 0xEE, 0xB0, 0x33, 0xFD, 0xE9, 0x74, 0x90, 0x48, 0x7B, 0x88, 0xDE, 0x72, 0x57, 0x4C, 0x69, 0x47, 0x89, 0x03, 0xD6, 0x6B, 0x22, 0xFF
-};
-
-/* CTR_SDK 4 (4.2.8) */
-// APP
-static const unsigned char app_fw21_prod_hdrpub[0x100] =
-{
-	0xCF, 0x00, 0x9C, 0xB3, 0x20, 0xA0, 0x32, 0x47, 0x65, 0x89, 0xE0, 0xA0, 0x40, 0xC5, 0x57, 0x03, 0xA5, 0xF6, 0x8E, 0x66, 0xF5, 0x20, 0x28, 0xEE, 0xA7, 0x44, 0x3E, 0x8E, 0x4F, 0xC0, 0xC9, 0xD3, 0xE4, 0x3A, 0x0B, 0x31, 0xEC, 0x8F, 0xCC, 0x8D, 0x4C, 0xA6, 0x14, 0x49, 0x14, 0xBE, 0x05, 0xC1, 0xB4, 0x22, 0xAD, 0xCE, 0x1D, 0xCD, 0x29, 0x7B, 0x45, 0x16, 0xE5, 0xB9, 0xD6, 0xD2, 0x7A, 0xD0, 0x63, 0xCE, 0x69, 0xB2, 0xCA, 0xB8, 0x6D, 0x10, 0x9B, 0x99, 0x62, 0xF9, 0x45, 0xC0, 0x2E, 0xB5, 0xA1, 0xCD, 0x6B, 0xAF, 0x77, 0x9B, 0xEF, 0xD8, 0x56, 0x48, 0x75, 0x34, 0x02, 0x6E, 0xBA, 0xBF, 0x30, 0x54, 0xBF, 0x33, 0x4D, 0xB1, 0x36, 0xDC, 0x2A, 0xCD, 0x68, 0x81, 0x8C, 0x4F, 0xCB, 0xC2, 0xA2, 0x1D, 0x6E, 0xB0, 0xC0, 0x02, 0xF5, 0xF8, 0x1C, 0x6C, 0xB4, 0xC9, 0xD6, 0x90, 0x27, 0x50, 0xCA, 0x61, 0xE4, 0x1E, 0xA6, 0x1E, 0x43, 0x94, 0x01, 0x81, 0xC3, 0x69, 0xD0, 0xE2, 0x2C, 0xD7, 0x86, 0x1B, 0x8B, 0x69, 0x4D, 0xF0, 0xF1, 0x54, 0x24, 0x20, 0x91, 0xDD, 0x87, 0x12, 0x0A, 0x23, 0x98, 0x09, 0x63, 0xFD, 0xB4, 0x00, 0x69, 0x06, 0xD2, 0xF1, 0xC3, 0xE7, 0x9D, 0xCC, 0x87, 0x99, 0x01, 0x20, 0xDA, 0xD6, 0xA4, 0x24, 0x58, 0x9A, 0x62, 0x52, 0xF0, 0x30, 0x98, 0x6C, 0x08, 0x90, 0xB4, 0xA6, 0xE4, 0x79, 0x47, 0xF3, 0x1D, 0x58, 0x86, 0x4D, 0x9B, 0xA3, 0xE8, 0xFC, 0x1A, 0x63, 0xC3, 0x2F, 0xDF, 0xD3, 0xC6, 0x3B, 0x8E, 0xDA, 0xFB, 0xEA, 0x6D, 0xE3, 0x92, 0x14, 0xC8, 0x21, 0x2C, 0xE3, 0xF2, 0xE3, 0x31, 0x2E, 0xF6, 0x73, 0x27, 0xE8, 0xF2, 0xD5, 0x38, 0xB7, 0x04, 0x46, 0xA7, 0xBE, 0x92, 0x14, 0x66, 0x1E, 0x8D, 0x88, 0xF7, 0xC0, 0x60, 0xB5, 0x7F, 0xF3, 0xCE, 0x43
-};
-
-static const unsigned char app_fw21_prod_acexsig[0x100] =
-{
-	0x04, 0xE3, 0xD1, 0xD2, 0x32, 0xF4, 0x04, 0xE5, 0x79, 0x67, 0x1E, 0x74, 0xD8, 0x1B, 0x8F, 0x6C, 0xEB, 0xE2, 0xFE, 0x1B, 0xCE, 0xAB, 0x92, 0x03, 0xF0, 0x3C, 0xF5, 0x31, 0x07, 0xCE, 0x8E, 0x47, 0xB2, 0xE8, 0x52, 0x8F, 0xFF, 0xA7, 0x1B, 0xE1, 0xFF, 0x58, 0x5E, 0x99, 0xBA, 0x71, 0x90, 0x87, 0x01, 0x92, 0xE8, 0xD0, 0x67, 0x6E, 0x29, 0xD3, 0x1E, 0xA6, 0x22, 0x8F, 0x52, 0xAD, 0x6B, 0xB1, 0xB6, 0xC0, 0xC6, 0x44, 0x5D, 0x41, 0xD8, 0xCE, 0x3A, 0xEB, 0x04, 0x5A, 0x8C, 0x4D, 0x03, 0x9F, 0x31, 0xDC, 0x4E, 0x37, 0xEF, 0x7B, 0x42, 0x02, 0x19, 0x6A, 0x33, 0x60, 0xEF, 0xB9, 0x01, 0x11, 0xAC, 0x82, 0x10, 0xFD, 0x79, 0xD8, 0x2D, 0x5F, 0x42, 0xDE, 0xEC, 0x38, 0x79, 0xF6, 0x70, 0x84, 0x5A, 0xA8, 0x83, 0x58, 0xEF, 0x57, 0x2A, 0x04, 0x1E, 0x9B, 0xAF, 0xB3, 0xCC, 0x67, 0x62, 0xD1, 0x9B, 0xB0, 0xA4, 0x3C, 0x16, 0xB8, 0x0B, 0xC1, 0x7B, 0xE9, 0x39, 0x96, 0x32, 0xF5, 0xC4, 0xA0, 0xAB, 0xE8, 0xEA, 0x2F, 0x2D, 0x83, 0xF4, 0x8C, 0x62, 0xA3, 0x03, 0xDC, 0x6E, 0xAD, 0x9C, 0x46, 0x56, 0xD6, 0xF5, 0xDD, 0xB1, 0x95, 0x47, 0xE9, 0xAB, 0x40, 0x28, 0x87, 0x2B, 0x97, 0x42, 0x1A, 0x71, 0x9F, 0xB7, 0x7D, 0x45, 0x4A, 0x2B, 0xF6, 0xF7, 0xA8, 0x01, 0x14, 0x40, 0x77, 0x14, 0x49, 0x2B, 0x5D, 0x84, 0xA5, 0xC4, 0xA8, 0x10, 0xCD, 0x4B, 0x85, 0x34, 0x58, 0x74, 0x99, 0xD2, 0x44, 0x26, 0x37, 0xC7, 0x7A, 0x7A, 0x60, 0x85, 0x77, 0x73, 0xE9, 0x75, 0xB1, 0x6B, 0xDA, 0x43, 0x02, 0xAD, 0xD2, 0xC6, 0x7F, 0x53, 0xC4, 0xD3, 0x0F, 0x1D, 0xA0, 0x6F, 0xD8, 0x3B, 0xAF, 0xFF, 0x94, 0xF6, 0x27, 0x27, 0x7A, 0xEF, 0xF3, 0x96, 0xA5, 0x29, 0x4A, 0x47, 0xB1, 0x09, 0x2D, 0x34, 0xF5
-};
-
-/* CTR_SDK 5 (5.2.3) */
-// APP
-static const unsigned char app_fw23_prod_hdrpub[0x100] =
-{
-	0xDD, 0x51, 0x85, 0xCB, 0x8C, 0x22, 0xBB, 0x76, 0x08, 0x31, 0xE1, 0xD3, 0x04, 0x30, 0xDB, 0x70, 0x78, 0x6F, 0xD5, 0xCB, 0x79, 0xD4, 0x87, 0x19, 0x3E, 0x39, 0x99, 0x07, 0x12, 0x1C, 0xC9, 0x7C, 0xC9, 0x34, 0x16, 0x37, 0x31, 0xFD, 0x7C, 0x56, 0xB4, 0x53, 0x5D, 0x9D, 0x1F, 0xFE, 0x87, 0x0A, 0x86, 0x2A, 0x9B, 0xF8, 0xE1, 0x2F, 0xE3, 0x98, 0xCD, 0xA0, 0xD2, 0xBF, 0xBF, 0x2D, 0x56, 0x73, 0xC2, 0x7B, 0x38, 0x89, 0x33, 0xA6, 0xC4, 0xC0, 0x7E, 0xF2, 0x54, 0xF6, 0x2F, 0x32, 0xD7, 0x88, 0x88, 0xCD, 0x4D, 0x2B, 0xB5, 0x6D, 0x97, 0xB7, 0x97, 0xF2, 0x5A, 0xCD, 0x93, 0xC8, 0x11, 0x3F, 0x44, 0xB3, 0xF8, 0x2B, 0x45, 0x3F, 0xE1, 0x44, 0x5D, 0x7D, 0xB8, 0x0C, 0x48, 0xD1, 0x53, 0xA8, 0xEF, 0x26, 0xCC, 0x5B, 0x25, 0x82, 0x92, 0x52, 0x2E, 0xAC, 0x32, 0x48, 0x27, 0x4F, 0x24, 0xD7, 0xF8, 0x1B, 0x64, 0x2F, 0x8C, 0x10, 0x84, 0xD3, 0xF7, 0x31, 0x6A, 0xD0, 0x79, 0xC3, 0x19, 0xF3, 0x4A, 0xB7, 0xC7, 0x4B, 0xD8, 0x32, 0x43, 0x29, 0x90, 0xED, 0x93, 0x70, 0x6D, 0xC0, 0x45, 0x1E, 0x6D, 0x3A, 0x8A, 0xCB, 0x43, 0xB1, 0xC3, 0xEB, 0x8D, 0xC0, 0xC3, 0x5C, 0x20, 0xA4, 0xFD, 0xF8, 0xFF, 0xED, 0x4E, 0x5A, 0x15, 0x22, 0x8E, 0x8E, 0xE8, 0x0D, 0x32, 0x0E, 0x15, 0xC4, 0xCF, 0x1F, 0xDF, 0x74, 0x42, 0x73, 0x3D, 0xF8, 0x3F, 0x32, 0x9B, 0xEE, 0xD6, 0xE4, 0x8F, 0x99, 0xAA, 0xF7, 0xFA, 0x72, 0xC0, 0xB6, 0xF6, 0x97, 0x22, 0xDB, 0xDB, 0x2E, 0xD0, 0xBF, 0x40, 0x58, 0x01, 0xE5, 0xBA, 0x07, 0x09, 0x70, 0x1E, 0x8F, 0x8B, 0xAF, 0x73, 0xF9, 0x0E, 0xB2, 0xC7, 0xF4, 0xB8, 0x88, 0xDD, 0xAF, 0xF5, 0x88, 0xA7, 0x1A, 0xE9, 0x39, 0xDF, 0x6C, 0x32, 0xE7, 0x7C, 0xAB, 0x33, 0xCD
-};
-
-static const unsigned char app_fw23_prod_acexsig[0x100] =
-{
-	0xA6, 0x8B, 0x83, 0x98, 0x0A, 0x4C, 0x37, 0x75, 0x54, 0x25, 0xFE, 0xC9, 0x8A, 0x1E, 0x1A, 0x47, 0x0C, 0xD8, 0x12, 0x2E, 0xC0, 0xE4, 0x0D, 0x3D, 0xB9, 0x1E, 0x14, 0xEF, 0x05, 0xD4, 0x4F, 0xC1, 0x9E, 0xFD, 0xDF, 0xF1, 0x2C, 0xDE, 0x45, 0xC2, 0x1A, 0x83, 0xCD, 0x88, 0xFA, 0x51, 0x4F, 0x4A, 0x1F, 0xA3, 0x71, 0x1D, 0xC9, 0x81, 0xF0, 0xB4, 0x68, 0x86, 0x18, 0xCF, 0xF4, 0xE4, 0x58, 0x68, 0x54, 0xAE, 0x00, 0x9E, 0xC4, 0xA5, 0x0B, 0xFF, 0x52, 0x2D, 0x29, 0x83, 0xEF, 0x1F, 0x5A, 0x30, 0xD0, 0xA7, 0x1D, 0x1D, 0x0C, 0x17, 0xAA, 0x7F, 0x54, 0x50, 0xA9, 0x47, 0xA8, 0x2F, 0x31, 0xAE, 0x21, 0x0A, 0x2A, 0xF8, 0xDA, 0x59, 0x1F, 0x90, 0x92, 0x21, 0x56, 0x65, 0x0C, 0x20, 0xBE, 0x1E, 0x53, 0xBF, 0x56, 0x78, 0x38, 0xE0, 0x04, 0xBA, 0x43, 0x6C, 0xB3, 0xFC, 0xFB, 0x1F, 0x38, 0x41, 0x4D, 0xD5, 0xFE, 0xD8, 0x31, 0xC8, 0x53, 0xAD, 0xE1, 0x3F, 0x2C, 0x52, 0x84, 0x40, 0x90, 0x9B, 0xC4, 0xDB, 0xAB, 0x09, 0xAD, 0x41, 0x51, 0x77, 0x9D, 0x0D, 0x06, 0x56, 0x15, 0xEF, 0x45, 0x9D, 0x3A, 0xC3, 0x30, 0x1A, 0x7F, 0xBA, 0xB7, 0xB9, 0xA4, 0xAA, 0x3F, 0x0F, 0xB8, 0x9A, 0x5B, 0xE8, 0xE9, 0x59, 0x7B, 0x5E, 0x5D, 0x0A, 0x3C, 0x5D, 0x54, 0x3D, 0x48, 0x7B, 0x4C, 0x28, 0xD0, 0x91, 0xF6, 0xF1, 0x43, 0x52, 0xBC, 0xE6, 0x08, 0x52, 0x09, 0x0D, 0x64, 0xAE, 0x18, 0x67, 0x3E, 0x8C, 0xAD, 0xE7, 0x45, 0xD4, 0xE1, 0xA0, 0x65, 0xC2, 0x09, 0xE6, 0x44, 0xF4, 0xDE, 0xDD, 0xC5, 0x4C, 0x86, 0x9D, 0x60, 0x81, 0x28, 0x9F, 0x59, 0x78, 0xA5, 0x9F, 0x97, 0x09, 0x11, 0xD9, 0x1C, 0x0B, 0x98, 0x84, 0x83, 0x73, 0xEA, 0xF7, 0xFA, 0x27, 0x99, 0x3C, 0x12, 0xFB, 0x50, 0x43, 0x97, 0x17
-};
-
-static const unsigned char app_fw23_2_prod_hdrpub[0x100] =
-{
-	0xB0, 0x21, 0x4F, 0x59, 0x5E, 0xDA, 0xC8, 0x66, 0x28, 0xAC, 0x0F, 0xD6, 0xAA, 0xAA, 0xC3, 0xCD, 0x2E, 0x0C, 0xAF, 0x37, 0x44, 0xD2, 0x3A, 0x00, 0x5B, 0x8E, 0x06, 0x79, 0x7A, 0x26, 0x71, 0x0E, 0xF6, 0xC9, 0x41, 0x6D, 0x28, 0x9C, 0xC6, 0xF4, 0x74, 0x44, 0xFA, 0xAA, 0x06, 0xF9, 0xB7, 0x0B, 0x83, 0x04, 0xA2, 0x15, 0xA9, 0x2F, 0xD4, 0x66, 0x94, 0x3F, 0xCC, 0xE5, 0x09, 0xA6, 0xAC, 0xFF, 0x7A, 0x7D, 0x27, 0x44, 0x36, 0xE6, 0x83, 0x72, 0x37, 0x69, 0x64, 0x3E, 0x83, 0xFF, 0xED, 0x1A, 0x06, 0xBA, 0x7E, 0x7C, 0xED, 0x2F, 0xB0, 0x99, 0x06, 0x12, 0xC0, 0x74, 0xDF, 0xD3, 0xF9, 0xC9, 0x7D, 0xF1, 0xE1, 0xE3, 0x35, 0x3B, 0x8D, 0x35, 0xB9, 0x0D, 0xF0, 0x30, 0x0E, 0xA8, 0xCC, 0x3E, 0xDE, 0xA5, 0x53, 0x5A, 0xCD, 0x00, 0xCE, 0xBF, 0x6A, 0x62, 0x18, 0x44, 0xA1, 0xBB, 0xDF, 0xDE, 0x78, 0x54, 0xA4, 0x07, 0x3E, 0x63, 0xDB, 0x52, 0x8B, 0x12, 0x20, 0x87, 0x3B, 0x3F, 0xB0, 0xFA, 0xDD, 0x26, 0xB4, 0x32, 0x0B, 0x19, 0x97, 0x91, 0xD6, 0xA6, 0x98, 0xDB, 0xA7, 0xA7, 0xF7, 0xBD, 0x9A, 0xF8, 0x5F, 0x62, 0x9C, 0xFB, 0x70, 0x3D, 0xA2, 0x74, 0x4C, 0x00, 0xA9, 0xCD, 0xF3, 0x98, 0x69, 0x58, 0x40, 0xA1, 0xD8, 0x0F, 0x36, 0x15, 0xAC, 0xCA, 0x1C, 0xC0, 0xD4, 0x80, 0xC8, 0x66, 0x50, 0xBD, 0x78, 0x2C, 0x7C, 0xED, 0x3D, 0x87, 0x20, 0x85, 0x81, 0xAD, 0xBB, 0x8E, 0x6F, 0x79, 0x03, 0xBA, 0xBA, 0xFA, 0x26, 0x73, 0x21, 0xC1, 0xE4, 0xD8, 0x91, 0x1F, 0xE2, 0x86, 0xF1, 0x68, 0x6E, 0xC3, 0xC3, 0x91, 0x2F, 0x73, 0x92, 0xDA, 0x4B, 0x49, 0xE5, 0x4F, 0xD2, 0xA9, 0x82, 0xFE, 0x98, 0x83, 0xCB, 0x4C, 0xA2, 0xC3, 0x3F, 0x0E, 0xCC, 0x38, 0x9E, 0x82, 0xBA, 0xAD, 0x5C, 0xEB
-};
-
-static const unsigned char app_fw23_2_prod_acexsig[0x100] =
-{
-	0x7B, 0xEB, 0x5A, 0xA0, 0x36, 0x1E, 0x1A, 0x75, 0x26, 0x22, 0x72, 0x46, 0xC0, 0x8D, 0x11, 0x8F, 0x9F, 0x7F, 0xDB, 0x8A, 0x06, 0xA9, 0xF9, 0x3E, 0xDC, 0x71, 0x49, 0xD3, 0x40, 0xBE, 0xC7, 0x3A, 0xFF, 0x67, 0xB4, 0x10, 0x23, 0x58, 0x0F, 0xBD, 0x24, 0x39, 0xBF, 0x3B, 0xEB, 0x73, 0x4D, 0x5B, 0xC8, 0xA7, 0x10, 0xDB, 0xFF, 0x54, 0x17, 0x1E, 0x65, 0x29, 0x3C, 0x63, 0x61, 0xB0, 0x9F, 0xC4, 0x80, 0x04, 0x53, 0xDD, 0xE9, 0x9F, 0xA8, 0xC6, 0x4A, 0x41, 0x16, 0x51, 0x4C, 0xF5, 0x7C, 0x38, 0x11, 0x43, 0xF2, 0xFC, 0x4B, 0xCA, 0x87, 0x99, 0x80, 0x20, 0x74, 0xE8, 0x31, 0x59, 0xAB, 0xA2, 0x6E, 0x07, 0xBA, 0xE0, 0x7B, 0xD1, 0x28, 0x1E, 0x37, 0x26, 0xA3, 0x70, 0xD2, 0x25, 0x82, 0xA6, 0x07, 0xE7, 0xBB, 0x18, 0xDE, 0xAA, 0x76, 0xB4, 0xCD, 0x83, 0xAF, 0xC7, 0xC5, 0x03, 0xE8, 0x96, 0x1A, 0xD5, 0x2C, 0x9F, 0xAC, 0x87, 0x70, 0x87, 0x90, 0x69, 0x65, 0x7C, 0xD4, 0x65, 0x0E, 0x64, 0xE1, 0x90, 0x7E, 0x09, 0x98, 0xC5, 0x30, 0x48, 0x5E, 0x7F, 0x4D, 0xB7, 0x08, 0x51, 0xF0, 0xD7, 0x00, 0xBE, 0x23, 0x17, 0xF6, 0x86, 0x09, 0x8B, 0xF2, 0x75, 0x67, 0x31, 0xE3, 0xB0, 0x0D, 0x7A, 0xF0, 0x56, 0x67, 0x21, 0x67, 0xC8, 0x9C, 0x4E, 0x16, 0x34, 0x6D, 0x1A, 0xB7, 0xB5, 0x7B, 0x02, 0x4D, 0x6B, 0xFA, 0xF8, 0x83, 0x09, 0x6C, 0x14, 0x06, 0x9B, 0x1F, 0x2E, 0x26, 0x61, 0xE9, 0xAD, 0xDE, 0xDD, 0x55, 0x92, 0xB3, 0x50, 0x41, 0xCB, 0x75, 0x47, 0xC1, 0xF8, 0x72, 0x44, 0xE5, 0xEA, 0xC9, 0x11, 0x91, 0xAF, 0x4E, 0xC5, 0xBA, 0xEA, 0x2F, 0x26, 0xE4, 0x73, 0xE3, 0x8A, 0xCD, 0x47, 0xB9, 0x53, 0x75, 0xFC, 0x74, 0xD5, 0x74, 0xCF, 0x1F, 0x75, 0x57, 0x9A, 0x1F, 0xA5, 0x56, 0xEF
-};
-
-static const unsigned char app_fw23_3_prod_hdrpub[0x100] =
-{
-	0xB1, 0x75, 0x6B, 0x2D, 0x39, 0xB2, 0x1A, 0xFF, 0x5C, 0xE5, 0x49, 0xF9, 0x96, 0x5A, 0xAF, 0x3F, 0x5E, 0x64, 0xEB, 0xFC, 0x18, 0x50, 0x13, 0xCF, 0x52, 0xB8, 0x06, 0x8A, 0x5A, 0xEC, 0xB1, 0x2F, 0x61, 0x38, 0xFD, 0x9F, 0xC0, 0x2A, 0x51, 0x4F, 0x3B, 0x0E, 0xBA, 0xE7, 0xBA, 0xB8, 0x7C, 0xAA, 0x31, 0xC1, 0x66, 0x38, 0x10, 0x8B, 0xE4, 0x92, 0x42, 0xAB, 0xD7, 0x56, 0x1F, 0xEC, 0x23, 0xF4, 0x75, 0xFD, 0x7D, 0x87, 0xD3, 0xF4, 0x01, 0x3B, 0xA0, 0xF9, 0xD0, 0x17, 0xE4, 0x45, 0xAD, 0xB9, 0xF2, 0xB8, 0x74, 0x7A, 0x24, 0x98, 0x5F, 0x17, 0xD7, 0x21, 0x22, 0x4F, 0xDF, 0x4E, 0x1F, 0x6B, 0x60, 0x84, 0x88, 0x1D, 0xDB, 0xCF, 0x5C, 0xC6, 0xA7, 0xBF, 0x9D, 0x36, 0x88, 0xE2, 0xFD, 0x79, 0x43, 0x95, 0xE8, 0x1E, 0x9F, 0x89, 0x47, 0x40, 0x96, 0xFE, 0xE7, 0xD6, 0x67, 0xDA, 0x3A, 0x3C, 0x81, 0xBD, 0x65, 0x7C, 0xD1, 0xE4, 0xE1, 0x9E, 0x2C, 0xA9, 0xE4, 0xAE, 0x5B, 0xE6, 0x27, 0xAD, 0x25, 0xE6, 0xE4, 0x9F, 0x60, 0xB0, 0x95, 0xC3, 0xCC, 0x4C, 0xEC, 0x6D, 0xFB, 0x70, 0x17, 0xB5, 0x57, 0xC5, 0x47, 0x1C, 0xD2, 0x19, 0x4C, 0xF1, 0x33, 0xF3, 0x83, 0x62, 0x20, 0x8C, 0x23, 0x3D, 0xC3, 0x79, 0xD6, 0xD1, 0x7B, 0x12, 0x8C, 0xA2, 0x1A, 0x9F, 0xF2, 0xC4, 0x01, 0x5E, 0xA0, 0xA4, 0xC9, 0xCC, 0xDC, 0xC3, 0x67, 0xEC, 0x62, 0x81, 0x86, 0x6D, 0x14, 0x2E, 0xF9, 0xC9, 0xF9, 0xD3, 0x7B, 0x4B, 0xC6, 0x1A, 0xD6, 0x1E, 0xA8, 0x20, 0xA9, 0x19, 0xCF, 0xB1, 0xD8, 0xCB, 0xD3, 0xF4, 0x8E, 0x5C, 0xEC, 0x83, 0xD3, 0x54, 0xA2, 0x65, 0x78, 0xFF, 0x4B, 0x7E, 0xC2, 0x2C, 0xFC, 0xBE, 0x90, 0x53, 0x48, 0x06, 0x42, 0x45, 0xBA, 0xCC, 0xCE, 0xE0, 0x70, 0x5C, 0x47, 0xCE, 0xB5, 0xAD
-};
-
-static const unsigned char app_fw23_3_prod_acexsig[0x100] =
-{
-	0x59, 0xB7, 0xA4, 0x4D, 0x58, 0x89, 0x33, 0xA0, 0x85, 0x77, 0xF7, 0x44, 0xE2, 0x14, 0x61, 0xFD, 0x42, 0xDF, 0x42, 0xEE, 0x08, 0x66, 0x2D, 0x28, 0x0C, 0xF9, 0x25, 0x12, 0x45, 0x50, 0x8C, 0x86, 0xF9, 0xCD, 0x86, 0xAB, 0x19, 0x4C, 0x1F, 0x1C, 0x0B, 0xDF, 0x21, 0xB5, 0x9C, 0x89, 0xFA, 0x90, 0xB3, 0x77, 0x3E, 0xA9, 0xCB, 0xDD, 0x6B, 0x15, 0x57, 0x12, 0xA1, 0xC1, 0x02, 0x4A, 0xED, 0xFC, 0x94, 0x02, 0xFF, 0x74, 0x87, 0x42, 0x5D, 0x6F, 0xBD, 0xD5, 0xAE, 0x25, 0xCA, 0x19, 0xF4, 0x89, 0x5A, 0x8E, 0x56, 0x22, 0xA2, 0xC9, 0xDE, 0x15, 0x32, 0xC9, 0x01, 0x43, 0x33, 0x3A, 0xBA, 0xCC, 0x52, 0x98, 0xCD, 0x6E, 0xD4, 0xC4, 0x51, 0x9F, 0xF4, 0xF1, 0xFC, 0xD3, 0x77, 0x22, 0x21, 0xAB, 0x79, 0xAA, 0x44, 0xDD, 0xA5, 0x88, 0xD5, 0x57, 0x26, 0x38, 0xFF, 0xBC, 0x31, 0xAF, 0xF2, 0xB2, 0xF1, 0xF2, 0x13, 0x22, 0xA8, 0xAA, 0x00, 0xA3, 0xFA, 0x82, 0x4A, 0xD6, 0xE6, 0xAF, 0xD7, 0x70, 0x0A, 0xEC, 0x1F, 0xC6, 0x7C, 0xA4, 0x5C, 0xEA, 0x1B, 0xBB, 0x4E, 0xF9, 0x8B, 0xEC, 0x06, 0x88, 0xC6, 0x16, 0x14, 0xB7, 0xCC, 0x77, 0xC1, 0x0B, 0xB4, 0x1D, 0x88, 0xE7, 0xDE, 0x0D, 0x64, 0xDF, 0xD0, 0x71, 0x76, 0xF5, 0x40, 0x38, 0xF5, 0x09, 0xAB, 0x57, 0x91, 0x02, 0x96, 0x39, 0x09, 0x6D, 0x30, 0xEB, 0x4C, 0x69, 0x34, 0x1E, 0xDD, 0xA3, 0x1B, 0xAD, 0xC9, 0xFC, 0xD3, 0xD0, 0x8A, 0x34, 0xD9, 0xDC, 0x48, 0x27, 0x7C, 0x3A, 0xB4, 0x5D, 0xB2, 0x34, 0x56, 0xAA, 0x51, 0x09, 0xD8, 0x74, 0xF0, 0xE3, 0xF2, 0xA0, 0x94, 0xC4, 0x35, 0x4C, 0xFD, 0xE7, 0xFB, 0x51, 0x6A, 0xCD, 0xAA, 0xDE, 0x32, 0x68, 0xE0, 0x5E, 0x3A, 0xC3, 0x62, 0x8E, 0xAB, 0xBA, 0x2B, 0x1D, 0xCE, 0x35, 0x24, 0x3F
-};
-
-// EC APP
-static const unsigned char ecapp_fw23_prod_hdrpub[0x100] =
-{
-	0xC1, 0xFB, 0x30, 0x9C, 0x96, 0xB3, 0xA9, 0x09, 0x62, 0x06, 0xFF, 0xA2, 0x8B, 0xAE, 0xD2, 0xB2, 0xC1, 0x8C, 0x47, 0xA2, 0xC4, 0x49, 0x15, 0x52, 0xE7, 0xD6, 0xA3, 0xEF, 0x7F, 0xD8, 0xB8, 0x28, 0xF1, 0x56, 0x31, 0xF4, 0x6C, 0x23, 0x69, 0xAA, 0x64, 0x8C, 0xC1, 0xD9, 0x37, 0xAA, 0xBB, 0x47, 0xB4, 0xAE, 0x5B, 0xFB, 0x19, 0xFA, 0xC4, 0xD5, 0x89, 0xB0, 0x36, 0x9F, 0xF9, 0x47, 0x56, 0xE8, 0x64, 0xC4, 0xB5, 0x46, 0x3A, 0x18, 0xD5, 0x12, 0x24, 0x61, 0x8D, 0xB2, 0xC8, 0xA6, 0xAC, 0x5C, 0x39, 0x38, 0x6B, 0x34, 0xC4, 0x68, 0x65, 0xF3, 0x72, 0xC7, 0x43, 0x9B, 0x91, 0xE9, 0xC5, 0x48, 0x2F, 0xC9, 0x84, 0xF7, 0xAC, 0xEA, 0xE1, 0x2C, 0xA8, 0xCB, 0x8F, 0xC4, 0x15, 0x4E, 0x85, 0x13, 0x83, 0x6E, 0x7F, 0x44, 0xD9, 0x6C, 0x69, 0x82, 0x38, 0x69, 0xE8, 0x90, 0xA4, 0x82, 0x52, 0xD7, 0xF2, 0x51, 0xAB, 0xEC, 0x26, 0xAD, 0x35, 0x21, 0x40, 0x7B, 0x6D, 0xA6, 0xC2, 0x78, 0xB3, 0xD1, 0xCC, 0xE8, 0x58, 0xC1, 0xF5, 0xC5, 0x47, 0xED, 0x7F, 0xBA, 0x64, 0xD4, 0x24, 0x14, 0x78, 0x8D, 0xD4, 0x81, 0xDE, 0x45, 0x17, 0x30, 0x30, 0x8F, 0xCA, 0x7E, 0x26, 0x74, 0x11, 0x04, 0x21, 0x9E, 0xE9, 0x07, 0x29, 0xEC, 0x20, 0x86, 0x13, 0x7B, 0x56, 0xA4, 0x2D, 0x8A, 0xCB, 0x7C, 0xED, 0x00, 0x84, 0xDE, 0x23, 0xDB, 0x3B, 0x6D, 0xBD, 0x1F, 0xAA, 0x6F, 0xB9, 0x37, 0x2B, 0xCF, 0x6E, 0x88, 0x3E, 0xDB, 0x1A, 0x79, 0xEC, 0x41, 0x8C, 0x63, 0xDA, 0x83, 0x2F, 0xFC, 0x8E, 0x65, 0xAB, 0x71, 0xAC, 0x94, 0xBC, 0x97, 0x8B, 0x5A, 0x04, 0x18, 0x72, 0xF4, 0x22, 0x37, 0x3B, 0xB4, 0x02, 0xF0, 0x25, 0x50, 0x78, 0xDC, 0xCF, 0x76, 0xBD, 0x59, 0xFC, 0x4C, 0xC6, 0x93, 0xCD, 0x64, 0x55, 0x59
-};
-
-static const unsigned char ecapp_fw23_prod_acexsig[0x100] =
-{
-	0x70, 0xF8, 0x6E, 0x2F, 0xC5, 0xE1, 0x2A, 0x05, 0x29, 0x3F, 0x04, 0xA1, 0xD8, 0x30, 0xEC, 0x09, 0x60, 0xC0, 0x90, 0x17, 0x53, 0x1E, 0x3C, 0x14, 0x56, 0xE2, 0xF9, 0x80, 0xD9, 0x22, 0x4A, 0xA7, 0xC7, 0xC6, 0x39, 0xC1, 0x77, 0x2F, 0xC5, 0x35, 0x2D, 0x7E, 0xC9, 0xED, 0x7E, 0xB6, 0x8F, 0x9A, 0x5F, 0xF1, 0x4B, 0xE2, 0xE7, 0x25, 0x37, 0xD1, 0xB6, 0xE5, 0x12, 0x00, 0xA2, 0x84, 0x8F, 0x43, 0xBB, 0xB7, 0x1E, 0x7B, 0xBA, 0x42, 0x45, 0x04, 0x6F, 0xB5, 0x39, 0x67, 0x2E, 0xD1, 0xA2, 0x01, 0xF9, 0x87, 0xF8, 0x6E, 0x88, 0x5B, 0x82, 0xB7, 0xA3, 0xCE, 0xA7, 0xE6, 0xD3, 0xB3, 0x73, 0x93, 0xCC, 0xD1, 0x69, 0x03, 0x53, 0xFD, 0xD3, 0xF1, 0x46, 0xF4, 0xAB, 0xC9, 0xB3, 0xEA, 0x09, 0xC4, 0x36, 0x27, 0x09, 0xFF, 0xBF, 0xA4, 0xF3, 0xC8, 0xB5, 0xD2, 0xC8, 0x0D, 0xC2, 0x6F, 0xA3, 0x7D, 0x63, 0xAD, 0xBE, 0x99, 0x2F, 0xAD, 0x0C, 0xC4, 0x22, 0xC5, 0x3C, 0x17, 0xF8, 0x06, 0x96, 0xBA, 0x1F, 0xEF, 0x77, 0xF5, 0xC6, 0xB4, 0x87, 0x8F, 0x27, 0xE3, 0x38, 0x27, 0x16, 0x13, 0x99, 0x70, 0x35, 0xF2, 0xB1, 0x79, 0x3C, 0x99, 0xB6, 0x2B, 0x32, 0x3D, 0x0F, 0x9A, 0x2D, 0xDB, 0x61, 0xAF, 0x76, 0x74, 0xBF, 0x9E, 0x04, 0x3B, 0xE7, 0xEA, 0xC6, 0x34, 0xC1, 0x53, 0xFF, 0x8E, 0x10, 0x1E, 0x3E, 0x6E, 0x72, 0xAB, 0x75, 0x13, 0x44, 0x94, 0x91, 0x94, 0x34, 0x45, 0xD0, 0x44, 0xD7, 0xC9, 0x17, 0x62, 0xC3, 0xB9, 0x72, 0xE2, 0x88, 0x6A, 0x8C, 0x1D, 0xEF, 0xF2, 0x93, 0x22, 0xF6, 0x88, 0xFC, 0x29, 0xB4, 0x8A, 0x9D, 0xF2, 0x4E, 0xF9, 0x3E, 0xEA, 0x4D, 0x41, 0x00, 0xB3, 0xC4, 0x8B, 0x80, 0xE0, 0xB2, 0xB4, 0xB4, 0x2B, 0xA5, 0xC0, 0x0F, 0x57, 0x90, 0xED, 0x64, 0x8D, 0xC0, 0xEE
-};
-
-/* SDK 7 (7.1.0) */
-// APP
-static const unsigned char app_fw27_prod_hdrpub[0x100] =
-{
-	0x9B, 0x3B, 0x52, 0x2D, 0x61, 0xF5, 0x0D, 0x14, 0x96, 0x09, 0x7A, 0x66, 0xC9, 0x86, 0x4C, 0x51, 0x61, 0x7D, 0xF8, 0x9B, 0xFD, 0xB0, 0x3E, 0x44, 0xC5, 0x0D, 0xC2, 0x6B, 0x6C, 0x66, 0x63, 0x3E, 0xE7, 0xC8, 0x04, 0xCB, 0x06, 0xC8, 0x35, 0xC5, 0x6D, 0xDB, 0x38, 0x36, 0xC5, 0x54, 0x32, 0xF0, 0x60, 0x11, 0x44, 0x9F, 0xD9, 0xFA, 0x6A, 0x43, 0xE1, 0x79, 0x56, 0xBF, 0xCF, 0xDD, 0xA8, 0x35, 0x15, 0x23, 0x51, 0xF9, 0x4B, 0xDA, 0x1A, 0xD9, 0x9D, 0x28, 0xF6, 0xCC, 0x1D, 0x53, 0x00, 0xC0, 0x3C, 0x13, 0x32, 0xBC, 0x7F, 0x75, 0x82, 0xCD, 0x79, 0xEF, 0x65, 0xBC, 0xCA, 0x98, 0x31, 0x0A, 0x7B, 0xEF, 0x18, 0xD8, 0xF3, 0x8D, 0x3A, 0x10, 0x22, 0xA0, 0xF2, 0x8D, 0xA5, 0xA8, 0xBE, 0xA0, 0x62, 0xEC, 0xE2, 0xC7, 0x6C, 0xCF, 0x06, 0x6B, 0xA7, 0xB5, 0xB8, 0x8C, 0xD5, 0x8E, 0xEF, 0xE3, 0x42, 0xC9, 0xAD, 0x44, 0x46, 0x3A, 0x4E, 0x77, 0x63, 0x02, 0xB4, 0x4E, 0xB4, 0x42, 0x65, 0x1D, 0x68, 0x98, 0x37, 0x7A, 0x27, 0x87, 0x31, 0xBE, 0x48, 0xFA, 0x4E, 0xD3, 0x85, 0xA6, 0xD6, 0xD2, 0x2D, 0xCD, 0x10, 0xC9, 0x13, 0x59, 0x12, 0x48, 0x14, 0x67, 0x3E, 0x40, 0xD3, 0xF8, 0x60, 0xA0, 0xBD, 0x77, 0x31, 0x76, 0x78, 0x85, 0x55, 0x53, 0x16, 0xF1, 0xB9, 0xFF, 0x7F, 0x3D, 0x9A, 0xF1, 0x33, 0x1E, 0x67, 0x8F, 0x6B, 0x4A, 0x7A, 0x79, 0x54, 0x8B, 0x43, 0xB5, 0xC2, 0xAF, 0xB8, 0x75, 0x11, 0xDE, 0x4D, 0x34, 0x6A, 0xD6, 0x5A, 0x3B, 0x48, 0x1F, 0x41, 0x9D, 0xF4, 0x58, 0x90, 0x67, 0xA8, 0x71, 0xD4, 0x09, 0x67, 0xF7, 0x55, 0xEF, 0xD3, 0x7C, 0x7D, 0x2F, 0x76, 0x84, 0x70, 0x6E, 0xAA, 0x75, 0x7D, 0xA9, 0x95, 0x42, 0xEF, 0x28, 0x29, 0x48, 0xCD, 0x79, 0xA8, 0x16, 0xB6, 0xB5
-};
-
-static const unsigned char app_fw27_prod_acexsig[0x100] =
-{
-	0x06, 0xDD, 0x68, 0x17, 0xAA, 0x40, 0x3A, 0x75, 0xD2, 0xCF, 0xA2, 0x5A, 0xC8, 0x1B, 0x74, 0x9D, 0x91, 0xCD, 0x38, 0x4E, 0xCA, 0x19, 0x60, 0x8E, 0x39, 0x71, 0x6C, 0xB9, 0xF9, 0x9F, 0x68, 0x44, 0xCF, 0x33, 0x94, 0x54, 0x72, 0xCC, 0xC6, 0x33, 0x96, 0x9F, 0x12, 0x07, 0xE9, 0x38, 0x87, 0x70, 0x11, 0x51, 0xFD, 0xBF, 0xD9, 0x2D, 0xFA, 0x3F, 0x70, 0x42, 0x75, 0x39, 0xE3, 0x97, 0x85, 0xAF, 0x7B, 0xC5, 0x87, 0x9B, 0x0B, 0xF9, 0xE4, 0x1C, 0xC5, 0x6B, 0x44, 0x2A, 0x10, 0x14, 0x86, 0xAA, 0xFE, 0x9E, 0x5B, 0x1D, 0x15, 0xBA, 0x8C, 0x34, 0xA2, 0xAF, 0x14, 0xD0, 0xD4, 0x0E, 0x7B, 0x3A, 0xD5, 0x3C, 0x53, 0xDB, 0x7C, 0xBE, 0x44, 0x58, 0x79, 0x42, 0x23, 0x3A, 0x77, 0xA3, 0x2C, 0xB9, 0xEB, 0x62, 0x19, 0x94, 0x2B, 0xA0, 0x67, 0x94, 0xC6, 0xB2, 0x90, 0xC6, 0x61, 0xFD, 0x43, 0xEC, 0xEA, 0x27, 0x7E, 0xA6, 0xB1, 0xED, 0xA9, 0x67, 0xED, 0x56, 0x91, 0x90, 0xF9, 0x32, 0x4E, 0xC3, 0x29, 0x5A, 0x84, 0x4C, 0xAB, 0x99, 0x75, 0x40, 0x8E, 0x19, 0xD9, 0x12, 0xD1, 0x06, 0x2D, 0xD0, 0x2C, 0xD9, 0x6C, 0x41, 0x35, 0x64, 0xDB, 0x80, 0x63, 0xB2, 0x01, 0xF8, 0x29, 0xAB, 0xF5, 0x70, 0x79, 0x4E, 0x0F, 0xFA, 0x23, 0x20, 0x2E, 0x04, 0x75, 0x48, 0x15, 0x9B, 0x71, 0xD5, 0x85, 0x09, 0x67, 0x7D, 0xAC, 0x6A, 0xFA, 0xC0, 0x16, 0xAF, 0x58, 0x26, 0xCD, 0x6F, 0x1F, 0xB8, 0xF5, 0x8D, 0xD1, 0x7D, 0x3D, 0x70, 0x2F, 0x08, 0xB8, 0x23, 0x61, 0x24, 0xAE, 0x94, 0x31, 0xA3, 0xBD, 0x1E, 0x18, 0xD7, 0x82, 0x92, 0xDD, 0x11, 0x79, 0x7D, 0x1F, 0xEC, 0x03, 0x08, 0x82, 0xCC, 0x52, 0x62, 0xC9, 0x27, 0x2D, 0x08, 0xD5, 0x6B, 0x4E, 0x86, 0x2E, 0x3F, 0x50, 0x5C, 0xA3, 0xC1, 0xDF, 0xF5
-};
diff --git a/makerom/exheader.c b/makerom/exheader.c
index 0d8065b7..9765e1cb 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -108,7 +108,7 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	/* Transfer settings */
 	exhdrset->keys = ncchset->keys;
 	exhdrset->rsf = ncchset->rsfSet;
-	exhdrset->useAccessDescPreset = ncchset->keys->accessDescSign.presetType != desc_preset_NONE;
+	exhdrset->useAccessDescPreset = ncchset->keys->accessDescSign.presetType != desc_NotSpecified;
 
 	/* Creating Output Buffer */
 	ncchset->sections.exhdr.size = sizeof(extended_hdr);
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 54d38fcc..1e1db788 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -1,4 +1,5 @@
 #pragma once
+#include "desc/desc.h"
 
 typedef enum
 {
@@ -28,16 +29,6 @@ typedef enum
 	pki_CUSTOM,
 } pki_keyset;
 
-typedef enum
-{
-	desc_preset_NONE,
-	desc_preset_APP,
-	desc_preset_EC_APP,
-	desc_preset_DLP,
-	desc_preset_DEMO,
-	desc_preset_FIRM,
-} fixed_accessdesc_type;
-
 // Structs
 
 typedef struct
@@ -48,7 +39,7 @@ typedef struct
 
 	struct
 	{
-		fixed_accessdesc_type presetType;
+		u32 presetType;
 		u32 targetFirmware;
 	} accessDescSign;
 
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index fa3547f7..7d442011 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -101,9 +101,9 @@
     <ClInclude Include="crr.h" />
     <ClInclude Include="crypto.h" />
     <ClInclude Include="ctr_utils.h" />
+    <ClInclude Include="desc\desc.h" />
     <ClInclude Include="desc\dev_sigdata.h" />
     <ClInclude Include="desc\presets.h" />
-    <ClInclude Include="desc\prod_sigdata.h" />
     <ClInclude Include="oschar.h" />
     <ClInclude Include="romfs_fs.h" />
     <ClInclude Include="elf.h" />
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index bcb59c1f..472d9e19 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -327,9 +327,6 @@
     <ClInclude Include="desc\presets.h">
       <Filter>Resource Files\DESC</Filter>
     </ClInclude>
-    <ClInclude Include="desc\prod_sigdata.h">
-      <Filter>Resource Files\DESC</Filter>
-    </ClInclude>
     <ClInclude Include="code.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -339,6 +336,9 @@
     <ClInclude Include="oschar.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="desc\desc.h">
+      <Filter>Resource Files\DESC</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="accessdesc.c">
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 21a6eed4..8fa490e0 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -84,7 +84,7 @@ void SetDefaults(user_settings *set)
 {
 	// Target Info
 	set->common.keys.keyset = pki_TEST;
-	set->common.keys.accessDescSign.presetType = desc_preset_NONE;
+	set->common.keys.accessDescSign.presetType = desc_NotSpecified;
 
 	// Build NCCH Info
 	set->ncch.useSecCrypto = false;
@@ -299,11 +299,13 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		char *app_type = calloc(app_type_len + 1, sizeof(char));
 		memcpy(app_type, tmp, app_type_len);
 
-		if (strcasecmp(app_type, "App") == 0 || strcasecmp(app_type, "SDApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_APP;
-		else if (strcasecmp(app_type, "ECApp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_EC_APP;
-		else if (strcasecmp(app_type, "Demo") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DEMO;
-		else if (strcasecmp(app_type, "DlpChild") == 0 || strcasecmp(app_type, "Dlp") == 0) set->common.keys.accessDescSign.presetType = desc_preset_DLP;
-		else if (strcasecmp(app_type, "FIRM") == 0) set->common.keys.accessDescSign.presetType = desc_preset_FIRM;
+		if (strcasecmp(app_type, "App") == 0 || strcasecmp(app_type, "SDApp") == 0) set->common.keys.accessDescSign.presetType = desc_Application;
+		else if (strcasecmp(app_type, "ECApp") == 0) set->common.keys.accessDescSign.presetType = desc_EcApplication;
+		else if (strcasecmp(app_type, "Demo") == 0) set->common.keys.accessDescSign.presetType = desc_Demo;
+		else if (strcasecmp(app_type, "DlpChild") == 0 || strcasecmp(app_type, "Dlp") == 0) set->common.keys.accessDescSign.presetType = desc_DlpChild;
+		else if (strcasecmp(app_type, "ExtApp") == 0) set->common.keys.accessDescSign.presetType = desc_ExtApplication;
+		else if (strcasecmp(app_type, "ExtDemo") == 0) set->common.keys.accessDescSign.presetType = desc_ExtDemo;
+		else if (strcasecmp(app_type, "ExtDlpChild") == 0 || strcasecmp(app_type, "ExtDlp") == 0) set->common.keys.accessDescSign.presetType = desc_ExtDlpChild;
 		else {
 			fprintf(stderr, "[SETTING ERROR] Accessdesc AppType preset '%s' not valid, please manually configure RSF\n", app_type);
 			return USR_BAD_ARG;

From a2f6616d21f08ca98c5c663c52d0951e3a87dad9 Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 26 Dec 2015 11:37:34 -0800
Subject: [PATCH 142/317] Fix Windows compilation by mapping fseeko64 to
 _fseeki64.

---
 ctrtool/utils.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ctrtool/utils.h b/ctrtool/utils.h
index 4d766aac..f813b0c0 100644
--- a/ctrtool/utils.h
+++ b/ctrtool/utils.h
@@ -41,7 +41,12 @@ int makedir(const char* dir);
 
 u64 _fsize(const char *filename);
 
-#ifndef _WIN32
+#ifdef _WIN32
+inline int fseeko64(FILE *__stream, long long __off, int __whence)
+{
+	return _fseeki64(__stream, __off, __whence);
+}
+#else
 extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence);
 #endif
 

From fc8eb8ce8cf65dc3a0651d555ae14f5339efffef Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 26 Dec 2015 11:38:37 -0800
Subject: [PATCH 143/317] Fix a bunch of Visual Studio compilation warnings,
 mostly related to truncating integers.

---
 ctrtool/cia.c      | 12 +++++-----
 ctrtool/ctr.c      |  2 +-
 ctrtool/cwav.c     | 10 ++++----
 ctrtool/filepath.c |  2 +-
 ctrtool/ivfc.c     |  8 +++----
 ctrtool/main.c     |  6 ++---
 ctrtool/ncch.c     |  8 +++----
 ctrtool/ncsd.c     |  2 +-
 ctrtool/romfs.c    |  6 ++---
 ctrtool/utils.c    | 60 +++++++++++++++++++++++-----------------------
 10 files changed, 58 insertions(+), 58 deletions(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index 91333bde..c2ba55bd 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -46,7 +46,7 @@ void cia_save(cia_context* ctx, u32 type, u32 flags)
 	filepath* path = 0;
 	ctr_tmd_body *body;
 	ctr_tmd_contentchunk *chunk;
-	int i;
+	unsigned int i;
 	char tmpname[255];
 
 	switch(type)
@@ -151,7 +151,7 @@ void cia_save_blob(cia_context *ctx, char *out_path, u64 offset, u64 size, int d
 	{
 		u32 max = sizeof(buffer);
 		if (max > size)
-			max = size;
+			max = (u32) size;
 
 		if (max != fread(buffer, 1, max, ctx->file))
 		{
@@ -195,9 +195,9 @@ void cia_process(cia_context* ctx, u32 actions)
 	ctx->sizemeta = getle32(ctx->header.metasize);
 	
 	ctx->offsetcerts = align(ctx->sizeheader, 64);
-	ctx->offsettik = align(ctx->offsetcerts + ctx->sizecert, 64);
-	ctx->offsettmd = align(ctx->offsettik + ctx->sizetik, 64);
-	ctx->offsetcontent = align(ctx->offsettmd + ctx->sizetmd, 64);
+	ctx->offsettik = align((u32) (ctx->offsetcerts + ctx->sizecert), 64);
+	ctx->offsettmd = align((u32) (ctx->offsettik + ctx->sizetik), 64);
+	ctx->offsetcontent = align((u32) (ctx->offsettmd + ctx->sizetmd), 64);
 	ctx->offsetmeta = align64(ctx->offsetcontent + ctx->sizecontent, 64);
 
 	if (actions & InfoFlag)
@@ -253,7 +253,7 @@ void cia_verify_contents(cia_context *ctx, u32 actions)
 	ctr_tmd_contentchunk *chunk;
 	u8 *verify_buf;
 	u32 content_size=0;
-	int i;
+	unsigned i;
 
 	// verify TMD content hashes, requires decryption ..
 	body  = tmd_get_body(&ctx->tmd);
diff --git a/ctrtool/ctr.c b/ctrtool/ctr.c
index 6948bf8f..e5198f70 100644
--- a/ctrtool/ctr.c
+++ b/ctrtool/ctr.c
@@ -244,7 +244,7 @@ int ctr_rsa_verify_hash(const u8 signature[0x100], const u8 hash[0x20], rsakey20
 {
 	ctr_rsa_context ctx;
 	u32 result;
-	u8 output[0x100];
+//	u8 output[0x100];
 
 	if (key->keytype == RSAKEY_INVALID)
 		return Fail;
diff --git a/ctrtool/cwav.c b/ctrtool/cwav.c
index 4c1242d7..cf9f59b8 100644
--- a/ctrtool/cwav.c
+++ b/ctrtool/cwav.c
@@ -429,7 +429,7 @@ int cwav_dspadpcm_setup(cwav_dspadpcmstate* state, cwav_context* ctx, int isloop
 		}
 
 		state->channelstate[i].samplebuffer = state->samplebuffer + SAMPLECOUNT * i;
-		state->channelstate[i].sampleoffset = ctx->offset + getle32(adpcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset;
+		state->channelstate[i].sampleoffset = (u32) (ctx->offset + getle32(adpcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset);
 		if (isloop)
 		{
 			state->channelstate[i].yn1 = getle16(adpcminfo->loopyn1);
@@ -627,7 +627,7 @@ int cwav_imaadpcm_setup(cwav_imaadpcmstate* state, cwav_context* ctx, int isloop
 		}
 
 		state->channelstate[i].samplebuffer = state->samplebuffer + SAMPLECOUNT * i;
-		state->channelstate[i].sampleoffset = ctx->offset + getle32(adpcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset;
+		state->channelstate[i].sampleoffset = (u32) (ctx->offset + getle32(adpcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset);
 		if (isloop)
 		{
 			state->channelstate[i].data = getle16(adpcminfo->loopdata);
@@ -826,7 +826,7 @@ int cwav_pcm_setup(cwav_pcmstate* state, cwav_context* ctx, int isloop)
 		cwav_channel* pcmchannel = &ctx->channel[i];
 
 		state->channelstate[i].samplebuffer = state->samplebuffer + SAMPLECOUNT * i;
-		state->channelstate[i].sampleoffset = ctx->offset + getle32(pcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset;
+		state->channelstate[i].sampleoffset = (u32) (ctx->offset + getle32(pcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset);
 		stream_in_allocate(&state->channelstate[i].instreamctx, BUFFERSIZE, ctx->file);
 		stream_in_seek(&state->channelstate[i].instreamctx, state->channelstate[i].sampleoffset);
 	}
@@ -932,7 +932,7 @@ void cwav_print(cwav_context* ctx)
 	cwav_header* header = &ctx->header;
 	cwav_infoheader* infoheader = &ctx->infoheader;
 	u32 i;
-	u32 infoheaderoffset = ctx->offset + getle32(ctx->header.infoblockref.offset);
+	u32 infoheaderoffset = (u32) (ctx->offset + getle32(ctx->header.infoblockref.offset));
 	u32 channelcount = getle32(infoheader->channelcount);
 
 	fprintf(stdout, "Header:                 %c%c%c%c\n", header->magic[0], header->magic[1], header->magic[2], header->magic[3]);
@@ -962,7 +962,7 @@ void cwav_print(cwav_context* ctx)
 		{
 			u32 channeloffset = infoheaderoffset + 0x1C + getle32(ctx->channel[i].inforef.offset);
 			u32 codecoffset = channeloffset + getle32(ctx->channel[i].info.codecref.offset);
-			u32 sampleoffset = ctx->offset + getle32(ctx->channel[i].info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8;
+			u32 sampleoffset = (u32) (ctx->offset + getle32(ctx->channel[i].info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8);
 
 			fprintf(stdout, "Channel %d:\n", i);
 			fprintf(stdout, " > Channel ref idtype:  0x%04X\n", getle16(ctx->channel[i].inforef.idtype));
diff --git a/ctrtool/filepath.c b/ctrtool/filepath.c
index 94321e22..366bb65b 100644
--- a/ctrtool/filepath.c
+++ b/ctrtool/filepath.c
@@ -47,7 +47,7 @@ void filepath_append_utf16(filepath* fpath, const u8* name)
 		if (code > 0x7F)
 			code = '#';
 		
-		fpath->pathname[size++] = code;
+		fpath->pathname[size++] = (char) code;
 	}
 
 	fpath->pathname[size] = 0;
diff --git a/ctrtool/ivfc.c b/ctrtool/ivfc.c
index fb7a5f05..041afda3 100644
--- a/ctrtool/ivfc.c
+++ b/ctrtool/ivfc.c
@@ -51,7 +51,7 @@ void ivfc_fseek(ivfc_context* ctx, u64 offset)
 	u64 data_pos = offset - ctx->offset;
 	fseeko64(ctx->file, offset, SEEK_SET);
 	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
-	ctr_add_counter(&ctx->aes, data_pos / 0x10);
+	ctr_add_counter(&ctx->aes, (u32) (data_pos / 0x10));
 }
 
 size_t ivfc_fread(ivfc_context* ctx, void* buffer, size_t size, size_t count)
@@ -128,7 +128,7 @@ void ivfc_verify(ivfc_context* ctx, u32 flags)
 	{
 		ivfc_level* level = ctx->level + i;
 
-		blockcount = level->datasize / level->hashblocksize;
+		blockcount = (u32) (level->datasize / level->hashblocksize);
 		if (level->datasize % level->hashblocksize != 0)
 		{
 			fprintf(stderr, "Error, IVFC block size mismatch\n");
@@ -160,7 +160,7 @@ void ivfc_read(ivfc_context* ctx, u64 offset, u64 size, u8* buffer)
 	}
 
 	ivfc_fseek(ctx, ctx->offset + offset);
-	if (size != ivfc_fread(ctx, buffer, 1, size))
+	if (size != ivfc_fread(ctx, buffer, 1, (size_t) size))
 	{
 		fprintf(stderr, "Error, IVFC could not read file\n");
 		return;
@@ -177,7 +177,7 @@ void ivfc_hash(ivfc_context* ctx, u64 offset, u64 size, u8* hash)
 
 	ivfc_read(ctx, offset, size, ctx->buffer);
 
-	ctr_sha_256(ctx->buffer, size, hash);
+	ctr_sha_256(ctx->buffer, (u32) size, hash);
 }
 
 void ivfc_print(ivfc_context* ctx)
diff --git a/ctrtool/main.c b/ctrtool/main.c
index 4a7199be..7997f172 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -344,7 +344,7 @@ int main(int argc, char* argv[])
 
 			firm_init(&firmctx);
 			firm_set_file(&firmctx, ctx.infile);
-			firm_set_size(&firmctx, ctx.infilesize);
+			firm_set_size(&firmctx, (u32) ctx.infilesize);
 			firm_set_usersettings(&firmctx, &ctx.usersettings);
 			firm_process(&firmctx, ctx.actions);
 			
@@ -399,7 +399,7 @@ int main(int argc, char* argv[])
 
 			tmd_init(&tmdctx);
 			tmd_set_file(&tmdctx, ctx.infile);
-			tmd_set_size(&tmdctx, ctx.infilesize);
+			tmd_set_size(&tmdctx, (u32) ctx.infilesize);
 			tmd_set_usersettings(&tmdctx, &ctx.usersettings);
 			tmd_process(&tmdctx, ctx.actions);
 	
@@ -412,7 +412,7 @@ int main(int argc, char* argv[])
 
 			lzss_init(&lzssctx);
 			lzss_set_file(&lzssctx, ctx.infile);
-			lzss_set_size(&lzssctx, ctx.infilesize);
+			lzss_set_size(&lzssctx, (u32) ctx.infilesize);
 			lzss_set_usersettings(&lzssctx, &ctx.usersettings);
 			lzss_process(&lzssctx, ctx.actions);
 	
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 7c06b231..8d2a9ff6 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -48,7 +48,7 @@ void ncch_set_file(ncch_context* ctx, FILE* file)
 void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 {
 	u32 version = getle16(ctx->header.version);
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
+	u32 mediaunitsize = (u32) ncch_get_mediaunit_size(ctx);
 	u8* partitionid = ctx->header.partitionid;
 	u32 i;
 	u64 x = 0;
@@ -73,7 +73,7 @@ void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 		for(i=0; i<8; i++)
 			counter[i] = partitionid[i];
 		for(i=0; i<4; i++)
-			counter[12+i] = x>>((3-i)*8);
+			counter[12+i] = (u8) (x>>((3-i)*8));
 	}
 }
 
@@ -148,7 +148,7 @@ int ncch_extract_buffer(ncch_context* ctx, u8* buffer, u32 buffersize, u32* outs
 	u32 read_len = buffersize;
 
 	if (read_len > ctx->extractsize)
-		read_len = ctx->extractsize;
+		read_len = (u32) ctx->extractsize;
 
 	*outsize = read_len;
 
@@ -234,7 +234,7 @@ void ncch_save(ncch_context* ctx, u32 type, u32 flags)
 
 void ncch_verify(ncch_context* ctx, u32 flags)
 {
-	u32 mediaunitsize = ncch_get_mediaunit_size(ctx);
+	u32 mediaunitsize = (u32) ncch_get_mediaunit_size(ctx);
 	u32 exefshashregionsize = getle32(ctx->header.exefshashregionsize) * mediaunitsize;
 	u32 romfshashregionsize = getle32(ctx->header.romfshashregionsize) * mediaunitsize;
 	u32 exheaderhashregionsize = getle32(ctx->header.extendedheadersize);
diff --git a/ctrtool/ncsd.c b/ctrtool/ncsd.c
index 384216a1..4a7d9284 100644
--- a/ctrtool/ncsd.c
+++ b/ctrtool/ncsd.c
@@ -120,7 +120,7 @@ void ncsd_print(ncsd_context* ctx)
 	char magic[5];
 	ctr_ncsdheader* header = &ctx->header;
 	unsigned int i;
-	unsigned int mediaunitsize = ncsd_get_mediaunit_size(ctx);
+	unsigned int mediaunitsize = (unsigned int) ncsd_get_mediaunit_size(ctx);
 
 
 	memcpy(magic, header->magic, 4);
diff --git a/ctrtool/romfs.c b/ctrtool/romfs.c
index 5889bdc4..f8c9ffb0 100644
--- a/ctrtool/romfs.c
+++ b/ctrtool/romfs.c
@@ -50,7 +50,7 @@ void romfs_fseek(romfs_context* ctx, u64 offset)
 	u64 data_pos = offset - ctx->offset;
 	fseeko64(ctx->file, offset, SEEK_SET);
 	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
-	ctr_add_counter(&ctx->aes, data_pos / 0x10);
+	ctr_add_counter(&ctx->aes, (u32) (data_pos / 0x10));
 }
 
 size_t romfs_fread(romfs_context* ctx, void* buffer, size_t size, size_t count)
@@ -91,7 +91,7 @@ void romfs_process(romfs_context* ctx, u32 actions)
 		return;
 	}
 
-	ctx->infoblockoffset = ctx->offset + 0x1000;
+	ctx->infoblockoffset = (u32) (ctx->offset + 0x1000);
 
 	romfs_fseek(ctx, ctx->infoblockoffset);
 	romfs_fread(ctx, &ctx->infoheader, 1, sizeof(romfs_infoheader));
@@ -363,7 +363,7 @@ void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, const osch
 	{
 		max = sizeof(buffer);
 		if (max > size)
-			max = size;
+			max = (u32) size;
 
 		if (max != romfs_fread(ctx, buffer, 1, max))
 		{
diff --git a/ctrtool/utils.c b/ctrtool/utils.c
index 1f21f073..fe12a62e 100644
--- a/ctrtool/utils.c
+++ b/ctrtool/utils.c
@@ -73,59 +73,59 @@ u32 getbe16(const u8* p)
 
 void putle16(u8* p, u16 n)
 {
-	p[0] = n;
-	p[1] = n>>8;
+	p[0] = (u8) n;
+	p[1] = (u8) (n>>8);
 }
 
 void putle32(u8* p, u32 n)
 {
-	p[0] = n;
-	p[1] = n>>8;
-	p[2] = n>>16;
-	p[3] = n>>24;
+	p[0] = (u8) n;
+	p[1] = (u8) (n>>8);
+	p[2] = (u8) (n>>16);
+	p[3] = (u8) (n>>24);
 }
 
 void putle64(u8* p, u64 n)
 {
-	p[0] = n;
-	p[1] = n >> 8;
-	p[2] = n >> 16;
-	p[3] = n >> 24;
-	p[4] = n >> 32;
-	p[5] = n >> 40;
-	p[6] = n >> 48;
-	p[7] = n >> 56;
+	p[0] = (u8) n;
+	p[1] = (u8) (n >> 8);
+	p[2] = (u8) (n >> 16);
+	p[3] = (u8) (n >> 24);
+	p[4] = (u8) (n >> 32);
+	p[5] = (u8) (n >> 40);
+	p[6] = (u8) (n >> 48);
+	p[7] = (u8) (n >> 56);
 }
 
 void putbe16(u8* p, u16 n)
 {
-	p[1] = n;
-	p[0] = n >> 8;
+	p[1] = (u8) n;
+	p[0] = (u8) (n >> 8);
 }
 
 void putbe32(u8* p, u32 n)
 {
-	p[3] = n;
-	p[2] = n >> 8;
-	p[1] = n >> 16;
-	p[0] = n >> 24;
+	p[3] = (u8) n;
+	p[2] = (u8) (n >> 8);
+	p[1] = (u8) (n >> 16);
+	p[0] = (u8) (n >> 24);
 }
 
 void putbe64(u8* p, u64 n)
 {
-	p[7] = n;
-	p[6] = n >> 8;
-	p[5] = n >> 16;
-	p[4] = n >> 24;
-	p[3] = n >> 32;
-	p[2] = n >> 40;
-	p[1] = n >> 48;
-	p[0] = n >> 56;
+	p[7] = (u8) n;
+	p[6] = (u8) (n >> 8);
+	p[5] = (u8) (n >> 16);
+	p[4] = (u8) (n >> 24);
+	p[3] = (u8) (n >> 32);
+	p[2] = (u8) (n >> 40);
+	p[1] = (u8) (n >> 48);
+	p[0] = (u8) (n >> 56);
 }
 
 void readkeyfile(u8* key, const char* keyfname)
 {
-	u32 keysize = _fsize(keyfname);
+	u64 keysize = _fsize(keyfname);
 	FILE* f = fopen(keyfname, "rb");
 	
 	if (0 == f)
@@ -136,7 +136,7 @@ void readkeyfile(u8* key, const char* keyfname)
 
 	if (keysize != 16)
 	{
-		fprintf(stdout, "Error key size mismatch, got %d, expected %d\n", keysize, 16);
+		fprintf(stdout, "Error key size mismatch, got %"PRId64", expected %d\n", keysize, 16);
 		goto clean;
 	}
 

From a0ee2ae83ce8df792d6885b9ae7a3c3396d06183 Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 26 Dec 2015 11:39:33 -0800
Subject: [PATCH 144/317] Disable lame "security" warnings from Visual Studio.
 Changed C runtime library to static for release builds, so that no external
 .dll is required.

---
 ctrtool/ctrtool.vcxproj | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ctrtool/ctrtool.vcxproj b/ctrtool/ctrtool.vcxproj
index d16bc575..e0d01b55 100644
--- a/ctrtool/ctrtool.vcxproj
+++ b/ctrtool/ctrtool.vcxproj
@@ -54,7 +54,7 @@
     <ClCompile>
       <Optimization>Disabled</Optimization>
       <AdditionalIncludeDirectories>windows;.;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions>WIN32;_CRT_SECURE_NO_WARNINGS;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <MinimalRebuild>true</MinimalRebuild>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
@@ -75,15 +75,14 @@
       <Optimization>MaxSpeed</Optimization>
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <AdditionalIncludeDirectories>windows;.;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PreprocessorDefinitions>WIN32;_CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
       <FunctionLevelLinking>true</FunctionLevelLinking>
       <PrecompiledHeader />
       <WarningLevel>Level3</WarningLevel>
       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
     </ClCompile>
     <Link>
-      <OutputFile>c:\dev\tools\bin\ctrtool.exe</OutputFile>
       <GenerateDebugInformation>true</GenerateDebugInformation>
       <SubSystem>Console</SubSystem>
       <OptimizeReferences>true</OptimizeReferences>

From 35ab1ad3a0c394ee03a60dbf21c53a4336f17e2f Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 26 Dec 2015 11:40:09 -0800
Subject: [PATCH 145/317] Formatting fix for help text.

---
 ctrtool/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/main.c b/ctrtool/main.c
index 7997f172..76f9ad6f 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -66,7 +66,7 @@ static void usage(const char *argv0)
 		   "  -n, --ncch=index   Specify NCCH partition index.\n"
 		   "  --exheader=file    Specify Extended Header file path.\n"
 		   "  --logo=file        Specify Logo file path.\n"
-		   "  --plainrgn=file    Specify Plain region file path"
+		   "  --plainrgn=file    Specify Plain region file path\n"
 		   "  --exefs=file       Specify ExeFS file path.\n"
 		   "  --exefsdir=dir     Specify ExeFS directory path.\n"
 		   "  --romfs=file       Specify RomFS file path.\n"

From 57818a56776cfa3171c314f39b39b082d1487190 Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 26 Dec 2015 11:45:54 -0800
Subject: [PATCH 146/317] keysize is unsigned.

---
 ctrtool/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/utils.c b/ctrtool/utils.c
index fe12a62e..92125e5b 100644
--- a/ctrtool/utils.c
+++ b/ctrtool/utils.c
@@ -136,7 +136,7 @@ void readkeyfile(u8* key, const char* keyfname)
 
 	if (keysize != 16)
 	{
-		fprintf(stdout, "Error key size mismatch, got %"PRId64", expected %d\n", keysize, 16);
+		fprintf(stdout, "Error key size mismatch, got %"PRIu64", expected %d\n", keysize, 16);
 		goto clean;
 	}
 

From 7e9893ec4d97cfad3c18715b91751e3f008d9dce Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 26 Dec 2015 12:45:45 -0800
Subject: [PATCH 147/317] Added support for --showsyscalls, which shows the
 names of the system calls, rather than just their IDs.

---
 ctrtool/ctrtool.vcxproj         |   2 +
 ctrtool/ctrtool.vcxproj.filters |   6 ++
 ctrtool/exheader.c              |  84 ++++++++++------
 ctrtool/exheader.h              |   2 +-
 ctrtool/main.c                  |   3 +
 ctrtool/syscalls.c              | 165 ++++++++++++++++++++++++++++++++
 ctrtool/syscalls.h              |  19 ++++
 ctrtool/types.h                 |   3 +-
 8 files changed, 253 insertions(+), 31 deletions(-)
 create mode 100644 ctrtool/syscalls.c
 create mode 100644 ctrtool/syscalls.h

diff --git a/ctrtool/ctrtool.vcxproj b/ctrtool/ctrtool.vcxproj
index e0d01b55..71596d61 100644
--- a/ctrtool/ctrtool.vcxproj
+++ b/ctrtool/ctrtool.vcxproj
@@ -99,6 +99,7 @@
     <ClCompile Include="filepath.c" />
     <ClCompile Include="firm.c" />
     <ClCompile Include="oschar.c" />
+    <ClCompile Include="syscalls.c" />
     <ClCompile Include="windows\getopt.c" />
     <ClCompile Include="windows\getopt1.c" />
     <ClCompile Include="ivfc.c" />
@@ -131,6 +132,7 @@
     <ClInclude Include="filepath.h" />
     <ClInclude Include="firm.h" />
     <ClInclude Include="oschar.h" />
+    <ClInclude Include="syscalls.h" />
     <ClInclude Include="windows\getopt.h" />
     <ClInclude Include="info.h" />
     <ClInclude Include="ivfc.h" />
diff --git a/ctrtool/ctrtool.vcxproj.filters b/ctrtool/ctrtool.vcxproj.filters
index 075c29de..f7862f27 100644
--- a/ctrtool/ctrtool.vcxproj.filters
+++ b/ctrtool/ctrtool.vcxproj.filters
@@ -117,6 +117,9 @@
     <ClCompile Include="oschar.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="syscalls.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="cia.h">
@@ -209,5 +212,8 @@
     <ClInclude Include="oschar.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="syscalls.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 9715616f..e9a6af1d 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -1,3 +1,4 @@
+#include <stdbool.h>
 #include <stdio.h>
 #include <string.h>
 
@@ -5,6 +6,7 @@
 #include "exheader.h"
 #include "utils.h"
 #include "ncch.h"
+#include "syscalls.h"
 #include <inttypes.h>
 
 void exheader_init(exheader_context* ctx)
@@ -193,7 +195,7 @@ int exheader_process(exheader_context* ctx, u32 actions)
 		exheader_verify(ctx);
 
 	if (actions & InfoFlag)
-		exheader_print(ctx);
+		exheader_print(ctx, actions);
 
 	return 1;
 }
@@ -231,7 +233,7 @@ void exheader_print_arm9accesscontrol(exheader_context* ctx)
 	}
 }
 
-void exheader_print_arm11kernelcapabilities(exheader_context* ctx)
+void exheader_print_arm11kernelcapabilities(exheader_context* ctx, u32 actions)
 {
 	unsigned int i, j;
 	unsigned int systemcallmask[8];
@@ -294,42 +296,66 @@ void exheader_print_arm11kernelcapabilities(exheader_context* ctx)
 	}
 
 	fprintf(stdout, "Allowed systemcalls:    ");
-	for(i=0; i<8; i++)
+	if(!(actions & ShowSyscallsFlag))
 	{
-		for(j=0; j<24; j++)
+		for(i=0; i<8; i++)
 		{
-			svcmask = systemcallmask[i];
-
-			if (svcmask & (1<<j))
+			for(j=0; j<24; j++)
 			{
-				unsigned int svcid = i*24+j;
-				if (svccount == 0)
-				{
-					fprintf(stdout, "0x%02X", svcid);
-				}
-				else if ( (svccount & 7) == 0)
-				{
-					fprintf(stdout, "                        ");
-					fprintf(stdout, "0x%02X", svcid);
-				}
-				else
-				{
-					fprintf(stdout, ", 0x%02X", svcid);
-				}
+				svcmask = systemcallmask[i];
 
-				svccount++;
-				if ( (svccount & 7) == 0)
+				if (svcmask & (1<<j))
 				{
-					fprintf(stdout, "\n");
+					unsigned int svcid = i*24+j;
+					if (svccount == 0)
+					{
+						fprintf(stdout, "0x%02X", svcid);
+					}
+					else if ( (svccount & 7) == 0)
+					{
+						fprintf(stdout, "                        ");
+						fprintf(stdout, "0x%02X", svcid);
+					}
+					else
+					{
+						fprintf(stdout, ", 0x%02X", svcid);
+					}
+
+					svccount++;
+					if ( (svccount & 7) == 0)
+					{
+						fprintf(stdout, "\n");
+					}
 				}
 			}
 		}
+		if (svccount & 7)
+			fprintf(stdout, "\n");
+		if (svccount == 0)
+			fprintf(stdout, "none\n");
 	}
-	if (svccount & 7)
+	else
+	{
 		fprintf(stdout, "\n");
-	if (svccount == 0)
-		fprintf(stdout, "none\n");
 
+		for(i=0; i<8; i++)
+		{
+			for(j=0; j<24; j++)
+			{
+				svcmask = systemcallmask[i];
+
+				if (svcmask & (1 << j))
+				{
+					unsigned int svcid = i * 24 + j;
+					char svcname[128];
+
+					syscall_get_name(svcname, sizeof(svcname), svcid);
+
+					fprintf(stdout, " > 0x%02X %s\n", svcid, svcname);
+				}
+			}
+		}
+	}
 
 	fprintf(stdout, "Allowed interrupts:     ");
 	for(i=0; i<0x7F; i++)
@@ -618,7 +644,7 @@ const char* exheader_getsystemmodeextstring(u8 systemmodeext, u8 systemmode)
 }
 
 
-void exheader_print(exheader_context* ctx)
+void exheader_print(exheader_context* ctx, u32 actions)
 {
 	u32 i;
 	u64 savedatasize = getle64(ctx->header.systeminfo.savedatasize);
@@ -679,7 +705,7 @@ void exheader_print(exheader_context* ctx)
 	fprintf(stdout, "Main thread priority:   %d %s\n", ctx->system_local_caps.priority, exheader_getvalidstring(ctx->validpriority));
 	// print resource limit descriptor too? currently mostly zeroes...
 	exheader_print_arm11storageinfo(ctx);
-	exheader_print_arm11kernelcapabilities(ctx);
+	exheader_print_arm11kernelcapabilities(ctx, actions);
 	exheader_print_arm9accesscontrol(ctx);
 
 	fprintf(stdout, "Service access: %s\n", exheader_getvalidstring(ctx->validservicecontrol));
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index 9691e0f1..9ac656f0 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -194,7 +194,7 @@ int exheader_get_compressedflag(exheader_context* ctx);
 void exheader_read(exheader_context* ctx, u32 actions);
 int exheader_process(exheader_context* ctx, u32 actions);
 const char* exheader_getvalidstring(int valid);
-void exheader_print(exheader_context* ctx);
+void exheader_print(exheader_context* ctx, u32 actions);
 void exheader_verify(exheader_context* ctx);
 int exheader_hash_valid(exheader_context* ctx);
 int exheader_programid_valid(exheader_context* ctx);
diff --git a/ctrtool/main.c b/ctrtool/main.c
index 76f9ad6f..8282c9b3 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -58,6 +58,7 @@ static void usage(const char *argv0)
 		   "  --ncchkey=key      Set ncch key.\n"
 		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
 		   "  --showkeys         Show the keys being used.\n"
+		   "  --showsyscalls     Show system call names instead of numbers.\n"
 		   "  -t, --intype=type	 Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
 		   "                        firm, cwav, exefs, romfs]\n"
 		   "LZSS options:\n"
@@ -150,6 +151,7 @@ int main(int argc, char* argv[])
 			{"decompresscode", 0, NULL, 21},
 			{"titlekey", 1, NULL, 22},
 			{"plainrgn", 1, NULL, 23},
+			{"showsyscalls", 0, NULL, 24},
 			{NULL},
 		};
 
@@ -239,6 +241,7 @@ int main(int argc, char* argv[])
 			case 21: ctx.actions |= DecompressCodeFlag; break;
 			case 22: keyset_parse_titlekey(&tmpkeys, optarg, strlen(optarg)); break;
 			case 23: settings_set_plainrgn_path(&ctx.usersettings, optarg); break;
+			case 24: ctx.actions |= ShowSyscallsFlag; break;
 
 			default:
 				usage(argv[0]);
diff --git a/ctrtool/syscalls.c b/ctrtool/syscalls.c
new file mode 100644
index 00000000..edf8e8c4
--- /dev/null
+++ b/ctrtool/syscalls.c
@@ -0,0 +1,165 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <string.h>
+#include "syscalls.h"
+
+// List of 3DS system calls.  NULL indicates unknown.
+static const char *const syscall_list[NUM_SYSCALLS] =
+{
+	NULL,                                // 00
+	"ControlMemory",                     // 01
+	"QueryMemory",                       // 02
+	"ExitProcess",                       // 03
+	"GetProcessAffinityMask",            // 04
+	"SetProcessAffinityMask",            // 05
+	"GetProcessIdealProcessor",          // 06
+	"SetProcessIdealProcessor",          // 07
+	"CreateThread",                      // 08
+	"ExitThread",                        // 09
+	"SleepThread",                       // 0A
+	"GetThreadPriority",                 // 0B
+	"SetThreadPriority",                 // 0C
+	"GetThreadAffinityMask",             // 0D
+	"SetThreadAffinityMask",             // 0E
+	"GetThreadIdealProcessor",           // 0F
+	"SetThreadIdealProcessor",           // 10
+	"GetCurrentProcessorNumber",         // 11
+	"Run",                               // 12
+	"CreateMutex",                       // 13
+	"ReleaseMutex",                      // 14
+	"CreateSemaphore",                   // 15
+	"ReleaseSemaphore",                  // 16
+	"CreateEvent",                       // 17
+	"SignalEvent",                       // 18
+	"ClearEvent",                        // 19
+	"CreateTimer",                       // 1A
+	"SetTimer",                          // 1B
+	"CancelTimer",                       // 1C
+	"ClearTimer",                        // 1D
+	"CreateMemoryBlock",                 // 1E
+	"MapMemoryBlock",                    // 1F
+	"UnmapMemoryBlock",                  // 20
+	"CreateAddressArbiter",              // 21
+	"ArbitrateAddress",                  // 22
+	"CloseHandle",                       // 23
+	"WaitSynchronization1",              // 24
+	"WaitSynchronizationN",              // 25
+	"SignalAndWait",                     // 26
+	"DuplicateHandle",                   // 27
+	"GetSystemTick",                     // 28
+	"GetHandleInfo",                     // 29
+	"GetSystemInfo",                     // 2A
+	"GetProcessInfo",                    // 2B
+	"GetThreadInfo",                     // 2C
+	"ConnectToPort",                     // 2D
+	"SendSyncRequest1",                  // 2E
+	"SendSyncRequest2",                  // 2F
+	"SendSyncRequest3",                  // 30
+	"SendSyncRequest4",                  // 31
+	"SendSyncRequest",                   // 32
+	"OpenProcess",                       // 33
+	"OpenThread",                        // 34
+	"GetProcessId",                      // 35
+	"GetProcessIdOfThread",              // 36
+	"GetThreadId",                       // 37
+	"GetResourceLimit",                  // 38
+	"GetResourceLimitLimitValues",       // 39
+	"GetResourceLimitCurrentValues",     // 3A
+	"GetThreadContext",                  // 3B
+	"Break",                             // 3C
+	"OutputDebugString",                 // 3D
+	"ControlPerformanceCounter",         // 3E
+	NULL,                                // 3F
+	NULL,                                // 40
+	NULL,                                // 41
+	NULL,                                // 42
+	NULL,                                // 43
+	NULL,                                // 44
+	NULL,                                // 45
+	NULL,                                // 46
+	"CreatePort",                        // 47
+	"CreateSessionToPort",               // 48
+	"CreateSession",                     // 49
+	"AcceptSession",                     // 4A
+	"ReplyAndReceive1",                  // 4B
+	"ReplyAndReceive2",                  // 4C
+	"ReplyAndReceive3",                  // 4D
+	"ReplyAndReceive4",                  // 4E
+	"ReplyAndReceive",                   // 4F
+	"BindInterrupt",                     // 50
+	"UnbindInterrupt",                   // 51
+	"InvalidateProcessDataCache",        // 52
+	"StoreProcessDataCache",             // 53
+	"FlushProcessDataCache",             // 54
+	"StartInterProcessDma",              // 55
+	"StopDma",                           // 56
+	"GetDmaState",                       // 57
+	"RestartDma",                        // 58
+	NULL,                                // 59
+	NULL,                                // 5A
+	NULL,                                // 5B
+	NULL,                                // 5C
+	NULL,                                // 5D
+	NULL,                                // 5E
+	NULL,                                // 5F
+	"DebugActiveProcess",                // 60
+	"BreakDebugProcess",                 // 61
+	"TerminateDebugProcess",             // 62
+	"GetProcessDebugEvent",              // 63
+	"ContinueDebugEvent",                // 64
+	"GetProcessList",                    // 65
+	"GetThreadList",                     // 66
+	"GetDebugThreadContext",             // 67
+	"SetDebugThreadContext",             // 68
+	"QueryDebugProcessMemory",           // 69
+	"ReadProcessMemory",                 // 6A
+	"WriteProcessMemory",                // 6B
+	"SetHardwareBreakPoint",             // 6C
+	"GetDebugThreadParam",               // 6D
+	NULL,                                // 6E
+	NULL,                                // 6F
+	"ControlProcessMemory",              // 70
+	"MapProcessMemory",                  // 71
+	"UnmapProcessMemory",                // 72
+	"CreateCodeSet",                     // 73
+	NULL,                                // 74
+	"CreateProcess",                     // 75
+	"TerminateProcess",                  // 76
+	"SetProcessResourceLimits",          // 77
+	"CreateResourceLimit",               // 78
+	"SetResourceLimitValues",            // 79
+	"AddCodeSegment",                    // 7A
+	"Backdoor",                          // 7B
+	"KernelSetState",                    // 7C
+	"QueryProcessMemory",                // 7D
+	NULL,                                // 7E
+	NULL,                                // 7F
+};
+
+
+void syscall_get_name(char *output, size_t size, unsigned int call_num)
+{
+	typedef char StaticAssert[sizeof(syscall_list) / sizeof(syscall_list[0]) == NUM_SYSCALLS ? 1 : -1];
+
+	if (size == 0)
+	{
+		return;
+	}
+
+	const char *name = NULL;
+	if (call_num < (unsigned int) NUM_SYSCALLS)
+	{
+		name = syscall_list[call_num];
+	}
+
+	char name_buf[] = "UnknownXX";
+	sprintf(&name_buf[sizeof(name_buf) - 3], "%02X", call_num & 0xFFu);
+
+	name = name ? name : name_buf;
+
+	size_t length = strlen(name);
+	length = (length > (size - 1)) ? (size - 1) : length;
+
+	memcpy(output, name, length);
+	output[length] = '\0';
+}
diff --git a/ctrtool/syscalls.h b/ctrtool/syscalls.h
new file mode 100644
index 00000000..5afca898
--- /dev/null
+++ b/ctrtool/syscalls.h
@@ -0,0 +1,19 @@
+#ifndef _SYSCALLS_H_
+#define _SYSCALLS_H_
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+enum { NUM_SYSCALLS = 0x80 };
+
+void syscall_get_name(char *output, size_t size, unsigned int call_num);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif
diff --git a/ctrtool/types.h b/ctrtool/types.h
index 9234fe1f..5904a080 100644
--- a/ctrtool/types.h
+++ b/ctrtool/types.h
@@ -23,7 +23,8 @@ enum flags
 	VerifyFlag = (1<<4),
 	RawFlag = (1<<5),
 	ShowKeysFlag = (1<<6),
-	DecompressCodeFlag = (1<<7)
+	DecompressCodeFlag = (1<<7),
+	ShowSyscallsFlag = (1<<8),
 };
 
 enum validstate

From 11d4d2a5edcbd968ae4a5edc6851e686253a6aa2 Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 26 Dec 2015 18:13:59 -0800
Subject: [PATCH 148/317] Supposedly, not having an fseeko64 is only a Visual
 Studio thing.  Would fix mingw32, supposedly.

---
 ctrtool/utils.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/utils.h b/ctrtool/utils.h
index f813b0c0..1d5eac83 100644
--- a/ctrtool/utils.h
+++ b/ctrtool/utils.h
@@ -41,7 +41,7 @@ int makedir(const char* dir);
 
 u64 _fsize(const char *filename);
 
-#ifdef _WIN32
+#ifdef _MSC_VER
 inline int fseeko64(FILE *__stream, long long __off, int __whence)
 {
 	return _fseeki64(__stream, __off, __whence);

From 695fadcb3c74360349762466f7516cb44d7fd4bb Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 27 Dec 2015 14:55:39 +0800
Subject: [PATCH 149/317] [makerom] misc

---
 makerom/accessdesc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 1b8a3ef9..847118f4 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -132,7 +132,7 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 
-	if(!pre_sign->modulus && exhdrset->keys->rsa.requiresPresignedDesc){
+	if(!pre_sign && exhdrset->keys->rsa.requiresPresignedDesc){
 		fprintf(stderr,"[ACEXDESC ERROR] This AccessDesc template needs to be signed, the current keyset is incapable of doing so. Please configure RSF file with the appropriate signature data.\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}

From 26affd158c5636e13e1b77c001d45e62bd58eff7 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 5 Jan 2016 22:52:47 +0800
Subject: [PATCH 150/317] [makerom] misc

---
 makerom/aes_keygen.c            | 124 ++++++++++++++++++++++++++++++++
 makerom/aes_keygen.h            |  12 ++++
 makerom/keyset.c                |  15 ++--
 makerom/makerom.vcxproj         |   2 +
 makerom/makerom.vcxproj.filters |   6 ++
 5 files changed, 149 insertions(+), 10 deletions(-)
 create mode 100644 makerom/aes_keygen.c
 create mode 100644 makerom/aes_keygen.h

diff --git a/makerom/aes_keygen.c b/makerom/aes_keygen.c
new file mode 100644
index 00000000..e5a35d6d
--- /dev/null
+++ b/makerom/aes_keygen.c
@@ -0,0 +1,124 @@
+#include "aes_keygen.h"
+
+// 128bit wrap-around math
+int32_t wrap_index(int32_t i)
+{
+	return i < 0 ? ((i % 16) + 16) % 16 : (i > 15 ? i % 16 : i);
+}
+
+void n128_rrot(const uint8_t *in, uint32_t rot, uint8_t *out)
+{
+	uint32_t bit_shift, byte_shift;
+
+	rot = rot % 128;
+	byte_shift = rot / 8;
+	bit_shift = rot % 8;
+
+	for (int32_t i = 0; i < 16; i++) {
+		out[i] = (in[wrap_index(i - byte_shift)] >> bit_shift) | (in[wrap_index(i - byte_shift - 1)] << (8 - bit_shift));
+	}
+
+}
+
+void n128_lrot(const uint8_t *in, uint32_t rot, uint8_t *out)
+{
+	uint32_t bit_shift, byte_shift;
+
+	rot = rot % 128;
+	byte_shift = rot / 8;
+	bit_shift = rot % 8;
+
+	for (int32_t i = 0; i < 16; i++) {
+		out[i] = (in[wrap_index(i + byte_shift)] << bit_shift) | (in[wrap_index(i + byte_shift + 1)] >> (8 - bit_shift));
+	}
+}
+
+/* out = a + b
+*/
+void n128_add(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	uint8_t carry = 0;
+	uint32_t sum = 0;
+
+	for (int i = 15; i >= 0; i--) {
+		sum = a[i] + b[i] + carry;
+		carry = sum >> 8;
+		out[i] = sum & 0xff;
+	}
+
+	while (carry != 0) {
+		for (int i = 15; i >= 0; i--) {
+			sum = out[i] + carry;
+			carry = sum >> 8;
+			out[i] = sum & 0xff;
+		}
+	}
+}
+
+/* out = a - b
+*/
+void n128_sub(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	uint8_t carry = 0;
+	uint32_t sum = 0;
+
+	for (int i = 15; i >= 0; i--) {
+		sum = a[i] - (b[i] + carry);
+
+		// check to see if anything was borrowed from next byte
+		if (a[i] < (b[i] + carry)) {
+			sum += 0x100;
+			carry = 1;
+		}
+		else {
+			carry = 0;
+		}
+
+		// set value
+		out[i] = sum & 0xff;
+	}
+
+
+	while (carry != 0) {
+		for (int i = 15; i >= 0; i--) {
+			sum = out[i] - carry;
+
+			// check to see if anything was borrowed from next byte
+			if (out[i] < carry) {
+				sum += 0x100;
+				carry = 1;
+			}
+			else {
+				carry = 0;
+			}
+
+			out[i] = sum & 0xff;
+		}
+	}
+
+}
+
+void n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	for (int i = 0; i < 16; i++) {
+		out[i] = a[i] ^ b[i];
+	}
+}
+
+// keygen algorithm
+void n_aes_keygen(const uint8_t *x, uint8_t x_shift, const uint8_t *y, uint8_t y_shift, const uint8_t *keygen_constant, uint8_t *key)
+{
+	// overall algo:
+	// key = ((x >>> x_shift) ^ (y >>> y_shift)) + keygen_constant
+	uint8_t x_rot[16], y_rot[16], key_xy[16];
+
+	// Rotate x and y
+	n128_rrot(x, x_shift, x_rot);
+	n128_rrot(y, y_shift, y_rot);
+
+	// XOR rotated x and y
+	n128_xor(x_rot, y_rot, key_xy);
+
+	// Add secret
+	n128_add(key_xy, keygen_constant, key);
+}
\ No newline at end of file
diff --git a/makerom/aes_keygen.h b/makerom/aes_keygen.h
new file mode 100644
index 00000000..0314744a
--- /dev/null
+++ b/makerom/aes_keygen.h
@@ -0,0 +1,12 @@
+#pragma once
+#include <stdint.h>
+
+/*
+	AES Key generator for the Nintendo (Handheld) Consoles
+
+	BYO keygen constants, and input >>> parameters
+
+	key = ((x >>> x_shift) ^ (y >>> y_shift)) + keygen_constant
+*/
+
+void n_aes_keygen(const uint8_t *x, uint8_t x_shift, const uint8_t *y, uint8_t y_shift, const uint8_t *keygen_constant, uint8_t *key);
diff --git a/makerom/keyset.c b/makerom/keyset.c
index cdb32a6b..d4684717 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -1,4 +1,5 @@
 #include "lib.h"
+#include "aes_keygen.h"
 
 // KeyData
 #include "pki/test.h" // Test PKI
@@ -49,16 +50,10 @@ void PrintBadKeySize(char *path, u32 size)
 
 u8* AesKeyScrambler(u8 *key, const u8 *keyX, const u8 *keyY)
 {
-	// Process keyX/keyY to get raw normal key
-	for(int i = 0; i < 16; i++)
-		key[i] = keyX[i] ^ ((keyY[i] >> 2) | ((keyY[i < 15 ? i+1 : 0] & 3) << 6)); // keyX[i] ^
-
-	const u8 SCRAMBLE_SECRET[16] = {0x51, 0xD7, 0x5D, 0xBE, 0xFD, 0x07, 0x57, 0x6A, 0x1C, 0xFC, 0x2A, 0xF0, 0x94, 0x4B, 0xD5, 0x6C};
-
-	// Apply Secret to get final normal key
-	for(int i = 0; i < 16; i++)
-		key[i] = key[i] ^ SCRAMBLE_SECRET[i];
-
+	static const uint8_t CTR_KEYGEN_CONST[16] = { 0xEE, 0x2E, 0xA9, 0x3B, 0x45, 0x0F, 0xFC, 0xF4, 0xD5, 0x62, 0xFF, 0x02, 0x04, 0x01, 0x22, 0xC8 };
+	static const uint8_t CTR_KEYX_SHIFT = 39;
+	static const uint8_t CTR_KEYY_SHIFT = 41;
+	n_aes_keygen(keyX, CTR_KEYX_SHIFT, keyY, CTR_KEYY_SHIFT, CTR_KEYGEN_CONST, key);
 	return key;
 }
 
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index 7d442011..dbdfd0a3 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -91,6 +91,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="accessdesc.h" />
+    <ClInclude Include="aes_keygen.h" />
     <ClInclude Include="blz.h" />
     <ClInclude Include="cardinfo.h" />
     <ClInclude Include="certs.h" />
@@ -194,6 +195,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="accessdesc.c" />
+    <ClCompile Include="aes_keygen.c" />
     <ClCompile Include="blz.c" />
     <ClCompile Include="cardinfo.c" />
     <ClCompile Include="certs.c" />
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index 472d9e19..992fd34f 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -339,6 +339,9 @@
     <ClInclude Include="desc\desc.h">
       <Filter>Resource Files\DESC</Filter>
     </ClInclude>
+    <ClInclude Include="aes_keygen.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="accessdesc.c">
@@ -479,6 +482,9 @@
     <ClCompile Include="oschar.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="aes_keygen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <None Include="Makefile">

From 9de65b09efb8c4171b992c6fc4755b7c1ac75ba0 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Thu, 7 Jan 2016 16:10:21 +0100
Subject: [PATCH 151/317] Fix gcc compatibility.

---
 ctrtool/utils.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/utils.h b/ctrtool/utils.h
index 1d5eac83..93bf2193 100644
--- a/ctrtool/utils.h
+++ b/ctrtool/utils.h
@@ -47,7 +47,7 @@ inline int fseeko64(FILE *__stream, long long __off, int __whence)
 	return _fseeki64(__stream, __off, __whence);
 }
 #else
-extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence);
+extern int fseeko64 (FILE *__stream, off64_t __off, int __whence);
 #endif
 
 #ifdef __cplusplus

From b1725fda79b01c449b913147fffc3a043abf23d3 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 8 Jan 2016 19:58:31 +0800
Subject: [PATCH 152/317] [makerom] Changed makefile

Warning-less compiling on OS X
---
 makerom/Makefile | 27 ++++++++++++++++++++-------
 makerom/utils.h  |  6 ++----
 2 files changed, 22 insertions(+), 11 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index 19d05055..9af706b3 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -3,14 +3,27 @@ SRC_DIR = . polarssl libyaml
 OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 
 # Compiler Settings
-LIBS = -static-libgcc
-CXXFLAGS = -I.
-CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-but-set-variable -Wno-unused-value -Wno-unused-result -I. $(MAKEROM_BUILD_FLAGS)
+CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-value -Wno-unused-result -I.
 CC = gcc
-CXX = g++
+ifeq ($(OS),Windows_NT)
+    #Windows Build CFG
+    CFLAGS += -Wno-unused-but-set-variable
+    LIBS += -static-libgcc
+else
+    UNAME_S := $(shell uname -s)
+    ifeq ($(UNAME_S),Darwin)
+        # OS X
+        CFLAGS +=
+        LIBS += -liconv
+    else
+        # Linux
+        CFLAGS += -Wno-unused-but-set-variable
+        LIBS +=
+    endif
+endif
+
 
 # MAKEROM Build Settings
-MAKEROM_BUILD_FLAGS = #-DDEBUG
 OUTPUT = makerom
 
 main: build
@@ -18,7 +31,7 @@ main: build
 rebuild: clean build
 
 build: $(OBJS)
-	$(CXX) -o $(OUTPUT) $(LIBS) $(OBJS)
+	$(CC) -o $(OUTPUT) $(LIBS) $(OBJS)
 
 clean:
-	rm -rf $(OUTPUT) $(OBJS) *.cci *.cia *.cxi *.cfa
+	rm -rf $(OUTPUT) $(OBJS)
\ No newline at end of file
diff --git a/makerom/utils.h b/makerom/utils.h
index 6370e415..dc8e27c1 100644
--- a/makerom/utils.h
+++ b/makerom/utils.h
@@ -18,7 +18,7 @@ u64 min64(u64 a, u64 b);
 u64 max64(u64 a, u64 b);
 
 // Strings
-void memdump(FILE* fout, const char* prefix, const const u8* data, u32 size);
+void memdump(FILE* fout, const char* prefix, const u8* data, u32 size);
 char* replace_filextention(const char *input, const char *extention);
 
 // Base64
@@ -52,6 +52,4 @@ u32 u8_to_u32(const u8 *value, u8 endianness);
 u64 u8_to_u64(const u8 *value, u8 endianness);
 int u16_to_u8(u8 *out_value, u16 in_value, u8 endianness);
 int u32_to_u8(u8 *out_value, u32 in_value, u8 endianness);
-int u64_to_u8(u8 *out_value, u64 in_value, u8 endianness);
-
-
+int u64_to_u8(u8 *out_value, u64 in_value, u8 endianness);
\ No newline at end of file

From 9b4415a7a0c38497f25d2791e5913a9b0dff14b3 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 8 Jan 2016 20:45:14 +0800
Subject: [PATCH 153/317] [ctrtool] Fix compile errors

And comparisons which would have always returned false.
---
 ctrtool/Makefile | 21 ++++++++++++++++++---
 ctrtool/stream.c |  2 +-
 ctrtool/utils.h  |  6 ++++--
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 73bd2051..3842b54e 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -3,12 +3,27 @@ SRC_DIR = . polarssl tinyxml
 OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c))) $(foreach dir,$(SRC_DIR),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp)))
 
 # Compiler Settings
-LIBS = -static-libgcc -static-libstdc++
-CXXFLAGS = -I. 
-CFLAGS = -O2 -flto -Wall -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-result -I.
 OUTPUT = ctrtool
+CXXFLAGS = -I.
+CFLAGS = -O2 -flto -Wall -Wno-unused-variable  -Wno-unused-result -I.
 CC = gcc
 CXX = g++
+ifeq ($(OS),Windows_NT)
+    #Windows Build CFG
+    CFLAGS += -Wno-unused-but-set-variable
+    LIBS += -static-libgcc -static-libstdc++
+else
+    UNAME_S := $(shell uname -s)
+    ifeq ($(UNAME_S),Darwin)
+        # OS X
+        CFLAGS += -Wno-unused-local-typedef
+        LIBS += -liconv
+    else
+        # Linux
+        CFLAGS += -Wno-unused-but-set-variable
+        LIBS +=
+    endif
+endif
 
 main: $(OBJS)
 	$(CXX) -o $(OUTPUT) $(LIBS) $(OBJS)
diff --git a/ctrtool/stream.c b/ctrtool/stream.c
index e18dda31..dfb1ac6f 100644
--- a/ctrtool/stream.c
+++ b/ctrtool/stream.c
@@ -119,7 +119,7 @@ int stream_out_flush(stream_out_context* ctx)
 	if (ctx->outbufferpos > 0)
 	{
 		size_t writtenbytes = fwrite(ctx->outbuffer, 1, ctx->outbufferpos, ctx->outfile);
-		if (writtenbytes < 0)
+		if (writtenbytes == 0) // will be zero if nothing is written
 			return 0;
 
 
diff --git a/ctrtool/utils.h b/ctrtool/utils.h
index 93bf2193..990d900b 100644
--- a/ctrtool/utils.h
+++ b/ctrtool/utils.h
@@ -46,8 +46,10 @@ inline int fseeko64(FILE *__stream, long long __off, int __whence)
 {
 	return _fseeki64(__stream, __off, __whence);
 }
-#else
-extern int fseeko64 (FILE *__stream, off64_t __off, int __whence);
+#elif __APPLE__
+    #define fseeko64 fseek // OS X file I/O is 64bit
+#elif __linux__
+    extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence);
 #endif
 
 #ifdef __cplusplus

From ed286878bd817eea5d112710d14fb3af99719638 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 8 Jan 2016 20:50:44 +0800
Subject: [PATCH 154/317] [ctrtool] removed silenced warning for hacky code.

---
 ctrtool/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 3842b54e..0f2361fa 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -16,7 +16,7 @@ else
     UNAME_S := $(shell uname -s)
     ifeq ($(UNAME_S),Darwin)
         # OS X
-        CFLAGS += -Wno-unused-local-typedef
+        CFLAGS +=
         LIBS += -liconv
     else
         # Linux

From 8420f9dadd91b753088bd47f3ebd0c2172942abe Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 15 Jan 2016 21:51:31 +0800
Subject: [PATCH 155/317] Update .gitignore

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 21388103..c990f923 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,6 +36,8 @@ local.properties
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
 
+*.VC.opendb
+
 # User-specific files
 *.suo
 *.user

From fefa25f5ad051791c25c950aae2133e2f16d3386 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 15 Jan 2016 21:51:59 +0800
Subject: [PATCH 156/317] [makerom] corrected aes keygen code, thanks plutoo.

---
 makerom/aes_keygen.c | 22 ++++++++++++++++++++++
 makerom/aes_keygen.h |  8 ++------
 makerom/keyset.c     | 11 +----------
 makerom/keyset.h     |  4 +---
 makerom/ncch.c       |  5 +++--
 5 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/makerom/aes_keygen.c b/makerom/aes_keygen.c
index e5a35d6d..ffaa4d93 100644
--- a/makerom/aes_keygen.c
+++ b/makerom/aes_keygen.c
@@ -106,6 +106,7 @@ void n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out)
 }
 
 // keygen algorithm
+/*
 void n_aes_keygen(const uint8_t *x, uint8_t x_shift, const uint8_t *y, uint8_t y_shift, const uint8_t *keygen_constant, uint8_t *key)
 {
 	// overall algo:
@@ -121,4 +122,25 @@ void n_aes_keygen(const uint8_t *x, uint8_t x_shift, const uint8_t *y, uint8_t y
 
 	// Add secret
 	n128_add(key_xy, keygen_constant, key);
+}
+*/
+
+void ctr_aes_keygen(const uint8_t *x, const uint8_t *y, uint8_t *key)
+{
+	static const uint8_t KEYGEN_CONST[16] = { 0x1F, 0xF9, 0xE9, 0xAA, 0xC5, 0xFE, 0x04, 0x08, 0x02, 0x45, 0x91, 0xDC, 0x5D, 0x52, 0x76, 0x8A };
+
+	// overall algo:
+	// key = (((x <<< 2) ^ y) + KEYGEN_CONST) >>> 41
+	uint8_t x_rot[16], key_xy[16], key_xyc[16];
+
+	// x_rot = x <<< 2
+	n128_lrot(x, 2, x_rot);
+
+	// key_xy = x_rot ^ y
+	n128_xor(x_rot, y, key_xy);
+
+	// key_xyc = key_xy + KEYGEN_CONST
+	n128_add(key_xy, KEYGEN_CONST, key);
+
+	n128_rrot(key_xyc, 41, key);
 }
\ No newline at end of file
diff --git a/makerom/aes_keygen.h b/makerom/aes_keygen.h
index 0314744a..dae87a3c 100644
--- a/makerom/aes_keygen.h
+++ b/makerom/aes_keygen.h
@@ -2,11 +2,7 @@
 #include <stdint.h>
 
 /*
-	AES Key generator for the Nintendo (Handheld) Consoles
-
-	BYO keygen constants, and input >>> parameters
-
-	key = ((x >>> x_shift) ^ (y >>> y_shift)) + keygen_constant
+	AES Key generator for the Nintendo 3DS (CTR) Consoles
 */
 
-void n_aes_keygen(const uint8_t *x, uint8_t x_shift, const uint8_t *y, uint8_t y_shift, const uint8_t *keygen_constant, uint8_t *key);
+void ctr_aes_keygen(const uint8_t *x, const uint8_t *y, uint8_t *key);
diff --git a/makerom/keyset.c b/makerom/keyset.c
index d4684717..3710d92f 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -48,15 +48,6 @@ void PrintBadKeySize(char *path, u32 size)
 	fprintf(stderr,"[KEYSET ERROR] %s has invalid size (0x%x)\n",path,size);
 }
 
-u8* AesKeyScrambler(u8 *key, const u8 *keyX, const u8 *keyY)
-{
-	static const uint8_t CTR_KEYGEN_CONST[16] = { 0xEE, 0x2E, 0xA9, 0x3B, 0x45, 0x0F, 0xFC, 0xF4, 0xD5, 0x62, 0xFF, 0x02, 0x04, 0x01, 0x22, 0xC8 };
-	static const uint8_t CTR_KEYX_SHIFT = 39;
-	static const uint8_t CTR_KEYY_SHIFT = 41;
-	n_aes_keygen(keyX, CTR_KEYX_SHIFT, keyY, CTR_KEYY_SHIFT, CTR_KEYGEN_CONST, key);
-	return key;
-}
-
 int SetKeys(keys_struct *keys)
 {	
 	int result = 0;
@@ -135,7 +126,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		// CIA
 		//for(int i = 0; i < 6; i++){
 		//	keys->aes.commonKey[i] = malloc(16);
-		//	AesKeyScrambler(keys->aes.commonKey[i], ctr_common_etd_keyX_ppki, ctr_common_etd_keyY_ppki[i]);
+		//	ctr_aes_keygen(ctr_common_etd_keyX_ppki, ctr_common_etd_keyY_ppki[i], keys->aes.commonKey[i]);
 		//}
 		if(keys->aes.currentCommonKey > 0xff)
 			SetCurrentCommonKey(keys,0);
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 1e1db788..4ab18ff9 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -96,6 +96,4 @@ void FreeKeys(keys_struct *keys);
 int SetCommonKey(keys_struct *keys, const u8 *key, u8 Index);
 int SetCurrentCommonKey(keys_struct *keys, u8 Index);
 int SetNormalKey(keys_struct *keys, const u8 *key);
-int SetSystemFixedKey(keys_struct *keys, const u8 *key);
-
-u8* AesKeyScrambler(u8 *key, const u8 *keyX, const u8 *keyY);
+int SetSystemFixedKey(keys_struct *keys, const u8 *key);
\ No newline at end of file
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 577843b2..e8d6412f 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -1,4 +1,5 @@
 #include "lib.h"
+#include "aes_keygen.h"
 #include "ncch_build.h"
 #include "exheader_build.h"
 #include "exheader_read.h"
@@ -1043,12 +1044,12 @@ bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr)
 	}
 	
 	if(keys->aes.ncchKeyX[0])
-		AesKeyScrambler(keys->aes.ncchKey0,keys->aes.ncchKeyX[0],hdr->signature);
+		ctr_aes_keygen(keys->aes.ncchKeyX[0],hdr->signature,keys->aes.ncchKey0);
 	else
 		return false;
 	
 	if(keys->aes.ncchKeyX[hdr->flags[ncchflag_CONTENT_KEYX]])
-		AesKeyScrambler(keys->aes.ncchKey1,keys->aes.ncchKeyX[hdr->flags[ncchflag_CONTENT_KEYX]],hdr->signature);
+		ctr_aes_keygen(keys->aes.ncchKeyX[ncchflag_CONTENT_KEYX], hdr->signature, keys->aes.ncchKey0);
 	else
 		return false;
 		

From 75a839efffe20ae6053290a5fc4f7de963d93203 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 15 Jan 2016 23:37:03 +0800
Subject: [PATCH 157/317] [makerom] cleaned up RSA keys

---
 makerom/keyset.c                |  24 +-
 makerom/makerom.vcxproj         |   1 +
 makerom/makerom.vcxproj.filters |   3 +
 makerom/pki/dev.h               | 859 ++------------------------------
 makerom/pki/dev_legacy.h        | 145 +-----
 makerom/pki/prod.h              | 715 +-------------------------
 makerom/pki/rsa_key.h           |  14 +
 makerom/pki/test.h              |  11 +-
 8 files changed, 92 insertions(+), 1680 deletions(-)
 create mode 100644 makerom/pki/rsa_key.h

diff --git a/makerom/keyset.c b/makerom/keyset.c
index 3710d92f..c17bf0c6 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -108,12 +108,12 @@ int LoadKeysFromResources(keys_struct *keys)
 
 		/* RSA Keys */
 		// CIA
-		SetTIK_RsaKey(keys, xs9_dpki_rsa_priv, xs9_dpki_rsa_pub);
-		SetTMD_RsaKey(keys, cpA_dpki_rsa_priv, cpA_dpki_rsa_pub);
+		SetTIK_RsaKey(keys, xs9_dpki_rsa.priv_exponent, xs9_dpki_rsa.modulus);
+		SetTMD_RsaKey(keys, cpA_dpki_rsa.priv_exponent, cpA_dpki_rsa.modulus);
 		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys, dev_ncsd_cfa_priv, dev_ncsd_cfa_pub);
+		Set_CCI_CFA_RsaKey(keys, dev_ncsd_cfa_rsa.priv_exponent, dev_ncsd_cfa_rsa.modulus);
 		// CXI
-		SetAccessDesc_RsaKey(keys, dev_acex_priv, dev_acex_pub);
+		SetAccessDesc_RsaKey(keys, dev_accessdesc_rsa.priv_exponent, dev_accessdesc_rsa.modulus);
 	
 		/* Certs */
 		SetCaCert(keys, ca4_dpki_cert);
@@ -141,12 +141,12 @@ int LoadKeysFromResources(keys_struct *keys)
 
 		/* RSA Keys */
 		// CIA
-		SetTIK_RsaKey(keys, xsC_ppki_rsa_priv, xsC_ppki_rsa_pub);
-		SetTMD_RsaKey(keys, cpB_ppki_rsa_priv, cpB_ppki_rsa_pub);
+		SetTIK_RsaKey(keys, xsC_ppki_rsa.priv_exponent, xsC_ppki_rsa.modulus);
+		SetTMD_RsaKey(keys, cpB_ppki_rsa.priv_exponent, cpB_ppki_rsa.modulus);
 		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys, prod_ncsd_cfa_priv, prod_ncsd_cfa_pub);
+		Set_CCI_CFA_RsaKey(keys, prod_ncsd_cfa_rsa.priv_exponent, prod_ncsd_cfa_rsa.modulus);
 		// CXI
-		SetAccessDesc_RsaKey(keys, prod_acex_priv, prod_acex_pub);
+		SetAccessDesc_RsaKey(keys, prod_accessdesc_rsa.priv_exponent, prod_accessdesc_rsa.modulus);
 	
 		/* Certs */
 		SetCaCert(keys, ca3_ppki_cert);
@@ -159,15 +159,15 @@ int LoadKeysFromResources(keys_struct *keys)
 void SetDummyRsaData(keys_struct *keys)
 {
 	if(!keys->rsa.xsPvt || !keys->rsa.xsPub)
-		SetTIK_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
+		SetTIK_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
 	if(!keys->rsa.cpPvt || !keys->rsa.cpPub)
-		SetTMD_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
+		SetTMD_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
 		
 	if(!keys->rsa.cciCfaPvt || !keys->rsa.cciCfaPub)
-		Set_CCI_CFA_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
+		Set_CCI_CFA_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
 	
 	if(!keys->rsa.acexPvt || !keys->rsa.acexPub)
-		SetAccessDesc_RsaKey(keys, tpki_rsa_privExp, tpki_rsa_pubMod);
+		SetAccessDesc_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
 
 	/* Certs */
 	if(!keys->certs.caCert)
diff --git a/makerom/makerom.vcxproj b/makerom/makerom.vcxproj
index dbdfd0a3..97eedae3 100644
--- a/makerom/makerom.vcxproj
+++ b/makerom/makerom.vcxproj
@@ -106,6 +106,7 @@
     <ClInclude Include="desc\dev_sigdata.h" />
     <ClInclude Include="desc\presets.h" />
     <ClInclude Include="oschar.h" />
+    <ClInclude Include="pki\rsa_key.h" />
     <ClInclude Include="romfs_fs.h" />
     <ClInclude Include="elf.h" />
     <ClInclude Include="exefs.h" />
diff --git a/makerom/makerom.vcxproj.filters b/makerom/makerom.vcxproj.filters
index 992fd34f..656358e8 100644
--- a/makerom/makerom.vcxproj.filters
+++ b/makerom/makerom.vcxproj.filters
@@ -342,6 +342,9 @@
     <ClInclude Include="aes_keygen.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="pki\rsa_key.h">
+      <Filter>Resource Files\PKI</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="accessdesc.c">
diff --git a/makerom/pki/dev.h b/makerom/pki/dev.h
index db7d9761..6e107355 100644
--- a/makerom/pki/dev.h
+++ b/makerom/pki/dev.h
@@ -1,4 +1,5 @@
 #pragma once
+#include "rsa_key.h"
 
 #ifdef PKI_LEGACY
 #include "pki/dev_legacy.h"
@@ -24,871 +25,71 @@ static const unsigned char ctr_common_etd_key_dpki[2][16] =
 };
 
 //RSA Keys
-static const unsigned char root_dpki_rsa_pub[0x200] =
+static const CtrRsa4096Key root_dpki_rsa =
 {
-	0xD0, 0x1F, 0xE1, 0x00, 0xD4, 0x35, 0x56, 0xB2,
-	0x4B, 0x56, 0xDA, 0xE9, 0x71, 0xB5, 0xA5, 0xD3,
-	0x84, 0xB9, 0x30, 0x03, 0xBE, 0x1B, 0xBF, 0x28,
-	0xA2, 0x30, 0x5B, 0x06, 0x06, 0x45, 0x46, 0x7D,
-	0x5B, 0x02, 0x51, 0xD2, 0x56, 0x1A, 0x27, 0x4F,
-	0x9E, 0x9F, 0x9C, 0xEC, 0x64, 0x61, 0x50, 0xAB,
-	0x3D, 0x2A, 0xE3, 0x36, 0x68, 0x66, 0xAC, 0xA4,
-	0xBA, 0xE8, 0x1A, 0xE3, 0xD7, 0x9A, 0xA6, 0xB0,
-	0x4A, 0x8B, 0xCB, 0xA7, 0xE6, 0xFB, 0x64, 0x89,
-	0x45, 0xEB, 0xDF, 0xDB, 0x85, 0xBA, 0x09, 0x1F,
-	0xD7, 0xD1, 0x14, 0xB5, 0xA3, 0xA7, 0x80, 0xE3,
-	0xA2, 0x2E, 0x6E, 0xCD, 0x87, 0xB5, 0xA4, 0xC6,
-	0xF9, 0x10, 0xE4, 0x03, 0x22, 0x08, 0x81, 0x4B,
-	0x0C, 0xEE, 0xA1, 0xA1, 0x7D, 0xF7, 0x39, 0x69,
-	0x5F, 0x61, 0x7E, 0xF6, 0x35, 0x28, 0xDB, 0x94,
-	0x96, 0x37, 0xA0, 0x56, 0x03, 0x7F, 0x7B, 0x32,
-	0x41, 0x38, 0x95, 0xC0, 0xA8, 0xF1, 0x98, 0x2E,
-	0x15, 0x65, 0xE3, 0x8E, 0xED, 0xC2, 0x2E, 0x59,
-	0x0E, 0xE2, 0x67, 0x7B, 0x86, 0x09, 0xF4, 0x8C,
-	0x2E, 0x30, 0x3F, 0xBC, 0x40, 0x5C, 0xAC, 0x18,
-	0x04, 0x2F, 0x82, 0x20, 0x84, 0xE4, 0x93, 0x68,
-	0x03, 0xDA, 0x7F, 0x41, 0x34, 0x92, 0x48, 0x56,
-	0x2B, 0x8E, 0xE1, 0x2F, 0x78, 0xF8, 0x03, 0x24,
-	0x63, 0x30, 0xBC, 0x7B, 0xE7, 0xEE, 0x72, 0x4A,
-	0xF4, 0x58, 0xA4, 0x72, 0xE7, 0xAB, 0x46, 0xA1,
-	0xA7, 0xC1, 0x0C, 0x2F, 0x18, 0xFA, 0x07, 0xC3,
-	0xDD, 0xD8, 0x98, 0x06, 0xA1, 0x1C, 0x9C, 0xC1,
-	0x30, 0xB2, 0x47, 0xA3, 0x3C, 0x8D, 0x47, 0xDE,
-	0x67, 0xF2, 0x9E, 0x55, 0x77, 0xB1, 0x1C, 0x43,
-	0x49, 0x3D, 0x5B, 0xBA, 0x76, 0x34, 0xA7, 0xE4,
-	0xE7, 0x15, 0x31, 0xB7, 0xDF, 0x59, 0x81, 0xFE,
-	0x24, 0xA1, 0x14, 0x55, 0x4C, 0xBD, 0x8F, 0x00,
-	0x5C, 0xE1, 0xDB, 0x35, 0x08, 0x5C, 0xCF, 0xC7,
-	0x78, 0x06, 0xB6, 0xDE, 0x25, 0x40, 0x68, 0xA2,
-	0x6C, 0xB5, 0x49, 0x2D, 0x45, 0x80, 0x43, 0x8F,
-	0xE1, 0xE5, 0xA9, 0xED, 0x75, 0xC5, 0xED, 0x45,
-	0x1D, 0xCE, 0x78, 0x94, 0x39, 0xCC, 0xC3, 0xBA,
-	0x28, 0xA2, 0x31, 0x2A, 0x1B, 0x87, 0x19, 0xEF,
-	0x0F, 0x73, 0xB7, 0x13, 0x95, 0x0C, 0x02, 0x59,
-	0x1A, 0x74, 0x62, 0xA6, 0x07, 0xF3, 0x7C, 0x0A,
-	0xA7, 0xA1, 0x8F, 0xA9, 0x43, 0xA3, 0x6D, 0x75,
-	0x2A, 0x5F, 0x41, 0x92, 0xF0, 0x13, 0x61, 0x00,
-	0xAA, 0x9C, 0xB4, 0x1B, 0xBE, 0x14, 0xBE, 0xB1,
-	0xF9, 0xFC, 0x69, 0x2F, 0xDF, 0xA0, 0x94, 0x46,
-	0xDE, 0x5A, 0x9D, 0xDE, 0x2C, 0xA5, 0xF6, 0x8C,
-	0x1C, 0x0C, 0x21, 0x42, 0x92, 0x87, 0xCB, 0x2D,
-	0xAA, 0xA3, 0xD2, 0x63, 0x75, 0x2F, 0x73, 0xE0,
-	0x9F, 0xAF, 0x44, 0x79, 0xD2, 0x81, 0x74, 0x29,
-	0xF6, 0x98, 0x00, 0xAF, 0xDE, 0x6B, 0x59, 0x2D,
-	0xC1, 0x98, 0x82, 0xBD, 0xF5, 0x81, 0xCC, 0xAB,
-	0xF2, 0xCB, 0x91, 0x02, 0x9E, 0xF3, 0x5C, 0x4C,
-	0xFD, 0xBB, 0xFF, 0x49, 0xC1, 0xFA, 0x1B, 0x2F,
-	0xE3, 0x1D, 0xE7, 0xA5, 0x60, 0xEC, 0xB4, 0x7E,
-	0xBC, 0xFE, 0x32, 0x42, 0x5B, 0x95, 0x6F, 0x81,
-	0xB6, 0x99, 0x17, 0x48, 0x7E, 0x3B, 0x78, 0x91,
-	0x51, 0xDB, 0x2E, 0x78, 0xB1, 0xFD, 0x2E, 0xBE,
-	0x7E, 0x62, 0x6B, 0x3E, 0xA1, 0x65, 0xB4, 0xFB,
-	0x00, 0xCC, 0xB7, 0x51, 0xAF, 0x50, 0x73, 0x29,
-	0xC4, 0xA3, 0x93, 0x9E, 0xA6, 0xDD, 0x9C, 0x50,
-	0xA0, 0xE7, 0x38, 0x6B, 0x01, 0x45, 0x79, 0x6B,
-	0x41, 0xAF, 0x61, 0xF7, 0x85, 0x55, 0x94, 0x4F,
-	0x3B, 0xC2, 0x2D, 0xC3, 0xBD, 0x0D, 0x00, 0xF8,
-	0x79, 0x8A, 0x42, 0xB1, 0xAA, 0xA0, 0x83, 0x20,
-	0x65, 0x9A, 0xC7, 0x39, 0x5A, 0xB4, 0xF3, 0x29
+	.modulus = { 0xD0, 0x1F, 0xE1, 0x00, 0xD4, 0x35, 0x56, 0xB2, 0x4B, 0x56, 0xDA, 0xE9, 0x71, 0xB5, 0xA5, 0xD3, 0x84, 0xB9, 0x30, 0x03, 0xBE, 0x1B, 0xBF, 0x28, 0xA2, 0x30, 0x5B, 0x06, 0x06, 0x45, 0x46, 0x7D, 0x5B, 0x02, 0x51, 0xD2, 0x56, 0x1A, 0x27, 0x4F, 0x9E, 0x9F, 0x9C, 0xEC, 0x64, 0x61, 0x50, 0xAB, 0x3D, 0x2A, 0xE3, 0x36, 0x68, 0x66, 0xAC, 0xA4, 0xBA, 0xE8, 0x1A, 0xE3, 0xD7, 0x9A, 0xA6, 0xB0, 0x4A, 0x8B, 0xCB, 0xA7, 0xE6, 0xFB, 0x64, 0x89, 0x45, 0xEB, 0xDF, 0xDB, 0x85, 0xBA, 0x09, 0x1F, 0xD7, 0xD1, 0x14, 0xB5, 0xA3, 0xA7, 0x80, 0xE3, 0xA2, 0x2E, 0x6E, 0xCD, 0x87, 0xB5, 0xA4, 0xC6, 0xF9, 0x10, 0xE4, 0x03, 0x22, 0x08, 0x81, 0x4B, 0x0C, 0xEE, 0xA1, 0xA1, 0x7D, 0xF7, 0x39, 0x69, 0x5F, 0x61, 0x7E, 0xF6, 0x35, 0x28, 0xDB, 0x94, 0x96, 0x37, 0xA0, 0x56, 0x03, 0x7F, 0x7B, 0x32, 0x41, 0x38, 0x95, 0xC0, 0xA8, 0xF1, 0x98, 0x2E, 0x15, 0x65, 0xE3, 0x8E, 0xED, 0xC2, 0x2E, 0x59, 0x0E, 0xE2, 0x67, 0x7B, 0x86, 0x09, 0xF4, 0x8C, 0x2E, 0x30, 0x3F, 0xBC, 0x40, 0x5C, 0xAC, 0x18, 0x04, 0x2F, 0x82, 0x20, 0x84, 0xE4, 0x93, 0x68, 0x03, 0xDA, 0x7F, 0x41, 0x34, 0x92, 0x48, 0x56, 0x2B, 0x8E, 0xE1, 0x2F, 0x78, 0xF8, 0x03, 0x24, 0x63, 0x30, 0xBC, 0x7B, 0xE7, 0xEE, 0x72, 0x4A, 0xF4, 0x58, 0xA4, 0x72, 0xE7, 0xAB, 0x46, 0xA1, 0xA7, 0xC1, 0x0C, 0x2F, 0x18, 0xFA, 0x07, 0xC3, 0xDD, 0xD8, 0x98, 0x06, 0xA1, 0x1C, 0x9C, 0xC1, 0x30, 0xB2, 0x47, 0xA3, 0x3C, 0x8D, 0x47, 0xDE, 0x67, 0xF2, 0x9E, 0x55, 0x77, 0xB1, 0x1C, 0x43, 0x49, 0x3D, 0x5B, 0xBA, 0x76, 0x34, 0xA7, 0xE4, 0xE7, 0x15, 0x31, 0xB7, 0xDF, 0x59, 0x81, 0xFE, 0x24, 0xA1, 0x14, 0x55, 0x4C, 0xBD, 0x8F, 0x00, 0x5C, 0xE1, 0xDB, 0x35, 0x08, 0x5C, 0xCF, 0xC7, 0x78, 0x06, 0xB6, 0xDE, 0x25, 0x40, 0x68, 0xA2, 0x6C, 0xB5, 0x49, 0x2D, 0x45, 0x80, 0x43, 0x8F, 0xE1, 0xE5, 0xA9, 0xED, 0x75, 0xC5, 0xED, 0x45, 0x1D, 0xCE, 0x78, 0x94, 0x39, 0xCC, 0xC3, 0xBA, 0x28, 0xA2, 0x31, 0x2A, 0x1B, 0x87, 0x19, 0xEF, 0x0F, 0x73, 0xB7, 0x13, 0x95, 0x0C, 0x02, 0x59, 0x1A, 0x74, 0x62, 0xA6, 0x07, 0xF3, 0x7C, 0x0A, 0xA7, 0xA1, 0x8F, 0xA9, 0x43, 0xA3, 0x6D, 0x75, 0x2A, 0x5F, 0x41, 0x92, 0xF0, 0x13, 0x61, 0x00, 0xAA, 0x9C, 0xB4, 0x1B, 0xBE, 0x14, 0xBE, 0xB1, 0xF9, 0xFC, 0x69, 0x2F, 0xDF, 0xA0, 0x94, 0x46, 0xDE, 0x5A, 0x9D, 0xDE, 0x2C, 0xA5, 0xF6, 0x8C, 0x1C, 0x0C, 0x21, 0x42, 0x92, 0x87, 0xCB, 0x2D, 0xAA, 0xA3, 0xD2, 0x63, 0x75, 0x2F, 0x73, 0xE0, 0x9F, 0xAF, 0x44, 0x79, 0xD2, 0x81, 0x74, 0x29, 0xF6, 0x98, 0x00, 0xAF, 0xDE, 0x6B, 0x59, 0x2D, 0xC1, 0x98, 0x82, 0xBD, 0xF5, 0x81, 0xCC, 0xAB, 0xF2, 0xCB, 0x91, 0x02, 0x9E, 0xF3, 0x5C, 0x4C, 0xFD, 0xBB, 0xFF, 0x49, 0xC1, 0xFA, 0x1B, 0x2F, 0xE3, 0x1D, 0xE7, 0xA5, 0x60, 0xEC, 0xB4, 0x7E, 0xBC, 0xFE, 0x32, 0x42, 0x5B, 0x95, 0x6F, 0x81, 0xB6, 0x99, 0x17, 0x48, 0x7E, 0x3B, 0x78, 0x91, 0x51, 0xDB, 0x2E, 0x78, 0xB1, 0xFD, 0x2E, 0xBE, 0x7E, 0x62, 0x6B, 0x3E, 0xA1, 0x65, 0xB4, 0xFB, 0x00, 0xCC, 0xB7, 0x51, 0xAF, 0x50, 0x73, 0x29, 0xC4, 0xA3, 0x93, 0x9E, 0xA6, 0xDD, 0x9C, 0x50, 0xA0, 0xE7, 0x38, 0x6B, 0x01, 0x45, 0x79, 0x6B, 0x41, 0xAF, 0x61, 0xF7, 0x85, 0x55, 0x94, 0x4F, 0x3B, 0xC2, 0x2D, 0xC3, 0xBD, 0x0D, 0x00, 0xF8, 0x79, 0x8A, 0x42, 0xB1, 0xAA, 0xA0, 0x83, 0x20, 0x65, 0x9A, 0xC7, 0x39, 0x5A, 0xB4, 0xF3, 0x29 },
+	.priv_exponent = {0}
 };
 
-static const unsigned char cpA_dpki_rsa_priv[0x100] =
+static const CtrRsa2048Key cpA_dpki_rsa = 
 {
-    0x28, 0xCE, 0xDC, 0x39, 0x02, 0x7F, 0x3E, 0x8E, 
-	0xAA, 0xB7, 0x59, 0x11, 0xE0, 0x68, 0xBF, 0x80, 
-	0xA6, 0x44, 0x77, 0xDB, 0x1B, 0xA2, 0x50, 0xA3, 
-	0x69, 0xE5, 0x96, 0xB2, 0xC4, 0xCA, 0x7A, 0x35, 
-	0x0D, 0xFC, 0x4A, 0xB2, 0xFB, 0xC0, 0x18, 0xA5, 
-	0x30, 0xB4, 0x9D, 0x10, 0x44, 0xD1, 0xAD, 0x33, 
-	0xFD, 0x15, 0xA7, 0x8D, 0x0F, 0x17, 0xD5, 0xA4, 
-	0xF5, 0x5E, 0x7F, 0x33, 0xF6, 0x80, 0x04, 0x27, 
-	0x6A, 0xEA, 0x9C, 0xEE, 0x68, 0x04, 0x1A, 0xA5, 
-	0xD4, 0x35, 0xA2, 0x25, 0xA2, 0x31, 0xD9, 0xF2, 
-	0xF0, 0xAC, 0xDE, 0x69, 0xB6, 0x64, 0x56, 0x75, 
-	0x2E, 0x9B, 0xEA, 0xDE, 0x2A, 0xBB, 0xD6, 0x00, 
-	0xAA, 0xE6, 0x9B, 0xC2, 0xF6, 0x9F, 0x60, 0xCD, 
-	0x0E, 0xFA, 0xB1, 0x14, 0x4A, 0x47, 0xD6, 0x63, 
-	0x9A, 0xCD, 0x9C, 0x93, 0xB9, 0x09, 0x42, 0xDA, 
-	0x8F, 0xFB, 0xE5, 0x7B, 0xF1, 0x4F, 0x96, 0x33, 
-	0xF9, 0x45, 0x5B, 0xCC, 0x84, 0xAB, 0xC2, 0xD8, 
-	0xC4, 0x0C, 0x85, 0xFA, 0x51, 0x28, 0xB9, 0x97, 
-	0x95, 0x23, 0x8C, 0xB3, 0x1D, 0x4E, 0xB6, 0x1C, 
-	0xCC, 0x60, 0x41, 0xFB, 0x26, 0xC7, 0xD6, 0xCB, 
-	0x77, 0x18, 0xF7, 0xEA, 0xCD, 0x10, 0x3C, 0x5B, 
-	0xA3, 0xC0, 0x77, 0x4C, 0x11, 0xF3, 0x74, 0x50, 
-	0xEE, 0x23, 0x80, 0xC4, 0x5D, 0xDD, 0x57, 0xF5, 
-	0x7D, 0x49, 0x57, 0x4A, 0xBA, 0x62, 0xBF, 0x06, 
-	0xD9, 0xD1, 0x7F, 0x91, 0x10, 0x89, 0x6F, 0x49, 
-	0x09, 0xD7, 0xE9, 0xAF, 0x4C, 0x9F, 0x67, 0x9D, 
-	0x89, 0x82, 0xE4, 0xD5, 0xC1, 0x9A, 0xDC, 0x55, 
-	0x79, 0xE7, 0xE9, 0x2D, 0x81, 0x42, 0x14, 0x55, 
-	0x61, 0x47, 0x9B, 0xED, 0x76, 0x92, 0x1D, 0x2F, 
-	0xB5, 0x7C, 0x28, 0x4B, 0xFF, 0x7B, 0xC2, 0x3B, 
-	0x36, 0x73, 0x99, 0xA6, 0x21, 0x43, 0x0E, 0xA1, 
-	0x1F, 0x82, 0xB8, 0x91, 0x71, 0x11, 0xB2, 0xC1
+	.modulus = { 0xAA, 0x7F, 0x93, 0x80, 0x28, 0x9B, 0xE8, 0x98, 0x63, 0x10, 0x7A, 0xE1, 0x0C, 0x59, 0x2C, 0x2F, 0x7C, 0xFF, 0xBD, 0xAA, 0xDD, 0x74, 0xF4, 0xA2, 0xFB, 0xAC, 0xD7, 0x6F, 0x00, 0x93, 0x42, 0x06, 0x34, 0x71, 0x56, 0xD8, 0x40, 0x49, 0x72, 0x9F, 0x3E, 0x24, 0xFA, 0x5E, 0x19, 0xD1, 0x5B, 0x63, 0x5C, 0xD2, 0xEF, 0x09, 0xDE, 0x32, 0xEE, 0x6B, 0x6F, 0xC8, 0xFA, 0x32, 0x8E, 0x2E, 0x96, 0xB9, 0x94, 0x41, 0x04, 0x7D, 0x07, 0x62, 0x95, 0xDA, 0x0D, 0x91, 0xD8, 0x09, 0x35, 0xD0, 0xDE, 0x8E, 0x6B, 0xC6, 0xAB, 0x14, 0x27, 0x01, 0x9C, 0xFE, 0x49, 0x96, 0xFC, 0x9B, 0x54, 0x79, 0x4D, 0xEB, 0xD7, 0xC6, 0x66, 0x73, 0xA6, 0xDD, 0x3A, 0x77, 0x65, 0x47, 0x94, 0xEC, 0x1C, 0x87, 0xAA, 0x46, 0xD9, 0x78, 0xA9, 0x7D, 0xDB, 0x11, 0x22, 0x6E, 0xD4, 0x12, 0xC2, 0x78, 0x4B, 0x21, 0x83, 0x92, 0xC7, 0x10, 0xC7, 0x74, 0x19, 0xFF, 0xAA, 0xF6, 0x0B, 0x75, 0xD8, 0x23, 0xDD, 0x33, 0xC3, 0xA1, 0x5B, 0xA7, 0x2D, 0x30, 0xA5, 0xA4, 0xD8, 0xF8, 0x0F, 0xD6, 0x73, 0xFD, 0x26, 0xCB, 0x29, 0xA6, 0xEF, 0x50, 0x39, 0xE2, 0x5F, 0x59, 0x61, 0x84, 0x6B, 0xDA, 0x2E, 0xC7, 0xCB, 0xE4, 0x38, 0x4B, 0x28, 0xFB, 0x0D, 0xD5, 0x8E, 0x7C, 0xAA, 0x7D, 0x4B, 0x37, 0x3A, 0xD7, 0x81, 0xDD, 0x73, 0xE3, 0x09, 0x93, 0xBD, 0xBD, 0x7E, 0x08, 0x55, 0x4A, 0x8C, 0xA5, 0xC9, 0x84, 0x2D, 0x71, 0x01, 0xA2, 0x2A, 0x01, 0xB0, 0x15, 0xFB, 0x30, 0x78, 0xB9, 0x13, 0xF4, 0xC7, 0x3F, 0xB5, 0xA6, 0xF1, 0xA2, 0x5E, 0x22, 0xB0, 0x02, 0xB6, 0xE0, 0x09, 0x54, 0x7F, 0x0F, 0xBD, 0xF0, 0xFE, 0xA5, 0x50, 0x1D, 0x93, 0x15, 0xF9, 0x3D, 0x83, 0x0F, 0x0F, 0x0E, 0x3D, 0xE2, 0x3D, 0x96, 0xE7, 0x09, 0xD9, 0x77 },
+	.priv_exponent = { 0x28, 0xCE, 0xDC, 0x39, 0x02, 0x7F, 0x3E, 0x8E, 0xAA, 0xB7, 0x59, 0x11, 0xE0, 0x68, 0xBF, 0x80, 0xA6, 0x44, 0x77, 0xDB, 0x1B, 0xA2, 0x50, 0xA3, 0x69, 0xE5, 0x96, 0xB2, 0xC4, 0xCA, 0x7A, 0x35, 0x0D, 0xFC, 0x4A, 0xB2, 0xFB, 0xC0, 0x18, 0xA5, 0x30, 0xB4, 0x9D, 0x10, 0x44, 0xD1, 0xAD, 0x33, 0xFD, 0x15, 0xA7, 0x8D, 0x0F, 0x17, 0xD5, 0xA4, 0xF5, 0x5E, 0x7F, 0x33, 0xF6, 0x80, 0x04, 0x27, 0x6A, 0xEA, 0x9C, 0xEE, 0x68, 0x04, 0x1A, 0xA5, 0xD4, 0x35, 0xA2, 0x25, 0xA2, 0x31, 0xD9, 0xF2, 0xF0, 0xAC, 0xDE, 0x69, 0xB6, 0x64, 0x56, 0x75, 0x2E, 0x9B, 0xEA, 0xDE, 0x2A, 0xBB, 0xD6, 0x00, 0xAA, 0xE6, 0x9B, 0xC2, 0xF6, 0x9F, 0x60, 0xCD, 0x0E, 0xFA, 0xB1, 0x14, 0x4A, 0x47, 0xD6, 0x63, 0x9A, 0xCD, 0x9C, 0x93, 0xB9, 0x09, 0x42, 0xDA, 0x8F, 0xFB, 0xE5, 0x7B, 0xF1, 0x4F, 0x96, 0x33, 0xF9, 0x45, 0x5B, 0xCC, 0x84, 0xAB, 0xC2, 0xD8, 0xC4, 0x0C, 0x85, 0xFA, 0x51, 0x28, 0xB9, 0x97, 0x95, 0x23, 0x8C, 0xB3, 0x1D, 0x4E, 0xB6, 0x1C, 0xCC, 0x60, 0x41, 0xFB, 0x26, 0xC7, 0xD6, 0xCB, 0x77, 0x18, 0xF7, 0xEA, 0xCD, 0x10, 0x3C, 0x5B, 0xA3, 0xC0, 0x77, 0x4C, 0x11, 0xF3, 0x74, 0x50, 0xEE, 0x23, 0x80, 0xC4, 0x5D, 0xDD, 0x57, 0xF5, 0x7D, 0x49, 0x57, 0x4A, 0xBA, 0x62, 0xBF, 0x06, 0xD9, 0xD1, 0x7F, 0x91, 0x10, 0x89, 0x6F, 0x49, 0x09, 0xD7, 0xE9, 0xAF, 0x4C, 0x9F, 0x67, 0x9D, 0x89, 0x82, 0xE4, 0xD5, 0xC1, 0x9A, 0xDC, 0x55, 0x79, 0xE7, 0xE9, 0x2D, 0x81, 0x42, 0x14, 0x55, 0x61, 0x47, 0x9B, 0xED, 0x76, 0x92, 0x1D, 0x2F, 0xB5, 0x7C, 0x28, 0x4B, 0xFF, 0x7B, 0xC2, 0x3B, 0x36, 0x73, 0x99, 0xA6, 0x21, 0x43, 0x0E, 0xA1, 0x1F, 0x82, 0xB8, 0x91, 0x71, 0x11, 0xB2, 0xC1 }
 };
 
-static const unsigned char cpA_dpki_rsa_pub[0x100] =
+static const CtrRsa2048Key xs9_dpki_rsa =
 {
-    0xAA, 0x7F, 0x93, 0x80, 0x28, 0x9B, 0xE8, 0x98, 
-	0x63, 0x10, 0x7A, 0xE1, 0x0C, 0x59, 0x2C, 0x2F, 
-	0x7C, 0xFF, 0xBD, 0xAA, 0xDD, 0x74, 0xF4, 0xA2, 
-	0xFB, 0xAC, 0xD7, 0x6F, 0x00, 0x93, 0x42, 0x06, 
-	0x34, 0x71, 0x56, 0xD8, 0x40, 0x49, 0x72, 0x9F, 
-	0x3E, 0x24, 0xFA, 0x5E, 0x19, 0xD1, 0x5B, 0x63, 
-	0x5C, 0xD2, 0xEF, 0x09, 0xDE, 0x32, 0xEE, 0x6B, 
-	0x6F, 0xC8, 0xFA, 0x32, 0x8E, 0x2E, 0x96, 0xB9, 
-	0x94, 0x41, 0x04, 0x7D, 0x07, 0x62, 0x95, 0xDA, 
-	0x0D, 0x91, 0xD8, 0x09, 0x35, 0xD0, 0xDE, 0x8E, 
-	0x6B, 0xC6, 0xAB, 0x14, 0x27, 0x01, 0x9C, 0xFE, 
-	0x49, 0x96, 0xFC, 0x9B, 0x54, 0x79, 0x4D, 0xEB, 
-	0xD7, 0xC6, 0x66, 0x73, 0xA6, 0xDD, 0x3A, 0x77, 
-	0x65, 0x47, 0x94, 0xEC, 0x1C, 0x87, 0xAA, 0x46, 
-	0xD9, 0x78, 0xA9, 0x7D, 0xDB, 0x11, 0x22, 0x6E, 
-	0xD4, 0x12, 0xC2, 0x78, 0x4B, 0x21, 0x83, 0x92, 
-	0xC7, 0x10, 0xC7, 0x74, 0x19, 0xFF, 0xAA, 0xF6, 
-	0x0B, 0x75, 0xD8, 0x23, 0xDD, 0x33, 0xC3, 0xA1, 
-	0x5B, 0xA7, 0x2D, 0x30, 0xA5, 0xA4, 0xD8, 0xF8, 
-	0x0F, 0xD6, 0x73, 0xFD, 0x26, 0xCB, 0x29, 0xA6, 
-	0xEF, 0x50, 0x39, 0xE2, 0x5F, 0x59, 0x61, 0x84, 
-	0x6B, 0xDA, 0x2E, 0xC7, 0xCB, 0xE4, 0x38, 0x4B, 
-	0x28, 0xFB, 0x0D, 0xD5, 0x8E, 0x7C, 0xAA, 0x7D, 
-	0x4B, 0x37, 0x3A, 0xD7, 0x81, 0xDD, 0x73, 0xE3, 
-	0x09, 0x93, 0xBD, 0xBD, 0x7E, 0x08, 0x55, 0x4A, 
-	0x8C, 0xA5, 0xC9, 0x84, 0x2D, 0x71, 0x01, 0xA2, 
-	0x2A, 0x01, 0xB0, 0x15, 0xFB, 0x30, 0x78, 0xB9, 
-	0x13, 0xF4, 0xC7, 0x3F, 0xB5, 0xA6, 0xF1, 0xA2, 
-	0x5E, 0x22, 0xB0, 0x02, 0xB6, 0xE0, 0x09, 0x54, 
-	0x7F, 0x0F, 0xBD, 0xF0, 0xFE, 0xA5, 0x50, 0x1D, 
-	0x93, 0x15, 0xF9, 0x3D, 0x83, 0x0F, 0x0F, 0x0E, 
-	0x3D, 0xE2, 0x3D, 0x96, 0xE7, 0x09, 0xD9, 0x77
+	.modulus = { 0xC0, 0x84, 0x4C, 0xEB, 0x7E, 0xB0, 0xCF, 0xF0, 0xAE, 0xB7, 0x77, 0x69, 0x85, 0x93, 0xE4, 0x99, 0x5A, 0x95, 0x4E, 0x58, 0x17, 0x38, 0xCE, 0xD6, 0x81, 0xB0, 0xBD, 0x77, 0x09, 0xE7, 0xF8, 0x9A, 0xDF, 0xAD, 0x05, 0x48, 0x83, 0xF6, 0xC3, 0xFD, 0xDF, 0x7B, 0x83, 0xE0, 0x0C, 0x26, 0x81, 0x54, 0x43, 0x29, 0xEA, 0x82, 0x6C, 0x89, 0xF0, 0xA6, 0x74, 0x42, 0x86, 0x4D, 0x32, 0x60, 0x32, 0x7D, 0xA7, 0x7A, 0x13, 0x40, 0x66, 0x59, 0xDA, 0x3E, 0x41, 0x6B, 0x27, 0x94, 0x03, 0x4F, 0xAA, 0x22, 0x9D, 0xD5, 0x54, 0x52, 0xDB, 0x27, 0x0A, 0x6A, 0xA2, 0x3D, 0x19, 0xB1, 0x66, 0x1B, 0x19, 0x7D, 0xAB, 0xC7, 0x0E, 0x88, 0x17, 0x91, 0xA1, 0x2A, 0xB4, 0x3C, 0x6C, 0xCB, 0xF5, 0xAA, 0x7C, 0x3A, 0xDD, 0x36, 0xFB, 0x35, 0x71, 0x7B, 0x20, 0x01, 0x59, 0x00, 0xD6, 0xF6, 0x90, 0x39, 0x35, 0x41, 0x31, 0xF8, 0xC1, 0xC0, 0x57, 0x3A, 0x35, 0x18, 0x58, 0x90, 0xB1, 0xAD, 0x9A, 0x0E, 0xEC, 0xE0, 0xF4, 0x7A, 0x7D, 0xA5, 0x27, 0x48, 0xC9, 0x72, 0xAB, 0x0D, 0x08, 0x7B, 0x62, 0x35, 0x40, 0x91, 0x14, 0x2B, 0xB1, 0x1D, 0x1A, 0xFA, 0xF9, 0xCD, 0x5C, 0x17, 0x13, 0x53, 0x52, 0x71, 0xCA, 0xE2, 0x2A, 0x78, 0xB1, 0x7F, 0x4A, 0xCD, 0x59, 0xD8, 0xBA, 0x1D, 0x7D, 0x70, 0x5F, 0x78, 0x1B, 0x9F, 0x9D, 0x37, 0x18, 0x8E, 0xD7, 0xCD, 0x0D, 0x49, 0x57, 0x74, 0x69, 0x88, 0x3A, 0x6B, 0x8E, 0x4E, 0x1B, 0x85, 0xDD, 0xBE, 0x39, 0x45, 0x05, 0x89, 0x56, 0x12, 0x97, 0x59, 0x9A, 0x09, 0xA4, 0xC8, 0x2D, 0x2F, 0xF5, 0xCF, 0xB4, 0x73, 0x70, 0xDB, 0x58, 0x1E, 0xB2, 0x4E, 0x77, 0x6F, 0xA4, 0x7E, 0x62, 0xDF, 0xB7, 0x05, 0xE8, 0x80, 0x42, 0x5C, 0xB8, 0x78, 0x87, 0x97, 0x7F, 0x66, 0x2C, 0x5F },
+	.priv_exponent = { 0x74, 0xCB, 0xCF, 0x1E, 0xD0, 0x2D, 0xD4, 0xF9, 0xE0, 0x05, 0xCE, 0x9C, 0x66, 0x3D, 0xE3, 0x62, 0x66, 0x62, 0x4E, 0xB5, 0x82, 0xE1, 0x24, 0x1B, 0x5F, 0x73, 0x2A, 0x7F, 0x1D, 0xB3, 0x6E, 0x50, 0x07, 0x83, 0xA0, 0xC0, 0xED, 0xCE, 0xB7, 0xF9, 0x3D, 0xAC, 0x61, 0xC5, 0x7B, 0x99, 0xA0, 0xBC, 0xCE, 0x42, 0x8F, 0xD3, 0xB0, 0xA5, 0xBF, 0x2A, 0x3D, 0x3E, 0x5E, 0xDC, 0x56, 0xC3, 0xA5, 0xDE, 0x35, 0xCD, 0x0A, 0x00, 0xF8, 0x17, 0x6B, 0x20, 0x79, 0xEF, 0xD8, 0x83, 0x23, 0xBF, 0x21, 0x28, 0xFF, 0x38, 0x7D, 0x80, 0x07, 0x15, 0x18, 0x6C, 0xB9, 0x20, 0xF8, 0x85, 0x77, 0xBC, 0xD9, 0x2A, 0x35, 0x1C, 0xFE, 0xE3, 0xF1, 0xE8, 0x98, 0x2E, 0xA0, 0x4A, 0x48, 0x77, 0x35, 0x03, 0xC9, 0x7A, 0xAC, 0xDA, 0xBE, 0x6D, 0x1D, 0xFB, 0xE4, 0xDE, 0xEC, 0x70, 0x65, 0xFA, 0x10, 0x65, 0xA4, 0xB8, 0x6A, 0xDF, 0x32, 0x6B, 0x8E, 0x28, 0x79, 0x25, 0x87, 0x72, 0xC0, 0x7C, 0x5B, 0x81, 0xBC, 0x81, 0x92, 0x44, 0x7D, 0xEA, 0x61, 0xBD, 0x3C, 0x48, 0xF3, 0x0E, 0x18, 0xDC, 0x8D, 0x89, 0xA0, 0x34, 0xC3, 0xAE, 0x9C, 0x57, 0x72, 0xA6, 0xD7, 0x7C, 0x79, 0xF7, 0xE9, 0x14, 0x6E, 0x15, 0xAC, 0x01, 0xFA, 0xFF, 0xC8, 0xA2, 0x2A, 0x3A, 0xAB, 0x24, 0x3C, 0x7E, 0x2E, 0xC5, 0xDA, 0x83, 0xD5, 0x9D, 0x24, 0x10, 0x83, 0x7A, 0xF4, 0xBB, 0xA3, 0x6F, 0x88, 0xCE, 0xEC, 0x24, 0x1B, 0xF4, 0x36, 0x2E, 0x96, 0xC9, 0x6D, 0x19, 0x02, 0xFE, 0xAA, 0x21, 0x3E, 0x95, 0xA7, 0xFE, 0x83, 0xC8, 0x99, 0x7F, 0xD1, 0xCB, 0x7C, 0x1F, 0x91, 0x30, 0xDB, 0xA4, 0xD3, 0xDD, 0xDA, 0x9B, 0x12, 0x4E, 0x24, 0xD1, 0xA5, 0x6F, 0x15, 0xFC, 0x2C, 0x72, 0x98, 0x2C, 0x89, 0xC5, 0x7D, 0x89, 0xDE, 0x2B, 0x4E, 0x01 }
 };
 
-static const unsigned char xs9_dpki_rsa_priv[0x100] =
+static const CtrRsa2048Key dev_ncsd_cfa_rsa =
 {
-	0x74, 0xCB, 0xCF, 0x1E, 0xD0, 0x2D, 0xD4, 0xF9, 
-	0xE0, 0x05, 0xCE, 0x9C, 0x66, 0x3D, 0xE3, 0x62, 
-	0x66, 0x62, 0x4E, 0xB5, 0x82, 0xE1, 0x24, 0x1B, 
-	0x5F, 0x73, 0x2A, 0x7F, 0x1D, 0xB3, 0x6E, 0x50, 
-	0x07, 0x83, 0xA0, 0xC0, 0xED, 0xCE, 0xB7, 0xF9, 
-	0x3D, 0xAC, 0x61, 0xC5, 0x7B, 0x99, 0xA0, 0xBC, 
-	0xCE, 0x42, 0x8F, 0xD3, 0xB0, 0xA5, 0xBF, 0x2A, 
-	0x3D, 0x3E, 0x5E, 0xDC, 0x56, 0xC3, 0xA5, 0xDE, 
-	0x35, 0xCD, 0x0A, 0x00, 0xF8, 0x17, 0x6B, 0x20, 
-	0x79, 0xEF, 0xD8, 0x83, 0x23, 0xBF, 0x21, 0x28, 
-	0xFF, 0x38, 0x7D, 0x80, 0x07, 0x15, 0x18, 0x6C, 
-	0xB9, 0x20, 0xF8, 0x85, 0x77, 0xBC, 0xD9, 0x2A, 
-	0x35, 0x1C, 0xFE, 0xE3, 0xF1, 0xE8, 0x98, 0x2E, 
-	0xA0, 0x4A, 0x48, 0x77, 0x35, 0x03, 0xC9, 0x7A, 
-	0xAC, 0xDA, 0xBE, 0x6D, 0x1D, 0xFB, 0xE4, 0xDE, 
-	0xEC, 0x70, 0x65, 0xFA, 0x10, 0x65, 0xA4, 0xB8, 
-	0x6A, 0xDF, 0x32, 0x6B, 0x8E, 0x28, 0x79, 0x25, 
-	0x87, 0x72, 0xC0, 0x7C, 0x5B, 0x81, 0xBC, 0x81, 
-	0x92, 0x44, 0x7D, 0xEA, 0x61, 0xBD, 0x3C, 0x48, 
-	0xF3, 0x0E, 0x18, 0xDC, 0x8D, 0x89, 0xA0, 0x34, 
-	0xC3, 0xAE, 0x9C, 0x57, 0x72, 0xA6, 0xD7, 0x7C, 
-	0x79, 0xF7, 0xE9, 0x14, 0x6E, 0x15, 0xAC, 0x01, 
-	0xFA, 0xFF, 0xC8, 0xA2, 0x2A, 0x3A, 0xAB, 0x24, 
-	0x3C, 0x7E, 0x2E, 0xC5, 0xDA, 0x83, 0xD5, 0x9D, 
-	0x24, 0x10, 0x83, 0x7A, 0xF4, 0xBB, 0xA3, 0x6F, 
-	0x88, 0xCE, 0xEC, 0x24, 0x1B, 0xF4, 0x36, 0x2E, 
-	0x96, 0xC9, 0x6D, 0x19, 0x02, 0xFE, 0xAA, 0x21, 
-	0x3E, 0x95, 0xA7, 0xFE, 0x83, 0xC8, 0x99, 0x7F, 
-	0xD1, 0xCB, 0x7C, 0x1F, 0x91, 0x30, 0xDB, 0xA4, 
-	0xD3, 0xDD, 0xDA, 0x9B, 0x12, 0x4E, 0x24, 0xD1, 
-	0xA5, 0x6F, 0x15, 0xFC, 0x2C, 0x72, 0x98, 0x2C, 
-	0x89, 0xC5, 0x7D, 0x89, 0xDE, 0x2B, 0x4E, 0x01
+	.modulus = { 0xB9, 0x0C, 0xC4, 0xC6, 0x78, 0xF8, 0x6E, 0x30, 0x05, 0x28, 0xC1, 0xCB, 0xD2, 0xCF, 0xA7, 0x80, 0x5C, 0x57, 0x4D, 0x16, 0x9C, 0xAF, 0xA6, 0xCD, 0x01, 0xBB, 0x83, 0x33, 0xAD, 0x03, 0xBB, 0x06, 0x63, 0xD8, 0x17, 0xF5, 0xE3, 0xDF, 0xDA, 0x0D, 0x3B, 0x86, 0x0E, 0xA2, 0x80, 0x47, 0x94, 0x44, 0x6F, 0xD9, 0x97, 0x7E, 0x78, 0x6A, 0xC3, 0x93, 0x93, 0xEF, 0x02, 0xFC, 0x22, 0x9F, 0x80, 0x77, 0x8C, 0x70, 0x92, 0x1C, 0x43, 0xB1, 0x37, 0x4C, 0x76, 0xE0, 0x57, 0x3B, 0xAB, 0x89, 0xFF, 0xEF, 0xE5, 0xBB, 0x3E, 0xAB, 0x91, 0x39, 0xB8, 0xD9, 0x66, 0x0B, 0x64, 0x28, 0x91, 0x92, 0xE9, 0xD0, 0xB3, 0xDF, 0xD1, 0x4B, 0xC1, 0x73, 0xB5, 0x3F, 0x56, 0xA0, 0x40, 0x10, 0xFE, 0x15, 0x2B, 0x1F, 0xA2, 0x7A, 0xDE, 0x31, 0xB0, 0x26, 0x40, 0xC3, 0x57, 0xFD, 0x35, 0xCB, 0xF0, 0xFA, 0xFF, 0xFB, 0x6F, 0xDB, 0xCD, 0x34, 0x1D, 0x51, 0x2D, 0x2D, 0x81, 0x18, 0xFF, 0x0C, 0x08, 0x51, 0xD5, 0xB4, 0x4B, 0x56, 0x16, 0x02, 0x9F, 0x4E, 0x6A, 0xDF, 0x06, 0x6E, 0xCB, 0x72, 0x85, 0xE9, 0x2E, 0x43, 0xA2, 0x08, 0x78, 0x0C, 0x38, 0x9C, 0x19, 0xBD, 0x7B, 0x74, 0x74, 0x68, 0xC4, 0x2D, 0xC1, 0x35, 0x9E, 0x65, 0x3B, 0xD8, 0x99, 0x04, 0x1C, 0x8B, 0x93, 0x8E, 0x7E, 0x92, 0x7C, 0xBB, 0xDD, 0x60, 0xEC, 0xE7, 0xFE, 0x0E, 0x9D, 0x4F, 0x36, 0x46, 0xE6, 0xF1, 0x5C, 0x94, 0x70, 0xEE, 0x67, 0x5F, 0x36, 0x2B, 0x70, 0x44, 0x8D, 0xCA, 0x09, 0xB9, 0x58, 0x67, 0xD2, 0x9F, 0xAD, 0x1F, 0x13, 0x54, 0x74, 0xAD, 0xA6, 0x84, 0x44, 0x28, 0xF3, 0xDE, 0x7E, 0x4C, 0x20, 0x2B, 0xC5, 0xE9, 0x12, 0xE9, 0x5E, 0xFB, 0x8D, 0x77, 0xA9, 0xA4, 0xD2, 0x0D, 0x3C, 0x38, 0x24, 0xBE, 0xF5, 0x8A, 0xB5, 0xF5 },
+	.priv_exponent = { 0x32, 0x36, 0x43, 0xC2, 0xB3, 0x1A, 0x7E, 0x13, 0xAB, 0xA2, 0xB6, 0x8B, 0x4F, 0x05, 0xA7, 0xA6, 0xCD, 0xE7, 0xA6, 0x74, 0x47, 0x49, 0xE6, 0x51, 0xE4, 0x71, 0x74, 0x15, 0x76, 0x91, 0xF7, 0x92, 0xB1, 0x4E, 0xF6, 0x99, 0x73, 0x1E, 0xCF, 0xB5, 0x1D, 0x7C, 0xAF, 0xC5, 0xEA, 0x57, 0x01, 0xE5, 0x5C, 0x10, 0x47, 0xEA, 0x3A, 0x54, 0x86, 0x03, 0x2A, 0x76, 0x05, 0x72, 0x53, 0x16, 0xC2, 0xAE, 0x2D, 0xBE, 0x71, 0xF7, 0x17, 0x6B, 0x23, 0xDD, 0x2C, 0xB8, 0x8D, 0x13, 0x14, 0xE5, 0xDA, 0x3B, 0xC7, 0x33, 0x7A, 0xBA, 0xE5, 0x2A, 0x2B, 0x7D, 0x5A, 0x12, 0x27, 0x38, 0x56, 0xDF, 0xED, 0x70, 0x03, 0x0E, 0xED, 0x64, 0xC7, 0xF6, 0x54, 0xAC, 0xFE, 0x1D, 0x77, 0xA4, 0xE4, 0xBC, 0xEB, 0xB9, 0xA6, 0xC5, 0xFE, 0x3A, 0xAF, 0x58, 0x81, 0xE4, 0x3F, 0xA0, 0xE6, 0x93, 0x13, 0x2D, 0x98, 0x7D, 0xB3, 0xE2, 0xC9, 0xC8, 0xD6, 0x31, 0x91, 0x73, 0x9D, 0xCA, 0xC9, 0x44, 0xEF, 0xD0, 0x39, 0xBF, 0x38, 0xFD, 0x1C, 0x91, 0x72, 0x93, 0x40, 0xA9, 0x8A, 0x0D, 0x3E, 0x32, 0xC4, 0x59, 0x4B, 0x0C, 0xC7, 0xEA, 0x50, 0x41, 0x9F, 0xF5, 0xE2, 0xB7, 0x50, 0x7C, 0xE3, 0xC9, 0xEC, 0x46, 0x18, 0xAC, 0xB4, 0x91, 0x2A, 0x32, 0xE0, 0xD8, 0x10, 0x6F, 0xFC, 0x81, 0xB3, 0x95, 0xF3, 0xFC, 0x78, 0xC0, 0xEF, 0xE5, 0x7B, 0x8D, 0x14, 0xD4, 0x36, 0x26, 0x5F, 0xC6, 0x32, 0xC0, 0x19, 0x87, 0x5C, 0x77, 0x26, 0x37, 0xD8, 0xAE, 0x66, 0xD6, 0x0B, 0x28, 0x26, 0x43, 0x7C, 0x25, 0xDB, 0x6D, 0x5C, 0xE8, 0x94, 0x8F, 0xA9, 0x77, 0x07, 0xB2, 0xC0, 0x85, 0xCD, 0x41, 0xBA, 0x48, 0x88, 0x73, 0x34, 0xD5, 0x20, 0x8A, 0x0F, 0xE3, 0x9E, 0x99, 0xF0, 0xC8, 0xE8, 0xD9, 0x2C, 0x2A, 0x21, 0x69, 0xE4, 0xC1 }
 };
 
-static const unsigned char xs9_dpki_rsa_pub[0x100] =
+static const CtrRsa2048Key dev_accessdesc_rsa =
 {
-	0xC0, 0x84, 0x4C, 0xEB, 0x7E, 0xB0, 0xCF, 0xF0, 
-	0xAE, 0xB7, 0x77, 0x69, 0x85, 0x93, 0xE4, 0x99, 
-	0x5A, 0x95, 0x4E, 0x58, 0x17, 0x38, 0xCE, 0xD6, 
-	0x81, 0xB0, 0xBD, 0x77, 0x09, 0xE7, 0xF8, 0x9A, 
-	0xDF, 0xAD, 0x05, 0x48, 0x83, 0xF6, 0xC3, 0xFD, 
-	0xDF, 0x7B, 0x83, 0xE0, 0x0C, 0x26, 0x81, 0x54, 
-	0x43, 0x29, 0xEA, 0x82, 0x6C, 0x89, 0xF0, 0xA6, 
-	0x74, 0x42, 0x86, 0x4D, 0x32, 0x60, 0x32, 0x7D, 
-	0xA7, 0x7A, 0x13, 0x40, 0x66, 0x59, 0xDA, 0x3E, 
-	0x41, 0x6B, 0x27, 0x94, 0x03, 0x4F, 0xAA, 0x22, 
-	0x9D, 0xD5, 0x54, 0x52, 0xDB, 0x27, 0x0A, 0x6A, 
-	0xA2, 0x3D, 0x19, 0xB1, 0x66, 0x1B, 0x19, 0x7D, 
-	0xAB, 0xC7, 0x0E, 0x88, 0x17, 0x91, 0xA1, 0x2A, 
-	0xB4, 0x3C, 0x6C, 0xCB, 0xF5, 0xAA, 0x7C, 0x3A, 
-	0xDD, 0x36, 0xFB, 0x35, 0x71, 0x7B, 0x20, 0x01, 
-	0x59, 0x00, 0xD6, 0xF6, 0x90, 0x39, 0x35, 0x41, 
-	0x31, 0xF8, 0xC1, 0xC0, 0x57, 0x3A, 0x35, 0x18, 
-	0x58, 0x90, 0xB1, 0xAD, 0x9A, 0x0E, 0xEC, 0xE0, 
-	0xF4, 0x7A, 0x7D, 0xA5, 0x27, 0x48, 0xC9, 0x72, 
-	0xAB, 0x0D, 0x08, 0x7B, 0x62, 0x35, 0x40, 0x91, 
-	0x14, 0x2B, 0xB1, 0x1D, 0x1A, 0xFA, 0xF9, 0xCD, 
-	0x5C, 0x17, 0x13, 0x53, 0x52, 0x71, 0xCA, 0xE2, 
-	0x2A, 0x78, 0xB1, 0x7F, 0x4A, 0xCD, 0x59, 0xD8, 
-	0xBA, 0x1D, 0x7D, 0x70, 0x5F, 0x78, 0x1B, 0x9F, 
-	0x9D, 0x37, 0x18, 0x8E, 0xD7, 0xCD, 0x0D, 0x49, 
-	0x57, 0x74, 0x69, 0x88, 0x3A, 0x6B, 0x8E, 0x4E, 
-	0x1B, 0x85, 0xDD, 0xBE, 0x39, 0x45, 0x05, 0x89, 
-	0x56, 0x12, 0x97, 0x59, 0x9A, 0x09, 0xA4, 0xC8, 
-	0x2D, 0x2F, 0xF5, 0xCF, 0xB4, 0x73, 0x70, 0xDB, 
-	0x58, 0x1E, 0xB2, 0x4E, 0x77, 0x6F, 0xA4, 0x7E, 
-	0x62, 0xDF, 0xB7, 0x05, 0xE8, 0x80, 0x42, 0x5C, 
-	0xB8, 0x78, 0x87, 0x97, 0x7F, 0x66, 0x2C, 0x5F
+	.modulus = { 0xF4, 0x3C, 0x45, 0x82, 0xFB, 0xF8, 0x90, 0x5D, 0x07, 0x02, 0x9F, 0x2A, 0x98, 0x8B, 0x63, 0xB7, 0xD3, 0x8F, 0x3C, 0xE2, 0xE0, 0xE0, 0x93, 0xBF, 0xDF, 0x32, 0x43, 0x4D, 0xBE, 0xF4, 0xD1, 0x7A, 0x3A, 0x4E, 0x54, 0x31, 0xD7, 0x73, 0xAE, 0x99, 0x4C, 0xC4, 0x1F, 0x3C, 0x3E, 0xF0, 0x57, 0x05, 0xA3, 0x8A, 0x45, 0x54, 0x60, 0xD8, 0x8F, 0xD9, 0x1D, 0x68, 0x0D, 0x0E, 0x2E, 0xEF, 0xC8, 0xE8, 0x3D, 0xC9, 0x19, 0xF3, 0x73, 0x1E, 0x2D, 0xDA, 0x77, 0x88, 0x3E, 0xCA, 0x5E, 0x25, 0x70, 0x4B, 0xF7, 0x70, 0x95, 0x83, 0x54, 0x24, 0xE0, 0xC3, 0x1A, 0x75, 0xDF, 0x61, 0x3D, 0xD1, 0x42, 0xEC, 0x35, 0x1B, 0x38, 0xD6, 0xC1, 0xF6, 0x7E, 0x18, 0x2A, 0x84, 0x85, 0xDD, 0x57, 0x74, 0x1F, 0x0A, 0x2E, 0xF6, 0xB2, 0x94, 0xA2, 0x3E, 0xE9, 0xA1, 0xD0, 0x09, 0xF7, 0x3A, 0x99, 0x80, 0x05, 0xAF, 0x57, 0x55, 0xEF, 0x52, 0xFA, 0x24, 0x3E, 0x7F, 0xD4, 0x7C, 0x41, 0x44, 0x7B, 0x06, 0x7F, 0xB9, 0x5B, 0x2E, 0x8E, 0x96, 0xAE, 0x46, 0x12, 0x4D, 0x64, 0x21, 0xE5, 0x0F, 0x85, 0xCC, 0xEB, 0x92, 0xE5, 0xF0, 0xF5, 0xA7, 0x42, 0x27, 0x3B, 0xEC, 0xF8, 0xE7, 0x81, 0x75, 0x6F, 0x63, 0x0A, 0x8B, 0x0D, 0x77, 0x38, 0x51, 0xE6, 0x66, 0x33, 0xBA, 0x79, 0xDC, 0x2F, 0x2C, 0x8F, 0xC3, 0x28, 0x06, 0xBB, 0x03, 0x9C, 0xDB, 0xD1, 0x64, 0x0A, 0x66, 0xF0, 0xF8, 0xC1, 0x2A, 0x49, 0x1D, 0x0C, 0x6E, 0x35, 0xBB, 0xEA, 0xB3, 0x5C, 0x0D, 0xE9, 0x95, 0x7C, 0x67, 0xBE, 0x65, 0x77, 0xEC, 0x07, 0xC0, 0x23, 0x05, 0x0A, 0x72, 0x48, 0x86, 0xE9, 0x9E, 0xFC, 0x25, 0x15, 0xE7, 0xC8, 0x21, 0x65, 0xE0, 0x1B, 0xD5, 0xD5, 0x0E, 0xD3, 0x11, 0x54, 0xBB, 0x29, 0x78, 0xBF, 0x2A, 0x3C, 0x3B, 0xB6, 0xB1 },
+	.priv_exponent = {0}
 };
 
-static const unsigned char dev_ncsd_cfa_priv[0x100] =
+static const CtrRsa2048Key dev_crr_rsa =
 {
-	0x32, 0x36, 0x43, 0xC2, 0xB3, 0x1A, 0x7E, 0x13, 
-	0xAB, 0xA2, 0xB6, 0x8B, 0x4F, 0x05, 0xA7, 0xA6, 
-	0xCD, 0xE7, 0xA6, 0x74, 0x47, 0x49, 0xE6, 0x51, 
-	0xE4, 0x71, 0x74, 0x15, 0x76, 0x91, 0xF7, 0x92, 
-	0xB1, 0x4E, 0xF6, 0x99, 0x73, 0x1E, 0xCF, 0xB5, 
-	0x1D, 0x7C, 0xAF, 0xC5, 0xEA, 0x57, 0x01, 0xE5, 
-	0x5C, 0x10, 0x47, 0xEA, 0x3A, 0x54, 0x86, 0x03, 
-	0x2A, 0x76, 0x05, 0x72, 0x53, 0x16, 0xC2, 0xAE, 
-	0x2D, 0xBE, 0x71, 0xF7, 0x17, 0x6B, 0x23, 0xDD, 
-	0x2C, 0xB8, 0x8D, 0x13, 0x14, 0xE5, 0xDA, 0x3B, 
-	0xC7, 0x33, 0x7A, 0xBA, 0xE5, 0x2A, 0x2B, 0x7D, 
-	0x5A, 0x12, 0x27, 0x38, 0x56, 0xDF, 0xED, 0x70, 
-	0x03, 0x0E, 0xED, 0x64, 0xC7, 0xF6, 0x54, 0xAC, 
-	0xFE, 0x1D, 0x77, 0xA4, 0xE4, 0xBC, 0xEB, 0xB9, 
-	0xA6, 0xC5, 0xFE, 0x3A, 0xAF, 0x58, 0x81, 0xE4, 
-	0x3F, 0xA0, 0xE6, 0x93, 0x13, 0x2D, 0x98, 0x7D, 
-	0xB3, 0xE2, 0xC9, 0xC8, 0xD6, 0x31, 0x91, 0x73, 
-	0x9D, 0xCA, 0xC9, 0x44, 0xEF, 0xD0, 0x39, 0xBF, 
-	0x38, 0xFD, 0x1C, 0x91, 0x72, 0x93, 0x40, 0xA9, 
-	0x8A, 0x0D, 0x3E, 0x32, 0xC4, 0x59, 0x4B, 0x0C, 
-	0xC7, 0xEA, 0x50, 0x41, 0x9F, 0xF5, 0xE2, 0xB7, 
-	0x50, 0x7C, 0xE3, 0xC9, 0xEC, 0x46, 0x18, 0xAC, 
-	0xB4, 0x91, 0x2A, 0x32, 0xE0, 0xD8, 0x10, 0x6F, 
-	0xFC, 0x81, 0xB3, 0x95, 0xF3, 0xFC, 0x78, 0xC0, 
-	0xEF, 0xE5, 0x7B, 0x8D, 0x14, 0xD4, 0x36, 0x26, 
-	0x5F, 0xC6, 0x32, 0xC0, 0x19, 0x87, 0x5C, 0x77, 
-	0x26, 0x37, 0xD8, 0xAE, 0x66, 0xD6, 0x0B, 0x28, 
-	0x26, 0x43, 0x7C, 0x25, 0xDB, 0x6D, 0x5C, 0xE8, 
-	0x94, 0x8F, 0xA9, 0x77, 0x07, 0xB2, 0xC0, 0x85, 
-	0xCD, 0x41, 0xBA, 0x48, 0x88, 0x73, 0x34, 0xD5, 
-	0x20, 0x8A, 0x0F, 0xE3, 0x9E, 0x99, 0xF0, 0xC8, 
-	0xE8, 0xD9, 0x2C, 0x2A, 0x21, 0x69, 0xE4, 0xC1
+	.modulus = { 0xC5, 0xF7, 0x09, 0x80, 0x5F, 0xDA, 0xDC, 0xBD, 0x46, 0x07, 0x52, 0xAA, 0x6D, 0xCD, 0x72, 0xB2, 0x50, 0x09, 0x77, 0x47, 0x8A, 0x4F, 0x09, 0x2A, 0xE2, 0x91, 0xB4, 0x5F, 0x04, 0x97, 0x51, 0x75, 0xC9, 0x19, 0x6F, 0x95, 0xBB, 0x23, 0x14, 0x7D, 0x34, 0xDF, 0x77, 0x78, 0x07, 0xE8, 0xD1, 0x10, 0x11, 0xAF, 0xCE, 0x02, 0xB8, 0x73, 0xA9, 0xFB, 0x64, 0xB7, 0x65, 0x87, 0xE5, 0x67, 0xDD, 0x67, 0x37, 0x75, 0xFD, 0x0F, 0xE2, 0x97, 0xBC, 0x79, 0xA8, 0xCC, 0xF9, 0xFA, 0x18, 0xB2, 0x62, 0x4D, 0xF7, 0x53, 0x6B, 0x9C, 0x0E, 0x1A, 0xAB, 0x90, 0xE6, 0x52, 0x86, 0xC8, 0x1C, 0x92, 0x2C, 0x61, 0x53, 0xA9, 0x01, 0xDA, 0x43, 0x93, 0xD0, 0x42, 0x2E, 0xDD, 0xD5, 0x4C, 0x8C, 0x4C, 0xE8, 0x91, 0x56, 0xEC, 0xEE, 0x12, 0x70, 0x0B, 0x64, 0xF0, 0x0A, 0xD6, 0xAF, 0xF8, 0x60, 0xC2, 0xA8, 0x26, 0x7A, 0xC8, 0xBA, 0x55, 0x9A, 0xA1, 0x44, 0xFD, 0x09, 0x47, 0x26, 0xA0, 0xC1, 0x99, 0x9E, 0xF1, 0x24, 0xDF, 0xA3, 0xC2, 0xBB, 0xFF, 0x07, 0x45, 0xD9, 0xD6, 0xA4, 0xC0, 0xFF, 0x6C, 0x6C, 0x78, 0x7B, 0x6D, 0x70, 0x8C, 0x74, 0x44, 0xB0, 0x95, 0xE6, 0xC6, 0x66, 0x5E, 0x7E, 0xBE, 0x71, 0xC5, 0x91, 0x34, 0x73, 0xA7, 0xD4, 0x4C, 0x0D, 0xFC, 0xA9, 0x21, 0x49, 0x94, 0x92, 0xA1, 0x6A, 0x4D, 0x30, 0xA3, 0xD6, 0x9F, 0x6C, 0x60, 0x40, 0x0C, 0xEE, 0xEB, 0xF8, 0x99, 0x22, 0xE1, 0x6F, 0xFC, 0x3C, 0x96, 0x23, 0xAA, 0x11, 0x34, 0x00, 0x4E, 0xFC, 0x2D, 0x60, 0x41, 0x45, 0xE3, 0x5D, 0x78, 0x06, 0xB1, 0xF1, 0xC3, 0x07, 0xB9, 0xD3, 0x47, 0xD0, 0xF1, 0x8C, 0x26, 0x33, 0x1F, 0x6B, 0x46, 0xDD, 0xF3, 0xE3, 0x84, 0x64, 0xA7, 0xF1, 0x53, 0x11, 0xE1, 0x53, 0x4E, 0x99, 0xDB, 0xAC, 0x53 },
+	.priv_exponent = {0}
 };
 
-static const unsigned char dev_ncsd_cfa_pub[0x100] =
+static const unsigned char dev_crr_sign[0x100] = // signature over dev_crr_presigned_rsa.modulus + some other data in CRR header
 {
-	0xB9, 0x0C, 0xC4, 0xC6, 0x78, 0xF8, 0x6E, 0x30, 
-	0x05, 0x28, 0xC1, 0xCB, 0xD2, 0xCF, 0xA7, 0x80, 
-	0x5C, 0x57, 0x4D, 0x16, 0x9C, 0xAF, 0xA6, 0xCD, 
-	0x01, 0xBB, 0x83, 0x33, 0xAD, 0x03, 0xBB, 0x06, 
-	0x63, 0xD8, 0x17, 0xF5, 0xE3, 0xDF, 0xDA, 0x0D, 
-	0x3B, 0x86, 0x0E, 0xA2, 0x80, 0x47, 0x94, 0x44, 
-	0x6F, 0xD9, 0x97, 0x7E, 0x78, 0x6A, 0xC3, 0x93, 
-	0x93, 0xEF, 0x02, 0xFC, 0x22, 0x9F, 0x80, 0x77, 
-	0x8C, 0x70, 0x92, 0x1C, 0x43, 0xB1, 0x37, 0x4C, 
-	0x76, 0xE0, 0x57, 0x3B, 0xAB, 0x89, 0xFF, 0xEF, 
-	0xE5, 0xBB, 0x3E, 0xAB, 0x91, 0x39, 0xB8, 0xD9, 
-	0x66, 0x0B, 0x64, 0x28, 0x91, 0x92, 0xE9, 0xD0, 
-	0xB3, 0xDF, 0xD1, 0x4B, 0xC1, 0x73, 0xB5, 0x3F, 
-	0x56, 0xA0, 0x40, 0x10, 0xFE, 0x15, 0x2B, 0x1F, 
-	0xA2, 0x7A, 0xDE, 0x31, 0xB0, 0x26, 0x40, 0xC3, 
-	0x57, 0xFD, 0x35, 0xCB, 0xF0, 0xFA, 0xFF, 0xFB, 
-	0x6F, 0xDB, 0xCD, 0x34, 0x1D, 0x51, 0x2D, 0x2D, 
-	0x81, 0x18, 0xFF, 0x0C, 0x08, 0x51, 0xD5, 0xB4, 
-	0x4B, 0x56, 0x16, 0x02, 0x9F, 0x4E, 0x6A, 0xDF, 
-	0x06, 0x6E, 0xCB, 0x72, 0x85, 0xE9, 0x2E, 0x43, 
-	0xA2, 0x08, 0x78, 0x0C, 0x38, 0x9C, 0x19, 0xBD, 
-	0x7B, 0x74, 0x74, 0x68, 0xC4, 0x2D, 0xC1, 0x35, 
-	0x9E, 0x65, 0x3B, 0xD8, 0x99, 0x04, 0x1C, 0x8B, 
-	0x93, 0x8E, 0x7E, 0x92, 0x7C, 0xBB, 0xDD, 0x60, 
-	0xEC, 0xE7, 0xFE, 0x0E, 0x9D, 0x4F, 0x36, 0x46, 
-	0xE6, 0xF1, 0x5C, 0x94, 0x70, 0xEE, 0x67, 0x5F, 
-	0x36, 0x2B, 0x70, 0x44, 0x8D, 0xCA, 0x09, 0xB9, 
-	0x58, 0x67, 0xD2, 0x9F, 0xAD, 0x1F, 0x13, 0x54, 
-	0x74, 0xAD, 0xA6, 0x84, 0x44, 0x28, 0xF3, 0xDE, 
-	0x7E, 0x4C, 0x20, 0x2B, 0xC5, 0xE9, 0x12, 0xE9, 
-	0x5E, 0xFB, 0x8D, 0x77, 0xA9, 0xA4, 0xD2, 0x0D, 
-	0x3C, 0x38, 0x24, 0xBE, 0xF5, 0x8A, 0xB5, 0xF5
+	0x96, 0x5C, 0xBE, 0x5E, 0xEF, 0x08, 0x0B, 0x29, 0xEF, 0x95, 0x12, 0xA4, 0x80, 0x36, 0x47, 0xD5, 0x8F, 0xEC, 0xD0, 0xCB, 0x00, 0x4C, 0x29, 0xDC, 0x5E, 0x87, 0xCF, 0x87, 0x66, 0x4B, 0x94, 0xDE, 0xF0, 0xF6, 0x95, 0x19, 0x13, 0xF4, 0x29, 0xC7, 0x89, 0x55, 0x91, 0x2E, 0x3B, 0x17, 0x1C, 0x86, 0x61, 0x03, 0x03, 0xDC, 0x6A, 0x3E, 0x33, 0xD4, 0x7A, 0xEA, 0xF9, 0x14, 0x82, 0x50, 0xF9, 0x3F, 0xAD, 0xCF, 0x9F, 0xB8, 0xE0, 0xAD, 0xF6, 0x40, 0x0F, 0xE6, 0x41, 0x7D, 0x18, 0xB4, 0xC2, 0x1A, 0x1F, 0xA6, 0x2F, 0x51, 0x40, 0x5F, 0x0A, 0x4B, 0x57, 0x4B, 0x73, 0xC2, 0x6A, 0xB9, 0x73, 0x18, 0x5A, 0x9E, 0xC3, 0x90, 0x7D, 0xCC, 0x5B, 0xEC, 0x46, 0x6D, 0x93, 0x09, 0xB6, 0xF0, 0x84, 0x64, 0x46, 0x12, 0x77, 0x7C, 0x87, 0x25, 0xEB, 0x4C, 0xAE, 0x83, 0xB8, 0x25, 0x6E, 0xF7, 0x7D, 0x45, 0xDF, 0xF6, 0x4A, 0x32, 0x9B, 0x8E, 0x32, 0xC6, 0xCF, 0x63, 0x37, 0x92, 0x7D, 0x01, 0xDD, 0xE9, 0x71, 0x37, 0x0C, 0x2E, 0xB7, 0x83, 0xB7, 0x7C, 0x43, 0x37, 0x20, 0x34, 0xF1, 0xAF, 0x78, 0x4A, 0xB0, 0x84, 0xE0, 0x4C, 0x67, 0x54, 0xA8, 0x75, 0x12, 0xE5, 0x27, 0x38, 0x45, 0xFF, 0x49, 0x9D, 0xF3, 0xFC, 0x3F, 0xCE, 0x73, 0x44, 0xE3, 0x28, 0xD0, 0xD6, 0x00, 0x1F, 0x46, 0xF9, 0x64, 0x3B, 0xDC, 0xEE, 0x30, 0xA8, 0x63, 0x05, 0xB0, 0xF1, 0xA6, 0x4B, 0x21, 0x34, 0x2A, 0xEE, 0xBA, 0x1C, 0x89, 0x0B, 0x80, 0xB8, 0x00, 0xC7, 0x40, 0xCB, 0x66, 0x69, 0x44, 0x27, 0x01, 0xAC, 0x08, 0xC3, 0x97, 0xC5, 0x37, 0xE4, 0x8B, 0xAA, 0x41, 0xB1, 0xEE, 0x48, 0xE0, 0xA7, 0xD6, 0x6F, 0x8A, 0xF5, 0x40, 0x90, 0xD4, 0x2D, 0x81, 0xD4, 0xED, 0x9D, 0xCA, 0x03, 0xFE, 0x35, 0xB3, 0x66, 0xAF, 0x82
 };
 
-static const unsigned char dev_acex_priv[0x100] =
+static const CtrRsa2048Key dev_crr_presigned_rsa = // pre signed rsakey
 {
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	.modulus = { 0xE2, 0xAD, 0xA6, 0xEA, 0xCA, 0xA3, 0xE8, 0xCC, 0xA9, 0x70, 0x1D, 0x2E, 0x23, 0x4B, 0xC6, 0x55, 0xCE, 0x13, 0xD9, 0xA7, 0x58, 0xB4, 0xC7, 0x73, 0x96, 0x1D, 0xE8, 0xC3, 0x09, 0x4D, 0x9B, 0xC3, 0xEB, 0x69, 0xA2, 0x37, 0x83, 0x5D, 0xD8, 0x37, 0x04, 0x72, 0x7A, 0x4F, 0xEA, 0x53, 0x98, 0x9D, 0x0E, 0x01, 0x34, 0x70, 0x9A, 0x82, 0x06, 0xE7, 0x6A, 0xC9, 0xF8, 0x0E, 0x49, 0x5A, 0xA4, 0xE7, 0x0E, 0xFA, 0xD4, 0xAB, 0x3B, 0xC5, 0xD7, 0xF1, 0xA4, 0xFC, 0x92, 0x7F, 0xD0, 0xF3, 0xCD, 0xD5, 0xB9, 0x2A, 0x1A, 0x41, 0x62, 0xB3, 0x7B, 0x3E, 0x1E, 0x35, 0x46, 0x41, 0x8E, 0xB2, 0x53, 0x1A, 0x60, 0xF8, 0xC2, 0xD1, 0x94, 0xB3, 0x9D, 0x76, 0x9F, 0x1D, 0x98, 0xAC, 0xF0, 0xCF, 0xE3, 0xA9, 0x05, 0x85, 0xF2, 0xBF, 0x55, 0x76, 0x1B, 0x89, 0x1C, 0xC3, 0x19, 0x2E, 0xEE, 0x94, 0xBE, 0x75, 0x0F, 0xA3, 0x76, 0x8B, 0x24, 0x24, 0x97, 0xFA, 0xC0, 0x53, 0x24, 0xF5, 0x85, 0x02, 0x19, 0x9D, 0xC5, 0x11, 0x2E, 0x6B, 0xA3, 0x26, 0xFE, 0xF7, 0x55, 0xD4, 0x23, 0x0A, 0x73, 0x3F, 0x37, 0x53, 0xEA, 0xC2, 0xB7, 0xC1, 0xC9, 0xD8, 0xF3, 0x2F, 0x78, 0x76, 0x4A, 0xA0, 0x69, 0x60, 0x91, 0xC2, 0x7D, 0x11, 0x74, 0xEF, 0x96, 0xD9, 0x74, 0x53, 0xB1, 0x1C, 0xB0, 0xC4, 0x32, 0x16, 0x82, 0x3B, 0xAF, 0x61, 0xB2, 0xDE, 0x38, 0x87, 0x3E, 0x37, 0x4B, 0xA3, 0x95, 0x88, 0x8E, 0xE0, 0x27, 0x9A, 0x1F, 0x7D, 0xB8, 0x23, 0xC3, 0x63, 0xE8, 0x68, 0x51, 0xD9, 0x8C, 0x4C, 0xC2, 0x59, 0x86, 0x49, 0xF7, 0x46, 0x9E, 0x3C, 0xD7, 0x9F, 0x89, 0x23, 0xB4, 0x73, 0x35, 0x2F, 0x18, 0x23, 0x76, 0xA3, 0x9F, 0x40, 0x0B, 0x76, 0x90, 0x85, 0xC8, 0x89, 0xDA, 0x65, 0xE7, 0x6E, 0xEF, 0x2E, 0xF5, 0x67 },
+	.priv_exponent = { 0x8D, 0x27, 0x29, 0x6B, 0xC7, 0xA7, 0xED, 0xCD, 0x94, 0x2D, 0x36, 0x5E, 0x86, 0xA8, 0x26, 0xE7, 0x43, 0x9E, 0x64, 0xC8, 0xAA, 0x9A, 0x58, 0x21, 0x07, 0xF7, 0xB3, 0xFB, 0xCF, 0x8D, 0x3E, 0x53, 0xF0, 0x02, 0x25, 0x7B, 0x80, 0x18, 0x2E, 0x0D, 0x84, 0x7D, 0x6C, 0xE0, 0xDA, 0xC0, 0x17, 0xA6, 0xA5, 0x13, 0xE6, 0xFD, 0xBF, 0x98, 0xFC, 0x87, 0x9A, 0x9E, 0x0E, 0x13, 0x87, 0x66, 0x24, 0x8D, 0xA5, 0x6C, 0x58, 0x86, 0x10, 0x80, 0x90, 0x89, 0xEE, 0xFD, 0x40, 0x94, 0xCB, 0x1F, 0x26, 0xAB, 0xD1, 0xD3, 0xFF, 0xE9, 0x7B, 0x76, 0xDC, 0x65, 0xC0, 0x15, 0xD8, 0x9B, 0xF6, 0x29, 0xE1, 0x49, 0xE9, 0xDC, 0xBE, 0x24, 0x17, 0xFF, 0x09, 0x2C, 0xD6, 0xC4, 0x6D, 0x50, 0x33, 0xDC, 0xA0, 0x9D, 0x9D, 0xCC, 0xDD, 0x6E, 0x7B, 0xDF, 0x42, 0x22, 0x4D, 0x80, 0xC7, 0xEB, 0xCB, 0xB1, 0x60, 0x2F, 0x04, 0xEE, 0x04, 0x0E, 0x4C, 0x76, 0x49, 0x55, 0x92, 0xA5, 0xC1, 0x13, 0x60, 0x0A, 0x80, 0x15, 0x3D, 0x1C, 0xC6, 0x46, 0x57, 0x2E, 0x7C, 0xB0, 0x3D, 0x87, 0x06, 0x87, 0xFD, 0x31, 0xF8, 0xE7, 0x14, 0x97, 0x2A, 0x57, 0x40, 0xAC, 0x94, 0x61, 0xCD, 0xCF, 0xDE, 0x8C, 0x40, 0x46, 0x95, 0xA0, 0xD6, 0xF9, 0x2C, 0x08, 0x9B, 0x12, 0xBF, 0xF1, 0x88, 0x9C, 0x5D, 0x40, 0x32, 0x6D, 0x9D, 0x99, 0xA4, 0x80, 0xA6, 0xC2, 0x45, 0x5A, 0xD3, 0x22, 0xFE, 0xFA, 0x17, 0x54, 0x11, 0xEA, 0x41, 0xB4, 0xBD, 0x68, 0x1E, 0xDD, 0x3F, 0xE5, 0x92, 0xCB, 0x9E, 0xF8, 0xC0, 0x0A, 0x8B, 0xF5, 0x89, 0xA4, 0x03, 0x68, 0xF8, 0xF8, 0x99, 0x7C, 0xFE, 0xAD, 0x32, 0xDD, 0x5C, 0xB4, 0x06, 0x29, 0xDA, 0x96, 0x8B, 0xBA, 0xCB, 0x15, 0xDE, 0x38, 0x0D, 0xCA, 0xF7, 0x01, 0x65, 0xF6, 0x2D, 0x36, 0x6E, 0x71 }
 };
 
-static const unsigned char dev_acex_pub[0x100] =
+static const CtrRsa2048Key dev_firm_rsa =
 {
-	0xF4, 0x3C, 0x45, 0x82, 0xFB, 0xF8, 0x90, 0x5D, 
-	0x07, 0x02, 0x9F, 0x2A, 0x98, 0x8B, 0x63, 0xB7, 
-	0xD3, 0x8F, 0x3C, 0xE2, 0xE0, 0xE0, 0x93, 0xBF, 
-	0xDF, 0x32, 0x43, 0x4D, 0xBE, 0xF4, 0xD1, 0x7A, 
-	0x3A, 0x4E, 0x54, 0x31, 0xD7, 0x73, 0xAE, 0x99, 
-	0x4C, 0xC4, 0x1F, 0x3C, 0x3E, 0xF0, 0x57, 0x05, 
-	0xA3, 0x8A, 0x45, 0x54, 0x60, 0xD8, 0x8F, 0xD9, 
-	0x1D, 0x68, 0x0D, 0x0E, 0x2E, 0xEF, 0xC8, 0xE8, 
-	0x3D, 0xC9, 0x19, 0xF3, 0x73, 0x1E, 0x2D, 0xDA, 
-	0x77, 0x88, 0x3E, 0xCA, 0x5E, 0x25, 0x70, 0x4B, 
-	0xF7, 0x70, 0x95, 0x83, 0x54, 0x24, 0xE0, 0xC3, 
-	0x1A, 0x75, 0xDF, 0x61, 0x3D, 0xD1, 0x42, 0xEC, 
-	0x35, 0x1B, 0x38, 0xD6, 0xC1, 0xF6, 0x7E, 0x18, 
-	0x2A, 0x84, 0x85, 0xDD, 0x57, 0x74, 0x1F, 0x0A, 
-	0x2E, 0xF6, 0xB2, 0x94, 0xA2, 0x3E, 0xE9, 0xA1, 
-	0xD0, 0x09, 0xF7, 0x3A, 0x99, 0x80, 0x05, 0xAF, 
-	0x57, 0x55, 0xEF, 0x52, 0xFA, 0x24, 0x3E, 0x7F, 
-	0xD4, 0x7C, 0x41, 0x44, 0x7B, 0x06, 0x7F, 0xB9, 
-	0x5B, 0x2E, 0x8E, 0x96, 0xAE, 0x46, 0x12, 0x4D, 
-	0x64, 0x21, 0xE5, 0x0F, 0x85, 0xCC, 0xEB, 0x92, 
-	0xE5, 0xF0, 0xF5, 0xA7, 0x42, 0x27, 0x3B, 0xEC, 
-	0xF8, 0xE7, 0x81, 0x75, 0x6F, 0x63, 0x0A, 0x8B, 
-	0x0D, 0x77, 0x38, 0x51, 0xE6, 0x66, 0x33, 0xBA, 
-	0x79, 0xDC, 0x2F, 0x2C, 0x8F, 0xC3, 0x28, 0x06, 
-	0xBB, 0x03, 0x9C, 0xDB, 0xD1, 0x64, 0x0A, 0x66, 
-	0xF0, 0xF8, 0xC1, 0x2A, 0x49, 0x1D, 0x0C, 0x6E, 
-	0x35, 0xBB, 0xEA, 0xB3, 0x5C, 0x0D, 0xE9, 0x95, 
-	0x7C, 0x67, 0xBE, 0x65, 0x77, 0xEC, 0x07, 0xC0, 
-	0x23, 0x05, 0x0A, 0x72, 0x48, 0x86, 0xE9, 0x9E, 
-	0xFC, 0x25, 0x15, 0xE7, 0xC8, 0x21, 0x65, 0xE0, 
-	0x1B, 0xD5, 0xD5, 0x0E, 0xD3, 0x11, 0x54, 0xBB, 
-	0x29, 0x78, 0xBF, 0x2A, 0x3C, 0x3B, 0xB6, 0xB1
-};
-
-static const unsigned char dev_crr_cert_pub[0x100] = // key to verify dev_crr_cert
-{
-	0xC5, 0xF7, 0x09, 0x80, 0x5F, 0xDA, 0xDC, 0xBD,
-	0x46, 0x07, 0x52, 0xAA, 0x6D, 0xCD, 0x72, 0xB2,
-	0x50, 0x09, 0x77, 0x47, 0x8A, 0x4F, 0x09, 0x2A,
-	0xE2, 0x91, 0xB4, 0x5F, 0x04, 0x97, 0x51, 0x75,
-	0xC9, 0x19, 0x6F, 0x95, 0xBB, 0x23, 0x14, 0x7D,
-	0x34, 0xDF, 0x77, 0x78, 0x07, 0xE8, 0xD1, 0x10,
-	0x11, 0xAF, 0xCE, 0x02, 0xB8, 0x73, 0xA9, 0xFB,
-	0x64, 0xB7, 0x65, 0x87, 0xE5, 0x67, 0xDD, 0x67,
-	0x37, 0x75, 0xFD, 0x0F, 0xE2, 0x97, 0xBC, 0x79,
-	0xA8, 0xCC, 0xF9, 0xFA, 0x18, 0xB2, 0x62, 0x4D,
-	0xF7, 0x53, 0x6B, 0x9C, 0x0E, 0x1A, 0xAB, 0x90,
-	0xE6, 0x52, 0x86, 0xC8, 0x1C, 0x92, 0x2C, 0x61,
-	0x53, 0xA9, 0x01, 0xDA, 0x43, 0x93, 0xD0, 0x42,
-	0x2E, 0xDD, 0xD5, 0x4C, 0x8C, 0x4C, 0xE8, 0x91,
-	0x56, 0xEC, 0xEE, 0x12, 0x70, 0x0B, 0x64, 0xF0,
-	0x0A, 0xD6, 0xAF, 0xF8, 0x60, 0xC2, 0xA8, 0x26,
-	0x7A, 0xC8, 0xBA, 0x55, 0x9A, 0xA1, 0x44, 0xFD,
-	0x09, 0x47, 0x26, 0xA0, 0xC1, 0x99, 0x9E, 0xF1,
-	0x24, 0xDF, 0xA3, 0xC2, 0xBB, 0xFF, 0x07, 0x45,
-	0xD9, 0xD6, 0xA4, 0xC0, 0xFF, 0x6C, 0x6C, 0x78,
-	0x7B, 0x6D, 0x70, 0x8C, 0x74, 0x44, 0xB0, 0x95,
-	0xE6, 0xC6, 0x66, 0x5E, 0x7E, 0xBE, 0x71, 0xC5,
-	0x91, 0x34, 0x73, 0xA7, 0xD4, 0x4C, 0x0D, 0xFC,
-	0xA9, 0x21, 0x49, 0x94, 0x92, 0xA1, 0x6A, 0x4D,
-	0x30, 0xA3, 0xD6, 0x9F, 0x6C, 0x60, 0x40, 0x0C,
-	0xEE, 0xEB, 0xF8, 0x99, 0x22, 0xE1, 0x6F, 0xFC,
-	0x3C, 0x96, 0x23, 0xAA, 0x11, 0x34, 0x00, 0x4E,
-	0xFC, 0x2D, 0x60, 0x41, 0x45, 0xE3, 0x5D, 0x78,
-	0x06, 0xB1, 0xF1, 0xC3, 0x07, 0xB9, 0xD3, 0x47,
-	0xD0, 0xF1, 0x8C, 0x26, 0x33, 0x1F, 0x6B, 0x46,
-	0xDD, 0xF3, 0xE3, 0x84, 0x64, 0xA7, 0xF1, 0x53,
-	0x11, 0xE1, 0x53, 0x4E, 0x99, 0xDB, 0xAC, 0x53
-};
-
-static const unsigned char dev_crr_cert[0x100] = // signature over crr rsa key
-{
-	0x96, 0x5C, 0xBE, 0x5E, 0xEF, 0x08, 0x0B, 0x29,
-	0xEF, 0x95, 0x12, 0xA4, 0x80, 0x36, 0x47, 0xD5,
-	0x8F, 0xEC, 0xD0, 0xCB, 0x00, 0x4C, 0x29, 0xDC,
-	0x5E, 0x87, 0xCF, 0x87, 0x66, 0x4B, 0x94, 0xDE,
-	0xF0, 0xF6, 0x95, 0x19, 0x13, 0xF4, 0x29, 0xC7,
-	0x89, 0x55, 0x91, 0x2E, 0x3B, 0x17, 0x1C, 0x86,
-	0x61, 0x03, 0x03, 0xDC, 0x6A, 0x3E, 0x33, 0xD4,
-	0x7A, 0xEA, 0xF9, 0x14, 0x82, 0x50, 0xF9, 0x3F,
-	0xAD, 0xCF, 0x9F, 0xB8, 0xE0, 0xAD, 0xF6, 0x40,
-	0x0F, 0xE6, 0x41, 0x7D, 0x18, 0xB4, 0xC2, 0x1A,
-	0x1F, 0xA6, 0x2F, 0x51, 0x40, 0x5F, 0x0A, 0x4B,
-	0x57, 0x4B, 0x73, 0xC2, 0x6A, 0xB9, 0x73, 0x18,
-	0x5A, 0x9E, 0xC3, 0x90, 0x7D, 0xCC, 0x5B, 0xEC,
-	0x46, 0x6D, 0x93, 0x09, 0xB6, 0xF0, 0x84, 0x64,
-	0x46, 0x12, 0x77, 0x7C, 0x87, 0x25, 0xEB, 0x4C,
-	0xAE, 0x83, 0xB8, 0x25, 0x6E, 0xF7, 0x7D, 0x45,
-	0xDF, 0xF6, 0x4A, 0x32, 0x9B, 0x8E, 0x32, 0xC6,
-	0xCF, 0x63, 0x37, 0x92, 0x7D, 0x01, 0xDD, 0xE9,
-	0x71, 0x37, 0x0C, 0x2E, 0xB7, 0x83, 0xB7, 0x7C,
-	0x43, 0x37, 0x20, 0x34, 0xF1, 0xAF, 0x78, 0x4A,
-	0xB0, 0x84, 0xE0, 0x4C, 0x67, 0x54, 0xA8, 0x75,
-	0x12, 0xE5, 0x27, 0x38, 0x45, 0xFF, 0x49, 0x9D,
-	0xF3, 0xFC, 0x3F, 0xCE, 0x73, 0x44, 0xE3, 0x28,
-	0xD0, 0xD6, 0x00, 0x1F, 0x46, 0xF9, 0x64, 0x3B,
-	0xDC, 0xEE, 0x30, 0xA8, 0x63, 0x05, 0xB0, 0xF1,
-	0xA6, 0x4B, 0x21, 0x34, 0x2A, 0xEE, 0xBA, 0x1C,
-	0x89, 0x0B, 0x80, 0xB8, 0x00, 0xC7, 0x40, 0xCB,
-	0x66, 0x69, 0x44, 0x27, 0x01, 0xAC, 0x08, 0xC3,
-	0x97, 0xC5, 0x37, 0xE4, 0x8B, 0xAA, 0x41, 0xB1,
-	0xEE, 0x48, 0xE0, 0xA7, 0xD6, 0x6F, 0x8A, 0xF5,
-	0x40, 0x90, 0xD4, 0x2D, 0x81, 0xD4, 0xED, 0x9D,
-	0xCA, 0x03, 0xFE, 0x35, 0xB3, 0x66, 0xAF, 0x82
-};
-
-static const unsigned char dev_crr_priv[0x100] = // pre signed rsakey
-{
-	0x8D, 0x27, 0x29, 0x6B, 0xC7, 0xA7, 0xED, 0xCD, 
-	0x94, 0x2D, 0x36, 0x5E, 0x86, 0xA8, 0x26, 0xE7, 
-	0x43, 0x9E, 0x64, 0xC8, 0xAA, 0x9A, 0x58, 0x21, 
-	0x07, 0xF7, 0xB3, 0xFB, 0xCF, 0x8D, 0x3E, 0x53, 
-	0xF0, 0x02, 0x25, 0x7B, 0x80, 0x18, 0x2E, 0x0D, 
-	0x84, 0x7D, 0x6C, 0xE0, 0xDA, 0xC0, 0x17, 0xA6, 
-	0xA5, 0x13, 0xE6, 0xFD, 0xBF, 0x98, 0xFC, 0x87, 
-	0x9A, 0x9E, 0x0E, 0x13, 0x87, 0x66, 0x24, 0x8D, 
-	0xA5, 0x6C, 0x58, 0x86, 0x10, 0x80, 0x90, 0x89, 
-	0xEE, 0xFD, 0x40, 0x94, 0xCB, 0x1F, 0x26, 0xAB, 
-	0xD1, 0xD3, 0xFF, 0xE9, 0x7B, 0x76, 0xDC, 0x65, 
-	0xC0, 0x15, 0xD8, 0x9B, 0xF6, 0x29, 0xE1, 0x49, 
-	0xE9, 0xDC, 0xBE, 0x24, 0x17, 0xFF, 0x09, 0x2C, 
-	0xD6, 0xC4, 0x6D, 0x50, 0x33, 0xDC, 0xA0, 0x9D, 
-	0x9D, 0xCC, 0xDD, 0x6E, 0x7B, 0xDF, 0x42, 0x22, 
-	0x4D, 0x80, 0xC7, 0xEB, 0xCB, 0xB1, 0x60, 0x2F, 
-	0x04, 0xEE, 0x04, 0x0E, 0x4C, 0x76, 0x49, 0x55, 
-	0x92, 0xA5, 0xC1, 0x13, 0x60, 0x0A, 0x80, 0x15, 
-	0x3D, 0x1C, 0xC6, 0x46, 0x57, 0x2E, 0x7C, 0xB0, 
-	0x3D, 0x87, 0x06, 0x87, 0xFD, 0x31, 0xF8, 0xE7, 
-	0x14, 0x97, 0x2A, 0x57, 0x40, 0xAC, 0x94, 0x61, 
-	0xCD, 0xCF, 0xDE, 0x8C, 0x40, 0x46, 0x95, 0xA0, 
-	0xD6, 0xF9, 0x2C, 0x08, 0x9B, 0x12, 0xBF, 0xF1, 
-	0x88, 0x9C, 0x5D, 0x40, 0x32, 0x6D, 0x9D, 0x99, 
-	0xA4, 0x80, 0xA6, 0xC2, 0x45, 0x5A, 0xD3, 0x22, 
-	0xFE, 0xFA, 0x17, 0x54, 0x11, 0xEA, 0x41, 0xB4, 
-	0xBD, 0x68, 0x1E, 0xDD, 0x3F, 0xE5, 0x92, 0xCB, 
-	0x9E, 0xF8, 0xC0, 0x0A, 0x8B, 0xF5, 0x89, 0xA4, 
-	0x03, 0x68, 0xF8, 0xF8, 0x99, 0x7C, 0xFE, 0xAD, 
-	0x32, 0xDD, 0x5C, 0xB4, 0x06, 0x29, 0xDA, 0x96, 
-	0x8B, 0xBA, 0xCB, 0x15, 0xDE, 0x38, 0x0D, 0xCA, 
-	0xF7, 0x01, 0x65, 0xF6, 0x2D, 0x36, 0x6E, 0x71
-};
-
-static const unsigned char dev_crr_pub[0x100] = // pre signed rsakey
-{
-	0xE2, 0xAD, 0xA6, 0xEA, 0xCA, 0xA3, 0xE8, 0xCC, 
-	0xA9, 0x70, 0x1D, 0x2E, 0x23, 0x4B, 0xC6, 0x55, 
-	0xCE, 0x13, 0xD9, 0xA7, 0x58, 0xB4, 0xC7, 0x73, 
-	0x96, 0x1D, 0xE8, 0xC3, 0x09, 0x4D, 0x9B, 0xC3, 
-	0xEB, 0x69, 0xA2, 0x37, 0x83, 0x5D, 0xD8, 0x37, 
-	0x04, 0x72, 0x7A, 0x4F, 0xEA, 0x53, 0x98, 0x9D, 
-	0x0E, 0x01, 0x34, 0x70, 0x9A, 0x82, 0x06, 0xE7, 
-	0x6A, 0xC9, 0xF8, 0x0E, 0x49, 0x5A, 0xA4, 0xE7, 
-	0x0E, 0xFA, 0xD4, 0xAB, 0x3B, 0xC5, 0xD7, 0xF1, 
-	0xA4, 0xFC, 0x92, 0x7F, 0xD0, 0xF3, 0xCD, 0xD5, 
-	0xB9, 0x2A, 0x1A, 0x41, 0x62, 0xB3, 0x7B, 0x3E, 
-	0x1E, 0x35, 0x46, 0x41, 0x8E, 0xB2, 0x53, 0x1A, 
-	0x60, 0xF8, 0xC2, 0xD1, 0x94, 0xB3, 0x9D, 0x76, 
-	0x9F, 0x1D, 0x98, 0xAC, 0xF0, 0xCF, 0xE3, 0xA9, 
-	0x05, 0x85, 0xF2, 0xBF, 0x55, 0x76, 0x1B, 0x89, 
-	0x1C, 0xC3, 0x19, 0x2E, 0xEE, 0x94, 0xBE, 0x75, 
-	0x0F, 0xA3, 0x76, 0x8B, 0x24, 0x24, 0x97, 0xFA, 
-	0xC0, 0x53, 0x24, 0xF5, 0x85, 0x02, 0x19, 0x9D, 
-	0xC5, 0x11, 0x2E, 0x6B, 0xA3, 0x26, 0xFE, 0xF7, 
-	0x55, 0xD4, 0x23, 0x0A, 0x73, 0x3F, 0x37, 0x53, 
-	0xEA, 0xC2, 0xB7, 0xC1, 0xC9, 0xD8, 0xF3, 0x2F, 
-	0x78, 0x76, 0x4A, 0xA0, 0x69, 0x60, 0x91, 0xC2, 
-	0x7D, 0x11, 0x74, 0xEF, 0x96, 0xD9, 0x74, 0x53, 
-	0xB1, 0x1C, 0xB0, 0xC4, 0x32, 0x16, 0x82, 0x3B, 
-	0xAF, 0x61, 0xB2, 0xDE, 0x38, 0x87, 0x3E, 0x37, 
-	0x4B, 0xA3, 0x95, 0x88, 0x8E, 0xE0, 0x27, 0x9A, 
-	0x1F, 0x7D, 0xB8, 0x23, 0xC3, 0x63, 0xE8, 0x68, 
-	0x51, 0xD9, 0x8C, 0x4C, 0xC2, 0x59, 0x86, 0x49, 
-	0xF7, 0x46, 0x9E, 0x3C, 0xD7, 0x9F, 0x89, 0x23, 
-	0xB4, 0x73, 0x35, 0x2F, 0x18, 0x23, 0x76, 0xA3, 
-	0x9F, 0x40, 0x0B, 0x76, 0x90, 0x85, 0xC8, 0x89, 
-	0xDA, 0x65, 0xE7, 0x6E, 0xEF, 0x2E, 0xF5, 0x67
-};
-
-static const unsigned char dev_firm_pub[0x100] =
-{
-	0xC1, 0x1E, 0x84, 0xE4, 0xDA, 0xD7, 0xED, 0xC8,
-	0xA5, 0xD9, 0xCB, 0x0B, 0xE9, 0x3B, 0x9D, 0xBC,
-	0x15, 0x69, 0xF7, 0x95, 0xF6, 0x8F, 0xB7, 0x91,
-	0x24, 0x19, 0xBE, 0x8F, 0xFE, 0xBB, 0xC1, 0x1D,
-	0x09, 0xF0, 0xE3, 0x78, 0xA2, 0x0C, 0xC0, 0x0B,
-	0x8E, 0xCD, 0xBA, 0x0E, 0x69, 0x4C, 0x61, 0x4A,
-	0xBD, 0x13, 0xEA, 0xE2, 0x23, 0xE4, 0x0B, 0x62,
-	0x1F, 0x9B, 0x63, 0x1B, 0x31, 0x34, 0xB7, 0x12,
-	0x73, 0x64, 0x6B, 0x4E, 0x60, 0x41, 0x0A, 0x3D,
-	0x54, 0x86, 0xFA, 0x49, 0xEC, 0x2D, 0x77, 0xAD,
-	0x1D, 0xBC, 0x48, 0xE7, 0xFB, 0x07, 0xEF, 0x48,
-	0xC3, 0xBE, 0xC3, 0xD6, 0xE1, 0x5B, 0x3D, 0xCD,
-	0x5E, 0x6B, 0x46, 0x08, 0x6A, 0x3A, 0x0E, 0xAE,
-	0x25, 0x49, 0x44, 0xA5, 0x40, 0x0D, 0x94, 0x53,
-	0x18, 0xA4, 0x8F, 0x57, 0x8E, 0xF4, 0xCD, 0xB4,
-	0xD3, 0x4E, 0xE7, 0x15, 0x9B, 0x11, 0x95, 0x85,
-	0x00, 0xC4, 0x92, 0x94, 0xB8, 0xBE, 0xFE, 0xCB,
-	0xB7, 0x50, 0xA0, 0xBE, 0x8A, 0xF5, 0xFD, 0xC8,
-	0x0E, 0x4B, 0xA9, 0x41, 0x13, 0x62, 0x48, 0xCD,
-	0x1A, 0xF3, 0xC8, 0x6B, 0xA5, 0xA0, 0xDF, 0xF1,
-	0x9D, 0x3D, 0xFD, 0xE4, 0xD1, 0x7C, 0x1F, 0x00,
-	0x0D, 0x99, 0x72, 0x6B, 0xA3, 0x05, 0x7F, 0x86,
-	0x38, 0xBE, 0x4D, 0x5E, 0xAB, 0x93, 0xDF, 0xF3,
-	0xEE, 0xA1, 0x9F, 0x22, 0x50, 0xA8, 0x7F, 0x31,
-	0xAA, 0x2B, 0x03, 0x71, 0x9B, 0x14, 0xC4, 0x30,
-	0x88, 0x42, 0x6F, 0xD5, 0x2C, 0x7B, 0x03, 0x64,
-	0x3B, 0x14, 0xEC, 0x46, 0x33, 0xCC, 0x2C, 0x95,
-	0x9F, 0x5C, 0x7B, 0x83, 0xC5, 0x67, 0xDD, 0x7C,
-	0xA1, 0x2D, 0xD6, 0xEC, 0x17, 0x0B, 0x23, 0xC7,
-	0xB1, 0x9A, 0x72, 0xBA, 0x78, 0xCB, 0x39, 0x68,
-	0x5C, 0xB6, 0xB4, 0x61, 0xE1, 0x98, 0xCF, 0x1D,
-	0x69, 0xF9, 0xD7, 0xB0, 0xA0, 0x5E, 0x9C, 0xEB
+	.modulus = {0xC1, 0x1E, 0x84, 0xE4, 0xDA, 0xD7, 0xED, 0xC8, 0xA5, 0xD9, 0xCB, 0x0B, 0xE9, 0x3B, 0x9D, 0xBC, 0x15, 0x69, 0xF7, 0x95, 0xF6, 0x8F, 0xB7, 0x91, 0x24, 0x19, 0xBE, 0x8F, 0xFE, 0xBB, 0xC1, 0x1D, 0x09, 0xF0, 0xE3, 0x78, 0xA2, 0x0C, 0xC0, 0x0B, 0x8E, 0xCD, 0xBA, 0x0E, 0x69, 0x4C, 0x61, 0x4A, 0xBD, 0x13, 0xEA, 0xE2, 0x23, 0xE4, 0x0B, 0x62, 0x1F, 0x9B, 0x63, 0x1B, 0x31, 0x34, 0xB7, 0x12, 0x73, 0x64, 0x6B, 0x4E, 0x60, 0x41, 0x0A, 0x3D, 0x54, 0x86, 0xFA, 0x49, 0xEC, 0x2D, 0x77, 0xAD, 0x1D, 0xBC, 0x48, 0xE7, 0xFB, 0x07, 0xEF, 0x48, 0xC3, 0xBE, 0xC3, 0xD6, 0xE1, 0x5B, 0x3D, 0xCD, 0x5E, 0x6B, 0x46, 0x08, 0x6A, 0x3A, 0x0E, 0xAE, 0x25, 0x49, 0x44, 0xA5, 0x40, 0x0D, 0x94, 0x53, 0x18, 0xA4, 0x8F, 0x57, 0x8E, 0xF4, 0xCD, 0xB4, 0xD3, 0x4E, 0xE7, 0x15, 0x9B, 0x11, 0x95, 0x85, 0x00, 0xC4, 0x92, 0x94, 0xB8, 0xBE, 0xFE, 0xCB, 0xB7, 0x50, 0xA0, 0xBE, 0x8A, 0xF5, 0xFD, 0xC8, 0x0E, 0x4B, 0xA9, 0x41, 0x13, 0x62, 0x48, 0xCD, 0x1A, 0xF3, 0xC8, 0x6B, 0xA5, 0xA0, 0xDF, 0xF1, 0x9D, 0x3D, 0xFD, 0xE4, 0xD1, 0x7C, 0x1F, 0x00, 0x0D, 0x99, 0x72, 0x6B, 0xA3, 0x05, 0x7F, 0x86, 0x38, 0xBE, 0x4D, 0x5E, 0xAB, 0x93, 0xDF, 0xF3, 0xEE, 0xA1, 0x9F, 0x22, 0x50, 0xA8, 0x7F, 0x31, 0xAA, 0x2B, 0x03, 0x71, 0x9B, 0x14, 0xC4, 0x30, 0x88, 0x42, 0x6F, 0xD5, 0x2C, 0x7B, 0x03, 0x64, 0x3B, 0x14, 0xEC, 0x46, 0x33, 0xCC, 0x2C, 0x95, 0x9F, 0x5C, 0x7B, 0x83, 0xC5, 0x67, 0xDD, 0x7C, 0xA1, 0x2D, 0xD6, 0xEC, 0x17, 0x0B, 0x23, 0xC7, 0xB1, 0x9A, 0x72, 0xBA, 0x78, 0xCB, 0x39, 0x68, 0x5C, 0xB6, 0xB4, 0x61, 0xE1, 0x98, 0xCF, 0x1D, 0x69, 0xF9, 0xD7, 0xB0, 0xA0, 0x5E, 0x9C, 0xEB },
+	.priv_exponent = {0}
 };
 
 //Certificates
 static const unsigned char ca4_dpki_cert[0x400] = 
 {
-	0x00, 0x01, 0x00, 0x03, 0x19, 0x49, 0x42, 0x9D, 
-	0x1E, 0x58, 0xA6, 0x2E, 0x7E, 0x8B, 0x56, 0xD1, 
-	0xB7, 0x6A, 0xE3, 0x02, 0xFD, 0x8B, 0x97, 0x49, 
-	0x1F, 0x77, 0x87, 0x45, 0xF7, 0x53, 0x88, 0xC4, 
-	0xDD, 0x0B, 0xEB, 0x1D, 0xF1, 0x22, 0xFB, 0x96, 
-	0x42, 0x15, 0x14, 0x97, 0x76, 0x4A, 0x53, 0xCF, 
-	0x78, 0x15, 0x18, 0x45, 0xE4, 0x2C, 0xA8, 0xFD, 
-	0xE4, 0x86, 0xFD, 0x2A, 0x4F, 0x53, 0xF8, 0xA1, 
-	0xBA, 0x00, 0x8A, 0x74, 0x85, 0xFF, 0x73, 0xB3, 
-	0xBF, 0x7E, 0x3C, 0x98, 0x07, 0x29, 0xD0, 0x65, 
-	0x6B, 0x69, 0x32, 0x19, 0xAD, 0xE8, 0x35, 0xEB, 
-	0x5F, 0xFF, 0xFC, 0xCB, 0x7C, 0xBB, 0x5E, 0x30, 
-	0x7F, 0xE0, 0x68, 0x8B, 0x88, 0x8E, 0xF2, 0xD2, 
-	0x05, 0x3F, 0xB7, 0xE7, 0x91, 0xE9, 0x85, 0xFD, 
-	0x15, 0xEF, 0x10, 0xD7, 0x9C, 0xCA, 0x88, 0xD6, 
-	0xBB, 0x15, 0xE8, 0xE4, 0x71, 0x4A, 0x98, 0xEE, 
-	0x09, 0xBF, 0x7B, 0x8A, 0xF0, 0x53, 0x23, 0x2B, 
-	0x64, 0x50, 0xE6, 0xD5, 0xFD, 0xFF, 0xC2, 0x0A, 
-	0x6D, 0x1E, 0xA6, 0xA2, 0x38, 0x12, 0xE1, 0x01, 
-	0x45, 0x25, 0xD5, 0x6D, 0x40, 0x82, 0x70, 0x3B, 
-	0x86, 0x98, 0x69, 0x59, 0xA7, 0x3C, 0xD1, 0xA1, 
-	0x43, 0x64, 0xD2, 0xC2, 0xDA, 0xEA, 0x96, 0xB0, 
-	0x95, 0xF7, 0x6C, 0x46, 0xE4, 0xFF, 0x41, 0x55, 
-	0x46, 0x5E, 0x70, 0xEF, 0x1E, 0xD3, 0x10, 0x53, 
-	0xD9, 0x70, 0x11, 0xE0, 0x10, 0xCC, 0x93, 0xE7, 
-	0x91, 0x40, 0x13, 0x68, 0x7F, 0xA3, 0xA8, 0x02, 
-	0x99, 0x6D, 0x1E, 0x55, 0x7B, 0x1C, 0xCC, 0x7A, 
-	0x7E, 0x8F, 0x58, 0x65, 0xC1, 0x74, 0x2E, 0x28, 
-	0xE2, 0x6D, 0xEF, 0x38, 0xA9, 0x3A, 0xB5, 0xD8, 
-	0x2D, 0x43, 0xEC, 0xCC, 0xBF, 0x0B, 0xEF, 0x22, 
-	0xE1, 0xFD, 0x57, 0xE2, 0x86, 0x43, 0x33, 0x58, 
-	0x2F, 0xED, 0xEA, 0xBC, 0x01, 0x2F, 0x98, 0x6D, 
-	0xDF, 0xC3, 0xE9, 0x44, 0x79, 0x73, 0x47, 0x03, 
-	0x08, 0x45, 0x5B, 0xDC, 0x57, 0xAA, 0x17, 0x0B, 
-	0x84, 0x42, 0x7F, 0x73, 0xA2, 0x9B, 0x48, 0xF6, 
-	0xDA, 0x13, 0x5F, 0x66, 0xC7, 0x45, 0xC1, 0x42, 
-	0xA8, 0x4A, 0xFB, 0x0E, 0x6A, 0x5E, 0xED, 0x85, 
-	0xD7, 0xB9, 0x71, 0x99, 0x36, 0xF8, 0xCE, 0x2B, 
-	0x62, 0x1F, 0x39, 0x5F, 0x40, 0xDC, 0x03, 0xBE, 
-	0xF8, 0x85, 0x4C, 0x11, 0x17, 0xFF, 0x0C, 0x12, 
-	0x86, 0x41, 0xCC, 0x78, 0x43, 0xB9, 0x7B, 0x43, 
-	0x46, 0xDB, 0x22, 0x6F, 0x60, 0x26, 0xAC, 0xB5, 
-	0x6C, 0x27, 0x8B, 0x8E, 0x0E, 0xA7, 0x9A, 0x2D, 
-	0x65, 0xEF, 0x79, 0x8E, 0x10, 0x78, 0xAD, 0x80, 
-	0xED, 0x4B, 0x96, 0x04, 0xD2, 0xF0, 0x8B, 0x2C, 
-	0xD6, 0x4A, 0x23, 0xA3, 0xDB, 0x27, 0x08, 0x33, 
-	0xB4, 0x02, 0xF8, 0x08, 0x51, 0xF3, 0x5B, 0xED, 
-	0x3E, 0xE4, 0x57, 0x7C, 0x66, 0x60, 0xFB, 0xF1, 
-	0x6D, 0x94, 0x13, 0xE0, 0x9C, 0x91, 0x7A, 0x49, 
-	0xD4, 0x2C, 0x6D, 0xA3, 0x75, 0xBC, 0x27, 0xF0, 
-	0x23, 0x0D, 0xB9, 0x8F, 0x89, 0x73, 0xAB, 0x02, 
-	0x7B, 0x52, 0x2C, 0xD5, 0x7E, 0xC0, 0x3D, 0x25, 
-	0xE8, 0xB3, 0xFC, 0x34, 0x94, 0xC9, 0x7F, 0xB1, 
-	0x08, 0xFE, 0x18, 0xC6, 0x8A, 0x43, 0x36, 0xE4, 
-	0x6C, 0x26, 0xB6, 0xF2, 0x80, 0xD2, 0x7E, 0x34, 
-	0xBE, 0x28, 0x7C, 0x3E, 0x46, 0x87, 0xBC, 0x9D, 
-	0x77, 0x6B, 0x76, 0xD9, 0x28, 0xD1, 0xB6, 0x35, 
-	0x2E, 0xC0, 0x34, 0x7D, 0x72, 0x94, 0xAA, 0x93, 
-	0x60, 0x26, 0x8D, 0x26, 0xF5, 0xF6, 0x52, 0x06, 
-	0x4A, 0xF2, 0x40, 0xD7, 0xD0, 0x0C, 0x7C, 0x5E, 
-	0xA3, 0xC3, 0x2D, 0xE6, 0x2D, 0x9B, 0x5C, 0x4B, 
-	0x4C, 0xAB, 0x6F, 0xD7, 0xBD, 0x37, 0x1D, 0x57, 
-	0xC2, 0x16, 0x60, 0x95, 0x91, 0x0E, 0x4A, 0xD8, 
-	0xE9, 0xED, 0x18, 0x1E, 0xF7, 0x61, 0x93, 0x61, 
-	0x53, 0x89, 0x2D, 0x77, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x52, 0x6F, 0x6F, 0x74, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x01, 0x43, 0x41, 0x30, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x34, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x81, 0x12, 0x2A, 0x46, 
-	0xC9, 0xCC, 0x2D, 0xC4, 0xDF, 0x29, 0x30, 0xE4, 
-	0xDF, 0x3F, 0x8C, 0x70, 0xA0, 0x78, 0x94, 0x87, 
-	0x75, 0xAD, 0x5E, 0x9A, 0xA6, 0x04, 0xC5, 0xB4, 
-	0xD8, 0xEA, 0xFF, 0x2A, 0xA1, 0xD2, 0x14, 0x67, 
-	0x65, 0x64, 0xEF, 0xCA, 0x28, 0xCC, 0x00, 0x15, 
-	0x45, 0x54, 0xA1, 0xA3, 0xEA, 0x13, 0x79, 0xE9, 
-	0xE6, 0xCA, 0xAC, 0xED, 0x15, 0x93, 0xFE, 0x88, 
-	0xD8, 0x9A, 0xC6, 0xB8, 0xAC, 0xCC, 0xAB, 0x6E, 
-	0x20, 0x7C, 0xEB, 0x7C, 0xCA, 0x29, 0x80, 0x9E, 
-	0x29, 0x80, 0x44, 0x06, 0x62, 0xB7, 0xD4, 0x38, 
-	0x2A, 0x15, 0xDA, 0x43, 0x08, 0x57, 0x45, 0xA9, 
-	0xAA, 0xE5, 0x9A, 0xA0, 0x5B, 0xDB, 0x32, 0xF6, 
-	0x68, 0x69, 0xA2, 0xDD, 0x42, 0x95, 0x38, 0x6C, 
-	0x87, 0xEC, 0xDD, 0x35, 0x08, 0xA2, 0xCF, 0x60, 
-	0xD0, 0x1E, 0x23, 0xEC, 0x2F, 0xE6, 0x98, 0xF4, 
-	0x70, 0xD6, 0x00, 0x15, 0x49, 0xA2, 0xF0, 0x67, 
-	0x59, 0x13, 0x1E, 0x53, 0x4C, 0x70, 0x06, 0x05, 
-	0x7D, 0xEF, 0x1D, 0x18, 0xA8, 0x3F, 0x0A, 0xC7,
-	0x9C, 0xFE, 0x80, 0xFF, 0x5A, 0x91, 0xF2, 0xBE, 
-	0xD4, 0xA0, 0x83, 0x70, 0x61, 0x19, 0x0A, 0x03, 
-	0x29, 0x90, 0x21, 0x65, 0x40, 0x3C, 0x9A, 0x90, 
-	0x8F, 0xB6, 0x15, 0x73, 0x9F, 0x3C, 0xE3, 0x3B, 
-	0xF1, 0xBA, 0xEA, 0x16, 0xC2, 0x5B, 0xCE, 0xD7, 
-	0x96, 0x3F, 0xAC, 0xC9, 0xD2, 0x4D, 0x9C, 0x0A, 
-	0xD7, 0x6F, 0xC0, 0x20, 0xB2, 0xC4, 0xB8, 0x4C, 
-	0x10, 0xA7, 0x41, 0xA2, 0xCC, 0x7D, 0x9B, 0xAC, 
-	0x3A, 0xAC, 0xCC, 0xA3, 0x52, 0x9B, 0xAC, 0x31, 
-	0x6A, 0x9A, 0xA7, 0x5D, 0x2A, 0x26, 0xC7, 0xD7, 
-	0xD2, 0x88, 0xCB, 0xA4, 0x66, 0xC5, 0xFE, 0x5F, 
-	0x45, 0x4A, 0xE6, 0x79, 0x74, 0x4A, 0x90, 0xA1, 
-	0x57, 0x72, 0xDB, 0x3B, 0x0E, 0x47, 0xA4, 0x9A,
-	0xF0, 0x31, 0xD1, 0x6D, 0xBE, 0xAB, 0x33, 0x2B,
-	0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x00, 0x01, 0x00, 0x03, 0x19, 0x49, 0x42, 0x9D,  0x1E, 0x58, 0xA6, 0x2E, 0x7E, 0x8B, 0x56, 0xD1,  0xB7, 0x6A, 0xE3, 0x02, 0xFD, 0x8B, 0x97, 0x49,  0x1F, 0x77, 0x87, 0x45, 0xF7, 0x53, 0x88, 0xC4,  0xDD, 0x0B, 0xEB, 0x1D, 0xF1, 0x22, 0xFB, 0x96,  0x42, 0x15, 0x14, 0x97, 0x76, 0x4A, 0x53, 0xCF,  0x78, 0x15, 0x18, 0x45, 0xE4, 0x2C, 0xA8, 0xFD,  0xE4, 0x86, 0xFD, 0x2A, 0x4F, 0x53, 0xF8, 0xA1,  0xBA, 0x00, 0x8A, 0x74, 0x85, 0xFF, 0x73, 0xB3,  0xBF, 0x7E, 0x3C, 0x98, 0x07, 0x29, 0xD0, 0x65,  0x6B, 0x69, 0x32, 0x19, 0xAD, 0xE8, 0x35, 0xEB,  0x5F, 0xFF, 0xFC, 0xCB, 0x7C, 0xBB, 0x5E, 0x30,  0x7F, 0xE0, 0x68, 0x8B, 0x88, 0x8E, 0xF2, 0xD2,  0x05, 0x3F, 0xB7, 0xE7, 0x91, 0xE9, 0x85, 0xFD,  0x15, 0xEF, 0x10, 0xD7, 0x9C, 0xCA, 0x88, 0xD6,  0xBB, 0x15, 0xE8, 0xE4, 0x71, 0x4A, 0x98, 0xEE,  0x09, 0xBF, 0x7B, 0x8A, 0xF0, 0x53, 0x23, 0x2B,  0x64, 0x50, 0xE6, 0xD5, 0xFD, 0xFF, 0xC2, 0x0A,  0x6D, 0x1E, 0xA6, 0xA2, 0x38, 0x12, 0xE1, 0x01,  0x45, 0x25, 0xD5, 0x6D, 0x40, 0x82, 0x70, 0x3B,  0x86, 0x98, 0x69, 0x59, 0xA7, 0x3C, 0xD1, 0xA1,  0x43, 0x64, 0xD2, 0xC2, 0xDA, 0xEA, 0x96, 0xB0,  0x95, 0xF7, 0x6C, 0x46, 0xE4, 0xFF, 0x41, 0x55,  0x46, 0x5E, 0x70, 0xEF, 0x1E, 0xD3, 0x10, 0x53,  0xD9, 0x70, 0x11, 0xE0, 0x10, 0xCC, 0x93, 0xE7,  0x91, 0x40, 0x13, 0x68, 0x7F, 0xA3, 0xA8, 0x02,  0x99, 0x6D, 0x1E, 0x55, 0x7B, 0x1C, 0xCC, 0x7A,  0x7E, 0x8F, 0x58, 0x65, 0xC1, 0x74, 0x2E, 0x28,  0xE2, 0x6D, 0xEF, 0x38, 0xA9, 0x3A, 0xB5, 0xD8,  0x2D, 0x43, 0xEC, 0xCC, 0xBF, 0x0B, 0xEF, 0x22,  0xE1, 0xFD, 0x57, 0xE2, 0x86, 0x43, 0x33, 0x58,  0x2F, 0xED, 0xEA, 0xBC, 0x01, 0x2F, 0x98, 0x6D,  0xDF, 0xC3, 0xE9, 0x44, 0x79, 0x73, 0x47, 0x03,  0x08, 0x45, 0x5B, 0xDC, 0x57, 0xAA, 0x17, 0x0B,  0x84, 0x42, 0x7F, 0x73, 0xA2, 0x9B, 0x48, 0xF6,  0xDA, 0x13, 0x5F, 0x66, 0xC7, 0x45, 0xC1, 0x42,  0xA8, 0x4A, 0xFB, 0x0E, 0x6A, 0x5E, 0xED, 0x85,  0xD7, 0xB9, 0x71, 0x99, 0x36, 0xF8, 0xCE, 0x2B,  0x62, 0x1F, 0x39, 0x5F, 0x40, 0xDC, 0x03, 0xBE,  0xF8, 0x85, 0x4C, 0x11, 0x17, 0xFF, 0x0C, 0x12,  0x86, 0x41, 0xCC, 0x78, 0x43, 0xB9, 0x7B, 0x43,  0x46, 0xDB, 0x22, 0x6F, 0x60, 0x26, 0xAC, 0xB5,  0x6C, 0x27, 0x8B, 0x8E, 0x0E, 0xA7, 0x9A, 0x2D,  0x65, 0xEF, 0x79, 0x8E, 0x10, 0x78, 0xAD, 0x80,  0xED, 0x4B, 0x96, 0x04, 0xD2, 0xF0, 0x8B, 0x2C,  0xD6, 0x4A, 0x23, 0xA3, 0xDB, 0x27, 0x08, 0x33,  0xB4, 0x02, 0xF8, 0x08, 0x51, 0xF3, 0x5B, 0xED,  0x3E, 0xE4, 0x57, 0x7C, 0x66, 0x60, 0xFB, 0xF1,  0x6D, 0x94, 0x13, 0xE0, 0x9C, 0x91, 0x7A, 0x49,  0xD4, 0x2C, 0x6D, 0xA3, 0x75, 0xBC, 0x27, 0xF0,  0x23, 0x0D, 0xB9, 0x8F, 0x89, 0x73, 0xAB, 0x02,  0x7B, 0x52, 0x2C, 0xD5, 0x7E, 0xC0, 0x3D, 0x25,  0xE8, 0xB3, 0xFC, 0x34, 0x94, 0xC9, 0x7F, 0xB1,  0x08, 0xFE, 0x18, 0xC6, 0x8A, 0x43, 0x36, 0xE4,  0x6C, 0x26, 0xB6, 0xF2, 0x80, 0xD2, 0x7E, 0x34,  0xBE, 0x28, 0x7C, 0x3E, 0x46, 0x87, 0xBC, 0x9D,  0x77, 0x6B, 0x76, 0xD9, 0x28, 0xD1, 0xB6, 0x35,  0x2E, 0xC0, 0x34, 0x7D, 0x72, 0x94, 0xAA, 0x93,  0x60, 0x26, 0x8D, 0x26, 0xF5, 0xF6, 0x52, 0x06,  0x4A, 0xF2, 0x40, 0xD7, 0xD0, 0x0C, 0x7C, 0x5E,  0xA3, 0xC3, 0x2D, 0xE6, 0x2D, 0x9B, 0x5C, 0x4B,  0x4C, 0xAB, 0x6F, 0xD7, 0xBD, 0x37, 0x1D, 0x57,  0xC2, 0x16, 0x60, 0x95, 0x91, 0x0E, 0x4A, 0xD8,  0xE9, 0xED, 0x18, 0x1E, 0xF7, 0x61, 0x93, 0x61,  0x53, 0x89, 0x2D, 0x77, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x52, 0x6F, 0x6F, 0x74, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x01, 0x43, 0x41, 0x30, 0x30,  0x30, 0x30, 0x30, 0x30, 0x30, 0x34, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x81, 0x12, 0x2A, 0x46,  0xC9, 0xCC, 0x2D, 0xC4, 0xDF, 0x29, 0x30, 0xE4,  0xDF, 0x3F, 0x8C, 0x70, 0xA0, 0x78, 0x94, 0x87,  0x75, 0xAD, 0x5E, 0x9A, 0xA6, 0x04, 0xC5, 0xB4,  0xD8, 0xEA, 0xFF, 0x2A, 0xA1, 0xD2, 0x14, 0x67,  0x65, 0x64, 0xEF, 0xCA, 0x28, 0xCC, 0x00, 0x15,  0x45, 0x54, 0xA1, 0xA3, 0xEA, 0x13, 0x79, 0xE9,  0xE6, 0xCA, 0xAC, 0xED, 0x15, 0x93, 0xFE, 0x88,  0xD8, 0x9A, 0xC6, 0xB8, 0xAC, 0xCC, 0xAB, 0x6E,  0x20, 0x7C, 0xEB, 0x7C, 0xCA, 0x29, 0x80, 0x9E,  0x29, 0x80, 0x44, 0x06, 0x62, 0xB7, 0xD4, 0x38,  0x2A, 0x15, 0xDA, 0x43, 0x08, 0x57, 0x45, 0xA9,  0xAA, 0xE5, 0x9A, 0xA0, 0x5B, 0xDB, 0x32, 0xF6,  0x68, 0x69, 0xA2, 0xDD, 0x42, 0x95, 0x38, 0x6C,  0x87, 0xEC, 0xDD, 0x35, 0x08, 0xA2, 0xCF, 0x60,  0xD0, 0x1E, 0x23, 0xEC, 0x2F, 0xE6, 0x98, 0xF4,  0x70, 0xD6, 0x00, 0x15, 0x49, 0xA2, 0xF0, 0x67,  0x59, 0x13, 0x1E, 0x53, 0x4C, 0x70, 0x06, 0x05,  0x7D, 0xEF, 0x1D, 0x18, 0xA8, 0x3F, 0x0A, 0xC7, 0x9C, 0xFE, 0x80, 0xFF, 0x5A, 0x91, 0xF2, 0xBE,  0xD4, 0xA0, 0x83, 0x70, 0x61, 0x19, 0x0A, 0x03,  0x29, 0x90, 0x21, 0x65, 0x40, 0x3C, 0x9A, 0x90,  0x8F, 0xB6, 0x15, 0x73, 0x9F, 0x3C, 0xE3, 0x3B,  0xF1, 0xBA, 0xEA, 0x16, 0xC2, 0x5B, 0xCE, 0xD7,  0x96, 0x3F, 0xAC, 0xC9, 0xD2, 0x4D, 0x9C, 0x0A,  0xD7, 0x6F, 0xC0, 0x20, 0xB2, 0xC4, 0xB8, 0x4C,  0x10, 0xA7, 0x41, 0xA2, 0xCC, 0x7D, 0x9B, 0xAC,  0x3A, 0xAC, 0xCC, 0xA3, 0x52, 0x9B, 0xAC, 0x31,  0x6A, 0x9A, 0xA7, 0x5D, 0x2A, 0x26, 0xC7, 0xD7,  0xD2, 0x88, 0xCB, 0xA4, 0x66, 0xC5, 0xFE, 0x5F,  0x45, 0x4A, 0xE6, 0x79, 0x74, 0x4A, 0x90, 0xA1,  0x57, 0x72, 0xDB, 0x3B, 0x0E, 0x47, 0xA4, 0x9A, 0xF0, 0x31, 0xD1, 0x6D, 0xBE, 0xAB, 0x33, 0x2B, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
 static const unsigned char xs9_dpki_cert[0x300] = 
 {
-	0x00, 0x01, 0x00, 0x04, 0x63, 0x80, 0x5A, 0x35, 
-	0x1A, 0x43, 0x7B, 0xA2, 0x43, 0x19, 0xBB, 0x3A, 
-	0x77, 0x7B, 0x7A, 0xF3, 0x5E, 0x72, 0x4B, 0x15, 
-	0x0A, 0x06, 0x39, 0x6C, 0x5F, 0xEC, 0x38, 0x45, 
-	0xB1, 0x88, 0x76, 0x26, 0x8D, 0x5E, 0xDA, 0xE6, 
-	0x2F, 0x14, 0xBA, 0x02, 0xFA, 0xD6, 0xFC, 0x3B, 
-	0x2B, 0xBE, 0x87, 0x07, 0x63, 0x8E, 0x55, 0xBF, 
-	0x05, 0x5A, 0xFC, 0xFC, 0xB3, 0x47, 0x69, 0x11, 
-	0x89, 0xDB, 0x1C, 0xAF, 0x4B, 0x43, 0x76, 0x62, 
-	0x3E, 0x30, 0x89, 0x0A, 0x9D, 0x3B, 0xBB, 0x3E, 
-	0x50, 0xBD, 0xF7, 0xA6, 0xC0, 0xF7, 0xF8, 0xBB, 
-	0x0D, 0xB5, 0x6A, 0xBB, 0xC6, 0xC3, 0x50, 0xC8, 
-	0x88, 0xBB, 0x9D, 0xF0, 0x9B, 0xD1, 0x30, 0x64, 
-	0x60, 0x69, 0xDD, 0x34, 0x67, 0xA7, 0x00, 0xEB, 
-	0xDC, 0xF9, 0x8C, 0xB0, 0xF7, 0x93, 0x0E, 0x81, 
-	0xFE, 0x98, 0xD9, 0x72, 0x45, 0x8B, 0x94, 0x7E, 
-	0x59, 0xE2, 0xBE, 0x4E, 0x91, 0x2D, 0x75, 0xCA, 
-	0x1B, 0x8E, 0x2E, 0xF4, 0x6D, 0x73, 0xB1, 0x6B, 
-	0x35, 0xB5, 0x67, 0x0D, 0x63, 0x2D, 0x51, 0x38, 
-	0x53, 0x28, 0x19, 0x1D, 0x9D, 0xAE, 0x8D, 0xC6, 
-	0x61, 0xCC, 0xEF, 0xA4, 0xAB, 0xE2, 0xF3, 0xB0, 
-	0x4C, 0x7B, 0xE2, 0x71, 0xB5, 0xF9, 0x2C, 0xFA, 
-	0x55, 0xCD, 0x88, 0x8B, 0x72, 0xCC, 0xBE, 0x67, 
-	0xFA, 0xDF, 0xEF, 0x6B, 0x53, 0x3C, 0x45, 0xD8, 
-	0xCB, 0xDF, 0xB2, 0x76, 0x41, 0x46, 0xD6, 0xC2, 
-	0x6F, 0x27, 0x16, 0xC5, 0x07, 0xF3, 0xF4, 0x44, 
-	0x66, 0xA3, 0x15, 0xD2, 0x77, 0xF2, 0x89, 0xDA, 
-	0xFD, 0xD5, 0x50, 0xCF, 0xA4, 0x9B, 0xEA, 0xCA, 
-	0xC9, 0x7B, 0xE5, 0x46, 0x0E, 0xED, 0x9B, 0xFB, 
-	0x04, 0xA9, 0xDA, 0x19, 0x58, 0xD9, 0x2A, 0x20, 
-	0x8A, 0xAC, 0xC1, 0xF4, 0x8E, 0xE9, 0x14, 0xD8, 
-	0x8A, 0xD7, 0x41, 0xD5, 0x5B, 0x9B, 0x64, 0x22, 
-	0xD8, 0xAF, 0xAE, 0xC7, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x34, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x01, 0x58, 0x53, 0x30, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x39, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x18, 0xA3, 0x47, 0xA4, 
-	0xC0, 0x84, 0x4C, 0xEB, 0x7E, 0xB0, 0xCF, 0xF0, 
-	0xAE, 0xB7, 0x77, 0x69, 0x85, 0x93, 0xE4, 0x99, 
-	0x5A, 0x95, 0x4E, 0x58, 0x17, 0x38, 0xCE, 0xD6, 
-	0x81, 0xB0, 0xBD, 0x77, 0x09, 0xE7, 0xF8, 0x9A, 
-	0xDF, 0xAD, 0x05, 0x48, 0x83, 0xF6, 0xC3, 0xFD, 
-	0xDF, 0x7B, 0x83, 0xE0, 0x0C, 0x26, 0x81, 0x54, 
-	0x43, 0x29, 0xEA, 0x82, 0x6C, 0x89, 0xF0, 0xA6, 
-	0x74, 0x42, 0x86, 0x4D, 0x32, 0x60, 0x32, 0x7D, 
-	0xA7, 0x7A, 0x13, 0x40, 0x66, 0x59, 0xDA, 0x3E, 
-	0x41, 0x6B, 0x27, 0x94, 0x03, 0x4F, 0xAA, 0x22, 
-	0x9D, 0xD5, 0x54, 0x52, 0xDB, 0x27, 0x0A, 0x6A, 
-	0xA2, 0x3D, 0x19, 0xB1, 0x66, 0x1B, 0x19, 0x7D, 
-	0xAB, 0xC7, 0x0E, 0x88, 0x17, 0x91, 0xA1, 0x2A, 
-	0xB4, 0x3C, 0x6C, 0xCB, 0xF5, 0xAA, 0x7C, 0x3A, 
-	0xDD, 0x36, 0xFB, 0x35, 0x71, 0x7B, 0x20, 0x01, 
-	0x59, 0x00, 0xD6, 0xF6, 0x90, 0x39, 0x35, 0x41, 
-	0x31, 0xF8, 0xC1, 0xC0, 0x57, 0x3A, 0x35, 0x18, 
-	0x58, 0x90, 0xB1, 0xAD, 0x9A, 0x0E, 0xEC, 0xE0, 
-	0xF4, 0x7A, 0x7D, 0xA5, 0x27, 0x48, 0xC9, 0x72, 
-	0xAB, 0x0D, 0x08, 0x7B, 0x62, 0x35, 0x40, 0x91, 
-	0x14, 0x2B, 0xB1, 0x1D, 0x1A, 0xFA, 0xF9, 0xCD, 
-	0x5C, 0x17, 0x13, 0x53, 0x52, 0x71, 0xCA, 0xE2, 
-	0x2A, 0x78, 0xB1, 0x7F, 0x4A, 0xCD, 0x59, 0xD8, 
-	0xBA, 0x1D, 0x7D, 0x70, 0x5F, 0x78, 0x1B, 0x9F, 
-	0x9D, 0x37, 0x18, 0x8E, 0xD7, 0xCD, 0x0D, 0x49, 
-	0x57, 0x74, 0x69, 0x88, 0x3A, 0x6B, 0x8E, 0x4E, 
-	0x1B, 0x85, 0xDD, 0xBE, 0x39, 0x45, 0x05, 0x89, 
-	0x56, 0x12, 0x97, 0x59, 0x9A, 0x09, 0xA4, 0xC8, 
-	0x2D, 0x2F, 0xF5, 0xCF, 0xB4, 0x73, 0x70, 0xDB, 
-	0x58, 0x1E, 0xB2, 0x4E, 0x77, 0x6F, 0xA4, 0x7E, 
-	0x62, 0xDF, 0xB7, 0x05, 0xE8, 0x80, 0x42, 0x5C, 
-	0xB8, 0x78, 0x87, 0x97, 0x7F, 0x66, 0x2C, 0x5F, 
-	0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x00, 0x01, 0x00, 0x04, 0x63, 0x80, 0x5A, 0x35, 0x1A, 0x43, 0x7B, 0xA2, 0x43, 0x19, 0xBB, 0x3A, 0x77, 0x7B, 0x7A, 0xF3, 0x5E, 0x72, 0x4B, 0x15, 0x0A, 0x06, 0x39, 0x6C, 0x5F, 0xEC, 0x38, 0x45, 0xB1, 0x88, 0x76, 0x26, 0x8D, 0x5E, 0xDA, 0xE6, 0x2F, 0x14, 0xBA, 0x02, 0xFA, 0xD6, 0xFC, 0x3B, 0x2B, 0xBE, 0x87, 0x07, 0x63, 0x8E, 0x55, 0xBF, 0x05, 0x5A, 0xFC, 0xFC, 0xB3, 0x47, 0x69, 0x11, 0x89, 0xDB, 0x1C, 0xAF, 0x4B, 0x43, 0x76, 0x62, 0x3E, 0x30, 0x89, 0x0A, 0x9D, 0x3B, 0xBB, 0x3E, 0x50, 0xBD, 0xF7, 0xA6, 0xC0, 0xF7, 0xF8, 0xBB, 0x0D, 0xB5, 0x6A, 0xBB, 0xC6, 0xC3, 0x50, 0xC8, 0x88, 0xBB, 0x9D, 0xF0, 0x9B, 0xD1, 0x30, 0x64, 0x60, 0x69, 0xDD, 0x34, 0x67, 0xA7, 0x00, 0xEB, 0xDC, 0xF9, 0x8C, 0xB0, 0xF7, 0x93, 0x0E, 0x81, 0xFE, 0x98, 0xD9, 0x72, 0x45, 0x8B, 0x94, 0x7E, 0x59, 0xE2, 0xBE, 0x4E, 0x91, 0x2D, 0x75, 0xCA, 0x1B, 0x8E, 0x2E, 0xF4, 0x6D, 0x73, 0xB1, 0x6B, 0x35, 0xB5, 0x67, 0x0D, 0x63, 0x2D, 0x51, 0x38, 0x53, 0x28, 0x19, 0x1D, 0x9D, 0xAE, 0x8D, 0xC6, 0x61, 0xCC, 0xEF, 0xA4, 0xAB, 0xE2, 0xF3, 0xB0, 0x4C, 0x7B, 0xE2, 0x71, 0xB5, 0xF9, 0x2C, 0xFA, 0x55, 0xCD, 0x88, 0x8B, 0x72, 0xCC, 0xBE, 0x67, 0xFA, 0xDF, 0xEF, 0x6B, 0x53, 0x3C, 0x45, 0xD8, 0xCB, 0xDF, 0xB2, 0x76, 0x41, 0x46, 0xD6, 0xC2, 0x6F, 0x27, 0x16, 0xC5, 0x07, 0xF3, 0xF4, 0x44, 0x66, 0xA3, 0x15, 0xD2, 0x77, 0xF2, 0x89, 0xDA, 0xFD, 0xD5, 0x50, 0xCF, 0xA4, 0x9B, 0xEA, 0xCA, 0xC9, 0x7B, 0xE5, 0x46, 0x0E, 0xED, 0x9B, 0xFB, 0x04, 0xA9, 0xDA, 0x19, 0x58, 0xD9, 0x2A, 0x20, 0x8A, 0xAC, 0xC1, 0xF4, 0x8E, 0xE9, 0x14, 0xD8, 0x8A, 0xD7, 0x41, 0xD5, 0x5B, 0x9B, 0x64, 0x22, 0xD8, 0xAF, 0xAE, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x58, 0x53, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x39, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0xA3, 0x47, 0xA4, 0xC0, 0x84, 0x4C, 0xEB, 0x7E, 0xB0, 0xCF, 0xF0, 0xAE, 0xB7, 0x77, 0x69, 0x85, 0x93, 0xE4, 0x99, 0x5A, 0x95, 0x4E, 0x58, 0x17, 0x38, 0xCE, 0xD6, 0x81, 0xB0, 0xBD, 0x77, 0x09, 0xE7, 0xF8, 0x9A, 0xDF, 0xAD, 0x05, 0x48, 0x83, 0xF6, 0xC3, 0xFD, 0xDF, 0x7B, 0x83, 0xE0, 0x0C, 0x26, 0x81, 0x54, 0x43, 0x29, 0xEA, 0x82, 0x6C, 0x89, 0xF0, 0xA6, 0x74, 0x42, 0x86, 0x4D, 0x32, 0x60, 0x32, 0x7D, 0xA7, 0x7A, 0x13, 0x40, 0x66, 0x59, 0xDA, 0x3E, 0x41, 0x6B, 0x27, 0x94, 0x03, 0x4F, 0xAA, 0x22, 0x9D, 0xD5, 0x54, 0x52, 0xDB, 0x27, 0x0A, 0x6A, 0xA2, 0x3D, 0x19, 0xB1, 0x66, 0x1B, 0x19, 0x7D, 0xAB, 0xC7, 0x0E, 0x88, 0x17, 0x91, 0xA1, 0x2A, 0xB4, 0x3C, 0x6C, 0xCB, 0xF5, 0xAA, 0x7C, 0x3A, 0xDD, 0x36, 0xFB, 0x35, 0x71, 0x7B, 0x20, 0x01, 0x59, 0x00, 0xD6, 0xF6, 0x90, 0x39, 0x35, 0x41, 0x31, 0xF8, 0xC1, 0xC0, 0x57, 0x3A, 0x35, 0x18, 0x58, 0x90, 0xB1, 0xAD, 0x9A, 0x0E, 0xEC, 0xE0, 0xF4, 0x7A, 0x7D, 0xA5, 0x27, 0x48, 0xC9, 0x72, 0xAB, 0x0D, 0x08, 0x7B, 0x62, 0x35, 0x40, 0x91, 0x14, 0x2B, 0xB1, 0x1D, 0x1A, 0xFA, 0xF9, 0xCD, 0x5C, 0x17, 0x13, 0x53, 0x52, 0x71, 0xCA, 0xE2, 0x2A, 0x78, 0xB1, 0x7F, 0x4A, 0xCD, 0x59, 0xD8, 0xBA, 0x1D, 0x7D, 0x70, 0x5F, 0x78, 0x1B, 0x9F, 0x9D, 0x37, 0x18, 0x8E, 0xD7, 0xCD, 0x0D, 0x49, 0x57, 0x74, 0x69, 0x88, 0x3A, 0x6B, 0x8E, 0x4E, 0x1B, 0x85, 0xDD, 0xBE, 0x39, 0x45, 0x05, 0x89, 0x56, 0x12, 0x97, 0x59, 0x9A, 0x09, 0xA4, 0xC8, 0x2D, 0x2F, 0xF5, 0xCF, 0xB4, 0x73, 0x70, 0xDB, 0x58, 0x1E, 0xB2, 0x4E, 0x77, 0x6F, 0xA4, 0x7E, 0x62, 0xDF, 0xB7, 0x05, 0xE8, 0x80, 0x42, 0x5C, 0xB8, 0x78, 0x87, 0x97, 0x7F, 0x66, 0x2C, 0x5F, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
 static const unsigned char cpA_dpki_cert[0x300] = 
 {
-	0x00, 0x01, 0x00, 0x04, 0x50, 0x05, 0xD7, 0x5E, 
-	0x6D, 0xDE, 0xB8, 0x78, 0x3C, 0x81, 0xE9, 0xEF, 
-	0x0D, 0x17, 0xCD, 0x58, 0xF5, 0x94, 0x26, 0xA3, 
-	0xFD, 0x6F, 0x69, 0x90, 0xE8, 0xF8, 0x32, 0x87, 
-	0x12, 0x2E, 0xC2, 0x5C, 0xA1, 0x4B, 0x99, 0x24, 
-	0x23, 0x37, 0xBA, 0x91, 0xA7, 0x5B, 0x0F, 0x7C, 
-	0x59, 0xFB, 0xF7, 0xD1, 0x89, 0x27, 0x22, 0xC4, 
-	0xE6, 0xAF, 0xC7, 0xDE, 0xC7, 0x4A, 0x6E, 0x00, 
-	0x7F, 0x43, 0x4A, 0x88, 0x8A, 0x82, 0x15, 0xE8, 
-	0xDF, 0x2B, 0x52, 0xED, 0x42, 0x00, 0xBC, 0x69, 
-	0xB4, 0xDA, 0x7F, 0xEB, 0x74, 0x6C, 0x7A, 0x2D, 
-	0x96, 0x56, 0x5B, 0x45, 0x59, 0x7B, 0x8F, 0xAE, 
-	0xB1, 0x6B, 0xDC, 0x76, 0xC1, 0xC8, 0x0C, 0x47, 
-	0xF5, 0x0D, 0xA9, 0xC3, 0xE1, 0xFE, 0x28, 0x50, 
-	0x1C, 0x26, 0xA2, 0xD1, 0x54, 0x4B, 0xD1, 0x60, 
-	0x4A, 0x9E, 0x8F, 0x32, 0x2A, 0xEF, 0x31, 0x5F, 
-	0xEA, 0x48, 0x22, 0x67, 0x22, 0xB7, 0xCB, 0x37, 
-	0x2F, 0xF3, 0x5F, 0x5E, 0x61, 0x6A, 0x53, 0x44, 
-	0xA5, 0x85, 0xE5, 0xA0, 0x8A, 0x2E, 0x17, 0x77, 
-	0x57, 0x2B, 0x7A, 0x9A, 0xF7, 0xD2, 0xD8, 0xC4, 
-	0x9C, 0xD0, 0xA0, 0x54, 0xBF, 0x8A, 0x9D, 0xB4, 
-	0x9F, 0xC6, 0x60, 0x61, 0x7C, 0xB8, 0x35, 0x4E, 
-	0x25, 0x7F, 0x68, 0x68, 0x2F, 0x94, 0xB3, 0xCC, 
-	0x53, 0x8C, 0x42, 0x6F, 0x88, 0xC5, 0x48, 0x5C, 
-	0xBE, 0xC1, 0xD0, 0x48, 0x04, 0x74, 0x96, 0x5A, 
-	0x7E, 0x82, 0x59, 0xAA, 0x9F, 0xB6, 0x61, 0x46, 
-	0xCE, 0x59, 0x21, 0xC6, 0xF0, 0xC1, 0x75, 0x1F, 
-	0x21, 0x91, 0x7F, 0x24, 0x96, 0xCB, 0x0C, 0x70, 
-	0x15, 0x7A, 0xB7, 0xBB, 0x3A, 0x9F, 0x57, 0x56, 
-	0x56, 0x5C, 0x38, 0x92, 0x2E, 0xFD, 0xC8, 0xF1, 
-	0x70, 0xB9, 0xAE, 0xA1, 0xAE, 0x36, 0xF5, 0x5E, 
-	0x35, 0x26, 0x63, 0x0A, 0xBA, 0xB2, 0x05, 0x0F, 
-	0xF0, 0x0C, 0xDC, 0xBB, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x34, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x01, 0x43, 0x50, 0x30, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x61, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x18, 0xA3, 0x4D, 0x5B, 
-	0xAA, 0x7F, 0x93, 0x80, 0x28, 0x9B, 0xE8, 0x98, 
-	0x63, 0x10, 0x7A, 0xE1, 0x0C, 0x59, 0x2C, 0x2F, 
-	0x7C, 0xFF, 0xBD, 0xAA, 0xDD, 0x74, 0xF4, 0xA2, 
-	0xFB, 0xAC, 0xD7, 0x6F, 0x00, 0x93, 0x42, 0x06, 
-	0x34, 0x71, 0x56, 0xD8, 0x40, 0x49, 0x72, 0x9F, 
-	0x3E, 0x24, 0xFA, 0x5E, 0x19, 0xD1, 0x5B, 0x63, 
-	0x5C, 0xD2, 0xEF, 0x09, 0xDE, 0x32, 0xEE, 0x6B, 
-	0x6F, 0xC8, 0xFA, 0x32, 0x8E, 0x2E, 0x96, 0xB9, 
-	0x94, 0x41, 0x04, 0x7D, 0x07, 0x62, 0x95, 0xDA, 
-	0x0D, 0x91, 0xD8, 0x09, 0x35, 0xD0, 0xDE, 0x8E, 
-	0x6B, 0xC6, 0xAB, 0x14, 0x27, 0x01, 0x9C, 0xFE, 
-	0x49, 0x96, 0xFC, 0x9B, 0x54, 0x79, 0x4D, 0xEB, 
-	0xD7, 0xC6, 0x66, 0x73, 0xA6, 0xDD, 0x3A, 0x77, 
-	0x65, 0x47, 0x94, 0xEC, 0x1C, 0x87, 0xAA, 0x46, 
-	0xD9, 0x78, 0xA9, 0x7D, 0xDB, 0x11, 0x22, 0x6E, 
-	0xD4, 0x12, 0xC2, 0x78, 0x4B, 0x21, 0x83, 0x92, 
-	0xC7, 0x10, 0xC7, 0x74, 0x19, 0xFF, 0xAA, 0xF6, 
-	0x0B, 0x75, 0xD8, 0x23, 0xDD, 0x33, 0xC3, 0xA1, 
-	0x5B, 0xA7, 0x2D, 0x30, 0xA5, 0xA4, 0xD8, 0xF8, 
-	0x0F, 0xD6, 0x73, 0xFD, 0x26, 0xCB, 0x29, 0xA6, 
-	0xEF, 0x50, 0x39, 0xE2, 0x5F, 0x59, 0x61, 0x84, 
-	0x6B, 0xDA, 0x2E, 0xC7, 0xCB, 0xE4, 0x38, 0x4B, 
-	0x28, 0xFB, 0x0D, 0xD5, 0x8E, 0x7C, 0xAA, 0x7D, 
-	0x4B, 0x37, 0x3A, 0xD7, 0x81, 0xDD, 0x73, 0xE3, 
-	0x09, 0x93, 0xBD, 0xBD, 0x7E, 0x08, 0x55, 0x4A, 
-	0x8C, 0xA5, 0xC9, 0x84, 0x2D, 0x71, 0x01, 0xA2, 
-	0x2A, 0x01, 0xB0, 0x15, 0xFB, 0x30, 0x78, 0xB9, 
-	0x13, 0xF4, 0xC7, 0x3F, 0xB5, 0xA6, 0xF1, 0xA2, 
-	0x5E, 0x22, 0xB0, 0x02, 0xB6, 0xE0, 0x09, 0x54, 
-	0x7F, 0x0F, 0xBD, 0xF0, 0xFE, 0xA5, 0x50, 0x1D, 
-	0x93, 0x15, 0xF9, 0x3D, 0x83, 0x0F, 0x0F, 0x0E, 
-	0x3D, 0xE2, 0x3D, 0x96, 0xE7, 0x09, 0xD9, 0x77, 
-	0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x00, 0x01, 0x00, 0x04, 0x50, 0x05, 0xD7, 0x5E, 0x6D, 0xDE, 0xB8, 0x78, 0x3C, 0x81, 0xE9, 0xEF, 0x0D, 0x17, 0xCD, 0x58, 0xF5, 0x94, 0x26, 0xA3, 0xFD, 0x6F, 0x69, 0x90, 0xE8, 0xF8, 0x32, 0x87, 0x12, 0x2E, 0xC2, 0x5C, 0xA1, 0x4B, 0x99, 0x24, 0x23, 0x37, 0xBA, 0x91, 0xA7, 0x5B, 0x0F, 0x7C, 0x59, 0xFB, 0xF7, 0xD1, 0x89, 0x27, 0x22, 0xC4, 0xE6, 0xAF, 0xC7, 0xDE, 0xC7, 0x4A, 0x6E, 0x00, 0x7F, 0x43, 0x4A, 0x88, 0x8A, 0x82, 0x15, 0xE8, 0xDF, 0x2B, 0x52, 0xED, 0x42, 0x00, 0xBC, 0x69, 0xB4, 0xDA, 0x7F, 0xEB, 0x74, 0x6C, 0x7A, 0x2D, 0x96, 0x56, 0x5B, 0x45, 0x59, 0x7B, 0x8F, 0xAE, 0xB1, 0x6B, 0xDC, 0x76, 0xC1, 0xC8, 0x0C, 0x47, 0xF5, 0x0D, 0xA9, 0xC3, 0xE1, 0xFE, 0x28, 0x50, 0x1C, 0x26, 0xA2, 0xD1, 0x54, 0x4B, 0xD1, 0x60, 0x4A, 0x9E, 0x8F, 0x32, 0x2A, 0xEF, 0x31, 0x5F, 0xEA, 0x48, 0x22, 0x67, 0x22, 0xB7, 0xCB, 0x37, 0x2F, 0xF3, 0x5F, 0x5E, 0x61, 0x6A, 0x53, 0x44, 0xA5, 0x85, 0xE5, 0xA0, 0x8A, 0x2E, 0x17, 0x77, 0x57, 0x2B, 0x7A, 0x9A, 0xF7, 0xD2, 0xD8, 0xC4, 0x9C, 0xD0, 0xA0, 0x54, 0xBF, 0x8A, 0x9D, 0xB4, 0x9F, 0xC6, 0x60, 0x61, 0x7C, 0xB8, 0x35, 0x4E, 0x25, 0x7F, 0x68, 0x68, 0x2F, 0x94, 0xB3, 0xCC, 0x53, 0x8C, 0x42, 0x6F, 0x88, 0xC5, 0x48, 0x5C, 0xBE, 0xC1, 0xD0, 0x48, 0x04, 0x74, 0x96, 0x5A, 0x7E, 0x82, 0x59, 0xAA, 0x9F, 0xB6, 0x61, 0x46, 0xCE, 0x59, 0x21, 0xC6, 0xF0, 0xC1, 0x75, 0x1F, 0x21, 0x91, 0x7F, 0x24, 0x96, 0xCB, 0x0C, 0x70, 0x15, 0x7A, 0xB7, 0xBB, 0x3A, 0x9F, 0x57, 0x56, 0x56, 0x5C, 0x38, 0x92, 0x2E, 0xFD, 0xC8, 0xF1, 0x70, 0xB9, 0xAE, 0xA1, 0xAE, 0x36, 0xF5, 0x5E, 0x35, 0x26, 0x63, 0x0A, 0xBA, 0xB2, 0x05, 0x0F, 0xF0, 0x0C, 0xDC, 0xBB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x43, 0x50, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0xA3, 0x4D, 0x5B, 0xAA, 0x7F, 0x93, 0x80, 0x28, 0x9B, 0xE8, 0x98, 0x63, 0x10, 0x7A, 0xE1, 0x0C, 0x59, 0x2C, 0x2F, 0x7C, 0xFF, 0xBD, 0xAA, 0xDD, 0x74, 0xF4, 0xA2, 0xFB, 0xAC, 0xD7, 0x6F, 0x00, 0x93, 0x42, 0x06, 0x34, 0x71, 0x56, 0xD8, 0x40, 0x49, 0x72, 0x9F, 0x3E, 0x24, 0xFA, 0x5E, 0x19, 0xD1, 0x5B, 0x63, 0x5C, 0xD2, 0xEF, 0x09, 0xDE, 0x32, 0xEE, 0x6B, 0x6F, 0xC8, 0xFA, 0x32, 0x8E, 0x2E, 0x96, 0xB9, 0x94, 0x41, 0x04, 0x7D, 0x07, 0x62, 0x95, 0xDA, 0x0D, 0x91, 0xD8, 0x09, 0x35, 0xD0, 0xDE, 0x8E, 0x6B, 0xC6, 0xAB, 0x14, 0x27, 0x01, 0x9C, 0xFE, 0x49, 0x96, 0xFC, 0x9B, 0x54, 0x79, 0x4D, 0xEB, 0xD7, 0xC6, 0x66, 0x73, 0xA6, 0xDD, 0x3A, 0x77, 0x65, 0x47, 0x94, 0xEC, 0x1C, 0x87, 0xAA, 0x46, 0xD9, 0x78, 0xA9, 0x7D, 0xDB, 0x11, 0x22, 0x6E, 0xD4, 0x12, 0xC2, 0x78, 0x4B, 0x21, 0x83, 0x92, 0xC7, 0x10, 0xC7, 0x74, 0x19, 0xFF, 0xAA, 0xF6, 0x0B, 0x75, 0xD8, 0x23, 0xDD, 0x33, 0xC3, 0xA1, 0x5B, 0xA7, 0x2D, 0x30, 0xA5, 0xA4, 0xD8, 0xF8, 0x0F, 0xD6, 0x73, 0xFD, 0x26, 0xCB, 0x29, 0xA6, 0xEF, 0x50, 0x39, 0xE2, 0x5F, 0x59, 0x61, 0x84, 0x6B, 0xDA, 0x2E, 0xC7, 0xCB, 0xE4, 0x38, 0x4B, 0x28, 0xFB, 0x0D, 0xD5, 0x8E, 0x7C, 0xAA, 0x7D, 0x4B, 0x37, 0x3A, 0xD7, 0x81, 0xDD, 0x73, 0xE3, 0x09, 0x93, 0xBD, 0xBD, 0x7E, 0x08, 0x55, 0x4A, 0x8C, 0xA5, 0xC9, 0x84, 0x2D, 0x71, 0x01, 0xA2, 0x2A, 0x01, 0xB0, 0x15, 0xFB, 0x30, 0x78, 0xB9, 0x13, 0xF4, 0xC7, 0x3F, 0xB5, 0xA6, 0xF1, 0xA2, 0x5E, 0x22, 0xB0, 0x02, 0xB6, 0xE0, 0x09, 0x54, 0x7F, 0x0F, 0xBD, 0xF0, 0xFE, 0xA5, 0x50, 0x1D, 0x93, 0x15, 0xF9, 0x3D, 0x83, 0x0F, 0x0F, 0x0E, 0x3D, 0xE2, 0x3D, 0x96, 0xE7, 0x09, 0xD9, 0x77, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
diff --git a/makerom/pki/dev_legacy.h b/makerom/pki/dev_legacy.h
index 5d7c638d..83596274 100644
--- a/makerom/pki/dev_legacy.h
+++ b/makerom/pki/dev_legacy.h
@@ -1,4 +1,5 @@
 #pragma once
+#include "rsa_key.h"
 
 // AES Keys
 static const unsigned char rvl_twl_common_etd_key_dpki[1][16] =
@@ -21,148 +22,16 @@ static const unsigned char xs_dpki_eccPubKey[60] =
 
 // RSA Keys
 // CA2 PKI
-static const unsigned char cp7_dpki_rsa_priv[256] =
+static const CtrRsa2048Key cp7_dpki_rsa =
 {
-	0x32, 0xB5, 0xC3, 0x23, 0x67, 0x7B, 0x04, 0xF2,
-	0xBB, 0x00, 0x9F, 0xBC, 0x37, 0x4D, 0x9D, 0x2F,
-	0x71, 0xDB, 0x8C, 0xC7, 0x06, 0xB4, 0xEF, 0x0E,
-	0x43, 0x4E, 0xDC, 0xDD, 0x77, 0xC0, 0x16, 0xD8,
-	0x16, 0x10, 0xE3, 0x5F, 0x0E, 0x68, 0x0D, 0x08,
-	0xAF, 0x0E, 0x8E, 0xFB, 0x53, 0xDD, 0xAB, 0xE0,
-	0x9C, 0x75, 0x9E, 0xFC, 0xB8, 0x6C, 0x8E, 0x62,
-	0xBB, 0x6E, 0x6B, 0x99, 0x63, 0xD8, 0x76, 0xB1,
-	0x98, 0x05, 0xCA, 0xC4, 0x92, 0xBE, 0x2F, 0x5A,
-	0x76, 0xE8, 0xCA, 0xF4, 0xAC, 0xA2, 0xB0, 0x32,
-	0x8A, 0xB7, 0xBB, 0xEB, 0xB3, 0xF1, 0xC2, 0xB1,
-	0x80, 0x9D, 0x17, 0xBA, 0x4F, 0xF6, 0x5B, 0x23,
-	0xF6, 0x5D, 0xAD, 0x43, 0xA6, 0xF1, 0xE4, 0x47,
-	0x7C, 0x4F, 0x93, 0x2E, 0x04, 0x75, 0xEE, 0x2E,
-	0x09, 0x6E, 0xCA, 0x17, 0x0E, 0x58, 0x4C, 0x99,
-	0x7C, 0x45, 0x07, 0xD8, 0x70, 0x91, 0xDE, 0x89,
-	0x13, 0xB9, 0xBA, 0x47, 0x33, 0x4F, 0x4F, 0x79,
-	0x58, 0x16, 0x3F, 0x86, 0x11, 0x35, 0x91, 0x48,
-	0x9B, 0xA7, 0xF7, 0x77, 0xB0, 0xF0, 0x48, 0xE4,
-	0x11, 0x41, 0xF4, 0x25, 0x7D, 0xE5, 0xAC, 0x71,
-	0x6F, 0xCD, 0x9B, 0x6E, 0xD2, 0x30, 0xFF, 0x1D,
-	0x38, 0xE9, 0x2F, 0xE0, 0xD9, 0xA9, 0x89, 0x68,
-	0xB6, 0xAC, 0x45, 0xC8, 0x3B, 0x9F, 0x49, 0x30,
-	0x93, 0x3B, 0x69, 0x6B, 0xBE, 0x20, 0x68, 0x4B,
-	0x87, 0x1F, 0x7C, 0xEA, 0xBC, 0xC2, 0x77, 0xED,
-	0xCC, 0x36, 0xCD, 0xA0, 0xC6, 0xAD, 0x46, 0xF2,
-	0xFD, 0x2D, 0xB9, 0x55, 0x2F, 0x81, 0xD5, 0xA7,
-	0xDF, 0x4E, 0x5B, 0xE3, 0xEA, 0x92, 0xB4, 0xBF,
-	0x22, 0xAA, 0x05, 0xA2, 0x86, 0x7B, 0x1A, 0x06,
-	0xFB, 0x58, 0x00, 0x64, 0xC0, 0xE0, 0xF8, 0x9E,
-	0x1B, 0x1C, 0x3C, 0x23, 0x20, 0xA4, 0x03, 0xEC,
-	0x27, 0x7A, 0x9D, 0x8B, 0xD2, 0x71, 0xAB, 0xFD
+	.modulus = { 0xC3, 0xD9, 0xA5, 0xF3, 0xC2, 0x5D, 0x16, 0xD2, 0x64, 0xAD, 0x2C, 0x0C, 0xB7, 0xE6, 0x5C, 0x50, 0x6D, 0x07, 0x63, 0x05, 0x32, 0x6E, 0xD9, 0xCD, 0xEB, 0x3A, 0x5F, 0x23, 0xB0, 0x3F, 0x38, 0x80, 0x3F, 0x60, 0x96, 0xDC, 0xCC, 0xDB, 0xE3, 0xD4, 0x6E, 0x9A, 0x00, 0x7B, 0x25, 0xBE, 0xF9, 0x59, 0xE7, 0x90, 0x4A, 0xDD, 0x10, 0xF6, 0x12, 0x00, 0x99, 0xC6, 0xFD, 0x3C, 0x80, 0xBE, 0x9B, 0xDF, 0x74, 0x5A, 0x04, 0x59, 0xB2, 0x2A, 0x7C, 0x0C, 0xB4, 0xE7, 0x73, 0xD7, 0x04, 0xF4, 0x2B, 0x77, 0x9A, 0x69, 0xAC, 0x9F, 0xDA, 0x4E, 0x65, 0xF1, 0x3C, 0x30, 0x38, 0x98, 0x4E, 0x94, 0x67, 0xE3, 0xA9, 0x11, 0x2D, 0x81, 0x5E, 0x53, 0xF5, 0x75, 0xD9, 0x27, 0x52, 0x87, 0xFB, 0x98, 0x10, 0x98, 0x2F, 0x62, 0x30, 0x93, 0x5E, 0xAF, 0xEB, 0xC0, 0x3A, 0x64, 0x53, 0x6B, 0x60, 0x2E, 0x17, 0x22, 0x25, 0x97, 0x5F, 0x64, 0x8B, 0x10, 0x67, 0xC0, 0x14, 0x9C, 0xBE, 0x8F, 0x1E, 0x15, 0xF5, 0x73, 0xA7, 0x50, 0x04, 0x7F, 0x34, 0xEB, 0x02, 0x03, 0x32, 0x41, 0x75, 0x20, 0x4A, 0x40, 0x7C, 0x79, 0xDD, 0xE4, 0x29, 0xD6, 0x60, 0x73, 0x2E, 0x02, 0xD4, 0x79, 0x87, 0xF1, 0x33, 0x5A, 0xAA, 0x95, 0xFB, 0x55, 0x0D, 0x29, 0x0D, 0xA2, 0xCF, 0xC6, 0x04, 0xB7, 0x8A, 0x63, 0xCA, 0x64, 0x52, 0x87, 0xAA, 0xEB, 0xE0, 0x7D, 0x6F, 0x6C, 0xDF, 0x0E, 0x6F, 0xF1, 0xC4, 0xC2, 0x60, 0x6C, 0xC4, 0x77, 0x29, 0x03, 0x1E, 0x6B, 0x9C, 0x3C, 0xA3, 0xED, 0x2D, 0xB4, 0xF0, 0x58, 0x81, 0x50, 0xB2, 0x6E, 0x66, 0xDB, 0x99, 0xAC, 0x44, 0x77, 0xA6, 0xFE, 0x80, 0x6E, 0x08, 0xFA, 0xEA, 0xC5, 0x27, 0x92, 0x71, 0xFF, 0xCF, 0x29, 0xB1, 0x13, 0xEB, 0x14, 0x50, 0xD1, 0x81, 0xD8, 0xBF, 0x48, 0x05, 0xBD },
+	.priv_exponent = { 0x32, 0xB5, 0xC3, 0x23, 0x67, 0x7B, 0x04, 0xF2, 0xBB, 0x00, 0x9F, 0xBC, 0x37, 0x4D, 0x9D, 0x2F, 0x71, 0xDB, 0x8C, 0xC7, 0x06, 0xB4, 0xEF, 0x0E, 0x43, 0x4E, 0xDC, 0xDD, 0x77, 0xC0, 0x16, 0xD8, 0x16, 0x10, 0xE3, 0x5F, 0x0E, 0x68, 0x0D, 0x08, 0xAF, 0x0E, 0x8E, 0xFB, 0x53, 0xDD, 0xAB, 0xE0, 0x9C, 0x75, 0x9E, 0xFC, 0xB8, 0x6C, 0x8E, 0x62, 0xBB, 0x6E, 0x6B, 0x99, 0x63, 0xD8, 0x76, 0xB1, 0x98, 0x05, 0xCA, 0xC4, 0x92, 0xBE, 0x2F, 0x5A, 0x76, 0xE8, 0xCA, 0xF4, 0xAC, 0xA2, 0xB0, 0x32, 0x8A, 0xB7, 0xBB, 0xEB, 0xB3, 0xF1, 0xC2, 0xB1, 0x80, 0x9D, 0x17, 0xBA, 0x4F, 0xF6, 0x5B, 0x23, 0xF6, 0x5D, 0xAD, 0x43, 0xA6, 0xF1, 0xE4, 0x47, 0x7C, 0x4F, 0x93, 0x2E, 0x04, 0x75, 0xEE, 0x2E, 0x09, 0x6E, 0xCA, 0x17, 0x0E, 0x58, 0x4C, 0x99, 0x7C, 0x45, 0x07, 0xD8, 0x70, 0x91, 0xDE, 0x89, 0x13, 0xB9, 0xBA, 0x47, 0x33, 0x4F, 0x4F, 0x79, 0x58, 0x16, 0x3F, 0x86, 0x11, 0x35, 0x91, 0x48, 0x9B, 0xA7, 0xF7, 0x77, 0xB0, 0xF0, 0x48, 0xE4, 0x11, 0x41, 0xF4, 0x25, 0x7D, 0xE5, 0xAC, 0x71, 0x6F, 0xCD, 0x9B, 0x6E, 0xD2, 0x30, 0xFF, 0x1D, 0x38, 0xE9, 0x2F, 0xE0, 0xD9, 0xA9, 0x89, 0x68, 0xB6, 0xAC, 0x45, 0xC8, 0x3B, 0x9F, 0x49, 0x30, 0x93, 0x3B, 0x69, 0x6B, 0xBE, 0x20, 0x68, 0x4B, 0x87, 0x1F, 0x7C, 0xEA, 0xBC, 0xC2, 0x77, 0xED, 0xCC, 0x36, 0xCD, 0xA0, 0xC6, 0xAD, 0x46, 0xF2, 0xFD, 0x2D, 0xB9, 0x55, 0x2F, 0x81, 0xD5, 0xA7, 0xDF, 0x4E, 0x5B, 0xE3, 0xEA, 0x92, 0xB4, 0xBF, 0x22, 0xAA, 0x05, 0xA2, 0x86, 0x7B, 0x1A, 0x06, 0xFB, 0x58, 0x00, 0x64, 0xC0, 0xE0, 0xF8, 0x9E, 0x1B, 0x1C, 0x3C, 0x23, 0x20, 0xA4, 0x03, 0xEC, 0x27, 0x7A, 0x9D, 0x8B, 0xD2, 0x71, 0xAB, 0xFD }
 };
 
-static const unsigned char cp7_dpki_rsa_pub[256] =
+static const CtrRsa2048Key xs6_dpki_rsa =
 {
-	0xC3, 0xD9, 0xA5, 0xF3, 0xC2, 0x5D, 0x16, 0xD2,
-	0x64, 0xAD, 0x2C, 0x0C, 0xB7, 0xE6, 0x5C, 0x50,
-	0x6D, 0x07, 0x63, 0x05, 0x32, 0x6E, 0xD9, 0xCD,
-	0xEB, 0x3A, 0x5F, 0x23, 0xB0, 0x3F, 0x38, 0x80,
-	0x3F, 0x60, 0x96, 0xDC, 0xCC, 0xDB, 0xE3, 0xD4,
-	0x6E, 0x9A, 0x00, 0x7B, 0x25, 0xBE, 0xF9, 0x59,
-	0xE7, 0x90, 0x4A, 0xDD, 0x10, 0xF6, 0x12, 0x00,
-	0x99, 0xC6, 0xFD, 0x3C, 0x80, 0xBE, 0x9B, 0xDF,
-	0x74, 0x5A, 0x04, 0x59, 0xB2, 0x2A, 0x7C, 0x0C,
-	0xB4, 0xE7, 0x73, 0xD7, 0x04, 0xF4, 0x2B, 0x77,
-	0x9A, 0x69, 0xAC, 0x9F, 0xDA, 0x4E, 0x65, 0xF1,
-	0x3C, 0x30, 0x38, 0x98, 0x4E, 0x94, 0x67, 0xE3,
-	0xA9, 0x11, 0x2D, 0x81, 0x5E, 0x53, 0xF5, 0x75,
-	0xD9, 0x27, 0x52, 0x87, 0xFB, 0x98, 0x10, 0x98,
-	0x2F, 0x62, 0x30, 0x93, 0x5E, 0xAF, 0xEB, 0xC0,
-	0x3A, 0x64, 0x53, 0x6B, 0x60, 0x2E, 0x17, 0x22,
-	0x25, 0x97, 0x5F, 0x64, 0x8B, 0x10, 0x67, 0xC0,
-	0x14, 0x9C, 0xBE, 0x8F, 0x1E, 0x15, 0xF5, 0x73,
-	0xA7, 0x50, 0x04, 0x7F, 0x34, 0xEB, 0x02, 0x03,
-	0x32, 0x41, 0x75, 0x20, 0x4A, 0x40, 0x7C, 0x79,
-	0xDD, 0xE4, 0x29, 0xD6, 0x60, 0x73, 0x2E, 0x02,
-	0xD4, 0x79, 0x87, 0xF1, 0x33, 0x5A, 0xAA, 0x95,
-	0xFB, 0x55, 0x0D, 0x29, 0x0D, 0xA2, 0xCF, 0xC6,
-	0x04, 0xB7, 0x8A, 0x63, 0xCA, 0x64, 0x52, 0x87,
-	0xAA, 0xEB, 0xE0, 0x7D, 0x6F, 0x6C, 0xDF, 0x0E,
-	0x6F, 0xF1, 0xC4, 0xC2, 0x60, 0x6C, 0xC4, 0x77,
-	0x29, 0x03, 0x1E, 0x6B, 0x9C, 0x3C, 0xA3, 0xED,
-	0x2D, 0xB4, 0xF0, 0x58, 0x81, 0x50, 0xB2, 0x6E,
-	0x66, 0xDB, 0x99, 0xAC, 0x44, 0x77, 0xA6, 0xFE,
-	0x80, 0x6E, 0x08, 0xFA, 0xEA, 0xC5, 0x27, 0x92,
-	0x71, 0xFF, 0xCF, 0x29, 0xB1, 0x13, 0xEB, 0x14,
-	0x50, 0xD1, 0x81, 0xD8, 0xBF, 0x48, 0x05, 0xBD
-};
-
-static const unsigned char xs6_dpki_rsa_priv[256] =
-{
-	0x53, 0x00, 0x39, 0x3F, 0x1F, 0xA6, 0x21, 0xFA,
-	0x9E, 0xB9, 0x0C, 0x94, 0xF8, 0xF3, 0x48, 0x5E,
-	0x73, 0xAC, 0xEC, 0xFD, 0x34, 0x74, 0x46, 0x30,
-	0x01, 0xD5, 0xEF, 0x1D, 0x39, 0x88, 0xB2, 0x26,
-	0x51, 0xC7, 0xD1, 0x12, 0xC2, 0xAA, 0xAE, 0x3B,
-	0x10, 0x12, 0x48, 0x18, 0x54, 0x60, 0xEA, 0xC6,
-	0x63, 0x8F, 0xAE, 0x8E, 0x5E, 0x62, 0xAE, 0x7F,
-	0x6C, 0x8A, 0x61, 0xB2, 0x7F, 0x25, 0x0D, 0xB5,
-	0x62, 0x15, 0xAF, 0x56, 0x71, 0xBF, 0xC6, 0x8C,
-	0x53, 0x1D, 0x70, 0xD3, 0x36, 0xE6, 0x37, 0x12,
-	0x26, 0x0C, 0x61, 0xB6, 0x11, 0x25, 0x2C, 0x7C,
-	0x49, 0x2A, 0x2E, 0xAE, 0xBF, 0x01, 0xBA, 0x7F,
-	0x82, 0x43, 0xDE, 0xD6, 0x62, 0x7C, 0x61, 0x47,
-	0xB8, 0xAD, 0xA7, 0x64, 0xD5, 0xE5, 0xAF, 0x1D,
-	0xE6, 0xA9, 0x0D, 0x83, 0x2D, 0x74, 0x00, 0xD5,
-	0x86, 0x45, 0xEA, 0xCA, 0x31, 0xF1, 0x0B, 0xFB,
-	0xCF, 0x92, 0xFF, 0xB9, 0x95, 0x18, 0xB4, 0xBA,
-	0xAC, 0x49, 0x5B, 0x04, 0x45, 0x39, 0x6A, 0x3E,
-	0xB9, 0x52, 0xA9, 0x47, 0x18, 0xA4, 0x60, 0x18,
-	0x3D, 0xFD, 0xE2, 0x43, 0x5E, 0x64, 0x2C, 0x48,
-	0xC4, 0x65, 0xC5, 0x75, 0x81, 0xB4, 0xC9, 0x12,
-	0x64, 0x7E, 0x7E, 0x9E, 0x6E, 0x3D, 0xA2, 0x82,
-	0x47, 0xBD, 0xAB, 0x40, 0x76, 0x5F, 0x39, 0x50,
-	0x3C, 0x93, 0x3A, 0x0D, 0xD7, 0x00, 0x9B, 0xCA,
-	0x50, 0x63, 0xDD, 0x1C, 0x86, 0x69, 0xE1, 0x9D,
-	0xD1, 0xFF, 0x99, 0x03, 0x70, 0x82, 0xCF, 0xE2,
-	0xBB, 0x70, 0x9E, 0x51, 0xFC, 0x9C, 0x53, 0x3F,
-	0x3F, 0x45, 0xA7, 0x2F, 0x9D, 0xEC, 0x05, 0x0B,
-	0xE7, 0x5D, 0x89, 0xD4, 0xC4, 0x2F, 0x50, 0xB6,
-	0x91, 0xF5, 0x81, 0xA5, 0x83, 0xC7, 0x07, 0x9C,
-	0x82, 0x64, 0x9C, 0xD7, 0x66, 0x4A, 0x1B, 0x4F,
-	0x34, 0x7E, 0x3C, 0xFC, 0x6B, 0x73, 0x01, 0x51
-};
-
-static const unsigned char xs6_dpki_rsa_pub[256] = 
-{
-	0xCB, 0xDA, 0x82, 0x8B, 0xB1, 0x9C, 0x9F, 0xCD,
-	0x0B, 0x6E, 0xBE, 0x65, 0xE6, 0x85, 0x7B, 0x29,
-	0x85, 0xB1, 0x56, 0x67, 0x16, 0xD8, 0xEB, 0xD1,
-	0x42, 0x68, 0x50, 0x01, 0x01, 0x04, 0x24, 0x37,
-	0x73, 0x87, 0x87, 0x9A, 0x92, 0x7D, 0xCD, 0x52,
-	0xC2, 0x3A, 0xA3, 0x80, 0xB6, 0xE8, 0x50, 0x81,
-	0x13, 0xE5, 0xEC, 0xDE, 0xDA, 0x5D, 0x38, 0xB3,
-	0x3D, 0x9B, 0xFA, 0x4A, 0x61, 0x02, 0x00, 0xF1,
-	0xC2, 0xC8, 0x68, 0x7F, 0x1B, 0xCE, 0x09, 0xDD,
-	0x04, 0x95, 0x64, 0xBD, 0xA5, 0x9A, 0x22, 0x14,
-	0x9E, 0x3E, 0xA0, 0x33, 0x73, 0x31, 0xD3, 0x93,
-	0x60, 0x44, 0xB0, 0x9C, 0x65, 0x01, 0xF8, 0xB8,
-	0x79, 0xE9, 0x5E, 0x8A, 0x16, 0x0D, 0xC6, 0x3F,
-	0x1B, 0x7D, 0x5F, 0x3B, 0x7E, 0x64, 0xAA, 0xE1,
-	0x51, 0x27, 0x38, 0x91, 0x29, 0xB4, 0xB1, 0x13,
-	0xC1, 0x2C, 0xB7, 0x96, 0x5C, 0x48, 0xE4, 0x89,
-	0xE8, 0x58, 0xA5, 0x34, 0x86, 0xFE, 0x21, 0x11,
-	0x76, 0x6E, 0x01, 0x24, 0xCB, 0x5F, 0x83, 0x36,
-	0x99, 0x87, 0x32, 0xCB, 0xAC, 0xF5, 0x6E, 0x46,
-	0x4A, 0x6C, 0xD2, 0xCD, 0x65, 0x27, 0x2C, 0xD1,
-	0x46, 0x30, 0x3F, 0x31, 0xAA, 0x39, 0x9A, 0x44,
-	0xBE, 0x5E, 0x91, 0x93, 0x51, 0x82, 0xF8, 0x65,
-	0xF3, 0x66, 0x5D, 0x06, 0x10, 0x7C, 0x9E, 0xE3,
-	0x8D, 0x91, 0x03, 0xEE, 0x58, 0x54, 0x8B, 0x30,
-	0x1A, 0x9E, 0x01, 0xDB, 0x37, 0x6B, 0x89, 0x3D,
-	0xC4, 0xE6, 0xC7, 0x4E, 0xBE, 0xA2, 0x5A, 0xCF,
-	0x0D, 0x28, 0xE7, 0xC7, 0xB3, 0x12, 0x99, 0x8D,
-	0xE7, 0x71, 0x93, 0x9D, 0xD1, 0xE3, 0xD6, 0x6B,
-	0xD4, 0x37, 0xC0, 0xD5, 0x7D, 0x8B, 0xEF, 0x33,
-	0xE5, 0x27, 0xBA, 0x04, 0xCF, 0xD0, 0x62, 0x61,
-	0x9C, 0xD0, 0x7E, 0x38, 0xC1, 0xC7, 0xE6, 0x70,
-	0x49, 0x20, 0x71, 0x5C, 0xC6, 0x35, 0x76, 0x15
+	.modulus = { 0xCB, 0xDA, 0x82, 0x8B, 0xB1, 0x9C, 0x9F, 0xCD, 0x0B, 0x6E, 0xBE, 0x65, 0xE6, 0x85, 0x7B, 0x29, 0x85, 0xB1, 0x56, 0x67, 0x16, 0xD8, 0xEB, 0xD1, 0x42, 0x68, 0x50, 0x01, 0x01, 0x04, 0x24, 0x37, 0x73, 0x87, 0x87, 0x9A, 0x92, 0x7D, 0xCD, 0x52, 0xC2, 0x3A, 0xA3, 0x80, 0xB6, 0xE8, 0x50, 0x81, 0x13, 0xE5, 0xEC, 0xDE, 0xDA, 0x5D, 0x38, 0xB3, 0x3D, 0x9B, 0xFA, 0x4A, 0x61, 0x02, 0x00, 0xF1, 0xC2, 0xC8, 0x68, 0x7F, 0x1B, 0xCE, 0x09, 0xDD, 0x04, 0x95, 0x64, 0xBD, 0xA5, 0x9A, 0x22, 0x14, 0x9E, 0x3E, 0xA0, 0x33, 0x73, 0x31, 0xD3, 0x93, 0x60, 0x44, 0xB0, 0x9C, 0x65, 0x01, 0xF8, 0xB8, 0x79, 0xE9, 0x5E, 0x8A, 0x16, 0x0D, 0xC6, 0x3F, 0x1B, 0x7D, 0x5F, 0x3B, 0x7E, 0x64, 0xAA, 0xE1, 0x51, 0x27, 0x38, 0x91, 0x29, 0xB4, 0xB1, 0x13, 0xC1, 0x2C, 0xB7, 0x96, 0x5C, 0x48, 0xE4, 0x89, 0xE8, 0x58, 0xA5, 0x34, 0x86, 0xFE, 0x21, 0x11, 0x76, 0x6E, 0x01, 0x24, 0xCB, 0x5F, 0x83, 0x36, 0x99, 0x87, 0x32, 0xCB, 0xAC, 0xF5, 0x6E, 0x46, 0x4A, 0x6C, 0xD2, 0xCD, 0x65, 0x27, 0x2C, 0xD1, 0x46, 0x30, 0x3F, 0x31, 0xAA, 0x39, 0x9A, 0x44, 0xBE, 0x5E, 0x91, 0x93, 0x51, 0x82, 0xF8, 0x65, 0xF3, 0x66, 0x5D, 0x06, 0x10, 0x7C, 0x9E, 0xE3, 0x8D, 0x91, 0x03, 0xEE, 0x58, 0x54, 0x8B, 0x30, 0x1A, 0x9E, 0x01, 0xDB, 0x37, 0x6B, 0x89, 0x3D, 0xC4, 0xE6, 0xC7, 0x4E, 0xBE, 0xA2, 0x5A, 0xCF, 0x0D, 0x28, 0xE7, 0xC7, 0xB3, 0x12, 0x99, 0x8D, 0xE7, 0x71, 0x93, 0x9D, 0xD1, 0xE3, 0xD6, 0x6B, 0xD4, 0x37, 0xC0, 0xD5, 0x7D, 0x8B, 0xEF, 0x33, 0xE5, 0x27, 0xBA, 0x04, 0xCF, 0xD0, 0x62, 0x61, 0x9C, 0xD0, 0x7E, 0x38, 0xC1, 0xC7, 0xE6, 0x70, 0x49, 0x20, 0x71, 0x5C, 0xC6, 0x35, 0x76, 0x15 },
+	.priv_exponent = {0x53, 0x00, 0x39, 0x3F, 0x1F, 0xA6, 0x21, 0xFA, 0x9E, 0xB9, 0x0C, 0x94, 0xF8, 0xF3, 0x48, 0x5E, 0x73, 0xAC, 0xEC, 0xFD, 0x34, 0x74, 0x46, 0x30, 0x01, 0xD5, 0xEF, 0x1D, 0x39, 0x88, 0xB2, 0x26, 0x51, 0xC7, 0xD1, 0x12, 0xC2, 0xAA, 0xAE, 0x3B, 0x10, 0x12, 0x48, 0x18, 0x54, 0x60, 0xEA, 0xC6, 0x63, 0x8F, 0xAE, 0x8E, 0x5E, 0x62, 0xAE, 0x7F, 0x6C, 0x8A, 0x61, 0xB2, 0x7F, 0x25, 0x0D, 0xB5, 0x62, 0x15, 0xAF, 0x56, 0x71, 0xBF, 0xC6, 0x8C, 0x53, 0x1D, 0x70, 0xD3, 0x36, 0xE6, 0x37, 0x12, 0x26, 0x0C, 0x61, 0xB6, 0x11, 0x25, 0x2C, 0x7C, 0x49, 0x2A, 0x2E, 0xAE, 0xBF, 0x01, 0xBA, 0x7F, 0x82, 0x43, 0xDE, 0xD6, 0x62, 0x7C, 0x61, 0x47, 0xB8, 0xAD, 0xA7, 0x64, 0xD5, 0xE5, 0xAF, 0x1D, 0xE6, 0xA9, 0x0D, 0x83, 0x2D, 0x74, 0x00, 0xD5, 0x86, 0x45, 0xEA, 0xCA, 0x31, 0xF1, 0x0B, 0xFB, 0xCF, 0x92, 0xFF, 0xB9, 0x95, 0x18, 0xB4, 0xBA, 0xAC, 0x49, 0x5B, 0x04, 0x45, 0x39, 0x6A, 0x3E, 0xB9, 0x52, 0xA9, 0x47, 0x18, 0xA4, 0x60, 0x18, 0x3D, 0xFD, 0xE2, 0x43, 0x5E, 0x64, 0x2C, 0x48, 0xC4, 0x65, 0xC5, 0x75, 0x81, 0xB4, 0xC9, 0x12, 0x64, 0x7E, 0x7E, 0x9E, 0x6E, 0x3D, 0xA2, 0x82, 0x47, 0xBD, 0xAB, 0x40, 0x76, 0x5F, 0x39, 0x50, 0x3C, 0x93, 0x3A, 0x0D, 0xD7, 0x00, 0x9B, 0xCA, 0x50, 0x63, 0xDD, 0x1C, 0x86, 0x69, 0xE1, 0x9D, 0xD1, 0xFF, 0x99, 0x03, 0x70, 0x82, 0xCF, 0xE2, 0xBB, 0x70, 0x9E, 0x51, 0xFC, 0x9C, 0x53, 0x3F, 0x3F, 0x45, 0xA7, 0x2F, 0x9D, 0xEC, 0x05, 0x0B, 0xE7, 0x5D, 0x89, 0xD4, 0xC4, 0x2F, 0x50, 0xB6, 0x91, 0xF5, 0x81, 0xA5, 0x83, 0xC7, 0x07, 0x9C, 0x82, 0x64, 0x9C, 0xD7, 0x66, 0x4A, 0x1B, 0x4F, 0x34, 0x7E, 0x3C, 0xFC, 0x6B, 0x73, 0x01, 0x51}
 };
 
 // Certificates
diff --git a/makerom/pki/prod.h b/makerom/pki/prod.h
index 6935a951..bec496be 100644
--- a/makerom/pki/prod.h
+++ b/makerom/pki/prod.h
@@ -27,727 +27,54 @@ static const unsigned char ctr_common_etd_keyY_ppki[6][16] =
 };
 
 // RSA KEYS
-static const unsigned char root_ppki_rsa_pub[0x200] =
+static const CtrRsa4096Key root_dpki_rsa =
 {
-	0xF8, 0x24, 0x6C, 0x58, 0xBA, 0xE7, 0x50, 0x03,
-	0x01, 0xFB, 0xB7, 0xC2, 0xEB, 0xE0, 0x01, 0x05,
-	0x71, 0xDA, 0x92, 0x23, 0x78, 0xF0, 0x51, 0x4E,
-	0xC0, 0x03, 0x1D, 0xD0, 0xD2, 0x1E, 0xD3, 0xD0,
-	0x7E, 0xFC, 0x85, 0x20, 0x69, 0xB5, 0xDE, 0x9B,
-	0xB9, 0x51, 0xA8, 0xBC, 0x90, 0xA2, 0x44, 0x92,
-	0x6D, 0x37, 0x92, 0x95, 0xAE, 0x94, 0x36, 0xAA,
-	0xA6, 0xA3, 0x02, 0x51, 0x0C, 0x7B, 0x1D, 0xED,
-	0xD5, 0xFB, 0x20, 0x86, 0x9D, 0x7F, 0x30, 0x16,
-	0xF6, 0xBE, 0x65, 0xD3, 0x83, 0xA1, 0x6D, 0xB3,
-	0x32, 0x1B, 0x95, 0x35, 0x18, 0x90, 0xB1, 0x70,
-	0x02, 0x93, 0x7E, 0xE1, 0x93, 0xF5, 0x7E, 0x99,
-	0xA2, 0x47, 0x4E, 0x9D, 0x38, 0x24, 0xC7, 0xAE,
-	0xE3, 0x85, 0x41, 0xF5, 0x67, 0xE7, 0x51, 0x8C,
-	0x7A, 0x0E, 0x38, 0xE7, 0xEB, 0xAF, 0x41, 0x19,
-	0x1B, 0xCF, 0xF1, 0x7B, 0x42, 0xA6, 0xB4, 0xED,
-	0xE6, 0xCE, 0x8D, 0xE7, 0x31, 0x8F, 0x7F, 0x52,
-	0x04, 0xB3, 0x99, 0x0E, 0x22, 0x67, 0x45, 0xAF,
-	0xD4, 0x85, 0xB2, 0x44, 0x93, 0x00, 0x8B, 0x08,
-	0xC7, 0xF6, 0xB7, 0xE5, 0x6B, 0x02, 0xB3, 0xE8,
-	0xFE, 0x0C, 0x9D, 0x85, 0x9C, 0xB8, 0xB6, 0x82,
-	0x23, 0xB8, 0xAB, 0x27, 0xEE, 0x5F, 0x65, 0x38,
-	0x07, 0x8B, 0x2D, 0xB9, 0x1E, 0x2A, 0x15, 0x3E,
-	0x85, 0x81, 0x80, 0x72, 0xA2, 0x3B, 0x6D, 0xD9,
-	0x32, 0x81, 0x05, 0x4F, 0x6F, 0xB0, 0xF6, 0xF5,
-	0xAD, 0x28, 0x3E, 0xCA, 0x0B, 0x7A, 0xF3, 0x54,
-	0x55, 0xE0, 0x3D, 0xA7, 0xB6, 0x83, 0x26, 0xF3,
-	0xEC, 0x83, 0x4A, 0xF3, 0x14, 0x04, 0x8A, 0xC6,
-	0xDF, 0x20, 0xD2, 0x85, 0x08, 0x67, 0x3C, 0xAB,
-	0x62, 0xA2, 0xC7, 0xBC, 0x13, 0x1A, 0x53, 0x3E,
-	0x0B, 0x66, 0x80, 0x6B, 0x1C, 0x30, 0x66, 0x4B,
-	0x37, 0x23, 0x31, 0xBD, 0xC4, 0xB0, 0xCA, 0xD8,
-	0xD1, 0x1E, 0xE7, 0xBB, 0xD9, 0x28, 0x55, 0x48,
-	0xAA, 0xEC, 0x1F, 0x66, 0xE8, 0x21, 0xB3, 0xC8,
-	0xA0, 0x47, 0x69, 0x00, 0xC5, 0xE6, 0x88, 0xE8,
-	0x0C, 0xCE, 0x3C, 0x61, 0xD6, 0x9C, 0xBB, 0xA1,
-	0x37, 0xC6, 0x60, 0x4F, 0x7A, 0x72, 0xDD, 0x8C,
-	0x7B, 0x3E, 0x3D, 0x51, 0x29, 0x0D, 0xAA, 0x6A,
-	0x59, 0x7B, 0x08, 0x1F, 0x9D, 0x36, 0x33, 0xA3,
-	0x46, 0x7A, 0x35, 0x61, 0x09, 0xAC, 0xA7, 0xDD,
-	0x7D, 0x2E, 0x2F, 0xB2, 0xC1, 0xAE, 0xB8, 0xE2,
-	0x0F, 0x48, 0x92, 0xD8, 0xB9, 0xF8, 0xB4, 0x6F,
-	0x4E, 0x3C, 0x11, 0xF4, 0xF4, 0x7D, 0x8B, 0x75,
-	0x7D, 0xFE, 0xFE, 0xA3, 0x89, 0x9C, 0x33, 0x59,
-	0x5C, 0x5E, 0xFD, 0xEB, 0xCB, 0xAB, 0xE8, 0x41,
-	0x3E, 0x3A, 0x9A, 0x80, 0x3C, 0x69, 0x35, 0x6E,
-	0xB2, 0xB2, 0xAD, 0x5C, 0xC4, 0xC8, 0x58, 0x45,
-	0x5E, 0xF5, 0xF7, 0xB3, 0x06, 0x44, 0xB4, 0x7C,
-	0x64, 0x06, 0x8C, 0xDF, 0x80, 0x9F, 0x76, 0x02,
-	0x5A, 0x2D, 0xB4, 0x46, 0xE0, 0x3D, 0x7C, 0xF6,
-	0x2F, 0x34, 0xE7, 0x02, 0x45, 0x7B, 0x02, 0xA4,
-	0xCF, 0x5D, 0x9D, 0xD5, 0x3C, 0xA5, 0x3A, 0x7C,
-	0xA6, 0x29, 0x78, 0x8C, 0x67, 0xCA, 0x08, 0xBF,
-	0xEC, 0xCA, 0x43, 0xA9, 0x57, 0xAD, 0x16, 0xC9,
-	0x4E, 0x1C, 0xD8, 0x75, 0xCA, 0x10, 0x7D, 0xCE,
-	0x7E, 0x01, 0x18, 0xF0, 0xDF, 0x6B, 0xFE, 0xE5,
-	0x1D, 0xDB, 0xD9, 0x91, 0xC2, 0x6E, 0x60, 0xCD,
-	0x48, 0x58, 0xAA, 0x59, 0x2C, 0x82, 0x00, 0x75,
-	0xF2, 0x9F, 0x52, 0x6C, 0x91, 0x7C, 0x6F, 0xE5,
-	0x40, 0x3E, 0xA7, 0xD4, 0xA5, 0x0C, 0xEC, 0x3B,
-	0x73, 0x84, 0xDE, 0x88, 0x6E, 0x82, 0xD2, 0xEB,
-	0x4D, 0x4E, 0x42, 0xB5, 0xF2, 0xB1, 0x49, 0xA8,
-	0x1E, 0xA7, 0xCE, 0x71, 0x44, 0xDC, 0x29, 0x94,
-	0xCF, 0xC4, 0x4E, 0x1F, 0x91, 0xCB, 0xD4, 0x95
+	.modulus = { 0xF8, 0x24, 0x6C, 0x58, 0xBA, 0xE7, 0x50, 0x03, 0x01, 0xFB, 0xB7, 0xC2, 0xEB, 0xE0, 0x01, 0x05, 0x71, 0xDA, 0x92, 0x23, 0x78, 0xF0, 0x51, 0x4E, 0xC0, 0x03, 0x1D, 0xD0, 0xD2, 0x1E, 0xD3, 0xD0, 0x7E, 0xFC, 0x85, 0x20, 0x69, 0xB5, 0xDE, 0x9B, 0xB9, 0x51, 0xA8, 0xBC, 0x90, 0xA2, 0x44, 0x92, 0x6D, 0x37, 0x92, 0x95, 0xAE, 0x94, 0x36, 0xAA, 0xA6, 0xA3, 0x02, 0x51, 0x0C, 0x7B, 0x1D, 0xED, 0xD5, 0xFB, 0x20, 0x86, 0x9D, 0x7F, 0x30, 0x16, 0xF6, 0xBE, 0x65, 0xD3, 0x83, 0xA1, 0x6D, 0xB3, 0x32, 0x1B, 0x95, 0x35, 0x18, 0x90, 0xB1, 0x70, 0x02, 0x93, 0x7E, 0xE1, 0x93, 0xF5, 0x7E, 0x99, 0xA2, 0x47, 0x4E, 0x9D, 0x38, 0x24, 0xC7, 0xAE, 0xE3, 0x85, 0x41, 0xF5, 0x67, 0xE7, 0x51, 0x8C, 0x7A, 0x0E, 0x38, 0xE7, 0xEB, 0xAF, 0x41, 0x19, 0x1B, 0xCF, 0xF1, 0x7B, 0x42, 0xA6, 0xB4, 0xED, 0xE6, 0xCE, 0x8D, 0xE7, 0x31, 0x8F, 0x7F, 0x52, 0x04, 0xB3, 0x99, 0x0E, 0x22, 0x67, 0x45, 0xAF, 0xD4, 0x85, 0xB2, 0x44, 0x93, 0x00, 0x8B, 0x08, 0xC7, 0xF6, 0xB7, 0xE5, 0x6B, 0x02, 0xB3, 0xE8, 0xFE, 0x0C, 0x9D, 0x85, 0x9C, 0xB8, 0xB6, 0x82, 0x23, 0xB8, 0xAB, 0x27, 0xEE, 0x5F, 0x65, 0x38, 0x07, 0x8B, 0x2D, 0xB9, 0x1E, 0x2A, 0x15, 0x3E, 0x85, 0x81, 0x80, 0x72, 0xA2, 0x3B, 0x6D, 0xD9, 0x32, 0x81, 0x05, 0x4F, 0x6F, 0xB0, 0xF6, 0xF5, 0xAD, 0x28, 0x3E, 0xCA, 0x0B, 0x7A, 0xF3, 0x54, 0x55, 0xE0, 0x3D, 0xA7, 0xB6, 0x83, 0x26, 0xF3, 0xEC, 0x83, 0x4A, 0xF3, 0x14, 0x04, 0x8A, 0xC6, 0xDF, 0x20, 0xD2, 0x85, 0x08, 0x67, 0x3C, 0xAB, 0x62, 0xA2, 0xC7, 0xBC, 0x13, 0x1A, 0x53, 0x3E, 0x0B, 0x66, 0x80, 0x6B, 0x1C, 0x30, 0x66, 0x4B, 0x37, 0x23, 0x31, 0xBD, 0xC4, 0xB0, 0xCA, 0xD8, 0xD1, 0x1E, 0xE7, 0xBB, 0xD9, 0x28, 0x55, 0x48, 0xAA, 0xEC, 0x1F, 0x66, 0xE8, 0x21, 0xB3, 0xC8, 0xA0, 0x47, 0x69, 0x00, 0xC5, 0xE6, 0x88, 0xE8, 0x0C, 0xCE, 0x3C, 0x61, 0xD6, 0x9C, 0xBB, 0xA1, 0x37, 0xC6, 0x60, 0x4F, 0x7A, 0x72, 0xDD, 0x8C, 0x7B, 0x3E, 0x3D, 0x51, 0x29, 0x0D, 0xAA, 0x6A, 0x59, 0x7B, 0x08, 0x1F, 0x9D, 0x36, 0x33, 0xA3, 0x46, 0x7A, 0x35, 0x61, 0x09, 0xAC, 0xA7, 0xDD, 0x7D, 0x2E, 0x2F, 0xB2, 0xC1, 0xAE, 0xB8, 0xE2, 0x0F, 0x48, 0x92, 0xD8, 0xB9, 0xF8, 0xB4, 0x6F, 0x4E, 0x3C, 0x11, 0xF4, 0xF4, 0x7D, 0x8B, 0x75, 0x7D, 0xFE, 0xFE, 0xA3, 0x89, 0x9C, 0x33, 0x59, 0x5C, 0x5E, 0xFD, 0xEB, 0xCB, 0xAB, 0xE8, 0x41, 0x3E, 0x3A, 0x9A, 0x80, 0x3C, 0x69, 0x35, 0x6E, 0xB2, 0xB2, 0xAD, 0x5C, 0xC4, 0xC8, 0x58, 0x45, 0x5E, 0xF5, 0xF7, 0xB3, 0x06, 0x44, 0xB4, 0x7C, 0x64, 0x06, 0x8C, 0xDF, 0x80, 0x9F, 0x76, 0x02, 0x5A, 0x2D, 0xB4, 0x46, 0xE0, 0x3D, 0x7C, 0xF6, 0x2F, 0x34, 0xE7, 0x02, 0x45, 0x7B, 0x02, 0xA4, 0xCF, 0x5D, 0x9D, 0xD5, 0x3C, 0xA5, 0x3A, 0x7C, 0xA6, 0x29, 0x78, 0x8C, 0x67, 0xCA, 0x08, 0xBF, 0xEC, 0xCA, 0x43, 0xA9, 0x57, 0xAD, 0x16, 0xC9, 0x4E, 0x1C, 0xD8, 0x75, 0xCA, 0x10, 0x7D, 0xCE, 0x7E, 0x01, 0x18, 0xF0, 0xDF, 0x6B, 0xFE, 0xE5, 0x1D, 0xDB, 0xD9, 0x91, 0xC2, 0x6E, 0x60, 0xCD, 0x48, 0x58, 0xAA, 0x59, 0x2C, 0x82, 0x00, 0x75, 0xF2, 0x9F, 0x52, 0x6C, 0x91, 0x7C, 0x6F, 0xE5, 0x40, 0x3E, 0xA7, 0xD4, 0xA5, 0x0C, 0xEC, 0x3B, 0x73, 0x84, 0xDE, 0x88, 0x6E, 0x82, 0xD2, 0xEB, 0x4D, 0x4E, 0x42, 0xB5, 0xF2, 0xB1, 0x49, 0xA8, 0x1E, 0xA7, 0xCE, 0x71, 0x44, 0xDC, 0x29, 0x94, 0xCF, 0xC4, 0x4E, 0x1F, 0x91, 0xCB, 0xD4, 0x95 },
+	.priv_exponent = { 0 }
 };
 
-static const unsigned char cpB_ppki_rsa_priv[256] =
+static const CtrRsa2048Key cpB_ppki_rsa =
 {
-    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	.modulus = { 0xA6, 0x89, 0xC5, 0x90, 0xFD, 0x0B, 0x2F, 0x0D, 0x4F, 0x56, 0xB6, 0x32, 0xFB, 0x93, 0x4E, 0xD0, 0x73, 0x95, 0x17, 0xB3, 0x3A, 0x79, 0xDE, 0x04, 0x0E, 0xE9, 0x2D, 0xC3, 0x1D, 0x37, 0xC7, 0xF7, 0x3B, 0xF0, 0x4B, 0xD3, 0xE4, 0x4E, 0x20, 0xAB, 0x5A, 0x6F, 0xEA, 0xF5, 0x98, 0x4C, 0xC1, 0xF6, 0x06, 0x2E, 0x9A, 0x9F, 0xE5, 0x6C, 0x32, 0x85, 0xDC, 0x6F, 0x25, 0xDD, 0xD5, 0xD0, 0xBF, 0x9F, 0xE2, 0xEF, 0xE8, 0x35, 0xDF, 0x26, 0x34, 0xED, 0x93, 0x7F, 0xAB, 0x02, 0x14, 0xD1, 0x04, 0x80, 0x9C, 0xF7, 0x4B, 0x86, 0x0E, 0x6B, 0x04, 0x83, 0xF4, 0xCD, 0x2D, 0xAB, 0x2A, 0x96, 0x02, 0xBC, 0x56, 0xF0, 0xD6, 0xBD, 0x94, 0x6A, 0xED, 0x6E, 0x0B, 0xE4, 0xF0, 0x8F, 0x26, 0x68, 0x6B, 0xD0, 0x9E, 0xF7, 0xDB, 0x32, 0x5F, 0x82, 0xB1, 0x8F, 0x6A, 0xF2, 0xED, 0x52, 0x5B, 0xFD, 0x82, 0x8B, 0x65, 0x3F, 0xEE, 0x6E, 0xCE, 0x40, 0x0D, 0x5A, 0x48, 0xFF, 0xE2, 0x2D, 0x53, 0x8B, 0xB5, 0x33, 0x5B, 0x41, 0x53, 0x34, 0x2D, 0x43, 0x35, 0xAC, 0xF5, 0x90, 0xD0, 0xD3, 0x0A, 0xE2, 0x04, 0x3C, 0x7F, 0x5A, 0xD2, 0x14, 0xFC, 0x9C, 0x0F, 0xE6, 0xFA, 0x40, 0xA5, 0xC8, 0x65, 0x06, 0xCA, 0x63, 0x69, 0xBC, 0xEE, 0x44, 0xA3, 0x2D, 0x9E, 0x69, 0x5C, 0xF0, 0x0B, 0x4F, 0xD7, 0x9A, 0xDB, 0x56, 0x8D, 0x14, 0x9C, 0x20, 0x28, 0xA1, 0x4C, 0x9D, 0x71, 0xB8, 0x50, 0xCA, 0x36, 0x5B, 0x37, 0xF7, 0x0B, 0x65, 0x77, 0x91, 0xFC, 0x5D, 0x72, 0x8C, 0x4E, 0x18, 0xFD, 0x22, 0x55, 0x7C, 0x40, 0x62, 0xD7, 0x47, 0x71, 0x53, 0x3C, 0x70, 0x17, 0x9D, 0x3D, 0xAE, 0x8F, 0x92, 0xB1, 0x17, 0xE4, 0x5C, 0xB3, 0x32, 0xF3, 0xB3, 0xC2, 0xA2, 0x2E, 0x70, 0x5C, 0xFE, 0xC6, 0x6F, 0x6D, 0xA3, 0x77, 0x2B },
+	.priv_exponent = { 0 }
 };
 
-static const unsigned char cpB_ppki_rsa_pub[256] =
+static const CtrRsa2048Key xsC_ppki_rsa =
 {
-	0xA6, 0x89, 0xC5, 0x90, 0xFD, 0x0B, 0x2F, 0x0D,
-	0x4F, 0x56, 0xB6, 0x32, 0xFB, 0x93, 0x4E, 0xD0,
-	0x73, 0x95, 0x17, 0xB3, 0x3A, 0x79, 0xDE, 0x04,
-	0x0E, 0xE9, 0x2D, 0xC3, 0x1D, 0x37, 0xC7, 0xF7,
-	0x3B, 0xF0, 0x4B, 0xD3, 0xE4, 0x4E, 0x20, 0xAB,
-	0x5A, 0x6F, 0xEA, 0xF5, 0x98, 0x4C, 0xC1, 0xF6,
-	0x06, 0x2E, 0x9A, 0x9F, 0xE5, 0x6C, 0x32, 0x85,
-	0xDC, 0x6F, 0x25, 0xDD, 0xD5, 0xD0, 0xBF, 0x9F,
-	0xE2, 0xEF, 0xE8, 0x35, 0xDF, 0x26, 0x34, 0xED,
-	0x93, 0x7F, 0xAB, 0x02, 0x14, 0xD1, 0x04, 0x80,
-	0x9C, 0xF7, 0x4B, 0x86, 0x0E, 0x6B, 0x04, 0x83,
-	0xF4, 0xCD, 0x2D, 0xAB, 0x2A, 0x96, 0x02, 0xBC,
-	0x56, 0xF0, 0xD6, 0xBD, 0x94, 0x6A, 0xED, 0x6E,
-	0x0B, 0xE4, 0xF0, 0x8F, 0x26, 0x68, 0x6B, 0xD0,
-	0x9E, 0xF7, 0xDB, 0x32, 0x5F, 0x82, 0xB1, 0x8F,
-	0x6A, 0xF2, 0xED, 0x52, 0x5B, 0xFD, 0x82, 0x8B,
-	0x65, 0x3F, 0xEE, 0x6E, 0xCE, 0x40, 0x0D, 0x5A,
-	0x48, 0xFF, 0xE2, 0x2D, 0x53, 0x8B, 0xB5, 0x33,
-	0x5B, 0x41, 0x53, 0x34, 0x2D, 0x43, 0x35, 0xAC,
-	0xF5, 0x90, 0xD0, 0xD3, 0x0A, 0xE2, 0x04, 0x3C,
-	0x7F, 0x5A, 0xD2, 0x14, 0xFC, 0x9C, 0x0F, 0xE6,
-	0xFA, 0x40, 0xA5, 0xC8, 0x65, 0x06, 0xCA, 0x63,
-	0x69, 0xBC, 0xEE, 0x44, 0xA3, 0x2D, 0x9E, 0x69,
-	0x5C, 0xF0, 0x0B, 0x4F, 0xD7, 0x9A, 0xDB, 0x56,
-	0x8D, 0x14, 0x9C, 0x20, 0x28, 0xA1, 0x4C, 0x9D,
-	0x71, 0xB8, 0x50, 0xCA, 0x36, 0x5B, 0x37, 0xF7,
-	0x0B, 0x65, 0x77, 0x91, 0xFC, 0x5D, 0x72, 0x8C,
-	0x4E, 0x18, 0xFD, 0x22, 0x55, 0x7C, 0x40, 0x62,
-	0xD7, 0x47, 0x71, 0x53, 0x3C, 0x70, 0x17, 0x9D,
-	0x3D, 0xAE, 0x8F, 0x92, 0xB1, 0x17, 0xE4, 0x5C,
-	0xB3, 0x32, 0xF3, 0xB3, 0xC2, 0xA2, 0x2E, 0x70,
-	0x5C, 0xFE, 0xC6, 0x6F, 0x6D, 0xA3, 0x77, 0x2B
+	.modulus = { 0xAD, 0x50, 0x5B, 0xB6, 0xC6, 0x7E, 0x2E, 0x5B, 0xDD, 0x6A, 0x3B, 0xEC, 0x43, 0xD9, 0x10, 0xC7, 0x72, 0xE9, 0xCC, 0x29, 0x0D, 0xA5, 0x85, 0x88, 0xB7, 0x7D, 0xCC, 0x11, 0x68, 0x0B, 0xB3, 0xE2, 0x9F, 0x4E, 0xAB, 0xBB, 0x26, 0xE9, 0x8C, 0x26, 0x01, 0x98, 0x5C, 0x04, 0x1B, 0xB1, 0x43, 0x78, 0xE6, 0x89, 0x18, 0x1A, 0xAD, 0x77, 0x05, 0x68, 0xE9, 0x28, 0xA2, 0xB9, 0x81, 0x67, 0xEE, 0x3E, 0x10, 0xD0, 0x72, 0xBE, 0xEF, 0x1F, 0xA2, 0x2F, 0xA2, 0xAA, 0x3E, 0x13, 0xF1, 0x1E, 0x18, 0x36, 0xA9, 0x2A, 0x42, 0x81, 0xEF, 0x70, 0xAA, 0xF4, 0xE4, 0x62, 0x99, 0x82, 0x21, 0xC6, 0xFB, 0xB9, 0xBD, 0xD0, 0x17, 0xE6, 0xAC, 0x59, 0x04, 0x94, 0xE9, 0xCE, 0xA9, 0x85, 0x9C, 0xEB, 0x2D, 0x2A, 0x4C, 0x17, 0x66, 0xF2, 0xC3, 0x39, 0x12, 0xC5, 0x8F, 0x14, 0xA8, 0x03, 0xE3, 0x6F, 0xCC, 0xDC, 0xCC, 0xDC, 0x13, 0xFD, 0x7A, 0xE7, 0x7C, 0x7A, 0x78, 0xD9, 0x97, 0xE6, 0xAC, 0xC3, 0x55, 0x57, 0xE0, 0xD3, 0xE9, 0xEB, 0x64, 0xB4, 0x3C, 0x92, 0xF4, 0xC5, 0x0D, 0x67, 0xA6, 0x02, 0xDE, 0xB3, 0x91, 0xB0, 0x66, 0x61, 0xCD, 0x32, 0x88, 0x0B, 0xD6, 0x49, 0x12, 0xAF, 0x1C, 0xBC, 0xB7, 0x16, 0x2A, 0x06, 0xF0, 0x25, 0x65, 0xD3, 0xB0, 0xEC, 0xE4, 0xFC, 0xEC, 0xDD, 0xAE, 0x8A, 0x49, 0x34, 0xDB, 0x8E, 0xE6, 0x7F, 0x30, 0x17, 0x98, 0x62, 0x21, 0x15, 0x5D, 0x13, 0x1C, 0x6C, 0x3F, 0x09, 0xAB, 0x19, 0x45, 0xC2, 0x06, 0xAC, 0x70, 0xC9, 0x42, 0xB3, 0x6F, 0x49, 0xA1, 0x18, 0x3B, 0xCD, 0x78, 0xB6, 0xE4, 0xB4, 0x7C, 0x6C, 0x5C, 0xAC, 0x0F, 0x8D, 0x62, 0xF8, 0x97, 0xC6, 0x95, 0x3D, 0xD1, 0x2F, 0x28, 0xB7, 0x0C, 0x5B, 0x7D, 0xF7, 0x51, 0x81, 0x9A, 0x98, 0x34, 0x65, 0x26, 0x25 },
+	.priv_exponent = { 0 }
 };
 
-static const unsigned char xsC_ppki_rsa_priv[256] =
+static const CtrRsa2048Key prod_ncsd_cfa_rsa =
 {
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	.modulus = { 0xFB, 0xDE, 0xB8, 0x2B, 0x40, 0x93, 0x0F, 0xF6, 0xB1, 0x9A, 0x08, 0x06, 0x1B, 0x86, 0xFE, 0xD0, 0xDF, 0x10, 0x79, 0x17, 0x3D, 0x8C, 0xE2, 0x7A, 0xCE, 0x8F, 0x23, 0x45, 0xB9, 0x0A, 0x6D, 0xED, 0x30, 0x0E, 0xC1, 0xA8, 0x92, 0xC4, 0xBD, 0x1A, 0xCE, 0xA7, 0xAC, 0x77, 0xAA, 0x47, 0xE5, 0x20, 0x4A, 0x44, 0x91, 0xDF, 0x1C, 0xFE, 0x86, 0x28, 0x12, 0x2D, 0x66, 0xDF, 0xBE, 0xAD, 0x96, 0x61, 0xED, 0xF2, 0xF7, 0x41, 0x7B, 0x57, 0x88, 0x6B, 0x24, 0x1E, 0x7D, 0xEC, 0xBE, 0x98, 0x65, 0x65, 0x36, 0x65, 0x99, 0xA9, 0xFE, 0x24, 0x67, 0x85, 0x99, 0xEE, 0x2A, 0xAE, 0xEE, 0xB1, 0x81, 0x1A, 0x22, 0xE3, 0x6D, 0x75, 0x6E, 0x21, 0xBC, 0xEF, 0x11, 0x5C, 0x61, 0xAF, 0x0C, 0x30, 0x00, 0xB6, 0xA2, 0x23, 0xED, 0xFE, 0x70, 0x15, 0xDA, 0x52, 0xE1, 0xE6, 0x2D, 0xCE, 0x34, 0xE8, 0xAA, 0x4C, 0xF1, 0xD6, 0x67, 0x56, 0x57, 0xD3, 0xDB, 0xC0, 0x90, 0x49, 0x6F, 0x45, 0x73, 0x93, 0x4E, 0x30, 0x30, 0x70, 0xF5, 0xC9, 0x8F, 0x31, 0x25, 0xF2, 0xC2, 0xE7, 0x33, 0x7F, 0x4E, 0xB6, 0xF5, 0x2A, 0xDF, 0x20, 0x00, 0xE5, 0x79, 0xB2, 0xD0, 0xF9, 0x17, 0xF7, 0x7E, 0x16, 0x90, 0x40, 0x00, 0x57, 0x91, 0x44, 0x78, 0xEF, 0x1C, 0xE0, 0x85, 0x09, 0xDA, 0xF4, 0x14, 0x7E, 0x4B, 0xD7, 0x35, 0xD6, 0x87, 0x54, 0x8F, 0x2A, 0xB5, 0xA7, 0x6F, 0x50, 0xD0, 0xF7, 0xD1, 0xF1, 0x19, 0xC9, 0xAC, 0x22, 0x7E, 0x05, 0x11, 0xF5, 0xF2, 0x6D, 0xEE, 0x92, 0x27, 0x57, 0x5F, 0xE5, 0x15, 0x0D, 0x27, 0x68, 0xBF, 0x52, 0x65, 0x74, 0x73, 0xA6, 0x58, 0x6D, 0x79, 0x18, 0xAC, 0x31, 0xDD, 0xDD, 0x80, 0x8B, 0x75, 0x24, 0xE1, 0x17, 0xE1, 0x95, 0x25, 0x16, 0x29, 0xAB, 0x69, 0x69, 0xC8, 0x28, 0xEE, 0x5D },
+	.priv_exponent = { 0 }
 };
 
-static const unsigned char xsC_ppki_rsa_pub[256] =
+static const CtrRsa2048Key prod_accessdesc_rsa =
 {
-	0xAD, 0x50, 0x5B, 0xB6, 0xC6, 0x7E, 0x2E, 0x5B,
-	0xDD, 0x6A, 0x3B, 0xEC, 0x43, 0xD9, 0x10, 0xC7,
-	0x72, 0xE9, 0xCC, 0x29, 0x0D, 0xA5, 0x85, 0x88,
-	0xB7, 0x7D, 0xCC, 0x11, 0x68, 0x0B, 0xB3, 0xE2,
-	0x9F, 0x4E, 0xAB, 0xBB, 0x26, 0xE9, 0x8C, 0x26,
-	0x01, 0x98, 0x5C, 0x04, 0x1B, 0xB1, 0x43, 0x78,
-	0xE6, 0x89, 0x18, 0x1A, 0xAD, 0x77, 0x05, 0x68,
-	0xE9, 0x28, 0xA2, 0xB9, 0x81, 0x67, 0xEE, 0x3E,
-	0x10, 0xD0, 0x72, 0xBE, 0xEF, 0x1F, 0xA2, 0x2F,
-	0xA2, 0xAA, 0x3E, 0x13, 0xF1, 0x1E, 0x18, 0x36,
-	0xA9, 0x2A, 0x42, 0x81, 0xEF, 0x70, 0xAA, 0xF4,
-	0xE4, 0x62, 0x99, 0x82, 0x21, 0xC6, 0xFB, 0xB9,
-	0xBD, 0xD0, 0x17, 0xE6, 0xAC, 0x59, 0x04, 0x94,
-	0xE9, 0xCE, 0xA9, 0x85, 0x9C, 0xEB, 0x2D, 0x2A,
-	0x4C, 0x17, 0x66, 0xF2, 0xC3, 0x39, 0x12, 0xC5,
-	0x8F, 0x14, 0xA8, 0x03, 0xE3, 0x6F, 0xCC, 0xDC,
-	0xCC, 0xDC, 0x13, 0xFD, 0x7A, 0xE7, 0x7C, 0x7A,
-	0x78, 0xD9, 0x97, 0xE6, 0xAC, 0xC3, 0x55, 0x57,
-	0xE0, 0xD3, 0xE9, 0xEB, 0x64, 0xB4, 0x3C, 0x92,
-	0xF4, 0xC5, 0x0D, 0x67, 0xA6, 0x02, 0xDE, 0xB3,
-	0x91, 0xB0, 0x66, 0x61, 0xCD, 0x32, 0x88, 0x0B,
-	0xD6, 0x49, 0x12, 0xAF, 0x1C, 0xBC, 0xB7, 0x16,
-	0x2A, 0x06, 0xF0, 0x25, 0x65, 0xD3, 0xB0, 0xEC,
-	0xE4, 0xFC, 0xEC, 0xDD, 0xAE, 0x8A, 0x49, 0x34,
-	0xDB, 0x8E, 0xE6, 0x7F, 0x30, 0x17, 0x98, 0x62,
-	0x21, 0x15, 0x5D, 0x13, 0x1C, 0x6C, 0x3F, 0x09,
-	0xAB, 0x19, 0x45, 0xC2, 0x06, 0xAC, 0x70, 0xC9,
-	0x42, 0xB3, 0x6F, 0x49, 0xA1, 0x18, 0x3B, 0xCD,
-	0x78, 0xB6, 0xE4, 0xB4, 0x7C, 0x6C, 0x5C, 0xAC,
-	0x0F, 0x8D, 0x62, 0xF8, 0x97, 0xC6, 0x95, 0x3D,
-	0xD1, 0x2F, 0x28, 0xB7, 0x0C, 0x5B, 0x7D, 0xF7,
-	0x51, 0x81, 0x9A, 0x98, 0x34, 0x65, 0x26, 0x25
+	.modulus = { 0xB1, 0xE3, 0xE3, 0x5F, 0x01, 0x39, 0x80, 0xD1, 0x56, 0x78, 0x9D, 0xB7, 0x06, 0xF7, 0x1D, 0xBF, 0x3E, 0x22, 0x76, 0xED, 0xF9, 0x5D, 0xA2, 0x36, 0xB6, 0x30, 0x61, 0x05, 0x96, 0xD3, 0x00, 0xB9, 0xED, 0xF1, 0xD7, 0xE0, 0x1D, 0xA0, 0x4F, 0xB7, 0xCF, 0x5A, 0x19, 0x87, 0x75, 0x49, 0x88, 0x40, 0xED, 0xE3, 0x6F, 0x7C, 0x90, 0x4A, 0x64, 0x45, 0x98, 0xD7, 0x04, 0xB9, 0x5A, 0x6B, 0x45, 0xAA, 0x7E, 0x94, 0xC0, 0xB3, 0xB7, 0xDB, 0x7B, 0x66, 0x59, 0x20, 0xB7, 0x08, 0xE2, 0xF3, 0x83, 0xA3, 0x7F, 0xE3, 0x20, 0x21, 0xA0, 0xEB, 0xB7, 0x28, 0x0F, 0xF3, 0x2B, 0x15, 0xA4, 0xC9, 0xD0, 0xAB, 0x89, 0x39, 0x99, 0x7E, 0x76, 0x5F, 0x9E, 0x4D, 0x1E, 0x01, 0x22, 0x8D, 0x74, 0xA6, 0xEB, 0x9A, 0xA3, 0x9D, 0x45, 0xE5, 0x10, 0x61, 0x6E, 0x20, 0xFD, 0x23, 0x75, 0xC0, 0xC5, 0x05, 0x03, 0xC5, 0x4C, 0x02, 0x4F, 0x54, 0x4B, 0x57, 0x08, 0xB4, 0x46, 0xC3, 0x2C, 0xF1, 0xF9, 0x52, 0x6C, 0xCD, 0x14, 0x55, 0xA8, 0x55, 0x92, 0x6D, 0xE2, 0x4A, 0x41, 0x46, 0xEB, 0x08, 0xC5, 0xF3, 0xB4, 0x8D, 0x0D, 0x5E, 0x21, 0xEA, 0xAF, 0x4D, 0x27, 0x4D, 0xDE, 0x77, 0x93, 0x97, 0xE2, 0xC7, 0x6B, 0x66, 0x1F, 0xDB, 0x2D, 0x6E, 0xA9, 0x5F, 0x61, 0x14, 0x17, 0x7B, 0x2B, 0x66, 0x5A, 0xB5, 0x01, 0x89, 0xF2, 0x23, 0x75, 0x25, 0x25, 0x9C, 0x86, 0x9A, 0x89, 0xFF, 0x64, 0x1D, 0x5B, 0xCE, 0xD7, 0x7E, 0x3F, 0x2D, 0xA8, 0xDA, 0xB5, 0x5A, 0xC5, 0x5F, 0x59, 0x20, 0xB0, 0xED, 0x1C, 0x91, 0xFF, 0xA3, 0x27, 0xB8, 0x8E, 0xCF, 0x82, 0x15, 0xE5, 0x49, 0xEF, 0xE4, 0x58, 0xE1, 0x5F, 0x8F, 0x53, 0xB9, 0x33, 0x2A, 0x56, 0x24, 0xAA, 0xA1, 0xD3, 0x6E, 0x47, 0x1A, 0x63, 0x44, 0x19, 0xB3, 0x8E, 0xA5 },
+	.priv_exponent = { 0 }
 };
 
-static const unsigned char prod_acex_pub[0x100] =
+static const CtrRsa2048Key prod_firm_rsa =
 {
-	0xB1, 0xE3, 0xE3, 0x5F, 0x01, 0x39, 0x80, 0xD1,
-	0x56, 0x78, 0x9D, 0xB7, 0x06, 0xF7, 0x1D, 0xBF,
-	0x3E, 0x22, 0x76, 0xED, 0xF9, 0x5D, 0xA2, 0x36,
-	0xB6, 0x30, 0x61, 0x05, 0x96, 0xD3, 0x00, 0xB9,
-	0xED, 0xF1, 0xD7, 0xE0, 0x1D, 0xA0, 0x4F, 0xB7,
-	0xCF, 0x5A, 0x19, 0x87, 0x75, 0x49, 0x88, 0x40,
-	0xED, 0xE3, 0x6F, 0x7C, 0x90, 0x4A, 0x64, 0x45,
-	0x98, 0xD7, 0x04, 0xB9, 0x5A, 0x6B, 0x45, 0xAA,
-	0x7E, 0x94, 0xC0, 0xB3, 0xB7, 0xDB, 0x7B, 0x66,
-	0x59, 0x20, 0xB7, 0x08, 0xE2, 0xF3, 0x83, 0xA3,
-	0x7F, 0xE3, 0x20, 0x21, 0xA0, 0xEB, 0xB7, 0x28,
-	0x0F, 0xF3, 0x2B, 0x15, 0xA4, 0xC9, 0xD0, 0xAB,
-	0x89, 0x39, 0x99, 0x7E, 0x76, 0x5F, 0x9E, 0x4D,
-	0x1E, 0x01, 0x22, 0x8D, 0x74, 0xA6, 0xEB, 0x9A,
-	0xA3, 0x9D, 0x45, 0xE5, 0x10, 0x61, 0x6E, 0x20,
-	0xFD, 0x23, 0x75, 0xC0, 0xC5, 0x05, 0x03, 0xC5,
-	0x4C, 0x02, 0x4F, 0x54, 0x4B, 0x57, 0x08, 0xB4,
-	0x46, 0xC3, 0x2C, 0xF1, 0xF9, 0x52, 0x6C, 0xCD,
-	0x14, 0x55, 0xA8, 0x55, 0x92, 0x6D, 0xE2, 0x4A,
-	0x41, 0x46, 0xEB, 0x08, 0xC5, 0xF3, 0xB4, 0x8D,
-	0x0D, 0x5E, 0x21, 0xEA, 0xAF, 0x4D, 0x27, 0x4D,
-	0xDE, 0x77, 0x93, 0x97, 0xE2, 0xC7, 0x6B, 0x66,
-	0x1F, 0xDB, 0x2D, 0x6E, 0xA9, 0x5F, 0x61, 0x14,
-	0x17, 0x7B, 0x2B, 0x66, 0x5A, 0xB5, 0x01, 0x89,
-	0xF2, 0x23, 0x75, 0x25, 0x25, 0x9C, 0x86, 0x9A,
-	0x89, 0xFF, 0x64, 0x1D, 0x5B, 0xCE, 0xD7, 0x7E,
-	0x3F, 0x2D, 0xA8, 0xDA, 0xB5, 0x5A, 0xC5, 0x5F,
-	0x59, 0x20, 0xB0, 0xED, 0x1C, 0x91, 0xFF, 0xA3,
-	0x27, 0xB8, 0x8E, 0xCF, 0x82, 0x15, 0xE5, 0x49,
-	0xEF, 0xE4, 0x58, 0xE1, 0x5F, 0x8F, 0x53, 0xB9,
-	0x33, 0x2A, 0x56, 0x24, 0xAA, 0xA1, 0xD3, 0x6E,
-	0x47, 0x1A, 0x63, 0x44, 0x19, 0xB3, 0x8E, 0xA5
-};
-
-static const unsigned char prod_acex_priv[256] =
-{
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-static const unsigned char prod_ncsd_cfa_pub[0x100] =
-{
-	0xFB, 0xDE, 0xB8, 0x2B, 0x40, 0x93, 0x0F, 0xF6,
-	0xB1, 0x9A, 0x08, 0x06, 0x1B, 0x86, 0xFE, 0xD0,
-	0xDF, 0x10, 0x79, 0x17, 0x3D, 0x8C, 0xE2, 0x7A,
-	0xCE, 0x8F, 0x23, 0x45, 0xB9, 0x0A, 0x6D, 0xED,
-	0x30, 0x0E, 0xC1, 0xA8, 0x92, 0xC4, 0xBD, 0x1A,
-	0xCE, 0xA7, 0xAC, 0x77, 0xAA, 0x47, 0xE5, 0x20,
-	0x4A, 0x44, 0x91, 0xDF, 0x1C, 0xFE, 0x86, 0x28,
-	0x12, 0x2D, 0x66, 0xDF, 0xBE, 0xAD, 0x96, 0x61,
-	0xED, 0xF2, 0xF7, 0x41, 0x7B, 0x57, 0x88, 0x6B,
-	0x24, 0x1E, 0x7D, 0xEC, 0xBE, 0x98, 0x65, 0x65,
-	0x36, 0x65, 0x99, 0xA9, 0xFE, 0x24, 0x67, 0x85,
-	0x99, 0xEE, 0x2A, 0xAE, 0xEE, 0xB1, 0x81, 0x1A,
-	0x22, 0xE3, 0x6D, 0x75, 0x6E, 0x21, 0xBC, 0xEF,
-	0x11, 0x5C, 0x61, 0xAF, 0x0C, 0x30, 0x00, 0xB6,
-	0xA2, 0x23, 0xED, 0xFE, 0x70, 0x15, 0xDA, 0x52,
-	0xE1, 0xE6, 0x2D, 0xCE, 0x34, 0xE8, 0xAA, 0x4C,
-	0xF1, 0xD6, 0x67, 0x56, 0x57, 0xD3, 0xDB, 0xC0,
-	0x90, 0x49, 0x6F, 0x45, 0x73, 0x93, 0x4E, 0x30,
-	0x30, 0x70, 0xF5, 0xC9, 0x8F, 0x31, 0x25, 0xF2,
-	0xC2, 0xE7, 0x33, 0x7F, 0x4E, 0xB6, 0xF5, 0x2A,
-	0xDF, 0x20, 0x00, 0xE5, 0x79, 0xB2, 0xD0, 0xF9,
-	0x17, 0xF7, 0x7E, 0x16, 0x90, 0x40, 0x00, 0x57,
-	0x91, 0x44, 0x78, 0xEF, 0x1C, 0xE0, 0x85, 0x09,
-	0xDA, 0xF4, 0x14, 0x7E, 0x4B, 0xD7, 0x35, 0xD6,
-	0x87, 0x54, 0x8F, 0x2A, 0xB5, 0xA7, 0x6F, 0x50,
-	0xD0, 0xF7, 0xD1, 0xF1, 0x19, 0xC9, 0xAC, 0x22,
-	0x7E, 0x05, 0x11, 0xF5, 0xF2, 0x6D, 0xEE, 0x92,
-	0x27, 0x57, 0x5F, 0xE5, 0x15, 0x0D, 0x27, 0x68,
-	0xBF, 0x52, 0x65, 0x74, 0x73, 0xA6, 0x58, 0x6D,
-	0x79, 0x18, 0xAC, 0x31, 0xDD, 0xDD, 0x80, 0x8B,
-	0x75, 0x24, 0xE1, 0x17, 0xE1, 0x95, 0x25, 0x16,
-	0x29, 0xAB, 0x69, 0x69, 0xC8, 0x28, 0xEE, 0x5D
-};
-
-static const unsigned char prod_ncsd_cfa_priv[256] =
-{
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-static const unsigned char prod_firm_pub[0x100] =
-{
-	0xDE, 0xCF, 0xB6, 0xFC, 0x3D, 0x33, 0xE9, 0x55,
-	0xFD, 0xAC, 0x90, 0xE8, 0x88, 0x17, 0xB0, 0x03,
-	0xA1, 0x6B, 0x9A, 0xAB, 0x72, 0x70, 0x79, 0x32,
-	0xA2, 0xA0, 0x8C, 0xBB, 0x33, 0x6F, 0xB0, 0x76,
-	0x96, 0x2E, 0xC4, 0xE9, 0x2E, 0xD8, 0x8F, 0x92,
-	0xC0, 0x2D, 0x4D, 0x41, 0x0F, 0xDE, 0x45, 0x1B,
-	0x25, 0x3C, 0xBE, 0x37, 0x6B, 0x45, 0x82, 0x21,
-	0xE6, 0x4D, 0xB1, 0x23, 0x81, 0x82, 0xB6, 0x81,
-	0x62, 0xB7, 0x30, 0xF4, 0x60, 0x4B, 0xC7, 0xF7,
-	0xF0, 0x17, 0x0C, 0xB5, 0x75, 0x88, 0x77, 0x93,
-	0x52, 0x63, 0x70, 0xF0, 0x0B, 0xC6, 0x73, 0x43,
-	0x41, 0xEE, 0xE4, 0xF0, 0x71, 0xEC, 0xC8, 0xC1,
-	0x32, 0xC4, 0xDC, 0xA9, 0x99, 0x1D, 0x31, 0xB8,
-	0xA4, 0x7E, 0xDD, 0x19, 0x04, 0x0F, 0x02, 0xA8,
-	0x1A, 0xAF, 0xB3, 0x48, 0x9A, 0x29, 0x29, 0x5E,
-	0x49, 0x84, 0xE0, 0x94, 0x11, 0xD1, 0x7E, 0xAB,
-	0xB2, 0xC0, 0x44, 0x7E, 0xA1, 0x1B, 0x5E, 0x9D,
-	0x0D, 0x1A, 0xF9, 0x02, 0x9A, 0x2E, 0x53, 0x03,
-	0x2D, 0x48, 0x96, 0x7C, 0x2C, 0xA6, 0xD7, 0xAC,
-	0xF1, 0xED, 0x2B, 0x18, 0xBB, 0x01, 0xCB, 0x13,
-	0xB9, 0xAC, 0xA6, 0xEE, 0x55, 0x00, 0x37, 0x7C,
-	0x69, 0x61, 0x62, 0x89, 0x01, 0x54, 0x77, 0x9F,
-	0x07, 0x5D, 0x26, 0x34, 0x3A, 0xA9, 0x49, 0xA5,
-	0xAF, 0xF2, 0x5E, 0x06, 0x51, 0xB7, 0x1C, 0xE0,
-	0xDE, 0xDA, 0x5C, 0x0B, 0x9F, 0x98, 0xC2, 0x15,
-	0xFD, 0xBA, 0xD8, 0xA9, 0x99, 0x00, 0xAB, 0xA4,
-	0x8E, 0x4A, 0x16, 0x9D, 0x66, 0x2A, 0xE8, 0x56,
-	0x64, 0xB2, 0xB6, 0xC0, 0x93, 0xAF, 0x4D, 0x38,
-	0xA0, 0x16, 0x5C, 0xE4, 0xBD, 0x62, 0xC2, 0x46,
-	0x6B, 0xC9, 0x5A, 0x59, 0x4A, 0x72, 0x58, 0xFD,
-	0xB2, 0xCC, 0x36, 0x87, 0x30, 0x85, 0xE8, 0xA1,
-	0x04, 0x5B, 0xE0, 0x17, 0x9B, 0xD0, 0xEC, 0x9B
+	.modulus = { 0xDE, 0xCF, 0xB6, 0xFC, 0x3D, 0x33, 0xE9, 0x55, 0xFD, 0xAC, 0x90, 0xE8, 0x88, 0x17, 0xB0, 0x03, 0xA1, 0x6B, 0x9A, 0xAB, 0x72, 0x70, 0x79, 0x32, 0xA2, 0xA0, 0x8C, 0xBB, 0x33, 0x6F, 0xB0, 0x76, 0x96, 0x2E, 0xC4, 0xE9, 0x2E, 0xD8, 0x8F, 0x92, 0xC0, 0x2D, 0x4D, 0x41, 0x0F, 0xDE, 0x45, 0x1B, 0x25, 0x3C, 0xBE, 0x37, 0x6B, 0x45, 0x82, 0x21, 0xE6, 0x4D, 0xB1, 0x23, 0x81, 0x82, 0xB6, 0x81, 0x62, 0xB7, 0x30, 0xF4, 0x60, 0x4B, 0xC7, 0xF7, 0xF0, 0x17, 0x0C, 0xB5, 0x75, 0x88, 0x77, 0x93, 0x52, 0x63, 0x70, 0xF0, 0x0B, 0xC6, 0x73, 0x43, 0x41, 0xEE, 0xE4, 0xF0, 0x71, 0xEC, 0xC8, 0xC1, 0x32, 0xC4, 0xDC, 0xA9, 0x99, 0x1D, 0x31, 0xB8, 0xA4, 0x7E, 0xDD, 0x19, 0x04, 0x0F, 0x02, 0xA8, 0x1A, 0xAF, 0xB3, 0x48, 0x9A, 0x29, 0x29, 0x5E, 0x49, 0x84, 0xE0, 0x94, 0x11, 0xD1, 0x7E, 0xAB, 0xB2, 0xC0, 0x44, 0x7E, 0xA1, 0x1B, 0x5E, 0x9D, 0x0D, 0x1A, 0xF9, 0x02, 0x9A, 0x2E, 0x53, 0x03, 0x2D, 0x48, 0x96, 0x7C, 0x2C, 0xA6, 0xD7, 0xAC, 0xF1, 0xED, 0x2B, 0x18, 0xBB, 0x01, 0xCB, 0x13, 0xB9, 0xAC, 0xA6, 0xEE, 0x55, 0x00, 0x37, 0x7C, 0x69, 0x61, 0x62, 0x89, 0x01, 0x54, 0x77, 0x9F, 0x07, 0x5D, 0x26, 0x34, 0x3A, 0xA9, 0x49, 0xA5, 0xAF, 0xF2, 0x5E, 0x06, 0x51, 0xB7, 0x1C, 0xE0, 0xDE, 0xDA, 0x5C, 0x0B, 0x9F, 0x98, 0xC2, 0x15, 0xFD, 0xBA, 0xD8, 0xA9, 0x99, 0x00, 0xAB, 0xA4, 0x8E, 0x4A, 0x16, 0x9D, 0x66, 0x2A, 0xE8, 0x56, 0x64, 0xB2, 0xB6, 0xC0, 0x93, 0xAF, 0x4D, 0x38, 0xA0, 0x16, 0x5C, 0xE4, 0xBD, 0x62, 0xC2, 0x46, 0x6B, 0xC9, 0x5A, 0x59, 0x4A, 0x72, 0x58, 0xFD, 0xB2, 0xCC, 0x36, 0x87, 0x30, 0x85, 0xE8, 0xA1, 0x04, 0x5B, 0xE0, 0x17, 0x9B, 0xD0, 0xEC, 0x9B },
+	.priv_exponent = { 0 }
 };
 
 //Certificates
 static const unsigned char ca3_ppki_cert[0x400] =
 {
-	0x00, 0x01, 0x00, 0x03, 0x70, 0x41, 0x38, 0xEF, 
-	0xBB, 0xBD, 0xA1, 0x6A, 0x98, 0x7D, 0xD9, 0x01, 
-	0x32, 0x6D, 0x1C, 0x94, 0x59, 0x48, 0x4C, 0x88, 
-	0xA2, 0x86, 0x1B, 0x91, 0xA3, 0x12, 0x58, 0x7A, 
-	0xE7, 0x0E, 0xF6, 0x23, 0x7E, 0xC5, 0x0E, 0x10, 
-	0x32, 0xDC, 0x39, 0xDD, 0xE8, 0x9A, 0x96, 0xA8, 
-	0xE8, 0x59, 0xD7, 0x6A, 0x98, 0xA6, 0xE7, 0xE3, 
-	0x6A, 0x0C, 0xFE, 0x35, 0x2C, 0xA8, 0x93, 0x05, 
-	0x82, 0x34, 0xFF, 0x83, 0x3F, 0xCB, 0x3B, 0x03, 
-	0x81, 0x1E, 0x9F, 0x0D, 0xC0, 0xD9, 0xA5, 0x2F, 
-	0x80, 0x45, 0xB4, 0xB2, 0xF9, 0x41, 0x1B, 0x67, 
-	0xA5, 0x1C, 0x44, 0xB5, 0xEF, 0x8C, 0xE7, 0x7B, 
-	0xD6, 0xD5, 0x6B, 0xA7, 0x57, 0x34, 0xA1, 0x85, 
-	0x6D, 0xE6, 0xD4, 0xBE, 0xD6, 0xD3, 0xA2, 0x42, 
-	0xC7, 0xC8, 0x79, 0x1B, 0x34, 0x22, 0x37, 0x5E, 
-	0x5C, 0x77, 0x9A, 0xBF, 0x07, 0x2F, 0x76, 0x95, 
-	0xEF, 0xA0, 0xF7, 0x5B, 0xCB, 0x83, 0x78, 0x9F, 
-	0xC3, 0x0E, 0x3F, 0xE4, 0xCC, 0x83, 0x92, 0x20, 
-	0x78, 0x40, 0x63, 0x89, 0x49, 0xC7, 0xF6, 0x88, 
-	0x56, 0x5F, 0x64, 0x9B, 0x74, 0xD6, 0x3D, 0x8D, 
-	0x58, 0xFF, 0xAD, 0xDA, 0x57, 0x1E, 0x95, 0x54, 
-	0x42, 0x6B, 0x13, 0x18, 0xFC, 0x46, 0x89, 0x83, 
-	0xD4, 0xC8, 0xA5, 0x62, 0x8B, 0x06, 0xB6, 0xFC, 
-	0x5D, 0x50, 0x7C, 0x13, 0xE7, 0xA1, 0x8A, 0xC1, 
-	0x51, 0x1E, 0xB6, 0xD6, 0x2E, 0xA5, 0x44, 0x8F, 
-	0x83, 0x50, 0x14, 0x47, 0xA9, 0xAF, 0xB3, 0xEC, 
-	0xC2, 0x90, 0x3C, 0x9D, 0xD5, 0x2F, 0x92, 0x2A, 
-	0xC9, 0xAC, 0xDB, 0xEF, 0x58, 0xC6, 0x02, 0x18, 
-	0x48, 0xD9, 0x6E, 0x20, 0x87, 0x32, 0xD3, 0xD1, 
-	0xD9, 0xD9, 0xEA, 0x44, 0x0D, 0x91, 0x62, 0x1C, 
-	0x7A, 0x99, 0xDB, 0x88, 0x43, 0xC5, 0x9C, 0x1F, 
-	0x2E, 0x2C, 0x7D, 0x9B, 0x57, 0x7D, 0x51, 0x2C, 
-	0x16, 0x6D, 0x6F, 0x7E, 0x1A, 0xAD, 0x4A, 0x77, 
-	0x4A, 0x37, 0x44, 0x7E, 0x78, 0xFE, 0x20, 0x21, 
-	0xE1, 0x4A, 0x95, 0xD1, 0x12, 0xA0, 0x68, 0xAD, 
-	0xA0, 0x19, 0xF4, 0x63, 0xC7, 0xA5, 0x56, 0x85, 
-	0xAA, 0xBB, 0x68, 0x88, 0xB9, 0x24, 0x64, 0x83, 
-	0xD1, 0x8B, 0x9C, 0x80, 0x6F, 0x47, 0x49, 0x18, 
-	0x33, 0x17, 0x82, 0x34, 0x4A, 0x4B, 0x85, 0x31, 
-	0x33, 0x4B, 0x26, 0x30, 0x32, 0x63, 0xD9, 0xD2, 
-	0xEB, 0x4F, 0x4B, 0xB9, 0x96, 0x02, 0xB3, 0x52, 
-	0xF6, 0xAE, 0x40, 0x46, 0xC6, 0x9A, 0x5E, 0x7E, 
-	0x8E, 0x4A, 0x18, 0xEF, 0x9B, 0xC0, 0xA2, 0xDE, 
-	0xD6, 0x13, 0x10, 0x41, 0x70, 0x12, 0xFD, 0x82, 
-	0x4C, 0xC1, 0x16, 0xCF, 0xB7, 0xC4, 0xC1, 0xF7, 
-	0xEC, 0x71, 0x77, 0xA1, 0x74, 0x46, 0xCB, 0xDE, 
-	0x96, 0xF3, 0xED, 0xD8, 0x8F, 0xCD, 0x05, 0x2F, 
-	0x0B, 0x88, 0x8A, 0x45, 0xFD, 0xAF, 0x2B, 0x63, 
-	0x13, 0x54, 0xF4, 0x0D, 0x16, 0xE5, 0xFA, 0x9C, 
-	0x2C, 0x4E, 0xDA, 0x98, 0xE7, 0x98, 0xD1, 0x5E, 
-	0x60, 0x46, 0xDC, 0x53, 0x63, 0xF3, 0x09, 0x6B, 
-	0x2C, 0x60, 0x7A, 0x9D, 0x8D, 0xD5, 0x5B, 0x15, 
-	0x02, 0xA6, 0xAC, 0x7D, 0x3C, 0xC8, 0xD8, 0xC5, 
-	0x75, 0x99, 0x8E, 0x7D, 0x79, 0x69, 0x10, 0xC8, 
-	0x04, 0xC4, 0x95, 0x23, 0x50, 0x57, 0xE9, 0x1E, 
-	0xCD, 0x26, 0x37, 0xC9, 0xC1, 0x84, 0x51, 0x51, 
-	0xAC, 0x6B, 0x9A, 0x04, 0x90, 0xAE, 0x3E, 0xC6, 
-	0xF4, 0x77, 0x40, 0xA0, 0xDB, 0x0B, 0xA3, 0x6D, 
-	0x07, 0x59, 0x56, 0xCE, 0xE7, 0x35, 0x4E, 0xA3, 
-	0xE9, 0xA4, 0xF2, 0x72, 0x0B, 0x26, 0x55, 0x0C, 
-	0x7D, 0x39, 0x43, 0x24, 0xBC, 0x0C, 0xB7, 0xE9, 
-	0x31, 0x7D, 0x8A, 0x86, 0x61, 0xF4, 0x21, 0x91, 
-	0xFF, 0x10, 0xB0, 0x82, 0x56, 0xCE, 0x3F, 0xD2, 
-	0x5B, 0x74, 0x5E, 0x51, 0x94, 0x90, 0x6B, 0x4D, 
-	0x61, 0xCB, 0x4C, 0x2E, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x52, 0x6F, 0x6F, 0x74, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x01, 0x43, 0x41, 0x30, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x33, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x7B, 0xE8, 0xEF, 0x6C, 
-	0xB2, 0x79, 0xC9, 0xE2, 0xEE, 0xE1, 0x21, 0xC6, 
-	0xEA, 0xF4, 0x4F, 0xF6, 0x39, 0xF8, 0x8F, 0x07, 
-	0x8B, 0x4B, 0x77, 0xED, 0x9F, 0x95, 0x60, 0xB0, 
-	0x35, 0x82, 0x81, 0xB5, 0x0E, 0x55, 0xAB, 0x72, 
-	0x11, 0x15, 0xA1, 0x77, 0x70, 0x3C, 0x7A, 0x30, 
-	0xFE, 0x3A, 0xE9, 0xEF, 0x1C, 0x60, 0xBC, 0x1D, 
-	0x97, 0x46, 0x76, 0xB2, 0x3A, 0x68, 0xCC, 0x04, 
-	0xB1, 0x98, 0x52, 0x5B, 0xC9, 0x68, 0xF1, 0x1D, 
-	0xE2, 0xDB, 0x50, 0xE4, 0xD9, 0xE7, 0xF0, 0x71, 
-	0xE5, 0x62, 0xDA, 0xE2, 0x09, 0x22, 0x33, 0xE9, 
-	0xD3, 0x63, 0xF6, 0x1D, 0xD7, 0xC1, 0x9F, 0xF3, 
-	0xA4, 0xA9, 0x1E, 0x8F, 0x65, 0x53, 0xD4, 0x71, 
-	0xDD, 0x7B, 0x84, 0xB9, 0xF1, 0xB8, 0xCE, 0x73, 
-	0x35, 0xF0, 0xF5, 0x54, 0x05, 0x63, 0xA1, 0xEA, 
-	0xB8, 0x39, 0x63, 0xE0, 0x9B, 0xE9, 0x01, 0x01, 
-	0x1F, 0x99, 0x54, 0x63, 0x61, 0x28, 0x70, 0x20, 
-	0xE9, 0xCC, 0x0D, 0xAB, 0x48, 0x7F, 0x14, 0x0D, 
-	0x66, 0x26, 0xA1, 0x83, 0x6D, 0x27, 0x11, 0x1F, 
-	0x20, 0x68, 0xDE, 0x47, 0x72, 0x14, 0x91, 0x51, 
-	0xCF, 0x69, 0xC6, 0x1B, 0xA6, 0x0E, 0xF9, 0xD9, 
-	0x49, 0xA0, 0xF7, 0x1F, 0x54, 0x99, 0xF2, 0xD3, 
-	0x9A, 0xD2, 0x8C, 0x70, 0x05, 0x34, 0x82, 0x93, 
-	0xC4, 0x31, 0xFF, 0xBD, 0x33, 0xF6, 0xBC, 0xA6, 
-	0x0D, 0xC7, 0x19, 0x5E, 0xA2, 0xBC, 0xC5, 0x6D, 
-	0x20, 0x0B, 0xAF, 0x6D, 0x06, 0xD0, 0x9C, 0x41, 
-	0xDB, 0x8D, 0xE9, 0xC7, 0x20, 0x15, 0x4C, 0xA4, 
-	0x83, 0x2B, 0x69, 0xC0, 0x8C, 0x69, 0xCD, 0x3B, 
-	0x07, 0x3A, 0x00, 0x63, 0x60, 0x2F, 0x46, 0x2D, 
-	0x33, 0x80, 0x61, 0xA5, 0xEA, 0x6C, 0x91, 0x5C, 
-	0xD5, 0x62, 0x35, 0x79, 0xC3, 0xEB, 0x64, 0xCE, 
-	0x44, 0xEF, 0x58, 0x6D, 0x14, 0xBA, 0xAA, 0x88, 
-	0x34, 0x01, 0x9B, 0x3E, 0xEB, 0xEE, 0xD3, 0x79, 
-	0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x00, 0x01, 0x00, 0x03, 0x70, 0x41, 0x38, 0xEF,  0xBB, 0xBD, 0xA1, 0x6A, 0x98, 0x7D, 0xD9, 0x01,  0x32, 0x6D, 0x1C, 0x94, 0x59, 0x48, 0x4C, 0x88,  0xA2, 0x86, 0x1B, 0x91, 0xA3, 0x12, 0x58, 0x7A,  0xE7, 0x0E, 0xF6, 0x23, 0x7E, 0xC5, 0x0E, 0x10,  0x32, 0xDC, 0x39, 0xDD, 0xE8, 0x9A, 0x96, 0xA8,  0xE8, 0x59, 0xD7, 0x6A, 0x98, 0xA6, 0xE7, 0xE3,  0x6A, 0x0C, 0xFE, 0x35, 0x2C, 0xA8, 0x93, 0x05,  0x82, 0x34, 0xFF, 0x83, 0x3F, 0xCB, 0x3B, 0x03,  0x81, 0x1E, 0x9F, 0x0D, 0xC0, 0xD9, 0xA5, 0x2F,  0x80, 0x45, 0xB4, 0xB2, 0xF9, 0x41, 0x1B, 0x67,  0xA5, 0x1C, 0x44, 0xB5, 0xEF, 0x8C, 0xE7, 0x7B,  0xD6, 0xD5, 0x6B, 0xA7, 0x57, 0x34, 0xA1, 0x85,  0x6D, 0xE6, 0xD4, 0xBE, 0xD6, 0xD3, 0xA2, 0x42,  0xC7, 0xC8, 0x79, 0x1B, 0x34, 0x22, 0x37, 0x5E,  0x5C, 0x77, 0x9A, 0xBF, 0x07, 0x2F, 0x76, 0x95,  0xEF, 0xA0, 0xF7, 0x5B, 0xCB, 0x83, 0x78, 0x9F,  0xC3, 0x0E, 0x3F, 0xE4, 0xCC, 0x83, 0x92, 0x20,  0x78, 0x40, 0x63, 0x89, 0x49, 0xC7, 0xF6, 0x88,  0x56, 0x5F, 0x64, 0x9B, 0x74, 0xD6, 0x3D, 0x8D,  0x58, 0xFF, 0xAD, 0xDA, 0x57, 0x1E, 0x95, 0x54,  0x42, 0x6B, 0x13, 0x18, 0xFC, 0x46, 0x89, 0x83,  0xD4, 0xC8, 0xA5, 0x62, 0x8B, 0x06, 0xB6, 0xFC,  0x5D, 0x50, 0x7C, 0x13, 0xE7, 0xA1, 0x8A, 0xC1,  0x51, 0x1E, 0xB6, 0xD6, 0x2E, 0xA5, 0x44, 0x8F,  0x83, 0x50, 0x14, 0x47, 0xA9, 0xAF, 0xB3, 0xEC,  0xC2, 0x90, 0x3C, 0x9D, 0xD5, 0x2F, 0x92, 0x2A,  0xC9, 0xAC, 0xDB, 0xEF, 0x58, 0xC6, 0x02, 0x18,  0x48, 0xD9, 0x6E, 0x20, 0x87, 0x32, 0xD3, 0xD1,  0xD9, 0xD9, 0xEA, 0x44, 0x0D, 0x91, 0x62, 0x1C,  0x7A, 0x99, 0xDB, 0x88, 0x43, 0xC5, 0x9C, 0x1F,  0x2E, 0x2C, 0x7D, 0x9B, 0x57, 0x7D, 0x51, 0x2C,  0x16, 0x6D, 0x6F, 0x7E, 0x1A, 0xAD, 0x4A, 0x77,  0x4A, 0x37, 0x44, 0x7E, 0x78, 0xFE, 0x20, 0x21,  0xE1, 0x4A, 0x95, 0xD1, 0x12, 0xA0, 0x68, 0xAD,  0xA0, 0x19, 0xF4, 0x63, 0xC7, 0xA5, 0x56, 0x85,  0xAA, 0xBB, 0x68, 0x88, 0xB9, 0x24, 0x64, 0x83,  0xD1, 0x8B, 0x9C, 0x80, 0x6F, 0x47, 0x49, 0x18,  0x33, 0x17, 0x82, 0x34, 0x4A, 0x4B, 0x85, 0x31,  0x33, 0x4B, 0x26, 0x30, 0x32, 0x63, 0xD9, 0xD2,  0xEB, 0x4F, 0x4B, 0xB9, 0x96, 0x02, 0xB3, 0x52,  0xF6, 0xAE, 0x40, 0x46, 0xC6, 0x9A, 0x5E, 0x7E,  0x8E, 0x4A, 0x18, 0xEF, 0x9B, 0xC0, 0xA2, 0xDE,  0xD6, 0x13, 0x10, 0x41, 0x70, 0x12, 0xFD, 0x82,  0x4C, 0xC1, 0x16, 0xCF, 0xB7, 0xC4, 0xC1, 0xF7,  0xEC, 0x71, 0x77, 0xA1, 0x74, 0x46, 0xCB, 0xDE,  0x96, 0xF3, 0xED, 0xD8, 0x8F, 0xCD, 0x05, 0x2F,  0x0B, 0x88, 0x8A, 0x45, 0xFD, 0xAF, 0x2B, 0x63,  0x13, 0x54, 0xF4, 0x0D, 0x16, 0xE5, 0xFA, 0x9C,  0x2C, 0x4E, 0xDA, 0x98, 0xE7, 0x98, 0xD1, 0x5E,  0x60, 0x46, 0xDC, 0x53, 0x63, 0xF3, 0x09, 0x6B,  0x2C, 0x60, 0x7A, 0x9D, 0x8D, 0xD5, 0x5B, 0x15,  0x02, 0xA6, 0xAC, 0x7D, 0x3C, 0xC8, 0xD8, 0xC5,  0x75, 0x99, 0x8E, 0x7D, 0x79, 0x69, 0x10, 0xC8,  0x04, 0xC4, 0x95, 0x23, 0x50, 0x57, 0xE9, 0x1E,  0xCD, 0x26, 0x37, 0xC9, 0xC1, 0x84, 0x51, 0x51,  0xAC, 0x6B, 0x9A, 0x04, 0x90, 0xAE, 0x3E, 0xC6,  0xF4, 0x77, 0x40, 0xA0, 0xDB, 0x0B, 0xA3, 0x6D,  0x07, 0x59, 0x56, 0xCE, 0xE7, 0x35, 0x4E, 0xA3,  0xE9, 0xA4, 0xF2, 0x72, 0x0B, 0x26, 0x55, 0x0C,  0x7D, 0x39, 0x43, 0x24, 0xBC, 0x0C, 0xB7, 0xE9,  0x31, 0x7D, 0x8A, 0x86, 0x61, 0xF4, 0x21, 0x91,  0xFF, 0x10, 0xB0, 0x82, 0x56, 0xCE, 0x3F, 0xD2,  0x5B, 0x74, 0x5E, 0x51, 0x94, 0x90, 0x6B, 0x4D,  0x61, 0xCB, 0x4C, 0x2E, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x52, 0x6F, 0x6F, 0x74, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x01, 0x43, 0x41, 0x30, 0x30,  0x30, 0x30, 0x30, 0x30, 0x30, 0x33, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x7B, 0xE8, 0xEF, 0x6C,  0xB2, 0x79, 0xC9, 0xE2, 0xEE, 0xE1, 0x21, 0xC6,  0xEA, 0xF4, 0x4F, 0xF6, 0x39, 0xF8, 0x8F, 0x07,  0x8B, 0x4B, 0x77, 0xED, 0x9F, 0x95, 0x60, 0xB0,  0x35, 0x82, 0x81, 0xB5, 0x0E, 0x55, 0xAB, 0x72,  0x11, 0x15, 0xA1, 0x77, 0x70, 0x3C, 0x7A, 0x30,  0xFE, 0x3A, 0xE9, 0xEF, 0x1C, 0x60, 0xBC, 0x1D,  0x97, 0x46, 0x76, 0xB2, 0x3A, 0x68, 0xCC, 0x04,  0xB1, 0x98, 0x52, 0x5B, 0xC9, 0x68, 0xF1, 0x1D,  0xE2, 0xDB, 0x50, 0xE4, 0xD9, 0xE7, 0xF0, 0x71,  0xE5, 0x62, 0xDA, 0xE2, 0x09, 0x22, 0x33, 0xE9,  0xD3, 0x63, 0xF6, 0x1D, 0xD7, 0xC1, 0x9F, 0xF3,  0xA4, 0xA9, 0x1E, 0x8F, 0x65, 0x53, 0xD4, 0x71,  0xDD, 0x7B, 0x84, 0xB9, 0xF1, 0xB8, 0xCE, 0x73,  0x35, 0xF0, 0xF5, 0x54, 0x05, 0x63, 0xA1, 0xEA,  0xB8, 0x39, 0x63, 0xE0, 0x9B, 0xE9, 0x01, 0x01,  0x1F, 0x99, 0x54, 0x63, 0x61, 0x28, 0x70, 0x20,  0xE9, 0xCC, 0x0D, 0xAB, 0x48, 0x7F, 0x14, 0x0D,  0x66, 0x26, 0xA1, 0x83, 0x6D, 0x27, 0x11, 0x1F,  0x20, 0x68, 0xDE, 0x47, 0x72, 0x14, 0x91, 0x51,  0xCF, 0x69, 0xC6, 0x1B, 0xA6, 0x0E, 0xF9, 0xD9,  0x49, 0xA0, 0xF7, 0x1F, 0x54, 0x99, 0xF2, 0xD3,  0x9A, 0xD2, 0x8C, 0x70, 0x05, 0x34, 0x82, 0x93,  0xC4, 0x31, 0xFF, 0xBD, 0x33, 0xF6, 0xBC, 0xA6,  0x0D, 0xC7, 0x19, 0x5E, 0xA2, 0xBC, 0xC5, 0x6D,  0x20, 0x0B, 0xAF, 0x6D, 0x06, 0xD0, 0x9C, 0x41,  0xDB, 0x8D, 0xE9, 0xC7, 0x20, 0x15, 0x4C, 0xA4,  0x83, 0x2B, 0x69, 0xC0, 0x8C, 0x69, 0xCD, 0x3B,  0x07, 0x3A, 0x00, 0x63, 0x60, 0x2F, 0x46, 0x2D,  0x33, 0x80, 0x61, 0xA5, 0xEA, 0x6C, 0x91, 0x5C,  0xD5, 0x62, 0x35, 0x79, 0xC3, 0xEB, 0x64, 0xCE,  0x44, 0xEF, 0x58, 0x6D, 0x14, 0xBA, 0xAA, 0x88,  0x34, 0x01, 0x9B, 0x3E, 0xEB, 0xEE, 0xD3, 0x79,  0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
 static const unsigned char xsC_ppki_cert[0x300] = 
 {
-	0x00, 0x01, 0x00, 0x04, 0x91, 0x9E, 0xBE, 0x46, 
-	0x4A, 0xD0, 0xF5, 0x52, 0xCD, 0x1B, 0x72, 0xE7, 
-	0x88, 0x49, 0x10, 0xCF, 0x55, 0xA9, 0xF0, 0x2E, 
-	0x50, 0x78, 0x96, 0x41, 0xD8, 0x96, 0x68, 0x3D, 
-	0xC0, 0x05, 0xBD, 0x0A, 0xEA, 0x87, 0x07, 0x9D, 
-	0x8A, 0xC2, 0x84, 0xC6, 0x75, 0x06, 0x5F, 0x74, 
-	0xC8, 0xBF, 0x37, 0xC8, 0x80, 0x44, 0x40, 0x95, 
-	0x02, 0xA0, 0x22, 0x98, 0x0B, 0xB8, 0xAD, 0x48, 
-	0x38, 0x3F, 0x6D, 0x28, 0xA7, 0x9D, 0xE3, 0x96, 
-	0x26, 0xCC, 0xB2, 0xB2, 0x2A, 0x0F, 0x19, 0xE4, 
-	0x10, 0x32, 0xF0, 0x94, 0xB3, 0x9F, 0xF0, 0x13, 
-	0x31, 0x46, 0xDE, 0xC8, 0xF6, 0xC1, 0xA9, 0xD5, 
-	0x5C, 0xD2, 0x8D, 0x9E, 0x1C, 0x47, 0xB3, 0xD1, 
-	0x1F, 0x4F, 0x54, 0x26, 0xC2, 0xC7, 0x80, 0x13, 
-	0x5A, 0x27, 0x75, 0xD3, 0xCA, 0x67, 0x9B, 0xC7, 
-	0xE8, 0x34, 0xF0, 0xE0, 0xFB, 0x58, 0xE6, 0x88, 
-	0x60, 0xA7, 0x13, 0x30, 0xFC, 0x95, 0x79, 0x17, 
-	0x93, 0xC8, 0xFB, 0xA9, 0x35, 0xA7, 0xA6, 0x90, 
-	0x8F, 0x22, 0x9D, 0xEE, 0x2A, 0x0C, 0xA6, 0xB9, 
-	0xB2, 0x3B, 0x12, 0xD4, 0x95, 0xA6, 0xFE, 0x19, 
-	0xD0, 0xD7, 0x26, 0x48, 0x21, 0x68, 0x78, 0x60, 
-	0x5A, 0x66, 0x53, 0x8D, 0xBF, 0x37, 0x68, 0x99, 
-	0x90, 0x5D, 0x34, 0x45, 0xFC, 0x5C, 0x72, 0x7A, 
-	0x0E, 0x13, 0xE0, 0xE2, 0xC8, 0x97, 0x1C, 0x9C, 
-	0xFA, 0x6C, 0x60, 0x67, 0x88, 0x75, 0x73, 0x2A, 
-	0x4E, 0x75, 0x52, 0x3D, 0x2F, 0x56, 0x2F, 0x12, 
-	0xAA, 0xBD, 0x15, 0x73, 0xBF, 0x06, 0xC9, 0x40, 
-	0x54, 0xAE, 0xFA, 0x81, 0xA7, 0x14, 0x17, 0xAF, 
-	0x9A, 0x4A, 0x06, 0x6D, 0x0F, 0xFC, 0x5A, 0xD6, 
-	0x4B, 0xAB, 0x28, 0xB1, 0xFF, 0x60, 0x66, 0x1F, 
-	0x44, 0x37, 0xD4, 0x9E, 0x1E, 0x0D, 0x94, 0x12, 
-	0xEB, 0x4B, 0xCA, 0xCF, 0x4C, 0xFD, 0x6A, 0x34, 
-	0x08, 0x84, 0x79, 0x82, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x33, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x01, 0x58, 0x53, 0x30, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x63, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x13, 0x7A, 0x08, 0x94, 
-	0xAD, 0x50, 0x5B, 0xB6, 0xC6, 0x7E, 0x2E, 0x5B, 
-	0xDD, 0x6A, 0x3B, 0xEC, 0x43, 0xD9, 0x10, 0xC7, 
-	0x72, 0xE9, 0xCC, 0x29, 0x0D, 0xA5, 0x85, 0x88, 
-	0xB7, 0x7D, 0xCC, 0x11, 0x68, 0x0B, 0xB3, 0xE2, 
-	0x9F, 0x4E, 0xAB, 0xBB, 0x26, 0xE9, 0x8C, 0x26, 
-	0x01, 0x98, 0x5C, 0x04, 0x1B, 0xB1, 0x43, 0x78, 
-	0xE6, 0x89, 0x18, 0x1A, 0xAD, 0x77, 0x05, 0x68, 
-	0xE9, 0x28, 0xA2, 0xB9, 0x81, 0x67, 0xEE, 0x3E, 
-	0x10, 0xD0, 0x72, 0xBE, 0xEF, 0x1F, 0xA2, 0x2F, 
-	0xA2, 0xAA, 0x3E, 0x13, 0xF1, 0x1E, 0x18, 0x36, 
-	0xA9, 0x2A, 0x42, 0x81, 0xEF, 0x70, 0xAA, 0xF4, 
-	0xE4, 0x62, 0x99, 0x82, 0x21, 0xC6, 0xFB, 0xB9, 
-	0xBD, 0xD0, 0x17, 0xE6, 0xAC, 0x59, 0x04, 0x94, 
-	0xE9, 0xCE, 0xA9, 0x85, 0x9C, 0xEB, 0x2D, 0x2A, 
-	0x4C, 0x17, 0x66, 0xF2, 0xC3, 0x39, 0x12, 0xC5, 
-	0x8F, 0x14, 0xA8, 0x03, 0xE3, 0x6F, 0xCC, 0xDC, 
-	0xCC, 0xDC, 0x13, 0xFD, 0x7A, 0xE7, 0x7C, 0x7A, 
-	0x78, 0xD9, 0x97, 0xE6, 0xAC, 0xC3, 0x55, 0x57, 
-	0xE0, 0xD3, 0xE9, 0xEB, 0x64, 0xB4, 0x3C, 0x92, 
-	0xF4, 0xC5, 0x0D, 0x67, 0xA6, 0x02, 0xDE, 0xB3, 
-	0x91, 0xB0, 0x66, 0x61, 0xCD, 0x32, 0x88, 0x0B, 
-	0xD6, 0x49, 0x12, 0xAF, 0x1C, 0xBC, 0xB7, 0x16, 
-	0x2A, 0x06, 0xF0, 0x25, 0x65, 0xD3, 0xB0, 0xEC, 
-	0xE4, 0xFC, 0xEC, 0xDD, 0xAE, 0x8A, 0x49, 0x34, 
-	0xDB, 0x8E, 0xE6, 0x7F, 0x30, 0x17, 0x98, 0x62, 
-	0x21, 0x15, 0x5D, 0x13, 0x1C, 0x6C, 0x3F, 0x09, 
-	0xAB, 0x19, 0x45, 0xC2, 0x06, 0xAC, 0x70, 0xC9, 
-	0x42, 0xB3, 0x6F, 0x49, 0xA1, 0x18, 0x3B, 0xCD, 
-	0x78, 0xB6, 0xE4, 0xB4, 0x7C, 0x6C, 0x5C, 0xAC, 
-	0x0F, 0x8D, 0x62, 0xF8, 0x97, 0xC6, 0x95, 0x3D, 
-	0xD1, 0x2F, 0x28, 0xB7, 0x0C, 0x5B, 0x7D, 0xF7, 
-	0x51, 0x81, 0x9A, 0x98, 0x34, 0x65, 0x26, 0x25, 
-	0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x00, 0x01, 0x00, 0x04, 0x91, 0x9E, 0xBE, 0x46, 0x4A, 0xD0, 0xF5, 0x52, 0xCD, 0x1B, 0x72, 0xE7, 0x88, 0x49, 0x10, 0xCF, 0x55, 0xA9, 0xF0, 0x2E, 0x50, 0x78, 0x96, 0x41, 0xD8, 0x96, 0x68, 0x3D, 0xC0, 0x05, 0xBD, 0x0A, 0xEA, 0x87, 0x07, 0x9D, 0x8A, 0xC2, 0x84, 0xC6, 0x75, 0x06, 0x5F, 0x74, 0xC8, 0xBF, 0x37, 0xC8, 0x80, 0x44, 0x40, 0x95, 0x02, 0xA0, 0x22, 0x98, 0x0B, 0xB8, 0xAD, 0x48, 0x38, 0x3F, 0x6D, 0x28, 0xA7, 0x9D, 0xE3, 0x96, 0x26, 0xCC, 0xB2, 0xB2, 0x2A, 0x0F, 0x19, 0xE4, 0x10, 0x32, 0xF0, 0x94, 0xB3, 0x9F, 0xF0, 0x13, 0x31, 0x46, 0xDE, 0xC8, 0xF6, 0xC1, 0xA9, 0xD5, 0x5C, 0xD2, 0x8D, 0x9E, 0x1C, 0x47, 0xB3, 0xD1, 0x1F, 0x4F, 0x54, 0x26, 0xC2, 0xC7, 0x80, 0x13, 0x5A, 0x27, 0x75, 0xD3, 0xCA, 0x67, 0x9B, 0xC7, 0xE8, 0x34, 0xF0, 0xE0, 0xFB, 0x58, 0xE6, 0x88, 0x60, 0xA7, 0x13, 0x30, 0xFC, 0x95, 0x79, 0x17, 0x93, 0xC8, 0xFB, 0xA9, 0x35, 0xA7, 0xA6, 0x90, 0x8F, 0x22, 0x9D, 0xEE, 0x2A, 0x0C, 0xA6, 0xB9, 0xB2, 0x3B, 0x12, 0xD4, 0x95, 0xA6, 0xFE, 0x19, 0xD0, 0xD7, 0x26, 0x48, 0x21, 0x68, 0x78, 0x60, 0x5A, 0x66, 0x53, 0x8D, 0xBF, 0x37, 0x68, 0x99, 0x90, 0x5D, 0x34, 0x45, 0xFC, 0x5C, 0x72, 0x7A, 0x0E, 0x13, 0xE0, 0xE2, 0xC8, 0x97, 0x1C, 0x9C, 0xFA, 0x6C, 0x60, 0x67, 0x88, 0x75, 0x73, 0x2A, 0x4E, 0x75, 0x52, 0x3D, 0x2F, 0x56, 0x2F, 0x12, 0xAA, 0xBD, 0x15, 0x73, 0xBF, 0x06, 0xC9, 0x40, 0x54, 0xAE, 0xFA, 0x81, 0xA7, 0x14, 0x17, 0xAF, 0x9A, 0x4A, 0x06, 0x6D, 0x0F, 0xFC, 0x5A, 0xD6, 0x4B, 0xAB, 0x28, 0xB1, 0xFF, 0x60, 0x66, 0x1F, 0x44, 0x37, 0xD4, 0x9E, 0x1E, 0x0D, 0x94, 0x12, 0xEB, 0x4B, 0xCA, 0xCF, 0x4C, 0xFD, 0x6A, 0x34, 0x08, 0x84, 0x79, 0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x58, 0x53, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x7A, 0x08, 0x94, 0xAD, 0x50, 0x5B, 0xB6, 0xC6, 0x7E, 0x2E, 0x5B, 0xDD, 0x6A, 0x3B, 0xEC, 0x43, 0xD9, 0x10, 0xC7, 0x72, 0xE9, 0xCC, 0x29, 0x0D, 0xA5, 0x85, 0x88, 0xB7, 0x7D, 0xCC, 0x11, 0x68, 0x0B, 0xB3, 0xE2, 0x9F, 0x4E, 0xAB, 0xBB, 0x26, 0xE9, 0x8C, 0x26, 0x01, 0x98, 0x5C, 0x04, 0x1B, 0xB1, 0x43, 0x78, 0xE6, 0x89, 0x18, 0x1A, 0xAD, 0x77, 0x05, 0x68, 0xE9, 0x28, 0xA2, 0xB9, 0x81, 0x67, 0xEE, 0x3E, 0x10, 0xD0, 0x72, 0xBE, 0xEF, 0x1F, 0xA2, 0x2F, 0xA2, 0xAA, 0x3E, 0x13, 0xF1, 0x1E, 0x18, 0x36, 0xA9, 0x2A, 0x42, 0x81, 0xEF, 0x70, 0xAA, 0xF4, 0xE4, 0x62, 0x99, 0x82, 0x21, 0xC6, 0xFB, 0xB9, 0xBD, 0xD0, 0x17, 0xE6, 0xAC, 0x59, 0x04, 0x94, 0xE9, 0xCE, 0xA9, 0x85, 0x9C, 0xEB, 0x2D, 0x2A, 0x4C, 0x17, 0x66, 0xF2, 0xC3, 0x39, 0x12, 0xC5, 0x8F, 0x14, 0xA8, 0x03, 0xE3, 0x6F, 0xCC, 0xDC, 0xCC, 0xDC, 0x13, 0xFD, 0x7A, 0xE7, 0x7C, 0x7A, 0x78, 0xD9, 0x97, 0xE6, 0xAC, 0xC3, 0x55, 0x57, 0xE0, 0xD3, 0xE9, 0xEB, 0x64, 0xB4, 0x3C, 0x92, 0xF4, 0xC5, 0x0D, 0x67, 0xA6, 0x02, 0xDE, 0xB3, 0x91, 0xB0, 0x66, 0x61, 0xCD, 0x32, 0x88, 0x0B, 0xD6, 0x49, 0x12, 0xAF, 0x1C, 0xBC, 0xB7, 0x16, 0x2A, 0x06, 0xF0, 0x25, 0x65, 0xD3, 0xB0, 0xEC, 0xE4, 0xFC, 0xEC, 0xDD, 0xAE, 0x8A, 0x49, 0x34, 0xDB, 0x8E, 0xE6, 0x7F, 0x30, 0x17, 0x98, 0x62, 0x21, 0x15, 0x5D, 0x13, 0x1C, 0x6C, 0x3F, 0x09, 0xAB, 0x19, 0x45, 0xC2, 0x06, 0xAC, 0x70, 0xC9, 0x42, 0xB3, 0x6F, 0x49, 0xA1, 0x18, 0x3B, 0xCD, 0x78, 0xB6, 0xE4, 0xB4, 0x7C, 0x6C, 0x5C, 0xAC, 0x0F, 0x8D, 0x62, 0xF8, 0x97, 0xC6, 0x95, 0x3D, 0xD1, 0x2F, 0x28, 0xB7, 0x0C, 0x5B, 0x7D, 0xF7, 0x51, 0x81, 0x9A, 0x98, 0x34, 0x65, 0x26, 0x25, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
 
 static const unsigned char cpB_ppki_cert[0x300] = 
 {
-	0x00, 0x01, 0x00, 0x04, 0x2E, 0xA6, 0x6C, 0x66, 
-	0xCF, 0xF3, 0x35, 0x79, 0x7D, 0x04, 0x97, 0xB7, 
-	0x7A, 0x19, 0x7F, 0x9F, 0xE5, 0x1A, 0xB5, 0xA4, 
-	0x13, 0x75, 0xDC, 0x73, 0xFD, 0x9E, 0x0B, 0x10, 
-	0x66, 0x9B, 0x1B, 0x9A, 0x5B, 0x7E, 0x8A, 0xB2, 
-	0x8F, 0x01, 0xB6, 0x7B, 0x62, 0x54, 0xC1, 0x4A, 
-	0xA1, 0x33, 0x14, 0x18, 0xF2, 0x5B, 0xA5, 0x49, 
-	0x00, 0x4C, 0x37, 0x8D, 0xD7, 0x2F, 0x0C, 0xE6, 
-	0x3B, 0x1F, 0x70, 0x91, 0xAA, 0xFE, 0x38, 0x09, 
-	0xB7, 0xAC, 0x6C, 0x28, 0x76, 0xA6, 0x1D, 0x60, 
-	0x51, 0x6C, 0x43, 0xA6, 0x37, 0x29, 0x16, 0x2D, 
-	0x28, 0x0B, 0xE2, 0x1B, 0xE8, 0xE2, 0xFE, 0x05, 
-	0x7D, 0x8E, 0xB6, 0xE2, 0x04, 0x24, 0x22, 0x45, 
-	0x73, 0x1A, 0xB6, 0xFE, 0xE3, 0x0E, 0x53, 0x35, 
-	0x37, 0x3E, 0xEB, 0xA9, 0x70, 0xD5, 0x31, 0xBB, 
-	0xA2, 0xCB, 0x22, 0x2D, 0x96, 0x84, 0x38, 0x7D, 
-	0x5F, 0x2A, 0x1B, 0xF7, 0x52, 0x00, 0xCE, 0x06, 
-	0x56, 0xE3, 0x90, 0xCE, 0x19, 0x13, 0x5B, 0x59, 
-	0xE1, 0x4F, 0x0F, 0xA5, 0xC1, 0x28, 0x1A, 0x73, 
-	0x86, 0xCC, 0xD1, 0xC8, 0xEC, 0x3F, 0xAD, 0x70, 
-	0xFB, 0xCE, 0x74, 0xDE, 0xEE, 0x1F, 0xD0, 0x5F, 
-	0x46, 0x33, 0x0B, 0x51, 0xF9, 0xB7, 0x9E, 0x1D, 
-	0xDB, 0xF4, 0xE3, 0x3F, 0x14, 0x88, 0x9D, 0x05, 
-	0x28, 0x29, 0x24, 0xC5, 0xF5, 0xDC, 0x27, 0x66, 
-	0xEF, 0x06, 0x27, 0xD7, 0xEE, 0xDC, 0x73, 0x6E, 
-	0x67, 0xC2, 0xE5, 0xB9, 0x38, 0x34, 0x66, 0x80, 
-	0x72, 0x21, 0x6D, 0x1C, 0x78, 0xB8, 0x23, 0xA0, 
-	0x72, 0xD3, 0x4F, 0xF3, 0xEC, 0xF9, 0xBD, 0x11, 
-	0xA2, 0x9A, 0xF1, 0x6C, 0x33, 0xBD, 0x09, 0xAF, 
-	0xB2, 0xD7, 0x4D, 0x53, 0x4E, 0x02, 0x7C, 0x19, 
-	0x24, 0x0D, 0x59, 0x5A, 0x68, 0xEB, 0xB3, 0x05, 
-	0xAC, 0xC4, 0x4A, 0xB3, 0x8A, 0xB8, 0x20, 0xC6, 
-	0xD4, 0x26, 0x56, 0x0C, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x33, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x01, 0x43, 0x50, 0x30, 0x30, 
-	0x30, 0x30, 0x30, 0x30, 0x30, 0x62, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x13, 0x7A, 0x08, 0x0B, 
-	0xA6, 0x89, 0xC5, 0x90, 0xFD, 0x0B, 0x2F, 0x0D, 
-	0x4F, 0x56, 0xB6, 0x32, 0xFB, 0x93, 0x4E, 0xD0, 
-	0x73, 0x95, 0x17, 0xB3, 0x3A, 0x79, 0xDE, 0x04, 
-	0x0E, 0xE9, 0x2D, 0xC3, 0x1D, 0x37, 0xC7, 0xF7, 
-	0x3B, 0xF0, 0x4B, 0xD3, 0xE4, 0x4E, 0x20, 0xAB, 
-	0x5A, 0x6F, 0xEA, 0xF5, 0x98, 0x4C, 0xC1, 0xF6, 
-	0x06, 0x2E, 0x9A, 0x9F, 0xE5, 0x6C, 0x32, 0x85, 
-	0xDC, 0x6F, 0x25, 0xDD, 0xD5, 0xD0, 0xBF, 0x9F, 
-	0xE2, 0xEF, 0xE8, 0x35, 0xDF, 0x26, 0x34, 0xED, 
-	0x93, 0x7F, 0xAB, 0x02, 0x14, 0xD1, 0x04, 0x80, 
-	0x9C, 0xF7, 0x4B, 0x86, 0x0E, 0x6B, 0x04, 0x83, 
-	0xF4, 0xCD, 0x2D, 0xAB, 0x2A, 0x96, 0x02, 0xBC, 
-	0x56, 0xF0, 0xD6, 0xBD, 0x94, 0x6A, 0xED, 0x6E, 
-	0x0B, 0xE4, 0xF0, 0x8F, 0x26, 0x68, 0x6B, 0xD0, 
-	0x9E, 0xF7, 0xDB, 0x32, 0x5F, 0x82, 0xB1, 0x8F, 
-	0x6A, 0xF2, 0xED, 0x52, 0x5B, 0xFD, 0x82, 0x8B, 
-	0x65, 0x3F, 0xEE, 0x6E, 0xCE, 0x40, 0x0D, 0x5A, 
-	0x48, 0xFF, 0xE2, 0x2D, 0x53, 0x8B, 0xB5, 0x33, 
-	0x5B, 0x41, 0x53, 0x34, 0x2D, 0x43, 0x35, 0xAC, 
-	0xF5, 0x90, 0xD0, 0xD3, 0x0A, 0xE2, 0x04, 0x3C, 
-	0x7F, 0x5A, 0xD2, 0x14, 0xFC, 0x9C, 0x0F, 0xE6, 
-	0xFA, 0x40, 0xA5, 0xC8, 0x65, 0x06, 0xCA, 0x63, 
-	0x69, 0xBC, 0xEE, 0x44, 0xA3, 0x2D, 0x9E, 0x69, 
-	0x5C, 0xF0, 0x0B, 0x4F, 0xD7, 0x9A, 0xDB, 0x56, 
-	0x8D, 0x14, 0x9C, 0x20, 0x28, 0xA1, 0x4C, 0x9D, 
-	0x71, 0xB8, 0x50, 0xCA, 0x36, 0x5B, 0x37, 0xF7, 
-	0x0B, 0x65, 0x77, 0x91, 0xFC, 0x5D, 0x72, 0x8C, 
-	0x4E, 0x18, 0xFD, 0x22, 0x55, 0x7C, 0x40, 0x62, 
-	0xD7, 0x47, 0x71, 0x53, 0x3C, 0x70, 0x17, 0x9D, 
-	0x3D, 0xAE, 0x8F, 0x92, 0xB1, 0x17, 0xE4, 0x5C, 
-	0xB3, 0x32, 0xF3, 0xB3, 0xC2, 0xA2, 0x2E, 0x70, 
-	0x5C, 0xFE, 0xC6, 0x6F, 0x6D, 0xA3, 0x77, 0x2B, 
-	0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x00, 0x01, 0x00, 0x04, 0x2E, 0xA6, 0x6C, 0x66, 0xCF, 0xF3, 0x35, 0x79, 0x7D, 0x04, 0x97, 0xB7, 0x7A, 0x19, 0x7F, 0x9F, 0xE5, 0x1A, 0xB5, 0xA4, 0x13, 0x75, 0xDC, 0x73, 0xFD, 0x9E, 0x0B, 0x10, 0x66, 0x9B, 0x1B, 0x9A, 0x5B, 0x7E, 0x8A, 0xB2, 0x8F, 0x01, 0xB6, 0x7B, 0x62, 0x54, 0xC1, 0x4A, 0xA1, 0x33, 0x14, 0x18, 0xF2, 0x5B, 0xA5, 0x49, 0x00, 0x4C, 0x37, 0x8D, 0xD7, 0x2F, 0x0C, 0xE6, 0x3B, 0x1F, 0x70, 0x91, 0xAA, 0xFE, 0x38, 0x09, 0xB7, 0xAC, 0x6C, 0x28, 0x76, 0xA6, 0x1D, 0x60, 0x51, 0x6C, 0x43, 0xA6, 0x37, 0x29, 0x16, 0x2D, 0x28, 0x0B, 0xE2, 0x1B, 0xE8, 0xE2, 0xFE, 0x05, 0x7D, 0x8E, 0xB6, 0xE2, 0x04, 0x24, 0x22, 0x45, 0x73, 0x1A, 0xB6, 0xFE, 0xE3, 0x0E, 0x53, 0x35, 0x37, 0x3E, 0xEB, 0xA9, 0x70, 0xD5, 0x31, 0xBB, 0xA2, 0xCB, 0x22, 0x2D, 0x96, 0x84, 0x38, 0x7D, 0x5F, 0x2A, 0x1B, 0xF7, 0x52, 0x00, 0xCE, 0x06, 0x56, 0xE3, 0x90, 0xCE, 0x19, 0x13, 0x5B, 0x59, 0xE1, 0x4F, 0x0F, 0xA5, 0xC1, 0x28, 0x1A, 0x73, 0x86, 0xCC, 0xD1, 0xC8, 0xEC, 0x3F, 0xAD, 0x70, 0xFB, 0xCE, 0x74, 0xDE, 0xEE, 0x1F, 0xD0, 0x5F, 0x46, 0x33, 0x0B, 0x51, 0xF9, 0xB7, 0x9E, 0x1D, 0xDB, 0xF4, 0xE3, 0x3F, 0x14, 0x88, 0x9D, 0x05, 0x28, 0x29, 0x24, 0xC5, 0xF5, 0xDC, 0x27, 0x66, 0xEF, 0x06, 0x27, 0xD7, 0xEE, 0xDC, 0x73, 0x6E, 0x67, 0xC2, 0xE5, 0xB9, 0x38, 0x34, 0x66, 0x80, 0x72, 0x21, 0x6D, 0x1C, 0x78, 0xB8, 0x23, 0xA0, 0x72, 0xD3, 0x4F, 0xF3, 0xEC, 0xF9, 0xBD, 0x11, 0xA2, 0x9A, 0xF1, 0x6C, 0x33, 0xBD, 0x09, 0xAF, 0xB2, 0xD7, 0x4D, 0x53, 0x4E, 0x02, 0x7C, 0x19, 0x24, 0x0D, 0x59, 0x5A, 0x68, 0xEB, 0xB3, 0x05, 0xAC, 0xC4, 0x4A, 0xB3, 0x8A, 0xB8, 0x20, 0xC6, 0xD4, 0x26, 0x56, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x6F, 0x6F, 0x74, 0x2D, 0x43, 0x41, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x43, 0x50, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x7A, 0x08, 0x0B, 0xA6, 0x89, 0xC5, 0x90, 0xFD, 0x0B, 0x2F, 0x0D, 0x4F, 0x56, 0xB6, 0x32, 0xFB, 0x93, 0x4E, 0xD0, 0x73, 0x95, 0x17, 0xB3, 0x3A, 0x79, 0xDE, 0x04, 0x0E, 0xE9, 0x2D, 0xC3, 0x1D, 0x37, 0xC7, 0xF7, 0x3B, 0xF0, 0x4B, 0xD3, 0xE4, 0x4E, 0x20, 0xAB, 0x5A, 0x6F, 0xEA, 0xF5, 0x98, 0x4C, 0xC1, 0xF6, 0x06, 0x2E, 0x9A, 0x9F, 0xE5, 0x6C, 0x32, 0x85, 0xDC, 0x6F, 0x25, 0xDD, 0xD5, 0xD0, 0xBF, 0x9F, 0xE2, 0xEF, 0xE8, 0x35, 0xDF, 0x26, 0x34, 0xED, 0x93, 0x7F, 0xAB, 0x02, 0x14, 0xD1, 0x04, 0x80, 0x9C, 0xF7, 0x4B, 0x86, 0x0E, 0x6B, 0x04, 0x83, 0xF4, 0xCD, 0x2D, 0xAB, 0x2A, 0x96, 0x02, 0xBC, 0x56, 0xF0, 0xD6, 0xBD, 0x94, 0x6A, 0xED, 0x6E, 0x0B, 0xE4, 0xF0, 0x8F, 0x26, 0x68, 0x6B, 0xD0, 0x9E, 0xF7, 0xDB, 0x32, 0x5F, 0x82, 0xB1, 0x8F, 0x6A, 0xF2, 0xED, 0x52, 0x5B, 0xFD, 0x82, 0x8B, 0x65, 0x3F, 0xEE, 0x6E, 0xCE, 0x40, 0x0D, 0x5A, 0x48, 0xFF, 0xE2, 0x2D, 0x53, 0x8B, 0xB5, 0x33, 0x5B, 0x41, 0x53, 0x34, 0x2D, 0x43, 0x35, 0xAC, 0xF5, 0x90, 0xD0, 0xD3, 0x0A, 0xE2, 0x04, 0x3C, 0x7F, 0x5A, 0xD2, 0x14, 0xFC, 0x9C, 0x0F, 0xE6, 0xFA, 0x40, 0xA5, 0xC8, 0x65, 0x06, 0xCA, 0x63, 0x69, 0xBC, 0xEE, 0x44, 0xA3, 0x2D, 0x9E, 0x69, 0x5C, 0xF0, 0x0B, 0x4F, 0xD7, 0x9A, 0xDB, 0x56, 0x8D, 0x14, 0x9C, 0x20, 0x28, 0xA1, 0x4C, 0x9D, 0x71, 0xB8, 0x50, 0xCA, 0x36, 0x5B, 0x37, 0xF7, 0x0B, 0x65, 0x77, 0x91, 0xFC, 0x5D, 0x72, 0x8C, 0x4E, 0x18, 0xFD, 0x22, 0x55, 0x7C, 0x40, 0x62, 0xD7, 0x47, 0x71, 0x53, 0x3C, 0x70, 0x17, 0x9D, 0x3D, 0xAE, 0x8F, 0x92, 0xB1, 0x17, 0xE4, 0x5C, 0xB3, 0x32, 0xF3, 0xB3, 0xC2, 0xA2, 0x2E, 0x70, 0x5C, 0xFE, 0xC6, 0x6F, 0x6D, 0xA3, 0x77, 0x2B, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
\ No newline at end of file
diff --git a/makerom/pki/rsa_key.h b/makerom/pki/rsa_key.h
new file mode 100644
index 00000000..73f68bb5
--- /dev/null
+++ b/makerom/pki/rsa_key.h
@@ -0,0 +1,14 @@
+#pragma once
+#include <stdint.h>
+
+typedef struct CtrRsa2048Key {
+	uint8_t modulus[0x100];
+	uint8_t priv_exponent[0x100];
+	//uint8_t pub_exponent[0x3];
+} CtrRsa2048Key;
+
+typedef struct CtrRsa4096Key {
+	uint8_t modulus[0x200];
+	uint8_t priv_exponent[0x200];
+	//uint8_t pub_exponent[0x3];
+} CtrRsa4096Key;
\ No newline at end of file
diff --git a/makerom/pki/test.h b/makerom/pki/test.h
index f04cad47..0d659d06 100644
--- a/makerom/pki/test.h
+++ b/makerom/pki/test.h
@@ -1,4 +1,5 @@
 #pragma once
+#include "rsa_key.h"
 
 // AES KEYS
 static const unsigned char zeros_aesKey[16] = 
@@ -8,14 +9,10 @@ static const unsigned char zeros_aesKey[16] =
 };
 
 // RSA KEYS
-static const unsigned char tpki_rsa_privExp[256] = 
+static const CtrRsa2048Key tpki_rsa =
 {
-	0x3E, 0x2B, 0xBE, 0xBA, 0x7F, 0x29, 0x02, 0x52, 0xBF, 0x1B, 0xF1, 0xE4, 0x21, 0x2F, 0xD9, 0x76, 0x1E, 0x39, 0x23, 0x4A, 0x6D, 0xFF, 0x99, 0xF6, 0x33, 0xAA, 0x2B, 0x62, 0x03, 0x0A, 0x0E, 0x15, 0xAC, 0x16, 0xB9, 0x85, 0x63, 0x77, 0xF5, 0x74, 0x24, 0x61, 0xB1, 0x01, 0x6E, 0xEB, 0x72, 0x24, 0x1E, 0x5D, 0xFA, 0x8F, 0xA8, 0x5A, 0x10, 0x14, 0x47, 0xBD, 0x05, 0xA0, 0x7E, 0xE5, 0xFF, 0x60, 0x87, 0x2A, 0x18, 0x31, 0xC1, 0x39, 0x6C, 0xD5, 0x45, 0xBB, 0x29, 0x05, 0x04, 0xFB, 0x7A, 0xA2, 0x68, 0x21, 0x5F, 0xED, 0x4E, 0xFE, 0x64, 0x60, 0x69, 0xBD, 0x96, 0xD0, 0xA7, 0x06, 0x3D, 0x53, 0x7B, 0x68, 0x92, 0x88, 0x50, 0x86, 0xEE, 0x06, 0x5D, 0x72, 0x73, 0x9A, 0x39, 0xB6, 0x72, 0x3B, 0x20, 0x01, 0x39, 0xDF, 0x37, 0x28, 0x1E, 0xF5, 0x39, 0x63, 0xBC, 0x2A, 0xF2, 0x5E, 0xAB, 0x1A, 0x99, 0xE4, 0x5B, 0xEB, 0xE6, 0x36, 0x30, 0x6C, 0x40, 0x01, 0x61, 0x60, 0xCC, 0x55, 0x89, 0x6D, 0xCA, 0x7E, 0xE0, 0x64, 0x78, 0x7F, 0x7B, 0x26, 0xAE, 0x3E, 0xA3, 0x12, 0x45, 0x16, 0xF6, 0xC8, 0xD0, 0xB9, 0x4F, 0x91, 0x11, 0x12, 0x11, 0xBB, 0xBB, 0x7F, 0xAB, 0xC7, 0x82, 0xDC, 0x4A, 0x61, 0x9C, 0x14, 0xAE, 0x29, 0xFD, 0x3A, 0x60, 0x13, 0x93, 0x19, 0x2F, 0x54, 0x49, 0xB2, 0x44, 0x34, 0x58, 0x14, 0xD7, 0x2F, 0x70, 0x25, 0xA0, 0x48, 0x66, 0x76, 0x55, 0x87, 0x9B, 0x25, 0x77, 0x6D, 0x0B, 0x75, 0x98, 0x8B, 0xA6, 0x39, 0x40, 0x3C, 0x21, 0x7F, 0x2A, 0x24, 0xC1, 0xA5, 0xC1, 0xDC, 0x5A, 0x57, 0x54, 0xF6, 0x03, 0xF6, 0xAD, 0x51, 0x33, 0x40, 0x6D, 0x5C, 0x26, 0x5E, 0x29, 0x92, 0x82, 0xE5, 0x29, 0x13, 0x7D, 0x7D, 0xFE, 0x08, 0x73, 0xBC, 0x5D, 0xC4, 0xE9, 0x2B, 0xD6, 0x71
-};
-
-static const unsigned char tpki_rsa_pubMod[256] =
-{
-	0xCA, 0xC5, 0x88, 0xC7, 0xF1, 0x2A, 0x09, 0x2B, 0x76, 0x49, 0xC0, 0xA8, 0x35, 0x75, 0x10, 0x82, 0xC2, 0xB5, 0xE5, 0xB2, 0xE9, 0xC8, 0x18, 0x88, 0xF3, 0x98, 0x89, 0xBF, 0x9D, 0xE6, 0xE4, 0x0B, 0x71, 0x5D, 0xDD, 0x3F, 0x13, 0x82, 0x71, 0xF2, 0xED, 0x31, 0x86, 0x99, 0xD9, 0x47, 0xFE, 0xC5, 0x7A, 0x75, 0x93, 0xE1, 0xF8, 0x6D, 0xC6, 0x3D, 0x9B, 0xE1, 0x15, 0x99, 0xE1, 0xC2, 0xE0, 0x5C, 0x38, 0x4B, 0x35, 0xA2, 0x4D, 0x3E, 0xE2, 0xCE, 0xFB, 0xB3, 0x08, 0xA3, 0xDD, 0x0C, 0x26, 0x31, 0x84, 0x92, 0x27, 0xC8, 0x8A, 0x8E, 0xC8, 0x83, 0xA8, 0x6C, 0xA7, 0xA3, 0x39, 0x71, 0x9E, 0xF1, 0x34, 0x91, 0x01, 0xDF, 0x11, 0x4A, 0x9C, 0xF9, 0x8B, 0xF9, 0x2F, 0x46, 0x44, 0x0A, 0x72, 0x38, 0xF3, 0x8B, 0x6D, 0x23, 0x33, 0x89, 0xBF, 0x66, 0x34, 0xA7, 0x86, 0xE6, 0xAD, 0xF2, 0xDE, 0xF9, 0xAB, 0x16, 0xA1, 0x40, 0xEE, 0xD8, 0xF7, 0x6C, 0xDC, 0x00, 0x92, 0xCB, 0x31, 0x49, 0xFC, 0x26, 0x64, 0x24, 0x08, 0x8F, 0xC6, 0x60, 0xFF, 0x1E, 0xE3, 0xF0, 0xDD, 0xFB, 0x6D, 0x0D, 0x0F, 0x49, 0x7C, 0xAD, 0x03, 0xEC, 0x9F, 0x63, 0x58, 0xFA, 0x46, 0xDF, 0xA2, 0x64, 0x0E, 0xCC, 0x85, 0x57, 0xE7, 0x2C, 0x61, 0x7F, 0x59, 0xB8, 0x62, 0x7D, 0x59, 0x0E, 0xF6, 0x84, 0x96, 0x99, 0x42, 0xB0, 0x39, 0x83, 0x80, 0xB5, 0x52, 0x2E, 0x07, 0x3F, 0x92, 0xE3, 0x9E, 0xF5, 0x47, 0xEB, 0xA7, 0xD7, 0xD4, 0x15, 0xF1, 0x22, 0x82, 0x32, 0xBE, 0x2A, 0xD0, 0x8C, 0x01, 0xCC, 0x30, 0xA9, 0x11, 0x96, 0xF6, 0xE9, 0x2B, 0xEA, 0x0E, 0xF8, 0x2D, 0x0D, 0xB1, 0x91, 0xD5, 0x1A, 0x94, 0x51, 0xB9, 0x85, 0x39, 0xB0, 0xAF, 0x9F, 0x54, 0x9E, 0x99, 0xE1, 0x46, 0xE5, 0x6F, 0xE2, 0x5F, 0x4B, 0x4E, 0x23
+	.modulus = { 0xCA, 0xC5, 0x88, 0xC7, 0xF1, 0x2A, 0x09, 0x2B, 0x76, 0x49, 0xC0, 0xA8, 0x35, 0x75, 0x10, 0x82, 0xC2, 0xB5, 0xE5, 0xB2, 0xE9, 0xC8, 0x18, 0x88, 0xF3, 0x98, 0x89, 0xBF, 0x9D, 0xE6, 0xE4, 0x0B, 0x71, 0x5D, 0xDD, 0x3F, 0x13, 0x82, 0x71, 0xF2, 0xED, 0x31, 0x86, 0x99, 0xD9, 0x47, 0xFE, 0xC5, 0x7A, 0x75, 0x93, 0xE1, 0xF8, 0x6D, 0xC6, 0x3D, 0x9B, 0xE1, 0x15, 0x99, 0xE1, 0xC2, 0xE0, 0x5C, 0x38, 0x4B, 0x35, 0xA2, 0x4D, 0x3E, 0xE2, 0xCE, 0xFB, 0xB3, 0x08, 0xA3, 0xDD, 0x0C, 0x26, 0x31, 0x84, 0x92, 0x27, 0xC8, 0x8A, 0x8E, 0xC8, 0x83, 0xA8, 0x6C, 0xA7, 0xA3, 0x39, 0x71, 0x9E, 0xF1, 0x34, 0x91, 0x01, 0xDF, 0x11, 0x4A, 0x9C, 0xF9, 0x8B, 0xF9, 0x2F, 0x46, 0x44, 0x0A, 0x72, 0x38, 0xF3, 0x8B, 0x6D, 0x23, 0x33, 0x89, 0xBF, 0x66, 0x34, 0xA7, 0x86, 0xE6, 0xAD, 0xF2, 0xDE, 0xF9, 0xAB, 0x16, 0xA1, 0x40, 0xEE, 0xD8, 0xF7, 0x6C, 0xDC, 0x00, 0x92, 0xCB, 0x31, 0x49, 0xFC, 0x26, 0x64, 0x24, 0x08, 0x8F, 0xC6, 0x60, 0xFF, 0x1E, 0xE3, 0xF0, 0xDD, 0xFB, 0x6D, 0x0D, 0x0F, 0x49, 0x7C, 0xAD, 0x03, 0xEC, 0x9F, 0x63, 0x58, 0xFA, 0x46, 0xDF, 0xA2, 0x64, 0x0E, 0xCC, 0x85, 0x57, 0xE7, 0x2C, 0x61, 0x7F, 0x59, 0xB8, 0x62, 0x7D, 0x59, 0x0E, 0xF6, 0x84, 0x96, 0x99, 0x42, 0xB0, 0x39, 0x83, 0x80, 0xB5, 0x52, 0x2E, 0x07, 0x3F, 0x92, 0xE3, 0x9E, 0xF5, 0x47, 0xEB, 0xA7, 0xD7, 0xD4, 0x15, 0xF1, 0x22, 0x82, 0x32, 0xBE, 0x2A, 0xD0, 0x8C, 0x01, 0xCC, 0x30, 0xA9, 0x11, 0x96, 0xF6, 0xE9, 0x2B, 0xEA, 0x0E, 0xF8, 0x2D, 0x0D, 0xB1, 0x91, 0xD5, 0x1A, 0x94, 0x51, 0xB9, 0x85, 0x39, 0xB0, 0xAF, 0x9F, 0x54, 0x9E, 0x99, 0xE1, 0x46, 0xE5, 0x6F, 0xE2, 0x5F, 0x4B, 0x4E, 0x23 },
+	.priv_exponent = { 0x3E, 0x2B, 0xBE, 0xBA, 0x7F, 0x29, 0x02, 0x52, 0xBF, 0x1B, 0xF1, 0xE4, 0x21, 0x2F, 0xD9, 0x76, 0x1E, 0x39, 0x23, 0x4A, 0x6D, 0xFF, 0x99, 0xF6, 0x33, 0xAA, 0x2B, 0x62, 0x03, 0x0A, 0x0E, 0x15, 0xAC, 0x16, 0xB9, 0x85, 0x63, 0x77, 0xF5, 0x74, 0x24, 0x61, 0xB1, 0x01, 0x6E, 0xEB, 0x72, 0x24, 0x1E, 0x5D, 0xFA, 0x8F, 0xA8, 0x5A, 0x10, 0x14, 0x47, 0xBD, 0x05, 0xA0, 0x7E, 0xE5, 0xFF, 0x60, 0x87, 0x2A, 0x18, 0x31, 0xC1, 0x39, 0x6C, 0xD5, 0x45, 0xBB, 0x29, 0x05, 0x04, 0xFB, 0x7A, 0xA2, 0x68, 0x21, 0x5F, 0xED, 0x4E, 0xFE, 0x64, 0x60, 0x69, 0xBD, 0x96, 0xD0, 0xA7, 0x06, 0x3D, 0x53, 0x7B, 0x68, 0x92, 0x88, 0x50, 0x86, 0xEE, 0x06, 0x5D, 0x72, 0x73, 0x9A, 0x39, 0xB6, 0x72, 0x3B, 0x20, 0x01, 0x39, 0xDF, 0x37, 0x28, 0x1E, 0xF5, 0x39, 0x63, 0xBC, 0x2A, 0xF2, 0x5E, 0xAB, 0x1A, 0x99, 0xE4, 0x5B, 0xEB, 0xE6, 0x36, 0x30, 0x6C, 0x40, 0x01, 0x61, 0x60, 0xCC, 0x55, 0x89, 0x6D, 0xCA, 0x7E, 0xE0, 0x64, 0x78, 0x7F, 0x7B, 0x26, 0xAE, 0x3E, 0xA3, 0x12, 0x45, 0x16, 0xF6, 0xC8, 0xD0, 0xB9, 0x4F, 0x91, 0x11, 0x12, 0x11, 0xBB, 0xBB, 0x7F, 0xAB, 0xC7, 0x82, 0xDC, 0x4A, 0x61, 0x9C, 0x14, 0xAE, 0x29, 0xFD, 0x3A, 0x60, 0x13, 0x93, 0x19, 0x2F, 0x54, 0x49, 0xB2, 0x44, 0x34, 0x58, 0x14, 0xD7, 0x2F, 0x70, 0x25, 0xA0, 0x48, 0x66, 0x76, 0x55, 0x87, 0x9B, 0x25, 0x77, 0x6D, 0x0B, 0x75, 0x98, 0x8B, 0xA6, 0x39, 0x40, 0x3C, 0x21, 0x7F, 0x2A, 0x24, 0xC1, 0xA5, 0xC1, 0xDC, 0x5A, 0x57, 0x54, 0xF6, 0x03, 0xF6, 0xAD, 0x51, 0x33, 0x40, 0x6D, 0x5C, 0x26, 0x5E, 0x29, 0x92, 0x82, 0xE5, 0x29, 0x13, 0x7D, 0x7D, 0xFE, 0x08, 0x73, 0xBC, 0x5D, 0xC4, 0xE9, 0x2B, 0xD6, 0x71 }
 };
 
 //Certificates

From 22a112763427ec2c2a2ccdbf10c8673868f5513b Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 16 Jan 2016 10:10:18 +0800
Subject: [PATCH 158/317] [makerom] Fix typo in ctr_aes_keygen()

---
 makerom/aes_keygen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/aes_keygen.c b/makerom/aes_keygen.c
index ffaa4d93..c9934101 100644
--- a/makerom/aes_keygen.c
+++ b/makerom/aes_keygen.c
@@ -140,7 +140,7 @@ void ctr_aes_keygen(const uint8_t *x, const uint8_t *y, uint8_t *key)
 	n128_xor(x_rot, y, key_xy);
 
 	// key_xyc = key_xy + KEYGEN_CONST
-	n128_add(key_xy, KEYGEN_CONST, key);
+	n128_add(key_xy, KEYGEN_CONST, key_xyc);
 
 	n128_rrot(key_xyc, 41, key);
 }
\ No newline at end of file

From 2ffdca34c5bd062108cabad85070e4b5b72a5044 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 16 Jan 2016 10:37:12 +0800
Subject: [PATCH 159/317] [makerom] Fix typo in prod keyset

---
 makerom/pki/prod.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/pki/prod.h b/makerom/pki/prod.h
index bec496be..31250811 100644
--- a/makerom/pki/prod.h
+++ b/makerom/pki/prod.h
@@ -27,7 +27,7 @@ static const unsigned char ctr_common_etd_keyY_ppki[6][16] =
 };
 
 // RSA KEYS
-static const CtrRsa4096Key root_dpki_rsa =
+static const CtrRsa4096Key root_ppki_rsa =
 {
 	.modulus = { 0xF8, 0x24, 0x6C, 0x58, 0xBA, 0xE7, 0x50, 0x03, 0x01, 0xFB, 0xB7, 0xC2, 0xEB, 0xE0, 0x01, 0x05, 0x71, 0xDA, 0x92, 0x23, 0x78, 0xF0, 0x51, 0x4E, 0xC0, 0x03, 0x1D, 0xD0, 0xD2, 0x1E, 0xD3, 0xD0, 0x7E, 0xFC, 0x85, 0x20, 0x69, 0xB5, 0xDE, 0x9B, 0xB9, 0x51, 0xA8, 0xBC, 0x90, 0xA2, 0x44, 0x92, 0x6D, 0x37, 0x92, 0x95, 0xAE, 0x94, 0x36, 0xAA, 0xA6, 0xA3, 0x02, 0x51, 0x0C, 0x7B, 0x1D, 0xED, 0xD5, 0xFB, 0x20, 0x86, 0x9D, 0x7F, 0x30, 0x16, 0xF6, 0xBE, 0x65, 0xD3, 0x83, 0xA1, 0x6D, 0xB3, 0x32, 0x1B, 0x95, 0x35, 0x18, 0x90, 0xB1, 0x70, 0x02, 0x93, 0x7E, 0xE1, 0x93, 0xF5, 0x7E, 0x99, 0xA2, 0x47, 0x4E, 0x9D, 0x38, 0x24, 0xC7, 0xAE, 0xE3, 0x85, 0x41, 0xF5, 0x67, 0xE7, 0x51, 0x8C, 0x7A, 0x0E, 0x38, 0xE7, 0xEB, 0xAF, 0x41, 0x19, 0x1B, 0xCF, 0xF1, 0x7B, 0x42, 0xA6, 0xB4, 0xED, 0xE6, 0xCE, 0x8D, 0xE7, 0x31, 0x8F, 0x7F, 0x52, 0x04, 0xB3, 0x99, 0x0E, 0x22, 0x67, 0x45, 0xAF, 0xD4, 0x85, 0xB2, 0x44, 0x93, 0x00, 0x8B, 0x08, 0xC7, 0xF6, 0xB7, 0xE5, 0x6B, 0x02, 0xB3, 0xE8, 0xFE, 0x0C, 0x9D, 0x85, 0x9C, 0xB8, 0xB6, 0x82, 0x23, 0xB8, 0xAB, 0x27, 0xEE, 0x5F, 0x65, 0x38, 0x07, 0x8B, 0x2D, 0xB9, 0x1E, 0x2A, 0x15, 0x3E, 0x85, 0x81, 0x80, 0x72, 0xA2, 0x3B, 0x6D, 0xD9, 0x32, 0x81, 0x05, 0x4F, 0x6F, 0xB0, 0xF6, 0xF5, 0xAD, 0x28, 0x3E, 0xCA, 0x0B, 0x7A, 0xF3, 0x54, 0x55, 0xE0, 0x3D, 0xA7, 0xB6, 0x83, 0x26, 0xF3, 0xEC, 0x83, 0x4A, 0xF3, 0x14, 0x04, 0x8A, 0xC6, 0xDF, 0x20, 0xD2, 0x85, 0x08, 0x67, 0x3C, 0xAB, 0x62, 0xA2, 0xC7, 0xBC, 0x13, 0x1A, 0x53, 0x3E, 0x0B, 0x66, 0x80, 0x6B, 0x1C, 0x30, 0x66, 0x4B, 0x37, 0x23, 0x31, 0xBD, 0xC4, 0xB0, 0xCA, 0xD8, 0xD1, 0x1E, 0xE7, 0xBB, 0xD9, 0x28, 0x55, 0x48, 0xAA, 0xEC, 0x1F, 0x66, 0xE8, 0x21, 0xB3, 0xC8, 0xA0, 0x47, 0x69, 0x00, 0xC5, 0xE6, 0x88, 0xE8, 0x0C, 0xCE, 0x3C, 0x61, 0xD6, 0x9C, 0xBB, 0xA1, 0x37, 0xC6, 0x60, 0x4F, 0x7A, 0x72, 0xDD, 0x8C, 0x7B, 0x3E, 0x3D, 0x51, 0x29, 0x0D, 0xAA, 0x6A, 0x59, 0x7B, 0x08, 0x1F, 0x9D, 0x36, 0x33, 0xA3, 0x46, 0x7A, 0x35, 0x61, 0x09, 0xAC, 0xA7, 0xDD, 0x7D, 0x2E, 0x2F, 0xB2, 0xC1, 0xAE, 0xB8, 0xE2, 0x0F, 0x48, 0x92, 0xD8, 0xB9, 0xF8, 0xB4, 0x6F, 0x4E, 0x3C, 0x11, 0xF4, 0xF4, 0x7D, 0x8B, 0x75, 0x7D, 0xFE, 0xFE, 0xA3, 0x89, 0x9C, 0x33, 0x59, 0x5C, 0x5E, 0xFD, 0xEB, 0xCB, 0xAB, 0xE8, 0x41, 0x3E, 0x3A, 0x9A, 0x80, 0x3C, 0x69, 0x35, 0x6E, 0xB2, 0xB2, 0xAD, 0x5C, 0xC4, 0xC8, 0x58, 0x45, 0x5E, 0xF5, 0xF7, 0xB3, 0x06, 0x44, 0xB4, 0x7C, 0x64, 0x06, 0x8C, 0xDF, 0x80, 0x9F, 0x76, 0x02, 0x5A, 0x2D, 0xB4, 0x46, 0xE0, 0x3D, 0x7C, 0xF6, 0x2F, 0x34, 0xE7, 0x02, 0x45, 0x7B, 0x02, 0xA4, 0xCF, 0x5D, 0x9D, 0xD5, 0x3C, 0xA5, 0x3A, 0x7C, 0xA6, 0x29, 0x78, 0x8C, 0x67, 0xCA, 0x08, 0xBF, 0xEC, 0xCA, 0x43, 0xA9, 0x57, 0xAD, 0x16, 0xC9, 0x4E, 0x1C, 0xD8, 0x75, 0xCA, 0x10, 0x7D, 0xCE, 0x7E, 0x01, 0x18, 0xF0, 0xDF, 0x6B, 0xFE, 0xE5, 0x1D, 0xDB, 0xD9, 0x91, 0xC2, 0x6E, 0x60, 0xCD, 0x48, 0x58, 0xAA, 0x59, 0x2C, 0x82, 0x00, 0x75, 0xF2, 0x9F, 0x52, 0x6C, 0x91, 0x7C, 0x6F, 0xE5, 0x40, 0x3E, 0xA7, 0xD4, 0xA5, 0x0C, 0xEC, 0x3B, 0x73, 0x84, 0xDE, 0x88, 0x6E, 0x82, 0xD2, 0xEB, 0x4D, 0x4E, 0x42, 0xB5, 0xF2, 0xB1, 0x49, 0xA8, 0x1E, 0xA7, 0xCE, 0x71, 0x44, 0xDC, 0x29, 0x94, 0xCF, 0xC4, 0x4E, 0x1F, 0x91, 0xCB, 0xD4, 0x95 },
 	.priv_exponent = { 0 }

From 8ac78cac33d4d59c30b2420c9e13bf314b901631 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 16 Jan 2016 10:39:40 +0800
Subject: [PATCH 160/317] [makerom] Fix BSS duplication in ExeFS code, issue
 #20

---
 makerom/code.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/makerom/code.c b/makerom/code.c
index 483dfa41..88b23e6a 100644
--- a/makerom/code.c
+++ b/makerom/code.c
@@ -12,9 +12,8 @@ typedef struct code_segment
 {
 	u32 address;
 	u32 memSize;
+	u32 fileSize;
 	u32 pageNum;
-
-	u32 size;
 	const u8 *data;
 } code_segment;
 
@@ -132,7 +131,7 @@ void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_f
 	out->address = 0;
 	out->memSize = 0;
 	out->pageNum = 0;
-	out->size = 0;
+	out->fileSize = 0;
 	out->data = NULL;
 
 	/* Find segment */
@@ -147,8 +146,8 @@ void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_f
 		if ((segments[i].flags & ~PF_CTRSDK) == segment_flags && segments[i].type == PT_LOAD) {
 			out->address = segments[i].vAddr;
 			out->memSize = segments[i].memSize;
-			out->pageNum = SizeToPage(out->memSize);
-			out->size = segments[i].fileSize;
+			out->fileSize = segments[i].fileSize;
+			out->pageNum = SizeToPage(out->fileSize);
 			out->data = segments[i].ptr;
 			break;
 		}
@@ -167,23 +166,23 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA);
 
 	/* Checking the existence of essential ELF Segments */
-	if (!text.size) return NOT_FIND_TEXT_SEGMENT;
-	if (!rwdata.size) return NOT_FIND_DATA_SEGMENT;
+	if (!text.fileSize) return NOT_FIND_TEXT_SEGMENT;
+	if (!rwdata.fileSize) return NOT_FIND_DATA_SEGMENT;
 
-	/* Calculating BSS size */
-	set->codeDetails.bssSize = rwdata.memSize - rwdata.size;
+	/* Calculating BSS fileSize */
+	set->codeDetails.bssSize = rwdata.memSize - rwdata.fileSize;
 
 	/* Allocating Buffer for ExeFs Code */
 	u32 size = PageToSize(text.pageNum + rodata.pageNum + rwdata.pageNum);
 	u8 *code = calloc(1, size);
 
 	/* Writing Code into Buffer */
-	u8 *textPos = (code + text.address - text.address);
-	u8 *rodataPos = (code + rodata.address - text.address);
-	u8 *rwdataPos = (code + rwdata.address - text.address);
-	if (text.size) memcpy(textPos, text.data, text.size);
-	if (rodata.size) memcpy(rodataPos, rodata.data, rodata.size);
-	if (rwdata.size) memcpy(rwdataPos, rwdata.data, rwdata.size);
+	u8 *textPos = (code + PageToSize(0));
+	u8 *rodataPos = (code + PageToSize(text.pageNum));
+	u8 *rwdataPos = (code + PageToSize(text.pageNum + rodata.pageNum));
+	if (text.fileSize) memcpy(textPos, text.data, text.fileSize);
+	if (rodata.fileSize) memcpy(rodataPos, rodata.data, rodata.fileSize);
+	if (rwdata.fileSize) memcpy(rwdataPos, rwdata.data, rwdata.fileSize);
 
 
 	/* Compressing if needed */

From 7b8d16fac61913f08b78a7af9183dc8e5e56f8b9 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 16 Jan 2016 18:26:12 +0800
Subject: [PATCH 161/317] [makerom] misc

---
 makerom/code.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/code.c b/makerom/code.c
index 88b23e6a..11124471 100644
--- a/makerom/code.c
+++ b/makerom/code.c
@@ -169,7 +169,7 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	if (!text.fileSize) return NOT_FIND_TEXT_SEGMENT;
 	if (!rwdata.fileSize) return NOT_FIND_DATA_SEGMENT;
 
-	/* Calculating BSS fileSize */
+	/* Calculating BSS size */
 	set->codeDetails.bssSize = rwdata.memSize - rwdata.fileSize;
 
 	/* Allocating Buffer for ExeFs Code */

From 3548ebb1cf8038c0712279e9a7051ee61ec6807b Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 18 Jan 2016 19:28:52 +0800
Subject: [PATCH 162/317] [makerom] Added dev common keys: 2,3,4,5

---
 makerom/keyset.c  | 2 +-
 makerom/pki/dev.h | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/makerom/keyset.c b/makerom/keyset.c
index c17bf0c6..85cc3f7a 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -91,7 +91,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		keys->keysetLoaded = true;
 		/* AES Keys */
 		// CIA
-		for(int i = 0; i < 2; i++)
+		for(int i = 0; i < 6; i++)
 			SetCommonKey(keys, ctr_common_etd_key_dpki[i],i);
 
 		if(keys->aes.currentCommonKey > 0xff)
diff --git a/makerom/pki/dev.h b/makerom/pki/dev.h
index 6e107355..1099a23b 100644
--- a/makerom/pki/dev.h
+++ b/makerom/pki/dev.h
@@ -18,10 +18,14 @@ static const unsigned char dev_fixed_ncch_key[2][16] =
 	{0x52, 0x7C, 0xE6, 0x30, 0xA9, 0xCA, 0x30, 0x5F, 0x36, 0x96, 0xF3, 0xCD, 0xE9, 0x54, 0x19, 0x4B} , // System FixedKey
 };
 
-static const unsigned char ctr_common_etd_key_dpki[2][16] =
+static const unsigned char ctr_common_etd_key_dpki[6][16] =
 {
 	{0x55, 0xA3, 0xF8, 0x72, 0xBD, 0xC8, 0x0C, 0x55, 0x5A, 0x65, 0x43, 0x81, 0x13, 0x9E, 0x15, 0x3B} , // 0 - eShop Titles
 	{0x44, 0x34, 0xED, 0x14, 0x82, 0x0C, 0xA1, 0xEB, 0xAB, 0x82, 0xC1, 0x6E, 0x7B, 0xEF, 0x0C, 0x25} , // 1 - System Titles
+	{0xF6, 0x2E, 0x3F, 0x95, 0x8E, 0x28, 0xA2, 0x1F, 0x28, 0x9E, 0xEC, 0x71, 0xA8, 0x66, 0x29, 0xDC} , // 2
+	{0x2B, 0x49, 0xCB, 0x6F, 0x99, 0x98, 0xD9, 0xAD, 0x94, 0xF2, 0xED, 0xE7, 0xB5, 0xDA, 0x3E, 0x27} , // 3
+	{0x75, 0x05, 0x52, 0xBF, 0xAA, 0x1C, 0x04, 0x07, 0x55, 0xC8, 0xD5, 0x9A, 0x55, 0xF9, 0xAD, 0x1F} , // 4
+	{0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63} , // 5
 };
 
 //RSA Keys

From 58ca552e3ef704624e45c4843eab717a13e04b09 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 18 Jan 2016 23:44:58 +0800
Subject: [PATCH 163/317] [makerom] Encryption is now disabled by default.

---
 makerom/user_settings.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 8fa490e0..e35e89ee 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -96,7 +96,7 @@ void SetDefaults(user_settings *set)
 	// RSF Settings
 	clrmem(&set->common.rsfSet, sizeof(rsf_settings));
 	set->common.rsfSet.Option.EnableCompress = true;
-	set->common.rsfSet.Option.EnableCrypt = true;
+	set->common.rsfSet.Option.EnableCrypt = false;
 	set->common.rsfSet.Option.UseOnSD = false;
 	set->common.rsfSet.Option.FreeProductCode = false;
 
@@ -175,18 +175,15 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		if (strcasecmp(argv[i + 1], "test") == 0 || strcasecmp(argv[i + 1], "t") == 0) {
 			set->common.keys.keyset = pki_TEST;
-			set->common.rsfSet.Option.EnableCrypt = false; // prefer unencrypted output
 		}
 		//else if(strcasecmp(argv[i+1],"beta") == 0 || strcasecmp(argv[i+1],"b") == 0) {
 		//	set->common.keys.keyset = pki_BETA;
 		//}
 		else if (strcasecmp(argv[i + 1], "debug") == 0 || strcasecmp(argv[i + 1], "development") == 0 || strcasecmp(argv[i + 1], "d") == 0) {
 			set->common.keys.keyset = pki_DEVELOPMENT;
-			set->common.rsfSet.Option.EnableCrypt = true; // prefer encrypted output
 		}
 		else if (strcasecmp(argv[i + 1], "retail") == 0 || strcasecmp(argv[i + 1], "production") == 0 || strcasecmp(argv[i + 1], "p") == 0) {
 			set->common.keys.keyset = pki_PRODUCTION;
-			set->common.rsfSet.Option.EnableCrypt = true; // prefer encrypted output
 		}
 		//else if(strcasecmp(argv[i+1],"custom") == 0 || strcasecmp(argv[i+1],"c") == 0) {
 		//	set->common.keys.keyset = pki_CUSTOM;

From 167e3f550930c2a0a52b239d8a53f96369b71855 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 18 Jan 2016 23:46:25 +0800
Subject: [PATCH 164/317] [makerom/ctrtool] Release 0.15

---
 makerom/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index e35e89ee..68cc1bb6 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -880,7 +880,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.14 (C) 3DSGuy 2014\n");
+	printf("CTR MAKEROM v0.15 (C) 3DSGuy 2014\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From 8dd652737a0f617cb25dfcd7c1dad92db1c0c21d Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 24 Jan 2016 04:20:44 +0800
Subject: [PATCH 165/317] [makerom] Increased maximum affinity mask to 3 (from
 1).

---
 makerom/exheader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index 9765e1cb..3338aa09 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -346,8 +346,8 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 	/* flag[2] */
 	if(rsf->AccessControlInfo.AffinityMask){
 		arm11->affinityMask = strtol(rsf->AccessControlInfo.AffinityMask,NULL,0);
-		if(arm11->affinityMask > 1){
-			fprintf(stderr,"[EXHEADER ERROR] Unexpected AffinityMask: %d. Expected range: 0x0 - 0x1\n", arm11->affinityMask);
+		if(arm11->affinityMask > 3){
+			fprintf(stderr,"[EXHEADER ERROR] Unexpected AffinityMask: %d. Expected range: 0x0 - 0x3\n", arm11->affinityMask);
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}

From a8c0850b02cb9a80a6e2c9dc360f0c8642d21398 Mon Sep 17 00:00:00 2001
From: Alex Eckhart <eckhartalex@gmail.com>
Date: Mon, 25 Jan 2016 22:32:05 -0700
Subject: [PATCH 166/317] Fix agb_firm cia generation.

---
 makerom/exheader.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/exheader.c b/makerom/exheader.c
index 9765e1cb..579e4d15 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -1242,7 +1242,7 @@ int GetSaveDataSizeFromString(u64 *out, char *string, char *moduleName)
 			fprintf(stderr,"[ERROR] Invalid save data size format.\n");
 		return EXHDR_BAD_RSF_OPT;
 	}
-	if((SaveDataSize & 65536) != 0){
+	if((SaveDataSize % 65536) != 0){
 		if(moduleName)
 			fprintf(stderr,"[%s ERROR] Save data size must be aligned to 64K.\n",moduleName);
 		else
@@ -1280,7 +1280,7 @@ int GetSaveDataSize_rsf(u64 *SaveDataSize, user_settings *usrset)
 			fprintf(stderr,"[EXHEADER ERROR] Invalid save data size format.\n");
 			return EXHDR_BAD_RSF_OPT;
 		}
-		if((*SaveDataSize & 65536) != 0){
+		if((*SaveDataSize % 65536) != 0){
 			fprintf(stderr,"[EXHEADER ERROR] Save data size must be aligned to 64K.\n");
 			return EXHDR_BAD_RSF_OPT;
 		}

From d9556da765285306bcd8da3c0969f3e60e6b731a Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 15 Feb 2016 13:42:56 +0800
Subject: [PATCH 167/317] Cleaned up polarssl.

---
 makerom/crypto.c                |  139 +---
 makerom/polarssl/arc4.h         |   98 ---
 makerom/polarssl/asn1.h         |  246 -------
 makerom/polarssl/asn1write.h    |   46 --
 makerom/polarssl/blowfish.h     |  171 -----
 makerom/polarssl/camellia.h     |  200 ------
 makerom/polarssl/certs.h        |   47 --
 makerom/polarssl/cipher.h       |  463 -------------
 makerom/polarssl/cipher_wrap.h  |  107 ---
 makerom/polarssl/config.h       |   83 +--
 makerom/polarssl/ctr_drbg.h     |  231 -------
 makerom/polarssl/debug.h        |   89 ---
 makerom/polarssl/des.h          |  252 -------
 makerom/polarssl/dhm.h          |  244 -------
 makerom/polarssl/entropy.h      |  153 -----
 makerom/polarssl/entropy_poll.h |   75 --
 makerom/polarssl/error.h        |  108 ---
 makerom/polarssl/gcm.h          |  147 ----
 makerom/polarssl/havege.h       |   71 --
 makerom/polarssl/md.c           |  298 --------
 makerom/polarssl/md.h           |  363 ----------
 makerom/polarssl/md2.h          |  171 -----
 makerom/polarssl/md4.h          |  177 -----
 makerom/polarssl/md5.c          |  585 ----------------
 makerom/polarssl/md5.h          |  182 -----
 makerom/polarssl/md_wrap.c      |  733 --------------------
 makerom/polarssl/md_wrap.h      |   64 --
 makerom/polarssl/net.h          |  159 -----
 makerom/polarssl/openssl.h      |  136 ----
 makerom/polarssl/padlock.c      |  162 -----
 makerom/polarssl/padlock.h      |  108 ---
 makerom/polarssl/pbkdf2.h       |   82 ---
 makerom/polarssl/pem.h          |  105 ---
 makerom/polarssl/pkcs11.h       |  161 -----
 makerom/polarssl/pkcs12.h       |  131 ----
 makerom/polarssl/pkcs5.h        |  122 ----
 makerom/polarssl/rsa.c          |    6 +-
 makerom/polarssl/rsa.h          |    6 +-
 makerom/polarssl/sha2.h         |    5 -
 makerom/polarssl/sha4.c         |  760 ---------------------
 makerom/polarssl/sha4.h         |  186 -----
 makerom/polarssl/ssl.h          | 1140 -------------------------------
 makerom/polarssl/ssl_cache.h    |  119 ----
 makerom/polarssl/timing.h       |   75 --
 makerom/polarssl/version.h      |   81 ---
 makerom/polarssl/x509.h         |  778 ---------------------
 makerom/polarssl/x509write.h    |   46 --
 makerom/polarssl/xtea.h         |  129 ----
 48 files changed, 49 insertions(+), 9991 deletions(-)
 delete mode 100644 makerom/polarssl/arc4.h
 delete mode 100644 makerom/polarssl/asn1.h
 delete mode 100644 makerom/polarssl/asn1write.h
 delete mode 100644 makerom/polarssl/blowfish.h
 delete mode 100644 makerom/polarssl/camellia.h
 delete mode 100644 makerom/polarssl/certs.h
 delete mode 100644 makerom/polarssl/cipher.h
 delete mode 100644 makerom/polarssl/cipher_wrap.h
 delete mode 100644 makerom/polarssl/ctr_drbg.h
 delete mode 100644 makerom/polarssl/debug.h
 delete mode 100644 makerom/polarssl/des.h
 delete mode 100644 makerom/polarssl/dhm.h
 delete mode 100644 makerom/polarssl/entropy.h
 delete mode 100644 makerom/polarssl/entropy_poll.h
 delete mode 100644 makerom/polarssl/error.h
 delete mode 100644 makerom/polarssl/gcm.h
 delete mode 100644 makerom/polarssl/havege.h
 delete mode 100644 makerom/polarssl/md.c
 delete mode 100644 makerom/polarssl/md.h
 delete mode 100644 makerom/polarssl/md2.h
 delete mode 100644 makerom/polarssl/md4.h
 delete mode 100644 makerom/polarssl/md5.c
 delete mode 100644 makerom/polarssl/md5.h
 delete mode 100644 makerom/polarssl/md_wrap.c
 delete mode 100644 makerom/polarssl/md_wrap.h
 delete mode 100644 makerom/polarssl/net.h
 delete mode 100644 makerom/polarssl/openssl.h
 delete mode 100644 makerom/polarssl/padlock.c
 delete mode 100644 makerom/polarssl/padlock.h
 delete mode 100644 makerom/polarssl/pbkdf2.h
 delete mode 100644 makerom/polarssl/pem.h
 delete mode 100644 makerom/polarssl/pkcs11.h
 delete mode 100644 makerom/polarssl/pkcs12.h
 delete mode 100644 makerom/polarssl/pkcs5.h
 delete mode 100644 makerom/polarssl/sha4.c
 delete mode 100644 makerom/polarssl/sha4.h
 delete mode 100644 makerom/polarssl/ssl.h
 delete mode 100644 makerom/polarssl/ssl_cache.h
 delete mode 100644 makerom/polarssl/timing.h
 delete mode 100644 makerom/polarssl/version.h
 delete mode 100644 makerom/polarssl/x509.h
 delete mode 100644 makerom/polarssl/x509write.h
 delete mode 100644 makerom/polarssl/xtea.h

diff --git a/makerom/crypto.c b/makerom/crypto.c
index f654efe2..7231edc1 100644
--- a/makerom/crypto.c
+++ b/makerom/crypto.c
@@ -189,145 +189,8 @@ int RsaSignVerify(void *data, u64 len, u8 *sign, u8 *mod, u8 *priv_exp, u32 sig_
 	if(rsa_mode == CTR_RSA_VERIFY)
 		rsa_result = rsa_pkcs1_verify(&ctx, RSA_PUBLIC, GetRsaHashType(sig_type), 0, hash, sign);
 	else // CTR_RSA_SIGN
-		rsa_result = ctr_rsa_rsassa_pkcs1_v15_sign(&ctx, RSA_PRIVATE, GetRsaHashType(sig_type), 0, hash, sign);
+		rsa_result = rsa_rsassa_pkcs1_v15_sign(&ctx, RSA_PRIVATE, GetRsaHashType(sig_type), 0, hash, sign);
 	
 	rsa_free(&ctx);
 	return rsa_result;
-}
-
-/**
-*  Hacked from rsa.c, polarssl doesn't like generating signatures when only D and N are present
-**/
-int ctr_rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
-                               int mode,
-                               int hash_id,
-                               unsigned int hashlen,
-                               const unsigned char *hash,
-                               unsigned char *sig )
-{
-    size_t nb_pad, olen, ret;
-    unsigned char *p = sig;
-
-    if( ctx->padding != RSA_PKCS_V15 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    olen = ctx->len;
-
-    switch( hash_id )
-    {
-        case SIG_RSA_RAW:
-            nb_pad = olen - 3 - hashlen;
-            break;
-
-        case SIG_RSA_MD2:
-        case SIG_RSA_MD4:
-        case SIG_RSA_MD5:
-            nb_pad = olen - 3 - 34;
-            break;
-
-        case SIG_RSA_SHA1:
-            nb_pad = olen - 3 - 35;
-            break;
-
-        case SIG_RSA_SHA224:
-            nb_pad = olen - 3 - 47;
-            break;
-
-        case SIG_RSA_SHA256:
-            nb_pad = olen - 3 - 51;
-            break;
-
-        case SIG_RSA_SHA384:
-            nb_pad = olen - 3 - 67;
-            break;
-
-        case SIG_RSA_SHA512:
-            nb_pad = olen - 3 - 83;
-            break;
-
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    *p++ = 0;
-    *p++ = RSA_SIGN;
-    memset( p, 0xFF, nb_pad );
-    p += nb_pad;
-    *p++ = 0;
-
-    switch( hash_id )
-    {
-        case SIG_RSA_RAW:
-            memcpy( p, hash, hashlen );
-            break;
-
-        case SIG_RSA_MD2:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 2; break;
-
-        case SIG_RSA_MD4:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 4; break;
-
-        case SIG_RSA_MD5:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 5; break;
-
-        case SIG_RSA_SHA1:
-            memcpy( p, ASN1_HASH_SHA1, 15 );
-            memcpy( p + 15, hash, 20 );
-            break;
-
-        case SIG_RSA_SHA224:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 28 );
-            p[1] += 28; p[14] = 4; p[18] += 28; break;
-
-        case SIG_RSA_SHA256:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 32 );
-            p[1] += 32; p[14] = 1; p[18] += 32; break;
-
-        case SIG_RSA_SHA384:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 48 );
-            p[1] += 48; p[14] = 2; p[18] += 48; break;
-
-        case SIG_RSA_SHA512:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 64 );
-            p[1] += 64; p[14] = 3; p[18] += 64; break;
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    mpi T, T1, T2;
-
-	mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
-
-    MPI_CHK( mpi_read_binary( &T, sig, ctx->len ) );
-
-    if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
-    {
-        mpi_free( &T );
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }	
-	
-	MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
-	
-    MPI_CHK( mpi_write_binary( &T, sig, olen ) );
-
-cleanup:
-
-    mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
-
-    return( 0 );
 }
\ No newline at end of file
diff --git a/makerom/polarssl/arc4.h b/makerom/polarssl/arc4.h
deleted file mode 100644
index d60be3f2..00000000
--- a/makerom/polarssl/arc4.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * \file arc4.h
- *
- * \brief The ARCFOUR stream cipher
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_ARC4_H
-#define POLARSSL_ARC4_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#if !defined(POLARSSL_ARC4_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          ARC4 context structure
- */
-typedef struct
-{
-    int x;                      /*!< permutation index */
-    int y;                      /*!< permutation index */
-    unsigned char m[256];       /*!< permutation table */
-}
-arc4_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          ARC4 key schedule
- *
- * \param ctx      ARC4 context to be initialized
- * \param key      the secret key
- * \param keylen   length of the key
- */
-void arc4_setup( arc4_context *ctx, const unsigned char *key, unsigned int keylen );
-
-/**
- * \brief          ARC4 cipher function
- *
- * \param ctx      ARC4 context
- * \param length   length of the input data
- * \param input    buffer holding the input data
- * \param output   buffer for the output data
- *
- * \return         0 if successful
- */
-int arc4_crypt( arc4_context *ctx, size_t length, const unsigned char *input,
-                unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_ARC4_ALT */
-#include "polarssl/arc4_alt.h"
-#endif /* POLARSSL_ARC4_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int arc4_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* arc4.h */
diff --git a/makerom/polarssl/asn1.h b/makerom/polarssl/asn1.h
deleted file mode 100644
index e21ae098..00000000
--- a/makerom/polarssl/asn1.h
+++ /dev/null
@@ -1,246 +0,0 @@
-/**
- * \file asn1.h
- *
- * \brief Generic ASN.1 parsing
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_ASN1_H
-#define POLARSSL_ASN1_H
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_BIGNUM_C)
-#include "polarssl/bignum.h"
-#endif
-
-#include <string.h>
-
-/** 
- * \addtogroup asn1_module
- * \{ 
- */
- 
-/**
- * \name ASN1 Error codes
- * These error codes are OR'ed to X509 error codes for
- * higher error granularity. 
- * ASN1 is a standard to specify data structures.
- * \{
- */
-#define POLARSSL_ERR_ASN1_OUT_OF_DATA                      -0x0060  /**< Out of data when parsing an ASN1 data structure. */
-#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG                   -0x0062  /**< ASN1 tag was of an unexpected value. */
-#define POLARSSL_ERR_ASN1_INVALID_LENGTH                   -0x0064  /**< Error when trying to determine the length or invalid length. */
-#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH                  -0x0066  /**< Actual length differs from expected length. */
-#define POLARSSL_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. (not used) */
-#define POLARSSL_ERR_ASN1_MALLOC_FAILED                    -0x006A  /**< Memory allocation failed */
-#define POLARSSL_ERR_ASN1_BUF_TOO_SMALL                    -0x006C  /**< Buffer too small when writing ASN.1 data structure. */
-
-/* \} name */
-
-/**
- * \name DER constants
- * These constants comply with DER encoded the ANS1 type tags.
- * DER encoding uses hexadecimal representation.
- * An example DER sequence is:\n
- * - 0x02 -- tag indicating INTEGER
- * - 0x01 -- length in octets
- * - 0x05 -- value
- * Such sequences are typically read into \c ::x509_buf.
- * \{
- */
-#define ASN1_BOOLEAN                 0x01
-#define ASN1_INTEGER                 0x02
-#define ASN1_BIT_STRING              0x03
-#define ASN1_OCTET_STRING            0x04
-#define ASN1_NULL                    0x05
-#define ASN1_OID                     0x06
-#define ASN1_UTF8_STRING             0x0C
-#define ASN1_SEQUENCE                0x10
-#define ASN1_SET                     0x11
-#define ASN1_PRINTABLE_STRING        0x13
-#define ASN1_T61_STRING              0x14
-#define ASN1_IA5_STRING              0x16
-#define ASN1_UTC_TIME                0x17
-#define ASN1_GENERALIZED_TIME        0x18
-#define ASN1_UNIVERSAL_STRING        0x1C
-#define ASN1_BMP_STRING              0x1E
-#define ASN1_PRIMITIVE               0x00
-#define ASN1_CONSTRUCTED             0x20
-#define ASN1_CONTEXT_SPECIFIC        0x80
-/* \} name */
-/* \} addtogroup asn1_module */
-
-/** Returns the size of the binary string, without the trailing \\0 */
-#define OID_SIZE(x) (sizeof(x) - 1)
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \name Functions to parse ASN.1 data structures
- * \{
- */
-
-/**
- * Type-length-value structure that allows for ASN1 using DER.
- */
-typedef struct _asn1_buf
-{
-    int tag;                /**< ASN1 type, e.g. ASN1_UTF8_STRING. */
-    size_t len;             /**< ASN1 length, e.g. in octets. */
-    unsigned char *p;       /**< ASN1 data, e.g. in ASCII. */
-}
-asn1_buf;
-
-/**
- * Container for ASN1 bit strings.
- */
-typedef struct _asn1_bitstring
-{
-    size_t len;                 /**< ASN1 length, e.g. in octets. */
-    unsigned char unused_bits;  /**< Number of unused bits at the end of the string */
-    unsigned char *p;           /**< Raw ASN1 data for the bit string */
-}
-asn1_bitstring;
-
-/**
- * Container for a sequence of ASN.1 items
- */
-typedef struct _asn1_sequence
-{
-    asn1_buf buf;                   /**< Buffer containing the given ASN.1 item. */
-    struct _asn1_sequence *next;    /**< The next entry in the sequence. */
-}
-asn1_sequence;
-
-/**
- * Get the length of an ASN.1 element.
- * Updates the pointer to immediately behind the length.
- *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param len   The variable that will receive the value
- *
- * \return      0 if successful, POLARSSL_ERR_ASN1_OUT_OF_DATA on reaching
- *              end of data, POLARSSL_ERR_ASN1_INVALID_LENGTH if length is
- *              unparseable.
- */
-int asn1_get_len( unsigned char **p,
-                  const unsigned char *end,
-                  size_t *len );
-
-/**
- * Get the tag and length of the tag. Check for the requested tag.
- * Updates the pointer to immediately behind the tag and length.
- *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param len   The variable that will receive the length
- * \param tag   The expected tag
- *
- * \return      0 if successful, POLARSSL_ERR_ASN1_UNEXPECTED_TAG if tag did
- *              not match requested tag, or another specific ASN.1 error code.
- */
-int asn1_get_tag( unsigned char **p,
-                  const unsigned char *end,
-                  size_t *len, int tag );
-
-/**
- * Retrieve a boolean ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param val   The variable that will receive the value
- *
- * \return      0 if successful or a specific ASN.1 error code.
- */
-int asn1_get_bool( unsigned char **p,
-                   const unsigned char *end,
-                   int *val );
-
-/**
- * Retrieve an integer ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param val   The variable that will receive the value
- *
- * \return      0 if successful or a specific ASN.1 error code.
- */
-int asn1_get_int( unsigned char **p,
-                  const unsigned char *end,
-                  int *val );
-
-/**
- * Retrieve a bitstring ASN.1 tag and its value.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param bs    The variable that will receive the value
- *
- * \return      0 if successful or a specific ASN.1 error code.
- */
-int asn1_get_bitstring( unsigned char **p, const unsigned char *end,
-                        asn1_bitstring *bs);
-
-/**
- * Parses and splits an ASN.1 "SEQUENCE OF <tag>"
- * Updated the pointer to immediately behind the full sequence tag.
- *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param cur   First variable in the chain to fill
- * \param tag   Type of sequence
- *
- * \return      0 if successful or a specific ASN.1 error code.
- */
-int asn1_get_sequence_of( unsigned char **p,
-                          const unsigned char *end,
-                          asn1_sequence *cur,
-                          int tag);
-
-#if defined(POLARSSL_BIGNUM_C)
-/**
- * Retrieve a MPI value from an integer ASN.1 tag.
- * Updates the pointer to immediately behind the full tag.
- *
- * \param p     The position in the ASN.1 data
- * \param end   End of data
- * \param X     The MPI that will receive the value
- *
- * \return      0 if successful or a specific ASN.1 or MPI error code.
- */
-int asn1_get_mpi( unsigned char **p,
-                  const unsigned char *end,
-                  mpi *X );
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* asn1.h */
diff --git a/makerom/polarssl/asn1write.h b/makerom/polarssl/asn1write.h
deleted file mode 100644
index 7ea26800..00000000
--- a/makerom/polarssl/asn1write.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * \file asn1write.h
- *
- * \brief ASN.1 buffer writing functionality
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_ASN1_WRITE_H
-#define POLARSSL_ASN1_WRITE_H
-
-#include "polarssl/asn1.h"
-
-#define ASN1_CHK_ADD(g, f) if( ( ret = f ) < 0 ) return( ret ); else g += ret
-
-int asn1_write_len( unsigned char **p, unsigned char *start, size_t len );
-int asn1_write_tag( unsigned char **p, unsigned char *start, unsigned char tag );
-int asn1_write_mpi( unsigned char **p, unsigned char *start, mpi *X );
-int asn1_write_null( unsigned char **p, unsigned char *start );
-int asn1_write_oid( unsigned char **p, unsigned char *start, char *oid );
-int asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start, char *algorithm_oid );
-int asn1_write_int( unsigned char **p, unsigned char *start, int val );
-int asn1_write_printable_string( unsigned char **p, unsigned char *start,
-                                 char *text );
-int asn1_write_ia5_string( unsigned char **p, unsigned char *start,
-                                 char *text );
-
-#endif /* POLARSSL_ASN1_WRITE_H */
diff --git a/makerom/polarssl/blowfish.h b/makerom/polarssl/blowfish.h
deleted file mode 100644
index 0157f8ef..00000000
--- a/makerom/polarssl/blowfish.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/**
- * \file blowfish.h
- *
- * \brief Blowfish block cipher
- *
- *  Copyright (C) 2012-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_BLOWFISH_H
-#define POLARSSL_BLOWFISH_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define BLOWFISH_ENCRYPT     1
-#define BLOWFISH_DECRYPT     0
-#define BLOWFISH_MAX_KEY     448
-#define BLOWFISH_MIN_KEY     32
-#define BLOWFISH_ROUNDS      16         /* when increasing this value, make sure to extend the initialisation vectors */
-#define BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
-
-#define POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH                -0x0016  /**< Invalid key length. */
-#define POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH              -0x0018  /**< Invalid data input length. */
-
-#if !defined(POLARSSL_BLOWFISH_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          Blowfish context structure
- */
-typedef struct
-{
-    uint32_t P[BLOWFISH_ROUNDS + 2];    /*!<  Blowfish round keys    */
-    uint32_t S[4][256];                 /*!<  key dependent S-boxes  */
-}
-blowfish_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Blowfish key schedule
- *
- * \param ctx      Blowfish context to be initialized
- * \param key      encryption key
- * \param keysize  must be between 32 and 448 bits
- *
- * \return         0 if successful, or POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH
- */
-int blowfish_setkey( blowfish_context *ctx, const unsigned char *key, unsigned int keysize );
-
-/**
- * \brief          Blowfish-ECB block encryption/decryption
- *
- * \param ctx      Blowfish context
- * \param mode     BLOWFISH_ENCRYPT or BLOWFISH_DECRYPT
- * \param input    8-byte input block
- * \param output   8-byte output block
- *
- * \return         0 if successful
- */
-int blowfish_crypt_ecb( blowfish_context *ctx,
-                        int mode,
-                        const unsigned char input[BLOWFISH_BLOCKSIZE],
-                        unsigned char output[BLOWFISH_BLOCKSIZE] );
-
-/**
- * \brief          Blowfish-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (8 bytes)
- *
- * \param ctx      Blowfish context
- * \param mode     BLOWFISH_ENCRYPT or BLOWFISH_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if successful, or POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH
- */
-int blowfish_crypt_cbc( blowfish_context *ctx,
-                        int mode,
-                        size_t length,
-                        unsigned char iv[BLOWFISH_BLOCKSIZE],
-                        const unsigned char *input,
-                        unsigned char *output );
-
-/**
- * \brief          Blowfish CFB buffer encryption/decryption.
- *
- * both 
- * \param ctx      Blowfish context
- * \param mode     BLOWFISH_ENCRYPT or BLOWFISH_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if successful
- */
-int blowfish_crypt_cfb64( blowfish_context *ctx,
-                          int mode,
-                          size_t length,
-                          size_t *iv_off,
-                          unsigned char iv[BLOWFISH_BLOCKSIZE],
-                          const unsigned char *input,
-                          unsigned char *output );
-
-/**
- * \brief               Blowfish-CTR buffer encryption/decryption
- *
- * Warning: You have to keep the maximum use of your counter in mind!
- *
- * \param length        The length of the data
- * \param nc_off        The offset in the current stream_block (for resuming
- *                      within current cipher stream). The offset pointer to
- *                      should be 0 at the start of a stream.
- * \param nonce_counter The 64-bit nonce and counter.
- * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      by the function.
- * \param input         The input data stream
- * \param output        The output data stream
- *
- * \return         0 if successful
- */
-int blowfish_crypt_ctr( blowfish_context *ctx,
-                        size_t length,
-                        size_t *nc_off,
-                        unsigned char nonce_counter[BLOWFISH_BLOCKSIZE],
-                        unsigned char stream_block[BLOWFISH_BLOCKSIZE],
-                        const unsigned char *input,
-                        unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_BLOWFISH_ALT */
-#include "polarssl/blowfish_alt.h"
-#endif /* POLARSSL_BLOWFISH_ALT */
-
-#endif /* blowfish.h */
diff --git a/makerom/polarssl/camellia.h b/makerom/polarssl/camellia.h
deleted file mode 100644
index 3bd3bc30..00000000
--- a/makerom/polarssl/camellia.h
+++ /dev/null
@@ -1,200 +0,0 @@
-/**
- * \file camellia.h
- *
- * \brief Camellia block cipher
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_CAMELLIA_H
-#define POLARSSL_CAMELLIA_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define CAMELLIA_ENCRYPT     1
-#define CAMELLIA_DECRYPT     0
-
-#define POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH           -0x0024  /**< Invalid key length. */
-#define POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH         -0x0026  /**< Invalid data input length. */
-
-#if !defined(POLARSSL_CAMELLIA_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          CAMELLIA context structure
- */
-typedef struct
-{
-    int nr;                     /*!<  number of rounds  */
-    uint32_t rk[68];            /*!<  CAMELLIA round keys    */
-}
-camellia_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          CAMELLIA key schedule (encryption)
- *
- * \param ctx      CAMELLIA context to be initialized
- * \param key      encryption key
- * \param keysize  must be 128, 192 or 256
- * 
- * \return         0 if successful, or POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH
- */
-int camellia_setkey_enc( camellia_context *ctx, const unsigned char *key, unsigned int keysize );
-
-/**
- * \brief          CAMELLIA key schedule (decryption)
- *
- * \param ctx      CAMELLIA context to be initialized
- * \param key      decryption key
- * \param keysize  must be 128, 192 or 256
- * 
- * \return         0 if successful, or POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH
- */
-int camellia_setkey_dec( camellia_context *ctx, const unsigned char *key, unsigned int keysize );
-
-/**
- * \brief          CAMELLIA-ECB block encryption/decryption
- *
- * \param ctx      CAMELLIA context
- * \param mode     CAMELLIA_ENCRYPT or CAMELLIA_DECRYPT
- * \param input    16-byte input block
- * \param output   16-byte output block
- * 
- * \return         0 if successful
- */
-int camellia_crypt_ecb( camellia_context *ctx,
-                    int mode,
-                    const unsigned char input[16],
-                    unsigned char output[16] );
-
-/**
- * \brief          CAMELLIA-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (16 bytes)
- *
- * \param ctx      CAMELLIA context
- * \param mode     CAMELLIA_ENCRYPT or CAMELLIA_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- * 
- * \return         0 if successful, or POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH
- */
-int camellia_crypt_cbc( camellia_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[16],
-                    const unsigned char *input,
-                    unsigned char *output );
-
-/**
- * \brief          CAMELLIA-CFB128 buffer encryption/decryption
- *
- * Note: Due to the nature of CFB you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * camellia_setkey_enc() for both CAMELLIA_ENCRYPT and CAMELLIE_DECRYPT.
- *
- * \param ctx      CAMELLIA context
- * \param mode     CAMELLIA_ENCRYPT or CAMELLIA_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- * 
- * \return         0 if successful, or POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH
- */
-int camellia_crypt_cfb128( camellia_context *ctx,
-                       int mode,
-                       size_t length,
-                       size_t *iv_off,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output );
-
-/**
- * \brief               CAMELLIA-CTR buffer encryption/decryption
- *
- * Warning: You have to keep the maximum use of your counter in mind!
- *
- * Note: Due to the nature of CTR you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * camellia_setkey_enc() for both CAMELLIA_ENCRYPT and CAMELLIA_DECRYPT.
- *
- * \param length        The length of the data
- * \param nc_off        The offset in the current stream_block (for resuming
- *                      within current cipher stream). The offset pointer to
- *                      should be 0 at the start of a stream.
- * \param nonce_counter The 128-bit nonce and counter.
- * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      by the function.
- * \param input         The input data stream
- * \param output        The output data stream
- *
- * \return         0 if successful
- */
-int camellia_crypt_ctr( camellia_context *ctx,
-                       size_t length,
-                       size_t *nc_off,
-                       unsigned char nonce_counter[16],
-                       unsigned char stream_block[16],
-                       const unsigned char *input,
-                       unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_CAMELLIA_ALT */
-#include "polarssl/camellia_alt.h"
-#endif /* POLARSSL_CAMELLIA_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int camellia_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* camellia.h */
diff --git a/makerom/polarssl/certs.h b/makerom/polarssl/certs.h
deleted file mode 100644
index 5399e326..00000000
--- a/makerom/polarssl/certs.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * \file certs.h
- *
- * \brief Sample certificates and DHM parameters for testing
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_CERTS_H
-#define POLARSSL_CERTS_H
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-extern const char test_ca_crt[];
-extern const char test_ca_key[];
-extern const char test_ca_pwd[];
-extern const char test_srv_crt[];
-extern const char test_srv_key[];
-extern const char test_cli_crt[];
-extern const char test_cli_key[];
-extern const char test_dhm_params[];
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* certs.h */
diff --git a/makerom/polarssl/cipher.h b/makerom/polarssl/cipher.h
deleted file mode 100644
index 8224128e..00000000
--- a/makerom/polarssl/cipher.h
+++ /dev/null
@@ -1,463 +0,0 @@
-/**
- * \file cipher.h
- * 
- * \brief Generic cipher wrapper.
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#ifndef POLARSSL_CIPHER_H
-#define POLARSSL_CIPHER_H
-
-#include <string.h>
-
-#if defined(_MSC_VER) && !defined(inline)
-#define inline _inline
-#else
-#if defined(__ARMCC_VERSION) && !defined(inline)
-#define inline __inline
-#endif /* __ARMCC_VERSION */
-#endif /*_MSC_VER */
-
-#define POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE            -0x6080  /**< The selected feature is not available. */
-#define POLARSSL_ERR_CIPHER_BAD_INPUT_DATA                 -0x6100  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_CIPHER_ALLOC_FAILED                   -0x6180  /**< Failed to allocate memory. */
-#define POLARSSL_ERR_CIPHER_INVALID_PADDING                -0x6200  /**< Input data contains invalid padding and is rejected. */
-#define POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED            -0x6280  /**< Decryption of block requires a full block. */
-
-typedef enum {
-    POLARSSL_CIPHER_ID_NONE = 0,
-    POLARSSL_CIPHER_ID_NULL,
-    POLARSSL_CIPHER_ID_AES,
-    POLARSSL_CIPHER_ID_DES,
-    POLARSSL_CIPHER_ID_3DES,
-    POLARSSL_CIPHER_ID_CAMELLIA,
-    POLARSSL_CIPHER_ID_BLOWFISH,
-} cipher_id_t;
-
-typedef enum {
-    POLARSSL_CIPHER_NONE = 0,
-    POLARSSL_CIPHER_NULL,
-    POLARSSL_CIPHER_AES_128_CBC,
-    POLARSSL_CIPHER_AES_192_CBC,
-    POLARSSL_CIPHER_AES_256_CBC,
-    POLARSSL_CIPHER_AES_128_CFB128,
-    POLARSSL_CIPHER_AES_192_CFB128,
-    POLARSSL_CIPHER_AES_256_CFB128,
-    POLARSSL_CIPHER_AES_128_CTR,
-    POLARSSL_CIPHER_AES_192_CTR,
-    POLARSSL_CIPHER_AES_256_CTR,
-    POLARSSL_CIPHER_CAMELLIA_128_CBC,
-    POLARSSL_CIPHER_CAMELLIA_192_CBC,
-    POLARSSL_CIPHER_CAMELLIA_256_CBC,
-    POLARSSL_CIPHER_CAMELLIA_128_CFB128,
-    POLARSSL_CIPHER_CAMELLIA_192_CFB128,
-    POLARSSL_CIPHER_CAMELLIA_256_CFB128,
-    POLARSSL_CIPHER_CAMELLIA_128_CTR,
-    POLARSSL_CIPHER_CAMELLIA_192_CTR,
-    POLARSSL_CIPHER_CAMELLIA_256_CTR,
-    POLARSSL_CIPHER_DES_CBC,
-    POLARSSL_CIPHER_DES_EDE_CBC,
-    POLARSSL_CIPHER_DES_EDE3_CBC,
-    POLARSSL_CIPHER_BLOWFISH_CBC,
-    POLARSSL_CIPHER_BLOWFISH_CFB64,
-    POLARSSL_CIPHER_BLOWFISH_CTR,
-} cipher_type_t;
-
-typedef enum {
-    POLARSSL_MODE_NONE = 0,
-    POLARSSL_MODE_NULL,
-    POLARSSL_MODE_CBC,
-    POLARSSL_MODE_CFB,
-    POLARSSL_MODE_OFB,
-    POLARSSL_MODE_CTR,
-} cipher_mode_t;
-
-typedef enum {
-    POLARSSL_OPERATION_NONE = -1,
-    POLARSSL_DECRYPT = 0,
-    POLARSSL_ENCRYPT,
-} operation_t;
-
-enum {
-    /** Undefined key length */
-    POLARSSL_KEY_LENGTH_NONE = 0,
-    /** Key length, in bits (including parity), for DES keys */
-    POLARSSL_KEY_LENGTH_DES  = 64,
-    /** Key length, in bits (including parity), for DES in two key EDE */
-    POLARSSL_KEY_LENGTH_DES_EDE = 128,
-    /** Key length, in bits (including parity), for DES in three-key EDE */
-    POLARSSL_KEY_LENGTH_DES_EDE3 = 192,
-    /** Maximum length of any IV, in bytes */
-    POLARSSL_MAX_IV_LENGTH = 16,
-};
-
-/**
- * Base cipher information. The non-mode specific functions and values.
- */
-typedef struct {
-
-    /** Base Cipher type (e.g. POLARSSL_CIPHER_ID_AES) */
-    cipher_id_t cipher;
-
-    /** Encrypt using CBC */
-    int (*cbc_func)( void *ctx, operation_t mode, size_t length, unsigned char *iv,
-            const unsigned char *input, unsigned char *output );
-
-    /** Encrypt using CFB (Full length) */
-    int (*cfb_func)( void *ctx, operation_t mode, size_t length, size_t *iv_off,
-            unsigned char *iv, const unsigned char *input, unsigned char *output );
-
-    /** Encrypt using CTR */
-    int (*ctr_func)( void *ctx, size_t length, size_t *nc_off, unsigned char *nonce_counter,
-            unsigned char *stream_block, const unsigned char *input, unsigned char *output );
-
-    /** Set key for encryption purposes */
-    int (*setkey_enc_func)( void *ctx, const unsigned char *key, unsigned int key_length);
-
-    /** Set key for decryption purposes */
-    int (*setkey_dec_func)( void *ctx, const unsigned char *key, unsigned int key_length);
-
-    /** Allocate a new context */
-    void * (*ctx_alloc_func)( void );
-
-    /** Free the given context */
-    void (*ctx_free_func)( void *ctx );
-
-} cipher_base_t;
-
-/**
- * Cipher information. Allows cipher functions to be called in a generic way.
- */
-typedef struct {
-    /** Full cipher identifier (e.g. POLARSSL_CIPHER_AES_256_CBC) */
-    cipher_type_t type;
-
-    /** Cipher mode (e.g. POLARSSL_MODE_CBC) */
-    cipher_mode_t mode;
-
-    /** Cipher key length, in bits (default length for variable sized ciphers)
-     *  (Includes parity bits for ciphers like DES) */
-    unsigned int key_length;
-
-    /** Name of the cipher */
-    const char * name;
-
-    /** IV size, in bytes */
-    unsigned int iv_size;
-
-    /** block size, in bytes */
-    unsigned int block_size;
-
-    /** Base cipher information and functions */
-    const cipher_base_t *base;
-
-} cipher_info_t;
-
-/**
- * Generic cipher context.
- */
-typedef struct {
-    /** Information about the associated cipher */
-    const cipher_info_t *cipher_info;
-
-    /** Key length to use */
-    int key_length;
-
-    /** Operation that the context's key has been initialised for */
-    operation_t operation;
-
-    /** Buffer for data that hasn't been encrypted yet */
-    unsigned char unprocessed_data[POLARSSL_MAX_IV_LENGTH];
-
-    /** Number of bytes that still need processing */
-    size_t unprocessed_len;
-
-    /** Current IV or NONCE_COUNTER for CTR-mode */
-    unsigned char iv[POLARSSL_MAX_IV_LENGTH];
-
-    /** Cipher-specific context */
-    void *cipher_ctx;
-} cipher_context_t;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Returns the list of ciphers supported by the generic cipher module.
- *
- * \return              a statically allocated array of ciphers, the last entry
- *                      is 0.
- */
-const int *cipher_list( void );
-
-/**
- * \brief               Returns the cipher information structure associated
- *                      with the given cipher name.
- *
- * \param cipher_name   Name of the cipher to search for.
- *
- * \return              the cipher information structure associated with the
- *                      given cipher_name, or NULL if not found.
- */
-const cipher_info_t *cipher_info_from_string( const char *cipher_name );
-
-/**
- * \brief               Returns the cipher information structure associated
- *                      with the given cipher type.
- *
- * \param cipher_type   Type of the cipher to search for.
- *
- * \return              the cipher information structure associated with the
- *                      given cipher_type, or NULL if not found.
- */
-const cipher_info_t *cipher_info_from_type( const cipher_type_t cipher_type );
-
-/**
- * \brief               Initialises and fills the cipher context structure with
- *                      the appropriate values.
- *
- * \param ctx           context to initialise. May not be NULL.
- * \param cipher_info   cipher to use.
- *
- * \return              \c 0 on success,
- *                      \c POLARSSL_ERR_CIPHER_BAD_INPUT_DATA on parameter failure,
- *                      \c POLARSSL_ERR_CIPHER_ALLOC_FAILED if allocation of the
- *                      cipher-specific context failed.
- */
-int cipher_init_ctx( cipher_context_t *ctx, const cipher_info_t *cipher_info );
-
-/**
- * \brief               Free the cipher-specific context of ctx. Freeing ctx
- *                      itself remains the responsibility of the caller.
- *
- * \param ctx           Free the cipher-specific context
- *
- * \returns             0 on success, POLARSSL_ERR_CIPHER_BAD_INPUT_DATA if
- *                      parameter verification fails.
- */
-int cipher_free_ctx( cipher_context_t *ctx );
-
-/**
- * \brief               Returns the block size of the given cipher.
- *
- * \param ctx           cipher's context. Must have been initialised.
- *
- * \return              size of the cipher's blocks, or 0 if ctx has not been
- *                      initialised.
- */
-static inline unsigned int cipher_get_block_size( const cipher_context_t *ctx )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return 0;
-
-    return ctx->cipher_info->block_size;
-}
-
-/**
- * \brief               Returns the mode of operation for the cipher.
- *                      (e.g. POLARSSL_MODE_CBC)
- *
- * \param ctx           cipher's context. Must have been initialised.
- *
- * \return              mode of operation, or POLARSSL_MODE_NONE if ctx
- *                      has not been initialised.
- */
-static inline cipher_mode_t cipher_get_cipher_mode( const cipher_context_t *ctx )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return POLARSSL_MODE_NONE;
-
-    return ctx->cipher_info->mode;
-}
-
-/**
- * \brief               Returns the size of the cipher's IV.
- *
- * \param ctx           cipher's context. Must have been initialised.
- *
- * \return              size of the cipher's IV, or 0 if ctx has not been
- *                      initialised.
- */
-static inline int cipher_get_iv_size( const cipher_context_t *ctx )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return 0;
-
-    return ctx->cipher_info->iv_size;
-}
-
-/**
- * \brief               Returns the type of the given cipher.
- *
- * \param ctx           cipher's context. Must have been initialised.
- *
- * \return              type of the cipher, or POLARSSL_CIPHER_NONE if ctx has
- *                      not been initialised.
- */
-static inline cipher_type_t cipher_get_type( const cipher_context_t *ctx )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return POLARSSL_CIPHER_NONE;
-
-    return ctx->cipher_info->type;
-}
-
-/**
- * \brief               Returns the name of the given cipher, as a string.
- *
- * \param ctx           cipher's context. Must have been initialised.
- *
- * \return              name of the cipher, or NULL if ctx was not initialised.
- */
-static inline const char *cipher_get_name( const cipher_context_t *ctx )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return 0;
-
-    return ctx->cipher_info->name;
-}
-
-/**
- * \brief               Returns the key length of the cipher.
- *
- * \param ctx           cipher's context. Must have been initialised.
- *
- * \return              cipher's key length, in bits, or
- *                      POLARSSL_KEY_LENGTH_NONE if ctx has not been
- *                      initialised.
- */
-static inline int cipher_get_key_size ( const cipher_context_t *ctx )
-{
-    if( NULL == ctx )
-        return POLARSSL_KEY_LENGTH_NONE;
-
-    return ctx->key_length;
-}
-
-/**
- * \brief               Returns the operation of the given cipher.
- *
- * \param ctx           cipher's context. Must have been initialised.
- *
- * \return              operation (POLARSSL_ENCRYPT or POLARSSL_DECRYPT),
- *                      or POLARSSL_OPERATION_NONE if ctx has not been
- *                      initialised.
- */
-static inline operation_t cipher_get_operation( const cipher_context_t *ctx )
-{
-    if( NULL == ctx || NULL == ctx->cipher_info )
-        return POLARSSL_OPERATION_NONE;
-
-    return ctx->operation;
-}
-
-/**
- * \brief               Set the key to use with the given context.
- *
- * \param ctx           generic cipher context. May not be NULL. Must have been
- *                      initialised using cipher_context_from_type or
- *                      cipher_context_from_string.
- * \param key           The key to use.
- * \param key_length    key length to use, in bits.
- * \param operation     Operation that the key will be used for, either
- *                      POLARSSL_ENCRYPT or POLARSSL_DECRYPT.
- *
- * \returns             0 on success, POLARSSL_ERR_CIPHER_BAD_INPUT_DATA if
- *                      parameter verification fails or a cipher specific
- *                      error code.
- */
-int cipher_setkey( cipher_context_t *ctx, const unsigned char *key, int key_length,
-        const operation_t operation );
-
-/**
- * \brief               Reset the given context, setting the IV to iv
- *
- * \param ctx           generic cipher context
- * \param iv            IV to use or NONCE_COUNTER in the case of a CTR-mode cipher
- *
- * \returns             0 on success, POLARSSL_ERR_CIPHER_BAD_INPUT_DATA
- *                      if parameter verification fails.
- */
-int cipher_reset( cipher_context_t *ctx, const unsigned char *iv );
-
-/**
- * \brief               Generic cipher update function. Encrypts/decrypts
- *                      using the given cipher context. Writes as many block
- *                      size'd blocks of data as possible to output. Any data
- *                      that cannot be written immediately will either be added
- *                      to the next block, or flushed when cipher_final is
- *                      called.
- *
- * \param ctx           generic cipher context
- * \param input         buffer holding the input data
- * \param ilen          length of the input data
- * \param output        buffer for the output data. Should be able to hold at
- *                      least ilen + block_size. Cannot be the same buffer as
- *                      input!
- * \param olen          length of the output data, will be filled with the
- *                      actual number of bytes written.
- *
- * \returns             0 on success, POLARSSL_ERR_CIPHER_BAD_INPUT_DATA if
- *                      parameter verification fails,
- *                      POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE on an
- *                      unsupported mode for a cipher or a cipher specific
- *                      error code.
- */
-int cipher_update( cipher_context_t *ctx, const unsigned char *input, size_t ilen,
-        unsigned char *output, size_t *olen );
-
-/**
- * \brief               Generic cipher finalisation function. If data still
- *                      needs to be flushed from an incomplete block, data
- *                      contained within it will be padded with the size of
- *                      the last block, and written to the output buffer.
- *
- * \param ctx           Generic cipher context
- * \param output        buffer to write data to. Needs block_size data available.
- * \param olen          length of the data written to the output buffer.
- *
- * \returns             0 on success, POLARSSL_ERR_CIPHER_BAD_INPUT_DATA if
- *                      parameter verification fails,
- *                      POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption
- *                      expected a full block but was not provided one,
- *                      POLARSSL_ERR_CIPHER_INVALID_PADDING on invalid padding
- *                      while decrypting or a cipher specific error code.
- */
-int cipher_finish( cipher_context_t *ctx, unsigned char *output, size_t *olen);
-
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int cipher_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* POLARSSL_MD_H */
diff --git a/makerom/polarssl/cipher_wrap.h b/makerom/polarssl/cipher_wrap.h
deleted file mode 100644
index 2f18effa..00000000
--- a/makerom/polarssl/cipher_wrap.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/**
- * \file cipher_wrap.h
- * 
- * \brief Cipher wrappers.
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_CIPHER_WRAP_H
-#define POLARSSL_CIPHER_WRAP_H
-
-#include "polarssl/config.h"
-#include "polarssl/cipher.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(POLARSSL_AES_C)
-
-extern const cipher_info_t aes_128_cbc_info;
-extern const cipher_info_t aes_192_cbc_info;
-extern const cipher_info_t aes_256_cbc_info;
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-extern const cipher_info_t aes_128_cfb128_info;
-extern const cipher_info_t aes_192_cfb128_info;
-extern const cipher_info_t aes_256_cfb128_info;
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-extern const cipher_info_t aes_128_ctr_info;
-extern const cipher_info_t aes_192_ctr_info;
-extern const cipher_info_t aes_256_ctr_info;
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-#endif /* defined(POLARSSL_AES_C) */
-
-#if defined(POLARSSL_CAMELLIA_C)
-
-extern const cipher_info_t camellia_128_cbc_info;
-extern const cipher_info_t camellia_192_cbc_info;
-extern const cipher_info_t camellia_256_cbc_info;
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-extern const cipher_info_t camellia_128_cfb128_info;
-extern const cipher_info_t camellia_192_cfb128_info;
-extern const cipher_info_t camellia_256_cfb128_info;
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-extern const cipher_info_t camellia_128_ctr_info;
-extern const cipher_info_t camellia_192_ctr_info;
-extern const cipher_info_t camellia_256_ctr_info;
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-#endif /* defined(POLARSSL_CAMELLIA_C) */
-
-#if defined(POLARSSL_DES_C)
-
-extern const cipher_info_t des_cbc_info;
-extern const cipher_info_t des_ede_cbc_info;
-extern const cipher_info_t des_ede3_cbc_info;
-
-#endif /* defined(POLARSSL_DES_C) */
-
-#if defined(POLARSSL_BLOWFISH_C)
-extern const cipher_info_t blowfish_cbc_info;
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-extern const cipher_info_t blowfish_cfb64_info;
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-extern const cipher_info_t blowfish_ctr_info;
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-#endif /* defined(POLARSSL_BLOWFISH_C) */
-
-#if defined(POLARSSL_CIPHER_NULL_CIPHER)
-extern const cipher_info_t null_cipher_info;
-#endif /* defined(POLARSSL_CIPHER_NULL_CIPHER) */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* POLARSSL_CIPHER_WRAP_H */
diff --git a/makerom/polarssl/config.h b/makerom/polarssl/config.h
index bd1a4663..2c43ff4d 100644
--- a/makerom/polarssl/config.h
+++ b/makerom/polarssl/config.h
@@ -83,7 +83,7 @@
  *      include/polarssl/bn_mul.h
  *
  */
-#define POLARSSL_HAVE_ASM
+//#define POLARSSL_HAVE_ASM
 
 /**
  * \def POLARSSL_HAVE_SSE2
@@ -148,7 +148,7 @@
  *
  * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
  */
-#define POLARSSL_CIPHER_MODE_CFB
+//#define POLARSSL_CIPHER_MODE_CFB
 
 /**
  * \def POLARSSL_CIPHER_MODE_CTR
@@ -198,7 +198,7 @@
  * Disable if you run into name conflicts and want to really remove the
  * error_strerror()
  */
-#define POLARSSL_ERROR_STRERROR_DUMMY
+//#define POLARSSL_ERROR_STRERROR_DUMMY
 
 /**
  * \def POLARSSL_GENPRIME
@@ -207,14 +207,14 @@
  *
  * Enable the RSA prime-number generation code.
  */
-#define POLARSSL_GENPRIME
+//#define POLARSSL_GENPRIME
 
 /**
  * \def POLARSSL_FS_IO
  *
  * Enable functions that use the filesystem.
  */
-#define POLARSSL_FS_IO
+//#define POLARSSL_FS_IO
 
 /**
  * \def POLARSSL_NO_DEFAULT_ENTROPY_SOURCES
@@ -248,7 +248,7 @@
  * Enable support for PKCS#1 v2.1 encoding.
  * This enables support for RSAES-OAEP and RSASSA-PSS operations.
  */
-#define POLARSSL_PKCS1_V21
+//#define POLARSSL_PKCS1_V21
 
 /**
  * \def POLARSSL_RSA_NO_CRT
@@ -257,15 +257,16 @@
  *
  * Uncomment this macro to disable the use of CRT in RSA.
  *
-#define POLARSSL_RSA_NO_CRT
  */
+#define POLARSSL_RSA_NO_CRT
+
 
 /**
  * \def POLARSSL_SELF_TEST
  *
  * Enable the checkup functions (*_self_test).
  */
-#define POLARSSL_SELF_TEST
+//#define POLARSSL_SELF_TEST
 
 /**
  * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
@@ -279,7 +280,7 @@
  *
  * Enable sending of all alert messages
  */
-#define POLARSSL_SSL_ALERT_MESSAGES
+//#define POLARSSL_SSL_ALERT_MESSAGES
 
 /**
  * \def POLARSSL_SSL_DEBUG_ALL
@@ -315,7 +316,7 @@
  *
  * Comment this macro to disable support for SSLv2 Client Hello messages.
  */
-#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+//#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
 
 /**
  * \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
@@ -391,7 +392,7 @@
  *      TLS_RSA_WITH_RC4_128_MD5
  *      TLS_RSA_WITH_RC4_128_SHA
  */
-#define POLARSSL_ARC4_C
+//#define POLARSSL_ARC4_C
 
 /**
  * \def POLARSSL_ASN1_PARSE_C
@@ -401,7 +402,7 @@
  * Module:  library/asn1.c
  * Caller:  library/x509parse.c
  */
-#define POLARSSL_ASN1_PARSE_C
+//#define POLARSSL_ASN1_PARSE_C
 
 /**
  * \def POLARSSL_ASN1_WRITE_C
@@ -410,7 +411,7 @@
  *
  * Module:  library/asn1write.c
  */
-#define POLARSSL_ASN1_WRITE_C
+//#define POLARSSL_ASN1_WRITE_C
 
 /**
  * \def POLARSSL_BASE64_C
@@ -446,7 +447,7 @@
  *
  * Module:  library/blowfish.c
  */
-#define POLARSSL_BLOWFISH_C
+//#define POLARSSL_BLOWFISH_C
 
 /**
  * \def POLARSSL_CAMELLIA_C
@@ -467,7 +468,7 @@
  *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
  */
-#define POLARSSL_CAMELLIA_C
+//#define POLARSSL_CAMELLIA_C
 
 /**
  * \def POLARSSL_CERTS_C
@@ -479,7 +480,7 @@
  *
  * This module is used for testing (ssl_client/server).
  */
-#define POLARSSL_CERTS_C
+//#define POLARSSL_CERTS_C
 
 /**
  * \def POLARSSL_CIPHER_C
@@ -491,7 +492,7 @@
  *
  * Uncomment to enable generic cipher wrappers.
  */
-#define POLARSSL_CIPHER_C
+//#define POLARSSL_CIPHER_C
 
 /**
  * \def POLARSSL_CTR_DRBG_C
@@ -505,7 +506,7 @@
  *
  * This module provides the CTR_DRBG AES-256 random number generator.
  */
-#define POLARSSL_CTR_DRBG_C
+//#define POLARSSL_CTR_DRBG_C
 
 /**
  * \def POLARSSL_DEBUG_C
@@ -519,7 +520,7 @@
  *
  * This module provides debugging functions.
  */
-#define POLARSSL_DEBUG_C
+//#define POLARSSL_DEBUG_C
 
 /**
  * \def POLARSSL_DES_C
@@ -537,7 +538,7 @@
  *
  * PEM uses DES/3DES for decrypting encrypted keys.
  */
-#define POLARSSL_DES_C
+//#define POLARSSL_DES_C
 
 /**
  * \def POLARSSL_DHM_C
@@ -563,7 +564,7 @@
  *      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  *      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  */
-#define POLARSSL_DHM_C
+//#define POLARSSL_DHM_C
 
 /**
  * \def POLARSSL_ENTROPY_C
@@ -577,7 +578,7 @@
  *
  * This module provides a generic entropy pool
  */
-#define POLARSSL_ENTROPY_C
+//#define POLARSSL_ENTROPY_C
 
 /**
  * \def POLARSSL_ERROR_C
@@ -589,7 +590,7 @@
  *
  * This module enables err_strerror().
  */
-#define POLARSSL_ERROR_C
+//#define POLARSSL_ERROR_C
 
 /**
  * \def POLARSSL_GCM_C
@@ -605,7 +606,7 @@
  *      TLS_RSA_WITH_AES_128_GCM_SHA256
  *      TLS_RSA_WITH_AES_256_GCM_SHA384
  */
-#define POLARSSL_GCM_C
+//#define POLARSSL_GCM_C
 
 /**
  * \def POLARSSL_HAVEGE_C
@@ -640,7 +641,7 @@
  *
  * Uncomment to enable generic message digest wrappers.
  */
-#define POLARSSL_MD_C
+//#define POLARSSL_MD_C
 
 /**
  * \def POLARSSL_MD2_C
@@ -681,7 +682,7 @@
  * This module is required for SSL/TLS and X.509.
  * PEM uses MD5 for decrypting encrypted keys.
  */
-#define POLARSSL_MD5_C
+//#define POLARSSL_MD5_C
 
 /**
  * \def POLARSSL_NET_C
@@ -693,7 +694,7 @@
  *
  * This module provides TCP/IP networking routines.
  */
-#define POLARSSL_NET_C
+//#define POLARSSL_NET_C
 
 /**
  * \def POLARSSL_PADLOCK_C
@@ -705,7 +706,7 @@
  *
  * This modules adds support for the VIA PadLock on x86.
  */
-#define POLARSSL_PADLOCK_C
+//#define POLARSSL_PADLOCK_C
 
 /**
  * \def POLARSSL_PBKDF2_C
@@ -733,7 +734,7 @@
  *
  * This modules adds support for decoding PEM files.
  */
-#define POLARSSL_PEM_C
+//#define POLARSSL_PEM_C
 
 /**
  * \def POLARSSL_PKCS5_C
@@ -746,7 +747,7 @@
  *
  * This module adds support for the PKCS#5 functions.
  */
-#define POLARSSL_PKCS5_C
+//#define POLARSSL_PKCS5_C
 
 /**
  * \def POLARSSL_PKCS11_C
@@ -778,7 +779,7 @@
  *
  * This module enables PKCS#12 functions.
  */
-#define POLARSSL_PKCS12_C
+//#define POLARSSL_PKCS12_C
 
 /**
  * \def POLARSSL_RSA_C
@@ -837,7 +838,7 @@
  *
  * This module adds support for SHA-384 and SHA-512.
  */
-#define POLARSSL_SHA4_C
+//#define POLARSSL_SHA4_C
 
 /**
  * \def POLARSSL_SSL_CACHE_C
@@ -849,7 +850,7 @@
  *
  * Requires: POLARSSL_SSL_CACHE_C
  */
-#define POLARSSL_SSL_CACHE_C
+//#define POLARSSL_SSL_CACHE_C
 
 /**
  * \def POLARSSL_SSL_CLI_C
@@ -863,7 +864,7 @@
  *
  * This module is required for SSL/TLS client support.
  */
-#define POLARSSL_SSL_CLI_C
+//#define POLARSSL_SSL_CLI_C
 
 /**
  * \def POLARSSL_SSL_SRV_C
@@ -877,7 +878,7 @@
  *
  * This module is required for SSL/TLS server support.
  */
-#define POLARSSL_SSL_SRV_C
+//#define POLARSSL_SSL_SRV_C
 
 /**
  * \def POLARSSL_SSL_TLS_C
@@ -892,7 +893,7 @@
  *
  * This module is required for SSL/TLS.
  */
-#define POLARSSL_SSL_TLS_C
+//#define POLARSSL_SSL_TLS_C
 
 /**
  * \def POLARSSL_TIMING_C
@@ -904,7 +905,7 @@
  *
  * This module is used by the HAVEGE random number generator.
  */
-#define POLARSSL_TIMING_C
+//#define POLARSSL_TIMING_C
 
 /**
  * \def POLARSSL_VERSION_C
@@ -915,7 +916,7 @@
  *
  * This module provides run-time version information.
  */
-#define POLARSSL_VERSION_C
+//#define POLARSSL_VERSION_C
 
 /**
  * \def POLARSSL_X509_PARSE_C
@@ -931,7 +932,7 @@
  *
  * This module is required for X.509 certificate parsing.
  */
-#define POLARSSL_X509_PARSE_C
+//#define POLARSSL_X509_PARSE_C
 
 /**
  * \def POLARSSL_X509_WRITE_C
@@ -944,7 +945,7 @@
  *
  * This module is required for X.509 certificate request writing.
  */
-#define POLARSSL_X509_WRITE_C
+//#define POLARSSL_X509_WRITE_C
 
 /**
  * \def POLARSSL_XTEA_C
@@ -954,7 +955,7 @@
  * Module:  library/xtea.c
  * Caller:
  */
-#define POLARSSL_XTEA_C
+//#define POLARSSL_XTEA_C
 /* \} name */
 
 /**
diff --git a/makerom/polarssl/ctr_drbg.h b/makerom/polarssl/ctr_drbg.h
deleted file mode 100644
index c75feda8..00000000
--- a/makerom/polarssl/ctr_drbg.h
+++ /dev/null
@@ -1,231 +0,0 @@
-/**
- * \file ctr_drbg.h
- *
- * \brief CTR_DRBG based on AES-256 (NIST SP 800-90)
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_CTR_DRBG_H
-#define POLARSSL_CTR_DRBG_H
-
-#include <string.h>
-
-#include "polarssl/aes.h"
-
-#define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED        -0x0034  /**< The entropy source failed. */
-#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG              -0x0036  /**< Too many random requested in single call. */
-#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG                -0x0038  /**< Input too large (Entropy + additional). */
-#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read/write error in file. */
-
-#define CTR_DRBG_BLOCKSIZE          16      /**< Block size used by the cipher                  */
-#define CTR_DRBG_KEYSIZE            32      /**< Key size used by the cipher                    */
-#define CTR_DRBG_KEYBITS            ( CTR_DRBG_KEYSIZE * 8 )
-#define CTR_DRBG_SEEDLEN            ( CTR_DRBG_KEYSIZE + CTR_DRBG_BLOCKSIZE )
-                                            /**< The seed length (counter + AES key)            */
-
-#if !defined(POLARSSL_CONFIG_OPTIONS)
-#define CTR_DRBG_ENTROPY_LEN        48      /**< Amount of entropy used per seed by default */
-#define CTR_DRBG_RESEED_INTERVAL    10000   /**< Interval before reseed is performed by default */
-#define CTR_DRBG_MAX_INPUT          256     /**< Maximum number of additional input bytes */
-#define CTR_DRBG_MAX_REQUEST        1024    /**< Maximum number of requested bytes per call */
-#define CTR_DRBG_MAX_SEED_INPUT     384     /**< Maximum size of (re)seed buffer */
-#endif /* !POLARSSL_CONFIG_OPTIONS */
-
-#define CTR_DRBG_PR_OFF             0       /**< No prediction resistance       */
-#define CTR_DRBG_PR_ON              1       /**< Prediction resistance enabled  */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          CTR_DRBG context structure
- */
-typedef struct
-{
-    unsigned char counter[16];  /*!<  counter (V)       */
-    int reseed_counter;         /*!<  reseed counter    */
-    int prediction_resistance;  /*!<  enable prediction resistance (Automatic
-                                      reseed before every random generation)        */
-    size_t entropy_len;         /*!<  amount of entropy grabbed on each (re)seed    */
-    int reseed_interval;        /*!<  reseed interval   */
-
-    aes_context aes_ctx;        /*!<  AES context       */
-
-    /*
-     * Callbacks (Entropy)
-     */
-    int (*f_entropy)(void *, unsigned char *, size_t);
-
-    void *p_entropy;            /*!<  context for the entropy function */
-}
-ctr_drbg_context;
-
-/**
- * \brief               CTR_DRBG initialization
- * 
- * Note: Personalization data can be provided in addition to the more generic
- *       entropy source to make this instantiation as unique as possible.
- *
- * \param ctx           CTR_DRBG context to be initialized
- * \param f_entropy     Entropy callback (p_entropy, buffer to fill, buffer
- *                      length)
- * \param p_entropy     Entropy context
- * \param custom        Personalization data (Device specific identifiers)
- *                      (Can be NULL)
- * \param len           Length of personalization data
- *
- * \return              0 if successful, or
- *                      POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
- */
-int ctr_drbg_init( ctr_drbg_context *ctx,
-                   int (*f_entropy)(void *, unsigned char *, size_t),
-                   void *p_entropy,
-                   const unsigned char *custom,
-                   size_t len );
-
-/**
- * \brief               Enable / disable prediction resistance (Default: Off)
- *
- * Note: If enabled, entropy is used for ctx->entropy_len before each call!
- *       Only use this if you have ample supply of good entropy!
- *
- * \param ctx           CTR_DRBG context
- * \param resistance    CTR_DRBG_PR_ON or CTR_DRBG_PR_OFF
- */
-void ctr_drbg_set_prediction_resistance( ctr_drbg_context *ctx,
-                                         int resistance );
-
-/**
- * \brief               Set the amount of entropy grabbed on each (re)seed
- *                      (Default: CTR_DRBG_ENTROPY_LEN)
- *
- * \param ctx           CTR_DRBG context
- * \param len           Amount of entropy to grab
- */
-void ctr_drbg_set_entropy_len( ctr_drbg_context *ctx,
-                               size_t len );
-
-/**
- * \brief               Set the reseed interval
- *                      (Default: CTR_DRBG_RESEED_INTERVAL)
- *
- * \param ctx           CTR_DRBG context
- * \param interval      Reseed interval
- */
-void ctr_drbg_set_reseed_interval( ctr_drbg_context *ctx,
-                                   int interval );
-
-/**
- * \brief               CTR_DRBG reseeding (extracts data from entropy source)
- * 
- * \param ctx           CTR_DRBG context
- * \param additional    Additional data to add to state (Can be NULL)
- * \param len           Length of additional data
- *
- * \return              0 if successful, or
- *                      POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
- */
-int ctr_drbg_reseed( ctr_drbg_context *ctx,
-                     const unsigned char *additional, size_t len );
-
-/**
- * \brief               CTR_DRBG update state
- *
- * \param ctx           CTR_DRBG context
- * \param additional    Additional data to update state with
- * \param add_len       Length of additional data
- */
-void ctr_drbg_update( ctr_drbg_context *ctx,
-                      const unsigned char *additional, size_t add_len );
-
-/**
- * \brief               CTR_DRBG generate random with additional update input
- *
- * Note: Automatically reseeds if reseed_counter is reached.
- *
- * \param p_rng         CTR_DRBG context
- * \param output        Buffer to fill
- * \param output_len    Length of the buffer
- * \param additional    Additional data to update with (Can be NULL)
- * \param add_len       Length of additional data
- *
- * \return              0 if successful, or
- *                      POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED, or
- *                      POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG
- */
-int ctr_drbg_random_with_add( void *p_rng,
-                              unsigned char *output, size_t output_len,
-                              const unsigned char *additional, size_t add_len );
-
-/**
- * \brief               CTR_DRBG generate random
- *
- * Note: Automatically reseeds if reseed_counter is reached.
- *
- * \param p_rng         CTR_DRBG context
- * \param output        Buffer to fill
- * \param output_len    Length of the buffer
- *
- * \return              0 if successful, or
- *                      POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED, or
- *                      POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG
- */
-int ctr_drbg_random( void *p_rng,
-                     unsigned char *output, size_t output_len );
-
-#if defined(POLARSSL_FS_IO)
-/**
- * \brief               Write a seed file
- *
- * \param path          Name of the file
- *
- * \return              0 if successful, 1 on file error, or
- *                      POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
- */
-int ctr_drbg_write_seed_file( ctr_drbg_context *ctx, const char *path );
-
-/**
- * \brief               Read and update a seed file. Seed is added to this
- *                      instance
- *
- * \param path          Name of the file
- *
- * \return              0 if successful, 1 on file error,
- *                      POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
- *                      POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG
- */
-int ctr_drbg_update_seed_file( ctr_drbg_context *ctx, const char *path );
-#endif
-
-/**
- * \brief               Checkup routine
- *
- * \return              0 if successful, or 1 if the test failed
- */
-int ctr_drbg_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ctr_drbg.h */
diff --git a/makerom/polarssl/debug.h b/makerom/polarssl/debug.h
deleted file mode 100644
index d85b6d3b..00000000
--- a/makerom/polarssl/debug.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * \file debug.h
- *
- * \brief Debug functions
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_DEBUG_H
-#define POLARSSL_DEBUG_H
-
-#include "polarssl/config.h"
-#include "polarssl/ssl.h"
-
-#if defined(POLARSSL_DEBUG_C)
-
-#define SSL_DEBUG_MSG( level, args )                    \
-    debug_print_msg( ssl, level, __FILE__, __LINE__, debug_fmt args );
-
-#define SSL_DEBUG_RET( level, text, ret )                \
-    debug_print_ret( ssl, level, __FILE__, __LINE__, text, ret );
-
-#define SSL_DEBUG_BUF( level, text, buf, len )           \
-    debug_print_buf( ssl, level, __FILE__, __LINE__, text, buf, len );
-
-#define SSL_DEBUG_MPI( level, text, X )                  \
-    debug_print_mpi( ssl, level, __FILE__, __LINE__, text, X );
-
-#define SSL_DEBUG_CRT( level, text, crt )                \
-    debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt );
-
-#else
-
-#define SSL_DEBUG_MSG( level, args )            do { } while( 0 )
-#define SSL_DEBUG_RET( level, text, ret )       do { } while( 0 )
-#define SSL_DEBUG_BUF( level, text, buf, len )  do { } while( 0 )
-#define SSL_DEBUG_MPI( level, text, X )         do { } while( 0 )
-#define SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
-
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-char *debug_fmt( const char *format, ... );
-
-void debug_print_msg( const ssl_context *ssl, int level,
-                      const char *file, int line, const char *text );
-
-void debug_print_ret( const ssl_context *ssl, int level,
-                      const char *file, int line,
-                      const char *text, int ret );
-
-void debug_print_buf( const ssl_context *ssl, int level,
-                      const char *file, int line, const char *text,
-                      unsigned char *buf, size_t len );
-
-void debug_print_mpi( const ssl_context *ssl, int level,
-                      const char *file, int line,
-                      const char *text, const mpi *X );
-
-void debug_print_crt( const ssl_context *ssl, int level,
-                      const char *file, int line,
-                      const char *text, const x509_cert *crt );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* debug.h */
diff --git a/makerom/polarssl/des.h b/makerom/polarssl/des.h
deleted file mode 100644
index 443cd3fe..00000000
--- a/makerom/polarssl/des.h
+++ /dev/null
@@ -1,252 +0,0 @@
-/**
- * \file des.h
- *
- * \brief DES block cipher
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_DES_H
-#define POLARSSL_DES_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define DES_ENCRYPT     1
-#define DES_DECRYPT     0
-
-#define POLARSSL_ERR_DES_INVALID_INPUT_LENGTH              -0x0032  /**< The data input has an invalid length. */
-
-#define DES_KEY_SIZE    8
-
-#if !defined(POLARSSL_DES_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          DES context structure
- */
-typedef struct
-{
-    int mode;                   /*!<  encrypt/decrypt   */
-    uint32_t sk[32];            /*!<  DES subkeys       */
-}
-des_context;
-
-/**
- * \brief          Triple-DES context structure
- */
-typedef struct
-{
-    int mode;                   /*!<  encrypt/decrypt   */
-    uint32_t sk[96];            /*!<  3DES subkeys      */
-}
-des3_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Set key parity on the given key to odd.
- *
- *                 DES keys are 56 bits long, but each byte is padded with
- *                 a parity bit to allow verification.
- *
- * \param key      8-byte secret key
- */
-void des_key_set_parity( unsigned char key[DES_KEY_SIZE] );
-
-/**
- * \brief          Check that key parity on the given key is odd.
- *
- *                 DES keys are 56 bits long, but each byte is padded with
- *                 a parity bit to allow verification.
- *
- * \param key      8-byte secret key
- *
- * \return         0 is parity was ok, 1 if parity was not correct.
- */
-int des_key_check_key_parity( const unsigned char key[DES_KEY_SIZE] );
-
-/**
- * \brief          Check that key is not a weak or semi-weak DES key
- *
- * \param key      8-byte secret key
- *
- * \return         0 if no weak key was found, 1 if a weak key was identified.
- */
-int des_key_check_weak( const unsigned char key[DES_KEY_SIZE] );
-
-/**
- * \brief          DES key schedule (56-bit, encryption)
- *
- * \param ctx      DES context to be initialized
- * \param key      8-byte secret key
- *
- * \return         0
- */
-int des_setkey_enc( des_context *ctx, const unsigned char key[DES_KEY_SIZE] );
-
-/**
- * \brief          DES key schedule (56-bit, decryption)
- *
- * \param ctx      DES context to be initialized
- * \param key      8-byte secret key
- *
- * \return         0
- */
-int des_setkey_dec( des_context *ctx, const unsigned char key[DES_KEY_SIZE] );
-
-/**
- * \brief          Triple-DES key schedule (112-bit, encryption)
- *
- * \param ctx      3DES context to be initialized
- * \param key      16-byte secret key
- *
- * \return         0
- */
-int des3_set2key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] );
-
-/**
- * \brief          Triple-DES key schedule (112-bit, decryption)
- *
- * \param ctx      3DES context to be initialized
- * \param key      16-byte secret key
- *
- * \return         0
- */
-int des3_set2key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] );
-
-/**
- * \brief          Triple-DES key schedule (168-bit, encryption)
- *
- * \param ctx      3DES context to be initialized
- * \param key      24-byte secret key
- *
- * \return         0
- */
-int des3_set3key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] );
-
-/**
- * \brief          Triple-DES key schedule (168-bit, decryption)
- *
- * \param ctx      3DES context to be initialized
- * \param key      24-byte secret key
- *
- * \return         0
- */
-int des3_set3key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] );
-
-/**
- * \brief          DES-ECB block encryption/decryption
- *
- * \param ctx      DES context
- * \param input    64-bit input block
- * \param output   64-bit output block
- *
- * \return         0 if successful
- */
-int des_crypt_ecb( des_context *ctx,
-                    const unsigned char input[8],
-                    unsigned char output[8] );
-
-/**
- * \brief          DES-CBC buffer encryption/decryption
- *
- * \param ctx      DES context
- * \param mode     DES_ENCRYPT or DES_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- */
-int des_crypt_cbc( des_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[8],
-                    const unsigned char *input,
-                    unsigned char *output );
-
-/**
- * \brief          3DES-ECB block encryption/decryption
- *
- * \param ctx      3DES context
- * \param input    64-bit input block
- * \param output   64-bit output block
- *
- * \return         0 if successful
- */
-int des3_crypt_ecb( des3_context *ctx,
-                     const unsigned char input[8],
-                     unsigned char output[8] );
-
-/**
- * \brief          3DES-CBC buffer encryption/decryption
- *
- * \param ctx      3DES context
- * \param mode     DES_ENCRYPT or DES_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if successful, or POLARSSL_ERR_DES_INVALID_INPUT_LENGTH
- */
-int des3_crypt_cbc( des3_context *ctx,
-                     int mode,
-                     size_t length,
-                     unsigned char iv[8],
-                     const unsigned char *input,
-                     unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_DES_ALT */
-#include "polarssl/des_alt.h"
-#endif /* POLARSSL_DES_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int des_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* des.h */
diff --git a/makerom/polarssl/dhm.h b/makerom/polarssl/dhm.h
deleted file mode 100644
index a1643ca7..00000000
--- a/makerom/polarssl/dhm.h
+++ /dev/null
@@ -1,244 +0,0 @@
-/**
- * \file dhm.h
- *
- * \brief Diffie-Hellman-Merkle key exchange
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_DHM_H
-#define POLARSSL_DHM_H
-
-#include "polarssl/bignum.h"
-
-/*
- * DHM Error codes
- */
-#define POLARSSL_ERR_DHM_BAD_INPUT_DATA                    -0x3080  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED                -0x3100  /**< Reading of the DHM parameters failed. */
-#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED                -0x3180  /**< Making of the DHM parameters failed. */
-#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED                -0x3200  /**< Reading of the public values failed. */
-#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED                -0x3280  /**< Making of the public value failed. */
-#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED                -0x3300  /**< Calculation of the DHM secret failed. */
-
-/**
- * RFC 3526 defines a number of standardized Diffie-Hellman groups
- * for IKE.
- * RFC 5114 defines a number of standardized Diffie-Hellman groups
- * that can be used.
- *
- * Some are included here for convenience.
- *
- * Included are:
- *  RFC 3526 3.    2048-bit MODP Group
- *  RFC 3526 4.    3072-bit MODP Group
- *  RFC 5114 2.1.  1024-bit MODP Group with 160-bit Prime Order Subgroup
- *  RFC 5114 2.2.  2048-bit MODP Group with 224-bit Prime Order Subgroup
- */
-#define POLARSSL_DHM_RFC3526_MODP_2048_P               \
-    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
-    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
-    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
-    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
-    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
-    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
-    "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
-    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
-    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
-    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
-    "15728E5A8AACAA68FFFFFFFFFFFFFFFF"
-
-#define POLARSSL_DHM_RFC3526_MODP_2048_G          "02"
-
-#define POLARSSL_DHM_RFC3526_MODP_3072_P               \
-    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
-    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
-    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
-    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
-    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
-    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
-    "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
-    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
-    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
-    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
-    "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \
-    "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \
-    "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \
-    "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \
-    "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \
-    "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
-
-#define POLARSSL_DHM_RFC3526_MODP_3072_G          "02"
-
-#define POLARSSL_DHM_RFC5114_MODP_1024_P               \
-    "B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C6" \
-    "9A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C0" \
-    "13ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD70" \
-    "98488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0" \
-    "A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708" \
-    "DF1FB2BC2E4A4371"
-
-#define POLARSSL_DHM_RFC5114_MODP_1024_G               \
-    "A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507F" \
-    "D6406CFF14266D31266FEA1E5C41564B777E690F5504F213" \
-    "160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1" \
-    "909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28A" \
-    "D662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24" \
-    "855E6EEB22B3B2E5"
-
-#define POLARSSL_DHM_RFC5114_MODP_2048_P               \
-    "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \
-    "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \
-    "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" \
-    "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" \
-    "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" \
-    "B3BF8A317091883681286130BC8985DB1602E714415D9330" \
-    "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" \
-    "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" \
-    "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" \
-    "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \
-    "CF9DE5384E71B81C0AC4DFFE0C10E64F"
-
-#define POLARSSL_DHM_RFC5114_MODP_2048_G              \
-    "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"\
-    "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"\
-    "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"\
-    "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"\
-    "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"\
-    "F180EB34118E98D119529A45D6F834566E3025E316A330EF"\
-    "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"\
-    "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"\
-    "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"\
-    "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"\
-    "81BC087F2A7065B384B890D3191F2BFA"
-
-/**
- * \brief          DHM context structure
- */
-typedef struct
-{
-    size_t len; /*!<  size(P) in chars  */
-    mpi P;      /*!<  prime modulus     */
-    mpi G;      /*!<  generator         */
-    mpi X;      /*!<  secret value      */
-    mpi GX;     /*!<  self = G^X mod P  */
-    mpi GY;     /*!<  peer = G^Y mod P  */
-    mpi K;      /*!<  key = GY^X mod P  */
-    mpi RP;     /*!<  cached R^2 mod P  */
-}
-dhm_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Parse the ServerKeyExchange parameters
- *
- * \param ctx      DHM context
- * \param p        &(start of input buffer)
- * \param end      end of buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_DHM_XXX error code
- */
-int dhm_read_params( dhm_context *ctx,
-                     unsigned char **p,
-                     const unsigned char *end );
-
-/**
- * \brief          Setup and write the ServerKeyExchange parameters
- *
- * \param ctx      DHM context
- * \param x_size   private value size in bytes
- * \param output   destination buffer
- * \param olen     number of chars written
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \note           This function assumes that ctx->P and ctx->G
- *                 have already been properly set (for example
- *                 using mpi_read_string or mpi_read_binary).
- *
- * \return         0 if successful, or an POLARSSL_ERR_DHM_XXX error code
- */
-int dhm_make_params( dhm_context *ctx, int x_size,
-                     unsigned char *output, size_t *olen,
-                     int (*f_rng)(void *, unsigned char *, size_t),
-                     void *p_rng );
-
-/**
- * \brief          Import the peer's public value G^Y
- *
- * \param ctx      DHM context
- * \param input    input buffer
- * \param ilen     size of buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_DHM_XXX error code
- */
-int dhm_read_public( dhm_context *ctx,
-                     const unsigned char *input, size_t ilen );
-
-/**
- * \brief          Create own private value X and export G^X
- *
- * \param ctx      DHM context
- * \param x_size   private value size in bytes
- * \param output   destination buffer
- * \param olen     must be equal to ctx->P.len
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \return         0 if successful, or an POLARSSL_ERR_DHM_XXX error code
- */
-int dhm_make_public( dhm_context *ctx, int x_size,
-                     unsigned char *output, size_t olen,
-                     int (*f_rng)(void *, unsigned char *, size_t),
-                     void *p_rng );
-
-/**
- * \brief          Derive and export the shared secret (G^Y)^X mod P
- *
- * \param ctx      DHM context
- * \param output   destination buffer
- * \param olen     number of chars written
- *
- * \return         0 if successful, or an POLARSSL_ERR_DHM_XXX error code
- */
-int dhm_calc_secret( dhm_context *ctx,
-                     unsigned char *output, size_t *olen );
-
-/**
- * \brief          Free the components of a DHM key
- */
-void dhm_free( dhm_context *ctx );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int dhm_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/makerom/polarssl/entropy.h b/makerom/polarssl/entropy.h
deleted file mode 100644
index 5b6b3806..00000000
--- a/makerom/polarssl/entropy.h
+++ /dev/null
@@ -1,153 +0,0 @@
-/**
- * \file entropy.h
- *
- * \brief Entropy accumulator implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_ENTROPY_H
-#define POLARSSL_ENTROPY_H
-
-#include <string.h>
-
-#include "polarssl/config.h"
-
-#include "polarssl/sha4.h"
-#if defined(POLARSSL_HAVEGE_C)
-#include "polarssl/havege.h"
-#endif
-
-#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED                 -0x003C  /**< Critical entropy source failure. */
-#define POLARSSL_ERR_ENTROPY_MAX_SOURCES                   -0x003E  /**< No more sources can be added. */
-#define POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED            -0x0040  /**< No sources have been added to poll. */
-
-#if !defined(POLARSSL_CONFIG_OPTIONS)
-#define ENTROPY_MAX_SOURCES     20      /**< Maximum number of sources supported */
-#define ENTROPY_MAX_GATHER      128     /**< Maximum amount requested from entropy sources */
-#endif /* !POLARSSL_CONFIG_OPTIONS  */
-
-#define ENTROPY_BLOCK_SIZE      64      /**< Block size of entropy accumulator (SHA-512) */
-
-#define ENTROPY_SOURCE_MANUAL   ENTROPY_MAX_SOURCES
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief           Entropy poll callback pointer
- *
- * \param data      Callback-specific data pointer
- * \param output    Data to fill
- * \param len       Maximum size to provide
- * \param olen      The actual amount of bytes put into the buffer (Can be 0)
- *
- * \return          0 if no critical failures occurred,
- *                  POLARSSL_ERR_ENTROPY_SOURCE_FAILED otherwise
- */
-typedef int (*f_source_ptr)(void *, unsigned char *, size_t, size_t *);
-
-/**
- * \brief           Entropy source state
- */
-typedef struct
-{
-    f_source_ptr    f_source;   /**< The entropy source callback */
-    void *          p_source;   /**< The callback data pointer */
-    size_t          size;       /**< Amount received */
-    size_t          threshold;  /**< Minimum level required before release */
-}
-source_state;
-
-/**
- * \brief           Entropy context structure
- */
-typedef struct 
-{
-    sha4_context    accumulator;
-    int             source_count;
-    source_state    source[ENTROPY_MAX_SOURCES];
-#if defined(POLARSSL_HAVEGE_C)
-    havege_state    havege_data;
-#endif
-}
-entropy_context;
-
-/**
- * \brief           Initialize the context
- *
- * \param ctx       Entropy context to initialize
- */
-void entropy_init( entropy_context *ctx );
-
-/**
- * \brief           Adds an entropy source to poll
- *
- * \param ctx       Entropy context
- * \param f_source  Entropy function
- * \param p_source  Function data
- * \param threshold Minimum required from source before entropy is released
- *                  ( with entropy_func() )
- *
- * \return          0 if successful or POLARSSL_ERR_ENTROPY_MAX_SOURCES
- */
-int entropy_add_source( entropy_context *ctx,
-                        f_source_ptr f_source, void *p_source,
-                        size_t threshold );
-
-/**
- * \brief           Trigger an extra gather poll for the accumulator
- *
- * \param ctx       Entropy context
- *
- * \return          0 if successful, or POLARSSL_ERR_ENTROPY_SOURCE_FAILED
- */
-int entropy_gather( entropy_context *ctx );
-
-/**
- * \brief           Retrieve entropy from the accumulator (Max ENTROPY_BLOCK_SIZE)
- *
- * \param data      Entropy context
- * \param output    Buffer to fill
- * \param len       Length of buffer
- *
- * \return          0 if successful, or POLARSSL_ERR_ENTROPY_SOURCE_FAILED
- */
-int entropy_func( void *data, unsigned char *output, size_t len );
-
-/**
- * \brief           Add data to the accumulator manually
- * 
- * \param ctx       Entropy context
- * \param data      Data to add
- * \param len       Length of data
- *
- * \return          0 if successful
- */
-int entropy_update_manual( entropy_context *ctx,
-                           const unsigned char *data, size_t len );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* entropy.h */
diff --git a/makerom/polarssl/entropy_poll.h b/makerom/polarssl/entropy_poll.h
deleted file mode 100644
index 4d09e74c..00000000
--- a/makerom/polarssl/entropy_poll.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * \file entropy_poll.h
- *
- * \brief Platform-specific and custom entropy polling functions
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_ENTROPY_POLL_H
-#define POLARSSL_ENTROPY_POLL_H
-
-#include <string.h>
-
-#include "polarssl/config.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * Default thresholds for built-in sources
- */
-#define ENTROPY_MIN_PLATFORM    128     /**< Minimum for platform source    */
-#define ENTROPY_MIN_HAVEGE      128     /**< Minimum for HAVEGE             */
-#define ENTROPY_MIN_HARDCLOCK    32     /**< Minimum for hardclock()        */
-
-#if !defined(POLARSSL_NO_PLATFORM_ENTROPY)
-/**
- * \brief           Platform-specific entropy poll callback
- */
-int platform_entropy_poll( void *data,
-                           unsigned char *output, size_t len, size_t *olen );
-#endif
-
-#if defined(POLARSSL_HAVEGE_C)
-/**
- * \brief           HAVEGE based entropy poll callback
- *
- * Requires an HAVEGE state as its data pointer.
- */
-int havege_poll( void *data,
-                 unsigned char *output, size_t len, size_t *olen );
-#endif
-
-#if defined(POLARSSL_TIMING_C)
-/**
- * \brief           hardclock-based entropy poll callback
- */
-int hardclock_poll( void *data,
-                    unsigned char *output, size_t len, size_t *olen );
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* entropy_poll.h */
diff --git a/makerom/polarssl/error.h b/makerom/polarssl/error.h
deleted file mode 100644
index 94c73a8f..00000000
--- a/makerom/polarssl/error.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * \file error.h
- *
- * \brief Error to string translation
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_ERROR_H
-#define POLARSSL_ERROR_H
-
-#include <string.h>
-
-/**
- * Error code layout.
- *
- * Currently we try to keep all error codes within the negative space of 16
- * bytes signed integers to support all platforms (-0x0000 - -0x8000). In
- * addition we'd like to give two layers of information on the error if
- * possible.
- *
- * For that purpose the error codes are segmented in the following manner:
- *
- * 16 bit error code bit-segmentation
- *
- * 1 bit  - Intentionally not used
- * 3 bits - High level module ID
- * 5 bits - Module-dependent error code
- * 6 bits - Low level module errors
- * 1 bit  - Intentionally not used
- *
- * Low-level module errors (0x007E-0x0002)
- *
- * Module   Nr  Codes assigned 
- * MPI       7  0x0002-0x0010
- * GCM       2  0x0012-0x0014
- * BLOWFISH  2  0x0016-0x0018
- * AES       2  0x0020-0x0022
- * CAMELLIA  2  0x0024-0x0026
- * XTEA      1  0x0028-0x0028
- * BASE64    2  0x002A-0x002C
- * PADLOCK   1  0x0030-0x0030
- * DES       1  0x0032-0x0032
- * CTR_DBRG  3  0x0034-0x003A
- * ENTROPY   3  0x003C-0x0040
- * NET      11  0x0042-0x0056
- * ASN1      7  0x0060-0x006C
- * MD2       1  0x0070-0x0070
- * MD4       1  0x0072-0x0072
- * MD5       1  0x0074-0x0074
- * SHA1      1  0x0076-0x0076
- * SHA2      1  0x0078-0x0078
- * SHA4      1  0x007A-0x007A
- *
- * High-level module nr (3 bits - 0x1...-0x8...)
- * Name     ID  Nr of Errors
- * PEM      1   9
- * PKCS#12  1   4 (Started from top)
- * X509     2   23
- * DHM      3   6
- * PKCS5    3   4 (Started from top)
- * RSA      4   9
- * MD       5   4
- * CIPHER   6   5
- * SSL      6   2 (Started from top)
- * SSL      7   31
- *
- * Module dependent error code (5 bits 0x.08.-0x.F8.)
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Translate a PolarSSL error code into a string representation,
- *        Result is truncated if necessary and always includes a terminating
- *        null byte.
- *
- * \param errnum    error code
- * \param buffer    buffer to place representation in
- * \param buflen    length of the buffer
- */
-void error_strerror( int errnum, char *buffer, size_t buflen );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* error.h */
diff --git a/makerom/polarssl/gcm.h b/makerom/polarssl/gcm.h
deleted file mode 100644
index b3df62c4..00000000
--- a/makerom/polarssl/gcm.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/**
- * \file gcm.h
- *
- * \brief Galois/Counter mode for AES
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_GCM_H
-#define POLARSSL_GCM_H
-
-#include "polarssl/aes.h"
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT64 uint64_t;
-#else
-#include <stdint.h>
-#endif
-
-#define GCM_ENCRYPT     1
-#define GCM_DECRYPT     0
-
-#define POLARSSL_ERR_GCM_AUTH_FAILED                       -0x0012  /**< Authenticated decryption failed. */
-#define POLARSSL_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
-
-/**
- * \brief          GCM context structure
- */
-typedef struct {
-    aes_context aes_ctx;        /*!< AES context used */
-    uint64_t HL[16];            /*!< Precalculated HTable */
-    uint64_t HH[16];            /*!< Precalculated HTable */
-}
-gcm_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief           GCM initialization (encryption)
- *
- * \param ctx       GCM context to be initialized
- * \param key       encryption key
- * \param keysize   must be 128, 192 or 256
- *
- * \return          0 if successful, or POLARSSL_ERR_AES_INVALID_KEY_LENGTH
- */
-int gcm_init( gcm_context *ctx, const unsigned char *key, unsigned int keysize );
-
-/**
- * \brief           GCM buffer encryption/decryption using AES
- *
- * \note On encryption, the output buffer can be the same as the input buffer.
- *       On decryption, the output buffer cannot be the same as input buffer.
- *       If buffers overlap, the output buffer must trail at least 8 bytes
- *       behind the input buffer.
- *
- * \param ctx       GCM context
- * \param mode      GCM_ENCRYPT or GCM_DECRYPT
- * \param length    length of the input data
- * \param iv        initialization vector
- * \param iv_len    length of IV
- * \param add       additional data
- * \param add_len   length of additional data
- * \param input     buffer holding the input data
- * \param output    buffer for holding the output data
- * \param tag_len   length of the tag to generate
- * \param tag       buffer for holding the tag
- *
- * \return         0 if successful
- */
-int gcm_crypt_and_tag( gcm_context *ctx,
-                       int mode,
-                       size_t length,
-                       const unsigned char *iv,
-                       size_t iv_len,
-                       const unsigned char *add,
-                       size_t add_len,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       size_t tag_len,
-                       unsigned char *tag );
-
-/**
- * \brief           GCM buffer authenticated decryption using AES
- *
- * \note On decryption, the output buffer cannot be the same as input buffer.
- *       If buffers overlap, the output buffer must trail at least 8 bytes
- *       behind the input buffer.
- *
- * \param ctx       GCM context
- * \param length    length of the input data
- * \param iv        initialization vector
- * \param iv_len    length of IV
- * \param add       additional data
- * \param add_len   length of additional data
- * \param tag       buffer holding the tag
- * \param tag_len   length of the tag 
- * \param input     buffer holding the input data
- * \param output    buffer for holding the output data
- *
- * \return         0 if successful and authenticated,
- *                 POLARSSL_ERR_GCM_AUTH_FAILED if tag does not match
- */
-int gcm_auth_decrypt( gcm_context *ctx,
-                      size_t length,
-                      const unsigned char *iv,
-                      size_t iv_len,
-                      const unsigned char *add,
-                      size_t add_len,
-                      const unsigned char *tag, 
-                      size_t tag_len,
-                      const unsigned char *input,
-                      unsigned char *output );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int gcm_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* gcm.h */
diff --git a/makerom/polarssl/havege.h b/makerom/polarssl/havege.h
deleted file mode 100644
index 53c4f38c..00000000
--- a/makerom/polarssl/havege.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/**
- * \file havege.h
- *
- * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_HAVEGE_H
-#define POLARSSL_HAVEGE_H
-
-#include <string.h>
-
-#define COLLECT_SIZE 1024
-
-/**
- * \brief          HAVEGE state structure
- */
-typedef struct
-{
-    int PT1, PT2, offset[2];
-    int pool[COLLECT_SIZE];
-    int WALK[8192];
-}
-havege_state;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          HAVEGE initialization
- *
- * \param hs       HAVEGE state to be initialized
- */
-void havege_init( havege_state *hs );
-
-/**
- * \brief          HAVEGE rand function
- *
- * \param p_rng    A HAVEGE state
- * \param output   Buffer to fill
- * \param len      Length of buffer
- *
- * \return         0
- */
-int havege_random( void *p_rng, unsigned char *output, size_t len );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* havege.h */
diff --git a/makerom/polarssl/md.c b/makerom/polarssl/md.c
deleted file mode 100644
index ab0f468c..00000000
--- a/makerom/polarssl/md.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/**
- * \file md.c
- * 
- * \brief Generic message digest wrapper for PolarSSL
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_MD_C)
-
-#include "polarssl/md.h"
-#include "polarssl/md_wrap.h"
-
-#include <stdlib.h>
-#include <strings.h>
-
-//#if defined _MSC_VER && !defined strcasecmp
-//#define strcasecmp _stricmp
-//#endif
-
-static const int supported_digests[] = {
-
-#if defined(POLARSSL_MD2_C)
-        POLARSSL_MD_MD2,
-#endif
-
-#if defined(POLARSSL_MD4_C)
-        POLARSSL_MD_MD4,
-#endif
-
-#if defined(POLARSSL_MD5_C)
-        POLARSSL_MD_MD5,
-#endif
-
-#if defined(POLARSSL_SHA1_C)
-        POLARSSL_MD_SHA1,
-#endif
-
-#if defined(POLARSSL_SHA2_C)
-        POLARSSL_MD_SHA224,
-        POLARSSL_MD_SHA256,
-#endif
-
-#if defined(POLARSSL_SHA4_C)
-        POLARSSL_MD_SHA384,
-        POLARSSL_MD_SHA512,
-#endif
-
-        0
-};
-
-const int *md_list( void )
-{
-    return supported_digests;
-}
-
-const md_info_t *md_info_from_string( const char *md_name )
-{
-    if( NULL == md_name )
-        return NULL;
-
-    /* Get the appropriate digest information */
-#if defined(POLARSSL_MD2_C)
-    if( !strcasecmp( "MD2", md_name ) )
-        return md_info_from_type( POLARSSL_MD_MD2 );
-#endif
-#if defined(POLARSSL_MD4_C)
-    if( !strcasecmp( "MD4", md_name ) )
-        return md_info_from_type( POLARSSL_MD_MD4 );
-#endif
-#if defined(POLARSSL_MD5_C)
-    if( !strcasecmp( "MD5", md_name ) )
-        return md_info_from_type( POLARSSL_MD_MD5 );
-#endif
-#if defined(POLARSSL_SHA1_C)
-    if( !strcasecmp( "SHA1", md_name ) || !strcasecmp( "SHA", md_name ) )
-        return md_info_from_type( POLARSSL_MD_SHA1 );
-#endif
-#if defined(POLARSSL_SHA2_C)
-    if( !strcasecmp( "SHA224", md_name ) )
-        return md_info_from_type( POLARSSL_MD_SHA224 );
-    if( !strcasecmp( "SHA256", md_name ) )
-        return md_info_from_type( POLARSSL_MD_SHA256 );
-#endif
-#if defined(POLARSSL_SHA4_C)
-    if( !strcasecmp( "SHA384", md_name ) )
-        return md_info_from_type( POLARSSL_MD_SHA384 );
-    if( !strcasecmp( "SHA512", md_name ) )
-        return md_info_from_type( POLARSSL_MD_SHA512 );
-#endif
-    return NULL;
-}
-
-const md_info_t *md_info_from_type( md_type_t md_type )
-{
-    switch( md_type )
-    {
-#if defined(POLARSSL_MD2_C)
-        case POLARSSL_MD_MD2:
-            return &md2_info;
-#endif
-#if defined(POLARSSL_MD4_C)
-        case POLARSSL_MD_MD4:
-            return &md4_info;
-#endif
-#if defined(POLARSSL_MD5_C)
-        case POLARSSL_MD_MD5:
-            return &md5_info;
-#endif
-#if defined(POLARSSL_SHA1_C)
-        case POLARSSL_MD_SHA1:
-            return &sha1_info;
-#endif
-#if defined(POLARSSL_SHA2_C)
-        case POLARSSL_MD_SHA224:
-            return &sha224_info;
-        case POLARSSL_MD_SHA256:
-            return &sha256_info;
-#endif
-#if defined(POLARSSL_SHA4_C)
-        case POLARSSL_MD_SHA384:
-            return &sha384_info;
-        case POLARSSL_MD_SHA512:
-            return &sha512_info;
-#endif
-        default:
-            return NULL;
-    }
-}
-
-int md_init_ctx( md_context_t *ctx, const md_info_t *md_info )
-{
-    if( md_info == NULL || ctx == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    memset( ctx, 0, sizeof( md_context_t ) );
-
-    if( ( ctx->md_ctx = md_info->ctx_alloc_func() ) == NULL )
-        return POLARSSL_ERR_MD_ALLOC_FAILED;
-
-    ctx->md_info = md_info;
-
-    md_info->starts_func( ctx->md_ctx );
-
-    return 0;
-}
-
-int md_free_ctx( md_context_t *ctx )
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->ctx_free_func( ctx->md_ctx );
-    ctx->md_ctx = NULL;
-
-    return 0;
-}
-
-int md_starts( md_context_t *ctx )
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->starts_func( ctx->md_ctx );
-
-    return 0;
-}
-
-int md_update( md_context_t *ctx, const unsigned char *input, size_t ilen )
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->update_func( ctx->md_ctx, input, ilen );
-
-    return 0;
-}
-
-int md_finish( md_context_t *ctx, unsigned char *output )
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->finish_func( ctx->md_ctx, output );
-
-    return 0;
-}
-
-int md( const md_info_t *md_info, const unsigned char *input, size_t ilen,
-            unsigned char *output )
-{
-    if ( md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    md_info->digest_func( input, ilen, output );
-
-    return 0;
-}
-
-int md_file( const md_info_t *md_info, const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    int ret;
-#endif
-
-    if( md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-#if defined(POLARSSL_FS_IO)
-    ret = md_info->file_func( path, output );
-    if( ret != 0 )
-        return( POLARSSL_ERR_MD_FILE_IO_ERROR + ret );
-
-    return( ret );
-#else
-    ((void) path);
-    ((void) output);
-
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-int md_hmac_starts( md_context_t *ctx, const unsigned char *key, size_t keylen )
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->hmac_starts_func( ctx->md_ctx, key, keylen);
-
-    return 0;
-}
-
-int md_hmac_update( md_context_t *ctx, const unsigned char *input, size_t ilen )
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->hmac_update_func( ctx->md_ctx, input, ilen );
-
-    return 0;
-}
-
-int md_hmac_finish( md_context_t *ctx, unsigned char *output)
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->hmac_finish_func( ctx->md_ctx, output);
-
-    return 0;
-}
-
-int md_hmac_reset( md_context_t *ctx )
-{
-    if( ctx == NULL || ctx->md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    ctx->md_info->hmac_reset_func( ctx->md_ctx);
-
-    return 0;
-}
-
-int md_hmac( const md_info_t *md_info, const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char *output )
-{
-    if( md_info == NULL )
-        return POLARSSL_ERR_MD_BAD_INPUT_DATA;
-
-    md_info->hmac_func( key, keylen, input, ilen, output );
-
-    return 0;
-}
-
-#endif
diff --git a/makerom/polarssl/md.h b/makerom/polarssl/md.h
deleted file mode 100644
index 6a1bdd41..00000000
--- a/makerom/polarssl/md.h
+++ /dev/null
@@ -1,363 +0,0 @@
-/**
- * \file md.h
- * 
- * \brief Generic message digest wrapper
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_MD_H
-#define POLARSSL_MD_H
-
-#include <string.h>
-
-#if defined(_MSC_VER) && !defined(inline)
-#define inline _inline
-#else
-#if defined(__ARMCC_VERSION) && !defined(inline)
-#define inline __inline
-#endif /* __ARMCC_VERSION */
-#endif /*_MSC_VER */
-
-#define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE                -0x5080  /**< The selected feature is not available. */
-#define POLARSSL_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
-#define POLARSSL_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
-
-typedef enum {
-    POLARSSL_MD_NONE=0,
-    POLARSSL_MD_MD2,
-    POLARSSL_MD_MD4,
-    POLARSSL_MD_MD5,
-    POLARSSL_MD_SHA1,
-    POLARSSL_MD_SHA224,
-    POLARSSL_MD_SHA256,
-    POLARSSL_MD_SHA384,
-    POLARSSL_MD_SHA512,
-} md_type_t;
-
-#define POLARSSL_MD_MAX_SIZE         64  /* longest known is SHA512 */
-
-/**
- * Message digest information. Allows message digest functions to be called
- * in a generic way.
- */
-typedef struct {
-    /** Digest identifier */
-    md_type_t type;
-
-    /** Name of the message digest */
-    const char * name;
-
-    /** Output length of the digest function */
-    int size;
-
-    /** Digest initialisation function */
-    void (*starts_func)( void *ctx );
-
-    /** Digest update function */
-    void (*update_func)( void *ctx, const unsigned char *input, size_t ilen );
-
-    /** Digest finalisation function */
-    void (*finish_func)( void *ctx, unsigned char *output );
-
-    /** Generic digest function */
-    void (*digest_func)( const unsigned char *input, size_t ilen,
-                            unsigned char *output );
-
-    /** Generic file digest function */
-    int (*file_func)( const char *path, unsigned char *output );
-
-    /** HMAC Initialisation function */
-    void (*hmac_starts_func)( void *ctx, const unsigned char *key, size_t keylen );
-
-    /** HMAC update function */
-    void (*hmac_update_func)( void *ctx, const unsigned char *input, size_t ilen );
-
-    /** HMAC finalisation function */
-    void (*hmac_finish_func)( void *ctx, unsigned char *output);
-
-    /** HMAC context reset function */
-    void (*hmac_reset_func)( void *ctx );
-
-    /** Generic HMAC function */
-    void (*hmac_func)( const unsigned char *key, size_t keylen,
-                    const unsigned char *input, size_t ilen,
-                    unsigned char *output );
-
-    /** Allocate a new context */
-    void * (*ctx_alloc_func)( void );
-
-    /** Free the given context */
-    void (*ctx_free_func)( void *ctx );
-
-} md_info_t;
-
-/**
- * Generic message digest context.
- */
-typedef struct {
-    /** Information about the associated message digest */
-    const md_info_t *md_info;
-
-    /** Digest-specific context */
-    void *md_ctx;
-} md_context_t;
-
-#define MD_CONTEXT_T_INIT { \
-    NULL, /* md_info */ \
-    NULL, /* md_ctx */ \
-}
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief Returns the list of digests supported by the generic digest module.
- *
- * \return          a statically allocated array of digests, the last entry
- *                  is 0.
- */
-const int *md_list( void );
-
-/**
- * \brief           Returns the message digest information associated with the
- *                  given digest name.
- *
- * \param md_name   Name of the digest to search for.
- *
- * \return          The message digest information associated with md_name or
- *                  NULL if not found.
- */
-const md_info_t *md_info_from_string( const char *md_name );
-
-/**
- * \brief           Returns the message digest information associated with the
- *                  given digest type.
- *
- * \param md_type   type of digest to search for.
- *
- * \return          The message digest information associated with md_type or
- *                  NULL if not found.
- */
-const md_info_t *md_info_from_type( md_type_t md_type );
-
-/**
- * \brief          Initialises and fills the message digest context structure with
- *                 the appropriate values.
- *
- * \param ctx      context to initialise. May not be NULL. The
- *                 digest-specific context (ctx->md_ctx) must be NULL. It will
- *                 be allocated, and must be freed using md_free_ctx() later.
- * \param md_info  message digest to use.
- *
- * \returns        \c 0 on success, \c POLARSSL_ERR_MD_BAD_INPUT_DATA on
- *                 parameter failure, \c POLARSSL_ERR_MD_ALLOC_FAILED if
- *                 allocation of the digest-specific context failed.
- */
-int md_init_ctx( md_context_t *ctx, const md_info_t *md_info );
-
-/**
- * \brief          Free the message-specific context of ctx. Freeing ctx itself
- *                 remains the responsibility of the caller.
- *
- * \param ctx      Free the message-specific context
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_free_ctx( md_context_t *ctx );
-
-/**
- * \brief           Returns the size of the message digest output.
- *
- * \param md_info   message digest info
- *
- * \return          size of the message digest output.
- */
-static inline unsigned char md_get_size( const md_info_t *md_info )
-{
-    if( md_info == NULL )
-        return( 0 );
-
-    return md_info->size;
-}
-
-/**
- * \brief           Returns the type of the message digest output.
- *
- * \param md_info   message digest info
- *
- * \return          type of the message digest output.
- */
-static inline md_type_t md_get_type( const md_info_t *md_info )
-{
-    if( md_info == NULL )
-        return( POLARSSL_MD_NONE );
-
-    return md_info->type;
-}
-
-/**
- * \brief           Returns the name of the message digest output.
- *
- * \param md_info   message digest info
- *
- * \return          name of the message digest output.
- */
-static inline const char *md_get_name( const md_info_t *md_info )
-{
-    if( md_info == NULL )
-        return( NULL );
-
-    return md_info->name;
-}
-
-/**
- * \brief          Set-up the given context for a new message digest
- *
- * \param ctx      generic message digest context.
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_starts( md_context_t *ctx );
-
-/**
- * \brief          Generic message digest process buffer
- *
- * \param ctx      Generic message digest context
- * \param input    buffer holding the  datal
- * \param ilen     length of the input data
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_update( md_context_t *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          Generic message digest final digest
- *
- * \param ctx      Generic message digest context
- * \param output   Generic message digest checksum result
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_finish( md_context_t *ctx, unsigned char *output );
-
-/**
- * \brief          Output = message_digest( input buffer )
- *
- * \param md_info  message digest info
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   Generic message digest checksum result
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md( const md_info_t *md_info, const unsigned char *input, size_t ilen,
-        unsigned char *output );
-
-/**
- * \brief          Output = message_digest( file contents )
- *
- * \param md_info  message digest info
- * \param path     input file name
- * \param output   generic message digest checksum result
- *
- * \return         0 if successful, POLARSSL_ERR_MD_FILE_OPEN_FAILED if fopen
- *                 failed, POLARSSL_ERR_MD_FILE_READ_FAILED if fread failed,
- *                 POLARSSL_ERR_MD_BAD_INPUT_DATA if md_info was NULL.
- */
-int md_file( const md_info_t *md_info, const char *path, unsigned char *output );
-
-/**
- * \brief          Generic HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_hmac_starts( md_context_t *ctx, const unsigned char *key, size_t keylen );
-
-/**
- * \brief          Generic HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_hmac_update( md_context_t *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          Generic HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   Generic HMAC checksum result
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_hmac_finish( md_context_t *ctx, unsigned char *output);
-
-/**
- * \brief          Generic HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_hmac_reset( md_context_t *ctx );
-
-/**
- * \brief          Output = Generic_HMAC( hmac key, input buffer )
- *
- * \param md_info  message digest info
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   Generic HMAC-result
- *
- * \returns        0 on success, POLARSSL_ERR_MD_BAD_INPUT_DATA if parameter
- *                 verification fails.
- */
-int md_hmac( const md_info_t *md_info, const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* POLARSSL_MD_H */
diff --git a/makerom/polarssl/md2.h b/makerom/polarssl/md2.h
deleted file mode 100644
index f4372423..00000000
--- a/makerom/polarssl/md2.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/**
- * \file md2.h
- *
- * \brief MD2 message digest algorithm (hash function)
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_MD2_H
-#define POLARSSL_MD2_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#define POLARSSL_ERR_MD2_FILE_IO_ERROR                 -0x0070  /**< Read/write error in file. */
-
-#if !defined(POLARSSL_MD2_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          MD2 context structure
- */
-typedef struct
-{
-    unsigned char cksum[16];    /*!< checksum of the data block */
-    unsigned char state[48];    /*!< intermediate digest state  */
-    unsigned char buffer[16];   /*!< data block being processed */
-
-    unsigned char ipad[16];     /*!< HMAC: inner padding        */
-    unsigned char opad[16];     /*!< HMAC: outer padding        */
-    size_t left;                /*!< amount of data in buffer   */
-}
-md2_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          MD2 context setup
- *
- * \param ctx      context to be initialized
- */
-void md2_starts( md2_context *ctx );
-
-/**
- * \brief          MD2 process buffer
- *
- * \param ctx      MD2 context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void md2_update( md2_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          MD2 final digest
- *
- * \param ctx      MD2 context
- * \param output   MD2 checksum result
- */
-void md2_finish( md2_context *ctx, unsigned char output[16] );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_MD2_ALT */
-#include "polarssl/md2_alt.h"
-#endif /* POLARSSL_MD2_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Output = MD2( input buffer )
- *
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   MD2 checksum result
- */
-void md2( const unsigned char *input, size_t ilen, unsigned char output[16] );
-
-/**
- * \brief          Output = MD2( file contents )
- *
- * \param path     input file name
- * \param output   MD2 checksum result
- *
- * \return         0 if successful, or POLARSSL_ERR_MD2_FILE_IO_ERROR
- */
-int md2_file( const char *path, unsigned char output[16] );
-
-/**
- * \brief          MD2 HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- */
-void md2_hmac_starts( md2_context *ctx, const unsigned char *key, size_t keylen );
-
-/**
- * \brief          MD2 HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void md2_hmac_update( md2_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          MD2 HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   MD2 HMAC checksum result
- */
-void md2_hmac_finish( md2_context *ctx, unsigned char output[16] );
-
-/**
- * \brief          MD2 HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- */
-void md2_hmac_reset( md2_context *ctx );
-
-/**
- * \brief          Output = HMAC-MD2( hmac key, input buffer )
- *
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   HMAC-MD2 result
- */
-void md2_hmac( const unsigned char *key, size_t keylen,
-               const unsigned char *input, size_t ilen,
-               unsigned char output[16] );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int md2_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* md2.h */
diff --git a/makerom/polarssl/md4.h b/makerom/polarssl/md4.h
deleted file mode 100644
index 9600361f..00000000
--- a/makerom/polarssl/md4.h
+++ /dev/null
@@ -1,177 +0,0 @@
-/**
- * \file md4.h
- *
- * \brief MD4 message digest algorithm (hash function)
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_MD4_H
-#define POLARSSL_MD4_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define POLARSSL_ERR_MD4_FILE_IO_ERROR                 -0x0072  /**< Read/write error in file. */
-
-#if !defined(POLARSSL_MD4_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          MD4 context structure
- */
-typedef struct
-{
-    uint32_t total[2];          /*!< number of bytes processed  */
-    uint32_t state[4];          /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
-
-    unsigned char ipad[64];     /*!< HMAC: inner padding        */
-    unsigned char opad[64];     /*!< HMAC: outer padding        */
-}
-md4_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          MD4 context setup
- *
- * \param ctx      context to be initialized
- */
-void md4_starts( md4_context *ctx );
-
-/**
- * \brief          MD4 process buffer
- *
- * \param ctx      MD4 context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void md4_update( md4_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          MD4 final digest
- *
- * \param ctx      MD4 context
- * \param output   MD4 checksum result
- */
-void md4_finish( md4_context *ctx, unsigned char output[16] );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_MD4_ALT */
-#include "polarssl/md4_alt.h"
-#endif /* POLARSSL_MD4_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Output = MD4( input buffer )
- *
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   MD4 checksum result
- */
-void md4( const unsigned char *input, size_t ilen, unsigned char output[16] );
-
-/**
- * \brief          Output = MD4( file contents )
- *
- * \param path     input file name
- * \param output   MD4 checksum result
- *
- * \return         0 if successful, or POLARSSL_ERR_MD4_FILE_IO_ERROR
- */
-int md4_file( const char *path, unsigned char output[16] );
-
-/**
- * \brief          MD4 HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- */
-void md4_hmac_starts( md4_context *ctx, const unsigned char *key, size_t keylen );
-
-/**
- * \brief          MD4 HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void md4_hmac_update( md4_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          MD4 HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   MD4 HMAC checksum result
- */
-void md4_hmac_finish( md4_context *ctx, unsigned char output[16] );
-
-/**
- * \brief          MD4 HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- */
-void md4_hmac_reset( md4_context *ctx );
-
-/**
- * \brief          Output = HMAC-MD4( hmac key, input buffer )
- *
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   HMAC-MD4 result
- */
-void md4_hmac( const unsigned char *key, size_t keylen,
-               const unsigned char *input, size_t ilen,
-               unsigned char output[16] );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int md4_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* md4.h */
diff --git a/makerom/polarssl/md5.c b/makerom/polarssl/md5.c
deleted file mode 100644
index b28461e9..00000000
--- a/makerom/polarssl/md5.c
+++ /dev/null
@@ -1,585 +0,0 @@
-/*
- *  RFC 1321 compliant MD5 implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The MD5 algorithm was designed by Ron Rivest in 1991.
- *
- *  http://www.ietf.org/rfc/rfc1321.txt
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_MD5_C)
-
-#include "polarssl/md5.h"
-
-#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
-#include <stdio.h>
-#endif
-
-#if !defined(POLARSSL_MD5_ALT)
-
-/*
- * 32-bit integer manipulation macros (little endian)
- */
-#ifndef GET_UINT32_LE
-#define GET_UINT32_LE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ]       )             \
-        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
-}
-#endif
-
-#ifndef PUT_UINT32_LE
-#define PUT_UINT32_LE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n)       );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
-}
-#endif
-
-/*
- * MD5 context setup
- */
-void md5_starts( md5_context *ctx )
-{
-    ctx->total[0] = 0;
-    ctx->total[1] = 0;
-
-    ctx->state[0] = 0x67452301;
-    ctx->state[1] = 0xEFCDAB89;
-    ctx->state[2] = 0x98BADCFE;
-    ctx->state[3] = 0x10325476;
-}
-
-void md5_process( md5_context *ctx, const unsigned char data[64] )
-{
-    uint32_t X[16], A, B, C, D;
-
-    GET_UINT32_LE( X[ 0], data,  0 );
-    GET_UINT32_LE( X[ 1], data,  4 );
-    GET_UINT32_LE( X[ 2], data,  8 );
-    GET_UINT32_LE( X[ 3], data, 12 );
-    GET_UINT32_LE( X[ 4], data, 16 );
-    GET_UINT32_LE( X[ 5], data, 20 );
-    GET_UINT32_LE( X[ 6], data, 24 );
-    GET_UINT32_LE( X[ 7], data, 28 );
-    GET_UINT32_LE( X[ 8], data, 32 );
-    GET_UINT32_LE( X[ 9], data, 36 );
-    GET_UINT32_LE( X[10], data, 40 );
-    GET_UINT32_LE( X[11], data, 44 );
-    GET_UINT32_LE( X[12], data, 48 );
-    GET_UINT32_LE( X[13], data, 52 );
-    GET_UINT32_LE( X[14], data, 56 );
-    GET_UINT32_LE( X[15], data, 60 );
-
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
-
-#define P(a,b,c,d,k,s,t)                                \
-{                                                       \
-    a += F(b,c,d) + X[k] + t; a = S(a,s) + b;           \
-}
-
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-
-#define F(x,y,z) (z ^ (x & (y ^ z)))
-
-    P( A, B, C, D,  0,  7, 0xD76AA478 );
-    P( D, A, B, C,  1, 12, 0xE8C7B756 );
-    P( C, D, A, B,  2, 17, 0x242070DB );
-    P( B, C, D, A,  3, 22, 0xC1BDCEEE );
-    P( A, B, C, D,  4,  7, 0xF57C0FAF );
-    P( D, A, B, C,  5, 12, 0x4787C62A );
-    P( C, D, A, B,  6, 17, 0xA8304613 );
-    P( B, C, D, A,  7, 22, 0xFD469501 );
-    P( A, B, C, D,  8,  7, 0x698098D8 );
-    P( D, A, B, C,  9, 12, 0x8B44F7AF );
-    P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
-    P( B, C, D, A, 11, 22, 0x895CD7BE );
-    P( A, B, C, D, 12,  7, 0x6B901122 );
-    P( D, A, B, C, 13, 12, 0xFD987193 );
-    P( C, D, A, B, 14, 17, 0xA679438E );
-    P( B, C, D, A, 15, 22, 0x49B40821 );
-
-#undef F
-
-#define F(x,y,z) (y ^ (z & (x ^ y)))
-
-    P( A, B, C, D,  1,  5, 0xF61E2562 );
-    P( D, A, B, C,  6,  9, 0xC040B340 );
-    P( C, D, A, B, 11, 14, 0x265E5A51 );
-    P( B, C, D, A,  0, 20, 0xE9B6C7AA );
-    P( A, B, C, D,  5,  5, 0xD62F105D );
-    P( D, A, B, C, 10,  9, 0x02441453 );
-    P( C, D, A, B, 15, 14, 0xD8A1E681 );
-    P( B, C, D, A,  4, 20, 0xE7D3FBC8 );
-    P( A, B, C, D,  9,  5, 0x21E1CDE6 );
-    P( D, A, B, C, 14,  9, 0xC33707D6 );
-    P( C, D, A, B,  3, 14, 0xF4D50D87 );
-    P( B, C, D, A,  8, 20, 0x455A14ED );
-    P( A, B, C, D, 13,  5, 0xA9E3E905 );
-    P( D, A, B, C,  2,  9, 0xFCEFA3F8 );
-    P( C, D, A, B,  7, 14, 0x676F02D9 );
-    P( B, C, D, A, 12, 20, 0x8D2A4C8A );
-
-#undef F
-    
-#define F(x,y,z) (x ^ y ^ z)
-
-    P( A, B, C, D,  5,  4, 0xFFFA3942 );
-    P( D, A, B, C,  8, 11, 0x8771F681 );
-    P( C, D, A, B, 11, 16, 0x6D9D6122 );
-    P( B, C, D, A, 14, 23, 0xFDE5380C );
-    P( A, B, C, D,  1,  4, 0xA4BEEA44 );
-    P( D, A, B, C,  4, 11, 0x4BDECFA9 );
-    P( C, D, A, B,  7, 16, 0xF6BB4B60 );
-    P( B, C, D, A, 10, 23, 0xBEBFBC70 );
-    P( A, B, C, D, 13,  4, 0x289B7EC6 );
-    P( D, A, B, C,  0, 11, 0xEAA127FA );
-    P( C, D, A, B,  3, 16, 0xD4EF3085 );
-    P( B, C, D, A,  6, 23, 0x04881D05 );
-    P( A, B, C, D,  9,  4, 0xD9D4D039 );
-    P( D, A, B, C, 12, 11, 0xE6DB99E5 );
-    P( C, D, A, B, 15, 16, 0x1FA27CF8 );
-    P( B, C, D, A,  2, 23, 0xC4AC5665 );
-
-#undef F
-
-#define F(x,y,z) (y ^ (x | ~z))
-
-    P( A, B, C, D,  0,  6, 0xF4292244 );
-    P( D, A, B, C,  7, 10, 0x432AFF97 );
-    P( C, D, A, B, 14, 15, 0xAB9423A7 );
-    P( B, C, D, A,  5, 21, 0xFC93A039 );
-    P( A, B, C, D, 12,  6, 0x655B59C3 );
-    P( D, A, B, C,  3, 10, 0x8F0CCC92 );
-    P( C, D, A, B, 10, 15, 0xFFEFF47D );
-    P( B, C, D, A,  1, 21, 0x85845DD1 );
-    P( A, B, C, D,  8,  6, 0x6FA87E4F );
-    P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
-    P( C, D, A, B,  6, 15, 0xA3014314 );
-    P( B, C, D, A, 13, 21, 0x4E0811A1 );
-    P( A, B, C, D,  4,  6, 0xF7537E82 );
-    P( D, A, B, C, 11, 10, 0xBD3AF235 );
-    P( C, D, A, B,  2, 15, 0x2AD7D2BB );
-    P( B, C, D, A,  9, 21, 0xEB86D391 );
-
-#undef F
-
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-}
-
-/*
- * MD5 process buffer
- */
-void md5_update( md5_context *ctx, const unsigned char *input, size_t ilen )
-{
-    size_t fill;
-    uint32_t left;
-
-    if( ilen <= 0 )
-        return;
-
-    left = ctx->total[0] & 0x3F;
-    fill = 64 - left;
-
-    ctx->total[0] += (uint32_t) ilen;
-    ctx->total[0] &= 0xFFFFFFFF;
-
-    if( ctx->total[0] < (uint32_t) ilen )
-        ctx->total[1]++;
-
-    if( left && ilen >= fill )
-    {
-        memcpy( (void *) (ctx->buffer + left), input, fill );
-        md5_process( ctx, ctx->buffer );
-        input += fill;
-        ilen  -= fill;
-        left = 0;
-    }
-
-    while( ilen >= 64 )
-    {
-        md5_process( ctx, input );
-        input += 64;
-        ilen  -= 64;
-    }
-
-    if( ilen > 0 )
-    {
-        memcpy( (void *) (ctx->buffer + left), input, ilen );
-    }
-}
-
-static const unsigned char md5_padding[64] =
-{
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/*
- * MD5 final digest
- */
-void md5_finish( md5_context *ctx, unsigned char output[16] )
-{
-    uint32_t last, padn;
-    uint32_t high, low;
-    unsigned char msglen[8];
-
-    high = ( ctx->total[0] >> 29 )
-         | ( ctx->total[1] <<  3 );
-    low  = ( ctx->total[0] <<  3 );
-
-    PUT_UINT32_LE( low,  msglen, 0 );
-    PUT_UINT32_LE( high, msglen, 4 );
-
-    last = ctx->total[0] & 0x3F;
-    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
-
-    md5_update( ctx, md5_padding, padn );
-    md5_update( ctx, msglen, 8 );
-
-    PUT_UINT32_LE( ctx->state[0], output,  0 );
-    PUT_UINT32_LE( ctx->state[1], output,  4 );
-    PUT_UINT32_LE( ctx->state[2], output,  8 );
-    PUT_UINT32_LE( ctx->state[3], output, 12 );
-}
-
-#endif /* !POLARSSL_MD5_ALT */
-
-/*
- * output = MD5( input buffer )
- */
-void md5( const unsigned char *input, size_t ilen, unsigned char output[16] )
-{
-    md5_context ctx;
-
-    md5_starts( &ctx );
-    md5_update( &ctx, input, ilen );
-    md5_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md5_context ) );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * output = MD5( file contents )
- */
-int md5_file( const char *path, unsigned char output[16] )
-{
-    FILE *f;
-    size_t n;
-    md5_context ctx;
-    unsigned char buf[1024];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_MD5_FILE_IO_ERROR );
-
-    md5_starts( &ctx );
-
-    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
-        md5_update( &ctx, buf, n );
-
-    md5_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md5_context ) );
-
-    if( ferror( f ) != 0 )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_MD5_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * MD5 HMAC context setup
- */
-void md5_hmac_starts( md5_context *ctx, const unsigned char *key, size_t keylen )
-{
-    size_t i;
-    unsigned char sum[16];
-
-    if( keylen > 64 )
-    {
-        md5( key, keylen, sum );
-        keylen = 16;
-        key = sum;
-    }
-
-    memset( ctx->ipad, 0x36, 64 );
-    memset( ctx->opad, 0x5C, 64 );
-
-    for( i = 0; i < keylen; i++ )
-    {
-        ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
-        ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
-    }
-
-    md5_starts( ctx );
-    md5_update( ctx, ctx->ipad, 64 );
-
-    memset( sum, 0, sizeof( sum ) );
-}
-
-/*
- * MD5 HMAC process buffer
- */
-void md5_hmac_update( md5_context *ctx, const unsigned char *input, size_t ilen )
-{
-    md5_update( ctx, input, ilen );
-}
-
-/*
- * MD5 HMAC final digest
- */
-void md5_hmac_finish( md5_context *ctx, unsigned char output[16] )
-{
-    unsigned char tmpbuf[16];
-
-    md5_finish( ctx, tmpbuf );
-    md5_starts( ctx );
-    md5_update( ctx, ctx->opad, 64 );
-    md5_update( ctx, tmpbuf, 16 );
-    md5_finish( ctx, output );
-
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
-}
-
-/*
- * MD5 HMAC context reset
- */
-void md5_hmac_reset( md5_context *ctx )
-{
-    md5_starts( ctx );
-    md5_update( ctx, ctx->ipad, 64 );
-}
-
-/*
- * output = HMAC-MD5( hmac key, input buffer )
- */
-void md5_hmac( const unsigned char *key, size_t keylen,
-               const unsigned char *input, size_t ilen,
-               unsigned char output[16] )
-{
-    md5_context ctx;
-
-    md5_hmac_starts( &ctx, key, keylen );
-    md5_hmac_update( &ctx, input, ilen );
-    md5_hmac_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( md5_context ) );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-/*
- * RFC 1321 test vectors
- */
-static unsigned char md5_test_buf[7][81] =
-{
-    { "" }, 
-    { "a" },
-    { "abc" },
-    { "message digest" },
-    { "abcdefghijklmnopqrstuvwxyz" },
-    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
-    { "12345678901234567890123456789012345678901234567890123456789012" \
-      "345678901234567890" }
-};
-
-static const int md5_test_buflen[7] =
-{
-    0, 1, 3, 14, 26, 62, 80
-};
-
-static const unsigned char md5_test_sum[7][16] =
-{
-    { 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
-      0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
-    { 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
-      0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
-    { 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
-      0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
-    { 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
-      0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
-    { 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
-      0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
-    { 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
-      0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
-    { 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
-      0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
-};
-
-/*
- * RFC 2202 test vectors
- */
-static unsigned char md5_hmac_test_key[7][26] =
-{
-    { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B" },
-    { "Jefe" },
-    { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA" },
-    { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
-      "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
-    { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C" },
-    { "" }, /* 0xAA 80 times */
-    { "" }
-};
-
-static const int md5_hmac_test_keylen[7] =
-{
-    16, 4, 16, 25, 16, 80, 80
-};
-
-static unsigned char md5_hmac_test_buf[7][74] =
-{
-    { "Hi There" },
-    { "what do ya want for nothing?" },
-    { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
-    { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
-    { "Test With Truncation" },
-    { "Test Using Larger Than Block-Size Key - Hash Key First" },
-    { "Test Using Larger Than Block-Size Key and Larger"
-      " Than One Block-Size Data" }
-};
-
-static const int md5_hmac_test_buflen[7] =
-{
-    8, 28, 50, 50, 20, 54, 73
-};
-
-static const unsigned char md5_hmac_test_sum[7][16] =
-{
-    { 0x92, 0x94, 0x72, 0x7A, 0x36, 0x38, 0xBB, 0x1C,
-      0x13, 0xF4, 0x8E, 0xF8, 0x15, 0x8B, 0xFC, 0x9D },
-    { 0x75, 0x0C, 0x78, 0x3E, 0x6A, 0xB0, 0xB5, 0x03,
-      0xEA, 0xA8, 0x6E, 0x31, 0x0A, 0x5D, 0xB7, 0x38 },
-    { 0x56, 0xBE, 0x34, 0x52, 0x1D, 0x14, 0x4C, 0x88,
-      0xDB, 0xB8, 0xC7, 0x33, 0xF0, 0xE8, 0xB3, 0xF6 },
-    { 0x69, 0x7E, 0xAF, 0x0A, 0xCA, 0x3A, 0x3A, 0xEA,
-      0x3A, 0x75, 0x16, 0x47, 0x46, 0xFF, 0xAA, 0x79 },
-    { 0x56, 0x46, 0x1E, 0xF2, 0x34, 0x2E, 0xDC, 0x00,
-      0xF9, 0xBA, 0xB9, 0x95 },
-    { 0x6B, 0x1A, 0xB7, 0xFE, 0x4B, 0xD7, 0xBF, 0x8F,
-      0x0B, 0x62, 0xE6, 0xCE, 0x61, 0xB9, 0xD0, 0xCD },
-    { 0x6F, 0x63, 0x0F, 0xAD, 0x67, 0xCD, 0xA0, 0xEE,
-      0x1F, 0xB1, 0xF5, 0x62, 0xDB, 0x3A, 0xA5, 0x3E }
-};
-
-/*
- * Checkup routine
- */
-int md5_self_test( int verbose )
-{
-    int i, buflen;
-    unsigned char buf[1024];
-    unsigned char md5sum[16];
-    md5_context ctx;
-
-    for( i = 0; i < 7; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  MD5 test #%d: ", i + 1 );
-
-        md5( md5_test_buf[i], md5_test_buflen[i], md5sum );
-
-        if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    for( i = 0; i < 7; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  HMAC-MD5 test #%d: ", i + 1 );
-
-        if( i == 5 || i == 6 )
-        {
-            memset( buf, '\xAA', buflen = 80 );
-            md5_hmac_starts( &ctx, buf, buflen );
-        }
-        else
-            md5_hmac_starts( &ctx, md5_hmac_test_key[i],
-                                   md5_hmac_test_keylen[i] );
-
-        md5_hmac_update( &ctx, md5_hmac_test_buf[i],
-                               md5_hmac_test_buflen[i] );
-
-        md5_hmac_finish( &ctx, md5sum );
-
-        buflen = ( i == 4 ) ? 12 : 16;
-
-        if( memcmp( md5sum, md5_hmac_test_sum[i], buflen ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/md5.h b/makerom/polarssl/md5.h
deleted file mode 100644
index ecb64282..00000000
--- a/makerom/polarssl/md5.h
+++ /dev/null
@@ -1,182 +0,0 @@
-/**
- * \file md5.h
- *
- * \brief MD5 message digest algorithm (hash function)
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_MD5_H
-#define POLARSSL_MD5_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define POLARSSL_ERR_MD5_FILE_IO_ERROR                 -0x0074  /**< Read/write error in file. */
-
-#if !defined(POLARSSL_MD5_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          MD5 context structure
- */
-typedef struct
-{
-    uint32_t total[2];          /*!< number of bytes processed  */
-    uint32_t state[4];          /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
-
-    unsigned char ipad[64];     /*!< HMAC: inner padding        */
-    unsigned char opad[64];     /*!< HMAC: outer padding        */
-}
-md5_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          MD5 context setup
- *
- * \param ctx      context to be initialized
- */
-void md5_starts( md5_context *ctx );
-
-/**
- * \brief          MD5 process buffer
- *
- * \param ctx      MD5 context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void md5_update( md5_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          MD5 final digest
- *
- * \param ctx      MD5 context
- * \param output   MD5 checksum result
- */
-void md5_finish( md5_context *ctx, unsigned char output[16] );
-
-/* Internal use */
-void md5_process( md5_context *ctx, const unsigned char data[64] );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_MD5_ALT */
-#include "polarssl/md5_alt.h"
-#endif /* POLARSSL_MD5_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Output = MD5( input buffer )
- *
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   MD5 checksum result
- */
-void md5( const unsigned char *input, size_t ilen, unsigned char output[16] );
-
-/**
- * \brief          Output = MD5( file contents )
- *
- * \param path     input file name
- * \param output   MD5 checksum result
- *
- * \return         0 if successful, or POLARSSL_ERR_MD5_FILE_IO_ERROR
- */
-int md5_file( const char *path, unsigned char output[16] );
-
-/**
- * \brief          MD5 HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- */
-void md5_hmac_starts( md5_context *ctx,
-                      const unsigned char *key, size_t keylen );
-
-/**
- * \brief          MD5 HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void md5_hmac_update( md5_context *ctx,
-                      const unsigned char *input, size_t ilen );
-
-/**
- * \brief          MD5 HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   MD5 HMAC checksum result
- */
-void md5_hmac_finish( md5_context *ctx, unsigned char output[16] );
-
-/**
- * \brief          MD5 HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- */
-void md5_hmac_reset( md5_context *ctx );
-
-/**
- * \brief          Output = HMAC-MD5( hmac key, input buffer )
- *
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   HMAC-MD5 result
- */
-void md5_hmac( const unsigned char *key, size_t keylen,
-               const unsigned char *input, size_t ilen,
-               unsigned char output[16] );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int md5_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* md5.h */
diff --git a/makerom/polarssl/md_wrap.c b/makerom/polarssl/md_wrap.c
deleted file mode 100644
index f276db59..00000000
--- a/makerom/polarssl/md_wrap.c
+++ /dev/null
@@ -1,733 +0,0 @@
-/**
- * \file md_wrap.c
-
- * \brief Generic message digest wrapper for PolarSSL
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_MD_C)
-
-#include "polarssl/md_wrap.h"
-
-#if defined(POLARSSL_MD2_C)
-#include "polarssl/md2.h"
-#endif
-
-#if defined(POLARSSL_MD4_C)
-#include "polarssl/md4.h"
-#endif
-
-#if defined(POLARSSL_MD5_C)
-#include "polarssl/md5.h"
-#endif
-
-#if defined(POLARSSL_SHA1_C)
-#include "polarssl/sha1.h"
-#endif
-
-#if defined(POLARSSL_SHA2_C)
-#include "polarssl/sha2.h"
-#endif
-
-#if defined(POLARSSL_SHA4_C)
-#include "polarssl/sha4.h"
-#endif
-
-#include <stdlib.h>
-
-#if defined(POLARSSL_MD2_C)
-
-static void md2_starts_wrap( void *ctx )
-{
-    md2_starts( (md2_context *) ctx );
-}
-
-static void md2_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    md2_update( (md2_context *) ctx, input, ilen );
-}
-
-static void md2_finish_wrap( void *ctx, unsigned char *output )
-{
-    md2_finish( (md2_context *) ctx, output );
-}
-
-int md2_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return md2_file( path, output );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-static void md2_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    md2_hmac_starts( (md2_context *) ctx, key, keylen );
-}
-
-static void md2_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    md2_hmac_update( (md2_context *) ctx, input, ilen );
-}
-
-static void md2_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    md2_hmac_finish( (md2_context *) ctx, output );
-}
-
-static void md2_hmac_reset_wrap( void *ctx )
-{
-    md2_hmac_reset( (md2_context *) ctx );
-}
-
-static void * md2_ctx_alloc( void )
-{
-    return malloc( sizeof( md2_context ) );
-}
-
-static void md2_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t md2_info = {
-    POLARSSL_MD_MD2,
-    "MD2",
-    16,
-    md2_starts_wrap,
-    md2_update_wrap,
-    md2_finish_wrap,
-    md2,
-    md2_file_wrap,
-    md2_hmac_starts_wrap,
-    md2_hmac_update_wrap,
-    md2_hmac_finish_wrap,
-    md2_hmac_reset_wrap,
-    md2_hmac,
-    md2_ctx_alloc,
-    md2_ctx_free,
-};
-
-#endif
-
-#if defined(POLARSSL_MD4_C)
-
-void md4_starts_wrap( void *ctx )
-{
-    md4_starts( (md4_context *) ctx );
-}
-
-void md4_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    md4_update( (md4_context *) ctx, input, ilen );
-}
-
-void md4_finish_wrap( void *ctx, unsigned char *output )
-{
-    md4_finish( (md4_context *) ctx, output );
-}
-
-int md4_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return md4_file( path, output );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-void md4_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    md4_hmac_starts( (md4_context *) ctx, key, keylen );
-}
-
-void md4_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    md4_hmac_update( (md4_context *) ctx, input, ilen );
-}
-
-void md4_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    md4_hmac_finish( (md4_context *) ctx, output );
-}
-
-void md4_hmac_reset_wrap( void *ctx )
-{
-    md4_hmac_reset( (md4_context *) ctx );
-}
-
-void *md4_ctx_alloc( void )
-{
-    return malloc( sizeof( md4_context ) );
-}
-
-void md4_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t md4_info = {
-    POLARSSL_MD_MD4,
-    "MD4",
-    16,
-    md4_starts_wrap,
-    md4_update_wrap,
-    md4_finish_wrap,
-    md4,
-    md4_file_wrap,
-    md4_hmac_starts_wrap,
-    md4_hmac_update_wrap,
-    md4_hmac_finish_wrap,
-    md4_hmac_reset_wrap,
-    md4_hmac,
-    md4_ctx_alloc,
-    md4_ctx_free,
-};
-
-#endif
-
-#if defined(POLARSSL_MD5_C)
-
-static void md5_starts_wrap( void *ctx )
-{
-    md5_starts( (md5_context *) ctx );
-}
-
-static void md5_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    md5_update( (md5_context *) ctx, input, ilen );
-}
-
-static void md5_finish_wrap( void *ctx, unsigned char *output )
-{
-    md5_finish( (md5_context *) ctx, output );
-}
-
-int md5_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return md5_file( path, output );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-static void md5_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    md5_hmac_starts( (md5_context *) ctx, key, keylen );
-}
-
-static void md5_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    md5_hmac_update( (md5_context *) ctx, input, ilen );
-}
-
-static void md5_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    md5_hmac_finish( (md5_context *) ctx, output );
-}
-
-static void md5_hmac_reset_wrap( void *ctx )
-{
-    md5_hmac_reset( (md5_context *) ctx );
-}
-
-static void * md5_ctx_alloc( void )
-{
-    return malloc( sizeof( md5_context ) );
-}
-
-static void md5_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t md5_info = {
-    POLARSSL_MD_MD5,
-    "MD5",
-    16,
-    md5_starts_wrap,
-    md5_update_wrap,
-    md5_finish_wrap,
-    md5,
-    md5_file_wrap,
-    md5_hmac_starts_wrap,
-    md5_hmac_update_wrap,
-    md5_hmac_finish_wrap,
-    md5_hmac_reset_wrap,
-    md5_hmac,
-    md5_ctx_alloc,
-    md5_ctx_free,
-};
-
-#endif
-
-#if defined(POLARSSL_SHA1_C)
-
-void sha1_starts_wrap( void *ctx )
-{
-    sha1_starts( (sha1_context *) ctx );
-}
-
-void sha1_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha1_update( (sha1_context *) ctx, input, ilen );
-}
-
-void sha1_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha1_finish( (sha1_context *) ctx, output );
-}
-
-int sha1_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return sha1_file( path, output );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-void sha1_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    sha1_hmac_starts( (sha1_context *) ctx, key, keylen );
-}
-
-void sha1_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha1_hmac_update( (sha1_context *) ctx, input, ilen );
-}
-
-void sha1_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha1_hmac_finish( (sha1_context *) ctx, output );
-}
-
-void sha1_hmac_reset_wrap( void *ctx )
-{
-    sha1_hmac_reset( (sha1_context *) ctx );
-}
-
-void * sha1_ctx_alloc( void )
-{
-    return malloc( sizeof( sha1_context ) );
-}
-
-void sha1_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t sha1_info = {
-    POLARSSL_MD_SHA1,
-    "SHA1",
-    20,
-    sha1_starts_wrap,
-    sha1_update_wrap,
-    sha1_finish_wrap,
-    sha1,
-    sha1_file_wrap,
-    sha1_hmac_starts_wrap,
-    sha1_hmac_update_wrap,
-    sha1_hmac_finish_wrap,
-    sha1_hmac_reset_wrap,
-    sha1_hmac,
-    sha1_ctx_alloc,
-    sha1_ctx_free,
-};
-
-#endif
-
-/*
- * Wrappers for generic message digests
- */
-#if defined(POLARSSL_SHA2_C)
-
-void sha224_starts_wrap( void *ctx )
-{
-    sha2_starts( (sha2_context *) ctx, 1 );
-}
-
-void sha224_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha2_update( (sha2_context *) ctx, input, ilen );
-}
-
-void sha224_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha2_finish( (sha2_context *) ctx, output );
-}
-
-void sha224_wrap( const unsigned char *input, size_t ilen,
-                    unsigned char *output )
-{
-    sha2( input, ilen, output, 1 );
-}
-
-int sha224_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return sha2_file( path, output, 1 );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-void sha224_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    sha2_hmac_starts( (sha2_context *) ctx, key, keylen, 1 );
-}
-
-void sha224_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha2_hmac_update( (sha2_context *) ctx, input, ilen );
-}
-
-void sha224_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha2_hmac_finish( (sha2_context *) ctx, output );
-}
-
-void sha224_hmac_reset_wrap( void *ctx )
-{
-    sha2_hmac_reset( (sha2_context *) ctx );
-}
-
-void sha224_hmac_wrap( const unsigned char *key, size_t keylen,
-        const unsigned char *input, size_t ilen,
-        unsigned char *output )
-{
-    sha2_hmac( key, keylen, input, ilen, output, 1 );
-}
-
-void * sha224_ctx_alloc( void )
-{
-    return malloc( sizeof( sha2_context ) );
-}
-
-void sha224_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t sha224_info = {
-    POLARSSL_MD_SHA224,
-    "SHA224",
-    28,
-    sha224_starts_wrap,
-    sha224_update_wrap,
-    sha224_finish_wrap,
-    sha224_wrap,
-    sha224_file_wrap,
-    sha224_hmac_starts_wrap,
-    sha224_hmac_update_wrap,
-    sha224_hmac_finish_wrap,
-    sha224_hmac_reset_wrap,
-    sha224_hmac_wrap,
-    sha224_ctx_alloc,
-    sha224_ctx_free,
-};
-
-void sha256_starts_wrap( void *ctx )
-{
-    sha2_starts( (sha2_context *) ctx, 0 );
-}
-
-void sha256_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha2_update( (sha2_context *) ctx, input, ilen );
-}
-
-void sha256_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha2_finish( (sha2_context *) ctx, output );
-}
-
-void sha256_wrap( const unsigned char *input, size_t ilen,
-                    unsigned char *output )
-{
-    sha2( input, ilen, output, 0 );
-}
-
-int sha256_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return sha2_file( path, output, 0 );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-void sha256_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    sha2_hmac_starts( (sha2_context *) ctx, key, keylen, 0 );
-}
-
-void sha256_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha2_hmac_update( (sha2_context *) ctx, input, ilen );
-}
-
-void sha256_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha2_hmac_finish( (sha2_context *) ctx, output );
-}
-
-void sha256_hmac_reset_wrap( void *ctx )
-{
-    sha2_hmac_reset( (sha2_context *) ctx );
-}
-
-void sha256_hmac_wrap( const unsigned char *key, size_t keylen,
-        const unsigned char *input, size_t ilen,
-        unsigned char *output )
-{
-    sha2_hmac( key, keylen, input, ilen, output, 0 );
-}
-
-void * sha256_ctx_alloc( void )
-{
-    return malloc( sizeof( sha2_context ) );
-}
-
-void sha256_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t sha256_info = {
-    POLARSSL_MD_SHA256,
-    "SHA256",
-    32,
-    sha256_starts_wrap,
-    sha256_update_wrap,
-    sha256_finish_wrap,
-    sha256_wrap,
-    sha256_file_wrap,
-    sha256_hmac_starts_wrap,
-    sha256_hmac_update_wrap,
-    sha256_hmac_finish_wrap,
-    sha256_hmac_reset_wrap,
-    sha256_hmac_wrap,
-    sha256_ctx_alloc,
-    sha256_ctx_free,
-};
-
-#endif
-
-#if defined(POLARSSL_SHA4_C)
-
-void sha384_starts_wrap( void *ctx )
-{
-    sha4_starts( (sha4_context *) ctx, 1 );
-}
-
-void sha384_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha4_update( (sha4_context *) ctx, input, ilen );
-}
-
-void sha384_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha4_finish( (sha4_context *) ctx, output );
-}
-
-void sha384_wrap( const unsigned char *input, size_t ilen,
-                    unsigned char *output )
-{
-    sha4( input, ilen, output, 1 );
-}
-
-int sha384_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return sha4_file( path, output, 1 );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-void sha384_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    sha4_hmac_starts( (sha4_context *) ctx, key, keylen, 1 );
-}
-
-void sha384_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha4_hmac_update( (sha4_context *) ctx, input, ilen );
-}
-
-void sha384_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha4_hmac_finish( (sha4_context *) ctx, output );
-}
-
-void sha384_hmac_reset_wrap( void *ctx )
-{
-    sha4_hmac_reset( (sha4_context *) ctx );
-}
-
-void sha384_hmac_wrap( const unsigned char *key, size_t keylen,
-        const unsigned char *input, size_t ilen,
-        unsigned char *output )
-{
-    sha4_hmac( key, keylen, input, ilen, output, 1 );
-}
-
-void * sha384_ctx_alloc( void )
-{
-    return malloc( sizeof( sha4_context ) );
-}
-
-void sha384_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t sha384_info = {
-    POLARSSL_MD_SHA384,
-    "SHA384",
-    48,
-    sha384_starts_wrap,
-    sha384_update_wrap,
-    sha384_finish_wrap,
-    sha384_wrap,
-    sha384_file_wrap,
-    sha384_hmac_starts_wrap,
-    sha384_hmac_update_wrap,
-    sha384_hmac_finish_wrap,
-    sha384_hmac_reset_wrap,
-    sha384_hmac_wrap,
-    sha384_ctx_alloc,
-    sha384_ctx_free,
-};
-
-void sha512_starts_wrap( void *ctx )
-{
-    sha4_starts( (sha4_context *) ctx, 0 );
-}
-
-void sha512_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha4_update( (sha4_context *) ctx, input, ilen );
-}
-
-void sha512_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha4_finish( (sha4_context *) ctx, output );
-}
-
-void sha512_wrap( const unsigned char *input, size_t ilen,
-                    unsigned char *output )
-{
-    sha4( input, ilen, output, 0 );
-}
-
-int sha512_file_wrap( const char *path, unsigned char *output )
-{
-#if defined(POLARSSL_FS_IO)
-    return sha4_file( path, output, 0 );
-#else
-    ((void) path);
-    ((void) output);
-    return POLARSSL_ERR_MD_FEATURE_UNAVAILABLE;
-#endif
-}
-
-void sha512_hmac_starts_wrap( void *ctx, const unsigned char *key, size_t keylen )
-{
-    sha4_hmac_starts( (sha4_context *) ctx, key, keylen, 0 );
-}
-
-void sha512_hmac_update_wrap( void *ctx, const unsigned char *input, size_t ilen )
-{
-    sha4_hmac_update( (sha4_context *) ctx, input, ilen );
-}
-
-void sha512_hmac_finish_wrap( void *ctx, unsigned char *output )
-{
-    sha4_hmac_finish( (sha4_context *) ctx, output );
-}
-
-void sha512_hmac_reset_wrap( void *ctx )
-{
-    sha4_hmac_reset( (sha4_context *) ctx );
-}
-
-void sha512_hmac_wrap( const unsigned char *key, size_t keylen,
-        const unsigned char *input, size_t ilen,
-        unsigned char *output )
-{
-    sha4_hmac( key, keylen, input, ilen, output, 0 );
-}
-
-void * sha512_ctx_alloc( void )
-{
-    return malloc( sizeof( sha4_context ) );
-}
-
-void sha512_ctx_free( void *ctx )
-{
-    free( ctx );
-}
-
-const md_info_t sha512_info = {
-    POLARSSL_MD_SHA512,
-    "SHA512",
-    64,
-    sha512_starts_wrap,
-    sha512_update_wrap,
-    sha512_finish_wrap,
-    sha512_wrap,
-    sha512_file_wrap,
-    sha512_hmac_starts_wrap,
-    sha512_hmac_update_wrap,
-    sha512_hmac_finish_wrap,
-    sha512_hmac_reset_wrap,
-    sha512_hmac_wrap,
-    sha512_ctx_alloc,
-    sha512_ctx_free,
-};
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/md_wrap.h b/makerom/polarssl/md_wrap.h
deleted file mode 100644
index 43fc76fc..00000000
--- a/makerom/polarssl/md_wrap.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/**
- * \file md_wrap.h
- * 
- * \brief Message digest wrappers.
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_MD_WRAP_H
-#define POLARSSL_MD_WRAP_H
-
-#include "polarssl/config.h"
-#include "polarssl/md.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#if defined(POLARSSL_MD2_C)
-extern const md_info_t md2_info;
-#endif
-#if defined(POLARSSL_MD4_C)
-extern const md_info_t md4_info;
-#endif
-#if defined(POLARSSL_MD5_C)
-extern const md_info_t md5_info;
-#endif
-#if defined(POLARSSL_SHA1_C)
-extern const md_info_t sha1_info;
-#endif
-#if defined(POLARSSL_SHA2_C)
-extern const md_info_t sha224_info;
-extern const md_info_t sha256_info;
-#endif
-#if defined(POLARSSL_SHA4_C)
-extern const md_info_t sha384_info;
-extern const md_info_t sha512_info;
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* POLARSSL_MD_WRAP_H */
diff --git a/makerom/polarssl/net.h b/makerom/polarssl/net.h
deleted file mode 100644
index 88302ac0..00000000
--- a/makerom/polarssl/net.h
+++ /dev/null
@@ -1,159 +0,0 @@
-/**
- * \file net.h
- *
- * \brief Network communication functions
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_NET_H
-#define POLARSSL_NET_H
-
-#include <string.h>
-
-#define POLARSSL_ERR_NET_UNKNOWN_HOST                      -0x0056  /**< Failed to get an IP address for the given hostname. */
-#define POLARSSL_ERR_NET_SOCKET_FAILED                     -0x0042  /**< Failed to open a socket. */
-#define POLARSSL_ERR_NET_CONNECT_FAILED                    -0x0044  /**< The connection to the given server / port failed. */
-#define POLARSSL_ERR_NET_BIND_FAILED                       -0x0046  /**< Binding of the socket failed. */
-#define POLARSSL_ERR_NET_LISTEN_FAILED                     -0x0048  /**< Could not listen on the socket. */
-#define POLARSSL_ERR_NET_ACCEPT_FAILED                     -0x004A  /**< Could not accept the incoming connection. */
-#define POLARSSL_ERR_NET_RECV_FAILED                       -0x004C  /**< Reading information from the socket failed. */
-#define POLARSSL_ERR_NET_SEND_FAILED                       -0x004E  /**< Sending information through the socket failed. */
-#define POLARSSL_ERR_NET_CONN_RESET                        -0x0050  /**< Connection was reset by peer. */
-#define POLARSSL_ERR_NET_WANT_READ                         -0x0052  /**< Connection requires a read call. */
-#define POLARSSL_ERR_NET_WANT_WRITE                        -0x0054  /**< Connection requires a write call. */
-
-#define POLARSSL_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Initiate a TCP connection with host:port
- *
- * \param fd       Socket to use
- * \param host     Host to connect to
- * \param port     Port to connect to
- *
- * \return         0 if successful, or one of:
- *                      POLARSSL_ERR_NET_SOCKET_FAILED,
- *                      POLARSSL_ERR_NET_UNKNOWN_HOST,
- *                      POLARSSL_ERR_NET_CONNECT_FAILED
- */
-int net_connect( int *fd, const char *host, int port );
-
-/**
- * \brief          Create a listening socket on bind_ip:port.
- *                 If bind_ip == NULL, all interfaces are binded.
- *
- * \param fd       Socket to use
- * \param bind_ip  IP to bind to, can be NULL
- * \param port     Port number to use
- *
- * \return         0 if successful, or one of:
- *                      POLARSSL_ERR_NET_SOCKET_FAILED,
- *                      POLARSSL_ERR_NET_BIND_FAILED,
- *                      POLARSSL_ERR_NET_LISTEN_FAILED
- */
-int net_bind( int *fd, const char *bind_ip, int port );
-
-/**
- * \brief           Accept a connection from a remote client
- *
- * \param bind_fd   Relevant socket
- * \param client_fd Will contain the connected client socket
- * \param client_ip Will contain the client IP address
- *
- * \return          0 if successful, POLARSSL_ERR_NET_ACCEPT_FAILED, or
- *                  POLARSSL_ERR_NET_WOULD_BLOCK is bind_fd was set to
- *                  non-blocking and accept() is blocking.
- */
-int net_accept( int bind_fd, int *client_fd, void *client_ip );
-
-/**
- * \brief          Set the socket blocking
- *
- * \param fd       Socket to set
- *
- * \return         0 if successful, or a non-zero error code
- */
-int net_set_block( int fd );
-
-/**
- * \brief          Set the socket non-blocking
- *
- * \param fd       Socket to set
- *
- * \return         0 if successful, or a non-zero error code
- */
-int net_set_nonblock( int fd );
-
-/**
- * \brief          Portable usleep helper
- *
- * \param usec     Amount of microseconds to sleep
- *
- * \note           Real amount of time slept will not be less than
- *                 select()'s timeout granularity (typically, 10ms).
- */
-void net_usleep( unsigned long usec );
-
-/**
- * \brief          Read at most 'len' characters. If no error occurs,
- *                 the actual amount read is returned.
- *
- * \param ctx      Socket
- * \param buf      The buffer to write to
- * \param len      Maximum length of the buffer
- *
- * \return         This function returns the number of bytes received,
- *                 or a non-zero error code; POLARSSL_ERR_NET_WANT_READ
- *                 indicates read() is blocking.
- */
-int net_recv( void *ctx, unsigned char *buf, size_t len );
-
-/**
- * \brief          Write at most 'len' characters. If no error occurs,
- *                 the actual amount read is returned.
- *
- * \param ctx      Socket
- * \param buf      The buffer to read from
- * \param len      The length of the buffer
- *
- * \return         This function returns the number of bytes sent,
- *                 or a non-zero error code; POLARSSL_ERR_NET_WANT_WRITE
- *                 indicates write() is blocking.
- */
-int net_send( void *ctx, const unsigned char *buf, size_t len );
-
-/**
- * \brief          Gracefully shutdown the connection
- *
- * \param fd       The socket to close
- */
-void net_close( int fd );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* net.h */
diff --git a/makerom/polarssl/openssl.h b/makerom/polarssl/openssl.h
deleted file mode 100644
index 4423857d..00000000
--- a/makerom/polarssl/openssl.h
+++ /dev/null
@@ -1,136 +0,0 @@
-/**
- * \file openssl.h
- *
- * \brief OpenSSL wrapper (definitions, inline functions).
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- * OpenSSL wrapper contributed by David Barett
- */
-#ifndef POLARSSL_OPENSSL_H
-#define POLARSSL_OPENSSL_H
-
-#include "polarssl/aes.h"
-#include "polarssl/md5.h"
-#include "polarssl/rsa.h"
-#include "polarssl/sha1.h"
-
-#define AES_SIZE                16
-#define AES_BLOCK_SIZE          16
-#define AES_KEY                 aes_context
-#define MD5_CTX                 md5_context
-#define SHA_CTX                 sha1_context
-
-#define SHA1_Init( CTX ) \
-        sha1_starts( (CTX) )
-#define SHA1_Update(  CTX, BUF, LEN ) \
-        sha1_update( (CTX), (unsigned char *)(BUF), (LEN) )
-#define SHA1_Final( OUT, CTX ) \
-        sha1_finish( (CTX), (OUT) )
-
-#define MD5_Init( CTX ) \
-        md5_starts( (CTX) )
-#define MD5_Update( CTX, BUF, LEN ) \
-        md5_update( (CTX), (unsigned char *)(BUF), (LEN) )
-#define MD5_Final( OUT, CTX ) \
-        md5_finish( (CTX), (OUT) )
-
-#define AES_set_encrypt_key( KEY, KEYSIZE, CTX ) \
-        aes_setkey_enc( (CTX), (KEY), (KEYSIZE) )
-#define AES_set_decrypt_key( KEY, KEYSIZE, CTX ) \
-        aes_setkey_dec( (CTX), (KEY), (KEYSIZE) )
-#define AES_cbc_encrypt( INPUT, OUTPUT, LEN, CTX, IV, MODE ) \
-        aes_crypt_cbc( (CTX), (MODE), (LEN), (IV), (INPUT), (OUTPUT) )
-
-/*
- * RSA stuff follows. TODO: needs cleanup
- */
-inline int __RSA_Passthrough( void *output, void *input, int size )
-{
-    memcpy( output, input, size );
-    return size;
-}
-
-inline rsa_context* d2i_RSA_PUBKEY( void *ignore, unsigned char **bufptr,
-                                    int len )
-{
-    unsigned char *buffer = *(unsigned char **) bufptr;
-    rsa_context *rsa;
-    
-    /*
-     * Not a general-purpose parser: only parses public key from *exactly*
-     *   openssl genrsa -out privkey.pem 512 (or 1024)
-     *   openssl rsa -in privkey.pem -out privatekey.der -outform der
-     *   openssl rsa -in privkey.pem -out pubkey.der -outform der -pubout
-     *
-     * TODO: make a general-purpose parse
-     */
-    if( ignore != 0 || ( len != 94 && len != 162 ) )
-        return( 0 );
-
-    rsa = (rsa_context *) malloc( sizeof( rsa_rsa ) );
-    if( rsa == NULL )
-        return( 0 );
-
-    memset( rsa, 0, sizeof( rsa_context ) );
-
-    if( ( len ==  94 && 
-          mpi_read_binary( &rsa->N, &buffer[ 25],  64 ) == 0 &&
-          mpi_read_binary( &rsa->E, &buffer[ 91],   3 ) == 0 ) ||
-        ( len == 162 &&
-          mpi_read_binary( &rsa->N, &buffer[ 29], 128 ) == 0 ) &&
-          mpi_read_binary( &rsa->E, &buffer[159],   3 ) == 0 )
-    {
-        /*
-         * key read successfully
-         */
-        rsa->len = ( mpi_msb( &rsa->N ) + 7 ) >> 3;
-        return( rsa );
-    }
-    else
-    {
-        memset( rsa, 0, sizeof( rsa_context ) );
-        free( rsa );
-        return( 0 );
-    }
-}
-
-#define RSA                     rsa_context
-#define RSA_PKCS1_PADDING       1 /* ignored; always encrypt with this */
-#define RSA_size( CTX )         (CTX)->len
-#define RSA_free( CTX )         rsa_free( CTX )
-#define ERR_get_error( )        "ERR_get_error() not supported"
-#define RSA_blinding_off( IGNORE )
-
-#define d2i_RSAPrivateKey( a, b, c ) new rsa_context /* TODO: C++ bleh */
-
-inline int RSA_public_decrypt ( int size, unsigned char* input, unsigned char* output, RSA* key, int ignore ) { int outsize=size; if( !rsa_pkcs1_decrypt( key, RSA_PUBLIC,  &outsize, input, output ) ) return outsize; else return -1; }
-inline int RSA_private_decrypt( int size, unsigned char* input, unsigned char* output, RSA* key, int ignore ) { int outsize=size; if( !rsa_pkcs1_decrypt( key, RSA_PRIVATE, &outsize, input, output ) ) return outsize; else return -1; }
-inline int RSA_public_encrypt ( int size, unsigned char* input, unsigned char* output, RSA* key, int ignore ) { if( !rsa_pkcs1_encrypt( key, RSA_PUBLIC,  size, input, output ) ) return RSA_size(key); else return -1; }
-inline int RSA_private_encrypt( int size, unsigned char* input, unsigned char* output, RSA* key, int ignore ) { if( !rsa_pkcs1_encrypt( key, RSA_PRIVATE, size, input, output ) ) return RSA_size(key); else return -1; }
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* openssl.h */
diff --git a/makerom/polarssl/padlock.c b/makerom/polarssl/padlock.c
deleted file mode 100644
index 9ddac15e..00000000
--- a/makerom/polarssl/padlock.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- *  VIA PadLock support functions
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  This implementation is based on the VIA PadLock Programming Guide:
- *
- *  http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
- *  programming_guide.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_PADLOCK_C)
-
-#include "polarssl/padlock.h"
-
-#if defined(POLARSSL_HAVE_X86)
-
-/*
- * PadLock detection routine
- */
-int padlock_supports( int feature )
-{
-    static int flags = -1;
-    int ebx, edx;
-
-    if( flags == -1 )
-    {
-        __asm__( "movl  %%ebx, %0           \n"     \
-             "movl  $0xC0000000, %%eax  \n"     \
-             "cpuid                     \n"     \
-             "cmpl  $0xC0000001, %%eax  \n"     \
-             "movl  $0, %%edx           \n"     \
-             "jb    unsupported         \n"     \
-             "movl  $0xC0000001, %%eax  \n"     \
-             "cpuid                     \n"     \
-             "unsupported:              \n"     \
-             "movl  %%edx, %1           \n"     \
-             "movl  %2, %%ebx           \n"
-             : "=m" (ebx), "=m" (edx)
-             :  "m" (ebx)
-             : "eax", "ecx", "edx" );
-
-        flags = edx;
-    }
-
-    return( flags & feature );
-}
-
-/*
- * PadLock AES-ECB block en(de)cryption
- */
-int padlock_xcryptecb( aes_context *ctx,
-                       int mode,
-                       const unsigned char input[16],
-                       unsigned char output[16] )
-{
-    int ebx;
-    uint32_t *rk;
-    uint32_t *blk;
-    uint32_t *ctrl;
-    unsigned char buf[256];
-
-    rk  = ctx->rk;
-    blk = PADLOCK_ALIGN16( buf );
-    memcpy( blk, input, 16 );
-
-     ctrl = blk + 4;
-    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode^1 ) - 10 ) << 9 );
-
-    __asm__( "pushfl; popfl         \n"     \
-         "movl    %%ebx, %0     \n"     \
-         "movl    $1, %%ecx     \n"     \
-         "movl    %2, %%edx     \n"     \
-         "movl    %3, %%ebx     \n"     \
-         "movl    %4, %%esi     \n"     \
-         "movl    %4, %%edi     \n"     \
-         ".byte  0xf3,0x0f,0xa7,0xc8\n" \
-         "movl    %1, %%ebx     \n"
-         : "=m" (ebx)
-         :  "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
-         : "ecx", "edx", "esi", "edi" );
-
-    memcpy( output, blk, 16 );
-
-    return( 0 );
-}
-
-/*
- * PadLock AES-CBC buffer en(de)cryption
- */
-int padlock_xcryptcbc( aes_context *ctx,
-                       int mode,
-                       size_t length,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int ebx;
-    size_t count;
-    uint32_t *rk;
-    uint32_t *iw;
-    uint32_t *ctrl;
-    unsigned char buf[256];
-
-    if( ( (long) input  & 15 ) != 0 ||
-        ( (long) output & 15 ) != 0 )
-        return( POLARSSL_ERR_PADLOCK_DATA_MISALIGNED );
-
-    rk = ctx->rk;
-    iw = PADLOCK_ALIGN16( buf );
-    memcpy( iw, iv, 16 );
-
-     ctrl = iw + 4;
-    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + (mode^1) - 10 ) << 9 );
-
-    count = (length + 15) >> 4;
-
-    __asm__( "pushfl; popfl         \n"     \
-         "movl    %%ebx, %0     \n"     \
-         "movl    %2, %%ecx     \n"     \
-         "movl    %3, %%edx     \n"     \
-         "movl    %4, %%ebx     \n"     \
-         "movl    %5, %%esi     \n"     \
-         "movl    %6, %%edi     \n"     \
-         "movl    %7, %%eax     \n"     \
-         ".byte  0xf3,0x0f,0xa7,0xd0\n" \
-         "movl    %1, %%ebx     \n"
-         : "=m" (ebx)
-         :  "m" (ebx), "m" (count), "m" (ctrl),
-            "m"  (rk), "m" (input), "m" (output), "m" (iw)
-         : "eax", "ecx", "edx", "esi", "edi" );
-
-    memcpy( iv, iw, 16 );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/padlock.h b/makerom/polarssl/padlock.h
deleted file mode 100644
index 48f5f624..00000000
--- a/makerom/polarssl/padlock.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/**
- * \file padlock.h
- *
- * \brief VIA PadLock ACE for HW encryption/decryption supported by some processors
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_PADLOCK_H
-#define POLARSSL_PADLOCK_H
-
-#include "polarssl/aes.h"
-
-#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
-
-#if defined(POLARSSL_HAVE_ASM) && defined(__GNUC__) && defined(__i386__)
-
-#ifndef POLARSSL_HAVE_X86
-#define POLARSSL_HAVE_X86
-#endif
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef INT32 int32_t;
-#else
-#include <inttypes.h>
-#endif
-
-
-#define PADLOCK_RNG 0x000C
-#define PADLOCK_ACE 0x00C0
-#define PADLOCK_PHE 0x0C00
-#define PADLOCK_PMM 0x3000
-
-#define PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) x & ~15))
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          PadLock detection routine
- *
- * \param          The feature to detect
- *
- * \return         1 if CPU has support for the feature, 0 otherwise
- */
-int padlock_supports( int feature );
-
-/**
- * \brief          PadLock AES-ECB block en(de)cryption
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param input    16-byte input block
- * \param output   16-byte output block
- *
- * \return         0 if success, 1 if operation failed
- */
-int padlock_xcryptecb( aes_context *ctx,
-                       int mode,
-                       const unsigned char input[16],
-                       unsigned char output[16] );
-
-/**
- * \brief          PadLock AES-CBC buffer en(de)cryption
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if success, 1 if operation failed
- */
-int padlock_xcryptcbc( aes_context *ctx,
-                       int mode,
-                       size_t length,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* HAVE_X86  */
-
-#endif /* padlock.h */
diff --git a/makerom/polarssl/pbkdf2.h b/makerom/polarssl/pbkdf2.h
deleted file mode 100644
index 2a1f4ba2..00000000
--- a/makerom/polarssl/pbkdf2.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/**
- * \file pbkdf2.h
- *
- * \brief Password-Based Key Derivation Function 2 (from PKCS#5)
- *        DEPRECATED: use pkcs5.h instead.
- *
- * \author Mathias Olsson <mathias@kompetensum.com>
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_PBKDF2_H
-#define POLARSSL_PBKDF2_H
-
-#include <string.h>
-
-#include "polarssl/md.h"
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define POLARSSL_ERR_PBKDF2_BAD_INPUT_DATA                 -0x007C  /**< Bad input parameters to function. */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          PKCS#5 PBKDF2 using HMAC
- *                 DEPRECATED: Use pkcs5_pbkdf2_hmac() instead!
- *
- * \param ctx      Generic HMAC context
- * \param password Password to use when generating key
- * \param plen     Length of password
- * \param salt     Salt to use when generating key
- * \param slen     Length of salt
- * \param iteration_count       Iteration count
- * \param key_length            Length of generated key
- * \param output   Generated key. Must be at least as big as key_length
- *
- * \returns        0 on success, or a PolarSSL error code if verification fails.
- */
-int pbkdf2_hmac( md_context_t *ctx, const unsigned char *password,
-                 size_t plen, const unsigned char *salt, size_t slen,
-                 unsigned int iteration_count,
-                 uint32_t key_length, unsigned char *output );
-
-/**
- * \brief          Checkup routine
- *                 DEPRECATED: Use pkcs5_self_test() instead!
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int pbkdf2_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* pbkdf2.h */
diff --git a/makerom/polarssl/pem.h b/makerom/polarssl/pem.h
deleted file mode 100644
index e95dc10a..00000000
--- a/makerom/polarssl/pem.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/**
- * \file pem.h
- *
- * \brief Privacy Enhanced Mail (PEM) decoding
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_PEM_H
-#define POLARSSL_PEM_H
-
-#include <string.h>
-
-/**
- * \name PEM Error codes
- * These error codes are returned in case of errors reading the
- * PEM data.
- * \{
- */
-#define POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT          -0x1080  /**< No PEM header or footer found. */
-#define POLARSSL_ERR_PEM_INVALID_DATA                      -0x1100  /**< PEM string is not as expected. */
-#define POLARSSL_ERR_PEM_MALLOC_FAILED                     -0x1180  /**< Failed to allocate memory. */
-#define POLARSSL_ERR_PEM_INVALID_ENC_IV                    -0x1200  /**< RSA IV is not in hex-format. */
-#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG                   -0x1280  /**< Unsupported key encryption algorithm. */
-#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED                 -0x1300  /**< Private key password can't be empty. */
-#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH                 -0x1380  /**< Given private key password does not allow for correct decryption. */
-#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE               -0x1400  /**< Unavailable feature, e.g. hashing/encryption combination. */
-#define POLARSSL_ERR_PEM_BAD_INPUT_DATA                    -0x1480  /**< Bad input parameters to function. */
-/* \} name */
-
-/**
- * \brief       PEM context structure
- */
-typedef struct
-{
-    unsigned char *buf;     /*!< buffer for decoded data             */
-    size_t buflen;          /*!< length of the buffer                */
-    unsigned char *info;    /*!< buffer for extra header information */
-}
-pem_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief       PEM context setup
- *
- * \param ctx   context to be initialized
- */
-void pem_init( pem_context *ctx );
-
-/**
- * \brief       Read a buffer for PEM information and store the resulting
- *              data into the specified context buffers.
- *
- * \param ctx       context to use
- * \param header    header string to seek and expect
- * \param footer    footer string to seek and expect
- * \param data      source data to look in
- * \param pwd       password for decryption (can be NULL)
- * \param pwdlen    length of password
- * \param use_len   destination for total length used (set after header is
- *                  correctly read, so unless you get
- *                  POLARSSL_ERR_PEM_BAD_INPUT_DATA or
- *                  POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
- *                  the length to skip)
- *
- * \return          0 on success, ior a specific PEM error code
- */
-int pem_read_buffer( pem_context *ctx, char *header, char *footer,
-                     const unsigned char *data,
-                     const unsigned char *pwd,
-                     size_t pwdlen, size_t *use_len );
-
-/**
- * \brief       PEM context memory freeing
- *
- * \param ctx   context to be freed
- */
-void pem_free( pem_context *ctx );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* pem.h */
diff --git a/makerom/polarssl/pkcs11.h b/makerom/polarssl/pkcs11.h
deleted file mode 100644
index 3e95392d..00000000
--- a/makerom/polarssl/pkcs11.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/**
- * \file pkcs11.h
- *
- * \brief Wrapper for PKCS#11 library libpkcs11-helper
- *
- * \author Adriaan de Jong <dejong@fox-it.com>
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_PKCS11_H
-#define POLARSSL_PKCS11_H
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_PKCS11_C)
-
-#include "polarssl/x509.h"
-
-#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
-
-#if defined(_MSC_VER) && !defined(inline)
-#define inline _inline
-#else
-#if defined(__ARMCC_VERSION) && !defined(inline)
-#define inline __inline
-#endif /* __ARMCC_VERSION */
-#endif /*_MSC_VER */
-
-/**
- * Context for PKCS #11 private keys.
- */
-typedef struct {
-        pkcs11h_certificate_t pkcs11h_cert;
-        int len;
-} pkcs11_context;
-
-/**
- * Fill in a PolarSSL certificate, based on the given PKCS11 helper certificate.
- *
- * \param cert          X.509 certificate to fill
- * \param pkcs11h_cert  PKCS #11 helper certificate
- *
- * \return              0 on success.
- */
-int pkcs11_x509_cert_init( x509_cert *cert, pkcs11h_certificate_t pkcs11h_cert );
-
-/**
- * Initialise a pkcs11_context, storing the given certificate. Note that the
- * pkcs11_context will take over control of the certificate, freeing it when
- * done.
- *
- * \param priv_key      Private key structure to fill.
- * \param pkcs11_cert   PKCS #11 helper certificate
- *
- * \return              0 on success
- */
-int pkcs11_priv_key_init( pkcs11_context *priv_key,
-        pkcs11h_certificate_t pkcs11_cert );
-
-/**
- * Free the contents of the given private key context. Note that the structure
- * itself is not freed.
- *
- * \param priv_key      Private key structure to cleanup
- */
-void pkcs11_priv_key_free( pkcs11_context *priv_key );
-
-/**
- * \brief          Do an RSA private key decrypt, then remove the message padding
- *
- * \param ctx      PKCS #11 context
- * \param mode     must be RSA_PRIVATE, for compatibility with rsa.c's signature
- * \param input    buffer holding the encrypted data
- * \param output   buffer that will hold the plaintext
- * \param olen     will contain the plaintext length
- * \param output_max_len    maximum length of the output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- *                 an error is thrown.
- */
-int pkcs11_decrypt( pkcs11_context *ctx,
-                       int mode, size_t *olen,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       size_t output_max_len );
-
-/**
- * \brief          Do a private RSA to sign a message digest
- *
- * \param ctx      PKCS #11 context
- * \param mode     must be RSA_PRIVATE, for compatibility with rsa.c's signature
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer that will hold the ciphertext
- *
- * \return         0 if the signing operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int pkcs11_sign( pkcs11_context *ctx,
-                    int mode,
-                    int hash_id,
-                    unsigned int hashlen,
-                    const unsigned char *hash,
-                    unsigned char *sig );
-
-/**
- * SSL/TLS wrappers for PKCS#11 functions
- */
-static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
-                        const unsigned char *input, unsigned char *output,
-                        size_t output_max_len )
-{
-    return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output,
-                           output_max_len );
-}
-
-static inline int ssl_pkcs11_sign( void *ctx, 
-                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                     int mode, int hash_id, unsigned int hashlen,
-                     const unsigned char *hash, unsigned char *sig )
-{
-    ((void) f_rng);
-    ((void) p_rng);
-    return pkcs11_sign( (pkcs11_context *) ctx, mode, hash_id,
-                        hashlen, hash, sig );
-}
-
-static inline size_t ssl_pkcs11_key_len( void *ctx )
-{
-    return ( (pkcs11_context *) ctx )->len;
-}
-
-#endif /* POLARSSL_PKCS11_C */
-
-#endif /* POLARSSL_PKCS11_H */
diff --git a/makerom/polarssl/pkcs12.h b/makerom/polarssl/pkcs12.h
deleted file mode 100644
index ef559bde..00000000
--- a/makerom/polarssl/pkcs12.h
+++ /dev/null
@@ -1,131 +0,0 @@
-/**
- * \file pkcs12.h
- *
- * \brief PKCS#12 Personal Information Exchange Syntax
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_PKCS12_H
-#define POLARSSL_PKCS12_H
-
-#include <string.h>
-
-#include "polarssl/md.h"
-#include "polarssl/cipher.h"
-#include "polarssl/asn1.h"
-
-#define POLARSSL_ERR_PKCS12_BAD_INPUT_DATA                 -0x1F80  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE            -0x1F00  /**< Feature not available, e.g. unsupported encryption scheme. */
-#define POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT             -0x1E80  /**< PBE ASN.1 data not as expected. */
-#define POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH              -0x1E00  /**< Given private key password does not allow for correct decryption. */
-
-#define PKCS12_DERIVE_KEY       1   /*< encryption/decryption key */
-#define PKCS12_DERIVE_IV        2   /*< initialization vector     */
-#define PKCS12_DERIVE_MAC_KEY   3   /*< integrity / MAC key       */
-
-#define PKCS12_PBE_DECRYPT      0
-#define PKCS12_PBE_ENCRYPT      1
-
-/*
- * PKCS#12 PBE types
- */
-#define OID_PKCS12               "\x2a\x86\x48\x86\xf7\x0d\x01\x0c"
-#define OID_PKCS12_PBE_SHA1_RC4_128         OID_PKCS12 "\x01\x01"
-#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC    OID_PKCS12 "\x01\x03"
-#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC    OID_PKCS12 "\x01\x04"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief            PKCS12 Password Based function (encryption / decryption)
- *                   for pbeWithSHAAnd128BitRC4
- *
- * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
- * \param mode       either PKCS12_PBE_ENCRYPT or PKCS12_PBE_DECRYPT
- * \param pwd        the password used (may be NULL if no password is used)
- * \param pwdlen     length of the password (may be 0)
- * \param input      the input data
- * \param len        data length
- * \param output     the output buffer
- *
- * \return           0 if successful, or a PolarSSL error code
- */
-int pkcs12_pbe_sha1_rc4_128( asn1_buf *pbe_params, int mode,
-                             const unsigned char *pwd,  size_t pwdlen,
-                             const unsigned char *input, size_t len,
-                             unsigned char *output );
-
-/**
- * \brief            PKCS12 Password Based function (encryption / decryption)
- *                   for cipher-based and md-based PBE's
- *
- * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
- * \param mode       either PKCS12_PBE_ENCRYPT or PKCS12_PBE_DECRYPT
- * \param cipher_type the cipher used
- * \param md_type     the md used
- * \param pwd        the password used (may be NULL if no password is used)
- * \param pwdlen     length of the password (may be 0)
- * \param input      the input data
- * \param len        data length
- * \param output     the output buffer
- *
- * \return           0 if successful, or a PolarSSL error code
- */
-int pkcs12_pbe( asn1_buf *pbe_params, int mode,
-                cipher_type_t cipher_type, md_type_t md_type,
-                const unsigned char *pwd,  size_t pwdlen,
-                const unsigned char *input, size_t len,
-                unsigned char *output );
-
-/**
- * \brief            The PKCS#12 derivation function uses a password and a salt
- *                   to produce pseudo-random bits for a particular "purpose".
- *
- *                   Depending on the given id, this function can produce an
- *                   encryption/decryption key, an nitialization vector or an
- *                   integrity key.
- *
- * \param data       buffer to store the derived data in
- * \param datalen    length to fill
- * \param pwd        password to use (may be NULL if no password is used)
- * \param pwdlen     length of the password (may be 0)
- * \param salt       salt buffer to use
- * \param saltlen    length of the salt
- * \param md         md type to use during the derivation
- * \param id         id that describes the purpose (can be PKCS12_DERIVE_KEY,
- *                   PKCS12_DERIVE_IV or PKCS12_DERIVE_MAC_KEY)
- * \param iterations number of iterations
- *
- * \return          0 if successful, or a MD, BIGNUM type error.
- */
-int pkcs12_derivation( unsigned char *data, size_t datalen,
-                       const unsigned char *pwd, size_t pwdlen,
-                       const unsigned char *salt, size_t saltlen,
-                       md_type_t md, int id, int iterations );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* pkcs12.h */
diff --git a/makerom/polarssl/pkcs5.h b/makerom/polarssl/pkcs5.h
deleted file mode 100644
index 18f1a4be..00000000
--- a/makerom/polarssl/pkcs5.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/**
- * \file pkcs#5.h
- *
- * \brief PKCS#5 functions
- *
- * \author Mathias Olsson <mathias@kompetensum.com>
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_PKCS5_H
-#define POLARSSL_PKCS5_H
-
-#include <string.h>
-
-#include "polarssl/asn1.h"
-#include "polarssl/md.h"
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA                  -0x3f80  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_PKCS5_INVALID_FORMAT                  -0x3f00  /**< Unexpected ASN.1 data. */
-#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE             -0x3e80  /**< Requested encryption or digest alg not available. */
-#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH               -0x3e00  /**< Given private key password does not allow for correct decryption. */
-
-#define PKCS5_DECRYPT      0
-#define PKCS5_ENCRYPT      1
-
-/*
- * PKCS#5 OIDs
- */
-#define OID_PKCS5               "\x2a\x86\x48\x86\xf7\x0d\x01\x05"
-#define OID_PKCS5_PBES2         OID_PKCS5 "\x0d"
-#define OID_PKCS5_PBKDF2        OID_PKCS5 "\x0c"
-
-/*
- * Encryption Algorithm OIDs
- */
-#define OID_DES_CBC             "\x2b\x0e\x03\x02\x07"
-#define OID_DES_EDE3_CBC        "\x2a\x86\x48\x86\xf7\x0d\x03\x07"
-
-/*
- * Digest Algorithm OIDs
- */
-#define OID_HMAC_SHA1           "\x2a\x86\x48\x86\xf7\x0d\x02\x07"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          PKCS#5 PBES2 function
- *
- * \param pbe_params the ASN.1 algorithm parameters
- * \param mode       either PKCS5_DECRYPT or PKCS5_ENCRYPT
- * \param pwd        password to use when generating key
- * \param plen       length of password
- * \param data       data to process
- * \param datalen    length of data
- * \param output     output buffer
- *
- * \returns        0 on success, or a PolarSSL error code if verification fails.
- */
-int pkcs5_pbes2( asn1_buf *pbe_params, int mode,
-                 const unsigned char *pwd,  size_t pwdlen,
-                 const unsigned char *data, size_t datalen,
-                 unsigned char *output );
-
-/**
- * \brief          PKCS#5 PBKDF2 using HMAC
- *
- * \param ctx      Generic HMAC context
- * \param password Password to use when generating key
- * \param plen     Length of password
- * \param salt     Salt to use when generating key
- * \param slen     Length of salt
- * \param iteration_count       Iteration count
- * \param key_length            Length of generated key
- * \param output   Generated key. Must be at least as big as key_length
- *
- * \returns        0 on success, or a PolarSSL error code if verification fails.
- */
-int pkcs5_pbkdf2_hmac( md_context_t *ctx, const unsigned char *password,
-                       size_t plen, const unsigned char *salt, size_t slen,
-                       unsigned int iteration_count,
-                       uint32_t key_length, unsigned char *output );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int pkcs5_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* pkcs5.h */
diff --git a/makerom/polarssl/rsa.c b/makerom/polarssl/rsa.c
index e53d9a2e..5b2d6e02 100644
--- a/makerom/polarssl/rsa.c
+++ b/makerom/polarssl/rsa.c
@@ -1012,7 +1012,7 @@ int rsa_rsassa_pss_verify( rsa_context *ctx,
                            int hash_id,
                            unsigned int hashlen,
                            const unsigned char *hash,
-                           unsigned char *sig )
+                           const unsigned char *sig )
 {
     int ret;
     size_t siglen;
@@ -1143,7 +1143,7 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
                                  int hash_id,
                                  unsigned int hashlen,
                                  const unsigned char *hash,
-                                 unsigned char *sig )
+                                 const unsigned char *sig )
 {
     int ret;
     size_t len, siglen;
@@ -1251,7 +1251,7 @@ int rsa_pkcs1_verify( rsa_context *ctx,
                       int hash_id,
                       unsigned int hashlen,
                       const unsigned char *hash,
-                      unsigned char *sig )
+                      const unsigned char *sig )
 {
     switch( ctx->padding )
     {
diff --git a/makerom/polarssl/rsa.h b/makerom/polarssl/rsa.h
index 2424cc1f..9b9060fa 100644
--- a/makerom/polarssl/rsa.h
+++ b/makerom/polarssl/rsa.h
@@ -521,7 +521,7 @@ int rsa_pkcs1_verify( rsa_context *ctx,
                       int hash_id,
                       unsigned int hashlen,
                       const unsigned char *hash,
-                      unsigned char *sig );
+                      const unsigned char *sig );
 
 /**
  * \brief          Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
@@ -544,7 +544,7 @@ int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
                                  int hash_id,
                                  unsigned int hashlen,
                                  const unsigned char *hash,
-                                 unsigned char *sig );
+                                 const unsigned char *sig );
 
 /**
  * \brief          Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
@@ -574,7 +574,7 @@ int rsa_rsassa_pss_verify( rsa_context *ctx,
                            int hash_id,
                            unsigned int hashlen,
                            const unsigned char *hash,
-                           unsigned char *sig );
+                           const unsigned char *sig );
 
 /**
  * \brief          Free the components of an RSA key
diff --git a/makerom/polarssl/sha2.h b/makerom/polarssl/sha2.h
index 4f124721..cbc0724c 100644
--- a/makerom/polarssl/sha2.h
+++ b/makerom/polarssl/sha2.h
@@ -40,7 +40,6 @@ typedef UINT32 uint32_t;
 
 #define POLARSSL_ERR_SHA2_FILE_IO_ERROR                -0x0078  /**< Read/write error in file. */
 
-#if !defined(POLARSSL_SHA2_ALT)
 // Regular implementation
 //
 
@@ -95,10 +94,6 @@ void sha2_process( sha2_context *ctx, const unsigned char data[64] );
 }
 #endif
 
-#else  /* POLARSSL_SHA2_ALT */
-#include "polarssl/sha2_alt.h"
-#endif /* POLARSSL_SHA2_ALT */
-
 #ifdef __cplusplus
 extern "C" {
 #endif
diff --git a/makerom/polarssl/sha4.c b/makerom/polarssl/sha4.c
deleted file mode 100644
index 466420ab..00000000
--- a/makerom/polarssl/sha4.c
+++ /dev/null
@@ -1,760 +0,0 @@
-/*
- *  FIPS-180-2 compliant SHA-384/512 implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The SHA-512 Secure Hash Standard was published by NIST in 2002.
- *
- *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SHA4_C)
-
-#include "polarssl/sha4.h"
-
-#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
-#include <stdio.h>
-#endif
-
-#if !defined(POLARSSL_SHA4_ALT)
-
-/*
- * 64-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT64_BE
-#define GET_UINT64_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint64_t) (b)[(i)    ] << 56 )       \
-        | ( (uint64_t) (b)[(i) + 1] << 48 )       \
-        | ( (uint64_t) (b)[(i) + 2] << 40 )       \
-        | ( (uint64_t) (b)[(i) + 3] << 32 )       \
-        | ( (uint64_t) (b)[(i) + 4] << 24 )       \
-        | ( (uint64_t) (b)[(i) + 5] << 16 )       \
-        | ( (uint64_t) (b)[(i) + 6] <<  8 )       \
-        | ( (uint64_t) (b)[(i) + 7]       );      \
-}
-#endif
-
-#ifndef PUT_UINT64_BE
-#define PUT_UINT64_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 56 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 48 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >> 40 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n) >> 32 );       \
-    (b)[(i) + 4] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 5] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 6] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 7] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-/*
- * Round constants
- */
-static const uint64_t K[80] =
-{
-    UL64(0x428A2F98D728AE22),  UL64(0x7137449123EF65CD),
-    UL64(0xB5C0FBCFEC4D3B2F),  UL64(0xE9B5DBA58189DBBC),
-    UL64(0x3956C25BF348B538),  UL64(0x59F111F1B605D019),
-    UL64(0x923F82A4AF194F9B),  UL64(0xAB1C5ED5DA6D8118),
-    UL64(0xD807AA98A3030242),  UL64(0x12835B0145706FBE),
-    UL64(0x243185BE4EE4B28C),  UL64(0x550C7DC3D5FFB4E2),
-    UL64(0x72BE5D74F27B896F),  UL64(0x80DEB1FE3B1696B1),
-    UL64(0x9BDC06A725C71235),  UL64(0xC19BF174CF692694),
-    UL64(0xE49B69C19EF14AD2),  UL64(0xEFBE4786384F25E3),
-    UL64(0x0FC19DC68B8CD5B5),  UL64(0x240CA1CC77AC9C65),
-    UL64(0x2DE92C6F592B0275),  UL64(0x4A7484AA6EA6E483),
-    UL64(0x5CB0A9DCBD41FBD4),  UL64(0x76F988DA831153B5),
-    UL64(0x983E5152EE66DFAB),  UL64(0xA831C66D2DB43210),
-    UL64(0xB00327C898FB213F),  UL64(0xBF597FC7BEEF0EE4),
-    UL64(0xC6E00BF33DA88FC2),  UL64(0xD5A79147930AA725),
-    UL64(0x06CA6351E003826F),  UL64(0x142929670A0E6E70),
-    UL64(0x27B70A8546D22FFC),  UL64(0x2E1B21385C26C926),
-    UL64(0x4D2C6DFC5AC42AED),  UL64(0x53380D139D95B3DF),
-    UL64(0x650A73548BAF63DE),  UL64(0x766A0ABB3C77B2A8),
-    UL64(0x81C2C92E47EDAEE6),  UL64(0x92722C851482353B),
-    UL64(0xA2BFE8A14CF10364),  UL64(0xA81A664BBC423001),
-    UL64(0xC24B8B70D0F89791),  UL64(0xC76C51A30654BE30),
-    UL64(0xD192E819D6EF5218),  UL64(0xD69906245565A910),
-    UL64(0xF40E35855771202A),  UL64(0x106AA07032BBD1B8),
-    UL64(0x19A4C116B8D2D0C8),  UL64(0x1E376C085141AB53),
-    UL64(0x2748774CDF8EEB99),  UL64(0x34B0BCB5E19B48A8),
-    UL64(0x391C0CB3C5C95A63),  UL64(0x4ED8AA4AE3418ACB),
-    UL64(0x5B9CCA4F7763E373),  UL64(0x682E6FF3D6B2B8A3),
-    UL64(0x748F82EE5DEFB2FC),  UL64(0x78A5636F43172F60),
-    UL64(0x84C87814A1F0AB72),  UL64(0x8CC702081A6439EC),
-    UL64(0x90BEFFFA23631E28),  UL64(0xA4506CEBDE82BDE9),
-    UL64(0xBEF9A3F7B2C67915),  UL64(0xC67178F2E372532B),
-    UL64(0xCA273ECEEA26619C),  UL64(0xD186B8C721C0C207),
-    UL64(0xEADA7DD6CDE0EB1E),  UL64(0xF57D4F7FEE6ED178),
-    UL64(0x06F067AA72176FBA),  UL64(0x0A637DC5A2C898A6),
-    UL64(0x113F9804BEF90DAE),  UL64(0x1B710B35131C471B),
-    UL64(0x28DB77F523047D84),  UL64(0x32CAAB7B40C72493),
-    UL64(0x3C9EBE0A15C9BEBC),  UL64(0x431D67C49C100D4C),
-    UL64(0x4CC5D4BECB3E42B6),  UL64(0x597F299CFC657E2A),
-    UL64(0x5FCB6FAB3AD6FAEC),  UL64(0x6C44198C4A475817)
-};
-
-/*
- * SHA-512 context setup
- */
-void sha4_starts( sha4_context *ctx, int is384 )
-{
-    ctx->total[0] = 0;
-    ctx->total[1] = 0;
-
-    if( is384 == 0 )
-    {
-        /* SHA-512 */
-        ctx->state[0] = UL64(0x6A09E667F3BCC908);
-        ctx->state[1] = UL64(0xBB67AE8584CAA73B);
-        ctx->state[2] = UL64(0x3C6EF372FE94F82B);
-        ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
-        ctx->state[4] = UL64(0x510E527FADE682D1);
-        ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
-        ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
-        ctx->state[7] = UL64(0x5BE0CD19137E2179);
-    }
-    else
-    {
-        /* SHA-384 */
-        ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
-        ctx->state[1] = UL64(0x629A292A367CD507);
-        ctx->state[2] = UL64(0x9159015A3070DD17);
-        ctx->state[3] = UL64(0x152FECD8F70E5939);
-        ctx->state[4] = UL64(0x67332667FFC00B31);
-        ctx->state[5] = UL64(0x8EB44A8768581511);
-        ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
-        ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
-    }
-
-    ctx->is384 = is384;
-}
-
-static void sha4_process( sha4_context *ctx, const unsigned char data[128] )
-{
-    int i;
-    uint64_t temp1, temp2, W[80];
-    uint64_t A, B, C, D, E, F, G, H;
-
-#define  SHR(x,n) (x >> n)
-#define ROTR(x,n) (SHR(x,n) | (x << (64 - n)))
-
-#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^  SHR(x, 7))
-#define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^  SHR(x, 6))
-
-#define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
-#define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
-
-#define F0(x,y,z) ((x & y) | (z & (x | y)))
-#define F1(x,y,z) (z ^ (x & (y ^ z)))
-
-#define P(a,b,c,d,e,f,g,h,x,K)                  \
-{                                               \
-    temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
-    temp2 = S2(a) + F0(a,b,c);                  \
-    d += temp1; h = temp1 + temp2;              \
-}
-
-    for( i = 0; i < 16; i++ )
-    {
-        GET_UINT64_BE( W[i], data, i << 3 );
-    }
-
-    for( ; i < 80; i++ )
-    {
-        W[i] = S1(W[i -  2]) + W[i -  7] +
-               S0(W[i - 15]) + W[i - 16];
-    }
-
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-    E = ctx->state[4];
-    F = ctx->state[5];
-    G = ctx->state[6];
-    H = ctx->state[7];
-    i = 0;
-
-    do
-    {
-        P( A, B, C, D, E, F, G, H, W[i], K[i] ); i++;
-        P( H, A, B, C, D, E, F, G, W[i], K[i] ); i++;
-        P( G, H, A, B, C, D, E, F, W[i], K[i] ); i++;
-        P( F, G, H, A, B, C, D, E, W[i], K[i] ); i++;
-        P( E, F, G, H, A, B, C, D, W[i], K[i] ); i++;
-        P( D, E, F, G, H, A, B, C, W[i], K[i] ); i++;
-        P( C, D, E, F, G, H, A, B, W[i], K[i] ); i++;
-        P( B, C, D, E, F, G, H, A, W[i], K[i] ); i++;
-    }
-    while( i < 80 );
-
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-    ctx->state[4] += E;
-    ctx->state[5] += F;
-    ctx->state[6] += G;
-    ctx->state[7] += H;
-}
-
-/*
- * SHA-512 process buffer
- */
-void sha4_update( sha4_context *ctx, const unsigned char *input, size_t ilen )
-{
-    size_t fill;
-    unsigned int left;
-
-    if( ilen <= 0 )
-        return;
-
-    left = (unsigned int) (ctx->total[0] & 0x7F);
-    fill = 128 - left;
-
-    ctx->total[0] += (uint64_t) ilen;
-
-    if( ctx->total[0] < (uint64_t) ilen )
-        ctx->total[1]++;
-
-    if( left && ilen >= fill )
-    {
-        memcpy( (void *) (ctx->buffer + left), input, fill );
-        sha4_process( ctx, ctx->buffer );
-        input += fill;
-        ilen  -= fill;
-        left = 0;
-    }
-
-    while( ilen >= 128 )
-    {
-        sha4_process( ctx, input );
-        input += 128;
-        ilen  -= 128;
-    }
-
-    if( ilen > 0 )
-        memcpy( (void *) (ctx->buffer + left), input, ilen );
-}
-
-static const unsigned char sha4_padding[128] =
-{
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/*
- * SHA-512 final digest
- */
-void sha4_finish( sha4_context *ctx, unsigned char output[64] )
-{
-    size_t last, padn;
-    uint64_t high, low;
-    unsigned char msglen[16];
-
-    high = ( ctx->total[0] >> 61 )
-         | ( ctx->total[1] <<  3 );
-    low  = ( ctx->total[0] <<  3 );
-
-    PUT_UINT64_BE( high, msglen, 0 );
-    PUT_UINT64_BE( low,  msglen, 8 );
-
-    last = (size_t)( ctx->total[0] & 0x7F );
-    padn = ( last < 112 ) ? ( 112 - last ) : ( 240 - last );
-
-    sha4_update( ctx, sha4_padding, padn );
-    sha4_update( ctx, msglen, 16 );
-
-    PUT_UINT64_BE( ctx->state[0], output,  0 );
-    PUT_UINT64_BE( ctx->state[1], output,  8 );
-    PUT_UINT64_BE( ctx->state[2], output, 16 );
-    PUT_UINT64_BE( ctx->state[3], output, 24 );
-    PUT_UINT64_BE( ctx->state[4], output, 32 );
-    PUT_UINT64_BE( ctx->state[5], output, 40 );
-
-    if( ctx->is384 == 0 )
-    {
-        PUT_UINT64_BE( ctx->state[6], output, 48 );
-        PUT_UINT64_BE( ctx->state[7], output, 56 );
-    }
-}
-
-#endif /* !POLARSSL_SHA4_ALT */
-
-/*
- * output = SHA-512( input buffer )
- */
-void sha4( const unsigned char *input, size_t ilen,
-           unsigned char output[64], int is384 )
-{
-    sha4_context ctx;
-
-    sha4_starts( &ctx, is384 );
-    sha4_update( &ctx, input, ilen );
-    sha4_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha4_context ) );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * output = SHA-512( file contents )
- */
-int sha4_file( const char *path, unsigned char output[64], int is384 )
-{
-    FILE *f;
-    size_t n;
-    sha4_context ctx;
-    unsigned char buf[1024];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_SHA4_FILE_IO_ERROR );
-
-    sha4_starts( &ctx, is384 );
-
-    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
-        sha4_update( &ctx, buf, n );
-
-    sha4_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha4_context ) );
-
-    if( ferror( f ) != 0 )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_SHA4_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * SHA-512 HMAC context setup
- */
-void sha4_hmac_starts( sha4_context *ctx, const unsigned char *key, size_t keylen,
-                       int is384 )
-{
-    size_t i;
-    unsigned char sum[64];
-
-    if( keylen > 128 )
-    {
-        sha4( key, keylen, sum, is384 );
-        keylen = ( is384 ) ? 48 : 64;
-        key = sum;
-    }
-
-    memset( ctx->ipad, 0x36, 128 );
-    memset( ctx->opad, 0x5C, 128 );
-
-    for( i = 0; i < keylen; i++ )
-    {
-        ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
-        ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
-    }
-
-    sha4_starts( ctx, is384 );
-    sha4_update( ctx, ctx->ipad, 128 );
-
-    memset( sum, 0, sizeof( sum ) );
-}
-
-/*
- * SHA-512 HMAC process buffer
- */
-void sha4_hmac_update( sha4_context  *ctx,
-                       const unsigned char *input, size_t ilen )
-{
-    sha4_update( ctx, input, ilen );
-}
-
-/*
- * SHA-512 HMAC final digest
- */
-void sha4_hmac_finish( sha4_context *ctx, unsigned char output[64] )
-{
-    int is384, hlen;
-    unsigned char tmpbuf[64];
-
-    is384 = ctx->is384;
-    hlen = ( is384 == 0 ) ? 64 : 48;
-
-    sha4_finish( ctx, tmpbuf );
-    sha4_starts( ctx, is384 );
-    sha4_update( ctx, ctx->opad, 128 );
-    sha4_update( ctx, tmpbuf, hlen );
-    sha4_finish( ctx, output );
-
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
-}
-
-/*
- * SHA-512 HMAC context reset
- */
-void sha4_hmac_reset( sha4_context *ctx )
-{
-    sha4_starts( ctx, ctx->is384 );
-    sha4_update( ctx, ctx->ipad, 128 );
-}
-
-/*
- * output = HMAC-SHA-512( hmac key, input buffer )
- */
-void sha4_hmac( const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char output[64], int is384 )
-{
-    sha4_context ctx;
-
-    sha4_hmac_starts( &ctx, key, keylen, is384 );
-    sha4_hmac_update( &ctx, input, ilen );
-    sha4_hmac_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha4_context ) );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-/*
- * FIPS-180-2 test vectors
- */
-static unsigned char sha4_test_buf[3][113] = 
-{
-    { "abc" },
-    { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
-      "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
-    { "" }
-};
-
-static const int sha4_test_buflen[3] =
-{
-    3, 112, 1000
-};
-
-static const unsigned char sha4_test_sum[6][64] =
-{
-    /*
-     * SHA-384 test vectors
-     */
-    { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
-      0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
-      0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
-      0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
-      0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
-      0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
-    { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
-      0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
-      0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
-      0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
-      0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
-      0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
-    { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
-      0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
-      0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
-      0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
-      0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
-      0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
-
-    /*
-     * SHA-512 test vectors
-     */
-    { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
-      0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
-      0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
-      0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
-      0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
-      0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
-      0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
-      0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
-    { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
-      0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
-      0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
-      0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
-      0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
-      0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
-      0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
-      0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
-    { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
-      0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
-      0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
-      0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
-      0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
-      0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
-      0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
-      0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
-};
-
-/*
- * RFC 4231 test vectors
- */
-static unsigned char sha4_hmac_test_key[7][26] =
-{
-    { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
-      "\x0B\x0B\x0B\x0B" },
-    { "Jefe" },
-    { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-      "\xAA\xAA\xAA\xAA" },
-    { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
-      "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
-    { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
-      "\x0C\x0C\x0C\x0C" },
-    { "" }, /* 0xAA 131 times */
-    { "" }
-};
-
-static const int sha4_hmac_test_keylen[7] =
-{
-    20, 4, 20, 25, 20, 131, 131
-};
-
-static unsigned char sha4_hmac_test_buf[7][153] =
-{
-    { "Hi There" },
-    { "what do ya want for nothing?" },
-    { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
-    { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
-    { "Test With Truncation" },
-    { "Test Using Larger Than Block-Size Key - Hash Key First" },
-    { "This is a test using a larger than block-size key "
-      "and a larger than block-size data. The key needs to "
-      "be hashed before being used by the HMAC algorithm." }
-};
-
-static const int sha4_hmac_test_buflen[7] =
-{
-    8, 28, 50, 50, 20, 54, 152
-};
-
-static const unsigned char sha4_hmac_test_sum[14][64] =
-{
-    /*
-     * HMAC-SHA-384 test vectors
-     */
-    { 0xAF, 0xD0, 0x39, 0x44, 0xD8, 0x48, 0x95, 0x62,
-      0x6B, 0x08, 0x25, 0xF4, 0xAB, 0x46, 0x90, 0x7F,
-      0x15, 0xF9, 0xDA, 0xDB, 0xE4, 0x10, 0x1E, 0xC6,
-      0x82, 0xAA, 0x03, 0x4C, 0x7C, 0xEB, 0xC5, 0x9C,
-      0xFA, 0xEA, 0x9E, 0xA9, 0x07, 0x6E, 0xDE, 0x7F,
-      0x4A, 0xF1, 0x52, 0xE8, 0xB2, 0xFA, 0x9C, 0xB6 },
-    { 0xAF, 0x45, 0xD2, 0xE3, 0x76, 0x48, 0x40, 0x31,
-      0x61, 0x7F, 0x78, 0xD2, 0xB5, 0x8A, 0x6B, 0x1B,
-      0x9C, 0x7E, 0xF4, 0x64, 0xF5, 0xA0, 0x1B, 0x47,
-      0xE4, 0x2E, 0xC3, 0x73, 0x63, 0x22, 0x44, 0x5E,
-      0x8E, 0x22, 0x40, 0xCA, 0x5E, 0x69, 0xE2, 0xC7,
-      0x8B, 0x32, 0x39, 0xEC, 0xFA, 0xB2, 0x16, 0x49 },
-    { 0x88, 0x06, 0x26, 0x08, 0xD3, 0xE6, 0xAD, 0x8A,
-      0x0A, 0xA2, 0xAC, 0xE0, 0x14, 0xC8, 0xA8, 0x6F,
-      0x0A, 0xA6, 0x35, 0xD9, 0x47, 0xAC, 0x9F, 0xEB,
-      0xE8, 0x3E, 0xF4, 0xE5, 0x59, 0x66, 0x14, 0x4B,
-      0x2A, 0x5A, 0xB3, 0x9D, 0xC1, 0x38, 0x14, 0xB9,
-      0x4E, 0x3A, 0xB6, 0xE1, 0x01, 0xA3, 0x4F, 0x27 },
-    { 0x3E, 0x8A, 0x69, 0xB7, 0x78, 0x3C, 0x25, 0x85,
-      0x19, 0x33, 0xAB, 0x62, 0x90, 0xAF, 0x6C, 0xA7,
-      0x7A, 0x99, 0x81, 0x48, 0x08, 0x50, 0x00, 0x9C,
-      0xC5, 0x57, 0x7C, 0x6E, 0x1F, 0x57, 0x3B, 0x4E,
-      0x68, 0x01, 0xDD, 0x23, 0xC4, 0xA7, 0xD6, 0x79,
-      0xCC, 0xF8, 0xA3, 0x86, 0xC6, 0x74, 0xCF, 0xFB },
-    { 0x3A, 0xBF, 0x34, 0xC3, 0x50, 0x3B, 0x2A, 0x23,
-      0xA4, 0x6E, 0xFC, 0x61, 0x9B, 0xAE, 0xF8, 0x97 },
-    { 0x4E, 0xCE, 0x08, 0x44, 0x85, 0x81, 0x3E, 0x90,
-      0x88, 0xD2, 0xC6, 0x3A, 0x04, 0x1B, 0xC5, 0xB4,
-      0x4F, 0x9E, 0xF1, 0x01, 0x2A, 0x2B, 0x58, 0x8F,
-      0x3C, 0xD1, 0x1F, 0x05, 0x03, 0x3A, 0xC4, 0xC6,
-      0x0C, 0x2E, 0xF6, 0xAB, 0x40, 0x30, 0xFE, 0x82,
-      0x96, 0x24, 0x8D, 0xF1, 0x63, 0xF4, 0x49, 0x52 },
-    { 0x66, 0x17, 0x17, 0x8E, 0x94, 0x1F, 0x02, 0x0D,
-      0x35, 0x1E, 0x2F, 0x25, 0x4E, 0x8F, 0xD3, 0x2C,
-      0x60, 0x24, 0x20, 0xFE, 0xB0, 0xB8, 0xFB, 0x9A,
-      0xDC, 0xCE, 0xBB, 0x82, 0x46, 0x1E, 0x99, 0xC5,
-      0xA6, 0x78, 0xCC, 0x31, 0xE7, 0x99, 0x17, 0x6D,
-      0x38, 0x60, 0xE6, 0x11, 0x0C, 0x46, 0x52, 0x3E },
-
-    /*
-     * HMAC-SHA-512 test vectors
-     */
-    { 0x87, 0xAA, 0x7C, 0xDE, 0xA5, 0xEF, 0x61, 0x9D,
-      0x4F, 0xF0, 0xB4, 0x24, 0x1A, 0x1D, 0x6C, 0xB0,
-      0x23, 0x79, 0xF4, 0xE2, 0xCE, 0x4E, 0xC2, 0x78,
-      0x7A, 0xD0, 0xB3, 0x05, 0x45, 0xE1, 0x7C, 0xDE,
-      0xDA, 0xA8, 0x33, 0xB7, 0xD6, 0xB8, 0xA7, 0x02,
-      0x03, 0x8B, 0x27, 0x4E, 0xAE, 0xA3, 0xF4, 0xE4,
-      0xBE, 0x9D, 0x91, 0x4E, 0xEB, 0x61, 0xF1, 0x70,
-      0x2E, 0x69, 0x6C, 0x20, 0x3A, 0x12, 0x68, 0x54 },
-    { 0x16, 0x4B, 0x7A, 0x7B, 0xFC, 0xF8, 0x19, 0xE2,
-      0xE3, 0x95, 0xFB, 0xE7, 0x3B, 0x56, 0xE0, 0xA3,
-      0x87, 0xBD, 0x64, 0x22, 0x2E, 0x83, 0x1F, 0xD6,
-      0x10, 0x27, 0x0C, 0xD7, 0xEA, 0x25, 0x05, 0x54,
-      0x97, 0x58, 0xBF, 0x75, 0xC0, 0x5A, 0x99, 0x4A,
-      0x6D, 0x03, 0x4F, 0x65, 0xF8, 0xF0, 0xE6, 0xFD,
-      0xCA, 0xEA, 0xB1, 0xA3, 0x4D, 0x4A, 0x6B, 0x4B,
-      0x63, 0x6E, 0x07, 0x0A, 0x38, 0xBC, 0xE7, 0x37 },
-    { 0xFA, 0x73, 0xB0, 0x08, 0x9D, 0x56, 0xA2, 0x84,
-      0xEF, 0xB0, 0xF0, 0x75, 0x6C, 0x89, 0x0B, 0xE9,
-      0xB1, 0xB5, 0xDB, 0xDD, 0x8E, 0xE8, 0x1A, 0x36,
-      0x55, 0xF8, 0x3E, 0x33, 0xB2, 0x27, 0x9D, 0x39,
-      0xBF, 0x3E, 0x84, 0x82, 0x79, 0xA7, 0x22, 0xC8,
-      0x06, 0xB4, 0x85, 0xA4, 0x7E, 0x67, 0xC8, 0x07,
-      0xB9, 0x46, 0xA3, 0x37, 0xBE, 0xE8, 0x94, 0x26,
-      0x74, 0x27, 0x88, 0x59, 0xE1, 0x32, 0x92, 0xFB },
-    { 0xB0, 0xBA, 0x46, 0x56, 0x37, 0x45, 0x8C, 0x69,
-      0x90, 0xE5, 0xA8, 0xC5, 0xF6, 0x1D, 0x4A, 0xF7,
-      0xE5, 0x76, 0xD9, 0x7F, 0xF9, 0x4B, 0x87, 0x2D,
-      0xE7, 0x6F, 0x80, 0x50, 0x36, 0x1E, 0xE3, 0xDB,
-      0xA9, 0x1C, 0xA5, 0xC1, 0x1A, 0xA2, 0x5E, 0xB4,
-      0xD6, 0x79, 0x27, 0x5C, 0xC5, 0x78, 0x80, 0x63,
-      0xA5, 0xF1, 0x97, 0x41, 0x12, 0x0C, 0x4F, 0x2D,
-      0xE2, 0xAD, 0xEB, 0xEB, 0x10, 0xA2, 0x98, 0xDD },
-    { 0x41, 0x5F, 0xAD, 0x62, 0x71, 0x58, 0x0A, 0x53,
-      0x1D, 0x41, 0x79, 0xBC, 0x89, 0x1D, 0x87, 0xA6 },
-    { 0x80, 0xB2, 0x42, 0x63, 0xC7, 0xC1, 0xA3, 0xEB,
-      0xB7, 0x14, 0x93, 0xC1, 0xDD, 0x7B, 0xE8, 0xB4,
-      0x9B, 0x46, 0xD1, 0xF4, 0x1B, 0x4A, 0xEE, 0xC1,
-      0x12, 0x1B, 0x01, 0x37, 0x83, 0xF8, 0xF3, 0x52,
-      0x6B, 0x56, 0xD0, 0x37, 0xE0, 0x5F, 0x25, 0x98,
-      0xBD, 0x0F, 0xD2, 0x21, 0x5D, 0x6A, 0x1E, 0x52,
-      0x95, 0xE6, 0x4F, 0x73, 0xF6, 0x3F, 0x0A, 0xEC,
-      0x8B, 0x91, 0x5A, 0x98, 0x5D, 0x78, 0x65, 0x98 },
-    { 0xE3, 0x7B, 0x6A, 0x77, 0x5D, 0xC8, 0x7D, 0xBA,
-      0xA4, 0xDF, 0xA9, 0xF9, 0x6E, 0x5E, 0x3F, 0xFD,
-      0xDE, 0xBD, 0x71, 0xF8, 0x86, 0x72, 0x89, 0x86,
-      0x5D, 0xF5, 0xA3, 0x2D, 0x20, 0xCD, 0xC9, 0x44,
-      0xB6, 0x02, 0x2C, 0xAC, 0x3C, 0x49, 0x82, 0xB1,
-      0x0D, 0x5E, 0xEB, 0x55, 0xC3, 0xE4, 0xDE, 0x15,
-      0x13, 0x46, 0x76, 0xFB, 0x6D, 0xE0, 0x44, 0x60,
-      0x65, 0xC9, 0x74, 0x40, 0xFA, 0x8C, 0x6A, 0x58 }
-};
-
-/*
- * Checkup routine
- */
-int sha4_self_test( int verbose )
-{
-    int i, j, k, buflen;
-    unsigned char buf[1024];
-    unsigned char sha4sum[64];
-    sha4_context ctx;
-
-    for( i = 0; i < 6; i++ )
-    {
-        j = i % 3;
-        k = i < 3;
-
-        if( verbose != 0 )
-            printf( "  SHA-%d test #%d: ", 512 - k * 128, j + 1 );
-
-        sha4_starts( &ctx, k );
-
-        if( j == 2 )
-        {
-            memset( buf, 'a', buflen = 1000 );
-
-            for( j = 0; j < 1000; j++ )
-                sha4_update( &ctx, buf, buflen );
-        }
-        else
-            sha4_update( &ctx, sha4_test_buf[j],
-                               sha4_test_buflen[j] );
-
-        sha4_finish( &ctx, sha4sum );
-
-        if( memcmp( sha4sum, sha4_test_sum[i], 64 - k * 16 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    for( i = 0; i < 14; i++ )
-    {
-        j = i % 7;
-        k = i < 7;
-
-        if( verbose != 0 )
-            printf( "  HMAC-SHA-%d test #%d: ", 512 - k * 128, j + 1 );
-
-        if( j == 5 || j == 6 )
-        {
-            memset( buf, '\xAA', buflen = 131 );
-            sha4_hmac_starts( &ctx, buf, buflen, k );
-        }
-        else
-            sha4_hmac_starts( &ctx, sha4_hmac_test_key[j],
-                                    sha4_hmac_test_keylen[j], k );
-
-        sha4_hmac_update( &ctx, sha4_hmac_test_buf[j],
-                                sha4_hmac_test_buflen[j] );
-
-        sha4_hmac_finish( &ctx, sha4sum );
-
-        buflen = ( j == 4 ) ? 16 : 64 - k * 16;
-
-        if( memcmp( sha4sum, sha4_hmac_test_sum[i], buflen ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/sha4.h b/makerom/polarssl/sha4.h
deleted file mode 100644
index e2fd55a8..00000000
--- a/makerom/polarssl/sha4.h
+++ /dev/null
@@ -1,186 +0,0 @@
-/**
- * \file sha4.h
- *
- * \brief SHA-384 and SHA-512 cryptographic hash function
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_SHA4_H
-#define POLARSSL_SHA4_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#if defined(_MSC_VER) || defined(__WATCOMC__)
-  #define UL64(x) x##ui64
-  typedef unsigned __int64 uint64_t;
-#else
-  #include <inttypes.h>
-  #define UL64(x) x##ULL
-#endif
-
-#define POLARSSL_ERR_SHA4_FILE_IO_ERROR                -0x007A  /**< Read/write error in file. */
-
-#if !defined(POLARSSL_SHA1_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          SHA-512 context structure
- */
-typedef struct
-{
-    uint64_t total[2];          /*!< number of bytes processed  */
-    uint64_t state[8];          /*!< intermediate digest state  */
-    unsigned char buffer[128];  /*!< data block being processed */
-
-    unsigned char ipad[128];    /*!< HMAC: inner padding        */
-    unsigned char opad[128];    /*!< HMAC: outer padding        */
-    int is384;                  /*!< 0 => SHA-512, else SHA-384 */
-}
-sha4_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          SHA-512 context setup
- *
- * \param ctx      context to be initialized
- * \param is384    0 = use SHA512, 1 = use SHA384
- */
-void sha4_starts( sha4_context *ctx, int is384 );
-
-/**
- * \brief          SHA-512 process buffer
- *
- * \param ctx      SHA-512 context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha4_update( sha4_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          SHA-512 final digest
- *
- * \param ctx      SHA-512 context
- * \param output   SHA-384/512 checksum result
- */
-void sha4_finish( sha4_context *ctx, unsigned char output[64] );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_SHA4_ALT */
-#include "polarssl/sha4_alt.h"
-#endif /* POLARSSL_SHA4_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Output = SHA-512( input buffer )
- *
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   SHA-384/512 checksum result
- * \param is384    0 = use SHA512, 1 = use SHA384
- */
-void sha4( const unsigned char *input, size_t ilen,
-           unsigned char output[64], int is384 );
-
-/**
- * \brief          Output = SHA-512( file contents )
- *
- * \param path     input file name
- * \param output   SHA-384/512 checksum result
- * \param is384    0 = use SHA512, 1 = use SHA384
- *
- * \return         0 if successful, or POLARSSL_ERR_SHA4_FILE_IO_ERROR
- */
-int sha4_file( const char *path, unsigned char output[64], int is384 );
-
-/**
- * \brief          SHA-512 HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param is384    0 = use SHA512, 1 = use SHA384
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- */
-void sha4_hmac_starts( sha4_context *ctx, const unsigned char *key, size_t keylen,
-                       int is384 );
-
-/**
- * \brief          SHA-512 HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha4_hmac_update( sha4_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          SHA-512 HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   SHA-384/512 HMAC checksum result
- */
-void sha4_hmac_finish( sha4_context *ctx, unsigned char output[64] );
-
-/**
- * \brief          SHA-512 HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- */
-void sha4_hmac_reset( sha4_context *ctx );
-
-/**
- * \brief          Output = HMAC-SHA-512( hmac key, input buffer )
- *
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   HMAC-SHA-384/512 result
- * \param is384    0 = use SHA512, 1 = use SHA384
- */
-void sha4_hmac( const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char output[64], int is384 );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int sha4_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* sha4.h */
diff --git a/makerom/polarssl/ssl.h b/makerom/polarssl/ssl.h
deleted file mode 100644
index 5b2d9787..00000000
--- a/makerom/polarssl/ssl.h
+++ /dev/null
@@ -1,1140 +0,0 @@
-/**
- * \file ssl.h
- *
- * \brief SSL/TLS functions.
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_SSL_H
-#define POLARSSL_SSL_H
-
-#include <time.h>
-
-#include "polarssl/net.h"
-#include "polarssl/rsa.h"
-#include "polarssl/md5.h"
-#include "polarssl/sha1.h"
-#include "polarssl/sha2.h"
-#include "polarssl/sha4.h"
-#include "polarssl/x509.h"
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_DHM_C)
-#include "polarssl/dhm.h"
-#endif
-
-#if defined(POLARSSL_ZLIB_SUPPORT)
-#include "polarssl/zlib.h"
-#endif
-
-#if defined(_MSC_VER) && !defined(inline)
-#define inline _inline
-#else
-#if defined(__ARMCC_VERSION) && !defined(inline)
-#define inline __inline
-#endif /* __ARMCC_VERSION */
-#endif /*_MSC_VER */
-
-/*
- * SSL Error codes
- */
-#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
-#define POLARSSL_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
-#define POLARSSL_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
-#define POLARSSL_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
-#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
-#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
-#define POLARSSL_ERR_SSL_NO_SESSION_FOUND                  -0x7400  /**< No session to recover was found. */
-#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
-#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message.*/
-#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
-#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key is not set, but needed. */
-#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED                 -0x7680  /**< No CA Chain is set, but required to operate. */
-#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE                -0x7700  /**< An unexpected message was received from our peer. */
-#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE               -0x7780  /**< A fatal alert message was received from our peer. */
-#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED                -0x7800  /**< Verification of our peer failed. */
-#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY                 -0x7880  /**< The peer notified us that the connection is going to be closed. */
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO               -0x7900  /**< Processing of the ClientHello handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO               -0x7980  /**< Processing of the ServerHello handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE                -0x7A00  /**< Processing of the Certificate handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST        -0x7A80  /**< Processing of the CertificateRequest handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE        -0x7B00  /**< Processing of the ServerKeyExchange handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE          -0x7B80  /**< Processing of the ServerHelloDone handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE        -0x7C00  /**< Processing of the ClientKeyExchange handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_RP -0x7C80  /**< Processing of the ClientKeyExchange handshake message failed in DHM Read Public. */
-#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_DHM_CS -0x7D00  /**< Processing of the ClientKeyExchange handshake message failed in DHM Calculate Secret. */
-#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY         -0x7D80  /**< Processing of the CertificateVerify handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC         -0x7E00  /**< Processing of the ChangeCipherSpec handshake message failed. */
-#define POLARSSL_ERR_SSL_BAD_HS_FINISHED                   -0x7E80  /**< Processing of the Finished handshake message failed. */
-#define POLARSSL_ERR_SSL_MALLOC_FAILED                     -0x7F00  /**< Memory allocation failed */
-#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED                   -0x7F80  /**< Hardware acceleration function returned with error */
-#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH              -0x6F80  /**< Hardware acceleration function skipped / left alone data */
-#define POLARSSL_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
-#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
-
-/*
- * Various constants
- */
-#define SSL_MAJOR_VERSION_3             3
-#define SSL_MINOR_VERSION_0             0   /*!< SSL v3.0 */
-#define SSL_MINOR_VERSION_1             1   /*!< TLS v1.0 */
-#define SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
-#define SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
-
-#define SSL_IS_CLIENT                   0
-#define SSL_IS_SERVER                   1
-#define SSL_COMPRESS_NULL               0
-#define SSL_COMPRESS_DEFLATE            1
-
-#define SSL_VERIFY_NONE                 0
-#define SSL_VERIFY_OPTIONAL             1
-#define SSL_VERIFY_REQUIRED             2
-
-#define SSL_INITIAL_HANDSHAKE           0
-#define SSL_RENEGOTIATION               1
-
-#define SSL_LEGACY_RENEGOTIATION        0
-#define SSL_SECURE_RENEGOTIATION        1
-
-#define SSL_RENEGOTIATION_DISABLED      0
-#define SSL_RENEGOTIATION_ENABLED       1
-
-#define SSL_LEGACY_NO_RENEGOTIATION     0
-#define SSL_LEGACY_ALLOW_RENEGOTIATION  1
-#define SSL_LEGACY_BREAK_HANDSHAKE      2
-
-/*
- * Size of the input / output buffer.
- * Note: the RFC defines the default size of SSL / TLS messages. If you
- * change the value here, other clients / servers may not be able to
- * communicate with you anymore. Only change this value if you control
- * both sides of the connection and have it reduced at both sides!
- */
-#if !defined(POLARSSL_CONFIG_OPTIONS)
-#define SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
-#endif /* !POLARSSL_CONFIG_OPTIONS */
-
-/*
- * Allow an extra 512 bytes for the record header
- * and encryption overhead (counter + MAC + padding)
- * and allow for a maximum of 1024 of compression expansion if
- * enabled.
- */
-#if defined(POLARSSL_ZLIB_SUPPORT)
-#define SSL_COMPRESSION_ADD          1024
-#else
-#define SSL_COMPRESSION_ADD             0
-#endif
-
-#define SSL_BUFFER_LEN (SSL_MAX_CONTENT_LEN + SSL_COMPRESSION_ADD + 512)
-
-/*
- * Supported ciphersuites (Official IANA names)
- */
-#define TLS_RSA_WITH_NULL_MD5                    0x01   /**< Weak! */
-#define TLS_RSA_WITH_NULL_SHA                    0x02   /**< Weak! */
-#define TLS_RSA_WITH_NULL_SHA256                 0x3B   /**< Weak! */
-#define TLS_RSA_WITH_DES_CBC_SHA                 0x09   /**< Weak! Not in TLS 1.2 */
-#define TLS_DHE_RSA_WITH_DES_CBC_SHA             0x15   /**< Weak! Not in TLS 1.2 */
-
-#define TLS_RSA_WITH_RC4_128_MD5                 0x04
-#define TLS_RSA_WITH_RC4_128_SHA                 0x05
-
-#define TLS_RSA_WITH_3DES_EDE_CBC_SHA            0x0A
-#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        0x16
-
-#define TLS_RSA_WITH_AES_128_CBC_SHA             0x2F
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA         0x33
-#define TLS_RSA_WITH_AES_256_CBC_SHA             0x35
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA         0x39
-#define TLS_RSA_WITH_AES_128_CBC_SHA256          0x3C   /**< TLS 1.2 */
-#define TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D   /**< TLS 1.2 */
-#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      0x67   /**< TLS 1.2 */
-#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      0x6B   /**< TLS 1.2 */
-
-#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        0x41
-#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    0x45
-#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        0x84
-#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    0x88
-#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     0xBA   /**< TLS 1.2 */
-#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE   /**< TLS 1.2 */
-#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     0xC0   /**< TLS 1.2 */
-#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4   /**< TLS 1.2 */
-
-#define TLS_RSA_WITH_AES_128_GCM_SHA256          0x9C
-#define TLS_RSA_WITH_AES_256_GCM_SHA384          0x9D
-#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      0x9E
-#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      0x9F
-
-#define SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */ 
-
-/*
- * Supported Signature and Hash algorithms (For TLS 1.2)
- */
-#define SSL_HASH_NONE                0
-#define SSL_HASH_MD5                 1
-#define SSL_HASH_SHA1                2
-#define SSL_HASH_SHA224              3
-#define SSL_HASH_SHA256              4
-#define SSL_HASH_SHA384              5
-#define SSL_HASH_SHA512              6
-
-#define SSL_SIG_RSA                  1
-
-/*
- * Client Certificate Types
- */
-#define SSL_CERT_TYPE_RSA_SIGN       1
-
-/*
- * Message, alert and handshake types
- */
-#define SSL_MSG_CHANGE_CIPHER_SPEC     20
-#define SSL_MSG_ALERT                  21
-#define SSL_MSG_HANDSHAKE              22
-#define SSL_MSG_APPLICATION_DATA       23
-
-#define SSL_ALERT_LEVEL_WARNING         1
-#define SSL_ALERT_LEVEL_FATAL           2
-
-#define SSL_ALERT_MSG_CLOSE_NOTIFY           0  /* 0x00 */
-#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE    10  /* 0x0A */
-#define SSL_ALERT_MSG_BAD_RECORD_MAC        20  /* 0x14 */
-#define SSL_ALERT_MSG_DECRYPTION_FAILED     21  /* 0x15 */
-#define SSL_ALERT_MSG_RECORD_OVERFLOW       22  /* 0x16 */
-#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30  /* 0x1E */
-#define SSL_ALERT_MSG_HANDSHAKE_FAILURE     40  /* 0x28 */
-#define SSL_ALERT_MSG_NO_CERT               41  /* 0x29 */
-#define SSL_ALERT_MSG_BAD_CERT              42  /* 0x2A */
-#define SSL_ALERT_MSG_UNSUPPORTED_CERT      43  /* 0x2B */
-#define SSL_ALERT_MSG_CERT_REVOKED          44  /* 0x2C */
-#define SSL_ALERT_MSG_CERT_EXPIRED          45  /* 0x2D */
-#define SSL_ALERT_MSG_CERT_UNKNOWN          46  /* 0x2E */
-#define SSL_ALERT_MSG_ILLEGAL_PARAMETER     47  /* 0x2F */
-#define SSL_ALERT_MSG_UNKNOWN_CA            48  /* 0x30 */
-#define SSL_ALERT_MSG_ACCESS_DENIED         49  /* 0x31 */
-#define SSL_ALERT_MSG_DECODE_ERROR          50  /* 0x32 */
-#define SSL_ALERT_MSG_DECRYPT_ERROR         51  /* 0x33 */
-#define SSL_ALERT_MSG_EXPORT_RESTRICTION    60  /* 0x3C */
-#define SSL_ALERT_MSG_PROTOCOL_VERSION      70  /* 0x46 */
-#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71  /* 0x47 */
-#define SSL_ALERT_MSG_INTERNAL_ERROR        80  /* 0x50 */
-#define SSL_ALERT_MSG_USER_CANCELED         90  /* 0x5A */
-#define SSL_ALERT_MSG_NO_RENEGOTIATION     100  /* 0x64 */
-#define SSL_ALERT_MSG_UNSUPPORTED_EXT      110  /* 0x6E */
-#define SSL_ALERT_MSG_UNRECOGNIZED_NAME    112  /* 0x70 */
-
-#define SSL_HS_HELLO_REQUEST            0
-#define SSL_HS_CLIENT_HELLO             1
-#define SSL_HS_SERVER_HELLO             2
-#define SSL_HS_CERTIFICATE             11
-#define SSL_HS_SERVER_KEY_EXCHANGE     12
-#define SSL_HS_CERTIFICATE_REQUEST     13
-#define SSL_HS_SERVER_HELLO_DONE       14
-#define SSL_HS_CERTIFICATE_VERIFY      15
-#define SSL_HS_CLIENT_KEY_EXCHANGE     16
-#define SSL_HS_FINISHED                20
-
-/*
- * TLS extensions
- */
-#define TLS_EXT_SERVERNAME              0
-#define TLS_EXT_SERVERNAME_HOSTNAME     0
-
-#define TLS_EXT_SIG_ALG                13
-
-#define TLS_EXT_RENEGOTIATION_INFO 0xFF01
-
-
-/*
- * Generic function pointers for allowing external RSA private key
- * implementations.
- */
-typedef int (*rsa_decrypt_func)( void *ctx, int mode, size_t *olen,
-                        const unsigned char *input, unsigned char *output,
-                        size_t output_max_len ); 
-typedef int (*rsa_sign_func)( void *ctx,
-                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                     int mode, int hash_id, unsigned int hashlen,
-                     const unsigned char *hash, unsigned char *sig );
-typedef size_t (*rsa_key_len_func)( void *ctx );
-
-/*
- * SSL state machine
- */
-typedef enum
-{
-    SSL_HELLO_REQUEST,
-    SSL_CLIENT_HELLO,
-    SSL_SERVER_HELLO,
-    SSL_SERVER_CERTIFICATE,
-    SSL_SERVER_KEY_EXCHANGE,
-    SSL_CERTIFICATE_REQUEST,
-    SSL_SERVER_HELLO_DONE,
-    SSL_CLIENT_CERTIFICATE,
-    SSL_CLIENT_KEY_EXCHANGE,
-    SSL_CERTIFICATE_VERIFY,
-    SSL_CLIENT_CHANGE_CIPHER_SPEC,
-    SSL_CLIENT_FINISHED,
-    SSL_SERVER_CHANGE_CIPHER_SPEC,
-    SSL_SERVER_FINISHED,
-    SSL_FLUSH_BUFFERS,
-    SSL_HANDSHAKE_WRAPUP,
-    SSL_HANDSHAKE_OVER
-}
-ssl_states;
-
-typedef struct _ssl_session ssl_session;
-typedef struct _ssl_context ssl_context;
-typedef struct _ssl_transform ssl_transform;
-typedef struct _ssl_handshake_params ssl_handshake_params;
-
-/*
- * This structure is used for storing current session data.
- */
-struct _ssl_session
-{
-    time_t start;               /*!< starting time      */
-    int ciphersuite;            /*!< chosen ciphersuite */
-    int compression;            /*!< chosen compression */
-    size_t length;              /*!< session id length  */
-    unsigned char id[32];       /*!< session identifier */
-    unsigned char master[48];   /*!< the master secret  */
-    x509_cert *peer_cert;       /*!< peer X.509 cert chain */
-};
-
-/*
- * This structure contains a full set of runtime transform parameters
- * either in negotiation or active.
- */
-struct _ssl_transform
-{
-    /*
-     * Session specific crypto layer
-     */
-    unsigned int keylen;                /*!<  symmetric key length    */
-    size_t minlen;                      /*!<  min. ciphertext length  */
-    size_t ivlen;                       /*!<  IV length               */
-    size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
-    size_t maclen;                      /*!<  MAC length              */
-
-    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
-    unsigned char iv_dec[16];           /*!<  IV (decryption)         */
-
-    unsigned char mac_enc[32];          /*!<  MAC (encryption)        */
-    unsigned char mac_dec[32];          /*!<  MAC (decryption)        */
-
-    uint32_t ctx_enc[136];              /*!<  encryption context      */
-    uint32_t ctx_dec[136];              /*!<  decryption context      */
-
-    /*
-     * Session specific compression layer
-     */
-#if defined(POLARSSL_ZLIB_SUPPORT)
-    z_stream ctx_deflate;               /*!<  compression context     */
-    z_stream ctx_inflate;               /*!<  decompression context   */
-#endif
-};
-
-/*
- * This structure contains the parameters only needed during handshake.
- */
-struct _ssl_handshake_params
-{
-    /*
-     * Handshake specific crypto variables
-     */
-    int sig_alg;                        /*!<  Signature algorithm     */
-    int cert_type;                      /*!<  Requested cert type     */
-    int verify_sig_alg;                 /*!<  Signature algorithm for verify */
-#if defined(POLARSSL_DHM_C)
-    dhm_context dhm_ctx;                /*!<  DHM key exchange        */
-#endif
-
-    /*
-     * Checksum contexts
-     */
-     md5_context fin_md5;
-    sha1_context fin_sha1;
-    sha2_context fin_sha2;
-    sha4_context fin_sha4;
-
-    void (*update_checksum)(ssl_context *, unsigned char *, size_t);
-    void (*calc_verify)(ssl_context *, unsigned char *);
-    void (*calc_finished)(ssl_context *, unsigned char *, int);
-    int  (*tls_prf)(unsigned char *, size_t, char *,
-                    unsigned char *, size_t,
-                    unsigned char *, size_t);
-
-    size_t pmslen;                      /*!<  premaster length        */
-
-    unsigned char randbytes[64];        /*!<  random bytes            */
-    unsigned char premaster[POLARSSL_MPI_MAX_SIZE];
-                                        /*!<  premaster secret        */
-
-    int resume;                         /*!<  session resume indicator*/
-};
-
-struct _ssl_context
-{
-    /*
-     * Miscellaneous
-     */
-    int state;                  /*!< SSL handshake: current state     */
-    int renegotiation;          /*!< Initial or renegotiation         */
-
-    int major_ver;              /*!< equal to  SSL_MAJOR_VERSION_3    */
-    int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0)    */
-
-    int max_major_ver;          /*!< max. major version from client   */
-    int max_minor_ver;          /*!< max. minor version from client   */
-    int min_major_ver;          /*!< min. major version accepted      */
-    int min_minor_ver;          /*!< min. minor version accepted      */
-
-    /*
-     * Callbacks (RNG, debug, I/O, verification)
-     */
-    int  (*f_rng)(void *, unsigned char *, size_t);
-    void (*f_dbg)(void *, int, const char *);
-    int (*f_recv)(void *, unsigned char *, size_t);
-    int (*f_send)(void *, const unsigned char *, size_t);
-    int (*f_vrfy)(void *, x509_cert *, int, int *);
-    int (*f_get_cache)(void *, ssl_session *);
-    int (*f_set_cache)(void *, const ssl_session *);
-    int (*f_sni)(void *, ssl_context *, const unsigned char *, size_t);
-
-    void *p_rng;                /*!< context for the RNG function     */
-    void *p_dbg;                /*!< context for the debug function   */
-    void *p_recv;               /*!< context for reading operations   */
-    void *p_send;               /*!< context for writing operations   */
-    void *p_vrfy;               /*!< context for verification         */
-    void *p_get_cache;          /*!< context for cache retrieval      */
-    void *p_set_cache;          /*!< context for cache store          */
-    void *p_sni;                /*!< context for SNI extension        */
-    void *p_hw_data;            /*!< context for HW acceleration      */
-
-    /*
-     * Session layer
-     */
-    ssl_session *session_in;            /*!<  current session data (in)   */
-    ssl_session *session_out;           /*!<  current session data (out)  */
-    ssl_session *session;               /*!<  negotiated session data     */
-    ssl_session *session_negotiate;     /*!<  session data in negotiation */
-
-    ssl_handshake_params *handshake;    /*!<  params required only during
-                                              the handshake process        */
-
-    /*
-     * Record layer transformations
-     */
-    ssl_transform *transform_in;        /*!<  current transform params (in)   */
-    ssl_transform *transform_out;       /*!<  current transform params (in)   */
-    ssl_transform *transform;           /*!<  negotiated transform params     */
-    ssl_transform *transform_negotiate; /*!<  transform params in negotiation */
-
-    /*
-     * Record layer (incoming data)
-     */
-    unsigned char *in_ctr;      /*!< 64-bit incoming message counter  */
-    unsigned char *in_hdr;      /*!< 5-byte record header (in_ctr+8)  */
-    unsigned char *in_msg;      /*!< the message contents (in_hdr+5)  */
-    unsigned char *in_offt;     /*!< read offset in application data  */
-
-    int in_msgtype;             /*!< record header: message type      */
-    size_t in_msglen;           /*!< record header: message length    */
-    size_t in_left;             /*!< amount of data read so far       */
-
-    size_t in_hslen;            /*!< current handshake message length */
-    int nb_zero;                /*!< # of 0-length encrypted messages */
-
-    /*
-     * Record layer (outgoing data)
-     */
-    unsigned char *out_ctr;     /*!< 64-bit outgoing message counter  */
-    unsigned char *out_hdr;     /*!< 5-byte record header (out_ctr+8) */
-    unsigned char *out_msg;     /*!< the message contents (out_hdr+32)*/
-
-    int out_msgtype;            /*!< record header: message type      */
-    size_t out_msglen;          /*!< record header: message length    */
-    size_t out_left;            /*!< amount of data not yet written   */
-
-    /*
-     * PKI layer
-     */
-    void *rsa_key;                      /*!<  own RSA private key     */
-    rsa_decrypt_func rsa_decrypt;       /*!<  function for RSA decrypt*/
-    rsa_sign_func rsa_sign;             /*!<  function for RSA sign   */
-    rsa_key_len_func rsa_key_len;       /*!<  function for RSA key len*/
-
-    x509_cert *own_cert;                /*!<  own X.509 certificate   */
-    x509_cert *ca_chain;                /*!<  own trusted CA chain    */
-    x509_crl *ca_crl;                   /*!<  trusted CA CRLs         */
-    const char *peer_cn;                /*!<  expected peer CN        */
-
-    /*
-     * User settings
-     */
-    int endpoint;                       /*!<  0: client, 1: server    */
-    int authmode;                       /*!<  verification mode       */
-    int client_auth;                    /*!<  flag for client auth.   */
-    int verify_result;                  /*!<  verification result     */
-    int disable_renegotiation;          /*!<  enable/disable renegotiation   */
-    int allow_legacy_renegotiation;     /*!<  allow legacy renegotiation     */
-    const int **ciphersuites;           /*!<  allowed ciphersuites / version */
-
-#if defined(POLARSSL_DHM_C)
-    mpi dhm_P;                          /*!<  prime modulus for DHM   */
-    mpi dhm_G;                          /*!<  generator for DHM       */
-#endif
-
-    /*
-     * TLS extensions
-     */
-    unsigned char *hostname;
-    size_t         hostname_len;
-
-    /*
-     * Secure renegotiation
-     */
-    int secure_renegotiation;           /*!<  does peer support legacy or
-                                              secure renegotiation           */
-    size_t verify_data_len;             /*!<  length of verify data stored   */
-    char own_verify_data[36];           /*!<  previous handshake verify data */
-    char peer_verify_data[36];          /*!<  previous handshake verify data */
-};
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-extern const int ssl_default_ciphersuites[];
-
-#if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
-extern int (*ssl_hw_record_init)(ssl_context *ssl,
-                const unsigned char *key_enc, const unsigned char *key_dec,
-                const unsigned char *iv_enc,  const unsigned char *iv_dec,
-                const unsigned char *mac_enc, const unsigned char *mac_dec);
-extern int (*ssl_hw_record_reset)(ssl_context *ssl);
-extern int (*ssl_hw_record_write)(ssl_context *ssl);
-extern int (*ssl_hw_record_read)(ssl_context *ssl);
-extern int (*ssl_hw_record_finish)(ssl_context *ssl);
-#endif
-
-/**
- * \brief Returns the list of ciphersuites supported by the SSL/TLS module.
- *
- * \return              a statically allocated array of ciphersuites, the last
- *                      entry is 0.
- */
-static inline const int *ssl_list_ciphersuites( void )
-{
-    return ssl_default_ciphersuites;
-}
-
-/**
- * \brief               Return the name of the ciphersuite associated with the given
- *                      ID
- *
- * \param ciphersuite_id SSL ciphersuite ID
- *
- * \return              a string containing the ciphersuite name
- */
-const char *ssl_get_ciphersuite_name( const int ciphersuite_id );
-
-/**
- * \brief               Return the ID of the ciphersuite associated with the given
- *                      name
- *
- * \param ciphersuite_name SSL ciphersuite name
- *
- * \return              the ID with the ciphersuite or 0 if not found
- */
-int ssl_get_ciphersuite_id( const char *ciphersuite_name );
-
-/**
- * \brief          Initialize an SSL context
- *
- * \param ssl      SSL context
- *
- * \return         0 if successful, or POLARSSL_ERR_SSL_MALLOC_FAILED if
- *                 memory allocation failed
- */
-int ssl_init( ssl_context *ssl );
-
-/**
- * \brief          Reset an already initialized SSL context for re-use
- *                 while retaining application-set variables, function
- *                 pointers and data.
- *
- * \param ssl      SSL context
- * \return         0 if successful, or POLASSL_ERR_SSL_MALLOC_FAILED,
-                   POLARSSL_ERR_SSL_HW_ACCEL_FAILED or
- *                 POLARSSL_ERR_SSL_COMPRESSION_FAILED
- */
-int ssl_session_reset( ssl_context *ssl );
-
-/**
- * \brief          Set the current endpoint type
- *
- * \param ssl      SSL context
- * \param endpoint must be SSL_IS_CLIENT or SSL_IS_SERVER
- */
-void ssl_set_endpoint( ssl_context *ssl, int endpoint );
-
-/**
- * \brief          Set the certificate verification mode
- *
- * \param ssl      SSL context
- * \param authmode can be:
- *
- *  SSL_VERIFY_NONE:      peer certificate is not checked (default),
- *                        this is insecure and SHOULD be avoided.
- *
- *  SSL_VERIFY_OPTIONAL:  peer certificate is checked, however the
- *                        handshake continues even if verification failed;
- *                        ssl_get_verify_result() can be called after the
- *                        handshake is complete.
- *
- *  SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
- *                        handshake is aborted if verification failed.
- */
-void ssl_set_authmode( ssl_context *ssl, int authmode );
-
-/**
- * \brief          Set the verification callback (Optional).
- *
- *                 If set, the verify callback is called for each
- *                 certificate in the chain. For implementation
- *                 information, please see \c x509parse_verify()
- *
- * \param ssl      SSL context
- * \param f_vrfy   verification function
- * \param p_vrfy   verification parameter
- */
-void ssl_set_verify( ssl_context *ssl,
-                     int (*f_vrfy)(void *, x509_cert *, int, int *),
-                     void *p_vrfy );
-
-/**
- * \brief          Set the random number generator callback
- *
- * \param ssl      SSL context
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- */
-void ssl_set_rng( ssl_context *ssl,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng );
-
-/**
- * \brief          Set the debug callback
- *
- * \param ssl      SSL context
- * \param f_dbg    debug function
- * \param p_dbg    debug parameter
- */
-void ssl_set_dbg( ssl_context *ssl,
-                  void (*f_dbg)(void *, int, const char *),
-                  void  *p_dbg );
-
-/**
- * \brief          Set the underlying BIO read and write callbacks
- *
- * \param ssl      SSL context
- * \param f_recv   read callback
- * \param p_recv   read parameter
- * \param f_send   write callback
- * \param p_send   write parameter
- */
-void ssl_set_bio( ssl_context *ssl,
-        int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
-        int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
-
-/**
- * \brief          Set the session cache callbacks (server-side only)
- *                 If not set, no session resuming is done.
- *
- *                 The session cache has the responsibility to check for stale
- *                 entries based on timeout. See RFC 5246 for recommendations.
- *
- *                 Warning: session.peer_cert is cleared by the SSL/TLS layer on
- *                 connection shutdown, so do not cache the pointer! Either set
- *                 it to NULL or make a full copy of the certificate.
- *
- *                 The get callback is called once during the initial handshake
- *                 to enable session resuming. The get function has the
- *                 following parameters: (void *parameter, ssl_session *session)
- *                 If a valid entry is found, it should fill the master of
- *                 the session object with the cached values and return 0,
- *                 return 1 otherwise. Optionally peer_cert can be set as well
- *                 if it is properly present in cache entry.
- *
- *                 The set callback is called once during the initial handshake
- *                 to enable session resuming after the entire handshake has
- *                 been finished. The set function has the following parameters:
- *                 (void *parameter, const ssl_session *session). The function
- *                 should create a cache entry for future retrieval based on
- *                 the data in the session structure and should keep in mind
- *                 that the ssl_session object presented (and all its referenced
- *                 data) is cleared by the SSL/TLS layer when the connection is
- *                 terminated. It is recommended to add metadata to determine if
- *                 an entry is still valid in the future. Return 0 if
- *                 successfully cached, return 1 otherwise.
- *
- * \param ssl            SSL context
- * \param f_get_cache    session get callback
- * \param p_get_cache    session get parameter
- * \param f_set_cache    session set callback
- * \param p_set_cache    session set parameter
- */
-void ssl_set_session_cache( ssl_context *ssl,
-        int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
-        int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache );
-
-/**
- * \brief          Request resumption of session (client-side only)
- *                 Session data is copied from presented session structure.
- *
- *                 Warning: session.peer_cert is cleared by the SSL/TLS layer on
- *                 connection shutdown, so do not cache the pointer! Either set
- *                 it to NULL or make a full copy of the certificate when
- *                 storing the session for use in this function.
- *
- * \param ssl      SSL context
- * \param session  session context
- */
-void ssl_set_session( ssl_context *ssl, const ssl_session *session );
-
-/**
- * \brief               Set the list of allowed ciphersuites
- *                      (Default: ssl_default_ciphersuites)
- *                      (Overrides all version specific lists)
- *
- * \param ssl           SSL context
- * \param ciphersuites  0-terminated list of allowed ciphersuites
- */
-void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
-
-/**
- * \brief               Set the list of allowed ciphersuites for a specific
- *                      version of the protocol.
- *                      (Default: ssl_default_ciphersuites)
- *                      (Only useful on the server side)
- *
- * \param ssl           SSL context
- * \param ciphersuites  0-terminated list of allowed ciphersuites
- * \param major         Major version number (only SSL_MAJOR_VERSION_3
- *                      supported)
- * \param minor         Minor version number (SSL_MINOR_VERSION_0,
- *                      SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
- *                      SSL_MINOR_VERSION_3 supported)
- */
-void ssl_set_ciphersuites_for_version( ssl_context *ssl,
-                                       const int *ciphersuites,
-                                       int major, int minor );
-
-/**
- * \brief          Set the data required to verify peer certificate
- *
- * \param ssl      SSL context
- * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
- * \param ca_crl   trusted CA CRLs
- * \param peer_cn  expected peer CommonName (or NULL)
- */
-void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
-                       x509_crl *ca_crl, const char *peer_cn );
-
-/**
- * \brief          Set own certificate chain and private key
- *
- *                 Note: own_cert should contain IN order from the bottom
- *                 up your certificate chain. The top certificate (self-signed)
- *                 can be omitted.
- *
- * \param ssl      SSL context
- * \param own_cert own public certificate chain
- * \param rsa_key  own private RSA key
- */
-void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
-                       rsa_context *rsa_key );
-
-/**
- * \brief          Set own certificate and alternate non-PolarSSL private
- *                 key and handling callbacks, such as the PKCS#11 wrappers
- *                 or any other external private key handler.
- *                 (see the respective RSA functions in rsa.h for documentation
- *                 of the callback parameters, with the only change being
- *                 that the rsa_context * is a void * in the callbacks)
- *
- *                 Note: own_cert should contain IN order from the bottom
- *                 up your certificate chain. The top certificate (self-signed)
- *                 can be omitted.
- *
- * \param ssl      SSL context
- * \param own_cert own public certificate chain
- * \param rsa_key  alternate implementation private RSA key
- * \param rsa_decrypt_func  alternate implementation of \c rsa_pkcs1_decrypt()
- * \param rsa_sign_func     alternate implementation of \c rsa_pkcs1_sign()
- * \param rsa_key_len_func  function returning length of RSA key in bytes
- */
-void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
-                           void *rsa_key,
-                           rsa_decrypt_func rsa_decrypt,
-                           rsa_sign_func rsa_sign,
-                           rsa_key_len_func rsa_key_len );
-
-#if defined(POLARSSL_DHM_C)
-/**
- * \brief          Set the Diffie-Hellman public P and G values,
- *                 read as hexadecimal strings (server-side only)
- *                 (Default: POLARSSL_DHM_RFC5114_MODP_1024_[PG])
- *
- * \param ssl      SSL context
- * \param dhm_P    Diffie-Hellman-Merkle modulus
- * \param dhm_G    Diffie-Hellman-Merkle generator
- *
- * \return         0 if successful
- */
-int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G );
-
-/**
- * \brief          Set the Diffie-Hellman public P and G values,
- *                 read from existing context (server-side only)
- *
- * \param ssl      SSL context
- * \param dhm_ctx  Diffie-Hellman-Merkle context
- *
- * \return         0 if successful
- */
-int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
-#endif
-
-/**
- * \brief          Set hostname for ServerName TLS extension
- *                 (client-side only)
- *                 
- *
- * \param ssl      SSL context
- * \param hostname the server hostname
- *
- * \return         0 if successful or POLARSSL_ERR_SSL_MALLOC_FAILED
- */
-int ssl_set_hostname( ssl_context *ssl, const char *hostname );
-
-/**
- * \brief          Set server side ServerName TLS extension callback
- *                 (optional, server-side only).
- *
- *                 If set, the ServerName callback is called whenever the
- *                 server receives a ServerName TLS extension from the client
- *                 during a handshake. The ServerName callback has the
- *                 following parameters: (void *parameter, ssl_context *ssl,
- *                 const unsigned char *hostname, size_t len). If a suitable
- *                 certificate is found, the callback should set the
- *                 certificate and key to use with ssl_set_own_cert() (and
- *                 possibly adjust the CA chain as well) and return 0. The
- *                 callback should return -1 to abort the handshake at this
- *                 point.
- *
- * \param ssl      SSL context
- * \param f_sni    verification function
- * \param p_sni    verification parameter
- */
-void ssl_set_sni( ssl_context *ssl,
-                  int (*f_sni)(void *, ssl_context *, const unsigned char *,
-                               size_t),
-                  void *p_sni );
-
-/**
- * \brief          Set the maximum supported version sent from the client side
- * 
- * \param ssl      SSL context
- * \param major    Major version number (only SSL_MAJOR_VERSION_3 supported)
- * \param minor    Minor version number (SSL_MINOR_VERSION_0,
- *                 SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
- *                 SSL_MINOR_VERSION_3 supported)
- */
-void ssl_set_max_version( ssl_context *ssl, int major, int minor );
-
-
-/**
- * \brief          Set the minimum accepted SSL/TLS protocol version
- *                 (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0)
- *
- * \param ssl      SSL context
- * \param major    Major version number (only SSL_MAJOR_VERSION_3 supported)
- * \param minor    Minor version number (SSL_MINOR_VERSION_0,
- *                 SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
- *                 SSL_MINOR_VERSION_3 supported)
- */
-void ssl_set_min_version( ssl_context *ssl, int major, int minor );
-
-/**
- * \brief          Enable / Disable renegotiation support for connection when
- *                 initiated by peer
- *                 (Default: SSL_RENEGOTIATION_DISABLED)
- *
- *                 Note: A server with support enabled is more vulnerable for a
- *                 resource DoS by a malicious client. You should enable this on
- *                 a client to enable server-initiated renegotiation.
- *
- * \param ssl      SSL context
- * \param renegotiation     Enable or disable (SSL_RENEGOTIATION_ENABLED or
- *                                             SSL_RENEGOTIATION_DISABLED)
- */
-void ssl_set_renegotiation( ssl_context *ssl, int renegotiation );
-
-/**
- * \brief          Prevent or allow legacy renegotiation.
- *                 (Default: SSL_LEGACY_NO_RENEGOTIATION)
- *                 
- *                 SSL_LEGACY_NO_RENEGOTIATION allows connections to
- *                 be established even if the peer does not support
- *                 secure renegotiation, but does not allow renegotiation
- *                 to take place if not secure.
- *                 (Interoperable and secure option)
- *
- *                 SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
- *                 with non-upgraded peers. Allowing legacy renegotiation
- *                 makes the connection vulnerable to specific man in the
- *                 middle attacks. (See RFC 5746)
- *                 (Most interoperable and least secure option)
- *
- *                 SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
- *                 if peer does not support secure renegotiation. Results
- *                 in interoperability issues with non-upgraded peers
- *                 that do not support renegotiation altogether.
- *                 (Most secure option, interoperability issues)
- *
- * \param ssl      SSL context
- * \param allow_legacy  Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
- *                                        SSL_ALLOW_LEGACY_RENEGOTIATION or
- *                                        SSL_LEGACY_BREAK_HANDSHAKE)
- */
-void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
-
-/**
- * \brief          Return the number of data bytes available to read
- *
- * \param ssl      SSL context
- *
- * \return         how many bytes are available in the read buffer
- */
-size_t ssl_get_bytes_avail( const ssl_context *ssl );
-
-/**
- * \brief          Return the result of the certificate verification
- *
- * \param ssl      SSL context
- *
- * \return         0 if successful, or a combination of:
- *                      BADCERT_EXPIRED
- *                      BADCERT_REVOKED
- *                      BADCERT_CN_MISMATCH
- *                      BADCERT_NOT_TRUSTED
- */
-int ssl_get_verify_result( const ssl_context *ssl );
-
-/**
- * \brief          Return the name of the current ciphersuite
- *
- * \param ssl      SSL context
- *
- * \return         a string containing the ciphersuite name
- */
-const char *ssl_get_ciphersuite( const ssl_context *ssl );
-
-/**
- * \brief          Return the current SSL version (SSLv3/TLSv1/etc)
- *
- * \param ssl      SSL context
- *
- * \return         a string containing the SSL version
- */
-const char *ssl_get_version( const ssl_context *ssl );
-
-/**
- * \brief          Return the peer certificate from the current connection
- *
- *                 Note: Can be NULL in case no certificate was sent during
- *                 the handshake. Different calls for the same connection can
- *                 return the same or different pointers for the same
- *                 certificate and even a different certificate altogether.
- *                 The peer cert CAN change in a single connection if
- *                 renegotiation is performed.
- *
- * \param ssl      SSL context
- *
- * \return         the current peer certificate
- */
-const x509_cert *ssl_get_peer_cert( const ssl_context *ssl );
-
-/**
- * \brief          Perform the SSL handshake
- *
- * \param ssl      SSL context
- *
- * \return         0 if successful, POLARSSL_ERR_NET_WANT_READ,
- *                 POLARSSL_ERR_NET_WANT_WRITE, or a specific SSL error code.
- */
-int ssl_handshake( ssl_context *ssl );
-
-/**
- * \brief          Perform a single step of the SSL handshake
- *
- *                 Note: the state of the context (ssl->state) will be at
- *                 the following state after execution of this function.
- *                 Do not call this function if state is SSL_HANDSHAKE_OVER.
- *
- * \param ssl      SSL context
- *
- * \return         0 if successful, POLARSSL_ERR_NET_WANT_READ,
- *                 POLARSSL_ERR_NET_WANT_WRITE, or a specific SSL error code.
- */
-int ssl_handshake_step( ssl_context *ssl );
-
-/**
- * \brief          Perform an SSL renegotiation on the running connection
- *
- * \param ssl      SSL context
- *
- * \return         0 if succesful, or any ssl_handshake() return value.
- */
-int ssl_renegotiate( ssl_context *ssl );
-
-/**
- * \brief          Read at most 'len' application data bytes
- *
- * \param ssl      SSL context
- * \param buf      buffer that will hold the data
- * \param len      how many bytes must be read
- *
- * \return         This function returns the number of bytes read, 0 for EOF,
- *                 or a negative error code.
- */
-int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len );
-
-/**
- * \brief          Write exactly 'len' application data bytes
- *
- * \param ssl      SSL context
- * \param buf      buffer holding the data
- * \param len      how many bytes must be written
- *
- * \return         This function returns the number of bytes written,
- *                 or a negative error code.
- *
- * \note           When this function returns POLARSSL_ERR_NET_WANT_WRITE,
- *                 it must be called later with the *same* arguments,
- *                 until it returns a positive value.
- */
-int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len );
-
-/**
- * \brief           Send an alert message
- *
- * \param ssl       SSL context
- * \param level     The alert level of the message
- *                  (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL)
- * \param message   The alert message (SSL_ALERT_MSG_*)
- *
- * \return          0 if successful, or a specific SSL error code.
- */
-int ssl_send_alert_message( ssl_context *ssl,
-                            unsigned char level,
-                            unsigned char message );
-/**
- * \brief          Notify the peer that the connection is being closed
- *
- * \param ssl      SSL context
- */
-int ssl_close_notify( ssl_context *ssl );
-
-/**
- * \brief          Free referenced items in an SSL context and clear memory
- *
- * \param ssl      SSL context
- */
-void ssl_free( ssl_context *ssl );
-
-/**
- * \brief          Free referenced items in an SSL session including the
- *                 peer certificate and clear memory
- *
- * \param session  SSL session
- */
-void ssl_session_free( ssl_session *session );
-
-/**
- * \brief           Free referenced items in an SSL transform context and clear
- *                  memory
- *
- * \param transform SSL transform context
- */
-void ssl_transform_free( ssl_transform *transform );
-
-/**
- * \brief           Free referenced items in an SSL handshake context and clear
- *                  memory
- *
- * \param handshake SSL handshake context
- */
-void ssl_handshake_free( ssl_handshake_params *handshake );
-
-/*
- * Internal functions (do not call directly)
- */
-int ssl_handshake_client_step( ssl_context *ssl );
-int ssl_handshake_server_step( ssl_context *ssl );
-void ssl_handshake_wrapup( ssl_context *ssl );
-
-int ssl_send_fatal_handshake_failure( ssl_context *ssl );
-
-int ssl_derive_keys( ssl_context *ssl );
-
-int ssl_read_record( ssl_context *ssl );
-/**
- * \return         0 if successful, POLARSSL_ERR_SSL_CONN_EOF on EOF or
- *                 another negative error code.
- */
-int ssl_fetch_input( ssl_context *ssl, size_t nb_want );
-
-int ssl_write_record( ssl_context *ssl );
-int ssl_flush_output( ssl_context *ssl );
-
-int ssl_parse_certificate( ssl_context *ssl );
-int ssl_write_certificate( ssl_context *ssl );
-
-int ssl_parse_change_cipher_spec( ssl_context *ssl );
-int ssl_write_change_cipher_spec( ssl_context *ssl );
-
-int ssl_parse_finished( ssl_context *ssl );
-int ssl_write_finished( ssl_context *ssl );
-
-void ssl_optimize_checksum( ssl_context *ssl, int ciphersuite );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ssl.h */
diff --git a/makerom/polarssl/ssl_cache.h b/makerom/polarssl/ssl_cache.h
deleted file mode 100644
index 521129a8..00000000
--- a/makerom/polarssl/ssl_cache.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/**
- * \file ssl_cache.h
- *
- * \brief SSL session cache implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_SSL_CACHE_H
-#define POLARSSL_SSL_CACHE_H
-
-#include "polarssl/ssl.h"
-
-#if !defined(POLARSSL_CONFIG_OPTIONS)
-#define SSL_CACHE_DEFAULT_TIMEOUT       86400   /*!< 1 day  */
-#define SSL_CACHE_DEFAULT_MAX_ENTRIES      50   /*!< Maximum entries in cache */
-#endif /* !POLARSSL_CONFIG_OPTIONS */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef struct _ssl_cache_context ssl_cache_context;
-typedef struct _ssl_cache_entry ssl_cache_entry;
-
-/**
- * \brief   This structure is used for storing cache entries
- */
-struct _ssl_cache_entry
-{
-    time_t timestamp;           /*!< entry timestamp    */
-    ssl_session session;        /*!< entry session      */
-    x509_buf peer_cert;         /*!< entry peer_cert    */
-    ssl_cache_entry *next;      /*!< chain pointer      */
-};
-
-/**
- * \brief Cache context
- */
-struct _ssl_cache_context
-{
-    ssl_cache_entry *chain;     /*!< start of the chain     */
-    int timeout;                /*!< cache entry timeout    */
-    int max_entries;            /*!< maximum entries        */
-};
-
-/**
- * \brief          Initialize an SSL cache context
- *
- * \param cache    SSL cache context
- */
-void ssl_cache_init( ssl_cache_context *cache );
-
-/**
- * \brief          Cache get callback implementation
- *
- * \param data     SSL cache context
- * \param session  session to retrieve entry for
- */
-int ssl_cache_get( void *data, ssl_session *session );
-
-/**
- * \brief          Cache set callback implementation
- *
- * \param data     SSL cache context
- * \param session  session to store entry for
- */
-int ssl_cache_set( void *data, const ssl_session *session );
-
-/**
- * \brief          Set the cache timeout
- *                 (Default: SSL_CACHE_DEFAULT_TIMEOUT (1 day))
- *
- *                 A timeout of 0 indicates no timeout.
- *
- * \param cache    SSL cache context
- * \param timeout  cache entry timeout
- */
-void ssl_cache_set_timeout( ssl_cache_context *cache, int timeout );
-
-/**
- * \brief          Set the cache timeout
- *                 (Default: SSL_CACHE_DEFAULT_MAX_ENTRIES (50))
- *
- * \param cache    SSL cache context
- * \param max      cache entry maximum
- */
-void ssl_cache_set_max_entries( ssl_cache_context *cache, int max );
-
-/**
- * \brief          Free referenced items in a cache context and clear memory
- *
- * \param cache    SSL cache context
- */
-void ssl_cache_free( ssl_cache_context *cache );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* ssl_cache.h */
diff --git a/makerom/polarssl/timing.h b/makerom/polarssl/timing.h
deleted file mode 100644
index 355c63c7..00000000
--- a/makerom/polarssl/timing.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/**
- * \file timing.h
- *
- * \brief Portable interface to the CPU cycle counter
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_TIMING_H
-#define POLARSSL_TIMING_H
-
-/**
- * \brief          timer structure
- */
-struct hr_time
-{
-    unsigned char opaque[32];
-};
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-extern volatile int alarmed;
-
-/**
- * \brief          Return the CPU cycle counter value
- */
-unsigned long hardclock( void );
-
-/**
- * \brief          Return the elapsed time in milliseconds
- *
- * \param val      points to a timer structure
- * \param reset    if set to 1, the timer is restarted
- */
-unsigned long get_timer( struct hr_time *val, int reset );
-
-/**
- * \brief          Setup an alarm clock
- *
- * \param seconds  delay before the "alarmed" flag is set
- */
-void set_alarm( int seconds );
-
-/**
- * \brief          Sleep for a certain amount of time
- *
- * \param milliseconds  delay in milliseconds
- */
-void m_sleep( int milliseconds );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* timing.h */
diff --git a/makerom/polarssl/version.h b/makerom/polarssl/version.h
deleted file mode 100644
index ebaa9c0f..00000000
--- a/makerom/polarssl/version.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/**
- * \file version.h
- *
- * \brief Run-time version information
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- * This set of compile-time defines and run-time variables can be used to
- * determine the version number of the PolarSSL library used.
- */
-#ifndef POLARSSL_VERSION_H
-#define POLARSSL_VERSION_H
-
-#include "polarssl/config.h"
-
-/**
- * The version number x.y.z is split into three parts.
- * Major, Minor, Patchlevel
- */
-#define POLARSSL_VERSION_MAJOR  1
-#define POLARSSL_VERSION_MINOR  2
-#define POLARSSL_VERSION_PATCH  8
-
-/**
- * The single version number has the following structure:
- *    MMNNPP00
- *    Major version | Minor version | Patch version
- */
-#define POLARSSL_VERSION_NUMBER         0x01020800
-#define POLARSSL_VERSION_STRING         "1.2.8"
-#define POLARSSL_VERSION_STRING_FULL    "PolarSSL 1.2.8"
-
-#if defined(POLARSSL_VERSION_C)
-
-/**
- * Get the version number.
- *
- * \return          The constructed version number in the format
- *                  MMNNPP00 (Major, Minor, Patch).
- */
-unsigned int version_get_number( void );
-
-/**
- * Get the version string ("x.y.z").
- *
- * \param string    The string that will receive the value.
- *                  (Should be at least 9 bytes in size)
- */
-void version_get_string( char *string );
-
-/**
- * Get the full version string ("PolarSSL x.y.z").
- *
- * \param string    The string that will receive the value.
- *                  (Should be at least 18 bytes in size)
- */
-void version_get_string_full( char *string );
-
-#endif /* POLARSSL_VERSION_C */
-
-#endif /* version.h */
diff --git a/makerom/polarssl/x509.h b/makerom/polarssl/x509.h
deleted file mode 100644
index 71a51a94..00000000
--- a/makerom/polarssl/x509.h
+++ /dev/null
@@ -1,778 +0,0 @@
-/**
- * \file x509.h
- *
- * \brief X.509 certificate and private key decoding
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_X509_H
-#define POLARSSL_X509_H
-
-#include "polarssl/asn1.h"
-#include "polarssl/rsa.h"
-#include "polarssl/dhm.h"
-
-/** 
- * \addtogroup x509_module
- * \{ 
- */
- 
-/** 
- * \name X509 Error codes
- * \{
- */
-#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE              -0x2080  /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
-#define POLARSSL_ERR_X509_CERT_INVALID_PEM                 -0x2100  /**< The PEM-encoded certificate contains invalid elements, e.g. invalid character. */ 
-#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT              -0x2180  /**< The certificate format is invalid, e.g. different type expected. */
-#define POLARSSL_ERR_X509_CERT_INVALID_VERSION             -0x2200  /**< The certificate version element is invalid. */
-#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL              -0x2280  /**< The serial tag or value is invalid. */
-#define POLARSSL_ERR_X509_CERT_INVALID_ALG                 -0x2300  /**< The algorithm tag or value is invalid. */
-#define POLARSSL_ERR_X509_CERT_INVALID_NAME                -0x2380  /**< The name tag or value is invalid. */
-#define POLARSSL_ERR_X509_CERT_INVALID_DATE                -0x2400  /**< The date tag or value is invalid. */
-#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY              -0x2480  /**< The pubkey tag or value is invalid (only RSA is supported). */
-#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE           -0x2500  /**< The signature tag or value invalid. */
-#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS          -0x2580  /**< The extension tag or value is invalid. */
-#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION             -0x2600  /**< Certificate or CRL has an unsupported version number. */
-#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG             -0x2680  /**< Signature algorithm (oid) is unsupported. */
-#define POLARSSL_ERR_X509_UNKNOWN_PK_ALG                   -0x2700  /**< Key algorithm is unsupported (only RSA is supported). */
-#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x2780  /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */
-#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x2800  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
-#define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x2880  /**< Unsupported RSA key version */
-#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x2900  /**< Invalid RSA key tag or value. */
-#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2980  /**< Format not recognized as DER or PEM. */
-#define POLARSSL_ERR_X509_INVALID_INPUT                    -0x2A00  /**< Input invalid. */
-#define POLARSSL_ERR_X509_MALLOC_FAILED                    -0x2A80  /**< Allocation of memory failed. */
-#define POLARSSL_ERR_X509_FILE_IO_ERROR                    -0x2B00  /**< Read/write of file failed. */
-#define POLARSSL_ERR_X509_PASSWORD_REQUIRED                -0x2B80  /**< Private key password can't be empty. */
-#define POLARSSL_ERR_X509_PASSWORD_MISMATCH                -0x2C00  /**< Given private key password does not allow for correct decryption. */
-/* \} name */
-
-
-/**
- * \name X509 Verify codes
- * \{
- */
-#define BADCERT_EXPIRED             0x01  /**< The certificate validity has expired. */
-#define BADCERT_REVOKED             0x02  /**< The certificate has been revoked (is on a CRL). */
-#define BADCERT_CN_MISMATCH         0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
-#define BADCERT_NOT_TRUSTED         0x08  /**< The certificate is not correctly signed by the trusted CA. */
-#define BADCRL_NOT_TRUSTED          0x10  /**< CRL is not correctly signed by the trusted CA. */
-#define BADCRL_EXPIRED              0x20  /**< CRL is expired. */
-#define BADCERT_MISSING             0x40  /**< Certificate was missing. */
-#define BADCERT_SKIP_VERIFY         0x80  /**< Certificate verification was skipped. */
-#define BADCERT_OTHER             0x0100  /**< Other reason (can be used by verify callback) */
-/* \} name */
-/* \} addtogroup x509_module */
-
-/*
- * various object identifiers
- */
-#define X520_COMMON_NAME                3
-#define X520_COUNTRY                    6
-#define X520_LOCALITY                   7
-#define X520_STATE                      8
-#define X520_ORGANIZATION              10
-#define X520_ORG_UNIT                  11
-#define PKCS9_EMAIL                     1
-
-#define X509_OUTPUT_DER              0x01
-#define X509_OUTPUT_PEM              0x02
-#define PEM_LINE_LENGTH                72
-#define X509_ISSUER                  0x01
-#define X509_SUBJECT                 0x02
-
-#define OID_X520                "\x55\x04"
-#define OID_CN                  OID_X520 "\x03"
-#define OID_COUNTRY             OID_X520 "\x06"
-#define OID_LOCALITY            OID_X520 "\x07"
-#define OID_STATE               OID_X520 "\x08"
-#define OID_ORGANIZATION        OID_X520 "\x0A"
-#define OID_ORG_UNIT            OID_X520 "\x0B"
-
-#define OID_PKCS1               "\x2A\x86\x48\x86\xF7\x0D\x01\x01"
-#define OID_PKCS1_RSA           OID_PKCS1 "\x01"
-#define OID_PKCS1_SHA1          OID_PKCS1 "\x05"
-
-#define OID_RSA_SHA_OBS         "\x2B\x0E\x03\x02\x1D"
-
-#define OID_PKCS9               "\x2A\x86\x48\x86\xF7\x0D\x01\x09"
-#define OID_PKCS9_EMAIL         OID_PKCS9 "\x01"
-
-/** ISO arc for standard certificate and CRL extensions */
-#define OID_ID_CE               "\x55\x1D" /**< id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29} */
-
-/**
- * Private Internet Extensions
- * { iso(1) identified-organization(3) dod(6) internet(1)
- *                      security(5) mechanisms(5) pkix(7) }
- */
-#define OID_PKIX                "\x2B\x06\x01\x05\x05\x07"
-
-/*
- * OIDs for standard certificate extensions
- */
-#define OID_AUTHORITY_KEY_IDENTIFIER    OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 } */
-#define OID_SUBJECT_KEY_IDENTIFIER      OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 } */
-#define OID_KEY_USAGE                   OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 } */
-#define OID_CERTIFICATE_POLICIES        OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 } */
-#define OID_POLICY_MAPPINGS             OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 } */
-#define OID_SUBJECT_ALT_NAME            OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 } */
-#define OID_ISSUER_ALT_NAME             OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 } */
-#define OID_SUBJECT_DIRECTORY_ATTRS     OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 } */
-#define OID_BASIC_CONSTRAINTS           OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 } */
-#define OID_NAME_CONSTRAINTS            OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 } */
-#define OID_POLICY_CONSTRAINTS          OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 } */
-#define OID_EXTENDED_KEY_USAGE          OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
-#define OID_CRL_DISTRIBUTION_POINTS     OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 } */
-#define OID_INIHIBIT_ANYPOLICY          OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 } */
-#define OID_FRESHEST_CRL                OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 } */
-
-/*
- * X.509 v3 Key Usage Extension flags
- */
-#define KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
-#define KU_NON_REPUDIATION              (0x40)  /* bit 1 */
-#define KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
-#define KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
-#define KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
-#define KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
-#define KU_CRL_SIGN                     (0x02)  /* bit 6 */
-
-/*
- * X.509 v3 Extended key usage OIDs
- */
-#define OID_ANY_EXTENDED_KEY_USAGE      OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
-
-#define OID_KP                          OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
-#define OID_SERVER_AUTH                 OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
-#define OID_CLIENT_AUTH                 OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
-#define OID_CODE_SIGNING                OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
-#define OID_EMAIL_PROTECTION            OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
-#define OID_TIME_STAMPING               OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
-#define OID_OCSP_SIGNING                OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
-
-#define STRING_SERVER_AUTH              "TLS Web Server Authentication"
-#define STRING_CLIENT_AUTH              "TLS Web Client Authentication"
-#define STRING_CODE_SIGNING             "Code Signing"
-#define STRING_EMAIL_PROTECTION         "E-mail Protection"
-#define STRING_TIME_STAMPING            "Time Stamping"
-#define STRING_OCSP_SIGNING             "OCSP Signing"
-
-/*
- * OIDs for CRL extensions
- */
-#define OID_PRIVATE_KEY_USAGE_PERIOD    OID_ID_CE "\x10"
-#define OID_CRL_NUMBER                  OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
-
-/*
- * Netscape certificate extensions
- */
-#define OID_NETSCAPE                "\x60\x86\x48\x01\x86\xF8\x42" /**< Netscape OID */
-#define OID_NS_CERT                 OID_NETSCAPE "\x01"
-#define OID_NS_CERT_TYPE            OID_NS_CERT  "\x01"
-#define OID_NS_BASE_URL             OID_NS_CERT  "\x02"
-#define OID_NS_REVOCATION_URL       OID_NS_CERT  "\x03"
-#define OID_NS_CA_REVOCATION_URL    OID_NS_CERT  "\x04"
-#define OID_NS_RENEWAL_URL          OID_NS_CERT  "\x07"
-#define OID_NS_CA_POLICY_URL        OID_NS_CERT  "\x08"
-#define OID_NS_SSL_SERVER_NAME      OID_NS_CERT  "\x0C"
-#define OID_NS_COMMENT              OID_NS_CERT  "\x0D"
-#define OID_NS_DATA_TYPE            OID_NETSCAPE "\x02"
-#define OID_NS_CERT_SEQUENCE        OID_NS_DATA_TYPE "\x05"
-
-/*
- * Netscape certificate types
- * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
- */
-
-#define NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
-#define NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
-#define NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
-#define NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
-#define NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
-#define NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
-#define NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
-#define NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */
-
-#define EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
-#define EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
-#define EXT_KEY_USAGE                   (1 << 2)
-#define EXT_CERTIFICATE_POLICIES        (1 << 3)
-#define EXT_POLICY_MAPPINGS             (1 << 4)
-#define EXT_SUBJECT_ALT_NAME            (1 << 5)
-#define EXT_ISSUER_ALT_NAME             (1 << 6)
-#define EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
-#define EXT_BASIC_CONSTRAINTS           (1 << 8)
-#define EXT_NAME_CONSTRAINTS            (1 << 9)
-#define EXT_POLICY_CONSTRAINTS          (1 << 10)
-#define EXT_EXTENDED_KEY_USAGE          (1 << 11)
-#define EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
-#define EXT_INIHIBIT_ANYPOLICY          (1 << 13)
-#define EXT_FRESHEST_CRL                (1 << 14)
-
-#define EXT_NS_CERT_TYPE                (1 << 16)
-
-/*
- * Storage format identifiers
- * Recognized formats: PEM and DER
- */
-#define X509_FORMAT_DER                 1
-#define X509_FORMAT_PEM                 2
-
-/** 
- * \addtogroup x509_module
- * \{ */
-
-/**
- * \name Structures for parsing X.509 certificates and CRLs
- * \{
- */
- 
-/** 
- * Type-length-value structure that allows for ASN1 using DER.
- */
-typedef asn1_buf x509_buf;
-
-/**
- * Container for ASN1 bit strings.
- */
-typedef asn1_bitstring x509_bitstring;
-
-/**
- * Container for ASN1 named information objects. 
- * It allows for Relative Distinguished Names (e.g. cn=polarssl,ou=code,etc.).
- */
-typedef struct _x509_name
-{
-    x509_buf oid;               /**< The object identifier. */
-    x509_buf val;               /**< The named value. */
-    struct _x509_name *next;    /**< The next named information object. */
-}
-x509_name;
-
-/**
- * Container for a sequence of ASN.1 items
- */
-typedef asn1_sequence x509_sequence;
-
-/** Container for date and time (precision in seconds). */
-typedef struct _x509_time
-{
-    int year, mon, day;         /**< Date. */
-    int hour, min, sec;         /**< Time. */
-}
-x509_time;
-
-/** 
- * Container for an X.509 certificate. The certificate may be chained.
- */
-typedef struct _x509_cert
-{
-    x509_buf raw;               /**< The raw certificate data (DER). */
-    x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
-
-    int version;                /**< The X.509 version. (0=v1, 1=v2, 2=v3) */
-    x509_buf serial;            /**< Unique id for certificate issued by a specific CA. */
-    x509_buf sig_oid1;          /**< Signature algorithm, e.g. sha1RSA */
-
-    x509_buf issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison. */
-    x509_buf subject_raw;       /**< The raw subject data (DER). Used for quick comparison. */
-
-    x509_name issuer;           /**< The parsed issuer data (named information object). */
-    x509_name subject;          /**< The parsed subject data (named information object). */
-
-    x509_time valid_from;       /**< Start time of certificate validity. */
-    x509_time valid_to;         /**< End time of certificate validity. */
-
-    x509_buf pk_oid;            /**< Subject public key info. Includes the public key algorithm and the key itself. */
-    rsa_context rsa;            /**< Container for the RSA context. Only RSA is supported for public keys at this time. */
-
-    x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
-    x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
-    x509_buf v3_ext;            /**< Optional X.509 v3 extensions. Only Basic Contraints are supported at this time. */
-    x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */
-
-    int ext_types;              /**< Bit string containing detected and parsed extensions */
-    int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
-    int max_pathlen;            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
-
-    unsigned char key_usage;    /**< Optional key usage extension value: See the values below */
-
-    x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
-
-    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values below */
-
-    x509_buf sig_oid2;          /**< Signature algorithm. Must match sig_oid1. */
-    x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
-    int sig_alg;                /**< Internal representation of the signature algorithm, e.g. SIG_RSA_MD2 */
-
-    struct _x509_cert *next;    /**< Next certificate in the CA-chain. */ 
-}
-x509_cert;
-
-/** 
- * Certificate revocation list entry. 
- * Contains the CA-specific serial numbers and revocation dates.
- */
-typedef struct _x509_crl_entry
-{
-    x509_buf raw;
-
-    x509_buf serial;
-
-    x509_time revocation_date;
-
-    x509_buf entry_ext;
-
-    struct _x509_crl_entry *next;
-}
-x509_crl_entry;
-
-/** 
- * Certificate revocation list structure. 
- * Every CRL may have multiple entries.
- */
-typedef struct _x509_crl
-{
-    x509_buf raw;           /**< The raw certificate data (DER). */
-    x509_buf tbs;           /**< The raw certificate body (DER). The part that is To Be Signed. */
-
-    int version;
-    x509_buf sig_oid1;
-
-    x509_buf issuer_raw;    /**< The raw issuer data (DER). */
-
-    x509_name issuer;       /**< The parsed issuer data (named information object). */
-
-    x509_time this_update;  
-    x509_time next_update;
-
-    x509_crl_entry entry;   /**< The CRL entries containing the certificate revocation times for this CA. */
-
-    x509_buf crl_ext;
-
-    x509_buf sig_oid2;
-    x509_buf sig;
-    int sig_alg;
-
-    struct _x509_crl *next; 
-}
-x509_crl;
-/** \} name Structures for parsing X.509 certificates and CRLs */
-/** \} addtogroup x509_module */
-
-/**
- * \name Structures for writing X.509 certificates.
- * XvP: commented out as they are not used.
- * - <tt>typedef struct _x509_node x509_node;</tt>
- * - <tt>typedef struct _x509_raw x509_raw;</tt>
- */
-/*
-typedef struct _x509_node
-{
-    unsigned char *data;
-    unsigned char *p;
-    unsigned char *end;
-
-    size_t len;
-}
-x509_node;
-
-typedef struct _x509_raw
-{
-    x509_node raw;
-    x509_node tbs;
-
-    x509_node version;
-    x509_node serial;
-    x509_node tbs_signalg;
-    x509_node issuer;
-    x509_node validity;
-    x509_node subject;
-    x509_node subpubkey;
-
-    x509_node signalg;
-    x509_node sign;
-}
-x509_raw;
-*/
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \name Functions to read in DHM parameters, a certificate, CRL or private RSA key
- * \{
- */
-
-/** \ingroup x509_module */
-/**
- * \brief          Parse a single DER formatted certificate and add it
- *                 to the chained list.
- *
- * \param chain    points to the start of the chain
- * \param buf      buffer holding the certificate DER data
- * \param buflen   size of the buffer
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_crt_der( x509_cert *chain, const unsigned char *buf, size_t buflen );
-
-/**
- * \brief          Parse one or more certificates and add them
- *                 to the chained list. Parses permissively. If some
- *                 certificates can be parsed, the result is the number
- *                 of failed certificates it encountered. If none complete
- *                 correctly, the first error is returned.
- *
- * \param chain    points to the start of the chain
- * \param buf      buffer holding the certificate data
- * \param buflen   size of the buffer
- *
- * \return         0 if all certificates parsed successfully, a positive number
- *                 if partly successful or a specific X509 or PEM error code
- */
-int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen );
-
-/** \ingroup x509_module */
-/**
- * \brief          Load one or more certificates and add them
- *                 to the chained list. Parses permissively. If some
- *                 certificates can be parsed, the result is the number
- *                 of failed certificates it encountered. If none complete
- *                 correctly, the first error is returned.
- *
- * \param chain    points to the start of the chain
- * \param path     filename to read the certificates from
- *
- * \return         0 if all certificates parsed successfully, a positive number
- *                 if partly successful or a specific X509 or PEM error code
- */
-int x509parse_crtfile( x509_cert *chain, const char *path );
-
-/** \ingroup x509_module */
-/**
- * \brief          Load one or more certificate files from a path and add them
- *                 to the chained list. Parses permissively. If some
- *                 certificates can be parsed, the result is the number
- *                 of failed certificates it encountered. If none complete
- *                 correctly, the first error is returned.
- *
- * \param chain    points to the start of the chain
- * \param path     directory / folder to read the certificate files from
- *
- * \return         0 if all certificates parsed successfully, a positive number
- *                 if partly successful or a specific X509 or PEM error code
- */
-int x509parse_crtpath( x509_cert *chain, const char *path );
-
-/** \ingroup x509_module */
-/**
- * \brief          Parse one or more CRLs and add them
- *                 to the chained list
- *
- * \param chain    points to the start of the chain
- * \param buf      buffer holding the CRL data
- * \param buflen   size of the buffer
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen );
-
-/** \ingroup x509_module */
-/**
- * \brief          Load one or more CRLs and add them
- *                 to the chained list
- *
- * \param chain    points to the start of the chain
- * \param path     filename to read the CRLs from
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_crlfile( x509_crl *chain, const char *path );
-
-/** \ingroup x509_module */
-/**
- * \brief          Parse a private RSA key
- *
- * \param rsa      RSA context to be initialized
- * \param key      input buffer
- * \param keylen   size of the buffer
- * \param pwd      password for decryption (optional)
- * \param pwdlen   size of the password
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_key( rsa_context *rsa,
-                   const unsigned char *key, size_t keylen,
-                   const unsigned char *pwd, size_t pwdlen );
-
-/** \ingroup x509_module */
-/**
- * \brief          Load and parse a private RSA key
- *
- * \param rsa      RSA context to be initialized
- * \param path     filename to read the private key from
- * \param password password to decrypt the file (can be NULL)
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_keyfile( rsa_context *rsa, const char *path,
-                       const char *password );
-
-/** \ingroup x509_module */
-/**
- * \brief          Parse a public RSA key
- *
- * \param rsa      RSA context to be initialized
- * \param key      input buffer
- * \param keylen   size of the buffer
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_public_key( rsa_context *rsa,
-                   const unsigned char *key, size_t keylen );
-
-/** \ingroup x509_module */
-/**
- * \brief          Load and parse a public RSA key
- *
- * \param rsa      RSA context to be initialized
- * \param path     filename to read the private key from
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_public_keyfile( rsa_context *rsa, const char *path );
-
-/** \ingroup x509_module */
-/**
- * \brief          Parse DHM parameters
- *
- * \param dhm      DHM context to be initialized
- * \param dhmin    input buffer
- * \param dhminlen size of the buffer
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_dhm( dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen );
-
-/** \ingroup x509_module */
-/**
- * \brief          Load and parse DHM parameters
- *
- * \param dhm      DHM context to be initialized
- * \param path     filename to read the DHM Parameters from
- *
- * \return         0 if successful, or a specific X509 or PEM error code
- */
-int x509parse_dhmfile( dhm_context *dhm, const char *path );
-
-/** \} name Functions to read in DHM parameters, a certificate, CRL or private RSA key */
-
-/**
- * \brief          Store the certificate DN in printable form into buf;
- *                 no more than size characters will be written.
- *
- * \param buf      Buffer to write to
- * \param size     Maximum size of buffer
- * \param dn       The X509 name to represent
- *
- * \return         The amount of data written to the buffer, or -1 in
- *                 case of an error.
- */
-int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn );
-
-/**
- * \brief          Store the certificate serial in printable form into buf;
- *                 no more than size characters will be written.
- *
- * \param buf      Buffer to write to
- * \param size     Maximum size of buffer
- * \param serial   The X509 serial to represent
- *
- * \return         The amount of data written to the buffer, or -1 in
- *                 case of an error.
- */
-int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial );
-
-/**
- * \brief          Returns an informational string about the
- *                 certificate.
- *
- * \param buf      Buffer to write to
- * \param size     Maximum size of buffer
- * \param prefix   A line prefix
- * \param crt      The X509 certificate to represent
- *
- * \return         The amount of data written to the buffer, or -1 in
- *                 case of an error.
- */
-int x509parse_cert_info( char *buf, size_t size, const char *prefix,
-                         const x509_cert *crt );
-
-/**
- * \brief          Returns an informational string about the
- *                 CRL.
- *
- * \param buf      Buffer to write to
- * \param size     Maximum size of buffer
- * \param prefix   A line prefix
- * \param crl      The X509 CRL to represent
- *
- * \return         The amount of data written to the buffer, or -1 in
- *                 case of an error.
- */
-int x509parse_crl_info( char *buf, size_t size, const char *prefix,
-                        const x509_crl *crl );
-
-/**
- * \brief          Give an known OID, return its descriptive string.
- *
- * \param oid      buffer containing the oid
- *
- * \return         Return a string if the OID is known,
- *                 or NULL otherwise.
- */
-const char *x509_oid_get_description( x509_buf *oid );
-
-/**
- * \brief          Give an OID, return a string version of its OID number.
- *
- * \param buf      Buffer to write to
- * \param size     Maximum size of buffer
- * \param oid      Buffer containing the OID
- *
- * \return         The amount of data written to the buffer, or -1 in
- *                 case of an error.
- */
-int x509_oid_get_numeric_string( char *buf, size_t size, x509_buf *oid );
-
-/**
- * \brief          Check a given x509_time against the system time and check
- *                 if it is valid.
- *
- * \param time     x509_time to check
- *
- * \return         Return 0 if the x509_time is still valid,
- *                 or 1 otherwise.
- */
-int x509parse_time_expired( const x509_time *time );
-
-/**
- * \name Functions to verify a certificate
- * \{
- */
-/** \ingroup x509_module */
-/**
- * \brief          Verify the certificate signature
- *
- *                 The verify callback is a user-supplied callback that
- *                 can clear / modify / add flags for a certificate. If set,
- *                 the verification callback is called for each
- *                 certificate in the chain (from the trust-ca down to the
- *                 presented crt). The parameters for the callback are:
- *                 (void *parameter, x509_cert *crt, int certificate_depth,
- *                 int *flags). With the flags representing current flags for
- *                 that specific certificate and the certificate depth from
- *                 the bottom (Peer cert depth = 0).
- *
- *                 All flags left after returning from the callback
- *                 are also returned to the application. The function should
- *                 return 0 for anything but a fatal error.
- *
- * \param crt      a certificate to be verified
- * \param trust_ca the trusted CA chain
- * \param ca_crl   the CRL chain for trusted CA's
- * \param cn       expected Common Name (can be set to
- *                 NULL if the CN must not be verified)
- * \param flags    result of the verification
- * \param f_vrfy   verification function
- * \param p_vrfy   verification parameter
- *
- * \return         0 if successful or POLARSSL_ERR_X509_SIG_VERIFY_FAILED,
- *                 in which case *flags will have one or more of
- *                 the following values set:
- *                      BADCERT_EXPIRED --
- *                      BADCERT_REVOKED --
- *                      BADCERT_CN_MISMATCH --
- *                      BADCERT_NOT_TRUSTED
- *                 or another error in case of a fatal error encountered
- *                 during the verification process.
- */
-int x509parse_verify( x509_cert *crt,
-                      x509_cert *trust_ca,
-                      x509_crl *ca_crl,
-                      const char *cn, int *flags,
-                      int (*f_vrfy)(void *, x509_cert *, int, int *),
-                      void *p_vrfy );
-
-/**
- * \brief          Verify the certificate signature
- *
- * \param crt      a certificate to be verified
- * \param crl      the CRL to verify against
- *
- * \return         1 if the certificate is revoked, 0 otherwise
- *
- */
-int x509parse_revoked( const x509_cert *crt, const x509_crl *crl );
-
-/** \} name Functions to verify a certificate */
-
-
-
-/**
- * \name Functions to clear a certificate, CRL or private RSA key 
- * \{
- */
-/** \ingroup x509_module */
-/**
- * \brief          Unallocate all certificate data
- *
- * \param crt      Certificate chain to free
- */
-void x509_free( x509_cert *crt );
-
-/** \ingroup x509_module */
-/**
- * \brief          Unallocate all CRL data
- *
- * \param crl      CRL chain to free
- */
-void x509_crl_free( x509_crl *crl );
-
-/** \} name Functions to clear a certificate, CRL or private RSA key */
-
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int x509_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* x509.h */
diff --git a/makerom/polarssl/x509write.h b/makerom/polarssl/x509write.h
deleted file mode 100644
index 16bfab3b..00000000
--- a/makerom/polarssl/x509write.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * \file x509write.h
- *
- * \brief X509 buffer writing functionality
- *
- *  Copyright (C) 2006-2012, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_X509_WRITE_H
-#define POLARSSL_X509_WRITE_H
-
-#include "polarssl/rsa.h"
-
-typedef struct _x509_req_name
-{
-    char oid[128];
-    char name[128];
-
-    struct _x509_req_name *next;
-}
-x509_req_name;
-
-int x509_write_pubkey_der( unsigned char *buf, size_t size, rsa_context *rsa );
-int x509_write_key_der( unsigned char *buf, size_t size, rsa_context *rsa );
-int x509_write_cert_req( unsigned char *buf, size_t size, rsa_context *rsa,
-                         x509_req_name *req_name, int hash_id );
-
-#endif /* POLARSSL_X509_WRITE_H */
diff --git a/makerom/polarssl/xtea.h b/makerom/polarssl/xtea.h
deleted file mode 100644
index eda7e44e..00000000
--- a/makerom/polarssl/xtea.h
+++ /dev/null
@@ -1,129 +0,0 @@
-/**
- * \file xtea.h
- *
- * \brief XTEA block cipher (32-bit)
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_XTEA_H
-#define POLARSSL_XTEA_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define XTEA_ENCRYPT     1
-#define XTEA_DECRYPT     0
-
-#define POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH             -0x0028  /**< The data input has an invalid length. */
-
-#if !defined(POLARSSL_XTEA_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          XTEA context structure
- */
-typedef struct
-{
-    uint32_t k[4];       /*!< key */
-}
-xtea_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          XTEA key schedule
- *
- * \param ctx      XTEA context to be initialized
- * \param key      the secret key
- */
-void xtea_setup( xtea_context *ctx, unsigned char key[16] );
-
-/**
- * \brief          XTEA cipher function
- *
- * \param ctx      XTEA context
- * \param mode     XTEA_ENCRYPT or XTEA_DECRYPT
- * \param input    8-byte input block
- * \param output   8-byte output block
- *
- * \return         0 if successful
- */
-int xtea_crypt_ecb( xtea_context *ctx,
-                    int mode,
-                    unsigned char input[8],
-                    unsigned char output[8] );
-
-/**
- * \brief          XTEA CBC cipher function
- *
- * \param ctx      XTEA context
- * \param mode     XTEA_ENCRYPT or XTEA_DECRYPT
- * \param length   the length of input, multiple of 8
- * \param iv       initialization vector for CBC mode
- * \param input    input block
- * \param output   output block
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH if the length % 8 != 0
- */
-int xtea_crypt_cbc( xtea_context *ctx,
-                    int mode,
-                    size_t length,
-                    unsigned char iv[8],
-                    unsigned char *input,
-                    unsigned char *output);
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_XTEA_ALT */
-#include "polarssl/xtea_alt.h"
-#endif /* POLARSSL_XTEA_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int xtea_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* xtea.h */

From 32f075b03d503fd22b0309223bd2fd3d69bd357f Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 15 Feb 2016 14:17:53 +0800
Subject: [PATCH 168/317] Fixed issue #25

---
 makerom/user_settings.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 68cc1bb6..3702316b 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -702,8 +702,8 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 
 int CheckArgumentCombination(user_settings *set)
 {
-	// If content 0 was not specified, we must build it (a NCCH file)
-	if (set->common.contentPath[0] == NULL) {
+	// If content 0 was not specified (and a special file aka SRL,CIA,CCI was not specified), we must build it (a NCCH file)
+	if (set->common.contentPath[0] == NULL && set->common.workingFilePath == NULL) {
 		set->ncch.buildNcch0 = true;
 		// A CXI can contain elements of a CFA, but not the other way round.
 		if (set->ncch.ncchType & CXI)
@@ -717,6 +717,7 @@ int CheckArgumentCombination(user_settings *set)
 	}
 	else {
 		set->ncch.buildNcch0 = false;
+		set->ncch.ncchType = 0;
 	}
 
 	for (int i = 0; i < CIA_MAX_CONTENT; i++) {

From 521ecb71dc3583db0d4022f371721622e74cbde8 Mon Sep 17 00:00:00 2001
From: piratesephiroth <piratesephiroth@users.noreply.github.com>
Date: Mon, 15 Feb 2016 05:55:59 -0300
Subject: [PATCH 169/317] Fix CategoryFlags always being considered invalid

---
 makerom/titleid.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/makerom/titleid.c b/makerom/titleid.c
index 33961a4e..251282be 100644
--- a/makerom/titleid.c
+++ b/makerom/titleid.c
@@ -143,8 +143,7 @@ int SetPIDCategoryFromFlags(u16 *cat, char **CategoryFlags, u32 FlagNum)
 		else if(strcmp(CategoryFlags[i],"CanSkipConvertJumpId") == 0)
 			ret = SetPIDCategoryFromFlag(cat,PROGRAM_ID_CATEGORY_FLAG_CAN_SKIP_CONVERT_JUMP_ID,"CanSkipConvertJumpId");
 		
-		if(ret == PID_INVALID_CATEGORY) break;
-		
+
 		else {
 			fprintf(stderr,"[ID ERROR] Invalid CategoryFlag: \"%s\"\n",CategoryFlags[i]);
 			return PID_INVALID_CATEGORY;
@@ -242,4 +241,4 @@ bool IsContents(u16 Category)
 bool IsAddOnContent(u16 Category)
 {
 	return Category == PROGRAM_ID_CATEGORY_ADD_ON_CONTENTS;
-}
\ No newline at end of file
+}

From b2206ea17b9fc6af407fb59dbf46c6fa1a630ea1 Mon Sep 17 00:00:00 2001
From: luigoalma <luigoalma@hotmail.com>
Date: Wed, 17 Feb 2016 19:15:08 +0000
Subject: [PATCH 170/317] Fix newline on cia_print()

---
 ctrtool/cia.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index c2ba55bd..bf757557 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -299,7 +299,7 @@ void cia_print(cia_context* ctx)
 	fprintf(stdout, "Version                 %04x\n", getle16(header->version));
 	fprintf(stdout, "Certificates offset:    0x%"PRIx64"\n", ctx->offsetcerts);
 	fprintf(stdout, "Certificates size:      0x%x\n", ctx->sizecert);
-	fprintf(stdout, "Ticket offset:          0x%"PRIx64"n", ctx->offsettik);
+	fprintf(stdout, "Ticket offset:          0x%"PRIx64"\n", ctx->offsettik);
 	fprintf(stdout, "Ticket size             0x%x\n", ctx->sizetik);
 	fprintf(stdout, "TMD offset:             0x%"PRIx64"\n", ctx->offsettmd);
 	fprintf(stdout, "TMD size:               0x%x\n", ctx->sizetmd);

From cedbe6d149d726200f85c1cde49d282757dc4826 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 18 Feb 2016 19:50:07 +0800
Subject: [PATCH 171/317] Fixed array transfer bug.

---
 makerom/cia.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 36b54d92..492181ac 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -155,7 +155,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	ciaset->ciaSections.content.buffer = usrset->common.workingFile.buffer;
 	ciaset->ciaSections.content.size = usrset->common.workingFile.size;
 	usrset->common.workingFile.buffer = NULL;
-	ciaset->ciaSections.content.size = 0;
+	usrset->common.workingFile.size = 0;
 	ciaset->content.includeUpdateNcch = usrset->cia.includeUpdateNcch;
 	ciaset->verbose = usrset->common.verbose;
 	
@@ -473,7 +473,7 @@ int GetSettingsFromSrl(cia_settings *ciaset)
 		fprintf(stderr,"[CIA ERROR] Invalid TWL SRL File\n");
 		return FAILED_TO_IMPORT_FILE;
 	}
-	
+
 	// Check if TWL SRL File
 	if(u8_to_u16(&hdr->title_id[6],LE) != 0x0003){
 		fprintf(stderr,"[CIA ERROR] Invalid TWL SRL File\n");

From 9dc611bbbf05ff700654f636f7150b91146d6c9f Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 20 Mar 2016 11:34:50 +0800
Subject: [PATCH 172/317] Fix CIA content hash validation fail.

---
 ctrtool/tmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/tmd.c b/ctrtool/tmd.c
index bcb687f1..95d23276 100644
--- a/ctrtool/tmd.c
+++ b/ctrtool/tmd.c
@@ -169,7 +169,7 @@ void tmd_print(tmd_context* ctx)
 		fprintf(stdout, "\n");
 		fprintf(stdout, "Content size:           %016"PRIx64"\n", getbe64(chunk->size));
 
-		switch(ctx->content_hash_stat[getbe16(chunk->index)]) {
+		switch(ctx->content_hash_stat[i]) {
 			case 1:  memdump(stdout, "Content hash [OK]:      ", chunk->hash, 32); break;
 			case 2:  memdump(stdout, "Content hash [FAIL]:    ", chunk->hash, 32); break;
 			default: memdump(stdout, "Content hash:           ", chunk->hash, 32); break; 

From cf2ba24d69f3cae1f06e91ea62fc7c2798e69c0f Mon Sep 17 00:00:00 2001
From: Yifan Lu <me@yifanlu.com>
Date: Thu, 24 Mar 2016 17:48:14 -0500
Subject: [PATCH 173/317] Added support for disabling padding between segments
 for code Fixed potential bug where code size is calculated by taking the page
 size of combined segments rather than the combined padded segment size. This
 could be a problem, for example, if two segments add up to require two pages
 of padding. Fixed potential bug where memory-size is used for
 codeDetails.rwSize; this counts .bss which is not in the file

---
 makerom/code.c          | 21 ++++++++++++++-------
 makerom/ncch.c          |  1 +
 makerom/ncch_build.h    |  1 +
 makerom/user_settings.c | 10 ++++++++++
 makerom/user_settings.h |  1 +
 5 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/makerom/code.c b/makerom/code.c
index 11124471..e7d60c4d 100644
--- a/makerom/code.c
+++ b/makerom/code.c
@@ -173,13 +173,20 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	set->codeDetails.bssSize = rwdata.memSize - rwdata.fileSize;
 
 	/* Allocating Buffer for ExeFs Code */
-	u32 size = PageToSize(text.pageNum + rodata.pageNum + rwdata.pageNum);
+	bool noCodePadding = set->options.noCodePadding;
+	u32 size;
+	if (noCodePadding) {
+		size = text.fileSize + rodata.fileSize + rwdata.fileSize;
+	}
+	else {
+		size = PageToSize(text.pageNum + rodata.pageNum + rwdata.pageNum);
+	}
 	u8 *code = calloc(1, size);
 
 	/* Writing Code into Buffer */
-	u8 *textPos = (code + PageToSize(0));
-	u8 *rodataPos = (code + PageToSize(text.pageNum));
-	u8 *rwdataPos = (code + PageToSize(text.pageNum + rodata.pageNum));
+	u8 *textPos = code;
+	u8 *rodataPos = (textPos + (noCodePadding ? text.fileSize : PageToSize(text.pageNum)));
+	u8 *rwdataPos = (rodataPos + (noCodePadding ? rodata.fileSize : PageToSize(rodata.pageNum)));
 	if (text.fileSize) memcpy(textPos, text.data, text.fileSize);
 	if (rodata.fileSize) memcpy(rodataPos, rodata.data, rodata.fileSize);
 	if (rwdata.fileSize) memcpy(rwdataPos, rwdata.data, rwdata.fileSize);
@@ -204,15 +211,15 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	/* Setting code_segment data and freeing original buffers */
 	set->codeDetails.textAddress = text.address;
 	set->codeDetails.textMaxPages = text.pageNum;
-	set->codeDetails.textSize = text.memSize;
+	set->codeDetails.textSize = text.fileSize;
 
 	set->codeDetails.roAddress = rodata.address;
 	set->codeDetails.roMaxPages = rodata.pageNum;
-	set->codeDetails.roSize = rodata.memSize;
+	set->codeDetails.roSize = rodata.fileSize;
 
 	set->codeDetails.rwAddress = rwdata.address;
 	set->codeDetails.rwMaxPages = rwdata.pageNum;
-	set->codeDetails.rwSize = rwdata.memSize;
+	set->codeDetails.rwSize = rwdata.fileSize;
 
 	if (set->rsfSet->SystemControlInfo.StackSize)
 		set->codeDetails.stackSize = strtoul(set->rsfSet->SystemControlInfo.StackSize, NULL, 0);
diff --git a/makerom/ncch.c b/makerom/ncch.c
index e8d6412f..ccc2e3c5 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -177,6 +177,7 @@ int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 	ncchset->options.IsCfa = (usrset->ncch.ncchType == CFA);
 	ncchset->options.IsBuildingCodeSection = (usrset->ncch.elfPath != NULL);
 	ncchset->options.UseRomFS = ((ncchset->rsfSet->RomFs.RootPath && strlen(ncchset->rsfSet->RomFs.RootPath) > 0) || usrset->ncch.romfsPath);
+	ncchset->options.noCodePadding = usrset->ncch.noCodePadding;
 	ncchset->options.useSecCrypto = usrset->ncch.useSecCrypto;
 	ncchset->options.keyXID = usrset->ncch.keyXID;
 	
diff --git a/makerom/ncch_build.h b/makerom/ncch_build.h
index d97ab7b7..7aa90957 100644
--- a/makerom/ncch_build.h
+++ b/makerom/ncch_build.h
@@ -19,6 +19,7 @@ typedef struct
 		bool IsCfa;
 		bool IsBuildingCodeSection;
 		bool UseRomFS;
+		bool noCodePadding;
 		
 		bool useSecCrypto;
 		u8 keyXID;
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 3702316b..f1a864e8 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -92,6 +92,7 @@ void SetDefaults(user_settings *set)
 	set->ncch.includeExefsLogo = false;
 	set->common.outFormat = NCCH;
 	set->ncch.ncchType = format_not_set;
+	set->ncch.noCodePadding = false;
 
 	// RSF Settings
 	clrmem(&set->common.rsfSet, sizeof(rsf_settings));
@@ -352,6 +353,14 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->ncch.ncchType |= CFA;
 		return 1;
 	}
+	else if (strcmp(argv[i], "-nocodepadding") == 0) {
+		if (ParamNum) {
+			PrintNoNeedParam(argv[i]);
+			return USR_BAD_ARG;
+		}
+		set->ncch.noCodePadding = true;
+		return 1;
+	}
 
 	// Ncch Rebuild Options
 	else if (strcmp(argv[i], "-code") == 0) {
@@ -941,6 +950,7 @@ void DisplayExtendedHelp(char *app_name)
 	printf(" -logo          <file>              Logo file (Overrides \"BasicInfo/Logo\" in RSF)\n");
 	printf(" -desc          <apptype>:<fw>      Specify Access Descriptor template\n");
 	printf(" -exefslogo                         Include Logo in ExeFS (Required for usage on <5.0 systems)\n");
+	printf(" -nocodepadding                     For building sysmodules, do not pad .code segments\n");
 	printf("NCCH REBUILD OPTIONS:\n");
 	printf(" -code          <file>              Decompressed ExeFS \".code\"\n");
 	printf(" -exheader      <file>              Exheader template\n");
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index ea0f008d..ba6af79e 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -267,6 +267,7 @@ typedef struct
 		char *exheaderPath; // for .code details
 		char *plainRegionPath; // prebuilt Plain Region
 		char *romfsPath; // Prebuild _cleartext_ romfs binary
+		bool noCodePadding; // do not pad code.bin for sysmodule
 		
 		bool useSecCrypto;
 		u8 keyXID;

From 65e6974494804ae3137b4f02641f17f5652542ab Mon Sep 17 00:00:00 2001
From: Timothy Redaelli <timothy.redaelli@gmail.com>
Date: Wed, 13 Apr 2016 18:57:45 +0200
Subject: [PATCH 174/317] [makerom] Fix parsing of -content option

---
 makerom/user_settings.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index f1a864e8..6d19e059 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -614,7 +614,15 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-		char *pos = strstr(argv[i + 1], ":");
+		int count = 0;
+		char *pos = argv[i + 1];
+		while ((pos = strstr(pos + 1, ":")))
+			count++;
+
+		pos = argv[i + 1];
+		while (count-- > 1)
+			pos = strstr(pos + 1, ":");
+
 		if (!pos || strlen(pos) < 2) {
 			fprintf(stderr, "[SETTING ERROR] Bad argument '%s %s', correct format:\n", argv[i], argv[i + 1]);
 			fprintf(stderr, "	%s <CONTENT PATH>:<INDEX>\n", argv[i]);

From d3be7adce15c878a9f5fdb6f6113cff327307448 Mon Sep 17 00:00:00 2001
From: Steven Smith <Steveice10@gmail.com>
Date: Wed, 25 May 2016 18:54:47 -0700
Subject: [PATCH 175/317] Add seed DB access permission.

---
 ctrtool/exheader.c | 3 +++
 makerom/exheader.c | 2 ++
 makerom/exheader.h | 3 ++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index e9a6af1d..57844790 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -464,6 +464,9 @@ char* exheader_print_accessinfobit(u32 bit, char *str)
 		case 20 : 
 			sprintf(str,"Category HomeMenu");
 			break;
+		case 21 : 
+			sprintf(str,"Seed DB");
+			break;
 		default : 
 			sprintf(str,"Bit %d (unknown)",bit);
 			break;
diff --git a/makerom/exheader.c b/makerom/exheader.c
index c132a88b..fc0777cd 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -490,6 +490,8 @@ int SetARM11StorageInfoFsAccessInfo(exhdr_ARM11SystemLocalCapabilities *arm11, r
 			accessInfo |= fsaccess_SHELL;
 		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"CategoryHomeMenu") == 0)
 			accessInfo |= fsaccess_CATEGORY_HOME_MENU;
+		else if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"SeedDB") == 0)
+			accessInfo |= fsaccess_SEEDDB;
 		else{
 			fprintf(stderr,"[EXHEADER ERROR] Invalid FileSystemAccess Name: \"%s\"\n",rsf->AccessControlInfo.FileSystemAccess[i]);
 			return EXHDR_BAD_RSF_OPT;
diff --git a/makerom/exheader.h b/makerom/exheader.h
index d3ef983b..8c72ff84 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -88,6 +88,7 @@ typedef enum
 	fsaccess_SHOP = (1 << 18), // 0x00040000 probably used by eshop
 	fsaccess_SHELL = (1 << 19), // 0x00080000 reference to "Nintendo [User Interface] Shell" (NS)?
 	fsaccess_CATEGORY_HOME_MENU = (1 << 20), // 0x00100000 used by homemenu
+	fsaccess_SEEDDB = (1 << 21), // 0x00200000 seeddb access
 } file_system_access;
 
 typedef enum
@@ -243,4 +244,4 @@ int CheckAccessDescSignature(access_descriptor *acexDesc, keys_struct *keys);
 int GetSaveDataSizeFromString(u64 *out, char *string, char *moduleName);
 int GetRemasterVersion_rsf(u16 *RemasterVersion, user_settings *usrset);
 
-void ErrorParamNotFound(char *string);
\ No newline at end of file
+void ErrorParamNotFound(char *string);

From de5c4e1b2aaa7e2e9c020c258c4918ad64d88824 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 14 Jun 2016 18:17:59 +0800
Subject: [PATCH 176/317] License both ctrtool and makerom under MIT License.

---
 ctrtool/LICENSE | 22 ++++++++++++++++++++++
 makerom/LICENSE | 23 +++++++++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 ctrtool/LICENSE
 create mode 100644 makerom/LICENSE

diff --git a/ctrtool/LICENSE b/ctrtool/LICENSE
new file mode 100644
index 00000000..37685952
--- /dev/null
+++ b/ctrtool/LICENSE
@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2012 neimod
+Copyright (c) 2014 3DSGuy
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/makerom/LICENSE b/makerom/LICENSE
new file mode 100644
index 00000000..61db3e0a
--- /dev/null
+++ b/makerom/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2014 3DSGuy
+Copyright (c) 2014 applestash
+Copyright (c) 2015-2016 Jakcron
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file

From 01cd4cba7bf3c83001f393d357cfde57dd390514 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 14 Jun 2016 20:35:05 +0800
Subject: [PATCH 177/317] [ctrtool] Improved efficiency of aes-ctr operations.

---
 ctrtool/ctr.c      | 46 +++++++++++++++++++++++-------------
 ctrtool/ctr.h      |  6 +++--
 ctrtool/exefs.c    | 14 +++++++----
 ctrtool/exheader.c |  3 ++-
 ctrtool/ivfc.c     | 59 ++++++++++++++++++++++++++++++++++------------
 ctrtool/ivfc.h     |  1 -
 ctrtool/ncch.c     |  3 ++-
 ctrtool/romfs.c    |  8 +++++--
 8 files changed, 96 insertions(+), 44 deletions(-)

diff --git a/ctrtool/ctr.c b/ctrtool/ctr.c
index e5198f70..54cfc0fa 100644
--- a/ctrtool/ctr.c
+++ b/ctrtool/ctr.c
@@ -4,6 +4,7 @@
 #include <time.h>
 
 #include "ctr.h"
+#include "utils.h"
 
 
 void ctr_set_iv( ctr_aes_context* ctx,
@@ -15,23 +16,30 @@ void ctr_set_iv( ctr_aes_context* ctx,
 void ctr_add_counter( ctr_aes_context* ctx,
 				      u32 block_num )
 {
-	u32 i, j;
-	for (i = 0; i < block_num; i++) {
-		for (j = 0x10; j > 0; j--) {
-			// increment u8 by 1
-			ctx->ctr[j - 1]++;
-
-			// if it didn't overflow to 0, then we can exit now
-			if (ctx->ctr[j - 1])
-				break;
-
-			// if we reach here, the next u8 needs to be incremented
-
-			// Loop to beginning back if needed
-			if (j == 1)
-				j = 0x10;
+	u32 ctr[4];
+	ctr[3] = getbe32(&ctx->ctr[0]);
+	ctr[2] = getbe32(&ctx->ctr[4]);
+	ctr[1] = getbe32(&ctx->ctr[8]);
+	ctr[0] = getbe32(&ctx->ctr[12]);
+
+	for (u32 i = 0; i < 4; i++) {
+		u64 total = ctr[i] + block_num;
+		// if there wasn't a wrap around, add the two together and exit
+		if (total <= 0xffffffff) {
+			ctr[i] += block_num;
+			break;
 		}
+
+		// add the difference
+		ctr[i] = (u32)(total - 0x100000000);
+		// carry to next word
+		block_num = (u32)(total >> 32);
 	}
+	
+	putbe32(ctx->ctr + 0x00, ctr[3]);
+	putbe32(ctx->ctr + 0x04, ctr[2]);
+	putbe32(ctx->ctr + 0x08, ctr[1]);
+	putbe32(ctx->ctr + 0x0C, ctr[0]);
 }
 				  
 void ctr_set_counter( ctr_aes_context* ctx,
@@ -41,11 +49,15 @@ void ctr_set_counter( ctr_aes_context* ctx,
 }
 
 
+void ctr_init_key(ctr_aes_context* ctx,
+				       u8 key[16])
+{
+	aes_setkey_enc(&ctx->aes, key, 128);
+}
+
 void ctr_init_counter( ctr_aes_context* ctx,
-				       u8 key[16],
 				       u8 ctr[16] )
 {
-	aes_setkey_enc(&ctx->aes, key, 128);
 	ctr_set_counter(ctx, ctr);
 }
 
diff --git a/ctrtool/ctr.h b/ctrtool/ctr.h
index 66caff7b..48b61e55 100644
--- a/ctrtool/ctr.h
+++ b/ctrtool/ctr.h
@@ -61,10 +61,12 @@ void		ctr_add_counter( ctr_aes_context* ctx,
 void		ctr_set_counter( ctr_aes_context* ctx, 
 						 u8 ctr[16] );
 
+void		ctr_init_key(ctr_aes_context* ctx,
+						 u8 key[16]);
+
 
 void		ctr_init_counter( ctr_aes_context* ctx, 
-						  u8 key[16], 
-						  u8 ctr[16] );
+						 u8 ctr[16] );
 
 
 void		ctr_crypt_counter_block( ctr_aes_context* ctx, 
diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index 36180438..e732e4cb 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -124,7 +124,8 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 	}
 
 	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
+	ctr_init_key(&ctx->aes, ctx->key);
+	ctr_init_counter(&ctx->aes, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
 	if (index == 0 && (ctx->compressedflag || (flags & DecompressCodeFlag)) && ((flags & RawFlag) == 0))
@@ -210,10 +211,12 @@ void exefs_read_header(exefs_context* ctx, u32 flags)
 	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread(&ctx->header, 1, sizeof(exefs_header), ctx->file);
 
-	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
-
-	if (ctx->encrypted)
+	if (ctx->encrypted) {
+		ctr_init_key(&ctx->aes, ctx->key);
+		ctr_init_counter(&ctx->aes, ctx->counter);
 		ctr_crypt_counter(&ctx->aes, (u8*)&ctx->header, (u8*)&ctx->header, sizeof(exefs_header));
+	}
+		
 }
 
 void exefs_calculate_hash(exefs_context* ctx, u8 hash[32])
@@ -269,7 +272,8 @@ int exefs_verify(exefs_context* ctx, u32 index, u32 flags)
 		return 0;
 
 	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
+	ctr_init_key(&ctx->aes, ctx->key);
+	ctr_init_counter(&ctx->aes, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
 	ctr_sha_256_init(&ctx->sha);
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 57844790..4a96f0f1 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -93,7 +93,8 @@ void exheader_read(exheader_context* ctx, u32 actions)
 		fseeko64(ctx->file, ctx->offset, SEEK_SET);
 		fread(&ctx->header, 1, sizeof(exheader_header), ctx->file);
 
-		ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
+		ctr_init_key(&ctx->aes, ctx->key);
+		ctr_init_counter(&ctx->aes, ctx->counter);
 		if (ctx->encrypted)
 			ctr_crypt_counter(&ctx->aes, (u8*)&ctx->header, (u8*)&ctx->header, sizeof(exheader_header));
 
diff --git a/ctrtool/ivfc.c b/ctrtool/ivfc.c
index 041afda3..4a77a676 100644
--- a/ctrtool/ivfc.c
+++ b/ctrtool/ivfc.c
@@ -38,7 +38,7 @@ void ivfc_set_encrypted(ivfc_context* ctx, u32 encrypted)
 
 void ivfc_set_key(ivfc_context* ctx, u8 key[16])
 {
-	memcpy(ctx->key, key, 16);
+	ctr_init_key(&ctx->aes, key);
 }
 
 void ivfc_set_counter(ivfc_context* ctx, u8 counter[16])
@@ -50,8 +50,14 @@ void ivfc_fseek(ivfc_context* ctx, u64 offset)
 {
 	u64 data_pos = offset - ctx->offset;
 	fseeko64(ctx->file, offset, SEEK_SET);
-	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
-	ctr_add_counter(&ctx->aes, (u32) (data_pos / 0x10));
+
+	if (ctx->encrypted) {
+		//printf("start fseek encrypted prep\n");
+		ctr_init_counter(&ctx->aes, ctx->counter);
+		//printf("middle fseek encrypted prep\n");
+		ctr_add_counter(&ctx->aes, (u32)(data_pos / 0x10));
+		//printf("finish fseek encrypted prep\n");
+	}
 }
 
 size_t ivfc_fread(ivfc_context* ctx, void* buffer, size_t size, size_t count)
@@ -124,31 +130,54 @@ void ivfc_verify(ivfc_context* ctx, u32 flags)
 		level->hashcheck = Fail;
 	}
 
-	for(i=0; i<ctx->levelcount; i++)
+	// Import IVFC level hashes
+	uint8_t *levelhash[IVFC_MAX_LEVEL] = { NULL };
+
+	for (i=0; i<ctx->levelcount; i++)
 	{
-		ivfc_level* level = ctx->level + i;
+		blockcount = (u32)(ctx->level[i].datasize / ctx->level[i].hashblocksize);
+		u32 read_size = align(blockcount * 0x20, ctx->level[i].hashblocksize);
+		levelhash[i] = malloc(read_size);
+		ivfc_read(ctx, ctx->level[i].hashoffset, read_size, levelhash[i]);
+	}
 
-		blockcount = (u32) (level->datasize / level->hashblocksize);
-		if (level->datasize % level->hashblocksize != 0)
+	// Verify blocks
+	for (i=0; i<ctx->levelcount; i++)
+	{
+		blockcount = (u32) (ctx->level[i].datasize / ctx->level[i].hashblocksize);
+		if (ctx->level[i].datasize % ctx->level[i].hashblocksize != 0)
 		{
 			fprintf(stderr, "Error, IVFC block size mismatch\n");
 			return;
 		}
 
-		level->hashcheck = Good;
+		ctx->level[i].hashcheck = Good;
 
-		for(j=0; j<blockcount; j++)
+		for (j=0; j<blockcount; j++)
 		{
 			u8 calchash[32];
-			u8 testhash[32];
 			
-			ivfc_hash(ctx, level->dataoffset + level->hashblocksize * j, level->hashblocksize, calchash);
-			ivfc_read(ctx, level->hashoffset + 0x20 * j, 0x20, testhash);
-
-			if (memcmp(calchash, testhash, 0x20) != 0)
-				level->hashcheck = Fail;
+			// a hash level
+			if (i < 2) {
+				ctr_sha_256(levelhash[i+1] + ctx->level[i].hashblocksize * j, ctx->level[i].hashblocksize, calchash);
+			}
+			// a data level
+			else {
+				ivfc_read(ctx, ctx->level[i].dataoffset + j * ctx->level[i].hashblocksize, ctx->level[i].hashblocksize, ctx->buffer);
+				ctr_sha_256(ctx->buffer, (u32)ctx->level[i].hashblocksize, calchash);
+			}
+
+			if (memcmp(calchash, levelhash[i] + 0x20 * j, 0x20) != 0) {
+				ctx->level[i].hashcheck = Fail;
+			}
+				
 		}
 	}
+
+	// Free level hashes
+	for (int i = 0; i < 3; i++) {
+		free(levelhash[i]);
+	}
 }
 
 void ivfc_read(ivfc_context* ctx, u64 offset, u64 size, u8* buffer)
diff --git a/ctrtool/ivfc.h b/ctrtool/ivfc.h
index 9662f45e..67b5c7e6 100644
--- a/ctrtool/ivfc.h
+++ b/ctrtool/ivfc.h
@@ -45,7 +45,6 @@ typedef struct
 	u64 size;
 	settings* usersettings;
 	u8 counter[16];
-	u8 key[16];
 	ctr_aes_context aes;
 	int encrypted;
 
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 8d2a9ff6..b553b600 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -135,7 +135,8 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 	ctx->extractflags = flags;
 	fseeko64(ctx->file, offset, SEEK_SET);
 	ncch_get_counter(ctx, counter, type);
-	ctr_init_counter(&ctx->aes, ctx->key, counter);
+	ctr_init_key(&ctx->aes, ctx->key);
+	ctr_init_counter(&ctx->aes, counter);
 
 	return 1;
 
diff --git a/ctrtool/romfs.c b/ctrtool/romfs.c
index f8c9ffb0..6f004674 100644
--- a/ctrtool/romfs.c
+++ b/ctrtool/romfs.c
@@ -38,6 +38,7 @@ void romfs_set_encrypted(romfs_context* ctx, u32 encrypted)
 void romfs_set_key(romfs_context* ctx, u8 key[16])
 {
 	memcpy(ctx->key, key, 16);
+	ctr_init_key(&ctx->aes, key);
 }
 
 void romfs_set_counter(romfs_context* ctx, u8 counter[16])
@@ -49,8 +50,11 @@ void romfs_fseek(romfs_context* ctx, u64 offset)
 {
 	u64 data_pos = offset - ctx->offset;
 	fseeko64(ctx->file, offset, SEEK_SET);
-	ctr_init_counter(&ctx->aes, ctx->key, ctx->counter);
-	ctr_add_counter(&ctx->aes, (u32) (data_pos / 0x10));
+
+	if (ctx->encrypted) {
+		ctr_init_counter(&ctx->aes, ctx->counter);
+		ctr_add_counter(&ctx->aes, (u32)(data_pos / 0x10));
+	}
 }
 
 size_t romfs_fread(romfs_context* ctx, void* buffer, size_t size, size_t count)

From b85775479ba737ff824b4762e20729af74274639 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 27 Jun 2016 15:59:03 +0800
Subject: [PATCH 178/317] [makerom] Warn user for not specifying any services,
 instead of erroring out.

---
 .gitignore         | 3 ++-
 makerom/exheader.c | 8 ++++++--
 makerom/exheader.h | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index c990f923..39b344f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -226,4 +226,5 @@ pip-log.txt
 *.cia
 
 #exec
-*.exe
\ No newline at end of file
+*.exe
+*.db
diff --git a/makerom/exheader.c b/makerom/exheader.c
index fc0777cd..dbb183ec 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -617,8 +617,7 @@ int SetARM11ServiceAccessControl(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 		}
 	}
 	else{
-		ErrorParamNotFound("AccessControlInfo/ServiceAccessControl");
-		return EXHDR_BAD_RSF_OPT;
+		WarnParamNotFound("AccessControlInfo/ServiceAccessControl");
 	}
 	return 0;
 }
@@ -1164,6 +1163,11 @@ void ErrorParamNotFound(char *string)
 	fprintf(stderr,"[EXHEADER ERROR] Parameter Not Found: \"%s\"\n",string);
 }
 
+void WarnParamNotFound(char *string)
+{
+	fprintf(stderr, "[EXHEADER WARNING] Parameter Not Found: \"%s\"\n", string);
+}
+
 /* ExHeader Binary Print Functions */
 void exhdr_Print_ServiceAccessControl(extended_hdr *hdr)
 {
diff --git a/makerom/exheader.h b/makerom/exheader.h
index 8c72ff84..67b0662e 100644
--- a/makerom/exheader.h
+++ b/makerom/exheader.h
@@ -245,3 +245,4 @@ int GetSaveDataSizeFromString(u64 *out, char *string, char *moduleName);
 int GetRemasterVersion_rsf(u16 *RemasterVersion, user_settings *usrset);
 
 void ErrorParamNotFound(char *string);
+void WarnParamNotFound(char *string);
\ No newline at end of file

From d24dda0bc02a816887e2f34c3790d7a401f8bd98 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sat, 9 Jul 2016 16:38:05 +0800
Subject: [PATCH 179/317] Fixes issue #39

---
 ctrtool/main.c     |  2 +-
 ctrtool/settings.c | 16 ++++++++--------
 ctrtool/settings.h |  4 ++--
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/ctrtool/main.c b/ctrtool/main.c
index 8282c9b3..dd8ef88f 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -224,7 +224,7 @@ int main(int argc, char* argv[])
 			case 4: settings_set_tik_path(&ctx.usersettings, optarg); break;
 			case 5: settings_set_tmd_path(&ctx.usersettings, optarg); break;
 			case 6: settings_set_content_path(&ctx.usersettings, optarg); break;
-			case 7: settings_set_content_path(&ctx.usersettings, optarg); break;
+			case 7: settings_set_meta_path(&ctx.usersettings, optarg); break;
 			case 8: settings_set_exefs_dir_path(&ctx.usersettings, optarg); break;
 			case 9: settings_set_mediaunit_size(&ctx.usersettings, strtoul(optarg, 0, 0)); break;
 			case 10: ctx.actions |= ShowKeysFlag; break;
diff --git a/ctrtool/settings.c b/ctrtool/settings.c
index 7888d545..ddbf51bc 100644
--- a/ctrtool/settings.c
+++ b/ctrtool/settings.c
@@ -104,18 +104,18 @@ filepath* settings_get_tmd_path(settings* usersettings)
 		return 0;
 }
 
-filepath* settings_get_meta_path(settings* usersettings)
+filepath* settings_get_content_path(settings* usersettings)
 {
 	if (usersettings)
-		return &usersettings->metapath;
+		return &usersettings->contentpath;
 	else
 		return 0;
 }
 
-filepath* settings_get_content_path(settings* usersettings)
+filepath* settings_get_meta_path(settings* usersettings)
 {
 	if (usersettings)
-		return &usersettings->contentpath;
+		return &usersettings->metapath;
 	else
 		return 0;
 }
@@ -243,14 +243,14 @@ void settings_set_tmd_path(settings* usersettings, const char* path)
 	filepath_set(&usersettings->tmdpath, path);
 }
 
-void settings_set_meta_path(settings* usersettings, const char* path)
+void settings_set_content_path(settings* usersettings, const char* path)
 {
-	filepath_set(&usersettings->metapath, path);
+	filepath_set(&usersettings->contentpath, path);
 }
 
-void settings_set_content_path(settings* usersettings, const char* path)
+void settings_set_meta_path(settings* usersettings, const char* path)
 {
-	filepath_set(&usersettings->contentpath, path);
+	filepath_set(&usersettings->metapath, path);
 }
 
 void settings_set_exefs_dir_path(settings* usersettings, const char* path)
diff --git a/ctrtool/settings.h b/ctrtool/settings.h
index 30b42d22..2822b93a 100644
--- a/ctrtool/settings.h
+++ b/ctrtool/settings.h
@@ -38,8 +38,8 @@ filepath* settings_get_logo_path(settings* usersettings);
 filepath* settings_get_certs_path(settings* usersettings);
 filepath* settings_get_tik_path(settings* usersettings);
 filepath* settings_get_tmd_path(settings* usersettings);
-filepath* settings_get_meta_path(settings* usersettings);
 filepath* settings_get_content_path(settings* usersettings);
+filepath* settings_get_meta_path(settings* usersettings);
 filepath* settings_get_exefs_dir_path(settings* usersettings);
 filepath* settings_get_romfs_dir_path(settings* usersettings);
 filepath* settings_get_firm_dir_path(settings* usersettings);
@@ -62,8 +62,8 @@ void settings_set_logo_path(settings* usersettings, const char* path);
 void settings_set_certs_path(settings* usersettings, const char* path);
 void settings_set_tik_path(settings* usersettings, const char* path);
 void settings_set_tmd_path(settings* usersettings, const char* path);
-void settings_set_meta_path(settings* usersettings, const char* path);
 void settings_set_content_path(settings* usersettings, const char* path);
+void settings_set_meta_path(settings* usersettings, const char* path);
 void settings_set_exefs_dir_path(settings* usersettings, const char* path);
 void settings_set_romfs_dir_path(settings* usersettings, const char* path);
 void settings_set_firm_dir_path(settings* usersettings, const char* path);

From 02ee3b99c1e4e0490d050811220a43f42c35d64d Mon Sep 17 00:00:00 2001
From: infinicore <infinicore@protonmail.com>
Date: Wed, 20 Jul 2016 14:12:56 +0000
Subject: [PATCH 180/317] Fix build with gcc on some platforms.

---
 ctrtool/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 0f2361fa..c316463c 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c))) $(foreach
 # Compiler Settings
 OUTPUT = ctrtool
 CXXFLAGS = -I.
-CFLAGS = -O2 -flto -Wall -Wno-unused-variable  -Wno-unused-result -I.
+CFLAGS = -O2 -flto -Wall -Wno-unused-variable  -Wno-unused-result -I. -std=c99
 CC = gcc
 CXX = g++
 ifeq ($(OS),Windows_NT)

From 7b384c62139586ae2eee02d06cdc3dce4988c18b Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 6 Oct 2016 14:12:22 +0800
Subject: [PATCH 181/317] [makerom] Do not include logo as a ncch region if it
 is included in the ExeFS archive (toggled by cmd arg -exefslogo)

---
 makerom/ncch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/ncch.c b/makerom/ncch.c
index ccc2e3c5..796a9cf6 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -383,7 +383,7 @@ int SetupNcch(ncch_settings *set, romfs_buildctx *romfs)
 	else
 		acexSize = 0;
 
-	if(set->sections.logo.size){
+	if(set->sections.logo.size && set->options.IncludeExeFsLogo == false){
 		logoSize = set->sections.logo.size;
 		logoOffset = align(ncchSize,set->options.blockSize);
 		ncchSize = logoOffset + logoSize;

From dc81220cf60f7d079c359003a48b995c10b1fed9 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Sat, 7 Jan 2017 21:31:05 +0100
Subject: [PATCH 182/317] Updated FIRM code in ctrtool according to
 3dbrew/boot9. Removed -flto flag since this can cause problems.

---
 ctrtool/Makefile | 2 +-
 ctrtool/firm.c   | 9 ++++++---
 ctrtool/firm.h   | 6 +++---
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index c316463c..7a534c98 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c))) $(foreach
 # Compiler Settings
 OUTPUT = ctrtool
 CXXFLAGS = -I.
-CFLAGS = -O2 -flto -Wall -Wno-unused-variable  -Wno-unused-result -I. -std=c99
+CFLAGS = -O2 -Wall -Wno-unused-variable  -Wno-unused-result -I. -std=c99
 CC = gcc
 CXX = g++
 ifeq ($(OS),Windows_NT)
diff --git a/ctrtool/firm.c b/ctrtool/firm.c
index e865cc0e..491f4a7e 100644
--- a/ctrtool/firm.c
+++ b/ctrtool/firm.c
@@ -206,9 +206,10 @@ void firm_print(firm_context* ctx)
 {
 	u32 i;
 	u32 address;
-	u32 type;
+	u32 copyMethod;
 	u32 offset;
 	u32 size;
+	u32 priority = getle32(ctx->header.priority);
 	u32 entrypointarm11 = getle32(ctx->header.entrypointarm11);
 	u32 entrypointarm9 = getle32(ctx->header.entrypointarm9);
 
@@ -221,6 +222,7 @@ void firm_print(firm_context* ctx)
 		memdump(stdout, "Signature (FAIL):       ", ctx->header.signature, 0x100);
 
 	fprintf(stdout, "\n");
+	fprintf(stdout, "Priority:               %u\n", priority);
 	fprintf(stdout, "Entrypoint ARM9:        0x%08X\n", entrypointarm9);
 	fprintf(stdout, "Entrypoint ARM11:       0x%08X\n", entrypointarm11);
 	fprintf(stdout, "\n");
@@ -234,12 +236,13 @@ void firm_print(firm_context* ctx)
 		offset = getle32(section->offset);
 		size = getle32(section->size);
 		address = getle32(section->address);
-		type = getle32(section->type);
+		copyMethod = getle32(section->copyMethod);
 
 		if (size)
 		{
 			fprintf(stdout, "Section %d              \n", i);
-			fprintf(stdout, " Type:                  %s\n", type==0? "ARM9" : type==1? "ARM11" : "UNKNOWN");
+			fprintf(stdout, " Copy Method:           %s\n", copyMethod==0 ? "NDMA" : copyMethod==1 ? "XDMA" :
+															copyMethod==2 ? "memcpy" : "UNKNOWN");
 			fprintf(stdout, " Address:               0x%08X\n", address);
 			fprintf(stdout, " Offset:                0x%08X\n", offset);
 			fprintf(stdout, " Size:                  0x%08X\n", size);			
diff --git a/ctrtool/firm.h b/ctrtool/firm.h
index 29af98f4..5d1ebbcf 100644
--- a/ctrtool/firm.h
+++ b/ctrtool/firm.h
@@ -13,7 +13,7 @@ typedef struct
 	u8 offset[4];
 	u8 address[4];
 	u8 size[4];
-	u8 type[4];
+	u8 copyMethod[4];
 	u8 hash[32];
 } firm_sectionheader;
 
@@ -23,10 +23,10 @@ typedef struct
 typedef struct
 {
 	u8 magic[4];
-	u8 reserved1[4];
+	u8 priority[4];
 	u8 entrypointarm11[4];
 	u8 entrypointarm9[4];
-	u8 reserved2[0x30];
+	u8 reserved1[0x30];
 	firm_sectionheader section[4];
 	u8 signature[0x100];
 } firm_header;

From dfabf8daa2d19d73271ce927740256a216556ff7 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Sat, 7 Jan 2017 22:01:23 +0100
Subject: [PATCH 183/317] Added unique ID range check in makerom. Removed -flto
 flag since this can cause problems.

---
 makerom/Makefile  | 2 +-
 makerom/titleid.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index 9af706b3..f4f6faf6 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -3,7 +3,7 @@ SRC_DIR = . polarssl libyaml
 OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 
 # Compiler Settings
-CFLAGS = --std=c99 -O2 -flto -Wall -Wno-unused-value -Wno-unused-result -I.
+CFLAGS = --std=c99 -O2 -Wall -Wno-unused-value -Wno-unused-result -I.
 CC = gcc
 ifeq ($(OS),Windows_NT)
     #Windows Build CFG
diff --git a/makerom/titleid.c b/makerom/titleid.c
index 251282be..aea6a158 100644
--- a/makerom/titleid.c
+++ b/makerom/titleid.c
@@ -61,6 +61,11 @@ int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 	else
 		uniqueId = DEFAULT_UNIQUE_ID;
 
+	if(uniqueId & 0xFFF00000u){
+		fprintf(stderr,"[ID ERROR] Unique ID is out of range.\n");
+		return PID_BAD_RSF_SET;
+	}
+
 	// Getting Variation
 	if(SetTitleVariation(&variation,category,rsf) == PID_INVALID_VARIATION)
 		return PID_BAD_RSF_SET;

From cf1a6fb41ebd89502ac917122d4c4d37de9fd683 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Wed, 18 Jan 2017 23:13:54 +0100
Subject: [PATCH 184/317] Fix a few warnings (excluding polarssl ones).

---
 makerom/blz.c   | 2 +-
 makerom/utils.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/makerom/blz.c b/makerom/blz.c
index 1b64a071..9c63b3af 100644
--- a/makerom/blz.c
+++ b/makerom/blz.c
@@ -182,7 +182,7 @@ u8* BLZ_Encode(char *filename, u32* pak_len, int mode) {
 
 /*----------------------------------------------------------------------------*/
 u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best) {
-  u8 *pak_buffer, *pak, *raw, *raw_end, *flg, *tmp;
+  u8 *pak_buffer, *pak, *raw, *raw_end, *flg = NULL, *tmp;
   u32   pak_len, inc_len, hdr_len, enc_len, len, pos, max;
   u32   len_best, pos_best, len_next, pos_next, len_post, pos_post;
   u32   pak_tmp, raw_tmp;
diff --git a/makerom/utils.c b/makerom/utils.c
index 999433e7..05e4d3c1 100644
--- a/makerom/utils.c
+++ b/makerom/utils.c
@@ -309,7 +309,7 @@ int fseek_64(FILE *fp, u64 file_pos)
 //Data Size conversion
 u16 u8_to_u16(const u8 *value, u8 endianness)
 {
-	u16 new_value;
+	u16 new_value = 0;
 	switch(endianness){
 		case(BE): new_value =  (value[1]<<0) | (value[0]<<8); break;
 		case(LE): new_value = (value[0]<<0) | (value[1]<<8); break;
@@ -319,7 +319,7 @@ u16 u8_to_u16(const u8 *value, u8 endianness)
 
 u32 u8_to_u32(const u8 *value, u8 endianness)
 {
-	u32 new_value;
+	u32 new_value = 0;
 	switch(endianness){
 		case(BE): new_value = (value[3]<<0) | (value[2]<<8) | (value[1]<<16) | (value[0]<<24); break;
 		case(LE): new_value = (value[0]<<0) | (value[1]<<8) | (value[2]<<16) | (value[3]<<24); break;

From 70e0d1280ff761c41c4aba41b0bae22bc27603aa Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Thu, 19 Jan 2017 00:47:58 +0100
Subject: [PATCH 185/317] Fixed more warnings.

---
 makerom/Makefile | 4 +---
 makerom/blz.c    | 2 +-
 makerom/ncch.c   | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/makerom/Makefile b/makerom/Makefile
index f4f6faf6..fd0832ff 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -3,7 +3,7 @@ SRC_DIR = . polarssl libyaml
 OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 
 # Compiler Settings
-CFLAGS = --std=c99 -O2 -Wall -Wno-unused-value -Wno-unused-result -I.
+CFLAGS = --std=gnu99 -O2 -Wall -Wno-unused-value -Wno-unused-result -I.
 CC = gcc
 ifeq ($(OS),Windows_NT)
     #Windows Build CFG
@@ -13,12 +13,10 @@ else
     UNAME_S := $(shell uname -s)
     ifeq ($(UNAME_S),Darwin)
         # OS X
-        CFLAGS +=
         LIBS += -liconv
     else
         # Linux
         CFLAGS += -Wno-unused-but-set-variable
-        LIBS +=
     endif
 endif
 
diff --git a/makerom/blz.c b/makerom/blz.c
index 9c63b3af..7f4622d2 100644
--- a/makerom/blz.c
+++ b/makerom/blz.c
@@ -184,7 +184,7 @@ u8* BLZ_Encode(char *filename, u32* pak_len, int mode) {
 u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best) {
   u8 *pak_buffer, *pak, *raw, *raw_end, *flg = NULL, *tmp;
   u32   pak_len, inc_len, hdr_len, enc_len, len, pos, max;
-  u32   len_best, pos_best, len_next, pos_next, len_post, pos_post;
+  u32   len_best, pos_best = 0, len_next, pos_next, len_post, pos_post;
   u32   pak_tmp, raw_tmp;
   u8  mask;
 
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 796a9cf6..8621b126 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -361,7 +361,7 @@ int SetupNcch(ncch_settings *set, romfs_buildctx *romfs)
 {
 	u64 ncchSize = 0;
 	u64 exhdrSize,acexSize,logoSize,plnRgnSize,exefsSize,romfsSize;
-	u64 exhdrOffset,acexOffset,logoOffset,plnRgnOffset,exefsOffset,romfsOffset;
+	u64 exhdrOffset,acexOffset = 0,logoOffset,plnRgnOffset,exefsOffset,romfsOffset;
 	u32 exefsHashSize,romfsHashSize;
 
 	ncchSize += sizeof(ncch_hdr); // Sig+Hdr

From 90dca52c8d1f81fd3f7a938db22fdd2c56540a83 Mon Sep 17 00:00:00 2001
From: "James Pelster \"CaptainSwag101" <jpmac26@gmail.com>
Date: Sat, 21 Jan 2017 16:34:59 -0800
Subject: [PATCH 186/317] Edited Makefile

---
 ctrtool/Makefile |   4 ++++
 ctrtool/ctrtool  | Bin 0 -> 257872 bytes
 makerom/Makefile |   6 +++++-
 makerom/makerom  | Bin 0 -> 429576 bytes
 4 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100755 ctrtool/ctrtool
 create mode 100755 makerom/makerom

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 7a534c98..96d1c153 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -28,5 +28,9 @@ endif
 main: $(OBJS)
 	$(CXX) -o $(OUTPUT) $(LIBS) $(OBJS)
 
+install: $(OUTPUT)
+	@cp ./$(OUTPUT) -t $(DEVKITARM)/bin/
+	@echo "Installed."
+
 clean:
 	rm -rf $(OUTPUT) $(OBJS)
diff --git a/ctrtool/ctrtool b/ctrtool/ctrtool
new file mode 100755
index 0000000000000000000000000000000000000000..c5495b63ed8f9d066f82f21a108cd71985510b4b
GIT binary patch
literal 257872
zcmcG%31C!J(gxa{1PBnkQBk9UHqdHN#Kb{OlxUiC$ZZXZEW(U15Fr7^0FiV9E=Xdh
zA$Qu=IBxti>fp|(GvKHYf;I^O0?w$28-mKFaxOu@g+;c!?>p!Al0caG-}_%H>3gc`
zRGp<xRh{LYo||7dIKghWMLr3(8*NPO@0BY->aWdKvnx@i`6t(wW$TQ;7u$N+IwIXc
z!iXU*x7GJyi*@8XSz>KAa!bO$tONzfO30NDk?$S~3<>HJDIvcpFZRi`9@TgMKB}CN
zZ=1~_@yy4vZn{$8H(fbF!Xw|aJIkcaHpKe2^09c#x8KUQ-^v&Hwprzmd`IfXy7Au#
z3qK+u7b&K5`DJs<zp-!9@-y^1??jpJd6jX*^MfQj^6frHCT)@LNWR;VkLCPtKdBbs
zFiT#0?UHVlKl06X<mal=DR*5v;HuJzSC&qh=9_)x?5u0AymmnU^6CArmh~oo(iYr0
zlH{^^SUv~-vCQ4^k3B*B(3gjF9^t#~+gFD7Z(4KC#-iH3^IszFI{YIK=Bv!NJ9^oB
zBocN#{@s9o={+Crv97Yq#%CwIw<i0iV2^*kaOkY7S06fSw&(7p_Q@Sy0ZF@`eqemo
zDX_}`I~ClCb~qJ$QagM+?ZDT!1Mkre{|DNkU(gPGP&;tF9r!uzz^`rx?r#VF+jii-
zcHo=ZfoHbU4jtQpuV{x)Vmt6v?ZE%tPQMRqNA7#=(EqU={(ou*{!Tk^tsS_po$_>P
zhyJW~=wE4veoZ^|`nVnX>)U}Bwj<Zy4*x#w(BIw;e;SlijmPuaflqITPiZ^!&UWbC
z?a;r`4*d`9z<0OP4p+3pe|S6a;&$M)zYhFs`}wt<^86L>Gi?{x#$TuWV#JSK3<kXb
zFSFpIEr!3d;OpAJzqj}}vRd=mYQZPB;osAOr(5(9f0hsa?B9jw<l=Aa^Aa8j-`@sq
zgFh<wPMmPX74$*Z+QyBWG<Ev4apm5k8QyW@Y~y}6;*MK0GscaZFne~<T~lUeW?qNq
z(xUS6ao&5&ipNcvRx&-GnP$%(S5`cueEPJa(kb41$IZ+*IqTJ6Q$FQXxhKpn8t0un
zWBROdcNI+>S2SZr(Y@oQ70()1T0Cu%cQV+Mpv*U;c-+h>GrYc{QZS!ZG!=g*mJXdM
zzl(;>ByiSLR%oiK3!WxTm@uxKsZ86rk<(^PnKp6Uu;Oyx)MAoNP-Nxa857FxwH42v
z;<c4bFDssA17zBSsb#k5WnSd4O(`!bEt_0qEAbYWmMSFZ%Y5DmlZ$59rrteq$_(4g
z^0FCIrg=+j-sz>&XBE#tq0vaiXvC7DDWzahURE@r*j6&B*jsL!P*hqveF8b5hPJ82
zQ_G9JQpz;nR9i`Taq-;*vIOXw={^*T!W3ruwF6|bT#}$1B@;@gmlu<nce=0CHr3)?
zKA~t@32RU^V-ndE&zNC@Z~(@YPM<c(Rx)eG6fX)iqqqn)oG^XbO!N#H6?vzZ@Xr*o
zoG^I?q^X)oB8yZu)3|Z7p(kDzWa{*pvIs2mxN&S-ONFKuO_^pZf$-@wY~|A|P7qpb
zE6B?m_nZD1w!G1!U4uO1GW-9ge^z`VJ1$`>DD(^hAu<e5&*QG{pBa0+y8kuM?F2+d
z3IFlG4w8bD9Z#Z-<nMG6hJ2GPC?zEz8cVX$e6r)euTX}F{TO=by<Kg{aUbjqKXyr@
z@I#TF{qbVpJJ}uro_X$->5jHXt@J00??$+uWP8R+d;9(grX|t#YLs7s?N{VuUVff<
z>?wqM9c*t|^u7zGATm#|g)RF1S1G%~nD93;hx&6k4$d}=d?NM?g^=-N1Rk+Ngfo_m
zd?I#^@T>?B-w``Ucy=5-V&@2FTpIaA>>1$$BS3toWvKFZ!ZS=?^y7$wTUC{~^f-88
zl-g#?h=WILCec}OaLSH+a^v7^yU0h6gR@ML&(Jt{#1{}ZIu0J0G7&yL4&H?T>oYkH
z4n>K6%HrTDQ7H5&4&E&eUJ(aBBMx322iM}@HF5BWZV|m84t{1F{lYkSd|a_84t{nV
z{gOC1=Q5E`Z5-U1s!3FR9Q@n}F}~Nu!Ox3>Z-|4Z#lbhl!OxF_Z;OLp5C<1=@C)PM
z`{Uq|IX2OU<KR8x=xv!Xy}c+7o*V~ftPuI6#=#vCAimS$;JxDDjyQPlICy#-yiXiF
zBM$D2gJ;FTFNuTa#=$R*gX?kd%i`ce<KXFW@X>MbzH#vJaq!FI;FIIvSH!`~;^6(_
z;Irf4SH{6B;^6(`;MH;PtK#4_aqyft_<}fiMjU)$96U1)z9<fUbsT(29DG0=yfzMg
zV;sCb4t{MMT=(xu)`K0U_UvQR1NGj7mJPapb#h~rqUD;qfNHs9BK~R@=i-U!$;6x6
zTJX8#cTCfinj2(#7}GSNX1z?`%rs4>xkRQ1F-?<cE|lr(nWm{UYh?OrrfDM03Yor~
zX_`i}Os0D?O_OMjm+1?brYSUs%Jf-G(*&BiGTnt~nm#i_rW2T^$uk`?eWVA{G<9aG
zO#j3*O`K_y>D^4zw3+))0C33;rfJg5Z8E)?X__)~gG_H^nkLMwm+AMJrs*=5$n+|v
zX|l|PGF`_sO_f<A)Bj|eCd#ak>DQR1X)?=X`UR$GlFack{b#0Wip-%h{U@erg3Mf*
z{v*>gJ!XbXKg2Xmj_Hu;`<SMwF;iuF2GcY#rcI{*z%)&Zx&Jupe;3mZrnkxT@0g}3
zF*nHcFs5lj%zBx=nQ591bBRn3VwxtyTqx7mGfh)r*2whLOw&Y|6*7G}(=-icnN0U)
znkK;<FVhz=O;cbFmFcsXrU@`}Wx5N~9QtO4OeZkSA#XZl`pAVybEuoCGW`?N9O9-;
zrgt;Vp>6IzCi|ah4qbDbOmAkIL)P3N(;J!QP&Mmi`hBJuDw#`UdKJ?gvgSgWu49@Z
zlUakbYn1B_z4q?nd&~RJo?7Y}=^C+|!+7Ly<7nL`w6bm-$ULZ5?$Q5Zv*l;Dc$(Hy
zN%hdX&J2t>-KcUp@SRy-7<$RM2wJ2!RXHPThd=ADlduM0k%YPx8oPjHlEYIJVNd`h
zet61mBb@_-RBS_{$?fELk>kHGROKu~V7A<L^#ohpv0Dd0=3Zl~_!he2KiuLn)_A-7
z58tcJuR(5?Q9r1~xn}(6LAGFr>wERFg@(6euhOcX!f?%Q)E+GbjlbDm7@FvGXjQ*Q
zD)@vfj~;qPl|J;gtdDMN_3ub_cRnJDpJCwu1u>xFv*+x#gQ^m_T3`U6tirV=Hd{FJ
zwn0p=O%}4sc2pTQj_CzRYgJufCH(I?pFjes4isM{Q+{FhAMUKpuLJ_+&loevhK3>?
z?F!q5O&}^>MI!jN<Q4@6Eg(fkflm>LQp+BRWPeNo6|c;L;!j9|8M`Bz@1i#;;aw#m
z(4tkXKu_go{vg&IMO`XaQw!XNxO1#)jBBjx_pWh`{)Z)pRC72xL?!Iz;8-Hr%toRx
zc;)Vk`q;vqWgG1i#ZbLKy;ijo$`d}z0uEKcz$2Y(k@^E|GY_L7E!GaRIhIH=zhM&x
za~=ij%#EniMMqj%3}}zJMk2162?Q%g9j(Kx!sc2@&ml@cXFea}lwdxAM5QV|<8-r1
zF}MZ{*un3>U`u<T2e0WRVLxV~XAk}K56Pa&ap+?`bbE^!2n8_*$GBCn2G=TXyWk4Q
zZ5Pzr>@8tAp8%G5Fmt20>sL8KjJ2Yg!V-ZFv#`uiLdcJ39*BRzVsaK?Un|%n7OX!R
zuUD}9B&@w+dRWZAD$1c&?hNJ*D%d~^wg;ZfoTXstr{(zUv*0*HQJ#R!D>T}Z-H0(|
z_5r2Usk!F4GFwg)vdOl%<8Y)c3R$K@)V|;~izL@wBAKwA3igBr`<CVWNWm&BSUq7Y
z6s**OJww>53O3q;%_i(|1#?@l5roZEunY_4Ana}h>tVt6V1$~Z6fD_-ts^W?!sgh-
z`}t9AhML&S%ZY#`8O|P9iA3hcFjY=Bn#5k{fF69<8sQH(Q|p*Ts)3k6TnI3+X{^nb
zb8Fskw^p?Ucs%CmS|Ale)v_9L)GP#R3|%vyZ5y!x-6}Z1+n5mD0=6<CeF$u8LiWx*
z*=GFlaa5{_m5K;iu<R5<UbKL%gggge(CbWzW_^}aZKaZ5TTA6$0jamgOTBvWDWpyX
z5LsIZ^^mZwjP8oCl{MV31TubrsfZTu*4s}ZV+w$6W%x+gRz{g3Y$fB3QIKK8$%wcj
z@epFBle+3z3)reciwHEfDmA$RzAjQ;-S|fQ1<1CIH|hom?H(sojLbWQurdqSO4$7b
zwyoJr0NV=rQz3*bhSKIZ9PoF6q0mZ8KND@SGK$?#o<ekorxdW2=u`sRitY+vThX(g
zh3EkgZTVMtn!o~>l!$ASzT%;S1e|)TbtF!XwNfm6=XmZIoTpVy0S9efe}q3dgFVBB
zc<;~2L-3>pW?}GJ72`A^()gnC_ot}XGZwH_#a<<_ZN**yux-Wm-iwOeiE>!-;3#AA
z>{yRFNnv^b2rjL}rIWC&xIT)om2zVKWi$62f+IT5a?yYPg?`&R%cU*NxA_lG(5n89
zBKQw`wZM8jxGLt@r)q()dQ6z81>RDRiBNz=c(lqbr(eC;$P+foXiN`!KT{r>?yl)4
zxaT6EEpoa+b3>c-jsvawx0c+3-5xl%k8R}ul(r7;(XyP$pj3YUk)ILqqKs2~7vU?R
z$afyT5^cUzOAr;)G(aBiVO98D<OtM93FJI+G6{NF1b=Bwz#cIRNN}k|aGxT`utdn2
z<fR}$VIM_d>v~7ZxiSlJtGE*_Y(9p{gs-p|WVe=p@oh7|166pJMUW;5w7>=cEh&r}
z&3dFWfAAO||6VtC=>Bi_4;|rYsxP|<F?3UdO@1|{o{Ks5IiGjyWBWzB*ln}bj>3k`
zNd3y8_|pA{&(MwUW?oneZgRSQ=Gc`)v}`NUF0LZbHnx$o^pgIObeQ;&dgWfppy5O!
z80f}+y+Pch+t=zJpYWa&<<>RAO}iL;z!LH+asub{vDtiQjzmT=4TEj$+72@Svi~e4
ztrR$rq5E&L`8qT|j(kyOKQcqhhOy>-$P+71-MhUoJvnGr?Z@CnN%cUBx2qnSzsO;;
zfgxrt{2QZ>;9tTF^mO<#%(zd7e*iP=)8VVmJ3YQS?eusrX85P$UxBdxbokj=5jY*b
z=7Q7X7r?EYF8?z<Pmh1%!qejyUUYi=!&rf6SAKB*8|ZbQb5Gg77Y0XV>7j!3z{WbN
zu&%jRfmZ4Bsq_K#g`gk!-_oBQEJzL1E6vpMn_}gFepA1|&k26r|66`tgY%c1u0FuO
z{U7kP?cyt&I26nzUCp=k$|kD5`Ab1GO;tC)jissD=BKeVRmof(OH;MYw_|ClviVXh
zP1Q1=h^47YW>qXr)iJ%XG*!i%7)w(%%n`9Phl1&jrK$SnfLNNUVmhs~u}rE))P5Pu
zWYfl_WmCqbWz$8|dQ&H<Gff3F<S?WKT$<xIYAL@R{Eq5VJM>Y!Ys5&8@#%2gIBFcy
zjpL%<517H;omOb{(T%*+raUQy^KHvMwxvI|hxDn6K3NjBvS;M12j`{=KM3`vJXzX1
z$xP|Hg-;d}6kf@T;YWht0C`~DHdx@ep`b@dx0m<QgTqseTO8Wbq=f2xTdkc{$2#tv
zbO#k|fZ(V!J=j%-q*DCbWN)m(q&cwB`>8R!hkbZ*X8m$zZ2o6W%>Gi|Q3LZ~wNQK$
zq>Ba3tYdOho`am5@}MtKalu(wPQEE~qgf6j)I2z<yDUv$qb~_%u|?_^DU3K8Uyzih
zJSZ=`9?Nkj=_&uX@iV21C0ywW&XF}UzPWQOq;ykKT9-FMU(trXj$F;nyW{<lERTOr
zYOtXD4F##?4m4ykTGY6udv5iBgh)fCvMd$IZ8I=C5|@E7qOR|QdEJ9ZH@_c~kJcO<
z8q@-{K)J#EXM|H7?agOK`d9Zi+6%LHde76A{zf<Ui3cPrpIpLWeeaYasbBJ;QMNz3
zoDHxTD>r)Z1~E&Z1M(w1921WGda$D&ydzmR3Q~1rR9Yj~6S;~g`4ooAlL|w3Crfr|
zg`o*4qTg*?(Ky6K8sU)7`&^j#o+BT30h}y4<C)dOl*YbBtU$_boIoD2L?Mz3QID7K
z42?@O_99@6tw)&;16~rRPto#qLh+ItYjl5;qmC_W&bZtT%C>kpzK)?G(E?2l-S|YR
za3SNTJ*eS!am!V9I2AqcgLeS^i?+0T($yn6*s8lH>i&8=LZ(z-Gm4}pV|&?v{?)10
zxP<*DeLU^H=8b5@Sd+@uGd_^TIDuk(hAyROm;bmnb6~!)$I=Vk*p1m8TjgeIT_`VA
z4{Xu3{7rf&ACEuaQMhEjW7@2ZF8_C0e&7e+nUTV9^$y*ii+SS?-S{4S^rj>y6;8+M
zt26>0<69xiAK2pkjVm;y1-14!*e&^}N22R$)CF~y70+JhYi`9IB~C8Sa2;He<eLTA
z-YOUiCz3Q6T2(npJxE*T?suYOkm0`agn1VLQlFBXI&=-IjCycH(qY{g(c!Qj8kwy7
zcO2IHe&*@B$8G<?|J`A5*B-hOned!hZ#4MplRd!!DcM3d26UOR&pZpLV3HH81_j;y
zj#0=l^Emp0wT`v7()Z9@boFOaFQnq%k&ad0AT&M*!LY-+F+2^GQ}zwL_@DB>a>aj}
zAJMt-z8<<Q)q@}z8YlI}Ja{d1Q^vz>@d#zVR7hpNGuN9QoT-Z0^UU>7T2ulR+9CP_
z1vSx)U3Cuht?2)qTy}jDJ-HgjyB-=VtzN7?;O|L`<7YM_6*r#De_hZj-88={NuBo9
zgP1I!tLCD`Zab_8A302IG9KN}FaIv|WP{%KSH16tl?`0(YA_Rj)?e0^bty5bnbwvL
zOQ^0%z*A$Z@$27{hMKHRa@yCraYzq;66|6gIu}()Yph}a9pHT4@=@Ynufci*Sg58v
z9&fQ>_SS`}D|@d-58a<!r<U9Hii->EL~qwa??_PS{<Jzy0YyiJSjTm`Ixqy$yZ-mc
z)Gp1WZwa#S$SK&ROLpRu!IIaLL|~-@h%Bj3qD~^Tz-*Q|^p0O4b%lJ^Lf)y6iI9$*
zqZP8kLf&ZQRLIE+Il)5qvT~wq$T?df2V2M_B2kBVvJTo4_2_f+M+}0fz62j)tx&&?
zwJ4ZP+W+IUImYMM^;svoaF=)rSv<z3%!3}oT<!p{4ojiv++AYKQu%E(ir&k?XNzne
zZwJW?8wO;6pdhASvcGi16Rr4PEBTvJ1h~dTh-2^AY!C`eE4VVRx4jt={&Fohp#ob_
z#h6r%^i#`Q%e8lDL0N~<Z$#Mq{?u&Z#=Cg~NMhBgshgcA=a<eM*8I|#1+9z`=*BE~
zomT18*6Hh7>ASJ40{sw+zhDzG%mOTBMeKgm-(rA|N^hjE&D^N0nDW|%!AT5>#0xuN
z0R7~K-c42d&utr+eK&k?=<W<XRPLZJJ<O#sj1TOrA$ezE-|yxAj^400$?OMQ{CK21
zk8ywk|AoL6L5FT^hPgqsrxntX>=WzJ6nb`}w>w9ua?P>&1fP^8+UVWkHZbnyWE2{^
zwZ-cSjlH^b{>NCBAY4#<=J@u*+)B^hKcjPDDCyk7?E3PHu>Vug0oy#r#~9_tPvL4T
zY?znG?m#^w{yY(JBJ85^fp{OfrW;?%;7rzdmyEAi;@&JR)@2SQVO@r5F4b)1I&y53
z9HGnzmEy`17w`D@j1E4%jqSZrt2!)=!(xG?f43bA4oMun4Ldq`j1zij#5n`4{%o>=
zf*#bNXRq@8NbhS+DBR98U~HLN2y^g}59xfsvc4<$@N?Wo^#rS)+Yc6*@bPQx`k^0n
z<3ppVVOIxn7xo=o#%ivoeX$M0H~98*hd~H4jA(`q-*ESUS~Mn$MQ9OMa2|{9&K9#?
z;>O$<l;0J6M2VQEB;;p)ixQ*&V;d6s$81&z@&X$@Mw1r!8c_J}{6I@neh-p(AIRL&
zJR&#}bD2YhhKT{ME&f?g^w~rf<OO|cXa*;`f1k*Ldc#R!y){F&dc*e}Zcg-mn=0mh
zBjesq;K)`&DC^EX>UDbj$LzCSiEuCuX^W5EocO@EX<{Fgr}-VJ-%z0xSGKH^Ht$hn
z4vulAc>Jpop{;R1V?%?^V{f1t&t)Ak-)Pv@!4q_MOhuhgA!8GxxxhvSs#?{hw4=dp
zTN7I8#eV38cpYsET^+3yUG9mV+=(Z5p&sN;&R$fIPif*?>&elYm-%nN<Hw&~dBm1$
zv(387HKH)|D*J##@dM~~A%fFyxYuLsW?(3TV)JV(-pcks>3gyCm!K(>R;T4ctAE%^
ze4If8UADcC&2>i|=eZp1l6vHDk8y0J-GvI*Aq&Rb*`V@-o^V#7XTqI<$gCHOQCJUl
zfvN!$SLZ=Lf;r8$J~m@j_%cNi0)-2!@^Y9!&3=H8A)z;%94Aof@G%zZ&j3c}FTtF@
zfrJ0Befc5aJX-#T#_sSq#qB29XlHv8M>vzixj;kS{h-dQ$5;@(Bz8EAVNMBv;mIIC
zA-gDWs>)TPa^=fhV(-_`OoV#DoB<LLt_50b0@RiLhAi~V8;xdcMV<rnN-nbM4Lds&
z+MC4)=FIECod%ComYknjdfQOce74zBz?#DVuZgHhWPaxw;WB<v=9^R5(CchZaVhp@
zmX87Zh?SxfujGaehRc^OYfB<(ujWHk-9;c*J-Z2oHqS;i8Bd2+$liE~nRo=%dyVVh
z>QvvwF8{X)zRuE|sd>OwKAXpmGg~g=@9!zICwADHKUI7-pk(iHWH<TQeNa7{7y`D?
zw+4uz%l~AD@pvu};+hzIp#^sk-ji@rKTPO%#_MDgd|l?T0~eY--q<Ua<)UFjE7pNV
zH~c)zB~}v@e4Nk0w@8ldQsBzu)8pwRsU(Tv&mbt#PY`%40FR)Q0u;4O+y^pxn<g<-
zWuS3G1|pGRiOj&lB11C1geRH-?LsJbTJ@mH(B!949dDC}G=*R;kY(Y^eDp+{@f(~!
z8E|xe74neJeAXeFhQG?(h!KrNn^}{wa*~W$^K7U^I+RU(w1q?O76h=Ep~=3cb^k4)
zq4Lqxjh;WsXPwWz@Er6H#6AcD0IiAPs&ZfKU+DwT#ru|%mk5A1jv_8ziL7_cFXM&^
zKDzNMgM5b62<rR(TG=og7#YsLj`{V;@y_IUe+hh9n{?}V2=R?kkQQwZ&d-ekM_l?`
z#yx7yVN?dbx$cmKZ%h+L<u*p=^95*wQ9~Pp^RrO8So~ouV}r!fF?zJ$sPSt3Lj_WD
z-Rj>aXP8O8%XnJx{3h9)Y)Cyg6ov(jF?>8Gh@)Y(IXNt;Q53SB6i8a%SbGLLfln9i
zWvKo)yFx+Y;)&s59G(YTEVwnzj!fgu!+sco`*i6YF<loWU(hj1<KXQHlRfwt48Y}(
zstiB{ZO&Pnd9(lpa~K;q$y4%_sgZ{;u_*W)Y6s=GkdYvCe>POP4(ebt)`&zY!l%g*
z&+75m5BfLQ?aQMOc3D)|5(<0yOO!A|6z{LNp5ZZ$yGEcs$q?RDaF~t5fS_sqLbfD6
z)FkLr-(Nk(!ODgufGTy;Ll2^nJ9;pQ7dr<soXJnd&g0+|W7P)X-(mM}v%9KCrnsu}
zyAj;YzfHsQ8GJs&Smoc52&`tTsuxN1yAyypQ-M-RK+3aR2M6Dlpj9!X@q~V#J0w(`
z;c3d3ahIzp-@&rs+sW_u7<nPVFPm#^em`{5Rs<ADqAyBjnEoHS>z{~AU_DVxxAU0)
z_#WTaV46WQ+7Tq!0!zoUMUg*H{CI-|c8>$*imw2Skhnde2eUk(v7<eqX+wvEUgkSz
zVhacWABeWl#fK`PBT*=xC%-y48GdYfuMKFop@?w7Uv?^Dy)KA;lEviDaJnXYr*9|P
zVcv8wl}@QTK>l)J2>dgw_Hf90i+l<)@-fC#ov%T<ojQX=oXes#h=FLY4B1{y`2+aP
z4r|KKvOs7Q2&~TU2UxBJbMxCwL=DvXht${b;K6j=n2-t-QCs@-tR(Qqxv#^$ZQ}aR
zq387x{Wew^4Gp^!{o6ZfOP@HK=YBsq0!=ZxS6Rz*vwdF$yF1^@14nQe0uC!~!gF{c
z{scC1QmEyBf-qqx8Yx)lOaf6lh=2%JkYv4uZzSG}c}g%RS>Xc*!_Sbb%Kswq4{#N8
zces`r88m%!2%Hq&54;;uYAV1@1cUBV(B%i}Es7#ZQRwUrikB^l{gNV5hMOeC2qyy;
zzeSN!Kpq<{9z7++7-tVq6j>DMl7fqctmn~BQBF)SK#*$@xIqvt#TJEk0`IW!<AHyV
z!B2!p4~=oAi#I{pe6}^O;bg?$nB+e`+k06s5jJlx7;HVrkSMc0`~Wyu6yiQ)1DWqj
zOx)SMv@$V!DbJ@GN8~iOe&q1wxe)7GDSNMS4?S!l4l-mQ8y3pbP7!8f!Xh=0=Tny;
zuUzSLJEaQB^QjLBFwu=hPCrxiklUFnC!)Hs#tea;@$v}-PPSuORVvIQ)+GtrPtZ1;
zet={P)I!h+t?K3|)qaAu;S}ZKDAhKCDgfFO1y#t509^xR#iA+pr<?M*93{`cV!$S`
zAwAi9y!jkjTdo6@v4({>3_5-&ct1*^1#ZQ-X%J~{Xfg8nw{@z-tQEFEF)&6{IeaT%
z!ABi{1*er$?jpql3%>J{mX<@Db3(Efc%lOu1-<G(`$=<%v%ju)RiP@7kyFs-dl(l6
zyLE2O?GkWv8zY=OL=9NFgLp#MfBQ>sTR0b}%zC%6Q3N(3r1m%2T?d;w!TkiUSq;1l
zs6`i`;`$$If<{S0yUG^Z<~GbvwgnQg8G@2wwmCS|Jzc9hjv|qlR&_Tj40&GggP`z@
zQlvNsOq(A;c{A6ep*|7*hED!%bN#>eXsW8B_ONEY@61OSty%M>oJ`4L_wv6$SsQkw
zgb%~fVZglqF=F{*5Ju=aOF98#`hm9e)9@xm_9Dq{jOVxg=iWBgp*4K>t#$!;qL(D^
zuw#(48tWhg{Qtm=9pd=^4f#MDehzuipHNp&xk<HE2J00lJ8fAd=w$24cII+`b=oxz
zw6YBY??%hxN9$opyD^E)m{Si9S|A-**@yuhs))ALstP$cg553!>o|qEla0Cs%K_r=
zVBK7#^uXSlh<YGGz@up2|HLXBu@pee-@pQ`M(?lg<U0qwzZQ7a`zb)l`3NTay8q~0
zt%{@26&(1S%h-y&^IiFYZ@s;l(fcqMhb+ccH}^;G=9gvuV9q_jVP{~olq${!3fm;y
zp#js|Q7>0;z&z|d1rGXthlWT{(q58?6iQS29$4>t3}{uD0JkkDTnlI*L|J^lMe}rm
zq&kckYdjUO=8v-|0}&55Dn6!;tlV$P`SM3t!Bt_e(#-omV&vp@CS#bx0>R(lS<hbM
zJx?tWH2;P@07nx%7kho5HHTp)Y4;)%Nu0q(2?F4mZ<ux1>bAKW%w#pN--X7w{M$9R
zQHbGaXA1;#eg{%)!`SQS_B@*Vi}2?lgG&AQp~PRW@Ch;ePYVCB!e5~9NiqBxy3GHk
z!XMc$`6tKlmn-~Z3cp$5Q)BqS3V)Bn*D1UshQCYUZ&&y~D|~JY|DeKWD*Sy4UlGIq
zS>exA_}>waVTfh67|BvaviAeo1lN(I@;jR&o@ApU`4>ps2n>3-{J$b}901FKr$lc)
z{@S%FH_~Y21N*4(?}uwJw9&LrA(NTO`FpV2W}w<CO9_f*J|Pc5cdH}5XH=Q?LaZ1}
z{Et{B!&vz<@N%pahDx0dvE|>GxmiXU<1jy1%=a|70bBtdC>xBdza`D<$=6;yR=%IZ
zohKCO3&W%s6zY*hB4e{yc(*KjHU#LQhb4&|KSQX`pFj>7`Ibr3;emgNnhu{~eu0Go
z6z=%m$Ux2my_pRI1?a9Q^h!csm$cnJ2DFYZ`Y2^BLsN;dY^Y>e(Qa=N?~LMg;&X@>
zSmv_^RT<h0wT}4<f6F<TJ^!rDFUJ@$T3VdP>u(tphu3TKioC^>rq8%nH#+LI4t@I6
z;vvP;bYpOGtq-zFjKP>tZi?=|*Oda;)N%Oa;?ff1j-=+Dk#$>urkAZ9oMda>Ani@<
z@S>T;4tJ4vIo>F@H4RQKatxUc870Q8DQgFxVQc=I@)xzkXHCHi_>Me~lol63a>uZ*
z%w}7gcLs!)r!-eubnYoLiYIs-!`BW@Lwtg=x`*UB(nrmh!m{eM-eSjX(@O8{i&Uz~
zJz&dk)#lGGn?A$q@T?q;lFN)!72u8%<3ZGIaI$$J$gO&yJzT@wjzPD%T(!g8D8}F}
z%v9ng-OthsRe+Bz)^5@AIELR_?k%3`P~{n3?8T)6lgedz>Y{!I`9=(L-0Hg3?OI;m
zm;5hKg>nqLP1XjIZpF01s*-EMgkr^FmXuAoR(`aXW7sHWHt%dzu6X=y5`RMs-_$X0
z`ix@slX(fCHE2ewUBM46D(N`~kM`@J+lHgfL4N?s3;GeG3LUo=O`GVdD?&T46zF8t
zM0cdfchFS-lP<4l#zfiVjzL8e?nbxD=6*xE=_)p(&9!0@xpZ_F-{nKqf1hMN0&Glw
zW9_W?44zV2jD}VXB%6E0bg0$f)LJSgv^C8fLI#ofPuu)DN;IozhRR>;$eUa|;ck{H
z)jXHkP`}7{Xd0Y0W%@L>2Zlwfu631_l}?$!N+a7=HRANz;l;%h9d1M}=#cjTRQd-e
z|0kFWM5-`*bMdm6`48fv=R=2ce;SJ$t1Ft%P=3AvuJzX}?-03jsDH8zr-bxAkFUcr
zgr2>@w^a{$ovFr0I$T(?xCp#pU7y|!3k4VYqH>{G>j(v&=M%`x_ZC)8D&)?#+OIk`
zayVC+>%lZ!D@`)CRpcVb(=`+n%yENdq49&*(}d|z;3dRAuG-%tlEcj9EG#~|YF~q_
z+Bfm1P|L3m4q={D<UwR0ZR93!Wy~#J2Lu1n1Yey80vCXJ<`zZ0!;Dee@+|5(k~-1%
z6&ynY2&4m7_HYAadH7x$c!+#du{nitmJH>;_Vx~*jd0*cl;V%bhAGu<kP|5`2TM=(
z*S>FD74JG<LS`1V7(}&=AgQaxpYQ<^Ywiu`qoe2}uE>{SS!}sg<1@M39<4AYit9Xh
zQBHPAFy{iW3Oi5%WDX-Umwl}52G>}#2ZmDo`j1*~3ay-t@CZBgVH?acS{^GQJ4EhQ
z<i@HK8k_TOtZPl%F8QTn4jA!YSU=K3%Vy)?wcN_X8K=rUTp{Ad?O%UD*_#3rQFK7C
zIuqcFwS3I1M}k$d;NxSDxv@ug>`{+B7RDZj#vVt+9!JL>$HX4FK1yjk;p57BqQh)7
zy;k)ZKov(2N&g!UC=;b)f@ouu=gJOLfXLewa2AkoZK>ONmMbgpM<C`9!7?hu2&aZQ
zMqobqzPM@zkt}K?7gx2OtOoMXhQJ2NlXZ$<&je2c$eGN>YDExd05LCuU?n4n6d<aA
zkgQnc2%;Mhfe3;PKm_WeAKKsw1USZI7WRsTDU_Ji5ez$t7>2q-k;@YZP`6|*_8D=W
z(BC%zHYD_p6Dtjzy>oS{q^4pH2zzsCIyy2Qx_Gj`@)pQrF8f5vYPq5*Fc!NMW*_i<
z<O%XTRK53HJ+x#z&dzhgaS}|Q%LsTO3(+*SDH2ULVh@{Z=W80}&f{{jL4&bxSt@YU
z0{6muHZQW4lajRny@%OPx{zEf^GLJdJ=5P}ucNt;h66)rl{&wkThY=XS6li;?U^?Z
zvhnO<(q|QggKR`rK!7c`ss-rJz2|{2q3(PT)n1H0WB`&}TW-aP4l?h|4$Ol#R16~d
z<$knrFk<%f(Bdo<93jy@+B-1^>$Wg8cYFs^gJZo`==B>&@L<h%D{4(!z=q)_@LG&I
zm;$Y8n|wgHdjt<^qW1VI8r_@}aN;%~$M<sTfA}#l6C<%04eZ`;i5=mb9exc^7>p2d
zK~JA>1|S>+AAkVHYaR34qi|Icx5%yqE`qQ{30mMFZAb8$=RqrF4?+C;F!GD74Qjt}
z9uqq*l^pK}6<otHC9fxV${k5kEL0S~RTR21VMi?<HKce@QCz1eCM$|BK~ZS5h$0~I
zZ8TE;GbF!FktdV<OJh~T_LOk7%JZ_tbpgrJ71{QkvShW2!f#P5Bt=I>u~JcNQWQm&
zT=SARxj3p~6JG#=#;YN@CHJt(bEU;~5y_S)vMGvdI(#*HpsPi}34nM+Q4}Z&T~Y8J
z1=jbTh+HvAkvZbzO_sFuPqk$94)U;_-)169k^i_u)^~y8`nW~$1S!r{6dx&yT19aW
zC`@RcweHo3S@7510bKKHa-zN%!|)MX;p39UQUb94i~NiOHYo-fV1PWne|svAbD4xk
zOXfX~2d1$uugx1t?-R@!#e5CByN9zdH$a;lTB%B(i=ncDK2VHQ0{UA5(()zUN1)^Q
zpb<xL=q6XhjdAxTHUT$L#5pSe-t8>lmn>tJV)3vgs)AISqFM(kP~4#k^9M@^jdUxA
z94~1d22quh2EC4kWMBuHlJ0A0N>IO9V2DvQ9wNns7CV~u|G<uJpbEqO7L;vZLLKc+
zEiDj?&jxVqrMOm*>zc4?37Y@Ya76?{Pr)+n+=d9`5^$^Qhd<$k;6lD={d@mwUUWy~
z^)z{L`J#>s!QuKCuPZHHbd0Ad7cCI|D0tlhUTCXrtku5vRITVZ|3hv%TIBAga@$Z0
z@uroV9{Y5;!%sNr-I4pFtqi4*7p+i^+}zE*<p9<fjDvi%VRw$-hrd_Fq8F-*3(?~J
zi<><(m;Ag^jW{ytKpBP7gNn1kzqt#}KVuUJ<H}iagU$OB>yJD*!i6SaG)=S+@2YY1
zm9*5n2pDvINQY1_;wfF@!qrlext!#|oCFdy?Cui2K<V)d0GqEMU~j9c+Wf`GnM0|o
z`GQR3G=77!A65f-60_cotZ-GY11`6(R8;&klt)~Lx|qAwDnXF=6zGM*e^2~*z)PtC
zz|G~7Fy}51N>7!9?vb8qFlk@!1CqXq<ffBI#*w6&Bpnq=kCRAdlcbm=JFzYy<6X6X
zES7A?T!MQazdPt>N$lP(O@3}i!%bp^<t<tY#=qz$@#&71mfVADQhgWUZ-Tdr+_n?_
zc^VFlF6Tyaf0^b`{DQ9BWX<=HUbhwLXRLH|zg|bb@pJNi{ZL?H`}M8QA7X#L)qXsW
zGsegBZTI(${gD%J9%Hp0O3LL)q2oAAm4rAw&BY3qb{fNwsyCK;aNsYQ$NkS$&q+8o
z+7*wU;GATHALG}fw!A=Nt+?b&#_)#eHg<%U(5PV;+>U?+Cp@cg&XgBtuoW4kyoRLf
zhOudypPne(U{U**gIS>7W31Jx4grC82t0|tREWZ1FA=~#DRlPMub{KWc1l@|d>Dp%
zkd1Lx<<XX#uz>Wn%lK+$*Y|9>knt}6dN`Sbl~09qZrQOb#TS&7Equcw7~FjjMgEbZ
zve)=Vy8G_*EkeA>R*8)w9z}427uN4l7?xzy5LuGDz_b~oy4&BjK*PDPt2BHY3M#Gv
z)8@Bi{MXGO9`96H_#?!hLp<M)1mC{0k~_jST%Lj&b^%}0*TQN-uH0V>&8M<3W-JWN
z8Z&ZuVQ8h=T6@(&6-9qyuML%#J7d^E6L(;J5}U;6%QfO=JO}EHMy={ED1#e{i)Q9)
zGic_EAd4346>byUDChgK{dm%kt*M%CK`mM+hiP9fr~3-Wd=DaDWiv6}V$~zF!a6v(
zjIZT!L3nt@VkB4;W(#iy+UwrUC%0Dz_7E1%!6~youJLgm9P*6K6m}-}D!AIfM0X@S
zp_$kb<Sh&i8+!T2cjTO)r>m(GTE*t^ug&oIo01A|c)*$LeZl07G$l1aQYD(VN7mQ;
zbCYe}8xepX#i^Md>ZS+3I-Q>@7v%GB>T3m0Okx78hiU}ugDAmvmEmWnVDvlg{5f`B
zB{tfQ!_@E<6`Z{lYcFJf%yGJm)uK*4r(<j_#v>YJ@|S3kPAHX9p#IP=^xIF%=v4v~
z;t4&;0!XXKA@wQ}GVcF|#R}$J1_ohi=jPy)8A9=M0Z`L`F-y^C!JG~NP<O9Yy8DWP
z?%RaGW_LJUDjsf;c~pTn5xhC9OEAtil!}=Wam`8~6x$92gzn!j_CT@maM%T-uuVPx
z!diZ+o{!O*tiv<6V)|gVhV`Gu4BdY`$ybl2vyLCjQ<>3m_FIa_u}--YJq!gFhtRWF
zKT4^)0I9%w?}b>(uR90N2=RVRsJ#qNbr<6gmrPLEG%yI4B8}1XF0!)z0C9tBvKnKr
zDCoW~2*r_P1+7ugFC}ybJnkaE#eIMxsQf!e+;Rtc3Eo&XekGo9y39Ke{9i_%a2-U7
zqdnkh&c^VK*2f@D`m(LWjinw&*V~YH3h~b~?@HpoXp8p{FCE=qiSOAK-<SAm=ATRa
z)2;AWlrauS?GDbusK=XlIIz}3Tq3L5Ro=NHwT@$I$=k{rq`{cUD-?W1ba`4}K59z0
z=eq}g?Y^!Ypi#Scf3hgRyp-|(u3(L{`WwAp<NTi7e?*CJRFSJkTe+hsN`FOb`i~{~
z%;x2^H)Mq&Q2aTDK<tF%IyAibBZ`ClxvgRmA`J@m&Tp<!e)sz$5D3hT3WJI71hjbb
zMy!`&7VW`nF2S6QV7Yu37}foZKjDm_QXk%UD{|LBZ#;oM>W?>cKrQh(*&lBL<~05|
zEB-tL{BLfXbnEvE<axPNEC*CcX~r_jjoA-l*{7}2I_TB=dsvbil@WJ-j_2tdZO+3b
zi+3@hjz14aZZHxs3X$`088{D@t|CQw9*z|JSRm<jV)_}0AF%wupn)D}VkezZ)Nz;b
zg$LF*8O~?23r2A}-s>eGg|^^RB;aI{VdXeqWn3@|RvB7?@Bya)@azs&uxL0?qgCCB
zG+rUOAwO68FwH-J#9-#YOQ?vyY&Z+z2`1sS><66Vmm?%WH{nnW-cZs*h0gK1@qVzQ
z(Mel2IH|-aNW$^4j@1PngIDYRRY{?FEhkQ#IP`h1{g+hW<28-7E3X2BhP|nOtEj+i
z*1c8_%}9Xl_}o~VYg?=PHz(?S->-n|{w2o1GqtKksw`*XH32UU;utATk-vmyB?Yg-
zz2B}BovY$0&i3S}NC?8368hgYW!l<7Nj5Q!Y#9`-CUezHuFz5&3m`o<m)X;Bl%_kJ
zc$OIVCdfkpU6#)W1!+P!r5j03@eUV$Lq4AE7t8U?lT6)_a2sp!)`&Q`26qqPB}5q2
zG+$cq9qM4<pcdGRcEJgQ3N7$0n;7dq8xeqEfyfc=J64XLQk1ZHKukXvQH@70;&gk|
z*=M0xp6oSR;87sleUEBYnRrm~fy?*?TlX_lTwz--WUb_1Mhr1NKdFeJ4+Irv?}y%L
zfiF;)V1SAWBNNiGoJEm(aG=wT!>-2Xq6Aem?|})ZL7BfqnRy<gVvH<t-C{IF<!Y*E
zTwoCye=h$nhZZ;sS&?(=$C27DQh6U_-XL^b4B!)cW{p-g8^Q|-Wx-`>(ej1H5iuP^
zp6n*A>J!;|-5v$MHjyE`?D=fM%Odedu-lZAsl)+r%KQO`cxac!-)WckiShr4)&v22
ztTJW+5D|W%2b7-nl6v|qvQm}I;h4p#_^#Wp8&E2^<oI|r0C~-ipb4H~6JTRp1*5VE
zVm8>D_oIn|Ps%>ns0E%zcD}{1Ppl|LH?sOIB9-Oi07n~f{ZDqzDn<4-$T-mZfsNFa
zBUZ!h6P+WimMVLp+iy=%zVBFs{qSt?71_k6Ma!Q`#r#1ulHx;2G0<sz31!4POJWF?
zo6X^hul?kFBE(z^kSnSWap${nYWXHTbhj=J$ySW>mYgp=1Yppwl+q`s-CXZ2485p^
zV|hBe?n-*bP&vloE|H1nJLN_S--(9bTh4K9z6NmIcrt!M)ToCgY9)qg8+*+75;j@B
z<%L}{EAVHyB<FOYF`aaTW65F!CTMs_K_KbDqtVE>?|kQ5F?LLMBJ0w4!xDw@U`S<d
z9D*ZztOU2@79@d>aln)4b!LfuZ!qZgI#IPlVwhaI#i>3fMk2wt(+<(PERYMM`@~Qb
zzxjMC4nnpJ_Q^is0l06ocVxsMY&E{du7|V)aw6xUU4@;;yGKe%#Cecgn0?rH7Z>*|
zGk}ZzMu4LUnX~{CQGn(@!=FPACJ6h)&*=GD2Gv)vZNN^=63|K=JfXLfbc|uK@^73m
zSg&1fXWRt)(e29*P8zkM7$wN8H{X+*k{fqkf&JkzTG%0S6=dXasn;v>p_QJ{I2;Rp
zH62aKSpZl+2-cp^;w7+Tp30^TD4pmE&dnF0k*bg)VPmR?^AGG*7G}eA{)NC`-eH70
zc(*ngodNScQv)z`e-b_IAMhNg=S7<c4sv=x0`~60w{ld}i}zmRkjd!?s4MgoyEwc-
znYI@dX3xK+u|%-DA8-)@6z^5bI2W%VAkOs;VT_v&CJi7BKLftvJl;4m45NziR;wVM
z_V<5C=O^7hXr6gF>Eh$vdx`%8@gEW2r4=6WDqgr@cp-Y>-6;8*%RW(pIFGNzcr!D%
zD19=%!E}bhuo<XGAL5lTqv~0<E}9WDjibrFFOV(4_gnmJ8@J9$7PoO?ds5t*xkVgA
z!CK1!Ke7KHw~mv2%^W_F_!mXs{g=(pD*C4RGTcI^VPv^ckO1C%{?*$hIFE3g<?pYD
z?oHO4kN~o&@)*DI!RhJ9>l#VGS>Y!2v7>rry8tomJW}h%{9pK`$mRRm(Ht-1eF`N<
ztKv=s<Fv@_Afn-wmX^>^Y^*g@9wDPysTBjyzRG*HvC54bF4iWUeU+>7*W*Nt!|h?X
zg*88+VOz4XidTu1bl%{d=r%rd)%Brl`!~%_RbMRQL0{`}I&ZBV&$%tk(x5F}RnmE#
z_v(_I3Y$yITjj#WKbW6D-s+CNe+^oj)D>?jMOsQlo@)P1qMCmIb2T2MiQ9x0sjAnF
zC*(<D-FVoU1xO(-Zq1e74?8)Wy}4T7D(6r<X?-7-5rWqD31^v1KjW;B-!D09<o6rS
zh4TAt=Mwq-uCpHB!KZEbi>pb_gq@_&*giLw$r$<_MK~&>PZ*!%CXB~aHixkfk0}{=
zM3|ac&k$4(RXO*AgPLBfE$B!p#;jPesB$`hVIob8c^N8*nT(U)p$8Jt4~bXdr2w&$
zfM_YA?SZ+CQZaCV{?NeTYd%-d_@S;88V#BCbuCOqREi0uQiVp7nGDvE_KoNZ*XFq3
z-xT*QxQrJfA_~S!iZ(A7`5Pu%sv3zujFZ+YTg`vCeA#Bba(w)JNljJfrimA^D4xR$
z0=&)~{s@M*XHFu&I^}Re<GUC(G3`#hLlR6H{ca?QW<fF+<B7*huuiy-<hAd>-1u9P
z<c99?@kQLwwe&acK9u9iN<;Xi5bh3D;I`iu{LY-6i!C$Haq+L##^9k>-Soa94`!?|
zv}7|{39qNpC)&Zp6I%HcAY6xAh0SdwH_7B`u@gyngwiHB8!RbV!Pt8!C#FmX(L)T`
zQ|ef72u{-GeazLSV9pK55dIgSu<l!5f{x(*2Y@`GQ3J!f6nGuL7>lDG04{~(iNBZR
zODy;tz<*f__{9poz=A&r_*aDApx_mX{d#~rp{FZQNI4Y?j{;hpjWvDHzoC%TQDhmB
z2XXxX>RJP+*o^5L2>l?$CYqsGUjo)3keiKPDuTNd!K;cOiDjxh#%)3vdTm}(5?T>y
zxlQ;9J!&u~139ouh!@qv`^U=~e)ytf`zhqY@g|@H#GQ(JlH$HoaeoDL*qPl7Ce3T$
z8jUX-%q0I#4cj9wyji^cCjX9`!f8+wH1d6*MR$5af92&DLqf}-4>kc$%p&|9xlt?o
zI7xb&68{yeou~*NRs<I-g8m>tu2}%0MYn-YdfIRf(4qmwg+}}i$hxzEQh~%BM17BZ
z&E4d9^fx+rU(g?DH2#X=5BJrKP~e346B6Kkp%VB9CGfo$AP|&3g*>rZ7Pnd<7ZMrF
zF#*&=!xL0dUI7l?(<!b-arhR}Qz+9~kkld0u*$TOWg3PuVGgNP?WS`M<+mWBNo5uA
z0yj4r7>^>7?3fEhZ@wjBZwBJL0F5`~-UFsmCgZ%J=s>Yjj)`kV10k0gv3!fQ!ZmjB
z)blMZL$VKPRS!bekkBN#{q}rED%srq99%v;gXKlYiSGDF)vq48K=6y0rLZ=IwVLJy
zU>TPGP9b+T%B(-AtN|cPSi8XMs5MqpR|Bn<KD#KchsAcr8Nr;_fZ+ymu2Pp<fTqVB
zhyxNDYyv2%K@qL!b>mUd&!HUh2ArF*%SLl#_D01(Iu@i*LaOvS5JLTqF2oEa9TA4I
zSD?v`XE%lHxK(O4TJh^O=L5gefnw)t%f1tLB0r-aE$}=*G8(!cf0KM8U6tS3a<Qi0
zPgc}8PZqY@mR0C#@UyzQKlx8Woy<d#_;@)f(9sq}A5!FlqIsFx@Ax0$(KZ&oC-IjM
z|A@lhOFSCg!k<fg2TCYbCHO7zFd!Db3-RBv6>d_^nGJk+jT*>b{}u2qGz-yqAsX=L
z{<&#b+Sh~Sn5f@?-Hr?}!M$jD@cuM4`3!ay?}CB<y98e+Yx#>`7%+E^HFsd8vZRJr
zvt@xs&TI41yqlUA$AVebC*mLHr?JZToV<SM0OmC7hyTGpE+b?3G8GT$xR^{2j_Sc<
zpvE1^2>ItTsz(weZag%xW$`tbeF*)GqAh>Ni^vX0FUt$Ff-A{gd~eO%trwQ`rhJ*(
zdplm~CVR|k*GVaB`3jfBVd&^acPxPI5DVmHz*{>xtU1NowVY9r*iNuNdbw7l{N3)Y
zNB=rOp$uGg5&NG_9HEVm4;aB7uR}O)QJbLV8ZV4eCisYdKZlIiSrHRhKFogr)I*_(
zC=15q5>R6dEqfM3!EQDRjw#kr3VvASPnR1%;?^WGx#o+Nk-^?m=FC|OfF631HI#J=
zce)FCQ_*yK@IBdrFL8+gw)g^+VS%I`*<F!3Ncx>*ob#aK^9%XNF_sPF3Y6R?8c7j)
zuL}}l8Cx=#GZfUQ#4ymH5<fk|O61(2SlB?PSWF}T0CMAa;W?@i&I3(&zRI>jX6u#&
zP~4))i_BDm%4tjA8H`LT-&NE@{;V7gT>vLgF7K7v(zko&gCw(F5{b(}a<H+J?`vre
zNhdC&3=sQpvDNBi3C93B6VRH<xv4KA^UP8B#R|?uA{PfT61zz}Cku!BUhj9-y#z9;
z5h9(?P&r?`6@{>T?Tk-g<b2%>qiQ{)8nOyCG2a0TIUYjp>sk(d(`!FQM+Hc1p*!FY
z@k;<n*YgJfdaYBVCN`w?V5ipcX|R*7t&6SC1C3E1qYrihHtu~$ZCUI5NS8F!Cu_^<
zm89J2>q;8-Cg)bqvICH7Gxh`0Ad;&K?8g3vy=e_16}ZIef&@j6yLmx?cXdgjF6vDM
zQaz<r7vTP0Uf%1d#*{-orB@epkWYKF0M7ukPFM;Dvnp2KM!~88*G1*eN|fvqVg<Mk
z!s6u5>ZA$)lS5%BfD$24081<iU=;-gP{oTBz+$H4%R|D)hRf@o@g4})uNWlKiuC>;
zPUL;K3wf*jsSZ6@>dX*h0F|~E``41ve>~N9J1)toqm7aJLMMKJWVqXp7OPv@yHJSp
zBIuQesp~IMu?Ik3EbbyP%Gi5DCRW08cC3JxCR3gaNS`3b+=C>77M3i)cjampK+XN*
z)-$^O4H@IaZKJqrDDDGj3Rcx0;qtX>lsoibi@JLe2QWqs$HFrrmtXK|Pb$R2qPfES
zkr`v}%2XwL)l*n<+S1(HvfJ8HZ%>ZF^MI9u?gij6=u*8Ghul4FuI$xww*Y;;IwWKl
zehcl}E@J^KYE+^UH5ToI-7!IUpr<WVux;Qt%+ODW39O<T^r^lt<rwy_!PI_Ds?dRQ
zXCK!B<61})f5wQDb~n~aqU{me|Nc~(ZsTA06%IMCG6p!sjVM%L3+GGTNm$&*i%|KQ
z2mMDcp4r(QD&Mxkfd)X(h4=li4#`RItxrR;{V3YeZ5$2{V%>~=C^=4W<CQ2F#jio&
z%HHbR25MPmzE&wF0h%8;=r(@#{T1bn-(|+@t|{{HSGXq|(%1(k3qanyK(%wY1-92*
z`eZcTs@$^xrP7TPmdfrB_p%c8wSaQN8SgJcGe{%HljWO6;@a>ybIUbq(F@JUWgh&T
zR;<0E@k2qGWO&m2diH;uU$;6Bg#E|U-fyN>j;$MQLUYI90!#m%EO7~6`NFN3!#slr
zBc2Z4=@54T6!OWH*d#HMcr2nOhcREy7lW;2O1NaI*CDR6lBr>iACYb)yDM|v*-D<P
zE&Ev<JE9oj9q7HH1&PoA+-~szUf0tW9}s(E0Ef2hp!m?D?yVTFw35#7#3FBzsJD{o
zVD&bidB54Nx_&G}6&5nl)LCk!J7&LQ?XBXYHunR|``SE_8-Fk=gVP*bxM|qcRb)ab
z^w7W`R6pfmn|Y1im#9Q>E>Ir-15UnBl*l`4;f}4le4Fypn8ADP5ZtkeO_^1-P%tbD
zZj|@0S;zI_$`>78=9_SETwldiE><lVZ~7lBvuRa5;Vco~Cgbre`FInalJO+>2R5i)
zhLypE9q8Y5od3aV-oZN@k?MvXoCrvY7U27k;<8_3?<nG`iZl)qPiU}?9elZDg%z>!
z=3StK{S3`<i}OHV;xamUjIBcwasO^;&R~(KV6^>PJpg)w=Z5(XC$8W?Akma6{)y#B
zPvTfxupEnH_apr(t;$3cVjhp=+!E^dlHTxLk|%Lm85jb87(e8|*HN?pm#=OP_4tkr
z>A{tsZev@+wl1Jb84`RjwXp9_-13wNpFRj@c|D2POf*~w;;~J8D|m4KE)^yxS>z&x
zH+8WPpW+-88gXN?o11tp`xkEeVXG>Ji*HT#z=E>c6AaC{QS?Q&*0s$Q=O|b~g4qo=
z5&eQIK*o!$hp2@6uz>R!p8Dd>0$iRuHcd1k73#i*#b5ro)AOf~cN-fHZEx6}fIdiz
zywtAzBl<gCYKZD`c``=M`-9!=OIyV`qhP<p2aiiNPmicblwRJG4$Exm%gUI(ydBk-
z*DQUZw#ao>TCw2Zh?1bq#smw}pgV5oXszmcP@`>dR**ZNA$7!G$6j<UAw%&SS?GZZ
zxeJ91IxHPqcR7DKFF3cmal{zt1YmUERsNPUv_T(be~hi{(b{~*)X=vvyp-=pJmWW-
z;;*`;L9t=8xPq%|51f^t<DNK#j_6X|UQgvr*HNfkJ@E!TI1a^{jyEWAUz=N7b`}0j
zf;M8+7560Q!5&UMaderuo9n9BB$^J42xFCryOMbj3<nFKzp;n$V{WzAd40W!a|G+{
z>-7l@DCq!<{5)~dL1+*Xkek7G*(R(9_!hqHQYI3BBaiEsbGCwa2PZnOFAPp}4h8W5
z|MyzoAHil|L^K2?iJKsvFBDD3^|;$K2rM!3PC#ghamz8hG~?UIipmN)G7q}7mEZ{J
z1MyVo%+OYjaSkX9b<bMaG8Zc>ovk<lo3ATJ3@CGHE7!oJHn_FLI~#WNaM@RXa%51b
zsy8iDzP9qahQnQRm`}T{DTj^g(hAo?$&+woVr_ya`;c#`eBB*eplG-3F;1ODNh>ir
zp<>g~3m8w{L8!#gU@ls`htr&Z<pIQAW8Q+2;#iwCUGq^%(;ov$`N+1a&D>y|92}Qs
zYz7<j?&!Xo?VE71->5X)S?z7Y5E(5^p}P4$7GH4pQy%0+8RsU8w=lVv+kALK$Y|s=
zRjLjjqygrG1LeZh7)rwjkqV!|-v0&(L_ScH6s@W^Q~?yyJMguBOjx*i7{HR#_u7-I
z#Qj#LzmXL&fQzS&DNbC^L=QOv>+y09o)O)+&{Pged4Xx%g}Y^l{fA~}Bpydx14Y!9
z{vsa2dKxB>*(iw%4eprfH8xXwLrI?@r%ms>0T(WF`ygqR9?VT1tSuXuj!@{3@W_n5
zchLIZyouKD0cth1evGaE+M|pk<&Y5<J;F}neTLon1pkOvsj-=5{a76Am<#(j?ra=$
z(dG|=Wi!vmAKrdoXOG{2z)cH$kDgwER<bp}R#KzZ>u(aPL*$H&=M{Wtg4t$ETi4^C
zGT!-L``<Uo`PBaRDWLw({ck1)bbJ2y$~e<0uUp0Si*&ToCri&-wHZysA41WpHsA?b
zkrFelxHxNKU_A^24%b}|ta$lH>4Cem*?2t_U2v)=l&@oMz$85I?Pe}0v7T8do(47C
zEXHd`PvSr)w4mTt%(~zjA+ae{`dzthdgEW|b1|$epL-()Np>lu&ijS^6B_Y%yb`bj
zK6fO1?tQr9`U`Obc<0!q+ZB?ghYWZ;r~s}QgWE+3;C69@xNo!Nc3pV4&yzR+5j)-z
zXPE!Rekudh3`I{C>ybikEL#nL+bzt5+r_wY**|pKalGf7A;@VArrS-S+r1D92NAmX
zCz-Ua<jtt0c`gWI@v|p1b-b7)N$GdT;>q&6W1!`?BKfgEDY~1lLu+OH)UJPh{vWOU
z>pwVnrap{9z$KsLUoqJ3Aw6x28f-Gg&uNc7;*at2U`y?2WU`;|pBSy(w!aq7oF#hJ
zTJr}P-(3Rzvf{f7<RkScHBRYZ{QP_Lm`0(F{iL&2cOF4~`tcUpcPYwk;75j9c+IVU
z6}EK;NPFVx`}xhG?guCxRtnd+I~^|kI78<8zPqu{r9IsM|Car+Hh&zI7tCqG?!j|@
z=6aX$!4TuH@;8OX`<_G?CHIxsk1eD%M3+mIb@Rq>J@kjv!r*;a|F}S{7VdLbk8oZg
zzIzt!3NL&Uy>J#1fqKvbgV#=+g|sz=P?=P%ia`^-O&VS6P56P+P`^%$hw`<hxD4z^
zm;cD<eC@VRafym&!YX%S_t3&g_;Jysz&3ml8PYouj~lo0HT`o`!n3a7*Tmd|Ywg}M
z-J#KV`@^kyHn|#(Cb;ci0-WGYb>T{whUSZ1_D0voM*+3313U>YS%;Fk_Wc*0lQs9I
z-1@!n)?@hN6S%+wljHe+pyK))vI?`|07{Gt+||PpyjiZ`<Wza27YdX6#>u`h<&RRq
z^tO(X`EZre5TnV3Znb~lGNz~YUB`1C1!-Df7?inr9owPp@8PuTA0Pi8wz%?F|D}H{
z`+wsfx17p9UW%y<73lwqf4mDzdjGHdV_%t3`p58VC;P`gR>%C~iFs%w=^uaL)BmA=
zd`WVKfBXv{{(te0kCF4K{o_oa{?Gm6nfu!JkGz#Kriya8fxGL<KWbHX0IhsuA<fHR
zM_{8hGi@r6lV>_eSQ4oEP8a|&Z?|-hjBIR}pL#-=U`VS44@%=e-FhClk{V1CrA@mf
zG;k?@9l~wwAA*HMOcH;_OdXyMlXSW*Ix>VhnD!OQ87$_G{-zX<QIIUohcFo~p#UkO
zD^f5;*l^jZgHrldOdk8fi<RPF8QiVQ{+S0>%WW5!5{rLfF-hk%_cwBu`|kyu<zmvQ
z%`bw1IQ8@n^Ryv2Uou|a_ld)6aAZ&5-NL?&m^{L{WBOH9?;Xh<#RTx+={6tGc23NC
znEPN0V*U_j=F3-4_De4Zl<brI7@4JmnPl~n^pO>8<%qws=8rREhspJZNzuL=i>F8@
zOMjH^hOLVEB%JJK6KYlOfno5r?u?56$wvUO#-ba?Icdb9t-?@0IXU+9U6WbwY4|P?
z?kfc=B&FzM-jsy)L1$$R$=>U|1J?x<V%-=m%$s&G1HtrTYhh@hOFV{_SFJVB?wwRs
z@B0@$%*8;9&!1BE=MhL}dtOX-IH?4VoZ0(c16SOH&humWsc@8-evC}>cFxZ4t_8~4
z={Dv6DB>cDD3>C<S4Cysr2rR6dDf{YxAUUT>nPFe2d>t<zV9n1yM+UO7<dDn5NTh;
zm#ybJjhy-a@9cR!7UDQk{#WyzE3BzatNG6N{|EN`PpW<X_w$|K%8b&U?|tcHdtUcY
z%%1nJL?cOi?&Q<|fj!4cNo@Z#Lv}!9wuo<>iGj6RgsutZVbbU8B?++he$5k7e1@8C
z#m|TE{?CipT*RKkzY%a^HM$E*YP}`7PmIOX9NQmwAwa9z4&IU<PaAM)O*|UWfv{Zj
zOqC0ih^-}+_!voTY2IiYxsYMhz(lPo03HMFGy7sfNZk?7f&=$Y0(09dAM~3eOq9zm
z_u^d%uXUbQlu3DDgJ1TZhzfGlUV(FQBw-#oNfdvCby31>plO~T8#j{gEm#|Ceg(iP
zwjBm_&iPh*44o+3;|PjozAY^i>_CLK_!-{E<Ykf^MKSvqnU4-&g*YF*f)DNcTU_Ij
zh?x9~TE0IfkB5C$fzUB}--jB1g`w#K<r*1YwWJpdj+1AM_w8iW=9J=vH>?|pZAfZM
zhg^b4cF1Mn3KSnt`Il--NAh;ohn~l7E_@Zb_%fC$G$&nrNCv^2Nkpv*FH#lmtgx4h
zB?{|N*mVlq{GiO+Ps~u*D->2J><0>)Ax0={H-$|umQA@>VF!pi6n5W2DK}kVA5+*Y
zk)^O7E3B@t<-pQe9Ni&{{I)_)R>(V4)?D$m!ak+2)e4)Xux_zcVP`AsB89y`V)J#p
zL&14Ns`wv8HB3>hQ&hjqk<~5~_bcoGg%t|>IkCZOE(TEU0*PV(&<nSt?T1EsVhDba
zdujeKE==Ye_-k+6H==ls5SJ;Q+W<s2B$vp>dPuSuIeIxYqv8mEpd^?gl>_<T0ckj0
z5&l*Y;-bl%=LjCEz=IU`F=G98*<ueV?qY)E?o`<E;&p|csIX-!Z%2ilC_)N5SYc}v
zmOm25rE4r?=kx;xhqsfcY<L6Z1EBE3SY@yoxI`2FS>6)L)3L5lN)PO}VUE_L`Ha|j
zA@MDt9xD+OVOjoxv?Or>Map2OjB$@U<mCE&caac-yY1Twu>wHn&ZtT3+D54`1lT$%
z2zjqb7N1E-&Lhw9bomjNeQnsG6to`;sJM#_if9Um(CkZ8<+{om<cyFxcZ4@6=z;sA
z*&s1lJgKtwS6TNfq75X1{g7FI3a4TmW3bf`nmD$MQn?TDJC*h4XQk8(Mf4<yXugnr
zGZ5jS3j83zIE023F|@We|DzLNh1Gz#B{SLw{I&~L(4)T-Ay22smn}tDmPnm%povx+
zVmhIr`v;1}TM>Azm4}l&*d<LYPZbYGa}2F>M01?0a+HcW$bqOT&*A&MJj$ixXCmxA
z96Gtb3<Zn3{K5RqeKd`*r?7#qVu}Ne@NSB}pZOu)!b5|IE3s?S+(0@cQja3>4`rW?
zdMqDcHh~5GT}k3vFvDwuWzD$$G_Q=;7vr}hxqt_XKh;6IFxSSby&%=?O=2>r;s5ws
zH5;ghd{Y4XwNSqwntNL3FzAfxt$gn6yB*p*Mnt&#R}b}r%<pilV4t4IS~Vq!`QPBj
z=t2Xq(2HYS+|pu8-6hMUh=N^ZA;Mfgllt-9y&V7aeZD7SoKnSDaFUx!zIiclcX27e
zuF!yvWUS7LC7pshdl1}vi22}d4nlc(o*+`pRAD1?wRCm~kTFzuvF7Wx0$v1<2t}m$
zvPJz(y10}A_(Dp}@VbTLAr%K_4vO)!kOjXNl7v$TX5Jdrzs9VL`12>&|8=xUr?*bG
zKA%m^H8wD`Y=mcnMR~f0^0GI`1qrQSGk;^}eEIuS);7A@@yE|eA%y39{>Jghi+>0t
z+_VW|(rgTy>^1TPvo9x@kNKJR{Cq^@-EqPx3#(XsKMTKc^u72ymZ1y#{$0xSuTG0w
z1+mU&V?N{gGlIM}_bYq`2~c=A)9BWyiXT`Lyve^Z3rdMVE%H8pI!~CC)v*2U&qA=p
z%j};2ljMQX+$tU`aOfRuD5F(Rj^@fH7EIW_k{ObX`q+N0iZ|wFh(7b>@<b;?9z4gu
zSiuXi#hxwD5-g}0tGrIU8E|OT@fP1V+S1@!AXRPs4V^#P24SlF3KruZiT_=OJWp{H
zWg%a+^N}n<V2`28_kd<_lpR`ooSN6>9G}mlhx`RHo2gee-h`)!JZ))~E@xp4_T1`w
z`MY4gJ?`paOswLqNnCmSC+xl*u8L!rw7t#+Y42Dh5^&@lHQvPZT}UT-N5a=+uFpJ(
zzqtE97jJ<q9nry7jen7g*?fC)tLLQTR{OeD4>`kKJ%=aj;|!S9|6sEmoq?YS$ECS%
zLk6#)7c)1*R%nY4%Qp<y;Ybo*hDP*&Co`D`lwjSO=gWDcjMs4~Ar9UnV`1=B9ivKI
zi~JaTm}d_}Qr8wY-Z{3=z722nP=Aht`YTXlKqQN<QPML>iZUv4t9&v3EExFn$Fs!e
zUq<+Uh5k4df8H-I`M(||<$nKZ_;VKl{D+eN%xI<u+Ts6cg#Rs3(%VnZf1Tn#n*7g=
zX6n%ne_od;%ip{yQq>=iovQqiUz^2gQ~!w$+WbUh#3?fTi0}cI@p+4LO?_$n{l7xq
z4<A}V{y1PE9+vE(;H$-B;P25E<JIUJ+{RlAV5a1+()npTaJqMx7q<jxOFxs>bi7V0
zL!b683l+i%V1%v<4Hor#KEBLH|LRmV+^iii3_|!zjQ`L|!V5!-Xa_`R6v3#+c5`!}
zq(;2X1_`a8exQ8jofvM^Z}GE&vtJ3%i@<r;E$G=FgkNF7Vb?OBYPC+|o`U^`<K?Pc
z5xZvn3T!N1QzytU2R%Mqo}Nq1MG1N315E6-{-YgcW#SF%K`qV$`_ZhjKHWM$2{~=v
z_k9v_V6H{z9>}X)O)in3CSu>`WQeOCLW>(~cyeX4D;VI54-oT_oSkwmu#&m0+39c~
zDSsM;JEo#f<@m#E>lvb{Lh@-|%JZ5?kFwIQSn2sz`l&Yfc}#cnJkhHBe`Y&<25Tqz
z`<s&xR``$N<+G>OG+$YxR*tl)i_y;bJwdfVvK?1;sL<<K<b#dF`|Yw@uqh`el=+6J
zv!M;B8oLj(F?~zTuRuci>mP^w*m1%&ls^)Dn*FMM|3-Z5<%oBPzXo`7Jj#Il2JzgC
zR{KN-@#heqtMF4=<7X3p04-}eBtFLjJYDQqAP~>)#)6bdE2iw5_5M;c`mEeji}*lH
z{1vi8E4HCm@IJQ4{|xkt*8swo(&RMj>L`fH4p4V-F+i5CBAq5Qq`AzQ${oAz+G642
zMSU%uj8bP0ZT{D&lB*I0Y3ZcR-++Xilej7YAS4WkBG=|~)z6K#-8-Ez9)H>p`-0nL
z0t&WPe2zzBADoEzH=b}}KLdrvtCQXvw513vp;_A!vHV%}Ir#8mF6?TtYaL<^$1#>0
z931O5^qefN;jbRgsm~9-q1<@Hx?_O%z(Y5%k*WnM_^eL(RPB-_+Yv^aNqbR<7#J~Y
zfIAf!7;MYPz`#xZB{jT6hyIB29Fi7MHMixtr^&l0Qu8sv1oFj$a!jrO97uU&=JCT2
zERG;hF#NN}<Cx(%v{dB1xyrShAd5M(u_6*z4RZjfqU$4&)q`SsxTNXAu}5aPRtm#!
zaDWs7LGk!x$f7z2rMN1Hlcf+BPUFZwB+i!KEut&Ft%`y?R#)?<sf=$~UvB18O2!e{
zHdP!uC<lT$G%l)Jh=?5MHxDTE8lrhcMd<M~G!=z)l!bVJb)F?P7uv8x4hLr31YPAk
z;bFxW_uu1M3d#2b(Z99$PE~w?etZEc#~TO!fqf0bUqQZCD86bYCV&6*C~msp<s``n
ztMwp4G|u<&OWR4-k-W(91W#lE&vy}w85GZZIVd0jx$wXIg=zQ?yf{+1n!K!tGh*NJ
z9CF5h>uaUA_!pW@H-x;a2`4J~8#V~<ZOCWUcbCvf5_)SWdnoj-liB1OH{vQdKN#3s
zp!9q}cu|rscahy&h#@%wNm21JYP+go_Zj{psorUkGFpc$qO~wb#_Nk!S7~dk_2yq6
zfjx4fddeQ{hpiR?6scW?Nnp4r)r;#P?$5A@MAZYR1ImhB{m8{Kh`REUBYT}sP{`#`
zA@vmEfDm&T`YG<bymj`>Kxf^JNOTYOeJ44@E5Cqyu-k29f;ZQ!k|z9tCwA9}O{K)<
zWC9Ca$U@U#1%y9wDLzC42Ib(F?f?I<_9kFbRoC7(#azu$AYy<JrMztdS7WGX3?vZf
z(8xJ@N=TH%T)pbm#2BwpV;Uu|1CWN;=eCuQXx^B~ORk!b;k}ZWD1){%$RLQcAd`qR
zVAH2)MiFhs{(k?pPgOOT`{sMT=gSl6Q)jO|t+n>rYufuDHN{slm=x2Vd80e()tbY?
zx9hU5S}#g08YS$W-yrPL?iLjfxRbt8&ul>8evd{0lCm3ZTWeiE2Z){d0t$$)3Zi!O
z9KFpw>H%0+##kvC?dqB-u*22;UqIpRh|gpWb^w7IpW^_&<^YDe7LMO;y^C3*8y&z1
z^+OXk-D!Pn0iw3rR=8XC3x<F)P5ha{#CvxUGmmb2L=&goX!1H6@qS(~;u?*3x@)c0
z^(W~PrCfh2fug$~y8+#9-D%Cm3$fVUkV1FQ^FVjA)!hztw;Rp{g^ShbFJ7~*zpJik
zb&l)yY<0`|H{Nou;GVi;s@C=`<YQqiq-M=Q5b56GR{o}*dvqzSQRSbhGIz*=JiDV^
z?OeB*7QIyEO3+{D8qf{`WCxAs%m2<v;Kok6-f|913DD0=Kz3Q{;;19{wf5js+yc4@
zAnLwctAW+sN$u!1SK(z^UD!&ugq!+sAL|K?K)1cd_p$!iRrwE9`3zOww?)nQ$9a;9
zxj#z9l@|5;H3TfyY16SAl4?g^OU1g#;pN0_=5_^K8f5e!u*Rg93Z~Cp>dct*4F?xp
zUu>+5UKn@}0geEWnLbl&OzLYiywF(le*kk+sj-LS#!|(`ehoa0)d{f1HFk5cG3mU~
zu2<uc{X#JFN{xLEIA||TB&sU_O%c%M5>WrR$6o{BaM8o{7znV#-8TG#-!xoAQwyzp
zN`*ryjFGSw0J@Tj6J1>ZDg%fu88p>R0yO#qK()62!oRJ67WsEN%f{ryM;z)JLYi+8
z`997<sIAuiMICKwR;R8rIyN#eMWwor@m$rV?lS&>sGm}`WY6Yz!}EpxV)XaatlbB<
zme=_Q&>~9uJ$1jP@&)Sl8OmcjmT5(r)&r{z&CDi9?96XPn8xio>pQysv~s_Fd4uYY
zI;~vRX|euFl@C6x{H{_t-#@598lMG@+`jQ!jW7!`^TUBE_!E%YKNsA`if{u2cY)yU
zku6p``g@euJ##y6*TP@<cRn<Km0zy%XH>4E2kr0^?}b&Xz(f7QZQtVCU-{nENBihI
zo1@QF)ywD*W?%9RDz{PD^yImH=I;VlOS5I8>FuKrJq+-T>Su!b*@t!`dt>w#y<e&K
zpVIrv)BCR-y+Gyb=p@qm$iE{T70<s=|L4~36_g)<2lKx|yD63bU4QYld`xzT&cpqX
zF{3WXNmaU<FB+h?xkcLOq6c2V$9UDaabDFYLG{IS)$ZE7sp9X2f<FC&*UZ;_FPIP2
zcDR~WHli<@+H7u9l&m24toFBntAh|V+AyQ<?{hH27sBs|>h00p@td&=5y1B52E8HE
z0V(!msK;?bcrK_yW^d=JwUwBAhKp-nTnQA8m*vr;1}{bbK=d=7O^G}Z{YtN6-H4K3
zyPuC+69=Lv?5C;w2ckb)EmXt<(MBF?zl#%y`=|s`dx-?=q<QLWd(_G(`HfR3%Ia0F
z+Ppi3c+)T&({^l<p3x`w(hvbofv2817=03WM#fJtbQ6c3qtB}a3>0;6p0&osM*4BH
zfu7Ri1RfcV9xpO*hVwx*gKHi%oL6i(7(vUUhx95}Edd&bzXn9VSYe~K;XKh&7|sVa
zoErphoqrJBY;{S$SKCkXBM9mIgXnf1t@96}i9E(P=#+yNA_nA}E`)Z99k8FeCwA25
zc+#1x=woz_@k=aA(czREitg|{n~~srS%J=%nzh})35i7emb<|&iw^JMNhYQg4|%2N
zSi|{uE&|NoQIaFzWPXj)_rKzxM73}H*1a0XtNb+d&7wR3VVf}k>=LgcA4gpd@#-?*
zup_{!nPgGp{^D;jXw*>p4T3vFi%Y*@aPHrCzw1zrj4*Tfoj>C22*XB-*?|ob@t6wt
zuRTw>lwpl{+{4CH5OL&xBc<Oe*l`%GRZ?o(C2S0+J~r*%TfO;{@BH^W@4D~KYh}9f
z`BU;2JC|E7sGV%PRYtKF?m~1m-(Xnvs`n+L9yjtlav3SM_-nk>gb43-^c*iMmUreG
zxA?%FJrbY93mdHU1=ng$wS$*6-iOdD_8cFf>nv9^kwCsTp`K>(t<lQ2T5_@vu3k8O
zsIZ}U!$B4D#qIOK)!Fs--0%s-9-0@3K-1|0$kXEqXWl=}?=#M)JwKQBivDiNLqA;G
z4r7PM6Pn^~>ajH5>8k`?$8f(F{=Iu}r^I;?+oSQqia0IL7;sVfxtZnH4k3+-&$tSY
zQ~o*sQ%aEM&I6P$dVqdOGv)#MiE0kpUUj#R$6^d07U(dR7qvah{nX{#t=fxvQ>a*x
zy8J-&LnFr0Dd`Hi!JpI>WX`zfbIDvnc7Onl&{#>e+Fn1NfpG3eFK)kVydUBGF?ts(
z^%rWnYMKs8Cb#oH_WIiC_1;sxCOU2*QaE}Pg&I=q4BAFJEzh;Lr(%B)er)c9hV83Q
zbxu9}en-~4taQAt;o0SK(OvtH`3HmAXYPjJLG4SP=wADhs1v>aZRF0`<)octXT6h}
zS)uB+kGLznN#e@zn=5=%51-A08k<gIPLH6ysWens`_iO#?JY01SBNhHcbkK&YzKEk
z3GN5Q_HJ@;W81-<Q-q5huuR~YYaQIEc5tuVQJ6>mk~Z-y(sq$}m~`jvgchP4OWMQF
zt9whjya}!FYp@7AbL?>(x7>YQKk$U{Ye4nR&eY;iI_Ei%+2S@m4{aH(b;D7)AUCDE
zj-`@$&xY_pRBubhc85J-{rIp^!oMd1PK8fV7%uh`%S_O0<W~h3M^=9uiqVdupV4o4
z38-A(&#5UJ8tgorro#HVu@9J<v*=%3gO3`>=)u$A5Bw*?F|D!=V!`#A<AYtJy8)@@
z3(ra>ng}}Zft@XJK9*;VX%gj}1n044+|cNYai7Elwc)ZM46PYAEczpE_IzJz#Cl`x
z=-)pi|K!fP?ykEl=+2xsM=`&N@oCoQNb}=*Z)SHIyN`wAMt>`=|1DR)jQTBgMfqPl
z+K<ZzyYfBPQT{}`@?mlL#jbo6<#t<TVI96gImdAe>u}P8tf!ySNgk6EtctuV#=$hu
zbH&*1`kS9roS&0VrzD>Uy@_>nkpWI5osHDV*(?9X##sBD7LniSUf5-+U;72b)l!B5
zn~0}ym!3`7%`V50aPo6MC~yy{td|cpmf`{ZMf`M$`Dwy8byYiTunJc_1_qC*pDrff
zaX49u<7#Gp{2*h|;mXK|1DtQ~M=!Afj%-Z*;J2C#w{l0LdBel|h{)(WDh>Cuo9jq+
z$T^K0sp;4D*1?Qe5u|8YG?&*LPsd?$Z(E5=ge~;L_vCl`I87O+v{lqxJ~a9WKXoB0
ztimw@@yk%&4-@1AIJ(JWw~#CML$*b$<@r9BwqpJ%p3$|Vi|#y8ZrX_G(K^j)bnt-r
z9;QMxHpcy5v+0bAe(FjucBKzE$~U;uFGTmb(mt;A7q0X#Dy@A~Qi68hyB{U~ao6hO
zl+-@z<i_Z&Dwyx8OmkHvfT&V$C9cXhtcnv!qvxt%qpK3QDw1tf`JqZSyDFcyDo)ys
zo}z;HT$O>Yio_;Wu2V^?tI~F@2Id6m=r5|^ELX6b0_Gy7qsmZ~3_t{fp;ujr6Xv6P
zt7HTv*Kv8}pDCJ6yfU-S1+B+$80~$0q$8q_*a&(o95N(cBnl1vms%RFS5@b0(XyjW
zqq%mG_~8sDe<gL1tE$oXf>CE|SUrM)MX$S`m0`6|8!d4^y|7wni=K5qCxz8QNi@^_
z3@FyvqsRDNyGZTSjfI)RYGEO|n73hlCu`8&dtt2zih|lNE>h!#A`y<F)<v$CIw};2
zKoo6L(c<`Jwc)dq4FGjKYM@Zpo--y9CpBxLN#`e}5SfX={jT#xh-cN2FmN$HYoFB+
z^lP{))Q+m38Gh=H)aIypp=vEsK}qzC8_qnruk4$YNwayEUqmkL>e#MS<qjT+pSa`4
z%&vG=(@={)mBsO_Ca7OObA^SDALplaT)q2bwDr08Lnc$0+F4U>v>V-%A~5R5SUv}U
zyhiu?D?tc*HsvLHy7;rB2Km2>KTVN-xcF0gx7x~A@k;G!IO@OUXKuZ_c*SpzAp{;k
z2+Y>*(ES9zT<$s3Gqglix5jAb0#xDUje1%1HxI$zJRsk6s=axwd>IcUnf^Nb8o=4_
z8S-`c!{2fH|A+O}e{_HQY5HsU{NuD=%7-Z2&pu;?ce(m~xN!lUhChq=lb1i=cA=8}
zUx4QrkKNy{jU}_rWv$q0Ryn{&$QST^{P?xi>P;p{$(aP1&@ZvltwUpw1JMSgvp|Rk
z1w?UzVY@A+?QtD%K1mtKp9yJD<IFU%_{eHMd_&0&;hSt^i0%}dHI<{^3vDBp+WiED
zoS$O-+Mn8p)>ZA~jxw@&Gzj+j)H5qB7|-q&$set4RXHRdsvp!&n3~0B_Swo@&vW=1
z`saT%ol)J}y>K6+-B-Xg)`shX#PVp(m$}84RcFpL>BncDcOqUt)t1YXn%p&&xmyQJ
zzPj@Bzq3}$To_&Tr2LW^aNJ8AL>D4zL9~L?l47Qi2#=j&9^WVW7z=IT37Q(Mf4p3F
zKx)Dg^83QYSL8+|ZVmb9_to^buIg#h#X5ifS#@*Y&t+pLHdeQG|L#y?Hj|iMS?alS
z=60-^JYdR~Z1{P!CR-21a}~Ac(D8sPYOm?q3L~^Ks3D~*T@&@;%KE5NSkDFbEp=RN
zKYqX$Yb(2+2q&CqdFG3$=PSFO;*!x*El<u4Y9Fp)3_|IpMU>9wP5k}AGw}J~m;NC>
ztvy5OJeo0-4l$HktEnPN9Y39p*TEmc>m=bB8)+=;K7K&-BGTtH{0{jLejn9*gyNq%
z6sz0&!V-!v0L7Ya0mVb6T;)*wb;*;{@jIkFemQ*9-0BTG%9XjN;kRD+9a6;aU)tgK
zx3fJyH_~PL$PQED`_<z73#@xK(GA#GefnTDJZ#}&S=3yl8x2LC>1zG%vAMc7`rngy
zqeKaAMt{bpw~spws5#~1E#Gu{>X~-xVJM|+tXsWd+p5NSMAAty(8(7|u1{UQ%``T|
zD|cQ*A6Jho*#&IUZ+`c~X6J8dOiTL-)PD4Ejk%zQ$9YUt{LSeV&F=g*6<e@Tdd*bf
zc?{hdvwfzaL{C!TJW2VIe6xHt?g>WBxRkZr&;G*tMb2c2=qsV>7g#{r-~K{l$}H(o
zp>Kw!X6ZKqWgXDbWjL<L6yZSfifADwGvpqd*~&L$ss_e>2fNfrcaQy%DOGS+!hYp{
z-y=(;E&7P2S^Jqj{B-HyU*QD>9K;x`qTGwmsh8n@m1f;m)h`=HmEj>=NlJ?4JgT-F
z6Q<k)SU4P?-+2{c)XsyKUM|JI@HdTE$gS6)6+m8EbuSqE$#=k5w<5;oqJ>50iVtc(
zb00<8`0k=fAa4_-Hd2S%nfR%r_uM#_Xq>k_YhxC{g^;i5r!pvySrYGo=vq0=K4JT0
zuea3J;9^_z)azV_j(UnT&ZAiy#9uTBW@#8IO)3A+nrG3U-Hx8w@MUbD4PNeNzY?jC
zrTVl{;XVZAb>S=!IY*U4PW@){{VSl+H+zVj_ZvA|ZZL9wj;tMs-_Pi1mp1KWSd}C9
zP2n!C&wS->N64$(P$%%y5i-XM2ubDW%PPw)nxhVG{fj+6#WN;U&*&@e_gsF<c{zcf
zM(Et+grl{~ex3;8DyrMss?IJJ@EI~uMp_43SWneDD;qY#9^oEWX%7mAb~aGi4r?z5
zPQI7+JZI0aPYVUY`@eO!^r;KjD5Vws1f;~tRp+Vr(-g<)VU?=T9NoklAX?snM>>Oo
zg=t!HJThGCufbs_f0vNe9HkioxO<bI8pWA({W8UT|B8ia$p*R`=!9!*4NT&5{&14k
zCw*<c^L)OF9es!9eZ*1_b^Ehg9=(|NxD~FYZ!C?QX-`KhM`+13q2dAYgdi4&Z~D1M
zx=6g$O?9xBX=u3zJL4MZ9xZUN_XxJ$zHB%LD6QobVAaPvPnqj;56B4heRovrpewCq
z@vE16tdq69(%N=3$iH!=!@uz>a}097Ye4UdZyjV}Ly57B5Sq#eHR3}btLNVKjCZ~{
z>gQf_uBSQLBpp0fy)V@Joco$Xis#yAr2q-)5K#Punz>uNX#KaXS+KD^`o#NfZ40!Z
zV;OBekni(S)$~1*(f(I1A6In=xW41t(6y9Ywh>Y=$#y3U@_U$BX+74C8$oxNN!!Uc
z0mCFh(ogg^T;vOep3!5UxJQp3t6PUweU$!QP=6))u%G_yUe+Kt?pjhX?&f}Q9pN7k
z^`nxPyZ`#Aj0gD)a^r4`V-$U&_y5}p?}+yC0P`yUcqfnH5-;4Oy9ByNovtukF(k%{
zBQZLQA({_s0g?d(8dAQ^OS=LE#{(K;w8jTWGIZS3%5c$i0IP=RIsjJNifFoet-XJ$
zwGu8566BA2IGe%`B=mn$s9Ie^H8MnJtM<7rk}=+@E>Z~<!(*!Z9qNi8Nh(&>J}EqE
z9S#DN>vClHRfbP$W1n(`gjZB?Ei;<lfzhLoPbg#$xpc2EpIL|1WcQVE;^GVv{*IoC
z{_^e7RCeo@KgIqJwcPwwCdLHsf@l0tv+vH`Do!sb+%G$!J0rndoB+|=`OnYvuZQ<>
zyIebeaCl$O(|(`nuMZEB8~s4H6YN^ikpIJ>;?38c2G4rJ1!+mVc5UGmxd+Ceu&%EN
zU#+ymaNV=vsc83~MElJ97a%sdzZhL_d&RKj!#1#`Mt`_mXg+4<!S?6`zbZ!_x%Ue0
z@XAeQ=iZ1KMRIu1zr%MgW1Ii99V?mn%GAp#B{4nmO7(tySm1&F@X>~F$=I4v{Zcb^
zr@C6{3?=N&QPTiR;<#j=Ri8{$-A_}w2Tv&ly+8OprshU>sNdN=c`V#CW2Y3W`U5>H
za}zpMj9h$Qmaie4%w5x`W5uwe$jgy$-23@(6K8@sJl6U1xv319PY$(K)^z^-l$|!Z
z%5Xz!)}72;nh>K(J^WAnu-l9kPwwU4ewye$h}eqy!x0i@r95A<3sqn8%bh1GiLL>)
zI(s%Ix_biaxG6EEA2nmcs(9a*ap-ngZl-2dy;b1Us&&P5-9F&nit+!J!^V}h_Y>%B
z69FfyC_aWl9MKl~vgkkc7T;r)&oq|Y#xw}##XHd0>0iX@-4<QRptSs!jt7?Ivq*m#
zA1kXwkNgF^HGYPFMxThD`vY8%fR9-A+>)l1za9v_tBZp3(pPDk4W^zPYI1?ze(9V1
zj-KTg(Vf&xo#8g^2WWNpFR?y(A4rGEUK-$PR|9XCh4Hl^+vXS~rf&30&4~=)nT#8N
zUM=5bT7!zyvafUA2aG9HqTlFOfN(R~Q<_m6fXQF4>DKmoTCEHywqkd|WYmg%Ri>y-
z(cXvelN?q_6Y&+2f3G}A`Tuy|WL+DC%y(t7PF@h$<IbU~j}+|v+@!><)uX=3;%S(2
z`0&yX-Ph^OYSY2is?Va&MgPf}rrgwop-Yb7lyGSI-BrCp97AtQNUZ`W2pfe8Bn58p
zmP7624eeEpSBq+IV%(m5Mr;AJ_#$s;vFcpu@@Hq(&Av5N*R$WPVNZ0AC5e$6?lYZ=
zj}^6i;4FQ$cfUK7fpTJVyN1%T!u-O`Hp2%dYoA#^<zQ}V$2xOST^;xIxmjDQKAKrq
zfKNRiOzu$ZZ~c7-v<f)^WR+gh&J+!FHK#Pu&yF+w4bq<&j`RsJqs~)nrr)RlbGId|
z6=o{FT*s?;F<w>oJ(%*PY5c=^y*4kwrB2uDh_r2N<y@R}2P>eS3IR7;SQ;@QCp$#V
z>R^rRjQ%Q8pj!M%t)d_VVdR)Gw%>HNt{Fea8RN4cs9i!elaXc?&u+&LL9YC)DF<?c
z&%!v1NxnTATpIO+It}<G4PC><Q9>qoam>+K|F_|GiHCcV*wX34#f*bx9?^JrGhUJQ
zi1f|~tTRJG9+C;sHEy1Cs=L^4<(K1c&9B{sTiv6UF=9uOJC;U`Jm&7`)F+<IfoLMV
zXBB){iV$#ZSIqwuh*(&|q!dpm_Ody~rfXl{ZY4&dVd>texc%w0&v>*lrtnyq`+67G
zm$Zmoyz%uZ`DKAVN`-c_;`F}0ufCw*FC0pkS&@S6<io;-n|0VJUqy4;4?Y}E|4_XB
zbpPasz6bsM5Y_{Gix|Lt5lH9bq{f_iK5ml209xlxUsV9hRMGb52eqz=606N<IMys1
za9@tI{ek9e54O{6?hM>?^;bM!uf#}qzP>|syYuzc2NISu30%kfdUAdTY1;W@<M$ni
z+Yd`LF+Zj2{Mm`>9K~~rt}@PP02M}fMo_VSH^)^5Yl^j_%Wg(|6Q2ALB<BlSojZg|
ze~6w0!2k_qB7Sc2;NrJ+ujGX#0p835)mQ%;Arwm%PXA8!(2GN8*3bQ)Kk)}6Y44L@
ziSNGxg=sW^antq$@j~uJ?Xl4x9l%Tgl<qphL0kX?w%VP%b%yO<zkp77w)_jacYPTe
z<nivQne)M5W$iZ}8=rb+w<P8cy80Y-Dr+B{O%lK#9T#t=E(K}pV$T98ic~mNw~S)5
zxW4&Y1Ly$2xLnUq=tH>Ie&0s=YpR02$3AwEL)NyNnC;uH*%^g0ot>cldX=59GL16&
zH|zE@f8e#7!@<#XqjAqdyU~b#L=oREet`N5hA^tSK{MFNw>)iy_qf7esZh33-6bk~
z!4*z+g>#C9feQcA6^?L)PpMFot^0-wzwZh^N+I9$C0F+$YmYH8!CAit*s^;^*+G6T
zW32``wWIgmcs>-X`;}m4$FRREz*dya`XkS%p`$t$6N1H?RD70-b@QnPy}xP`KSL*T
z>kY_Ikna1xPoWVkIN9Ewqx@Scx9|JDr1GDiRxaLGe84Wxmq5adl`@DCI5@gd{pxf9
ztZKY3L9}NSFWncbqpN;n*@9PBTAZhktf6Ozh_A^~I*Xe=C#gdIILdpq7J_V^DgRn~
zH3>`I?&}pc)XrQwmie>BZ(^J?7^im2x;bFLiA$o2*U=qv93AL4H@I?3NOa{ksF$V#
zpZ_PuDmWyd{G+audw*$He^iRUE+N1*oIz+vUs(#oIARiuG}_AAKP?@_IHH#@h5x?5
z!KP~_J?%(zV#%2`HG^o@Kd!lsnlXAbgeUcr*_yM)%_cu)V|&uIx6ky+;avRbt>Ra=
z7Q>tF_U?*so|bY&IQs?uw3nyEFZxI!x{r@~43XFS&i6Ycs=oDp$3)fFCwsZOx|_fi
z-BBr~{Zg`N+C!hyk9+trS}uTT7qT2>az!^<dEz1N+S?v|nID;T)vaTv^{{y~=$y0p
zFBdk5;_i3+T-+ZD{u8HiahQzpMwq82YgeRZy~l5_`oXasQZs)qMyh^r5|2-~$KgCa
zs>htP8wMTZ9vpGIXddMF(wZ>vl_2-0^0|7N9ORxVpQER1yxh$4$9bB>S)$w{<ucp@
zUQOq(a#`+Hp4ClKh$clRF#WvTc+ZR!wqjksj@P03<>Aqxr^Tw=-dA;dC0EI+|IFgs
z=~8Rx>VSqONxh;WYx1$U{l8j&9tUye&|h@n&%|)o(=2UP%vdd4jc3#6EEvW3DjYAw
zhL^^Is>Zi>aaIk{NX(eIwJ?;_tnWw^QaC*J1)YkLr9$jAc#fMh0T^olQOi^DEK;*B
zv#Qr{yD?KAE|^JC&r;=&Smi3|i`U@0qxkOV<V(fct*6v+p|)7Mu~ewUajS-6<nmji
zb$=*U)n_i%=MXh|6XCt6>CeT&IaWADni)H3bmf1lq>^ibQ?q7KL`ngvM3cc~;q6^k
zfrd;PM4xL{bWL1zw<|i&if}f$<}Op||2Har1I1Sa%vaKe+0`$JkonKp&-U>O$=Ah>
z+rz^d?9VsolGW54{TSa*?POB1FngM#M`2K8&o{l?zcTe^-bRz2(5vq~;N>O{2y(M(
z;1B%rram=S)_%Kl)b^qP!lhF#;mQot37ew}e=hw_R&O&q$BXpAcUjM4tOE*H@tPli
z54K|63gj1n%vi0vyUqZbPJcAzpsIjc)IpA=ElAmtzfj!Ijh)v_W@3nv!#bR(JB(l_
zrRq2%qd9u|(e`uw9c#eGJrdT|Y@=`dT5nR}XAq`A?%N}nGVa1zTD0O3%mPBk`KWh1
z;i`7cXI^n5Tt^o(R?l<uh%ds@y~9iw`A^cDN29mVsHB4$WjWF4p=bdz(?;{h)5o0n
zP5k~*Do!m7Bia+cPR*KX>jyIm4%Q@wJmV^)X5C;Vj5`S5rI+ZrVjXO4TNr&D|5Izw
zoI<Ukl)(@&A#Vmrr2#>&SA<*kUlL38x$|>?&iCLSn_q!WuTpAs%D)dQ;$JG|YhqJY
z*8WUVrglPSrBmI+t);11%5dc-y;M!J9&(e)Dn~Y?eyF@McJb8A*LkRpI_dINzNtV)
zU*)jHJQHi#Aj_Rw_BeZ5vAi3K*j*hfmQP4@eCRS1njlxzB>|@_`a1Qw5U5}uRJSCm
zu9io)?Twj>YsPn|+K&dA2u2>6vcbDW>5n9LA@CkdEFX`sy!a9@!kta#-#cYVXzXR5
zfKl6fu&1KY%%AQE-|jsZj+_Se9k_S?LBLuz%{NYNV0^-l``$5Yl&s*+lFrjQSLE(H
zIOEho(oIqi3j_K*XCKY?jmmI!d<X4oI4m(|QZvP+(P3K0THv!FQ>w<-{!M7+IW?=6
z2fp>*hmh5D_t>}Nl<)E8EH<+r@W#Id-}e-5vaRfb<LKahWi8h+E^p-WD%=3e6Vt!Y
zVG5sYUQUAEL2p=8F>D3jBbnwIF2;wW%Kck5McqCPQ<3ef!G{OiZ6Mqya6c1fT=`p!
zQ?OwS1FsVv)?$98qHeY@Qm-NKjgr|V4l(BV22EBU>z#V|>pU2)>@Ff=t&^|LhOcs=
zv!(rN#SdsJ-*7ETud|~iOAO2HMk6^{9eujGwcA6De$Mac-LkoYdrB&nS0tF-n{{nq
zgUpO*^Khm^NEq#$+sFqj*IO^aoByRZp_fcO-|IdeZw)<c!(MmtSmX8c^_BO~JDb0V
z6mKwp5gT54MQwJ#^syZWPaoTF@ba;#&Y^b^_=Ps^iWpR#)Xd8vv_@PSZ2q4>3vjUh
zu$7EB^}~M#f!SO|Vbl!R25zG!dcd0K8J(+<!^WKY?~I3XzlXPr;YYXfzU2`&|BqX1
zI{e=b2dA|r9K7)<!@*<!S;9e1xei{Uw%5bFbXb_d6Ikd47N+u8<E3IO^zm!QgM}}4
zui)m%@QZ!&J&pXr|7F(y^{4m$AsSrc`tQ)Le@BD&pD5DcFpn_}_VD<Bp#h^34TgaK
z1aug}JTA(Ak0H#ijxM+HyviDGhmQ}9=jDqHA9t(w(|F?6(s*tujptwf@pv=_#-*`b
z%HN@kZ#d)Y$oNqCyixfr42ki5#m0BhKNw%R8(#wl8BZVIa=mfXTFPULuZ2AR1ALu1
zK8=ZSYHXGK9l?0VGTu&%cP#IM{4k9-ckR~d<8bQ(tZs+Tty*Ir;;*Vt3ZMOZX>?pf
zUERj_O~xgbcLMTimRkQ4*v(!ziHo)SALa4ZaFSTczK%lps2@-tt@=FGI#0P^`MBO)
z@_(W~^Cz9YicS(DwEYR7j`@cTXgbTh1HU`x?<@T_!HoT2GNavnN$vKp_R@L6!O>1Q
zkHQ=XOgO(EZXknzWeDFNXGadg*HSb0(N%Qq2L;ibnzf7<m9@_n#q(SIj>WU&Jdb@j
zuf&?=1aM{fSu+=>W)7qaq^zI&*N%R!sy{;d?bHvR0%BBK)xbPfknTYl)s~tiyTTiJ
zI92_y9&ll#p6kS=R3z??O9bKKz)A1ww)0anFGwIxtK0r*%3akbyG*&=UGFgg>8Utm
z&4n_DQnS>w$ER!-p3MVVL3CGK@O>5h5Awd2h^ORz@6+XdVgIGmPgPCg-%C<6hq^(G
zOU)X?)AajO9jA1!KH0Ns6!T%%?aqmTDKBx!#Uk&P2D;bK_8|q8T=NjESJcfxM&`fE
zBXv7ZdA0gv?<p&|6|Lj)aVZGgv2X6S17kn;@BOB1aK}0?iRU-h8kzDEb2}T4+y+hU
zvAE$2XszYxl75+b?#kX)8;0pnH^j9NU>MW{<*DcfSIdkbVtnPPptf`Q^rIc8TvC0q
zqdtXxe?Pk!MLm2v?m^!%jjt=Hgb20|=Kq_Q(~owZ(xv)jr>d3Hk9JATI>svwp;Rr*
zA5`J}DfmL4rl>yIBQ<Lq4|YmHT#^4Mzd-5Lu$Kevl$y23KzosQBv4hfbwFrOCWn`s
zI5o(P?T+!9`<W^Bx#y)u1Uc_oyr*WsVoi=6P@#W^+P@?0U(f!%4aI#2_1LsVuxd*9
zsy;fcBK1UlMRjY()Dw#<y4R;>{aF^XRJpl4XgzURzf9JO@HHiAY(R-4Q4))xdhcyS
zn^{3ztzmW@7H!cq91`t-t^M4D0T!k)KYjGXe@J)bi|?sfm%u{fbN42I-~hsnWLMnf
zRlH854@PPkQq=#XMo+2(wnOw|DYEd=*Z7rLN8Sv!qQ%^{N6)=fY<DZ5r<ERv9xs(*
z4<M%Oj*|0#Y|YgiE4@nDtEyU4mdx|~c61>Iemvyqf<zDQ9{qrMj6}Ch&AJ}`GvmOl
zWm#bhG4-s%6h*RQJDWbE-xLczCwyU&#1`$?XnC>dyjY<%e9FLHgqy<kKT~`qXTgwS
z^|6K?h#-O>$)b~Jh>CtLL$+5c<*#DKD~+r==zd#exU!_LVC85!1!OeA8)gCUG2@}7
zA;?PqmuCwDm^F>b@+}NF4qHuY<c9w$mPucv>^2*l%Dz}CQ)rX2sq893ME6pQ>?$hh
zZeEJvA<E<8Zlx*Kx3bGr$=?7b_|gD}T$pJzfJxfq@>>0I9A<&^Q>NH%FEBg1y*+bN
zW$hPgZx~WpdoPyFRXuC(99&s@L+6Ur+SKaG+B><My|t3>ck#vTiqvaT+8ZlUuZ#~5
z0)J6z4PatU5WSLX-T*wiBFqEmf%t>9SCz}+*(`{tBDES|H85v<xE1d<zynfzrUJ|J
zn)23))EdD)K0e$B*!b`m2_tkdJfIM{`9S$xS{<)LzE$P(D7ciLd^%7uulcoK8O56s
zsZ}9)3M3A^7S!I1nRU>sy@HLts+{=nJ)U~GRwJp&;!UZ&c?h@7pb8#Qz-&?$!CZSY
z@jC1#9VjE6<>nDtZa=KOd8|e-G>hjle3hH)x{_x$V+R<<nA`2wHx43uy9Y|JpIjM)
zyI6cPcDJ=*dDQRXbDTT+d-Zz;ddWi`-z(oaEeJOTnR+kT5M)lt7s)e&<Unw`kybdt
za4g8QDjYsUjkJxy<JRTzPyNRi>E>L%0MpM;0?kE^uX%};`hamK5YLc$2|b<$)vbe<
zTt$hWY2f`iG>BS4ffV!lon;gTN$8dL(uacd2SH|umt5<I&}R!{9pu+XUA@GniW!ZX
zo-e{|$tLRsz)UFZ!M&l(BnX#eb&FqPH_|egt3CoUKo@={Ux$(X3}d6c{6H_%SeQ3I
zI%?M7lbb;^i?7Vh{QQqAKl>do{ie^E?eK_RGgc@u!b>#x^*hfME)t71vEkWVXTAWy
zV2)N8;>To}BeNDp3X?wN<{hNp_xTi*n|f*9P*+nAIqRl%lRip+S-gNr__?0m29Xy|
zB__Yz3n61YKYC~t2?+v8E)fQ-dpXBrkbyyxsnTwJAbjuW##DWr80v~Z<`FNm#mg+2
zzxMdzzXfSvc8Fj@z50Dz#Q5HfCQ;b0f9G63xfkFd5mD01OMvgZD(5<val<M);vwr7
z(%Q841j$u~jYITU7KBYI6@4=#&I{j^!*G6LiI>?UZb={Y(nq{xJ|HPH@j87lP53U-
z@A{@e@ih1H(@(xkG0fbc!HI_(`+G?TxNl&PX=DX3I6>C$1^rFkDynx(;{)YlJU_{(
zxA~d+`A={CTRzAv3&`PTz7ab{kcPa7gf(8~O{$&i!|W9?izk-&xz2sF@T|haYqCiW
zy}hf6lkj5v+N5=tKIUik(<>~!MjaYMH<kH``XC9wdw%-WAaf*0?(`CSyu^|~>=|_>
z#&1uJgKUr@CwX%!>XA*do|n5)2y1J$03Hp@Ch^D+B3_xzoTzSse;d1j2#<+pXpuG7
z)DM!=fKE^x%%)$<X1H>F=78&#d}So__QQ>SZZJMcSea$b>c!;|PnaPX_7dBfYK%K^
zRI-T)16G{phIaGR;?X=o#6ds(22=Hs8p%e#e)k{}L_K&XJV~=XL|$tY>LoTCk99(k
z_mgbyC%yWXfegKW^{#2w+6lO?o3*tZ@s_3U`rUBjc1fVtYzB;;^wTG@nK!P=z0m1U
z-$P#`M4wGGUzMvI%_3MvUobMf3#peo1hX`E^BUgR)lZ#E9<>1AXWr&D#9PW+qus7D
zE7{;Bmj#)_M*9t3dYPYI>n9KRASbcH4-ZNrffg(h`%$E0K$BM5gNXzj=G2eI{xf!o
zZDZ)<Tht!7=&A3I`H7#=3ahAYgpy6&e6jS&Z02Qzn4f9&(+9JNtWMXLvxfI|G@P+6
zg^B%s;>~QLAsZg^>-Y4^a-Vj%o*zM?UOmC{CX?UHW;QyIb6h!v%#p$}Kgrg<G@E%>
zyp}$mO)?dD^$kDyRyOfQHo>%3x;gGf9@!7g5vi)}g*mE}IilP%$CYk=nyJPY*GRsp
zd3t=pmn}zg^fP<><mN>iZW#PW&1!QtL(8px2F_XOC$=!<Y+|KNYbVp{7-+d*^yx=0
zH+!1~I~pqv5o=S;hOax2bNnPp?Vw?2HuIY1=w@r>$0*AtcLw3{Z03-kUJ|5tfdN)S
zHnEBk_s_D}wI)PV#2inWZM>N>K@~CE)mh0rHX&%K?We)dY;kj3Uz{ToeEbjHHfw^7
z*$hAj*?0Ujpa;Fg_8_q$YppT6wc75v9+Nv4_<$&D(akX%!u0B}7xM(Y{BSb`q+d4q
zIw;JhkFu^E6r_zojI@oAmVIznkY1k!u}oWXo0H;4$tck*y!r!7a=GP+;@{*Q>?x7o
ziTk&iv{Mq2Y<^IAagaO$KsPTVP^u2BZl2~RTXA7|nN7%2R=ZT}$NltjKl2(<x6dZ7
zt3E3T*Jcw3ugG2B1)hhr+vyl-a{zsS>8_m7?0EFF8N*PG=n>4Ai5>KkTt>21IIBOv
z4C7ky3=O0KkgQajO+k8X7Ci+qoNQH=9uxEt@zO`y`~)gO^PqTwy5U6SJv=xl{?S|z
zvaSLX24J9<LH!bR^=_7CGeY(Q!@(vm!}7N|&&j4w`I(Jg?uAs{tPJ|3HfPBC0pUxD
zA+$!`?1-t#Hp6c}@fJWLtY^Q8bqV3xLU*vQyvF{RO)vK{XrpQkxujZvm}uI8XgcI&
zP!`q($rV9*Q;_^X8bku{9e}fc64IpK9R-5!7{vaHsAubBJ9eZ+&N4~W%Lo+qM<2`&
zB#g(NiRQt_(SyuU5TKnA1!`_Kz1!C=^4GpgAM81qja=HB6ereTka(Zzen!((LHp_Q
z8z}{#rdv>lRs|t5KpR7+ay3x?m}smjNI^jjrFS$0O<gKc8np2IdaMft;W{rtOl`GZ
zp$=(rh<SIi;TRaA&2%C+-5731w;+j5&Wve%Jt~iyK?RN{IS&mfo8IUpH)JyyweNbF
z7BBawMAg66-2)T~@WCJfV>I^jay>63Q_xg_o#$HLV~`{K_W9N;g33?6EitJL2ECGo
zi0Q(NuEw5oC^K5}{o!PT(2xWKJ$Hki)9(i9WsD&}UrK0~*Q~q*gQjUM-F#QHA}M-I
z{*}VS(d8x0S4(|PE>*1z;wXZmtEk^in@h4`;i*5rJ>BbcP5FE;156`YLXci5)hR*7
z{T^TXb7b3FE8U2;s0K`Hk4eEXZf36u18#Prqb9INwnF_LI5j$BYVUeU3R$4&bZ+)A
zXnK#AKJEmomt2p&jv1gyN_Rm$l#~tY-5jA|kT~uo>s1EJ*o>C6o6+yOzV%DZsD>c~
zA*Rd9AdR4V1GClC-aQ@t1gVspZ65Fh#A8+kZ6~4VhFQ3IO-|}va!Wk7L^E~>(<3fr
z^eZ(1vleOSrk|!W^eR+B<7zb6`aNB70|kj4YE7Kk2xl@7Wc+US_&1D{;jws@JE0yd
z0@k5eW@p6<Rfm4b=X|FHoxWZ^JHW2WNNEfR4yM^2u~U$z!1FH`0D&>hN_*u-o2DpU
zoTBE(3!5AYoT6;V>Y7-$Lrb&Ctt?c8C7B$6@+Lb~RxnAl`nOPHp&c_tlQq5PEmLNh
z(*C}TAr&OBTi9h$TzR(>JuB*m64x68B?#H*rHAmY8(Vo9zXC3LSR6pR$0z2_rc0_J
zryB=a13X1%Nr%k1*HI^)uFQ4*w9g{5WsWg)5Umh6H0gI`J1qvAXwmh1ddOBF;wRiY
zLm^0_55Fr;x8?qxbju1Y_aw-!|JE<xfmzU4vWfTn%&}}@ho62I#Uz_}-4EBH#+$CZ
z6C_6<d5tt{_G>ol0v{>gloydW$n^Bq7{Agtq>5u<sE#xez?dxKTN&dQ9s>;Z8BNSf
zZw`o#&XyXD@-PPs1XA(d3s8!}Lkzo@U!TVyS!KU=q_8&aDUVjL1GsFsKbu*FvRy{f
zYBqz~v|}JF*E^d)DcZyAyIBqPgZx=pHku68^`nz&Q6sS)8<F2V07X|v`_a7&*O${f
z%(cf&7#!~$lue>HqJyD0C9yD6D&(SS+0#xlzoe?b5*e`h8YLAAe=wo$KsJHawbW13
z8>m_0*SB<}L69jSKE}@+g{)En(UGOn9|WLRkU+t)YAEkU*lws5Te2uQd>?zU^|K_K
zS<Mi@ZoME(QP@#NQ5Fp?T<<4o;%z;oU-Q#TgHCs_ttH>4iEIL0v88V|f!5KeVN8>P
z+z4{10n0>e%k}ou*h@G$k7J7RGBm312!sLxM}y%dHncGmZ$`1pim74}fOw~uN`Yj<
z-Pv0tfKZ)mfUC0^hSB1O+gJ>^D>nPsx-<)KZ#9!)^HsS=KC=AR^(h91hK5xuC7i7v
zRb(^vVuiMQz9Ek$=iq%5?rd@|iOw`L(C0(02ox+vKfR54q2F}$Ge@$Sw@|dQ30MH;
z4UdTR!xOaYdKhDhu1tw0Ts+P2SQ8{c?@*=WVILC=ZZ_~nx1}|g`RVllNNr5K5@Zep
z9PeA1#fnKT^%KNwp#Ew)?`z#0pwX1N62g=8dw^+!>_}nv`U7S33&I;6!t-j1cIq+y
z{Mg+x2Ig#*TRDRw%_NW>^?5M;s<=Oi4HdBfz;pzr_kn5DV60{q%3d`Vi3jG<+{9eZ
zi~Mkn;ap1c+8CRRq3ad7zxIChH(cq3C5y&u`mtf(*I|&gpq_V_JmA<M49z%AP#FDi
zpKt}vGx#3BJe&A-C_x$a(dHn50!niEHoe8T<3Jf5GGQnw=L@QEcp@t;e7liD8sdR-
zvRH@6MWa$SgHpU%g$1n``#A9~<z9M)<UEFQB(kQr1<3>1a08|XJt033MU7y-NtpK%
zA7qm<L6`){2Wt&#5-tY_k=B@H80raty&y6wGq!-s^%8Y^KVx#Z-v`U-9lv_3qI#zY
z)Z=oIHzL64GJhg@5FHeiz#m{*`bIZrwn=#m@NR50&J{q9EKI@iF4+rW?<T|zys>{^
zHUlpTl;aSn=eyDEc7qj|8jn7LvY(eBd*cJh*X6E@@}Kn6oBRx>*C|e^eumC9s*cw7
zNgNbnaO<LN4AXI?y@KQ^8yAws))B@4ozfMul`)-^X9vH5U_d`GkkU_LyPpv1Q5?X_
zHb0G%>-`|f^BNHtnnQp9#kanxKmb3v&tB|<;Cp$Bu@3}eXaf8246m6K9+G`!;tv=<
zv(Moclp9QaGmO3$sotD*%MNl0@h6QD0=`;WlTDlq68kt0Oi5QcG$GGk``J{IDRDWb
zF3mDefSa(74F3*1n`A_LX#@3A&^V!h>BclXt*R_#j5dSW&OM&Ly6_J(tFDk3O0!EM
zjPT23SV#Mi>Bp@Dyo<Y-IE66@Vr~~vzyVU{q@Q?OP9aU15vdW@0lo0l1UDN0+gMHt
zEQ#5|YI{#?pJBB$2?LvbW}aZJA^TboKX2L7u9En1FIxKHD5MA^vjDK@d*KSgBjaaW
zc@rdPkz2t?uuH_L-^<jY8!Xk_n~9y}Yt15Co3%fn$?WSYl1Vi|+84M3dd$uyPB3@2
zZ3PMr>Sl)eU07@Mhn<1^H}`XldN9#Hfb}zs?y&S1Im~dD;jNKwjY6*lVeT<}ejoUm
zO<wMifp7hO-t|G)Lc5r0N4*68QN#}<NN{xvqvS`C^Nsmb%9=l+5u1YytI_&oZ*uTB
z$3Q>jvSH*vI}*UZnd3q-f?IS9();kuffQ_A{4IWh*hC9Vk7#A|$1yI@rFNxg1M%ZF
zR4?gDgzweXp*7gp4%@QYm`T1{Y{H@1c*!-i>hPXNUj$-}>{Y7eJLwq#k0)e{{x0Sn
z*6}tooVJMjDcM#qp!W5^U_|&Z$88t^!gc}iA@o3g9``b<)fAjgO9RbN#(b^UpkVvW
z0bV7Ha<={Sb^yrsdhDOytT}qGpIH$kj=3Tk$6f->n$<)E#q4x~8i2FXZJ{2t;qB0{
zoJT-|F(VxyEG&kgLg5|{JB6ZdMr6gG1@oIbeVf^fkb8rym-;=Z=Q~nx3BRZ-kzc>3
zA9x0LC`!iXJHY$vv32k`#bwOa3tyK8s7)3dh@PO_PVqmk5Vhs-z6ZQhyk1ADRTI3g
zH_w;;S?RIeLpY%x9&g0m>jDALzrQf<>?5$_pitdqkU7Ou)*vB+3{z0N#x+DBV;9CO
zV?PuqgdwYU!I!`Eg~z>4qI>!{9$Sk*VbVc_1a=#3=ZV}1`9;j*TcAB)q}B`jT<f!3
z-HPey76t*YSe(1c;sywWp6;aBp}0lH>?w?Q5yngBgLI1+I3fIC*J29MMK6^8zOah@
zYE03MXdtVW(x~4BMgmz$ty)BLcnA71C6@?0LO;<sydt2n5%jYFtg1u5%p?oevAwD$
z=&u(l9uJ78@PF(jA>a_h7)0H!idr>jqFAMxC<XZ*SR*`L;LIiY65wi8g`6NB6Q8Go
z7a;%<kVN6ZhK1i=o|y}G<M|IVNLZW&Z~DZkus3CNCvYUi_B6fVP{4VaKsYm=Etow8
zVn7#Lx@c!sVvKGyfW@6AZv(`&(V*o(%qG(sq=}P0Ad0^!vzu6pR1w_YhZLJZyK!de
zPV}kWLbtO^{|>t63f*$zwL^D+#bT|XPwq#$JCjz@-Ow#p80c0_*`-0Js`5E9A`+Om
zsN`(%`wh?CasKc#=5Z-E$&E@R#zX~qJjEC{```Lh)q#O5Tb_2yZ-e=dXTc}=S5AO~
z6?H2=(P>^bL0C4*CJxJWMU;R*j*k-s<u=3sWgzRRU1WC9&OmsdO%Qh253?ULL#|r~
zYn+*{(u^=pU3Ifm_oLXD&(UDs2ID>+I55t*Y3psQD0u^thA3R;H~|6z65;Uzz7g<d
zULD7_qJIpc<HqP1COF8JW;2*xCgbM;z$R{6YBqBiI{v@F{k(R#pDW8PAxn;yaBRyV
zY8~zpv-bhX+Izu%eGBphTAGo^qJvG?QyJMV`ES@ysVKBpAY!m@D(Y5D``Sxl?C>xc
z&t_Wi>}ClYFi8B_Sdy5oM4hv`onpP0KmpiQKsx<90I<z`WOv3m2MCo0$}I;44hCh0
zF&AJ=m*0iqD(b>9S+}>sOmG6G>qdDAlCa3B0O<za!6VTF9Mv)Eu`l3$VLA47_hY|7
z%KJ$SFuP@QzN{<j9&$Nd21_J!*bv_wGrcN18FK&`)8^w8h5V`t)1MO4&(lA!AtP@w
z)-lc(nuYi|7>2kAtb_A9*p}zWki@$x(+}Kl4>E#b7T})w8rR3@H($o?AhVs4in_x+
z8X@v2KMfJyH{`WY3!@3T)5LO*GI&174Zb9nE7m=3m!-f#g*GWcF%9qo+oF0~0Whl$
zOo8Dg^9^95n8hK#k2SWD5QmpuYcBUwINGU%Rs-_6Jp^09<P7#fiWWfr`#NA$zrP>v
zwZ$gk>{D7mHM~UN(D&g2?oY948SZz-xK~|=`~BeFRYL~&;2!6+&^}-P9F$@#4}sW+
zjTx80{;q2DJT?tNGC1@pU;u>`pg{q+8xhZvRv|SIIP}gF0!PtTe&Frj?`3Ek%uo37
z?>3mg*&4`6f&4y&B2B$segc)<Vi#BB1`l&Pct;cBY*p<xTeg9t%z}6Q0;2z1(U8$A
z!#vY$hk23)1h8DJOOOL>!9^mspFZWKHwH<D4CY^>65>XNXN-0X0mO}7U>qQB@;tH2
ziR&?={N$Q!Mulo|HW0`g6kM6GN7z>l^>UO+))PNC>QHYQrG|<|Ihzd(wtr1nuVMSr
z-_25Bva;gQU8~CHN-CP$W<RbonkPai-g?{dqj(>VceCD~O=8Gw(-O?Ar4qaB7QQQm
zA-kiSpME<)vp}but9W~6?UlJlF8b0ftMCP3aPCFYgS<l$NJ{&8@2cEIpXPNhHtCr0
zWBW-YK&XRqkdK4$J@#|}@sCL#h^;1o%A7`~`~>0t1Ue1IlQ4z9nG}W{s1evX#m!ZA
zs8B`Qy^Z{B2_oyx5;{xGj*+M-xSB!S9(Z=QZGz{q&t923`wMCuh3y)`qh>%M!dwII
zV2{}{Dzw<#iy^aY%^!hXLQAr$9_KB)RWnwgO?nJuey2Z6gFRTZsEK!BTNx56*tgQT
z@tJ8yX81kW1!=%00HKn$Z)Y}9!gAPCVKKj*I28bgM*M%1+^{%jYqIIR_|2}!J@%Pz
z4jXp1VpwKS;j=t}{b0YF&b=yk>5!Nl3Xmw!MI;BK7hReCSnMH9lhlX}US=7Eg{no<
zs$StC%8$s%LEiyoC}}ix#7nOs=Y-G-Hm7sJ)ACt-%mrl9IK<i8&3K?KVV>|vaP>{S
zFA!xcXU5h6+@+KnzGFnDmIl-YdG`9bi#i*%(JJ<0I5ehYJefymn&?W32_?-^X`SNA
z{-%aveF$xNh13*bdkh;a(R4gt_AW@^P<St<gX}N1EDZQ}umhB+Ms82CwXkfOoeiz1
zLuLhK(uv|+7u*ZN3(KQ5o5o+i0@Iwk`!AeT_WUQ@cB+^U#Bkek`#m|)eA>1wl-6L|
zQOnUoTeFY(tsP&R`#HtJcu%GfQu-OGT3&jC^wIP|VKjjfp&H%z1Z+0MsmhOC17jlK
z$#$g##kaYl-gF2tf~5Q1f@qNk!S>3w^O$g7SWMxcl>zxK-LvK)abzrcEK~zfG1GaH
zbIouUj*7j)4V%n9XaPIYXiN*7X&E!@;deF2k{*m-69w&^{)`>X2|Wgdz!nPQACyhv
zp%E#v8I=G79YEJ{^Z4vSSb~ma6lO7&<TubR_Eu0!t4ht;dsXgNA03hY=*8M)Q9ZR2
zw{$E}W-0D4*B8FdUFXu5BZ9VR{0e?%t8LD7jK^jdzTh*+ffHNZZ}8Kr$<2xP=~j^s
z3MIBOo^Am)9%N9v$f(3FPfmu_xQE#)ab&*Jo2}BQu**CS07D3QhCqURybuDnMFzG#
z;gh;0F^>sca9k*M)yJ9?23Zg-N=JbbLDIDcYzs7a%Nmo%u8CF%ZdeR!4;F%=drSa*
z8sp4HiF{h`ihD4-Y`Do47JLy7T2z){CRdQ4<psh#Bbz0V)9qcwu)<9fbB|qc;@cNx
z%?bGddrZe{2EV>=F(#Whc2(}{{W~b8Lg)o(LY4erR}#3AgCwiMefFy<7FW0$YzrM#
z&e&iCP<#%qZ3aQBS|Q3>Y{_aEc#BAvT89TNn`FvzICdiwz*<~J2$M}YCJW9ZSI**~
zd3hU)WO2WdQ0fF$#KQ_V8)XccxIIn=*t*!g`}#75Y4U9BLicULo8gF6qKU@NFtDsy
zbMjEeWZ_*8T8npVKY`}(Dmjb<5{yFg#7_E&uR^%%lnvLq-~CNSxk7R$lKb!p!(J5P
zbu^l=my<$~+#=6^X3fOhBOmYAYsA%rO^BuubipAH6?(C9asJCWzcVI}6j@VdHfU8b
zoe}{+FuRd_`UK?AoaAWK)9x}y1E<PmlN&_|v;@BSl4&8U!DlB&EX*e8r%jA7KUqOL
zsBIPA(`wODu|;9a#Sn-?vgNGeB0+kyCpc=fl;|LACfH;4$+`cyNa2X^juN&+5|IM=
zP$Gp}9(r}=^1vazBF@6PBKN|WYrb3d4JoqoEfc9h0vkK6u}Fz!aatCxXN!6@P{>+=
zL!<!5rI4lxk1nA2%#ALMtQGuqlq)eyHOYF*5M*uUbpL2-;-4lyCIPwjiX5NFAz<U?
zJH}|N;$HZb@n#upbDW3f$pxV}i-%FkCapXnwE_4!Mc6X%DfgXVHwDSHz{1=?8dInd
zjG%HH00My}dd<VUlw(6iW-I$-Z^c;xtY>Y)+@C~n3<2gR7Xu`VILJ^GU0|{+v-FBw
z=S$Fbl<7JbX6Z}il+k-XJwO@QhAl%i6#6Md+GJWvLn@;&KZGJsJwl@es}f?ng50G8
z44>436dG$MQa`kI!-z2w;E#IvB04d7BZ~k_WKpAlFpXUbmcgHzDJJb=r4*8^tbxzG
zY*E?m_gZa|Aouztd?p(4=4Er2BBHewb)-=g{jK(ESDc2!_Tx%>;TN~vRM8u=@X;FQ
zXEh`6?kY9frXnclVNk0vk^KzxK)kWYw0rdSaVg63;P)<aNkJB#LdMVTqS>;^D<d6E
z3mWhuIxAMQ)C%-uXQ!ai(1d=q`O4hj5rmHA9Ias%Mic2$8U`d$oRrup0L0#6idfSY
zZ04;Z%~0$hG?vl}rZY=z2t>ycTg@0eOuOc8U5UDb@ho=0`q+j0X(@UXEn|m38TssF
zbsNd#{9vzL&sRI9`G}0<ii-Iczp`Wos;3ITyag3VFLlYSSl*a243?Be($tj<Ax^-l
zebAUg-SlI8FxXZ<vC4)hhZ95wGrPbFkiu`=2<k4-*x(jPHn>(l>4wNMvP@W#{K$Ee
zx=OARIP&AHH|G_lA@ge{Jh?}Os&=G6<dBsEHMD(epyydi(H0|8)DJgxfGZ!Ou#ED3
z%~9ptv;papQd}C5!!2cox6QO=^U-ps_Yzyo`};Z-4eL0AK|DWq6!O<;`*mMI_k53l
zOis(H5EVS-E~*|`Kd78>Ete;oMA^r^yx77DD;LbV=$@a@Q#MVas9eE*23}LD;Syi2
zXMFvnMakqgB1jsz*AM|XM+Ecc%j%%%Ey|;2se!51xCI#;?L6E79g^v2Bhz#GsGo);
zs_ZAA9{ycC!+6Do{ylcwq7B@Wn6#Opn6ETm3f7-RWR@6(&cmI3MXu-hvgAl^?n&b0
zPACRj&=9)^HU}OQEJoWsmN;S-+~ndO?Hu?+v7l|o6dlN{2QRNM1MKAW0ZC87C%^Z&
z!xAEgY*4&@Vh_p`j?hwI5L|~uE;8!8>XC1ac4c+#)C6ww1;2@2`Y(@kIg*GHTR5Ph
z084rmE?bMSkika6`A(cq7k!E&l=QFt!}RDe=5)h^InWD_2Zih<g@Yk@t3y<0)KW%{
z$6awCHgw@g8-$XD@X+IYfKGt6kxXE_Mq5BARdz=!*$)IZz@EjhiObYCBag%a30dc8
ztk!)q)*t%mfwLGA+l80hq$=3ueui+&c4wMX-q+8p2ShtV?(8075>#9ac!EdlQ~V@w
z$KcLW6L~UJ-7EHRI52Ph%H-QI2%nvoV8jP#lO?giSrjt)8az14-qXAwVv^ttv{CJ`
zyjO)~m`k3Niq&!k`U*F#qtzg@s$$WVw+@;cq)AuAP+Nx&T>4BOxxC2~v;^gj?AhlM
zt+!vz=bHNqxfGY88XkreuCPQ3@E|5=6w0AQTwD8g3|bbGMZ;bpC`6H{M$%S&kZ!|G
z1(K8!X|54slZj2%bHbQryXCJ^2vwB$6K<tBXn{OpKt$dYYeBWbwPO(z*&d*sG&vFX
zU2+;ki+MEO*EvWmOSc_G0@O_QHCq@oQX&Uxto+O^N}ZMafXS=e#@0#HVhEVvgd|W6
zaTdBY!s>`Tv`7sIa>VDQcq%Lj)<=+m321cHg1c+4WDRT~Ab_YBpJ!H42RnQn6y&$h
z3`)`|t8`Pn*47}4iu7QNJ`jRWMBycn>jcys3quh+6|^mgb^;2Zda+aHO(t%WVjtSo
z+tP)X$LL|s7BEIi?Hs5MP^);SJWXEhIg8msgh1y2ggXfEx?4Zz5nQ|~H#j5aYEUlT
zd<-k7gyDsN+KC#4PwZV<)M8PDuRufP#<D<y<T_bm7Dxs14RRlg8kEw%201Sl%S^%>
zp=E<Zwb|%P8n8(4?(&{xqMwCjqS%~;X%(7OwjDuO0&|?+ORlR}_~e)FSiubNUu8jf
zhJWdLcaT1Yc=SnTBs<ySeH}?M>uyMeA&Z-a(S#Rnx4^+6*d3-8%2yQ@h!O?JcwC7h
ziokIw3O3%ksZxes*}LFWTw+c|ZQoianKuIxxY(Q-jj2$Gp`8U4ii|N|A{grsD+B5%
zqGQVe8pUM6EbEI?&S4K-5t|i#jfFc$RLLq$5Len34aO+5qnC)cn06h-i{x1a6v`&;
zl_6V{cTdKnaul^N#&i(Er8ME-)e#DCim0LS2D-snq8w%VG%WyABS|(O*2O9cpb1mk
zVVih1xw2xx!00EhbC^+@H2b&Cw_q}^W+R8+NQH^q#4yQGpI1te@)H~I<(d+;@~T|V
zp)|_gv697N-9ZXzR^e9Dkyf%;&;Wr!Qjt;`=i#xHLv<-z2RT^79xj@3mL{>s{K_b?
zD68l`)I-o}1K))&_kUJorLJjtpnDy3>XTDthbWa51T*lxeU&1~PquG01^Pulsl|;_
za7)2IT(>UjMyv6z0TD4)I*EAL6!`nup;5c22TfLLF+3h?u`(^tVr{D0%nQn_Cdq6-
z|7xT_jQ-6Pi^{wHoO7*cyCD8B8JR(1TQ*G+AU2ikL+#umDrZv?ILmPC@q<Gtrbbzw
zZUdGC<%lR@ovs^g%w|{6u-dR{l%qc>xmVsn!Dtg#axbbKE-FmT&DvpVEJJcL2S_Dz
z6ec8U(1Otf6%sKwa6QKz<#V)*%pTCh3btNW@nCA~$El9?O$9}F&I1CM;o*t7OD~kV
z3UL*n&?syfSTd{ZE)uq&g*+sp(RngBNZ3*ZJcSf7g(fT;UbG4aW@2>37w4Fx(?oVw
zXK)R|)Ckzo=VCxgJ!eT+$D}?}4`T$v*wkgKk$<{*(X7w(eowo3pgh+NIO=rNKo$t6
zlvZP9DT6jXTSxLJaiOTAk7G|}<ziYZ9*yE$8owcklCJ1mg~fwlEK#$R9`}=5B^lz{
z%2JI%%N%8Fu+SFKuvKTzWb&{=H)n~Y;$~>g%C^T*15%_{HDP)0>tyB?jwsAy+=`}W
z#rS7+QX?BS0S>9muP9$+hM<{gC^dxYXriy^(#Xm)&?ea;5GatdhN?<_jZ2`9ITN#m
zBFu5v<uHC0y0DBglr0=>Mv?uv<0xcUML(hiLEOuh9_ApyG!{h35|2v<nuEj|j~yg(
z?J{s2WvfvUF{&r#e)Z|Q=iJ^WsJ#^5?tA3S;!eFPcg@FG<17gdSt9fZhRX>o_qX!r
z*fi*^;5fmPD3r6$D<MxYOSoW-Cr2VDFy*d2r&yDP10ZslF)amzMWBP6I)TZt9b^hP
zde5v~=JSq{+YwIPY`<lfH?joD^=|)#7`DfgV;}pkg3Nm7%wdn;#Yz}-Rj&N=qWN4o
z+#A?aA-vn?Nx)Rrwl>)!rQGj5?2ES1`-EYX`VGt;MvOOimFBL6gAQx-8C;C*;8BFN
zRL<T)x}?R9dRWrj8XJ=Yn)3Xba8-dGI08ciMB&yyVu~;s7H~bZ!S7Ap@?#^<seg*q
zMX+NVZq=)Dd;|ej2++b5lp?v$vifk<;#7w?ZsKDcb>zV^M=nlWhyT4aLz&^fiP@NE
zX0`z>BUT}Nk$fXkkl4CJQ->Sn*2U9dnUUQ%Oz8+<m0;C<?BaO_VfnuAu*sO(n@#S}
zJNEe?v${kLC}bfvosmOSMpW++J7#fa%Ga42H5d;T8!RSbOJ92J<yMg4a6@3nGnq?Q
z_H}cbwsk6G>?dE<NeTH%+3`jA-Gk)m)iJycHUil$P5u3l-FlaKbLp-8JksWT5(y>4
z(i^m~Lk3)vpXh$aXU}!sT@ESZg2llbB+U1hIKZ$w!V2xYxx&3ziBoX4Fhmb?;%+fK
zZP2Xe#bhY@(*Y{ubbvvyX<=n-kTaK{S(03Lg*T4i#swX&BTT+s15I`@kKX2hJFGLG
z2qe-&l)Et-T#eDD#G+%&1myQ&0*d0cgWw>9>vDIDW>Kpc6tR;#AFe#F*`#~BAGh0K
zi^DV1-68<{NZev_n>>e>uzW=AvJNu)u*W{-OfzirlX}Yi_2S?@?-SUo1ZLfGP&)kz
z48|S=A#|2XKZ*x4<7%ABWDw4jBeNM&0MpG&ZpWvt?0n+4<XD7j<D;k?Of)~PUXd*T
zEYe8Z<rrV*;IY}(0)Qu%C_S!wel)YJ9f2hN+wevsnmt9o)CRz8?=hsM5NL}RB#zt`
ze7U%O@%x%D_b`53oyCNW=aV3!J)4M$?cD73S}eOu(Q~B`XsM`k2;^&yZ>uV&6BzdX
zP9%Qxa2vga%-CK@2FYD|u6!YED08$J=)znh%4v>M-rS28^cK9ayVN?Af=%!T!ACmz
z&TBgEO8qjeTaoK+k~uD8j|0GAi{6{q?w1?=$rIxQn=(j9FaFyL^DfPD23NTiit!9o
z4g<;VTI{&jm0$ubPiE5uX$h_CjKfj)N}`Eey*L0EC*6~jtaak@T^4JbRlLU%On_(O
z;4Tim1B%U}P#Q}s8{KOx$si<2>Xb(-g@h5Ew2)PvP;Q5t6N`m}4@>sIguxzPV|LgM
zXcCh^FA&_!O)B$zpgNh2hN?wULguwAb3HFcow8g@288y@fDm{}>yJ|y+>3q2Qy@O8
z!vXQTGSFa?R}Kn^T!(Zg&1}mrmII4{ZefHh4zX(|8y+w6ERG}OZ@5x6azeH6f`LN^
z05}&x4~)H-P7)w25EL@xvA-~pi73I!%4s1}S>g5EV`b0w96U0%4PCM_KLSpYXii6B
zBE^(oSm%lwK@zim9pk|b;8IHHp5;M5vKv_*mOjW}u-ySOI}lc}+yhR-zaOMu2{?kr
z%2Fr{qLO{1g^_SJ7?yf?teDbMSQ?mLh&E2>!f_|bcV{}VCz0=P4@_=W8wA>iB-^Nj
zWE4p^36@upF!H3#rDeD1&ZLeO;+fRJ|AO<y9T$c=IAzu`kP>w^xFSa#oNFpAQAglL
z9Sn9+N6;?WM+qj3n~VZrmWVXw&Df-&&&#GaWksEteXjV!=Bs2++aXWfwYX1Kag&Ep
z2fab@dX8$@I-%p3I>-D(y-|k_RDs%1NA4P6O4Qkat!dO*MP61+oz0fqiT#MTbB_sn
z#<rjR2Isf}9^y#?9vEr7;A|BNffbb&k6vgin$3g(>7*sJ@&c+60?|3ni=m#vQZ=F#
z^Dz1s2~?oEl7G%vJ!)w7-=WY!U7j=_yO7?XknBgsTA~mGQjw$33Rha9keQn%$AB4V
z^I7RA)Ch&Jnh<BeV26o94dk=P5}uzWAi>^{o7rLFs$X3fBwDk%&iFe~AvI|Nh#O+6
zsDh49HNk8~E!mhN4lZ0G85w#I0F@xoa%Y2<NTl>2BM}{Q)Y2AEqve4fEaZU_eX|9G
zRf(lrpb)DG+o*Q|oyGkn%ONedfLJ~F0-SMo9`{KoxPm+70k}{6b;>nMkg6%A=&rRq
zO_Iz}>`Vf=ngtn6HsS%>C6Q4!Z<BR8(W%{3Q5@NgyX8*7%2$xbVTT3XI4G;M*$<SE
zpeU;BOH6xA!B)`)fNo~E5*BUXf|M)-x3Ewe0kd&pZf2*$cU^oN#sfx4FS3I%647jB
zQ7VO$Y!vl|@4>eEm?X5x%8_}}Lf<5rnr$jL>apF#W~fbwEyvl90Lz4A+s_=Au?prI
zuqI<u5`)mNNVAqPS5T|=n>1q$WtIOURSGn)cuYGZ?^iOBmgckQu=0s<Xu(0ABRa6y
zh@Hu_ST(A}?4-2YJ8k@?ty!}Ig56>x64!?VYC*Q4iX65^+3uC*BLx-}ha_jz^dm5N
zSLLSQ!!XUv^fA4Ko{AD`OTbjK2H1Q|XFd#n>L4D?L6}{}q_kk2Iur73jFt2EfB#2S
zNPe9LPP{uYcfB%D5G{K;Dj_1oJ+%d^si32gmEuaJph>e5=uQ*Yn3m3`n&s482E$IZ
zX$LaJU?nn<ZnH#SNnCKSy%`u$R<<NU8R^EMS7#ZLp+aUOr<2{h6QYdHz!Cl?3e3?u
zSqW%omd<51y<B(@h};p`oDhi9yIh1JWu6G7Q?iv>!TQ<T59I(IS#6jOCShm9!VcuU
zEE&u`r#MrkOt_aew(rW^MHgy|FuxYgdflPq=pve}HtMX&<{lY#*DX&^J&j6h&ZH8+
zXHbbD%blaVEoJnR*PTrqViLW;FBW|s!o0>4nf;hPCBmTSs?-sNZulWbu`MTzDlW_t
z{~k2z>~Kv04s~MK5_N!Omx4O4v%<1iSZU7pzL!l(Bar;zKr)t&60o36Oc*T|qs$3B
zs;3dghzr+Q#+FXoN$D-nMqXk(Jh+{3Tpe~AGiotU#f9UHCW@dIX<#gpm|D`9v3<!B
zaWzWX@-_nc&<DGJz1Grc^kJQ?m!84hSGE^eUWzRkEhMPT#apuKInAdvNIt|1XHQ)@
zlY<6YhGfjirfino$<j|8$mTBkyt6{sT9BaFG*Nq-=5&L`C7#Hjp<7%rX3&T%bLfaz
znrp(DG%+k>aYu>Gq|rJiaDn>@!-gx&(g@pAL9$us=lp{lWQ<Asj-=Z@QclH|PNqrt
zuwL2;v{;rAh;l0`<?CnwLzC|kF_z(!=GS2vi6AnGNR6Y-zG~C<8`u;d!#+X_q!HQD
zXfN8p7uH6Lk`Z;gPE&g_(2w3@=SzZx%T&7{wwAK^B-8+)mOJ;MjIEXzyLVjih!R#s
ziZz_tm3Nd&?BrBIbf`&w;}(z=!#pIQ$6zh+8Y*1^97^_a<d%9fKNu&UA{ti48Z>wu
z=b9FtH3W2go)T1+8PFO}wgRC#9D5}Da)x-Lm*n{*=N$lNL4e^xW+Nl8L{c1e5JQ=b
zO{L8Qbn_C|r8>mx1~<x7ENm*;*@a1vtUKzET(AdoX0zltvNG(M6W*aFTt{|@ME=Wp
zzVZZ7sg(OE(@_pTXFbMCfV0+)9f;%X>%kKF0s_Wi9!hAbYj4KeBEO0R;4&=)(SU^@
z{2yzpLw95#8#uCwEy>YU$?ObSa(OUJSWKZO*1>B$Wl7E~iKn75BJpII*Rn_A6gniP
z>^cacOCeNQR!b48j4{fdw16W}7%h;LLzNgSq6c~Tcw9I}iyAr?=T}zjEY4!@&??xi
z#9jp%wXwH|80{B<S(1-yC75rO<wag*3rsGZ@Vp`!PF|IJ;FAd8CeGf9K03QSAF9MI
zVj<RTA*jcD;g@~3j-*`CDN=|`UP(YD9cSf?+Jzddg@!nc0eT>Oa1$EzF1z}Rlwg;(
zoWv{FGVsNgJ0?9v1~2=mlTZW&5+{u_AjKY?{O2qP37JZqds(UHxpHJC5kX>}<oLor
zY)um0asUe@V@&N>4fO%&MbyeX)~nfnRqU3CZc-HUy=~jlY5>o1P=J_~Z>u8~kN8>e
zKjM7kLL4MV4ah>=gQF5P$RsUMV;9YpsIjeL(Fac+ty6H2Ja`yT)jAnCZsC2RueR_k
z%x96|zBZ7p0I*V+RZ2n&D!WpIY(dX*!5KVYWJn?vM3uu*+iA=Exm_(+9G|&<6Y_w-
zgR<$>T0T0R07vnbwXv@U;pYJuD#9`{fUa0CMo2k{b+waPuoHqzjYG-g(Iq1;l45yu
zlC_~M6vA4FHe!>B12(rYGCUYQw0c=Eh!qz}A%;a{OQV1k^8FK+TJP!tUM9=L!dxqf
zXaNN^6wv~Z6fJ}XM*ujNMNmtIh<OLK!P=rgeDJ~%f~~f<Ee$-lMPjHG+mG=@wiq5T
z61OgTcj|YRTb5kFe$CcRWU#3huKJJ0`mc+{Fu0;;9_fZuJYai-t*J4X9fcqYO`@X{
zwQylvGaAVI#Btt8RB&Rh948B=H4R`tvSbvNaA7SQI%@|jqE+lkU@O*r9ZY~rM)WX=
zu8c;iqXdJ%rG$66n31{S4u(}AD~XEnYKZgUds!Gufeu(V#=q#J@Rh5gMWAwrcA8+x
zQz+T!ClSK-z@1^~)$&!s(8J{t94qsBgj^j1<f0nlAw-5MS=v+H`Xp^a*9x-<?q$Is
zyRnZSP8i^aUmfCy6NhHQ3B&zx+K6m8acnmHs>fZ_H=TA7_1Jdb2b%T1clsBmtFrSq
zKhdS04^0o~w&8)x_&eky+wLCjg%kSBANjT3AMj#C-~QL$#*3lzGd&i!@nY=nesuKf
zycj<Jsfowx!sq*NV>mxOeJ^0ve}8ikAbq~MJ9)bryXWwoqbM6N|8qwsKFy2a)4tsM
zOV-#Uw{`iY8vEmxY8>|yM)2$nT+?`+YcKxJDPP3-;VSOYw(kzqjnxxZrIV@4C-OMO
z{t@pMqD^?&HYAo{YmV{4kBlF--{Xrp5B~z#?5urN$x1!}kb9Y5)yKy?bV2D}Zt}6J
zTgFD8ds^3bFB?ngwEV2C4^5`Y>elX8=7NhRg-h<a)vKM%<oc2>Ut86mOueeUtzPas
z-M#AFt=_Oh<Ysuo)>Q9otv=TMo<aQO!uI;=#pI|x(5u5pqRpdv-?N|l`%47TCwa$m
zQT&ANiM(z%clT@0?VOtR3S;DRI&Y+&8{gsmB^_%LRj-5%spqfha_ZLbn#8G=MYQ8{
zU-zW!EgYS~I5^e)p1VAK1wygn@%q*bzNjuN4E>Xv%oumJ`olJilM829RNdIhyzcoJ
ze>1OyYpd(KXKQ<o7+D{LJwJEPffz3!rE(Z2W=}@vKgEa82r(WXllswXx--9#e`Z&_
zzr6F5&+@gFstp<@KRZ_Fvq3B9+zqvY-cPkW&#=M-pA@{N%LxX5B7dCPysL2I)N28r
z(8uW8^XKHNb!Lh@Bm4B{NBCS`cWyR75TcvpKjtM@a-ZJ@@B~Sg*Ho7CcK?8ypuF4I
z8osKAH>Q4npRqMn<q18T6KMdix&zsnpDH2j8TF}a<iiEL?BZZlE?3aP5#o|YxajqT
zQ`N_?dT$sXn``~7m%9A*=x#23U)bIH-c1HtbQ8b5+HrkoaR4}oAN$mdCnLb#cCQ)V
zQI9p_Nygywh6dL;e&lVJ_z}3SdaN1WjXy&i94usyz$N2H;L7w^Grk9ZhB~;O@gs1(
z;z!_m>#=5hia*00T%Y(6xW4ftaA)bUW_&;XjBs##^2r{7>mNS?ca9!w#zT;CV;vk{
zYqUq;2F8!T4bo%H_>b0BODOOGwV}N5T#do;BQ-u2KT_jdJ=Tmr&wcO5eI2ay{RG%y
zJ>P*EqQ+kFR&*{0{T;j&e8fNxRa0Z(RaqWOugdaReDRg4SbiZ{odByWFG#S;@>qoN
zIYE<Qa!8^MStem~_(-`1A5GWA{)BcyzK14K&v;qGxX#vZEa&LO2|D_9l8%wYqK>wm
ztW&>E*wL?(c9Ql?!sK1c!|lEoVP9^0@9MhD#4mP0ou09Gco#-;`N~uJwsdOdH-v|M
z+T5w#r+|wAdPvP|<liDbhB|4^Ae=a7fJJ<G1$>N%C3<D~Bq!1tU=bhJhJPy8gzZ~f
zEd%23Nag-oKAe|`!|*_K!!gj3d%@n21-P(7=lH{<(KT+wQ`Q2;_4dMV_vk!6As}BY
zOZvcqe`2(Uy+3LpZ337tzM=bUuevkJFF)1xBA>?S0KzqU_ub@pKPcjTNCEG|3wR$|
z#QWF+-bWPiKB<6rPnf$_`%Hc?(l@%F-cIkxeHX;_{UTE>48Yz`zPds=M8_2<(Fdc4
zRv#Oi`q6cUrf2PgGxINt|2J!$7gpP=@N#B+c_028z<)#dZz%t<$6h|dn}2=$KY$xF
z>9BgU`_t(DMDEW)_ovnU>7Wk7>hAn`=t8~$U;LtU>bbMK4S%eYx{V*L(dxyCijj+_
z?SOYypbk=b#W=TuZiqQ%T)cqB#p`EWVfl=USI@Y@;u#mOopFVwGtLYD=v0913&+xS
zG@%tbSL<VMOJjPCi<il`c$JJRERu2Y8liQ!M8?G{1R1nqoLe8isgy9^8R<)DUe2&w
zeKO${5j}q3;v%M-L8>7e-42oO5MEKecrefZKO#L}!*-^fD}NmyGitwn`TioY8T)9w
z?P7cl<99+1pL0&l`fp)gtD&jl#Ua8}ucLee&#6qOk%ezM6*1&c7nU&OaJZs~I$_FT
zEyfr~64fiiCr=~GJU;%!hbi$>Xwm%_zmx~f<HL?#LkdbtyKj6HMmt!ey%D&WUCtbB
zky{)aX|zsREb>##Eh}PvV#rS9jPvpV3o+I|Y9F>CpRS{#6y3N$TI#}BBaJ(m$ddZ%
z&;{yfp)^tHn@-wI9L}?2+!Y0N70o#JycR}ieHg3ef5qpSM8^dpLS3w*#u%SCU_q>-
z#$0>fP+E-{cB1sv80$`NZJC392H`8hSJ|~TREDqEhC(h|yn$&Wc>x}-BuiX0XpYXM
z_jrd{+HQyW*NW>4-;bGm^#YiugMIy`PC}8~&KY}Wck9sMrH}FpSyrR+6*J2pF_Q3c
z$F%8}x4e77bPB?29;pc*`D+b@xl7MVjbGta*C#R!+|xbdsDw!BxrQn07v41DmJTn?
z;~)E`d!1S?=*hRN^un@S&kojFYW#AqdP#Q<U5wn6dT#NQ9m~5M`}p}CZdu;tD_zfz
zMgL1})GmHsC~UoOruFVUURyb{rjnMzCDjLSsXx}OBKi9G)N`*)$aPLuhN~(wEA3qa
z?-ujb^8bgrcaM*<xE{DS5Fps-21OecHQKZdUK8<>2-YlSaf69Q0l``;7He&*E$S|y
z6^PwLv#zVuYD=qD+WKp)wLfWVDWZlAND{mez)RE$@&2sKCEg$)lJ|Sg%(ItV)V}Y}
zKVCnQeV)0TIdkUBIcLtCnFsD&RaF)zZRC1N#YT_xMV=~a_mNOFa)Wo-hO&;Po8s5a
z@&p!FHZ6_M;33RM8E@Pxy$Ur|Meiw&)9I?{oy8CFTehPrdTa6Hn$l4Gh@|u;&JqHc
z@AO0)8iYm@WBCPvS?lqQ{BXmK_4V~FpB%wfY*EfrG&}Z{$i|j8^Tuu*`|`xtm^_LF
zX4Tx;6qvOUpPMcIDaBvU(<-k>mG>eqw7i`+_Jy%Yiuqz=hE{PHXV%m^n<B5ZNZB_E
zBxrutMq7W7ig1wB(V`u0Qx>yTS(tSO76)cQXAI^-&I`%@u~@-xfRa<lPB($YqP}o8
zbdi)Slv|uT)mMN|^-Yqt780J%$~4@D34L3<4zfmm1<L%~6t9$@-^Jk*Xq^|hu~#{$
z;Q?WnW%tQoc$=S&9eZfYt|KB(d6zvMe&bMW{`CS*{Lmt!CI@zAJ;g;}v-Gj$4bTK3
z(7GvpHE=;w&=pkO<R1>4d}+Vro8lLO!Lpl$88DU_OOVlJukuNw4P|Q+d~J-0E;fZs
z9{D!5)#swbqr)C~<4CE~@DP2uad%vL)bNr%n?Am!&-MIW?m-F$M_B#VHew&re2>cC
zK<wOtmffr=&dn=x<r!bCYtE^Xzbrhu^6*C#5a~@qZnOEVY92~rAuoYQ?k=Hw#qNb`
zec@gC-i8yH@I3A3Z8!{0<!PVbT;{*gtOkEV9Z+qYsnPGgI?p0r2uB#xHf;0jM+)Yw
zN+c5pLZ0nb<5(!sHX>iqmcNNAB~1g52$B)|@z?jL{7vwAJGURrA|iatMMfC=D0&_X
zfE?w6ag+FlT1%04*<SCml{zKMdc4bayDu&8GR7>NIWe`ppwhdnH=U7}$|%gvU|LWk
zCos<E1R}mXe!KZ46{heNR#$X;8?OgBzDK`J6|qP0Te%qYteqOYusjeQW$?Q|@S_1f
zhF5R!>+mky=v{V)zPLOnXG{uU(R4cK(VnCiW~CcE1UrPIVkc-7@ZO0$^)A~YNLnxq
zHQ$VeSI3=)Z>cL!PZz|6&+$XiTwLUx#fwLS9}J<K!d>**<04Cl5=)3uy@K9X9;n#q
zZ5(9?@iq$N@<oOYOETzi9xJfSaVqsL+XPZ!L5h%g9#^^TDkEx?yx=B?W#oW)ocMWi
z3j5>~kYff5QKIDNvgDA#E3`NlnXZ&5&fhmUmw|Kk`rn;<m%+O??lyBTpwIPiWN^67
zzSVZtO`R5qomGIc{X`Z@OcvZod7@Xp!9qhMz+UP^xdDOrDZWjAQE6=S6Qp<$J~gq?
z>#L*tSBKv#;@g>gOY{5^ehc|6<+q66a(+vqhgQYT?)5jW_1?w@w{g33;$^d7OhjLF
zG^BhE`u$$VSI>qrpliL${vrvJqxo;E;2f8~RV1f(88T29>2H#o!B3Jea&}z)3o2S8
z`KKz|hW8eQev3dTst!9vzHlNZbW3c?Ui2@L8IQ>8!{lDju}?`aB7AN4{JiSOlstZM
z4r+&R5KbwSr457;%TCv=W_~AHbk<bKd{+_hclTYsM%XScHXJe0bMvByL?`A}0Xuqr
zeqh|e3?+1|E~*)K9^8IjVdD-w=-$Q?Sfy1(zZr;LSL9p2#~0p{<Gt-PkzITUl&F-a
ztGQ@2yoM;gw{fUHtMY>nm_a;sC2vDK<v%N=Vt;{I%Eeh*fu8@dP|e3X?6y_kRU3(q
zN2J9LO%i#utUC}r>0_Z`^|))9v%6Hr{3kH(q)(0JLh?9xX|~IBqh_z>0Gv=zQdRV5
z62NG0cOW|9Qv>a1;4$Gf0YaSb<Z%;pAaOQ|B8!fGK?-@7ZLS^%oyU!~<?xnoMTaFN
zX^nJ2(DyETRjVtyEn1kzKy=I+ZHUc=aTgVNm*KVE5Ew_ID%>7H8<aH#Kzat-frCs6
z0O$;t8|E4y<IXIR(OC9cU|g=^LX1TLM+j*jnYLM|I(b~~3xX2&ybD$oD69^z#-X!K
zW;=m!38kzS13bKqnYZ>F+tu1}Q@U$xKbdpqj2oRn4<V~92R(Y|q7q+-Q5_x6s}85M
zs`aGz<3>L#3|~|6nzwNalAt>LWDeWw!`X^r7@lK@g+Inkcvfg6X9|TUbS&5i!O!RN
zfRbilwwR!7;a#?~dfatr5nh$DFEX5I5TpVEj!bhFNni#R99|n^VSH3O?!tnaal9%H
zgewbEZL>_ZLvs`rI2%%KLq8f8sb;1KvRVSLprajwB!W!_tH35=pUL=XIV|6QsA<bq
z$GEGD7)9^0yCuQ93@`B=nkB}aL?mXaFG?8Ok_f`x8S2ZVqmEw$A9(-GJcd}o@Yz>0
zLG-P5+<7IG=oM2;K7)sSme!3HIO(QQ7*chn1x`A2Q|(F$eMeczy|2Pt^c8Zwn(D+#
z(}Opm<GUzTimevzh9aT~sZQbQalUd}0ffPw6AVDu4CYZOLNp7isU3sCyNsECy8-z+
z1yRoL`<m+Vd`-AO6Z}->`<v==eNBA4T(*)Kp_W8}uW9yBlGyY?s7k58F!M-GfY>TY
zE#z^8N?k25QXk(VweBlQn*<$rPpa-i(!QD`cI<nAsPvY_k-klJ`}w}(yV&<#Yj;LZ
z2t=<gTK_4I4DW5@kd;-ji#1AwttY-z%*GMZ;OWZ=GKL4(946){!GWIQ*W#GNa4*wR
zCUniX;%DPn!ZKfEZt1(&(FScwY08B{Nsdi@grIy@>}>C{b%AknF~~O|_?{J*)G!hN
zX$;#6jB(Q$hP7INCTeu|J(U7T8s)@0qFW2I7$28!(fe?+C^agH+>vk%W{L<7+7W@k
z7z?r_t&u`Ckq#{nNJ<v6wWcDDOw$PWm5o`Wjj+Kn?vf(!vL{s}D%PxS95fyrXrv<W
zWC{VtO#w)yD<>7xvohtRq9k_TCQ#ZSG)3iBssscSpM(%hMNpC}B{T<+u%B{<3P-@!
zjGNxA<Tl+TRA1$sOM{P7R7GMy*&d;TOB2vTn;{M;EzJd@r)p)IA^BM$Lv_U`-p1|X
zBe05;yN_hhMUcq|f`ND0Gu#`f<4vb554#+oWKo3O6oA4Lh&PuZ5N~;iD3=>lHzyzr
zG6yaq9T;gQ&=g=8CO}3j2G1d9=^n430JTi{6ibODbUQ6jS!+sJMXp7;gt<nBrb_RH
zDLde+7c8H+<I1{Lm`96rfCAF+AI7XAdioP<dW*=^wXd9e7cod@GOT+94(TG<WNd96
z%8PgeBvb4b3zET9IeDGPvuX@QR~!=Ji0oPKW}1r{1R5Dw#i<Mi7)5HA8`}#-D3a7m
zslw_qR?5%7tKMZ1X-@qIa)I>gGUK6zO}9$}k%oLrg#bO#*lQ_GHz+OV4TN%OD0BnJ
z>(U9RiFW$swnDvj5tpV-5toT)aObOami8y_SmpIL4#5C#+~J$fZCbty*jpDD=d<#`
z>W`)oa5E)zRpW*Q--&&@w<Vb?pIJvt=hoyrZSA~W9K`2B<jD39ecqq$=iH6U3x{>;
z`{&+eQ-^tcrK4F;$62QI6oj@^huaFO!>t816`%OLqiQ{&6&IDoF<?b}`Yu^bW7`L4
z%&cD(G<Gc=9X;H4qQGv-fbGb|n0#GWe6ZWycAOF5R2@C5yE;0(hel;DwK_5_FZ7SB
zc9(bK>g~HfCHvAs7A$56Bj4}dgF~U9aYvLmHCc5Kn-U0K+PEQjX;o};FGsfUza@`N
z^<OrdS98rlclb@OcUgh&#L*}Cnx-CygJn%lQ$ck_A~?43)ez^#I8gV2ey5uqT6S!U
zo%27!e;ds&PChQ{k;V-nw%6ENi4@`=C{Uf_5=`<l8Xqg~LZ1^d8;`6%5d~J0+494*
z%=w6ZEq8usTV8SbqQ>3@b7N=qmT_6ZOI+u>Mm81BiH$zo9p6B7grCd`IPVTNQ`@EB
zh??l|nu<6HHDmE+;7KBh>kh(gdDRskgt$EFl|bX#(8%NwmoHN9XCOL6+>WxRJNCIi
z<eDDfUGw&btBE%V_j)xnKvyi@+r$qOV<00>v+8I`7NHo}dD_$B<oY5{^2GMMTA6&=
zk2p?_x_!gl_l_R#mz%D(7D;$I$N#+#e;DvSyt;;e8u|535r^CeSScch;KuDmH95Tm
zjMt3Xj$fyUjdG&-=_7}0+eza?+SNk|cpFj^os&m$oRb55>6&OV;1f^xzCZ!?(*{0q
zUvC!?K4jq&j^hBIL-1>AMp5Z?;P2pQJyD6kYL!z6qq?<;>sj<&50lL)Fpb1Nzmaw6
zMr<c&gwVErjl@aTMkb<PCt`feDf}{f!gBTcLK-RhGJ66;Oe~_2k}tC-m>1WV&`9Z*
z*^^RwQc5G`UuI9r=}9?_RDPK~siY^BG!pnSdlH~00UD|MGJ8@-PYBkUGvmwb$qafj
zgGOe4nLU|FPiE4{6<=mguAnDZ(8%mBvnR9Z$!r>#XL}L|Z>#@&Avw4tMhv6Sj3jPR
zNi6TxL$8+xTJR^<bCfSo!MU63d%TVR!~QP5_Z~tb3EOWc{I%uX+_9fTHivshcyBwC
z9jBTor^wd&MD{0&sw5)#J%p5o1A8CtL`}S2Ex!_%DR)j3p|?Z@VajhsMWA)wtQo~I
znpgZ>IMMP(5eNLigX?-bIQ(BbN|FOZhXf+TAx+AY9FEMeorHcN7?zMxfQznsSsEdh
zpSWVv$eTr^pd_~x5#&$kArbvGqi|r8p7W{!BhHFZoitE0^!&V<2>+rNh#I2t&QwQ;
z7JXsxHl!n2ZPbo>Bi#mYWc_bDF%e%D|Dux$zr1b`!h1eC=mOC}UsgA;BPJHn4N*Z~
z(rA>>4HVD?qJX}vZr~=LSV}j_-EPP#AEqK4Gs%Fz%+PjX++gechaX%qoifl;hUEdA
z+r=%F)uZ6BH;cINhmpR6za6A-i{j9U<-CTs!&MW@F{peT1m{GzAJ6p8m#bMPOpHyy
zjOoIgj4`yTvDbUsJ=mR97^32A#<iCKla|S`D_a54CiX7VOe{^mY+$^H4fZ5X2k?45
zZR5QoGfR%9V55-(Ut$a9aNw+~c9iU1f^(d{#=(b`SG;yqhtB(<q%rMR=keWco%Uz;
zgzgB;BD8`~#i_gVtbK{yJ9LPcz|2H3WgFM(R(t4OH|Bzc4ZB%yvwz1fWqSP;h)K9q
zBT)kK2?KWfx@1}5NIX?s^4O1%FZGeuLoC2@F~23RJy<Clf1tn`L{lvu;hq!PM##Qk
z+gZ8%B@XB;jRTsye`J+}t#TDv^fcNFz4##``4szRdC9FA@hwwW-P8#_v^`UhDiNe$
zhMMAXL8Ve!FOXd9S>l&LD$hl#FgT0Fxw}92GwD|Fu;`h&WjkV{*C;ZxHaI_CLOfRV
zXL-)|e!sU@7Bp=`72Pu}x+ZLiZp<CSGF&32L7O%SmpmlEg5^&vf9ft;Er+r}V<L+N
z@JYVmu19>t=Wvk~+Z$EUALRNfKDuFFcLa2Q1O#IfJ{DvmAM0|9p>%fMx3?G0&=Hf6
z;%953*XGp{1AC0G<t@$u;HTbRJL@f$|4u&W^Z5}T%XT>TQBV8wD^epr&aH|3I4`|2
z)AsCEOL$A3?29$rOT*DgxnU=#F}`42AbJjA1|2oATodvdp0M5%I&5-mYEDmbl%-?%
zJ;Hpi&+~+aQ7P0Nn~@XcNcBgo%Ojg2Bb<CT+8X1&$eK`T)KBQ?{Jbn`fBL(<y|LWa
zl=$RT!!y#N;}^`sPv%vb;5*;NAX~4cNMx~d5gEE7@4Fsmy%&g1M-}Xc{9*EO_uh2I
zV0a*MK^|o#K1N&ykq?!)&Q<I?33^Y4$_7I3yP(GfrO|15Ej>q+tsc8N+@2Gdh2A<u
z!-%`=wpPY`iJp}U<xUGk=jK6=K<tKAC?1IJSGFPP6*<7}8S;amz2Lq9?;qD+yIsPu
z@fYYav|?}Q`LZ~x%JlpLUaYQH{2Kx?Fl$vHHo@>}G@nnbSADC8sT@2gIVMFP2Tlyg
z1P|qf-^&SYqw(cuK)PhUw(sPGdwPSzX}smy4_e+B9;+(gV^D0h3G8ToOL9Zj{C9rF
z0EXiuT6%_psI2pagXOA?sna4au=V+&_qM+Sz5ZJsZ{q_zD3c}+aQR)lD)l!E?e&C4
zRIGu{3%B{?nA&##*mr!fIr|Z{4RCLDcgx<PPM7YQ2J<r}1pAy6b|&dCh29Bo&8ez*
z`-V-mQ9t-@m8(^gh7Y~V#z$VXq1nKK%z<z+C;WPOVAhVn#&@enPUx;;ZQq%K?Js*P
zaW#GG<8PAr;ETK<Vc?$%8#6JSd9)szF+#;y%O^v96|c?5N&94;fn~;z{n%Mt)$p!!
z%sqR1eX&q4xXs$ZR||;fKMsoG5{AEB1bYmE+j0Vn1;uD?TVSKpG%2UzmC%a<*`1`T
z7eVc*u}NpBW5*ZSfgc`>8h3cBTRCme(lb1=+IbnTte?9Cd`PQYloElK-rFBxC}_G)
z6XC>))!y6X978p73DP}HoX*ad1F@5ya`{HsDU!b`pk)_y$Ik2xECz2vo>x%~{uGgL
zT{qIF+7FD}s)~*C&!`mv>3g(N3d~yV8=FYQom59pigOnz5ojCVAQCOWmrUgIHly*k
z;AY#n-B+<{;j0;4b@wHFvDpiJ;rJPl(x+@O+*ylPu#wQ1;~1?J*}uD*q^6&cq&-TU
zt3z4oiCu7pQ0K+)J7=`)9?rZuw~8rL6^W1Spu%kpU|OThzM+;K__7Vv(fke7k^J?t
ztzFTv5GIMw$B~81p!YH_Q~fs)tlN>gX8;j$%sW*e`819%u-G^D1Dq9$s-qKH*r>qW
zyYam$&O(n|CEOPo-690!Ob|5u4^zA>p1e!pN2lj9OXneKbp|48&Fl_OXz_%;H#t^?
zsNGM-A<VoE&qL1EQa-%9H?%c+PA;4B-ljhZ^>OnAX0-%jxdh0SdxHBX&voUq)GPOd
zPN8ggS8r%rS-f$>btNCV`#=h0-n_m5)?2=)Sg#ZMhIJL|7oOR;Vcvv5bRjLV{ha$!
zpd$ChYrZx2So)njBE?5FFZJLEd=Vd6%iJRaAj`uwIMzBsZ_@GQj8kt$e5XRscz2y?
zY;sSVGSTW~acauP2cCxc1J%(A+__+YdRHA^?)-bP=sC`0aW4h|=RQPvg+Dja;ytGp
zX-rZfWyg4Ldk{)-4eVmPSx`!Sg;Jp;=EI&yzhme-=7uUD+I}gQRU?8~O^w0rd9+-@
z8(xEk;fN?3379#Ua)(zBJ)EEK6c;&fCWSRaQXZ@R1N_OTp_iR!NDfq7S&TbNsxW^z
zKXpz|bzAOmkn@CoEum5cft(wPOIfqAbxq)uSW<+Jyry;xCQ1q2<q{;3Hcv438{_ki
zwCIKMxR^NnWWbejzDp9XzNZ$Qv{bI@RS*h93z9GWU-6$D8>(S-2me*aa+%=Df0O?^
z{_6`M&3`w1r(%6{#KP}3#-sZ!$ZcFZ?~+Js%eEsb8+HVFTR0u2oNSpAq0<qlIO(Oi
zzo&7T>K@NE-w5FQ9t#Oy>Zy*_bikI+&HcGy%jc4>FN%&Z@_T2emE*9e*n5^y7qR0<
zd>+~#Lvpla1R|Fe7nZe-ZB<iXhgf%k2xosd7ggZ=FPZ}Sm&oKY?TbFq(_$jGC2F<d
zG@xK>5d;|=>C7hxnnNm6qCd{{akxYpK*!BHDG;3kJ=bv9$Q1{xJfXAE_xto1J0dL)
zPNqWmQ{+J`lp`$hTQ(C2Sl%xsD#dm}eq?AB-m79)N$IM{Hs^<0A+%0;D1c>2#Nw+i
z{<3ZuLv-YrRkC;(ItC@d>-aIPtn5UT%OX7I>54V;Ulep3Uj@ZgdBI=Q&e|GYGX$^l
z&?G0`kfW%>p@rT%R<W&6&9q@q0+GVUq`%&VnTUkgv|e8YYGvVzhOwV#cL9OjcnW#A
z!>c);n3u%gkHL{x2bEp?41GTm{m7+mgdq@szY$s&J|Pj2&b_KTt|Jcb$-)d%QsSp1
zX6#*OjO-;;B)tt`iq}?b337J#9WgoHR0ObF&x!twvGHp#V|aVcyg5Rmz%1@svWtfB
zgjP@J5ITNPPx342amk}_xR-IM#(X5KvTUn!E=RX%6#DLP#?f#VR(8JF^FD6t9f8Q3
ziOV2@w3>Wmku^-Xn{b10RP^xZ5OxR<0S7t1P+1Tf8o5|Un-EhOccIBT=Pvv}A}6>^
ziW|?^dvaE*NfiW&7%~(!{8}S7NV6@u-T8wS2tBg%RRAXcX64{u?JqdqwseeX>C|*f
z7n+t>|7uI7pU#_V?1kRT#1=kDw||srf33Ff)?I`hHPC!qHFlNGN7-#*K8|KSvi@@9
z+#ppm=Hq`?e?K97R(;V=tlxB2f2>v+7iPiS;VtDN0*bKsX}7hzw-;veHXH+o*H-ND
zHdOK8i(Zv0v-=d`h<>x1sxrG%>nc~@=ehIS7ri7Gn|9u*Y!gy_b+&Lg(p2By)x#-!
zAy4e!PeeWh4<pFrUFW*@g%^C0*5J`9wFG5+AY~hz`#_uSmSdHtHHejq*x~Ow%^%pR
zp*1moPUEXkJ6|z5R>jo3<FS9Hvx-x-$HBn-qq#-Cnnf};$kse(9Ty7(+Tz47qXV7L
zMijNj=Y4pDFOplFm@TP7Jtm;@eHTY>;|$Vk2;?hB{8L6#kd+c=rc0=dko3fFDIu$r
z^!h1tyo^;}GwU7HKZb;Yat_@t0%p5&z#{DS@E(|Fwe-r{a0?@*`^HYYZK^Hw-NskF
zw|U9Hf-ro{D%{&}D)BRCdYh|G_QYm)#AbBF=B<pZs;u8TvRTd|c+c7to4vNOzIT{+
z(x$L8J^bFK^}C15GIDXiJF&C6;y-i8`c{hicSmA}b0AnT5`n5nPu56KMBN+W@{k^L
zjswM13Py4i<0SbNiw0N7Ww7D7DiM5<w$T4T>2Oa@a3-r+W(JkvRkRut-K}Srx6~$A
z8j*GGcVspJ&&k#43Mg;m1q=x03@fo9bh>>vH1~6u;S7>5UliH&D8ER#?JavnXDUi;
zz`ru~15pmN>J7B0^~U@(Z7DiBZKa_@@jwZ8wgvA_Y|-JYr&FF-ZlnAFmjwdr1G_f(
z+csO;+qja#X1oevV+G-De2_%=pQdMha^1|tRKZd8QEc`~258uvxnbwh3B$ZM|BQmM
ztN$Xa#qeIQ_vRn-4)HmU@r1Nn!-BJ=C)X#(5=5@QK7qm8_)hi6lj2nsHwe4zq5}S;
zNj`6L&FP-l)g2u7g#+gPibtSoGjso#yxY#t*wt%EO*+2%`JUsvjm?Y{Iz~vBz*p0&
z$)SI`NvtVdyeI7q_v|+(Z+R|Q;VDQQO3e&^0n75T_>@QM$;FjKghaDmzi{IgIU0%X
z(G!pFI@4~)Vs4B-3ge=HpV8892O?cjCTcu4_KV)Vd-v{Kf8<j)zQG}s`k)h8Pr%2{
zRrSF2R;>@j0z(L0^;Wf1dR_{IJBJ3wI<eWkIBo*7h{4aFP`_)R&;em*NNer{7KR-p
zjSkFuG16MUYv15}t_1NtDifo2){~0@vFniq+pjs@+dQ$iDpuDK3v^V)W~?O0qki{D
z64v^>XRY<se=^MHo%EE<o^6*xSEkQenLcN>R9D339_52!_dY5l5#k&}(6Mwk(k^qy
z$S+o8$zO^-oYe{@t+~0LL=a*x(nyTW&I@pzTdU=wNPD^-+9st>;Ac4<CQ~hK3pxoj
zo+=5EJR)!8{GBR@Peog<<KiZ+jPb3MKxg8_m&;G=o?<x(7KlAkyhMIEKPB(-ACF7;
z(RLb&@3)VE$UVj4UUAM=%OLbsuoXzz0s{Lec587x=`zb_%Y2(Da-t4bF%bcgPUl#b
z1A0-=yUvX&*5;kA1w^EFvo<kP@6y4+0HiGLgaDJc4g!iha+Gn>{C<nA9%>Qa<o;?%
z?R0+YLJd7AV!|Bu0KXf=f4j~3St>iKz6!~h4S{D`Lf6S}Z1xam6;0Y%{aqT?a@bMF
zxUG5{&(h?_wf}ln&ABaI=V&sU+3#W!Y<A|P)AzTqW;(wBlDaZ}vvXH?_Zh)&s@qJd
zGqxkrim=Leu2Om9ZTJ<CkWq=}nV29eL+fFMHI+r(W!g1L%c8S{RX+=F-txw_%OaGg
zB78IouE04Qa2%}?v%$JpB|pjb3_o%w$2=LrIvGrewKEX*<T%%}WJnLJGhS8lb<eU!
zEYOynT?(|ScuW=dhaW4~?w88fbg)nCV&cbf&bHJP7l3TxG2kc?z9{k(NrgBBai^CE
zPI(x(FNmtfz@cPbg)E_CA21wpoMDDIxUZ;={gl-yI(u@os)DBprv)l{yg#2Pg=Rqk
zDKrls{3?Ni2}?VCfw+8fIQQtB#M3euBwZo!*jTH{11;_skQe4fy=2qpXfBx4h+`jT
zI>jN$oyAMYoE*(98EmrLs*^=JR_RnjFj-2}Fjk@<Haj~LCgn6z!Yr`4FX7JO#eiH8
zk``u6j@Fb5E*zmK4@4%@Y;H*)W*AG4OHM3sR;!Zn-u7oD2;H0<KK5uFzNQq6d53M}
z1q3vWjG?c07B|s|_x9lsgN2p!Juy-U(<X8lLG0t#WXwq3R2|t>wgD6>WM|gLbuv5g
zE3y6};`9x(ku{RtmsR*1UgW}&YfcM{?I_#8$0v8b&-PJV3vqE$#j0z@aZb=3i<Wna
z0wcR2%u_vyE9riqV%3~hx$!%UGqR#>&i3STTs3pJ#cVfA8IoQiX{AJwl~ys($I7=R
z%4O0YEIc?{ET>0V)%c>h#omXp=J1QFN%R;36_(7`>Em3^)KX4nYr=`x@~-eBO}1$&
zg#-hSrw{)<5*`+4FhXz==8+8PG+Obs4QB|j$a)i#G8&!fwCE)FHcrKKNnFAo%RRzN
zmWAv*GGq2d`Dqs`H)(v2w00$v#g2J+YbEmRY}@K4a<$9SRy_#9%hrDOHnwP{^vG2J
zBBVcu3aQ=)R0z#GGJGYh%gipRW~-8y!koku+szq?O4u%|d(J3sm=e6Jv~kmC5dN*@
z)8ht0IHo$n+gL!R+$TD(I((HUC)tP*)j*#_#}2q2YZ=?3>#?=WKrG07)?-X-XA^Ru
z&w6Sqn+fmh5h^SSE)aWM*6qMVB#K0{H*UZm18Ckewn~q#I{=V`F1Wif^@3L!S}wt2
zlIiMPL93!Uo(vwEeBNCjMc&hyyxDnBCvxZ_(;oh_&usD;RX6kEZvXWl^=9W^n(S@5
zMrLyg^g0C{6hAi;_(>PV%>5nL-#Kl{V`9EwA3VTsAj&zXXt{4kTTbXOG`*xnQhOI{
z)u!lgw?M^9=*mn{pf$0FR7Q%EW25en%4rFRSRHxBDdBTPW${OaPRw6>2gWbCY3lU*
zkUtA+PTx+B_jd8?g?rBR-d@7|3ilN1)iZiAhWFmMxAr}vj=S}^VLVpl$;sJpRxCIt
z2klW#JH^Q(jh+2OB~X0LMf_z9%ZHiYVp;7Nb&pWV!;hp2vCw%9)bQA@4$iHe^$r{2
zxkP^$|B<XeS$MPVAb_&K`H0VR`6{;E@NNLvTEMkL^9$JBwItxcZQR*Fi9{R`r}g!^
z17CB2#Y1QfKE;Ah;#vmH9ZzIdp#XEHxR}&dRebEd{VK{Ne<}8r+Eqq9iBaYJNZOf^
zYDZe|HH)iO`YQ&9v?J{$z5)z^?+T2Z9nMxNOMf|Nhc+m{B=<I~WDwNV?`?QQ9yKFc
zhZaJHh(3kBv*o`35-coHXXPq#1Z!{89%@J!IBfrWWWm|7sx#R3-OVMdRndmx2G9^b
zpB?VX<C}`*%P9@e)##A*fw6oyZ#Pd*XC>4i-9&3;XUM5k>Y!+zsve8m*Iyuy+OYcI
zK~0_F9H!XilsHTZ8E0+UiP%1S8^y(xLJPeQWz-z7+$<Kc+zv~3py3rF<*l7;ALU4-
zJc?u#_3bpHTHuG`9Ad_mbh@^@RXc!!s3KmV5`h_zpdnVsrDZ$(kv*I+6my8E$(Q7I
zy1WRxGm+Pl-&ekA+=^$?+t3a)5l&~&O0{m)yby?vUSCC&{6+-H#_*dQ>3KOY^8Mg3
z;Wu(Z!&yY;1dqr1DfSUw9a&#B_T|9FH+8u+veQ?wks&M(R`VS?uH^{c?F(<oNj@N!
z55YfR!j68LEOY@4S;bPkPHH)?AjUN+8NMj5f(`1D|1Nu#UQLzn#mpd33sPfwakX0&
zeXR3Eka;X%f$IX5uNOo(#>AZ3i9^=88IZEC%BlDucB0}z3_)fUvE;A-fQQPPsu#lX
zZ3n{aw>j0+hM-6k8H>a>MFffrGCS;1z7r-K?rnSoe)K`$T+QXf5Y7?YAZYRyi{3H@
z1-!e{d0V}RQfq-~H1R{=dubRZT8)mw|2h+fa!58Wv7IumT&IB&=Np@ulOD?YD3)8z
zny*D}W2xdkyBsHW4P&KTTIpQ1$;IFxZAaosAYY~PRx0CDQGK$M<{Ec$TpIF4I7_HE
z)GH9#>r^5_tH$3@Tz<m~z8IUijyHC_;yblC5LjFryWzls*tES>V?PMQzB2?<vB69%
z&?=D`WR5K)1<ms08P&15-F#HUxkwQSotZTnWN707dW)~;4LM2RwBTLi^nf9f3RjB7
zX6HCfuSq9^e~YY6l+qc0<EvHFt7ISpav5f+iC*$9tASfr${2EYTY=1#QnPHh$KuJt
zz)w)e8sA3t4VY!jD2~&axD26zzhZB&Mko3JM9SgTsJ+f%;MjO&adB{+TSWVz#I&?$
zOYIHkV>l!ES3$EBG+}cqyM#5<LZT*Srnbm^5f)!uQk1>w+(8qGB0X`E;V*35uv`{%
zp%FGNW4V|k^F9dg&Iw)?-aRDv(<-)I<uJ6jX}+{5K_;_S)y`U5M%+Y|$8&Zx|0yxO
zt0|(UI`L*BvCFG>c3Z>UzHz4ex((6cIOUJ!(m;v&(E9dv#PqvttVKQHE})GdwR&s^
zdneUie@C*Nn35-b(_)kMN;r`*AMjR)2SoNeN?d~h2S}xd{nW_EY(vUU>Ry?EdCn*%
zs_LE%YMkMamUa9ax`mQkjKm$l;yO$XZ}ipg)LfFXpJ^`Lt1~=QEpryvQqRaahvWSA
zgyW|MVw2equk|zyv3vKTn?$%uZfQnt8EB^cxqQ0AY!D4q?1O)Tsl7b9`r9{M=s}1|
zCQZtPCI>>3a+fB0kVpMBa@!wwX|dkr8$V9$Kgf*mr$ZO)%ijWT;}4k*Ej>fR@uB1W
zo(21}x_L}gd-9)dd!}R1vq+YfEP1gA+B*fv8K@13bQ3_q*+TN78fHNB6-)IqQB*~g
z*#$hYD&T7pWJ6Bw4bg!qlF3B+Svf?}3h>quY7P_zj)9yYqg7-p%Xy176Ne}v>H+BS
zM}JDR6}1VJVjVYc1rZA2H7ujXsHeUR1J;y_Z1X){P6hie{(I4C(b0#X**HlyvLiH%
z>lQ<YH&3jd$n8JQ3c_ImvwGx;&_dlRm76~bQDJ#L){wZ+dqOLG>{$?hL&~SaL-!<3
z11}*IU8#eQ>1(U!xWt=u6D})Kts!3I^*xDS@`JWYk9Vg39(Nk%>!YIbt0Ud)Qr)<v
zkkQcl;Q*Asmy1<!5MzIfP0NBKpWsX9Jw&ir|E-}LShwQWr?awbJ&Jy4#6U920%CP;
z?C0wA+;C*a*Kv8)2NRK1oY?zIJ!JA$5q33Y2#arT)hm@ALM&dz<(aH)e5<u;Ou@eV
z8MRN)&yhI{D0@bV{j=-YrLX7-`hDt)!ipDUv$s|*UxW<xJ@H-NL}P`@{^omZ?XN6q
zP+A{9cW-ZUjqoWLvU&5m2?@mbq60n}2vn>N-Ix4hnqESp4>?|s-_dM@V%A`Zv6K9{
ztEu-l3!&y6CbEMYJ+Tljx>(J)P25wEn8K=8{HJ89?^*W@D<z(ev0(l70`6w9hgrJS
z2|F`|Q`=$xe!-XoOn_GBmY2+UJQ+Mj$`z!_m9hu5);aV=$`V59E|y%q&g8(2#roQ<
z9%_N3iZPgPyHHI%)CY{tR-DA#NyJ^8y|hIvEr{$1_f&ctzAnWi>@7*flcZw4tynG<
zw`Nq7%La`+lKN{*{q^vjsbBGePCW0q$Rg*KS8ad1jmHX~3!)@nn@&EEWcagG7~N%f
z7rykqQlVuC(n?!WHVxtE%ZdZe)J@Wgw;@Q9+wZNCD@K~2PejWNE%bX7{XRI&4}yQI
z!C%7kz<<@XNo~(ruad~yDAv78k$+f_N|8*E?!ICQ9)5g*wO#w`G%BnRJwam|@PAON
zW8P2f_zFj0*wv^xi2GWEov{$B4IT~eGxu2~C*EPgrsyvLz=4Wg-o~RKV%d&_j~_E1
zBz>K?@nVx6a?=e0;!>rxO`C;kp}#1SrnOgJHiQh*T5{1M6L-liHbZ$Y+nP9%pH$j1
zFe%%Rc$Oc9z_4D4oK;_fxA9w=Ed6B-_Q>-F`LQJSUEiZvQeg^m4Uyif*)Ei38(@k4
zK2p3?ey#h9M_K7el5zqUhS^8i23XFsQ-z`ej}^JREIb6^BJipr9a+1DRY*GFFWEjV
z{gG#ii4+#Ya|xxHre@hxN60&tlv+^gX5*!v0=m|9cCXh72|bZa@0hV2j<GCMSQWa&
z>=j~wX$NFfWwB;Vhe5i~V7hRlnIS9WswWsi!HZx{s8<Kz!SgR?e`acN{*Rahn<3!^
zYWi7p1;ZK_UBNx=)HBF99TxK{76JK*PDWPlGaznir!#D$+W`z2)+!=d-rwM+-4cjB
zUM%n>`4u<W+xSzMOp4bTR$A%;!4YY5X5#q$O*;8on*6wumYjv@oMLjUFyHL_Af28s
zHJFWo9iE&Zp(bXHz>Bx>W9_3s%pl-ZS;#tCawsZmU@iI^oA7{}Aah(gC3G@%HzH@5
z8b3-Qu}Twyw<f1+l2GYkQ)ZGNG(!Pj4?oJ=75a9iyrt<;Z;I>Oo@rXSN|U?|W9b$n
znmA6Tm$lZFy=0b_yr!sZ#<sIQxnF6Dx1pM9Ng{2GyG2l{G1IqchBj?Ht7akVTx!59
z7J&nA->IDy_yGg0@n=F?GG~hSg7i|GK1<WZ{bJdehLnjR)}ZsyGV$Xo54?>5?N|m3
zm)c(x(6tKax+y8@2r+g#`8v;o_a~aQ0lOIlzwUJ2*ZJdZyx-=`RQm07F4QXChVPM{
zxLGsJzza9$Ycun%?$gZIO*1bfrfYeZ-XBOiBMrR92{y~jwW-jU%q<p)BQ#UDskpFs
zv-7-3ZxG}XLo#a0n)c>(h8yHQUS0L1^_A-nCH7iO8L=ub^MtX*%$x19f>3p~9iDoA
z;RYEg(b@7Ch&-fgR_8FCA)zCEDrFFp0x4Te+I5%ZF>qJd7GS*vI1ua>Ghyye;bf~~
zR0uAgRrMyV%7pMXT%pWY15;uQ!M4^Mz!;L_JrT#b{uz-7XXaH!$D3Z511T~A8;+r}
z@3AV3Mc<?1YD|91m0a9tDL%mC-nTN%+jtxKfv^!DY&E^dm~d<;*B?E5kKQl#d-AI#
zgxCze5P~H~k%-))!MbCllOy(BV|-!QkFs2>V{NT~nIgXPoL_6ch~YeM!=<uys>31D
zyVUIMxqYX?c>0Zb%gu0F_bYT?YbL&>kQF5}??v>Wd^gE}6@Au#Su`tEc8Jz$M1-jY
zSPe2_LW#YjQNcmihC0ab1@?~koYjEzN?|d2-jiVhb8!?s27amv)8=1gRb+>AEy~BH
zkCq{3PLw`}i~Rsx&fr@pT(a=o)6WB@yz=8&Sb2JcWO-G!UUvG$^h#dyB=@M(WvM8y
z;-Of0!0Er@$9oSKci@1J?=R~^GUcLNPxM-Kvdwg2Pp7cBO~@yrTZXlOJ4ATCjI%17
zPQXr(_;-}AE`)u(&x?C4uW4d$WWAI+hP@kZz^`au*eRW!>0JJ-NK&Zpi^QD^d665E
zC5N!s)*NSUN2=ArRI4g@8Rtq}TfB_$2!!*7I%j{FDl2zzr6@ZSEc2X;RWn-7nF}?P
z9aB6iO)8swQ5M)Y6W%w0$43lupjw`=kN5Wb`I`{CE^U8;F;f$rFYQ3K7oA;J>mI1+
zs6^IShF6>uZ~$VYH+}+`{)m229Dk?=hxEC?+wgZpWLWTH9P)e>t=@+FNJ&#kv2sqy
zsM07(vw!RV6`9^q=Cx!$*Pt*)P#7~FF7r0t1Bnu+3nFTsKj&?1<An*7c!OV2^hNxt
ze}#CMY-bFv@gWQ4k`Rt$W?8HCPz}lbsZhHp@*z(6U@@n~xUYg$znFo}PumF6y7mmD
zL(AUb&fnXG+Uyk_pf%JD@){+Qe`K9%BEj~1$`lE`7M+$0dNrKE;Y`Rk)A|O_sqnqb
zaoFD1bQT|p;1JEws*3J~Z^|nBXMm`H_6rwyZ@o(pl%q#5F2u;ksX8ffFNtY*Lihp^
z<p?IOSl%v!UZ5Hwy#P#y={d)-Y`_XT6xFSpIoq92dX$G6N*G1lR>A+p!8L~GD8vBX
z*j6W@bK2W*4XI@IGQ*AmK{8og?@@8&Z4iT$%r~sev?vK>1usELIG$g3RhofRp+V}V
z#EldI2XEs%pk?&zi-9>$=bE>1e0Jq8LY9MURSAgG!8O+85vFsE33`>L*xH>+vBvY=
z!Y0f4yG<AGQ$h|&aq{o&NKcc0PyPHoCoI^PzZDBds0%B33@??MG|5dWBx$B5UG63g
zlcksE;?>!Jyb5R}pCj25c1n{cC@4vsw9qD=nmj~-N#f;h;`C%DINT-(m-#)gSI>&s
z`(vd`Q|wbXuY7-R@1nKZrW}3^P^vu;3B@DR9uGunmr{Y(Hm8DRR3PGa0^#{fJwd`~
z{7c&e1d@He;|cAfs3(3Y2~kQ><K8l@(Zze0ypN)xi2pyFQ(GFXeVjv&@o0!Qe;3D=
zB>%hAjrcpm^E*A_&^18*fi9B$Li^gHuWioV`pbdBVUI<Qq`=F~-8W6-w@uM-es%fY
zUVVZF!iORaa3~2~rH=&N%<qhZ2%DSM9;xl9iTLAf{<kP6or#;?#ZB+p{97bF>fbWn
z|NON_N2hH8mCis8F^60R9S7~<FbhKYu6RQ{m>c%Ll@s=}+xA@4-;om^?|&;epQqSp
zs4}ds=}1p=;msL%Zi6J*Eqt?Y3xVi?h15ea2#F}K;MW5#N0VDt$n01CU3m_$om<?#
zC!Qt4LT~ds>27$#B2)S{1o-hVvD=j(6lYfe;c*;K>zxS1h7)3Ah73^gY$~z?)-*I(
zF+lEd<VIR86fW))I63X|FpUQ;@!Egn2TcWGKcQ@pE-_u^S>`y%2%4Q_JnVKDeN$y1
zi)0{S)(&8DjCf{2AbK&+(=a21=QwB3=6vrf3@fjAH&+w@Ntb|aPCiJ%7DX5NzT+~6
zT?a&-P@6gOubF~Kv{8QA>KnvllIqcWH9giiTeD+Qc*S`-svLZ1b8ek1?P>0#QelOx
z7;K}zMr%RfJK+^?qo0AZ-~+M6S}NwR4@3>bDQSqODMWw00VkH61sBK!w@aGI#8&ts
z4PQ=~2V(w3F8pa}_^(u(tbXV^pJbqWPZ~bx4i)5M{v|HB>1l9L18#`{SD!}rH<{q-
zvcQE6xTP+*3)A2x7;sDbft#EOE;kF@P_d+A{<sV7qBOXz0h84a+$Xy;IxE5>O}nrG
z2WOeF`EDBA?+mz(e&8NTgA2`0gBl7OfmxRe>e4i*DF#$mKTwxufMWYNgCXg(Cwb7K
z<N=G41&fmVE=umRC^=$LGIvojhk@3DQRQ5n)pB8^S)rz6Av+vGxX2SdqR1ov>gFeM
zm&C;fqIby)oLnG$Zst<_SixRXQu^cg<2{}x|8~^V_HcI&LeL+6LI8MzC#EX5Irr<{
zNeg0Yp9Z9v0p5It_TCEZ*JtkSeT)uy5`Pk$Y%_P6BF@W%^suNPS(UcI=SqPZZB*oA
zGwL90eIOQ-0xN!(ChYD>0*)*>`_$%mnKh|Oi#yGLEOP7pC0%coskg}1dkKC^*PA&~
zfi7|DJ(8|>i>bH7*1IpOp0lskTk6(ZovwGjskhYD`+?TG*K`hEwjFyeUExSmA#N+Y
z1)ro4oI%{6zr(H6nXa_OuLyM5N)KmMnn0y4w^CQS(!WimE?en(D(T_6j1m4W3(rVr
z@-WfXF4MF*0a7u<h3<d9g#9FTsTf?#e<`CR66y{_{oT>Za!lSs<&m8{Slv(DXuQNS
z-&Hy%rBqEuDGm&4sR_2!S*cP5l;XQz(*!gIhAM-xsa$q;QZ4aGFoiMNmJ$(bO(M0K
z6unxpoq%NnrPyaYkL?hDPg|v$x{Hh!u}X>dLfsKH7J4|%PyiY|(U8~<-P}L^sL?}h
z&W|x6-G*EP&Cr6zK-?f5grC!;id>W|cvZNylvV8`mUOyofm>EP7^{<xQj#Fwmz=}1
zO7?{c(xZ(kH|5v$Dc={e43-P|NoIc<hXEj$WJAs_-xsnBunYM|p9gtDHstK`S&&n5
zvBAWN5BtXgkxSFMn?F>xw?e7rJ1{MShv51J1$1+`d8aAiZ03-oq3j}6-_c=LNf}|E
z=A0(A^PI<Q8PgtTq(T8(MOA2Y*lALwUaI8VDotsysu!cf4oa0Nuw^dOGQ&Qd57Lp=
zl@dkbR9?hxZcdu=+5N4Q`EU;XSSxk<b#xY$ZATxVfU;=wXxrM3RgyXE_RQ8cd^@#n
zNX_Huuq(Al%Zfvk2K-rhATXSd6}p+u&7~HqZfe-s+gxE2D`86^P;;$KIKd_$3F?|>
z*u<k@1SR7zk;Bd3x5)=+^00Sr$e_y62G2!e{HGBWiO}W<me9-O+0~JRL5AZ67u!^K
zS_+=zoF2b^mPZALzCuzyL1?mo_Z(+YQ}8lthU4YZ-ktQtEVXoEYQ@UJl;p@5uq>%{
z+yNesi=~CSV&)R~O8`U=F8qY!Go*!sTx#+BbGTwaY{*;cl3BdmQZYPZFR1mWl7;&U
zl+D0AOGp*CvQH>za*&e-t%zjyhYBSjozEqml6;2HSEt(k$fsW7kmA83KC^^f;TpX9
zuLwG&UoVM%AMfwrW-E;DhTltfb#c(<oFrMYnxoh~^32^0(P`*RRG^Wj*NFDAC9bE0
ze5lyIPSXmgIw{=d6i`ya!;FdX&IQbu*t9NFST)c0rMxYCHEWOLA*v`%?U}L|F<LUp
zIIwGM7bZ%%)RI+KI;>e;96k}dG{QnzR#fBt&fKqpKdbeQKu(+`Dm+mr$=80*ZFr(o
zkRpnR;+2zu*V)=9A%Zl~p^9Rib8!F8EEYJnGxuXoB~Nxy${P^G9JYNdRH&`({!>x$
zcV^LHhL~oC4q>U1Uhgq;OPMn`7DCXQ1)g;Xyd?{Vh^$RzQ4TSfmd10iNpi;fdvxG~
zUw4z`D2%Dl6UdQzfK-H*%NW?YGnBAG2x*80(U|L;r9ud0&{U<Z0*y*({|VMge=MI8
zgVwr1PE-WMqoIuVHF=GV9x6~QCdVr#$~|t<eG0(sw&Hs$Nrre9X*t<yi8o0x1t8Hh
zDO=zAJ^C`y@dmec;o_f6p@)W{pk<qLljJFN9YZX4^rC7*Ggq`1iq9UIS<z`QW36RS
zHAv1taJXn{hl65pnlZj_nh+E^q{n$sUcXtv3sbf^ZRe-ZRJ1p%3^RkNW9p*$mYUFt
zlSNf=`l}(ZMN_f=79g_Fe3l4di)PQ%EHtyVMVm)7f|Y=RePN0L?11|eI~i~osm+lM
z6qPhG-s}@AMh6Q<;U^1S!+2m_l#v>>Zo;%4f%uhquB>%=P*?-0YNkb(5y~_xvY9u`
zngQgqN^sFX7?rAE6vH2Ywrg6X<vg=ZVDUrqVua@L)LJ#9z@<ngei>RdqbIStGz1TG
zIHe6sQ-qZHE^fi#b+pAJV$JkO)E=KmmJiEgBQA&4<i8^V75?tI0m^n0mrY)qb8?+<
zjGgY%9%QjUf;a<{LfmAMN~4jwykvn>F6<^%>{wep=<4?ry&!`TC3DZq)TNd512zre
zW0W}pWaCjC3%cX|d%X9lVmc2w5cTijG_%Q9u56yjuF*1<*PqnS|KuB?3*D;QU>A-*
zQ+t7*N^Bx#*SpEooA9;JH#B=lcJ>c!_PmgFPa97$Yxkhr!mZjuP8z>S5Z29nc8AQ3
zRe~<j5cxw$kLwp4EjORd6c79N<n-&$Hs%8TnK0hEz%D?(ByZKeeKR_&^O_^&ySveS
z+jtO|7Tg}DqJT?ah4xZ-LWshTxrHChF1*eye3vQwEh+pvw{R@G@E_d5SD3;_N#Psa
z!n3mrhup&BP2q1!;mh2@Q?d&O+`{`&7~jYz;hrNF)_9jq`vkq&!S}a+bIU}J9$SJv
zjnleJcvRNx@ax;PJi`jHT44v55FfI4ql9>r(Gj5DX3aKScXlPaDMF^Z$z7DVOaAt;
z=pvzy00*14IlqAiR<z$aQ3y?fOa_@v<&vkGMBdvf3oXa?M5lcesVmY_ZIvZ%DkVxY
zp20x*TWaFXN=ppms&(83tq5WgR+i{gZu56*)$sftPw*sz60=uuh*k!)NO*p?C%B0u
zlEp%o3Cko!=3px(*N}m_Gx(4CNO_f3+MEO|=gKX2#%ho83>%j2X|5BjDZ3D=_n{c`
z)}UcQZ}?DIU(qmR-$VljQ59t1V}I3BI6qH>NX9r6sZ>(|^ncs;^r#@H%&6FY_t#3%
z%0jWO`J$Pq0bZ~Yg9kra8Jp-?@i@e2{sY{(ayfsTr_Wa5*Cq5h0iKb16<Uvk!zCfT
zJL8qtiq$TpCsL3cfplXAq>T{GI>LjOA=|q=L2Oq+CSz!6Q<ecjE86;p(AnLc;KD7F
zdJm~Soj=BHDqPg;<&RXk`6Bt8CI2O78Q@p~k-9>y8?7tVv`Ag0{#u4Ld6lKoO}-sZ
zBT-(W7-NyTKr-K?=vzs~vjLT%zb(J3wQBW#S7o}(M7$aFUn8-9r`kvzv{V21w%aN3
zj2MbJ^=2|yiivWRnS^+!^PZ%5!I((Wq^gy75e;cR@2h7Si~S5_%NTZVPp+gOy;CTA
z02sRCm)ff<AhCaEc5|j}(9XPlq3uj!8Hg%$;Q+Tkv?Uyn>W{_b7E_ikr3O@<b&L$=
zI;e;>{e?!AmF|F=7d3qtQ0_(4AueGCbiudvG6Q-6Z)U&=QTTQ(v3I7J*h}h`1c*LY
zlHT+Gjgo7zJo{0ymBjv(TuSPol)QV!|1l+{Z}hV+Abk|>H}92!OiGey2$7;>sikC>
zP*S3%3?&0X$%SWSQPRvBI~1QsNq2|&Y{P|Mmd%~xT<%l}Qe@_X<sVmSOr#N&C6}KL
zeO;~!9w}`PO4y0hUBY&JCX046<+@WF;rE-eE&)X=SOO|b%6sKt1l7!xtdTcMss3E7
zaI=b*e6BR@&X_jc1K6^e-B@b6K^3KTkBIi$7})8lfxScq_D_BtSShCLaS&ZIFQTBM
z=T}O1lLaO<H8)FbDV>{c6{w<B0z$D=6_*L6cbEa9D}bA!D<A}tLO1)<^RXzkf^cVf
zYRtz20j_Ry&fDTDbi{``#w)lD*qxEXrI^Uiv>}pgR-rn0E2U}9O0|+q_HAV&BpbLD
zh(()yTPdI~AdEGl<0BGU@sCs>;6;o<kJK2|%NRvcV|1yE(U2-TMs)fXDy2qVsAM2V
z5T{{@<~Yy{g0!Ft;~|XLB$rOBtQ2cO7@<oV`E_<9_ns+@$N<Vj)4D@op{%yZ2r(}d
z7NblfYW1aPwUXoJX07Iq$e%%dU|MPYezcMvWwxRe?bFJI{aW!2+KSfyoK|9Wb@a)_
z_zX6h(p?kpn8S{ilz^nlWjA6&8<d2ZQC}I%Oc|ItZM7C@f0U$c&f-%uL319~tz2Sc
zo~fMD9tRInAZeO~8RlDn$-h~~ww`j+s*cq(GhSvuH9#;mY*Pk-|M>_U4x<QMm&qiA
zN?HF;1L0wN-*L+SaqkyefM2xt<1ChD?Ede1|Ejt^nfQbE9!lv<F~TrY&ka82MVU;I
z5@dx+=f7vrx$hdm(TE}ukdG7My`sb{6q!^7jF>F6>LhPbF{2^x>1CjU$xy0k##9o%
zFX!Ez86TG-uTF3m4HnJ~z)5n}UYumKfrpPqt@rJEA0ow=)+ui|_@^g$3e){R1JifD
z_Ia2h`xHwRTK~=)0LvGFk%i@vX)K?w%*Hac)8wun>69^B)e=WtX*=iA4$WrRkSgb0
zdNZy<Z+_aG8l#G3k*>54m>y}~;_m)yeYf8I?kabY007W$2z2kOy)4;hNQW}UccM%V
z*LpfTGpEFzhf+FQvi(^QQ$~G6ap*7El6Uu&ZLUVhmZG}^QcBXKR9?Z!jDvAmrTbBu
zVhMM5ARE@-46N=zo4*G_2!<FEM}r|_0hgbYY6?Fi3SWKgWa%*7av-@nOjb62UTbH3
zc5CN+W^1$m+t$_}l|o(@eduJf=<C!0FnwqpouP+65C4S&K|IFw(!^B3!+A=as{kDF
ze*_^T;$ZEJ6h!?Wr8NHMwRE6qDP=ti?unE6i?>uv2X}xD9p_>9o&VI)*nB-Ejf~q3
zRUS`6JjA}X8OM)K%qq6f7Mo^@iNk|2ZF8Q@E*7@Mj@M$rzFtw-!Qa{H;S-1Iz;&Zs
z6;e1GQlo|R)|uIOeJ8tE)E0Zf6ieZCa&|E>t_9s+X|aBI$&3ImA(c=Dck36Q5BC;*
z0iJnh|ABZWGEKsE-D%%t4VvYd0E45VTBygc$Oph-%Del(DW3SiI|_e7e^^&$!NP>m
z*$Bf;>-fN1U|ghc4FWT@JD5HH56%MVPH>lphY_osmPwV!l1{ADj>xoUz)p6eLo9r5
z$KL(gP<KUp8)M`Aty}_lUFwhbKQmtzlO62u=*d|VmV2j^{P48B>bp(8M1fA%QyJdu
z+PWRhzcGWYO4)h7LalWvSSK8C8)_3#Xr_s7oYP3_N;>6n0;X)Yu^~|yOqx(fRB)Fq
znRV(z<AGgj6U5z}T&_rn_m!>{xhT^&8%cbxpj-*ciN7!vO=0zXFk1M-DprM#NkLHg
zKHJzCWS?JRoHjVn`p%=POhc_Jab$R$UqHKTAc8t*%LO{o+72`73NFGy!RNFaDauuE
zN>lFlnUwo2U=ttGKvrYLnT<tYURmb^zfT#|zL?&&16Uv8adKB1qg)^wV6*vD#n{%c
z*mAH*$PLESHMCX}rd(nrX(@SU7L2=r@x?f%1(d~~pUpAny*5a{{{Ucjj)^tLFr;Fm
z85Z_x&0IV@0RS5h4rVD1JC-<3!PihG<tq8(agv-e%;xB8i|LZPdwHGi22&Ll`<sMY
zOSk_`BV7!G<sNl*cL5ytqAc~gl<cmfugj1<A_~Ms)F+5aL7*m&R;XRc=0$c-J7o)I
z_LEVNu`CKi3#pmv+IfmJuxlZNz?U7(-i_>cou|cUV4`Wj_TDaaJ%M3O+5!5Y{74U}
z3WI2*Ysff=sePKQos2Ki1{8}DK}MSt+M9Y7d9flg<5dJ#z^r*yZbN-?rC4gthLd2n
z$ZC5B+YH&#h+J&&bN#w(l&IB8W!1zvEYoS<NgfK6W@GPdcK!mOnuwC|_)~zH6<Y$M
z6shGT6G3{CwQwy3T92V=rS?XgeKJ2%l1Nlgw^SSn?kS^8`j=i&0J>Qjfnq=52%8(b
zM1uu_E+aNWK-}MD(C7U!d4KL3$~;b6<;+~eM^0<ymC)3nI{gH!oTFXdbmO01u`sCr
zbK0_th?7s&j=THoY22*gnZoZmE|3}wzuZ3f9se2lWiNU>#il3Ht0l~{erR9vavJTY
zLBXQEKzQIY*FG*?5BdzeYedNyIxAi0d|j}~TJKy%_)<Tlp6W~^bxInk#JChv)*3E=
zgJ6tMH?8oCo)OB6V^^6&dGjl@AlYdvKx<{}NVZ9Hkrp-@4HykOfLLkok!i=au~>_X
zz@SNOLatvncBhPQ0HoSMN)Iw|*vM?HYQf$k6_<8hn(B_Lx@2w>Q&cwR?OxwIFL8&$
zpN(#DM#|tL*Nk{PCd%n3k@&ioub5s5rcM5LNzsWkv}`Y1v=_gd{Dze2=UrCQ7D~NU
z>G5dLySwu{jYbKhw$Wi7Ld}UJS%$dkM5VoZn2B!IWp-0e&8TJ`yuoW}P)&?P3>*yp
zZO$d!qovQXuS%0Y{Tg{`B@s7=jOd|9a_5$Ug>Fl?IZq$Yv(Sb26;dEImCln=qGlJ0
zt<WE%d<*S$Hi!&HpBP(11OnmJ?8h3|T~zPF%tg)83?r#ZVZDtwXmi@Np`ILb2J2f!
z$H-Ql%DmGIvi;k4hv3pw`#&@7Q%$6vRQGqc`Zw>}>fgkHH#=c+IusQG%a*b7@HVWM
zZlp8CIXah(BsCThTW0&?!6^1ry>ut5WcRhUWO1tGV^Z=0Es0<S*c@Br>!~8oN|AA<
zh+r{c-_UWOD>3tsZCZD$XP-dW--B7ANKV*?yQ#$qAZdw-#vPC<3_?VxPo`omu=Z~%
zNEB&_RByo{h31JV92Cumxo$%mHUw!milUGoogL!jozF2Z<qC9$s{Yil{L$dg3~h6M
zhSEW!rq+x_s*#Ln?rMIX?n<ef|D!Xo2S5Y~lqljl*>p}H#xOMbcS@h7a093jA+a;1
zlH9dNCTz#Mtnx~%fHPYCz1v&;dmn4{f4UL~41DWKxun+FYI>*%GEJTTWF)MVgr`jc
zj474}`b^lAp4U3sZ`ULQLYuRWKC5LpU{8g&DW<)-&WddBGUHZm(jO;UH&xJ!=#MPG
zW+=9*`?TKEkbxu$&NKz}$1vUb2>-gvBp0YxN_G=Jt~*31=|*E@_~WHlu8{^|Rria`
zbrHSCAgVN<Bx04RgOO&Xe1?s)a<)+G(_=(htd`pfIyw9Bxfaa}Sr(0ekg6{M#acAq
z5%Tx7Xi8oFF)P(Bvwn-ql>AwWgLVD3l|XW#h>Xq|MFxGtUp|r%0(}ORFqr>j45<yg
zZ<AhG#yi16NiI*XCyQKslyDg^MS;ke8{^R0ql(Nwj>tqt>`_G~!yfI@3DD0T)scA6
z);9JiC8ZlOF^$ejH`zxUn`SD@DP1BYk=q`?>WGYV`oiH!liqiIXTuHh+~Na6FLj}}
z9-0MR(iQsun)J_sUTUHD)Ae#_IVKF+=A6$xD6V3iB+sI*V}vnjzAF9c#>kQ65>r%@
zE8S!$(TrW-5pWAZOn0V+-Fq)j6|1~@lC$AglCLLLxpq?47j4diTtOp@ZV|a#UuELN
z<*@RLQ59)ssh=PaklIVRH02cmWa7q`T1oIf+-*X&rOlg69jEjVEz=>1w#<!gnb&QZ
ze99zZ{jnOIjn%MhtlrGTYKn_hFwh611Kie<wzc0K+z+Ge&s(gw*)rE_8AF?ExTnM=
z%;h{|A}OVmaMLm}tL52*3I`P(J;m)x@&aZR+-|K-%dsbF6<MElGg8gn+Wb00=%R13
zpvFv)LBlrzdBlw@W<W|F4+wLU+(sg20}RX$GhsgSjn9Qy2cF9#p+}<A9--H96ry0&
zTuHldib3t<5_lk{rp<CYsMj2x;WN8&i-c0xbDDU~8oO06x<@oUqOv1*IV9pAYn0y=
zJEajlmP8{|_Bb8%KM=c13)@4JM%#=qO=Vg0B5*8CH*qb3@bqlz_n}lqspYoRgHYu1
zfOi3m?(Y_FUAL*zf6e6@VBf~RUD5PQri4mjbZFMvBnj?rXtv762h;ZO#nPp$xU1|D
z1nUN!$ysZW-w5eJJuRO~T?w6~F+7XV7;>SGG2&EXJXW0Tzxj`P{JIA4_~i(@x&9lm
zY0HI(zu<NaySv@ITRF+Hz#Csr`){!8v-_cOj;i4=q4R0Yl39w?mx%dFBj!;T)4E;F
zVn!fS8`lX#{FJ^}ZTveV`sZrnOVu)T{R;v@v~e|1tTuj*K4fcS8Fl(SkULd~drCHO
zzxy@n;|#$rt7DFek<uZyn0ntXRmyLnRdXG~;J((IK|`-e$nv#*m77)!<vW^lZ_N<E
zR{%KqLsudl-a#>O$jA~tttU?43LLk{vujh3tn)i0h+A3zOLE=y8+?HuLW_6G<KKkh
z>C+CMG0t<1l*J}j)2|x~kYOK4_StbS|03h=uIX0J(D6SCY$B_h7ZaW-BYCpwx6g4h
zRb?@Oz>%s|fU-=mR%qdxWUeO&bHeV}%Jv+WZa`wEnbD_qn=^y^SXNZtks$#v$z0F3
zNOTbl*2A+P{XSFb{=|LH_V>rw9?)vWNTyBI>vPh{Gszb2!m4#HAvrl&=7MQSAwR`s
zKbbABNWa%f%MZHmJj;zTR#mMPs%9U&DNOY~v)A8)r3UNuV$nGny>3dsD{k}jJxfmh
z4SCwH55rv?E%kP^rr>HH-f`dQ!}-GEM%@lGeQ^C{{rHs9$4Za0eLTm20Z3=a)gn6H
zBRX0RD@QnIp}Ve!Qm9)b=5WT}?2(LSLOScX9hDMzh{f;T)hvlZ=+j3TxGqb?csF+q
z%r*ce99YzqcIgD^QbcU6?&d=?=XrgR3tj`5o5x!4n+h!W6bGrKJw_CopfS#tTjrLt
zv>ZMd8Z!jx2iBy~I3*K}UEF18dTG$`Tkz9e@b0qCDChe{VPv9lf?F;eS5{ca`+(HY
z+#@s4sLMp-nm%Y;YSHK*dRoaDGiyj|jvUq(jR&M$_Hc?qH^cc8fH|HNz0Gh+qRv=q
z4kF8})>8V1j3CB4VI-g#U(I@JzZ8x$WSos`(5$uTEScbv1syc&f5{r8T`NONzlaQ7
zc?I2c#vR5enw9L9gTUtVeDmHcu_+)#Z0-vbD>m;qT-YM>+$XcH)D;}qC7HWMgIgU@
z!1T8|4qfdsV^{OlnOtxs2n<4#%&|xyWGR+qAsWluQZDd?C|4(x+jVG)a_@W*$_;FF
zYy^s>+zc6tzLYCa$s=Ncxmc%CUu{6%B_1jDT-vYqQYWf0OMJ|Gl>~*0rSf*lQkf&X
z{m3D-X-dL0)JT_nCspznQt}qJBzU~@)z9ES@(TseNTyGFhcF6TsRutA7c91?U_T_V
zk5|~PZEJBh@mI)Kjl-fZdVoRR>9_Pv?83Uteiyl1M!tA~%B=&`(MZp4Yc1mALlaGX
zg$JDTDd)nZj?(n}(p0-`mE|CBWQmOrOG=;vHBAf2dmi=tf==b328@NR!NeCH+&@0a
zjSuRJ+ZhVa`VCHrr<mNT^`Af=cPlqLlvlf${I{;Y((4nkQaVvr9dw3&vMZ;OW45lZ
z#0HV**fUmE(l4hBJgo%i7Fj3~z^q){Y6t2fO(C&xQApPq;SD4`nd{nfnIq68Q;8uz
z0R;3J#`xF1(g37W*PMjsLPhW~K)+ANlOki&`)ub6El5bsS;i&90JD&3<rKFSJ@2SE
z{$!=laj?dE$nDeE+fqRr`=b5%<!AQiuKrE@Jk^AiLH|X6DnGNalKzbym}<=JPpUO{
zeQ1X0BA0j!(f;gb$dcEJX`>nsCnjgS|3C9hbUUSvvZYi+^WioLLUW_7-QoOIb3Y1)
zNy?^h3L}YkiPS#tV#1LA(0xu1>D^E0kY*$Ibw%#^`G>(yoz&^J?6k;i;dd*J&ku~_
z2LSBD1)HUfEG|glI5^dAv2A@e)rvDQ8iZ;y`(so)I7VNHY9j_hE`w@NEKTCyvPhNj
z|17FK{&+vC{e`4Vs#$wkJvQmn+&yALXQpMXtLaQTFc3TV7mR@E#O^6*UTsvpvj??7
zfetA!^D$us(J@-aj`=I5L_0k&QVzGDEz!KjLRn_Y$jZ2YOxV@z?WA`6u9BE~&1iG}
zN1`_Xmi#*@+VEzHb#<k&?1~y3CDcgpn&Cp{xqwb2{>LZ}Q>xA4aH1)t0B;k3(E_d(
zt_(!EGo-C|gUHSE+y?KEd|lFM@k`{D@0paj`R5E!pT@T{MU6e(*8?rLUUs%t=I7{%
z8zuMU##-*=?7i&1k<W2Y9VjHcTvq5xkOH+wjLp=erG->Il;)>f2(VHvGqdywT`!rq
zLGp2fNV7dO>(ORmg*NA}u9YjJyw=j@Aoey~VAntDj&hH1f*s|L*dZ5S${a39H@k_z
z{WWkE`?O9h2XWXU6sKZb+Fr-304tF)q_;Uo7+l&F=rb0VTMSUGux+`Ei<YstTwzL>
zYA@PqQ`|)0eg(LRxM6~JONw({C(Aq|5EcGp><8iKw6o^tM*E3VzaS&|LaAiEG+Y18
zRFwEH?ZZW)BCPBFunf>*ZyC_Aka`NfnGM=a-fKjS0y{qg*iAH}1WleKtY{mbO{!gK
z-@U)FB5dOqq;qbRoX_wTL8ALbn+W@$j)pB#Qt^&$5MIR$oex`O%utP=Q||dY)iOqT
zpw<0k1KDuOD|U4LW%kDb+vXgsh#FHh&0xPYB}}!=w%P(Wk!q);n;vjx2<YcT?7Cd)
zim-}|w(ni$GL$xC8S1NUGcqS!<{siE0(S*)ZMU`UejaHqc#!{SyG!txxt|P;bkVU*
zJa2`y<o-yWt;2{{uP}ga5>S`GIGAOfvk3@`7{fvQC`!oP``T8ruG`3E&ZOsHVaj;3
zsBKjtF5W7|^bW;Eb|}Eqjmm405&G=57Yx|;t*N$M&WLn3`9I<^0*%bcyy@XmEow$m
zG?$DTyvYA5$WnKC6l6+2q29650U`?smGHz^1Kb1Mn`h#OTp8q#Gffb4fw5i@e$MIW
z<Ns8wyv-IX89CVvZF9s8k*1x<ug(ahp4Q&v7c;3-$~?3}+i&;&N;ZQ=2BO2Bx)Jx;
zbT|LKf68#m*mFf~hiXNLt05nJSIRt|=6^m^$c?j@{RZg2q|#V+w>y*j5pCh*B%cEC
z)c_u79!vMY1fiYwN?01URp$2cA8>o3b$n+HJ(0dgi!v(~--Xgt0O@ph&%naPd!hjJ
zTd~s6@AK2^sxN3|q(&_=&C!|T>a+i{{{O4Gwm&PbNcUB{Y(tcm?lt}6>=D*NHVrfD
z40!(-<Vew{kjg@z8^4lGAE6_gHiPi63GjohR4d4rMqK}h9YcwxuysExrL<p}z@RDa
z2&)yrtk99xCELCDJp0TJliTJj;~M+aDllUnX4N0T7R4a-=ix#A-1=*^P?j8sRu;M3
z;^J*N^C)dh*Ktrrm*8&6|G&NW=~>mMc=SvA-ON`c?A7`&%dd7<b(#B~amfn2oc5Wx
zKB#P8jTu41n+mt`;eO*|a!aJuqx$Ds8x-592p(}c_+l=saXHxSRk~zJM#*s*B~zT8
z_Lr%(DlQ%ydexVkzi7$qdiKr5j2@b=9@51_F?HSTV<c)ppI&5UxpU$Qs!%N30<qkQ
zeP`rmos|ne9MMlM41`-hYob{syNtp0D9II0pWUr=tk=DtXoJKy*JbZ>ucDr{5<_`v
z3-+}mT&U7*w{N1oKeul)ENZdg{rV<*uLJc@bpbRQU?eb-wWGhl;&3;#QYhJ7nYMqV
z*nfr)<=^S|nezT;-usT6-4V<HrA1GCC>zvK>GwJTwZHq$^8!#Bj2esFk-oy>zi?QZ
z8YV8DrqlQMW*FIe&1?t>Jiq5rDtpqWwe5@;kb;@q%R)zKb}_c>iY2%~&G_}>-i$1F
zgde2JV14Sxy?@P3_vy26vw0b#pMkBgrnKHxIaPYAh_DG}H;&t!qL0mpv{eczH9uN+
zg%l&=Fg>b8@Q~wrda$8b2Fn#@M^ey19AQiGn_f&jxYS&CmE1UBZ;kxQTmf81g>-8w
zDOXgcNo&yti#BK5Us60&DDRun@6=-r;=c2I(~iOEo#LSq={JSP4^7kCQg8r`ptAW#
zZX4Er{cZOhFemODyv-#p-&Wc-+lHjujLd%ko?U{uyI5j7B}SFs?t1gPlplFlrOR(T
zZr<Cw%x_1x`R(j6zg>IeH$4A=g>xlxcX68p6nT>81#X=GKrj9ZH&smT<akZ(O{WTv
zC%<k|k4Tjjv6z%wbAcxRCH}-8d1Zbr4&?ZknCEcMkl=azS-1}|Tfte0dP;?Rh6axe
z_vD7=1j1J>5qHZ2;jS~n?e!6{)R#2zjq|G>82<k?&ma=5TC-HaJ}|Pw1)r9Ek)B9M
zKJ`M3@t$zcf`$9a1LJlBLxJKGDrM-G!Ac*_iJg9>D`mmL7-pY7EV`FfQY&DaJ@>Fm
zD&miGf=5?LIG?!N*?XJEI8QpG9LL=QJxI?rk?fu5<2)8IU8HugG~+a*!rPF7_t39_
zx4HLIR3Fiy;;|#TF<fLe^t&?FKYT<W+_O*c2mD!h5Un=IF#<lk?QLiRSRzW#!#(>3
z3r^q8tGRDCF-H=Kgn}PQl(8ldKtlWtLK4DGjQZ~>m6?@T^!e5H^)}A#TkVoQ3Bc@(
z1~`=5^P8Q!tdkCkc^_T{aT4Xy$oyyc{^jEtsM*;5L(-sz*d+PnHV{Ql<p|=Bg>awi
ztCX0qG9)LWq<dUv;O|P_kXd$RcG>1WW$QkpY+ty=nXO1*fAVUZqGZ*SOOh8$&q5kz
z0CMvEhsDv{M$h7ja$q|=|08Y)Yx93ZkLc30E{<)>1ndyR6~GbwK<>LJ@hUd%qQndO
zcO8Ez(;1z%M-31jkodA-g$ctwz4I-f$>mIjZ;OR*=YA@Dru>;vNWKtd3Y{#4&euZ9
zjLZgglNvULeGfD2drGRtB&ktE4f*m#YPC`%`X&;33jxMq&#%y=S;4z^N##>NJpV1m
zUM5y5+uI<#E3Z(ZhhH4Ao(bDSa)+>}8$0f@rz5X++(*cYe`wM=Zu^yA8Okc(9J1vn
z4+6hW`IT<@Lntr3FdrZKN3r^1ed=wn-$8fX6l1bVHkp!rUD|oZPqB896i!R5QlT6&
zsLSr$G(UxW5cPJ-RvmH22$7j0l=KQ96-p{Ze*1|Iu9OI#YEi(&a;%HZvN$pH`Zc4a
zTocM*y5ln8lD^lGdK*?}4}=1pkp^1ZA85n?b(@=TiC*s|6q|5dP=-Jsk56&Kgwy)A
zs<+?i{AT!_WRuh}uArX4*i`{;*XFB+vXR{<Rg^@nunXc+{ZN(n8(P_gkfpAy6Rv=~
z54dVNQhO(U;iW>|Km1v1Sj7ma2Q0hEL8G4=VeBSN_!=J!PA9qY={u6-p1f`IcS1n!
z2Y4P%7mk+7%CGahjYpDZlZHYbZc*6hF)5uGW%P)Y6(QD6q4wtS0ss`p?_zi*F+9KB
z%&GRQ%FioGx*zp`B^Mv{LM6A0x|XsN=6M_R%f9yYgasnZG^b)AXZ`gN_U2<}-iQ6q
zN4UxyK`PdymYJC@etCBB=^4dE=4tWDbn!{q#ZS#BZhQV!kZ<|^^SO#{qQ=-+F3r*e
z>P}NmZXS-)Ry;+ZLwb}zaR?MQ1mX*t8Pxr!R@PAOYyzPWfg=R^TJT)=(GW*d4RPeL
zA8{=DGXNc(_I#v+TaR=2{8$8kXZWgkPV!IT`FG}ope;sWv~~%=T^?=6a!<;%=o0o-
z6Dnoq@h*FPYG%oYzY?Oo?FYre^S9)BZx{Q4PotqV`1)61Sl+3#JQyEb44g{xkfa{r
zTKHXO#pIozN=!y$EW55-5EgTG2n92tSio@;WfK>vGlHQq+M-Tme=$%qn$4$K?=o2v
zi&2>BQAP<DS27=v&Lt1mkB=4GG0&__{)`-VivH_frYJ#@;U}+fclWaPVj~@qS{%*K
zDDjM?^*hi#G=;7T$&hqWtgLj2F{u&@r9)FpiB1utA|Z*17A8WW3b-Rug~L+#8*X6)
zR{i{EJi+<YaI{9SO4>1xGASe#{^5#$mBHIMDP*=tv(sNBoxRe&>f!)Z7XncP6TIJ%
zyekDiG*#{1<oUK4q<(2C)7-#s$SUZRuL=zSOs?@Y$YwX4?LV(eS;*KbwS35TRaK<+
zafsfea;GDut(xA^dy=2g?cC7*-etpT3Xe3KyBMw_(ezqz!P3w-_;s#mZr9Hf>V_wl
z2T@sgng`qv_BLG0jBDlY;#U9r{QH1^A9|#Aj6JxR_y^3!K$RTJLkx<+ptm|p4!G-t
zIP5;YA9*c&$0<Z}a*|DC_3EC?B2cP*AuO-K78?Z1=cK2mixc)uanpo-Li^EV4nx|R
zlej-!#+Vk<IT64JW)um5WBq(S>_xzezoWTGYCxWi9QGE}Tm4=9d!2u8@b67ahb_>d
z%ca8vU>Z7XkuTvK!lJ3m++p2edVDjm68qAQ%v7b6)O9KKA#*RWozY-VO|FBNIAS|)
z1w6(Do4<a*%*t_THY#00;=ejms#v_w<~+pAzPeZh0)Tq9LHzLiB}RrX(HRtyt)B<_
z9p+|FQz`LP6z6iDJqi5)ol&=W0_+GF5nziwL0K&<CTM|7W7IA-J3PGQs~~=$tujww
zNQpK!{q18_bf&DpABfJ#lOF-P4QfV^+N}0DSLBa$MfmD5ck>Ff$;a<_-lYT=$^L+b
zNYv$_2|OX$yI;aUIQ&{Mae;lr&OKWmQ-()yLdGl09XV<&xyIlKa*JQ;mDP{8&3`9z
zLb2zvhMefMJ1MZl#;NHg7PKs6{Ty084HQGmfAgd@%ybiQIvC!D%Opo=B8{Nd%zXMW
zvXQ=ZQKyR)=(kKE_y{QW5aj%>s2E+MghNa8I*TO&N7udv)hDstlvH0M!`7XricAhq
znk!=Z-f!b=5QGOSFZ0-ngRkm23;%N7mm3YxB|?1|>|<0~qX_l$x>ZLkH=H-p5>~e;
zm#fp!+=LaOtPJ%vxaFCzsd5rNm|5<2TW)fna;yOFgkngZjFEcm1C=~W5@DTfN*i-o
zP>Ct`fG=Xdc}P`0T_qg{32rVkqn4CKAOrp6O#Q&7>uE1yvf(-T2=|mD=K-n+n4(~h
zxE--^8~;juS(h#t&R_2WVsGz*FvTgtEEd9)Z&$()5~H>WXL7lkeyV_pR!+qhiRP}E
zd5V}F8VE7NZqeP)MVHKqO>e=t^$nepEDTRmP6>|FdrS3B2ZmTh^N&OZsIk=M{I8r~
zjL1~#F;nR>U21C2j3g1Yv>dB`X=K_%nBWe5fvOKtW2xnTy)O_`U%#O%R@YJ;TouXk
zIAKE2UU9vMA<3#cHmj~!1g5ULmc2x{9=m^)3^R6ryZP;S*8H}2@T&k-8ZRX<gn6N3
zR)Lm*aSk_e?HBQF2^-Zq+7TwW*h%;)YU&CLOI_)jjQ6LwMzyYNmN-YG>z*S5PwI|L
z)ot%nx5d<*V9p}FxmDY>s+(JD41hS5;(De)np;Kuv?Pe=N<2)H2CI%fkbhtxAG%Vp
ziWtZeZa>HNC^<)JSP_R?<o{vs-2<z<s=WUvmr@Gx6crU~tWR5@X$>^cv{D)<AqgaK
z0x1cFme3NC1Ef8<G&$i?W5tpp*tEqCDx<N36`f9v4mzk<V?~QCqiID&#Tr{wtkg#3
z9kF&gNzVIOd++C(bJF^o_x=6;_|0iI-*eVld+oK?zF(dvs8O?_iwD(;R5m9a?&wu%
z!qzY7nH945t8(l>mS29SPWR1Tx+A~WEDE0bCjB@)?@H>5-t&Ix5waq$?AfH;`ofu4
z_*3=fa{K%7sjws~l7(M-taXO9+OUpztg=w7&v~pX4Qr2y^%0MCVJKFM$2upO*>SYW
zYt1t2rETdNPkVlJcjbZmRvu7Ap=K{zr19*=k<!aic>n9y>NjJD`~_)W4W6yta*2+8
zCfKvk^i@s!CZ}Y2dHQ)akcsiAl_*d#c-&k1C*5KX>nn(Ad>oSZD5@4qPs{y4wTEPy
zS%FUTJ@<8BF>90iR*DwVJ}YmLQ7KlqDVjeN#$)AG{7sVs`pAEu?1bp-9aO`OWb^*=
zImQRZo?gcZ;Y^P<;FMzk`BMfQV=F^vS^cprhV&<%lh%wc=lznzRe~I+s<B?VeCsD5
z>qp63$p#X-len;}&ioWh1EusMs=Ug^-(lc5W8mekf#bZ?imvLYWJ-BZmW|5U^H~L`
zdY{VKoFS+T4KOO{yna(UGHHJ-x?cK{`5}Gd{0r~BLB?{?eP1QTwvuA&aI4qXL{!S-
z^)uoYwM?|cowvHF&l4?X^7P_^;+m%%cX_?u`HYUTBePwi8{st{M>wPGpd+oyBcWdV
z?btNcEsun3b7<$V2dtg7_TWoLRQ9BcNaZTW*e}28xJow2)4SG@|Bx%c4tf3TLdO}m
zmoI!la=BJ7GMp_S*;&QG^ir~bQF*yiJwroYWNIa3cRm#;j1Qbt^QqCruxym2q9)Md
zelF`BHM4(*m%?~G>%t6XUAl_w6Th3e)bE}b^JQ2*On=T0tc?A(JRZsF6m7??#M0MK
zy7rAF{j#kR(odvelDhmev!7+jz1#reE||P};)qnK`|lSE+!r}1+BQuS_5mq?9Y<F?
zdkA_4v4H;c7&8c@S03J7d5FaL$sL{nl^t;ytg<umDgnOgyk7W{VjdxrN0{$^QWc%r
zNRm1#2Qnh7W)~NB$&QU4aNAxC4!Co4J<u+5W)+_%_L&7-#AT3|?eF9MQpX0yu=`}8
z{DI@D)Q`L@)8&*xR3%49iIA%V_hj{obqb_oXgh9-Z_z*EQ5oM=`CZs$7N<tBsSyZM
zBVO8tnBxy~+tukMZ=>^-DKXlQyd*i7WRz?rZd5b8`Aik?s99pqLBLnBG5O?uQVKeo
zI*Z0sr&)Yz9~)@qWfE<Y(5UihQG-7gtYI##3aKLx;3-!|JSoRh!4c27P4VyguNWQC
zZ}W2o`Cp!Prv~e!1a}-=;El-)$puuQGqQ6}6*A9-@bl?2?a!%<GFd($N$RR|LQS%0
z&w3j~@pwpAH7(_yM*UteGRw2;a?g9Wv^2_652q>@YWL8a$DY#j*aCF&nkG6j(yPR&
ztecoR%K&?UlmrUT{Dr&Ge79cu7oqGZJ0)X=tS#rbJ2+3ti$qj1vUw%CDbShbYtj6K
zTAo2=&w?a~``tOZQO^6RL`3Dw(lAb0%I6q_&&2^4;$OcwCauIIot*4(sI1KIkQ+_7
zh<(&-`R1LHEWp>ehR4OYT)MmRC|u>K^M9dzt$zD+^XgC7*;pxZX1}AF{SMPl9aHle
zc$HLhY4)lB&d8+6^aA;`7hM3jQx^ay`(~nl=2vQhPkgoQB!6N|Tq}NF%_yYXnO7*1
zj&5<LP~;U0B3#YbrVHiELNU)Kto$`qEkjziG!<X@OeaS;j867yc*k}5<f%M%P)*3E
zXUB2oW+`{5R4KC6TrTbJxLKH}3)C6iqQ2~S#>=17smPX(No5jWRn<Ox$~Eq|d-fMD
zn}FK~q*}YfgG@!WPN&=ZPniX%0}iH`;UZb77m}0^?^2hm>bs>)xJ804RKKc7_m|ry
zT~nN&KAk4vxmv{n^>?|XQloFdl>0iIa#9V)nRor`S*MJuFf@>}%s|ehX&P@inJk*e
zde^9zz2y{X9hXMxq*dakby`LeDT_dYAC+ZvDp&qpsr>5CPLAYZfv3v;cKK6fuUu-Z
zFS?v3PbFblRR3CLz+(UXt$FuJlT(uvO#XMhE$2M)Af@w+9vP3nG))hJ;)<e6eae3O
zcPQKLC_Aa!g|ve_x1UmP4N>i2f#>sU%vZgkI*z%nuKuzIsBF1P{f#m8b$)m^Dbemo
zU9J{O#&|hWRdwTy6y8n-K-HLex2H~0_mkNE-8|h-zU{baVK2>N+f}4|=aj2M>pR$o
z1I_>PAF4Qq#oKR|uA0dS4JY;5EcaJR_)!sF$L!RZwz+-TDcPiu&5PgZa$)OBwuL(0
z<4mf}_^!lI@<E0#hJ(-{#f4oFUEGIdgD6eZQlff&VwxE@1D@&=Z(ymXXP$4;ZQ$Sq
zWRgW}Ar3jH`@Abc38^e#<1gvq(|39jSr-X@b%w5cp2bhHD0ulFo!R8>-7;_-U@x6v
zuIym(?jM;=Xi3KH=zpb$^Mn3*=y^MspWOUZ+0Ui*9D50IPB?z93iAHeIrn|wfF1}$
z=YKja=;<^6;Am3Wl(EocQ^rDBnsIGOc_ci={rEjn3DhX~onNWxiA-^2w_WxNwo;$=
zF<|atz}&UFvg^K;UFh4RCnJm1OulRn6l9)0^PL~L^=XflkZtEZ+SQjj(exhH6Kczg
z2(5Iksa@^uFi3i#9R|8^RmwLrOzM&EC%XIJrAB08REkZzOc#EWOr+G$r_X%SJRT+%
zJ5!>vJ?FvRM>DB%dk2dZf+4PUi7)FnYKY`Im-sUw?)bnSCi1W9TC6jDVb@FE&!YKi
z)woBdOM70Lrp5rDBS-XVVNb|SFH57sO%)6gw3=I}Tl?kr)%f|oO5(5F#pGd+Lq5c^
zk>>3F{-i1n8R}Ht%uIc{*lQGx|2ebv8|Xzs3ID|;e4L@epYY>!Jt-2tK9uk!frM9^
zgunQGFX0D&M#4`qyACBhWD;H#O1L<6!rzrOpfAUdO4qpC$?-aqaG@{Zw@bp6dRk8%
zmHyt;QR#2xD^t|>n6G*ikPDP4E9r$@+|-qJzbE76gSyjRrXLwprSt`v&+3M?={Xvf
zdYDjgKI(Cn1v%;+QaVndaCRKs>Z~`VHRj3m)tu+ww{{RSPfF)5b>jYeN$t8P_1{i^
zpB%=?gU<9&X30AZC+MyV;Tbd_Crf;_UY@94zSXNvgGto+6XYDfKJ%LG{NZXY$L@A+
zP_hM!o`XM=n*kj;+dnWgAu*1B-xNFqcIS2}*Es4VeY>2aRN&$#_Hkk9+v=?Sf}am_
zlyf4ZV=*~Y$KUE6++=kRPBOh)W|CZ3yZ6XenI);KYuR^S_6?=1(pB~)xgyzzjUuBj
z!aC9!9rO7rx{IcFsC!rU$rJhVRJ|<3o<5UBlYD7AzR_Zm;3;)6K~_5%ynM_UkhsOY
z9=-C6{P|?LkEeS*InTi~xiCFdIO-2YpHhF8z0wgqhUl(L^#uA8W@bbbr6h3jN#Rf0
z{edB_u(C+Y=y=DD4-9?qgE?r$)Z1~_%NO$f<q4W_GX!tVV^e8fr3;rgI=Q#t%k(XH
z$!TM+y148--6N71{wmg-mF;f#X)HMhQco4aWJEf*i}#y3PXYOEp5q=`{L^P{>2#lR
zF*nukTd>ZNH<Xlj?t{GGt^VDWXE=a5t?VO>TX|B7?`QRq+yXgy`Z`6XkK`_*FFEtX
z2`PPYB01Wv_LEsq59+`8%eOPCD)Hqsw;;KPxM5H6s^Xi9cPEQi7S}}YpZ3(BY-?rt
z{WAosD|Ww9vHPddD}G05j4%JraMqdSKSBMye@xi3etF@0x=7lxqPzbP-Tg`_8j_O-
z%6B}OQGVU8I{rYT8oy?3ac%M1;#-Svdvec)nU4Hlo}`Y6J|y@`Z^P)or>w25r7hpC
zxM@*|-Lhdrdn{qMbPzV!ZFS8XV|Jb<&MVkDtzb@kYrfsycvsB%b;X20{Q8!Tc!S;C
zlCaxibq)50#&}FtkLu%3XMMb-{tl(cZfb0As!P;wN-4Lgu6>j36Hc_W*y|fN&J<z0
zv@TI+ES_t7A7iJhPs@qXekt1?C08zq>CE~iQ_FcqIkHM_YtSF<v5if!=7e3}($?0|
znus+_uof?0UTQ5Wu83L_#N~4*Smn4X*5;`3GBRyuVfzHDqG2>gWGD<0i^ev`;`X#r
zG9Jgyo7R4XPlf9jQy#Icn^gL?^0iYMGwoGvEzKM4J7U{zFfojLYg^04wz?*}vB536
zpzzXITQfGb#p1EL_L#jn*4EzG(mWR<XHFykR%KmlYa^;FmfLj=4Q;XZc5NO0Tdj;W
z={a)kiMm8%y(b%%v*+8Dv8I-`ZFXW?tFMfUtE!?ECB-!r%a<vQ>Ex<!uC6JooM5Hn
zuWY`fxn)Z;rZrI8X)jw7c6;6CSc6o*M$hxu6{ke3>TT_bSd(AGln(-1?P(OL{wz;y
zinXn5kF`~!OzLt)gDyvrL#VjE9^crF%^O;L#i#0R+^?skr6Fb~VptV$r>@_tCs-ao
z*ak?ZU`~MFRJYY`t=kyW1)}+Oo<@~*Ww_GU))Gq1v?oU&{9tOM`N7m2ewy@@v&YDv
z;s;X<<WKQ~DUO-H^>{w0F6d7xrRl)jvT@QYjkU&_8)D7%+gz4v)6)uOT`LttiaUk5
zqF>dYB^^zz{(9wf2u}Pew*jWo?^Q5U51XhS0l{hQTE@q>^OnW7TwPkN`U!_$Qnk{q
zZjHqn0$e&C6ThsvZhbsvM`zn5b@iLPG#q|KL#!@t(_Kh4Zt?oJX$?C4;td-bn;R3`
z?54W*JA4*8{K~q<W;?M-4J55?jV*1+ikRWwTvlx@TW%GvsJzZDjkVX$^m-cc7~Z5V
zR<?A|`z|Y9R%&lB-HdXlv_c<m#d3QK>SIbM#H(2q_2Pzjt2~bQ#nD+(yrR^uuB!03
z!lS9%)uk1SuJ+|sj1gW5xg_~^ydB^=@f?kQrtqpu?c&zfcw;?Xr1Y`Q$B9?k*cPi#
zkZfg%%Tzqmr)`MWZFCu83mx=|<<^Q-R(V}>1Erf#W$bGS+OMXMm*{@C+Nu{Vj>lWJ
z*bTAu9X{QXDn0C?mbUs>8lH~V+|oRwF5bGSuDPQL(@ebTO?7S5MCqMWQ89opqG+8}
zZH=3mXu$DR6T{Owo2W{8SJ-uJ+S;JbhS=stY-);0a*oaw9nHFWw=~=B@mQ?Y$D>iy
zH&V5U!Kh>0=cK1Q?UI(Zm_6ID9GxjgsfESWWfLrACi!buV@G{mJg(hpIRzR<D_`|T
zvsYXAi#ZmqmHub;YL%FyuCX~0QxgwUNR~5}HPB$%8e0=iv(zKO!p4NOuDlLiJFXC|
zlCM0Ovs_{2$*koHGcGmK_N|KMI+b7bLyuST)ponMiiUP3IL5eZ=={{6XWvxU)~IT%
zk`&`48DpF^Yj$DfLTlFh=J4;Fg2Kx3yR6yQ&Jmcv*eiW&gRSQ*=&o+u*j$(BX!H6X
z?JAF9YxAAL@H13~T*k7Jl5)Geq0L@VU2IpjG<3u}l;5mnbxmRQDv@b3=V11tP#bcJ
zN|lDSroN@ARVF#HhPBq3_6D2T&su9mj82cT3HDjIp`egn%XOcx-HFy|@s6cqa+$@b
zn&-~B99x|JusYVJD!VQ=-GWxc+T)E)6g{0tY@@G6Q=2AO*GgGjcdaT4{(0YQ{<&KI
zu_i?qsQJLDr5g7e+-`8S!2*M}LCfITB|6@5g9i<^8k}QrlEG6ITK-Xk+YPQZSZ=Vu
zpykkwoyu6>Kc8PpCiuL0iN-IO-v<qT)!^d>H#D|2-8QY^Hfbv}*Ecp>Th>cS$yBzT
zPL}>x8c(8yx;%3xD-<<fR_h=UX>4v~QKc6|nj<5Qa9C`4tktEJ#nv+UXXUb`%a*TN
zX3@*kw{Ej0EUH*hNqwiYb4Nn2bg3I1)C|uIKTCS$l9twOOp_CvS^@)%>b2CmC)h|N
zx@BudppkeCr`h;Y(#|#O1aX(&F;bWD!sfboqpSklb?1gU`fla7dOZk=k5qr4)mdfD
ziMDO6E%ar!4EAoi(%;GaHOQYe%Moz+cCmkz;hF35m#amu6U`NH`PHMAj!MSioBT@o
zkl#`3y(M+c_N)SXcEPOoS+lO5d-a^Th1Xhb+qO1tZoOk}^W4N-%UOY0&Gq%0_@}+W
zir>}VZixr2`Ym;vk%(<*x7yY_U8Jc;%=z2u>JwILobk<)g@RQdYfH3SiN-suL{o!R
z-@*XU452BOsMA^+8rv)ub*%C&dWrQd?J>c|4cn}?x-C`*6EZ0%t9?_;77;^5Q&USb
zUzK%&6a?!mWg=BqSt&}zc!n>LXlrTO&@QxiV|zmVu*gNcrKPpqinnZRu^M7duUOCQ
z6mt{tm_$?=Y1`PWl1G^u2u(GxN@`ZrEMFeA^Xjj#n`4d4Yx8a9tcyFg&782XqcNV4
z?o2Aqgq7_~6V$IYEv?cpr9rN>i=<}FpRin$=1#Ef8IAe&j2YrMx74f2xN<LbbwkTc
zgwlO#HZ`(3YiEio6PgWm9dTA*svnS8GuSAZF~gLQR>9yU#bv9>{|5Y`(s?6E)WzFd
z(xuZX=_toJh6d8v(ny=9=fUN)BI$6Hb!_;|m_dm<acp}jlN@$@n7FYN&9@s`nlDe-
z9nGz*b5x8wBnE{<&6%f~s4NcZsW`GnAe%-)RFa!T(o`<3e{thxwGklI&GdIla+{G9
zE&6kls*7qbBGzs*2W1sz2KaUrWrkBl=cx{bSk<K66l-X#!&*i$Mb2{yq+sjpf`Th_
zOt&h}!(vHJVrrt~K?^x`(UDO?v?p6JJUOZEL~_NHoDhQ|x<wc%Nl%GvXxvJdrzd-!
zywm2iC&WIfi&DMB!}j`^j20bCB($X>?z9mVMTr}w(sJx(<}I>;z)XY9I5zZ{Qm<z_
zM#WEv?{!<ACk^@nw>-U}O6{oFYotrcSC;47PG^;GGY8JM>1Fb5>8<k9wiM~ckfsNa
z*mPw1w(1ksPKe%8U2U5ds+!{r(L`-k70fe8sDWX!WOc<=B_$PsxXqFu@$S4vW{6wG
zeWre@d0lH=8zm@%v|?))I+-yQ+KWOH((_EcH>W#<*1E(d9ZxzjH;(w;Nh%5>EbMe@
zZUjfTO1f<(2ph#J)ubc^={x8*@RJ+Cmq6Lp*rIAr*vSUc^tbZ}VvTE#mWIm2KsLy{
z9H<gVmB5OYrqKx~=~M}5=~M~0UB5Djf1->9%5bTXwu(4&LP<q&pb%%M@hg>GB@Aqh
z8)Tsyv+FmB<6MtvC(uUy@jNHgG}hl?x+k9lsJLmwE7>cMDTwDRXBc%OI3-wO#@BEJ
z8E#!+e}OOqtMd!1NkgCoNNe$X+AYgPGM@^2x`Z=?paW@Uft20&F#K&uJIxuE=dp3m
z{K|8hNXvjt{|JNOzzlE&Gbfa-E~AD7j1G?Hs3~;^czdP{@y<jrbtjS6(j4E$m>!dr
z-Ih(UW_mg4>tr<2sY!ucF+uN~#^k(Wt{7&H8d}(IqfR-K=u5Pib@RIxsHsDl!C401
zZSVqvf4xY{{o3F&2ESqOlLqfMSa0w;gVPMY+2HTrsrCKD;I|Ea(cl9H?=pD1!375M
z4dxnbGIstCYQO%EAO7F<!-b)G`0|w0>Hj!H|6b_#;n43bq2ITMey=sZs|>Em)#<)s
z+QaUP_3wXtx5jG>{>aGv_&u7w-eAPY|Jyq>-K^X680lNVs|loUq3ZQz(kHosO#I!Y
zz9k=L^&LJzRO>{xz8t>j_b)abzOu(=-qs?!xg@3c7uAMO+LYN5V?rSNU}o(vb3VUz
zS>Zc8b;9Rc=!Y2ILO;OpYh!_^4#TVoH4KxZH{n7@aFTdMdwWO9(@l8H_VwAIjFG;N
zY(tk6+a)Wa;SDl2I^fBsADd^R_==~G-&lVHRa-T(%1m*vVi>{0LotT!1&VEPTT4f(
z^BA`3q)<7`v8zKR>c%xkcx{avHzmv#tjeX<Y-SI7i1m3{YhKvGDY}_?_?WUqNV>8$
z<EJXM{G$uTL}O6o>`?Xu)i!{h`TAmMRVA$OWuc`;`cYi7DeI%_qyh=aCa;@FV1vo=
zqQeb)Sxm6ja9AdbQ?*6f(AZwjPHFvyCjQm4jJmjNovIUnwQf49GOt;_bgeNh#E{CY
zSpkMWAC~O%78YE0tv$o8E-#*?e$Or_oa6uP@n>IiZAd~WwEJ{bpke7k4vncq`s_5l
zTxCE`*V9q;mx|B%Ise;vo7G9Q<I-?{;+zxSvrg}8K4kE#YxVC(%<n@6SJkyO)4#Ap
zb7xfQ%+0?tR{fi^5Vvar=j^I7kJZX2m>GDzu7=WCIjZ<x=9ImyGR{(0myt!kt1CsA
zVboQW`U_L)zF~~&Ris<cUL6(3rgq2%7uz4(><U>pI!aX^WExIutc{Bi(w}fx*^1G$
z!r5D$n=c8yz)<6cTu|XYOFZuE|H|Z4dT;WjCjJgxTpXlNE4Y@#Ez!)sSGJ4K<)g<1
ziLX*{ZfNA&8|ff85|C9jD_vTT>Ko0lCU<a3tE*-dmsXWj+8bKhxMY)NQ<^=xSY4B2
zSZG^1z+@8uwH1}cVYSXaIE#e_y}#uRj@5Ndt?^hJ3pdBLx(87X=9rJmBL2QnF?~ET
zg~Q3j9QkL~wU(PJ%QeL3C$AE#Wr14Bu`P%LoO45Ud59Q#X&<yn5}#JD|1--7YvDGQ
zoGoo!(V_6$ypw7fx8=0PY!QT;p*oKf{;2Axv#<EFe_hj(;4pDibeCT$_e|7vqoA9d
z^ebfhQeQ`EZ1DB3Dfoe@iJEtizAt{j2#4>b&)}ItzmK0%zmK0%fA#3mQ+dcqpAMo$
zno78&gwJ`WTyIiE6=k^^IzD&x$Vry)ZSHNfu~F>*IO!-pyFNj#b1y}mVwULY%AU;z
z&leJ3%9&G6Ki~C*qaVI*3c=`ZJqhyN=x#j_{Vb*HL(%>5J-!#+jjtMs@1GeBdOVnI
zaE`%+2Dz;r_+%1So<Enzf5sC6On!v<^8B{QT|kfmnn;kBf$*rBC67-`BJgK2t+x{7
z<sk1MypzCtX)InbWnD^`M!13?_lRc`-bW}Rh~*UodG*0+LLK1_!e+ufga-+qCVY_~
ze}m{pgck|J1o>ki^47^43G$MreT452{zQ<sn%+csh;V|C%fst&!jpulWc~p{CO7+c
z5GLV>FA#1bqi-RjrwC7y*>92A<775TW}{^E@e4sRdOjKb(`5WdMr+9Ez`HE#a~E6I
z*DfLdWc2%ami0ouWv!WISxcE%eB*k{`bx27m6lu9-ODZO&Q+Fm)jG?1w$ZZIC(!>v
zXKXNw6<cj|N(*)Ra%b?70|3(#swt}sJZj;f4k}IOt+(Xl<kApAo1lJK+2{2C)?1k?
z)K;dV-x6zUX}1>1KDTA(F}U8$%1QQju8?yat9n`S(lTp;7)<A0S$7AWtLzg6+upR9
zvsonQky~Q3@fWLiJ77JDRy(dT7Ys(VY3^*rhF3hadq2Zl@d%^Lxd|EQrkok9%MB&w
zMGGYsX1Iw-Pf;lc7Vde4v7Me`tL{f+;?p8?24Ak0ITt-jQgPKuuDV~-6k3Fl0lcVs
z54{ZV_2Hv<Y*r^^vY^s6@s_pd?OMA@_5!I}Y7e@6l+S&P;GK&A!*zqWT<;&JP~|Z~
zs{D+AD&IXQDpYevUEC_!)EIBDYPf3>#{{#ZU#-`ND_a|wkyy)^&(txqV?Eixv{Ys)
z&Z0}KuJ6znpv=^j-oyKx`OE_KW4poq1`iuNZqPE={)m=8Yw(mo>$94E-2C2Uu)xqK
z89eLA89Zokk3lQ+Ssq`gC|eA!F}U8~CWFleL(#2!4gDd5`&zZW&zRro)(z$aN}q92
zg`N3UT6w(8Z7EkW-MU7Nqw0pFwzSGS(Fu&%&iZHUdy;aKf-628$A<fzX)|YCOM_AO
zdV(`9YAhc|zqF`SEs@<8$&XwYmIh=6j(Ni4vOhom;~-xb6wbHm*nE1lRc4;z)2HNo
zdeX`1<~&+qI9)9_T48EA)ft+zEgdH;r(5#tr>o^&KV2>N`stblk{T>i+}B9a>}}@|
zT_vIR6WUth`Z}L=BfDGM%=fabjR~riTzIt>$DFUuMb}F1xw5mClI%&VYqLg4OPfzV
z#L!npYt;Q%Y;H`Luhnu}(R@d%{^r~o5_KVpD-$+T%LS;eY{(W@Ylx0~Nk>~7S5Vvx
zEmKF(7WXU7rPs<1?yhqoPCYH4f9R}Lb4RXq6Bj8Rrbo~MWt&l~_Y&gzdkIR~%vW`p
zsHU+grhKTsl+-oX$KvL@$eOQ8R+r&Ic``+wQSkp<*^DWEf;PZhEGlkW&)wlROQEcD
z4c#h<bKgN<q_tMnH72UJHP>(Av5LmK>f|JPRx08$lcD0~28m*ocIfN9jvid9M=;s!
zkV>ZY%OXyGX`b`Tc-{G_OH}=$lWk_tpr)m&r41jl>=ENu#O~~fwI^nU3A4k5tHXrC
zFu_{R#)s1u<hxGX*DNX;0zZ~-@Fa|(N`UK$Egf7Mj>;WHi4h<u>P>ZV%pS!vRnOyU
zwQ79Xny?m9>UUVn)$O}dxvX5BXk%jRH1Dcdo7y#@#+1mshXU56t~};cQMD;#ycnRV
zYqG70YPtf7nkw8H-$t3Ph}Flq48vYykT5$;xH?QI3=^z{++?T_!{pH-u7+_Z(f7MT
zU$vt;no^K;xVoutRdX3&G<6ZzT{oqWWtdf|IIN~RQP5fnQW`)t59mlERcmV@D{mHa
z6>77Sigvc5J9VN)_SCq#8w*g;=%gb>V%jp>aE;9!T2hldIk{ILhUmg|ekrBF@}`qY
zK~>$i-vrZ@uV8=9SYjxv<OzWw36<q_Z4F!M+G46URmm+y<rOhrC(kscuF0)bdT=lr
z>1BfYR6i3W=}ILFdlGYMpc!IZ7n&%vLC1T6M$&HL1&AUXAeeSS=cQ9qHyN#k-2ZB5
zVIb01{)wcETlp<$YIp)^et*Nv8=p4#6N4`pe8u3K?$q<k=>~5w7&W-cV7<W(gC92d
zX@mb}@COEeYjD_LMw?FOO$IMAc%{MX4K6lVZSYouw;OCX_(6joG1z193kLfP{>b2O
z4F1VrR=c)mioxjyuQga|aD~Bj23rh%z~FrbdklWj;1dRaXz&GtFB^QtU{=D|VQ{L!
zYYg6Ku*KkZgF6lGGnl3tykYWJjGk{9{E@*I4F1vJh`|dxwB5GBSq6&@E;o3a!MhCZ
zG5C3d-!%B7!5<oY!-j_hpEL3QXfSE;ZJV{dR~npWFlz7?gRKU48hqH`L4!{k{Dr|#
z^41>>J#&jr@2v)>8+7Cg&F_T<s}05tZa4S|gP%9}uLhqm=;(7$pIb1<s&fw6esZ>@
zoFfKJGrLXd=9fNGcXy!Fy-PV|_b5%~iv0wOYxZ(_$Uk$oI$Ks|oo-(yoRBiPl;x0W
z*d%k-Lw=NK?vA~mp}uRb?<QK{89~-J#5HG7vRnzoH(XB5N3Uem+KssCc329wjvMr+
z+?><r@3OZlAG5A8C-k-m$WD*luC75g#`LXw=iEadCizWN>ocqf<j=P}gRfSXCWk(b
z*5dNX<0vK~4qxRmg@D6%*8gFVFhA@lhd<}*3zR?3d`;sd^SjmjK4S3TVa+f2hLJP4
z&d8rNd{aNoIb6N06=eTZ?WfB9O*yBxCa9&M9B1mM>GfjN_t>|gH_Bm+E;sk_X;Xl@
ze4Q;@rQUaH<+L3)eeWuuYlO=7nCDS)-sIc{;UqceVjRc={z&MLPcG<cCFhD+>U<}t
zNmYoDI>$2{E34<B<S<qCrMZ^8UXBfAt3-W_zd7k}pPW)RjOC1Lz3<YE_LuZ8zRQ1d
z55alfiYEZ5^Bg0GC@X6g&6s1!zq785meG%J-q)V~I1t0UttOo2`>?H==J9;XUPOnd
zx59jTxUzdBXHm8}^~MP)xb9x1sVK6iAz~JDGj)fV^FqVYC8Nre6VAKXbq^G3+D)vn
z_MpW+vqK%&D#ik5Cz(kvcRb}$GS7VBEo*7xak%zPd})qZ3u`!BWPQ?%y;|BTA?7Ug
z?`&^N*6>XEtF7@Ay`-v7TcwwjyZ*ih?@fWY`*Ow93C}FIxOBCh;nrT$BA1o$5N)b`
zAiHeEisdUfRDs{>?ln&1zI#JUtX-Xi$F{QgaO$lw--Qz&(&O&04F1NTBk()(`>zK7
z%V5SmI$nWYkTY)ll{?FK{_Rbf)_GR;B&*=f1#cR6!MdI08L_NvMYF7eOA0O+ciwv=
zS(z6hGa15f7pNpQ{YK-d-=)UwAvs4r9a^Wgo;?N&jNa`g9V_(N9{T<F{-j;HcOX*5
z&4S1=oW=2*I$M-;Mdv(`BR1>Z1UX0KXic3Vz8AcTa1DW@HESNBgs_+(XNk)R)r6Y~
zb%YpUBjFB06X8w*M{d>*!fwKSgpUzEL6Eb?&l3KbAZL#MM))e>+l22BzDIbP@Dsud
zgx?Z=M|g?wXTtv?{1+i3gZvQWWpWo1-bQ#Q;avoIQ=yz&zK?JnVIE;ALC!JP5Y`gv
z2pb74gbu>{2_GcfOSqr#QNlkGK1=u<;a>?~CVZXnO~Q8w|4w*@@I%5+2rm$RPk5Q|
z7sB5N!-NYm@jKz&gv$ss2v-xXBV11?CM+e~NLWR<nIM0PAVz2;+(Fnv_z+<S;ll*^
zi;@38_!!|cgwGMaK=?Ppw+P=O{E+Z-!mkLwCH$W7XTo0z@^;RQEb0Z}t%P?It{}XZ
za1G&ogzE|O2#X0T2{#kg5N;zh5$+_k6SffUBRoj>1mQD;e<6I4Aa7m&2H|PK4+uXZ
z{G9Lt;dcaHQmoFyIUY7|*>TQlrNeedeswK{gAe=CY3)}{Yrj-=C8l5UUFxB;-zpD1
z$kSt7Yt&cd>5|kXdG+RxOD*Cqv&yVej>K=YN~^5W8?77VbeuZwUh9gtFjkUWyYn~%
z$zIC!A$_5q`Sb*<p{2e<-dMxqeC-Ww?HtVN2mgFu)wAQ8BM&PW4ufpyIYD_AM;!v`
zQBX9=5aB*pP5<A@DACMy46BN8Bf&CzcE-xNZs*N2tZKu4Y1z&C%c6?aWu^MnEkY|<
zURk+(nXTD$*mAYcl`So+E^#UDy#=a@y2~IaAC5VdC-g+cTI4>LDpN8w-7`}_$Ma?J
zn7C@DPgKoD3|&2bWugdO9lGl%Hc!EJ#Ab$=#R)bb*RvhoZa8!8SW_!6$Vk*}49l`%
z>nA%VncJF<v_oc2q%Bo-OGYzQb(k8(sZ_ET?Zj}(U#C1%{G#JDckn=2UcnXIgyK0n
zw{n&(UqmIATVKpV^)ndy#+akfNvou^xTe^rPd(;Q)3~}RUTUhGyikTSe$KreBl3CX
zt-g*Y-t3@YJ&)9?M@H7i?7D<{LQZDkO1oIBKQpglp1y5sQ(Pfd&D><EXTR(sJ05G^
znAnteg-C|$fi?Xyb+hPto=f%Oqi1G)Yb)~2?8VKPPrfL7d)_>|!0zm1HV`BxcsNv>
zVdQ12)MS)5Q3Run;z{fo^8;jyw$`3dC)yHweT=n1OddhCm~VOXx()OYid<kZ&EDMD
z(t#$=SY=nDts`b_W5;}!wSh-VW0+{w%Yws__GT3^?%G$)w~FYJ=F3yZt#~YNeaD9P
zYPVfs-DwxiOF?P1w$Q}qNv~qfqf3$>mrrZI+?sc}b-6XI!I~D|U`^X-6<so8#<cbs
zGf3i+HL7B)nby8`?feN=(GB?7mM4;B*Ia4x{jx5#Ev^cy+hB(0{j}JAZf>ZH)1?@m
zpJ3fUVv?P9O0AJAhcl_es`#cm6ptm26DNDDOBPXc@}!1VQugvb2nz8Et|Hl%_{qzM
zMK)CaEXm%OAL-Di>zb`k9_G%ar=dBvw5?g2r)s=ImqFt;nTuZ`mlN3UmXDHHM!maI
zE0M2r=SCZw?<i|-P!&ZhQ6j3Q2hB+xzoMBpQY99u>J?TZSA<F3OKy4!wQeF~=`WUQ
z`rlJ;t#4_Gd#22t%R4n%HpjwB(_0wIOTdd2n8(qCQbs$^3(NY;!Od{!OE`|-*3|l?
zMqD|{$ycUHY;$8<f?F>3<`!PXrkrgCp1E^5?rl!wEvkr?p^mR9HF*AWIwoolGXz<<
zI&rmH)8s;~9G$+W=ZzRJI=&gE-k|-X<JZun-(Y0QO6AQRb2-?UJNNEUG(ALwN>=~$
z{2o-oB3(B;mwaW&b7RNX^*FtXGap;16eK2T>^GR7ELQXd25SsvW@x!ZSsEWVzxSKp
zx!Ibot>Rwe$Mx^R3pLgnobxxW|Msgi{h|pPuQWK<;4UM7i}`)K!MhB8#Na0le%#1E
zZhn8?;D|}@S%Z#!bBuij5uN@ngNF=`n=`h3ON@TUzCjZ&oqdlPdB?ujjQr78v_JM5
zeDyE-w`1ofW9N!DX?yN6IP_;N_qA)@n4O1ByxWZ(uV?2|M&9w`_Wz~Rt1{@=x5wDG
zIY-;^u)+O*((*qmNNwNuja=A|>Fhgc<R1(9(Xnrr@yBX|j(vxXeOLZe+tY0DOV1hm
zE)Uu_)1))kr1N_A6&d+Y8u@hgz5NB9-Yw5-bnH82>~nrQc=l}z)K>>DGWxGH_(tvf
zh>?Fi`<!$fbnF=a3GE-}w}XzHgAP5<$S*rz$J=1=A%mYc__)Cz8+_5=YX&3Zb^J>W
zp5zZMtB>)Qlg_N!s<%}`1(z!<M=sCEIsP?rW@+QeRfXlQRr-938l9}8cY8?wIwdY+
zMo{k2keo^13{GD9$5YFhLD-Xf)yO&Jq0^OFnND}R@y`_Ff6ZT5$Glv99R3``H}>4r
z*xtxgQOl(I_y6hoCm2uGJ)5jn>q<TMx97`(XZm#8`CVkQpEjLGe6F{q#}oXsQU1BJ
zqeY;uwWa-f>(AemZLm?F3@HB-{>KOZf3E|Xw1fXI0^5|<e<#SZK;iKBlx1jlMK+3J
zZEBB2T_j^uVvEI1YF-^XvyJy4(eccf<q+yw`e_2PO|mP)o^7IyJ}S?a1%6`Nn#Q#=
zq1bA#B|wU*y&sEBHLF0j6D;>UaE{W$CLqUOs*{tiMRrZa>dNSC>NM!K>Y5c5%NE~O
zvV7&T8ogVgSNlbm`1SzU5RldX<?Mi{?Eq&#!`-~_?Nz8GQ~u+vFRJu@ogB2zom(v#
zHVaa-U{nJcCyHug#9eFP8J<ivOLirxSBWyR$ZEN+LG5GcWvXA3-gRK*m|Cx6?AZF*
zyed-#5j54L!<zJs>i3qZ+Hh@M*_|wXL#ox@gh@bRy-o&R*ZvZg<Dn$<0{x9x&$DP|
zeeQFx_NZ@}EOkDZgz~wsz|*@aEID^>m=e^C)oL?9?+9R@yKmqb#41>A_vR^KpXJ7v
zZ^$rHL8K)9JNsKsJ+nWf=aa9Rb?$;U>)+p>r?G9eMo0eae*HW8&0<CBGT3}Z|K4Y7
z{<`@Z-{`!&*~q`qdHHL<*XfOzbe(zVB$FR!e(Tsh>uObgPGPw7;RQzCnLoPng-YJt
zWe|GCyRxod@HWmNGkNCl&f#P?-}@3E&ldJ<A5PZtyXQm0$wOc-*bnxDr@=u`{w{LP
zJ;TY#Z?~*`FdvM9rC=Pa1-ron*b8=p{ony`5bOhUb_^#^fcfAc7zMLAkd1@6U^iF@
z_JUDx0Bitrx`vaTU_Q7PtOa|)PVgw$0}g<F;5o1#%$Y)ba4I+m7J)-x4VZK9a54_&
zf?Z%f*aH@UhrlS<57vUG!8kYsc7l_6KC>Il2YbL$uotWa`@jU)4|anC-~n(D>;rRm
zl7FxW90cQF?nUSUqhKEx2M54zF#2KQft}!Kup1l#`@!6Iksq)W%-=;kuoK)1_Jb#c
z4-SDjyRn;xXM4a}uop~#ePB1(4;}!cAHk18zYl+LNInEMfJNQNfwkZPuoLV9yTKD+
zKX?ut0CRY5br75i4uM5r?fv*2>;&Ur-vjs?%zqF+gFWC7I0#OC5AnbvFlP_(z+5m6
z=7U{e5!eGp!9!pz*bm0R(_kk!1P+2x8~R6)2Zz7``MnpvU4q?U0xbGCdcgdB#FO9P
z<V(>H=7R%Z1DNxV)I%^A+zaM|y<ib|6pVrcU@dqKjDtCs;U{n^*aH@Uy<iR42gbpE
zunWxpBz^^>;0dr7JO}1}3OlBv_tVG={uB8DyZ@Pb1m=H%bf%#nECh4ENWQ>Yum{XJ
zh+n{ba0rZolcy6O%m;H0lP~!V_JV!jQLrBz00+Qx;2@ZDIerAEf_;yZ4w&1AJQxR0
z3;zl1pkEpMHheJm2ztOMcn+)ubC`|9!Kq*;SOj*1HDC`I2YbOTun+73`@uut0N4)}
zeTV+zO7is-@?bA`0PF|*z}jP^!{v_Nf2ZDq@$aJt>;w;igJ3_{_XG6se06_6c7VCh
zU<X(P#=$t)1$KfxU^jRO>;e11Uhp(H1m?^j{<Gu@9OO^)B*0q!0#Gm54ITx1zyYuq
zJO}oHIh;}UgHyo)um~IkYrveJVh7j<_JW=Kaisxp2%OBtm7J55BbX1Cf<<607zGnx
zE!Yjl!2@6?*avolC%_(X5bOi93()rq`WG-4ECh?dDA)})fSu3b2QdCi;(_@C*gFe3
zum+5Saj*yM0{g)pZ~#064ubvQ5O^BQ;g9|e2|iDHJj|aDM!|lt7aTf;Jy-Mlx71Ux
z_IJbwyTL)Q7tAgszb|4R*nI}Sg1unQHKg|k>;XFm$v4;w4uJjOIWYc5?7kNJ|BOGt
zzO&fzKJ@(u_Jf0eAw4kn9O;2YVD=pBc$Iiy-)s048~~4kgWv!-1fBzP{tG*<BR)74
z90a?-{2}rO7J)~>T5tgD1GDE6e;B*L{1N;I)`CaDZtxt~2j*UnJ}?UACMj<)3LXGE
z!G5sc8c9wq!oJLrWE>nkZzOpF>^XlVIe8xXA|uHfF#eX2<N+}Mts}`nuoldj4;`Ee
zc7jD<H&_GqfN^ke@<_4|ESiG+4fyw+BgtAY=UpSoPH^zuBgv!k`{I%0X)qTY0`tMi
z3y25igHf;)tOaYqZZHA%fZbrudq$E2LI?AU$q!g6Xpbbj!2C-_l09J2rO1Kt%aB{h
z?`b2+UNGl!ewSbm*Z}rjIg;!L2f))p2Zz8RaB?Z~??oQW1xvvqumSANCmz^6b0o<%
zQL7hh00+QMa1h)J=3Yg*U>qC(`@qSI$Y%lZz(KGZ?3sl=upc}J=FcYG#pneaz&@}O
z><9OP17I&W2p$E8zyUDlYT|=YFt?oY0*k;Num<b{<AT>xUSRDU<SO8Ug<$@5@WI?7
z>|BCgumS9uPkLbA4cN65I~HIMSX+i%lz8RHf!*L<FuoK!z}(N_w@T!}TCne*N0Nu+
z_rKt8`TZF6Wf^*U;e+un;SaDAJOK9nEA>!*9~?<$FDD*Y2<9ImJ+SZVls8!P4eB!(
zeG+@B&~p^~1iy!0!9nme*nb@RZzR1RVHcSDWAY33f_-4;Pq1eN`30wfLm;oDu%aiB
z1N*@)Z~*K9`+kaj!v7h5t|tD^u^-GoiTz;FFVGA2K8M~K;{Ou8V9o&YVEk9egSF37
ze&7H&c_qJJAYHHrjDrJU7ufx4@+th&=(&mXz#_2!cjOlw0{4Q0gX9;?|0DHT@K4CC
z!rs4<9vFWG`@qh>AqPhP6ThzJ_iLmB4uXAP&IsiQ7G))q@tgU5K{D9~?wgoQcCWFl
zUxU41K~6H+53U3U!Ry|XOir$~xTu&+7J)0k2C(cc$b;XToJ^hoH@z*HJO}OrC$HtM
z99Rhc4Xgn#dwVjO04u@0;0M4%;6H;Wz@LNXz>Ieg|5nSI1r~yrOd&paKbQcoeP=S6
za|?EW`QRon3O)kH!6RTd_+zjad==~m3oar*U@e$KzU~6^!M$J<{0bNc-|{Z(xDCI7
zx$7+JY;H1H3V!U}<QtrIG5W!i;307Pd&m!VeH=UlJ`bJ%&w=N_@izHE-^E}dxB{#J
zJHZ6_D7Y7V0z3qs0#AVVTmt<L_~0RM=2Yn5m%wvi;WYHdEo&WE2!0K$0rRJ$7kv2g
zWU>b=&!e2dhptE_2f%?VlgS})Sw8t|;{7`_C|7V7SPT9M>;%ha5+6JS_JJ2&MSO5O
zI0XIy%xxz90^);bz*_LuS;Pll1be`$*~AB515bndug3o^mi03*AH1j#yTL_Z0(=VG
z3r4OX-(V+r0{jDb4lKHse79QG=fOho;yJ_zTfqeQIJg&#Tt|HH7VrdkaS`#sar~9*
z+&eAnyI?6;KA&<29|60;`8N;`d<7f;Ke8a1%x<Gzfm6Z%087D(i>VLbxP`<6pDU%l
zf!CH%-@v2bAo%%3<hPxCF2-K)F|Y<)R*t=3FSr++P(iw&wUl(h8gK}F6wFOfE?^P3
zI*OmcyTMNID_{@!_R3`PC>RA#gU^H69qipM!)~w;ECnA0<KR=vNf#Uf4}tkr_zCO<
zhrq{fB;IE3!L6WufCs=hc&vu}f(urXU$7PI2Tz0Nz?z#VpDna6un>F<tN|}xg}vYk
zum}7u*at3IO@6@_!6D(_On$f04}zuO%v<m?*aLQfBj5orzJ~nDZ}2quNG<u@Mn2bK
zH+T{(1qZ<f(7KiQ;FoU0Zg9go><0g%4!gnVdhEW7{DFmFX+3t)zP|=$*HQn#so?Ae
z^nx3}2Jj)U3+x3CfJ5L>aC!{8z{kOy_0)GTAAAjrf^XS?Kf(E6H@E`q1vh~G;N9RL
z_z;*=Pdx(j!N<WU_$(L)e*<=d7i}ayI2-H-Zv_XzRxqc*vOWpsgS}uBd;*Mv$H8v!
zH()P#4(tan+C+S?5X_0uj=+2{0Y<@3f?OrEdckh+DX<s(8Q2fL2o8d;fH@mzCym4h
z-wsB>=^*z6t!u$<a1q!G-URl88^A$uGnli{vUY;`;45GhoP0a+!P#IpSPS-oJHdYN
zAUFs<2j*;|e**KtSHLKE=^exemw?^iX0R9R0{g*-z(H^XoZN`Laq0!Q0;~ZWzy#O^
z?gh7lhrj{w1X$Qay#m*PlW%8S1Pj5>gEinGFae$d_k!b_i4PWnC%}c^Ij{<xOn<)~
zECjy-)_|{o3D9ogH}!QZm;eued%;2Q5ICikc%Ag4cOnNq1}4Ch;0f^34$=W@H<Qi>
zs9#%<2fN=-KLftT-`(v3OFu~c1`pkXf4~QJ;2-dwoy5DFdUPNC6ZrNAXcyo;4-yZ&
z_@l%F*YBlWfM5AI@xTS2B;E(n2cE#r?||pP*M$Cl+C>j`fSbV@@Bo+qkAQo@0q_v`
z8h8TC`84sti@?d`ClA~UUJD)qd%+^o%Y7KTz{zw8^2xYsg_W^&QpUS-&L6)g<NQfN
z&n3*cV>tO<5ip<B^1Lq&zQ`Y5Gn{PA;!9-GqR5mb7f#$Ve!F$UMb}?>_0&s6g~Tr<
zoI-Do5X?vDwS<$<-|7%Sp(h9;AEtLhKa+xf0Q%V!^gigXrl6mIZpBCIAA~$U1wA{1
zdt)i+xzMMipcg{7Q_!Q(^HR_opckZ|cS4_&g1#5}f)w;#=;bNsN1<1xpbtP_4gE6l
zhxv&A&p~fZLC?u#z6AYUjxZ?lQ=#ukAzuXjQRv}vtbu+o1w9V^a0+@C^dr#2^{2<k
zhv|om{xH2Cy4Vw@pN76a1$_wmz7+Jy)OX2mSWiB5@lTju3VnMDdM)&=Dd-94;{ULo
zZs?m*&<{XgmxA60UCKAC=LGbs6!byp<<QR$m2Y;ou5V#_F7!Dm<O`t}q@YKk=Rwa4
z>2EOlr}*gkeD8!V_FO6Sg^@|!nZ=PQJF`k7_Kxh^B2$VZlNLtCn>ZrhYveCWA-_5#
zFMZd5k$;ECqisj#N>`uohsNMbdb#Im`xx$3{GDRoj;tjSd;J8JTybQ4`9xvr{xXXE
zF7i_#1ky9|OC$C=M_l)R$VvTrlgOEm*wby|&lB2>V(%SKItEXL)C>Pn;;H<5`YR%K
zWn@Z8WD@46e)|M+2a%gDdd83&Lhdkfi;Uck%*7G=wh2m+ldmFpQ^(O?BUdGI6~S`4
zW5Sc<?J0_?KQg{_VllrKnO`EU>}eqW+0l06$C`j&x{-Soxk)Of{-+c;VB&WPiF)#2
z=EBI72eKAM?EAA9M)JDPD~=TG99JBfv*Y|5BUKdgoJEm>;z%9>2oiy6B>mVRdge3@
zCodE|<|FiMDt-a<h(iR0o(nxMBwq-<5V{SWWz490dsC!f+k}WsMZxi;yU5g!T14Z-
z+eEze^uLmi2P7Z&XO%_l?rhB6d0uIxV8^&6kp-DcC#Vb*`!Y~AG4saJ)MBGv`MDqc
zTbqZIv&1g1+^Zw@&90xN9-TvO&+Evk{L}azMeZWeXFftNgnkgZYF9pb6#8N4sCPe7
zuN#c~)k4Lt9hnu8g1X40#ne~P*9HH0D4x)JpdW)yHFZBiKLq_q3VJ_uNx#OG*5!B_
zy45nAe2>uSU2Y*=Y2QQ8$3uUgl!xc9Wf8m9ZQl!xgGE070-1LXCpYk2+NWvXRgqH}
z(lb!^C(#llF=Pp~$gf5|E(A}%l3(SPh%j|K=|+AZ@+CqD$~QaWD*wnGK`!i<e&~mx
z=SY0>5&6^552lbGg8pa<`s4|WmnrD^(8a!NM>#0^OQG+9?k{(t*FxU~on+jP(B+}?
z?a=-0JPN%V`c~)-B2D|aU)o1^R!PL(DeYs&c}pS%w@irS(JXMcZr6(@)<p8?wn`m>
z#N{LU2GA$=CWPSWqXrm#Rgnd&Li(0WYzihIarsC;m``0ehQ51+&=%|mH~IU)TU9^k
z^ok;FNuJ`wpTfO{2Id`N&lvq!X=G1E)_-M8h|HmH3w3416RB+}=#q@8cPB{4ZXZro
z3t_3)SuW!$ZrhQ)%GX^BTk@4ng{eZmQQ86h`vZ&v^h<P~-PwzzU&4kR<Fd*#lxN&7
zRidl8e<|^|CpafF{aSY>rD4+Bs#_90;jI(bx!=nsmb%|7R11@O(T$$G&BICEf|Pny
zzYajRL-az}ebA>s-zlQ_)65^JFFUd`sVJrkE}M9Z^HtZ^bHr;U-c>pY^{=F#!+^XC
zdbnLpg}yxny$Jf&6!aSCqCc!B4t*2!aQ?cWuS-Gifxa5L9kTO~k@vSBvA^HQhuh(4
z=vC+m(}$p!L-*?uzfNW#Tmbz>N!RO#m}j(Vr!vtfnYhg9l0-_Cle{ln^7l4H(f_Fa
zAG-KswUE%aBeN<}kjaFlBr;yo>w<p}zH0YgdbH|0Nl#B~7EWYFXy!PgM(S-J@y-x$
zu4zyH@wCjVx1XRHNuNQ*rE*gfWzftg{*c7qI-LA#u>Zd?vOPQNg^WP<RDY7s#NqH=
z%)g`nz4puaZRQ~*?mT2g<m|YtSF_W!U!sd&I?=a}dq*E<Ue36LUovSHdP+GJQV;wo
zJBO1^eAj-fpj*hS(=$CGYCjxBZXI$7)Ba4q>Gg9fBL%AULUB7z9bL^EcsGZ&pL;sj
z3C;8WO_2q+x=tvCm5<zE<a&etre65xFN-6mva*(CrkSfqJx!p;{s`y7lAiepy&HNS
z^mjT$Q0NDs7eH6`8D13ZgT5O2cB$B@%7gjT&T-{3FI*g1kX14+WpPAR|0DGw=gqW#
z?%%Lo<M#vklL^_BMau6bN?h4hg#1b5uM&Cl5qoQ(pM{?75J92Gp`U>s?iaeCpGqO$
zWAyvwCEtgjA4gu^c_H;?)HqV^*286y<M(7_y*>3nvY4!hzU;Tq-v41Zd9$fMMj!b$
z^}5W}w>olmdq(E>a3pm-G%l&Bl9Xu;`l|L0Cl~YGDmU#tj`vv2NO}qQ+u`p_Hx8<D
zQ}g-qNLAKF>8&^QAALtYKAilMq!%6ss@!p4G2^EDqgEHADwk|FFj_w`oSZ4~@uz^;
znF~EHI-EQuvR?g)x_)7qVb&ehk?mj4%o<0npM&us$4Gyp${&4mNGDuhx}aA<57(C-
z=;hG;<u7^;L0^!9-f#4W<xfK|Kt4R~3_;I>9v&AalZc&yo)3KrbmbuIkdN3?%0H7r
z^g`&h(8oi+Q3SnyWz2D;0nxq06MN5yLqhetLe_hp-&aKT@5spdtoVKOM5$t8=GRje
z2u)t>8zP;<pBhebyfdoaw7WH>bRw(wC2HV6j3`#23~)WeNt&Vik@^yaJ|6l#!FEKi
zYub@luNO-@Vl+)*wO)CPz8>_IbDwTeP@gy6cz(E<b?+}ysxu2187~J#-^0Vn$Hi)|
zonRmHB__gVzO;Da-M;T4%SZAp_i2w2-!vVUF86DXKyOtP{g3!p?%PiJr{Uz&LR#*w
zmss~_K1^a}xwMGnvs70gViIpJ@eUI2e95<0Z}3@GW`{OS?Yv}my2F#Qub+6k_75k^
zMUnZ4-KWJq=yVhAN9aS)k3qk}rRsc6W?_2@dbmC2Lq7>U+`dYoA5S4)3tja4<)@NX
z0=n2EWi0vIk=ewszhq(=|1O=#qzJOu*Mr;{<oxSziE{}0S?I?^vDYu9+7DSAscJ}B
zEu4)5@pm>GbFH5rPS*3?=Wp6+o9pdjHDjkS;&~Z2#6G#N{3!9l{h8cfJ_0@LKe^9*
z7`opdqDSsGA50-H_nk$5xZjfd&-<Z=`ysgxy$^c0e#-smJ<$Drl=dL^rA7V#-^1-;
zF*DSde<P=Y38*creBBe|6QziW%6RU#emhuCZ;IGipJMu`=L@2nkN7!`{JuwrlN{%8
zK<Bmx_6N6!pG|wf(~&8q=7;jL+|NEmyzn|&?rWcf?(c`hpK^a&<iq}#``jWQ?(eg4
z%yH;44Rt=ENA7(egB~ugLg+_Q=$HH9hoOi4-vIp}^c+VyDEd30KMFm3-murmhud*4
z^fM{+9EC3V4eJ>&@_s#14(FiT|1zBXqu3Mb2bV_<W@LWBU+_y+cBI|qlfX&h{aWHt
zeh+4HB<A0T^!oQ3*~I$-z5A0)2A*OkvY+M0Gi*^jOYQlgG;q<^iN39mdHwOId7P&&
zO8?$DRzntl_M`6%`q=hxKSDnZ{S<Vmv)1Cs{)`5_A1e3mUxhwh=rrv*3=?^|hd=2H
zqx;2t=y}k?^{N!Q4Lw{><R1T&6m+@QFZ%uRQZ91Oe?0WRi9M9dsC7(bWL@TS!R;Bb
z_bBm>6VH}-=2HvGa{?!!e_Cj%^hqOUQzEdTv_v|(0A&#kGLKD#z|tv>N_qZZN-yWB
zGLK#F&cjoW_v^C0B=gusX=+3n-OHSkG)&Y>etJpo<QIpN&jiy;-R~dI$huXgMd=bO
zo_I%O{F6`hKlAJlQLXBuJQq=Za5(uuaK7Q`_v+)~NNZM+<Y)9Upj5RNT+ba@#^W!0
z=MXzGsd$nYA1Sv^`1|17LNFi6=U(Xhq5t0~w{G;GL;orC%X|K;O1Ion=W|`w=U%7W
z#0zN(?)6Gl`$3);+4FC~^|1Iso*&r<UEWLRt6!d--nmC<WP3)|_s24{c;cpTdCT)B
zTfh2$uDqi*{r}g}mv<cgG5CP{k$iU9v|s4|H_E#c{io4C>FdMEA4t7^{qoKp%Z-aB
zW^Np_z*qadtlMqFCG5`}W}iaR_xg#{<+v_$V2oDF8g^|U0U1Y*qJR50{?C+SDf;BO
zq9czFCm#}f={No7vP>x1l(S2miO|xCnGXhk6NgVOp%y(;`qI}2c}^)0KGPESBl(f%
zmI|QTGSHB|e_Uig+JD}+II=Fw%1*V6G8#qSY4lk~hLiICPM^Ni{q%xNwye`G%T&G!
zFQYzvcQ{FRZ07H)0{xmiHzj=k_$K|GJV!M?1zn!2vQp4{puZ~54@o-aBkko7^s~^9
z2@U^@IwxVbYwf5(Eb}HvEVkTXY%xR5sBvv7Dkt;LI_$Yt^n2?s_5;_r3ogk|5pr9R
z3(xmzptnM2nWE+uRd`4A%5z~Nze?z8-BZnqr*z`&{JU)8BIUydSbLE>h}`w2{`t#a
zo%ed<kj%4gO<7(`CT4P!ouVLR^<wsaNoUuS=Da>s&)2J*mbvAMsFgoW%U>x9Jil;W
zSRI*CrgvrYVbvhF=kL(lW#nH^Z!dED{tmqZM*j8mW-|fY|99vuH1cEVt-%kq$UTbQ
zg{B<M{yhDj*)LY-N~ILxKd@U&%l4mlmrl(5aHOClNTfQU_mHH2lzL~{^C-R4j~(MG
zB1hP&Tr_$gS{=zZpl1j@o1WqxMixIp{Y<EyEs31HAS)^Z!{}|Ml8LIzCehHopVYJ>
zR5x5sf57v7pEG_KHLqP3IXEdZ8fvk+o=W@!#NYn?;pB_sw4EkC-ZJNyOWEIlmcxd?
zwAEX;$n%Z`KN?Q{BACzA{T~MmH7T>H=XK(Ld2aH^37%8qJL?Ij|3ROzhyEw?R;+oF
z-sUM*J^ieDo?+i0vS7z~JF~m9?$6ZcALyCG^MY#sMfC^uZhMpdr3ZdF{A@|be1v`o
z`U2?ZIYdzC{YGDyej0iK^5cE-GA;~3&x2kT>}S0FHLstkj2x#j{Vu&@L|>GQ<o#?o
zxg_Z4RO38*S(#aTQg2(9Ne3nR<ayFOo@bQzVf*T*XP>vvA7wsXnvtq@5>-CAghBL`
zKgT#I`jo%3R%IBEOS$IIpm+UpIQdi4uKeezauP=rb&i{Lgoa>#aV>@QlKH_=uB20g
z9{c(9<72|`!{yoyeG2iy<tNX}PD(+S=V!;Kpr3$lK@ab93_^ePSHsCmU^^eFH`(vi
z`u+P!;{ROeqJN_Zry6Hd-bYxK_C7)!eR=5H64d9lo0RtvT7%76;_?x@`_Q)<eI-KJ
z5SernWhwo|3Fv#ECxy<wYj<XudmbP4-&3HE-KA!e<+265GpjpOumAHok9c9U-hAl0
zpkFBUXT=zL*?8X*(kuRy=ag5U8ctqn;-~Jnmqd=(nTMp?ev+I&#l}fLUC1-ky=V2-
zqvXo!B=n(g&aa1)Pl-OS|MuF4*M8N046Qd+Cr$lL(W@_<nEBmQ7s(`XK9YXX4E*t%
z;pDTgpMDklH?O5kze4sKQm22{80i<1ejn+d{4LMpia}oeWR7S0VJ@R(ekPJv<(u?1
zAS%yuZ$CYp{C;pg?DbP#zf!@D%NJAHw|rvOW2whOb)YKsvz7z3GcOJ&*=BV=LYH@4
zpM@T7=iNp=+%Ft}ehT?8y$|}y5Iq<DC!imPE@@fZ8Ib!1PT#NcZ}@Sy+-M)E_wiOR
zlHE)GM_(vpe)&(Swm&3IK2ksA`Sz2)=Xq^69j+ieAop8G-CL}PRHYtu>0dvZvfhyX
zH&Zh7dA8(zfb{3QWbVDmz8}jJp`U}k06NVlupgLHK>LI~LFncq@>8K#LBGTyf)cj~
z`X=aQLTCPK#tU`N$U8sN2j+!{#F5{He5J@UZ}7`+^Y=@#1ulD2h)KKy#M@829TJaS
zb#w2I`yu+&%H23uYi|+K^R5Bny-K{$zJfPzDy3C&)|E$z_*O-3{M=di;}65hFABwL
zU%~kIhvJ)qm8nFjCH^tu%W&jdFJL#f|MXFc%AdS{;5c&YM9xdc8y94slIgMEOz}$}
z@m?ifVyt+#1mjIc_8jpRygYh8K4&)d1$ww$PK90oJ>33^py#EKuYqo-kdH&30^Mng
zVz&6H3;HDJ*9gH|SFzsI7q>WaQu7LV&w`}q%@;Si?OO8H4`1x}?<WZTG<3<Y^bO7@
z%9kPN<<MVA*AIH*2Q?+DC-rnq-(RamU-W9q<B!8h`8y@Pa`f&ma_u$q9_ovK6~1I5
zcS{146%#YR9HgL5^3jX_Ie#{O;<tPX2}hx?gT6}$Yo&eApY6z!_OXDu8Jm;pUTTRP
zER~xd2M`@1-eKbXHeLR`{YBP48Fxiq%~%xKo>>{$mANFchp>-}y!$zYJ)2Pjk3C2(
zZ0;iLA?)Ll;{MDIcsHi(rb;JfHDsiT)k-YM3m++`1CmMJbMX@)c<saU>vDSO1YY!S
z(w9wK9ipg%^-@&GdpGu=?_pC;W*$QG^50{MGW30rX-H@ZYA$q3|6W9eJ@Xglxkk^Z
zeG1Qir6~IWei*%aESp%7lCBP1Q_71MlwagMA-m3TZ#|ek`4~06ERGx>pZTqn1)=-r
zz39wg!>9bO+{=-Meyh9h=IQg=1M?Xv)^vvpj9L#%uF`Camru+p%o>Bggew>3Y(kYk
zb}jf%_HSRmo=QHmE|hu6=$W3%Xg*mxhrT1c-=v1`G7c??Oj#4L>0lY<7s*(^V7c3`
zNV}f;KISXP|5(yr@A@UxJaajtY*w#IKW*MKk2#q`o#ap6-_klVoP6YFeo(*1tVjDY
zvUcB`sv;4W&t$?0^c`O{l6*{2^gohUc`wYS)g#H@NPSV~muf!3<bTxtl*})sF(3cz
zIDhB3?(^=?ejw|?Of?TEorAtxMv@ugAFuyrb(HlVoP$G=9$bH<zfT~4YRyRUcS3@@
zgRbOYX6A<{C_%OS)$3p69<3coe#+Eu|2{Mq+a_d=_;;S!8t2-+w==zHA{`(XpGkmK
ztCag7`d(ejdoF@@(tBj(niVaE>H%E*n0p=bx7$Vn<Dv8)h0u>fzs}fY`VZ=Ze_xB8
zaydwrO(A9sc$$*M5WOv<%Bd4Q$JUJ`zlBccBX;hE-dZ=3tPmox{P|uPIg+_aO;@~p
z$$NSBAb*SOJ3uz`qt%f|FU*>k6)b>4M9v|9q+uj^Pf(tXICT#}l>(Q{y&r5vNxb~I
zjNh9^lJA#%H@kL`?;Y7oBFD3{-kE`A!3*X^h&B*!T_g2FCYI#q0U4jn{c^nH+%I2x
z9vwEW;!s_?N_M~+h;o4V1??lrH%q$e{6@{!Rr}+fZ?`-*vvXXj)XdC!=8**@PmMlu
zCqwZxEVQcnmUBJ*Iq8fD0TWC+Ox4a8N6Is|)60~M+Vs=aSCwxq`t~J8l6Q+f^O5=^
z??19SMv^}fe=u(zqrGQ+b%L%!EY932BsEm(XP@Z*;D~-6f#33x_H_dKr0pZg!$MH)
zONO7%=;meSr_%2XA@?Y9-6E&Tg(U8m^@+b8FVUsqrcU495UkP?UGzmM>@(>5ju6my
zzkYthKVL4${21y;!JTiH%jr6V&;uNjzaI2$`p}3zXAzxzq<tKM-U_{12&Ch0AM&V!
zZW+SVemaf(e&ogX&PVhQK|cw--64WPm-kIAxQBkiN0<ENL!SfvM?z=*KC0bQ8+MFS
z=Pdpf&n^pNWuOx%o+$b{(RU1e4~jm|UpT|8-|0bb)-hdoasIe0IMI>F+W-CN8^441
z2l@M@ZYfWrFUtJ0ABFyT(&CBrp(Iod5kKV4r##X31(kySN9cvnw|9*s$4NToBl(F!
z-+J#z@(z>!sCw<qA6CkF^;8)rN6(1VJWbN+LEpZeBgyyp(h>S0==(oBl4LlO^<Y6O
zql={95B(VQ)h2yY|GfN@e&(H_+?J~Q9)6Fgjc(DGdjs`j*GTful1{4fVZUxg$epx~
z-64|N$S*`i9DQ4Nk0iH=KChpyjM!`R7Am7p=|pawnIThF7F1E|0P&6x@9t6Yyyr0%
zPc#>u(XnV^@SINGXJ&mQ=r8f3yx%M@M3;O|Uch=E`Xj+|#E+xq3G6#(em~`G%gmES
zUjzCM-Zv87Z%VC?ZT15x73%W`RsQHJcwi*(oQe3UANm~V@^>YD{Q_mnb5D`|<1_yp
zoFCk-W(#Z(F)WMToMPs`57K`4PWvv9)uq@!75X~pzc=SEV~h(ov2w|z$4oc<RQ*c=
zeb&c=<stTWL(hYLj_*GE@zaj%>d1l?tf!aMy<0i^LJ^ziv`l9wcJ>qh4Dol!#y9nK
zRQvPRBhkpI3uMD-^!T-eO2<e1k-HFk9v(>^R22P>*jWhu2=wt8{7~(J@wi)_FEjlN
zyICx10^N)m7L`8}#NYEzBgrRC{0C(|;NO4q?5v2i%JOKmnSOmo(KqQcBgyHmJ_alQ
zKAYF?)I^R?QX86(LZ@}!KGkG4)X$<XE?M^4DXm>@AG2Vfjom1VY2OXcLPVp)%X@_P
zqshDqzxc<cWi%8vdi@0`+SR)-x`;RFb0f)1WaGsvw^Z|vO4it!wDc79Yth6gi|=9<
z-^<OyJSM^)fLLZ$<cnC5w?ZTtsW0*#!DGDVu0NQrw-4<3jq|T`^;&grN?()#ww(9j
zag5;4ho{e9uG=$G7p!^kJQo!`=)3gWBl=#aDu<Fcjk}2#n!po&AN-5qbFJN!6Z|TV
zKLCF+e5Sh|KjHC*;Ln7Av7djl$ImTe%!mILKfluB7r~eGr}_EoJbo?wsqob}<=Efm
z@jKxc!GEtm{sxcV1HT-8I{W(IFM`i?Rxf`mz4!z07r=kFpTFAU55b=gf1RJ7xkd?y
ze{&acHpcr5)jGtnKeN>37r~zae|aGO5|>{KzZU*9Ki~LgDzr}cb?{I7`DHt@GN02n
z3R&b1AouPsk0hU#_U+h#T-LWTTtShO_fz(LWhA+R@2=e9?kt{eSmX$boV>sCMdbb>
z_0-W<j=mQ&9WhnEL`}wBRZ;aOo%6Hyziok)rQfHc?Gjxd{pv_k8dUZ<yCk5iUF#A*
z%KI^2;ysX`6@^ZEnGdV9gx>`}et5+9-U#aP9oiJ(AAsKpKV3bR_iKI({&c_oIxqfd
z_@9EG@8@sy_}S&WuMobsPfhwUk3SXum*KOW?%D6NuN3}w#)#hl{|95l?}Go!G2$P9
z|GP2bABF!{_-Fn0WxlL3ApScI|9iZD)9cU4U#50|@UyAlZ+?6v`Dh^iXWjTy;h#P-
zl6<?Lf1~H0QuxooCmGK_)X%#S5&aGDGryC*pX!4DD)D8^b?e7+PyYe<gYeV!b4TI-
z20q)lUi@Y+{%QEHz)x4c*-MCred+4QRQNe#*k1}?@^`5}{k2~D4e+z!KjP<Sep(4g
z8;UbtzWtjc$zSk2`}|A1cBI?xGa@K*dyzYaoV>3o`)xis=`&vQ(mO$V2l_^mp9`e7
z-%W1-Jy(2-_oGUBmxc5^r1eO8@?M-zBlpkpy&xo~%~y8iBbWPxk(-}hF20m`WM(qi
z=C@01-=xzNvecKo$UTOf%qiUZ(BkFq5d0_Lr>k!#;J-LV{B!VMga2N?e&4t=naRPp
ztYq48r4YUaKV83H1HS<Nm45xEKM}ts;LnA>*UuL}d?e_H9^^ic+`Ig8{_!9FBk(Wt
z^KbS1G+^St!_Qyg@rU3)O#F0y$mO8&G5Bxw$6w~fFM==e)A8kf!VkeumwqSwkBkw&
z2mak-@cZDmjlmy)zhMmi5d2%l;O8#0tYz@i&0mV(i~e-^llLXx3O}8HJK^6BKi&MQ
z2YxO5RP{*ONuNnSUHk#~tH;nk1b@jG{9G!yyjM7#{v!A@$Kcn(x8bLn|A_sa@TbF1
zH-GDSo%nsP6Mx`!;t!elZ}!*ks8_#ptJv=y!@eT;Z-IZIKfa#+seY^$e&!hbPWb;p
zKa?(h5B%SZ!S93r<1zRH@V`3-e+d3p#^C4PNdGbhzX<+AWAJO?-!lfk6Mowm{2uu0
z$KdzDUje_x@Bhr(RRK!<8h|hMr&~V^!QVdyKX(QF8~k+buL%C5WAJO?i+|I_?}Xns
z2EPaXQ}84H{8f1Mvk(5EG57=UCI9*U_`Z4X5d1H}zueDX@9EF2<~_Oa)Ae8SKK1X8
zk$x@wgK79O4mRXy|Hk>A9SzMJe0Iot+J7^Kok!vSVGKJ@!+!<-Tm1R-tz)xm*f&aJ
zr_>{PAN<e8;FrQb3cuE`KXa8^4;$did|_39uLok$-vxgT{B(Xk0KXJI$9LX*sNE~4
zqwr;%NLNoz!<T+O9Y1@ePCs2enF?RhPghS$;YZ=8v%dkpj6><t?}EQ*4E_Q5h49mr
z-%<E7j?kTX{>fbG`u{Zio8XuD`La0SxA;H%Cf;ieKV3VO_xQiaIyc=oRtkR*{=NS7
zbk=sY02ciX@K>-t+s=1)KAZV|*S;?JUxB|f!2giTKLCFU>$i0NJqmv+e6s1&uQ!4u
z{nPMofxkJxzf<X#c9>1YJP5xnyuYx?+g}hp`N+M-I`LludJedDM&Wm{KB@5Q;aau`
zNc=ebFR?C3$Ctl*aFX>#z>cgYH-0btE7`C4Ng(}a-Sqq6KMy|^;Oh++Nq-RjRMvs%
z_&KYYkHNns5MOU7sr<t~0AKnmuN=K~bQJ#CG4#jbU&}f$UHaYdJK^6R(61K`l727z
zr{Je5N8$Iw&;9O*z6a&*v+QvFGYG#6e!BQMH?xi(BYr;oh5Y@FRQ5?dDx`sS!<YJz
zT^s7p|4Esl){C{sMULwAX?Al+?o(P$^3y|l-N;?Tch}#oo}L5fc?7<+>+J15J*I6-
zG|_V!Jx?H)uKi?F;NOS8T_U)C^V;WB_*Z^!M8D6+<u7#oS_*#!{N_OXMwj0JfBzW#
zF8F_fzakJ{4^U$N0r>V)sr@eeqwsHsza`M_+T3<?8vb{mPOm?E4SRy{*(UMj-`nS$
z3jg9`=DgX>zg`GR`law!z>fyvFZS{e|8DqC2KvV*RR1XTrVIY1Kj3`HA79qPztUwb
zWRdGd?l;Kwh2_2yl<S+!`^Ee9y@2d4U%k-#DceL^>>fhj3FL5(FW<VotA6oq)YE6o
zKFMC69<j~0Pm+(^J;;3>HQApD$$e4VCi-fSd&{%@{TGq@*N~i9`-@$BYw;Iysp`G(
z55eCHe>UIU`r4$^5x)H0me0daHJ*zd1K9Bu_-FW@-50Xsc~4L7TIT0J<nP%8%I$~l
zxK;#zI)9f3H+ptt>J199qZa;p_zwj5yHx_h?}UFG{;vc40mT<PyWY<Fg1_(6&iCwR
zeRk?{R2{GAIf|a=k=ql{bDx{eY52?ddqAHJ@E>;h*|)Nef{&OlANrs`^iPF9>8Gjr
zVyC<pXBm8Xk6!lkK0B!=Sug7`RP@Brlgr;9VmjtaM{jfrzZ-tl82n!NUGU2S@fW!H
z=!gFp{8at3=pTfC4t~0Q@|@ck-{BYf^_zV+$>-!Lw1<=YT_?V0|1p@)%v+Qhs$JEf
zX9;rY>Td%6I`|*;r<2+3=3_7XAHz>)=OOqf;TQPhoBepPvkyDZz*qI=KYe!k>W#?B
zdvOYX!TFMu+Xa_;`>s-Mlf81Ax{m(;x%Bxdg}(rPI(wq;q+H=|C(Z0!Upm?zbs{JB
z$loP>6uA+R%lFAie{)XzSLAw-yZe{?T``fH8<Kn6D~Ew~{M`ipj#avH7=m8_|FS^)
zzSwQwxpnyGdBzpear>FfHn*IL;CI7Mm+#Vxuob>4hs8cSedQqavI{+DkW06YKLCHu
z3+d~_QTX%Wr?aCUJC?y$cC1QoN6vcw{>lGt@7u$ps;<6I5`w6p0a5Ec0wP|BnGiza
z^*|CNfDj=l^4d-&lL;A_%#1UW5U{l=Dy6=t@qVe+)Ou~T%~O4;Ro~ZGtx{_h)cUGz
zHC~F?T1{K;7x>oYx6hn&X2xp2=lP!R56`2VIlsO3+Iz3P_S$Q&z0V2J&2YEZwU2N#
zrT>)D3)OQWrSG8h@4E9BuXE%Tqx6npI?w4zzsgD9Na?RqdOrV>`~6NzuXx3MeunmO
zST`_6nJvrnS)%JBI=Z>~O*bSs{as4<6{UB1(lrRr=@Y|b?_MpOznapQP<o;KEtEb$
z>4nC3hSDdzR@fe2LFrdfdZGOHQ2LnH3+I29(l=82Uhej};@0m{dS8Kbmh;4R8jF;E
zR}noJe}`?tkJKhGTb9%DMECKZv*!%g7xTW_-O``Tr{N%)zqZkN0OB)hrAzOa*Sf5I
zIiL8v|3-d4gv+^^(kr*qxl{V>)Tg+|(VIsoedFh(zfS3oyt|`d{9zO=NIs?XLjLg-
zN+0vy=lH*rUP<YN^0!m^^M~xz@BJHj&Xekk9M7lpUsHOWyM3;63O7^wOO)Q=?vIj_
zM1U-xM<~6R{+`+_cYZZf!vA$j-=ESe-0A9`OZun|I=4dU2e{K+`z%u^eah#gH&A*x
zr626h?>a}(PU#0z`gnJ`E6#jArI%59q4>znl)j_9aQY*Z{>OjPyzG%r(2>vUlwMB#
zGu>T2_S{&0qgIk#`JD7Al)mwE%5R|bwUnN5^M_Gl{_T{``X%p$oBl6pEMX1c^z$iw
z>W4T_?xa^c^}m_Y?T^U+^0aTcq)(yzk5Kx#AJe(i5_&NCd5k?KMG&a#2mZTJ({|80
z&CQ4D+J%+SaeXFs((&${RNrEHF#Jjyo%KpJrC(D-ac6gVGN+Y<O^M9sOrjeewNv(W
z9X`d+I`)CTi*sG+PC17$>H?R2P+o6vf!w~0MAtE9=gw0~sjs%W=(z6nr4B#-``8=D
z?cCW&^&Yj&MW_7gm><{cU8>iQ_uQ%HRGs#9IP#ttC3{pxf6vV=r;@9k^lC~^O`v$1
zyZt36O4GT%$4?^ry*I_<xE>$7>cRD$D`J%OTszVI&%Qf%UPOFG?J?Qwf1Rh2WPUeO
zc~j``HhT1ncp=nJ6l81Z|0js9^WdEtU&(ilOy292?;)SEhn>oI_Eyh7lLOsPe5m@K
zYv<0QJ*%k?=6zK1!YJ$Sqv$6=yPaP8Uq#mAMR;m0eXYp)5Kp_#KWeqL(IlOE%(^1$
z>by^552EbHmoBhcmCYV?r5lQ@SZUh20rZ5NUu1QbCai0LaN%Po6MdjGWSuruDzj^Q
z=_;$=6p<dkzR3Cso_0O6G;D1!+$K@Jx;1p7=#N0gP9)@z(#2MTa@u{)Tg978tT#)v
zLSv3Et+$rzZ$Igti)dl-MA78WifB6sBnQ&{=+ZN-Q<d9py)$Sw{fDUvH|*X51^c=0
zKaJL9_ZJ<wwb*)#vs_g??XShOzki4{c;1tYy--xTd6ab_7k*`N>1(5C+k}2TS6sSd
zlr_LD_(@6WwWZdF{By&o(tAp+Yq<A*G^+HeQtPErJVBE%$5&Gs*3~7SjJ|U>>!IC<
zfWWdt&#<fuib{Vt%KCND2b9j(v=`~erjpX1jk5YiH3@cL^~c2J?vkVK9Zi3z=cuPg
zTep-RMSpSSccW!m^C;3+4_`^(D+zohfv+U+l?1+$z*iFZN&;U=;Qtc|3{A47CIh(3
z1N}q3tz7>5(?0x<zUPndJQnx93AX$ihv&>mbL7{4cz%9*Sbj+?hJK9!P9a>mhLO(e
zSiVd;g)by5drh&;utm<hT${((av!aa)^M>czjl*<Y2TL|dA@enn?+j!a?uu<=i;TV
zT$NfsWV6ap&_pEff;(*q$(0;u%iZ9EWA)k8dq`3(YggP&`8#l|tqk-#@oefbg6GS2
zSANL;|Lit`e()E#3H|#h?$6=A4fpqPAHA2>dmr4V;$DOMT-;B?y#x0i+}GoN74Em<
zz6tk7aeof?ZMeUW`{;=%ANQ%a*Wf-E_tS9iz`Y0e^|)V!`>nWd!u?U)pTm6{?(gG1
zdT*4E`&8U(aG#6&X}EXb-h=yk+^@p@R@^t?{wVIx;l2&`_i-P+kCt!!o7bGhI&S^h
zdjZTZke)<(bAfaU;mCCq(v7_V?A+cckZ$OAEs$=;?Xm*tW_<lef%H+RL9jr&u{+@c
z>BbJl3Zxr5adv@pV>i|oNMD8eO(>8aNBVb=?g$h=dT{?<f%G*<?=O&^Li!a2$~SiI
zh64GGUB0zIeq*Nx3#6NQ=H3G75<{dqK3E{#%uA0INS7Er<$tO``krY2;RVvmkp5zU
z^zlf44e5AvZWHk9Zw2zpo)^))Um)GgQ=b&zZ|1$-nst1e@nkBn4}R=bAbnq?ABc35
z&)m)YW}XY(`!{I$*W!L7?swz<IPTkUFZrI*AB6icxX;D?>$qodzXbQ&aUaJ0L)`uC
z_Sf^bS8I7Z-YLXsZN)R&hvVu0=UmSx((@ni%;SF&{r{@#`EYtZxxW6`@@Xe8T6RQv
zO+}z0P+nCTsHv>2tn#K*IVm$LDc9#;CFHf$7TY;QC04Q3k{2(rGI{Y))-`$YQpcZi
z7gA!4wv6B9#dopt`70&l#Th@xOTVjS{3S2Gn`QheFTT5F{7WxB)*67{;l;;UW&7A}
zNPd@CdsxOVbtjfsds=<)SG{<d)$&8t2QNO}x@J>8e1gTV%lfYpYcI?AzwWdW+LbVV
zuNU9j+MdS`E3x*m^7&^a*1p!rG3vj1`Ov6@U+cy9vxWot==Zl;XXV3<*Pi9V<B0Z3
zc4iU%#q(G`ob6|^HO{g_wh&gxzm~;zsmP*LLY0==iiw!VPCh<-Hm-<r`Q>vG;mp5$
zl1;y|*KGR9c<UrP3(~I^`k(QENjCk;UbIC-{P(wxuGRV!A&KY5qCEXIKsfUmnq<?j
z>~$yoEXvdGza>0hyPhk6zgz(Sa{>IV0{91nOMB~V`ej+`<zIULl^R&Y`oB>1*;t=_
z2+vnf{w82P{ICLeWdXc~a4xqsq~%USeNHMs&)+i7SMDhV@D{?QU%q7vXSU^hbrrz>
zvjBbv;atywm0C|*xR9R#d>FXw(Nh|K6IbL3yd3l|5uUI9e>VKPl)s^W2Y4%R(=Q(t
z;4`XN%N<^=e5f$F#uJ{e+<gn+hZMl47Ql}wfY%Vta<I;uBlR%tvVjk;Q{4Cs^9j#a
zPuXkEV`ok$dg<S{Y~e587^GkPH^{l%VU(+>mUVUk{;R>Ke93I#Bj1{%U;Kv~*$%YA
z4m3-uW&J1cp*66R)E|6ZV({f&{Bnag1Bau3wZZ3k@$Vbl_To1h9Q82)k{=oTY%l$7
z29J92pBOyk#eZh-GraiSz-^Rk)=3W$p0B?iCtUiaL*;p{iih@W6}ML^F5ifwv{!-m
zuT@;Wu|@cMz=zi<&V2bATcUjWE>T>*2}JlIz=y6@T)yE$_;kWqAMEqzaCUkxP;OQo
z;rZ&{0Q%weN^jcxb>Of2@E+jXefTB7-}2!<A)Mv&)}30<Can%_Ix9Z&F2xrEe+2j)
zz+VUcSKt@@ROxBQU#{J#!py&AQ1K<8p9TDZO^O?PvK;tZ!0SN&O~UiZXF~zp$gK~4
zJCVs{<aWLfH*(wH!;RcF`tWNDlzR)|VrMSW{$d}UFH@fl7v}HBjXvDer{9O0`ds0|
zpGLVh$~{JlwRWY21J|by_*~#kz=wf10^b1KzF6yN=E46le1JEA{$s-j_^H6_XaOR6
zeu?stv#ylZ4ZP2X{|fjJ@M`ec3Eb-U@;QzI7{VX8(VsN%KH#SQw*VgkE@#xJj5mQ>
zmnwh5r;_YqK7BL&JA9+k=kzbuThtwL8GYO6!=3*1;ZFbh@Htc;>Bk>vxn?}B2mU7L
zG3>1Cf&aya{~Y*VefVbJHrmDhD_=W+m*1e}n(^2`0T!-LD{#~AmjfU2;V%F$NBxZ*
zm_&gX<}(a@xfW~n0`Eh84FAI^Jzu{(E%f895#M@eSnyo`oQuiF=PjbAQ<6FBEdE%3
zQJ(eA7zq^Zm9uWz54eAwbu{5c9R2sLgZR%!o0tpNz+B4;;GKj|BD;FzZrU&8*~oPs
z@DIxrKN<M<2|twNTt1+<(epv!Kh8>3DK2O2D9`fa^4Dhs^!;mX;XDugKLmc@DCKhw
z@Ixt3Hi7DS*|6IAUjRQA_+X#nvw+Vfoa@<nmGUwE*fP-DJC)wVpUxwk<<NSf(wn&1
zEujC#UzDETnc?e2&|i3;;$|iJ4(MCIrMP_ClITAXT(WxpDWd@1c=pGzKBZwI*A&9J
zy=T3xeB_-7N;v`eC%;hK$bSjpT>puvzp2kE(3elPg|BJvI^fAgiktCxJ@6^hRSu2C
zlFfPvc>fA5SH2BQNpAsfenR;ed-XBlEdOb+4`s^68b^ZVb`4&jd`$fAAi}x+i%@?P
zS3C}Q%^0nZ>EBa;&);2fIm=9CM1em$PVqBQ?s<euxzn|t`vSil^dIk{^hQ4S0<Ydv
zakdwHJqbR^Cv171DF2fE2Y%r;ZP&%X$J2n~a%1C_k6BOE0Z&5zO@GY>-nvHl8#y!q
zUv#kYnP030tOwp-r}RdDt|gr1-;8lOpybwFps(bQPtqmtF4KK0;Vl0Q#{21#YFTf9
zzO2m_#Ps8P;J^J!t&bUBV~Bv;yYAP@zfW>e%n|sfzf$}H)c>>nm_GM9jp(^P`}^!t
z8u;7L2a~rS{FBGp!i?Mrxo!r%1wLk9_94*s|I!w^M3K_}9(eJiTF><gTW<g_8&LX6
z;GY5?Oey`nz)Pv)SPr*;p!ihalL_Z`-REo9v7jHmQTZPU`bEIwzgIp-0dEI>;QNZN
z2EHD+wMzNi2mA`)eNz=Db0pWDz=x+OZuEaM@SC4e{&#?W82Ar;_UC=W|5wUq&mzrG
zMjga*Xgx#mwF+B@0#Ci5{FeZ425#S=^fkacfLs4i`W?VG5MD-cwq{>^?-I}t|4jMF
z-_oNz*8~6b9p%IC(((1*gmb_2j8%O$<NX=XHy>dOo$1HdfRBU}-$hdCy#eq!^C9JL
z?Av}MSeAp;=B1wwe931@|0D334}5T6t&hA*KxylM&v{DeSAhOD;3M*}TFY7re2{Q%
z*V@s_=L+DD1Ft}P$$ZK6CirZDeU@+YQpyLw`+Rybo(v$j>)N}uK7GZ?=OEyNC)xs-
zdGkcz$3m~pQgZ7|!r5N+Uas{V0G=S6>pvQHsUG-7@ELx}7UU4%SAzaR%p)1#_kg~#
zLg|ftcntWK30m%S(7z3Q5cA`mXx9!y|E%&M^Cj0_)X^-56)&kA9sqs<@Ycg@K@I@E
z40svrzwv**Ztyde{){5c5CuN4M)4BxIU9I0aB`33S`B>Y>$W^|+=s7qhW@)+&o@RZ
zelhSq)N``J)-AwW-ctG&;7<sS2iNTt(2rEwf|~vs0sgChDxaCi^Cz0n%W3@j<M!id
z<4){ksrHMpdy@!fId2Il|90@14*a>pm7d={;cFG}t*}?duAU42x57`LVJp{_gpVgZ
zH2WsTpSc-)$}sPn`R=E{n`hXPza4VE5B$f#e>hs%TU$VHU$68=4~K!5pR2ej_if;n
znAeU0pHB(r@p3!-TbhpL+LIg`mfJRr>lpCKgtOfGZ&vxsH-ssz5_o)z;t|ld2#yEW
ztrPSEB`W80kaj8XKIoyT|Fys?eeL}j@YTM4d6;mqSHAi2WzY}#?9a!*ho{?8lNqSb
z^b@tceQzpm^mZI|oXFu}#U~YMhAF_09#T2n20q6DZ#`1!&j-E$c==6=?~Z<7MmX1h
zzOVjC&~Jf!b_btc;KTPQALGAW1ibY|t<RxQlxu-o38h~MKDPpIu29^x_kQ60$0~00
z?f1YRf&Y*OpLYpoy&Cqdn@Y&gal1xAugo}_B>vktYZ&~=9g=Gn=<mh&GV{w~p$C!c
z7A}CV2A?PIS2-B}?JA)kXI%%ss1LmE0e;i(l>Qmu&j4@5`1%0&n}XxPb^EjcK7lI0
z`ZIL5E!4)&PX;~+IhcMt7I<rq(%+0S78B0$9Q}aSvlV!k(Br{%TL(TPFW7=^K-%Sm
zk0<-tS`!we5BSeO|K|TF|LcK23f$}?4?_`u3;ZyQN8{%V18-hu3y0r9&));SW4rSI
z5%`xMpzWHstJ;UdfS*J-%dK*S@-g<|6vAbl0)5*H^zER3_gUp{=8JCuFNdBRzw2Vd
z|2s;5Q;{;d4*0-zipw|WDe0dlzz%#%>vJ^9y#w@RuPD9;_}mYC5aZO;e>3n4?p6LH
z;PVb}`@a<*1wLaB)N%)&RsKhSehTo`wTh1gel+kOe58E75By9+4}CM^IxaYfT(|QG
zXMLN3elhdi55Xt(q4GEO^8w&}N7%w;E_giwe4m$<{sQ1{0I!6e8~gSF;au(>Sg)D>
zEvI+Q8UML&9d{hztS5GrmYV_pxrB3^q|+BCSpoXisY-9;)(t#4pm-(tTnv0muh#!3
zz^?=T(-#$g7<&Go;2?6{o*|s;f4t9s{yX?oZn1@WH{|&g^w;_3g?$dDb`|euZTFp9
zm`pg!VFdGzncrss?}L981OG<g$t$&7GGB770PgSKZr~fR4oZW*ANW06RSw3^Yyw`k
zTJcLj{}|ychadae^$O@mFkX0{o3D3(_XTWuHhTLm<kpArXyo=8=y!We%k7a|mbDi-
z{4Af_eSYZ)gtI-de11_g=m(=(?p)O8OyGTgSN?tApC+8!<@evd2m0ohl+O>q=Stw^
zpD3R;@cA#``-8u+V^0AuJ4*SO{v8IMd{A*CpT85%^%+FG%gnzM%2f{CztnP#K2!rA
z>{dR<SbCj6IP=+p_36>T&mf%T_O&b2ZVv#D5iWN7a9a>#Z#NLmeEtG|X`ZCgJ|yt@
z7#D{BCc>Fd2j;sMK))5ZeZAIyVu>ca0DKF^@0=pV-zJ>PJreP{$qHM$9IE{LZm<P0
z_NN?pCG4${X9eNRr_&cdTmbrJ(2oKCkl=W5-M(1>?+2g3^|nx(`SezUL;uZs?QX)k
zKJVW*Tj)vc<$4_S<vogz1^(x~wY|wd*@8R+{29;>%~X6T@IL{!v3@c0*WZATK;Kq^
z{v*N<C3~BMy<HCcs7YGx;El@P*wxv<heC=QIX4TA%&uEI;oRP95a&-J?HuqKK-~LM
z;5X0ba&ynQ4S>G9(-z8gMVjF*;AOv8{QY9Z?*+ae_Jx0>u=Q)gxjtuNy>=AvKM>CA
z!QKsX1Tp&X5AfOIn|Jmgg=9S+USkWr>92i&Cy!VB*kVbx<`T~3UUq`=pQW(X1^S`5
z(wqKT3%qQ);sMZK0(_7Cl#hH{g3|s6ct7f6#_yxRTQ@78KZ4KGgtHwe^ZEaO7J3l5
zZl8hAu&<uGO;I_N9jE-ukmmrxxxHuk=8NM%Z+9zw81yFtU-Ic}LArn^fm=Siv=Mk^
zn=O>5f_?yat55%b3cTNEZ+~t0KdF44g<d@kyt!5Jx558q!+)~kdjbCdxD9(U3i$4a
zK|WndzYF*u0K5|QG~*~hIQPqP#M{ldvq68>G1~9uoXNR@qcGR)YS3F4FXNGRC-AbZ
zTA%ZP-w*s#%(IQaUow2|SNb68zg=(;xo)2rdiaM%4r9nLvOd_@A2H*uoNyUOK6xGw
zyzd?@*Z9wkz+auBa`<Pl7M=k9KK#||QK$8UbGh>oS3DB<ZHE6!<=+GRm%x(&#Y=(z
z26!v_*UaxP18=_GOaC|E8+ObV4nG2)35P=;4p(|JPAh@;W4zO{OD-Gu$U>#hK>n@3
zn|=178+hL`Eq7gs@;M*)mQ~6psjzjK!9$9h_TFLe3dLuk+)aeDJSSj(XA<~q1#Th!
zycqZ!z~hM1?g4zvG?l{u$~AhjFX7C;au4m_(?K5qeH`o1e&DAAFULNtv8!S5c@g#}
z0s3<Y7ysvK<!}6l3&Cd}tiQes`d@&Le}DWb@Ol0+<ud^Km%wMJ$`<4T;M+mp2YYME
z{Q&gk3$(xf4Ej%jw?eOse0HOO!1D3ONsb_#$I-y4T5cWqGy!iweBc(~9l%F!SNd(E
zHQ{XF!$XSKgZ={G)`g1CDAt7Q2<Q6v_s4%G^vLYGJq-E{n178vybAvP{mQ=&`t}dP
zxxXqQ=i9++R~pFN-g~frw+#4X;PYQmd0qkh1j3om2H4eB;LV^PdD#}^Ae7riIJfHu
z@NbR1>II*2oU8vD_*`W89HxBCyl@BbvK5M(e*6XSEk63+6VBzvv0mO6{NDh5^SR2$
zjMLA6AHA3Ap?u4V@*GVSX8CM6Lg|~q=S0Gp{{!$pjh?(h1BdBH4pn;7-qXOxnxeRA
z*V(|EyH(B&;J*gA-wyW+4kFj><^uRHz-M@^miss4c^LQ>?0+2u{D}g5ULl;@dmq*j
zMxK+7*7o*1sr8S5&urjBk7&7%LLZg@AHcf!XyD%<ob~EnpC5HL=*uvEO+C*6{^SQ*
zZY9dSMQ}X0Zuf(}@*%CyPNY2xycz3F!{=k*_9mq_`cN`m+uL`smisRF>?t@NT(>Ep
zubirU#v<)_!r4!@u2FrXLs4?A0R0gBPow8;z{@XIJ~x0*2KW{4d*yHw@Mg@vrrbM$
z4?L)Rb^)Iu!nuFnM!d`TInROq<NsCutBW*4Nd?z`Kg+^;$Bc{p2xt8-gWoa+{40R>
zE!1+mfS*D*mpj21XX^yM$fs}T0)H0k=zYNFa^R2q;!8g#oa<8#f5XUg2>9SOt<P^^
zhqnT^2NWl>AlK`_hrX%!eZb!$ob~oY-+c6m;R8J}^XV?fD1901UK#itKsd|c9?aLZ
zz#9k`dHz7lJr43;2E4pYal>b&!JkpQ)zWJ<a66{>W56#0KKE7aUs8Ly?i3skuG@p4
zAB6rKinI*}a6NP1&-xwcH_cQ%Z-$(Ap@BBR#n=4YpKz8#CH$O&k#M}wkF%0-TM(1C
z3Hb0l#jh&S3>}1XoX~&HA!X=M|1u@F&Ii8b8kNJtkn@#<bN_BZ|LzI;+d<z4KY>Pq
zT)zfB=WojAEZ~0yo}6k6V#Z@}K>PQC2bKOd(C-KQxk{DW^{CJ3f`iC)I}7wfSod9u
zwDW-<`FrJG5Bxg9S<W9r-}V6h5a|2XDE(-Z`#a!+rzk!a{rD2_fdN}MnDO!+@MVbe
zQ}gB8yDERbA5J*e=TYDO*NH+;<M#qv@?VVltN@-2DNbr8SH#dmPv!wn0l%+E<+%}j
zt_FT9;`s^C{~Wjtf5Z3*n}HAb=JA(-m-+hlJ;A}$b=zfz_IoSz(AcGYfbYP(mPVcc
z@F5@nd4|sewov{a{nA1>%hT_-$3VZOSLx3I|6br#h;L5?ewE;OaNTYPeYvkb4+8H$
z+!ku14^IOhyjJlb>iIHodyC?SN-jDlX>iErAmASWFUR~+27E$we!V(OaMGXSl>e!q
zKOVS^dQJnrfN+-E6Ikbx+ap&9cs15*HvwM@K10Xaf|LW_2z;Pj$IE!=+jYRLi@o%>
z10Q}<@uwl5dw}=1DZU+w@*v?{&p75yv(9}D^nKq}`Wr00J{BAguG=280Oz>nW?$U0
zo^a-WE8^a!AOC}Jo{uVTwuQ?$*xQxB7h(VL7L?HkK6_vur)fg2D}isvKDFuJyMR9e
zzulC(8T^MLD$gC@^8)a`8*M=h{ojC(^eMfWe?Jl&nO(PWHQKH%)0EFRq#aB+%V8qw
zIRW@g;Df-;JhcpbhJEAWY~bZbDF4ae^BwS+g!b+Q{Kueg{jt`6BlO{3;9C|eURR_U
zeq-?G6pw??TfpreTM(ls9{@iQ`&K=mKLG0&zdfu0UUsVT|8LOGC7kye%kf^A@%L5`
z&T?A<dww|RW8kx8x-G~qz<WV|KICb}-6f!Z7Uylw0{tf7qu<v0v;%(%csb5%9S!^s
zg!8#a|GBB{pdaHq&ohP`FxK;RpD2IhuO10}2hLSK0{$lhA3oI<qz?@{jc}I3PkrNb
z4e%Fz`%~9~PapR0Qbk(8FM(G=KO-o2;_lq8{jKNMhJom9GwAyRwg502)^mh&e@*kf
z$M+Y|msKi#hqAGD7(SR!DU2Z3F0|lf`E0qzmgiE1t%-zld;RCBrh$GC^R=O`1D;H)
zoHv5c9N?`(%6~QRMc}_4=iJDw$rS;;b(Ag7#-B+6_v^`j0<Szw>CJe&Q*dG7`R5_R
zxm{z9pCh=j58J_~)#nfFD8OgJu`0LZ*R|Y}QOY#n*71rPeV$D?m%BI0CAM+}4gF-L
zH+G{Nc=_RqoAGtI;F{O{@2^1be^2BOz^^IS_9jX+*Z#+8{YQ@V@~;8DKkScb*Xe@0
zOVr;n(3h=NJ`Y0AdkE+DZoqgs3|X%S{hjcujeqh0=;vXcnh5&;1%3Gn<!|)u4d4rY
zq55X*!w%ph&~rn-*YVum+-sWPv~RUu`Im#_IN(Xh|7*Y(0I!8#XZ*}0@G*$PzX1BX
zf!pWWf|&X|L^!WUY^)#0gZ??tS7N?97x=57pXOV?yeIS^a^1$9p#7WkJ_7Lb?^3xP
zhCEfk{p*W)gmXW><y&7Q31@rdUzdFo^jG=fnb(1TE9~llDEH^UD}QARQV;ww;9D?H
zH38oW+`@ZFUkCnogTwzc`tULE0mS9fpf5gA<uh=(Ey!ii+r0?q_WIukIRf-H?6B#_
z8p63BNASLh(UbY0FRxMlQSe^|{>S?E0h6HLfcUMMH`jrFy>EWG3HVyf%ZC0Q@EKgA
z<(hgv0Qwcaa-RkL0PJlW>bVX09yk}YRHQ_6&Pgh_uf3uA^9t}v;KP{LNbGXW2JW9{
zzX81L4CQkU%IyMfPqiigSY=~fKsd{}@=~>9t-!AVy@l_+M1bEeI38TL`#`_Lckcbq
zzz4S4LVW}Bd_*|wgFpVfJCWtHCkGSG^qZjn&ERvA(9`+_ayEK+I_N*dKKKEk{~qYu
ze171az?+YxA9R^@(=X_e=kfk0=m%Xf$n!CJWPAvEYv`W`KH`(}KMCjh`}dp1Q8zI@
z6@J}eR0dy15zhSW$+kT2CI4DhJ@7W@&qCm55zhU1ukXAKhbfrP`=8Mdx-JF%_d(z9
zizok-aITO4y_H9RZ}!bQZxYV@%PzBpvxz@gq)t-*3dPNM;q3#)`(9N1wPML;9VWQ`
zcK>@E=*zCAg6JAV;>o~=R@s7(n<v+@0({OQoc+2X_<_crTwwTf$I*3Zk=!ia2I6{N
z{~Im03HbfM2fk|y;c>-E|CHeR+x_qBpf77uK1HA(A)Mv>IP|junf4_^&E?)YsPtyv
zc_HxBpA>%s^k)ILj<W?Z{>*m>XZ{^nR~kEZHRwm4ReCdD+$A`ex^52xAJ|*zP15TH
z=szQz%e@u*K6@j>z75*0;gIq%>!9htE4FF7{sZ)j2<Q0uFwP+t0Y4k`%`248{YW^+
z@IR0QOIIBDUBHJ9SNh44YFQ5v&f}%lr~l7`zWijZ&#U0`y5V!K;_raZ2;tn`D)?8X
zy}LF-&(SXi-xqkxPUUkK_}_K7(ht6%^_&U*%R#^GaiuqU*av+1JBn9={>Q+ZZ&W@8
z9|Atot#~Qup8}ptD83m9FA&b{^1mnhSI`elR(fNXcA2a7|KpQdp9uI*0X_u(;S}Ii
z!254dKKlZ10)G6{%Ezp`<G=?n51Mv;3wU{-@;M6Q>r&tr^xVvM-zS{g^}KH%<d>lT
z@Sj@lWbhdQ{WpE*3d+cV=W*(f=Nv&e^Y`z+oCx|M#3dkRYccR)^vfv7;Y{Gk>$P2*
zfhU2N<NeSJfUhB(%k`g=yac#Ej&vLFPknm(5crQAuH~A3c?S6PIQOyw<&FS<8tV?T
z-kdm3<@1ltD$hGWKMVM+A1l5Fcq{PoDO#@4t6t!PQx!M;cp305am9^1e+YbZt=fT$
zO0<C2fDd3iE?3z4z~IL!pE1D8nza7?S1MkPjyZsEmb3qyVHN0GzYTiuX$0<n|Mzt8
zS&z7uvCmQ98?Y`g_<6zyOkKC{gZ@OU_o+E@-CcnGQNhPq$3p%w(7ypbH^aX&K3K_o
zZSOYl-yie`0lyXVi|MZgg!8ztA-AcZKNI+ti)=v*o&tXTQ>qW9KGy+H!vDl@w0;b{
z|54@hWRVtdA8`9=#qUzsdeYF(Qv7w$|ABDs$A$2_W`X`6pznh|7`+;`K-*P*r1CNI
z$k%`;=W6|b3_eqU7h^x=Uf`z!AHh1p_@!q6@Av6>0(cqhn5oaV3FrDRLfoSP?Ya~6
zM`2&-NR<0HaR2+xZ-LJ?Uq9}*5dHWYZSUjgfWv_wjrq&;`{{&peRhMM7&{OL{VTsz
z`P`2BtOY)|M8~PIC$|yK^Kw7dBLkqn5A;{CLr7N!_*UQ}=y%iJKLNKl+Cpjk(vN@-
ze@}7a|9p)mCf3`D*ypVR{|4ZF&nUeq_e{dMy-)k(_C4VK?>yWHKGtE%$LP<00UxYT
z{1BA8Rd77GZX@9TxNp6==OXmiZOZ2s=))x7);CrDhXAh-+{G9_=YYQdf0h0$;A!BG
zyr4Ll3%RZVUN+5^XER^?gm9LRe_vw=^n<q2PlmyLgYa_U;Qi-)!o^R+Il4WOyz64L
z*Ee4rLO7S3!n`&E^mU-$!V4d|V!#`L`_FL&fj9fc<67|dzYl&b=m&iCKNH-tM)tN*
zqTZeaedW1|n{oXT@bXs`Uq4Fe|3)~ss~P7Wjh>HgRyhnzR(dlY4+6gB9K~NzHr8Rl
z`+W2^@ZmF*{ut2DC!EW@(5G+hpig1EYzO`2z?&1w$IKVE0Ux?Yans&Sz?1L~8^Pyc
z;3Jciek|~<z%881dI<Q7hW=Yhe+2N?4gSe&LE3=teyYlC=whY+ZILGI4}2h?_%5KI
z4*Vuw@Y3~l;7x?HevW~DmH}T5`W3G!{j<fIaIxSZa@}qsoaOAFkA4Y0eGl3~ZREBY
z^#1*$7eQayqvdWz8GiwN4c6~we&1z@%HcWe+a3n`1Az~ITlpA2Z5r^O!$02u`o)BE
z{r%^WBB1ww_v2f@PlTPJN4f3*pUZr9^##y>jQCg@^zVV*^0jOHQf*gXoh_6wGuBkX
zxt{*-`PiTzgnix%{J#PGrB_rAW?j|`ylkQ3-!IY(>wx#{qw`c9@VkMx2DCn=AAbXU
z5bL1RQSK|it?w%R4Zy8vJesKpTV0`OoNnFe(8`DvOT<?O6Uj_85l>fCSI?}q!l_I;
z)7{ZQB*EbP`X#}IO-oyXL90EIimZ&LGm%s<(-jO;#z>kd+7rQ*u|!)a7HrQXQt4o*
zyVnXQx{|R-CemI}Qx~YoPZaE+>I6fnRA@~w63?X8SRJWQS0vcp-PN^*vbdgtTyYO+
zI+Dpm<15ot$8;tY33btra3)3nMteHKbc^(MMnY6$*Uuo)wO1rVsZ2$sRloG~mil=W
zGwZC5Xo_=3dLtdot|J<YBtw}_`kCo!r+-0NXJw+R=&?H!jWJz#b*KloU^3hl48>xJ
za3~Ye0;(iE*q%;?+H+GYH8t85%9k3jC?TjR(Rh2LH<$^v#Ud`0`XC9=v}1-94~MzZ
z0IFs<zh+wLHR&+bPo$+kgE8tzD;y0`j#Q#cS{_@QW{N~Q+!<oI#lvY=`vX;mVW8Sd
zr8#4|GgO6JFquk(Bk8nYL27h6^^O&aFhlw`xH1yg3a70l^@|r-bC<SROZfkmO8P%Q
z|5wrfGpxDvJeQv5((_z;=DgDR?WAp1TXbc-n>(v384aep+k&03r2Ovcj%9x*;u(6b
zh^AAaiYiIwjt`QaP@S}Uss)bpCWBoGs6?GWt5eZTL|CP}NMh8iXjjBq6<I?HR}oGo
zt>B7<fx4Ea<)<tRo-%v>;w8b;8ka0>q87Omnil0xXr4_v=gv`8rK}nn=gwZXuqD{I
zsD5!n)1s4^+stUXGtx_AaK*w}`jJVrMdR`mn5p#%#uC&l`W*<gM3;BP=7r+zu}E|0
zS<O+YO%2FM<I@qQYhDmOE1O*F=TcScWyJXdRkgxv7Klj<QestYGm@J-g`f@uPGOYO
zAqhum@Wj_p4~Pu;cW+lLl1e2!00g{Z(E?OtsdQPix3Q}+P!|j~FKKLPIU_iC*`oRu
z5;>Wq;EENC>ZI|D677*d)xv0eRb#xpzB3wYZ){!~{9@T=HO14BRAx@3Baw<Yd6z8s
zqWNny|LhJjjsHgWz>-K;q9<GM=Tv%utFbeis5mk>Qer9+Z*2bj3jd3|;eVAqP$hzH
zj77T0T+eK#(UfUyt_?OV4$f^_*cknsY6oUW)`mp5oAcH#B*mRecGi_0B#rTKf=$Qg
zFk9f`_N8jF0IjG`bbaYoK!7bY7Qa-Pfmzb}*%{L2w(d-1X(ZE7-PrRvP0W*H#_V>|
z=s>lX)tBQ@ql)&0*<hT?kk)~k9dC0&>By{;Bbj=dD@gOg&Ee+g7wyA^ff_Y?%Ub3J
z7dFmr2v(}W@}YseXqAk5V!<}AnQR-WOG79Vs;}mHM5CXph&j1tF3p6xlAQC4*4|hg
zmO$+inpqZ+*CHbDSgn7DT^$LuF`kKL)_hr!x+@h3sNHNlyE_zPMoR<1wl7{CP@2Iy
zlSPd7<w)<}=2}aGppor=W0aLAw>Q5a=iuBWvrlQHd9#6M1MybPZ~A*M!Nz$YnAfnx
z3O1avX!a>h^+f0KC)>S1Izt|!6+C(2;yJSy1{cqryR@+-*fM+0!p5LQ7CsiU?UNTa
z&8ZJoRa8~XBxQ_;x&SR-9-L88P0%8jv8`)Kz-Bh~aFTxvHv|N4InAGtkNC^<hL!Bj
zv_)#9J}`S?v?HmRr$y7zOyd$`4VT4N#S^RJQlQsV*H^IuiEBhY9m$O(v!bO*ry;h4
zl1FC-Ft1bQy;^{m9aH=5cc8K*VU$fJw7@TkTyxv(8EaArb%Ip&8>)yCJBeKBP+QuH
zrpXfzN4#B^&a@}GGhU24NSlKxBD9p`v@{4GkX&1Krr6gehlk6}ih^~zzF~ID?8Y{W
z{3KbQkmH*PvSUpdGo8+=B$y^oHk9d3MS?w%RJ21lc_-L9HZ7-xV%=YG?1`%!POV91
zf{}2WC1p}AsHC+Ks%J|R*h}vuQX(CfU!1RJX0?RcmQr@@6>TV6JyHtM<eYx07E`EN
zuC}5f5{`w)OQF?eJ?lBG(Sq#}t!B85-B}}U)XP!LtXy40P*fQ*(n1z5@uTHtidG*H
z^76I0Ia*e`G}IIE`5eqR+p0iqeIic1k)c^>Mpa9KZnceFJg@0Mno(tiV$^LqptAX7
z4&b4XI|sDovAnWC6}4zfw68JsrO}@|QnU>9Y?nlmF;ZZUd+8Dk#-0d9R<c3vdsR`V
z>p_%lHnXN~S+q1*%RgJzBqNR4RPO3Pm3U+k%qV0r+{3JSX(jvMZflokG`pHnIX9Y0
zlh45Jd5>!}P+b!p9aQCP>C)@~O^7brK<ibEmtdGydE`n`0K)VkXOMBvgHy*{Vr9bc
zWn<8hittb%-Ov#ZZK|nHB-fCUruBlCTTM$s`n5;a*1}TO%BItd>cYG?RGMLtqx<e6
zw0oTOvN06gUt!WdSPFW~8j!9?do<L|F%YBPURwbx?OB467ZHoF0%(;vtkFghid7N?
zA<0p^#l%RQ#k)&3Xj4_?sojy(nubI-MIamxRy4g`rIOc@<p@A)NW+2tvx1R!^4B!G
zkwaFC^844^GiWpnv*>zSf<Hkr<H7W*Xi}p%qWf8!&=Cu*)NXg{Zf!V3GXlF>tcVo*
zkzA3u*ro{i1gt0Sh4oB~J@PTLYVzfrKw;_{4tbYwVwqzY3#JM>{;DZt*4`NI(#m<(
zV;(Pqm0fH*_qum3!no1t2nxe-1h+EKEKk9<uDVc|Lpq!zm5BN4?i-pk!<^>rAI<;-
zhNre6(M0hqS~m7jlquLjo|gI#IesM>C2~8+mzN2H;!MG+nKi-gB<YQe;H>qX)s&tc
zOLm4DJAEEwwn3O-Ih@7u9BQ15rwm!UJc6v5O|4FnF-P6aeCZjGq+DHzxY$>6vSRFH
zaTw7|<}@qCB4)nO6e(D`wmsStqz>|Si;Py-YtlR4GA}SgMqyJt1BZZeXHuC&x6c>l
z*_A?b!6c1V`kO@D0XZYl_%od79uLWdjT$_qeu+d@xq8o8@qh7!fbo{tsJVP4_X=7)
zCGr(0en5^`G#>1x`CI)KcF%R5%<+z3v&ESZL(fHE?%<HDjABuH$GQnO($A&2`l))v
z76&GjM^2PXu!Q~C1h_|Qb1KpkO?0Q1MoGLBqhQaN`XStzD&#{#@g1keR|C-#(jBKE
zBm#0T)$+S#=ooXVlB-5u&)H;@iHf|1Xgswtt^=JF!;B(`RHp@Mc`6hpABqgJNG-S`
z8KZXjCVCl$>`R9e-8Ao}P-AkbWCUfaL}my*L}Q$q*A}7hKTq4-O`g_?q~kOc673vl
zcRV5~ij`Q_Xk?*So3n#ChYxpBu9nZN=j{oZkIia@{R7eJ+;GfHaZ6+(&|L$}AllZf
z8nB{dodW9mSS0T4`mRV<xGU+!D8FYSVdIvSSnfcptB*xOsg}-YTI%oaaDS*!_YpK`
z&C0K}x4KrfM}0cklNJlq;jJ1r21NL@jE#8ZOmp)}+LDP<2SryoZo69-&Ge+9XU`l&
z(uwDYg8Mbx86hu(I+dLhN1w&n3`j_LsYHDnDJ>cE=^=X$ynE#y8)}Q0nT&sD%Y~N(
z+T;EeXCV{sR7QQzMbz8wp)MAl_0KG+mgeeRZf_cU>mGt)k$3>`z6H+({9Aib2BFyS
zRpE5N2;CV%7^49byr<2wB%6F{esiEwe^gag*RpBK>YYloCX{Apjm=gU4PcrLX@Kfn
znDs3sX24r^q_nvMrC<cnt2k0iQGnzcufh>qw@D4SWvuJQ+(O0H6F1uB6GyLYjXD9w
zjW_d?8S<>G+%i#AQeJL~`bz#arq3LED_19TZ41ech9U1N^7?@sCE6<urB-^I<(OVp
z4`<?$CBL&8aV#=sEAI1jXS5>|OmP+ct&yq26(A=iiF6TrZ^7BNK?<HRNKRH4sRkJX
zE+K1khzL$JTNv7<Oawb+^GMw-YJ;)!#-m`xA)0ij4l;6+B}|V^wF25gbE@>IX&TCO
z*=CP2%yKObb(2A6*zDM#4X_X`Tl`JQPB=2r(4-Wkl}?-XnQOed1VB|F6KiVc_qJ+W
zYaTdUtVNCkfmxk&o|g?`SGiIi@5Y&ajP4o7g=He+I~DDLH|w>c0q-K&%h<h;<i3$f
z(sULUr__Df#kAj*<RFz3RiavZEeV+s_r4t&5gtr%pv)|$)}+=*wvm@3j`I&S%zC#>
zCWbkdNF=4EEGxh3DIqq-J+U{VKpyH@6zPeidLmRVtH#PO7NW+Lp-2z~>2#`B2e-aE
zl}@CbK6gf>Gf*Kev5BTx(xZOq%~a8GK!D6AlX`rbV315Kt>J?mp{U<Am-7MM!Rw!|
z$i^ksWYre)qsv}8#f$CWNSD|p8JAAL4~@aHAHICcX^R4t!C<(zH`EsG2?S=*?-*4!
z$g3dg;EqJ2ZPzbfK6_46Fi@d~3B-sh8}Q7olVu8|wP7gk^C<j%t1CGbrl)UnW4ahm
zIm<OO*>^=!bY3N^Bp6X9?BY?9>Uc7dZuDxQ)}D-^`oywuqnXapf_B!cD8=|Fz)Q>D
zK!6W)#3)QaV?2`Tq7X8lk>LucC1saoR!d@GVs(VJG5pI<_Gwu`WG>7O)wVDlc99r^
zm(jo6`cZG177N-V#_Bl1JxIff(t5pz4)pjvQ&S)5Ij7BB!(2V1wj^AUTe4W3+a0R$
zIJAKRmYbMs42w(g#jwyBbVi6I8<*n=*_gFDL3}JFcZ_K;9j8siB{TJMisQ*2QsSVy
zGgf8b%ZVE2lus~}BuQb}$<_3ZXR>SAzRp#>FSQ$^9Ye>a(!Om76$PtWcZ_BPoo2}v
zgefc;4Af*2aL4@9RA6Z&<Aek#QbMaN)e2sOxE(J#u)}7Yo9Dz2eavJK<q@DWT9~_;
z2eOVtZ4-xcX#av|YX1n}k?IX<izk;Iz?eq^frbPf+=$E}_i7dCn#x1sS6I)8mE-Dr
z47Gm?#aTt0M*8N}Dh=ReT?<zXhM5yTI{(3Hj#UqjS`5}8Z&o;?M#QW(B28!B=olSa
zP;s7gLZ(rUT@KlnA?`HDm{(TuxOdT1F5IJc#_KWyHx1F5w}ubSr8|xH;tt~QQ5jKF
zuiSk>c@;31iseL}FcEeo$u0G=%44>9GNP3psfR}Me5!>>yk)6xB;`8#`Oi2=dwe`4
z&d*+l^5k{7PKDy3v#aJx;A3hCSh$<)j_pz%-Ai((qsfxc5;+s0XkUAT3ZYR+fgh=n
zTkJJzMa;^IwjXpLsu7|wl#RUmPX1*Vsh;V}#I`-dSa+M9g#rw|C*mR=1)n!`_>yCm
z69VM=ySxgwPnmbj!Z~w%JQEVlE>m4on%9HF<V>@auLrYJGh1t)gXpZZbs=e{5vJsG
zi!kn-=$np3Zo({QOmWL{;>-n4f8bQ9t~co{EQP$7fxFYI&+euz?jCPLq~?y%<dG3e
zw@Fs-Fp@#hk!LcX;{>aH#|c=c$$W?`#PM4lqH~DBUJjpo9ZIgEXQdmcl)h@@m|b?e
zA3l0>PMq1N7@m~~M-)__d-(8xnhvRstYLY7!0|=QA^;OE1#_upW)%p%EgXbtk2Uv@
z2(sR2MIB1^j3nK|V#e9AUWln#7|M!)#<B!mqUlhKj+1&tNP3g?S=3O<GM>uG+ONQj
z?o3DR9EwBG4mllTW8W+$kxmZ6xzGD*!*fPpp?b<hCstoY&037Hg)J$q1P7?9WxLk1
zz=qrdwX%SnlSst8TXv#}*=E%6+)W!`j(6ahgd8L2n(cH)NG7|i;JGq&3q#p`T}tw*
zp_xoP<HtAyMlTQ@@Wdt@*G-f^Yj2!2f_tY|rhW2#I3~v0h&e#wzO1Oc@uG7St>nGK
zu|PNFne3d!qgixkCsTt^)Md7Kl`V;8_CLAqtV8fMgQPp^(fQ}r>=}g~OEzJ=s+m;@
zc<fod|5A=<2d#Y4Ue?^1x${JAqdAR9^)ZbgRnKvRWS@|=qK$`ou;r9`oXE;n*$9U_
zLL;5dT<XMCjM;EBkIKqUzYcxQ393N#Qa&cYThzKfZ_gTK9ziia2Y^wW6H+#jQs3hA
zOYC)Z<Sw>Eo^A&No5!+qjIn{%!j&<TlWW;UI_g`6vGCZ_;uB5m)dV}cLSc%*(SfzJ
zdN@2qI)O$R5Tq+CgY3Dbj%aVBUB$|J#D^kslp(8G+3gO0w1T7S!Av4ZCJ%nB7%oRq
zs8k+SXf1qwXD2LMf)M38gJLrrN5Es5h_m}_M26NqJkA`L+bf2c(Fh$x^R_Rmlwwt+
zueA3uH8}xF567;EDM(jZ`o06V(C6BSVdDjtS(v&?fRS^%T%k<D7enzBtLt59pN7C`
zr_{V_qRyl#M(helWNB9l6Q=ZtiHBoFLWiWBEgUulVXt(Y!Po9tn-g1(zf<ADGpA$o
zM`4(@v8yX<Ft}?ZT*WVTWRHP4eycENJI^nSuzJG0Vy98HMz&{a-CGA()6w}d?ssPk
z$dOZUMSG~Z2Mu*jY5Ia<RTLmg(*XOtxEQzF;{<98b@1hER%3{hv**M&HM2$}u`)6o
zbra1+oNcW)YU`3+M;pJP;Y>=97DoofHKSK#c*f&bSrWc}&UPrrQ+2~XTVM^H`X%qc
ztTDZ_Wu2VdZHT19ZughFR)?13|Dp^zo#Q=IP+%v<1hKgCtO4YD(57V8)alAsXKNj@
z5OJN?(a{}CHil7kkg_ey7pxMRJlkDjo3o{}pfa>Fpx4TLyQ`!YS^}>`B^NK@DJP#>
z5d-Iypfg%LjR?%t1Nxq}xNInl2iX@<Cl(TKAc{{TJNP;kh<IEL_H43Yx-$_4)wvu;
zpVd6aX*HVZSO{I@I&GI>nI{wo7d6+!JKOGF7CCS6n8g?wAKCkJ!a-uc`Q62MyVr=B
z0E&)CwKyEY6!RjB0a6VUCd&34NtWf4b?Fdq5_L=^R>P|5J|N4;Z3^fB4QJ+}xfl~x
z#r$Xb4yM2{@vNgVe0|e08)ka7!rLrIP8@o!3N)op@1)n&mh#Ew`UIb>q7yXkA<4`o
za*OFBXFp!&SAQVQ)xijb1$!tgE<33zEZMEEa+gnshdga^=3fV;A9+^qv?UP=W;#i@
z!8UrEO<xC%M^*=E5?h(+^ehAURkS=IMdQJFhuD{LiJca+#KO*L;_S&m&p7oO8>>Uc
zfo~4i`5z%M*I>*yZ8>Ao=Sb8xnFC)KLT+`dQ2|kRJ5Ca`)#LF|W9XzB&!lDpz~f3~
z5;5Ms@T!?iqRz{yGG<(sT%M^T%(~4uP2%BsHmq}di|4T~^V)~b=d3vxth83}3CWr0
zXpoYAIEx80mB?WAw$B+xY_Z6ydCxyXe5RQ`Z(U#3$hTU`b=QNzHrips`y`~f9w*Zi
zw{z>C3^kHB2O4!gWi#iBAUYG07<#`vYRxG%(hNCdX`F#B3PefIrg?`PjyrdeR!h1s
zl5!?5cEWgVz%p&}FPFsvJLcaNOZ2SXJ#u!YJYWCKB9$<2P;rB@)>v}TfNbNVl$7Es
z#<eOTa|=HbN7J%Rf^QIDt;=(Q8E1UGX2b27yOh2o)=g(0n04;7i0PQUGSXC1ACA6e
zts!f#_9K>{P8<~?rxkN7N;?MObhl1Wv?7QW&{#3Nl{oXdsJkoo*eg|9Hjeo9g$%#M
zps|Lm-IgBiAi3to0DRpXsMKQ;@}8EyyWtTvAF~MSNl{;?(kp1LgZs@szS5cAapg6s
z^vZ?!Pb4|=-(&^E0d0NBBfCLvVhSYTY|PGC{X*J#dQ2qXsG7Jf?lTu`jvbafA*es#
z@bk<CfhuaL$6=Eb?#|W(bJzB&@rJ|Y-HQ^#WnR#Mry$CvMFGiE?L6L=_#iU-I@<td
zu)BOx`S=29G>>u|$fNTpJWZtIGOm5onfRI%H{}V<S>cO`<R~hgzs}KDk8e~P?~cXj
zTt={w)+%xg+gUxk=ElPBVXNVCrX=c}ZhG;bw`F>K!3!~t?qz~cGxLP>f-9=3VD#mU
zdXfn}@+msBLHo>ezAldnyDf)f&#9)~04~%X>mM<3kO+x37!IY{+v$*TIHCc-L`}6%
zu)&qRy?h)Yorsf5mRS?*sdW2D9Em1}m_lB0-w`!7pq@UN$&n*I1C@1mDM&=20XpTN
zzFy(@Bs`X^Q3=%2u>)~Hvo2{PJQL5_T@2V4ctO?p{JeH_E#qk_$}zyYKE%rbtf>5D
z2o90uG`X6OIZKOi%op2*zB%yU*fnu!alx+vxOE0Yy3js=Z$S^o&TQhFM>&(>aWPrC
z5`M~KznoP$izQoMSL9v{AEpnQJ80r?)x#W&Ht*MEIRx_gw6rhgM2sZ7;El}a2o}xv
zIa-j6-;u}@p3WW0xo?G<Y!uEg?}^uF@P*WX1mT^9%*vV*+`cyXh}0e@;0jeU-65+`
zk(4=t)}}j#tc&?uCw-JH1(6>(65KzY;%ABr$yIPfN@tbiu$a(#CM13-pQ8}kzML&S
zK5UT<l#2{pJz1?^vT#13;e@Sn7w>_pxwPzFoT{fWl#zE-y_06XciGq)^6NwtS<;ZL
zS(8AcSt2>Z``=s0agY(KR*x}un>bNP$BXrdoO;}uNS$z^>C3FZ%*K`?Jo+3rH>Vw%
zvMj!u#1>o<Nz<n=$hOzl(<|fr`2(-UnN#C(XvjAOuzKY7M>ThcR9bYx>($QGMOU6>
z<jhD{Qr>~%8mJ;+Zu;E!xK(uGVW=Vs;7rhN^~_2uFf;d)CGy!3w+GB~H`YD6(M)!W
z72i0ud?1Q_TXh3X?3-)vZL)Yvp01ZAB!&=AD|A9oCOaM3*hR^T0p7V+44$FJ?*+?y
zUXHb81(%gS2V9)Z%dB>1_2gfCJHwoLWQJ^7e9<AUWsZVr^orb1^+0{y>Fm7ZW`wxi
zveb4$1pfKZE9iW>%VP&F6?S7yZNT#LYC{W7^D3cP#8Z1+yZkff#6t9)pC0-a7wx15
zWk1vBA@Xt|yFKMqP73hT9-4epi-t_3R~q1LQ}zor&?>VN%1dh9+?AEp(o71Qyji`;
zJAAx)lO;w2MOhs!;x&iNC+v@#P$nB6jw$k+GjxKXn--*I*of-VN&l$tWh5%bHTZIN
z6Qv06E)UOGyunC!i_W~z_c`*|9#31Us^qM}vN*pX5NY?UgqqLFonmv>OY$zGdAGx5
zIAD*lRl;!>XEck=*7J9(BB^+U59!jmX7Y!l@=3at{BovBg<t7*VnXN|??mN{SMC+}
ztY4j`gEsVaFM8#O#Db57<xv)zD`cK@`i}>#_aG3n*753cM0Aefms~wLoq#PL*XDOQ
z`6Ch0RE9q0;_>uFsktba7hcLG<)tC+3a+Qui@?jn*}_=OvRmWyi7^?fPF*-TD{(ex
z(x%)=kX$uHTGZ$88RG0%BCFsZPTW{7NRFYCZRVhtiO-{5#`cp(TAQuBR72F2&r#|C
z=eI^(&BjtY&l(x~gnUqknoCPbXGg(%*v21QtL8mNX{33nkf;1SD&cCg^MNdX(>vrC
zM9%o~Nl!eC?2dKro`n#wAb2ek%=d~+z_S6wJ^-Bu<&P)LT})@6sZ;nX4$OgH@T9xQ
z&}BICx%X_~S*g_)U|g91MUGPqY7;Rwak*LMt!A&)a37KY=YKr|`PZt>9zNC5)fRW0
z2XA$;`pKs_veR_#6iH*%chWECv@naqJBt`64lxOO72m0hEQ70;(kBaC>*YM-!%<96
z)Ltw%*V}if-aF4Z%Vw)0y{3!iJG#?b<8tpbzi9awNhPg{c!EA%NpF8l&(Oyb^ohQ;
zSkcx^pX!)S;eZN$lAZgC_BC<hXURR2(iGZg<F_L`5A<GJMJf^tF(G~>V;QSLhHgcM
zhLTkw-d;s2As>XOh;-tspPlWL*E|u^FugU=%dh3*tCzw<H;a^q`F&QHGE#Z;)@qpY
zC8!Acr$WlrGAJZ(RfP5PZ|1wG|Ce|E4m*FU6`$#~YKv`pvgj^1%X}wXpOn`8<~x7S
zo4*xo^0yS*^ki8r0LtYl`wu?r>;M7!<<6fewk0it{8Qv9`;R|=10}t`b7#Voe@(G1
z#Mc1ebiT}YXU+F;6}2q-%r^aX>TLaoi*0(ctYPHej*O!TV>y}pUt=P=PNV<%Pc4}8
zH;=LD$+9+s(0o5$K>7!t#Wj!CH|W<+SN$*B-Ilb=xKebTt2d|qrW|u$Md>?S`OC)I
zlA{bCjvkOF%i{WTJx%=qTWjeD%hd22ME*hK9|ECYey08BBmW%GCCAzFD>+VqGGyc%
z=P~7*{1+3(GU591)i=S$U2c~7uDU*HUCnR4e~<om=N~}+feA{L<VL$L^POsQzk<@-
z`OEgPg}Q7X&D3^;k&Hf@eEMWr*U=Am{tW(ZL*^vSx2qw<on`I52IztFn^O9azYqDh
zhTPPaRqlPXZl`B={+1tVPqh3{IX0L-z=M4L@;CYNU$aT`U$aT`pJ_gXkNl?p@MsPB
z^1oYNFG=r~tKg4SHilg4>O9bor|JJa=zr5q&rc6a^7GRb@t0?w&HW{!-qV$T82N|4
zVE(^QUY4IJe>?JT{}=fwi(K!}zh-PPFoOIe$ZtB<=(nl2(W4J3kGuSlW3>Gv$7qcV
z9rNbP<Tv-v2y^GRDmA}Vsrff^qU$pG%$@&^yF0)6JGjFE&7U*_A3Vxky!hu>%FMi!
z+Ok^l_oAC;Dbic-%~0-rwD|8|bNQ7%+~lwJ;Y`byxsRvcrff;TKgn&1?r#Wz`yPdl
pPep}t1L{A5KhSY7p*Pe2MsCJ_@%YYHe(z<9en{UlcVGVU{}1taru6^-

literal 0
HcmV?d00001

diff --git a/makerom/Makefile b/makerom/Makefile
index fd0832ff..0ecdb691 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -31,5 +31,9 @@ rebuild: clean build
 build: $(OBJS)
 	$(CC) -o $(OUTPUT) $(LIBS) $(OBJS)
 
+install: $(OUTPUT)
+	@cp ./$(OUTPUT) -t $(DEVKITARM)/bin/
+	@echo "Installed."
+
 clean:
-	rm -rf $(OUTPUT) $(OBJS)
\ No newline at end of file
+	rm -rf $(OUTPUT) $(OBJS)
diff --git a/makerom/makerom b/makerom/makerom
new file mode 100755
index 0000000000000000000000000000000000000000..1a70e1ca349c305182e4a43d3831944a2eec5cc6
GIT binary patch
literal 429576
zcmcG13t&{m)&JcjKtSL|M2&*FYSd6)iBe58=q@C3R~L;%l!^+9q+mfP>_RFEi@OWC
zEURe+<?~UgR_m+Q&j)Yv03nF4fK^efM0{{BD-cB?fSCX9cjoS9gT(rM|NlR&+?g{o
zXU?2CbIzGFbMMY9^IwtSa%suG4DB+FxkWyYfYiU5RyDh`<oS<BE7H2+-;=dI8ljy8
z#uAo!+C5tw)X8VIlxkWgo>};>C_@2?GCYz<KKm-LmV72D<dgli{dt_Edj9QGRhoQi
znp?`*j<ja)QsvpZ#t1z5Y#~ATTX?2=CfkubwsSk}+)lgXv(X_e`Am+FW8;6<Ipe!7
z!-E|29zL{E`M2%Ky8J8uGH^T7Zw*m&zBQyw;K}EA$4FL7K9lXPMLW{@OaF45iobFC
z>yR(b_>%MIWVQ3hkGt)n{^yUs{oL{6?hIC*TUm6`xfk_6Z_32;E|75(KkE*@dYJT-
z;v;gTxi|hJ%UOQkwV_P2&-;@f9awhsEq{3Z-4*%Y?PC2)@gH%>xR`L|WDr(@|N5OY
zuW#|Uv7~qa(*AEP>i237lH85>_ek)49l(cl06(t-_)#6eZ|eX)t^+#X@1Xu`9n?2E
zfPdBjo^Bn~&*%XDXa{(1?4bT_9l%fN0ME(}>R;4B{b?P*|J4Ef$qwL`bkJ|V4&aw{
zfM;z7@FzRKlixx8B^|&EJHWG`gZhtlQ2*8r;DbBBvjO$pC_DUbeg}A>sCcCH^>GLA
zc^$y1HI9TQ(m}t?9n}Bt4&ZNg03X`{{OS(+o!0?;Vh3=m1N_H#04EQQ#0PH&_$PHx
z|G5s}{W^g6?g0NEJAl^!&(Ycmn)dA&q+n;|Urjp=^$B+$2G?LeM$=qeq)iD-9zE%g
z+L+350d2~p$>Z(}RA?i8*NmJL42;&MOuqHb+gat#(Gw=|IeGNh$=c}g6Q_*1ecWWN
zA~0tBcvTD(fpHVYXlyq2*2&t0-?PHxF}IE%KM{BWlWz}B(ngNFb;^`6lLI3wZXGA>
z0u#q;fyu!;N8cJ4qm5409Y5wyZNiudQ^tU#z-0VitC%uo%<l<Pblg5M7|<$&L@Akg
zQGdx!kt(32LTF^`z{KEqZ9)q5=v$|ZA&!ZY#@tB?M~<wV61X*h_9I7*4*YS_n31=Q
zR21JnX7Xe;wp)b^A{wv#ZcJeGwA;0cX_Lo+<O&S%c5U3~iFZyNnd*@&s&F_dMP$S6
z=nS2xs_Z=3Gbx@haVl^TiYlO)1dbfZIT{J#z^@6nj=NK<06`N$(wz=&bUp^vem7y_
zoldop+F-wL;GmHgoOfX=RoFk3yx_cFLoPD@pZrhZ$@~SlvYa{;Nf*2hh@_VEe~uY9
zt_MAmj{qcW{+}L%yOF7V?&O0fj_b;vcCiuuns+PtrcaXYe6*y&^Q5Npk0bY;kfraE
z{7bF}!s*W>|8koZ{w@GGT}qKV4eq#<0?$u_J1(ri3)0|8ACUz`X>j(P{PU#2)BQ*z
z4NjVpf8}ZL<XUIh@H99Wm--u(2Je=FYTDQ|IDMz&-=s8n_aqR{$}~78F7+2mgZE59
zv2RI(>uK=nG<Z@LSiCR|eso&>MQQMKef&%s+;PpN)k|q``nt)#rD^bElR!M{(%{FX
z!Plq3X(N(<jcM@QBoNQdX>e%c)L&B?{KOPg)2uXjpEP)L8vLX*cuN}m<TSYUO`F`(
z$4mZYr@`GxAf7pC@Ke*^xoPmz(%|ki_~~iz{51F(Y4CzH_?c<&qBQtfX>d;(JU<O?
zq`_$`lYixD@Lwf?cn(j4pPdFDl?Fd24L&vver_6kQW~6ljpSct8vOhu5YJE=ydVu;
zl?E?NgIA})FGzzgOoLyT249p0@1F*LCJj#Ap8R_$4Nf0E`L{F;esL0rXI&b+C=I?o
z4PKlEZ%l(<k_I=zUuPS!PA6?WLo=dvfsEEhBm8>ynpBO}U-v>$>lwZAuYQULDdxwr
z+-_>c-x=MQr|PvEC7;1ORjyqp`2(LKPgQHbB>8Wdr;4=~Nqz_ORIPTk<hL<Tm1>71
z|1tAarS>GrZ(^P*)E*`I4a`$@+U1g8%{*16?UDR)=BX;}0?EJ3JXNIami%+fQ#IN-
zl7E7Eszh6p{KL#s723@|0&vEknWqZ0n<PJ%d8$6UQS$dPPnBoaN&YV8sp{;PBtMyX
zsyKU*<nLgfs?DyJ{B6urrP(3L-^e^wnLSDJzhRy#%pN8AE19S2vdbkuka?;s+avi)
zn5U|;3nYI5^EAb_Tk^kRo+``Ek^E`QQ&riT<WFRtD#~s?#PRoH-pzcI<hwCXm1H+c
zK7)CxBD+rV2mXybRgnFX<iBN}Cf{Bp`5nwt71`C2-^M&ukR6iz$IMgp*pno`iFv9V
zdz9oiFi%xumrH&%^HedmNAk;=r)seaB>yt=R4KMw^3O3(RbuBz{t4!(LTpX)4>M2I
zVK@IE^Upk0hTSCjxy(~l*o~6EmwBoPyH4_VF;CTCza;s|%u^-UizI&s^Hc?Pwd8MO
zo+`i&N&ZIWx%BNx$k#?58>Dg3THhiUez(=S3q*Nu@LumTfAkLXUgtC49yW9t*N<WD
zG2%;_kn)?m(InT156m7Cf0~dzPZ?%b9soH$^TWcOhFO}I?F-jDgCZ?>Yz>#Q-`r>Q
zoSCUb>-5MT<YN~`_xfV97a|!r%X{hKW+Y~w?2A3fMDhE&e@Aq$9*HpXfqvh5JQH_?
zirm3}`(lFE*E+iiz~#h^G+P<1@A^zBoSPka<Bu15t2QjB=J1BMHF-k^>H?<{LfrvK
zGayX?J^Wcq;il03W_|u@qkdb4;c7IZtv*xe(xblxGwcEQCsfomIM|4l=9POJIunC0
zKEv&6xT0udS(%1s_WHqPny|@le&sW-@UZT1Bn&1-AyK~PslqyY0O*;U6FSf%P#ikY
zEzm!7V0Ey2sL~bHqlYk(#Oa{}+w|zSNCFtrqn4yHo(XgdRc1V^M>iwyFxE9S#}^x%
zV}$EE`HBZ;PdhJhObtg%Mn82A86Di3m}kU#=NYj;Ubf$CwJzJ4A^e|$5jngUVuGdU
zty}Oi!51%g`OF(~)@j{*4Z>F7M4!Tu3_P2V%>c(O0l&yO&alrTofuUoj4F8P&){hl
zJkI1Lv9#VtEVhk*$dD@(Lm0F88B9rvlpGv}>Mw!{tX#l^urh{}XKrOi{D$G71FmT^
zeX$#IjQEup>@|2Ac-}{0oU2u3r1uJmBv{o{HF{Mk&O4myphkPT(pafR>j=wk$jhFm
z?02#HqI-jV&9l9++2vqn@!FYLt#xK*_)=|V=Y~u`w59w9<}`Q2&EA{5H+ygKj$Fef
zI&7%<y<r~2k{lkcm0e3fH)3HL(QxHvE!aCTGW<@fb##eZd_D+CVr#ha6D<IVHY_7n
z-fYCDyN#Hq#fZPsgiabVDdI-MprT74-gstT&!>5n$1sN)jy4!nURVdp51<==EXHR3
zSeVODmSlrxGm@GSdxcZm5WbGY<If*^Km;f5bs1*32@qf0!=x<W_!X^4vIPbpv%!U2
z=&5>F7IJudlPA<#7jP3m62se@0XX6^_QkKw04|w3^8wXSIUo<Hj;{X^Np>_hTj>2?
zbu%P>Yvz#n@Jwor@UBd!JHh8SpJbnY^AYLK6gG%j!f4)6qxlM>`B6smjvCEZ7|oAI
z9L+LXc*ET8bWvF6Gr!#PJeZUNz8b}0Hy-9Wd4AKM=k}Y|<>mXKf(!iS?RiDadi>^1
zc}Cz&G+<4^<~Mg4@$z!RY*2z_KER?qPbJPa;xR!R7YJk`mz~5{WaDAoxPv+*_?nVQ
zh~sc2j%(74#;~ErtgrLgC^jc4hJmX^<e(3eA~#b+&KF-yMl}p>QZhF<SIOL9i!w)B
za*f+CZ^(C~Zg2r)?ui^UPy$wqq~>jyP5HwAH8YTxYc!PRO+p%yTbfs?5|O+R6ZkV4
zB6-y+DQQXw{|H|sDV2UHExj}?UFW2MTXqtbu|0#%u3@gG-J7IGreK8`rs~m%dvXf5
z80Lq|ve1qdD$UJ%o)@yMo@p%=QF?SB8ry}$5L2K~Q8&j99B}LN>p};*!d7){)EC!v
zwe;w_!sSRFsSOordgNmGu10LW4AF?q%j570>x}rLc_F0y@p*Y1j6WX9tHaaiw-K}%
z=6o6Yp684>Mqr>4@%haIhWRN3#EODY8tw<BxA{^^<U|GJDI`R>=Q$rJXSZ{;61PX6
zzqSMv*L7V>+?5`EvA74&pz~FwjFKLDbYnJc%*s5jNS8kQbvWD{{~}~*;EZC0QI(|d
z(~#=XEvQWU1uW^!pq-QBqAd$646tC4ye6Q{@L|52k>H=NHIirX8Gb=X$bd3+D~W^o
z#)=xBSMG;sjp76j=Q@lB@?g=8`24&^v@_y<vMrG3_nX_TReM`ou`t}^*idW*ych|4
zDu%@9(Z{fPXd6LflOBly623bx7qiy|KC;Y#KjzQNHsY`5h0u_*wFpm6Of~bIm<DV2
zmoh8S9%wYg{0g24rU!l`b|Vx&)xwk0CVYwoZSr^D7j2TOL@2PFE$e`Wf}3pVtkEIy
znkJT@1}C0)jQHJo1;VHyu@_kgw}Olu5__5>rdQ~Tm$~*l1(!;SAp<U7Y%#?HAl5+(
z&N@tRt0*GaVdm!^7uiJ3|KU=s1t|KI=KpYMd(FSCr4Wk(4qTm4-vkG)*@(X3IB<dE
z9NVlf{#Cr}{bvpZ`r2;;TgoB5C!lQNKQIG{_Z&(Jw|GK_&ej*KY4cJ@=e{jQd{S%p
zO_xLEVxh8|V>k|{^4-Izgqv9>Zl*&e+|0d6Dsz1?aV+%3{o-YfC0(bUT)5L_q(4RH
z`%@I1ok-_KkXH~mA-uD|rXwv)^f_gy&w}73Ml37u2wv(C^G=VNDYK%SE~|EB86@dP
zI;qg9&tdI23~<Jc4v>;*#K8ZbkNR|H)N@_&^7ljA4(ZVdMpL+@gsk7U1&mG{pJKqj
zCMyPHfy%_X_7kHhQ(o2Fqm|Trpys2^!hWFUBV}O^mzwp?WF)c*cNT6r!rtXK4h8o@
zzosZJaR(>0XIe)bbLjdXOY{0RISE$TcfxTm=^B_<a(Z9_`V}QBN-#16(+}TUk2Zmc
z_T?%U*aCN2kFpwF>cCrAd6Zg*f8wYl32uGIXDX3~%T;-bY=lx0Iw-xf;8Th4;T~Dz
z;T~D-VH>N&i>bNH{sZSS_=0_LHfi1#JY6~HBe~D2%y>qRoT^gT?_7nH-3$LfPew0e
zrW4DsNyz4if~O>IAco$=5bVX)0qh<!o(*<RTo&0B_{D2sp)Y+c`~~r$Bks|7oaXG&
zjwg#{W6?uWZF{ss<gnWO${ww4nu6Ctq^ZuhM{`Y5B3+2i5+4Cox8Mb^b!}U$^euzh
zZK-XkFYIi(=5t=L>FUR=WL_InW+sj&Q!0filZ7drg(($n3&%oRHUH_|D9!8m-2Zbg
z)mcN)oiq#OqHLgG_B<8n?d)pe*L9*F;oAX&dJgpzEo%XdEnU@7%HsZK6T8p4ad(@E
zZSIufcY3hluXif`ZbY#G1IkrUxYG~HD&Y+Gr6tFvxEY4iXTEL^ZvjHs=@4ouj|0xi
z)V?W@<4v%5o#wV5riq6wgVA?Pv@*$`{9C-^_4Ww#TGCCAoV5=t7Hg2wAG!<s{K&C@
zq|l0Q!=5fqcL^#>>A|rtZaWQgo|EP#Re5yWrP>z&rxCj@FNf@&1Xs<vS#|%4{RzCy
zs*T~#nnL^Qg8hCGwx#HfO`1ddn}XOW{AU6ZH-)#g(DX*BRDMZ|)VR~wnREoz4%-<X
zw%Gr_>eAP10=;~S|Is>6d_Fxo?)%nOM@wzDZW}M+6TJ>VI}Vqlgo^4e24yaTzZJTR
zipqyVq@bvN1(<yavXMGHdJ;3|5}R7=+pXRXwzG)sa$uuGRtwjzQ-0neX5iF4yhS;6
z$Ft_KsF@0@VC$50>e{=uhdHto^z=b;sr#Hk+NT38HN{XU2LzpZBl}Cxro87g=C#B7
z=6A%4fXiwoL@zEyYVPoi_)x}M^f}KWOBs=YI%2KT?Zx^?<oukBC>(7Z>8S4E{(h6D
z*wk(qSs*e7?cg_?hM3>^%yr>|t$IWzimP3;2lr6q@!?*%5g(hQJafa`W&P%3wPmW1
zVXMh*eKYBo2R%R8i8-4tS<8ZEm(|n3ahikUCG^_npFb*FkHR_?8{me-Ft;)&z)0-M
zJnq&-p+Y<w(ePN3Y`!2e?>GOJ$L%tawGe3xgTr<vrj!}Mn+3d532DD|g>|w+G0azG
z@xa>-*JYs^xo17N8T*LXO0_LScjONL4&PFfkNmU7paEP8Mj3p?vl(~LBM+beFlL-+
z$ET~1#!8VOh0lDDMetPrMqmsYuW+Z;*Xdbi=*YW$j0_Dl>zfb%heXz)LE;i${5~Nw
zF5P1%lnW|+@frz+4EczYY_7$&9d3!U0mCd<-*IO(>vhIJOe;NJCz1756}Cf=gv@8i
z!g?}GS*sIq)Z%TJlMI(hoPc2rH^;z4elk&zOn8zBBbg{qCPpO_W0MKt1?MG12>zI^
zQb|cyJ8A0=AGB=_(Z3#f56X;Iv*4#Ojr_Jf<t6Q!d0-pR%zg;}gbtjgM}Gu*s0XCJ
zW9N`Nn162YF*1GjKv+!$69aKwUcox;EF-q6N$S4VERXmzc=%)D)*A7_u#ZtGk6*#0
z)QNi$M-;2%otq>31Ne_sE@1b&>Wr|B{e1)eTZed{LSw2fOx1-cU5I<ckey!Dg><<Z
zleNRENCM&%H{xK=P?Ru`?$&4D0>dj#_edtFV<Y2GNp0_=`(YUL#Tzd5=k?Vi*S5hI
zW6K^oaFZVW2NHA3T@u%51O`KOm7&i*N?7xnj5M}@{ev%DXhy3uW*NSe#|I{dKUY_y
z#~8jKI#+{XN~^hD7<S14($GwXPC65PYt$mb_+auT(+KZCNK^ILAbp?^5}-O)jPvs1
zC@6W2l<12)V;V6s>Kcb~EbKoZ1VY6*)(;&8BPJYI?21f886#Se3Q6?PBhzs<%8g89
zvLxU-`I!(-jzp>~`h_030^v}~iARECPamUlqe2XToz5J3D)1vHgFeMc^CNTv65NLQ
zv9<JH%EA_*qR-szZRo-=*i9rF;$5B|`5?e(6YiU_2HHY>qXKJK4j-^BR6@Ymwg%^<
zHHhSe&`;ogYFDnZ_RZ8PWXmD3zc-=S7yBn=*%!N?y!Ex-&p96w`zNQ!hf%>7oYRD~
zf%poNtULE;N7flQ`JZorDWonVep6mP@QG-_JBLX-MCUyFggOkZZ}|4Sz6ZldoaIb#
z=G5bmV(-b75a?rngj@~e4Gi6F<&LIm3w~tJz^rlJ&kY`j`8-#TzKj~!m>|WmB~A(*
zI1lkL0lJW)ML;o9CQ@_DGqJ*^^)i-eIL;NZ)1TZprAy*8thd1J&NeVB6dW0<?DR|k
zr)r&^4Gv9YMK%S8V4D3gjKPRuK$vj2RXDX9TvUJ%h%Y|VJ;a=7AfH_>`6W##9%BB^
z<1;6!T@0*FJ)|X6nH3GZ0x1g){-qczJH|MXg6gP}X~&AINOsw`Doap~Vy>71Uu|;0
zcJ)CV-04q#sNdV0K~MTynM{bkwGf5&Himy4N%xz3t*bUFVSoAn3J>*yajDuUu@Nse
z2VU$B^oWfjLdg_BaWJ~S3ECb|xcBL?HM<tD!%i>s$QKTf&BH3bqDS6k>-I;h_6opc
zWuFB?>4WN+T=<|K%%y#dz%U+eY5<3uP2(A=%!Hf0mn|zZ;b!+{-R;QMusgDA`6%V5
zHvwq(l>x4I2H1oFwqSsrf!kZP-WgyM2H1iDHlqPaObg4|p8!_UBT!P(El^a#li8Vc
zlDW@L<d<wy%1)2=AgwdG6Uda5Z2f0)7qAEIp*EFiakS}AG^ngmM~%)s9`UMkoheb<
zwZO^FT&S%Wj;Pzug5hd$?2w|zp21EJGo%buBsHzaRWeeKJPHdu?e>xaC`gn|JEz30
zM-DL61L66|jpXYi7-z|8dgKRWO3u<FJ!rXS6IiZCR<M1q62Bh#BT^+->k&7ei91S$
z>5;93+@wdoN5jPMk~^I~&Mdi2k8DT#Y28Y0)g!NyjhB>+fkk8o6?)`+*3T~q27V9B
zll4du;Q>AJ7Hj5|Ow}WF5=tudNDw`AwB*by+ArdT9WS{bU_iVpshHFeOWHy??H#pH
z)^YFlFVqv3mKA;h{}X<NxFVW;5ELGvpo_ij$OYN<8%HkaYQJ>kf^POhM=m(Zo^j-Y
z?)I1?7xb|GM=t1NUwGsKw|(M~3r@57lG+hQewHmR1I4dBuWqv61)Go1Vzt21xEi&e
z`h_(YC1xA};kLsOh7Jcjlepr4)$Z9uPwz@do|fqBU70OJI<9D(1`loz?Up|l7h{?3
zit=<j>6RsZF>jlB#?_Qfj*@D-nzG4JP^qga?bp5EwcZHVJD%&VpLni{B2y?zd9MGv
zqw^urFB}b{M{*D#@E3nIxrgIz7S<KMkvI>R7N~nK8zGkc3;S<yTkD&$pjbQMfbWB8
zlfyeMHd^aljlSZy0y8~x`|F;nZ%gA>)P}ch4e!9sn@&?3<JULB^P7sm`;l$);mdky
z$IJQ*bPw#0m&UJrHa@wLWR#j4^uZt4)37azS8MsLt+NiaBG5Xu3vTn|Xj411--q|w
z)N!x>#9<7>Zw29&nMQmvW*o+P>K_NNA9LNbqw05c4)5}KsxC-ei%y{h0qGvzh06;U
zB=YKa^$PFGL6Vnqu%o(O=@@f${f_S8ZI_2vhpLYIX;J64BKF&KdAKf=>bfeU5OzR3
zad`4gkW6K1oc%$oY-;3K4dU0>&PMWPRAW2)_*1jf+Q755;{A?j1n1k|eS5g!nR<TG
z=;TB;RbDFGQ6Wq}2WeoCvQ{K~$xAKiuF9hI)WE@2_VsXSQo+m9ejdrg7-lMJdCJe$
zO$<qfE9p-DY}NJ(#E30W3!Jf7MZd%+Wh?9$hyRN@YOa#oI5kc7!f%}DA=lXlHz*(H
zTgC*7;NihRdM1EF5BeN`Ma@Ju&qp3Y3QE|XfO(NPCfh#jw7m;J`v)j7ZlIzIMVmYO
z5a)os3S61`>+}g6!gyUZndQXmRJ#2%iYbY!&5eQcaH7FUDGrYtthd+6ls<2V(Q#@@
z^M46i?hR5Cd&Vzlk@#(LdjCoa{xjtaG^zoq;Gv{DnCkxzHIF#$XK`NIm544koW=XU
zKACYAt=$0D$hP6NX1dh$VV{>2qS?`p;Zr9!B)DmTsv;{timc4f3jx4OADrOyOCRJL
zZjQhOC{KoR41M<FQaiQRN3h|afS^kR8<O_E+zB5z9#%Q-X&7N?0y8HXEW=2PJU9+@
z_#e*z6KY5lM$@Cu;xH&B@6TPQ*2;VU?e4g^n%Y=ZJ0)lF81dUq7z}pN9=XZkH@~I0
zp8UG<0ZUn<5j9e=_mkA{(g|%9LhaW$Dr{!*F*NKI*2%CXil8(@`k-vGPS{WGDE2Qv
zs_j~$J|`*&u45R2>c-DRy9L*tl8*Hb+Bp<-P$wm37Q0O6vsemecd-EeFuR<ToZGQe
zaWvC5ufdAM$z<dxGIEl0Gv)o&vhF{$WAL>(=RuFc;gB?mGo9As;gjBertPCaLux7p
z{46FlD{V_i#^&hM4Y+{KsWQ}5^}#IvEUqL~?HT1DyGM{=!}>20Co5?KQt4B<Tv&G<
z14L>nk@(3}0;Z;EQU}u{y#Eh%(pY&!VtJKZtVN_RQuflXe`2_gAtwrwv>@#2PV|>3
zTGB#Wu6k!qm%t;Y^&Dm3j?&mRO@M(?4dAvR3yk!F@;%SlZ|#I9nT*RBjLVht+7uR`
zipw!tagy|*N5(h=;*{iwF+9{|psn2cx=vPXq`x%ipzAhbdDo4X)r3_05>Vts3YAvl
ziH@=e^YTJm6v>cb)amB!1R3|ARH6MDsA=cc`eJjMfX@ly`FYzoCK0<K=KU=2;|{Di
zYeSqs9xp%r55oeu;kO8=;H1g%i4(%ZP0`pxvIx}K5F+_JJ1OwvAbB&Z<LX}%o_^;n
z2d4pxkUbXv8T}9}j>y?)>h#As;{gT_&yea+jb}>hSsl+tJmqL80}YoVV@-$pWrw49
zc3}VlO@oO`COk}7*Gr|9c_Cz2JQhz$OiCt3F=3sDdSIM7Hk!lZAU*Od3IJm!d29qJ
z#!;BM*6K4KVi5v(b*M;6+}8G0iYCvI&r{r}s9CF>N~3;`@W-Ume<nPLdWCffk1u||
zI!qFxeDNi@pv@PrmBS>hma+`7&c<;vbdwX9=5f+f8!|Mk&ukniwSc&^1Eq@d^iv`v
z7_U>6BDf*1Y<!0+;fHEQW#wqKz>kBdud}gct%+|zdU+`k)L^<0yl${!Pom&Vgy8T_
zhxsw~b=Gg6(MZPH%AxG}_rqN(R~A}fWoDzB=)Zt6yrK>n7jKZSSc;Uj2Pk;-%?~#i
zu?Gk<Vgm*|e}-1G^s_;lbqxB}PeHF+t$cKefsmx++1MIfOy>5(h!t7S3ML1jM|hQq
z;7tJg%(V`@=Ffa@1>h}jVobajy$-iHtes#aa#k6>ui-0Rt49_|>mIK?cZRn74A3oZ
zLTxoE`YR~nZOwigpb>AUEdXu)zG}F7)fH$N8{`hRWa^O*IO3KpJ%U}F7PegB7My1n
ziustHTa*1Muni?0(K-;JM`lT<D;k9dudL_8tS{VTO~eq`<B~V%fQWHW%-f4W*5m*;
zW&~rjW?#x-gjLH1>jvUhd<K+gW%$-sP!2c&=vVr{rEaUz>870B6bqHG*aQCiS<J;K
zjJ&YUigL_+|BGW@Sf?gjH*XP|ddxx1<tKq0#jVrHttp_v=EVoLxaf{#i*r<qVeMOZ
z*}}^f-BtOoS$=8?V-w3yW%<{zqIjLiZ$8h#S`$E*-~7xOW#J~?QHPK|4gQdEGuETY
z?-a^y&j2OgYg0sa2g>l<t=5|y*<XOwhz-rfs8^s`P4+g9dKFAxt2Gx~2~T&sQ1&>=
zmS&^j@+|yQQ-E5AUe*Zyj3Mjz{#W5npSkfC!`x<szi2MM&eu>kiGtTqugRmK{0h9o
zc<h-^pP_vx>u+fnyl_6uIG5jHFv2Z84fD&XeW(cKb;zS{u4O@MQ$=#o-n@oyLAEX8
z8kP?;X6+IL^*`bO?n}dLHtMa*4c9tj<Bx%3Q`nA5V#B(+c@0ov{f7o@{5#}4c=Rwd
zw0K?c=5?KF0CMe-o@#UP0VN}Rxfbk{cmVBE$i88N*2bIdyU?bM9%J-g+|J4d3Hm=9
zjL|LD*_Z;zd7u+6IA^c1R)SF#)ot}vFKv16_1<AV^LxCcA|gA~YkuH0-?Gk7SoBC7
zoGFAYUn6fsaIWuS5oGM!25^6qVXkHIR%<lC-r`;Q{q&c;#b4|5<{=TkCsR58qg$;%
zp@FQxb%BZg(cs!gQsl?n0quqBV3Lbp4-ORhMJC+RYOV>KHo|L8fNV88uhgumU4V(T
zzFdn6co}X2daYeg$a{c*jGG8pLcnUL%9VgvuMzw-!OuJ33jqOt`BH@0OsyQQ>xtJQ
z)N49)Ks@HRh!^FDS9gJre~#{3UEh)!zq|8Msqxf<NYU13V-w>u!F?Q&`{Ordf<2{p
z$-&(0FW%xeKb~@;zBpT7%)5gwoISXVVqC_Y)LM0=Yw}lg>hPXk_e`VsO+EY!b~FIs
z-4JmA4)E#rnVZWB_rmB>|9}&CPXw+Ddg$$K+*N9RuSfbqQG4~pU3}*I@pDk4Zg~dk
z8vQmK10<nevpU?8;Wbz5v%iK8_bx+yO<riJs5U?Jo47k-?Axm3(<uH%k1T<HEJp2r
z;#sOM?t58j(aDHoASXju2mRVB_`Wy1|7d;otAwt0d5bqqc?HJ%oM@{a#fc9Ns`h7i
ztIh{CdQ?MRUkp1s%;f_HZ&ewzXQOep_&T^;Q3{_lrxZSEZ$H@BZ!1<(nQNob??->}
zJNNWN{4F2D&FS|e=A*Z-c)fma2G)Q#^rMSMpSTTV_~|wTdg+UYX<&+L6U&0%R}Ir(
zj}{s*2$%_2&nbN|4dB$J1}OH0699kgsk#eiPg7izzwo<SusiY<H%#e+YWm_L)?#C$
zcr|Nb(p;0j1T{I)y@At9aZ=g4G!w^_oUwR$mN#CO8E*O^T$c^jh5tbd&N<yjs|iuS
z^+OC@UpxutPe5B-@2Q&H8cZ1dKJvx0@Rnm{;22g|=V?Xt)&715!rL-~xTjg3#gG7S
zoQ;4Y#l>UhU}+Ecn=R>HMp9pSi|h69cxYg+`7f_oZ{LcfKYoV`aUQ(+>8%NYbM{A2
zoMiVoWzjeE2tVafgL65}=W6z&`D|VpfK=2fDf-ly^`j$3`@%m$jK0%n|ArI1f@0)d
zhGd$4EHgJypjv(VKE|ANul5%2*Js1tff*32i;)<pFU~rys54wBWWo*LFyyIK<muqi
z7+-gN_MH^yaJ{Rn_^l}~;%d84;_KH8%tpV%=rQ*}PEns1Rg2VNfTGE39>V%QB0W!%
zpQMMu$rL?Qb?xc-!J%gvC{^^>Q(yE!BE)O+h7V?x>ZMz~;U6;mkcJ`&Wav?P7hcyI
zZ}A>oZWgPVC^gsnTy@^K_YmXo@$2#qh2O?XIKO^JcGpI%3@ny1&5KRfAtYS(C$NRy
z;vdM5Qhng|M95ow(8+9-7ty)C0`5}tol<j~;Fh_YQ;PWxTbbw+-6S4TE6|<^Y*=}{
z0A7k{QmZ|k3#jUR<gq~QQS2;!Pn&A{s@_r6aF%#+9qY4qVO?|+mssyiZ&mLs$|~-X
z^q#iM+yTkV!7A)+ZtnMSynlvSkFwHY3k$9P#ons^-Ge*$ZtKgnxVh)l#Bzm_yFIVK
z+-#T|adD^LyS{kuEOURqkDkdi-_av)U@n%znT07_?c%b)^)1x&_xlVhCAh<Efb?P+
ztj-={Zg<t2SGJhnV2K{=hvX0TMj1{Z&t(U}4bB&*N~XxWl7b%mtOjTIkYEf=y+;2F
zgpB6QyMoQ-#dS=E($j@Ile(EY*=VQ(Yg_FY4xX_@?Mp#REe9f_vCB|q<*#m|Dqx7z
z*l%J<{zoFF9<LUit)sS#OXx|gWLoezLt^Yh>2sR2J?8t%(60t-EpLV6Wn(J~*Que(
z@CMU$dENP{pvPs}w8IG&09Jg=)MHGjB)-kMrp;d<ps)@g{ge<!rP2S0mtNdzKyCKL
zdeavl4{L|pTaM;zsJf=Ls@yesI~@=BKW0m~NsqQxb_uuU=>CQ^hx;SuH{RuBSNN+g
z^>(Ir8I7K|-?!n<baTD8-y8cjC(aZ+#^^U77L*PeD81C&=zZ_=vaXv;s|I4-)CbOj
z6n>`jD*Jj=MV%}isNZV=*mnJqWr>ya?0(XJb6fvb=1_Lsq?aNdP#PbegYgO4a0_T}
zhqtNJd;>VKD095JpQKS=pl4F(5cu9fZ<4+>!6hRUKbGkjU|HcCN&QViNo~(EeeoNm
zuDVj!dat>rDhqK}+vTlKfVKNu%gm30ACyJ5_~XCP{kTgO7=X!+01?$-BXmOBd|@(h
z;P)fVn7P5V-}P<1osIeM71x>X1h+-r2)?ribI?|QsiLPYi4U}N?}Gn2Ly?xc>dOl2
zy!|$Ki{H4Xhj-R$jharvBBfQm5$}bmgx3~)vn*0)#P8ArmsV68W=pBLZW(UUX^CUO
zKTy9;YYkWcvOWf-FV684eLMLpaC(1hRZbwQaBt!Z5+(CoSf}KeWL(g_b5(bA!+CGX
z34RT_t0~{_L&Qb;A>KvU3Ro9o*%x96kT>Y7tP6T)R$Z3`b>TEjQ0U!^9p%(C(I=dS
z`c5cmM@>JFY6Y=?AnHZ!WS{b)FKLZu&4h04l!ep9HPu6n*u`)f#UNP!Tq$bPFb8F0
z7<D7CYwoe-5p09_c@4D<YG!{8t6E!^Qca9l1IOEEe#b%7ypBphW$ix)o6FdOI%eb3
z{RUQHY{7ad9EuB43mR1tTgC;ORTBHC1x+gHM$%GAoZ>8KR!KMx(H11>uMaBH7e_gB
zRf8ZIWy7lmK~b0ewrbEoBNi;OF75BqVy`jYfzGePrubu=AH`nlt^ha6X@|8=V2qTY
z(k%-1GGM^W3qW`kd7<=HHK-!?S{5MIe3mYGEkl*^YnecOjRLw|*nr1Z@RI-lUIL&I
zf8cM(VM|HVtJUChx|&sgoJ$)~Sci>3n!F1CexQ=85ii5sYMAd^i_hl%d~4w*+;MYh
z*6~CsAHEqf+=vg&y2Is<m6Zd#7cc!{XHU*sn@(_PH~yAB)ta>Zl8V=SKWwPbfa!tB
zBr0oYvWvpK)*Rf40wXfK`jYQ3f=XnOe4SnKQylUB9vOyF|5cWC@L1CFdN!3PzY+j3
zPv2iwglotS#La3z6npo_pU!o;wP8cCO+)|c$~7oZ>%tp*^&h#ezB030ec{*L)~{6W
zuTD7Gl}oC!K+#wDJSHf5bwXd)iG+0qY!hI<*sD9;t{j50X&u%SSeK%?4+fygw2bgt
z9B>S6V%9>!Vxk#|W+rgSX=n?OE+D;ddGG%N1iIbG3hUNXbAQP%Am~dF0c4!zpfRh#
z<ML?nEKhP38D<yjRoF=ewE{gym{xMH2Yum>J!zme-kli|e<6=+&c`Plz9I2f^El<;
zu*Ew;`Vzbi&mIu0*k#cV!YzLZneDS4bg&1XK-9sFAR6EAs>d2n>rC-;D0j05tzdym
zi&ts*B2ajLr)ig{GrstsyN&m@?OmN0bkl2zhuMAjvtGfYjah3vAjvS-hqrY_h++-3
zdk7PVsKy9rsW$y8vhxr*g*|#Nqtok<Y%;B_exkX3{RV&GUb_?MQFbrfaHD7vdlN2a
zLBGywkae@yzBied#kJR-tn!c)42inVS_Fvnbr?OWytn1~+4AEo_s^E+TBD9s9v_^O
zzMiO}(I31g4~gn*n0OfiIfHv<Xg3}@AO+<n?{RZ?jMON?pxO|5W-8xWfbW@LC`I8W
z7dV%;|9~bq2>ju%)n18xAUN{B>f=xB1C{~=L8+{>j_xIW7GOeCG2Ln-HaJ^fvbSsR
zmp}*X4eik(PI85LG2lkL?`sqT1~m$oP$bJ>!CwbSpN_a0?v~vh2g>c|`)iE-zG`W6
zfQo81#1M4IheI5F#r?E(no=aW?Z=O<)7!Ui2<u%VZNGw+1{t|)s_j0nwzj6p1J)`A
z0IPNdXxwAOuFt{hjCqi`AsgP*g26dP!)#gyElX3u>l&u4S6>s6MqrRuL66*xe~pGP
z!{;oQN@64#1)h_t?3T*c;NRFQv{gRLSAncHzc~gWlrpz<<GG+UR+bxkg?9~|l~`G1
z4NSpl*^==7)~{0VFVf&{t5*t6`<SesZygYGOZ;D_!Sk$bDfs3zc#gFp1^*-so@>3F
zf;XkXds`2u;6J3nORRfSaG0PJJ$<b^01r(+Sqoq_l;wtu9<I>zQ?%g8xCc8uPYWJp
z#D?XD=3WDJ;}T<~^p;aMBe6M|?{Vt`@H|dOpUU&d`3pRcA>h1t9tkHNNqMDN5vQAS
zYs3~$0zG)EIWU4!d-lti*w`vVV6B0(3OB*v9S5N?;?sNTOPYm|R+QGzv1$-V59Dro
zPbos}vF!^(APF=2YxB=%Xo*K<)wC@rWi3cZZ1yPh8Ez?<c2nU_2JR2RQ39m_5ApLQ
zvazJe++4WV-_N3{ij`!*uATS_m)TY|!C1C;NbhU1y~Qu&5#zMi5$*!1j`@X)Rs=$p
z)9q7?Dk7uuFv6v{&C{BA?=bxmd%Q?^u_bU}P4V9mYX+0{zC`OKT?TsB6pkwuXcM4?
zo49ILn~jdYFLhK-_`vw1GiC`rg8wrNeBnxuxUk4EV&QiM#{?U#TCc-<Ri%iY=!*v-
zIIwt1k9C83YUXM$E_X8kwe3)8)s!ApL%U-Off$uH{H4p=b!}<Y@4FAdzS}b-+8Q{v
zW;7`0uDnDj*P~o3Lm0#u65Wa7KS=Rz>m;XmCyITsmFn&g5cCzYbjXIj`1d`-O_}(z
zL-@-*UDtZ5e&5rFZgMe(z^PKp{_j++@RvVyU0dQ}C4J5}U?aOMV3&PsB2Jgj{gb@Z
zqfemA@RxcLp<9@89>iXdUWcyXz*P;>5rOvNNM<w)K97AOmjG>9WT#%$m37mmTE53r
zbB8nVK~6Uec6q~ZXOKVk0U%N9r>4>&r;k%_56JO`-*J(*_BU<yOsC$S7lrJI4>D78
zp9B2V0e*_cH4iwzHyq#_1TJ)duR6fD2z<-|KJEaQ5cq@xoa+EL5%_lp7<7QE2z<c-
zjuIed^S>RyHL6w=&IDN-e!HC9wI9Q1Qv1F51UFcr+sg!~)y#0(9^<s-;Uf3|et{2m
zD$XG2aB~vqu2#&6prX@Ffxs^U9QJa+8~2?7(QT}0!8*fH&ck4^tTg*tR1iG4lL<VX
zkzHPf?$Kre+SH6y4aTJ!@PmdZtVAK=t2GN%xi3}D4;n6C3=D~tsCF%?dG(t2Ybqa?
zj!#Y1+sxfwY(RnF*-^7z;c=zPm#Xp{r`%BOKLbY;;R{jj_<Q^y-w!aM-w&1GQlgs!
z53g~B54r-~!v}MMdz@Vi)apxM5m!o+2z4zmdaL05BpQ?RA)4?(S|Fc!Fp6){{1$U(
z#AY{<w>w<ik1yNEDT-g$n4RcZ?G3NT?zk@7U)&fdFk(5&PDDk&`L1Dpu;=N(XSE5`
zUB**60R;0|7i}_7KZr2obVF1OcIVc%GhEK{p@&iHdIk-TPc`g<Mp=mk)wRaRQuP+A
zLWmH^`fPPZC7Qi9m+iRyZ!6ESZ^R-|>#X)nmUnMg?zS&!E5Cr{I2Tdv11HvAOaS%)
z4#HmE(E5<w6%Ej{N50`%JFtD5lWGSOfJ>`R8@G4XdJWpa-UI<*8a%bRhX6b6eR$Sh
z+rB|}R)QO2|CNO!Sjaeu8j=)Z%VtMdcn1sH_#}lnDCDVV?W`l9b))b~7RFeJs_AGw
zC_I;ij~t;eghGD9v-Wuww((f{#F*?okjvU-EbP%9Ee3CYz`}JbOmR1;T4rhXG8Vqc
zLY!@-6QpHp_M<G^$U=SwHH`^cj%Lqf;WifHmUX*Aw`SjlLM*g~xmeAM)GB)9`Q$44
z6AC4sbC52HxFR!#b8(y?i{rKz#0C~QHqaV~*JO;?J)>BopVaWM2A%8p^b)Bx;%0N5
zeIn|$`4`Ia)A>>QX=rH1F`)9G5vvJ--r!k8_ZvaC@j2;Gxue(sjId7us$|?V+8R{n
zm$d&Cc%6sA(|2CMkmJ);6SjB^1+osXX^^MV5Ad&NjOACyzGrtQNq6^x5%@q-Z=AIn
zOYtFfs1zVO6)~iHCb8DhQtKwvIs?M48C_XYY1Dt-yRG!H^im*^zZ^Q%9$|>lb#v$*
zorma%yJH99y~(}`6sGzA@CU*9aBV)8L}z`@Q^24vo_Gv6<bh3%(!Lns+7J;3&W7*w
zLlu0dVaO@pY0@J2P8J!5dEn&{=nkoD#Ac2qoxNlf53&Z0yx@yXmjSAx>B*wiKx)LM
zSF%-4X*Eg}1%L0vKvF%FvSyDzkd(_)q->^q?X*Uu6NCM7tcR~X$+;jI^)75zFSWr#
z{S#RKh7{h)zha1;P}|PMJfM94oOb2w$$~GRMR^O>Cdxl*U+!l6wJhI^a`jQZy>tO-
zIE4GL+2lUh6WN7calu8-YW2aZ`Q;-7P5tq6)<WMvu;>TRrZp#jL=<8rQ0Z&4t^VjB
zDJQ<-oxu;i;TmGiR2P4}wYfmxT?HQ#gNJ@^hv!Q;jcZ+3#!8BO;f8F>dM1TyZCUY)
zL^JJOZ^)l_O$H@Z{zS+MAYb0l3<#LHOUWAq&9YBXdjk<eN9?@vbxf&azk%}9dMw;h
zxHIu2{(D@l7qy?pPL%o}T*I+y_-YWsH@|_ph|~qH07hP;e}&9e$)z}Z5j`N;5jWdQ
zaHiqNp>-5OK~6n>UpMil>WB5km^0$rem$6n)L4WF9M&_UfFmEyfM$IH-wf|W<nvV!
z<(`w6y(d#22wj&#NKl~*I^anPAIW|=e<|-@eOQ5uB2op!u?M+zM#wLG;52>CUjd=<
zzYkA*_qT8h-XcgqMlt{KyH74xn>TZpH~cz`|C(%T>fd0?ik~8isW<y#Q8yAs>>O;U
zcU#?_B6nJ{r@jtNJRo`o2;EVW{e-wgJ)cHMOvp=y;85oT)LHI9g_^OdmIVw+{h177
zdT(K{dshTiF9wlH8#GeXKL$=gnRp*^=EN7$IGS@9N9QgU*^h1mn)X~>bW)0|Yw@x~
zN`ELu--|E)5cC||DNrp$grJAoK=U9b(K;_~fkkIY2ahb|Bf2GUb!s=4|0L@K{53Yr
z7}fjn3NXE9j|1qe05{egasb~y!6w0O>!K6E>P)_A7k)jb)NGP1I>xOExJOQdQf~p^
zUCE7Rva*s#RX-!K)R9}2$Lt=~K23gdILVYB7$L|{HnNZ(iVeq4vDpc_Ry_aQbH7TI
zCFgHn0_W1PsoC`{rzq)Jn_Yh(qu=Uy)^Ci_2kM(L`_(T6BJI7Vu30q@DPo;^B}7Vk
zgSHXPybkg<fT{p@+-AH0nfdbGGq5AAsZ#>81ng=rR&DFu34@FL40sXEmM;`hQ$F}T
zXsLw9iEB__;yO$+Y@sgY@l+GH&+3jrET7AgnJHgmaUTVLcpZ-7e#{Q!SCkg_&zrit
z)cm%Tmy@^GZ_8!jtPN<;Z1H|F>jhyL5jEa!Jt>01`;1ucL0keK>^95;g?pX(h;^Iw
z8O?BbzpEnrDHhb~EZpk}S{3+6@CXoCR@j<2n(~g5P+xdmmM{FHJMgQ4vECQ&!|89U
z7T5uLE}hy0@j?uJpY>`2tCC$M-WET>3NI2RmMb?f`6XdTPnla0R<stRs^gMa`uTy`
zyqpsZbDO<yhuLg?gNaQ}sDJe8^a&l<HEYhA|4?7nsWf_T+rCW$PwhQNqC08+RBSfA
zXOX))aFX%}QIlht?}x@7Yym8c?{3U_8VOt=_#H&BaLX!QLrI(t{=|;1-`1sTBeq94
zyvR0jkLWQrnR+=yjEG@`+#+J5vBK~k-^`25k9@J~v+MU~>|K+|1J-!=xxr-(E+A|*
zcO+hQ<|j=r2|po|*M>wUjVDFbo&MLuWm4+l%mRAsOjKQdA?Q$gEC)@jULZh;;!}s)
z2cABO+$ljc8nW`x7V*!dmH5hbjLvrJO(j?8<%n_>z9dbaRtK9!o(kW<#w5{8>_wP|
znDw}SvELoIAl6$4Pj^F<%CxCp%-RMXARe+C64fkn-DKUwo<*+KD!DrQFOFPo7E6cP
zl&7*(wZr5oJ}?s+gqPnk;@zV%s)fZHjMxqEvU}ef$cbgtH+AW{&b+{p&!wE%h78Vz
zKw+~R*-DR$z=kUs?SftsS0^_%dp#LtmgJeMD_nR*?k&tYb=Z@5ikZV&vX>Eo@*{om
zYh25@NrJz_8_|B;WiYT*o)vG|Tx+i8yA8OY{fI~<t~as!REu}5KB#Q22CLv*<CRnV
z3;Te&IPC%2`kmd4SXQ37qu%aL4u)E1Axsl$E#9a{{z@vAXkd1;K8JA{Z+xn&qIjKt
z@86lh$7+)H7kZMz(q}i}UkEZup!p5m1Lx)Ansb?jC9Zx9Q^Ck)15Sdldzi$$TwOj6
z>`T$S+xp$(&H!<RFRJ|FtUS<BFl{VVSYl4wdL(q}4s!=Y01Rs27@AtG>$hXM{fqL0
zAZZ?o%njB+!0ao~k;sJ~aJFGgFdrpIcd`3OX$a(Mc<Z%2%1ol1h1ns$DoV`)m?pUy
zlKS+y;MJFWYgu0bUo1+N$Zt?6ItJ9=ja}eEwHg=5&{M8a3J2pw|Al(6B~7a4?>nf8
zg)4Z&HFcy{k6aDk_HcR2kIhzA3ddoNz`X*oq`+N^rx-{KDREoMJ}I#v8>?F>6Oe{#
zN<)+%)aQXzPD&)a6!4@-<RPQhYf>!MW<xC4yFS}OTZjb-HDZ19LzilSEsj)dweETZ
z0mMsKWNw9MSa%=~DdD+St{%A^O=~irrC-uu&3st=oB2>Pi0a~_9%#i0Jc~^zNV8V~
z0w3Om7<n;*vLaK!t4Cf$fu)0&vT$%yP><FFwV>gq&yhZ0la8$~9_6y}W5BuX*ABy6
zrSevE2nr30i7#2TaV^xwwf5Y49-Sn)75)HisHMP6iss+HfM~7;tfD%#3btCef`m3|
zVe8TF2FRt^sHO)oj!>&2qO>u+vuU@nBX9gqT;W`>;fiE`XpSybd#ixmUWFq1YgFC#
z)1*P<*uVuhT<zha+G=${MSV%8UDCEb+LdqrT*?zwvOFLo&icr2vq~`Ng4c_e-$9jp
zI99C-ryt&<1P$zNp+ZOIXWI`S68gBVssYEkqD<Mv0_OT2Fz%1^=|2K<YV!Xkw(erc
z36^KRm@jqiA;EBr6ZMNx-*4{65}Tx|XLnFt&hyoM73XCL{-%MO-V)#EpdX(j1=dB#
z$|nf6TL<@3Mscu@SA-!T*7G?0W-8bED^s|!px!Y_`Zq+vw_Gm7=8Wxv>-8m2$m=RH
zaq(7<@^HHX&iQ4qh`2U|ZylWA=$WiMFKi=jUHM=hON;Af<W&?OHFY}$0VlNIfRXUN
zvaPFNBoiBX;VJ}FxOzo275K7Jjuv#=!;|_@UxH~PLI<0E-vAU1jQ5Aezi{ej#G0$5
zL9l)gXE5<5_~}Rp^Q2pTqbPkpIcvKZ9+W~6%&%Lc@=Pf?Gh6Dd?vUiBRwW<xyStk$
zv#_wMTSdM-k-d6Z11qcem6ulzPFd#0Q2K3D-rDZ&?`?bUD_jdZwWVt_OdWJr4o*bs
z^s?1Bi7&o*>QNxl9z+UH`N{n^sQp5Gox8<regifKdnF1KUEr&}q_KFz40lEG`l;VQ
zxXgEOS=;)dNo<9dET7rLTUl-PNF2c*hU$xN$qw(qU9T<XW<;AqGrDRB4KSS*n$bO(
z&JNA!mQ3e_W*n7FyF)X2B-5VIjGijpJrtUeqmrSwQ2l78Lo<45fxC>@o%x}6-3AVp
z1~}Wg-PW}WC{ck4&iUMK%cB6}YdVWQ-EEyOfZ!jOYOo!l?af`+i2uhoTk<eY-pJvh
zll39hf;U`(<Jim9lE!4I`C!lJHfUl;`9-3xdMTaQ#4D-!TFSU{;>lFr{1~bkC|}(Q
z0eS_i@%f<IkuOzi@$LtcUgttb56xZ#GQ{5&Q|A1Lj~;mrU~s!|liWZ+u)=J>+3Pv7
z+*Uk;LY%ydCw&4y-dR8JRVl<8rwtpx)U>N*sB}w;K?;ZZ12cU8ry>l$CD<c*_e$u%
ztz#4y?ycXJ-SuN@@27C4)zvI#UBQX|EC46^d>~Rzw1oj#Z(}%#1&}*2*VzAZBS$TQ
zYaTPo5$e+;<fG8}2h^<?(26%~)=n#TsM~5ig04v2kJOA;gF4(0#BZ<!d(!`Ci#O^^
z-baPPz0jfEtsBq=3$}Zz3iV_UFX^K%rs&Ik3iO?uV)sj!i&I#`06cm0v}=BHHvZ&{
zGwER@<5V@HfDq%U6m4jo+sV<3h)7r-eEvaV4}oHS#0{aO@p+Xge&MBrH96M2KSL=N
z|2v2uaC*Jc2??lRnbHSD3yu4!72e|@3%){F0bwH#Bw>#e<{@ml=urebf-%ByndMV!
z4&>Jfg7BAy2p>iG<6x%)9|1VO35e(n-o-7f<Etn*n}%y$k;x56j!}%)bde42s0g?8
z(dRsXanoVP&UYu)#^qYz0@^eDQjZFY(NP^3>z}VLS>p?@%|f414ZA*T`cZN<tqZ*B
znVaCM<oGY;#%Qs=<h}5LKKlJUqFLGp$n_;#`ZfCF;~#^eDa~}P0D+)<d=!Rew<tdI
zQzEv01%!-vTJ}R|ih2I+<aTm63G=BUF4pCkPWun2)uykw-#Q8^EV-VkD)T>~s#NPc
zyj>~VrR=`n{`Z<NE$RF3WVzWag>s(3`xT5|#vZgV4hCd+=!`?WW@M9xct=48sY5)3
z4LsORsB=7D@#;W-p5yU|EbScccvN3@3}ABnqDTM6q;r;sHo>>l<xuPn@djwL38m=B
zyNrit(o1qYMyx;%(|{UY+@7aB`a|pVKi7xe$?z1tgSQ)26DbjXP-@m;MG2=vZ@EJE
zbi%7aWpz9$T-p^v9$QsS61alt=*tS;{ioJeoX{r^;lV1c_E#jl{dr%Od_Z2=nc9n3
z4pXNF7F6end>7LxAH;GP&$RL!ImdI#f5Y;w?aJNu%WdsPusn5q7&xc4q8%W3j+`gX
zLIcrr>jvq#ajdRuu8|W)`i?v&d<0MEh=UV(mIax@QTDslj(V_<f^;Z-Z5}|S4_HYZ
zU)#^2Qk%RXriAjvQZB(Vdv3dO(JQro0F6fcv2xfBW7gVoSSQMpwe>z|)03QjJ}s=P
zoyU3%0GHhl;))Z2PS{%nKj#2MHG06cmUi~ph|i&gYO`PAhMuAi?F;bLO}SrKhjIm)
z36S*GMt^L!ye8ZQ2tr^w1;8-(2Ryhr<}u<k5hcJ+t(iBp7_kQ#M>NcbCh-y8-eUCI
zZ}eL~t3D*)b-3-1pQ|#Sa{M4!U!WBCko3soK&(zk4v`;NPp~{bbrE-YHxycDV7xU~
zv3~{y)>yv=XT(O{4Opn?s$h40ak&d$n!FXKB;6`toG-#hwAAa3;QvK;(gogDQ}DFR
zV;6D{JWKPJljHN5H#?`|&i$d}xEpxfNwXF@FfjNRe9J)#%uhU6T{A=xWjz@eiUPNU
ziiYUXyC@%uq6>I#V~-Po@z5?kJE5Jv8Vj1N1)xZ%v1g$oy3nH+Gr?|Z?Q^7Yhy>IO
zcKW-}>F>Ny(O^B=jWtw%UD4mkHa~PLXquTI8q59?NpL0L21oKh1Ua%<N%r@^ruugQ
z6Nt<rk!P_(OrKVpO(L7YbXDmSU{dSRnJ>r0g91zur&RP6>`V6YKT~E?kutuI%#c0(
z{PgJmR_h6x(%7ouf}u5VCN&Js?at;nlUJi~N^9N4dhiA0^s$<@jaQoy)J^q~{}*og
zv9-XjPsl4U&c!P0^7N*Pe$jXEqw-K>-_yqDRo^3>c&K`4XeO>t^Za-k%;U`5U{CAW
z%^X5t7;k)O)+3S&erv=A!N-|`1+kP1%KBUe8vHm7PS?<ieaY5Agt4Ye{Smm~+l&Qo
zzl@C(&o7f`Dm~V_3ipF;K!sb`cO_+MWrBY?f-z+9Ei#WuWJ~c|7n*hcKA}7!ht<m7
z4I7GMYUrBK%+oYPsjw(a2^^;Ehk39jpAtYZuwIObki%mORKTHNjN<wCi4$+~;=@%v
z-nj!(b2e%!saZ&=Sw0VK;A#HZ#PbOFcUudERpy%DD%QK}&oX;!0vi(lAU}Hikw{NZ
zA>}<saSp6ez-;?4&i4BeL+-cM6j7PtY<Uc#x1vNa%b(5#4Y5b0$Sl)DqsW{4TdmJY
z9;WqrXcH`qz;P8Y<k7d$t+NAA@}e&`TzISI6u#A5zpa~L4%6h^%V;P=)l}us{(-?7
zS#}>J7SrB4dSa_J-Rb8d=m{VRE_5*VP#AGN02sq)uclXUd|^)%$t+E+|E<=A4xZm(
z{i7+q(#$G~y2}-=lZngj4|tnC2S59b13!yEtC}PYH-@ZZF|lfC=b*au{sU%3dVg82
z!=YjGSTrn1HC)fx{RA9U4Q11W_hsa+MS;Wo9PtwxKx>5w{Xb$2ym^&y^lIp?KALl<
zs^Q*I6f#6hc)iLn-@`eu1A`+}qv0PVh4~!1DZj7iGja91lWJ3@$zhzDry9ak_5D@t
zt2;9#m8<c4f3Cp5!a6)N0vUVOaL*OO%WisP2U7Z+7x1q!i#sScii$D<pQxM%xv^P+
zcar-Y2a3<MqUzLQV>uoghl6_6M;pZ-2A)(fForPgbi(duwGguFvylzHyl0KVlLJsW
zVw~eK8Ew5U0_4UNBpY?|5s#y(;mcHNJ^!?0J#r@72tnzc<Ga7oQt?Y@fIY@@Y*yL@
zc=1m}LCi2Rg5!)>XSp^Wk|oq|#c-gIW%Ik*tRLZcu>&aSJx{CqovG+vgEe{%XJOFr
z*i{8o*Sn2<-zcwsoi!ZnP4gi`z@hF-*ATl^jAAMdu0tHFTwUakU4d=RdSj#IFRs(?
z{S&JDX0_myZ>BznTnNqRs|ClYH^$6&trH-~T-hZ?zj`$D_p2ivHg`s%UrwliSQn$6
zS`W{_URj+WGfT0vYPHAUALx0A|2Jb$@6J@c+~-j5-xyVFN&%F)$GUbO#}3RVpb1QD
zJ?i@rb+c#y>vwd619{(UpanUtc27ZzeSn;&?Zw8PYRexx(-(U*&m*g6OW^35C)gGn
z;b26p#;rqQFXS00E!@IOwZX!@qS^S0%xIv-RT5~kX;T8nqWgj99=&e{ndrGUioNw;
zbS~}sxe>ny?+jr(*mNkVuebw+2vNU0<@A`TdMr)$xWbK*qtjr_+}ynmw?O(Z9FurC
z=^w=gY`mT0-BI(B>hX!F!@|U4pypK+;$@whDpeRw6^7dHuaf?R$OcR!*AT_eh)wla
zGeIz3B;(OEM$Xk`^(82F4`MQ{ut2lcxB<2P{uYi`SPW4l_XazateRv24$xTeBChPG
zL`%l+OoS2pOBLH^-ZF~yrmiNgt=MH-S0OpVh_BMHN0A`OI^MGS9^8`lxcQ}C=zto`
zykZpDWW;N8dV;f1NFX)D6L!NK+#Ec|x*u;mU_9<*sWn3Z3JBmHYJ@!=5OT;`!=hNH
z@qIJ#ICcUb@fE3xP=~~VpH$7qV}!jxnqfYLpYl?Ovq`n?LQ&|RJ{o=sAlB(nA3^sc
zA7+>i1W?f9Cs(lCs`*4mERg}=w#`R-5TZ@$8{)@rAu9h59~VPFd%JZO;uJiHV$5O1
zL6O`WlKG<~2EpHQR^>-wIf%0c|3N|i$o1-^{~>9HCNRIi{i$^}7gy5#tEgTD^y&Gb
zhH}(NQo|f*Gx@{&%4qx%w<S<C{r1nQuLB%gl0C-rMtFLT78r>~ffn${YdBU#7?&JH
z^wba7TEhsC2{glt(9|kz0}Lv%E<z4V-!o#3oD(Y~v+fmOLE?Gnk2Lr=1<y&$qh68y
z;e)qgt$u^Icgmk1q}gLpA<19Ler*U)Yf}j834;|UDy8p5Ki7~{F?OtOWwV3WYa+mA
z!*Vr_HP%LKEuwW0V|{)!gfXZowhzoq_YWZd>brxusW#IM@($^d7D{Za456ZGTo1*E
z!AUp52DlJ`PldBET%-kd)=qu_s%DGT4}{j<gS2%DQYrm__TiGvTHqY>)7tkiASk7o
zC>O-B0fA9xsLQc6m$VE*Z@o8Lr$WxK*>xGS4sr;=m1PlpI2F+!tyU-YdJvA6WyV6g
zT*TI_RC5YTwtq{4hmAr>-&DytEO{FxwZ%+@RqNrX(=xJM>t|K#a+G|UDv{Rrv$c<{
z%cS*!YO*mlU`eW)bU#)QED-+320WZ96dYF($1TL+QWR7I!PHb8L2wr8jKBaUp=d<1
z2x_K=80@YnO|8G$ZIq40GlUgx1MwhywRpgpY(#Ob`JTleek1&Vl0<B(R+iL&%v6;O
z67wpm*ndNj%%U|02yNb_f)wQAR{et4?E_f2u$LmQU)_Ru$4fGa_HqoP&A(LJc%J^7
zhmx<-RstE{lf}M$0+R8&GhJe84SY1{CNja?ft>`3{ia<rAJjlJZii^7Z;V0xPGcpC
z?%H4<2!RZ7G)SO9QB+v{1<zLN9PHslXQ@-CpS*u7geikEGlxpWUATq%6$<ARiL4~<
z1_DSN1RZuIC-{~15h1aA+*YGX<Xa6YQE;U8&$nw|fcF2TY8P46D&eu_sKh91hDwaJ
zf+|sNjaP}`)@YTOWZkF|mDaVASVgh2%2b;2XBDgTLZ;7E=|xPRs?yIeeXL5q#B^7c
zrf#$jO~=^c_u#^#+P>hMph=xckBm{AL-BYWswS1Cn1#0aCO;90e^XeBcglK-y0OOW
z<R&h7Dv%%+bE29N-j^J4vsAE4Q9<~w>`Y3Yp?`+Px<GrQ^`MGbGjm(Db%V3;wKtvz
z8~BxUaVcxu|Ax$JzyVNx8ffR&_<6uVhAVlNQH>8Hsh>cAZxpoK5KisPoycIs=!cF4
zj#2oHbvH(dNX4LhK9{-Q#<76=9dsk^Tzu$oR4ZTRewW}zfHPXjx}i7-m_BKl`%Qx1
z0yx1%6MsN7Lwp4%Ynl5E7H&Y{J5ng8HOsXuEKm1ZK#M>$Y%C{dIZvi)+^YdSO+h&w
zPTg8Sy91g!iGh8`*`|3-uDuP2#s46)yek*gU=iWkuLnzHw~;xWC$7RJ-W|q8tQ_n0
z1o{l)*J?klm^B?t20u1cnD}B_ip3hcdyLgmEY2Zlu7DKRmMvP2p)FbgFyBQ0I~11|
ztt5CAz@I3v;?km}1TO=4t$^EcY0+X9E<xclQkcf2MK1%|OZrXY(xQI?`UAFU;9VP+
z7Ezmh1!y{#+T@jHZ4|h2P>&$04HnECi(S=^U@{y4Zn^phboy{4>1P5u2}!(L%48*y
zxKEFy%&ZnDM~YLe;hu6>DAoewk>XsU?ri*voGht87T*+aN2`0|Aoyy<AT}lchl|b@
zFva}|hV;M>;IGp~@UgV|X?${jh>AOG=~Gb<g}#Mgcn*`Vf1%!L)U!uQG2|$@4wku7
zJ)SB(k||LNHM&&w)D*YX+Yc8^u_^jddObDgZS^*yo^$J?Z9b?!<nYAGKzCU5mxZQh
zX#pcN-O!-!-Sob55w;3V@5DD|k-HH&>Juma2S`48O?;r}<4=FLCbp*dBfgUWtv^je
ziMl1%)<0EvAH3w9qc7fM#7i1wmDo>PG9?(VcwA}wVF(Po#jYv;YiLb2=NMlIq5EOQ
zD?yw&C@1xOfF%BccKEOOIs9-#JH&sk!jE^<lYSNGKgy#o-b-~hEqBdN=tcQ4aDSEF
zwBO!Nwc9o>#NSo9Qlj=hj!=$oAq3$2-7pqtM%hQfw}=1d^uzYa^5G~iw-X3s9=W^{
z<&*3;k64~-#2?~1!j6wB(|$^7wb9x3zJ|=#tcGV$OVpx$;492ks{Baf?*pt{4x(J`
z4Zo;<N}<>f|7?Ap5Bp5{J;7RPbbiL;Up^D37jMHP=39LsbY4WEvzCQGfw(zq{jR;(
zNaHL-kK7EQ@!`~UtXIAuGQ_m-O%vi_XjNMcS5bnxA55hOwbzF`GDXWg3X%HEA6fvB
zpkPbx+{Bf#*3>ikY3-)HSnGQ~*Z6VR$U15209{|U)!<bms~i9%dh<q&+D*h?QnUcz
zGnWi^dGLM3AS9fZ8t05cR*%#PN?fUi16PV$KU=;;IX)kP8{4~#xUk$>0@#q)Lu^or
zt3kbe__Pql$lpHai2V3Sp=+<7v3h(5-g*{2$ScDRV=yNC7?_1OK;^5`4VHyIsR=v?
z;V@!cgr~%h^4r~g3Zb3DzXyTxaQ?yH1n1->9RzoJUx(n%$!MU0Ksld+YZ|yN@|1R;
zBh7!Tb<+|+9*Zi%tN3XW*VKOUQYiH;uD)RB5-Vx2t^{@Z61<{;Z<oYS51(G#JgvzJ
zPbQyM<&vk<RJwra->bC2^hlK^->ji3UCH!drlA7GpR$XQOX)i!enmcgD1GsRzsXYH
zV=-~FJw6*62S@Bzd*pZxeot(+d>+@FLyX9+$LC)SbIv5>^u@D>vTcJ@As3NkIsdBW
z&_d#u1{>xulHnm}a6XzaURw1KKC%OB*W=rYB^yxpL}Y{6{4Vhzq}B}@j{km(6Y9}d
z;8Q}^qmyv6t7=dI_%j@t3T&Z~yip|wB6*WamRjFIF&WFD+wq4<%0XwiR%4vnr~;e(
z2!+wL5itxZhFEkI+L>W4`dIXKq}PRCMH&zJT1RMAIbf*3RUQ~`b@^PwCmHg!;CP&-
zxYvaj0gT__gI5@Pi8!pO6F92qShNxvu=AZZ#tiqxhj~;BDu1+CQHR<MVSW*be`wAg
ztc%gyaYw9!+f-kH`Piq;xYpUHAz)uqK%e%UFQEM(chI3BqOhKa`cXY4=5ya2>oE?E
zmK!KjqFO*v9R?v=7bdqg`$1)dBW#Y?`mn;Cj*WGPYI9j5*dtWimkB+J6%Ulti>xp1
zqIk4eE71(owOGFF5zLCz1#WH#cX!4U!5c84=>=%VkHG3nI9o$8O;?rHH{mE`cm1|3
zd?c-6*0$!%t{b|pt}q{X0`>6700QezIK+U|y4#(ngjP6|FmA5SvR+CZA~q0)1HRnl
zSAaJ>;L8OB-`Dz#YX><~NOP#QZwA|_4{}jVQL=Ao<D)2NpZONQ{EBtcKhL@s-!r13
zLJlv1^v`n?^zPWeEPS67=cJ;bw}P2Q?8=mWZc6Fr-PWj;;C2lva9+^wOHH^#+m50)
z)l`&HD3VOH`Ktt}_1gA+&p%}$MtACwd}utr!g3HlC*;Cm_%5sSi%Nfg3O=%@r;*3A
zN@fY4VabPb5zf4g0$CiiA9YR0R057=k<YI{AxMaaIu-exvq3$MPe5)LwAA6&JggIa
z@m2Xa%EWsa>mcG3Y;$+`8(i*t!#Y&Y7Z!iOPt*Y|j~VB&X?zt`frz7ZDHf_Tsc?jf
zg16wxkl*}<CsKUzW~+4vyn9|kS{vxYi*eH@;A&ZE`Zu9MKn)a1R6lWW1>S3iB-#SA
zYOYPliD9mACxBzp>27i>A9*fkE=_-IQW1XB6oOEDCD+$HbVoQApX=&mkYpsKD^^})
zz1W1&sM61eBumGsQjb-QQoBH8DoLMW5R@7h#djhrJ>Ede<>z4xYJEP#_4yjP9qaKT
zi@4KPMVndlFp8Y7F+fgG$z-KdQ<Xxf<Xr{St=2?VeV5{s@^`$eP|zwerTp{Q03X^T
z@bBKrK#J4y*gH{4{gOzJe#GD2)F~{MPW%(w;ZLfJu8ztGV&4qkQ?oPShU1yMAE(~<
zz(?;P2wH6meu7KfpL@t|MsDO4MLjYBqAf0s7)t9$6k}D((h&E-o`dGJp99UvDy3ef
zWyL`A(R<wZ;MtY2{w@3(a4zq`&wNhZhyU<-cu|)|^77HS9;FFNt$~&QMiG7sLF7M%
zZ<*z2`0>>4E_{>JhhJXc!V%)II#j5U<^{jJ2pqV<zcdpa#QOsWXQpH`t^J2q)n{Cd
zPI2HKyuwsqy$YCr^xb*gC1`bJy!#=x@yBoP;dGzEXJp3d1h5q^*yULNg;PG>yvtFh
z#l%ljME*@v!}#j#J(v#b=_Y)~*5Qb4bApob;VWakar!i1*i{I~mCKA<{eVvnnV@Xj
zdqj{ghiWuAjZLONwuu4}w{L$BGSEVrra4mRO5~DPy5AY6E?VM;669)iDNIHM=Qdj_
zi{F4(Qd{&$m__)YW?Aw6doGI2Th$vzvUnaGoxWP&{8AHVe=Vi`HW;o0$vCpBcwSUW
zdt<=H=w^I08E-TU8C{?Fr*HH(`jYuUPCU%ayfP+gDltsZf7_L3Fi?1Dl5D7z)-<wl
zgNrBFSWm^Mc$mCfXOKs-a(HZ=et#hCYdx_g^6k7>tvFrxvLlLem{~ot2IGY3(3e1|
zX5+>oHLyR9kM+Um%Go1c(3n|llO0$mp%oNMEpSxDz*+OA@H2fHjHi6juGDPiyK#7n
z&{e#8#`Q+*d9egB;DwlEzHmB)v~bgvu~(6z;B<G>2J~v8OkU-tdPV$nw{<iq!ZGK9
z5i+pk3%<#HBGHKnpogbSu$=mVLAk!4GAIk9RlYCZ>TT0E@PFkruFYD}?=xoA5-l&i
z!))oZ`Fjnp3Kv04lvP*@VsVc&Q;&+BkFVkd0aeuPGd60l22SQvzFtWSh2}hCmO2~p
zQQ6F@Fh4yBrvo2!9(FRmEr{zE6=%THXsj^9PoP6Q#LxII^o7<XXsxWV>gQg7)z{0G
z0uQ{2l+{E-<(-E)i1x;kZnhjer})^z9^6hpFNHW-?_*)GD!(KHDQvr6nzHW_<?tAe
zFbx}}4Emor(%1@4IIgEW4k#rIznk$W3e@4{$56Dimw2Q3asb0$wtCg~5zKS)B$3cD
zLwKJ*d?;IwyuhI;gs_D70U=~IfcF`s4}ew>1a?n(niK@OhE~v@*8(-EDnmwp&(8x`
zN3&+K-IZq6ch=>AK(*~L%vnmGLVh7rF8JMlQkqnR%-Xj_)YU6g;LzMJOyRn9D3psy
zZSqu67Tt-rXP)N-$Y=tWIQr%lwF>4Zl-%w!G6P??7?~@P#}8FRe#c#vtRM9u%i`5D
z-!$3@Ip)KYcEcK0OZ3=)epiTnd=aV-`r}}Q%v`&gSQA;O^nYl3^Y|u<?SDLJ3ls!X
z6{RX_#j3@%C~B)#8rwn&EmQ%)i%S(m6unkSD6&W}4KzMRdR;-i%DrwV*DGEHN`a&W
zX#qFH4e`pVFd-t~Mp2=^_xsF~Ckcz6@8|P+{rX2U&zUo4&YU@OW<Qhg1V<f^ol9A{
zYA14zz66vlB|y0lvJ?FZZ-yS2C@n<sN`7z&3YW-RF(}@?2Trs)b==c&ZKA)#(LPKg
zVLBW&4}%iDfxeb$&$5|=_9zr)X;eg;DitWJ1TN!Uz%noa+NvIH(qkRZ<)$?F7&!*n
z^z8|2askId?uNh*;rDfMJKq7;-iXUTtN>TzM*$k5^*q#HvZcQU??>YpT>V_|sr<J>
zJuz(NK&oD*NaFyp#~}5@xebuu<aW?D?ARCD)Nz!w7|=|7I%?hrl1V{m_99K3iz7{p
z{t6K}Um|9K=fteifr$2?LGv`GuvKQv6<&7S0!l5|o#*o<_T6e&oPcoFf_RJ`NdW#w
zlL+Vu+p8oHD~ynQ(j*C2=f8qvnSF<{gKDxN{kZ6GL%IZ5mLV<F{v$<U#E!PiXtfpE
zva&EL;y+c6iqPXFo5*M!+9nn%<S;{s7;L&Z|HUsIznW(t6q*~p+sD4w<J(w3nFFd%
z=c}IumZM>vg`V0hutE*X(6A2#HeAEHYFIsB*iV*r7@U-;fj<ElDzwEIAMzO_=1)gD
z93xMK_kcnjOMdetE-MyCCL|@}x=UPMERM`raW=$Za5e@okYx5&)OVjUy9&gZODnuH
zR!9fcL5%S*NbrI)S8!=b4}5Su=~&dsiDz7V%TsWnYD<UFP4J=rY3tc-XW$e^dU0wN
zk6(Q)i%2~7fYzOQ?csH~dt|IGzl@E)a6S|h4fJ{Dz1;yBF5?~6DGoUqOIV3&|Cgwa
zCny?p*Nm2$(JHR~E0L6q8A<6NWiC^OC6dB1BPkw4x)}LSL~8I8A|d0QDjhq4u{DyE
z0y2|Il^RPb8F?on#V~Zz&A+-*G@0Z2@DJKfd<#(ILfAX8VsU%H@qS6*V{4liPHl<<
zD`dD`8u$V_jdi~dc?RT!b*Q2Ba8dYid0-F3jitSaOaixa;+mFSdsDVug_fZVILr}m
zMsja5VZ0Hyk58jUv6@j9yt6OXGY-hH)r@Gl)h{poM%&3{EWh0Od-UehG0ws&+>?l+
zxx~9h2i27*ly?didwQF`je|vWszPgd5#i3jdiUE{IL+A1{sGUibXH&9%J(!dZHUg&
z0_zJvv=N+VXqy?A57!4VW!GC8_kEAyvcC~4XBZ2*dt?0Lz7-pi?z=e;PWcUdEI9=Y
z+~(;R*F40egTv@9J?`c;_)Y4I-Lf|Vhf*?yp7Eo6VliWr8t@Cl?l+?$-M;}e9D5)D
zJsX|J{rXL6f{Y;Ck3^pvT?YxG$_9tL5RzU9*nqOY<Tz@Yz=>Sy<W{`86io13j{9ui
zfj`{GVs0(l<?YnOTYwL$Kkme8hhq7uH{uggzr?j#6XZ4s_Q!x(kHvgB;<JEX6EXCa
zuh;ms^c6F1HorDPCK6}xYYujV0xKhv!HG5Bp=W9=UKWhH2D6u3RFQsE>N4aRLI1+>
zekr038Sl#^S>;lvOM#Ry-sg<&)WO;y!!PvB7`YbE&cY>?cy_kVcf#HZmip~;3^lP)
zwaEpOt3f+V&<6meYfx7ZLLD>!(pf`NG-NIy85*(&$$;}TAekC+5D?bIQ_Ne}Cq~;k
zZaLz_{$ZsZBhARxkH81cXVGs`i;43B(<3s#Il341Y2Cj|SO1}OV*Fu@sqT*<w`j9!
z$L4(GQK1^wXOq5JhHGL;jzIr$O<!Y@{&6wnMEVyTnZ7BJjkNej;oqdMF-iaJ7;+;0
z4?d(+68Ue@vW@%`==wbY-8lcL`PH$cH_fDn6~}g3(vZjG!{~{;yXrc*D8_;%4=%N;
zew=vP*K@yDzN-)UZaL(;8(A^&g)oSqQoE{;(9O}qth+PYL!ofo6&EJO+pN^@Vt9jj
zBlO`1AAI1fKfCntZ0F*ajEfqa4THXaZ=iF@-aUKvL_4tm!;HG{*A}~bU!Zm0mQQxV
z{ZD?2dnZ1&H|<Obrag|Y|Ke8gzRiKwo@+l*c07X)FlrF@j@KeG%*ZWGJ5zxhOuH74
zHwoD)Xx9hR9tPw&Lbf&SObe{V^vu2-2b^nh9Vu!4D08ob{Zw`&dQNHd>+Nqe`oT-Z
zQ!7zoCp&ZFR&*!u71)S=z3WOc<LbG*ESUW%*ABe$?OTyomcNY-HpDdk3o^pAMsaut
zMZ&_OUK5D52i<Ye5gX~^&fc(5Jm=4Xw)7j7i65f`e7MKqnj=nN<wP@dJLHV0IRD<>
z<Ns0|h~m`&aMHA`oiX{840R(0vP1=&Sx$RR_M?pSO+F>l=3ZTDEX|&SZ|NXqR&{<1
zJGJ<fOj6|P6j7>QHA=F3eT}@&gT(k0<PNS#nU&z`xfXd~o3!_Gm4`9{7u!f*8AE$J
z?eL%Ow43jKqs(T3HQ&ZV8N#i4XAQY(%q04#2sKXZi?1!EK9#w**CT(t)HME>$g7y?
z==7Mptg<K87i-I?E`)}*^sBTZrFtFOY)q;ICC7B0laM47|H@9F=9rNWm?7sS0!0;q
zwHwI<3-NGyG6UDnY=%L(1&SuP?4KJ&qeNh3!Ixw&z`hDw^K;dn)j()*r7oEROgZ3>
zsRfrr)E9`s6MdacV2i71M?1vX7}s#*xb>i+USM2cW%wo%%)mbv9mF(!*G}<;A~6K6
z;5?$@ToB`dy@c}tR{$oPR}9n$BHD{GO7p*m5*kw=<dr$mZL#rTtbY_2e<JDFWyl(m
zvn}g_e;U3Xa;#J5v(sB1*@X|bTXm{*f)r+C5n!B;x$x2rwsjh5TU^11aCoadNx543
z=JJ<rw0UwX@C6=>!(mrnQ=WNv3pV6Yki#}khTe{fpZj(hSE<TRm^dxlD8eXpQo0lS
zxfv=7pc8Af*(7aD$`0j87RA|!$5mzcf>N`FfiIx+)+oJ0Std#*QLxH+KzV>t;>WId
zadwXT9=QL*nuV9>XjWH^%^r6{023?h7i)_n%FeS$otL|CfPXy>j-X9{=0x9*GsPbx
zO#-GK5ujaQ8BBdc5n+Khn^Yfo!x-C}8!8THyA$I#T(ljRgZ&65$<g|a2ln8UvmI|Q
zv)<u)F$D{~7pWm@DT@+Y2^?7Wc43JjwJ4_)2<3PYF2|^VfF?iyLo?L-Ky+gDR%i=h
zB*Ss_$rr(Nt#UPOX-Df7nA{1%00+fajqCluBZo>q-d~yHGZ~uUriDmbU2y{rLsIT0
zc%?cU5Dc&iOHrx}nm(g`7L|P$`&?sOp<J<0AEOy_W$;{174YjAf^Va!(5UF`U+00_
z|7=(r+>hF%&W2j>DygX#@%5|lO&DXT8zkYljPU(3C|1q*HpW$kXXwvG{CuaD3_h<R
zuK=P885_r#?MILF<MgS|GNDAlLph)zN^MNd>$S_dlx9{hb~z<ZU4-5k_a1KY9e^Y7
zXHj6^0UYo9Mgn*yHUNC?3a3uO8x(q)`o{+pNKx#&e{gbEn%V)N({~`vQS&BJK%Hor
zxdw~t4KHIk)|Dzxf54BN5P_gwq~QuqNK^BW)+nlwh+uC&(hGgWrK_1bt|Zuddh~T|
z(D(o!)&}AI?{KO<Z#;2#b-l@{@y??F>x_dFvecD;7pDpk{Q_2p3sGEc9^obPzwgCA
zoJ)}r1`;b>fqAn)1GguaAsQ3Fm{VO>@WE^qK@VgMuE0^@9;54mS5pL-Ut6A`w?h_c
zC2;b`R#a~`iYBloNEo_uW&(bduvi=r{HFweLbdoq6suy48^wE|_o6`_sq95Kcr6m`
zZ1$f;c}Ni}b%rVi!Q#|$qau6~_lN|lOafh1CJR(F;Rscdss2E>hd5SA<OCXr*!vg#
zv=iSDR;{pX{|asVlFs<oVk^C&ZxK#}<w|ugWw&W8W3;ySV^;uxu12$pC0e5-w`qGj
zUH?SJV<M?ja!YZVMK7s9uX5B%AyXpY^=2t2XQrz+O}K#M$_F}~Oq`Tok*S=F^Zh==
z1BZ)KOm5jxu}i_|a7ZKz2>SfdK@MxQw^ww}!MC^x!O@M=dkr?ks0*bdR|@~|TL|0f
zEe&=D=hBs_*~@i_WRcl@S<Ei}Rvc)P<;JG1?V5IUcBKx5mMmEn69gR}s$-!%CHa4N
zK4C_lvs}JiIZod$yJrT+UV0oNj)>y+P0yd(S73(w3H!HVEKRP}HsgK(Bd{AdWgf@p
zL)!2L%S&e{j|!s5f!)*go%rF14$#LQ93<i%YH&zVissv~sD0DN?eOMgO0O1I{uknB
zBb`rans$ihh2*|a9RK%Pw{P5p5rMVI_Q)CdT+Hy#gN?W9P+oSksc(4^0=H6A&cH{s
zr!PVpF5ISy84C3n06gu5<8o8F3#OU`kl_<D#uKC=!!akeFf+=6?vyNbN)uWtX8Gv9
z_NfmCv8Tc-iqs!0ne0=~K`Qc5j0}H(2IBw%YS#wFi-Q+Dg%C_0&-hlUIW5ADUZBHG
zX&bUO<BWI6f#xUzv{E=k!opY$)?c9Ba)eY&ih8tBXvAFI;`)@Fs8MO4MK;hWPtkg<
z_A)zT-dvJM6@!Bw#NmG&-=(;|qo2rLiULWxQj7=#O~L_1mpxGK1gHz}%Z_Idd$LTI
zU2+rY=wa(0VNl1w+AboDsZ_kaz>ek>+b5M^DE97&*0UGNp=Ym9&%$qOCF_j*$Q|A%
zv0rqyO_kw0yh6wA0d~X*wMfvvxV}7q&XoF6k*qI#-vbY?ihpNZdngXTan0|hl6)XD
zjQhrvqJvJoZ#c_+PqWAuDzjbJ#t042g$N<@Hs#VFZDKU&GJu?hhk9i$%AN&?QH0Ac
zgNK_MH3bSaDkW2`hD}2+7+4OGOhJ*H#!#q}2imkll}qtGm>0FFf1uB|l&PXPm~AQ(
z`%jk|jOmtD*HET+@U8n+m!<A60_Mae30+m!A>TkF=NNYIb%+6ojfdsDK;R?Ft32>C
zr(t;ZWgp~}S(aKo+~|wBR~eoGhJ(jbpyf_uYBn6P^Ikf9|5#oF(GN<N7|N+rQ9|)N
zW_ZSkM5$=>YMmm?^}`UyQxJIvN~zaVg55tv81u;Y7gN}n#bG|Zu{5<hQ@cFkNKl=_
zo&s~x;`}}1OK`;qW~Ml>7hlf6kf3cmR&_KLc)!UMPH?Iy4J1j;fc;h_Xjo{*X~D9T
z%;<~Y7sl$6USH!q<_*w-gn1o?j!%J^wWY=|ncRU1#fgA3|JLkkyx8_04mx06CRX%F
zS${n*5VvQ>BCA!S|LLq8=<UHaWQf%~5P^L3$&Tn{G5Hq<ek#U8pqRVrQs*R;+J<p9
zlcSuD>GY7oVnYJ&qnN<^$<X(mkXFjfg0kFd_)@E|S<$&{ZE^b@n=Fd3@p{h(P&y7!
z(M|SRJ)+mTNEFQ~p}lb!$a$3v0~0Rr8R7Y;HU0jt+OY%`Xvox0kYS{9+2dgm=K~$Z
z{u%=zGj`r)e5$t@WnanXd@(@ci6zYKNYxE@x|p}6LXl-kR|`a7rQvz1Joo8Nak{+{
z9oru%o-eR%tdN9%(eGqDhBq67^Xl=f@6GYy>(mmaN6%D};T}dxI6v(ph4<`oG`$#E
z8#2V?XaRfP>X)A(7L3C`gwzp5a+q=OygQ<ERo{I&`q)-$SS{vSCa!9I1L=VeyAM{{
z7JVWve!brNGiu@1bp3#$aWV7pFiHFY#V?xhiT+hi+?K-<SKf^&*5I^hyExc%1()y#
z{>SAxMO6!vAA3oW<996loBbtPv+#urK_zU4c&iLXCmorU8trjbFcbR$AIduXc4s|m
z89b!H6m!0L^;%p5Q*XXPM&8SaZwO%FCQ+Yc{PxS>5dCDr&|-z)d5}@Bz=bT<M=HT;
zosc~NUt{osA!cH@Mi&^29EMK7FV>Eq@(RY_ECg$HFb6@MZg8&4kO32CP;wYy4p3@~
zChMm(r|73NAHsGRgn;>0BUFC@l?XX=oCOsR0LG^_d#$6zeIH+V81tVR<yDPxIe`oP
z?`q(G1z0P`RWY2*ax5y$to6MOsIh>Wpsr{X^aThbn+sU<7GE}g_=n(4u^^`XwZ1I?
z;;H7=U@e8zt5Hw>y~}7&ZJv`{!AVo4l4w;Tosj`0>@v!;T)}ZuVe<Qqz&;H;ATjzh
z=p(c|u249quk)V~&woZNf9_&zZSDDGa3*th1-{f-C+>IC@Wbju*J3+6?*4fC3u9Jp
z+u?NpxNH12+8u+r8WxVPT4F;F8z@)`^Q}zD-!T4k$D*Nlj}p`$*eXZm*{syNi=g=H
zv|o1gZst6M@3&$-b_NW6pwXN>FNfcbc099y+1m#xWb+;Fxv6!1(Z*zZIv1bT`>wyA
zowS=!u@%$d9sSIGKzZL)Och3IXCjxo6xr4-t1D&}yfOYD`o*9p2Xg0Aon!HZAbi$@
zx&l>=(BGZq8*iBo(BIl|#x?q*D<X4<e3AY}SG66avh)|;>IyMe1@lGHS%DuAnW{gs
z5ebL&GHHnHMz18jV7xx#?~!7A!kkU)li5Uw-6O9v{NW0|z{<gjD7MwuRXb%BH`)i9
zQ9AMqT0AVF@I+nkf*LG(z|k1CSTRXT{d6m5*1pYCF`-FGAJQ%j)j5OJiRZ(|{{=2q
zi}P0nnjUDtF*36%o6*r?qfLDaWe079;oS4mcox0ZF_UTAZGTYAyH$4<Y0)vVJI5#Q
z)8*;&<ncn{`^Ow{==J}t=y)(T7>FS(D_o`#%V_7+EcAmoK=iUG$42cxBDhTJ%0@;1
zw>%w-JYf0J2^B)PkteZpCG7}M+3v@TgWu+RqwUZ|{{QmcDBg#AjFtjtlr#GKu3l|}
z7X&Od;Q3MvM1yrSju;w1{+J9(t>LguX{IUxyYk6WfKiwU{Aa%;_j}u)h26C(s5(y3
zZ79Nw%sOvM@wN1$GGe_vmp{!j@_CpZUJjIe*|6PdZ=R9E`vRf0kYURVE?Bo?iWzC<
zErRA56%46e7?_C*P278{Ov}Il{V4G4JiYA-`gjPk*|!rA{Or;{-}A>skKt%uAn9vl
zeh4-D3du*ak9QXU=M@0{wfJ}efPc-tp&El15AY?I0Al+H0c@kmm3Gh1*tfCD>l{`b
z9B5}RCw5CNx@J1__d9|HD3*_0-QP%CGcedy29@5t3*FVe-6{Qp#mA?^g7(~38Z664
zPkQy5=<#}f>M|rBZ~leuj!v!&=C^vH1B0WEZ!H_SF?<g$>&SCWrN#wV>HOiRS3Lva
zY!RNG{gWU`=7nA<y&hq9lZj*Eq~rsG*&8epj+#Ee2Rqb9^k25c7b1DjrobxCZH|TI
zcJKbt4(W=#Q&MbJe#;@#{>D8U(nI%yDK@peeb`_e{zjz6ZCO?*c@SpeBh(e%{o@@q
ztR>N>@OT!9@|WT`YJNg6{8}<l9-A=BIY!Dkc>`Xxg%t~8ItCx1`ew+CpHrbNEPJF)
z`X%VAcmI8!pfLWFNnoKcUc4c_87uaXR_2kI3~i*B0oo5;sG9SkqM>aju!9Lai9lrn
zf4oK)e+=lO_+Z84WgK`R2M#~inQ@>EGWrEb&8c>2Vv*~CU@~{WlIlaIRG$;Fo-yXV
zV_iHxd>4L;LgJE?mYkmoXOhW`38~q~#%C8VOSfTvu-11azBQ4r&DGzY7;?+G#K>wu
zLZ!F!^~&9<hh*%Y5%QUw947#Wf2<Ucmk>-skDG)x!!Bw<UO>W2$X}-zf1XTT@_(@8
zMHiYyA4bHLMC@Q8R%paof>>oDUS#Gm*~+6kAfa8R@I3`u_&(t+E6w8VR}?P%0W%PN
zlqPefDWx<Z_cx#kKI3~D2}~3A;8#nB=LRT-W2_A4k<=$7)jr0n!(R*<Cb@Hy$zc+K
z106APe??+Fjw)Dv+Sw5B&d^%1pXynNl`j^xMf#gr&Z6-}>DnTBfP@0blAQeQYAIul
z7nL7+_0kdnPBwvK34F@Lyi)`HEFknIu8IozkksW?4qup%Yzy)pAx6Pj$z1*n0c$Q_
z*72#y@t;}oH9CG<cU{Ukx|Hu)@uSQf>CaA=@_InRUsAAfJK%pAGByP}1HpuPqF`;7
z7N4lIb0a%As1D_BlT(`|R(8LjV4>$t!3?}gi*N^}b+#$Od=t11KotBulX07-^gCp!
z3qB8&D7^icWNF4{0}|du#x0HT<d{tVez-QITTE9n;de<19sXzIs`N8TJTM3&Cl3LX
z8&`0p?>6v>0VvilJlISsc=%MhQ-WXfouNw2Y6V!u`Ifs7(U1)avJM!Yg-8V_&vdb&
zx{wC?i|Wft4M(ZbHCxhxT5lx6Y1b~A#5qSGaXd(r2fi1g<vo9P;@*{AEdxDSAy{eN
zz3dDEp`T1~Z_3xL@-Z;eQp71Z-m99Tt<e)e#4A*RqTba#0*!6iD{cF=nm>!VtQPN;
z(2$m*-WMR5*+O;G?4jXj10LNDgtHj<27xmf_zZz82Hr>DGzOL<a4G|f5jdBD`Jt%E
z;?<hPnwx3L_nN?S1?VXU&$J{F4CmXzC+|Z&AA?Wb@7_x*<>}Y#%b<bP{H17n{xB4T
zin12xtaM4L014SafZ){_?jY$9P-n}O`x>Z$|D2p;7JOI6^zKq54reoW9G^FHA0oM5
z)a=V+?mF9Jm`O)7lTkX8+mMNLh<uw8nUp7Ia=MktN055>Qf3lY<x!%_o&gDMk2W&X
zQsdc36gtt&@y9DzEcaufeWnz*2*5KKEYS8w>|_DuUyKuJS}Zp*(|l$c?<NN8Os_m7
z(=02~Y-W1U%wtMC4|X7tzaP+f47Kw31(gsk`hUtJ$I7D-i9+qof}I@CgR+sQ7FdqG
zSd-D^_#5*mXCCoh>`q;dfeGcH;mWo0xQTfjZ|1S!auMG1sG>KzX+3Dvjd~I)Qrn;N
zk%0L=Xytn{^Bux`EyL;QCYq72N4utG?1ePKHxVx`=V5}^tJ&uSM<(8C;DLi2lLNDZ
z+K=*U4qn&s>B;e5S@8kpGn)Byv^4cp=Hu{h0-)J<Z9K1=iF;oXPY(a>aT8dA;J~2U
zGJ)6dLf0)2lQw~lnl+L|i@K69m^6nx?NS=N*B*KhWGSgzFVpttVadD*ncK?Gzep^Y
z6Lv_oF=@c(LPV)?IhF^D1Gp*EqOL$XrVr1PTNwVi;MHY3K|F}3<4KtOO!yX7braHS
z$;{;XoKf(@iAilZY{lP)cx$k-s<#+`zRf<eWRHx2c|qd0kr?lABpCFmNKYe;$R`mQ
z%0i|v(qk;LnL68QGuuKP@3P`sf6@i%ivyvW(d~eQr%>$i@z4#Tst!Mv;n2^TL+fTA
zXF+xq1u<BDoB*20S6({dwl1$?V+z07fumfw8^b%;Vwinf`yiILvm;ZP&BM&bY7yGw
zqnVXIIjbR(l^0q0TKiP@15xIot$lBn!6<m5D{o~imfPKPbU7<gO}bPWW;t(xhke~7
z52D0Kb+b;@2ib+z>s04isWuP?)tqCcS_Mcrki@p<a+BqmM`HOy5F^Xifn^q4vpkJt
z>XOLlM+mh|c*qj63QBs16xotv#HpE|bAl9En9ux9s{UT6jxO?PCi7$W#EN{3PIb3V
z#l9jmT&KFiO0@$;WsxtlQhg3c_!;sVH~js~BF|1PGH1tjwE@Hmc$2I8Mk+y{rk(8*
z3vcR2WD4p2opj?ir%IQ9m|1@DrJ^1Iy@1TdweX6`qEYbD@w&c|QD~MfM%AUU!e^Pq
z`0MUi;g2;TH(8KBP{i<SWFT&g^x(`>n#4dyVStMOnt>HeI6qk;rD845(rW^ywR{eE
zlx5_H7!v_Pi~@CBk`-8dNsR5gNO>VC#~Yuv*Tb59bjM&)b`oz%GG0=D((F^1S(u9(
z97JHk$&m_-S-myo_#L7EH-Aay=6s8ruNe>ids_Uj1|;0beB*U?nXWUp^kYf+a$Iqw
ze0`*{CYj2Ono8l}RLHhDT~6Y@z~s)@6_f7yCged2ax!!Jj5)=tSj%&aUgk07xfdl2
zf0Kmg&cG1tcJCDXU7nj{c_3y4^H415cd(pUZlKp`#rl|C#^Gwy#gG^`&+xnvc5qhO
zquU_h{f?ySUXvTE?upDc1v6CB?JbsT9RBxFUAjwr5g`K?7t^u%=cwt5ud96D;>%I9
z9z2u<?@b96KsX$>kJcH>W&G91o1N6Pgh{{0=j)1%cbK*mPm0*fdwwsYb3IfK>?_43
zv$E88)+1hZ26q^+^DteYMINUNv{%Cbq$cdX2;TQ5*pZDSmGT0)G|(42O-!IJl;lg8
zl^%3Hjmp4LDZH*V6tjZ^51q~dzDNsOe>lGairD9bcbJvFop#Sw_-%pHeelatc@e2g
zFbR-S+)U#-1+w8)?{xJx3djq@=(4e1bpWD3s_$@=fX5-(f4lfDjl+LB5^H`h)?&iG
z8icqN_~_NmE`8L6$P2r8D*6)pbnc;nilgQ^VBxBDYngqU%6J))#lZ^{7ORFJdL<&&
zPNrlH{S!r{F34iaXUqydrY)-x#9a=`@M~Oq&|T0ZLX3h9UCi;^cCp~|P-tzzN9g#5
z<aoo1zY6iVd)*2ePXi}ZrwQC`A)F!vx;%);h8|#5gb*GBG<65qtH&g>E%HlLxEKN?
znICH+XIn%**YUj(pFH?T0g5^J=*H}~qy1p;5fwppNn@s*ndwZ|!$PY)@f6>6Mv8Qu
z*J7m5CB6%J*&+KSRK<X(K6VDMkJ_w?krq;hNEzq8jjNN9);}--6g1kS7HJ&_*!12e
zVd`pKJ7zkEe<hM&4txjlKU5~yvCI%jTVxCB2uOuTK)S#}S}I5drxK|h8gXpBX6FU5
z;ykM{_8+4wc#kgb8peZ*w#Y=rV`1H8JVRx3`L2Y*@e->sD64sfw%{|k^2EPhjluiz
zWUTL?ef$6y7k*{X<-QXQq=RGnzhDvIGH1EXz0J2j)$<i};$dXlz|mDGYlqa#buq@w
zHG40~qL?=lu|E-!wJlr;Y*iAg6B8Hj*y6O~TR`xJWf2^n#N~q{GqkZckiR!9>*5ao
za57`e;98k9jCsIx`NEtR0(Bj}jAvLZ-*0wzN8fKL4*xd6m`dCBPXrO+xjdG_eLF&&
z-q}3E8#oz6*<S4g^~sA!u_j{aRjW@ngvt#4PbOs8z)7p8JVrw(c&@=GXLGg&&ip(V
z_iFTpMc$Z*U>52PbJ7l8-_e9PDFbWoA*zAXIB<|n4#sE>TF;Ad@J~)*ePQ;oNPQW;
zdNuwkRcN>B)Q-p8P=CJt?E(_x@Sh31Koi_7MY<uR*ZI9+E!i5rTON~a4c{9?jlI?p
zH8#kqu{jDg_Jkz{?zvj~pWuem5^!In(~f1@cx}&TZ4a~3Zo&N65Vp{BcpgA%U2F2v
zJbc%ohWsNzsDV2Tkp~cp?SB|ujw9s~i>p24>VPGh8KB(2g;w!+Bf5%5G69V6pT#fz
zZTbtzs?LlujQ%aYpMuiAo}QG?aOU%rmCqTVhWe=?5|?D8lGM<iu_|iQ24EE9D=cPh
zBvN4!*#IQX>`XG3aK6O1+g^V>T6>|lEv>q9p<^L3OFK}BwJCl7p@F+lc#^g_N3Z9~
zd4mHuKQTj^I2J%I@Ab7@3aLTnY$xI*1m_p9&wz({{&f!6pY}T)px|8|V;NJaX8<((
z>{PKq4HA74<>9A6EDmgwb0$sO(nw0(K{AF!p~u2O(IEg7=f6T4)wt)rjEPhq!CFQI
zQI|3tT&BR2Y8e8?f>UzTv9FWNGJ5(_#{<DTh0Y7nPiCrAe2zee#$En>XUFwG@BekM
z+Gk|Lxsaf>A7=XhZEv-nNJCOQ>>K<k3XvutiBs!YXl9WofQEg>$aCA0&iiQ8r%6vQ
zM?~&UqDT80UIhYb9hhwBMnioT{)I2VKYeR5l82(i&I@pVQnk>K;0otef}=7KAKpV6
zkAX&b2%xHlp{$(<O=M^|LsbmTVrVo&>lwO9@S+G^&rk(JE{19ux`v@qq}Q9FwS=9=
zknMYfvKY!`=p=?J8S2c?15A;^&|Jb=Vfey|p&uB^+J(@!4Al~E14F|JTZ_<$@GJx)
zD-o3aH7W0xY;W=M=8&?K_XVbv@;=GXT2gt0p^P68@-igl9nX-I_a26_SdQBnlJX8`
zNXk2qq1oiBm?0ObT**)!L%9sCXXqS;vUVfXouNvGj%R2-L+K3J_8@fdEQDMP{mhU^
zawkI~$;}LjB)?!tB>4eDwM?;`A(3f4Lz@ZvH$#Pc5qg;+k@K?*iJa>g5;;$2XcqA%
zGb9p!fT2fOwlNHe#BX6}E%Am3-j4|NXJ`yVg$y+^bU8z>GVKKn*?vN(2ScnZmB~;c
zVaGBwfuS^p<}>tL4}=s$dl<_48KLbARWkHnhGsFej-mAotzszS7lc9#y~BLpWvGI%
zHyEmAXbwUn!i@+<o<dOcMb2MZXK>`HCh<W+&)@-e-EEj2e1^+$xYGXE82|+P9V`p>
zO?NK-2-)Cixn|tFE9S^sFDS^9b$sum=0{kb@Ml0WCu;(12MVRwS1-?B>-j)jrG~k}
zqwYZQUEJ%a$=2iaYk^pfEr%R^--C;Rz2<OFV}}ZCO6XtY@YqhA!^R=D%FSG7a|W6n
zkMU@f)4sAeKRWdrrn%!+Gs<%>Nj(iaD43pG^vP$>4NmXUY&~SC;W7yCFQ+>l3yZU}
zoOl~J!yaNUfdi0Nr&S;0Sl9>;aVyzNsCiES8S|IS=m~niZwlP~p#8O}X}_aPI8K4v
z3JKfcR{v_@m7;Tseqq6JtllVi$_@iqh~5<=@Vih~(S^<sXtqWF?KEn#8)3hFDg}M(
zc%0<bB6AsekuqTLh9So*kv{l9?>YdK5=O?Epy>>8rl5L3=8+Ky#jQE+gPZ3X<T50B
zxjM+A%y_L9Kh1r!?B<!NzHlHtIwy1!py~~rbK>E+6`07OHZ;)x48~%d>W69}B%UxF
z2{cT>`^3*F;!38v5U0aku}jF9hpO*!XfDuLX5WlS9e3&>z4(ny=ow1%pbaI;CT-}5
zEnJ5ToZ6%Bt(4T7r1NQVyvG=X1AWyv@;4R7tW@M_l7S-(i$B$zCCsIapr?nE52vr%
zfpR@`s4ej<h}3tmZw_AXz{#KK>}p+s4wfg)ewCIR&3<Ey>8!Lszbe3F<PhjL0ckkx
zgqO`#ND3F4NAa-PFB9%GNxin;$p~=)zqa2g2o*}`RD`(DUfZubLR@05?ROfo;V^(_
zayWW#>Bq4Vvg((`(>?JT*YcT~qf$?&x=gB6zn#XwlHm}p`ay?z#6fM9aO~E94bcOe
zMnv8RIAJ_R{gGqWa<GaWGUr2K77&M|#_-^=mz<R05>Bb_>PDOU^5&XUg0R)}?uuFj
zT&cZ$zhO>3ZjAd}&WwD^?Jy0FnpYSX?2Oy)`8H1&C}u(%r$=CX?-^i;Q_7-BM-A#&
z`w!yHLh21xZ{XiN-96O1^n5QOZSL=J&~$>_N+>g4jxy)6)RCyOtCczlq<C)JkOQ<l
zxCvhsJJ9A8>8RJ9<kG}$HI*U(QO~@XzXqPmUeWCHf*8tk1<qoUF8^41ai9SWTXY~h
z(IY`U?Z`{WQf8~s1&QNR+;@Tdh)*d-RdFtsl8{~X1EbNB?j4PrZxbAgb_Gi?(7UHF
z755e4sq&j>7tu@Kid;SjiFZ~~kvP{pSPQXYsYOoMB7hcw<1jQ{2xKvkg#h#!w=&hb
zJ6O2)a^a?{!}$4Ziadl1?eR)+@GUDsyh)Q-|GfWT+K>at7!7Y~rFs>{3tmKPrc>RG
zDV6G%MygMX+O;0P0F+`$V6O?gYm|n;q^NI9*a8z)iZuJfOuLEJ;s=8H4$sQb;JLH<
z2;aDJz*EvC6>2`daKP{vcnW4-Zy(f5oFhyOMU$1M$A49;z=U^7rmeO(+kvMO(O&qb
zEpEhgws|g!oQLmtd%+-_x{Q}+aY3*pw=6Y#{pjNSd$Kz_rrUv7inj_(Y4asqkv0Mu
z48T;w&n^O)2xw^|U`l%wc*S~+Nxr$}L`vCS7I^t{X%c}?;dT(00y?lBk?Mazxj!hE
z2HGQSd0=~4s;BaQPvQ!Ypeo?f?Zw{7*$&J;<<PH|g)0bOh1y?r3EeWo|J*)#uw^rL
zZ%ly@^uOjj%gWZ_=YID8S-3lHr$!YN{+3OLQYc7h!f(>G9(yVp-GMeKT~0zL9j|X{
z?R-=Pl5g3c4f}(;So$TEXAYp%1|P)+@kgK#n{R-6PW-UCc&}ki{@)eje9e0eGY98z
z<XNbBzy1`>wk-Q4@~-Wj(WMuXBs{*Dfn=%x1&*8!eqn_qp64WVKRSu!IV~oT$W90x
zNS#R}*FsuPQ`L%`^<v{nAko^y<%O9sbQFHUVqSaUDkeC!qTx+aKjRV7oK)co_G@z$
z9Bi}O#$SvFY1`Tk$Y(p-_zV}{*2A3kTza&p-EJvD&y{Yo{GZ5oiuH}d%o!LT2Y?B0
z0wY#f=Xs5ORao+HpW$mw^PH#d_#K7;7tS`R5xTbZa{;64)PVhriGCZiYv})5QRJRh
zk>^5g%cvvDhH^*2R$_T+?Rc#wc8zpumRcMXBbOyz3wjZ?DwFo*G;|0n+*7d<FM}xc
z0HAn-3Leh&;ymryK%AT*ljn5PL)}|$1rEEk75XxB=smEdlV6JDi!<>FQwJM@HS~>e
zP;9ghbl`aRvXi(}71N4@^Q)n(tQdv8$OH@^Uz`aim`3sgFi!&R2H}A0_lyOb)y5N{
zK37tLMwcIdg_uqQ16qCFW(98qQ%t=OczRL%K_Dmf59k}<3tyijUxG;dG3R|kh231>
zbJbxcKxeL?)A#m;-UA)nJ+Uye%N6vbxtg};x;kz|OW^f28EEK2M#doxMmFr0)h#So
zvxysBmz2Nmom_kq)c1WBR;99RZuq~Rfr4NyYzjs?`rZy!bxs65+}42?#kq*2PbjX*
zc$c2$C9*TH(Y>Y2_}4cy&}FIjR`x>Ce^6tw)<UDvAC&Ocjicrk1iVvDv3UyF$9Tr$
zW(Cgv<4$OC;78tu(G9H}-4RTS3nm&RxZyr}0&@5VNLpOX^kc+<`OpI1QW8n=fY@f#
z75Q@oYQ9;Ec&yYynlcp0vZ~(HYpe!*j2gmp;uO?P_<Pn?T~}6QLC0URu^ICeNz1vC
z(65Yq2NFT#_diQyrWM)YAR?beWCXjjZFS*He4C7^KAK=X(m<^fh>h07UOXbPQWC==
zk604LQ<og=jfZK`DuktLviUF)<9(;~G-Eed`jvsm(nNpL@53U)NgU--YQO;<ztHza
zU~bIafNv18)+c4OvdmTpNkT7w9x4}4aNP{mf08+l;zbi2(*7NKPzS1*D0cVa7fbV{
zn0s+Fz$?DF<$-_wH-p*1FR&Vl0}u29k&A&1hmQ&?Yvu6W9e?C<9QYIrM(@GuTv|fp
z4Tvl?-u*92fv74`bSfZOQMD{0`SDkw^drgx_hc8EHv(5!hNwNRNS7INDlsULm#?>h
zRHz3ki|zCB<7K{c39M@#;CwpNmVShnI6uM}V{Jxa<GxUiN#dvDbUiI0-HS}%MiU6D
zYzy@^fvZhm6M=aq@Ldx~AFiRRP2h_rup5DeCh!px2>)?Z$Vop^xweK{buU<U0;&}%
z(-ye_|KR_MZ-Ev-mu#huzVG45#X^3yVM~RYB4J1M_3{47lt2b0kRh*R>-BmQo<(?8
zWQ$fA-5*h6g@hMIR>$GY<&5#GB!@oZ*URtJ@p-VF$TolN_`dqJ0+ft?oU8lC`Wq7B
z6b))xloy!*g3|91>=n=*%p<<uD)>T$_%1}k7LVQwTYMgpXj`21JKD(gmSnCLqBV$)
zxzh;oR6SjtWy$8|KBz+h%&@IGt5#m+jpx^#N(D%`Uyc3mJsd`bDv$}x$@{1tsQ`A^
zraw!XalQ;|%#y7my!e$DDn@m(Yg^)=-ne^(`kR0^1mL-_xx|(dn?@z%H|?Pc)@Jo)
z#6$h9XI~2*02_Sptxoe%6yqbhG|Apee}jwIvWg`)eO$&HRZ@IxP2WsSs}N3ht1RKf
zAupbB+YaZ}?P!KiW>*OMI`{SAyMSu0XMOS0tM2Q<4-lYFcL3n1`7e@rue=uTB22Uo
zan#%aGEmy)-PyL#X3glcP(-b<9{{(Mvp3i#jHzeL!8h*jjBMxh{sDg`pWqWA?4Jw~
zDqXyw(!f1xUCWh!pqB4Jv7=S-`U(v(3p4mw-9BlhLpPhiYfRw3N#r&Y*i(S+p`klW
zK&Hm>F9Q}tU|%N3AnAA<>qAQ+3+$F0u)8Pom1Ou^d9ty%c9ai#!`jjPPQ3n>VX|e5
zaMMe-tI}x)sP67%62Q*yyHMZPen7!)AWxKfIGqK1A|@t%gLoOUjqudF**;B8kO?>X
zY41c{xcD35ol7Ol8`<uRf-;ci3A=hN{L@gyTKIzyuY3B)MF_^m?;Jm3!fh(b<#In6
zlWh!HC$(!XO2ZiL2bGD@AYfO+3x_ImVp*mLsty!PJB^_>70}VAITj9XS3A^&pVUr+
zJJb#>)$%dNwcuYjn?vT$&{ui3hm3Fn4R1~}Dkv5RK#%<LQ9Uv!^mC0y`>etJQ{7k8
z>mE;gh;8xmCe*;9!Nq04xeTiE=`=Jr+5vx)82Gw^OL%91g<6466lxGawI*l}q{&s%
z_dNNyhKeo_%mg;*OTY5OD26I7!!@DID6G2MuBP2%vkm_X3z=}=lAq3{7=80mht1MU
zagA-k_o$W@IBZ41@YirU{^`o+Vu<!Hqv}x5=v&F-ZJ8g~3f)u3mn1xG{Q@-??&Z!-
zc-H!56LuVrIeP17nV;A6YD~QUr|D(XPe-(SyZ*|mf0SSA^;dem7hj%LdOr|pwS9gZ
zK&*Utr@B(`o}n?U&}9tDLmS9nQ+;Z}cpEVluGC?}qnl%T3n5P150(lYH5@rsm+Q}r
z24UfJ{gu@qEMPiB)bs|j;7*|r*@B5t*pfMDA~3!KJ42mOak9=V_Sa?g4-Hx<P44$K
zj18zk3#G}uNcxusEtDqDtI<~*SfJ>OvDF*z)J&)a+}M6fWzc?VSzBa5uMJ)@Ef(<v
zBV5KimGZM>41QEs#FoWC^D+RE>MalaQkFW8_+>qJ@%YR=$6)+6?I7>jV<LhzTC`R6
zM4XGP?ZhTL0Bg-SrTYWNEg`R-o!rn7Gpb1(7xSqIxDP9gwO@0|&ILEwlrCIXRBG;@
zjFJg1;i(Cr!qlEitX09n_^Kdd-1V5HrR(wXPUJ-!r29|tBO;4{*8?t#fA3L4y^~J1
zxvMo#l&$zQfR9vc@TyhQa6)2iZkaJQuk8G>g)H`oD0V_ox%{;i^f=?mHs|kf4QzUs
z;aI;02|%ON{(X7=chy@6x(<F}r5LALgZ<HU+Rw>CL`A+s^R0_T2^_aKyCWC!8{Vun
zs58DJ-GOP2N5Z+f)IXB~4tnd+NW6c+_%c)lLDD*DbMyu%$ogzH<%?~AU`Y<H0MK4x
z5LE$L0J;f78O(6}O1@ID%*8!uSOETLlp<7=f0c&v$ApeC#9?lr2rK7$Yn?s;g8-7Q
ztk3ceV{H)@$%TAv5f;h)vPfQpMRLC^k{4l-+%JpdMOY;F%OZIZ7RmiwBnNL<YQ=8d
zUvfc2yKSeD{6_Kk+-6GAwA%pI?-f(|6%opQW7uulxaj+Ywbn@d_YD6RrcZ3B`+Vn8
zw$$icn7@TP(BU1?<~<K-MuXgu*UobvMLp<6?F@Gp5*&fSZsayLdAffz3dVv|XgDg(
zxs=0TbrmbliI8b;FvuGqi~K=(kx*}XRHLn{Pdaep1~wl){~tx&+1;J!NK~i88%jL3
zH-bA}cE{7p;S)*p5)Z{E`Kup_nfb4p{?dI}NFmLfU4?Q^Menq5$z!4xE7kEBxv)3D
z`mE!vm9mnI@pMvpYEV4AJvsfl{3E3w%=}@f)HsSne5P7s<@k6M-l76u;;13ndgLLS
z?Lw3mKA788564BMRS*UWt=o4C4!l5fTT-uv9#|cAp^b2GcO*D5TT%-T#}_#MCDMVY
z%;(WFxCqdhi_qyU#o40o`0Y%5)fa_<*Nt>&*6El<0;@P3Yx^twtHr##93?BjTgHeL
zb^PG~J;pzW4ak5a2l$UUY6i3oW(J)MxU}|v?dc)|I9wst{YYT9eT5oGp#~=u!mrNY
zDK!4va_kzcIRP_JmWtR~UjmIrSAQ!cX+}o3Xn3zic=)XD7-%!nmNEL!_XMO$cs-A@
z=6k5DB00Z+Z|wdQ3pYvj2c<(H=>kmsn+f$+z)J{@C=V8A7sI~7vlLovLs}b7hZKTU
z7`~!3+A=T=`qfM(#bU0J36r6yX8nWm?`jz1A$vHH-K6@Hu&Z4y$bdhY3?=S&==CHl
z9Z1U4fQ&8@X>UZ@vf#M1WlX5rks=vgsrYWTDbuz|*kFf5ujDD%O==H5$sev}V<Yu$
zuAw+_jto5?{9}!zj}<J8JhdGDred>w_z!9{E)cm-Tgi;Dd6c03XkW4%`<u(Cg88hS
z0}Rf~f)7Hp^au)%y3<<;3`~=sp8H)rKbqD=O&3=kuec1jzpR>ow6p$iX(wi3DOl15
zXOb+Q-joq4xCr#aQCBnj8GA@x-j_a{g==BwCgNoVuk<N+gOXhf$ngi{@KYwVykn$K
zm{G}m5@@l%iWO%fXg!dH)K$ba!txWGE<b^g2HuZhZWSi5_oD}{%D^vnZK{y&{w(~W
zJoo3|7aLpm=i)aPzj^r0!*3ye3-Rm1uM58w_^rV2aQqI(ZzX;!@jC{;WAIyrU(`$K
z1XsW{0UjHW$F-pU_8#GFajO((zI+Ah`K65`gyC2?<5-kC(B#|vhi^;jr`sJ1XF34z
zZBOmEr&h<UYE&KUtJb#G&R~qoxFj-jz+wG4*6aJFd+R3v15=5Mh{)CZdM`u%Hb+eX
z0_s&a+@N!|f$c#oJ5@`letryxTV(3tWE|ei2A#$jPB-G*l8iG`<E)C|q!H&z;>h_|
z$?I#;yZMrrkt&acgDf>l%?Bo0T4(fGmeP|!6KTGb0o$KO{T!lC6LilfM8PgZRt$|S
zs!=);vr%{o!n1M4f3(uhNK)F9T!CS&F5~G|G8K3xrnC(<mVh311iNQ*U=^I51e&lQ
zAIoe6nt_yaS__dQKaZo$DWr%9R>k;6Z~pg9vbK_CE9UV2J{yMj`qV+pJ^`P_Qe8Fv
zy&As)h7S0Bj)+gusc#<;`UM)lPUAa{h%fSZSL1il`0F+PCb(HRjGr!%jTp?JbJp4!
z&H%3ZJWe^h&0dWB|7sN_{0jk}CIGsm0I)m(a4rFF#{u#B<#{FaaNJ_9|Msk6__LQb
zA%1A`%8YJKV`6%V(Z6%Fo9=&nO?Fqi^fa`L{l~f=FslB@Kj?`T=cjwNyGE{d(IM~V
z4la8W9>()snNk)^`*1UedWKlzf%+P-VrBuFb($WUqHli(N6klA`611Ho*ksQ)ituo
zbys6L+ig295=M`KE!VW&3!J|Fr@F5XtvaRH7VZvli8IZpL-T1|<C@l7gZ5CI|FQcL
z<l@_(?%9c<qVWx+JIIpm7-)v7W<C6jzBv*_$$G6uzgCWh@Co`I+*JWjESmvSch_o?
zEDH`QgbO^EEBN+%-HKrvn{cQ!(8yq55Y+jx32cXfnY5F%n`MF3a1$*(fft~->2xey
zbQzQhwkBVGUc3Z9WyV|7Xe?a4mMhS=dg;#>FV(-#^u}*tEp|L=%d(FHjXXh{d8LkC
z#8<(PI(&tR<^bC9K)Xt#@!c+_J^|pa0AHiQv`Yk^1n`OAh(1ja>%<Qr-2f>xF)$ri
zRII_6Bh0+k1Y;hssGkO7nlQ7-1fKzLe+|Z*VP=U5?g4PQ24i7oW?vJ0c4@FG9r>LO
zm`g{)HqR{8!7~vYpo3>2Sf+#72oBW2a}XSa;7^YGX41@q(z)e^3p1tU-fd88d9XGe
zh-G*oFsIz8wMls99<#<`)kScuy85HAm`s)hUMG~jOYLmdmt)~g*%^hkZ|hosT#IY}
z!HO%aeO)T9cDB@8?cZ2!wX=1F-;{kElCVaKYu}a%t6j|cs-3Mh;il~4YiF}UNxf_B
zY*reBs2Nt#Y}OXPyMc<XKzH`ZwX=1l-ISdPFl&z3-D_tTn%JiR%$g(kjM~|(ITAS)
zVAdSLJ!)sO<_JCwV5zy;tTaMSubs_`Vlb<AHtUDMGiztFei%Hfb~fvW!R*@EtRK=m
zo8RYvnpF5~))gV=*3M>KQId}10=kdx<X!AV+eFtXFEbe&HU!vnlm%IfvpCi%!w=Gx
z1?w_cU4dRQ{xarEUm?S=x1~SnxxWl<WDgyGbwbCXM@)e^pqr4Kyd))u!%01M!(OnZ
z1zAi_R1W%(H}a)<N=jG;m$}LLk`oLwTt*=hNgr5hT#H?*q%m9|K5By@JxcdCF{{+5
z69xj$P!aKEgVDmazo?}izp*cksWSG`ax^h=ZS|#CwnJ~~doM4xqM=^~A_Q~0I55)b
z7tDRF@qp9Y;Dy*wK?*Z<*wd@l!=AnYh#2*7J?-haznS(l`T}MOLx5=6fA7=`o2N&@
zAjyMOgAU$$A?i6f@;uBi`|-#~OzvTaBlFN-oAV6h_TiVvZK9Ri81{UN_nW!Nlt*UO
zaej^Jbm`ZmbLh1$nrW`f@DQBt$9_B3eV*a^BY&?aY7FX(UgulaNF2YU&o%U9%jpT9
zeV92f)339}>0>_DC&e=W*)*_c(|u6)csy?+O<T?$49C9QXBz#P(N1R63HKLfCG~EY
znqky|714zGkWt;)ckooVtAX9zVs>-&s92lzK8Mi><k>0Z?{%NR!+ovko~STc12j}P
zvtYcd9XqHM_3}T?ALmE<j=%$7VBw?UCK)L8-3O6kiWQqhCg9^fXBZJ}ZCFikorw?0
z#+znyb!_E)6Y))oha%1V<vSfG=G$y6Up;gc-ljSr>}5*M@?1tpv=vJ$@Wh9?@iV_3
zY?BlL**!zOfBre@{Zim-Et>;2RTG&cCyC=#ap+VUXbo?Ajr(IiVh`z=M#tk#Jy$tG
zjqJ|(Fz({xK`H!|U~rcy8H2~P<=TC??PhlAhhy-<sO(yW+uw3z4DM6OHdfei6pWD;
z4efH|@LX=QXlTzThhto9(dc=UT=-syxIGDXJqpH27RFge!Dxf979UHAU2+r*MGS6g
zg$s{@v6dJo5ToyrF=Uf)F()UZodGOd#Pr80m)u8}1Tvs8#XL#)H9j&e{R-!Se<aB>
z+oyAJE@_m2hTw;Cb$qTF-vA>>{0#G38f+{}(049DQ)T+h70!lJbueRvbMbRAs$nkG
zNQNQG1fg849ib5!1-YN11+CXDC=HKQOAGo7_((X<#d`ov;K4aGcrBgfV;>d%*MEX%
z>E`rhH&QmB6}=>0etP5lbvYc=ZAEUrHFjh;G=Uy3Me%)}iI`}az9O(%bEvAg*K2h>
zvZ}eC)v9`AHS=76GoR!E8>igoWRAWyDace<@l2=L)%^w9zs~2#>gc&dC<Q*j40|-L
zVLEEgN9Fj|qza)(FEr)4Fj-WivC1340r$4LKT|xD-mlBk^s~3VHEEg>*S})x?<|x$
ziS#}JwC>N;)YHS_uRZu{@2ELN_-n7Jax=6}&MJm0kEq0Mmo^(!M~wAUm~zZ;__-DB
zTa%&b=7X*@Ep;Dy%E)>6G%?dX<9ut<HP#8lqFhxevC{CV8&vfXa|18kkV*KFBgT4e
zH*+X-_&*e03Uw}TVlhohr?#R0jl6(Q6En**(zhl{WAUyc`WR{Ls)2|erenF)JbsSG
zryQmW|KrH{pJP(>dMdqZyqan+(qL)Soutu&G)`n079W{Lv8K^%_nhzjNVki~F09#0
znbldOv5}u-L3QQl$NVHU)sCNy_(ZdP@MAPv8%#ZB{N>oAm1Y|`2iddb`hRsF=UCJs
z&~)bB(fJ>_(>peg4qSo4V~`ZVJM6%L)kx?c(R`&3`*im~={<GNXSL_izJn?3^W3)}
zWOo;io_6q245s|7gzab*2hl3H@aQrcTA_SAQ<Brr2>^79n?dr>^CZB_;J6N6+}E3D
zON1l9Gd0{j5O1}Rf|`T$c$;V`%IyCr8>`Qu9F$t!2(WqLgy(%4WN-<3wb6gew~Q;X
zbme!WK}MfNZ`=>58+wDJ?u{!*<x)xx0%dQUFn-b7?((_>R^z5CDHFQk&sauZh!Z93
zI{u3PHL#2?5Na&U63+3u$z%M+ihd`R4N?1A4?1d&B?aFS4j3S}DJBBmZ`-Km?`vz@
zCrkc&!0j3$EOKXeB7u(BXjgRn=WG2#yFTJoq>g%f+lB$OtK(YuS-{&=ThkGAEE<Az
zO<S`NrZ)s@DIepT=E&VBWvqYV7DL-l4qNm|R53IGrSR8~DdQcM4Hv-N_ZUy)Fev5t
zgNny9B&L0WH1~f1X}XX`OS6{J{0=Ws$k--2UDE~LC&W9)!dp+gWidRtcqHRTp4{&g
z`3hxCkfeVhz9V-^zDfEznh%CON$0fW8Y`f!qnlKkZ!_K`)0&M7Yl-o|KQ{5(w*yMs
zma0LdJgp7-ECjuzmvA30b`B&{efc2Ibb3xe&w(9}nD2e?P>A8yrefozO2|vut1&yi
zO2Q7mht*!sp$N)=%><tdD4vijSb{gDrlgexJ*o8gAr}OqgA&>!{aoNw(-&;@j!7Vb
zje#%6>)#jgYvpjlk#f*SKza952>ewu{ssZxlj6++aG%U92;g4y>zJQJXT|Clm<Nb?
zsm45mm;`VWVk$5rV^N+2eu3ZdR^X>5;1j?d>OsW6>M;CF;(t0pWO^T2%OPO70NmY7
zj~p990_{u^tyB)kVG|Z<VGJg$$p+)gLv<s?29`z-!fOO4@8~sY!!m&zucpXs52`t)
zFDwr8=PkhbU^((UXeYG)BiBD__Wz;&k&jh7a*6Ut_3!7jzYGuF%g=%=`FS&gm5GLs
z9vxt|AG~8iUUMm$4q%k!|Cr^+?=$$da>`-SLvwQYacT}S+ZYxCqjdp94+=<er~se`
z!6`H~Apy=o4Md+Y^GDKw#5`YPb^~T7VhV6PFvYCEzHAKNM!ZywcLwl|A)WvS67O0n
zKwSPC!xM@BDRdb!#p?qb!%q>gTmbIzAb^eT4Iu$`AptuGSm}dPU^_R2gvM^<8QEqk
z$8x=5Jz`aoa$FGkbLE(fb#&d1H-_hvjjJ?Y=aR3L1e~Y&x&VARn6m&q%=s?n9Gr42
zp_2AiLI(>!8^fEJco%d6w`SmEe@X_?1eiy(3rw`#L~D+t9Y-_)9!E62akw#@RtdBh
z<7n8L+z=ArPVg7mh~A$ZpFp$;akLYNCcqU$TV$g3Alh|tw5~)G;PXVQGtqL1cAiGV
zZt|2&EVBbqz=Hvf+-V}N!qimR<A_-rQNT<exyD57LyGI6z7Ps2=4eC#GkxSl6R|%L
z--;vVYD57uedK!%hEU?6M4TQ+%+rVhX8Onq6LBOFZ;m4tYD57uedJjaaTp8JJC5km
zhyrH%$o(ebJ*0R{9I-+p3Yh65E)#Jw5w}9q%u)~6hyrH%$QdT$V?<mWN37I{0%rQi
zuP|{e^&BGB#SzD7L;*8><U<p20TJ(vBUWid0W*C>-1~y!8X{g3N1UJ$1<dr3NhZZj
zL_AR=p6UuNW4EbsCFUyP4l;3f5jTQ{iGmZCBSnoXF%IIMW#axu++}gxIty1~wjn06
z4^s&izx{2%{aYM&mW3-Zi-`NaiQApHcf@h$Shx~n5cfqB_hRDa$8qOcxDs<KamSgs
z*All&9CyBjD>0W6x1WhyO582?iyUAfmo);HElJ=fLjwY`o)GC~;twPK+i`p@M-X4&
z5lAiIUj<NP2S#U<$6dsq7RTRg;tQPm5b&=j{vs29BJr<_<L@!?1s)K5Mf@2i{v*Uc
zQ{!X(Q(R_k2nlqAV7C(cMicuvV*gYnr9DkoH$fahoQ5_YkXsp%^G)o35qqV^hNqAX
zAp$shunXl(bZ?P1jHX%6CgRQ(Tt`g@5!Qwff$Yvdfy4uTc88IVfv@|qBlhPVgu?$c
zp6hjQLNCk1P>1!h9MAd3AO`(;h5RfSE<bO&h%WtkMXWzx#+4r}jW1b@<G}<w^WW~#
zzsvD!b?T=x{o$QD_U}awLf~(>B!nLH6$)k(DS8Fq?hXYjwDOXeR}m9^Jl4-eh&)&$
zpP@M-i1jlCP<c1q>Tf~3h2z1qlJE&)9hDRR^2Gib`1?u!r@sn!GQMknI{;e+;66jt
zN9QW=PEyU4U|1fxrAYSOjnW$hb&W|~`E9s`@n_?_x5wISb(%0api2B3c}AW=Piu`o
zV*0?lKC+gJb5d#_YWnEoJ7b;<?|Xp!RT6agCmgAIJdLHnn(R76l?Rt**UIm^*<Shm
zSGFV(jTp#!C<RItqBOt9Q9yPu%hE?!di=hP-&lqnfchu;AnB*+QiwiuBf%;GxV!5-
z2x1jK3uyG2#QN>dAxM!%HuZrZ*6+Q5n$s{n-=eaeMdBwU;S)rG7Z6_`8;#>%O#E$7
zZ}b8uCse<{k70^-qSu?$!7)<t&xDdHehhqg{aMA=-^DSU&M#KKtX%UPf2QgtdH+xC
z-3c;Q1DtpyflGT|j~KM~Rr0f-UVh%3OY}q9`z*k;=zCKDJ<N9A3E8lE*P*OdcE>RN
z(c8Na_y-g)*4_(9u}%PJ?=YGKuy#LyI0ODUAQx}%#Y7&dk<TD90j%8@1$jP@Be-RZ
zF?Jz1+ZY}|{7Vz?31IEsC-{xThgVSxe=zY=HGaHz5GeHlm+_c_6JeJ7lsi#Wqu`yT
zNp)O<TX}z0$Dbh;`8#6$UV)Z!^!6K@pWg-&mcU;FONR+u>X(Z-oS(_h0xn9G1>cl4
zt3&E{Gf3$A9ZmsUYc|{SSU!~V$I%Jd<sB(I-0u{bYzzy5CMZU%e*aF2^93OGTv>TZ
z%om7>*Y9ma_Gx5}F7{Z+67xD@lIr&$M_Pm9_^lSc#5_p+#QMFP^v@D}JztwZ!10>E
zL&%UTa9R=)lScx3VRf;-gIJptD}+vA?58sO*`&JMA<FP-Ly|I7fBomm(1KJ6>lF`6
z`O%ypy&NiVkbnmS;J!#RMi5p0c|apWk-G*nDVvR-;A@1bjp1jQ{8F7f(OwCB1Tnjs
zn6DDEqhP`%f>h>)5P@thPACM%BPf03Tg+<yWIR$0mHD6b_aCDY6zZiTDU=?Mh{i6f
zlAi_ax}d+q@pGts;sFpXg?CwuhfTe`8`)5QFG<X<_mQ%T>#q>7>rzPn^ByVgK?{J%
zm+^>|m&BX|)VThBNaPh7nflA6GR>I8L=cmtzw3$rL>#}u!k3uE#81@UZNwib_*#E=
z5pcaGFka_G5cOj+6aRwhHT6r!k^<G_7RG)lmA^?{cf08B&P7SOyJY>J>+Uflsk>rl
z_mPeFq02G7Jq8O}szCtmzw4X{qB4C8Xyj(*%+a@wv(iV35%DMb)lKJd)b&d}z;U8H
zrmbxDPk>DACHdbw{I49T>OJrB3I=f46Uxtmdii;CK7O>O$v6kq=><eHoC+6O>J%_T
z{YtrA|E{?$L9LHsCyPuwDFkLiF=KYJ*WHj<tpG&NYOTB^=HG~k>)9z3?+A@dJ*%^j
zC1x68lJx8(;-4SKpJm}o%yq<1)U%U`|2ygz+{wCDcLH__z)d?j*CHS>86*(5lXI+C
zA@n2CS$6WfTSeC%T9Bk`gTDB4U3;-I$xgOQVfi(GVkgfgfBiLorkx~+?ZD04<93os
z*#K@PIA$kLBR%T#A>%rMUrNlFoxFmWTW%+&wv$>P2&Qs(Ag-c~6#rw`V#Yr6Qfu*C
zzx8cQr!5PPkqOX6<h)J@x+hbc-i3g~kH#jIk2^bM{+DP)Jmm(q2E>;_&2mgp^>F%u
z9`W~YHDuh`q)|m7<2TRzt%PQxDrcI+-0;F=?HtF(o9u2bBQvR*8H}$ssdMAZ{40We
z3>;*Q*%RXTBmSqFcpn08Bw)D!+<i%4`z=;!2K)p9bb(;bBN00bv9kLtb_Dm4;@Dkq
zHAx;rBiWH8J67k@lYqMj_>0abm-##tPx%tgEk#zErfqZ_J`V?+B5w+OV|W}1oU93O
zm0cCY5&23_gl>AmlYxco)E=lGTyF<9xldGG<A^t6!6z~Th{|!ZX!YFxXsxbCI_zma
zh`|AAZ$Ydc5(2j^G8O+v*U6-<*Dig6VQQu-!!9`wY^x$2$Wd47K(6Yg19>V(2MX00
zI^a?#=|F|*q65QKnhsQ|-`5JkG3rMhs8SIfn4mUGV2Kxsq(0N(T83BYa2>--b(jlM
zYQ7H7VfbYop3Cqo9iGqdqX_HweQ|*I4DMh08UYXNq`xvef~&>?Az$7TuHNP{mN2r{
zE;Uq=t-=SAWl;|d-`b>fmr6QfNIFI$-D#4JYeDgJoADLT@Ar?HA2B2yBa!YqKn<V5
zM?Bpge8tnPkaWb5bc{s0HzgfchvMmM_QZ6Cq$7r;V<ggf04+A2OUG9U+y|Uv&EHYZ
zjHL7fBs~!&JtL9+GD-hLrlen&oIWcl{V|fBh?1U>NdL=6%-_h7^sAH8=O(3pADH>`
zh$!h9iS!EqMQyP=Q?KiAA;W*yVHd-H)8Pt+{W?6H;Rg{eHhh%`<0&0?4|9LqHwJ*X
zyaxj-e;$z}Uq&L|0!^n1U#gc5Phj|L9riMOvJTfW+(n1$7`E&1EQWu<!_&r+ISA58
zgx0UQ_=@NMDKPTq5kvB4B=TRzbnnb(x?f}I>XXtvC+UbG=@^N0ex@@TnQnC~-KwN?
zBPAU%BpoA>uAJ$fSj%+lV(Hc=r8{5J5kt~366sC^6!o(iU#g=HD~1nzAn-j5@73W}
zhQHHc8~POWl@6yf{GkqKFx;fWnG7$`;Vgz<N7(S?Ac)$;?Orc*o$WOjkhna3z=9qD
zCVVnd-KVMKF+5U-3mG1!!|dVI03EJixQ`AGXZTVbu4MRJ9UjB*sXAQ6utSHv45#XF
zEyMfX7b(;+9Mxftebgo$p2P5`Iy{%*79F0?@Dd%aXZS50Ze;i+9bSd7?nWbj1EelE
zs3TRt_UUGQ{;gLd9Do65{E521`(!r`iE2>wPd}|lyt=R31>Y1m2I2<QZ+F|vjJ{QP
zch&}i30?}6I$!eSAw1+A$H(L}0T(wl#HoQ=97iuS@gJMTD$`j^pTlrsN}cTCc(Ua4
zHQ4z3&BVVOMD}XdtnB*7(-p_gmrl*$L7H~zbP?L5JpGlSzg+q&MSl&~Uq7#5l}#F>
zzqaeI3Hocjd@ZRZ-$J%U1Ef#_SV(|x$y{LIbjy4q`j*t|uSfLPDt>vY08eLqd2T=`
zM?zO4lqaDc2)P(?cShr?KuG-yE^^SBkBGd4fY=dvJ6=7B&*)nAcS~}KSHtgx@}0qN
zH@}~kZ+2a36u%#q??!$P!FS}2gmIOzglwy;3GWk!!>ejbzf5YBc8|)30K`3NzYNF1
ziqzU+xVcf$u67u%eN?2>4$Hz1F2{Ihfrr{*XBtoIcMWjlq#p_w;u8oq$5Z{z;tkK<
z-aMQ8Vz^w*1I^}s+4kCgxH&ML53ttu!_AKAe0sIE-?=z^m2h4HXNUl{d0OHL@jgPz
zQPO(gu8?OnyVSgn!!$W4p+0o8nFFyZXh8iQl$8z2JpYn#ehJAWFV^{m>a0GfR0tcH
z!#!3VDLwvoOvlb=)%!6@^Vb6As2RcrYAj(%nebe-^O`syP?D=t{Q@yds*)T>O&f%T
zBsP+kB#U$s0R&14b&};)k~~Mv8#+m=l}n9IA^`aA)JbMqNnDPap*l&rmCJQHi2wp6
zl{(2yR+8b48X5vH#wQOnW2fsR0tl2;=_Ea^Bx4*k|Ar8dB+E>4j*1q<0Rg|)lG{(K
zViK6(z8NWU%oIJ<Vx2+&Sc<h$G{sW*+3?&QV-9oR59J9#HVR&N4M+RN+=04v16kak
zMK>T?*f9#GGCGgZL#^l~h?epg1(l4pG5T^V8ZQh!ArdkQoQz&O3enwS(UFPN9^(lS
zyHRikG3F5CmliYo$Z(Azb!ikFcoi5`#Q4<0;Pww_h{hNNUlXH{7;jq`T{VX2o>8!v
z7#YNvX<__`!M)gXIAEJj?+@|idmMx5V0l-DCsotovg(07bF{)^b#DUO?uAsPZ_y5J
z@Cf^Epa|7?`-}Oe6$d|M#+`ZP{%_qEyNvq^U4ge~@pvMt8hnX%%UIk!0=Kd0;aXlq
zns+s(X2wVtpNrB-$5yxk^H!NjueOrXY`L=%lU5-qxsAKDrakNO`YUMKX8>C_?K!AG
z=Q2pFP2>~(5LPpRe;mPv)5784^LO|4Ml}v8!oTkJ%gxmAh(V)F?<vPO#|l9Mi&L7?
zum=o>XOc>mrUk>GjaOj^qIg!yk{_Ja!fjj~lAw5wnhy{Nb-0W3^c|{g#X*QXu+mYp
zfb3?NU}b?f5`3}={=@?JBayRBaDxT*5`3Nse#ruVMIw17_)!bY6ICIn3HDgv0@1B5
zqh3xDVk3mOjHXcyfEXf~2$}Qe77>sw3+HtCPZ^l=>bllq;w^?yWhcCfZc7tE;@VLJ
zYkEgZKj4t`XG;2=xcrike%8^`A9G0hEi8TIBgyH9A3gp1?<Mp94@ti!Ien&;zSpkE
zG5Vthh$!Hp@|cuF4_?74-$<tQ0oQ4)`&EafzbZNXiJ{87lhZ$n^w9cu{+U!^)OxM-
z&w_v)ERvRsD+f;Tt#Cj&mmj2W1z&4M^@x(1Z}Cu>2Th^1<M{G$U#P|6R2D}b{O%9$
zjpqGd@8r``FT}2Z_)h%2gS+3p70AEMy+b`fMjfFcr{RLQZS=mh3R_3ddJxs_6=Lln
z+&_u5`<3V>;Y&O+ny88Ahk1bZRCYGFD!vydmO1i>ROg`qYWsAU|BC=`AtlHY_u`;I
z$X?e^y?n*v5B;V!zyJZqpHJ-dH8S^zJq)am`By;<EyeIK8Bs4lgre*#>D%HflRsLE
z&#r**uvde;wTqa6D7X4|6YvAOaS!Rq6>3WuA244gaZ`VSGWtzOGZASdfrXn`J~%Gm
zQ3^cr1-CLhcB{V|@tVQr-%U`Wy~Dj=I*^HchGj7B|LO5fFq{UU*h>~)Eu?@KE+b}O
zg_;Xo$(){MRzMO7@<o31I>7w)*m-RD(Eb7XwiF1q!H$Jb6BD;JJmtQvcF#~;0?dV~
zKz@#z52<U$FkC&9O=bviWGWb3_>_SpxbvTj2a(po=)NL&gY#U*1gw|+pbCJM<WK0=
z>D`ec!`%neG3al^`A3p9FnAk|o)1SZ|AOGK97Gqo42A(>Ow7reIqpMz7L#9b#N=5=
zPj2cZ{8YvHO6+f9{!RXn9vQQzmg!WIfkj0w@6;YB;^R=PQe4_Z&&-{Pb*`8<8?1k^
zhlbPR<53$KR2zMC8Zw8B-0(vmT$Tx1(w5YJsDUPwQw$A#9?(*FszIkT*9)jTD0l^$
zI^O1RXP?P6>94S!$aUrW0R_bhrp<ud>5cd1We4FlTqmCpOP&ctCftKa7!ceO3bAht
zF3Vt21SM$?#5&>aJPT#~2oVgQgYYRpX!cVz$U`x%1^Zd)@?Z$7xB>PBtHzzpw0`0{
zv1ya3_=;(*pGsOzd6gUg-pnwcNTlE4&|vA@cB@%Sr3KZDA#j)p^l6}<lk8?c{WYa9
zhiuH(2IIpUBu6RDezq>*6?Nmk1s@ueQffS1i!T>1blr;{KrS50?L+hW)e6VsjXhU5
zLSNHq@c?2xK-1R+<c@@K7Knv!CPs&&VBAQI&bZEGzBDVBypnR+jg;Y0q|yE;G+3JO
z-NZQY$Qb@cV0eSX>l%3qqK}OOgQ4RA6D4Bp;=P>SFe8Hnqc~QB?II;8DD8?CsofN5
z&6@xx$<lL@{!G=rEUo@eL+z2jTXa|t_Q)>DsL*6BE%KWTMPuKcBRkD+j{ly^HWjK}
zLm4=27Jbszjc?Cn*}{3FVT`9iAtV1uqMIK1XPnM$pp)PPHXUh}$PmcIgbxZLTG(aB
z0WYzgsJsTme__Q(o|Sm3F{n(&@73{I)ESZU;`tK4p$8Z@r>5x1b-rt%vJpEFaopoQ
zAi<Acs1{uHYSi&{OAx<>$3KmNmk}SDpAb2Yk?$drwG;3EFdlG;|EHfq6IiQDxq1?m
zH3`XHy?==SXjgRq5GWa=77~aFpXrWFP2Yt~gG;C(f&?Fz>Js3L#@!jy^O^Ke?puIG
zvm;n7C27)&x_}udNlz_FLu_3<Hp7<2h|cO<A~YhB4;M<(Qpa2G(NVkVEK%lXE>O7A
zASh~YFEiEiF_4LtslJFs%{e40OD%~-y?jVio|+SjntMo8q4LL~<{uK}Qg_Fq-aRC$
zLJf*V)gKZyT=kZyGRIq+>AdQWN^?#j=XFX0ZJc(M27Z;%%9t|aEmn`qm_a)a`^Wv_
zEO<+xblvFNZpzLnvq#H~*K#EOTlcX}@6^*^dmn;;(NmQgZ{?8yET{iD1WJt=F8OZc
zBNGmPAA$AFkfBa-Har%62VHS;wuF79#XVtDfB}tYX3iOEN4+^Lf}8!zkOd;REosA!
z7W%K^?C#qCx)5Mzf=<qKoVxE<u`qDo_);#?;mr_q7yh?Eoo3yCPy*jN{1>BS!tOs9
z@Lf%_eH{BMq~IHj@-7x$PJpwwjM89uIMQJU&Ftw_2Q+%*+a2BLm{=z&?hguqwMn^f
zSt`0o&u_?Msqs*z`V@;r=0^sKFhnf}0N5eA+LR4?HJ=c8e}lw}vt4j6C%3TTbo7|<
z5sOfmLI!Gu8gIftj}lj-g;Muy5-KF2hr}Gh&T66WR>f9|m1OxcCIE7tD|k~o+z|r0
zIX{C0Tux(ZCa0*Y;LuM$M!d?kZy#h%ZH)>1l8Z@wDki|FVPFdabvA}@91svUL~4r~
z>)cnJ8H@b+BJ>822$x={0(#^bG<c=PGt^0BMO`eT9u#K}SLZA`*j5Hw!^<$z`|4e+
z=ewz}Vj4<YBqfOmaWxyHrBhD<`Eui}EE2>3AP2-n@9mp7G+BpQ<0#}2ki%3PWQfQ=
zxPC^3vs}4Io~zknQ*Z^ZPG!<(%%p>mG$w-FUh6=D$o$jNn1!!cfm6YimTOsHvyP^n
ziA8^VArf&Uax1bfGw#XGL-Q*H0+`OjPygW6=a&VxtL~EZ4)xhPI%{!mkBo^L&$upu
z@*|)et5Bsgrdf<-JeC<tgQ($hO_?z&yAbWW0w~Cu8i%aU;=t-33uH2)ZcNB}GqNUX
zJnK0Lv>j&FE+Z{FrXe(wvAlO*AR1C38Zs9Vi5jvFk!JI(xec5}Zi8g%v_5ZA?z0gK
z-N-Esc2A3pl}@b7rY8=Y)2jEuHAckUG3kUuRnR%CKcnwJc@+&4wZP|UXEqgYJ6Z|e
zD*HQ_D6AbT_ti0ME;Q}w$J(Ca2y-l9Szu)ee74{;b7|mnJ}dE(kU5AT$lL%j<$*{!
zYCZtBr5o_f1g3SxaG#W}8XPQV(#6Jv`BLn>Woh6KG2WPnbSO67x(UKE7FFVZv9V|r
zeq6?jRro10Cg5R?R#)l_inH8)pbYK;Qs1IJ_~GMFZ1HVqS$Nz)pNRJV>hR~909GAe
zAoO!VnHX%e0*H;jdjJd??z=eaquXh^pN74(0r76T-dMqFPkKXU?{TnJEBs#%|BL%J
zj_Z1W$%3mN&$iX4Zz;ko7ym+dyvYV{nrm_FAO&g#IpoCWDKN3(kJ9vhcxXO`cMjAp
zI#aJx{3`RxG|y6*2$Tg5s<$!R=e*>0&Q_3rci4HlF?XV5lpIQ0!+t@ERBAk$-3VZ>
zb^0YGSO%0YPj!Y35d<gv&@)wWU>^yLK`@r4%-;6@(e^Ijbyd~gcUF>Kc5gdC(TWAS
zC2Ffhx}-=W1+wVc&5oo{rE(EOj$nlYLWP9l0U<RBWVySwN2@O?YE{k=rLU*wSfSS1
zX6N2}(i>@^7mBoNH@#oeYu?{~uC<f2dd~N~-}8KEy4RZ5F~=Npj4{U?W3I50YHWc_
zv)whTRMnC~F#_1iMf~8mRmn@KF3Cicb>129-DMqo7|^KlfX>bKQ%$F3$%l(eQ!fk*
z6qKn5PTq!?H$JoI-%J9#;TnCffv;f|lojzsEi8?^nj0EuYS}v4J@W4rzs$Bbq4N)-
zW8=nFn)+WmRF*&V^C58L4;qe)+#pNnFj+FmE>x~ughKtE{Bh)$rY2q)RR5t0yg`9r
zJmd>oCQn?pT-h)7)(`GU{@#CRd$_Q00Yyb<)u;O)?_brv$SsR!*o2(#9Ajx>c8dMS
zS<fM^tLvy5v^s%SGyiG&VzSHiy{}+$y%uLyvjj_mYrIDI<6=A^??!ws_1txwSdzgi
z<qKMeQ9%5Q#dGw5XhUB?%iI0{yuI_OYksrc7gBQBAK58E%GV2kOGubL=YjzQofxYW
zSTz*(dw5rtUUpHZFFtC{kdWDBxK=gLp*X!j7yg}sL#Sazt@vJHPVhynuWX&fc&1M9
zXELyC_UmLXeS{oShU{YhZnFC>f=~1rhGf999|gmhK`+^I+5O3~wL#uA13@rznLB}!
zjno5l)#t-aIbUZZBDU+7EC3&)Xc_-9?yqiRVzFif_g5!o?VZZI{~iq*(@q|5h#QPz
z32aG^?KV1KQ~77;pgTne9|sF&1uPp!2Yx5GmPRvaCos%vR9ih3b?8`GwP70-C`;S@
z&*GjYBYH)9<+C5jDSupPPhX~mMA}d7x<7w{4q)3y60aLJz1<&uOOQ+438M)Ue}i9^
zs_^}8lepXeW>2xto0RST%|u9<GSy!qCHQa?y>+mc4yuk03-<p=wy_VW;3G;-4lU4d
z&p(*>D>>c%32>F+OA5kg_`SbU#nYHA8B#3Ju8~FFw8DXq`VhZ{4Yk2;rk@6fW(#(k
z{7)U$c(&<mp=xiyEgSOTRKexbfswFUYuHUz42)}mK1Oz;>f6O|vkdD+u8PZpwz*rE
z?|IOCvLfFsp_YWT&3}x{<5k*|=SQofn%dM4#Td+I>JIo<4-9+~#h1k<&i-D$H{a&U
z`ELK4*>;<w)pwb8hXh{|RJ+6bw!57fLu3n>$BxT(Q*Nw334q)i0$Dwhk;+nwW=Z#)
z{>v92jV$i#sc_R^&CHkXIln$%v)3-6+zke9Lfm+~8+kHIBT80`f_W*x@`vN}p7&+5
z&-pxt8OfhZg)+t#V{F-rA$smG;A>P5Phllb03m@8kw$mGpUd48LV5<b5I9gylJ6x_
zG$;~QIHv(WO2KgKGw_?1I8dZVhRelOPh&2H$2}7c{GT;+BcFqDg8)A<NTa_0E4`z>
zJeXyTkgG1c89tw4{4gZ>?e9X8x>YP#ft_MTkIdH!Jm5RO<IEC@4~~06IZ>9ZNC?bV
zUpEA3h-88`UeI7(1*3-7w)m6D?V%FU8>p1{38`cN<|$!P*Z&DQZ@oriW&*0^l}H~C
zsE^`4eQcm;(8tuUkDZ{urw`ft=wnB3AHRXZ)W;{oKAxhFOpMk8d1g>h?r5C%kh6#Y
z$L`EHGdGo>Bd1S(5&44BRynvtcV=L3IdE9yorlALoX_|l1@z8e8@ue#4=KNw%PkO>
z>!+b5hn}nb`>J~wSLaLF^NQZ7TBovX^TMg>P%}#@t0DaOw*v8m|2=-qg|eBi8F7hy
ztY@l!aDM%P4^#j7u>PH4{o7QZ`~JE!9}VlDPtV{IjY`O91QDWz%ts6^STq6M7aO{V
zAi{FG&rkE2xj!h^3s3Gp82f%mPUC4tPMhy=WPWaBWijm!ZGQ;_pdp0_xLXMLt7w!W
z-I;Pzu+MmZt>T3}#V2UI-wWHHPWu|g{ptsv*`2vA?57vLubyB30oA`PtpBmF{uQc^
zTH2jChScw^`!UtMs;BQ-)x9{ZyXW7i!--0FCLQc@PQFOt^TmSyKC~u8{8fc1+nt#k
z6khcY3NI32nnF(mg?{@F3jHu_@ljgT&>!q+`LpMN{;2B4dO;VK?+WW)qdJB>`co&+
z(>c%J`-8@ecnl?g4bo|w@1t%&^{@2*@V7t+{Xxr9yJ2&UOX`mUd0&jEFnshUAdwBb
zzB69^bET#JI3k-bN%k%Bbw)Icyz?Yk&DSZ`!vgA6mG6BFP9)>BTctkaQ82hPnU5i*
zN^J(*bILPQl5xJU6SB|?WQOkh4I5>rbEP=^-pZ_%r~#o_zBf|=wnO`hWbf{Tx7Giz
zJ)!J9kjQ%sn@;Zg!Pxfz7yT7WGlk!4Y3NwyZnR&f;W?<M^Jl&GSR>1Km*VaH)t>gs
z^2%xNzd~I8v~PP-p=m2rq2T~yY0ntOkel5Zsha_u#`$0zU|)#c4>PC2?r;&AtnNYi
zfSz<yNI1^q(9c&x8F$iqAS)J#sBhE)pb+-%V12Vr$Ee%|>-5r|a;Q3ej=SgFp~!{x
zpm<cm+vz|5BambE>WfFwk^lUw2DrJ*LE|WWltJ#S!>dkO6$9+$nW>b{em^Ml!`q+^
zzArfqa^%|qsjmzSJ_0Zp=>`>r`}!t-Fv=P?ROX{5Y6hC`O+@x{j+UvSoa&>0_1IVW
ztR{E!Egc2rU=NsrJz&<}1TP|Q4(CSo9?jJZr&T2_t^{uFR(~^3zwFVs`wxR3QQj2q
zUCadz2KW7Cd{|+WzEH`f9nTex^WXmi^=CESP2*Wo3+`h*4<4z60><@LVwEU0@Qe<C
zlZhe+AgbRkcPmd@6(7q2qKuN?Xd`sU?1cbfk1&IN`@c<}YT&#+H3AKRGNuu~<Co`G
zH}kI+uAzm_C19<Weg$vbHuh;_-_TKd`8Qp!snpxV#OP`?*ab|&&z*`XrW&5$(Vaek
zR`EH$Z!<6laLlo}*6t;V)UyTAH#edX`A@znt)}8KOo8P^q>o;#r6lv+-6p4;MZTS`
z{YM^RTvc)l>iYX}O=112)ne1?aerjcYNKOx?9LVg0%FcYS!SML=FYb-&BB&q<&<Ci
z^ao~j=jrK+S>5^kRt#GN;5iNY+%BmD7YR5#5pY&K4?nXGsFwMPNA$;a4ReC>PmT`S
zT?FsRdHV985I1klELemFOFKR1V;9~J8`d8+t2>u=7eN6zPhUE#yB{wz2QM0>%7#y?
zo<=e&qyDQ-=FYraBx&~Z{%;X}27I9{TR!*==<j%7A0vz?A#2#0GOr#Q3|E6Q>!fhv
zCSNVA1P9UTI(m)1_-p<pOWj4Q!xv#HT0KuW20>=Y{Q03z#EDl#;gG)eI+?RNRm)ih
z_PeW2=gthYWEe!KKb}DPkY4I#O1&K)T4yh>+Bp~xmWnT#_P8l;@>l7BEs<8Fe-AIL
zEiK#&NupQ~YQmy5x`qo?+U(WD2Mj*KTh&||P*aBR{pI(V#yfvy?1u)(&R=HrH6hjO
zHirWKJe>@HQP|B8uvy8-xL+;3V@RL*yu%!#a0TwNdF1-vph~#BswM!il<A-R5?w$Z
zrB%hG5SEurzD!wem{S!>V37P8Tuq-+f&KpedD!n2<OFQ`VIlX&^FlTqeg(Rhp0eL3
zV?_cwUI8;_#QCNelBquEHd-CaRcE(8EOyz#decVp7=(t`-i$KuH?Pr^#Pkn(z+6BI
zo5P-JtX_>HO`XbTuK?FKGmbLvb=AbxPsJHbB|o#yv8bS(7b)O)N7d{N*=E^|>fT)-
zc_xHpm;X3Ta_dn+FflnFFmJ=nn^)CAgZ^Hzdv00^({?CL`*qTS>GZ1JQCee=Rv4E1
zo6;5pX`{omy-Ir}NE;WX`AVw|(#D5r2bESHq)iCZx|H@nkTx+)JF2v@AZ=urc1CFv
zl;$1qsvu0_SAQ06GYhiZ3|az_BXeMwNRT1+a#wQZfIkBn43!9<>_EBJ3zKA(knBHA
z8>$hl{vqNwuzl?$&BT`l_ONrG)HR2G*(>ZmUhAa~2<o2aAgIsKjDd04Ya*!lFCZvZ
zY<EW165yent#ZA3Y^};&u5y&<HrLisXow13K%HHv9YG;kOU~!FJ&NUNzx^XZ3*Y={
z^xxny`eq$>b61w8+{TWoXY%utQ-@c4o~V^6$%+x)`m*E$9K&t*M-J^-P&L^Fm0*l!
zLDiTA#bL;nkVL;n&b@YBAOB4jmEM5-3(x-j@NUXN-nltk-vOhPZQp!RNrwk;1ixPZ
zd-P4;AH-wLKBpyLdy^c8vyA-g12)wlWuP8P$tuu8v^vSZsc#cwZy)a*ZRRWb=9)xm
zh?hu>Y)#&pKkHo(_d;1wrhIHwvqfIf>ZiX{bh2V|^vz9))bJlrtc_w-C-cj<_mr*J
zP<4Y<u{JqrWb)bJhGRKieqnOb2*;CE7Hf9CzZLN#_N6ys5GD;Qm62OaEg;5*Kt7z%
zuu=Xs?9+=S#E=b!Ng3^CH$*1}I(4yzii+!R3{z$-4m?%1$>$XV$wP$`;&PMyaxOG{
zU*R+IozeLQ^jtosgH!8|!WUlBDv8#7lhwhUofBP7*X}do`<B$$PoR50Co`Foet!u6
zN7wQmD;()h`zeQvB=cp!^iID2mCxtGcbWqfyoc4o-HAL`_Sf>lVs_HTmhZnnrMS+W
z?=*~OVPU1f$7WrCmF25s0ucPH`bx5S)PaN?iD-iu{b_|`?d95(Z(fIS*Lx{kmSaic
z%`D69T%{A%bE#*BZ(z~T8S=Qe_gitNxc47oG>-R6@eB|k)<*tB9(M$fQ+X8ABK1BV
z#jALn!K2s_kI(TaE>wy`G9SGW<)fNKtA9qCxv=&YjVJgv0ehZVjhenJ$1%ESB?-U?
zs+`o=kp|(eg|9(?;3N3tf>Q7+<YqA&8r+Lfng2sWp5nbJJY=pk3*8kq%L^Yc#{jOk
z#~=0+c#>EYn~rLANB)hQXBM(dj2mZ8G5bdSvvddC1$OmwdPQhYp}An667aVEAl3xg
z&RG`nwQ{9ANXy|m4R-yP_S6e@@wzwX@A!|sPd=gJ<egV>Mdb@uLBOXgZcbD!6NYli
zFZU;O1=e2Ump87*T3xAZ@t~K<XUUB7ntJjW*AqkxAMo#E0PrH1TD0028<V$=mUxrB
z-2Xnz%W$UMe&OZPe!Zsh+fwmpRabQ8Fut^R_gLI(0=)t}{pZts>uAr?wt$gWF<|NF
zpQNJX=u<!9T|i{r(?k54{j2|@(6U|et6&4_7ork+O`Sgw|EJx>7}P`le;J+nalr1J
z7x4We<<m=;f1UC_s{G0z|3k`;_2f?gKEEINnJ<HF+CN!A{`Eci4=DeAP1lV<{^s-Z
zUsisT@-Gka|E&D;<<4Kp>GtQT&?BOz9`#x06?Y^D)YLtH69*Rh769LQ)Cp3S-jdJ#
z+)e(em304ISd(KldL43hE{f;8@LnH}&Y)H{p|=CI9sORj+U?y*mZjd<L04bAqb&7x
zEY@Ff6RF4fDxHbC?hNSGX(@S_N-WRn!b*Oj4RfmQ5Vu?^9kQx{Eo;0h`P3-C7P3fQ
ziw2W#itzQ+0>9j(>8zB`4IMUWeQDMHQT{4C*5XCiJbxv8to*0R8=T~u8eAR`-WKEY
zCKYzh7R8ID2eQujvU7j$dcSc0lKCXdv(I_9!R0M-MmlO7$qY)F_oVythmzBN?y|nO
za;mr_@bvl=MA(bZw|hiwF>5*8Z`_ILT_&ZC(Yf``G&Xx*yaT`Hf%O%S8rSQy<qswv
zyt3-_fEOx|u=MJ9Yy6qOgyZSJnRaRtR-GkVYZ)R72k)~o@3F1y1j~P(@Y6pKugJ2r
z(9f4r%SK&oc**B!#n^W{-(I#uL|jJ&V@>T`(Zi3Hbt&iHl_Nt~=K>>*d*{DrqqKA?
zRArc?Q2;gwMA=z>2_cjw`FynIxWP%rM<i;Nhu>YTxh=?Cq|BP-(V8oQcg>i2-_HY;
zwPiQ&-{U=*SJj0K`rka7kE{ojX?%^IA2lcW-0N=gk7~fbC_kWQU!U8(A@4aHlrc2@
zRr?~N+4<uF7)w3#9qDNG4r&>nuI;|e!KKMR=`>Cptv`!OzgPTgsGDZhfjLg)x8+!-
zo2E;XKN3e<x`PvI6_)Wm0Ji21Ww+F*YyHQgTGoGkR11Sy8fhbWsgAwX$U6X%;e#((
zK2Cm}@^##<{3Xg?eqO!=&eHu%oAO^#K2j!If7uKs-`_Nc`4j{hV<Jlq{n|I-DWg<T
zsml^7WatCHyEB9NC#&yGD@*-*C1nitV=W5PL+d7Nock|moinWAtYMDy->Z1958dBu
zx|NC<@&Q)T8QMB_hyAu$m#OD24@{*{s=xpHrlrf&QexI=^;@wuY%Qpdnss^TUT|n&
zPEJ2_I&NioesNAfpU3pwi8J&<j05T^>(#((WX%D;Ht1!fiScMEs5(8cVn<*8p#8@p
z<E0GK7}LQgW~%Dg<nHKqZ<*yY6vuqTG>|Xi4FCOjuK0g7p1?su3paB)W1{yy>+OGR
zf9d!BFYuLSNcS3qX*$ArltK%NP?>I)C9A-Hl*u%wetaz!Ncapu!o%$+;SDeJzfYdo
zSmY5#hxq~B290ufVdrwQz3E(T?%PO>yk1Dx5#x;rp<v$pt5`~j2irKpWOXJUSvRY)
zvNC=0%0zn4D62kwYQUHkUVHl8fn(aowARME6GdAqRt0NCQ1s%1Pu|$aGrJgfNDp2Y
z>O^YD^@$Vg5&5c=zB_zgdF7Lr%D<jW+}X{F@4|_v*^I9UUHD)kI=O{6m-QLGPYT~f
zPkju18q{N@-m#^hf;2&$KNd(pN%<3A6GnwGTm6+O5>n6gvjU#8METwx^dF;mwD_lI
z>wF?p=IvZMcm5=)E~t5LKqne4u66<c2AEKPAr%i+LJD^Tl$X_qSa%Q56`jgn@x`#$
zkkd`3S2{7ha&W%IbVWb6(NE`(`^MKuiU(_EgElv3v3jvP(8qwi@rC|5fUS93d!zEN
zBhRru#_i)(r>}fE;-;S3@t08`0lAA^DmfAB<bMAqz;Lb8%m9|CrT-3BLCzEPFg)L>
zYOw%dH3gia?W{LGn9eb7j^w|87pWXPxZaV9UxJ3dcjoJ(1%Li5_dqTEb<i4()Ka|j
z<zW85cn1z+(WTo(asFB%J6T{@&hh*&4Xn7t^A#raNhB;5*c%bKk+vSHs-%0_(}~;}
zz>P%XSjhI<_P(Iq=+Z8K9&B);g~+Yi${aQ@j{JNgHU1W=n0!Y5*c@Sx`-jXn{sag-
z;;%@WHCfD;u$j2BRC%5SKB7x+@Xng=Bh%Fo^eU&S(Q;}Z>xV>Wu*!;#z~?44yC2QT
zG1Kha-$3Qgz0&7^i-sZ7W9A^CfZg8^{~>w_zSr#SfrfAm@DEjSVG-YEUc5={J5D4x
zUwqb5?>pbZ6E@_3V`7B}uO+jGminwO;c+Gi4%aH0+5fm!gH>}u{p&BNZ&l{>UF*?c
ztruvmUs(SR{}iC%NOMFGKDZwD!$;Qjt-mFGO7+v$dLR@739_SazMW+yWLs_N9R-mN
zzIT0x|9h}Od%xia9zH6e<Ua7i^gfy0%;SD0aj27;zj>NP=qB7L0;i#u3-!f+Q1y4F
zs&pJ&1zmQzy-gJ7EbXR;%*QAa@~;PvXGVWlR~-cFoz31!UdhbL7b7f*sDayP<FvNa
zTjhUDvp?%>PR`Vvr|p1m@%3o$U865ARdQn1zTl@pKYm4Tg_#>DXf|NxqX(u+=8NQ;
zb_^jOgWk^T?+rluzv{21wx_~B?C)#jXZs82`xxdGgZ;l4#Le0}NBCnVzC_U)BJ<q)
zz$8k3Kgk9{sJEHY{=J~m$fTz7M_C9#i2jR8^bQ#QmloEx`ByRj<ol;z5@d}*>%Dpd
z`^(QitZSt<i!(2P*YF`$?mtpP=a&xWEjcts`Nf!ILmg@e{-OR*5Y;)a&;G$)m-$vO
z*};4kS069Gs<`r;Rl%n&ORV&cfnGiQC(;(`N7;P>X<=T86=e3-zr@t<mmJU#p1-(g
z$pfNVOPn}y{uAWmdD{@2&ydecf)aD8*OiZ~JY`i3F0Q?PdV2rB;@X+;Wpy63?;TVM
z-$)r)JAibRAFJ}0DdT!2mssAx^!^cPpO1ph%&RTQRrQ_?sHvZq_D9qXpqO6}6jwD<
zPVG%odnHI+8pQUd7A1mBVLou8rxCR!dBM}D+7kAKN*i5U($75YpTOHVIv-G5(m#tY
za+E^OgxUc?g>gL%Q#EXu=E8>QB5W8KgN6l)8tfen@%EveuMcbZRzN|rj^OY6_xbmb
zUsLx#um76t`nT(*SKXXb{=qE%Q&X+!RTJ-m5Zfxu{WWHl^g@J^CXq$lCd$WGXeRYc
zplL`8xcx=579jibq28WQ;rMQ~bOEDRKrfOihx*W`l)kuHRC@%VnD*G&VbE%%#j~VH
zy}1Ibr9NIbXL@w$kV~d}L#8J9!er6LnFox7vFkcdn3<5xt^8S|Nl4O|u}vd)P<DJ?
zhZ*5>U)17WUvV(?Ol}Zv_rtKK&vJd&hwXLQ^3gZT_#9lezx6W@gyP#&3OK+$LCuQy
z>F3=5ie7y6=x+qeVhyY@Oy#uyQIL{)*fOmcE^)xWIA{isukzcLZh!$S+rmFi)!(`k
zvI6oETp9gFlzD}yI*;K9|4p#1b8aji_~c3$Q=&n7F<fg}6^PS*Os(Q2UKS_~!PbHG
zh&I)^oAr7Dd_Mv{AuU?1<!IN<=|c}?sltmZ4x~n2jGAVYOSOL=17U&$b;(izyiA}A
zTvYbQ`oQeh1Id32?!SE}0C%67I}cp@ZIR4u!Mh81HMPf#vZc?o7%{?l8+=#eMWFyD
zF4EXFD@)&jZW->!q+7gBPey5N@aOTEdMqzE-IB5J`!qt>0qtc)REx8SsGOX|?=dJe
zzdr~}(@Pi}+z_;H4sNBk(ms3Nu>Im-P+A$+@#v-=>KF7SIdBzyl`6Oay&Y{_CwS-g
zbxTm&zl^a2eHv+@8SLS9+V3o#5YUu*Zz&lirM9J{kbiTGg6l7)ot8=Cl%DV=jaWL0
zhn7j>`8Oya@P4em5OUt6(NZ}u$<LMgHjpoMy-|09vBKH|{(MKW1oAt5L&>P83X@Nb
zzu~EIPsI~e&yL6`zf-%mXGiDUOA9ADvigd}A=3CJb><Q9t?;KY&587`JpTw?1`P<R
zC%G2p+0oW<@2PR*_VYKI!A~09`5Uvd(^fF(zjwb7#CHtzPl0eWrJ7%(*p#vla2U@U
ze2Od(%7inJ-it9!^J~Fqqt$N#Rw8xxB}>PADzIMs0$jswwk-Wvn2-t*IA_@H%UMSq
z6@?v1s{b5w2Q!CN-oGX2Gg|#CwTgB55D5<Z2k^C>?cYWrfh}MuNh8Wq6YHmV*ZW&J
zX*Xp`y%N!GwjACZ4kt~0i~EOOIM;2};pyvmB?WOd#fAQU#;y@<5{(G9PXS}7k8xfp
zh?vEm`&*3RG0-34STe`cVQG4IzbSbHdkGqS21S5mGyUhoE>H9nQ{TQmvq8BLPL*3Y
z-pb&;*1hatutFZAhGv1d-GBN@A@^zVzAU{1)npwpcKBca6$rC8VY$Yy{fPft+FLf(
zpghn2ET;07Nd*R5-Xyc2GqQ&TaAUmGe$hJ?7(VWZR(DcTww!=ImW|?-9gTnF+uG@E
zt=Jy~x+kw&cR%3#l@S73Gta^5SOrv?fbpDce$`2RgFVx6*@f)4QS~mFKBuR>-_Rb-
z9Z;OWXm*OUQb{X`^n3lxOeLQiG0?wX2vmV(!!?>@`G^s4jl1b1UQ}K<e&+8SG7Gim
zr2V?`PfVZVZE?N*G6Y>fAcW4<`*K-#iul&|%#hu%En9X4Ez@WojfR)1UJ!2#zq})P
z7n6IMF<qP8uO}w~_50fOCDQNrW5Yb!uX_&qAf4l((F6Ve;>|63aQw^-T8cE{&m$!{
zsSrT*QIG(?96^~jdcjR3??CvBHEWz^>-|T9W(jmuv-j!^BSGG?BmA#09=a%;`DeN?
zyX?$FvU^vj_?eui&Wf2Ol2<~Y{&%qh-#ED}{=(wpRFBrIWr8c8&F71)ZRV*TPdX1s
zq@KMvuz8H2#`LPL(c$-0ad8ULbAt5T#d0!^*1Q;03S0yHtH`8@v8JdOFYwn<YUyao
z5M(_n`ev8^O(?)HmH6oL=@cCmw7Q3KynQ;XIMDw|kPx^qP<e>|QlF-VtErFmG&MrX
zh8C&U2A4(O<8d*dbenfhZ`e`)-GTncnft|*>F#V2KQuiDf+%2$Bi!T@pbtGXzp&J5
zioRK*6IqV(pW`Isvj8*QA&z&rV!lx+21cvpLs{l^Li>1Hf^^ej*_eHzY$C73AV&BW
z6{%s4aZ}IcC-U+GZ;n!LKu?*iy2>Q=Y+xaUS8yI2)@}%Lf~g>9NKel1f}Fsugd8FQ
z!#dv&a<TzjB_p#rPLfje4-+czAE8t!$I?*Yv!kdV%nN3X(f(~@dGSI%Wa<_UcZ&{2
zzdsVJfn!5_Jtr}J<U`h9C;3D{BJY~%RWFP}7dj<M@lLZQz)--4rg-m{<vltY$_}s(
zqWm3-4$1n$I2?|Ih5VKvBR?qW#q+Zne+V+NNQoC@Gkz3gWJew!9%gW!0bF^dg!B8~
zqzt``3bW`rG)&(eWQ^?12ypA)9Au2>%?OB}12AqJY8vHV5fmtlzBy@>LD!|AOB%LN
zg$ynZz9%kwE#hJ-XP9^lDtJRCI)8={hTQKAw}#IR0nf&W+m}B{&zBnDPkKho=UMJQ
z)&nGyXu&lJJhx2JqJzaHs&;oJ#+**wIxd~bBf7}ggQ4Z&eecKNqL>kV-^m}<_nrLF
zeH5lSi53~w>E)$|wad_>cQQf9V79-Lv(huj3A$|Pi5D^(6u43%f%66&bD64Zvr*uG
zYbFC|sp@G@{GTfsyHFDhyHM1)N2I>K_$a+#j0XHNq2h@mv~}YDtA0pM3l6ISC*;>l
z$Aucmz5haKuPKqtFO*(ZU8GjVaK_Y?7yaHay`<u~OXUts+h#fY9RkSc<YvbZt==tA
zJim0zzQmXgOP;ZU(W%;(n@G;lIa>0TA#nNWsfURr_;l%mguELs6b$9*_w&oFW1Sae
z`G09uGiNNv%0FA0yh7ahKKdelpLO2oPvtpY^nR(=Qqhq>ref4Lmiz7gkDr!aRZ;I+
zc=;)We}t@#iK3B((U&fU#85_pRg0B2@nE;#-w;Q+@OYoFCnJ{kqA=Wpmr36;g9J6v
zYFpzIg0gryE_7Ugmjb^IC=6Z<o<>EhB}(KQLE~n(I%Z4hm;+ALfn5KiLSZnGeGv37
zZfXX}mz6$fS{MN`tkU$Z{8DRMXEfjoIyovW+E#vhBKb*aW)tZXM?Ua_p1<3_n%8*I
zfdD^9NV8`%k*%!f3S(%(jeTInq5!N1+jT1Svfu_0qk55cOp0GsV<NjYIZzJ!7tk%0
zqBW3$areA3;q+&)ZPMa!v@{K#GTN(;+0xrurjR}jy9)NW6$S)NNH7hZ-|5jS%tGqX
z&jZ12R)=5AfM|SR-}P9vOegh&W?qqeNe?(#JOiQkY5>hIB?P*hX)A$0r}?FO^j`HJ
z59p_1PUcaV4*S67mvn2emCb%B$eunYNWZXJ-}Zy{!U}WnWPekDz?S?4UB&}?NN|Ze
zWXZRdq49e&B|L`k+!4S{@v5%=<sb5@?gNZO%G}I+Z)O|uZNWTLE)#q?<sVNZ|B_`D
z>-^iE0wcYwBDn0ob1~zoeAB?y*>-`wrO*EI*fKFDGbtwigU#l)a@y0fZ}8U>tRZP+
zE=lb#%(I*Dnpq!y$D<a~{Wn_Z%~b}h<|@-$i-BHfZmALi^<U?w!~Mf{e~0*ZQlwO~
zyyD&}GsgZpQ`_!~{*vY!wk+%7%D-sRa>`dIYsHfW5dUJ0mD$g_1TdrM`w$wtW54Ma
z)c>JrdR_T))SPK|pyu=jakW7d0sYY8GhvH$Poj^SPStKetU;^2^Bc++;}(CF{|jPQ
zIq&!gp=%wwx;6Qf0vdf_y*Kk~h9LW;#7Z$)cc3xdxcUo3|8}YK-vIt1id^u$?SOv!
zv&Rj34&EadybrqIeZU3p1AE?$-D@U-GeGYEFjzj=|1k-IZ2BBO$)h<?3g9&5OM1#j
zg7W$vd|3Y8^UKTs=kw>CwU4+ao|Ac>(FOA%MVku{l1mMhvXA{KSPo7ev~<mSJ}>|G
zGy3KSraJ|g6eMIw<Z99zYw1wuq;*S+>C3-|27@KV(iKUBr$Qk;oaKm@m|KjY2n+u)
z%KZIzu2zJ^2XD-;xUVev8v(0I;;EYrK;{3g%%b#D-ynqLk<_<x%|cNbf6+Ig#F{$g
zm*3^B2#hU$E@0vD6MPq#MH}pI0+Gf2Pg4t}f_R6QKCChPh$ezDfL`v!;GbZfd+E*}
zihg<rn7J&-4BG2e%XN^wK5M+H(LVIT@26Ev3Wr%yT9$lWL)20^^@Q+U{+XrMLY7Jx
z6C`|b>4Y$0gh{BF<}~B;dfw6yUEg@}c1_0~GY~e8D?nH8P|hpP`cxZMpG4~aIjnyZ
z-BJI$=hfGB5`Fc%Ui-{ZsZ1gaWIcpIJo=4Kn3hBschi<)Np9?EEToMQ=Z6r?(O%Gd
z%il;gN1qYu$Q77#EJ?Rzck_?Gnc*9;PJG+thLvwG{cATl%tN>TVay3-HLr_7Ris1w
zMr(#rE+iw7(2pNCIQ~^KDK?1fu&ibDg?Ce-0>bm<6<kRg_;j&s2A@Zd)_j8=`ZRMp
z&0r7rcLNaupP|tB6mM*^PM>{Sxl=9sxF+#cUexnQ^SjHdSK<@YLyd8YTAmy!OV5ea
z49i2Uk-e;;XO!j7h|NBQ%|yR9@C!`&Hy92ct-cqKlzs>4WnM*2=C|T=Jr=`WI%Rkn
zPTjKSfXN%%r|8PFomo2hHIVhvNd}u)_$th+@@=FT{g{igMCRG~W-AfS_Y1TbFoNuS
zPw8nioNtU0UA<~Y!yL}C#Sd2dm#{*Z@u+6}tzP*1%=^3F2<IKw&Myb^?q4le(8bxw
zPt^R-%==$@=6#CFg%a7rqvYq0nTh{t(qIoAe0VtXQh+<JWj_uo2dYti+Xx*8)deA{
zgSd97omq023hs+1ye`>V(Oj1Nqn0q^Gg`Pjm9L>U(MJoAyPm?)m4$AYf7DP&lzgdV
z0}Yw@mAtB2*P~&wsN}d`s@gZOe~*6WemZP_s4&>x0org{Po#I}`Aup`TY%>BxJY({
zy)Mqps;T@Y9DH)hFYDoVrOENbOTF<Q;5cPqqNu*&fT7r<{;U6td8wNj4(Yy^ZZhQb
zo)5FCe{!qnCSa6y9rNXXo!<M9&ZSfk{^~H`O!2;!lgaOGmqW;rl`lXhEt3VAevRp`
zw!i$jmene){Nl`|pA#hTr|fxK=7(%e(VHX>*-sX0D|U&0j!PNXR2JWx`P(BBaK$-+
z)a<1n>`TGNc&c6~$SEID$^M=eD%g*X!c<`H`ud$#5VB7vCJp|h^o*nKt}GtR_OYcT
zUx2lg479F_f4!w-i1+&H11%*5=iXWTa!bkZr>A|ofLr_zzPqmBLj5GmAMuiXe5{+i
z6I0D?`N{i7yUE9gyUG61)p2iA^0tBSoz~>z<D4k5CuM~Tl6MY?u1roYpzug1y4vyf
zBp)B|CZ~^blg}4&*3#%iSGd%vGZm&4uA)qIm8!Opx+wYh1Si^>e0rkmJyf_bx;(lf
z+Ui8tc%4pkZFFUHjU%JaX##?hFAPjRMKA)-hmy}0B%k6#>-QCQsiD0tPrl=w@{T2+
zf=f>;Jm__jbQH1uj(5%_+;e}rrJoyHWADd@{hid38-Mbx?|jK3XKi|Iu4^?r-bvSc
z%eB|KvF)z?*5uUOi&P>t{|5bFz**p(pattJZN<HnRC4UouJ^X%b;gc3>4tvkHMy?6
za&l_+AXRX!^^SMgwa7p1*hidLXL_}2IQE{@k_jpiw^lmDgT}Tv>2yEGKCE}^6zi)l
zPBLlfmAP?ih2v#X3$IrN$KD)|k+YI^GLCh~^){uO`|;pybM0+hWRzO?DV1Y<ZEox>
zC%q!q-fo?6y)~&<E>{Mn$y=x-YHR`-PI@^&Z<`zzAh*%l=AC9V);8B$&v;^|g&uo-
zNowu~)rJ|7881)ZK|_iiVeD};_MssFt#OT?q1E>@Pp23lLp89U3XxB5s~BK7S~Ju`
zeaCnxweY&IxkZkp*#ZANc+AiCo&koSn{hJ0K7(UmCE48Upv-{Hz#O~Pz1A&U*k^#l
z&mW*;`{5Yd>&#rch4US+t7o{5eek?d#tDmrna%GRXGv<dr6%KEhm)=Y5i4A@yajQq
z-m%-`_Q^QY*q)Ait<W<Aza_O~fGHl^Y^Sd+W7*h;G~3rsW969f^VA9s_?hq82VMJJ
zk{QFQ_OzCvx7oEfx7T}X)ro7@g(zyTv$v-f4pYlsyNgBNUYB}huz4*jTw?I%;#?@y
zd7=sLR7e$?yVNUrzv|rlxV6pN<l4)zn$&qKxrzI<$WzPaZEGdHwb_vAde>Xw*q!dR
z_tE>c<%J9FQ(E*Jw5r>@joudf7-T}DPJ08?beY=Ks;zUajdAa=<DHA!dtAo0#IcWC
z8y$NaW2eW3PJ2C=yh!Ea7Th4C#bKV7dxt<H%K}Vzt6gC+?b!Q3D!7cQf@7VfFpFxw
zW32|#MpmJ{!hTC=*zRJrXtnpWw>Tb9?ny1Y$@F0#bqqak2Ug5!jgEB`ap-Wvo826@
zPdL^F7Ejzhz+ppsvqOWFOTBWf>cVXnVl{!cxrMEcwVe(YFp1V%_DY~*Ik|SGy}{e!
z@p>{f|5DX)?e_rD>SQ@AG1y$>q*t-zHrtFSW1nT3fqz4L6P(6d?QJeeExaPAr=dAw
zMAm-CTEn!Q6cXOGo33S*yY|WUCZcnMmUwFZb*f@-rH0m^wU6EwQLK$Wh-<aIk-{0*
zJ8N%^r(PXm#!|*O>|?@(YrP-$_B!cCmfv1#&KFc0U3)8)4tQHB6;Ca>IRI*(FydNg
z<KAvZ92bTO_-%2!C2p^EKwo=H-0O;aFd?^a(Jdi?nT4bExIl>Iw=r&0A3Rua`vXBs
zFwa&{68Bm}`kJ;@kYOf`wMw^f>!9OpbD(9OTqc4gUS7DwP@`j?bK0AQ3~!fX?*}DA
z!%@zM)DReLASP}di+dEhuW*A}VLDr(fE^^OwFQpd?AmR#VIKs<`F1<2bP)mdTVN30
z8m}E{U1C-%9ogxU)T`swg_CY&81I5X*M=iD_7mOJxhxM0vfTieY;Sb!`dd=-KN_HL
zk5Fjs@m8ms`tgINPH7(otF^UCOQbRN$|qG;Jgls6Aza+sWOe9ykp^!c0TJyDj#eN{
znv;{Aj=eITsvcqBX@~!?THiuI#H|ho-%VC7Jm2BEJUc@Y%l<}F(ynJM0X|4rfE-~W
z8{^g%2R_0O+Tval3obR=He~@eZl~h_ER<WzSzvJravOjl(^iBLsc~;3k~SV|0-vnx
zG^p-iu?~7?$%nu1p(T_R*0G$#CtIzzTyLGEm>a2&)yM74Ze))F&^C}^?`LA?^S8h|
z49i<j)yO*9TIg-^R!FGDn%&sC$l=t&5o(!mb=N)u_LdNVUDwY#tPWOr&DJId3Eti?
zDK*!WbG(BR>0;Jir)$wEGP=u&w8riCg#0?Df&{I(SgRXrb0fSSwAzI1NEb{j21U-j
zOkKvnJ*tlowSxh$ia7drt#yu9@5ESD@Ih-G1k(yp*n61Mg%sbxSV)4~1yHY}n1wqh
zQxG{6JLyI;Lck)c9Z}=4rZSrHjtEbzlDdHPdTmbZpdK4zZNeUs#emrgwly-bMzs#i
zLbsOS6?#Vw8^W|us9MZ=v|3aEUr$3*P2NFojT?c^yd&NkgX2xH^^qf1143^J1j>>?
zk~KN)5bS;juiwaONC94mUUn8_IkDAFq$ySXY4rxxTTO6N1_<y17a6}X4m&|r*e|eQ
z9v*A$l!LtYwmXrQ_7=#n%}Fi!tQxSuF9%H9omfk3Elbypbc<l>;{<ftJB3dt))Ds_
zG!mAV5xt<-LC5pV0*h>k+lPd|RWXnWhjk+BZ%NH9GSHobX2rKU9P}6qZoOQBdK(KR
zwQ!(HxZY-p#O*Vw;lrS3n>l7~9+K#D5qGU<ld(*!1FmqAW?Dg41isSY#MVTZ2vod7
zj<?^9v8s1D5yVw>o@v!SaV?NQmR4G%=oWS`V^RW`_9Y}DCE;Qvsp{)gJkHfSEIWhY
zWAVsV*P>yteJmc^3Ms}TdY0_6>cmpaqFF>~)r&MC#T>EW{d$ctZ!K;Nt#6N(wctH`
zOKPFP1~NrMqYe1cVJb)&co)oZYtJzeU;u<F#v`ktvec5n0#8$PK#8%{u@=JxBL}Eq
zy~PFr2_+@~$s6KF(y)$EBG8#5Ob08~jjeDZ8<`QaG9@zJgF=K3`)$!n8wA9vqJp<y
zy!xONh|`fxaqk^5RJ4vdIB?9MRg&MecCd%=&c!yxV~twDk)s+qjA0FYWCO8&U`Bjl
zQLM{e)7~u1?HAf2=TKuBW1Aue(XdCWJ)mzzz<9gp*E;BJv-f*PctcGFt|hFiRJGv&
zUOfX@1c?W%L{P(|VIy&Gha20k`9Z`vF*wXY$AZ|m1URU7BRhqI`Eav(Nskz$veQh+
zmBD!KV_6;mj18I(gw1v!aSib_DrJ`h6}m}lu30n-n2{SdrN4@nw$V)DIoH}RPO=IX
zf(8YPKnS#_T^pIPPm6xxq|}ljsv(55+34~|S(C_O#Fqq-^<LaVKQ$5w`HA|po3$(+
zcND$?Igc=v8AB^5jw5a~Y^%jH<6p=uS}nb7V}am8)j&Vd=H?ytMJ$n2b&eW|TWCIA
zfdbtmRa)Bk872_Y$PIcy1=cd}a2N{OnYRa&^Wg1qQGe`u2~5}C$4{%7-?-hSRXX2j
zDm<(*T(>PX_X9z5npS$THX`;t=xL8@A4eBw9oe90zxXIDa6kPIHUOf)Q9(0ltw+?7
zK0xV?b%dpl(f}CSVD>6xuYsU~i9&oz5pk@;5{3BexHgh!B{Sxv=9<}(tkjZQ?^>Oj
zttDCI1{DcyMhfYgxV^m{t<>!Hs5jn>z${itNi9;gVkcl-aaOy{wlCeDPR$*vVzh{E
zy9pL+(8a?Zy0=-z8_^2q+h_?}?Nf34taQxwdX$1o%y6x(anI}k<JMM5j76bvT;+K0
zz!2ks{;W-Jpy&scc7_^coC!kgwHdUWbzsa)e0x3fqv=2xnNAq6_rAuyRUJS(pm8%e
zV&ml6orYB36UIvrW@gBJ)kHDw`7Vrfp=Mg_H*PnGF}4#nvP1f_s$^A0cK+e^tXV{a
z0@~%GtP+D_BZ{a5JL2_V3HrL~+1o{nB2?=vZ7+mAY1?kG&oLb+e)PLaGJrK_W<yM*
zuAfkU-00HwN$Z@=csI-FV6PJ~p%mArmY7M=)*r1I$>bfDX$)A{@1PD!j3C+exYo(Z
zsU;sYBe1qh^RbWQVE|$AaZ%Vo^krt#TF+N)yu=W1MuCgz;;2j3JFfTeaMzpB*SSRY
zp3pwZq1_knSX_+VNH#0ZU6KPN%&XqN*&RctJJ`Vucq+fDB;Qgjalf*n_n-c!(yB8z
zKV4jkmv7w^Sqm{XR_&-OO+D7XI5>YW_egE$GUH<ZSNrgT;cR(tSrRYEs=wV_TD80G
z_Eh;z#a#7NaeuE-zi<3;BK6eBQtMdNsew`RL1sQ56g7rTe8(;#;;4Vs&RnOKF!-7=
zfr+)$+Fv?muRos7@W~A?@F~Vm`OLu2rOG}zlF*_jzfhX&pYSXmadzyF{d1btl}LSl
zV4`X#9v$sYDt}1nm^D>9x`-)`en&T)@N6&l)>Ngrd~@PwiqZ*h;-{ZHkV%jgjFa)?
zS3J+TRP}h$0PF*=<<?#lt^OEq=zGyO-4C3b?ztD8%M4eY9(y;COz{rlFN1HW`>8Ij
z*SNZ?G!+Mw9bKhknp|tolrcVF2?5`^oT@wn$yy+pk{mLjhy(Z`6M!UFy(T~4T|{R|
z_XB6>>P+T$*fE`Cf4TaQ_^C78;&Jtv%v(wYpiiBfu7q=$W@GLQ&VvX5EFYZN#VJxS
zt_#1f75FzB`WTV?V6r6NYftaUOJ^>Rw5Em_7gDde)-B8<0;0C8a6obG_(HEay`NZ!
z@<PjN_F4&EAgqES`Ch9MbBSwMI*&6flKLrIdHub%#c~_2+HtejzW5oQ#-zv8S9M)a
zAY!|p0J`v&IN4<V3A{(&m^4^q@aCjJwQ-A!O4Lw1mxtPT9+}bFcs`lKYUBNqlZKeg
z{yfyi2atJ5ZG0e^7uUuk$w>t!a}W=;@xf$%ur@w~%n#JYhbAWtH<`nDsEtR-{BUiY
z`^hF<RvW*Fi&ISI#XQu;FM*s{XAS0zY1ZByz)5Umc<Bpv{J=hoaorebaYiy0T8#I`
zM2n@|*l00~%Sfwe(!<36=st&AbpRP$+Q8YAf^XEe%*d7e%HG_r<!gczamYAT9DONp
zBYx_>#G=oH|Cun)N%tkZ$sDfoT@P>a2>wR#hXciA+)XA=NG!T9{Eth7UZG`vUJZWc
z2R{pgpC!RhWAL*o_}RdZ?oOOTY~z4&)AH^!zjO0ULwtcaQPle6-vWoKmPrN|7~r}6
z&0u4aL5AT(INBP7ObYNZ$)Lk8(dlHBZUp2mGDQ>oSeQul9pRsc8$dM1-3;gd$6;o4
zX%UO1nhrI|>naADO9_Mb%+EOA>l07XXZ?WcUH*JcXX=jug14WCkq{jr9s&aShv=9<
z7vXx)sQuCA-GrV`QS()eqvg99oM)$I-q-TqpAiI|{iB0|%sLM2rU&ts8=x}ikx*F9
zh?)rT*`bj`oX=}z5}*RT23IQW_J3y10Re{l2|-krUKMw#^N-Nqt&~$JoZQO1bRR#r
zQE>FY&&}}`jNrxb=IHBgef@R9@3cj$s|12R^#%j`m*Y8BdByQut9%CEKYgOW9Ksk!
zf&>0vrc<t}>xHM|a)0{Ydb=@)Bb}Mo$s<$8KtBmeSWjQ2w<K@!fbA-tsWlz?!S?WP
zB`wZb3X>1~W5Z|07R-O|d5TVoXYG}%gfD*`dBf`~Tikp6a8B^SvP9KiD;WiEPXrlL
zc{Cq`;O?Y?veY+bl%>9QxBsoLQp?<{^hEeH)&E-fG{e8wJS{1lLqq;;;mZQOIN?j1
zUdD$n2levt@TEY&T^7FR?goEo_@e6>{G9M*hF*^Rlc1m<z3ehC0#eboyZq@h%xyI|
z6&ijZ@co@(nQ?wc_%zjD6F$xG8_iP)_M7300sHsiivj!R;fn!#PWVz_0YX*yGEOf~
zhc8q0@<{kHLofG*FLU&AJ1?_NYxXKWxJW-xrzWV+fp4lx={jBu=CdsI?a^haiefVX
zTwksO&u5+pM_VIbLFG&}QKQ1d$ez68=YqT$Vcvc}rzdZV$(vTl*Veh})u2`La%E3}
zKbrz`&8#Y0$j~jLLuY5Z{$GFBgu&6?WVQeva=<pbP|1l@wyA}MLYSH?5JrCfRJM3Y
z*rSpK72nocQn)}+oqRT1=Blty1MyS}3L9H`vUQBAd$1VQlEN8b_FsCk-xsqWXO79?
zZpZ!pIW9EemZOGfO{>YQC=fOa{0}^$^xzuFAZ6}X1eUH&{ciX))vpYnX82E=r;wT+
z311BG_k}NQ8p-Y9i%{a<6254_{&nHYIK7MxU#9Bi!{N&ey$lOq=IF)ZCG#f(_n&kw
ztg)FYcRy^PuQ3r}sXxsN^Gpj9!#wGUiPWDKg?XmIQDNR7lefgo6qj3$36N29#Gp5r
z6ytW_N5h=WVU7kF<Qxl|T4r)UDTbvX{_Xc?kr)r3rusL8PcwYmJcURs3||(|r2oP2
zMeX~8!k2@3Is4^c+yz3&!SH3AUfv5|rs`!=_%cH;%fpvBdRf8?o1P(=Zz8!kKM(wq
z*q9ilMv-+B0s?qSwd52h0@2+HU-&0sxng1>^=LpfO56(fhH$)Z16&Y+n7V`YYqk;z
z;@Xmrq8Xg<cae_|6MlGE)Qk_|xVrKdYF0H)2;KQiiIB_9qsQJFxnT`pSkb3K)-T7<
z@wWSNau!uCgQ3h1({W2--_<)h)`|%JM-<f4I6oOaP4#E#sqcs%c)*Mpg!CD4=huP}
z|E$l5i+e|`(RMv&MmxS2_Q^fnP3-CJ(>!S=uFjccFfc<H;3C8j<zjBX1c2T~te!?r
z+#94%_4o0lMnKA&ASGzS$bB=+HDm|)_(c{U;e8uSc-7v~$(JPd%aYF(J|KB{121UN
z(dtj@Az3nTN^0uhvZA)=cVa3wrmki=$SlKpMHni&w7l7{>p~+_&pOQm*d%(wO3k{`
z)K_wy<`OHnyre8O_7c(A(uc_Eyws`MZ>g&#yqOPV{E-L4v5jZw?(U71H{_IWR*|2m
zEps_VXGL9)KlzA6>RGEf4}S8w&?|;<6W)4?D@x9VkqXXNGKEG{0+12|h{dJERy}Ye
zP>!36;RX1*5W^KZsnh5)Rx`_EU+MqU=zq{?h{vldT|p<!ujkto0jBrROYi<Oz%bL(
zKSPXO_nbvJP-mZjgg*Mqti2<0bpha;niJusMpwL+5z51c^<d)0gCs{^I?cZ|xR9-!
zqAOiCMym&DYBbv%1#lfBcL$&H`va&@`0uLn#<aqVDo^D`s|!u@P>WO5MbOlxdes+U
zFLo-sh=+QM!ndZTUDI8fnwiVB;YEjMUaZ^GDwzlFrP-8Ko0=_Z^-ol#`TA&AclrDH
zYsI-)xJH~1O|Ix%^au5^Hh!Oqp~hzG6Ryqmzm@;e%~xoDR99xD6Gf*gGPB<0W5PKR
zF6C*qxR9$_H&zinF9t9MQ$c;AXiM}Za~+rWMWo+uzbwH7&1y85@(%Vve%Oz}M2Lk^
zY-5CldBATk5AXn<a-wt7TmcZRo<q72QzO-Zj|*IkI+!8t_LLhSp_GWB7sZ6_by@%Z
zvLd_;Um{5mD+aytrksjBQ_!oImldsv{vaJo>$j?fBBkEJIi=8BoKwHbXUxFs%dB-%
zidrlDSv$?Z+l^sC>%(i#6e5Sb*382|)3e_R5R`d`G_${OmWsWFH*`UQUVB(#u_?hi
z%UMFcBovP-x`xMFQ_p3mH8YiWE_dgmi0<1{WnuEV%tSip@{hQ3_5Bv1sV=jXSMRM^
zyA7}>GhgIY+~ptAw++$#9ero%KU%XQAA7^8VPY%Mm;TC&NT1_JJO>?pX%l*esv&8)
z0J53rF5Ea`T<`sh>;ugDI&aF0VUG{<6}htmp5B%y@}JyXnkwa{g*{F)*IPF`mbJ87
zQ{}Do$1|`*^3pm!ZboS3XqZ*PyUQZw4W)Q@MWSzB`bQq8dv{$FedE&K^H_V=C8bGX
zB)q$ZD`po#cGpNf!1nGcRLtmz%97lXl_i&qY%YoBdv}c$W>~lE%>pm?X!S4hL?~Hb
zb=loAkFsB5zI8`?ePYa>vedtvEv@Pv5Pk77CZMdSEBc*_c+fal$bUbM$6Ut2C01r1
zP-YRj^ev0Qn(=jhXZoD7)H81f?X6(0OnYe_{@eCOs=ef;Kl-OUeYbEz)!Dp6s>JF=
zPc<0{Zz|@SOK0&o-J4oank4WpKuF0Y;Nrv4>TR%+s<T)Qn|Nq08P+dzG^7;fXN%@1
z`r>CvVUD8Tu|s(N;XKWrWZ)UAZhPk`dFfRo1haIx0pqTr%+hckYwwDNvjkwlERE3Q
z6nJ-y%HVAp+Sz~utwC_;i^K+w-|_I@(o22-$D9Ywg9A*xsFVPbDjq|6`4=AlM|u%#
zqL)$7iUrM#qK&bcHGq({8$7(&Ky``0Gk`|^C-@$^#o+1SS1yEamr?@w-s3TZZwrtA
z&+rK*0V?3e>tQqyj|1XdAjWES*Tl?7fC}`BhkqY{`Bj-fG_UvY@ZaKdp=01J{yTU-
z(+lslz3_hG|0BGDQGg3rR}T{yK`|r9V+6${mSw&Kn7#b#g4MZ?7+1q*A>!Q3H53iy
z3h()uD|_D!FCso8;BOq;%U@u*zPZYG9{DIP5`Rdh8$(f8Ka~4@;|T+K-^(B$LH2P!
z{6NgrsizMnW}OQJ{uh*-;wlX`ZhWX=4SW&>3{%b?)*al<{}AEAT*i-oZ?xt=NeGyC
z&AQ<6A|$<pkrDLz06;zM-I^-Dj=B1BZlY*g^u^c6p4eS}dFGcY7s&gGG$#3&C^{0Y
zdPxsxV$nD9aLMLQu}M~$S64QMh{EQov;7bhrB&x*6;Bar^Tc8<O3hh12hOc;&t6_^
zf<<Z+V2t86Y_SYzQf>3YjCN&Y<#}IE@DL9FUP5>oow<xwa&no3TIZ^)y?~BC60QC*
zt?+bJ#W+A1t1pD+EFBPn@Y9<G0@s@o2cCHj-Wtf!Ws;+v)zrEsS}k)bPuFs~0Csqq
z6kMWT`D`?|B2smBNVK|<A~pM<D89}-QydzFsOE7V7>!1Ht?7m@WRm18t6YNQl{}BW
zaqF<f7gM)+(lD;-#12p4GB3Xn>wVNecawo_ZS)P^%HXS&Cvz*Vt~#4rF&c0$SzJIx
zVQZ5q7p-0gKMTH#pvlV+#M51QGQXl9Y`c6-<;i~0ntSLIPF!A>xt%BAhbhNR+OTNN
zL<7*I+~!G9;K{ux_3(k>&pvudwB}Ya43tZc1Q7ZU1wGc-<N(U>;^-UZD<NeeB&cEC
z=BOo{CwhX=-X^u`?BHmP0dy{iyo2C;LHTSn52fE^4~^FRQMI3>>2UoR{rFv0*Wc+6
zX6F`sFxAhwT|{KUxBR2GnP(|yz8^emZ|}boJkQf}Tku?~=SK7V><s@e!NcADe+3W4
z{_lc^(f+*Pq2S)kk9i9CGG__{sE?~R8Vfe}oALSX_(i`oKHmd2KKGfHl7bIzoiPrd
z@1lE#ooFc;VGpkBZYddg(WQ4k%w;UU{r<^^xQyl1+fOa^-t?*8K=rThiu^OxYyR-{
zzfk?jBacs{`e%>b{%=%&;S0k)PxaXk_xl;uU*BAHCDlK)ddIzC^)TMzbQo`;L&V8L
z+~m{4lQ$(FAL%A1k4oM));M=3?;OWh;^i~WzMz&OBk=WJ&2DW8F5`HE^FRE+<uQdD
zO!E1B-q+$@K9GIg?BwL}6r7WMel!l^xMpy6jwd0$<<VAH&pdBh;j1LPmYh7nI~`q#
z3&Ja8xP^0*lP8wp_?*0RIA8Qm-iGQlzA%bI;X@o2)64?Oyd1}Sic=#BjfyAl9m3K0
zivDVTFOEbW?n&|ha+CKL$XR?^;hFUE!PM-+-G{?z`LeW;Inq1j#tx<H2iTkeSLeQb
z&3A8!<L-oOta_Jc3ssNC&e{8|W)J7L;a7Ou(yc>{_r%*a?j*Q^q?-q+!N2KMt^twb
zSCtpyzrq>wTcrDuHPn@(7U%b|Iu8D?`B(S)Z{nPoUfbWQH#zCGg9T+vx@CZ!_PV?i
zb}Q|!&4o$q@J`~)zIJG8Y%U)2C+rpJ7P{MPpNeqoyghazwmCx06LGs4PqRH%nn|GR
zn4exTSo3wz?!rCfqP3^%{)DeTK4$&#Ddx$-$)|n*j%j$l+imz1##UHe_}8z<RbM0X
z0DVQeeh@#0BP-n47F_o5mK*<XZ~rNS>wvt4TC92-XU|pr<%8dXn^V7g>+dYWEgt_8
zijV^Upn<2x0i4q-6;I7oxi+q9q;GI7JRw#Mb*$5IZzu0@Z>xhNL%MMghv@y~2kEVH
zBDjc9c$E{|fTvu9$Gte6xK^87-_#-@0Dz%4+?Tdeb1+UIrYU@*n+D*g3}sGAO)S9a
z&N`>#d0cIV#&H(l#5~qWnL*}dBVJb2B!B@_#Br^S&_5oO#!tM~3`-7C0xfnT9^2rg
z=8ryf(V=_rDU_E%>tNH$F$)h2^@`sX{!q{L%b~(hQ7ZmDsj)@IB^D=K9MtftptZU|
zyZ~A}g3n!BJhCGWk}SE-I^I5pg+XO@EQ1GvI>s3)^~#m6e&^;N$j!}^V7!c+vN-J0
zv1`kTOQTE;xgqfA5&)@@(2RV(aFbxbxF!Hz9Jex6J%+;<o<xz|xCzNEPdKpTn7%N!
zg-8JUCFbBm8}A?aIzBT&Hi>i#09)<$pj)09Imk^74|4Q2)J=_qYk=yrc5BcvcmeHa
zoCvWQ8h{&X$92Vx;Bxy8E_09*<t=&VE^=cXwx62&>6d>$po8U@UNhLWcd3|Ygpuxo
zEK>QO77gL!i08AY=!|{XTjRu5u_zq~^ssj>vPKT35lX*fZKB;dar+$$|2|<FPsh~!
zPgwU>U2J#Yx@3AcGhm1pH<%5EAnA;zkEYy9b3_4+gBYl{hexZ9LCU-OeM7594G7Tc
z(by@uh2h)tiiJlJ6TT5biZwZ@S4J+au?xX89@+Fa7`Gg;s~zc;{UK(Xfi{>98V1-M
zsr&lncpKH1?`^cU)0Gg3FCe`gWn~1jz>+ws)zQl8uzVba=HXqeu!)A)X$6Zke0#_j
zJwRL^!$-k{xX>2_u3(pR1Ejija%$u!Sq<tL2l<sl<+TGhx1hPEK@7~i<KDEYKWjt|
zu@SkXzv@_9y$1Y>aNH#1f*_nr%fGzzNpfCuVz`l!wcaf3RT`%o>zoXWIQO61D&<S%
z;mx*5(}+(c&PFAv;n(8DOF>rWN>(Q>YkOT>E5S7{T8NRorrsGRhHn&nVO!kVCU<EI
zr!P&86N6O6a_~Dkr8XcFSYf)Au{N5gIy!4CN#%bePHC7tox$Pf!e~gq>rb7rD)hQH
zwd981_J8MR@d)iU#tE8%twiv3TaQZ=5cZE-w23<~91C{4o~0{X%I6)<0SH!CJocW$
zwo|@I@(RSW(%WI-8rRAs;;rQypQ%CS;g}nF-;J>Xjf>XHE|du5cAMgta4?%axct!1
z#3PJjW`FyHwbu3YPGf`VQj9!q<D!N)+YlUqd=@ob!pEH$?r<%n5H%368sjS!@#C?B
zFdVTvnEv*3Lll<dolK{P;#_zdma~Lwdgi1%2iYqP8zIDy(4qn9hG7b$>P{cXvrl_(
z*)7&eA|n=Fk$&W7+)#f2Ct4($-A;G|66pXk&4?J9dWA?W+};S=7;+Os!V41FmR>V7
z9;?R_i!oYjkZSfh+KAxTy4#Jsg%md7LFwkGwH6mXoco;go<Zs6p~PmeNg|NMTc6&a
zCtrC>L0-%X;*3<D8itXKQ=7ak_s8XK*6kg_)$g(wOO_G}avYIwr>*w%n*O-U4V72w
zaTmX=d9WBlt-Qn12R5aK+X_ZI31=aS!MGI0x(!>|Adj!+$T>VcBj=0*o3$qJ&07Kb
z*U1kW6s7BjA!_3&7$6jvxOLu^xYZ8frR$?0W~fPFNc<9Q6em`~2FB`w=AWmdgy+O@
z<c;mbxfg-G2j=17ocS)VP&khH?;<qPY53A|#UtSXoXUs8hc81d82bt`2=z&);r2YA
zbfhm(;G`2f<i^r&WVzKYcfu6|<f&{P>xbdQZPU-mIKJAP=Q9jy8%NCfLeQ(OMJ{Y1
zgiue6L-A1x{0Ni}=G~R&-u$7fel?_!E@JS1=AX6L0#9!8eAc90&rjU|xT}~d0YPFt
zMz*XD9H42IrFd5Ub`i)O&+-#aY^~U;!DlV*R#tu7$Q-8KH&0C<Tu%n!E_C;rlimk~
zfQ`0v9US3o+(YGPiMlo($~<XwU2#e2xc9!o1?+ti<gq4&sys0^bG3ZU=f}lw*TyXz
zkl}t*Tg{ZvPg5ZI{CH|CUQiAZeywn?H9+1B9<2k&c0IO6+N8M{=f>GCuE-X3&l!N5
zhtU{o_ZSHRx>i8Xbs+0FbStDZMdKD_5$bw@F){=M{Q<ZlxakHcsR^JwZUgkI<9}aW
z{yC|A3!E7FaLRp7tT}EmfHUwrSRpDCPvX0~OHvQr2<jOI(Ku2BVEMavQ7`P1HC^WE
zE&TbxeLQkPfi?J09*A4$3J5}A_h8FBH4Tf~dQyqm!n(W|Uj}oMf%8qM4ox>h_>DAw
zRK;-V-A@NcfzJ3RpCPE`>UVy(;65q%wa8F36R~bsFOf_<d;6sVG3B^$tII*?J3LQH
zjU691!($W(lQR}hn5)zaATg+T1e}4UrZ_0Up*&)|sTai=D~{FPK1P93sRz*yu<Uix
zd-He_=nL@3TnKRpZp{YL&fY8k-USR2=;>fJ5myFCZ!gmM7>e+yEwv|~)?Q_HY&GyO
zXEEdpOdVD&aTGjB95qc&xmQDc_$~{bxl)<9oSt`yBPnXUoQ+40;qxCyNC43s0>X?N
ztK<r#FS!D5hvONMB6{~-ZdO|akhMU}*z^>)I-s9$RJDwdw%<qNa4bI%n*fE(X-zG;
z<_n*{>1A!z5NZO8;KkTJ$%(h%?s#+a+XCLtpi_^Mqb^j>{P7e>H@tQY3MIICIx4{}
zeNRxlBC%<mk!%3xUHrCy@)ilGv=7QnD9dcg9>&F>h62BK3AWUl*&v)JQE7{4g8FOi
zw}^Y_|BYt*HM6gbA>Mp@Z9KMv_{e71yM2tG<^eYI{J!FccMHeJMeBq@0&!X%q+cX2
z@)s%GB&Xte)>-+I2U2Q4x_OupQIdJ*SfUG|>sMeQbgws8k_)sN$QLpS&<YS;iqF(!
z+s&!jMXevtTcBOA8xsijCJP%M8vrQ-lHZasV&$-5p8#Q8kP+Un5sDEPAl%f^YP059
zlG~3RAbyF?QNV~qklbEAK(Q<7^e{;&xQBg+^|c6wJ&(WnY#*D40<wXB5xheKI$<5s
zrgM#lm;6bT?3NeqSq9%Al0&l1P6L4C!(ldzHhTgi63wP>1)^Kwi$-j3ghzP$iDf)s
zbZp7)$O-y>&00(32$ctT?W#M>Uf~@=px7(eR?Nv`*U#Sq#0YU}BuMcP$aCNblCAr#
z6^LRZl!!G+RS!Hect<n#f;tz4Mi8HpKs0g$McxP!B1)__#Dvv|yiTteD$PH35^-%K
z-Hoh{sH?fwCN|?M@LpXpfJLL7Z+cIj-NwFP35(`6{%Y})tse?(2G}L(%pjXv_+^wO
zir2>+(8w14gC+m^+l_7v0^e;Un|AWt&tL*6k$;k)yJ4X0=1E0%NlROcfJ086AOsB>
zl#G^ClZ<9Z&&G@pDOjwEbUU#VMn<2s+O0G+`Lf~1Ygz6TYcYTWF$&-TR!tW`&*g76
z@lw(&m}&(qLLn-krU9Q#9TbgIx_s(y`uu}3mEdeI*?fXwIbcQj#A*Pm&q`;c7~1U`
zxxyorp@QHA38%=tdY0oRnFj)?Y>~SSdj<~rYlK_j#UsFTKOmX_&qiQ;nLn0Eb5ud4
z%sA}58CGqiAJ39&1WT+19MByET@d}*@9Sg649BvwDvmH?-xqr;l*SUp68<m?ID!Oy
z9a;qs1l(E2j7SC_3W_~oz+p{dtPx;qoX938c03*^aIL1p4kM?wiJ3A4ipho)z>k2o
z*rs*mDfSKU;Y}tVgTnrx!A({Jkf0KBaYgFYku`(f{5TPBu`UmdnNT=lUfJPUjb0av
z-tIu3)(+2A<f8Z`8y4+H7`EB^AZ}=tea{BiC%akpA;Q)w$09O-5EH6wkd~WX1(@uW
zHUuJzr=yPbwv12!I)_%G=>`Bb>4xRgB%+Ae74~wnRyEkC5xdt-h<*4|QX4kJh-_(K
zUw0(E5-m=pX+(Xn1+%n28|pO~bwL|6%w%Am0IjA$>=k7*+ZSnyZG@Y~*)&@0ZySdx
zI0Pa1p3xP~m_n<KQbzh&;!|B1!4ion30PgffFwr39}%;UtrQUxvP4g(;}*L-MnA2v
z14C57nQx4p5(-qR4l<Fh+5?~nHJEgXSDu*D^<t=#Q^POgWW~gfumxkgWV3N@bRslK
z!;Mbt9Wj>(&maiRvdb7d(BxYO7){<J87ajRl5!PnIqJY8VX-U?lPIc?KsMywVQ)0@
zz}xBCq-`L^)iJ6`fBP_7;pinpC)|NJFq5}xFamCYg1P3J*s`6Z%2b1%rciWVWlw{Q
z>4v#~hu}KRg{l6IB&ea6-5`ivsssfOv3HzU9R?-Dr34FseDFM@DZtx60PlNH7FZ~-
ztrJoiSb)efu^7~KHXsD-qwQv(#1#grQ)r2X1G|OqFoOQmo*MKuu`e+^Vx!s+xYQQI
zMcrbnL~rcsV8mtxf_uZHkt|3vf}*s^h;)N#J;dO79dWc|i$Gs^TdlNL>F8_J3fkof
zB^b?^sD6dh&6Tp;sw)O0BH4#9A7<Y~)De9Vt%)8ed0bCSzu6D5Wm?`pRuAY!e;M@8
zXlQJQ5GKSeFGs~h*?F$;<)ENOm4@uKiPG-MAfCPsiI|pyBki;#vCa0%?5ZLJt5bq-
zX#z(N#Up0dG<$Mtq9vsQDr46M&1CYB)=bwhfP#pSX3R#MhrEY0W@!d`T*ZLc5_&6m
zH<4_IjT~~Vosx<xVq1u~8}zB=^|RPdvOjbX(-6-qW)zrrF>c8GtKFvd-~?i^Ed{F!
z3E_f<QsXa)i!VV$#L+{V+Bahj!fL{T(JDk-HNcArI6o4PoR*3V$Q0w9<rt5hCcqh^
zQpAKIzbt*9T_kH4&}VB+aE*jwl+}HDC>vhkM$!0Nh+sE+-nWBS6O&ew8j|nE4%=KE
zQ9ZO~?2|t*3NhLXTpfzqYDR^{@|d{1Hp+UE?$5B0YpY2nPET8Cqm83E%ko(GK?Y+C
zoU6GhCeWtYN1fG*b|S><4>L`1I|4jxwdRbm2SMAf1nOv0aDj=nkxjq`mb!^9JOM(X
zGdA{My-C|t*(E$;@6ZQ!vLeyX?JcOv?Bz%Q%3t<tZD(FZE_RW}QsLekJxGN%Y352B
zP9K!KmNm2%(DVDl?B|&j$Wx2x6f%)rK}6#~_vF=OM;1HfL{NDYn$EVMp4+ZA%1qNV
z%sz`MfW~?j-H#=0ZDj-<Kp?9(xZB67@U`tVIt}5ib*Z^G+&cX-wCD!J8j^~o@EQ$*
zzXo`!M^tx%-6E02)B05YXQ3M<5^voC)#&Q+^;q2+2H8BVbR+APxzdfTkFAYtx84H2
zCB&1i$3)|G@Pna&#l2NguTT!!Im`J~6ze(s&6PfmF480!t38c&K#~T`y?Mo^3{mVb
zm!@#GvG9r+$y?FA?ql~%WH*SzEe}a8<r{r~D+C7EK7qf638h9_e0z#V2z{%kC{eYV
zk(!9wxryjunAaxM^w^5XVXlDj4sq-v?RU9^0QV_PD}2pnjT&8+OC+pqkhixUu;0Om
z=CvZ&*UN0yVPNDYh%SuSsEZ?i^ZCbG0CBdUW)s&aZLtFojm`p=-vvzO1l14_&9y1Z
zbJ6Fu?T4xj%Yheh4gk^hT6DMsWR0=tWZc*$H?ju1knB)cjbJk?2Dlg|6oa|k<pLrQ
zQ;Vp28MaOn0jJax%&e6(D9~{FRyQ?-a63q)Bi6xH3j;so{{S}9!BAK@Af63{fUgTA
zDNKfKONTh22EeYy#}WlCO6HQsyRqEq$c(axFDTI1rL?CpY&t>-ZGE(};nsw-*k!Bq
zUQ@go)4s&k{ybeUP_L~7@t9oJv=hbQ6^&}PlpZu4W6|fSSq2!h!DT($yX=n1slrcV
z=vUeK42wa1ys-aIz!RHkO~xvXr;Wi$XP3f`v52wg1a3_(I%ysddut%{HJA!zdR!51
zEA~ggK6JA`#)(75iEw!g9BHTEwbBB2X9zC0hcNPkKnzQhlwvb?kSB0o$CFHB{vb?1
zcAc=4%Fh+P+hS1n+`O9WhH<PwtgD#uK_;AKiNsuKh^Nlbw*j*OZM^Ol>IS6(DVv(s
zFNd{-Rgc5amGQ_*#bje4#h`?VUdsRec%(y27-f+?c^Zq9b<pVG2aLv#4tF4rwHT`C
z9o&Q9ZN+pVTLM)7s_?f!bBxt{J)A>Z^wV&e*m}M^jj3b35IZ=v@RKv<{d0kg3P7{L
zwSWdesv{5dWgy}O>$y?7JG8zhrOGeQ3DkP1C{*ylRwrp_b;dHn^XfQTc4e=|W~T!X
z9^dEA3lvq@N5e3elMq6i1@u0nJ7DD_0$2ADFaUmE(+L9B9S%GI9oUFM?u11edlE-n
zIxl&fua)Uat;;@;e)U7*GmBzJbXEZ*r-PfrBz+kwC#kR#D5jpF?8St)9;NfcVxTBI
zD(_<c&4S+KL{JJf9+`HSj0n$Xjq;8lUM*X@G*`v5Qx)hDI`(^jjH+)yuSMXP6J0FG
zI!)QA<CyjK5v~lmX5eGjUlChrueVNnh?oATii0^Fklttn3Cg08Kc{X<O}qq-AA1{(
zpvV|@m!l3KNHOd#XIqA0_g!>jqf_pT$LgKP7IR_}T#hxHLs1k>&JRR6Xf)V{bc+%u
z2K34^aqEoK_jj-p4bkOkQeja%jR9~K2|B3}%V8T}uM$_nFm%FRi<$l-Wit~WcVj0w
z=|BNo-XGd9irpb38}DrN+9h$`HZs2*DWfxIl?-e<Q2SbLvk4d_Pn+YBb|;p0P*#{W
z6P!JtZIM~5vVSAEv4dj;ker{Jnsy^%k(-j(Mtdu{JPDnb?Fd#AoyJ()jU^!&tLFl@
zKP_1>9%itzKVn^ivBBB|sG%@Kn!B-;y5M0=aM)qB$?mdN(wyJ7kmVd*BOPTgc^UQm
z2x4ZX#EiW~#~r)Uoq23DB~agUEoAFZ*vA}OIa01Ml<;_*16eUU9b%+rf9Q`xMizO^
zv3e=u_F?=14$BJ0nT8nW0BPbftgxa^%20$Q8Ac|}+gdO2w}!p2#E999zY-j2oYZze
zEWijrtT>1uCj9`gyv*MMbn~cWNN@mPtPMIm5FbPYfEJX^g~LAg`;ObRw~-%#F@cEn
zgB5e5!4{dAD9^db0Mt{HuMxS{VRqe^Cs1&>i-Dd3<G=-0lI1S`575~>gq&0~a0|q1
zgh+5;THq{0MhMv_fcX{v77A{O3d8Ei4-F43T+tBpi+){j`-)fYWxx4y9IW78j0$Eq
z%RmBfaSIj>7eOL2L_NvufHjHBtni^wx3ZA{z04%2YEqB;7)t<{!xY3Al_gl&=g}Zf
zb!>Ia_HnMzuKNwxn9VZ=U3O_kx&eB~j#VZ=3I>sb219BFv4`-%PB}TXaNLn6KJ{>%
z`(<o)!sMaYONt|Q^u$tP@7ijBuM?}zRXYTKWBF;}s1jvRf}fG=M2^W=s{@c8v&n0i
zO{jpnpiCj%n0?HPG5Y{JR?4Ox3l@;8l@>sSo0}t%m+6D89hMyphTh`Ac?_pNtKsdO
zBi*q7JKrzIHo(;@tThB9E$Vt6vtwZd4MqqeM|6Xb4p*AAt$~RS1v(waA~3X>*{b8)
zNP`ZiBS(xr6#qZ$y?cCJRhj>vv}v0{VIQyq0jmU!nks5SQ4?Dvr%C8OC6Pe6Q~~YC
zh@BbK0_V`8Ai;Ce=D0ah1qM_`>!2eupfcaVT5fI9(56Mv(sGkqL%DRHriB7R(?aR*
z{dv|tmzLrnGxL3Y|M*4eS$plZpY^Qgwx0E@8zGI#0UJ)ZsTldgsN)T|V)99Q=@k$h
zLeq6OS<vOrax~~L%;k6<pH#CMTQ${?WsNw8(yVD50ps_5{oJ1~pgTAko@l`h;UzG}
z$ESlpesKJ^n~T91=~2U&ZdRu#fpI^UTq}?e8%wQhAOC3l==JSKKiNK>V<)%ZT0u=h
zeUR%9NDV<QQmYx8DOwfbePs#n-by;>-8N|0W(jyIkD3w?dt2oyZXMp<p1X4L#06_I
z^idiLF=4@cF=Jd!K59^_6lnKHl435BM1}E|+SP_tk*q*^21Bf;L0|OnMEm#$>6qKc
zzv5)z7W?AOh)13oUubL+5&TNU+lCZlQ5{2a=q%`Fl`t(-`FQr_#^2G~eW-fW;FU+y
z^U>RBih_9oehzFLG(S#@jn-6ZG{O`HVgaHGyW#xYr{N084Q=BYsXW#;-p*}VTsff9
z@*obj8Rf9?5xGZLW1Rb8ynJG!$ip>^UwGVhfCbp-yYFj!0%ERdT$j7yW4rb&UyPH-
zxJq*nYt)iHh5gVJn~q>K!u%YT*v{wT$fp6^H4e5TD0l#ek7R#0{xy2F2%}qdyyw%E
ztEpP^SaOoYYf{@ro5RK&Bh7f4DMPtri-i!s*W*_~Gh8bze_)h5fL-8p#G_focEi!b
z=Xd>#1qL9dQ3x>y{Sx|pMbi;~BKFa^Ci|kW!w--$v6SXdJb)ex1kfHrbB<oORsIQ?
zm4^k%Ry&eycY#e5=vE^eUBH+fH||`n<vw7>=$dIAc~INrFUpm~gQWDbMi%@KKw}Ms
z1)iU;TxX{D6^7_-x#Q}II1mt!x5@8;xJKCr8&?ttXw>n0ga9gE(y5E|>nIYdAnt2q
z%Ig3^_OEcb*>LuiqwhQVHIUA3gWUIxt9&%8w7C@9MmOs08qQ(d)|R{FBQGtufDz==
z03E>4GkdsML2Y#yqNfIRn%Vlj(_A~p3-gNP6H|qVNS4if;gg}(_l!F+cT7Dbw0PqK
zN2}OD1g^F#Zir()qyQ*J{_MKfHF#{V3{5PvzvK1L_zk=akA4}VZ5=;cIY6mr{Gh5X
z+chEU$J#0fG%Yu8BIn1nWm{_6vi_vDY*%etb~b0bly4QW{rlP^^MC97m<P40`L91e
zrv4qBA46sPJ3j_-`Tx(4VFkJO|JM02tflY$tIm(Pqng#u?$C_?H_wmZaG9fe+qsRc
z^}W6Ae-pG$vcqK#BhlM_I4|Gd+g`)V_w}|P5wzCY%Ogqjw!b?_Yb7^J*55<15B0WB
zqSyy}+uy@gc~<PbBzoJALYZ|yjqNrl?KfdP`v#7w*e(cb_c^X6bs-1WxaHy6(yR61
zY_hcl;v86GE5tdl#+Hb;)wwm|+~s78#M|m@l{lMsvscy$z49Y%mgzVbccje|+Ff+T
zJ*wWFjIJ7OJv%kpf_7@O746h$OWLW?*0fWjEo!GmTh&gDTGl>%<=*=NPoI^@uJg06
zX@8q8MCCF79g*`%wpDO|%-nsC$eH`L&yKkXlsO{jR`+B3__OIg_q4|SXfpss9&tZI
z{3PqR-`F@1os%;+Iw!}Vu{E=!x$nYfdbaI#E==-NPKGg>v^tWsI*PP9g0wn%v^sLM
zI%>4KHU2k?^nP~Z9WDHZEjlO09S#FTTlU}T*xKs2+Ul6v>Ui4fSla41+G-3PzNJHV
z_-qRA5#u0WdUs`shMh<Bad|2<EFQrVPY+c=Qaf#kt*4Vn*Yh9Sq4qg(=pB(W|10)w
z?9J~toyT($`y0#7<I#P3>c8xE2%UPyk@de2mAKH^>-n*f>p7ob&fT>l+3|?#Ud(u>
zgyYN~HL)#w<6bQJC09AHbIM&mAO6Ii*s!@VyvOmXwy?bvz3t|EnCY;aL^}Klh4#hn
z9SKVQ9PPx>eFniI;Wt>m$Ap6t*aPy;cA5CO`E#=d(nK(SH&<3zJ@0hi$?z}t=6CTt
zh3I@DX2{$TMKUQmgy=OHo4t=HY61zP_~vk1nf=jm2i(8pYv1<_+vHYtA3)ePeZPOl
z&HwKH*k|VN*yQ(b8O7xlr}~wBiOFm>8(}y5k!Dh+kK(Dy_uAHJGq&G+nD^~7^`Z#C
z&#pNg2(#K7AJZX7_iyoYlTHOejs&8v#hfIkWA5UWiFE(yc5mq^dlKn^(Wp)p?&_wh
zmcDJH(wiDMqt9FV%f80;ig@qb*R!koheq}9u1XJ0tK8zByWU&+efO$sH}Mm1>B|0*
zvGMe#6DrsF*LzF5-Mf}Ic=K(gJDMMh_qObrpXq4+)5R_1QuhFs=ug>|^Jn)DRrPHd
z6<^&l>iG0f13)4G#X4Fl6S<br@m|g=YT?L&<3%90%4f&MIln-6ZMhTWpvLHY-qf{Q
zL={kPX`&MN00ndrV2ni}PmSu|Rh52fS|#^Ae@{4;A>PILf3DKuEB)+Y%N{~>b=Xx#
zU^(mo?)@2xpFT?``&2MYWhZ>@6!yk%tsZV$9Pb`E-phQAS2`o0_jnSCb06`R{-}jo
zx?j88%Y2wD&O036{n`oMLfzw%$im@%0Q6NRn%7)(Y-e^|M{f2W$9SDR&^BsM@&EuI
z<Yk_qN>T@;uH&odiwpnI*w-nv)JdF_t4jF6!G5l-Vw|7uuku+8z~N}#qE>41mX1mg
z;9CpIbXoB`*sWbL?Vyy-tB^ExG_Op4oifu7N^YNaKyoXr5Y|Z2G}v~{K>t%?IY3Xi
zwoiU^e19U%Ry<-+Yuh;@YXzh3Fcwems_Y%@Wu6AGGOEcK)!WM11G;Ekb@ZMzik+3C
zsVa4??W>*qny#ICuNw*sEbg8*>Hsfu6f}=7)6Pm}T?o>#%W6dhsBj(AYh&10%eZ0L
z1C%j;qnlzC=~b0%Bb@)~J6m{&FFT%p^E$<?^nI=S{?2{A2b)p(Hz;|#zPUsHsJ0<I
zKx)fT+G?_cAGwSL!83`-YYU<Fh~`)FZOPv`eb(&|+MV!Wx82jaE4D7i-mQ2y`M4jw
zdOw({yHeEWZ}@1V!?`bgpqr=cX;=1Uue`07m$~B(_1XtvVr3(npZqI!Ru~J{r8e9#
z=cO-Ktmx$*lfmVJ9NF(ITWTr{lGnZ(f>$-J@tYs!R`b-etH*p{Y+c2<tH<2&%KM{p
zd{*eV0JE3bk&k4oR{#2-Ez`^VT19qcdi%NkyO@T)A49R0JqhCpa1$r8ymjRDwNecB
zXi8|;xbgQ>DmQUF8`?B8ziS-3vAm`08`t$NT=K5-P_dTYTbGO?p_3%8ctfp8^|l4q
z)b-KWw&2RTTli%fFvzgVjh^BzmNAm?YJQ^H9qC_?$%r;=2B}V*yMge!|M%;!=<e?B
zf9)uYW^G&Lqf|WkQ6@N_uAaOhKKZffxk+f?24;`0>GjXuz|Akw2fL4oQ$`=TZ?<3n
zpRJz!;N)S7F~K>CZB3_L(@Thb_fh?uVjOT!e)REMd_`n$idD0&P>I8;a%DMElOJ(3
z?jNcl97x<RJCI%3KTu8lFV=rACv~o_%wDnNjW1VZf3RfNm!a<umb}Wt_m;qKQ)x%L
z<fWK~AB(baZ~2DS+@yDFGVjs;5wNXJ54~IAjmP?*j=?6*gNH|tP$9wJl>qn7tLR@@
z4aft}gU$VGs>vID9`<3O7}UQq#;bAX>7=6`U75w&|HjAoUtj)<NWIAmPPK&E6tMh!
z3>~vm8;rSj)BE*x=I6-Q6}$Q*Wf{4vSL`w&&gf*%D|U7B@3J94CTX>fUp#N|;5c1K
z<>yY0^>5)^XiUS&)zXjYn8AgWC$e#P;i&#0X!TUAZTuRZCoFWo9SeywJypZQ^la4?
zbZC`r%`4}x3C5*I*v-5R5lW97>}9qBJw0+j@+*M0DhqmZS{=@#T~EpZKjA0Xo69u%
zq`@(RPrY9#b3Bk<5)rSC+SAhj;)CNR@Gjp$()rzk;|^BF)B>HBOI72`q^r*VIb}kC
zsb5_+<;2%vCfs?$Te?DAY*a+>g_`K8e{-yH#9O+n_*moK$Jm(6CTshme{(gNl~dw>
z&c>^z#7DC6YWN$Uz%eeV>tNQqLBi@^aVgb1{DM;^mDgYEEqxL(N(%wBIIcN@um;uc
zHo@v2ijhl!m1S8-ZB#HO8&LM9nm5Ad8N(+8pDFRJTD?Ru@M0pZ2-;ivI3H%M-YN0z
z^c|EbR{K;<J0U)AX`uHY0cWd~1NeB%+B?zOD|wDj@|$;fJ@2QnwE07btK`MCySuF2
z6U*BTng18sz17;i-P#RLCK!$};W*K7)ING}Oyd+5>{&rM&PK)x%F$x!ZsaIA*3@Ib
zX@xdHb6QEv9bR_DR(DR&3=V499A*$$sq4#p6-?uzTOFB@JB!iBM{*PICbObF*SQDh
zts^(_d-34VM0!gsJ1Z6sPMw&YHIbj1>@3a^IdxKd&)V#)N#1uk2(Ut)NOq&iEk{iU
z6C1px_d3G;RE%K>@|GAp#mIY0|4lhKS^AkCO!&DB*pvysl+p5*-mF|bVb7*axYq31
zgilEg{PY{K)X)6%U@VcA|B$atT@%lp{)T)79X;FsR8^w#cZtdOf^$6kE-<W$XJ=LM
zTg`7Zzf9ZCnt(YHHQZ>1u?!;&)5EnU4vae@Mb){7ye;+DZoGECx%q2mbp&Tt2h*#9
zj|WG_gT#dRl<8IRDMxnZX2w+Cl$jIm-yNTFYIV=6%x8E#-E5I(eA*s-Ddv6mRjO~x
zo%2SgF5G-V9&V!l=`o#^zjJ!WEU35iHE-!)|MNA$w7W$emVr%~_8UhaO)1pq2?DW2
zhx3iSrLXE4%a0%XYH-|d^hsMIt0x~I!do+a%5gu}r_8F;>&B;CSVe9un2<BNAJ-#5
zC>T55wp&r)pii5;rT3f|)ERS5oKk1pVTz!A%9pD9hvDNxZBy#((<u}FS<v}ft(Irk
zzbz)t0oLjKwkZ>Ogq?v=|Fj*HAI5kDldd%!CiNJ8Q$CMoGdHqH%_R>2nlahJ;l@&V
zW$`uNt`4et?8B;S^&#`4Q>IS@C8G>^q72fv7MV+=SJonQQ^@68=<`4@(JGxjWn$DO
z@o5BeD!ie?Hcc09hprHSx?Y_!v4BZ|WE1XIt=`ht4Tiu@nfZEq@V+U$pz0|Tj2E5F
z8@!$dgox|oby@hBL?z3c#9Fr0m9dugm3Rx+wVVYC!@vKU$?(f4pgVM?TmWCUfc4rb
zMV_vYP_}X)3SZa5s1qX^oH%8o@s2eij;HNYPN|OgN$Wu)7N3%s&{ibD_K2@A1WG*y
zQw#)<32WV}VoI)qY!6e_59J}S2w+Q1`;^at*!Rt2*i?gm1Rsje)pjA!dc$1<MpsH+
z6mTB$mVQSW%vS>kY~XVNP9t9A!<^U|Wk@Q2<UX!uLB-1cr)vympBbG3SoU|9p5s$a
zsnO~L<Mu|XgFOa9-3ztGr^F|DOP3nZr>iOX8gc?v)T_$-d5#oRaJ6ox-^Gd20teb>
zJ+I2B=hZ~nlkr}^D&E^w%^BqFy)}#+C&YW_Rq6%A2ZQ$B*$iIijmrLk5+ufu$WzW|
z&k3*l^U55{^LSZPUUVHuBlCDayzmd;`5>M-<9tgD;GPD&<Q?qJ;KN_S{=|cCV1IOY
z&R?)UTC=+y_C1Y|ngzfGWF`}R|Bdtfm^9v2V~_F);m|736Y(q$XRu&~_|VqSK(r~x
z-R(YpLk37s`j*pO*7m<(wurKT*rPW<z@4FqvVP=GpEB*2`WW*QpYja^^jZgM<CJMV
z0#h<Ql3g;S$&u-i#>@Nw)4&Kju4%;Z09Xs!w$y0!StH{@6*6M7Ligxd7><-|51)de
z*&e=?MbQWQ+8%v$udEJiFtJ)M%BZyaUXGj8&)S6v0)`fBVS>u+4<wZyqfda74jZyV
zGBA`cSRS<n%cER1I{36K51D3pKDoE$fvMh720<7$G1WC+)}X{yvkFw?S`6b#ET$n@
zQxA~e50lH8dqEW>E%F!U()<Ef*`;LwCPvNJO(Ub$MNEwcr%aF$!sIv!+2}3Z2#`jM
zi?KHQvZ&%nxyMS8&hEe&h0$hna34^ElFi|{Ke9QjnnyFu?_l7wui3GJ1+xR5vOMG=
zBn2nh86e}T0TE~WH`f5(Oc7J8CFo{>WRA_GIoQtjV5Na=0L=d2xWA6HMwJvC+sN|h
zLoCQHEwO$s7Ll`n503vX+I@%61P_e@_Hy_ex92m&9HVi|t1CUP=V^R3e3COeS^08C
zXLhwh(D&(>!9SnQDdC!eNu8y0%oCiKm)*(TwT;ApUwAq0ef{9@H7=>ONdp((qGncO
z#v3LQJ>ppX^hhkVHIZITmpjOX=X4$3A)OVe+s|t3E1d%>(9cKs6y_g*GjVMESi$No
zgB5bfA1JUq3<L^r!};Kl2xe?g1ZR$@61%=4dwO;1KlZ9;*^~IsHcMRQzeVS}c4k-E
z5wEpO3Hia1I;J(oJscd|%0iUc$pysZ6YRv?){*<$J;U{7-!ra!55ww#%J{KWlhaRo
z@!l%ta8?lvdnGxYxM}JM4f;5U9K7>(__2<H<v6klb>Rw5B8!edn^2d?o#~yoxO-G(
z>SjN^g;3rDsh5VA_*BpA1b2epQ)|Zi?D#q5_mL<VM@V>2@^77=I5Vi?jyO&g<-*$U
zb710{#<erERVzOmOjzAP81MW29h286Lj&B7%KJN-2UEW%CP}b(SE_pWy^AgS<OlGo
zk8#06{$%bmm^b1#-+SS+FAvaP_~|{K#6uqMEN|i0aABFiN@QO~P^fn?;bW$$6Fc7j
z*<4*LQMr<55Lrbqx$?oz(Y2k~TJQS<i5=&1iSzoIxrrZXe9R|^`u%~9N-io|pBUZ3
zi<WA`J-dc-z~EN2XF6Cj?tT9rfq8&JaJVJLS3svsjf3_6H^JgXOHBz@?S5g^Qb<TS
zSoLoOix(~RC0Gsnh1Eczh9az{w}Qos7H$}ZKZbwHeqpsxsHF(Ye=AtLXz@$1y7mjJ
zi$YyRShL>>7B5<6mtf7=FRVEfnp1=|_pM;@qGfIg*1Y|~ng^Ujdbpdi^Pq(!V8^*5
ziR^=j#`_TreScDJ;)k7REHH5CZ5rxzCn~uFVYkPZBi^EgHrqF2dwR1+z?wlJrl)^s
zoL{+`2tFb^&Rcjg{tZ?5J3fdxYg~^&0h_RtU%4SMx-yZi1h{0t-*FzHf<Bs+U|qAr
zp|6t_jO2}uS0@;pQ<AunO2#@Xk$nT#XW-T+1TKzz#xZrqV2Tlq;DZgc<j4ZR+(czk
zw1%RR(FkJgTR^N8G>X=`itGOZL`f<5$C=0!jt%=l>~lCaM8%lvRIw&#>~O4!2v7Tu
zG{VPCR)N^Wh#O&DPYAyyy?LC>&dItyy)(O}BRA<Y7Kcu+#%>58b1WNRBMQtM52U8k
zOXR8?M57HRsG64@%}*w>T_dSgiOQYlEpA-jIr<QacV-WvmTJ0&xSe*LdM+B9gHis&
zHVW^i*J3_pPx7$AaWI#wJ7!c{*5Hhoel@XU?_2Cpyx{Vf3QzJmO^yC5H*u8;g(p3~
zTUVfSAH>$(OjbHTtr4JB19Vo|{V4>VV;>?Kx#(&>*5IF57M8Fh_)2w0^K<iKZ=Mf*
zjdNLFQB|D&?GC@6ttxw9(W+!yM{rTBv**=heWL%F(Og&H>$Jm7;k6XuDtnR~uzwS?
zfQI4;py+4+k<Q~EW2MeuVA*#1wc#F%vsk+Pyli4V*0FJ0{SGga6CQ!CpBbQ|tW3V&
z56-~WPkXc?>E*A`%k;FB6{$n?KKqED4l7gJ?i5XQK^2FW!>ZS_<3b$(-P6aK#ni{S
zCaR80sOaL#i25psTAm;1%7lqe0HGr6Q#+V?VIf?^O!X)Cpl;jFBF`KGsvQ{qeyM-$
zpyI&eB9&?mLZ%lT*8%n&*%_P~dLoZA=%l&a<qR5hVodzDK+K<K8KIe@3Ofu_5N#0O
zMa42SPZm9cS-=_c`$tYlG;*Ty`~1nH(rYTSqaBjKB>GdrN0^|@{hP*e-uK0a3n>om
z&b~-QA4IFx`5VIYP^CmK@`s>*BKr!<Jo>kdT}F@%3T&<BIPLi@I@y`UE!kI~Db@;r
zt1oI1If0mG2$_EBgbh!lLE$pmK<MqU4SoLg{`*Jy;~(*}qb&YhU7%y}{+GtS%=+ZB
ziCn5OJO!i3-1sktA1Yg4(4kZ6$))zoAq7x^2|GBh`)?xu%i?C{x$SC69_o8H-ha_n
z#J>n%vkQt3uVF6B^c{H61Q|k9s)zAY!b-jiCalD(NJ5sOvBP7fhrt1NoPZDv$DE%c
z7l)-Tdsufv9e(b@%8R!8mD>m44*!<w3x8xJ>l=q%AC3Q^7$yf^pFRuAEy_J0a>{{x
zF9(Y!W5b6>?dZPrJxmXcmt&S_emunyvB|n|9oZNB$xr&MlMj!xcxMv43rh$cryDsc
z{)KR<kuJ4~PcMF=Gw6(UR6g6tjOyc!>m&Hy($pRtpX|;A7o(-0!ZH$XOmC}94_5md
zo;zv$aX5gRQhzD~@7nF~e^ASQUia~uz~1=FdCTLLvAklB&w|%P^R^355+*FX*ckp>
zem65HaH?n9%-nGwNq$^(?{so9NQg7N*&)zZnO?~}$n%w*K~+;?L)g}fNQJ2f_mUJ$
z7WCuza8u`(!GgJZqhbH>*zjXWS|=MbC7NPgqPfpoq%(50Lg6G+b-#JQOD`u&rv=A+
zCZlpyD@*+H10TcR@yG~*fXP{z;-;lX#Q(vzl_PwGfk9ASq%Fyg#MHCvsxN9cLlIxr
z!b@!foE$d3S`Kd_3zeB}Mze;PjP=KFms^^x+URe1-f<To^D$NTpqHi&Ux1SpiQK#s
zVD#AVB-Ws4Ch5~AM-j8XFo6B_G8dC)&B&ia$~0XqPh?+A^yg`O|NH~e&z+Eb7pc_2
zOeFrKG;U(TJlRgZm-&twg$6YCeKt4o-h?DS%YVVi@PZln?3&KWYoO!&XZ_~>ix2e&
zt5)&>WYDE!Gpgr5&wwL&q7fXmJU)JV3vbcVnAXuxez7r{7fJ-lz7h61>!Pa-tO;K0
zkKcu$C9<dWiPXfpcchqL8<0Yu85_R7V1Hz<q#l#00b##%-AG09@ch40M?nvj<@H=+
zIBltfUmR*G-Tiw%xHzVprY`*h-+03xa`dss6xSILX@7~<;lzwzm+bVL@3*<+3%{nZ
z!Ud|b-l`0M?>Ari(8z^#7srNYGZ=bE&+A6!PrPuZtUzijXoHNimj<M~zm2fjENmiN
z(!-02<*g_ddKnC4nMHKo>%&gXUO#;n_R|*0plgkc;O;}zeV-ZPZrZDX7)UlHv}CNU
zt|>f$dj{<)##MT5NCfSO@Ms+$@11xc5~ExOV;yz1US<@%BBH-ao<ciTi&yj`Bc0jJ
ziR@NCyDG913`v>wOCceb*3~i!dx<WcaVzIR|E@zzftY6Ty<fjKF?v!Rzh~Fghd+Et
zLYV>>1@EC_`;*VAZK~ZEUd}6>mW{<#ZOt!t^8H9+u&N3qDpFS~n|_YIxD)G=YimLk
ztsNT7nz}Lx*$_6-Ol~*Q^$=R$*weRQvT1>8)z>vBlV5OTID-HB7fbU^s-g*D6u{W<
z{it<aOe7foVI)ucl{eXoz2)r|a*X>0d2_yrdUXZ?=}Xrja|aH;Z?Q|3<ZZ3w?f&Fk
z<jwo`RRYp{ulMcmk_g5H2lw=StD2Q8y$g9}6T<UHwPapRR`smC{96*pkE4{JoxFb}
z(VSd2a^d?gK79D>BA=X`-aj&b!i6)6a=Ex5Uj?l=N*Fq%yv$dSx%^!IDcP%Foa;w|
zu{$0a;QuDi15P@vzszn&1e@e;h;}vRZ?Z?X)^9`zkE?T+0!^-}lMe!I!<#Y5@S~}4
zUtaUWTHyYM1e^hQrcPqm%uS~ok`qFYIEZu0PU;BGt&R_l75L7cXObVp`-#m=UpfR?
zCk}tQgs;m>)hE(h(P!?2+0poF6q(7#?4a~jMc*v`g@MI(diRd-70!KkH9h4ACvlU&
z88PPfw+*8#t1v;M37{OQG0o^nc~bt=NqLQ~=%4Uw{K^48*G{*5&;0w<ul$5?$*7K8
zo%!R#A8~SGKx|ZWq)nCZscAz`pSh!6<~+y_7*^n)SPdMB^N#QfhL+cJA}^&sqtA#9
z|Hj#^?92HOQaZ!%XZ3&dBCnwX+@JwR>cjP}qv-v26RIazYizuMNzq^cZt$uic|Kl2
z@=ypNmAs)yh!gzavg&96!8l`%xxVR3-+<zW4j)#qZ<sK0B+oBEZ#kcMzu_mJr!lDG
zXF0qbX0xcj;2}rr06$Tz<`EWu=D(rFqpics<9EaJJ;V1F;HzP~)q!QP+?;m(-e8pX
z>j6~!u(01bHKViVpn2*D)lWi(4zBxnkX5J@I=Umfo+I;h6X6DkMTZ2GsHn5g9h#nm
zaxaAc#|orw+wm9xwd}E5)OoA=zxA=GCf(;jO`j^&^!Ki&!=joT|3lsDz?$(b<=A59
zOZ6Y?>R)U17rtFAN8v5>i+-8gNx1(Fucf44zXJ?k7xn9}{r*6)qV&Dne-iaSa{DpF
z>8-O-QCZ4@MAe8?(*If|_-!b>X;OyXv?$?aG$6&2*EMuD<1ZqMUgkYyC4#TgNpDNO
zmp)3}Vu+MYz_(uP(vq)j>YsxzQtYwhQA9^o>=B9`G<=BoZVxIqEIHIpboB@C!PIka
z0{6itKdP>vI=qv?rQN9&{s$?nKhc$YW|w-0$S%oS<-SciDEE1)pL#oT$2}pRHu-Uw
z>f}d=5I|0_<p--lf0KP-W-y^4k$%29Trw<Dg3qJzpq=@mUyqAttLpMeQJBkSb!U@Z
z>=1qkEcMvn>ashvyv&1eGOw#FO*ID-Tr%(mD7!LVMpOCudS27|lKsn__=eW?EP95E
zSj4-cf9{`)=gPgc55vB>;#7e{^<s=T)SyHd(1oUV(++q;m0sri6qG-(u_K3B5C739
znmP}HV@SNr!Mtv71PMovPHv&de3i;uz2$AkSLEic%lYea3sz)TwsgNS-mc^EX8a*H
zZ*5EWo-y8ue@KUCrnmfU_pY)2xoa5>dehhV&G#j;f0+NlW!Nv8zFCNbV_q;`X<5|V
za$YT#EHNTKt**u0A0|mFw9K~z-*@>OVh{@(oC@9?jOPBU<d-{i&(w?VTe>f20R6^(
z(IWbki#+_vRNy+V7FU@7hR@(S<8t?$1(M7KFgk)9Ue9ir!ipB%xZw02*;v8Do)Xah
zT_?zNh@|p5CL=fmOgw+kFaZnT7i!ulHgttM%#<gu%Wng`gX`yx>(ThLz!w`Ed>peY
zq;%tgu`IkBx+&*2atN_CB9D%3XM&UZZ|(|WHLCm#7}jw-qotGg<St-KwAke>)H2oF
zg)4X%bMZuD)R>EpG(pIpEnF7oE?DcI`>K00e{Al8f8&WYEZ+P_)fXgm8cu(re@hjM
zi&@lCiHjd+Z8Z}!GshpdUaNF_Wcv*wbUUcnzIgX#6(99_<dF=H<{wuiPk_UXYrv73
zh8J20VjwEr%Uf64F3~doM8>mVCt+;KWI5rGNY}tiGkIuINoN?7b8(bL<lIVi#n#!B
z7st3N?iPdM=c2nkS-WabAr(nkJ_Aj<sgTazVp19Y3J=5vYGVZKNu--ni}|qd#r351
z=aaw0QU>%^l7%A6qHGoED-~H+R^*YgB15Gj+slfKloc`1JOfY-DO6;>9NDU<R+;>T
zmzqWNdNsc4$X#j3BeV3m=KF_dZ&eG~EN*_imodLMmvI-WLNT?(Y>Q8(5Yht{^pD~D
zu$J<9j+E6jQyq&^v2d(X^wDo@;rEJr#0xf}mm7kT{n?g0#05S23#g<fN$P7VlK)_%
z0niP913*JFc}AfX`O}dy?$0XV2zMBn2&3LYVQW+J7@;n5zquXxDZnuQ43n5Yl?RJ4
z2vRLnRO3ZRl8d9HpPR?dh621n0~vmWW<tUOiBxSZ*ZUZ$yq-UzBt{@YsZW%nR_iWS
z(Yu(fwGQ74pdvSTeGQ*3XSpz_zYtdL^Kw2f)!d!Xjdkr-D-)h4aP18C+@f9ZNtg1;
zVZ!2umz%wbm<{+(7-q@37J>QFJ}+zRWu{Id?z6gCa!fhVX0}>ZtAS{fjr|#mE2p06
zK4muOq02&wZe;6+W6FWg_ImC_^ED#G(w|*7TldK2s<fuoc+@p~lphGf=uF*^)yn3T
zC$XG<x}q{X5{J_Q)f+?4g!_{9THES_n}99QXmxgY8x;yjgH{sOiZ%;680O6F;3%D#
z&Y+tOegwSFubZQ<<_TqA69*q@t841OZZK8&M+NC!OpNHLwJBG1A6+_}-9YqQpd0+=
zj=Fkp;dRJ~&$xbx+MqSz{C4J2jFda-{Fy<rp47wxbSvYxr(4l0t!ac~jsPAFx>U5R
zI-*jSd;0mu`P}4^oet<igTa<87GNjG%nUj{&G@={W-#&7e(uV;Zay*1W<=3NZH{(+
z?iw?3eo$3|81LWOU1`?N&$_TgxXi3x>Oyr%FN7b?OD0o)=P;?~4nAjIgvk=>G)zA1
zFq!aS8wi1cFT9QglUVro<^*})?J93~`j{gsozHe}DEMCHP>}&f8nc=Z()>SR=i@6F
zdF;vmRwiG*0u@%|zl`+E45rmLt_^SbLM1ebh}pB=A6zMN`d&LyUv)(OXVMWiz0c`n
z-2kkgE9sbL)#x~r*`4^X@00joI9@Qd4`*(s)}X4+^vU}*=Tfy(gCZc>gfvQsP#%>r
z3tAJ-MEz8j)u&b5ptF(j3xt%t2=_ckVT?sL55?{WF@_P!(%)P1B;$IZW6U8i_+C#B
zeuW$1$z09nsmNv#t{?>kp3_}PnwtI^-rvOtP!5Qe&zcef1RZbjv#SYHg~yu>N?pL<
zmg`$PvU|e7bTIYBecQ>qzowmSW*`=@bm9CuWGp=lL%8}ok=|CFzlK=3@sBo2F22PO
zPCTdux9~^Lns`EX8v)$lq;*{h!GCZL@N&&3MFz!B*H;d+eTVU!RQ@f-YyEz90^>FF
zDNEzEK%3*r##_3t_$53KbJcAq-{4{>rOm?Xq|IZu9@<y5B|L4L(Yg0VUg70&^)dtI
z?33X!fL9N2PxA2L^KE=g3|_V`{1;Or9C>CEVlsw*xq_FiH(jtoGZNO$0-Q%3ocG$u
zeq;DMD|ZRD^_~V6wyKY|aXF7*QOJqkWyAbO7Zb-~+QG}HSMYkRZ(z?9@h~<@B`@qC
zTB^wOB^?ULFjrA=QqXbl2-8)yB6NRP>yKZjN%rk}A~SkQ(1WBN2*xrnKiJP6ZgV@)
zcy01JRq3^_BO;SMe86{GFI~u1?IIlJ2NleD`Pp%bKd&ENzDy=#V3{x;h@Z{~OQEW}
zqq(mp8*b_5ypD6BD{Qlo9b+f%OMA34`*<jW%%E*m>M~=#tRNSJB4Cs1-ohcBZw8Yu
zPI{ZnIm6t5)Tz=i#z-UMFaA&>IK3j>_bER&lbC&HMK9aT?rAE9Vamp@Du#%a7dxvk
zd8zeL1m`U>G|HNhydk@4__oq`Gk%8XQJ9o%Fk-AnK3Qw!YY#a6+RpG7&tL-6uaEYw
z`e#XQx^J{UwVgTV+f*>!jJTd%SG^Z4C}t8~tAv;Nk`;VCmR!&wX~iVU!`S|mlkHWh
z$@FP42A(HTPQxgsWN}G%grCJ+OZr!NnOy>ORE2W2hro$v6qO<nSnwY~Gv@VZPa@Ja
zD&Iw;P2LkhoX7*+$}fS#ZPDC$eVp~>%-_2>=&swFcs2YUH$Lm^S)ckKLcBX!o6f_M
zEtTn=Bgwx74B}PQz_cps`1;z3NO88vNL2^E3!9X@&U0BJ*IjXJdj(&y#K4l#*PXe~
z6K01}?Y*OHl~rf1iwr)D_f|x!3VxzE9CK#WxQF4Wf{I2l6AU7A+|-R=^T}#jVZy?M
z7adam8F^>9R&Lh*s63PEe2$C)OY%4I5I2d>52zqt#P60Tlh?q~zdtPQGbxRqe$V)c
zJsAgyT({T&LMGjO4xAI_0g^a)_(WiX`61k?xd^&1^N^t=$y(UJ|7`@K?F^QtGnCg6
ze#!Ooy%WbOe8eCEwY|yw#s)95M*}Q6SwaJaI-mb5fXhCPis0V{sK&nAyQvfR<z@e7
zUV_^a@G^Wz-$Yt}szE-!{z&%mQz)`VdHku!I+v^nuR?(R<9~v8?Jc~MOt)Ecc`Zr#
zCN#{Hph*cgSxNWHHkP@t{rNEdq!VspG*7A|Egj;w18Vo_8G_cHl&iX!!S$-*enGl8
zP1g{6t_g2_0_kXedH%4UyR0Vs7d_#h{g7V`A!@_LO4-QC%iK@}L^hSc&b>!oQJmC2
z{srpv7Fj=^9y!@tWO3*8NR5BQV}APSUCeFDGSze*@oFOd9CsdTuggfy5$n^N-e9k?
z(*6;B8dmt}A-20<BWOTVzREO^)?LP(^UsGJ;N%8wU)yhkX^*#PtR(Y8{Bz#oJ8MBJ
zzC6aiA}PFdBvr!1I>P@>m547_Xk6uJtt+QQz8fLu%G8e*X)8Ldd>ox{gR~(EMdLF@
zL6=amk3iPLYP~6lKuB7D5`pb5SwT-TvImLo<=M-eDkAeGt|69Y_Gq5c3u3(JR1y<W
z;|HVURxc5lU^+_VgpV{j<b+RTvG<VAm%mnTUi_Z0(L5Uw((C;b0G&${en$=n-cQ3F
z$RRVe3>RFK5EIw-Nlue^F+EhxA_k`O*7%dr*B41KP<{9>WN?GLrU3_C5oR;)P2@Ub
zJgsAjqehJFVquU}zsUx8xB#bg;B`L&2CN&!z&{m^dfLe$Y=0vh<A@EB<7YA4J4{xG
zcACEcIrS?tlhm)0qH=X1&7eh26JSLpCH1w+;jC5fq49;<WmsD*Ou)#zI=pNXO#WQ_
z^HPH*E;v<KRUC>jdchRWZG2Tr?vR+-REf$l33@(*zn}%y*kr8w;~c}MbRP_&*@;{`
ziPJ>mHin7}0eTp57<20_)*n{lpLm&Ht0IB8T~WR}E!3xaB?a}sS1+Q)IbsJJlQ&iR
zY&Xul7f?4<rVbziM^x`to)}29X!DiD1KKA4$=|TaAAcG{WY#J)c|G5htkMt$v$xfC
zQxkneTlTIxsj)^i(8V17v%wWgbt+`~6syA`R%z1@2+fiFXezv}COiq7*4eyUM7!|!
zA{F@>Me}t>aGMEw8(Wzzew2L*(ldm1(EMCgOF8-5R>7rtB3~?gg)aMx@!7Tvs+{6^
zckO)(CGV<R0@C4QkD&Xf+DK0xT7HHGSOnp-f6Cv9)UfJdQ6xMnZU9XbQI_zkM++9U
z=Qcjmv@io-DMbHs<HGM1Opn*2k)+y2kYE!d832T>(Tvuh*R#OhN?XOrOF+X$?LHeW
zv!i@D5?NGNo<MebEU#;`Oa7EPct<Qp9HVT3LJ@V0;G*@$jY#KN@pG&d9U^o7-*>Av
zy4G;L2=RWaTs<w#s128sXV%l}*<hnRx(M`S2udI;PT=z20DaeQoW06*J8XIsUR|)G
zGQ9U;!BA~o%yILXhEN(wiXiaV<R8`WbH0gvXAdizu;fni5l21IFSjG_P>@8e5&-)#
zC}@;6M@ocPfVRNRR(PepGrMv4!1I_tUtQVRyd%l{0|J$Os<Uz%GQ_HOCqqRF`65D>
z6G^R;@8}u++!vDl(O3KZ1VN>4_el?*%>MlF_k_e8jqD8*+VnqVb0pcKNY_4?i>=jG
zdHOC>7VhD$xA7^&B|@T(0(+iCcCeo-!^bgD`Ee8|^ur*GRBjA6JR~+@UEXk<X)=z<
z&#ZUrYoL81#}YzlKbwRzPZ|`p!8;@F#`vj4?6OZ4No(3ZSB~dANkvmQTYdt}Ux0?X
zbwJV#1O%cXtEpQOxf59&grkW)^U`-oR$xEFBXQd|?ia)WRAeBrjl;8KTBwIG+(TiN
zH79jW#6WUoI?VVKaRh}H@o;Xq`f;jABXl@QOiGjZ+!sLLqIwsO&0R<z6v38A?|4A8
zN?s*y`}t!~A(uK7OwIc*>8H&HGpxb2y-6CwtX&J{zt+@;L_L}2IW#CCSEBI7FTClB
z-pnbynOk@>Pl@n|2MwD~2zD)$m=KNwKdUL+y}_mCgfEk#VcO{{L<%R3sn{G1{5M#e
zQg=A}rCGW2=u*VQE|y8IXI<C!#=hZ0jbFCbZ=}V`d{VuRcVquWp^WxiO|>F7ZFTb+
z_cX3e1jmi=Ni_aXYd4HeY0-Dj(G<R0&3DcBYQDrf@liuqm|XHFCyB?XuPLDScTwiy
zWI`pQMS)s2o^tbgu2XWLcpVdgFj(FEIO;jq$<p-fi^&fYFkk-DWkSlVw^~2ME7$t9
zESw4^ve0XIqUM*?4i4b3cKnJ$v|}ah5Mv{I>GfP-N_43x0w@gu9aT!8O6yHa@RHv!
zSX-^p;e}><y`B#U7NgiXu8JQ$CTtgcMOiHxyTZL4;Ri4Q(%uo7bD?4;KKz)2k$Dmr
z`Nw$&{_vprk6zDY2ubJG#*dr#QvOb_=WLh1ppfrsmYYpA%h6m_^S!8=Ij)*PGx1(V
zGXnV(?@ID-lX%S=y&e{H?`eE2FHg+X2MwFw@Oo}k{`&k~1&ES>Gb3B{Vart0@t==f
z5AYgt7?qdcyZP$-q-L+cmvKZ?3X5X3%(e4=A)Gvf;X4aHwCl4tU#~ISAAm`0nKe8Y
zu{_`&jN2BL01=2Cva)-IY&~7sni=Ww0?7%3CXFin+--GT`lZXk3_UC_Qu+ELsaJYZ
zwkDx0oxR1xH@x48^mm_<62Y?u;yjpY#8#h~QE*<O<edyzhk1oJ3zQ+S-AeFBQqt_+
zyIx1xDzZcg{z%@+Poc;%%XCHhqBK<)`f^d5lvfOT^YJ>K3m-oceIWQlQJUoTvLYj8
zMeIACDG~!j0g44A$rhAaW%5T-C=`k`McFFS5~ag`#n4I)pQk*d4uzg0J{TQA-k|YG
zR~e`h2QrQWCr9eB*}&Z3<`;7vbzPcYp4S0PHF+5kW}IFYDCTZ38e90OBX^fkQ^RL9
ziO>YLHx>qe(6D%OnC4g3q&mFBa`uE5C`b5(U$LAW;TNsUw7T#N%XlIDtTK@G6ZyrA
z#xT|kfL%6msgU5_==r&84DmN3G!cxii7+OFlmDFBVc#o4_oy|}A}VafyUpU(elVdf
z^{>9dWt$a!4(|pL)_s!A64$7r0vQVQ*>A;k^wqZDEb=pK-aRjq9<6hTh>N<bB8Ayb
zDc0rnXfQ74N%CYxwCGbFOjTVtIVwjMb0<*?-;9J>{1vQ?z$^w#<hnCa68Z1d;U9~T
zYP_D0P__U?F;@x}c&mAa8_Uajly#HFSC(hX`bO2f5MEgR=1EyHCa$_c<kboWhW|+-
zzg=<@OsjKN^a?XZa{a;Pm(d53V?Ib7q^~9aJS3;$rPu=27YxmCoLQ3S%Zv17mR^<h
zJ1>Oim%o}_zz-YezC5VB&gQ~vK6J02H}e?*J~Be7LRgDDYDi|9I29ZR2RDa%%!hEr
zdmpyOP2>fk)y?74rfU(XKfbPy6r0L2E$~LTy8Pw;(aY?XXnyDB@>kdCRk^;KoQkDV
zc}Obj@fTJ8>@pO4{=vkf%zPB+^0vVpR0b~l3+gu;PH-|J;8(3@v{omt%|F6O$#`8r
zJIt+f`ei)7-Nu2=UYn4-B!KX}k6+7p$}*r^NtnZ#<sdFD)c_5F8h)hgb><RSXoFpJ
zs)%C(&rmup9D4gzgZiOT8zz^vVK6_@kemiv8Oe(Buy0(c1Sja&&<^c$Fv2a?nMaI&
zh?i^yj)e1%Wv?=IFeAUzJ~qK%&OHKOUskN=8kNu@Oq>17mA%Sr5`<&~ftb+q;Tvlu
zXMo9{L$>@5n<)!c^qFv`*XgHuB-v1$-ynMMh#xFq>~XbThR5J6`@x-il^;y~DV(VM
zLDqReFOh7}U`0ul*56qJny>OQpW<18ZvR}imTUis_F6M0Ab{c4M>5>L?hy)g1i!VK
z`iI8&!LJQFjv8uy9+@Atgsmkw*9#hm=Cp`5HWZ7c4$I5B73L!t@7D7{^72IR8M#ug
zvy}%AC&b&KdzuuUjgV@9!<My+S%CQ28kR2C#+k|+1CWGz{Te0{5|jledY}X&E|6pq
z0b4ByM^U1Bc~qjI6R)S1QmmJ`r@pL{!b3|m-@^S)%+9xI=$63OcCF!apCzqr*{>oW
zm*FxI-cvm!Y6WGPNLL2Ro(B?Gc|l94*RbEaxBv|HJVA5h-z9=u?8Wf+qW(rr5-8X1
z>hSOWmDrXl-y731|BlTP@*%I-D%U0$n;sd<Ig|ugy@j_D{7jFG^D>tMk;yWz=aUwA
z{Q?^*A4?wCJ@x2RUH3ODD^kp9ZVY$*oU;lKnbKYn#;DVFO$>OM-$UOO-9Qe%!+XnJ
z>1BRJE^`GF4AIS+D+t=zU2s>Ogn<@NF)g4gjb=Sg!_$E^h(J3c0JBK=O0<yZQo<)O
zTM1$r?Q@iv?dQI&ij}Sj+9&Y?YiGp#sWVtiyM(y{Kfp@o<`PEvdaUCkA2;I^^8-}a
zt>j?BCDFfoj22TU7nSdVX@*NztrGR*0P{4tuw5W$VcIT`vtdIQ$epHPdl$$dLnJ_s
zm?DYU{<6Z!t$uKNb%*!skejx+HXt0p)XT;D1Egl$@D*_a{q=+WQ$6!D==&Oi8UBz|
zf$C@Q)ruAxA5JXfLiHwc{}R>l$D!7Lo9fezMQ<kgIGFzbB+0ul?T|d9sXRZ&q7{>b
z=fgFhkdk?s6#1R!ZaX=b{Axv_|G6=pxvwo5u5<nz6T*c4=``>g{o1zdr^D|@U!A~L
zM8oGGY@dVhu26K|8lgaf&=g3}%b5Yp=KaytesD^yKlKy@Z4KUNjzsPPT>ML7;kFwc
zD(3@fpKqAa=d=7p_#@b#^vD>m$M(krKar)tvdVCD1YcvH^2@1H3igs-u<^0*#D5V>
zI+57Z5!QCU+#pu}(aasIxMTq_W$0gCxVm)>>4ACxCV%S(cxBIrSN?~yx4;dz{}e-V
zR(1YnE1W^9Dk^U8!ZO_PAgSdaBDLa!|Ik(u{^Hi%;M}eEZzbP91J;UXCEs_DD#-WM
zK(-h_QJf#%*N8;163O#iO=hUGpoz$46q+;(QkWu=5h+X&$&N%*L}p4dwgiuF;R_>C
z617S!2-+Jc*KKeMW@Wb!L&xV3x18f==g0hyu;T&QFbe`AS|LV2(C>evXjc}Hi(R?K
zf#Qk_rF#X|tV>}eBLj1do5{(_#<*2rlxa~~u`SYAnrm!$MjB&tjYIuS_J$dz?b(;Z
zGe;!&%lNdyYkP!2m%4!LBW2xC(LX5bSCE^7m#CSSvEH1-@anx^zQ`gEdl|X}@plp&
zX;P+IUp>~z^O2}txoWW=V9xLdkYk$+iuCFf^op%93#!6TMxQ;6S0mlx$lv2caVr=q
z{u`}gSZUsp)G{0uee>&5)*frODd7*uEh*HCri5{nFwR(HfepsWwD2pmRtDj@igGP1
ze3bXCJo_$l^JC%EsO*qwx$D`~{p9Uxfm~GTZ=zEFyl*L+b|{p30s5(4#hD7dq`~?$
zEiPbR<a|&uGkaP?Sm3@Mw(Fq}to1OGKXfn4vqM3ITX}gqePV?_n)Q%_{>wkNHRJ`(
z(h~{qQv3<0;fk%H$}7@$C|!pR(8<2c8O%y&cl)_-RWs>EpnOnZ@f1&-W4~-$_9yR5
z_s``TPn32=1+T-evf#y(n?s=Ea5T79Q4|jCkNIO%fK;_S%5CHZJ+JdG-p{*`SfOCP
zQgouMokRaZcu<3*m`-a*Ppcc1d|*X4c!gsM_4LR%vUh~{ezwPav@t3{VJ6gj<aGJj
ze>QX1bDkc|i6SUC&jyLDD6DyJt+h&E8CvW4t<AQgrSea*t*EH{lWc2?61V}aet7Z6
zg;wexHA4M|Kg*%t7=C*N&<A@|mHwhOX-~7;r$xx(h46U$FgXZ%j6HY3zuOnfpmy<v
zGpH@Hk!RezJBl+5wpR$?@U@DU3g_^ESEU`vOfe(>F-N1XBep2hyehBfS|Jb^E?6lH
z(+k<I;|j7<Fez(PNG1iDTIbSp!W&+uHKkVM|F($Y42n1uo8%n+Co^vjcfa`J1ikp7
zUd&UY{;l|8t{Qbk@rBlYI8fK?#avz#`ZGURbd%V`u8Q1*i#r0EvFLhb<WB4Tb1;hN
zHG5gIqmoB)CVq0%z~W%h65f)XwM2G$71VB{eE(BpShm)g`@8BT8Z&8esXjR&Ju*5q
zCBZaXEHU-`y4s6A<obVY@znz9Rm8iXV~}FE*2eH_BooaPo4--Ul>NzNUv85>SNyIj
zj28=U8NR>J9yeZ+Z_X4Gqa<sKG++ZX@Pn(Yu}qXsjmIuJr}44jW21hQ!_1Sd>D{A~
zpGm+TE0rFY;0G*KX6yXa>9LDGp%(%doOWb&z|_;+7;CTw8T?g;pZp;-*<G2seX;uS
zdY*=t5jDadhwtV=rbZxTgAAd;mTJ&Jd|P7fSN~RoFZ_TqL?l#3e{s?xxBiqb82VG_
z*>yGpey~EhVe+oMiwr*&`B~?_s!dw7;$p2TWQ7)+ICIDJphRfVN~koiK$ZSYV>+^-
zKics>7~dAmt0Lxi$ddM+S5qgq1#_$0d$xH!SAYQc3zdk;Zhi(vdl}3Gt`w?v8t-o(
zl2jf|YWYp1obNLH3khGv3N<|Z)%7%nSb`SNU1;`?i`iak>|6d*Np|<YY2P&%rA3ee
z0-4J}9sh-uLWqzJf@}d{G$z$ntm^RR-I_OE1)=5@_lB|xPx8bt#fDqA9|nMgK7Hur
ze=R_Zd)M`Gh}7!FK1?h})iiAf?05=#*MKFEZD55L!|G{`i>ziICxug}5i^l<0xKE5
z_&D0><TaElte)r}!97Uf`ECrq6lKj8C(r{^j|=~3m^Ahg-~<CI*YVu>2HNlVsdFr<
z&9O85xxM9O;;)+{{Gao#S!t*nu6(U7goA{%_$@}IZXKJ@SE@$-DgPZKx2#qT(sW=$
zIQMcBv3U@%d@pmfPEqvJ!0GMNZ`|9V-^<@}Ry6@x%4mpB17T4*vlrn<=}bk(_fra@
zRXL(<+Lvh3F1P1GyM?be&~fitlZWyqowu0x`G){nuphD;^K|Y}d$4FRR7YLtcuv{B
zyz#yw{Io$&dV^_|SJpE9Bhfo+;P#f|P=QvSoeJD8xekAZ#kLn1&gezIUi^_4`^*Oy
z@tGf7RlsL$@|57ZYpBF3VxvCmaa5V?<NgsvwJO5zU1k!xVKA+43pg4K5UmxWXBY8V
zDSS>4qW0pf;tOlR2YKP-QTEo1?E-UXq^Jdl<|5Jsq<8z--^fns+6;A5zK$vSR?Kf^
zJlCvmCJ*}kd&Y1$)~N6YtlcrA&?9KcFKMHn|B-ho#?I{*+x-4rl-o2a>}M(v^H5M-
z)P+s^cogdR5q%d6Q3!`?wIty&5@;-PAG9_|;={`?6-82Kshc0bCB*4U-?JdHtge0G
zut{9<aX%QX(~yY%d6`ADAh=fSpl9i6L4j|t5cxD@b9^@PRe)eIyni*mbMfIkyl0HX
zqP@`%T8}GYUj-;|tPUUhrf_7np3DSzz8gG^XSQ~Dv9cbCl;RT<8Gg*6a&ZwAa}rYj
z0w)c}RPlvz@@!s|yi?|@d-iZjLbYtM4u4?1xmdQ5rUo+>2oD`6z#%CNnC3Teq?4aL
zvy1VX?`3|(3p4$?jD@bBLi5nMK5jDUXQlC4{_7iVw7Kx?MJ#IKeBSJf(|acz0DtFA
z@2%p4)_DwHSb#W-KItOgpL$VO@>AZ@v6;S0)@1wBPYreN>`Q)DsqNi6huAhI8u2vJ
zy>q*}X}||EyHM8-{{jFwTHmbkC%?33Rt&^@dMG_OS_aV{Y^^>Qe&H)}?(t_U(?dta
zZE+$e_;83+<r?gEN99Au@7Y6HAbJZw3uQkloyqq1=MPQi>kD}6`2Ze9(Uk@#&FkM%
zo!(M6z4x^7v_`FJ8&zl)Hh<Q<e4V%$;NxanAzLd{Y@N;TJpP*-X(Fq%-Ayrew4}Fm
z+QFcuY54T!6DmhKn(x1GIR6E}q=&}E?~s@bbLu3EP%f|8bH5l=vriQf*y!i>c@oqQ
z^4aoJNv+t(LizB_C2}G4;seDOeR}bk;)}ZC3lp0U@WL#W!qkcEL(c88Ev-ze%k%n)
z)V(A4h3eG-5a)4C@bCewCm4w7@k~FMBH6tXK#DiB^3pI&v5g-0KaL-+wj~DJt9wC=
z6H04sI6$Iai7pZirmvAFWQTkrzrb9xSk|9qJp<w0Bni6WU?itvQ<9%d1U-h))Sg>G
zjN|xN{g=pIt2~_=nw_hNZ?&OPHk_yH6h;)P2xkf;wM^G9WlIOk#lJ}4`C7qE<bGqd
z<nA`->?_}s4kvGqDj)t%N#jcE+3{Ids0PM|z0~7&Z__*Da%f(IKzi5MPqrhxglG$i
zIb))nxz$l(9-ms71%*UIA<<Mwv?viCOSH?(EM2~r$(Z-0f!7#A0^8FR$8Bu@BT3aX
zeme=8*XS2FFf&!C<|xJb)VoO=am<lWZi`a&`CG^@_$`-Jck28Cgd@Hu)xdvjhvVN`
zVhuJq^HNAui%$KXTGjUqUz#NNQ>nwtylmAGP=+Ec9a*+Kvc3)cgij)!VGkA<G_IG&
zER^*J;B?a{JR;WMbj7pR)M@yunFW0lUOj9)xxB1V$qRLkLau8!JA}MNvM%yzdo<3l
zg|yeIuI8_@@8K>|E97K^TXPW=iP^W13xw+IX#Sm$ZLP|Go=;u-6;Y|RD&1!J#)5y2
zCpaP)%x>BcxJC0zpX8$q;FUjngdxUu<aE2WJ-k<?`D*1pUk#=<gufyWrMTiANl=;m
zmgG$fjk{pn`E^~XFJR~N9IHs8u;wAw=(*Zq!x>;S$T30vv_%$}977<RZIaB-R!Yh%
zhQC`5e-%8&(@6f@9piL53RPmc*|do3VV|Z3jo+y?`IqtNz^5#5@|1i$-1S<mxvO_8
zA>PAD0um3!Ck(UvW`rgYbk?#TiPd-Q4FcdS2fgP_W;*r`#eN5{Z~4KR{e18_!vnX$
zAEZ`SZ*`Oor?HaRh>%}Mu>$saEy4<Gi|;gX?Bt-N?{=n+ZY*pHu9C<~v1<%IiP}P<
zUI}%<t=1*qEZOBC6EAZD35{!a@ZO~Mjr6Y3-a_eV<64ft!&}-I{y2)zAF8i{bhmz{
zrWf$zWd?AN5-cxaUhOHQi`^0gn6g)^%%Is`qD_r`gXvx}#!v~7Cr-|)6FvzroTG#b
zMXA;1Z4u#BxVwo^uf@GvNHi#ie$Kt>D!ig|<`r<HMFucdNEi{~A_6s|u+-(mj37L%
zD3Bo8LbI85OLh2Z_D4$n`w+ZQgXw|+fC3t}rB`)j)6#uEYu|>~Z<Y|HZnN&AsZ33P
zZ&&|`rm|wSTK$6Lu>crY9RbEF_$n^s%8uZ&hA{4&xZ4A(P*SP+zA^+GKxd4Xxx#Wg
zYnd#d>uPTp94+~j6S5s?^Rp+_;u-)|Auuh^&1VILnNkUOz05&#nSNml!a*ycm%)OO
z@b=P^KH^#z+-kGGsr$nlc$t3}W+)m*VLm5>*F7f!pjs2Wo}190{7XgoEJ#Fw^M{KC
z5!)ppMb?+cA|(JCVidT%e*xg!I5*AMqJ#v1IbxWLV474HxVXN=!IJ&v-c=RKUTus_
z-_vxK$%HMtD?i^`Qorn3HP5Z8%xi0z$<5x<|0A`lT>66)ljTf~{sk?NjHmnOYSO1b
zlD!q6lgaO<PQnB&n(0R9(P&MG<E$`!*{Q~wTm#4Cx>_YnWn#u_k)tNR6^#Ad)e9sx
zx&Jhs&D}YVr|>A4DJLdUWxMri|0Q3c1E3`5ty;75?_ze;?ZnPs2g9S}ZgTe-Zx-y6
zo7~3zPj8(Y{8k!86OO?Xspl-2%s=tm5!@+`xC41e#C7%8p<d?SF&3QShe1A>?V9gW
zr$tYFCIW8DGngFaJQ$=UJu=bDJPS=-UxGC1Xs^O9;o^##cyZ}Uiwe^D6gKtnRL|bs
z@pjKxNUiCSzwt5$f(jRod6}`}l$gN4gapu!VW8Y-)AEnm8|D|ckx++MTfx0+vaf`R
zNh+Sb>=QUt!|%agwJe=D<Vr4kH!oQBN=71>uU2xlGz)$&Z$N`N6q>8pF={0pula;@
z{33MxBuMa0m7*bZwjJ4H>WZx-*NF=WY$Pa!n|jQJ2_NNGi@w79En`QxmR~bnbN4b`
z&R+=c+~kD+9HeOYk;U=!<ux2|dNQj7=C{BG25JwCDYP^*z;H;gmmQ5ndP}{@Yf@vq
zr86pbJi;azri8eJQpa3JJxA^``f@snod0^zLcBIG*<=QG^3JSv6BuCBW3XNF9rX=7
zXvo!(?d<ZiDaJad&oKhAegi9EK1aLJ0}G4xNgqg{7*%!rvf^Y09B(IFHG@+y&S5s|
zbfQ)51gmD$FaUT*rep4#O-Bp7<ecB!43OL?(+OW^G%3+QqD2V^I0Nh8dYY1j8nm88
z?d@<DN@ZKZPdsH@$b1y}E?1QI@N9~L?EfF}Au_E<z7zEP2T@P#)e6M8BK&TeB0Bl{
z9xu~Rud!O}a)wOIfb_<XF5^dGawzJ=3oI${L*c{%Gro*3(_SmA+p?*8W5{6pF?t?s
zx84&PzXf{`;C3Wby?mA#UlNd~-I%%;=gd6k&#>0CNmpjXIyv;aNaL!y|0apoZ*(Mn
z0!o#W_&%QF=@Z_?u2m=|1WT*^#2mvprj#`UD&n7T<|9+0FeKhBea~EmdUpgjYxLF;
z{HNN|+5AfC@ccpKyEtfiRg5ez^BV6G!DX=jxo`#R+;J?P=D9ljm&H0Pds<y|T54DL
zJu)mPDI6+SGttL>EjEONH(e2Nd9{~0#_UR}S{suP#z7W5hRXoUyh2BS!N8Es?x^Hc
zo9DxylC9?Xj4k4;tHxG@zXp&dAbw%L$5Fbf4&&6_B$-2*S1a1N3b&=)pLmDjgaFNv
zz&Npja$>P0K#GE;Yj5FK!s0tVw|DU?QJKxJ&+i<5A%1&x{*%@XWdzNRhAryEGx--m
zR;R@lT;lu?8JIFEIkTk`K+Zo^kerRDfXibU5p(^SZWNTlp^3dWiJ)K#>YhHkL!$eZ
zvR)Kuw4`RReG;s$pmfa1_BTLfu^13pd&9G}sf+$W&fS;wTQK(f*mrrvSvLg=8bl?5
zf^BSV$X5VVaa@fThb#_n{f`cBgoh<Fp{aP4i+b|4L<OU+>KG&0`nUph6?wZOzCf7*
z;Y67d@eWq2ChsheEnS#lhK&DBdLheY^qL8d9l>#R4rO(J`9p>FU&iiTZ;jn}HSipK
zTX#4CT~_`S02W$VYN5s$ww>j_sO!N0qAr~Xiq!7MkRd7Xly~)JSV$oH@RY=VryF_x
zQFG&BW%jM-6vlLjTK=IOhD^z#{`Y&W%UyLpEmfDi))`Q>MX8uI&xGDuoF72iWSC@N
zoTnCPZ~h$S&E5I)T%lOzPO=^$bxE*D-HgUep=cglEmzXkzUrBI=aB;$p_11w!@QY1
zZbtGl-$J4a9bjP``)Rq58oz1*`$p}Xj>fQ_Ag2p6rR*81<=B(pI;)t0^Gm$O#9PHd
zdWq_vY7>oK<`=3a$Ks;w)ygNd0DtjC7{9R)iC>tjwT(6;(UIT#dIhC%OEh39_y!xp
zcmK)S-BXR+nip4?$#wC8^oW<d2*`#{aA7UZR@f2fzn1M9?XeS|$^-X$W_{7mZ0g3`
zbYxFz>5wOx{brX;P|IGvXKTaocNd30dc@UVN&V^$Dr{^Bp<Ej{bGU1N-VLNMN-@0p
zoP&`03}2RW?qfWQbMWaQW7vUS&&e9glzA*=?qm99H3Ay{mu}?VU5%6(D!>uBDAQqy
z97s_`{^NAiP5#OB7Jd=g=@3KS$vYTgR+ssS#q(Q=7Q}Tt3R)Blr}Z~cuUI}h#*WHT
zfy>*+d9Yp06le>J47Q8-IA@b0lR77_{dgMJ=B~b8qMQ3q6N%iNi+KuP{f60%LnA@T
ze;mW*<jWafj>7!5d1m^4f&0GOe%wHFsr$a*`R8w-hj!mfk$0POTDXm2%L1yGCKKca
z+&8N^fn9!TmYHaO5alE-wwL$B#c3FOJJ@QCBnna^%hI5DU#$jv^$2mTiVU_Yz{8LE
zsMeWgTU}I$u@x*o33gx9#qaFFR_DN);two_`1-OCs2^aqGLii=jnK%pR?~Ms<aNm$
zjTaS)<|ui-1e$BCKR~uta%Uc}_kX>5&P5gXRnNuysHd5OS`F$-=lhrJ)pyj4{oAW?
zd)q4l6i6EO$=NG@{~Pw|A0Ke`Vl$dt7S9f6Mfrb^9AZZFBY(s+5F29Ss46_r>D$#&
zFrb@0Qm`?9(Z0~fggaQQBZ<;+v<21G^J6^gL=za&R$z$DLqry)&?V?NCv^$<<a>7s
zriW>6K8MD3O;UaW=hZp9%@4Makcn$F$lcpYDO9@GV7Dv|RE&(_YAPUBuu}@^n4wal
z1v(TWqSFfjvFU|?*mR$b)0CQ1X!Kv`SoR8tEu+B|`Q@ne{_VkYOa~JVnqII6e=OPq
z1?Qb96Kx=vjxNxD5KcegfvCQM^!YjZW^v?i&T>`l$8>ztRrN4c$)e<w@T}}Uop+*t
zbSOprdt9u22i@b3_tQPzWgdDVG}G#)6W@vc9sa+lf5YqcuYVh&{QnL8o9|%1h5j)U
zr3tcyr@#uciN52Bbsz;5{JQdrDrnO_MaS$QS+c#fa3SZ*x&9>*oBu&Qw6P(5@BckL
z)NM$``Mdr0&u3h;w?3}ek3Nb@`_ad5GVn8f>?+sC*0<Eh;R~&*qCRSiYq>tMe&-$e
z=LfxA|NQes|2*=`4|D9tPmsgzVwjq;%6I4Arhl#z&HlIi^Kahg^zDDzKYwUH258wn
z4uJgg*M9Hnf9L-B?GD0!?Vlg?zv7=4^bNoJZTaVnpWf`Dmt2I>P-?FpPY&IF{qwg!
zj``m2jM5o9>?;}|$jcZjFC&({KmFA1^v;8l7p8X|lKg69mx{BezmgE!s56r4zab<4
zfs!8YSMR^@byLQoU;e3L`J!L`9ceP1@}7AOd*;>enOEz2XMuML6JDYP@amDj_?All
z>esBEe=l^xm#P!ruc!ZeE9qq}#eXZ5)*_{X{VJOe(zP7gv~Us}wl#i4KR-yiBX?eP
zBFo~m7dvuan<uAV5r1qK2k~mcuzkB8%l-fM;J2E_)4JlL2pkYHWjXDlUh7W|PfkdW
z95(-;J$0*MpW+xu7gR{!!zoSM%jP@cCCB)7qEv}sQH^>WoSY5mrbE1*A7FJ7=|vhg
zaP|u8KL#!0AWTTAcKs!?_L=tUr`H<Et}TO<4Pxm{EC#{U%@nv`k-E6V)J1Z8yv&iJ
z10s;fUZ?!Qiitp!A%i)yZEMY*62kc#pHaA`wTZ*hx^&hsZXR<Bt>zsQ&1@YhV7q@z
zJF`Er2FiyFA70}m_s4s++}-FQ|M(DZVc=fvh48_+czYo%RgLC_8`nC2Sc@6`fPGTX
z%+S;(&A_caL7lt)3p68wx|J#o5t=)YhZ0%6jBd>fSZCwhh(0hiH{!SZLHT2N(R-mh
z!BB3gFpt8atnG*G!A~^oYuAz2I)t&jI(4o=O>PzoB&xhcnhQ?^#xeFFz8;+VdLnz3
z$P~|BCkc$`v6l)uW`-4<%q+!=XIJO{0if+p2HUj^;}zx_$}62I-3(^erklpvQ6Rx=
z0u|aK8q8)e#=)Up<}mQIm|9_q(<byaR)Wd3e!%F7M9pxWjZbp^_QF~q5MBnRVc*{a
zK=a-FQn&ID&YSp2t&{dyFdP*`qSP`v%~Gsl^3H-{7UR7HxvK}=vbzW)LqS&DkW!e%
zP1q4<(X2`|5yV*2O$5=x_Br`3Yz^9MVK%I(A^_!tY1C_nkn|;gHQX~k?pJH>dz{hb
z`r)VJj=y5>5&(7vrVSkZ#=%R(L*wbG>^WF%JUFQ~5zMMbqgV<wjvSUR%%~osr%hx}
z#tA%=l_@hC^8e0PZ(Z#}j0#olTbHQAV|9qFu$E#MlMuMPr8*hV^&_vPcM{Ir2@mK?
zyv%knY9C|bNf^qF$sr=nuhcd-{jO>EY5UahEWuY<yUavr5)t)KefJrpFYcBVY3<Mv
zd{<7gUn*$(W&yE)DH5PR%=McDgjcc{khZoUvYPGDqH4|duztm6d$ihGvptqi1l;oH
z<eRAUt?8L0HrwtnZWqdbghu5k?;@}dml^s07B~_0qAn(ykdE|Nv!auC#<M2#d(B7}
z8srvj&>9WV^B=_^yft1O=sd2ewkX2x$JrI&><p64W}UtGeI_UxH*^49#0{CN{H<_N
zhcWoUJXC0bU$FEXL2j!PSuTsU)%pk`Ssb6hh7CSfJ^I5gsk@3SYXn!)apoDP<i7-H
z^<Jx1T943kDU8qmfgyr2Z;dj~1o`~!QRa`L%-dA*XHn+DDDz=uUKM3t5M|y<bMoJa
zGS7}OC!@ysFGra(qRiJ+vMb6wHp-Me$WM(j-xFmXjn?Ns7-d#RnV;f0e+d6z=&S>h
zp{(J7PV#J7#Mv@s1-cZdNY*~xxk}gPw@6O@8V}%#e%GsBWfLm}e}YwAJj)Y!ExijZ
zzLw_ftGt_F)n3YLO86q*X`<!?e($K5KH5%x^U~+3fm#yjjG#1%K#O1aFMkzcv>)Y^
zG!!GvCFN{fkNtMqSQKj&MeU@9Z(BX%-1f{|Y-GO*bSoow$q(OKAoFvW=b=5dQF|ou
zZbK}~<`C-5?1;UKCf~jeZ|;s?@^<;l424!y@fbdN0SnLV#Vy4bw%c(PFA}-y<Y*;w
zzcnu=w_+Yo;k*CN{Im%X5AuViY<8h}{y~h${=a(mTzy5yo!n6P@aJOleydnkEc~y9
z!mDWH{tE|I*vl+1zrsAk{C3o6|E14~O3y4St?Nq&eq^8kEDo;g<40j<&J+13k{6%P
zqNU`A>>Lrc8d2gZ{3@*gntZ>1#m+yH_OALl|GN9z-~9Gl&!xXHw>mY%&dx3<$OgYA
z_cKR7$9D_BKXEL)E~v&68<ToBC9TNb?^KX#-G0x&c+=R&WZt6v10KCd{CX4oZ_H(F
z)&(?Q=(ZH@A7@g5^8&LQ!t=krn>)fL5W3x*xMSy0s<Mi;7r*y1zae?vViqaIvuon%
zp^fo$7>{?49C7inxl=ZD?>hG4x}L}GsBdnsST=`$bfXFu9+wgqsXbbxul;}Cjq5LZ
zD6=*$Z>eHILr3LcqIqZPCiX6?$sO6B%f8sl>_4}VlnY;WzjpTC__9%ancg(iy{j+T
zr{~f3yuEwZQ1VuGqi_!z8&X(q(U<5S8a4dSptT8MUsnB=XqCrfY(K@T#cfr1SuD}j
zS&FBAjpZI1pWa1vtO#;mS#W*GV@Gh)h<=)flb>*Lw2t7LEbQGAPU0(W4rK!bcPX=Q
zRkx1p3D5hg7OEtV)ou(vO5Jb3I<mLUHX1B3$w=Q*Q#Qgb?5_x>`W)R^ov3_1F`0XN
z@AUa1TnfC7?0@QOM(L6=qhLq&#v-KBN=>V4(6L4vVVmHV>T2vOl_}~2@nWtzJ#1F6
zsMdgU|HUhe7nxXK5lOCVjNg1_i?^^x@9gS<S^nyZ+H_h=HMleH+0^lQ=3C3ofAp5N
zS7iDY;K4FYs^g_|KC5s}^1Y><dwQ#*4-?H>z06Pf&Xww;me!W}5OHJp_`TY>m0ISo
z9ayZhu_X!IV@P>DNe;ZsZ9H+)`LyjR?MhQsRRsjSrKi8%%j^uf5z6H3epAjHZ_3%z
z8!JPw=Zh%OU|M9+-(cF#FCt~6H?g&KuU0vCfazj}S+w)?{Q}M_-c%|-x~%-$L@mF9
zK0Ul^t=pjaI1g%K{>voxk#7k%dyo&)ZJ*rYp_#ZE7IGf!cq|eBPgJZ^OqfgS5}Mb*
z%I`S<{NmoyV>nA}`yFa?uJdt@C{GVncJG|(%~+W`{U_bKj`03zWlQ(&Z?WsF`d+VR
zE5$Ob1%8I##=e%!Hm~<b08ixFswz8K{|iyLGBe<<(;FQ@%~T>%^a1Tbi|Fm=PBa<t
z7XFlvxo(h*%Ji-SG!uD5UwUX~t}XT{u8$AcuIXgY&rOfM_&i_mRGEI(1F!N=>Oa*x
zDk|PFby{6AMdLoM%N|8IZluN$d=Pwqb5V=8=u1!l31s=}gz$_tj>;MZtFV@G=e18|
zv58gMN$ka+r@afluB=4*9z@-V0JWS}SCXa9=4ZX0pTnj7$&x9i2~<fpZT*{cVcnp^
zVhUIoU#RYq?`2`g(6qi}N{Q{$(1j&XH~s7gt>2#dPJ~TS8w{I$^uhA>5j)G<M|3TZ
zmgF00dc;51*rL4u#m{seL}9$|zAMW8UyZ`AOyEmK>Ego+^e!2sd_9sJ{$RD45S=kw
zv)AS^k!E;pfqs7*(J%Q~C9ou3&neVly-j`^fQo$Z4Pf%u62Cl)0*hkuarfe%B*`Ws
z(|Kv#SN=8JSmSH{MN*~pfEMq|+I_t3?$|jjE?endiD!Q=uQmMLS9b4VvmUp;jHy6n
zua^B$0OUq~J6Iz*Ex*|*lk;b=Hx-%n3uX&9XK!bg?Ck+XbM`#93GkUouUYk3k-a^C
zl@V(h#M*nOU12}NI+Hd`2A^knFo}Ce61Qojd)M~V4F>an+WbE6_2}xJz>IEN_C`@*
z&{oh;v*xa^W%YxOOSrc0=yh2ur4|%TbNrlQfBH7<^Zh2PQIE8$D5r0~>&RaP1ZN*2
z3h!4$n<U35_sauLxzl=<U~VvZ)A|oH*b=A~pH-?2-qKOiYQ2T(|E6(TnkL_;ZQ?u!
zepRTcL>Iq#i<kL^^0}|b>8rOCi@46uow_IchxBuOTm;*l9PZvp$n{@<*S!;GQRD3H
zohz3=h@;@HVCvqvDfu;BH>+SPxXwVVMRPf^X0dbxOyp1BUQvfD00^Bs?xkf#y`|}H
zGKv7SNMLmv-DkS5p|`3o96=)h*Yg?54*%NW*}b5$J9VYEbit_HnX|ihRnG5@>`ils
zp6^MX8Ofuy=OMK(yCyx<H?2Fljn*WaXi0Jkttd2SlZk@Y(@7oO->U5PdRh&$Ge)IX
z3cj~!3eU{9yJcCRyL=Mu&+F<L`OV$msO<52Zh$!!zyKN7Uh;vJA>Ug%o#R_(PXm-r
zpRg~_TWnO!_mNR-7jSM>0U1$HvHh_X?yAq>ZZ0CDZoE1%y*ju~qztZ-tAWxdeyvB>
zb<5*wUghPqvBs&K>x8_8PmvR(ujJpfP6m0&5~G~L+o2)XE5{aSRSsJ3$upgG^Qy}~
zH2lSaeJ*)-ft5-3RW`56TJl?;-pg)qq3*`;xPI|4xxhqsWy!v!{;lL?oKAyXrw8tl
z1Eo}%rgFYY$xT~banRn62iQf-MLXQr=j6r%Zoyt5h~0p6Bq_Gxp!|f0kFvM>-#_jA
z`d`Se*M{lO?!ABd1mEqS?l^a!{nLkPqq2rQM7yfri^$ljqVi4B5xy^kOJ-@nWBa79
zCAsfDX{&i^k7jR*`=piUzrB6Z?-NKCqaUf?eXVyQcdg*EPugn9-L2M!C!8kRY5Sy=
z%|7YHT+;Ac4KXBuJ+CIQIM-=-5kAAYNfiB>AGlEm@6Ko4)*Rkx3FyY~YDU!sn{ZZX
zJ(ZtcF<U%Ne#X?_0)NXt1)0K8#9e?mDS{FKcEC<FV5viOVt~^dXUPXRKcrxVmVa7M
z6zV9emi<E(AI5O4q*_KZ%coI{;Y<sUF6^iiMwWesT;FTkZt%j34NB^OXp~`o`OO-b
zCbC;QM&H;(N`srG`~x(_`1$5>P0`;kxq5$LTvN5&TK`=K=aOar|G37+N^&kWt|{7A
z<9k^=0FH7MAyT?%2v$f+r!IPgRQAE-*>nt5EPBz4;A&aQY|Q=ktY2_c&o%><nlSq6
zZk4wJ(WtG>);%Z3wFNio9sY&Bb|R;6gybQ2ovQJ3za6rl73=s3-{>+0()_Zr^WVVA
zIC*vR%fmk|o6qI&TC?h$#ge_QTIgLhfq&bwi(>Y3)kJ<Q40SjOZ{dFcQK6{gEEF}Y
z`rhk0-k#MIaP^qA@k{fb1^XAiY@KRyqjd8_F1?{GxVefi?O3U)2kMBYb1&6`@1BqG
zkiKjZokSfeG_sG{Xp{n9{^WK3@rrtVYkd0C9J2doBB+Duo5-N3BT`<$IERnoS*_v4
zu1C*&L6$j4FQFjJal6>A)>GC1V5a;cl_M7|vfqQFWmC1NdL3b${NI@QhEJO9T_FR7
zhR6Ot;?4!m%BuSNGXvzH*fT2Gm{y}shG_=<%|I|`V322U&?yxuZ={x#m8fSB??=x$
z!0C8|Qq!)|RZB}tMG=z$mC-as%}ZiA-p}KBK}`g_@P2=5@8>z^3>T^F^Ug;(``P!s
z_F8MNz4qE`v(w{#Z(HHSv+Q^hKG3$r2KTUyl4Fgn2{5ZO?HkMXcPMBQJ(m+v@zo+X
z7AEbPyQ}LX*#}bFbGt=VJ8uuBR^f}jUciswcsbgC8p+y=Q+(gYE?M95cR1n!e{u4O
zlH9l}dMeSGMJhZfn0*Kztjc_F(tgvv<Kz7=)y(nL3@1xl;m2-@cu1_9^W(O{Axsfw
zv)A$Ars%hXHZesQ&7MjQH$^gPG6+Wx(JAm)W6qsLY@wibIQq$*Y|WTig}o}K=GvBp
z88c0;=^EcQ_^woowj4(cQGdn{<CV)GcQ<uVUt6J&r5@Yl=pZTgO9o+l)@_`A#;4>b
z;EjVbE1SC8E`5KO3NZT2tU+M<j(~IB9Ce6ew<83Ht*n0wrRxjEFNr#QJ+xsJr*1D4
zG^=V-aN`YAx6b<YCdfU-fWyo=!yMNSau4ub#;W;X6;|1cK~yVOSfpW~UtNbDG1FZa
ztx)m8Rnv&ASh=+3fC(LiUrr}MUcZ`3qj-Np(|s~^wb!DfLq?Z^Uhj#AiE6&ZRP(~3
z-Mu}D%IrrOlX1KXA(+*@OO^EY>?gzoAk1|Zz~$TX3OMPFHK{DXIfWFxV(OdtQK;2C
zg%|?3C!3=|095ml1#TCTBfS<8c?f8dUi%bBsvM+fatB*P6HiqsaCU7|YTH6a0`Djj
z0E4-op_g7ZLtSzRD#07KBSr$3lzdL{RbB|o%CZsNwkYaiiMFcgwOgV%N@Mbo`z9pb
zHn`Na<%kE=xw*7f4VeLSE-sV(G#}Xqf;nGSvyvH2w^+RfHwp?H0+6GKQ)w`EbA;~=
zD$Fl4e9Jtyl6_HcYHQR0Bkn>GaPg8QPuA7`B|Ppg!GgA}YsRo!`Uvc444b8G^$Q69
z`a!n~`+LA|6V5@Yd<>*GieL0$Sqb~q0DEm$EmJ0@v;D|^yP0X_fHFH|X9bw(e>G_;
z?GhZY@KbKL)e9Ld6%}Z?q<5Uq5_}a}a?3_&i!sB{(oZ;97oz=5r(Cr!jks%4{^j;j
zFX8Z9@GXvC*Lut66_VwHoeu;Hwl9wD9dq=I9hjTcP{WT8Fu3B_{l@Gb%-#pvlD5L4
zIg~*w5#$cwTk|jlCZfsA?mI{UAT+`PPX)Q@O(3G}xw56kc(%Howr=(wI6M$h{Ofwx
z&pqiUx}fb<XP`9ZR&T@^YJpayO)ldVk64XDH826-dcp8k4~o(+Uv?F)K(yPSrp+zc
z<z=atA>}h7o2Z>mWEKg=v~RFP4&;F04rD<AII~CuRwJ#r?N&Sq?DtXfCwq=qE6$N5
zudzd_&TVP5ZfK=`+z6oC0M;o`LVO{=26k;Lj4VF`a53Hra$6B_*zVysYYZ_?h79KX
zEJ>A~y_yzGL0=|A*C`{#ljx5lE9m{(f~4kk;6R#0dz*a=hEYZP7e>U0C*Y=xkS1@!
zs}9yDam1&pjJ`C3Z99;m_KsG&z|w~@q(47x*#JL{?8WgQyR!}qH-n%4otZ|GXcC&g
zq{C5T2Qh%2-?56HPH1BK#7{qE0my7y1^VxXZ3Wv9N7X!LyS0{bupvgUqh|!$c}DOq
z98>C;mth22x9{h-x<@-;Ob}1mB@J=vMy71U1IFZ=g>U?I&52}sTtWJO9B(TUqMh(H
z;Q+rB2Ppl_-Vx`182hP?+GlOP$6?wi!k?6Xo@zh@(SCjOeQIYtFEixq#SpMK@dZZ6
z@VEfU&+zf+df_9ex(zX7J{e@cz;E>+8;F5cw*aB%wEI+3wR^lI?eH=kS0bjm)IRE!
zAp0W_lWZSOuWjN*`J6OKCfvQs+F{gCB2bN*4-+$K)Z4IQ0v)3{$zvZ#ur+<I@byN5
z;A<NLZYX`<Gl-j6j@67IZJR8vgt>2hgw0=Vk2~p)zD3(Q)D3cVKvI0tiB~|zi&rzK
zg&bQ3xeO>+)_=Hs;D*n45cyOdIqxiH$O~L65V)f6QqVfl&SiCDEFp~LK-SjtL}&is
zY+22bUW;pnlJ|pd!R$J!%B*F%S%Qcb%+A6=GHa35cL4c<*%y0Mba$;PIo1P)3!Syv
zb?YQ=xUV|;H6p2#r>Z#IKn7x*WkZX+qw?qqgk;V7&tbeKme>9zT1q&*7H;xw_6+H@
zu<TE;ZX@vl7fE~{5ldP7N|2KrskLHJkkg7qux@dX({1ZS*Sr%XqYr85vkk1;IA7|H
z?nDMWZ*5LUoIQx;DwzGE0b!RQn*k=7wMPcouM(eGyCXJo#0bLYtzAa}Ad7r{EHyc3
zXS7Hq(4OgzpKTqk9RwciUmT)lYWnulJch*ywXK<TgLN`>({Q3&gM)8xt6e>3i+Glz
zfx(<ZZ2<U3wBs{Q)O#prE8uCjf{<7uHOOsC>E+)$M!Fj!rE+s8uK|^AecxpcA$0yK
zVe1+{4@OaLRji;UkF+-;TN<6rBzLx3HK5P&y69lmH^7Pt`QrdSP5#*30x-sH6zI<w
zv7EAg&p0O$#k3U^$y_Qd6}tR8qL}aNDFA3a5j+DFSZL6f>h`^>+O>Y#TrE4@S378}
zUMY6$gvs0~Oi@+VA<BA*WlepyQZEV<vz1^^3oziJ3amfiJ8Gj2RcdE}^`(iv)$?gp
z4QYO&qk%Pxc&bA}(*&*Fxf+%)p)%bcOfd7*$6F1RT8rVkdO(#cHy^CSzM_7~Q@ESN
z?>C+>|AP0at{2<#-O*}M(E~xgk6&RsCw#mfNh^H|;Jj+Lt1ZjEtURB;fG#TL^ISe{
zK998k!<(qU`ooJC$^{}lW4B0gy?kg+<>p6?ZIE?0!gV$%U$+_?i}rzu=qM~KPWE{F
z4m2sLc@M+LV9uGa12<XgFMk`Y-PY#lRG|bjdw0o@AoncXGkO`G?)HJ;O*+W+5Xn*-
z>*a4!9vR}5`Ln8+`8!v|^-8{qDh%ne=P`B^lvrCnQTm!|C0iub3rms*)9~DjyITj}
zfwR?@+(2S*UcpcW!LNu^fnf9m*j(1~odm9xtru2_Mfo#FI^jW*oY~T1zY|+x`kmJj
z)9<vF7^%~0s4&K$?4MYQ6HfXmwQ8q!K~Aq$zpu^KQ=u8~eM=JR?9s7on(&{KKu4`5
z@!Ip9c<s^tSPM4ucO@7GPELp?@G`!uz&!hKZPS^c>#uaY;Kdi+YA!h@x33a`eay5@
zGhUFltW~_=2Jp~$!Q*t(&PZ-opg*yQ3Zf7B7RUM)&!9yw&gE~>CNi;5`6YFf=lBA(
z;pX`6gq^)VRw`yKdfwV$O<Midf_Uex-QB|SH+A0H`7mhq4zO4QMlu7}!r&`s;Fx#@
zt`OrrYin3nc2}5skQ<ADAAJXgCx&);FzcIerD#7!p?M<LG*({;gxNO{k2D>hd)7_I
zQ3#++;1-c2P$dkx!qHkU-_ic0R-e~+J~2TOW3rR_WZbVGQm72xB~>JJOBuXZs4d5|
z5)z^lhxel)MfD>hMfIa1MTv~QM5TgBnw>54>Vmo5ZRu&-I!4eP_>RWg9cQUa9JWS1
zj#ssr+_~j%9B9VA;6UR<&h8+88`Du9om8@A<QZFL5Fhr)12VpUqg%=fl`x5?Dw)JJ
zA_UJQ1{*`S)!_YW`g-uvaqGDfIu~@+6%U${mR9gw-&{<-!R#$zzrvzrzj82q7q$$W
zvt3K>rI*~a$JrgV|JbrtQTyj(YS&8xM(sls=uhpEW1^n8(gYjVJCnQ%*eztetU=KI
zJK3GcQUeWDEq=3&0O|Z--}zSSJiACZ)hh`{@B)r;swaM_VOI71GV3z?*E8e3AGguI
z-(>_Uf}OpPK1LV7SUm?Y6&>fR(GU^@(Udh6WUqeSK{RSHk<}Y}9AAkM&1^YhjJOo$
z=Q!;9#K{hbD@?f5&5(H|mrBLlpcZ6EaCUo<OKgs^k0#jT>>2Qw_qB(+t3n|5rC!I$
zJ}#2)dM-xddgBOXBwh_Oh+dBuqGVJLF>95h+9e*<9%Y2{%y4MGtf$0TYu3wpaz9vo
zEzbH-4A#sYiK*5`C5C&cx6Fu+qWLl-(j`2<ihYHVy|0iRtO|i_X}*K(BTR6#BP)qV
zS`UwH`@y3#9^}e+suL*7DMTfdJL0T&te5p*zom-Bk*~&Cf3#lKpY+RmP@MIo^|DGm
zT-kwm?;f?Sm-T!7vK|}Py2E-|&+V7>>v7hXSyQTkHLG9N8FALz$XcG{?;z`zC;1mZ
z*iUjQ<{9skMOU;d6=oLIBgpx43ayf5{ZEiRj*gYBaH2!wA#D!kUWA;Ic`9%w;?ehw
z1)IJj=64=A{&UM{hqAQ&-gGfk__@(_KvhTgK>hu)L^ml8wBF`tZqaIg%1u&qjuM=l
zk~F>v31m4mobbC7nAe2gHS!VjyQf%HT&2q@*XYUX3qO<B7k(zMFZ@W`9u<A1EQ$Y#
zCEVKpE?AI4N?JCBlNFZsKWnR1glXD@{Aaa(688mGygVgQyY>z@p}PhiTSVXUkiYaN
z4)XWGvQ;9Q?<K_la6DVVAmj4}uYWE5-@}e+&0_(LzD`5T<N>i*Sg*)^DTT%fl~XW#
z5ACZ>w>QEF)EUJutLbumciN_?NC{Jmy#@ePU+tJhIP=ve8m-u$!3W>SSXrI@p6@7T
z^hk%vObMsfpX-eYy3HOd`=N39bIa&{QB4`@)sw*cB0%_}^=TzKS8)(R{g2&rv^?Rb
zLjto({pX#&-s1u_Yz`?s=$FII%)X89-^Rxroe?vVGFYOoD~|Ct{>Y8D^PhgapO(<Y
zctO9Uw;NrJU#k>zz6fe3WWO&TkUiI5)^bMK9di36x==Jlo4@*@YxD7c_%=V}`RIQR
zV;v?`PxaPOkCq3T`<!p?+i`O<yj;1HPdGGAxXkT^N&|et=s4k_L<HUppnP0Bly?7o
znH%OCkNaUh=wbdVpYV8`aG-Cu;1h0(6J~m>JjEycE>5`358=x`;d^nyWM5T_Pna1e
zO!En!^a;nr3ETQ!eb6Ty5GQ<9B{mlmB8fr_`p!$;pljk<KJWS5H9q0_6&@N7#aOvH
zh}P-3<A2B$xB2gi5AlQR`+*zWuJIUtr>Qnpc{%uAR?HuE6T%(4Happjj@1eUY_4|2
zbAxgJ5Iymjg98W1mCW$pSokh}GN~b<RM_dp*2%B=?9nm*-GXVH(d(NZyTk!xTR#}n
zHy_D@;_)UK862b^m)|H)`5DZ>+2<S$bWJTC9U6-zJHkQ|Ipa6ze-ef>myiAo=Mezy
zk7@R#V05TwK)bqb=Y~Vy(d56o+4<OmZY&4zP3Ou7#qByfsJ$b4P~4!*LaW)0TUjD;
zQ4gD2FLw2<deni#VDkrPD!rD2pKIt^S_ePBu|QLh)3H7N=ZDsG9gfY{A(e-R=Zwd_
zbgHFeG)~x3ql8K)Kj13=A(cz-)f8keb^6HdO}{Pe?o=W;uCsHlXu4m|7=Ue6W;AOk
zX1%bU<$^2m1(l$wRTsIY_EJ;!0#}gNCF`<)zSw`+t;bVMIPbb%;Gz2WPtH4Lor7bn
zLJ4N4fOd3*U%38rI{JXGm>M>Rjvjf}^&?tDz~f@7!{cFURDT>i!)H$bzegE|$~!JH
zIh;RGAt`L4Ruu&PGrsTO|A&WNyM2qRF>gJc&)u3h@$E9MMmH+XBjzW3g-7`c4KZ8L
znyR&WpV;CPqc=RStE_DYPwo|Q)eUYLt%8c&h`t2haU%)|#Q+-}18i7-fPL?6dQ$GX
zDvrKKCtPi(lIm*v1|gktmd{K2IToIt`2vUHpM(m$32eqJOl5xJtv!2zGd7IQvPK3G
zyO22+p8xfZ*)5e;{YCIk?Y9YAQ6ss&k5bY|#}0vR9gF!$X`vPF+B!D8#{{;8L*c|6
z^DbjLsop|H7LU9UQ_slr7wIF&>LPn#+*w>P{a_V0F#X#}_gc4p6L$-L#f%0vz`u+T
zV`F(#8$aT%xL0yuOj?h<!5}02BaXtE#cDbb-xrBT-sTKnN^iUSoA!oxv@cZR_2K>V
z{mtL={ICcK9QxZ|4P$eE0)wNvayh(CsgEK4Y3*mxJbp@(o9!se{9y4N?N0%BPUihf
zE~T2h!N<>I^#ppmsPW`7tAI`61KP~l0JRz)3J0F$Ys|@EbT6H7bq2Zf$sCV1^iX;3
z&i@P_4iG;4)(USN9~Rzkm6!2h%L;su6)5P+HT$ns;={Rz3+VSPwvxy8#|L@K6h5>X
zY9>g47R7F2I5fdV+i=)i?>$Q&oPCA(!96yY*#nss!^PD14ImE3CwiDX(BpD_f?U-d
zz=1W5gN8}VDCuhYvZ8|+vN670;A+V=QcLuh&1ag->*YJ%w{|00H1y-|w$^iB;ye0<
zA~%R=FYRoI#zW4T`P3R6M>8J9zP-^xH@QM`nP`RnNY3|0#yj5uhv!xDBQ6D~JU0SF
z0;#<Pm4rlN;3qJW^q7$7VawzBC|>I5=SHilxY+1td)LF5e)@h5@nk6vsSjZ8llwNe
z(H~928?H5*K;7fATVPoKm$qJJ7<6#I32d+GDsxtiNF4r@yZXEPD$lR`x4+?OncQU4
z@_=u)Z(h>>O8AL8-%eAo$SqSdH0$3nuEWg=!Vlcy@J~0vtGgd$S1E3N0^mSvV+8OF
zthHa?y}ePU*Hu=remGVUH<~Oh^U0W8B#7^N`ujq9k*#!}XOeq>g?*P={k(x_R9H=0
zGj4Zdo4!76b@Zn#j;(8=-N@+ryFoH|?qh;Cc1`8_BD<l#!Q40b-1ZQaqk+D>Uk57Z
z=ikF`jGf9z(*-1ae>a5R`&bWBn}Oez_gQpBQI}b`49_WAYEL^sf1PG~wm_-H<&6pT
z)41rcfh#I4V9)`0*?2<_jWoosYc|G#rudo7VevDY!>Lc+29<xL!l|t?BWt@(&deNG
z+jSx@#Wi${?rLnmCH7$AuDxQ<IH|CgUTDdE3b!1EbMTwkGpY8K(hNQ)$;R*@sJAtJ
zcFoT2{%iSuKm#4u^^__v8Pr$K(E(q^@T|!&fjgSRsESR+UZR!V<~V$+CDB;`V)N-O
z0AGQ-mDkS-M&GT)>%}FmWRJKdHNAL;zPo-GEg*vSIdEUMb83fjH)gqR{LqqHxZ!sg
zmPO~XV_tjeMDlY#Ru_Gr$h_Q&=5>b|pD3REAc4=$*uGrFaGRuPGF8Z5%fC*2CVQ7j
zPcu&rYhR<LQx=*dly1h*Uf@aB$@OA#Pn51PZU&lD63O1?AjswU;vM_uhQ4j^|B|`A
zq21o}%3f^6_vRfUET%kzd!lrr)zS5cT~Oiuiu|2s6N$%}UcAjfL#G2n#j-=>ouS^9
z#P)JZKrFsrcx-3Q$`)SQ370%q7ae4CktSosJbl9fXeP@=)%^XE_~=+-+pw}5!o8AI
zBabGwu>j|Luw}SOwFGTFoY@cIfz5ivKJCZ~7uh_+DP?n6F?+XDonW#@x0}EZP;*7{
zUwrZqpZvTeaIz2aoaYg~I|^R|gkNjyIwcxJ<wmcQc<Vz5eETQm@da^nsY*@0*){TW
zN=@QUIId@2DgB%*9<2DCkz`tWcah6?x^L}gx4Cc0^_m&A7G$;HRdn@U-_@@!w#+$A
zK=k>F{-q8o*ez)!_B$)e34hh-?yg*Rpl@_{-{`-z{V_=9ZWoHgqs{XCz!2_}4t12G
zc{Uau-Jt?hSX%0OeI4Hw?LFw*TX?HWzL@09nP=6cZd9S`tWeig(b+_o>CN5$UFZG%
z<X?w{jfAh>Nu$UOnsj{KL#$z8J6wTGYtP?kN%HQ02n?$ehmyRGZm*H>dP1HzOA3cH
z@!P~NmSUa5_#MvgaDMSFhhxveAuas2@Eh`rBb-C<($(3??-YKg@H@4=aCx^nknfxt
zj{0YiEwVXnFPao1<LoBF^DP~Zm400)jLxjXz;}`~GV3t>{ToFx>#*`W!eTzqUg5Z{
z$Gl5X0e6&VhhUZuc9w%v%0a0#e1>V|psqdWFUamf1HtTp*505XcOVJaIn>*NDqlxG
zy1}8%XG!?_JY)XVZ+@m#4|dk|ZCib-d8qyw*xEB&*3fE$V7eTXIBv1|*)#d2)DSYv
ziDL)fk@^H~#$0Jt>q{$`+REqDM;kcSfH7=p=M85jR!!-THg?*I+c2p;-!p4f15hF6
z>8b5ETndh29nvuM*H&n5=IUiCAiKt^KgsK@nZ;KU+$KSZCxY2GK`nUrR6KVFOS(IV
z?Xi<TjUL$S?y!&EyI5DcdXXarc_aw)|5TK0KN5LQQi-g!+6#-jsSh(`aD29crB_*G
zeY5QahxVgh4|3m!k+BkvG@7iqXzKQlU?DF;f`PfQun8f8u8nWYwFO$9d!6gdo2sI4
zY6D45CTcC5bXM-AuB{43G~!Y;w*^I&|D@|3>byw@qoox3`n)i|GTi;qaKFoeQ84#6
z{JYS$RryDGeA>Fy2T8QlocH8+!N`!?gqg?I>9V41Wl>{I3rArlK86Mg^_ewWp7zY7
z{Id23pKE<{*-(z)I`Xfk?!b3M-(O>R#_fIH+S^C%nJlCBcy~GJ&wW5Fn0pb8*p;zR
z>CuTali0IWK_d4j2Z@)|D+h_xhg%Eho~64s;yPjG%wZ7M?+JDk4uq?WgX+iBPRh>}
z5i&(0Ks=`f*=BYF=m=}ae414dSd7`r`Do2{8wm#aUqYbyB{u_(n#_~E={3ywJQu~k
zM6FD(>E*>eMPaHar!9EJ1dnio87_IMj=G0#!<~y@)`?`Xi%93tq+R^@KicET&Fljh
zzuq2wjdV@hO>S`JQ6tj(6|A%WEB+Jx5VW9vwY&Tl2h_{p@D3MZugU_m!%sOZF)G;Z
zb#Ut4B;IY!T+-^-NP61!J2RRqBe{Avu#<cPpQiy|%}&ZI%X&Z0t%b!6%#1FMriS1;
zwwVvG{NnBrtAYi11zuO0=q0+>*0MZ}uJ4kM!(JvLp+M7=;nZ4@xKS0qBg=fg*m`Ie
zM4G-x6AOq!HwaJvg$djb?(S-UK`5qm)NCDyoYSDDukp;_G@33ioPF}^)t_&qZgjBh
zAgdqh&pB0!?qTRopXOt?;y5x|K&*prB^-MN;vZXq8gme=dqOw`76HjA@FOhPNX&g}
zD)>=F@;oPo-lOD%zg5<s?xX(Eas2~>>|pd96&1YX>MvB*?;(kwW=T0g_DW2{{Ep5*
z;6~*kY>m0cxJ%;@)S`QVMn61yO9-$aiLdP6N*%!em?Yqv;N9IEwM4UsY)zkD3#mR0
z+p$7MXY@g&Hd|g!!$mc_xz!HWIS&Sz?-JK~3zLb9fPn~se_`*l6JIs_Hu_&}Mw!c(
zh?0^(NdsNf3W8jqvM8nj6kXx&TDZsi`u20<l8c<2g#B!{$=$)6JLq6~%x811>C|A+
z`(2{<aMUBnMjWo-fT(@c{an6*{)^#~F?)uppp!N_5ykHaAAC8z<_k^|ee>ZknDA=m
zx!RVIZ;TJdEgiFOkZp%EjoGzpTP??1JG$lh9*wgY!mf^<(Kv>Sr@B-dSOfc|*KqOl
z|0tzvMJKBC))M)#o4j~QOZ}@s_A?aLrCTi$I7=Kz?-+f(s%#C~9>YEDK!&GJE_P8q
ztbI5f_2&4X?FAf|x8+xKZP`Y#o$Lk2F-;o7n89kHrT&c|_YpPBHMninFrE4}NH^xG
zHY(jI$Y~kizM6Rf%BC>PC|@XEOMZPhc6%s8$uHr_L^dsKS#aB=i0b>s+bO%HUc4k&
za97BsWA29x*)qKb43YnU@YWbZ+~j~K_Xg)5PYNEI0@KY2MB_k#^ci(&KuwQa=u?E4
z$>{TB7CmbuO9i&4g6uGjtSR-aF@sZ`BUUh+Y&Y}0OjUiF6^%~YLL1gDH56!FWhh`1
zOrHFg$-_vfq$cxRFPqD5l>Ed+E&LN>UEe~7Z}Ge!WesJTJW3kmnX08oyF=x?j~CU+
zF+@=a2yOUpCuN9r1Hd=%^5l1@Tzo9|Ok2>_-0bkEE#KT6{ZoQNyq=HY(pk60`EqLS
zF<dZ{+q7W8L_8Q`NwdFDea+&oj}TLrSu$2u$FuZ&e3}2?)q4&DLwv+#BHeinhtZAE
znXZX8ktTTHFEQN>Y>Qzoy!Es#Yvxnv;`ExjV)#T$@B>E^`>#h6F9)+ib#8y&+M<A{
z<3as?I>@br`pq}TV+5k7_{a8xU>fGU_mT-nHd5AmrfQ?@7`D0<eLuI3=p<1Cl_`No
zepx(6S*;WLw9D=Y1pX7hf$!q`PA%RlUJ~6)C@JqS{TkOU7^X*wjCfFMuP}ECZk~lS
z!iZ>@Tdx_4n<D)1Q{VV}ug%rAHjBW~!&&Yeq^*kw7j0t$Z_y~ZcOX9zNzxao8Gk@4
z+@aOcd{r@%=r?3GbE-&g_%y}Elb!k5ti!}uPM$Ji1!HB(HF23GQ$)yXYFmRJEQ>y;
z(OdtQv)+hxGbQ647q26@uY$pXFV?yyjfcxBD*C*!{}%K#r`PQT)8Mo3VNudxV5vx8
z_IJ?E2X7}Rviu17Ov4dP)%r$Xqay)>7Zu8KKrbNO92ub*yPW(TR%7N_X!4!zAp1$$
zAWn0dd6r3kr#HxMM;wRABUX)ZT9o46Hway#w^&2-cO*sMHSQJjvJ0sqVO81Z_%g&!
zkJ*yJ)he-E@}G{)S)<;q!uCm7$L5MdifYq}=cX`xm<eEknRv`Rm1K3&xnc;(Z!>cw
z(c=rp%!G$`ZG$^)TUFWLv@LDTPnd~3lvX7rJUeeOLwiAesvu99Wcgu}FlRWu^BHTq
zM=d>9*_5WWjMpYE&<{sJidNW4XU?5j%eTZdW=M|bjSNX9D4NnA!6t(GBB;ep!PHpZ
zr`4J9pmuYkdoa!ORm&?0T)ut9C;HDt)t`&~){N>T1*$sK9MNdR5uppX3kJvNJA>&X
z<4on^kKkG5V49%5h|QLR+EeQ<Is+S8+tYxT%*k&})URRLPoFX1O1JI=xhrTO>SJTc
z>Vhfa!=RDLr7;VN{>eOs#ksb%DPDRf72`Uo+kO^b%TH-ngcA0|@++>?sDNCFET>*D
zE(D&^S9gK$;w*L%23px}TVH}XpJNVqGkmZYPw-eEp>qYKCxQ3YYn>E3iz01>1KE(@
z)%BUO<a?`BRLVE&YM1Y5^4Yg9caZ=7`YA5`3w+bT)pQC8vc!)Ezc7LO<VeWO-%5GP
z=b?d>h>^-#x)k)44r(sH)y2D(N4hs!w(EGB0kc^%`Y=%;wSC2|Ok1+z&`Sgq2E7gB
z^`i18H_Vp&d!=*V6Ll@Q*{Exyt!Zq`y&80re>T>#h7r*YutlK_IY9k$qeuA$Ez&`5
zKDe+@qloT+*^1%VS8BIvVrF#JGL9!^5G}#2+vsF8mo{~^7QI@kd04wYhr5uTOM`J9
z4FTBsYHu%Cooo3_3Tig5obF~X{gP&HLKs~}HxpUQNhsMH=_YXo_?XfBQgQ3`PtcF%
zkd!`S5F`D#x~KCWkFC*;G;=eQ%v#4f0%I?e$@Zd)FVI27Qg*D%Ffbl#c9(M68<3RY
zL3A#;V)<pWW=m5QSDAZ}o<@IxDp)deUQ8VZeRv_|2mo6aZ{~%y?;;AHx`VlDn7MN(
zZ^)zG4bJ}y;~{X`^CokZ{rQz~?<#WSm*khWI-faDuEg+OnuVMa+VXdH6bEk6F=|<G
z{<*3uBUhA4;WlTjVBDQvlkPf!_UihEBFE9b+D=j?aVt90yMOJ{c5XyJ)rwxHBi|Eb
zzahA1*3@+k&a6E*nEe&^IiPC@hSh8{gV~{r8E7$PYP}CJc+u}DPN-AoKTe-cd8O6Z
zNpuovF}Za;rm+}4JheqM+SQ|0yM7wI#*8?*rlWB1OnjkFZy&WJHM(Q>JMl*sj#`eB
z)(6AjfJdEM{V@MnNB-XS{5_@bY=aN^+M{L~5Zm)RHA{bH_9<bH(8?*gZ>#Xvt@FNz
zoS!&U&Ae(}I2@HS%yURxI4U}2SU6xpQ<#4t%=eVGQRRB=rFNLkv8|0Gj`HW9WC#bG
z*%a=+v=lY?e5RppP+qw~rW<WFHEIu!!+*u;ux*fZS{)V+oL1T{pi~}>e&Nh%rBxr4
z*Gt(LQy8bORywT#;EC^GI<yi1xbk#tiaIvxHnJ-#?NrFqH_aS9zNW&TUyqanH9a2?
zG<xa;{p$R@fMx>=gSOStF^t4|T}EJ3igEf%@}`35n`Ej;&%YTBvtn5_#2Mnc)K<|C
zwkD6&<X%On$WQu?0>X&y(tH7q0f(2B@!#HKs2Gn9658``7#Q30e{<m5KP-GU-2L6K
zc2!AI9FGB@21hqMs=Y9@IoxAAe6AGF`cO^jB)}TxOYH*y^Bx1*fp$9!9>K8KruUNw
z=l5{KqZ>~5YS>fmulHu!UT9E1-cdhZ4+|rh(Mdd6FzVs1roKtq?{(x~GgZecrHS;2
zg?BIOOQDMi9^GE}K)CyB;qI$J<#Qe?-9)!sN9b4W0FPL$N6JIrZB<Vc+%`|G{>vc|
zV=nA3>~$kQ7MkJMF!gE9tl9_IxZCsm6b@ss9Ig!I7=&QHT)$@Cd*Dp=8_*YEbx8UK
z&}~o~qrZ?k*t$P@o74wm_%s-8g&NT)#=0`K9V25{rPFOVd($$**?n0!;Q!k5`Whhg
z?(24V5Ekmf(Y0NF5)g35Q6Coft|?s(E7cJ8(XrbAI?G96y*h6luO8Jl$)L7jOwmz5
z8C}=${8ZsTpb~|l_RW4v(x1csuxIw8#t(>r9E<02)bw{9o!C3x=Pl_a(LFb_xTZz+
zT;MMq1F?AiLE;pWylTs5x`pF;=eV($R_4Vu#1SP?tn|^iU}g@VLH2W0Oxk69@H1aO
zgM9vZd@QbE!7Y`B_|`H~sRUU`kK}H0KaKhsq>RK#7rMBGlBMgCLL-R_vUjWQy!lr|
zE#I;@jhMlA3yG!KN!}@z_i~qa8Xw^xWwa{EJyp5CoaB~HJk>>fS~;y&1@f7h$~Pj(
zH&6K{5kFtagOq!5je?AvpVAgd&MWy$?MnPjN*?4hUCW0eY9c#^5a0B+D;&E{WS<>6
zk7)Rh6qNNxu-gI_)D-DY+-Fd!(UquI6FnKhS$_mI4f-Rf>CvAn@m#&NG18R~kS(q3
z*NhU4<yh5h8LYYAy24Xj;g&ef`MUJ=sOEBs(_9IGmx`yxX+4=~<)Er7ml*F#2+)+6
z8K?Ew%viRbjH)Y_*v^#@z$tNAoYrG=<V&c!a)~Fm00=#qYvV|O?SoJXXUB28u}XMJ
zT1DMFMRF;*aOGHDM7o;DThCz;T5Jy=-9tCNUa|gq>P+n!X3m|0nYd1~um(SE8voCf
z-mquFl=-!?T0M6vQPZ_P+_vyq)%;O9P*L+K)a(*Io+SK&c1vGQ5<ZqBT%d#&fy8l#
z6q1<Q?@;@DsnO|mNu$$Tqx010@T3YG&O5+pp(W_})%E5|)%{G8Fd|8?M(-wJ1LNPp
zwcn=pcVnQORUbapwL4wyj!kN@c5|xU655i4AF17MB?;q_1Z(#Y65x#Sct2E_y_}ih
zB%?Whqe8B&PPHW+Qw3mmP?eVOr6l3^YO98X3jTVQI84G{6ZF^+e-%zu^4C?=6!X_{
zBYAe!m=)&U`Ei}0XRCE-s?U#WDcu!k9yi6iRm_hAUB*oh2l+fx9ZQ@aXEd63?{tVM
z*=WTQKcE_o3zSkxUhxk6s(YU9Is71>SM0`BJ}xOB=%pr5pqGGgMbE|_<-4?Fl26;&
z)W^xUTKQsLw~`N|t7sR1;@_W_U-4rHiU*xJ1)sbv<N>tfLjOC`evR3Tv0P?#OopjG
z!!-Xp#eOa0b}pkvC;C?ce+1`Sz=HGQpp|%XfI6^9!z0^GaaxZpcKRZ=yBw>U_2)R~
zuUuh`nQV_*iUoViLDj53SK<_v=*g^faVoXi2aVmRCjALdO&oUerRO&fir)+u@*bVw
z=)(U4M~`IK8{#*3jKyP9*Ab$({h;@T8b|Mq&|VX?H!RE_Jlt;@9BHg<rS?0jYk!wM
zFSG=0FC5K0BGPy^Ns#Mkm#|m~_mHrm{)qq3pM?K3TwB>6V|vTgfxjo!+3?O*JC?8_
zNihC%e3I~3l3*P;kc5r!AKFj&PXjP$bOXOu?e-<LSi6H%y(PSqBpCmBu`W)K=A>fa
z50X&9e}ck<nJ}N7#pP{u^VG`Pq>Qz4xhk`Sw~~Z^3W~Ex@Ny)mx)rCvt9TtFKjEy~
z#NQT9S6y4cLtOh-*CD=r@_(p!z`L2%^`<Wm#;wfXm<F$0$xfBruDaw7uCeldW*hcE
z$eHVckg|$)WrwTm$E(Z!qt-@U-aiP}KN$CS_MD_}g9`6aU3fl)m4A!;jnam?R#vu<
z@$=OgPqS9i<Pj|$k~*=l1!8TcG?1r~Pume2mX<Mz|LX#>E_DvVnIp9q&#Vvif~`o?
zv6om1eyez3r(@B!qYRUBe_8jo_!7n?>$-04`}4x(>d?5PL$7Lno}+FzKNahPP88`@
zSTKd8>%`esnYp)x;464cxBA2%vDJ*_Kv$v>ga}8QUs$rtbD5R<vT{(+)nDpU74R=k
zU>{_{TWPs=Ooc@iRdx09U9YMQL{DJ9K*UHz^q8!z>IgOw<AW;ggDPl2EBp&rc#12$
zIbz^+S7N#=u{mPk7hH*XuEfl^{Y{90Lsa6u<iEZ>lKr66tWM=Rjg8txH>o8X-fizt
z5jI7W0g%>uti>&HR8QC4F2~Q6qY}X~kNOUlajeiwltZ(Gv8N4&tbkLgpl|-d<znlP
z5b3Dd$v+Ik^a*O}*jVbwuXS6w`{M@IWR^^GwfD$;l&Kp#Qnjn6`e@-tzoGx_^uJU5
z?^ONfPpNmLH(!|k;{?;~h0nL?V--KAKgVoVf2ij_>yPWqRCVU6>du@*XZq=DD(uHG
z9tT=&I@pz2caz4Zz_2(lTmdY(M5j6Icpl`{dp+QryQ@7f6Pxz@U+b5q28W~W4stSg
zn#9_<%i?+pl|Co5lBW16Alq8lK97COWL}P6mhT+M1B^jdQ*V2~(v~i(8CnKeos%dy
zJQj%bNO)2I5ZR#6aD^KC4tD$mHPPu-!Al*-^*ST+NxZ0Fk0|Nk#o^&-8Et0wR=vee
zv~RaHw2%6S9&D$gVIBFY*c;uh#KIn+uj^Px;kbIM<xkd|S4zuxJ`5Qw%r7e)h&_o0
zrgLH*?JQkIl09F$tTfywiEWXauKiOe&&!nIaV0<<<YXX?YF~ibhnHwd7p_&hY1!#&
z-=5gFCG^FShIP`Y>ubu$Ia_BrH@YI;u|zvkFJ)w#Wq3&+uarK|$A}e-AcbM_^QB=*
z!<Ih(s8eCJ9^HCOyg$=1Nj>R(zj5%ScOzbkj-a3JTkWCq;m{qGS#wkA0+j6<{wQ)7
zeC?Q*M`0cq@e*aDuM@AkAK1Xt_8Q#HyB&a87<he3LWF4Wwbo#pWK_s+3!nNn0+a;;
zVIx9*jR^UjsyvhOr*WC!v<8mu8aZxkigvUPrJ9@ivJ0C;3y&wXur;e)={N@I5>_M$
zZ)$Ctm?YetB-D>1VMLN}SCU{f-bg}xKCt=xW+1)(@Aysc{tRnNAm$jK_2q&!)%>Pn
zeO;;sbGVm&Bgp<#VJVv5EUm>d)8q2F&ucQfwi2r~m9*IlgFw3p-;Y}k)u)~|mTlTF
zFBmwbSTcz{0|wd1#@QTtPCBlIIEI^SQ9LIdXOo!hO!C-tJNbR#wHn+`$>6?u05fn6
zU3CdNCJ8p`ACTbivx=WJipY%R7>~L)$m;zCV9=g_TYB02L%i`fK7U_ov;gtyn*ziW
zBI+5>86bG?i0(92P{}+pK*!rN<Kc0SLV>BrrAR(dRQ5+JZ%knySAG{|STy1#5!H38
zC_>h&mGw7#^!-A5V7{nt8M9_Q;ic3)@~J&X_YK;QyTe|mS|$cpUwR6M45GBh0Ay?N
z>{<ue<EV6<l<}npG>^)#kPICK%%9-{_TKFayr=Xw4>IF^yCeT(d%k-__qb&Phe1~Z
zn{8V9&0s6>Y<)>@bC-J*Xi-iDVp8nXho{B1W>1W5%~LHORydI3x0)MT>HD4#?vzR5
z(v$Q+$9P`!9j5r<HiSr5Wtcn(%9<SPkMAKSx=+#b#1*Fit=9Y<Q6Di2=Ls+NO{RZW
z(ekBaa0#Q51jCDSND!1O<h$Iu*2(U+fxB#M6v5-mucOv(&EE?`u-~K6r{4ga4jZOD
zW7sgXeD|n){^0Q81A@K7hsVTbM~lt=oErQ}u$!x4Tj9e(VZ*Qg1p-{deuoU2e^7_@
zN<|+Ji)S-)5vbQQ-hrgw^boB>8j>q1Y<!C{6KV6qucxr_p2EgYwe<W^;K0`!+VWkE
zZTWBS6r=WS3#SUM->L@R{*0iXydeIzdGd?a{r`x+Ir*hY{gH!<3g&hVP+Px0n>U}^
zQP$7rWlz1=eC`9@tT&(c^MsS1&&jTa@_at@TGf26($xPO^NAVv`#qn%UjTkGJ+FY@
zNsM59_-*EV>JIaNF`x6*pJmnkc><{Q>rcgcrJIX>qdI_RxK10!Ms+#lZY9e5&9Cr)
ztKV<3Ywgfi<)&iXRI0(u*~uF0TD`#U*O_uX+g8;x(0yqI>H1yY@5}rt+2=lmMPOJs
z5n<@e#&Fa-cmPG>Kwdi=9;W^CQcH)H?dy7dW$tJQN1fQ%^;mQuc`L`^u4_cPv$1fx
zAoXxHq;8-)mcIf%|1@Eg{qngZT^pU&;(KWXKV`W#LnB!0GIj$#cG7q1r)v8=pBViS
zJI{q`QcWQjSlB;z6H(GTP+?(_!oC9AKVPeF1Ip#E2!#Kk2Ju)GelOKw-=~xNA65I*
z)kz<AR5dKQx$_lOSX8nfr-Nm$+T(iq#>>{z%LMWb>L7_#N&UGJx2Z%WA|?kSWn3(j
z_1qpEkuP2;&7o*?vQVKxTiXncIwCej)$izVc|EI=cjEn9eH%xno8H8&M1+0MP24+V
zS}flgr7q!u4mbxk2ig1RP{rQv%PuX*{*L$!?d|mXo7>y%6<5Rd632POZ`R)Kkn(t0
zEPrT~yvP1-jOyOl{%*Mv{r>J=!pZ*bb?eb9rRTV?!c0gMJn?ZSc0I|=YE{3RB)<xD
z`lMx=bd%%WHH2Poe-{?UG?)JL;@j&4wNFc=`86MXyGq}=;r(5Xbc6-%@6Kv&avN8$
zk^P-m%L$h1H+Ns*qhfP+pwjwp?#l3!@G*=meZR4t9cGHr(O{Z=^x@`0yS+(7^xx<G
z>Inyi5tfGR7U?Cqs-4{iw{+~w8rhdMu`e6OUd<$yurQ>Va0_5d_I7-GS+aUx7v}G5
z&j;=KgBwr)fQjw-3H6AR_3ZJ6Yd^^E-u9TR_M}Z_K(w$^40JgAD@Qf9t4lFvm#|Zk
zu)hufjz|(lBnh@b9GfJ3EJ?6^;O-=p*8}9qLt)DKw}R{k4Xs9F0|cAzNqvpEy%HRp
zUzj$(qcHVao^+8?l=-{jg}2vb-l<D{D)Y{O)F(3U)TWvi4p*nUl9qP+W?M~Zai6$;
zT5ytR_)Fp6iIkNgg=?hi$F9c1ES80+XPo3NnAEri_scrMr!_m=GMxxIojHsZD+O-^
z|Kjy(TT6}CtAYA*>(#KX$0*U{>Uc3CzLKqto2mxNJS|>d&HBTQ>TAiU4B`=0SHdr~
zS8mlgpA3&%6&83ie&7uJCJu7;RZM!Zt!}<NT<|#T*rm5=KkCH827#+sUGY5inUQW2
zA~uYg(BR9pEp<g!?njZIR2MmlB0!-`A65Kx8nyB6o2E7Q0Q&>S`fUHG9Yg-F<MYd~
zfitG@X6cUtO`hG_6Qz9~b=0E!ihRSgo?$ATL>XkI9o8mKI$z!|W>!1$@0RL(nY9dd
z1KYdTZE$elJA$l~owm7K+mU~+^g~kcP%^|KpMO2Ps=YA2p?&oD`mxK}_T$8Tpv;}g
z&z4MYA#xM#tY(CN$i*LzVg%JuoH}(9`+`Y(e2tvQG`Ixd`ZK0ysC(L%ygg|AH=eob
zcfb1`ahAw2n66q&Q)PFp50yerm#s~WrrXv$d``?r1zHHSC=e0|73d_;slXHhQ~Ews
zhQFXUhs*eIBDmPJwtR2AMKK*!&8@tURI}*W&*CfKA{Y?+!{<vQOK)QwAIVJ(?iT9X
zi+G=48GZFJO+st__SBYwNHi4IrTu$p81-wNZQ{4@hYObrFBT+tVLQt4ROu3KND>Tr
z_avcGpX)EKXI^x;a)u^cIu_waYyP1iJ6bVt{EMtn!;Z#>9d@j=X%TiT6YALh(e3XS
zw~$n-QEU#i>h0W7AOa#Q9M%wyKCHfSvWx7^nPZk}+F_3M%q8PLUQ@%CyNxMF-+8-|
z;k#VsnTnlNL%7Fyvg5%|7F79(Omqi&y(Oy$eWTmW^F-#k11(>EBJ<p#$|g1`z&uZ6
zo;#X{6JVY@G|v;6=MK&DMCQ3e^E{Dx?$A6>WS%=T&l9Kg4fOZVr@1-3O_TTIXEhnT
zSFK-WTzV&&wt2frH{Wk*zL#jeLnb(6f;E2)e-|9tPy?0d<IL{DYc-WGRL|HM&sE7w
z*aw;n?dI#d>&=(UB5eO}{j&L*_BS_QCNw(z4_FY-*Hb`tahiWhotk1lUr!RTk@?Ct
zD>qXn*1U-+yI;xwzo%@lUw_2lZ?BxUr@5f3d0V01jm_IOtgz8S=B>={E9S5B5u3k1
z+WhI}(ZYF}zYh<JS8k)Yo1dwiKRB``Fvv>U=2Z8>KL|?4t!l;A6RuwzIs*e(u;U%B
zPP2;a%}V@gaDHByieH%@7RNMZ_OA<a-y?!6Q0IK5{kXqT=u4Knc6m5z$te>s^KA-8
zPiVyM)ErhF-qe<FGF6qWX$+-JwQ>Ai#1tUY(@>gi1fA*)2OPzOKEc}D)Q3hzgBhC)
zW~Fq<F99u=@P#B{niBq&B(x+6*D7IAk}xJoFu44J1pKo&Y?fdVWcLJj1(VktOfdb7
zL2?=(dCP%h3?RXvTvygQipS2MSRB)o*?$0cMu=cly6`7f_@OdXxMlcoaDGn7cbzjW
zJnsH-5&&Cv%3%q>b^%~;lf#?x!}8%kr=Y~EiGeNNhgHB$o0QUl4;d0X0xt*$jD}U<
zt87A3-wg|!1ioXFF|Wn~xAX^Y!MTK~Ny1G^xFkt9GD#S&gtL-_qmzW0N;ob__)3ys
zaGgj(#d=hjJw+U$aOpJtj9Q**v-xi;fInF6hJ~;(96eXqc*@YQFufr>Z&?itC>(ub
zFL9@CU6?*Fx2mhLhYw;i-AG=`yOtPiWM3N=w4k;$xswkJO-Al(4@e#y60V<Y;R&$N
z*}W>BKfER6aDz`ZNDxju+bts#h9eq%eO_DP(i%FdTT<BD&Q;o|xt+uW*@$rA(nASb
z>*T0={WhNm3+TdZjj*i{J}Tck$Fvn%9@hvtzYR<DawWZ7-LIEP4-ckWhr{(Ndb){T
zn%=u`sl=d;!ljM&WA2(d{4fiPHN5=v$HQCydXM|-*!_W?mPg6TsKeFalC=Xn@-3w>
zxaQ$7KXYXVFSX@6dt<0VpM@JWP_|oJni+ibQP_*wehlvbt-h=!;uL_pc(u+I4)0Cm
z><al0g2}vyjf*(|q1hB`D{A%5j>7S*XN0B(*~4grlkLms7mv!an+g^*6i->sHO9fG
zosDa6yv?rTeKpb6xZ;onVJ6c{kVl!#j;YrA)>ceSTpkt*SCSGIzX(^oNWoyi$d>H7
znMa4UD{Z50jdWdZMZ|cI{VL<@=14=uTo=lX&&W&?LlBW`^N2zKgQnXX4M1*vwL?Go
zcUoQL-zjA=TA9keoz4Ju=%7ceYDupvJ9m;P_1CdSvsJ8T+{mU0y32K9OGo}VFyX{b
zZAC)j=v%M4kssGY(BbVk@YWzetaU72_5D#~ON|Y)bk0;8V@^i|eUAulHr?J#+LKq1
zGW}{kIi{AFwzz?A9CnEL7@~(rxE+P7o6|&g6n@n_hu@IzdHUsKqlsS&42uK96)3%R
zFNh>f2w9we5K}YgI74*~3q7UxwA3qqyGNfO`+a>C%<VyXr1x)@TXFN1bor*N=sXy|
z)OP#vDQJGeNb>hmY*PNDmPz>&!uI@0oVrY?{~_7g2se=|coG~&P_#~Pc<D;IXzO)Y
zG1Z>``b$zH*7ZGVe9YjiOIq6<<3Rmo5sH)!eK$Hfl|)}W1qaI9`wC|16qQdN>_{no
zI+r7F6!r%TYUb3nXJ+>j2I;Lc{9bdVzJu%~V9AD#?b~lnJjA(uZhOJ};o;IiSD_O(
zX=fCtJ2z=3jM<sjnT+ZL@#6HjW0zYC)8mevQtsHcbMSap-7(QbQ{1}{UjwXK1B^JL
zJ3uw~GJe-q1({jakYwHB$*!RpN9*!%mQgvS3=r_3*mR3=WB4xszzNiUdX$6uzi2he
z@sBn|EC|W@`ksGvvgbEQE5k<D{LiAEireGY(WQ#p<Ja@)pNx?vanqgksd}NB+4jw7
zmXpZ^hVNgd=m~>ynlAQ(V&65@9gR+-?}n$j6-t5P4x%jd6YBQaPnaH0A~DghfL;f6
zR8dR?rId-Ml47E}-Zl}nO-L#lE*f$}1f{F*cJOB_rkke@)%7BAz7<NyKb-L%7P5b3
zF#7a&r2omMcjl90Ct>p{I*PHSnsDAf*lt!$(ILrr6HMIh2#1N2Ns8Wj>%Ds1_XA<-
z#z$nn|I#ySYl7TYn6c<m!Jr>(JOAQfTcovW++HDImOUfrjz9%&%PEt`?OhGDjuXV7
z{a>N&=7CmMdVNmM8u}LW`##UUql01~M^~*CmZuq3O?;S%=+RlYT%w!~#J|pOVYb9L
zyk`}s@Y|aIS6H|)B!r|XMN(`2uN}v6&x(Vn2IJ9_2QIWDJLKy8CCZrpz=&?NLt)`!
zzt~;StR`DC@6zF{EqrbHU#pR}{GQx&vrWG#c5H34jlL;!umRv9N;O?D5B}lkTmxTT
zFIBi?m?izWkslm-IkoWa_jl}WH`<Cr^6VeJkE&rH4pj!qiAizq0Ar${ll{rS(h-lM
zU*F>fSI5xi1B(L}pb#7w4#=s#^>kB+eQ>5jrKtFi6;c@+MQ6l5pvEh)Z|^J{M<J%S
zz!!=dV_3XIVry8u!Fp5tb3I?B=gq@4+CeJtFp0#`O}?)N(M`%y?Cf;y<Xvqj;Qki_
zi}p6|nWjnFyi{1irGKG9SX?|(9lzJSN~b;&7H&{<A*b1oy18Z-+hg>M7Y^1$5yROe
z44!sX-4~Dl!`609h5Xf?f7moHQzXuMghPrjOdDo4E{YY0HN}-a=KGI^AUk{u#XnLy
z@Nd#P+-Aa@<TR7Y6c|Zf6WCf5C>?^MRxhUw$KHvfgIG>$36JaRD1NJXq@1F*XvrJd
zPiX7gxk6uYR`c+V{0maF&Ntt$L3X4nLqr-bIv#1)G)w0^9A@6Co$;Ztcp^&38StVP
zN;MDB)!J`0x0HpzlPOx!_Mf?9juK?u;YoXV`g0I?foCUhRuew>Lgp#F<9tC@JvG6E
z`-|b_=`}mx!=`7<Ip%NazOH(fqwE-J9`lJHTVT4>xfV1Oh%5{)m^GK85?jPL)o0S&
zT2Ejyi@X=PwntEMZVlIymx`V1$R=S9gUMPZ5bs9xJ6Sy*I@GNm``N5(9Tj{^AG_U4
zqEo6QQCnxra1F`DPV*i=cK_bSAyieq-G2N)7#P>Z_1*?2hkW@JK-XtCJ*Mi^M7o*C
zz~>6q!2&Pcl)>`fWQyb-vSL0BYU~U{z5YGxIi^Saq`hEmr$>FF>!b2plYh84c6nQI
z?BYb|9W>+AF@tBEgecg2bA8Ar;T7bXvY1mpj5svS>>3dI(Z90GBhaD%CvFqazhWRu
zpwml8HY0p*WY-WKtZw7qs=cl?e^>G3<;Bw%w`QJvqBRq>wx-t%nz5xewZZIf0dHLX
z4hm+EVkpJ2cfp+57xFzp-zVQyyV4%H*CjFGoLTk5pj#FbQ4<y?LK>)w*(?-p>?H<3
z*v6&cuuBiI=VvP+EVe4BM3mN`pZQtwGFTh?jq$2}Ahm|ItHa_sb>z@=w&xeS;-?d{
z*cCtHU4p`1m9vgm;e&l)Jx7#T!v8OD>DzTDuFLh&p}u+52^I`*$*v0K$lf=sy_2!}
zc7yDb5=J!3vp)tb&DoE3RtvxAXk##u5z0(>YfBANeR<}E!vP+Pp272gr3S`XQkND_
zzr6Ux-`e*9uQ`BbuOVI(fP*?bSLoJGYv$$JXg<-bGvo717PIUV_hc{A)g5G?BSEol
zFaIQdn&oCvcN*B)uO6XE)MmaXT=IOK>1a*P&cEp#hdqy5j&;<sgQ)OL=ThQ%WZQMr
zF^IU#bNK%;&r}yLkz=%I<;ME);|=yhdz}sRLk^`}KN6oR+Bf3~!n71I{a?ij75j+@
zvN~l0*&UfwP)H~W={CCA3^IvWSY*GmarPLkMPiHPG-G|yF1Az}zuQE)pH`IfE_K8n
zqsJ@cJ{Lb?UDQJ)YS0Z6{d5iKuFV<E2N(?=!2X7#poB|*=3v9b>@hSEb+Pue8j?mw
z3URSEINXgs)6K%c$~NO@=(hPLF`o*k4nSj;d*EhqqY&RtaFk6kpXi)K9%h@(GViz9
zC0f^hV5Ih1FkY<|Ew^eN==yH7n8X;)W&O>~OtbuBaMspQxTcp6uLtcY+-PL(wGF1J
z3-be;+l%92HnWwp9lk=)vc<c&db|kEc~NSE+U1Ej(L!ceh;b506`{Tr=v1Ke&Mkse
zw*-_H-kmX>0|F?Yof0Ha+A13b`fGn~x2%+s&=H2kX$|3`vg)Hn+gP_2HRSKlJoyAn
zmsLKPbvR=#PJA%E=Ci@9R>IO%w1lINZ0-!QLy(Bf(b@TuM;6Ae2ysGqe~>wixW#wi
zUTLAET3k)M{u}%w(TVivLxbF81<u5^TCT%FbrUc^v(NxGY$FN9B8!IJ=!V4hTY;_}
zqf7Yl^8*XCvvKQv>RdFCbSX7By%rC|I-ZBii|@t)g|X0BJ%sQPOBIf*p8m&b_LKT~
zHS0-zuRq(VYQF2d1k=ZNI86VOb-_9pO@(dE13GsHnHyj;S`RzJ;=$lLCzipiU(iiG
zA=b^Wb`+$!wTeJkmK8Ro=F06uy-6RI9O(G|c0?xffSW))QuNG-6(e3My?wKMBt2jH
z7r#2we9?ZNC_Te(<(ZpTjItCW+I8fg;vJPz!y=QLt}f$_^b+#&C>(O0hHdN2m-Bjg
zD`Shb67s{d>2Zo1FnA{_B1V{)D5&%ooZg>I(XVV)HU)WYr8kxCy->oBVOU}paKO0&
zf8xJ3f3I#PC5|z(HLyP7!1%I%yBA?udduJeIR@o^6Hb_;M~#Jhy|h;Kr`z4^ev%5J
z-P{!0Ixw)g%q&Ol46}5)sMAbyJBDuwXI>^Vd#g>zWKXfYfI8G0(_`1p(a-5?8J{ZY
z4^PRYRneeM^Zq>={Cz(f{AoWLEWQT~y8b3qum}#SV~Piv4v(nOS3td(e-!kd0=EKm
zIMcy)a3sK$nac3i$%nNbrqyBZ(g|Fr;P|3R^=N<N>q(EqfA43Q&I*9*6hZ(;RUTq{
zW<X!b0v3JOkV}4h*^tGJO^Lf{9K3aMr&?rDD&4_N7}sLzlo<3uHeGJp0XfLZ#z@RA
z`$qy{p=$D*+N&qOh3|^V-}t<XH8mP;lpbFoDwQVk0YcIJpkcrH`9#0@`B4A)G5o1w
zltK1atO`|la+fj6e}`B9K01|Yv|dL0(k=5$K8R(<Jd<xlK-<!pTIZ|5(w`=}nV!u8
zOLY6%3if*J0S>WrPbB)fpWO;f=-<p`zL~yD<HaamhfJ_Y6!Z&BF8CGj5SAbtfRO9J
z%lQ9TH~=$8mj3#5j3+_%RqMl9&0L)_&D*5H++Ih0C4K-D98?0xh?h(YM@9ighq&<B
zq3&q4BY#p;NB%T44hN5PmX0X4PD4q-duJ1dlrizUR<W&XecPFSs*(?+zT@Y15UAO8
z=D$b(H}u1=U-!eWOZwwiUnZua(!Fphh&1<AFeCZ|Q=eYDYmogJolURZnwz80PkJrq
zp*p}Zd|4`?V=X?9rxO5Q-18NjZa#Az&SJ?`6Rk#qE%R^7EEBox1F1*;t$_t|%qF-J
zPC<5Onl)I_yRXE()7F*VbzOx1I@k3h4|V*~K0)sCV#|<HBN$F<PaDePekeKVKq$#3
z?f=B*7EG@zPM(rp%ZuQ<@?C*^LW^35d_5+b@(rW+XJ!r$UxdAZgC6OkC&4jSw;VnO
z3p(r4Yp;~J_1hr#GHDg9%^F09-h=cm+gy$mO?k6F;|a3Y(qJ`ma3n)qe*}qUtJgq_
ze)1aOVGOAZ(}KPd;a6yq`=zqatR<^x8=HyvV6l!@3`9Zt1C9ni4;c@(x@a*=rU=(R
zI0@BG(f^K!r-Vgx52X`uTpzC|^WZ6Ex{_lVFX(Uti4XHx&(W5gbDuzpoO6GSUlb3y
zJ@^%4-Y~U$QkRuLBh)UFfhNnX3F+Aa=7MVcq$Ux6OzttAhxwCO2v2B;K8R$IP*$qd
zal0oWs(2Y4P1pO&GocoUe)7!T#PyeFn#8dUN&gPOqT2<v$}Pl_;QWt)VbNgzNjmXL
zi|fRJ_^gaOaVx!~qFj)hr;6_5Q~bz9)zQPK>-D&)*R`*!pogdVjwX{_rtkja!BNC|
z<H7!Vz435rpcN?f88L|5&B^GlB@`@ZsmpXv83P6WoX=<v>tmKVfX=P!-&OQbqUV{K
zLGs-IKh|UL2pSzhFI-N!gN{a$GXctD`#YdafKQp~TrRo0f?&Z|-{`D|1l;O1u)k<9
z%@bnO3!TYPXxF{b&nPx;^o>%<2OKja=CBv;D9+Y7gzOnQii>p?ao8a`3(CLMQM^%S
z5*@{BbS41_Ov7kN8A5d34N-x?+IfWRJUM{C%ES`$tU_kz8Cn383^`CSJ5MZ|2w>I_
zg1dJ76An{=<tRk=ZFZg^n}4(O3|kby&NB?L?Qn+-p?fp1ps%)3z4?rd<-$31#jlZU
zdBRZ_X+&Y+x?bXKX>_I`g@Op2{bz$+k28Y<{=sxZsuupCvE@=Gj?_P$ye18<cI20I
z<S~n0g#~a2dFo3Oud!Xyr|6Xi+`(d7AH4x%F}cXr7<hp<ZM1Ec^BL3^S(=^xl<^b$
zkvC*Ymw9nYY2IU|ui!bd+tF{6k=2h@rfD>zGgJ9-N7R6OSVy6t;dMB(myW_k8k<vz
z<}XqSr#R?o5o;*x4~i$(qDyG-akdd}*M_X8rOD!)-A^V{Lk(CJU3Dd~wLKZxKJi~o
zm^Yv@*J7K2TT+%Np>}oobkHn|{Mn%MA~@QdnQ#i&p;N#PG#jufI|VcW-A)0~b_CgX
zR96Ky{f|zv1Yw&E!0h%Ht@*pXzVm7Hoo}%**qzx|EUO+`(5KONzSWBxMq<VLc#)y3
z?R?i}KTSqDe~~6CEM8~RR$MfNuhIhZM{VyfDmvPi0<K-}XE2^|3Kk4|i;kL#*EL#g
z<|L+cpR49>k9yGqG1isw$(!9_b%)X2v4zgZxnh6B`)_iW>=)e$Tu;lR8oaX=q{X4U
zxfEtf!}4Z4h@woR?kHT|OD0V8ggmCXp|_V24!w-hGh2wJKP>lz(36S>^4j5-@X|ZC
zm(MV7MS}&6*%iT@C5l1(%D?4N&+0<Sk=LaK4<iUi@XYTG>K!T6!&`^&4~ZB;*C(WJ
zsP`vT_rFIyL%W2+Yx4ha`tjI_zaB>*PDqzH@z>F3=4tff>9^1yIQ94d;!IB86uw;k
zJ7ZNCZW<Yy(W2icdp~BUS~dOdtF-6e)q2osZg0<fQ8QHfmzmXeHHPQiuJ4NDH%~u3
zv*Ni+be~ORG+pPgI51p+QvH>zUx~?^^e4c*K^%Cvt%916_3YjXKNCW<7iRU^&kqc5
zm{N`ye<plVahyGLqfD|aVR0N9+9P##HB0G~yi(aRCFM|%r!%Foov8MC22+OiRx9`T
ziIQFw!yOa{7-ClFR=puv@tnmRUhFWVwKx+)vUQ)GvDbJRNRFi>Qr_%etI~e*&u@u~
zF6JMbx8Rp=1(^>j8_V4AvOU=3Z1>EW(v%VB4L+RZ)B=sz&KBD<HbTtdY-IfYLF2(J
zPVe-#%1X3gBQc{HH$UcG#q0ToT_Lmxvi~5r&xvrF?LK`@g^i5Pqbh7<9_Q0eNV}Z1
z$woWpyY7^H!+rJrNAUh-ie51u=<GXn6Y|IVxGkerWT)teel69fJrW}SH<gf$c*oVP
z+x_B``_x`6d$Tmo>P?{>b)bD5X$twL)w#CD{?WZZoWIW<EXC(tzaSfNM$hqi*M-Ds
z4XJwD^mJDrSk!f5Yv!HpZk~c_@1~RaN2ek*qbk~a4yeD=M7smrA&HH!J%0eglAX>T
zfUsoewFjVIb)=F%poyRnPyPU`)EqVB4;UUj1&Fj2(S<W@MXu#nTan}V4T~HMc%e$&
znN+y2R~;xUP)*ni0|${6oHoerNCD)kmTi?p`|LM5nrDXj>zmVx$$JAKD0HgzQ?xqG
zI;zlgg_;yXjXA4{y4pw264Oql#E+p$#Ys`y;;mW`+1yn!q)un9gXreWb*2(%Qr>9<
zkS-6UdV8(&P<2T6$1e7r(iO6}W1XR~<>+Hb<L$)@)p&c+nr$yG&<fmMytSU6(j;&R
z(*mAvw2qo1Ba_oS9sn4|QD1tN2PXuG=pJ?~0?l>+BI*U;62`F~Ayf=kgg2j8(=>#n
zdX7Gi3iHcbf=ia!4nBOalwLDBd~-SPYc0JJ(ms(AIw;OP0ir}l@n!AW=HP~4!I$bX
zOQjSz?YB`YY03IrVK2i{ecp>B4V3nHiKZAR9oamxeU!a%lKQ4LDqp$Jafid|HQjbw
zf!(J`Gu&3#)vq6gkz9=2y1j7uFjY8eN<DtS{bht_ctK(~vHa)FpU%5o&6X{oxO!LK
zBL8SBcvj)^)#S!BE&D3MIcNA{XvQabF(?~yGDQL5TMc>%{`Gt6^uE0D{B24k;{}F&
z+iPEfV4ypeCKK?emrA;`q+NN%PkrMSMZl{>X4cQEL|2i+PMLmT)nBd-#JZJ!r%Z?R
zJ7v14pN1>bUx}e-2>L5AsymoF#u!n>dBB4s+&1uD6rX;yb|=ll-xOiLMeAycu-)wF
z4n^2UEdWioGka`ZyS8MTnTEuvMU#8BH~*c<_xQp!f`j}6Wk+Dz=ci-<Z&vB6u-Gj)
zxOQ9vSIBM)o}wVLwN^J!WE>O`r*|qB@5wL9^Y7^Qh#-5Ye$NcD`|9_oAba?y`8_+x
z?x){9gY1{}OSx~*kRHc+XBU2X9P42HehRnc`rQr2qF-#=FXxu#n6rZH4E=r~$ad=Y
zlbqD+cNb*!q5QJ!4&pbwx#Hw<X>k7Aa3yiK6eOrN@8q`_{==v&y=K4DwhMVLB|Vbq
zZo)V!eDeY9qtw<dl#|B!dVU4E*X|Kr<Zt6z6cos-LY)8)R9{c*nMzeA_DqWd(_J9j
zoK}E8#FVfnYi5)BRCt~O{3$%&LM|*k)Su$7bwLYvSA_4Z2ru_x*idunXFp3Mt*Jrw
z@olKaOIp*Nl!l}=t=}1Q=^Jq&*WVypmy~ne^hG`MbQ{h1gu1jxx%7Ox!cEbJxK%fR
zq_jrXzwMWP>N}im?zYmiDoSf;BUWfR(SZ9Eom9A@m)J>#YgY2pUbv>jkFKpY>Yw^a
z`L}gaGkg-;c$8>t@wvuo*O%Kfw=}CO;QiZysNj}n)c~XUl|H=*p)n7zXA*JgwV?Xh
zJk@AKxCH*y;SB7rwi(qKdiJ3YDw%Vfdn~YZkiE?U(CEz;fJTq90I0dIN40y2Xf0gd
z?ATL~{gP#XF6J@=>9r8fel(U|OU&LDfOLLjd7!!PSpZ_2V*#k|Tnj*UGYH7+_Xm)h
z%pe8GaFhda>hQ3rb(!Ob=^e!j4743ZpNH>m@?x)ueSB#;lOwtD6{-shw^)+aP|XJR
zXuGcs^S4;tr5RUYsmS^_oi)L1Kc)q<nzyckCZsi|bBHR^677%13Fv720<+q5S3u})
zFZH(<e$s3+icqXM(G+Rz8a4?jLm4FcONJQUo_DFrrFoUaujgqLukT>iM|UjuWW)+)
zHfncECi)gT50FE5k^Wy;yjkK@YV($YV2-X#R<ri(@kGUE0tZo}oml9tIh_g2l^T#U
z0k`7medA!3JQ;hIA1wH+q=NLjAkbHdCIkk_ih~d+w0E6_z@bru#=Dix?B#AleTbJj
z&!8v(Lf=$rymQJPT3}Kq#|x|PLKhn<JD9h%RnNOoOOQQYs@0VAt<J98mX(}cyr?=f
z_$!bs>qlobv#g1E4l--rAUB5^I75E{t)$zRR4<)Dwwv<(m(Qz-dynN)#{`K6^|DXd
z$S#dl%9ZaeRRKB!R9HW4kp!%NteEHcI3UbKwUws?d6P_R@o+XKGlPoblrydO&LY6=
z08&rp-*nahPWn&XuaP{!?8T-4eTx$v@e{kdHUBZH@v{(%LS;P2z0C3h_&Lrv80gZ$
zI&go}M;g}Y_{`^Fm6sHnyN6J;C6!2u403<wvn)vlvwyE-Imr`_2Dw|9wCE65coFZ0
zuTnX^4!451m_91tC7i>u!)R{7XHCF1OUJ=rDrWlLOgQ?fO1sOVyumh=QsAuCR{F(`
zx>32M@GLqyH(d{9O{0{5)2%-J)SUfQoUwWnn3m|2sU~UCEfjNmiPEAX0bjpO{F2jt
zMqjGEKnUxIe<km-_=|;B&=x@nu%y+nPWSp?2q#mVezl9B8nurTShTWX;R46FieuU1
zIEh>i6fUql_&2Cm*zq|zPq?62EfC+Ru&Y)s6fW=`mluT#d^hDt!8J*K_B<EZpa{1p
zY$7`z6{3NhMKJYDW}}WfY%+C96z#>NJNitBYTPFcH*;U43=}+!9|UQ2PxSq3>>IQ+
zG*LQ{BWK^lxsJU@sVsHAf?pCDt!ATT`<MKiH!;CA8AmNVpA0q-2iqae+lSsqoT#ST
zQB61ZH|nCBg*L@YrvldY;*G)v9+8{EPpSP<zkyMlLoCa!m&qg~e(uA7u}Vlhr9lGX
zFLrg?-z(Tp@a(rBES1h5woj@lOn;Ocz*`l<$Mufsm2{ldp_i^sDqQZ7=`y~&Hq<aa
zK7Oshl@3#Co?1J}>o}cmldEy6B3Q7ER>mu7G{$(A6OZ&>!HJrKZMVlW*5dWB^(TfN
z9iW?Vx+DJ+LyHcNg^F(?Ui)*QLXbPzU^!PP4oH;-NQJO~R5g?)|G>+>Iho6NTd1g+
zw<+V*Beh-3F)O&`_`+O4QLi+9_*Rj#@ZgMReO=jSc!|<aP+MUt*TkOzw$mP$^Rx~%
z?x-~egNLetVnnxxCxd5v0>`E)7&h8#fHI=@pcCSiNi-($m~OHjIERWL{s}>_Nj02U
zfvn}~64td9rqJ^hsjb^kwsTFMb4wEYb((Qkb$C@NW%^WPDVF4FX2a9GriIwVbo5;8
zK$tq$7mco=NCM%;XN&-HUjgEf>e+h5(qFnqeCFDHg;k5Z1Lz8{JOkhrt3^+hVmyQP
zXm+m#xpDjc-Kf@Mg7j{$Uk;eIC9b`=iJot5Jr8nibS*}sf4rjpxy?p;B+J@I5QpR2
zI&92>-0!skF>#WoRdojiaq<+!>FA0r%=BgK-4ICA^f*@PBm$|Xqx9^2T;P2Z&V$S)
ztFT7rl-s1ek1&gqaPYylpkWfelQ>(ikLS;8z&wi41(@$y&C@*svHJx3e&w0*)t=g}
zPSy&MkorB0{PFUjwZy28_~H5x2`banaQ7Z=r4pkxLZY<zK}v7aYKzH#WOHLIZT~%i
z?3U*Filp*6{OV6(jaPpPrxoC@^z1xWpqmdRT&Y<86u#C4Ej-_cOV?8%Iu5?z1ii<>
z|6oDLBied{Hkd7sx;Nvr6#93&Cl<AX*^-3CtF3OqPo2^h=;9@|Bl>PV>=m|oKEI~4
z=-xsB<gObnfHeCn3rLt{mo=W9h2tL3)ZwriVAR|?+6ni;h2x2d#?uWaoQx*qo_kD8
zRkx)Q8Lm20)qChoY^r(%CIauV?}*XO;a59-5odSCs`2*3U-Mzp;?eNG%@%!79V;f=
zF}LkHeXb+t#f(_kH#O2z-tW=>=vXF4ph+Fn%93x43*g@f%hmod_Ywgnv{p*!rWBJp
zICV&R&DN=d(rdO%wWrrCO&!gf^Qk?uccn(-0w()s@<*rhk5NxF$nat2fa1XpAHE5!
z(=+SRT@O;}fb^OxQ-jiLe%p0NC0&W^jJTqoN!plMm+Sg<-#_W&r-R%g7zZ(g{z%Bx
z(RA7o;jI<AoO^@w4^u(9^-&?xIpmDSN#KBaXm+%d`-W9C5NY-pR}uZVGRW>^1%Dgl
z+Eqw04nyp^K0R|Fg6-!Nr@I(lR(ZZO`D0Glc?H%K&0(zY1p~e3S*1&gj-Jv&3iP|v
z_?2#g;B*BQn5sbOM4xj$AEGu<h5i)YAgS)_3v~NTS1LDu8zt4j6o@W+Az`T8`8blv
zm##~vHsjs0rB}4;$Lyavc+9@31L5u^l2|=@`5CdIVnKNHKrIB$(6y$+TT)g!gg9Jl
zL=y|c@Mu>W^-|R=ofqja;THWqmHKqHJN3ip_7?&4xwUDxU&{TO&tSnZb;Sc6)?C7O
zG+l^#F7Kx2eqhNH28?0Cw04bQzRp*cNtR`xS;0&g<V<g7o!zJzH<2#8r*aPta)&DS
z$Mvx^$Zf#~jiYVfni%Usv@3BVu;o}+I_~<nO=A5HI1M<&lB0i>tSg|zR;uV>Ccauw
z3^F@YRrF`W{;(F(31)Sm!~mIs?8hwt_d0|?_O1=0K2jz-V86IlK>ZHRdGN>qXk})M
zSB{Exm(}@c9RrE<iLY`raB9M#w+E-ip$*+vN;|aXw?X!K0u>si+>I~M{a5)Xk?W7R
zj+OCs22>Vra{pjn9h4e>LFz-6YRY2CW{XKpiof}DGF(pv!SucxW6^Ffko5Zi<lHNI
zK?<*uLt<XZSA{qv#GX%-{uJ)EkXF{?b>j0aS?K73%B*vd3jm!+9j-A3O_!-=lUy>d
zCFhhwMy!%K6L#Oli><cO0XH*~8E5dVhx6p9Wj@ukrq8a~x$DFH)YhaL<m7M6W%!0q
zpEYRR&Z#e%*`JW5Z1nenf+1?LUP_lvx-G6YUW|j>cBq$2Gbp2|ZgP!SQ96OoXq6eA
z%aCxys&a)^cT(ZUk_v<DcPYzgMgE*k2id=&+b%2RwUN1M1KRF2(sF}?kMb+6eZ+4C
zp2;yxjA!lnW6Yf0Y{d$*d(~bA+Ers(JitgsQEtgSLZYi*{?S@JI0&AJZ2S>^CB0p%
zj+^=~*1KufTfwVM2sn;7v*LUWX*?-r3+lyI#j=_$+cS>8o8nLKP=vb6$+wf1P|-NK
zfJjM&9MD|slz#~1*|Vv-qTT2O6d6eDU)FLhTtuL3K1WvCxj$M?C((qNrB;70IZz(D
ztj=nsczDu)R|1{OCQS-P;bz}=1+3+S+-)GIQw?T)2gK9fuBa56b~$t>=mH<!fbMg>
z;i|*6l|zggnUVf#v~Rn(s%`X_iR-UMizJAbZ};p@7t12kt27mhOybg;)oIP48<~V6
zH_A=OMgObJ(PDT~SajS(eBe%-kLj41^prk1%OtAoA5dXcBF51wvpF*pjoVysL<f-5
zbIa#T@3LcnmUG{MZAZhUKwHbgF&wDdP9#qs1uIQ@)JmSD;2o}D_HDK>l|8-yH4F=l
zi6?Ad{K8^VRt42-b=knmVvK;*<w{%f4@YO@SD0ugC<G#BO%@^r3ue|84|gW#NBMzY
zYv6Rq>%#qzcSE$iNjz}1IHXZ{qnV>O5Y-$DGJEcr*KC++)J4l&b~ctjA+(`>iN{b&
zOlu-y^r?==U?W~;EeXGY0J#G0XX;W_3#!dGm|X8TpOfAHoN==IAhJaJGg<MfAT$$7
zCfn5Ie3ZWMeVv;)!7%2Xb4Ung?EsEcOuX?<J);co?3$4j@gSH-!Y28qc?;Rtz!KgT
z-O3?_S57})8p}!|+-)Q>O0iKf+|?z0!`=C`8RM>1AEn92Gy!*sqj4Xdqmq6d{V#z3
z5n2)O)3hJ5>(tooG4!5N%lQuYw?o#^Qg%-cr6(IoPpK;&;!s)?s_9TkcMx@f4{rda
zT_%U63U3rk<MF!9p{sqPnIri$awsit4;w05F`sqO9xnS{$j48sU>%{Egepe)XErtE
zgP7TW&>rU?R_yoMH+~U$IGOW<P_k&w??s~&rAY~k{WhnMryVOjPKoT$r$;BeT$K%3
zNpz(n#cK_~7Z{!RBgK!N=ZgQt_O@Q3;W=PJ8Y)-XbuNPDhs$*zspCpdDYTI$PkTPH
zYX2!7f1B^vSgYCLht4-Q)S0jd<BN;BI!hT}zRved4G2p_j!Dmi0j2zfBHB&${RDDE
zFQP8drgy{pf?NrTigHNi;o^!t?|nh$w@Nsi>7#Hu$j%~ES%tJ!(N*Me8}lQ85R$xE
zwQ%D56FSJEP_my(d-<tY7We{YZmZW|YXBEXE5*Kwt=`DT-KOfnWQ&vrFwx)m%s*1C
z!f%T#u1fY8P8_1di0<@S&b^!le<$K3Vz;g{%{M>lCO^IWEJPJlb2F4_8;gBzP*%zB
z*k9znL!;3ZE5K7&62!i)bO74aXfHZ+D?0*<*;_F?5z`tQB?q~wNO!@4!)v9EnzaKK
zFvh`ZEr7`UcLZ1Dv)mK^&>DNWQ|^v?6c0Qocp(Bkf?5GuIZfXz(9V1h(Ej7Gs$O0P
z;F4Z`ls;K6KWzbe`62?ddO3<-R`jNgQk&JA@I88SFumFMtkhS|%KYo%SqZYA1iL+`
zy^#<qcP*s6J^MhcO=ad=^QO)8=O!I;&*F{0x!$Pxw^Nfz&b2~E@rc?<`OABW_U9sh
zVwe)O-SJ%Yu}Hf+tgAX5fq$V&jn6~kqq6J$dB{)fR8Hq2+WzZYM9NsM8^Z23sm4Cw
zY`3zU4JJZR6k?kf4gGt9IE6C}Z*+e27Q8wJK$SWfxk4jrP!|j1O49sFO-Fd8!u2k^
zT46hU^m&|8+2v8U$!~eobud6toTI8lklh}X4GX9C0xy@m*h=SL4R^mk+&uqjI~K&<
z4(Zjwp}H&Fpvu+SUgwv$?=f2yhsA+uc~xs4V1|UDE&;`7m%0ZOpIz!IP<(c&+d%Pz
z=t59@cBwl-@fnP+1;uBVx)~IoUFves1<jJ1bw7xcCylyup|EpZSJS$##&ul{rP@E1
z(R0odm|>24lyqR^*iG4T%VTPE!aJLd`oF$5u3H9SJ3gX`pFNFEv~fm={e_N$rg0pE
zy5v0e{nf{W;|o`4qJ6XeTx&$PKM#zL2RRPY8>lgLxKqNIeB5E7(TY*V%;RGe+w^In
zkS)?B<4vOX31_%fd1nCPQ7XEDa5bk-UBEZ=SU#wo3A^sk<&P(>x*YaS=&Jgc-Ho{Z
zWw#~HsRj>x)HH_!Vwr6;-_bj3nS@Fsd;F9<N?h~||4<G+-ge6Oko!yrxq<zv`4<xx
zH6*#8)n_fA{cC+3rClT!Gl{9j-ryRGLiQQf+vo(AZM%C_`t)fO*3|~L8^8_|3S4GL
z*K4?E-k_N2EA7inEW-`@sA?~^Ac$MOV8MrNrlmZP0)iV`?}oKKVP+YYA4}wwN{sgZ
zvG*qMRCV3s_%%kEGK3~KWz0MjlE{#2O6JgTape}S?!Bgrk&sH#C=yDA25HiuG@wa_
z3~7=mQ_(~!{MJ7AUL?=+yzldV|Nrmr|9_wRDf^s#_FjAKwbxpE?Y+-h2M&<2CRhQd
zu=rO@4iQIHMWE`KJvBDa8nCT~<eB+qh`pnFjgbSk@i(#~wS9!q!QC3V3DScai#C9_
zFyr82j5#sU-qLYcd3Iz%y>`zapb-!Q*Uk%9ztBhq5G%vYL00b(C{Sj|21<*ua>tJU
z`d~8_nO^82i?V2I;U?U7JcWnAqZmD7<C`Ii=>pA+8O(6_VA4@w%e@c+ID4?(J;{N}
ziPa4Ag&E)ky?X;$7+*7wj>;ixJZl!AVvm1$)8{zcj}Zs@{&7CCU0aQqZH)%iQU@?7
z7uADYW>Bpe6Ervp@?d8_3tWxSj=Er+EZ`3N-z-m5akypa0Qf2{)5!{6_=A@d;+r9X
zk!y#9b(G0mt^yeuGsD>TU6?ZyY%fA_*6}9uT#`93=825sPBgiqxdu(1jJf4J^W_5O
zL0z2a3y=`y*9`NK$Uq+?6ZuSIpRF6&N`4KN4YISu(Ua})rv&!V0q}5pLmA{Ohq<-{
z^#|qLMLCNh2WSCnAEhUlz{8a^T!Hn(f!TN$pfqMZWndRA^wr368m<LEVDw>t3KGCH
z{{nBXU`GjX{?r8Mg6@E;Ohzt;K0e4s{}$Z<ZL0=B9&(Y0g|q}rG7N?ff^imdqN6xr
zU@`$doN{onbX79kckP5{&}&O5)m8TEp#m+p>pbHr2}*XLSO??vk0IoBn8TkEc!?5g
zQ?vqd^br=Y!;j^#qZ~!Z8JUR~k@sOH!Xobr#`V8K4>5BJ8D7kZhc&~DIcLVS2Ga&(
znq|M3VwgHffp)>|lWB^vSdXbnfCCxU7-pjVVv@m0;omUHDx08pE{w4O8gsy;3M0nB
zbi@7v@04_y!xCkjFuMcE#tAb4vc?OuHsmqiYeeC|7$3jDzP^QyK4$}aBNyErk#M~5
z5&R3w5%a)Ng_${)vOcG3%lPtpQqoVzMlT2@Lz*OlUI{^(GAS0>D`?I@3KU%OFmYix
z9AcMAus1mkzKj5^IDyTCJmQ?dUIM?CL?^J7z^x_G3G5{BYDshg8woy&l;{NZ5%{zu
zI)QBj{w#@3U>6yhn<s)BP;4xcYqnSe_HwLYXcI@Dij6F+q=ej<ey`=R2wNzL>w1Iv
zTcA(W!j}o!Z$Cmd0E!&W!}zXvS4FWcoCjWM2PMw<)`1TC-r0sI^dU6#pkw60NA%rm
zJ9yx|i$Tw%__NRg1Q@=F5;z;>ffQar?qz)EJZXP4+`<PWydVpaI%$6eWYFN#@9?D%
zv@2?^0AJ3Dy@{@p!r)DbPv$$Uz}+tqzSfY6ikc^-UdD=j8n$<Vw_1Td(1<x(EcOtB
zz)dcXjfMiKqp15B9e@VApkgEBm2;q}34LOK2wf>RmH>_b`xZX1#-P<myeHH&>@ILc
zBdeI%bkR*zHz^kNvBM7ICAdw-5YkOX7zoBmLUvaid>;W$rZAsb@Kua*0TaCj7P?9C
z(Fg)`Jn<_a58wT`gyF4=(Tf=uP8V~=7L45na|PoYmuPii4tSd<T}?pslZqIem3jo-
z>Gli8_(NGl!z~X$SD7zjK-g-Ia+6qCGg^Z0j#U9DQ*e~i1tN|3(+I|RK<U_T9D?yH
zQMFizJF*phsM}QiUhFq^BZy~ZB)GTKRPbWWQo)Oy0`P}#TIp*Zw$jAMi4~jQ;efq1
z596Mr)yM!K0oOopI3@-VJ67}~aQjPRzwrz1y)~yAn@-^z1{1j*=FPDKs|B|T13HV5
z05QI=ydz;PkaF|D8d!e^;ddn9@aS$(3hspA4u|eQnsI{h=(|nkY}oLcvjL+pJDh~5
zvv?TD4j;#WBMOXKiMIsf6QTd5o!qgVh6(V+H!M50c}eWeXvU@>Rxg2l9N}VPPXIVJ
z_-+lny9}6`D*yxEN{X$5TzKgm-fVz*n-PIF0gs-e11S_I6g!Uwgyk`W0UN=svw=Q~
zhlhm#cM-VUVcw5k2gk?*eqrTv2G9{z8-j=Yo9dZ;i~SbG>>I=hMO@23{THOMQwZ#R
zOG4~V_9%7idmmt2BW;9&&?I5PVU?7B6VSFw%0WC~t<Vj;_!ug%MLJ+3QxXZXfeuOg
z!x(4hbx@V@WHa;03+9s)c!HXuPsdE6k}b^V*O||!!q}8!L;_NPKl~u;ebdBJR;0P_
zFdT`cMp%6#hC?*N9*c_x;8wadg0aI;ndOg`6b*oo*40GA&S3Q*BI;-;?7gFo_F<wj
zp6%m!QQIT(om7Ou>7!o*fj$Bt8T+>wH-H@vY84yr5&2*#R33&$^lc<<v57!hP!xp3
zC+*Ln!vF~w6XY8Uj9|sq3|9zr$9gEo#9#fUdQAr&P+{H!AK-Ao>ZP50v7LCtj~M&?
z!m)@~Tb9J$itex)tykJ99NQ`MM-})O6}nE3;GdKl4VWONtN_LWOn=peH^yp1V<FHE
zLQMS@`<)}m0;Jtx8aw>85@0WF;bFU<SiSi*Ch`NA$j3z?nQETAxn&r}Oa=!IHoUiX
z#2`I<1%?UNA&ybNgvEhqm<%VvW3BZVt&HJ;-pT<v7>(g<2+RO?&68kuhh0V^LDQRp
z7oFJ9apukFfoSaHmM-2E#CWe+@S><dVnggZc&B(cI*?e}jA#j~DK?1DrCS}?Y!o}d
z9w-2^h4Hswyd5A4c^rX4nCif|QZQbhk;^F<*9xs;V<x!uDO@soH*0i!%{h`rDT{0f
zW1a+{ZK6HQ?v`klVKESM{27W?76vx9S;`2D5nzO&(jkXrJn<@~>JzUXK~$7ROV;rd
zSptwO(HOwnqhVVKkO;AN!5BcA2?hhPGQx=6DiM?Vj*Fl+W19s#&}wJ2B#hs0CAULK
zB&Xj{Ji{$Xs05>NXioj+=u|oY9YoD{JO?`b##+x%_bmZGY&eUd2(-#EsuY;`aj@{4
z2CYuq&M{UybTk|o>5Ymp_NqrGbK`mX1(WXJG{I~f4dZXcBz|K#v5AW5{8sD(G+KNX
zvajq0(v<i?b2oM%i^wqOCoJjVJ%MUMVvRN0C8!QuXs-K7F#a^6A=p3sm^x9fA@qMV
zPb@W0>{YKZN0(sye8Vn2K~$J%D2yZM_6E}kg4b`F$M!BkU!^RihbNX^F@#6fiM52<
zW^>O9a|Mt`LTy)KsWopSp|*tppBQD_BXG5E6RWKfo50c7oVS<I-%CiWg@y?IEd<?K
zs*p+IJ@eXk@Yz|KDclDd!X^cLo%i-Gczfk0-~i+L%{=iF;0c+?ZUlU&{OBP;_q$*`
zI$~3=!8*gVGqJvay@mXdjTqlgvf3fjXDf|^2#LxlwI?J(=<7Nwg*I%9v2>85J(C8?
zGwwYd4_;bQTTr)Q`hn2-eI@{5SoAp-J6`uiVCSg(U;%f=e6Q*AZN$H@WeE}nm!Npq
zag(h{eiUjbo<yZms5q(zZn7EKmxQMTko=i>j0_ri6X}->Dv9XzONOT}g~lp^p@)+i
z=*YV}#L2^Mn(};=UC=f+2Wu0&sh!<&yH$7_3LQ`Krv$F^!TVttz-rdb)WzJ?$i&p{
z&k6zP-^w{qD0pk4e<<FB1bBOq{5?bQ1QQxsAfw-J<!y;nq92J)qGD*6Q3CzF^zhO$
zG-*bS-^vsGgNVLlFT7_!Af6ULB0*`j5Sc%Q@90ko2_SjWNnUvSP#T@&XHD@UnTF8y
z@K~ka;EyR!@FEd?ZK)Jb5{*WoLIp1syeSJ9mFT~YgxXfaE5l#ps61i+#=skGpV|0C
z^kDVRmP)2j$@Eav>_p?iDu-Bv0oceBA&R#Fa*k5)xBj8=@k8U|=uh4lNFsRQ$^Lk0
zMqRQ8z#;~bOo((M!HXuXGWqxMa-<>Zu}b0n0%>%-2MO;@^aYM1d*dgBgeTL`V0n_g
z$s{j;IsqSy0g7;<;RF4NK}51I5peoX;4Y{8kf?w(m4!0FOML`uwSO7%Z*-ghuEzgE
za5euY;Eu?pJ&77b_9S6^LQ?`>2qF6g`XP#IYE3ZSV~aD`3KgXT7x_~B*D<*sHVHB2
zGp6{{sT5y=zc)pdS@D+#W5?au$j*jfvuqXqPc^_V)fsRxDK;kh`ZAtjVmASw{v!9D
zP#jYfY8oM9gxGFGh#6A6REO1}-^P1HZV3LMtO5h*G!@WuqqNgt)cmd982M+_{1*^e
z=*>jrH+V)~UQ{IJp!7n}Nce;DW@tn|Vn6`de;uAiCsOHnBBLB8Y!k`bU&8_IJs!%~
z@ncRNzrc}~p(*@pNd0-g{us`9q<(|L(u<6l3{MXY7^4j*z@Jr~O7bNUL4|D~QT<82
zcqbB-MyB}x&R2*Je2LU`B)kvN-wSjT9n(-~PDVraJHMJ^#T-y6dnm+U*NNd`dfAeJ
zfH5(E=t1@+)5#>-M0%KoH-Yj?ljGDs&P|5Kn!#B$XrSToUZCRfm?7a!q52W&qkO`!
z3I3|^7`RBWj)BLT5nz^H=MS?koq}JWWjP-Hzgp?H@il`vfdSPM%pN)kW@K|Pe@N6n
zkiWm`$RCZzzltCToiEvwNJq@_%Sd3#%9uhWu~<oCfsUWgCY+9%7D}v0>xiDAICTvz
z>!mpLg*xze0lEyJQoL}w3*gF&6r>KN8CM#(g&K@2O`In4N^61!S!M&y7-+K&tVyPA
zFa}H36LTWfE0{<n8T*htH;j}YwI_hneQ^%KzQ#~)DbaI7U;w(a0d_|A0d6UUM#Gtq
zsbE{#d--|dP*-urbSf%fM;W;a9=W18gFOR9enHHhM5lw&qCqyaLV-UxFtI39I>8V7
z8#J~J1_1kDGTqb17{t{dP(tH`@Uf-@k#P1t6v*)*`TCADV@~lSS(E$&arR&<nk>c9
zLTPBoNOYVp*@JmSK{f(TkBajE4S+MFS%VcyNBtOkZO6o)`4~vy&wA|aKc+0|h<yMV
z2R4Vj7uj1AXN>VFY98gW9=pw7g=fvJ48FlLXHT4riVoPbECU?T&nO@OM^neqG;nUl
z#sro?BXS_M!cxIh(#Aj-4;r3`Hz$RFOn8$0h`wlc2*h*~V)e20M^zajBGL#*LE&Y5
z11*`e53~HpRBc0s$<N=5g7>08Gid6e1qPsT!W$denP}iam*9bxc+Ws8mE=#yTa&!V
z7*HiVrVg;_38@Q;w>OOhlax0y{C$aFL)sV{qwqds@neZDBAElG$H&<DW9Tqajv5+3
zr~FzHgExXdf`s?PieWPYelcE7#!C*`^)Fv@uH}5Z+3Xh&F7KbZ8-=_7<##Hfz$m+L
zb+UK*{<hbvbGm+cIKhpZrRhq0QwP>iffn{5(!kVaOx2j;l}A&!0+Z6?${T}OP4R=t
zDD)RH0}C;K<I0a}MYLLEEHChG&;ZywtMKTD!yDku$RVIQ5vB2#02zmOvq8$=7nOh;
zhN@uP7~mZUmUugRBUVXU$E6HFsHClv!^jPkgr($YNdvr*Cn>~)MDzS5)5eqLW$aBH
z&2v*+g~0|%1k^|lWX}!25ylihKZ-x2Q5l*Hjn!XRAamMsHLUh~c{xOXb4L%q_#>CE
zdt`G4Ddb)4-!$TdRc^UwSst7>cj1+k<8FfCD}VG?C(23Rd3&b(Wx0hvF3Q*<VOxw?
z`>XkO@0a4Pk<T|pb<uq{DerS~GhG>$e7bPM^PtiSzGYwePu_k#ByT%YHoMxvvU;t>
z;baZP9`!Yy=F;n=FFjbO`gzT2;(B|NV{vUqwyB5*JI~*g)?d?jC%x*3!;Nhj=QGRJ
z62mWR+sH)u_^9qFdT76WDJ9{qxqC@zl{qJUpKD~y%Dl{rM6=43bIN*41EuDqM9tgx
zfG<F7)1|9=na)m5?mD|w1}i=W6ravIz2NI=ZCTIBSI%(>_VPWyIzo%TabZWH(3Opi
z)EGalzX1WqW^Bu>PW(I7aX5(_Yqz|p)M)ub?FT%CHofLssiYb{d_C_4{Y&<bf(8mM
zbt$*jMyEzY0yWcM-uKm#)oz~dH9fp9H9l;hRD9Risj{zlj}d3YB#*sK{3(sR+Ep)i
zZYawam19dEBJBHl$RX6atD(%Bmit04n6zw9_ssY_v!@{^Bc4r__J1OLE5ve6?Cx@*
za=PSjUf-0!#<?#vZ)dq3S5`ZAwDFr@J#A3-fkJMNt!~SjmBcL@npDakwCY&O|KP9N
z8J-tmxlpfR^9$M=-qh>YBY7MxwjaB<MR_Azwj$eEu^(z7#UfwImt4sGn7vy1Ec?Y~
zUWX{b>%BwAY-gp44J?io6ckw8vUuM+-lxI9$FL3iH-5nXp3$z_(~ZNjjU}(@1&3|=
zyqan$Hkn)3cTKmBX<<T;?2gq<Z&gLFuz#=rxoCb#{3OqvjyJemfBr05MxL7ZY~~qD
z;~)<MwZzF8i>?~jUhmJn+5hb-|AqBe%Wm6NBwWqtJyfmcwU+!sYu#~N*YknxXZuqH
zHV++mN(GPS$dxT6HYv)1_h;->`Qk?_+@O779lxjY3LSfS$yphvca#wy_8iS``Fz$Y
ztYzbc0j2Mbj}nro4@=g4f7P?WUf;Cw!K-sYMrQT5D00*8PWt@C#5+f<Ciqig(_o$L
z<D-W<@81h+GZT1!=m+P?CP|m4iui2>rC)Y-h&FC(FsgGq<R#sB=5+brpxQ{4{|Wwg
zv1jtX?g-d_>p~)D+0mO@thyr4KJGnzDVQ9W+IrA+uZ@eiPG$Y(v)6-p-+fDab&AV8
zw(s`ftFYK+KH1F<#tNM=zKOlL^rc&^HP&iG9N#2j=)JPZz-WWq9**UC(iwFQcF*J{
zug_jAS?E1OG9tfRAVEAOOYywE?}M*-;d(C?{LtPQhG$!etMA*Tt8JwIt@Ng|p0<R`
zuEJAk0^QADHboqhGrvd8=jRFY&^AmFonJU>`uBlH?&2c$b{p@vD25b9Sv*?Vcx6^Z
zz?zU5nHdWub~ZfXCpgo|33?lL+RTW1QKD<gmFOhAe`Ol)(F$eNuaD2u0-m|dK4%k5
zIU4El>JnFb^iucBA@Td8yp`7c2mH?=Nm!aO+a*^eGRdj>()u^-gGu`dQo-@2{q_lW
zUQFql^-=oAzNKQK`-3d(ABTuZn6@gN7;N1-sJPtzTh<laHhSDJt>{Li{((sfRiq7M
z4armO+Ffgge?ADmx>_x&*(WJs=cgL3C70f%bi@sc^$0bj-%qH&D%Re*(c-`d-Wy@t
zdhO@V_p*HpVeW5D_M4rXtt0%J%~Yn&&oCxn(bfaxmB;m~vy8oJZZ&o8JG-~v*Q|Be
z$kA+dK+o)2A^WERQ=5ezroKxt6!D45Il+F=Z?<FD%!ivIlU+!qbQSp)zaE{FdKVg%
zjk_P-n9?KtdeFILtFfkw>if=XY^n$RUfu3638gLL;4yW3?wlt+Wy{hiTJ|CHz9x}1
z-sPsHOHWw*5LmzZeOyEF#)AvKRnGU2(p_WtoTKDhoYhqEVLsulMh`=bi^Gh~o=H>I
z$`)Mkl}p+wa6C<!)DyZ>DCAW1d&_;CHN8nn^%iq;p2_iOo@f8Yv*NScdxKWzaPPH0
zKKktuX--esM0ld)mlJqRu6HhfadILppFPY@sV?&7Vwv`$pIUqFMHTW4NtA6fUeM|*
zd+}3rO{7+de7J#G{I!hW4M9)kt1oJ++|-Jo?#WACE4xGXYo8sr#V5mtD!%a5Ik%PH
zDj#yUw92P6TwgfL`PQ_xds74~8av)g%<d<q673U}ga0jI8&?>~|G2Dw_m=HHn?B(k
z17St8dk>ZGyi!nWeYIqJz>$zW@qwpSr{!|qJ>S?lte90Jx{l=4b6@@;PR!IHE2mQ=
zwBzmlg7;#nLkW#(WtR&c=KJHryTb1)L?2d&HsSWT^h8HdtjU<i+4N*yTiOw~XBvGz
z<m?wq_v-k@cfZi)$$q@HYWCc2)wc(}1k~fi2-&^sR*KBFw+i6qis+doabn5j^7NtT
zVb_#TB~OmT1`s7Db13YZLo(D)+m(D#jFzeYX3@thozrf)RW|HfQgE-vI(>2j<tF~z
zoy%52$BnWdMjR^8D|nb=cc?&pecJI=in8SmH3<)ndfy#dV`}j>ly0#r%bEIYk-)N}
zX}#*zekJ*u^Z%~=f6+IM`SESns!8mbiU*QBFV!aNw=_4W-gu>9Y+drDdXt`wgL(t)
z^g*jTQu+qH&RjX$OdZxXCO@6!!!MxHQ_;Top5$lRY~`ll1cUplWdbbw1NO!`%xk_q
zJ@6HAarM$}?HM}trG1eSid*7dIMbyjtMr}QlWowERmIz{cQBgkjI(2p-S>G0QBT5+
zOv1RMirrLp?mKNJZ0$9t4dRt`?QZM+dVHzeqV8|+HV0BXCnxa->#TU|t$8K%xvEm~
zZF%mi9O=)hy(WA2ek)ZZ%;NLczS>#j&fl>&d|e4CxO>vgxm=T}=35~Gg^bv{iaDg_
z8Fh66wNo9gDumon)L(S5@ZV+D|G$+l=DSlC^37k3OTP3$&Ew<I?#|ZJ($C~RV!Ilv
zd5YsIw`ZgH*Eg@4_!n&z$c|pN$At29e`Lt|+o`EN>_4S5ql32x?4D^{xX>!7*?CcZ
z;&4yfRfGH#-OEqCr+CSy?Cz*4dR1*%O1rSc>4>4wkl1{w>`gD#&&nF!b{^Dz(EEM(
z2j$r#tywFSl{ZTa^YN^xJ8$VUjXl$5{VQ(&2h_L@72|B45I&uB$?IWsy3ZZuQtiW}
zMU4kJXC|fYjNBc5^~KumcS8ah%NLlv{ph|Y;KRB#3+4xy?6}Wc?6R&V^OTf`1N~I)
z78Ci;FC(q+^Y3;DcdY)gBlzUe8h(A9c_m-BUHGc8!1z|t^hlBX?2AduxsK;PdY4OI
zMtHlTbt7FYD5ZaQp-taG+U&;{W`&=*+v&{K<}S3XQ_o>5hhh*H)qdKo)5;|q`^7iR
zeW7%Dhlprf)1q?CO;_3!=SR2-%jr11dLO_c@ZPJu&!J#wR`Ai*YhA^;cZc-OxNL4+
za^!8Qi1LAmqLzCV_3A0KjQjUYda879=nT$Gp{5$1+{SO9ac89^UwNmkQRdf{OSa)}
z?sc0<6r4{{)M#!LqWs)kwD<GRkefYiVLL>hERbDOrg2j;-aS}$VdH7<`YH0V#^Ey0
z{M_63B%chPbna%{Bcm(k2{f%b{5HWihY$8vv_Dl+oI`Fc{cpFM=no#xu2Oz7(9Bht
z?!EYphqs5#g_zg#W~`wpM$Ibnx1AJw<mUUzO9P7wh<C#d9=TSzG`aTdu^Wnu4OTyQ
zx_#`W_M^$TZ{i#9p*@YUb8pO%AJ&P8o+KvWTa5n}7kurhqV~+8Hy_&%s2s5{57y?m
zx2d41#BbJ*)|cG@r0+tcqnFpe(%7(5K2#>2dNbT@^R>;pO(Hsp*Y(Xm3rIZQk$6Pw
z_UUwIYHmY#Xn%*OzgPh{D^z4F>gCVVk5swa6kC@uPbhZNm#aCHgv#!DGrlZP*>}%R
zl6@#|j=|pJL$MVHqpBZ-OQoniJ6ijq>5#C^yy{~Vv7buR14@Z^BNAWEw_*ElUpLBE
zKG$WBGT51SY30;rpBvG+Cc)2UWZUMD+xDHibAOXI|4)l^KW<7KQ#+p_WKw-fb5QK~
z4ngs{qhD7?Y4$~P%B}BA|KP(p{n!)jY?*BJr=NNYUXm|*IR&a5>U^nqwH}xE_Ry`q
z%(agMz88vGEUWiSdz7A9%)7KH`A1vW$L0Gp2Ta`_ZppvZc!w|U`wIEu{d?zbFPdd@
zapuFdMn7cB>mLM5^mjfI(s#?b8EiH6Gu`&X+~_;2UO0b^AUIoG@wmbLv^pw9D3L<o
zZRj{-mANh>F{ZVyH0`-#=(`T(%}YfciOUYX586FT^+LG3<#5=oMGI&LbLSWfWJ$$b
zPT4s1T&ZKuH|q5YK1WxQ@n(_3Vv9_)-iyZYWp(Apl=_GD@X7S4EZMtLK3huuaQDU&
z-U`p>6CO|w9(a0c&!_kAE;Jd)1#;Ql$eYPI$+4m?&2iwAR9=(SiN3az!OceoT7w?*
zdybzk?ZV%xoxHEMX2HJCk2)MAEx~T#RLS-Ae*9TGG=g*grA?AinQhZA92E(CP8&Qt
zMacWmj5N2%ZRe8NE{1tHlv-qIib{NPJ4V1+E!@$d%J+7WR6t7JkPh#q0$=%{+*xZ^
z_!{RfRG6kLKc!_xd&>}4#LkN?ob#kjY11zby%Dh2UTDyDGN4ZVYW4$Z<$YUpBGxF*
z=(odFayz}*RVgXrw(|9I!DFTJ(`j2DR#$W{ITi4ulK%38RMi?Y%_%DeE*+lr?8}=a
zq6ryX@(T0retj<I-NP-{@ZmYlf8DLNVjV5-XzColnIV_w9--DQ|J*%reQI{vM_<kB
zyl2ieSlipMhfB`mU+L=8Rm4?r$D(N4WqjEaStsQ6@V9@zuD><^4xG{bCy&2V9fuRy
z#4{x~@$Rm{DXRR-oi1wpNVTb=?G-Q53w_Bc(4l;L*241sMZK1_tv2|4S4!vC16HMd
z+$w3AZN3_D&nYr5>Z)#Jw)C`XzmnB@pBk0VE?UhQo!)P`RbT^W?3YK%`HK74uQ~PB
zU*EI-z5kTf-eg&y4ONHxpJ}X#DNJ7f>AjuXU`!He$p`;RLw;BD;TC24qzjsEM)q3D
z#@Yp6cU9F+ZsF9Aa;*{lnJ)PDyWz1468C*i^0f~pIm(C0?!8l%H>5pt+98^bm(Q}w
z*m&9Y{sOm!{ZmN6DL+?Hx7$bzN;`%ddNeHCXs;h2p0W6J^6o<MR`()}&qcSgRRY|H
z$|!z0!GGKSM*N?0xWvq&>Z{$O8Ps<P1fj={Cwo<FL-rXp?(<oElk58A&iF|g+iq<s
z3*=ryueh<WBHF}oFZ&Vc15+-aGS^w+Cx1NS%|6+O=guh#O127V^zJFj>=jWrds)#}
zda};FX2;=~%ZjR{mOIGaDvuU%l?$xBzwS_ZyH;=W50|$IYmbYl{oETWo?7war1tUL
zUCGiJ9~Aj=i_a|*ezG@rNV2Ly)_jgn$XZu#`yDqH`W)P~O3U=8J9U$QNOMcY{+a3D
zeb=r_2&5_61llcDby5}1yDmn%!F|ur;q>>-$3?}@q*-wL3I24gx6GF>9A4`!WwP+e
z;o1Cqgu5*7KeifNuf?+^6kZSg`@jDQ{vX+Y`b}H?Yj^?w?>S}bcCjo{#qGuVMcu|v
zh03WN4;A>2#U)&dcsSK(N>NLuP5xEcj_tB+2i!Sl6dH%TO_Z2^DwxZsLq5BB^STcP
zLRHj~9;s~A>^uXJkFzBfoK#%8xhEj+ORLAhm^o!Ximz9Rzb#nFxu>J@WL$cevZ9r^
z_ov&s!grHJPjI}UJbeD}xyazAcj22tp6-8JaNE(jxwfOr>%9K%FL(LZ<+8slN;&II
ze58>urJf*sX6Cg^(-gUTWk|JWyIX&Dzc{^(p!IC$+bA{h10Hk4R*B5?UBa6$X?lyh
zAmHB8A_^f(V$q|Ji>>FweccNLcX)i;U$%E~wW|CjKDUVe6`RuzXpv-P{_gq{>Tv`Z
z>GWK^p0)l!#8Wm6znObhnp-7gZ=I2nBkZ#2oj~8*$h!hU8qalKw5RPm(Y~@_{ej$f
zZ`Sh-X)B#b<%-c7j$QI#5y$4)nfy1O9#f4rJ%4V%XvVr@Gfgh^Y=0M4U$^17vsPA|
z-`gi8^|jec%PT@>Xh|<z?H-(VW0Gpn-ku}<ZVzHZGH(kkX?+;G8y{lmnMf$_OK@7_
zb%<WSc!$gIsV3*ydmWZ;5Rv$4mKgh_;+RJg_r;&9Y{Ny~Wo;{6G5cb@$}yAVSX<F$
zC(jgh-`b_0QK!0F@m|5R9+xt93G=7^_;`)l>ZeaTP54thW^Ow8EW!A0x|E7i#3AR1
z6-v|mD3Q}oSp-`wG>Hru!q0havA0_Ih|j4bl3zT_k2%HVUG+&Qp63-?os=F;Sw@i1
z6pzueu#8jJw3JoT@O)a+wcN6JAA6Bq-)Td$vb5EaJ1r!74&BUtSuY}F6d*hpV^uos
z@ufSZ{oNabv*>0IUhez+zA^a`m+F*+ZKi`~=6i}beBqzg_B~z6rs=@D1J$e7nmxDo
z{LH&SY3-(r9d&ME?70OI`W20L0}t+u2qg<uaNgNF*VegX_9NMa_e!^{SW&PcjdRy&
zgR(EdhDV-F$?==C(y8*DwoOjQ(NEMVvW|Qay2kUa@m=arkJz@A_+?JYu+Z5Ur^+QY
zZuHeF_UzhVO?+Ub@~=tR#HId6_n-dO^ohfTwfFd*3%%F!;q{!d&M(XRbiXA}O0o=o
zpSgGKS?!q37X%#hsZ+(Wf&=t7sSW9M^vqm)ZPtFXpmTaY4>=1D*ty;F`8ccPnQiOS
zcfA|iJepc~r8PThJ^N-glxBWDdUAF$$^Oa47hzk9KVGh+Y4?70;PTAsysYcle5iws
zP3oY7Cs95C-|>(?-#ki`-&-~-)=zG#6yE3MGOB3GipS)#8My)jPYFl*r5p}^s!gle
z9>Ap)lX^#e__}7_wOsyk$<^7{?)u@UobltXN;i78qoW)zW_2`nKKbT$@}otQ^l+YQ
zRn3$&qlw2leN)`)JhVe^cX?Hs^tkwmUdc<)VmoBe^`SQO@5+DSn>TCNbfc@CLNYFK
z_s_avARY96U{&^li)uu!eYLpa_a7UYXB}C7>9MP1d>|pg@ckP~_$~`C(*q5h#jYDn
z^CI`$EV}e8%zGvN5>LzL*qo?0_&G<qF3Agio-cOvUR8dg?!m~QHHWQdvq|ru=XRy#
zWSF)I5&iLla|3VQ<>I(&#lGCZ(wXPH*=?nd19rZTL>*5!?)Gc3Ff!}nx%>J24*u11
zI?q_kS-%WU-QQBa!CUH?vj537L{agu`QEM<*b+a@4U~~d-<p;<>@^Fv^CFihpJ=+^
zdUwrA{Mq+2Q-*WoF7JFCBi2UfX?1zMCfUANQ_*Q&URJIDvgw{Cl0`d@P0ZE*J-I(#
zUY>85D%e+;#=|{h>rmAzp-}O~+gmnOCeJl3p6vHtO`!C|?mO3~R~|12&Rf=ow=hY0
zHFIdIys)zOtCCaui0?o38-+P1Y?wDYqPye(iL`)p@Z`|Eb#VtjD4zaMxOuwt8^1vR
zIoEoox)aavso^eW&wW1>Al78}`mJ)MR(qb+$NF_n&b7~O?jlf3X{k19Y5`yGC9BJP
zy7f*o%I4x%#aDP-Tj;r}0rCFGX}b(@&M77#Ju{o*c$>b6Mp`y#*T*{~D_%HGv90Q_
z{wR5`Ksu6Z>eo+xA9l+*uW1wGm-D${N21emUHn2N3e;b`h)xQe_geh*UYThM`DAj1
z{D)QlJtIAFPyg%frisb&Uz7V^zi#}m8R<Xh=s){E|Lp(#v;XtY{?8w%hri1HXaDD)
z{hxpKfBxD3`71r~C(lRUKl*3?=l}KnpZj+c%0DXd&JQBoJfR&Z6m#oB+qsSkiG<Gw
z5^rR@ZJn}l)r%z}F&jU<SKoT@>9V1_n*vi`fAcF_eCV~<!PmE%-E}Orv#kwUDt{F5
z<h<aMRo}8(u43EHir5pr$8&Ty9{#A6!uD#aMfyO}fU23vWU9{RB)_?ui8s8pj&FT?
z>eI`C{ApQ+9~%38pW}8vP$&G9^_s_%T()+2_M6@pKm7Ow3E`(Wx-&gpzMH+u_7Zp)
z=lo8I7`5`UN5o2jzAgI>E<LLo8-2k}Wzv$}Zw`N5)^)t$iP%T!7>yFes_kqK)lN>`
z*Vi$>Q{bC2e_=}9^gSzz<8;rS$#gh;@U>YRrDct!&0K@|C0C*p*zIo2_}Dr}^=Z&-
z-MJQi!w35`^X7YSOcoF;m{uI;8T^$#k66g&-$k7_d)4>k6Rtv{%dT@BiEJBQ8?Pv#
zUaIR`XL?nEi}S~(Y@a!6-rEep>&DmjRUPMEY#-*cJHdAA2kuo=TAJ=f>LNUw?yH6J
zv%l(kUQ_(EI)D1XR=2LV3)FlK*@$Z&Iwtzvk8Jh|i3*cFZIB~uI<2pws(5+IRN<*t
zuSVsU$2_+nri-3d7}Q%Uk}9d{KsaZj<s#ak8X$AT+&joI{*X+t-;}@uNx8a)`g5Wb
z=an8SeeUY)(8tktYK5kupS$d8h21f23L+5^Lp-!=tL}8nuirRcF5Qd?Myv4f2Tv!{
z!3z*PHT3W}xCajw^aOLVFfz5rTsZWQhXa&QgCdM8b+|$WS^go&;T<_ndQzy!w-o$v
z$2=VIZvodIZ}5JbjAJ-Qffo(l#?#XWuLkbd$SY1>#tZyO7zmgXX+Fr^#uHp}kt+^3
zudArwaV8Xh(i~<H<UfRpfQKFei#-o!o~@2;f5P|x2)|Lknh~!JXfM#$3v&$uuW(-q
zcp-TyVRQ;6`}(r-Au0fJ!XY8gcE)dPd&mz8PzL90hVu*4H3%z+l^bo>g@8vy25**$
z8V2ad^#u=pNZ{>gM_LC?dP;bf#~5;UQi5DRa6bYsB&M4l-jnE$9Gd`piU*xY1{X$z
z<OKKu*$FgoSiwdNFOM9r76X|X9zA2r|LUAGCb+?PxIj{7-vJIDe99nE0>>e6n1W&S
z20ue=yvBr6_ysQ(pEx*M;qC3Lz}*M&3gb5xA67Z!LWKq%FVFHz@&|5G!#aS<ufm%$
z#%TgR8Vhf<e@vH5X7~mnXxb3|yV)(bHnU%a;lm8VfJp=z06oS4!Cx8QkjY3o7%qhn
z`+!7)hbZ^~WTLL1TgDG%vVhuw^C!Yj8Yhi0Fr&L8kC&1BNmTI8gc1ZNGh@6jDG0oK
zfx6(1<pZ9zNG2dC$S?|bZ0th78JmFw&zUeLhMS$Ky`vR4K8^O*BajTt4s=BL{Lxc_
z5e$NxwUMPM(19iJqcE`W9;{&p4Z-kn8()5;z%N?jui&zvp)vRa^eBOJ!~-LI@`rdb
z$5u{;hWzFJ5FYC}av%G%_#)sO=K${itTLDaq!TxQ5P^om2e6`ojNmn{Jd1|`{eVC^
zay$elW^m@ikV8B-t~>^R#A^{X1YVM3S{Yy7(H|UJDeL^nG~{fI{JqCQ{~bOHpHcrc
zJOQGggkZk@z}VyAFNKIL05#AL>1IG1hFwkxq#XPvJz3q+gU<6Rdm&FceIr|2yu(Uc
zQv*GH2P3;>;8|!!u(Jk5Xlj6wXgqv|ODR?toJWyQBt8H%6tfqY9>!b|mGIyTi~Qcf
z_dF1SBp^NN?@eA8NF{-*o*9e$I9@<e-^9ql2ybiTU=CQwd6J28s&aHcFFAz4`1XIH
zpJx#0SIpxabH`_@2TW4O*Bd7nBLh0V98+8CVg8#)Cg?1`d@Q5|BYy(CtcmNvM-}iv
z-u-`B`}clXll}k0`kqwEf6zX1b^bT1<M4QbH-6oy5+tIzSP41l`r`v(*pas`LwFFk
z0l%SfHePPyU~1#Q8ft=#iKz<=Il+X%YpC4#@nGpE(5x^RL|^cE_6i-1`7**s<Lgai
zTTBEWF~YA?Jkpz^2E=%{W|%@i0}S;5BjybEhj{$LuVV!hDZ4-EFBu6rC@lkQ#s;Bb
zO{K^c8k-of>c7!zB_)t$X)prgV1kEPYQa8ePG%@JY~q4>NfqWLY_4VnIvU^KG4Rl^
zj`ToU83`X50<uWsgVCUm=LIH3#=|pW>LwaqTG<OANMq)Rw6Y(PA8A#%K!PC6>H}Cy
z&@2k}0E!Zv>Hm<<e*_n6V$}5d4cMRI_jl0yGk7FlZ&r6bAz0L(cJhzlU{)StJf>4V
z%hLVJ^5YnFe0gjh8*%gpX&aft7@T43V25W-;X!ID>e_gDV+FjXiT$#`P`rkkI?MBS
zc>s!7!7`}uV}kIE=0P9^U!p%Fv;|%nqACQ8KAY&ugiM19p`cTcJ|=}Ahbz1?q<>MB
zRS!y{h+$s9N<<W21sa6<RGRmg#`KY~VlXBHE|FPf57DI<2By5C3RF>Gh#k})TN{tp
zM<#B#rzbfa<}W6k<zsCKCA=5On;7UzM^g%34i%Tf`a$`n(TVV2!2t}R-JoB}Pjur%
zqI#e>Z46OoAdFWwu`#kXUF>9J<!CxlCCIZ6^q|42GZ2EGV6h#Lc0-djrXWW84O~2?
z{zUkiT8&o0E0ba3AFVJ^c>*ed=#SCE1J+3}tuucUm0!vzfz`k>>=;&Yygr29K*j(}
zE8fA(aX@28_6~*k0aze26heSXhKLRjQ-b6NoCU!{fUZa+N5J4GYS#oTH$P<UAdO@i
zLNc?*ORHd#%-}~KEM5!)#zgf^LzpE-n?-y`@$;sQG(1r~JBlAP<w5o*QbU=;fZ@wn
zfRAlYPam5%#`PP>i%kHCV64Cgz(=D*1`zsii%gfXBH)1SKma#k5sO%S^cO-0uvl_O
zBLj7j0w0mOe@||Im3OAG%%qe)J=`liU@W$HyaUWmV2Gj_k`aqzoXpWd;F#6_G?Amr
z;T=dcx;z$qP5}!VftLk4mjY`t5|xf<_@@Av59Pe%AX*`;3n>AZIS#uCG=Rebff4jy
zf)gNzhj4*jfv`+x#;_Ox1AGe`KoGZ(`TK<dn0d=#Y^h}6Ze)}Z10eti=w45-da#ff
zP#sT$AXOM};47q=Xb`yvvf(!oJR2y1ww+u+KY*2jmzPtMTdc04HeU%Zr!Kd6AzZQ4
zB*3HjP=cZGD2p?(8ckUIg3x2^>>%iPPaoJN8Rd6x8pM4Xtu(<EVI7zbqm~jXPo%?w
z0~;@8U&^{Ms&*ndvqB}1kl^K6Bm*;LDUn9@#DXrN=dhcG=|ols(L6-*ru_<h9Bu@E
zPv1ZwKL#JFGgODX9V4uc7sjv*A%W4=*H%%(LogxG5j1E7#)E=XOaR1PLz@i~{lF&0
zV><?@095q@Rsl%|?x$c2GN_Bk^c0NqI>d=U5WF%dKC(ZRMbe4rVT(#Ix3^g82kF}&
znC2$JgO%q9a}Szxss0cp2n+{%6HB}_3Xy}TC=Ibd={^vPit$7J1AOVD9L$0;n!?_q
z9K`&gK-8nqk&P@&Il+$A2plXBQ1HmaF<O1($_Pac!v~{iQCMs>Dz<Tlrenl;C;}X8
ze2xSSV&TWKa~WV5bkfs@Sw0-rsF(s`jW4zwWo+9b!x#gA=9NFz)1a>b1Z#d`mHbst
zW0vtqA12b%zpOn+=z$s1e_n6wnsZD&w31}~CTx#9X016=4_Wi9S`*JFXpO1NpbvAl
zL3{}O1Ysjt<FD@n3I!2m%nz(gh}wywih>P=#h4_RFq?(?BpMO;k);49s!viz@w@O)
z48`AqsIgEP=3TT8`lmm{$3#3T2O*Ofc!OSIv<!Irdj4r`Jf0Dt3vXg&j26eNdNiu<
zn0or?77h5A9@|1tG&E%r@vI$J5JPN%jqrxf(kZ}x3?TYQ7RS{$ruYMWA?6Y6!vb?-
zZ9_dW5$drd7cuZ3)<dTcP|uiv+9M<F74T=IV)4JUV*qT%Km<?-1cm9zQ3TNL&&Ze~
zN{nBBp!K>bBUUgYS}|+=$l70IZG^E_prGDpBoem8g)JdqJ&jCy9Gbpx$_!%xM~7J)
z;@x=!u0v7pSQ9ah3fuN%Uo0dZV@|~}XHndk*$+1|bK#V+xd*2VrY{b&XK~65D;0;$
zDmcsr#o3#naB8N;*xwL3Gcke4#}ImsZsHqY3=41+h7Mf=FxI>QjgD3EfD7n*^qgTW
z;zl$zbP(B!s5zv9Q9Xw0#3?hCAJhdZW6B4V6AsyUIL6W%5+v;?0pSG@*dvzgL2C>t
zf+kSNImF!1f2uD4WU?DvF&PL*z+ef4DW=>0WOoNf#RUG1u03!nV94Su;1zUrHMDSC
zh*Q_p)6~^d)5R@?U2iOYGTN)23_<Nc2+&S5-i?B-DzRPlRg-bctd=h|vcfO7bs#La
zvDd?4XJWtJ*_keNBv_e@mH{D9MeI0I4C1Jb-oVq*8w?!Usxl(jK%8p0ax%5Eho<y!
z7^k73!Iqvl70(bd{P8Bj9~ci6pb$<479b2!$Nt7Q7-H#NW_pd87BSO2W}3xJ4=~e8
zW*W^*$AJ9h^2Ik}?7oGWzGJ4{%=9BOMTZoqAmez0wL8udD#i+9DYn93MARG`FK?o~
zw6V_}(7GIvaCD!AA?_$RHbaq&?%Tj1j62`_b^8sX3ywX)8{5w49xk&GqfrJAGJ@ag
zz?L}n8(R-U?blLh2W8|;6r&4b4(7SSFMD=me{>EovdPTq$XNIo!@!owSeRp<v#2~0
zwQ%(K1kTw;+r{8O)MA)wz|M!=PB3Oiwx1{H7Yi;jt?-OUnph-DXCj&IK=uPO7ETTE
zdW<N~YRVeg+UO8>v^`dR46k3q8%|gb9dH_BK@LYdFcCb2j|nzWPh3uJYylez)eLMd
zAJ~Njoj~!2lLFSJAH?JI!PB5oWsLkNxFMX?scYz1!tzI3T?0jv#M&P@xBUaiFfe3h
zghXun6!2q)RsN-)BjYn>cb69E?M?P1qtg^r6&Z?%f(RjOL{R&y@T?PW*7|<T!8d~)
zv35qwG4&?e+XeYR(>Lpk@mF{(tAAV}fH{`#qjK@fS=!hlNCd{S=QuG$uNlCM|4S|A
z88l|tLNrDO`>bM`;%K$OVtwrB*ljr+T0(sHRp?~Z0c{=-Ac{U7LQ10ySi!D?ko+hM
zGTdxP!Hlvno)CamLmP#rg+YbC>dW9B{%gU19r%yfMIHOAf%6Vl$9dAJ*oz5pgEBPX
z{{kF~kKn?e1XF@N!$h1IIu3)6!&<;$ZNLX@7eG@G0~h^e{@5WkWM1<z3^)m9s>V!l
ze~_;Ob#)*jUkFr}p()F-)+ugA#-=VNruN1xWrOzD>=}!1SR`Rfa&v4S$&wT*jV<52
z(YFgm^v?MD<LjuJNdFQN)R*MH4#bG@3J37bU)G0pR-kVnyf!j6u;@4_{|X#?*7EyL
zA^kNzquX_V2Ix09jLkk&d1RLlNx+!s|073~AdRCZlbAFDqmQQ(Hpxu{)E@%yVtcxv
zw$PRXdM^d330ACHwD$qKQkV|%M8UUVe*xB+UKDJ#PEo<zG7d_A#{!QjKm-eH3MwUl
z3I-UX4QyKjQ$i#0ugBwS%nX&wY@RtaV|ys0y%-_Em<B)r1HQ_E0ch)22@gt-b&v!H
z+pw7eeZla8^BW*8d`@E=)2f>MmcwMJ-||OT<hLiIgU%GcKS~Nf&RqT^@+EpS1O6Y1
zNta}!&9zN@Go>Q=$FbHylhXu^@}9|&se7+vn_KUch|%&MYT9IK5mBdK=H9&VXI0F@
zbB}`sPCcqAnB_gAw6j2WpOW3n;ZO9wyY~;O?-jYa<h|PI$+cVgr+jsa(7ckRoBj3T
zvJk03&K$x?p;{xA-4U;ko?w??Q@TYgEO=0~$*b`8+eNmgUO48<H?4f<ygq382A*nS
zgnV5>*v{yX&%?I3>$D#pMfXo|nZJFz@j^jUN14<i>H(GEbLk5*BO_!;l(TCKFRXb?
zS4hdo-?D$Y+$u6*+P7eJSp&*`BMaF<w|r8t>C7Op=hHm}S12Eu<lm-HyU?;N>gwF8
z`Ncs}-kBHf=3X{!tPT9Zan<~5c!VYUb;-z%1MIH2M*o%f(?bmSF24%*^_M%d{i4XJ
z48HLBEBj_oTjjcPt8+xplN&Kd`K+4*_vV%@A>6v->e;^PVD~fY?>#~sAH}MtY&<n@
zE{}UkgSZ5lGk<Q1M@0LDT_4?f<+rc6q{A*7vOSw?l6}NMvq9lt4S^F5Z!`o_xrDy2
z+_XyNrAB*4ubd4}EYFkOF4lfpnNQE0Wb?Q%eOBa-tJ_?z44<zJ{A}`0gsbfC(V7hs
z>X{`=O=DD+9g?NVH>7#xF4jq(x`53sMm6%poft9SDOYB?eBC@?da{gby;APuudlkU
z-rW5rH)Ad@ufPFau3cwH(=sKL#6vP)U0nEB_Rx&L6_=fJk{ePbiJSQsUt3^n-xP5&
zD$ihrQeakbp;MQl*_`g>$N92O41UP57<4$RM{rNxaqgOiZKRTI&GZe#2a5M1{nuC2
zADZ)S(PiD44P9jIuh%Zjb=bU|mY?p}%Q?lO(}Cy40(s%pCPrTu4;|m2{VDBJ!lQbX
zu+Lxlxm84#hkTIBSLgQVIA>6Hu;JvxIROoiGC90cBCi|7-Wk4^7b$nzePKkZ^V;Gm
z8;!TA8r$yq#&7u0YZ`CBBaZuf)$lEGs)~<Ec^!|XoJ*7I%vQJ_TuVwld9`!Rk!1~2
zIm^$-c+V3TU!7558|^7y^z99r%8(p9?Y*Zx+p#fnpS`Bm)orIac5AnAxr9IDIrqxg
z=+dSO3Lk7fmuoMIy!(OPn-{tEqrA3w{k^nLTZSr9xAq@jkb74CdArUOhow7gEFA?c
z_^C(c-t&=OsGgw2Mc5jh_H!2d8@w1_q`aYX&+%({ck3G{1F~rv=MD?4Nqu{+?3{<z
z`m;|rE)vx8EgaI*eYtr31C71kC6<5bT7z%x@w&?`ciTi!SGy7S3U}(x0dBiSi@S<Z
z!L}ZeTn5|aC(G9O9+D$<1p9Qn&Aak7?q}enE$8lQ$Jq(-^u*N$h^xOg>C<`@zO<j7
z_w#n^7Udgav$x>hL^mWleOSvYReR%xZE_ADb%~Iqo@UN6c9EX*R}b$=e%^W~N5XRG
z{))N7uF-oOr7Z|aS?^YTKXZKTvBX2wz6R?*zV(n?zw2A<Olr%f<}&l8$_?Bt?&OU%
z-DlKZxgNe#9RK{<%Qjp5y7(jQt|2ovo#uL<$~S#bI*(iQdHvKkrsnGlI4b)jukSUR
zJnMn)o4z&Ei#C_H<PY`y=pIT~AiH*%ama$>755AesC<fS<@YsBP}De-9j=Sd+u)^L
zb`rnQBE;WO|4^q8?dtKyA@b78@3PunZF^}oUvKwigVjn3{H2S9NV7lgZR;}?yV0VS
z8z6afs<ZIS&6W<FCF{Q8q`8|mRL)(pwKZUUwLu%*WNTAN=zn|v(R?rq{&$%6mhG#f
zM1lmUbUqmDJh~}UxXDUratTjHe6wglly1#XM#8zxebWz%IX`Jp=b6;KTnP8FCyDZS
z%ezHJJYI`t;=*ZHS6VmLzY8mQVS6BJdR^W^@@1I^VH~(!GM^*U1atE46fe?~n13yO
zD(CKL{<pug)#BJctJJMMaVGzRYKEGD!1K%9@rNx=vT2c(th6pg6mJrztDjZ46Co#c
z<;oH_kG@@(7i#{b)k{vjAFJr%kzN>UJWC0e-4?%J*i$`Lpl~+%Ap4nD!-6NnXJ{TC
zP8XHTy+2qi-Yot20xnoZ{ZxP3sRN>~Bzy0bEbQx@>-|{kO<nSnNmsa?aNcQMsn-Y!
z#cX!!K~`4^6;gr~J~_1dUhsL{EB|b#!->M2k|p==@6E6gZV0BF&4^1`rJ(1aSN~yZ
z+pC^V)7l{yj<D7+$w2m@m&4oTHHU<zK6xa<B^!79#I{Y_f@cwArfQwNVd_-5RAq+y
zofjLAu-Ve)46kzVd$B~6U~OV1oKUy>bW2sAl2F|`VtkaMc*gRw(A#IMDL(`knXfWS
zYq!62m)xx`Q~f+OU&VgW&V6z#pY#{yuUL87Uv~Mey_HML&X|>{Xz+%eS!d&1k-BDk
zop;#7j*_j#SF0*&p0C*(EAKdG_J_xFFZng6#UK0;V_T(s=f{z$sxP=AXTJGyfc%7@
z%HK!y7<wwa_@MnAyv)m$o&KMvxh=Rdv*?2P!kVL;ZK7rGq(u!WyVoCj_40eA{#DC6
z-Y2%Y6m+Rx%IWS@pG)kc&X(Oa%STahj%)V%>y<Ypd5B&`eY*;^zS&Y@FYeG5j!F;n
z*SD!2yscK#9w{bu>e;N_P1|icw!{uk=MCm^ee9mJ+-E^WliPGx!a&xi3id&=)U2ZR
zZ?89qrL8vF!Y!p(bS~?;=jNgfmUGrg#@G!7?#p_`{$!HWj09oVAcs5L%7uAG`kBVr
zfq31E+ym)9ad)q65s7XUn*M0-)lbiz!>+`0P1#raXl=QWNr-@;YKnvJ%gdr>pVJG%
z^4`s`t1sEOUmDE^NDhi$F23nl{BVh5GjSH>u|ZTz|JPIQ>`~%wCaTKMpX7Sh9FM8R
z1y@Xw=Uu#cYwFj&R`Q~?R#7{sInqnF#&b6+ByP)G<IByrZwqeTswtgf-KTaP<qJD4
z5ND8$=WKtvQczvs$*NL`_X6i@R+F+r_<}g}HcGVWn20u~ZW+>wxj*IdC!>7N&o57Z
zS+MzNNZ7!MANP*?AFXRS+4!{mzzmr{+|(8OJ@|Y1IyUfqsFYD!@~Xt4u733gDcaBW
z?xJnxnd?hE<68H`B`?k}K7ZUQCTGezV`25+#Itp{8FmVl4&`?uE|SBBo<Fl`bXh8@
zMfJMI>sL^FXNLREfs!qc(zaTP=dJK?NxMLAnptWczPT^ppvc2r{7;X#u!T;yAJD%U
z->W^{DNEHqHLWgQc!vAKYsCVW`?a6W-PJ1T^(bQAExme@&bw3R2Jj+J?jGHK@wvX!
zr=MRh?#>-LWOHe6Qr`T4eOYq(xq<hBqnk;qWE<N>YsJlUTpl*Mx@O8%Hg1w^&_1Ve
zW|>N+rB}C9nPHXEvg%IFHi77$KHb}eH7m8`L%(ya3J`l)C><x^DW>hrDei@@uru*m
zz077!^qgsXEG4EcShvWREcy5zSKJ}Jm%_6rmr0)}Pty`TF!)rk-Ro_lr@wem!wkx9
zT;tWgBczPHO#+rq$26OktQx94<u6e5#AyGP{U4TVKP=%nzbaDv_MZ9HddDuXJvpto
zOLk7O6IXHe>PlMq(&q<j!g)My2yH4|C2gPVsZ9IK)s(URTd`a8d9|Xc{rk2(4ruW3
zKd3QC*P1pcE>+llRM1W&(}Ta+Hup#vd2e&aRUJN$<~Nlw&Be`qMB5uDB*b)vzHh&B
ztT>%3H^u$92t{Pc$3CAkhTU?_nj0R=a(`Pd;(P7c8A`~JXrbhbDXzv!Yi3<Jzq;hK
zJ+HW%Z|Q15s(-!El-sh;&)k>K$F1Xh<IujhZ0^O-fTQt#!sZXBZtafwqIR#)kLP&j
z_VxSo66@|xI$8Iam*<+3=Z*kXuQMwSOCL?>eeOg>-wemif&Y)Y&zW=hUFLn`?(3m+
zlJNS=7e3$HZK@fzN9McY%BZ+0Ih?EZn7zZzFps-HRJupMKi^oSG-SWKrs|~fxZb8`
zYxmg-hFflG5YK3ByPZ#2bu2{V6z7Y5{?7x4Z>fII{$Q5)=rnovQS)nN%kFGX^n5+p
zdggO8Rkwg`;T_WHyi-o>H@vSHu_cSsLgiUQm6vgPRmfDM1kD%f9=nvqKb4)FpB|9^
zyf%MT(}%^r0-J~X*14Jt6iiw?cTXTG70-7!XqF&}d-0s?-hI)RCKK#+a#r1>>mPk;
zxFAkyd$qFIK+n9Bks0S^e>+0mEFMfNbc#B~m0hFe`nC3qppb=KBk!{P+pnKnRC#y>
zZ=)Y|ekGfuhW}mXh38dxS3VtDJ5aeGZarsE&;Vzrvd<ksuJ5PFR?)(~Rg3eahZ94b
z+wEn<sv;X5&9XVm{YyV5hARoA?oXk9>DxsXynIjmacsdcDKcGHVg4MKPfc%Rrt#7Z
zcjeD$<(3bAUp8&)WVsg{Y}RSA{uP<EX_hOig${L{bfI3)8p_!EUZF#Q;9=Pqp}5I=
zMjPj5Cn4K2m(Ar$@0nd+GL8G#V$Mu{hmAA8#N70zcc#bc%dx$pIGvdB#>X);f7d#^
z%=g7B6z5KR!0mdfpkmp8uFCpv-zT?k^V+iEeN(a`&(>rove)ecjtkSw4V&sX=DeDj
zbfA@zt?heTLj1tzN{2{Mm8jW`evhvy*bHf?lukWmmR1(f`9a=M`t<^?nVj1y1^Hr=
zE9zfP-P!s0)S<_l`MWlX6xE)NWw#O#vR$eFVJ-KM?NPVz^VmEb<JStF`c6~nBYD)c
z37L`ubUCVZyKPIK$mpKiHPvSC1Ie!Yf)~D*pKWPq-gvvsQS-3-bL&Mbrt+(Y?7QC}
z;qn33A^*uI=!x?XsnC+Jq%YUSqWtHbtHf(AI~+-GCx_}9U5+O9bKM@QPvVWawI<hT
z;KM8dZiCDvA5+toXV;~~ZyS1i`{%a8J0Ts_)B6i+@eg84IO^^nTP>cOBJ`wWZoTDl
zj+3X+e1PPjXqwN*_bV%+%53KhEeLmfH)&wjjIV`?8}wc(TdjCxmHA;-YkTh??@qzp
zYo4XMi#blW=G=bvXu|$Gb-Ov2YHr!gUH?h^WvsYu)iR<e|E2OHrAaZ%L_P#%=j^C-
zEd9KxGv#%$YVx7mVJlSMok~p~d?i`oJMUIY%6_RX%O_^O+^J{2u1*e?xg&ow#v-Ic
zl;`$smw6`2^N)X!@0sD3m;OFVyK<}hhHZ0eGq{p#j8bRKiacvJ*K<<m8re6S<%;$e
zrmlQ4{W7hJcklf6q!!v5t>ObQy;IAQg{^s=h4xDeR74n-W(Z4d9GX3S`x2)D<J;bR
zn@^V}`wYiV(tk90?#nBOf^TiQbXeq~$3xzr6+enE^m@jm?7ROn;qzMCcqc3Es;NJ8
zBI6!^GJ6(g;pia7)~`3EFLAbms|eQ*Nh#UI?<Dj3B|q(7R#Xyt-#^9mUU6>hWku8J
z$Hli^F(-KFYr<r<Ca-Pw6iL3f(d%6c>nor6-(01@xy9*?LS#Yvhr*PFT?f*yv#$>!
zo(-LzskXImqpPcM*5NE4j<&rgbX?+joV7KUE&9n$sdOafC~i>w_F>0&V@-C?W$YoY
zQC^dFUkc|9A5xzAGdNQc|H98|h`_t-{-K%Mr4|;5#yQ;_tY<4S%$cqca^%IFz#H>w
zQsdrBpE{TlZ_$0zcOx!{XKwcA$Han`<F|1y+dG;$iX3=OeA82D6xz`J+~$La&_==&
z<3fQA+Z!C}Jmi<;y*wH5eqs2##3}6OsFvc-T57}h2rp5|;yL&*D)p_-y@gvEre?5P
zd!G-;Y%F_GCt}x|8?t?;*paNycW#@T9xJ)GDXDhvF{_V7e7-@)owI^psaA03@=xb&
z)$y8CvcBfX&2C<=O#W29#O#grWw#tc6_2XR&zt_)Da7;O{$rKNcAG+1e6UKwWw;yE
z<;_dqQ<igZhVql)^D;CM%}fr;?7%w#UnVV=7`mRUbV&1w+Hnbsk4ImG7#+FHzGKC{
zl6T^Jyh(EXWb??AJR9*rmv+|NaF1NgZJHmc!oie-3sZL-R(=-X=l>yZPP0w)<b4)G
zRp|{+pX`aJW}jg{!liOUylcoU^U{>r1_K4x!U~;)=B;s7;;9l1joq@|RHo}`3HzLW
z?OSx`y9HWYWrt%fzYn>yXmIXIhnmS#++=QUyuC&5_`t!fjYDgN;)0!n_+(y7NGysS
zToAs+<<=da<<$+769(_^&uXirdOoIC;h(--a&_v!octvYM#uB+|9m}tyYM|-5!cNM
zg!Uii_pEK>Pp|l~=Vxzvz|3}k6Z_e!a_*PAOMX5*u%4&N-8w|sdeW)Ymsc3JC`J`J
zEOS37e9Le3dl|L$2k-KeVtw=mV^;E4P9c<to2@u`(c!hkb;8@ISz)0X`DQiOcGgEF
z>&2ZqmUNQ;WRqYIk@JeS?gEZRpEa4P^?f?~2H$liHbzC>RZxApi2a?^b<gxUjl;&<
z=#Lg#@qT#LT*6VkyFpspb$eyW{PUZaEinz$RNpXcyh_~obhS+X(>nKyyWNXE_meWM
zxP-e;_yv%heH-7@e=i+$XxCb2Jy}#W=gH>nx2uwPd3FW(91*CVlDDxtZF=l*RzO$5
zr;g~X%XszJuM63z+_qdxL<bbiw;U1ZzdS2vfoq6g>@K-CwggpD8}U7<q*E(*eGlP$
z^R-*YE_a<&y&@ZQ&Q)*G;He+2p)GL^ZuwG^+meFygbv8kE6&Cg4kY`mtc_TDW&P~N
zN%|Id9&Pto{OHm3jLHj&1D=adI!sovdcD@N>RwlmIw_!7fP2y6rB?nsl%8x<2)guQ
zd(*o&`;O;*yU*2reDVu6!u5~G+NVi>SSHmYZytYA`KL|Yu>*xeGrCT4>jyo}6G&hC
zvm-boYF)wCa)R(+P(h8uGn$c*6z7sEN^|tQhaYapWbnHx&b<5N%__apt+h|=W?J1)
z?{c_r#cgXB|0Ki0Qu?(;hc(v;=k9O2zPa2^(i2Qr@TJW}DB5T1tkb*j9MZ}rH}dCa
ziJsbE==|(z6R*_@*+Xxh4!pkh@#7=4^IvtVuJs?_I&(tPvUHl@r(2=>x=T)ebqtT$
z%Q~*W_Keu);c#kfoH%wdW(qHRWB1dTsVp-UXQmR&6yCSQ%E>d+>C9AvnZkw?_IxHY
zg#`(A5AVHU>1<{y#Z2+cbUriHW~NHaRGFE=M26K@XQtB36e2BR`E!}6DkBAv|G)YN
z<iY(j2LHQ5gx1RcjKTlz7=SwXXAJ&#hX9BFzhMkCnfm*GYF=2#g!liE`2nrd{ttU+
z0vA=e|NrlqVFzUp3v=TP1A?-g!=j=fGk}T<I-`h7F2fq42qQ~qE;DL{r3Gf`EwdRl
zuZ9+wrIpK|=C#EFGqW-Sv(mBzMFmB9{@=6A0&Vwq@BMY}|97ER2*b>oGtW75=FGg`
z&*$@RKNkI$Zv#Aq=-LK22LH}4ZvLG0c@Ql=hyPvYsQ;zU2MV_V$CbIT3jlnN!2Jvk
zEdS3x@NKn$zY!I$nKC>TfApW5TQGX88viZ8xrqg=_-}Z6=I|2knmEz1h`VBD`U3uf
z%<Rl8?uX2Wa`@k~@^r&Tk55eI{!N)Yb#hjbZusz#DVm20`K!T0c<Yo=lOcz@JV{qF
zH#dvFU~X}-Za5mVs7v$9$<Gp&pPyY?#9feIx?uS5)R8H=V&QV#qTJzVQ$tZfCcoZA
zMS0xKVR1wufBRhFA8wWZC135Nt%;b)wM$C4t|2SPbo^h3|1ZM-p=lj~Tk8l#0l^K@
z&gGE&vtNI((vptb-x1#d{$pRO#hZ0)|KA@!`|WSp-ktY@KXdzY&wK7T!0l%kY1?%i
z_%A&Ublm=3$ALfdb>KhYIKZ6`aG#ZQd_DN5&j;ZD;OhZ@-jSD8I2`9={nKCeuLqr9
z2Q2%A<@KPS1n&OJ&j+L(9>Txwe83<qw`==%7~fy~V!!<@+q?6A@Mms+?tFkd4s?7y
z=sFJk%Im@Z>El4h?f*}l4;X}9zUw$3jKgnz|4%y(aOVTu=k{Ia1AqAWz`yM{(7)?^
z;6LH>q5rk*|3~Kof5!IbP7nVVjsySaJ}3NFy&vEXx!jli>p|!9LCbz&IWPP(_5<#G
zKw|xTsOx;7^ZDTa=JvO2@6P+dpSk_H^8uRMF>ybz=LIium;D1@|5tf|Wj{b}z`rj1
z14Gl{CKHW!{%&4C{~OK+{>knCf9~_4|IO|HN5_FbWBWVc-br(NXxDMzce!Eb{UASg
z!SM8gOhDY(F=&Vz%fI8x{y6ZTupe~X{*Jx6jsqRJ@&EPh&z%p*x&8KEdmQL`J@|uT
zf&Foy^ZB6VxB#L*An!UK__u#P(D^v<2b=c~|7^egE!(^EeqecD@Mmm)ju&vp0Xz(J
z@CUkH4}Smk;14(SA6&tHKj^&uE&Iivc^v4t{kzTwe(Upr|Bd&BmhIhnKln3`1Kj6?
zmg9i!b0P<}>p1Y=cO0;7|E}Y}f7@|@dtad7Uc0*97yOStAK-@UpZWTqoDV3v-WU8=
zzc2VRwm<hdVb^g0;E(1Pbbf#Mul$^_^ZB6VJkfGq_-E_~9bX5!&IkVJeBfWX{Vm(O
z^M3GWZh!84fSd2taX<K{-xpB7HNVI*f9SX72U+F=S)P}imllt!XPK9jo>|P#`>}jZ
z|6B8v{%C%ZWge2{{hsA{Zk?B8nU5rLfzI=ierrAwH<W+R*WYtKVA&4>|35q*=-U3j
zzZckV|35ko{2AMS=Gc*z<aAr?J(o$%7g%x;{h1h&ol{V_IE+pdf5Lu&9J(~!u0A%q
z*qWPdTOKwqq+>T#b|Lm%jOH@ehtqySianM&F{yk3(by~uyym{_*27YxV7WWISwN9^
zwcooQw_4Wg{>t*QusKF-Sn~_`mHYku_2qhJ_@-!KP3)GRh&>DWShvHEnq{TMVp7Ym
z+`3@|JXT+G@#94}E?9uHAlou(9Ui|hGFYp`Wt?N@B$sZEEiyUWwc~Zz09Xv8a|;)g
zVx0wGnOZia@a<-aLL)~Jq|C*?WLbZW&&pEgTYuA}7h|7KJeJl8<wDj!VBY_N^gL_@
z$j8TmjcS=CTxo{5Y!JKE61ZCnH^g3mV)0V!bt=RaD=fg4OS_9F=jP1C4PQ8cYl-3(
zoH9RGhxdm~ImP2j7U;%i;dUp@p7=dJFR!3973<CTymv9aANc-=(FFy?8lkKWM&)y9
z?|fy3<!7-#5=IwhXN#SFiCo<eu9G?+I}5N2kGsuCzOzWUJ+4xwcmb{y-|!&}nFjlD
zxb?)_Y6^27#uka3>@55VJMN1Yi+{j2g!nw&-1Lm>;`scmi6sj%uo6g<UAQ2(cmlS&
zjV{UOd;cu;x%|WCwujK)AyhH(D~J0*;nZ|4f*yyNYXTXG6&NtNB%gnbxbAt`**f5>
z%+m9O+r=01y8*XMA#y$u>-i$MrC|q>brHgYOpZuQ&zzeLW3#f;^Kf9ercSIY5*EaD
zlZaauqvY*>#05d3t_1HkI}65Obx~gS6mI-duq#Boh2@UMVuysV=h-fa05$ixxE;cF
zVfe3I_^a29<jS0EH-vcX3dzT@pO9WOAGiqnsbY8L<m{q?65NW(xj62Y=NRs!eDeQz
zEXvEy<4fE+UBovwO-Nsak5C+m2?+hMHvq<}Cu4aXmIM}BE*XuRUwC-JSi{%?%b@2M
z7Z&8fSgdL)EG*F#3p)Wm?}Vozma~huNXahb+SNMVO!zIA8&h$kW5WmcycRY}F?N;l
zgFQKWK{~fSmWOP)Hvh+w*;uNbm7Slt82BS9m-nwr&tJ^%`r=cXUmjPH2$T7zQ1M(G
zLcTF~a`rqd$iN4{*C^t_1e;>9o3I#<_6xvrT*gK6T~tN<K@Y6ED)6ma!iCmjA_!HX
z)-7TAfj{g4_Y~uHB0Lgd-$4=XzlB-++6m=1!jIOD8{uisUuZ3m!Q))!{1P4iT(z|E
z05>AS5@4hTMoz*9gol=*>`Ay6>9Di}4?047GIZDiTxp_ZTj4{*P03$kt);}_S}?ju
z7+3x;-0BKHbZishUbe9R3HwHVt>*}PBKX=Hv1sHsuZOiHLi@S+I><M`hzs<?Rbj^9
zM15`xV$owsQ8CT6Vq_Ov>PxWq1<T<qD`0yC=StUU{(<oQ8@4t1z3X#L#9Vid?b`VG
zerNe&vv7x-{NDBX=Hd?5{{7|iC7}O<>vKJzSe%7Nv|l`o-+dgT76}b8_P6@I$HDh_
za>om?X8AYA3tu9!2D6|fXD*g>F2Hjr>_M>~Ps^DO|3LH87i9m&-^CX;{-Ig+C;R2t
zJ^N{~S;n%jSbLfH>syPR_}}73rEp!m9s9zB!q^a@iKsL;FONUB!MzTTHg-i~zxp^V
z2NAmg`PJ*$9ic2&?QlKYe$4l)U}K$71ci_NH?GI6wXn+EgTm*Y<q6W^`uwBjTJf^D
z_9VW%TDYrD<8Hfuez{x)BAuRH^qb2~934+%_X@t=X3nQAOXLp^9oN^oqm99Wu8!C4
zu%5#4itpO_jm36cZsPQ@w73iZUDp?$D8F0@?s#UuUkL}0KfWGc#QUpP>$p5z&%h$?
z#5R*Z%jAw_Sh$$`P%ie`aUD3^$u3{dlaZT;FZ*1V7rtO{C9~Y6wo!3|{9NwEDXReT
z@C7y>`@<m%U%d-+Gq7wu3%F`i{u{oc74fgiFt=bqc1B@#Ddcl?R#>77<MDs)!E*Ii
zP?VoOKN}{b=a=9q>=ZmJ%i~T(_?CO&WnDb!<%ef>hdr%mxbPrnW8Y@xVk}m~8ZS#T
zIp0Di-Uk25J%5BhW7qj_{EZuPyT4fu?c6Tbp>WK8J8|3J{*NrnJ;G2;XyTN3jj$hD
zzYBpf)?YjS;PoQX;;i(-Ow!K9Bmz)N@q$&Xt3Q%t6)k1Gcd@-Z>3$NEyAvJE_Il8f
z9xS7WvB59XwCYE86y29~*QF_3=oybZ#?E#H2%<x_(z$ZO1GGDS_WW*Il8M!ROs}ZH
z$*eDKr=RFSm!$RAxKCwQr21-nUZ9^crMZ7iKR-xCYZyQJ#fCI@pdpO@Faz>nF%8A^
znTe1K`6k*mn|92C0!ZFUOLJ&vEu`YgRnk-#9hyneSem3_inr0)1@t6<xvCP~>}eVF
z{9<}V0o_lR&JH}=6v)bT4f1q)k0zLsJ=IGKDfA)sd^V^VD50AZ4X4;7Dx3mYVnG6B
zNQ8>AcqyGoRg^)+hxok#)_Gn_sgNWl&zM3&+IvRIC6Urd&%DLq#o?@1Vl2FusOTn5
zEMAls?w_ggyMrr{!5!wcP+Xu3%gD^jT@ld>usA$CEwlLX$Z2CTCZtCktJaahgs@Uj
zN$yL0-GQC+7t=O_QX^HYPtOk@lN@>3fzUJYWWX8U66I$%q=BKkF6nVituDPNJo20_
zMY`9J!csboX%n5mN)0LQxtZaHs0wFx2Y5+OP?{YI7cj(M3tsr#x<0F}1sasP^z5{A
z8fTB3LS6V^`J~9C!jJsVt(4{zPI6`yu>qr;leF<#c8ernC{R9UubpMJA*z^!nwY^$
zp&~dZ5$NDk`kX?|3D|Ri>S0!y;B|9GK`}O>U(Yz|I@zqLb)IZ)Itt&I6OPH?x>@$H
zu76XLrzb0w=zKR#9C;Q(${|$0Z1Yu^u-U5u8Ye#L1Y2Ojq2Q|k=WZQOD}4&soDqsM
zBLY=9?J%+5phpe^Xvnl53_izU;%s7C3>sf;X8$^<g(cDIN8!|L>9t1U+tfr>G_D}Z
zr{#a6dpFSZGoH`**0ccJlMs?myqqRJLf{@iOAY0S`}iE<MaV687k!$nHob@t8I?wA
zzbAV4g=G$RLP&))^f@(gxEn%<6sYZ_!a-XrgT}D4rdycHbJvg*ntK<YD7Pxe970J)
z6iSYDE2l|4oj_b5pGZ`DY4W#KhSEE6MCG6{#uF74`fc1D6=`gDpj>WV>*jZ*su7x+
zw7%DFdUkVdZ*-vw32{h~IGb*fId|Dv%P!F#vRf7T^cZps2t|`_<pA{&Gv4yME}=am
zTG?fHTOGjpMw46jYd7$5wf=Oop{9ZXqeezZmDVKF_;w3>%AvW%#lz#yJrAZLuGF_&
zT3b%;X?>lfjqpw04QTR}6#Yoa`a#{$motynLw*n(%Y&jHgK;R>Tu?sIewSXXB%oWS
z=%c;~%PzHos++9m$5dkS*a@V4bWeszBtic9gSY0&7NqC+F9rjs$mC_LhjTfZW{h48
z)0g3$s6OA9Qd|$K1E*<85H6N9o)5yszMlCNA%9tR0&<9cvzjD%j`{A1B=!r<d4~90
z1~aH}j+1OC%+*sG{T}G~4D;w=ylr=&b2s01^nWqEF*=8K01DZ5w0>34GFgSEXTw0B
zLSIb-?J0|1+z01KVS>V*dP1v0BvhY!26B(yLq|h>y$j{q)YSdVp!b7vd$WPvX-{g<
z`HI!roBHS$(%zd4zbP4XlO3q(*EDcd6WgQ@_<DHwsoO-K*3Pb(H=@0jsjV3aL1`4Z
z$!-m+GR#Yr0!!LSZAHWbBzpLQDl;K+#&e)s8^CqCOvTWiRi5B=y-i9k6LWu~U;emt
zR8=h@O3y~xGbc<=3ImCB=1QIZ@lpeorf<2fH`nQioY1s%&rLHUR~UvFuiqo?PNW_r
zz!d1J%|vyLKISZ`*JF5F+pT-#dL6yTqd$OiVVSg8Kd|Uiz3jWG_o7?jQFHvnV)Kic
zy&ZLU*on<d>zlJA?V4ZU@Z~A^8k+5*E-6lANRl>Dre)cBqD#*WpOC!fK?w|gfK5~}
z#DP0T6$3-YWOU=+kTi^uG#C?9#;FM|24j4@GG6AfLg^UkTMApf$38!O#KI?Gc!^u%
zx9{KG1Ms{g^Oa4-4G?`gvS#u;3>fbE>KcKr5$GC$t`X=Ofvyqg8iB46=o*2p5$GC$
zt`X=Ofvyqg8iB46=o*2p5$GC$t`X=Ofvyqg8iB46_)|u}YfN@0{vU)FAph@+^xne%
z@3Z6ot|I?$rQ@eO#=0X;{fVCN7uKha4q|=2VinE+CtW=-oQj@A_oRbOw0jmk+du;(
zKTprvNoi7OKX{!kiE8kpz3Jj_=oO{_Z-7{OZV!p3lr4|%OIN@UP9xYgA&!30Fr0R$
zUrl3uro?J|R<b@S8i{r&yv#CV=^XlpciEV!<1~1;F_Y;ey5Yv_Y)UGf!hQ;2a_@8r
z<fA&UK;CcSO4>OeiXof!%5vir0>K~%f{~~Y&=h9^K&HwURRAd2MF+>zi5awao+?SA
zNt~8|5<ntlC`*;nA3_EC03V)3HK6Ik4EgNE@{LsZmW5CK2u;jF$2z7s!8J!QF!GQe
zRkW3=o;f)bWO5V=<f#!9Bt|x5Co2|C@Z08F1oJ`l80!nwK27VdUyRq%Z$>~gEK<x(
zi)y%_L&G3`A{pJTr~`>4N*cLA*AMBPV&%xVs2M?#MM!u_R5Azf9I_GM#rrQz(t04W
zXHChfnB4G>BDZOj5@2UUZJz7D1vJ`;x%p`8=n71OqfAkU5|gJUmKQ5QCQ+5C-0No3
z57YX@sGlZkk?$21*DVL#c*8W@bTJxbD}v3amTKbviGg7B=$TQ;I+CCw2}pTgG=#oh
zL1s}6q+)N>QAu6%d-v$dx@ORkYb1QwLXxcrKfZ^AKZ<A(RuIn%<atR2>2XXF-u#Tx
zU|!d}BrRee7|4)%X#`ms7?`3=?Uq2s1a7Vl-12hZQ)&KztA~7uP6Ql$m6rMk?pi&x
zDDc_p0hc741-ZyQqJG+Kkj@+$5tu(<Pvm}0{3>Rl<od;;bCkEUMjHu+oYJ?_a_Gv$
z6VaI`*n;)O6qCQ3DR8^tu>UZ{{R&gfn8i*wLPK>5h>YB;yc_z{!L>Sfx3db`on;Kl
zgJWKCrs|j*O!fR>9;(d+ec6rajVFUfv72<w{$*c%`}V?_nrkx$4*PVC?nuv%PM)N%
z(EgIvBex+u2YMc0^(?cnXk^jN=x3=4ee6+MA1A5PPtMk5Q95$u%BaMn`xl&hjn=OX
zkkB}i>st2pnPqyp?2W;3@QnWtHHXsHghRxo!I9T5J(JQjV5Oc8=u_dY*%;LbnvEM$
z*qEwPhstX{5fbmBh!)Kn*s$bwWS?n^AY30)G0k~O%Al+JlZujut_l9)*~~RDWihAH
z{l}jHYGci?r!NK%yF6*;%zG5AkhaWM#lPfr-&2Rex4rQE+ri5!LmqUXWD1I+%lZFb
z1zGtKx_m@h`N)}Q#FVeZIiwnGLf(Aoh0GVE&p%Mpz4%Kwk_jqByF+>=u;tgdpQS4@
z!TSJ2oS0r2wt4kK>dRrT^a^`!%;B)-7iFBdczUWb&3*Ferk10psT#(w{?ka+T&c!=
z@)dp4(JNFn6VXCdn<J(8H;|dh=pvnaN*|SZRUiCQW}x)QF%lVAvT=PRtUE>l<9Oj1
zG?}j*!>Aj^kvazV?}s7k!6zfv3`vPB*P3!K)-BleeeH}B0}?^yLk0}}jATw55Dcu(
z5MN-mL%a!I3^MK5`Gec=!t6%r5$Vbk<brf%z2t(lDDaxp;6q)I!oB+ZDL>Uqme)Hl
zFKfGfRj;XJPQJy|(ab>;Qxj4da&dRaC0R&)aY+5=TIWz7*O2g#i;@@X<7(k<{n?kA
z;b8sJpXx&v%sj77zDU-duJd{E0Nx!KPb=?Heb+#@OXg$SOd(5PmcC9w^(~Ut<w%y!
zEYJmixO65Ra}Iu<8JD9!+c*;!r-rZ2HHCg?&{HAjSjMbxdykPWJvZ~x?sJf=mX63F
z&_CyVjziy^_-%{VZ%#a!18E9!GAI1X6H9^^h|K|w;w$`CPVjr00ypX6@oYJSaF^qa
zl)9s@L;`L;mBO+;afG-HO3lilj7;K{0>-$po*{VKS|%z|&qOnzWbnq^Wt#GOMp$S8
zqbdi6yPQx<ovA&UMh4dX+EQokpq?uq9ax|+)}JZomU_HgU0>j?u7`kfyft^3ru<B~
zu+;o>xK#dfaj7pI>$ucLZe4LdT&hhDnRQSbH)*N1S2h%#)W*DshoCA**4_;};5l=8
zvNm>Q%&ydf47tm+#)h3+8dksbVAw^7O^Q1)rwty7F_;g%5R<n01jGj8k<b|Y!Jz&1
zu<1iero3)aLZ59^oe~B%Qea;4ba1JTKwu6geEByi>sP%_QA!q`J}}2TW6E;#&MjdF
zWlUS%;^OeQQx)T00#oQE9lBvd^1_w%O0xq)LR0bO2z^Fvcmy8$heYv)*t7)<SrFEi
zmZ4zBPtdz?mgQ?d;PJj*5X7_%Y(`aKobw!a7j*x_W7L!b9+^2a1LZKB;89%<nk3C>
z&J8;qvkm1iI%T4kO$E;lbrhYFd^*99!s%hgSWjmH@zUiDp)*(d0^Rr$lW9mmN9_4p
z#gRaRhs6=gDP(owu^YqD5i2P9IJR7WNwCDCrX?x0@wKOwwby(&K}=cio1{&sU7);#
zirA+{W!nqactwngFvt2G^m`K|=J!^bN9dii4umpfGvfm4s4WrA3|Yjq^^43Z%6K*7
z6N4<gNtP1PB#+E=OrBB^$GWf54NIPa^FU%xW`?ee4BqJk;LhBQu4Kq+rp<-9v6^Xh
zsboG~&3vBB$SyNIcW+h{k8xzq(hLkvs!W-709K_)U|R|do(6ljouT*Q_qi&6nw5Gn
zZN*NI?!Zb}_iQJiSm_U}Pk7lJsUwr5#_dr}RqH8fgZ`5@0oJZ9UF&Gl!~GlKnqDeB
zf<K)dwc|tP4G7p_P%1_`1Z=}?;{;AlMXo;|KE_IwZNsO1tzxAO-ntt6OUda)Q)DPA
zxyc-4lC48WUmrTa(@Em^kRlR#Bu>!6;C&ll$UMW3ic-e`Ik-Z;PhULDN~_Hc-Zf^;
zjzs`9J3y|j)lz%3%$7sxX1s%zkDv32XQc-lypOO_N4XZ@7!|HfcUSJizY4dMq-#HF
zA=K+;Ws62Sdxu6^<E?IS^fTk$atybM@}lyRa7F66nMh|8O)G;LMbJ0%d0&+j7W*pK
z?|#3?H1Whuc=WU`WpsFP1Y|PPnL9>D^)&$Rk4`2B4M9oKS>;K_ZPGX!e`;{Y+qv}_
zbPQhJe>km;rfPNsW>B!>$v!KXb;se+Z3|b)ZkVYfjI+ZjrXCDCsB4UiB%XoUYcA}+
zauz<(mbyB8qJ`=m)G=o_>KpAdm%z8})$`6KnCmM`ya=<Un#5JU03#PjS<kp&)-zPP
zX~8O~<APN%;j>nyFPQXm44~3e)Pz+K=MKHEP|sd5EQu#WwLidB_vLF)BfE3ukfd5K
zeR|DHOWHSq#8ayDz6ZUVsY&HZZ|LDUXt+bU_gBDp>pj%opY6Z5@!qt%m+qF{b#8Cl
zc<17sX}7oC_G!&jHlDl!%-*<iH}=Dj_#KJ0eTH`XORF}ga4K<7Nz&lK*w#By#t^MK
z5IokcG+|AU7TSS4STpAE&n5K`beks0?aK4L8|N0gs2pg`qe^m1MFub=6Hj+)Zh-6_
zxolwGy4gestsy-KOHX$-78t)!JE#E)s?0xJPkUV3*u9+Go-|ZRZhBlN<T@=?UmO5g
ze(Ea&SCZ*L7oCU`!DBG6QZ?~2nS76EO5NOmb?fO?*Ie*@mip>wpy8tbpmHNTM4WDf
z*4O;4qQKndaDtlLm)=i96Mco1GJDcm*$?S`<RN$nbQ1a^ozI*A2VAXg<@&E$Sb{Po
zu<!tZ%I}Y)UkbZjbMrPDkY~VIcK2>oJ(0+b1;g_P!&wO%-wVh+Riiux;5J;R+-ayK
zatYZ94+1UEqz%k=ceh)&+&pf<^_HhmpMzWpl#{JaJ(S1P6oGmIeTniTyt`urTbEP-
zuRt3i>Uq1EVmIX@uEyI^hn2d<_7(aUZ=uNve^b8Pw}60YwIh^MvyLPtJ8-^Y&xoax
zpd$lYVrJ)}ttcD+Z7&+SC9uxYH6~c-2&=K<G2r8xun(!4nkplJk(NqfHLNBlX&;^Q
z3R1HOB;;<KdQ+M5YDGmo9+0UmXH^C7vGY|0P@Py?Pg32;S-1+_KTf56u3qMDr7AE~
z6dWhD{q<kNbDNLonan+UdN{}?>EC|R={T#|nV>rwG%?Ic28s8ES3T?xe<^tH<D}4S
z<PkqIO5I)w2gcPNcv9m`6phLap!hoFNi}%^=8kLhAFOz_Cn4_*Z`&Km5K{I~P9TBt
ztJF(&$WJwdbsPGD%jg98EkDvSvIXwb`;iFsBZ(w!<NQlQ=E*Kyzd>4~-cd=7n*t)r
zcY3%Il{z5wRkK47fs8z-8$(I$XK)^p@17qFSEI&-H%@_3zHddlkC_zTc+a%aR|f69
z?#fJxYXu~v5get2^e^Air%~?v@rhiA&&O}M9{3?G)t|ZWsOs!cLLHt^H62DO)Jw9+
zj-<w~$c&#Co4)op4Rtt4G_^80L?qNlLL_)Y5j&s~x2;2_^2O0-A88!?Y+>Von~dYE
z3CsucrQdqErV^JL{W{FiYi@?;;d$-;yZE-yv;2h4C(XC~(o_<aN)5kP;k!spQpxD-
zam+??ckrx%3d!H1oRwq^k&cuFP589Vpj9^c7;iQb=h{=F3W8_EwP{(pO<UHZ`F3lC
zGJL<^Mo24p%*>FgZsa90YLt5MEAYZ7^Ao8%WW<le8G)3L$zQ53Du$n%qkqn*k1L<7
z@aXnT_=Uy`M1Mlk8u9}xZSti0{dH6vv{mmPp41+^YVEYTpfv&ErCw>>w)fdE67}IW
zigj*{**A4mcMUL;lp*Ecg&c!BZ191^f``j`H9~Z0=~3-tuZ^EisH&ve`y%FlHQ)(|
z%NgG74aVUb(O)rDZy8W@WARc*Ya>AsHBe3YJF8t7JUkY58{x35t^GUreAbTb`<3g{
zp|3f5y=uctgQV&k<J*I(>Mq2Q-hpLtTy20dIQ1`w9h`{|adGONLg;a3<-Wb7@7Lsf
zYC@Wi{<HH$`ZIxWc<zyNX+!<5_6Rd;?tSS+4*8SZQI~qo-{kr9oG8jza2om!8qAd6
zz3U3ELehf;_lhTO?Eg0TN==xN!LO@h56mOMm7!U(wEYo-zmnYtZ~VkG-(Iq)ajsFe
zh6L;?UqH$whbErSqkh``u|D+v!+OJVea+@D2hT&KvGK{Ory<Gz{G#)vkzQ1!*Hg>9
zy_eBa^ONRM4L-q8oDZ&MnmqSYX8q0uKkD_e1thTAVGEeLRa26*pVLVQIXsv&#qEb0
z@&L&DQ9*Zlog~9!o>3`%$o!`QlOH8N9C|zUt$T{7Z`h3FFIC<x<Qgq)bU|6SftFq%
zUqqABn&-kU$jhdY$D_!p^|@^Pop9rBGV(<H_Akh{nwhsq{B?SE8@Wn;WE4|w(vIIM
zHvSkE_9c;>BWFVL|3>PF<A>x3IT(290__$5iT@*Cl8?v-^aBn@$bPbyZhwdLtRlM{
zPZ4d#0x6j^kUo0!g5HrB{hpfXEKlD-zo7l$$uGu4Kd)(zr&<D{ek2V~Z9P?V%MjQ?
zt^`bN*eUP#gFN7CX56RbbP#!;nS45U#QWsEodIJH$(`>8j&35~Z>2-O33%xYxhQ|`
zv&zuwI$C}#K=!3P=A$5TTt4C5fF=8g*&rYBI@v|4$t!MT8+lPasm5>In>*zxugQ0A
zmCvXoJ5BU^CZ^#zvX=bS5Ipt;@(kHP%6A4tK1w^5`GqVc`axuIaALmS<8RU9E7#H~
zuacMLz@}^<Q!0YVGxXiZ=<zR;_)YW(6WL7G(>@MQktc|ORz6NNtLXTL>29mYGSah@
zET`3l0cC~6A&=yc43%^if$5|en|X7ICOcruJo-K@O7{*Ak`$ux%bP-aP9WppG`Ziu
z-+VIfKEH<w&pyWN{8{_l?aHu^o1Rsc$jxUSoiO4IQ&+Y7o?qML0Wl5CrPNl&>6$|N
zg@QUQ*QYiGz4yJm^fQI$NxxI6=jBhF@iQOuyLG^CPpVm-{-)oao$?t*zXPee<hfhr
z+UG(QYZJ~q_=((TmOsb#`7luaZl!!jwS4m{a^qj+%U;?g*Ox1{mdQ&u40xM$pQM*R
zut=_di9AbFqn;d4yOOM+z1Gl<87t`r*gpB>A^G-&TjlX{<s&jlnmpzqlRSP-=%Hz3
z5>XE#W8}wmw0y3?XI>>8kSWicM)%XuzNs{sNK>Op5>dGkB^gFLD{0qZTWQw_nhGJa
z6}M7qXay@BOGc9ML^g^f$m3KbmN-U}C^C*77B8QuNu(WPXs>9Tcmm-hj6@Qaqy{TS
z$IzaUv?uHTiQ^zLfP@A=8yLEsQV^Q-Cw&xiH3L-c{-JO8Cw+-yKhm4@l7G_6|E>GH
zNsq`iKo9w3{;fBo9s~cfti5+a+<){>PyN<^+DZQze+wk_{w0&Y^w%EopKuWT_Q7$*
z)Wjw2<a*S0P)w}!zxVT?!9RxNobmtRlS=<}`~AybA1L|AfBOfO0n4lWSL_OSyjnq3
zRw~ACP)w*$%zRnlYOD++PbvmK=J)e5zaL5~{m$k1eUagJsZcR&L8aftS$^M5Q_O!s
zF?2(v!pER^V5y>Xy<%WRWx%+_3i-o+WS)Y`uJnH-#qYKz=#>nGtF|&AZ-RmvC)cM0
zESk7gUYa0ZJc3M?KQ^&aUZ#>Si<Rq#%X0@;$_qjRUJeSo$I7!qD&tf7%hUVFjq&pH
zBP!*)!sXA0%6G)btD-CA#$frDf&P~j^5^JEd1){C;``)f{h7qRmGV{Iia9+Pbw5>~
z2cA^q^(0;c3VSLZ_S#9icBd(K`8FBx#CaYnsXK8a9+kAzHNf8`Ajl~o!n>00C!>8m
z==<CPVm)`!k=^J(7rLKwz+_FpR0o=p20Sb=IBO_sH@vN<L;6V_e$dMt3^UlHZ2LDM
z!-tQiTYn%P@Em*vabZ&5R}9yCf$Vm4qgtY=Aikug4!-`2xzC4$QC!!5GoDbjfwGx&
zunfG$F7&#W=6rj(&c|KmJ3Qaxomr~*kAS^M=-c}VfvQ^RsaB%Lvs({Gd~?Q4JF77K
zj0ZxTidhO*Y3EYf8K_FY!?dzCxWZ{Wp8mD!d<?$h089l1O)PA}kBS==U>Isp{^+;{
zSYN~CT{Bu{K$<e<Zo~ZR(4d71{Z^QFqj`|Ayu$o7UBB_GF%;0UB}7tnm!-*_VHYP7
z?81R;4fV=uM+YLg)xW%2(+J~?)Obgi*m7NkyjHj6PW&hj(kKD?_@FNg1_LW4?T+rP
z7YbGcZ!}bZV;V3I!9G0yb8_-+b!j!WwlGCb&Ic;wPIao718+e=0qB|v3K|;b)=M;|
z`ud6r+P%qTJX8biZrX&&V(<jn_Y{tZgY?yV3Z}W)-&lon-wuSni6<*n=GS2jT&@Pv
zSW`pDSe!C(ui{AXCfdCM-~gE9Tv{{ig_F)p@66o|ZBKyPb9c03p!K%YsqoGrIc%nU
zy4}8w*Vzx#>(70zRsu^8Cx9njRP;Qxnr36d9>CM`aqb7gdg<=K$vK3$y4<+~<>k%I
z<$7`#Tt=+J6T0TxP;Pt&KY7O0K2dd}r9l6c4j!mySwe2sK!H&Pp9722S{l#w7zE*A
zI@;AE>N;u1Hza<<b><b7s+tZa-HiQRTxs9e^p39IhP$YMe5)L5Bob%y9hSTYo?{hv
z{U!RV{t}flINnL~(fQ&(t`)v%Wp(D%J9OJ^oRzb-N=oK9$nKx;eWHY)NW{$}VkJQX
zTB0ksGxME8C5FJm-EusWobHDwdkmi$f6nU$?5;h(;heVeHCPZEre9OIZ7L)^(wc}5
zrt7O~1iD6`YXrJRplbxWM&KVA0k1K-&io%Q_&fOj7<%B8mGmeR3IHrU_%D_8qy{=D
zmX805o=rQupakGSJF}B$jb;jO0Hn#$07$kO04wQ|8U?_!H1o|~R>2~@w-*57c>!P|
zCjg8>EURXHl3wNc|9DzKFG2cWNt<@^_&*it|C?;gY##r!DQR>{g^2%={`VB{KS%#%
z0{%z(KS{*@9Q}_M@IOcY9eMoE)Bgvp_@Af$hdbbZf&QCq_+O;|sUrU8>Hm**_@Af$
zJ1zJh>Hi&j{Lj;W4*#R{5LIL4|LxOzM#%;IpI#gl9-Af5fBcM0r2pA!x};d~4si4J
z(^$p1YKoh`+xmh3QyL}CNuELbZ_YFMZ`tj?op%7bb1=y?Eb8T`BZ*!p0Td^44#1jk
zQ36Q!AB+w_(?o4|4kgvC6dZtblmK+fu_*}?>&)#E-5StI_h<)C+oKJLSb^LE`j6VZ
zP@531O@Mf9QG+3Lo!0*rn5YZdb>0j*0jE;lqhFJFr2wmkJ<66LYhE{opD8qED^9&`
zjG*u1%zy;rPl2JH-x$9SS5nuF&!nIr5V8K5dV|*dOj26pgGmP^lg3x9X|Dfrs973W
zzck2sif^~X`Z2qLmQ@F>csXc+f6&~ayBra+z(Ldmg4Rq~9hCA@P;qroVzHY$CkjL!
zm<A3p(LJ_D1&<uLQ4{~DyQJBCy!Zg+eNpfPP!sr!t{k}|df=$JX$8+NF>MIiZc+tp
zIUMkSVuLBUX6y_niU0WuMP#Hz@B~m3h_HA9W1n!ohMvGpck~2)Qf)>}z?>0$k~VUl
zKtSeq&o7**Lr-AP17~t{M?N~4!g~TMTaR#>z<nFPw|D}#dU2Y-B&#RDX#z)&Tp8`l
zc><^jyc4ie^aR>wJthSj-WYtCHw9i5Oo3V8$C(1b{m>NH$e99z=c6gGk>N~%Z|zNi
zjnmK+m_8j%fmq$Ni&IiU#_b=Ik{mrh<ZUzsVsm2mr28koDVhR78_*P(b)GW?T9fQe
z0ma$M(Bc15Q(zafj57t8Cweg@O7${(QQ+w5t5#7!$%z6@<d>qr=pxct6o?EYzZ3<~
z6Cl431x9$9hh40jH`{6o3>Zo}n*y9a@C#Gmg0#JpDL}MS&Z8-y*E%pav`?Waz?f6t
zVvf<wyC&wnkdTX0Y^H#-8BGDEj5h_8<Ixl_7F2aG1=gM>R#Tu>Nd!~i*tX@rFa>n=
z9ZZ1}Gi&QRn*#baeJ4`@MFG;;6gZhfeqjoHh4~x5GzE0}Uzh?2-^njb0lX>cYzlDt
z!7oh#6a~nym;#oib}$9FrFJ$2xTXHm6cCr%*%ZK~e%;9w$PTxf0w@a1u{Q+{B5k&s
z0tat*GzDIWS<=xIKvCfEFHM1`TRNEnC<<iTOo3;a8;{5N3Zejd0xD4y$P546CJJQd
zgCGhl8bS%80D1x*59Q~D$7SjQGcz0>(iRnG(Y_Dm&n#xz7BGEczU?;Hi@7_sf+6oR
zZLM*>%ui{rGEI12?=h_rJ6J|DHH(?@7iRiNX4Zt-WG{Sas2YZz0V_Ss1<^d%%D!H8
zG;Z3QnNzyw7GqW*^A+gSN;1YJJH2==)exyE$&lpb7GdxsWy%@b3tuB3`~WmXYA2S|
zgg;3cYPr0x!t_O%;V(%bvS~i-89Fh$^r0fTGj(Ksa>@&FR6~w-Uh)MO*mHWa#FR4`
z7o(G*(h%p#DGijUG(g1i3y}GG;r^8MoYN4Oxx?l(INm~~VT*db=rqJlRie|7SX4BI
zIs0fmD74JpSVIDMCr+8Meoga6gYxjgKxfryC~{@>$g0x=H<*|m?-@=PFDedy^r!SC
zP}HKm`Y!ktPl^2aWc&?=oQ&@d-5+!RH0tcLzLm`WljR4pHL!n9biQXsgH}0iit-k_
zYG`ISf#M`>%gAUjtjc+4Zs6B1CiF&XsBQ+?s<q6nod$hX&6^oRCU=_{Qm~ROqXRCm
z(oZrZ=a-*-cuXO?33ay1d7kM%uJCfnIIn)$AP-s_0UOSyY<$6OVv0oT29k=us!n_$
zd)RA*F7b)HmU07o&R@OjX*Y0zDNe;t%zP&EmMr_mbGqzZ6VIlUhf}^KF$4OB>y^fc
zw$Gu&b8?CaT%AkyN?_@WL0|5SXHN_m4NYyJg}mC8-%e_pG#E-WGn+ToYVN?KF@<r9
zU2`-}8}cT#rcCyZxJ3B@fyW8}4l`GDbr6{Ja8l2(i!a8zL5W*ZpZH5hy;m}4Uo1Z-
z9SbRt0I6R_tk3w1Ne_b$08EDlebkBw&v<|E2S<w5Ygr7zNt5a*ojdEZE%><H2OdUZ
zb#&k+2iQjD9**~k40fXAJ}y%{V9Jt*tJk!o^lnSaiL8qDtzHH9pKD-NLG`L6kN7^l
zq4%JlsXcv8-FLI-Kw&UE{NW_;WZ3R)SQ%WSY=-N>)!BC@ZJEhTn^_#QC}S6t`p7+*
z+WF()&GiXu90neDrTliWi`s#10q2?YE6jeVZW*FYQMk2JE4QsH)wMwBjzMpR<WQOx
z_rsK8+iXZ{X}Kcb5>gL)8cpwv?Bl_Fr@ut8EiL|=bZmNdPJNv-m!@<~SrDz{R2gNC
z{!VmG;dF0Sp<IQhXYC(L2S>Il+EQ8y*n+r%q!?|&$7<y<ij4_@ur+bJ{?fV&6O|fa
zsWDat4ETYE@x8UiAu}T{D!r$LGI!$`qK;b;dzv9nN5-HplQ$yob@XLkX_9fiOx|~#
zFH?gdT!Jq%|I3O8W3TM=Z;dF3X6~*&6Lpb!c{Q`sh52wbQ=6I`>V7%Yb9d;JF#!h`
zcmxE2GO!YMuaCVbf!!C+fpRDuiaaxFH*Ahng`q$&+G|*f69}eEUtX1AeM;t24ig-i
z7EYBBO_}#Ud3&IIEhoy1ENWY~O;lwjV=!AtkFb*yRlwj!yn#Uje3>W*a1d>obQE2b
z1%fT}7WyuDBB#$RYC>Dak+Rw{P6IewCMX1LnS|`T$Oox{O2dyqI=uTbv}LTa%$J-k
zBg!)2l7(8P*Oo(^E7OdwOaaO=9bFmEba$I8V@6pfLQ-fBI~Ss6r6Ui88rxa)WrEM4
zTq7|H!psZ4s61Na8gynZ>gOwcqEpbi0%LC|zj9?-nSQ?BELEGQLCV{dr};wY02<S{
z(6%zE&6yUDM$l+XE#n>4V*ya3F<Lwtb&JNie79c3i8R$aCZ@z)f@k-qwJo!mG(*v(
zL6K&Sy-9;2jaf8lV!UBW(U$#JTYlB0>Am;0)0ae-=FYiUa!q;SDwJvFCb6E%v#e*J
zL0Oa|b&Sk`-WRo3m$VKYiaw399AtVbZ?^HkRq#Ba$hp|)9N8#}H8bPeE=nl2thm7D
z)vR!?Xu0OYc{Ncj^@3Lep|!kNL&?h}+CV+ZHG#@qx2$Rnx$E3Pt=V645}5sVYR$=^
z-2}D9g;Q(#KZt5geTY$=10JVVf=N_s(jFYs{_~r>S~GyOE3cqh^M;G+3Z0-4)tZ(}
zkcw)J>N3+Rs5P$mVn<IOi)zge61AY#+`gWere#F6=1ZrWqFVF)fC%tYUmbXqOdqIl
z!jIiWwWe9)XH#q3IJM?tmio$Q8K7D-k5g-;#G=+5%ygh8&$6mD)yy@kS`!VtS`&5<
z)fySbeCe-rP;1h@Prt+r<JB4ieMVGkWD-<sUgOl7wQRgqt%2L3T0_Y#YK@9!z7y0M
zxFxDJRIaGj#A3vjpw<}TUKQ0EP>E_y>OAHRH|0C7#xJA}tESal?yvt!P-~u6err{0
zW>c0=@KLQv3mP;uW;3tWtWEZ}sWp;?yjnA$dyRo{7uA{-v{kLC;UK=C)*MrxQzBXs
z)tYZr1va(DF_l+qJiDV>Q+(A<t?{ho)SC0C)@<9O??>}$%?D0@^U>^FnXU_ZIt;f4
zsx^&09!9l>pjva0cs+t@O(Uu`<2^?m5Y(E_P^}r2qHaUAW;}yxjoYiJ*2KhcYE2@s
zsx_CI<fp<WM7y~p4dm1szZQ#H^G+g5Hs%EiYRyu@t2O6Pt-0*sN)wA(6ArvuQ^u(^
z6JmRxw^M6gj&`@IH6HDPTJu&2(kk55c(vw|+!xiFFCs*>=8J?2qFU29-47J%1A<x;
zLVjM{AgVR1HMJJC2J;v#YR$))N;|bC%yB~4m-cE6h-yu{wuMt`^yLOlt=TcPH?gQS
z$5Iu<rq*OiP_1bb)tb4VqFVEvkMT!TYv$J4)S4%>C#-4>3!GYWlv8Uszv*p3ty!JA
zgHvnjQLPzBzEl%Yt?|{{t2Jb)#G=-G&#5&ttL@dA>QXPOTGNZNsx?83Rjt_)e88sG
z9M!(IMpSFAM$G5bnjIFkhL|+fR<))fD8i=J3<Ep0X6E(|YRz`_4VzlCHV!`z6V)1b
zVyD(Ty_eY38j4udnrG66TGg5!hpcK%?>TmAjl*4wT2nr8qn%na_<)^S<0iAJHLK?u
zEo#jiNe8v2VY%L>*1*%ES_599T2oI;JE%41P-e1MYwFOgv8gq^58JCXYlH4s)tb@s
zZEDRmMU<Ud<IrePYx;g+Q)_xZZc}Ugh*hnj(QOpeno34tQ)^s^MXiw#i&|r%y)0@C
zx)m0+#*Nt2njm6TYhLwx%1*7>8U4Ift(o+cO|6;IU{h;)p0=trQ{J<wHIu%#sWqve
z*{L->KeDPdDzincaeT$9)=YWRrq*b7TGblWUoC3QlyaL|bD!R(){L&SsWpR$O|7Ac
zMXgy$`&iVPAYxT(+=x}Jkr0bo14LA7f{0bEkr0bo<3?<1&0u1u)}-FHQ)}jpuv2R)
znM*dcrc$oAsWp{;r)+9XrQaT#T2twFz^2x`nsCNWtx0{?POV9O$xf}=$+}zBnyoZt
zRcrRpjyAPs(n6bBqj|`x*4(GIsWqwd?9>`rszt4FR9V%UNyBVvO<Iaot#Kh1wMIfL
zYRyjhM5|f@L{w`A5t~}G(*F~ST4M;^E~+&<6?3g>jf7a#nkW6=vZ^&-&c9`+)>QhZ
z+tiv@{7Y<VO$ON1nlp-tc4|%PCw6L0>IZgeO{%?GlWMe6Yf?+?)SA=<c4|%P20OJT
zwZcxVNzJxXYf`m#YR#mHHnk>oqMcfkI@nIFNe!`6Yf?wpsWqw5c4|#3ZKu|x_O(-M
zMm=CtYo>VF)Eb$mMXgEouv2SNz3tSRR8Kp#W|t<wPOX_rby9139kr@8PQ*^F@wjeP
zYdnd)T668XzN1>R+^dsXV~GDqRBM2UY7Mk^R%;v=+teBm)tXho727Rp4U7}j8Yy}y
zqFQtOM@M_LrYYvGy;^f$vrVl5N>poP>@U<BidfZ}0Lo6Sc|3lURjpB3)f!cSMXfO~
z4~c4xL#sut8FRp@)<A)%)=>2pwZ@_87itX<QLX9GY*lNZSyXGFT2yPCWWS@<z;02k
zfia?51M<#l4Jbvm28gKEtPFd=qSnA2QLTYHqFMuYMYRTQi)sy2i)sz%M70KLM70Le
zM75?OOlMJRyzW`m8Yf~^YaT_n#-i3pB{sFj>@Vr0)>NZgV^wP?VpD6xj9yf0dSOPd
zsMbu$v8XjKE`XM;#~yg3|F`c#_`YYnx^MXQ6S&lzyq8Q`x*R5lJaymkUH=G5?7B_Y
z2y~6W|7RocoAdvp(W^|u`SD!-|35hYUuB*DZ=yTS|7T0w5dOcx&;PG+4Y1DtH?ifG
z`Tu{VciHCuSF%2~`TzHWZT|l*HpXuL|BM@U^Z%)I%l!ZNiPri5LWKZ7|G%f!I{#mm
z!WjUZ0FYW@H~)VZ1_1B|fK33nf&l;>=l|ba_>^b>2m-*I$PV-WD=`4TZvKC{-?k3(
z|4&`N7;!F_{-GEO6^^MH38%CD?j^_<YUxvsLMXtaQ4RN2R12X1?TV&eTquAdavvso
zV<^DZk#nLJ2Su*uwSYW6)mts&LIKusT7aBo>olAd5P9qcF%;m?T>m2)5JLe9E?_7?
zP1JcV6rfn!-!2qDuSy*3!G{7AU+NGFfSCZ-2K!(rz;!+pU{u~N`%r)il5HOfKv%ZZ
zHB$@4NPtOPBEbFDNB}MoAlnuRfQbM<!%8xQ@R0yXDN0NPNF5V+s5<b-%Ym=@2ku-s
z1ZSlQsQ-<?4_6OeANWRfptDH&F%p1F1ep9?;L`(636TJp2yomk5&%*EdAmpeOaw?a
z1s)e70ZcV($2>1a0{klKAM-ws`uRwJ5CQdbkpS63BmkEPz@h$uGd^8|XK^RB9O{pf
zK)fXn-~}NNfHLWiU>v~H5-tyb<NSOaKu>}5V;sPdPvO*>eR;Dm4In<|8Gq)78v8H+
zEv5n3hXGvS(f~?btcbszPXoX(fTf7|W2!L>U_nZ7cOeYmHX{DdV|K(`^B;dxK>Uwf
z44#3Azn>Te;1K_k7zQx!?cmKJk601^E-n$kE({=z`^6FlVBpdKgfIXiqybnak0WM9
zB8*`Gm0TJ?*daa);Qd}zVQ-EJd)vzR4`CXBeHcJJ5BcpGKM~RZM%jk}5Izl{Qy2i@
z(*O|icVPTyxikP<7y#kZ06K&L5Izk+2m=^n2?HQ}8bF6IfOA3`fL$0sCCB(JVE~nw
z24D>X*obKWc3}WF`7{8#FaW}(0dx!lXtXeX(~4#=wy|6oz&Rlez#0Z{<yae+24D>X
z2*EIbMm`O|E)0MOX#gF=05Ast!Fk6p04@hWQ{E{IpjJo&=nw{gBV<i?u!R8-Bc=i1
zLhTSg&e+E^09>d&;wM5Hz%Rl8IxN+S_z9N=fJ?PQ{M=IUvW{T@1o$)nVX1bAAF~|9
zb+v^7{EbTku!I2wqjqEq131H_0a(KTw3r6aAq;>qm^*|4lwuk{r!au8g){*BFo2)9
zGyuCWfSt?DZ&<<rvM>$65(ePNHN`}ww_z550mA_JEP#<<=`@1utc1lKvH^S+zyiiO
zErVgFO;{sD1KhNW2Kb51uUa1GJ;z6g2AIilbo*$4D_k@{y$}shWy9#6TkE)JfO=~*
zKp!C*;HS`>mBD;8Kmi{Ou)UT!@{4GIZI)<&P5Ndr8X%L82B=q_6QcpH@X-K^k;`H<
zz%FH@7!3f0e`hqnmW+38(Eu4OoudJ^`8o>003@0rskUGM=2QH|5)7ayj<E{{7!RwG
z9>!pRBt95mBOeT~QB`LP25`Vx{FYz<*5|ZcFaXldG(H&M6)qTHZ6or|j==z%m^U^+
zz$PIWU?VGaqQqbTR{FRt7@(#BU&u;M2*Cidp4MOhCtv$ufJzuLCqxJan8~5eIQw7#
zXzCaYVCIqs#9)91??oMh0ru$;h1vxJU@idZ6b!%tpw7Vn(iu5~3kJyHf&si$7!2U8
zT>pN~bh}`Hh|5ASz<NFy;G;lWFu=HSVhaZF#OKY+9dV}Tuj9<a9fAQqM40K?_{(4b
z?TPuV0R^#bmUMtwElC&;fIu^^1=9h1FR`8>EelGeE(=QGSPtm)RTE0%+qYphKq-tM
z0>W$oSs6wH{7jZ}4KsJHU^2iG>C^g`3fjy0XaHv<m^Z0)<zg^^GqOu(54AI~4+h}i
zWt%k^;3C4y9dYHa*#!e2yiCJj0BX!J6)Z9s)<&UA;TF7tc5gI*p|O#)x|?+}{9vX0
zF&b8@;#o~#-&&wp+8uY0=ppLGW#D-4F6-{5d`$Vo-MemXxLKJy_&8fyl(J|u34eqG
zHN;r!Kzx~7X;t5?09S-KlwWl%VIAq_W|cGuK&xG)(yng*fShFARi3N#Kk>8LnUkz@
z08YcddiO57%)_q+={D`_L{4^d17{Xir=@8wDGBTTh02pvenbz|B%PFm?zlgSM8<nY
zvd$`H_bT?pqX8ebs!uaU4X(vn=5iGt(=TbyK5cd+-TSxbBC^b?6ArKv;D+jiTHT~1
znzP&*7-01^*#*+5(_grt*W>**)PDu{;ipyM#8DNm{PMJ_KJ0Mhy*tp|lX=tGm8v`>
zzp^&Gk)qN9lo&Xn>jhs^toyKBa;q=YY5;q9!buRBHF~2)YsLd&cNJWfU2BXdXl^;(
zb928UV^>dVWFBC+JcLQ)dl~CFCX8vgsbNptR7tw^YrbAjPtiBuV4m*>@M(P8p2i6G
ziThqScCC?K3~)sjP9iVW0M)pMz*R4tGC4PrZING(RMt-;sS<M4>#A33nzK_)nbV}k
zRN~O>s#i@^e1!WYS${0#S<OmsrPYRAy`|~zg04%ys+Xz0%@NJD@{om%H#I}geS0~<
zojsA>SfD?9;aXKRIYn>O>5YxI+hjo%?eyks)=0IHK1TPYk$Xe(oMyfQ$*)^K*}21g
zvNP~(%m`$ziX2(;QW<p1h;*u>+-M9mP}Gx1bB!Tvmxx@OXlc<#gEKL4td+$agC)w3
zIo5g`a|||{H6m*rxjw1h&zVm#crC$)_NmiZGYs@25VS5kqR&iOsHYd|KRa6Mv}cWG
zr=Kn;EcAPs7l&EPIm)_Ij+k{7;VA3ZJ-GyfDxR_?G$!oDQlk`g`wKysU{LF?yo{7}
z%6r4l?bY76Gqp63C}I3#$|Yq3)`b4N_o#D?TX&AK4mkd}T7TY8fe8i=CX$WwPYjKr
z_yhyA@`~$Nsc}ht)#Dgppav{^;xi1qAW!Pt(8_VvF_Y$=A0SP~0E5_j<SpXb4j_P5
zy%a+X1kl<57-GPK)}4HaL6zgP&u_VoHa3Q8JoW_7Sw|k8P(B?wE6F0Gb|hW;3OTFc
z>mb8A_7g6{fak0j<}zS%5!<F*uX6Znrm{zLppanjv?JOAjuV(lj<dc4ZxYqOPo0G%
zgK=w~S7MC8#s@c+@8B~GPIQ}!pmpd*F2msBM}alt0ymODI|3gYJiz>}zq9fZ4_f~Q
zQG_F{#K(B1kwiLkq_s4zF=koSH7_p6ppl2I1Na~V4z~VS<-i9Ss4u(%lY}4x4z}tY
zxgY}$whrDOKj+DELU`KRVo5UCAqjQnf((vO{T}CVYc<Y|^!_+mtG#?(%rfZKz-1YP
z=C&bjy}t5sKFL5CQuZB}4+3{W_jD^Lvqc%a7VIhT*5m??wk8!?aO*Wwbx5}xWtJoZ
zp0@VKB!iHGu=9u7&&`0TpU>I2eP~%a_!u$9;FAq6Evx5A>#%FRe+n#PT9}I>Y3+@q
zRqfi{n@ch9Q-I&GMv=AFu)bpz0&LCVgAA_rVA3`B9_4}z1lamG7i2&g^CojS2JeP7
zGEy<dpj>U_S!+-p#u!Zd71nx|i!rcct&9Ye9|<`IVY|N8H_YW&YxmWBjKS}+*0EfS
z0moY37Gn$w^nuk~to407Ky<OzF4o$`TE!THF4p>YvDPLFYaP}QZ1DQ10xDcxs22fV
z2bo*<iV7E(3NW}H0y?z+9(d6WsF|2)CL0UK2A`0;quL7NXPz+38t;7^<h$d;Yd#q2
zEdh)-=%#0VDTtwBy@z{vd<*Y(d+OacD2T=XAT|ab#}I;zpLyX+Dn=TN-(N<<j=$0H
zLI2p~@%>$9sXj~kA`O-30f+`>eGKtBog27SeBkDi99!dXA^E+!$wS-a2WfB{k_3DF
z4tT>WOUFugD`I!TOctI$LRV4_eev|Me^6WnNSrGw0uS}0J^MdKdskGrIngI}N5{EP
zvtjSt_~1|LpiXysfea#_boX#M|Apt^&%MUZ8dh5MM7Augrx)9I*b{!zx`;OozH-n^
zHYxpb@orVh#?l8({c5z~PuwxBsL?*sXFce&boKCrrLLed*W5CB49Zp|4(0JQVDtlz
zrzIHufOuN5Ph(I-3Aqo@)0+EGDY4`}Z1=FhX<P0Ccv|2z&!&B>xet>I$KR;2%Y86T
zvE@FX-Y4Wf5S1nOAsfWphg%NT+y}=EeC|Vl1Li&?zC|9e=04!5u9*7}yisDweb@(L
z?nA4WCHFz@L|bwnbRgzFXdEoL594K)+y@<qxepE?<~|t5SaTn$K+Jt0Am%=-=w;1)
zI3N*n9|AU<1U~iw(X<fzfM^={*at+@z{fsd>I3kx4~V8w$H#M3MAI%p>;s}{T8Mo>
zG!1<01EOi*V;?v)&Bs1)Xqu0GKr{_}>;s}{{1_i&A2>A4$37sMb`@eDTs?-&!eQca
z=rHv`Cd57<n%?O@)K!RmKs2oqVjmDq$5>+@cr<<Q_#NdEA@|`CflV8xUgL8g)>gS#
zb03n&x^RJPe1GiGf%AryaoXsx5`&4)eaP$oaX=27iP6N5Pfa-hZ*ILLRi?9_z^L+=
z>0>{*^)mQ}KKK6_V(VJnt`X=Ofvyqwj~s#D<o^*}{Qpnj|CQG-YW=>;%{X1;cROpR
z-&2eIu7%UPFb<$vu{^2)Kc?o%zk(q87s-EjuFP8`|EoFlPog;TFUc3`0M;crAo@r0
zKUJ3=$)SG>`B!o1pC|u)xhMdU{G&2jtQE=sdt4uYULgN{xhMcj9Y8zR2Y}}cR`SnH
z|If3M|2*siu+;$^=K27*Isgm#|3<;1f06v3yg=;B01mBd=E?wU<iC<f|04OX=Fz`E
z{-<)Y{4L~v1&98HGJvH5`nQn(w^lKBWdH}T4Zyw(;Fa}8z6^jT|LYX@V;O)z{tY^u
z<<C#@AAQhP1~5m7=pQHfi{yVOH_P8j{;&F%S;_!7^6!r5-%9?QJ5&K6`Jcq0e=GUN
z8U8{O0M77#fkXcs`7h+i|6?5bw~+rU)*b+!{NJ<d0VwT`<X>;s1AydzC6fP-c=T@}
z{|ACO^lu~oo_r60h5W089snf&PYFE$BKc3HIO=aB|9RFP0G|BI#2x@7|Gw5901NrQ
zX+{55@}GJ+?EPLA^50_Z0T9Xm0c#I{Py;|Z^Z*FtpV;>R2;`r1>;bTn|2tso0pQ3#
zvFia4$Um{~0kDvNV&4NGlK(ba4*;nb$bX5Y2Y@I4sbUWRPyQ#%gdPBn{I}cp00`vY
zZ0!LM$p5{LJpfn(u%fxmg8uEuzn<#>xN^*%{4Z<b(7%oR6Z;+j3;8E@JpcmvCmnhK
zEad-ohaLcq{F9D70K)b}@=xq~07UXn?0Wz#<R8-#%56OW7V?kV%f1IdT<Xjn#I6TG
zB>%*|2f#x9xux2A04(JHSC-0?|3%gw03`p%#U22G{6Avt0pQ60E=v!9K>ok8_5kqY
z|EgUNfJpw^I`#nY<o~=~4}eJipA&ij1oH1;o!)OU2t5Eu{;PTPFOYwi0&Q|`*r_6%
zFe^}h+eClm)mb*|pIo58MgR``BSBV4mfokeVt-vajg0_2_Mc1%jR05(aOId4`^O;l
zS6dqawhGi=#Qw2;oR{;B02b`e6c`q9jQ|4nS8~&w)6QvxY0j}C_K!vCkJFqdIkSqW
zOw`Tp*4knJB<=EqS{wGqLV$UNniC@S2P_2m%+?5ig#g92Mu5nylA??)87Fw`j}x3H
zMrPa*us=?4?k+Y0_(l5ebi+?&+!+r1udcK<0$?FPr5*Sm^RTTEfCK-MpF4wpe|n3h
z5dfz-m)XF7c-ddAjR4#<=ObJrfB^oH``7;h{3G`dv4MY(3XK4W<=eVh8UYY?*4V(m
zLy)Brz)2Ek*9gFYf5UXX5r7B(7nj*J0&sJjFMzEP0LlL2Ht>I>sY4^cJ~Qqo9l^h{
zg>+~H5au_N4vhc^{->3-{{sA*_ShN$xS7m#*a#qk|C4HKBfz+FjdQ!D5x@fe={9R4
zfC&B<uJW-p0tkfw%WRDRJorcM|8=KE0PTs^&pLvCaVE0>{#no3j^KYnDbBv{2>y}#
zU+o0`r7fMnKXU&ooxuNR`-!a)K$x}MA~phu;2*jFEK4H*H*5Kb4g5zHVBEF{{tY04
ze~Pw%e|D7>{NoN{1^@2pR`AbCS6acpS!V<P#Ki*sp@$XxH^*DRze?+D1^@b=oUGu#
zcDxPzvr>Zv{Ii}m@UQZG-46Umh1$SBdqQgu{+Y|Ytl*!xS;0TJTEM@OG}yrZ1-S+M
z<NaE|KgqCx|9d$dz<+pSFDv*5)(Za7Qxm{H(OAL1s;>?F-}A77e<s2P{=+J);J;sQ
z8~BG9JMe$4vCIbkk^37g;6Jj?2L6eo1^kyet+0UqsQ48Y@XtzR7Vz(jAF&DGzd73m
z{uA8mY~Y{hY~a5_V+H@lA@<<kGS`~9!=<H);6G=y9r&m3vx5JyUA7v71{?Uln{EaF
ztn_*Z@LykU5B_z|CY4xTp#OS_J@`LbyW1Z8gP#@rf1F?i|CK>j@Zb2T75sz73jW{Q
zX#@YTyd(IR_qBn4GTH|IWm2xXfCK-m)MN$!5)i>Z_}PK~^L2LMzrBYQ{L7rI;6H>C
z!T**%8f-5R!9VD1;Q#PyEBN2B#s>b`PyDRlKQhS%{xg-yHt<i}ZQvide{l!!56e4%
z|EYa!;6JctlO6c?cV2A;|Ae1nEr5ULhwQ*V>t_Z3;mKTsfdKxyxo`~z9Qc1>E8k$i
zgMV<dg8w<Itl%HHe<NREU;+Qg{a0DRf3kM79r)kg=ZF>jKR(KVt1#feKXJ8y|A))E
zTRIG03!dMf?=TR-|M2g`3IhTBFJ9VRs4x(wS;yLe|Ic5w2mc#h+HM2?fn}fDfqzUj
zw}F31vVngLleU2W=icWU3<U81rI)J({BQE?W&{6WjZav?zuGAD7YN}0SNaQh@NeH=
zpzQ$u=kompBKZH^{sJESbNvPO;2-B$cl8%^^%r#Y7j*R(boCef5Bm!mgh|%J(}HQL
zFHQUP?`P;v_v=P`e!Ml{aCN{*6F3BJ!W7L9@O@MboP?Tf#V@-%KH5|6b^vo0^PoaW
zpvM7lqG9{{Krh*6Vk`Uia)EaoT-D?q$vK0X^q_a;#a8GbImV!ib`9I-HZVxKTcu2{
zP<lb|U*CT#@2@76q%v#_yyMR*b#AgVE6+tsU4wi_fJa4I*a_1It`+nQSLXq<jsTpZ
zFUVD8;7-lE07s;7;fSPiiDbvSb!+<Srblbg2UrwuI_^ZhHbpCgXtme#Sfb<M1+%>>
z?xU**8GK87`_+y6*`VAhlc<z53|)!@e_r3fNymXT_ICu;kGlHd`6i*Zp(DGe1a|Kf
ziQes>+u7hROf2{R4%766%7$D0-7S?35Ru~Sv2~U%U{ys{Q#`gdkj4m0YXg=xNQBk~
zoLTN5wl?fT>dm({v>N@y)`oze>QrKDgRTjy8@Sd6jmbr9Z5R)<*xI18(t9ZgtqsO1
z>~#=Y8>-AGi*T(Cq!ITMuC-ysJ=W6Nfa!KZYr|g5IPQ$^@qItn+OU}dp|xQ@M&XJ0
z9)#A0=y?ueYXg>*iLDJM=b(nbwKkNOqrlCzHn@xcp|t^%q=eRn6ICFzHat)dLTf{T
z5rozT(&!+zHn@5i#MTDly4up(VC+BFWk}B7LGQQU(H0Bz{!5YGi>(d6N$)MK4LGx0
zp!eg(UCcTM-#j<ujpLV(_`uI?yEgSY=I9S^E-l@EDrKZUd~$H)e<TL$TB)uP=o*2p
z5%{kgf#2l+eUbmG{<-=8v~~W!f$li}pDu}N@T0x?`TwQ>Z<HuI#QzWB<Nqhv=Kr%k
zQ*879A=EbipZ$OAy$^iVW!?Y(**S+la_~5FDk|wwhoBA^a#YkQ8#@~V1`L>pGTR0l
zY&qE64g!ifWfA36s^yJ|ca+ntD7kI7QBkeiWmXuJtEeccR+4ci=1OB5pYQX1UDxNF
z^Eu};wEO-(zK`GI@#Di|yv})D@9Ta2|NnVk=Z2+8_W%9QCE5R1`yBiK1rNmS|7*tZ
z3jpQ^04Bxl|CfXv`~P)cO0xgQ{Qs5|`+v;;f8n<Ozw@EjUH1RezvZ(3$Nc~1B>VqM
zp1jCq|Npl?6sTVS;KcvZx~fS0{{P|=mmZJ<fB*DHo8B)6{tra;F92l9fq$u(`UmuZ
z|DCfd$I5~K&eHrF>ZiRt{Yi7+|3qE(XDxl;-?+L-4*YjUz9pvqkHlssnfiyh`~Rpi
z^>0ZW_{(|!I~@2&-p17br^?j-XGNv)1Aor@pGzG0%X$Bh9Qa#J_M67of7<uN+COgW
z|5);o|Ht3DM~?hk?Q33D#{LtR%)A+E|B{JM?4J19&WR6IWl!9C&5x9^|Ci;+|4Uo1
zZJF4y`?A-3&XNBu{}gNgt0u0!>_4=z|D8!k{+#%)Pd@Vh<Y$(sBmbwgvHztU`ENAF
z{+2oN-`k!z@}If4<O}g5|FQW`G@2v-B5mw{$T{-APK^D}O*-=D#6Nzk|KDebvHz3F
zNB-aa%ZKAf{u6vx>m&aQw6T9MapZsX^k4i<F7%HZ`yY?I!G-?H*gqh~{<iO|maE=&
zjQux=vH!NmvG!kb#b33t|1a;7Bma-w@RRI$KNDmB3$J_l4_98dX!-IXG4{Xz?K`;8
zUm5$K|LMoRe&xM6w<%-)FS?KXZ#-D_NOXC^*gxEGhhywNGxn=AWB=E+wZA&@e?pA?
zzcl3w<EDJ7WXfa8*#C{CGpmBh#{TQ`>-@>a{&vRh?@af*js5M-7i8?7>NfW0x6-DL
z_}vR>#{Pf5df)U16UP2_(uMx|K7VWz&%NfN6k~rOYu|7i`~Txjf9ts}WB=Euc2=Gq
zH}?PH)V(|7#{N$wj{I|`4XF$LUB>?R<*ZrmGWO?$|CO0TZe#y{C~N<uBmeM;v?Kpx
z1MVaLO~1C6zqaewsmA{H#!o&`=rZ=Vtvu}fFXgm9+1UTB+()b&;REAW8)JW)6M5$y
zj`)#3C;oQfUmB;njQu%rwPs@H?>6?g(~tZ)@%PZGjQ#E6iH(=KjQ#C}uWF-ym$AQ{
ze&mnV6De`k#{O^SRP3#c8~cCkh8@!TXk-7sFJD$#nK1UhC2z{FlZ^d;^nn5E?i&)u
z{=eY|P(E{Iva$c$)&);y9GK}g_Wx#vWoNsL{ja#S{6pV)MjQK|w=ots_V+gxim|_3
z=wF4ozp?hW#JqpQHIXSJR;+BO=SKfEQwEx<R$Q7pZ~lGqV=WJT<<HJR|Jjv?kL9j-
zw)v(}9|$&aO@8YQ3&p;lYw}0MxP+R6{#WIk|CQ6lzW;_Nm3jY-3o3JOw$6A|4*Fl=
zoc}Z~qi)SRLz(yg^FxOxFMr@7?E9y#6!ZSWcRsfNQtbO@HdWWY;2iYl{oAzZW92^c
zyhrYPZFTb>)It9(9Q5yhW#;}jjeY;CvnyxqU-QqIuZeyCXJ!s?(9b#lm#`(zyJYVr
za?mg5{I`y(`R3%QHV6Hj^Z(?kx2D<~rVenE`HC<9Y{gHVgZ}9&N6d&H^q0?{QQeZa
zZ{_6aS7P9Qg>%r)IsX@@_HUi~&S(z$Ip_bv)XXDOvvyq?69fNWho@Rs&;H_)Tdd7X
zFz{c3f&cT?SD#cC{!ivB1OF{k2V%~B<`<g#%$0%v<5OoR-Dm#O|HO;~3;(!*|0cix
zyV&~wqUiHeyQ~SHZ=JdO(r949lUVp;;6JwIwEvd7%m=Q&<=Wro%Vpyn^jqs**-&m}
z1}t@#`OeQ>Tl}|c)m`TQ#9H)yh4c9do#(A<J}3tM)gvxj?ObO5wmz<pUuM3)a!ba4
zR8IZuw>aqMod1GPom(IQU<p3r;>s7~^nO~UbDOzMz;c`U%Wq@huMPY;?C(Bn;oBoF
zF&CN3Ilrxg;2LxPtu12U--3bv@y9L_3;&C-@NW?V|L<FEuQV+wo~ExXKmM5lZQ(Bl
z{xe%=mW|3kWA5YHz<&ULV=lPj1!du{?<+r=VSWB%7ibHAxv%{8?__*;>Zrg^rs{)!
zIp=@dy8Xf5eeEy55DWjff&V>YGJaqAiPx-)1~}-S(0Jph+Z+r3+x=qTKhuh?@nhkC
zW$qc1{cASgh=u=VZQ(zEbHRyc@591>vvpHYTli}O|Gx&m`Jo3L3xEH^5B~c-uby~Z
zS@@qNca$3g|7Qb_oP~w|Sz{NTr49V;!Pf@YCtpwgn|D^ud;<&ruR7P0w-oNbz`35>
zpYIDO3;)O?mQ^+8%Fl|0KL-Amvhc^i|A9xI5(|GZ@IOOa_+#L|bm3ze%EBK5|EIRh
z{DN5cW8nYC&8H~~|6C0GKizFC{4wwkW8weG{c=n5oQz8jh=sox_y?4QzZm$BHx~Y4
z;C~*!TR-(^?x_9tC7~(W!vC-`@VAtOKL-9cDGUE0G05kf|0QGL|9uSn|I@MX7X$yl
zY<g$mTT{Oy7XDMWK5JKrh5y?Re+L8qNm%%|Vd0N~|3q!!Kl4pF=Wo>({uuag(H8zx
z*H;f^C<}j^bN-LcJT4agzZC=jsXM0rOf39=bMar4fq&J6O0n?Az@MKpxbCA^_+#Lo
zp)C9{@c&wVS>>y|`-FjilVjnJfq$;C@W;UahmM8+l&SXL^R<OP2L5$o;r~Ma)URXU
z|5wMt{~OA{|3YQqAK`au#lYXMEc}&$fBy8DHWvOE_@ARK{6BIT=lmm;g@2@)bN+y`
z@D~IB{QXlySomY$U-15Cd$8~q1OI<h7XAZ$+Q7e{@xHgQ@D~IB?_%NKf`z{r_~&a2
ze+>K&V&UIDa`~^U(w`PO<}t@H@c-`RZ{Kjcx>db&$2iBr9|Qk#W8pvLN8R0{p8bqv
zeMTGj-*0#8+te36{*jq~HMglh@oHJ)5A|*8(NBtj|4r6kt<aCf!oNuj{O{k^_&r<Q
zr2fQT;}-tfz<>8MvzjI?m@-oCQUB=m&x(crOBnb+Ia*oxpTNNXb949Wd(=7SKT|CH
zZSGN@`$j?bgbQrBNd5YOy03<VQ$DMV{PkJ?=P!G3%IV6;KXKO2ugr4Rf43O<zjo~n
z@w5I8IqQG?)n}g;BY)4c{yUws{u|$qk-z6zzx|%h`kxge|9iMh-JJFB#K_<CtpBU|
z0k5<EABvH`=UM;PF!KMtGV*^d>8#&QKkK)Rk-t9cKX&eC{?2vkNoW0kS7-en(Ko8c
z&-(3W%~}6O*IEB(%vt{*F!J|0>;Jwn^3Qnx)9$nWfw+<XzjW3=&vn+nI)2vw7iHvs
z>a73NS^wc@5*Mn!GAVwc`b($I`cIwppE~P5b=Lncp7sCUeWCi9Ln#-k7rbnl3)OAQ
zT&RA+O1)5h<Cw&S>KW!j^((iHd@9{$ofV<EQ2q504<=uze#7A5<O|i`x*~C*dWK~#
zRL>2kU8rvR;uorC%uBjZy`X4p{6h8CR*t>(srUWPh3ZpRS>{6ZcSbuGs(*9a#UmY?
zb<13+{;JQpQ2p5Gv<ua3%Ur1bR(AYC^|vf@q55viT&SKo_9Pdo@3PE=>Lr%BQ2k;n
z^+NTT{4%gU_0BLCs!utOD}v0aw`DF=KW>=|)dwweq53~9bD{cf%Ur15WSI-qyDf8}
zdR2zGP<={M*tt-hStM5L+Gzds_=W1+r#?F0vbE9rsKkZp*}nTyE>!2#yDEO6y6sC`
zs2+d&)|R(#om1~;oD0>jeEs9r?>-gz{PJZPU$!29W9lcbtDG|1I{&g6)lW4aUud0p
z@S}77{QtXyrBew$l>?`8;8YHr%7On+=Rla)W$<r#QE73wXz}8Oi*FAvXpDtx*EX(O
zT^C+cyQZ<3S(3H9aACCQBmyq?q78Mm)it%v;gyXwwc+};s~W?x+BHoL)iJ)cgkz13
z;g&Vk4GnR<w-hX1FlWK++ryVE+1P@p`T^m_hB^40x+GS;@{T3-ch_DLUQ5JUnrc_p
zud1)D$qCoguBu+w5UXFi8kOPP4HGtmS8R;cwxBjWzC{~qSFVfIR<CHN4U<-pk;fJ9
z;_CW_+8R;TTpMeyuf405cyA!g+Lf{T#<eZsRn3iSwC{KGS5qCU{ulf;H8-xTZD|qR
z;Z;N;JZVDB<zsa0ZVwkWu4!t<SyC!lI%Ud~ush~bWa76Nzs6f~VHK7y4i_w*pOo<Y
zO$93bVS{z|=<k;Ke%O5PHt4wjZ}DCyoP2`EIBNODw};D!ovM1)6iJ<mm+<qeH`K3L
zM}}{xEnX5XtZu4aSs&XNUR+zfvJP9>xSV#Eq=y$&uc^I0JaIzHM5m%PR5!1dEGb%6
zgp!lgaHG#9SJ=3&p+>cbf`*31l~RA_s}>Pn)!3}#WlgxE#hQ?N)v`o<CbWd>s$0U<
zYpMEoRX5bvgj=Y-;Yrlch7FYJ&E>_DXQ=<DT~k_QO=y|0azcytZY^KDaDMTU+rx>f
z*w|FNHe6HROdX^tULU^1N@$`wu4=j7vZhS2rf3D(ldM?tx>{>hbwf)n+Lpvy^&Ary
z$sF<{$%Xh<H#E~?H&SEeB@3Qk?9lbW!2|E|{g`oo$6)3Y+JCOW!-h`|x2U<9Tr8vN
zOWl{sEs>Jy?~Y$eUQCb%zI^iS;aSx+QVwhQEe!Eozc##t&cP_q+2Km(9D0^`-AGAs
za=cXaX|BC<9hpwngek*yM9K4M^<>{WnH$a>J96|DTS~UPeY(#YVFfa++%t1eA9-5U
zmXeHGe?W2AFkYN{+Q<=ChWx(sk;$^GJumD0J+e<@=8wH`r{NvBcf(2hwVsy@ZaAR7
zTPD2Ri*iSqh)6W7|84qfo14SA;gxmO&C4e=th+sYBL%c_qN?H2R4j3y_Ac&Moy7gV
z_x{|3=*-B~*IYZ}y6bPqyOD4C{8<@3e_+JOQKL^A6C8Vb=#0!W-*;Bl+2@=)?mVse
z{0qjv|H6yH7hiH|_JqqOPP+VxD|04KnVLK8s_DwTU{+zYsCahCoVoK#=Py`TwrKH^
z@|&05vh3E|s#mOJ09##G|G_&N)~s!8y0f_@w(hR=8#dl8o^?E~REqRxt;wlbs~Xp>
ztqIqxYig)h-BR`1m358HH&FRe6Q)J2Ypz|pvese@TN|4a+t^eazVXKJtp)Q-E0>fn
zE-IK06f7>UELvK$pd6*jU!{_se3MH&y0Gx(`3Si^c<7A_7A=Sxy$qa<L^BZ`9c`js
zyQ+RILoK~yb&D0NUVZ(>>NO2h8k<+=T$P)9)%7j0W-qq(P7iiXb(7Ulzd{sDZD^Ev
z$CQ;;Q+0DoZL?L=xN_YZa=^(pOQb5bW2FdJu60HnEt2M*q9N7Ys;`-lJG~|zftqz|
znp6a8*VM;i#NcA{Ve(DVkvqedJ3dCFQaq<bNQIZ|9`~6PU&noALnEEO>v8#)7{p_`
zzPX<GkyYwLn1<HaZ0Y=Q^sQ=G*HWj|rPj9z<ps0Ns8oL!VWzoDRZ9}k?)7U|GL@;0
z)yphQOQaM~4Wp$@^Qay*;o1%K=P{~Do>L0pmRNOj>?X_dmXpF{hP0O7(=bKuEjKY|
zVwj<4;_VZi%vxV3(+8;-GL%$@S1{b)fvScEJ@<3uhS4{f`NrBBX^N7GJj2MDaPN(W
z>n)c@{jaTFGufo};)^}1y_Fi}RSk{n$vY-csV+J(o=%EPZI!e~W-x1O8q!s%Kw20Z
zRqx^*5Dl`4TpT73?x^KgEK_n@X?46gZCSTcDyZsfOaXl4)3em4T7#Pnetx^=$3Ld=
z$iHdaZungD{g9DAZm?m8miv>z;1l}$83s=nx$%!{K5Xy-gWoW?!1xasf7>6`^4A#u
zCi<@aM<viwU7((0gx9R2^OowrqBhKeDYj9{eOR|EtwjHy(jG6)vu@(OsmrWQ)^aPy
zy2rYg*JoU<Z$e4~O_cdCvCtJlJMwci;q~>gy70t{C#op2JXux0!NVs@6-xzWO`9^!
zl2}@kCr`HGEn5#plht69V4b04GDC^ZIX%7&n-%G~D7`>6Q^M+oCSuMY&`j%WP&0*U
z`jqCDaO2vBjaIte_vq0S=-OJcft9Xg-&(qqdX~BMEK|a(8md<_d2FsttXRcMBH@Jv
zr3H&~!b^%4-CVSwut;Y?PI!JnSs6=V=PN1;O6L?TF~O<KPA&=6LnO)~&HcTmCLXVN
z)~h0sUeXkiE{eDuwX{xkm8-~1w~WL!w@cUmkA73*W#85~;Tsx%vsdFoU(@)~-!$$v
zxcx2tz0BYwgP8_jGPv8|cH^(kV6LO@O|7TZV4cA-gSmgz?vu>-V~+nR)22k?V`X(y
zJ^j$dx<{IPldP30btyE{s+!itm_N~3#s%mc8*8KsOpN|&l#P38To)5x3Fo+vSmPZG
z(p0BPz2;+doqUrHE0xua&Qi-0r+%d3q%#W@bt3cs4IVS$IOv4$e9sK)cywK)vC4cu
zY`$+d=(s!IQ`6;qSMwWZc2LQ{L)TPkMiS<E^?EdRq|?#Uzcap7GDBM9_LCxC6A#RY
zrMo-Iw19^@-BNWtnr`>iwXw=(uJcMv3e(-y2p*55+r6f?p*H545xU*$*Vf1C8G!DN
z%P4m>;8v!4j)#)?pyZwWmb}+~(-kMYxIVf3tIq6S)1dr2SzP(AN5Jj>-6NpoRgrl{
zRJp4m-P75XcKM>@<MsD{82`BccaMK+1ax}TZ1aDRdnW#Rwp#gKLRaCbKF+&-DR*c6
z!ERLL3Od_660uHmU$?eCzG>*>XR`nG^))fGh7m1k{+YJN7YknQE34Nw5=3=_`1bH0
z@3@C?H$A;}_3*FVE7kbnrQf)d#WJ3_<L}WzUFq{^h00xzW0jJ<DbaV$PsLr2Zcgk?
z_(}eidp!2TxjV6UyL&|66@GH`C%Hz%7G2lEmt7W4;b}pahc|5sd&{#0;vp}obGnf5
zO>9S@)@f3cZ<7ACWs0iX;Vao7)k~jn-i>K8vBswOhJ(xBa>v)?X}72B#hBS&<pPdZ
zBpx#2yjvWU%rN1buK3+lIAX(SVf|{><?eJCZ)wRelh$}D_{o9Vjqer*5g9goHK}<w
z4O(az9eRz~Li=5-=BaGLGdHgd%ldPr+SgCtXP9{X#Q2;~`P3UEYPFiAi8?gQ;#Sr}
zsf$~r!|}PCaZOUD7v~T%3-IteOh}^j=EZZ;^(BHb%lbRkHm-M05SUGd*K$UZ=8c7t
z+ClVkP<wQ#F}rhJqwLI>c)PYSSP&()ZYJL3<VaGQISOQHX8bz45Amgil!7zW)`eC{
zp;dBV*tnh`Y26o_-T9id=!R3*wbH0~bRZn&HP^1GZP*xYXk?owRv&AqUCLUJ!@V$T
z#1-t<na7o&c+7_PkXGB=rEbEnru$iuSc8VwvvjQ02SxG|uxyMGkrvLm)H$gWtVAg_
z`%~8Y?n*+v2-lLkP2^T1i(U4@bo$ki)XK(YIZO&Su!@nEp^l?YA{T4sSTt2|xE2(z
zeY%>NaM!JM(!wHn?PRqkUr`%#ugF!-d*^#i{c4ufvST-8Vj}wz`I1z%QZmL{AGygn
zvE;J~l>gpMP68(rYQtte;w{hartCJS3J<G4krCp>>{7TAm{e|w8WP`X3^N+BsUfG|
zCLw9{(A`ec%fspDQ}!>@8YR^;+_;MUSJ{|!>eITlx^vN$Eji-e`BPWBp@!po&i<X|
zro(a0NpIGZxr8E9jn%2QN}=g3ol%&~=A2&dvq*RD^bzzfY)`c4z2FVhe`mm>BY6+f
z33)ZdyaykqoKo6%tgbp1zN@}bzxg2B(z=a1?Kxg=<v3ZoP1;F};*>1_{b;>%KBji9
z5JIDjX(U$9NvhXwO!DEH-&NmLTbbxUl|q+0di3^%+5LBRUS)qnjePtR&<TFR=$qd`
zjGSO^-m^1s9Mg&qZ?fSpi%`|gOuHsgv{q85AUoGB>o|c}El2EZnpMXG^z5aWC%F~R
z(EV3@dY0sU?P~TZskzmrqjTnBI)7925Wz$|lD7|JAFa93wSOpkdr5Up>r2kxbxo9Z
zZRLt}t5&IjCF27B4ad0b;$EL+WxsIT&dai_t{0EnHQ*1ytOqSC_QT_L;32Lx-FMs`
z`!I69J#IIEZSNen4^78}Z2%tm-ofMcCNMB`+};6Zfn9<pj@$iUe_+6la=%ykhyi;O
z*amiho!~Aod*p!K19pIY@_p2RJqUJzS?8c1%mJgL2kdgN9BcqPz;<yzZNT0OM#c=-
z{a`1Ub1v}@A_r!V#T{$|4}o3aAlL(DaUXIom;?5KQLrDZ0JBaXuw!5ZYzNE1PA~@U
z1>3-0un#;c?x6vD?0NLxU^dtZmV$j?1DJINdcbV3Q@)>xf3OoAdp_xVAM#)a*Z|g?
zLpWd;coghB54j8QcRuk1+rS1e`+@;`2iP$lIk4;f19l!i(-ygq_=6qbF0kz)(hc^8
zN#FZP|HbfN-zE41vo0O50~eAGaJ*plfZYa0CJfkJU<}*`_D#e;MuyQV@dvi$klrxi
zfO%jiSPpi94PY<W1_mY*PcR$o0%PDluxASK0z0OXu8RpbmwEzbUxhmu1^d7na1e}v
zS(ktj@(b($YrrmW6BxLf`~|Z>EWfR6uosMgN5OJ1a4Gu0@n9Di0b|!vFTwH|gbPNl
zqdtLw>!}~vr1J*S19pM!U?h)v3zpwVy%PQ=;x&Qv%q0C_G@tl@ZQw32s{p-V3=HrK
ze1Tcy7uW?>fW2T0><8PyXd(Fo))bL`unimpvx|u@r*^T~q#Nu3cYxV*kpsKtQBSbO
zjg+DvtO3ix4loAxfbC#ExC_jhPddN|cnB;9`@tAE_Hz7z*<cr#2lj#GVAcZi1B`-g
zU<}*=)|8RYU|<pXaRqWqC|9tnocsXGZ=qbk7}yI&Z$sae_*+i7fgKgZL+}HHmxDjB
z94xOS9I&&B_=2$&#1pJpNjQ_qKd=I9tDzjh>{{f&$SUN-9URZQN&R31%vw$T0n5P{
z7z5kEF0c#i1^0njb@&If!Lb<k)_@VP4J-vazy`1rYzMo*U0@Hm59|kzihDif&g7^I
z91muHkaU5OJBTk>1MUL*8c09bvzB@{4f#gm2WB@DFR&l%1AAMD$5rq#(hWwzO<?(5
z<S!Tl4}qQQDL?w_j*Y|*>;ZRyS@#f+2y$RK*avoiHTM#4uoLV9vp$5})yRQ)VB|j1
z3ud<x4%h+qgZ*IEHN@k7;tke-QLy|0>M0o8jy^DZ2l;p{a$q)C4(7@CC(sMlfNfwK
zxC870yTD#>9~k&|^nm?fU<Ud=iykoYB>4meI*|u!z+Q2Giu?y-;MnU(|I?Hk82dc=
zA^0WYdp-KV3b1AuJlOGN!UMCug1;NkvzvSZ`@s${>#Ni+Fa{n416{-;k9a&!Jisn+
z7ufqX{NIS)J-CCBuahre`8Ux62EK(JaR-lronY2Yln0mx2EI+azz%R1*bg28+rER`
zOyt2FunUZWy<i2H)lE9U2-peMfIVQ~yZFl|Jul!7?EN134Mz77KG+2Y3h@6j<qpQc
z2-pjjf`K1Xo?te(35<XpU=-X1mV-TDC)g+aPtZ4uc=r-7F#BiZ4;Tg8!N||4M_}(S
z2p{YN1BJ+g<H5i|!Uwa!QZO5=0VCih!Cw&$82CNzQRMn4f3W|L_%A~5YorhCcpd#<
z|53`Zm~_5DxM1&_^s8X!+vLY=crXg~ffZoZJA?y9!5v^5xEJgK4}pQ>_y_yJtP=Pk
z{DWC1@CWvSd%>QJLHj5e^9|bBa|jR21G~U-um@}ad%-ra58MHE_y_GnU?<oQ_JCvO
zA_r!JS%E>j6pVm1V06Tw-6ig)4cdcXTX4|MnTP+(L3<O}3+@7=XQB_xI*0H}sUPPK
z+U;Q0h45f`7`^lH4>o|EU>n#6c7d^r2kpQD%HtCJgMmv2?M^TX?gh)iUa$i^3ig13
zh2#@B9?YJAUN8!_f#u*1uov75#wH<OhTP?Yb`;FIg7|~|IfM2-uxASCUxfSALAwGB
z<dQBh3+w@Fz<zO`HfTo{!%rt1um;=<_JI9hB!d1W#1q^E_Jdtu^lI`Q>;wblloL1}
z>;)rWKUfL|t|8ySEO3+X;6AYHTI6r$I~WBcGY0J#*a3EdePACLxQ=oHqhQuj@*B(n
zd%;q$A8Y_4*AsuR2HXM0z%H;2+y{1mePG}Q^xT3w7zNAoC|9rs>;yZ(y<iX63-*CW
z!K@oe=Q8BL@nF_Xq!WyQrNV<XU<}*@c7h#XKiC6CXOa%E7mVDBTt4XqvkQnPSPmWn
zyTGj5&^rsgU?&&@vkTD&_D4yFd@mwC%h6j*I>5ke<iJP?<qWpXAv~~iF72p-bbu9L
z_B`STM!*g*3hn~S!5**%JOp-t{b1Ju^xjT>fbC!(*a^lKl22eKcnHiYBRnv=h<JYh
z9*luqU_00Yc7na&Ua$}B1^dCHVD@6#Z6)ylbHErF1v|hBunUZVy-SEM*i(*t75q}%
z!Tx3NVB}WP0oH(hU?-SWO?Y4q*n0<h<og=rz`$DK4@Mf%w*q-E0%qTdUN8#Az#ec1
z7-*)vz;dt;>;MPBNDKZ}67LPvL$G`!=>u!-roPk=?mhSi`@t@->qC@ZEj&0L?Ai<u
z_JRAr{w?sU$k&gc7wiDb!R)Qncj2ESALV-&@m@_l!ECVaKam4_o~N9_u07-n*bDZ6
z{a;7Ej&yzld9WWW2fOxCPGIl1NtfVv$+vpa`#s75Y<rP(fzkcw5j;SCeh~MckUwAy
zY?tpp#~sWD4+#$r%J*N;KJFlXU>BHmkaU7Ea1iVSvl__9UlJd%4Qv4Wz&5ZS+yQp|
ziuwXZeog$>kk5w*AI$y@;e%PfrJjKuuTp=(uEV5vE&jo5F!Fok!K^<J53mC~D&PA^
zPb2!kDA)m3fYCpZf5QKn@@OJnU<B-WlX!uFzY#C6AM67=-y%I=S3m9GPUQYUI|Dm2
zhV1rc<VOtId%+rTYzy%@eaNl=JHbt0^o$`pD@Hiy4%sze*7-wrC)fub0{br*vd6C@
zy%!DH9bgx@7c37C*++%HWXR6Bi|^U^2RkMV*?nN!<%F{y_bEem4;Y()+y=tSLk}3Z
zamd~Ww&f4m*&7KrN_@ab$&lR-b}oUx2Yuy3b{^Py^N`&Jb}b#U2f?;w@SD(IL43jJ
z2T0$&_^*NoJF1857}&J}ePC=Q`aVQFYlrLxFtBRK-Uaq<BVPBB-cJyJu;x=k_71Qg
z>;*d?MQ<zmw-4FnU@zDXc07Szu=6?6c|ZJD2@i~P5g)J<JOuWEfd@$6e-b{J4d#JS
zupF!b8^8{*4eSDUfPG+>xIa%m%XctuGyc9tIAGQu;tzIxlW@SuUh+l0gX7x>=Ud2w
zF|b0ucN1^03)}@pzDxdto#0Wh9~}E(<o=6zf;C_s*a?<{y<h_vc!79=9bhNe|2^^v
zY<m$sVAl6Z?-u<35Px7l*Z}tZ2zfB@WAY7*?jN$FA3-lz0cQP#c!8Z@57_fl<ix#~
z_-v)z4w7!L<Co|G`@p?m_OA$E+z%o5QS|>7Ik4wd^nksG(E~<)PdR@Ke_#~M?ju~V
z|BuLlokuDE2g$EDhzHp9Hu)(y@`T;lPJBn7u%izV{+JVXJJ>t+guNH+d>{BQ-wRLJ
zU5}u*=!AU;j1-@+$8G}`oUkhd7oM<VU?;d2%(C>8ara^?V?$=f1!G5z-j*>cQ~2@x
zb-#ApzS77Dc*_$WZX$p9E643^em;aUi$mk)o)KI>y49L_{tZ`5&%Oj!`HzAn&mFhV
z5n@g#Q$YMy@K<)^xGlP@*`dr^#)L)}1m%nNw+XDm-KQA+UmnoG-!k|ip=O0LANI`(
zjeE#n6biQo3PO{%j3^G}ZXW6T#F)^el28~oWM&!FrFiM(Z`_}c+rJvA{XZi9ANEH>
z;fDgVLX+A@L_@h-Mizu-Y#uc`v@OH`q;E`U1{}I)CFz?hQH}7Ioncweym8!STEned
zq0BA5g3!3l{<2W+onu1dAPPdG=LMsoafRxmNU40Oz~2G<rRH}G{s{d0l%)Po%Ap<p
z7(Cr-{E>X@gkN^-xP6DP3qzTkeZJ+P(ON|O_2B*t?o|KyBRuz@S>ZR2+YiQB9j|`)
z?eG^S@lr-(DTtl$D}+y^b782=x4=oK=#3zE1i3Rr&O8#&QuxF0`NH9Uv#&yxcr}sD
zfoj0r`rC2)8p4-yZI^u9BIU9<;J-XW<sapUqt5po$Y;KF+`d_e6!}%5NpnNF%R-Y1
zLSeKJn)Vq%v=@If@VCPFdq~Q^UBcNS^=I>lg`r%6o>Zv3>dGVaZY=e@34i;=Us)*A
z_@j;``Fjk1FW~V-s@*<9eOX6X>RqX{lm6rO7sWqnO}(W~nR;6w_4W>`Eg{FNZ8Yes
zax>yx@^c6Js?b+1gvw9fY%;VYSQr{D?t5|HiMwiF(NJc&aui`*&WCW{jl0xi=aKU3
zhkph><dC57V*^@WDxVF%-9tVPejEJRqKELy$O_R@Zsb$>2BSZfZ-bZkr1Cr9CH^Bs
zzj;J|myu`LCgJA$=IQ*{2Y(FtTH#fG&B5_j)hNZ^QQY(Y?#_>F_y7USfR7k|rhU&2
zg+CA)N4jX<syuR#D?@I&$kE(OL*W&sx+?cl+?#NpnsEPs<1XPh;NFTm5Pzgyv_Wiu
zf8DEHd_F_>F;wr_6r{wl3;7vuAGhxpEu_=LcVQ^}A!KzYR1~B(n9n8nllpxWf7|f)
zN%2ShH1(SnWa>A4ps$MRsoRup7^cIP`j$g~dJO+_#J|eljnuf}U<rv-^&j^z=SDxE
zeu;k5?^6Fwzf1j(_q+N2a#A(}Dy7@i0ZP8?K;KTzpGqV=^tJoQbkkqZvq<X56)i9E
z+lPEN@^45#L%I1{iC$FKe#y6^xNqaUYBise@@;M?ya8=<RY5P3ew?&Pnad;fBYTu(
zy@bCH3Zc?X8y;O6T*d!$gIZGJTZ&w!ecb+($R*-SZf*|vwj^~@BFo<<<Xe$%l5$U!
zBmI=GIH~Y_OXFXP`ISzmR11?n&kKsaedyb14cO<KdSvpSaWie)lUDN!vVTrm_Ag1~
z*Lbp^DT94HbSK4+{AwZ=4Co}iG*}TDSDeT%$>(zX?ZID#+aJB|Cj9BlEs%Up@+a|c
z$KPT6{kQld|GfK8--Fc9;-n6=Ah=T3*?5;qm5{Ixp|909V9)btSEW?-UyTWcb!k(L
zqQQB|UyFlLzRq<DZFX>Zk}SF<zImsSKmGyxbv~aYzMo5p@7!QvdVKRx(T={%z<~We
zcljlcTlv0U;x~EVl1_mqi@$yNKZgHY#pwTp?}HybV!*yCiLc@FAbc+T--TZs&+o)M
zi~fLl*1cn1pi6j>9N)*7_cD#{$I|MT!WO5nRHw}&w~S~HJmh~^8X<iKfBXo7^%CLy
zRER`9mr?kcr0OiLDjgljZx}hC=Mjn}Z@^vfJK@zlg7G=6e@V>iqM<VXe(7Hrt8<C_
zB;p<>?&FAi=B)h^|3+MkhjE=1ymfd-6(fmH9$DWydcdxf{_fr4Q{}%;rkTUX$G7Gr
z5sK2xhK;R6NZQ>#;!_r6AKkOQ=lk-h(S?Z`E#6dq2gWkL96MmEiMwJoKOVjeo@|dl
zQlBF5CGfiDX(!=J;q&3ojZ14iHAY^Ii^fglH^EmSpE?ijfUkp(Ch5uH^Dg+E@LuiN
z_Z!`{(30m!yu|Mz<hxHFuzw_as^araS`Yp4GHUg>!WXFx`($KYlKizKSQQ%m!i)Rx
zCi$9uI_V7!*k2btiTXR6`dbw5&`N^0#y=MYRsT?dzXSMt(cPZC#>0i7-5EZ59FJv4
zvC3x2uU+UX%N(%BNj%IWd=LCG_|$wn1YZT8JWrSO^c(pBiB}>$a~XF|#M8jEbPr$j
zY@#42;p8we48Lzcuk-jWkML3WNh!RHn-%c6@TDS{2<Ns?c#Sg*DF1E9EkiCKa^?}e
zJK)RU>Bi%a@LljF@Id?#ejh|W{F!l9$FI-G)7`}%ksmbj3*xL^vu2TD8_@F&$)9=g
zc~WveoGVM4Npv5sg+NJgE<I%mxtKn2#Fjw2{~_rSBmBkCfAFjU`&9`ykuR)gd~4%b
zJ}bB`{+T{r@^csdTC)c1Ul@OzeaqDZ$2SXD5cI8L&LaAIk(+V$fc-rqXXb~DnRDYR
z=LUU?lfJ0=;aEC=1Ni%pNB`klh%|9k(@@4+^V!S}^?Icg|C#3w*q6uS_W>eSpyr1X
zuLj)1xU>CbS&aQ=KF7Rub3hUsSMPj8Ov<Sfe|7jfN8)83(YF`AX&mzmcRgm_?yJ@6
zn4px<v=h}>rL!M@+s_-YeI}i0`wM#9BT6z8j?XGoLzHreP{HcXAF$ajOfJ8rgv)|K
zx0oE9Dv;|&?go)l^TEV=w=y(tfyzyB<B|DmJMssRe^3ZAgLVD_GH_0CZD_QlcNgyY
z7Yx|9827}ypZTbnSIv@n)qMAStWV;LzlYuaq`oocm<SgJ=QtllOyV=14y7A^UpD@T
z4+{)E;g)jA!@X>LdVf?7zs%v8hcBUCO1?F~SHTw>eJ1{kLg5A{`f9$=f!tQ)E|dn7
z$T!NBeS%h54=qwzCsS34M-TEFE_C-xl3$15Tj4(;;h`sOA3$<oU1$;wn}R`r$}Q!V
zbr$;@_$yAUSN`kSrJ!V-)q!r$QRGL52khAr4z4C$^rzH+Gf!TSvaX0Cx(R<_{4H{)
zQ?C~o49o(jFzEYP{7Z4re*tmOOCNMdzV@JJ#wDD8oA^>rOteQA25I5+3rOgB*iqzm
zUOHgkDMTWk<g4ss>3Ta$i>rJcPv#y&{xXp_kJO6@{OD}c&MAt`zFS@}%O&Nn9QSd!
zr}}Gv&pnC1cHHxESNn)2JSeM^|4QJK_p5~8%YS7ad@uYm5B?~8l?NYS<Dt%j9}nLI
zpPUW}Hv+%agD-{O>A}~)?@8fhOqBN|55T`>`XMu)O{~}0=QQi(`JpO*qxX7QR`<Fd
z>_cDEWdruV3E?VVUz@X$A@#c-xg*Gpl6t55Vbw3GdguRyv@cz~q;roTl1+iUGzq;X
zo@U=p&7)?sklf-iuaxyn1^#lc7_c8T^?R809CHq7g7JP<B}npl2mZI^4A}4Iv-51?
zLl^vZ`0p9LCf^eCs>C{A5&8CjcfJ(|SIC4rZ2>$x==-dvgBt6k+#*bHk4zb`&ocQj
zOuF{U48fJIMJXc+8YO?*(6@*8A}5;mYx)oJ#P`>D!z>9hWF!{M75J0)U3cdW*lHd}
z_vIar*`X$X6IqZOO&!jdu%?pn@m%tMJQK~bs|NJG9N*=U`V)a)2Cw>6);;aM64{s0
z^Xg`%)hxKwv>I8d2Q|pQgna2q^UHrek#r5X5*Z0k-p4&SeZYRnoj+{9`9Fmp(;@4q
zk4IkK*WGaSfc-l@OFN)H{1H8&+6j_=w;%VCYX<C<;!eJ$wYx<9SsW^hv1m)HB&yu<
z&ZE7d=V{TS@<FvD+VAE7D`DULj4STk(CLZc?+E_>UHm25DdR=rJi#dlm44)xT{~cp
zF!`6fZ|;*R9Xiww2I^!ykoS#e%oyOOF?gslx_@ROOGeyjdTJ@(LF9HLr}|aK>6_`q
zh0i*l`UsD++DBV##_t^XZg{D)N%3a<xGgje^)f1o|8nFGdia<3oe#eU{~gG^<Kcf7
zymj5Xhu@3bIOLe##~;ZTdA~aIJ^0VMfb|S=$?2DRl>?va=vDQq)EV~l{x9y~leo)!
z+!DTumxup$+$DX(x$naL82OTzU$2gbFZsUD_<xem&Leyu{C4z?bVyLja1eeQe7*3A
z`4Qtl(thyG?)j0l=Lnhc68?gwKBmp9WM%w{Zp^d@J+VsKr;_*8w_oobSEZh}!|#S~
zb=Pw}E=@Kq-Bk2a<o6<P<qg<BG4g5ic-rmekxYeL=Pk^j8Z+D!YNTHn%Rsa3M#f`4
zOMbZ8+1>GBac&TmW{8{}oaZz@@ud5^a`eo&X~1rBk9)L}<nv4acZTclI`ChYKVTma
zg{krQmODJjhaTid7w{gekx%Q-C=WA_n8$E^FQZ%fw);Fi@soCvMTf8*eRD-$qJN^l
zUGGd2RejGxt{XXqA=A&wOkY2FK!tH1;m(JY{YC%BQ}aO%UZrSv;D1}8w|*(Fy~bUQ
zo8(hkx|93yeBW`eWY?f4a1rB0bin?-sYfT#GdEPm0f|TUv0d^y4uqI;oS}B3bb1;H
z$0{DMCjfd}x;>s>s{Z4iiF=W|{xgSQ-6Nx8(!5OacQ5igdyey~YkVR7Y3*=HXm`N(
zNnQWr4N;FQs{P~t7~xe)d{XM!>d+*%$Sc)=j8{FvASU5P!t}4R2jb_eY3+_&*gSG^
zD1Ut@x6nPLt9~bj{}TMSxYNmehjbPt+WDN|e6@U{$*XZ?7yh=D4A@r_2j`J=^n@9&
z;2VWZ<b%5(Tkh`1q<#(J?->57_^iuAmQ4l0YQmH97=JPS{hR^&Kg2zeKdL|SJ(ZLx
zI7>S$MZO#PKZ$%|KR7X;Pqf2w&eWfx9u2eqto!F3=&Qosqe1i~+9Caj+IK8bBkmmc
zL5ifS7k}IFS8n_<?8ncIv*7x1KZyH0ala#!d8^6av6oQ)=DF8jqEFuR7zeM?rN%8^
zpHp!+;U2~P2<~C#<&sa2_;^+1VSi#io_y|C=KH8;11bpmI8F4JkK^#EVH_lG{Pht2
z)@t5=mv$iMeld!%Bv|9j`CwK35xbzwTHY5I!aR~6Vka~Xeyl@+s{G+a{?EcE%3sw}
z-!IgPN~)%ML{BO52auO+a30}n;17E6o8S+_tNy@v5P7jrddEY47reD<z@8+sq_dL1
zB`rPh<KX`yye^-^PQ1ju5BDRuU+Ht){b8RGka`;+6W^(0|5e;o`LP!BE<er<{WsG>
zJvutQ4$VVFIr{c|aKL_n&!R8woLS}vZFEcIWV~C_+uSNW9r!P~W58Z4{#AO`#@nUj
zPZ#c6asR5gn@7^Q4?een{!=*R?>;9RRKIl;_bS|@8Mr6nMgMB%J2GkibIQEMOvEK!
zITTdW8tR$RZ`NsZLg9NuWp^j<u9mnPCGtD?Yry|u{Qu3*my_r7>`;~O@4TBtHLJQC
zyf;*}P`(z1s&4jdKJ$W9dXI%lNl;#K;%%2IHiJA`mzkES`abqD_FwK~{zddmJ(@$t
z7YF74+2;R+I!mQ}h+W$@<X0GZlOOa?jFB={u^=ea(+ZXU4agrrKHKEK_qgHPrb{5c
zAE0I?lK;E#-`#A^qZ8#vEi&bIYbdu4&lE_!TIpJ;=XXc(Z?%|x5B#UCm({q%(V-l&
z$~aC>ACHAmB=HctyqB=Ua^`175AO-J2Uuip8BrqRpYKcV<-cT-S^wdG**f-3O?z|A
zGuiPqqpb>&Dr<EjU$Q=Np1#>9UE91MFA4DefqoS%g4{mjT9Ip$fT;h8^0-GUr99@!
zrl2VssoJXj)1e&1-y{>Cw0Q*kr2gB@EG?e1oFG(?*{u5G6f10rhu9(R+35A&fKOgZ
zA!bB`1NPMY46#?V?oOP4n|LJJr}P^Sg=Q=d<rk|t7<;6yK7`G080sIYDPKBgXBn;g
zfAn{wU+sfS9`TIlFTjFo#yzGyV~ij2q9SK_@<{%OUE~qm&oudyR&N;JHjngw#pF=D
z$`l4uH+;&1(r#kt+jH-L{YBFbO!=#Mp4#ythlqRpyrEO#ci(`14^FM;@8GnO7FiPC
zc2(oxKIEE^yFntZ%D+h7Q!EdKmpR+eO0FNdt?wcy`7-_r=9kE^jc)n_dBaOTk}rA2
zy<Mn8ed9bw-Vf2mTqJqm{n??FLdlnQ^c^O=Wk%m-pBzbYxFz*P4mL6i<Kas^6Z_K4
z)&cutM&8tSYAZ)K@i14%KTBUH<3~UK>hP!1C4PB?AA2SF2d~!Ogf@rJgwKYL%Nt(e
zn`h*2<g@hW$?f<Sc|A-@QQUY$PXqF;=x6&$jo;FhN<O#2Z-tk(F8R1w-uU6zM^Y>K
z+==^k+&?bv!}eRgIiVRPq5MUvWzaRa7QIe4tkaLaBj{80S#<K0^EZ}69eaTNEUD)z
z9=;yc(fA$%ZV8f;#47#&YWRX+S^EFPzXnw`=q>s1fW3MoUx<I&`YN%{J&(=GKaTJm
z;iA&GJ?0$?gJ@Oh+DABL4-VMXLTn0U))2nrdmsEW@Joa@kMM(%UU*5n^9V0?#xvRn
z?4=GV9Dh0Rt?;Ux%=}CEDExMKmZR}Uc(GI73GdVaaTGpg<WCpEJi@obZ$thxhXkd5
zbi!|iFBV>v3p>|log(gH|GWqHPfEG@H~RF9UW9eI_TfI`5zg^s-oa~b5Bca9+Wm?3
zQ91qUbJUpBqwB(;|IZofO^BCeD<yG?t<#Y=h4_AAz`j_8r2mt2l*2y*ul5DVr}>lv
zS#34I?}qOa(IT}S$tx)gWO7bbEa%-!7ntHmeu?}J<eNT8y_bHHbSK)kuRGqT&4HDK
zD|Xz6JJR#J5B?zh7-XDB<Oksoc*ti>WqkMGbKtw-RfRK(L{Aic4}5aDNxiRt-wpqF
z)6biF@3k&sUtzvytuG3yJ#LSBuMhSloF2j{d33=3;V8Z&+Sk7t&U4=LdcA=m;pF6!
zo+lFXr~hGkzU&>2UI0iqVkf`sGXwU);qoo9uQU53`SxgrS9gJac_f@c!a1-L``+Qg
zNvvB>Rz9D8w{U8vQ9hsJeG)T&_#fum_r3G2R8>bw&pyK0**Rd}_P-0~1@Cb51X#k6
z`v|r_Jz#(Pe;1B=KQDd5Os6N0aCQ*Rv1bzR0i?}K7twEhMEb3yIjGrhlm0{QML6)q
z0ek-lz9jk&mIwZCjc_IiILRaJc<glgo89T{Tkch;gTGiw>i?wQ&4X`+r+bz0d>o2p
zNv<AoufTm9?h+T{9)BNP+&AIA6L&zlv%$I|+5Zk4x^ZW?cHD1EcHfKp0o><E{ng_&
z@AR_s!B<JoAyNFCc|X<nJvAUoT>9Y;!hciBFOe@yw){^~_Gadk*eA@6kpBPVJq5(I
zJm-Cz{m7dafta4D6|a6JSftc?uL6JD@b^_A=$B0SCB_|@&#$NalJ^13Ohxto_|JTv
zeGOC3%=`-fyuW9rmCUeIdJ(ncK8pi;%=(=0lILT-1`?)^wM&BfEgdyE%ferP4aJhL
z57?JTJk2Bgc=#&#fJ1`9N8p#ir;h8T@MZ8a&2b))uQB?Qd8yx<;Pa916yZcUkQ>aU
z%o?pY=u5o6G)K;W^}1U0?#2IZ{AY@P^9bJy{|x+D4haf>)X0xb;<Nc2xJJw4oE(oO
zp)j*pQ>Nly?)&IQ@0lWJo>EZm|9A=BZ~9S_@2tZpr`vUfBD0Hwygek9i_f#w+im)@
zY*82*UFhpT-_~yo*bhj?Q;uotEwxVP%>!QBPu*ZPuluX{!y)t>_%`z%cf817_L)DI
zkqDGvBpq^JNm)1R0_iUj<7i_4HZkr*LpwA4H%dpDev+bAj#7Us&=>xmY5ytpvDy{7
zPItSJuf^}XgwMJ32CuNyd+)vIDIwe+oBT@~Z<5nd<@;EuZc(UdS*VUpB6$Zn{j^)H
ztLw@_P36G|QH#uAzVm|tdx1M&)%tZ|=$Ow}Iwt8w<HWe$fWHGj9I(ISUI!%RDT#P3
z;{EOSWrUWMhN^B2Eh}J4rqVO7*&MD3EnDD7>G`hQ2Q%&`oD-OS!_*(j(VV}j`lDXC
z{ZwdA#@tYM#tN{2cW_J6H-2<KDE)QLb^P~=>F=q#n^|(@R;$&iYF~2SOeXFe$HgD1
z2Q~2H;Jwy~ceuBaRXyxLeiHHziI$Vs!<$2`{`H}){*ur({|CG(gw*Rk^wpv7$@ik~
zu+LZEnbmsy7k!cIY47O!>2UfI^CtF-eVm+nOkcG+m2Yk6Th?pFLD9)0{ml;eR`@d%
zqyH1W3w{H<)J5kJUheVP2`_o>Ji_<E?}1n2DE5<bN-60Wgg*d3$<$-hPQ2Rt67t#i
zCC`MY=B~@1jhEd&OT0JW*u&Mp?}1P5|JC?!<nNTos`}((5ug`#(hu&yJ@e<hXXCEN
zw3lRiLi$1f6ZAx>8<x5!lyRmHJ#_~M>@P?-DgBUZT*NNLbj0y}Gs$DQ@8}@@j~V}I
z^RW4h<FB}<VUoWU_}lhN>WPW}N%D7L=s<=#5clX$RZS^JpWL$)KE!)p?tVwTcf_tO
zTfYhOhLWIkLacN37{l=_r%MTEGfSi{qc=dq-2NN0-cRI@nrCoW9#=8f`G_A$UmpIt
z@%IX!Ep~g-(#JlqId@+|J9uz->knPu+tF9{Ti){#eddw6+zDR-KTkML{gUnA)+Sjo
zh_jS;FY<NB|A!Ey=V4jzKSUql>`$xxN_n@~wZpBB0wi5>FVzwJ|JmeoT6r&^ynmN6
z@17MD`vuojTzY=V-x~C7J#5}5Q2DFg7gOUfg=VH@MOf0w3vOy!ru^-|-%k8hm~<qk
z`-5?RvxDqz>QY8d;@^wEm+-gR_)CjFC)?~|rEFc#2~C=xv~w(ec~t$MNq(Sji4ZFO
zO!kc(Vsbo^Uj-3=az9t*?*_Ep_(}YgC8awXe;xRnfxiV3p6VBvN-+zRZBS=^BXWC@
zt3po23puktLOII;ECljd$n_z&9l5mq5BP2Hsq@6Fd@cWe{5p^5$;qcYkeBs^^9Uc!
z*Ye4{ltTr)=<nsT<XhVOpK(}@GF<b2&a*WW-@{k!U-a!lU-<W|qm4e(-n`}yrOX&O
z%%71yJ2O3-<li9rwxN&VF?rrQHx&M$lYMF)nO(sA7&)>lx&KuCLksm#S3a#++Fv>H
zdyua*^4{|gCc|=65kD=^{&Vmn_pBYnzl;I8zR@yFeWU6&sMW3xRE;}5$iIX9IU>(~
z8|Ki8KLl_6VZfed_yvaVho6+fk4I+gEcze#g(8oB-W!muJN1Zr4(_eEt8kQix#O(I
zKjS`Ke3UXnuF&<b2L2iRN!qvvVrK>$vr=z1!FR)_*2@m~J@BdPt6lKB;boi4c|>QA
z(SL`Ks+}eB%f}MNWR>zF^8LskLC<@UmomsMB)|Fw?4OB-6#ch|;TEs?hpDbQoFaLz
zIPujSuu6Ix(9?~c<oFBU2EPZMX?y$;eh2(v_|$gT1%CwoqPVmkKlZ^NgJ(N1{)isA
zH*fSGO@Crsgdc>@hwqF_Ydu*c`XId0FXeTMF0UN;!|<u)7=?caKD8Vx;E%yyoTOj;
z#^6W)$(+-(51hQNPqZh!5fDMX6ZuKV&lf$cN0a3@irt>`zOfh;C)w>C!e2iAHj6(-
zmc)6eobZifw>uM`%(s?_FA>t?XI2sY8UCIS!n@xp6H6FZzh%l<wSWA-ga0p|%>P3v
z{*(Hp4*b_~pWzkapGuX8H<g+8O}DPbrM<{CAy?%NhjG=Mhs*v-u{)ZQpZ$_P{KZb@
z?>4u;Y-DqaDS!OciN8d=*tYU9gz49jq@R#`7bhJVus0aF%|1D=m>=}b#$FsQhWl3B
zf0V%&^7kbDxV&$2sVuV@DpFpo(-|(|^`LL`>xum0d_3MSNqO|)J`Q(fS55vU_s8nI
zUeAZjn;-5DS?X){Y|0b=U3^Y$|EceRN&c22zx6NJVN3cF`NZ~M();{{GR~PyqwFPL
z+VR(Vbigij=L>^`hy8w;{}T3{)5kaT$Rp{Ndn;T2oA;fJzO;Q5m2Uso4EH=x`Imeh
zU&8$2uf}eibZn*o!*#m;iF+RIt++GYG~>lR@qEvMs=$3G?jywAJi^D|w|nsI@Y_82
zPWY`J{9bqoKe@l#g#KQm|2#imyy_R}j^9Jknt`dh=S)G2g1vIMKrDS{(6&-4q*@3{
z`sAL^8E>YKUvlqfF8tZZ$T;n+59J<Ek$*&Z^GN>6y`a0{FBeYbKLZWj6`h<q7u<_`
zH}2JOcV5WgI8DAveL94D=HKXlP5GzIgXP@sDf*%0cR1K^oa>&(i#qk*K+atHbM%!9
zq2j~rovl2Ujl3?Q-$PO9M{d$v>GQ+}_^=1x20zY&-vOWL!OOj;qf>avuYK?qytG*z
zKgo|mUeVV1b=2tda+i3Iou}h>f%rF%@Y(Q^p0IF~o1|3uJowxcJ_273KLh?;lkdsn
z71f3%LzoE)8K^cwMJa8Czjg_~pZAc3NQ^s){#@4C?1Q-$Sw-@mql;1RYq=QHzZ^yX
zZuGxl;&qaKmvc4Q3QX^H9s5A3UwQmj_7CRIJ{@19FR_1;+|Jb2;_&(;KjmK9{C7-$
z!gqP3Tsz_G;4cwE)jR!ugp7kZP(8SBz&&Li&wk`ex>&tmZiZJ?ZgTJKR^-*ZSak9*
zRj|e~!PpId>`cC#yx;I2Iy0^PiyGDL%F(lI%%DAbxO^cSO#f5LzCg2QFO#%C)``Ax
zV+URDt4O-{!iV8g#u?s!@n4*wDwyPueq{VUD)OffYI_frk8?xEGJF-fM^DIQvGA-z
zZoSkKB_|c{RlNW;8L8?&a^0apmwlLoBliTq1b?@v#DDzUKHtZ7Cxls-ZbB}6#-Pn|
zJ^o0#I^av-DW<gXmW?>ynxyt4@#sOm4taHcA%1wI9Ug+;2ESd1YKaH?Ae;RRVzN~+
zj;lD-{7+ro#;a87i-eiQ0_Yw5-6#Xs$?E|b==XnCCMfA6vC1jYSA)JIS%da3`Rv)Q
z=Z30$ccrxAf*}2bs}-vnA@#HieH+dmv`=&QFKRz!uDtE}>Es@!Ab4N$SG`@y?=&<2
zM^FAagZ9ed`h!IKjS|Bj=njDy6D#icEU73c_lihQk>XG)FN_YCEvg;LJ<qx44!Yi#
zmi+2~p8@}zyZt2A`H6VV4jl;iukfBAs{E4r(TBcg&U1&;A?b(T4gcE!Uv7`jL&?Xq
z`BqsdpO;jIy@7>Hcv=!W%<KFmL4UjdB<^#~eIqabc)!HAV-fZ5{e$)tK0A-(i`;vi
zdEuaa#(SC9kS}B2C0_>7cYu4o)q36pB>ipHV%C4~PWxpaAm(%=5<j_Td&b3suK9|@
zuM~bay!<XiQoHdQ4`g0{;Bv3(fmeA%-wyPZaewpwt$y?<`ZDLI_oD$e(8j^1zh{K)
zu+w3wSm}9C1o^GpAN^C|RR1`aUdcx@lb%gCupFE!kjq~<sO^dp{oq2<?x$!>PpCUo
z$=7z|twrwsRN8wd{Al<KOgl|pzc2^gGJ^K7c_c%&@88pp0g}d%qv$z|p3kAvc_f~4
z@A-zsgL>bG{?5!-RDZHGw9VDuMv#|#(YGW2HHnX}RytO8KQ{Y)M@%QWRK9KTvG$Cw
ztMOtr@L#x``X=p~_t4C^u$cD_W~%%!-e(2t$sI0NQ9W`=P^@B|Zw0{yQ7U`>gut2<
zRXylEa`T}5H_@BO=VhU1&hY=t=j1bPJR;wZ{GMfl_9SUXs{H7^cn?8Jj~CFm7)n0r
zjLSnL`)1^q4{Cd*wefvS>a|&C&kY^$`9rdddV!(Ibu*;+ufhL26@&KIWiTdx)5?$F
zd4ISwpgVl_ZV_T`C_5lEc<IFdhFa3cXN$W%9+7eEVYv_Wp+HgmKGUe&XUYrK^g&!}
zly>12C#4m`IEh-RXJePrK2{M=A-u-D#JnXMTIPG)>!>&jujT03ik`Ki$2<{G?zcY-
z|5530*^fzk57EDtEC@3<*6Ej)A^JM;H-r1mllQ@-pV|wb56?2!*g4-9e<51(?GWxw
zxIZoKoco!4r(P$YpUox5(ylivk(b*&_<|rNzuXM<@{dI)Pbq(L|Nb7rd0q&j?zzwX
zF$$NE<B3!2e_`VL+^Qpx^md?cQp2EruSj(ANWI+!pAS#Bt-?uer)I}rAD-YWdJZAq
zg#09tH;>fEe)z5M9~LeVU*clwvrP9Gyj`;oV;?Gd<@W*(;$PD4Ji^QG2V|}pOnYxu
zeotT-e8>?NS^nhr1<K%^{rt4`DVyDNs;+3r`!H@sD~$mA(ASN=R-wGo#mtyXl3e;E
z9)VlwU%5Zu)xRd+7t2k*z88o{@;W&xy8td#@$xH2-$C@fB=Inh<WB?qw#GsGuMP=H
z_-*iYO^mnhd01lHOtic55c?GqWL!_5Z_cN=sB-T`-}XDX=Uw!fN5Ve}zq5JJzFs(v
zjhh+NRr+sZz7C%+^6bZ&^TL#KW_jbvb)Q9%b5awZ3$i$r`c;m;J^YTqK?%pJ9LgA~
zhS~p=a+KePSQZ<!H;Vs6f6nO~_g$G$Ga5`>@g#@267D|y?Zn@Q()=at5oXJK>PAN~
zdlu%S%D1u0>7Vd_z4$lzBl(sMKYE>;mwd~E&xL>T-OEiGVIA-+HocG8fWCJ0ZM%zm
z{$*U^cBqrA&*!r%@B7wCrj)$8ZTU=BwZ9nY&7-!AY#;GZ;9>tGGE7Rk<aaf4H=2Hi
z8CjjF4_Otgzu<2$<JC#xQO0{G{&w$qrn)~{!l^;ujQidBC*zI$en%Dj8+?{}lH8xo
zr;2=?!61IDqF(<G$KMpwvnHJm`Mr<P4-DG7MUQ!;eB}2(cEXP|<&!qv%wbitE2Uk}
z4Psy??YhtzhSWiX#5d=5;>+(^$UWH-U+;DzOQkO}4`VrmmU!DRZyfaFRepzL(uW7_
zpN!FZPLjW~Lx<1T7g^E=r0h4cs_4xK9Xa2(HgxR#dOj2&%uf7~^P>>AgR{i<D3O^B
zQ)?KJxW#x83Ey9gz)B<FdxsCKY?TjDT5JSXfGUvXe3*m4GKXm8LlHzHsC3rwK~&sf
zByvb<!v`229vQTkn0c3(|IO$9D=`X=w@O4+zqAAS{7($V&r#FH2j2gcPKj)e5393-
zOVv0_MWKY^!=chAzt2*JKDj4X%I_rkJ~y=6?_cY^FRZHGcvR$Zz<c1aL2Y-g=8;U5
zrOohk@F&0b68`j{{TZo$+>c_y^Xk`mgH1-5VONmRAg}u|2hL@7nKre<STwnHb6NYa
zdQ?926R$~+58Btfd;4ZP!RPmnBxZ$a^-s0$JdzfzV*T{wpuN>S|DG+2qRldQH|rwb
zOMEF*U!2z%)ILoc{_CDH<0Y|oIs)}VA*Sw0Cw%7ZVBO#E#h>-`pgktuzG-dA<2G%^
zcPOQTn2sZc*FpRrz`t4tsBsVf5BUi;d45<fT`ikmsSTPQHiwQ+Xl73FcFqLlzhG&r
z$!t8{*@PRbX8!esLHm9_%lNjL<x^{huSBmqbOfcn>_F}qa-Vj|G49Foq)3)U{3ZkE
z0pcv>un+mFFY>!J8GNCBoAyHUF!MTjYgM*!Qd*4okMJkI8+7bTgW67<eQwtMe_;ci
zmBYt1$hK>NGCMW7NFR>BDE^LonfheHJxM)hRFyZ*W~9$vSa@Ny=3${+5M&qMqx$J6
zNICWp{xe@0v|k@?UnDVqDwV$G*P)j(qP%bx4IRuV4js-|4C$ZkJ*k=(^sP@4pM$vQ
zQ0ub1m9+2Y*f$6eiIevyatYUmyhDfv{a-LHoYf|8t;q_s2GyN}v+Vgnd%<wyMPff}
zE+y=L%sZetL4US)Kx|n^IAi%QzkAUBp~=Uz{&p_yiK$dd^-(vBxcgu=B@nUrTGn~t
zPU=~VaGrT#(C+4Q()<p)QQzb7VPKZrtfM;%5i93!7yfd42JLkwe#!F%saPG!`<!!w
z{-vZ=Mh2P~0|6JL4u(p2v6!_hJtjX5;OLd#uUhtf)<f@6Z-q;5S<oNINK-8JvI4!^
zemH243-Be;9uw;<$xn{Z<Tar905&K19`n=p18Eicg`twdP#Ko*k{aeHw837&o$=#A
zd$sfoUiC6jU!t;IyovUeKE0sX@5I6DoYVhoMreCRA$6@V^bCKyGvsmt|7}vcyyWHl
z-_v3KFuebUVO24pc&d^xwrAW$oC=7OyvvR0+}BXEoyhH^tv|z`kiM=lV5RCc_53lg
zn*9}ix9h0NLH%D87!P0e%R%pZ*H-G9O2sM+a)M(j8QsMq=d)5I^`Hhl<M_R=QN#6*
z$>mYz+|QKK859PwcJSyo3xc;Onu~Ul`wkfo4iWBd!cBQ!miY&E8FcB=yof(<Zax-I
zfHN@D)U5G!^auPd*`uaiq|KL#;^$b{$N3+ZG9xJ|5$C=w)wiZkAfyMEaM}oG1HW^2
zfy^Hg_0?;h#6G;LuIb9yvH1$&r{CwOhh7;^j}lJq?*{E-QVxlAB{kN!LuUZvs_Cet
zpBi7!c*yUpRk-EleV5mf*VCE;=Qc3CWhmoeIsV4+yK5H?SKf*7NV+YiupZ^gJmP;c
z9!ffU34agaf1A&ePR8*fMs6-_C;(=w0en_a-#sPuJn%u*dw(3Xe=hM&++(PwUv)D3
za;`~ds5&hpc{;{x)f?0zQ_Vk0(R27uW*tU3Cil-WyD@E~*tsd4y603kHII<r-79--
z(EhJ0h)1Fxc%A#O;hrHESbJm~72yk>6@m5A3qHDnD%nHH9brBZlsr=2WA9+Sc;=9u
zA@wj(Kju>2pNiKHIuJ|_B`Fm6LS+vV#ovarhU^c$i$D6=aoU_p+tF;oU-#KV`W(d-
z9*2P@gwo*M$-|(Er~K~VxO0Z=&r8G;{<!Bs?s+mE7X|0?Sr4G>%SbsN#ospkJ?5^@
zl0NpbOw<-8`6~{}t#`Vf>um}Zex!l<9>44Nh&z1r3?FZ4=khy<`QwJ{=L38>dHJ$-
z$Y5mjC|>ga8SRkL<LRm-;q(&D_VGjZh_hYcB>Iy?e=GB{6{g=xUtTMV==2^%vLXxB
zd22||v?2Qn$xri0`zwcEcGZx+uY=#!NNxx9NsAfrBK58f`K`!PJjvxrey&Z*{`l46
zBBkEP*^9q!{9PwRq8@Obf|(%mcPglQf1(e$gUDTK<Tm@Non@*@M}Up`Be;(gck@X4
z#={?mKg%IO;Uh-=%oM&9{uuI;QurG9(bI=q?=Og+P4JoUDqj3<oV=$a`OyJC3BFnM
zP)|JPq4A&oLV%8>6w!V7Yr@}s#-G`rq1?^AJd`{4@+{Lc*!YUA0K)^<#-@0ec#LnP
zKR_Sb<tiS={(xyM<L4}jhCEk&7?U?WlxlzF_<IR|FU0*JVBX(m%6HqCq*<x6kdk`S
zj=!o1zhf!mZK6DxFZ!$eIygPZ;5?qcy~rQ9cF1n!v%HtY)ZDBFwfiC5b7u_M>x?@q
zN0<8`?%QyudMN*xYP#IVH&On$b4;$>=_KOr65l-BGq2-!6W#ru#JABGkFOq3CB6;F
zZ@Yotc{KXCu_~@l+}m-t@`jJ^F5IhdA1=Q8aNmvlT%(`Y_u~4cz8%H=Fz%DZy<GoJ
zq40q_IiG{SR`?Gj`0?;zeou6|@V6!S2z&{AuJE@cc=?^wDtI~mmT^=-(p3Y$0sdn`
z=yf%l(0c5Xd~C!02=2?%^KnulAN6^p#J3Ciarq`6d8I}I5`G{2Hu(GbZ25Rm6OeY%
z2S2)C$S#q3b@F~!HX{6gl@8HshJ|+tCqly<&F`wJax~#b;7j3K;a}&oyZ*{s-Fhfu
znV-0vhsrPUYs24+BKikO|GUMnOihbu$tm5nc`;4&^-BC^582bCUry}nq?~6kX_o_?
zcsIcGh+9Qu(Hf_SpQJath5CWM)O^i@Z{l}l|8IrUj=rin?r@}jbiyBmSLai%e!+(s
zlNs+#M<VjQ$iFm~{ye=t{hXpT9(0CDeg$Hz$4iIo_3yEM1gVrB^+TNyO8DjIJGhYc
zWb)sPf2!Z~pJie|$0<>k{B1-2NSWzp)+gH24*2jQcl(q0cEOjxXTO*F!hXp8QlHZo
zxN5?n(oY9DX~~fNw8S?t-VopTz8R}q+3a)ed=$t}?77YanHY$^a`bI2XP$FXeUbO1
zPx7-9eec{nWQRQRQ|?bN<B*!6MUd}B{@~Ifd#MROIseH9S?q-4+agKthm5@o&&!7F
zuK>=I#fNP8?eN!$K7TkvN=W8edGOu0@;kRCoJZt$HofnSl$TRprWDdAQ*;Q-r#-5Z
zevd}-vy*TpEg!PKAQO~C|B#r^CGL+ZmUY3O(3jpp=!A;Ce)N6i27ag0UEdS>66>?2
ztZO&=z0{#co~Zn-r~j%RvR^j!(fd7n)wSMBp{HJ1pb{$aYDZ5uzbAd&Xuf!*GZ8P@
zxAFH&y-rW4GPv(V#Ub?VzGKK%2k&0`68RQoHRL}k?K)i_tG?g(*gg@1`2y_ZXR-ge
z0C|kVp2;XrA^jO5%JB)iEqnOu&bV1rf5Hzt&#<$N0-~tidv4o6e|`6m{eaY?#JMN-
z66QU;gdOcNQ6^V`4|~F)er`y;p|M}|=keEv{<<6a9b8jBY5U@HWYk;db2o4Ct;<(_
zNBkY)SK#hX=Y*Qrzmmqstc+a_+5U<zmV6Jyom4*~?YKb>wC|-q6Ft5=<1au(S%gS$
zFwU_^!iUs{9mr?iH)MZ*1Yf+$FHs+O4>E%}g-7X`bz220j-u}`HyyVpoH>j>%06xv
zaoFeomQSqSIq>uOb4IC)2Ke;kNUz4K;#+z*^=;vCd(rvtLH}-_|Elx7B8*?2e*Si#
z@9<{kQ`7k3mHy=Ta_t0Np+`Sb5cJ<NF7ysB$h7hk6<fKMcpFzD9`iNBQSkgM@K#<4
z-sWEfw+5~xh4cUS7+4mhNNLHXNc!){@M7N-*7q3`R3U0PCZ(u76ujtzmB0#6OMCW<
zTD7k0xQF>2zwfT@*PwdI`B2#R2Yv2i%2VpoUgYxmJ$E%O#N|GrkA(`wE<kE#!XD%(
z@?n1O-7@`4T05XV`S-KZNEzn**V8e$xDxeyaCw_pe|&4mK0#cZNBYBZ_&whq(!ay&
zRc@+1m&p5S^W`lRk6Nqd1v}7l7(LQlPCch`;8YHr%7Ifka4H8*<-n;NIF$pZa^O@B
zoXUYyIdCcmPUXP={TyhTo3E6X8FWIBEjoD|9IL-t2Qu^3r_;^%*b{~7(|P9m=)dw(
z8qWpJcZ0H3Bu}PsAFscvEeiSg_Y?Z{>g~RK`D)2lm^>Rs=PPv1th;^s`xwPq)^QU-
zju_N4&fwVw9gr<x^&HdjbM_kYO+d2$Ezc+o*0~0^1@qM>htD<NWot#AD)ql*oo3Jp
z|Aej6b8Jk$a<R>KCqIvw@6E>Dc>jL}VN(vN0ggN~Us2~6yv*P=28#_YHMq*)T?V%p
zeAM962A?<hqQRdV{FA|d7##UN6TZRA3|?cf*x*uws|?;{aErl54L)t~d4n$+{JFtD
z8T^OAk!P9k4PIvO8iU0Kml|AU@GgT}3_fb`X@k!je9_>~4gSgCKMan{GT|G%%-}T!
ziw!O{xXR#N236rD{rC76bo-p}LD{k6e8u4G!ousrlV&ft`SS2JQ>IOs7QQNX+BLZ|
za<8&nE?31}rspPU_5SFmx0vC}PjkdV$tw5c{Z`DA4_Hn=kgUv4uh8u&KQi7=xaCJ#
zUhT_Iuj8~!xBO|A)4tvO7|ZDg+<Y+JAG-Om)-lshy7|+sR*!P>TOrHoN8R#gSgodi
zb@Q3lzWGJTl=|$q&a}F#z4-T8PQRS&$#0z%?~mPlmNm|!fACvpTVDN!-#W)S_J;0P
z-FoOnO@Hg=$5{v8^pa;3`I{H-j2;Os(vJqLH|+$YKS{sr#fRX1RwDn;F&<?c@{+&I
z$XmI({Wxc((uzdSZo{jyQn)JqGORPK+)|zY&iKYrjFLY#P3uu-sBq61zI(dn)tM(;
zkKrFR^+cUr!u{FsP1kFAbp{ESK}JY?@^93<I#Yx{-|($Pns<zHuXgxy&8xFG<mC)m
z=^2;LH_K9IXy84D&s?hI)!7)l*g}eY)iTYivo81_7=Gt%npbC9@ba6hBLAcF^Z903
z>TC*>cQA!Nc4fZMmO4`cFM^l+EHn9ergG){72d17W(~v7S9;Rxv;203gnM94zR|3q
z!tj}M-F&0rQ|Cz^R{GDgCYgFmGS$<e`1JNAzr`ToHl^tQzLHOGr+<R?O7B}r{tWA|
z=^rvpxFh`D@|cNw>Ny8q;uEgOR~npo)YXR1HGIVAzik*jweV72;V%^`NoTa!Xn4!;
zPCP$4jGj+8dVZtzIP#xy_?I<Lq}8*_;rF}wuRHvY-29Im{s(UURfqqc;R9O#e>?nt
z8J_R*3^@FE-27?ylYH3uZOvCHY0J9U@RpGe8$RO5f5Yf8=_+vey>5Pi!|!qPl@9;B
zn{Rgb=M2wxd0HL*S;PA^|FFaFa`QV3AO4A(|DwbH+VCd+Uv>Cj7@qI)eAnT7-Fo)J
zd)4!w!At$j-;uBUzh)ZP>%++Z!^n3(ujQXqzAWpE5#IXG9)_O)FX3kH*Ls}sLhg!^
z@~!%(j{hX1fA%nXmJY+;J`7)L^uKdL>vz^&Ylo4)$H*VPG^%3KG($&dtKnOHnxA17
zM2{K1`&`Y3O#sggqkk{F<ipMj3Y6k(liptqBmd`N_`eUs55lYb98;t<hc%35!Ke7w
zbv!M@U*zx~bMq00|Dl^-;P78`^HmQ2K{ww3?^O@i4a095hX3zj(%UwS{6oX=+u<c2
zE}x?F$22c%m*FonykBRV^&P|K7(QV51H<V5`7nInF#OSB__yFyJ^8w>C+aRI!XC-O
zS>nHQs*ZoYiO*T^Uip09FnkzZ^dGj}`lmbkbKUy$htV^~$ahb3%P%v0zTsO<JXa5+
zXAQhcuUw|hqwXXEHz_^mSyg5};Pemo8-C|mtCT#MqMi>sywA;l)ZtImYC%(w4>|mC
zH~(>m|A(9Zl*2poYNO{dhd;xFYxpM|KIrB@>+pUz|CGaza`Rs>e7*_SsfS;K_bT^p
zc*)NL7wY`v6@T@J4ZraD7inJIDTK>G!ymp<^Xg6&_`evwsX+7UP6+sa!h4158?E(Q
z%e6eO%B$!7hHo;wvhBx3=GPLR%-glRvaN?-2ru=#Y`U&j&UjI0_-%%F=CSu1zRB>;
z3g^@CUh#YqUcx=RT8I0Rj;6KO@Vo0YuWaOT`=jBz>ou=z-{A-0C7y>(xXwP;*=%45
zpC8fjf1lAm#qeRnpJn*jhPP7WtKhxjUvK1_QuO?Kq__M7$V+;|%_g5sdwJ6ERV|uV
zw&29+zYJftUh~RU8~zW5KX#Aim2EZral_|t(Y&&Sh7Yr`sLJ<an(u~_r^N6F46kgH
z;TsKK_OO;$w#D$DH2mR@YhKv~!#@u%`F!A7cRufj_sX|l8a+*))q0MiL!P${U-dc7
zk1+Xj787`hf76qiSGK6g=NP`VQ}fDJ6kaZO5c#sFHLq+y;p+{5><gM#Hk<HU44)~N
z^z$eiOK_Lrt*>Za*;2y4X!xpUHLq+X;g1-;b+_if4JS_q^AU+p{(op**($=n-|*qD
zYJRtpwyf(7f57m{rVzJ9hTr*HEida#dG0d&?!%f_wtVo989w(9ntwz|6Mw^Z8~*c#
z?>Br?pO#m)cDRjWV_emrKe_c38-AzZm2DjItKq%MeT|WCvh+OAu|2!j(UYP1n@xNk
zHN551{2hkh?dUQ5b%y`G;ddMUQp3LrFZJ`-EL}gH{^1?N?>4-1N86cftcd(J!#n%_
zR~Wv@@J@eNX!tV2JLd)!hR-$pI1`_BhCf!I<8zVWA2$4f|5Mu6fJa(Y_rJS*$cI7@
zL=e&NjUee{v%Bo7lsBJj*xhVMvMh_1H<Ot+$+(l5VP>*lB7_eC(LzK;!LNvjTB{AM
zLPguAB8nAju-ZSg+D7YxRa%LN)oTCv|DAJwXY$S@Y5P3?d3NWW_jk`d_uO;OJ@?#m
z-<c41c|JjWmbmkoBR);s{q0l4OT=CNVYDOt>Tlrl9O+ZUT|Y-3YxGUTy<cY%UkvN@
zc@gn>;_h!Rcbs}~e_JFzLwX;tTZs=7KaKkNDDh_EXAysx_`<~|kMsFE;<Lm(fAw#~
zr-{3s55vY>^fOG{`M-*Ia|8bii7))VwR<Mz=_fuz{B+_u;w9p)pBsobQ9mb;{sYAO
zN$>jq9Pt!!KNtF@^C9lz_%!jwi%d?}gZ%MD>F+#o=YJ9wbirqdyZy8hpC<11b}8{;
z;;#P;@n+(#hiibZ<R9J!T>Q-9ot>%yeKr`MK1M#X%ny6JtL4YOr1ZxHGyi1$r8<MZ
zQG9vcOv+c1=kGxu1TS5dPyVs;S)Mo6-`)m&V_y0Y9q8rx?Gu5okyE*beDZ67zZ80y
zzPeom2+r4cd>?>#>Jx@<CVmO=67yzjiSHsle~Rf-zw3pvYlzSNXQ-4Tq`!@LaFo$c
z68|{y)RfU<`snK+;K#vELhd&`9{w8X=Ra)pFQP!-CqDhW;rAJv;3vdqzHa?;zxrF^
z;RlTVRir->4n*{`NICn7pH6(CWc2HZuO~h?VEAt07ZVTe>QH11>$kivQ`|l$-!snt
zB_^l);R^BoXF?@+zi|`ssVfa9``}LE)At%5{Y`t+yq9?M$Bo|o(k$`edkjAtwDS6r
z;`TZD{sie~sW+$pN8+g)LnZHHrC&M!%MIVS#tIIHBf=0Yd%a3=<jMay)H3%!=M$el
z!}RI$uO~iruHjSU*zNRZnH~_v>uWpl=D|?!-Ttp2K6A0rf9o)#&na%7lkeA(e(||b
zVfO~N6K^`h`22{KW{5AGWpZ9d{8Ov&|4Y*MpJ4OldeZ+h@zQ0+AL`ZDGtQs5x)+rE
z*747UO1EC$gWzZ=R_wg_jfT6PPsNAhf|G0KO0Kt7()V9z^6PIPg4adFr)Er^m#?t~
zw!<)*gXQN|{iL72(dgZ7FDD*M8$M1suOdG8B5U_v;stM)d|VHEiO-&6dTS&7oy1d|
zNA3siB_6!T==}kUFFF6e2$e%=tugv0@sN6>nFRk#eCAk_)Ax@*bNq0_^}DKIC4U@X
zCHp@fg2}jqQ`YWpsm~3>=Nk0(dg3$hGWqqpG2p+A`20cR<85V$_y4Kk9|o<wD#TNR
zCa3-uAn@ymH{WLCg0z6XZY4hV9m8>}ue*uQ9&Na{d%xo+o1FTcX4H6ucu)zozP$&*
zw}}tG*$_FOlh<z*x6jG<W3bezJ<~ofVBsr>H+{t986y4~;=|uH{0`z9h)-ohMV?)2
z1v?cdQQ|W0eEuj@)W_>B#HZhD_+{ktF5<zt*6!a>p`ReWKz$x$8$Uw;?>Z!;mszDx
zBKG+!<g@thP=Oxm?VG@l!+iW#o+JCb{ugg|tI6|cWcdQ|rbBGJ+@BnUg-P@r{Dsly
zNPjHxkn8>w@n*$&len~zez9nLzRj}VCq7Mk^Zm;f;>`uKPd^vFlK9k-Cg&9S>?6K#
zX{gBmC4LQXi7V!>>QcnxirYy)LpyQ5^fBTA*E^3BK2JWw=b7hsK3^vN;<&Y2qW+&H
z{dd?d%^?t1EBajchS3kJRKSSOQvYS*XAz(IoYA{H8;LJ+UVDBcboxIuJ%5ONh8(9q
zJeT+g@e=*;e&TuJQy;K)ecivF_;k^5{aa$Fb1(7c8x21an7qE|d|qMl3>qAK2e^#O
ze=XQJx;}sGe69_Z@~hP6Aqdn(Z~csye2%<=_|!4RXOjFcBtG45?H*2i3-RGihRZp(
zymmSt#vyka9E=j5qy8bDz9xw;bQ_=762FCb)0aa<4kQ1&fHz@2Ha@@cA?N?MM!!{S
zAzwtid7at+>xln3@!_``{TGP;gY$W@$#Wa=r-_G0n||)2JTDM$;`-v_au_yfqUY50
z#^+7s^D^T7J%)Q6bq?``ttQVuP|+#ki+Pj(dh+QY9-M7_e!0d9wmUuNqw6zLoRt%o
z3hC##uhG9<jq>Y>Pu(3V_0_ENcH*Tm!^en!hIo)S-23}o$A514Bc%Ti#d(vsyyTUp
zx4G9@zy6YXK27liAwO;;{o)OwBF7LPBtA=j_<O|vfcVsd_4Ip)58rI<nwLW!k9etI
z_(kM%v-6>!IfM9}#HTMXJMsPU=birttX=m%k2y}e^>y~!&Zo=9U4PpdZTu7Qfb-}c
zw)-RJL%Y3#__M_OZ#DTn4tariDmMJnw6`O%K@hv0Ki}kkaE&p#436TZD?C4T2I;4p
zjs9?s*M-DqzaA=s3i<RZPT>-lKOp^7i}m+)EXxs}zadn_{o6j`!wutjJ@JKCnLO8%
z&&P;|zc4;sl;?BAXAd>{U8Mgi@wtY1^c3;ogT@Exaee(O@&4H4*WWHi$$vWkFSaY4
z``g1{0HWvM3!&n^F1%cEh3ekUCw+?aQ<VSGbA-?G*Jjesy%1{QNgS6R;!{tUJT0uc
zbCq`YkUqG<=-t0vM|_z0Zt{6A@tME2b}uD<FY(2_#%GcE7ZvAC;_?LP`xy_smu3Iq
z_$|g~2k|u;?;$@!f9rnfWyG5zqyJkP(CNe%Z#Vor@@XMH{EUsG{^lFXLgEYD7kiwu
zRdH5MT!u-X`c$asIcu!2LVWQWYxnP1=T_oVcNktJK0`d9Uy6u-T5;YaE?*`6;!i?F
zG0pY$6!HFs`SK&;A^n5LxBtEh|Df6Iw*Lgv&lgzX7~;+JlfI8Q#qqOke(7)cK%x}!
z#oZz9@Ew1B$2m*0@oyS5J>0<Y8YDh*y7AH97DAmo@#%X)+y%jF^gRf!Z8km&^tV30
z-tIWhBk1;m`-z8?=a0zePlz{jT!xAN74fMXLq#55V+BtUFAW-AHaPef$G>5Ck@$ZS
zU*vNyuKy!WGx--kZ}jU)e=_mXXAOUh?Vd$^n0bsQ(x3124dcE+aS|miy`-P&u<?EI
zS}VMg_}p};Ko9Fo5D&g-_|wF%C*E|bjo0<W?^B#NiOZimeWhJdAD2gn&;Op`p0|98
z_yYCg>;5yu!!u3(``O0x#8bZs6*+T_6&!Us^~}7-ne6WwinDU!vWfI_2ip~Wlzc8B
z9^4ixej@QJh);dc=zV-go&FPs<5pi4;&Zg;6N%qKymYMT)BWm49X}W<rTe8nC7xnF
z;q~P6DDmM7Iu!B0>GFj0xx)B-i}XJxK0|-&@;s+Fi4vD1&M<w>FdoM8r>|p(PhT0@
zy}`k$#24vTeZTWs;&Y@&+DBh+aQ+)iZx63E{8Hj6+WE<(-|h4dgo?O5j1v#<F#LAX
z?{l2{>yHt?QE}cRE_VT!{nr%@`>&6a&pi2mhIKwme3AJR{o8gZ`y%oFiBKuG(tf^2
zyqR|H{rV~K6ywix$^TcxryA%FJJZG`^<m@xKGMI8`1B6b=Y7P_B|h6QUK@!Ivt5rp
zLg1o@p$0t+C_R}bE>}CB)(%ClW!YO-p`Ts_zYn;yn_b(b91bO)&nrFh1A+DHO~fB3
zp2~)bY$5&v0#1p?Lgr(eiT{A~VI@=~PkVdb`5bQi=ShFaSt8F#!D2(c=tSVczxgZ1
z=jEh7pLmIRp?w_pHxQpb)b#U1;@gQYyu#Y`b@R=RKW6+R@_!5QMdl^+Z=|E_7UJQo
z(f@$-cM+ev-}qld{G-I1xli=<XjX9&B`#kj{S^I@_xB&2|J#iJ#jNx6DtvxJ`h|N!
zr9}9ruNR$d`kZCF@rT5ZCm!5o{5#iJ!MVhnra}eWZeK@y@h^?u{mfS2l4ofA{>T-i
zPjO#)A=@1xKDE>MyPSIzCsE>Z9qH#Uv37sTvO9<`q-@*|5dQ%2aE;O5MEsM)OHruE
zyNN$SyqWfV3i0m}A7(z}W7N+NoX?}i$L;M`#G4N5R1S}j&ynZQpFC&ue@6Ti;=wyj
zPR~D_Nqpui!(-B~CqBpZrH%N-#QS#}{YwwCf?mZ*l(<|)`lh>$p5(y<@zgPfzl(MD
z6Q7$475NVFTZzwde{}32R&XEj@GVB~{`oQDP0twa>*L=OFEy;cKPEoSIPJx3_t%Q^
zCUH3$j$Qo5R6~CC)x?|2*6z1ir=9rlu;E{){8tg5<G5@meV+K@Lq>n}8Y|cjyqPq~
z%Ppi|c&q7iD+}*dJV|MvKTG=A$xwla@;pjB#d+;<`;)}yFE#qL#wPd|#d(vs{EGC8
zXWD#u(96K^xV0w*3-rSdzXZ7GGj*-W{{Rb4CtiBL;p>Q>PrSLou3oRWb6vXjIscP7
z74&&}HSw83sJPGf8;H*{{&&A|7xCdaljr?x;uFs2^Tx;h@E3v0I_TfyJCyW)L;5+&
z<Ly38yy<e|b1dn9Nxa0kw3Yap^Gt66<If4=CljB4sp-G6#tP0QK6SX^?pHTEK4JJh
z<g-n2-Xty~q+g)F?PFP<c=LItXZ@{Jl-=U|xxQ>B{awUoZ#I4UJpBmqMebknr2jPW
z1;!@`5A^jA@%f8Q{%46lqBw67m+z9kiRTD6vg}91n{N&k`9EIgeA9DygW)dc@s6Ku
z?ZWK!^=jfXR~o(VgVqrrKF;)`zXgpN-NdKfZuHkF7v$}UFBXme`D?9UoOtusOm9bW
ze5=HR*BJdN#HXCk|26&|7u`X;Y1r^ywtElp*^=QY;-4m7>b7=|CjLd@;q8WdT>UM@
zNtC$!i1aDW-```|^TZdpuIX>2qwHubSmGZRheD-%2kB2BKF{^{T<Yg^;w6sD+eqI+
zy!kxS&tt@2M?83u$$uRA>~MU*@I%&Eg*OtPnGO{=iF}Gq&*zJLJ-yE9A2&Ywx5!cF
zZsLol8~$?g`6ThFXF^5X-oBtXi4vD@I)Co#{rRPz6QBN)@%b_99C?B1bDsI7J;YA{
zuKtSOKY9c4Gf3a`YLoLbhgiYui4Sw1-cR}g;<IO&o^h+MHxdt@4)y*%@~IMExZUtw
zT8f`zN8q9B0_8l4_>H75HLSnyA|9M$?QSFe-NdK%82>8q&p4l9n~(Y%q$v9a@#YU0
zz5D;Ch%er0dhqkX9};gmVD#(PSObT&&~JR*@DYQ9<A~35e4ioy71V3OA?nNtqeSd-
zD(Oo{Sig3#^c><%uQYj%B)*RL^fjR(-ypu5_%QbiFb{o=5uZK8_<P)P8RN{E-caez
zH}W7)`qaA(cl*4C_)NpO<n6@!=?~8&pBds)4d<SJOuVVb`sMNG=ZMcy4-Zk#Uv`}H
z=rr<w%K6h@IsWg&o4L+fFYx^c;{CM4caYDE;h@A07xtJu8`fIED-<VD;&K7$gF}tp
z?QOI3VIJl?tkbs&pDgL;LK~M^(wB%Y{&lE``;D84_a8L8iS+L#-aK!3GY9M=#20Qb
z{0P!NKs@}o;g7PvUm-rlxHL!ldE%uHS%1^Szel`@-|P7T@t+cJ{*3Y8w#Ewni}*Cx
zabMq$zyc)tpXYf^iu5NCpV?;ZK0`TQO*}Z$@OP2^wZs=@tljq!znJ*cR-?a+a_%6$
zNPTt@&pAEqvzL4h5^p-y#_KuK-|F-?go?Od`V{eyapvWue_V0iBrZQ7{qS!?McuBR
z2QGf2@%%kNps4F6^XkWw*NMdYIe+gYem3#xKQ#VtA$}q8Ii3TC>~AOW1<K=j;GM+#
zdyG#%{rr{07a6Z!Nd9G~r{8ux93<Yf-t?(|GZ}S$4aX(@n*N&c@1{JrIsZY!_mKa4
zh|laYd?)dH9d9xJe>wSlMR5`(F5f48@Yn5%Uc?RUv&8$E_wfAcuZR!lL#6+B@;YH1
z$EC^m+)ul0A>Mqo(f^Y4A@RAd8~vY>{!NZ^Jwo`ZuW{$|(@^h!VsLPfcoXp#6MrZ1
z8Tw(*FMWh~(6G<?6XNrKW%9T^f5CCa^XR_59w9#U&QR~yt}*=YiO;^#aF3UMLVV#(
zhEvVK?;PJ}?S7kjIF@n3bVEFFn&Q@0@_i%eQ{OQD8(0{wLch!Dxli{vWQ2IrTC-30
zGX>%$uFLPHoNpsO#dX2shdZ2}`zg1dyNS;oZ}xc;<@^$GiPM4~7=9@6Z<2m~z~u3K
z<M&BF$GFbvf9m{iFn#us&o78Ky(?7YRh0h);{ES4dOxQ)e!baq_%@^eXYx7E@wXfO
zcZqKx-o!WrJ<(Se@mY>LmIHnL0rB~g@qrln8Yez=pW&M+=Z((iEW>@g-U(dtz`t(D
z1AmnC3#~@~<Qn7uC(eiQ1HwFgeGiE{U5|bq>ivMh!9%1Ezhd|~<nyTWVO(?{=^rQF
z^hu*Xp7j4je3<j@WctrV;xmVtoVSxt00S0zLZ0J)iulRIr+KdJe)W9fGt`f-`|F68
zm=A=T)mIns)B~a3XABN5b9#=KkIS(0zs%&st-kWa7p@BR{(6Ihn}|2R!|*pz5AS#S
zDdTe~=|AiA%){VTUk?!vziRYP5&tsrnVq2`BgCH|K6jJRKTP~7;#1Q`@B6!-IDW6;
zclo>^zPP4CIlNTggW#x*HZCQOyU)9mhzIn0FC+c=j^ASZA0@t-_}mtgQ+`KAUfYQ`
z-5%=w>-9Yd-l#Zl5|@(m;ri?L{0`#56`@kQem+cm{wQmACwbjRe1Y-2%l{DZ;jbB=
zvq=9a@x{L~e4hAsiO({xW#0?J?*$PLe`)m3(f)to^vnnPI`v<~ORqM6=y{K05Mao>
zNWH`4_jz{`@x}KU|C`pBK<5%K(a(2N&JD!p+KkWlNPjW$=?9I^Ye;{o^S{>Ue?t15
z!~^bUeST$#FED;Sjr3O&pJiNh4EY~)KFpt=N&IHw;o~OH1H?b5IByb{2S`6WWb`+)
z>|x?FA2s=ZNc<bC@cBOJ`)SXEr2hr+xqmbMp1*q0CK;FIuTvC<ALD#Eoh0WFpJ#si
zFyfnlOFp?V?(HJ|%r2AvGt_54@!^KN$D4?!z7;Cxr^$bucoXBCgTxOIFFj=RhZDcq
zamG<TUhg43-(>cA8|m+N{<oN%9xpurT+dJWJT}cg_zUNAw9&tle7-|`Va()tGx1*%
z58rF}CB)ZmHvUh()-2rp(#wF$d|9MF|0(shfp}?0hjJLCKo^nE_Zs+Ybw13q{fzDI
zB0m2fli&AoIpR$`KTVT<Kk?azLq(pTJU0=asTiL-*II>po&POHe=X@BB;I_a(f<+g
zIpQUb3${`EdW!fWzn|rL`yp@{m*IwU?dM59{XygJ{_t>YU`3y^#P1;g<A_gPWb__i
zok~2U|2d8H=Q&RQ;C`l!cyLdslxLGZBtB37;Q7p5#G9$Nt4V(~@x|+m&q>7ZAU;j|
z|9#>gQJgo4%b$^cwjmDxD)9yS;a9WHw}=NkSACNBKN4SjiOrXri2sK8@QmrLnfTFI
z_|(roW_V_e6`TWH#_LNBaqmXbH+?WvLf2b6@hN^^a)SJK5f5Hz{9i(Rl=xgj9CbDE
z#h)4fLusFHasKpg9(Ua)_*!uNp!N3!@_!HMgBy*{al}7MJVm?pxa(2k&6Kl;^bc$h
z{Ve~z$|p!)Vm|69(mzRjj_c0D#Q&A}!U-nl7W#pgAW<y(pE}C?!-?$gDa2<EhRVU?
z`STn<-t;*}2YQL(Y%Fnkqtmm$ZvSQC{e#Be*Oa#spL*Q*pGaPJIQ`p=-uc{5Jp8=j
z2($HdEf!YiNk}gbl79GxQ16}pW5gFS)^6V#Ee>v_-OgNU^kA#6zf*eNBrg9(K8t1J
zb27_*MLfmlqOT)<1Og$^e-r)c=ZH5co?y(6=K`1SMK(VdE8=$e2J%^Ce07*t%@uOh
zmP{~`KZy73@kFtFprw>9S6fm+C6g``;xh09>4|&<v=W!2N;RF2qe^a~gv*}zK&8Gk
zy*F7HL{a}h_t4PpsAp$i=TPsCz9?#GYi(UuUkMFG)m$|nUmlk$xnd#8=E`xVngg%G
z<ito^UV%J47LBJ1*?hdbY$RXI?1><LK3$GR%5i#6y^!T%J|E=@*|<<$Ubza!ljYp<
zf|^WqMU#aDH`82w=SJgdW<1IkGm{f&PnykT($!*pmyBpMU)&dEAe{6aT7as{^%Aa3
z7Z<X1G8t96kQraGnWTDFsHakx@>U+c)TY*8BE2Ur7bjpFnR2yKog5v-$0)kAb0FH*
zJ2(_YK{hVOW4THdCR3e=GWlX5u7Dz2jK=cCk#s)FLJ5^9J-I)~6vddTakgdS=GKiX
z6Gfx2)F@pprw>HXWBEWZT24>IQFd}-;sB~7?x5pbwT?6$SHx7u;sT`H+P(Xd?!KsV
zN8jL3OY4Pg>w@Y;7I?gWJWfMud>o9c?E~9eTersLLY(i4E1ApF`N`OZcYV;Fhk>Q5
zaRW_q_G}0;>2fw#7%hTbr7HF)Kvaq2Y&4N}OpRVd3uGq6G7}F%uTV=|*$Q-jr86p(
z_T-{+B^_i+9ZNT*axohfGL>wU8BJ@kBI!&fu2iy+*s7%4tV$+^CDpj;U5%aHRm(8F
zi3ylpT+NC|Q5Fqj823W;`yq8913MN`_g6M+8HH+Jx)I_!nFLrS(t4{vk;sc8ky%Z^
zs&roO^pmOqeOiL0PfK^1TpB98B(83ctLXvQU$Nlc4AweYiOd8*uq9m?A4-qp<Idt_
zq3T4{+#b}QR6iG2tGU8h1^4~sT%p=t9vg_S?oY$&oVs&x*HGt{7VII7IecOfo--4O
z4sa2<r9SB{43<;@bdT6oe>ujmSL9}|+z;l)3SH@HI@r@qbL@&snBQ?Bb6^{0QzcN7
z$q9Q{X@755Ck$~6Ub_b}^yJfHCR}S!u8hLkYJJFHd?%~9yvQRXiAx`P1=huA+m(sW
zxlCNB#MzDm0_QH9jH7+I>UeRo8ubo#^wrUJL7;MOWD+yCfxJe$r8p781Mic1neu^B
zRpvvcn2m9X_s63mPO*|1Ps_A3Eh@HSFzVbnFwosM6m|6uME&hUTLNJH?e);Wj_o~z
zQTO(KtT0Lw=fx2v)+=X=Yh^s$%1bm^%0h2GkWzy6EsF^|2E~aD0b0k)a^iJ0;*oSE
z-nbrw_5rRbgXvxJ+iYyNn9iUPHv|KWs$zGQU;r*C=ouUd2IT)x3jbU2e;xj}1wFX$
z!F`W@UZ-`{uVvv#gAtg?q<G(nQZA}Yjzr`6l760;%rAW|7OJ>!$yLf}oIeQZzH+V_
zD?z?UUzgBTl#Rs=N9lYH-D+4f-I=ejtO&2DfI)>HUSYXUty{lh!Me?xHm_LFmTFxe
zz_FK>f{%D2SCys2TDQhjaxb9hwRIMu0g2g<8X@@pcfzi3T~Q_oyJ3}r&8yYeyeUwH
zi*2u@nRS~twkB;gN|$7=!#>8ABA_|~_;~T}OQrRLq#@c;tg$?PFajN_<hUDb3x9m|
zB#b!bB3nnr#^Z@n^#H>wGp<y<kP;|Hj57Wkb_p^}nG)unE-!UWDvb)3Bw0zBZK<~P
z0S6iSt}~9zcq{>7EoQARO&8Mn0|#ODiGazi#mg`x^_6TU$w(!mP_MRBn!zNj#hLZR
z4WVFtVKPXI#^I?O%-C8;2C-g$bt7^Lx1wd8@`9B#kt<{nNn>DFYEw9`Few$TH!Jv`
ziF!>g5haJXZv2*$>|Kh-TH99O*I<3pDi_A}t5W~>%^OFjNw&Xn1&%d8WOFcG%DGLN
zElyTPH(51VLSgyPZI-6QtpN*cpv}lwGMdBIYk38Q>&aK1D5<s;-4SNc$}X-gwLY~<
zjr9_)ujKPLtn3uqQX5ulW7BG^R`IWGsm&Lz+;}Vg+{ubkwWe09(Yji}y46^%TdhXh
zYCTVFT1Bdjt7x}%<0`sp-L&$G+Sa;xl@)beY8CCSTeph1>)KYal67sXwXtE9eyrQD
zTH{#%Rvf6*YAV5!xpIv*xPcW}wc#(^tWvOw65H0V(!sWktBiTuDzQOZ+vZh9a6QID
zX7EykqiZl?bPY_Sa(Z7hf?YLIA1euuXheF|Gtj=hJL>N1!hYK}-~PF73!Dw2uHAj@
z+j~1fl_)Xa6h-)RK~eV>a@*215JZ=3+tJa!E!xr3GuS;84YhY{>yCoXbUq{7rk-M1
zwkbi!WG<f_z^+5~_4(XLCdyPMb)Qbp=4-#U6UBQi|B<Wa5MUmRgI?V(b!KvX*pFBh
zDgpZz$XUXkLwuU-=eSqGPP8M3rLeEFb4%2*ZAa(UXt4LnZlS<#NcU^9587El1X6{-
zh0a{MBSsSv)kmd0nM$jK=&})!?bFcqu4tf=mYsGo>X7C^Rn+YOHaQZm4<0}&V*)D3
z2OZn4jJl<`KJ}!sBP$WdVR*^5-j2>_UCX+b4I*17HiG?=BYTDpl;UN(Ng)`T$PP*V
zt2ZlR?QY+`ZIH^7(xuI;l!~?>@f88|BO9ms)<DpimiDA#{oWBdl8Fdej%-=jOqS65
zEoy>DP?R(2N}QP}En_xWVopx?4`Mutjl@W<kVYn^x6+@6D5{v=!d_`y)Bx3vq9Gj>
zX`+xR9jNEu11bzojR+r94VS0OxwNFfw5@yvW2yBU<<mh!Nt{N<5I8S4vC2-JPo1M_
zNGY1bz{%*xSsj;LdMLMN$LOfEV8hU9@!FsmXr-FPzPDav*+pe@dm~&$i-Q_d%7AHx
z2zjyn8`lTDP*Yc~teePa9O)jc*3v{7xrXdy$&9TQB8<V@%EclBC{H#(k(eg+i9I?8
zItHJAqZJNgT@PfY>aGzDOEw1vosdVeX(*S0ZyXd6r+dG#M22f~yQY*xFUWNEBBK>d
z<O=9y-Hbs7SJcsv5i^}YEKEa`nk9$^a|LLym<^!#cuxdoOVbnPlN&uCqtTD-C!7VW
zz{c6~xy#15yCCzk7h!gJ(x$aaF^KeHdJOnz(Rz@RS&a0wq*r>gm0)5IGP=tLS9Z_{
zw?%+D`$ay$60((AM-xr-RICxzPYyx<-g?g9<_Zu8B_3%TcFmZ_6}caXE5*q&wsyfK
z@VCn~F6xmf6<|Rq7aOFOStN{tuI`@po!f?@?kl!*w|8|9MDY3DbhCZMLMJ>{_x`x2
zGHCf_?kFbU(~6cI(K#S~Nc5yr0F9=z^<6QCDJC9FZi=eKXwr>A!gSfB%htW#JZk<N
z1}8Zd>3dDwoqfHR?d*<vyMk_6B6=a8?Lh}M{|&vF^X-u|Bsv;wX&>AYZEwFK+Sc6{
zbjsci)|t&^)mSQ6p8Dc_E04KrsIz^j`;r|4yJaZh2y>Y|akayiTlXmvl*jueK_*&(
z0gF?ms~C}$FY4@V*9lZC9f)=g^=zsZ@s9j8R*X_UeV{{6PlD~(LXO4a4bYZJC5xG_
zI|A0Hn$cNVW;o%r@nX4lGP2~u(@UvdnJnsIG<9f6v7LQ82fMov91NkGWA$^|Guvvd
z(mSqCGz=Yi)q{^{1@++ylPj_~(=Azv1h&NmHQP=kxN98EjfxWzqpm4XS=*5Hv`Z9`
zu1=QYpgo)I!Ad_=L^v^ua3V%_E-lsIo^?f#VHd|Cxh|QV%hk3;4}&zNtBtT*%ljg0
z7$cB!A&Z_#JIQ%Lle(gJNj_QfW%`&^yH<+G)@aXnl+;aWzqVT{Lrpmt#kohNAs)c|
z5yn_n#m}K5I(NN837=wCzvQx(kD^g*!(oIv=50AlK&))A1q36p#aGa1Po+Z_YE2PK
zKov#%5tCInuCJfj;(I#v48Xj<C|&xv%uhmL1Mx&!4tE$GBw~xn){W{FHu<nK12VD^
ziT_x`Ch2Tk>8zGHpM1_OUmKassCX!;=>t@cIy-x#&YpIkMrJCoN41i8e@T~@-U{Ze
ziU9+c!lCkHK~8SO*x<En43@&r+LDY^u%vM%CsjY>mS#-4jinGO9~bKNDF%y}%9oS&
zOuXL)pPGSj8+XqttQ^B=m@GoVv&q6iZKaXYqJvVybFXQZ2QMn#6B7%Lp*~9}=~_*O
zbF(4R)E|eaTN`g!X5f@EIz4qtVGOp%SuE=kD9Q3<!F5G822t;hNP^RPZ8Xd>pQOo|
zM{|&t5K)e62-ArbsESjXY&;l`$q}kpad&<+s1!<aE;Cx+$_n#nM|C_d@5GsoPo-e8
zZJn4fJcjf=DS<ZGgV~bLRbn*^WNKj0qv%gV22Q*Hf=cnzkg6g&D`y&&2KJDswlNtj
z=g}e#)zKwsb}*v(;K;9ClfSxz3|7lSMbSVYlg5HHOxkn>oxq+boy*sE8m;V5@7yg5
zmii(<T(iV&WcFbW2il4HnsOwe0dW*(MmQe^5$a&au4Y!75j1?T#a>0G61tW26&>kH
zE~Cp&eZ7RYm5@PH3b%5_V7>^Ifd}S*?pCxGB&~lAfZ>8hy4bGZsEBH!dLWJus@Rj5
z26QL0w$Qq6Q-oMay*tOK7w2gEVMTqD6Ef~YxvU?a$t~0+8!g(PHVH_&ib2Ny!AQ{i
zU?QHV#4GFzEcZs4bxtm=_u@-cWoj)d$&$8e?rlW}Fs9>IKW_c$F|3w0hv2nsAz;W*
zTZ0j^m~kqdc%!j$aUYfkJw)h4q%9&Oy-IDk#R2je0Q5(EW_|mr9-TP4EQ)S2xt)bc
zoE-YZ-i?PwI2aP4>N?a}-LG1hESF)YW<R1C9erO`q1&bHH#qn1;F>CNlMF*`W5BU;
zKZ~ny*PShUK7a+MoDC47qMlB8U6GfqXqfMCT%f`D)`H*O3f$)o#Lbq%w^H6=r!LE-
z?b>Bigi>0NDuDaUrMd+VkHn&6^&81_Y92ynWrM3kWEr(@>%FAUvKumSpe48%*@Q4j
z|35|pln4_{1yU8mmuj$Y!b)GoearAbcBsyFXuTC|+;UmiNp>=WQ9|5fedl6t!-cIu
z9EhYi#vGD^T9w#SL6-BGNat2q6D5d~vBJ4zp<#1@skJN%F)-K@4GgwNUF}2d8uCNX
z4y=BYrCoBIxhtK+RGx@s=rxqaW=bO=Hx~tKMpUuz4(5ol8O@E=wjtZww_?lGxuZ+d
zNeI|$Yog9pTQPMruYKcaB!QJ8atZZxqRR){Xwc>N7fX|QtOIB%(2igThKdrIm=WuQ
z5yc~BP*Eg#gvnSfPUe^Uf2{V^TqZeDxO5;Y!Lukb>h&`i+UhHovH6qvXVIA1BaYA`
zm#wx_gcwUHxb5l6o`gCqD}jN}!kh4+CGHHd8&XHS9}gly^kqW}wz_aw0F6C4e3Zss
zHj_2N(4^TIe1az>>a$uwM>;F625xL3tp==IWE(Fwh8YY6caCGj2AAU-44n+vWa8-t
zhETO+WNj8;tr@Mz^iZ|P!etMX1ns&EFAbE238O0oBce)1EwbiVxXI*Pp?B}7rc;Mx
z9!Ug+|CL%GwYPOc1P9G6Lc<nOBbv^1DLs<QV>5#tmS&Cm@NiKD&#8#f)O@7QZ~!7@
z2du!n!DuyZG$L-kX+j!3)~3|bgHWDlL4V|Vlp00DRz#je(U2%3yJKvPVF?n}VJuXj
zC>oPTjm%3#%u&cZsTMUZ3Pxq)v226F8D3}X6-~F*))I>>WW&~Fn+=^Z4HHJ}Oe7Pd
ztrYzT*KA<OBv8-2zZ%FGiUZaU&?CnawhC93%$?zx1vRVM8oJ_Q4h}k)&=>TPhc`m5
z2vOb8zI<<XsE9ogRu-{_jGkGSkTu5qL@js+E+$;{B+5pHGFOOX)wQ<aw$qj6X;5qk
z@zkNDyH)vEMp{kv4Iym>v&^>n$;=@(ZMO2Luj6djuKJ3tYidyC=BnP$AlBw~uwFYF
zVR(|8D^AD8^_|FQ2NE>uVr_w+re|utLAL)ge#jr{46nlX*EcDiM$E2tquSkA!gu)W
z)}&iyH0YLe8s<uRqOVx(k@T$cmMS9{bLbt5B=xROikY6Vy_RRh7!-?nBv<!3-HhfZ
zk!Y0>g@@P+f3FQx#&e_9C@<3ofs@QlkJ_*eP>*M6O$K(b6t#hBd1(rJFLlSDxhFYa
z)Qx?;Iz+tP@Q`lNDjs_vnr1RY9W|C_l?kaFJduWH!Ax4JL)31P`;wK($)p`B+V(@L
zN?$ZsN#-{Jj9TKMc1|QMuk7}84+&0qxNT=42QQ5oVg9Ws9!^IKiT347ns&_h(&k#?
z#zQCOM%1u$g|*a3Fn~NKvjW?@yAajLxl%MZG$4Ii;W0bToZ4g;i_zz5R7d;p2$*dE
z%47Q6FWi$Hmgv?D453>$m|D^ki!@AMs^=>@2<9i2(%5yTXV3WJaqSqhYY!gT6FG-^
zw|YWE6(*qt;D*%$OQPfi=;&>Et0mc(yxbDwfiev@WztgzYM0CT4dAJ<bOkABd05s%
zM9dsSJQBA^dQdp=5!W5?>pJVipv71a4~q?H7BM;9d_u^2*@s7c1BswIujut>>u{hU
zktyU^VR#y6i>yaNs(S-wdT}d*FbJCx0fOx~@Ebj#a}mb_dNff#k)%Q<XG<GWZ22@E
zlM=J8ZMwBiv2oRMXC;mceHJTg2rYXn-GwZNMWn<Uu2v)Dk~I>UaDFI}8W6f8;nQC&
zWBIFKoOh+MNy!FCUEo~DQb0?4dp!JUr?s+(K%H>1IXhdEqb!k2mjoUP*)q7TIHsE#
z>;lH%9+90#({P5OD)F8olR$EX$hLD3+3T~}IIcyaaF6aW>PQpPjp)PI*>a>ti-@T#
zp2zmi(pj84B_5rP&?vLrb&tl%dHQmnAQHy=q~+c$ce+tDf=B4oKiHHS!`#J5Q|;>q
zwA4sURkSQa;?ot&1i~#DQdz*#BNBS)c3PTX1G4Ke&b~la&;p;EQft5jmn$U3Han59
z$V<XPcM7$$S#@ePH^Y3WJGoLCGhC0G<O%!6OmiZPz|tde#Nc>ZqA;~F8K?h+szn-K
zEul;uUJn8*?!b{nvizTft%w(NV=L+#z`3S)A=xZOJF#ZgOhx>EJ%YrT87E@(-b!T>
z&pt@-g+^=J5H(ZvNRyj@YmAT>95*)IzGA6eTDwgE-$B%bu;k)W9-}@6#-x-eZ=$%j
zA;3U=-C?5t7{P3=+&Ja2caU#Lpv0UgXBO%;_$qa5((z1A@&ep8;X4UB>@W>E+FoTT
zvvZ!rQxIZO@JD$(J%Y!&C-f<a6d&S1oLM@cZmtWbbFx6=;G=%4r`gp?U0%V$5B0?6
z6?8hth?sBJ6`>*1B?e=sIx<3)w67Y;ry9hdeEmVDTA!_`ZN&Qrc69CR#8HH9#gSyu
zEusn`ypi?iuFiLJcCzmWotTI8kUlkcFJ+=2QY~#g2(M_p>d#}w+U`yy>qd5&A+sfE
zHEM>N#n+?U<;jj&zBvFR)%~G2DH1Ma{hV4EjKK-G1zJA4YMqL!y8oABY+nSrig88F
zlBVCiUp8AZp=)sywg&ke9;U~G{o+e8z42_h*sC7Dsw>6T7$dEX%a|n+(c-P}4KK+j
zF`x&5fUrVzfxg~X8r{q><;U!W&759&NT;?Cp#f!qIRUl6cqLU)zl5q;C%qyb94Hp>
zjVKL;b#)e<Fl~p#E6zJ0+0sO|T#V-@5W(TNP$kptG+Wlk`OPi64PfP?cNU|Uj2At$
z28aygktXC`1zo{BnK%IZ)k%ZS_)Zq*TChp9jOU&p8W>C3*o4p_6I65}ddDFX;?+t#
zSc)?`cVv!MB&#4*u@uW=LAt(Jl2N<oM@pp?&NnnlhtH8Z9mQgP>CuyTf36`(+gn-E
z+tPC{jPUfRARA{j(i_#(b^TBcK$)}%UA=WGs6}8`97RLhJNe`pdLndc%WB9=@l{tm
znx4$d;fM^0?jJqKsE9fkwNMvy`f4K@)cOVsM~Wa(Z!d|!{+%6o#-ZO;2zyN&T(9_e
z20H8K1lUYKbr@Hf8SsJrNWkDwyFX1fmYAp@sh!?PFDs}bV>p({2AxCl&6G>9O^|2M
z1eMc1i3!xPngRM?f@i`np!0AYVnl=VL25eU78=fK(Qy}D3<_DI(O|@$Kj`dT9%W2o
zGD%phYk^p~WKX-g2RoP2r{K8c5!E@U2e+WH8&4fgV(CP+z>dCP`jSILEu(-&YRQ&l
zSSFrt7rrV4y{_z5)&AQhL<9eZFmbzn^E6>5*r7nvXd7q3^>)cMx^~=&MOssJ$Q@~~
zCA%zRu*}u)0S54t10p`~CYrFvl*GB>e_bepJ%)xda@w3&XrTg`S(v`o3OCb`815M!
zQIv(#rP}TlOGmz>IY{#ci0{>RaC)hSiK0ma<JDZ7RIVHGrAI!Nb!lHNi$g+GU{hT|
zCSS%9po-AwQg)qqL{DqhqR3SO3Vw%)hxFjeC0Y~d^~r4+Y*{KT5SMYnzxr`nCaiuF
z7vG3U%ZWHn;w&km&t!VYh&CG^ED(DK3^xmvGxfDAT`p)Epq8|;86l5_!Zl^8NR>w;
zQC-fv4RQ5BoSDhVnW@7JA$oHW(Yh=M5~o@$ExE_~&LGi-C$H);ndEdllHCnjDhDR;
z)h=AI^67QlKVgd%mrFrQ0lSBm_Kw~Q<f|8Uhc9xqsPq@)vO$a7jmwjJE!hJF@Utrd
z6)i!cP`(~rcN3wk9Ou(gfuBnGYS5x_LQ55!)1XCsF3O5o+2*#y<NUVlI3mv4oz<|f
z%~}or{N@bEz&$;IaHC}mI}~|q(N>Hj_ESMi22YOQP|v?u{{MG91=Zy%_WZelVAI+V
zcLA<?30`TJ+B?6FU%Nj8pI(IjUVmt9h`S&dBG9aNOK*oRebi6#do9WO)wQAGRo3_K
z`74OG#`;~r{^NJQD|-9yUmF4mg7*_RSMP$rzlZPN(<dDC;lt7R@Ac=_hPVrYIRbyq
zit_Uc(s!?ak`Uo_IsVH}IC%a2M})Wwg8d}?O@qQ3ZiA~p`@4kv<)cEW9+de*5(o8e
zNq%p~uk!nhFC^+Ovi>6LhpgWyKjA?5i%y+i>gZ65Qlb>RhV^}^{l@;^gmS6hLAq(y
zpJx4#`jgAc@xQVD?Z8AQ{P~JtzA40AfU91#j(xIsX)F19J8qKo7g>Li^{4s!8eWGm
ze(Td-?`fz%bwa2GQzuyYbGOzr@OoAn1oz-Wvi&N5x4QZvt9PUm^4ci>4C}l8{dexC
zSpU-5dW&f$AHRIEq5k7|5LI4}Z#Tt1f4tt--WuC~5GB%rw?CJ*`g3Wk|D$VaRrQ09
zpQCg5AivS%S~}uqu@)WiGppZ7@ArOv9MtmLg<ijj^_%{e^`Astk>Bf|#QG=w5A{(+
zU*E^O*q+yKX8mT?pQrlWK3#6NgQrn9+5Y0Q*8jz4t^ZD^jp5Df`}LWI`oW^r4;HPy
z|Bm8n^`CF3?|;|j$)8*ObG;(3-mb&H!3V*-{{er`BzVs1&z$a*c5SY|4St7v>3^yL
z_xkG_aH>=5NRj*=Pp$0)?OWbv8b87-u&m)$`MB*Sst21W|F3r%dMYl5qq6tk{kP1|
TmD*2jvG%v(_gs>%#`gaok@Dd;

literal 0
HcmV?d00001


From 2b3bc5f2a2eb79e502241436e675b932d25a2fdf Mon Sep 17 00:00:00 2001
From: "James Pelster \"CaptainSwag101" <jpmac26@gmail.com>
Date: Sun, 22 Jan 2017 13:30:17 -0800
Subject: [PATCH 187/317] The '-micro' version arg no longer breaks the version
 number

---
 makerom/user_settings.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 6d19e059..303b61bb 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -508,6 +508,8 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
+		set->cia.useFullTitleVer = true;
+		set->cia.useNormTitleVer = false;
 		u32 ver = strtoul(argv[i + 1], NULL, 0);
 		if (ver > VER_MICRO_MAX) {
 			fprintf(stderr, "[SETTING ERROR] Micro version: '%d' is too large, max: '%d'\n", ver, VER_MICRO_MAX);

From dbe356686cab47c4951d1e27f0657cd3611f500c Mon Sep 17 00:00:00 2001
From: "James Pelster \"CaptainSwag101" <jpmac26@gmail.com>
Date: Sat, 21 Jan 2017 16:34:59 -0800
Subject: [PATCH 188/317] Revert "Edited Makefile"

This reverts commit 90dca52c8d1f81fd3f7a938db22fdd2c56540a83.
---
 ctrtool/Makefile |   4 ----
 ctrtool/ctrtool  | Bin 257872 -> 0 bytes
 makerom/Makefile |   6 +-----
 makerom/makerom  | Bin 429576 -> 0 bytes
 4 files changed, 1 insertion(+), 9 deletions(-)
 delete mode 100755 ctrtool/ctrtool
 delete mode 100755 makerom/makerom

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 96d1c153..7a534c98 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -28,9 +28,5 @@ endif
 main: $(OBJS)
 	$(CXX) -o $(OUTPUT) $(LIBS) $(OBJS)
 
-install: $(OUTPUT)
-	@cp ./$(OUTPUT) -t $(DEVKITARM)/bin/
-	@echo "Installed."
-
 clean:
 	rm -rf $(OUTPUT) $(OBJS)
diff --git a/ctrtool/ctrtool b/ctrtool/ctrtool
deleted file mode 100755
index c5495b63ed8f9d066f82f21a108cd71985510b4b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 257872
zcmcG%31C!J(gxa{1PBnkQBk9UHqdHN#Kb{OlxUiC$ZZXZEW(U15Fr7^0FiV9E=Xdh
zA$Qu=IBxti>fp|(GvKHYf;I^O0?w$28-mKFaxOu@g+;c!?>p!Al0caG-}_%H>3gc`
zRGp<xRh{LYo||7dIKghWMLr3(8*NPO@0BY->aWdKvnx@i`6t(wW$TQ;7u$N+IwIXc
z!iXU*x7GJyi*@8XSz>KAa!bO$tONzfO30NDk?$S~3<>HJDIvcpFZRi`9@TgMKB}CN
zZ=1~_@yy4vZn{$8H(fbF!Xw|aJIkcaHpKe2^09c#x8KUQ-^v&Hwprzmd`IfXy7Au#
z3qK+u7b&K5`DJs<zp-!9@-y^1??jpJd6jX*^MfQj^6frHCT)@LNWR;VkLCPtKdBbs
zFiT#0?UHVlKl06X<mal=DR*5v;HuJzSC&qh=9_)x?5u0AymmnU^6CArmh~oo(iYr0
zlH{^^SUv~-vCQ4^k3B*B(3gjF9^t#~+gFD7Z(4KC#-iH3^IszFI{YIK=Bv!NJ9^oB
zBocN#{@s9o={+Crv97Yq#%CwIw<i0iV2^*kaOkY7S06fSw&(7p_Q@Sy0ZF@`eqemo
zDX_}`I~ClCb~qJ$QagM+?ZDT!1Mkre{|DNkU(gPGP&;tF9r!uzz^`rx?r#VF+jii-
zcHo=ZfoHbU4jtQpuV{x)Vmt6v?ZE%tPQMRqNA7#=(EqU={(ou*{!Tk^tsS_po$_>P
zhyJW~=wE4veoZ^|`nVnX>)U}Bwj<Zy4*x#w(BIw;e;SlijmPuaflqITPiZ^!&UWbC
z?a;r`4*d`9z<0OP4p+3pe|S6a;&$M)zYhFs`}wt<^86L>Gi?{x#$TuWV#JSK3<kXb
zFSFpIEr!3d;OpAJzqj}}vRd=mYQZPB;osAOr(5(9f0hsa?B9jw<l=Aa^Aa8j-`@sq
zgFh<wPMmPX74$*Z+QyBWG<Ev4apm5k8QyW@Y~y}6;*MK0GscaZFne~<T~lUeW?qNq
z(xUS6ao&5&ipNcvRx&-GnP$%(S5`cueEPJa(kb41$IZ+*IqTJ6Q$FQXxhKpn8t0un
zWBROdcNI+>S2SZr(Y@oQ70()1T0Cu%cQV+Mpv*U;c-+h>GrYc{QZS!ZG!=g*mJXdM
zzl(;>ByiSLR%oiK3!WxTm@uxKsZ86rk<(^PnKp6Uu;Oyx)MAoNP-Nxa857FxwH42v
z;<c4bFDssA17zBSsb#k5WnSd4O(`!bEt_0qEAbYWmMSFZ%Y5DmlZ$59rrteq$_(4g
z^0FCIrg=+j-sz>&XBE#tq0vaiXvC7DDWzahURE@r*j6&B*jsL!P*hqveF8b5hPJ82
zQ_G9JQpz;nR9i`Taq-;*vIOXw={^*T!W3ruwF6|bT#}$1B@;@gmlu<nce=0CHr3)?
zKA~t@32RU^V-ndE&zNC@Z~(@YPM<c(Rx)eG6fX)iqqqn)oG^XbO!N#H6?vzZ@Xr*o
zoG^I?q^X)oB8yZu)3|Z7p(kDzWa{*pvIs2mxN&S-ONFKuO_^pZf$-@wY~|A|P7qpb
zE6B?m_nZD1w!G1!U4uO1GW-9ge^z`VJ1$`>DD(^hAu<e5&*QG{pBa0+y8kuM?F2+d
z3IFlG4w8bD9Z#Z-<nMG6hJ2GPC?zEz8cVX$e6r)euTX}F{TO=by<Kg{aUbjqKXyr@
z@I#TF{qbVpJJ}uro_X$->5jHXt@J00??$+uWP8R+d;9(grX|t#YLs7s?N{VuUVff<
z>?wqM9c*t|^u7zGATm#|g)RF1S1G%~nD93;hx&6k4$d}=d?NM?g^=-N1Rk+Ngfo_m
zd?I#^@T>?B-w``Ucy=5-V&@2FTpIaA>>1$$BS3toWvKFZ!ZS=?^y7$wTUC{~^f-88
zl-g#?h=WILCec}OaLSH+a^v7^yU0h6gR@ML&(Jt{#1{}ZIu0J0G7&yL4&H?T>oYkH
z4n>K6%HrTDQ7H5&4&E&eUJ(aBBMx322iM}@HF5BWZV|m84t{1F{lYkSd|a_84t{nV
z{gOC1=Q5E`Z5-U1s!3FR9Q@n}F}~Nu!Ox3>Z-|4Z#lbhl!OxF_Z;OLp5C<1=@C)PM
z`{Uq|IX2OU<KR8x=xv!Xy}c+7o*V~ftPuI6#=#vCAimS$;JxDDjyQPlICy#-yiXiF
zBM$D2gJ;FTFNuTa#=$R*gX?kd%i`ce<KXFW@X>MbzH#vJaq!FI;FIIvSH!`~;^6(_
z;Irf4SH{6B;^6(`;MH;PtK#4_aqyft_<}fiMjU)$96U1)z9<fUbsT(29DG0=yfzMg
zV;sCb4t{MMT=(xu)`K0U_UvQR1NGj7mJPapb#h~rqUD;qfNHs9BK~R@=i-U!$;6x6
zTJX8#cTCfinj2(#7}GSNX1z?`%rs4>xkRQ1F-?<cE|lr(nWm{UYh?OrrfDM03Yor~
zX_`i}Os0D?O_OMjm+1?brYSUs%Jf-G(*&BiGTnt~nm#i_rW2T^$uk`?eWVA{G<9aG
zO#j3*O`K_y>D^4zw3+))0C33;rfJg5Z8E)?X__)~gG_H^nkLMwm+AMJrs*=5$n+|v
zX|l|PGF`_sO_f<A)Bj|eCd#ak>DQR1X)?=X`UR$GlFack{b#0Wip-%h{U@erg3Mf*
z{v*>gJ!XbXKg2Xmj_Hu;`<SMwF;iuF2GcY#rcI{*z%)&Zx&Jupe;3mZrnkxT@0g}3
zF*nHcFs5lj%zBx=nQ591bBRn3VwxtyTqx7mGfh)r*2whLOw&Y|6*7G}(=-icnN0U)
znkK;<FVhz=O;cbFmFcsXrU@`}Wx5N~9QtO4OeZkSA#XZl`pAVybEuoCGW`?N9O9-;
zrgt;Vp>6IzCi|ah4qbDbOmAkIL)P3N(;J!QP&Mmi`hBJuDw#`UdKJ?gvgSgWu49@Z
zlUakbYn1B_z4q?nd&~RJo?7Y}=^C+|!+7Ly<7nL`w6bm-$ULZ5?$Q5Zv*l;Dc$(Hy
zN%hdX&J2t>-KcUp@SRy-7<$RM2wJ2!RXHPThd=ADlduM0k%YPx8oPjHlEYIJVNd`h
zet61mBb@_-RBS_{$?fELk>kHGROKu~V7A<L^#ohpv0Dd0=3Zl~_!he2KiuLn)_A-7
z58tcJuR(5?Q9r1~xn}(6LAGFr>wERFg@(6euhOcX!f?%Q)E+GbjlbDm7@FvGXjQ*Q
zD)@vfj~;qPl|J;gtdDMN_3ub_cRnJDpJCwu1u>xFv*+x#gQ^m_T3`U6tirV=Hd{FJ
zwn0p=O%}4sc2pTQj_CzRYgJufCH(I?pFjes4isM{Q+{FhAMUKpuLJ_+&loevhK3>?
z?F!q5O&}^>MI!jN<Q4@6Eg(fkflm>LQp+BRWPeNo6|c;L;!j9|8M`Bz@1i#;;aw#m
z(4tkXKu_go{vg&IMO`XaQw!XNxO1#)jBBjx_pWh`{)Z)pRC72xL?!Iz;8-Hr%toRx
zc;)Vk`q;vqWgG1i#ZbLKy;ijo$`d}z0uEKcz$2Y(k@^E|GY_L7E!GaRIhIH=zhM&x
za~=ij%#EniMMqj%3}}zJMk2162?Q%g9j(Kx!sc2@&ml@cXFea}lwdxAM5QV|<8-r1
zF}MZ{*un3>U`u<T2e0WRVLxV~XAk}K56Pa&ap+?`bbE^!2n8_*$GBCn2G=TXyWk4Q
zZ5Pzr>@8tAp8%G5Fmt20>sL8KjJ2Yg!V-ZFv#`uiLdcJ39*BRzVsaK?Un|%n7OX!R
zuUD}9B&@w+dRWZAD$1c&?hNJ*D%d~^wg;ZfoTXstr{(zUv*0*HQJ#R!D>T}Z-H0(|
z_5r2Usk!F4GFwg)vdOl%<8Y)c3R$K@)V|;~izL@wBAKwA3igBr`<CVWNWm&BSUq7Y
z6s**OJww>53O3q;%_i(|1#?@l5roZEunY_4Ana}h>tVt6V1$~Z6fD_-ts^W?!sgh-
z`}t9AhML&S%ZY#`8O|P9iA3hcFjY=Bn#5k{fF69<8sQH(Q|p*Ts)3k6TnI3+X{^nb
zb8Fskw^p?Ucs%CmS|Ale)v_9L)GP#R3|%vyZ5y!x-6}Z1+n5mD0=6<CeF$u8LiWx*
z*=GFlaa5{_m5K;iu<R5<UbKL%gggge(CbWzW_^}aZKaZ5TTA6$0jamgOTBvWDWpyX
z5LsIZ^^mZwjP8oCl{MV31TubrsfZTu*4s}ZV+w$6W%x+gRz{g3Y$fB3QIKK8$%wcj
z@epFBle+3z3)reciwHEfDmA$RzAjQ;-S|fQ1<1CIH|hom?H(sojLbWQurdqSO4$7b
zwyoJr0NV=rQz3*bhSKIZ9PoF6q0mZ8KND@SGK$?#o<ekorxdW2=u`sRitY+vThX(g
zh3EkgZTVMtn!o~>l!$ASzT%;S1e|)TbtF!XwNfm6=XmZIoTpVy0S9efe}q3dgFVBB
zc<;~2L-3>pW?}GJ72`A^()gnC_ot}XGZwH_#a<<_ZN**yux-Wm-iwOeiE>!-;3#AA
z>{yRFNnv^b2rjL}rIWC&xIT)om2zVKWi$62f+IT5a?yYPg?`&R%cU*NxA_lG(5n89
zBKQw`wZM8jxGLt@r)q()dQ6z81>RDRiBNz=c(lqbr(eC;$P+foXiN`!KT{r>?yl)4
zxaT6EEpoa+b3>c-jsvawx0c+3-5xl%k8R}ul(r7;(XyP$pj3YUk)ILqqKs2~7vU?R
z$afyT5^cUzOAr;)G(aBiVO98D<OtM93FJI+G6{NF1b=Bwz#cIRNN}k|aGxT`utdn2
z<fR}$VIM_d>v~7ZxiSlJtGE*_Y(9p{gs-p|WVe=p@oh7|166pJMUW;5w7>=cEh&r}
z&3dFWfAAO||6VtC=>Bi_4;|rYsxP|<F?3UdO@1|{o{Ks5IiGjyWBWzB*ln}bj>3k`
zNd3y8_|pA{&(MwUW?oneZgRSQ=Gc`)v}`NUF0LZbHnx$o^pgIObeQ;&dgWfppy5O!
z80f}+y+Pch+t=zJpYWa&<<>RAO}iL;z!LH+asub{vDtiQjzmT=4TEj$+72@Svi~e4
ztrR$rq5E&L`8qT|j(kyOKQcqhhOy>-$P+71-MhUoJvnGr?Z@CnN%cUBx2qnSzsO;;
zfgxrt{2QZ>;9tTF^mO<#%(zd7e*iP=)8VVmJ3YQS?eusrX85P$UxBdxbokj=5jY*b
z=7Q7X7r?EYF8?z<Pmh1%!qejyUUYi=!&rf6SAKB*8|ZbQb5Gg77Y0XV>7j!3z{WbN
zu&%jRfmZ4Bsq_K#g`gk!-_oBQEJzL1E6vpMn_}gFepA1|&k26r|66`tgY%c1u0FuO
z{U7kP?cyt&I26nzUCp=k$|kD5`Ab1GO;tC)jissD=BKeVRmof(OH;MYw_|ClviVXh
zP1Q1=h^47YW>qXr)iJ%XG*!i%7)w(%%n`9Phl1&jrK$SnfLNNUVmhs~u}rE))P5Pu
zWYfl_WmCqbWz$8|dQ&H<Gff3F<S?WKT$<xIYAL@R{Eq5VJM>Y!Ys5&8@#%2gIBFcy
zjpL%<517H;omOb{(T%*+raUQy^KHvMwxvI|hxDn6K3NjBvS;M12j`{=KM3`vJXzX1
z$xP|Hg-;d}6kf@T;YWht0C`~DHdx@ep`b@dx0m<QgTqseTO8Wbq=f2xTdkc{$2#tv
zbO#k|fZ(V!J=j%-q*DCbWN)m(q&cwB`>8R!hkbZ*X8m$zZ2o6W%>Gi|Q3LZ~wNQK$
zq>Ba3tYdOho`am5@}MtKalu(wPQEE~qgf6j)I2z<yDUv$qb~_%u|?_^DU3K8Uyzih
zJSZ=`9?Nkj=_&uX@iV21C0ywW&XF}UzPWQOq;ykKT9-FMU(trXj$F;nyW{<lERTOr
zYOtXD4F##?4m4ykTGY6udv5iBgh)fCvMd$IZ8I=C5|@E7qOR|QdEJ9ZH@_c~kJcO<
z8q@-{K)J#EXM|H7?agOK`d9Zi+6%LHde76A{zf<Ui3cPrpIpLWeeaYasbBJ;QMNz3
zoDHxTD>r)Z1~E&Z1M(w1921WGda$D&ydzmR3Q~1rR9Yj~6S;~g`4ooAlL|w3Crfr|
zg`o*4qTg*?(Ky6K8sU)7`&^j#o+BT30h}y4<C)dOl*YbBtU$_boIoD2L?Mz3QID7K
z42?@O_99@6tw)&;16~rRPto#qLh+ItYjl5;qmC_W&bZtT%C>kpzK)?G(E?2l-S|YR
za3SNTJ*eS!am!V9I2AqcgLeS^i?+0T($yn6*s8lH>i&8=LZ(z-Gm4}pV|&?v{?)10
zxP<*DeLU^H=8b5@Sd+@uGd_^TIDuk(hAyROm;bmnb6~!)$I=Vk*p1m8TjgeIT_`VA
z4{Xu3{7rf&ACEuaQMhEjW7@2ZF8_C0e&7e+nUTV9^$y*ii+SS?-S{4S^rj>y6;8+M
zt26>0<69xiAK2pkjVm;y1-14!*e&^}N22R$)CF~y70+JhYi`9IB~C8Sa2;He<eLTA
z-YOUiCz3Q6T2(npJxE*T?suYOkm0`agn1VLQlFBXI&=-IjCycH(qY{g(c!Qj8kwy7
zcO2IHe&*@B$8G<?|J`A5*B-hOned!hZ#4MplRd!!DcM3d26UOR&pZpLV3HH81_j;y
zj#0=l^Emp0wT`v7()Z9@boFOaFQnq%k&ad0AT&M*!LY-+F+2^GQ}zwL_@DB>a>aj}
zAJMt-z8<<Q)q@}z8YlI}Ja{d1Q^vz>@d#zVR7hpNGuN9QoT-Z0^UU>7T2ulR+9CP_
z1vSx)U3Cuht?2)qTy}jDJ-HgjyB-=VtzN7?;O|L`<7YM_6*r#De_hZj-88={NuBo9
zgP1I!tLCD`Zab_8A302IG9KN}FaIv|WP{%KSH16tl?`0(YA_Rj)?e0^bty5bnbwvL
zOQ^0%z*A$Z@$27{hMKHRa@yCraYzq;66|6gIu}()Yph}a9pHT4@=@Ynufci*Sg58v
z9&fQ>_SS`}D|@d-58a<!r<U9Hii->EL~qwa??_PS{<Jzy0YyiJSjTm`Ixqy$yZ-mc
z)Gp1WZwa#S$SK&ROLpRu!IIaLL|~-@h%Bj3qD~^Tz-*Q|^p0O4b%lJ^Lf)y6iI9$*
zqZP8kLf&ZQRLIE+Il)5qvT~wq$T?df2V2M_B2kBVvJTo4_2_f+M+}0fz62j)tx&&?
zwJ4ZP+W+IUImYMM^;svoaF=)rSv<z3%!3}oT<!p{4ojiv++AYKQu%E(ir&k?XNzne
zZwJW?8wO;6pdhASvcGi16Rr4PEBTvJ1h~dTh-2^AY!C`eE4VVRx4jt={&Fohp#ob_
z#h6r%^i#`Q%e8lDL0N~<Z$#Mq{?u&Z#=Cg~NMhBgshgcA=a<eM*8I|#1+9z`=*BE~
zomT18*6Hh7>ASJ40{sw+zhDzG%mOTBMeKgm-(rA|N^hjE&D^N0nDW|%!AT5>#0xuN
z0R7~K-c42d&utr+eK&k?=<W<XRPLZJJ<O#sj1TOrA$ezE-|yxAj^400$?OMQ{CK21
zk8ywk|AoL6L5FT^hPgqsrxntX>=WzJ6nb`}w>w9ua?P>&1fP^8+UVWkHZbnyWE2{^
zwZ-cSjlH^b{>NCBAY4#<=J@u*+)B^hKcjPDDCyk7?E3PHu>Vug0oy#r#~9_tPvL4T
zY?znG?m#^w{yY(JBJ85^fp{OfrW;?%;7rzdmyEAi;@&JR)@2SQVO@r5F4b)1I&y53
z9HGnzmEy`17w`D@j1E4%jqSZrt2!)=!(xG?f43bA4oMun4Ldq`j1zij#5n`4{%o>=
zf*#bNXRq@8NbhS+DBR98U~HLN2y^g}59xfsvc4<$@N?Wo^#rS)+Yc6*@bPQx`k^0n
z<3ppVVOIxn7xo=o#%ivoeX$M0H~98*hd~H4jA(`q-*ESUS~Mn$MQ9OMa2|{9&K9#?
z;>O$<l;0J6M2VQEB;;p)ixQ*&V;d6s$81&z@&X$@Mw1r!8c_J}{6I@neh-p(AIRL&
zJR&#}bD2YhhKT{ME&f?g^w~rf<OO|cXa*;`f1k*Ldc#R!y){F&dc*e}Zcg-mn=0mh
zBjesq;K)`&DC^EX>UDbj$LzCSiEuCuX^W5EocO@EX<{Fgr}-VJ-%z0xSGKH^Ht$hn
z4vulAc>Jpop{;R1V?%?^V{f1t&t)Ak-)Pv@!4q_MOhuhgA!8GxxxhvSs#?{hw4=dp
zTN7I8#eV38cpYsET^+3yUG9mV+=(Z5p&sN;&R$fIPif*?>&elYm-%nN<Hw&~dBm1$
zv(387HKH)|D*J##@dM~~A%fFyxYuLsW?(3TV)JV(-pcks>3gyCm!K(>R;T4ctAE%^
ze4If8UADcC&2>i|=eZp1l6vHDk8y0J-GvI*Aq&Rb*`V@-o^V#7XTqI<$gCHOQCJUl
zfvN!$SLZ=Lf;r8$J~m@j_%cNi0)-2!@^Y9!&3=H8A)z;%94Aof@G%zZ&j3c}FTtF@
zfrJ0Befc5aJX-#T#_sSq#qB29XlHv8M>vzixj;kS{h-dQ$5;@(Bz8EAVNMBv;mIIC
zA-gDWs>)TPa^=fhV(-_`OoV#DoB<LLt_50b0@RiLhAi~V8;xdcMV<rnN-nbM4Lds&
z+MC4)=FIECod%ComYknjdfQOce74zBz?#DVuZgHhWPaxw;WB<v=9^R5(CchZaVhp@
zmX87Zh?SxfujGaehRc^OYfB<(ujWHk-9;c*J-Z2oHqS;i8Bd2+$liE~nRo=%dyVVh
z>QvvwF8{X)zRuE|sd>OwKAXpmGg~g=@9!zICwADHKUI7-pk(iHWH<TQeNa7{7y`D?
zw+4uz%l~AD@pvu};+hzIp#^sk-ji@rKTPO%#_MDgd|l?T0~eY--q<Ua<)UFjE7pNV
zH~c)zB~}v@e4Nk0w@8ldQsBzu)8pwRsU(Tv&mbt#PY`%40FR)Q0u;4O+y^pxn<g<-
zWuS3G1|pGRiOj&lB11C1geRH-?LsJbTJ@mH(B!949dDC}G=*R;kY(Y^eDp+{@f(~!
z8E|xe74neJeAXeFhQG?(h!KrNn^}{wa*~W$^K7U^I+RU(w1q?O76h=Ep~=3cb^k4)
zq4Lqxjh;WsXPwWz@Er6H#6AcD0IiAPs&ZfKU+DwT#ru|%mk5A1jv_8ziL7_cFXM&^
zKDzNMgM5b62<rR(TG=og7#YsLj`{V;@y_IUe+hh9n{?}V2=R?kkQQwZ&d-ekM_l?`
z#yx7yVN?dbx$cmKZ%h+L<u*p=^95*wQ9~Pp^RrO8So~ouV}r!fF?zJ$sPSt3Lj_WD
z-Rj>aXP8O8%XnJx{3h9)Y)Cyg6ov(jF?>8Gh@)Y(IXNt;Q53SB6i8a%SbGLLfln9i
zWvKo)yFx+Y;)&s59G(YTEVwnzj!fgu!+sco`*i6YF<loWU(hj1<KXQHlRfwt48Y}(
zstiB{ZO&Pnd9(lpa~K;q$y4%_sgZ{;u_*W)Y6s=GkdYvCe>POP4(ebt)`&zY!l%g*
z&+75m5BfLQ?aQMOc3D)|5(<0yOO!A|6z{LNp5ZZ$yGEcs$q?RDaF~t5fS_sqLbfD6
z)FkLr-(Nk(!ODgufGTy;Ll2^nJ9;pQ7dr<soXJnd&g0+|W7P)X-(mM}v%9KCrnsu}
zyAj;YzfHsQ8GJs&Smoc52&`tTsuxN1yAyypQ-M-RK+3aR2M6Dlpj9!X@q~V#J0w(`
z;c3d3ahIzp-@&rs+sW_u7<nPVFPm#^em`{5Rs<ADqAyBjnEoHS>z{~AU_DVxxAU0)
z_#WTaV46WQ+7Tq!0!zoUMUg*H{CI-|c8>$*imw2Skhnde2eUk(v7<eqX+wvEUgkSz
zVhacWABeWl#fK`PBT*=xC%-y48GdYfuMKFop@?w7Uv?^Dy)KA;lEviDaJnXYr*9|P
zVcv8wl}@QTK>l)J2>dgw_Hf90i+l<)@-fC#ov%T<ojQX=oXes#h=FLY4B1{y`2+aP
z4r|KKvOs7Q2&~TU2UxBJbMxCwL=DvXht${b;K6j=n2-t-QCs@-tR(Qqxv#^$ZQ}aR
zq387x{Wew^4Gp^!{o6ZfOP@HK=YBsq0!=ZxS6Rz*vwdF$yF1^@14nQe0uC!~!gF{c
z{scC1QmEyBf-qqx8Yx)lOaf6lh=2%JkYv4uZzSG}c}g%RS>Xc*!_Sbb%Kswq4{#N8
zces`r88m%!2%Hq&54;;uYAV1@1cUBV(B%i}Es7#ZQRwUrikB^l{gNV5hMOeC2qyy;
zzeSN!Kpq<{9z7++7-tVq6j>DMl7fqctmn~BQBF)SK#*$@xIqvt#TJEk0`IW!<AHyV
z!B2!p4~=oAi#I{pe6}^O;bg?$nB+e`+k06s5jJlx7;HVrkSMc0`~Wyu6yiQ)1DWqj
zOx)SMv@$V!DbJ@GN8~iOe&q1wxe)7GDSNMS4?S!l4l-mQ8y3pbP7!8f!Xh=0=Tny;
zuUzSLJEaQB^QjLBFwu=hPCrxiklUFnC!)Hs#tea;@$v}-PPSuORVvIQ)+GtrPtZ1;
zet={P)I!h+t?K3|)qaAu;S}ZKDAhKCDgfFO1y#t509^xR#iA+pr<?M*93{`cV!$S`
zAwAi9y!jkjTdo6@v4({>3_5-&ct1*^1#ZQ-X%J~{Xfg8nw{@z-tQEFEF)&6{IeaT%
z!ABi{1*er$?jpql3%>J{mX<@Db3(Efc%lOu1-<G(`$=<%v%ju)RiP@7kyFs-dl(l6
zyLE2O?GkWv8zY=OL=9NFgLp#MfBQ>sTR0b}%zC%6Q3N(3r1m%2T?d;w!TkiUSq;1l
zs6`i`;`$$If<{S0yUG^Z<~GbvwgnQg8G@2wwmCS|Jzc9hjv|qlR&_Tj40&GggP`z@
zQlvNsOq(A;c{A6ep*|7*hED!%bN#>eXsW8B_ONEY@61OSty%M>oJ`4L_wv6$SsQkw
zgb%~fVZglqF=F{*5Ju=aOF98#`hm9e)9@xm_9Dq{jOVxg=iWBgp*4K>t#$!;qL(D^
zuw#(48tWhg{Qtm=9pd=^4f#MDehzuipHNp&xk<HE2J00lJ8fAd=w$24cII+`b=oxz
zw6YBY??%hxN9$opyD^E)m{Si9S|A-**@yuhs))ALstP$cg553!>o|qEla0Cs%K_r=
zVBK7#^uXSlh<YGGz@up2|HLXBu@pee-@pQ`M(?lg<U0qwzZQ7a`zb)l`3NTay8q~0
zt%{@26&(1S%h-y&^IiFYZ@s;l(fcqMhb+ccH}^;G=9gvuV9q_jVP{~olq${!3fm;y
zp#js|Q7>0;z&z|d1rGXthlWT{(q58?6iQS29$4>t3}{uD0JkkDTnlI*L|J^lMe}rm
zq&kckYdjUO=8v-|0}&55Dn6!;tlV$P`SM3t!Bt_e(#-omV&vp@CS#bx0>R(lS<hbM
zJx?tWH2;P@07nx%7kho5HHTp)Y4;)%Nu0q(2?F4mZ<ux1>bAKW%w#pN--X7w{M$9R
zQHbGaXA1;#eg{%)!`SQS_B@*Vi}2?lgG&AQp~PRW@Ch;ePYVCB!e5~9NiqBxy3GHk
z!XMc$`6tKlmn-~Z3cp$5Q)BqS3V)Bn*D1UshQCYUZ&&y~D|~JY|DeKWD*Sy4UlGIq
zS>exA_}>waVTfh67|BvaviAeo1lN(I@;jR&o@ApU`4>ps2n>3-{J$b}901FKr$lc)
z{@S%FH_~Y21N*4(?}uwJw9&LrA(NTO`FpV2W}w<CO9_f*J|Pc5cdH}5XH=Q?LaZ1}
z{Et{B!&vz<@N%pahDx0dvE|>GxmiXU<1jy1%=a|70bBtdC>xBdza`D<$=6;yR=%IZ
zohKCO3&W%s6zY*hB4e{yc(*KjHU#LQhb4&|KSQX`pFj>7`Ibr3;emgNnhu{~eu0Go
z6z=%m$Ux2my_pRI1?a9Q^h!csm$cnJ2DFYZ`Y2^BLsN;dY^Y>e(Qa=N?~LMg;&X@>
zSmv_^RT<h0wT}4<f6F<TJ^!rDFUJ@$T3VdP>u(tphu3TKioC^>rq8%nH#+LI4t@I6
z;vvP;bYpOGtq-zFjKP>tZi?=|*Oda;)N%Oa;?ff1j-=+Dk#$>urkAZ9oMda>Ani@<
z@S>T;4tJ4vIo>F@H4RQKatxUc870Q8DQgFxVQc=I@)xzkXHCHi_>Me~lol63a>uZ*
z%w}7gcLs!)r!-eubnYoLiYIs-!`BW@Lwtg=x`*UB(nrmh!m{eM-eSjX(@O8{i&Uz~
zJz&dk)#lGGn?A$q@T?q;lFN)!72u8%<3ZGIaI$$J$gO&yJzT@wjzPD%T(!g8D8}F}
z%v9ng-OthsRe+Bz)^5@AIELR_?k%3`P~{n3?8T)6lgedz>Y{!I`9=(L-0Hg3?OI;m
zm;5hKg>nqLP1XjIZpF01s*-EMgkr^FmXuAoR(`aXW7sHWHt%dzu6X=y5`RMs-_$X0
z`ix@slX(fCHE2ewUBM46D(N`~kM`@J+lHgfL4N?s3;GeG3LUo=O`GVdD?&T46zF8t
zM0cdfchFS-lP<4l#zfiVjzL8e?nbxD=6*xE=_)p(&9!0@xpZ_F-{nKqf1hMN0&Glw
zW9_W?44zV2jD}VXB%6E0bg0$f)LJSgv^C8fLI#ofPuu)DN;IozhRR>;$eUa|;ck{H
z)jXHkP`}7{Xd0Y0W%@L>2Zlwfu631_l}?$!N+a7=HRANz;l;%h9d1M}=#cjTRQd-e
z|0kFWM5-`*bMdm6`48fv=R=2ce;SJ$t1Ft%P=3AvuJzX}?-03jsDH8zr-bxAkFUcr
zgr2>@w^a{$ovFr0I$T(?xCp#pU7y|!3k4VYqH>{G>j(v&=M%`x_ZC)8D&)?#+OIk`
zayVC+>%lZ!D@`)CRpcVb(=`+n%yENdq49&*(}d|z;3dRAuG-%tlEcj9EG#~|YF~q_
z+Bfm1P|L3m4q={D<UwR0ZR93!Wy~#J2Lu1n1Yey80vCXJ<`zZ0!;Dee@+|5(k~-1%
z6&ynY2&4m7_HYAadH7x$c!+#du{nitmJH>;_Vx~*jd0*cl;V%bhAGu<kP|5`2TM=(
z*S>FD74JG<LS`1V7(}&=AgQaxpYQ<^Ywiu`qoe2}uE>{SS!}sg<1@M39<4AYit9Xh
zQBHPAFy{iW3Oi5%WDX-Umwl}52G>}#2ZmDo`j1*~3ay-t@CZBgVH?acS{^GQJ4EhQ
z<i@HK8k_TOtZPl%F8QTn4jA!YSU=K3%Vy)?wcN_X8K=rUTp{Ad?O%UD*_#3rQFK7C
zIuqcFwS3I1M}k$d;NxSDxv@ug>`{+B7RDZj#vVt+9!JL>$HX4FK1yjk;p57BqQh)7
zy;k)ZKov(2N&g!UC=;b)f@ouu=gJOLfXLewa2AkoZK>ONmMbgpM<C`9!7?hu2&aZQ
zMqobqzPM@zkt}K?7gx2OtOoMXhQJ2NlXZ$<&je2c$eGN>YDExd05LCuU?n4n6d<aA
zkgQnc2%;Mhfe3;PKm_WeAKKsw1USZI7WRsTDU_Ji5ez$t7>2q-k;@YZP`6|*_8D=W
z(BC%zHYD_p6Dtjzy>oS{q^4pH2zzsCIyy2Qx_Gj`@)pQrF8f5vYPq5*Fc!NMW*_i<
z<O%XTRK53HJ+x#z&dzhgaS}|Q%LsTO3(+*SDH2ULVh@{Z=W80}&f{{jL4&bxSt@YU
z0{6muHZQW4lajRny@%OPx{zEf^GLJdJ=5P}ucNt;h66)rl{&wkThY=XS6li;?U^?Z
zvhnO<(q|QggKR`rK!7c`ss-rJz2|{2q3(PT)n1H0WB`&}TW-aP4l?h|4$Ol#R16~d
z<$knrFk<%f(Bdo<93jy@+B-1^>$Wg8cYFs^gJZo`==B>&@L<h%D{4(!z=q)_@LG&I
zm;$Y8n|wgHdjt<^qW1VI8r_@}aN;%~$M<sTfA}#l6C<%04eZ`;i5=mb9exc^7>p2d
zK~JA>1|S>+AAkVHYaR34qi|Icx5%yqE`qQ{30mMFZAb8$=RqrF4?+C;F!GD74Qjt}
z9uqq*l^pK}6<otHC9fxV${k5kEL0S~RTR21VMi?<HKce@QCz1eCM$|BK~ZS5h$0~I
zZ8TE;GbF!FktdV<OJh~T_LOk7%JZ_tbpgrJ71{QkvShW2!f#P5Bt=I>u~JcNQWQm&
zT=SARxj3p~6JG#=#;YN@CHJt(bEU;~5y_S)vMGvdI(#*HpsPi}34nM+Q4}Z&T~Y8J
z1=jbTh+HvAkvZbzO_sFuPqk$94)U;_-)169k^i_u)^~y8`nW~$1S!r{6dx&yT19aW
zC`@RcweHo3S@7510bKKHa-zN%!|)MX;p39UQUb94i~NiOHYo-fV1PWne|svAbD4xk
zOXfX~2d1$uugx1t?-R@!#e5CByN9zdH$a;lTB%B(i=ncDK2VHQ0{UA5(()zUN1)^Q
zpb<xL=q6XhjdAxTHUT$L#5pSe-t8>lmn>tJV)3vgs)AISqFM(kP~4#k^9M@^jdUxA
z94~1d22quh2EC4kWMBuHlJ0A0N>IO9V2DvQ9wNns7CV~u|G<uJpbEqO7L;vZLLKc+
zEiDj?&jxVqrMOm*>zc4?37Y@Ya76?{Pr)+n+=d9`5^$^Qhd<$k;6lD={d@mwUUWy~
z^)z{L`J#>s!QuKCuPZHHbd0Ad7cCI|D0tlhUTCXrtku5vRITVZ|3hv%TIBAga@$Z0
z@uroV9{Y5;!%sNr-I4pFtqi4*7p+i^+}zE*<p9<fjDvi%VRw$-hrd_Fq8F-*3(?~J
zi<><(m;Ag^jW{ytKpBP7gNn1kzqt#}KVuUJ<H}iagU$OB>yJD*!i6SaG)=S+@2YY1
zm9*5n2pDvINQY1_;wfF@!qrlext!#|oCFdy?Cui2K<V)d0GqEMU~j9c+Wf`GnM0|o
z`GQR3G=77!A65f-60_cotZ-GY11`6(R8;&klt)~Lx|qAwDnXF=6zGM*e^2~*z)PtC
zz|G~7Fy}51N>7!9?vb8qFlk@!1CqXq<ffBI#*w6&Bpnq=kCRAdlcbm=JFzYy<6X6X
zES7A?T!MQazdPt>N$lP(O@3}i!%bp^<t<tY#=qz$@#&71mfVADQhgWUZ-Tdr+_n?_
zc^VFlF6Tyaf0^b`{DQ9BWX<=HUbhwLXRLH|zg|bb@pJNi{ZL?H`}M8QA7X#L)qXsW
zGsegBZTI(${gD%J9%Hp0O3LL)q2oAAm4rAw&BY3qb{fNwsyCK;aNsYQ$NkS$&q+8o
z+7*wU;GATHALG}fw!A=Nt+?b&#_)#eHg<%U(5PV;+>U?+Cp@cg&XgBtuoW4kyoRLf
zhOudypPne(U{U**gIS>7W31Jx4grC82t0|tREWZ1FA=~#DRlPMub{KWc1l@|d>Dp%
zkd1Lx<<XX#uz>Wn%lK+$*Y|9>knt}6dN`Sbl~09qZrQOb#TS&7Equcw7~FjjMgEbZ
zve)=Vy8G_*EkeA>R*8)w9z}427uN4l7?xzy5LuGDz_b~oy4&BjK*PDPt2BHY3M#Gv
z)8@Bi{MXGO9`96H_#?!hLp<M)1mC{0k~_jST%Lj&b^%}0*TQN-uH0V>&8M<3W-JWN
z8Z&ZuVQ8h=T6@(&6-9qyuML%#J7d^E6L(;J5}U;6%QfO=JO}EHMy={ED1#e{i)Q9)
zGic_EAd4346>byUDChgK{dm%kt*M%CK`mM+hiP9fr~3-Wd=DaDWiv6}V$~zF!a6v(
zjIZT!L3nt@VkB4;W(#iy+UwrUC%0Dz_7E1%!6~youJLgm9P*6K6m}-}D!AIfM0X@S
zp_$kb<Sh&i8+!T2cjTO)r>m(GTE*t^ug&oIo01A|c)*$LeZl07G$l1aQYD(VN7mQ;
zbCYe}8xepX#i^Md>ZS+3I-Q>@7v%GB>T3m0Okx78hiU}ugDAmvmEmWnVDvlg{5f`B
zB{tfQ!_@E<6`Z{lYcFJf%yGJm)uK*4r(<j_#v>YJ@|S3kPAHX9p#IP=^xIF%=v4v~
z;t4&;0!XXKA@wQ}GVcF|#R}$J1_ohi=jPy)8A9=M0Z`L`F-y^C!JG~NP<O9Yy8DWP
z?%RaGW_LJUDjsf;c~pTn5xhC9OEAtil!}=Wam`8~6x$92gzn!j_CT@maM%T-uuVPx
z!diZ+o{!O*tiv<6V)|gVhV`Gu4BdY`$ybl2vyLCjQ<>3m_FIa_u}--YJq!gFhtRWF
zKT4^)0I9%w?}b>(uR90N2=RVRsJ#qNbr<6gmrPLEG%yI4B8}1XF0!)z0C9tBvKnKr
zDCoW~2*r_P1+7ugFC}ybJnkaE#eIMxsQf!e+;Rtc3Eo&XekGo9y39Ke{9i_%a2-U7
zqdnkh&c^VK*2f@D`m(LWjinw&*V~YH3h~b~?@HpoXp8p{FCE=qiSOAK-<SAm=ATRa
z)2;AWlrauS?GDbusK=XlIIz}3Tq3L5Ro=NHwT@$I$=k{rq`{cUD-?W1ba`4}K59z0
z=eq}g?Y^!Ypi#Scf3hgRyp-|(u3(L{`WwAp<NTi7e?*CJRFSJkTe+hsN`FOb`i~{~
z%;x2^H)Mq&Q2aTDK<tF%IyAibBZ`ClxvgRmA`J@m&Tp<!e)sz$5D3hT3WJI71hjbb
zMy!`&7VW`nF2S6QV7Yu37}foZKjDm_QXk%UD{|LBZ#;oM>W?>cKrQh(*&lBL<~05|
zEB-tL{BLfXbnEvE<axPNEC*CcX~r_jjoA-l*{7}2I_TB=dsvbil@WJ-j_2tdZO+3b
zi+3@hjz14aZZHxs3X$`088{D@t|CQw9*z|JSRm<jV)_}0AF%wupn)D}VkezZ)Nz;b
zg$LF*8O~?23r2A}-s>eGg|^^RB;aI{VdXeqWn3@|RvB7?@Bya)@azs&uxL0?qgCCB
zG+rUOAwO68FwH-J#9-#YOQ?vyY&Z+z2`1sS><66Vmm?%WH{nnW-cZs*h0gK1@qVzQ
z(Mel2IH|-aNW$^4j@1PngIDYRRY{?FEhkQ#IP`h1{g+hW<28-7E3X2BhP|nOtEj+i
z*1c8_%}9Xl_}o~VYg?=PHz(?S->-n|{w2o1GqtKksw`*XH32UU;utATk-vmyB?Yg-
zz2B}BovY$0&i3S}NC?8368hgYW!l<7Nj5Q!Y#9`-CUezHuFz5&3m`o<m)X;Bl%_kJ
zc$OIVCdfkpU6#)W1!+P!r5j03@eUV$Lq4AE7t8U?lT6)_a2sp!)`&Q`26qqPB}5q2
zG+$cq9qM4<pcdGRcEJgQ3N7$0n;7dq8xeqEfyfc=J64XLQk1ZHKukXvQH@70;&gk|
z*=M0xp6oSR;87sleUEBYnRrm~fy?*?TlX_lTwz--WUb_1Mhr1NKdFeJ4+Irv?}y%L
zfiF;)V1SAWBNNiGoJEm(aG=wT!>-2Xq6Aem?|})ZL7BfqnRy<gVvH<t-C{IF<!Y*E
zTwoCye=h$nhZZ;sS&?(=$C27DQh6U_-XL^b4B!)cW{p-g8^Q|-Wx-`>(ej1H5iuP^
zp6n*A>J!;|-5v$MHjyE`?D=fM%Odedu-lZAsl)+r%KQO`cxac!-)WckiShr4)&v22
ztTJW+5D|W%2b7-nl6v|qvQm}I;h4p#_^#Wp8&E2^<oI|r0C~-ipb4H~6JTRp1*5VE
zVm8>D_oIn|Ps%>ns0E%zcD}{1Ppl|LH?sOIB9-Oi07n~f{ZDqzDn<4-$T-mZfsNFa
zBUZ!h6P+WimMVLp+iy=%zVBFs{qSt?71_k6Ma!Q`#r#1ulHx;2G0<sz31!4POJWF?
zo6X^hul?kFBE(z^kSnSWap${nYWXHTbhj=J$ySW>mYgp=1Yppwl+q`s-CXZ2485p^
zV|hBe?n-*bP&vloE|H1nJLN_S--(9bTh4K9z6NmIcrt!M)ToCgY9)qg8+*+75;j@B
z<%L}{EAVHyB<FOYF`aaTW65F!CTMs_K_KbDqtVE>?|kQ5F?LLMBJ0w4!xDw@U`S<d
z9D*ZztOU2@79@d>aln)4b!LfuZ!qZgI#IPlVwhaI#i>3fMk2wt(+<(PERYMM`@~Qb
zzxjMC4nnpJ_Q^is0l06ocVxsMY&E{du7|V)aw6xUU4@;;yGKe%#Cecgn0?rH7Z>*|
zGk}ZzMu4LUnX~{CQGn(@!=FPACJ6h)&*=GD2Gv)vZNN^=63|K=JfXLfbc|uK@^73m
zSg&1fXWRt)(e29*P8zkM7$wN8H{X+*k{fqkf&JkzTG%0S6=dXasn;v>p_QJ{I2;Rp
zH62aKSpZl+2-cp^;w7+Tp30^TD4pmE&dnF0k*bg)VPmR?^AGG*7G}eA{)NC`-eH70
zc(*ngodNScQv)z`e-b_IAMhNg=S7<c4sv=x0`~60w{ld}i}zmRkjd!?s4MgoyEwc-
znYI@dX3xK+u|%-DA8-)@6z^5bI2W%VAkOs;VT_v&CJi7BKLftvJl;4m45NziR;wVM
z_V<5C=O^7hXr6gF>Eh$vdx`%8@gEW2r4=6WDqgr@cp-Y>-6;8*%RW(pIFGNzcr!D%
zD19=%!E}bhuo<XGAL5lTqv~0<E}9WDjibrFFOV(4_gnmJ8@J9$7PoO?ds5t*xkVgA
z!CK1!Ke7KHw~mv2%^W_F_!mXs{g=(pD*C4RGTcI^VPv^ckO1C%{?*$hIFE3g<?pYD
z?oHO4kN~o&@)*DI!RhJ9>l#VGS>Y!2v7>rry8tomJW}h%{9pK`$mRRm(Ht-1eF`N<
ztKv=s<Fv@_Afn-wmX^>^Y^*g@9wDPysTBjyzRG*HvC54bF4iWUeU+>7*W*Nt!|h?X
zg*88+VOz4XidTu1bl%{d=r%rd)%Brl`!~%_RbMRQL0{`}I&ZBV&$%tk(x5F}RnmE#
z_v(_I3Y$yITjj#WKbW6D-s+CNe+^oj)D>?jMOsQlo@)P1qMCmIb2T2MiQ9x0sjAnF
zC*(<D-FVoU1xO(-Zq1e74?8)Wy}4T7D(6r<X?-7-5rWqD31^v1KjW;B-!D09<o6rS
zh4TAt=Mwq-uCpHB!KZEbi>pb_gq@_&*giLw$r$<_MK~&>PZ*!%CXB~aHixkfk0}{=
zM3|ac&k$4(RXO*AgPLBfE$B!p#;jPesB$`hVIob8c^N8*nT(U)p$8Jt4~bXdr2w&$
zfM_YA?SZ+CQZaCV{?NeTYd%-d_@S;88V#BCbuCOqREi0uQiVp7nGDvE_KoNZ*XFq3
z-xT*QxQrJfA_~S!iZ(A7`5Pu%sv3zujFZ+YTg`vCeA#Bba(w)JNljJfrimA^D4xR$
z0=&)~{s@M*XHFu&I^}Re<GUC(G3`#hLlR6H{ca?QW<fF+<B7*huuiy-<hAd>-1u9P
z<c99?@kQLwwe&acK9u9iN<;Xi5bh3D;I`iu{LY-6i!C$Haq+L##^9k>-Soa94`!?|
zv}7|{39qNpC)&Zp6I%HcAY6xAh0SdwH_7B`u@gyngwiHB8!RbV!Pt8!C#FmX(L)T`
zQ|ef72u{-GeazLSV9pK55dIgSu<l!5f{x(*2Y@`GQ3J!f6nGuL7>lDG04{~(iNBZR
zODy;tz<*f__{9poz=A&r_*aDApx_mX{d#~rp{FZQNI4Y?j{;hpjWvDHzoC%TQDhmB
z2XXxX>RJP+*o^5L2>l?$CYqsGUjo)3keiKPDuTNd!K;cOiDjxh#%)3vdTm}(5?T>y
zxlQ;9J!&u~139ouh!@qv`^U=~e)ytf`zhqY@g|@H#GQ(JlH$HoaeoDL*qPl7Ce3T$
z8jUX-%q0I#4cj9wyji^cCjX9`!f8+wH1d6*MR$5af92&DLqf}-4>kc$%p&|9xlt?o
zI7xb&68{yeou~*NRs<I-g8m>tu2}%0MYn-YdfIRf(4qmwg+}}i$hxzEQh~%BM17BZ
z&E4d9^fx+rU(g?DH2#X=5BJrKP~e346B6Kkp%VB9CGfo$AP|&3g*>rZ7Pnd<7ZMrF
zF#*&=!xL0dUI7l?(<!b-arhR}Qz+9~kkld0u*$TOWg3PuVGgNP?WS`M<+mWBNo5uA
z0yj4r7>^>7?3fEhZ@wjBZwBJL0F5`~-UFsmCgZ%J=s>Yjj)`kV10k0gv3!fQ!ZmjB
z)blMZL$VKPRS!bekkBN#{q}rED%srq99%v;gXKlYiSGDF)vq48K=6y0rLZ=IwVLJy
zU>TPGP9b+T%B(-AtN|cPSi8XMs5MqpR|Bn<KD#KchsAcr8Nr;_fZ+ymu2Pp<fTqVB
zhyxNDYyv2%K@qL!b>mUd&!HUh2ArF*%SLl#_D01(Iu@i*LaOvS5JLTqF2oEa9TA4I
zSD?v`XE%lHxK(O4TJh^O=L5gefnw)t%f1tLB0r-aE$}=*G8(!cf0KM8U6tS3a<Qi0
zPgc}8PZqY@mR0C#@UyzQKlx8Woy<d#_;@)f(9sq}A5!FlqIsFx@Ax0$(KZ&oC-IjM
z|A@lhOFSCg!k<fg2TCYbCHO7zFd!Db3-RBv6>d_^nGJk+jT*>b{}u2qGz-yqAsX=L
z{<&#b+Sh~Sn5f@?-Hr?}!M$jD@cuM4`3!ay?}CB<y98e+Yx#>`7%+E^HFsd8vZRJr
zvt@xs&TI41yqlUA$AVebC*mLHr?JZToV<SM0OmC7hyTGpE+b?3G8GT$xR^{2j_Sc<
zpvE1^2>ItTsz(weZag%xW$`tbeF*)GqAh>Ni^vX0FUt$Ff-A{gd~eO%trwQ`rhJ*(
zdplm~CVR|k*GVaB`3jfBVd&^acPxPI5DVmHz*{>xtU1NowVY9r*iNuNdbw7l{N3)Y
zNB=rOp$uGg5&NG_9HEVm4;aB7uR}O)QJbLV8ZV4eCisYdKZlIiSrHRhKFogr)I*_(
zC=15q5>R6dEqfM3!EQDRjw#kr3VvASPnR1%;?^WGx#o+Nk-^?m=FC|OfF631HI#J=
zce)FCQ_*yK@IBdrFL8+gw)g^+VS%I`*<F!3Ncx>*ob#aK^9%XNF_sPF3Y6R?8c7j)
zuL}}l8Cx=#GZfUQ#4ymH5<fk|O61(2SlB?PSWF}T0CMAa;W?@i&I3(&zRI>jX6u#&
zP~4))i_BDm%4tjA8H`LT-&NE@{;V7gT>vLgF7K7v(zko&gCw(F5{b(}a<H+J?`vre
zNhdC&3=sQpvDNBi3C93B6VRH<xv4KA^UP8B#R|?uA{PfT61zz}Cku!BUhj9-y#z9;
z5h9(?P&r?`6@{>T?Tk-g<b2%>qiQ{)8nOyCG2a0TIUYjp>sk(d(`!FQM+Hc1p*!FY
z@k;<n*YgJfdaYBVCN`w?V5ipcX|R*7t&6SC1C3E1qYrihHtu~$ZCUI5NS8F!Cu_^<
zm89J2>q;8-Cg)bqvICH7Gxh`0Ad;&K?8g3vy=e_16}ZIef&@j6yLmx?cXdgjF6vDM
zQaz<r7vTP0Uf%1d#*{-orB@epkWYKF0M7ukPFM;Dvnp2KM!~88*G1*eN|fvqVg<Mk
z!s6u5>ZA$)lS5%BfD$24081<iU=;-gP{oTBz+$H4%R|D)hRf@o@g4})uNWlKiuC>;
zPUL;K3wf*jsSZ6@>dX*h0F|~E``41ve>~N9J1)toqm7aJLMMKJWVqXp7OPv@yHJSp
zBIuQesp~IMu?Ik3EbbyP%Gi5DCRW08cC3JxCR3gaNS`3b+=C>77M3i)cjampK+XN*
z)-$^O4H@IaZKJqrDDDGj3Rcx0;qtX>lsoibi@JLe2QWqs$HFrrmtXK|Pb$R2qPfES
zkr`v}%2XwL)l*n<+S1(HvfJ8HZ%>ZF^MI9u?gij6=u*8Ghul4FuI$xww*Y;;IwWKl
zehcl}E@J^KYE+^UH5ToI-7!IUpr<WVux;Qt%+ODW39O<T^r^lt<rwy_!PI_Ds?dRQ
zXCK!B<61})f5wQDb~n~aqU{me|Nc~(ZsTA06%IMCG6p!sjVM%L3+GGTNm$&*i%|KQ
z2mMDcp4r(QD&Mxkfd)X(h4=li4#`RItxrR;{V3YeZ5$2{V%>~=C^=4W<CQ2F#jio&
z%HHbR25MPmzE&wF0h%8;=r(@#{T1bn-(|+@t|{{HSGXq|(%1(k3qanyK(%wY1-92*
z`eZcTs@$^xrP7TPmdfrB_p%c8wSaQN8SgJcGe{%HljWO6;@a>ybIUbq(F@JUWgh&T
zR;<0E@k2qGWO&m2diH;uU$;6Bg#E|U-fyN>j;$MQLUYI90!#m%EO7~6`NFN3!#slr
zBc2Z4=@54T6!OWH*d#HMcr2nOhcREy7lW;2O1NaI*CDR6lBr>iACYb)yDM|v*-D<P
zE&Ev<JE9oj9q7HH1&PoA+-~szUf0tW9}s(E0Ef2hp!m?D?yVTFw35#7#3FBzsJD{o
zVD&bidB54Nx_&G}6&5nl)LCk!J7&LQ?XBXYHunR|``SE_8-Fk=gVP*bxM|qcRb)ab
z^w7W`R6pfmn|Y1im#9Q>E>Ir-15UnBl*l`4;f}4le4Fypn8ADP5ZtkeO_^1-P%tbD
zZj|@0S;zI_$`>78=9_SETwldiE><lVZ~7lBvuRa5;Vco~Cgbre`FInalJO+>2R5i)
zhLypE9q8Y5od3aV-oZN@k?MvXoCrvY7U27k;<8_3?<nG`iZl)qPiU}?9elZDg%z>!
z=3StK{S3`<i}OHV;xamUjIBcwasO^;&R~(KV6^>PJpg)w=Z5(XC$8W?Akma6{)y#B
zPvTfxupEnH_apr(t;$3cVjhp=+!E^dlHTxLk|%Lm85jb87(e8|*HN?pm#=OP_4tkr
z>A{tsZev@+wl1Jb84`RjwXp9_-13wNpFRj@c|D2POf*~w;;~J8D|m4KE)^yxS>z&x
zH+8WPpW+-88gXN?o11tp`xkEeVXG>Ji*HT#z=E>c6AaC{QS?Q&*0s$Q=O|b~g4qo=
z5&eQIK*o!$hp2@6uz>R!p8Dd>0$iRuHcd1k73#i*#b5ro)AOf~cN-fHZEx6}fIdiz
zywtAzBl<gCYKZD`c``=M`-9!=OIyV`qhP<p2aiiNPmicblwRJG4$Exm%gUI(ydBk-
z*DQUZw#ao>TCw2Zh?1bq#smw}pgV5oXszmcP@`>dR**ZNA$7!G$6j<UAw%&SS?GZZ
zxeJ91IxHPqcR7DKFF3cmal{zt1YmUERsNPUv_T(be~hi{(b{~*)X=vvyp-=pJmWW-
z;;*`;L9t=8xPq%|51f^t<DNK#j_6X|UQgvr*HNfkJ@E!TI1a^{jyEWAUz=N7b`}0j
zf;M8+7560Q!5&UMaderuo9n9BB$^J42xFCryOMbj3<nFKzp;n$V{WzAd40W!a|G+{
z>-7l@DCq!<{5)~dL1+*Xkek7G*(R(9_!hqHQYI3BBaiEsbGCwa2PZnOFAPp}4h8W5
z|MyzoAHil|L^K2?iJKsvFBDD3^|;$K2rM!3PC#ghamz8hG~?UIipmN)G7q}7mEZ{J
z1MyVo%+OYjaSkX9b<bMaG8Zc>ovk<lo3ATJ3@CGHE7!oJHn_FLI~#WNaM@RXa%51b
zsy8iDzP9qahQnQRm`}T{DTj^g(hAo?$&+woVr_ya`;c#`eBB*eplG-3F;1ODNh>ir
zp<>g~3m8w{L8!#gU@ls`htr&Z<pIQAW8Q+2;#iwCUGq^%(;ov$`N+1a&D>y|92}Qs
zYz7<j?&!Xo?VE71->5X)S?z7Y5E(5^p}P4$7GH4pQy%0+8RsU8w=lVv+kALK$Y|s=
zRjLjjqygrG1LeZh7)rwjkqV!|-v0&(L_ScH6s@W^Q~?yyJMguBOjx*i7{HR#_u7-I
z#Qj#LzmXL&fQzS&DNbC^L=QOv>+y09o)O)+&{Pged4Xx%g}Y^l{fA~}Bpydx14Y!9
z{vsa2dKxB>*(iw%4eprfH8xXwLrI?@r%ms>0T(WF`ygqR9?VT1tSuXuj!@{3@W_n5
zchLIZyouKD0cth1evGaE+M|pk<&Y5<J;F}neTLon1pkOvsj-=5{a76Am<#(j?ra=$
z(dG|=Wi!vmAKrdoXOG{2z)cH$kDgwER<bp}R#KzZ>u(aPL*$H&=M{Wtg4t$ETi4^C
zGT!-L``<Uo`PBaRDWLw({ck1)bbJ2y$~e<0uUp0Si*&ToCri&-wHZysA41WpHsA?b
zkrFelxHxNKU_A^24%b}|ta$lH>4Cem*?2t_U2v)=l&@oMz$85I?Pe}0v7T8do(47C
zEXHd`PvSr)w4mTt%(~zjA+ae{`dzthdgEW|b1|$epL-()Np>lu&ijS^6B_Y%yb`bj
zK6fO1?tQr9`U`Obc<0!q+ZB?ghYWZ;r~s}QgWE+3;C69@xNo!Nc3pV4&yzR+5j)-z
zXPE!Rekudh3`I{C>ybikEL#nL+bzt5+r_wY**|pKalGf7A;@VArrS-S+r1D92NAmX
zCz-Ua<jtt0c`gWI@v|p1b-b7)N$GdT;>q&6W1!`?BKfgEDY~1lLu+OH)UJPh{vWOU
z>pwVnrap{9z$KsLUoqJ3Aw6x28f-Gg&uNc7;*at2U`y?2WU`;|pBSy(w!aq7oF#hJ
zTJr}P-(3Rzvf{f7<RkScHBRYZ{QP_Lm`0(F{iL&2cOF4~`tcUpcPYwk;75j9c+IVU
z6}EK;NPFVx`}xhG?guCxRtnd+I~^|kI78<8zPqu{r9IsM|Car+Hh&zI7tCqG?!j|@
z=6aX$!4TuH@;8OX`<_G?CHIxsk1eD%M3+mIb@Rq>J@kjv!r*;a|F}S{7VdLbk8oZg
zzIzt!3NL&Uy>J#1fqKvbgV#=+g|sz=P?=P%ia`^-O&VS6P56P+P`^%$hw`<hxD4z^
zm;cD<eC@VRafym&!YX%S_t3&g_;Jysz&3ml8PYouj~lo0HT`o`!n3a7*Tmd|Ywg}M
z-J#KV`@^kyHn|#(Cb;ci0-WGYb>T{whUSZ1_D0voM*+3313U>YS%;Fk_Wc*0lQs9I
z-1@!n)?@hN6S%+wljHe+pyK))vI?`|07{Gt+||PpyjiZ`<Wza27YdX6#>u`h<&RRq
z^tO(X`EZre5TnV3Znb~lGNz~YUB`1C1!-Df7?inr9owPp@8PuTA0Pi8wz%?F|D}H{
z`+wsfx17p9UW%y<73lwqf4mDzdjGHdV_%t3`p58VC;P`gR>%C~iFs%w=^uaL)BmA=
zd`WVKfBXv{{(te0kCF4K{o_oa{?Gm6nfu!JkGz#Kriya8fxGL<KWbHX0IhsuA<fHR
zM_{8hGi@r6lV>_eSQ4oEP8a|&Z?|-hjBIR}pL#-=U`VS44@%=e-FhClk{V1CrA@mf
zG;k?@9l~wwAA*HMOcH;_OdXyMlXSW*Ix>VhnD!OQ87$_G{-zX<QIIUohcFo~p#UkO
zD^f5;*l^jZgHrldOdk8fi<RPF8QiVQ{+S0>%WW5!5{rLfF-hk%_cwBu`|kyu<zmvQ
z%`bw1IQ8@n^Ryv2Uou|a_ld)6aAZ&5-NL?&m^{L{WBOH9?;Xh<#RTx+={6tGc23NC
znEPN0V*U_j=F3-4_De4Zl<brI7@4JmnPl~n^pO>8<%qws=8rREhspJZNzuL=i>F8@
zOMjH^hOLVEB%JJK6KYlOfno5r?u?56$wvUO#-ba?Icdb9t-?@0IXU+9U6WbwY4|P?
z?kfc=B&FzM-jsy)L1$$R$=>U|1J?x<V%-=m%$s&G1HtrTYhh@hOFV{_SFJVB?wwRs
z@B0@$%*8;9&!1BE=MhL}dtOX-IH?4VoZ0(c16SOH&humWsc@8-evC}>cFxZ4t_8~4
z={Dv6DB>cDD3>C<S4Cysr2rR6dDf{YxAUUT>nPFe2d>t<zV9n1yM+UO7<dDn5NTh;
zm#ybJjhy-a@9cR!7UDQk{#WyzE3BzatNG6N{|EN`PpW<X_w$|K%8b&U?|tcHdtUcY
z%%1nJL?cOi?&Q<|fj!4cNo@Z#Lv}!9wuo<>iGj6RgsutZVbbU8B?++he$5k7e1@8C
z#m|TE{?CipT*RKkzY%a^HM$E*YP}`7PmIOX9NQmwAwa9z4&IU<PaAM)O*|UWfv{Zj
zOqC0ih^-}+_!voTY2IiYxsYMhz(lPo03HMFGy7sfNZk?7f&=$Y0(09dAM~3eOq9zm
z_u^d%uXUbQlu3DDgJ1TZhzfGlUV(FQBw-#oNfdvCby31>plO~T8#j{gEm#|Ceg(iP
zwjBm_&iPh*44o+3;|PjozAY^i>_CLK_!-{E<Ykf^MKSvqnU4-&g*YF*f)DNcTU_Ij
zh?x9~TE0IfkB5C$fzUB}--jB1g`w#K<r*1YwWJpdj+1AM_w8iW=9J=vH>?|pZAfZM
zhg^b4cF1Mn3KSnt`Il--NAh;ohn~l7E_@Zb_%fC$G$&nrNCv^2Nkpv*FH#lmtgx4h
zB?{|N*mVlq{GiO+Ps~u*D->2J><0>)Ax0={H-$|umQA@>VF!pi6n5W2DK}kVA5+*Y
zk)^O7E3B@t<-pQe9Ni&{{I)_)R>(V4)?D$m!ak+2)e4)Xux_zcVP`AsB89y`V)J#p
zL&14Ns`wv8HB3>hQ&hjqk<~5~_bcoGg%t|>IkCZOE(TEU0*PV(&<nSt?T1EsVhDba
zdujeKE==Ye_-k+6H==ls5SJ;Q+W<s2B$vp>dPuSuIeIxYqv8mEpd^?gl>_<T0ckj0
z5&l*Y;-bl%=LjCEz=IU`F=G98*<ueV?qY)E?o`<E;&p|csIX-!Z%2ilC_)N5SYc}v
zmOm25rE4r?=kx;xhqsfcY<L6Z1EBE3SY@yoxI`2FS>6)L)3L5lN)PO}VUE_L`Ha|j
zA@MDt9xD+OVOjoxv?Or>Map2OjB$@U<mCE&caac-yY1Twu>wHn&ZtT3+D54`1lT$%
z2zjqb7N1E-&Lhw9bomjNeQnsG6to`;sJM#_if9Um(CkZ8<+{om<cyFxcZ4@6=z;sA
z*&s1lJgKtwS6TNfq75X1{g7FI3a4TmW3bf`nmD$MQn?TDJC*h4XQk8(Mf4<yXugnr
zGZ5jS3j83zIE023F|@We|DzLNh1Gz#B{SLw{I&~L(4)T-Ay22smn}tDmPnm%povx+
zVmhIr`v;1}TM>Azm4}l&*d<LYPZbYGa}2F>M01?0a+HcW$bqOT&*A&MJj$ixXCmxA
z96Gtb3<Zn3{K5RqeKd`*r?7#qVu}Ne@NSB}pZOu)!b5|IE3s?S+(0@cQja3>4`rW?
zdMqDcHh~5GT}k3vFvDwuWzD$$G_Q=;7vr}hxqt_XKh;6IFxSSby&%=?O=2>r;s5ws
zH5;ghd{Y4XwNSqwntNL3FzAfxt$gn6yB*p*Mnt&#R}b}r%<pilV4t4IS~Vq!`QPBj
z=t2Xq(2HYS+|pu8-6hMUh=N^ZA;Mfgllt-9y&V7aeZD7SoKnSDaFUx!zIiclcX27e
zuF!yvWUS7LC7pshdl1}vi22}d4nlc(o*+`pRAD1?wRCm~kTFzuvF7Wx0$v1<2t}m$
zvPJz(y10}A_(Dp}@VbTLAr%K_4vO)!kOjXNl7v$TX5Jdrzs9VL`12>&|8=xUr?*bG
zKA%m^H8wD`Y=mcnMR~f0^0GI`1qrQSGk;^}eEIuS);7A@@yE|eA%y39{>Jghi+>0t
z+_VW|(rgTy>^1TPvo9x@kNKJR{Cq^@-EqPx3#(XsKMTKc^u72ymZ1y#{$0xSuTG0w
z1+mU&V?N{gGlIM}_bYq`2~c=A)9BWyiXT`Lyve^Z3rdMVE%H8pI!~CC)v*2U&qA=p
z%j};2ljMQX+$tU`aOfRuD5F(Rj^@fH7EIW_k{ObX`q+N0iZ|wFh(7b>@<b;?9z4gu
zSiuXi#hxwD5-g}0tGrIU8E|OT@fP1V+S1@!AXRPs4V^#P24SlF3KruZiT_=OJWp{H
zWg%a+^N}n<V2`28_kd<_lpR`ooSN6>9G}mlhx`RHo2gee-h`)!JZ))~E@xp4_T1`w
z`MY4gJ?`paOswLqNnCmSC+xl*u8L!rw7t#+Y42Dh5^&@lHQvPZT}UT-N5a=+uFpJ(
zzqtE97jJ<q9nry7jen7g*?fC)tLLQTR{OeD4>`kKJ%=aj;|!S9|6sEmoq?YS$ECS%
zLk6#)7c)1*R%nY4%Qp<y;Ybo*hDP*&Co`D`lwjSO=gWDcjMs4~Ar9UnV`1=B9ivKI
zi~JaTm}d_}Qr8wY-Z{3=z722nP=Aht`YTXlKqQN<QPML>iZUv4t9&v3EExFn$Fs!e
zUq<+Uh5k4df8H-I`M(||<$nKZ_;VKl{D+eN%xI<u+Ts6cg#Rs3(%VnZf1Tn#n*7g=
zX6n%ne_od;%ip{yQq>=iovQqiUz^2gQ~!w$+WbUh#3?fTi0}cI@p+4LO?_$n{l7xq
z4<A}V{y1PE9+vE(;H$-B;P25E<JIUJ+{RlAV5a1+()npTaJqMx7q<jxOFxs>bi7V0
zL!b683l+i%V1%v<4Hor#KEBLH|LRmV+^iii3_|!zjQ`L|!V5!-Xa_`R6v3#+c5`!}
zq(;2X1_`a8exQ8jofvM^Z}GE&vtJ3%i@<r;E$G=FgkNF7Vb?OBYPC+|o`U^`<K?Pc
z5xZvn3T!N1QzytU2R%Mqo}Nq1MG1N315E6-{-YgcW#SF%K`qV$`_ZhjKHWM$2{~=v
z_k9v_V6H{z9>}X)O)in3CSu>`WQeOCLW>(~cyeX4D;VI54-oT_oSkwmu#&m0+39c~
zDSsM;JEo#f<@m#E>lvb{Lh@-|%JZ5?kFwIQSn2sz`l&Yfc}#cnJkhHBe`Y&<25Tqz
z`<s&xR``$N<+G>OG+$YxR*tl)i_y;bJwdfVvK?1;sL<<K<b#dF`|Yw@uqh`el=+6J
zv!M;B8oLj(F?~zTuRuci>mP^w*m1%&ls^)Dn*FMM|3-Z5<%oBPzXo`7Jj#Il2JzgC
zR{KN-@#heqtMF4=<7X3p04-}eBtFLjJYDQqAP~>)#)6bdE2iw5_5M;c`mEeji}*lH
z{1vi8E4HCm@IJQ4{|xkt*8swo(&RMj>L`fH4p4V-F+i5CBAq5Qq`AzQ${oAz+G642
zMSU%uj8bP0ZT{D&lB*I0Y3ZcR-++Xilej7YAS4WkBG=|~)z6K#-8-Ez9)H>p`-0nL
z0t&WPe2zzBADoEzH=b}}KLdrvtCQXvw513vp;_A!vHV%}Ir#8mF6?TtYaL<^$1#>0
z931O5^qefN;jbRgsm~9-q1<@Hx?_O%z(Y5%k*WnM_^eL(RPB-_+Yv^aNqbR<7#J~Y
zfIAf!7;MYPz`#xZB{jT6hyIB29Fi7MHMixtr^&l0Qu8sv1oFj$a!jrO97uU&=JCT2
zERG;hF#NN}<Cx(%v{dB1xyrShAd5M(u_6*z4RZjfqU$4&)q`SsxTNXAu}5aPRtm#!
zaDWs7LGk!x$f7z2rMN1Hlcf+BPUFZwB+i!KEut&Ft%`y?R#)?<sf=$~UvB18O2!e{
zHdP!uC<lT$G%l)Jh=?5MHxDTE8lrhcMd<M~G!=z)l!bVJb)F?P7uv8x4hLr31YPAk
z;bFxW_uu1M3d#2b(Z99$PE~w?etZEc#~TO!fqf0bUqQZCD86bYCV&6*C~msp<s``n
ztMwp4G|u<&OWR4-k-W(91W#lE&vy}w85GZZIVd0jx$wXIg=zQ?yf{+1n!K!tGh*NJ
z9CF5h>uaUA_!pW@H-x;a2`4J~8#V~<ZOCWUcbCvf5_)SWdnoj-liB1OH{vQdKN#3s
zp!9q}cu|rscahy&h#@%wNm21JYP+go_Zj{psorUkGFpc$qO~wb#_Nk!S7~dk_2yq6
zfjx4fddeQ{hpiR?6scW?Nnp4r)r;#P?$5A@MAZYR1ImhB{m8{Kh`REUBYT}sP{`#`
zA@vmEfDm&T`YG<bymj`>Kxf^JNOTYOeJ44@E5Cqyu-k29f;ZQ!k|z9tCwA9}O{K)<
zWC9Ca$U@U#1%y9wDLzC42Ib(F?f?I<_9kFbRoC7(#azu$AYy<JrMztdS7WGX3?vZf
z(8xJ@N=TH%T)pbm#2BwpV;Uu|1CWN;=eCuQXx^B~ORk!b;k}ZWD1){%$RLQcAd`qR
zVAH2)MiFhs{(k?pPgOOT`{sMT=gSl6Q)jO|t+n>rYufuDHN{slm=x2Vd80e()tbY?
zx9hU5S}#g08YS$W-yrPL?iLjfxRbt8&ul>8evd{0lCm3ZTWeiE2Z){d0t$$)3Zi!O
z9KFpw>H%0+##kvC?dqB-u*22;UqIpRh|gpWb^w7IpW^_&<^YDe7LMO;y^C3*8y&z1
z^+OXk-D!Pn0iw3rR=8XC3x<F)P5ha{#CvxUGmmb2L=&goX!1H6@qS(~;u?*3x@)c0
z^(W~PrCfh2fug$~y8+#9-D%Cm3$fVUkV1FQ^FVjA)!hztw;Rp{g^ShbFJ7~*zpJik
zb&l)yY<0`|H{Nou;GVi;s@C=`<YQqiq-M=Q5b56GR{o}*dvqzSQRSbhGIz*=JiDV^
z?OeB*7QIyEO3+{D8qf{`WCxAs%m2<v;Kok6-f|913DD0=Kz3Q{;;19{wf5js+yc4@
zAnLwctAW+sN$u!1SK(z^UD!&ugq!+sAL|K?K)1cd_p$!iRrwE9`3zOww?)nQ$9a;9
zxj#z9l@|5;H3TfyY16SAl4?g^OU1g#;pN0_=5_^K8f5e!u*Rg93Z~Cp>dct*4F?xp
zUu>+5UKn@}0geEWnLbl&OzLYiywF(le*kk+sj-LS#!|(`ehoa0)d{f1HFk5cG3mU~
zu2<uc{X#JFN{xLEIA||TB&sU_O%c%M5>WrR$6o{BaM8o{7znV#-8TG#-!xoAQwyzp
zN`*ryjFGSw0J@Tj6J1>ZDg%fu88p>R0yO#qK()62!oRJ67WsEN%f{ryM;z)JLYi+8
z`997<sIAuiMICKwR;R8rIyN#eMWwor@m$rV?lS&>sGm}`WY6Yz!}EpxV)XaatlbB<
zme=_Q&>~9uJ$1jP@&)Sl8OmcjmT5(r)&r{z&CDi9?96XPn8xio>pQysv~s_Fd4uYY
zI;~vRX|euFl@C6x{H{_t-#@598lMG@+`jQ!jW7!`^TUBE_!E%YKNsA`if{u2cY)yU
zku6p``g@euJ##y6*TP@<cRn<Km0zy%XH>4E2kr0^?}b&Xz(f7QZQtVCU-{nENBihI
zo1@QF)ywD*W?%9RDz{PD^yImH=I;VlOS5I8>FuKrJq+-T>Su!b*@t!`dt>w#y<e&K
zpVIrv)BCR-y+Gyb=p@qm$iE{T70<s=|L4~36_g)<2lKx|yD63bU4QYld`xzT&cpqX
zF{3WXNmaU<FB+h?xkcLOq6c2V$9UDaabDFYLG{IS)$ZE7sp9X2f<FC&*UZ;_FPIP2
zcDR~WHli<@+H7u9l&m24toFBntAh|V+AyQ<?{hH27sBs|>h00p@td&=5y1B52E8HE
z0V(!msK;?bcrK_yW^d=JwUwBAhKp-nTnQA8m*vr;1}{bbK=d=7O^G}Z{YtN6-H4K3
zyPuC+69=Lv?5C;w2ckb)EmXt<(MBF?zl#%y`=|s`dx-?=q<QLWd(_G(`HfR3%Ia0F
z+Ppi3c+)T&({^l<p3x`w(hvbofv2817=03WM#fJtbQ6c3qtB}a3>0;6p0&osM*4BH
zfu7Ri1RfcV9xpO*hVwx*gKHi%oL6i(7(vUUhx95}Edd&bzXn9VSYe~K;XKh&7|sVa
zoErphoqrJBY;{S$SKCkXBM9mIgXnf1t@96}i9E(P=#+yNA_nA}E`)Z99k8FeCwA25
zc+#1x=woz_@k=aA(czREitg|{n~~srS%J=%nzh})35i7emb<|&iw^JMNhYQg4|%2N
zSi|{uE&|NoQIaFzWPXj)_rKzxM73}H*1a0XtNb+d&7wR3VVf}k>=LgcA4gpd@#-?*
zup_{!nPgGp{^D;jXw*>p4T3vFi%Y*@aPHrCzw1zrj4*Tfoj>C22*XB-*?|ob@t6wt
zuRTw>lwpl{+{4CH5OL&xBc<Oe*l`%GRZ?o(C2S0+J~r*%TfO;{@BH^W@4D~KYh}9f
z`BU;2JC|E7sGV%PRYtKF?m~1m-(Xnvs`n+L9yjtlav3SM_-nk>gb43-^c*iMmUreG
zxA?%FJrbY93mdHU1=ng$wS$*6-iOdD_8cFf>nv9^kwCsTp`K>(t<lQ2T5_@vu3k8O
zsIZ}U!$B4D#qIOK)!Fs--0%s-9-0@3K-1|0$kXEqXWl=}?=#M)JwKQBivDiNLqA;G
z4r7PM6Pn^~>ajH5>8k`?$8f(F{=Iu}r^I;?+oSQqia0IL7;sVfxtZnH4k3+-&$tSY
zQ~o*sQ%aEM&I6P$dVqdOGv)#MiE0kpUUj#R$6^d07U(dR7qvah{nX{#t=fxvQ>a*x
zy8J-&LnFr0Dd`Hi!JpI>WX`zfbIDvnc7Onl&{#>e+Fn1NfpG3eFK)kVydUBGF?ts(
z^%rWnYMKs8Cb#oH_WIiC_1;sxCOU2*QaE}Pg&I=q4BAFJEzh;Lr(%B)er)c9hV83Q
zbxu9}en-~4taQAt;o0SK(OvtH`3HmAXYPjJLG4SP=wADhs1v>aZRF0`<)octXT6h}
zS)uB+kGLznN#e@zn=5=%51-A08k<gIPLH6ysWens`_iO#?JY01SBNhHcbkK&YzKEk
z3GN5Q_HJ@;W81-<Q-q5huuR~YYaQIEc5tuVQJ6>mk~Z-y(sq$}m~`jvgchP4OWMQF
zt9whjya}!FYp@7AbL?>(x7>YQKk$U{Ye4nR&eY;iI_Ei%+2S@m4{aH(b;D7)AUCDE
zj-`@$&xY_pRBubhc85J-{rIp^!oMd1PK8fV7%uh`%S_O0<W~h3M^=9uiqVdupV4o4
z38-A(&#5UJ8tgorro#HVu@9J<v*=%3gO3`>=)u$A5Bw*?F|D!=V!`#A<AYtJy8)@@
z3(ra>ng}}Zft@XJK9*;VX%gj}1n044+|cNYai7Elwc)ZM46PYAEczpE_IzJz#Cl`x
z=-)pi|K!fP?ykEl=+2xsM=`&N@oCoQNb}=*Z)SHIyN`wAMt>`=|1DR)jQTBgMfqPl
z+K<ZzyYfBPQT{}`@?mlL#jbo6<#t<TVI96gImdAe>u}P8tf!ySNgk6EtctuV#=$hu
zbH&*1`kS9roS&0VrzD>Uy@_>nkpWI5osHDV*(?9X##sBD7LniSUf5-+U;72b)l!B5
zn~0}ym!3`7%`V50aPo6MC~yy{td|cpmf`{ZMf`M$`Dwy8byYiTunJc_1_qC*pDrff
zaX49u<7#Gp{2*h|;mXK|1DtQ~M=!Afj%-Z*;J2C#w{l0LdBel|h{)(WDh>Cuo9jq+
z$T^K0sp;4D*1?Qe5u|8YG?&*LPsd?$Z(E5=ge~;L_vCl`I87O+v{lqxJ~a9WKXoB0
ztimw@@yk%&4-@1AIJ(JWw~#CML$*b$<@r9BwqpJ%p3$|Vi|#y8ZrX_G(K^j)bnt-r
z9;QMxHpcy5v+0bAe(FjucBKzE$~U;uFGTmb(mt;A7q0X#Dy@A~Qi68hyB{U~ao6hO
zl+-@z<i_Z&Dwyx8OmkHvfT&V$C9cXhtcnv!qvxt%qpK3QDw1tf`JqZSyDFcyDo)ys
zo}z;HT$O>Yio_;Wu2V^?tI~F@2Id6m=r5|^ELX6b0_Gy7qsmZ~3_t{fp;ujr6Xv6P
zt7HTv*Kv8}pDCJ6yfU-S1+B+$80~$0q$8q_*a&(o95N(cBnl1vms%RFS5@b0(XyjW
zqq%mG_~8sDe<gL1tE$oXf>CE|SUrM)MX$S`m0`6|8!d4^y|7wni=K5qCxz8QNi@^_
z3@FyvqsRDNyGZTSjfI)RYGEO|n73hlCu`8&dtt2zih|lNE>h!#A`y<F)<v$CIw};2
zKoo6L(c<`Jwc)dq4FGjKYM@Zpo--y9CpBxLN#`e}5SfX={jT#xh-cN2FmN$HYoFB+
z^lP{))Q+m38Gh=H)aIypp=vEsK}qzC8_qnruk4$YNwayEUqmkL>e#MS<qjT+pSa`4
z%&vG=(@={)mBsO_Ca7OObA^SDALplaT)q2bwDr08Lnc$0+F4U>v>V-%A~5R5SUv}U
zyhiu?D?tc*HsvLHy7;rB2Km2>KTVN-xcF0gx7x~A@k;G!IO@OUXKuZ_c*SpzAp{;k
z2+Y>*(ES9zT<$s3Gqglix5jAb0#xDUje1%1HxI$zJRsk6s=axwd>IcUnf^Nb8o=4_
z8S-`c!{2fH|A+O}e{_HQY5HsU{NuD=%7-Z2&pu;?ce(m~xN!lUhChq=lb1i=cA=8}
zUx4QrkKNy{jU}_rWv$q0Ryn{&$QST^{P?xi>P;p{$(aP1&@ZvltwUpw1JMSgvp|Rk
z1w?UzVY@A+?QtD%K1mtKp9yJD<IFU%_{eHMd_&0&;hSt^i0%}dHI<{^3vDBp+WiED
zoS$O-+Mn8p)>ZA~jxw@&Gzj+j)H5qB7|-q&$set4RXHRdsvp!&n3~0B_Swo@&vW=1
z`saT%ol)J}y>K6+-B-Xg)`shX#PVp(m$}84RcFpL>BncDcOqUt)t1YXn%p&&xmyQJ
zzPj@Bzq3}$To_&Tr2LW^aNJ8AL>D4zL9~L?l47Qi2#=j&9^WVW7z=IT37Q(Mf4p3F
zKx)Dg^83QYSL8+|ZVmb9_to^buIg#h#X5ifS#@*Y&t+pLHdeQG|L#y?Hj|iMS?alS
z=60-^JYdR~Z1{P!CR-21a}~Ac(D8sPYOm?q3L~^Ks3D~*T@&@;%KE5NSkDFbEp=RN
zKYqX$Yb(2+2q&CqdFG3$=PSFO;*!x*El<u4Y9Fp)3_|IpMU>9wP5k}AGw}J~m;NC>
ztvy5OJeo0-4l$HktEnPN9Y39p*TEmc>m=bB8)+=;K7K&-BGTtH{0{jLejn9*gyNq%
z6sz0&!V-!v0L7Ya0mVb6T;)*wb;*;{@jIkFemQ*9-0BTG%9XjN;kRD+9a6;aU)tgK
zx3fJyH_~PL$PQED`_<z73#@xK(GA#GefnTDJZ#}&S=3yl8x2LC>1zG%vAMc7`rngy
zqeKaAMt{bpw~spws5#~1E#Gu{>X~-xVJM|+tXsWd+p5NSMAAty(8(7|u1{UQ%``T|
zD|cQ*A6Jho*#&IUZ+`c~X6J8dOiTL-)PD4Ejk%zQ$9YUt{LSeV&F=g*6<e@Tdd*bf
zc?{hdvwfzaL{C!TJW2VIe6xHt?g>WBxRkZr&;G*tMb2c2=qsV>7g#{r-~K{l$}H(o
zp>Kw!X6ZKqWgXDbWjL<L6yZSfifADwGvpqd*~&L$ss_e>2fNfrcaQy%DOGS+!hYp{
z-y=(;E&7P2S^Jqj{B-HyU*QD>9K;x`qTGwmsh8n@m1f;m)h`=HmEj>=NlJ?4JgT-F
z6Q<k)SU4P?-+2{c)XsyKUM|JI@HdTE$gS6)6+m8EbuSqE$#=k5w<5;oqJ>50iVtc(
zb00<8`0k=fAa4_-Hd2S%nfR%r_uM#_Xq>k_YhxC{g^;i5r!pvySrYGo=vq0=K4JT0
zuea3J;9^_z)azV_j(UnT&ZAiy#9uTBW@#8IO)3A+nrG3U-Hx8w@MUbD4PNeNzY?jC
zrTVl{;XVZAb>S=!IY*U4PW@){{VSl+H+zVj_ZvA|ZZL9wj;tMs-_Pi1mp1KWSd}C9
zP2n!C&wS->N64$(P$%%y5i-XM2ubDW%PPw)nxhVG{fj+6#WN;U&*&@e_gsF<c{zcf
zM(Et+grl{~ex3;8DyrMss?IJJ@EI~uMp_43SWneDD;qY#9^oEWX%7mAb~aGi4r?z5
zPQI7+JZI0aPYVUY`@eO!^r;KjD5Vws1f;~tRp+Vr(-g<)VU?=T9NoklAX?snM>>Oo
zg=t!HJThGCufbs_f0vNe9HkioxO<bI8pWA({W8UT|B8ia$p*R`=!9!*4NT&5{&14k
zCw*<c^L)OF9es!9eZ*1_b^Ehg9=(|NxD~FYZ!C?QX-`KhM`+13q2dAYgdi4&Z~D1M
zx=6g$O?9xBX=u3zJL4MZ9xZUN_XxJ$zHB%LD6QobVAaPvPnqj;56B4heRovrpewCq
z@vE16tdq69(%N=3$iH!=!@uz>a}097Ye4UdZyjV}Ly57B5Sq#eHR3}btLNVKjCZ~{
z>gQf_uBSQLBpp0fy)V@Joco$Xis#yAr2q-)5K#Punz>uNX#KaXS+KD^`o#NfZ40!Z
zV;OBekni(S)$~1*(f(I1A6In=xW41t(6y9Ywh>Y=$#y3U@_U$BX+74C8$oxNN!!Uc
z0mCFh(ogg^T;vOep3!5UxJQp3t6PUweU$!QP=6))u%G_yUe+Kt?pjhX?&f}Q9pN7k
z^`nxPyZ`#Aj0gD)a^r4`V-$U&_y5}p?}+yC0P`yUcqfnH5-;4Oy9ByNovtukF(k%{
zBQZLQA({_s0g?d(8dAQ^OS=LE#{(K;w8jTWGIZS3%5c$i0IP=RIsjJNifFoet-XJ$
zwGu8566BA2IGe%`B=mn$s9Ie^H8MnJtM<7rk}=+@E>Z~<!(*!Z9qNi8Nh(&>J}EqE
z9S#DN>vClHRfbP$W1n(`gjZB?Ei;<lfzhLoPbg#$xpc2EpIL|1WcQVE;^GVv{*IoC
z{_^e7RCeo@KgIqJwcPwwCdLHsf@l0tv+vH`Do!sb+%G$!J0rndoB+|=`OnYvuZQ<>
zyIebeaCl$O(|(`nuMZEB8~s4H6YN^ikpIJ>;?38c2G4rJ1!+mVc5UGmxd+Ceu&%EN
zU#+ymaNV=vsc83~MElJ97a%sdzZhL_d&RKj!#1#`Mt`_mXg+4<!S?6`zbZ!_x%Ue0
z@XAeQ=iZ1KMRIu1zr%MgW1Ii99V?mn%GAp#B{4nmO7(tySm1&F@X>~F$=I4v{Zcb^
zr@C6{3?=N&QPTiR;<#j=Ri8{$-A_}w2Tv&ly+8OprshU>sNdN=c`V#CW2Y3W`U5>H
za}zpMj9h$Qmaie4%w5x`W5uwe$jgy$-23@(6K8@sJl6U1xv319PY$(K)^z^-l$|!Z
z%5Xz!)}72;nh>K(J^WAnu-l9kPwwU4ewye$h}eqy!x0i@r95A<3sqn8%bh1GiLL>)
zI(s%Ix_biaxG6EEA2nmcs(9a*ap-ngZl-2dy;b1Us&&P5-9F&nit+!J!^V}h_Y>%B
z69FfyC_aWl9MKl~vgkkc7T;r)&oq|Y#xw}##XHd0>0iX@-4<QRptSs!jt7?Ivq*m#
zA1kXwkNgF^HGYPFMxThD`vY8%fR9-A+>)l1za9v_tBZp3(pPDk4W^zPYI1?ze(9V1
zj-KTg(Vf&xo#8g^2WWNpFR?y(A4rGEUK-$PR|9XCh4Hl^+vXS~rf&30&4~=)nT#8N
zUM=5bT7!zyvafUA2aG9HqTlFOfN(R~Q<_m6fXQF4>DKmoTCEHywqkd|WYmg%Ri>y-
z(cXvelN?q_6Y&+2f3G}A`Tuy|WL+DC%y(t7PF@h$<IbU~j}+|v+@!><)uX=3;%S(2
z`0&yX-Ph^OYSY2is?Va&MgPf}rrgwop-Yb7lyGSI-BrCp97AtQNUZ`W2pfe8Bn58p
zmP7624eeEpSBq+IV%(m5Mr;AJ_#$s;vFcpu@@Hq(&Av5N*R$WPVNZ0AC5e$6?lYZ=
zj}^6i;4FQ$cfUK7fpTJVyN1%T!u-O`Hp2%dYoA#^<zQ}V$2xOST^;xIxmjDQKAKrq
zfKNRiOzu$ZZ~c7-v<f)^WR+gh&J+!FHK#Pu&yF+w4bq<&j`RsJqs~)nrr)RlbGId|
z6=o{FT*s?;F<w>oJ(%*PY5c=^y*4kwrB2uDh_r2N<y@R}2P>eS3IR7;SQ;@QCp$#V
z>R^rRjQ%Q8pj!M%t)d_VVdR)Gw%>HNt{Fea8RN4cs9i!elaXc?&u+&LL9YC)DF<?c
z&%!v1NxnTATpIO+It}<G4PC><Q9>qoam>+K|F_|GiHCcV*wX34#f*bx9?^JrGhUJQ
zi1f|~tTRJG9+C;sHEy1Cs=L^4<(K1c&9B{sTiv6UF=9uOJC;U`Jm&7`)F+<IfoLMV
zXBB){iV$#ZSIqwuh*(&|q!dpm_Ody~rfXl{ZY4&dVd>texc%w0&v>*lrtnyq`+67G
zm$Zmoyz%uZ`DKAVN`-c_;`F}0ufCw*FC0pkS&@S6<io;-n|0VJUqy4;4?Y}E|4_XB
zbpPasz6bsM5Y_{Gix|Lt5lH9bq{f_iK5ml209xlxUsV9hRMGb52eqz=606N<IMys1
za9@tI{ek9e54O{6?hM>?^;bM!uf#}qzP>|syYuzc2NISu30%kfdUAdTY1;W@<M$ni
z+Yd`LF+Zj2{Mm`>9K~~rt}@PP02M}fMo_VSH^)^5Yl^j_%Wg(|6Q2ALB<BlSojZg|
ze~6w0!2k_qB7Sc2;NrJ+ujGX#0p835)mQ%;Arwm%PXA8!(2GN8*3bQ)Kk)}6Y44L@
ziSNGxg=sW^antq$@j~uJ?Xl4x9l%Tgl<qphL0kX?w%VP%b%yO<zkp77w)_jacYPTe
z<nivQne)M5W$iZ}8=rb+w<P8cy80Y-Dr+B{O%lK#9T#t=E(K}pV$T98ic~mNw~S)5
zxW4&Y1Ly$2xLnUq=tH>Ie&0s=YpR02$3AwEL)NyNnC;uH*%^g0ot>cldX=59GL16&
zH|zE@f8e#7!@<#XqjAqdyU~b#L=oREet`N5hA^tSK{MFNw>)iy_qf7esZh33-6bk~
z!4*z+g>#C9feQcA6^?L)PpMFot^0-wzwZh^N+I9$C0F+$YmYH8!CAit*s^;^*+G6T
zW32``wWIgmcs>-X`;}m4$FRREz*dya`XkS%p`$t$6N1H?RD70-b@QnPy}xP`KSL*T
z>kY_Ikna1xPoWVkIN9Ewqx@Scx9|JDr1GDiRxaLGe84Wxmq5adl`@DCI5@gd{pxf9
ztZKY3L9}NSFWncbqpN;n*@9PBTAZhktf6Ozh_A^~I*Xe=C#gdIILdpq7J_V^DgRn~
zH3>`I?&}pc)XrQwmie>BZ(^J?7^im2x;bFLiA$o2*U=qv93AL4H@I?3NOa{ksF$V#
zpZ_PuDmWyd{G+audw*$He^iRUE+N1*oIz+vUs(#oIARiuG}_AAKP?@_IHH#@h5x?5
z!KP~_J?%(zV#%2`HG^o@Kd!lsnlXAbgeUcr*_yM)%_cu)V|&uIx6ky+;avRbt>Ra=
z7Q>tF_U?*so|bY&IQs?uw3nyEFZxI!x{r@~43XFS&i6Ycs=oDp$3)fFCwsZOx|_fi
z-BBr~{Zg`N+C!hyk9+trS}uTT7qT2>az!^<dEz1N+S?v|nID;T)vaTv^{{y~=$y0p
zFBdk5;_i3+T-+ZD{u8HiahQzpMwq82YgeRZy~l5_`oXasQZs)qMyh^r5|2-~$KgCa
zs>htP8wMTZ9vpGIXddMF(wZ>vl_2-0^0|7N9ORxVpQER1yxh$4$9bB>S)$w{<ucp@
zUQOq(a#`+Hp4ClKh$clRF#WvTc+ZR!wqjksj@P03<>Aqxr^Tw=-dA;dC0EI+|IFgs
z=~8Rx>VSqONxh;WYx1$U{l8j&9tUye&|h@n&%|)o(=2UP%vdd4jc3#6EEvW3DjYAw
zhL^^Is>Zi>aaIk{NX(eIwJ?;_tnWw^QaC*J1)YkLr9$jAc#fMh0T^olQOi^DEK;*B
zv#Qr{yD?KAE|^JC&r;=&Smi3|i`U@0qxkOV<V(fct*6v+p|)7Mu~ewUajS-6<nmji
zb$=*U)n_i%=MXh|6XCt6>CeT&IaWADni)H3bmf1lq>^ibQ?q7KL`ngvM3cc~;q6^k
zfrd;PM4xL{bWL1zw<|i&if}f$<}Op||2Har1I1Sa%vaKe+0`$JkonKp&-U>O$=Ah>
z+rz^d?9VsolGW54{TSa*?POB1FngM#M`2K8&o{l?zcTe^-bRz2(5vq~;N>O{2y(M(
z;1B%rram=S)_%Kl)b^qP!lhF#;mQot37ew}e=hw_R&O&q$BXpAcUjM4tOE*H@tPli
z54K|63gj1n%vi0vyUqZbPJcAzpsIjc)IpA=ElAmtzfj!Ijh)v_W@3nv!#bR(JB(l_
zrRq2%qd9u|(e`uw9c#eGJrdT|Y@=`dT5nR}XAq`A?%N}nGVa1zTD0O3%mPBk`KWh1
z;i`7cXI^n5Tt^o(R?l<uh%ds@y~9iw`A^cDN29mVsHB4$WjWF4p=bdz(?;{h)5o0n
zP5k~*Do!m7Bia+cPR*KX>jyIm4%Q@wJmV^)X5C;Vj5`S5rI+ZrVjXO4TNr&D|5Izw
zoI<Ukl)(@&A#Vmrr2#>&SA<*kUlL38x$|>?&iCLSn_q!WuTpAs%D)dQ;$JG|YhqJY
z*8WUVrglPSrBmI+t);11%5dc-y;M!J9&(e)Dn~Y?eyF@McJb8A*LkRpI_dINzNtV)
zU*)jHJQHi#Aj_Rw_BeZ5vAi3K*j*hfmQP4@eCRS1njlxzB>|@_`a1Qw5U5}uRJSCm
zu9io)?Twj>YsPn|+K&dA2u2>6vcbDW>5n9LA@CkdEFX`sy!a9@!kta#-#cYVXzXR5
zfKl6fu&1KY%%AQE-|jsZj+_Se9k_S?LBLuz%{NYNV0^-l``$5Yl&s*+lFrjQSLE(H
zIOEho(oIqi3j_K*XCKY?jmmI!d<X4oI4m(|QZvP+(P3K0THv!FQ>w<-{!M7+IW?=6
z2fp>*hmh5D_t>}Nl<)E8EH<+r@W#Id-}e-5vaRfb<LKahWi8h+E^p-WD%=3e6Vt!Y
zVG5sYUQUAEL2p=8F>D3jBbnwIF2;wW%Kck5McqCPQ<3ef!G{OiZ6Mqya6c1fT=`p!
zQ?OwS1FsVv)?$98qHeY@Qm-NKjgr|V4l(BV22EBU>z#V|>pU2)>@Ff=t&^|LhOcs=
zv!(rN#SdsJ-*7ETud|~iOAO2HMk6^{9eujGwcA6De$Mac-LkoYdrB&nS0tF-n{{nq
zgUpO*^Khm^NEq#$+sFqj*IO^aoByRZp_fcO-|IdeZw)<c!(MmtSmX8c^_BO~JDb0V
z6mKwp5gT54MQwJ#^syZWPaoTF@ba;#&Y^b^_=Ps^iWpR#)Xd8vv_@PSZ2q4>3vjUh
zu$7EB^}~M#f!SO|Vbl!R25zG!dcd0K8J(+<!^WKY?~I3XzlXPr;YYXfzU2`&|BqX1
zI{e=b2dA|r9K7)<!@*<!S;9e1xei{Uw%5bFbXb_d6Ikd47N+u8<E3IO^zm!QgM}}4
zui)m%@QZ!&J&pXr|7F(y^{4m$AsSrc`tQ)Le@BD&pD5DcFpn_}_VD<Bp#h^34TgaK
z1aug}JTA(Ak0H#ijxM+HyviDGhmQ}9=jDqHA9t(w(|F?6(s*tujptwf@pv=_#-*`b
z%HN@kZ#d)Y$oNqCyixfr42ki5#m0BhKNw%R8(#wl8BZVIa=mfXTFPULuZ2AR1ALu1
zK8=ZSYHXGK9l?0VGTu&%cP#IM{4k9-ckR~d<8bQ(tZs+Tty*Ir;;*Vt3ZMOZX>?pf
zUERj_O~xgbcLMTimRkQ4*v(!ziHo)SALa4ZaFSTczK%lps2@-tt@=FGI#0P^`MBO)
z@_(W~^Cz9YicS(DwEYR7j`@cTXgbTh1HU`x?<@T_!HoT2GNavnN$vKp_R@L6!O>1Q
zkHQ=XOgO(EZXknzWeDFNXGadg*HSb0(N%Qq2L;ibnzf7<m9@_n#q(SIj>WU&Jdb@j
zuf&?=1aM{fSu+=>W)7qaq^zI&*N%R!sy{;d?bHvR0%BBK)xbPfknTYl)s~tiyTTiJ
zI92_y9&ll#p6kS=R3z??O9bKKz)A1ww)0anFGwIxtK0r*%3akbyG*&=UGFgg>8Utm
z&4n_DQnS>w$ER!-p3MVVL3CGK@O>5h5Awd2h^ORz@6+XdVgIGmPgPCg-%C<6hq^(G
zOU)X?)AajO9jA1!KH0Ns6!T%%?aqmTDKBx!#Uk&P2D;bK_8|q8T=NjESJcfxM&`fE
zBXv7ZdA0gv?<p&|6|Lj)aVZGgv2X6S17kn;@BOB1aK}0?iRU-h8kzDEb2}T4+y+hU
zvAE$2XszYxl75+b?#kX)8;0pnH^j9NU>MW{<*DcfSIdkbVtnPPptf`Q^rIc8TvC0q
zqdtXxe?Pk!MLm2v?m^!%jjt=Hgb20|=Kq_Q(~owZ(xv)jr>d3Hk9JATI>svwp;Rr*
zA5`J}DfmL4rl>yIBQ<Lq4|YmHT#^4Mzd-5Lu$Kevl$y23KzosQBv4hfbwFrOCWn`s
zI5o(P?T+!9`<W^Bx#y)u1Uc_oyr*WsVoi=6P@#W^+P@?0U(f!%4aI#2_1LsVuxd*9
zsy;fcBK1UlMRjY()Dw#<y4R;>{aF^XRJpl4XgzURzf9JO@HHiAY(R-4Q4))xdhcyS
zn^{3ztzmW@7H!cq91`t-t^M4D0T!k)KYjGXe@J)bi|?sfm%u{fbN42I-~hsnWLMnf
zRlH854@PPkQq=#XMo+2(wnOw|DYEd=*Z7rLN8Sv!qQ%^{N6)=fY<DZ5r<ERv9xs(*
z4<M%Oj*|0#Y|YgiE4@nDtEyU4mdx|~c61>Iemvyqf<zDQ9{qrMj6}Ch&AJ}`GvmOl
zWm#bhG4-s%6h*RQJDWbE-xLczCwyU&#1`$?XnC>dyjY<%e9FLHgqy<kKT~`qXTgwS
z^|6K?h#-O>$)b~Jh>CtLL$+5c<*#DKD~+r==zd#exU!_LVC85!1!OeA8)gCUG2@}7
zA;?PqmuCwDm^F>b@+}NF4qHuY<c9w$mPucv>^2*l%Dz}CQ)rX2sq893ME6pQ>?$hh
zZeEJvA<E<8Zlx*Kx3bGr$=?7b_|gD}T$pJzfJxfq@>>0I9A<&^Q>NH%FEBg1y*+bN
zW$hPgZx~WpdoPyFRXuC(99&s@L+6Ur+SKaG+B><My|t3>ck#vTiqvaT+8ZlUuZ#~5
z0)J6z4PatU5WSLX-T*wiBFqEmf%t>9SCz}+*(`{tBDES|H85v<xE1d<zynfzrUJ|J
zn)23))EdD)K0e$B*!b`m2_tkdJfIM{`9S$xS{<)LzE$P(D7ciLd^%7uulcoK8O56s
zsZ}9)3M3A^7S!I1nRU>sy@HLts+{=nJ)U~GRwJp&;!UZ&c?h@7pb8#Qz-&?$!CZSY
z@jC1#9VjE6<>nDtZa=KOd8|e-G>hjle3hH)x{_x$V+R<<nA`2wHx43uy9Y|JpIjM)
zyI6cPcDJ=*dDQRXbDTT+d-Zz;ddWi`-z(oaEeJOTnR+kT5M)lt7s)e&<Unw`kybdt
za4g8QDjYsUjkJxy<JRTzPyNRi>E>L%0MpM;0?kE^uX%};`hamK5YLc$2|b<$)vbe<
zTt$hWY2f`iG>BS4ffV!lon;gTN$8dL(uacd2SH|umt5<I&}R!{9pu+XUA@GniW!ZX
zo-e{|$tLRsz)UFZ!M&l(BnX#eb&FqPH_|egt3CoUKo@={Ux$(X3}d6c{6H_%SeQ3I
zI%?M7lbb;^i?7Vh{QQqAKl>do{ie^E?eK_RGgc@u!b>#x^*hfME)t71vEkWVXTAWy
zV2)N8;>To}BeNDp3X?wN<{hNp_xTi*n|f*9P*+nAIqRl%lRip+S-gNr__?0m29Xy|
zB__Yz3n61YKYC~t2?+v8E)fQ-dpXBrkbyyxsnTwJAbjuW##DWr80v~Z<`FNm#mg+2
zzxMdzzXfSvc8Fj@z50Dz#Q5HfCQ;b0f9G63xfkFd5mD01OMvgZD(5<val<M);vwr7
z(%Q841j$u~jYITU7KBYI6@4=#&I{j^!*G6LiI>?UZb={Y(nq{xJ|HPH@j87lP53U-
z@A{@e@ih1H(@(xkG0fbc!HI_(`+G?TxNl&PX=DX3I6>C$1^rFkDynx(;{)YlJU_{(
zxA~d+`A={CTRzAv3&`PTz7ab{kcPa7gf(8~O{$&i!|W9?izk-&xz2sF@T|haYqCiW
zy}hf6lkj5v+N5=tKIUik(<>~!MjaYMH<kH``XC9wdw%-WAaf*0?(`CSyu^|~>=|_>
z#&1uJgKUr@CwX%!>XA*do|n5)2y1J$03Hp@Ch^D+B3_xzoTzSse;d1j2#<+pXpuG7
z)DM!=fKE^x%%)$<X1H>F=78&#d}So__QQ>SZZJMcSea$b>c!;|PnaPX_7dBfYK%K^
zRI-T)16G{phIaGR;?X=o#6ds(22=Hs8p%e#e)k{}L_K&XJV~=XL|$tY>LoTCk99(k
z_mgbyC%yWXfegKW^{#2w+6lO?o3*tZ@s_3U`rUBjc1fVtYzB;;^wTG@nK!P=z0m1U
z-$P#`M4wGGUzMvI%_3MvUobMf3#peo1hX`E^BUgR)lZ#E9<>1AXWr&D#9PW+qus7D
zE7{;Bmj#)_M*9t3dYPYI>n9KRASbcH4-ZNrffg(h`%$E0K$BM5gNXzj=G2eI{xf!o
zZDZ)<Tht!7=&A3I`H7#=3ahAYgpy6&e6jS&Z02Qzn4f9&(+9JNtWMXLvxfI|G@P+6
zg^B%s;>~QLAsZg^>-Y4^a-Vj%o*zM?UOmC{CX?UHW;QyIb6h!v%#p$}Kgrg<G@E%>
zyp}$mO)?dD^$kDyRyOfQHo>%3x;gGf9@!7g5vi)}g*mE}IilP%$CYk=nyJPY*GRsp
zd3t=pmn}zg^fP<><mN>iZW#PW&1!QtL(8px2F_XOC$=!<Y+|KNYbVp{7-+d*^yx=0
zH+!1~I~pqv5o=S;hOax2bNnPp?Vw?2HuIY1=w@r>$0*AtcLw3{Z03-kUJ|5tfdN)S
zHnEBk_s_D}wI)PV#2inWZM>N>K@~CE)mh0rHX&%K?We)dY;kj3Uz{ToeEbjHHfw^7
z*$hAj*?0Ujpa;Fg_8_q$YppT6wc75v9+Nv4_<$&D(akX%!u0B}7xM(Y{BSb`q+d4q
zIw;JhkFu^E6r_zojI@oAmVIznkY1k!u}oWXo0H;4$tck*y!r!7a=GP+;@{*Q>?x7o
ziTk&iv{Mq2Y<^IAagaO$KsPTVP^u2BZl2~RTXA7|nN7%2R=ZT}$NltjKl2(<x6dZ7
zt3E3T*Jcw3ugG2B1)hhr+vyl-a{zsS>8_m7?0EFF8N*PG=n>4Ai5>KkTt>21IIBOv
z4C7ky3=O0KkgQajO+k8X7Ci+qoNQH=9uxEt@zO`y`~)gO^PqTwy5U6SJv=xl{?S|z
zvaSLX24J9<LH!bR^=_7CGeY(Q!@(vm!}7N|&&j4w`I(Jg?uAs{tPJ|3HfPBC0pUxD
zA+$!`?1-t#Hp6c}@fJWLtY^Q8bqV3xLU*vQyvF{RO)vK{XrpQkxujZvm}uI8XgcI&
zP!`q($rV9*Q;_^X8bku{9e}fc64IpK9R-5!7{vaHsAubBJ9eZ+&N4~W%Lo+qM<2`&
zB#g(NiRQt_(SyuU5TKnA1!`_Kz1!C=^4GpgAM81qja=HB6ereTka(Zzen!((LHp_Q
z8z}{#rdv>lRs|t5KpR7+ay3x?m}smjNI^jjrFS$0O<gKc8np2IdaMft;W{rtOl`GZ
zp$=(rh<SIi;TRaA&2%C+-5731w;+j5&Wve%Jt~iyK?RN{IS&mfo8IUpH)JyyweNbF
z7BBawMAg66-2)T~@WCJfV>I^jay>63Q_xg_o#$HLV~`{K_W9N;g33?6EitJL2ECGo
zi0Q(NuEw5oC^K5}{o!PT(2xWKJ$Hki)9(i9WsD&}UrK0~*Q~q*gQjUM-F#QHA}M-I
z{*}VS(d8x0S4(|PE>*1z;wXZmtEk^in@h4`;i*5rJ>BbcP5FE;156`YLXci5)hR*7
z{T^TXb7b3FE8U2;s0K`Hk4eEXZf36u18#Prqb9INwnF_LI5j$BYVUeU3R$4&bZ+)A
zXnK#AKJEmomt2p&jv1gyN_Rm$l#~tY-5jA|kT~uo>s1EJ*o>C6o6+yOzV%DZsD>c~
zA*Rd9AdR4V1GClC-aQ@t1gVspZ65Fh#A8+kZ6~4VhFQ3IO-|}va!Wk7L^E~>(<3fr
z^eZ(1vleOSrk|!W^eR+B<7zb6`aNB70|kj4YE7Kk2xl@7Wc+US_&1D{;jws@JE0yd
z0@k5eW@p6<Rfm4b=X|FHoxWZ^JHW2WNNEfR4yM^2u~U$z!1FH`0D&>hN_*u-o2DpU
zoTBE(3!5AYoT6;V>Y7-$Lrb&Ctt?c8C7B$6@+Lb~RxnAl`nOPHp&c_tlQq5PEmLNh
z(*C}TAr&OBTi9h$TzR(>JuB*m64x68B?#H*rHAmY8(Vo9zXC3LSR6pR$0z2_rc0_J
zryB=a13X1%Nr%k1*HI^)uFQ4*w9g{5WsWg)5Umh6H0gI`J1qvAXwmh1ddOBF;wRiY
zLm^0_55Fr;x8?qxbju1Y_aw-!|JE<xfmzU4vWfTn%&}}@ho62I#Uz_}-4EBH#+$CZ
z6C_6<d5tt{_G>ol0v{>gloydW$n^Bq7{Agtq>5u<sE#xez?dxKTN&dQ9s>;Z8BNSf
zZw`o#&XyXD@-PPs1XA(d3s8!}Lkzo@U!TVyS!KU=q_8&aDUVjL1GsFsKbu*FvRy{f
zYBqz~v|}JF*E^d)DcZyAyIBqPgZx=pHku68^`nz&Q6sS)8<F2V07X|v`_a7&*O${f
z%(cf&7#!~$lue>HqJyD0C9yD6D&(SS+0#xlzoe?b5*e`h8YLAAe=wo$KsJHawbW13
z8>m_0*SB<}L69jSKE}@+g{)En(UGOn9|WLRkU+t)YAEkU*lws5Te2uQd>?zU^|K_K
zS<Mi@ZoME(QP@#NQ5Fp?T<<4o;%z;oU-Q#TgHCs_ttH>4iEIL0v88V|f!5KeVN8>P
z+z4{10n0>e%k}ou*h@G$k7J7RGBm312!sLxM}y%dHncGmZ$`1pim74}fOw~uN`Yj<
z-Pv0tfKZ)mfUC0^hSB1O+gJ>^D>nPsx-<)KZ#9!)^HsS=KC=AR^(h91hK5xuC7i7v
zRb(^vVuiMQz9Ek$=iq%5?rd@|iOw`L(C0(02ox+vKfR54q2F}$Ge@$Sw@|dQ30MH;
z4UdTR!xOaYdKhDhu1tw0Ts+P2SQ8{c?@*=WVILC=ZZ_~nx1}|g`RVllNNr5K5@Zep
z9PeA1#fnKT^%KNwp#Ew)?`z#0pwX1N62g=8dw^+!>_}nv`U7S33&I;6!t-j1cIq+y
z{Mg+x2Ig#*TRDRw%_NW>^?5M;s<=Oi4HdBfz;pzr_kn5DV60{q%3d`Vi3jG<+{9eZ
zi~Mkn;ap1c+8CRRq3ad7zxIChH(cq3C5y&u`mtf(*I|&gpq_V_JmA<M49z%AP#FDi
zpKt}vGx#3BJe&A-C_x$a(dHn50!niEHoe8T<3Jf5GGQnw=L@QEcp@t;e7liD8sdR-
zvRH@6MWa$SgHpU%g$1n``#A9~<z9M)<UEFQB(kQr1<3>1a08|XJt033MU7y-NtpK%
zA7qm<L6`){2Wt&#5-tY_k=B@H80raty&y6wGq!-s^%8Y^KVx#Z-v`U-9lv_3qI#zY
z)Z=oIHzL64GJhg@5FHeiz#m{*`bIZrwn=#m@NR50&J{q9EKI@iF4+rW?<T|zys>{^
zHUlpTl;aSn=eyDEc7qj|8jn7LvY(eBd*cJh*X6E@@}Kn6oBRx>*C|e^eumC9s*cw7
zNgNbnaO<LN4AXI?y@KQ^8yAws))B@4ozfMul`)-^X9vH5U_d`GkkU_LyPpv1Q5?X_
zHb0G%>-`|f^BNHtnnQp9#kanxKmb3v&tB|<;Cp$Bu@3}eXaf8246m6K9+G`!;tv=<
zv(Moclp9QaGmO3$sotD*%MNl0@h6QD0=`;WlTDlq68kt0Oi5QcG$GGk``J{IDRDWb
zF3mDefSa(74F3*1n`A_LX#@3A&^V!h>BclXt*R_#j5dSW&OM&Ly6_J(tFDk3O0!EM
zjPT23SV#Mi>Bp@Dyo<Y-IE66@Vr~~vzyVU{q@Q?OP9aU15vdW@0lo0l1UDN0+gMHt
zEQ#5|YI{#?pJBB$2?LvbW}aZJA^TboKX2L7u9En1FIxKHD5MA^vjDK@d*KSgBjaaW
zc@rdPkz2t?uuH_L-^<jY8!Xk_n~9y}Yt15Co3%fn$?WSYl1Vi|+84M3dd$uyPB3@2
zZ3PMr>Sl)eU07@Mhn<1^H}`XldN9#Hfb}zs?y&S1Im~dD;jNKwjY6*lVeT<}ejoUm
zO<wMifp7hO-t|G)Lc5r0N4*68QN#}<NN{xvqvS`C^Nsmb%9=l+5u1YytI_&oZ*uTB
z$3Q>jvSH*vI}*UZnd3q-f?IS9();kuffQ_A{4IWh*hC9Vk7#A|$1yI@rFNxg1M%ZF
zR4?gDgzweXp*7gp4%@QYm`T1{Y{H@1c*!-i>hPXNUj$-}>{Y7eJLwq#k0)e{{x0Sn
z*6}tooVJMjDcM#qp!W5^U_|&Z$88t^!gc}iA@o3g9``b<)fAjgO9RbN#(b^UpkVvW
z0bV7Ha<={Sb^yrsdhDOytT}qGpIH$kj=3Tk$6f->n$<)E#q4x~8i2FXZJ{2t;qB0{
zoJT-|F(VxyEG&kgLg5|{JB6ZdMr6gG1@oIbeVf^fkb8rym-;=Z=Q~nx3BRZ-kzc>3
zA9x0LC`!iXJHY$vv32k`#bwOa3tyK8s7)3dh@PO_PVqmk5Vhs-z6ZQhyk1ADRTI3g
zH_w;;S?RIeLpY%x9&g0m>jDALzrQf<>?5$_pitdqkU7Ou)*vB+3{z0N#x+DBV;9CO
zV?PuqgdwYU!I!`Eg~z>4qI>!{9$Sk*VbVc_1a=#3=ZV}1`9;j*TcAB)q}B`jT<f!3
z-HPey76t*YSe(1c;sywWp6;aBp}0lH>?w?Q5yngBgLI1+I3fIC*J29MMK6^8zOah@
zYE03MXdtVW(x~4BMgmz$ty)BLcnA71C6@?0LO;<sydt2n5%jYFtg1u5%p?oevAwD$
z=&u(l9uJ78@PF(jA>a_h7)0H!idr>jqFAMxC<XZ*SR*`L;LIiY65wi8g`6NB6Q8Go
z7a;%<kVN6ZhK1i=o|y}G<M|IVNLZW&Z~DZkus3CNCvYUi_B6fVP{4VaKsYm=Etow8
zVn7#Lx@c!sVvKGyfW@6AZv(`&(V*o(%qG(sq=}P0Ad0^!vzu6pR1w_YhZLJZyK!de
zPV}kWLbtO^{|>t63f*$zwL^D+#bT|XPwq#$JCjz@-Ow#p80c0_*`-0Js`5E9A`+Om
zsN`(%`wh?CasKc#=5Z-E$&E@R#zX~qJjEC{```Lh)q#O5Tb_2yZ-e=dXTc}=S5AO~
z6?H2=(P>^bL0C4*CJxJWMU;R*j*k-s<u=3sWgzRRU1WC9&OmsdO%Qh253?ULL#|r~
zYn+*{(u^=pU3Ifm_oLXD&(UDs2ID>+I55t*Y3psQD0u^thA3R;H~|6z65;Uzz7g<d
zULD7_qJIpc<HqP1COF8JW;2*xCgbM;z$R{6YBqBiI{v@F{k(R#pDW8PAxn;yaBRyV
zY8~zpv-bhX+Izu%eGBphTAGo^qJvG?QyJMV`ES@ysVKBpAY!m@D(Y5D``Sxl?C>xc
z&t_Wi>}ClYFi8B_Sdy5oM4hv`onpP0KmpiQKsx<90I<z`WOv3m2MCo0$}I;44hCh0
zF&AJ=m*0iqD(b>9S+}>sOmG6G>qdDAlCa3B0O<za!6VTF9Mv)Eu`l3$VLA47_hY|7
z%KJ$SFuP@QzN{<j9&$Nd21_J!*bv_wGrcN18FK&`)8^w8h5V`t)1MO4&(lA!AtP@w
z)-lc(nuYi|7>2kAtb_A9*p}zWki@$x(+}Kl4>E#b7T})w8rR3@H($o?AhVs4in_x+
z8X@v2KMfJyH{`WY3!@3T)5LO*GI&174Zb9nE7m=3m!-f#g*GWcF%9qo+oF0~0Whl$
zOo8Dg^9^95n8hK#k2SWD5QmpuYcBUwINGU%Rs-_6Jp^09<P7#fiWWfr`#NA$zrP>v
zwZ$gk>{D7mHM~UN(D&g2?oY948SZz-xK~|=`~BeFRYL~&;2!6+&^}-P9F$@#4}sW+
zjTx80{;q2DJT?tNGC1@pU;u>`pg{q+8xhZvRv|SIIP}gF0!PtTe&Frj?`3Ek%uo37
z?>3mg*&4`6f&4y&B2B$segc)<Vi#BB1`l&Pct;cBY*p<xTeg9t%z}6Q0;2z1(U8$A
z!#vY$hk23)1h8DJOOOL>!9^mspFZWKHwH<D4CY^>65>XNXN-0X0mO}7U>qQB@;tH2
ziR&?={N$Q!Mulo|HW0`g6kM6GN7z>l^>UO+))PNC>QHYQrG|<|Ihzd(wtr1nuVMSr
z-_25Bva;gQU8~CHN-CP$W<RbonkPai-g?{dqj(>VceCD~O=8Gw(-O?Ar4qaB7QQQm
zA-kiSpME<)vp}but9W~6?UlJlF8b0ftMCP3aPCFYgS<l$NJ{&8@2cEIpXPNhHtCr0
zWBW-YK&XRqkdK4$J@#|}@sCL#h^;1o%A7`~`~>0t1Ue1IlQ4z9nG}W{s1evX#m!ZA
zs8B`Qy^Z{B2_oyx5;{xGj*+M-xSB!S9(Z=QZGz{q&t923`wMCuh3y)`qh>%M!dwII
zV2{}{Dzw<#iy^aY%^!hXLQAr$9_KB)RWnwgO?nJuey2Z6gFRTZsEK!BTNx56*tgQT
z@tJ8yX81kW1!=%00HKn$Z)Y}9!gAPCVKKj*I28bgM*M%1+^{%jYqIIR_|2}!J@%Pz
z4jXp1VpwKS;j=t}{b0YF&b=yk>5!Nl3Xmw!MI;BK7hReCSnMH9lhlX}US=7Eg{no<
zs$StC%8$s%LEiyoC}}ix#7nOs=Y-G-Hm7sJ)ACt-%mrl9IK<i8&3K?KVV>|vaP>{S
zFA!xcXU5h6+@+KnzGFnDmIl-YdG`9bi#i*%(JJ<0I5ehYJefymn&?W32_?-^X`SNA
z{-%aveF$xNh13*bdkh;a(R4gt_AW@^P<St<gX}N1EDZQ}umhB+Ms82CwXkfOoeiz1
zLuLhK(uv|+7u*ZN3(KQ5o5o+i0@Iwk`!AeT_WUQ@cB+^U#Bkek`#m|)eA>1wl-6L|
zQOnUoTeFY(tsP&R`#HtJcu%GfQu-OGT3&jC^wIP|VKjjfp&H%z1Z+0MsmhOC17jlK
z$#$g##kaYl-gF2tf~5Q1f@qNk!S>3w^O$g7SWMxcl>zxK-LvK)abzrcEK~zfG1GaH
zbIouUj*7j)4V%n9XaPIYXiN*7X&E!@;deF2k{*m-69w&^{)`>X2|Wgdz!nPQACyhv
zp%E#v8I=G79YEJ{^Z4vSSb~ma6lO7&<TubR_Eu0!t4ht;dsXgNA03hY=*8M)Q9ZR2
zw{$E}W-0D4*B8FdUFXu5BZ9VR{0e?%t8LD7jK^jdzTh*+ffHNZZ}8Kr$<2xP=~j^s
z3MIBOo^Am)9%N9v$f(3FPfmu_xQE#)ab&*Jo2}BQu**CS07D3QhCqURybuDnMFzG#
z;gh;0F^>sca9k*M)yJ9?23Zg-N=JbbLDIDcYzs7a%Nmo%u8CF%ZdeR!4;F%=drSa*
z8sp4HiF{h`ihD4-Y`Do47JLy7T2z){CRdQ4<psh#Bbz0V)9qcwu)<9fbB|qc;@cNx
z%?bGddrZe{2EV>=F(#Whc2(}{{W~b8Lg)o(LY4erR}#3AgCwiMefFy<7FW0$YzrM#
z&e&iCP<#%qZ3aQBS|Q3>Y{_aEc#BAvT89TNn`FvzICdiwz*<~J2$M}YCJW9ZSI**~
zd3hU)WO2WdQ0fF$#KQ_V8)XccxIIn=*t*!g`}#75Y4U9BLicULo8gF6qKU@NFtDsy
zbMjEeWZ_*8T8npVKY`}(Dmjb<5{yFg#7_E&uR^%%lnvLq-~CNSxk7R$lKb!p!(J5P
zbu^l=my<$~+#=6^X3fOhBOmYAYsA%rO^BuubipAH6?(C9asJCWzcVI}6j@VdHfU8b
zoe}{+FuRd_`UK?AoaAWK)9x}y1E<PmlN&_|v;@BSl4&8U!DlB&EX*e8r%jA7KUqOL
zsBIPA(`wODu|;9a#Sn-?vgNGeB0+kyCpc=fl;|LACfH;4$+`cyNa2X^juN&+5|IM=
zP$Gp}9(r}=^1vazBF@6PBKN|WYrb3d4JoqoEfc9h0vkK6u}Fz!aatCxXN!6@P{>+=
zL!<!5rI4lxk1nA2%#ALMtQGuqlq)eyHOYF*5M*uUbpL2-;-4lyCIPwjiX5NFAz<U?
zJH}|N;$HZb@n#upbDW3f$pxV}i-%FkCapXnwE_4!Mc6X%DfgXVHwDSHz{1=?8dInd
zjG%HH00My}dd<VUlw(6iW-I$-Z^c;xtY>Y)+@C~n3<2gR7Xu`VILJ^GU0|{+v-FBw
z=S$Fbl<7JbX6Z}il+k-XJwO@QhAl%i6#6Md+GJWvLn@;&KZGJsJwl@es}f?ng50G8
z44>436dG$MQa`kI!-z2w;E#IvB04d7BZ~k_WKpAlFpXUbmcgHzDJJb=r4*8^tbxzG
zY*E?m_gZa|Aouztd?p(4=4Er2BBHewb)-=g{jK(ESDc2!_Tx%>;TN~vRM8u=@X;FQ
zXEh`6?kY9frXnclVNk0vk^KzxK)kWYw0rdSaVg63;P)<aNkJB#LdMVTqS>;^D<d6E
z3mWhuIxAMQ)C%-uXQ!ai(1d=q`O4hj5rmHA9Ias%Mic2$8U`d$oRrup0L0#6idfSY
zZ04;Z%~0$hG?vl}rZY=z2t>ycTg@0eOuOc8U5UDb@ho=0`q+j0X(@UXEn|m38TssF
zbsNd#{9vzL&sRI9`G}0<ii-Iczp`Wos;3ITyag3VFLlYSSl*a243?Be($tj<Ax^-l
zebAUg-SlI8FxXZ<vC4)hhZ95wGrPbFkiu`=2<k4-*x(jPHn>(l>4wNMvP@W#{K$Ee
zx=OARIP&AHH|G_lA@ge{Jh?}Os&=G6<dBsEHMD(epyydi(H0|8)DJgxfGZ!Ou#ED3
z%~9ptv;papQd}C5!!2cox6QO=^U-ps_Yzyo`};Z-4eL0AK|DWq6!O<;`*mMI_k53l
zOis(H5EVS-E~*|`Kd78>Ete;oMA^r^yx77DD;LbV=$@a@Q#MVas9eE*23}LD;Syi2
zXMFvnMakqgB1jsz*AM|XM+Ecc%j%%%Ey|;2se!51xCI#;?L6E79g^v2Bhz#GsGo);
zs_ZAA9{ycC!+6Do{ylcwq7B@Wn6#Opn6ETm3f7-RWR@6(&cmI3MXu-hvgAl^?n&b0
zPACRj&=9)^HU}OQEJoWsmN;S-+~ndO?Hu?+v7l|o6dlN{2QRNM1MKAW0ZC87C%^Z&
z!xAEgY*4&@Vh_p`j?hwI5L|~uE;8!8>XC1ac4c+#)C6ww1;2@2`Y(@kIg*GHTR5Ph
z084rmE?bMSkika6`A(cq7k!E&l=QFt!}RDe=5)h^InWD_2Zih<g@Yk@t3y<0)KW%{
z$6awCHgw@g8-$XD@X+IYfKGt6kxXE_Mq5BARdz=!*$)IZz@EjhiObYCBag%a30dc8
ztk!)q)*t%mfwLGA+l80hq$=3ueui+&c4wMX-q+8p2ShtV?(8075>#9ac!EdlQ~V@w
z$KcLW6L~UJ-7EHRI52Ph%H-QI2%nvoV8jP#lO?giSrjt)8az14-qXAwVv^ttv{CJ`
zyjO)~m`k3Niq&!k`U*F#qtzg@s$$WVw+@;cq)AuAP+Nx&T>4BOxxC2~v;^gj?AhlM
zt+!vz=bHNqxfGY88XkreuCPQ3@E|5=6w0AQTwD8g3|bbGMZ;bpC`6H{M$%S&kZ!|G
z1(K8!X|54slZj2%bHbQryXCJ^2vwB$6K<tBXn{OpKt$dYYeBWbwPO(z*&d*sG&vFX
zU2+;ki+MEO*EvWmOSc_G0@O_QHCq@oQX&Uxto+O^N}ZMafXS=e#@0#HVhEVvgd|W6
zaTdBY!s>`Tv`7sIa>VDQcq%Lj)<=+m321cHg1c+4WDRT~Ab_YBpJ!H42RnQn6y&$h
z3`)`|t8`Pn*47}4iu7QNJ`jRWMBycn>jcys3quh+6|^mgb^;2Zda+aHO(t%WVjtSo
z+tP)X$LL|s7BEIi?Hs5MP^);SJWXEhIg8msgh1y2ggXfEx?4Zz5nQ|~H#j5aYEUlT
zd<-k7gyDsN+KC#4PwZV<)M8PDuRufP#<D<y<T_bm7Dxs14RRlg8kEw%201Sl%S^%>
zp=E<Zwb|%P8n8(4?(&{xqMwCjqS%~;X%(7OwjDuO0&|?+ORlR}_~e)FSiubNUu8jf
zhJWdLcaT1Yc=SnTBs<ySeH}?M>uyMeA&Z-a(S#Rnx4^+6*d3-8%2yQ@h!O?JcwC7h
ziokIw3O3%ksZxes*}LFWTw+c|ZQoianKuIxxY(Q-jj2$Gp`8U4ii|N|A{grsD+B5%
zqGQVe8pUM6EbEI?&S4K-5t|i#jfFc$RLLq$5Len34aO+5qnC)cn06h-i{x1a6v`&;
zl_6V{cTdKnaul^N#&i(Er8ME-)e#DCim0LS2D-snq8w%VG%WyABS|(O*2O9cpb1mk
zVVih1xw2xx!00EhbC^+@H2b&Cw_q}^W+R8+NQH^q#4yQGpI1te@)H~I<(d+;@~T|V
zp)|_gv697N-9ZXzR^e9Dkyf%;&;Wr!Qjt;`=i#xHLv<-z2RT^79xj@3mL{>s{K_b?
zD68l`)I-o}1K))&_kUJorLJjtpnDy3>XTDthbWa51T*lxeU&1~PquG01^Pulsl|;_
za7)2IT(>UjMyv6z0TD4)I*EAL6!`nup;5c22TfLLF+3h?u`(^tVr{D0%nQn_Cdq6-
z|7xT_jQ-6Pi^{wHoO7*cyCD8B8JR(1TQ*G+AU2ikL+#umDrZv?ILmPC@q<Gtrbbzw
zZUdGC<%lR@ovs^g%w|{6u-dR{l%qc>xmVsn!Dtg#axbbKE-FmT&DvpVEJJcL2S_Dz
z6ec8U(1Otf6%sKwa6QKz<#V)*%pTCh3btNW@nCA~$El9?O$9}F&I1CM;o*t7OD~kV
z3UL*n&?syfSTd{ZE)uq&g*+sp(RngBNZ3*ZJcSf7g(fT;UbG4aW@2>37w4Fx(?oVw
zXK)R|)Ckzo=VCxgJ!eT+$D}?}4`T$v*wkgKk$<{*(X7w(eowo3pgh+NIO=rNKo$t6
zlvZP9DT6jXTSxLJaiOTAk7G|}<ziYZ9*yE$8owcklCJ1mg~fwlEK#$R9`}=5B^lz{
z%2JI%%N%8Fu+SFKuvKTzWb&{=H)n~Y;$~>g%C^T*15%_{HDP)0>tyB?jwsAy+=`}W
z#rS7+QX?BS0S>9muP9$+hM<{gC^dxYXriy^(#Xm)&?ea;5GatdhN?<_jZ2`9ITN#m
zBFu5v<uHC0y0DBglr0=>Mv?uv<0xcUML(hiLEOuh9_ApyG!{h35|2v<nuEj|j~yg(
z?J{s2WvfvUF{&r#e)Z|Q=iJ^WsJ#^5?tA3S;!eFPcg@FG<17gdSt9fZhRX>o_qX!r
z*fi*^;5fmPD3r6$D<MxYOSoW-Cr2VDFy*d2r&yDP10ZslF)amzMWBP6I)TZt9b^hP
zde5v~=JSq{+YwIPY`<lfH?joD^=|)#7`DfgV;}pkg3Nm7%wdn;#Yz}-Rj&N=qWN4o
z+#A?aA-vn?Nx)Rrwl>)!rQGj5?2ES1`-EYX`VGt;MvOOimFBL6gAQx-8C;C*;8BFN
zRL<T)x}?R9dRWrj8XJ=Yn)3Xba8-dGI08ciMB&yyVu~;s7H~bZ!S7Ap@?#^<seg*q
zMX+NVZq=)Dd;|ej2++b5lp?v$vifk<;#7w?ZsKDcb>zV^M=nlWhyT4aLz&^fiP@NE
zX0`z>BUT}Nk$fXkkl4CJQ->Sn*2U9dnUUQ%Oz8+<m0;C<?BaO_VfnuAu*sO(n@#S}
zJNEe?v${kLC}bfvosmOSMpW++J7#fa%Ga42H5d;T8!RSbOJ92J<yMg4a6@3nGnq?Q
z_H}cbwsk6G>?dE<NeTH%+3`jA-Gk)m)iJycHUil$P5u3l-FlaKbLp-8JksWT5(y>4
z(i^m~Lk3)vpXh$aXU}!sT@ESZg2llbB+U1hIKZ$w!V2xYxx&3ziBoX4Fhmb?;%+fK
zZP2Xe#bhY@(*Y{ubbvvyX<=n-kTaK{S(03Lg*T4i#swX&BTT+s15I`@kKX2hJFGLG
z2qe-&l)Et-T#eDD#G+%&1myQ&0*d0cgWw>9>vDIDW>Kpc6tR;#AFe#F*`#~BAGh0K
zi^DV1-68<{NZev_n>>e>uzW=AvJNu)u*W{-OfzirlX}Yi_2S?@?-SUo1ZLfGP&)kz
z48|S=A#|2XKZ*x4<7%ABWDw4jBeNM&0MpG&ZpWvt?0n+4<XD7j<D;k?Of)~PUXd*T
zEYe8Z<rrV*;IY}(0)Qu%C_S!wel)YJ9f2hN+wevsnmt9o)CRz8?=hsM5NL}RB#zt`
ze7U%O@%x%D_b`53oyCNW=aV3!J)4M$?cD73S}eOu(Q~B`XsM`k2;^&yZ>uV&6BzdX
zP9%Qxa2vga%-CK@2FYD|u6!YED08$J=)znh%4v>M-rS28^cK9ayVN?Af=%!T!ACmz
z&TBgEO8qjeTaoK+k~uD8j|0GAi{6{q?w1?=$rIxQn=(j9FaFyL^DfPD23NTiit!9o
z4g<;VTI{&jm0$ubPiE5uX$h_CjKfj)N}`Eey*L0EC*6~jtaak@T^4JbRlLU%On_(O
z;4Tim1B%U}P#Q}s8{KOx$si<2>Xb(-g@h5Ew2)PvP;Q5t6N`m}4@>sIguxzPV|LgM
zXcCh^FA&_!O)B$zpgNh2hN?wULguwAb3HFcow8g@288y@fDm{}>yJ|y+>3q2Qy@O8
z!vXQTGSFa?R}Kn^T!(Zg&1}mrmII4{ZefHh4zX(|8y+w6ERG}OZ@5x6azeH6f`LN^
z05}&x4~)H-P7)w25EL@xvA-~pi73I!%4s1}S>g5EV`b0w96U0%4PCM_KLSpYXii6B
zBE^(oSm%lwK@zim9pk|b;8IHHp5;M5vKv_*mOjW}u-ySOI}lc}+yhR-zaOMu2{?kr
z%2Fr{qLO{1g^_SJ7?yf?teDbMSQ?mLh&E2>!f_|bcV{}VCz0=P4@_=W8wA>iB-^Nj
zWE4p^36@upF!H3#rDeD1&ZLeO;+fRJ|AO<y9T$c=IAzu`kP>w^xFSa#oNFpAQAglL
z9Sn9+N6;?WM+qj3n~VZrmWVXw&Df-&&&#GaWksEteXjV!=Bs2++aXWfwYX1Kag&Ep
z2fab@dX8$@I-%p3I>-D(y-|k_RDs%1NA4P6O4Qkat!dO*MP61+oz0fqiT#MTbB_sn
z#<rjR2Isf}9^y#?9vEr7;A|BNffbb&k6vgin$3g(>7*sJ@&c+60?|3ni=m#vQZ=F#
z^Dz1s2~?oEl7G%vJ!)w7-=WY!U7j=_yO7?XknBgsTA~mGQjw$33Rha9keQn%$AB4V
z^I7RA)Ch&Jnh<BeV26o94dk=P5}uzWAi>^{o7rLFs$X3fBwDk%&iFe~AvI|Nh#O+6
zsDh49HNk8~E!mhN4lZ0G85w#I0F@xoa%Y2<NTl>2BM}{Q)Y2AEqve4fEaZU_eX|9G
zRf(lrpb)DG+o*Q|oyGkn%ONedfLJ~F0-SMo9`{KoxPm+70k}{6b;>nMkg6%A=&rRq
zO_Iz}>`Vf=ngtn6HsS%>C6Q4!Z<BR8(W%{3Q5@NgyX8*7%2$xbVTT3XI4G;M*$<SE
zpeU;BOH6xA!B)`)fNo~E5*BUXf|M)-x3Ewe0kd&pZf2*$cU^oN#sfx4FS3I%647jB
zQ7VO$Y!vl|@4>eEm?X5x%8_}}Lf<5rnr$jL>apF#W~fbwEyvl90Lz4A+s_=Au?prI
zuqI<u5`)mNNVAqPS5T|=n>1q$WtIOURSGn)cuYGZ?^iOBmgckQu=0s<Xu(0ABRa6y
zh@Hu_ST(A}?4-2YJ8k@?ty!}Ig56>x64!?VYC*Q4iX65^+3uC*BLx-}ha_jz^dm5N
zSLLSQ!!XUv^fA4Ko{AD`OTbjK2H1Q|XFd#n>L4D?L6}{}q_kk2Iur73jFt2EfB#2S
zNPe9LPP{uYcfB%D5G{K;Dj_1oJ+%d^si32gmEuaJph>e5=uQ*Yn3m3`n&s482E$IZ
zX$LaJU?nn<ZnH#SNnCKSy%`u$R<<NU8R^EMS7#ZLp+aUOr<2{h6QYdHz!Cl?3e3?u
zSqW%omd<51y<B(@h};p`oDhi9yIh1JWu6G7Q?iv>!TQ<T59I(IS#6jOCShm9!VcuU
zEE&u`r#MrkOt_aew(rW^MHgy|FuxYgdflPq=pve}HtMX&<{lY#*DX&^J&j6h&ZH8+
zXHbbD%blaVEoJnR*PTrqViLW;FBW|s!o0>4nf;hPCBmTSs?-sNZulWbu`MTzDlW_t
z{~k2z>~Kv04s~MK5_N!Omx4O4v%<1iSZU7pzL!l(Bar;zKr)t&60o36Oc*T|qs$3B
zs;3dghzr+Q#+FXoN$D-nMqXk(Jh+{3Tpe~AGiotU#f9UHCW@dIX<#gpm|D`9v3<!B
zaWzWX@-_nc&<DGJz1Grc^kJQ?m!84hSGE^eUWzRkEhMPT#apuKInAdvNIt|1XHQ)@
zlY<6YhGfjirfino$<j|8$mTBkyt6{sT9BaFG*Nq-=5&L`C7#Hjp<7%rX3&T%bLfaz
znrp(DG%+k>aYu>Gq|rJiaDn>@!-gx&(g@pAL9$us=lp{lWQ<Asj-=Z@QclH|PNqrt
zuwL2;v{;rAh;l0`<?CnwLzC|kF_z(!=GS2vi6AnGNR6Y-zG~C<8`u;d!#+X_q!HQD
zXfN8p7uH6Lk`Z;gPE&g_(2w3@=SzZx%T&7{wwAK^B-8+)mOJ;MjIEXzyLVjih!R#s
ziZz_tm3Nd&?BrBIbf`&w;}(z=!#pIQ$6zh+8Y*1^97^_a<d%9fKNu&UA{ti48Z>wu
z=b9FtH3W2go)T1+8PFO}wgRC#9D5}Da)x-Lm*n{*=N$lNL4e^xW+Nl8L{c1e5JQ=b
zO{L8Qbn_C|r8>mx1~<x7ENm*;*@a1vtUKzET(AdoX0zltvNG(M6W*aFTt{|@ME=Wp
zzVZZ7sg(OE(@_pTXFbMCfV0+)9f;%X>%kKF0s_Wi9!hAbYj4KeBEO0R;4&=)(SU^@
z{2yzpLw95#8#uCwEy>YU$?ObSa(OUJSWKZO*1>B$Wl7E~iKn75BJpII*Rn_A6gniP
z>^cacOCeNQR!b48j4{fdw16W}7%h;LLzNgSq6c~Tcw9I}iyAr?=T}zjEY4!@&??xi
z#9jp%wXwH|80{B<S(1-yC75rO<wag*3rsGZ@Vp`!PF|IJ;FAd8CeGf9K03QSAF9MI
zVj<RTA*jcD;g@~3j-*`CDN=|`UP(YD9cSf?+Jzddg@!nc0eT>Oa1$EzF1z}Rlwg;(
zoWv{FGVsNgJ0?9v1~2=mlTZW&5+{u_AjKY?{O2qP37JZqds(UHxpHJC5kX>}<oLor
zY)um0asUe@V@&N>4fO%&MbyeX)~nfnRqU3CZc-HUy=~jlY5>o1P=J_~Z>u8~kN8>e
zKjM7kLL4MV4ah>=gQF5P$RsUMV;9YpsIjeL(Fac+ty6H2Ja`yT)jAnCZsC2RueR_k
z%x96|zBZ7p0I*V+RZ2n&D!WpIY(dX*!5KVYWJn?vM3uu*+iA=Exm_(+9G|&<6Y_w-
zgR<$>T0T0R07vnbwXv@U;pYJuD#9`{fUa0CMo2k{b+waPuoHqzjYG-g(Iq1;l45yu
zlC_~M6vA4FHe!>B12(rYGCUYQw0c=Eh!qz}A%;a{OQV1k^8FK+TJP!tUM9=L!dxqf
zXaNN^6wv~Z6fJ}XM*ujNMNmtIh<OLK!P=rgeDJ~%f~~f<Ee$-lMPjHG+mG=@wiq5T
z61OgTcj|YRTb5kFe$CcRWU#3huKJJ0`mc+{Fu0;;9_fZuJYai-t*J4X9fcqYO`@X{
zwQylvGaAVI#Btt8RB&Rh948B=H4R`tvSbvNaA7SQI%@|jqE+lkU@O*r9ZY~rM)WX=
zu8c;iqXdJ%rG$66n31{S4u(}AD~XEnYKZgUds!Gufeu(V#=q#J@Rh5gMWAwrcA8+x
zQz+T!ClSK-z@1^~)$&!s(8J{t94qsBgj^j1<f0nlAw-5MS=v+H`Xp^a*9x-<?q$Is
zyRnZSP8i^aUmfCy6NhHQ3B&zx+K6m8acnmHs>fZ_H=TA7_1Jdb2b%T1clsBmtFrSq
zKhdS04^0o~w&8)x_&eky+wLCjg%kSBANjT3AMj#C-~QL$#*3lzGd&i!@nY=nesuKf
zycj<Jsfowx!sq*NV>mxOeJ^0ve}8ikAbq~MJ9)bryXWwoqbM6N|8qwsKFy2a)4tsM
zOV-#Uw{`iY8vEmxY8>|yM)2$nT+?`+YcKxJDPP3-;VSOYw(kzqjnxxZrIV@4C-OMO
z{t@pMqD^?&HYAo{YmV{4kBlF--{Xrp5B~z#?5urN$x1!}kb9Y5)yKy?bV2D}Zt}6J
zTgFD8ds^3bFB?ngwEV2C4^5`Y>elX8=7NhRg-h<a)vKM%<oc2>Ut86mOueeUtzPas
z-M#AFt=_Oh<Ysuo)>Q9otv=TMo<aQO!uI;=#pI|x(5u5pqRpdv-?N|l`%47TCwa$m
zQT&ANiM(z%clT@0?VOtR3S;DRI&Y+&8{gsmB^_%LRj-5%spqfha_ZLbn#8G=MYQ8{
zU-zW!EgYS~I5^e)p1VAK1wygn@%q*bzNjuN4E>Xv%oumJ`olJilM829RNdIhyzcoJ
ze>1OyYpd(KXKQ<o7+D{LJwJEPffz3!rE(Z2W=}@vKgEa82r(WXllswXx--9#e`Z&_
zzr6F5&+@gFstp<@KRZ_Fvq3B9+zqvY-cPkW&#=M-pA@{N%LxX5B7dCPysL2I)N28r
z(8uW8^XKHNb!Lh@Bm4B{NBCS`cWyR75TcvpKjtM@a-ZJ@@B~Sg*Ho7CcK?8ypuF4I
z8osKAH>Q4npRqMn<q18T6KMdix&zsnpDH2j8TF}a<iiEL?BZZlE?3aP5#o|YxajqT
zQ`N_?dT$sXn``~7m%9A*=x#23U)bIH-c1HtbQ8b5+HrkoaR4}oAN$mdCnLb#cCQ)V
zQI9p_Nygywh6dL;e&lVJ_z}3SdaN1WjXy&i94usyz$N2H;L7w^Grk9ZhB~;O@gs1(
z;z!_m>#=5hia*00T%Y(6xW4ftaA)bUW_&;XjBs##^2r{7>mNS?ca9!w#zT;CV;vk{
zYqUq;2F8!T4bo%H_>b0BODOOGwV}N5T#do;BQ-u2KT_jdJ=Tmr&wcO5eI2ay{RG%y
zJ>P*EqQ+kFR&*{0{T;j&e8fNxRa0Z(RaqWOugdaReDRg4SbiZ{odByWFG#S;@>qoN
zIYE<Qa!8^MStem~_(-`1A5GWA{)BcyzK14K&v;qGxX#vZEa&LO2|D_9l8%wYqK>wm
ztW&>E*wL?(c9Ql?!sK1c!|lEoVP9^0@9MhD#4mP0ou09Gco#-;`N~uJwsdOdH-v|M
z+T5w#r+|wAdPvP|<liDbhB|4^Ae=a7fJJ<G1$>N%C3<D~Bq!1tU=bhJhJPy8gzZ~f
zEd%23Nag-oKAe|`!|*_K!!gj3d%@n21-P(7=lH{<(KT+wQ`Q2;_4dMV_vk!6As}BY
zOZvcqe`2(Uy+3LpZ337tzM=bUuevkJFF)1xBA>?S0KzqU_ub@pKPcjTNCEG|3wR$|
z#QWF+-bWPiKB<6rPnf$_`%Hc?(l@%F-cIkxeHX;_{UTE>48Yz`zPds=M8_2<(Fdc4
zRv#Oi`q6cUrf2PgGxINt|2J!$7gpP=@N#B+c_028z<)#dZz%t<$6h|dn}2=$KY$xF
z>9BgU`_t(DMDEW)_ovnU>7Wk7>hAn`=t8~$U;LtU>bbMK4S%eYx{V*L(dxyCijj+_
z?SOYypbk=b#W=TuZiqQ%T)cqB#p`EWVfl=USI@Y@;u#mOopFVwGtLYD=v0913&+xS
zG@%tbSL<VMOJjPCi<il`c$JJRERu2Y8liQ!M8?G{1R1nqoLe8isgy9^8R<)DUe2&w
zeKO${5j}q3;v%M-L8>7e-42oO5MEKecrefZKO#L}!*-^fD}NmyGitwn`TioY8T)9w
z?P7cl<99+1pL0&l`fp)gtD&jl#Ua8}ucLee&#6qOk%ezM6*1&c7nU&OaJZs~I$_FT
zEyfr~64fiiCr=~GJU;%!hbi$>Xwm%_zmx~f<HL?#LkdbtyKj6HMmt!ey%D&WUCtbB
zky{)aX|zsREb>##Eh}PvV#rS9jPvpV3o+I|Y9F>CpRS{#6y3N$TI#}BBaJ(m$ddZ%
z&;{yfp)^tHn@-wI9L}?2+!Y0N70o#JycR}ieHg3ef5qpSM8^dpLS3w*#u%SCU_q>-
z#$0>fP+E-{cB1sv80$`NZJC392H`8hSJ|~TREDqEhC(h|yn$&Wc>x}-BuiX0XpYXM
z_jrd{+HQyW*NW>4-;bGm^#YiugMIy`PC}8~&KY}Wck9sMrH}FpSyrR+6*J2pF_Q3c
z$F%8}x4e77bPB?29;pc*`D+b@xl7MVjbGta*C#R!+|xbdsDw!BxrQn07v41DmJTn?
z;~)E`d!1S?=*hRN^un@S&kojFYW#AqdP#Q<U5wn6dT#NQ9m~5M`}p}CZdu;tD_zfz
zMgL1})GmHsC~UoOruFVUURyb{rjnMzCDjLSsXx}OBKi9G)N`*)$aPLuhN~(wEA3qa
z?-ujb^8bgrcaM*<xE{DS5Fps-21OecHQKZdUK8<>2-YlSaf69Q0l``;7He&*E$S|y
z6^PwLv#zVuYD=qD+WKp)wLfWVDWZlAND{mez)RE$@&2sKCEg$)lJ|Sg%(ItV)V}Y}
zKVCnQeV)0TIdkUBIcLtCnFsD&RaF)zZRC1N#YT_xMV=~a_mNOFa)Wo-hO&;Po8s5a
z@&p!FHZ6_M;33RM8E@Pxy$Ur|Meiw&)9I?{oy8CFTehPrdTa6Hn$l4Gh@|u;&JqHc
z@AO0)8iYm@WBCPvS?lqQ{BXmK_4V~FpB%wfY*EfrG&}Z{$i|j8^Tuu*`|`xtm^_LF
zX4Tx;6qvOUpPMcIDaBvU(<-k>mG>eqw7i`+_Jy%Yiuqz=hE{PHXV%m^n<B5ZNZB_E
zBxrutMq7W7ig1wB(V`u0Qx>yTS(tSO76)cQXAI^-&I`%@u~@-xfRa<lPB($YqP}o8
zbdi)Slv|uT)mMN|^-Yqt780J%$~4@D34L3<4zfmm1<L%~6t9$@-^Jk*Xq^|hu~#{$
z;Q?WnW%tQoc$=S&9eZfYt|KB(d6zvMe&bMW{`CS*{Lmt!CI@zAJ;g;}v-Gj$4bTK3
z(7GvpHE=;w&=pkO<R1>4d}+Vro8lLO!Lpl$88DU_OOVlJukuNw4P|Q+d~J-0E;fZs
z9{D!5)#swbqr)C~<4CE~@DP2uad%vL)bNr%n?Am!&-MIW?m-F$M_B#VHew&re2>cC
zK<wOtmffr=&dn=x<r!bCYtE^Xzbrhu^6*C#5a~@qZnOEVY92~rAuoYQ?k=Hw#qNb`
zec@gC-i8yH@I3A3Z8!{0<!PVbT;{*gtOkEV9Z+qYsnPGgI?p0r2uB#xHf;0jM+)Yw
zN+c5pLZ0nb<5(!sHX>iqmcNNAB~1g52$B)|@z?jL{7vwAJGURrA|iatMMfC=D0&_X
zfE?w6ag+FlT1%04*<SCml{zKMdc4bayDu&8GR7>NIWe`ppwhdnH=U7}$|%gvU|LWk
zCos<E1R}mXe!KZ46{heNR#$X;8?OgBzDK`J6|qP0Te%qYteqOYusjeQW$?Q|@S_1f
zhF5R!>+mky=v{V)zPLOnXG{uU(R4cK(VnCiW~CcE1UrPIVkc-7@ZO0$^)A~YNLnxq
zHQ$VeSI3=)Z>cL!PZz|6&+$XiTwLUx#fwLS9}J<K!d>**<04Cl5=)3uy@K9X9;n#q
zZ5(9?@iq$N@<oOYOETzi9xJfSaVqsL+XPZ!L5h%g9#^^TDkEx?yx=B?W#oW)ocMWi
z3j5>~kYff5QKIDNvgDA#E3`NlnXZ&5&fhmUmw|Kk`rn;<m%+O??lyBTpwIPiWN^67
zzSVZtO`R5qomGIc{X`Z@OcvZod7@Xp!9qhMz+UP^xdDOrDZWjAQE6=S6Qp<$J~gq?
z>#L*tSBKv#;@g>gOY{5^ehc|6<+q66a(+vqhgQYT?)5jW_1?w@w{g33;$^d7OhjLF
zG^BhE`u$$VSI>qrpliL${vrvJqxo;E;2f8~RV1f(88T29>2H#o!B3Jea&}z)3o2S8
z`KKz|hW8eQev3dTst!9vzHlNZbW3c?Ui2@L8IQ>8!{lDju}?`aB7AN4{JiSOlstZM
z4r+&R5KbwSr457;%TCv=W_~AHbk<bKd{+_hclTYsM%XScHXJe0bMvByL?`A}0Xuqr
zeqh|e3?+1|E~*)K9^8IjVdD-w=-$Q?Sfy1(zZr;LSL9p2#~0p{<Gt-PkzITUl&F-a
ztGQ@2yoM;gw{fUHtMY>nm_a;sC2vDK<v%N=Vt;{I%Eeh*fu8@dP|e3X?6y_kRU3(q
zN2J9LO%i#utUC}r>0_Z`^|))9v%6Hr{3kH(q)(0JLh?9xX|~IBqh_z>0Gv=zQdRV5
z62NG0cOW|9Qv>a1;4$Gf0YaSb<Z%;pAaOQ|B8!fGK?-@7ZLS^%oyU!~<?xnoMTaFN
zX^nJ2(DyETRjVtyEn1kzKy=I+ZHUc=aTgVNm*KVE5Ew_ID%>7H8<aH#Kzat-frCs6
z0O$;t8|E4y<IXIR(OC9cU|g=^LX1TLM+j*jnYLM|I(b~~3xX2&ybD$oD69^z#-X!K
zW;=m!38kzS13bKqnYZ>F+tu1}Q@U$xKbdpqj2oRn4<V~92R(Y|q7q+-Q5_x6s}85M
zs`aGz<3>L#3|~|6nzwNalAt>LWDeWw!`X^r7@lK@g+Inkcvfg6X9|TUbS&5i!O!RN
zfRbilwwR!7;a#?~dfatr5nh$DFEX5I5TpVEj!bhFNni#R99|n^VSH3O?!tnaal9%H
zgewbEZL>_ZLvs`rI2%%KLq8f8sb;1KvRVSLprajwB!W!_tH35=pUL=XIV|6QsA<bq
z$GEGD7)9^0yCuQ93@`B=nkB}aL?mXaFG?8Ok_f`x8S2ZVqmEw$A9(-GJcd}o@Yz>0
zLG-P5+<7IG=oM2;K7)sSme!3HIO(QQ7*chn1x`A2Q|(F$eMeczy|2Pt^c8Zwn(D+#
z(}Opm<GUzTimevzh9aT~sZQbQalUd}0ffPw6AVDu4CYZOLNp7isU3sCyNsECy8-z+
z1yRoL`<m+Vd`-AO6Z}->`<v==eNBA4T(*)Kp_W8}uW9yBlGyY?s7k58F!M-GfY>TY
zE#z^8N?k25QXk(VweBlQn*<$rPpa-i(!QD`cI<nAsPvY_k-klJ`}w}(yV&<#Yj;LZ
z2t=<gTK_4I4DW5@kd;-ji#1AwttY-z%*GMZ;OWZ=GKL4(946){!GWIQ*W#GNa4*wR
zCUniX;%DPn!ZKfEZt1(&(FScwY08B{Nsdi@grIy@>}>C{b%AknF~~O|_?{J*)G!hN
zX$;#6jB(Q$hP7INCTeu|J(U7T8s)@0qFW2I7$28!(fe?+C^agH+>vk%W{L<7+7W@k
z7z?r_t&u`Ckq#{nNJ<v6wWcDDOw$PWm5o`Wjj+Kn?vf(!vL{s}D%PxS95fyrXrv<W
zWC{VtO#w)yD<>7xvohtRq9k_TCQ#ZSG)3iBssscSpM(%hMNpC}B{T<+u%B{<3P-@!
zjGNxA<Tl+TRA1$sOM{P7R7GMy*&d;TOB2vTn;{M;EzJd@r)p)IA^BM$Lv_U`-p1|X
zBe05;yN_hhMUcq|f`ND0Gu#`f<4vb554#+oWKo3O6oA4Lh&PuZ5N~;iD3=>lHzyzr
zG6yaq9T;gQ&=g=8CO}3j2G1d9=^n430JTi{6ibODbUQ6jS!+sJMXp7;gt<nBrb_RH
zDLde+7c8H+<I1{Lm`96rfCAF+AI7XAdioP<dW*=^wXd9e7cod@GOT+94(TG<WNd96
z%8PgeBvb4b3zET9IeDGPvuX@QR~!=Ji0oPKW}1r{1R5Dw#i<Mi7)5HA8`}#-D3a7m
zslw_qR?5%7tKMZ1X-@qIa)I>gGUK6zO}9$}k%oLrg#bO#*lQ_GHz+OV4TN%OD0BnJ
z>(U9RiFW$swnDvj5tpV-5toT)aObOami8y_SmpIL4#5C#+~J$fZCbty*jpDD=d<#`
z>W`)oa5E)zRpW*Q--&&@w<Vb?pIJvt=hoyrZSA~W9K`2B<jD39ecqq$=iH6U3x{>;
z`{&+eQ-^tcrK4F;$62QI6oj@^huaFO!>t816`%OLqiQ{&6&IDoF<?b}`Yu^bW7`L4
z%&cD(G<Gc=9X;H4qQGv-fbGb|n0#GWe6ZWycAOF5R2@C5yE;0(hel;DwK_5_FZ7SB
zc9(bK>g~HfCHvAs7A$56Bj4}dgF~U9aYvLmHCc5Kn-U0K+PEQjX;o};FGsfUza@`N
z^<OrdS98rlclb@OcUgh&#L*}Cnx-CygJn%lQ$ck_A~?43)ez^#I8gV2ey5uqT6S!U
zo%27!e;ds&PChQ{k;V-nw%6ENi4@`=C{Uf_5=`<l8Xqg~LZ1^d8;`6%5d~J0+494*
z%=w6ZEq8usTV8SbqQ>3@b7N=qmT_6ZOI+u>Mm81BiH$zo9p6B7grCd`IPVTNQ`@EB
zh??l|nu<6HHDmE+;7KBh>kh(gdDRskgt$EFl|bX#(8%NwmoHN9XCOL6+>WxRJNCIi
z<eDDfUGw&btBE%V_j)xnKvyi@+r$qOV<00>v+8I`7NHo}dD_$B<oY5{^2GMMTA6&=
zk2p?_x_!gl_l_R#mz%D(7D;$I$N#+#e;DvSyt;;e8u|535r^CeSScch;KuDmH95Tm
zjMt3Xj$fyUjdG&-=_7}0+eza?+SNk|cpFj^os&m$oRb55>6&OV;1f^xzCZ!?(*{0q
zUvC!?K4jq&j^hBIL-1>AMp5Z?;P2pQJyD6kYL!z6qq?<;>sj<&50lL)Fpb1Nzmaw6
zMr<c&gwVErjl@aTMkb<PCt`feDf}{f!gBTcLK-RhGJ66;Oe~_2k}tC-m>1WV&`9Z*
z*^^RwQc5G`UuI9r=}9?_RDPK~siY^BG!pnSdlH~00UD|MGJ8@-PYBkUGvmwb$qafj
zgGOe4nLU|FPiE4{6<=mguAnDZ(8%mBvnR9Z$!r>#XL}L|Z>#@&Avw4tMhv6Sj3jPR
zNi6TxL$8+xTJR^<bCfSo!MU63d%TVR!~QP5_Z~tb3EOWc{I%uX+_9fTHivshcyBwC
z9jBTor^wd&MD{0&sw5)#J%p5o1A8CtL`}S2Ex!_%DR)j3p|?Z@VajhsMWA)wtQo~I
znpgZ>IMMP(5eNLigX?-bIQ(BbN|FOZhXf+TAx+AY9FEMeorHcN7?zMxfQznsSsEdh
zpSWVv$eTr^pd_~x5#&$kArbvGqi|r8p7W{!BhHFZoitE0^!&V<2>+rNh#I2t&QwQ;
z7JXsxHl!n2ZPbo>Bi#mYWc_bDF%e%D|Dux$zr1b`!h1eC=mOC}UsgA;BPJHn4N*Z~
z(rA>>4HVD?qJX}vZr~=LSV}j_-EPP#AEqK4Gs%Fz%+PjX++gechaX%qoifl;hUEdA
z+r=%F)uZ6BH;cINhmpR6za6A-i{j9U<-CTs!&MW@F{peT1m{GzAJ6p8m#bMPOpHyy
zjOoIgj4`yTvDbUsJ=mR97^32A#<iCKla|S`D_a54CiX7VOe{^mY+$^H4fZ5X2k?45
zZR5QoGfR%9V55-(Ut$a9aNw+~c9iU1f^(d{#=(b`SG;yqhtB(<q%rMR=keWco%Uz;
zgzgB;BD8`~#i_gVtbK{yJ9LPcz|2H3WgFM(R(t4OH|Bzc4ZB%yvwz1fWqSP;h)K9q
zBT)kK2?KWfx@1}5NIX?s^4O1%FZGeuLoC2@F~23RJy<Clf1tn`L{lvu;hq!PM##Qk
z+gZ8%B@XB;jRTsye`J+}t#TDv^fcNFz4##``4szRdC9FA@hwwW-P8#_v^`UhDiNe$
zhMMAXL8Ve!FOXd9S>l&LD$hl#FgT0Fxw}92GwD|Fu;`h&WjkV{*C;ZxHaI_CLOfRV
zXL-)|e!sU@7Bp=`72Pu}x+ZLiZp<CSGF&32L7O%SmpmlEg5^&vf9ft;Er+r}V<L+N
z@JYVmu19>t=Wvk~+Z$EUALRNfKDuFFcLa2Q1O#IfJ{DvmAM0|9p>%fMx3?G0&=Hf6
z;%953*XGp{1AC0G<t@$u;HTbRJL@f$|4u&W^Z5}T%XT>TQBV8wD^epr&aH|3I4`|2
z)AsCEOL$A3?29$rOT*DgxnU=#F}`42AbJjA1|2oATodvdp0M5%I&5-mYEDmbl%-?%
zJ;Hpi&+~+aQ7P0Nn~@XcNcBgo%Ojg2Bb<CT+8X1&$eK`T)KBQ?{Jbn`fBL(<y|LWa
zl=$RT!!y#N;}^`sPv%vb;5*;NAX~4cNMx~d5gEE7@4Fsmy%&g1M-}Xc{9*EO_uh2I
zV0a*MK^|o#K1N&ykq?!)&Q<I?33^Y4$_7I3yP(GfrO|15Ej>q+tsc8N+@2Gdh2A<u
z!-%`=wpPY`iJp}U<xUGk=jK6=K<tKAC?1IJSGFPP6*<7}8S;amz2Lq9?;qD+yIsPu
z@fYYav|?}Q`LZ~x%JlpLUaYQH{2Kx?Fl$vHHo@>}G@nnbSADC8sT@2gIVMFP2Tlyg
z1P|qf-^&SYqw(cuK)PhUw(sPGdwPSzX}smy4_e+B9;+(gV^D0h3G8ToOL9Zj{C9rF
z0EXiuT6%_psI2pagXOA?sna4au=V+&_qM+Sz5ZJsZ{q_zD3c}+aQR)lD)l!E?e&C4
zRIGu{3%B{?nA&##*mr!fIr|Z{4RCLDcgx<PPM7YQ2J<r}1pAy6b|&dCh29Bo&8ez*
z`-V-mQ9t-@m8(^gh7Y~V#z$VXq1nKK%z<z+C;WPOVAhVn#&@enPUx;;ZQq%K?Js*P
zaW#GG<8PAr;ETK<Vc?$%8#6JSd9)szF+#;y%O^v96|c?5N&94;fn~;z{n%Mt)$p!!
z%sqR1eX&q4xXs$ZR||;fKMsoG5{AEB1bYmE+j0Vn1;uD?TVSKpG%2UzmC%a<*`1`T
z7eVc*u}NpBW5*ZSfgc`>8h3cBTRCme(lb1=+IbnTte?9Cd`PQYloElK-rFBxC}_G)
z6XC>))!y6X978p73DP}HoX*ad1F@5ya`{HsDU!b`pk)_y$Ik2xECz2vo>x%~{uGgL
zT{qIF+7FD}s)~*C&!`mv>3g(N3d~yV8=FYQom59pigOnz5ojCVAQCOWmrUgIHly*k
z;AY#n-B+<{;j0;4b@wHFvDpiJ;rJPl(x+@O+*ylPu#wQ1;~1?J*}uD*q^6&cq&-TU
zt3z4oiCu7pQ0K+)J7=`)9?rZuw~8rL6^W1Spu%kpU|OThzM+;K__7Vv(fke7k^J?t
ztzFTv5GIMw$B~81p!YH_Q~fs)tlN>gX8;j$%sW*e`819%u-G^D1Dq9$s-qKH*r>qW
zyYam$&O(n|CEOPo-690!Ob|5u4^zA>p1e!pN2lj9OXneKbp|48&Fl_OXz_%;H#t^?
zsNGM-A<VoE&qL1EQa-%9H?%c+PA;4B-ljhZ^>OnAX0-%jxdh0SdxHBX&voUq)GPOd
zPN8ggS8r%rS-f$>btNCV`#=h0-n_m5)?2=)Sg#ZMhIJL|7oOR;Vcvv5bRjLV{ha$!
zpd$ChYrZx2So)njBE?5FFZJLEd=Vd6%iJRaAj`uwIMzBsZ_@GQj8kt$e5XRscz2y?
zY;sSVGSTW~acauP2cCxc1J%(A+__+YdRHA^?)-bP=sC`0aW4h|=RQPvg+Dja;ytGp
zX-rZfWyg4Ldk{)-4eVmPSx`!Sg;Jp;=EI&yzhme-=7uUD+I}gQRU?8~O^w0rd9+-@
z8(xEk;fN?3379#Ua)(zBJ)EEK6c;&fCWSRaQXZ@R1N_OTp_iR!NDfq7S&TbNsxW^z
zKXpz|bzAOmkn@CoEum5cft(wPOIfqAbxq)uSW<+Jyry;xCQ1q2<q{;3Hcv438{_ki
zwCIKMxR^NnWWbejzDp9XzNZ$Qv{bI@RS*h93z9GWU-6$D8>(S-2me*aa+%=Df0O?^
z{_6`M&3`w1r(%6{#KP}3#-sZ!$ZcFZ?~+Js%eEsb8+HVFTR0u2oNSpAq0<qlIO(Oi
zzo&7T>K@NE-w5FQ9t#Oy>Zy*_bikI+&HcGy%jc4>FN%&Z@_T2emE*9e*n5^y7qR0<
zd>+~#Lvpla1R|Fe7nZe-ZB<iXhgf%k2xosd7ggZ=FPZ}Sm&oKY?TbFq(_$jGC2F<d
zG@xK>5d;|=>C7hxnnNm6qCd{{akxYpK*!BHDG;3kJ=bv9$Q1{xJfXAE_xto1J0dL)
zPNqWmQ{+J`lp`$hTQ(C2Sl%xsD#dm}eq?AB-m79)N$IM{Hs^<0A+%0;D1c>2#Nw+i
z{<3ZuLv-YrRkC;(ItC@d>-aIPtn5UT%OX7I>54V;Ulep3Uj@ZgdBI=Q&e|GYGX$^l
z&?G0`kfW%>p@rT%R<W&6&9q@q0+GVUq`%&VnTUkgv|e8YYGvVzhOwV#cL9OjcnW#A
z!>c);n3u%gkHL{x2bEp?41GTm{m7+mgdq@szY$s&J|Pj2&b_KTt|Jcb$-)d%QsSp1
zX6#*OjO-;;B)tt`iq}?b337J#9WgoHR0ObF&x!twvGHp#V|aVcyg5Rmz%1@svWtfB
zgjP@J5ITNPPx342amk}_xR-IM#(X5KvTUn!E=RX%6#DLP#?f#VR(8JF^FD6t9f8Q3
ziOV2@w3>Wmku^-Xn{b10RP^xZ5OxR<0S7t1P+1Tf8o5|Un-EhOccIBT=Pvv}A}6>^
ziW|?^dvaE*NfiW&7%~(!{8}S7NV6@u-T8wS2tBg%RRAXcX64{u?JqdqwseeX>C|*f
z7n+t>|7uI7pU#_V?1kRT#1=kDw||srf33Ff)?I`hHPC!qHFlNGN7-#*K8|KSvi@@9
z+#ppm=Hq`?e?K97R(;V=tlxB2f2>v+7iPiS;VtDN0*bKsX}7hzw-;veHXH+o*H-ND
zHdOK8i(Zv0v-=d`h<>x1sxrG%>nc~@=ehIS7ri7Gn|9u*Y!gy_b+&Lg(p2By)x#-!
zAy4e!PeeWh4<pFrUFW*@g%^C0*5J`9wFG5+AY~hz`#_uSmSdHtHHejq*x~Ow%^%pR
zp*1moPUEXkJ6|z5R>jo3<FS9Hvx-x-$HBn-qq#-Cnnf};$kse(9Ty7(+Tz47qXV7L
zMijNj=Y4pDFOplFm@TP7Jtm;@eHTY>;|$Vk2;?hB{8L6#kd+c=rc0=dko3fFDIu$r
z^!h1tyo^;}GwU7HKZb;Yat_@t0%p5&z#{DS@E(|Fwe-r{a0?@*`^HYYZK^Hw-NskF
zw|U9Hf-ro{D%{&}D)BRCdYh|G_QYm)#AbBF=B<pZs;u8TvRTd|c+c7to4vNOzIT{+
z(x$L8J^bFK^}C15GIDXiJF&C6;y-i8`c{hicSmA}b0AnT5`n5nPu56KMBN+W@{k^L
zjswM13Py4i<0SbNiw0N7Ww7D7DiM5<w$T4T>2Oa@a3-r+W(JkvRkRut-K}Srx6~$A
z8j*GGcVspJ&&k#43Mg;m1q=x03@fo9bh>>vH1~6u;S7>5UliH&D8ER#?JavnXDUi;
zz`ru~15pmN>J7B0^~U@(Z7DiBZKa_@@jwZ8wgvA_Y|-JYr&FF-ZlnAFmjwdr1G_f(
z+csO;+qja#X1oevV+G-De2_%=pQdMha^1|tRKZd8QEc`~258uvxnbwh3B$ZM|BQmM
ztN$Xa#qeIQ_vRn-4)HmU@r1Nn!-BJ=C)X#(5=5@QK7qm8_)hi6lj2nsHwe4zq5}S;
zNj`6L&FP-l)g2u7g#+gPibtSoGjso#yxY#t*wt%EO*+2%`JUsvjm?Y{Iz~vBz*p0&
z$)SI`NvtVdyeI7q_v|+(Z+R|Q;VDQQO3e&^0n75T_>@QM$;FjKghaDmzi{IgIU0%X
z(G!pFI@4~)Vs4B-3ge=HpV8892O?cjCTcu4_KV)Vd-v{Kf8<j)zQG}s`k)h8Pr%2{
zRrSF2R;>@j0z(L0^;Wf1dR_{IJBJ3wI<eWkIBo*7h{4aFP`_)R&;em*NNer{7KR-p
zjSkFuG16MUYv15}t_1NtDifo2){~0@vFniq+pjs@+dQ$iDpuDK3v^V)W~?O0qki{D
z64v^>XRY<se=^MHo%EE<o^6*xSEkQenLcN>R9D339_52!_dY5l5#k&}(6Mwk(k^qy
z$S+o8$zO^-oYe{@t+~0LL=a*x(nyTW&I@pzTdU=wNPD^-+9st>;Ac4<CQ~hK3pxoj
zo+=5EJR)!8{GBR@Peog<<KiZ+jPb3MKxg8_m&;G=o?<x(7KlAkyhMIEKPB(-ACF7;
z(RLb&@3)VE$UVj4UUAM=%OLbsuoXzz0s{Lec587x=`zb_%Y2(Da-t4bF%bcgPUl#b
z1A0-=yUvX&*5;kA1w^EFvo<kP@6y4+0HiGLgaDJc4g!iha+Gn>{C<nA9%>Qa<o;?%
z?R0+YLJd7AV!|Bu0KXf=f4j~3St>iKz6!~h4S{D`Lf6S}Z1xam6;0Y%{aqT?a@bMF
zxUG5{&(h?_wf}ln&ABaI=V&sU+3#W!Y<A|P)AzTqW;(wBlDaZ}vvXH?_Zh)&s@qJd
zGqxkrim=Leu2Om9ZTJ<CkWq=}nV29eL+fFMHI+r(W!g1L%c8S{RX+=F-txw_%OaGg
zB78IouE04Qa2%}?v%$JpB|pjb3_o%w$2=LrIvGrewKEX*<T%%}WJnLJGhS8lb<eU!
zEYOynT?(|ScuW=dhaW4~?w88fbg)nCV&cbf&bHJP7l3TxG2kc?z9{k(NrgBBai^CE
zPI(x(FNmtfz@cPbg)E_CA21wpoMDDIxUZ;={gl-yI(u@os)DBprv)l{yg#2Pg=Rqk
zDKrls{3?Ni2}?VCfw+8fIQQtB#M3euBwZo!*jTH{11;_skQe4fy=2qpXfBx4h+`jT
zI>jN$oyAMYoE*(98EmrLs*^=JR_RnjFj-2}Fjk@<Haj~LCgn6z!Yr`4FX7JO#eiH8
zk``u6j@Fb5E*zmK4@4%@Y;H*)W*AG4OHM3sR;!Zn-u7oD2;H0<KK5uFzNQq6d53M}
z1q3vWjG?c07B|s|_x9lsgN2p!Juy-U(<X8lLG0t#WXwq3R2|t>wgD6>WM|gLbuv5g
zE3y6};`9x(ku{RtmsR*1UgW}&YfcM{?I_#8$0v8b&-PJV3vqE$#j0z@aZb=3i<Wna
z0wcR2%u_vyE9riqV%3~hx$!%UGqR#>&i3STTs3pJ#cVfA8IoQiX{AJwl~ys($I7=R
z%4O0YEIc?{ET>0V)%c>h#omXp=J1QFN%R;36_(7`>Em3^)KX4nYr=`x@~-eBO}1$&
zg#-hSrw{)<5*`+4FhXz==8+8PG+Obs4QB|j$a)i#G8&!fwCE)FHcrKKNnFAo%RRzN
zmWAv*GGq2d`Dqs`H)(v2w00$v#g2J+YbEmRY}@K4a<$9SRy_#9%hrDOHnwP{^vG2J
zBBVcu3aQ=)R0z#GGJGYh%gipRW~-8y!koku+szq?O4u%|d(J3sm=e6Jv~kmC5dN*@
z)8ht0IHo$n+gL!R+$TD(I((HUC)tP*)j*#_#}2q2YZ=?3>#?=WKrG07)?-X-XA^Ru
z&w6Sqn+fmh5h^SSE)aWM*6qMVB#K0{H*UZm18Ckewn~q#I{=V`F1Wif^@3L!S}wt2
zlIiMPL93!Uo(vwEeBNCjMc&hyyxDnBCvxZ_(;oh_&usD;RX6kEZvXWl^=9W^n(S@5
zMrLyg^g0C{6hAi;_(>PV%>5nL-#Kl{V`9EwA3VTsAj&zXXt{4kTTbXOG`*xnQhOI{
z)u!lgw?M^9=*mn{pf$0FR7Q%EW25en%4rFRSRHxBDdBTPW${OaPRw6>2gWbCY3lU*
zkUtA+PTx+B_jd8?g?rBR-d@7|3ilN1)iZiAhWFmMxAr}vj=S}^VLVpl$;sJpRxCIt
z2klW#JH^Q(jh+2OB~X0LMf_z9%ZHiYVp;7Nb&pWV!;hp2vCw%9)bQA@4$iHe^$r{2
zxkP^$|B<XeS$MPVAb_&K`H0VR`6{;E@NNLvTEMkL^9$JBwItxcZQR*Fi9{R`r}g!^
z17CB2#Y1QfKE;Ah;#vmH9ZzIdp#XEHxR}&dRebEd{VK{Ne<}8r+Eqq9iBaYJNZOf^
zYDZe|HH)iO`YQ&9v?J{$z5)z^?+T2Z9nMxNOMf|Nhc+m{B=<I~WDwNV?`?QQ9yKFc
zhZaJHh(3kBv*o`35-coHXXPq#1Z!{89%@J!IBfrWWWm|7sx#R3-OVMdRndmx2G9^b
zpB?VX<C}`*%P9@e)##A*fw6oyZ#Pd*XC>4i-9&3;XUM5k>Y!+zsve8m*Iyuy+OYcI
zK~0_F9H!XilsHTZ8E0+UiP%1S8^y(xLJPeQWz-z7+$<Kc+zv~3py3rF<*l7;ALU4-
zJc?u#_3bpHTHuG`9Ad_mbh@^@RXc!!s3KmV5`h_zpdnVsrDZ$(kv*I+6my8E$(Q7I
zy1WRxGm+Pl-&ekA+=^$?+t3a)5l&~&O0{m)yby?vUSCC&{6+-H#_*dQ>3KOY^8Mg3
z;Wu(Z!&yY;1dqr1DfSUw9a&#B_T|9FH+8u+veQ?wks&M(R`VS?uH^{c?F(<oNj@N!
z55YfR!j68LEOY@4S;bPkPHH)?AjUN+8NMj5f(`1D|1Nu#UQLzn#mpd33sPfwakX0&
zeXR3Eka;X%f$IX5uNOo(#>AZ3i9^=88IZEC%BlDucB0}z3_)fUvE;A-fQQPPsu#lX
zZ3n{aw>j0+hM-6k8H>a>MFffrGCS;1z7r-K?rnSoe)K`$T+QXf5Y7?YAZYRyi{3H@
z1-!e{d0V}RQfq-~H1R{=dubRZT8)mw|2h+fa!58Wv7IumT&IB&=Np@ulOD?YD3)8z
zny*D}W2xdkyBsHW4P&KTTIpQ1$;IFxZAaosAYY~PRx0CDQGK$M<{Ec$TpIF4I7_HE
z)GH9#>r^5_tH$3@Tz<m~z8IUijyHC_;yblC5LjFryWzls*tES>V?PMQzB2?<vB69%
z&?=D`WR5K)1<ms08P&15-F#HUxkwQSotZTnWN707dW)~;4LM2RwBTLi^nf9f3RjB7
zX6HCfuSq9^e~YY6l+qc0<EvHFt7ISpav5f+iC*$9tASfr${2EYTY=1#QnPHh$KuJt
zz)w)e8sA3t4VY!jD2~&axD26zzhZB&Mko3JM9SgTsJ+f%;MjO&adB{+TSWVz#I&?$
zOYIHkV>l!ES3$EBG+}cqyM#5<LZT*Srnbm^5f)!uQk1>w+(8qGB0X`E;V*35uv`{%
zp%FGNW4V|k^F9dg&Iw)?-aRDv(<-)I<uJ6jX}+{5K_;_S)y`U5M%+Y|$8&Zx|0yxO
zt0|(UI`L*BvCFG>c3Z>UzHz4ex((6cIOUJ!(m;v&(E9dv#PqvttVKQHE})GdwR&s^
zdneUie@C*Nn35-b(_)kMN;r`*AMjR)2SoNeN?d~h2S}xd{nW_EY(vUU>Ry?EdCn*%
zs_LE%YMkMamUa9ax`mQkjKm$l;yO$XZ}ipg)LfFXpJ^`Lt1~=QEpryvQqRaahvWSA
zgyW|MVw2equk|zyv3vKTn?$%uZfQnt8EB^cxqQ0AY!D4q?1O)Tsl7b9`r9{M=s}1|
zCQZtPCI>>3a+fB0kVpMBa@!wwX|dkr8$V9$Kgf*mr$ZO)%ijWT;}4k*Ej>fR@uB1W
zo(21}x_L}gd-9)dd!}R1vq+YfEP1gA+B*fv8K@13bQ3_q*+TN78fHNB6-)IqQB*~g
z*#$hYD&T7pWJ6Bw4bg!qlF3B+Svf?}3h>quY7P_zj)9yYqg7-p%Xy176Ne}v>H+BS
zM}JDR6}1VJVjVYc1rZA2H7ujXsHeUR1J;y_Z1X){P6hie{(I4C(b0#X**HlyvLiH%
z>lQ<YH&3jd$n8JQ3c_ImvwGx;&_dlRm76~bQDJ#L){wZ+dqOLG>{$?hL&~SaL-!<3
z11}*IU8#eQ>1(U!xWt=u6D})Kts!3I^*xDS@`JWYk9Vg39(Nk%>!YIbt0Ud)Qr)<v
zkkQcl;Q*Asmy1<!5MzIfP0NBKpWsX9Jw&ir|E-}LShwQWr?awbJ&Jy4#6U920%CP;
z?C0wA+;C*a*Kv8)2NRK1oY?zIJ!JA$5q33Y2#arT)hm@ALM&dz<(aH)e5<u;Ou@eV
z8MRN)&yhI{D0@bV{j=-YrLX7-`hDt)!ipDUv$s|*UxW<xJ@H-NL}P`@{^omZ?XN6q
zP+A{9cW-ZUjqoWLvU&5m2?@mbq60n}2vn>N-Ix4hnqESp4>?|s-_dM@V%A`Zv6K9{
ztEu-l3!&y6CbEMYJ+Tljx>(J)P25wEn8K=8{HJ89?^*W@D<z(ev0(l70`6w9hgrJS
z2|F`|Q`=$xe!-XoOn_GBmY2+UJQ+Mj$`z!_m9hu5);aV=$`V59E|y%q&g8(2#roQ<
z9%_N3iZPgPyHHI%)CY{tR-DA#NyJ^8y|hIvEr{$1_f&ctzAnWi>@7*flcZw4tynG<
zw`Nq7%La`+lKN{*{q^vjsbBGePCW0q$Rg*KS8ad1jmHX~3!)@nn@&EEWcagG7~N%f
z7rykqQlVuC(n?!WHVxtE%ZdZe)J@Wgw;@Q9+wZNCD@K~2PejWNE%bX7{XRI&4}yQI
z!C%7kz<<@XNo~(ruad~yDAv78k$+f_N|8*E?!ICQ9)5g*wO#w`G%BnRJwam|@PAON
zW8P2f_zFj0*wv^xi2GWEov{$B4IT~eGxu2~C*EPgrsyvLz=4Wg-o~RKV%d&_j~_E1
zBz>K?@nVx6a?=e0;!>rxO`C;kp}#1SrnOgJHiQh*T5{1M6L-liHbZ$Y+nP9%pH$j1
zFe%%Rc$Oc9z_4D4oK;_fxA9w=Ed6B-_Q>-F`LQJSUEiZvQeg^m4Uyif*)Ei38(@k4
zK2p3?ey#h9M_K7el5zqUhS^8i23XFsQ-z`ej}^JREIb6^BJipr9a+1DRY*GFFWEjV
z{gG#ii4+#Ya|xxHre@hxN60&tlv+^gX5*!v0=m|9cCXh72|bZa@0hV2j<GCMSQWa&
z>=j~wX$NFfWwB;Vhe5i~V7hRlnIS9WswWsi!HZx{s8<Kz!SgR?e`acN{*Rahn<3!^
zYWi7p1;ZK_UBNx=)HBF99TxK{76JK*PDWPlGaznir!#D$+W`z2)+!=d-rwM+-4cjB
zUM%n>`4u<W+xSzMOp4bTR$A%;!4YY5X5#q$O*;8on*6wumYjv@oMLjUFyHL_Af28s
zHJFWo9iE&Zp(bXHz>Bx>W9_3s%pl-ZS;#tCawsZmU@iI^oA7{}Aah(gC3G@%HzH@5
z8b3-Qu}Twyw<f1+l2GYkQ)ZGNG(!Pj4?oJ=75a9iyrt<;Z;I>Oo@rXSN|U?|W9b$n
znmA6Tm$lZFy=0b_yr!sZ#<sIQxnF6Dx1pM9Ng{2GyG2l{G1IqchBj?Ht7akVTx!59
z7J&nA->IDy_yGg0@n=F?GG~hSg7i|GK1<WZ{bJdehLnjR)}ZsyGV$Xo54?>5?N|m3
zm)c(x(6tKax+y8@2r+g#`8v;o_a~aQ0lOIlzwUJ2*ZJdZyx-=`RQm07F4QXChVPM{
zxLGsJzza9$Ycun%?$gZIO*1bfrfYeZ-XBOiBMrR92{y~jwW-jU%q<p)BQ#UDskpFs
zv-7-3ZxG}XLo#a0n)c>(h8yHQUS0L1^_A-nCH7iO8L=ub^MtX*%$x19f>3p~9iDoA
z;RYEg(b@7Ch&-fgR_8FCA)zCEDrFFp0x4Te+I5%ZF>qJd7GS*vI1ua>Ghyye;bf~~
zR0uAgRrMyV%7pMXT%pWY15;uQ!M4^Mz!;L_JrT#b{uz-7XXaH!$D3Z511T~A8;+r}
z@3AV3Mc<?1YD|91m0a9tDL%mC-nTN%+jtxKfv^!DY&E^dm~d<;*B?E5kKQl#d-AI#
zgxCze5P~H~k%-))!MbCllOy(BV|-!QkFs2>V{NT~nIgXPoL_6ch~YeM!=<uys>31D
zyVUIMxqYX?c>0Zb%gu0F_bYT?YbL&>kQF5}??v>Wd^gE}6@Au#Su`tEc8Jz$M1-jY
zSPe2_LW#YjQNcmihC0ab1@?~koYjEzN?|d2-jiVhb8!?s27amv)8=1gRb+>AEy~BH
zkCq{3PLw`}i~Rsx&fr@pT(a=o)6WB@yz=8&Sb2JcWO-G!UUvG$^h#dyB=@M(WvM8y
z;-Of0!0Er@$9oSKci@1J?=R~^GUcLNPxM-Kvdwg2Pp7cBO~@yrTZXlOJ4ATCjI%17
zPQXr(_;-}AE`)u(&x?C4uW4d$WWAI+hP@kZz^`au*eRW!>0JJ-NK&Zpi^QD^d665E
zC5N!s)*NSUN2=ArRI4g@8Rtq}TfB_$2!!*7I%j{FDl2zzr6@ZSEc2X;RWn-7nF}?P
z9aB6iO)8swQ5M)Y6W%w0$43lupjw`=kN5Wb`I`{CE^U8;F;f$rFYQ3K7oA;J>mI1+
zs6^IShF6>uZ~$VYH+}+`{)m229Dk?=hxEC?+wgZpWLWTH9P)e>t=@+FNJ&#kv2sqy
zsM07(vw!RV6`9^q=Cx!$*Pt*)P#7~FF7r0t1Bnu+3nFTsKj&?1<An*7c!OV2^hNxt
ze}#CMY-bFv@gWQ4k`Rt$W?8HCPz}lbsZhHp@*z(6U@@n~xUYg$znFo}PumF6y7mmD
zL(AUb&fnXG+Uyk_pf%JD@){+Qe`K9%BEj~1$`lE`7M+$0dNrKE;Y`Rk)A|O_sqnqb
zaoFD1bQT|p;1JEws*3J~Z^|nBXMm`H_6rwyZ@o(pl%q#5F2u;ksX8ffFNtY*Lihp^
z<p?IOSl%v!UZ5Hwy#P#y={d)-Y`_XT6xFSpIoq92dX$G6N*G1lR>A+p!8L~GD8vBX
z*j6W@bK2W*4XI@IGQ*AmK{8og?@@8&Z4iT$%r~sev?vK>1usELIG$g3RhofRp+V}V
z#EldI2XEs%pk?&zi-9>$=bE>1e0Jq8LY9MURSAgG!8O+85vFsE33`>L*xH>+vBvY=
z!Y0f4yG<AGQ$h|&aq{o&NKcc0PyPHoCoI^PzZDBds0%B33@??MG|5dWBx$B5UG63g
zlcksE;?>!Jyb5R}pCj25c1n{cC@4vsw9qD=nmj~-N#f;h;`C%DINT-(m-#)gSI>&s
z`(vd`Q|wbXuY7-R@1nKZrW}3^P^vu;3B@DR9uGunmr{Y(Hm8DRR3PGa0^#{fJwd`~
z{7c&e1d@He;|cAfs3(3Y2~kQ><K8l@(Zze0ypN)xi2pyFQ(GFXeVjv&@o0!Qe;3D=
zB>%hAjrcpm^E*A_&^18*fi9B$Li^gHuWioV`pbdBVUI<Qq`=F~-8W6-w@uM-es%fY
zUVVZF!iORaa3~2~rH=&N%<qhZ2%DSM9;xl9iTLAf{<kP6or#;?#ZB+p{97bF>fbWn
z|NON_N2hH8mCis8F^60R9S7~<FbhKYu6RQ{m>c%Ll@s=}+xA@4-;om^?|&;epQqSp
zs4}ds=}1p=;msL%Zi6J*Eqt?Y3xVi?h15ea2#F}K;MW5#N0VDt$n01CU3m_$om<?#
zC!Qt4LT~ds>27$#B2)S{1o-hVvD=j(6lYfe;c*;K>zxS1h7)3Ah73^gY$~z?)-*I(
zF+lEd<VIR86fW))I63X|FpUQ;@!Egn2TcWGKcQ@pE-_u^S>`y%2%4Q_JnVKDeN$y1
zi)0{S)(&8DjCf{2AbK&+(=a21=QwB3=6vrf3@fjAH&+w@Ntb|aPCiJ%7DX5NzT+~6
zT?a&-P@6gOubF~Kv{8QA>KnvllIqcWH9giiTeD+Qc*S`-svLZ1b8ek1?P>0#QelOx
z7;K}zMr%RfJK+^?qo0AZ-~+M6S}NwR4@3>bDQSqODMWw00VkH61sBK!w@aGI#8&ts
z4PQ=~2V(w3F8pa}_^(u(tbXV^pJbqWPZ~bx4i)5M{v|HB>1l9L18#`{SD!}rH<{q-
zvcQE6xTP+*3)A2x7;sDbft#EOE;kF@P_d+A{<sV7qBOXz0h84a+$Xy;IxE5>O}nrG
z2WOeF`EDBA?+mz(e&8NTgA2`0gBl7OfmxRe>e4i*DF#$mKTwxufMWYNgCXg(Cwb7K
z<N=G41&fmVE=umRC^=$LGIvojhk@3DQRQ5n)pB8^S)rz6Av+vGxX2SdqR1ov>gFeM
zm&C;fqIby)oLnG$Zst<_SixRXQu^cg<2{}x|8~^V_HcI&LeL+6LI8MzC#EX5Irr<{
zNeg0Yp9Z9v0p5It_TCEZ*JtkSeT)uy5`Pk$Y%_P6BF@W%^suNPS(UcI=SqPZZB*oA
zGwL90eIOQ-0xN!(ChYD>0*)*>`_$%mnKh|Oi#yGLEOP7pC0%coskg}1dkKC^*PA&~
zfi7|DJ(8|>i>bH7*1IpOp0lskTk6(ZovwGjskhYD`+?TG*K`hEwjFyeUExSmA#N+Y
z1)ro4oI%{6zr(H6nXa_OuLyM5N)KmMnn0y4w^CQS(!WimE?en(D(T_6j1m4W3(rVr
z@-WfXF4MF*0a7u<h3<d9g#9FTsTf?#e<`CR66y{_{oT>Za!lSs<&m8{Slv(DXuQNS
z-&Hy%rBqEuDGm&4sR_2!S*cP5l;XQz(*!gIhAM-xsa$q;QZ4aGFoiMNmJ$(bO(M0K
z6unxpoq%NnrPyaYkL?hDPg|v$x{Hh!u}X>dLfsKH7J4|%PyiY|(U8~<-P}L^sL?}h
z&W|x6-G*EP&Cr6zK-?f5grC!;id>W|cvZNylvV8`mUOyofm>EP7^{<xQj#Fwmz=}1
zO7?{c(xZ(kH|5v$Dc={e43-P|NoIc<hXEj$WJAs_-xsnBunYM|p9gtDHstK`S&&n5
zvBAWN5BtXgkxSFMn?F>xw?e7rJ1{MShv51J1$1+`d8aAiZ03-oq3j}6-_c=LNf}|E
z=A0(A^PI<Q8PgtTq(T8(MOA2Y*lALwUaI8VDotsysu!cf4oa0Nuw^dOGQ&Qd57Lp=
zl@dkbR9?hxZcdu=+5N4Q`EU;XSSxk<b#xY$ZATxVfU;=wXxrM3RgyXE_RQ8cd^@#n
zNX_Huuq(Al%Zfvk2K-rhATXSd6}p+u&7~HqZfe-s+gxE2D`86^P;;$KIKd_$3F?|>
z*u<k@1SR7zk;Bd3x5)=+^00Sr$e_y62G2!e{HGBWiO}W<me9-O+0~JRL5AZ67u!^K
zS_+=zoF2b^mPZALzCuzyL1?mo_Z(+YQ}8lthU4YZ-ktQtEVXoEYQ@UJl;p@5uq>%{
z+yNesi=~CSV&)R~O8`U=F8qY!Go*!sTx#+BbGTwaY{*;cl3BdmQZYPZFR1mWl7;&U
zl+D0AOGp*CvQH>za*&e-t%zjyhYBSjozEqml6;2HSEt(k$fsW7kmA83KC^^f;TpX9
zuLwG&UoVM%AMfwrW-E;DhTltfb#c(<oFrMYnxoh~^32^0(P`*RRG^Wj*NFDAC9bE0
ze5lyIPSXmgIw{=d6i`ya!;FdX&IQbu*t9NFST)c0rMxYCHEWOLA*v`%?U}L|F<LUp
zIIwGM7bZ%%)RI+KI;>e;96k}dG{QnzR#fBt&fKqpKdbeQKu(+`Dm+mr$=80*ZFr(o
zkRpnR;+2zu*V)=9A%Zl~p^9Rib8!F8EEYJnGxuXoB~Nxy${P^G9JYNdRH&`({!>x$
zcV^LHhL~oC4q>U1Uhgq;OPMn`7DCXQ1)g;Xyd?{Vh^$RzQ4TSfmd10iNpi;fdvxG~
zUw4z`D2%Dl6UdQzfK-H*%NW?YGnBAG2x*80(U|L;r9ud0&{U<Z0*y*({|VMge=MI8
zgVwr1PE-WMqoIuVHF=GV9x6~QCdVr#$~|t<eG0(sw&Hs$Nrre9X*t<yi8o0x1t8Hh
zDO=zAJ^C`y@dmec;o_f6p@)W{pk<qLljJFN9YZX4^rC7*Ggq`1iq9UIS<z`QW36RS
zHAv1taJXn{hl65pnlZj_nh+E^q{n$sUcXtv3sbf^ZRe-ZRJ1p%3^RkNW9p*$mYUFt
zlSNf=`l}(ZMN_f=79g_Fe3l4di)PQ%EHtyVMVm)7f|Y=RePN0L?11|eI~i~osm+lM
z6qPhG-s}@AMh6Q<;U^1S!+2m_l#v>>Zo;%4f%uhquB>%=P*?-0YNkb(5y~_xvY9u`
zngQgqN^sFX7?rAE6vH2Ywrg6X<vg=ZVDUrqVua@L)LJ#9z@<ngei>RdqbIStGz1TG
zIHe6sQ-qZHE^fi#b+pAJV$JkO)E=KmmJiEgBQA&4<i8^V75?tI0m^n0mrY)qb8?+<
zjGgY%9%QjUf;a<{LfmAMN~4jwykvn>F6<^%>{wep=<4?ry&!`TC3DZq)TNd512zre
zW0W}pWaCjC3%cX|d%X9lVmc2w5cTijG_%Q9u56yjuF*1<*PqnS|KuB?3*D;QU>A-*
zQ+t7*N^Bx#*SpEooA9;JH#B=lcJ>c!_PmgFPa97$Yxkhr!mZjuP8z>S5Z29nc8AQ3
zRe~<j5cxw$kLwp4EjORd6c79N<n-&$Hs%8TnK0hEz%D?(ByZKeeKR_&^O_^&ySveS
z+jtO|7Tg}DqJT?ah4xZ-LWshTxrHChF1*eye3vQwEh+pvw{R@G@E_d5SD3;_N#Psa
z!n3mrhup&BP2q1!;mh2@Q?d&O+`{`&7~jYz;hrNF)_9jq`vkq&!S}a+bIU}J9$SJv
zjnleJcvRNx@ax;PJi`jHT44v55FfI4ql9>r(Gj5DX3aKScXlPaDMF^Z$z7DVOaAt;
z=pvzy00*14IlqAiR<z$aQ3y?fOa_@v<&vkGMBdvf3oXa?M5lcesVmY_ZIvZ%DkVxY
zp20x*TWaFXN=ppms&(83tq5WgR+i{gZu56*)$sftPw*sz60=uuh*k!)NO*p?C%B0u
zlEp%o3Cko!=3px(*N}m_Gx(4CNO_f3+MEO|=gKX2#%ho83>%j2X|5BjDZ3D=_n{c`
z)}UcQZ}?DIU(qmR-$VljQ59t1V}I3BI6qH>NX9r6sZ>(|^ncs;^r#@H%&6FY_t#3%
z%0jWO`J$Pq0bZ~Yg9kra8Jp-?@i@e2{sY{(ayfsTr_Wa5*Cq5h0iKb16<Uvk!zCfT
zJL8qtiq$TpCsL3cfplXAq>T{GI>LjOA=|q=L2Oq+CSz!6Q<ecjE86;p(AnLc;KD7F
zdJm~Soj=BHDqPg;<&RXk`6Bt8CI2O78Q@p~k-9>y8?7tVv`Ag0{#u4Ld6lKoO}-sZ
zBT-(W7-NyTKr-K?=vzs~vjLT%zb(J3wQBW#S7o}(M7$aFUn8-9r`kvzv{V21w%aN3
zj2MbJ^=2|yiivWRnS^+!^PZ%5!I((Wq^gy75e;cR@2h7Si~S5_%NTZVPp+gOy;CTA
z02sRCm)ff<AhCaEc5|j}(9XPlq3uj!8Hg%$;Q+Tkv?Uyn>W{_b7E_ikr3O@<b&L$=
zI;e;>{e?!AmF|F=7d3qtQ0_(4AueGCbiudvG6Q-6Z)U&=QTTQ(v3I7J*h}h`1c*LY
zlHT+Gjgo7zJo{0ymBjv(TuSPol)QV!|1l+{Z}hV+Abk|>H}92!OiGey2$7;>sikC>
zP*S3%3?&0X$%SWSQPRvBI~1QsNq2|&Y{P|Mmd%~xT<%l}Qe@_X<sVmSOr#N&C6}KL
zeO;~!9w}`PO4y0hUBY&JCX046<+@WF;rE-eE&)X=SOO|b%6sKt1l7!xtdTcMss3E7
zaI=b*e6BR@&X_jc1K6^e-B@b6K^3KTkBIi$7})8lfxScq_D_BtSShCLaS&ZIFQTBM
z=T}O1lLaO<H8)FbDV>{c6{w<B0z$D=6_*L6cbEa9D}bA!D<A}tLO1)<^RXzkf^cVf
zYRtz20j_Ry&fDTDbi{``#w)lD*qxEXrI^Uiv>}pgR-rn0E2U}9O0|+q_HAV&BpbLD
zh(()yTPdI~AdEGl<0BGU@sCs>;6;o<kJK2|%NRvcV|1yE(U2-TMs)fXDy2qVsAM2V
z5T{{@<~Yy{g0!Ft;~|XLB$rOBtQ2cO7@<oV`E_<9_ns+@$N<Vj)4D@op{%yZ2r(}d
z7NblfYW1aPwUXoJX07Iq$e%%dU|MPYezcMvWwxRe?bFJI{aW!2+KSfyoK|9Wb@a)_
z_zX6h(p?kpn8S{ilz^nlWjA6&8<d2ZQC}I%Oc|ItZM7C@f0U$c&f-%uL319~tz2Sc
zo~fMD9tRInAZeO~8RlDn$-h~~ww`j+s*cq(GhSvuH9#;mY*Pk-|M>_U4x<QMm&qiA
zN?HF;1L0wN-*L+SaqkyefM2xt<1ChD?Ede1|Ejt^nfQbE9!lv<F~TrY&ka82MVU;I
z5@dx+=f7vrx$hdm(TE}ukdG7My`sb{6q!^7jF>F6>LhPbF{2^x>1CjU$xy0k##9o%
zFX!Ez86TG-uTF3m4HnJ~z)5n}UYumKfrpPqt@rJEA0ow=)+ui|_@^g$3e){R1JifD
z_Ia2h`xHwRTK~=)0LvGFk%i@vX)K?w%*Hac)8wun>69^B)e=WtX*=iA4$WrRkSgb0
zdNZy<Z+_aG8l#G3k*>54m>y}~;_m)yeYf8I?kabY007W$2z2kOy)4;hNQW}UccM%V
z*LpfTGpEFzhf+FQvi(^QQ$~G6ap*7El6Uu&ZLUVhmZG}^QcBXKR9?Z!jDvAmrTbBu
zVhMM5ARE@-46N=zo4*G_2!<FEM}r|_0hgbYY6?Fi3SWKgWa%*7av-@nOjb62UTbH3
zc5CN+W^1$m+t$_}l|o(@eduJf=<C!0FnwqpouP+65C4S&K|IFw(!^B3!+A=as{kDF
ze*_^T;$ZEJ6h!?Wr8NHMwRE6qDP=ti?unE6i?>uv2X}xD9p_>9o&VI)*nB-Ejf~q3
zRUS`6JjA}X8OM)K%qq6f7Mo^@iNk|2ZF8Q@E*7@Mj@M$rzFtw-!Qa{H;S-1Iz;&Zs
z6;e1GQlo|R)|uIOeJ8tE)E0Zf6ieZCa&|E>t_9s+X|aBI$&3ImA(c=Dck36Q5BC;*
z0iJnh|ABZWGEKsE-D%%t4VvYd0E45VTBygc$Oph-%Del(DW3SiI|_e7e^^&$!NP>m
z*$Bf;>-fN1U|ghc4FWT@JD5HH56%MVPH>lphY_osmPwV!l1{ADj>xoUz)p6eLo9r5
z$KL(gP<KUp8)M`Aty}_lUFwhbKQmtzlO62u=*d|VmV2j^{P48B>bp(8M1fA%QyJdu
z+PWRhzcGWYO4)h7LalWvSSK8C8)_3#Xr_s7oYP3_N;>6n0;X)Yu^~|yOqx(fRB)Fq
znRV(z<AGgj6U5z}T&_rn_m!>{xhT^&8%cbxpj-*ciN7!vO=0zXFk1M-DprM#NkLHg
zKHJzCWS?JRoHjVn`p%=POhc_Jab$R$UqHKTAc8t*%LO{o+72`73NFGy!RNFaDauuE
zN>lFlnUwo2U=ttGKvrYLnT<tYURmb^zfT#|zL?&&16Uv8adKB1qg)^wV6*vD#n{%c
z*mAH*$PLESHMCX}rd(nrX(@SU7L2=r@x?f%1(d~~pUpAny*5a{{{Ucjj)^tLFr;Fm
z85Z_x&0IV@0RS5h4rVD1JC-<3!PihG<tq8(agv-e%;xB8i|LZPdwHGi22&Ll`<sMY
zOSk_`BV7!G<sNl*cL5ytqAc~gl<cmfugj1<A_~Ms)F+5aL7*m&R;XRc=0$c-J7o)I
z_LEVNu`CKi3#pmv+IfmJuxlZNz?U7(-i_>cou|cUV4`Wj_TDaaJ%M3O+5!5Y{74U}
z3WI2*Ysff=sePKQos2Ki1{8}DK}MSt+M9Y7d9flg<5dJ#z^r*yZbN-?rC4gthLd2n
z$ZC5B+YH&#h+J&&bN#w(l&IB8W!1zvEYoS<NgfK6W@GPdcK!mOnuwC|_)~zH6<Y$M
z6shGT6G3{CwQwy3T92V=rS?XgeKJ2%l1Nlgw^SSn?kS^8`j=i&0J>Qjfnq=52%8(b
zM1uu_E+aNWK-}MD(C7U!d4KL3$~;b6<;+~eM^0<ymC)3nI{gH!oTFXdbmO01u`sCr
zbK0_th?7s&j=THoY22*gnZoZmE|3}wzuZ3f9se2lWiNU>#il3Ht0l~{erR9vavJTY
zLBXQEKzQIY*FG*?5BdzeYedNyIxAi0d|j}~TJKy%_)<Tlp6W~^bxInk#JChv)*3E=
zgJ6tMH?8oCo)OB6V^^6&dGjl@AlYdvKx<{}NVZ9Hkrp-@4HykOfLLkok!i=au~>_X
zz@SNOLatvncBhPQ0HoSMN)Iw|*vM?HYQf$k6_<8hn(B_Lx@2w>Q&cwR?OxwIFL8&$
zpN(#DM#|tL*Nk{PCd%n3k@&ioub5s5rcM5LNzsWkv}`Y1v=_gd{Dze2=UrCQ7D~NU
z>G5dLySwu{jYbKhw$Wi7Ld}UJS%$dkM5VoZn2B!IWp-0e&8TJ`yuoW}P)&?P3>*yp
zZO$d!qovQXuS%0Y{Tg{`B@s7=jOd|9a_5$Ug>Fl?IZq$Yv(Sb26;dEImCln=qGlJ0
zt<WE%d<*S$Hi!&HpBP(11OnmJ?8h3|T~zPF%tg)83?r#ZVZDtwXmi@Np`ILb2J2f!
z$H-Ql%DmGIvi;k4hv3pw`#&@7Q%$6vRQGqc`Zw>}>fgkHH#=c+IusQG%a*b7@HVWM
zZlp8CIXah(BsCThTW0&?!6^1ry>ut5WcRhUWO1tGV^Z=0Es0<S*c@Br>!~8oN|AA<
zh+r{c-_UWOD>3tsZCZD$XP-dW--B7ANKV*?yQ#$qAZdw-#vPC<3_?VxPo`omu=Z~%
zNEB&_RByo{h31JV92Cumxo$%mHUw!milUGoogL!jozF2Z<qC9$s{Yil{L$dg3~h6M
zhSEW!rq+x_s*#Ln?rMIX?n<ef|D!Xo2S5Y~lqljl*>p}H#xOMbcS@h7a093jA+a;1
zlH9dNCTz#Mtnx~%fHPYCz1v&;dmn4{f4UL~41DWKxun+FYI>*%GEJTTWF)MVgr`jc
zj474}`b^lAp4U3sZ`ULQLYuRWKC5LpU{8g&DW<)-&WddBGUHZm(jO;UH&xJ!=#MPG
zW+=9*`?TKEkbxu$&NKz}$1vUb2>-gvBp0YxN_G=Jt~*31=|*E@_~WHlu8{^|Rria`
zbrHSCAgVN<Bx04RgOO&Xe1?s)a<)+G(_=(htd`pfIyw9Bxfaa}Sr(0ekg6{M#acAq
z5%Tx7Xi8oFF)P(Bvwn-ql>AwWgLVD3l|XW#h>Xq|MFxGtUp|r%0(}ORFqr>j45<yg
zZ<AhG#yi16NiI*XCyQKslyDg^MS;ke8{^R0ql(Nwj>tqt>`_G~!yfI@3DD0T)scA6
z);9JiC8ZlOF^$ejH`zxUn`SD@DP1BYk=q`?>WGYV`oiH!liqiIXTuHh+~Na6FLj}}
z9-0MR(iQsun)J_sUTUHD)Ae#_IVKF+=A6$xD6V3iB+sI*V}vnjzAF9c#>kQ65>r%@
zE8S!$(TrW-5pWAZOn0V+-Fq)j6|1~@lC$AglCLLLxpq?47j4diTtOp@ZV|a#UuELN
z<*@RLQ59)ssh=PaklIVRH02cmWa7q`T1oIf+-*X&rOlg69jEjVEz=>1w#<!gnb&QZ
ze99zZ{jnOIjn%MhtlrGTYKn_hFwh611Kie<wzc0K+z+Ge&s(gw*)rE_8AF?ExTnM=
z%;h{|A}OVmaMLm}tL52*3I`P(J;m)x@&aZR+-|K-%dsbF6<MElGg8gn+Wb00=%R13
zpvFv)LBlrzdBlw@W<W|F4+wLU+(sg20}RX$GhsgSjn9Qy2cF9#p+}<A9--H96ry0&
zTuHldib3t<5_lk{rp<CYsMj2x;WN8&i-c0xbDDU~8oO06x<@oUqOv1*IV9pAYn0y=
zJEajlmP8{|_Bb8%KM=c13)@4JM%#=qO=Vg0B5*8CH*qb3@bqlz_n}lqspYoRgHYu1
zfOi3m?(Y_FUAL*zf6e6@VBf~RUD5PQri4mjbZFMvBnj?rXtv762h;ZO#nPp$xU1|D
z1nUN!$ysZW-w5eJJuRO~T?w6~F+7XV7;>SGG2&EXJXW0Tzxj`P{JIA4_~i(@x&9lm
zY0HI(zu<NaySv@ITRF+Hz#Csr`){!8v-_cOj;i4=q4R0Yl39w?mx%dFBj!;T)4E;F
zVn!fS8`lX#{FJ^}ZTveV`sZrnOVu)T{R;v@v~e|1tTuj*K4fcS8Fl(SkULd~drCHO
zzxy@n;|#$rt7DFek<uZyn0ntXRmyLnRdXG~;J((IK|`-e$nv#*m77)!<vW^lZ_N<E
zR{%KqLsudl-a#>O$jA~tttU?43LLk{vujh3tn)i0h+A3zOLE=y8+?HuLW_6G<KKkh
z>C+CMG0t<1l*J}j)2|x~kYOK4_StbS|03h=uIX0J(D6SCY$B_h7ZaW-BYCpwx6g4h
zRb?@Oz>%s|fU-=mR%qdxWUeO&bHeV}%Jv+WZa`wEnbD_qn=^y^SXNZtks$#v$z0F3
zNOTbl*2A+P{XSFb{=|LH_V>rw9?)vWNTyBI>vPh{Gszb2!m4#HAvrl&=7MQSAwR`s
zKbbABNWa%f%MZHmJj;zTR#mMPs%9U&DNOY~v)A8)r3UNuV$nGny>3dsD{k}jJxfmh
z4SCwH55rv?E%kP^rr>HH-f`dQ!}-GEM%@lGeQ^C{{rHs9$4Za0eLTm20Z3=a)gn6H
zBRX0RD@QnIp}Ve!Qm9)b=5WT}?2(LSLOScX9hDMzh{f;T)hvlZ=+j3TxGqb?csF+q
z%r*ce99YzqcIgD^QbcU6?&d=?=XrgR3tj`5o5x!4n+h!W6bGrKJw_CopfS#tTjrLt
zv>ZMd8Z!jx2iBy~I3*K}UEF18dTG$`Tkz9e@b0qCDChe{VPv9lf?F;eS5{ca`+(HY
z+#@s4sLMp-nm%Y;YSHK*dRoaDGiyj|jvUq(jR&M$_Hc?qH^cc8fH|HNz0Gh+qRv=q
z4kF8})>8V1j3CB4VI-g#U(I@JzZ8x$WSos`(5$uTEScbv1syc&f5{r8T`NONzlaQ7
zc?I2c#vR5enw9L9gTUtVeDmHcu_+)#Z0-vbD>m;qT-YM>+$XcH)D;}qC7HWMgIgU@
z!1T8|4qfdsV^{OlnOtxs2n<4#%&|xyWGR+qAsWluQZDd?C|4(x+jVG)a_@W*$_;FF
zYy^s>+zc6tzLYCa$s=Ncxmc%CUu{6%B_1jDT-vYqQYWf0OMJ|Gl>~*0rSf*lQkf&X
z{m3D-X-dL0)JT_nCspznQt}qJBzU~@)z9ES@(TseNTyGFhcF6TsRutA7c91?U_T_V
zk5|~PZEJBh@mI)Kjl-fZdVoRR>9_Pv?83Uteiyl1M!tA~%B=&`(MZp4Yc1mALlaGX
zg$JDTDd)nZj?(n}(p0-`mE|CBWQmOrOG=;vHBAf2dmi=tf==b328@NR!NeCH+&@0a
zjSuRJ+ZhVa`VCHrr<mNT^`Af=cPlqLlvlf${I{;Y((4nkQaVvr9dw3&vMZ;OW45lZ
z#0HV**fUmE(l4hBJgo%i7Fj3~z^q){Y6t2fO(C&xQApPq;SD4`nd{nfnIq68Q;8uz
z0R;3J#`xF1(g37W*PMjsLPhW~K)+ANlOki&`)ub6El5bsS;i&90JD&3<rKFSJ@2SE
z{$!=laj?dE$nDeE+fqRr`=b5%<!AQiuKrE@Jk^AiLH|X6DnGNalKzbym}<=JPpUO{
zeQ1X0BA0j!(f;gb$dcEJX`>nsCnjgS|3C9hbUUSvvZYi+^WioLLUW_7-QoOIb3Y1)
zNy?^h3L}YkiPS#tV#1LA(0xu1>D^E0kY*$Ibw%#^`G>(yoz&^J?6k;i;dd*J&ku~_
z2LSBD1)HUfEG|glI5^dAv2A@e)rvDQ8iZ;y`(so)I7VNHY9j_hE`w@NEKTCyvPhNj
z|17FK{&+vC{e`4Vs#$wkJvQmn+&yALXQpMXtLaQTFc3TV7mR@E#O^6*UTsvpvj??7
zfetA!^D$us(J@-aj`=I5L_0k&QVzGDEz!KjLRn_Y$jZ2YOxV@z?WA`6u9BE~&1iG}
zN1`_Xmi#*@+VEzHb#<k&?1~y3CDcgpn&Cp{xqwb2{>LZ}Q>xA4aH1)t0B;k3(E_d(
zt_(!EGo-C|gUHSE+y?KEd|lFM@k`{D@0paj`R5E!pT@T{MU6e(*8?rLUUs%t=I7{%
z8zuMU##-*=?7i&1k<W2Y9VjHcTvq5xkOH+wjLp=erG->Il;)>f2(VHvGqdywT`!rq
zLGp2fNV7dO>(ORmg*NA}u9YjJyw=j@Aoey~VAntDj&hH1f*s|L*dZ5S${a39H@k_z
z{WWkE`?O9h2XWXU6sKZb+Fr-304tF)q_;Uo7+l&F=rb0VTMSUGux+`Ei<YstTwzL>
zYA@PqQ`|)0eg(LRxM6~JONw({C(Aq|5EcGp><8iKw6o^tM*E3VzaS&|LaAiEG+Y18
zRFwEH?ZZW)BCPBFunf>*ZyC_Aka`NfnGM=a-fKjS0y{qg*iAH}1WleKtY{mbO{!gK
z-@U)FB5dOqq;qbRoX_wTL8ALbn+W@$j)pB#Qt^&$5MIR$oex`O%utP=Q||dY)iOqT
zpw<0k1KDuOD|U4LW%kDb+vXgsh#FHh&0xPYB}}!=w%P(Wk!q);n;vjx2<YcT?7Cd)
zim-}|w(ni$GL$xC8S1NUGcqS!<{siE0(S*)ZMU`UejaHqc#!{SyG!txxt|P;bkVU*
zJa2`y<o-yWt;2{{uP}ga5>S`GIGAOfvk3@`7{fvQC`!oP``T8ruG`3E&ZOsHVaj;3
zsBKjtF5W7|^bW;Eb|}Eqjmm405&G=57Yx|;t*N$M&WLn3`9I<^0*%bcyy@XmEow$m
zG?$DTyvYA5$WnKC6l6+2q29650U`?smGHz^1Kb1Mn`h#OTp8q#Gffb4fw5i@e$MIW
z<Ns8wyv-IX89CVvZF9s8k*1x<ug(ahp4Q&v7c;3-$~?3}+i&;&N;ZQ=2BO2Bx)Jx;
zbT|LKf68#m*mFf~hiXNLt05nJSIRt|=6^m^$c?j@{RZg2q|#V+w>y*j5pCh*B%cEC
z)c_u79!vMY1fiYwN?01URp$2cA8>o3b$n+HJ(0dgi!v(~--Xgt0O@ph&%naPd!hjJ
zTd~s6@AK2^sxN3|q(&_=&C!|T>a+i{{{O4Gwm&PbNcUB{Y(tcm?lt}6>=D*NHVrfD
z40!(-<Vew{kjg@z8^4lGAE6_gHiPi63GjohR4d4rMqK}h9YcwxuysExrL<p}z@RDa
z2&)yrtk99xCELCDJp0TJliTJj;~M+aDllUnX4N0T7R4a-=ix#A-1=*^P?j8sRu;M3
z;^J*N^C)dh*Ktrrm*8&6|G&NW=~>mMc=SvA-ON`c?A7`&%dd7<b(#B~amfn2oc5Wx
zKB#P8jTu41n+mt`;eO*|a!aJuqx$Ds8x-592p(}c_+l=saXHxSRk~zJM#*s*B~zT8
z_Lr%(DlQ%ydexVkzi7$qdiKr5j2@b=9@51_F?HSTV<c)ppI&5UxpU$Qs!%N30<qkQ
zeP`rmos|ne9MMlM41`-hYob{syNtp0D9II0pWUr=tk=DtXoJKy*JbZ>ucDr{5<_`v
z3-+}mT&U7*w{N1oKeul)ENZdg{rV<*uLJc@bpbRQU?eb-wWGhl;&3;#QYhJ7nYMqV
z*nfr)<=^S|nezT;-usT6-4V<HrA1GCC>zvK>GwJTwZHq$^8!#Bj2esFk-oy>zi?QZ
z8YV8DrqlQMW*FIe&1?t>Jiq5rDtpqWwe5@;kb;@q%R)zKb}_c>iY2%~&G_}>-i$1F
zgde2JV14Sxy?@P3_vy26vw0b#pMkBgrnKHxIaPYAh_DG}H;&t!qL0mpv{eczH9uN+
zg%l&=Fg>b8@Q~wrda$8b2Fn#@M^ey19AQiGn_f&jxYS&CmE1UBZ;kxQTmf81g>-8w
zDOXgcNo&yti#BK5Us60&DDRun@6=-r;=c2I(~iOEo#LSq={JSP4^7kCQg8r`ptAW#
zZX4Er{cZOhFemODyv-#p-&Wc-+lHjujLd%ko?U{uyI5j7B}SFs?t1gPlplFlrOR(T
zZr<Cw%x_1x`R(j6zg>IeH$4A=g>xlxcX68p6nT>81#X=GKrj9ZH&smT<akZ(O{WTv
zC%<k|k4Tjjv6z%wbAcxRCH}-8d1Zbr4&?ZknCEcMkl=azS-1}|Tfte0dP;?Rh6axe
z_vD7=1j1J>5qHZ2;jS~n?e!6{)R#2zjq|G>82<k?&ma=5TC-HaJ}|Pw1)r9Ek)B9M
zKJ`M3@t$zcf`$9a1LJlBLxJKGDrM-G!Ac*_iJg9>D`mmL7-pY7EV`FfQY&DaJ@>Fm
zD&miGf=5?LIG?!N*?XJEI8QpG9LL=QJxI?rk?fu5<2)8IU8HugG~+a*!rPF7_t39_
zx4HLIR3Fiy;;|#TF<fLe^t&?FKYT<W+_O*c2mD!h5Un=IF#<lk?QLiRSRzW#!#(>3
z3r^q8tGRDCF-H=Kgn}PQl(8ldKtlWtLK4DGjQZ~>m6?@T^!e5H^)}A#TkVoQ3Bc@(
z1~`=5^P8Q!tdkCkc^_T{aT4Xy$oyyc{^jEtsM*;5L(-sz*d+PnHV{Ql<p|=Bg>awi
ztCX0qG9)LWq<dUv;O|P_kXd$RcG>1WW$QkpY+ty=nXO1*fAVUZqGZ*SOOh8$&q5kz
z0CMvEhsDv{M$h7ja$q|=|08Y)Yx93ZkLc30E{<)>1ndyR6~GbwK<>LJ@hUd%qQndO
zcO8Ez(;1z%M-31jkodA-g$ctwz4I-f$>mIjZ;OR*=YA@Dru>;vNWKtd3Y{#4&euZ9
zjLZgglNvULeGfD2drGRtB&ktE4f*m#YPC`%`X&;33jxMq&#%y=S;4z^N##>NJpV1m
zUM5y5+uI<#E3Z(ZhhH4Ao(bDSa)+>}8$0f@rz5X++(*cYe`wM=Zu^yA8Okc(9J1vn
z4+6hW`IT<@Lntr3FdrZKN3r^1ed=wn-$8fX6l1bVHkp!rUD|oZPqB896i!R5QlT6&
zsLSr$G(UxW5cPJ-RvmH22$7j0l=KQ96-p{Ze*1|Iu9OI#YEi(&a;%HZvN$pH`Zc4a
zTocM*y5ln8lD^lGdK*?}4}=1pkp^1ZA85n?b(@=TiC*s|6q|5dP=-Jsk56&Kgwy)A
zs<+?i{AT!_WRuh}uArX4*i`{;*XFB+vXR{<Rg^@nunXc+{ZN(n8(P_gkfpAy6Rv=~
z54dVNQhO(U;iW>|Km1v1Sj7ma2Q0hEL8G4=VeBSN_!=J!PA9qY={u6-p1f`IcS1n!
z2Y4P%7mk+7%CGahjYpDZlZHYbZc*6hF)5uGW%P)Y6(QD6q4wtS0ss`p?_zi*F+9KB
z%&GRQ%FioGx*zp`B^Mv{LM6A0x|XsN=6M_R%f9yYgasnZG^b)AXZ`gN_U2<}-iQ6q
zN4UxyK`PdymYJC@etCBB=^4dE=4tWDbn!{q#ZS#BZhQV!kZ<|^^SO#{qQ=-+F3r*e
z>P}NmZXS-)Ry;+ZLwb}zaR?MQ1mX*t8Pxr!R@PAOYyzPWfg=R^TJT)=(GW*d4RPeL
zA8{=DGXNc(_I#v+TaR=2{8$8kXZWgkPV!IT`FG}ope;sWv~~%=T^?=6a!<;%=o0o-
z6Dnoq@h*FPYG%oYzY?Oo?FYre^S9)BZx{Q4PotqV`1)61Sl+3#JQyEb44g{xkfa{r
zTKHXO#pIozN=!y$EW55-5EgTG2n92tSio@;WfK>vGlHQq+M-Tme=$%qn$4$K?=o2v
zi&2>BQAP<DS27=v&Lt1mkB=4GG0&__{)`-VivH_frYJ#@;U}+fclWaPVj~@qS{%*K
zDDjM?^*hi#G=;7T$&hqWtgLj2F{u&@r9)FpiB1utA|Z*17A8WW3b-Rug~L+#8*X6)
zR{i{EJi+<YaI{9SO4>1xGASe#{^5#$mBHIMDP*=tv(sNBoxRe&>f!)Z7XncP6TIJ%
zyekDiG*#{1<oUK4q<(2C)7-#s$SUZRuL=zSOs?@Y$YwX4?LV(eS;*KbwS35TRaK<+
zafsfea;GDut(xA^dy=2g?cC7*-etpT3Xe3KyBMw_(ezqz!P3w-_;s#mZr9Hf>V_wl
z2T@sgng`qv_BLG0jBDlY;#U9r{QH1^A9|#Aj6JxR_y^3!K$RTJLkx<+ptm|p4!G-t
zIP5;YA9*c&$0<Z}a*|DC_3EC?B2cP*AuO-K78?Z1=cK2mixc)uanpo-Li^EV4nx|R
zlej-!#+Vk<IT64JW)um5WBq(S>_xzezoWTGYCxWi9QGE}Tm4=9d!2u8@b67ahb_>d
z%ca8vU>Z7XkuTvK!lJ3m++p2edVDjm68qAQ%v7b6)O9KKA#*RWozY-VO|FBNIAS|)
z1w6(Do4<a*%*t_THY#00;=ejms#v_w<~+pAzPeZh0)Tq9LHzLiB}RrX(HRtyt)B<_
z9p+|FQz`LP6z6iDJqi5)ol&=W0_+GF5nziwL0K&<CTM|7W7IA-J3PGQs~~=$tujww
zNQpK!{q18_bf&DpABfJ#lOF-P4QfV^+N}0DSLBa$MfmD5ck>Ff$;a<_-lYT=$^L+b
zNYv$_2|OX$yI;aUIQ&{Mae;lr&OKWmQ-()yLdGl09XV<&xyIlKa*JQ;mDP{8&3`9z
zLb2zvhMefMJ1MZl#;NHg7PKs6{Ty084HQGmfAgd@%ybiQIvC!D%Opo=B8{Nd%zXMW
zvXQ=ZQKyR)=(kKE_y{QW5aj%>s2E+MghNa8I*TO&N7udv)hDstlvH0M!`7XricAhq
znk!=Z-f!b=5QGOSFZ0-ngRkm23;%N7mm3YxB|?1|>|<0~qX_l$x>ZLkH=H-p5>~e;
zm#fp!+=LaOtPJ%vxaFCzsd5rNm|5<2TW)fna;yOFgkngZjFEcm1C=~W5@DTfN*i-o
zP>Ct`fG=Xdc}P`0T_qg{32rVkqn4CKAOrp6O#Q&7>uE1yvf(-T2=|mD=K-n+n4(~h
zxE--^8~;juS(h#t&R_2WVsGz*FvTgtEEd9)Z&$()5~H>WXL7lkeyV_pR!+qhiRP}E
zd5V}F8VE7NZqeP)MVHKqO>e=t^$nepEDTRmP6>|FdrS3B2ZmTh^N&OZsIk=M{I8r~
zjL1~#F;nR>U21C2j3g1Yv>dB`X=K_%nBWe5fvOKtW2xnTy)O_`U%#O%R@YJ;TouXk
zIAKE2UU9vMA<3#cHmj~!1g5ULmc2x{9=m^)3^R6ryZP;S*8H}2@T&k-8ZRX<gn6N3
zR)Lm*aSk_e?HBQF2^-Zq+7TwW*h%;)YU&CLOI_)jjQ6LwMzyYNmN-YG>z*S5PwI|L
z)ot%nx5d<*V9p}FxmDY>s+(JD41hS5;(De)np;Kuv?Pe=N<2)H2CI%fkbhtxAG%Vp
ziWtZeZa>HNC^<)JSP_R?<o{vs-2<z<s=WUvmr@Gx6crU~tWR5@X$>^cv{D)<AqgaK
z0x1cFme3NC1Ef8<G&$i?W5tpp*tEqCDx<N36`f9v4mzk<V?~QCqiID&#Tr{wtkg#3
z9kF&gNzVIOd++C(bJF^o_x=6;_|0iI-*eVld+oK?zF(dvs8O?_iwD(;R5m9a?&wu%
z!qzY7nH945t8(l>mS29SPWR1Tx+A~WEDE0bCjB@)?@H>5-t&Ix5waq$?AfH;`ofu4
z_*3=fa{K%7sjws~l7(M-taXO9+OUpztg=w7&v~pX4Qr2y^%0MCVJKFM$2upO*>SYW
zYt1t2rETdNPkVlJcjbZmRvu7Ap=K{zr19*=k<!aic>n9y>NjJD`~_)W4W6yta*2+8
zCfKvk^i@s!CZ}Y2dHQ)akcsiAl_*d#c-&k1C*5KX>nn(Ad>oSZD5@4qPs{y4wTEPy
zS%FUTJ@<8BF>90iR*DwVJ}YmLQ7KlqDVjeN#$)AG{7sVs`pAEu?1bp-9aO`OWb^*=
zImQRZo?gcZ;Y^P<;FMzk`BMfQV=F^vS^cprhV&<%lh%wc=lznzRe~I+s<B?VeCsD5
z>qp63$p#X-len;}&ioWh1EusMs=Ug^-(lc5W8mekf#bZ?imvLYWJ-BZmW|5U^H~L`
zdY{VKoFS+T4KOO{yna(UGHHJ-x?cK{`5}Gd{0r~BLB?{?eP1QTwvuA&aI4qXL{!S-
z^)uoYwM?|cowvHF&l4?X^7P_^;+m%%cX_?u`HYUTBePwi8{st{M>wPGpd+oyBcWdV
z?btNcEsun3b7<$V2dtg7_TWoLRQ9BcNaZTW*e}28xJow2)4SG@|Bx%c4tf3TLdO}m
zmoI!la=BJ7GMp_S*;&QG^ir~bQF*yiJwroYWNIa3cRm#;j1Qbt^QqCruxym2q9)Md
zelF`BHM4(*m%?~G>%t6XUAl_w6Th3e)bE}b^JQ2*On=T0tc?A(JRZsF6m7??#M0MK
zy7rAF{j#kR(odvelDhmev!7+jz1#reE||P};)qnK`|lSE+!r}1+BQuS_5mq?9Y<F?
zdkA_4v4H;c7&8c@S03J7d5FaL$sL{nl^t;ytg<umDgnOgyk7W{VjdxrN0{$^QWc%r
zNRm1#2Qnh7W)~NB$&QU4aNAxC4!Co4J<u+5W)+_%_L&7-#AT3|?eF9MQpX0yu=`}8
z{DI@D)Q`L@)8&*xR3%49iIA%V_hj{obqb_oXgh9-Z_z*EQ5oM=`CZs$7N<tBsSyZM
zBVO8tnBxy~+tukMZ=>^-DKXlQyd*i7WRz?rZd5b8`Aik?s99pqLBLnBG5O?uQVKeo
zI*Z0sr&)Yz9~)@qWfE<Y(5UihQG-7gtYI##3aKLx;3-!|JSoRh!4c27P4VyguNWQC
zZ}W2o`Cp!Prv~e!1a}-=;El-)$puuQGqQ6}6*A9-@bl?2?a!%<GFd($N$RR|LQS%0
z&w3j~@pwpAH7(_yM*UteGRw2;a?g9Wv^2_652q>@YWL8a$DY#j*aCF&nkG6j(yPR&
ztecoR%K&?UlmrUT{Dr&Ge79cu7oqGZJ0)X=tS#rbJ2+3ti$qj1vUw%CDbShbYtj6K
zTAo2=&w?a~``tOZQO^6RL`3Dw(lAb0%I6q_&&2^4;$OcwCauIIot*4(sI1KIkQ+_7
zh<(&-`R1LHEWp>ehR4OYT)MmRC|u>K^M9dzt$zD+^XgC7*;pxZX1}AF{SMPl9aHle
zc$HLhY4)lB&d8+6^aA;`7hM3jQx^ay`(~nl=2vQhPkgoQB!6N|Tq}NF%_yYXnO7*1
zj&5<LP~;U0B3#YbrVHiELNU)Kto$`qEkjziG!<X@OeaS;j867yc*k}5<f%M%P)*3E
zXUB2oW+`{5R4KC6TrTbJxLKH}3)C6iqQ2~S#>=17smPX(No5jWRn<Ox$~Eq|d-fMD
zn}FK~q*}YfgG@!WPN&=ZPniX%0}iH`;UZb77m}0^?^2hm>bs>)xJ804RKKc7_m|ry
zT~nN&KAk4vxmv{n^>?|XQloFdl>0iIa#9V)nRor`S*MJuFf@>}%s|ehX&P@inJk*e
zde^9zz2y{X9hXMxq*dakby`LeDT_dYAC+ZvDp&qpsr>5CPLAYZfv3v;cKK6fuUu-Z
zFS?v3PbFblRR3CLz+(UXt$FuJlT(uvO#XMhE$2M)Af@w+9vP3nG))hJ;)<e6eae3O
zcPQKLC_Aa!g|ve_x1UmP4N>i2f#>sU%vZgkI*z%nuKuzIsBF1P{f#m8b$)m^Dbemo
zU9J{O#&|hWRdwTy6y8n-K-HLex2H~0_mkNE-8|h-zU{baVK2>N+f}4|=aj2M>pR$o
z1I_>PAF4Qq#oKR|uA0dS4JY;5EcaJR_)!sF$L!RZwz+-TDcPiu&5PgZa$)OBwuL(0
z<4mf}_^!lI@<E0#hJ(-{#f4oFUEGIdgD6eZQlff&VwxE@1D@&=Z(ymXXP$4;ZQ$Sq
zWRgW}Ar3jH`@Abc38^e#<1gvq(|39jSr-X@b%w5cp2bhHD0ulFo!R8>-7;_-U@x6v
zuIym(?jM;=Xi3KH=zpb$^Mn3*=y^MspWOUZ+0Ui*9D50IPB?z93iAHeIrn|wfF1}$
z=YKja=;<^6;Am3Wl(EocQ^rDBnsIGOc_ci={rEjn3DhX~onNWxiA-^2w_WxNwo;$=
zF<|atz}&UFvg^K;UFh4RCnJm1OulRn6l9)0^PL~L^=XflkZtEZ+SQjj(exhH6Kczg
z2(5Iksa@^uFi3i#9R|8^RmwLrOzM&EC%XIJrAB08REkZzOc#EWOr+G$r_X%SJRT+%
zJ5!>vJ?FvRM>DB%dk2dZf+4PUi7)FnYKY`Im-sUw?)bnSCi1W9TC6jDVb@FE&!YKi
z)woBdOM70Lrp5rDBS-XVVNb|SFH57sO%)6gw3=I}Tl?kr)%f|oO5(5F#pGd+Lq5c^
zk>>3F{-i1n8R}Ht%uIc{*lQGx|2ebv8|Xzs3ID|;e4L@epYY>!Jt-2tK9uk!frM9^
zgunQGFX0D&M#4`qyACBhWD;H#O1L<6!rzrOpfAUdO4qpC$?-aqaG@{Zw@bp6dRk8%
zmHyt;QR#2xD^t|>n6G*ikPDP4E9r$@+|-qJzbE76gSyjRrXLwprSt`v&+3M?={Xvf
zdYDjgKI(Cn1v%;+QaVndaCRKs>Z~`VHRj3m)tu+ww{{RSPfF)5b>jYeN$t8P_1{i^
zpB%=?gU<9&X30AZC+MyV;Tbd_Crf;_UY@94zSXNvgGto+6XYDfKJ%LG{NZXY$L@A+
zP_hM!o`XM=n*kj;+dnWgAu*1B-xNFqcIS2}*Es4VeY>2aRN&$#_Hkk9+v=?Sf}am_
zlyf4ZV=*~Y$KUE6++=kRPBOh)W|CZ3yZ6XenI);KYuR^S_6?=1(pB~)xgyzzjUuBj
z!aC9!9rO7rx{IcFsC!rU$rJhVRJ|<3o<5UBlYD7AzR_Zm;3;)6K~_5%ynM_UkhsOY
z9=-C6{P|?LkEeS*InTi~xiCFdIO-2YpHhF8z0wgqhUl(L^#uA8W@bbbr6h3jN#Rf0
z{edB_u(C+Y=y=DD4-9?qgE?r$)Z1~_%NO$f<q4W_GX!tVV^e8fr3;rgI=Q#t%k(XH
z$!TM+y148--6N71{wmg-mF;f#X)HMhQco4aWJEf*i}#y3PXYOEp5q=`{L^P{>2#lR
zF*nukTd>ZNH<Xlj?t{GGt^VDWXE=a5t?VO>TX|B7?`QRq+yXgy`Z`6XkK`_*FFEtX
z2`PPYB01Wv_LEsq59+`8%eOPCD)Hqsw;;KPxM5H6s^Xi9cPEQi7S}}YpZ3(BY-?rt
z{WAosD|Ww9vHPddD}G05j4%JraMqdSKSBMye@xi3etF@0x=7lxqPzbP-Tg`_8j_O-
z%6B}OQGVU8I{rYT8oy?3ac%M1;#-Svdvec)nU4Hlo}`Y6J|y@`Z^P)or>w25r7hpC
zxM@*|-Lhdrdn{qMbPzV!ZFS8XV|Jb<&MVkDtzb@kYrfsycvsB%b;X20{Q8!Tc!S;C
zlCaxibq)50#&}FtkLu%3XMMb-{tl(cZfb0As!P;wN-4Lgu6>j36Hc_W*y|fN&J<z0
zv@TI+ES_t7A7iJhPs@qXekt1?C08zq>CE~iQ_FcqIkHM_YtSF<v5if!=7e3}($?0|
znus+_uof?0UTQ5Wu83L_#N~4*Smn4X*5;`3GBRyuVfzHDqG2>gWGD<0i^ev`;`X#r
zG9Jgyo7R4XPlf9jQy#Icn^gL?^0iYMGwoGvEzKM4J7U{zFfojLYg^04wz?*}vB536
zpzzXITQfGb#p1EL_L#jn*4EzG(mWR<XHFykR%KmlYa^;FmfLj=4Q;XZc5NO0Tdj;W
z={a)kiMm8%y(b%%v*+8Dv8I-`ZFXW?tFMfUtE!?ECB-!r%a<vQ>Ex<!uC6JooM5Hn
zuWY`fxn)Z;rZrI8X)jw7c6;6CSc6o*M$hxu6{ke3>TT_bSd(AGln(-1?P(OL{wz;y
zinXn5kF`~!OzLt)gDyvrL#VjE9^crF%^O;L#i#0R+^?skr6Fb~VptV$r>@_tCs-ao
z*ak?ZU`~MFRJYY`t=kyW1)}+Oo<@~*Ww_GU))Gq1v?oU&{9tOM`N7m2ewy@@v&YDv
z;s;X<<WKQ~DUO-H^>{w0F6d7xrRl)jvT@QYjkU&_8)D7%+gz4v)6)uOT`LttiaUk5
zqF>dYB^^zz{(9wf2u}Pew*jWo?^Q5U51XhS0l{hQTE@q>^OnW7TwPkN`U!_$Qnk{q
zZjHqn0$e&C6ThsvZhbsvM`zn5b@iLPG#q|KL#!@t(_Kh4Zt?oJX$?C4;td-bn;R3`
z?54W*JA4*8{K~q<W;?M-4J55?jV*1+ikRWwTvlx@TW%GvsJzZDjkVX$^m-cc7~Z5V
zR<?A|`z|Y9R%&lB-HdXlv_c<m#d3QK>SIbM#H(2q_2Pzjt2~bQ#nD+(yrR^uuB!03
z!lS9%)uk1SuJ+|sj1gW5xg_~^ydB^=@f?kQrtqpu?c&zfcw;?Xr1Y`Q$B9?k*cPi#
zkZfg%%Tzqmr)`MWZFCu83mx=|<<^Q-R(V}>1Erf#W$bGS+OMXMm*{@C+Nu{Vj>lWJ
z*bTAu9X{QXDn0C?mbUs>8lH~V+|oRwF5bGSuDPQL(@ebTO?7S5MCqMWQ89opqG+8}
zZH=3mXu$DR6T{Owo2W{8SJ-uJ+S;JbhS=stY-);0a*oaw9nHFWw=~=B@mQ?Y$D>iy
zH&V5U!Kh>0=cK1Q?UI(Zm_6ID9GxjgsfESWWfLrACi!buV@G{mJg(hpIRzR<D_`|T
zvsYXAi#ZmqmHub;YL%FyuCX~0QxgwUNR~5}HPB$%8e0=iv(zKO!p4NOuDlLiJFXC|
zlCM0Ovs_{2$*koHGcGmK_N|KMI+b7bLyuST)ponMiiUP3IL5eZ=={{6XWvxU)~IT%
zk`&`48DpF^Yj$DfLTlFh=J4;Fg2Kx3yR6yQ&Jmcv*eiW&gRSQ*=&o+u*j$(BX!H6X
z?JAF9YxAAL@H13~T*k7Jl5)Geq0L@VU2IpjG<3u}l;5mnbxmRQDv@b3=V11tP#bcJ
zN|lDSroN@ARVF#HhPBq3_6D2T&su9mj82cT3HDjIp`egn%XOcx-HFy|@s6cqa+$@b
zn&-~B99x|JusYVJD!VQ=-GWxc+T)E)6g{0tY@@G6Q=2AO*GgGjcdaT4{(0YQ{<&KI
zu_i?qsQJLDr5g7e+-`8S!2*M}LCfITB|6@5g9i<^8k}QrlEG6ITK-Xk+YPQZSZ=Vu
zpykkwoyu6>Kc8PpCiuL0iN-IO-v<qT)!^d>H#D|2-8QY^Hfbv}*Ecp>Th>cS$yBzT
zPL}>x8c(8yx;%3xD-<<fR_h=UX>4v~QKc6|nj<5Qa9C`4tktEJ#nv+UXXUb`%a*TN
zX3@*kw{Ej0EUH*hNqwiYb4Nn2bg3I1)C|uIKTCS$l9twOOp_CvS^@)%>b2CmC)h|N
zx@BudppkeCr`h;Y(#|#O1aX(&F;bWD!sfboqpSklb?1gU`fla7dOZk=k5qr4)mdfD
ziMDO6E%ar!4EAoi(%;GaHOQYe%Moz+cCmkz;hF35m#amu6U`NH`PHMAj!MSioBT@o
zkl#`3y(M+c_N)SXcEPOoS+lO5d-a^Th1Xhb+qO1tZoOk}^W4N-%UOY0&Gq%0_@}+W
zir>}VZixr2`Ym;vk%(<*x7yY_U8Jc;%=z2u>JwILobk<)g@RQdYfH3SiN-suL{o!R
z-@*XU452BOsMA^+8rv)ub*%C&dWrQd?J>c|4cn}?x-C`*6EZ0%t9?_;77;^5Q&USb
zUzK%&6a?!mWg=BqSt&}zc!n>LXlrTO&@QxiV|zmVu*gNcrKPpqinnZRu^M7duUOCQ
z6mt{tm_$?=Y1`PWl1G^u2u(GxN@`ZrEMFeA^Xjj#n`4d4Yx8a9tcyFg&782XqcNV4
z?o2Aqgq7_~6V$IYEv?cpr9rN>i=<}FpRin$=1#Ef8IAe&j2YrMx74f2xN<LbbwkTc
zgwlO#HZ`(3YiEio6PgWm9dTA*svnS8GuSAZF~gLQR>9yU#bv9>{|5Y`(s?6E)WzFd
z(xuZX=_toJh6d8v(ny=9=fUN)BI$6Hb!_;|m_dm<acp}jlN@$@n7FYN&9@s`nlDe-
z9nGz*b5x8wBnE{<&6%f~s4NcZsW`GnAe%-)RFa!T(o`<3e{thxwGklI&GdIla+{G9
zE&6kls*7qbBGzs*2W1sz2KaUrWrkBl=cx{bSk<K66l-X#!&*i$Mb2{yq+sjpf`Th_
zOt&h}!(vHJVrrt~K?^x`(UDO?v?p6JJUOZEL~_NHoDhQ|x<wc%Nl%GvXxvJdrzd-!
zywm2iC&WIfi&DMB!}j`^j20bCB($X>?z9mVMTr}w(sJx(<}I>;z)XY9I5zZ{Qm<z_
zM#WEv?{!<ACk^@nw>-U}O6{oFYotrcSC;47PG^;GGY8JM>1Fb5>8<k9wiM~ckfsNa
z*mPw1w(1ksPKe%8U2U5ds+!{r(L`-k70fe8sDWX!WOc<=B_$PsxXqFu@$S4vW{6wG
zeWre@d0lH=8zm@%v|?))I+-yQ+KWOH((_EcH>W#<*1E(d9ZxzjH;(w;Nh%5>EbMe@
zZUjfTO1f<(2ph#J)ubc^={x8*@RJ+Cmq6Lp*rIAr*vSUc^tbZ}VvTE#mWIm2KsLy{
z9H<gVmB5OYrqKx~=~M}5=~M~0UB5Djf1->9%5bTXwu(4&LP<q&pb%%M@hg>GB@Aqh
z8)Tsyv+FmB<6MtvC(uUy@jNHgG}hl?x+k9lsJLmwE7>cMDTwDRXBc%OI3-wO#@BEJ
z8E#!+e}OOqtMd!1NkgCoNNe$X+AYgPGM@^2x`Z=?paW@Uft20&F#K&uJIxuE=dp3m
z{K|8hNXvjt{|JNOzzlE&Gbfa-E~AD7j1G?Hs3~;^czdP{@y<jrbtjS6(j4E$m>!dr
z-Ih(UW_mg4>tr<2sY!ucF+uN~#^k(Wt{7&H8d}(IqfR-K=u5Pib@RIxsHsDl!C401
zZSVqvf4xY{{o3F&2ESqOlLqfMSa0w;gVPMY+2HTrsrCKD;I|Ea(cl9H?=pD1!375M
z4dxnbGIstCYQO%EAO7F<!-b)G`0|w0>Hj!H|6b_#;n43bq2ITMey=sZs|>Em)#<)s
z+QaUP_3wXtx5jG>{>aGv_&u7w-eAPY|Jyq>-K^X680lNVs|loUq3ZQz(kHosO#I!Y
zz9k=L^&LJzRO>{xz8t>j_b)abzOu(=-qs?!xg@3c7uAMO+LYN5V?rSNU}o(vb3VUz
zS>Zc8b;9Rc=!Y2ILO;OpYh!_^4#TVoH4KxZH{n7@aFTdMdwWO9(@l8H_VwAIjFG;N
zY(tk6+a)Wa;SDl2I^fBsADd^R_==~G-&lVHRa-T(%1m*vVi>{0LotT!1&VEPTT4f(
z^BA`3q)<7`v8zKR>c%xkcx{avHzmv#tjeX<Y-SI7i1m3{YhKvGDY}_?_?WUqNV>8$
z<EJXM{G$uTL}O6o>`?Xu)i!{h`TAmMRVA$OWuc`;`cYi7DeI%_qyh=aCa;@FV1vo=
zqQeb)Sxm6ja9AdbQ?*6f(AZwjPHFvyCjQm4jJmjNovIUnwQf49GOt;_bgeNh#E{CY
zSpkMWAC~O%78YE0tv$o8E-#*?e$Or_oa6uP@n>IiZAd~WwEJ{bpke7k4vncq`s_5l
zTxCE`*V9q;mx|B%Ise;vo7G9Q<I-?{;+zxSvrg}8K4kE#YxVC(%<n@6SJkyO)4#Ap
zb7xfQ%+0?tR{fi^5Vvar=j^I7kJZX2m>GDzu7=WCIjZ<x=9ImyGR{(0myt!kt1CsA
zVboQW`U_L)zF~~&Ris<cUL6(3rgq2%7uz4(><U>pI!aX^WExIutc{Bi(w}fx*^1G$
z!r5D$n=c8yz)<6cTu|XYOFZuE|H|Z4dT;WjCjJgxTpXlNE4Y@#Ez!)sSGJ4K<)g<1
ziLX*{ZfNA&8|ff85|C9jD_vTT>Ko0lCU<a3tE*-dmsXWj+8bKhxMY)NQ<^=xSY4B2
zSZG^1z+@8uwH1}cVYSXaIE#e_y}#uRj@5Ndt?^hJ3pdBLx(87X=9rJmBL2QnF?~ET
zg~Q3j9QkL~wU(PJ%QeL3C$AE#Wr14Bu`P%LoO45Ud59Q#X&<yn5}#JD|1--7YvDGQ
zoGoo!(V_6$ypw7fx8=0PY!QT;p*oKf{;2Axv#<EFe_hj(;4pDibeCT$_e|7vqoA9d
z^ebfhQeQ`EZ1DB3Dfoe@iJEtizAt{j2#4>b&)}ItzmK0%zmK0%fA#3mQ+dcqpAMo$
zno78&gwJ`WTyIiE6=k^^IzD&x$Vry)ZSHNfu~F>*IO!-pyFNj#b1y}mVwULY%AU;z
z&leJ3%9&G6Ki~C*qaVI*3c=`ZJqhyN=x#j_{Vb*HL(%>5J-!#+jjtMs@1GeBdOVnI
zaE`%+2Dz;r_+%1So<Enzf5sC6On!v<^8B{QT|kfmnn;kBf$*rBC67-`BJgK2t+x{7
z<sk1MypzCtX)InbWnD^`M!13?_lRc`-bW}Rh~*UodG*0+LLK1_!e+ufga-+qCVY_~
ze}m{pgck|J1o>ki^47^43G$MreT452{zQ<sn%+csh;V|C%fst&!jpulWc~p{CO7+c
z5GLV>FA#1bqi-RjrwC7y*>92A<775TW}{^E@e4sRdOjKb(`5WdMr+9Ez`HE#a~E6I
z*DfLdWc2%ami0ouWv!WISxcE%eB*k{`bx27m6lu9-ODZO&Q+Fm)jG?1w$ZZIC(!>v
zXKXNw6<cj|N(*)Ra%b?70|3(#swt}sJZj;f4k}IOt+(Xl<kApAo1lJK+2{2C)?1k?
z)K;dV-x6zUX}1>1KDTA(F}U8$%1QQju8?yat9n`S(lTp;7)<A0S$7AWtLzg6+upR9
zvsonQky~Q3@fWLiJ77JDRy(dT7Ys(VY3^*rhF3hadq2Zl@d%^Lxd|EQrkok9%MB&w
zMGGYsX1Iw-Pf;lc7Vde4v7Me`tL{f+;?p8?24Ak0ITt-jQgPKuuDV~-6k3Fl0lcVs
z54{ZV_2Hv<Y*r^^vY^s6@s_pd?OMA@_5!I}Y7e@6l+S&P;GK&A!*zqWT<;&JP~|Z~
zs{D+AD&IXQDpYevUEC_!)EIBDYPf3>#{{#ZU#-`ND_a|wkyy)^&(txqV?Eixv{Ys)
z&Z0}KuJ6znpv=^j-oyKx`OE_KW4poq1`iuNZqPE={)m=8Yw(mo>$94E-2C2Uu)xqK
z89eLA89Zokk3lQ+Ssq`gC|eA!F}U8~CWFleL(#2!4gDd5`&zZW&zRro)(z$aN}q92
zg`N3UT6w(8Z7EkW-MU7Nqw0pFwzSGS(Fu&%&iZHUdy;aKf-628$A<fzX)|YCOM_AO
zdV(`9YAhc|zqF`SEs@<8$&XwYmIh=6j(Ni4vOhom;~-xb6wbHm*nE1lRc4;z)2HNo
zdeX`1<~&+qI9)9_T48EA)ft+zEgdH;r(5#tr>o^&KV2>N`stblk{T>i+}B9a>}}@|
zT_vIR6WUth`Z}L=BfDGM%=fabjR~riTzIt>$DFUuMb}F1xw5mClI%&VYqLg4OPfzV
z#L!npYt;Q%Y;H`Luhnu}(R@d%{^r~o5_KVpD-$+T%LS;eY{(W@Ylx0~Nk>~7S5Vvx
zEmKF(7WXU7rPs<1?yhqoPCYH4f9R}Lb4RXq6Bj8Rrbo~MWt&l~_Y&gzdkIR~%vW`p
zsHU+grhKTsl+-oX$KvL@$eOQ8R+r&Ic``+wQSkp<*^DWEf;PZhEGlkW&)wlROQEcD
z4c#h<bKgN<q_tMnH72UJHP>(Av5LmK>f|JPRx08$lcD0~28m*ocIfN9jvid9M=;s!
zkV>ZY%OXyGX`b`Tc-{G_OH}=$lWk_tpr)m&r41jl>=ENu#O~~fwI^nU3A4k5tHXrC
zFu_{R#)s1u<hxGX*DNX;0zZ~-@Fa|(N`UK$Egf7Mj>;WHi4h<u>P>ZV%pS!vRnOyU
zwQ79Xny?m9>UUVn)$O}dxvX5BXk%jRH1Dcdo7y#@#+1mshXU56t~};cQMD;#ycnRV
zYqG70YPtf7nkw8H-$t3Ph}Flq48vYykT5$;xH?QI3=^z{++?T_!{pH-u7+_Z(f7MT
zU$vt;no^K;xVoutRdX3&G<6ZzT{oqWWtdf|IIN~RQP5fnQW`)t59mlERcmV@D{mHa
z6>77Sigvc5J9VN)_SCq#8w*g;=%gb>V%jp>aE;9!T2hldIk{ILhUmg|ekrBF@}`qY
zK~>$i-vrZ@uV8=9SYjxv<OzWw36<q_Z4F!M+G46URmm+y<rOhrC(kscuF0)bdT=lr
z>1BfYR6i3W=}ILFdlGYMpc!IZ7n&%vLC1T6M$&HL1&AUXAeeSS=cQ9qHyN#k-2ZB5
zVIb01{)wcETlp<$YIp)^et*Nv8=p4#6N4`pe8u3K?$q<k=>~5w7&W-cV7<W(gC92d
zX@mb}@COEeYjD_LMw?FOO$IMAc%{MX4K6lVZSYouw;OCX_(6joG1z193kLfP{>b2O
z4F1VrR=c)mioxjyuQga|aD~Bj23rh%z~FrbdklWj;1dRaXz&GtFB^QtU{=D|VQ{L!
zYYg6Ku*KkZgF6lGGnl3tykYWJjGk{9{E@*I4F1vJh`|dxwB5GBSq6&@E;o3a!MhCZ
zG5C3d-!%B7!5<oY!-j_hpEL3QXfSE;ZJV{dR~npWFlz7?gRKU48hqH`L4!{k{Dr|#
z^41>>J#&jr@2v)>8+7Cg&F_T<s}05tZa4S|gP%9}uLhqm=;(7$pIb1<s&fw6esZ>@
zoFfKJGrLXd=9fNGcXy!Fy-PV|_b5%~iv0wOYxZ(_$Uk$oI$Ks|oo-(yoRBiPl;x0W
z*d%k-Lw=NK?vA~mp}uRb?<QK{89~-J#5HG7vRnzoH(XB5N3Uem+KssCc329wjvMr+
z+?><r@3OZlAG5A8C-k-m$WD*luC75g#`LXw=iEadCizWN>ocqf<j=P}gRfSXCWk(b
z*5dNX<0vK~4qxRmg@D6%*8gFVFhA@lhd<}*3zR?3d`;sd^SjmjK4S3TVa+f2hLJP4
z&d8rNd{aNoIb6N06=eTZ?WfB9O*yBxCa9&M9B1mM>GfjN_t>|gH_Bm+E;sk_X;Xl@
ze4Q;@rQUaH<+L3)eeWuuYlO=7nCDS)-sIc{;UqceVjRc={z&MLPcG<cCFhD+>U<}t
zNmYoDI>$2{E34<B<S<qCrMZ^8UXBfAt3-W_zd7k}pPW)RjOC1Lz3<YE_LuZ8zRQ1d
z55alfiYEZ5^Bg0GC@X6g&6s1!zq785meG%J-q)V~I1t0UttOo2`>?H==J9;XUPOnd
zx59jTxUzdBXHm8}^~MP)xb9x1sVK6iAz~JDGj)fV^FqVYC8Nre6VAKXbq^G3+D)vn
z_MpW+vqK%&D#ik5Cz(kvcRb}$GS7VBEo*7xak%zPd})qZ3u`!BWPQ?%y;|BTA?7Ug
z?`&^N*6>XEtF7@Ay`-v7TcwwjyZ*ih?@fWY`*Ow93C}FIxOBCh;nrT$BA1o$5N)b`
zAiHeEisdUfRDs{>?ln&1zI#JUtX-Xi$F{QgaO$lw--Qz&(&O&04F1NTBk()(`>zK7
z%V5SmI$nWYkTY)ll{?FK{_Rbf)_GR;B&*=f1#cR6!MdI08L_NvMYF7eOA0O+ciwv=
zS(z6hGa15f7pNpQ{YK-d-=)UwAvs4r9a^Wgo;?N&jNa`g9V_(N9{T<F{-j;HcOX*5
z&4S1=oW=2*I$M-;Mdv(`BR1>Z1UX0KXic3Vz8AcTa1DW@HESNBgs_+(XNk)R)r6Y~
zb%YpUBjFB06X8w*M{d>*!fwKSgpUzEL6Eb?&l3KbAZL#MM))e>+l22BzDIbP@Dsud
zgx?Z=M|g?wXTtv?{1+i3gZvQWWpWo1-bQ#Q;avoIQ=yz&zK?JnVIE;ALC!JP5Y`gv
z2pb74gbu>{2_GcfOSqr#QNlkGK1=u<;a>?~CVZXnO~Q8w|4w*@@I%5+2rm$RPk5Q|
z7sB5N!-NYm@jKz&gv$ss2v-xXBV11?CM+e~NLWR<nIM0PAVz2;+(Fnv_z+<S;ll*^
zi;@38_!!|cgwGMaK=?Ppw+P=O{E+Z-!mkLwCH$W7XTo0z@^;RQEb0Z}t%P?It{}XZ
za1G&ogzE|O2#X0T2{#kg5N;zh5$+_k6SffUBRoj>1mQD;e<6I4Aa7m&2H|PK4+uXZ
z{G9Lt;dcaHQmoFyIUY7|*>TQlrNeedeswK{gAe=CY3)}{Yrj-=C8l5UUFxB;-zpD1
z$kSt7Yt&cd>5|kXdG+RxOD*Cqv&yVej>K=YN~^5W8?77VbeuZwUh9gtFjkUWyYn~%
z$zIC!A$_5q`Sb*<p{2e<-dMxqeC-Ww?HtVN2mgFu)wAQ8BM&PW4ufpyIYD_AM;!v`
zQBX9=5aB*pP5<A@DACMy46BN8Bf&CzcE-xNZs*N2tZKu4Y1z&C%c6?aWu^MnEkY|<
zURk+(nXTD$*mAYcl`So+E^#UDy#=a@y2~IaAC5VdC-g+cTI4>LDpN8w-7`}_$Ma?J
zn7C@DPgKoD3|&2bWugdO9lGl%Hc!EJ#Ab$=#R)bb*RvhoZa8!8SW_!6$Vk*}49l`%
z>nA%VncJF<v_oc2q%Bo-OGYzQb(k8(sZ_ET?Zj}(U#C1%{G#JDckn=2UcnXIgyK0n
zw{n&(UqmIATVKpV^)ndy#+akfNvou^xTe^rPd(;Q)3~}RUTUhGyikTSe$KreBl3CX
zt-g*Y-t3@YJ&)9?M@H7i?7D<{LQZDkO1oIBKQpglp1y5sQ(Pfd&D><EXTR(sJ05G^
znAnteg-C|$fi?Xyb+hPto=f%Oqi1G)Yb)~2?8VKPPrfL7d)_>|!0zm1HV`BxcsNv>
zVdQ12)MS)5Q3Run;z{fo^8;jyw$`3dC)yHweT=n1OddhCm~VOXx()OYid<kZ&EDMD
z(t#$=SY=nDts`b_W5;}!wSh-VW0+{w%Yws__GT3^?%G$)w~FYJ=F3yZt#~YNeaD9P
zYPVfs-DwxiOF?P1w$Q}qNv~qfqf3$>mrrZI+?sc}b-6XI!I~D|U`^X-6<so8#<cbs
zGf3i+HL7B)nby8`?feN=(GB?7mM4;B*Ia4x{jx5#Ev^cy+hB(0{j}JAZf>ZH)1?@m
zpJ3fUVv?P9O0AJAhcl_es`#cm6ptm26DNDDOBPXc@}!1VQugvb2nz8Et|Hl%_{qzM
zMK)CaEXm%OAL-Di>zb`k9_G%ar=dBvw5?g2r)s=ImqFt;nTuZ`mlN3UmXDHHM!maI
zE0M2r=SCZw?<i|-P!&ZhQ6j3Q2hB+xzoMBpQY99u>J?TZSA<F3OKy4!wQeF~=`WUQ
z`rlJ;t#4_Gd#22t%R4n%HpjwB(_0wIOTdd2n8(qCQbs$^3(NY;!Od{!OE`|-*3|l?
zMqD|{$ycUHY;$8<f?F>3<`!PXrkrgCp1E^5?rl!wEvkr?p^mR9HF*AWIwoolGXz<<
zI&rmH)8s;~9G$+W=ZzRJI=&gE-k|-X<JZun-(Y0QO6AQRb2-?UJNNEUG(ALwN>=~$
z{2o-oB3(B;mwaW&b7RNX^*FtXGap;16eK2T>^GR7ELQXd25SsvW@x!ZSsEWVzxSKp
zx!Ibot>Rwe$Mx^R3pLgnobxxW|Msgi{h|pPuQWK<;4UM7i}`)K!MhB8#Na0le%#1E
zZhn8?;D|}@S%Z#!bBuij5uN@ngNF=`n=`h3ON@TUzCjZ&oqdlPdB?ujjQr78v_JM5
zeDyE-w`1ofW9N!DX?yN6IP_;N_qA)@n4O1ByxWZ(uV?2|M&9w`_Wz~Rt1{@=x5wDG
zIY-;^u)+O*((*qmNNwNuja=A|>Fhgc<R1(9(Xnrr@yBX|j(vxXeOLZe+tY0DOV1hm
zE)Uu_)1))kr1N_A6&d+Y8u@hgz5NB9-Yw5-bnH82>~nrQc=l}z)K>>DGWxGH_(tvf
zh>?Fi`<!$fbnF=a3GE-}w}XzHgAP5<$S*rz$J=1=A%mYc__)Cz8+_5=YX&3Zb^J>W
zp5zZMtB>)Qlg_N!s<%}`1(z!<M=sCEIsP?rW@+QeRfXlQRr-938l9}8cY8?wIwdY+
zMo{k2keo^13{GD9$5YFhLD-Xf)yO&Jq0^OFnND}R@y`_Ff6ZT5$Glv99R3``H}>4r
z*xtxgQOl(I_y6hoCm2uGJ)5jn>q<TMx97`(XZm#8`CVkQpEjLGe6F{q#}oXsQU1BJ
zqeY;uwWa-f>(AemZLm?F3@HB-{>KOZf3E|Xw1fXI0^5|<e<#SZK;iKBlx1jlMK+3J
zZEBB2T_j^uVvEI1YF-^XvyJy4(eccf<q+yw`e_2PO|mP)o^7IyJ}S?a1%6`Nn#Q#=
zq1bA#B|wU*y&sEBHLF0j6D;>UaE{W$CLqUOs*{tiMRrZa>dNSC>NM!K>Y5c5%NE~O
zvV7&T8ogVgSNlbm`1SzU5RldX<?Mi{?Eq&#!`-~_?Nz8GQ~u+vFRJu@ogB2zom(v#
zHVaa-U{nJcCyHug#9eFP8J<ivOLirxSBWyR$ZEN+LG5GcWvXA3-gRK*m|Cx6?AZF*
zyed-#5j54L!<zJs>i3qZ+Hh@M*_|wXL#ox@gh@bRy-o&R*ZvZg<Dn$<0{x9x&$DP|
zeeQFx_NZ@}EOkDZgz~wsz|*@aEID^>m=e^C)oL?9?+9R@yKmqb#41>A_vR^KpXJ7v
zZ^$rHL8K)9JNsKsJ+nWf=aa9Rb?$;U>)+p>r?G9eMo0eae*HW8&0<CBGT3}Z|K4Y7
z{<`@Z-{`!&*~q`qdHHL<*XfOzbe(zVB$FR!e(Tsh>uObgPGPw7;RQzCnLoPng-YJt
zWe|GCyRxod@HWmNGkNCl&f#P?-}@3E&ldJ<A5PZtyXQm0$wOc-*bnxDr@=u`{w{LP
zJ;TY#Z?~*`FdvM9rC=Pa1-ron*b8=p{ony`5bOhUb_^#^fcfAc7zMLAkd1@6U^iF@
z_JUDx0Bitrx`vaTU_Q7PtOa|)PVgw$0}g<F;5o1#%$Y)ba4I+m7J)-x4VZK9a54_&
zf?Z%f*aH@UhrlS<57vUG!8kYsc7l_6KC>Il2YbL$uotWa`@jU)4|anC-~n(D>;rRm
zl7FxW90cQF?nUSUqhKEx2M54zF#2KQft}!Kup1l#`@!6Iksq)W%-=;kuoK)1_Jb#c
z4-SDjyRn;xXM4a}uop~#ePB1(4;}!cAHk18zYl+LNInEMfJNQNfwkZPuoLV9yTKD+
zKX?ut0CRY5br75i4uM5r?fv*2>;&Ur-vjs?%zqF+gFWC7I0#OC5AnbvFlP_(z+5m6
z=7U{e5!eGp!9!pz*bm0R(_kk!1P+2x8~R6)2Zz7``MnpvU4q?U0xbGCdcgdB#FO9P
z<V(>H=7R%Z1DNxV)I%^A+zaM|y<ib|6pVrcU@dqKjDtCs;U{n^*aH@Uy<iR42gbpE
zunWxpBz^^>;0dr7JO}1}3OlBv_tVG={uB8DyZ@Pb1m=H%bf%#nECh4ENWQ>Yum{XJ
zh+n{ba0rZolcy6O%m;H0lP~!V_JV!jQLrBz00+Qx;2@ZDIerAEf_;yZ4w&1AJQxR0
z3;zl1pkEpMHheJm2ztOMcn+)ubC`|9!Kq*;SOj*1HDC`I2YbOTun+73`@uut0N4)}
zeTV+zO7is-@?bA`0PF|*z}jP^!{v_Nf2ZDq@$aJt>;w;igJ3_{_XG6se06_6c7VCh
zU<X(P#=$t)1$KfxU^jRO>;e11Uhp(H1m?^j{<Gu@9OO^)B*0q!0#Gm54ITx1zyYuq
zJO}oHIh;}UgHyo)um~IkYrveJVh7j<_JW=Kaisxp2%OBtm7J55BbX1Cf<<607zGnx
zE!Yjl!2@6?*avolC%_(X5bOi93()rq`WG-4ECh?dDA)})fSu3b2QdCi;(_@C*gFe3
zum+5Saj*yM0{g)pZ~#064ubvQ5O^BQ;g9|e2|iDHJj|aDM!|lt7aTf;Jy-Mlx71Ux
z_IJbwyTL)Q7tAgszb|4R*nI}Sg1unQHKg|k>;XFm$v4;w4uJjOIWYc5?7kNJ|BOGt
zzO&fzKJ@(u_Jf0eAw4kn9O;2YVD=pBc$Iiy-)s048~~4kgWv!-1fBzP{tG*<BR)74
z90a?-{2}rO7J)~>T5tgD1GDE6e;B*L{1N;I)`CaDZtxt~2j*UnJ}?UACMj<)3LXGE
z!G5sc8c9wq!oJLrWE>nkZzOpF>^XlVIe8xXA|uHfF#eX2<N+}Mts}`nuoldj4;`Ee
zc7jD<H&_GqfN^ke@<_4|ESiG+4fyw+BgtAY=UpSoPH^zuBgv!k`{I%0X)qTY0`tMi
z3y25igHf;)tOaYqZZHA%fZbrudq$E2LI?AU$q!g6Xpbbj!2C-_l09J2rO1Kt%aB{h
z?`b2+UNGl!ewSbm*Z}rjIg;!L2f))p2Zz8RaB?Z~??oQW1xvvqumSANCmz^6b0o<%
zQL7hh00+QMa1h)J=3Yg*U>qC(`@qSI$Y%lZz(KGZ?3sl=upc}J=FcYG#pneaz&@}O
z><9OP17I&W2p$E8zyUDlYT|=YFt?oY0*k;Num<b{<AT>xUSRDU<SO8Ug<$@5@WI?7
z>|BCgumS9uPkLbA4cN65I~HIMSX+i%lz8RHf!*L<FuoK!z}(N_w@T!}TCne*N0Nu+
z_rKt8`TZF6Wf^*U;e+un;SaDAJOK9nEA>!*9~?<$FDD*Y2<9ImJ+SZVls8!P4eB!(
zeG+@B&~p^~1iy!0!9nme*nb@RZzR1RVHcSDWAY33f_-4;Pq1eN`30wfLm;oDu%aiB
z1N*@)Z~*K9`+kaj!v7h5t|tD^u^-GoiTz;FFVGA2K8M~K;{Ou8V9o&YVEk9egSF37
ze&7H&c_qJJAYHHrjDrJU7ufx4@+th&=(&mXz#_2!cjOlw0{4Q0gX9;?|0DHT@K4CC
z!rs4<9vFWG`@qh>AqPhP6ThzJ_iLmB4uXAP&IsiQ7G))q@tgU5K{D9~?wgoQcCWFl
zUxU41K~6H+53U3U!Ry|XOir$~xTu&+7J)0k2C(cc$b;XToJ^hoH@z*HJO}OrC$HtM
z99Rhc4Xgn#dwVjO04u@0;0M4%;6H;Wz@LNXz>Ieg|5nSI1r~yrOd&paKbQcoeP=S6
za|?EW`QRon3O)kH!6RTd_+zjad==~m3oar*U@e$KzU~6^!M$J<{0bNc-|{Z(xDCI7
zx$7+JY;H1H3V!U}<QtrIG5W!i;307Pd&m!VeH=UlJ`bJ%&w=N_@izHE-^E}dxB{#J
zJHZ6_D7Y7V0z3qs0#AVVTmt<L_~0RM=2Yn5m%wvi;WYHdEo&WE2!0K$0rRJ$7kv2g
zWU>b=&!e2dhptE_2f%?VlgS})Sw8t|;{7`_C|7V7SPT9M>;%ha5+6JS_JJ2&MSO5O
zI0XIy%xxz90^);bz*_LuS;Pll1be`$*~AB515bndug3o^mi03*AH1j#yTL_Z0(=VG
z3r4OX-(V+r0{jDb4lKHse79QG=fOho;yJ_zTfqeQIJg&#Tt|HH7VrdkaS`#sar~9*
z+&eAnyI?6;KA&<29|60;`8N;`d<7f;Ke8a1%x<Gzfm6Z%087D(i>VLbxP`<6pDU%l
zf!CH%-@v2bAo%%3<hPxCF2-K)F|Y<)R*t=3FSr++P(iw&wUl(h8gK}F6wFOfE?^P3
zI*OmcyTMNID_{@!_R3`PC>RA#gU^H69qipM!)~w;ECnA0<KR=vNf#Uf4}tkr_zCO<
zhrq{fB;IE3!L6WufCs=hc&vu}f(urXU$7PI2Tz0Nz?z#VpDna6un>F<tN|}xg}vYk
zum}7u*at3IO@6@_!6D(_On$f04}zuO%v<m?*aLQfBj5orzJ~nDZ}2quNG<u@Mn2bK
zH+T{(1qZ<f(7KiQ;FoU0Zg9go><0g%4!gnVdhEW7{DFmFX+3t)zP|=$*HQn#so?Ae
z^nx3}2Jj)U3+x3CfJ5L>aC!{8z{kOy_0)GTAAAjrf^XS?Kf(E6H@E`q1vh~G;N9RL
z_z;*=Pdx(j!N<WU_$(L)e*<=d7i}ayI2-H-Zv_XzRxqc*vOWpsgS}uBd;*Mv$H8v!
zH()P#4(tan+C+S?5X_0uj=+2{0Y<@3f?OrEdckh+DX<s(8Q2fL2o8d;fH@mzCym4h
z-wsB>=^*z6t!u$<a1q!G-URl88^A$uGnli{vUY;`;45GhoP0a+!P#IpSPS-oJHdYN
zAUFs<2j*;|e**KtSHLKE=^exemw?^iX0R9R0{g*-z(H^XoZN`Laq0!Q0;~ZWzy#O^
z?gh7lhrj{w1X$Qay#m*PlW%8S1Pj5>gEinGFae$d_k!b_i4PWnC%}c^Ij{<xOn<)~
zECjy-)_|{o3D9ogH}!QZm;eued%;2Q5ICikc%Ag4cOnNq1}4Ch;0f^34$=W@H<Qi>
zs9#%<2fN=-KLftT-`(v3OFu~c1`pkXf4~QJ;2-dwoy5DFdUPNC6ZrNAXcyo;4-yZ&
z_@l%F*YBlWfM5AI@xTS2B;E(n2cE#r?||pP*M$Cl+C>j`fSbV@@Bo+qkAQo@0q_v`
z8h8TC`84sti@?d`ClA~UUJD)qd%+^o%Y7KTz{zw8^2xYsg_W^&QpUS-&L6)g<NQfN
z&n3*cV>tO<5ip<B^1Lq&zQ`Y5Gn{PA;!9-GqR5mb7f#$Ve!F$UMb}?>_0&s6g~Tr<
zoI-Do5X?vDwS<$<-|7%Sp(h9;AEtLhKa+xf0Q%V!^gigXrl6mIZpBCIAA~$U1wA{1
zdt)i+xzMMipcg{7Q_!Q(^HR_opckZ|cS4_&g1#5}f)w;#=;bNsN1<1xpbtP_4gE6l
zhxv&A&p~fZLC?u#z6AYUjxZ?lQ=#ukAzuXjQRv}vtbu+o1w9V^a0+@C^dr#2^{2<k
zhv|om{xH2Cy4Vw@pN76a1$_wmz7+Jy)OX2mSWiB5@lTju3VnMDdM)&=Dd-94;{ULo
zZs?m*&<{XgmxA60UCKAC=LGbs6!byp<<QR$m2Y;ou5V#_F7!Dm<O`t}q@YKk=Rwa4
z>2EOlr}*gkeD8!V_FO6Sg^@|!nZ=PQJF`k7_Kxh^B2$VZlNLtCn>ZrhYveCWA-_5#
zFMZd5k$;ECqisj#N>`uohsNMbdb#Im`xx$3{GDRoj;tjSd;J8JTybQ4`9xvr{xXXE
zF7i_#1ky9|OC$C=M_l)R$VvTrlgOEm*wby|&lB2>V(%SKItEXL)C>Pn;;H<5`YR%K
zWn@Z8WD@46e)|M+2a%gDdd83&Lhdkfi;Uck%*7G=wh2m+ldmFpQ^(O?BUdGI6~S`4
zW5Sc<?J0_?KQg{_VllrKnO`EU>}eqW+0l06$C`j&x{-Soxk)Of{-+c;VB&WPiF)#2
z=EBI72eKAM?EAA9M)JDPD~=TG99JBfv*Y|5BUKdgoJEm>;z%9>2oiy6B>mVRdge3@
zCodE|<|FiMDt-a<h(iR0o(nxMBwq-<5V{SWWz490dsC!f+k}WsMZxi;yU5g!T14Z-
z+eEze^uLmi2P7Z&XO%_l?rhB6d0uIxV8^&6kp-DcC#Vb*`!Y~AG4saJ)MBGv`MDqc
zTbqZIv&1g1+^Zw@&90xN9-TvO&+Evk{L}azMeZWeXFftNgnkgZYF9pb6#8N4sCPe7
zuN#c~)k4Lt9hnu8g1X40#ne~P*9HH0D4x)JpdW)yHFZBiKLq_q3VJ_uNx#OG*5!B_
zy45nAe2>uSU2Y*=Y2QQ8$3uUgl!xc9Wf8m9ZQl!xgGE070-1LXCpYk2+NWvXRgqH}
z(lb!^C(#llF=Pp~$gf5|E(A}%l3(SPh%j|K=|+AZ@+CqD$~QaWD*wnGK`!i<e&~mx
z=SY0>5&6^552lbGg8pa<`s4|WmnrD^(8a!NM>#0^OQG+9?k{(t*FxU~on+jP(B+}?
z?a=-0JPN%V`c~)-B2D|aU)o1^R!PL(DeYs&c}pS%w@irS(JXMcZr6(@)<p8?wn`m>
z#N{LU2GA$=CWPSWqXrm#Rgnd&Li(0WYzihIarsC;m``0ehQ51+&=%|mH~IU)TU9^k
z^ok;FNuJ`wpTfO{2Id`N&lvq!X=G1E)_-M8h|HmH3w3416RB+}=#q@8cPB{4ZXZro
z3t_3)SuW!$ZrhQ)%GX^BTk@4ng{eZmQQ86h`vZ&v^h<P~-PwzzU&4kR<Fd*#lxN&7
zRidl8e<|^|CpafF{aSY>rD4+Bs#_90;jI(bx!=nsmb%|7R11@O(T$$G&BICEf|Pny
zzYajRL-az}ebA>s-zlQ_)65^JFFUd`sVJrkE}M9Z^HtZ^bHr;U-c>pY^{=F#!+^XC
zdbnLpg}yxny$Jf&6!aSCqCc!B4t*2!aQ?cWuS-Gifxa5L9kTO~k@vSBvA^HQhuh(4
z=vC+m(}$p!L-*?uzfNW#Tmbz>N!RO#m}j(Vr!vtfnYhg9l0-_Cle{ln^7l4H(f_Fa
zAG-KswUE%aBeN<}kjaFlBr;yo>w<p}zH0YgdbH|0Nl#B~7EWYFXy!PgM(S-J@y-x$
zu4zyH@wCjVx1XRHNuNQ*rE*gfWzftg{*c7qI-LA#u>Zd?vOPQNg^WP<RDY7s#NqH=
z%)g`nz4puaZRQ~*?mT2g<m|YtSF_W!U!sd&I?=a}dq*E<Ue36LUovSHdP+GJQV;wo
zJBO1^eAj-fpj*hS(=$CGYCjxBZXI$7)Ba4q>Gg9fBL%AULUB7z9bL^EcsGZ&pL;sj
z3C;8WO_2q+x=tvCm5<zE<a&etre65xFN-6mva*(CrkSfqJx!p;{s`y7lAiepy&HNS
z^mjT$Q0NDs7eH6`8D13ZgT5O2cB$B@%7gjT&T-{3FI*g1kX14+WpPAR|0DGw=gqW#
z?%%Lo<M#vklL^_BMau6bN?h4hg#1b5uM&Cl5qoQ(pM{?75J92Gp`U>s?iaeCpGqO$
zWAyvwCEtgjA4gu^c_H;?)HqV^*286y<M(7_y*>3nvY4!hzU;Tq-v41Zd9$fMMj!b$
z^}5W}w>olmdq(E>a3pm-G%l&Bl9Xu;`l|L0Cl~YGDmU#tj`vv2NO}qQ+u`p_Hx8<D
zQ}g-qNLAKF>8&^QAALtYKAilMq!%6ss@!p4G2^EDqgEHADwk|FFj_w`oSZ4~@uz^;
znF~EHI-EQuvR?g)x_)7qVb&ehk?mj4%o<0npM&us$4Gyp${&4mNGDuhx}aA<57(C-
z=;hG;<u7^;L0^!9-f#4W<xfK|Kt4R~3_;I>9v&AalZc&yo)3KrbmbuIkdN3?%0H7r
z^g`&h(8oi+Q3SnyWz2D;0nxq06MN5yLqhetLe_hp-&aKT@5spdtoVKOM5$t8=GRje
z2u)t>8zP;<pBhebyfdoaw7WH>bRw(wC2HV6j3`#23~)WeNt&Vik@^yaJ|6l#!FEKi
zYub@luNO-@Vl+)*wO)CPz8>_IbDwTeP@gy6cz(E<b?+}ysxu2187~J#-^0Vn$Hi)|
zonRmHB__gVzO;Da-M;T4%SZAp_i2w2-!vVUF86DXKyOtP{g3!p?%PiJr{Uz&LR#*w
zmss~_K1^a}xwMGnvs70gViIpJ@eUI2e95<0Z}3@GW`{OS?Yv}my2F#Qub+6k_75k^
zMUnZ4-KWJq=yVhAN9aS)k3qk}rRsc6W?_2@dbmC2Lq7>U+`dYoA5S4)3tja4<)@NX
z0=n2EWi0vIk=ewszhq(=|1O=#qzJOu*Mr;{<oxSziE{}0S?I?^vDYu9+7DSAscJ}B
zEu4)5@pm>GbFH5rPS*3?=Wp6+o9pdjHDjkS;&~Z2#6G#N{3!9l{h8cfJ_0@LKe^9*
z7`opdqDSsGA50-H_nk$5xZjfd&-<Z=`ysgxy$^c0e#-smJ<$Drl=dL^rA7V#-^1-;
zF*DSde<P=Y38*creBBe|6QziW%6RU#emhuCZ;IGipJMu`=L@2nkN7!`{JuwrlN{%8
zK<Bmx_6N6!pG|wf(~&8q=7;jL+|NEmyzn|&?rWcf?(c`hpK^a&<iq}#``jWQ?(eg4
z%yH;44Rt=ENA7(egB~ugLg+_Q=$HH9hoOi4-vIp}^c+VyDEd30KMFm3-murmhud*4
z^fM{+9EC3V4eJ>&@_s#14(FiT|1zBXqu3Mb2bV_<W@LWBU+_y+cBI|qlfX&h{aWHt
zeh+4HB<A0T^!oQ3*~I$-z5A0)2A*OkvY+M0Gi*^jOYQlgG;q<^iN39mdHwOId7P&&
zO8?$DRzntl_M`6%`q=hxKSDnZ{S<Vmv)1Cs{)`5_A1e3mUxhwh=rrv*3=?^|hd=2H
zqx;2t=y}k?^{N!Q4Lw{><R1T&6m+@QFZ%uRQZ91Oe?0WRi9M9dsC7(bWL@TS!R;Bb
z_bBm>6VH}-=2HvGa{?!!e_Cj%^hqOUQzEdTv_v|(0A&#kGLKD#z|tv>N_qZZN-yWB
zGLK#F&cjoW_v^C0B=gusX=+3n-OHSkG)&Y>etJpo<QIpN&jiy;-R~dI$huXgMd=bO
zo_I%O{F6`hKlAJlQLXBuJQq=Za5(uuaK7Q`_v+)~NNZM+<Y)9Upj5RNT+ba@#^W!0
z=MXzGsd$nYA1Sv^`1|17LNFi6=U(Xhq5t0~w{G;GL;orC%X|K;O1Ion=W|`w=U%7W
z#0zN(?)6Gl`$3);+4FC~^|1Iso*&r<UEWLRt6!d--nmC<WP3)|_s24{c;cpTdCT)B
zTfh2$uDqi*{r}g}mv<cgG5CP{k$iU9v|s4|H_E#c{io4C>FdMEA4t7^{qoKp%Z-aB
zW^Np_z*qadtlMqFCG5`}W}iaR_xg#{<+v_$V2oDF8g^|U0U1Y*qJR50{?C+SDf;BO
zq9czFCm#}f={No7vP>x1l(S2miO|xCnGXhk6NgVOp%y(;`qI}2c}^)0KGPESBl(f%
zmI|QTGSHB|e_Uig+JD}+II=Fw%1*V6G8#qSY4lk~hLiICPM^Ni{q%xNwye`G%T&G!
zFQYzvcQ{FRZ07H)0{xmiHzj=k_$K|GJV!M?1zn!2vQp4{puZ~54@o-aBkko7^s~^9
z2@U^@IwxVbYwf5(Eb}HvEVkTXY%xR5sBvv7Dkt;LI_$Yt^n2?s_5;_r3ogk|5pr9R
z3(xmzptnM2nWE+uRd`4A%5z~Nze?z8-BZnqr*z`&{JU)8BIUydSbLE>h}`w2{`t#a
zo%ed<kj%4gO<7(`CT4P!ouVLR^<wsaNoUuS=Da>s&)2J*mbvAMsFgoW%U>x9Jil;W
zSRI*CrgvrYVbvhF=kL(lW#nH^Z!dED{tmqZM*j8mW-|fY|99vuH1cEVt-%kq$UTbQ
zg{B<M{yhDj*)LY-N~ILxKd@U&%l4mlmrl(5aHOClNTfQU_mHH2lzL~{^C-R4j~(MG
zB1hP&Tr_$gS{=zZpl1j@o1WqxMixIp{Y<EyEs31HAS)^Z!{}|Ml8LIzCehHopVYJ>
zR5x5sf57v7pEG_KHLqP3IXEdZ8fvk+o=W@!#NYn?;pB_sw4EkC-ZJNyOWEIlmcxd?
zwAEX;$n%Z`KN?Q{BACzA{T~MmH7T>H=XK(Ld2aH^37%8qJL?Ij|3ROzhyEw?R;+oF
z-sUM*J^ieDo?+i0vS7z~JF~m9?$6ZcALyCG^MY#sMfC^uZhMpdr3ZdF{A@|be1v`o
z`U2?ZIYdzC{YGDyej0iK^5cE-GA;~3&x2kT>}S0FHLstkj2x#j{Vu&@L|>GQ<o#?o
zxg_Z4RO38*S(#aTQg2(9Ne3nR<ayFOo@bQzVf*T*XP>vvA7wsXnvtq@5>-CAghBL`
zKgT#I`jo%3R%IBEOS$IIpm+UpIQdi4uKeezauP=rb&i{Lgoa>#aV>@QlKH_=uB20g
z9{c(9<72|`!{yoyeG2iy<tNX}PD(+S=V!;Kpr3$lK@ab93_^ePSHsCmU^^eFH`(vi
z`u+P!;{ROeqJN_Zry6Hd-bYxK_C7)!eR=5H64d9lo0RtvT7%76;_?x@`_Q)<eI-KJ
z5SernWhwo|3Fv#ECxy<wYj<XudmbP4-&3HE-KA!e<+265GpjpOumAHok9c9U-hAl0
zpkFBUXT=zL*?8X*(kuRy=ag5U8ctqn;-~Jnmqd=(nTMp?ev+I&#l}fLUC1-ky=V2-
zqvXo!B=n(g&aa1)Pl-OS|MuF4*M8N046Qd+Cr$lL(W@_<nEBmQ7s(`XK9YXX4E*t%
z;pDTgpMDklH?O5kze4sKQm22{80i<1ejn+d{4LMpia}oeWR7S0VJ@R(ekPJv<(u?1
zAS%yuZ$CYp{C;pg?DbP#zf!@D%NJAHw|rvOW2whOb)YKsvz7z3GcOJ&*=BV=LYH@4
zpM@T7=iNp=+%Ft}ehT?8y$|}y5Iq<DC!imPE@@fZ8Ib!1PT#NcZ}@Sy+-M)E_wiOR
zlHE)GM_(vpe)&(Swm&3IK2ksA`Sz2)=Xq^69j+ieAop8G-CL}PRHYtu>0dvZvfhyX
zH&Zh7dA8(zfb{3QWbVDmz8}jJp`U}k06NVlupgLHK>LI~LFncq@>8K#LBGTyf)cj~
z`X=aQLTCPK#tU`N$U8sN2j+!{#F5{He5J@UZ}7`+^Y=@#1ulD2h)KKy#M@829TJaS
zb#w2I`yu+&%H23uYi|+K^R5Bny-K{$zJfPzDy3C&)|E$z_*O-3{M=di;}65hFABwL
zU%~kIhvJ)qm8nFjCH^tu%W&jdFJL#f|MXFc%AdS{;5c&YM9xdc8y94slIgMEOz}$}
z@m?ifVyt+#1mjIc_8jpRygYh8K4&)d1$ww$PK90oJ>33^py#EKuYqo-kdH&30^Mng
zVz&6H3;HDJ*9gH|SFzsI7q>WaQu7LV&w`}q%@;Si?OO8H4`1x}?<WZTG<3<Y^bO7@
z%9kPN<<MVA*AIH*2Q?+DC-rnq-(RamU-W9q<B!8h`8y@Pa`f&ma_u$q9_ovK6~1I5
zcS{146%#YR9HgL5^3jX_Ie#{O;<tPX2}hx?gT6}$Yo&eApY6z!_OXDu8Jm;pUTTRP
zER~xd2M`@1-eKbXHeLR`{YBP48Fxiq%~%xKo>>{$mANFchp>-}y!$zYJ)2Pjk3C2(
zZ0;iLA?)Ll;{MDIcsHi(rb;JfHDsiT)k-YM3m++`1CmMJbMX@)c<saU>vDSO1YY!S
z(w9wK9ipg%^-@&GdpGu=?_pC;W*$QG^50{MGW30rX-H@ZYA$q3|6W9eJ@Xglxkk^Z
zeG1Qir6~IWei*%aESp%7lCBP1Q_71MlwagMA-m3TZ#|ek`4~06ERGx>pZTqn1)=-r
zz39wg!>9bO+{=-Meyh9h=IQg=1M?Xv)^vvpj9L#%uF`Camru+p%o>Bggew>3Y(kYk
zb}jf%_HSRmo=QHmE|hu6=$W3%Xg*mxhrT1c-=v1`G7c??Oj#4L>0lY<7s*(^V7c3`
zNV}f;KISXP|5(yr@A@UxJaajtY*w#IKW*MKk2#q`o#ap6-_klVoP6YFeo(*1tVjDY
zvUcB`sv;4W&t$?0^c`O{l6*{2^gohUc`wYS)g#H@NPSV~muf!3<bTxtl*})sF(3cz
zIDhB3?(^=?ejw|?Of?TEorAtxMv@ugAFuyrb(HlVoP$G=9$bH<zfT~4YRyRUcS3@@
zgRbOYX6A<{C_%OS)$3p69<3coe#+Eu|2{Mq+a_d=_;;S!8t2-+w==zHA{`(XpGkmK
ztCag7`d(ejdoF@@(tBj(niVaE>H%E*n0p=bx7$Vn<Dv8)h0u>fzs}fY`VZ=Ze_xB8
zaydwrO(A9sc$$*M5WOv<%Bd4Q$JUJ`zlBccBX;hE-dZ=3tPmox{P|uPIg+_aO;@~p
z$$NSBAb*SOJ3uz`qt%f|FU*>k6)b>4M9v|9q+uj^Pf(tXICT#}l>(Q{y&r5vNxb~I
zjNh9^lJA#%H@kL`?;Y7oBFD3{-kE`A!3*X^h&B*!T_g2FCYI#q0U4jn{c^nH+%I2x
z9vwEW;!s_?N_M~+h;o4V1??lrH%q$e{6@{!Rr}+fZ?`-*vvXXj)XdC!=8**@PmMlu
zCqwZxEVQcnmUBJ*Iq8fD0TWC+Ox4a8N6Is|)60~M+Vs=aSCwxq`t~J8l6Q+f^O5=^
z??19SMv^}fe=u(zqrGQ+b%L%!EY932BsEm(XP@Z*;D~-6f#33x_H_dKr0pZg!$MH)
zONO7%=;meSr_%2XA@?Y9-6E&Tg(U8m^@+b8FVUsqrcU495UkP?UGzmM>@(>5ju6my
zzkYthKVL4${21y;!JTiH%jr6V&;uNjzaI2$`p}3zXAzxzq<tKM-U_{12&Ch0AM&V!
zZW+SVemaf(e&ogX&PVhQK|cw--64WPm-kIAxQBkiN0<ENL!SfvM?z=*KC0bQ8+MFS
z=Pdpf&n^pNWuOx%o+$b{(RU1e4~jm|UpT|8-|0bb)-hdoasIe0IMI>F+W-CN8^441
z2l@M@ZYfWrFUtJ0ABFyT(&CBrp(Iod5kKV4r##X31(kySN9cvnw|9*s$4NToBl(F!
z-+J#z@(z>!sCw<qA6CkF^;8)rN6(1VJWbN+LEpZeBgyyp(h>S0==(oBl4LlO^<Y6O
zql={95B(VQ)h2yY|GfN@e&(H_+?J~Q9)6Fgjc(DGdjs`j*GTful1{4fVZUxg$epx~
z-64|N$S*`i9DQ4Nk0iH=KChpyjM!`R7Am7p=|pawnIThF7F1E|0P&6x@9t6Yyyr0%
zPc#>u(XnV^@SINGXJ&mQ=r8f3yx%M@M3;O|Uch=E`Xj+|#E+xq3G6#(em~`G%gmES
zUjzCM-Zv87Z%VC?ZT15x73%W`RsQHJcwi*(oQe3UANm~V@^>YD{Q_mnb5D`|<1_yp
zoFCk-W(#Z(F)WMToMPs`57K`4PWvv9)uq@!75X~pzc=SEV~h(ov2w|z$4oc<RQ*c=
zeb&c=<stTWL(hYLj_*GE@zaj%>d1l?tf!aMy<0i^LJ^ziv`l9wcJ>qh4Dol!#y9nK
zRQvPRBhkpI3uMD-^!T-eO2<e1k-HFk9v(>^R22P>*jWhu2=wt8{7~(J@wi)_FEjlN
zyICx10^N)m7L`8}#NYEzBgrRC{0C(|;NO4q?5v2i%JOKmnSOmo(KqQcBgyHmJ_alQ
zKAYF?)I^R?QX86(LZ@}!KGkG4)X$<XE?M^4DXm>@AG2Vfjom1VY2OXcLPVp)%X@_P
zqshDqzxc<cWi%8vdi@0`+SR)-x`;RFb0f)1WaGsvw^Z|vO4it!wDc79Yth6gi|=9<
z-^<OyJSM^)fLLZ$<cnC5w?ZTtsW0*#!DGDVu0NQrw-4<3jq|T`^;&grN?()#ww(9j
zag5;4ho{e9uG=$G7p!^kJQo!`=)3gWBl=#aDu<Fcjk}2#n!po&AN-5qbFJN!6Z|TV
zKLCF+e5Sh|KjHC*;Ln7Av7djl$ImTe%!mILKfluB7r~eGr}_EoJbo?wsqob}<=Efm
z@jKxc!GEtm{sxcV1HT-8I{W(IFM`i?Rxf`mz4!z07r=kFpTFAU55b=gf1RJ7xkd?y
ze{&acHpcr5)jGtnKeN>37r~zae|aGO5|>{KzZU*9Ki~LgDzr}cb?{I7`DHt@GN02n
z3R&b1AouPsk0hU#_U+h#T-LWTTtShO_fz(LWhA+R@2=e9?kt{eSmX$boV>sCMdbb>
z_0-W<j=mQ&9WhnEL`}wBRZ;aOo%6Hyziok)rQfHc?Gjxd{pv_k8dUZ<yCk5iUF#A*
z%KI^2;ysX`6@^ZEnGdV9gx>`}et5+9-U#aP9oiJ(AAsKpKV3bR_iKI({&c_oIxqfd
z_@9EG@8@sy_}S&WuMobsPfhwUk3SXum*KOW?%D6NuN3}w#)#hl{|95l?}Go!G2$P9
z|GP2bABF!{_-Fn0WxlL3ApScI|9iZD)9cU4U#50|@UyAlZ+?6v`Dh^iXWjTy;h#P-
zl6<?Lf1~H0QuxooCmGK_)X%#S5&aGDGryC*pX!4DD)D8^b?e7+PyYe<gYeV!b4TI-
z20q)lUi@Y+{%QEHz)x4c*-MCred+4QRQNe#*k1}?@^`5}{k2~D4e+z!KjP<Sep(4g
z8;UbtzWtjc$zSk2`}|A1cBI?xGa@K*dyzYaoV>3o`)xis=`&vQ(mO$V2l_^mp9`e7
z-%W1-Jy(2-_oGUBmxc5^r1eO8@?M-zBlpkpy&xo~%~y8iBbWPxk(-}hF20m`WM(qi
z=C@01-=xzNvecKo$UTOf%qiUZ(BkFq5d0_Lr>k!#;J-LV{B!VMga2N?e&4t=naRPp
ztYq48r4YUaKV83H1HS<Nm45xEKM}ts;LnA>*UuL}d?e_H9^^ic+`Ig8{_!9FBk(Wt
z^KbS1G+^St!_Qyg@rU3)O#F0y$mO8&G5Bxw$6w~fFM==e)A8kf!VkeumwqSwkBkw&
z2mak-@cZDmjlmy)zhMmi5d2%l;O8#0tYz@i&0mV(i~e-^llLXx3O}8HJK^6BKi&MQ
z2YxO5RP{*ONuNnSUHk#~tH;nk1b@jG{9G!yyjM7#{v!A@$Kcn(x8bLn|A_sa@TbF1
zH-GDSo%nsP6Mx`!;t!elZ}!*ks8_#ptJv=y!@eT;Z-IZIKfa#+seY^$e&!hbPWb;p
zKa?(h5B%SZ!S93r<1zRH@V`3-e+d3p#^C4PNdGbhzX<+AWAJO?-!lfk6Mowm{2uu0
z$KdzDUje_x@Bhr(RRK!<8h|hMr&~V^!QVdyKX(QF8~k+buL%C5WAJO?i+|I_?}Xns
z2EPaXQ}84H{8f1Mvk(5EG57=UCI9*U_`Z4X5d1H}zueDX@9EF2<~_Oa)Ae8SKK1X8
zk$x@wgK79O4mRXy|Hk>A9SzMJe0Iot+J7^Kok!vSVGKJ@!+!<-Tm1R-tz)xm*f&aJ
zr_>{PAN<e8;FrQb3cuE`KXa8^4;$did|_39uLok$-vxgT{B(Xk0KXJI$9LX*sNE~4
zqwr;%NLNoz!<T+O9Y1@ePCs2enF?RhPghS$;YZ=8v%dkpj6><t?}EQ*4E_Q5h49mr
z-%<E7j?kTX{>fbG`u{Zio8XuD`La0SxA;H%Cf;ieKV3VO_xQiaIyc=oRtkR*{=NS7
zbk=sY02ciX@K>-t+s=1)KAZV|*S;?JUxB|f!2giTKLCFU>$i0NJqmv+e6s1&uQ!4u
z{nPMofxkJxzf<X#c9>1YJP5xnyuYx?+g}hp`N+M-I`LludJedDM&Wm{KB@5Q;aau`
zNc=ebFR?C3$Ctl*aFX>#z>cgYH-0btE7`C4Ng(}a-Sqq6KMy|^;Oh++Nq-RjRMvs%
z_&KYYkHNns5MOU7sr<t~0AKnmuN=K~bQJ#CG4#jbU&}f$UHaYdJK^6R(61K`l727z
zr{Je5N8$Iw&;9O*z6a&*v+QvFGYG#6e!BQMH?xi(BYr;oh5Y@FRQ5?dDx`sS!<YJz
zT^s7p|4Esl){C{sMULwAX?Al+?o(P$^3y|l-N;?Tch}#oo}L5fc?7<+>+J15J*I6-
zG|_V!Jx?H)uKi?F;NOS8T_U)C^V;WB_*Z^!M8D6+<u7#oS_*#!{N_OXMwj0JfBzW#
zF8F_fzakJ{4^U$N0r>V)sr@eeqwsHsza`M_+T3<?8vb{mPOm?E4SRy{*(UMj-`nS$
z3jg9`=DgX>zg`GR`law!z>fyvFZS{e|8DqC2KvV*RR1XTrVIY1Kj3`HA79qPztUwb
zWRdGd?l;Kwh2_2yl<S+!`^Ee9y@2d4U%k-#DceL^>>fhj3FL5(FW<VotA6oq)YE6o
zKFMC69<j~0Pm+(^J;;3>HQApD$$e4VCi-fSd&{%@{TGq@*N~i9`-@$BYw;Iysp`G(
z55eCHe>UIU`r4$^5x)H0me0daHJ*zd1K9Bu_-FW@-50Xsc~4L7TIT0J<nP%8%I$~l
zxK;#zI)9f3H+ptt>J199qZa;p_zwj5yHx_h?}UFG{;vc40mT<PyWY<Fg1_(6&iCwR
zeRk?{R2{GAIf|a=k=ql{bDx{eY52?ddqAHJ@E>;h*|)Nef{&OlANrs`^iPF9>8Gjr
zVyC<pXBm8Xk6!lkK0B!=Sug7`RP@Brlgr;9VmjtaM{jfrzZ-tl82n!NUGU2S@fW!H
z=!gFp{8at3=pTfC4t~0Q@|@ck-{BYf^_zV+$>-!Lw1<=YT_?V0|1p@)%v+Qhs$JEf
zX9;rY>Td%6I`|*;r<2+3=3_7XAHz>)=OOqf;TQPhoBepPvkyDZz*qI=KYe!k>W#?B
zdvOYX!TFMu+Xa_;`>s-Mlf81Ax{m(;x%Bxdg}(rPI(wq;q+H=|C(Z0!Upm?zbs{JB
z$loP>6uA+R%lFAie{)XzSLAw-yZe{?T``fH8<Kn6D~Ew~{M`ipj#avH7=m8_|FS^)
zzSwQwxpnyGdBzpear>FfHn*IL;CI7Mm+#Vxuob>4hs8cSedQqavI{+DkW06YKLCHu
z3+d~_QTX%Wr?aCUJC?y$cC1QoN6vcw{>lGt@7u$ps;<6I5`w6p0a5Ec0wP|BnGiza
z^*|CNfDj=l^4d-&lL;A_%#1UW5U{l=Dy6=t@qVe+)Ou~T%~O4;Ro~ZGtx{_h)cUGz
zHC~F?T1{K;7x>oYx6hn&X2xp2=lP!R56`2VIlsO3+Iz3P_S$Q&z0V2J&2YEZwU2N#
zrT>)D3)OQWrSG8h@4E9BuXE%Tqx6npI?w4zzsgD9Na?RqdOrV>`~6NzuXx3MeunmO
zST`_6nJvrnS)%JBI=Z>~O*bSs{as4<6{UB1(lrRr=@Y|b?_MpOznapQP<o;KEtEb$
z>4nC3hSDdzR@fe2LFrdfdZGOHQ2LnH3+I29(l=82Uhej};@0m{dS8Kbmh;4R8jF;E
zR}noJe}`?tkJKhGTb9%DMECKZv*!%g7xTW_-O``Tr{N%)zqZkN0OB)hrAzOa*Sf5I
zIiL8v|3-d4gv+^^(kr*qxl{V>)Tg+|(VIsoedFh(zfS3oyt|`d{9zO=NIs?XLjLg-
zN+0vy=lH*rUP<YN^0!m^^M~xz@BJHj&Xekk9M7lpUsHOWyM3;63O7^wOO)Q=?vIj_
zM1U-xM<~6R{+`+_cYZZf!vA$j-=ESe-0A9`OZun|I=4dU2e{K+`z%u^eah#gH&A*x
zr626h?>a}(PU#0z`gnJ`E6#jArI%59q4>znl)j_9aQY*Z{>OjPyzG%r(2>vUlwMB#
zGu>T2_S{&0qgIk#`JD7Al)mwE%5R|bwUnN5^M_Gl{_T{``X%p$oBl6pEMX1c^z$iw
z>W4T_?xa^c^}m_Y?T^U+^0aTcq)(yzk5Kx#AJe(i5_&NCd5k?KMG&a#2mZTJ({|80
z&CQ4D+J%+SaeXFs((&${RNrEHF#Jjyo%KpJrC(D-ac6gVGN+Y<O^M9sOrjeewNv(W
z9X`d+I`)CTi*sG+PC17$>H?R2P+o6vf!w~0MAtE9=gw0~sjs%W=(z6nr4B#-``8=D
z?cCW&^&Yj&MW_7gm><{cU8>iQ_uQ%HRGs#9IP#ttC3{pxf6vV=r;@9k^lC~^O`v$1
zyZt36O4GT%$4?^ry*I_<xE>$7>cRD$D`J%OTszVI&%Qf%UPOFG?J?Qwf1Rh2WPUeO
zc~j``HhT1ncp=nJ6l81Z|0js9^WdEtU&(ilOy292?;)SEhn>oI_Eyh7lLOsPe5m@K
zYv<0QJ*%k?=6zK1!YJ$Sqv$6=yPaP8Uq#mAMR;m0eXYp)5Kp_#KWeqL(IlOE%(^1$
z>by^552EbHmoBhcmCYV?r5lQ@SZUh20rZ5NUu1QbCai0LaN%Po6MdjGWSuruDzj^Q
z=_;$=6p<dkzR3Cso_0O6G;D1!+$K@Jx;1p7=#N0gP9)@z(#2MTa@u{)Tg978tT#)v
zLSv3Et+$rzZ$Igti)dl-MA78WifB6sBnQ&{=+ZN-Q<d9py)$Sw{fDUvH|*X51^c=0
zKaJL9_ZJ<wwb*)#vs_g??XShOzki4{c;1tYy--xTd6ab_7k*`N>1(5C+k}2TS6sSd
zlr_LD_(@6WwWZdF{By&o(tAp+Yq<A*G^+HeQtPErJVBE%$5&Gs*3~7SjJ|U>>!IC<
zfWWdt&#<fuib{Vt%KCND2b9j(v=`~erjpX1jk5YiH3@cL^~c2J?vkVK9Zi3z=cuPg
zTep-RMSpSSccW!m^C;3+4_`^(D+zohfv+U+l?1+$z*iFZN&;U=;Qtc|3{A47CIh(3
z1N}q3tz7>5(?0x<zUPndJQnx93AX$ihv&>mbL7{4cz%9*Sbj+?hJK9!P9a>mhLO(e
zSiVd;g)by5drh&;utm<hT${((av!aa)^M>czjl*<Y2TL|dA@enn?+j!a?uu<=i;TV
zT$NfsWV6ap&_pEff;(*q$(0;u%iZ9EWA)k8dq`3(YggP&`8#l|tqk-#@oefbg6GS2
zSANL;|Lit`e()E#3H|#h?$6=A4fpqPAHA2>dmr4V;$DOMT-;B?y#x0i+}GoN74Em<
zz6tk7aeof?ZMeUW`{;=%ANQ%a*Wf-E_tS9iz`Y0e^|)V!`>nWd!u?U)pTm6{?(gG1
zdT*4E`&8U(aG#6&X}EXb-h=yk+^@p@R@^t?{wVIx;l2&`_i-P+kCt!!o7bGhI&S^h
zdjZTZke)<(bAfaU;mCCq(v7_V?A+cckZ$OAEs$=;?Xm*tW_<lef%H+RL9jr&u{+@c
z>BbJl3Zxr5adv@pV>i|oNMD8eO(>8aNBVb=?g$h=dT{?<f%G*<?=O&^Li!a2$~SiI
zh64GGUB0zIeq*Nx3#6NQ=H3G75<{dqK3E{#%uA0INS7Er<$tO``krY2;RVvmkp5zU
z^zlf44e5AvZWHk9Zw2zpo)^))Um)GgQ=b&zZ|1$-nst1e@nkBn4}R=bAbnq?ABc35
z&)m)YW}XY(`!{I$*W!L7?swz<IPTkUFZrI*AB6icxX;D?>$qodzXbQ&aUaJ0L)`uC
z_Sf^bS8I7Z-YLXsZN)R&hvVu0=UmSx((@ni%;SF&{r{@#`EYtZxxW6`@@Xe8T6RQv
zO+}z0P+nCTsHv>2tn#K*IVm$LDc9#;CFHf$7TY;QC04Q3k{2(rGI{Y))-`$YQpcZi
z7gA!4wv6B9#dopt`70&l#Th@xOTVjS{3S2Gn`QheFTT5F{7WxB)*67{;l;;UW&7A}
zNPd@CdsxOVbtjfsds=<)SG{<d)$&8t2QNO}x@J>8e1gTV%lfYpYcI?AzwWdW+LbVV
zuNU9j+MdS`E3x*m^7&^a*1p!rG3vj1`Ov6@U+cy9vxWot==Zl;XXV3<*Pi9V<B0Z3
zc4iU%#q(G`ob6|^HO{g_wh&gxzm~;zsmP*LLY0==iiw!VPCh<-Hm-<r`Q>vG;mp5$
zl1;y|*KGR9c<UrP3(~I^`k(QENjCk;UbIC-{P(wxuGRV!A&KY5qCEXIKsfUmnq<?j
z>~$yoEXvdGza>0hyPhk6zgz(Sa{>IV0{91nOMB~V`ej+`<zIULl^R&Y`oB>1*;t=_
z2+vnf{w82P{ICLeWdXc~a4xqsq~%USeNHMs&)+i7SMDhV@D{?QU%q7vXSU^hbrrz>
zvjBbv;atywm0C|*xR9R#d>FXw(Nh|K6IbL3yd3l|5uUI9e>VKPl)s^W2Y4%R(=Q(t
z;4`XN%N<^=e5f$F#uJ{e+<gn+hZMl47Ql}wfY%Vta<I;uBlR%tvVjk;Q{4Cs^9j#a
zPuXkEV`ok$dg<S{Y~e587^GkPH^{l%VU(+>mUVUk{;R>Ke93I#Bj1{%U;Kv~*$%YA
z4m3-uW&J1cp*66R)E|6ZV({f&{Bnag1Bau3wZZ3k@$Vbl_To1h9Q82)k{=oTY%l$7
z29J92pBOyk#eZh-GraiSz-^Rk)=3W$p0B?iCtUiaL*;p{iih@W6}ML^F5ifwv{!-m
zuT@;Wu|@cMz=zi<&V2bATcUjWE>T>*2}JlIz=y6@T)yE$_;kWqAMEqzaCUkxP;OQo
z;rZ&{0Q%weN^jcxb>Of2@E+jXefTB7-}2!<A)Mv&)}30<Can%_Ix9Z&F2xrEe+2j)
zz+VUcSKt@@ROxBQU#{J#!py&AQ1K<8p9TDZO^O?PvK;tZ!0SN&O~UiZXF~zp$gK~4
zJCVs{<aWLfH*(wH!;RcF`tWNDlzR)|VrMSW{$d}UFH@fl7v}HBjXvDer{9O0`ds0|
zpGLVh$~{JlwRWY21J|by_*~#kz=wf10^b1KzF6yN=E46le1JEA{$s-j_^H6_XaOR6
zeu?stv#ylZ4ZP2X{|fjJ@M`ec3Eb-U@;QzI7{VX8(VsN%KH#SQw*VgkE@#xJj5mQ>
zmnwh5r;_YqK7BL&JA9+k=kzbuThtwL8GYO6!=3*1;ZFbh@Htc;>Bk>vxn?}B2mU7L
zG3>1Cf&aya{~Y*VefVbJHrmDhD_=W+m*1e}n(^2`0T!-LD{#~AmjfU2;V%F$NBxZ*
zm_&gX<}(a@xfW~n0`Eh84FAI^Jzu{(E%f895#M@eSnyo`oQuiF=PjbAQ<6FBEdE%3
zQJ(eA7zq^Zm9uWz54eAwbu{5c9R2sLgZR%!o0tpNz+B4;;GKj|BD;FzZrU&8*~oPs
z@DIxrKN<M<2|twNTt1+<(epv!Kh8>3DK2O2D9`fa^4Dhs^!;mX;XDugKLmc@DCKhw
z@Ixt3Hi7DS*|6IAUjRQA_+X#nvw+Vfoa@<nmGUwE*fP-DJC)wVpUxwk<<NSf(wn&1
zEujC#UzDETnc?e2&|i3;;$|iJ4(MCIrMP_ClITAXT(WxpDWd@1c=pGzKBZwI*A&9J
zy=T3xeB_-7N;v`eC%;hK$bSjpT>puvzp2kE(3elPg|BJvI^fAgiktCxJ@6^hRSu2C
zlFfPvc>fA5SH2BQNpAsfenR;ed-XBlEdOb+4`s^68b^ZVb`4&jd`$fAAi}x+i%@?P
zS3C}Q%^0nZ>EBa;&);2fIm=9CM1em$PVqBQ?s<euxzn|t`vSil^dIk{^hQ4S0<Ydv
zakdwHJqbR^Cv171DF2fE2Y%r;ZP&%X$J2n~a%1C_k6BOE0Z&5zO@GY>-nvHl8#y!q
zUv#kYnP030tOwp-r}RdDt|gr1-;8lOpybwFps(bQPtqmtF4KK0;Vl0Q#{21#YFTf9
zzO2m_#Ps8P;J^J!t&bUBV~Bv;yYAP@zfW>e%n|sfzf$}H)c>>nm_GM9jp(^P`}^!t
z8u;7L2a~rS{FBGp!i?Mrxo!r%1wLk9_94*s|I!w^M3K_}9(eJiTF><gTW<g_8&LX6
z;GY5?Oey`nz)Pv)SPr*;p!ihalL_Z`-REo9v7jHmQTZPU`bEIwzgIp-0dEI>;QNZN
z2EHD+wMzNi2mA`)eNz=Db0pWDz=x+OZuEaM@SC4e{&#?W82Ar;_UC=W|5wUq&mzrG
zMjga*Xgx#mwF+B@0#Ci5{FeZ425#S=^fkacfLs4i`W?VG5MD-cwq{>^?-I}t|4jMF
z-_oNz*8~6b9p%IC(((1*gmb_2j8%O$<NX=XHy>dOo$1HdfRBU}-$hdCy#eq!^C9JL
z?Av}MSeAp;=B1wwe931@|0D334}5T6t&hA*KxylM&v{DeSAhOD;3M*}TFY7re2{Q%
z*V@s_=L+DD1Ft}P$$ZK6CirZDeU@+YQpyLw`+Rybo(v$j>)N}uK7GZ?=OEyNC)xs-
zdGkcz$3m~pQgZ7|!r5N+Uas{V0G=S6>pvQHsUG-7@ELx}7UU4%SAzaR%p)1#_kg~#
zLg|ftcntWK30m%S(7z3Q5cA`mXx9!y|E%&M^Cj0_)X^-56)&kA9sqs<@Ycg@K@I@E
z40svrzwv**Ztyde{){5c5CuN4M)4BxIU9I0aB`33S`B>Y>$W^|+=s7qhW@)+&o@RZ
zelhSq)N``J)-AwW-ctG&;7<sS2iNTt(2rEwf|~vs0sgChDxaCi^Cz0n%W3@j<M!id
z<4){ksrHMpdy@!fId2Il|90@14*a>pm7d={;cFG}t*}?duAU42x57`LVJp{_gpVgZ
zH2WsTpSc-)$}sPn`R=E{n`hXPza4VE5B$f#e>hs%TU$VHU$68=4~K!5pR2ej_if;n
znAeU0pHB(r@p3!-TbhpL+LIg`mfJRr>lpCKgtOfGZ&vxsH-ssz5_o)z;t|ld2#yEW
ztrPSEB`W80kaj8XKIoyT|Fys?eeL}j@YTM4d6;mqSHAi2WzY}#?9a!*ho{?8lNqSb
z^b@tceQzpm^mZI|oXFu}#U~YMhAF_09#T2n20q6DZ#`1!&j-E$c==6=?~Z<7MmX1h
zzOVjC&~Jf!b_btc;KTPQALGAW1ibY|t<RxQlxu-o38h~MKDPpIu29^x_kQ60$0~00
z?f1YRf&Y*OpLYpoy&Cqdn@Y&gal1xAugo}_B>vktYZ&~=9g=Gn=<mh&GV{w~p$C!c
z7A}CV2A?PIS2-B}?JA)kXI%%ss1LmE0e;i(l>Qmu&j4@5`1%0&n}XxPb^EjcK7lI0
z`ZIL5E!4)&PX;~+IhcMt7I<rq(%+0S78B0$9Q}aSvlV!k(Br{%TL(TPFW7=^K-%Sm
zk0<-tS`!we5BSeO|K|TF|LcK23f$}?4?_`u3;ZyQN8{%V18-hu3y0r9&));SW4rSI
z5%`xMpzWHstJ;UdfS*J-%dK*S@-g<|6vAbl0)5*H^zER3_gUp{=8JCuFNdBRzw2Vd
z|2s;5Q;{;d4*0-zipw|WDe0dlzz%#%>vJ^9y#w@RuPD9;_}mYC5aZO;e>3n4?p6LH
z;PVb}`@a<*1wLaB)N%)&RsKhSehTo`wTh1gel+kOe58E75By9+4}CM^IxaYfT(|QG
zXMLN3elhdi55Xt(q4GEO^8w&}N7%w;E_giwe4m$<{sQ1{0I!6e8~gSF;au(>Sg)D>
zEvI+Q8UML&9d{hztS5GrmYV_pxrB3^q|+BCSpoXisY-9;)(t#4pm-(tTnv0muh#!3
zz^?=T(-#$g7<&Go;2?6{o*|s;f4t9s{yX?oZn1@WH{|&g^w;_3g?$dDb`|euZTFp9
zm`pg!VFdGzncrss?}L981OG<g$t$&7GGB770PgSKZr~fR4oZW*ANW06RSw3^Yyw`k
zTJcLj{}|ychadae^$O@mFkX0{o3D3(_XTWuHhTLm<kpArXyo=8=y!We%k7a|mbDi-
z{4Af_eSYZ)gtI-de11_g=m(=(?p)O8OyGTgSN?tApC+8!<@evd2m0ohl+O>q=Stw^
zpD3R;@cA#``-8u+V^0AuJ4*SO{v8IMd{A*CpT85%^%+FG%gnzM%2f{CztnP#K2!rA
z>{dR<SbCj6IP=+p_36>T&mf%T_O&b2ZVv#D5iWN7a9a>#Z#NLmeEtG|X`ZCgJ|yt@
z7#D{BCc>Fd2j;sMK))5ZeZAIyVu>ca0DKF^@0=pV-zJ>PJreP{$qHM$9IE{LZm<P0
z_NN?pCG4${X9eNRr_&cdTmbrJ(2oKCkl=W5-M(1>?+2g3^|nx(`SezUL;uZs?QX)k
zKJVW*Tj)vc<$4_S<vogz1^(x~wY|wd*@8R+{29;>%~X6T@IL{!v3@c0*WZATK;Kq^
z{v*N<C3~BMy<HCcs7YGx;El@P*wxv<heC=QIX4TA%&uEI;oRP95a&-J?HuqKK-~LM
z;5X0ba&ynQ4S>G9(-z8gMVjF*;AOv8{QY9Z?*+ae_Jx0>u=Q)gxjtuNy>=AvKM>CA
z!QKsX1Tp&X5AfOIn|Jmgg=9S+USkWr>92i&Cy!VB*kVbx<`T~3UUq`=pQW(X1^S`5
z(wqKT3%qQ);sMZK0(_7Cl#hH{g3|s6ct7f6#_yxRTQ@78KZ4KGgtHwe^ZEaO7J3l5
zZl8hAu&<uGO;I_N9jE-ukmmrxxxHuk=8NM%Z+9zw81yFtU-Ic}LArn^fm=Siv=Mk^
zn=O>5f_?yat55%b3cTNEZ+~t0KdF44g<d@kyt!5Jx558q!+)~kdjbCdxD9(U3i$4a
zK|WndzYF*u0K5|QG~*~hIQPqP#M{ldvq68>G1~9uoXNR@qcGR)YS3F4FXNGRC-AbZ
zTA%ZP-w*s#%(IQaUow2|SNb68zg=(;xo)2rdiaM%4r9nLvOd_@A2H*uoNyUOK6xGw
zyzd?@*Z9wkz+auBa`<Pl7M=k9KK#||QK$8UbGh>oS3DB<ZHE6!<=+GRm%x(&#Y=(z
z26!v_*UaxP18=_GOaC|E8+ObV4nG2)35P=;4p(|JPAh@;W4zO{OD-Gu$U>#hK>n@3
zn|=178+hL`Eq7gs@;M*)mQ~6psjzjK!9$9h_TFLe3dLuk+)aeDJSSj(XA<~q1#Th!
zycqZ!z~hM1?g4zvG?l{u$~AhjFX7C;au4m_(?K5qeH`o1e&DAAFULNtv8!S5c@g#}
z0s3<Y7ysvK<!}6l3&Cd}tiQes`d@&Le}DWb@Ol0+<ud^Km%wMJ$`<4T;M+mp2YYME
z{Q&gk3$(xf4Ej%jw?eOse0HOO!1D3ONsb_#$I-y4T5cWqGy!iweBc(~9l%F!SNd(E
zHQ{XF!$XSKgZ={G)`g1CDAt7Q2<Q6v_s4%G^vLYGJq-E{n178vybAvP{mQ=&`t}dP
zxxXqQ=i9++R~pFN-g~frw+#4X;PYQmd0qkh1j3om2H4eB;LV^PdD#}^Ae7riIJfHu
z@NbR1>II*2oU8vD_*`W89HxBCyl@BbvK5M(e*6XSEk63+6VBzvv0mO6{NDh5^SR2$
zjMLA6AHA3Ap?u4V@*GVSX8CM6Lg|~q=S0Gp{{!$pjh?(h1BdBH4pn;7-qXOxnxeRA
z*V(|EyH(B&;J*gA-wyW+4kFj><^uRHz-M@^miss4c^LQ>?0+2u{D}g5ULl;@dmq*j
zMxK+7*7o*1sr8S5&urjBk7&7%LLZg@AHcf!XyD%<ob~EnpC5HL=*uvEO+C*6{^SQ*
zZY9dSMQ}X0Zuf(}@*%CyPNY2xycz3F!{=k*_9mq_`cN`m+uL`smisRF>?t@NT(>Ep
zubirU#v<)_!r4!@u2FrXLs4?A0R0gBPow8;z{@XIJ~x0*2KW{4d*yHw@Mg@vrrbM$
z4?L)Rb^)Iu!nuFnM!d`TInROq<NsCutBW*4Nd?z`Kg+^;$Bc{p2xt8-gWoa+{40R>
zE!1+mfS*D*mpj21XX^yM$fs}T0)H0k=zYNFa^R2q;!8g#oa<8#f5XUg2>9SOt<P^^
zhqnT^2NWl>AlK`_hrX%!eZb!$ob~oY-+c6m;R8J}^XV?fD1901UK#itKsd|c9?aLZ
zz#9k`dHz7lJr43;2E4pYal>b&!JkpQ)zWJ<a66{>W56#0KKE7aUs8Ly?i3skuG@p4
zAB6rKinI*}a6NP1&-xwcH_cQ%Z-$(Ap@BBR#n=4YpKz8#CH$O&k#M}wkF%0-TM(1C
z3Hb0l#jh&S3>}1XoX~&HA!X=M|1u@F&Ii8b8kNJtkn@#<bN_BZ|LzI;+d<z4KY>Pq
zT)zfB=WojAEZ~0yo}6k6V#Z@}K>PQC2bKOd(C-KQxk{DW^{CJ3f`iC)I}7wfSod9u
zwDW-<`FrJG5Bxg9S<W9r-}V6h5a|2XDE(-Z`#a!+rzk!a{rD2_fdN}MnDO!+@MVbe
zQ}gB8yDERbA5J*e=TYDO*NH+;<M#qv@?VVltN@-2DNbr8SH#dmPv!wn0l%+E<+%}j
zt_FT9;`s^C{~Wjtf5Z3*n}HAb=JA(-m-+hlJ;A}$b=zfz_IoSz(AcGYfbYP(mPVcc
z@F5@nd4|sewov{a{nA1>%hT_-$3VZOSLx3I|6br#h;L5?ewE;OaNTYPeYvkb4+8H$
z+!ku14^IOhyjJlb>iIHodyC?SN-jDlX>iErAmASWFUR~+27E$we!V(OaMGXSl>e!q
zKOVS^dQJnrfN+-E6Ikbx+ap&9cs15*HvwM@K10Xaf|LW_2z;Pj$IE!=+jYRLi@o%>
z10Q}<@uwl5dw}=1DZU+w@*v?{&p75yv(9}D^nKq}`Wr00J{BAguG=280Oz>nW?$U0
zo^a-WE8^a!AOC}Jo{uVTwuQ?$*xQxB7h(VL7L?HkK6_vur)fg2D}isvKDFuJyMR9e
zzulC(8T^MLD$gC@^8)a`8*M=h{ojC(^eMfWe?Jl&nO(PWHQKH%)0EFRq#aB+%V8qw
zIRW@g;Df-;JhcpbhJEAWY~bZbDF4ae^BwS+g!b+Q{Kueg{jt`6BlO{3;9C|eURR_U
zeq-?G6pw??TfpreTM(ls9{@iQ`&K=mKLG0&zdfu0UUsVT|8LOGC7kye%kf^A@%L5`
z&T?A<dww|RW8kx8x-G~qz<WV|KICb}-6f!Z7Uylw0{tf7qu<v0v;%(%csb5%9S!^s
zg!8#a|GBB{pdaHq&ohP`FxK;RpD2IhuO10}2hLSK0{$lhA3oI<qz?@{jc}I3PkrNb
z4e%Fz`%~9~PapR0Qbk(8FM(G=KO-o2;_lq8{jKNMhJom9GwAyRwg502)^mh&e@*kf
z$M+Y|msKi#hqAGD7(SR!DU2Z3F0|lf`E0qzmgiE1t%-zld;RCBrh$GC^R=O`1D;H)
zoHv5c9N?`(%6~QRMc}_4=iJDw$rS;;b(Ag7#-B+6_v^`j0<Szw>CJe&Q*dG7`R5_R
zxm{z9pCh=j58J_~)#nfFD8OgJu`0LZ*R|Y}QOY#n*71rPeV$D?m%BI0CAM+}4gF-L
zH+G{Nc=_RqoAGtI;F{O{@2^1be^2BOz^^IS_9jX+*Z#+8{YQ@V@~;8DKkScb*Xe@0
zOVr;n(3h=NJ`Y0AdkE+DZoqgs3|X%S{hjcujeqh0=;vXcnh5&;1%3Gn<!|)u4d4rY
zq55X*!w%ph&~rn-*YVum+-sWPv~RUu`Im#_IN(Xh|7*Y(0I!8#XZ*}0@G*$PzX1BX
zf!pWWf|&X|L^!WUY^)#0gZ??tS7N?97x=57pXOV?yeIS^a^1$9p#7WkJ_7Lb?^3xP
zhCEfk{p*W)gmXW><y&7Q31@rdUzdFo^jG=fnb(1TE9~llDEH^UD}QARQV;ww;9D?H
zH38oW+`@ZFUkCnogTwzc`tULE0mS9fpf5gA<uh=(Ey!ii+r0?q_WIukIRf-H?6B#_
z8p63BNASLh(UbY0FRxMlQSe^|{>S?E0h6HLfcUMMH`jrFy>EWG3HVyf%ZC0Q@EKgA
z<(hgv0Qwcaa-RkL0PJlW>bVX09yk}YRHQ_6&Pgh_uf3uA^9t}v;KP{LNbGXW2JW9{
zzX81L4CQkU%IyMfPqiigSY=~fKsd{}@=~>9t-!AVy@l_+M1bEeI38TL`#`_Lckcbq
zzz4S4LVW}Bd_*|wgFpVfJCWtHCkGSG^qZjn&ERvA(9`+_ayEK+I_N*dKKKEk{~qYu
ze171az?+YxA9R^@(=X_e=kfk0=m%Xf$n!CJWPAvEYv`W`KH`(}KMCjh`}dp1Q8zI@
z6@J}eR0dy15zhSW$+kT2CI4DhJ@7W@&qCm55zhU1ukXAKhbfrP`=8Mdx-JF%_d(z9
zizok-aITO4y_H9RZ}!bQZxYV@%PzBpvxz@gq)t-*3dPNM;q3#)`(9N1wPML;9VWQ`
zcK>@E=*zCAg6JAV;>o~=R@s7(n<v+@0({OQoc+2X_<_crTwwTf$I*3Zk=!ia2I6{N
z{~Im03HbfM2fk|y;c>-E|CHeR+x_qBpf77uK1HA(A)Mv>IP|junf4_^&E?)YsPtyv
zc_HxBpA>%s^k)ILj<W?Z{>*m>XZ{^nR~kEZHRwm4ReCdD+$A`ex^52xAJ|*zP15TH
z=szQz%e@u*K6@j>z75*0;gIq%>!9htE4FF7{sZ)j2<Q0uFwP+t0Y4k`%`248{YW^+
z@IR0QOIIBDUBHJ9SNh44YFQ5v&f}%lr~l7`zWijZ&#U0`y5V!K;_raZ2;tn`D)?8X
zy}LF-&(SXi-xqkxPUUkK_}_K7(ht6%^_&U*%R#^GaiuqU*av+1JBn9={>Q+ZZ&W@8
z9|Atot#~Qup8}ptD83m9FA&b{^1mnhSI`elR(fNXcA2a7|KpQdp9uI*0X_u(;S}Ii
z!254dKKlZ10)G6{%Ezp`<G=?n51Mv;3wU{-@;M6Q>r&tr^xVvM-zS{g^}KH%<d>lT
z@Sj@lWbhdQ{WpE*3d+cV=W*(f=Nv&e^Y`z+oCx|M#3dkRYccR)^vfv7;Y{Gk>$P2*
zfhU2N<NeSJfUhB(%k`g=yac#Ej&vLFPknm(5crQAuH~A3c?S6PIQOyw<&FS<8tV?T
z-kdm3<@1ltD$hGWKMVM+A1l5Fcq{PoDO#@4t6t!PQx!M;cp305am9^1e+YbZt=fT$
zO0<C2fDd3iE?3z4z~IL!pE1D8nza7?S1MkPjyZsEmb3qyVHN0GzYTiuX$0<n|Mzt8
zS&z7uvCmQ98?Y`g_<6zyOkKC{gZ@OU_o+E@-CcnGQNhPq$3p%w(7ypbH^aX&K3K_o
zZSOYl-yie`0lyXVi|MZgg!8ztA-AcZKNI+ti)=v*o&tXTQ>qW9KGy+H!vDl@w0;b{
z|54@hWRVtdA8`9=#qUzsdeYF(Qv7w$|ABDs$A$2_W`X`6pznh|7`+;`K-*P*r1CNI
z$k%`;=W6|b3_eqU7h^x=Uf`z!AHh1p_@!q6@Av6>0(cqhn5oaV3FrDRLfoSP?Ya~6
zM`2&-NR<0HaR2+xZ-LJ?Uq9}*5dHWYZSUjgfWv_wjrq&;`{{&peRhMM7&{OL{VTsz
z`P`2BtOY)|M8~PIC$|yK^Kw7dBLkqn5A;{CLr7N!_*UQ}=y%iJKLNKl+Cpjk(vN@-
ze@}7a|9p)mCf3`D*ypVR{|4ZF&nUeq_e{dMy-)k(_C4VK?>yWHKGtE%$LP<00UxYT
z{1BA8Rd77GZX@9TxNp6==OXmiZOZ2s=))x7);CrDhXAh-+{G9_=YYQdf0h0$;A!BG
zyr4Ll3%RZVUN+5^XER^?gm9LRe_vw=^n<q2PlmyLgYa_U;Qi-)!o^R+Il4WOyz64L
z*Ee4rLO7S3!n`&E^mU-$!V4d|V!#`L`_FL&fj9fc<67|dzYl&b=m&iCKNH-tM)tN*
zqTZeaedW1|n{oXT@bXs`Uq4Fe|3)~ss~P7Wjh>HgRyhnzR(dlY4+6gB9K~NzHr8Rl
z`+W2^@ZmF*{ut2DC!EW@(5G+hpig1EYzO`2z?&1w$IKVE0Ux?Yans&Sz?1L~8^Pyc
z;3Jciek|~<z%881dI<Q7hW=Yhe+2N?4gSe&LE3=teyYlC=whY+ZILGI4}2h?_%5KI
z4*Vuw@Y3~l;7x?HevW~DmH}T5`W3G!{j<fIaIxSZa@}qsoaOAFkA4Y0eGl3~ZREBY
z^#1*$7eQayqvdWz8GiwN4c6~we&1z@%HcWe+a3n`1Az~ITlpA2Z5r^O!$02u`o)BE
z{r%^WBB1ww_v2f@PlTPJN4f3*pUZr9^##y>jQCg@^zVV*^0jOHQf*gXoh_6wGuBkX
zxt{*-`PiTzgnix%{J#PGrB_rAW?j|`ylkQ3-!IY(>wx#{qw`c9@VkMx2DCn=AAbXU
z5bL1RQSK|it?w%R4Zy8vJesKpTV0`OoNnFe(8`DvOT<?O6Uj_85l>fCSI?}q!l_I;
z)7{ZQB*EbP`X#}IO-oyXL90EIimZ&LGm%s<(-jO;#z>kd+7rQ*u|!)a7HrQXQt4o*
zyVnXQx{|R-CemI}Qx~YoPZaE+>I6fnRA@~w63?X8SRJWQS0vcp-PN^*vbdgtTyYO+
zI+Dpm<15ot$8;tY33btra3)3nMteHKbc^(MMnY6$*Uuo)wO1rVsZ2$sRloG~mil=W
zGwZC5Xo_=3dLtdot|J<YBtw}_`kCo!r+-0NXJw+R=&?H!jWJz#b*KloU^3hl48>xJ
za3~Ye0;(iE*q%;?+H+GYH8t85%9k3jC?TjR(Rh2LH<$^v#Ud`0`XC9=v}1-94~MzZ
z0IFs<zh+wLHR&+bPo$+kgE8tzD;y0`j#Q#cS{_@QW{N~Q+!<oI#lvY=`vX;mVW8Sd
zr8#4|GgO6JFquk(Bk8nYL27h6^^O&aFhlw`xH1yg3a70l^@|r-bC<SROZfkmO8P%Q
z|5wrfGpxDvJeQv5((_z;=DgDR?WAp1TXbc-n>(v384aep+k&03r2Ovcj%9x*;u(6b
zh^AAaiYiIwjt`QaP@S}Uss)bpCWBoGs6?GWt5eZTL|CP}NMh8iXjjBq6<I?HR}oGo
zt>B7<fx4Ea<)<tRo-%v>;w8b;8ka0>q87Omnil0xXr4_v=gv`8rK}nn=gwZXuqD{I
zsD5!n)1s4^+stUXGtx_AaK*w}`jJVrMdR`mn5p#%#uC&l`W*<gM3;BP=7r+zu}E|0
zS<O+YO%2FM<I@qQYhDmOE1O*F=TcScWyJXdRkgxv7Klj<QestYGm@J-g`f@uPGOYO
zAqhum@Wj_p4~Pu;cW+lLl1e2!00g{Z(E?OtsdQPix3Q}+P!|j~FKKLPIU_iC*`oRu
z5;>Wq;EENC>ZI|D677*d)xv0eRb#xpzB3wYZ){!~{9@T=HO14BRAx@3Baw<Yd6z8s
zqWNny|LhJjjsHgWz>-K;q9<GM=Tv%utFbeis5mk>Qer9+Z*2bj3jd3|;eVAqP$hzH
zj77T0T+eK#(UfUyt_?OV4$f^_*cknsY6oUW)`mp5oAcH#B*mRecGi_0B#rTKf=$Qg
zFk9f`_N8jF0IjG`bbaYoK!7bY7Qa-Pfmzb}*%{L2w(d-1X(ZE7-PrRvP0W*H#_V>|
z=s>lX)tBQ@ql)&0*<hT?kk)~k9dC0&>By{;Bbj=dD@gOg&Ee+g7wyA^ff_Y?%Ub3J
z7dFmr2v(}W@}YseXqAk5V!<}AnQR-WOG79Vs;}mHM5CXph&j1tF3p6xlAQC4*4|hg
zmO$+inpqZ+*CHbDSgn7DT^$LuF`kKL)_hr!x+@h3sNHNlyE_zPMoR<1wl7{CP@2Iy
zlSPd7<w)<}=2}aGppor=W0aLAw>Q5a=iuBWvrlQHd9#6M1MybPZ~A*M!Nz$YnAfnx
z3O1avX!a>h^+f0KC)>S1Izt|!6+C(2;yJSy1{cqryR@+-*fM+0!p5LQ7CsiU?UNTa
z&8ZJoRa8~XBxQ_;x&SR-9-L88P0%8jv8`)Kz-Bh~aFTxvHv|N4InAGtkNC^<hL!Bj
zv_)#9J}`S?v?HmRr$y7zOyd$`4VT4N#S^RJQlQsV*H^IuiEBhY9m$O(v!bO*ry;h4
zl1FC-Ft1bQy;^{m9aH=5cc8K*VU$fJw7@TkTyxv(8EaArb%Ip&8>)yCJBeKBP+QuH
zrpXfzN4#B^&a@}GGhU24NSlKxBD9p`v@{4GkX&1Krr6gehlk6}ih^~zzF~ID?8Y{W
z{3KbQkmH*PvSUpdGo8+=B$y^oHk9d3MS?w%RJ21lc_-L9HZ7-xV%=YG?1`%!POV91
zf{}2WC1p}AsHC+Ks%J|R*h}vuQX(CfU!1RJX0?RcmQr@@6>TV6JyHtM<eYx07E`EN
zuC}5f5{`w)OQF?eJ?lBG(Sq#}t!B85-B}}U)XP!LtXy40P*fQ*(n1z5@uTHtidG*H
z^76I0Ia*e`G}IIE`5eqR+p0iqeIic1k)c^>Mpa9KZnceFJg@0Mno(tiV$^LqptAX7
z4&b4XI|sDovAnWC6}4zfw68JsrO}@|QnU>9Y?nlmF;ZZUd+8Dk#-0d9R<c3vdsR`V
z>p_%lHnXN~S+q1*%RgJzBqNR4RPO3Pm3U+k%qV0r+{3JSX(jvMZflokG`pHnIX9Y0
zlh45Jd5>!}P+b!p9aQCP>C)@~O^7brK<ibEmtdGydE`n`0K)VkXOMBvgHy*{Vr9bc
zWn<8hittb%-Ov#ZZK|nHB-fCUruBlCTTM$s`n5;a*1}TO%BItd>cYG?RGMLtqx<e6
zw0oTOvN06gUt!WdSPFW~8j!9?do<L|F%YBPURwbx?OB467ZHoF0%(;vtkFghid7N?
zA<0p^#l%RQ#k)&3Xj4_?sojy(nubI-MIamxRy4g`rIOc@<p@A)NW+2tvx1R!^4B!G
zkwaFC^844^GiWpnv*>zSf<Hkr<H7W*Xi}p%qWf8!&=Cu*)NXg{Zf!V3GXlF>tcVo*
zkzA3u*ro{i1gt0Sh4oB~J@PTLYVzfrKw;_{4tbYwVwqzY3#JM>{;DZt*4`NI(#m<(
zV;(Pqm0fH*_qum3!no1t2nxe-1h+EKEKk9<uDVc|Lpq!zm5BN4?i-pk!<^>rAI<;-
zhNre6(M0hqS~m7jlquLjo|gI#IesM>C2~8+mzN2H;!MG+nKi-gB<YQe;H>qX)s&tc
zOLm4DJAEEwwn3O-Ih@7u9BQ15rwm!UJc6v5O|4FnF-P6aeCZjGq+DHzxY$>6vSRFH
zaTw7|<}@qCB4)nO6e(D`wmsStqz>|Si;Py-YtlR4GA}SgMqyJt1BZZeXHuC&x6c>l
z*_A?b!6c1V`kO@D0XZYl_%od79uLWdjT$_qeu+d@xq8o8@qh7!fbo{tsJVP4_X=7)
zCGr(0en5^`G#>1x`CI)KcF%R5%<+z3v&ESZL(fHE?%<HDjABuH$GQnO($A&2`l))v
z76&GjM^2PXu!Q~C1h_|Qb1KpkO?0Q1MoGLBqhQaN`XStzD&#{#@g1keR|C-#(jBKE
zBm#0T)$+S#=ooXVlB-5u&)H;@iHf|1Xgswtt^=JF!;B(`RHp@Mc`6hpABqgJNG-S`
z8KZXjCVCl$>`R9e-8Ao}P-AkbWCUfaL}my*L}Q$q*A}7hKTq4-O`g_?q~kOc673vl
zcRV5~ij`Q_Xk?*So3n#ChYxpBu9nZN=j{oZkIia@{R7eJ+;GfHaZ6+(&|L$}AllZf
z8nB{dodW9mSS0T4`mRV<xGU+!D8FYSVdIvSSnfcptB*xOsg}-YTI%oaaDS*!_YpK`
z&C0K}x4KrfM}0cklNJlq;jJ1r21NL@jE#8ZOmp)}+LDP<2SryoZo69-&Ge+9XU`l&
z(uwDYg8Mbx86hu(I+dLhN1w&n3`j_LsYHDnDJ>cE=^=X$ynE#y8)}Q0nT&sD%Y~N(
z+T;EeXCV{sR7QQzMbz8wp)MAl_0KG+mgeeRZf_cU>mGt)k$3>`z6H+({9Aib2BFyS
zRpE5N2;CV%7^49byr<2wB%6F{esiEwe^gag*RpBK>YYloCX{Apjm=gU4PcrLX@Kfn
znDs3sX24r^q_nvMrC<cnt2k0iQGnzcufh>qw@D4SWvuJQ+(O0H6F1uB6GyLYjXD9w
zjW_d?8S<>G+%i#AQeJL~`bz#arq3LED_19TZ41ech9U1N^7?@sCE6<urB-^I<(OVp
z4`<?$CBL&8aV#=sEAI1jXS5>|OmP+ct&yq26(A=iiF6TrZ^7BNK?<HRNKRH4sRkJX
zE+K1khzL$JTNv7<Oawb+^GMw-YJ;)!#-m`xA)0ij4l;6+B}|V^wF25gbE@>IX&TCO
z*=CP2%yKObb(2A6*zDM#4X_X`Tl`JQPB=2r(4-Wkl}?-XnQOed1VB|F6KiVc_qJ+W
zYaTdUtVNCkfmxk&o|g?`SGiIi@5Y&ajP4o7g=He+I~DDLH|w>c0q-K&%h<h;<i3$f
z(sULUr__Df#kAj*<RFz3RiavZEeV+s_r4t&5gtr%pv)|$)}+=*wvm@3j`I&S%zC#>
zCWbkdNF=4EEGxh3DIqq-J+U{VKpyH@6zPeidLmRVtH#PO7NW+Lp-2z~>2#`B2e-aE
zl}@CbK6gf>Gf*Kev5BTx(xZOq%~a8GK!D6AlX`rbV315Kt>J?mp{U<Am-7MM!Rw!|
z$i^ksWYre)qsv}8#f$CWNSD|p8JAAL4~@aHAHICcX^R4t!C<(zH`EsG2?S=*?-*4!
z$g3dg;EqJ2ZPzbfK6_46Fi@d~3B-sh8}Q7olVu8|wP7gk^C<j%t1CGbrl)UnW4ahm
zIm<OO*>^=!bY3N^Bp6X9?BY?9>Uc7dZuDxQ)}D-^`oywuqnXapf_B!cD8=|Fz)Q>D
zK!6W)#3)QaV?2`Tq7X8lk>LucC1saoR!d@GVs(VJG5pI<_Gwu`WG>7O)wVDlc99r^
zm(jo6`cZG177N-V#_Bl1JxIff(t5pz4)pjvQ&S)5Ij7BB!(2V1wj^AUTe4W3+a0R$
zIJAKRmYbMs42w(g#jwyBbVi6I8<*n=*_gFDL3}JFcZ_K;9j8siB{TJMisQ*2QsSVy
zGgf8b%ZVE2lus~}BuQb}$<_3ZXR>SAzRp#>FSQ$^9Ye>a(!Om76$PtWcZ_BPoo2}v
zgefc;4Af*2aL4@9RA6Z&<Aek#QbMaN)e2sOxE(J#u)}7Yo9Dz2eavJK<q@DWT9~_;
z2eOVtZ4-xcX#av|YX1n}k?IX<izk;Iz?eq^frbPf+=$E}_i7dCn#x1sS6I)8mE-Dr
z47Gm?#aTt0M*8N}Dh=ReT?<zXhM5yTI{(3Hj#UqjS`5}8Z&o;?M#QW(B28!B=olSa
zP;s7gLZ(rUT@KlnA?`HDm{(TuxOdT1F5IJc#_KWyHx1F5w}ubSr8|xH;tt~QQ5jKF
zuiSk>c@;31iseL}FcEeo$u0G=%44>9GNP3psfR}Me5!>>yk)6xB;`8#`Oi2=dwe`4
z&d*+l^5k{7PKDy3v#aJx;A3hCSh$<)j_pz%-Ai((qsfxc5;+s0XkUAT3ZYR+fgh=n
zTkJJzMa;^IwjXpLsu7|wl#RUmPX1*Vsh;V}#I`-dSa+M9g#rw|C*mR=1)n!`_>yCm
z69VM=ySxgwPnmbj!Z~w%JQEVlE>m4on%9HF<V>@auLrYJGh1t)gXpZZbs=e{5vJsG
zi!kn-=$np3Zo({QOmWL{;>-n4f8bQ9t~co{EQP$7fxFYI&+euz?jCPLq~?y%<dG3e
zw@Fs-Fp@#hk!LcX;{>aH#|c=c$$W?`#PM4lqH~DBUJjpo9ZIgEXQdmcl)h@@m|b?e
zA3l0>PMq1N7@m~~M-)__d-(8xnhvRstYLY7!0|=QA^;OE1#_upW)%p%EgXbtk2Uv@
z2(sR2MIB1^j3nK|V#e9AUWln#7|M!)#<B!mqUlhKj+1&tNP3g?S=3O<GM>uG+ONQj
z?o3DR9EwBG4mllTW8W+$kxmZ6xzGD*!*fPpp?b<hCstoY&037Hg)J$q1P7?9WxLk1
zz=qrdwX%SnlSst8TXv#}*=E%6+)W!`j(6ahgd8L2n(cH)NG7|i;JGq&3q#p`T}tw*
zp_xoP<HtAyMlTQ@@Wdt@*G-f^Yj2!2f_tY|rhW2#I3~v0h&e#wzO1Oc@uG7St>nGK
zu|PNFne3d!qgixkCsTt^)Md7Kl`V;8_CLAqtV8fMgQPp^(fQ}r>=}g~OEzJ=s+m;@
zc<fod|5A=<2d#Y4Ue?^1x${JAqdAR9^)ZbgRnKvRWS@|=qK$`ou;r9`oXE;n*$9U_
zLL;5dT<XMCjM;EBkIKqUzYcxQ393N#Qa&cYThzKfZ_gTK9ziia2Y^wW6H+#jQs3hA
zOYC)Z<Sw>Eo^A&No5!+qjIn{%!j&<TlWW;UI_g`6vGCZ_;uB5m)dV}cLSc%*(SfzJ
zdN@2qI)O$R5Tq+CgY3Dbj%aVBUB$|J#D^kslp(8G+3gO0w1T7S!Av4ZCJ%nB7%oRq
zs8k+SXf1qwXD2LMf)M38gJLrrN5Es5h_m}_M26NqJkA`L+bf2c(Fh$x^R_Rmlwwt+
zueA3uH8}xF567;EDM(jZ`o06V(C6BSVdDjtS(v&?fRS^%T%k<D7enzBtLt59pN7C`
zr_{V_qRyl#M(helWNB9l6Q=ZtiHBoFLWiWBEgUulVXt(Y!Po9tn-g1(zf<ADGpA$o
zM`4(@v8yX<Ft}?ZT*WVTWRHP4eycENJI^nSuzJG0Vy98HMz&{a-CGA()6w}d?ssPk
z$dOZUMSG~Z2Mu*jY5Ia<RTLmg(*XOtxEQzF;{<98b@1hER%3{hv**M&HM2$}u`)6o
zbra1+oNcW)YU`3+M;pJP;Y>=97DoofHKSK#c*f&bSrWc}&UPrrQ+2~XTVM^H`X%qc
ztTDZ_Wu2VdZHT19ZughFR)?13|Dp^zo#Q=IP+%v<1hKgCtO4YD(57V8)alAsXKNj@
z5OJN?(a{}CHil7kkg_ey7pxMRJlkDjo3o{}pfa>Fpx4TLyQ`!YS^}>`B^NK@DJP#>
z5d-Iypfg%LjR?%t1Nxq}xNInl2iX@<Cl(TKAc{{TJNP;kh<IEL_H43Yx-$_4)wvu;
zpVd6aX*HVZSO{I@I&GI>nI{wo7d6+!JKOGF7CCS6n8g?wAKCkJ!a-uc`Q62MyVr=B
z0E&)CwKyEY6!RjB0a6VUCd&34NtWf4b?Fdq5_L=^R>P|5J|N4;Z3^fB4QJ+}xfl~x
z#r$Xb4yM2{@vNgVe0|e08)ka7!rLrIP8@o!3N)op@1)n&mh#Ew`UIb>q7yXkA<4`o
za*OFBXFp!&SAQVQ)xijb1$!tgE<33zEZMEEa+gnshdga^=3fV;A9+^qv?UP=W;#i@
z!8UrEO<xC%M^*=E5?h(+^ehAURkS=IMdQJFhuD{LiJca+#KO*L;_S&m&p7oO8>>Uc
zfo~4i`5z%M*I>*yZ8>Ao=Sb8xnFC)KLT+`dQ2|kRJ5Ca`)#LF|W9XzB&!lDpz~f3~
z5;5Ms@T!?iqRz{yGG<(sT%M^T%(~4uP2%BsHmq}di|4T~^V)~b=d3vxth83}3CWr0
zXpoYAIEx80mB?WAw$B+xY_Z6ydCxyXe5RQ`Z(U#3$hTU`b=QNzHrips`y`~f9w*Zi
zw{z>C3^kHB2O4!gWi#iBAUYG07<#`vYRxG%(hNCdX`F#B3PefIrg?`PjyrdeR!h1s
zl5!?5cEWgVz%p&}FPFsvJLcaNOZ2SXJ#u!YJYWCKB9$<2P;rB@)>v}TfNbNVl$7Es
z#<eOTa|=HbN7J%Rf^QIDt;=(Q8E1UGX2b27yOh2o)=g(0n04;7i0PQUGSXC1ACA6e
zts!f#_9K>{P8<~?rxkN7N;?MObhl1Wv?7QW&{#3Nl{oXdsJkoo*eg|9Hjeo9g$%#M
zps|Lm-IgBiAi3to0DRpXsMKQ;@}8EyyWtTvAF~MSNl{;?(kp1LgZs@szS5cAapg6s
z^vZ?!Pb4|=-(&^E0d0NBBfCLvVhSYTY|PGC{X*J#dQ2qXsG7Jf?lTu`jvbafA*es#
z@bk<CfhuaL$6=Eb?#|W(bJzB&@rJ|Y-HQ^#WnR#Mry$CvMFGiE?L6L=_#iU-I@<td
zu)BOx`S=29G>>u|$fNTpJWZtIGOm5onfRI%H{}V<S>cO`<R~hgzs}KDk8e~P?~cXj
zTt={w)+%xg+gUxk=ElPBVXNVCrX=c}ZhG;bw`F>K!3!~t?qz~cGxLP>f-9=3VD#mU
zdXfn}@+msBLHo>ezAldnyDf)f&#9)~04~%X>mM<3kO+x37!IY{+v$*TIHCc-L`}6%
zu)&qRy?h)Yorsf5mRS?*sdW2D9Em1}m_lB0-w`!7pq@UN$&n*I1C@1mDM&=20XpTN
zzFy(@Bs`X^Q3=%2u>)~Hvo2{PJQL5_T@2V4ctO?p{JeH_E#qk_$}zyYKE%rbtf>5D
z2o90uG`X6OIZKOi%op2*zB%yU*fnu!alx+vxOE0Yy3js=Z$S^o&TQhFM>&(>aWPrC
z5`M~KznoP$izQoMSL9v{AEpnQJ80r?)x#W&Ht*MEIRx_gw6rhgM2sZ7;El}a2o}xv
zIa-j6-;u}@p3WW0xo?G<Y!uEg?}^uF@P*WX1mT^9%*vV*+`cyXh}0e@;0jeU-65+`
zk(4=t)}}j#tc&?uCw-JH1(6>(65KzY;%ABr$yIPfN@tbiu$a(#CM13-pQ8}kzML&S
zK5UT<l#2{pJz1?^vT#13;e@Sn7w>_pxwPzFoT{fWl#zE-y_06XciGq)^6NwtS<;ZL
zS(8AcSt2>Z``=s0agY(KR*x}un>bNP$BXrdoO;}uNS$z^>C3FZ%*K`?Jo+3rH>Vw%
zvMj!u#1>o<Nz<n=$hOzl(<|fr`2(-UnN#C(XvjAOuzKY7M>ThcR9bYx>($QGMOU6>
z<jhD{Qr>~%8mJ;+Zu;E!xK(uGVW=Vs;7rhN^~_2uFf;d)CGy!3w+GB~H`YD6(M)!W
z72i0ud?1Q_TXh3X?3-)vZL)Yvp01ZAB!&=AD|A9oCOaM3*hR^T0p7V+44$FJ?*+?y
zUXHb81(%gS2V9)Z%dB>1_2gfCJHwoLWQJ^7e9<AUWsZVr^orb1^+0{y>Fm7ZW`wxi
zveb4$1pfKZE9iW>%VP&F6?S7yZNT#LYC{W7^D3cP#8Z1+yZkff#6t9)pC0-a7wx15
zWk1vBA@Xt|yFKMqP73hT9-4epi-t_3R~q1LQ}zor&?>VN%1dh9+?AEp(o71Qyji`;
zJAAx)lO;w2MOhs!;x&iNC+v@#P$nB6jw$k+GjxKXn--*I*of-VN&l$tWh5%bHTZIN
z6Qv06E)UOGyunC!i_W~z_c`*|9#31Us^qM}vN*pX5NY?UgqqLFonmv>OY$zGdAGx5
zIAD*lRl;!>XEck=*7J9(BB^+U59!jmX7Y!l@=3at{BovBg<t7*VnXN|??mN{SMC+}
ztY4j`gEsVaFM8#O#Db57<xv)zD`cK@`i}>#_aG3n*753cM0Aefms~wLoq#PL*XDOQ
z`6Ch0RE9q0;_>uFsktba7hcLG<)tC+3a+Qui@?jn*}_=OvRmWyi7^?fPF*-TD{(ex
z(x%)=kX$uHTGZ$88RG0%BCFsZPTW{7NRFYCZRVhtiO-{5#`cp(TAQuBR72F2&r#|C
z=eI^(&BjtY&l(x~gnUqknoCPbXGg(%*v21QtL8mNX{33nkf;1SD&cCg^MNdX(>vrC
zM9%o~Nl!eC?2dKro`n#wAb2ek%=d~+z_S6wJ^-Bu<&P)LT})@6sZ;nX4$OgH@T9xQ
z&}BICx%X_~S*g_)U|g91MUGPqY7;Rwak*LMt!A&)a37KY=YKr|`PZt>9zNC5)fRW0
z2XA$;`pKs_veR_#6iH*%chWECv@naqJBt`64lxOO72m0hEQ70;(kBaC>*YM-!%<96
z)Ltw%*V}if-aF4Z%Vw)0y{3!iJG#?b<8tpbzi9awNhPg{c!EA%NpF8l&(Oyb^ohQ;
zSkcx^pX!)S;eZN$lAZgC_BC<hXURR2(iGZg<F_L`5A<GJMJf^tF(G~>V;QSLhHgcM
zhLTkw-d;s2As>XOh;-tspPlWL*E|u^FugU=%dh3*tCzw<H;a^q`F&QHGE#Z;)@qpY
zC8!Acr$WlrGAJZ(RfP5PZ|1wG|Ce|E4m*FU6`$#~YKv`pvgj^1%X}wXpOn`8<~x7S
zo4*xo^0yS*^ki8r0LtYl`wu?r>;M7!<<6fewk0it{8Qv9`;R|=10}t`b7#Voe@(G1
z#Mc1ebiT}YXU+F;6}2q-%r^aX>TLaoi*0(ctYPHej*O!TV>y}pUt=P=PNV<%Pc4}8
zH;=LD$+9+s(0o5$K>7!t#Wj!CH|W<+SN$*B-Ilb=xKebTt2d|qrW|u$Md>?S`OC)I
zlA{bCjvkOF%i{WTJx%=qTWjeD%hd22ME*hK9|ECYey08BBmW%GCCAzFD>+VqGGyc%
z=P~7*{1+3(GU591)i=S$U2c~7uDU*HUCnR4e~<om=N~}+feA{L<VL$L^POsQzk<@-
z`OEgPg}Q7X&D3^;k&Hf@eEMWr*U=Am{tW(ZL*^vSx2qw<on`I52IztFn^O9azYqDh
zhTPPaRqlPXZl`B={+1tVPqh3{IX0L-z=M4L@;CYNU$aT`U$aT`pJ_gXkNl?p@MsPB
z^1oYNFG=r~tKg4SHilg4>O9bor|JJa=zr5q&rc6a^7GRb@t0?w&HW{!-qV$T82N|4
zVE(^QUY4IJe>?JT{}=fwi(K!}zh-PPFoOIe$ZtB<=(nl2(W4J3kGuSlW3>Gv$7qcV
z9rNbP<Tv-v2y^GRDmA}Vsrff^qU$pG%$@&^yF0)6JGjFE&7U*_A3Vxky!hu>%FMi!
z+Ok^l_oAC;Dbic-%~0-rwD|8|bNQ7%+~lwJ;Y`byxsRvcrff;TKgn&1?r#Wz`yPdl
pPep}t1L{A5KhSY7p*Pe2MsCJ_@%YYHe(z<9en{UlcVGVU{}1taru6^-

diff --git a/makerom/Makefile b/makerom/Makefile
index 0ecdb691..fd0832ff 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -31,9 +31,5 @@ rebuild: clean build
 build: $(OBJS)
 	$(CC) -o $(OUTPUT) $(LIBS) $(OBJS)
 
-install: $(OUTPUT)
-	@cp ./$(OUTPUT) -t $(DEVKITARM)/bin/
-	@echo "Installed."
-
 clean:
-	rm -rf $(OUTPUT) $(OBJS)
+	rm -rf $(OUTPUT) $(OBJS)
\ No newline at end of file
diff --git a/makerom/makerom b/makerom/makerom
deleted file mode 100755
index 1a70e1ca349c305182e4a43d3831944a2eec5cc6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 429576
zcmcG13t&{m)&JcjKtSL|M2&*FYSd6)iBe58=q@C3R~L;%l!^+9q+mfP>_RFEi@OWC
zEURe+<?~UgR_m+Q&j)Yv03nF4fK^efM0{{BD-cB?fSCX9cjoS9gT(rM|NlR&+?g{o
zXU?2CbIzGFbMMY9^IwtSa%suG4DB+FxkWyYfYiU5RyDh`<oS<BE7H2+-;=dI8ljy8
z#uAo!+C5tw)X8VIlxkWgo>};>C_@2?GCYz<KKm-LmV72D<dgli{dt_Edj9QGRhoQi
znp?`*j<ja)QsvpZ#t1z5Y#~ATTX?2=CfkubwsSk}+)lgXv(X_e`Am+FW8;6<Ipe!7
z!-E|29zL{E`M2%Ky8J8uGH^T7Zw*m&zBQyw;K}EA$4FL7K9lXPMLW{@OaF45iobFC
z>yR(b_>%MIWVQ3hkGt)n{^yUs{oL{6?hIC*TUm6`xfk_6Z_32;E|75(KkE*@dYJT-
z;v;gTxi|hJ%UOQkwV_P2&-;@f9awhsEq{3Z-4*%Y?PC2)@gH%>xR`L|WDr(@|N5OY
zuW#|Uv7~qa(*AEP>i237lH85>_ek)49l(cl06(t-_)#6eZ|eX)t^+#X@1Xu`9n?2E
zfPdBjo^Bn~&*%XDXa{(1?4bT_9l%fN0ME(}>R;4B{b?P*|J4Ef$qwL`bkJ|V4&aw{
zfM;z7@FzRKlixx8B^|&EJHWG`gZhtlQ2*8r;DbBBvjO$pC_DUbeg}A>sCcCH^>GLA
zc^$y1HI9TQ(m}t?9n}Bt4&ZNg03X`{{OS(+o!0?;Vh3=m1N_H#04EQQ#0PH&_$PHx
z|G5s}{W^g6?g0NEJAl^!&(Ycmn)dA&q+n;|Urjp=^$B+$2G?LeM$=qeq)iD-9zE%g
z+L+350d2~p$>Z(}RA?i8*NmJL42;&MOuqHb+gat#(Gw=|IeGNh$=c}g6Q_*1ecWWN
zA~0tBcvTD(fpHVYXlyq2*2&t0-?PHxF}IE%KM{BWlWz}B(ngNFb;^`6lLI3wZXGA>
z0u#q;fyu!;N8cJ4qm5409Y5wyZNiudQ^tU#z-0VitC%uo%<l<Pblg5M7|<$&L@Akg
zQGdx!kt(32LTF^`z{KEqZ9)q5=v$|ZA&!ZY#@tB?M~<wV61X*h_9I7*4*YS_n31=Q
zR21JnX7Xe;wp)b^A{wv#ZcJeGwA;0cX_Lo+<O&S%c5U3~iFZyNnd*@&s&F_dMP$S6
z=nS2xs_Z=3Gbx@haVl^TiYlO)1dbfZIT{J#z^@6nj=NK<06`N$(wz=&bUp^vem7y_
zoldop+F-wL;GmHgoOfX=RoFk3yx_cFLoPD@pZrhZ$@~SlvYa{;Nf*2hh@_VEe~uY9
zt_MAmj{qcW{+}L%yOF7V?&O0fj_b;vcCiuuns+PtrcaXYe6*y&^Q5Npk0bY;kfraE
z{7bF}!s*W>|8koZ{w@GGT}qKV4eq#<0?$u_J1(ri3)0|8ACUz`X>j(P{PU#2)BQ*z
z4NjVpf8}ZL<XUIh@H99Wm--u(2Je=FYTDQ|IDMz&-=s8n_aqR{$}~78F7+2mgZE59
zv2RI(>uK=nG<Z@LSiCR|eso&>MQQMKef&%s+;PpN)k|q``nt)#rD^bElR!M{(%{FX
z!Plq3X(N(<jcM@QBoNQdX>e%c)L&B?{KOPg)2uXjpEP)L8vLX*cuN}m<TSYUO`F`(
z$4mZYr@`GxAf7pC@Ke*^xoPmz(%|ki_~~iz{51F(Y4CzH_?c<&qBQtfX>d;(JU<O?
zq`_$`lYixD@Lwf?cn(j4pPdFDl?Fd24L&vver_6kQW~6ljpSct8vOhu5YJE=ydVu;
zl?E?NgIA})FGzzgOoLyT249p0@1F*LCJj#Ap8R_$4Nf0E`L{F;esL0rXI&b+C=I?o
z4PKlEZ%l(<k_I=zUuPS!PA6?WLo=dvfsEEhBm8>ynpBO}U-v>$>lwZAuYQULDdxwr
z+-_>c-x=MQr|PvEC7;1ORjyqp`2(LKPgQHbB>8Wdr;4=~Nqz_ORIPTk<hL<Tm1>71
z|1tAarS>GrZ(^P*)E*`I4a`$@+U1g8%{*16?UDR)=BX;}0?EJ3JXNIami%+fQ#IN-
zl7E7Eszh6p{KL#s723@|0&vEknWqZ0n<PJ%d8$6UQS$dPPnBoaN&YV8sp{;PBtMyX
zsyKU*<nLgfs?DyJ{B6urrP(3L-^e^wnLSDJzhRy#%pN8AE19S2vdbkuka?;s+avi)
zn5U|;3nYI5^EAb_Tk^kRo+``Ek^E`QQ&riT<WFRtD#~s?#PRoH-pzcI<hwCXm1H+c
zK7)CxBD+rV2mXybRgnFX<iBN}Cf{Bp`5nwt71`C2-^M&ukR6iz$IMgp*pno`iFv9V
zdz9oiFi%xumrH&%^HedmNAk;=r)seaB>yt=R4KMw^3O3(RbuBz{t4!(LTpX)4>M2I
zVK@IE^Upk0hTSCjxy(~l*o~6EmwBoPyH4_VF;CTCza;s|%u^-UizI&s^Hc?Pwd8MO
zo+`i&N&ZIWx%BNx$k#?58>Dg3THhiUez(=S3q*Nu@LumTfAkLXUgtC49yW9t*N<WD
zG2%;_kn)?m(InT156m7Cf0~dzPZ?%b9soH$^TWcOhFO}I?F-jDgCZ?>Yz>#Q-`r>Q
zoSCUb>-5MT<YN~`_xfV97a|!r%X{hKW+Y~w?2A3fMDhE&e@Aq$9*HpXfqvh5JQH_?
zirm3}`(lFE*E+iiz~#h^G+P<1@A^zBoSPka<Bu15t2QjB=J1BMHF-k^>H?<{LfrvK
zGayX?J^Wcq;il03W_|u@qkdb4;c7IZtv*xe(xblxGwcEQCsfomIM|4l=9POJIunC0
zKEv&6xT0udS(%1s_WHqPny|@le&sW-@UZT1Bn&1-AyK~PslqyY0O*;U6FSf%P#ikY
zEzm!7V0Ey2sL~bHqlYk(#Oa{}+w|zSNCFtrqn4yHo(XgdRc1V^M>iwyFxE9S#}^x%
zV}$EE`HBZ;PdhJhObtg%Mn82A86Di3m}kU#=NYj;Ubf$CwJzJ4A^e|$5jngUVuGdU
zty}Oi!51%g`OF(~)@j{*4Z>F7M4!Tu3_P2V%>c(O0l&yO&alrTofuUoj4F8P&){hl
zJkI1Lv9#VtEVhk*$dD@(Lm0F88B9rvlpGv}>Mw!{tX#l^urh{}XKrOi{D$G71FmT^
zeX$#IjQEup>@|2Ac-}{0oU2u3r1uJmBv{o{HF{Mk&O4myphkPT(pafR>j=wk$jhFm
z?02#HqI-jV&9l9++2vqn@!FYLt#xK*_)=|V=Y~u`w59w9<}`Q2&EA{5H+ygKj$Fef
zI&7%<y<r~2k{lkcm0e3fH)3HL(QxHvE!aCTGW<@fb##eZd_D+CVr#ha6D<IVHY_7n
z-fYCDyN#Hq#fZPsgiabVDdI-MprT74-gstT&!>5n$1sN)jy4!nURVdp51<==EXHR3
zSeVODmSlrxGm@GSdxcZm5WbGY<If*^Km;f5bs1*32@qf0!=x<W_!X^4vIPbpv%!U2
z=&5>F7IJudlPA<#7jP3m62se@0XX6^_QkKw04|w3^8wXSIUo<Hj;{X^Np>_hTj>2?
zbu%P>Yvz#n@Jwor@UBd!JHh8SpJbnY^AYLK6gG%j!f4)6qxlM>`B6smjvCEZ7|oAI
z9L+LXc*ET8bWvF6Gr!#PJeZUNz8b}0Hy-9Wd4AKM=k}Y|<>mXKf(!iS?RiDadi>^1
zc}Cz&G+<4^<~Mg4@$z!RY*2z_KER?qPbJPa;xR!R7YJk`mz~5{WaDAoxPv+*_?nVQ
zh~sc2j%(74#;~ErtgrLgC^jc4hJmX^<e(3eA~#b+&KF-yMl}p>QZhF<SIOL9i!w)B
za*f+CZ^(C~Zg2r)?ui^UPy$wqq~>jyP5HwAH8YTxYc!PRO+p%yTbfs?5|O+R6ZkV4
zB6-y+DQQXw{|H|sDV2UHExj}?UFW2MTXqtbu|0#%u3@gG-J7IGreK8`rs~m%dvXf5
z80Lq|ve1qdD$UJ%o)@yMo@p%=QF?SB8ry}$5L2K~Q8&j99B}LN>p};*!d7){)EC!v
zwe;w_!sSRFsSOordgNmGu10LW4AF?q%j570>x}rLc_F0y@p*Y1j6WX9tHaaiw-K}%
z=6o6Yp684>Mqr>4@%haIhWRN3#EODY8tw<BxA{^^<U|GJDI`R>=Q$rJXSZ{;61PX6
zzqSMv*L7V>+?5`EvA74&pz~FwjFKLDbYnJc%*s5jNS8kQbvWD{{~}~*;EZC0QI(|d
z(~#=XEvQWU1uW^!pq-QBqAd$646tC4ye6Q{@L|52k>H=NHIirX8Gb=X$bd3+D~W^o
z#)=xBSMG;sjp76j=Q@lB@?g=8`24&^v@_y<vMrG3_nX_TReM`ou`t}^*idW*ych|4
zDu%@9(Z{fPXd6LflOBly623bx7qiy|KC;Y#KjzQNHsY`5h0u_*wFpm6Of~bIm<DV2
zmoh8S9%wYg{0g24rU!l`b|Vx&)xwk0CVYwoZSr^D7j2TOL@2PFE$e`Wf}3pVtkEIy
znkJT@1}C0)jQHJo1;VHyu@_kgw}Olu5__5>rdQ~Tm$~*l1(!;SAp<U7Y%#?HAl5+(
z&N@tRt0*GaVdm!^7uiJ3|KU=s1t|KI=KpYMd(FSCr4Wk(4qTm4-vkG)*@(X3IB<dE
z9NVlf{#Cr}{bvpZ`r2;;TgoB5C!lQNKQIG{_Z&(Jw|GK_&ej*KY4cJ@=e{jQd{S%p
zO_xLEVxh8|V>k|{^4-Izgqv9>Zl*&e+|0d6Dsz1?aV+%3{o-YfC0(bUT)5L_q(4RH
z`%@I1ok-_KkXH~mA-uD|rXwv)^f_gy&w}73Ml37u2wv(C^G=VNDYK%SE~|EB86@dP
zI;qg9&tdI23~<Jc4v>;*#K8ZbkNR|H)N@_&^7ljA4(ZVdMpL+@gsk7U1&mG{pJKqj
zCMyPHfy%_X_7kHhQ(o2Fqm|Trpys2^!hWFUBV}O^mzwp?WF)c*cNT6r!rtXK4h8o@
zzosZJaR(>0XIe)bbLjdXOY{0RISE$TcfxTm=^B_<a(Z9_`V}QBN-#16(+}TUk2Zmc
z_T?%U*aCN2kFpwF>cCrAd6Zg*f8wYl32uGIXDX3~%T;-bY=lx0Iw-xf;8Th4;T~Dz
z;T~D-VH>N&i>bNH{sZSS_=0_LHfi1#JY6~HBe~D2%y>qRoT^gT?_7nH-3$LfPew0e
zrW4DsNyz4if~O>IAco$=5bVX)0qh<!o(*<RTo&0B_{D2sp)Y+c`~~r$Bks|7oaXG&
zjwg#{W6?uWZF{ss<gnWO${ww4nu6Ctq^ZuhM{`Y5B3+2i5+4Cox8Mb^b!}U$^euzh
zZK-XkFYIi(=5t=L>FUR=WL_InW+sj&Q!0filZ7drg(($n3&%oRHUH_|D9!8m-2Zbg
z)mcN)oiq#OqHLgG_B<8n?d)pe*L9*F;oAX&dJgpzEo%XdEnU@7%HsZK6T8p4ad(@E
zZSIufcY3hluXif`ZbY#G1IkrUxYG~HD&Y+Gr6tFvxEY4iXTEL^ZvjHs=@4ouj|0xi
z)V?W@<4v%5o#wV5riq6wgVA?Pv@*$`{9C-^_4Ww#TGCCAoV5=t7Hg2wAG!<s{K&C@
zq|l0Q!=5fqcL^#>>A|rtZaWQgo|EP#Re5yWrP>z&rxCj@FNf@&1Xs<vS#|%4{RzCy
zs*T~#nnL^Qg8hCGwx#HfO`1ddn}XOW{AU6ZH-)#g(DX*BRDMZ|)VR~wnREoz4%-<X
zw%Gr_>eAP10=;~S|Is>6d_Fxo?)%nOM@wzDZW}M+6TJ>VI}Vqlgo^4e24yaTzZJTR
zipqyVq@bvN1(<yavXMGHdJ;3|5}R7=+pXRXwzG)sa$uuGRtwjzQ-0neX5iF4yhS;6
z$Ft_KsF@0@VC$50>e{=uhdHto^z=b;sr#Hk+NT38HN{XU2LzpZBl}Cxro87g=C#B7
z=6A%4fXiwoL@zEyYVPoi_)x}M^f}KWOBs=YI%2KT?Zx^?<oukBC>(7Z>8S4E{(h6D
z*wk(qSs*e7?cg_?hM3>^%yr>|t$IWzimP3;2lr6q@!?*%5g(hQJafa`W&P%3wPmW1
zVXMh*eKYBo2R%R8i8-4tS<8ZEm(|n3ahikUCG^_npFb*FkHR_?8{me-Ft;)&z)0-M
zJnq&-p+Y<w(ePN3Y`!2e?>GOJ$L%tawGe3xgTr<vrj!}Mn+3d532DD|g>|w+G0azG
z@xa>-*JYs^xo17N8T*LXO0_LScjONL4&PFfkNmU7paEP8Mj3p?vl(~LBM+beFlL-+
z$ET~1#!8VOh0lDDMetPrMqmsYuW+Z;*Xdbi=*YW$j0_Dl>zfb%heXz)LE;i${5~Nw
zF5P1%lnW|+@frz+4EczYY_7$&9d3!U0mCd<-*IO(>vhIJOe;NJCz1756}Cf=gv@8i
z!g?}GS*sIq)Z%TJlMI(hoPc2rH^;z4elk&zOn8zBBbg{qCPpO_W0MKt1?MG12>zI^
zQb|cyJ8A0=AGB=_(Z3#f56X;Iv*4#Ojr_Jf<t6Q!d0-pR%zg;}gbtjgM}Gu*s0XCJ
zW9N`Nn162YF*1GjKv+!$69aKwUcox;EF-q6N$S4VERXmzc=%)D)*A7_u#ZtGk6*#0
z)QNi$M-;2%otq>31Ne_sE@1b&>Wr|B{e1)eTZed{LSw2fOx1-cU5I<ckey!Dg><<Z
zleNRENCM&%H{xK=P?Ru`?$&4D0>dj#_edtFV<Y2GNp0_=`(YUL#Tzd5=k?Vi*S5hI
zW6K^oaFZVW2NHA3T@u%51O`KOm7&i*N?7xnj5M}@{ev%DXhy3uW*NSe#|I{dKUY_y
z#~8jKI#+{XN~^hD7<S14($GwXPC65PYt$mb_+auT(+KZCNK^ILAbp?^5}-O)jPvs1
zC@6W2l<12)V;V6s>Kcb~EbKoZ1VY6*)(;&8BPJYI?21f886#Se3Q6?PBhzs<%8g89
zvLxU-`I!(-jzp>~`h_030^v}~iARECPamUlqe2XToz5J3D)1vHgFeMc^CNTv65NLQ
zv9<JH%EA_*qR-szZRo-=*i9rF;$5B|`5?e(6YiU_2HHY>qXKJK4j-^BR6@Ymwg%^<
zHHhSe&`;ogYFDnZ_RZ8PWXmD3zc-=S7yBn=*%!N?y!Ex-&p96w`zNQ!hf%>7oYRD~
zf%poNtULE;N7flQ`JZorDWonVep6mP@QG-_JBLX-MCUyFggOkZZ}|4Sz6ZldoaIb#
z=G5bmV(-b75a?rngj@~e4Gi6F<&LIm3w~tJz^rlJ&kY`j`8-#TzKj~!m>|WmB~A(*
zI1lkL0lJW)ML;o9CQ@_DGqJ*^^)i-eIL;NZ)1TZprAy*8thd1J&NeVB6dW0<?DR|k
zr)r&^4Gv9YMK%S8V4D3gjKPRuK$vj2RXDX9TvUJ%h%Y|VJ;a=7AfH_>`6W##9%BB^
z<1;6!T@0*FJ)|X6nH3GZ0x1g){-qczJH|MXg6gP}X~&AINOsw`Doap~Vy>71Uu|;0
zcJ)CV-04q#sNdV0K~MTynM{bkwGf5&Himy4N%xz3t*bUFVSoAn3J>*yajDuUu@Nse
z2VU$B^oWfjLdg_BaWJ~S3ECb|xcBL?HM<tD!%i>s$QKTf&BH3bqDS6k>-I;h_6opc
zWuFB?>4WN+T=<|K%%y#dz%U+eY5<3uP2(A=%!Hf0mn|zZ;b!+{-R;QMusgDA`6%V5
zHvwq(l>x4I2H1oFwqSsrf!kZP-WgyM2H1iDHlqPaObg4|p8!_UBT!P(El^a#li8Vc
zlDW@L<d<wy%1)2=AgwdG6Uda5Z2f0)7qAEIp*EFiakS}AG^ngmM~%)s9`UMkoheb<
zwZO^FT&S%Wj;Pzug5hd$?2w|zp21EJGo%buBsHzaRWeeKJPHdu?e>xaC`gn|JEz30
zM-DL61L66|jpXYi7-z|8dgKRWO3u<FJ!rXS6IiZCR<M1q62Bh#BT^+->k&7ei91S$
z>5;93+@wdoN5jPMk~^I~&Mdi2k8DT#Y28Y0)g!NyjhB>+fkk8o6?)`+*3T~q27V9B
zll4du;Q>AJ7Hj5|Ow}WF5=tudNDw`AwB*by+ArdT9WS{bU_iVpshHFeOWHy??H#pH
z)^YFlFVqv3mKA;h{}X<NxFVW;5ELGvpo_ij$OYN<8%HkaYQJ>kf^POhM=m(Zo^j-Y
z?)I1?7xb|GM=t1NUwGsKw|(M~3r@57lG+hQewHmR1I4dBuWqv61)Go1Vzt21xEi&e
z`h_(YC1xA};kLsOh7Jcjlepr4)$Z9uPwz@do|fqBU70OJI<9D(1`loz?Up|l7h{?3
zit=<j>6RsZF>jlB#?_Qfj*@D-nzG4JP^qga?bp5EwcZHVJD%&VpLni{B2y?zd9MGv
zqw^urFB}b{M{*D#@E3nIxrgIz7S<KMkvI>R7N~nK8zGkc3;S<yTkD&$pjbQMfbWB8
zlfyeMHd^aljlSZy0y8~x`|F;nZ%gA>)P}ch4e!9sn@&?3<JULB^P7sm`;l$);mdky
z$IJQ*bPw#0m&UJrHa@wLWR#j4^uZt4)37azS8MsLt+NiaBG5Xu3vTn|Xj411--q|w
z)N!x>#9<7>Zw29&nMQmvW*o+P>K_NNA9LNbqw05c4)5}KsxC-ei%y{h0qGvzh06;U
zB=YKa^$PFGL6Vnqu%o(O=@@f${f_S8ZI_2vhpLYIX;J64BKF&KdAKf=>bfeU5OzR3
zad`4gkW6K1oc%$oY-;3K4dU0>&PMWPRAW2)_*1jf+Q755;{A?j1n1k|eS5g!nR<TG
z=;TB;RbDFGQ6Wq}2WeoCvQ{K~$xAKiuF9hI)WE@2_VsXSQo+m9ejdrg7-lMJdCJe$
zO$<qfE9p-DY}NJ(#E30W3!Jf7MZd%+Wh?9$hyRN@YOa#oI5kc7!f%}DA=lXlHz*(H
zTgC*7;NihRdM1EF5BeN`Ma@Ju&qp3Y3QE|XfO(NPCfh#jw7m;J`v)j7ZlIzIMVmYO
z5a)os3S61`>+}g6!gyUZndQXmRJ#2%iYbY!&5eQcaH7FUDGrYtthd+6ls<2V(Q#@@
z^M46i?hR5Cd&Vzlk@#(LdjCoa{xjtaG^zoq;Gv{DnCkxzHIF#$XK`NIm544koW=XU
zKACYAt=$0D$hP6NX1dh$VV{>2qS?`p;Zr9!B)DmTsv;{timc4f3jx4OADrOyOCRJL
zZjQhOC{KoR41M<FQaiQRN3h|afS^kR8<O_E+zB5z9#%Q-X&7N?0y8HXEW=2PJU9+@
z_#e*z6KY5lM$@Cu;xH&B@6TPQ*2;VU?e4g^n%Y=ZJ0)lF81dUq7z}pN9=XZkH@~I0
zp8UG<0ZUn<5j9e=_mkA{(g|%9LhaW$Dr{!*F*NKI*2%CXil8(@`k-vGPS{WGDE2Qv
zs_j~$J|`*&u45R2>c-DRy9L*tl8*Hb+Bp<-P$wm37Q0O6vsemecd-EeFuR<ToZGQe
zaWvC5ufdAM$z<dxGIEl0Gv)o&vhF{$WAL>(=RuFc;gB?mGo9As;gjBertPCaLux7p
z{46FlD{V_i#^&hM4Y+{KsWQ}5^}#IvEUqL~?HT1DyGM{=!}>20Co5?KQt4B<Tv&G<
z14L>nk@(3}0;Z;EQU}u{y#Eh%(pY&!VtJKZtVN_RQuflXe`2_gAtwrwv>@#2PV|>3
zTGB#Wu6k!qm%t;Y^&Dm3j?&mRO@M(?4dAvR3yk!F@;%SlZ|#I9nT*RBjLVht+7uR`
zipw!tagy|*N5(h=;*{iwF+9{|psn2cx=vPXq`x%ipzAhbdDo4X)r3_05>Vts3YAvl
ziH@=e^YTJm6v>cb)amB!1R3|ARH6MDsA=cc`eJjMfX@ly`FYzoCK0<K=KU=2;|{Di
zYeSqs9xp%r55oeu;kO8=;H1g%i4(%ZP0`pxvIx}K5F+_JJ1OwvAbB&Z<LX}%o_^;n
z2d4pxkUbXv8T}9}j>y?)>h#As;{gT_&yea+jb}>hSsl+tJmqL80}YoVV@-$pWrw49
zc3}VlO@oO`COk}7*Gr|9c_Cz2JQhz$OiCt3F=3sDdSIM7Hk!lZAU*Od3IJm!d29qJ
z#!;BM*6K4KVi5v(b*M;6+}8G0iYCvI&r{r}s9CF>N~3;`@W-Ume<nPLdWCffk1u||
zI!qFxeDNi@pv@PrmBS>hma+`7&c<;vbdwX9=5f+f8!|Mk&ukniwSc&^1Eq@d^iv`v
z7_U>6BDf*1Y<!0+;fHEQW#wqKz>kBdud}gct%+|zdU+`k)L^<0yl${!Pom&Vgy8T_
zhxsw~b=Gg6(MZPH%AxG}_rqN(R~A}fWoDzB=)Zt6yrK>n7jKZSSc;Uj2Pk;-%?~#i
zu?Gk<Vgm*|e}-1G^s_;lbqxB}PeHF+t$cKefsmx++1MIfOy>5(h!t7S3ML1jM|hQq
z;7tJg%(V`@=Ffa@1>h}jVobajy$-iHtes#aa#k6>ui-0Rt49_|>mIK?cZRn74A3oZ
zLTxoE`YR~nZOwigpb>AUEdXu)zG}F7)fH$N8{`hRWa^O*IO3KpJ%U}F7PegB7My1n
ziustHTa*1Muni?0(K-;JM`lT<D;k9dudL_8tS{VTO~eq`<B~V%fQWHW%-f4W*5m*;
zW&~rjW?#x-gjLH1>jvUhd<K+gW%$-sP!2c&=vVr{rEaUz>870B6bqHG*aQCiS<J;K
zjJ&YUigL_+|BGW@Sf?gjH*XP|ddxx1<tKq0#jVrHttp_v=EVoLxaf{#i*r<qVeMOZ
z*}}^f-BtOoS$=8?V-w3yW%<{zqIjLiZ$8h#S`$E*-~7xOW#J~?QHPK|4gQdEGuETY
z?-a^y&j2OgYg0sa2g>l<t=5|y*<XOwhz-rfs8^s`P4+g9dKFAxt2Gx~2~T&sQ1&>=
zmS&^j@+|yQQ-E5AUe*Zyj3Mjz{#W5npSkfC!`x<szi2MM&eu>kiGtTqugRmK{0h9o
zc<h-^pP_vx>u+fnyl_6uIG5jHFv2Z84fD&XeW(cKb;zS{u4O@MQ$=#o-n@oyLAEX8
z8kP?;X6+IL^*`bO?n}dLHtMa*4c9tj<Bx%3Q`nA5V#B(+c@0ov{f7o@{5#}4c=Rwd
zw0K?c=5?KF0CMe-o@#UP0VN}Rxfbk{cmVBE$i88N*2bIdyU?bM9%J-g+|J4d3Hm=9
zjL|LD*_Z;zd7u+6IA^c1R)SF#)ot}vFKv16_1<AV^LxCcA|gA~YkuH0-?Gk7SoBC7
zoGFAYUn6fsaIWuS5oGM!25^6qVXkHIR%<lC-r`;Q{q&c;#b4|5<{=TkCsR58qg$;%
zp@FQxb%BZg(cs!gQsl?n0quqBV3Lbp4-ORhMJC+RYOV>KHo|L8fNV88uhgumU4V(T
zzFdn6co}X2daYeg$a{c*jGG8pLcnUL%9VgvuMzw-!OuJ33jqOt`BH@0OsyQQ>xtJQ
z)N49)Ks@HRh!^FDS9gJre~#{3UEh)!zq|8Msqxf<NYU13V-w>u!F?Q&`{Ordf<2{p
z$-&(0FW%xeKb~@;zBpT7%)5gwoISXVVqC_Y)LM0=Yw}lg>hPXk_e`VsO+EY!b~FIs
z-4JmA4)E#rnVZWB_rmB>|9}&CPXw+Ddg$$K+*N9RuSfbqQG4~pU3}*I@pDk4Zg~dk
z8vQmK10<nevpU?8;Wbz5v%iK8_bx+yO<riJs5U?Jo47k-?Axm3(<uH%k1T<HEJp2r
z;#sOM?t58j(aDHoASXju2mRVB_`Wy1|7d;otAwt0d5bqqc?HJ%oM@{a#fc9Ns`h7i
ztIh{CdQ?MRUkp1s%;f_HZ&ewzXQOep_&T^;Q3{_lrxZSEZ$H@BZ!1<(nQNob??->}
zJNNWN{4F2D&FS|e=A*Z-c)fma2G)Q#^rMSMpSTTV_~|wTdg+UYX<&+L6U&0%R}Ir(
zj}{s*2$%_2&nbN|4dB$J1}OH0699kgsk#eiPg7izzwo<SusiY<H%#e+YWm_L)?#C$
zcr|Nb(p;0j1T{I)y@At9aZ=g4G!w^_oUwR$mN#CO8E*O^T$c^jh5tbd&N<yjs|iuS
z^+OC@UpxutPe5B-@2Q&H8cZ1dKJvx0@Rnm{;22g|=V?Xt)&715!rL-~xTjg3#gG7S
zoQ;4Y#l>UhU}+Ecn=R>HMp9pSi|h69cxYg+`7f_oZ{LcfKYoV`aUQ(+>8%NYbM{A2
zoMiVoWzjeE2tVafgL65}=W6z&`D|VpfK=2fDf-ly^`j$3`@%m$jK0%n|ArI1f@0)d
zhGd$4EHgJypjv(VKE|ANul5%2*Js1tff*32i;)<pFU~rys54wBWWo*LFyyIK<muqi
z7+-gN_MH^yaJ{Rn_^l}~;%d84;_KH8%tpV%=rQ*}PEns1Rg2VNfTGE39>V%QB0W!%
zpQMMu$rL?Qb?xc-!J%gvC{^^>Q(yE!BE)O+h7V?x>ZMz~;U6;mkcJ`&Wav?P7hcyI
zZ}A>oZWgPVC^gsnTy@^K_YmXo@$2#qh2O?XIKO^JcGpI%3@ny1&5KRfAtYS(C$NRy
z;vdM5Qhng|M95ow(8+9-7ty)C0`5}tol<j~;Fh_YQ;PWxTbbw+-6S4TE6|<^Y*=}{
z0A7k{QmZ|k3#jUR<gq~QQS2;!Pn&A{s@_r6aF%#+9qY4qVO?|+mssyiZ&mLs$|~-X
z^q#iM+yTkV!7A)+ZtnMSynlvSkFwHY3k$9P#ons^-Ge*$ZtKgnxVh)l#Bzm_yFIVK
z+-#T|adD^LyS{kuEOURqkDkdi-_av)U@n%znT07_?c%b)^)1x&_xlVhCAh<Efb?P+
ztj-={Zg<t2SGJhnV2K{=hvX0TMj1{Z&t(U}4bB&*N~XxWl7b%mtOjTIkYEf=y+;2F
zgpB6QyMoQ-#dS=E($j@Ile(EY*=VQ(Yg_FY4xX_@?Mp#REe9f_vCB|q<*#m|Dqx7z
z*l%J<{zoFF9<LUit)sS#OXx|gWLoezLt^Yh>2sR2J?8t%(60t-EpLV6Wn(J~*Que(
z@CMU$dENP{pvPs}w8IG&09Jg=)MHGjB)-kMrp;d<ps)@g{ge<!rP2S0mtNdzKyCKL
zdeavl4{L|pTaM;zsJf=Ls@yesI~@=BKW0m~NsqQxb_uuU=>CQ^hx;SuH{RuBSNN+g
z^>(Ir8I7K|-?!n<baTD8-y8cjC(aZ+#^^U77L*PeD81C&=zZ_=vaXv;s|I4-)CbOj
z6n>`jD*Jj=MV%}isNZV=*mnJqWr>ya?0(XJb6fvb=1_Lsq?aNdP#PbegYgO4a0_T}
zhqtNJd;>VKD095JpQKS=pl4F(5cu9fZ<4+>!6hRUKbGkjU|HcCN&QViNo~(EeeoNm
zuDVj!dat>rDhqK}+vTlKfVKNu%gm30ACyJ5_~XCP{kTgO7=X!+01?$-BXmOBd|@(h
z;P)fVn7P5V-}P<1osIeM71x>X1h+-r2)?ribI?|QsiLPYi4U}N?}Gn2Ly?xc>dOl2
zy!|$Ki{H4Xhj-R$jharvBBfQm5$}bmgx3~)vn*0)#P8ArmsV68W=pBLZW(UUX^CUO
zKTy9;YYkWcvOWf-FV684eLMLpaC(1hRZbwQaBt!Z5+(CoSf}KeWL(g_b5(bA!+CGX
z34RT_t0~{_L&Qb;A>KvU3Ro9o*%x96kT>Y7tP6T)R$Z3`b>TEjQ0U!^9p%(C(I=dS
z`c5cmM@>JFY6Y=?AnHZ!WS{b)FKLZu&4h04l!ep9HPu6n*u`)f#UNP!Tq$bPFb8F0
z7<D7CYwoe-5p09_c@4D<YG!{8t6E!^Qca9l1IOEEe#b%7ypBphW$ix)o6FdOI%eb3
z{RUQHY{7ad9EuB43mR1tTgC;ORTBHC1x+gHM$%GAoZ>8KR!KMx(H11>uMaBH7e_gB
zRf8ZIWy7lmK~b0ewrbEoBNi;OF75BqVy`jYfzGePrubu=AH`nlt^ha6X@|8=V2qTY
z(k%-1GGM^W3qW`kd7<=HHK-!?S{5MIe3mYGEkl*^YnecOjRLw|*nr1Z@RI-lUIL&I
zf8cM(VM|HVtJUChx|&sgoJ$)~Sci>3n!F1CexQ=85ii5sYMAd^i_hl%d~4w*+;MYh
z*6~CsAHEqf+=vg&y2Is<m6Zd#7cc!{XHU*sn@(_PH~yAB)ta>Zl8V=SKWwPbfa!tB
zBr0oYvWvpK)*Rf40wXfK`jYQ3f=XnOe4SnKQylUB9vOyF|5cWC@L1CFdN!3PzY+j3
zPv2iwglotS#La3z6npo_pU!o;wP8cCO+)|c$~7oZ>%tp*^&h#ezB030ec{*L)~{6W
zuTD7Gl}oC!K+#wDJSHf5bwXd)iG+0qY!hI<*sD9;t{j50X&u%SSeK%?4+fygw2bgt
z9B>S6V%9>!Vxk#|W+rgSX=n?OE+D;ddGG%N1iIbG3hUNXbAQP%Am~dF0c4!zpfRh#
z<ML?nEKhP38D<yjRoF=ewE{gym{xMH2Yum>J!zme-kli|e<6=+&c`Plz9I2f^El<;
zu*Ew;`Vzbi&mIu0*k#cV!YzLZneDS4bg&1XK-9sFAR6EAs>d2n>rC-;D0j05tzdym
zi&ts*B2ajLr)ig{GrstsyN&m@?OmN0bkl2zhuMAjvtGfYjah3vAjvS-hqrY_h++-3
zdk7PVsKy9rsW$y8vhxr*g*|#Nqtok<Y%;B_exkX3{RV&GUb_?MQFbrfaHD7vdlN2a
zLBGywkae@yzBied#kJR-tn!c)42inVS_Fvnbr?OWytn1~+4AEo_s^E+TBD9s9v_^O
zzMiO}(I31g4~gn*n0OfiIfHv<Xg3}@AO+<n?{RZ?jMON?pxO|5W-8xWfbW@LC`I8W
z7dV%;|9~bq2>ju%)n18xAUN{B>f=xB1C{~=L8+{>j_xIW7GOeCG2Ln-HaJ^fvbSsR
zmp}*X4eik(PI85LG2lkL?`sqT1~m$oP$bJ>!CwbSpN_a0?v~vh2g>c|`)iE-zG`W6
zfQo81#1M4IheI5F#r?E(no=aW?Z=O<)7!Ui2<u%VZNGw+1{t|)s_j0nwzj6p1J)`A
z0IPNdXxwAOuFt{hjCqi`AsgP*g26dP!)#gyElX3u>l&u4S6>s6MqrRuL66*xe~pGP
z!{;oQN@64#1)h_t?3T*c;NRFQv{gRLSAncHzc~gWlrpz<<GG+UR+bxkg?9~|l~`G1
z4NSpl*^==7)~{0VFVf&{t5*t6`<SesZygYGOZ;D_!Sk$bDfs3zc#gFp1^*-so@>3F
zf;XkXds`2u;6J3nORRfSaG0PJJ$<b^01r(+Sqoq_l;wtu9<I>zQ?%g8xCc8uPYWJp
z#D?XD=3WDJ;}T<~^p;aMBe6M|?{Vt`@H|dOpUU&d`3pRcA>h1t9tkHNNqMDN5vQAS
zYs3~$0zG)EIWU4!d-lti*w`vVV6B0(3OB*v9S5N?;?sNTOPYm|R+QGzv1$-V59Dro
zPbos}vF!^(APF=2YxB=%Xo*K<)wC@rWi3cZZ1yPh8Ez?<c2nU_2JR2RQ39m_5ApLQ
zvazJe++4WV-_N3{ij`!*uATS_m)TY|!C1C;NbhU1y~Qu&5#zMi5$*!1j`@X)Rs=$p
z)9q7?Dk7uuFv6v{&C{BA?=bxmd%Q?^u_bU}P4V9mYX+0{zC`OKT?TsB6pkwuXcM4?
zo49ILn~jdYFLhK-_`vw1GiC`rg8wrNeBnxuxUk4EV&QiM#{?U#TCc-<Ri%iY=!*v-
zIIwt1k9C83YUXM$E_X8kwe3)8)s!ApL%U-Off$uH{H4p=b!}<Y@4FAdzS}b-+8Q{v
zW;7`0uDnDj*P~o3Lm0#u65Wa7KS=Rz>m;XmCyITsmFn&g5cCzYbjXIj`1d`-O_}(z
zL-@-*UDtZ5e&5rFZgMe(z^PKp{_j++@RvVyU0dQ}C4J5}U?aOMV3&PsB2Jgj{gb@Z
zqfemA@RxcLp<9@89>iXdUWcyXz*P;>5rOvNNM<w)K97AOmjG>9WT#%$m37mmTE53r
zbB8nVK~6Uec6q~ZXOKVk0U%N9r>4>&r;k%_56JO`-*J(*_BU<yOsC$S7lrJI4>D78
zp9B2V0e*_cH4iwzHyq#_1TJ)duR6fD2z<-|KJEaQ5cq@xoa+EL5%_lp7<7QE2z<c-
zjuIed^S>RyHL6w=&IDN-e!HC9wI9Q1Qv1F51UFcr+sg!~)y#0(9^<s-;Uf3|et{2m
zD$XG2aB~vqu2#&6prX@Ffxs^U9QJa+8~2?7(QT}0!8*fH&ck4^tTg*tR1iG4lL<VX
zkzHPf?$Kre+SH6y4aTJ!@PmdZtVAK=t2GN%xi3}D4;n6C3=D~tsCF%?dG(t2Ybqa?
zj!#Y1+sxfwY(RnF*-^7z;c=zPm#Xp{r`%BOKLbY;;R{jj_<Q^y-w!aM-w&1GQlgs!
z53g~B54r-~!v}MMdz@Vi)apxM5m!o+2z4zmdaL05BpQ?RA)4?(S|Fc!Fp6){{1$U(
z#AY{<w>w<ik1yNEDT-g$n4RcZ?G3NT?zk@7U)&fdFk(5&PDDk&`L1Dpu;=N(XSE5`
zUB**60R;0|7i}_7KZr2obVF1OcIVc%GhEK{p@&iHdIk-TPc`g<Mp=mk)wRaRQuP+A
zLWmH^`fPPZC7Qi9m+iRyZ!6ESZ^R-|>#X)nmUnMg?zS&!E5Cr{I2Tdv11HvAOaS%)
z4#HmE(E5<w6%Ej{N50`%JFtD5lWGSOfJ>`R8@G4XdJWpa-UI<*8a%bRhX6b6eR$Sh
z+rB|}R)QO2|CNO!Sjaeu8j=)Z%VtMdcn1sH_#}lnDCDVV?W`l9b))b~7RFeJs_AGw
zC_I;ij~t;eghGD9v-Wuww((f{#F*?okjvU-EbP%9Ee3CYz`}JbOmR1;T4rhXG8Vqc
zLY!@-6QpHp_M<G^$U=SwHH`^cj%Lqf;WifHmUX*Aw`SjlLM*g~xmeAM)GB)9`Q$44
z6AC4sbC52HxFR!#b8(y?i{rKz#0C~QHqaV~*JO;?J)>BopVaWM2A%8p^b)Bx;%0N5
zeIn|$`4`Ia)A>>QX=rH1F`)9G5vvJ--r!k8_ZvaC@j2;Gxue(sjId7us$|?V+8R{n
zm$d&Cc%6sA(|2CMkmJ);6SjB^1+osXX^^MV5Ad&NjOACyzGrtQNq6^x5%@q-Z=AIn
zOYtFfs1zVO6)~iHCb8DhQtKwvIs?M48C_XYY1Dt-yRG!H^im*^zZ^Q%9$|>lb#v$*
zorma%yJH99y~(}`6sGzA@CU*9aBV)8L}z`@Q^24vo_Gv6<bh3%(!Lns+7J;3&W7*w
zLlu0dVaO@pY0@J2P8J!5dEn&{=nkoD#Ac2qoxNlf53&Z0yx@yXmjSAx>B*wiKx)LM
zSF%-4X*Eg}1%L0vKvF%FvSyDzkd(_)q->^q?X*Uu6NCM7tcR~X$+;jI^)75zFSWr#
z{S#RKh7{h)zha1;P}|PMJfM94oOb2w$$~GRMR^O>Cdxl*U+!l6wJhI^a`jQZy>tO-
zIE4GL+2lUh6WN7calu8-YW2aZ`Q;-7P5tq6)<WMvu;>TRrZp#jL=<8rQ0Z&4t^VjB
zDJQ<-oxu;i;TmGiR2P4}wYfmxT?HQ#gNJ@^hv!Q;jcZ+3#!8BO;f8F>dM1TyZCUY)
zL^JJOZ^)l_O$H@Z{zS+MAYb0l3<#LHOUWAq&9YBXdjk<eN9?@vbxf&azk%}9dMw;h
zxHIu2{(D@l7qy?pPL%o}T*I+y_-YWsH@|_ph|~qH07hP;e}&9e$)z}Z5j`N;5jWdQ
zaHiqNp>-5OK~6n>UpMil>WB5km^0$rem$6n)L4WF9M&_UfFmEyfM$IH-wf|W<nvV!
z<(`w6y(d#22wj&#NKl~*I^anPAIW|=e<|-@eOQ5uB2op!u?M+zM#wLG;52>CUjd=<
zzYkA*_qT8h-XcgqMlt{KyH74xn>TZpH~cz`|C(%T>fd0?ik~8isW<y#Q8yAs>>O;U
zcU#?_B6nJ{r@jtNJRo`o2;EVW{e-wgJ)cHMOvp=y;85oT)LHI9g_^OdmIVw+{h177
zdT(K{dshTiF9wlH8#GeXKL$=gnRp*^=EN7$IGS@9N9QgU*^h1mn)X~>bW)0|Yw@x~
zN`ELu--|E)5cC||DNrp$grJAoK=U9b(K;_~fkkIY2ahb|Bf2GUb!s=4|0L@K{53Yr
z7}fjn3NXE9j|1qe05{egasb~y!6w0O>!K6E>P)_A7k)jb)NGP1I>xOExJOQdQf~p^
zUCE7Rva*s#RX-!K)R9}2$Lt=~K23gdILVYB7$L|{HnNZ(iVeq4vDpc_Ry_aQbH7TI
zCFgHn0_W1PsoC`{rzq)Jn_Yh(qu=Uy)^Ci_2kM(L`_(T6BJI7Vu30q@DPo;^B}7Vk
zgSHXPybkg<fT{p@+-AH0nfdbGGq5AAsZ#>81ng=rR&DFu34@FL40sXEmM;`hQ$F}T
zXsLw9iEB__;yO$+Y@sgY@l+GH&+3jrET7AgnJHgmaUTVLcpZ-7e#{Q!SCkg_&zrit
z)cm%Tmy@^GZ_8!jtPN<;Z1H|F>jhyL5jEa!Jt>01`;1ucL0keK>^95;g?pX(h;^Iw
z8O?BbzpEnrDHhb~EZpk}S{3+6@CXoCR@j<2n(~g5P+xdmmM{FHJMgQ4vECQ&!|89U
z7T5uLE}hy0@j?uJpY>`2tCC$M-WET>3NI2RmMb?f`6XdTPnla0R<stRs^gMa`uTy`
zyqpsZbDO<yhuLg?gNaQ}sDJe8^a&l<HEYhA|4?7nsWf_T+rCW$PwhQNqC08+RBSfA
zXOX))aFX%}QIlht?}x@7Yym8c?{3U_8VOt=_#H&BaLX!QLrI(t{=|;1-`1sTBeq94
zyvR0jkLWQrnR+=yjEG@`+#+J5vBK~k-^`25k9@J~v+MU~>|K+|1J-!=xxr-(E+A|*
zcO+hQ<|j=r2|po|*M>wUjVDFbo&MLuWm4+l%mRAsOjKQdA?Q$gEC)@jULZh;;!}s)
z2cABO+$ljc8nW`x7V*!dmH5hbjLvrJO(j?8<%n_>z9dbaRtK9!o(kW<#w5{8>_wP|
znDw}SvELoIAl6$4Pj^F<%CxCp%-RMXARe+C64fkn-DKUwo<*+KD!DrQFOFPo7E6cP
zl&7*(wZr5oJ}?s+gqPnk;@zV%s)fZHjMxqEvU}ef$cbgtH+AW{&b+{p&!wE%h78Vz
zKw+~R*-DR$z=kUs?SftsS0^_%dp#LtmgJeMD_nR*?k&tYb=Z@5ikZV&vX>Eo@*{om
zYh25@NrJz_8_|B;WiYT*o)vG|Tx+i8yA8OY{fI~<t~as!REu}5KB#Q22CLv*<CRnV
z3;Te&IPC%2`kmd4SXQ37qu%aL4u)E1Axsl$E#9a{{z@vAXkd1;K8JA{Z+xn&qIjKt
z@86lh$7+)H7kZMz(q}i}UkEZup!p5m1Lx)Ansb?jC9Zx9Q^Ck)15Sdldzi$$TwOj6
z>`T$S+xp$(&H!<RFRJ|FtUS<BFl{VVSYl4wdL(q}4s!=Y01Rs27@AtG>$hXM{fqL0
zAZZ?o%njB+!0ao~k;sJ~aJFGgFdrpIcd`3OX$a(Mc<Z%2%1ol1h1ns$DoV`)m?pUy
zlKS+y;MJFWYgu0bUo1+N$Zt?6ItJ9=ja}eEwHg=5&{M8a3J2pw|Al(6B~7a4?>nf8
zg)4Z&HFcy{k6aDk_HcR2kIhzA3ddoNz`X*oq`+N^rx-{KDREoMJ}I#v8>?F>6Oe{#
zN<)+%)aQXzPD&)a6!4@-<RPQhYf>!MW<xC4yFS}OTZjb-HDZ19LzilSEsj)dweETZ
z0mMsKWNw9MSa%=~DdD+St{%A^O=~irrC-uu&3st=oB2>Pi0a~_9%#i0Jc~^zNV8V~
z0w3Om7<n;*vLaK!t4Cf$fu)0&vT$%yP><FFwV>gq&yhZ0la8$~9_6y}W5BuX*ABy6
zrSevE2nr30i7#2TaV^xwwf5Y49-Sn)75)HisHMP6iss+HfM~7;tfD%#3btCef`m3|
zVe8TF2FRt^sHO)oj!>&2qO>u+vuU@nBX9gqT;W`>;fiE`XpSybd#ixmUWFq1YgFC#
z)1*P<*uVuhT<zha+G=${MSV%8UDCEb+LdqrT*?zwvOFLo&icr2vq~`Ng4c_e-$9jp
zI99C-ryt&<1P$zNp+ZOIXWI`S68gBVssYEkqD<Mv0_OT2Fz%1^=|2K<YV!Xkw(erc
z36^KRm@jqiA;EBr6ZMNx-*4{65}Tx|XLnFt&hyoM73XCL{-%MO-V)#EpdX(j1=dB#
z$|nf6TL<@3Mscu@SA-!T*7G?0W-8bED^s|!px!Y_`Zq+vw_Gm7=8Wxv>-8m2$m=RH
zaq(7<@^HHX&iQ4qh`2U|ZylWA=$WiMFKi=jUHM=hON;Af<W&?OHFY}$0VlNIfRXUN
zvaPFNBoiBX;VJ}FxOzo275K7Jjuv#=!;|_@UxH~PLI<0E-vAU1jQ5Aezi{ej#G0$5
zL9l)gXE5<5_~}Rp^Q2pTqbPkpIcvKZ9+W~6%&%Lc@=Pf?Gh6Dd?vUiBRwW<xyStk$
zv#_wMTSdM-k-d6Z11qcem6ulzPFd#0Q2K3D-rDZ&?`?bUD_jdZwWVt_OdWJr4o*bs
z^s?1Bi7&o*>QNxl9z+UH`N{n^sQp5Gox8<regifKdnF1KUEr&}q_KFz40lEG`l;VQ
zxXgEOS=;)dNo<9dET7rLTUl-PNF2c*hU$xN$qw(qU9T<XW<;AqGrDRB4KSS*n$bO(
z&JNA!mQ3e_W*n7FyF)X2B-5VIjGijpJrtUeqmrSwQ2l78Lo<45fxC>@o%x}6-3AVp
z1~}Wg-PW}WC{ck4&iUMK%cB6}YdVWQ-EEyOfZ!jOYOo!l?af`+i2uhoTk<eY-pJvh
zll39hf;U`(<Jim9lE!4I`C!lJHfUl;`9-3xdMTaQ#4D-!TFSU{;>lFr{1~bkC|}(Q
z0eS_i@%f<IkuOzi@$LtcUgttb56xZ#GQ{5&Q|A1Lj~;mrU~s!|liWZ+u)=J>+3Pv7
z+*Uk;LY%ydCw&4y-dR8JRVl<8rwtpx)U>N*sB}w;K?;ZZ12cU8ry>l$CD<c*_e$u%
ztz#4y?ycXJ-SuN@@27C4)zvI#UBQX|EC46^d>~Rzw1oj#Z(}%#1&}*2*VzAZBS$TQ
zYaTPo5$e+;<fG8}2h^<?(26%~)=n#TsM~5ig04v2kJOA;gF4(0#BZ<!d(!`Ci#O^^
z-baPPz0jfEtsBq=3$}Zz3iV_UFX^K%rs&Ik3iO?uV)sj!i&I#`06cm0v}=BHHvZ&{
zGwER@<5V@HfDq%U6m4jo+sV<3h)7r-eEvaV4}oHS#0{aO@p+Xge&MBrH96M2KSL=N
z|2v2uaC*Jc2??lRnbHSD3yu4!72e|@3%){F0bwH#Bw>#e<{@ml=urebf-%ByndMV!
z4&>Jfg7BAy2p>iG<6x%)9|1VO35e(n-o-7f<Etn*n}%y$k;x56j!}%)bde42s0g?8
z(dRsXanoVP&UYu)#^qYz0@^eDQjZFY(NP^3>z}VLS>p?@%|f414ZA*T`cZN<tqZ*B
znVaCM<oGY;#%Qs=<h}5LKKlJUqFLGp$n_;#`ZfCF;~#^eDa~}P0D+)<d=!Rew<tdI
zQzEv01%!-vTJ}R|ih2I+<aTm63G=BUF4pCkPWun2)uykw-#Q8^EV-VkD)T>~s#NPc
zyj>~VrR=`n{`Z<NE$RF3WVzWag>s(3`xT5|#vZgV4hCd+=!`?WW@M9xct=48sY5)3
z4LsORsB=7D@#;W-p5yU|EbScccvN3@3}ABnqDTM6q;r;sHo>>l<xuPn@djwL38m=B
zyNrit(o1qYMyx;%(|{UY+@7aB`a|pVKi7xe$?z1tgSQ)26DbjXP-@m;MG2=vZ@EJE
zbi%7aWpz9$T-p^v9$QsS61alt=*tS;{ioJeoX{r^;lV1c_E#jl{dr%Od_Z2=nc9n3
z4pXNF7F6end>7LxAH;GP&$RL!ImdI#f5Y;w?aJNu%WdsPusn5q7&xc4q8%W3j+`gX
zLIcrr>jvq#ajdRuu8|W)`i?v&d<0MEh=UV(mIax@QTDslj(V_<f^;Z-Z5}|S4_HYZ
zU)#^2Qk%RXriAjvQZB(Vdv3dO(JQro0F6fcv2xfBW7gVoSSQMpwe>z|)03QjJ}s=P
zoyU3%0GHhl;))Z2PS{%nKj#2MHG06cmUi~ph|i&gYO`PAhMuAi?F;bLO}SrKhjIm)
z36S*GMt^L!ye8ZQ2tr^w1;8-(2Ryhr<}u<k5hcJ+t(iBp7_kQ#M>NcbCh-y8-eUCI
zZ}eL~t3D*)b-3-1pQ|#Sa{M4!U!WBCko3soK&(zk4v`;NPp~{bbrE-YHxycDV7xU~
zv3~{y)>yv=XT(O{4Opn?s$h40ak&d$n!FXKB;6`toG-#hwAAa3;QvK;(gogDQ}DFR
zV;6D{JWKPJljHN5H#?`|&i$d}xEpxfNwXF@FfjNRe9J)#%uhU6T{A=xWjz@eiUPNU
ziiYUXyC@%uq6>I#V~-Po@z5?kJE5Jv8Vj1N1)xZ%v1g$oy3nH+Gr?|Z?Q^7Yhy>IO
zcKW-}>F>Ny(O^B=jWtw%UD4mkHa~PLXquTI8q59?NpL0L21oKh1Ua%<N%r@^ruugQ
z6Nt<rk!P_(OrKVpO(L7YbXDmSU{dSRnJ>r0g91zur&RP6>`V6YKT~E?kutuI%#c0(
z{PgJmR_h6x(%7ouf}u5VCN&Js?at;nlUJi~N^9N4dhiA0^s$<@jaQoy)J^q~{}*og
zv9-XjPsl4U&c!P0^7N*Pe$jXEqw-K>-_yqDRo^3>c&K`4XeO>t^Za-k%;U`5U{CAW
z%^X5t7;k)O)+3S&erv=A!N-|`1+kP1%KBUe8vHm7PS?<ieaY5Agt4Ye{Smm~+l&Qo
zzl@C(&o7f`Dm~V_3ipF;K!sb`cO_+MWrBY?f-z+9Ei#WuWJ~c|7n*hcKA}7!ht<m7
z4I7GMYUrBK%+oYPsjw(a2^^;Ehk39jpAtYZuwIObki%mORKTHNjN<wCi4$+~;=@%v
z-nj!(b2e%!saZ&=Sw0VK;A#HZ#PbOFcUudERpy%DD%QK}&oX;!0vi(lAU}Hikw{NZ
zA>}<saSp6ez-;?4&i4BeL+-cM6j7PtY<Uc#x1vNa%b(5#4Y5b0$Sl)DqsW{4TdmJY
z9;WqrXcH`qz;P8Y<k7d$t+NAA@}e&`TzISI6u#A5zpa~L4%6h^%V;P=)l}us{(-?7
zS#}>J7SrB4dSa_J-Rb8d=m{VRE_5*VP#AGN02sq)uclXUd|^)%$t+E+|E<=A4xZm(
z{i7+q(#$G~y2}-=lZngj4|tnC2S59b13!yEtC}PYH-@ZZF|lfC=b*au{sU%3dVg82
z!=YjGSTrn1HC)fx{RA9U4Q11W_hsa+MS;Wo9PtwxKx>5w{Xb$2ym^&y^lIp?KALl<
zs^Q*I6f#6hc)iLn-@`eu1A`+}qv0PVh4~!1DZj7iGja91lWJ3@$zhzDry9ak_5D@t
zt2;9#m8<c4f3Cp5!a6)N0vUVOaL*OO%WisP2U7Z+7x1q!i#sScii$D<pQxM%xv^P+
zcar-Y2a3<MqUzLQV>uoghl6_6M;pZ-2A)(fForPgbi(duwGguFvylzHyl0KVlLJsW
zVw~eK8Ew5U0_4UNBpY?|5s#y(;mcHNJ^!?0J#r@72tnzc<Ga7oQt?Y@fIY@@Y*yL@
zc=1m}LCi2Rg5!)>XSp^Wk|oq|#c-gIW%Ik*tRLZcu>&aSJx{CqovG+vgEe{%XJOFr
z*i{8o*Sn2<-zcwsoi!ZnP4gi`z@hF-*ATl^jAAMdu0tHFTwUakU4d=RdSj#IFRs(?
z{S&JDX0_myZ>BznTnNqRs|ClYH^$6&trH-~T-hZ?zj`$D_p2ivHg`s%UrwliSQn$6
zS`W{_URj+WGfT0vYPHAUALx0A|2Jb$@6J@c+~-j5-xyVFN&%F)$GUbO#}3RVpb1QD
zJ?i@rb+c#y>vwd619{(UpanUtc27ZzeSn;&?Zw8PYRexx(-(U*&m*g6OW^35C)gGn
z;b26p#;rqQFXS00E!@IOwZX!@qS^S0%xIv-RT5~kX;T8nqWgj99=&e{ndrGUioNw;
zbS~}sxe>ny?+jr(*mNkVuebw+2vNU0<@A`TdMr)$xWbK*qtjr_+}ynmw?O(Z9FurC
z=^w=gY`mT0-BI(B>hX!F!@|U4pypK+;$@whDpeRw6^7dHuaf?R$OcR!*AT_eh)wla
zGeIz3B;(OEM$Xk`^(82F4`MQ{ut2lcxB<2P{uYi`SPW4l_XazateRv24$xTeBChPG
zL`%l+OoS2pOBLH^-ZF~yrmiNgt=MH-S0OpVh_BMHN0A`OI^MGS9^8`lxcQ}C=zto`
zykZpDWW;N8dV;f1NFX)D6L!NK+#Ec|x*u;mU_9<*sWn3Z3JBmHYJ@!=5OT;`!=hNH
z@qIJ#ICcUb@fE3xP=~~VpH$7qV}!jxnqfYLpYl?Ovq`n?LQ&|RJ{o=sAlB(nA3^sc
zA7+>i1W?f9Cs(lCs`*4mERg}=w#`R-5TZ@$8{)@rAu9h59~VPFd%JZO;uJiHV$5O1
zL6O`WlKG<~2EpHQR^>-wIf%0c|3N|i$o1-^{~>9HCNRIi{i$^}7gy5#tEgTD^y&Gb
zhH}(NQo|f*Gx@{&%4qx%w<S<C{r1nQuLB%gl0C-rMtFLT78r>~ffn${YdBU#7?&JH
z^wba7TEhsC2{glt(9|kz0}Lv%E<z4V-!o#3oD(Y~v+fmOLE?Gnk2Lr=1<y&$qh68y
z;e)qgt$u^Icgmk1q}gLpA<19Ler*U)Yf}j834;|UDy8p5Ki7~{F?OtOWwV3WYa+mA
z!*Vr_HP%LKEuwW0V|{)!gfXZowhzoq_YWZd>brxusW#IM@($^d7D{Za456ZGTo1*E
z!AUp52DlJ`PldBET%-kd)=qu_s%DGT4}{j<gS2%DQYrm__TiGvTHqY>)7tkiASk7o
zC>O-B0fA9xsLQc6m$VE*Z@o8Lr$WxK*>xGS4sr;=m1PlpI2F+!tyU-YdJvA6WyV6g
zT*TI_RC5YTwtq{4hmAr>-&DytEO{FxwZ%+@RqNrX(=xJM>t|K#a+G|UDv{Rrv$c<{
z%cS*!YO*mlU`eW)bU#)QED-+320WZ96dYF($1TL+QWR7I!PHb8L2wr8jKBaUp=d<1
z2x_K=80@YnO|8G$ZIq40GlUgx1MwhywRpgpY(#Ob`JTleek1&Vl0<B(R+iL&%v6;O
z67wpm*ndNj%%U|02yNb_f)wQAR{et4?E_f2u$LmQU)_Ru$4fGa_HqoP&A(LJc%J^7
zhmx<-RstE{lf}M$0+R8&GhJe84SY1{CNja?ft>`3{ia<rAJjlJZii^7Z;V0xPGcpC
z?%H4<2!RZ7G)SO9QB+v{1<zLN9PHslXQ@-CpS*u7geikEGlxpWUATq%6$<ARiL4~<
z1_DSN1RZuIC-{~15h1aA+*YGX<Xa6YQE;U8&$nw|fcF2TY8P46D&eu_sKh91hDwaJ
zf+|sNjaP}`)@YTOWZkF|mDaVASVgh2%2b;2XBDgTLZ;7E=|xPRs?yIeeXL5q#B^7c
zrf#$jO~=^c_u#^#+P>hMph=xckBm{AL-BYWswS1Cn1#0aCO;90e^XeBcglK-y0OOW
z<R&h7Dv%%+bE29N-j^J4vsAE4Q9<~w>`Y3Yp?`+Px<GrQ^`MGbGjm(Db%V3;wKtvz
z8~BxUaVcxu|Ax$JzyVNx8ffR&_<6uVhAVlNQH>8Hsh>cAZxpoK5KisPoycIs=!cF4
zj#2oHbvH(dNX4LhK9{-Q#<76=9dsk^Tzu$oR4ZTRewW}zfHPXjx}i7-m_BKl`%Qx1
z0yx1%6MsN7Lwp4%Ynl5E7H&Y{J5ng8HOsXuEKm1ZK#M>$Y%C{dIZvi)+^YdSO+h&w
zPTg8Sy91g!iGh8`*`|3-uDuP2#s46)yek*gU=iWkuLnzHw~;xWC$7RJ-W|q8tQ_n0
z1o{l)*J?klm^B?t20u1cnD}B_ip3hcdyLgmEY2Zlu7DKRmMvP2p)FbgFyBQ0I~11|
ztt5CAz@I3v;?km}1TO=4t$^EcY0+X9E<xclQkcf2MK1%|OZrXY(xQI?`UAFU;9VP+
z7Ezmh1!y{#+T@jHZ4|h2P>&$04HnECi(S=^U@{y4Zn^phboy{4>1P5u2}!(L%48*y
zxKEFy%&ZnDM~YLe;hu6>DAoewk>XsU?ri*voGht87T*+aN2`0|Aoyy<AT}lchl|b@
zFva}|hV;M>;IGp~@UgV|X?${jh>AOG=~Gb<g}#Mgcn*`Vf1%!L)U!uQG2|$@4wku7
zJ)SB(k||LNHM&&w)D*YX+Yc8^u_^jddObDgZS^*yo^$J?Z9b?!<nYAGKzCU5mxZQh
zX#pcN-O!-!-Sob55w;3V@5DD|k-HH&>Juma2S`48O?;r}<4=FLCbp*dBfgUWtv^je
ziMl1%)<0EvAH3w9qc7fM#7i1wmDo>PG9?(VcwA}wVF(Po#jYv;YiLb2=NMlIq5EOQ
zD?yw&C@1xOfF%BccKEOOIs9-#JH&sk!jE^<lYSNGKgy#o-b-~hEqBdN=tcQ4aDSEF
zwBO!Nwc9o>#NSo9Qlj=hj!=$oAq3$2-7pqtM%hQfw}=1d^uzYa^5G~iw-X3s9=W^{
z<&*3;k64~-#2?~1!j6wB(|$^7wb9x3zJ|=#tcGV$OVpx$;492ks{Baf?*pt{4x(J`
z4Zo;<N}<>f|7?Ap5Bp5{J;7RPbbiL;Up^D37jMHP=39LsbY4WEvzCQGfw(zq{jR;(
zNaHL-kK7EQ@!`~UtXIAuGQ_m-O%vi_XjNMcS5bnxA55hOwbzF`GDXWg3X%HEA6fvB
zpkPbx+{Bf#*3>ikY3-)HSnGQ~*Z6VR$U15209{|U)!<bms~i9%dh<q&+D*h?QnUcz
zGnWi^dGLM3AS9fZ8t05cR*%#PN?fUi16PV$KU=;;IX)kP8{4~#xUk$>0@#q)Lu^or
zt3kbe__Pql$lpHai2V3Sp=+<7v3h(5-g*{2$ScDRV=yNC7?_1OK;^5`4VHyIsR=v?
z;V@!cgr~%h^4r~g3Zb3DzXyTxaQ?yH1n1->9RzoJUx(n%$!MU0Ksld+YZ|yN@|1R;
zBh7!Tb<+|+9*Zi%tN3XW*VKOUQYiH;uD)RB5-Vx2t^{@Z61<{;Z<oYS51(G#JgvzJ
zPbQyM<&vk<RJwra->bC2^hlK^->ji3UCH!drlA7GpR$XQOX)i!enmcgD1GsRzsXYH
zV=-~FJw6*62S@Bzd*pZxeot(+d>+@FLyX9+$LC)SbIv5>^u@D>vTcJ@As3NkIsdBW
z&_d#u1{>xulHnm}a6XzaURw1KKC%OB*W=rYB^yxpL}Y{6{4Vhzq}B}@j{km(6Y9}d
z;8Q}^qmyv6t7=dI_%j@t3T&Z~yip|wB6*WamRjFIF&WFD+wq4<%0XwiR%4vnr~;e(
z2!+wL5itxZhFEkI+L>W4`dIXKq}PRCMH&zJT1RMAIbf*3RUQ~`b@^PwCmHg!;CP&-
zxYvaj0gT__gI5@Pi8!pO6F92qShNxvu=AZZ#tiqxhj~;BDu1+CQHR<MVSW*be`wAg
ztc%gyaYw9!+f-kH`Piq;xYpUHAz)uqK%e%UFQEM(chI3BqOhKa`cXY4=5ya2>oE?E
zmK!KjqFO*v9R?v=7bdqg`$1)dBW#Y?`mn;Cj*WGPYI9j5*dtWimkB+J6%Ulti>xp1
zqIk4eE71(owOGFF5zLCz1#WH#cX!4U!5c84=>=%VkHG3nI9o$8O;?rHH{mE`cm1|3
zd?c-6*0$!%t{b|pt}q{X0`>6700QezIK+U|y4#(ngjP6|FmA5SvR+CZA~q0)1HRnl
zSAaJ>;L8OB-`Dz#YX><~NOP#QZwA|_4{}jVQL=Ao<D)2NpZONQ{EBtcKhL@s-!r13
zLJlv1^v`n?^zPWeEPS67=cJ;bw}P2Q?8=mWZc6Fr-PWj;;C2lva9+^wOHH^#+m50)
z)l`&HD3VOH`Ktt}_1gA+&p%}$MtACwd}utr!g3HlC*;Cm_%5sSi%Nfg3O=%@r;*3A
zN@fY4VabPb5zf4g0$CiiA9YR0R057=k<YI{AxMaaIu-exvq3$MPe5)LwAA6&JggIa
z@m2Xa%EWsa>mcG3Y;$+`8(i*t!#Y&Y7Z!iOPt*Y|j~VB&X?zt`frz7ZDHf_Tsc?jf
zg16wxkl*}<CsKUzW~+4vyn9|kS{vxYi*eH@;A&ZE`Zu9MKn)a1R6lWW1>S3iB-#SA
zYOYPliD9mACxBzp>27i>A9*fkE=_-IQW1XB6oOEDCD+$HbVoQApX=&mkYpsKD^^})
zz1W1&sM61eBumGsQjb-QQoBH8DoLMW5R@7h#djhrJ>Ede<>z4xYJEP#_4yjP9qaKT
zi@4KPMVndlFp8Y7F+fgG$z-KdQ<Xxf<Xr{St=2?VeV5{s@^`$eP|zwerTp{Q03X^T
z@bBKrK#J4y*gH{4{gOzJe#GD2)F~{MPW%(w;ZLfJu8ztGV&4qkQ?oPShU1yMAE(~<
zz(?;P2wH6meu7KfpL@t|MsDO4MLjYBqAf0s7)t9$6k}D((h&E-o`dGJp99UvDy3ef
zWyL`A(R<wZ;MtY2{w@3(a4zq`&wNhZhyU<-cu|)|^77HS9;FFNt$~&QMiG7sLF7M%
zZ<*z2`0>>4E_{>JhhJXc!V%)II#j5U<^{jJ2pqV<zcdpa#QOsWXQpH`t^J2q)n{Cd
zPI2HKyuwsqy$YCr^xb*gC1`bJy!#=x@yBoP;dGzEXJp3d1h5q^*yULNg;PG>yvtFh
z#l%ljME*@v!}#j#J(v#b=_Y)~*5Qb4bApob;VWakar!i1*i{I~mCKA<{eVvnnV@Xj
zdqj{ghiWuAjZLONwuu4}w{L$BGSEVrra4mRO5~DPy5AY6E?VM;669)iDNIHM=Qdj_
zi{F4(Qd{&$m__)YW?Aw6doGI2Th$vzvUnaGoxWP&{8AHVe=Vi`HW;o0$vCpBcwSUW
zdt<=H=w^I08E-TU8C{?Fr*HH(`jYuUPCU%ayfP+gDltsZf7_L3Fi?1Dl5D7z)-<wl
zgNrBFSWm^Mc$mCfXOKs-a(HZ=et#hCYdx_g^6k7>tvFrxvLlLem{~ot2IGY3(3e1|
zX5+>oHLyR9kM+Um%Go1c(3n|llO0$mp%oNMEpSxDz*+OA@H2fHjHi6juGDPiyK#7n
z&{e#8#`Q+*d9egB;DwlEzHmB)v~bgvu~(6z;B<G>2J~v8OkU-tdPV$nw{<iq!ZGK9
z5i+pk3%<#HBGHKnpogbSu$=mVLAk!4GAIk9RlYCZ>TT0E@PFkruFYD}?=xoA5-l&i
z!))oZ`Fjnp3Kv04lvP*@VsVc&Q;&+BkFVkd0aeuPGd60l22SQvzFtWSh2}hCmO2~p
zQQ6F@Fh4yBrvo2!9(FRmEr{zE6=%THXsj^9PoP6Q#LxII^o7<XXsxWV>gQg7)z{0G
z0uQ{2l+{E-<(-E)i1x;kZnhjer})^z9^6hpFNHW-?_*)GD!(KHDQvr6nzHW_<?tAe
zFbx}}4Emor(%1@4IIgEW4k#rIznk$W3e@4{$56Dimw2Q3asb0$wtCg~5zKS)B$3cD
zLwKJ*d?;IwyuhI;gs_D70U=~IfcF`s4}ew>1a?n(niK@OhE~v@*8(-EDnmwp&(8x`
zN3&+K-IZq6ch=>AK(*~L%vnmGLVh7rF8JMlQkqnR%-Xj_)YU6g;LzMJOyRn9D3psy
zZSqu67Tt-rXP)N-$Y=tWIQr%lwF>4Zl-%w!G6P??7?~@P#}8FRe#c#vtRM9u%i`5D
z-!$3@Ip)KYcEcK0OZ3=)epiTnd=aV-`r}}Q%v`&gSQA;O^nYl3^Y|u<?SDLJ3ls!X
z6{RX_#j3@%C~B)#8rwn&EmQ%)i%S(m6unkSD6&W}4KzMRdR;-i%DrwV*DGEHN`a&W
zX#qFH4e`pVFd-t~Mp2=^_xsF~Ckcz6@8|P+{rX2U&zUo4&YU@OW<Qhg1V<f^ol9A{
zYA14zz66vlB|y0lvJ?FZZ-yS2C@n<sN`7z&3YW-RF(}@?2Trs)b==c&ZKA)#(LPKg
zVLBW&4}%iDfxeb$&$5|=_9zr)X;eg;DitWJ1TN!Uz%noa+NvIH(qkRZ<)$?F7&!*n
z^z8|2askId?uNh*;rDfMJKq7;-iXUTtN>TzM*$k5^*q#HvZcQU??>YpT>V_|sr<J>
zJuz(NK&oD*NaFyp#~}5@xebuu<aW?D?ARCD)Nz!w7|=|7I%?hrl1V{m_99K3iz7{p
z{t6K}Um|9K=fteifr$2?LGv`GuvKQv6<&7S0!l5|o#*o<_T6e&oPcoFf_RJ`NdW#w
zlL+Vu+p8oHD~ynQ(j*C2=f8qvnSF<{gKDxN{kZ6GL%IZ5mLV<F{v$<U#E!PiXtfpE
zva&EL;y+c6iqPXFo5*M!+9nn%<S;{s7;L&Z|HUsIznW(t6q*~p+sD4w<J(w3nFFd%
z=c}IumZM>vg`V0hutE*X(6A2#HeAEHYFIsB*iV*r7@U-;fj<ElDzwEIAMzO_=1)gD
z93xMK_kcnjOMdetE-MyCCL|@}x=UPMERM`raW=$Za5e@okYx5&)OVjUy9&gZODnuH
zR!9fcL5%S*NbrI)S8!=b4}5Su=~&dsiDz7V%TsWnYD<UFP4J=rY3tc-XW$e^dU0wN
zk6(Q)i%2~7fYzOQ?csH~dt|IGzl@E)a6S|h4fJ{Dz1;yBF5?~6DGoUqOIV3&|Cgwa
zCny?p*Nm2$(JHR~E0L6q8A<6NWiC^OC6dB1BPkw4x)}LSL~8I8A|d0QDjhq4u{DyE
z0y2|Il^RPb8F?on#V~Zz&A+-*G@0Z2@DJKfd<#(ILfAX8VsU%H@qS6*V{4liPHl<<
zD`dD`8u$V_jdi~dc?RT!b*Q2Ba8dYid0-F3jitSaOaixa;+mFSdsDVug_fZVILr}m
zMsja5VZ0Hyk58jUv6@j9yt6OXGY-hH)r@Gl)h{poM%&3{EWh0Od-UehG0ws&+>?l+
zxx~9h2i27*ly?didwQF`je|vWszPgd5#i3jdiUE{IL+A1{sGUibXH&9%J(!dZHUg&
z0_zJvv=N+VXqy?A57!4VW!GC8_kEAyvcC~4XBZ2*dt?0Lz7-pi?z=e;PWcUdEI9=Y
z+~(;R*F40egTv@9J?`c;_)Y4I-Lf|Vhf*?yp7Eo6VliWr8t@Cl?l+?$-M;}e9D5)D
zJsX|J{rXL6f{Y;Ck3^pvT?YxG$_9tL5RzU9*nqOY<Tz@Yz=>Sy<W{`86io13j{9ui
zfj`{GVs0(l<?YnOTYwL$Kkme8hhq7uH{uggzr?j#6XZ4s_Q!x(kHvgB;<JEX6EXCa
zuh;ms^c6F1HorDPCK6}xYYujV0xKhv!HG5Bp=W9=UKWhH2D6u3RFQsE>N4aRLI1+>
zekr038Sl#^S>;lvOM#Ry-sg<&)WO;y!!PvB7`YbE&cY>?cy_kVcf#HZmip~;3^lP)
zwaEpOt3f+V&<6meYfx7ZLLD>!(pf`NG-NIy85*(&$$;}TAekC+5D?bIQ_Ne}Cq~;k
zZaLz_{$ZsZBhARxkH81cXVGs`i;43B(<3s#Il341Y2Cj|SO1}OV*Fu@sqT*<w`j9!
z$L4(GQK1^wXOq5JhHGL;jzIr$O<!Y@{&6wnMEVyTnZ7BJjkNej;oqdMF-iaJ7;+;0
z4?d(+68Ue@vW@%`==wbY-8lcL`PH$cH_fDn6~}g3(vZjG!{~{;yXrc*D8_;%4=%N;
zew=vP*K@yDzN-)UZaL(;8(A^&g)oSqQoE{;(9O}qth+PYL!ofo6&EJO+pN^@Vt9jj
zBlO`1AAI1fKfCntZ0F*ajEfqa4THXaZ=iF@-aUKvL_4tm!;HG{*A}~bU!Zm0mQQxV
z{ZD?2dnZ1&H|<Obrag|Y|Ke8gzRiKwo@+l*c07X)FlrF@j@KeG%*ZWGJ5zxhOuH74
zHwoD)Xx9hR9tPw&Lbf&SObe{V^vu2-2b^nh9Vu!4D08ob{Zw`&dQNHd>+Nqe`oT-Z
zQ!7zoCp&ZFR&*!u71)S=z3WOc<LbG*ESUW%*ABe$?OTyomcNY-HpDdk3o^pAMsaut
zMZ&_OUK5D52i<Ye5gX~^&fc(5Jm=4Xw)7j7i65f`e7MKqnj=nN<wP@dJLHV0IRD<>
z<Ns0|h~m`&aMHA`oiX{840R(0vP1=&Sx$RR_M?pSO+F>l=3ZTDEX|&SZ|NXqR&{<1
zJGJ<fOj6|P6j7>QHA=F3eT}@&gT(k0<PNS#nU&z`xfXd~o3!_Gm4`9{7u!f*8AE$J
z?eL%Ow43jKqs(T3HQ&ZV8N#i4XAQY(%q04#2sKXZi?1!EK9#w**CT(t)HME>$g7y?
z==7Mptg<K87i-I?E`)}*^sBTZrFtFOY)q;ICC7B0laM47|H@9F=9rNWm?7sS0!0;q
zwHwI<3-NGyG6UDnY=%L(1&SuP?4KJ&qeNh3!Ixw&z`hDw^K;dn)j()*r7oEROgZ3>
zsRfrr)E9`s6MdacV2i71M?1vX7}s#*xb>i+USM2cW%wo%%)mbv9mF(!*G}<;A~6K6
z;5?$@ToB`dy@c}tR{$oPR}9n$BHD{GO7p*m5*kw=<dr$mZL#rTtbY_2e<JDFWyl(m
zvn}g_e;U3Xa;#J5v(sB1*@X|bTXm{*f)r+C5n!B;x$x2rwsjh5TU^11aCoadNx543
z=JJ<rw0UwX@C6=>!(mrnQ=WNv3pV6Yki#}khTe{fpZj(hSE<TRm^dxlD8eXpQo0lS
zxfv=7pc8Af*(7aD$`0j87RA|!$5mzcf>N`FfiIx+)+oJ0Std#*QLxH+KzV>t;>WId
zadwXT9=QL*nuV9>XjWH^%^r6{023?h7i)_n%FeS$otL|CfPXy>j-X9{=0x9*GsPbx
zO#-GK5ujaQ8BBdc5n+Khn^Yfo!x-C}8!8THyA$I#T(ljRgZ&65$<g|a2ln8UvmI|Q
zv)<u)F$D{~7pWm@DT@+Y2^?7Wc43JjwJ4_)2<3PYF2|^VfF?iyLo?L-Ky+gDR%i=h
zB*Ss_$rr(Nt#UPOX-Df7nA{1%00+fajqCluBZo>q-d~yHGZ~uUriDmbU2y{rLsIT0
zc%?cU5Dc&iOHrx}nm(g`7L|P$`&?sOp<J<0AEOy_W$;{174YjAf^Va!(5UF`U+00_
z|7=(r+>hF%&W2j>DygX#@%5|lO&DXT8zkYljPU(3C|1q*HpW$kXXwvG{CuaD3_h<R
zuK=P885_r#?MILF<MgS|GNDAlLph)zN^MNd>$S_dlx9{hb~z<ZU4-5k_a1KY9e^Y7
zXHj6^0UYo9Mgn*yHUNC?3a3uO8x(q)`o{+pNKx#&e{gbEn%V)N({~`vQS&BJK%Hor
zxdw~t4KHIk)|Dzxf54BN5P_gwq~QuqNK^BW)+nlwh+uC&(hGgWrK_1bt|Zuddh~T|
z(D(o!)&}AI?{KO<Z#;2#b-l@{@y??F>x_dFvecD;7pDpk{Q_2p3sGEc9^obPzwgCA
zoJ)}r1`;b>fqAn)1GguaAsQ3Fm{VO>@WE^qK@VgMuE0^@9;54mS5pL-Ut6A`w?h_c
zC2;b`R#a~`iYBloNEo_uW&(bduvi=r{HFweLbdoq6suy48^wE|_o6`_sq95Kcr6m`
zZ1$f;c}Ni}b%rVi!Q#|$qau6~_lN|lOafh1CJR(F;Rscdss2E>hd5SA<OCXr*!vg#
zv=iSDR;{pX{|asVlFs<oVk^C&ZxK#}<w|ugWw&W8W3;ySV^;uxu12$pC0e5-w`qGj
zUH?SJV<M?ja!YZVMK7s9uX5B%AyXpY^=2t2XQrz+O}K#M$_F}~Oq`Tok*S=F^Zh==
z1BZ)KOm5jxu}i_|a7ZKz2>SfdK@MxQw^ww}!MC^x!O@M=dkr?ks0*bdR|@~|TL|0f
zEe&=D=hBs_*~@i_WRcl@S<Ei}Rvc)P<;JG1?V5IUcBKx5mMmEn69gR}s$-!%CHa4N
zK4C_lvs}JiIZod$yJrT+UV0oNj)>y+P0yd(S73(w3H!HVEKRP}HsgK(Bd{AdWgf@p
zL)!2L%S&e{j|!s5f!)*go%rF14$#LQ93<i%YH&zVissv~sD0DN?eOMgO0O1I{uknB
zBb`rans$ihh2*|a9RK%Pw{P5p5rMVI_Q)CdT+Hy#gN?W9P+oSksc(4^0=H6A&cH{s
zr!PVpF5ISy84C3n06gu5<8o8F3#OU`kl_<D#uKC=!!akeFf+=6?vyNbN)uWtX8Gv9
z_NfmCv8Tc-iqs!0ne0=~K`Qc5j0}H(2IBw%YS#wFi-Q+Dg%C_0&-hlUIW5ADUZBHG
zX&bUO<BWI6f#xUzv{E=k!opY$)?c9Ba)eY&ih8tBXvAFI;`)@Fs8MO4MK;hWPtkg<
z_A)zT-dvJM6@!Bw#NmG&-=(;|qo2rLiULWxQj7=#O~L_1mpxGK1gHz}%Z_Idd$LTI
zU2+rY=wa(0VNl1w+AboDsZ_kaz>ek>+b5M^DE97&*0UGNp=Ym9&%$qOCF_j*$Q|A%
zv0rqyO_kw0yh6wA0d~X*wMfvvxV}7q&XoF6k*qI#-vbY?ihpNZdngXTan0|hl6)XD
zjQhrvqJvJoZ#c_+PqWAuDzjbJ#t042g$N<@Hs#VFZDKU&GJu?hhk9i$%AN&?QH0Ac
zgNK_MH3bSaDkW2`hD}2+7+4OGOhJ*H#!#q}2imkll}qtGm>0FFf1uB|l&PXPm~AQ(
z`%jk|jOmtD*HET+@U8n+m!<A60_Mae30+m!A>TkF=NNYIb%+6ojfdsDK;R?Ft32>C
zr(t;ZWgp~}S(aKo+~|wBR~eoGhJ(jbpyf_uYBn6P^Ikf9|5#oF(GN<N7|N+rQ9|)N
zW_ZSkM5$=>YMmm?^}`UyQxJIvN~zaVg55tv81u;Y7gN}n#bG|Zu{5<hQ@cFkNKl=_
zo&s~x;`}}1OK`;qW~Ml>7hlf6kf3cmR&_KLc)!UMPH?Iy4J1j;fc;h_Xjo{*X~D9T
z%;<~Y7sl$6USH!q<_*w-gn1o?j!%J^wWY=|ncRU1#fgA3|JLkkyx8_04mx06CRX%F
zS${n*5VvQ>BCA!S|LLq8=<UHaWQf%~5P^L3$&Tn{G5Hq<ek#U8pqRVrQs*R;+J<p9
zlcSuD>GY7oVnYJ&qnN<^$<X(mkXFjfg0kFd_)@E|S<$&{ZE^b@n=Fd3@p{h(P&y7!
z(M|SRJ)+mTNEFQ~p}lb!$a$3v0~0Rr8R7Y;HU0jt+OY%`Xvox0kYS{9+2dgm=K~$Z
z{u%=zGj`r)e5$t@WnanXd@(@ci6zYKNYxE@x|p}6LXl-kR|`a7rQvz1Joo8Nak{+{
z9oru%o-eR%tdN9%(eGqDhBq67^Xl=f@6GYy>(mmaN6%D};T}dxI6v(ph4<`oG`$#E
z8#2V?XaRfP>X)A(7L3C`gwzp5a+q=OygQ<ERo{I&`q)-$SS{vSCa!9I1L=VeyAM{{
z7JVWve!brNGiu@1bp3#$aWV7pFiHFY#V?xhiT+hi+?K-<SKf^&*5I^hyExc%1()y#
z{>SAxMO6!vAA3oW<996loBbtPv+#urK_zU4c&iLXCmorU8trjbFcbR$AIduXc4s|m
z89b!H6m!0L^;%p5Q*XXPM&8SaZwO%FCQ+Yc{PxS>5dCDr&|-z)d5}@Bz=bT<M=HT;
zosc~NUt{osA!cH@Mi&^29EMK7FV>Eq@(RY_ECg$HFb6@MZg8&4kO32CP;wYy4p3@~
zChMm(r|73NAHsGRgn;>0BUFC@l?XX=oCOsR0LG^_d#$6zeIH+V81tVR<yDPxIe`oP
z?`q(G1z0P`RWY2*ax5y$to6MOsIh>Wpsr{X^aThbn+sU<7GE}g_=n(4u^^`XwZ1I?
z;;H7=U@e8zt5Hw>y~}7&ZJv`{!AVo4l4w;Tosj`0>@v!;T)}ZuVe<Qqz&;H;ATjzh
z=p(c|u249quk)V~&woZNf9_&zZSDDGa3*th1-{f-C+>IC@Wbju*J3+6?*4fC3u9Jp
z+u?NpxNH12+8u+r8WxVPT4F;F8z@)`^Q}zD-!T4k$D*Nlj}p`$*eXZm*{syNi=g=H
zv|o1gZst6M@3&$-b_NW6pwXN>FNfcbc099y+1m#xWb+;Fxv6!1(Z*zZIv1bT`>wyA
zowS=!u@%$d9sSIGKzZL)Och3IXCjxo6xr4-t1D&}yfOYD`o*9p2Xg0Aon!HZAbi$@
zx&l>=(BGZq8*iBo(BIl|#x?q*D<X4<e3AY}SG66avh)|;>IyMe1@lGHS%DuAnW{gs
z5ebL&GHHnHMz18jV7xx#?~!7A!kkU)li5Uw-6O9v{NW0|z{<gjD7MwuRXb%BH`)i9
zQ9AMqT0AVF@I+nkf*LG(z|k1CSTRXT{d6m5*1pYCF`-FGAJQ%j)j5OJiRZ(|{{=2q
zi}P0nnjUDtF*36%o6*r?qfLDaWe079;oS4mcox0ZF_UTAZGTYAyH$4<Y0)vVJI5#Q
z)8*;&<ncn{`^Ow{==J}t=y)(T7>FS(D_o`#%V_7+EcAmoK=iUG$42cxBDhTJ%0@;1
zw>%w-JYf0J2^B)PkteZpCG7}M+3v@TgWu+RqwUZ|{{QmcDBg#AjFtjtlr#GKu3l|}
z7X&Od;Q3MvM1yrSju;w1{+J9(t>LguX{IUxyYk6WfKiwU{Aa%;_j}u)h26C(s5(y3
zZ79Nw%sOvM@wN1$GGe_vmp{!j@_CpZUJjIe*|6PdZ=R9E`vRf0kYURVE?Bo?iWzC<
zErRA56%46e7?_C*P278{Ov}Il{V4G4JiYA-`gjPk*|!rA{Or;{-}A>skKt%uAn9vl
zeh4-D3du*ak9QXU=M@0{wfJ}efPc-tp&El15AY?I0Al+H0c@kmm3Gh1*tfCD>l{`b
z9B5}RCw5CNx@J1__d9|HD3*_0-QP%CGcedy29@5t3*FVe-6{Qp#mA?^g7(~38Z664
zPkQy5=<#}f>M|rBZ~leuj!v!&=C^vH1B0WEZ!H_SF?<g$>&SCWrN#wV>HOiRS3Lva
zY!RNG{gWU`=7nA<y&hq9lZj*Eq~rsG*&8epj+#Ee2Rqb9^k25c7b1DjrobxCZH|TI
zcJKbt4(W=#Q&MbJe#;@#{>D8U(nI%yDK@peeb`_e{zjz6ZCO?*c@SpeBh(e%{o@@q
ztR>N>@OT!9@|WT`YJNg6{8}<l9-A=BIY!Dkc>`Xxg%t~8ItCx1`ew+CpHrbNEPJF)
z`X%VAcmI8!pfLWFNnoKcUc4c_87uaXR_2kI3~i*B0oo5;sG9SkqM>aju!9Lai9lrn
zf4oK)e+=lO_+Z84WgK`R2M#~inQ@>EGWrEb&8c>2Vv*~CU@~{WlIlaIRG$;Fo-yXV
zV_iHxd>4L;LgJE?mYkmoXOhW`38~q~#%C8VOSfTvu-11azBQ4r&DGzY7;?+G#K>wu
zLZ!F!^~&9<hh*%Y5%QUw947#Wf2<Ucmk>-skDG)x!!Bw<UO>W2$X}-zf1XTT@_(@8
zMHiYyA4bHLMC@Q8R%paof>>oDUS#Gm*~+6kAfa8R@I3`u_&(t+E6w8VR}?P%0W%PN
zlqPefDWx<Z_cx#kKI3~D2}~3A;8#nB=LRT-W2_A4k<=$7)jr0n!(R*<Cb@Hy$zc+K
z106APe??+Fjw)Dv+Sw5B&d^%1pXynNl`j^xMf#gr&Z6-}>DnTBfP@0blAQeQYAIul
z7nL7+_0kdnPBwvK34F@Lyi)`HEFknIu8IozkksW?4qup%Yzy)pAx6Pj$z1*n0c$Q_
z*72#y@t;}oH9CG<cU{Ukx|Hu)@uSQf>CaA=@_InRUsAAfJK%pAGByP}1HpuPqF`;7
z7N4lIb0a%As1D_BlT(`|R(8LjV4>$t!3?}gi*N^}b+#$Od=t11KotBulX07-^gCp!
z3qB8&D7^icWNF4{0}|du#x0HT<d{tVez-QITTE9n;de<19sXzIs`N8TJTM3&Cl3LX
z8&`0p?>6v>0VvilJlISsc=%MhQ-WXfouNw2Y6V!u`Ifs7(U1)avJM!Yg-8V_&vdb&
zx{wC?i|Wft4M(ZbHCxhxT5lx6Y1b~A#5qSGaXd(r2fi1g<vo9P;@*{AEdxDSAy{eN
zz3dDEp`T1~Z_3xL@-Z;eQp71Z-m99Tt<e)e#4A*RqTba#0*!6iD{cF=nm>!VtQPN;
z(2$m*-WMR5*+O;G?4jXj10LNDgtHj<27xmf_zZz82Hr>DGzOL<a4G|f5jdBD`Jt%E
z;?<hPnwx3L_nN?S1?VXU&$J{F4CmXzC+|Z&AA?Wb@7_x*<>}Y#%b<bP{H17n{xB4T
zin12xtaM4L014SafZ){_?jY$9P-n}O`x>Z$|D2p;7JOI6^zKq54reoW9G^FHA0oM5
z)a=V+?mF9Jm`O)7lTkX8+mMNLh<uw8nUp7Ia=MktN055>Qf3lY<x!%_o&gDMk2W&X
zQsdc36gtt&@y9DzEcaufeWnz*2*5KKEYS8w>|_DuUyKuJS}Zp*(|l$c?<NN8Os_m7
z(=02~Y-W1U%wtMC4|X7tzaP+f47Kw31(gsk`hUtJ$I7D-i9+qof}I@CgR+sQ7FdqG
zSd-D^_#5*mXCCoh>`q;dfeGcH;mWo0xQTfjZ|1S!auMG1sG>KzX+3Dvjd~I)Qrn;N
zk%0L=Xytn{^Bux`EyL;QCYq72N4utG?1ePKHxVx`=V5}^tJ&uSM<(8C;DLi2lLNDZ
z+K=*U4qn&s>B;e5S@8kpGn)Byv^4cp=Hu{h0-)J<Z9K1=iF;oXPY(a>aT8dA;J~2U
zGJ)6dLf0)2lQw~lnl+L|i@K69m^6nx?NS=N*B*KhWGSgzFVpttVadD*ncK?Gzep^Y
z6Lv_oF=@c(LPV)?IhF^D1Gp*EqOL$XrVr1PTNwVi;MHY3K|F}3<4KtOO!yX7braHS
z$;{;XoKf(@iAilZY{lP)cx$k-s<#+`zRf<eWRHx2c|qd0kr?lABpCFmNKYe;$R`mQ
z%0i|v(qk;LnL68QGuuKP@3P`sf6@i%ivyvW(d~eQr%>$i@z4#Tst!Mv;n2^TL+fTA
zXF+xq1u<BDoB*20S6({dwl1$?V+z07fumfw8^b%;Vwinf`yiILvm;ZP&BM&bY7yGw
zqnVXIIjbR(l^0q0TKiP@15xIot$lBn!6<m5D{o~imfPKPbU7<gO}bPWW;t(xhke~7
z52D0Kb+b;@2ib+z>s04isWuP?)tqCcS_Mcrki@p<a+BqmM`HOy5F^Xifn^q4vpkJt
z>XOLlM+mh|c*qj63QBs16xotv#HpE|bAl9En9ux9s{UT6jxO?PCi7$W#EN{3PIb3V
z#l9jmT&KFiO0@$;WsxtlQhg3c_!;sVH~js~BF|1PGH1tjwE@Hmc$2I8Mk+y{rk(8*
z3vcR2WD4p2opj?ir%IQ9m|1@DrJ^1Iy@1TdweX6`qEYbD@w&c|QD~MfM%AUU!e^Pq
z`0MUi;g2;TH(8KBP{i<SWFT&g^x(`>n#4dyVStMOnt>HeI6qk;rD845(rW^ywR{eE
zlx5_H7!v_Pi~@CBk`-8dNsR5gNO>VC#~Yuv*Tb59bjM&)b`oz%GG0=D((F^1S(u9(
z97JHk$&m_-S-myo_#L7EH-Aay=6s8ruNe>ids_Uj1|;0beB*U?nXWUp^kYf+a$Iqw
ze0`*{CYj2Ono8l}RLHhDT~6Y@z~s)@6_f7yCged2ax!!Jj5)=tSj%&aUgk07xfdl2
zf0Kmg&cG1tcJCDXU7nj{c_3y4^H415cd(pUZlKp`#rl|C#^Gwy#gG^`&+xnvc5qhO
zquU_h{f?ySUXvTE?upDc1v6CB?JbsT9RBxFUAjwr5g`K?7t^u%=cwt5ud96D;>%I9
z9z2u<?@b96KsX$>kJcH>W&G91o1N6Pgh{{0=j)1%cbK*mPm0*fdwwsYb3IfK>?_43
zv$E88)+1hZ26q^+^DteYMINUNv{%Cbq$cdX2;TQ5*pZDSmGT0)G|(42O-!IJl;lg8
zl^%3Hjmp4LDZH*V6tjZ^51q~dzDNsOe>lGairD9bcbJvFop#Sw_-%pHeelatc@e2g
zFbR-S+)U#-1+w8)?{xJx3djq@=(4e1bpWD3s_$@=fX5-(f4lfDjl+LB5^H`h)?&iG
z8icqN_~_NmE`8L6$P2r8D*6)pbnc;nilgQ^VBxBDYngqU%6J))#lZ^{7ORFJdL<&&
zPNrlH{S!r{F34iaXUqydrY)-x#9a=`@M~Oq&|T0ZLX3h9UCi;^cCp~|P-tzzN9g#5
z<aoo1zY6iVd)*2ePXi}ZrwQC`A)F!vx;%);h8|#5gb*GBG<65qtH&g>E%HlLxEKN?
znICH+XIn%**YUj(pFH?T0g5^J=*H}~qy1p;5fwppNn@s*ndwZ|!$PY)@f6>6Mv8Qu
z*J7m5CB6%J*&+KSRK<X(K6VDMkJ_w?krq;hNEzq8jjNN9);}--6g1kS7HJ&_*!12e
zVd`pKJ7zkEe<hM&4txjlKU5~yvCI%jTVxCB2uOuTK)S#}S}I5drxK|h8gXpBX6FU5
z;ykM{_8+4wc#kgb8peZ*w#Y=rV`1H8JVRx3`L2Y*@e->sD64sfw%{|k^2EPhjluiz
zWUTL?ef$6y7k*{X<-QXQq=RGnzhDvIGH1EXz0J2j)$<i};$dXlz|mDGYlqa#buq@w
zHG40~qL?=lu|E-!wJlr;Y*iAg6B8Hj*y6O~TR`xJWf2^n#N~q{GqkZckiR!9>*5ao
za57`e;98k9jCsIx`NEtR0(Bj}jAvLZ-*0wzN8fKL4*xd6m`dCBPXrO+xjdG_eLF&&
z-q}3E8#oz6*<S4g^~sA!u_j{aRjW@ngvt#4PbOs8z)7p8JVrw(c&@=GXLGg&&ip(V
z_iFTpMc$Z*U>52PbJ7l8-_e9PDFbWoA*zAXIB<|n4#sE>TF;Ad@J~)*ePQ;oNPQW;
zdNuwkRcN>B)Q-p8P=CJt?E(_x@Sh31Koi_7MY<uR*ZI9+E!i5rTON~a4c{9?jlI?p
zH8#kqu{jDg_Jkz{?zvj~pWuem5^!In(~f1@cx}&TZ4a~3Zo&N65Vp{BcpgA%U2F2v
zJbc%ohWsNzsDV2Tkp~cp?SB|ujw9s~i>p24>VPGh8KB(2g;w!+Bf5%5G69V6pT#fz
zZTbtzs?LlujQ%aYpMuiAo}QG?aOU%rmCqTVhWe=?5|?D8lGM<iu_|iQ24EE9D=cPh
zBvN4!*#IQX>`XG3aK6O1+g^V>T6>|lEv>q9p<^L3OFK}BwJCl7p@F+lc#^g_N3Z9~
zd4mHuKQTj^I2J%I@Ab7@3aLTnY$xI*1m_p9&wz({{&f!6pY}T)px|8|V;NJaX8<((
z>{PKq4HA74<>9A6EDmgwb0$sO(nw0(K{AF!p~u2O(IEg7=f6T4)wt)rjEPhq!CFQI
zQI|3tT&BR2Y8e8?f>UzTv9FWNGJ5(_#{<DTh0Y7nPiCrAe2zee#$En>XUFwG@BekM
z+Gk|Lxsaf>A7=XhZEv-nNJCOQ>>K<k3XvutiBs!YXl9WofQEg>$aCA0&iiQ8r%6vQ
zM?~&UqDT80UIhYb9hhwBMnioT{)I2VKYeR5l82(i&I@pVQnk>K;0otef}=7KAKpV6
zkAX&b2%xHlp{$(<O=M^|LsbmTVrVo&>lwO9@S+G^&rk(JE{19ux`v@qq}Q9FwS=9=
zknMYfvKY!`=p=?J8S2c?15A;^&|Jb=Vfey|p&uB^+J(@!4Al~E14F|JTZ_<$@GJx)
zD-o3aH7W0xY;W=M=8&?K_XVbv@;=GXT2gt0p^P68@-igl9nX-I_a26_SdQBnlJX8`
zNXk2qq1oiBm?0ObT**)!L%9sCXXqS;vUVfXouNvGj%R2-L+K3J_8@fdEQDMP{mhU^
zawkI~$;}LjB)?!tB>4eDwM?;`A(3f4Lz@ZvH$#Pc5qg;+k@K?*iJa>g5;;$2XcqA%
zGb9p!fT2fOwlNHe#BX6}E%Am3-j4|NXJ`yVg$y+^bU8z>GVKKn*?vN(2ScnZmB~;c
zVaGBwfuS^p<}>tL4}=s$dl<_48KLbARWkHnhGsFej-mAotzszS7lc9#y~BLpWvGI%
zHyEmAXbwUn!i@+<o<dOcMb2MZXK>`HCh<W+&)@-e-EEj2e1^+$xYGXE82|+P9V`p>
zO?NK-2-)Cixn|tFE9S^sFDS^9b$sum=0{kb@Ml0WCu;(12MVRwS1-?B>-j)jrG~k}
zqwYZQUEJ%a$=2iaYk^pfEr%R^--C;Rz2<OFV}}ZCO6XtY@YqhA!^R=D%FSG7a|W6n
zkMU@f)4sAeKRWdrrn%!+Gs<%>Nj(iaD43pG^vP$>4NmXUY&~SC;W7yCFQ+>l3yZU}
zoOl~J!yaNUfdi0Nr&S;0Sl9>;aVyzNsCiES8S|IS=m~niZwlP~p#8O}X}_aPI8K4v
z3JKfcR{v_@m7;Tseqq6JtllVi$_@iqh~5<=@Vih~(S^<sXtqWF?KEn#8)3hFDg}M(
zc%0<bB6AsekuqTLh9So*kv{l9?>YdK5=O?Epy>>8rl5L3=8+Ky#jQE+gPZ3X<T50B
zxjM+A%y_L9Kh1r!?B<!NzHlHtIwy1!py~~rbK>E+6`07OHZ;)x48~%d>W69}B%UxF
z2{cT>`^3*F;!38v5U0aku}jF9hpO*!XfDuLX5WlS9e3&>z4(ny=ow1%pbaI;CT-}5
zEnJ5ToZ6%Bt(4T7r1NQVyvG=X1AWyv@;4R7tW@M_l7S-(i$B$zCCsIapr?nE52vr%
zfpR@`s4ej<h}3tmZw_AXz{#KK>}p+s4wfg)ewCIR&3<Ey>8!Lszbe3F<PhjL0ckkx
zgqO`#ND3F4NAa-PFB9%GNxin;$p~=)zqa2g2o*}`RD`(DUfZubLR@05?ROfo;V^(_
zayWW#>Bq4Vvg((`(>?JT*YcT~qf$?&x=gB6zn#XwlHm}p`ay?z#6fM9aO~E94bcOe
zMnv8RIAJ_R{gGqWa<GaWGUr2K77&M|#_-^=mz<R05>Bb_>PDOU^5&XUg0R)}?uuFj
zT&cZ$zhO>3ZjAd}&WwD^?Jy0FnpYSX?2Oy)`8H1&C}u(%r$=CX?-^i;Q_7-BM-A#&
z`w!yHLh21xZ{XiN-96O1^n5QOZSL=J&~$>_N+>g4jxy)6)RCyOtCczlq<C)JkOQ<l
zxCvhsJJ9A8>8RJ9<kG}$HI*U(QO~@XzXqPmUeWCHf*8tk1<qoUF8^41ai9SWTXY~h
z(IY`U?Z`{WQf8~s1&QNR+;@Tdh)*d-RdFtsl8{~X1EbNB?j4PrZxbAgb_Gi?(7UHF
z755e4sq&j>7tu@Kid;SjiFZ~~kvP{pSPQXYsYOoMB7hcw<1jQ{2xKvkg#h#!w=&hb
zJ6O2)a^a?{!}$4Ziadl1?eR)+@GUDsyh)Q-|GfWT+K>at7!7Y~rFs>{3tmKPrc>RG
zDV6G%MygMX+O;0P0F+`$V6O?gYm|n;q^NI9*a8z)iZuJfOuLEJ;s=8H4$sQb;JLH<
z2;aDJz*EvC6>2`daKP{vcnW4-Zy(f5oFhyOMU$1M$A49;z=U^7rmeO(+kvMO(O&qb
zEpEhgws|g!oQLmtd%+-_x{Q}+aY3*pw=6Y#{pjNSd$Kz_rrUv7inj_(Y4asqkv0Mu
z48T;w&n^O)2xw^|U`l%wc*S~+Nxr$}L`vCS7I^t{X%c}?;dT(00y?lBk?Mazxj!hE
z2HGQSd0=~4s;BaQPvQ!Ypeo?f?Zw{7*$&J;<<PH|g)0bOh1y?r3EeWo|J*)#uw^rL
zZ%ly@^uOjj%gWZ_=YID8S-3lHr$!YN{+3OLQYc7h!f(>G9(yVp-GMeKT~0zL9j|X{
z?R-=Pl5g3c4f}(;So$TEXAYp%1|P)+@kgK#n{R-6PW-UCc&}ki{@)eje9e0eGY98z
z<XNbBzy1`>wk-Q4@~-Wj(WMuXBs{*Dfn=%x1&*8!eqn_qp64WVKRSu!IV~oT$W90x
zNS#R}*FsuPQ`L%`^<v{nAko^y<%O9sbQFHUVqSaUDkeC!qTx+aKjRV7oK)co_G@z$
z9Bi}O#$SvFY1`Tk$Y(p-_zV}{*2A3kTza&p-EJvD&y{Yo{GZ5oiuH}d%o!LT2Y?B0
z0wY#f=Xs5ORao+HpW$mw^PH#d_#K7;7tS`R5xTbZa{;64)PVhriGCZiYv})5QRJRh
zk>^5g%cvvDhH^*2R$_T+?Rc#wc8zpumRcMXBbOyz3wjZ?DwFo*G;|0n+*7d<FM}xc
z0HAn-3Leh&;ymryK%AT*ljn5PL)}|$1rEEk75XxB=smEdlV6JDi!<>FQwJM@HS~>e
zP;9ghbl`aRvXi(}71N4@^Q)n(tQdv8$OH@^Uz`aim`3sgFi!&R2H}A0_lyOb)y5N{
zK37tLMwcIdg_uqQ16qCFW(98qQ%t=OczRL%K_Dmf59k}<3tyijUxG;dG3R|kh231>
zbJbxcKxeL?)A#m;-UA)nJ+Uye%N6vbxtg};x;kz|OW^f28EEK2M#doxMmFr0)h#So
zvxysBmz2Nmom_kq)c1WBR;99RZuq~Rfr4NyYzjs?`rZy!bxs65+}42?#kq*2PbjX*
zc$c2$C9*TH(Y>Y2_}4cy&}FIjR`x>Ce^6tw)<UDvAC&Ocjicrk1iVvDv3UyF$9Tr$
zW(Cgv<4$OC;78tu(G9H}-4RTS3nm&RxZyr}0&@5VNLpOX^kc+<`OpI1QW8n=fY@f#
z75Q@oYQ9;Ec&yYynlcp0vZ~(HYpe!*j2gmp;uO?P_<Pn?T~}6QLC0URu^ICeNz1vC
z(65Yq2NFT#_diQyrWM)YAR?beWCXjjZFS*He4C7^KAK=X(m<^fh>h07UOXbPQWC==
zk604LQ<og=jfZK`DuktLviUF)<9(;~G-Eed`jvsm(nNpL@53U)NgU--YQO;<ztHza
zU~bIafNv18)+c4OvdmTpNkT7w9x4}4aNP{mf08+l;zbi2(*7NKPzS1*D0cVa7fbV{
zn0s+Fz$?DF<$-_wH-p*1FR&Vl0}u29k&A&1hmQ&?Yvu6W9e?C<9QYIrM(@GuTv|fp
z4Tvl?-u*92fv74`bSfZOQMD{0`SDkw^drgx_hc8EHv(5!hNwNRNS7INDlsULm#?>h
zRHz3ki|zCB<7K{c39M@#;CwpNmVShnI6uM}V{Jxa<GxUiN#dvDbUiI0-HS}%MiU6D
zYzy@^fvZhm6M=aq@Ldx~AFiRRP2h_rup5DeCh!px2>)?Z$Vop^xweK{buU<U0;&}%
z(-ye_|KR_MZ-Ev-mu#huzVG45#X^3yVM~RYB4J1M_3{47lt2b0kRh*R>-BmQo<(?8
zWQ$fA-5*h6g@hMIR>$GY<&5#GB!@oZ*URtJ@p-VF$TolN_`dqJ0+ft?oU8lC`Wq7B
z6b))xloy!*g3|91>=n=*%p<<uD)>T$_%1}k7LVQwTYMgpXj`21JKD(gmSnCLqBV$)
zxzh;oR6SjtWy$8|KBz+h%&@IGt5#m+jpx^#N(D%`Uyc3mJsd`bDv$}x$@{1tsQ`A^
zraw!XalQ;|%#y7my!e$DDn@m(Yg^)=-ne^(`kR0^1mL-_xx|(dn?@z%H|?Pc)@Jo)
z#6$h9XI~2*02_Sptxoe%6yqbhG|Apee}jwIvWg`)eO$&HRZ@IxP2WsSs}N3ht1RKf
zAupbB+YaZ}?P!KiW>*OMI`{SAyMSu0XMOS0tM2Q<4-lYFcL3n1`7e@rue=uTB22Uo
zan#%aGEmy)-PyL#X3glcP(-b<9{{(Mvp3i#jHzeL!8h*jjBMxh{sDg`pWqWA?4Jw~
zDqXyw(!f1xUCWh!pqB4Jv7=S-`U(v(3p4mw-9BlhLpPhiYfRw3N#r&Y*i(S+p`klW
zK&Hm>F9Q}tU|%N3AnAA<>qAQ+3+$F0u)8Pom1Ou^d9ty%c9ai#!`jjPPQ3n>VX|e5
zaMMe-tI}x)sP67%62Q*yyHMZPen7!)AWxKfIGqK1A|@t%gLoOUjqudF**;B8kO?>X
zY41c{xcD35ol7Ol8`<uRf-;ci3A=hN{L@gyTKIzyuY3B)MF_^m?;Jm3!fh(b<#In6
zlWh!HC$(!XO2ZiL2bGD@AYfO+3x_ImVp*mLsty!PJB^_>70}VAITj9XS3A^&pVUr+
zJJb#>)$%dNwcuYjn?vT$&{ui3hm3Fn4R1~}Dkv5RK#%<LQ9Uv!^mC0y`>etJQ{7k8
z>mE;gh;8xmCe*;9!Nq04xeTiE=`=Jr+5vx)82Gw^OL%91g<6466lxGawI*l}q{&s%
z_dNNyhKeo_%mg;*OTY5OD26I7!!@DID6G2MuBP2%vkm_X3z=}=lAq3{7=80mht1MU
zagA-k_o$W@IBZ41@YirU{^`o+Vu<!Hqv}x5=v&F-ZJ8g~3f)u3mn1xG{Q@-??&Z!-
zc-H!56LuVrIeP17nV;A6YD~QUr|D(XPe-(SyZ*|mf0SSA^;dem7hj%LdOr|pwS9gZ
zK&*Utr@B(`o}n?U&}9tDLmS9nQ+;Z}cpEVluGC?}qnl%T3n5P150(lYH5@rsm+Q}r
z24UfJ{gu@qEMPiB)bs|j;7*|r*@B5t*pfMDA~3!KJ42mOak9=V_Sa?g4-Hx<P44$K
zj18zk3#G}uNcxusEtDqDtI<~*SfJ>OvDF*z)J&)a+}M6fWzc?VSzBa5uMJ)@Ef(<v
zBV5KimGZM>41QEs#FoWC^D+RE>MalaQkFW8_+>qJ@%YR=$6)+6?I7>jV<LhzTC`R6
zM4XGP?ZhTL0Bg-SrTYWNEg`R-o!rn7Gpb1(7xSqIxDP9gwO@0|&ILEwlrCIXRBG;@
zjFJg1;i(Cr!qlEitX09n_^Kdd-1V5HrR(wXPUJ-!r29|tBO;4{*8?t#fA3L4y^~J1
zxvMo#l&$zQfR9vc@TyhQa6)2iZkaJQuk8G>g)H`oD0V_ox%{;i^f=?mHs|kf4QzUs
z;aI;02|%ON{(X7=chy@6x(<F}r5LALgZ<HU+Rw>CL`A+s^R0_T2^_aKyCWC!8{Vun
zs58DJ-GOP2N5Z+f)IXB~4tnd+NW6c+_%c)lLDD*DbMyu%$ogzH<%?~AU`Y<H0MK4x
z5LE$L0J;f78O(6}O1@ID%*8!uSOETLlp<7=f0c&v$ApeC#9?lr2rK7$Yn?s;g8-7Q
ztk3ceV{H)@$%TAv5f;h)vPfQpMRLC^k{4l-+%JpdMOY;F%OZIZ7RmiwBnNL<YQ=8d
zUvfc2yKSeD{6_Kk+-6GAwA%pI?-f(|6%opQW7uulxaj+Ywbn@d_YD6RrcZ3B`+Vn8
zw$$icn7@TP(BU1?<~<K-MuXgu*UobvMLp<6?F@Gp5*&fSZsayLdAffz3dVv|XgDg(
zxs=0TbrmbliI8b;FvuGqi~K=(kx*}XRHLn{Pdaep1~wl){~tx&+1;J!NK~i88%jL3
zH-bA}cE{7p;S)*p5)Z{E`Kup_nfb4p{?dI}NFmLfU4?Q^Menq5$z!4xE7kEBxv)3D
z`mE!vm9mnI@pMvpYEV4AJvsfl{3E3w%=}@f)HsSne5P7s<@k6M-l76u;;13ndgLLS
z?Lw3mKA788564BMRS*UWt=o4C4!l5fTT-uv9#|cAp^b2GcO*D5TT%-T#}_#MCDMVY
z%;(WFxCqdhi_qyU#o40o`0Y%5)fa_<*Nt>&*6El<0;@P3Yx^twtHr##93?BjTgHeL
zb^PG~J;pzW4ak5a2l$UUY6i3oW(J)MxU}|v?dc)|I9wst{YYT9eT5oGp#~=u!mrNY
zDK!4va_kzcIRP_JmWtR~UjmIrSAQ!cX+}o3Xn3zic=)XD7-%!nmNEL!_XMO$cs-A@
z=6k5DB00Z+Z|wdQ3pYvj2c<(H=>kmsn+f$+z)J{@C=V8A7sI~7vlLovLs}b7hZKTU
z7`~!3+A=T=`qfM(#bU0J36r6yX8nWm?`jz1A$vHH-K6@Hu&Z4y$bdhY3?=S&==CHl
z9Z1U4fQ&8@X>UZ@vf#M1WlX5rks=vgsrYWTDbuz|*kFf5ujDD%O==H5$sev}V<Yu$
zuAw+_jto5?{9}!zj}<J8JhdGDred>w_z!9{E)cm-Tgi;Dd6c03XkW4%`<u(Cg88hS
z0}Rf~f)7Hp^au)%y3<<;3`~=sp8H)rKbqD=O&3=kuec1jzpR>ow6p$iX(wi3DOl15
zXOb+Q-joq4xCr#aQCBnj8GA@x-j_a{g==BwCgNoVuk<N+gOXhf$ngi{@KYwVykn$K
zm{G}m5@@l%iWO%fXg!dH)K$ba!txWGE<b^g2HuZhZWSi5_oD}{%D^vnZK{y&{w(~W
zJoo3|7aLpm=i)aPzj^r0!*3ye3-Rm1uM58w_^rV2aQqI(ZzX;!@jC{;WAIyrU(`$K
z1XsW{0UjHW$F-pU_8#GFajO((zI+Ah`K65`gyC2?<5-kC(B#|vhi^;jr`sJ1XF34z
zZBOmEr&h<UYE&KUtJb#G&R~qoxFj-jz+wG4*6aJFd+R3v15=5Mh{)CZdM`u%Hb+eX
z0_s&a+@N!|f$c#oJ5@`letryxTV(3tWE|ei2A#$jPB-G*l8iG`<E)C|q!H&z;>h_|
z$?I#;yZMrrkt&acgDf>l%?Bo0T4(fGmeP|!6KTGb0o$KO{T!lC6LilfM8PgZRt$|S
zs!=);vr%{o!n1M4f3(uhNK)F9T!CS&F5~G|G8K3xrnC(<mVh311iNQ*U=^I51e&lQ
zAIoe6nt_yaS__dQKaZo$DWr%9R>k;6Z~pg9vbK_CE9UV2J{yMj`qV+pJ^`P_Qe8Fv
zy&As)h7S0Bj)+gusc#<;`UM)lPUAa{h%fSZSL1il`0F+PCb(HRjGr!%jTp?JbJp4!
z&H%3ZJWe^h&0dWB|7sN_{0jk}CIGsm0I)m(a4rFF#{u#B<#{FaaNJ_9|Msk6__LQb
zA%1A`%8YJKV`6%V(Z6%Fo9=&nO?Fqi^fa`L{l~f=FslB@Kj?`T=cjwNyGE{d(IM~V
z4la8W9>()snNk)^`*1UedWKlzf%+P-VrBuFb($WUqHli(N6klA`611Ho*ksQ)ituo
zbys6L+ig295=M`KE!VW&3!J|Fr@F5XtvaRH7VZvli8IZpL-T1|<C@l7gZ5CI|FQcL
z<l@_(?%9c<qVWx+JIIpm7-)v7W<C6jzBv*_$$G6uzgCWh@Co`I+*JWjESmvSch_o?
zEDH`QgbO^EEBN+%-HKrvn{cQ!(8yq55Y+jx32cXfnY5F%n`MF3a1$*(fft~->2xey
zbQzQhwkBVGUc3Z9WyV|7Xe?a4mMhS=dg;#>FV(-#^u}*tEp|L=%d(FHjXXh{d8LkC
z#8<(PI(&tR<^bC9K)Xt#@!c+_J^|pa0AHiQv`Yk^1n`OAh(1ja>%<Qr-2f>xF)$ri
zRII_6Bh0+k1Y;hssGkO7nlQ7-1fKzLe+|Z*VP=U5?g4PQ24i7oW?vJ0c4@FG9r>LO
zm`g{)HqR{8!7~vYpo3>2Sf+#72oBW2a}XSa;7^YGX41@q(z)e^3p1tU-fd88d9XGe
zh-G*oFsIz8wMls99<#<`)kScuy85HAm`s)hUMG~jOYLmdmt)~g*%^hkZ|hosT#IY}
z!HO%aeO)T9cDB@8?cZ2!wX=1F-;{kElCVaKYu}a%t6j|cs-3Mh;il~4YiF}UNxf_B
zY*reBs2Nt#Y}OXPyMc<XKzH`ZwX=1l-ISdPFl&z3-D_tTn%JiR%$g(kjM~|(ITAS)
zVAdSLJ!)sO<_JCwV5zy;tTaMSubs_`Vlb<AHtUDMGiztFei%Hfb~fvW!R*@EtRK=m
zo8RYvnpF5~))gV=*3M>KQId}10=kdx<X!AV+eFtXFEbe&HU!vnlm%IfvpCi%!w=Gx
z1?w_cU4dRQ{xarEUm?S=x1~SnxxWl<WDgyGbwbCXM@)e^pqr4Kyd))u!%01M!(OnZ
z1zAi_R1W%(H}a)<N=jG;m$}LLk`oLwTt*=hNgr5hT#H?*q%m9|K5By@JxcdCF{{+5
z69xj$P!aKEgVDmazo?}izp*cksWSG`ax^h=ZS|#CwnJ~~doM4xqM=^~A_Q~0I55)b
z7tDRF@qp9Y;Dy*wK?*Z<*wd@l!=AnYh#2*7J?-haznS(l`T}MOLx5=6fA7=`o2N&@
zAjyMOgAU$$A?i6f@;uBi`|-#~OzvTaBlFN-oAV6h_TiVvZK9Ri81{UN_nW!Nlt*UO
zaej^Jbm`ZmbLh1$nrW`f@DQBt$9_B3eV*a^BY&?aY7FX(UgulaNF2YU&o%U9%jpT9
zeV92f)339}>0>_DC&e=W*)*_c(|u6)csy?+O<T?$49C9QXBz#P(N1R63HKLfCG~EY
znqky|714zGkWt;)ckooVtAX9zVs>-&s92lzK8Mi><k>0Z?{%NR!+ovko~STc12j}P
zvtYcd9XqHM_3}T?ALmE<j=%$7VBw?UCK)L8-3O6kiWQqhCg9^fXBZJ}ZCFikorw?0
z#+znyb!_E)6Y))oha%1V<vSfG=G$y6Up;gc-ljSr>}5*M@?1tpv=vJ$@Wh9?@iV_3
zY?BlL**!zOfBre@{Zim-Et>;2RTG&cCyC=#ap+VUXbo?Ajr(IiVh`z=M#tk#Jy$tG
zjqJ|(Fz({xK`H!|U~rcy8H2~P<=TC??PhlAhhy-<sO(yW+uw3z4DM6OHdfei6pWD;
z4efH|@LX=QXlTzThhto9(dc=UT=-syxIGDXJqpH27RFge!Dxf979UHAU2+r*MGS6g
zg$s{@v6dJo5ToyrF=Uf)F()UZodGOd#Pr80m)u8}1Tvs8#XL#)H9j&e{R-!Se<aB>
z+oyAJE@_m2hTw;Cb$qTF-vA>>{0#G38f+{}(049DQ)T+h70!lJbueRvbMbRAs$nkG
zNQNQG1fg849ib5!1-YN11+CXDC=HKQOAGo7_((X<#d`ov;K4aGcrBgfV;>d%*MEX%
z>E`rhH&QmB6}=>0etP5lbvYc=ZAEUrHFjh;G=Uy3Me%)}iI`}az9O(%bEvAg*K2h>
zvZ}eC)v9`AHS=76GoR!E8>igoWRAWyDace<@l2=L)%^w9zs~2#>gc&dC<Q*j40|-L
zVLEEgN9Fj|qza)(FEr)4Fj-WivC1340r$4LKT|xD-mlBk^s~3VHEEg>*S})x?<|x$
ziS#}JwC>N;)YHS_uRZu{@2ELN_-n7Jax=6}&MJm0kEq0Mmo^(!M~wAUm~zZ;__-DB
zTa%&b=7X*@Ep;Dy%E)>6G%?dX<9ut<HP#8lqFhxevC{CV8&vfXa|18kkV*KFBgT4e
zH*+X-_&*e03Uw}TVlhohr?#R0jl6(Q6En**(zhl{WAUyc`WR{Ls)2|erenF)JbsSG
zryQmW|KrH{pJP(>dMdqZyqan+(qL)Soutu&G)`n079W{Lv8K^%_nhzjNVki~F09#0
znbldOv5}u-L3QQl$NVHU)sCNy_(ZdP@MAPv8%#ZB{N>oAm1Y|`2iddb`hRsF=UCJs
z&~)bB(fJ>_(>peg4qSo4V~`ZVJM6%L)kx?c(R`&3`*im~={<GNXSL_izJn?3^W3)}
zWOo;io_6q245s|7gzab*2hl3H@aQrcTA_SAQ<Brr2>^79n?dr>^CZB_;J6N6+}E3D
zON1l9Gd0{j5O1}Rf|`T$c$;V`%IyCr8>`Qu9F$t!2(WqLgy(%4WN-<3wb6gew~Q;X
zbme!WK}MfNZ`=>58+wDJ?u{!*<x)xx0%dQUFn-b7?((_>R^z5CDHFQk&sauZh!Z93
zI{u3PHL#2?5Na&U63+3u$z%M+ihd`R4N?1A4?1d&B?aFS4j3S}DJBBmZ`-Km?`vz@
zCrkc&!0j3$EOKXeB7u(BXjgRn=WG2#yFTJoq>g%f+lB$OtK(YuS-{&=ThkGAEE<Az
zO<S`NrZ)s@DIepT=E&VBWvqYV7DL-l4qNm|R53IGrSR8~DdQcM4Hv-N_ZUy)Fev5t
zgNny9B&L0WH1~f1X}XX`OS6{J{0=Ws$k--2UDE~LC&W9)!dp+gWidRtcqHRTp4{&g
z`3hxCkfeVhz9V-^zDfEznh%CON$0fW8Y`f!qnlKkZ!_K`)0&M7Yl-o|KQ{5(w*yMs
zma0LdJgp7-ECjuzmvA30b`B&{efc2Ibb3xe&w(9}nD2e?P>A8yrefozO2|vut1&yi
zO2Q7mht*!sp$N)=%><tdD4vijSb{gDrlgexJ*o8gAr}OqgA&>!{aoNw(-&;@j!7Vb
zje#%6>)#jgYvpjlk#f*SKza952>ewu{ssZxlj6++aG%U92;g4y>zJQJXT|Clm<Nb?
zsm45mm;`VWVk$5rV^N+2eu3ZdR^X>5;1j?d>OsW6>M;CF;(t0pWO^T2%OPO70NmY7
zj~p990_{u^tyB)kVG|Z<VGJg$$p+)gLv<s?29`z-!fOO4@8~sY!!m&zucpXs52`t)
zFDwr8=PkhbU^((UXeYG)BiBD__Wz;&k&jh7a*6Ut_3!7jzYGuF%g=%=`FS&gm5GLs
z9vxt|AG~8iUUMm$4q%k!|Cr^+?=$$da>`-SLvwQYacT}S+ZYxCqjdp94+=<er~se`
z!6`H~Apy=o4Md+Y^GDKw#5`YPb^~T7VhV6PFvYCEzHAKNM!ZywcLwl|A)WvS67O0n
zKwSPC!xM@BDRdb!#p?qb!%q>gTmbIzAb^eT4Iu$`AptuGSm}dPU^_R2gvM^<8QEqk
z$8x=5Jz`aoa$FGkbLE(fb#&d1H-_hvjjJ?Y=aR3L1e~Y&x&VARn6m&q%=s?n9Gr42
zp_2AiLI(>!8^fEJco%d6w`SmEe@X_?1eiy(3rw`#L~D+t9Y-_)9!E62akw#@RtdBh
z<7n8L+z=ArPVg7mh~A$ZpFp$;akLYNCcqU$TV$g3Alh|tw5~)G;PXVQGtqL1cAiGV
zZt|2&EVBbqz=Hvf+-V}N!qimR<A_-rQNT<exyD57LyGI6z7Ps2=4eC#GkxSl6R|%L
z--;vVYD57uedK!%hEU?6M4TQ+%+rVhX8Onq6LBOFZ;m4tYD57uedJjaaTp8JJC5km
zhyrH%$o(ebJ*0R{9I-+p3Yh65E)#Jw5w}9q%u)~6hyrH%$QdT$V?<mWN37I{0%rQi
zuP|{e^&BGB#SzD7L;*8><U<p20TJ(vBUWid0W*C>-1~y!8X{g3N1UJ$1<dr3NhZZj
zL_AR=p6UuNW4EbsCFUyP4l;3f5jTQ{iGmZCBSnoXF%IIMW#axu++}gxIty1~wjn06
z4^s&izx{2%{aYM&mW3-Zi-`NaiQApHcf@h$Shx~n5cfqB_hRDa$8qOcxDs<KamSgs
z*All&9CyBjD>0W6x1WhyO582?iyUAfmo);HElJ=fLjwY`o)GC~;twPK+i`p@M-X4&
z5lAiIUj<NP2S#U<$6dsq7RTRg;tQPm5b&=j{vs29BJr<_<L@!?1s)K5Mf@2i{v*Uc
zQ{!X(Q(R_k2nlqAV7C(cMicuvV*gYnr9DkoH$fahoQ5_YkXsp%^G)o35qqV^hNqAX
zAp$shunXl(bZ?P1jHX%6CgRQ(Tt`g@5!Qwff$Yvdfy4uTc88IVfv@|qBlhPVgu?$c
zp6hjQLNCk1P>1!h9MAd3AO`(;h5RfSE<bO&h%WtkMXWzx#+4r}jW1b@<G}<w^WW~#
zzsvD!b?T=x{o$QD_U}awLf~(>B!nLH6$)k(DS8Fq?hXYjwDOXeR}m9^Jl4-eh&)&$
zpP@M-i1jlCP<c1q>Tf~3h2z1qlJE&)9hDRR^2Gib`1?u!r@sn!GQMknI{;e+;66jt
zN9QW=PEyU4U|1fxrAYSOjnW$hb&W|~`E9s`@n_?_x5wISb(%0api2B3c}AW=Piu`o
zV*0?lKC+gJb5d#_YWnEoJ7b;<?|Xp!RT6agCmgAIJdLHnn(R76l?Rt**UIm^*<Shm
zSGFV(jTp#!C<RItqBOt9Q9yPu%hE?!di=hP-&lqnfchu;AnB*+QiwiuBf%;GxV!5-
z2x1jK3uyG2#QN>dAxM!%HuZrZ*6+Q5n$s{n-=eaeMdBwU;S)rG7Z6_`8;#>%O#E$7
zZ}b8uCse<{k70^-qSu?$!7)<t&xDdHehhqg{aMA=-^DSU&M#KKtX%UPf2QgtdH+xC
z-3c;Q1DtpyflGT|j~KM~Rr0f-UVh%3OY}q9`z*k;=zCKDJ<N9A3E8lE*P*OdcE>RN
z(c8Na_y-g)*4_(9u}%PJ?=YGKuy#LyI0ODUAQx}%#Y7&dk<TD90j%8@1$jP@Be-RZ
zF?Jz1+ZY}|{7Vz?31IEsC-{xThgVSxe=zY=HGaHz5GeHlm+_c_6JeJ7lsi#Wqu`yT
zNp)O<TX}z0$Dbh;`8#6$UV)Z!^!6K@pWg-&mcU;FONR+u>X(Z-oS(_h0xn9G1>cl4
zt3&E{Gf3$A9ZmsUYc|{SSU!~V$I%Jd<sB(I-0u{bYzzy5CMZU%e*aF2^93OGTv>TZ
z%om7>*Y9ma_Gx5}F7{Z+67xD@lIr&$M_Pm9_^lSc#5_p+#QMFP^v@D}JztwZ!10>E
zL&%UTa9R=)lScx3VRf;-gIJptD}+vA?58sO*`&JMA<FP-Ly|I7fBomm(1KJ6>lF`6
z`O%ypy&NiVkbnmS;J!#RMi5p0c|apWk-G*nDVvR-;A@1bjp1jQ{8F7f(OwCB1Tnjs
zn6DDEqhP`%f>h>)5P@thPACM%BPf03Tg+<yWIR$0mHD6b_aCDY6zZiTDU=?Mh{i6f
zlAi_ax}d+q@pGts;sFpXg?CwuhfTe`8`)5QFG<X<_mQ%T>#q>7>rzPn^ByVgK?{J%
zm+^>|m&BX|)VThBNaPh7nflA6GR>I8L=cmtzw3$rL>#}u!k3uE#81@UZNwib_*#E=
z5pcaGFka_G5cOj+6aRwhHT6r!k^<G_7RG)lmA^?{cf08B&P7SOyJY>J>+Uflsk>rl
z_mPeFq02G7Jq8O}szCtmzw4X{qB4C8Xyj(*%+a@wv(iV35%DMb)lKJd)b&d}z;U8H
zrmbxDPk>DACHdbw{I49T>OJrB3I=f46Uxtmdii;CK7O>O$v6kq=><eHoC+6O>J%_T
z{YtrA|E{?$L9LHsCyPuwDFkLiF=KYJ*WHj<tpG&NYOTB^=HG~k>)9z3?+A@dJ*%^j
zC1x68lJx8(;-4SKpJm}o%yq<1)U%U`|2ygz+{wCDcLH__z)d?j*CHS>86*(5lXI+C
zA@n2CS$6WfTSeC%T9Bk`gTDB4U3;-I$xgOQVfi(GVkgfgfBiLorkx~+?ZD04<93os
z*#K@PIA$kLBR%T#A>%rMUrNlFoxFmWTW%+&wv$>P2&Qs(Ag-c~6#rw`V#Yr6Qfu*C
zzx8cQr!5PPkqOX6<h)J@x+hbc-i3g~kH#jIk2^bM{+DP)Jmm(q2E>;_&2mgp^>F%u
z9`W~YHDuh`q)|m7<2TRzt%PQxDrcI+-0;F=?HtF(o9u2bBQvR*8H}$ssdMAZ{40We
z3>;*Q*%RXTBmSqFcpn08Bw)D!+<i%4`z=;!2K)p9bb(;bBN00bv9kLtb_Dm4;@Dkq
zHAx;rBiWH8J67k@lYqMj_>0abm-##tPx%tgEk#zErfqZ_J`V?+B5w+OV|W}1oU93O
zm0cCY5&23_gl>AmlYxco)E=lGTyF<9xldGG<A^t6!6z~Th{|!ZX!YFxXsxbCI_zma
zh`|AAZ$Ydc5(2j^G8O+v*U6-<*Dig6VQQu-!!9`wY^x$2$Wd47K(6Yg19>V(2MX00
zI^a?#=|F|*q65QKnhsQ|-`5JkG3rMhs8SIfn4mUGV2Kxsq(0N(T83BYa2>--b(jlM
zYQ7H7VfbYop3Cqo9iGqdqX_HweQ|*I4DMh08UYXNq`xvef~&>?Az$7TuHNP{mN2r{
zE;Uq=t-=SAWl;|d-`b>fmr6QfNIFI$-D#4JYeDgJoADLT@Ar?HA2B2yBa!YqKn<V5
zM?Bpge8tnPkaWb5bc{s0HzgfchvMmM_QZ6Cq$7r;V<ggf04+A2OUG9U+y|Uv&EHYZ
zjHL7fBs~!&JtL9+GD-hLrlen&oIWcl{V|fBh?1U>NdL=6%-_h7^sAH8=O(3pADH>`
zh$!h9iS!EqMQyP=Q?KiAA;W*yVHd-H)8Pt+{W?6H;Rg{eHhh%`<0&0?4|9LqHwJ*X
zyaxj-e;$z}Uq&L|0!^n1U#gc5Phj|L9riMOvJTfW+(n1$7`E&1EQWu<!_&r+ISA58
zgx0UQ_=@NMDKPTq5kvB4B=TRzbnnb(x?f}I>XXtvC+UbG=@^N0ex@@TnQnC~-KwN?
zBPAU%BpoA>uAJ$fSj%+lV(Hc=r8{5J5kt~366sC^6!o(iU#g=HD~1nzAn-j5@73W}
zhQHHc8~POWl@6yf{GkqKFx;fWnG7$`;Vgz<N7(S?Ac)$;?Orc*o$WOjkhna3z=9qD
zCVVnd-KVMKF+5U-3mG1!!|dVI03EJixQ`AGXZTVbu4MRJ9UjB*sXAQ6utSHv45#XF
zEyMfX7b(;+9Mxftebgo$p2P5`Iy{%*79F0?@Dd%aXZS50Ze;i+9bSd7?nWbj1EelE
zs3TRt_UUGQ{;gLd9Do65{E521`(!r`iE2>wPd}|lyt=R31>Y1m2I2<QZ+F|vjJ{QP
zch&}i30?}6I$!eSAw1+A$H(L}0T(wl#HoQ=97iuS@gJMTD$`j^pTlrsN}cTCc(Ua4
zHQ4z3&BVVOMD}XdtnB*7(-p_gmrl*$L7H~zbP?L5JpGlSzg+q&MSl&~Uq7#5l}#F>
zzqaeI3Hocjd@ZRZ-$J%U1Ef#_SV(|x$y{LIbjy4q`j*t|uSfLPDt>vY08eLqd2T=`
zM?zO4lqaDc2)P(?cShr?KuG-yE^^SBkBGd4fY=dvJ6=7B&*)nAcS~}KSHtgx@}0qN
zH@}~kZ+2a36u%#q??!$P!FS}2gmIOzglwy;3GWk!!>ejbzf5YBc8|)30K`3NzYNF1
ziqzU+xVcf$u67u%eN?2>4$Hz1F2{Ihfrr{*XBtoIcMWjlq#p_w;u8oq$5Z{z;tkK<
z-aMQ8Vz^w*1I^}s+4kCgxH&ML53ttu!_AKAe0sIE-?=z^m2h4HXNUl{d0OHL@jgPz
zQPO(gu8?OnyVSgn!!$W4p+0o8nFFyZXh8iQl$8z2JpYn#ehJAWFV^{m>a0GfR0tcH
z!#!3VDLwvoOvlb=)%!6@^Vb6As2RcrYAj(%nebe-^O`syP?D=t{Q@yds*)T>O&f%T
zBsP+kB#U$s0R&14b&};)k~~Mv8#+m=l}n9IA^`aA)JbMqNnDPap*l&rmCJQHi2wp6
zl{(2yR+8b48X5vH#wQOnW2fsR0tl2;=_Ea^Bx4*k|Ar8dB+E>4j*1q<0Rg|)lG{(K
zViK6(z8NWU%oIJ<Vx2+&Sc<h$G{sW*+3?&QV-9oR59J9#HVR&N4M+RN+=04v16kak
zMK>T?*f9#GGCGgZL#^l~h?epg1(l4pG5T^V8ZQh!ArdkQoQz&O3enwS(UFPN9^(lS
zyHRikG3F5CmliYo$Z(Azb!ikFcoi5`#Q4<0;Pww_h{hNNUlXH{7;jq`T{VX2o>8!v
z7#YNvX<__`!M)gXIAEJj?+@|idmMx5V0l-DCsotovg(07bF{)^b#DUO?uAsPZ_y5J
z@Cf^Epa|7?`-}Oe6$d|M#+`ZP{%_qEyNvq^U4ge~@pvMt8hnX%%UIk!0=Kd0;aXlq
zns+s(X2wVtpNrB-$5yxk^H!NjueOrXY`L=%lU5-qxsAKDrakNO`YUMKX8>C_?K!AG
z=Q2pFP2>~(5LPpRe;mPv)5784^LO|4Ml}v8!oTkJ%gxmAh(V)F?<vPO#|l9Mi&L7?
zum=o>XOc>mrUk>GjaOj^qIg!yk{_Ja!fjj~lAw5wnhy{Nb-0W3^c|{g#X*QXu+mYp
zfb3?NU}b?f5`3}={=@?JBayRBaDxT*5`3Nse#ruVMIw17_)!bY6ICIn3HDgv0@1B5
zqh3xDVk3mOjHXcyfEXf~2$}Qe77>sw3+HtCPZ^l=>bllq;w^?yWhcCfZc7tE;@VLJ
zYkEgZKj4t`XG;2=xcrike%8^`A9G0hEi8TIBgyH9A3gp1?<Mp94@ti!Ien&;zSpkE
zG5Vthh$!Hp@|cuF4_?74-$<tQ0oQ4)`&EafzbZNXiJ{87lhZ$n^w9cu{+U!^)OxM-
z&w_v)ERvRsD+f;Tt#Cj&mmj2W1z&4M^@x(1Z}Cu>2Th^1<M{G$U#P|6R2D}b{O%9$
zjpqGd@8r``FT}2Z_)h%2gS+3p70AEMy+b`fMjfFcr{RLQZS=mh3R_3ddJxs_6=Lln
z+&_u5`<3V>;Y&O+ny88Ahk1bZRCYGFD!vydmO1i>ROg`qYWsAU|BC=`AtlHY_u`;I
z$X?e^y?n*v5B;V!zyJZqpHJ-dH8S^zJq)am`By;<EyeIK8Bs4lgre*#>D%HflRsLE
z&#r**uvde;wTqa6D7X4|6YvAOaS!Rq6>3WuA244gaZ`VSGWtzOGZASdfrXn`J~%Gm
zQ3^cr1-CLhcB{V|@tVQr-%U`Wy~Dj=I*^HchGj7B|LO5fFq{UU*h>~)Eu?@KE+b}O
zg_;Xo$(){MRzMO7@<o31I>7w)*m-RD(Eb7XwiF1q!H$Jb6BD;JJmtQvcF#~;0?dV~
zKz@#z52<U$FkC&9O=bviWGWb3_>_SpxbvTj2a(po=)NL&gY#U*1gw|+pbCJM<WK0=
z>D`ec!`%neG3al^`A3p9FnAk|o)1SZ|AOGK97Gqo42A(>Ow7reIqpMz7L#9b#N=5=
zPj2cZ{8YvHO6+f9{!RXn9vQQzmg!WIfkj0w@6;YB;^R=PQe4_Z&&-{Pb*`8<8?1k^
zhlbPR<53$KR2zMC8Zw8B-0(vmT$Tx1(w5YJsDUPwQw$A#9?(*FszIkT*9)jTD0l^$
zI^O1RXP?P6>94S!$aUrW0R_bhrp<ud>5cd1We4FlTqmCpOP&ctCftKa7!ceO3bAht
zF3Vt21SM$?#5&>aJPT#~2oVgQgYYRpX!cVz$U`x%1^Zd)@?Z$7xB>PBtHzzpw0`0{
zv1ya3_=;(*pGsOzd6gUg-pnwcNTlE4&|vA@cB@%Sr3KZDA#j)p^l6}<lk8?c{WYa9
zhiuH(2IIpUBu6RDezq>*6?Nmk1s@ueQffS1i!T>1blr;{KrS50?L+hW)e6VsjXhU5
zLSNHq@c?2xK-1R+<c@@K7Knv!CPs&&VBAQI&bZEGzBDVBypnR+jg;Y0q|yE;G+3JO
z-NZQY$Qb@cV0eSX>l%3qqK}OOgQ4RA6D4Bp;=P>SFe8Hnqc~QB?II;8DD8?CsofN5
z&6@xx$<lL@{!G=rEUo@eL+z2jTXa|t_Q)>DsL*6BE%KWTMPuKcBRkD+j{ly^HWjK}
zLm4=27Jbszjc?Cn*}{3FVT`9iAtV1uqMIK1XPnM$pp)PPHXUh}$PmcIgbxZLTG(aB
z0WYzgsJsTme__Q(o|Sm3F{n(&@73{I)ESZU;`tK4p$8Z@r>5x1b-rt%vJpEFaopoQ
zAi<Acs1{uHYSi&{OAx<>$3KmNmk}SDpAb2Yk?$drwG;3EFdlG;|EHfq6IiQDxq1?m
zH3`XHy?==SXjgRq5GWa=77~aFpXrWFP2Yt~gG;C(f&?Fz>Js3L#@!jy^O^Ke?puIG
zvm;n7C27)&x_}udNlz_FLu_3<Hp7<2h|cO<A~YhB4;M<(Qpa2G(NVkVEK%lXE>O7A
zASh~YFEiEiF_4LtslJFs%{e40OD%~-y?jVio|+SjntMo8q4LL~<{uK}Qg_Fq-aRC$
zLJf*V)gKZyT=kZyGRIq+>AdQWN^?#j=XFX0ZJc(M27Z;%%9t|aEmn`qm_a)a`^Wv_
zEO<+xblvFNZpzLnvq#H~*K#EOTlcX}@6^*^dmn;;(NmQgZ{?8yET{iD1WJt=F8OZc
zBNGmPAA$AFkfBa-Har%62VHS;wuF79#XVtDfB}tYX3iOEN4+^Lf}8!zkOd;REosA!
z7W%K^?C#qCx)5Mzf=<qKoVxE<u`qDo_);#?;mr_q7yh?Eoo3yCPy*jN{1>BS!tOs9
z@Lf%_eH{BMq~IHj@-7x$PJpwwjM89uIMQJU&Ftw_2Q+%*+a2BLm{=z&?hguqwMn^f
zSt`0o&u_?Msqs*z`V@;r=0^sKFhnf}0N5eA+LR4?HJ=c8e}lw}vt4j6C%3TTbo7|<
z5sOfmLI!Gu8gIftj}lj-g;Muy5-KF2hr}Gh&T66WR>f9|m1OxcCIE7tD|k~o+z|r0
zIX{C0Tux(ZCa0*Y;LuM$M!d?kZy#h%ZH)>1l8Z@wDki|FVPFdabvA}@91svUL~4r~
z>)cnJ8H@b+BJ>822$x={0(#^bG<c=PGt^0BMO`eT9u#K}SLZA`*j5Hw!^<$z`|4e+
z=ewz}Vj4<YBqfOmaWxyHrBhD<`Eui}EE2>3AP2-n@9mp7G+BpQ<0#}2ki%3PWQfQ=
zxPC^3vs}4Io~zknQ*Z^ZPG!<(%%p>mG$w-FUh6=D$o$jNn1!!cfm6YimTOsHvyP^n
ziA8^VArf&Uax1bfGw#XGL-Q*H0+`OjPygW6=a&VxtL~EZ4)xhPI%{!mkBo^L&$upu
z@*|)et5Bsgrdf<-JeC<tgQ($hO_?z&yAbWW0w~Cu8i%aU;=t-33uH2)ZcNB}GqNUX
zJnK0Lv>j&FE+Z{FrXe(wvAlO*AR1C38Zs9Vi5jvFk!JI(xec5}Zi8g%v_5ZA?z0gK
z-N-Esc2A3pl}@b7rY8=Y)2jEuHAckUG3kUuRnR%CKcnwJc@+&4wZP|UXEqgYJ6Z|e
zD*HQ_D6AbT_ti0ME;Q}w$J(Ca2y-l9Szu)ee74{;b7|mnJ}dE(kU5AT$lL%j<$*{!
zYCZtBr5o_f1g3SxaG#W}8XPQV(#6Jv`BLn>Woh6KG2WPnbSO67x(UKE7FFVZv9V|r
zeq6?jRro10Cg5R?R#)l_inH8)pbYK;Qs1IJ_~GMFZ1HVqS$Nz)pNRJV>hR~909GAe
zAoO!VnHX%e0*H;jdjJd??z=eaquXh^pN74(0r76T-dMqFPkKXU?{TnJEBs#%|BL%J
zj_Z1W$%3mN&$iX4Zz;ko7ym+dyvYV{nrm_FAO&g#IpoCWDKN3(kJ9vhcxXO`cMjAp
zI#aJx{3`RxG|y6*2$Tg5s<$!R=e*>0&Q_3rci4HlF?XV5lpIQ0!+t@ERBAk$-3VZ>
zb^0YGSO%0YPj!Y35d<gv&@)wWU>^yLK`@r4%-;6@(e^Ijbyd~gcUF>Kc5gdC(TWAS
zC2Ffhx}-=W1+wVc&5oo{rE(EOj$nlYLWP9l0U<RBWVySwN2@O?YE{k=rLU*wSfSS1
zX6N2}(i>@^7mBoNH@#oeYu?{~uC<f2dd~N~-}8KEy4RZ5F~=Npj4{U?W3I50YHWc_
zv)whTRMnC~F#_1iMf~8mRmn@KF3Cicb>129-DMqo7|^KlfX>bKQ%$F3$%l(eQ!fk*
z6qKn5PTq!?H$JoI-%J9#;TnCffv;f|lojzsEi8?^nj0EuYS}v4J@W4rzs$Bbq4N)-
zW8=nFn)+WmRF*&V^C58L4;qe)+#pNnFj+FmE>x~ughKtE{Bh)$rY2q)RR5t0yg`9r
zJmd>oCQn?pT-h)7)(`GU{@#CRd$_Q00Yyb<)u;O)?_brv$SsR!*o2(#9Ajx>c8dMS
zS<fM^tLvy5v^s%SGyiG&VzSHiy{}+$y%uLyvjj_mYrIDI<6=A^??!ws_1txwSdzgi
z<qKMeQ9%5Q#dGw5XhUB?%iI0{yuI_OYksrc7gBQBAK58E%GV2kOGubL=YjzQofxYW
zSTz*(dw5rtUUpHZFFtC{kdWDBxK=gLp*X!j7yg}sL#Sazt@vJHPVhynuWX&fc&1M9
zXELyC_UmLXeS{oShU{YhZnFC>f=~1rhGf999|gmhK`+^I+5O3~wL#uA13@rznLB}!
zjno5l)#t-aIbUZZBDU+7EC3&)Xc_-9?yqiRVzFif_g5!o?VZZI{~iq*(@q|5h#QPz
z32aG^?KV1KQ~77;pgTne9|sF&1uPp!2Yx5GmPRvaCos%vR9ih3b?8`GwP70-C`;S@
z&*GjYBYH)9<+C5jDSupPPhX~mMA}d7x<7w{4q)3y60aLJz1<&uOOQ+438M)Ue}i9^
zs_^}8lepXeW>2xto0RST%|u9<GSy!qCHQa?y>+mc4yuk03-<p=wy_VW;3G;-4lU4d
z&p(*>D>>c%32>F+OA5kg_`SbU#nYHA8B#3Ju8~FFw8DXq`VhZ{4Yk2;rk@6fW(#(k
z{7)U$c(&<mp=xiyEgSOTRKexbfswFUYuHUz42)}mK1Oz;>f6O|vkdD+u8PZpwz*rE
z?|IOCvLfFsp_YWT&3}x{<5k*|=SQofn%dM4#Td+I>JIo<4-9+~#h1k<&i-D$H{a&U
z`ELK4*>;<w)pwb8hXh{|RJ+6bw!57fLu3n>$BxT(Q*Nw334q)i0$Dwhk;+nwW=Z#)
z{>v92jV$i#sc_R^&CHkXIln$%v)3-6+zke9Lfm+~8+kHIBT80`f_W*x@`vN}p7&+5
z&-pxt8OfhZg)+t#V{F-rA$smG;A>P5Phllb03m@8kw$mGpUd48LV5<b5I9gylJ6x_
zG$;~QIHv(WO2KgKGw_?1I8dZVhRelOPh&2H$2}7c{GT;+BcFqDg8)A<NTa_0E4`z>
zJeXyTkgG1c89tw4{4gZ>?e9X8x>YP#ft_MTkIdH!Jm5RO<IEC@4~~06IZ>9ZNC?bV
zUpEA3h-88`UeI7(1*3-7w)m6D?V%FU8>p1{38`cN<|$!P*Z&DQZ@oriW&*0^l}H~C
zsE^`4eQcm;(8tuUkDZ{urw`ft=wnB3AHRXZ)W;{oKAxhFOpMk8d1g>h?r5C%kh6#Y
z$L`EHGdGo>Bd1S(5&44BRynvtcV=L3IdE9yorlALoX_|l1@z8e8@ue#4=KNw%PkO>
z>!+b5hn}nb`>J~wSLaLF^NQZ7TBovX^TMg>P%}#@t0DaOw*v8m|2=-qg|eBi8F7hy
ztY@l!aDM%P4^#j7u>PH4{o7QZ`~JE!9}VlDPtV{IjY`O91QDWz%ts6^STq6M7aO{V
zAi{FG&rkE2xj!h^3s3Gp82f%mPUC4tPMhy=WPWaBWijm!ZGQ;_pdp0_xLXMLt7w!W
z-I;Pzu+MmZt>T3}#V2UI-wWHHPWu|g{ptsv*`2vA?57vLubyB30oA`PtpBmF{uQc^
zTH2jChScw^`!UtMs;BQ-)x9{ZyXW7i!--0FCLQc@PQFOt^TmSyKC~u8{8fc1+nt#k
z6khcY3NI32nnF(mg?{@F3jHu_@ljgT&>!q+`LpMN{;2B4dO;VK?+WW)qdJB>`co&+
z(>c%J`-8@ecnl?g4bo|w@1t%&^{@2*@V7t+{Xxr9yJ2&UOX`mUd0&jEFnshUAdwBb
zzB69^bET#JI3k-bN%k%Bbw)Icyz?Yk&DSZ`!vgA6mG6BFP9)>BTctkaQ82hPnU5i*
zN^J(*bILPQl5xJU6SB|?WQOkh4I5>rbEP=^-pZ_%r~#o_zBf|=wnO`hWbf{Tx7Giz
zJ)!J9kjQ%sn@;Zg!Pxfz7yT7WGlk!4Y3NwyZnR&f;W?<M^Jl&GSR>1Km*VaH)t>gs
z^2%xNzd~I8v~PP-p=m2rq2T~yY0ntOkel5Zsha_u#`$0zU|)#c4>PC2?r;&AtnNYi
zfSz<yNI1^q(9c&x8F$iqAS)J#sBhE)pb+-%V12Vr$Ee%|>-5r|a;Q3ej=SgFp~!{x
zpm<cm+vz|5BambE>WfFwk^lUw2DrJ*LE|WWltJ#S!>dkO6$9+$nW>b{em^Ml!`q+^
zzArfqa^%|qsjmzSJ_0Zp=>`>r`}!t-Fv=P?ROX{5Y6hC`O+@x{j+UvSoa&>0_1IVW
ztR{E!Egc2rU=NsrJz&<}1TP|Q4(CSo9?jJZr&T2_t^{uFR(~^3zwFVs`wxR3QQj2q
zUCadz2KW7Cd{|+WzEH`f9nTex^WXmi^=CESP2*Wo3+`h*4<4z60><@LVwEU0@Qe<C
zlZhe+AgbRkcPmd@6(7q2qKuN?Xd`sU?1cbfk1&IN`@c<}YT&#+H3AKRGNuu~<Co`G
zH}kI+uAzm_C19<Weg$vbHuh;_-_TKd`8Qp!snpxV#OP`?*ab|&&z*`XrW&5$(Vaek
zR`EH$Z!<6laLlo}*6t;V)UyTAH#edX`A@znt)}8KOo8P^q>o;#r6lv+-6p4;MZTS`
z{YM^RTvc)l>iYX}O=112)ne1?aerjcYNKOx?9LVg0%FcYS!SML=FYb-&BB&q<&<Ci
z^ao~j=jrK+S>5^kRt#GN;5iNY+%BmD7YR5#5pY&K4?nXGsFwMPNA$;a4ReC>PmT`S
zT?FsRdHV985I1klELemFOFKR1V;9~J8`d8+t2>u=7eN6zPhUE#yB{wz2QM0>%7#y?
zo<=e&qyDQ-=FYraBx&~Z{%;X}27I9{TR!*==<j%7A0vz?A#2#0GOr#Q3|E6Q>!fhv
zCSNVA1P9UTI(m)1_-p<pOWj4Q!xv#HT0KuW20>=Y{Q03z#EDl#;gG)eI+?RNRm)ih
z_PeW2=gthYWEe!KKb}DPkY4I#O1&K)T4yh>+Bp~xmWnT#_P8l;@>l7BEs<8Fe-AIL
zEiK#&NupQ~YQmy5x`qo?+U(WD2Mj*KTh&||P*aBR{pI(V#yfvy?1u)(&R=HrH6hjO
zHirWKJe>@HQP|B8uvy8-xL+;3V@RL*yu%!#a0TwNdF1-vph~#BswM!il<A-R5?w$Z
zrB%hG5SEurzD!wem{S!>V37P8Tuq-+f&KpedD!n2<OFQ`VIlX&^FlTqeg(Rhp0eL3
zV?_cwUI8;_#QCNelBquEHd-CaRcE(8EOyz#decVp7=(t`-i$KuH?Pr^#Pkn(z+6BI
zo5P-JtX_>HO`XbTuK?FKGmbLvb=AbxPsJHbB|o#yv8bS(7b)O)N7d{N*=E^|>fT)-
zc_xHpm;X3Ta_dn+FflnFFmJ=nn^)CAgZ^Hzdv00^({?CL`*qTS>GZ1JQCee=Rv4E1
zo6;5pX`{omy-Ir}NE;WX`AVw|(#D5r2bESHq)iCZx|H@nkTx+)JF2v@AZ=urc1CFv
zl;$1qsvu0_SAQ06GYhiZ3|az_BXeMwNRT1+a#wQZfIkBn43!9<>_EBJ3zKA(knBHA
z8>$hl{vqNwuzl?$&BT`l_ONrG)HR2G*(>ZmUhAa~2<o2aAgIsKjDd04Ya*!lFCZvZ
zY<EW165yent#ZA3Y^};&u5y&<HrLisXow13K%HHv9YG;kOU~!FJ&NUNzx^XZ3*Y={
z^xxny`eq$>b61w8+{TWoXY%utQ-@c4o~V^6$%+x)`m*E$9K&t*M-J^-P&L^Fm0*l!
zLDiTA#bL;nkVL;n&b@YBAOB4jmEM5-3(x-j@NUXN-nltk-vOhPZQp!RNrwk;1ixPZ
zd-P4;AH-wLKBpyLdy^c8vyA-g12)wlWuP8P$tuu8v^vSZsc#cwZy)a*ZRRWb=9)xm
zh?hu>Y)#&pKkHo(_d;1wrhIHwvqfIf>ZiX{bh2V|^vz9))bJlrtc_w-C-cj<_mr*J
zP<4Y<u{JqrWb)bJhGRKieqnOb2*;CE7Hf9CzZLN#_N6ys5GD;Qm62OaEg;5*Kt7z%
zuu=Xs?9+=S#E=b!Ng3^CH$*1}I(4yzii+!R3{z$-4m?%1$>$XV$wP$`;&PMyaxOG{
zU*R+IozeLQ^jtosgH!8|!WUlBDv8#7lhwhUofBP7*X}do`<B$$PoR50Co`Foet!u6
zN7wQmD;()h`zeQvB=cp!^iID2mCxtGcbWqfyoc4o-HAL`_Sf>lVs_HTmhZnnrMS+W
z?=*~OVPU1f$7WrCmF25s0ucPH`bx5S)PaN?iD-iu{b_|`?d95(Z(fIS*Lx{kmSaic
z%`D69T%{A%bE#*BZ(z~T8S=Qe_gitNxc47oG>-R6@eB|k)<*tB9(M$fQ+X8ABK1BV
z#jALn!K2s_kI(TaE>wy`G9SGW<)fNKtA9qCxv=&YjVJgv0ehZVjhenJ$1%ESB?-U?
zs+`o=kp|(eg|9(?;3N3tf>Q7+<YqA&8r+Lfng2sWp5nbJJY=pk3*8kq%L^Yc#{jOk
z#~=0+c#>EYn~rLANB)hQXBM(dj2mZ8G5bdSvvddC1$OmwdPQhYp}An667aVEAl3xg
z&RG`nwQ{9ANXy|m4R-yP_S6e@@wzwX@A!|sPd=gJ<egV>Mdb@uLBOXgZcbD!6NYli
zFZU;O1=e2Ump87*T3xAZ@t~K<XUUB7ntJjW*AqkxAMo#E0PrH1TD0028<V$=mUxrB
z-2Xnz%W$UMe&OZPe!Zsh+fwmpRabQ8Fut^R_gLI(0=)t}{pZts>uAr?wt$gWF<|NF
zpQNJX=u<!9T|i{r(?k54{j2|@(6U|et6&4_7ork+O`Sgw|EJx>7}P`le;J+nalr1J
z7x4We<<m=;f1UC_s{G0z|3k`;_2f?gKEEINnJ<HF+CN!A{`Eci4=DeAP1lV<{^s-Z
zUsisT@-Gka|E&D;<<4Kp>GtQT&?BOz9`#x06?Y^D)YLtH69*Rh769LQ)Cp3S-jdJ#
z+)e(em304ISd(KldL43hE{f;8@LnH}&Y)H{p|=CI9sORj+U?y*mZjd<L04bAqb&7x
zEY@Ff6RF4fDxHbC?hNSGX(@S_N-WRn!b*Oj4RfmQ5Vu?^9kQx{Eo;0h`P3-C7P3fQ
ziw2W#itzQ+0>9j(>8zB`4IMUWeQDMHQT{4C*5XCiJbxv8to*0R8=T~u8eAR`-WKEY
zCKYzh7R8ID2eQujvU7j$dcSc0lKCXdv(I_9!R0M-MmlO7$qY)F_oVythmzBN?y|nO
za;mr_@bvl=MA(bZw|hiwF>5*8Z`_ILT_&ZC(Yf``G&Xx*yaT`Hf%O%S8rSQy<qswv
zyt3-_fEOx|u=MJ9Yy6qOgyZSJnRaRtR-GkVYZ)R72k)~o@3F1y1j~P(@Y6pKugJ2r
z(9f4r%SK&oc**B!#n^W{-(I#uL|jJ&V@>T`(Zi3Hbt&iHl_Nt~=K>>*d*{DrqqKA?
zRArc?Q2;gwMA=z>2_cjw`FynIxWP%rM<i;Nhu>YTxh=?Cq|BP-(V8oQcg>i2-_HY;
zwPiQ&-{U=*SJj0K`rka7kE{ojX?%^IA2lcW-0N=gk7~fbC_kWQU!U8(A@4aHlrc2@
zRr?~N+4<uF7)w3#9qDNG4r&>nuI;|e!KKMR=`>Cptv`!OzgPTgsGDZhfjLg)x8+!-
zo2E;XKN3e<x`PvI6_)Wm0Ji21Ww+F*YyHQgTGoGkR11Sy8fhbWsgAwX$U6X%;e#((
zK2Cm}@^##<{3Xg?eqO!=&eHu%oAO^#K2j!If7uKs-`_Nc`4j{hV<Jlq{n|I-DWg<T
zsml^7WatCHyEB9NC#&yGD@*-*C1nitV=W5PL+d7Nock|moinWAtYMDy->Z1958dBu
zx|NC<@&Q)T8QMB_hyAu$m#OD24@{*{s=xpHrlrf&QexI=^;@wuY%Qpdnss^TUT|n&
zPEJ2_I&NioesNAfpU3pwi8J&<j05T^>(#((WX%D;Ht1!fiScMEs5(8cVn<*8p#8@p
z<E0GK7}LQgW~%Dg<nHKqZ<*yY6vuqTG>|Xi4FCOjuK0g7p1?su3paB)W1{yy>+OGR
zf9d!BFYuLSNcS3qX*$ArltK%NP?>I)C9A-Hl*u%wetaz!Ncapu!o%$+;SDeJzfYdo
zSmY5#hxq~B290ufVdrwQz3E(T?%PO>yk1Dx5#x;rp<v$pt5`~j2irKpWOXJUSvRY)
zvNC=0%0zn4D62kwYQUHkUVHl8fn(aowARME6GdAqRt0NCQ1s%1Pu|$aGrJgfNDp2Y
z>O^YD^@$Vg5&5c=zB_zgdF7Lr%D<jW+}X{F@4|_v*^I9UUHD)kI=O{6m-QLGPYT~f
zPkju18q{N@-m#^hf;2&$KNd(pN%<3A6GnwGTm6+O5>n6gvjU#8METwx^dF;mwD_lI
z>wF?p=IvZMcm5=)E~t5LKqne4u66<c2AEKPAr%i+LJD^Tl$X_qSa%Q56`jgn@x`#$
zkkd`3S2{7ha&W%IbVWb6(NE`(`^MKuiU(_EgElv3v3jvP(8qwi@rC|5fUS93d!zEN
zBhRru#_i)(r>}fE;-;S3@t08`0lAA^DmfAB<bMAqz;Lb8%m9|CrT-3BLCzEPFg)L>
zYOw%dH3gia?W{LGn9eb7j^w|87pWXPxZaV9UxJ3dcjoJ(1%Li5_dqTEb<i4()Ka|j
z<zW85cn1z+(WTo(asFB%J6T{@&hh*&4Xn7t^A#raNhB;5*c%bKk+vSHs-%0_(}~;}
zz>P%XSjhI<_P(Iq=+Z8K9&B);g~+Yi${aQ@j{JNgHU1W=n0!Y5*c@Sx`-jXn{sag-
z;;%@WHCfD;u$j2BRC%5SKB7x+@Xng=Bh%Fo^eU&S(Q;}Z>xV>Wu*!;#z~?44yC2QT
zG1Kha-$3Qgz0&7^i-sZ7W9A^CfZg8^{~>w_zSr#SfrfAm@DEjSVG-YEUc5={J5D4x
zUwqb5?>pbZ6E@_3V`7B}uO+jGminwO;c+Gi4%aH0+5fm!gH>}u{p&BNZ&l{>UF*?c
ztruvmUs(SR{}iC%NOMFGKDZwD!$;Qjt-mFGO7+v$dLR@739_SazMW+yWLs_N9R-mN
zzIT0x|9h}Od%xia9zH6e<Ua7i^gfy0%;SD0aj27;zj>NP=qB7L0;i#u3-!f+Q1y4F
zs&pJ&1zmQzy-gJ7EbXR;%*QAa@~;PvXGVWlR~-cFoz31!UdhbL7b7f*sDayP<FvNa
zTjhUDvp?%>PR`Vvr|p1m@%3o$U865ARdQn1zTl@pKYm4Tg_#>DXf|NxqX(u+=8NQ;
zb_^jOgWk^T?+rluzv{21wx_~B?C)#jXZs82`xxdGgZ;l4#Le0}NBCnVzC_U)BJ<q)
zz$8k3Kgk9{sJEHY{=J~m$fTz7M_C9#i2jR8^bQ#QmloEx`ByRj<ol;z5@d}*>%Dpd
z`^(QitZSt<i!(2P*YF`$?mtpP=a&xWEjcts`Nf!ILmg@e{-OR*5Y;)a&;G$)m-$vO
z*};4kS069Gs<`r;Rl%n&ORV&cfnGiQC(;(`N7;P>X<=T86=e3-zr@t<mmJU#p1-(g
z$pfNVOPn}y{uAWmdD{@2&ydecf)aD8*OiZ~JY`i3F0Q?PdV2rB;@X+;Wpy63?;TVM
z-$)r)JAibRAFJ}0DdT!2mssAx^!^cPpO1ph%&RTQRrQ_?sHvZq_D9qXpqO6}6jwD<
zPVG%odnHI+8pQUd7A1mBVLou8rxCR!dBM}D+7kAKN*i5U($75YpTOHVIv-G5(m#tY
za+E^OgxUc?g>gL%Q#EXu=E8>QB5W8KgN6l)8tfen@%EveuMcbZRzN|rj^OY6_xbmb
zUsLx#um76t`nT(*SKXXb{=qE%Q&X+!RTJ-m5Zfxu{WWHl^g@J^CXq$lCd$WGXeRYc
zplL`8xcx=579jibq28WQ;rMQ~bOEDRKrfOihx*W`l)kuHRC@%VnD*G&VbE%%#j~VH
zy}1Ibr9NIbXL@w$kV~d}L#8J9!er6LnFox7vFkcdn3<5xt^8S|Nl4O|u}vd)P<DJ?
zhZ*5>U)17WUvV(?Ol}Zv_rtKK&vJd&hwXLQ^3gZT_#9lezx6W@gyP#&3OK+$LCuQy
z>F3=5ie7y6=x+qeVhyY@Oy#uyQIL{)*fOmcE^)xWIA{isukzcLZh!$S+rmFi)!(`k
zvI6oETp9gFlzD}yI*;K9|4p#1b8aji_~c3$Q=&n7F<fg}6^PS*Os(Q2UKS_~!PbHG
zh&I)^oAr7Dd_Mv{AuU?1<!IN<=|c}?sltmZ4x~n2jGAVYOSOL=17U&$b;(izyiA}A
zTvYbQ`oQeh1Id32?!SE}0C%67I}cp@ZIR4u!Mh81HMPf#vZc?o7%{?l8+=#eMWFyD
zF4EXFD@)&jZW->!q+7gBPey5N@aOTEdMqzE-IB5J`!qt>0qtc)REx8SsGOX|?=dJe
zzdr~}(@Pi}+z_;H4sNBk(ms3Nu>Im-P+A$+@#v-=>KF7SIdBzyl`6Oay&Y{_CwS-g
zbxTm&zl^a2eHv+@8SLS9+V3o#5YUu*Zz&lirM9J{kbiTGg6l7)ot8=Cl%DV=jaWL0
zhn7j>`8Oya@P4em5OUt6(NZ}u$<LMgHjpoMy-|09vBKH|{(MKW1oAt5L&>P83X@Nb
zzu~EIPsI~e&yL6`zf-%mXGiDUOA9ADvigd}A=3CJb><Q9t?;KY&587`JpTw?1`P<R
zC%G2p+0oW<@2PR*_VYKI!A~09`5Uvd(^fF(zjwb7#CHtzPl0eWrJ7%(*p#vla2U@U
ze2Od(%7inJ-it9!^J~Fqqt$N#Rw8xxB}>PADzIMs0$jswwk-Wvn2-t*IA_@H%UMSq
z6@?v1s{b5w2Q!CN-oGX2Gg|#CwTgB55D5<Z2k^C>?cYWrfh}MuNh8Wq6YHmV*ZW&J
zX*Xp`y%N!GwjACZ4kt~0i~EOOIM;2};pyvmB?WOd#fAQU#;y@<5{(G9PXS}7k8xfp
zh?vEm`&*3RG0-34STe`cVQG4IzbSbHdkGqS21S5mGyUhoE>H9nQ{TQmvq8BLPL*3Y
z-pb&;*1hatutFZAhGv1d-GBN@A@^zVzAU{1)npwpcKBca6$rC8VY$Yy{fPft+FLf(
zpghn2ET;07Nd*R5-Xyc2GqQ&TaAUmGe$hJ?7(VWZR(DcTww!=ImW|?-9gTnF+uG@E
zt=Jy~x+kw&cR%3#l@S73Gta^5SOrv?fbpDce$`2RgFVx6*@f)4QS~mFKBuR>-_Rb-
z9Z;OWXm*OUQb{X`^n3lxOeLQiG0?wX2vmV(!!?>@`G^s4jl1b1UQ}K<e&+8SG7Gim
zr2V?`PfVZVZE?N*G6Y>fAcW4<`*K-#iul&|%#hu%En9X4Ez@WojfR)1UJ!2#zq})P
z7n6IMF<qP8uO}w~_50fOCDQNrW5Yb!uX_&qAf4l((F6Ve;>|63aQw^-T8cE{&m$!{
zsSrT*QIG(?96^~jdcjR3??CvBHEWz^>-|T9W(jmuv-j!^BSGG?BmA#09=a%;`DeN?
zyX?$FvU^vj_?eui&Wf2Ol2<~Y{&%qh-#ED}{=(wpRFBrIWr8c8&F71)ZRV*TPdX1s
zq@KMvuz8H2#`LPL(c$-0ad8ULbAt5T#d0!^*1Q;03S0yHtH`8@v8JdOFYwn<YUyao
z5M(_n`ev8^O(?)HmH6oL=@cCmw7Q3KynQ;XIMDw|kPx^qP<e>|QlF-VtErFmG&MrX
zh8C&U2A4(O<8d*dbenfhZ`e`)-GTncnft|*>F#V2KQuiDf+%2$Bi!T@pbtGXzp&J5
zioRK*6IqV(pW`Isvj8*QA&z&rV!lx+21cvpLs{l^Li>1Hf^^ej*_eHzY$C73AV&BW
z6{%s4aZ}IcC-U+GZ;n!LKu?*iy2>Q=Y+xaUS8yI2)@}%Lf~g>9NKel1f}Fsugd8FQ
z!#dv&a<TzjB_p#rPLfje4-+czAE8t!$I?*Yv!kdV%nN3X(f(~@dGSI%Wa<_UcZ&{2
zzdsVJfn!5_Jtr}J<U`h9C;3D{BJY~%RWFP}7dj<M@lLZQz)--4rg-m{<vltY$_}s(
zqWm3-4$1n$I2?|Ih5VKvBR?qW#q+Zne+V+NNQoC@Gkz3gWJew!9%gW!0bF^dg!B8~
zqzt``3bW`rG)&(eWQ^?12ypA)9Au2>%?OB}12AqJY8vHV5fmtlzBy@>LD!|AOB%LN
zg$ynZz9%kwE#hJ-XP9^lDtJRCI)8={hTQKAw}#IR0nf&W+m}B{&zBnDPkKho=UMJQ
z)&nGyXu&lJJhx2JqJzaHs&;oJ#+**wIxd~bBf7}ggQ4Z&eecKNqL>kV-^m}<_nrLF
zeH5lSi53~w>E)$|wad_>cQQf9V79-Lv(huj3A$|Pi5D^(6u43%f%66&bD64Zvr*uG
zYbFC|sp@G@{GTfsyHFDhyHM1)N2I>K_$a+#j0XHNq2h@mv~}YDtA0pM3l6ISC*;>l
z$Aucmz5haKuPKqtFO*(ZU8GjVaK_Y?7yaHay`<u~OXUts+h#fY9RkSc<YvbZt==tA
zJim0zzQmXgOP;ZU(W%;(n@G;lIa>0TA#nNWsfURr_;l%mguELs6b$9*_w&oFW1Sae
z`G09uGiNNv%0FA0yh7ahKKdelpLO2oPvtpY^nR(=Qqhq>ref4Lmiz7gkDr!aRZ;I+
zc=;)We}t@#iK3B((U&fU#85_pRg0B2@nE;#-w;Q+@OYoFCnJ{kqA=Wpmr36;g9J6v
zYFpzIg0gryE_7Ugmjb^IC=6Z<o<>EhB}(KQLE~n(I%Z4hm;+ALfn5KiLSZnGeGv37
zZfXX}mz6$fS{MN`tkU$Z{8DRMXEfjoIyovW+E#vhBKb*aW)tZXM?Ua_p1<3_n%8*I
zfdD^9NV8`%k*%!f3S(%(jeTInq5!N1+jT1Svfu_0qk55cOp0GsV<NjYIZzJ!7tk%0
zqBW3$areA3;q+&)ZPMa!v@{K#GTN(;+0xrurjR}jy9)NW6$S)NNH7hZ-|5jS%tGqX
z&jZ12R)=5AfM|SR-}P9vOegh&W?qqeNe?(#JOiQkY5>hIB?P*hX)A$0r}?FO^j`HJ
z59p_1PUcaV4*S67mvn2emCb%B$eunYNWZXJ-}Zy{!U}WnWPekDz?S?4UB&}?NN|Ze
zWXZRdq49e&B|L`k+!4S{@v5%=<sb5@?gNZO%G}I+Z)O|uZNWTLE)#q?<sVNZ|B_`D
z>-^iE0wcYwBDn0ob1~zoeAB?y*>-`wrO*EI*fKFDGbtwigU#l)a@y0fZ}8U>tRZP+
zE=lb#%(I*Dnpq!y$D<a~{Wn_Z%~b}h<|@-$i-BHfZmALi^<U?w!~Mf{e~0*ZQlwO~
zyyD&}GsgZpQ`_!~{*vY!wk+%7%D-sRa>`dIYsHfW5dUJ0mD$g_1TdrM`w$wtW54Ma
z)c>JrdR_T))SPK|pyu=jakW7d0sYY8GhvH$Poj^SPStKetU;^2^Bc++;}(CF{|jPQ
zIq&!gp=%wwx;6Qf0vdf_y*Kk~h9LW;#7Z$)cc3xdxcUo3|8}YK-vIt1id^u$?SOv!
zv&Rj34&EadybrqIeZU3p1AE?$-D@U-GeGYEFjzj=|1k-IZ2BBO$)h<?3g9&5OM1#j
zg7W$vd|3Y8^UKTs=kw>CwU4+ao|Ac>(FOA%MVku{l1mMhvXA{KSPo7ev~<mSJ}>|G
zGy3KSraJ|g6eMIw<Z99zYw1wuq;*S+>C3-|27@KV(iKUBr$Qk;oaKm@m|KjY2n+u)
z%KZIzu2zJ^2XD-;xUVev8v(0I;;EYrK;{3g%%b#D-ynqLk<_<x%|cNbf6+Ig#F{$g
zm*3^B2#hU$E@0vD6MPq#MH}pI0+Gf2Pg4t}f_R6QKCChPh$ezDfL`v!;GbZfd+E*}
zihg<rn7J&-4BG2e%XN^wK5M+H(LVIT@26Ev3Wr%yT9$lWL)20^^@Q+U{+XrMLY7Jx
z6C`|b>4Y$0gh{BF<}~B;dfw6yUEg@}c1_0~GY~e8D?nH8P|hpP`cxZMpG4~aIjnyZ
z-BJI$=hfGB5`Fc%Ui-{ZsZ1gaWIcpIJo=4Kn3hBschi<)Np9?EEToMQ=Z6r?(O%Gd
z%il;gN1qYu$Q77#EJ?Rzck_?Gnc*9;PJG+thLvwG{cATl%tN>TVay3-HLr_7Ris1w
zMr(#rE+iw7(2pNCIQ~^KDK?1fu&ibDg?Ce-0>bm<6<kRg_;j&s2A@Zd)_j8=`ZRMp
z&0r7rcLNaupP|tB6mM*^PM>{Sxl=9sxF+#cUexnQ^SjHdSK<@YLyd8YTAmy!OV5ea
z49i2Uk-e;;XO!j7h|NBQ%|yR9@C!`&Hy92ct-cqKlzs>4WnM*2=C|T=Jr=`WI%Rkn
zPTjKSfXN%%r|8PFomo2hHIVhvNd}u)_$th+@@=FT{g{igMCRG~W-AfS_Y1TbFoNuS
zPw8nioNtU0UA<~Y!yL}C#Sd2dm#{*Z@u+6}tzP*1%=^3F2<IKw&Myb^?q4le(8bxw
zPt^R-%==$@=6#CFg%a7rqvYq0nTh{t(qIoAe0VtXQh+<JWj_uo2dYti+Xx*8)deA{
zgSd97omq023hs+1ye`>V(Oj1Nqn0q^Gg`Pjm9L>U(MJoAyPm?)m4$AYf7DP&lzgdV
z0}Yw@mAtB2*P~&wsN}d`s@gZOe~*6WemZP_s4&>x0org{Po#I}`Aup`TY%>BxJY({
zy)Mqps;T@Y9DH)hFYDoVrOENbOTF<Q;5cPqqNu*&fT7r<{;U6td8wNj4(Yy^ZZhQb
zo)5FCe{!qnCSa6y9rNXXo!<M9&ZSfk{^~H`O!2;!lgaOGmqW;rl`lXhEt3VAevRp`
zw!i$jmene){Nl`|pA#hTr|fxK=7(%e(VHX>*-sX0D|U&0j!PNXR2JWx`P(BBaK$-+
z)a<1n>`TGNc&c6~$SEID$^M=eD%g*X!c<`H`ud$#5VB7vCJp|h^o*nKt}GtR_OYcT
zUx2lg479F_f4!w-i1+&H11%*5=iXWTa!bkZr>A|ofLr_zzPqmBLj5GmAMuiXe5{+i
z6I0D?`N{i7yUE9gyUG61)p2iA^0tBSoz~>z<D4k5CuM~Tl6MY?u1roYpzug1y4vyf
zBp)B|CZ~^blg}4&*3#%iSGd%vGZm&4uA)qIm8!Opx+wYh1Si^>e0rkmJyf_bx;(lf
z+Ui8tc%4pkZFFUHjU%JaX##?hFAPjRMKA)-hmy}0B%k6#>-QCQsiD0tPrl=w@{T2+
zf=f>;Jm__jbQH1uj(5%_+;e}rrJoyHWADd@{hid38-Mbx?|jK3XKi|Iu4^?r-bvSc
z%eB|KvF)z?*5uUOi&P>t{|5bFz**p(pattJZN<HnRC4UouJ^X%b;gc3>4tvkHMy?6
za&l_+AXRX!^^SMgwa7p1*hidLXL_}2IQE{@k_jpiw^lmDgT}Tv>2yEGKCE}^6zi)l
zPBLlfmAP?ih2v#X3$IrN$KD)|k+YI^GLCh~^){uO`|;pybM0+hWRzO?DV1Y<ZEox>
zC%q!q-fo?6y)~&<E>{Mn$y=x-YHR`-PI@^&Z<`zzAh*%l=AC9V);8B$&v;^|g&uo-
zNowu~)rJ|7881)ZK|_iiVeD};_MssFt#OT?q1E>@Pp23lLp89U3XxB5s~BK7S~Ju`
zeaCnxweY&IxkZkp*#ZANc+AiCo&koSn{hJ0K7(UmCE48Upv-{Hz#O~Pz1A&U*k^#l
z&mW*;`{5Yd>&#rch4US+t7o{5eek?d#tDmrna%GRXGv<dr6%KEhm)=Y5i4A@yajQq
z-m%-`_Q^QY*q)Ait<W<Aza_O~fGHl^Y^Sd+W7*h;G~3rsW969f^VA9s_?hq82VMJJ
zk{QFQ_OzCvx7oEfx7T}X)ro7@g(zyTv$v-f4pYlsyNgBNUYB}huz4*jTw?I%;#?@y
zd7=sLR7e$?yVNUrzv|rlxV6pN<l4)zn$&qKxrzI<$WzPaZEGdHwb_vAde>Xw*q!dR
z_tE>c<%J9FQ(E*Jw5r>@joudf7-T}DPJ08?beY=Ks;zUajdAa=<DHA!dtAo0#IcWC
z8y$NaW2eW3PJ2C=yh!Ea7Th4C#bKV7dxt<H%K}Vzt6gC+?b!Q3D!7cQf@7VfFpFxw
zW32|#MpmJ{!hTC=*zRJrXtnpWw>Tb9?ny1Y$@F0#bqqak2Ug5!jgEB`ap-Wvo826@
zPdL^F7Ejzhz+ppsvqOWFOTBWf>cVXnVl{!cxrMEcwVe(YFp1V%_DY~*Ik|SGy}{e!
z@p>{f|5DX)?e_rD>SQ@AG1y$>q*t-zHrtFSW1nT3fqz4L6P(6d?QJeeExaPAr=dAw
zMAm-CTEn!Q6cXOGo33S*yY|WUCZcnMmUwFZb*f@-rH0m^wU6EwQLK$Wh-<aIk-{0*
zJ8N%^r(PXm#!|*O>|?@(YrP-$_B!cCmfv1#&KFc0U3)8)4tQHB6;Ca>IRI*(FydNg
z<KAvZ92bTO_-%2!C2p^EKwo=H-0O;aFd?^a(Jdi?nT4bExIl>Iw=r&0A3Rua`vXBs
zFwa&{68Bm}`kJ;@kYOf`wMw^f>!9OpbD(9OTqc4gUS7DwP@`j?bK0AQ3~!fX?*}DA
z!%@zM)DReLASP}di+dEhuW*A}VLDr(fE^^OwFQpd?AmR#VIKs<`F1<2bP)mdTVN30
z8m}E{U1C-%9ogxU)T`swg_CY&81I5X*M=iD_7mOJxhxM0vfTieY;Sb!`dd=-KN_HL
zk5Fjs@m8ms`tgINPH7(otF^UCOQbRN$|qG;Jgls6Aza+sWOe9ykp^!c0TJyDj#eN{
znv;{Aj=eITsvcqBX@~!?THiuI#H|ho-%VC7Jm2BEJUc@Y%l<}F(ynJM0X|4rfE-~W
z8{^g%2R_0O+Tval3obR=He~@eZl~h_ER<WzSzvJravOjl(^iBLsc~;3k~SV|0-vnx
zG^p-iu?~7?$%nu1p(T_R*0G$#CtIzzTyLGEm>a2&)yM74Ze))F&^C}^?`LA?^S8h|
z49i<j)yO*9TIg-^R!FGDn%&sC$l=t&5o(!mb=N)u_LdNVUDwY#tPWOr&DJId3Eti?
zDK*!WbG(BR>0;Jir)$wEGP=u&w8riCg#0?Df&{I(SgRXrb0fSSwAzI1NEb{j21U-j
zOkKvnJ*tlowSxh$ia7drt#yu9@5ESD@Ih-G1k(yp*n61Mg%sbxSV)4~1yHY}n1wqh
zQxG{6JLyI;Lck)c9Z}=4rZSrHjtEbzlDdHPdTmbZpdK4zZNeUs#emrgwly-bMzs#i
zLbsOS6?#Vw8^W|us9MZ=v|3aEUr$3*P2NFojT?c^yd&NkgX2xH^^qf1143^J1j>>?
zk~KN)5bS;juiwaONC94mUUn8_IkDAFq$ySXY4rxxTTO6N1_<y17a6}X4m&|r*e|eQ
z9v*A$l!LtYwmXrQ_7=#n%}Fi!tQxSuF9%H9omfk3Elbypbc<l>;{<ftJB3dt))Ds_
zG!mAV5xt<-LC5pV0*h>k+lPd|RWXnWhjk+BZ%NH9GSHobX2rKU9P}6qZoOQBdK(KR
zwQ!(HxZY-p#O*Vw;lrS3n>l7~9+K#D5qGU<ld(*!1FmqAW?Dg41isSY#MVTZ2vod7
zj<?^9v8s1D5yVw>o@v!SaV?NQmR4G%=oWS`V^RW`_9Y}DCE;Qvsp{)gJkHfSEIWhY
zWAVsV*P>yteJmc^3Ms}TdY0_6>cmpaqFF>~)r&MC#T>EW{d$ctZ!K;Nt#6N(wctH`
zOKPFP1~NrMqYe1cVJb)&co)oZYtJzeU;u<F#v`ktvec5n0#8$PK#8%{u@=JxBL}Eq
zy~PFr2_+@~$s6KF(y)$EBG8#5Ob08~jjeDZ8<`QaG9@zJgF=K3`)$!n8wA9vqJp<y
zy!xONh|`fxaqk^5RJ4vdIB?9MRg&MecCd%=&c!yxV~twDk)s+qjA0FYWCO8&U`Bjl
zQLM{e)7~u1?HAf2=TKuBW1Aue(XdCWJ)mzzz<9gp*E;BJv-f*PctcGFt|hFiRJGv&
zUOfX@1c?W%L{P(|VIy&Gha20k`9Z`vF*wXY$AZ|m1URU7BRhqI`Eav(Nskz$veQh+
zmBD!KV_6;mj18I(gw1v!aSib_DrJ`h6}m}lu30n-n2{SdrN4@nw$V)DIoH}RPO=IX
zf(8YPKnS#_T^pIPPm6xxq|}ljsv(55+34~|S(C_O#Fqq-^<LaVKQ$5w`HA|po3$(+
zcND$?Igc=v8AB^5jw5a~Y^%jH<6p=uS}nb7V}am8)j&Vd=H?ytMJ$n2b&eW|TWCIA
zfdbtmRa)Bk872_Y$PIcy1=cd}a2N{OnYRa&^Wg1qQGe`u2~5}C$4{%7-?-hSRXX2j
zDm<(*T(>PX_X9z5npS$THX`;t=xL8@A4eBw9oe90zxXIDa6kPIHUOf)Q9(0ltw+?7
zK0xV?b%dpl(f}CSVD>6xuYsU~i9&oz5pk@;5{3BexHgh!B{Sxv=9<}(tkjZQ?^>Oj
zttDCI1{DcyMhfYgxV^m{t<>!Hs5jn>z${itNi9;gVkcl-aaOy{wlCeDPR$*vVzh{E
zy9pL+(8a?Zy0=-z8_^2q+h_?}?Nf34taQxwdX$1o%y6x(anI}k<JMM5j76bvT;+K0
zz!2ks{;W-Jpy&scc7_^coC!kgwHdUWbzsa)e0x3fqv=2xnNAq6_rAuyRUJS(pm8%e
zV&ml6orYB36UIvrW@gBJ)kHDw`7Vrfp=Mg_H*PnGF}4#nvP1f_s$^A0cK+e^tXV{a
z0@~%GtP+D_BZ{a5JL2_V3HrL~+1o{nB2?=vZ7+mAY1?kG&oLb+e)PLaGJrK_W<yM*
zuAfkU-00HwN$Z@=csI-FV6PJ~p%mArmY7M=)*r1I$>bfDX$)A{@1PD!j3C+exYo(Z
zsU;sYBe1qh^RbWQVE|$AaZ%Vo^krt#TF+N)yu=W1MuCgz;;2j3JFfTeaMzpB*SSRY
zp3pwZq1_knSX_+VNH#0ZU6KPN%&XqN*&RctJJ`Vucq+fDB;Qgjalf*n_n-c!(yB8z
zKV4jkmv7w^Sqm{XR_&-OO+D7XI5>YW_egE$GUH<ZSNrgT;cR(tSrRYEs=wV_TD80G
z_Eh;z#a#7NaeuE-zi<3;BK6eBQtMdNsew`RL1sQ56g7rTe8(;#;;4Vs&RnOKF!-7=
zfr+)$+Fv?muRos7@W~A?@F~Vm`OLu2rOG}zlF*_jzfhX&pYSXmadzyF{d1btl}LSl
zV4`X#9v$sYDt}1nm^D>9x`-)`en&T)@N6&l)>Ngrd~@PwiqZ*h;-{ZHkV%jgjFa)?
zS3J+TRP}h$0PF*=<<?#lt^OEq=zGyO-4C3b?ztD8%M4eY9(y;COz{rlFN1HW`>8Ij
z*SNZ?G!+Mw9bKhknp|tolrcVF2?5`^oT@wn$yy+pk{mLjhy(Z`6M!UFy(T~4T|{R|
z_XB6>>P+T$*fE`Cf4TaQ_^C78;&Jtv%v(wYpiiBfu7q=$W@GLQ&VvX5EFYZN#VJxS
zt_#1f75FzB`WTV?V6r6NYftaUOJ^>Rw5Em_7gDde)-B8<0;0C8a6obG_(HEay`NZ!
z@<PjN_F4&EAgqES`Ch9MbBSwMI*&6flKLrIdHub%#c~_2+HtejzW5oQ#-zv8S9M)a
zAY!|p0J`v&IN4<V3A{(&m^4^q@aCjJwQ-A!O4Lw1mxtPT9+}bFcs`lKYUBNqlZKeg
z{yfyi2atJ5ZG0e^7uUuk$w>t!a}W=;@xf$%ur@w~%n#JYhbAWtH<`nDsEtR-{BUiY
z`^hF<RvW*Fi&ISI#XQu;FM*s{XAS0zY1ZByz)5Umc<Bpv{J=hoaorebaYiy0T8#I`
zM2n@|*l00~%Sfwe(!<36=st&AbpRP$+Q8YAf^XEe%*d7e%HG_r<!gczamYAT9DONp
zBYx_>#G=oH|Cun)N%tkZ$sDfoT@P>a2>wR#hXciA+)XA=NG!T9{Eth7UZG`vUJZWc
z2R{pgpC!RhWAL*o_}RdZ?oOOTY~z4&)AH^!zjO0ULwtcaQPle6-vWoKmPrN|7~r}6
z&0u4aL5AT(INBP7ObYNZ$)Lk8(dlHBZUp2mGDQ>oSeQul9pRsc8$dM1-3;gd$6;o4
zX%UO1nhrI|>naADO9_Mb%+EOA>l07XXZ?WcUH*JcXX=jug14WCkq{jr9s&aShv=9<
z7vXx)sQuCA-GrV`QS()eqvg99oM)$I-q-TqpAiI|{iB0|%sLM2rU&ts8=x}ikx*F9
zh?)rT*`bj`oX=}z5}*RT23IQW_J3y10Re{l2|-krUKMw#^N-Nqt&~$JoZQO1bRR#r
zQE>FY&&}}`jNrxb=IHBgef@R9@3cj$s|12R^#%j`m*Y8BdByQut9%CEKYgOW9Ksk!
zf&>0vrc<t}>xHM|a)0{Ydb=@)Bb}Mo$s<$8KtBmeSWjQ2w<K@!fbA-tsWlz?!S?WP
zB`wZb3X>1~W5Z|07R-O|d5TVoXYG}%gfD*`dBf`~Tikp6a8B^SvP9KiD;WiEPXrlL
zc{Cq`;O?Y?veY+bl%>9QxBsoLQp?<{^hEeH)&E-fG{e8wJS{1lLqq;;;mZQOIN?j1
zUdD$n2levt@TEY&T^7FR?goEo_@e6>{G9M*hF*^Rlc1m<z3ehC0#eboyZq@h%xyI|
z6&ijZ@co@(nQ?wc_%zjD6F$xG8_iP)_M7300sHsiivj!R;fn!#PWVz_0YX*yGEOf~
zhc8q0@<{kHLofG*FLU&AJ1?_NYxXKWxJW-xrzWV+fp4lx={jBu=CdsI?a^haiefVX
zTwksO&u5+pM_VIbLFG&}QKQ1d$ez68=YqT$Vcvc}rzdZV$(vTl*Veh})u2`La%E3}
zKbrz`&8#Y0$j~jLLuY5Z{$GFBgu&6?WVQeva=<pbP|1l@wyA}MLYSH?5JrCfRJM3Y
z*rSpK72nocQn)}+oqRT1=Blty1MyS}3L9H`vUQBAd$1VQlEN8b_FsCk-xsqWXO79?
zZpZ!pIW9EemZOGfO{>YQC=fOa{0}^$^xzuFAZ6}X1eUH&{ciX))vpYnX82E=r;wT+
z311BG_k}NQ8p-Y9i%{a<6254_{&nHYIK7MxU#9Bi!{N&ey$lOq=IF)ZCG#f(_n&kw
ztg)FYcRy^PuQ3r}sXxsN^Gpj9!#wGUiPWDKg?XmIQDNR7lefgo6qj3$36N29#Gp5r
z6ytW_N5h=WVU7kF<Qxl|T4r)UDTbvX{_Xc?kr)r3rusL8PcwYmJcURs3||(|r2oP2
zMeX~8!k2@3Is4^c+yz3&!SH3AUfv5|rs`!=_%cH;%fpvBdRf8?o1P(=Zz8!kKM(wq
z*q9ilMv-+B0s?qSwd52h0@2+HU-&0sxng1>^=LpfO56(fhH$)Z16&Y+n7V`YYqk;z
z;@Xmrq8Xg<cae_|6MlGE)Qk_|xVrKdYF0H)2;KQiiIB_9qsQJFxnT`pSkb3K)-T7<
z@wWSNau!uCgQ3h1({W2--_<)h)`|%JM-<f4I6oOaP4#E#sqcs%c)*Mpg!CD4=huP}
z|E$l5i+e|`(RMv&MmxS2_Q^fnP3-CJ(>!S=uFjccFfc<H;3C8j<zjBX1c2T~te!?r
z+#94%_4o0lMnKA&ASGzS$bB=+HDm|)_(c{U;e8uSc-7v~$(JPd%aYF(J|KB{121UN
z(dtj@Az3nTN^0uhvZA)=cVa3wrmki=$SlKpMHni&w7l7{>p~+_&pOQm*d%(wO3k{`
z)K_wy<`OHnyre8O_7c(A(uc_Eyws`MZ>g&#yqOPV{E-L4v5jZw?(U71H{_IWR*|2m
zEps_VXGL9)KlzA6>RGEf4}S8w&?|;<6W)4?D@x9VkqXXNGKEG{0+12|h{dJERy}Ye
zP>!36;RX1*5W^KZsnh5)Rx`_EU+MqU=zq{?h{vldT|p<!ujkto0jBrROYi<Oz%bL(
zKSPXO_nbvJP-mZjgg*Mqti2<0bpha;niJusMpwL+5z51c^<d)0gCs{^I?cZ|xR9-!
zqAOiCMym&DYBbv%1#lfBcL$&H`va&@`0uLn#<aqVDo^D`s|!u@P>WO5MbOlxdes+U
zFLo-sh=+QM!ndZTUDI8fnwiVB;YEjMUaZ^GDwzlFrP-8Ko0=_Z^-ol#`TA&AclrDH
zYsI-)xJH~1O|Ix%^au5^Hh!Oqp~hzG6Ryqmzm@;e%~xoDR99xD6Gf*gGPB<0W5PKR
zF6C*qxR9$_H&zinF9t9MQ$c;AXiM}Za~+rWMWo+uzbwH7&1y85@(%Vve%Oz}M2Lk^
zY-5CldBATk5AXn<a-wt7TmcZRo<q72QzO-Zj|*IkI+!8t_LLhSp_GWB7sZ6_by@%Z
zvLd_;Um{5mD+aytrksjBQ_!oImldsv{vaJo>$j?fBBkEJIi=8BoKwHbXUxFs%dB-%
zidrlDSv$?Z+l^sC>%(i#6e5Sb*382|)3e_R5R`d`G_${OmWsWFH*`UQUVB(#u_?hi
z%UMFcBovP-x`xMFQ_p3mH8YiWE_dgmi0<1{WnuEV%tSip@{hQ3_5Bv1sV=jXSMRM^
zyA7}>GhgIY+~ptAw++$#9ero%KU%XQAA7^8VPY%Mm;TC&NT1_JJO>?pX%l*esv&8)
z0J53rF5Ea`T<`sh>;ugDI&aF0VUG{<6}htmp5B%y@}JyXnkwa{g*{F)*IPF`mbJ87
zQ{}Do$1|`*^3pm!ZboS3XqZ*PyUQZw4W)Q@MWSzB`bQq8dv{$FedE&K^H_V=C8bGX
zB)q$ZD`po#cGpNf!1nGcRLtmz%97lXl_i&qY%YoBdv}c$W>~lE%>pm?X!S4hL?~Hb
zb=loAkFsB5zI8`?ePYa>vedtvEv@Pv5Pk77CZMdSEBc*_c+fal$bUbM$6Ut2C01r1
zP-YRj^ev0Qn(=jhXZoD7)H81f?X6(0OnYe_{@eCOs=ef;Kl-OUeYbEz)!Dp6s>JF=
zPc<0{Zz|@SOK0&o-J4oank4WpKuF0Y;Nrv4>TR%+s<T)Qn|Nq08P+dzG^7;fXN%@1
z`r>CvVUD8Tu|s(N;XKWrWZ)UAZhPk`dFfRo1haIx0pqTr%+hckYwwDNvjkwlERE3Q
z6nJ-y%HVAp+Sz~utwC_;i^K+w-|_I@(o22-$D9Ywg9A*xsFVPbDjq|6`4=AlM|u%#
zqL)$7iUrM#qK&bcHGq({8$7(&Ky``0Gk`|^C-@$^#o+1SS1yEamr?@w-s3TZZwrtA
z&+rK*0V?3e>tQqyj|1XdAjWES*Tl?7fC}`BhkqY{`Bj-fG_UvY@ZaKdp=01J{yTU-
z(+lslz3_hG|0BGDQGg3rR}T{yK`|r9V+6${mSw&Kn7#b#g4MZ?7+1q*A>!Q3H53iy
z3h()uD|_D!FCso8;BOq;%U@u*zPZYG9{DIP5`Rdh8$(f8Ka~4@;|T+K-^(B$LH2P!
z{6NgrsizMnW}OQJ{uh*-;wlX`ZhWX=4SW&>3{%b?)*al<{}AEAT*i-oZ?xt=NeGyC
z&AQ<6A|$<pkrDLz06;zM-I^-Dj=B1BZlY*g^u^c6p4eS}dFGcY7s&gGG$#3&C^{0Y
zdPxsxV$nD9aLMLQu}M~$S64QMh{EQov;7bhrB&x*6;Bar^Tc8<O3hh12hOc;&t6_^
zf<<Z+V2t86Y_SYzQf>3YjCN&Y<#}IE@DL9FUP5>oow<xwa&no3TIZ^)y?~BC60QC*
zt?+bJ#W+A1t1pD+EFBPn@Y9<G0@s@o2cCHj-Wtf!Ws;+v)zrEsS}k)bPuFs~0Csqq
z6kMWT`D`?|B2smBNVK|<A~pM<D89}-QydzFsOE7V7>!1Ht?7m@WRm18t6YNQl{}BW
zaqF<f7gM)+(lD;-#12p4GB3Xn>wVNecawo_ZS)P^%HXS&Cvz*Vt~#4rF&c0$SzJIx
zVQZ5q7p-0gKMTH#pvlV+#M51QGQXl9Y`c6-<;i~0ntSLIPF!A>xt%BAhbhNR+OTNN
zL<7*I+~!G9;K{ux_3(k>&pvudwB}Ya43tZc1Q7ZU1wGc-<N(U>;^-UZD<NeeB&cEC
z=BOo{CwhX=-X^u`?BHmP0dy{iyo2C;LHTSn52fE^4~^FRQMI3>>2UoR{rFv0*Wc+6
zX6F`sFxAhwT|{KUxBR2GnP(|yz8^emZ|}boJkQf}Tku?~=SK7V><s@e!NcADe+3W4
z{_lc^(f+*Pq2S)kk9i9CGG__{sE?~R8Vfe}oALSX_(i`oKHmd2KKGfHl7bIzoiPrd
z@1lE#ooFc;VGpkBZYddg(WQ4k%w;UU{r<^^xQyl1+fOa^-t?*8K=rThiu^OxYyR-{
zzfk?jBacs{`e%>b{%=%&;S0k)PxaXk_xl;uU*BAHCDlK)ddIzC^)TMzbQo`;L&V8L
z+~m{4lQ$(FAL%A1k4oM));M=3?;OWh;^i~WzMz&OBk=WJ&2DW8F5`HE^FRE+<uQdD
zO!E1B-q+$@K9GIg?BwL}6r7WMel!l^xMpy6jwd0$<<VAH&pdBh;j1LPmYh7nI~`q#
z3&Ja8xP^0*lP8wp_?*0RIA8Qm-iGQlzA%bI;X@o2)64?Oyd1}Sic=#BjfyAl9m3K0
zivDVTFOEbW?n&|ha+CKL$XR?^;hFUE!PM-+-G{?z`LeW;Inq1j#tx<H2iTkeSLeQb
z&3A8!<L-oOta_Jc3ssNC&e{8|W)J7L;a7Ou(yc>{_r%*a?j*Q^q?-q+!N2KMt^twb
zSCtpyzrq>wTcrDuHPn@(7U%b|Iu8D?`B(S)Z{nPoUfbWQH#zCGg9T+vx@CZ!_PV?i
zb}Q|!&4o$q@J`~)zIJG8Y%U)2C+rpJ7P{MPpNeqoyghazwmCx06LGs4PqRH%nn|GR
zn4exTSo3wz?!rCfqP3^%{)DeTK4$&#Ddx$-$)|n*j%j$l+imz1##UHe_}8z<RbM0X
z0DVQeeh@#0BP-n47F_o5mK*<XZ~rNS>wvt4TC92-XU|pr<%8dXn^V7g>+dYWEgt_8
zijV^Upn<2x0i4q-6;I7oxi+q9q;GI7JRw#Mb*$5IZzu0@Z>xhNL%MMghv@y~2kEVH
zBDjc9c$E{|fTvu9$Gte6xK^87-_#-@0Dz%4+?Tdeb1+UIrYU@*n+D*g3}sGAO)S9a
z&N`>#d0cIV#&H(l#5~qWnL*}dBVJb2B!B@_#Br^S&_5oO#!tM~3`-7C0xfnT9^2rg
z=8ryf(V=_rDU_E%>tNH$F$)h2^@`sX{!q{L%b~(hQ7ZmDsj)@IB^D=K9MtftptZU|
zyZ~A}g3n!BJhCGWk}SE-I^I5pg+XO@EQ1GvI>s3)^~#m6e&^;N$j!}^V7!c+vN-J0
zv1`kTOQTE;xgqfA5&)@@(2RV(aFbxbxF!Hz9Jex6J%+;<o<xz|xCzNEPdKpTn7%N!
zg-8JUCFbBm8}A?aIzBT&Hi>i#09)<$pj)09Imk^74|4Q2)J=_qYk=yrc5BcvcmeHa
zoCvWQ8h{&X$92Vx;Bxy8E_09*<t=&VE^=cXwx62&>6d>$po8U@UNhLWcd3|Ygpuxo
zEK>QO77gL!i08AY=!|{XTjRu5u_zq~^ssj>vPKT35lX*fZKB;dar+$$|2|<FPsh~!
zPgwU>U2J#Yx@3AcGhm1pH<%5EAnA;zkEYy9b3_4+gBYl{hexZ9LCU-OeM7594G7Tc
z(by@uh2h)tiiJlJ6TT5biZwZ@S4J+au?xX89@+Fa7`Gg;s~zc;{UK(Xfi{>98V1-M
zsr&lncpKH1?`^cU)0Gg3FCe`gWn~1jz>+ws)zQl8uzVba=HXqeu!)A)X$6Zke0#_j
zJwRL^!$-k{xX>2_u3(pR1Ejija%$u!Sq<tL2l<sl<+TGhx1hPEK@7~i<KDEYKWjt|
zu@SkXzv@_9y$1Y>aNH#1f*_nr%fGzzNpfCuVz`l!wcaf3RT`%o>zoXWIQO61D&<S%
z;mx*5(}+(c&PFAv;n(8DOF>rWN>(Q>YkOT>E5S7{T8NRorrsGRhHn&nVO!kVCU<EI
zr!P&86N6O6a_~Dkr8XcFSYf)Au{N5gIy!4CN#%bePHC7tox$Pf!e~gq>rb7rD)hQH
zwd981_J8MR@d)iU#tE8%twiv3TaQZ=5cZE-w23<~91C{4o~0{X%I6)<0SH!CJocW$
zwo|@I@(RSW(%WI-8rRAs;;rQypQ%CS;g}nF-;J>Xjf>XHE|du5cAMgta4?%axct!1
z#3PJjW`FyHwbu3YPGf`VQj9!q<D!N)+YlUqd=@ob!pEH$?r<%n5H%368sjS!@#C?B
zFdVTvnEv*3Lll<dolK{P;#_zdma~Lwdgi1%2iYqP8zIDy(4qn9hG7b$>P{cXvrl_(
z*)7&eA|n=Fk$&W7+)#f2Ct4($-A;G|66pXk&4?J9dWA?W+};S=7;+Os!V41FmR>V7
z9;?R_i!oYjkZSfh+KAxTy4#Jsg%md7LFwkGwH6mXoco;go<Zs6p~PmeNg|NMTc6&a
zCtrC>L0-%X;*3<D8itXKQ=7ak_s8XK*6kg_)$g(wOO_G}avYIwr>*w%n*O-U4V72w
zaTmX=d9WBlt-Qn12R5aK+X_ZI31=aS!MGI0x(!>|Adj!+$T>VcBj=0*o3$qJ&07Kb
z*U1kW6s7BjA!_3&7$6jvxOLu^xYZ8frR$?0W~fPFNc<9Q6em`~2FB`w=AWmdgy+O@
z<c;mbxfg-G2j=17ocS)VP&khH?;<qPY53A|#UtSXoXUs8hc81d82bt`2=z&);r2YA
zbfhm(;G`2f<i^r&WVzKYcfu6|<f&{P>xbdQZPU-mIKJAP=Q9jy8%NCfLeQ(OMJ{Y1
zgiue6L-A1x{0Ni}=G~R&-u$7fel?_!E@JS1=AX6L0#9!8eAc90&rjU|xT}~d0YPFt
zMz*XD9H42IrFd5Ub`i)O&+-#aY^~U;!DlV*R#tu7$Q-8KH&0C<Tu%n!E_C;rlimk~
zfQ`0v9US3o+(YGPiMlo($~<XwU2#e2xc9!o1?+ti<gq4&sys0^bG3ZU=f}lw*TyXz
zkl}t*Tg{ZvPg5ZI{CH|CUQiAZeywn?H9+1B9<2k&c0IO6+N8M{=f>GCuE-X3&l!N5
zhtU{o_ZSHRx>i8Xbs+0FbStDZMdKD_5$bw@F){=M{Q<ZlxakHcsR^JwZUgkI<9}aW
z{yC|A3!E7FaLRp7tT}EmfHUwrSRpDCPvX0~OHvQr2<jOI(Ku2BVEMavQ7`P1HC^WE
zE&TbxeLQkPfi?J09*A4$3J5}A_h8FBH4Tf~dQyqm!n(W|Uj}oMf%8qM4ox>h_>DAw
zRK;-V-A@NcfzJ3RpCPE`>UVy(;65q%wa8F36R~bsFOf_<d;6sVG3B^$tII*?J3LQH
zjU691!($W(lQR}hn5)zaATg+T1e}4UrZ_0Up*&)|sTai=D~{FPK1P93sRz*yu<Uix
zd-He_=nL@3TnKRpZp{YL&fY8k-USR2=;>fJ5myFCZ!gmM7>e+yEwv|~)?Q_HY&GyO
zXEEdpOdVD&aTGjB95qc&xmQDc_$~{bxl)<9oSt`yBPnXUoQ+40;qxCyNC43s0>X?N
ztK<r#FS!D5hvONMB6{~-ZdO|akhMU}*z^>)I-s9$RJDwdw%<qNa4bI%n*fE(X-zG;
z<_n*{>1A!z5NZO8;KkTJ$%(h%?s#+a+XCLtpi_^Mqb^j>{P7e>H@tQY3MIICIx4{}
zeNRxlBC%<mk!%3xUHrCy@)ilGv=7QnD9dcg9>&F>h62BK3AWUl*&v)JQE7{4g8FOi
zw}^Y_|BYt*HM6gbA>Mp@Z9KMv_{e71yM2tG<^eYI{J!FccMHeJMeBq@0&!X%q+cX2
z@)s%GB&Xte)>-+I2U2Q4x_OupQIdJ*SfUG|>sMeQbgws8k_)sN$QLpS&<YS;iqF(!
z+s&!jMXevtTcBOA8xsijCJP%M8vrQ-lHZasV&$-5p8#Q8kP+Un5sDEPAl%f^YP059
zlG~3RAbyF?QNV~qklbEAK(Q<7^e{;&xQBg+^|c6wJ&(WnY#*D40<wXB5xheKI$<5s
zrgM#lm;6bT?3NeqSq9%Al0&l1P6L4C!(ldzHhTgi63wP>1)^Kwi$-j3ghzP$iDf)s
zbZp7)$O-y>&00(32$ctT?W#M>Uf~@=px7(eR?Nv`*U#Sq#0YU}BuMcP$aCNblCAr#
z6^LRZl!!G+RS!Hect<n#f;tz4Mi8HpKs0g$McxP!B1)__#Dvv|yiTteD$PH35^-%K
z-Hoh{sH?fwCN|?M@LpXpfJLL7Z+cIj-NwFP35(`6{%Y})tse?(2G}L(%pjXv_+^wO
zir2>+(8w14gC+m^+l_7v0^e;Un|AWt&tL*6k$;k)yJ4X0=1E0%NlROcfJ086AOsB>
zl#G^ClZ<9Z&&G@pDOjwEbUU#VMn<2s+O0G+`Lf~1Ygz6TYcYTWF$&-TR!tW`&*g76
z@lw(&m}&(qLLn-krU9Q#9TbgIx_s(y`uu}3mEdeI*?fXwIbcQj#A*Pm&q`;c7~1U`
zxxyorp@QHA38%=tdY0oRnFj)?Y>~SSdj<~rYlK_j#UsFTKOmX_&qiQ;nLn0Eb5ud4
z%sA}58CGqiAJ39&1WT+19MByET@d}*@9Sg649BvwDvmH?-xqr;l*SUp68<m?ID!Oy
z9a;qs1l(E2j7SC_3W_~oz+p{dtPx;qoX938c03*^aIL1p4kM?wiJ3A4ipho)z>k2o
z*rs*mDfSKU;Y}tVgTnrx!A({Jkf0KBaYgFYku`(f{5TPBu`UmdnNT=lUfJPUjb0av
z-tIu3)(+2A<f8Z`8y4+H7`EB^AZ}=tea{BiC%akpA;Q)w$09O-5EH6wkd~WX1(@uW
zHUuJzr=yPbwv12!I)_%G=>`Bb>4xRgB%+Ae74~wnRyEkC5xdt-h<*4|QX4kJh-_(K
zUw0(E5-m=pX+(Xn1+%n28|pO~bwL|6%w%Am0IjA$>=k7*+ZSnyZG@Y~*)&@0ZySdx
zI0Pa1p3xP~m_n<KQbzh&;!|B1!4ion30PgffFwr39}%;UtrQUxvP4g(;}*L-MnA2v
z14C57nQx4p5(-qR4l<Fh+5?~nHJEgXSDu*D^<t=#Q^POgWW~gfumxkgWV3N@bRslK
z!;Mbt9Wj>(&maiRvdb7d(BxYO7){<J87ajRl5!PnIqJY8VX-U?lPIc?KsMywVQ)0@
zz}xBCq-`L^)iJ6`fBP_7;pinpC)|NJFq5}xFamCYg1P3J*s`6Z%2b1%rciWVWlw{Q
z>4v#~hu}KRg{l6IB&ea6-5`ivsssfOv3HzU9R?-Dr34FseDFM@DZtx60PlNH7FZ~-
ztrJoiSb)efu^7~KHXsD-qwQv(#1#grQ)r2X1G|OqFoOQmo*MKuu`e+^Vx!s+xYQQI
zMcrbnL~rcsV8mtxf_uZHkt|3vf}*s^h;)N#J;dO79dWc|i$Gs^TdlNL>F8_J3fkof
zB^b?^sD6dh&6Tp;sw)O0BH4#9A7<Y~)De9Vt%)8ed0bCSzu6D5Wm?`pRuAY!e;M@8
zXlQJQ5GKSeFGs~h*?F$;<)ENOm4@uKiPG-MAfCPsiI|pyBki;#vCa0%?5ZLJt5bq-
zX#z(N#Up0dG<$Mtq9vsQDr46M&1CYB)=bwhfP#pSX3R#MhrEY0W@!d`T*ZLc5_&6m
zH<4_IjT~~Vosx<xVq1u~8}zB=^|RPdvOjbX(-6-qW)zrrF>c8GtKFvd-~?i^Ed{F!
z3E_f<QsXa)i!VV$#L+{V+Bahj!fL{T(JDk-HNcArI6o4PoR*3V$Q0w9<rt5hCcqh^
zQpAKIzbt*9T_kH4&}VB+aE*jwl+}HDC>vhkM$!0Nh+sE+-nWBS6O&ew8j|nE4%=KE
zQ9ZO~?2|t*3NhLXTpfzqYDR^{@|d{1Hp+UE?$5B0YpY2nPET8Cqm83E%ko(GK?Y+C
zoU6GhCeWtYN1fG*b|S><4>L`1I|4jxwdRbm2SMAf1nOv0aDj=nkxjq`mb!^9JOM(X
zGdA{My-C|t*(E$;@6ZQ!vLeyX?JcOv?Bz%Q%3t<tZD(FZE_RW}QsLekJxGN%Y352B
zP9K!KmNm2%(DVDl?B|&j$Wx2x6f%)rK}6#~_vF=OM;1HfL{NDYn$EVMp4+ZA%1qNV
z%sz`MfW~?j-H#=0ZDj-<Kp?9(xZB67@U`tVIt}5ib*Z^G+&cX-wCD!J8j^~o@EQ$*
zzXo`!M^tx%-6E02)B05YXQ3M<5^voC)#&Q+^;q2+2H8BVbR+APxzdfTkFAYtx84H2
zCB&1i$3)|G@Pna&#l2NguTT!!Im`J~6ze(s&6PfmF480!t38c&K#~T`y?Mo^3{mVb
zm!@#GvG9r+$y?FA?ql~%WH*SzEe}a8<r{r~D+C7EK7qf638h9_e0z#V2z{%kC{eYV
zk(!9wxryjunAaxM^w^5XVXlDj4sq-v?RU9^0QV_PD}2pnjT&8+OC+pqkhixUu;0Om
z=CvZ&*UN0yVPNDYh%SuSsEZ?i^ZCbG0CBdUW)s&aZLtFojm`p=-vvzO1l14_&9y1Z
zbJ6Fu?T4xj%Yheh4gk^hT6DMsWR0=tWZc*$H?ju1knB)cjbJk?2Dlg|6oa|k<pLrQ
zQ;Vp28MaOn0jJax%&e6(D9~{FRyQ?-a63q)Bi6xH3j;so{{S}9!BAK@Af63{fUgTA
zDNKfKONTh22EeYy#}WlCO6HQsyRqEq$c(axFDTI1rL?CpY&t>-ZGE(};nsw-*k!Bq
zUQ@go)4s&k{ybeUP_L~7@t9oJv=hbQ6^&}PlpZu4W6|fSSq2!h!DT($yX=n1slrcV
z=vUeK42wa1ys-aIz!RHkO~xvXr;Wi$XP3f`v52wg1a3_(I%ysddut%{HJA!zdR!51
zEA~ggK6JA`#)(75iEw!g9BHTEwbBB2X9zC0hcNPkKnzQhlwvb?kSB0o$CFHB{vb?1
zcAc=4%Fh+P+hS1n+`O9WhH<PwtgD#uK_;AKiNsuKh^Nlbw*j*OZM^Ol>IS6(DVv(s
zFNd{-Rgc5amGQ_*#bje4#h`?VUdsRec%(y27-f+?c^Zq9b<pVG2aLv#4tF4rwHT`C
z9o&Q9ZN+pVTLM)7s_?f!bBxt{J)A>Z^wV&e*m}M^jj3b35IZ=v@RKv<{d0kg3P7{L
zwSWdesv{5dWgy}O>$y?7JG8zhrOGeQ3DkP1C{*ylRwrp_b;dHn^XfQTc4e=|W~T!X
z9^dEA3lvq@N5e3elMq6i1@u0nJ7DD_0$2ADFaUmE(+L9B9S%GI9oUFM?u11edlE-n
zIxl&fua)Uat;;@;e)U7*GmBzJbXEZ*r-PfrBz+kwC#kR#D5jpF?8St)9;NfcVxTBI
zD(_<c&4S+KL{JJf9+`HSj0n$Xjq;8lUM*X@G*`v5Qx)hDI`(^jjH+)yuSMXP6J0FG
zI!)QA<CyjK5v~lmX5eGjUlChrueVNnh?oATii0^Fklttn3Cg08Kc{X<O}qq-AA1{(
zpvV|@m!l3KNHOd#XIqA0_g!>jqf_pT$LgKP7IR_}T#hxHLs1k>&JRR6Xf)V{bc+%u
z2K34^aqEoK_jj-p4bkOkQeja%jR9~K2|B3}%V8T}uM$_nFm%FRi<$l-Wit~WcVj0w
z=|BNo-XGd9irpb38}DrN+9h$`HZs2*DWfxIl?-e<Q2SbLvk4d_Pn+YBb|;p0P*#{W
z6P!JtZIM~5vVSAEv4dj;ker{Jnsy^%k(-j(Mtdu{JPDnb?Fd#AoyJ()jU^!&tLFl@
zKP_1>9%itzKVn^ivBBB|sG%@Kn!B-;y5M0=aM)qB$?mdN(wyJ7kmVd*BOPTgc^UQm
z2x4ZX#EiW~#~r)Uoq23DB~agUEoAFZ*vA}OIa01Ml<;_*16eUU9b%+rf9Q`xMizO^
zv3e=u_F?=14$BJ0nT8nW0BPbftgxa^%20$Q8Ac|}+gdO2w}!p2#E999zY-j2oYZze
zEWijrtT>1uCj9`gyv*MMbn~cWNN@mPtPMIm5FbPYfEJX^g~LAg`;ObRw~-%#F@cEn
zgB5e5!4{dAD9^db0Mt{HuMxS{VRqe^Cs1&>i-Dd3<G=-0lI1S`575~>gq&0~a0|q1
zgh+5;THq{0MhMv_fcX{v77A{O3d8Ei4-F43T+tBpi+){j`-)fYWxx4y9IW78j0$Eq
z%RmBfaSIj>7eOL2L_NvufHjHBtni^wx3ZA{z04%2YEqB;7)t<{!xY3Al_gl&=g}Zf
zb!>Ia_HnMzuKNwxn9VZ=U3O_kx&eB~j#VZ=3I>sb219BFv4`-%PB}TXaNLn6KJ{>%
z`(<o)!sMaYONt|Q^u$tP@7ijBuM?}zRXYTKWBF;}s1jvRf}fG=M2^W=s{@c8v&n0i
zO{jpnpiCj%n0?HPG5Y{JR?4Ox3l@;8l@>sSo0}t%m+6D89hMyphTh`Ac?_pNtKsdO
zBi*q7JKrzIHo(;@tThB9E$Vt6vtwZd4MqqeM|6Xb4p*AAt$~RS1v(waA~3X>*{b8)
zNP`ZiBS(xr6#qZ$y?cCJRhj>vv}v0{VIQyq0jmU!nks5SQ4?Dvr%C8OC6Pe6Q~~YC
zh@BbK0_V`8Ai;Ce=D0ah1qM_`>!2eupfcaVT5fI9(56Mv(sGkqL%DRHriB7R(?aR*
z{dv|tmzLrnGxL3Y|M*4eS$plZpY^Qgwx0E@8zGI#0UJ)ZsTldgsN)T|V)99Q=@k$h
zLeq6OS<vOrax~~L%;k6<pH#CMTQ${?WsNw8(yVD50ps_5{oJ1~pgTAko@l`h;UzG}
z$ESlpesKJ^n~T91=~2U&ZdRu#fpI^UTq}?e8%wQhAOC3l==JSKKiNK>V<)%ZT0u=h
zeUR%9NDV<QQmYx8DOwfbePs#n-by;>-8N|0W(jyIkD3w?dt2oyZXMp<p1X4L#06_I
z^idiLF=4@cF=Jd!K59^_6lnKHl435BM1}E|+SP_tk*q*^21Bf;L0|OnMEm#$>6qKc
zzv5)z7W?AOh)13oUubL+5&TNU+lCZlQ5{2a=q%`Fl`t(-`FQr_#^2G~eW-fW;FU+y
z^U>RBih_9oehzFLG(S#@jn-6ZG{O`HVgaHGyW#xYr{N084Q=BYsXW#;-p*}VTsff9
z@*obj8Rf9?5xGZLW1Rb8ynJG!$ip>^UwGVhfCbp-yYFj!0%ERdT$j7yW4rb&UyPH-
zxJq*nYt)iHh5gVJn~q>K!u%YT*v{wT$fp6^H4e5TD0l#ek7R#0{xy2F2%}qdyyw%E
ztEpP^SaOoYYf{@ro5RK&Bh7f4DMPtri-i!s*W*_~Gh8bze_)h5fL-8p#G_focEi!b
z=Xd>#1qL9dQ3x>y{Sx|pMbi;~BKFa^Ci|kW!w--$v6SXdJb)ex1kfHrbB<oORsIQ?
zm4^k%Ry&eycY#e5=vE^eUBH+fH||`n<vw7>=$dIAc~INrFUpm~gQWDbMi%@KKw}Ms
z1)iU;TxX{D6^7_-x#Q}II1mt!x5@8;xJKCr8&?ttXw>n0ga9gE(y5E|>nIYdAnt2q
z%Ig3^_OEcb*>LuiqwhQVHIUA3gWUIxt9&%8w7C@9MmOs08qQ(d)|R{FBQGtufDz==
z03E>4GkdsML2Y#yqNfIRn%Vlj(_A~p3-gNP6H|qVNS4if;gg}(_l!F+cT7Dbw0PqK
zN2}OD1g^F#Zir()qyQ*J{_MKfHF#{V3{5PvzvK1L_zk=akA4}VZ5=;cIY6mr{Gh5X
z+chEU$J#0fG%Yu8BIn1nWm{_6vi_vDY*%etb~b0bly4QW{rlP^^MC97m<P40`L91e
zrv4qBA46sPJ3j_-`Tx(4VFkJO|JM02tflY$tIm(Pqng#u?$C_?H_wmZaG9fe+qsRc
z^}W6Ae-pG$vcqK#BhlM_I4|Gd+g`)V_w}|P5wzCY%Ogqjw!b?_Yb7^J*55<15B0WB
zqSyy}+uy@gc~<PbBzoJALYZ|yjqNrl?KfdP`v#7w*e(cb_c^X6bs-1WxaHy6(yR61
zY_hcl;v86GE5tdl#+Hb;)wwm|+~s78#M|m@l{lMsvscy$z49Y%mgzVbccje|+Ff+T
zJ*wWFjIJ7OJv%kpf_7@O746h$OWLW?*0fWjEo!GmTh&gDTGl>%<=*=NPoI^@uJg06
zX@8q8MCCF79g*`%wpDO|%-nsC$eH`L&yKkXlsO{jR`+B3__OIg_q4|SXfpss9&tZI
z{3PqR-`F@1os%;+Iw!}Vu{E=!x$nYfdbaI#E==-NPKGg>v^tWsI*PP9g0wn%v^sLM
zI%>4KHU2k?^nP~Z9WDHZEjlO09S#FTTlU}T*xKs2+Ul6v>Ui4fSla41+G-3PzNJHV
z_-qRA5#u0WdUs`shMh<Bad|2<EFQrVPY+c=Qaf#kt*4Vn*Yh9Sq4qg(=pB(W|10)w
z?9J~toyT($`y0#7<I#P3>c8xE2%UPyk@de2mAKH^>-n*f>p7ob&fT>l+3|?#Ud(u>
zgyYN~HL)#w<6bQJC09AHbIM&mAO6Ii*s!@VyvOmXwy?bvz3t|EnCY;aL^}Klh4#hn
z9SKVQ9PPx>eFniI;Wt>m$Ap6t*aPy;cA5CO`E#=d(nK(SH&<3zJ@0hi$?z}t=6CTt
zh3I@DX2{$TMKUQmgy=OHo4t=HY61zP_~vk1nf=jm2i(8pYv1<_+vHYtA3)ePeZPOl
z&HwKH*k|VN*yQ(b8O7xlr}~wBiOFm>8(}y5k!Dh+kK(Dy_uAHJGq&G+nD^~7^`Z#C
z&#pNg2(#K7AJZX7_iyoYlTHOejs&8v#hfIkWA5UWiFE(yc5mq^dlKn^(Wp)p?&_wh
zmcDJH(wiDMqt9FV%f80;ig@qb*R!koheq}9u1XJ0tK8zByWU&+efO$sH}Mm1>B|0*
zvGMe#6DrsF*LzF5-Mf}Ic=K(gJDMMh_qObrpXq4+)5R_1QuhFs=ug>|^Jn)DRrPHd
z6<^&l>iG0f13)4G#X4Fl6S<br@m|g=YT?L&<3%90%4f&MIln-6ZMhTWpvLHY-qf{Q
zL={kPX`&MN00ndrV2ni}PmSu|Rh52fS|#^Ae@{4;A>PILf3DKuEB)+Y%N{~>b=Xx#
zU^(mo?)@2xpFT?``&2MYWhZ>@6!yk%tsZV$9Pb`E-phQAS2`o0_jnSCb06`R{-}jo
zx?j88%Y2wD&O036{n`oMLfzw%$im@%0Q6NRn%7)(Y-e^|M{f2W$9SDR&^BsM@&EuI
z<Yk_qN>T@;uH&odiwpnI*w-nv)JdF_t4jF6!G5l-Vw|7uuku+8z~N}#qE>41mX1mg
z;9CpIbXoB`*sWbL?Vyy-tB^ExG_Op4oifu7N^YNaKyoXr5Y|Z2G}v~{K>t%?IY3Xi
zwoiU^e19U%Ry<-+Yuh;@YXzh3Fcwems_Y%@Wu6AGGOEcK)!WM11G;Ekb@ZMzik+3C
zsVa4??W>*qny#ICuNw*sEbg8*>Hsfu6f}=7)6Pm}T?o>#%W6dhsBj(AYh&10%eZ0L
z1C%j;qnlzC=~b0%Bb@)~J6m{&FFT%p^E$<?^nI=S{?2{A2b)p(Hz;|#zPUsHsJ0<I
zKx)fT+G?_cAGwSL!83`-YYU<Fh~`)FZOPv`eb(&|+MV!Wx82jaE4D7i-mQ2y`M4jw
zdOw({yHeEWZ}@1V!?`bgpqr=cX;=1Uue`07m$~B(_1XtvVr3(npZqI!Ru~J{r8e9#
z=cO-Ktmx$*lfmVJ9NF(ITWTr{lGnZ(f>$-J@tYs!R`b-etH*p{Y+c2<tH<2&%KM{p
zd{*eV0JE3bk&k4oR{#2-Ez`^VT19qcdi%NkyO@T)A49R0JqhCpa1$r8ymjRDwNecB
zXi8|;xbgQ>DmQUF8`?B8ziS-3vAm`08`t$NT=K5-P_dTYTbGO?p_3%8ctfp8^|l4q
z)b-KWw&2RTTli%fFvzgVjh^BzmNAm?YJQ^H9qC_?$%r;=2B}V*yMge!|M%;!=<e?B
zf9)uYW^G&Lqf|WkQ6@N_uAaOhKKZffxk+f?24;`0>GjXuz|Akw2fL4oQ$`=TZ?<3n
zpRJz!;N)S7F~K>CZB3_L(@Thb_fh?uVjOT!e)REMd_`n$idD0&P>I8;a%DMElOJ(3
z?jNcl97x<RJCI%3KTu8lFV=rACv~o_%wDnNjW1VZf3RfNm!a<umb}Wt_m;qKQ)x%L
z<fWK~AB(baZ~2DS+@yDFGVjs;5wNXJ54~IAjmP?*j=?6*gNH|tP$9wJl>qn7tLR@@
z4aft}gU$VGs>vID9`<3O7}UQq#;bAX>7=6`U75w&|HjAoUtj)<NWIAmPPK&E6tMh!
z3>~vm8;rSj)BE*x=I6-Q6}$Q*Wf{4vSL`w&&gf*%D|U7B@3J94CTX>fUp#N|;5c1K
z<>yY0^>5)^XiUS&)zXjYn8AgWC$e#P;i&#0X!TUAZTuRZCoFWo9SeywJypZQ^la4?
zbZC`r%`4}x3C5*I*v-5R5lW97>}9qBJw0+j@+*M0DhqmZS{=@#T~EpZKjA0Xo69u%
zq`@(RPrY9#b3Bk<5)rSC+SAhj;)CNR@Gjp$()rzk;|^BF)B>HBOI72`q^r*VIb}kC
zsb5_+<;2%vCfs?$Te?DAY*a+>g_`K8e{-yH#9O+n_*moK$Jm(6CTshme{(gNl~dw>
z&c>^z#7DC6YWN$Uz%eeV>tNQqLBi@^aVgb1{DM;^mDgYEEqxL(N(%wBIIcN@um;uc
zHo@v2ijhl!m1S8-ZB#HO8&LM9nm5Ad8N(+8pDFRJTD?Ru@M0pZ2-;ivI3H%M-YN0z
z^c|EbR{K;<J0U)AX`uHY0cWd~1NeB%+B?zOD|wDj@|$;fJ@2QnwE07btK`MCySuF2
z6U*BTng18sz17;i-P#RLCK!$};W*K7)ING}Oyd+5>{&rM&PK)x%F$x!ZsaIA*3@Ib
zX@xdHb6QEv9bR_DR(DR&3=V499A*$$sq4#p6-?uzTOFB@JB!iBM{*PICbObF*SQDh
zts^(_d-34VM0!gsJ1Z6sPMw&YHIbj1>@3a^IdxKd&)V#)N#1uk2(Ut)NOq&iEk{iU
z6C1px_d3G;RE%K>@|GAp#mIY0|4lhKS^AkCO!&DB*pvysl+p5*-mF|bVb7*axYq31
zgilEg{PY{K)X)6%U@VcA|B$atT@%lp{)T)79X;FsR8^w#cZtdOf^$6kE-<W$XJ=LM
zTg`7Zzf9ZCnt(YHHQZ>1u?!;&)5EnU4vae@Mb){7ye;+DZoGECx%q2mbp&Tt2h*#9
zj|WG_gT#dRl<8IRDMxnZX2w+Cl$jIm-yNTFYIV=6%x8E#-E5I(eA*s-Ddv6mRjO~x
zo%2SgF5G-V9&V!l=`o#^zjJ!WEU35iHE-!)|MNA$w7W$emVr%~_8UhaO)1pq2?DW2
zhx3iSrLXE4%a0%XYH-|d^hsMIt0x~I!do+a%5gu}r_8F;>&B;CSVe9un2<BNAJ-#5
zC>T55wp&r)pii5;rT3f|)ERS5oKk1pVTz!A%9pD9hvDNxZBy#((<u}FS<v}ft(Irk
zzbz)t0oLjKwkZ>Ogq?v=|Fj*HAI5kDldd%!CiNJ8Q$CMoGdHqH%_R>2nlahJ;l@&V
zW$`uNt`4et?8B;S^&#`4Q>IS@C8G>^q72fv7MV+=SJonQQ^@68=<`4@(JGxjWn$DO
z@o5BeD!ie?Hcc09hprHSx?Y_!v4BZ|WE1XIt=`ht4Tiu@nfZEq@V+U$pz0|Tj2E5F
z8@!$dgox|oby@hBL?z3c#9Fr0m9dugm3Rx+wVVYC!@vKU$?(f4pgVM?TmWCUfc4rb
zMV_vYP_}X)3SZa5s1qX^oH%8o@s2eij;HNYPN|OgN$Wu)7N3%s&{ibD_K2@A1WG*y
zQw#)<32WV}VoI)qY!6e_59J}S2w+Q1`;^at*!Rt2*i?gm1Rsje)pjA!dc$1<MpsH+
z6mTB$mVQSW%vS>kY~XVNP9t9A!<^U|Wk@Q2<UX!uLB-1cr)vympBbG3SoU|9p5s$a
zsnO~L<Mu|XgFOa9-3ztGr^F|DOP3nZr>iOX8gc?v)T_$-d5#oRaJ6ox-^Gd20teb>
zJ+I2B=hZ~nlkr}^D&E^w%^BqFy)}#+C&YW_Rq6%A2ZQ$B*$iIijmrLk5+ufu$WzW|
z&k3*l^U55{^LSZPUUVHuBlCDayzmd;`5>M-<9tgD;GPD&<Q?qJ;KN_S{=|cCV1IOY
z&R?)UTC=+y_C1Y|ngzfGWF`}R|Bdtfm^9v2V~_F);m|736Y(q$XRu&~_|VqSK(r~x
z-R(YpLk37s`j*pO*7m<(wurKT*rPW<z@4FqvVP=GpEB*2`WW*QpYja^^jZgM<CJMV
z0#h<Ql3g;S$&u-i#>@Nw)4&Kju4%;Z09Xs!w$y0!StH{@6*6M7Ligxd7><-|51)de
z*&e=?MbQWQ+8%v$udEJiFtJ)M%BZyaUXGj8&)S6v0)`fBVS>u+4<wZyqfda74jZyV
zGBA`cSRS<n%cER1I{36K51D3pKDoE$fvMh720<7$G1WC+)}X{yvkFw?S`6b#ET$n@
zQxA~e50lH8dqEW>E%F!U()<Ef*`;LwCPvNJO(Ub$MNEwcr%aF$!sIv!+2}3Z2#`jM
zi?KHQvZ&%nxyMS8&hEe&h0$hna34^ElFi|{Ke9QjnnyFu?_l7wui3GJ1+xR5vOMG=
zBn2nh86e}T0TE~WH`f5(Oc7J8CFo{>WRA_GIoQtjV5Na=0L=d2xWA6HMwJvC+sN|h
zLoCQHEwO$s7Ll`n503vX+I@%61P_e@_Hy_ex92m&9HVi|t1CUP=V^R3e3COeS^08C
zXLhwh(D&(>!9SnQDdC!eNu8y0%oCiKm)*(TwT;ApUwAq0ef{9@H7=>ONdp((qGncO
z#v3LQJ>ppX^hhkVHIZITmpjOX=X4$3A)OVe+s|t3E1d%>(9cKs6y_g*GjVMESi$No
zgB5bfA1JUq3<L^r!};Kl2xe?g1ZR$@61%=4dwO;1KlZ9;*^~IsHcMRQzeVS}c4k-E
z5wEpO3Hia1I;J(oJscd|%0iUc$pysZ6YRv?){*<$J;U{7-!ra!55ww#%J{KWlhaRo
z@!l%ta8?lvdnGxYxM}JM4f;5U9K7>(__2<H<v6klb>Rw5B8!edn^2d?o#~yoxO-G(
z>SjN^g;3rDsh5VA_*BpA1b2epQ)|Zi?D#q5_mL<VM@V>2@^77=I5Vi?jyO&g<-*$U
zb710{#<erERVzOmOjzAP81MW29h286Lj&B7%KJN-2UEW%CP}b(SE_pWy^AgS<OlGo
zk8#06{$%bmm^b1#-+SS+FAvaP_~|{K#6uqMEN|i0aABFiN@QO~P^fn?;bW$$6Fc7j
z*<4*LQMr<55Lrbqx$?oz(Y2k~TJQS<i5=&1iSzoIxrrZXe9R|^`u%~9N-io|pBUZ3
zi<WA`J-dc-z~EN2XF6Cj?tT9rfq8&JaJVJLS3svsjf3_6H^JgXOHBz@?S5g^Qb<TS
zSoLoOix(~RC0Gsnh1Eczh9az{w}Qos7H$}ZKZbwHeqpsxsHF(Ye=AtLXz@$1y7mjJ
zi$YyRShL>>7B5<6mtf7=FRVEfnp1=|_pM;@qGfIg*1Y|~ng^Ujdbpdi^Pq(!V8^*5
ziR^=j#`_TreScDJ;)k7REHH5CZ5rxzCn~uFVYkPZBi^EgHrqF2dwR1+z?wlJrl)^s
zoL{+`2tFb^&Rcjg{tZ?5J3fdxYg~^&0h_RtU%4SMx-yZi1h{0t-*FzHf<Bs+U|qAr
zp|6t_jO2}uS0@;pQ<AunO2#@Xk$nT#XW-T+1TKzz#xZrqV2Tlq;DZgc<j4ZR+(czk
zw1%RR(FkJgTR^N8G>X=`itGOZL`f<5$C=0!jt%=l>~lCaM8%lvRIw&#>~O4!2v7Tu
zG{VPCR)N^Wh#O&DPYAyyy?LC>&dItyy)(O}BRA<Y7Kcu+#%>58b1WNRBMQtM52U8k
zOXR8?M57HRsG64@%}*w>T_dSgiOQYlEpA-jIr<QacV-WvmTJ0&xSe*LdM+B9gHis&
zHVW^i*J3_pPx7$AaWI#wJ7!c{*5Hhoel@XU?_2Cpyx{Vf3QzJmO^yC5H*u8;g(p3~
zTUVfSAH>$(OjbHTtr4JB19Vo|{V4>VV;>?Kx#(&>*5IF57M8Fh_)2w0^K<iKZ=Mf*
zjdNLFQB|D&?GC@6ttxw9(W+!yM{rTBv**=heWL%F(Og&H>$Jm7;k6XuDtnR~uzwS?
zfQI4;py+4+k<Q~EW2MeuVA*#1wc#F%vsk+Pyli4V*0FJ0{SGga6CQ!CpBbQ|tW3V&
z56-~WPkXc?>E*A`%k;FB6{$n?KKqED4l7gJ?i5XQK^2FW!>ZS_<3b$(-P6aK#ni{S
zCaR80sOaL#i25psTAm;1%7lqe0HGr6Q#+V?VIf?^O!X)Cpl;jFBF`KGsvQ{qeyM-$
zpyI&eB9&?mLZ%lT*8%n&*%_P~dLoZA=%l&a<qR5hVodzDK+K<K8KIe@3Ofu_5N#0O
zMa42SPZm9cS-=_c`$tYlG;*Ty`~1nH(rYTSqaBjKB>GdrN0^|@{hP*e-uK0a3n>om
z&b~-QA4IFx`5VIYP^CmK@`s>*BKr!<Jo>kdT}F@%3T&<BIPLi@I@y`UE!kI~Db@;r
zt1oI1If0mG2$_EBgbh!lLE$pmK<MqU4SoLg{`*Jy;~(*}qb&YhU7%y}{+GtS%=+ZB
ziCn5OJO!i3-1sktA1Yg4(4kZ6$))zoAq7x^2|GBh`)?xu%i?C{x$SC69_o8H-ha_n
z#J>n%vkQt3uVF6B^c{H61Q|k9s)zAY!b-jiCalD(NJ5sOvBP7fhrt1NoPZDv$DE%c
z7l)-Tdsufv9e(b@%8R!8mD>m44*!<w3x8xJ>l=q%AC3Q^7$yf^pFRuAEy_J0a>{{x
zF9(Y!W5b6>?dZPrJxmXcmt&S_emunyvB|n|9oZNB$xr&MlMj!xcxMv43rh$cryDsc
z{)KR<kuJ4~PcMF=Gw6(UR6g6tjOyc!>m&Hy($pRtpX|;A7o(-0!ZH$XOmC}94_5md
zo;zv$aX5gRQhzD~@7nF~e^ASQUia~uz~1=FdCTLLvAklB&w|%P^R^355+*FX*ckp>
zem65HaH?n9%-nGwNq$^(?{so9NQg7N*&)zZnO?~}$n%w*K~+;?L)g}fNQJ2f_mUJ$
z7WCuza8u`(!GgJZqhbH>*zjXWS|=MbC7NPgqPfpoq%(50Lg6G+b-#JQOD`u&rv=A+
zCZlpyD@*+H10TcR@yG~*fXP{z;-;lX#Q(vzl_PwGfk9ASq%Fyg#MHCvsxN9cLlIxr
z!b@!foE$d3S`Kd_3zeB}Mze;PjP=KFms^^x+URe1-f<To^D$NTpqHi&Ux1SpiQK#s
zVD#AVB-Ws4Ch5~AM-j8XFo6B_G8dC)&B&ia$~0XqPh?+A^yg`O|NH~e&z+Eb7pc_2
zOeFrKG;U(TJlRgZm-&twg$6YCeKt4o-h?DS%YVVi@PZln?3&KWYoO!&XZ_~>ix2e&
zt5)&>WYDE!Gpgr5&wwL&q7fXmJU)JV3vbcVnAXuxez7r{7fJ-lz7h61>!Pa-tO;K0
zkKcu$C9<dWiPXfpcchqL8<0Yu85_R7V1Hz<q#l#00b##%-AG09@ch40M?nvj<@H=+
zIBltfUmR*G-Tiw%xHzVprY`*h-+03xa`dss6xSILX@7~<;lzwzm+bVL@3*<+3%{nZ
z!Ud|b-l`0M?>Ari(8z^#7srNYGZ=bE&+A6!PrPuZtUzijXoHNimj<M~zm2fjENmiN
z(!-02<*g_ddKnC4nMHKo>%&gXUO#;n_R|*0plgkc;O;}zeV-ZPZrZDX7)UlHv}CNU
zt|>f$dj{<)##MT5NCfSO@Ms+$@11xc5~ExOV;yz1US<@%BBH-ao<ciTi&yj`Bc0jJ
ziR@NCyDG913`v>wOCceb*3~i!dx<WcaVzIR|E@zzftY6Ty<fjKF?v!Rzh~Fghd+Et
zLYV>>1@EC_`;*VAZK~ZEUd}6>mW{<#ZOt!t^8H9+u&N3qDpFS~n|_YIxD)G=YimLk
ztsNT7nz}Lx*$_6-Ol~*Q^$=R$*weRQvT1>8)z>vBlV5OTID-HB7fbU^s-g*D6u{W<
z{it<aOe7foVI)ucl{eXoz2)r|a*X>0d2_yrdUXZ?=}Xrja|aH;Z?Q|3<ZZ3w?f&Fk
z<jwo`RRYp{ulMcmk_g5H2lw=StD2Q8y$g9}6T<UHwPapRR`smC{96*pkE4{JoxFb}
z(VSd2a^d?gK79D>BA=X`-aj&b!i6)6a=Ex5Uj?l=N*Fq%yv$dSx%^!IDcP%Foa;w|
zu{$0a;QuDi15P@vzszn&1e@e;h;}vRZ?Z?X)^9`zkE?T+0!^-}lMe!I!<#Y5@S~}4
zUtaUWTHyYM1e^hQrcPqm%uS~ok`qFYIEZu0PU;BGt&R_l75L7cXObVp`-#m=UpfR?
zCk}tQgs;m>)hE(h(P!?2+0poF6q(7#?4a~jMc*v`g@MI(diRd-70!KkH9h4ACvlU&
z88PPfw+*8#t1v;M37{OQG0o^nc~bt=NqLQ~=%4Uw{K^48*G{*5&;0w<ul$5?$*7K8
zo%!R#A8~SGKx|ZWq)nCZscAz`pSh!6<~+y_7*^n)SPdMB^N#QfhL+cJA}^&sqtA#9
z|Hj#^?92HOQaZ!%XZ3&dBCnwX+@JwR>cjP}qv-v26RIazYizuMNzq^cZt$uic|Kl2
z@=ypNmAs)yh!gzavg&96!8l`%xxVR3-+<zW4j)#qZ<sK0B+oBEZ#kcMzu_mJr!lDG
zXF0qbX0xcj;2}rr06$Tz<`EWu=D(rFqpics<9EaJJ;V1F;HzP~)q!QP+?;m(-e8pX
z>j6~!u(01bHKViVpn2*D)lWi(4zBxnkX5J@I=Umfo+I;h6X6DkMTZ2GsHn5g9h#nm
zaxaAc#|orw+wm9xwd}E5)OoA=zxA=GCf(;jO`j^&^!Ki&!=joT|3lsDz?$(b<=A59
zOZ6Y?>R)U17rtFAN8v5>i+-8gNx1(Fucf44zXJ?k7xn9}{r*6)qV&Dne-iaSa{DpF
z>8-O-QCZ4@MAe8?(*If|_-!b>X;OyXv?$?aG$6&2*EMuD<1ZqMUgkYyC4#TgNpDNO
zmp)3}Vu+MYz_(uP(vq)j>YsxzQtYwhQA9^o>=B9`G<=BoZVxIqEIHIpboB@C!PIka
z0{6itKdP>vI=qv?rQN9&{s$?nKhc$YW|w-0$S%oS<-SciDEE1)pL#oT$2}pRHu-Uw
z>f}d=5I|0_<p--lf0KP-W-y^4k$%29Trw<Dg3qJzpq=@mUyqAttLpMeQJBkSb!U@Z
z>=1qkEcMvn>ashvyv&1eGOw#FO*ID-Tr%(mD7!LVMpOCudS27|lKsn__=eW?EP95E
zSj4-cf9{`)=gPgc55vB>;#7e{^<s=T)SyHd(1oUV(++q;m0sri6qG-(u_K3B5C739
znmP}HV@SNr!Mtv71PMovPHv&de3i;uz2$AkSLEic%lYea3sz)TwsgNS-mc^EX8a*H
zZ*5EWo-y8ue@KUCrnmfU_pY)2xoa5>dehhV&G#j;f0+NlW!Nv8zFCNbV_q;`X<5|V
za$YT#EHNTKt**u0A0|mFw9K~z-*@>OVh{@(oC@9?jOPBU<d-{i&(w?VTe>f20R6^(
z(IWbki#+_vRNy+V7FU@7hR@(S<8t?$1(M7KFgk)9Ue9ir!ipB%xZw02*;v8Do)Xah
zT_?zNh@|p5CL=fmOgw+kFaZnT7i!ulHgttM%#<gu%Wng`gX`yx>(ThLz!w`Ed>peY
zq;%tgu`IkBx+&*2atN_CB9D%3XM&UZZ|(|WHLCm#7}jw-qotGg<St-KwAke>)H2oF
zg)4X%bMZuD)R>EpG(pIpEnF7oE?DcI`>K00e{Al8f8&WYEZ+P_)fXgm8cu(re@hjM
zi&@lCiHjd+Z8Z}!GshpdUaNF_Wcv*wbUUcnzIgX#6(99_<dF=H<{wuiPk_UXYrv73
zh8J20VjwEr%Uf64F3~doM8>mVCt+;KWI5rGNY}tiGkIuINoN?7b8(bL<lIVi#n#!B
z7st3N?iPdM=c2nkS-WabAr(nkJ_Aj<sgTazVp19Y3J=5vYGVZKNu--ni}|qd#r351
z=aaw0QU>%^l7%A6qHGoED-~H+R^*YgB15Gj+slfKloc`1JOfY-DO6;>9NDU<R+;>T
zmzqWNdNsc4$X#j3BeV3m=KF_dZ&eG~EN*_imodLMmvI-WLNT?(Y>Q8(5Yht{^pD~D
zu$J<9j+E6jQyq&^v2d(X^wDo@;rEJr#0xf}mm7kT{n?g0#05S23#g<fN$P7VlK)_%
z0niP913*JFc}AfX`O}dy?$0XV2zMBn2&3LYVQW+J7@;n5zquXxDZnuQ43n5Yl?RJ4
z2vRLnRO3ZRl8d9HpPR?dh621n0~vmWW<tUOiBxSZ*ZUZ$yq-UzBt{@YsZW%nR_iWS
z(Yu(fwGQ74pdvSTeGQ*3XSpz_zYtdL^Kw2f)!d!Xjdkr-D-)h4aP18C+@f9ZNtg1;
zVZ!2umz%wbm<{+(7-q@37J>QFJ}+zRWu{Id?z6gCa!fhVX0}>ZtAS{fjr|#mE2p06
zK4muOq02&wZe;6+W6FWg_ImC_^ED#G(w|*7TldK2s<fuoc+@p~lphGf=uF*^)yn3T
zC$XG<x}q{X5{J_Q)f+?4g!_{9THES_n}99QXmxgY8x;yjgH{sOiZ%;680O6F;3%D#
z&Y+tOegwSFubZQ<<_TqA69*q@t841OZZK8&M+NC!OpNHLwJBG1A6+_}-9YqQpd0+=
zj=Fkp;dRJ~&$xbx+MqSz{C4J2jFda-{Fy<rp47wxbSvYxr(4l0t!ac~jsPAFx>U5R
zI-*jSd;0mu`P}4^oet<igTa<87GNjG%nUj{&G@={W-#&7e(uV;Zay*1W<=3NZH{(+
z?iw?3eo$3|81LWOU1`?N&$_TgxXi3x>Oyr%FN7b?OD0o)=P;?~4nAjIgvk=>G)zA1
zFq!aS8wi1cFT9QglUVro<^*})?J93~`j{gsozHe}DEMCHP>}&f8nc=Z()>SR=i@6F
zdF;vmRwiG*0u@%|zl`+E45rmLt_^SbLM1ebh}pB=A6zMN`d&LyUv)(OXVMWiz0c`n
z-2kkgE9sbL)#x~r*`4^X@00joI9@Qd4`*(s)}X4+^vU}*=Tfy(gCZc>gfvQsP#%>r
z3tAJ-MEz8j)u&b5ptF(j3xt%t2=_ckVT?sL55?{WF@_P!(%)P1B;$IZW6U8i_+C#B
zeuW$1$z09nsmNv#t{?>kp3_}PnwtI^-rvOtP!5Qe&zcef1RZbjv#SYHg~yu>N?pL<
zmg`$PvU|e7bTIYBecQ>qzowmSW*`=@bm9CuWGp=lL%8}ok=|CFzlK=3@sBo2F22PO
zPCTdux9~^Lns`EX8v)$lq;*{h!GCZL@N&&3MFz!B*H;d+eTVU!RQ@f-YyEz90^>FF
zDNEzEK%3*r##_3t_$53KbJcAq-{4{>rOm?Xq|IZu9@<y5B|L4L(Yg0VUg70&^)dtI
z?33X!fL9N2PxA2L^KE=g3|_V`{1;Or9C>CEVlsw*xq_FiH(jtoGZNO$0-Q%3ocG$u
zeq;DMD|ZRD^_~V6wyKY|aXF7*QOJqkWyAbO7Zb-~+QG}HSMYkRZ(z?9@h~<@B`@qC
zTB^wOB^?ULFjrA=QqXbl2-8)yB6NRP>yKZjN%rk}A~SkQ(1WBN2*xrnKiJP6ZgV@)
zcy01JRq3^_BO;SMe86{GFI~u1?IIlJ2NleD`Pp%bKd&ENzDy=#V3{x;h@Z{~OQEW}
zqq(mp8*b_5ypD6BD{Qlo9b+f%OMA34`*<jW%%E*m>M~=#tRNSJB4Cs1-ohcBZw8Yu
zPI{ZnIm6t5)Tz=i#z-UMFaA&>IK3j>_bER&lbC&HMK9aT?rAE9Vamp@Du#%a7dxvk
zd8zeL1m`U>G|HNhydk@4__oq`Gk%8XQJ9o%Fk-AnK3Qw!YY#a6+RpG7&tL-6uaEYw
z`e#XQx^J{UwVgTV+f*>!jJTd%SG^Z4C}t8~tAv;Nk`;VCmR!&wX~iVU!`S|mlkHWh
z$@FP42A(HTPQxgsWN}G%grCJ+OZr!NnOy>ORE2W2hro$v6qO<nSnwY~Gv@VZPa@Ja
zD&Iw;P2LkhoX7*+$}fS#ZPDC$eVp~>%-_2>=&swFcs2YUH$Lm^S)ckKLcBX!o6f_M
zEtTn=Bgwx74B}PQz_cps`1;z3NO88vNL2^E3!9X@&U0BJ*IjXJdj(&y#K4l#*PXe~
z6K01}?Y*OHl~rf1iwr)D_f|x!3VxzE9CK#WxQF4Wf{I2l6AU7A+|-R=^T}#jVZy?M
z7adam8F^>9R&Lh*s63PEe2$C)OY%4I5I2d>52zqt#P60Tlh?q~zdtPQGbxRqe$V)c
zJsAgyT({T&LMGjO4xAI_0g^a)_(WiX`61k?xd^&1^N^t=$y(UJ|7`@K?F^QtGnCg6
ze#!Ooy%WbOe8eCEwY|yw#s)95M*}Q6SwaJaI-mb5fXhCPis0V{sK&nAyQvfR<z@e7
zUV_^a@G^Wz-$Yt}szE-!{z&%mQz)`VdHku!I+v^nuR?(R<9~v8?Jc~MOt)Ecc`Zr#
zCN#{Hph*cgSxNWHHkP@t{rNEdq!VspG*7A|Egj;w18Vo_8G_cHl&iX!!S$-*enGl8
zP1g{6t_g2_0_kXedH%4UyR0Vs7d_#h{g7V`A!@_LO4-QC%iK@}L^hSc&b>!oQJmC2
z{srpv7Fj=^9y!@tWO3*8NR5BQV}APSUCeFDGSze*@oFOd9CsdTuggfy5$n^N-e9k?
z(*6;B8dmt}A-20<BWOTVzREO^)?LP(^UsGJ;N%8wU)yhkX^*#PtR(Y8{Bz#oJ8MBJ
zzC6aiA}PFdBvr!1I>P@>m547_Xk6uJtt+QQz8fLu%G8e*X)8Ldd>ox{gR~(EMdLF@
zL6=amk3iPLYP~6lKuB7D5`pb5SwT-TvImLo<=M-eDkAeGt|69Y_Gq5c3u3(JR1y<W
z;|HVURxc5lU^+_VgpV{j<b+RTvG<VAm%mnTUi_Z0(L5Uw((C;b0G&${en$=n-cQ3F
z$RRVe3>RFK5EIw-Nlue^F+EhxA_k`O*7%dr*B41KP<{9>WN?GLrU3_C5oR;)P2@Ub
zJgsAjqehJFVquU}zsUx8xB#bg;B`L&2CN&!z&{m^dfLe$Y=0vh<A@EB<7YA4J4{xG
zcACEcIrS?tlhm)0qH=X1&7eh26JSLpCH1w+;jC5fq49;<WmsD*Ou)#zI=pNXO#WQ_
z^HPH*E;v<KRUC>jdchRWZG2Tr?vR+-REf$l33@(*zn}%y*kr8w;~c}MbRP_&*@;{`
ziPJ>mHin7}0eTp57<20_)*n{lpLm&Ht0IB8T~WR}E!3xaB?a}sS1+Q)IbsJJlQ&iR
zY&Xul7f?4<rVbziM^x`to)}29X!DiD1KKA4$=|TaAAcG{WY#J)c|G5htkMt$v$xfC
zQxkneTlTIxsj)^i(8V17v%wWgbt+`~6syA`R%z1@2+fiFXezv}COiq7*4eyUM7!|!
zA{F@>Me}t>aGMEw8(Wzzew2L*(ldm1(EMCgOF8-5R>7rtB3~?gg)aMx@!7Tvs+{6^
zckO)(CGV<R0@C4QkD&Xf+DK0xT7HHGSOnp-f6Cv9)UfJdQ6xMnZU9XbQI_zkM++9U
z=Qcjmv@io-DMbHs<HGM1Opn*2k)+y2kYE!d832T>(Tvuh*R#OhN?XOrOF+X$?LHeW
zv!i@D5?NGNo<MebEU#;`Oa7EPct<Qp9HVT3LJ@V0;G*@$jY#KN@pG&d9U^o7-*>Av
zy4G;L2=RWaTs<w#s128sXV%l}*<hnRx(M`S2udI;PT=z20DaeQoW06*J8XIsUR|)G
zGQ9U;!BA~o%yILXhEN(wiXiaV<R8`WbH0gvXAdizu;fni5l21IFSjG_P>@8e5&-)#
zC}@;6M@ocPfVRNRR(PepGrMv4!1I_tUtQVRyd%l{0|J$Os<Uz%GQ_HOCqqRF`65D>
z6G^R;@8}u++!vDl(O3KZ1VN>4_el?*%>MlF_k_e8jqD8*+VnqVb0pcKNY_4?i>=jG
zdHOC>7VhD$xA7^&B|@T(0(+iCcCeo-!^bgD`Ee8|^ur*GRBjA6JR~+@UEXk<X)=z<
z&#ZUrYoL81#}YzlKbwRzPZ|`p!8;@F#`vj4?6OZ4No(3ZSB~dANkvmQTYdt}Ux0?X
zbwJV#1O%cXtEpQOxf59&grkW)^U`-oR$xEFBXQd|?ia)WRAeBrjl;8KTBwIG+(TiN
zH79jW#6WUoI?VVKaRh}H@o;Xq`f;jABXl@QOiGjZ+!sLLqIwsO&0R<z6v38A?|4A8
zN?s*y`}t!~A(uK7OwIc*>8H&HGpxb2y-6CwtX&J{zt+@;L_L}2IW#CCSEBI7FTClB
z-pnbynOk@>Pl@n|2MwD~2zD)$m=KNwKdUL+y}_mCgfEk#VcO{{L<%R3sn{G1{5M#e
zQg=A}rCGW2=u*VQE|y8IXI<C!#=hZ0jbFCbZ=}V`d{VuRcVquWp^WxiO|>F7ZFTb+
z_cX3e1jmi=Ni_aXYd4HeY0-Dj(G<R0&3DcBYQDrf@liuqm|XHFCyB?XuPLDScTwiy
zWI`pQMS)s2o^tbgu2XWLcpVdgFj(FEIO;jq$<p-fi^&fYFkk-DWkSlVw^~2ME7$t9
zESw4^ve0XIqUM*?4i4b3cKnJ$v|}ah5Mv{I>GfP-N_43x0w@gu9aT!8O6yHa@RHv!
zSX-^p;e}><y`B#U7NgiXu8JQ$CTtgcMOiHxyTZL4;Ri4Q(%uo7bD?4;KKz)2k$Dmr
z`Nw$&{_vprk6zDY2ubJG#*dr#QvOb_=WLh1ppfrsmYYpA%h6m_^S!8=Ij)*PGx1(V
zGXnV(?@ID-lX%S=y&e{H?`eE2FHg+X2MwFw@Oo}k{`&k~1&ES>Gb3B{Vart0@t==f
z5AYgt7?qdcyZP$-q-L+cmvKZ?3X5X3%(e4=A)Gvf;X4aHwCl4tU#~ISAAm`0nKe8Y
zu{_`&jN2BL01=2Cva)-IY&~7sni=Ww0?7%3CXFin+--GT`lZXk3_UC_Qu+ELsaJYZ
zwkDx0oxR1xH@x48^mm_<62Y?u;yjpY#8#h~QE*<O<edyzhk1oJ3zQ+S-AeFBQqt_+
zyIx1xDzZcg{z%@+Poc;%%XCHhqBK<)`f^d5lvfOT^YJ>K3m-oceIWQlQJUoTvLYj8
zMeIACDG~!j0g44A$rhAaW%5T-C=`k`McFFS5~ag`#n4I)pQk*d4uzg0J{TQA-k|YG
zR~e`h2QrQWCr9eB*}&Z3<`;7vbzPcYp4S0PHF+5kW}IFYDCTZ38e90OBX^fkQ^RL9
ziO>YLHx>qe(6D%OnC4g3q&mFBa`uE5C`b5(U$LAW;TNsUw7T#N%XlIDtTK@G6ZyrA
z#xT|kfL%6msgU5_==r&84DmN3G!cxii7+OFlmDFBVc#o4_oy|}A}VafyUpU(elVdf
z^{>9dWt$a!4(|pL)_s!A64$7r0vQVQ*>A;k^wqZDEb=pK-aRjq9<6hTh>N<bB8Ayb
zDc0rnXfQ74N%CYxwCGbFOjTVtIVwjMb0<*?-;9J>{1vQ?z$^w#<hnCa68Z1d;U9~T
zYP_D0P__U?F;@x}c&mAa8_Uajly#HFSC(hX`bO2f5MEgR=1EyHCa$_c<kboWhW|+-
zzg=<@OsjKN^a?XZa{a;Pm(d53V?Ib7q^~9aJS3;$rPu=27YxmCoLQ3S%Zv17mR^<h
zJ1>Oim%o}_zz-YezC5VB&gQ~vK6J02H}e?*J~Be7LRgDDYDi|9I29ZR2RDa%%!hEr
zdmpyOP2>fk)y?74rfU(XKfbPy6r0L2E$~LTy8Pw;(aY?XXnyDB@>kdCRk^;KoQkDV
zc}Obj@fTJ8>@pO4{=vkf%zPB+^0vVpR0b~l3+gu;PH-|J;8(3@v{omt%|F6O$#`8r
zJIt+f`ei)7-Nu2=UYn4-B!KX}k6+7p$}*r^NtnZ#<sdFD)c_5F8h)hgb><RSXoFpJ
zs)%C(&rmup9D4gzgZiOT8zz^vVK6_@kemiv8Oe(Buy0(c1Sja&&<^c$Fv2a?nMaI&
zh?i^yj)e1%Wv?=IFeAUzJ~qK%&OHKOUskN=8kNu@Oq>17mA%Sr5`<&~ftb+q;Tvlu
zXMo9{L$>@5n<)!c^qFv`*XgHuB-v1$-ynMMh#xFq>~XbThR5J6`@x-il^;y~DV(VM
zLDqReFOh7}U`0ul*56qJny>OQpW<18ZvR}imTUis_F6M0Ab{c4M>5>L?hy)g1i!VK
z`iI8&!LJQFjv8uy9+@Atgsmkw*9#hm=Cp`5HWZ7c4$I5B73L!t@7D7{^72IR8M#ug
zvy}%AC&b&KdzuuUjgV@9!<My+S%CQ28kR2C#+k|+1CWGz{Te0{5|jledY}X&E|6pq
z0b4ByM^U1Bc~qjI6R)S1QmmJ`r@pL{!b3|m-@^S)%+9xI=$63OcCF!apCzqr*{>oW
zm*FxI-cvm!Y6WGPNLL2Ro(B?Gc|l94*RbEaxBv|HJVA5h-z9=u?8Wf+qW(rr5-8X1
z>hSOWmDrXl-y731|BlTP@*%I-D%U0$n;sd<Ig|ugy@j_D{7jFG^D>tMk;yWz=aUwA
z{Q?^*A4?wCJ@x2RUH3ODD^kp9ZVY$*oU;lKnbKYn#;DVFO$>OM-$UOO-9Qe%!+XnJ
z>1BRJE^`GF4AIS+D+t=zU2s>Ogn<@NF)g4gjb=Sg!_$E^h(J3c0JBK=O0<yZQo<)O
zTM1$r?Q@iv?dQI&ij}Sj+9&Y?YiGp#sWVtiyM(y{Kfp@o<`PEvdaUCkA2;I^^8-}a
zt>j?BCDFfoj22TU7nSdVX@*NztrGR*0P{4tuw5W$VcIT`vtdIQ$epHPdl$$dLnJ_s
zm?DYU{<6Z!t$uKNb%*!skejx+HXt0p)XT;D1Egl$@D*_a{q=+WQ$6!D==&Oi8UBz|
zf$C@Q)ruAxA5JXfLiHwc{}R>l$D!7Lo9fezMQ<kgIGFzbB+0ul?T|d9sXRZ&q7{>b
z=fgFhkdk?s6#1R!ZaX=b{Axv_|G6=pxvwo5u5<nz6T*c4=``>g{o1zdr^D|@U!A~L
zM8oGGY@dVhu26K|8lgaf&=g3}%b5Yp=KaytesD^yKlKy@Z4KUNjzsPPT>ML7;kFwc
zD(3@fpKqAa=d=7p_#@b#^vD>m$M(krKar)tvdVCD1YcvH^2@1H3igs-u<^0*#D5V>
zI+57Z5!QCU+#pu}(aasIxMTq_W$0gCxVm)>>4ACxCV%S(cxBIrSN?~yx4;dz{}e-V
zR(1YnE1W^9Dk^U8!ZO_PAgSdaBDLa!|Ik(u{^Hi%;M}eEZzbP91J;UXCEs_DD#-WM
zK(-h_QJf#%*N8;163O#iO=hUGpoz$46q+;(QkWu=5h+X&$&N%*L}p4dwgiuF;R_>C
z617S!2-+Jc*KKeMW@Wb!L&xV3x18f==g0hyu;T&QFbe`AS|LV2(C>evXjc}Hi(R?K
zf#Qk_rF#X|tV>}eBLj1do5{(_#<*2rlxa~~u`SYAnrm!$MjB&tjYIuS_J$dz?b(;Z
zGe;!&%lNdyYkP!2m%4!LBW2xC(LX5bSCE^7m#CSSvEH1-@anx^zQ`gEdl|X}@plp&
zX;P+IUp>~z^O2}txoWW=V9xLdkYk$+iuCFf^op%93#!6TMxQ;6S0mlx$lv2caVr=q
z{u`}gSZUsp)G{0uee>&5)*frODd7*uEh*HCri5{nFwR(HfepsWwD2pmRtDj@igGP1
ze3bXCJo_$l^JC%EsO*qwx$D`~{p9Uxfm~GTZ=zEFyl*L+b|{p30s5(4#hD7dq`~?$
zEiPbR<a|&uGkaP?Sm3@Mw(Fq}to1OGKXfn4vqM3ITX}gqePV?_n)Q%_{>wkNHRJ`(
z(h~{qQv3<0;fk%H$}7@$C|!pR(8<2c8O%y&cl)_-RWs>EpnOnZ@f1&-W4~-$_9yR5
z_s``TPn32=1+T-evf#y(n?s=Ea5T79Q4|jCkNIO%fK;_S%5CHZJ+JdG-p{*`SfOCP
zQgouMokRaZcu<3*m`-a*Ppcc1d|*X4c!gsM_4LR%vUh~{ezwPav@t3{VJ6gj<aGJj
ze>QX1bDkc|i6SUC&jyLDD6DyJt+h&E8CvW4t<AQgrSea*t*EH{lWc2?61V}aet7Z6
zg;wexHA4M|Kg*%t7=C*N&<A@|mHwhOX-~7;r$xx(h46U$FgXZ%j6HY3zuOnfpmy<v
zGpH@Hk!RezJBl+5wpR$?@U@DU3g_^ESEU`vOfe(>F-N1XBep2hyehBfS|Jb^E?6lH
z(+k<I;|j7<Fez(PNG1iDTIbSp!W&+uHKkVM|F($Y42n1uo8%n+Co^vjcfa`J1ikp7
zUd&UY{;l|8t{Qbk@rBlYI8fK?#avz#`ZGURbd%V`u8Q1*i#r0EvFLhb<WB4Tb1;hN
zHG5gIqmoB)CVq0%z~W%h65f)XwM2G$71VB{eE(BpShm)g`@8BT8Z&8esXjR&Ju*5q
zCBZaXEHU-`y4s6A<obVY@znz9Rm8iXV~}FE*2eH_BooaPo4--Ul>NzNUv85>SNyIj
zj28=U8NR>J9yeZ+Z_X4Gqa<sKG++ZX@Pn(Yu}qXsjmIuJr}44jW21hQ!_1Sd>D{A~
zpGm+TE0rFY;0G*KX6yXa>9LDGp%(%doOWb&z|_;+7;CTw8T?g;pZp;-*<G2seX;uS
zdY*=t5jDadhwtV=rbZxTgAAd;mTJ&Jd|P7fSN~RoFZ_TqL?l#3e{s?xxBiqb82VG_
z*>yGpey~EhVe+oMiwr*&`B~?_s!dw7;$p2TWQ7)+ICIDJphRfVN~koiK$ZSYV>+^-
zKics>7~dAmt0Lxi$ddM+S5qgq1#_$0d$xH!SAYQc3zdk;Zhi(vdl}3Gt`w?v8t-o(
zl2jf|YWYp1obNLH3khGv3N<|Z)%7%nSb`SNU1;`?i`iak>|6d*Np|<YY2P&%rA3ee
z0-4J}9sh-uLWqzJf@}d{G$z$ntm^RR-I_OE1)=5@_lB|xPx8bt#fDqA9|nMgK7Hur
ze=R_Zd)M`Gh}7!FK1?h})iiAf?05=#*MKFEZD55L!|G{`i>ziICxug}5i^l<0xKE5
z_&D0><TaElte)r}!97Uf`ECrq6lKj8C(r{^j|=~3m^Ahg-~<CI*YVu>2HNlVsdFr<
z&9O85xxM9O;;)+{{Gao#S!t*nu6(U7goA{%_$@}IZXKJ@SE@$-DgPZKx2#qT(sW=$
zIQMcBv3U@%d@pmfPEqvJ!0GMNZ`|9V-^<@}Ry6@x%4mpB17T4*vlrn<=}bk(_fra@
zRXL(<+Lvh3F1P1GyM?be&~fitlZWyqowu0x`G){nuphD;^K|Y}d$4FRR7YLtcuv{B
zyz#yw{Io$&dV^_|SJpE9Bhfo+;P#f|P=QvSoeJD8xekAZ#kLn1&gezIUi^_4`^*Oy
z@tGf7RlsL$@|57ZYpBF3VxvCmaa5V?<NgsvwJO5zU1k!xVKA+43pg4K5UmxWXBY8V
zDSS>4qW0pf;tOlR2YKP-QTEo1?E-UXq^Jdl<|5Jsq<8z--^fns+6;A5zK$vSR?Kf^
zJlCvmCJ*}kd&Y1$)~N6YtlcrA&?9KcFKMHn|B-ho#?I{*+x-4rl-o2a>}M(v^H5M-
z)P+s^cogdR5q%d6Q3!`?wIty&5@;-PAG9_|;={`?6-82Kshc0bCB*4U-?JdHtge0G
zut{9<aX%QX(~yY%d6`ADAh=fSpl9i6L4j|t5cxD@b9^@PRe)eIyni*mbMfIkyl0HX
zqP@`%T8}GYUj-;|tPUUhrf_7np3DSzz8gG^XSQ~Dv9cbCl;RT<8Gg*6a&ZwAa}rYj
z0w)c}RPlvz@@!s|yi?|@d-iZjLbYtM4u4?1xmdQ5rUo+>2oD`6z#%CNnC3Teq?4aL
zvy1VX?`3|(3p4$?jD@bBLi5nMK5jDUXQlC4{_7iVw7Kx?MJ#IKeBSJf(|acz0DtFA
z@2%p4)_DwHSb#W-KItOgpL$VO@>AZ@v6;S0)@1wBPYreN>`Q)DsqNi6huAhI8u2vJ
zy>q*}X}||EyHM8-{{jFwTHmbkC%?33Rt&^@dMG_OS_aV{Y^^>Qe&H)}?(t_U(?dta
zZE+$e_;83+<r?gEN99Au@7Y6HAbJZw3uQkloyqq1=MPQi>kD}6`2Ze9(Uk@#&FkM%
zo!(M6z4x^7v_`FJ8&zl)Hh<Q<e4V%$;NxanAzLd{Y@N;TJpP*-X(Fq%-Ayrew4}Fm
z+QFcuY54T!6DmhKn(x1GIR6E}q=&}E?~s@bbLu3EP%f|8bH5l=vriQf*y!i>c@oqQ
z^4aoJNv+t(LizB_C2}G4;seDOeR}bk;)}ZC3lp0U@WL#W!qkcEL(c88Ev-ze%k%n)
z)V(A4h3eG-5a)4C@bCewCm4w7@k~FMBH6tXK#DiB^3pI&v5g-0KaL-+wj~DJt9wC=
z6H04sI6$Iai7pZirmvAFWQTkrzrb9xSk|9qJp<w0Bni6WU?itvQ<9%d1U-h))Sg>G
zjN|xN{g=pIt2~_=nw_hNZ?&OPHk_yH6h;)P2xkf;wM^G9WlIOk#lJ}4`C7qE<bGqd
z<nA`->?_}s4kvGqDj)t%N#jcE+3{Ids0PM|z0~7&Z__*Da%f(IKzi5MPqrhxglG$i
zIb))nxz$l(9-ms71%*UIA<<Mwv?viCOSH?(EM2~r$(Z-0f!7#A0^8FR$8Bu@BT3aX
zeme=8*XS2FFf&!C<|xJb)VoO=am<lWZi`a&`CG^@_$`-Jck28Cgd@Hu)xdvjhvVN`
zVhuJq^HNAui%$KXTGjUqUz#NNQ>nwtylmAGP=+Ec9a*+Kvc3)cgij)!VGkA<G_IG&
zER^*J;B?a{JR;WMbj7pR)M@yunFW0lUOj9)xxB1V$qRLkLau8!JA}MNvM%yzdo<3l
zg|yeIuI8_@@8K>|E97K^TXPW=iP^W13xw+IX#Sm$ZLP|Go=;u-6;Y|RD&1!J#)5y2
zCpaP)%x>BcxJC0zpX8$q;FUjngdxUu<aE2WJ-k<?`D*1pUk#=<gufyWrMTiANl=;m
zmgG$fjk{pn`E^~XFJR~N9IHs8u;wAw=(*Zq!x>;S$T30vv_%$}977<RZIaB-R!Yh%
zhQC`5e-%8&(@6f@9piL53RPmc*|do3VV|Z3jo+y?`IqtNz^5#5@|1i$-1S<mxvO_8
zA>PAD0um3!Ck(UvW`rgYbk?#TiPd-Q4FcdS2fgP_W;*r`#eN5{Z~4KR{e18_!vnX$
zAEZ`SZ*`Oor?HaRh>%}Mu>$saEy4<Gi|;gX?Bt-N?{=n+ZY*pHu9C<~v1<%IiP}P<
zUI}%<t=1*qEZOBC6EAZD35{!a@ZO~Mjr6Y3-a_eV<64ft!&}-I{y2)zAF8i{bhmz{
zrWf$zWd?AN5-cxaUhOHQi`^0gn6g)^%%Is`qD_r`gXvx}#!v~7Cr-|)6FvzroTG#b
zMXA;1Z4u#BxVwo^uf@GvNHi#ie$Kt>D!ig|<`r<HMFucdNEi{~A_6s|u+-(mj37L%
zD3Bo8LbI85OLh2Z_D4$n`w+ZQgXw|+fC3t}rB`)j)6#uEYu|>~Z<Y|HZnN&AsZ33P
zZ&&|`rm|wSTK$6Lu>crY9RbEF_$n^s%8uZ&hA{4&xZ4A(P*SP+zA^+GKxd4Xxx#Wg
zYnd#d>uPTp94+~j6S5s?^Rp+_;u-)|Auuh^&1VILnNkUOz05&#nSNml!a*ycm%)OO
z@b=P^KH^#z+-kGGsr$nlc$t3}W+)m*VLm5>*F7f!pjs2Wo}190{7XgoEJ#Fw^M{KC
z5!)ppMb?+cA|(JCVidT%e*xg!I5*AMqJ#v1IbxWLV474HxVXN=!IJ&v-c=RKUTus_
z-_vxK$%HMtD?i^`Qorn3HP5Z8%xi0z$<5x<|0A`lT>66)ljTf~{sk?NjHmnOYSO1b
zlD!q6lgaO<PQnB&n(0R9(P&MG<E$`!*{Q~wTm#4Cx>_YnWn#u_k)tNR6^#Ad)e9sx
zx&Jhs&D}YVr|>A4DJLdUWxMri|0Q3c1E3`5ty;75?_ze;?ZnPs2g9S}ZgTe-Zx-y6
zo7~3zPj8(Y{8k!86OO?Xspl-2%s=tm5!@+`xC41e#C7%8p<d?SF&3QShe1A>?V9gW
zr$tYFCIW8DGngFaJQ$=UJu=bDJPS=-UxGC1Xs^O9;o^##cyZ}Uiwe^D6gKtnRL|bs
z@pjKxNUiCSzwt5$f(jRod6}`}l$gN4gapu!VW8Y-)AEnm8|D|ckx++MTfx0+vaf`R
zNh+Sb>=QUt!|%agwJe=D<Vr4kH!oQBN=71>uU2xlGz)$&Z$N`N6q>8pF={0pula;@
z{33MxBuMa0m7*bZwjJ4H>WZx-*NF=WY$Pa!n|jQJ2_NNGi@w79En`QxmR~bnbN4b`
z&R+=c+~kD+9HeOYk;U=!<ux2|dNQj7=C{BG25JwCDYP^*z;H;gmmQ5ndP}{@Yf@vq
zr86pbJi;azri8eJQpa3JJxA^``f@snod0^zLcBIG*<=QG^3JSv6BuCBW3XNF9rX=7
zXvo!(?d<ZiDaJad&oKhAegi9EK1aLJ0}G4xNgqg{7*%!rvf^Y09B(IFHG@+y&S5s|
zbfQ)51gmD$FaUT*rep4#O-Bp7<ecB!43OL?(+OW^G%3+QqD2V^I0Nh8dYY1j8nm88
z?d@<DN@ZKZPdsH@$b1y}E?1QI@N9~L?EfF}Au_E<z7zEP2T@P#)e6M8BK&TeB0Bl{
z9xu~Rud!O}a)wOIfb_<XF5^dGawzJ=3oI${L*c{%Gro*3(_SmA+p?*8W5{6pF?t?s
zx84&PzXf{`;C3Wby?mA#UlNd~-I%%;=gd6k&#>0CNmpjXIyv;aNaL!y|0apoZ*(Mn
z0!o#W_&%QF=@Z_?u2m=|1WT*^#2mvprj#`UD&n7T<|9+0FeKhBea~EmdUpgjYxLF;
z{HNN|+5AfC@ccpKyEtfiRg5ez^BV6G!DX=jxo`#R+;J?P=D9ljm&H0Pds<y|T54DL
zJu)mPDI6+SGttL>EjEONH(e2Nd9{~0#_UR}S{suP#z7W5hRXoUyh2BS!N8Es?x^Hc
zo9DxylC9?Xj4k4;tHxG@zXp&dAbw%L$5Fbf4&&6_B$-2*S1a1N3b&=)pLmDjgaFNv
zz&Npja$>P0K#GE;Yj5FK!s0tVw|DU?QJKxJ&+i<5A%1&x{*%@XWdzNRhAryEGx--m
zR;R@lT;lu?8JIFEIkTk`K+Zo^kerRDfXibU5p(^SZWNTlp^3dWiJ)K#>YhHkL!$eZ
zvR)Kuw4`RReG;s$pmfa1_BTLfu^13pd&9G}sf+$W&fS;wTQK(f*mrrvSvLg=8bl?5
zf^BSV$X5VVaa@fThb#_n{f`cBgoh<Fp{aP4i+b|4L<OU+>KG&0`nUph6?wZOzCf7*
z;Y67d@eWq2ChsheEnS#lhK&DBdLheY^qL8d9l>#R4rO(J`9p>FU&iiTZ;jn}HSipK
zTX#4CT~_`S02W$VYN5s$ww>j_sO!N0qAr~Xiq!7MkRd7Xly~)JSV$oH@RY=VryF_x
zQFG&BW%jM-6vlLjTK=IOhD^z#{`Y&W%UyLpEmfDi))`Q>MX8uI&xGDuoF72iWSC@N
zoTnCPZ~h$S&E5I)T%lOzPO=^$bxE*D-HgUep=cglEmzXkzUrBI=aB;$p_11w!@QY1
zZbtGl-$J4a9bjP``)Rq58oz1*`$p}Xj>fQ_Ag2p6rR*81<=B(pI;)t0^Gm$O#9PHd
zdWq_vY7>oK<`=3a$Ks;w)ygNd0DtjC7{9R)iC>tjwT(6;(UIT#dIhC%OEh39_y!xp
zcmK)S-BXR+nip4?$#wC8^oW<d2*`#{aA7UZR@f2fzn1M9?XeS|$^-X$W_{7mZ0g3`
zbYxFz>5wOx{brX;P|IGvXKTaocNd30dc@UVN&V^$Dr{^Bp<Ej{bGU1N-VLNMN-@0p
zoP&`03}2RW?qfWQbMWaQW7vUS&&e9glzA*=?qm99H3Ay{mu}?VU5%6(D!>uBDAQqy
z97s_`{^NAiP5#OB7Jd=g=@3KS$vYTgR+ssS#q(Q=7Q}Tt3R)Blr}Z~cuUI}h#*WHT
zfy>*+d9Yp06le>J47Q8-IA@b0lR77_{dgMJ=B~b8qMQ3q6N%iNi+KuP{f60%LnA@T
ze;mW*<jWafj>7!5d1m^4f&0GOe%wHFsr$a*`R8w-hj!mfk$0POTDXm2%L1yGCKKca
z+&8N^fn9!TmYHaO5alE-wwL$B#c3FOJJ@QCBnna^%hI5DU#$jv^$2mTiVU_Yz{8LE
zsMeWgTU}I$u@x*o33gx9#qaFFR_DN);two_`1-OCs2^aqGLii=jnK%pR?~Ms<aNm$
zjTaS)<|ui-1e$BCKR~uta%Uc}_kX>5&P5gXRnNuysHd5OS`F$-=lhrJ)pyj4{oAW?
zd)q4l6i6EO$=NG@{~Pw|A0Ke`Vl$dt7S9f6Mfrb^9AZZFBY(s+5F29Ss46_r>D$#&
zFrb@0Qm`?9(Z0~fggaQQBZ<;+v<21G^J6^gL=za&R$z$DLqry)&?V?NCv^$<<a>7s
zriW>6K8MD3O;UaW=hZp9%@4Makcn$F$lcpYDO9@GV7Dv|RE&(_YAPUBuu}@^n4wal
z1v(TWqSFfjvFU|?*mR$b)0CQ1X!Kv`SoR8tEu+B|`Q@ne{_VkYOa~JVnqII6e=OPq
z1?Qb96Kx=vjxNxD5KcegfvCQM^!YjZW^v?i&T>`l$8>ztRrN4c$)e<w@T}}Uop+*t
zbSOprdt9u22i@b3_tQPzWgdDVG}G#)6W@vc9sa+lf5YqcuYVh&{QnL8o9|%1h5j)U
zr3tcyr@#uciN52Bbsz;5{JQdrDrnO_MaS$QS+c#fa3SZ*x&9>*oBu&Qw6P(5@BckL
z)NM$``Mdr0&u3h;w?3}ek3Nb@`_ad5GVn8f>?+sC*0<Eh;R~&*qCRSiYq>tMe&-$e
z=LfxA|NQes|2*=`4|D9tPmsgzVwjq;%6I4Arhl#z&HlIi^Kahg^zDDzKYwUH258wn
z4uJgg*M9Hnf9L-B?GD0!?Vlg?zv7=4^bNoJZTaVnpWf`Dmt2I>P-?FpPY&IF{qwg!
zj``m2jM5o9>?;}|$jcZjFC&({KmFA1^v;8l7p8X|lKg69mx{BezmgE!s56r4zab<4
zfs!8YSMR^@byLQoU;e3L`J!L`9ceP1@}7AOd*;>enOEz2XMuML6JDYP@amDj_?All
z>esBEe=l^xm#P!ruc!ZeE9qq}#eXZ5)*_{X{VJOe(zP7gv~Us}wl#i4KR-yiBX?eP
zBFo~m7dvuan<uAV5r1qK2k~mcuzkB8%l-fM;J2E_)4JlL2pkYHWjXDlUh7W|PfkdW
z95(-;J$0*MpW+xu7gR{!!zoSM%jP@cCCB)7qEv}sQH^>WoSY5mrbE1*A7FJ7=|vhg
zaP|u8KL#!0AWTTAcKs!?_L=tUr`H<Et}TO<4Pxm{EC#{U%@nv`k-E6V)J1Z8yv&iJ
z10s;fUZ?!Qiitp!A%i)yZEMY*62kc#pHaA`wTZ*hx^&hsZXR<Bt>zsQ&1@YhV7q@z
zJF`Er2FiyFA70}m_s4s++}-FQ|M(DZVc=fvh48_+czYo%RgLC_8`nC2Sc@6`fPGTX
z%+S;(&A_caL7lt)3p68wx|J#o5t=)YhZ0%6jBd>fSZCwhh(0hiH{!SZLHT2N(R-mh
z!BB3gFpt8atnG*G!A~^oYuAz2I)t&jI(4o=O>PzoB&xhcnhQ?^#xeFFz8;+VdLnz3
z$P~|BCkc$`v6l)uW`-4<%q+!=XIJO{0if+p2HUj^;}zx_$}62I-3(^erklpvQ6Rx=
z0u|aK8q8)e#=)Up<}mQIm|9_q(<byaR)Wd3e!%F7M9pxWjZbp^_QF~q5MBnRVc*{a
zK=a-FQn&ID&YSp2t&{dyFdP*`qSP`v%~Gsl^3H-{7UR7HxvK}=vbzW)LqS&DkW!e%
zP1q4<(X2`|5yV*2O$5=x_Br`3Yz^9MVK%I(A^_!tY1C_nkn|;gHQX~k?pJH>dz{hb
z`r)VJj=y5>5&(7vrVSkZ#=%R(L*wbG>^WF%JUFQ~5zMMbqgV<wjvSUR%%~osr%hx}
z#tA%=l_@hC^8e0PZ(Z#}j0#olTbHQAV|9qFu$E#MlMuMPr8*hV^&_vPcM{Ir2@mK?
zyv%knY9C|bNf^qF$sr=nuhcd-{jO>EY5UahEWuY<yUavr5)t)KefJrpFYcBVY3<Mv
zd{<7gUn*$(W&yE)DH5PR%=McDgjcc{khZoUvYPGDqH4|duztm6d$ihGvptqi1l;oH
z<eRAUt?8L0HrwtnZWqdbghu5k?;@}dml^s07B~_0qAn(ykdE|Nv!auC#<M2#d(B7}
z8srvj&>9WV^B=_^yft1O=sd2ewkX2x$JrI&><p64W}UtGeI_UxH*^49#0{CN{H<_N
zhcWoUJXC0bU$FEXL2j!PSuTsU)%pk`Ssb6hh7CSfJ^I5gsk@3SYXn!)apoDP<i7-H
z^<Jx1T943kDU8qmfgyr2Z;dj~1o`~!QRa`L%-dA*XHn+DDDz=uUKM3t5M|y<bMoJa
zGS7}OC!@ysFGra(qRiJ+vMb6wHp-Me$WM(j-xFmXjn?Ns7-d#RnV;f0e+d6z=&S>h
zp{(J7PV#J7#Mv@s1-cZdNY*~xxk}gPw@6O@8V}%#e%GsBWfLm}e}YwAJj)Y!ExijZ
zzLw_ftGt_F)n3YLO86q*X`<!?e($K5KH5%x^U~+3fm#yjjG#1%K#O1aFMkzcv>)Y^
zG!!GvCFN{fkNtMqSQKj&MeU@9Z(BX%-1f{|Y-GO*bSoow$q(OKAoFvW=b=5dQF|ou
zZbK}~<`C-5?1;UKCf~jeZ|;s?@^<;l424!y@fbdN0SnLV#Vy4bw%c(PFA}-y<Y*;w
zzcnu=w_+Yo;k*CN{Im%X5AuViY<8h}{y~h${=a(mTzy5yo!n6P@aJOleydnkEc~y9
z!mDWH{tE|I*vl+1zrsAk{C3o6|E14~O3y4St?Nq&eq^8kEDo;g<40j<&J+13k{6%P
zqNU`A>>Lrc8d2gZ{3@*gntZ>1#m+yH_OALl|GN9z-~9Gl&!xXHw>mY%&dx3<$OgYA
z_cKR7$9D_BKXEL)E~v&68<ToBC9TNb?^KX#-G0x&c+=R&WZt6v10KCd{CX4oZ_H(F
z)&(?Q=(ZH@A7@g5^8&LQ!t=krn>)fL5W3x*xMSy0s<Mi;7r*y1zae?vViqaIvuon%
zp^fo$7>{?49C7inxl=ZD?>hG4x}L}GsBdnsST=`$bfXFu9+wgqsXbbxul;}Cjq5LZ
zD6=*$Z>eHILr3LcqIqZPCiX6?$sO6B%f8sl>_4}VlnY;WzjpTC__9%ancg(iy{j+T
zr{~f3yuEwZQ1VuGqi_!z8&X(q(U<5S8a4dSptT8MUsnB=XqCrfY(K@T#cfr1SuD}j
zS&FBAjpZI1pWa1vtO#;mS#W*GV@Gh)h<=)flb>*Lw2t7LEbQGAPU0(W4rK!bcPX=Q
zRkx1p3D5hg7OEtV)ou(vO5Jb3I<mLUHX1B3$w=Q*Q#Qgb?5_x>`W)R^ov3_1F`0XN
z@AUa1TnfC7?0@QOM(L6=qhLq&#v-KBN=>V4(6L4vVVmHV>T2vOl_}~2@nWtzJ#1F6
zsMdgU|HUhe7nxXK5lOCVjNg1_i?^^x@9gS<S^nyZ+H_h=HMleH+0^lQ=3C3ofAp5N
zS7iDY;K4FYs^g_|KC5s}^1Y><dwQ#*4-?H>z06Pf&Xww;me!W}5OHJp_`TY>m0ISo
z9ayZhu_X!IV@P>DNe;ZsZ9H+)`LyjR?MhQsRRsjSrKi8%%j^uf5z6H3epAjHZ_3%z
z8!JPw=Zh%OU|M9+-(cF#FCt~6H?g&KuU0vCfazj}S+w)?{Q}M_-c%|-x~%-$L@mF9
zK0Ul^t=pjaI1g%K{>voxk#7k%dyo&)ZJ*rYp_#ZE7IGf!cq|eBPgJZ^OqfgS5}Mb*
z%I`S<{NmoyV>nA}`yFa?uJdt@C{GVncJG|(%~+W`{U_bKj`03zWlQ(&Z?WsF`d+VR
zE5$Ob1%8I##=e%!Hm~<b08ixFswz8K{|iyLGBe<<(;FQ@%~T>%^a1Tbi|Fm=PBa<t
z7XFlvxo(h*%Ji-SG!uD5UwUX~t}XT{u8$AcuIXgY&rOfM_&i_mRGEI(1F!N=>Oa*x
zDk|PFby{6AMdLoM%N|8IZluN$d=Pwqb5V=8=u1!l31s=}gz$_tj>;MZtFV@G=e18|
zv58gMN$ka+r@afluB=4*9z@-V0JWS}SCXa9=4ZX0pTnj7$&x9i2~<fpZT*{cVcnp^
zVhUIoU#RYq?`2`g(6qi}N{Q{$(1j&XH~s7gt>2#dPJ~TS8w{I$^uhA>5j)G<M|3TZ
zmgF00dc;51*rL4u#m{seL}9$|zAMW8UyZ`AOyEmK>Ego+^e!2sd_9sJ{$RD45S=kw
zv)AS^k!E;pfqs7*(J%Q~C9ou3&neVly-j`^fQo$Z4Pf%u62Cl)0*hkuarfe%B*`Ws
z(|Kv#SN=8JSmSH{MN*~pfEMq|+I_t3?$|jjE?endiD!Q=uQmMLS9b4VvmUp;jHy6n
zua^B$0OUq~J6Iz*Ex*|*lk;b=Hx-%n3uX&9XK!bg?Ck+XbM`#93GkUouUYk3k-a^C
zl@V(h#M*nOU12}NI+Hd`2A^knFo}Ce61Qojd)M~V4F>an+WbE6_2}xJz>IEN_C`@*
z&{oh;v*xa^W%YxOOSrc0=yh2ur4|%TbNrlQfBH7<^Zh2PQIE8$D5r0~>&RaP1ZN*2
z3h!4$n<U35_sauLxzl=<U~VvZ)A|oH*b=A~pH-?2-qKOiYQ2T(|E6(TnkL_;ZQ?u!
zepRTcL>Iq#i<kL^^0}|b>8rOCi@46uow_IchxBuOTm;*l9PZvp$n{@<*S!;GQRD3H
zohz3=h@;@HVCvqvDfu;BH>+SPxXwVVMRPf^X0dbxOyp1BUQvfD00^Bs?xkf#y`|}H
zGKv7SNMLmv-DkS5p|`3o96=)h*Yg?54*%NW*}b5$J9VYEbit_HnX|ihRnG5@>`ils
zp6^MX8Ofuy=OMK(yCyx<H?2Fljn*WaXi0Jkttd2SlZk@Y(@7oO->U5PdRh&$Ge)IX
z3cj~!3eU{9yJcCRyL=Mu&+F<L`OV$msO<52Zh$!!zyKN7Uh;vJA>Ug%o#R_(PXm-r
zpRg~_TWnO!_mNR-7jSM>0U1$HvHh_X?yAq>ZZ0CDZoE1%y*ju~qztZ-tAWxdeyvB>
zb<5*wUghPqvBs&K>x8_8PmvR(ujJpfP6m0&5~G~L+o2)XE5{aSRSsJ3$upgG^Qy}~
zH2lSaeJ*)-ft5-3RW`56TJl?;-pg)qq3*`;xPI|4xxhqsWy!v!{;lL?oKAyXrw8tl
z1Eo}%rgFYY$xT~banRn62iQf-MLXQr=j6r%Zoyt5h~0p6Bq_Gxp!|f0kFvM>-#_jA
z`d`Se*M{lO?!ABd1mEqS?l^a!{nLkPqq2rQM7yfri^$ljqVi4B5xy^kOJ-@nWBa79
zCAsfDX{&i^k7jR*`=piUzrB6Z?-NKCqaUf?eXVyQcdg*EPugn9-L2M!C!8kRY5Sy=
z%|7YHT+;Ac4KXBuJ+CIQIM-=-5kAAYNfiB>AGlEm@6Ko4)*Rkx3FyY~YDU!sn{ZZX
zJ(ZtcF<U%Ne#X?_0)NXt1)0K8#9e?mDS{FKcEC<FV5viOVt~^dXUPXRKcrxVmVa7M
z6zV9emi<E(AI5O4q*_KZ%coI{;Y<sUF6^iiMwWesT;FTkZt%j34NB^OXp~`o`OO-b
zCbC;QM&H;(N`srG`~x(_`1$5>P0`;kxq5$LTvN5&TK`=K=aOar|G37+N^&kWt|{7A
z<9k^=0FH7MAyT?%2v$f+r!IPgRQAE-*>nt5EPBz4;A&aQY|Q=ktY2_c&o%><nlSq6
zZk4wJ(WtG>);%Z3wFNio9sY&Bb|R;6gybQ2ovQJ3za6rl73=s3-{>+0()_Zr^WVVA
zIC*vR%fmk|o6qI&TC?h$#ge_QTIgLhfq&bwi(>Y3)kJ<Q40SjOZ{dFcQK6{gEEF}Y
z`rhk0-k#MIaP^qA@k{fb1^XAiY@KRyqjd8_F1?{GxVefi?O3U)2kMBYb1&6`@1BqG
zkiKjZokSfeG_sG{Xp{n9{^WK3@rrtVYkd0C9J2doBB+Duo5-N3BT`<$IERnoS*_v4
zu1C*&L6$j4FQFjJal6>A)>GC1V5a;cl_M7|vfqQFWmC1NdL3b${NI@QhEJO9T_FR7
zhR6Ot;?4!m%BuSNGXvzH*fT2Gm{y}shG_=<%|I|`V322U&?yxuZ={x#m8fSB??=x$
z!0C8|Qq!)|RZB}tMG=z$mC-as%}ZiA-p}KBK}`g_@P2=5@8>z^3>T^F^Ug;(``P!s
z_F8MNz4qE`v(w{#Z(HHSv+Q^hKG3$r2KTUyl4Fgn2{5ZO?HkMXcPMBQJ(m+v@zo+X
z7AEbPyQ}LX*#}bFbGt=VJ8uuBR^f}jUciswcsbgC8p+y=Q+(gYE?M95cR1n!e{u4O
zlH9l}dMeSGMJhZfn0*Kztjc_F(tgvv<Kz7=)y(nL3@1xl;m2-@cu1_9^W(O{Axsfw
zv)A$Ars%hXHZesQ&7MjQH$^gPG6+Wx(JAm)W6qsLY@wibIQq$*Y|WTig}o}K=GvBp
z88c0;=^EcQ_^woowj4(cQGdn{<CV)GcQ<uVUt6J&r5@Yl=pZTgO9o+l)@_`A#;4>b
z;EjVbE1SC8E`5KO3NZT2tU+M<j(~IB9Ce6ew<83Ht*n0wrRxjEFNr#QJ+xsJr*1D4
zG^=V-aN`YAx6b<YCdfU-fWyo=!yMNSau4ub#;W;X6;|1cK~yVOSfpW~UtNbDG1FZa
ztx)m8Rnv&ASh=+3fC(LiUrr}MUcZ`3qj-Np(|s~^wb!DfLq?Z^Uhj#AiE6&ZRP(~3
z-Mu}D%IrrOlX1KXA(+*@OO^EY>?gzoAk1|Zz~$TX3OMPFHK{DXIfWFxV(OdtQK;2C
zg%|?3C!3=|095ml1#TCTBfS<8c?f8dUi%bBsvM+fatB*P6HiqsaCU7|YTH6a0`Djj
z0E4-op_g7ZLtSzRD#07KBSr$3lzdL{RbB|o%CZsNwkYaiiMFcgwOgV%N@Mbo`z9pb
zHn`Na<%kE=xw*7f4VeLSE-sV(G#}Xqf;nGSvyvH2w^+RfHwp?H0+6GKQ)w`EbA;~=
zD$Fl4e9Jtyl6_HcYHQR0Bkn>GaPg8QPuA7`B|Ppg!GgA}YsRo!`Uvc444b8G^$Q69
z`a!n~`+LA|6V5@Yd<>*GieL0$Sqb~q0DEm$EmJ0@v;D|^yP0X_fHFH|X9bw(e>G_;
z?GhZY@KbKL)e9Ld6%}Z?q<5Uq5_}a}a?3_&i!sB{(oZ;97oz=5r(Cr!jks%4{^j;j
zFX8Z9@GXvC*Lut66_VwHoeu;Hwl9wD9dq=I9hjTcP{WT8Fu3B_{l@Gb%-#pvlD5L4
zIg~*w5#$cwTk|jlCZfsA?mI{UAT+`PPX)Q@O(3G}xw56kc(%Howr=(wI6M$h{Ofwx
z&pqiUx}fb<XP`9ZR&T@^YJpayO)ldVk64XDH826-dcp8k4~o(+Uv?F)K(yPSrp+zc
z<z=atA>}h7o2Z>mWEKg=v~RFP4&;F04rD<AII~CuRwJ#r?N&Sq?DtXfCwq=qE6$N5
zudzd_&TVP5ZfK=`+z6oC0M;o`LVO{=26k;Lj4VF`a53Hra$6B_*zVysYYZ_?h79KX
zEJ>A~y_yzGL0=|A*C`{#ljx5lE9m{(f~4kk;6R#0dz*a=hEYZP7e>U0C*Y=xkS1@!
zs}9yDam1&pjJ`C3Z99;m_KsG&z|w~@q(47x*#JL{?8WgQyR!}qH-n%4otZ|GXcC&g
zq{C5T2Qh%2-?56HPH1BK#7{qE0my7y1^VxXZ3Wv9N7X!LyS0{bupvgUqh|!$c}DOq
z98>C;mth22x9{h-x<@-;Ob}1mB@J=vMy71U1IFZ=g>U?I&52}sTtWJO9B(TUqMh(H
z;Q+rB2Ppl_-Vx`182hP?+GlOP$6?wi!k?6Xo@zh@(SCjOeQIYtFEixq#SpMK@dZZ6
z@VEfU&+zf+df_9ex(zX7J{e@cz;E>+8;F5cw*aB%wEI+3wR^lI?eH=kS0bjm)IRE!
zAp0W_lWZSOuWjN*`J6OKCfvQs+F{gCB2bN*4-+$K)Z4IQ0v)3{$zvZ#ur+<I@byN5
z;A<NLZYX`<Gl-j6j@67IZJR8vgt>2hgw0=Vk2~p)zD3(Q)D3cVKvI0tiB~|zi&rzK
zg&bQ3xeO>+)_=Hs;D*n45cyOdIqxiH$O~L65V)f6QqVfl&SiCDEFp~LK-SjtL}&is
zY+22bUW;pnlJ|pd!R$J!%B*F%S%Qcb%+A6=GHa35cL4c<*%y0Mba$;PIo1P)3!Syv
zb?YQ=xUV|;H6p2#r>Z#IKn7x*WkZX+qw?qqgk;V7&tbeKme>9zT1q&*7H;xw_6+H@
zu<TE;ZX@vl7fE~{5ldP7N|2KrskLHJkkg7qux@dX({1ZS*Sr%XqYr85vkk1;IA7|H
z?nDMWZ*5LUoIQx;DwzGE0b!RQn*k=7wMPcouM(eGyCXJo#0bLYtzAa}Ad7r{EHyc3
zXS7Hq(4OgzpKTqk9RwciUmT)lYWnulJch*ywXK<TgLN`>({Q3&gM)8xt6e>3i+Glz
zfx(<ZZ2<U3wBs{Q)O#prE8uCjf{<7uHOOsC>E+)$M!Fj!rE+s8uK|^AecxpcA$0yK
zVe1+{4@OaLRji;UkF+-;TN<6rBzLx3HK5P&y69lmH^7Pt`QrdSP5#*30x-sH6zI<w
zv7EAg&p0O$#k3U^$y_Qd6}tR8qL}aNDFA3a5j+DFSZL6f>h`^>+O>Y#TrE4@S378}
zUMY6$gvs0~Oi@+VA<BA*WlepyQZEV<vz1^^3oziJ3amfiJ8Gj2RcdE}^`(iv)$?gp
z4QYO&qk%Pxc&bA}(*&*Fxf+%)p)%bcOfd7*$6F1RT8rVkdO(#cHy^CSzM_7~Q@ESN
z?>C+>|AP0at{2<#-O*}M(E~xgk6&RsCw#mfNh^H|;Jj+Lt1ZjEtURB;fG#TL^ISe{
zK998k!<(qU`ooJC$^{}lW4B0gy?kg+<>p6?ZIE?0!gV$%U$+_?i}rzu=qM~KPWE{F
z4m2sLc@M+LV9uGa12<XgFMk`Y-PY#lRG|bjdw0o@AoncXGkO`G?)HJ;O*+W+5Xn*-
z>*a4!9vR}5`Ln8+`8!v|^-8{qDh%ne=P`B^lvrCnQTm!|C0iub3rms*)9~DjyITj}
zfwR?@+(2S*UcpcW!LNu^fnf9m*j(1~odm9xtru2_Mfo#FI^jW*oY~T1zY|+x`kmJj
z)9<vF7^%~0s4&K$?4MYQ6HfXmwQ8q!K~Aq$zpu^KQ=u8~eM=JR?9s7on(&{KKu4`5
z@!Ip9c<s^tSPM4ucO@7GPELp?@G`!uz&!hKZPS^c>#uaY;Kdi+YA!h@x33a`eay5@
zGhUFltW~_=2Jp~$!Q*t(&PZ-opg*yQ3Zf7B7RUM)&!9yw&gE~>CNi;5`6YFf=lBA(
z;pX`6gq^)VRw`yKdfwV$O<Midf_Uex-QB|SH+A0H`7mhq4zO4QMlu7}!r&`s;Fx#@
zt`OrrYin3nc2}5skQ<ADAAJXgCx&);FzcIerD#7!p?M<LG*({;gxNO{k2D>hd)7_I
zQ3#++;1-c2P$dkx!qHkU-_ic0R-e~+J~2TOW3rR_WZbVGQm72xB~>JJOBuXZs4d5|
z5)z^lhxel)MfD>hMfIa1MTv~QM5TgBnw>54>Vmo5ZRu&-I!4eP_>RWg9cQUa9JWS1
zj#ssr+_~j%9B9VA;6UR<&h8+88`Du9om8@A<QZFL5Fhr)12VpUqg%=fl`x5?Dw)JJ
zA_UJQ1{*`S)!_YW`g-uvaqGDfIu~@+6%U${mR9gw-&{<-!R#$zzrvzrzj82q7q$$W
zvt3K>rI*~a$JrgV|JbrtQTyj(YS&8xM(sls=uhpEW1^n8(gYjVJCnQ%*eztetU=KI
zJK3GcQUeWDEq=3&0O|Z--}zSSJiACZ)hh`{@B)r;swaM_VOI71GV3z?*E8e3AGguI
z-(>_Uf}OpPK1LV7SUm?Y6&>fR(GU^@(Udh6WUqeSK{RSHk<}Y}9AAkM&1^YhjJOo$
z=Q!;9#K{hbD@?f5&5(H|mrBLlpcZ6EaCUo<OKgs^k0#jT>>2Qw_qB(+t3n|5rC!I$
zJ}#2)dM-xddgBOXBwh_Oh+dBuqGVJLF>95h+9e*<9%Y2{%y4MGtf$0TYu3wpaz9vo
zEzbH-4A#sYiK*5`C5C&cx6Fu+qWLl-(j`2<ihYHVy|0iRtO|i_X}*K(BTR6#BP)qV
zS`UwH`@y3#9^}e+suL*7DMTfdJL0T&te5p*zom-Bk*~&Cf3#lKpY+RmP@MIo^|DGm
zT-kwm?;f?Sm-T!7vK|}Py2E-|&+V7>>v7hXSyQTkHLG9N8FALz$XcG{?;z`zC;1mZ
z*iUjQ<{9skMOU;d6=oLIBgpx43ayf5{ZEiRj*gYBaH2!wA#D!kUWA;Ic`9%w;?ehw
z1)IJj=64=A{&UM{hqAQ&-gGfk__@(_KvhTgK>hu)L^ml8wBF`tZqaIg%1u&qjuM=l
zk~F>v31m4mobbC7nAe2gHS!VjyQf%HT&2q@*XYUX3qO<B7k(zMFZ@W`9u<A1EQ$Y#
zCEVKpE?AI4N?JCBlNFZsKWnR1glXD@{Aaa(688mGygVgQyY>z@p}PhiTSVXUkiYaN
z4)XWGvQ;9Q?<K_la6DVVAmj4}uYWE5-@}e+&0_(LzD`5T<N>i*Sg*)^DTT%fl~XW#
z5ACZ>w>QEF)EUJutLbumciN_?NC{Jmy#@ePU+tJhIP=ve8m-u$!3W>SSXrI@p6@7T
z^hk%vObMsfpX-eYy3HOd`=N39bIa&{QB4`@)sw*cB0%_}^=TzKS8)(R{g2&rv^?Rb
zLjto({pX#&-s1u_Yz`?s=$FII%)X89-^Rxroe?vVGFYOoD~|Ct{>Y8D^PhgapO(<Y
zctO9Uw;NrJU#k>zz6fe3WWO&TkUiI5)^bMK9di36x==Jlo4@*@YxD7c_%=V}`RIQR
zV;v?`PxaPOkCq3T`<!p?+i`O<yj;1HPdGGAxXkT^N&|et=s4k_L<HUppnP0Bly?7o
znH%OCkNaUh=wbdVpYV8`aG-Cu;1h0(6J~m>JjEycE>5`358=x`;d^nyWM5T_Pna1e
zO!En!^a;nr3ETQ!eb6Ty5GQ<9B{mlmB8fr_`p!$;pljk<KJWS5H9q0_6&@N7#aOvH
zh}P-3<A2B$xB2gi5AlQR`+*zWuJIUtr>Qnpc{%uAR?HuE6T%(4Happjj@1eUY_4|2
zbAxgJ5Iymjg98W1mCW$pSokh}GN~b<RM_dp*2%B=?9nm*-GXVH(d(NZyTk!xTR#}n
zHy_D@;_)UK862b^m)|H)`5DZ>+2<S$bWJTC9U6-zJHkQ|Ipa6ze-ef>myiAo=Mezy
zk7@R#V05TwK)bqb=Y~Vy(d56o+4<OmZY&4zP3Ou7#qByfsJ$b4P~4!*LaW)0TUjD;
zQ4gD2FLw2<deni#VDkrPD!rD2pKIt^S_ePBu|QLh)3H7N=ZDsG9gfY{A(e-R=Zwd_
zbgHFeG)~x3ql8K)Kj13=A(cz-)f8keb^6HdO}{Pe?o=W;uCsHlXu4m|7=Ue6W;AOk
zX1%bU<$^2m1(l$wRTsIY_EJ;!0#}gNCF`<)zSw`+t;bVMIPbb%;Gz2WPtH4Lor7bn
zLJ4N4fOd3*U%38rI{JXGm>M>Rjvjf}^&?tDz~f@7!{cFURDT>i!)H$bzegE|$~!JH
zIh;RGAt`L4Ruu&PGrsTO|A&WNyM2qRF>gJc&)u3h@$E9MMmH+XBjzW3g-7`c4KZ8L
znyR&WpV;CPqc=RStE_DYPwo|Q)eUYLt%8c&h`t2haU%)|#Q+-}18i7-fPL?6dQ$GX
zDvrKKCtPi(lIm*v1|gktmd{K2IToIt`2vUHpM(m$32eqJOl5xJtv!2zGd7IQvPK3G
zyO22+p8xfZ*)5e;{YCIk?Y9YAQ6ss&k5bY|#}0vR9gF!$X`vPF+B!D8#{{;8L*c|6
z^DbjLsop|H7LU9UQ_slr7wIF&>LPn#+*w>P{a_V0F#X#}_gc4p6L$-L#f%0vz`u+T
zV`F(#8$aT%xL0yuOj?h<!5}02BaXtE#cDbb-xrBT-sTKnN^iUSoA!oxv@cZR_2K>V
z{mtL={ICcK9QxZ|4P$eE0)wNvayh(CsgEK4Y3*mxJbp@(o9!se{9y4N?N0%BPUihf
zE~T2h!N<>I^#ppmsPW`7tAI`61KP~l0JRz)3J0F$Ys|@EbT6H7bq2Zf$sCV1^iX;3
z&i@P_4iG;4)(USN9~Rzkm6!2h%L;su6)5P+HT$ns;={Rz3+VSPwvxy8#|L@K6h5>X
zY9>g47R7F2I5fdV+i=)i?>$Q&oPCA(!96yY*#nss!^PD14ImE3CwiDX(BpD_f?U-d
zz=1W5gN8}VDCuhYvZ8|+vN670;A+V=QcLuh&1ag->*YJ%w{|00H1y-|w$^iB;ye0<
zA~%R=FYRoI#zW4T`P3R6M>8J9zP-^xH@QM`nP`RnNY3|0#yj5uhv!xDBQ6D~JU0SF
z0;#<Pm4rlN;3qJW^q7$7VawzBC|>I5=SHilxY+1td)LF5e)@h5@nk6vsSjZ8llwNe
z(H~928?H5*K;7fATVPoKm$qJJ7<6#I32d+GDsxtiNF4r@yZXEPD$lR`x4+?OncQU4
z@_=u)Z(h>>O8AL8-%eAo$SqSdH0$3nuEWg=!Vlcy@J~0vtGgd$S1E3N0^mSvV+8OF
zthHa?y}ePU*Hu=remGVUH<~Oh^U0W8B#7^N`ujq9k*#!}XOeq>g?*P={k(x_R9H=0
zGj4Zdo4!76b@Zn#j;(8=-N@+ryFoH|?qh;Cc1`8_BD<l#!Q40b-1ZQaqk+D>Uk57Z
z=ikF`jGf9z(*-1ae>a5R`&bWBn}Oez_gQpBQI}b`49_WAYEL^sf1PG~wm_-H<&6pT
z)41rcfh#I4V9)`0*?2<_jWoosYc|G#rudo7VevDY!>Lc+29<xL!l|t?BWt@(&deNG
z+jSx@#Wi${?rLnmCH7$AuDxQ<IH|CgUTDdE3b!1EbMTwkGpY8K(hNQ)$;R*@sJAtJ
zcFoT2{%iSuKm#4u^^__v8Pr$K(E(q^@T|!&fjgSRsESR+UZR!V<~V$+CDB;`V)N-O
z0AGQ-mDkS-M&GT)>%}FmWRJKdHNAL;zPo-GEg*vSIdEUMb83fjH)gqR{LqqHxZ!sg
zmPO~XV_tjeMDlY#Ru_Gr$h_Q&=5>b|pD3REAc4=$*uGrFaGRuPGF8Z5%fC*2CVQ7j
zPcu&rYhR<LQx=*dly1h*Uf@aB$@OA#Pn51PZU&lD63O1?AjswU;vM_uhQ4j^|B|`A
zq21o}%3f^6_vRfUET%kzd!lrr)zS5cT~Oiuiu|2s6N$%}UcAjfL#G2n#j-=>ouS^9
z#P)JZKrFsrcx-3Q$`)SQ370%q7ae4CktSosJbl9fXeP@=)%^XE_~=+-+pw}5!o8AI
zBabGwu>j|Luw}SOwFGTFoY@cIfz5ivKJCZ~7uh_+DP?n6F?+XDonW#@x0}EZP;*7{
zUwrZqpZvTeaIz2aoaYg~I|^R|gkNjyIwcxJ<wmcQc<Vz5eETQm@da^nsY*@0*){TW
zN=@QUIId@2DgB%*9<2DCkz`tWcah6?x^L}gx4Cc0^_m&A7G$;HRdn@U-_@@!w#+$A
zK=k>F{-q8o*ez)!_B$)e34hh-?yg*Rpl@_{-{`-z{V_=9ZWoHgqs{XCz!2_}4t12G
zc{Uau-Jt?hSX%0OeI4Hw?LFw*TX?HWzL@09nP=6cZd9S`tWeig(b+_o>CN5$UFZG%
z<X?w{jfAh>Nu$UOnsj{KL#$z8J6wTGYtP?kN%HQ02n?$ehmyRGZm*H>dP1HzOA3cH
z@!P~NmSUa5_#MvgaDMSFhhxveAuas2@Eh`rBb-C<($(3??-YKg@H@4=aCx^nknfxt
zj{0YiEwVXnFPao1<LoBF^DP~Zm400)jLxjXz;}`~GV3t>{ToFx>#*`W!eTzqUg5Z{
z$Gl5X0e6&VhhUZuc9w%v%0a0#e1>V|psqdWFUamf1HtTp*505XcOVJaIn>*NDqlxG
zy1}8%XG!?_JY)XVZ+@m#4|dk|ZCib-d8qyw*xEB&*3fE$V7eTXIBv1|*)#d2)DSYv
ziDL)fk@^H~#$0Jt>q{$`+REqDM;kcSfH7=p=M85jR!!-THg?*I+c2p;-!p4f15hF6
z>8b5ETndh29nvuM*H&n5=IUiCAiKt^KgsK@nZ;KU+$KSZCxY2GK`nUrR6KVFOS(IV
z?Xi<TjUL$S?y!&EyI5DcdXXarc_aw)|5TK0KN5LQQi-g!+6#-jsSh(`aD29crB_*G
zeY5QahxVgh4|3m!k+BkvG@7iqXzKQlU?DF;f`PfQun8f8u8nWYwFO$9d!6gdo2sI4
zY6D45CTcC5bXM-AuB{43G~!Y;w*^I&|D@|3>byw@qoox3`n)i|GTi;qaKFoeQ84#6
z{JYS$RryDGeA>Fy2T8QlocH8+!N`!?gqg?I>9V41Wl>{I3rArlK86Mg^_ewWp7zY7
z{Id23pKE<{*-(z)I`Xfk?!b3M-(O>R#_fIH+S^C%nJlCBcy~GJ&wW5Fn0pb8*p;zR
z>CuTali0IWK_d4j2Z@)|D+h_xhg%Eho~64s;yPjG%wZ7M?+JDk4uq?WgX+iBPRh>}
z5i&(0Ks=`f*=BYF=m=}ae414dSd7`r`Do2{8wm#aUqYbyB{u_(n#_~E={3ywJQu~k
zM6FD(>E*>eMPaHar!9EJ1dnio87_IMj=G0#!<~y@)`?`Xi%93tq+R^@KicET&Fljh
zzuq2wjdV@hO>S`JQ6tj(6|A%WEB+Jx5VW9vwY&Tl2h_{p@D3MZugU_m!%sOZF)G;Z
zb#Ut4B;IY!T+-^-NP61!J2RRqBe{Avu#<cPpQiy|%}&ZI%X&Z0t%b!6%#1FMriS1;
zwwVvG{NnBrtAYi11zuO0=q0+>*0MZ}uJ4kM!(JvLp+M7=;nZ4@xKS0qBg=fg*m`Ie
zM4G-x6AOq!HwaJvg$djb?(S-UK`5qm)NCDyoYSDDukp;_G@33ioPF}^)t_&qZgjBh
zAgdqh&pB0!?qTRopXOt?;y5x|K&*prB^-MN;vZXq8gme=dqOw`76HjA@FOhPNX&g}
zD)>=F@;oPo-lOD%zg5<s?xX(Eas2~>>|pd96&1YX>MvB*?;(kwW=T0g_DW2{{Ep5*
z;6~*kY>m0cxJ%;@)S`QVMn61yO9-$aiLdP6N*%!em?Yqv;N9IEwM4UsY)zkD3#mR0
z+p$7MXY@g&Hd|g!!$mc_xz!HWIS&Sz?-JK~3zLb9fPn~se_`*l6JIs_Hu_&}Mw!c(
zh?0^(NdsNf3W8jqvM8nj6kXx&TDZsi`u20<l8c<2g#B!{$=$)6JLq6~%x811>C|A+
z`(2{<aMUBnMjWo-fT(@c{an6*{)^#~F?)uppp!N_5ykHaAAC8z<_k^|ee>ZknDA=m
zx!RVIZ;TJdEgiFOkZp%EjoGzpTP??1JG$lh9*wgY!mf^<(Kv>Sr@B-dSOfc|*KqOl
z|0tzvMJKBC))M)#o4j~QOZ}@s_A?aLrCTi$I7=Kz?-+f(s%#C~9>YEDK!&GJE_P8q
ztbI5f_2&4X?FAf|x8+xKZP`Y#o$Lk2F-;o7n89kHrT&c|_YpPBHMninFrE4}NH^xG
zHY(jI$Y~kizM6Rf%BC>PC|@XEOMZPhc6%s8$uHr_L^dsKS#aB=i0b>s+bO%HUc4k&
za97BsWA29x*)qKb43YnU@YWbZ+~j~K_Xg)5PYNEI0@KY2MB_k#^ci(&KuwQa=u?E4
z$>{TB7CmbuO9i&4g6uGjtSR-aF@sZ`BUUh+Y&Y}0OjUiF6^%~YLL1gDH56!FWhh`1
zOrHFg$-_vfq$cxRFPqD5l>Ed+E&LN>UEe~7Z}Ge!WesJTJW3kmnX08oyF=x?j~CU+
zF+@=a2yOUpCuN9r1Hd=%^5l1@Tzo9|Ok2>_-0bkEE#KT6{ZoQNyq=HY(pk60`EqLS
zF<dZ{+q7W8L_8Q`NwdFDea+&oj}TLrSu$2u$FuZ&e3}2?)q4&DLwv+#BHeinhtZAE
znXZX8ktTTHFEQN>Y>Qzoy!Es#Yvxnv;`ExjV)#T$@B>E^`>#h6F9)+ib#8y&+M<A{
z<3as?I>@br`pq}TV+5k7_{a8xU>fGU_mT-nHd5AmrfQ?@7`D0<eLuI3=p<1Cl_`No
zepx(6S*;WLw9D=Y1pX7hf$!q`PA%RlUJ~6)C@JqS{TkOU7^X*wjCfFMuP}ECZk~lS
z!iZ>@Tdx_4n<D)1Q{VV}ug%rAHjBW~!&&Yeq^*kw7j0t$Z_y~ZcOX9zNzxao8Gk@4
z+@aOcd{r@%=r?3GbE-&g_%y}Elb!k5ti!}uPM$Ji1!HB(HF23GQ$)yXYFmRJEQ>y;
z(OdtQv)+hxGbQ647q26@uY$pXFV?yyjfcxBD*C*!{}%K#r`PQT)8Mo3VNudxV5vx8
z_IJ?E2X7}Rviu17Ov4dP)%r$Xqay)>7Zu8KKrbNO92ub*yPW(TR%7N_X!4!zAp1$$
zAWn0dd6r3kr#HxMM;wRABUX)ZT9o46Hway#w^&2-cO*sMHSQJjvJ0sqVO81Z_%g&!
zkJ*yJ)he-E@}G{)S)<;q!uCm7$L5MdifYq}=cX`xm<eEknRv`Rm1K3&xnc;(Z!>cw
z(c=rp%!G$`ZG$^)TUFWLv@LDTPnd~3lvX7rJUeeOLwiAesvu99Wcgu}FlRWu^BHTq
zM=d>9*_5WWjMpYE&<{sJidNW4XU?5j%eTZdW=M|bjSNX9D4NnA!6t(GBB;ep!PHpZ
zr`4J9pmuYkdoa!ORm&?0T)ut9C;HDt)t`&~){N>T1*$sK9MNdR5uppX3kJvNJA>&X
z<4on^kKkG5V49%5h|QLR+EeQ<Is+S8+tYxT%*k&})URRLPoFX1O1JI=xhrTO>SJTc
z>Vhfa!=RDLr7;VN{>eOs#ksb%DPDRf72`Uo+kO^b%TH-ngcA0|@++>?sDNCFET>*D
zE(D&^S9gK$;w*L%23px}TVH}XpJNVqGkmZYPw-eEp>qYKCxQ3YYn>E3iz01>1KE(@
z)%BUO<a?`BRLVE&YM1Y5^4Yg9caZ=7`YA5`3w+bT)pQC8vc!)Ezc7LO<VeWO-%5GP
z=b?d>h>^-#x)k)44r(sH)y2D(N4hs!w(EGB0kc^%`Y=%;wSC2|Ok1+z&`Sgq2E7gB
z^`i18H_Vp&d!=*V6Ll@Q*{Exyt!Zq`y&80re>T>#h7r*YutlK_IY9k$qeuA$Ez&`5
zKDe+@qloT+*^1%VS8BIvVrF#JGL9!^5G}#2+vsF8mo{~^7QI@kd04wYhr5uTOM`J9
z4FTBsYHu%Cooo3_3Tig5obF~X{gP&HLKs~}HxpUQNhsMH=_YXo_?XfBQgQ3`PtcF%
zkd!`S5F`D#x~KCWkFC*;G;=eQ%v#4f0%I?e$@Zd)FVI27Qg*D%Ffbl#c9(M68<3RY
zL3A#;V)<pWW=m5QSDAZ}o<@IxDp)deUQ8VZeRv_|2mo6aZ{~%y?;;AHx`VlDn7MN(
zZ^)zG4bJ}y;~{X`^CokZ{rQz~?<#WSm*khWI-faDuEg+OnuVMa+VXdH6bEk6F=|<G
z{<*3uBUhA4;WlTjVBDQvlkPf!_UihEBFE9b+D=j?aVt90yMOJ{c5XyJ)rwxHBi|Eb
zzahA1*3@+k&a6E*nEe&^IiPC@hSh8{gV~{r8E7$PYP}CJc+u}DPN-AoKTe-cd8O6Z
zNpuovF}Za;rm+}4JheqM+SQ|0yM7wI#*8?*rlWB1OnjkFZy&WJHM(Q>JMl*sj#`eB
z)(6AjfJdEM{V@MnNB-XS{5_@bY=aN^+M{L~5Zm)RHA{bH_9<bH(8?*gZ>#Xvt@FNz
zoS!&U&Ae(}I2@HS%yURxI4U}2SU6xpQ<#4t%=eVGQRRB=rFNLkv8|0Gj`HW9WC#bG
z*%a=+v=lY?e5RppP+qw~rW<WFHEIu!!+*u;ux*fZS{)V+oL1T{pi~}>e&Nh%rBxr4
z*Gt(LQy8bORywT#;EC^GI<yi1xbk#tiaIvxHnJ-#?NrFqH_aS9zNW&TUyqanH9a2?
zG<xa;{p$R@fMx>=gSOStF^t4|T}EJ3igEf%@}`35n`Ej;&%YTBvtn5_#2Mnc)K<|C
zwkD6&<X%On$WQu?0>X&y(tH7q0f(2B@!#HKs2Gn9658``7#Q30e{<m5KP-GU-2L6K
zc2!AI9FGB@21hqMs=Y9@IoxAAe6AGF`cO^jB)}TxOYH*y^Bx1*fp$9!9>K8KruUNw
z=l5{KqZ>~5YS>fmulHu!UT9E1-cdhZ4+|rh(Mdd6FzVs1roKtq?{(x~GgZecrHS;2
zg?BIOOQDMi9^GE}K)CyB;qI$J<#Qe?-9)!sN9b4W0FPL$N6JIrZB<Vc+%`|G{>vc|
zV=nA3>~$kQ7MkJMF!gE9tl9_IxZCsm6b@ss9Ig!I7=&QHT)$@Cd*Dp=8_*YEbx8UK
z&}~o~qrZ?k*t$P@o74wm_%s-8g&NT)#=0`K9V25{rPFOVd($$**?n0!;Q!k5`Whhg
z?(24V5Ekmf(Y0NF5)g35Q6Coft|?s(E7cJ8(XrbAI?G96y*h6luO8Jl$)L7jOwmz5
z8C}=${8ZsTpb~|l_RW4v(x1csuxIw8#t(>r9E<02)bw{9o!C3x=Pl_a(LFb_xTZz+
zT;MMq1F?AiLE;pWylTs5x`pF;=eV($R_4Vu#1SP?tn|^iU}g@VLH2W0Oxk69@H1aO
zgM9vZd@QbE!7Y`B_|`H~sRUU`kK}H0KaKhsq>RK#7rMBGlBMgCLL-R_vUjWQy!lr|
zE#I;@jhMlA3yG!KN!}@z_i~qa8Xw^xWwa{EJyp5CoaB~HJk>>fS~;y&1@f7h$~Pj(
zH&6K{5kFtagOq!5je?AvpVAgd&MWy$?MnPjN*?4hUCW0eY9c#^5a0B+D;&E{WS<>6
zk7)Rh6qNNxu-gI_)D-DY+-Fd!(UquI6FnKhS$_mI4f-Rf>CvAn@m#&NG18R~kS(q3
z*NhU4<yh5h8LYYAy24Xj;g&ef`MUJ=sOEBs(_9IGmx`yxX+4=~<)Er7ml*F#2+)+6
z8K?Ew%viRbjH)Y_*v^#@z$tNAoYrG=<V&c!a)~Fm00=#qYvV|O?SoJXXUB28u}XMJ
zT1DMFMRF;*aOGHDM7o;DThCz;T5Jy=-9tCNUa|gq>P+n!X3m|0nYd1~um(SE8voCf
z-mquFl=-!?T0M6vQPZ_P+_vyq)%;O9P*L+K)a(*Io+SK&c1vGQ5<ZqBT%d#&fy8l#
z6q1<Q?@;@DsnO|mNu$$Tqx010@T3YG&O5+pp(W_})%E5|)%{G8Fd|8?M(-wJ1LNPp
zwcn=pcVnQORUbapwL4wyj!kN@c5|xU655i4AF17MB?;q_1Z(#Y65x#Sct2E_y_}ih
zB%?Whqe8B&PPHW+Qw3mmP?eVOr6l3^YO98X3jTVQI84G{6ZF^+e-%zu^4C?=6!X_{
zBYAe!m=)&U`Ei}0XRCE-s?U#WDcu!k9yi6iRm_hAUB*oh2l+fx9ZQ@aXEd63?{tVM
z*=WTQKcE_o3zSkxUhxk6s(YU9Is71>SM0`BJ}xOB=%pr5pqGGgMbE|_<-4?Fl26;&
z)W^xUTKQsLw~`N|t7sR1;@_W_U-4rHiU*xJ1)sbv<N>tfLjOC`evR3Tv0P?#OopjG
z!!-Xp#eOa0b}pkvC;C?ce+1`Sz=HGQpp|%XfI6^9!z0^GaaxZpcKRZ=yBw>U_2)R~
zuUuh`nQV_*iUoViLDj53SK<_v=*g^faVoXi2aVmRCjALdO&oUerRO&fir)+u@*bVw
z=)(U4M~`IK8{#*3jKyP9*Ab$({h;@T8b|Mq&|VX?H!RE_Jlt;@9BHg<rS?0jYk!wM
zFSG=0FC5K0BGPy^Ns#Mkm#|m~_mHrm{)qq3pM?K3TwB>6V|vTgfxjo!+3?O*JC?8_
zNihC%e3I~3l3*P;kc5r!AKFj&PXjP$bOXOu?e-<LSi6H%y(PSqBpCmBu`W)K=A>fa
z50X&9e}ck<nJ}N7#pP{u^VG`Pq>Qz4xhk`Sw~~Z^3W~Ex@Ny)mx)rCvt9TtFKjEy~
z#NQT9S6y4cLtOh-*CD=r@_(p!z`L2%^`<Wm#;wfXm<F$0$xfBruDaw7uCeldW*hcE
z$eHVckg|$)WrwTm$E(Z!qt-@U-aiP}KN$CS_MD_}g9`6aU3fl)m4A!;jnam?R#vu<
z@$=OgPqS9i<Pj|$k~*=l1!8TcG?1r~Pume2mX<Mz|LX#>E_DvVnIp9q&#Vvif~`o?
zv6om1eyez3r(@B!qYRUBe_8jo_!7n?>$-04`}4x(>d?5PL$7Lno}+FzKNahPP88`@
zSTKd8>%`esnYp)x;464cxBA2%vDJ*_Kv$v>ga}8QUs$rtbD5R<vT{(+)nDpU74R=k
zU>{_{TWPs=Ooc@iRdx09U9YMQL{DJ9K*UHz^q8!z>IgOw<AW;ggDPl2EBp&rc#12$
zIbz^+S7N#=u{mPk7hH*XuEfl^{Y{90Lsa6u<iEZ>lKr66tWM=Rjg8txH>o8X-fizt
z5jI7W0g%>uti>&HR8QC4F2~Q6qY}X~kNOUlajeiwltZ(Gv8N4&tbkLgpl|-d<znlP
z5b3Dd$v+Ik^a*O}*jVbwuXS6w`{M@IWR^^GwfD$;l&Kp#Qnjn6`e@-tzoGx_^uJU5
z?^ONfPpNmLH(!|k;{?;~h0nL?V--KAKgVoVf2ij_>yPWqRCVU6>du@*XZq=DD(uHG
z9tT=&I@pz2caz4Zz_2(lTmdY(M5j6Icpl`{dp+QryQ@7f6Pxz@U+b5q28W~W4stSg
zn#9_<%i?+pl|Co5lBW16Alq8lK97COWL}P6mhT+M1B^jdQ*V2~(v~i(8CnKeos%dy
zJQj%bNO)2I5ZR#6aD^KC4tD$mHPPu-!Al*-^*ST+NxZ0Fk0|Nk#o^&-8Et0wR=vee
zv~RaHw2%6S9&D$gVIBFY*c;uh#KIn+uj^Px;kbIM<xkd|S4zuxJ`5Qw%r7e)h&_o0
zrgLH*?JQkIl09F$tTfywiEWXauKiOe&&!nIaV0<<<YXX?YF~ibhnHwd7p_&hY1!#&
z-=5gFCG^FShIP`Y>ubu$Ia_BrH@YI;u|zvkFJ)w#Wq3&+uarK|$A}e-AcbM_^QB=*
z!<Ih(s8eCJ9^HCOyg$=1Nj>R(zj5%ScOzbkj-a3JTkWCq;m{qGS#wkA0+j6<{wQ)7
zeC?Q*M`0cq@e*aDuM@AkAK1Xt_8Q#HyB&a87<he3LWF4Wwbo#pWK_s+3!nNn0+a;;
zVIx9*jR^UjsyvhOr*WC!v<8mu8aZxkigvUPrJ9@ivJ0C;3y&wXur;e)={N@I5>_M$
zZ)$Ctm?YetB-D>1VMLN}SCU{f-bg}xKCt=xW+1)(@Aysc{tRnNAm$jK_2q&!)%>Pn
zeO;;sbGVm&Bgp<#VJVv5EUm>d)8q2F&ucQfwi2r~m9*IlgFw3p-;Y}k)u)~|mTlTF
zFBmwbSTcz{0|wd1#@QTtPCBlIIEI^SQ9LIdXOo!hO!C-tJNbR#wHn+`$>6?u05fn6
zU3CdNCJ8p`ACTbivx=WJipY%R7>~L)$m;zCV9=g_TYB02L%i`fK7U_ov;gtyn*ziW
zBI+5>86bG?i0(92P{}+pK*!rN<Kc0SLV>BrrAR(dRQ5+JZ%knySAG{|STy1#5!H38
zC_>h&mGw7#^!-A5V7{nt8M9_Q;ic3)@~J&X_YK;QyTe|mS|$cpUwR6M45GBh0Ay?N
z>{<ue<EV6<l<}npG>^)#kPICK%%9-{_TKFayr=Xw4>IF^yCeT(d%k-__qb&Phe1~Z
zn{8V9&0s6>Y<)>@bC-J*Xi-iDVp8nXho{B1W>1W5%~LHORydI3x0)MT>HD4#?vzR5
z(v$Q+$9P`!9j5r<HiSr5Wtcn(%9<SPkMAKSx=+#b#1*Fit=9Y<Q6Di2=Ls+NO{RZW
z(ekBaa0#Q51jCDSND!1O<h$Iu*2(U+fxB#M6v5-mucOv(&EE?`u-~K6r{4ga4jZOD
zW7sgXeD|n){^0Q81A@K7hsVTbM~lt=oErQ}u$!x4Tj9e(VZ*Qg1p-{deuoU2e^7_@
zN<|+Ji)S-)5vbQQ-hrgw^boB>8j>q1Y<!C{6KV6qucxr_p2EgYwe<W^;K0`!+VWkE
zZTWBS6r=WS3#SUM->L@R{*0iXydeIzdGd?a{r`x+Ir*hY{gH!<3g&hVP+Px0n>U}^
zQP$7rWlz1=eC`9@tT&(c^MsS1&&jTa@_at@TGf26($xPO^NAVv`#qn%UjTkGJ+FY@
zNsM59_-*EV>JIaNF`x6*pJmnkc><{Q>rcgcrJIX>qdI_RxK10!Ms+#lZY9e5&9Cr)
ztKV<3Ywgfi<)&iXRI0(u*~uF0TD`#U*O_uX+g8;x(0yqI>H1yY@5}rt+2=lmMPOJs
z5n<@e#&Fa-cmPG>Kwdi=9;W^CQcH)H?dy7dW$tJQN1fQ%^;mQuc`L`^u4_cPv$1fx
zAoXxHq;8-)mcIf%|1@Eg{qngZT^pU&;(KWXKV`W#LnB!0GIj$#cG7q1r)v8=pBViS
zJI{q`QcWQjSlB;z6H(GTP+?(_!oC9AKVPeF1Ip#E2!#Kk2Ju)GelOKw-=~xNA65I*
z)kz<AR5dKQx$_lOSX8nfr-Nm$+T(iq#>>{z%LMWb>L7_#N&UGJx2Z%WA|?kSWn3(j
z_1qpEkuP2;&7o*?vQVKxTiXncIwCej)$izVc|EI=cjEn9eH%xno8H8&M1+0MP24+V
zS}flgr7q!u4mbxk2ig1RP{rQv%PuX*{*L$!?d|mXo7>y%6<5Rd632POZ`R)Kkn(t0
zEPrT~yvP1-jOyOl{%*Mv{r>J=!pZ*bb?eb9rRTV?!c0gMJn?ZSc0I|=YE{3RB)<xD
z`lMx=bd%%WHH2Poe-{?UG?)JL;@j&4wNFc=`86MXyGq}=;r(5Xbc6-%@6Kv&avN8$
zk^P-m%L$h1H+Ns*qhfP+pwjwp?#l3!@G*=meZR4t9cGHr(O{Z=^x@`0yS+(7^xx<G
z>Inyi5tfGR7U?Cqs-4{iw{+~w8rhdMu`e6OUd<$yurQ>Va0_5d_I7-GS+aUx7v}G5
z&j;=KgBwr)fQjw-3H6AR_3ZJ6Yd^^E-u9TR_M}Z_K(w$^40JgAD@Qf9t4lFvm#|Zk
zu)hufjz|(lBnh@b9GfJ3EJ?6^;O-=p*8}9qLt)DKw}R{k4Xs9F0|cAzNqvpEy%HRp
zUzj$(qcHVao^+8?l=-{jg}2vb-l<D{D)Y{O)F(3U)TWvi4p*nUl9qP+W?M~Zai6$;
zT5ytR_)Fp6iIkNgg=?hi$F9c1ES80+XPo3NnAEri_scrMr!_m=GMxxIojHsZD+O-^
z|Kjy(TT6}CtAYA*>(#KX$0*U{>Uc3CzLKqto2mxNJS|>d&HBTQ>TAiU4B`=0SHdr~
zS8mlgpA3&%6&83ie&7uJCJu7;RZM!Zt!}<NT<|#T*rm5=KkCH827#+sUGY5inUQW2
zA~uYg(BR9pEp<g!?njZIR2MmlB0!-`A65Kx8nyB6o2E7Q0Q&>S`fUHG9Yg-F<MYd~
zfitG@X6cUtO`hG_6Qz9~b=0E!ihRSgo?$ATL>XkI9o8mKI$z!|W>!1$@0RL(nY9dd
z1KYdTZE$elJA$l~owm7K+mU~+^g~kcP%^|KpMO2Ps=YA2p?&oD`mxK}_T$8Tpv;}g
z&z4MYA#xM#tY(CN$i*LzVg%JuoH}(9`+`Y(e2tvQG`Ixd`ZK0ysC(L%ygg|AH=eob
zcfb1`ahAw2n66q&Q)PFp50yerm#s~WrrXv$d``?r1zHHSC=e0|73d_;slXHhQ~Ews
zhQFXUhs*eIBDmPJwtR2AMKK*!&8@tURI}*W&*CfKA{Y?+!{<vQOK)QwAIVJ(?iT9X
zi+G=48GZFJO+st__SBYwNHi4IrTu$p81-wNZQ{4@hYObrFBT+tVLQt4ROu3KND>Tr
z_avcGpX)EKXI^x;a)u^cIu_waYyP1iJ6bVt{EMtn!;Z#>9d@j=X%TiT6YALh(e3XS
zw~$n-QEU#i>h0W7AOa#Q9M%wyKCHfSvWx7^nPZk}+F_3M%q8PLUQ@%CyNxMF-+8-|
z;k#VsnTnlNL%7Fyvg5%|7F79(Omqi&y(Oy$eWTmW^F-#k11(>EBJ<p#$|g1`z&uZ6
zo;#X{6JVY@G|v;6=MK&DMCQ3e^E{Dx?$A6>WS%=T&l9Kg4fOZVr@1-3O_TTIXEhnT
zSFK-WTzV&&wt2frH{Wk*zL#jeLnb(6f;E2)e-|9tPy?0d<IL{DYc-WGRL|HM&sE7w
z*aw;n?dI#d>&=(UB5eO}{j&L*_BS_QCNw(z4_FY-*Hb`tahiWhotk1lUr!RTk@?Ct
zD>qXn*1U-+yI;xwzo%@lUw_2lZ?BxUr@5f3d0V01jm_IOtgz8S=B>={E9S5B5u3k1
z+WhI}(ZYF}zYh<JS8k)Yo1dwiKRB``Fvv>U=2Z8>KL|?4t!l;A6RuwzIs*e(u;U%B
zPP2;a%}V@gaDHByieH%@7RNMZ_OA<a-y?!6Q0IK5{kXqT=u4Knc6m5z$te>s^KA-8
zPiVyM)ErhF-qe<FGF6qWX$+-JwQ>Ai#1tUY(@>gi1fA*)2OPzOKEc}D)Q3hzgBhC)
zW~Fq<F99u=@P#B{niBq&B(x+6*D7IAk}xJoFu44J1pKo&Y?fdVWcLJj1(VktOfdb7
zL2?=(dCP%h3?RXvTvygQipS2MSRB)o*?$0cMu=cly6`7f_@OdXxMlcoaDGn7cbzjW
zJnsH-5&&Cv%3%q>b^%~;lf#?x!}8%kr=Y~EiGeNNhgHB$o0QUl4;d0X0xt*$jD}U<
zt87A3-wg|!1ioXFF|Wn~xAX^Y!MTK~Ny1G^xFkt9GD#S&gtL-_qmzW0N;ob__)3ys
zaGgj(#d=hjJw+U$aOpJtj9Q**v-xi;fInF6hJ~;(96eXqc*@YQFufr>Z&?itC>(ub
zFL9@CU6?*Fx2mhLhYw;i-AG=`yOtPiWM3N=w4k;$xswkJO-Al(4@e#y60V<Y;R&$N
z*}W>BKfER6aDz`ZNDxju+bts#h9eq%eO_DP(i%FdTT<BD&Q;o|xt+uW*@$rA(nASb
z>*T0={WhNm3+TdZjj*i{J}Tck$Fvn%9@hvtzYR<DawWZ7-LIEP4-ckWhr{(Ndb){T
zn%=u`sl=d;!ljM&WA2(d{4fiPHN5=v$HQCydXM|-*!_W?mPg6TsKeFalC=Xn@-3w>
zxaQ$7KXYXVFSX@6dt<0VpM@JWP_|oJni+ibQP_*wehlvbt-h=!;uL_pc(u+I4)0Cm
z><al0g2}vyjf*(|q1hB`D{A%5j>7S*XN0B(*~4grlkLms7mv!an+g^*6i->sHO9fG
zosDa6yv?rTeKpb6xZ;onVJ6c{kVl!#j;YrA)>ceSTpkt*SCSGIzX(^oNWoyi$d>H7
znMa4UD{Z50jdWdZMZ|cI{VL<@=14=uTo=lX&&W&?LlBW`^N2zKgQnXX4M1*vwL?Go
zcUoQL-zjA=TA9keoz4Ju=%7ceYDupvJ9m;P_1CdSvsJ8T+{mU0y32K9OGo}VFyX{b
zZAC)j=v%M4kssGY(BbVk@YWzetaU72_5D#~ON|Y)bk0;8V@^i|eUAulHr?J#+LKq1
zGW}{kIi{AFwzz?A9CnEL7@~(rxE+P7o6|&g6n@n_hu@IzdHUsKqlsS&42uK96)3%R
zFNh>f2w9we5K}YgI74*~3q7UxwA3qqyGNfO`+a>C%<VyXr1x)@TXFN1bor*N=sXy|
z)OP#vDQJGeNb>hmY*PNDmPz>&!uI@0oVrY?{~_7g2se=|coG~&P_#~Pc<D;IXzO)Y
zG1Z>``b$zH*7ZGVe9YjiOIq6<<3Rmo5sH)!eK$Hfl|)}W1qaI9`wC|16qQdN>_{no
zI+r7F6!r%TYUb3nXJ+>j2I;Lc{9bdVzJu%~V9AD#?b~lnJjA(uZhOJ};o;IiSD_O(
zX=fCtJ2z=3jM<sjnT+ZL@#6HjW0zYC)8mevQtsHcbMSap-7(QbQ{1}{UjwXK1B^JL
zJ3uw~GJe-q1({jakYwHB$*!RpN9*!%mQgvS3=r_3*mR3=WB4xszzNiUdX$6uzi2he
z@sBn|EC|W@`ksGvvgbEQE5k<D{LiAEireGY(WQ#p<Ja@)pNx?vanqgksd}NB+4jw7
zmXpZ^hVNgd=m~>ynlAQ(V&65@9gR+-?}n$j6-t5P4x%jd6YBQaPnaH0A~DghfL;f6
zR8dR?rId-Ml47E}-Zl}nO-L#lE*f$}1f{F*cJOB_rkke@)%7BAz7<NyKb-L%7P5b3
zF#7a&r2omMcjl90Ct>p{I*PHSnsDAf*lt!$(ILrr6HMIh2#1N2Ns8Wj>%Ds1_XA<-
z#z$nn|I#ySYl7TYn6c<m!Jr>(JOAQfTcovW++HDImOUfrjz9%&%PEt`?OhGDjuXV7
z{a>N&=7CmMdVNmM8u}LW`##UUql01~M^~*CmZuq3O?;S%=+RlYT%w!~#J|pOVYb9L
zyk`}s@Y|aIS6H|)B!r|XMN(`2uN}v6&x(Vn2IJ9_2QIWDJLKy8CCZrpz=&?NLt)`!
zzt~;StR`DC@6zF{EqrbHU#pR}{GQx&vrWG#c5H34jlL;!umRv9N;O?D5B}lkTmxTT
zFIBi?m?izWkslm-IkoWa_jl}WH`<Cr^6VeJkE&rH4pj!qiAizq0Ar${ll{rS(h-lM
zU*F>fSI5xi1B(L}pb#7w4#=s#^>kB+eQ>5jrKtFi6;c@+MQ6l5pvEh)Z|^J{M<J%S
zz!!=dV_3XIVry8u!Fp5tb3I?B=gq@4+CeJtFp0#`O}?)N(M`%y?Cf;y<Xvqj;Qki_
zi}p6|nWjnFyi{1irGKG9SX?|(9lzJSN~b;&7H&{<A*b1oy18Z-+hg>M7Y^1$5yROe
z44!sX-4~Dl!`609h5Xf?f7moHQzXuMghPrjOdDo4E{YY0HN}-a=KGI^AUk{u#XnLy
z@Nd#P+-Aa@<TR7Y6c|Zf6WCf5C>?^MRxhUw$KHvfgIG>$36JaRD1NJXq@1F*XvrJd
zPiX7gxk6uYR`c+V{0maF&Ntt$L3X4nLqr-bIv#1)G)w0^9A@6Co$;Ztcp^&38StVP
zN;MDB)!J`0x0HpzlPOx!_Mf?9juK?u;YoXV`g0I?foCUhRuew>Lgp#F<9tC@JvG6E
z`-|b_=`}mx!=`7<Ip%NazOH(fqwE-J9`lJHTVT4>xfV1Oh%5{)m^GK85?jPL)o0S&
zT2Ejyi@X=PwntEMZVlIymx`V1$R=S9gUMPZ5bs9xJ6Sy*I@GNm``N5(9Tj{^AG_U4
zqEo6QQCnxra1F`DPV*i=cK_bSAyieq-G2N)7#P>Z_1*?2hkW@JK-XtCJ*Mi^M7o*C
zz~>6q!2&Pcl)>`fWQyb-vSL0BYU~U{z5YGxIi^Saq`hEmr$>FF>!b2plYh84c6nQI
z?BYb|9W>+AF@tBEgecg2bA8Ar;T7bXvY1mpj5svS>>3dI(Z90GBhaD%CvFqazhWRu
zpwml8HY0p*WY-WKtZw7qs=cl?e^>G3<;Bw%w`QJvqBRq>wx-t%nz5xewZZIf0dHLX
z4hm+EVkpJ2cfp+57xFzp-zVQyyV4%H*CjFGoLTk5pj#FbQ4<y?LK>)w*(?-p>?H<3
z*v6&cuuBiI=VvP+EVe4BM3mN`pZQtwGFTh?jq$2}Ahm|ItHa_sb>z@=w&xeS;-?d{
z*cCtHU4p`1m9vgm;e&l)Jx7#T!v8OD>DzTDuFLh&p}u+52^I`*$*v0K$lf=sy_2!}
zc7yDb5=J!3vp)tb&DoE3RtvxAXk##u5z0(>YfBANeR<}E!vP+Pp272gr3S`XQkND_
zzr6Ux-`e*9uQ`BbuOVI(fP*?bSLoJGYv$$JXg<-bGvo717PIUV_hc{A)g5G?BSEol
zFaIQdn&oCvcN*B)uO6XE)MmaXT=IOK>1a*P&cEp#hdqy5j&;<sgQ)OL=ThQ%WZQMr
zF^IU#bNK%;&r}yLkz=%I<;ME);|=yhdz}sRLk^`}KN6oR+Bf3~!n71I{a?ij75j+@
zvN~l0*&UfwP)H~W={CCA3^IvWSY*GmarPLkMPiHPG-G|yF1Az}zuQE)pH`IfE_K8n
zqsJ@cJ{Lb?UDQJ)YS0Z6{d5iKuFV<E2N(?=!2X7#poB|*=3v9b>@hSEb+Pue8j?mw
z3URSEINXgs)6K%c$~NO@=(hPLF`o*k4nSj;d*EhqqY&RtaFk6kpXi)K9%h@(GViz9
zC0f^hV5Ih1FkY<|Ew^eN==yH7n8X;)W&O>~OtbuBaMspQxTcp6uLtcY+-PL(wGF1J
z3-be;+l%92HnWwp9lk=)vc<c&db|kEc~NSE+U1Ej(L!ceh;b506`{Tr=v1Ke&Mkse
zw*-_H-kmX>0|F?Yof0Ha+A13b`fGn~x2%+s&=H2kX$|3`vg)Hn+gP_2HRSKlJoyAn
zmsLKPbvR=#PJA%E=Ci@9R>IO%w1lINZ0-!QLy(Bf(b@TuM;6Ae2ysGqe~>wixW#wi
zUTLAET3k)M{u}%w(TVivLxbF81<u5^TCT%FbrUc^v(NxGY$FN9B8!IJ=!V4hTY;_}
zqf7Yl^8*XCvvKQv>RdFCbSX7By%rC|I-ZBii|@t)g|X0BJ%sQPOBIf*p8m&b_LKT~
zHS0-zuRq(VYQF2d1k=ZNI86VOb-_9pO@(dE13GsHnHyj;S`RzJ;=$lLCzipiU(iiG
zA=b^Wb`+$!wTeJkmK8Ro=F06uy-6RI9O(G|c0?xffSW))QuNG-6(e3My?wKMBt2jH
z7r#2we9?ZNC_Te(<(ZpTjItCW+I8fg;vJPz!y=QLt}f$_^b+#&C>(O0hHdN2m-Bjg
zD`Shb67s{d>2Zo1FnA{_B1V{)D5&%ooZg>I(XVV)HU)WYr8kxCy->oBVOU}paKO0&
zf8xJ3f3I#PC5|z(HLyP7!1%I%yBA?udduJeIR@o^6Hb_;M~#Jhy|h;Kr`z4^ev%5J
z-P{!0Ixw)g%q&Ol46}5)sMAbyJBDuwXI>^Vd#g>zWKXfYfI8G0(_`1p(a-5?8J{ZY
z4^PRYRneeM^Zq>={Cz(f{AoWLEWQT~y8b3qum}#SV~Piv4v(nOS3td(e-!kd0=EKm
zIMcy)a3sK$nac3i$%nNbrqyBZ(g|Fr;P|3R^=N<N>q(EqfA43Q&I*9*6hZ(;RUTq{
zW<X!b0v3JOkV}4h*^tGJO^Lf{9K3aMr&?rDD&4_N7}sLzlo<3uHeGJp0XfLZ#z@RA
z`$qy{p=$D*+N&qOh3|^V-}t<XH8mP;lpbFoDwQVk0YcIJpkcrH`9#0@`B4A)G5o1w
zltK1atO`|la+fj6e}`B9K01|Yv|dL0(k=5$K8R(<Jd<xlK-<!pTIZ|5(w`=}nV!u8
zOLY6%3if*J0S>WrPbB)fpWO;f=-<p`zL~yD<HaamhfJ_Y6!Z&BF8CGj5SAbtfRO9J
z%lQ9TH~=$8mj3#5j3+_%RqMl9&0L)_&D*5H++Ih0C4K-D98?0xh?h(YM@9ighq&<B
zq3&q4BY#p;NB%T44hN5PmX0X4PD4q-duJ1dlrizUR<W&XecPFSs*(?+zT@Y15UAO8
z=D$b(H}u1=U-!eWOZwwiUnZua(!Fphh&1<AFeCZ|Q=eYDYmogJolURZnwz80PkJrq
zp*p}Zd|4`?V=X?9rxO5Q-18NjZa#Az&SJ?`6Rk#qE%R^7EEBox1F1*;t$_t|%qF-J
zPC<5Onl)I_yRXE()7F*VbzOx1I@k3h4|V*~K0)sCV#|<HBN$F<PaDePekeKVKq$#3
z?f=B*7EG@zPM(rp%ZuQ<@?C*^LW^35d_5+b@(rW+XJ!r$UxdAZgC6OkC&4jSw;VnO
z3p(r4Yp;~J_1hr#GHDg9%^F09-h=cm+gy$mO?k6F;|a3Y(qJ`ma3n)qe*}qUtJgq_
ze)1aOVGOAZ(}KPd;a6yq`=zqatR<^x8=HyvV6l!@3`9Zt1C9ni4;c@(x@a*=rU=(R
zI0@BG(f^K!r-Vgx52X`uTpzC|^WZ6Ex{_lVFX(Uti4XHx&(W5gbDuzpoO6GSUlb3y
zJ@^%4-Y~U$QkRuLBh)UFfhNnX3F+Aa=7MVcq$Ux6OzttAhxwCO2v2B;K8R$IP*$qd
zal0oWs(2Y4P1pO&GocoUe)7!T#PyeFn#8dUN&gPOqT2<v$}Pl_;QWt)VbNgzNjmXL
zi|fRJ_^gaOaVx!~qFj)hr;6_5Q~bz9)zQPK>-D&)*R`*!pogdVjwX{_rtkja!BNC|
z<H7!Vz435rpcN?f88L|5&B^GlB@`@ZsmpXv83P6WoX=<v>tmKVfX=P!-&OQbqUV{K
zLGs-IKh|UL2pSzhFI-N!gN{a$GXctD`#YdafKQp~TrRo0f?&Z|-{`D|1l;O1u)k<9
z%@bnO3!TYPXxF{b&nPx;^o>%<2OKja=CBv;D9+Y7gzOnQii>p?ao8a`3(CLMQM^%S
z5*@{BbS41_Ov7kN8A5d34N-x?+IfWRJUM{C%ES`$tU_kz8Cn383^`CSJ5MZ|2w>I_
zg1dJ76An{=<tRk=ZFZg^n}4(O3|kby&NB?L?Qn+-p?fp1ps%)3z4?rd<-$31#jlZU
zdBRZ_X+&Y+x?bXKX>_I`g@Op2{bz$+k28Y<{=sxZsuupCvE@=Gj?_P$ye18<cI20I
z<S~n0g#~a2dFo3Oud!Xyr|6Xi+`(d7AH4x%F}cXr7<hp<ZM1Ec^BL3^S(=^xl<^b$
zkvC*Ymw9nYY2IU|ui!bd+tF{6k=2h@rfD>zGgJ9-N7R6OSVy6t;dMB(myW_k8k<vz
z<}XqSr#R?o5o;*x4~i$(qDyG-akdd}*M_X8rOD!)-A^V{Lk(CJU3Dd~wLKZxKJi~o
zm^Yv@*J7K2TT+%Np>}oobkHn|{Mn%MA~@QdnQ#i&p;N#PG#jufI|VcW-A)0~b_CgX
zR96Ky{f|zv1Yw&E!0h%Ht@*pXzVm7Hoo}%**qzx|EUO+`(5KONzSWBxMq<VLc#)y3
z?R?i}KTSqDe~~6CEM8~RR$MfNuhIhZM{VyfDmvPi0<K-}XE2^|3Kk4|i;kL#*EL#g
z<|L+cpR49>k9yGqG1isw$(!9_b%)X2v4zgZxnh6B`)_iW>=)e$Tu;lR8oaX=q{X4U
zxfEtf!}4Z4h@woR?kHT|OD0V8ggmCXp|_V24!w-hGh2wJKP>lz(36S>^4j5-@X|ZC
zm(MV7MS}&6*%iT@C5l1(%D?4N&+0<Sk=LaK4<iUi@XYTG>K!T6!&`^&4~ZB;*C(WJ
zsP`vT_rFIyL%W2+Yx4ha`tjI_zaB>*PDqzH@z>F3=4tff>9^1yIQ94d;!IB86uw;k
zJ7ZNCZW<Yy(W2icdp~BUS~dOdtF-6e)q2osZg0<fQ8QHfmzmXeHHPQiuJ4NDH%~u3
zv*Ni+be~ORG+pPgI51p+QvH>zUx~?^^e4c*K^%Cvt%916_3YjXKNCW<7iRU^&kqc5
zm{N`ye<plVahyGLqfD|aVR0N9+9P##HB0G~yi(aRCFM|%r!%Foov8MC22+OiRx9`T
ziIQFw!yOa{7-ClFR=puv@tnmRUhFWVwKx+)vUQ)GvDbJRNRFi>Qr_%etI~e*&u@u~
zF6JMbx8Rp=1(^>j8_V4AvOU=3Z1>EW(v%VB4L+RZ)B=sz&KBD<HbTtdY-IfYLF2(J
zPVe-#%1X3gBQc{HH$UcG#q0ToT_Lmxvi~5r&xvrF?LK`@g^i5Pqbh7<9_Q0eNV}Z1
z$woWpyY7^H!+rJrNAUh-ie51u=<GXn6Y|IVxGkerWT)teel69fJrW}SH<gf$c*oVP
z+x_B``_x`6d$Tmo>P?{>b)bD5X$twL)w#CD{?WZZoWIW<EXC(tzaSfNM$hqi*M-Ds
z4XJwD^mJDrSk!f5Yv!HpZk~c_@1~RaN2ek*qbk~a4yeD=M7smrA&HH!J%0eglAX>T
zfUsoewFjVIb)=F%poyRnPyPU`)EqVB4;UUj1&Fj2(S<W@MXu#nTan}V4T~HMc%e$&
znN+y2R~;xUP)*ni0|${6oHoerNCD)kmTi?p`|LM5nrDXj>zmVx$$JAKD0HgzQ?xqG
zI;zlgg_;yXjXA4{y4pw264Oql#E+p$#Ys`y;;mW`+1yn!q)un9gXreWb*2(%Qr>9<
zkS-6UdV8(&P<2T6$1e7r(iO6}W1XR~<>+Hb<L$)@)p&c+nr$yG&<fmMytSU6(j;&R
z(*mAvw2qo1Ba_oS9sn4|QD1tN2PXuG=pJ?~0?l>+BI*U;62`F~Ayf=kgg2j8(=>#n
zdX7Gi3iHcbf=ia!4nBOalwLDBd~-SPYc0JJ(ms(AIw;OP0ir}l@n!AW=HP~4!I$bX
zOQjSz?YB`YY03IrVK2i{ecp>B4V3nHiKZAR9oamxeU!a%lKQ4LDqp$Jafid|HQjbw
zf!(J`Gu&3#)vq6gkz9=2y1j7uFjY8eN<DtS{bht_ctK(~vHa)FpU%5o&6X{oxO!LK
zBL8SBcvj)^)#S!BE&D3MIcNA{XvQabF(?~yGDQL5TMc>%{`Gt6^uE0D{B24k;{}F&
z+iPEfV4ypeCKK?emrA;`q+NN%PkrMSMZl{>X4cQEL|2i+PMLmT)nBd-#JZJ!r%Z?R
zJ7v14pN1>bUx}e-2>L5AsymoF#u!n>dBB4s+&1uD6rX;yb|=ll-xOiLMeAycu-)wF
z4n^2UEdWioGka`ZyS8MTnTEuvMU#8BH~*c<_xQp!f`j}6Wk+Dz=ci-<Z&vB6u-Gj)
zxOQ9vSIBM)o}wVLwN^J!WE>O`r*|qB@5wL9^Y7^Qh#-5Ye$NcD`|9_oAba?y`8_+x
z?x){9gY1{}OSx~*kRHc+XBU2X9P42HehRnc`rQr2qF-#=FXxu#n6rZH4E=r~$ad=Y
zlbqD+cNb*!q5QJ!4&pbwx#Hw<X>k7Aa3yiK6eOrN@8q`_{==v&y=K4DwhMVLB|Vbq
zZo)V!eDeY9qtw<dl#|B!dVU4E*X|Kr<Zt6z6cos-LY)8)R9{c*nMzeA_DqWd(_J9j
zoK}E8#FVfnYi5)BRCt~O{3$%&LM|*k)Su$7bwLYvSA_4Z2ru_x*idunXFp3Mt*Jrw
z@olKaOIp*Nl!l}=t=}1Q=^Jq&*WVypmy~ne^hG`MbQ{h1gu1jxx%7Ox!cEbJxK%fR
zq_jrXzwMWP>N}im?zYmiDoSf;BUWfR(SZ9Eom9A@m)J>#YgY2pUbv>jkFKpY>Yw^a
z`L}gaGkg-;c$8>t@wvuo*O%Kfw=}CO;QiZysNj}n)c~XUl|H=*p)n7zXA*JgwV?Xh
zJk@AKxCH*y;SB7rwi(qKdiJ3YDw%Vfdn~YZkiE?U(CEz;fJTq90I0dIN40y2Xf0gd
z?ATL~{gP#XF6J@=>9r8fel(U|OU&LDfOLLjd7!!PSpZ_2V*#k|Tnj*UGYH7+_Xm)h
z%pe8GaFhda>hQ3rb(!Ob=^e!j4743ZpNH>m@?x)ueSB#;lOwtD6{-shw^)+aP|XJR
zXuGcs^S4;tr5RUYsmS^_oi)L1Kc)q<nzyckCZsi|bBHR^677%13Fv720<+q5S3u})
zFZH(<e$s3+icqXM(G+Rz8a4?jLm4FcONJQUo_DFrrFoUaujgqLukT>iM|UjuWW)+)
zHfncECi)gT50FE5k^Wy;yjkK@YV($YV2-X#R<ri(@kGUE0tZo}oml9tIh_g2l^T#U
z0k`7medA!3JQ;hIA1wH+q=NLjAkbHdCIkk_ih~d+w0E6_z@bru#=Dix?B#AleTbJj
z&!8v(Lf=$rymQJPT3}Kq#|x|PLKhn<JD9h%RnNOoOOQQYs@0VAt<J98mX(}cyr?=f
z_$!bs>qlobv#g1E4l--rAUB5^I75E{t)$zRR4<)Dwwv<(m(Qz-dynN)#{`K6^|DXd
z$S#dl%9ZaeRRKB!R9HW4kp!%NteEHcI3UbKwUws?d6P_R@o+XKGlPoblrydO&LY6=
z08&rp-*nahPWn&XuaP{!?8T-4eTx$v@e{kdHUBZH@v{(%LS;P2z0C3h_&Lrv80gZ$
zI&go}M;g}Y_{`^Fm6sHnyN6J;C6!2u403<wvn)vlvwyE-Imr`_2Dw|9wCE65coFZ0
zuTnX^4!451m_91tC7i>u!)R{7XHCF1OUJ=rDrWlLOgQ?fO1sOVyumh=QsAuCR{F(`
zx>32M@GLqyH(d{9O{0{5)2%-J)SUfQoUwWnn3m|2sU~UCEfjNmiPEAX0bjpO{F2jt
zMqjGEKnUxIe<km-_=|;B&=x@nu%y+nPWSp?2q#mVezl9B8nurTShTWX;R46FieuU1
zIEh>i6fUql_&2Cm*zq|zPq?62EfC+Ru&Y)s6fW=`mluT#d^hDt!8J*K_B<EZpa{1p
zY$7`z6{3NhMKJYDW}}WfY%+C96z#>NJNitBYTPFcH*;U43=}+!9|UQ2PxSq3>>IQ+
zG*LQ{BWK^lxsJU@sVsHAf?pCDt!ATT`<MKiH!;CA8AmNVpA0q-2iqae+lSsqoT#ST
zQB61ZH|nCBg*L@YrvldY;*G)v9+8{EPpSP<zkyMlLoCa!m&qg~e(uA7u}Vlhr9lGX
zFLrg?-z(Tp@a(rBES1h5woj@lOn;Ocz*`l<$Mufsm2{ldp_i^sDqQZ7=`y~&Hq<aa
zK7Oshl@3#Co?1J}>o}cmldEy6B3Q7ER>mu7G{$(A6OZ&>!HJrKZMVlW*5dWB^(TfN
z9iW?Vx+DJ+LyHcNg^F(?Ui)*QLXbPzU^!PP4oH;-NQJO~R5g?)|G>+>Iho6NTd1g+
zw<+V*Beh-3F)O&`_`+O4QLi+9_*Rj#@ZgMReO=jSc!|<aP+MUt*TkOzw$mP$^Rx~%
z?x-~egNLetVnnxxCxd5v0>`E)7&h8#fHI=@pcCSiNi-($m~OHjIERWL{s}>_Nj02U
zfvn}~64td9rqJ^hsjb^kwsTFMb4wEYb((Qkb$C@NW%^WPDVF4FX2a9GriIwVbo5;8
zK$tq$7mco=NCM%;XN&-HUjgEf>e+h5(qFnqeCFDHg;k5Z1Lz8{JOkhrt3^+hVmyQP
zXm+m#xpDjc-Kf@Mg7j{$Uk;eIC9b`=iJot5Jr8nibS*}sf4rjpxy?p;B+J@I5QpR2
zI&92>-0!skF>#WoRdojiaq<+!>FA0r%=BgK-4ICA^f*@PBm$|Xqx9^2T;P2Z&V$S)
ztFT7rl-s1ek1&gqaPYylpkWfelQ>(ikLS;8z&wi41(@$y&C@*svHJx3e&w0*)t=g}
zPSy&MkorB0{PFUjwZy28_~H5x2`banaQ7Z=r4pkxLZY<zK}v7aYKzH#WOHLIZT~%i
z?3U*Filp*6{OV6(jaPpPrxoC@^z1xWpqmdRT&Y<86u#C4Ej-_cOV?8%Iu5?z1ii<>
z|6oDLBied{Hkd7sx;Nvr6#93&Cl<AX*^-3CtF3OqPo2^h=;9@|Bl>PV>=m|oKEI~4
z=-xsB<gObnfHeCn3rLt{mo=W9h2tL3)ZwriVAR|?+6ni;h2x2d#?uWaoQx*qo_kD8
zRkx)Q8Lm20)qChoY^r(%CIauV?}*XO;a59-5odSCs`2*3U-Mzp;?eNG%@%!79V;f=
zF}LkHeXb+t#f(_kH#O2z-tW=>=vXF4ph+Fn%93x43*g@f%hmod_Ywgnv{p*!rWBJp
zICV&R&DN=d(rdO%wWrrCO&!gf^Qk?uccn(-0w()s@<*rhk5NxF$nat2fa1XpAHE5!
z(=+SRT@O;}fb^OxQ-jiLe%p0NC0&W^jJTqoN!plMm+Sg<-#_W&r-R%g7zZ(g{z%Bx
z(RA7o;jI<AoO^@w4^u(9^-&?xIpmDSN#KBaXm+%d`-W9C5NY-pR}uZVGRW>^1%Dgl
z+Eqw04nyp^K0R|Fg6-!Nr@I(lR(ZZO`D0Glc?H%K&0(zY1p~e3S*1&gj-Jv&3iP|v
z_?2#g;B*BQn5sbOM4xj$AEGu<h5i)YAgS)_3v~NTS1LDu8zt4j6o@W+Az`T8`8blv
zm##~vHsjs0rB}4;$Lyavc+9@31L5u^l2|=@`5CdIVnKNHKrIB$(6y$+TT)g!gg9Jl
zL=y|c@Mu>W^-|R=ofqja;THWqmHKqHJN3ip_7?&4xwUDxU&{TO&tSnZb;Sc6)?C7O
zG+l^#F7Kx2eqhNH28?0Cw04bQzRp*cNtR`xS;0&g<V<g7o!zJzH<2#8r*aPta)&DS
z$Mvx^$Zf#~jiYVfni%Usv@3BVu;o}+I_~<nO=A5HI1M<&lB0i>tSg|zR;uV>Ccauw
z3^F@YRrF`W{;(F(31)Sm!~mIs?8hwt_d0|?_O1=0K2jz-V86IlK>ZHRdGN>qXk})M
zSB{Exm(}@c9RrE<iLY`raB9M#w+E-ip$*+vN;|aXw?X!K0u>si+>I~M{a5)Xk?W7R
zj+OCs22>Vra{pjn9h4e>LFz-6YRY2CW{XKpiof}DGF(pv!SucxW6^Ffko5Zi<lHNI
zK?<*uLt<XZSA{qv#GX%-{uJ)EkXF{?b>j0aS?K73%B*vd3jm!+9j-A3O_!-=lUy>d
zCFhhwMy!%K6L#Oli><cO0XH*~8E5dVhx6p9Wj@ukrq8a~x$DFH)YhaL<m7M6W%!0q
zpEYRR&Z#e%*`JW5Z1nenf+1?LUP_lvx-G6YUW|j>cBq$2Gbp2|ZgP!SQ96OoXq6eA
z%aCxys&a)^cT(ZUk_v<DcPYzgMgE*k2id=&+b%2RwUN1M1KRF2(sF}?kMb+6eZ+4C
zp2;yxjA!lnW6Yf0Y{d$*d(~bA+Ers(JitgsQEtgSLZYi*{?S@JI0&AJZ2S>^CB0p%
zj+^=~*1KufTfwVM2sn;7v*LUWX*?-r3+lyI#j=_$+cS>8o8nLKP=vb6$+wf1P|-NK
zfJjM&9MD|slz#~1*|Vv-qTT2O6d6eDU)FLhTtuL3K1WvCxj$M?C((qNrB;70IZz(D
ztj=nsczDu)R|1{OCQS-P;bz}=1+3+S+-)GIQw?T)2gK9fuBa56b~$t>=mH<!fbMg>
z;i|*6l|zggnUVf#v~Rn(s%`X_iR-UMizJAbZ};p@7t12kt27mhOybg;)oIP48<~V6
zH_A=OMgObJ(PDT~SajS(eBe%-kLj41^prk1%OtAoA5dXcBF51wvpF*pjoVysL<f-5
zbIa#T@3LcnmUG{MZAZhUKwHbgF&wDdP9#qs1uIQ@)JmSD;2o}D_HDK>l|8-yH4F=l
zi6?Ad{K8^VRt42-b=knmVvK;*<w{%f4@YO@SD0ugC<G#BO%@^r3ue|84|gW#NBMzY
zYv6Rq>%#qzcSE$iNjz}1IHXZ{qnV>O5Y-$DGJEcr*KC++)J4l&b~ctjA+(`>iN{b&
zOlu-y^r?==U?W~;EeXGY0J#G0XX;W_3#!dGm|X8TpOfAHoN==IAhJaJGg<MfAT$$7
zCfn5Ie3ZWMeVv;)!7%2Xb4Ung?EsEcOuX?<J);co?3$4j@gSH-!Y28qc?;Rtz!KgT
z-O3?_S57})8p}!|+-)Q>O0iKf+|?z0!`=C`8RM>1AEn92Gy!*sqj4Xdqmq6d{V#z3
z5n2)O)3hJ5>(tooG4!5N%lQuYw?o#^Qg%-cr6(IoPpK;&;!s)?s_9TkcMx@f4{rda
zT_%U63U3rk<MF!9p{sqPnIri$awsit4;w05F`sqO9xnS{$j48sU>%{Egepe)XErtE
zgP7TW&>rU?R_yoMH+~U$IGOW<P_k&w??s~&rAY~k{WhnMryVOjPKoT$r$;BeT$K%3
zNpz(n#cK_~7Z{!RBgK!N=ZgQt_O@Q3;W=PJ8Y)-XbuNPDhs$*zspCpdDYTI$PkTPH
zYX2!7f1B^vSgYCLht4-Q)S0jd<BN;BI!hT}zRved4G2p_j!Dmi0j2zfBHB&${RDDE
zFQP8drgy{pf?NrTigHNi;o^!t?|nh$w@Nsi>7#Hu$j%~ES%tJ!(N*Me8}lQ85R$xE
zwQ%D56FSJEP_my(d-<tY7We{YZmZW|YXBEXE5*Kwt=`DT-KOfnWQ&vrFwx)m%s*1C
z!f%T#u1fY8P8_1di0<@S&b^!le<$K3Vz;g{%{M>lCO^IWEJPJlb2F4_8;gBzP*%zB
z*k9znL!;3ZE5K7&62!i)bO74aXfHZ+D?0*<*;_F?5z`tQB?q~wNO!@4!)v9EnzaKK
zFvh`ZEr7`UcLZ1Dv)mK^&>DNWQ|^v?6c0Qocp(Bkf?5GuIZfXz(9V1h(Ej7Gs$O0P
z;F4Z`ls;K6KWzbe`62?ddO3<-R`jNgQk&JA@I88SFumFMtkhS|%KYo%SqZYA1iL+`
zy^#<qcP*s6J^MhcO=ad=^QO)8=O!I;&*F{0x!$Pxw^Nfz&b2~E@rc?<`OABW_U9sh
zVwe)O-SJ%Yu}Hf+tgAX5fq$V&jn6~kqq6J$dB{)fR8Hq2+WzZYM9NsM8^Z23sm4Cw
zY`3zU4JJZR6k?kf4gGt9IE6C}Z*+e27Q8wJK$SWfxk4jrP!|j1O49sFO-Fd8!u2k^
zT46hU^m&|8+2v8U$!~eobud6toTI8lklh}X4GX9C0xy@m*h=SL4R^mk+&uqjI~K&<
z4(Zjwp}H&Fpvu+SUgwv$?=f2yhsA+uc~xs4V1|UDE&;`7m%0ZOpIz!IP<(c&+d%Pz
z=t59@cBwl-@fnP+1;uBVx)~IoUFves1<jJ1bw7xcCylyup|EpZSJS$##&ul{rP@E1
z(R0odm|>24lyqR^*iG4T%VTPE!aJLd`oF$5u3H9SJ3gX`pFNFEv~fm={e_N$rg0pE
zy5v0e{nf{W;|o`4qJ6XeTx&$PKM#zL2RRPY8>lgLxKqNIeB5E7(TY*V%;RGe+w^In
zkS)?B<4vOX31_%fd1nCPQ7XEDa5bk-UBEZ=SU#wo3A^sk<&P(>x*YaS=&Jgc-Ho{Z
zWw#~HsRj>x)HH_!Vwr6;-_bj3nS@Fsd;F9<N?h~||4<G+-ge6Oko!yrxq<zv`4<xx
zH6*#8)n_fA{cC+3rClT!Gl{9j-ryRGLiQQf+vo(AZM%C_`t)fO*3|~L8^8_|3S4GL
z*K4?E-k_N2EA7inEW-`@sA?~^Ac$MOV8MrNrlmZP0)iV`?}oKKVP+YYA4}wwN{sgZ
zvG*qMRCV3s_%%kEGK3~KWz0MjlE{#2O6JgTape}S?!Bgrk&sH#C=yDA25HiuG@wa_
z3~7=mQ_(~!{MJ7AUL?=+yzldV|Nrmr|9_wRDf^s#_FjAKwbxpE?Y+-h2M&<2CRhQd
zu=rO@4iQIHMWE`KJvBDa8nCT~<eB+qh`pnFjgbSk@i(#~wS9!q!QC3V3DScai#C9_
zFyr82j5#sU-qLYcd3Iz%y>`zapb-!Q*Uk%9ztBhq5G%vYL00b(C{Sj|21<*ua>tJU
z`d~8_nO^82i?V2I;U?U7JcWnAqZmD7<C`Ii=>pA+8O(6_VA4@w%e@c+ID4?(J;{N}
ziPa4Ag&E)ky?X;$7+*7wj>;ixJZl!AVvm1$)8{zcj}Zs@{&7CCU0aQqZH)%iQU@?7
z7uADYW>Bpe6Ervp@?d8_3tWxSj=Er+EZ`3N-z-m5akypa0Qf2{)5!{6_=A@d;+r9X
zk!y#9b(G0mt^yeuGsD>TU6?ZyY%fA_*6}9uT#`93=825sPBgiqxdu(1jJf4J^W_5O
zL0z2a3y=`y*9`NK$Uq+?6ZuSIpRF6&N`4KN4YISu(Ua})rv&!V0q}5pLmA{Ohq<-{
z^#|qLMLCNh2WSCnAEhUlz{8a^T!Hn(f!TN$pfqMZWndRA^wr368m<LEVDw>t3KGCH
z{{nBXU`GjX{?r8Mg6@E;Ohzt;K0e4s{}$Z<ZL0=B9&(Y0g|q}rG7N?ff^imdqN6xr
zU@`$doN{onbX79kckP5{&}&O5)m8TEp#m+p>pbHr2}*XLSO??vk0IoBn8TkEc!?5g
zQ?vqd^br=Y!;j^#qZ~!Z8JUR~k@sOH!Xobr#`V8K4>5BJ8D7kZhc&~DIcLVS2Ga&(
znq|M3VwgHffp)>|lWB^vSdXbnfCCxU7-pjVVv@m0;omUHDx08pE{w4O8gsy;3M0nB
zbi@7v@04_y!xCkjFuMcE#tAb4vc?OuHsmqiYeeC|7$3jDzP^QyK4$}aBNyErk#M~5
z5&R3w5%a)Ng_${)vOcG3%lPtpQqoVzMlT2@Lz*OlUI{^(GAS0>D`?I@3KU%OFmYix
z9AcMAus1mkzKj5^IDyTCJmQ?dUIM?CL?^J7z^x_G3G5{BYDshg8woy&l;{NZ5%{zu
zI)QBj{w#@3U>6yhn<s)BP;4xcYqnSe_HwLYXcI@Dij6F+q=ej<ey`=R2wNzL>w1Iv
zTcA(W!j}o!Z$Cmd0E!&W!}zXvS4FWcoCjWM2PMw<)`1TC-r0sI^dU6#pkw60NA%rm
zJ9yx|i$Tw%__NRg1Q@=F5;z;>ffQar?qz)EJZXP4+`<PWydVpaI%$6eWYFN#@9?D%
zv@2?^0AJ3Dy@{@p!r)DbPv$$Uz}+tqzSfY6ikc^-UdD=j8n$<Vw_1Td(1<x(EcOtB
zz)dcXjfMiKqp15B9e@VApkgEBm2;q}34LOK2wf>RmH>_b`xZX1#-P<myeHH&>@ILc
zBdeI%bkR*zHz^kNvBM7ICAdw-5YkOX7zoBmLUvaid>;W$rZAsb@Kua*0TaCj7P?9C
z(Fg)`Jn<_a58wT`gyF4=(Tf=uP8V~=7L45na|PoYmuPii4tSd<T}?pslZqIem3jo-
z>Gli8_(NGl!z~X$SD7zjK-g-Ia+6qCGg^Z0j#U9DQ*e~i1tN|3(+I|RK<U_T9D?yH
zQMFizJF*phsM}QiUhFq^BZy~ZB)GTKRPbWWQo)Oy0`P}#TIp*Zw$jAMi4~jQ;efq1
z596Mr)yM!K0oOopI3@-VJ67}~aQjPRzwrz1y)~yAn@-^z1{1j*=FPDKs|B|T13HV5
z05QI=ydz;PkaF|D8d!e^;ddn9@aS$(3hspA4u|eQnsI{h=(|nkY}oLcvjL+pJDh~5
zvv?TD4j;#WBMOXKiMIsf6QTd5o!qgVh6(V+H!M50c}eWeXvU@>Rxg2l9N}VPPXIVJ
z_-+lny9}6`D*yxEN{X$5TzKgm-fVz*n-PIF0gs-e11S_I6g!Uwgyk`W0UN=svw=Q~
zhlhm#cM-VUVcw5k2gk?*eqrTv2G9{z8-j=Yo9dZ;i~SbG>>I=hMO@23{THOMQwZ#R
zOG4~V_9%7idmmt2BW;9&&?I5PVU?7B6VSFw%0WC~t<Vj;_!ug%MLJ+3QxXZXfeuOg
z!x(4hbx@V@WHa;03+9s)c!HXuPsdE6k}b^V*O||!!q}8!L;_NPKl~u;ebdBJR;0P_
zFdT`cMp%6#hC?*N9*c_x;8wadg0aI;ndOg`6b*oo*40GA&S3Q*BI;-;?7gFo_F<wj
zp6%m!QQIT(om7Ou>7!o*fj$Bt8T+>wH-H@vY84yr5&2*#R33&$^lc<<v57!hP!xp3
zC+*Ln!vF~w6XY8Uj9|sq3|9zr$9gEo#9#fUdQAr&P+{H!AK-Ao>ZP50v7LCtj~M&?
z!m)@~Tb9J$itex)tykJ99NQ`MM-})O6}nE3;GdKl4VWONtN_LWOn=peH^yp1V<FHE
zLQMS@`<)}m0;Jtx8aw>85@0WF;bFU<SiSi*Ch`NA$j3z?nQETAxn&r}Oa=!IHoUiX
z#2`I<1%?UNA&ybNgvEhqm<%VvW3BZVt&HJ;-pT<v7>(g<2+RO?&68kuhh0V^LDQRp
z7oFJ9apukFfoSaHmM-2E#CWe+@S><dVnggZc&B(cI*?e}jA#j~DK?1DrCS}?Y!o}d
z9w-2^h4Hswyd5A4c^rX4nCif|QZQbhk;^F<*9xs;V<x!uDO@soH*0i!%{h`rDT{0f
zW1a+{ZK6HQ?v`klVKESM{27W?76vx9S;`2D5nzO&(jkXrJn<@~>JzUXK~$7ROV;rd
zSptwO(HOwnqhVVKkO;AN!5BcA2?hhPGQx=6DiM?Vj*Fl+W19s#&}wJ2B#hs0CAULK
zB&Xj{Ji{$Xs05>NXioj+=u|oY9YoD{JO?`b##+x%_bmZGY&eUd2(-#EsuY;`aj@{4
z2CYuq&M{UybTk|o>5Ymp_NqrGbK`mX1(WXJG{I~f4dZXcBz|K#v5AW5{8sD(G+KNX
zvajq0(v<i?b2oM%i^wqOCoJjVJ%MUMVvRN0C8!QuXs-K7F#a^6A=p3sm^x9fA@qMV
zPb@W0>{YKZN0(sye8Vn2K~$J%D2yZM_6E}kg4b`F$M!BkU!^RihbNX^F@#6fiM52<
zW^>O9a|Mt`LTy)KsWopSp|*tppBQD_BXG5E6RWKfo50c7oVS<I-%CiWg@y?IEd<?K
zs*p+IJ@eXk@Yz|KDclDd!X^cLo%i-Gczfk0-~i+L%{=iF;0c+?ZUlU&{OBP;_q$*`
zI$~3=!8*gVGqJvay@mXdjTqlgvf3fjXDf|^2#LxlwI?J(=<7Nwg*I%9v2>85J(C8?
zGwwYd4_;bQTTr)Q`hn2-eI@{5SoAp-J6`uiVCSg(U;%f=e6Q*AZN$H@WeE}nm!Npq
zag(h{eiUjbo<yZms5q(zZn7EKmxQMTko=i>j0_ri6X}->Dv9XzONOT}g~lp^p@)+i
z=*YV}#L2^Mn(};=UC=f+2Wu0&sh!<&yH$7_3LQ`Krv$F^!TVttz-rdb)WzJ?$i&p{
z&k6zP-^w{qD0pk4e<<FB1bBOq{5?bQ1QQxsAfw-J<!y;nq92J)qGD*6Q3CzF^zhO$
zG-*bS-^vsGgNVLlFT7_!Af6ULB0*`j5Sc%Q@90ko2_SjWNnUvSP#T@&XHD@UnTF8y
z@K~ka;EyR!@FEd?ZK)Jb5{*WoLIp1syeSJ9mFT~YgxXfaE5l#ps61i+#=skGpV|0C
z^kDVRmP)2j$@Eav>_p?iDu-Bv0oceBA&R#Fa*k5)xBj8=@k8U|=uh4lNFsRQ$^Lk0
zMqRQ8z#;~bOo((M!HXuXGWqxMa-<>Zu}b0n0%>%-2MO;@^aYM1d*dgBgeTL`V0n_g
z$s{j;IsqSy0g7;<;RF4NK}51I5peoX;4Y{8kf?w(m4!0FOML`uwSO7%Z*-ghuEzgE
za5euY;Eu?pJ&77b_9S6^LQ?`>2qF6g`XP#IYE3ZSV~aD`3KgXT7x_~B*D<*sHVHB2
zGp6{{sT5y=zc)pdS@D+#W5?au$j*jfvuqXqPc^_V)fsRxDK;kh`ZAtjVmASw{v!9D
zP#jYfY8oM9gxGFGh#6A6REO1}-^P1HZV3LMtO5h*G!@WuqqNgt)cmd982M+_{1*^e
z=*>jrH+V)~UQ{IJp!7n}Nce;DW@tn|Vn6`de;uAiCsOHnBBLB8Y!k`bU&8_IJs!%~
z@ncRNzrc}~p(*@pNd0-g{us`9q<(|L(u<6l3{MXY7^4j*z@Jr~O7bNUL4|D~QT<82
zcqbB-MyB}x&R2*Je2LU`B)kvN-wSjT9n(-~PDVraJHMJ^#T-y6dnm+U*NNd`dfAeJ
zfH5(E=t1@+)5#>-M0%KoH-Yj?ljGDs&P|5Kn!#B$XrSToUZCRfm?7a!q52W&qkO`!
z3I3|^7`RBWj)BLT5nz^H=MS?koq}JWWjP-Hzgp?H@il`vfdSPM%pN)kW@K|Pe@N6n
zkiWm`$RCZzzltCToiEvwNJq@_%Sd3#%9uhWu~<oCfsUWgCY+9%7D}v0>xiDAICTvz
z>!mpLg*xze0lEyJQoL}w3*gF&6r>KN8CM#(g&K@2O`In4N^61!S!M&y7-+K&tVyPA
zFa}H36LTWfE0{<n8T*htH;j}YwI_hneQ^%KzQ#~)DbaI7U;w(a0d_|A0d6UUM#Gtq
zsbE{#d--|dP*-urbSf%fM;W;a9=W18gFOR9enHHhM5lw&qCqyaLV-UxFtI39I>8V7
z8#J~J1_1kDGTqb17{t{dP(tH`@Uf-@k#P1t6v*)*`TCADV@~lSS(E$&arR&<nk>c9
zLTPBoNOYVp*@JmSK{f(TkBajE4S+MFS%VcyNBtOkZO6o)`4~vy&wA|aKc+0|h<yMV
z2R4Vj7uj1AXN>VFY98gW9=pw7g=fvJ48FlLXHT4riVoPbECU?T&nO@OM^neqG;nUl
z#sro?BXS_M!cxIh(#Aj-4;r3`Hz$RFOn8$0h`wlc2*h*~V)e20M^zajBGL#*LE&Y5
z11*`e53~HpRBc0s$<N=5g7>08Gid6e1qPsT!W$denP}iam*9bxc+Ws8mE=#yTa&!V
z7*HiVrVg;_38@Q;w>OOhlax0y{C$aFL)sV{qwqds@neZDBAElG$H&<DW9Tqajv5+3
zr~FzHgExXdf`s?PieWPYelcE7#!C*`^)Fv@uH}5Z+3Xh&F7KbZ8-=_7<##Hfz$m+L
zb+UK*{<hbvbGm+cIKhpZrRhq0QwP>iffn{5(!kVaOx2j;l}A&!0+Z6?${T}OP4R=t
zDD)RH0}C;K<I0a}MYLLEEHChG&;ZywtMKTD!yDku$RVIQ5vB2#02zmOvq8$=7nOh;
zhN@uP7~mZUmUugRBUVXU$E6HFsHClv!^jPkgr($YNdvr*Cn>~)MDzS5)5eqLW$aBH
z&2v*+g~0|%1k^|lWX}!25ylihKZ-x2Q5l*Hjn!XRAamMsHLUh~c{xOXb4L%q_#>CE
zdt`G4Ddb)4-!$TdRc^UwSst7>cj1+k<8FfCD}VG?C(23Rd3&b(Wx0hvF3Q*<VOxw?
z`>XkO@0a4Pk<T|pb<uq{DerS~GhG>$e7bPM^PtiSzGYwePu_k#ByT%YHoMxvvU;t>
z;baZP9`!Yy=F;n=FFjbO`gzT2;(B|NV{vUqwyB5*JI~*g)?d?jC%x*3!;Nhj=QGRJ
z62mWR+sH)u_^9qFdT76WDJ9{qxqC@zl{qJUpKD~y%Dl{rM6=43bIN*41EuDqM9tgx
zfG<F7)1|9=na)m5?mD|w1}i=W6ravIz2NI=ZCTIBSI%(>_VPWyIzo%TabZWH(3Opi
z)EGalzX1WqW^Bu>PW(I7aX5(_Yqz|p)M)ub?FT%CHofLssiYb{d_C_4{Y&<bf(8mM
zbt$*jMyEzY0yWcM-uKm#)oz~dH9fp9H9l;hRD9Risj{zlj}d3YB#*sK{3(sR+Ep)i
zZYawam19dEBJBHl$RX6atD(%Bmit04n6zw9_ssY_v!@{^Bc4r__J1OLE5ve6?Cx@*
za=PSjUf-0!#<?#vZ)dq3S5`ZAwDFr@J#A3-fkJMNt!~SjmBcL@npDakwCY&O|KP9N
z8J-tmxlpfR^9$M=-qh>YBY7MxwjaB<MR_Azwj$eEu^(z7#UfwImt4sGn7vy1Ec?Y~
zUWX{b>%BwAY-gp44J?io6ckw8vUuM+-lxI9$FL3iH-5nXp3$z_(~ZNjjU}(@1&3|=
zyqan$Hkn)3cTKmBX<<T;?2gq<Z&gLFuz#=rxoCb#{3OqvjyJemfBr05MxL7ZY~~qD
z;~)<MwZzF8i>?~jUhmJn+5hb-|AqBe%Wm6NBwWqtJyfmcwU+!sYu#~N*YknxXZuqH
zHV++mN(GPS$dxT6HYv)1_h;->`Qk?_+@O779lxjY3LSfS$yphvca#wy_8iS``Fz$Y
ztYzbc0j2Mbj}nro4@=g4f7P?WUf;Cw!K-sYMrQT5D00*8PWt@C#5+f<Ciqig(_o$L
z<D-W<@81h+GZT1!=m+P?CP|m4iui2>rC)Y-h&FC(FsgGq<R#sB=5+brpxQ{4{|Wwg
zv1jtX?g-d_>p~)D+0mO@thyr4KJGnzDVQ9W+IrA+uZ@eiPG$Y(v)6-p-+fDab&AV8
zw(s`ftFYK+KH1F<#tNM=zKOlL^rc&^HP&iG9N#2j=)JPZz-WWq9**UC(iwFQcF*J{
zug_jAS?E1OG9tfRAVEAOOYywE?}M*-;d(C?{LtPQhG$!etMA*Tt8JwIt@Ng|p0<R`
zuEJAk0^QADHboqhGrvd8=jRFY&^AmFonJU>`uBlH?&2c$b{p@vD25b9Sv*?Vcx6^Z
zz?zU5nHdWub~ZfXCpgo|33?lL+RTW1QKD<gmFOhAe`Ol)(F$eNuaD2u0-m|dK4%k5
zIU4El>JnFb^iucBA@Td8yp`7c2mH?=Nm!aO+a*^eGRdj>()u^-gGu`dQo-@2{q_lW
zUQFql^-=oAzNKQK`-3d(ABTuZn6@gN7;N1-sJPtzTh<laHhSDJt>{Li{((sfRiq7M
z4armO+Ffgge?ADmx>_x&*(WJs=cgL3C70f%bi@sc^$0bj-%qH&D%Re*(c-`d-Wy@t
zdhO@V_p*HpVeW5D_M4rXtt0%J%~Yn&&oCxn(bfaxmB;m~vy8oJZZ&o8JG-~v*Q|Be
z$kA+dK+o)2A^WERQ=5ezroKxt6!D45Il+F=Z?<FD%!ivIlU+!qbQSp)zaE{FdKVg%
zjk_P-n9?KtdeFILtFfkw>if=XY^n$RUfu3638gLL;4yW3?wlt+Wy{hiTJ|CHz9x}1
z-sPsHOHWw*5LmzZeOyEF#)AvKRnGU2(p_WtoTKDhoYhqEVLsulMh`=bi^Gh~o=H>I
z$`)Mkl}p+wa6C<!)DyZ>DCAW1d&_;CHN8nn^%iq;p2_iOo@f8Yv*NScdxKWzaPPH0
zKKktuX--esM0ld)mlJqRu6HhfadILppFPY@sV?&7Vwv`$pIUqFMHTW4NtA6fUeM|*
zd+}3rO{7+de7J#G{I!hW4M9)kt1oJ++|-Jo?#WACE4xGXYo8sr#V5mtD!%a5Ik%PH
zDj#yUw92P6TwgfL`PQ_xds74~8av)g%<d<q673U}ga0jI8&?>~|G2Dw_m=HHn?B(k
z17St8dk>ZGyi!nWeYIqJz>$zW@qwpSr{!|qJ>S?lte90Jx{l=4b6@@;PR!IHE2mQ=
zwBzmlg7;#nLkW#(WtR&c=KJHryTb1)L?2d&HsSWT^h8HdtjU<i+4N*yTiOw~XBvGz
z<m?wq_v-k@cfZi)$$q@HYWCc2)wc(}1k~fi2-&^sR*KBFw+i6qis+doabn5j^7NtT
zVb_#TB~OmT1`s7Db13YZLo(D)+m(D#jFzeYX3@thozrf)RW|HfQgE-vI(>2j<tF~z
zoy%52$BnWdMjR^8D|nb=cc?&pecJI=in8SmH3<)ndfy#dV`}j>ly0#r%bEIYk-)N}
zX}#*zekJ*u^Z%~=f6+IM`SESns!8mbiU*QBFV!aNw=_4W-gu>9Y+drDdXt`wgL(t)
z^g*jTQu+qH&RjX$OdZxXCO@6!!!MxHQ_;Top5$lRY~`ll1cUplWdbbw1NO!`%xk_q
zJ@6HAarM$}?HM}trG1eSid*7dIMbyjtMr}QlWowERmIz{cQBgkjI(2p-S>G0QBT5+
zOv1RMirrLp?mKNJZ0$9t4dRt`?QZM+dVHzeqV8|+HV0BXCnxa->#TU|t$8K%xvEm~
zZF%mi9O=)hy(WA2ek)ZZ%;NLczS>#j&fl>&d|e4CxO>vgxm=T}=35~Gg^bv{iaDg_
z8Fh66wNo9gDumon)L(S5@ZV+D|G$+l=DSlC^37k3OTP3$&Ew<I?#|ZJ($C~RV!Ilv
zd5YsIw`ZgH*Eg@4_!n&z$c|pN$At29e`Lt|+o`EN>_4S5ql32x?4D^{xX>!7*?CcZ
z;&4yfRfGH#-OEqCr+CSy?Cz*4dR1*%O1rSc>4>4wkl1{w>`gD#&&nF!b{^Dz(EEM(
z2j$r#tywFSl{ZTa^YN^xJ8$VUjXl$5{VQ(&2h_L@72|B45I&uB$?IWsy3ZZuQtiW}
zMU4kJXC|fYjNBc5^~KumcS8ah%NLlv{ph|Y;KRB#3+4xy?6}Wc?6R&V^OTf`1N~I)
z78Ci;FC(q+^Y3;DcdY)gBlzUe8h(A9c_m-BUHGc8!1z|t^hlBX?2AduxsK;PdY4OI
zMtHlTbt7FYD5ZaQp-taG+U&;{W`&=*+v&{K<}S3XQ_o>5hhh*H)qdKo)5;|q`^7iR
zeW7%Dhlprf)1q?CO;_3!=SR2-%jr11dLO_c@ZPJu&!J#wR`Ai*YhA^;cZc-OxNL4+
za^!8Qi1LAmqLzCV_3A0KjQjUYda879=nT$Gp{5$1+{SO9ac89^UwNmkQRdf{OSa)}
z?sc0<6r4{{)M#!LqWs)kwD<GRkefYiVLL>hERbDOrg2j;-aS}$VdH7<`YH0V#^Ey0
z{M_63B%chPbna%{Bcm(k2{f%b{5HWihY$8vv_Dl+oI`Fc{cpFM=no#xu2Oz7(9Bht
z?!EYphqs5#g_zg#W~`wpM$Ibnx1AJw<mUUzO9P7wh<C#d9=TSzG`aTdu^Wnu4OTyQ
zx_#`W_M^$TZ{i#9p*@YUb8pO%AJ&P8o+KvWTa5n}7kurhqV~+8Hy_&%s2s5{57y?m
zx2d41#BbJ*)|cG@r0+tcqnFpe(%7(5K2#>2dNbT@^R>;pO(Hsp*Y(Xm3rIZQk$6Pw
z_UUwIYHmY#Xn%*OzgPh{D^z4F>gCVVk5swa6kC@uPbhZNm#aCHgv#!DGrlZP*>}%R
zl6@#|j=|pJL$MVHqpBZ-OQoniJ6ijq>5#C^yy{~Vv7buR14@Z^BNAWEw_*ElUpLBE
zKG$WBGT51SY30;rpBvG+Cc)2UWZUMD+xDHibAOXI|4)l^KW<7KQ#+p_WKw-fb5QK~
z4ngs{qhD7?Y4$~P%B}BA|KP(p{n!)jY?*BJr=NNYUXm|*IR&a5>U^nqwH}xE_Ry`q
z%(agMz88vGEUWiSdz7A9%)7KH`A1vW$L0Gp2Ta`_ZppvZc!w|U`wIEu{d?zbFPdd@
zapuFdMn7cB>mLM5^mjfI(s#?b8EiH6Gu`&X+~_;2UO0b^AUIoG@wmbLv^pw9D3L<o
zZRj{-mANh>F{ZVyH0`-#=(`T(%}YfciOUYX586FT^+LG3<#5=oMGI&LbLSWfWJ$$b
zPT4s1T&ZKuH|q5YK1WxQ@n(_3Vv9_)-iyZYWp(Apl=_GD@X7S4EZMtLK3huuaQDU&
z-U`p>6CO|w9(a0c&!_kAE;Jd)1#;Ql$eYPI$+4m?&2iwAR9=(SiN3az!OceoT7w?*
zdybzk?ZV%xoxHEMX2HJCk2)MAEx~T#RLS-Ae*9TGG=g*grA?AinQhZA92E(CP8&Qt
zMacWmj5N2%ZRe8NE{1tHlv-qIib{NPJ4V1+E!@$d%J+7WR6t7JkPh#q0$=%{+*xZ^
z_!{RfRG6kLKc!_xd&>}4#LkN?ob#kjY11zby%Dh2UTDyDGN4ZVYW4$Z<$YUpBGxF*
z=(odFayz}*RVgXrw(|9I!DFTJ(`j2DR#$W{ITi4ulK%38RMi?Y%_%DeE*+lr?8}=a
zq6ryX@(T0retj<I-NP-{@ZmYlf8DLNVjV5-XzColnIV_w9--DQ|J*%reQI{vM_<kB
zyl2ieSlipMhfB`mU+L=8Rm4?r$D(N4WqjEaStsQ6@V9@zuD><^4xG{bCy&2V9fuRy
z#4{x~@$Rm{DXRR-oi1wpNVTb=?G-Q53w_Bc(4l;L*241sMZK1_tv2|4S4!vC16HMd
z+$w3AZN3_D&nYr5>Z)#Jw)C`XzmnB@pBk0VE?UhQo!)P`RbT^W?3YK%`HK74uQ~PB
zU*EI-z5kTf-eg&y4ONHxpJ}X#DNJ7f>AjuXU`!He$p`;RLw;BD;TC24qzjsEM)q3D
z#@Yp6cU9F+ZsF9Aa;*{lnJ)PDyWz1468C*i^0f~pIm(C0?!8l%H>5pt+98^bm(Q}w
z*m&9Y{sOm!{ZmN6DL+?Hx7$bzN;`%ddNeHCXs;h2p0W6J^6o<MR`()}&qcSgRRY|H
z$|!z0!GGKSM*N?0xWvq&>Z{$O8Ps<P1fj={Cwo<FL-rXp?(<oElk58A&iF|g+iq<s
z3*=ryueh<WBHF}oFZ&Vc15+-aGS^w+Cx1NS%|6+O=guh#O127V^zJFj>=jWrds)#}
zda};FX2;=~%ZjR{mOIGaDvuU%l?$xBzwS_ZyH;=W50|$IYmbYl{oETWo?7war1tUL
zUCGiJ9~Aj=i_a|*ezG@rNV2Ly)_jgn$XZu#`yDqH`W)P~O3U=8J9U$QNOMcY{+a3D
zeb=r_2&5_61llcDby5}1yDmn%!F|ur;q>>-$3?}@q*-wL3I24gx6GF>9A4`!WwP+e
z;o1Cqgu5*7KeifNuf?+^6kZSg`@jDQ{vX+Y`b}H?Yj^?w?>S}bcCjo{#qGuVMcu|v
zh03WN4;A>2#U)&dcsSK(N>NLuP5xEcj_tB+2i!Sl6dH%TO_Z2^DwxZsLq5BB^STcP
zLRHj~9;s~A>^uXJkFzBfoK#%8xhEj+ORLAhm^o!Ximz9Rzb#nFxu>J@WL$cevZ9r^
z_ov&s!grHJPjI}UJbeD}xyazAcj22tp6-8JaNE(jxwfOr>%9K%FL(LZ<+8slN;&II
ze58>urJf*sX6Cg^(-gUTWk|JWyIX&Dzc{^(p!IC$+bA{h10Hk4R*B5?UBa6$X?lyh
zAmHB8A_^f(V$q|Ji>>FweccNLcX)i;U$%E~wW|CjKDUVe6`RuzXpv-P{_gq{>Tv`Z
z>GWK^p0)l!#8Wm6znObhnp-7gZ=I2nBkZ#2oj~8*$h!hU8qalKw5RPm(Y~@_{ej$f
zZ`Sh-X)B#b<%-c7j$QI#5y$4)nfy1O9#f4rJ%4V%XvVr@Gfgh^Y=0M4U$^17vsPA|
z-`gi8^|jec%PT@>Xh|<z?H-(VW0Gpn-ku}<ZVzHZGH(kkX?+;G8y{lmnMf$_OK@7_
zb%<WSc!$gIsV3*ydmWZ;5Rv$4mKgh_;+RJg_r;&9Y{Ny~Wo;{6G5cb@$}yAVSX<F$
zC(jgh-`b_0QK!0F@m|5R9+xt93G=7^_;`)l>ZeaTP54thW^Ow8EW!A0x|E7i#3AR1
z6-v|mD3Q}oSp-`wG>Hru!q0havA0_Ih|j4bl3zT_k2%HVUG+&Qp63-?os=F;Sw@i1
z6pzueu#8jJw3JoT@O)a+wcN6JAA6Bq-)Td$vb5EaJ1r!74&BUtSuY}F6d*hpV^uos
z@ufSZ{oNabv*>0IUhez+zA^a`m+F*+ZKi`~=6i}beBqzg_B~z6rs=@D1J$e7nmxDo
z{LH&SY3-(r9d&ME?70OI`W20L0}t+u2qg<uaNgNF*VegX_9NMa_e!^{SW&PcjdRy&
zgR(EdhDV-F$?==C(y8*DwoOjQ(NEMVvW|Qay2kUa@m=arkJz@A_+?JYu+Z5Ur^+QY
zZuHeF_UzhVO?+Ub@~=tR#HId6_n-dO^ohfTwfFd*3%%F!;q{!d&M(XRbiXA}O0o=o
zpSgGKS?!q37X%#hsZ+(Wf&=t7sSW9M^vqm)ZPtFXpmTaY4>=1D*ty;F`8ccPnQiOS
zcfA|iJepc~r8PThJ^N-glxBWDdUAF$$^Oa47hzk9KVGh+Y4?70;PTAsysYcle5iws
zP3oY7Cs95C-|>(?-#ki`-&-~-)=zG#6yE3MGOB3GipS)#8My)jPYFl*r5p}^s!gle
z9>Ap)lX^#e__}7_wOsyk$<^7{?)u@UobltXN;i78qoW)zW_2`nKKbT$@}otQ^l+YQ
zRn3$&qlw2leN)`)JhVe^cX?Hs^tkwmUdc<)VmoBe^`SQO@5+DSn>TCNbfc@CLNYFK
z_s_avARY96U{&^li)uu!eYLpa_a7UYXB}C7>9MP1d>|pg@ckP~_$~`C(*q5h#jYDn
z^CI`$EV}e8%zGvN5>LzL*qo?0_&G<qF3Agio-cOvUR8dg?!m~QHHWQdvq|ru=XRy#
zWSF)I5&iLla|3VQ<>I(&#lGCZ(wXPH*=?nd19rZTL>*5!?)Gc3Ff!}nx%>J24*u11
zI?q_kS-%WU-QQBa!CUH?vj537L{agu`QEM<*b+a@4U~~d-<p;<>@^Fv^CFihpJ=+^
zdUwrA{Mq+2Q-*WoF7JFCBi2UfX?1zMCfUANQ_*Q&URJIDvgw{Cl0`d@P0ZE*J-I(#
zUY>85D%e+;#=|{h>rmAzp-}O~+gmnOCeJl3p6vHtO`!C|?mO3~R~|12&Rf=ow=hY0
zHFIdIys)zOtCCaui0?o38-+P1Y?wDYqPye(iL`)p@Z`|Eb#VtjD4zaMxOuwt8^1vR
zIoEoox)aavso^eW&wW1>Al78}`mJ)MR(qb+$NF_n&b7~O?jlf3X{k19Y5`yGC9BJP
zy7f*o%I4x%#aDP-Tj;r}0rCFGX}b(@&M77#Ju{o*c$>b6Mp`y#*T*{~D_%HGv90Q_
z{wR5`Ksu6Z>eo+xA9l+*uW1wGm-D${N21emUHn2N3e;b`h)xQe_geh*UYThM`DAj1
z{D)QlJtIAFPyg%frisb&Uz7V^zi#}m8R<Xh=s){E|Lp(#v;XtY{?8w%hri1HXaDD)
z{hxpKfBxD3`71r~C(lRUKl*3?=l}KnpZj+c%0DXd&JQBoJfR&Z6m#oB+qsSkiG<Gw
z5^rR@ZJn}l)r%z}F&jU<SKoT@>9V1_n*vi`fAcF_eCV~<!PmE%-E}Orv#kwUDt{F5
z<h<aMRo}8(u43EHir5pr$8&Ty9{#A6!uD#aMfyO}fU23vWU9{RB)_?ui8s8pj&FT?
z>eI`C{ApQ+9~%38pW}8vP$&G9^_s_%T()+2_M6@pKm7Ow3E`(Wx-&gpzMH+u_7Zp)
z=lo8I7`5`UN5o2jzAgI>E<LLo8-2k}Wzv$}Zw`N5)^)t$iP%T!7>yFes_kqK)lN>`
z*Vi$>Q{bC2e_=}9^gSzz<8;rS$#gh;@U>YRrDct!&0K@|C0C*p*zIo2_}Dr}^=Z&-
z-MJQi!w35`^X7YSOcoF;m{uI;8T^$#k66g&-$k7_d)4>k6Rtv{%dT@BiEJBQ8?Pv#
zUaIR`XL?nEi}S~(Y@a!6-rEep>&DmjRUPMEY#-*cJHdAA2kuo=TAJ=f>LNUw?yH6J
zv%l(kUQ_(EI)D1XR=2LV3)FlK*@$Z&Iwtzvk8Jh|i3*cFZIB~uI<2pws(5+IRN<*t
zuSVsU$2_+nri-3d7}Q%Uk}9d{KsaZj<s#ak8X$AT+&joI{*X+t-;}@uNx8a)`g5Wb
z=an8SeeUY)(8tktYK5kupS$d8h21f23L+5^Lp-!=tL}8nuirRcF5Qd?Myv4f2Tv!{
z!3z*PHT3W}xCajw^aOLVFfz5rTsZWQhXa&QgCdM8b+|$WS^go&;T<_ndQzy!w-o$v
z$2=VIZvodIZ}5JbjAJ-Qffo(l#?#XWuLkbd$SY1>#tZyO7zmgXX+Fr^#uHp}kt+^3
zudArwaV8Xh(i~<H<UfRpfQKFei#-o!o~@2;f5P|x2)|Lknh~!JXfM#$3v&$uuW(-q
zcp-TyVRQ;6`}(r-Au0fJ!XY8gcE)dPd&mz8PzL90hVu*4H3%z+l^bo>g@8vy25**$
z8V2ad^#u=pNZ{>gM_LC?dP;bf#~5;UQi5DRa6bYsB&M4l-jnE$9Gd`piU*xY1{X$z
z<OKKu*$FgoSiwdNFOM9r76X|X9zA2r|LUAGCb+?PxIj{7-vJIDe99nE0>>e6n1W&S
z20ue=yvBr6_ysQ(pEx*M;qC3Lz}*M&3gb5xA67Z!LWKq%FVFHz@&|5G!#aS<ufm%$
z#%TgR8Vhf<e@vH5X7~mnXxb3|yV)(bHnU%a;lm8VfJp=z06oS4!Cx8QkjY3o7%qhn
z`+!7)hbZ^~WTLL1TgDG%vVhuw^C!Yj8Yhi0Fr&L8kC&1BNmTI8gc1ZNGh@6jDG0oK
zfx6(1<pZ9zNG2dC$S?|bZ0th78JmFw&zUeLhMS$Ky`vR4K8^O*BajTt4s=BL{Lxc_
z5e$NxwUMPM(19iJqcE`W9;{&p4Z-kn8()5;z%N?jui&zvp)vRa^eBOJ!~-LI@`rdb
z$5u{;hWzFJ5FYC}av%G%_#)sO=K${itTLDaq!TxQ5P^om2e6`ojNmn{Jd1|`{eVC^
zay$elW^m@ikV8B-t~>^R#A^{X1YVM3S{Yy7(H|UJDeL^nG~{fI{JqCQ{~bOHpHcrc
zJOQGggkZk@z}VyAFNKIL05#AL>1IG1hFwkxq#XPvJz3q+gU<6Rdm&FceIr|2yu(Uc
zQv*GH2P3;>;8|!!u(Jk5Xlj6wXgqv|ODR?toJWyQBt8H%6tfqY9>!b|mGIyTi~Qcf
z_dF1SBp^NN?@eA8NF{-*o*9e$I9@<e-^9ql2ybiTU=CQwd6J28s&aHcFFAz4`1XIH
zpJx#0SIpxabH`_@2TW4O*Bd7nBLh0V98+8CVg8#)Cg?1`d@Q5|BYy(CtcmNvM-}iv
z-u-`B`}clXll}k0`kqwEf6zX1b^bT1<M4QbH-6oy5+tIzSP41l`r`v(*pas`LwFFk
z0l%SfHePPyU~1#Q8ft=#iKz<=Il+X%YpC4#@nGpE(5x^RL|^cE_6i-1`7**s<Lgai
zTTBEWF~YA?Jkpz^2E=%{W|%@i0}S;5BjybEhj{$LuVV!hDZ4-EFBu6rC@lkQ#s;Bb
zO{K^c8k-of>c7!zB_)t$X)prgV1kEPYQa8ePG%@JY~q4>NfqWLY_4VnIvU^KG4Rl^
zj`ToU83`X50<uWsgVCUm=LIH3#=|pW>LwaqTG<OANMq)Rw6Y(PA8A#%K!PC6>H}Cy
z&@2k}0E!Zv>Hm<<e*_n6V$}5d4cMRI_jl0yGk7FlZ&r6bAz0L(cJhzlU{)StJf>4V
z%hLVJ^5YnFe0gjh8*%gpX&aft7@T43V25W-;X!ID>e_gDV+FjXiT$#`P`rkkI?MBS
zc>s!7!7`}uV}kIE=0P9^U!p%Fv;|%nqACQ8KAY&ugiM19p`cTcJ|=}Ahbz1?q<>MB
zRS!y{h+$s9N<<W21sa6<RGRmg#`KY~VlXBHE|FPf57DI<2By5C3RF>Gh#k})TN{tp
zM<#B#rzbfa<}W6k<zsCKCA=5On;7UzM^g%34i%Tf`a$`n(TVV2!2t}R-JoB}Pjur%
zqI#e>Z46OoAdFWwu`#kXUF>9J<!CxlCCIZ6^q|42GZ2EGV6h#Lc0-djrXWW84O~2?
z{zUkiT8&o0E0ba3AFVJ^c>*ed=#SCE1J+3}tuucUm0!vzfz`k>>=;&Yygr29K*j(}
zE8fA(aX@28_6~*k0aze26heSXhKLRjQ-b6NoCU!{fUZa+N5J4GYS#oTH$P<UAdO@i
zLNc?*ORHd#%-}~KEM5!)#zgf^LzpE-n?-y`@$;sQG(1r~JBlAP<w5o*QbU=;fZ@wn
zfRAlYPam5%#`PP>i%kHCV64Cgz(=D*1`zsii%gfXBH)1SKma#k5sO%S^cO-0uvl_O
zBLj7j0w0mOe@||Im3OAG%%qe)J=`liU@W$HyaUWmV2Gj_k`aqzoXpWd;F#6_G?Amr
z;T=dcx;z$qP5}!VftLk4mjY`t5|xf<_@@Av59Pe%AX*`;3n>AZIS#uCG=Rebff4jy
zf)gNzhj4*jfv`+x#;_Ox1AGe`KoGZ(`TK<dn0d=#Y^h}6Ze)}Z10eti=w45-da#ff
zP#sT$AXOM};47q=Xb`yvvf(!oJR2y1ww+u+KY*2jmzPtMTdc04HeU%Zr!Kd6AzZQ4
zB*3HjP=cZGD2p?(8ckUIg3x2^>>%iPPaoJN8Rd6x8pM4Xtu(<EVI7zbqm~jXPo%?w
z0~;@8U&^{Ms&*ndvqB}1kl^K6Bm*;LDUn9@#DXrN=dhcG=|ols(L6-*ru_<h9Bu@E
zPv1ZwKL#JFGgODX9V4uc7sjv*A%W4=*H%%(LogxG5j1E7#)E=XOaR1PLz@i~{lF&0
zV><?@095q@Rsl%|?x$c2GN_Bk^c0NqI>d=U5WF%dKC(ZRMbe4rVT(#Ix3^g82kF}&
znC2$JgO%q9a}Szxss0cp2n+{%6HB}_3Xy}TC=Ibd={^vPit$7J1AOVD9L$0;n!?_q
z9K`&gK-8nqk&P@&Il+$A2plXBQ1HmaF<O1($_Pac!v~{iQCMs>Dz<Tlrenl;C;}X8
ze2xSSV&TWKa~WV5bkfs@Sw0-rsF(s`jW4zwWo+9b!x#gA=9NFz)1a>b1Z#d`mHbst
zW0vtqA12b%zpOn+=z$s1e_n6wnsZD&w31}~CTx#9X016=4_Wi9S`*JFXpO1NpbvAl
zL3{}O1Ysjt<FD@n3I!2m%nz(gh}wywih>P=#h4_RFq?(?BpMO;k);49s!viz@w@O)
z48`AqsIgEP=3TT8`lmm{$3#3T2O*Ofc!OSIv<!Irdj4r`Jf0Dt3vXg&j26eNdNiu<
zn0or?77h5A9@|1tG&E%r@vI$J5JPN%jqrxf(kZ}x3?TYQ7RS{$ruYMWA?6Y6!vb?-
zZ9_dW5$drd7cuZ3)<dTcP|uiv+9M<F74T=IV)4JUV*qT%Km<?-1cm9zQ3TNL&&Ze~
zN{nBBp!K>bBUUgYS}|+=$l70IZG^E_prGDpBoem8g)JdqJ&jCy9Gbpx$_!%xM~7J)
z;@x=!u0v7pSQ9ah3fuN%Uo0dZV@|~}XHndk*$+1|bK#V+xd*2VrY{b&XK~65D;0;$
zDmcsr#o3#naB8N;*xwL3Gcke4#}ImsZsHqY3=41+h7Mf=FxI>QjgD3EfD7n*^qgTW
z;zl$zbP(B!s5zv9Q9Xw0#3?hCAJhdZW6B4V6AsyUIL6W%5+v;?0pSG@*dvzgL2C>t
zf+kSNImF!1f2uD4WU?DvF&PL*z+ef4DW=>0WOoNf#RUG1u03!nV94Su;1zUrHMDSC
zh*Q_p)6~^d)5R@?U2iOYGTN)23_<Nc2+&S5-i?B-DzRPlRg-bctd=h|vcfO7bs#La
zvDd?4XJWtJ*_keNBv_e@mH{D9MeI0I4C1Jb-oVq*8w?!Usxl(jK%8p0ax%5Eho<y!
z7^k73!Iqvl70(bd{P8Bj9~ci6pb$<479b2!$Nt7Q7-H#NW_pd87BSO2W}3xJ4=~e8
zW*W^*$AJ9h^2Ik}?7oGWzGJ4{%=9BOMTZoqAmez0wL8udD#i+9DYn93MARG`FK?o~
zw6V_}(7GIvaCD!AA?_$RHbaq&?%Tj1j62`_b^8sX3ywX)8{5w49xk&GqfrJAGJ@ag
zz?L}n8(R-U?blLh2W8|;6r&4b4(7SSFMD=me{>EovdPTq$XNIo!@!owSeRp<v#2~0
zwQ%(K1kTw;+r{8O)MA)wz|M!=PB3Oiwx1{H7Yi;jt?-OUnph-DXCj&IK=uPO7ETTE
zdW<N~YRVeg+UO8>v^`dR46k3q8%|gb9dH_BK@LYdFcCb2j|nzWPh3uJYylez)eLMd
zAJ~Njoj~!2lLFSJAH?JI!PB5oWsLkNxFMX?scYz1!tzI3T?0jv#M&P@xBUaiFfe3h
zghXun6!2q)RsN-)BjYn>cb69E?M?P1qtg^r6&Z?%f(RjOL{R&y@T?PW*7|<T!8d~)
zv35qwG4&?e+XeYR(>Lpk@mF{(tAAV}fH{`#qjK@fS=!hlNCd{S=QuG$uNlCM|4S|A
z88l|tLNrDO`>bM`;%K$OVtwrB*ljr+T0(sHRp?~Z0c{=-Ac{U7LQ10ySi!D?ko+hM
zGTdxP!Hlvno)CamLmP#rg+YbC>dW9B{%gU19r%yfMIHOAf%6Vl$9dAJ*oz5pgEBPX
z{{kF~kKn?e1XF@N!$h1IIu3)6!&<;$ZNLX@7eG@G0~h^e{@5WkWM1<z3^)m9s>V!l
ze~_;Ob#)*jUkFr}p()F-)+ugA#-=VNruN1xWrOzD>=}!1SR`Rfa&v4S$&wT*jV<52
z(YFgm^v?MD<LjuJNdFQN)R*MH4#bG@3J37bU)G0pR-kVnyf!j6u;@4_{|X#?*7EyL
zA^kNzquX_V2Ix09jLkk&d1RLlNx+!s|073~AdRCZlbAFDqmQQ(Hpxu{)E@%yVtcxv
zw$PRXdM^d330ACHwD$qKQkV|%M8UUVe*xB+UKDJ#PEo<zG7d_A#{!QjKm-eH3MwUl
z3I-UX4QyKjQ$i#0ugBwS%nX&wY@RtaV|ys0y%-_Em<B)r1HQ_E0ch)22@gt-b&v!H
z+pw7eeZla8^BW*8d`@E=)2f>MmcwMJ-||OT<hLiIgU%GcKS~Nf&RqT^@+EpS1O6Y1
zNta}!&9zN@Go>Q=$FbHylhXu^@}9|&se7+vn_KUch|%&MYT9IK5mBdK=H9&VXI0F@
zbB}`sPCcqAnB_gAw6j2WpOW3n;ZO9wyY~;O?-jYa<h|PI$+cVgr+jsa(7ckRoBj3T
zvJk03&K$x?p;{xA-4U;ko?w??Q@TYgEO=0~$*b`8+eNmgUO48<H?4f<ygq382A*nS
zgnV5>*v{yX&%?I3>$D#pMfXo|nZJFz@j^jUN14<i>H(GEbLk5*BO_!;l(TCKFRXb?
zS4hdo-?D$Y+$u6*+P7eJSp&*`BMaF<w|r8t>C7Op=hHm}S12Eu<lm-HyU?;N>gwF8
z`Ncs}-kBHf=3X{!tPT9Zan<~5c!VYUb;-z%1MIH2M*o%f(?bmSF24%*^_M%d{i4XJ
z48HLBEBj_oTjjcPt8+xplN&Kd`K+4*_vV%@A>6v->e;^PVD~fY?>#~sAH}MtY&<n@
zE{}UkgSZ5lGk<Q1M@0LDT_4?f<+rc6q{A*7vOSw?l6}NMvq9lt4S^F5Z!`o_xrDy2
z+_XyNrAB*4ubd4}EYFkOF4lfpnNQE0Wb?Q%eOBa-tJ_?z44<zJ{A}`0gsbfC(V7hs
z>X{`=O=DD+9g?NVH>7#xF4jq(x`53sMm6%poft9SDOYB?eBC@?da{gby;APuudlkU
z-rW5rH)Ad@ufPFau3cwH(=sKL#6vP)U0nEB_Rx&L6_=fJk{ePbiJSQsUt3^n-xP5&
zD$ihrQeakbp;MQl*_`g>$N92O41UP57<4$RM{rNxaqgOiZKRTI&GZe#2a5M1{nuC2
zADZ)S(PiD44P9jIuh%Zjb=bU|mY?p}%Q?lO(}Cy40(s%pCPrTu4;|m2{VDBJ!lQbX
zu+Lxlxm84#hkTIBSLgQVIA>6Hu;JvxIROoiGC90cBCi|7-Wk4^7b$nzePKkZ^V;Gm
z8;!TA8r$yq#&7u0YZ`CBBaZuf)$lEGs)~<Ec^!|XoJ*7I%vQJ_TuVwld9`!Rk!1~2
zIm^$-c+V3TU!7558|^7y^z99r%8(p9?Y*Zx+p#fnpS`Bm)orIac5AnAxr9IDIrqxg
z=+dSO3Lk7fmuoMIy!(OPn-{tEqrA3w{k^nLTZSr9xAq@jkb74CdArUOhow7gEFA?c
z_^C(c-t&=OsGgw2Mc5jh_H!2d8@w1_q`aYX&+%({ck3G{1F~rv=MD?4Nqu{+?3{<z
z`m;|rE)vx8EgaI*eYtr31C71kC6<5bT7z%x@w&?`ciTi!SGy7S3U}(x0dBiSi@S<Z
z!L}ZeTn5|aC(G9O9+D$<1p9Qn&Aak7?q}enE$8lQ$Jq(-^u*N$h^xOg>C<`@zO<j7
z_w#n^7Udgav$x>hL^mWleOSvYReR%xZE_ADb%~Iqo@UN6c9EX*R}b$=e%^W~N5XRG
z{))N7uF-oOr7Z|aS?^YTKXZKTvBX2wz6R?*zV(n?zw2A<Olr%f<}&l8$_?Bt?&OU%
z-DlKZxgNe#9RK{<%Qjp5y7(jQt|2ovo#uL<$~S#bI*(iQdHvKkrsnGlI4b)jukSUR
zJnMn)o4z&Ei#C_H<PY`y=pIT~AiH*%ama$>755AesC<fS<@YsBP}De-9j=Sd+u)^L
zb`rnQBE;WO|4^q8?dtKyA@b78@3PunZF^}oUvKwigVjn3{H2S9NV7lgZR;}?yV0VS
z8z6afs<ZIS&6W<FCF{Q8q`8|mRL)(pwKZUUwLu%*WNTAN=zn|v(R?rq{&$%6mhG#f
zM1lmUbUqmDJh~}UxXDUratTjHe6wglly1#XM#8zxebWz%IX`Jp=b6;KTnP8FCyDZS
z%ezHJJYI`t;=*ZHS6VmLzY8mQVS6BJdR^W^@@1I^VH~(!GM^*U1atE46fe?~n13yO
zD(CKL{<pug)#BJctJJMMaVGzRYKEGD!1K%9@rNx=vT2c(th6pg6mJrztDjZ46Co#c
z<;oH_kG@@(7i#{b)k{vjAFJr%kzN>UJWC0e-4?%J*i$`Lpl~+%Ap4nD!-6NnXJ{TC
zP8XHTy+2qi-Yot20xnoZ{ZxP3sRN>~Bzy0bEbQx@>-|{kO<nSnNmsa?aNcQMsn-Y!
z#cX!!K~`4^6;gr~J~_1dUhsL{EB|b#!->M2k|p==@6E6gZV0BF&4^1`rJ(1aSN~yZ
z+pC^V)7l{yj<D7+$w2m@m&4oTHHU<zK6xa<B^!79#I{Y_f@cwArfQwNVd_-5RAq+y
zofjLAu-Ve)46kzVd$B~6U~OV1oKUy>bW2sAl2F|`VtkaMc*gRw(A#IMDL(`knXfWS
zYq!62m)xx`Q~f+OU&VgW&V6z#pY#{yuUL87Uv~Mey_HML&X|>{Xz+%eS!d&1k-BDk
zop;#7j*_j#SF0*&p0C*(EAKdG_J_xFFZng6#UK0;V_T(s=f{z$sxP=AXTJGyfc%7@
z%HK!y7<wwa_@MnAyv)m$o&KMvxh=Rdv*?2P!kVL;ZK7rGq(u!WyVoCj_40eA{#DC6
z-Y2%Y6m+Rx%IWS@pG)kc&X(Oa%STahj%)V%>y<Ypd5B&`eY*;^zS&Y@FYeG5j!F;n
z*SD!2yscK#9w{bu>e;N_P1|icw!{uk=MCm^ee9mJ+-E^WliPGx!a&xi3id&=)U2ZR
zZ?89qrL8vF!Y!p(bS~?;=jNgfmUGrg#@G!7?#p_`{$!HWj09oVAcs5L%7uAG`kBVr
zfq31E+ym)9ad)q65s7XUn*M0-)lbiz!>+`0P1#raXl=QWNr-@;YKnvJ%gdr>pVJG%
z^4`s`t1sEOUmDE^NDhi$F23nl{BVh5GjSH>u|ZTz|JPIQ>`~%wCaTKMpX7Sh9FM8R
z1y@Xw=Uu#cYwFj&R`Q~?R#7{sInqnF#&b6+ByP)G<IByrZwqeTswtgf-KTaP<qJD4
z5ND8$=WKtvQczvs$*NL`_X6i@R+F+r_<}g}HcGVWn20u~ZW+>wxj*IdC!>7N&o57Z
zS+MzNNZ7!MANP*?AFXRS+4!{mzzmr{+|(8OJ@|Y1IyUfqsFYD!@~Xt4u733gDcaBW
z?xJnxnd?hE<68H`B`?k}K7ZUQCTGezV`25+#Itp{8FmVl4&`?uE|SBBo<Fl`bXh8@
zMfJMI>sL^FXNLREfs!qc(zaTP=dJK?NxMLAnptWczPT^ppvc2r{7;X#u!T;yAJD%U
z->W^{DNEHqHLWgQc!vAKYsCVW`?a6W-PJ1T^(bQAExme@&bw3R2Jj+J?jGHK@wvX!
zr=MRh?#>-LWOHe6Qr`T4eOYq(xq<hBqnk;qWE<N>YsJlUTpl*Mx@O8%Hg1w^&_1Ve
zW|>N+rB}C9nPHXEvg%IFHi77$KHb}eH7m8`L%(ya3J`l)C><x^DW>hrDei@@uru*m
zz077!^qgsXEG4EcShvWREcy5zSKJ}Jm%_6rmr0)}Pty`TF!)rk-Ro_lr@wem!wkx9
zT;tWgBczPHO#+rq$26OktQx94<u6e5#AyGP{U4TVKP=%nzbaDv_MZ9HddDuXJvpto
zOLk7O6IXHe>PlMq(&q<j!g)My2yH4|C2gPVsZ9IK)s(URTd`a8d9|Xc{rk2(4ruW3
zKd3QC*P1pcE>+llRM1W&(}Ta+Hup#vd2e&aRUJN$<~Nlw&Be`qMB5uDB*b)vzHh&B
ztT>%3H^u$92t{Pc$3CAkhTU?_nj0R=a(`Pd;(P7c8A`~JXrbhbDXzv!Yi3<Jzq;hK
zJ+HW%Z|Q15s(-!El-sh;&)k>K$F1Xh<IujhZ0^O-fTQt#!sZXBZtafwqIR#)kLP&j
z_VxSo66@|xI$8Iam*<+3=Z*kXuQMwSOCL?>eeOg>-wemif&Y)Y&zW=hUFLn`?(3m+
zlJNS=7e3$HZK@fzN9McY%BZ+0Ih?EZn7zZzFps-HRJupMKi^oSG-SWKrs|~fxZb8`
zYxmg-hFflG5YK3ByPZ#2bu2{V6z7Y5{?7x4Z>fII{$Q5)=rnovQS)nN%kFGX^n5+p
zdggO8Rkwg`;T_WHyi-o>H@vSHu_cSsLgiUQm6vgPRmfDM1kD%f9=nvqKb4)FpB|9^
zyf%MT(}%^r0-J~X*14Jt6iiw?cTXTG70-7!XqF&}d-0s?-hI)RCKK#+a#r1>>mPk;
zxFAkyd$qFIK+n9Bks0S^e>+0mEFMfNbc#B~m0hFe`nC3qppb=KBk!{P+pnKnRC#y>
zZ=)Y|ekGfuhW}mXh38dxS3VtDJ5aeGZarsE&;Vzrvd<ksuJ5PFR?)(~Rg3eahZ94b
z+wEn<sv;X5&9XVm{YyV5hARoA?oXk9>DxsXynIjmacsdcDKcGHVg4MKPfc%Rrt#7Z
zcjeD$<(3bAUp8&)WVsg{Y}RSA{uP<EX_hOig${L{bfI3)8p_!EUZF#Q;9=Pqp}5I=
zMjPj5Cn4K2m(Ar$@0nd+GL8G#V$Mu{hmAA8#N70zcc#bc%dx$pIGvdB#>X);f7d#^
z%=g7B6z5KR!0mdfpkmp8uFCpv-zT?k^V+iEeN(a`&(>rove)ecjtkSw4V&sX=DeDj
zbfA@zt?heTLj1tzN{2{Mm8jW`evhvy*bHf?lukWmmR1(f`9a=M`t<^?nVj1y1^Hr=
zE9zfP-P!s0)S<_l`MWlX6xE)NWw#O#vR$eFVJ-KM?NPVz^VmEb<JStF`c6~nBYD)c
z37L`ubUCVZyKPIK$mpKiHPvSC1Ie!Yf)~D*pKWPq-gvvsQS-3-bL&Mbrt+(Y?7QC}
z;qn33A^*uI=!x?XsnC+Jq%YUSqWtHbtHf(AI~+-GCx_}9U5+O9bKM@QPvVWawI<hT
z;KM8dZiCDvA5+toXV;~~ZyS1i`{%a8J0Ts_)B6i+@eg84IO^^nTP>cOBJ`wWZoTDl
zj+3X+e1PPjXqwN*_bV%+%53KhEeLmfH)&wjjIV`?8}wc(TdjCxmHA;-YkTh??@qzp
zYo4XMi#blW=G=bvXu|$Gb-Ov2YHr!gUH?h^WvsYu)iR<e|E2OHrAaZ%L_P#%=j^C-
zEd9KxGv#%$YVx7mVJlSMok~p~d?i`oJMUIY%6_RX%O_^O+^J{2u1*e?xg&ow#v-Ic
zl;`$smw6`2^N)X!@0sD3m;OFVyK<}hhHZ0eGq{p#j8bRKiacvJ*K<<m8re6S<%;$e
zrmlQ4{W7hJcklf6q!!v5t>ObQy;IAQg{^s=h4xDeR74n-W(Z4d9GX3S`x2)D<J;bR
zn@^V}`wYiV(tk90?#nBOf^TiQbXeq~$3xzr6+enE^m@jm?7ROn;qzMCcqc3Es;NJ8
zBI6!^GJ6(g;pia7)~`3EFLAbms|eQ*Nh#UI?<Dj3B|q(7R#Xyt-#^9mUU6>hWku8J
z$Hli^F(-KFYr<r<Ca-Pw6iL3f(d%6c>nor6-(01@xy9*?LS#Yvhr*PFT?f*yv#$>!
zo(-LzskXImqpPcM*5NE4j<&rgbX?+joV7KUE&9n$sdOafC~i>w_F>0&V@-C?W$YoY
zQC^dFUkc|9A5xzAGdNQc|H98|h`_t-{-K%Mr4|;5#yQ;_tY<4S%$cqca^%IFz#H>w
zQsdrBpE{TlZ_$0zcOx!{XKwcA$Han`<F|1y+dG;$iX3=OeA82D6xz`J+~$La&_==&
z<3fQA+Z!C}Jmi<;y*wH5eqs2##3}6OsFvc-T57}h2rp5|;yL&*D)p_-y@gvEre?5P
zd!G-;Y%F_GCt}x|8?t?;*paNycW#@T9xJ)GDXDhvF{_V7e7-@)owI^psaA03@=xb&
z)$y8CvcBfX&2C<=O#W29#O#grWw#tc6_2XR&zt_)Da7;O{$rKNcAG+1e6UKwWw;yE
z<;_dqQ<igZhVql)^D;CM%}fr;?7%w#UnVV=7`mRUbV&1w+Hnbsk4ImG7#+FHzGKC{
zl6T^Jyh(EXWb??AJR9*rmv+|NaF1NgZJHmc!oie-3sZL-R(=-X=l>yZPP0w)<b4)G
zRp|{+pX`aJW}jg{!liOUylcoU^U{>r1_K4x!U~;)=B;s7;;9l1joq@|RHo}`3HzLW
z?OSx`y9HWYWrt%fzYn>yXmIXIhnmS#++=QUyuC&5_`t!fjYDgN;)0!n_+(y7NGysS
zToAs+<<=da<<$+769(_^&uXirdOoIC;h(--a&_v!octvYM#uB+|9m}tyYM|-5!cNM
zg!Uii_pEK>Pp|l~=Vxzvz|3}k6Z_e!a_*PAOMX5*u%4&N-8w|sdeW)Ymsc3JC`J`J
zEOS37e9Le3dl|L$2k-KeVtw=mV^;E4P9c<to2@u`(c!hkb;8@ISz)0X`DQiOcGgEF
z>&2ZqmUNQ;WRqYIk@JeS?gEZRpEa4P^?f?~2H$liHbzC>RZxApi2a?^b<gxUjl;&<
z=#Lg#@qT#LT*6VkyFpspb$eyW{PUZaEinz$RNpXcyh_~obhS+X(>nKyyWNXE_meWM
zxP-e;_yv%heH-7@e=i+$XxCb2Jy}#W=gH>nx2uwPd3FW(91*CVlDDxtZF=l*RzO$5
zr;g~X%XszJuM63z+_qdxL<bbiw;U1ZzdS2vfoq6g>@K-CwggpD8}U7<q*E(*eGlP$
z^R-*YE_a<&y&@ZQ&Q)*G;He+2p)GL^ZuwG^+meFygbv8kE6&Cg4kY`mtc_TDW&P~N
zN%|Id9&Pto{OHm3jLHj&1D=adI!sovdcD@N>RwlmIw_!7fP2y6rB?nsl%8x<2)guQ
zd(*o&`;O;*yU*2reDVu6!u5~G+NVi>SSHmYZytYA`KL|Yu>*xeGrCT4>jyo}6G&hC
zvm-boYF)wCa)R(+P(h8uGn$c*6z7sEN^|tQhaYapWbnHx&b<5N%__apt+h|=W?J1)
z?{c_r#cgXB|0Ki0Qu?(;hc(v;=k9O2zPa2^(i2Qr@TJW}DB5T1tkb*j9MZ}rH}dCa
ziJsbE==|(z6R*_@*+Xxh4!pkh@#7=4^IvtVuJs?_I&(tPvUHl@r(2=>x=T)ebqtT$
z%Q~*W_Keu);c#kfoH%wdW(qHRWB1dTsVp-UXQmR&6yCSQ%E>d+>C9AvnZkw?_IxHY
zg#`(A5AVHU>1<{y#Z2+cbUriHW~NHaRGFE=M26K@XQtB36e2BR`E!}6DkBAv|G)YN
z<iY(j2LHQ5gx1RcjKTlz7=SwXXAJ&#hX9BFzhMkCnfm*GYF=2#g!liE`2nrd{ttU+
z0vA=e|NrlqVFzUp3v=TP1A?-g!=j=fGk}T<I-`h7F2fq42qQ~qE;DL{r3Gf`EwdRl
zuZ9+wrIpK|=C#EFGqW-Sv(mBzMFmB9{@=6A0&Vwq@BMY}|97ER2*b>oGtW75=FGg`
z&*$@RKNkI$Zv#Aq=-LK22LH}4ZvLG0c@Ql=hyPvYsQ;zU2MV_V$CbIT3jlnN!2Jvk
zEdS3x@NKn$zY!I$nKC>TfApW5TQGX88viZ8xrqg=_-}Z6=I|2knmEz1h`VBD`U3uf
z%<Rl8?uX2Wa`@k~@^r&Tk55eI{!N)Yb#hjbZusz#DVm20`K!T0c<Yo=lOcz@JV{qF
zH#dvFU~X}-Za5mVs7v$9$<Gp&pPyY?#9feIx?uS5)R8H=V&QV#qTJzVQ$tZfCcoZA
zMS0xKVR1wufBRhFA8wWZC135Nt%;b)wM$C4t|2SPbo^h3|1ZM-p=lj~Tk8l#0l^K@
z&gGE&vtNI((vptb-x1#d{$pRO#hZ0)|KA@!`|WSp-ktY@KXdzY&wK7T!0l%kY1?%i
z_%A&Ublm=3$ALfdb>KhYIKZ6`aG#ZQd_DN5&j;ZD;OhZ@-jSD8I2`9={nKCeuLqr9
z2Q2%A<@KPS1n&OJ&j+L(9>Txwe83<qw`==%7~fy~V!!<@+q?6A@Mms+?tFkd4s?7y
z=sFJk%Im@Z>El4h?f*}l4;X}9zUw$3jKgnz|4%y(aOVTu=k{Ia1AqAWz`yM{(7)?^
z;6LH>q5rk*|3~Kof5!IbP7nVVjsySaJ}3NFy&vEXx!jli>p|!9LCbz&IWPP(_5<#G
zKw|xTsOx;7^ZDTa=JvO2@6P+dpSk_H^8uRMF>ybz=LIium;D1@|5tf|Wj{b}z`rj1
z14Gl{CKHW!{%&4C{~OK+{>knCf9~_4|IO|HN5_FbWBWVc-br(NXxDMzce!Eb{UASg
z!SM8gOhDY(F=&Vz%fI8x{y6ZTupe~X{*Jx6jsqRJ@&EPh&z%p*x&8KEdmQL`J@|uT
zf&Foy^ZB6VxB#L*An!UK__u#P(D^v<2b=c~|7^egE!(^EeqecD@Mmm)ju&vp0Xz(J
z@CUkH4}Smk;14(SA6&tHKj^&uE&Iivc^v4t{kzTwe(Upr|Bd&BmhIhnKln3`1Kj6?
zmg9i!b0P<}>p1Y=cO0;7|E}Y}f7@|@dtad7Uc0*97yOStAK-@UpZWTqoDV3v-WU8=
zzc2VRwm<hdVb^g0;E(1Pbbf#Mul$^_^ZB6VJkfGq_-E_~9bX5!&IkVJeBfWX{Vm(O
z^M3GWZh!84fSd2taX<K{-xpB7HNVI*f9SX72U+F=S)P}imllt!XPK9jo>|P#`>}jZ
z|6B8v{%C%ZWge2{{hsA{Zk?B8nU5rLfzI=ierrAwH<W+R*WYtKVA&4>|35q*=-U3j
zzZckV|35ko{2AMS=Gc*z<aAr?J(o$%7g%x;{h1h&ol{V_IE+pdf5Lu&9J(~!u0A%q
z*qWPdTOKwqq+>T#b|Lm%jOH@ehtqySianM&F{yk3(by~uyym{_*27YxV7WWISwN9^
zwcooQw_4Wg{>t*QusKF-Sn~_`mHYku_2qhJ_@-!KP3)GRh&>DWShvHEnq{TMVp7Ym
z+`3@|JXT+G@#94}E?9uHAlou(9Ui|hGFYp`Wt?N@B$sZEEiyUWwc~Zz09Xv8a|;)g
zVx0wGnOZia@a<-aLL)~Jq|C*?WLbZW&&pEgTYuA}7h|7KJeJl8<wDj!VBY_N^gL_@
z$j8TmjcS=CTxo{5Y!JKE61ZCnH^g3mV)0V!bt=RaD=fg4OS_9F=jP1C4PQ8cYl-3(
zoH9RGhxdm~ImP2j7U;%i;dUp@p7=dJFR!3973<CTymv9aANc-=(FFy?8lkKWM&)y9
z?|fy3<!7-#5=IwhXN#SFiCo<eu9G?+I}5N2kGsuCzOzWUJ+4xwcmb{y-|!&}nFjlD
zxb?)_Y6^27#uka3>@55VJMN1Yi+{j2g!nw&-1Lm>;`scmi6sj%uo6g<UAQ2(cmlS&
zjV{UOd;cu;x%|WCwujK)AyhH(D~J0*;nZ|4f*yyNYXTXG6&NtNB%gnbxbAt`**f5>
z%+m9O+r=01y8*XMA#y$u>-i$MrC|q>brHgYOpZuQ&zzeLW3#f;^Kf9ercSIY5*EaD
zlZaauqvY*>#05d3t_1HkI}65Obx~gS6mI-duq#Boh2@UMVuysV=h-fa05$ixxE;cF
zVfe3I_^a29<jS0EH-vcX3dzT@pO9WOAGiqnsbY8L<m{q?65NW(xj62Y=NRs!eDeQz
zEXvEy<4fE+UBovwO-Nsak5C+m2?+hMHvq<}Cu4aXmIM}BE*XuRUwC-JSi{%?%b@2M
z7Z&8fSgdL)EG*F#3p)Wm?}Vozma~huNXahb+SNMVO!zIA8&h$kW5WmcycRY}F?N;l
zgFQKWK{~fSmWOP)Hvh+w*;uNbm7Slt82BS9m-nwr&tJ^%`r=cXUmjPH2$T7zQ1M(G
zLcTF~a`rqd$iN4{*C^t_1e;>9o3I#<_6xvrT*gK6T~tN<K@Y6ED)6ma!iCmjA_!HX
z)-7TAfj{g4_Y~uHB0Lgd-$4=XzlB-++6m=1!jIOD8{uisUuZ3m!Q))!{1P4iT(z|E
z05>AS5@4hTMoz*9gol=*>`Ay6>9Di}4?047GIZDiTxp_ZTj4{*P03$kt);}_S}?ju
z7+3x;-0BKHbZishUbe9R3HwHVt>*}PBKX=Hv1sHsuZOiHLi@S+I><M`hzs<?Rbj^9
zM15`xV$owsQ8CT6Vq_Ov>PxWq1<T<qD`0yC=StUU{(<oQ8@4t1z3X#L#9Vid?b`VG
zerNe&vv7x-{NDBX=Hd?5{{7|iC7}O<>vKJzSe%7Nv|l`o-+dgT76}b8_P6@I$HDh_
za>om?X8AYA3tu9!2D6|fXD*g>F2Hjr>_M>~Ps^DO|3LH87i9m&-^CX;{-Ig+C;R2t
zJ^N{~S;n%jSbLfH>syPR_}}73rEp!m9s9zB!q^a@iKsL;FONUB!MzTTHg-i~zxp^V
z2NAmg`PJ*$9ic2&?QlKYe$4l)U}K$71ci_NH?GI6wXn+EgTm*Y<q6W^`uwBjTJf^D
z_9VW%TDYrD<8Hfuez{x)BAuRH^qb2~934+%_X@t=X3nQAOXLp^9oN^oqm99Wu8!C4
zu%5#4itpO_jm36cZsPQ@w73iZUDp?$D8F0@?s#UuUkL}0KfWGc#QUpP>$p5z&%h$?
z#5R*Z%jAw_Sh$$`P%ie`aUD3^$u3{dlaZT;FZ*1V7rtO{C9~Y6wo!3|{9NwEDXReT
z@C7y>`@<m%U%d-+Gq7wu3%F`i{u{oc74fgiFt=bqc1B@#Ddcl?R#>77<MDs)!E*Ii
zP?VoOKN}{b=a=9q>=ZmJ%i~T(_?CO&WnDb!<%ef>hdr%mxbPrnW8Y@xVk}m~8ZS#T
zIp0Di-Uk25J%5BhW7qj_{EZuPyT4fu?c6Tbp>WK8J8|3J{*NrnJ;G2;XyTN3jj$hD
zzYBpf)?YjS;PoQX;;i(-Ow!K9Bmz)N@q$&Xt3Q%t6)k1Gcd@-Z>3$NEyAvJE_Il8f
z9xS7WvB59XwCYE86y29~*QF_3=oybZ#?E#H2%<x_(z$ZO1GGDS_WW*Il8M!ROs}ZH
z$*eDKr=RFSm!$RAxKCwQr21-nUZ9^crMZ7iKR-xCYZyQJ#fCI@pdpO@Faz>nF%8A^
znTe1K`6k*mn|92C0!ZFUOLJ&vEu`YgRnk-#9hyneSem3_inr0)1@t6<xvCP~>}eVF
z{9<}V0o_lR&JH}=6v)bT4f1q)k0zLsJ=IGKDfA)sd^V^VD50AZ4X4;7Dx3mYVnG6B
zNQ8>AcqyGoRg^)+hxok#)_Gn_sgNWl&zM3&+IvRIC6Urd&%DLq#o?@1Vl2FusOTn5
zEMAls?w_ggyMrr{!5!wcP+Xu3%gD^jT@ld>usA$CEwlLX$Z2CTCZtCktJaahgs@Uj
zN$yL0-GQC+7t=O_QX^HYPtOk@lN@>3fzUJYWWX8U66I$%q=BKkF6nVituDPNJo20_
zMY`9J!csboX%n5mN)0LQxtZaHs0wFx2Y5+OP?{YI7cj(M3tsr#x<0F}1sasP^z5{A
z8fTB3LS6V^`J~9C!jJsVt(4{zPI6`yu>qr;leF<#c8ernC{R9UubpMJA*z^!nwY^$
zp&~dZ5$NDk`kX?|3D|Ri>S0!y;B|9GK`}O>U(Yz|I@zqLb)IZ)Itt&I6OPH?x>@$H
zu76XLrzb0w=zKR#9C;Q(${|$0Z1Yu^u-U5u8Ye#L1Y2Ojq2Q|k=WZQOD}4&soDqsM
zBLY=9?J%+5phpe^Xvnl53_izU;%s7C3>sf;X8$^<g(cDIN8!|L>9t1U+tfr>G_D}Z
zr{#a6dpFSZGoH`**0ccJlMs?myqqRJLf{@iOAY0S`}iE<MaV687k!$nHob@t8I?wA
zzbAV4g=G$RLP&))^f@(gxEn%<6sYZ_!a-XrgT}D4rdycHbJvg*ntK<YD7Pxe970J)
z6iSYDE2l|4oj_b5pGZ`DY4W#KhSEE6MCG6{#uF74`fc1D6=`gDpj>WV>*jZ*su7x+
zw7%DFdUkVdZ*-vw32{h~IGb*fId|Dv%P!F#vRf7T^cZps2t|`_<pA{&Gv4yME}=am
zTG?fHTOGjpMw46jYd7$5wf=Oop{9ZXqeezZmDVKF_;w3>%AvW%#lz#yJrAZLuGF_&
zT3b%;X?>lfjqpw04QTR}6#Yoa`a#{$motynLw*n(%Y&jHgK;R>Tu?sIewSXXB%oWS
z=%c;~%PzHos++9m$5dkS*a@V4bWeszBtic9gSY0&7NqC+F9rjs$mC_LhjTfZW{h48
z)0g3$s6OA9Qd|$K1E*<85H6N9o)5yszMlCNA%9tR0&<9cvzjD%j`{A1B=!r<d4~90
z1~aH}j+1OC%+*sG{T}G~4D;w=ylr=&b2s01^nWqEF*=8K01DZ5w0>34GFgSEXTw0B
zLSIb-?J0|1+z01KVS>V*dP1v0BvhY!26B(yLq|h>y$j{q)YSdVp!b7vd$WPvX-{g<
z`HI!roBHS$(%zd4zbP4XlO3q(*EDcd6WgQ@_<DHwsoO-K*3Pb(H=@0jsjV3aL1`4Z
z$!-m+GR#Yr0!!LSZAHWbBzpLQDl;K+#&e)s8^CqCOvTWiRi5B=y-i9k6LWu~U;emt
zR8=h@O3y~xGbc<=3ImCB=1QIZ@lpeorf<2fH`nQioY1s%&rLHUR~UvFuiqo?PNW_r
zz!d1J%|vyLKISZ`*JF5F+pT-#dL6yTqd$OiVVSg8Kd|Uiz3jWG_o7?jQFHvnV)Kic
zy&ZLU*on<d>zlJA?V4ZU@Z~A^8k+5*E-6lANRl>Dre)cBqD#*WpOC!fK?w|gfK5~}
z#DP0T6$3-YWOU=+kTi^uG#C?9#;FM|24j4@GG6AfLg^UkTMApf$38!O#KI?Gc!^u%
zx9{KG1Ms{g^Oa4-4G?`gvS#u;3>fbE>KcKr5$GC$t`X=Ofvyqg8iB46=o*2p5$GC$
zt`X=Ofvyqg8iB46=o*2p5$GC$t`X=Ofvyqg8iB46_)|u}YfN@0{vU)FAph@+^xne%
z@3Z6ot|I?$rQ@eO#=0X;{fVCN7uKha4q|=2VinE+CtW=-oQj@A_oRbOw0jmk+du;(
zKTprvNoi7OKX{!kiE8kpz3Jj_=oO{_Z-7{OZV!p3lr4|%OIN@UP9xYgA&!30Fr0R$
zUrl3uro?J|R<b@S8i{r&yv#CV=^XlpciEV!<1~1;F_Y;ey5Yv_Y)UGf!hQ;2a_@8r
z<fA&UK;CcSO4>OeiXof!%5vir0>K~%f{~~Y&=h9^K&HwURRAd2MF+>zi5awao+?SA
zNt~8|5<ntlC`*;nA3_EC03V)3HK6Ik4EgNE@{LsZmW5CK2u;jF$2z7s!8J!QF!GQe
zRkW3=o;f)bWO5V=<f#!9Bt|x5Co2|C@Z08F1oJ`l80!nwK27VdUyRq%Z$>~gEK<x(
zi)y%_L&G3`A{pJTr~`>4N*cLA*AMBPV&%xVs2M?#MM!u_R5Azf9I_GM#rrQz(t04W
zXHChfnB4G>BDZOj5@2UUZJz7D1vJ`;x%p`8=n71OqfAkU5|gJUmKQ5QCQ+5C-0No3
z57YX@sGlZkk?$21*DVL#c*8W@bTJxbD}v3amTKbviGg7B=$TQ;I+CCw2}pTgG=#oh
zL1s}6q+)N>QAu6%d-v$dx@ORkYb1QwLXxcrKfZ^AKZ<A(RuIn%<atR2>2XXF-u#Tx
zU|!d}BrRee7|4)%X#`ms7?`3=?Uq2s1a7Vl-12hZQ)&KztA~7uP6Ql$m6rMk?pi&x
zDDc_p0hc741-ZyQqJG+Kkj@+$5tu(<Pvm}0{3>Rl<od;;bCkEUMjHu+oYJ?_a_Gv$
z6VaI`*n;)O6qCQ3DR8^tu>UZ{{R&gfn8i*wLPK>5h>YB;yc_z{!L>Sfx3db`on;Kl
zgJWKCrs|j*O!fR>9;(d+ec6rajVFUfv72<w{$*c%`}V?_nrkx$4*PVC?nuv%PM)N%
z(EgIvBex+u2YMc0^(?cnXk^jN=x3=4ee6+MA1A5PPtMk5Q95$u%BaMn`xl&hjn=OX
zkkB}i>st2pnPqyp?2W;3@QnWtHHXsHghRxo!I9T5J(JQjV5Oc8=u_dY*%;LbnvEM$
z*qEwPhstX{5fbmBh!)Kn*s$bwWS?n^AY30)G0k~O%Al+JlZujut_l9)*~~RDWihAH
z{l}jHYGci?r!NK%yF6*;%zG5AkhaWM#lPfr-&2Rex4rQE+ri5!LmqUXWD1I+%lZFb
z1zGtKx_m@h`N)}Q#FVeZIiwnGLf(Aoh0GVE&p%Mpz4%Kwk_jqByF+>=u;tgdpQS4@
z!TSJ2oS0r2wt4kK>dRrT^a^`!%;B)-7iFBdczUWb&3*Ferk10psT#(w{?ka+T&c!=
z@)dp4(JNFn6VXCdn<J(8H;|dh=pvnaN*|SZRUiCQW}x)QF%lVAvT=PRtUE>l<9Oj1
zG?}j*!>Aj^kvazV?}s7k!6zfv3`vPB*P3!K)-BleeeH}B0}?^yLk0}}jATw55Dcu(
z5MN-mL%a!I3^MK5`Gec=!t6%r5$Vbk<brf%z2t(lDDaxp;6q)I!oB+ZDL>Uqme)Hl
zFKfGfRj;XJPQJy|(ab>;Qxj4da&dRaC0R&)aY+5=TIWz7*O2g#i;@@X<7(k<{n?kA
z;b8sJpXx&v%sj77zDU-duJd{E0Nx!KPb=?Heb+#@OXg$SOd(5PmcC9w^(~Ut<w%y!
zEYJmixO65Ra}Iu<8JD9!+c*;!r-rZ2HHCg?&{HAjSjMbxdykPWJvZ~x?sJf=mX63F
z&_CyVjziy^_-%{VZ%#a!18E9!GAI1X6H9^^h|K|w;w$`CPVjr00ypX6@oYJSaF^qa
zl)9s@L;`L;mBO+;afG-HO3lilj7;K{0>-$po*{VKS|%z|&qOnzWbnq^Wt#GOMp$S8
zqbdi6yPQx<ovA&UMh4dX+EQokpq?uq9ax|+)}JZomU_HgU0>j?u7`kfyft^3ru<B~
zu+;o>xK#dfaj7pI>$ucLZe4LdT&hhDnRQSbH)*N1S2h%#)W*DshoCA**4_;};5l=8
zvNm>Q%&ydf47tm+#)h3+8dksbVAw^7O^Q1)rwty7F_;g%5R<n01jGj8k<b|Y!Jz&1
zu<1iero3)aLZ59^oe~B%Qea;4ba1JTKwu6geEByi>sP%_QA!q`J}}2TW6E;#&MjdF
zWlUS%;^OeQQx)T00#oQE9lBvd^1_w%O0xq)LR0bO2z^Fvcmy8$heYv)*t7)<SrFEi
zmZ4zBPtdz?mgQ?d;PJj*5X7_%Y(`aKobw!a7j*x_W7L!b9+^2a1LZKB;89%<nk3C>
z&J8;qvkm1iI%T4kO$E;lbrhYFd^*99!s%hgSWjmH@zUiDp)*(d0^Rr$lW9mmN9_4p
z#gRaRhs6=gDP(owu^YqD5i2P9IJR7WNwCDCrX?x0@wKOwwby(&K}=cio1{&sU7);#
zirA+{W!nqactwngFvt2G^m`K|=J!^bN9dii4umpfGvfm4s4WrA3|Yjq^^43Z%6K*7
z6N4<gNtP1PB#+E=OrBB^$GWf54NIPa^FU%xW`?ee4BqJk;LhBQu4Kq+rp<-9v6^Xh
zsboG~&3vBB$SyNIcW+h{k8xzq(hLkvs!W-709K_)U|R|do(6ljouT*Q_qi&6nw5Gn
zZN*NI?!Zb}_iQJiSm_U}Pk7lJsUwr5#_dr}RqH8fgZ`5@0oJZ9UF&Gl!~GlKnqDeB
zf<K)dwc|tP4G7p_P%1_`1Z=}?;{;AlMXo;|KE_IwZNsO1tzxAO-ntt6OUda)Q)DPA
zxyc-4lC48WUmrTa(@Em^kRlR#Bu>!6;C&ll$UMW3ic-e`Ik-Z;PhULDN~_Hc-Zf^;
zjzs`9J3y|j)lz%3%$7sxX1s%zkDv32XQc-lypOO_N4XZ@7!|HfcUSJizY4dMq-#HF
zA=K+;Ws62Sdxu6^<E?IS^fTk$atybM@}lyRa7F66nMh|8O)G;LMbJ0%d0&+j7W*pK
z?|#3?H1Whuc=WU`WpsFP1Y|PPnL9>D^)&$Rk4`2B4M9oKS>;K_ZPGX!e`;{Y+qv}_
zbPQhJe>km;rfPNsW>B!>$v!KXb;se+Z3|b)ZkVYfjI+ZjrXCDCsB4UiB%XoUYcA}+
zauz<(mbyB8qJ`=m)G=o_>KpAdm%z8})$`6KnCmM`ya=<Un#5JU03#PjS<kp&)-zPP
zX~8O~<APN%;j>nyFPQXm44~3e)Pz+K=MKHEP|sd5EQu#WwLidB_vLF)BfE3ukfd5K
zeR|DHOWHSq#8ayDz6ZUVsY&HZZ|LDUXt+bU_gBDp>pj%opY6Z5@!qt%m+qF{b#8Cl
zc<17sX}7oC_G!&jHlDl!%-*<iH}=Dj_#KJ0eTH`XORF}ga4K<7Nz&lK*w#By#t^MK
z5IokcG+|AU7TSS4STpAE&n5K`beks0?aK4L8|N0gs2pg`qe^m1MFub=6Hj+)Zh-6_
zxolwGy4gestsy-KOHX$-78t)!JE#E)s?0xJPkUV3*u9+Go-|ZRZhBlN<T@=?UmO5g
ze(Ea&SCZ*L7oCU`!DBG6QZ?~2nS76EO5NOmb?fO?*Ie*@mip>wpy8tbpmHNTM4WDf
z*4O;4qQKndaDtlLm)=i96Mco1GJDcm*$?S`<RN$nbQ1a^ozI*A2VAXg<@&E$Sb{Po
zu<!tZ%I}Y)UkbZjbMrPDkY~VIcK2>oJ(0+b1;g_P!&wO%-wVh+Riiux;5J;R+-ayK
zatYZ94+1UEqz%k=ceh)&+&pf<^_HhmpMzWpl#{JaJ(S1P6oGmIeTniTyt`urTbEP-
zuRt3i>Uq1EVmIX@uEyI^hn2d<_7(aUZ=uNve^b8Pw}60YwIh^MvyLPtJ8-^Y&xoax
zpd$lYVrJ)}ttcD+Z7&+SC9uxYH6~c-2&=K<G2r8xun(!4nkplJk(NqfHLNBlX&;^Q
z3R1HOB;;<KdQ+M5YDGmo9+0UmXH^C7vGY|0P@Py?Pg32;S-1+_KTf56u3qMDr7AE~
z6dWhD{q<kNbDNLonan+UdN{}?>EC|R={T#|nV>rwG%?Ic28s8ES3T?xe<^tH<D}4S
z<PkqIO5I)w2gcPNcv9m`6phLap!hoFNi}%^=8kLhAFOz_Cn4_*Z`&Km5K{I~P9TBt
ztJF(&$WJwdbsPGD%jg98EkDvSvIXwb`;iFsBZ(w!<NQlQ=E*Kyzd>4~-cd=7n*t)r
zcY3%Il{z5wRkK47fs8z-8$(I$XK)^p@17qFSEI&-H%@_3zHddlkC_zTc+a%aR|f69
z?#fJxYXu~v5get2^e^Air%~?v@rhiA&&O}M9{3?G)t|ZWsOs!cLLHt^H62DO)Jw9+
zj-<w~$c&#Co4)op4Rtt4G_^80L?qNlLL_)Y5j&s~x2;2_^2O0-A88!?Y+>Von~dYE
z3CsucrQdqErV^JL{W{FiYi@?;;d$-;yZE-yv;2h4C(XC~(o_<aN)5kP;k!spQpxD-
zam+??ckrx%3d!H1oRwq^k&cuFP589Vpj9^c7;iQb=h{=F3W8_EwP{(pO<UHZ`F3lC
zGJL<^Mo24p%*>FgZsa90YLt5MEAYZ7^Ao8%WW<le8G)3L$zQ53Du$n%qkqn*k1L<7
z@aXnT_=Uy`M1Mlk8u9}xZSti0{dH6vv{mmPp41+^YVEYTpfv&ErCw>>w)fdE67}IW
zigj*{**A4mcMUL;lp*Ecg&c!BZ191^f``j`H9~Z0=~3-tuZ^EisH&ve`y%FlHQ)(|
z%NgG74aVUb(O)rDZy8W@WARc*Ya>AsHBe3YJF8t7JUkY58{x35t^GUreAbTb`<3g{
zp|3f5y=uctgQV&k<J*I(>Mq2Q-hpLtTy20dIQ1`w9h`{|adGONLg;a3<-Wb7@7Lsf
zYC@Wi{<HH$`ZIxWc<zyNX+!<5_6Rd;?tSS+4*8SZQI~qo-{kr9oG8jza2om!8qAd6
zz3U3ELehf;_lhTO?Eg0TN==xN!LO@h56mOMm7!U(wEYo-zmnYtZ~VkG-(Iq)ajsFe
zh6L;?UqH$whbErSqkh``u|D+v!+OJVea+@D2hT&KvGK{Ory<Gz{G#)vkzQ1!*Hg>9
zy_eBa^ONRM4L-q8oDZ&MnmqSYX8q0uKkD_e1thTAVGEeLRa26*pVLVQIXsv&#qEb0
z@&L&DQ9*Zlog~9!o>3`%$o!`QlOH8N9C|zUt$T{7Z`h3FFIC<x<Qgq)bU|6SftFq%
zUqqABn&-kU$jhdY$D_!p^|@^Pop9rBGV(<H_Akh{nwhsq{B?SE8@Wn;WE4|w(vIIM
zHvSkE_9c;>BWFVL|3>PF<A>x3IT(290__$5iT@*Cl8?v-^aBn@$bPbyZhwdLtRlM{
zPZ4d#0x6j^kUo0!g5HrB{hpfXEKlD-zo7l$$uGu4Kd)(zr&<D{ek2V~Z9P?V%MjQ?
zt^`bN*eUP#gFN7CX56RbbP#!;nS45U#QWsEodIJH$(`>8j&35~Z>2-O33%xYxhQ|`
zv&zuwI$C}#K=!3P=A$5TTt4C5fF=8g*&rYBI@v|4$t!MT8+lPasm5>In>*zxugQ0A
zmCvXoJ5BU^CZ^#zvX=bS5Ipt;@(kHP%6A4tK1w^5`GqVc`axuIaALmS<8RU9E7#H~
zuacMLz@}^<Q!0YVGxXiZ=<zR;_)YW(6WL7G(>@MQktc|ORz6NNtLXTL>29mYGSah@
zET`3l0cC~6A&=yc43%^if$5|en|X7ICOcruJo-K@O7{*Ak`$ux%bP-aP9WppG`Ziu
z-+VIfKEH<w&pyWN{8{_l?aHu^o1Rsc$jxUSoiO4IQ&+Y7o?qML0Wl5CrPNl&>6$|N
zg@QUQ*QYiGz4yJm^fQI$NxxI6=jBhF@iQOuyLG^CPpVm-{-)oao$?t*zXPee<hfhr
z+UG(QYZJ~q_=((TmOsb#`7luaZl!!jwS4m{a^qj+%U;?g*Ox1{mdQ&u40xM$pQM*R
zut=_di9AbFqn;d4yOOM+z1Gl<87t`r*gpB>A^G-&TjlX{<s&jlnmpzqlRSP-=%Hz3
z5>XE#W8}wmw0y3?XI>>8kSWicM)%XuzNs{sNK>Op5>dGkB^gFLD{0qZTWQw_nhGJa
z6}M7qXay@BOGc9ML^g^f$m3KbmN-U}C^C*77B8QuNu(WPXs>9Tcmm-hj6@Qaqy{TS
z$IzaUv?uHTiQ^zLfP@A=8yLEsQV^Q-Cw&xiH3L-c{-JO8Cw+-yKhm4@l7G_6|E>GH
zNsq`iKo9w3{;fBo9s~cfti5+a+<){>PyN<^+DZQze+wk_{w0&Y^w%EopKuWT_Q7$*
z)Wjw2<a*S0P)w}!zxVT?!9RxNobmtRlS=<}`~AybA1L|AfBOfO0n4lWSL_OSyjnq3
zRw~ACP)w*$%zRnlYOD++PbvmK=J)e5zaL5~{m$k1eUagJsZcR&L8aftS$^M5Q_O!s
zF?2(v!pER^V5y>Xy<%WRWx%+_3i-o+WS)Y`uJnH-#qYKz=#>nGtF|&AZ-RmvC)cM0
zESk7gUYa0ZJc3M?KQ^&aUZ#>Si<Rq#%X0@;$_qjRUJeSo$I7!qD&tf7%hUVFjq&pH
zBP!*)!sXA0%6G)btD-CA#$frDf&P~j^5^JEd1){C;``)f{h7qRmGV{Iia9+Pbw5>~
z2cA^q^(0;c3VSLZ_S#9icBd(K`8FBx#CaYnsXK8a9+kAzHNf8`Ajl~o!n>00C!>8m
z==<CPVm)`!k=^J(7rLKwz+_FpR0o=p20Sb=IBO_sH@vN<L;6V_e$dMt3^UlHZ2LDM
z!-tQiTYn%P@Em*vabZ&5R}9yCf$Vm4qgtY=Aikug4!-`2xzC4$QC!!5GoDbjfwGx&
zunfG$F7&#W=6rj(&c|KmJ3Qaxomr~*kAS^M=-c}VfvQ^RsaB%Lvs({Gd~?Q4JF77K
zj0ZxTidhO*Y3EYf8K_FY!?dzCxWZ{Wp8mD!d<?$h089l1O)PA}kBS==U>Isp{^+;{
zSYN~CT{Bu{K$<e<Zo~ZR(4d71{Z^QFqj`|Ayu$o7UBB_GF%;0UB}7tnm!-*_VHYP7
z?81R;4fV=uM+YLg)xW%2(+J~?)Obgi*m7NkyjHj6PW&hj(kKD?_@FNg1_LW4?T+rP
z7YbGcZ!}bZV;V3I!9G0yb8_-+b!j!WwlGCb&Ic;wPIao718+e=0qB|v3K|;b)=M;|
z`ud6r+P%qTJX8biZrX&&V(<jn_Y{tZgY?yV3Z}W)-&lon-wuSni6<*n=GS2jT&@Pv
zSW`pDSe!C(ui{AXCfdCM-~gE9Tv{{ig_F)p@66o|ZBKyPb9c03p!K%YsqoGrIc%nU
zy4}8w*Vzx#>(70zRsu^8Cx9njRP;Qxnr36d9>CM`aqb7gdg<=K$vK3$y4<+~<>k%I
z<$7`#Tt=+J6T0TxP;Pt&KY7O0K2dd}r9l6c4j!mySwe2sK!H&Pp9722S{l#w7zE*A
zI@;AE>N;u1Hza<<b><b7s+tZa-HiQRTxs9e^p39IhP$YMe5)L5Bob%y9hSTYo?{hv
z{U!RV{t}flINnL~(fQ&(t`)v%Wp(D%J9OJ^oRzb-N=oK9$nKx;eWHY)NW{$}VkJQX
zTB0ksGxME8C5FJm-EusWobHDwdkmi$f6nU$?5;h(;heVeHCPZEre9OIZ7L)^(wc}5
zrt7O~1iD6`YXrJRplbxWM&KVA0k1K-&io%Q_&fOj7<%B8mGmeR3IHrU_%D_8qy{=D
zmX805o=rQupakGSJF}B$jb;jO0Hn#$07$kO04wQ|8U?_!H1o|~R>2~@w-*57c>!P|
zCjg8>EURXHl3wNc|9DzKFG2cWNt<@^_&*it|C?;gY##r!DQR>{g^2%={`VB{KS%#%
z0{%z(KS{*@9Q}_M@IOcY9eMoE)Bgvp_@Af$hdbbZf&QCq_+O;|sUrU8>Hm**_@Af$
zJ1zJh>Hi&j{Lj;W4*#R{5LIL4|LxOzM#%;IpI#gl9-Af5fBcM0r2pA!x};d~4si4J
z(^$p1YKoh`+xmh3QyL}CNuELbZ_YFMZ`tj?op%7bb1=y?Eb8T`BZ*!p0Td^44#1jk
zQ36Q!AB+w_(?o4|4kgvC6dZtblmK+fu_*}?>&)#E-5StI_h<)C+oKJLSb^LE`j6VZ
zP@531O@Mf9QG+3Lo!0*rn5YZdb>0j*0jE;lqhFJFr2wmkJ<66LYhE{opD8qED^9&`
zjG*u1%zy;rPl2JH-x$9SS5nuF&!nIr5V8K5dV|*dOj26pgGmP^lg3x9X|Dfrs973W
zzck2sif^~X`Z2qLmQ@F>csXc+f6&~ayBra+z(Ldmg4Rq~9hCA@P;qroVzHY$CkjL!
zm<A3p(LJ_D1&<uLQ4{~DyQJBCy!Zg+eNpfPP!sr!t{k}|df=$JX$8+NF>MIiZc+tp
zIUMkSVuLBUX6y_niU0WuMP#Hz@B~m3h_HA9W1n!ohMvGpck~2)Qf)>}z?>0$k~VUl
zKtSeq&o7**Lr-AP17~t{M?N~4!g~TMTaR#>z<nFPw|D}#dU2Y-B&#RDX#z)&Tp8`l
zc><^jyc4ie^aR>wJthSj-WYtCHw9i5Oo3V8$C(1b{m>NH$e99z=c6gGk>N~%Z|zNi
zjnmK+m_8j%fmq$Ni&IiU#_b=Ik{mrh<ZUzsVsm2mr28koDVhR78_*P(b)GW?T9fQe
z0ma$M(Bc15Q(zafj57t8Cweg@O7${(QQ+w5t5#7!$%z6@<d>qr=pxct6o?EYzZ3<~
z6Cl431x9$9hh40jH`{6o3>Zo}n*y9a@C#Gmg0#JpDL}MS&Z8-y*E%pav`?Waz?f6t
zVvf<wyC&wnkdTX0Y^H#-8BGDEj5h_8<Ixl_7F2aG1=gM>R#Tu>Nd!~i*tX@rFa>n=
z9ZZ1}Gi&QRn*#baeJ4`@MFG;;6gZhfeqjoHh4~x5GzE0}Uzh?2-^njb0lX>cYzlDt
z!7oh#6a~nym;#oib}$9FrFJ$2xTXHm6cCr%*%ZK~e%;9w$PTxf0w@a1u{Q+{B5k&s
z0tat*GzDIWS<=xIKvCfEFHM1`TRNEnC<<iTOo3;a8;{5N3Zejd0xD4y$P546CJJQd
zgCGhl8bS%80D1x*59Q~D$7SjQGcz0>(iRnG(Y_Dm&n#xz7BGEczU?;Hi@7_sf+6oR
zZLM*>%ui{rGEI12?=h_rJ6J|DHH(?@7iRiNX4Zt-WG{Sas2YZz0V_Ss1<^d%%D!H8
zG;Z3QnNzyw7GqW*^A+gSN;1YJJH2==)exyE$&lpb7GdxsWy%@b3tuB3`~WmXYA2S|
zgg;3cYPr0x!t_O%;V(%bvS~i-89Fh$^r0fTGj(Ksa>@&FR6~w-Uh)MO*mHWa#FR4`
z7o(G*(h%p#DGijUG(g1i3y}GG;r^8MoYN4Oxx?l(INm~~VT*db=rqJlRie|7SX4BI
zIs0fmD74JpSVIDMCr+8Meoga6gYxjgKxfryC~{@>$g0x=H<*|m?-@=PFDedy^r!SC
zP}HKm`Y!ktPl^2aWc&?=oQ&@d-5+!RH0tcLzLm`WljR4pHL!n9biQXsgH}0iit-k_
zYG`ISf#M`>%gAUjtjc+4Zs6B1CiF&XsBQ+?s<q6nod$hX&6^oRCU=_{Qm~ROqXRCm
z(oZrZ=a-*-cuXO?33ay1d7kM%uJCfnIIn)$AP-s_0UOSyY<$6OVv0oT29k=us!n_$
zd)RA*F7b)HmU07o&R@OjX*Y0zDNe;t%zP&EmMr_mbGqzZ6VIlUhf}^KF$4OB>y^fc
zw$Gu&b8?CaT%AkyN?_@WL0|5SXHN_m4NYyJg}mC8-%e_pG#E-WGn+ToYVN?KF@<r9
zU2`-}8}cT#rcCyZxJ3B@fyW8}4l`GDbr6{Ja8l2(i!a8zL5W*ZpZH5hy;m}4Uo1Z-
z9SbRt0I6R_tk3w1Ne_b$08EDlebkBw&v<|E2S<w5Ygr7zNt5a*ojdEZE%><H2OdUZ
zb#&k+2iQjD9**~k40fXAJ}y%{V9Jt*tJk!o^lnSaiL8qDtzHH9pKD-NLG`L6kN7^l
zq4%JlsXcv8-FLI-Kw&UE{NW_;WZ3R)SQ%WSY=-N>)!BC@ZJEhTn^_#QC}S6t`p7+*
z+WF()&GiXu90neDrTliWi`s#10q2?YE6jeVZW*FYQMk2JE4QsH)wMwBjzMpR<WQOx
z_rsK8+iXZ{X}Kcb5>gL)8cpwv?Bl_Fr@ut8EiL|=bZmNdPJNv-m!@<~SrDz{R2gNC
z{!VmG;dF0Sp<IQhXYC(L2S>Il+EQ8y*n+r%q!?|&$7<y<ij4_@ur+bJ{?fV&6O|fa
zsWDat4ETYE@x8UiAu}T{D!r$LGI!$`qK;b;dzv9nN5-HplQ$yob@XLkX_9fiOx|~#
zFH?gdT!Jq%|I3O8W3TM=Z;dF3X6~*&6Lpb!c{Q`sh52wbQ=6I`>V7%Yb9d;JF#!h`
zcmxE2GO!YMuaCVbf!!C+fpRDuiaaxFH*Ahng`q$&+G|*f69}eEUtX1AeM;t24ig-i
z7EYBBO_}#Ud3&IIEhoy1ENWY~O;lwjV=!AtkFb*yRlwj!yn#Uje3>W*a1d>obQE2b
z1%fT}7WyuDBB#$RYC>Dak+Rw{P6IewCMX1LnS|`T$Oox{O2dyqI=uTbv}LTa%$J-k
zBg!)2l7(8P*Oo(^E7OdwOaaO=9bFmEba$I8V@6pfLQ-fBI~Ss6r6Ui88rxa)WrEM4
zTq7|H!psZ4s61Na8gynZ>gOwcqEpbi0%LC|zj9?-nSQ?BELEGQLCV{dr};wY02<S{
z(6%zE&6yUDM$l+XE#n>4V*ya3F<Lwtb&JNie79c3i8R$aCZ@z)f@k-qwJo!mG(*v(
zL6K&Sy-9;2jaf8lV!UBW(U$#JTYlB0>Am;0)0ae-=FYiUa!q;SDwJvFCb6E%v#e*J
zL0Oa|b&Sk`-WRo3m$VKYiaw399AtVbZ?^HkRq#Ba$hp|)9N8#}H8bPeE=nl2thm7D
z)vR!?Xu0OYc{Ncj^@3Lep|!kNL&?h}+CV+ZHG#@qx2$Rnx$E3Pt=V645}5sVYR$=^
z-2}D9g;Q(#KZt5geTY$=10JVVf=N_s(jFYs{_~r>S~GyOE3cqh^M;G+3Z0-4)tZ(}
zkcw)J>N3+Rs5P$mVn<IOi)zge61AY#+`gWere#F6=1ZrWqFVF)fC%tYUmbXqOdqIl
z!jIiWwWe9)XH#q3IJM?tmio$Q8K7D-k5g-;#G=+5%ygh8&$6mD)yy@kS`!VtS`&5<
z)fySbeCe-rP;1h@Prt+r<JB4ieMVGkWD-<sUgOl7wQRgqt%2L3T0_Y#YK@9!z7y0M
zxFxDJRIaGj#A3vjpw<}TUKQ0EP>E_y>OAHRH|0C7#xJA}tESal?yvt!P-~u6err{0
zW>c0=@KLQv3mP;uW;3tWtWEZ}sWp;?yjnA$dyRo{7uA{-v{kLC;UK=C)*MrxQzBXs
z)tYZr1va(DF_l+qJiDV>Q+(A<t?{ho)SC0C)@<9O??>}$%?D0@^U>^FnXU_ZIt;f4
zsx^&09!9l>pjva0cs+t@O(Uu`<2^?m5Y(E_P^}r2qHaUAW;}yxjoYiJ*2KhcYE2@s
zsx_CI<fp<WM7y~p4dm1szZQ#H^G+g5Hs%EiYRyu@t2O6Pt-0*sN)wA(6ArvuQ^u(^
z6JmRxw^M6gj&`@IH6HDPTJu&2(kk55c(vw|+!xiFFCs*>=8J?2qFU29-47J%1A<x;
zLVjM{AgVR1HMJJC2J;v#YR$))N;|bC%yB~4m-cE6h-yu{wuMt`^yLOlt=TcPH?gQS
z$5Iu<rq*OiP_1bb)tb4VqFVEvkMT!TYv$J4)S4%>C#-4>3!GYWlv8Uszv*p3ty!JA
zgHvnjQLPzBzEl%Yt?|{{t2Jb)#G=-G&#5&ttL@dA>QXPOTGNZNsx?83Rjt_)e88sG
z9M!(IMpSFAM$G5bnjIFkhL|+fR<))fD8i=J3<Ep0X6E(|YRz`_4VzlCHV!`z6V)1b
zVyD(Ty_eY38j4udnrG66TGg5!hpcK%?>TmAjl*4wT2nr8qn%na_<)^S<0iAJHLK?u
zEo#jiNe8v2VY%L>*1*%ES_599T2oI;JE%41P-e1MYwFOgv8gq^58JCXYlH4s)tb@s
zZEDRmMU<Ud<IrePYx;g+Q)_xZZc}Ugh*hnj(QOpeno34tQ)^s^MXiw#i&|r%y)0@C
zx)m0+#*Nt2njm6TYhLwx%1*7>8U4Ift(o+cO|6;IU{h;)p0=trQ{J<wHIu%#sWqve
z*{L->KeDPdDzincaeT$9)=YWRrq*b7TGblWUoC3QlyaL|bD!R(){L&SsWpR$O|7Ac
zMXgy$`&iVPAYxT(+=x}Jkr0bo14LA7f{0bEkr0bo<3?<1&0u1u)}-FHQ)}jpuv2R)
znM*dcrc$oAsWp{;r)+9XrQaT#T2twFz^2x`nsCNWtx0{?POV9O$xf}=$+}zBnyoZt
zRcrRpjyAPs(n6bBqj|`x*4(GIsWqwd?9>`rszt4FR9V%UNyBVvO<Iaot#Kh1wMIfL
zYRyjhM5|f@L{w`A5t~}G(*F~ST4M;^E~+&<6?3g>jf7a#nkW6=vZ^&-&c9`+)>QhZ
z+tiv@{7Y<VO$ON1nlp-tc4|%PCw6L0>IZgeO{%?GlWMe6Yf?+?)SA=<c4|%P20OJT
zwZcxVNzJxXYf`m#YR#mHHnk>oqMcfkI@nIFNe!`6Yf?wpsWqw5c4|#3ZKu|x_O(-M
zMm=CtYo>VF)Eb$mMXgEouv2SNz3tSRR8Kp#W|t<wPOX_rby9139kr@8PQ*^F@wjeP
zYdnd)T668XzN1>R+^dsXV~GDqRBM2UY7Mk^R%;v=+teBm)tXho727Rp4U7}j8Yy}y
zqFQtOM@M_LrYYvGy;^f$vrVl5N>poP>@U<BidfZ}0Lo6Sc|3lURjpB3)f!cSMXfO~
z4~c4xL#sut8FRp@)<A)%)=>2pwZ@_87itX<QLX9GY*lNZSyXGFT2yPCWWS@<z;02k
zfia?51M<#l4Jbvm28gKEtPFd=qSnA2QLTYHqFMuYMYRTQi)sy2i)sz%M70KLM70Le
zM75?OOlMJRyzW`m8Yf~^YaT_n#-i3pB{sFj>@Vr0)>NZgV^wP?VpD6xj9yf0dSOPd
zsMbu$v8XjKE`XM;#~yg3|F`c#_`YYnx^MXQ6S&lzyq8Q`x*R5lJaymkUH=G5?7B_Y
z2y~6W|7RocoAdvp(W^|u`SD!-|35hYUuB*DZ=yTS|7T0w5dOcx&;PG+4Y1DtH?ifG
z`Tu{VciHCuSF%2~`TzHWZT|l*HpXuL|BM@U^Z%)I%l!ZNiPri5LWKZ7|G%f!I{#mm
z!WjUZ0FYW@H~)VZ1_1B|fK33nf&l;>=l|ba_>^b>2m-*I$PV-WD=`4TZvKC{-?k3(
z|4&`N7;!F_{-GEO6^^MH38%CD?j^_<YUxvsLMXtaQ4RN2R12X1?TV&eTquAdavvso
zV<^DZk#nLJ2Su*uwSYW6)mts&LIKusT7aBo>olAd5P9qcF%;m?T>m2)5JLe9E?_7?
zP1JcV6rfn!-!2qDuSy*3!G{7AU+NGFfSCZ-2K!(rz;!+pU{u~N`%r)il5HOfKv%ZZ
zHB$@4NPtOPBEbFDNB}MoAlnuRfQbM<!%8xQ@R0yXDN0NPNF5V+s5<b-%Ym=@2ku-s
z1ZSlQsQ-<?4_6OeANWRfptDH&F%p1F1ep9?;L`(636TJp2yomk5&%*EdAmpeOaw?a
z1s)e70ZcV($2>1a0{klKAM-ws`uRwJ5CQdbkpS63BmkEPz@h$uGd^8|XK^RB9O{pf
zK)fXn-~}NNfHLWiU>v~H5-tyb<NSOaKu>}5V;sPdPvO*>eR;Dm4In<|8Gq)78v8H+
zEv5n3hXGvS(f~?btcbszPXoX(fTf7|W2!L>U_nZ7cOeYmHX{DdV|K(`^B;dxK>Uwf
z44#3Azn>Te;1K_k7zQx!?cmKJk601^E-n$kE({=z`^6FlVBpdKgfIXiqybnak0WM9
zB8*`Gm0TJ?*daa);Qd}zVQ-EJd)vzR4`CXBeHcJJ5BcpGKM~RZM%jk}5Izl{Qy2i@
z(*O|icVPTyxikP<7y#kZ06K&L5Izk+2m=^n2?HQ}8bF6IfOA3`fL$0sCCB(JVE~nw
z24D>X*obKWc3}WF`7{8#FaW}(0dx!lXtXeX(~4#=wy|6oz&Rlez#0Z{<yae+24D>X
z2*EIbMm`O|E)0MOX#gF=05Ast!Fk6p04@hWQ{E{IpjJo&=nw{gBV<i?u!R8-Bc=i1
zLhTSg&e+E^09>d&;wM5Hz%Rl8IxN+S_z9N=fJ?PQ{M=IUvW{T@1o$)nVX1bAAF~|9
zb+v^7{EbTku!I2wqjqEq131H_0a(KTw3r6aAq;>qm^*|4lwuk{r!au8g){*BFo2)9
zGyuCWfSt?DZ&<<rvM>$65(ePNHN`}ww_z550mA_JEP#<<=`@1utc1lKvH^S+zyiiO
zErVgFO;{sD1KhNW2Kb51uUa1GJ;z6g2AIilbo*$4D_k@{y$}shWy9#6TkE)JfO=~*
zKp!C*;HS`>mBD;8Kmi{Ou)UT!@{4GIZI)<&P5Ndr8X%L82B=q_6QcpH@X-K^k;`H<
zz%FH@7!3f0e`hqnmW+38(Eu4OoudJ^`8o>003@0rskUGM=2QH|5)7ayj<E{{7!RwG
z9>!pRBt95mBOeT~QB`LP25`Vx{FYz<*5|ZcFaXldG(H&M6)qTHZ6or|j==z%m^U^+
zz$PIWU?VGaqQqbTR{FRt7@(#BU&u;M2*Cidp4MOhCtv$ufJzuLCqxJan8~5eIQw7#
zXzCaYVCIqs#9)91??oMh0ru$;h1vxJU@idZ6b!%tpw7Vn(iu5~3kJyHf&si$7!2U8
zT>pN~bh}`Hh|5ASz<NFy;G;lWFu=HSVhaZF#OKY+9dV}Tuj9<a9fAQqM40K?_{(4b
z?TPuV0R^#bmUMtwElC&;fIu^^1=9h1FR`8>EelGeE(=QGSPtm)RTE0%+qYphKq-tM
z0>W$oSs6wH{7jZ}4KsJHU^2iG>C^g`3fjy0XaHv<m^Z0)<zg^^GqOu(54AI~4+h}i
zWt%k^;3C4y9dYHa*#!e2yiCJj0BX!J6)Z9s)<&UA;TF7tc5gI*p|O#)x|?+}{9vX0
zF&b8@;#o~#-&&wp+8uY0=ppLGW#D-4F6-{5d`$Vo-MemXxLKJy_&8fyl(J|u34eqG
zHN;r!Kzx~7X;t5?09S-KlwWl%VIAq_W|cGuK&xG)(yng*fShFARi3N#Kk>8LnUkz@
z08YcddiO57%)_q+={D`_L{4^d17{Xir=@8wDGBTTh02pvenbz|B%PFm?zlgSM8<nY
zvd$`H_bT?pqX8ebs!uaU4X(vn=5iGt(=TbyK5cd+-TSxbBC^b?6ArKv;D+jiTHT~1
znzP&*7-01^*#*+5(_grt*W>**)PDu{;ipyM#8DNm{PMJ_KJ0Mhy*tp|lX=tGm8v`>
zzp^&Gk)qN9lo&Xn>jhs^toyKBa;q=YY5;q9!buRBHF~2)YsLd&cNJWfU2BXdXl^;(
zb928UV^>dVWFBC+JcLQ)dl~CFCX8vgsbNptR7tw^YrbAjPtiBuV4m*>@M(P8p2i6G
ziThqScCC?K3~)sjP9iVW0M)pMz*R4tGC4PrZING(RMt-;sS<M4>#A33nzK_)nbV}k
zRN~O>s#i@^e1!WYS${0#S<OmsrPYRAy`|~zg04%ys+Xz0%@NJD@{om%H#I}geS0~<
zojsA>SfD?9;aXKRIYn>O>5YxI+hjo%?eyks)=0IHK1TPYk$Xe(oMyfQ$*)^K*}21g
zvNP~(%m`$ziX2(;QW<p1h;*u>+-M9mP}Gx1bB!Tvmxx@OXlc<#gEKL4td+$agC)w3
zIo5g`a|||{H6m*rxjw1h&zVm#crC$)_NmiZGYs@25VS5kqR&iOsHYd|KRa6Mv}cWG
zr=Kn;EcAPs7l&EPIm)_Ij+k{7;VA3ZJ-GyfDxR_?G$!oDQlk`g`wKysU{LF?yo{7}
z%6r4l?bY76Gqp63C}I3#$|Yq3)`b4N_o#D?TX&AK4mkd}T7TY8fe8i=CX$WwPYjKr
z_yhyA@`~$Nsc}ht)#Dgppav{^;xi1qAW!Pt(8_VvF_Y$=A0SP~0E5_j<SpXb4j_P5
zy%a+X1kl<57-GPK)}4HaL6zgP&u_VoHa3Q8JoW_7Sw|k8P(B?wE6F0Gb|hW;3OTFc
z>mb8A_7g6{fak0j<}zS%5!<F*uX6Znrm{zLppanjv?JOAjuV(lj<dc4ZxYqOPo0G%
zgK=w~S7MC8#s@c+@8B~GPIQ}!pmpd*F2msBM}alt0ymODI|3gYJiz>}zq9fZ4_f~Q
zQG_F{#K(B1kwiLkq_s4zF=koSH7_p6ppl2I1Na~V4z~VS<-i9Ss4u(%lY}4x4z}tY
zxgY}$whrDOKj+DELU`KRVo5UCAqjQnf((vO{T}CVYc<Y|^!_+mtG#?(%rfZKz-1YP
z=C&bjy}t5sKFL5CQuZB}4+3{W_jD^Lvqc%a7VIhT*5m??wk8!?aO*Wwbx5}xWtJoZ
zp0@VKB!iHGu=9u7&&`0TpU>I2eP~%a_!u$9;FAq6Evx5A>#%FRe+n#PT9}I>Y3+@q
zRqfi{n@ch9Q-I&GMv=AFu)bpz0&LCVgAA_rVA3`B9_4}z1lamG7i2&g^CojS2JeP7
zGEy<dpj>U_S!+-p#u!Zd71nx|i!rcct&9Ye9|<`IVY|N8H_YW&YxmWBjKS}+*0EfS
z0moY37Gn$w^nuk~to407Ky<OzF4o$`TE!THF4p>YvDPLFYaP}QZ1DQ10xDcxs22fV
z2bo*<iV7E(3NW}H0y?z+9(d6WsF|2)CL0UK2A`0;quL7NXPz+38t;7^<h$d;Yd#q2
zEdh)-=%#0VDTtwBy@z{vd<*Y(d+OacD2T=XAT|ab#}I;zpLyX+Dn=TN-(N<<j=$0H
zLI2p~@%>$9sXj~kA`O-30f+`>eGKtBog27SeBkDi99!dXA^E+!$wS-a2WfB{k_3DF
z4tT>WOUFugD`I!TOctI$LRV4_eev|Me^6WnNSrGw0uS}0J^MdKdskGrIngI}N5{EP
zvtjSt_~1|LpiXysfea#_boX#M|Apt^&%MUZ8dh5MM7Augrx)9I*b{!zx`;OozH-n^
zHYxpb@orVh#?l8({c5z~PuwxBsL?*sXFce&boKCrrLLed*W5CB49Zp|4(0JQVDtlz
zrzIHufOuN5Ph(I-3Aqo@)0+EGDY4`}Z1=FhX<P0Ccv|2z&!&B>xet>I$KR;2%Y86T
zvE@FX-Y4Wf5S1nOAsfWphg%NT+y}=EeC|Vl1Li&?zC|9e=04!5u9*7}yisDweb@(L
z?nA4WCHFz@L|bwnbRgzFXdEoL594K)+y@<qxepE?<~|t5SaTn$K+Jt0Am%=-=w;1)
zI3N*n9|AU<1U~iw(X<fzfM^={*at+@z{fsd>I3kx4~V8w$H#M3MAI%p>;s}{T8Mo>
zG!1<01EOi*V;?v)&Bs1)Xqu0GKr{_}>;s}{{1_i&A2>A4$37sMb`@eDTs?-&!eQca
z=rHv`Cd57<n%?O@)K!RmKs2oqVjmDq$5>+@cr<<Q_#NdEA@|`CflV8xUgL8g)>gS#
zb03n&x^RJPe1GiGf%AryaoXsx5`&4)eaP$oaX=27iP6N5Pfa-hZ*ILLRi?9_z^L+=
z>0>{*^)mQ}KKK6_V(VJnt`X=Ofvyqwj~s#D<o^*}{Qpnj|CQG-YW=>;%{X1;cROpR
z-&2eIu7%UPFb<$vu{^2)Kc?o%zk(q87s-EjuFP8`|EoFlPog;TFUc3`0M;crAo@r0
zKUJ3=$)SG>`B!o1pC|u)xhMdU{G&2jtQE=sdt4uYULgN{xhMcj9Y8zR2Y}}cR`SnH
z|If3M|2*siu+;$^=K27*Isgm#|3<;1f06v3yg=;B01mBd=E?wU<iC<f|04OX=Fz`E
z{-<)Y{4L~v1&98HGJvH5`nQn(w^lKBWdH}T4Zyw(;Fa}8z6^jT|LYX@V;O)z{tY^u
z<<C#@AAQhP1~5m7=pQHfi{yVOH_P8j{;&F%S;_!7^6!r5-%9?QJ5&K6`Jcq0e=GUN
z8U8{O0M77#fkXcs`7h+i|6?5bw~+rU)*b+!{NJ<d0VwT`<X>;s1AydzC6fP-c=T@}
z{|ACO^lu~oo_r60h5W089snf&PYFE$BKc3HIO=aB|9RFP0G|BI#2x@7|Gw5901NrQ
zX+{55@}GJ+?EPLA^50_Z0T9Xm0c#I{Py;|Z^Z*FtpV;>R2;`r1>;bTn|2tso0pQ3#
zvFia4$Um{~0kDvNV&4NGlK(ba4*;nb$bX5Y2Y@I4sbUWRPyQ#%gdPBn{I}cp00`vY
zZ0!LM$p5{LJpfn(u%fxmg8uEuzn<#>xN^*%{4Z<b(7%oR6Z;+j3;8E@JpcmvCmnhK
zEad-ohaLcq{F9D70K)b}@=xq~07UXn?0Wz#<R8-#%56OW7V?kV%f1IdT<Xjn#I6TG
zB>%*|2f#x9xux2A04(JHSC-0?|3%gw03`p%#U22G{6Avt0pQ60E=v!9K>ok8_5kqY
z|EgUNfJpw^I`#nY<o~=~4}eJipA&ij1oH1;o!)OU2t5Eu{;PTPFOYwi0&Q|`*r_6%
zFe^}h+eClm)mb*|pIo58MgR``BSBV4mfokeVt-vajg0_2_Mc1%jR05(aOId4`^O;l
zS6dqawhGi=#Qw2;oR{;B02b`e6c`q9jQ|4nS8~&w)6QvxY0j}C_K!vCkJFqdIkSqW
zOw`Tp*4knJB<=EqS{wGqLV$UNniC@S2P_2m%+?5ig#g92Mu5nylA??)87Fw`j}x3H
zMrPa*us=?4?k+Y0_(l5ebi+?&+!+r1udcK<0$?FPr5*Sm^RTTEfCK-MpF4wpe|n3h
z5dfz-m)XF7c-ddAjR4#<=ObJrfB^oH``7;h{3G`dv4MY(3XK4W<=eVh8UYY?*4V(m
zLy)Brz)2Ek*9gFYf5UXX5r7B(7nj*J0&sJjFMzEP0LlL2Ht>I>sY4^cJ~Qqo9l^h{
zg>+~H5au_N4vhc^{->3-{{sA*_ShN$xS7m#*a#qk|C4HKBfz+FjdQ!D5x@fe={9R4
zfC&B<uJW-p0tkfw%WRDRJorcM|8=KE0PTs^&pLvCaVE0>{#no3j^KYnDbBv{2>y}#
zU+o0`r7fMnKXU&ooxuNR`-!a)K$x}MA~phu;2*jFEK4H*H*5Kb4g5zHVBEF{{tY04
ze~Pw%e|D7>{NoN{1^@2pR`AbCS6acpS!V<P#Ki*sp@$XxH^*DRze?+D1^@b=oUGu#
zcDxPzvr>Zv{Ii}m@UQZG-46Umh1$SBdqQgu{+Y|Ytl*!xS;0TJTEM@OG}yrZ1-S+M
z<NaE|KgqCx|9d$dz<+pSFDv*5)(Za7Qxm{H(OAL1s;>?F-}A77e<s2P{=+J);J;sQ
z8~BG9JMe$4vCIbkk^37g;6Jj?2L6eo1^kyet+0UqsQ48Y@XtzR7Vz(jAF&DGzd73m
z{uA8mY~Y{hY~a5_V+H@lA@<<kGS`~9!=<H);6G=y9r&m3vx5JyUA7v71{?Uln{EaF
ztn_*Z@LykU5B_z|CY4xTp#OS_J@`LbyW1Z8gP#@rf1F?i|CK>j@Zb2T75sz73jW{Q
zX#@YTyd(IR_qBn4GTH|IWm2xXfCK-m)MN$!5)i>Z_}PK~^L2LMzrBYQ{L7rI;6H>C
z!T**%8f-5R!9VD1;Q#PyEBN2B#s>b`PyDRlKQhS%{xg-yHt<i}ZQvide{l!!56e4%
z|EYa!;6JctlO6c?cV2A;|Ae1nEr5ULhwQ*V>t_Z3;mKTsfdKxyxo`~z9Qc1>E8k$i
zgMV<dg8w<Itl%HHe<NREU;+Qg{a0DRf3kM79r)kg=ZF>jKR(KVt1#feKXJ8y|A))E
zTRIG03!dMf?=TR-|M2g`3IhTBFJ9VRs4x(wS;yLe|Ic5w2mc#h+HM2?fn}fDfqzUj
zw}F31vVngLleU2W=icWU3<U81rI)J({BQE?W&{6WjZav?zuGAD7YN}0SNaQh@NeH=
zpzQ$u=kompBKZH^{sJESbNvPO;2-B$cl8%^^%r#Y7j*R(boCef5Bm!mgh|%J(}HQL
zFHQUP?`P;v_v=P`e!Ml{aCN{*6F3BJ!W7L9@O@MboP?Tf#V@-%KH5|6b^vo0^PoaW
zpvM7lqG9{{Krh*6Vk`Uia)EaoT-D?q$vK0X^q_a;#a8GbImV!ib`9I-HZVxKTcu2{
zP<lb|U*CT#@2@76q%v#_yyMR*b#AgVE6+tsU4wi_fJa4I*a_1It`+nQSLXq<jsTpZ
zFUVD8;7-lE07s;7;fSPiiDbvSb!+<Srblbg2UrwuI_^ZhHbpCgXtme#Sfb<M1+%>>
z?xU**8GK87`_+y6*`VAhlc<z53|)!@e_r3fNymXT_ICu;kGlHd`6i*Zp(DGe1a|Kf
ziQes>+u7hROf2{R4%766%7$D0-7S?35Ru~Sv2~U%U{ys{Q#`gdkj4m0YXg=xNQBk~
zoLTN5wl?fT>dm({v>N@y)`oze>QrKDgRTjy8@Sd6jmbr9Z5R)<*xI18(t9ZgtqsO1
z>~#=Y8>-AGi*T(Cq!ITMuC-ysJ=W6Nfa!KZYr|g5IPQ$^@qItn+OU}dp|xQ@M&XJ0
z9)#A0=y?ueYXg>*iLDJM=b(nbwKkNOqrlCzHn@xcp|t^%q=eRn6ICFzHat)dLTf{T
z5rozT(&!+zHn@5i#MTDly4up(VC+BFWk}B7LGQQU(H0Bz{!5YGi>(d6N$)MK4LGx0
zp!eg(UCcTM-#j<ujpLV(_`uI?yEgSY=I9S^E-l@EDrKZUd~$H)e<TL$TB)uP=o*2p
z5%{kgf#2l+eUbmG{<-=8v~~W!f$li}pDu}N@T0x?`TwQ>Z<HuI#QzWB<Nqhv=Kr%k
zQ*879A=EbipZ$OAy$^iVW!?Y(**S+la_~5FDk|wwhoBA^a#YkQ8#@~V1`L>pGTR0l
zY&qE64g!ifWfA36s^yJ|ca+ntD7kI7QBkeiWmXuJtEeccR+4ci=1OB5pYQX1UDxNF
z^Eu};wEO-(zK`GI@#Di|yv})D@9Ta2|NnVk=Z2+8_W%9QCE5R1`yBiK1rNmS|7*tZ
z3jpQ^04Bxl|CfXv`~P)cO0xgQ{Qs5|`+v;;f8n<Ozw@EjUH1RezvZ(3$Nc~1B>VqM
zp1jCq|Npl?6sTVS;KcvZx~fS0{{P|=mmZJ<fB*DHo8B)6{tra;F92l9fq$u(`UmuZ
z|DCfd$I5~K&eHrF>ZiRt{Yi7+|3qE(XDxl;-?+L-4*YjUz9pvqkHlssnfiyh`~Rpi
z^>0ZW_{(|!I~@2&-p17br^?j-XGNv)1Aor@pGzG0%X$Bh9Qa#J_M67of7<uN+COgW
z|5);o|Ht3DM~?hk?Q33D#{LtR%)A+E|B{JM?4J19&WR6IWl!9C&5x9^|Ci;+|4Uo1
zZJF4y`?A-3&XNBu{}gNgt0u0!>_4=z|D8!k{+#%)Pd@Vh<Y$(sBmbwgvHztU`ENAF
z{+2oN-`k!z@}If4<O}g5|FQW`G@2v-B5mw{$T{-APK^D}O*-=D#6Nzk|KDebvHz3F
zNB-aa%ZKAf{u6vx>m&aQw6T9MapZsX^k4i<F7%HZ`yY?I!G-?H*gqh~{<iO|maE=&
zjQux=vH!NmvG!kb#b33t|1a;7Bma-w@RRI$KNDmB3$J_l4_98dX!-IXG4{Xz?K`;8
zUm5$K|LMoRe&xM6w<%-)FS?KXZ#-D_NOXC^*gxEGhhywNGxn=AWB=E+wZA&@e?pA?
zzcl3w<EDJ7WXfa8*#C{CGpmBh#{TQ`>-@>a{&vRh?@af*js5M-7i8?7>NfW0x6-DL
z_}vR>#{Pf5df)U16UP2_(uMx|K7VWz&%NfN6k~rOYu|7i`~Txjf9ts}WB=Euc2=Gq
zH}?PH)V(|7#{N$wj{I|`4XF$LUB>?R<*ZrmGWO?$|CO0TZe#y{C~N<uBmeM;v?Kpx
z1MVaLO~1C6zqaewsmA{H#!o&`=rZ=Vtvu}fFXgm9+1UTB+()b&;REAW8)JW)6M5$y
zj`)#3C;oQfUmB;njQu%rwPs@H?>6?g(~tZ)@%PZGjQ#E6iH(=KjQ#C}uWF-ym$AQ{
ze&mnV6De`k#{O^SRP3#c8~cCkh8@!TXk-7sFJD$#nK1UhC2z{FlZ^d;^nn5E?i&)u
z{=eY|P(E{Iva$c$)&);y9GK}g_Wx#vWoNsL{ja#S{6pV)MjQK|w=ots_V+gxim|_3
z=wF4ozp?hW#JqpQHIXSJR;+BO=SKfEQwEx<R$Q7pZ~lGqV=WJT<<HJR|Jjv?kL9j-
zw)v(}9|$&aO@8YQ3&p;lYw}0MxP+R6{#WIk|CQ6lzW;_Nm3jY-3o3JOw$6A|4*Fl=
zoc}Z~qi)SRLz(yg^FxOxFMr@7?E9y#6!ZSWcRsfNQtbO@HdWWY;2iYl{oAzZW92^c
zyhrYPZFTb>)It9(9Q5yhW#;}jjeY;CvnyxqU-QqIuZeyCXJ!s?(9b#lm#`(zyJYVr
za?mg5{I`y(`R3%QHV6Hj^Z(?kx2D<~rVenE`HC<9Y{gHVgZ}9&N6d&H^q0?{QQeZa
zZ{_6aS7P9Qg>%r)IsX@@_HUi~&S(z$Ip_bv)XXDOvvyq?69fNWho@Rs&;H_)Tdd7X
zFz{c3f&cT?SD#cC{!ivB1OF{k2V%~B<`<g#%$0%v<5OoR-Dm#O|HO;~3;(!*|0cix
zyV&~wqUiHeyQ~SHZ=JdO(r949lUVp;;6JwIwEvd7%m=Q&<=Wro%Vpyn^jqs**-&m}
z1}t@#`OeQ>Tl}|c)m`TQ#9H)yh4c9do#(A<J}3tM)gvxj?ObO5wmz<pUuM3)a!ba4
zR8IZuw>aqMod1GPom(IQU<p3r;>s7~^nO~UbDOzMz;c`U%Wq@huMPY;?C(Bn;oBoF
zF&CN3Ilrxg;2LxPtu12U--3bv@y9L_3;&C-@NW?V|L<FEuQV+wo~ExXKmM5lZQ(Bl
z{xe%=mW|3kWA5YHz<&ULV=lPj1!du{?<+r=VSWB%7ibHAxv%{8?__*;>Zrg^rs{)!
zIp=@dy8Xf5eeEy55DWjff&V>YGJaqAiPx-)1~}-S(0Jph+Z+r3+x=qTKhuh?@nhkC
zW$qc1{cASgh=u=VZQ(zEbHRyc@591>vvpHYTli}O|Gx&m`Jo3L3xEH^5B~c-uby~Z
zS@@qNca$3g|7Qb_oP~w|Sz{NTr49V;!Pf@YCtpwgn|D^ud;<&ruR7P0w-oNbz`35>
zpYIDO3;)O?mQ^+8%Fl|0KL-Amvhc^i|A9xI5(|GZ@IOOa_+#L|bm3ze%EBK5|EIRh
z{DN5cW8nYC&8H~~|6C0GKizFC{4wwkW8weG{c=n5oQz8jh=sox_y?4QzZm$BHx~Y4
z;C~*!TR-(^?x_9tC7~(W!vC-`@VAtOKL-9cDGUE0G05kf|0QGL|9uSn|I@MX7X$yl
zY<g$mTT{Oy7XDMWK5JKrh5y?Re+L8qNm%%|Vd0N~|3q!!Kl4pF=Wo>({uuag(H8zx
z*H;f^C<}j^bN-LcJT4agzZC=jsXM0rOf39=bMar4fq&J6O0n?Az@MKpxbCA^_+#Lo
zp)C9{@c&wVS>>y|`-FjilVjnJfq$;C@W;UahmM8+l&SXL^R<OP2L5$o;r~Ma)URXU
z|5wMt{~OA{|3YQqAK`au#lYXMEc}&$fBy8DHWvOE_@ARK{6BIT=lmm;g@2@)bN+y`
z@D~IB{QXlySomY$U-15Cd$8~q1OI<h7XAZ$+Q7e{@xHgQ@D~IB?_%NKf`z{r_~&a2
ze+>K&V&UIDa`~^U(w`PO<}t@H@c-`RZ{Kjcx>db&$2iBr9|Qk#W8pvLN8R0{p8bqv
zeMTGj-*0#8+te36{*jq~HMglh@oHJ)5A|*8(NBtj|4r6kt<aCf!oNuj{O{k^_&r<Q
zr2fQT;}-tfz<>8MvzjI?m@-oCQUB=m&x(crOBnb+Ia*oxpTNNXb949Wd(=7SKT|CH
zZSGN@`$j?bgbQrBNd5YOy03<VQ$DMV{PkJ?=P!G3%IV6;KXKO2ugr4Rf43O<zjo~n
z@w5I8IqQG?)n}g;BY)4c{yUws{u|$qk-z6zzx|%h`kxge|9iMh-JJFB#K_<CtpBU|
z0k5<EABvH`=UM;PF!KMtGV*^d>8#&QKkK)Rk-t9cKX&eC{?2vkNoW0kS7-en(Ko8c
z&-(3W%~}6O*IEB(%vt{*F!J|0>;Jwn^3Qnx)9$nWfw+<XzjW3=&vn+nI)2vw7iHvs
z>a73NS^wc@5*Mn!GAVwc`b($I`cIwppE~P5b=Lncp7sCUeWCi9Ln#-k7rbnl3)OAQ
zT&RA+O1)5h<Cw&S>KW!j^((iHd@9{$ofV<EQ2q504<=uze#7A5<O|i`x*~C*dWK~#
zRL>2kU8rvR;uorC%uBjZy`X4p{6h8CR*t>(srUWPh3ZpRS>{6ZcSbuGs(*9a#UmY?
zb<13+{;JQpQ2p5Gv<ua3%Ur1bR(AYC^|vf@q55viT&SKo_9Pdo@3PE=>Lr%BQ2k;n
z^+NTT{4%gU_0BLCs!utOD}v0aw`DF=KW>=|)dwweq53~9bD{cf%Ur15WSI-qyDf8}
zdR2zGP<={M*tt-hStM5L+Gzds_=W1+r#?F0vbE9rsKkZp*}nTyE>!2#yDEO6y6sC`
zs2+d&)|R(#om1~;oD0>jeEs9r?>-gz{PJZPU$!29W9lcbtDG|1I{&g6)lW4aUud0p
z@S}77{QtXyrBew$l>?`8;8YHr%7On+=Rla)W$<r#QE73wXz}8Oi*FAvXpDtx*EX(O
zT^C+cyQZ<3S(3H9aACCQBmyq?q78Mm)it%v;gyXwwc+};s~W?x+BHoL)iJ)cgkz13
z;g&Vk4GnR<w-hX1FlWK++ryVE+1P@p`T^m_hB^40x+GS;@{T3-ch_DLUQ5JUnrc_p
zud1)D$qCoguBu+w5UXFi8kOPP4HGtmS8R;cwxBjWzC{~qSFVfIR<CHN4U<-pk;fJ9
z;_CW_+8R;TTpMeyuf405cyA!g+Lf{T#<eZsRn3iSwC{KGS5qCU{ulf;H8-xTZD|qR
z;Z;N;JZVDB<zsa0ZVwkWu4!t<SyC!lI%Ud~ush~bWa76Nzs6f~VHK7y4i_w*pOo<Y
zO$93bVS{z|=<k;Ke%O5PHt4wjZ}DCyoP2`EIBNODw};D!ovM1)6iJ<mm+<qeH`K3L
zM}}{xEnX5XtZu4aSs&XNUR+zfvJP9>xSV#Eq=y$&uc^I0JaIzHM5m%PR5!1dEGb%6
zgp!lgaHG#9SJ=3&p+>cbf`*31l~RA_s}>Pn)!3}#WlgxE#hQ?N)v`o<CbWd>s$0U<
zYpMEoRX5bvgj=Y-;Yrlch7FYJ&E>_DXQ=<DT~k_QO=y|0azcytZY^KDaDMTU+rx>f
z*w|FNHe6HROdX^tULU^1N@$`wu4=j7vZhS2rf3D(ldM?tx>{>hbwf)n+Lpvy^&Ary
z$sF<{$%Xh<H#E~?H&SEeB@3Qk?9lbW!2|E|{g`oo$6)3Y+JCOW!-h`|x2U<9Tr8vN
zOWl{sEs>Jy?~Y$eUQCb%zI^iS;aSx+QVwhQEe!Eozc##t&cP_q+2Km(9D0^`-AGAs
za=cXaX|BC<9hpwngek*yM9K4M^<>{WnH$a>J96|DTS~UPeY(#YVFfa++%t1eA9-5U
zmXeHGe?W2AFkYN{+Q<=ChWx(sk;$^GJumD0J+e<@=8wH`r{NvBcf(2hwVsy@ZaAR7
zTPD2Ri*iSqh)6W7|84qfo14SA;gxmO&C4e=th+sYBL%c_qN?H2R4j3y_Ac&Moy7gV
z_x{|3=*-B~*IYZ}y6bPqyOD4C{8<@3e_+JOQKL^A6C8Vb=#0!W-*;Bl+2@=)?mVse
z{0qjv|H6yH7hiH|_JqqOPP+VxD|04KnVLK8s_DwTU{+zYsCahCoVoK#=Py`TwrKH^
z@|&05vh3E|s#mOJ09##G|G_&N)~s!8y0f_@w(hR=8#dl8o^?E~REqRxt;wlbs~Xp>
ztqIqxYig)h-BR`1m358HH&FRe6Q)J2Ypz|pvese@TN|4a+t^eazVXKJtp)Q-E0>fn
zE-IK06f7>UELvK$pd6*jU!{_se3MH&y0Gx(`3Si^c<7A_7A=Sxy$qa<L^BZ`9c`js
zyQ+RILoK~yb&D0NUVZ(>>NO2h8k<+=T$P)9)%7j0W-qq(P7iiXb(7Ulzd{sDZD^Ev
z$CQ;;Q+0DoZL?L=xN_YZa=^(pOQb5bW2FdJu60HnEt2M*q9N7Ys;`-lJG~|zftqz|
znp6a8*VM;i#NcA{Ve(DVkvqedJ3dCFQaq<bNQIZ|9`~6PU&noALnEEO>v8#)7{p_`
zzPX<GkyYwLn1<HaZ0Y=Q^sQ=G*HWj|rPj9z<ps0Ns8oL!VWzoDRZ9}k?)7U|GL@;0
z)yphQOQaM~4Wp$@^Qay*;o1%K=P{~Do>L0pmRNOj>?X_dmXpF{hP0O7(=bKuEjKY|
zVwj<4;_VZi%vxV3(+8;-GL%$@S1{b)fvScEJ@<3uhS4{f`NrBBX^N7GJj2MDaPN(W
z>n)c@{jaTFGufo};)^}1y_Fi}RSk{n$vY-csV+J(o=%EPZI!e~W-x1O8q!s%Kw20Z
zRqx^*5Dl`4TpT73?x^KgEK_n@X?46gZCSTcDyZsfOaXl4)3em4T7#Pnetx^=$3Ld=
z$iHdaZungD{g9DAZm?m8miv>z;1l}$83s=nx$%!{K5Xy-gWoW?!1xasf7>6`^4A#u
zCi<@aM<viwU7((0gx9R2^OowrqBhKeDYj9{eOR|EtwjHy(jG6)vu@(OsmrWQ)^aPy
zy2rYg*JoU<Z$e4~O_cdCvCtJlJMwci;q~>gy70t{C#op2JXux0!NVs@6-xzWO`9^!
zl2}@kCr`HGEn5#plht69V4b04GDC^ZIX%7&n-%G~D7`>6Q^M+oCSuMY&`j%WP&0*U
z`jqCDaO2vBjaIte_vq0S=-OJcft9Xg-&(qqdX~BMEK|a(8md<_d2FsttXRcMBH@Jv
zr3H&~!b^%4-CVSwut;Y?PI!JnSs6=V=PN1;O6L?TF~O<KPA&=6LnO)~&HcTmCLXVN
z)~h0sUeXkiE{eDuwX{xkm8-~1w~WL!w@cUmkA73*W#85~;Tsx%vsdFoU(@)~-!$$v
zxcx2tz0BYwgP8_jGPv8|cH^(kV6LO@O|7TZV4cA-gSmgz?vu>-V~+nR)22k?V`X(y
zJ^j$dx<{IPldP30btyE{s+!itm_N~3#s%mc8*8KsOpN|&l#P38To)5x3Fo+vSmPZG
z(p0BPz2;+doqUrHE0xua&Qi-0r+%d3q%#W@bt3cs4IVS$IOv4$e9sK)cywK)vC4cu
zY`$+d=(s!IQ`6;qSMwWZc2LQ{L)TPkMiS<E^?EdRq|?#Uzcap7GDBM9_LCxC6A#RY
zrMo-Iw19^@-BNWtnr`>iwXw=(uJcMv3e(-y2p*55+r6f?p*H545xU*$*Vf1C8G!DN
z%P4m>;8v!4j)#)?pyZwWmb}+~(-kMYxIVf3tIq6S)1dr2SzP(AN5Jj>-6NpoRgrl{
zRJp4m-P75XcKM>@<MsD{82`BccaMK+1ax}TZ1aDRdnW#Rwp#gKLRaCbKF+&-DR*c6
z!ERLL3Od_660uHmU$?eCzG>*>XR`nG^))fGh7m1k{+YJN7YknQE34Nw5=3=_`1bH0
z@3@C?H$A;}_3*FVE7kbnrQf)d#WJ3_<L}WzUFq{^h00xzW0jJ<DbaV$PsLr2Zcgk?
z_(}eidp!2TxjV6UyL&|66@GH`C%Hz%7G2lEmt7W4;b}pahc|5sd&{#0;vp}obGnf5
zO>9S@)@f3cZ<7ACWs0iX;Vao7)k~jn-i>K8vBswOhJ(xBa>v)?X}72B#hBS&<pPdZ
zBpx#2yjvWU%rN1buK3+lIAX(SVf|{><?eJCZ)wRelh$}D_{o9Vjqer*5g9goHK}<w
z4O(az9eRz~Li=5-=BaGLGdHgd%ldPr+SgCtXP9{X#Q2;~`P3UEYPFiAi8?gQ;#Sr}
zsf$~r!|}PCaZOUD7v~T%3-IteOh}^j=EZZ;^(BHb%lbRkHm-M05SUGd*K$UZ=8c7t
z+ClVkP<wQ#F}rhJqwLI>c)PYSSP&()ZYJL3<VaGQISOQHX8bz45Amgil!7zW)`eC{
zp;dBV*tnh`Y26o_-T9id=!R3*wbH0~bRZn&HP^1GZP*xYXk?owRv&AqUCLUJ!@V$T
z#1-t<na7o&c+7_PkXGB=rEbEnru$iuSc8VwvvjQ02SxG|uxyMGkrvLm)H$gWtVAg_
z`%~8Y?n*+v2-lLkP2^T1i(U4@bo$ki)XK(YIZO&Su!@nEp^l?YA{T4sSTt2|xE2(z
zeY%>NaM!JM(!wHn?PRqkUr`%#ugF!-d*^#i{c4ufvST-8Vj}wz`I1z%QZmL{AGygn
zvE;J~l>gpMP68(rYQtte;w{hartCJS3J<G4krCp>>{7TAm{e|w8WP`X3^N+BsUfG|
zCLw9{(A`ec%fspDQ}!>@8YR^;+_;MUSJ{|!>eITlx^vN$Eji-e`BPWBp@!po&i<X|
zro(a0NpIGZxr8E9jn%2QN}=g3ol%&~=A2&dvq*RD^bzzfY)`c4z2FVhe`mm>BY6+f
z33)ZdyaykqoKo6%tgbp1zN@}bzxg2B(z=a1?Kxg=<v3ZoP1;F};*>1_{b;>%KBji9
z5JIDjX(U$9NvhXwO!DEH-&NmLTbbxUl|q+0di3^%+5LBRUS)qnjePtR&<TFR=$qd`
zjGSO^-m^1s9Mg&qZ?fSpi%`|gOuHsgv{q85AUoGB>o|c}El2EZnpMXG^z5aWC%F~R
z(EV3@dY0sU?P~TZskzmrqjTnBI)7925Wz$|lD7|JAFa93wSOpkdr5Up>r2kxbxo9Z
zZRLt}t5&IjCF27B4ad0b;$EL+WxsIT&dai_t{0EnHQ*1ytOqSC_QT_L;32Lx-FMs`
z`!I69J#IIEZSNen4^78}Z2%tm-ofMcCNMB`+};6Zfn9<pj@$iUe_+6la=%ykhyi;O
z*amiho!~Aod*p!K19pIY@_p2RJqUJzS?8c1%mJgL2kdgN9BcqPz;<yzZNT0OM#c=-
z{a`1Ub1v}@A_r!V#T{$|4}o3aAlL(DaUXIom;?5KQLrDZ0JBaXuw!5ZYzNE1PA~@U
z1>3-0un#;c?x6vD?0NLxU^dtZmV$j?1DJINdcbV3Q@)>xf3OoAdp_xVAM#)a*Z|g?
zLpWd;coghB54j8QcRuk1+rS1e`+@;`2iP$lIk4;f19l!i(-ygq_=6qbF0kz)(hc^8
zN#FZP|HbfN-zE41vo0O50~eAGaJ*plfZYa0CJfkJU<}*`_D#e;MuyQV@dvi$klrxi
zfO%jiSPpi94PY<W1_mY*PcR$o0%PDluxASK0z0OXu8RpbmwEzbUxhmu1^d7na1e}v
zS(ktj@(b($YrrmW6BxLf`~|Z>EWfR6uosMgN5OJ1a4Gu0@n9Di0b|!vFTwH|gbPNl
zqdtLw>!}~vr1J*S19pM!U?h)v3zpwVy%PQ=;x&Qv%q0C_G@tl@ZQw32s{p-V3=HrK
ze1Tcy7uW?>fW2T0><8PyXd(Fo))bL`unimpvx|u@r*^T~q#Nu3cYxV*kpsKtQBSbO
zjg+DvtO3ix4loAxfbC#ExC_jhPddN|cnB;9`@tAE_Hz7z*<cr#2lj#GVAcZi1B`-g
zU<}*=)|8RYU|<pXaRqWqC|9tnocsXGZ=qbk7}yI&Z$sae_*+i7fgKgZL+}HHmxDjB
z94xOS9I&&B_=2$&#1pJpNjQ_qKd=I9tDzjh>{{f&$SUN-9URZQN&R31%vw$T0n5P{
z7z5kEF0c#i1^0njb@&If!Lb<k)_@VP4J-vazy`1rYzMo*U0@Hm59|kzihDif&g7^I
z91muHkaU5OJBTk>1MUL*8c09bvzB@{4f#gm2WB@DFR&l%1AAMD$5rq#(hWwzO<?(5
z<S!Tl4}qQQDL?w_j*Y|*>;ZRyS@#f+2y$RK*avoiHTM#4uoLV9vp$5})yRQ)VB|j1
z3ud<x4%h+qgZ*IEHN@k7;tke-QLy|0>M0o8jy^DZ2l;p{a$q)C4(7@CC(sMlfNfwK
zxC870yTD#>9~k&|^nm?fU<Ud=iykoYB>4meI*|u!z+Q2Giu?y-;MnU(|I?Hk82dc=
zA^0WYdp-KV3b1AuJlOGN!UMCug1;NkvzvSZ`@s${>#Ni+Fa{n416{-;k9a&!Jisn+
z7ufqX{NIS)J-CCBuahre`8Ux62EK(JaR-lronY2Yln0mx2EI+azz%R1*bg28+rER`
zOyt2FunUZWy<i2H)lE9U2-peMfIVQ~yZFl|Jul!7?EN134Mz77KG+2Y3h@6j<qpQc
z2-pjjf`K1Xo?te(35<XpU=-X1mV-TDC)g+aPtZ4uc=r-7F#BiZ4;Tg8!N||4M_}(S
z2p{YN1BJ+g<H5i|!Uwa!QZO5=0VCih!Cw&$82CNzQRMn4f3W|L_%A~5YorhCcpd#<
z|53`Zm~_5DxM1&_^s8X!+vLY=crXg~ffZoZJA?y9!5v^5xEJgK4}pQ>_y_yJtP=Pk
z{DWC1@CWvSd%>QJLHj5e^9|bBa|jR21G~U-um@}ad%-ra58MHE_y_GnU?<oQ_JCvO
zA_r!JS%E>j6pVm1V06Tw-6ig)4cdcXTX4|MnTP+(L3<O}3+@7=XQB_xI*0H}sUPPK
z+U;Q0h45f`7`^lH4>o|EU>n#6c7d^r2kpQD%HtCJgMmv2?M^TX?gh)iUa$i^3ig13
zh2#@B9?YJAUN8!_f#u*1uov75#wH<OhTP?Yb`;FIg7|~|IfM2-uxASCUxfSALAwGB
z<dQBh3+w@Fz<zO`HfTo{!%rt1um;=<_JI9hB!d1W#1q^E_Jdtu^lI`Q>;wblloL1}
z>;)rWKUfL|t|8ySEO3+X;6AYHTI6r$I~WBcGY0J#*a3EdePACLxQ=oHqhQuj@*B(n
zd%;q$A8Y_4*AsuR2HXM0z%H;2+y{1mePG}Q^xT3w7zNAoC|9rs>;yZ(y<iX63-*CW
z!K@oe=Q8BL@nF_Xq!WyQrNV<XU<}*@c7h#XKiC6CXOa%E7mVDBTt4XqvkQnPSPmWn
zyTGj5&^rsgU?&&@vkTD&_D4yFd@mwC%h6j*I>5ke<iJP?<qWpXAv~~iF72p-bbu9L
z_B`STM!*g*3hn~S!5**%JOp-t{b1Ju^xjT>fbC!(*a^lKl22eKcnHiYBRnv=h<JYh
z9*luqU_00Yc7na&Ua$}B1^dCHVD@6#Z6)ylbHErF1v|hBunUZVy-SEM*i(*t75q}%
z!Tx3NVB}WP0oH(hU?-SWO?Y4q*n0<h<og=rz`$DK4@Mf%w*q-E0%qTdUN8#Az#ec1
z7-*)vz;dt;>;MPBNDKZ}67LPvL$G`!=>u!-roPk=?mhSi`@t@->qC@ZEj&0L?Ai<u
z_JRAr{w?sU$k&gc7wiDb!R)Qncj2ESALV-&@m@_l!ECVaKam4_o~N9_u07-n*bDZ6
z{a;7Ej&yzld9WWW2fOxCPGIl1NtfVv$+vpa`#s75Y<rP(fzkcw5j;SCeh~MckUwAy
zY?tpp#~sWD4+#$r%J*N;KJFlXU>BHmkaU7Ea1iVSvl__9UlJd%4Qv4Wz&5ZS+yQp|
ziuwXZeog$>kk5w*AI$y@;e%PfrJjKuuTp=(uEV5vE&jo5F!Fok!K^<J53mC~D&PA^
zPb2!kDA)m3fYCpZf5QKn@@OJnU<B-WlX!uFzY#C6AM67=-y%I=S3m9GPUQYUI|Dm2
zhV1rc<VOtId%+rTYzy%@eaNl=JHbt0^o$`pD@Hiy4%sze*7-wrC)fub0{br*vd6C@
zy%!DH9bgx@7c37C*++%HWXR6Bi|^U^2RkMV*?nN!<%F{y_bEem4;Y()+y=tSLk}3Z
zamd~Ww&f4m*&7KrN_@ab$&lR-b}oUx2Yuy3b{^Py^N`&Jb}b#U2f?;w@SD(IL43jJ
z2T0$&_^*NoJF1857}&J}ePC=Q`aVQFYlrLxFtBRK-Uaq<BVPBB-cJyJu;x=k_71Qg
z>;*d?MQ<zmw-4FnU@zDXc07Szu=6?6c|ZJD2@i~P5g)J<JOuWEfd@$6e-b{J4d#JS
zupF!b8^8{*4eSDUfPG+>xIa%m%XctuGyc9tIAGQu;tzIxlW@SuUh+l0gX7x>=Ud2w
zF|b0ucN1^03)}@pzDxdto#0Wh9~}E(<o=6zf;C_s*a?<{y<h_vc!79=9bhNe|2^^v
zY<m$sVAl6Z?-u<35Px7l*Z}tZ2zfB@WAY7*?jN$FA3-lz0cQP#c!8Z@57_fl<ix#~
z_-v)z4w7!L<Co|G`@p?m_OA$E+z%o5QS|>7Ik4wd^nksG(E~<)PdR@Ke_#~M?ju~V
z|BuLlokuDE2g$EDhzHp9Hu)(y@`T;lPJBn7u%izV{+JVXJJ>t+guNH+d>{BQ-wRLJ
zU5}u*=!AU;j1-@+$8G}`oUkhd7oM<VU?;d2%(C>8ara^?V?$=f1!G5z-j*>cQ~2@x
zb-#ApzS77Dc*_$WZX$p9E643^em;aUi$mk)o)KI>y49L_{tZ`5&%Oj!`HzAn&mFhV
z5n@g#Q$YMy@K<)^xGlP@*`dr^#)L)}1m%nNw+XDm-KQA+UmnoG-!k|ip=O0LANI`(
zjeE#n6biQo3PO{%j3^G}ZXW6T#F)^el28~oWM&!FrFiM(Z`_}c+rJvA{XZi9ANEH>
z;fDgVLX+A@L_@h-Mizu-Y#uc`v@OH`q;E`U1{}I)CFz?hQH}7Ioncweym8!STEned
zq0BA5g3!3l{<2W+onu1dAPPdG=LMsoafRxmNU40Oz~2G<rRH}G{s{d0l%)Po%Ap<p
z7(Cr-{E>X@gkN^-xP6DP3qzTkeZJ+P(ON|O_2B*t?o|KyBRuz@S>ZR2+YiQB9j|`)
z?eG^S@lr-(DTtl$D}+y^b782=x4=oK=#3zE1i3Rr&O8#&QuxF0`NH9Uv#&yxcr}sD
zfoj0r`rC2)8p4-yZI^u9BIU9<;J-XW<sapUqt5po$Y;KF+`d_e6!}%5NpnNF%R-Y1
zLSeKJn)Vq%v=@If@VCPFdq~Q^UBcNS^=I>lg`r%6o>Zv3>dGVaZY=e@34i;=Us)*A
z_@j;``Fjk1FW~V-s@*<9eOX6X>RqX{lm6rO7sWqnO}(W~nR;6w_4W>`Eg{FNZ8Yes
zax>yx@^c6Js?b+1gvw9fY%;VYSQr{D?t5|HiMwiF(NJc&aui`*&WCW{jl0xi=aKU3
zhkph><dC57V*^@WDxVF%-9tVPejEJRqKELy$O_R@Zsb$>2BSZfZ-bZkr1Cr9CH^Bs
zzj;J|myu`LCgJA$=IQ*{2Y(FtTH#fG&B5_j)hNZ^QQY(Y?#_>F_y7USfR7k|rhU&2
zg+CA)N4jX<syuR#D?@I&$kE(OL*W&sx+?cl+?#NpnsEPs<1XPh;NFTm5Pzgyv_Wiu
zf8DEHd_F_>F;wr_6r{wl3;7vuAGhxpEu_=LcVQ^}A!KzYR1~B(n9n8nllpxWf7|f)
zN%2ShH1(SnWa>A4ps$MRsoRup7^cIP`j$g~dJO+_#J|eljnuf}U<rv-^&j^z=SDxE
zeu;k5?^6Fwzf1j(_q+N2a#A(}Dy7@i0ZP8?K;KTzpGqV=^tJoQbkkqZvq<X56)i9E
z+lPEN@^45#L%I1{iC$FKe#y6^xNqaUYBise@@;M?ya8=<RY5P3ew?&Pnad;fBYTu(
zy@bCH3Zc?X8y;O6T*d!$gIZGJTZ&w!ecb+($R*-SZf*|vwj^~@BFo<<<Xe$%l5$U!
zBmI=GIH~Y_OXFXP`ISzmR11?n&kKsaedyb14cO<KdSvpSaWie)lUDN!vVTrm_Ag1~
z*Lbp^DT94HbSK4+{AwZ=4Co}iG*}TDSDeT%$>(zX?ZID#+aJB|Cj9BlEs%Up@+a|c
z$KPT6{kQld|GfK8--Fc9;-n6=Ah=T3*?5;qm5{Ixp|909V9)btSEW?-UyTWcb!k(L
zqQQB|UyFlLzRq<DZFX>Zk}SF<zImsSKmGyxbv~aYzMo5p@7!QvdVKRx(T={%z<~We
zcljlcTlv0U;x~EVl1_mqi@$yNKZgHY#pwTp?}HybV!*yCiLc@FAbc+T--TZs&+o)M
zi~fLl*1cn1pi6j>9N)*7_cD#{$I|MT!WO5nRHw}&w~S~HJmh~^8X<iKfBXo7^%CLy
zRER`9mr?kcr0OiLDjgljZx}hC=Mjn}Z@^vfJK@zlg7G=6e@V>iqM<VXe(7Hrt8<C_
zB;p<>?&FAi=B)h^|3+MkhjE=1ymfd-6(fmH9$DWydcdxf{_fr4Q{}%;rkTUX$G7Gr
z5sK2xhK;R6NZQ>#;!_r6AKkOQ=lk-h(S?Z`E#6dq2gWkL96MmEiMwJoKOVjeo@|dl
zQlBF5CGfiDX(!=J;q&3ojZ14iHAY^Ii^fglH^EmSpE?ijfUkp(Ch5uH^Dg+E@LuiN
z_Z!`{(30m!yu|Mz<hxHFuzw_as^araS`Yp4GHUg>!WXFx`($KYlKizKSQQ%m!i)Rx
zCi$9uI_V7!*k2btiTXR6`dbw5&`N^0#y=MYRsT?dzXSMt(cPZC#>0i7-5EZ59FJv4
zvC3x2uU+UX%N(%BNj%IWd=LCG_|$wn1YZT8JWrSO^c(pBiB}>$a~XF|#M8jEbPr$j
zY@#42;p8we48Lzcuk-jWkML3WNh!RHn-%c6@TDS{2<Ns?c#Sg*DF1E9EkiCKa^?}e
zJK)RU>Bi%a@LljF@Id?#ejh|W{F!l9$FI-G)7`}%ksmbj3*xL^vu2TD8_@F&$)9=g
zc~WveoGVM4Npv5sg+NJgE<I%mxtKn2#Fjw2{~_rSBmBkCfAFjU`&9`ykuR)gd~4%b
zJ}bB`{+T{r@^csdTC)c1Ul@OzeaqDZ$2SXD5cI8L&LaAIk(+V$fc-rqXXb~DnRDYR
z=LUU?lfJ0=;aEC=1Ni%pNB`klh%|9k(@@4+^V!S}^?Icg|C#3w*q6uS_W>eSpyr1X
zuLj)1xU>CbS&aQ=KF7Rub3hUsSMPj8Ov<Sfe|7jfN8)83(YF`AX&mzmcRgm_?yJ@6
zn4px<v=h}>rL!M@+s_-YeI}i0`wM#9BT6z8j?XGoLzHreP{HcXAF$ajOfJ8rgv)|K
zx0oE9Dv;|&?go)l^TEV=w=y(tfyzyB<B|DmJMssRe^3ZAgLVD_GH_0CZD_QlcNgyY
z7Yx|9827}ypZTbnSIv@n)qMAStWV;LzlYuaq`oocm<SgJ=QtllOyV=14y7A^UpD@T
z4+{)E;g)jA!@X>LdVf?7zs%v8hcBUCO1?F~SHTw>eJ1{kLg5A{`f9$=f!tQ)E|dn7
z$T!NBeS%h54=qwzCsS34M-TEFE_C-xl3$15Tj4(;;h`sOA3$<oU1$;wn}R`r$}Q!V
zbr$;@_$yAUSN`kSrJ!V-)q!r$QRGL52khAr4z4C$^rzH+Gf!TSvaX0Cx(R<_{4H{)
zQ?C~o49o(jFzEYP{7Z4re*tmOOCNMdzV@JJ#wDD8oA^>rOteQA25I5+3rOgB*iqzm
zUOHgkDMTWk<g4ss>3Ta$i>rJcPv#y&{xXp_kJO6@{OD}c&MAt`zFS@}%O&Nn9QSd!
zr}}Gv&pnC1cHHxESNn)2JSeM^|4QJK_p5~8%YS7ad@uYm5B?~8l?NYS<Dt%j9}nLI
zpPUW}Hv+%agD-{O>A}~)?@8fhOqBN|55T`>`XMu)O{~}0=QQi(`JpO*qxX7QR`<Fd
z>_cDEWdruV3E?VVUz@X$A@#c-xg*Gpl6t55Vbw3GdguRyv@cz~q;roTl1+iUGzq;X
zo@U=p&7)?sklf-iuaxyn1^#lc7_c8T^?R809CHq7g7JP<B}npl2mZI^4A}4Iv-51?
zLl^vZ`0p9LCf^eCs>C{A5&8CjcfJ(|SIC4rZ2>$x==-dvgBt6k+#*bHk4zb`&ocQj
zOuF{U48fJIMJXc+8YO?*(6@*8A}5;mYx)oJ#P`>D!z>9hWF!{M75J0)U3cdW*lHd}
z_vIar*`X$X6IqZOO&!jdu%?pn@m%tMJQK~bs|NJG9N*=U`V)a)2Cw>6);;aM64{s0
z^Xg`%)hxKwv>I8d2Q|pQgna2q^UHrek#r5X5*Z0k-p4&SeZYRnoj+{9`9Fmp(;@4q
zk4IkK*WGaSfc-l@OFN)H{1H8&+6j_=w;%VCYX<C<;!eJ$wYx<9SsW^hv1m)HB&yu<
z&ZE7d=V{TS@<FvD+VAE7D`DULj4STk(CLZc?+E_>UHm25DdR=rJi#dlm44)xT{~cp
zF!`6fZ|;*R9Xiww2I^!ykoS#e%oyOOF?gslx_@ROOGeyjdTJ@(LF9HLr}|aK>6_`q
zh0i*l`UsD++DBV##_t^XZg{D)N%3a<xGgje^)f1o|8nFGdia<3oe#eU{~gG^<Kcf7
zymj5Xhu@3bIOLe##~;ZTdA~aIJ^0VMfb|S=$?2DRl>?va=vDQq)EV~l{x9y~leo)!
z+!DTumxup$+$DX(x$naL82OTzU$2gbFZsUD_<xem&Leyu{C4z?bVyLja1eeQe7*3A
z`4Qtl(thyG?)j0l=Lnhc68?gwKBmp9WM%w{Zp^d@J+VsKr;_*8w_oobSEZh}!|#S~
zb=Pw}E=@Kq-Bk2a<o6<P<qg<BG4g5ic-rmekxYeL=Pk^j8Z+D!YNTHn%Rsa3M#f`4
zOMbZ8+1>GBac&TmW{8{}oaZz@@ud5^a`eo&X~1rBk9)L}<nv4acZTclI`ChYKVTma
zg{krQmODJjhaTid7w{gekx%Q-C=WA_n8$E^FQZ%fw);Fi@soCvMTf8*eRD-$qJN^l
zUGGd2RejGxt{XXqA=A&wOkY2FK!tH1;m(JY{YC%BQ}aO%UZrSv;D1}8w|*(Fy~bUQ
zo8(hkx|93yeBW`eWY?f4a1rB0bin?-sYfT#GdEPm0f|TUv0d^y4uqI;oS}B3bb1;H
z$0{DMCjfd}x;>s>s{Z4iiF=W|{xgSQ-6Nx8(!5OacQ5igdyey~YkVR7Y3*=HXm`N(
zNnQWr4N;FQs{P~t7~xe)d{XM!>d+*%$Sc)=j8{FvASU5P!t}4R2jb_eY3+_&*gSG^
zD1Ut@x6nPLt9~bj{}TMSxYNmehjbPt+WDN|e6@U{$*XZ?7yh=D4A@r_2j`J=^n@9&
z;2VWZ<b%5(Tkh`1q<#(J?->57_^iuAmQ4l0YQmH97=JPS{hR^&Kg2zeKdL|SJ(ZLx
zI7>S$MZO#PKZ$%|KR7X;Pqf2w&eWfx9u2eqto!F3=&Qosqe1i~+9Caj+IK8bBkmmc
zL5ifS7k}IFS8n_<?8ncIv*7x1KZyH0ala#!d8^6av6oQ)=DF8jqEFuR7zeM?rN%8^
zpHp!+;U2~P2<~C#<&sa2_;^+1VSi#io_y|C=KH8;11bpmI8F4JkK^#EVH_lG{Pht2
z)@t5=mv$iMeld!%Bv|9j`CwK35xbzwTHY5I!aR~6Vka~Xeyl@+s{G+a{?EcE%3sw}
z-!IgPN~)%ML{BO52auO+a30}n;17E6o8S+_tNy@v5P7jrddEY47reD<z@8+sq_dL1
zB`rPh<KX`yye^-^PQ1ju5BDRuU+Ht){b8RGka`;+6W^(0|5e;o`LP!BE<er<{WsG>
zJvutQ4$VVFIr{c|aKL_n&!R8woLS}vZFEcIWV~C_+uSNW9r!P~W58Z4{#AO`#@nUj
zPZ#c6asR5gn@7^Q4?een{!=*R?>;9RRKIl;_bS|@8Mr6nMgMB%J2GkibIQEMOvEK!
zITTdW8tR$RZ`NsZLg9NuWp^j<u9mnPCGtD?Yry|u{Qu3*my_r7>`;~O@4TBtHLJQC
zyf;*}P`(z1s&4jdKJ$W9dXI%lNl;#K;%%2IHiJA`mzkES`abqD_FwK~{zddmJ(@$t
z7YF74+2;R+I!mQ}h+W$@<X0GZlOOa?jFB={u^=ea(+ZXU4agrrKHKEK_qgHPrb{5c
zAE0I?lK;E#-`#A^qZ8#vEi&bIYbdu4&lE_!TIpJ;=XXc(Z?%|x5B#UCm({q%(V-l&
z$~aC>ACHAmB=HctyqB=Ua^`175AO-J2Uuip8BrqRpYKcV<-cT-S^wdG**f-3O?z|A
zGuiPqqpb>&Dr<EjU$Q=Np1#>9UE91MFA4DefqoS%g4{mjT9Ip$fT;h8^0-GUr99@!
zrl2VssoJXj)1e&1-y{>Cw0Q*kr2gB@EG?e1oFG(?*{u5G6f10rhu9(R+35A&fKOgZ
zA!bB`1NPMY46#?V?oOP4n|LJJr}P^Sg=Q=d<rk|t7<;6yK7`G080sIYDPKBgXBn;g
zfAn{wU+sfS9`TIlFTjFo#yzGyV~ij2q9SK_@<{%OUE~qm&oudyR&N;JHjngw#pF=D
z$`l4uH+;&1(r#kt+jH-L{YBFbO!=#Mp4#ythlqRpyrEO#ci(`14^FM;@8GnO7FiPC
zc2(oxKIEE^yFntZ%D+h7Q!EdKmpR+eO0FNdt?wcy`7-_r=9kE^jc)n_dBaOTk}rA2
zy<Mn8ed9bw-Vf2mTqJqm{n??FLdlnQ^c^O=Wk%m-pBzbYxFz*P4mL6i<Kas^6Z_K4
z)&cutM&8tSYAZ)K@i14%KTBUH<3~UK>hP!1C4PB?AA2SF2d~!Ogf@rJgwKYL%Nt(e
zn`h*2<g@hW$?f<Sc|A-@QQUY$PXqF;=x6&$jo;FhN<O#2Z-tk(F8R1w-uU6zM^Y>K
z+==^k+&?bv!}eRgIiVRPq5MUvWzaRa7QIe4tkaLaBj{80S#<K0^EZ}69eaTNEUD)z
z9=;yc(fA$%ZV8f;#47#&YWRX+S^EFPzXnw`=q>s1fW3MoUx<I&`YN%{J&(=GKaTJm
z;iA&GJ?0$?gJ@Oh+DABL4-VMXLTn0U))2nrdmsEW@Joa@kMM(%UU*5n^9V0?#xvRn
z?4=GV9Dh0Rt?;Ux%=}CEDExMKmZR}Uc(GI73GdVaaTGpg<WCpEJi@obZ$thxhXkd5
zbi!|iFBV>v3p>|log(gH|GWqHPfEG@H~RF9UW9eI_TfI`5zg^s-oa~b5Bca9+Wm?3
zQ91qUbJUpBqwB(;|IZofO^BCeD<yG?t<#Y=h4_AAz`j_8r2mt2l*2y*ul5DVr}>lv
zS#34I?}qOa(IT}S$tx)gWO7bbEa%-!7ntHmeu?}J<eNT8y_bHHbSK)kuRGqT&4HDK
zD|Xz6JJR#J5B?zh7-XDB<Oksoc*ti>WqkMGbKtw-RfRK(L{Aic4}5aDNxiRt-wpqF
z)6biF@3k&sUtzvytuG3yJ#LSBuMhSloF2j{d33=3;V8Z&+Sk7t&U4=LdcA=m;pF6!
zo+lFXr~hGkzU&>2UI0iqVkf`sGXwU);qoo9uQU53`SxgrS9gJac_f@c!a1-L``+Qg
zNvvB>Rz9D8w{U8vQ9hsJeG)T&_#fum_r3G2R8>bw&pyK0**Rd}_P-0~1@Cb51X#k6
z`v|r_Jz#(Pe;1B=KQDd5Os6N0aCQ*Rv1bzR0i?}K7twEhMEb3yIjGrhlm0{QML6)q
z0ek-lz9jk&mIwZCjc_IiILRaJc<glgo89T{Tkch;gTGiw>i?wQ&4X`+r+bz0d>o2p
zNv<AoufTm9?h+T{9)BNP+&AIA6L&zlv%$I|+5Zk4x^ZW?cHD1EcHfKp0o><E{ng_&
z@AR_s!B<JoAyNFCc|X<nJvAUoT>9Y;!hciBFOe@yw){^~_Gadk*eA@6kpBPVJq5(I
zJm-Cz{m7dafta4D6|a6JSftc?uL6JD@b^_A=$B0SCB_|@&#$NalJ^13Ohxto_|JTv
zeGOC3%=`-fyuW9rmCUeIdJ(ncK8pi;%=(=0lILT-1`?)^wM&BfEgdyE%ferP4aJhL
z57?JTJk2Bgc=#&#fJ1`9N8p#ir;h8T@MZ8a&2b))uQB?Qd8yx<;Pa916yZcUkQ>aU
z%o?pY=u5o6G)K;W^}1U0?#2IZ{AY@P^9bJy{|x+D4haf>)X0xb;<Nc2xJJw4oE(oO
zp)j*pQ>Nly?)&IQ@0lWJo>EZm|9A=BZ~9S_@2tZpr`vUfBD0Hwygek9i_f#w+im)@
zY*82*UFhpT-_~yo*bhj?Q;uotEwxVP%>!QBPu*ZPuluX{!y)t>_%`z%cf817_L)DI
zkqDGvBpq^JNm)1R0_iUj<7i_4HZkr*LpwA4H%dpDev+bAj#7Us&=>xmY5ytpvDy{7
zPItSJuf^}XgwMJ32CuNyd+)vIDIwe+oBT@~Z<5nd<@;EuZc(UdS*VUpB6$Zn{j^)H
ztLw@_P36G|QH#uAzVm|tdx1M&)%tZ|=$Ow}Iwt8w<HWe$fWHGj9I(ISUI!%RDT#P3
z;{EOSWrUWMhN^B2Eh}J4rqVO7*&MD3EnDD7>G`hQ2Q%&`oD-OS!_*(j(VV}j`lDXC
z{ZwdA#@tYM#tN{2cW_J6H-2<KDE)QLb^P~=>F=q#n^|(@R;$&iYF~2SOeXFe$HgD1
z2Q~2H;Jwy~ceuBaRXyxLeiHHziI$Vs!<$2`{`H}){*ur({|CG(gw*Rk^wpv7$@ik~
zu+LZEnbmsy7k!cIY47O!>2UfI^CtF-eVm+nOkcG+m2Yk6Th?pFLD9)0{ml;eR`@d%
zqyH1W3w{H<)J5kJUheVP2`_o>Ji_<E?}1n2DE5<bN-60Wgg*d3$<$-hPQ2Rt67t#i
zCC`MY=B~@1jhEd&OT0JW*u&Mp?}1P5|JC?!<nNTos`}((5ug`#(hu&yJ@e<hXXCEN
zw3lRiLi$1f6ZAx>8<x5!lyRmHJ#_~M>@P?-DgBUZT*NNLbj0y}Gs$DQ@8}@@j~V}I
z^RW4h<FB}<VUoWU_}lhN>WPW}N%D7L=s<=#5clX$RZS^JpWL$)KE!)p?tVwTcf_tO
zTfYhOhLWIkLacN37{l=_r%MTEGfSi{qc=dq-2NN0-cRI@nrCoW9#=8f`G_A$UmpIt
z@%IX!Ep~g-(#JlqId@+|J9uz->knPu+tF9{Ti){#eddw6+zDR-KTkML{gUnA)+Sjo
zh_jS;FY<NB|A!Ey=V4jzKSUql>`$xxN_n@~wZpBB0wi5>FVzwJ|JmeoT6r&^ynmN6
z@17MD`vuojTzY=V-x~C7J#5}5Q2DFg7gOUfg=VH@MOf0w3vOy!ru^-|-%k8hm~<qk
z`-5?RvxDqz>QY8d;@^wEm+-gR_)CjFC)?~|rEFc#2~C=xv~w(ec~t$MNq(Sji4ZFO
zO!kc(Vsbo^Uj-3=az9t*?*_Ep_(}YgC8awXe;xRnfxiV3p6VBvN-+zRZBS=^BXWC@
zt3po23puktLOII;ECljd$n_z&9l5mq5BP2Hsq@6Fd@cWe{5p^5$;qcYkeBs^^9Uc!
z*Ye4{ltTr)=<nsT<XhVOpK(}@GF<b2&a*WW-@{k!U-a!lU-<W|qm4e(-n`}yrOX&O
z%%71yJ2O3-<li9rwxN&VF?rrQHx&M$lYMF)nO(sA7&)>lx&KuCLksm#S3a#++Fv>H
zdyua*^4{|gCc|=65kD=^{&Vmn_pBYnzl;I8zR@yFeWU6&sMW3xRE;}5$iIX9IU>(~
z8|Ki8KLl_6VZfed_yvaVho6+fk4I+gEcze#g(8oB-W!muJN1Zr4(_eEt8kQix#O(I
zKjS`Ke3UXnuF&<b2L2iRN!qvvVrK>$vr=z1!FR)_*2@m~J@BdPt6lKB;boi4c|>QA
z(SL`Ks+}eB%f}MNWR>zF^8LskLC<@UmomsMB)|Fw?4OB-6#ch|;TEs?hpDbQoFaLz
zIPujSuu6Ix(9?~c<oFBU2EPZMX?y$;eh2(v_|$gT1%CwoqPVmkKlZ^NgJ(N1{)isA
zH*fSGO@Crsgdc>@hwqF_Ydu*c`XId0FXeTMF0UN;!|<u)7=?caKD8Vx;E%yyoTOj;
z#^6W)$(+-(51hQNPqZh!5fDMX6ZuKV&lf$cN0a3@irt>`zOfh;C)w>C!e2iAHj6(-
zmc)6eobZifw>uM`%(s?_FA>t?XI2sY8UCIS!n@xp6H6FZzh%l<wSWA-ga0p|%>P3v
z{*(Hp4*b_~pWzkapGuX8H<g+8O}DPbrM<{CAy?%NhjG=Mhs*v-u{)ZQpZ$_P{KZb@
z?>4u;Y-DqaDS!OciN8d=*tYU9gz49jq@R#`7bhJVus0aF%|1D=m>=}b#$FsQhWl3B
zf0V%&^7kbDxV&$2sVuV@DpFpo(-|(|^`LL`>xum0d_3MSNqO|)J`Q(fS55vU_s8nI
zUeAZjn;-5DS?X){Y|0b=U3^Y$|EceRN&c22zx6NJVN3cF`NZ~M();{{GR~PyqwFPL
z+VR(Vbigij=L>^`hy8w;{}T3{)5kaT$Rp{Ndn;T2oA;fJzO;Q5m2Uso4EH=x`Imeh
zU&8$2uf}eibZn*o!*#m;iF+RIt++GYG~>lR@qEvMs=$3G?jywAJi^D|w|nsI@Y_82
zPWY`J{9bqoKe@l#g#KQm|2#imyy_R}j^9Jknt`dh=S)G2g1vIMKrDS{(6&-4q*@3{
z`sAL^8E>YKUvlqfF8tZZ$T;n+59J<Ek$*&Z^GN>6y`a0{FBeYbKLZWj6`h<q7u<_`
zH}2JOcV5WgI8DAveL94D=HKXlP5GzIgXP@sDf*%0cR1K^oa>&(i#qk*K+atHbM%!9
zq2j~rovl2Ujl3?Q-$PO9M{d$v>GQ+}_^=1x20zY&-vOWL!OOj;qf>avuYK?qytG*z
zKgo|mUeVV1b=2tda+i3Iou}h>f%rF%@Y(Q^p0IF~o1|3uJowxcJ_273KLh?;lkdsn
z71f3%LzoE)8K^cwMJa8Czjg_~pZAc3NQ^s){#@4C?1Q-$Sw-@mql;1RYq=QHzZ^yX
zZuGxl;&qaKmvc4Q3QX^H9s5A3UwQmj_7CRIJ{@19FR_1;+|Jb2;_&(;KjmK9{C7-$
z!gqP3Tsz_G;4cwE)jR!ugp7kZP(8SBz&&Li&wk`ex>&tmZiZJ?ZgTJKR^-*ZSak9*
zRj|e~!PpId>`cC#yx;I2Iy0^PiyGDL%F(lI%%DAbxO^cSO#f5LzCg2QFO#%C)``Ax
zV+URDt4O-{!iV8g#u?s!@n4*wDwyPueq{VUD)OffYI_frk8?xEGJF-fM^DIQvGA-z
zZoSkKB_|c{RlNW;8L8?&a^0apmwlLoBliTq1b?@v#DDzUKHtZ7Cxls-ZbB}6#-Pn|
zJ^o0#I^av-DW<gXmW?>ynxyt4@#sOm4taHcA%1wI9Ug+;2ESd1YKaH?Ae;RRVzN~+
zj;lD-{7+ro#;a87i-eiQ0_Yw5-6#Xs$?E|b==XnCCMfA6vC1jYSA)JIS%da3`Rv)Q
z=Z30$ccrxAf*}2bs}-vnA@#HieH+dmv`=&QFKRz!uDtE}>Es@!Ab4N$SG`@y?=&<2
zM^FAagZ9ed`h!IKjS|Bj=njDy6D#icEU73c_lihQk>XG)FN_YCEvg;LJ<qx44!Yi#
zmi+2~p8@}zyZt2A`H6VV4jl;iukfBAs{E4r(TBcg&U1&;A?b(T4gcE!Uv7`jL&?Xq
z`BqsdpO;jIy@7>Hcv=!W%<KFmL4UjdB<^#~eIqabc)!HAV-fZ5{e$)tK0A-(i`;vi
zdEuaa#(SC9kS}B2C0_>7cYu4o)q36pB>ipHV%C4~PWxpaAm(%=5<j_Td&b3suK9|@
zuM~bay!<XiQoHdQ4`g0{;Bv3(fmeA%-wyPZaewpwt$y?<`ZDLI_oD$e(8j^1zh{K)
zu+w3wSm}9C1o^GpAN^C|RR1`aUdcx@lb%gCupFE!kjq~<sO^dp{oq2<?x$!>PpCUo
z$=7z|twrwsRN8wd{Al<KOgl|pzc2^gGJ^K7c_c%&@88pp0g}d%qv$z|p3kAvc_f~4
z@A-zsgL>bG{?5!-RDZHGw9VDuMv#|#(YGW2HHnX}RytO8KQ{Y)M@%QWRK9KTvG$Cw
ztMOtr@L#x``X=p~_t4C^u$cD_W~%%!-e(2t$sI0NQ9W`=P^@B|Zw0{yQ7U`>gut2<
zRXylEa`T}5H_@BO=VhU1&hY=t=j1bPJR;wZ{GMfl_9SUXs{H7^cn?8Jj~CFm7)n0r
zjLSnL`)1^q4{Cd*wefvS>a|&C&kY^$`9rdddV!(Ibu*;+ufhL26@&KIWiTdx)5?$F
zd4ISwpgVl_ZV_T`C_5lEc<IFdhFa3cXN$W%9+7eEVYv_Wp+HgmKGUe&XUYrK^g&!}
zly>12C#4m`IEh-RXJePrK2{M=A-u-D#JnXMTIPG)>!>&jujT03ik`Ki$2<{G?zcY-
z|5530*^fzk57EDtEC@3<*6Ej)A^JM;H-r1mllQ@-pV|wb56?2!*g4-9e<51(?GWxw
zxIZoKoco!4r(P$YpUox5(ylivk(b*&_<|rNzuXM<@{dI)Pbq(L|Nb7rd0q&j?zzwX
zF$$NE<B3!2e_`VL+^Qpx^md?cQp2EruSj(ANWI+!pAS#Bt-?uer)I}rAD-YWdJZAq
zg#09tH;>fEe)z5M9~LeVU*clwvrP9Gyj`;oV;?Gd<@W*(;$PD4Ji^QG2V|}pOnYxu
zeotT-e8>?NS^nhr1<K%^{rt4`DVyDNs;+3r`!H@sD~$mA(ASN=R-wGo#mtyXl3e;E
z9)VlwU%5Zu)xRd+7t2k*z88o{@;W&xy8td#@$xH2-$C@fB=Inh<WB?qw#GsGuMP=H
z_-*iYO^mnhd01lHOtic55c?GqWL!_5Z_cN=sB-T`-}XDX=Uw!fN5Ve}zq5JJzFs(v
zjhh+NRr+sZz7C%+^6bZ&^TL#KW_jbvb)Q9%b5awZ3$i$r`c;m;J^YTqK?%pJ9LgA~
zhS~p=a+KePSQZ<!H;Vs6f6nO~_g$G$Ga5`>@g#@267D|y?Zn@Q()=at5oXJK>PAN~
zdlu%S%D1u0>7Vd_z4$lzBl(sMKYE>;mwd~E&xL>T-OEiGVIA-+HocG8fWCJ0ZM%zm
z{$*U^cBqrA&*!r%@B7wCrj)$8ZTU=BwZ9nY&7-!AY#;GZ;9>tGGE7Rk<aaf4H=2Hi
z8CjjF4_Otgzu<2$<JC#xQO0{G{&w$qrn)~{!l^;ujQidBC*zI$en%Dj8+?{}lH8xo
zr;2=?!61IDqF(<G$KMpwvnHJm`Mr<P4-DG7MUQ!;eB}2(cEXP|<&!qv%wbitE2Uk}
z4Psy??YhtzhSWiX#5d=5;>+(^$UWH-U+;DzOQkO}4`VrmmU!DRZyfaFRepzL(uW7_
zpN!FZPLjW~Lx<1T7g^E=r0h4cs_4xK9Xa2(HgxR#dOj2&%uf7~^P>>AgR{i<D3O^B
zQ)?KJxW#x83Ey9gz)B<FdxsCKY?TjDT5JSXfGUvXe3*m4GKXm8LlHzHsC3rwK~&sf
zByvb<!v`229vQTkn0c3(|IO$9D=`X=w@O4+zqAAS{7($V&r#FH2j2gcPKj)e5393-
zOVv0_MWKY^!=chAzt2*JKDj4X%I_rkJ~y=6?_cY^FRZHGcvR$Zz<c1aL2Y-g=8;U5
zrOohk@F&0b68`j{{TZo$+>c_y^Xk`mgH1-5VONmRAg}u|2hL@7nKre<STwnHb6NYa
zdQ?926R$~+58Btfd;4ZP!RPmnBxZ$a^-s0$JdzfzV*T{wpuN>S|DG+2qRldQH|rwb
zOMEF*U!2z%)ILoc{_CDH<0Y|oIs)}VA*Sw0Cw%7ZVBO#E#h>-`pgktuzG-dA<2G%^
zcPOQTn2sZc*FpRrz`t4tsBsVf5BUi;d45<fT`ikmsSTPQHiwQ+Xl73FcFqLlzhG&r
z$!t8{*@PRbX8!esLHm9_%lNjL<x^{huSBmqbOfcn>_F}qa-Vj|G49Foq)3)U{3ZkE
z0pcv>un+mFFY>!J8GNCBoAyHUF!MTjYgM*!Qd*4okMJkI8+7bTgW67<eQwtMe_;ci
zmBYt1$hK>NGCMW7NFR>BDE^LonfheHJxM)hRFyZ*W~9$vSa@Ny=3${+5M&qMqx$J6
zNICWp{xe@0v|k@?UnDVqDwV$G*P)j(qP%bx4IRuV4js-|4C$ZkJ*k=(^sP@4pM$vQ
zQ0ub1m9+2Y*f$6eiIevyatYUmyhDfv{a-LHoYf|8t;q_s2GyN}v+Vgnd%<wyMPff}
zE+y=L%sZetL4US)Kx|n^IAi%QzkAUBp~=Uz{&p_yiK$dd^-(vBxcgu=B@nUrTGn~t
zPU=~VaGrT#(C+4Q()<p)QQzb7VPKZrtfM;%5i93!7yfd42JLkwe#!F%saPG!`<!!w
z{-vZ=Mh2P~0|6JL4u(p2v6!_hJtjX5;OLd#uUhtf)<f@6Z-q;5S<oNINK-8JvI4!^
zemH243-Be;9uw;<$xn{Z<Tar905&K19`n=p18Eicg`twdP#Ko*k{aeHw837&o$=#A
zd$sfoUiC6jU!t;IyovUeKE0sX@5I6DoYVhoMreCRA$6@V^bCKyGvsmt|7}vcyyWHl
z-_v3KFuebUVO24pc&d^xwrAW$oC=7OyvvR0+}BXEoyhH^tv|z`kiM=lV5RCc_53lg
zn*9}ix9h0NLH%D87!P0e%R%pZ*H-G9O2sM+a)M(j8QsMq=d)5I^`Hhl<M_R=QN#6*
z$>mYz+|QKK859PwcJSyo3xc;Onu~Ul`wkfo4iWBd!cBQ!miY&E8FcB=yof(<Zax-I
zfHN@D)U5G!^auPd*`uaiq|KL#;^$b{$N3+ZG9xJ|5$C=w)wiZkAfyMEaM}oG1HW^2
zfy^Hg_0?;h#6G;LuIb9yvH1$&r{CwOhh7;^j}lJq?*{E-QVxlAB{kN!LuUZvs_Cet
zpBi7!c*yUpRk-EleV5mf*VCE;=Qc3CWhmoeIsV4+yK5H?SKf*7NV+YiupZ^gJmP;c
z9!ffU34agaf1A&ePR8*fMs6-_C;(=w0en_a-#sPuJn%u*dw(3Xe=hM&++(PwUv)D3
za;`~ds5&hpc{;{x)f?0zQ_Vk0(R27uW*tU3Cil-WyD@E~*tsd4y603kHII<r-79--
z(EhJ0h)1Fxc%A#O;hrHESbJm~72yk>6@m5A3qHDnD%nHH9brBZlsr=2WA9+Sc;=9u
zA@wj(Kju>2pNiKHIuJ|_B`Fm6LS+vV#ovarhU^c$i$D6=aoU_p+tF;oU-#KV`W(d-
z9*2P@gwo*M$-|(Er~K~VxO0Z=&r8G;{<!Bs?s+mE7X|0?Sr4G>%SbsN#ospkJ?5^@
zl0NpbOw<-8`6~{}t#`Vf>um}Zex!l<9>44Nh&z1r3?FZ4=khy<`QwJ{=L38>dHJ$-
z$Y5mjC|>ga8SRkL<LRm-;q(&D_VGjZh_hYcB>Iy?e=GB{6{g=xUtTMV==2^%vLXxB
zd22||v?2Qn$xri0`zwcEcGZx+uY=#!NNxx9NsAfrBK58f`K`!PJjvxrey&Z*{`l46
zBBkEP*^9q!{9PwRq8@Obf|(%mcPglQf1(e$gUDTK<Tm@Non@*@M}Up`Be;(gck@X4
z#={?mKg%IO;Uh-=%oM&9{uuI;QurG9(bI=q?=Og+P4JoUDqj3<oV=$a`OyJC3BFnM
zP)|JPq4A&oLV%8>6w!V7Yr@}s#-G`rq1?^AJd`{4@+{Lc*!YUA0K)^<#-@0ec#LnP
zKR_Sb<tiS={(xyM<L4}jhCEk&7?U?WlxlzF_<IR|FU0*JVBX(m%6HqCq*<x6kdk`S
zj=!o1zhf!mZK6DxFZ!$eIygPZ;5?qcy~rQ9cF1n!v%HtY)ZDBFwfiC5b7u_M>x?@q
zN0<8`?%QyudMN*xYP#IVH&On$b4;$>=_KOr65l-BGq2-!6W#ru#JABGkFOq3CB6;F
zZ@Yotc{KXCu_~@l+}m-t@`jJ^F5IhdA1=Q8aNmvlT%(`Y_u~4cz8%H=Fz%DZy<GoJ
zq40q_IiG{SR`?Gj`0?;zeou6|@V6!S2z&{AuJE@cc=?^wDtI~mmT^=-(p3Y$0sdn`
z=yf%l(0c5Xd~C!02=2?%^KnulAN6^p#J3Ciarq`6d8I}I5`G{2Hu(GbZ25Rm6OeY%
z2S2)C$S#q3b@F~!HX{6gl@8HshJ|+tCqly<&F`wJax~#b;7j3K;a}&oyZ*{s-Fhfu
znV-0vhsrPUYs24+BKikO|GUMnOihbu$tm5nc`;4&^-BC^582bCUry}nq?~6kX_o_?
zcsIcGh+9Qu(Hf_SpQJath5CWM)O^i@Z{l}l|8IrUj=rin?r@}jbiyBmSLai%e!+(s
zlNs+#M<VjQ$iFm~{ye=t{hXpT9(0CDeg$Hz$4iIo_3yEM1gVrB^+TNyO8DjIJGhYc
zWb)sPf2!Z~pJie|$0<>k{B1-2NSWzp)+gH24*2jQcl(q0cEOjxXTO*F!hXp8QlHZo
zxN5?n(oY9DX~~fNw8S?t-VopTz8R}q+3a)ed=$t}?77YanHY$^a`bI2XP$FXeUbO1
zPx7-9eec{nWQRQRQ|?bN<B*!6MUd}B{@~Ifd#MROIseH9S?q-4+agKthm5@o&&!7F
zuK>=I#fNP8?eN!$K7TkvN=W8edGOu0@;kRCoJZt$HofnSl$TRprWDdAQ*;Q-r#-5Z
zevd}-vy*TpEg!PKAQO~C|B#r^CGL+ZmUY3O(3jpp=!A;Ce)N6i27ag0UEdS>66>?2
ztZO&=z0{#co~Zn-r~j%RvR^j!(fd7n)wSMBp{HJ1pb{$aYDZ5uzbAd&Xuf!*GZ8P@
zxAFH&y-rW4GPv(V#Ub?VzGKK%2k&0`68RQoHRL}k?K)i_tG?g(*gg@1`2y_ZXR-ge
z0C|kVp2;XrA^jO5%JB)iEqnOu&bV1rf5Hzt&#<$N0-~tidv4o6e|`6m{eaY?#JMN-
z66QU;gdOcNQ6^V`4|~F)er`y;p|M}|=keEv{<<6a9b8jBY5U@HWYk;db2o4Ct;<(_
zNBkY)SK#hX=Y*Qrzmmqstc+a_+5U<zmV6Jyom4*~?YKb>wC|-q6Ft5=<1au(S%gS$
zFwU_^!iUs{9mr?iH)MZ*1Yf+$FHs+O4>E%}g-7X`bz220j-u}`HyyVpoH>j>%06xv
zaoFeomQSqSIq>uOb4IC)2Ke;kNUz4K;#+z*^=;vCd(rvtLH}-_|Elx7B8*?2e*Si#
z@9<{kQ`7k3mHy=Ta_t0Np+`Sb5cJ<NF7ysB$h7hk6<fKMcpFzD9`iNBQSkgM@K#<4
z-sWEfw+5~xh4cUS7+4mhNNLHXNc!){@M7N-*7q3`R3U0PCZ(u76ujtzmB0#6OMCW<
zTD7k0xQF>2zwfT@*PwdI`B2#R2Yv2i%2VpoUgYxmJ$E%O#N|GrkA(`wE<kE#!XD%(
z@?n1O-7@`4T05XV`S-KZNEzn**V8e$xDxeyaCw_pe|&4mK0#cZNBYBZ_&whq(!ay&
zRc@+1m&p5S^W`lRk6Nqd1v}7l7(LQlPCch`;8YHr%7Ifka4H8*<-n;NIF$pZa^O@B
zoXUYyIdCcmPUXP={TyhTo3E6X8FWIBEjoD|9IL-t2Qu^3r_;^%*b{~7(|P9m=)dw(
z8qWpJcZ0H3Bu}PsAFscvEeiSg_Y?Z{>g~RK`D)2lm^>Rs=PPv1th;^s`xwPq)^QU-
zju_N4&fwVw9gr<x^&HdjbM_kYO+d2$Ezc+o*0~0^1@qM>htD<NWot#AD)ql*oo3Jp
z|Aej6b8Jk$a<R>KCqIvw@6E>Dc>jL}VN(vN0ggN~Us2~6yv*P=28#_YHMq*)T?V%p
zeAM962A?<hqQRdV{FA|d7##UN6TZRA3|?cf*x*uws|?;{aErl54L)t~d4n$+{JFtD
z8T^OAk!P9k4PIvO8iU0Kml|AU@GgT}3_fb`X@k!je9_>~4gSgCKMan{GT|G%%-}T!
ziw!O{xXR#N236rD{rC76bo-p}LD{k6e8u4G!ousrlV&ft`SS2JQ>IOs7QQNX+BLZ|
za<8&nE?31}rspPU_5SFmx0vC}PjkdV$tw5c{Z`DA4_Hn=kgUv4uh8u&KQi7=xaCJ#
zUhT_Iuj8~!xBO|A)4tvO7|ZDg+<Y+JAG-Om)-lshy7|+sR*!P>TOrHoN8R#gSgodi
zb@Q3lzWGJTl=|$q&a}F#z4-T8PQRS&$#0z%?~mPlmNm|!fACvpTVDN!-#W)S_J;0P
z-FoOnO@Hg=$5{v8^pa;3`I{H-j2;Os(vJqLH|+$YKS{sr#fRX1RwDn;F&<?c@{+&I
z$XmI({Wxc((uzdSZo{jyQn)JqGORPK+)|zY&iKYrjFLY#P3uu-sBq61zI(dn)tM(;
zkKrFR^+cUr!u{FsP1kFAbp{ESK}JY?@^93<I#Yx{-|($Pns<zHuXgxy&8xFG<mC)m
z=^2;LH_K9IXy84D&s?hI)!7)l*g}eY)iTYivo81_7=Gt%npbC9@ba6hBLAcF^Z903
z>TC*>cQA!Nc4fZMmO4`cFM^l+EHn9ergG){72d17W(~v7S9;Rxv;203gnM94zR|3q
z!tj}M-F&0rQ|Cz^R{GDgCYgFmGS$<e`1JNAzr`ToHl^tQzLHOGr+<R?O7B}r{tWA|
z=^rvpxFh`D@|cNw>Ny8q;uEgOR~npo)YXR1HGIVAzik*jweV72;V%^`NoTa!Xn4!;
zPCP$4jGj+8dVZtzIP#xy_?I<Lq}8*_;rF}wuRHvY-29Im{s(UURfqqc;R9O#e>?nt
z8J_R*3^@FE-27?ylYH3uZOvCHY0J9U@RpGe8$RO5f5Yf8=_+vey>5Pi!|!qPl@9;B
zn{Rgb=M2wxd0HL*S;PA^|FFaFa`QV3AO4A(|DwbH+VCd+Uv>Cj7@qI)eAnT7-Fo)J
zd)4!w!At$j-;uBUzh)ZP>%++Z!^n3(ujQXqzAWpE5#IXG9)_O)FX3kH*Ls}sLhg!^
z@~!%(j{hX1fA%nXmJY+;J`7)L^uKdL>vz^&Ylo4)$H*VPG^%3KG($&dtKnOHnxA17
zM2{K1`&`Y3O#sggqkk{F<ipMj3Y6k(liptqBmd`N_`eUs55lYb98;t<hc%35!Ke7w
zbv!M@U*zx~bMq00|Dl^-;P78`^HmQ2K{ww3?^O@i4a095hX3zj(%UwS{6oX=+u<c2
zE}x?F$22c%m*FonykBRV^&P|K7(QV51H<V5`7nInF#OSB__yFyJ^8w>C+aRI!XC-O
zS>nHQs*ZoYiO*T^Uip09FnkzZ^dGj}`lmbkbKUy$htV^~$ahb3%P%v0zTsO<JXa5+
zXAQhcuUw|hqwXXEHz_^mSyg5};Pemo8-C|mtCT#MqMi>sywA;l)ZtImYC%(w4>|mC
zH~(>m|A(9Zl*2poYNO{dhd;xFYxpM|KIrB@>+pUz|CGaza`Rs>e7*_SsfS;K_bT^p
zc*)NL7wY`v6@T@J4ZraD7inJIDTK>G!ymp<^Xg6&_`evwsX+7UP6+sa!h4158?E(Q
z%e6eO%B$!7hHo;wvhBx3=GPLR%-glRvaN?-2ru=#Y`U&j&UjI0_-%%F=CSu1zRB>;
z3g^@CUh#YqUcx=RT8I0Rj;6KO@Vo0YuWaOT`=jBz>ou=z-{A-0C7y>(xXwP;*=%45
zpC8fjf1lAm#qeRnpJn*jhPP7WtKhxjUvK1_QuO?Kq__M7$V+;|%_g5sdwJ6ERV|uV
zw&29+zYJftUh~RU8~zW5KX#Aim2EZral_|t(Y&&Sh7Yr`sLJ<an(u~_r^N6F46kgH
z;TsKK_OO;$w#D$DH2mR@YhKv~!#@u%`F!A7cRufj_sX|l8a+*))q0MiL!P${U-dc7
zk1+Xj787`hf76qiSGK6g=NP`VQ}fDJ6kaZO5c#sFHLq+y;p+{5><gM#Hk<HU44)~N
z^z$eiOK_Lrt*>Za*;2y4X!xpUHLq+X;g1-;b+_if4JS_q^AU+p{(op**($=n-|*qD
zYJRtpwyf(7f57m{rVzJ9hTr*HEida#dG0d&?!%f_wtVo989w(9ntwz|6Mw^Z8~*c#
z?>Br?pO#m)cDRjWV_emrKe_c38-AzZm2DjItKq%MeT|WCvh+OAu|2!j(UYP1n@xNk
zHN551{2hkh?dUQ5b%y`G;ddMUQp3LrFZJ`-EL}gH{^1?N?>4-1N86cftcd(J!#n%_
zR~Wv@@J@eNX!tV2JLd)!hR-$pI1`_BhCf!I<8zVWA2$4f|5Mu6fJa(Y_rJS*$cI7@
zL=e&NjUee{v%Bo7lsBJj*xhVMvMh_1H<Ot+$+(l5VP>*lB7_eC(LzK;!LNvjTB{AM
zLPguAB8nAju-ZSg+D7YxRa%LN)oTCv|DAJwXY$S@Y5P3?d3NWW_jk`d_uO;OJ@?#m
z-<c41c|JjWmbmkoBR);s{q0l4OT=CNVYDOt>Tlrl9O+ZUT|Y-3YxGUTy<cY%UkvN@
zc@gn>;_h!Rcbs}~e_JFzLwX;tTZs=7KaKkNDDh_EXAysx_`<~|kMsFE;<Lm(fAw#~
zr-{3s55vY>^fOG{`M-*Ia|8bii7))VwR<Mz=_fuz{B+_u;w9p)pBsobQ9mb;{sYAO
zN$>jq9Pt!!KNtF@^C9lz_%!jwi%d?}gZ%MD>F+#o=YJ9wbirqdyZy8hpC<11b}8{;
z;;#P;@n+(#hiibZ<R9J!T>Q-9ot>%yeKr`MK1M#X%ny6JtL4YOr1ZxHGyi1$r8<MZ
zQG9vcOv+c1=kGxu1TS5dPyVs;S)Mo6-`)m&V_y0Y9q8rx?Gu5okyE*beDZ67zZ80y
zzPeom2+r4cd>?>#>Jx@<CVmO=67yzjiSHsle~Rf-zw3pvYlzSNXQ-4Tq`!@LaFo$c
z68|{y)RfU<`snK+;K#vELhd&`9{w8X=Ra)pFQP!-CqDhW;rAJv;3vdqzHa?;zxrF^
z;RlTVRir->4n*{`NICn7pH6(CWc2HZuO~h?VEAt07ZVTe>QH11>$kivQ`|l$-!snt
zB_^l);R^BoXF?@+zi|`ssVfa9``}LE)At%5{Y`t+yq9?M$Bo|o(k$`edkjAtwDS6r
z;`TZD{sie~sW+$pN8+g)LnZHHrC&M!%MIVS#tIIHBf=0Yd%a3=<jMay)H3%!=M$el
z!}RI$uO~iruHjSU*zNRZnH~_v>uWpl=D|?!-Ttp2K6A0rf9o)#&na%7lkeA(e(||b
zVfO~N6K^`h`22{KW{5AGWpZ9d{8Ov&|4Y*MpJ4OldeZ+h@zQ0+AL`ZDGtQs5x)+rE
z*747UO1EC$gWzZ=R_wg_jfT6PPsNAhf|G0KO0Kt7()V9z^6PIPg4adFr)Er^m#?t~
zw!<)*gXQN|{iL72(dgZ7FDD*M8$M1suOdG8B5U_v;stM)d|VHEiO-&6dTS&7oy1d|
zNA3siB_6!T==}kUFFF6e2$e%=tugv0@sN6>nFRk#eCAk_)Ax@*bNq0_^}DKIC4U@X
zCHp@fg2}jqQ`YWpsm~3>=Nk0(dg3$hGWqqpG2p+A`20cR<85V$_y4Kk9|o<wD#TNR
zCa3-uAn@ymH{WLCg0z6XZY4hV9m8>}ue*uQ9&Na{d%xo+o1FTcX4H6ucu)zozP$&*
zw}}tG*$_FOlh<z*x6jG<W3bezJ<~ofVBsr>H+{t986y4~;=|uH{0`z9h)-ohMV?)2
z1v?cdQQ|W0eEuj@)W_>B#HZhD_+{ktF5<zt*6!a>p`ReWKz$x$8$Uw;?>Z!;mszDx
zBKG+!<g@thP=Oxm?VG@l!+iW#o+JCb{ugg|tI6|cWcdQ|rbBGJ+@BnUg-P@r{Dsly
zNPjHxkn8>w@n*$&len~zez9nLzRj}VCq7Mk^Zm;f;>`uKPd^vFlK9k-Cg&9S>?6K#
zX{gBmC4LQXi7V!>>QcnxirYy)LpyQ5^fBTA*E^3BK2JWw=b7hsK3^vN;<&Y2qW+&H
z{dd?d%^?t1EBajchS3kJRKSSOQvYS*XAz(IoYA{H8;LJ+UVDBcboxIuJ%5ONh8(9q
zJeT+g@e=*;e&TuJQy;K)ecivF_;k^5{aa$Fb1(7c8x21an7qE|d|qMl3>qAK2e^#O
ze=XQJx;}sGe69_Z@~hP6Aqdn(Z~csye2%<=_|!4RXOjFcBtG45?H*2i3-RGihRZp(
zymmSt#vyka9E=j5qy8bDz9xw;bQ_=762FCb)0aa<4kQ1&fHz@2Ha@@cA?N?MM!!{S
zAzwtid7at+>xln3@!_``{TGP;gY$W@$#Wa=r-_G0n||)2JTDM$;`-v_au_yfqUY50
z#^+7s^D^T7J%)Q6bq?``ttQVuP|+#ki+Pj(dh+QY9-M7_e!0d9wmUuNqw6zLoRt%o
z3hC##uhG9<jq>Y>Pu(3V_0_ENcH*Tm!^en!hIo)S-23}o$A514Bc%Ti#d(vsyyTUp
zx4G9@zy6YXK27liAwO;;{o)OwBF7LPBtA=j_<O|vfcVsd_4Ip)58rI<nwLW!k9etI
z_(kM%v-6>!IfM9}#HTMXJMsPU=birttX=m%k2y}e^>y~!&Zo=9U4PpdZTu7Qfb-}c
zw)-RJL%Y3#__M_OZ#DTn4tariDmMJnw6`O%K@hv0Ki}kkaE&p#436TZD?C4T2I;4p
zjs9?s*M-DqzaA=s3i<RZPT>-lKOp^7i}m+)EXxs}zadn_{o6j`!wutjJ@JKCnLO8%
z&&P;|zc4;sl;?BAXAd>{U8Mgi@wtY1^c3;ogT@Exaee(O@&4H4*WWHi$$vWkFSaY4
z``g1{0HWvM3!&n^F1%cEh3ekUCw+?aQ<VSGbA-?G*Jjesy%1{QNgS6R;!{tUJT0uc
zbCq`YkUqG<=-t0vM|_z0Zt{6A@tME2b}uD<FY(2_#%GcE7ZvAC;_?LP`xy_smu3Iq
z_$|g~2k|u;?;$@!f9rnfWyG5zqyJkP(CNe%Z#Vor@@XMH{EUsG{^lFXLgEYD7kiwu
zRdH5MT!u-X`c$asIcu!2LVWQWYxnP1=T_oVcNktJK0`d9Uy6u-T5;YaE?*`6;!i?F
zG0pY$6!HFs`SK&;A^n5LxBtEh|Df6Iw*Lgv&lgzX7~;+JlfI8Q#qqOke(7)cK%x}!
z#oZz9@Ew1B$2m*0@oyS5J>0<Y8YDh*y7AH97DAmo@#%X)+y%jF^gRf!Z8km&^tV30
z-tIWhBk1;m`-z8?=a0zePlz{jT!xAN74fMXLq#55V+BtUFAW-AHaPef$G>5Ck@$ZS
zU*vNyuKy!WGx--kZ}jU)e=_mXXAOUh?Vd$^n0bsQ(x3124dcE+aS|miy`-P&u<?EI
zS}VMg_}p};Ko9Fo5D&g-_|wF%C*E|bjo0<W?^B#NiOZimeWhJdAD2gn&;Op`p0|98
z_yYCg>;5yu!!u3(``O0x#8bZs6*+T_6&!Us^~}7-ne6WwinDU!vWfI_2ip~Wlzc8B
z9^4ixej@QJh);dc=zV-go&FPs<5pi4;&Zg;6N%qKymYMT)BWm49X}W<rTe8nC7xnF
z;q~P6DDmM7Iu!B0>GFj0xx)B-i}XJxK0|-&@;s+Fi4vD1&M<w>FdoM8r>|p(PhT0@
zy}`k$#24vTeZTWs;&Y@&+DBh+aQ+)iZx63E{8Hj6+WE<(-|h4dgo?O5j1v#<F#LAX
z?{l2{>yHt?QE}cRE_VT!{nr%@`>&6a&pi2mhIKwme3AJR{o8gZ`y%oFiBKuG(tf^2
zyqR|H{rV~K6ywix$^TcxryA%FJJZG`^<m@xKGMI8`1B6b=Y7P_B|h6QUK@!Ivt5rp
zLg1o@p$0t+C_R}bE>}CB)(%ClW!YO-p`Ts_zYn;yn_b(b91bO)&nrFh1A+DHO~fB3
zp2~)bY$5&v0#1p?Lgr(eiT{A~VI@=~PkVdb`5bQi=ShFaSt8F#!D2(c=tSVczxgZ1
z=jEh7pLmIRp?w_pHxQpb)b#U1;@gQYyu#Y`b@R=RKW6+R@_!5QMdl^+Z=|E_7UJQo
z(f@$-cM+ev-}qld{G-I1xli=<XjX9&B`#kj{S^I@_xB&2|J#iJ#jNx6DtvxJ`h|N!
zr9}9ruNR$d`kZCF@rT5ZCm!5o{5#iJ!MVhnra}eWZeK@y@h^?u{mfS2l4ofA{>T-i
zPjO#)A=@1xKDE>MyPSIzCsE>Z9qH#Uv37sTvO9<`q-@*|5dQ%2aE;O5MEsM)OHruE
zyNN$SyqWfV3i0m}A7(z}W7N+NoX?}i$L;M`#G4N5R1S}j&ynZQpFC&ue@6Ti;=wyj
zPR~D_Nqpui!(-B~CqBpZrH%N-#QS#}{YwwCf?mZ*l(<|)`lh>$p5(y<@zgPfzl(MD
z6Q7$475NVFTZzwde{}32R&XEj@GVB~{`oQDP0twa>*L=OFEy;cKPEoSIPJx3_t%Q^
zCUH3$j$Qo5R6~CC)x?|2*6z1ir=9rlu;E{){8tg5<G5@meV+K@Lq>n}8Y|cjyqPq~
z%Ppi|c&q7iD+}*dJV|MvKTG=A$xwla@;pjB#d+;<`;)}yFE#qL#wPd|#d(vs{EGC8
zXWD#u(96K^xV0w*3-rSdzXZ7GGj*-W{{Rb4CtiBL;p>Q>PrSLou3oRWb6vXjIscP7
z74&&}HSw83sJPGf8;H*{{&&A|7xCdaljr?x;uFs2^Tx;h@E3v0I_TfyJCyW)L;5+&
z<Ly38yy<e|b1dn9Nxa0kw3Yap^Gt66<If4=CljB4sp-G6#tP0QK6SX^?pHTEK4JJh
z<g-n2-Xty~q+g)F?PFP<c=LItXZ@{Jl-=U|xxQ>B{awUoZ#I4UJpBmqMebknr2jPW
z1;!@`5A^jA@%f8Q{%46lqBw67m+z9kiRTD6vg}91n{N&k`9EIgeA9DygW)dc@s6Ku
z?ZWK!^=jfXR~o(VgVqrrKF;)`zXgpN-NdKfZuHkF7v$}UFBXme`D?9UoOtusOm9bW
ze5=HR*BJdN#HXCk|26&|7u`X;Y1r^ywtElp*^=QY;-4m7>b7=|CjLd@;q8WdT>UM@
zNtC$!i1aDW-```|^TZdpuIX>2qwHubSmGZRheD-%2kB2BKF{^{T<Yg^;w6sD+eqI+
zy!kxS&tt@2M?83u$$uRA>~MU*@I%&Eg*OtPnGO{=iF}Gq&*zJLJ-yE9A2&Ywx5!cF
zZsLol8~$?g`6ThFXF^5X-oBtXi4vD@I)Co#{rRPz6QBN)@%b_99C?B1bDsI7J;YA{
zuKtSOKY9c4Gf3a`YLoLbhgiYui4Sw1-cR}g;<IO&o^h+MHxdt@4)y*%@~IMExZUtw
zT8f`zN8q9B0_8l4_>H75HLSnyA|9M$?QSFe-NdK%82>8q&p4l9n~(Y%q$v9a@#YU0
zz5D;Ch%er0dhqkX9};gmVD#(PSObT&&~JR*@DYQ9<A~35e4ioy71V3OA?nNtqeSd-
zD(Oo{Sig3#^c><%uQYj%B)*RL^fjR(-ypu5_%QbiFb{o=5uZK8_<P)P8RN{E-caez
zH}W7)`qaA(cl*4C_)NpO<n6@!=?~8&pBds)4d<SJOuVVb`sMNG=ZMcy4-Zk#Uv`}H
z=rr<w%K6h@IsWg&o4L+fFYx^c;{CM4caYDE;h@A07xtJu8`fIED-<VD;&K7$gF}tp
z?QOI3VIJl?tkbs&pDgL;LK~M^(wB%Y{&lE``;D84_a8L8iS+L#-aK!3GY9M=#20Qb
z{0P!NKs@}o;g7PvUm-rlxHL!ldE%uHS%1^Szel`@-|P7T@t+cJ{*3Y8w#Ewni}*Cx
zabMq$zyc)tpXYf^iu5NCpV?;ZK0`TQO*}Z$@OP2^wZs=@tljq!znJ*cR-?a+a_%6$
zNPTt@&pAEqvzL4h5^p-y#_KuK-|F-?go?Od`V{eyapvWue_V0iBrZQ7{qS!?McuBR
z2QGf2@%%kNps4F6^XkWw*NMdYIe+gYem3#xKQ#VtA$}q8Ii3TC>~AOW1<K=j;GM+#
zdyG#%{rr{07a6Z!Nd9G~r{8ux93<Yf-t?(|GZ}S$4aX(@n*N&c@1{JrIsZY!_mKa4
zh|laYd?)dH9d9xJe>wSlMR5`(F5f48@Yn5%Uc?RUv&8$E_wfAcuZR!lL#6+B@;YH1
z$EC^m+)ul0A>Mqo(f^Y4A@RAd8~vY>{!NZ^Jwo`ZuW{$|(@^h!VsLPfcoXp#6MrZ1
z8Tw(*FMWh~(6G<?6XNrKW%9T^f5CCa^XR_59w9#U&QR~yt}*=YiO;^#aF3UMLVV#(
zhEvVK?;PJ}?S7kjIF@n3bVEFFn&Q@0@_i%eQ{OQD8(0{wLch!Dxli{vWQ2IrTC-30
zGX>%$uFLPHoNpsO#dX2shdZ2}`zg1dyNS;oZ}xc;<@^$GiPM4~7=9@6Z<2m~z~u3K
z<M&BF$GFbvf9m{iFn#us&o78Ky(?7YRh0h);{ES4dOxQ)e!baq_%@^eXYx7E@wXfO
zcZqKx-o!WrJ<(Se@mY>LmIHnL0rB~g@qrln8Yez=pW&M+=Z((iEW>@g-U(dtz`t(D
z1AmnC3#~@~<Qn7uC(eiQ1HwFgeGiE{U5|bq>ivMh!9%1Ezhd|~<nyTWVO(?{=^rQF
z^hu*Xp7j4je3<j@WctrV;xmVtoVSxt00S0zLZ0J)iulRIr+KdJe)W9fGt`f-`|F68
zm=A=T)mIns)B~a3XABN5b9#=KkIS(0zs%&st-kWa7p@BR{(6Ihn}|2R!|*pz5AS#S
zDdTe~=|AiA%){VTUk?!vziRYP5&tsrnVq2`BgCH|K6jJRKTP~7;#1Q`@B6!-IDW6;
zclo>^zPP4CIlNTggW#x*HZCQOyU)9mhzIn0FC+c=j^ASZA0@t-_}mtgQ+`KAUfYQ`
z-5%=w>-9Yd-l#Zl5|@(m;ri?L{0`#56`@kQem+cm{wQmACwbjRe1Y-2%l{DZ;jbB=
zvq=9a@x{L~e4hAsiO({xW#0?J?*$PLe`)m3(f)to^vnnPI`v<~ORqM6=y{K05Mao>
zNWH`4_jz{`@x}KU|C`pBK<5%K(a(2N&JD!p+KkWlNPjW$=?9I^Ye;{o^S{>Ue?t15
z!~^bUeST$#FED;Sjr3O&pJiNh4EY~)KFpt=N&IHw;o~OH1H?b5IByb{2S`6WWb`+)
z>|x?FA2s=ZNc<bC@cBOJ`)SXEr2hr+xqmbMp1*q0CK;FIuTvC<ALD#Eoh0WFpJ#si
zFyfnlOFp?V?(HJ|%r2AvGt_54@!^KN$D4?!z7;Cxr^$bucoXBCgTxOIFFj=RhZDcq
zamG<TUhg43-(>cA8|m+N{<oN%9xpurT+dJWJT}cg_zUNAw9&tle7-|`Va()tGx1*%
z58rF}CB)ZmHvUh()-2rp(#wF$d|9MF|0(shfp}?0hjJLCKo^nE_Zs+Ybw13q{fzDI
zB0m2fli&AoIpR$`KTVT<Kk?azLq(pTJU0=asTiL-*II>po&POHe=X@BB;I_a(f<+g
zIpQUb3${`EdW!fWzn|rL`yp@{m*IwU?dM59{XygJ{_t>YU`3y^#P1;g<A_gPWb__i
zok~2U|2d8H=Q&RQ;C`l!cyLdslxLGZBtB37;Q7p5#G9$Nt4V(~@x|+m&q>7ZAU;j|
z|9#>gQJgo4%b$^cwjmDxD)9yS;a9WHw}=NkSACNBKN4SjiOrXri2sK8@QmrLnfTFI
z_|(roW_V_e6`TWH#_LNBaqmXbH+?WvLf2b6@hN^^a)SJK5f5Hz{9i(Rl=xgj9CbDE
z#h)4fLusFHasKpg9(Ua)_*!uNp!N3!@_!HMgBy*{al}7MJVm?pxa(2k&6Kl;^bc$h
z{Ve~z$|p!)Vm|69(mzRjj_c0D#Q&A}!U-nl7W#pgAW<y(pE}C?!-?$gDa2<EhRVU?
z`STn<-t;*}2YQL(Y%Fnkqtmm$ZvSQC{e#Be*Oa#spL*Q*pGaPJIQ`p=-uc{5Jp8=j
z2($HdEf!YiNk}gbl79GxQ16}pW5gFS)^6V#Ee>v_-OgNU^kA#6zf*eNBrg9(K8t1J
zb27_*MLfmlqOT)<1Og$^e-r)c=ZH5co?y(6=K`1SMK(VdE8=$e2J%^Ce07*t%@uOh
zmP{~`KZy73@kFtFprw>9S6fm+C6g``;xh09>4|&<v=W!2N;RF2qe^a~gv*}zK&8Gk
zy*F7HL{a}h_t4PpsAp$i=TPsCz9?#GYi(UuUkMFG)m$|nUmlk$xnd#8=E`xVngg%G
z<ito^UV%J47LBJ1*?hdbY$RXI?1><LK3$GR%5i#6y^!T%J|E=@*|<<$Ubza!ljYp<
zf|^WqMU#aDH`82w=SJgdW<1IkGm{f&PnykT($!*pmyBpMU)&dEAe{6aT7as{^%Aa3
z7Z<X1G8t96kQraGnWTDFsHakx@>U+c)TY*8BE2Ur7bjpFnR2yKog5v-$0)kAb0FH*
zJ2(_YK{hVOW4THdCR3e=GWlX5u7Dz2jK=cCk#s)FLJ5^9J-I)~6vddTakgdS=GKiX
z6Gfx2)F@pprw>HXWBEWZT24>IQFd}-;sB~7?x5pbwT?6$SHx7u;sT`H+P(Xd?!KsV
zN8jL3OY4Pg>w@Y;7I?gWJWfMud>o9c?E~9eTersLLY(i4E1ApF`N`OZcYV;Fhk>Q5
zaRW_q_G}0;>2fw#7%hTbr7HF)Kvaq2Y&4N}OpRVd3uGq6G7}F%uTV=|*$Q-jr86p(
z_T-{+B^_i+9ZNT*axohfGL>wU8BJ@kBI!&fu2iy+*s7%4tV$+^CDpj;U5%aHRm(8F
zi3ylpT+NC|Q5Fqj823W;`yq8913MN`_g6M+8HH+Jx)I_!nFLrS(t4{vk;sc8ky%Z^
zs&roO^pmOqeOiL0PfK^1TpB98B(83ctLXvQU$Nlc4AweYiOd8*uq9m?A4-qp<Idt_
zq3T4{+#b}QR6iG2tGU8h1^4~sT%p=t9vg_S?oY$&oVs&x*HGt{7VII7IecOfo--4O
z4sa2<r9SB{43<;@bdT6oe>ujmSL9}|+z;l)3SH@HI@r@qbL@&snBQ?Bb6^{0QzcN7
z$q9Q{X@755Ck$~6Ub_b}^yJfHCR}S!u8hLkYJJFHd?%~9yvQRXiAx`P1=huA+m(sW
zxlCNB#MzDm0_QH9jH7+I>UeRo8ubo#^wrUJL7;MOWD+yCfxJe$r8p781Mic1neu^B
zRpvvcn2m9X_s63mPO*|1Ps_A3Eh@HSFzVbnFwosM6m|6uME&hUTLNJH?e);Wj_o~z
zQTO(KtT0Lw=fx2v)+=X=Yh^s$%1bm^%0h2GkWzy6EsF^|2E~aD0b0k)a^iJ0;*oSE
z-nbrw_5rRbgXvxJ+iYyNn9iUPHv|KWs$zGQU;r*C=ouUd2IT)x3jbU2e;xj}1wFX$
z!F`W@UZ-`{uVvv#gAtg?q<G(nQZA}Yjzr`6l760;%rAW|7OJ>!$yLf}oIeQZzH+V_
zD?z?UUzgBTl#Rs=N9lYH-D+4f-I=ejtO&2DfI)>HUSYXUty{lh!Me?xHm_LFmTFxe
zz_FK>f{%D2SCys2TDQhjaxb9hwRIMu0g2g<8X@@pcfzi3T~Q_oyJ3}r&8yYeyeUwH
zi*2u@nRS~twkB;gN|$7=!#>8ABA_|~_;~T}OQrRLq#@c;tg$?PFajN_<hUDb3x9m|
zB#b!bB3nnr#^Z@n^#H>wGp<y<kP;|Hj57Wkb_p^}nG)unE-!UWDvb)3Bw0zBZK<~P
z0S6iSt}~9zcq{>7EoQARO&8Mn0|#ODiGazi#mg`x^_6TU$w(!mP_MRBn!zNj#hLZR
z4WVFtVKPXI#^I?O%-C8;2C-g$bt7^Lx1wd8@`9B#kt<{nNn>DFYEw9`Few$TH!Jv`
ziF!>g5haJXZv2*$>|Kh-TH99O*I<3pDi_A}t5W~>%^OFjNw&Xn1&%d8WOFcG%DGLN
zElyTPH(51VLSgyPZI-6QtpN*cpv}lwGMdBIYk38Q>&aK1D5<s;-4SNc$}X-gwLY~<
zjr9_)ujKPLtn3uqQX5ulW7BG^R`IWGsm&Lz+;}Vg+{ubkwWe09(Yji}y46^%TdhXh
zYCTVFT1Bdjt7x}%<0`sp-L&$G+Sa;xl@)beY8CCSTeph1>)KYal67sXwXtE9eyrQD
zTH{#%Rvf6*YAV5!xpIv*xPcW}wc#(^tWvOw65H0V(!sWktBiTuDzQOZ+vZh9a6QID
zX7EykqiZl?bPY_Sa(Z7hf?YLIA1euuXheF|Gtj=hJL>N1!hYK}-~PF73!Dw2uHAj@
z+j~1fl_)Xa6h-)RK~eV>a@*215JZ=3+tJa!E!xr3GuS;84YhY{>yCoXbUq{7rk-M1
zwkbi!WG<f_z^+5~_4(XLCdyPMb)Qbp=4-#U6UBQi|B<Wa5MUmRgI?V(b!KvX*pFBh
zDgpZz$XUXkLwuU-=eSqGPP8M3rLeEFb4%2*ZAa(UXt4LnZlS<#NcU^9587El1X6{-
zh0a{MBSsSv)kmd0nM$jK=&})!?bFcqu4tf=mYsGo>X7C^Rn+YOHaQZm4<0}&V*)D3
z2OZn4jJl<`KJ}!sBP$WdVR*^5-j2>_UCX+b4I*17HiG?=BYTDpl;UN(Ng)`T$PP*V
zt2ZlR?QY+`ZIH^7(xuI;l!~?>@f88|BO9ms)<DpimiDA#{oWBdl8Fdej%-=jOqS65
zEoy>DP?R(2N}QP}En_xWVopx?4`Mutjl@W<kVYn^x6+@6D5{v=!d_`y)Bx3vq9Gj>
zX`+xR9jNEu11bzojR+r94VS0OxwNFfw5@yvW2yBU<<mh!Nt{N<5I8S4vC2-JPo1M_
zNGY1bz{%*xSsj;LdMLMN$LOfEV8hU9@!FsmXr-FPzPDav*+pe@dm~&$i-Q_d%7AHx
z2zjyn8`lTDP*Yc~teePa9O)jc*3v{7xrXdy$&9TQB8<V@%EclBC{H#(k(eg+i9I?8
zItHJAqZJNgT@PfY>aGzDOEw1vosdVeX(*S0ZyXd6r+dG#M22f~yQY*xFUWNEBBK>d
z<O=9y-Hbs7SJcsv5i^}YEKEa`nk9$^a|LLym<^!#cuxdoOVbnPlN&uCqtTD-C!7VW
zz{c6~xy#15yCCzk7h!gJ(x$aaF^KeHdJOnz(Rz@RS&a0wq*r>gm0)5IGP=tLS9Z_{
zw?%+D`$ay$60((AM-xr-RICxzPYyx<-g?g9<_Zu8B_3%TcFmZ_6}caXE5*q&wsyfK
z@VCn~F6xmf6<|Rq7aOFOStN{tuI`@po!f?@?kl!*w|8|9MDY3DbhCZMLMJ>{_x`x2
zGHCf_?kFbU(~6cI(K#S~Nc5yr0F9=z^<6QCDJC9FZi=eKXwr>A!gSfB%htW#JZk<N
z1}8Zd>3dDwoqfHR?d*<vyMk_6B6=a8?Lh}M{|&vF^X-u|Bsv;wX&>AYZEwFK+Sc6{
zbjsci)|t&^)mSQ6p8Dc_E04KrsIz^j`;r|4yJaZh2y>Y|akayiTlXmvl*jueK_*&(
z0gF?ms~C}$FY4@V*9lZC9f)=g^=zsZ@s9j8R*X_UeV{{6PlD~(LXO4a4bYZJC5xG_
zI|A0Hn$cNVW;o%r@nX4lGP2~u(@UvdnJnsIG<9f6v7LQ82fMov91NkGWA$^|Guvvd
z(mSqCGz=Yi)q{^{1@++ylPj_~(=Azv1h&NmHQP=kxN98EjfxWzqpm4XS=*5Hv`Z9`
zu1=QYpgo)I!Ad_=L^v^ua3V%_E-lsIo^?f#VHd|Cxh|QV%hk3;4}&zNtBtT*%ljg0
z7$cB!A&Z_#JIQ%Lle(gJNj_QfW%`&^yH<+G)@aXnl+;aWzqVT{Lrpmt#kohNAs)c|
z5yn_n#m}K5I(NN837=wCzvQx(kD^g*!(oIv=50AlK&))A1q36p#aGa1Po+Z_YE2PK
zKov#%5tCInuCJfj;(I#v48Xj<C|&xv%uhmL1Mx&!4tE$GBw~xn){W{FHu<nK12VD^
ziT_x`Ch2Tk>8zGHpM1_OUmKassCX!;=>t@cIy-x#&YpIkMrJCoN41i8e@T~@-U{Ze
ziU9+c!lCkHK~8SO*x<En43@&r+LDY^u%vM%CsjY>mS#-4jinGO9~bKNDF%y}%9oS&
zOuXL)pPGSj8+XqttQ^B=m@GoVv&q6iZKaXYqJvVybFXQZ2QMn#6B7%Lp*~9}=~_*O
zbF(4R)E|eaTN`g!X5f@EIz4qtVGOp%SuE=kD9Q3<!F5G822t;hNP^RPZ8Xd>pQOo|
zM{|&t5K)e62-ArbsESjXY&;l`$q}kpad&<+s1!<aE;Cx+$_n#nM|C_d@5GsoPo-e8
zZJn4fJcjf=DS<ZGgV~bLRbn*^WNKj0qv%gV22Q*Hf=cnzkg6g&D`y&&2KJDswlNtj
z=g}e#)zKwsb}*v(;K;9ClfSxz3|7lSMbSVYlg5HHOxkn>oxq+boy*sE8m;V5@7yg5
zmii(<T(iV&WcFbW2il4HnsOwe0dW*(MmQe^5$a&au4Y!75j1?T#a>0G61tW26&>kH
zE~Cp&eZ7RYm5@PH3b%5_V7>^Ifd}S*?pCxGB&~lAfZ>8hy4bGZsEBH!dLWJus@Rj5
z26QL0w$Qq6Q-oMay*tOK7w2gEVMTqD6Ef~YxvU?a$t~0+8!g(PHVH_&ib2Ny!AQ{i
zU?QHV#4GFzEcZs4bxtm=_u@-cWoj)d$&$8e?rlW}Fs9>IKW_c$F|3w0hv2nsAz;W*
zTZ0j^m~kqdc%!j$aUYfkJw)h4q%9&Oy-IDk#R2je0Q5(EW_|mr9-TP4EQ)S2xt)bc
zoE-YZ-i?PwI2aP4>N?a}-LG1hESF)YW<R1C9erO`q1&bHH#qn1;F>CNlMF*`W5BU;
zKZ~ny*PShUK7a+MoDC47qMlB8U6GfqXqfMCT%f`D)`H*O3f$)o#Lbq%w^H6=r!LE-
z?b>Bigi>0NDuDaUrMd+VkHn&6^&81_Y92ynWrM3kWEr(@>%FAUvKumSpe48%*@Q4j
z|35|pln4_{1yU8mmuj$Y!b)GoearAbcBsyFXuTC|+;UmiNp>=WQ9|5fedl6t!-cIu
z9EhYi#vGD^T9w#SL6-BGNat2q6D5d~vBJ4zp<#1@skJN%F)-K@4GgwNUF}2d8uCNX
z4y=BYrCoBIxhtK+RGx@s=rxqaW=bO=Hx~tKMpUuz4(5ol8O@E=wjtZww_?lGxuZ+d
zNeI|$Yog9pTQPMruYKcaB!QJ8atZZxqRR){Xwc>N7fX|QtOIB%(2igThKdrIm=WuQ
z5yc~BP*Eg#gvnSfPUe^Uf2{V^TqZeDxO5;Y!Lukb>h&`i+UhHovH6qvXVIA1BaYA`
zm#wx_gcwUHxb5l6o`gCqD}jN}!kh4+CGHHd8&XHS9}gly^kqW}wz_aw0F6C4e3Zss
zHj_2N(4^TIe1az>>a$uwM>;F625xL3tp==IWE(Fwh8YY6caCGj2AAU-44n+vWa8-t
zhETO+WNj8;tr@Mz^iZ|P!etMX1ns&EFAbE238O0oBce)1EwbiVxXI*Pp?B}7rc;Mx
z9!Ug+|CL%GwYPOc1P9G6Lc<nOBbv^1DLs<QV>5#tmS&Cm@NiKD&#8#f)O@7QZ~!7@
z2du!n!DuyZG$L-kX+j!3)~3|bgHWDlL4V|Vlp00DRz#je(U2%3yJKvPVF?n}VJuXj
zC>oPTjm%3#%u&cZsTMUZ3Pxq)v226F8D3}X6-~F*))I>>WW&~Fn+=^Z4HHJ}Oe7Pd
ztrYzT*KA<OBv8-2zZ%FGiUZaU&?CnawhC93%$?zx1vRVM8oJ_Q4h}k)&=>TPhc`m5
z2vOb8zI<<XsE9ogRu-{_jGkGSkTu5qL@js+E+$;{B+5pHGFOOX)wQ<aw$qj6X;5qk
z@zkNDyH)vEMp{kv4Iym>v&^>n$;=@(ZMO2Luj6djuKJ3tYidyC=BnP$AlBw~uwFYF
zVR(|8D^AD8^_|FQ2NE>uVr_w+re|utLAL)ge#jr{46nlX*EcDiM$E2tquSkA!gu)W
z)}&iyH0YLe8s<uRqOVx(k@T$cmMS9{bLbt5B=xROikY6Vy_RRh7!-?nBv<!3-HhfZ
zk!Y0>g@@P+f3FQx#&e_9C@<3ofs@QlkJ_*eP>*M6O$K(b6t#hBd1(rJFLlSDxhFYa
z)Qx?;Iz+tP@Q`lNDjs_vnr1RY9W|C_l?kaFJduWH!Ax4JL)31P`;wK($)p`B+V(@L
zN?$ZsN#-{Jj9TKMc1|QMuk7}84+&0qxNT=42QQ5oVg9Ws9!^IKiT347ns&_h(&k#?
z#zQCOM%1u$g|*a3Fn~NKvjW?@yAajLxl%MZG$4Ii;W0bToZ4g;i_zz5R7d;p2$*dE
z%47Q6FWi$Hmgv?D453>$m|D^ki!@AMs^=>@2<9i2(%5yTXV3WJaqSqhYY!gT6FG-^
zw|YWE6(*qt;D*%$OQPfi=;&>Et0mc(yxbDwfiev@WztgzYM0CT4dAJ<bOkABd05s%
zM9dsSJQBA^dQdp=5!W5?>pJVipv71a4~q?H7BM;9d_u^2*@s7c1BswIujut>>u{hU
zktyU^VR#y6i>yaNs(S-wdT}d*FbJCx0fOx~@Ebj#a}mb_dNff#k)%Q<XG<GWZ22@E
zlM=J8ZMwBiv2oRMXC;mceHJTg2rYXn-GwZNMWn<Uu2v)Dk~I>UaDFI}8W6f8;nQC&
zWBIFKoOh+MNy!FCUEo~DQb0?4dp!JUr?s+(K%H>1IXhdEqb!k2mjoUP*)q7TIHsE#
z>;lH%9+90#({P5OD)F8olR$EX$hLD3+3T~}IIcyaaF6aW>PQpPjp)PI*>a>ti-@T#
zp2zmi(pj84B_5rP&?vLrb&tl%dHQmnAQHy=q~+c$ce+tDf=B4oKiHHS!`#J5Q|;>q
zwA4sURkSQa;?ot&1i~#DQdz*#BNBS)c3PTX1G4Ke&b~la&;p;EQft5jmn$U3Han59
z$V<XPcM7$$S#@ePH^Y3WJGoLCGhC0G<O%!6OmiZPz|tde#Nc>ZqA;~F8K?h+szn-K
zEul;uUJn8*?!b{nvizTft%w(NV=L+#z`3S)A=xZOJF#ZgOhx>EJ%YrT87E@(-b!T>
z&pt@-g+^=J5H(ZvNRyj@YmAT>95*)IzGA6eTDwgE-$B%bu;k)W9-}@6#-x-eZ=$%j
zA;3U=-C?5t7{P3=+&Ja2caU#Lpv0UgXBO%;_$qa5((z1A@&ep8;X4UB>@W>E+FoTT
zvvZ!rQxIZO@JD$(J%Y!&C-f<a6d&S1oLM@cZmtWbbFx6=;G=%4r`gp?U0%V$5B0?6
z6?8hth?sBJ6`>*1B?e=sIx<3)w67Y;ry9hdeEmVDTA!_`ZN&Qrc69CR#8HH9#gSyu
zEusn`ypi?iuFiLJcCzmWotTI8kUlkcFJ+=2QY~#g2(M_p>d#}w+U`yy>qd5&A+sfE
zHEM>N#n+?U<;jj&zBvFR)%~G2DH1Ma{hV4EjKK-G1zJA4YMqL!y8oABY+nSrig88F
zlBVCiUp8AZp=)sywg&ke9;U~G{o+e8z42_h*sC7Dsw>6T7$dEX%a|n+(c-P}4KK+j
zF`x&5fUrVzfxg~X8r{q><;U!W&759&NT;?Cp#f!qIRUl6cqLU)zl5q;C%qyb94Hp>
zjVKL;b#)e<Fl~p#E6zJ0+0sO|T#V-@5W(TNP$kptG+Wlk`OPi64PfP?cNU|Uj2At$
z28aygktXC`1zo{BnK%IZ)k%ZS_)Zq*TChp9jOU&p8W>C3*o4p_6I65}ddDFX;?+t#
zSc)?`cVv!MB&#4*u@uW=LAt(Jl2N<oM@pp?&NnnlhtH8Z9mQgP>CuyTf36`(+gn-E
z+tPC{jPUfRARA{j(i_#(b^TBcK$)}%UA=WGs6}8`97RLhJNe`pdLndc%WB9=@l{tm
znx4$d;fM^0?jJqKsE9fkwNMvy`f4K@)cOVsM~Wa(Z!d|!{+%6o#-ZO;2zyN&T(9_e
z20H8K1lUYKbr@Hf8SsJrNWkDwyFX1fmYAp@sh!?PFDs}bV>p({2AxCl&6G>9O^|2M
z1eMc1i3!xPngRM?f@i`np!0AYVnl=VL25eU78=fK(Qy}D3<_DI(O|@$Kj`dT9%W2o
zGD%phYk^p~WKX-g2RoP2r{K8c5!E@U2e+WH8&4fgV(CP+z>dCP`jSILEu(-&YRQ&l
zSSFrt7rrV4y{_z5)&AQhL<9eZFmbzn^E6>5*r7nvXd7q3^>)cMx^~=&MOssJ$Q@~~
zCA%zRu*}u)0S54t10p`~CYrFvl*GB>e_bepJ%)xda@w3&XrTg`S(v`o3OCb`815M!
zQIv(#rP}TlOGmz>IY{#ci0{>RaC)hSiK0ma<JDZ7RIVHGrAI!Nb!lHNi$g+GU{hT|
zCSS%9po-AwQg)qqL{DqhqR3SO3Vw%)hxFjeC0Y~d^~r4+Y*{KT5SMYnzxr`nCaiuF
z7vG3U%ZWHn;w&km&t!VYh&CG^ED(DK3^xmvGxfDAT`p)Epq8|;86l5_!Zl^8NR>w;
zQC-fv4RQ5BoSDhVnW@7JA$oHW(Yh=M5~o@$ExE_~&LGi-C$H);ndEdllHCnjDhDR;
z)h=AI^67QlKVgd%mrFrQ0lSBm_Kw~Q<f|8Uhc9xqsPq@)vO$a7jmwjJE!hJF@Utrd
z6)i!cP`(~rcN3wk9Ou(gfuBnGYS5x_LQ55!)1XCsF3O5o+2*#y<NUVlI3mv4oz<|f
z%~}or{N@bEz&$;IaHC}mI}~|q(N>Hj_ESMi22YOQP|v?u{{MG91=Zy%_WZelVAI+V
zcLA<?30`TJ+B?6FU%Nj8pI(IjUVmt9h`S&dBG9aNOK*oRebi6#do9WO)wQAGRo3_K
z`74OG#`;~r{^NJQD|-9yUmF4mg7*_RSMP$rzlZPN(<dDC;lt7R@Ac=_hPVrYIRbyq
zit_Uc(s!?ak`Uo_IsVH}IC%a2M})Wwg8d}?O@qQ3ZiA~p`@4kv<)cEW9+de*5(o8e
zNq%p~uk!nhFC^+Ovi>6LhpgWyKjA?5i%y+i>gZ65Qlb>RhV^}^{l@;^gmS6hLAq(y
zpJx4#`jgAc@xQVD?Z8AQ{P~JtzA40AfU91#j(xIsX)F19J8qKo7g>Li^{4s!8eWGm
ze(Td-?`fz%bwa2GQzuyYbGOzr@OoAn1oz-Wvi&N5x4QZvt9PUm^4ci>4C}l8{dexC
zSpU-5dW&f$AHRIEq5k7|5LI4}Z#Tt1f4tt--WuC~5GB%rw?CJ*`g3Wk|D$VaRrQ09
zpQCg5AivS%S~}uqu@)WiGppZ7@ArOv9MtmLg<ijj^_%{e^`Astk>Bf|#QG=w5A{(+
zU*E^O*q+yKX8mT?pQrlWK3#6NgQrn9+5Y0Q*8jz4t^ZD^jp5Df`}LWI`oW^r4;HPy
z|Bm8n^`CF3?|;|j$)8*ObG;(3-mb&H!3V*-{{er`BzVs1&z$a*c5SY|4St7v>3^yL
z_xkG_aH>=5NRj*=Pp$0)?OWbv8b87-u&m)$`MB*Sst21W|F3r%dMYl5qq6tk{kP1|
TmD*2jvG%v(_gs>%#`gaok@Dd;


From a521cd7abdea70455b4a19fd845dbbf9f105b875 Mon Sep 17 00:00:00 2001
From: Thog <thog92@hotmail.fr>
Date: Wed, 17 May 2017 23:56:38 +0200
Subject: [PATCH 189/317] Cygwin support

---
 ctrtool/Makefile | 28 ++++++++++++++--------------
 ctrtool/oschar.c |  2 ++
 ctrtool/utils.h  |  2 +-
 makerom/Makefile | 26 ++++++++++++++------------
 makerom/oschar.c |  2 ++
 5 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 7a534c98..55bc16b2 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -8,25 +8,25 @@ CXXFLAGS = -I.
 CFLAGS = -O2 -Wall -Wno-unused-variable  -Wno-unused-result -I. -std=c99
 CC = gcc
 CXX = g++
-ifeq ($(OS),Windows_NT)
-    #Windows Build CFG
+SYS := $(shell gcc -dumpmachine)
+ifneq (, $(findstring linux, $(SYS)))
+    # Linux
     CFLAGS += -Wno-unused-but-set-variable
-    LIBS += -static-libgcc -static-libstdc++
+else ifneq(, $(findstring cygwin, $(SYS)))
+    # Cygwin
+    CFLAGS += -Wno-unused-but-set-variable -DUSE_FILE32API
+    LIBS += -liconv
+else ifneq(, $(findstring darwin, $(SYS)))
+    # OS X
+    LIBS += -liconv
 else
-    UNAME_S := $(shell uname -s)
-    ifeq ($(UNAME_S),Darwin)
-        # OS X
-        CFLAGS +=
-        LIBS += -liconv
-    else
-        # Linux
-        CFLAGS += -Wno-unused-but-set-variable
-        LIBS +=
-    endif
+    #Windows Build CFG
+    CFLAGS += -Wno-unused-but-set-variable
+    LIBS += -static-libgcc
 endif
 
 main: $(OBJS)
-	$(CXX) -o $(OUTPUT) $(LIBS) $(OBJS)
+	$(CXX) -o $(OUTPUT) $(OBJS) $(LIBS)
 
 clean:
 	rm -rf $(OUTPUT) $(OBJS)
diff --git a/ctrtool/oschar.c b/ctrtool/oschar.c
index f850ef38..b712ff21 100644
--- a/ctrtool/oschar.c
+++ b/ctrtool/oschar.c
@@ -1,6 +1,8 @@
 #include <stdlib.h>
 #ifndef _WIN32
+#ifndef __CYGWIN__
 #define LIBICONV_PLUG
+#endif
 #include <iconv.h>
 #endif
 #include "oschar.h"
diff --git a/ctrtool/utils.h b/ctrtool/utils.h
index 990d900b..eb68fcbc 100644
--- a/ctrtool/utils.h
+++ b/ctrtool/utils.h
@@ -46,7 +46,7 @@ inline int fseeko64(FILE *__stream, long long __off, int __whence)
 {
 	return _fseeki64(__stream, __off, __whence);
 }
-#elif __APPLE__
+#elif __APPLE__ || __CYGWIN__
     #define fseeko64 fseek // OS X file I/O is 64bit
 #elif __linux__
     extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence);
diff --git a/makerom/Makefile b/makerom/Makefile
index fd0832ff..f7ae6262 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -5,22 +5,24 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 # Compiler Settings
 CFLAGS = --std=gnu99 -O2 -Wall -Wno-unused-value -Wno-unused-result -I.
 CC = gcc
-ifeq ($(OS),Windows_NT)
+
+SYS := $(shell gcc -dumpmachine)
+ifneq (, $(findstring linux, $(SYS)))
+    # Linux
+    CFLAGS += -Wno-unused-but-set-variable
+else ifneq(, $(findstring cygwin, $(SYS)))
+    # Cygwin
+    CFLAGS += -Wno-unused-but-set-variable
+    LIBS += -liconv
+else ifneq(, $(findstring darwin, $(SYS)))
+    # OS X
+    LIBS += -liconv
+else
     #Windows Build CFG
     CFLAGS += -Wno-unused-but-set-variable
     LIBS += -static-libgcc
-else
-    UNAME_S := $(shell uname -s)
-    ifeq ($(UNAME_S),Darwin)
-        # OS X
-        LIBS += -liconv
-    else
-        # Linux
-        CFLAGS += -Wno-unused-but-set-variable
-    endif
 endif
 
-
 # MAKEROM Build Settings
 OUTPUT = makerom
 
@@ -29,7 +31,7 @@ main: build
 rebuild: clean build
 
 build: $(OBJS)
-	$(CC) -o $(OUTPUT) $(LIBS) $(OBJS)
+	$(CC) -o $(OUTPUT) $(OBJS) $(LIBS)
 
 clean:
 	rm -rf $(OUTPUT) $(OBJS)
\ No newline at end of file
diff --git a/makerom/oschar.c b/makerom/oschar.c
index f850ef38..b712ff21 100644
--- a/makerom/oschar.c
+++ b/makerom/oschar.c
@@ -1,6 +1,8 @@
 #include <stdlib.h>
 #ifndef _WIN32
+#ifndef __CYGWIN__
 #define LIBICONV_PLUG
+#endif
 #include <iconv.h>
 #endif
 #include "oschar.h"

From 4c6356122422f59f831db86ae4ec3c5e4a5ce766 Mon Sep 17 00:00:00 2001
From: Michael Scire <SciresM@gmail.com>
Date: Fri, 19 May 2017 08:34:50 -0700
Subject: [PATCH 190/317] ctrtool: Add support for inline decryption

---
 ctrtool/aes_keygen.c | 127 ++++++++++++++++++++++++++++++++++
 ctrtool/aes_keygen.h |   8 +++
 ctrtool/cia.c        |   4 +-
 ctrtool/exefs.c      |  34 ++++------
 ctrtool/exefs.h      |   3 +-
 ctrtool/exheader.c   |  18 -----
 ctrtool/exheader.h   |   1 -
 ctrtool/keyset.cpp   | 125 +++++++++++++++++++++++++---------
 ctrtool/keyset.h     |  22 +++---
 ctrtool/main.c       |  28 ++++++--
 ctrtool/ncch.c       | 157 ++++++++++++++++++++++++++++++++++++-------
 ctrtool/ncch.h       |  15 +++++
 ctrtool/settings.c   |  55 +++++++++------
 ctrtool/settings.h   |   8 ++-
 ctrtool/tik.c        |  24 +++++--
 ctrtool/tik.h        |   2 +-
 ctrtool/types.h      |   1 +
 17 files changed, 493 insertions(+), 139 deletions(-)
 create mode 100644 ctrtool/aes_keygen.c
 create mode 100644 ctrtool/aes_keygen.h

diff --git a/ctrtool/aes_keygen.c b/ctrtool/aes_keygen.c
new file mode 100644
index 00000000..d8bda853
--- /dev/null
+++ b/ctrtool/aes_keygen.c
@@ -0,0 +1,127 @@
+#include "aes_keygen.h"
+
+// 128bit wrap-around math
+int32_t wrap_index(int32_t i)
+{
+	return i < 0 ? ((i % 16) + 16) % 16 : (i > 15 ? i % 16 : i);
+}
+
+void n128_rrot(const uint8_t *in, uint32_t rot, uint8_t *out)
+{
+	uint32_t bit_shift, byte_shift;
+
+	rot = rot % 128;
+	byte_shift = rot / 8;
+	bit_shift = rot % 8;
+
+	for (int32_t i = 0; i < 16; i++) {
+		out[i] = (in[wrap_index(i - byte_shift)] >> bit_shift) | (in[wrap_index(i - byte_shift - 1)] << (8 - bit_shift));
+	}
+
+}
+
+void n128_lrot(const uint8_t *in, uint32_t rot, uint8_t *out)
+{
+	uint32_t bit_shift, byte_shift;
+
+	rot = rot % 128;
+	byte_shift = rot / 8;
+	bit_shift = rot % 8;
+
+	for (int32_t i = 0; i < 16; i++) {
+		out[i] = (in[wrap_index(i + byte_shift)] << bit_shift) | (in[wrap_index(i + byte_shift + 1)] >> (8 - bit_shift));
+	}
+}
+
+/* out = a + b
+*/
+void n128_add(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	uint8_t carry = 0;
+	uint32_t sum = 0;
+
+	for (int i = 15; i >= 0; i--) {
+		sum = a[i] + b[i] + carry;
+		carry = sum >> 8;
+		out[i] = sum & 0xff;
+	}
+
+	while (carry != 0) {
+		for (int i = 15; i >= 0; i--) {
+			sum = out[i] + carry;
+			carry = sum >> 8;
+			out[i] = sum & 0xff;
+		}
+	}
+}
+
+/* out = a - b
+*/
+void n128_sub(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	uint8_t carry = 0;
+	uint32_t sum = 0;
+
+	for (int i = 15; i >= 0; i--) {
+		sum = a[i] - (b[i] + carry);
+
+		// check to see if anything was borrowed from next byte
+		if (a[i] < (b[i] + carry)) {
+			sum += 0x100;
+			carry = 1;
+		}
+		else {
+			carry = 0;
+		}
+
+		// set value
+		out[i] = sum & 0xff;
+	}
+
+
+	while (carry != 0) {
+		for (int i = 15; i >= 0; i--) {
+			sum = out[i] - carry;
+
+			// check to see if anything was borrowed from next byte
+			if (out[i] < carry) {
+				sum += 0x100;
+				carry = 1;
+			}
+			else {
+				carry = 0;
+			}
+
+			out[i] = sum & 0xff;
+		}
+	}
+
+}
+
+void n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	for (int i = 0; i < 16; i++) {
+		out[i] = a[i] ^ b[i];
+	}
+}
+
+// keygen algorithm
+void ctr_aes_keygen(const uint8_t *x, const uint8_t *y, uint8_t *key)
+{
+	static const uint8_t KEYGEN_CONST[16] = { 0x1F, 0xF9, 0xE9, 0xAA, 0xC5, 0xFE, 0x04, 0x08, 0x02, 0x45, 0x91, 0xDC, 0x5D, 0x52, 0x76, 0x8A };
+
+	// overall algo:
+	// key = (((x <<< 2) ^ y) + KEYGEN_CONST) >>> 41
+	uint8_t x_rot[16], key_xy[16], key_xyc[16];
+
+	// x_rot = x <<< 2
+	n128_lrot(x, 2, x_rot);
+
+	// key_xy = x_rot ^ y
+	n128_xor(x_rot, y, key_xy);
+
+	// key_xyc = key_xy + KEYGEN_CONST
+	n128_add(key_xy, KEYGEN_CONST, key_xyc);
+
+	n128_rrot(key_xyc, 41, key);
+}
\ No newline at end of file
diff --git a/ctrtool/aes_keygen.h b/ctrtool/aes_keygen.h
new file mode 100644
index 00000000..dae87a3c
--- /dev/null
+++ b/ctrtool/aes_keygen.h
@@ -0,0 +1,8 @@
+#pragma once
+#include <stdint.h>
+
+/*
+	AES Key generator for the Nintendo 3DS (CTR) Consoles
+*/
+
+void ctr_aes_keygen(const uint8_t *x, const uint8_t *y, uint8_t *key);
diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index bf757557..4723c709 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -214,8 +214,8 @@ void cia_process(cia_context* ctx, u32 actions)
 
 	
 
-	if (settings_get_common_key(ctx->usersettings))
-		tik_get_decrypted_titlekey(&ctx->tik, ctx->titlekey);
+	if (settings_get_common_keyX(ctx->usersettings))
+		tik_get_titlekey(&ctx->tik, ctx->titlekey);
 	else if(settings_get_title_key(ctx->usersettings))
 		memcpy(ctx->titlekey, settings_get_title_key(ctx->usersettings), 16);
 		
diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index e732e4cb..150a405d 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -48,9 +48,10 @@ void exefs_set_encrypted(exefs_context* ctx, u32 encrypted)
 	ctx->encrypted = encrypted;
 }
 
-void exefs_set_key(exefs_context* ctx, u8 key[16])
+void exefs_set_keys(exefs_context* ctx, u8 key[16], u8 special_key[16])
 {
 	memcpy(ctx->key, key, 16);
+	memcpy(ctx->special_key, special_key, 16);
 }
 
 void exefs_set_counter(exefs_context* ctx, u8 counter[16])
@@ -58,22 +59,6 @@ void exefs_set_counter(exefs_context* ctx, u8 counter[16])
 	memcpy(ctx->counter, counter, 16);
 }
 
-void exefs_determine_key(exefs_context* ctx, u32 actions)
-{
-	u8* key = settings_get_ncch_key(ctx->usersettings);
-
-	if (actions & PlainFlag)
-		ctx->encrypted = 0;
-	else
-	{
-		if (key)
-		{
-			ctx->encrypted = 1;
-			memcpy(ctx->key, key, 0x10);
-		}
-	}
-}
-
 void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 {
 	exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + index);
@@ -146,8 +131,14 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 			goto clean;
 		}
 
-		if (ctx->encrypted)
+		if (ctx->encrypted) {
+			// .code and .firm use a special key on 7.0+
+			if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
+				ctr_init_key(&ctx->aes, ctx->special_key);
 			ctr_crypt_counter(&ctx->aes, compressedbuffer, compressedbuffer, compressedsize);
+			if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
+				ctr_init_key(&ctx->aes, ctx->key);
+		}
 
 
 		decompressedsize = lzss_get_decompressed_size(compressedbuffer, compressedsize);
@@ -228,8 +219,6 @@ void exefs_process(exefs_context* ctx, u32 actions)
 {
 	u32 i;
 
-	exefs_determine_key(ctx, actions);
-
 	exefs_read_header(ctx, actions);
 
 	if (actions & VerifyFlag)
@@ -272,7 +261,10 @@ int exefs_verify(exefs_context* ctx, u32 index, u32 flags)
 		return 0;
 
 	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	ctr_init_key(&ctx->aes, ctx->key);
+	if (index == 0 && (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES))
+		ctr_init_key(&ctx->aes, ctx->special_key);
+	else
+		ctr_init_key(&ctx->aes, ctx->key);
 	ctr_init_counter(&ctx->aes, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
diff --git a/ctrtool/exefs.h b/ctrtool/exefs.h
index 28afffb6..16e6152e 100644
--- a/ctrtool/exefs.h
+++ b/ctrtool/exefs.h
@@ -30,6 +30,7 @@ typedef struct
 	u8 partitionid[8];
 	u8 counter[16];
 	u8 key[16];
+	u8 special_key[16];
 	u64 offset;
 	u64 size;
 	exefs_header header;
@@ -48,7 +49,7 @@ void exefs_set_usersettings(exefs_context* ctx, settings* usersettings);
 void exefs_set_partitionid(exefs_context* ctx, u8 partitionid[8]);
 void exefs_set_counter(exefs_context* ctx, u8 counter[16]);
 void exefs_set_compressedflag(exefs_context* ctx, int compressedflag);
-void exefs_set_key(exefs_context* ctx, u8 key[16]);
+void exefs_set_keys(exefs_context* ctx, u8 key[16], u8 special_key[16]);
 void exefs_set_encrypted(exefs_context* ctx, u32 encrypted);
 void exefs_read_header(exefs_context* ctx, u32 flags);
 void exefs_calculate_hash(exefs_context* ctx, u8 hash[32]);
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 4a96f0f1..21473de0 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -70,22 +70,6 @@ void exheader_set_key(exheader_context* ctx, u8 key[16])
 }
 
 
-void exheader_determine_key(exheader_context* ctx, u32 actions)
-{
-	u8* key = settings_get_ncch_key(ctx->usersettings);
-
-	if (actions & PlainFlag)
-		ctx->encrypted = 0;
-	else
-	{
-		if (key)
-		{
-			ctx->encrypted = 1;
-			memcpy(ctx->key, key, 0x10);
-		}
-	}
-}
-
 void exheader_read(exheader_context* ctx, u32 actions)
 {
 	if (ctx->haveread == 0)
@@ -183,8 +167,6 @@ void exheader_deserialise_arm11localcaps_permissions(exheader_arm11systemlocalca
 
 int exheader_process(exheader_context* ctx, u32 actions)
 {
-	exheader_determine_key(ctx, actions);
-
 	exheader_read(ctx, actions);
 
 	if (ctx->header.codesetinfo.flags.flag & 1)
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index 9ac656f0..09f751ea 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -198,6 +198,5 @@ void exheader_print(exheader_context* ctx, u32 actions);
 void exheader_verify(exheader_context* ctx);
 int exheader_hash_valid(exheader_context* ctx);
 int exheader_programid_valid(exheader_context* ctx);
-void exheader_determine_key(exheader_context* ctx, u32 actions);
 
 #endif // _EXHEADER_H_
diff --git a/ctrtool/keyset.cpp b/ctrtool/keyset.cpp
index f11e185d..0341cbe5 100644
--- a/ctrtool/keyset.cpp
+++ b/ctrtool/keyset.cpp
@@ -33,9 +33,57 @@ static unsigned char hextobin(char c)
 	return 0;
 }
 
-void keyset_init(keyset* keys)
+void keyset_init(keyset* keys, u32 actions)
 {
+	const key128 defaultkeys_retail[] = {
+		// common keyX
+		{{0x61, 0x70, 0x85, 0x71, 0x9b, 0x7c, 0xfb, 0x31, 0x6d, 0xf4, 0xdf, 0x2e, 0x83, 0x62, 0xc6, 0xe2}, 1},
+		// fixed system key - unknown if used/correct?
+		{{0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}, 1},
+		// NCCH 0x2c keyX
+		{{0xb9, 0x8e, 0x95, 0xce, 0xca, 0x3e, 0x4d, 0x17, 0x1f, 0x76, 0xa9, 0x4d, 0xe9, 0x34, 0xc0, 0x53}, 1},
+		// NCCH 0x25 keyX 7.x
+		{{0xce, 0xe7, 0xd8, 0xab, 0x30, 0xc0, 0x0d, 0xae, 0x85, 0x0e, 0xf5, 0xe3, 0x82, 0xac, 0x5a, 0xf3}, 1},
+		// NCCH 0x18 keyX N9.3
+		{{0x82, 0xe9, 0xc9, 0xbe, 0xbf, 0xb8, 0xbd, 0xb8, 0x75, 0xec, 0xc0, 0xa0, 0x7d, 0x47, 0x43, 0x74}, 1},
+		// NCCH 0x1B keyX N9.6
+		{{0x45, 0xad, 0x04, 0x95, 0x39, 0x92, 0xc7, 0xc8, 0x93, 0x72, 0x4a, 0x9a, 0x7b, 0xce, 0x61, 0x82}, 1}
+	};
+	const key128 defaultkeys_dev[] = {
+		// common keyX
+		{{0xbd, 0x4f, 0xe7, 0xe7, 0x33, 0xc7, 0x55, 0xfc, 0xe7, 0x54, 0x0e, 0xab, 0xbd, 0x8a, 0xc3, 0x0d}, 1},
+		// fixed system key
+		{{0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}, 1},
+		// NCCH 0x2c keyX
+		{{0x51, 0x02, 0x07, 0x51, 0x55, 0x07, 0xcb, 0xb1, 0x8e, 0x24, 0x3d, 0xcb, 0x85, 0xe2, 0x3a, 0x1d}, 1},
+		// NCCH 0x25 keyX 7.x
+		{{0x81, 0x90, 0x7a, 0x4b, 0x6f, 0x1b, 0x47, 0x32, 0x3a, 0x67, 0x79, 0x74, 0xce, 0x4a, 0xd7, 0x1b}, 1},
+		// NCCH 0x18 keyX N9.3
+		{{0x30, 0x4b, 0xf1, 0x46, 0x83, 0x72, 0xee, 0x64, 0x11, 0x5e, 0xbd, 0x40, 0x93, 0xd8, 0x42, 0x76}, 1},
+		// NCCH 0x1B keyX N9.6
+		{{0x6c, 0x8b, 0x29, 0x44, 0xa0, 0x72, 0x60, 0x35, 0xf9, 0x41, 0xdf, 0xc0, 0x18, 0x52, 0x4f, 0xb6}, 1}
+	};
+
 	memset(keys, 0, sizeof(keyset));
+
+	if (actions & PlainFlag)
+		return;
+
+	if (!(actions & DevFlag)) {
+		memcpy(&keys->commonkeyX, &defaultkeys_retail[0], sizeof(key128));
+		memcpy(&keys->ncchfixedsystemkey, &defaultkeys_retail[1], sizeof(key128));
+		memcpy(&keys->ncchkeyX_old, &defaultkeys_retail[2], sizeof(key128));
+		memcpy(&keys->ncchkeyX_seven, &defaultkeys_retail[3], sizeof(key128));
+		memcpy(&keys->ncchkeyX_ninethree, &defaultkeys_retail[4], sizeof(key128));
+		memcpy(&keys->ncchkeyX_ninesix, &defaultkeys_retail[5], sizeof(key128));
+	} else {
+		memcpy(&keys->commonkeyX, &defaultkeys_dev[0], sizeof(key128));
+		memcpy(&keys->ncchfixedsystemkey, &defaultkeys_dev[1], sizeof(key128));
+		memcpy(&keys->ncchkeyX_old, &defaultkeys_dev[2], sizeof(key128));
+		memcpy(&keys->ncchkeyX_seven, &defaultkeys_dev[3], sizeof(key128));
+		memcpy(&keys->ncchkeyX_ninethree, &defaultkeys_dev[4], sizeof(key128));
+		memcpy(&keys->ncchkeyX_ninesix, &defaultkeys_dev[5], sizeof(key128));
+	}
 }
 
 int keyset_load_key(TiXmlHandle node, unsigned char* key, unsigned int size, int* valid)
@@ -158,9 +206,12 @@ int keyset_load(keyset* keys, const char* fname, int verbose)
 	keyset_load_rsakey2048(root.FirstChild("ncchrsakey"), &keys->ncchrsakey);
 	keyset_load_rsakey2048(root.FirstChild("ncchdescrsakey"), &keys->ncchdescrsakey);
 	keyset_load_rsakey2048(root.FirstChild("firmrsakey"), &keys->firmrsakey);
-	keyset_load_key128(root.FirstChild("commonkey"), &keys->commonkey);
-	keyset_load_key128(root.FirstChild("ncchkey"), &keys->ncchkey);
+	keyset_load_key128(root.FirstChild("commonkeyx"), &keys->commonkeyX);
 	keyset_load_key128(root.FirstChild("ncchfixedsystemkey"), &keys->ncchfixedsystemkey);
+	keyset_load_key128(root.FirstChild("ncchkeyxold"), &keys->ncchkeyX_old);
+	keyset_load_key128(root.FirstChild("ncchkeyxseven"), &keys->ncchkeyX_seven);
+	keyset_load_key128(root.FirstChild("ncchkeyxninethree"), &keys->ncchkeyX_ninethree);
+	keyset_load_key128(root.FirstChild("ncchkeyxninesix"), &keys->ncchkeyX_ninesix);
 
 
 	return 1;
@@ -169,14 +220,21 @@ int keyset_load(keyset* keys, const char* fname, int verbose)
 
 void keyset_merge(keyset* keys, keyset* src)
 {
-	if (src->ncchkey.valid)
-		keyset_set_key128(&keys->ncchkey, src->ncchkey.data);
-	if (src->ncchfixedsystemkey.valid)
-		keyset_set_key128(&keys->ncchfixedsystemkey, src->ncchfixedsystemkey.data);
-	if (src->commonkey.valid)
-		keyset_set_key128(&keys->commonkey, src->commonkey.data);
-	if (src->titlekey.valid)
-		keyset_set_key128(&keys->titlekey, src->titlekey.data);
+#define COPY_IF_VALID(v) do {\
+	if (src->v.valid && !keys->v.valid)\
+		keyset_set_key128(&keys->v, src->v.data);\
+} while (0)
+
+	COPY_IF_VALID(titlekey);
+	COPY_IF_VALID(commonkeyX);
+	COPY_IF_VALID(ncchfixedsystemkey);
+	COPY_IF_VALID(ncchkeyX_old);
+	COPY_IF_VALID(ncchkeyX_seven);
+	COPY_IF_VALID(ncchkeyX_ninethree);
+	COPY_IF_VALID(ncchkeyX_ninesix);
+	COPY_IF_VALID(seed);
+
+#undef COPY_IF_VALID
 }
 
 void keyset_set_key128(key128* key, unsigned char* keydata)
@@ -190,44 +248,44 @@ void keyset_parse_key128(key128* key, char* keytext, int keylen)
 	keyset_parse_key(keytext, keylen, key->data, 16, &key->valid);
 }
 
-void keyset_set_commonkey(keyset* keys, unsigned char* keydata)
+void keyset_parse_commonkeyX(keyset* keys, char* keytext, int keylen)
 {
-	keyset_set_key128(&keys->commonkey, keydata);
+	keyset_parse_key128(&keys->commonkeyX, keytext, keylen);
 }
 
-void keyset_parse_commonkey(keyset* keys, char* keytext, int keylen)
+void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen)
 {
-	keyset_parse_key128(&keys->commonkey, keytext, keylen);
+	keyset_parse_key128(&keys->titlekey, keytext, keylen);
 }
 
-void keyset_set_titlekey(keyset* keys, unsigned char* keydata)
+void keyset_parse_ncchkeyX_old(keyset* keys, char* keytext, int keylen)
 {
-	keyset_set_key128(&keys->titlekey, keydata);
+	keyset_parse_key128(&keys->ncchkeyX_old, keytext, keylen);
 }
 
-void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen)
+void keyset_parse_ncchfixedsystemkey(keyset* keys, char* keytext, int keylen)
 {
-	keyset_parse_key128(&keys->titlekey, keytext, keylen);
+	keyset_parse_key128(&keys->ncchfixedsystemkey, keytext, keylen);
 }
 
-void keyset_set_ncchkey(keyset* keys, unsigned char* keydata)
+void keyset_parse_ncchkeyX_seven(keyset* keys, char* keytext, int keylen)
 {
-	keyset_set_key128(&keys->ncchkey, keydata);
+	keyset_parse_key128(&keys->ncchkeyX_seven, keytext, keylen);
 }
 
-void keyset_parse_ncchkey(keyset* keys, char* keytext, int keylen)
+void keyset_parse_ncchkeyX_ninethree(keyset* keys, char* keytext, int keylen)
 {
-	keyset_parse_key128(&keys->ncchkey, keytext, keylen);
+	keyset_parse_key128(&keys->ncchkeyX_ninethree, keytext, keylen);
 }
 
-void keyset_set_ncchfixedsystemkey(keyset* keys, unsigned char* keydata)
+void keyset_parse_ncchkeyX_ninesix(keyset* keys, char* keytext, int keylen)
 {
-	keyset_set_key128(&keys->ncchfixedsystemkey, keydata);
+	keyset_parse_key128(&keys->ncchkeyX_ninesix, keytext, keylen);
 }
 
-void keyset_parse_ncchfixedsystemkey(keyset* keys, char* keytext, int keylen)
+void keyset_parse_seed(keyset* keys, char* keytext, int keylen)
 {
-	keyset_parse_key128(&keys->ncchfixedsystemkey, keytext, keylen);
+	keyset_parse_key128(&keys->seed, keytext, keylen);
 }
 
 void keyset_dump_rsakey(rsakey2048* key, const char* keytitle)
@@ -261,10 +319,17 @@ void keyset_dump_key128(key128* key, const char* keytitle)
 
 void keyset_dump(keyset* keys)
 {
+#define DUMP_KEY(n, s) do {\
+	keyset_dump_key128(&keys->n, (s));\
+} while(0)
 	fprintf(stdout, "Current keyset:          \n");
-	keyset_dump_key128(&keys->ncchkey, "NCCH KEY");
-	keyset_dump_key128(&keys->ncchfixedsystemkey, "NCCH FIXEDSYSTEMKEY");
-	keyset_dump_key128(&keys->commonkey, "COMMON KEY");
+	DUMP_KEY(ncchkeyX_old, "NCCH OLD KEYX");
+	DUMP_KEY(ncchkeyX_seven, "NCCH 7.0 KEYX");
+	DUMP_KEY(ncchkeyX_ninethree, "NCCH N9.3 KEYX");
+	DUMP_KEY(ncchkeyX_ninesix, "NCCH N9.6 KEYX");
+	DUMP_KEY(ncchfixedsystemkey, "NCCH FIXEDSYSTEMKEY");
+	DUMP_KEY(commonkeyX, "COMMON KEYX");
+#undef DUMP_KEY
 
 	keyset_dump_rsakey(&keys->ncsdrsakey, "NCSD RSA KEY");
 	keyset_dump_rsakey(&keys->ncchdescrsakey, "NCCH DESC RSA KEY");
diff --git a/ctrtool/keyset.h b/ctrtool/keyset.h
index 2cf28668..5f71d907 100644
--- a/ctrtool/keyset.h
+++ b/ctrtool/keyset.h
@@ -42,27 +42,31 @@ typedef struct
 
 typedef struct
 {
-	key128 commonkey;
 	key128 titlekey;
-	key128 ncchkey;
+	key128 seed;
+	key128 commonkeyX;
 	key128 ncchfixedsystemkey;
+	key128 ncchkeyX_old;
+	key128 ncchkeyX_seven;
+	key128 ncchkeyX_ninethree;
+	key128 ncchkeyX_ninesix;
 	rsakey2048 ncsdrsakey;
 	rsakey2048 ncchrsakey;
 	rsakey2048 ncchdescrsakey;
 	rsakey2048 firmrsakey;
 } keyset;
 
-void keyset_init(keyset* keys);
+void keyset_init(keyset* keys, u32 actions);
 int keyset_load(keyset* keys, const char* fname, int verbose);
 void keyset_merge(keyset* keys, keyset* src);
-void keyset_set_commonkey(keyset* keys, unsigned char* keydata);
-void keyset_parse_commonkey(keyset* keys, char* keytext, int keylen);
-void keyset_set_titlekey(keyset* keys, unsigned char* keydata);
+void keyset_parse_commonkeyX(keyset* keys, char* keytext, int keylen);
 void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen);
-void keyset_set_ncchkey(keyset* keys, unsigned char* keydata);
-void keyset_parse_ncchkey(keyset* keys, char* keytext, int keylen);
-void keyset_set_ncchfixedsystemkey(keyset* keys, unsigned char* keydata);
+void keyset_parse_ncchkeyX_old(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchfixedsystemkey(keyset* keys, char* keytext, int keylen);
+void keyset_parse_ncchkeyX_seven(keyset* keys, char* keytext, int keylen);
+void keyset_parse_ncchkeyX_ninethree(keyset* keys, char* keytext, int keylen);
+void keyset_parse_ncchkeyX_ninesix(keyset* keys, char* keytext, int keylen);
+void keyset_parse_seed(keyset* keys, char* keytext, int keylen);
 void keyset_dump(keyset* keys);
 
 #ifdef __cplusplus
diff --git a/ctrtool/main.c b/ctrtool/main.c
index dd8ef88f..393d272d 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -52,11 +52,13 @@ static void usage(const char *argv0)
 		   "  -k, --keyset=file  Specify keyset file.\n"
 		   "  -v, --verbose      Give verbose output.\n"
 		   "  -y, --verify       Verify hashes and signatures.\n"
+		   "  -d, --dev          Decrypt with development keys instead of retail.\n"
 		   "  --unitsize=size    Set media unit size (default 0x200).\n"
 		   "  --commonkey=key    Set common key.\n"
 		   "  --titlekey=key     Set tik title key.\n"
 		   "  --ncchkey=key      Set ncch key.\n"
 		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
+		   "  --seed=key         Set seed for ncch seed crypto.\n"
 		   "  --showkeys         Show the keys being used.\n"
 		   "  --showsyscalls     Show system call names instead of numbers.\n"
 		   "  -t, --intype=type	 Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
@@ -109,8 +111,7 @@ int main(int argc, char* argv[])
 	ctx.filetype = FILETYPE_UNKNOWN;
 
 	settings_init(&ctx.usersettings);
-	keyset_init(&ctx.usersettings.keys);
-	keyset_init(&tmpkeys);
+	keyset_init(&tmpkeys, 0);
 
 
 	while (1) 
@@ -137,8 +138,8 @@ int main(int argc, char* argv[])
 			{"raw", 0, NULL, 'r'},
 			{"unitsize", 1, NULL, 9},
 			{"showkeys", 0, NULL, 10},
-			{"commonkey", 1, NULL, 11},
-			{"ncchkey", 1, NULL, 12},
+			{"commonkeyx", 1, NULL, 11},
+			{"ncchkeyxold", 1, NULL, 12},
 			{"intype", 1, NULL, 't'},
 			{"lzssout", 1, NULL, 13},
 			{"firmdir", 1, NULL, 14},
@@ -152,10 +153,14 @@ int main(int argc, char* argv[])
 			{"titlekey", 1, NULL, 22},
 			{"plainrgn", 1, NULL, 23},
 			{"showsyscalls", 0, NULL, 24},
+			{"ncchkeyxseven", 1, NULL, 25},
+			{"ncchkeyxninethree", 1, NULL, 26},
+			{"ncchkeyxninesix", 1, NULL, 27},
+			{"seed", 1, NULL, 28},
 			{NULL},
 		};
 
-		c = getopt_long(argc, argv, "ryxivpk:n:t:", long_options, &option_index);
+		c = getopt_long(argc, argv, "dryxivpk:n:t:", long_options, &option_index);
 		if (c == -1)
 			break;
 
@@ -173,6 +178,10 @@ int main(int argc, char* argv[])
 				ctx.actions |= VerifyFlag;
 			break;
 
+			case 'd':
+				ctx.actions |= DevFlag;
+			break;
+
 			case 'p':
 				ctx.actions |= PlainFlag;
 			break;
@@ -228,8 +237,8 @@ int main(int argc, char* argv[])
 			case 8: settings_set_exefs_dir_path(&ctx.usersettings, optarg); break;
 			case 9: settings_set_mediaunit_size(&ctx.usersettings, strtoul(optarg, 0, 0)); break;
 			case 10: ctx.actions |= ShowKeysFlag; break;
-			case 11: keyset_parse_commonkey(&tmpkeys, optarg, strlen(optarg)); break;
-			case 12: keyset_parse_ncchkey(&tmpkeys, optarg, strlen(optarg)); break;
+			case 11: keyset_parse_commonkeyX(&tmpkeys, optarg, strlen(optarg)); break;
+			case 12: keyset_parse_ncchkeyX_old(&tmpkeys, optarg, strlen(optarg)); break;
 			case 13: settings_set_lzss_path(&ctx.usersettings, optarg); break;
 			case 14: settings_set_firm_dir_path(&ctx.usersettings, optarg); break;
 			case 15: keyset_parse_ncchfixedsystemkey(&tmpkeys, optarg, strlen(optarg)); break;
@@ -242,6 +251,10 @@ int main(int argc, char* argv[])
 			case 22: keyset_parse_titlekey(&tmpkeys, optarg, strlen(optarg)); break;
 			case 23: settings_set_plainrgn_path(&ctx.usersettings, optarg); break;
 			case 24: ctx.actions |= ShowSyscallsFlag; break;
+			case 25: keyset_parse_ncchkeyX_seven(&tmpkeys, optarg, strlen(optarg)); break;
+			case 26: keyset_parse_ncchkeyX_ninethree(&tmpkeys, optarg, strlen(optarg)); break;
+			case 27: keyset_parse_ncchkeyX_ninesix(&tmpkeys, optarg, strlen(optarg)); break;
+			case 28: keyset_parse_seed(&tmpkeys, optarg, strlen(optarg)); break;
 
 			default:
 				usage(argv[0]);
@@ -259,6 +272,7 @@ int main(int argc, char* argv[])
 		usage(argv[0]);
 	}
 
+	keyset_init(&ctx.usersettings.keys, ctx.actions);
 	keyset_load(&ctx.usersettings.keys, keysetfname, (ctx.actions & VerboseFlag) | checkkeysetfile);
 	keyset_merge(&ctx.usersettings.keys, &tmpkeys);
 	if (ctx.actions & ShowKeysFlag)
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index b553b600..1c9f9ee8 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -6,6 +6,7 @@
 #include "utils.h"
 #include "ctr.h"
 #include "settings.h"
+#include "aes_keygen.h"
 #include <inttypes.h>
 
 static int programid_is_system(u8 programid[8])
@@ -333,6 +334,14 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	ncch_get_counter(ctx, exefscounter, NCCHTYPE_EXEFS);
 	ncch_get_counter(ctx, romfscounter, NCCHTYPE_ROMFS);
 
+	if (actions & ShowKeysFlag)
+	{
+		fprintf(stdout, "Counter(s):\n");
+		memdump(stdout, "  exheader: ", exheadercounter, 0x10);
+		memdump(stdout, "  ExeFS: ", exefscounter, 0x10);
+		memdump(stdout, "  RomFS: ", romfscounter, 0x10);
+	}
+
 
 	exheader_set_file(&ctx->exheader, ctx->file);
 	exheader_set_offset(&ctx->exheader, ncch_get_exheader_offset(ctx) );
@@ -351,7 +360,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	exefs_set_partitionid(&ctx->exefs, ctx->header.partitionid);
 	exefs_set_usersettings(&ctx->exefs, ctx->usersettings);
 	exefs_set_counter(&ctx->exefs, exefscounter);
-	exefs_set_key(&ctx->exefs, ctx->key);
+	exefs_set_keys(&ctx->exefs, ctx->key, ctx->special_key);
 	exefs_set_encrypted(&ctx->exefs, ctx->encrypted);
 
 	romfs_set_file(&ctx->romfs, ctx->file);
@@ -359,7 +368,10 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	romfs_set_size(&ctx->romfs, ncch_get_romfs_size(ctx));
 	romfs_set_usersettings(&ctx->romfs, ctx->usersettings);
 	romfs_set_counter(&ctx->romfs, romfscounter);
-	romfs_set_key(&ctx->romfs, ctx->key);
+	if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
+		romfs_set_key(&ctx->romfs, ctx->special_key);
+	else
+		romfs_set_key(&ctx->romfs, ctx->key);
 	romfs_set_encrypted(&ctx->romfs, ctx->encrypted);
 
 	exheader_read(&ctx->exheader, actions);
@@ -371,6 +383,23 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	if (actions & InfoFlag)
 		ncch_print(ctx);		
 
+	if (ctx->encrypted == NCCHCRYPTO_BROKEN)
+	{
+		fprintf(stderr, "Error, NCCH encryption broken.\n");
+		return;
+	}
+
+	if ((actions & ShowKeysFlag) && ctx->encrypted)
+	{
+		fprintf(stdout, "Using key(s):\n");
+		memdump(stdout, "  0x2C: ", ctx->key, 0x10);
+		if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
+		{
+			fprintf(stdout, "  special (%02x): ", ctx->header.flags[3]);
+			memdump(stdout, "", ctx->special_key, 0x10);
+		}
+	}
+
 	if (actions & ExtractFlag)
 	{
 		ncch_save(ctx, NCCHTYPE_EXEFS, actions);
@@ -482,8 +511,12 @@ u64 ncch_get_mediaunit_size(ncch_context* ctx)
 void ncch_determine_key(ncch_context* ctx, u32 actions)
 {
 	exheader_header exheader;
-	u8* key = settings_get_ncch_key(ctx->usersettings);
+	u8* key;
+	u8* seed;
 	ctr_ncchheader* header = &ctx->header;
+	u8 seedbuf[0x20];
+	u8 seedhash[0x20];
+	u8 keyX[0x10], keyY[0x10], seedKeyY[0x10];
 
 	ctx->encrypted = 0;
 	memset(ctx->key, 0, 0x10);
@@ -492,17 +525,58 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 	{
 		ctx->encrypted = 0;
 	} 
-	else if (key != 0)
-	{
-		ctx->encrypted = 1;
-		memcpy(ctx->key, key, 0x10);
-	}
 	else
 	{
 		// No explicit NCCH key defined, so we try to decide
-		
+		// In almost all of these scenarios, the normal 0x2C NCCH keyX will be the default,
+		// except for the old fixedkey crypto, where we'll override it anyway, so let's just
+		// set the 0x2C keyX first.
+		key = settings_get_ncchkeyX_old(ctx->usersettings);
+		if (key)
+			memcpy(keyX, key, 0x10);
+		else
+			fprintf(stderr, "Warning, could not read NCCH base key. Decryption will likely fail.\n");
+
+		// The keyY is normally the beginning of the NCCH header signature. In case seed crypto
+		// changes that, we'll override it below.
+		memcpy(keyY, header->signature, 0x10);
+		memcpy(seedKeyY, keyY, 0x10);
 
-		// Firstly, check if the NCCH is already decrypted, by reading the programid in the exheader
+		// 0x2c crypto is normally used; we override it where necessary
+		ctr_aes_keygen(keyX, keyY, ctx->key);
+
+		// Seed crypto can be used alongside any other crypto type, so we'll need to figure this out early.
+		if (header->flags[7] & 0x20)
+		{
+			ctx->encrypted = NCCHCRYPTO_SEED;
+			seed = settings_get_seed(ctx->usersettings);
+			if (!seed)
+			{
+				fprintf(stderr, "This title uses seed crypto, but no seed is set, unable to decrypt.\n"
+						"Use -p to avoid decryption or use --seed=SEEDHERE to provide the seed.\n");
+				ctx->encrypted = NCCHCRYPTO_BROKEN;
+				return;
+			}
+
+			memcpy(seedbuf, seed, 0x10);
+			// Assumes running on little endian
+			memcpy(seedbuf + 0x10, header->programid, sizeof(header->programid));
+			ctr_sha_256(seedbuf, 0x18, seedhash);
+			if (memcmp(seedhash, header->seedcheck, sizeof(header->seedcheck))) {
+				fprintf(stderr, "Seed check mismatch. (Got: %02x%02x%02x%02x, expected: %02x%02x%02x%02x)\n",
+						seedhash[0], seedhash[1], seedhash[2], seedhash[3],
+						header->seedcheck[0], header->seedcheck[1], header->seedcheck[2], header->seedcheck[3]);
+				ctx->encrypted = NCCHCRYPTO_BROKEN;
+				return;
+			}
+
+			memcpy(seedbuf, header->signature, 0x10);
+			memcpy(seedbuf + 0x10, seed, 0x10);
+			ctr_sha_256(seedbuf, 0x20, seedhash);
+			memcpy(seedKeyY, seedhash, 0x10);
+		}
+
+		// Check if the NCCH is already decrypted, by reading the programid in the exheader
 		// Otherwise, use determination rules
 		fseeko64(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
 		memset(&exheader, 0, sizeof(exheader));
@@ -511,37 +585,74 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 		if (!memcmp(exheader.arm11systemlocalcaps.programid, ctx->header.programid, 8))
 		{
 			// program id's match, so it's probably not encrypted
-			ctx->encrypted = 0;
+			ctx->encrypted = NCCHCRYPTO_NONE;
+			if (!(header->flags[7] & 4))
+				fprintf(stderr, "Warning, exheader seems decrypted but the NCCH says it isn't.\n"
+						"This NCCH will likely break on console.\n");
 		}
-		else if (header->flags[7] & 4)
+		else if (header->flags[7] & 4) // no crypto
 		{
-			ctx->encrypted = 0; // not encrypted
+			ctx->encrypted = NCCHCRYPTO_NONE;
 		}
-		else if (header->flags[7] & 1)
+		else if (header->flags[7] & 1) // fixed key crypto
 		{
+			ctx->encrypted = NCCHCRYPTO_FIXED;
 			if (programid_is_system(header->programid))
 			{
 				// fixed system key
-				ctx->encrypted = 1;
 				key = settings_get_ncch_fixedsystemkey(ctx->usersettings);
-				if (!key)
-					fprintf(stdout, "Warning, could not read system fixed key.\n");
-				else
+				if (!key) {
+					fprintf(stderr, "Error, could not read system fixed key.\n");
+					ctx->encrypted = NCCHCRYPTO_BROKEN;
+				} else {
 					memcpy(ctx->key, key, 0x10);
+				}
 			}
 			else
 			{
 				// null key
-				ctx->encrypted = 1;
 				memset(ctx->key, 0, 0x10);
 			}
 		}
+		else if (header->flags[3] == 0x01) // 7.0 crypto
+		{
+			ctx->encrypted = NCCHCRYPTO_SEVEN;
+			key = settings_get_ncchkeyX_seven(ctx->usersettings);
+			if (!key) {
+				fprintf(stderr, "Error, could not read NCCH 7.0 keyX.\n");
+				return;
+			}
+			ctr_aes_keygen(key, seedKeyY, ctx->special_key);
+		}
+		else if (header->flags[3] == 0x0A) // N9.3 crypto
+		{
+			ctx->encrypted = NCCHCRYPTO_NINETHREE;
+			key = settings_get_ncchkeyX_ninethree(ctx->usersettings);
+			if (!key) {
+				fprintf(stderr, "Error, could not read NCCH 9.3 keyX.\n");
+				return;
+			}
+			ctr_aes_keygen(key, seedKeyY, ctx->special_key);
+		}
+		else if (header->flags[3] == 0x0B) // N9.6 crypto
+		{
+			ctx->encrypted = NCCHCRYPTO_NINESIX;
+			key = settings_get_ncchkeyX_ninesix(ctx->usersettings);
+			if (!key) {
+				fprintf(stderr, "Error, could not read NCCH 9.6 keyX.\n");
+				return;
+			}
+			ctr_aes_keygen(key, seedKeyY, ctx->special_key);
+		}
+		else if (header->flags[3] != 0) // unknown special crypto
+		{
+			fprintf(stderr, "Warning, unknown NCCH crypto method.\n");
+			ctx->encrypted = NCCHCRYPTO_BROKEN;
+		}
 		else
 		{
-			// secure key (cannot decrypt!)
-			fprintf(stdout, "Warning, could not read secure key.\n");
-			ctx->encrypted = 1;
-			memset(ctx->key, 0, 0x10);
+			// old/normal NCCH crypto
+			ctx->encrypted = NCCHCRYPTO_OLD;
 		}
 	}
 }
diff --git a/ctrtool/ncch.h b/ctrtool/ncch.h
index 64dc4901..79f89578 100644
--- a/ctrtool/ncch.h
+++ b/ctrtool/ncch.h
@@ -20,6 +20,19 @@ typedef enum
 	NCCHTYPE_PLAINRGN = 5,
 } ctr_ncchtypes;
 
+typedef enum
+{
+	NCCHCRYPTO_NONE		= 0,		//< already decrypted
+	NCCHCRYPTO_FIXED	= 1,		//< fixed key crypto, used for SDK-made application titles and very very old system titles
+	NCCHCRYPTO_OLD 		= (1<<1),	//< crypto used before 7.0
+	NCCHCRYPTO_SEVEN	= (1<<2),	//< crypto used starting with 7.0
+	NCCHCRYPTO_NINETHREE	= (1<<3),	//< crypto used on N3DS starting with 9.3
+	NCCHCRYPTO_NINESIX	= (1<<4),	//< crypto used on N3DS starting with 9.6
+	NCCHCRYPTO_SEED		= (1<<5),	//< crypto used starting with 9.6 for preloading titles
+	NCCHCRYPTO_SPECIAL_FSES = NCCHCRYPTO_SEVEN | NCCHCRYPTO_NINETHREE | NCCHCRYPTO_NINESIX | NCCHCRYPTO_SEED, //< ExeFS and RomFS need new keys
+	NCCHCRYPTO_BROKEN	= 0xFF		//< Internal: seed crypto required but no seed set
+} ctr_ncchcryptotype;
+
 typedef struct
 {
 	u8 signature[0x100];
@@ -58,6 +71,8 @@ typedef struct
 {
 	FILE* file;
 	u8 key[16];
+	u8 special_key[16]; // used with the 7.x+ crypto methods
+	u8 seed[16];
 	u32 encrypted;
 	u64 offset;
 	u64 size;
diff --git a/ctrtool/settings.c b/ctrtool/settings.c
index ddbf51bc..95f7dbd3 100644
--- a/ctrtool/settings.c
+++ b/ctrtool/settings.c
@@ -136,38 +136,55 @@ unsigned int settings_get_mediaunit_size(settings* usersettings)
 		return 0;
 }
 
-unsigned char* settings_get_ncch_key(settings* usersettings)
+#define GETKEY(s, k)	do {\
+	if ((s) && (s)->keys.k.valid)\
+		return (s)->keys.k.data;\
+	else\
+		return NULL;\
+} while (0)
+
+unsigned char* settings_get_ncch_fixedsystemkey(settings* usersettings)
 {
-	if (usersettings && usersettings->keys.ncchkey.valid)
-		return usersettings->keys.ncchkey.data;
-	else
-		return 0;
+	GETKEY(usersettings, ncchfixedsystemkey);
 }
 
-unsigned char* settings_get_ncch_fixedsystemkey(settings* usersettings)
+unsigned char* settings_get_ncchkeyX_old(settings* usersettings)
 {
-	if (usersettings && usersettings->keys.ncchfixedsystemkey.valid)
-		return usersettings->keys.ncchfixedsystemkey.data;
-	else
-		return 0;
+	GETKEY(usersettings, ncchkeyX_old);
 }
 
-unsigned char* settings_get_common_key(settings* usersettings)
+unsigned char* settings_get_ncchkeyX_seven(settings* usersettings)
 {
-	if (usersettings && usersettings->keys.commonkey.valid)
-		return usersettings->keys.commonkey.data;
-	else
-		return 0;
+	GETKEY(usersettings, ncchkeyX_seven);
+}
+
+unsigned char* settings_get_ncchkeyX_ninethree(settings* usersettings)
+{
+	GETKEY(usersettings, ncchkeyX_ninethree);
+}
+
+unsigned char* settings_get_ncchkeyX_ninesix(settings* usersettings)
+{
+	GETKEY(usersettings, ncchkeyX_ninesix);
+}
+
+unsigned char* settings_get_common_keyX(settings* usersettings)
+{
+	GETKEY(usersettings, commonkeyX);
+}
+
+unsigned char* settings_get_seed(settings* usersettings)
+{
+	GETKEY(usersettings, seed);
 }
 
 unsigned char* settings_get_title_key(settings* usersettings)
 {
-	if (usersettings && usersettings->keys.titlekey.valid)
-		return usersettings->keys.titlekey.data;
-	else
-		return 0;
+	GETKEY(usersettings, titlekey);
 }
 
+#undef GETKEY
+
 int settings_get_ignore_programid(settings* usersettings)
 {
 	if (usersettings)
diff --git a/ctrtool/settings.h b/ctrtool/settings.h
index 2822b93a..c3f819f0 100644
--- a/ctrtool/settings.h
+++ b/ctrtool/settings.h
@@ -46,9 +46,13 @@ filepath* settings_get_firm_dir_path(settings* usersettings);
 filepath* settings_get_wav_path(settings* usersettings);
 filepath* settings_get_plainrgn_path(settings* usersettings);
 unsigned int settings_get_mediaunit_size(settings* usersettings);
-unsigned char* settings_get_ncch_key(settings* usersettings);
 unsigned char* settings_get_ncch_fixedsystemkey(settings* usersettings);
-unsigned char* settings_get_common_key(settings* usersettings);
+unsigned char* settings_get_ncchkeyX_old(settings* usersettings);
+unsigned char* settings_get_ncchkeyX_seven(settings* usersettings);
+unsigned char* settings_get_ncchkeyX_ninethree(settings* usersettings);
+unsigned char* settings_get_ncchkeyX_ninesix(settings* usersettings);
+unsigned char* settings_get_common_keyX(settings* usersettings);
+unsigned char* settings_get_seed(settings* usersettings);
 unsigned char* settings_get_title_key(settings* usersettings);
 int settings_get_ignore_programid(settings* usersettings);
 int settings_get_list_romfs_files(settings* usersettings);
diff --git a/ctrtool/tik.c b/ctrtool/tik.c
index ce582c38..c9a1e5bd 100644
--- a/ctrtool/tik.c
+++ b/ctrtool/tik.c
@@ -2,6 +2,7 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "aes_keygen.h"
 #include "tik.h"
 #include "ctr.h"
 #include "utils.h"
@@ -31,9 +32,9 @@ void tik_set_usersettings(tik_context* ctx, settings* usersettings)
 	ctx->usersettings = usersettings;
 }
 
-void tik_get_decrypted_titlekey(tik_context* ctx, u8 decryptedkey[0x10])
+void tik_get_titlekey(tik_context* ctx, u8 key[0x10])
 {
-	memcpy(decryptedkey, ctx->titlekey, 16);
+	memcpy(ctx->titlekey, key, 16);
 }
 
 void tik_get_titleid(tik_context* ctx, u8 titleid[8])
@@ -50,16 +51,29 @@ void tik_get_iv(tik_context* ctx, u8 iv[16])
 void tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]) 
 {
 	u8 iv[16];
-	u8* key = settings_get_common_key(ctx->usersettings);
+	u8* keyX = settings_get_common_keyX(ctx->usersettings);
+	const u8 keyYs[6][16] = {
+		// application titles (eShop titles)
+		{0xd0, 0x7b, 0x33, 0x7f, 0x9c, 0xa4, 0x38, 0x59, 0x32, 0xa2, 0xe2, 0x57, 0x23, 0x23, 0x2e, 0xb9},
+		// system titles
+		{0x0c, 0x76, 0x72, 0x30, 0xf0, 0x99, 0x8f, 0x1c, 0x46, 0x82, 0x82, 0x02, 0xfa, 0xac, 0xbe, 0x4c},
+		// these are unused
+		{0xc4, 0x75, 0xcb, 0x3a, 0xb8, 0xc7, 0x88, 0xbb, 0x57, 0x5e, 0x12, 0xa1, 0x09, 0x07, 0xb8, 0xa4},
+		{0xe4, 0x86, 0xee, 0xe3, 0xd0, 0xc0, 0x9c, 0x90, 0x2f, 0x66, 0x86, 0xd4, 0xc0, 0x6f, 0x64, 0x9f},
+		{0xed, 0x31, 0xba, 0x9c, 0x04, 0xb0, 0x67, 0x50, 0x6c, 0x44, 0x97, 0xa3, 0x5b, 0x78, 0x04, 0xfc},
+		{0x5e, 0x66, 0x99, 0x8a, 0xb4, 0xe8, 0x93, 0x16, 0x06, 0x85, 0x0f, 0xd7, 0xa1, 0x6d, 0xd7, 0x55},
+	};
+	u8 key[16];
 
 	memset(decryptedkey, 0, 0x10);
 
-	if (!key)
+	if (!keyX)
 	{
 		fprintf(stdout, "Warning, could not read common key.\n");
 	}
 	else
 	{
+		ctr_aes_keygen(keyX, keyYs[(ctx->tik.title_id[3] & 0x10) ? 1 : 0], key);
 		memset(iv, 0, 0x10);
 		memcpy(iv, ctx->tik.title_id, 8);
 
@@ -108,7 +122,7 @@ void tik_print(tik_context* ctx)
 
 	memdump(stdout, "Encrypted Titlekey:     ", tik->encrypted_title_key, 0x10);
 	
-	if (settings_get_common_key(ctx->usersettings))
+	if (settings_get_common_keyX(ctx->usersettings))
 		memdump(stdout, "Decrypted Titlekey:     ", ctx->titlekey, 0x10);
 
 	memdump(stdout,	"Ticket ID:              ", tik->ticket_id, 0x08);
diff --git a/ctrtool/tik.h b/ctrtool/tik.h
index edd72c5b..1aa05966 100644
--- a/ctrtool/tik.h
+++ b/ctrtool/tik.h
@@ -54,7 +54,7 @@ void tik_set_file(tik_context* ctx, FILE* file);
 void tik_set_offset(tik_context* ctx, u64 offset);
 void tik_set_size(tik_context* ctx, u32 size);
 void tik_set_usersettings(tik_context* ctx, settings* usersettings);
-void tik_get_decrypted_titlekey(tik_context* ctx, u8 decryptedkey[0x10]);
+void tik_get_titlekey(tik_context* ctx, u8 key[0x10]);
 void tik_get_titleid(tik_context* ctx, u8 titleid[8]);
 void tik_get_iv(tik_context* ctx, u8 iv[0x10]);
 void tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]);
diff --git a/ctrtool/types.h b/ctrtool/types.h
index 5904a080..c35e2ba8 100644
--- a/ctrtool/types.h
+++ b/ctrtool/types.h
@@ -25,6 +25,7 @@ enum flags
 	ShowKeysFlag = (1<<6),
 	DecompressCodeFlag = (1<<7),
 	ShowSyscallsFlag = (1<<8),
+	DevFlag = (1<<9),
 };
 
 enum validstate

From 876c197387717185b01c4f089eb2eaad20def16e Mon Sep 17 00:00:00 2001
From: Michael Scire <SciresM@gmail.com>
Date: Tue, 23 May 2017 01:00:43 -0700
Subject: [PATCH 191/317] Update .vcproj with new files

---
 ctrtool/ctrtool.vcxproj         | 2 ++
 ctrtool/ctrtool.vcxproj.filters | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/ctrtool/ctrtool.vcxproj b/ctrtool/ctrtool.vcxproj
index 71596d61..21abef9d 100644
--- a/ctrtool/ctrtool.vcxproj
+++ b/ctrtool/ctrtool.vcxproj
@@ -91,6 +91,7 @@
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClCompile Include="aes_keygen.c" />
     <ClCompile Include="cia.c" />
     <ClCompile Include="ctr.c" />
     <ClCompile Include="cwav.c" />
@@ -124,6 +125,7 @@
     <ClCompile Include="tinyxml\tinyxmlparser.cpp" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="aes_keygen.h" />
     <ClInclude Include="cia.h" />
     <ClInclude Include="ctr.h" />
     <ClInclude Include="cwav.h" />
diff --git a/ctrtool/ctrtool.vcxproj.filters b/ctrtool/ctrtool.vcxproj.filters
index f7862f27..8f0b3927 100644
--- a/ctrtool/ctrtool.vcxproj.filters
+++ b/ctrtool/ctrtool.vcxproj.filters
@@ -120,6 +120,9 @@
     <ClCompile Include="syscalls.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="aes_keygen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="cia.h">
@@ -215,5 +218,8 @@
     <ClInclude Include="syscalls.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="aes_keygen.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>
\ No newline at end of file

From fae366c1270d3d143c95d3a804b5fbbe32247f95 Mon Sep 17 00:00:00 2001
From: Reisyukaku <asterma@yahoo.com>
Date: Wed, 24 May 2017 00:35:38 -0400
Subject: [PATCH 192/317] fixed subtle titlekey issue

---
 ctrtool/tik.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/tik.c b/ctrtool/tik.c
index c9a1e5bd..0c1b69ce 100644
--- a/ctrtool/tik.c
+++ b/ctrtool/tik.c
@@ -34,7 +34,7 @@ void tik_set_usersettings(tik_context* ctx, settings* usersettings)
 
 void tik_get_titlekey(tik_context* ctx, u8 key[0x10])
 {
-	memcpy(ctx->titlekey, key, 16);
+	memcpy(key, ctx->titlekey, 0x10);
 }
 
 void tik_get_titleid(tik_context* ctx, u8 titleid[8])

From 183d95bffa2c67a933dafa51282a1c9980f40129 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 25 May 2017 12:56:51 +0800
Subject: [PATCH 193/317] [ctrtool] fixed keygen add()/sub() functions

---
 ctrtool/aes_keygen.c | 27 ---------------------------
 1 file changed, 27 deletions(-)

diff --git a/ctrtool/aes_keygen.c b/ctrtool/aes_keygen.c
index d8bda853..eb81bdff 100644
--- a/ctrtool/aes_keygen.c
+++ b/ctrtool/aes_keygen.c
@@ -45,14 +45,6 @@ void n128_add(const uint8_t *a, const uint8_t *b, uint8_t *out)
 		carry = sum >> 8;
 		out[i] = sum & 0xff;
 	}
-
-	while (carry != 0) {
-		for (int i = 15; i >= 0; i--) {
-			sum = out[i] + carry;
-			carry = sum >> 8;
-			out[i] = sum & 0xff;
-		}
-	}
 }
 
 /* out = a - b
@@ -77,25 +69,6 @@ void n128_sub(const uint8_t *a, const uint8_t *b, uint8_t *out)
 		// set value
 		out[i] = sum & 0xff;
 	}
-
-
-	while (carry != 0) {
-		for (int i = 15; i >= 0; i--) {
-			sum = out[i] - carry;
-
-			// check to see if anything was borrowed from next byte
-			if (out[i] < carry) {
-				sum += 0x100;
-				carry = 1;
-			}
-			else {
-				carry = 0;
-			}
-
-			out[i] = sum & 0xff;
-		}
-	}
-
 }
 
 void n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out)

From 4f875b0d0b82ba0e2635e23736f7bbf110214081 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Thu, 25 May 2017 13:50:03 +0800
Subject: [PATCH 194/317] [makerom] Implemented support for secure crypto.
 Secure crypto is now default. Seeded keyY crypto not yet supported. Time for
 version 0.16!!!

---
 makerom/aes_keygen.c    | 27 ------------------------
 makerom/keyset.c        | 38 +++++++++++++++++++++++++---------
 makerom/ncch.c          | 46 +++++++++++++++++++++++++++--------------
 makerom/ncch.h          |  8 +++++++
 makerom/pki/dev.h       | 24 +++++++++++----------
 makerom/pki/prod.h      | 27 +++++++++++-------------
 makerom/user_settings.c |  4 ++--
 7 files changed, 94 insertions(+), 80 deletions(-)

diff --git a/makerom/aes_keygen.c b/makerom/aes_keygen.c
index c9934101..fc2310ec 100644
--- a/makerom/aes_keygen.c
+++ b/makerom/aes_keygen.c
@@ -45,14 +45,6 @@ void n128_add(const uint8_t *a, const uint8_t *b, uint8_t *out)
 		carry = sum >> 8;
 		out[i] = sum & 0xff;
 	}
-
-	while (carry != 0) {
-		for (int i = 15; i >= 0; i--) {
-			sum = out[i] + carry;
-			carry = sum >> 8;
-			out[i] = sum & 0xff;
-		}
-	}
 }
 
 /* out = a - b
@@ -77,25 +69,6 @@ void n128_sub(const uint8_t *a, const uint8_t *b, uint8_t *out)
 		// set value
 		out[i] = sum & 0xff;
 	}
-
-
-	while (carry != 0) {
-		for (int i = 15; i >= 0; i--) {
-			sum = out[i] - carry;
-
-			// check to see if anything was borrowed from next byte
-			if (out[i] < carry) {
-				sum += 0x100;
-				carry = 1;
-			}
-			else {
-				carry = 0;
-			}
-
-			out[i] = sum & 0xff;
-		}
-	}
-
 }
 
 void n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out)
diff --git a/makerom/keyset.c b/makerom/keyset.c
index 85cc3f7a..b8c26716 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -101,10 +101,10 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetNormalKey(keys, dev_fixed_ncch_key[0]);
 		SetSystemFixedKey(keys, dev_fixed_ncch_key[1]);
 		
-		/*
-		for(int i = 0; i < 2; i++)
+		
+		for(int i = 0; i < 4; i++)
 			SetNcchKeyX(keys, dev_unfixed_ncch_keyX[i],i);
-		*/
+		
 
 		/* RSA Keys */
 		// CIA
@@ -124,20 +124,19 @@ int LoadKeysFromResources(keys_struct *keys)
 		keys->keysetLoaded = true;
 		/* AES Keys */
 		// CIA
-		//for(int i = 0; i < 6; i++){
-		//	keys->aes.commonKey[i] = malloc(16);
-		//	ctr_aes_keygen(ctr_common_etd_keyX_ppki, ctr_common_etd_keyY_ppki[i], keys->aes.commonKey[i]);
-		//}
+		for (int i = 0; i < 6; i++)
+			SetCommonKey(keys, ctr_common_etd_key_ppki[i], i);
+
 		if(keys->aes.currentCommonKey > 0xff)
 			SetCurrentCommonKey(keys,0);
 	
 		// NCCH
 		keys->aes.normalKey = NULL;
 		keys->aes.systemFixedKey = NULL;
-		/*
-		for(int i = 0; i < 2; i++)
+		
+		for(int i = 0; i < 4; i++)
 			SetNcchKeyX(keys, prod_unfixed_ncch_keyX[i],i);
-		*/
+		
 
 		/* RSA Keys */
 		// CIA
@@ -200,6 +199,7 @@ void DumpKeyset(keys_struct *keys)
 {
 	bool showNcchFixedKeys = (keys->aes.normalKey || keys->aes.systemFixedKey);
 	bool showCommonKeys = false;
+	bool showNcchKeyXs = false;
 	for(int i = 0; i < 256; i++){
 		if(keys->aes.commonKey[i]){
 			showCommonKeys = true;
@@ -207,6 +207,13 @@ void DumpKeyset(keys_struct *keys)
 		}
 	}
 
+	for (int i = 0; i < 256; i++) {
+		if (keys->aes.ncchKeyX[i]) {
+			showNcchKeyXs = true;
+			break;
+		}
+	}
+
 	printf("[*] Keyset\n");
 		
 	if(showCommonKeys){
@@ -218,6 +225,17 @@ void DumpKeyset(keys_struct *keys)
 			}
 		}
 	}
+
+	if (showNcchKeyXs) {
+		printf(" > Unfixed NCCH KeyXs\n");
+		for (int i = 0; i < 256; i++) {
+			if (keys->aes.ncchKeyX[i]) {
+				printf(" [0x%02x]     ", i);
+				memdump(stdout, "", keys->aes.ncchKeyX[i], 16);
+			}
+		}
+	}
+
 	if(showNcchFixedKeys){
 		printf(" > Fixed NCCH Keys\n");
 		if(keys->aes.normalKey)
diff --git a/makerom/ncch.c b/makerom/ncch.c
index 8621b126..b400ec86 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -1024,33 +1024,49 @@ bool IsNcchEncrypted(ncch_hdr *hdr)
 
 bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr)
 {
-	if(!IsNcchEncrypted(hdr)) 
+	if (!IsNcchEncrypted(hdr))
 		return true;
-		
-	if((hdr->flags[ncchflag_OTHER_FLAG] & otherflag_FixedCryptoKey) == otherflag_FixedCryptoKey){
-		if((hdr->programId[4] & 0x10) == 0x10){
-			if(!keys->aes.systemFixedKey)
+
+	if ((hdr->flags[ncchflag_OTHER_FLAG] & otherflag_FixedCryptoKey) == otherflag_FixedCryptoKey) {
+		if ((hdr->programId[4] & 0x10) == 0x10) {
+			if (!keys->aes.systemFixedKey)
 				return false;
-			memcpy(keys->aes.ncchKey0,keys->aes.systemFixedKey,AES_128_KEY_SIZE);
-			memcpy(keys->aes.ncchKey1,keys->aes.systemFixedKey,AES_128_KEY_SIZE);
+			memcpy(keys->aes.ncchKey0, keys->aes.systemFixedKey, AES_128_KEY_SIZE);
+			memcpy(keys->aes.ncchKey1, keys->aes.systemFixedKey, AES_128_KEY_SIZE);
 			return true;
 		}
-		else{
-			if(!keys->aes.normalKey)
+		else {
+			if (!keys->aes.normalKey)
 				return false;
-			memcpy(keys->aes.ncchKey0,keys->aes.normalKey,AES_128_KEY_SIZE);
-			memcpy(keys->aes.ncchKey1,keys->aes.normalKey,AES_128_KEY_SIZE);
+			memcpy(keys->aes.ncchKey0, keys->aes.normalKey, AES_128_KEY_SIZE);
+			memcpy(keys->aes.ncchKey1, keys->aes.normalKey, AES_128_KEY_SIZE);
 			return true;
 		}
 	}
-	
+
+	u8 ncch_keyx_index = 0;
+	switch (hdr->flags[ncchflag_CONTENT_KEYX])
+	{
+	case (keyx_7_0):
+		ncch_keyx_index = 1;
+		break;
+	case (keyx_9_3):
+		ncch_keyx_index = 2;
+		break;
+	case (keyx_9_6):
+		ncch_keyx_index = 3;
+		break;
+	default:
+		ncch_keyx_index = 0;
+	}
+
 	if(keys->aes.ncchKeyX[0])
 		ctr_aes_keygen(keys->aes.ncchKeyX[0],hdr->signature,keys->aes.ncchKey0);
 	else
 		return false;
-	
-	if(keys->aes.ncchKeyX[hdr->flags[ncchflag_CONTENT_KEYX]])
-		ctr_aes_keygen(keys->aes.ncchKeyX[ncchflag_CONTENT_KEYX], hdr->signature, keys->aes.ncchKey0);
+
+	if(keys->aes.ncchKeyX[ncch_keyx_index])
+		ctr_aes_keygen(keys->aes.ncchKeyX[ncch_keyx_index], hdr->signature, keys->aes.ncchKey0);
 	else
 		return false;
 		
diff --git a/makerom/ncch.h b/makerom/ncch.h
index 93c56860..b2066dfe 100644
--- a/makerom/ncch.h
+++ b/makerom/ncch.h
@@ -72,6 +72,14 @@ typedef enum
 	platform_SNAKE = 0x2
 } ncch_platform;
 
+typedef enum
+{
+	keyx_regular = 0x00,
+	keyx_7_0 = 0x01,
+	keyx_9_3 = 0x0A,
+	keyx_9_6 = 0x0B,
+} ncch_keyx_id;
+
 typedef struct
 {
 	u16 formatVersion;
diff --git a/makerom/pki/dev.h b/makerom/pki/dev.h
index 1099a23b..eb793850 100644
--- a/makerom/pki/dev.h
+++ b/makerom/pki/dev.h
@@ -6,26 +6,28 @@
 #endif
 
 // AES KEYS
-static const unsigned char dev_unfixed_ncch_keyX[2][16] = // Dummy
+static const unsigned char dev_unfixed_ncch_keyX[4][16] =
 {
-	{0x82, 0xAD, 0xED, 0xC7, 0xBA, 0x0A, 0x3F, 0x3D, 0x5F, 0xDD, 0x30, 0x0F, 0x0E, 0x9B, 0xE1, 0x5B} , // Normal
-	{0xE5, 0x70, 0x6F, 0x65, 0x6A, 0xF4, 0xD9, 0x3F, 0x1E, 0x2F, 0x29, 0x3F, 0x16, 0x15, 0x4E, 0xD8} , // 7.X new Crypto
+	{ 0x51, 0x02, 0x07, 0x51, 0x55, 0x07, 0xcb, 0xb1, 0x8e, 0x24, 0x3d, 0xcb, 0x85, 0xe2, 0x3a, 0x1d }, // Regular
+	{ 0x81, 0x90, 0x7a, 0x4b, 0x6f, 0x1b, 0x47, 0x32, 0x3a, 0x67, 0x79, 0x74, 0xce, 0x4a, 0xd7, 0x1b }, // >=7.0
+	{ 0x30, 0x4b, 0xf1, 0x46, 0x83, 0x72, 0xee, 0x64, 0x11, 0x5e, 0xbd, 0x40, 0x93, 0xd8, 0x42, 0x76 }, // >=9.3 (New3DS)
+	{ 0x6c, 0x8b, 0x29, 0x44, 0xa0, 0x72, 0x60, 0x35, 0xf9, 0x41, 0xdf, 0xc0, 0x18, 0x52, 0x4f, 0xb6 }  // >=9.6 (New3DS)
 };
 
 static const unsigned char dev_fixed_ncch_key[2][16] =
 {
-	{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00} , // Normal FixedKey
-	{0x52, 0x7C, 0xE6, 0x30, 0xA9, 0xCA, 0x30, 0x5F, 0x36, 0x96, 0xF3, 0xCD, 0xE9, 0x54, 0x19, 0x4B} , // System FixedKey
+	{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // Normal FixedKey
+	{0x52, 0x7C, 0xE6, 0x30, 0xA9, 0xCA, 0x30, 0x5F, 0x36, 0x96, 0xF3, 0xCD, 0xE9, 0x54, 0x19, 0x4B}  // System FixedKey
 };
 
 static const unsigned char ctr_common_etd_key_dpki[6][16] =
 {
-	{0x55, 0xA3, 0xF8, 0x72, 0xBD, 0xC8, 0x0C, 0x55, 0x5A, 0x65, 0x43, 0x81, 0x13, 0x9E, 0x15, 0x3B} , // 0 - eShop Titles
-	{0x44, 0x34, 0xED, 0x14, 0x82, 0x0C, 0xA1, 0xEB, 0xAB, 0x82, 0xC1, 0x6E, 0x7B, 0xEF, 0x0C, 0x25} , // 1 - System Titles
-	{0xF6, 0x2E, 0x3F, 0x95, 0x8E, 0x28, 0xA2, 0x1F, 0x28, 0x9E, 0xEC, 0x71, 0xA8, 0x66, 0x29, 0xDC} , // 2
-	{0x2B, 0x49, 0xCB, 0x6F, 0x99, 0x98, 0xD9, 0xAD, 0x94, 0xF2, 0xED, 0xE7, 0xB5, 0xDA, 0x3E, 0x27} , // 3
-	{0x75, 0x05, 0x52, 0xBF, 0xAA, 0x1C, 0x04, 0x07, 0x55, 0xC8, 0xD5, 0x9A, 0x55, 0xF9, 0xAD, 0x1F} , // 4
-	{0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63} , // 5
+	{ 0x55, 0xA3, 0xF8, 0x72, 0xBD, 0xC8, 0x0C, 0x55, 0x5A, 0x65, 0x43, 0x81, 0x13, 0x9E, 0x15, 0x3B }, // 0 - eShop Titles
+	{ 0x44, 0x34, 0xED, 0x14, 0x82, 0x0C, 0xA1, 0xEB, 0xAB, 0x82, 0xC1, 0x6E, 0x7B, 0xEF, 0x0C, 0x25 }, // 1 - System Titles
+	{ 0xF6, 0x2E, 0x3F, 0x95, 0x8E, 0x28, 0xA2, 0x1F, 0x28, 0x9E, 0xEC, 0x71, 0xA8, 0x66, 0x29, 0xDC },
+	{ 0x2B, 0x49, 0xCB, 0x6F, 0x99, 0x98, 0xD9, 0xAD, 0x94, 0xF2, 0xED, 0xE7, 0xB5, 0xDA, 0x3E, 0x27 },
+	{ 0x75, 0x05, 0x52, 0xBF, 0xAA, 0x1C, 0x04, 0x07, 0x55, 0xC8, 0xD5, 0x9A, 0x55, 0xF9, 0xAD, 0x1F },
+	{ 0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63 }
 };
 
 //RSA Keys
diff --git a/makerom/pki/prod.h b/makerom/pki/prod.h
index 31250811..790bd4df 100644
--- a/makerom/pki/prod.h
+++ b/makerom/pki/prod.h
@@ -5,25 +5,22 @@
 #endif
 
 // AES KEYS
-static const unsigned char prod_unfixed_ncch_keyX[2][16] = // Dummy
+static const unsigned char prod_unfixed_ncch_keyX[4][16] =
 {
-	{0x81, 0x50, 0xA9, 0x78, 0x53, 0x3B, 0xA5, 0xE9, 0xA5, 0x0A, 0x23, 0x16, 0xB9, 0x3A, 0xED, 0x5A} , // Normal
-	{0xB4, 0xD1, 0xCF, 0x58, 0x49, 0xCE, 0x8A, 0x2D, 0x71, 0x58, 0xF6, 0x66, 0x77, 0x5D, 0x16, 0x3D} , // 7.X new Crypto
+	{ 0xb9, 0x8e, 0x95, 0xce, 0xca, 0x3e, 0x4d, 0x17, 0x1f, 0x76, 0xa9, 0x4d, 0xe9, 0x34, 0xc0, 0x53 }, // Regular
+	{ 0xce, 0xe7, 0xd8, 0xab, 0x30, 0xc0, 0x0d, 0xae, 0x85, 0x0e, 0xf5, 0xe3, 0x82, 0xac, 0x5a, 0xf3 }, // >=7.0
+	{ 0x82, 0xe9, 0xc9, 0xbe, 0xbf, 0xb8, 0xbd, 0xb8, 0x75, 0xec, 0xc0, 0xa0, 0x7d, 0x47, 0x43, 0x74 }, // >=9.3 (New3DS)
+	{ 0x45, 0xad, 0x04, 0x95, 0x39, 0x92, 0xc7, 0xc8, 0x93, 0x72, 0x4a, 0x9a, 0x7b, 0xce, 0x61, 0x82 }  // >=9.6 (New3DS)
 };
 
-static const unsigned char ctr_common_etd_keyX_ppki[16] = // Dummy
+static const unsigned char ctr_common_etd_key_ppki[6][16] =
 {
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-static const unsigned char ctr_common_etd_keyY_ppki[6][16] =
-{
-	{0xD0, 0x7B, 0x33, 0x7F, 0x9C, 0xA4, 0x38, 0x59, 0x32, 0xA2, 0xE2, 0x57, 0x23, 0x23, 0x2E, 0xB9} , // 0 - eShop Titles
-	{0x0C, 0x76, 0x72, 0x30, 0xF0, 0x99, 0x8F, 0x1C, 0x46, 0x82, 0x82, 0x02, 0xFA, 0xAC, 0xBE, 0x4C} , // 1 - System Titles
-	{0xC4, 0x75, 0xCB, 0x3A, 0xB8, 0xC7, 0x88, 0xBB, 0x57, 0x5E, 0x12, 0xA1, 0x09, 0x07, 0xB8, 0xA4} , // 2
-	{0xE4, 0x86, 0xEE, 0xE3, 0xD0, 0xC0, 0x9C, 0x90, 0x2F, 0x66, 0x86, 0xD4, 0xC0, 0x6F, 0x64, 0x9F} , // 3
-	{0xED, 0x31, 0xBA, 0x9C, 0x04, 0xB0, 0x67, 0x50, 0x6C, 0x44, 0x97, 0xA3, 0x5B, 0x78, 0x04, 0xFC} , // 4
-	{0x5E, 0x66, 0x99, 0x8A, 0xB4, 0xE8, 0x93, 0x16, 0x06, 0x85, 0x0F, 0xD7, 0xA1, 0x6D, 0xD7, 0x55} , // 5
+	{ 0x64, 0xC5, 0xFD, 0x55, 0xDD, 0x3A, 0xD9, 0x88, 0x32, 0x5B, 0xAA, 0xEC, 0x52, 0x43, 0xDB, 0x98 } , // 0 - eShop Titles
+	{ 0x4A, 0xAA, 0x3D, 0x0E, 0x27, 0xD4, 0xD7, 0x28, 0xD0, 0xB1, 0xB4, 0x33, 0xF0, 0xF9, 0xCB, 0xC8 } , // 1 - System Titles
+	{ 0xFB, 0xB0, 0xEF, 0x8C, 0xDB, 0xB0, 0xD8, 0xE4, 0x53, 0xCD, 0x99, 0x34, 0x43, 0x71, 0x69, 0x7F } , // 2
+	{ 0x25, 0x95, 0x9B, 0x7A, 0xD0, 0x40, 0x9F, 0x72, 0x68, 0x41, 0x98, 0xBA, 0x2E, 0xCD, 0x7D, 0xC6 } , // 3
+	{ 0x7A, 0xDA, 0x22, 0xCA, 0xFF, 0xC4, 0x76, 0xCC, 0x82, 0x97, 0xA0, 0xC7, 0xCE, 0xEE, 0xEE, 0xBE } , // 4
+	{ 0xA5, 0x05, 0x1C, 0xA1, 0xB3, 0x7D, 0xCF, 0x3A, 0xFB, 0xCF, 0x8C, 0xC1, 0xED, 0xD9, 0xCE, 0x02 } , // 5
 };
 
 // RSA KEYS
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 303b61bb..5089591d 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -87,7 +87,7 @@ void SetDefaults(user_settings *set)
 	set->common.keys.accessDescSign.presetType = desc_NotSpecified;
 
 	// Build NCCH Info
-	set->ncch.useSecCrypto = false;
+	set->ncch.useSecCrypto = true;
 	set->ncch.buildNcch0 = true;
 	set->ncch.includeExefsLogo = false;
 	set->common.outFormat = NCCH;
@@ -900,7 +900,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.15 (C) 3DSGuy 2014\n");
+	printf("CTR MAKEROM v0.16 (C) 3DSGuy 2017\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From 6e858be07bb9faee8d616be0c57fae839ff3a5e2 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 28 May 2017 10:27:55 +0800
Subject: [PATCH 195/317] [makerom] Relaxed support for bad signatures
 (-ignoresign). Warns user when something cannot be signed, instead of
 treating it like a fatal error.

---
 makerom/accessdesc.c    |  76 +++++++++--------
 makerom/exheader.c      |   4 +-
 makerom/keyset.c        | 177 +++++++++++++++++-----------------------
 makerom/keyset.h        |  33 ++++----
 makerom/ncch.c          |  57 +++++++++----
 makerom/ncsd.c          |   7 +-
 makerom/tik.c           |   8 +-
 makerom/tmd.c           |   8 +-
 makerom/user_settings.c |  14 ++--
 9 files changed, 206 insertions(+), 178 deletions(-)

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 847118f4..20c4e876 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -19,30 +19,28 @@ const CtrSdkDepList* accessdesc_GetPresetDependencyList(keys_struct *keys);
 
 int set_AccessDesc(exheader_settings *exhdrset)
 {
-	if(exhdrset->useAccessDescPreset) // Use AccessDesc Template
+	if(exhdrset->useAccessDescPreset == true) // Use AccessDesc Template
 		return accessdesc_GetSignFromPreset(exhdrset);
-	else if(exhdrset->rsf->CommonHeaderKey.Found) // Keydata exists in RSF
+	else if(exhdrset->rsf->CommonHeaderKey.Found == true) // Keydata exists in RSF
 		return accessdesc_GetSignFromRsf(exhdrset);
-	else if(!exhdrset->keys->rsa.requiresPresignedDesc) // Else if The AccessDesc can be signed with key
+	else if (Rsa2048Key_CanSign(&exhdrset->keys->rsa.acex) == false) // sign using rsa key
 		return accessdesc_SignWithKey(exhdrset);
-	else{ // No way the access desc signature can be 'obtained'
-		fprintf(stderr,"[ACEXDESC ERROR] Current keyset cannot sign AccessDesc, please appropriately set-up RSF, or specify a preset with \"-desc\"\n");
-		return CANNOT_SIGN_ACCESSDESC;
-	}
+	
+	return 1;
 }
 
 int accessdesc_SignWithKey(exheader_settings *exhdrset)
 {
 	/* Set RSA Keys */
-	memcpy(exhdrset->keys->rsa.cxiHdrPvt,exhdrset->keys->rsa.cciCfaPvt,0x100);
-	memcpy(exhdrset->keys->rsa.cxiHdrPub,exhdrset->keys->rsa.cciCfaPub,0x100);
-	memcpy(&exhdrset->acexDesc->ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
+	memcpy(exhdrset->keys->rsa.cxi.pvt, exhdrset->keys->rsa.cciCfa.pvt, 0x100);
+	memcpy(exhdrset->keys->rsa.cxi.pub, exhdrset->keys->rsa.cciCfa.pub, 0x100);
+	memcpy(&exhdrset->acexDesc->ncchRsaPubKey, exhdrset->keys->rsa.cxi.pub, 0x100);
 
 	/* Copy Data From ExHeader */
-	memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities,&exhdrset->exHdr->arm11SystemLocalCapabilities,sizeof(exhdr_ARM11SystemLocalCapabilities));
-	memcpy(&exhdrset->acexDesc->arm11KernelCapabilities,&exhdrset->exHdr->arm11KernelCapabilities,sizeof(exhdr_ARM11KernelCapabilities));
-	memcpy(&exhdrset->acexDesc->arm9AccessControlInfo,&exhdrset->exHdr->arm9AccessControlInfo,sizeof(exhdr_ARM9AccessControlInfo));
-	
+	memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities, &exhdrset->exHdr->arm11SystemLocalCapabilities, sizeof(exhdr_ARM11SystemLocalCapabilities));
+	memcpy(&exhdrset->acexDesc->arm11KernelCapabilities, &exhdrset->exHdr->arm11KernelCapabilities, sizeof(exhdr_ARM11KernelCapabilities));
+	memcpy(&exhdrset->acexDesc->arm9AccessControlInfo, &exhdrset->exHdr->arm9AccessControlInfo, sizeof(exhdr_ARM9AccessControlInfo));
+
 	/* Adjust Data */
 	exhdr_ARM11SystemLocalCapabilities *arm11 = &exhdrset->acexDesc->arm11SystemLocalCapabilities;
 
@@ -50,7 +48,13 @@ int accessdesc_SignWithKey(exheader_settings *exhdrset)
 	arm11->threadPriority /= 2;
 
 	/* Sign AccessDesc */
-	return SignAccessDesc(exhdrset->acexDesc,exhdrset->keys);
+	if (SignAccessDesc(exhdrset->acexDesc, exhdrset->keys) != 0)
+	{
+		printf("[ACEXDESC WARNING] Failed to sign access descriptor\n");
+		memset(exhdrset->acexDesc->signature, 0xFF, 0x100);
+	}
+
+	return 0;
 }
 
 int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
@@ -100,10 +104,10 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 	/* Set RSA Keys */
 	int result = 0;
 	// NCCH Header pubk
-	result = b64_decode(exhdrset->keys->rsa.cxiHdrPub,exhdrset->rsf->CommonHeaderKey.Modulus,0x100);
+	result = b64_decode(exhdrset->keys->rsa.cxi.pub,exhdrset->rsf->CommonHeaderKey.Modulus,0x100);
 	if(result) return result;
 	// NCCH Header privk
-	result = b64_decode(exhdrset->keys->rsa.cxiHdrPvt,exhdrset->rsf->CommonHeaderKey.D,0x100);
+	result = b64_decode(exhdrset->keys->rsa.cxi.pvt,exhdrset->rsf->CommonHeaderKey.D,0x100);
 	if(result) return result;
 
 	/* Set AccessDesc */
@@ -111,7 +115,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 	result = b64_decode(exhdrset->acexDesc->signature,exhdrset->rsf->CommonHeaderKey.AccCtlDescSign,0x100);
 	if(result) return result;
 	// NCCH Header pubk
-	memcpy(exhdrset->acexDesc->ncchRsaPubKey,exhdrset->keys->rsa.cxiHdrPub,0x100);
+	memcpy(exhdrset->acexDesc->ncchRsaPubKey,exhdrset->keys->rsa.cxi.pub,0x100);
 	// Access Control
 	result = b64_decode((u8*)&exhdrset->acexDesc->arm11SystemLocalCapabilities,exhdrset->rsf->CommonHeaderKey.AccCtlDescBin,0x200);
 	if(result) return result;
@@ -127,16 +131,11 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 
 
 	// Error Checking
-	if(!desc || !dependency_list){
-		fprintf(stderr,"[ACEXDESC ERROR] AccessDesc template is unavailable, please configure RSF file\n");
+	if (!desc || !dependency_list) {
+		fprintf(stderr, "[ACEXDESC ERROR] AccessDesc template is unavailable, please configure RSF file\n");
 		return CANNOT_SIGN_ACCESSDESC;
 	}
 
-	if(!pre_sign && exhdrset->keys->rsa.requiresPresignedDesc){
-		fprintf(stderr,"[ACEXDESC ERROR] This AccessDesc template needs to be signed, the current keyset is incapable of doing so. Please configure RSF file with the appropriate signature data.\n");
-		return CANNOT_SIGN_ACCESSDESC;
-	}
-	
 	// Setting data in Exheader
 	// Dependency List
 	memcpy(exhdrset->exHdr->dependencyList, dependency_list->dependency, 0x180);
@@ -148,7 +147,7 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 	memcpy(ProgramID, exhdrset->exHdr->arm11SystemLocalCapabilities.programId, 8);
 	memcpy(&StorageInfoBackup, &exhdrset->exHdr->arm11SystemLocalCapabilities.storageInfo, sizeof(exhdr_StorageInfo));
 	memcpy(&Arm9Desc, &exhdrset->exHdr->arm9AccessControlInfo, sizeof(exhdr_ARM9AccessControlInfo));
-	
+
 	// Setting Preset Data
 	memcpy(&exhdrset->exHdr->arm11SystemLocalCapabilities, desc->exheader_desc, 0x200);
 
@@ -158,17 +157,22 @@ int accessdesc_GetSignFromPreset(exheader_settings *exhdrset)
 	memcpy(&exhdrset->exHdr->arm9AccessControlInfo, &Arm9Desc, sizeof(exhdr_ARM9AccessControlInfo));
 
 
-	// Setting AccessDesc Area
-	// Signing normally if possible
-	if(!exhdrset->keys->rsa.requiresPresignedDesc) 
+	// Setting AccessDesc Area		
+	// If presign available set static data & ncch hdr sig info
+	if (pre_sign)
+	{
+		memcpy(exhdrset->keys->rsa.cxi.pub, pre_sign->modulus, 0x100);
+		memcpy(exhdrset->keys->rsa.cxi.pvt, pre_sign->priv_exponent, 0x100);
+		memcpy(&exhdrset->acexDesc->signature, pre_sign->access_desc_signature, 0x100);
+		memcpy(&exhdrset->acexDesc->ncchRsaPubKey, pre_sign->modulus, 0x100);
+		memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities, desc->signed_desc, 0x200);
+	}
+	// otherwise sign properly
+	else
+	{
 		return accessdesc_SignWithKey(exhdrset);
-
-	// Otherwise set static data & ncch hdr sig info
-	memcpy(exhdrset->keys->rsa.cxiHdrPub, pre_sign->modulus, 0x100);
-	memcpy(exhdrset->keys->rsa.cxiHdrPvt, pre_sign->priv_exponent, 0x100);
-	memcpy(&exhdrset->acexDesc->signature, pre_sign->access_desc_signature, 0x100);
-	memcpy(&exhdrset->acexDesc->ncchRsaPubKey, pre_sign->modulus, 0x100);
-	memcpy(&exhdrset->acexDesc->arm11SystemLocalCapabilities, desc->signed_desc, 0x200);
+	}
+	
 
 	return 0;
 }
diff --git a/makerom/exheader.c b/makerom/exheader.c
index dbb183ec..f84f0981 100644
--- a/makerom/exheader.c
+++ b/makerom/exheader.c
@@ -58,14 +58,14 @@ int SignAccessDesc(access_descriptor *acexDesc, keys_struct *keys)
 {
 	u8 *data = (u8*) &acexDesc->ncchRsaPubKey;
 	u8 *sign = (u8*) &acexDesc->signature;
-	return RsaSignVerify(data,0x300,sign,keys->rsa.acexPub,keys->rsa.acexPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	return RsaSignVerify(data, 0x300, sign, keys->rsa.acex.pub, keys->rsa.acex.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
 }
 
 int CheckAccessDescSignature(access_descriptor *acexDesc, keys_struct *keys)
 {
 	u8 *data = (u8*) &acexDesc->ncchRsaPubKey;
 	u8 *sign = (u8*) &acexDesc->signature;
-	return RsaSignVerify(data,0x300,sign,keys->rsa.acexPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	return RsaSignVerify(data,0x300,sign,keys->rsa.acex.pub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 }
 
 /* ExHeader Build Functions */
diff --git a/makerom/keyset.c b/makerom/keyset.c
index b8c26716..dbdec4d3 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -15,12 +15,6 @@ int SetNcchKeyX(keys_struct *keys, const u8 *keyX, u8 index);
 void keysetOpenError(char *file);
 FILE* keyset_OpenFile(char *dir, char *name, bool FileRequired);
 
-int SetTIK_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
-int SetTMD_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
-int Set_CCI_CFA_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
-int SetAccessDesc_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
-int SetCXI_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus);
-
 int SetCaCert(keys_struct *keys, const u8 *cert);
 int SetTikCert(keys_struct *keys, const u8 *cert);
 int SetTmdCert(keys_struct *keys, const u8 *cert);
@@ -28,17 +22,21 @@ int SetTmdCert(keys_struct *keys, const u8 *cert);
 int LoadKeysFromResources(keys_struct *keys);
 void SetDummyRsaData(keys_struct *keys);
 int LoadKeysFromKeyfile(keys_struct *keys);
-void CheckAccessDescKey(keys_struct *keys);
 void DumpKeyset(keys_struct *keys);
 
+
+
 // Code
 void InitKeys(keys_struct *keys)
 {
 	memset(keys,0,sizeof(keys_struct));
 	InitCommonKeySlots(keys);
 	InitNcchKeyXSlots(keys);
-	keys->rsa.cxiHdrPub = malloc(RSA_2048_KEY_SIZE);
-	keys->rsa.cxiHdrPvt = malloc(RSA_2048_KEY_SIZE);
+	Rsa2048Key_Alloc(&keys->rsa.xs);
+	Rsa2048Key_Alloc(&keys->rsa.cp);
+	Rsa2048Key_Alloc(&keys->rsa.cciCfa);
+	Rsa2048Key_Alloc(&keys->rsa.acex);
+	Rsa2048Key_Alloc(&keys->rsa.cxi);
 	keys->aes.ncchKey0 = malloc(AES_128_KEY_SIZE);
 	keys->aes.ncchKey1 = malloc(AES_128_KEY_SIZE);
 }
@@ -50,23 +48,21 @@ void PrintBadKeySize(char *path, u32 size)
 
 int SetKeys(keys_struct *keys)
 {	
-	int result = 0;
-	result = LoadKeysFromResources(keys);
-	if(result) return KEYSET_ERROR;
+	if (LoadKeysFromResources(keys) != 0)
+	{
+		return KEYSET_ERROR;
+	}
 
-	if(!keys->keysetLoaded){
-		result = LoadKeysFromKeyfile(keys);
-		if(result) return KEYSET_ERROR;
+	if (!keys->keysetLoaded)
+	{
+		return KEYSET_ERROR;
 	}
-	
-	if(keys->rsa.isFalseSign)
-		SetDummyRsaData(keys);
 
-	CheckAccessDescKey(keys);
-	
-	if(keys->dumpkeys)
+	if (keys->dumpkeys)
+	{
 		DumpKeyset(keys);
-
+	}
+		
 	return 0;
 }
 
@@ -84,8 +80,10 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetNormalKey(keys,zeros_aesKey);
 		SetSystemFixedKey(keys,zeros_aesKey);
 
-		/* RSA Keys */
-		keys->rsa.isFalseSign = true;		
+		/* Certs */
+		SetCaCert(keys, ca3_tpki_cert);
+		SetTikCert(keys, xsC_tpki_cert);
+		SetTmdCert(keys, cpB_tpki_cert);
 	}
 	else if(keys->keyset == pki_DEVELOPMENT){
 		keys->keysetLoaded = true;
@@ -105,15 +103,14 @@ int LoadKeysFromResources(keys_struct *keys)
 		for(int i = 0; i < 4; i++)
 			SetNcchKeyX(keys, dev_unfixed_ncch_keyX[i],i);
 		
-
 		/* RSA Keys */
 		// CIA
-		SetTIK_RsaKey(keys, xs9_dpki_rsa.priv_exponent, xs9_dpki_rsa.modulus);
-		SetTMD_RsaKey(keys, cpA_dpki_rsa.priv_exponent, cpA_dpki_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.xs, xs9_dpki_rsa.priv_exponent, xs9_dpki_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.cp, cpA_dpki_rsa.priv_exponent, cpA_dpki_rsa.modulus);
 		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys, dev_ncsd_cfa_rsa.priv_exponent, dev_ncsd_cfa_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.cciCfa, dev_ncsd_cfa_rsa.priv_exponent, dev_ncsd_cfa_rsa.modulus);
 		// CXI
-		SetAccessDesc_RsaKey(keys, dev_accessdesc_rsa.priv_exponent, dev_accessdesc_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.acex, dev_accessdesc_rsa.priv_exponent, dev_accessdesc_rsa.modulus);
 	
 		/* Certs */
 		SetCaCert(keys, ca4_dpki_cert);
@@ -140,12 +137,12 @@ int LoadKeysFromResources(keys_struct *keys)
 
 		/* RSA Keys */
 		// CIA
-		SetTIK_RsaKey(keys, xsC_ppki_rsa.priv_exponent, xsC_ppki_rsa.modulus);
-		SetTMD_RsaKey(keys, cpB_ppki_rsa.priv_exponent, cpB_ppki_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.xs, xsC_ppki_rsa.priv_exponent, xsC_ppki_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.cp, cpB_ppki_rsa.priv_exponent, cpB_ppki_rsa.modulus);
 		// CCI/CFA
-		Set_CCI_CFA_RsaKey(keys, prod_ncsd_cfa_rsa.priv_exponent, prod_ncsd_cfa_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.cciCfa, prod_ncsd_cfa_rsa.priv_exponent, prod_ncsd_cfa_rsa.modulus);
 		// CXI
-		SetAccessDesc_RsaKey(keys, prod_accessdesc_rsa.priv_exponent, prod_accessdesc_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.acex, prod_accessdesc_rsa.priv_exponent, prod_accessdesc_rsa.modulus);
 	
 		/* Certs */
 		SetCaCert(keys, ca3_ppki_cert);
@@ -155,20 +152,22 @@ int LoadKeysFromResources(keys_struct *keys)
 	return 0;
 }
 
+/*
 void SetDummyRsaData(keys_struct *keys)
 {
-	if(!keys->rsa.xsPvt || !keys->rsa.xsPub)
-		SetTIK_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
-	if(!keys->rsa.cpPvt || !keys->rsa.cpPub)
-		SetTMD_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
-		
-	if(!keys->rsa.cciCfaPvt || !keys->rsa.cciCfaPub)
-		Set_CCI_CFA_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
-	
-	if(!keys->rsa.acexPvt || !keys->rsa.acexPub)
-		SetAccessDesc_RsaKey(keys, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+	// CIA
+	if (Rsa2048Key_CanSign(&keys->rsa.xs) == false)
+		Rsa2048Key_Set(&keys->rsa.xs, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+	if (Rsa2048Key_CanSign(&keys->rsa.cp) == false)
+		Rsa2048Key_Set(&keys->rsa.cp, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+	// CCI/CFA
+	if (Rsa2048Key_CanSign(&keys->rsa.cciCfa) == false)
+		Rsa2048Key_Set(&keys->rsa.cciCfa, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+	// CXI
+	if (Rsa2048Key_CanSign(&keys->rsa.acex) == false)
+		Rsa2048Key_Set(&keys->rsa.acex, tpki_rsa.priv_exponent, tpki_rsa.modulus);
 
-	/* Certs */
+	// Certs
 	if(!keys->certs.caCert)
 		SetCaCert(keys, ca3_tpki_cert);
 	if(!keys->certs.xsCert)
@@ -176,24 +175,7 @@ void SetDummyRsaData(keys_struct *keys)
 	if(!keys->certs.cpCert)
 		SetTmdCert(keys, cpB_tpki_cert);
 }
-
-int LoadKeysFromKeyfile(keys_struct *keys)
-{
-	printf("[KEYSET ERROR] Custom keys not supported\n");
-	return -1;
-}
-
-void CheckAccessDescKey(keys_struct *keys)
-{
-	// Checking if AccessDesc can be signed
-	u8 *tmp = calloc(1,RSA_2048_KEY_SIZE);
-	if(memcmp(tmp,keys->rsa.acexPvt,RSA_2048_KEY_SIZE) == 0)
-		keys->rsa.requiresPresignedDesc = true;
-	else 
-		keys->rsa.requiresPresignedDesc = false;
-
-	free(tmp);
-}
+*/
 
 void DumpKeyset(keys_struct *keys)
 {
@@ -245,17 +227,17 @@ void DumpKeyset(keys_struct *keys)
 	}
 
 	printf(" > TIK RSA Keys\n");
-	memdump(stdout," [PUB]      ",keys->rsa.xsPub,0x100);
-	memdump(stdout," [PVT]      ",keys->rsa.xsPvt,0x100);
+	memdump(stdout," [PUB]      ",keys->rsa.xs.pub,0x100);
+	memdump(stdout," [PVT]      ",keys->rsa.xs.pvt,0x100);
 	printf(" > TMD RSA Keys\n");
-	memdump(stdout," [PUB]      ",keys->rsa.cpPub,0x100);
-	memdump(stdout," [PVT]      ",keys->rsa.cpPvt,0x100);
+	memdump(stdout," [PUB]      ",keys->rsa.cp.pub,0x100);
+	memdump(stdout," [PVT]      ",keys->rsa.cp.pvt,0x100);
 	printf(" > AcexDesc RSA Keys\n");
-	memdump(stdout," [PUB]      ",keys->rsa.acexPub,0x100);
-	memdump(stdout," [PVT]      ",keys->rsa.acexPvt,0x100);
+	memdump(stdout," [PUB]      ",keys->rsa.acex.pub,0x100);
+	memdump(stdout," [PVT]      ",keys->rsa.acex.pvt,0x100);
 	printf(" > NcsdCfa RSA Keys\n");
-	memdump(stdout," [PUB]      ",keys->rsa.cciCfaPub,0x100);
-	memdump(stdout," [PVT]      ",keys->rsa.cciCfaPvt,0x100);
+	memdump(stdout," [PUB]      ",keys->rsa.cciCfa.pub,0x100);
+	memdump(stdout," [PVT]      ",keys->rsa.cciCfa.pvt,0x100);
 }
 
 void keysetOpenError(char *file)
@@ -301,18 +283,11 @@ void FreeKeys(keys_struct *keys)
 	free(keys->aes.ncchKey1);
 	
 	// RSA
-	free(keys->rsa.xsPvt);
-	free(keys->rsa.xsPub);
-	free(keys->rsa.cpPvt);
-	free(keys->rsa.cpPub);
-
-	free(keys->rsa.cciCfaPvt);
-	free(keys->rsa.cciCfaPub);
-	
-	free(keys->rsa.acexPvt);
-	free(keys->rsa.acexPub);
-	free(keys->rsa.cxiHdrPub);
-	free(keys->rsa.cxiHdrPvt);
+	Rsa2048Key_Free(&keys->rsa.xs);
+	Rsa2048Key_Free(&keys->rsa.cp);
+	Rsa2048Key_Free(&keys->rsa.cciCfa);
+	Rsa2048Key_Free(&keys->rsa.acex);
+	Rsa2048Key_Free(&keys->rsa.cxi);
 	
 	// Certs
 	free(keys->certs.caCert);
@@ -378,43 +353,43 @@ int SetSystemFixedKey(keys_struct *keys, const u8 *key)
 	return CopyData(&keys->aes.systemFixedKey,key,16);
 }
 
-int SetTIK_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
+int SetCaCert(keys_struct *keys, const u8 *cert)
 {
 	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.xsPvt,priv_exp,&keys->rsa.xsPub,modulus);
+	return CopyData(&keys->certs.caCert,cert,0x400);
 }
-
-int SetTMD_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
+int SetTikCert(keys_struct *keys, const u8 *cert)
 {
 	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.cpPvt,priv_exp,&keys->rsa.cpPub,modulus);
+	return CopyData(&keys->certs.xsCert,cert,0x300);
 }
 
-int Set_CCI_CFA_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
+int SetTmdCert(keys_struct *keys, const u8 *cert)
 {
 	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.cciCfaPvt,priv_exp,&keys->rsa.cciCfaPub,modulus);
+	return CopyData(&keys->certs.cpCert,cert,0x400);
 }
 
-int SetAccessDesc_RsaKey(keys_struct *keys, const u8 *priv_exp, const u8 *modulus)
+void Rsa2048Key_Alloc(rsa2048_key* key)
 {
-	if(!keys) return -1;
-	return SetRsaKeySet(&keys->rsa.acexPvt,priv_exp,&keys->rsa.acexPub,modulus);
+	key->pub = malloc(RSA_2048_KEY_SIZE);
+	key->pvt = malloc(RSA_2048_KEY_SIZE);
 }
 
-int SetCaCert(keys_struct *keys, const u8 *cert)
+void Rsa2048Key_Free(rsa2048_key* key)
 {
-	if(!keys) return -1;
-	return CopyData(&keys->certs.caCert,cert,0x400);
+	free(key->pub);
+	free(key->pvt);
 }
-int SetTikCert(keys_struct *keys, const u8 *cert)
+
+void Rsa2048Key_Set(rsa2048_key* key, const u8* pvt, const u8* pub)
 {
-	if(!keys) return -1;
-	return CopyData(&keys->certs.xsCert,cert,0x300);
+	memcpy(key->pub, pub, RSA_2048_KEY_SIZE);
+	memcpy(key->pvt, pvt, RSA_2048_KEY_SIZE);
 }
 
-int SetTmdCert(keys_struct *keys, const u8 *cert)
+bool Rsa2048Key_CanSign(const rsa2048_key* key)
 {
-	if(!keys) return -1;
-	return CopyData(&keys->certs.cpCert,cert,0x400);
+	static const u8 rsa2048[RSA_2048_KEY_SIZE] = { 0 };
+	return memcmp(key->pub, rsa2048, RSA_2048_KEY_SIZE) != 0 || memcmp(key->pvt, rsa2048, RSA_2048_KEY_SIZE) != 0;
 }
\ No newline at end of file
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 4ab18ff9..ba3f8748 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -31,11 +31,18 @@ typedef enum
 
 // Structs
 
+typedef struct
+{
+	u8 *pub;
+	u8 *pvt;
+} rsa2048_key;
+
 typedef struct
 {
 	pki_keyset keyset;
 	bool keysetLoaded;
 	bool dumpkeys;
+	bool ignore_sign;
 
 	struct
 	{
@@ -60,23 +67,16 @@ typedef struct
 	
 	struct
 	{
-		bool isFalseSign;
 		// CIA RSA
-		u8 *cpPvt;
-		u8 *cpPub;
-		u8 *xsPvt;
-		u8 *xsPub;
+		rsa2048_key cp;
+		rsa2048_key xs;
 		
 		// CCI/CFA
-		u8 *cciCfaPvt;
-		u8 *cciCfaPub;
-		
+		rsa2048_key cciCfa;
+
 		// CXI
-		bool requiresPresignedDesc;
-		u8 *acexPvt;
-		u8 *acexPub;
-		u8 *cxiHdrPub;
-		u8 *cxiHdrPvt;
+		rsa2048_key acex;
+		rsa2048_key cxi;
 	} rsa;
 	
 	struct
@@ -96,4 +96,9 @@ void FreeKeys(keys_struct *keys);
 int SetCommonKey(keys_struct *keys, const u8 *key, u8 Index);
 int SetCurrentCommonKey(keys_struct *keys, u8 Index);
 int SetNormalKey(keys_struct *keys, const u8 *key);
-int SetSystemFixedKey(keys_struct *keys, const u8 *key);
\ No newline at end of file
+int SetSystemFixedKey(keys_struct *keys, const u8 *key);
+
+void Rsa2048Key_Alloc(rsa2048_key* key);
+void Rsa2048Key_Free(rsa2048_key* key);
+void Rsa2048Key_Set(rsa2048_key* key, const u8* pvt, const u8* pub);
+bool Rsa2048Key_CanSign(const rsa2048_key* key);
\ No newline at end of file
diff --git a/makerom/ncch.c b/makerom/ncch.c
index b400ec86..43646d60 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -36,17 +36,27 @@ bool IsValidProductCode(char *ProductCode, bool FreeProductCode);
 // Code
 int SignCFA(ncch_hdr *hdr, keys_struct *keys)
 {
-	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	if (RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	{
+		printf("[NCCH WARNING] Failed to sign CFA header\n");
+		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
+	}
+	return 0;
 }
 
 int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys)
 {
-	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfaPub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfa.pub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
 }
 
 int SignCXI(ncch_hdr *hdr, keys_struct *keys)
 {
-	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cxiHdrPub,keys->rsa.cxiHdrPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	if (RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cxi.pub, keys->rsa.cxi.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	{
+		printf("[NCCH WARNING] Failed to sign CXI header\n");
+		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
+	}
+	return 0;
 }
 
 int CheckCXISignature(ncch_hdr *hdr, u8 *pubk)
@@ -748,11 +758,14 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 	}
 
 	if(IsCfa(hdr)){
-		if(CheckCFASignature(hdr,keys) != Good && !keys->rsa.isFalseSign){
+		if(CheckCFASignature(hdr,keys) != Good){
 			if(!SuppressOutput) 
-				fprintf(stderr,"[NCCH ERROR] CFA Sigcheck Failed\n");
-			free(ncchInfo);
-			return NCCH_HDR_SIG_BAD;
+				fprintf(keys->ignore_sign ? stdout :stderr,"[NCCH %s] CFA Sigcheck Failed\n", keys->ignore_sign ? "WARNING" : "ERROR");
+			if (!keys->ignore_sign)
+			{
+				free(ncchInfo);
+				return NCCH_HDR_SIG_BAD;
+			}
 		}
 		if(!ncchInfo->romfsSize){
 			if(!SuppressOutput) 
@@ -813,19 +826,29 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 		if(IsNcchEncrypted(hdr))
 			CryptNcchRegion((u8*)acexDesc,ncchInfo->acexSize,ncchInfo->exhdrSize,ncchInfo->titleId,keys->aes.ncchKey0,ncch_exhdr);
 
-		if(CheckAccessDescSignature(acexDesc,keys) != 0 && !keys->rsa.isFalseSign){
-			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] AccessDesc Sigcheck Failed\n");
-			free(ncchInfo);
-			free(acexDesc);
-			return ACCESSDESC_SIG_BAD;
+
+		if(CheckAccessDescSignature(acexDesc,keys) != Good){
+			if (!SuppressOutput) 
+				fprintf(keys->false_sign? stdout : stderr, "[NCCH %s] AccessDesc Sigcheck Failed\n", keys->ignore_sign ? "WARNING" : "ERROR");
+			if (!keys->ignore_sign)
+			{
+				free(ncchInfo);
+				free(acexDesc);
+				return ACCESSDESC_SIG_BAD;
+			}
 		}
 				
-		if(CheckCXISignature(hdr,GetAcexNcchPubKey(acexDesc)) != 0 && !keys->rsa.isFalseSign){
-			if(!SuppressOutput) fprintf(stderr,"[NCCH ERROR] CXI Header Sigcheck Failed\n");
-			free(ncchInfo);			
-			free(acexDesc);
-			return NCCH_HDR_SIG_BAD;
+		if(CheckCXISignature(hdr,GetAcexNcchPubKey(acexDesc)) != Good){
+			if (!SuppressOutput) 
+				fprintf(keys->ignore_sign ? stdout : stderr,"[NCCH %s] CXI Header Sigcheck Failed\n", keys->ignore_sign ? "WARNING" : "ERROR");
+			if (!keys->ignore_sign)
+			{
+				free(ncchInfo);
+				free(acexDesc);
+				return NCCH_HDR_SIG_BAD;
+			}	
 		}
+		
 	}
 
 	if(!CheckHash)
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index ba2a23bb..51e4b9ce 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -579,7 +579,12 @@ int GenCciHdr(cci_settings *set)
 	
 	
 	// Sign Header
-	RsaSignVerify(&hdr->magic,sizeof(cci_hdr)-RSA_2048_KEY_SIZE,hdr->signature,set->keys->rsa.cciCfaPub,set->keys->rsa.cciCfaPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	if (RsaSignVerify(&hdr->magic, sizeof(cci_hdr) - RSA_2048_KEY_SIZE, hdr->signature, set->keys->rsa.cciCfa.pub, set->keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	{
+		printf("[NCSD WARNING] Failed to sign header\n");
+		memset(hdr->signature, 0xFF, 0x100);
+	}
+	
 	
 	return 0;
 }
diff --git a/makerom/tik.c b/makerom/tik.c
index 9267baa9..fb219ae5 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -81,7 +81,13 @@ int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
 	clrmem(sig,sizeof(tik_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
 	
-	return RsaSignVerify(data,len,sig->data,keys->rsa.xsPub,keys->rsa.xsPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	if (RsaSignVerify(data, len, sig->data, keys->rsa.xs.pub, keys->rsa.xs.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	{
+		printf("[TIK WARNING] Failed to sign header\n");
+		memset(sig->data, 0xFF, 0x100);
+	}
+
+	return 0;
 }
 
 int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode)
diff --git a/makerom/tmd.c b/makerom/tmd.c
index 9407ef60..c7c54492 100644
--- a/makerom/tmd.c
+++ b/makerom/tmd.c
@@ -71,7 +71,13 @@ int SignTMDHeader(tmd_hdr *hdr, tmd_signature *sig, keys_struct *keys)
 	clrmem(sig,sizeof(tmd_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
 	
-	return RsaSignVerify((u8*)hdr,sizeof(tmd_hdr),sig->data,keys->rsa.cpPub,keys->rsa.cpPvt,RSA_2048_SHA256,CTR_RSA_SIGN);
+	if (RsaSignVerify((u8*)hdr, sizeof(tmd_hdr), sig->data, keys->rsa.cp.pub, keys->rsa.cp.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	{
+		printf("[TMD WARNING] Failed to sign header\n");
+		memset(sig->data, 0xFF, 0x100);
+	}
+
+	return 0;
 }
 
 int SetupTMDInfoRecord(tmd_content_info_record *info_record, u8 *content_record, u16 ContentCount)
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 5089591d..f995857a 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -85,6 +85,7 @@ void SetDefaults(user_settings *set)
 	// Target Info
 	set->common.keys.keyset = pki_TEST;
 	set->common.keys.accessDescSign.presetType = desc_NotSpecified;
+	set->common.keys.ignore_sign = false;
 
 	// Build NCCH Info
 	set->ncch.useSecCrypto = true;
@@ -195,6 +196,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		return 2;
 	}
+	/*
 	else if (strcmp(argv[i], "-ckeyid") == 0) {
 		if (ParamNum != 1) {
 			PrintArgReqParam(argv[i], 1);
@@ -222,6 +224,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		return 2;
 	}
+	*/
 	else if (strcmp(argv[i], "-showkeys") == 0) {
 		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
@@ -230,12 +233,12 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->common.keys.dumpkeys = true;
 		return 1;
 	}
-	else if (strcmp(argv[i], "-fsign") == 0) {
+	else if (strcmp(argv[i], "-ignoresign") == 0) {
 		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
 			return USR_BAD_ARG;
 		}
-		set->common.keys.rsa.isFalseSign = true;
+		set->common.keys.ignore_sign = true;
 		return 1;
 	}
 
@@ -949,10 +952,11 @@ void DisplayExtendedHelp(char *app_name)
 	printf("                                    't' Test(false) Keys & prod Certs\n");
 	printf("                                    'd' Development Keys & Certs\n");
 	printf("                                    'p' Production Keys & Certs\n");
-	printf(" -ckeyid        <index>             Override the automatic common key selection\n");
-	printf(" -ncchseckey    <index>             Ncch keyX index ('0'=1.0+, '1'=7.0+)\n");
+	//printf(" -ckeyid        <index>             Override the automatic common key selection\n");
+	//printf(" -ncchseckey    <index>             Ncch keyX index ('0'=1.0+, '1'=7.0+)\n");
 	printf(" -showkeys                          Display the loaded key chain\n");
-	printf(" -fsign                             Ignore invalid signatures\n");
+	//printf(" -fsign                             False sign digital signatures\n");
+	printf(" -ignoresign                        Ignore invalid signatures\n");
 	printf("NCCH OPTIONS:\n");
 	printf(" -elf           <file>              ELF file\n");
 	printf(" -icon          <file>              Icon file\n");

From 7e4c0d7a608663d26570b76aaff6739e57f4e921 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 28 May 2017 11:39:14 +0800
Subject: [PATCH 196/317] [ctrtool] Replace specifying a specific seed, with a
 seeddb.

---
 ctrtool/keyset.cpp | 33 ++++++++++++++++++++++++++++++---
 ctrtool/keyset.h   | 20 ++++++++++++++++++--
 ctrtool/main.c     |  6 +++---
 ctrtool/ncch.c     |  6 +++---
 ctrtool/settings.c | 13 ++++++++++---
 ctrtool/settings.h |  2 +-
 6 files changed, 65 insertions(+), 15 deletions(-)

diff --git a/ctrtool/keyset.cpp b/ctrtool/keyset.cpp
index 0341cbe5..609b7d70 100644
--- a/ctrtool/keyset.cpp
+++ b/ctrtool/keyset.cpp
@@ -232,7 +232,12 @@ void keyset_merge(keyset* keys, keyset* src)
 	COPY_IF_VALID(ncchkeyX_seven);
 	COPY_IF_VALID(ncchkeyX_ninethree);
 	COPY_IF_VALID(ncchkeyX_ninesix);
-	COPY_IF_VALID(seed);
+	if (src->seed_num > 0)
+	{
+		keys->seed_num = src->seed_num;
+		keys->seed_db = (seeddb_entry*)calloc(src->seed_num, sizeof(seeddb_entry));
+		memcpy(keys->seed_db, src->seed_db, src->seed_num * sizeof(seeddb_entry));
+	}
 
 #undef COPY_IF_VALID
 }
@@ -283,9 +288,31 @@ void keyset_parse_ncchkeyX_ninesix(keyset* keys, char* keytext, int keylen)
 	keyset_parse_key128(&keys->ncchkeyX_ninesix, keytext, keylen);
 }
 
-void keyset_parse_seed(keyset* keys, char* keytext, int keylen)
+void keyset_parse_seeddb(keyset* keys, char* path)
 {
-	keyset_parse_key128(&keys->seed, keytext, keylen);
+	//keyset_parse_key128(&keys->seed, keytext, keylen);
+	FILE* fp = fopen(path, "rb");
+	if (fp == NULL)
+	{
+		printf("[ERROR] Failed to load SeedDB (failed to open file)\n");
+		return;
+	}
+
+	seeddb_header hdr;
+	fread(&hdr, sizeof(seeddb_header), 1, fp);
+
+	u32 n_entries = getle32(hdr.n_entries);
+	for (u32 i = 0; i < 0xC; i++)
+	{
+		if (hdr.padding[i] != 0x00)
+		{
+			printf("[ERROR] SeedDB is corrupt. (padding malformed)\n");
+			return;
+		}
+	}
+	
+	keys->seed_db = (seeddb_entry*)calloc(n_entries, sizeof(seeddb_entry));
+	fread(keys->seed_db, n_entries * sizeof(seeddb_entry), 1, fp);
 }
 
 void keyset_dump_rsakey(rsakey2048* key, const char* keytitle)
diff --git a/ctrtool/keyset.h b/ctrtool/keyset.h
index 5f71d907..3d6610fb 100644
--- a/ctrtool/keyset.h
+++ b/ctrtool/keyset.h
@@ -21,6 +21,20 @@ typedef enum
 	RSAKEY_PUB
 } rsakeytype;
 
+typedef struct
+{
+	u8 title_id[8];
+	u8 seed[0x10];
+	u8 padding[0x8];
+} seeddb_entry;
+
+typedef struct
+{
+	u8 n_entries[4];
+	u8 padding[0xC];
+} seeddb_header;
+
+
 typedef struct
 {
 	unsigned char n[256];
@@ -42,8 +56,10 @@ typedef struct
 
 typedef struct
 {
+	u32 seed_num;
+	seeddb_entry* seed_db;
+
 	key128 titlekey;
-	key128 seed;
 	key128 commonkeyX;
 	key128 ncchfixedsystemkey;
 	key128 ncchkeyX_old;
@@ -66,7 +82,7 @@ void keyset_parse_ncchfixedsystemkey(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchkeyX_seven(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchkeyX_ninethree(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchkeyX_ninesix(keyset* keys, char* keytext, int keylen);
-void keyset_parse_seed(keyset* keys, char* keytext, int keylen);
+void keyset_parse_seeddb(keyset* keys, char* path);
 void keyset_dump(keyset* keys);
 
 #ifdef __cplusplus
diff --git a/ctrtool/main.c b/ctrtool/main.c
index 393d272d..17113746 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -58,7 +58,7 @@ static void usage(const char *argv0)
 		   "  --titlekey=key     Set tik title key.\n"
 		   "  --ncchkey=key      Set ncch key.\n"
 		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
-		   "  --seed=key         Set seed for ncch seed crypto.\n"
+		   "  --seeddb=file      Set seeddb for ncch seed crypto.\n"
 		   "  --showkeys         Show the keys being used.\n"
 		   "  --showsyscalls     Show system call names instead of numbers.\n"
 		   "  -t, --intype=type	 Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
@@ -156,7 +156,7 @@ int main(int argc, char* argv[])
 			{"ncchkeyxseven", 1, NULL, 25},
 			{"ncchkeyxninethree", 1, NULL, 26},
 			{"ncchkeyxninesix", 1, NULL, 27},
-			{"seed", 1, NULL, 28},
+			{"seeddb", 1, NULL, 28},
 			{NULL},
 		};
 
@@ -254,7 +254,7 @@ int main(int argc, char* argv[])
 			case 25: keyset_parse_ncchkeyX_seven(&tmpkeys, optarg, strlen(optarg)); break;
 			case 26: keyset_parse_ncchkeyX_ninethree(&tmpkeys, optarg, strlen(optarg)); break;
 			case 27: keyset_parse_ncchkeyX_ninesix(&tmpkeys, optarg, strlen(optarg)); break;
-			case 28: keyset_parse_seed(&tmpkeys, optarg, strlen(optarg)); break;
+			case 28: keyset_parse_seeddb(&tmpkeys, optarg); break;
 
 			default:
 				usage(argv[0]);
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 1c9f9ee8..a847ac20 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -549,11 +549,11 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 		if (header->flags[7] & 0x20)
 		{
 			ctx->encrypted = NCCHCRYPTO_SEED;
-			seed = settings_get_seed(ctx->usersettings);
+			seed = settings_get_seed(ctx->usersettings, getle64(header->partitionid));
 			if (!seed)
 			{
-				fprintf(stderr, "This title uses seed crypto, but no seed is set, unable to decrypt.\n"
-						"Use -p to avoid decryption or use --seed=SEEDHERE to provide the seed.\n");
+				fprintf(stderr, "This title uses seed crypto, but no seed is set in seedDB, unable to decrypt.\n"
+						"Use -p to avoid decryption or use --seeddb=dbfile to specify the seedDB.\n");
 				ctx->encrypted = NCCHCRYPTO_BROKEN;
 				return;
 			}
diff --git a/ctrtool/settings.c b/ctrtool/settings.c
index 95f7dbd3..15523b01 100644
--- a/ctrtool/settings.c
+++ b/ctrtool/settings.c
@@ -173,9 +173,16 @@ unsigned char* settings_get_common_keyX(settings* usersettings)
 	GETKEY(usersettings, commonkeyX);
 }
 
-unsigned char* settings_get_seed(settings* usersettings)
-{
-	GETKEY(usersettings, seed);
+unsigned char* settings_get_seed(settings* usersettings, u64 title_id)
+{
+	for (u32 i = 0; i < usersettings->keys.seed_num; i++)
+	{
+		if (title_id == getle64(usersettings->keys.seed_db[i].title_id))
+		{
+			return usersettings->keys.seed_db[i].seed;
+		}
+	}
+	return NULL;
 }
 
 unsigned char* settings_get_title_key(settings* usersettings)
diff --git a/ctrtool/settings.h b/ctrtool/settings.h
index c3f819f0..c90947b2 100644
--- a/ctrtool/settings.h
+++ b/ctrtool/settings.h
@@ -52,7 +52,7 @@ unsigned char* settings_get_ncchkeyX_seven(settings* usersettings);
 unsigned char* settings_get_ncchkeyX_ninethree(settings* usersettings);
 unsigned char* settings_get_ncchkeyX_ninesix(settings* usersettings);
 unsigned char* settings_get_common_keyX(settings* usersettings);
-unsigned char* settings_get_seed(settings* usersettings);
+unsigned char* settings_get_seed(settings* usersettings, u64 title_id);
 unsigned char* settings_get_title_key(settings* usersettings);
 int settings_get_ignore_programid(settings* usersettings);
 int settings_get_list_romfs_files(settings* usersettings);

From b0896ecee25d8d08bbc633161fd151d7958c0b24 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 28 May 2017 11:57:14 +0800
Subject: [PATCH 197/317] [makerom] Typo

---
 makerom/ncch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/ncch.c b/makerom/ncch.c
index 43646d60..af7996e6 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -829,7 +829,7 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 
 		if(CheckAccessDescSignature(acexDesc,keys) != Good){
 			if (!SuppressOutput) 
-				fprintf(keys->false_sign? stdout : stderr, "[NCCH %s] AccessDesc Sigcheck Failed\n", keys->ignore_sign ? "WARNING" : "ERROR");
+				fprintf(keys->ignore_sign ? stdout : stderr, "[NCCH %s] AccessDesc Sigcheck Failed\n", keys->ignore_sign ? "WARNING" : "ERROR");
 			if (!keys->ignore_sign)
 			{
 				free(ncchInfo);

From d185b18f27945d52d868f9c28b610b56e3cb5222 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 28 May 2017 13:52:32 +0800
Subject: [PATCH 198/317] [ctrtool] fix bug with seeddb

---
 .gitignore                |   1 +
 .vs/ProjectSettings.json  |   3 +++
 .vs/VSWorkspaceState.json |   9 +++++++++
 ctrtool/ctrtool           | Bin 0 -> 262759 bytes
 ctrtool/keyset.cpp        |   6 +++---
 ctrtool/seeddb.bin        | Bin 0 -> 40752 bytes
 makerom/makerom           | Bin 0 -> 438222 bytes
 7 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 .vs/ProjectSettings.json
 create mode 100644 .vs/VSWorkspaceState.json
 create mode 100644 ctrtool/ctrtool
 create mode 100644 ctrtool/seeddb.bin
 create mode 100644 makerom/makerom

diff --git a/.gitignore b/.gitignore
index 39b344f0..7872f095 100644
--- a/.gitignore
+++ b/.gitignore
@@ -228,3 +228,4 @@ pip-log.txt
 #exec
 *.exe
 *.db
+/.vs/slnx.sqlite
diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json
new file mode 100644
index 00000000..f8b48885
--- /dev/null
+++ b/.vs/ProjectSettings.json
@@ -0,0 +1,3 @@
+{
+  "CurrentProjectSetting": null
+}
\ No newline at end of file
diff --git a/.vs/VSWorkspaceState.json b/.vs/VSWorkspaceState.json
new file mode 100644
index 00000000..acb3db8b
--- /dev/null
+++ b/.vs/VSWorkspaceState.json
@@ -0,0 +1,9 @@
+{
+  "ExpandedNodes": [
+    "",
+    "\\ctrtool",
+    "\\makerom"
+  ],
+  "SelectedNode": "\\makerom\\keyset.c",
+  "PreviewInSolutionExplorer": false
+}
\ No newline at end of file
diff --git a/ctrtool/ctrtool b/ctrtool/ctrtool
new file mode 100644
index 0000000000000000000000000000000000000000..441e0dd4d0cd351d8af7ceb575de8d8cbd1a70e8
GIT binary patch
literal 262759
zcmd4434B!5^#?wa1c(@YQBk6zj5xMnQHi2WD$zVLfj62cvbzR^L{OFpGY|?&a5BJi
zoSM3~b-`9GtyZZEgh3!7KtQWSaKXCa2KNy*w-7|h|NFi7y_uJk^w;*^|L60^kC}JR
zIrrS{+;h%7_rCk)7ncl4^LjnbzckNf9;R0K3nfVX^?34v=`zhfg`PamG5Fit)63Hp
z=`IpR3~`0+ep_wU&Tpo~dOYNof&cT;6d*6HP(C=ny%ZQFsDDlk`OETB{|fC#^*eu%
zs;Beo@%SX3`B>Kj1qy$lV1k4@zn<<g>Dg4Oew}=*9`j{hrt)Q8rt&$z2keSDzfSwu
zHvT`-Zr{kXLZp~3<c}vH|E7LP%YVbZ3{B*-KcO=E6N4q(`K>uwCOyutlkXbjV?F=f
zf7v$SaJ#(D`X$@0zw>K1*K@&?$v0mz@Pa85&zmxNTDa=Gs=Q0iyJX<`GpC<_p=>w#
zlXmD;qhv{B!}{gmf7ZDN{%4O8KkdX@$DjF+OKyKN&GW{EEfdfF!`at;O<V!~cgAf&
zvDbH&w^ur0h4^2`|C<(c-}>l;)f@VqaZj)OuVcL~Tz~My7k_{7M9-uy&&&zlwj3m#
z{@V-2Cmsd6yc77aPT-%TVMpV$wG(>wi|;7q_U;6JuoFJ>K!3DyH*`Y(O(*o{cS3(p
zC-Ad6f#-JuKe3bkxu_HR*E*s9eJAwsPUtV{q(5)&gnoG^@LiphyQdTS7doN8x|8~R
z*a@F!I)UHR3I9_&p<mPqyrmO9w{$}Pd?)a#PT&Qdz=w4LH#(`$)K1`yo$#sYgnmjV
z^mlbKFJAA2&(cod>7DRj-3k5ZPT;@o1pY`T{Lk+M9_$1@zZ3ZSPWmCUllpY;gwGG1
z(2wqf{?1P5P1NTs&uJc?q3rEgr1|eP{7?9j4)7h|a{}O=plzQewa4>QluLN4P4C!e
z-J!SPjve*c^wk~cCxajL?SNAXZO-cF1^f_R*|SgqoWHP-GeZ+6{Oo76iI;fF%5IrD
zeOlSf(D)glvNBKE6|>5Qm)|mZW~h8d(UkEsXO_?Olm$nYmQ5_5VS`7O7EPHxt$gJ8
zo2Qg3+|e;*6RO6SRfcDjm(7|yBNQG##Zz|OwDD8%cjEYAv+y%=^i{b7%0N~%{^rTE
za&v!<XBJr&np0U`HhEgb^kP=8s;aEAe8$Y_)5cGk9GX)$YXJGoCZ7%rE(EiglaIpV
zx`|UzAR2zlgb8Ic+3s9V*{Er=Cr_J*#?A~+Ehln<(;<~JCQl1hluej)o2R^La>!FL
zy|R3oXJ%-|v<XuyJ<}^g$mf|nbNrObN#i{gq4FtH6tZ#-syl0@D?92F8b9GSvMQ?>
zKY5C0>TMGz&+vq%PnkZud<Ll5!RU91n>=%7<@gEZo{C$_Lo+=S#!s0teF7OzLE%%&
zr_L-7$wH@vr+O-8mY3f~AS+Z>R^ciVV>>;JI#-566BOO_O9sm1Oql_dte7xm`pj~&
z4owfEPIgH%Cybv~!RC#haSM<baMp0<G#7K!4EQn(|1F-1*)t}GP}>>h<Ix)vrcaxN
zo+sb&q3IR;Gnq9bR`w)Hn=okxDk3{qWw5i!?nOzig38LO&~qWyc<S_75Hob-j0xjI
zNmjDm95h>Ur;eXI%~OFYPoLp&s?55TdxjPjm0fiH08i1_vHIX(S?>84d4`q*2O|ma
zK=oX9;rY3#$Db#GDVUq|!t*cYWJ<IDqesY8hW&pU{6`1JU*a5y%H^coR9$7BZjwt1
zo^I#N@MHpijHKy;b%sO1XZ6nukMw&yI)2=+pUgQHs{_whtN{Lbkq4?p;s@Y&+Y7fL
zYZuQU;F%}X?>?xY3{Qq?4rsf0dLjdH{P)1GAA*~Fj3*m-!g@}ge4NMA&2ze)?jh4%
zJ?Gfz(5aJ;p(lNToerPIbeiW<r1`J)@(J>nzIVIzfvw-zE?rWnKaRd7oW8d6&(Vj3
z4|ag~b@VXdm$~4Mz9qcS1$Xo_;g`GMIfbg8-2h|%IsbevxZTAP)z<~Ln=0W0TyRIH
z6OreFvux*Ip$qQrAHxNAYzFfTbHUNk$$w*AaC<2!apPQY2ukwbBo{m@356YT!7=d3
ze^oB{@kyx1Q|*FlF8E>>+>tG!YhCaYT=b8);O=$B5*Pd=7yVKfoNGDf-!d2c6bFdk
zIv2dB3tsPnb8YDS+vI|u>HzV(#RZ48PyXBPf;%w-B6qmpXC$dT9^rzY>4G0{!MP@L
z{<XT`J_pEOJtenix!{>Dcpn!$+XXLj!E;>jvt4kX3+{Kp`?}!gxZnd^@SnKgc`o=*
zUGPE|ysryxxZwR<@L?|axi0uv7yM@~_&685zY9Le1wYRPuXMrBcfqS%@C#h<Y8QNf
z3%=L|&vn6TUGNKC@JC#5t{t6!OI+}Q4iLXfU2tipY}_&zJm8|QbHOih!RuY{pS$3j
zT<|;>e2WX7?}Bf4!GGa`?{L8{b-{%TKF9?(B6~88SeK7}cDBce)`z-?+kiA8>oXe_
zQQO5^foePFZT!`G7vhQONkm#Z+VJn3*O;aXx3<XiI;N?*t$LYGFrCiyGMRpnX{u^#
ziA?{QX{u<eR;GW?G*z=zEz`ecnr6bPl<E7Jri!-4$@JY!Q#D(|Wcn_qsgkWinf@iy
zRK?Z+nV!KkRj}og>06nm>b0_E`evr7axITcU&l06t##lC0Ot&6nkv@XA=6hdP1R~`
zk?FxqQ>9w<GW`ptsY<P7GJPS_RH4=qnLd~4lbNoS={`(Tm0Hy@eHznLp;o0#pU5;-
zr!`KdyE9FdX$_O<G^VL4twNdp{#>L_XL^84f6X*irsb3A-Aq$eTG=xF8PimemPe-l
z!8BE)b>K&~e=E~IrgzBnYfMuWT3cj#9n(~SR=rFon5K%emdW&sOjEU4OJw@bOjD&<
zwKDyCrm4!TYMK5m(^O$rrA*()G*y>1PNwf>nkvg0CewE@O;u$T%JeUpri!u#$n*@R
zshTXGOy9~hRg#r0(>F6sRb+W&`Z}hmf~*5S$nj^Is>j+P(^oJ}m1Av@>A_4>)mZg1
z{R^h4VytB{eIe6SE!Gm5K9^~#6suOI`!G$FVO7iYX-rd9Sd}t;BGXh6);O8&&NNkn
zHB6?{n5Igw3X#^wtfZTk=!+34&TZ322b(rhto2dFxqJ1IqYU%A+?EmMVPnA_<57=i
zq7lnDhn;JfHU2yRa_f!wtA0jtjJn&(=gd66YU-4d_*4EINF-?rfdNfZjo-i%|9xXT
z%Pbxch>s7qwUwB=fMt?OKwP;R8G$c^3dn5{bDr>engV|61F2t1;sJm5O5flKp2X;>
zgHgmj^Aqt$3`C^0Ep%d}b&j^E9LmD1Z}V@MG<&co*5%v_&i2GdwB@hUYPw<C=QnEi
z7J(wt>@A5;^cQM17b9iFAC*;(y)0{DfN9&~UQg@+m5jeE8v=0Tv&_IT-;2y=y~qP7
zDn{aKp7(lMR4WR#=pI1PEHV9kk7vz2s3sEZjBK{~HMAM3l<7>QwVG|HRpeEF1`<fE
zM&4MBOhtq@(t3=xXaNvtPTt(X9`qFHsJ_@q12C@Q)MZGZ;^dYD`fVVKOad<;5Ve+r
z<77Wq0u?WG_|K4Zdch&tRmT!uRV75*w3-#rui`C;4~91Os1$^W#znoPWN6VMRL@wj
zp7L`2jrtAxjrvV`S!3iL*_YW?KGcSt@LK&-iA<|E5->Kc=bi0YGf|FilVJw@nW8I-
ziq>m2han<HY@R=J%~YVpesm?k(W_7$yJsk5)_ar(Rh-XyEtSZyRwH4=3LZiUxm(fN
z)nJSgGOVX0;^I4iV0Te$6IeER^tCiyq6_GxzOmV+Su>GgfhvP^)&#|1ki!7ODBeW$
z*SbO>&IY2y{3>7y!#w!)^Rf^M&%w8h_%&_fc9Qm1q^<q`C23ERev1kjv5VjM*QBc<
zmeyvFIyFUOtd%P3eKPAV@!K_kJ*{AO{%dxh{sruQnPOMX&c0P;Ewb6Yj`?eimau{g
z0LyL3-6}?_d2VhLQ&`&1fnLLY<s`X+kaHB1Bd|?`wUEgP3bxyZok-Y^oIJ6M-<7aV
zJM&@IbE_hK*3Nzsv#(LGhi%y3Uj^*X3Ksd-EKerO`HFPxzb3usIgpM7sVyso)=-(R
zz=wRYJBEHQ)gHRzJl3kOV(YbQWwBO06l^b)H9KSjVIBp0--bO&*dDM#hitH6cM!H+
z!TxH)t|e@}f<0!#E+%Z5f|)kVOW30d7Pet;tO9JYf{nLfe<Ca-VRv}MZ4n4DG~h*)
z%5JD(?$$M2u^VQS*#8|XcaN=^=J^LCAn_hK@*=$zxHw>9^WPC#xT<JGK&#1tD#l}x
zp+&ochkH&76lkZ(#QNq?TU&w82bCFp2>=^K6OvSS<KXrElVY4}1KTOag#>m~j0*tl
zs0rVIBWHb;stWziWO><Bk5XO?KyYbS+`}a7SloSzkcKeH@mC=fcNdCF+K1>4wA<0e
zQia|9ZRef*c#G4?6W>J721gGm(rW6!L0ec4U0X0DIJ{J=q2F6jG)5n-Md^s!T?w6<
zs>nNV82_m&hrw$kuwC1(C$MANMg!QfE7$!TZF`2Tam<VlUdcZd@;e*Yu8?O4>{!T?
z0Cp^7Y5;}k?m~`z{3wN-VguV1asq&{kUt|?zid)<ES3B^miouvqtw@>fZI0umFlCE
zdcX#@EA@2(I~MW~fE^3z^9Ty5a24YCFd`3){-=I?$p*G7Yz=|tCu&Cil~&#!3&Z?a
z{1wQKh2B_>Lccob8nj~@k5bq|0Fkv_S@)5!W5eQ#u$|CPehp>BWf}AQ*`oVgcL9VL
zfF!vS@Kcf`SrhWzFI{yf;O%)}ng^!2^;VF)Cv27OpAieaqbxnu?3tKL)&Z%t=w!^G
zlX3Sq%J;a(!+O9Q(UyB6trN7G7yyyhkQV)ugQ>3aPSv8nMY6goZK4*fl~3tVQ48^8
z&nu`nk99H1u)RDwFeh@J#tP=2bG9dOFA7xya^OH)n{q#fe3evwG@I53$ZoTf>77ys
zpl+za<Zv&PK0bU(byd12ob6JK)>=u%md$3%mVM2ZB}wF(`q3oGJd(uQlgMTEoFvHt
zlH96D&UdK|YqTUO_@f`~DTEiU+T%leBAeQ*&B+d4NCy2BgOhCr(7GP$WH1mOAPnj4
z4V?x$ucXtWhcF;EE&X82LOOSE(0uDA!~D#Md~smd$Y4`__6V#Fni`f2=TFmto`oJU
z4&{GaalY2O2HCirfPmK>96G@>$~f-;evC-#@rL>3?6eyjF%>Y{2zY#Z<65HHc4)n;
z39Dnup>JqS2fbmgGa7bZZg{sCZ?%SzIYB}rx)qrXbEC@tnVrA7;K{Sk_ISc4U}g2C
zxD%T9#*JNm1(5ffM#fK!NI_K&2tsEjtI%WAS`SVcfxd0ajn-Ub(RzEVnd&#%X0}$H
zXnr60OpCN-Yo+TND`dMOJ2c5pH@}JOoUbRS&GpFV-5U0#=hheZ`^UkLn}5RcN+;9@
z%(o&Ny+gF+8Qt`4JBp9l6j+>*W<=_}=#T8s`MP-^V7{+|VYDTn1verGXtTNju5UY}
zW05i^L2UEO<o8Wu1^*>G**q`;HP|s9MXzBU8bo@(kBf6R2jYcZ((C3rGDq!OvjbYm
zmeL7Z!M#_{Vsjm#`nJz?V9c+IfkTya{I5uQ^whU~Uwq6zhAi&UJs4^51|x^E!+*VA
z6`v{}jm@n`e+9JVCEYaq>8cfL%j*N)%>i$NZoam-Buz8W2EAc-Cfa+T*xVA{hDJC-
z!u(rR{(zI;YzTPY0$A_2S<l~e$8q|C26{Ytf^#w8a3r_zrjGrQTd&3kJ=pcatZs|5
zl06;X1KL_HxYuAk;Td6=+Yo#+Ak(fzcfg;QTQB|y+s#%%e$k>Xo(r=w7MEmXJ7X5!
z%~f)5dRG?=sLyR-KWoctFUO3~QLd*@Ti)V*%lj2tpVf_xx7%*M8{W=LKEwRSntrH*
zSR)rCC={!^47s`sBg1;*`WqX?&HLKgDr!e0s{2CN&BItsW$&R~ShcJVaz3>j(D<q?
z2+Uk>?Sf}%%fDg%oI{k955t_D34lAD-9EiyDfmH_)uh$orWBhS^-=oBp!oxO>kV|&
zH-`Cc?pA~-`WB+p^x245Uhe9&8h;Mp=(n<FtUC&+7~rrDW^JSOL34vv!&42xc#VIo
z5BZ~e<)Sluz4Z+Gz^->`EW@vx`wg?1J(O*j@5|9%;{j)}XfIghH-^XSkt5zvKvI;L
z7Q2xmA-bWffLCU~==V`*n6co;Hf(pzT1vjF$V6Yuzs*lN{S+UGQmFg_<{>msoP8Xy
zPs2!D*BeUpCNx6wMyodO=4xWU&{+!@6*e|CUZq%xvs+v%amoW2oj^u2T#Ty0sQDFO
z4xWisFj`pTLQWuZiI{?3bB`a#gM%^3{B8sWU@Y3(uICK^a_b{UGPFfJF{+y_kQEbc
z8{FpqZp)~_PXCs~UZ{j1mBiK>l&9EQj=FgBIhb(}2hH`R(J!=`%hJFC3kpuR=w_{k
zr(GgHf_Ehz$gx#&#Jm8%DliJf)(&&=dpyOj`FS~iK*wMq=mIXfOI&md9lCLfuFyrd
z@7ZMitm~nWD{8@StfCv_qI<?gcM<7Q@~-9xdL#$oHxY;JFyc!Y;4!-V!y~!pP#m+3
zcv0UHbE03S`XZGR`78t3{KO70;t?skc+Ru-A)hl}O5))R1Hw_Wj;rm1y18EbiH~q(
zaww;Ty4kRD4aPaqhFnsl0;b<jwfBX%0P_Wz#BAh%SnTM9#V9mOq1ljl-6a}^fZ)aN
z=qj!T-BNGpQZV<!vABo@zA9(H#lSR(OaK-a^%Xyr{6_lw!uvwqA?10Ci~5NjF#V`+
zrXFd6?b$GZMVB<NLqh(-5_7lNP;Bnt)IEr0CXp8aY1Rk58^|JCY(Y}bZ_@7ShAyV7
z*4Jn%!YF`4Q(-25D{47GD3i$vqD8SXVz`Q;+isFnGY6V&oz6A*r-|RXnmlS(TN?~Z
ziFpY1DlvDmR^w5t<|mx_8!Py$oo}Hl-x<i)yb<;Ue1C1@ce(IC?gaiBg}>d#Kj*@K
zL_8#t`GdeGHjPXvf_fmW)6sUZ5hGF|<yOtlp!uT_UrS}Ik1RF!j2Z#Ul4pkeJwz|K
z8Nt{qoO{9aaHe5424i<1HYP3tGe{L>Ff!5KBg0tGm`$mKgk=WfQAgTxg7M<M1p4rx
zWV5*!>Zfn4@gG2WX%N0(WIe{Sae%lSt+#dBmw|qJMelmVV}-V`i5(rE+bV8aD<4{d
z2#urx88BOP6EVPphB?qLs!^q2tQ2h@=$G0TF$TljAnL$YkL>b>GBM^o;Iy3!&5Nv*
z`(7CLNUK+i-iCg0D&@5*kW%wHKKI)avrRmJlBIyQ>5Gf|iYSsL5ULyl>c>Yh?F)E6
zQvRYF>-Cjk?ndyL026@bxHImN^?5ESs)cnrY{cj1iO<(aVS4n`vptwT2VBE;%$Mxx
zxr2m<t&bJVQ6%5HhJEK3lH@Y+k>WC1k>t3zG?FA1qw)cdi$RdchB9=F#8W`WVoE0!
z^d$BYSLTH(Gc_DCx55EU3~*(>MP^otuiziVj&x-Xs?1cQ$h?Z^VXn;Q%FIf;7Cc7m
z3|HnXm6^I4neQaJ(v^Ad=d89;;RWM}t#xJoJFsXog%_E1iFRdPrqIfu6!al_8PM0;
zePY!DuaC^#3fqM}4h~f8@{;(3Jn?gx@z{jVXRAc64Tp1>WW*`dha-#<n|gxf^Qj71
zmm#B?cg%4BZVv{w(2V4vhT>C|444rPgV?H)h8bbUibj<jW=7am;@ed+Zwb(>zjzAh
z*edc_Q;6AOM%X9fc~F@R>5`#@8>W;1#NO_=QDp9*IKDtt*(es|pg4L!-AGiu4UEW+
zO_vp5IByt`g)JK}r6U|KEqXOnW=Z@H%lfeYq3w5xg1_+bB^JcwWk|+eVilMwR7hHO
zCUqn^gLa9bFEZCEB2pT=XaL&j5y!#_gPW$+e2tV5pP9o9rywf|rb4p|?(q^IUt%*z
za59pym)Jn2dMcz-a1N5P;K<G&#o?8*QQ6@zns#Ei41c}hV>rNa{lr=R34Gfgh#AOd
zDLkS}GMUCowqX6Puo+D5;&R^n#N53GE{`-S*4qHl?_zaWe)GdhPRxBY9itKAv*tl3
z)iSjShQxXbKEBlRvRlLhPutzl1ypuliTMP^;Eaxdo+^a$F7jDlB45hAfW7N#m_y-7
z4gq>-PNVIwncu->qsW)UXJ$a=GmZFdSuhGY;(B->u&vPOS>kH>ybCH=1n>xbO6@Q5
z@C=QZg}UnA4dM`z0rLnA@;-%uo!=!sV~)sr*o6H7b6-j)TAP7D<CQ-z>(|Y$US?yh
z5oz)zs?lrKXAR0;qy8?ubo-%DeR81$`I8H!5)%vmJwC(y)a87_!-04FyNz-KGP*Yu
zQ0pLjy_A)nTrM@sF=d@UM(5FS$Vs{f;j_>NpDhmXE3tmcSnSHXzj>V)`zeP?wFeuh
z<`Fo=<{NVJ^d0o^H>_I6dPNRtvo6-nzezLlG5f9$2R2@mZA3pXv|=p8it)G?k3x^^
z$<`x3XtTHKkuSC4=w4K+eI?7BN^-AF#SzdW=1%Z6nlk+8B}^;~9UsI>HZuA_=rpWF
zYqjM)GA`_qzIbF83>Mbc`5R{MX?`+5VTMz)Up$AlHUC<Kci8q4-TsaoAKS3`(6~%-
zNj(Lz7!rc|$BHS5IjB-5)`^S;xYl<^&p)g2-_4IOkNKJrzZy$|1C$jxbk-@@LQwOm
zBR;pqIs^wVDQ~%(t;tp1RC+}2X0^~B&~c&N7s7KHNE1GE8seb_<YUbzh+wsPPpyyC
zrx~#le_zN+mRc8gMSBNa-zcsGiL1RR|Co@gJnLDeQWMnrUASF3Xtp*js>$GyO*m^S
zWn7`9-W$H9u%#(Yi{1e!o-(xP{dfwPn;Wcjy`>@J8{_HFF|p%KZ6&gL07(mFX)7|0
zuP`$Z-e^eEBcH-O(v}ZAzHsqCO<R#xp_|oYt}P#&rZ28e!=scNZF$#VybA8xMsJ0_
zvW<lS?+M*)`#0K(<I(L1T5JSQE3Lx3`iQJgO(nz^`YJ|r2GAKmXP8(2V2uGH)n4it
z^z_CIzjtH6@AcqMnpboM4f-#qv33;J@kw(`(R%$PY{N&{BTYpaa@|)S?v8C|C0(_!
zubByg;fx9GQ!ESX!=D=QS0pGtHzz?2ELwI*#3pLjb9;D6^lD@^nR=Ib!!Ln8oh;&W
z`$}G7qoRL=2n+-ec~a=bUnD|{&Siz;uS68mP{>*vd6Pn>qiEzDtB^Boq;BU_$Vm!0
z+D7{AoTwObRw-n@jqFAw8gK|b0)zNKJ>po_w^a8od5Yc5R@G5@qMO6sM$ES#r4BOR
z#qxX;z?9>MkSl0fL34X9yyRUgeSjy9#UJsv-Z<D`?lK$2*L}R6$YIDj)<(>CJ!Jky
z^7{_q2s!&x{DySOZyxxmlG>G{tmx&ZJB3A2SZ;mv1GLI1?nWt(M=$SP#-*sE<gCm&
z#bI;V(b%-pKi26WNr_`Egx8y>Li57K6!q}cl;-ew^R3)^Os$r6m|4$;x;MeaN6$gB
zTh^t8r1&*K_J<yceC7?MZ|sJ!r#(OL3^MPFv&k*=VlC7Qrb}dZa;AiylIsq|F|r#|
zr75GiHmRSE5+Caj51XCSK0ekyex{EKO51MI@^IyG17@7j&iXKdI0_!un&H7ALoh0c
z3B<1Vi5CHihy4r+WQeEfk>M$G4dZR%Av>A1rebQyCl=Ys>^0fw7Exs<d#F*p)=r+H
zt@uWi*omBgxl>$?M10`sWZcX9fv&yqtr%qEeI)K}C;BM9*>=*uX5#qJcyWTA?2DP+
z1<#5891|M3{o?5*c!W)K1uBn)ia?-}=T92NEAQL(%dm&CX{a=YM$=F>0oHM74u2a}
zVDVe&8_~4Irukq7jfP#v3h#Cb9YTObnFtyh@r=DPXTz?pM!zQU`FogBk$L_~RB4@I
zrZ*M!@JOX4`8O3w_93Gbj>zfQ8>oZ6@q|uLYE0Hq*)OarZa)^Q3g76|+D*KRf}!tn
z>+R;yFLb9}^WRzTEB`LCr>_yYv(ghA;zOvY2c0^t#!ICYnV*Sy`GZ#T4HaMHa-2M}
z@D$zZbV&S8Y+zjlkm$Dzx)%{BwpIs=94v{mu-Z3rKj6YYC%QF!vo#Tv^sj>P`2q2B
z<bZ+c8Z`HnrVsQ3Hbk7QU_)d;AbpTO7#rnT!&e#*8GyNI$`*fplrf0@{um-w@jJ4`
zlaC=fa06<*up5|{#0UK@*sv?3H2scBFw7QPU*H=FP@`J34K>4fe8d_W=10&94PSO`
z*x4O)Sw_DNK?p`>X)Fv!*$Sp-LBumE4O54glI0gyf(>I5InuQ)K#BoJBbMbK91mTX
z8Gxgkse4-j-UD`POg#hq5N6P#8Z<J>xJ(Q|w)PD!6c;MkkTk11$Q=JL7{76xc<*`E
z^Am(F-oR784RoZ<DgGR>2FZpU>52RO!Ta742R~z=v|)-rJIz`Q4J+fek@bD0?4%rO
z<?qD`@{fVs<h$f%+1pZX;K;Niu9n>dK1YM=V+^y^4(T$WyI6K96oCxFFj^Ox4|$s9
zL-eRbtGP$YQdK6zXMudo!_#a$#fIfH6-tqbZq?0qw3@RC4ERep`R5rXB9GX3kS=&U
zYlEy&!w$Imn8HTC67F)yK+&4xfr?$-qhEs_`SJLGR<uvge?wdJE(8MZR|#Xld+<!>
zRu<-XyXHD49>ei7Vj2DtJY*Z`C_<holMAL2$dR_<f`GR6mNX;YYZx^MqK<7P>6MjY
z`0v0Mk;gK|cwYG}9SE&vD8+pFNPk%{vauIj(UE?m-pbIHZ}x6BCN!8OehB-ZA>tCO
zPf<TVn&ZRXlrdp5z*m)k+c<F=amcq4M@c*t7<R*mP4O2R<_&%Xc)vjwKQ_Mly``IP
za-Q2Yz%0oS7oZl}@_@h0Y`}&a3a&7Vj-c=g^U5EL{O0gh#HF+qk|UU*S=h_L-w@)t
zTbupT?i94m_jvB?QpX=ShX@3&gVX=ctihoB5?di_H$W{n6>Bf-)V=GqwSkf28g}&B
z)~d(hRzRIKv>sdFscvh#V?`Z*TpVVvk+aB%WMBj%7>;2TT(@yN^E3Pv=Jd4CFPO}X
z4a>GFAkENpi@HK$$2bxzJX_n^q-?_lpxn8nRtiIGXm)H21`Z<{=(juI716Ec=p1uM
zc4#w1%z7P8L2iBXx_0(nTEW=mVm){pvALOI6(5@D6*AT!jQ}<clks?GKSOOUeJ2B@
zMr?kjnE4RJ0byoDd(B3dz(E5lW*BSdp)ViAGMqc1(0qUdlpF>)ORG5%667q!AR?LY
zcWtf^<_Fh_OA!iSChk2s7*T<va0LDuKn5hETeTW&u;IjRi;h0^5qBTcaGgIW_3q_h
z*C5TMd@F30w)|Uh;cqCyp?uUthg$W`nrLpPIg9s5O}~CyjC2egg9$^l6@&U>yYQem
z^awMCxiR!^1_o@VGhpx|O1GfTKalklzviGu*5{eqT?40MArZ(A`F+}=;ZTECKm37o
zWO`BUtb9CRR~h+Mp;tW3D-fUm@9pz=)TML#Tm<a@#y-E5-oZW_f0qsa59~9e81ymP
z+vjY|eMrb5Dm2<>xb6@hnWBAu3r~=kY?p<G$V7huu!t^|Qq_Y)ZWh}XI^cJi=o_pc
z2y27!J4?jFpoY0B=63MttGI9<ym(|@8Wf$8eh0P#didL0=AI8ykPaE?rJmUBFwS$b
zMFysWGR|L9%HjiIoOi-Fhy1Y4cV>%$D5AhCt+NFJ$2tdL^*(_a@7l1ddnwdjcCcR)
z0|q7L5hFcJvMOXpWQpM_g#7>VN90Xf=O>VY`1jxjz~K12b77sQ&^rGJT~KQNSdu=~
zV-BHp&c=j@o*=FBorYM7Y{}+ck!-G&B?)eTP9DNyXoNS2OYx{nlN>Oo=7|1CVpw{-
zHO1e<dRiLcYP1IfbaXqMsKxBSOnJ_WGtB64ZaepVL(0cd?X7h5n%_+M{~hfzwVBJm
zE7X=l$$5`d9a}dR+#^TEYFBM^omX)5mlQ4|>HG!!{k0m#6l}*2g7r0OryM_lCn#21
zuAo%k)oLCh47mdFahNviy;sCDzGS<D4PSKSHl)w!2fdS9ug6MZoFhlliciHJ3}OZO
zf7cdW%giPI{xr{%@r?5x`m3yNMQy3MsWiP9(p2Kl3C4zH>e`ANNZ}+1ABGKbG&mS9
zgrjC3{C)#r4rw)L2QOz3`e%Sd>$!iKU4k-lw3>IoSX&NsZd-FszebF7uRFO0E3Ds_
zq37eMBlH(`iO1^N)q9Ky8)9(XuHzAa1F)g#{iD@Ln4+p8(mHlE>v-qH_~33(u)%dW
z-c#7J(HlA;5Wg-xx)q0C{-HM<P78Rq1DqDh*3E5tLvwH4yG?)VFreObfM;mM{DEG(
z9pdF}w5H%EWnXglHZM_eNYVT->^qLG<ds}n;`gE2Ir`#BX`zesSaG)Xwz81rZGGGp
z^5fT}BpDq&KxWZnqjJo51K!p^zayC2+0hpBYuyazXwk9Y)x61GUtm$x&hP6WUyi+e
z;B}Nldl}=ye_=0+?#0OcXZF%(o4)_ZUOsy?d)e|ou$O5tsQ;C{+zcyi+skKu#PGT8
z<r$m*|6?z6QJ2o`<w?N)Z|vohKcExb>)D)5Qi}g0d&xLZdwU7LORISr+Qqh&hqW5+
zM=6z7jHl#UwrQwbiW_k*X+Osl7o(q)=CT)_Jq%T2F$-79pbCOw$)P*-6i}F-(0kvJ
zs?_}M%J`t=K`bn>vs@A@hvmYtgQ84?1~N+FMqyc6l71-{o$z?%3NzA_6*Pxt3Tp{<
z7(7R?&k`RX1-;b^Q41seQUj}CtTWGoC7Xy16)b~w@3+$U2E03TvzvG{&ay>Gdb%DP
zfXHmNxcgTK{KBKk(H50KwH)0L!6KKB6Vp)^wl#F@rccD9-fv^ToSCC7FCJS{9~w0X
zyW(l!z>SY$puP2|U@vPwv_(o^!IXXaeTVTIyHOR}PLJ5@Ei!9;LfXt;_8wNX2me^j
zqtSOBuTZ{_%<A|;%`!z_=u<q!W+zQni&nFWkgI#p<RH>O+m&@R+ZF7$KDQn|L>7)`
zPRaeC`6OqZ7-`Ha$^Sew3YrwB2aNPl7_%!fOX4%&@E=6*K^HoP0;Z~X>>zKbs-`~t
zH`=7$+`4)A9?p2J2K#z)ebyVRwY-KMnP3RD-Yxtrn8r$Tu)hMmjJJJYVn^kKvhs_2
zXi+<EezajcN}oZchWux;%(G>gp?=9qoTva8-jV*^TqT~_@LA?DTUY_>ObSY@pywgC
zHGyaHtM#x9HNgDX>c)s!fLoK1Nu6K7`l)6EIlvyw<->nr4=yqx1pk>mD8xP}yY)Y^
z2d~?i+O3}+!qSkO{@<*hzK;Eu_F$#VDA!L99Yi;~?ZI)4|6_X~cO9WA5&Mno!Lcx?
z9cQ(P-z*5INA$%|#EN{dQD;el+z-Sn935<6skNJHJq+2fTKd3SvJ%g`)_tSaB~McB
z7p+Lhla%YVnh#NcWQr)L)MKK%Gw^Hrv+%ihlYl`P)=dmT=V;4|#tur;YU+U>l&;lO
z^Vd7e?<_2Hz=3*Y9Hi1!Ng2-|D@@o=L_`j8=yd|J6z?6fD3pTz`?uL<O#7dWWXURz
zTy%=p<molmr4lsF_t<`t!}oOT^fy0~^3P)hZ+)lwBX3M9L|fc|3G)JdHYeXp`vKvh
zqYnOibz3@o`1k5wLvQk+YQ{U`;D9Fg50pMEiBBJ7Z_vv%Vr)9J(0=g*;y>6In!;0j
z_v0D*8q>Y#r-@0Z3Qjm*`4jvpI!CTMkn&^j`lGUD2F~+|-`BHtbNh<lkV~xKL}D5e
zwXRmoS0v|(S&C%;w~}O;i{u7H(qEjUNdBfswzx?070Cc`01*ci^e07fz(sP3A{i)-
zQ(P7*lI*dm9{pymtZtszt+-53Bm-O|TR_5YS*$2@MKR1p@w{SED9RPdnTn*+MG{ja
z0dbciIsA?478l7RNm69ktCDQdQ;}{_q{~2>Td(#$3KX{z@huh|X!~Cj$rcy4(?}94
zxF49rgHuusP6HgHhu7ei7hRJa(cu`!VUjoUl#!bp%y-tv-We(GQRNh?at^qv@*+r(
zd8{r)t@=><>|?d%4JEOR4HP(VJApOGzBW~ZYL(+!;J*7BxI7nbqAKtPak?t-Z4f|u
zwnB=XWv;GB#);O4W!wL%NXELjoT*4Aigy&ruM|m@i{$X?wzhyec~>x<wb+Lu?C!-;
zXz>B?Mr=eS_E5B%>2ULk`9g999`tyie=i)Or5DqDtYg<fdS$%-TI>iQa53-P3~?Qc
zrt>wo5|PASfjDE@O+Ccm6db-+No=O{*MQ0rKb5tGia>y1XgqXrrZ`#E|IM%ZU=#k3
z?%kN^J|@`{K`cJSMXaYP#?D``1k~uWM_jEvPPV3Cq2%*vqRxf-`qd-@R3cM+#sFlj
z;CjVmyNhxYDRKTyGWjae>O%d6sPx+^<%Y@<#o<)NAqP_64BbMI!70rGm%|78pt}=!
z4p!U>Tp%ACB-$dW;NZx)<9lQ99>i!I>z0SWZMy@tHXA|2%f-G`tl6<pJAS!arzT0J
zl7d0v?}#gz8;$gtAiflQu)KdYnPXVO2Rop0yvuHa;uDV{N3<U2oWeKhSc8WRJ+jjq
zJ`J8pB`gEZn>eqVTiZ}=#?R@qbi=U;zRa^dRx3{sYz@7M7jtMe-oX2F%?+eOq8dxd
z=I53EH|ulv8u3BZbnits_M%yYO{1pf?zVkEiKZoAX^Curzu&`TI~zXBFud={v#FvF
z>I^HJFJ^C}>rvXqL#j;>&@Y;ODgT=GZWG$6BgPWQpWxFL@(e%#=bYpHQ8<KF$q+;!
zLp<?-$1^0}KTq}+4pp(|#N7#2PRcW?px#Pg98e0)W9$WKUc(PMMBHn85S--ZS$JUz
z+(TRj@Zk8szR4jG{g1+(b{yP$iOa#=8jSj;+LPjzEe5a<6$3m2L@87c@eZOm?F(vL
znWAu-k*NwY#Ji9R>-{6}N9BIK=<+|`uiy2*+pjk|?9UJDkZ%9Ji#nf&Jv<e!H&^UH
z<5KS*nJd0%msaQb`q~HP1{g8yrw)Zc3`V?kXd%weNq*QQVE}cgkLUf&_vC&aj|J%F
zw+QBS8HFew1nbA3_lFTdx?$MptI|8XxiJX<xD7u;7=$!ExQaXz2_tq#CXR>9{H2^z
zm`7U8AEAA5cBAGA{Kgi`DTZa(uaUwQ!==T;xUkODBI5v{XXeYTU&*1BuN>ffh1{Pd
zVjKy5f9;LaOtG$JH*Lib>~Iam_S%rHYj)f)*t2+OS4k$`t!rzm2BY(}n(HM~Y%oZS
zWGPkvol36xVG`aR{DT9NF93-ElYILJKI<05MfLcvWO!5_emCDlFxo(fvWMuuf~<=B
zN__!$%fQihhEdHXoKZJmjKvk$_&4HVoJ&0@uEI0)Xb(I$;Plg*B95(l9@xu?J;-r|
z&5FK;mg_A|)mpTk;vFk6oBLq79zg5khyx~i-k8$M`<7#FNk4bNVZJY<EyUp^985>#
zUcPyxul5w;sN^vKChc88F8BrDulGfdIST%1FjD?9-hbf8CJ#7j(f8P%1?wpQDgEi3
zXQ4kUR|(@(*WQ5skQWo#<>B1DPm5l{=^ZOrySrUWs$3QDqXKdhPbByx-@B4Qq0mpc
zGYgARsw#_~Eiu0qU!a^|K4j}Uv@P)&IDvl|_}eYY-7DUD1?sxeu7~Us^JCro$cVq{
zr=;Ps4W$g(MUr1hKKAgNv?$IQ;7A$g6_!A=QuLpenBOaVGaAxSlHaODVQxHue$85R
z9+Xe+UfhYpg~)rT939W;vQhukp$k#E-J#HVsXnzX2fZ^+@dsorjo2VR28(ZaHN1na
zou+y+Y{BzktDOP-;$<M`0_o(B6<kA_A6zu`q!}Y=*jxR8r$~)U3`-HoHi(Bv`3q1w
z-4N=tbdVN(9Ia)A%=hJ6E&Igzs8WmUsX^h}O&n9*FFq)M_?k`72HY3l3q}}ByoC{(
zC0~kIr>Ncm6|LTz=r+7N<8&;#Lwt`;2;wcBniqjXHSZQ3nsMkQRPI5EM3js55j(d5
zG*5QTARONa=ZUuo873hG206F`j4Q}t1UQJ*kdb!#C-S_%3Ubdj;G*E%^H?zy^t7GS
z0J6hb&zq4o7O|y7dKQ=yn5ch{^FKZloAtXyDXQTdO1}or*E_F;?1Cq<lKiaQ0K4tu
z*D#%9*GSZKbZ>|FJN5NJb^Zcd&^W#uY3eeHP6!lruR-vEsH+V~wChM$jXw_n=<4|h
z0fD3kwy{EZG#h!OF5I72aF8N-SXGNYphT36Qu4|6E!e=C1<~obTg`nz?B^Mx?~7Do
zIO&2HB!LWTI<7im$3SGVz$geE0R?Gq+57?<>~cyIoKqTq&c74~2dEtf0K;?l2OIWf
zh?#GxIrPEXlxdIBZ?kerV;O#_)Rcm2&bH;9aNYcv(;Ih&w4d9V5JJptEsD4!UJq1t
z!_*!@<u!osXW{)f6w|Lcj1!$$`x6iWpspJ-kYTp;H3R)xjfNdvg7KF##-dqb3&a9K
ztPWbPfH=`l#Cw^rx;PM{CT$klgtPp~^8;*jUa~LFM<Z20)v@mo_}_flVQy#s6}qL~
z8byK4LYWYWBtLyj&}>Uw<k$oy8Krphbv5e_p(q=xA_N74!PX@duvL(Vzbr%bdZONu
zy*O;sm<{Wnfk=r~^EO)^ONX>%;s`GHnqkT=mjRQxSv2(*;W=851y5)_>ip#wjCp*T
z801t0ysrUopk4#Yww{S4DMceLROn}c&aJ0Cs&|m0Cr})xddLu8&Z@z}1P^JZ2$gXJ
zz%_(yD}4Y5;}3M>Xso##MY~!d(h!biQ=%6`3%KGlXn4}Ng(owH>XPtUoBhfE#Qt`$
z7tdqXSZ`q*lKgO8Q><Xu=XPb7d(Bu-I<*q>nBxhK+;EIyMXmI)uvzir2=VK~Xl2X#
z?9fHIAEfww958V*f4?~C2m2`bLA=+VX4X8$&QNFJ4rhk9BV$_lI{fv9vsnM6J%;xs
z4pxE`>zSR&^~{G5IfU`{p*G52Fzs@1+C#K{hoZo=Su#?1R$<AH5ROMvvc`Q$>0ehJ
z_doZq|NHZ>?a#O3eep>h{OQUL>GtPkl|PK`Q~tH`kA1H6DTX-){`6@0%VRLJM<bdz
z1`hRT98(`t*r@1XDWpF=tTDDI51r%o&j+<jEBdiE{kTR(@nSs<^Dy=sj&=8cZ1yCc
zE6T++BonHP__KYxL*uM@j#KJNoM?xCEG-d@%=YJ{kr~S|`|xk_+2HdIJjWs|AIk3d
zCLUpz+MIfPB{|@=82N7Meo>Ai2+bb>E=^y2e$^VD=8_@e4)+USmqxtzCJVt~cuqi^
zuoW9ogJ`{Ur$Sh47reOxDr~7s7Zju7ILQRxH}y&cZc=bwins*%mE6gxfpRm^_-yep
z1R2Zu#_*{y>OLdBx(fD1-c=z+$Rfj<4AOFK&(Jj2HwD+Q@a?X`H$98$Iusr4>FC5V
znkWV+@D{9&x4SqbTJ&0!#5JE5ov5DhPQ^ud`cF@O2V;0);!d0hF7}8v$QZWXaj0SW
zkgUiKFJ2kVlFwU&N*%}4aX5DX%<+6aKC&Yn&zgL$7ilV)Z6`B;I)TrmKT&TPay6pl
zw78}5io#%1aSn#Zqc;_EnE30rfBW*c#N4ZIEbi}F#T3K{Z&YW9$0BIq`;q1z#x`*d
z3>pp#^^Y9h6aFL^zi9wtAoD<AGzggUPb41A86<8|z#cAOp%@OJLlQt2<OSnX$D(4x
zpodz3185L(8^Tfv1BnvRi>we+kpDc!SzFL?!yuQz_`qI}X*u@Lg1C!gLw9j6r^AB7
z*=TY2WAwv9#{2ZeQCzT=bXyux&H(lY+AEtXR^G+&F6N7Zvdw=&x<i|L$u@It-2)`r
zI|#iu!0x?){N;Ex73bNYLGpKTaeu%HZCHT6RyrEe?kvBx3R*Q7zr%~p_jq1>LCRRo
zqX4#h6~MY15VU(#V%p6~FJDg11$%fNM_YdH><m;bR&eV_eLUjJrF0QMkLywz8g{2g
zKJBJ0f8ZqEle-Ofzj)0aHTLUlRpAeDerwe&;EK%WA@l0n_-wu}^+|MV;vOcoz#Ew8
zzXDs#*$hyogEFzysY?`ZMZIqmO(v0Cq7{7nA>DxY6YD`2ZBeeW;uIj!JVX$I-I3%%
z|KQKeqlkKgC=kOYJHYqbtbTBai?NJQWUYTB8J5u?n_`pYOt5>Y7*$hbZ%Hy-oB*<7
zn`~f;Y^zQ7XGwO0zZb~Pw8@60$ndhA?1~7;P&FT@T0c;&oZ?U=Yj%?&@`Gp_h!Tt2
zQGA3$%ke36h2LKVZSD~lfV}wxx$cG?rZ7ehSB1{Q@*T!|FPQuaOw9KYZhgvOWYdXn
zpP|jJ3U9+glJWrEC;9Mv_V+6b!Cl_gDx<D)fO%NkNXJaa<*VEP$NB7Ro>KMU+3go%
zu>dMwU9gL2sVev&rC;97dY1qJK~nl<?8d@j9z+-*^5@{;2o`r9ygHCgb-A681BC3r
zp;gpWLD~p8qScf*GzSRT0nhW#4$TfissZ7*(qyh`nG29_P=m<fw$KTKn*xIhfkxpq
z_=|~+IA}1^Rv9Xm$HK0N56TmZahBO^WIb9XJ?U8d0du<+y%H0&LF6#s0=%8whMC=s
z49pv9eBo6XgYN&30q=q3wt$H_Pq(!lgpe|hrA23TL1)BqUKVTr;sI^^eh<<`KK4sa
zMJ<kvG~bSS2}TX?Ln2BYHo5hPA7zXFU<Og9#6L;=q!eCc1IN2A5Dn@UJ`)u4N#WiT
z+V_-WH+iZg7&(F?FT>ee0*mc!JEG~KU09eE#Y-;sXf=!ikrlQ@&`z)$Kz0?b0-pdo
z-c*2b%-w8m-zFjr-FP?Cp<Ycj^3((y7v5<-EY~{KNU&Yjb_%Ip*9aMH_%tiwyD6!#
zL@790lO(wsAJDG^y|(=C*vG<6ST5SLNIOW<7LxC;L3gl`pS6&zSwuaGNEpadq6O-u
zdO?BEQ#=2FtX^cL{l8Y$C$SN<3qEawq)0+g)syN2rB^|h3pz}#WRJ58^%Y+68<5Ga
zjK1P(C(hUFkqtS<r8i)wBYF-nvM-}~8TJ;_MVu9}f)Cz9r$$npn)?AlQA5D884iwY
z*Gf{j<UsTV7CD~;9NIBiAJq7GV6c6Fch0+o&j87t%<2|^y}zfGz<Aj!gZZIRdMxYF
z=;qKqyhzlC8AJCVW3l4x9_$y9wfXnJ^^-VvPmo#RD_(IgNQ}tg`Qc~DNQ?5LA<?~B
z&Cf7taW>{S$~F20B$f8zeQb&3h@5%cOYc<(mv#sEZ+=&9YdwlSvG?hiNnEIySB5w8
z&J`-1<g!eQ=Cd<#MKFF`t1~d02WD93C%$kLB954@rZLkS_GOBXpOig0hD4E_8tzzX
zY4j$JIJCAZuTxaHplWHv!BUIx#Ay>#V*8My&?H5MLve|VBBUtxzC#{3o~(EbcTo&i
z6t7DPgcKCTG#AAHMe!#|;d3bNc2OL!C>BWycrc2`GcJlfOJs}7B}KJEvCc*DnxZHo
zMN_gKAG;`)DvGl}QN1f!kMBX@Y+Ek`1@5kbcPTegBS+Fh6M2`FRx=YS0mJg;+l(oH
zm8f&g=WCG3n)1D@-v;0l(^IoT3?#A+a}k-Bc0~3hav2uDK*oqX#g+5>CxARzv7JVw
zYd-J|nnKLCcR^#sX|17!5hCKe!$a-|fmmL17SoXM$l;vOmAdwaPiB4{h)+2KTKiT1
zGD!9sDmLKplDpVDNj9%5$|;H0NVE!8gq<3RTTvER;rtHYYRQ0(D8cEw>~P%LhXp=b
zuz6eiN{T$T;8oSU=Q<)!C-P;L^Ijq!adqjD$ALT*uZ@813?eIC$WMv<p%tNqUFbhM
zE*5D!8D8Tz+M=15N@iP||3?pYJ5p<UqpoOtsQi}cGv*j(SEJ5nOrKg_T0YId0sFcz
z`k?}^&&dA6@`~%m#1sIVx{jDsKBdAOozc9@E{CA$l^cg-c$(jq^mQY~&nou?#)nqU
zDo2hXnd5z>(@{o+c~#cNA;)`~|DyC(-H6$fLlY+Xia;`@d^}3-x+aWe-^QZjQTWWP
z=BP~<m^`C=LdZ8_<B%Nqn5b)@w8+<Y%#6vbt5Fv!_gy`0%A9^kWm{LZId;*gE3T@X
zJ|pA{t{s7z%ZyVMV049fCl>QVaIZMXow#{jkv=@&8+^5{*A0hW-8iH>GgSmgchF@I
zlKqyfk8i{re4cG8WRCS2Q69nv$!?h`>$3(K?YK%^(a7PxtMsb^`pTL8$p17|Dc|s`
zWouB<RR}HEP0}Y!C|4}z%Cd2bzLOvQ<r_YRnXR&R^|JX({M8bFc?#duwP^Z`a*mVL
z571h4qusBdM~_N+%}qb}>JjL3&>zBV1^vh|CBCc1Pn)PG##0nf3k<UAqS0B_+tR#Z
zzDc^G@iQjMF82+__tr41vb&c_8s!h@t8S436)3+sjHcg|VciF8=khsZ@|1FPwCW()
z-6N+%tcGOQQ7|E`Io35~;P`|8B;Tmf?C~>H{&HW@r1A;3u~ymEY0QT9IrE`uNY3Qx
z)7T%F7VU;sudJLh8DBk<**?cSrX9q9mrwKs2Fnh76F@cIy4kui0bOA<t%H!MTg|ad
zhHd})F-%w9tImi-GM+2rA2`?+*;CanSUU-CuG#h$3x&gZp{wK>e=Neb?cfW=XFs?p
z6XKn}F8q=C3Ge2B0uyaYjTnFDdIfi~p&pJ#fBCmiBH$CQv*i-{aZ=I%%Uc|)c#Gqs
zkID)r>!*)O>`3Vxef9g`DbE!C7&P~ckQGPh=H6OX263P_u{I5&C`NN9A`qpod<aLH
zu(~-;U%3@o5#24-ir*+^uvcaI9kQVAaF5?lc*<;(%&@fZf=}ddTKFZDG~fefc|>KI
z<jT^wU6wb0!z}4xM4k!;gDTOAGHrJdVTc!iZq^+CiGEBDR$up=u@rpaLNy~-7IMKg
zI<dmeCta7>$VcMvw(8YSftF4E{Ea@Ix@NFnxdVR^XCyOdflV0g0J6lQQ`iM{b{F7l
z6kffKy->$qEYXVVjaXa`W31o-uuB+DW56I?mbo5LNPEZ7dJ6)p?gQmp&N4O-Ut7iH
z2rh3s+HEDiRj77+RTVr|xec{b>|0G!;ttBmk;e^XjpFy{Zp5oc8}SuYT~Tcr9z$ph
z>&SW<eRG#fKx_OIM^y8<Js9k!D90KA1f8P%HVz-*s5QwBu;JrUB!#KRK<d#*J(i>%
zhov4zrXI(p9&boJR@#re#7571pbOqZ#yW^EHsL6bdZ8V4V(BpZJQAL%=SQnS6gn1g
zR*-O>l|E6=i{1^y9YnB>3Ng~p$Xs+0`Tk+u3?f-oCl}*%4=x7s;FjnX$&+nzuqS}0
z3FIthW3wE@@jxte5NxD_$O57U2+4{~b`Zw_5p@vk03y&H<KPxO8s*HASvV>-rbJ@a
zI~WcUF?5rLAy+UOr69^&6k6hf@xN>VtTg_LAJGfO5g2E)?Pm2Ipzgzk@K`!nTo-ib
zdHFJV2giOf@exLd!-8?UlKk(&e-H8?JruzyMts?G$1no9Ut9o**3D=L1#(S5kxHqg
zYp@=m;5q9774NX)*Igw0(3513-sHfu$|y;Tj)&fDuC>Eoc<*W-O0j6-#M+0I_I2ss
zXq%j#p%di9jI?<ZoSV31X`Q-%xv;vei#(s3j|r~M=hnlaN}kUxtZ4)K-B3>urX_}g
zs7}WptT5K0!iAo~>LXq1I_7nipWNS7S2E_I74o1jue$L}W4{#4+1v;5%Z-Wa!Pime
zUp_z`D|?RH>XWhgCpXUSk`M6Pe}{)P^pw}43pr6QdXQ7Upg)<#AEerlmkF&|39e$}
z?Xo0IB1@|hTLE-d(Z6I-+VXf*ic3NBCaE9~I27VKg^v=y6t9rfL3u1i82x_yqQF(4
zcf0Jt_+!|Vf>b?Shab@kxr6c53;CR_+G`>Qte5|mR2^FGmsE>M_2;RQ?*v6v=~9_n
z6jd#$Y7|w0qN;UK{TWoS$l_*F@X`g;h$leAH7ZMYWYJAwHs}pIvJ%T&IV%<aM@Z~f
z#2+=uy6$jMU7@I!km?AW6!gIgMdcZnYLVZr#fPM@Yw;Yjysom;AWNziK3C4&_sPCk
zO5(>A@fgK_n2Tz?qGIGvR4J-lMOEpddK^^ji_xTDEnp<CP}J$|Dp2dnG+D8JnXJ!H
z#P4pD-B9nMDpFK9^5+o;Z<F1yOi}G{QJn!Q>txU*{Wr$?7aXpJ)Q0q6ygxSq#KBvU
zAG(7ZrBF1PVkZGO{{x0}bUfozGvoDNqe+TEcx`aO5e9^CJV0Bx6Aw&dlS5nh7!qJ`
zCK)tXJrd(w!e)X4M6wW5aTQIss8XeUwLz6u=ql|-&|)6aq@aE$U=FTI8hGB?20m5b
zBQ91fo(BtDvcx)%0~cqC^;9KRlk#;%Sp!N?-HCcRbN;JZSr#qFzw#+)plD`RQtJ%r
zLY<YhfjSHAJs(`*-7I#>7LO^OG&=tmPg*G2H}bB5&Y6qa4oX`|ZC6LV2bH%8MZCUV
z7O^y0#4l74v{L`Fi0aj}XsqR8u&5gemMcr~C$Y(4#S);&tb1iY{2L5uJIV0pWXN5Q
zm5dxEL<feCD2BA;|FVWqg0%c#xU*3<G85e77>ZGf1<n2c#e)6;So}e;=$mA5qGCa3
z<6pB_6Q^ea7URGoVK@xXGk^b;Izuz`TOJw44UE_y-lafKeJMMQhSG7#DXr2em+mN}
zmBW`so{vK6Y}tfzq!X~Z59jf8@NYie@t?cn^hKy&^`)NB*T}eS9cKskF1YNFx#<&#
zOOXeJ;rD1mcByIiN77=0)-mmRSz=kLNGlUrz;OYo8m#V#!6}^B6NkdM39G2;@4H9|
z*A^{;eTR&{Lm9VzDH8?7$eZwuPc}om%zQsVJ}~Y}<moP^4-+};kVGC!<nb=#FM;Ho
zqJ6W@Rzy1+lof?%t*q!Y2&$;Y)U_5NAcHd2ccfTEiknDLt|)%rkzxrc29cr&6t<rw
z?@^a8Z)J-5PjLD!!g_dd1zCg#4`|$t_)F9=^z<=O;<QiO+7Q0Y4*T&Jmy@X*MIShb
zYN5;JDpGD9sr5Lue<sAGd8=9%HZ77o!B+WOMzkfA6^Jb)6gzU^`SL(W22xs-FtugA
z5%hS%mO0N6wc9ceUyLi#!nmB=8^${r{2qjqAKZ&3{UhGom%2Lb<5YYJ{tMcKT^io7
z*3kT(-5)HzP8H9W_f+v~)f0+;3{Pf5?pEB@w$#1^@f5SC{LIu+c?DwDDHUc`Puy~o
z24AIy?_=RR7pE-F=xNuh{ibYR;O%~q^|9|~vrbFG(T*2!b7+&-`WmK%_h;ga1FtLJ
z=v_Rtt&V3f>?4?}zhkGcO}q~=A~MV|KgiG(`bAqoguF*FB5*m}m?PG?D5MtaFE#ox
zIWTng7O-Q?@5BlBw6(>DwV4eIzW)KB*;@6WlP(CIV6KZB-i;Y2U9jNLj|5lZ6;-dc
zoR?{gO2bR26~`P18Eel5s<|iY+nt?(YaiPrZd2%D^Q-vn-ik=;d~Imcf+I&jxH#k3
z@Vgr`F7h-*9O+Qgw~==eRfEDqY!cSI4V|XitLm@zuxsiK^8tS$y2LQ=k+-gwm^J=k
zNS7cz7QdlFtzV5i2dnkF$6pDE*6#s-wfue5Un_r~@-LCU&-s_h-<SRM^7mE$7W}qb
zqxJ;=Z};Bs!7pwlJDZCP!jg*&EsFPcxba|bsUjYP4O`#J-hlE5cBVY!jIGbiY(Vgv
zHGuTyer$|Fa?P)#p5vKxBVOb8U>2&q|BXYtl1fISi5Y-G<p!a+=WfhH^ApKeo?#cK
z0V0#Qv68c~JJQy0jJ?Q?!4WYJsVNB#unTSc+tT0-kD=s;Cv(z;=LR71yq-{Rsqc6{
zAwcaeDAaL~LEca(i!3q!Zv6tKq~cM*_#B*6@Ot!RyvH*w^te5~ILrg_)NR>hu_2S|
z8`WOGA=6D6)(lPzcYG`MFgqXTPO<%7+|;Pv*BAyf@ISs^k@qzIe{sK}DX&*d^-ss|
zlc@JId6I}PQ^;sZU%i7E<^X{B)&blCP>2(Qkd-OjhT#pYEb;L;$VL1Pyi3s}wyNiB
zyi3u9M_jv~iF3O*1SvVY@VbGx{d=DIFfAMyTyuc_9FD6z28+fwEuMy4K)9u#Lq+iX
zq<-m*Ia;I_df)!U$u3d02*Sss_Bcmh1O$8pT=JidqIkpqH4CNX>b{CT>W%<TcX}tM
z4CqW?p{ML~xsyt9XkoRd5XHR8zs=)pIf3choPY&&pF_`+S#5iRTCzV}Q}BIM7E_Sj
zmU0MS9I65LupILv-TaWdHQA^$-#o?-?g}h~u{&ci>YOjaV;wYHeZ;zyQ?^7QwdgI7
z%0R!*wdiGdu;x%k9sPv*o`CwYwcA~-jYjDafDrgYE72bJ+51UEUIZlL9(ey3c%FrI
zovIhug>RGJhZa|&&)cu}@qLt%`1Bii=Mz3y6Mw-6wINSyph4}_mpa95#20Z84HGBb
zvAc!6$Nl1&n;4#ffHaEV;gRQZae#h3y2bpMXS6Y-Jg_b9tU(JvzwnQ;$pH-4f;Rb~
znVvjAy-E(C?8)YAW#<SkHje~&SLi<-tbPFlDGye2xvmaV|AXv*4)%J#Pr|>Kr>P0K
z7?5BbH!LO(Q;YkM83$*;KXhwTHTQqfZk*rPfY&WE{23*e;_4<XdM3IRnziEz^>7h)
zhtWapBn0h2|6g0zVSF}4;Ljv%yDdwiz%)M~)?!qsom}H#o7VxZj>jPwdL_7IB9w~@
zQ?Ua5On$*qY<ZgUfGa-YtJH|>G~%@baU-F42nU&PF~9U~kv%Eg$pep+2kG}HeIdtQ
z-dfH(Omf7#H*h@X`EjIugV<~*`eJlf;~7nywE|5%AM$B#u>ErJ`CWAAAMmqKzWU00
zJ0stFr8|n#$hc4y#<S)O^fB^Zg8XZwfB9jV1e`;Lu8maj0N8=>IKX)}`x4h&n4?f%
zFUN}1N_cKf>I7`O-l%Zz68C<>m%;@R8Jr?6Q|J{yw=3-@gvaL|5FcHS>flQsJYoKp
zdj6Juut7clK*hKc&wOXf&lfB4*${PRJtMpZ{zlGG<RQq)z*L(S79+!*hKLs-`8;fv
zwXzRj@MS}1=v)DvfmG<kl|RJ~(rNPTXnQf#_6q7f#o>Sj)->=yFYN*xulXhlQ|%Qa
z6zXph^;Ke=3zer(f0ZaJQ4N%{rauEH?v-#ltn@)jao30p<WXCqHld*?t_m5~Bv1`;
zCMLV}9UV=V{<;=uXT)8rk*{wA?Fpb&>ouHzA)6=3<~^dGCmWuhIhAm^JXuTl$5=tR
z>>c#q%fK&Yz9)#E#eAv#A@#isIgQjyzBs?!OLVDbN4egh;n_+bMxDRnTAat?r$)o$
zxlqxfi_lmuR>HUAFV+bhRNEhy@9T~kjE=#8?Mj|+{|M*X`9-4R&>^@<*yL9kbi6Vv
zreNuWyYVx^R`W{wCuD^-UW_&*mZZkSdTKs9rV#!8iI@Z<%7R0Snrl<vUm%9xBWK05
znhDTLSR>UYs)}IDTdaY}{Qvs?W%vv2&!2br-kG_g8dEfNejHxZ0IS;*tXwsE1(UZc
z-`h0QdGo%wj~MSo%g?Yo3xkr_EeP>kF7CS%J5CXD!!j*f`Qq{-VLARK@!JOA#Uz~e
z*e~iH$KXV`wS<>%u)9>!Zzl;2yoO`#c?_fL(vRE*dWY%?U&Yy{4r`mQ^Fkcn+aAM-
zn_VKvvCeM{^+?UfRC{6%${KAAeFn7xR|l`^e5SpyNrv%Z%*2PR3uYw__&Spr$M@ax
zr3%GepS+hp|G<o6@N)GjM*fzWen!$_1;byY`TdFmov3$>@VYyseB<kHLGy27J*1Xr
zQE3V6J%qC`q(=VsP%m3Xjsc^D=eEI4=)<Z82PKNG`tbc5_0|oXy~rNyp~f=K>C2IV
z&KZl<#-bf^2(+5B@XI@G`2tIPWH%o!(ygd%s?NYv2L`L9dLNn*#%txc_mJl+xyFzO
zEpwa)pYy;1Q18Q#`PfU`{xf2c1K<K-fYd`P`mhs{3E$`7S7uYgt}f!KQLy#q1`hYN
zXoeAcX*<Xbv$z$(NBK5in^=NA(N%o|`8#Gm!^LF@I!KS*%OZlYMXCrCT4MfK8h@dR
z1t0thS1mwaYf%ez(y>bN=6+BdZE1?KW$fPo?gPxE1`gkBEk>I2%={X!2jaMr_QE$t
z`YQr;5oe+J*ekLze2I!xod#*ZZO!yN5<cW?*xBWZ^w1aCV$_{<9uW1Ag|Pd0U?=~Z
z&`)v2HZBj9Y-ax!Tj6A-y>R4;^m$+8h%>>DA9gF`=2(`VFUMxqZRR@I5cJvxpAjG2
z6L0Bv!AInJvL;yO@Qtrnpj&pTp*1}zDX{|a0tBRQN<c)}T*5KzDT6--ay*GbV}Iq|
zz#-^tF?t>eac6=kv7dZmFrJzl{(0PUah;NVOqUOG<eOKEbc`bWO?{-X;CoM@$HRs7
zw%L8*KXOzc;&6-w&mr&*{Qa0^tb}#OW48XcW&9jAVOXjO)}z1dFyBWf@)7g4y$l>D
zUOf;=<*&pF_C4PR1!I$-9NEw#A0r)%-{Y^rh$Qq>K2Z#O5FYzt4s<I{;(++CAVx^L
z3}lY^I}>CyfA*A#uEM~|x0l`aZ4UCmChBz;ASX@_Y``>r*j3j1aOi`vt1^S>xIQ;g
zg~p+<05aK);K_(rK!aC`p(qQ^1tzg1)dk`=3YV?&Z&LX)Qu##{2yk5&^6vYKjQbvN
za*G>*((@mc4VX1T>Z8{{Bb^;g@Sd^?6sgkqzzjGL=Yc*LpOzUb?uFSVy<M<<7+KJ$
zJDf&|t{}4*e5!Rs$ypCM%S`y^F@*Nx&$8>q&O>c&E8!}7q<*sl3HtYFGbYuX;V`%S
z)OYebRX=4Fvz^lLs^LRbkOJi=#8=5N3osL>bLe8evli~HN4`jNeFq8FQ3}}KepGf8
zMwkZkBb3PlVQ}hJZ9&cC@#v-q#}`uS5qqz}5(OXb1G)~dZJ(L<7Xl&PNx_%ca3A5T
z2`BYEgnns0OE$4*Wu7O2i&u@q?f*@~AYk!Tn?QqaQB7jT^#sN4=QBPyg}?G0%t)nt
zy1y?;eoYcHGJv4;2tnZS2zbO~DL_dz^-GY^D`*nqR0b+VWFQh5mdOmPEHY%0Z!nqR
z0+k_~$e7B|1gFm98Hc_Ad5%Ib7gBlnvF?RZblX28wrCRI7=C($<g<uvNTrW{KXMA+
z!T(U7S54V7b9Pocd)x7Q6Y_h#P{`eW5V>fL7pDSIy;Oc@|Jr_^>WcWh%Uda<e;XCx
z1&uJ-+{tda8hyAfx8)p&w5MS=&bxhr%Ln_tgHVRp9i~_KJ=_ZlPzfYIfL;8BU!bwL
z_5@o8=59TIA0qIflRaAG4S-<?E?%37hr*hcs!KotE9-4BcSrVnK~{1yidvj?l2*fw
zTFHwKaEi9%*4H}sxkP?M_?N-IK>Wrd@ln_=c^`R4p3E&SYy>rYmU+x;=35Is!)~Fc
z!ODs>q~|xxzBLdJWT)Zw+En|C^ViQB5ir-G3Oa6f$07F~C+SF->jL?k1B-i{H2WiO
z3n~^cKhmPp(R|ylLzA?-dLvCo%nr&YjfRRV%=r^$X<cfTiUT1<-tOK+jz+ujkoWJ5
zf{!TspVz+SP*cD|tVI6Em)`J6DPK#!NiTz}6hf}%W((~S2pHDrc**y}ShWf!g|^z^
zqy55%k&@w~4O-1W82UhLZWdw%e3kn<R?WVqrG#Hv#B~_!#Raoi;Z|=b2qpL8QZy%X
zYSOmgO$l)(vN8K5QU-R3^H~BMLFtw{-C<RMjU)e8#^(+EK|E8+>tcH0YH^fA#|!td
zgH^!%9<i-8y-|pB>|qeV2%7z4%>@on^aH3giYp><YZufmZkLdIWxK=x=ra01w{lnz
zMB0JAcldlelMTFq;TKCPbyOQ}uo%Q9;#0mg7c*0=;BS9KE8W4bOOesa0n*m5xc>|!
zY$Ob}qusFq=K8j-)lC*wP)%O$dkpp?ylVZ88X~#=;`Bm{7$si;YQ0WJGgp@4PojQW
zva7{%WRxutSzw*YjrAX2y+q_zj3}X|<<80R_;Plro4JLO+1S9qE?%}=$Ct{sG~)Zt
zTgFja@%zpLz!e&huk&AT&8*`f0W-Vf{WgUi-pB25A5Q!4KkK8-E%GHMzA{}BySE;t
zncGV8H_17oYeU~Jjczti4UNF!gD-KKAHvmf2Ba8~gH>o?Fn@jcvRH8*6h-gin!UIW
zD!zIw)UF(Ch^MHy&l!)BeowQAb~6wY0`sB3`wY6@9rvreU9AW78*#RcpH&OM4Z}{1
zj1I}=SbQyaG0>-ZM>~&Kdq4YY?pXUU-uQ<oF-Jd)cQRUGuiJ+f8eKf7yedzQ*Mg?)
zC`K%~f@NWF>Qn12S&i8IVIm!`Eu#J1%zAl_8{>2<^E`(<*xP}A3gHsKii7KZYzu#^
zEsyO4QaTUjmg^%8$86hSufJ8tr1&S}-S~bi8B*83%}&781CNaZfE5%&PzvTSqdMGT
z(+_UM)Pi4Ij2Q=#rebPuPk1n<fV^`dC6Q(mlqbGW=GB%Dy0mcd9DH7_ExbFhxSR__
z*M>2AqnbSURzmm-z4`}lXe9oo;X)UjxoAa2Lf0al9xBPj7teF~abEe|c6_hzq{T21
z{LY0D`93qeFMyYF3m4yUT;byI@p$vLLox7F(f1z7pm{Y|XCf(nf~Y*di(zgw%&!d?
zv>>JnpZ4MY-`!ZLzSsO~HQ(i7E;?(|3(;e&m#_?U0WX(dFRsE|=KKHJ3tO(o?!dWl
z*`;|+^#|R2gksnJ;B@V?DmNsZu^n?a>nro$XmEbEFHcr>PO3b{cK*Hcvd~O9l$R#U
zdlH%dkMa(%eaEEAoAz&)_pQ^u*N4j9LHlz5@A9~9Cw`-Hus@Gr{qyg&Z;w;n^~v%Y
zxOn=f{&XxUKF!c>sgK(<B1gJti@3v!tsV0)=0Tf(!?^i_<$70)pupqX251PjAu!Q#
zp`G+`BGfkl^ADTwBR-mf0F$=-9r<-dEMA|bni3DACJ5H>?5{YCU0#XZFFZJjAm<~s
z1~0Y9l7R>No}P$vu?40^A@mpYMttpd)UG7Hl=?&5J_I$bH@x+h%MTIPqnGV^*5c7(
zy`lfaODVV@{8Af!ETqn+FT|sDwt_=nZe9X?xp;2M>J*}JSX^8M3K5t_wuK%$bYlA^
z3-<U5J8XL70Dy&34R}L+4T${MW%kc>b00tEUW>j(Ig?qA+r(~%j$t5b7|P%lFIgm4
z<XRNFncQDuNshfu=`;8}!^Dd7xq{xnZ*i@~X)fFGd09F>3`_hJ4UvuyE(aS6ZmiTS
z)~Fsea_l<zTz#J8)4V)2e<lBe{T2Li##=$xWT$^+r)_+P`<xa$fp)&=>dymkOd@+T
z@Zu@FS6zE(L-TpHyu+5^{~xFf-jUlaxL+x`1@_of)I5KK7M1ZYT>gZsaIrm9Y>I>j
z{egiLcOzm7=Xklr?|?EMd<@Io=PI`f<u)&L+F4*d4*bV1{8->E21u3N+)VtFE_@#G
zMM?ahh;MY^bBL!Lq40Zvgp1{NheRuGp0>_L?Zgp`bVq+zN>uXuwK%O_2Y<vhRcqvZ
zLlCJ?(NLH{&ILNBHy24Az8;`#fZ#-Ci>p#F&K$sch+hB(8Y(EHbHuqwn;ZBYFdX-O
zVGl2A@1ZZijBV?Nk2m$2eTvRQhHc$uAGZMWrmdU2ymZzD6ij+bF2Uql6N1V5I)Vvr
z+_oFo7$B2P0l3ExqXPom1P;K_y;~-5Fkroyk4Jn?9ZS<No{ZScVQ}4XVh7$RSZmAS
z>_b?0q~m7ynr}R8#!E}b@&{MtiMyy+APhbV!NoWp1X0R1BX#58H{e>j&p{70!wb}-
zKL;CN{~zMs1wN|kTKvzD0E0#*Dr&4)qfTw2*d{`i2+<5o;0#U_3kud3HI!?swp3>z
zR)ydsn$vNVs#V)-Z>`#1ZEdx!MFho!M*>)thYti1@WmMhNPGYhmHfVI?Q>=ZeBAs0
zeD248KA)U9XFt|nd+oK?UVH7e_vU7|Kubd2IZ>6)$-HOVB9K=$TFcB|l;=U9P1?b7
z(%9gT5m#nvcl>UXLL6n}q*W_*S1Z6o$ldZwDw24TqQy$)cTS=@(xbnrzrD_pTD{K^
zaFS#<1O!TshUxdN^z=JxPDik>!SH;_&($$4M!jisr3%nWt5D)r;e0_5V(86MQjZd}
z2cgpCyG#u#O$|r@vQ(oK2+m?#>hK74NK0pP^%H?#=)(8ze|jIj0RA8WJqXZhkKW|?
zT<B{gIwsL~4F|B$VVc5zOkl?pHUo%R<QB9hWBn1*|Hi=OOhSeSg}YCpAN|Ngi)$Qk
ziM~skMUHD5sBoVUxaA()57M8J(76i|(x1KcN@ImjU5<0^_W6GNT*eNkR;Y63-o*X;
z8}W>e?-h9$YQ?HM&Cwa!35d<>1V_U_(uRcQ8Zcizqsz{$AdS>;C-ktmCB{n9U=xFA
z*&I~Boe5L8#0M7uHiN3|IGXzFbmc6rRg-jR+^kcFiRCfgd8AQJvD-?DvOu%ytf^<^
z2PDg=Q#2Ky>@=SxCEY}a>Tu?p;^}b<9%*8DZ?01`=tuY_kwMCwvZz$EYQa$grb}5<
z%u$xSU1=p-3{K(TbmtbF0=O>rYC#e!sQ^(QHRqcDkhY3lkH4XuZGt)Bw&2YYTRUfz
zd^HE>@Fk&5{2J?GvgW+s=!$0<xqeD6isKmYmTSyw39nKRp<MXe988eW)<dHon95lt
zb;HG{D1C)Ce=T(uLgv@2jA*wmY*Lh}M3P17iZESkr*~TXi^Y9u+$KrPs&uQH3Hk~7
zlXbNaQ}>WOK#bgR_Jryr8yPk@{j&i4;Bz@{f^#4DKkaDSkBli<((7?BXi-kxG^JC7
zx=A}eg6p4f|0BNmPYHUPAdz|RQ`X3X0?noJeQ=<;mS0?#Tbc-`;s7j2|Cns>x#5Q*
zLJ7pT@%scb9PPT7v1%@~S5iAa1>N)+L?NV`C82-;D9Cp?fA3bDej;q+JbV&_5SIOv
zSiO_|0=QQ1WcR0cF<LBm;AYik?xF+*&IlC%yw@PBNn^&-p9>CCU_39Ga|KxR69nCf
zl-JMF_lx34@c<FI>|Ewyai3t3x`4hPW4{jr#=}@z(%0mY)BOsZ^Gx#iE7bgxdnk20
zIGUQrq|BOJ`jY(ge<c0$lD;vUJ}l`E(eyP>NK{Xjh!sS6wal=<O6J=oMR_)Jf62Ux
zDCZDZbbtGn=;JacVnI_*y7ROAS?lzBU%{LwU{1Nw#hI}XnlAjIMhzp%N+l=LSh`T*
ztw7vQbW#UBmkGB?qwRxwOp*i57xa_XtJ(c)8cF>p?iaa`T6hU?qN%?~k9Lk8L5FH5
z)hbdgST4;Pc>D#gu|`Pwsf8k6obR5g&>kV3Yys%@Dh!%~44Ns4N+qupG>3W>A$r#o
zg`!jVw1IL3Nda<xUaFT&D(US`!lW8$QeBgm>QPb&zy6_GvH6CJO-UlRE^`Y>l4d+M
zgY?s7w6{=ZyGNM`GO8wP-nbjeJPUN^<{Axno&aj_h}57GkRBa|8r;?iZd*;s50I1^
zyh?7bIS$c+Wk7OAscgX)dj;?1g@PNT;FE5m-~m!_YT;&q`~uyV$T5NhpvUJS@Q=%t
z5l$gWyyzC3O<u#>_Ys4#<O!11jMuV}>39mlG9tnRkRRT4Lct?t#xsBZVW7NVI>2QU
zr&q)C4H(h6NWX;i3-0yGKnas=7`60bTJzhvl<LFIL0@dt;5hy^NmM{00Ne}!99aJ8
zfpFfxOwoJ?_)i}X0$e*&!Uhc4<}v?Ue7hSk#+iICW%E5vzTH|oc4fVc(1USh`YSwe
zDfFsZLBqEEClQodENI`CN46WtO-k~J2J8$WgEITucapG;g!#;Vu1W0l%YqFWu>X?O
zP9E4`7OYq{oLA0p!QLhbOPcowyXR8Fv5%9=VEb1xf$e3IdN`@QHh96L1Y0p+II}#k
z-;;z>4gmWAiD8@qNjcF=d9b8xJs{-_7lH3&5hykYZ2T3epU6WX>ZUC6;4PFC>kfc-
zk||l{9nN};?n=>LNy>s2Q+2OHe0quWMA0f;J@aYP6Js+}J{@Andm&jDRnDR_d`j0!
zCPY(o)kjUgC_)^1MSx6;uHZe^chL>}K*D3lnzMPOpCP}oAJq5+sBUcdZvxZ(kjLsT
zl%7lYKG@5-gYe9+ymdo0HWi!NAONGjE$Q|9bf^pqHVb>Cp|^ieYwN~W=f|t@=->Or
zW1aNu=Bb5h?0Iaz_;YgcoC6463o;(t)6Lp0W*7;O#Ehd=5`Sr4`~wm{jxox_A1d|w
zh>qku1^cES_3Hca9fT(({Pz-GD&blCyL6)Yj!Kr*q-$w=x*sX$7xP$fgIAWjaj8<u
zTTgaV-X8?6`dx`Go&FPAywcZ}@Q0<m?@IV1%t~_Q(PBTA_(O#L0g3nRhY#@)i9br1
zp$jHV%l6k?{*bw!fl<`BD`Q;5iG{V~T2_eiw0QMpanAaI)J*Pcn4CKd*_jMa(w;Jw
zI)gDY*PJ_gv?T{{)x3B+Brb=Az5ZCE0P;N~*cd7TJh7jbL=Hc99l7O0DT2wVyP(Z|
zK4}wDxd4_&xNmZP?uOJZ@FrN76C!Jdn`=>1xl8M8=^d%RR8HV0IW(I3r;Nf;j<`iW
z$Xr~eo`3m^RB?1I@19cnhy<k)GE`-kmxc}1<je+ss~Kdf-R1lj@4DR8<vgUB{%Lgl
zF6UwMIbUIPIe*kooovG|nv1zvm$Q-A<aNwrx}3$51T1-d>i4`-!{?|E-!cbz(hb_4
z3;H`j6t2SgpK}kQF`kn|SOEmaL-Gy<)vso^evD>aO*Vze`4JGPRMS(sB!5`5Qabnh
z9wJrU<osQWVwJ1I+3g0snG5<*g0!qX&K`M}*_UKL6NlK{qla@A^dmHsmdN@bDYT?L
z&U#+8mAjm-KeIM~cR`@#2<Rk7+y+`cAyabn@EVzw1e$+MxJ;EfTFNh@)E`YcM&}cS
zvT7{&O_i!9En8f^SRvg}5{tl*ij;%3>f+bZ6)0M;3?50>xI$$^6Zrte%vd7M0loD3
zz4RG({iWvPBusrb{mEnMD<=t=Yqk(B?nY%#i!!|E57OgqqB{`P;YL-OsJ}_n6(;I0
zZd9#_nlDjfiAqn9emYn1EyWO!?m;vnC*1yU#14Ws5G0&pK{nCF9zt}vlze4{37Sig
zdu&a!REzv<n%%TW`i#@GP15VP^cZJ)?i)%KI8$=pbdCaNy!l>)rl)kQ<=ee@UMl(e
zFQJQ-*V)HkNc=!BF!HTk;uq)9t&({1JxaJ%UQU5ut@WpKDa$mMNv*Rw*KC2XJ`cjq
z3j_j|D8O9dfmx)RbPIuz-Xb(~+fD39v%V{=5iik3=Y0M@f#5dM2o*;?qMZxwzVCkQ
zn{POOpjqcGC}=>(*qxq8NjeT1hl#AbKhQtoK>yCq?-zNh4B}&xH|=rYdSQX^=$EV)
zPMIl~;@YaNHK+YT>i)&ch3`RGQ*X2W_negJ6qIW12SU(4Q_K@SUD%Ta!JNG1*aCC^
zn5dEFe1n44yz>nbT|Pa&K#n(<SzOC)!&b8Bv(2}fB-ryO8H>K`We|VJax1BY?>Cgl
z$>Y}@CCG&A_V{7ASlkvAj6#1GltOE_h!2=JtkbN?R_RsP+!oj#YlS&EQBEZv#Hj%{
z1_vX$N&xs4D;1KjoT|#{pdufdckqFZqdD9O-QGZRFQI_01hkpOy;|w!5g)ZO3f2sf
z)MI+Yg`818gh2e<YEIRhyKmK*N(t5Wgg^tuOYR^EoeMGOQ@~3klW9j~Ub+#aBkD<_
z_H%(hk#I#jQ!0FhlbU#NvK@kR%KTWmw9oCtHFr$%$+Iw6^^Qv3c2<nvy1?V_<8B#y
z0qgS$Apbxh|IwqBoK}XFU*HJUIOleW&w1+mibJKMw@vR_S@aw^q(o;WeI!hu!aPwk
zP+*PEVLvuibY$3G?aTlGtyV8J*>($Q*5%4`E^;IL6ZwKf?#_!GX^Q?A;Y?<-I}V&6
z;Z#&8P#kDEjCzs#4pNCH`;E}_=`tv=XwWT~y`&<}iJ(c6tKB5`OA?V%i%unp)7QkF
z>&8BijU6MgTUp;BZ>1aiu*8bNW6|XjyMkD436dN_67Xy!TpK!UuW+tsG@$a$!AB*Z
z?yASBSZ8YV6f&)A(M<PvnVhj+j=y+0LI*Vm<yIUPw@3EL&h(@kk^erE{~y`>{mCzW
zrFjR}{{W3C|KNI0o{;?_vU|L4^z}V(t=1?#SVy?9R=<jLM&Eob8~-WN+IfVw@Zh=r
z<z{_OT=~VuqOOKG5Pg>&QJ?ebA15trcEmUXPgZSkLOA{(xXqWuj>qp<M3L+wJ_1wx
z{SaO3*}Ktc?S%AP@ve_wkvyj~@i8kV_VQ%&l3M75(Ebrso6$^%Vu5?XeNf7nhu!{{
ze)~LcoVmzL)cCnXi%8^-2aK!Z(UeU|Gw#X!!5b&g3m>Wk6T$1J8%e?azsZGybvXIh
zl93?eJayO?3Q}%7*%}EvzRNl4bJ?U0PSgL8t@{ljrxHjCZ<kLhD_;3qO=Z*d*zR+}
zTE^8m+wX&jmc38?d2lmvDx_8BER|r+L;rmI0OG6G;MNrg%Uu;Fr8o<S+*#BMrs>@<
zoS_FkA&IjKVn=%Xkl>Em#nTcaCl$m$`f$mIoL_IX^r`_aHq5yL@}?Sn+9a|b^_*a0
z{Kt+`MFUslPUm$AwH>L^lDQmfwtGK+wH&-NowHqd&|a44SUSJPK#YB}uH~KBpsF=<
zrv(-jAI=u;@#4Ty{mM*T_2FKV%pQZkS*H-5ZRw3o)4D{tZXr8<BM$9#(-Jq<;ePUA
z>IR?DjQY97e6M9g>`3D$@>KK!j+b-GSv!++N5uVPiKaKMRI9<3+Q#3d^erB}@~^!s
z7aV3eKV|`(tA|ZdEHg`6|JvjgPrFMOl_5r+JBddq@osOu?;Xp&gvBS((4+Q{U{t*6
zotNv;R#IVEZenpqlx<Qhq4|ZvlPEzH$Kwp8bD~1&-Mt^ZJ^QJS)pAv$@Qu(Z&@9_<
zXn)n8ymp_!U_9ioc(;$C+w47)*}|(*pll>v8oOkXVE&xcA&0l6cwY_PgTD&z-xDc#
z{|D5Fa>ZR%#4TZsyJ|<~4k){A|MgzcpG42_JEzH*p^mu_!kH?dXd=K}d};c<sK?K_
zW6bOi$yVxYAc{m#-dV+KI5o9zi88P>%RWU2FF&F?i-HU)T(+Io^|?;`&!vu??UdWA
z(^8a>Q-u(TrKK)^hb}elJ2`&yeAz5}kDy)Z$hnTFpMvvvgNpQ=I$rBiR~LDxbUD{~
zs1O|y9K;3L#pw%CdC(>1wsQ<h5Yz~fJZ*0p{(BEtB0j`_Z~8b=8b9re(<eS}<mmzX
zlhAL6AK<@tpg-S!`<v{i?gM`Q`dvS3PNy|S%Di>+(-f#XnQnD>O&|9YnrZ*`HT#{A
zz_QjP_tkyTey8E$&H7+OEMrodX!z3hZgrJ^nc-`psq5%OUCy!}D^Y;?`7KW$v(gFE
z8~yx$vES(;A@G;)cT$YJ{Z7vc5(jK~l8dxIx8=zzKbjodSdXRdjBu*>NR+t|cQnC-
zGyI;v8@{zLzr7~v!}aVX=UDhgYz#U|l7{}P9GI1Nx>}N$-6%~SJIb<GTlOmpO38rv
z$GHPehIs6^!=X{Gl&Ph+-!#Y>djiILS-7f^M+jk48W^*RqcJ!lYSlD5+7|&-U+N%j
zdM`%n{&m}>n64E7chTM2N*<}guxu6P5;CK&!ao52OQGfe0{`a(=6+Qu<6Ek5o2deA
zuT_`}{)3%ck3SIqvi<Qd1OKuw#NV6GFvQK-Ue3fmZz9tiEF}O}0M3f++f-c;KTVcA
zB`j|}`!HIAF;=n~epDChEPo|$y&KHsus6JQM6u<p4(BMDlFAgub+vxU`PW!N+@1Ol
zN!43+gr4JM^n&=e+;hd536<z(_r)r`oPW|C;L7-AR>j5`yQR4aNrcy@I#fghW8PJf
zMPI-@$T^Y%qt%-cLa}+MS%DkS+Ao`so7~(oMg;O6XP-qcJqi+M@hA0`Uy%CRywsCP
zomoXpr^GyflysFe=PY8<uOacAFpz}5l)m<hp$qEmW$HU>rSAO)B+HK5&Os!XsoVmp
zEgo41hvclmK+9qwL+aTzBz8{6R?0eOiMYP3#PS8Vjg?Jk@5IVnzYFZ=Q-9>TZ_5;D
z7?^~s-;Qs!lHV%_P4RxH6e1_TcQl{R0R;Q5R=byZ-yeCSuz6Bg^>H$%?2R2>ugC18
z*ofO_ms15@vO`YRS^X+<ik_C0NBg%wtNv00kx5&m5~3|FiOsN*hunER#On_lO1$Sz
zhm6jf2E&;|$v8P%uu2|srKHrk50DC;`zx+g&XbZd_3UCnc=@qPDQR#a(9`lMuFrch
z<q6`Yw0`=Vf_?IkK>}-Vw$!tv)GJM?A2$k_x|{)8>i4$sDYa5k<ybrYlRDTVCvU_a
zAnhBPSZ^=AKwQ%96|G<G5;Fc>g%U2!dobA5(_l33$RN#oINuCLPm<P|v`28eL7O+@
z*X9kO5x@-J$ZuE9=l3}mhnbyK?})!gOP;3~_d1h6iO*U-O~ZDOh!zKi^E|JV^MI6d
zxe{vO!@Q$y6+7pd???ESjpwy|YQv{4@R_z3`fYNCL%&d>w>LH@8^I0&iP;D5vLUgU
zDC~*F^>U2H`?hROcHSlm^2unFN4y%aG4?8=a^bo0lW|N)BJJ=)<^nMKw@?K{S9uU3
zxlW76N%Uz%r%#|&&G<)(@q~~f^9JoaWG3x=Jdg}`wMjcS88RJ8lmI+lD3knNA3g=q
z1KauL(X{hi&I7(U*TKyh77;eEj?bP2T(e@v2?b7gl$b|u3`U*3$I!6Jntu|CX~fB8
zcFIUopS)V!c)FamCfRM0tj&JCKGob;<lO?lof9WrA!)mt*pYzU;z5()Vlspz2h;XS
zFRk?W#UxIAQWXDPgl!vKMuba_^HY=O+ggY)vz5B7P>Y%DWi^d}+v?5ar@pRzE1LT6
zRZL5An`$t0%^WUdJ7}?x?YdfdAE@tG(YHE>n_y%#_k*G{;?GOlZ*@+Q@RYeNGQfNC
zpQ12G%=@I`m)1=+SkB?g6)d#b<m|z7O^qF{41Z4ozfb#1w%>k(aay<codTJoaoTyR
zM`WtVSr$3IO8>Ri<qu5k6cYsyo;c9i{-?|XoRpMQ&Rc#-4uMiqB_$<#%45eYxG`Hm
zvSv-}go4aHS^Xt7dNQsV)1z{2YnU~LPmY#;eZwWr2fWa$tkmc$-BlIt`!bPNJFoBp
z6U&BymAu+4P`oCtLw@H!!5A8W61a-0ybbHP*ns^{BQeON#Ha(su-)SV_B%f!m&(@B
zjbVFX6A5EwQL(6imvg0*n!KS=p>S`h?>*<0QRv_H9vKx*_Od2g$riT%IahLX9gA$_
zJyo+Vlo+}2bg$(74S9t;KPO{2`H-M0{jm>8L%yYA;K18kM*a9W5o*ql!8_^hu8NQK
ze0T8Iqk^1Su?Ee29`+H^%ASYvyw(d)f;+wm2TaF!lX;AxS?xQre@kR26`a&fc6&4%
zgW58G&dFvOe;1UX+hO01oh6`ZQ7n36tnc00Q>I4h&*_g|{6`FeU!-4p@om^TzAFCT
zM|^es%b171D*rlk)~||RdiYnzuVTIDtMV@&^wsg3;r*}5?=XgbRs43wlCO$?2g&qR
z@!jA2>i9R{wlB?}y!BH=Khd>c*uIA+&$F!5q~V;>wStpR<ltgSXZQ;KApR2K*-7)I
z@zaT)@@4VIB=3;P6-i=wNhC<L>HX&`!cU~v{+_y5`dMBU`235~gWoWKv!Chn_{n^3
zml>w2cBtVX*`F!Tp_wtJ-=IQ-s)qz;oMC6I_P6_rj470rqh|Oa%E3|?3f4sm!|3U*
zLdULdKhu0q-bt`0VTEpjKlqe^4~rC^$4C1MXZg_!N&dy{ad7h1qW>Y@|E2MBI;AV8
zm;T-D-*Y;p>!zQ~eM?tOKb-rPu9?0&_bpu^-JJWDu9=SIzNIUsr{=z;YosUUzNIUq
z!?|x^{q(Thx3GFTnEMviP7lg`OIJ=8<-VosrayWjTOVQd^gHgi{gkqHc79?%rKHXK
zR#N7DE9tV|))()e#;=)L!n2)Yp{BN#;ny!opXCQ(wU=EjfeF;cY7E_1l_HEwI!F5j
zQq(?CBsv+I<nw^^f7SGu_C~YO)Fj;BK4RAQxGJ;oOk{lLXohYknmK*ZjrTim1IZg(
z^5TvCOuat*$+2Z4#t!DR$ZJnYPQv7Ju<C}ET*Mg{=<L{LuDd2y=9}QRCk)0<S4Lbb
zIibWp2Vdi&KCN|T<D}^u%Fmc<>|OS5SKVjj;B4pm;X(s{=jbxQwR5!0Hr)BqlDTGU
za@Csj1X9s|CL||ut>h<a6X3{3zoJgR2P=RX44uw=>^63ehGAuSleBYl3Yy=6MHod#
z2zK^P3<PV^JI_F;lfUeIB|m-B{^?Z(N-xwb+4OG3N|Iv-jTl>UT^ZEyLqYqTLA9;J
z`go>{64`UvBv^6nUa|9S0He9TmmICrg3QWX`H*)^XkuzqFK5C{?dOwSua^CxToUN=
z8>+0FtAA8r-cV7KZ&Xlm$K@ex3|b}(rN2w^+t+zq<{Zfp&b_D80(BnEbA>~1&t5IY
z(a&vglVzJ(iM_MIDsbzaQkzvzPv%D)-up+B!DSE3#UeWYf}dXX)1S@!>0~TJVmU41
z6f?HkKm8Nt-|Cv9Y~_4F12f@^*zX3Kn*f5!WF;~_XB-6P7#?#dj};iRPPSFo!Mz<}
z1jhl(VBe=PU5y9|3twbQSEO)}M|CU;&KEQlgK21?{u~-r7_HxRrU@?g_H-lEbRLx!
z_UO$qlD-9Hcs%?cpHF$*|K0hN{(O6^Io=`Hq?Y|uDcD0Cmw#YXiz{uCV>!oejGz09
zZ!PEp+3bEU{W|e*=DTx@N~gSNNCJJaAF9P2i7{upXu_=TO9A_t#mq46Oz)v3TiQB`
zf~#1q_uasw&rlwPvw0NV&!g|dJo*ji(f=YI{?m92c#y|IZ}B*I5|82&c^o2-f#2Z~
zc$!B^F^@xM@Hp&R9*0-*7}U+<h~Mxy@(vzH4dzighR4x2^Z155j_Jc=@LnFrKE~sl
zi+CIt<x#ej$MJC<Cp^#N#4~vW=kxehCy$d_d3<{zk8(k%;xZm5AI9U9KkyhbfXAu*
zd3;B5d{=5z`3{e&TX>wdlgH4vc?=U8e6Nki=~DAE=JFW+T^`lbc$_JTN4(5qq$H{N
z8IQB3@;LkVJZg9F2vzYIwSdQH0T3?YQTGIoG5^71?06p5)jT3$9^>xian3_Lq8Ib1
zZ{%^V<T&qB9^<77=S#WY7lKXrC69?u^0>g^ap7G&CLPIRaz7pywea{sfXBtJ@wh}P
zed#qkE|bs8FF0@)cc59CKQQmELglMYmQ$DWmUxT9ABVAtX(IFP)78?DP|hP@iWnuC
zBI=E!S1SL}OQ$$p;wzE*r+8eegAmRyGO-#yQN&oYZYs%ITH~i;Wfg{0Nto@wOo1cQ
zm;yg=w`(?V7F01yYIBwh)$v8_j0=3f&e{}IB_z`zGC6mU6#GKZ8FR2OdQI<-u#BWy
zrh*Tqi{&0j)_r~?DLMa$1Pcz&L38R2gmQCW<aviEnE8?_>-s?MZ=2i?5N@S@ovrSo
z<A9|8b5`<M>156~Wv<J}A$M$FtEn#-Wc<d4OVR+YcEn6JaKt~`xHX(lq~4S5><|o6
z&mKgBIDf~+N$QhHO>KUXhxNUcTALCBM_S3ixrH>=oMmGr_d`I!1LQ>@I8&+5@AL9c
zGWl0Y_`<yKvk4E(yP$W`%LMA8DV6^-f%)T`IK0%x&LADieJ-V#aAuQq_mckc^+aUv
zGI4$^rJ=WzExtkq_gtK;0;D6vXZb;ws%6P!&g_zhsK<<R?Om=r1Lvb&_FbvC__qcZ
zJWQ+^sT#EruS0Hbaz14yo_M#9UX#Qk!xAZvaMl?AffZ2wbyqj2!OXv4J+-{}QiTB;
zqkuiloOdiN{(n54;9v27b>8v+FrLhul0V+4{*#<t>WDU5<165RsKGTw@^eIu92X_`
z){ZW{*y>vZInl?wFL;vyr?#M`P||K-%4Ei$IbD)#eh;Ke^cJZD+Gh{^M!d`1@yE5l
z(T?I=W@Cgw6)bg@Vkr+}x+)M;EEiMW+CzUaHkykV)Y<dC9-?C}5>t%m_~NT|4?zf;
z!Ok={V4VakbN-u8_`2i@dIopY-ZM%#5sdNYJXPTrJuL_ZZkbf13Ag?bMjuErx2>HE
zNd|zI2#>HnKXSpzd6CrugHwfqH<IKr$(p}s=NK>cCSq@w*fDu|KO5raoki?)iM=8(
zb`!CLPu61Z4mN?Y>A15<<h(yXkv-Fm6)A0E@0HlK#0pJBggP@&0ss^sDWc(tydrL-
z2uXIgB%5uLIa4&*izM^tbOFg&a>A{YBmQo=9Wu%0XSr#miZDPwNggg*;YynYr8KWc
zxMN-LF9V(nti=Pb4}`BzJ*j6|I~%oCYi5`d54ty(^X*fhjJ=Kv@sc%@BzkZ##9=ku
z7m;{7z$xcvC$^j&;!w5PywV;g5BwnheMOYwJZ_+u8tCPD&|63;)qX>&-D;A(f4NqB
zOkT3fNJjau5hH$Un@Rn28IMI%N#snYixB%Xu?ud>%T-RU%;AQ=xraI!nbTW9Ys6-a
zOI=bUW=`iwN<{3xbxvyJS<V1c{I#a|U*!SXbTY-0e5+y0@g~LNc`2Ti6rBG{%sHuv
zH7<59kU|P}UX*@dN{`=6x`Cv_j{cqp!MTb2m`&O39cX@(9*zH6G)W(fr0x%v$avx&
zX%4h9$XZlOSf-wN#YkMar$A$=|7G~62~|++7tOp6!b~##?Exb4odV6_zMVd&Kcz;i
zGlAyQDbh+^#d%WLQ>Bue87${~bQq?(902g^ZVz2Xmw#7K;nWQuIcrUlktRt#)gF~3
z0Q|d2@ePw=5Qur)d@CuYv6>iYc~;P7|KFuFVg3mIBU4O|^Ne7ata*h5;`w<c+~z?E
zk%oTXpPi^JJ9H*i^EZ-ZNpYEwB1)G^cN04<S-eXGU;2I)$bgt2Da<S#rkjLbhuL1v
zD$hy`zn&c!|G#{oa|P%gI41p{0M+rSns~@8%b^M-6nJX8^DuBQO@rElR8hU~Zsb`M
zzi`gG1+@%U-%$eCy$11Jmq36E^6;1{c)Ueq4v*E6W?WvHTGC{)_f6LPUE;%e@nsT^
zN0+f**ZfN2Yx3d?q>TSSnu}d6S@Uy=ugZ(x%)C0yDoyXHGN{OYs9W}aEUCk^Np_y7
z>#t-#O|oy#6K#Kx?6YO}%op1OI0C%1Aa)jOJ6Ik#y~U{{1I7;w^QB5iGzTY2BY&}e
zFbY(r%@t$HI`Wyth|<`)%;UMq8udzr&*<Ir=JDN(hD|g?LFz)-x9Ci3&l>CaRg9m3
zd1HNnd6T%HBfvSOB^)K`w+5^tq|h3$oRCuURm5wVdF{(<xq0o!Yo&SZ&+Bkr)!Ld@
zU-%PXa!Bp){KQ&BpB$t@US0T7lv}D4Rgx=8F#9}wgFkqaR=^%*&<6;qsh^hLzPZ$m
zo>XYcmJ|3iUh*GBcD|rjHof~@+j_<{PF<>Po#|8k!tN%d-SM}M_1WF+J4@T065<M5
z$M!M$hNTHClY$T4N{BRXrLAKN&0AS3S9)k{dFxoL!lc^?ft*T!^=}<3ljmk>t^z68
zAaF*u{F#LczE2K;Ge9S={F$_dpxDn80RpB72L#+=LBK@?1Ppo}0xmF9zM8gGwH8hH
zLvNCfTj*gYsnO{|28czsaUh)Y!*984$Z2)I2KA~Pre7U>ksKUXLWtb0Q1aWHu$dhc
zNy+*npz>#1lFx-|v3^_W^vi;#za%~@i9aI3P(W%&kxAT%0wd8=68jr{@lTWKi<|RC
z<|8O6bGO0AmdNFKkv%8UQN{2@ytf`}cCVq=bK1%6845~`VXgbKsvV(4xN~#pNq0Ea
zSTb!c$7J*X%AI`R*>Q@LbaHlnfPkKOtcdJhFBPMZ&*>{QPkd4m3#PC_aXRviuaf2p
zM5sd2G+RJR(!}4$xtdh9Rc>&W6XEfPWDiv@omFNETGSWvDu~pm%_A@4JUiez_bMdW
z0RXfYC@4GGNh~YDl^=U7DZ<sC1zOOTDAe<HGrlGH^2^Z2J+u2$ybdp5*@F|ialNqY
zVL|5&0JUsD2`=VrVe}K(WHn!&E<bZBW8#zJW()|YuG_q@j0i@5KMN)^@plg{80xM2
z(xTvf`3bC=R#DelPGbz$6f6*vpV#831bQ52U#RPRkCfr+PiC&mAMXL;+vt3QC~i{s
z`(#r?W!U~ut#TedvOmCVx?bS-IMWpV*6}pt9B7g6H!*inFG@%HB>2%CS3d6#{V@f8
zsXz1twfa`Ac#d%$#OY71C@auPj;bl>Y!2Rr)*ydk!niFn*lO5|?6QxvZ+oVdnD(CI
zQX>ybY(7SAc&b{(Id)Y&b3SHtLU66(TH?;WTQ4|4KG``HX()Kwl#)3v%Z~uF8s5jb
z*$*hozP87=0%%psIrVui83OZ`$KUAa+xOlR3K}~4{&2<#Ah{-_clnt5hV50SG~X>q
zTK6Tx&8?|o@s3DzH-y@I`iBNAuftPsG=X8eGt8Yqz5NHgRLiEGRPovNzN((~ef<Z#
z$oFpheVq4Buj+39xPN%Siom=TRm)T3;LpXr)|(&rWdp!LsF!NAwm$IVhJtu&m_t9>
zC^ekCE%+F}xGrL`d4{*-Gr=eMNnc2<84sVlTj(?@RXosYSRH~hf4pW+Q&Ur@{gdN3
zI<L&PvVCv=aK-wNy*AYTwm(#{HeB)gnAG5YR>KObVd8DAk%s5P_6F<6D<qd@dW$pn
z(q&=a>mXb4y8S%aDxMEjY^ZP8Fs>nbe`{T8@M%77G})l3x0F~_D*@s{`0A`7Bx==4
ztKr4G)Pkw+eIZQ6>)>y&d_G+9rq!_9YKT7BYPD}Em0b3#;%?dgo}gEX-{XK6Ii@}W
z#P%)zNPDK#UJ)JedPGjse?9`v7D09PhRA>omOW_M13!ew_ON9STqM86%N{tt0gL(I
zWe>mvdbMqhGF9_4v_W9r6VfL32ejOaiMN`<slfx9_WF)qvu91>tz*Jf>#>S+{td?y
z3NCMzgsWb+sy=|Akp@8qWIs@R@eQTmn<+q!=mkrAg*AXcssaMPknl9&Z{dDw4It2@
zzxIIifq8R<B{a`Z8uTow{^*HyRU4{Sa1!I1^s$JrEWb0XNC(TVm&i1~EZO&u-<Q4A
zfo9Ra=j?5hN;W(CZmPXY-<x>OFTm;?ljYemS^w$m&kUp>v{0T_>b#Qny?xcQ;yl0U
zA7fI*EkqU6H>?=NMb86$V;BGiqUmg=P2MVr4p>FNpn*K10}J_zK%eM<<>Tz4_6R=l
z;p)Y+p9v*CDGoHBK;PwUpgCTKw}WE8Kwua=vg<|ouwZysZ+%%-{+(<=A*i$ObLSg5
zARA9nDT#FJ*-{F9I{O!EHRPEdrbC|@?>qZr^P_(9Odq2WO}ui)lSl{Alh0=*k2~l(
z{MJx9Y<pQ?-oC)R=d{yS^#tba^*-9S((pYNem3o0C2$UwI+Ln>t3Ml2x_<<Hha5g@
zXvneb5G91V`6YA}Kc&{3eJZ0`W`Y+MFqzim@VW@E?L52y{90h%odz$|!nNLqXqN(S
zy_}>On71Yu4q9$F#~bB^oAL##<t|o&P6^-Zkh+0+41*zZXjxt*hn~OL(u(2~*@-p=
zUw2Vjo2hS;pyeeMk=(wOLiSo!EH0g2W(_@`>YrcEZ#Tb{Ru#SL{NYr;Q5vD8#8h97
z`I;M=FAakW{9G9Ww0+7WoL-e^uLQqU@DztK?GDVFX9&?9nD>GA(f%HUpnzA=J*9!N
zsiYfw5z;_;5nxFUA;mhE6q{XANQ0FU-mR4gm1za4KMu6~#9%vG>@}>vviQoNCmW)?
zes>X=bLW8I-;BkNci}kG?*`C+CGEvaOvl5!t3<CW8|`<hn5CjQY)lpfqp1m%sX^ND
zjOTm9nrLe9sz|ahlE{F{XfCW8UCwVQzm@!!@jIN~^5ik$)H%I%oI-c|U6fjHvrx!g
zkc@hfWHCj(7?`(A=o6TyZI(}sWRa1cLyLBa^bE{<U*wldU52#4JX?t_@gi-97QLX-
z)h?3zA(1G1%i_P~Y~->?!YK<S(!TgFQ=|8(@WnrkOCut_HIa(7QVF{c_~LFg%Fi!u
ztD~eo911&%KB4r<+B;4EO~0%&XXdG<qq`@@@g2I5qhurYO0zDD(pbyX@B2Q6?db#f
zvJT=gxi6oS2S$_UA<j3Kgp=PEp&Svm7_gXl<n)%3$bc6mJt^KM>g|%y>Q6)XY4(~V
zwS{i{!9ZX(C)sM5E^aAx!w-oJJ+yx4&t<~N3~z}<Gx6KvXULMmi`}sPeAEUAtWRB3
zCZHk;Zb@`Ndt~TE{>acsDGGW^KMWErI|8?t!7BCk>$IQp`DYP(xs@EI<c|!k3e4-U
zh7S8ohCH0lBh1XCQ&IwJwy)5#y^;1E1Ti*ADw>o@2(ddzB?3WGXpD5ic^tVr@-u1I
z$k6K%R3nua0`utWnUZnxN&b49{<eXFN~I7DB`@zC=L++XxqfJ<Bs$bEQq=A~cWBWL
z$r!O;PzG9xR{Vk~Bm!29lHd-O(krP;@kU9kC=M-tMVLzg@QYKDl{BM#Wa#;2!o)-Q
z)S9=+oD_UCL~Ge20?G>^H_$t+B+7s)3Efb-JTPymHIxul7nWxs5CVj#-DXIq72Od@
zv;%=+c7ii0fJpm_=-VAlqH-wI9$FvjER`mR4kgs!Mxx$xhYri5f=2?<(%d~#dyf+Q
zYC8!9G!rEewo6Ln*#1DvZiJ3(FQHd;V1szCU&QwzoB^e2J!Ol)yj_u@BWS-}1_5Lp
zC>eREp-P}Pr7nWM1_3=V@55-)^lL)vhvH5n-CU{jqL*KTlsvn={2FBF0WH83S_J0p
zsULa{MBq~aAdoZgp$MG~!j4if{HF;N9fT4)vxm5xf%}hAdWh0c67%0_4IQG~p}CYU
zLzF{AnftMDt=!dwZs-K&ZKBR1-w39QA^Y(>^_n;rj_4;`m`7M87tSEkA<Y|@r>Z))
z5NS)D1Iy%rY^NlbYjWX$<gOqo>T@950ojgTnG~#Cl~37BSQkc^P$^x?1;witg)-%r
z8XzP9%~%R!cR?L&G^&4){y78B#S9h2OX`q>p8k1E7IWaAp%^aBRm<^GR3&9ksP(i^
z>o|l~mp|0{ef~!khgyGuhs_>oj!^5h*jHeME@??(f6<2^%rFF{i5=HpmG_;*ris0_
zA3*~&XdAKLKUmICX-|tZB6i$C1RbJ5qDX8jp|Ak^ky^h$P*$hqDj=*sGHR+6{FWyL
zk@tq%k#EYb=-$e0KIKC+Zq9cxJ$I+b!5z?Gw?>K5EvOo<*C2FlxL*5>g89f5e7jV0
z&l@OL2o&wLq!S6Pokk(P8ki^AhIHUpB%7v`z6Wp`oLmTN&Be$dLP1gN9w!0;01<nm
zbPW*!+BJ;00oX=~g&#B_un1b_!faDH2u!%ah{C084N}=BGY+-EWu>7a>G7kc0T@Uc
zX{bQ<lZFaG(i;fKIv{+BG!#i_pmhidR1yLa(JYcsMIhkl+2mJYCdi2R7kb#AiR=?@
z67KgzAn8GlK?yNPYOe(~x1oYkRz=~5Un&Y!4k;$cp@UUk09cM4a^;`~DQWUJ0%1iF
zo*dNdA7$mB(uKsrts=&Z>=y~CV3Y^I-0&J;Oxwc;3I~aN1I^E;!hva42pE-kn&4H*
z8ySk=lSB#<360DgIz-t@nM1e?5lF0-gsdBigfxY<YevOir?!yXh(QsHB20b>?Tsi@
zA)@V@3l~vn<e4Y8O!|CLC?Wfa!Ys%GM4<`)yeQ0qYzKeT3eiF4Dq^<EDpw2=$;|42
z2?bJ6W?zdDt|~(nR(>U1Nhwm&m8#NMMx?f>I3<e<R;8(^T~#UyiHHo%6NTw+To|(R
zZR~^gYwjWJGS@EIy*OamBZGmKl_H(EP-7SN2)1rTQE^&i!MtV7tckfL3*-xDzp@?q
zt*YJi$sxgdrmx)hfS*cLo7e%FJQr3@>}zZkn0w<pLy0bIm`mBAyR3w3P^0!KQTsao
z?0Gs@F7f1J=yF`s6f{mhVSA^SLvlM?*~r8hvdnBaMX`<<=x9HXW<AS&K2l!jv_VC!
z`DJd){BwTy9?XNkWB*RQ{Zi<{db>k3YVVYql9t`cqb+e)jAFmGVn4(U^GD&-xZWyJ
zj(nLRS$bIwYsCZ8_W`TQfq8vGrxkrS)EYjO`YrRd_K8-%5IePHL!8ZZ?{klgXZnoV
z#X;SVMb`~xo)Nm>%Nmqlo&MORm<ezX&#Sy=@61D@LekUo27T9RSfWUDgM_{MG)A1L
zi$RHC@E0(6?F%q?;zO2E1%m~-_DhXgHFCg=YTTH`dY2mYoE|*6i2IAqz@}&SPmTKh
z$i6cwtmIK*&Z_?4=(atp5}R}D9RW#NsYx^KqQ@^<L&C(iNmj!el3VssUJhe#;o6NA
zG}X_%`Z3Hcu4D36y*w1Sb8)0%c@^@sXfbGZ)K@PL+}U1Vv0MUVnich}uI`-uLTW6l
zXDh5!c(FfzaOPVEE~Ye2)vW@>m9>F8JFJS8;+SvQ<9l#gjc@tT8*f9C61{;eztiH~
zf!o`#st8k}+1RV_DEYL#tB6TJS;+3?s|UNBY!yVNZS5aT-G62ighFdD<wlc7)!8pc
zuvA9vccb=N&i`;Y0rT}};PEXH_UO02TgE6DY2R7K#H*~Hi#-?(%IbZ)>V4ayzIUng
zQo8Ru^}e?(Uk1#VAs==`B<^|Q+N*XDyQ1E=(keu)ymOglmlDbCA^s58X95YGFk)|~
z)OA`SrAN5%Pl~eNl~N<^@01a<!YwuG1NiHKJC}&a^=+)$Q19Eq7q9ic)zShK$6oSR
zXp(55<(H7CZTSg_CMR)h)>^4)gzb3t%hYALlqq$pw_ij;<(DZm$gio^#;psqjQZY|
z>QONvtS=)URXenvlTrSpqLWKZO-sLynwGjXEj2YQ`+90x=GL^#)U^ETsA;)d({fW&
z7FfQHHm!7PT4`!J{OhRcaJQzzO-*aRo|@LWHLW!@wZ4v;T5e4(Q`7NZPff?WH63qi
zI{E9U>14O2lTA&hd_6Ut;?{JEsp*wpM@_Fp?p}#WZ@Sjl$JL0e3Z;>~>+9`*i_CRp
z@A7*4RaPp#RQ9H$zO@2E1UoWb1iQ-K#pc7v-o+w&S6hXXrz3Z#bA)=M)HvcxTZyiw
zI{U3i`*uc}wG44G(jeQ@V6fR8X(ILxGrqkmBhBip)ZZTQtv4f0#P>$k2585Zz9Q#&
zt=bVS9N$=<DjqC_MeXs8R>Enb&}j9#K+8ic<FMA;!%E1fvUD7g(bu;x>SKMisG>8`
z+dpvoH;QE7#v3Ob>^9?eq5X*r*%$)Z>uR?%WcQPioN+yxy5!7ShHZD=t>gA9GMcgP
zBWk}Q^^tl}gLFN|crk1;d`H^57`NYb$L*br+xzN$AJqG{L(yeW6sjFCibs8%!*^#p
zS0uZGomD6jcd2EUGsZ(%f1SO>kn;r@q8YHYNF`^NmSu{KP%JSF+-|WSK^Y;GQ4qFE
zi|Kd7w>@v{uJ^rsz}QWQ8N0Q%9351zwUx13T9L8)B{OzwZKYVDL$=rtyc!ujM91zO
zQbjX%8y!aKtAqEI+<_yNy|TpAmKDserMB7e+tilv`)jFfnOj>JL)y0dYpQKIvY{N=
zP)YIh<Cnws3r03<tG8cpWrMUWvf(u&8@{-0-$#lHh<w=~ZR^Sg)3&JRv@OEnN)}?S
ztc)gqCIjnI6i3!VYU}K6(&42CsTwNWEGi*tsLRdoNhfmEP=tfa&ASi>Id0}~FDPha
zj=qZ$zfA5KFC0I-KE>=tibO;VN2{-;XcZB|Sy1vsgm~bf_V%-UZ(6?fd)B2!c5;~6
z?azv?F5)3%@2wZ}=@M*7+|AdXDf9IAlVoi)Y}k}3K)t<%DlFmu1^(Y=qR4z2ApwO&
zo8BV5gLhYl-yZd0`Mgu6;BEE3r7SH+eJdn@kEoB;{1x;R={c#v#b~{Sem-Sl5<$IB
zZ1d5MJ%N@+R@@R@94Yd;)quC(#J&F9{7lTPg?%E`7$N$E0{4=6v0o)i%Zm8hdGkg3
zW!hn4AG#o%8X~LV?9{4n*kRnFxE+Jmz&Xmf6#q@mGBf)UIX~sXD$a}MJQB_q<E#>O
zZN%&5^yFyV&bm^AmI)wca?Uazq$ZFv2&#7Hh1Y1V8`vKW;IQ35wyW6x%ygE`5n|~)
z(EpEV8+!s<Kq3}gCnq{=mT9*mr`xqj+$uRGqB}}h4^B363lMXyaBz9-JUOfeUwXfW
zWsY*?I2VyJ&GUU=CC`+t)D?-I?{@ZQQIZRZ7#zslX)Yw1f%64Z!gdA=Nf>`kW`x*V
zb$v6jeY~JV@lyn^a={B`j|PVeHjEl<Ig?n}JQ|cs*!><}rSZX;n9R%JDRzaI(mHZV
zg_SI|I6CkLdS(M?9SiODqg&t4gxb(83IXNtiq1ksdbEqQ*&CeLTY2rDgnhB4al{t)
z909xp$nifx;ql_%P(8Eg#)EZpezR1!ApHq;!#saZ&S$LNBb%JW8!*uPJCY>F6ydhr
z(l%?T#VzSp!z%V=y&`$7#K_eJ@nhk@s-DcD?z}p&jg`+|_zU8F$rQ(nZi+8i$mY>x
zT@ik4v(MnzC4c+oLT26#tDNs}?VJRRN)38fA&Rdo>~jm;VayxeJls8}x*lv<6Mh$H
znSTi#-E+Gr+|<WP4iwu%ax8TZD8BZ2ydJ5W7qK_w?bl6CD#A8(x{$T~Ek$Sz{uTRr
zS;$~hF78uR%PN*7miw%R9hQBvUFfkXDAgJ-HD{4oqTZUEP?UK}`6HY>uZY#=S;HAa
z{dDiDwsVrh7TfKq#@ft5l#f}Wx+iw1y%>W-;GtKq>vH)@oI~oW+h?yf2NY!eKayjM
zQsaBU^Ag>4)Uen}jWoRsiw8V*7WRr2u_H5sUH(QTf}2>jrN8@;81bD@Wd7L@H&ZNl
z(<pKzQ9lZAzwU$fxB77-wGY!7^lDg%IeK|!4eo$BdE(q4!ltc%drzU(JMTOM`xV{%
z#-(nz{|op{XW_c=n6O1^jIU}#CgA!}xA~eHdkf<I5xCWvc$dAcVts1Vz{KMI_NxJ_
zyM13_XhbYnH2X4<EL)vRSlFh4&rZdAtKYnFc)grzhJmPJW7M~^YK{0apT+KAdo}K8
zg^4ZwaVTrwQdr-B1lj4c)^0s#z{vLMZSmLh1&ZP!uuE{BVOPXGd688c(pOQzTz%d8
znM-Nu1R?|*!6`MlzY3D}PYOfTZ`|~`^8%}OM;cz1y+Rj%yib=TaS;S>ux{BfYgi6G
z?lQ?bzrDJ>*F_%@P7MToOj|vXwNAKojIVlq{8hoyGx6p2=VOKR&Z9{E^y~?GD5dzY
zMs_CNKHGUw76E+ALWqE(_Rsp+i)r9c^((WE3Z>$+IPU7~P$06aeP6%o?!avy&{Qou
zX3eUT#GzDUZ}n%h$3#T7SPd^(4VZD4TNT}i(3L%Sl*4y}beOOzR@-|kw&5{Q$m?9a
znrcwDvR(CZ`g=vEudAiE@!KvW@kZZkArw6R?4(!`9k6Njs(3e2Z*qu2i>hC_>AZ-v
zHcU(D72EK9Az`Ru9T48Pe6L1R(f1ilGC)EObAT;Hhf&$pZ1<YAwu|9#?OWCWY>4A~
zxbQjt#(os^^mzEdk7s=g&S7%eRvs@X+|;>e3pHO%ymxl{$NlKYGs4Nsi|Xw4p^BAt
z!s<^6_R_c6b1y!HsZsuOQ^jqWgFN}yhE2F=B?v@q{H_<rchps{zo}BPgxIbgX;@iT
zv6d>WWVlCiu5|s%ERQaXPD+>EvHCEbKSYOZ94-Abv_R+)X;>Ai_@GM2x+>Fm+T5u9
zlG0(dBowMf?A4LATd;1f-DVBIIcYq_as~2h$Q2ZQy}C8Oe<K7Tcq5`6G1;&<nkq8V
zB{8xc(LOE}_Vr{2BDb``5{<}pX`sa3-uRB>xkWg&G@{{+A!~ay#nnTCVPa%kLHyh2
zq{9B5%)z;QN02!2G5I*wWX<*cUAb4iT6K#XyJuh8vZnETMI$)_czZ$RGl3UP4*ED+
zJ!s#xFU&kMlB(^oeC?L6JM&GK-pOh!S;?3+^IKLT&Cnx!wddLr7s<^!)WI+F>E*qQ
zf98~fTz_OegV88r@2T4D9Yp^!G}aMN*3T2$tq4Uhj+e?{KHRxsmke3tKrdwHwsy5p
z_1GdCz3$xeidx!a@F(RUyFGCGAHd(b51(k7YnkW(QTs!&@{*=J6_Q5OQ2BQC%Lv4b
zaHs`Z7BksFtchXkU&09Huxf%T*)LL9SHLg2gXHo%7pG-ygSUvRq?l~t^G%j^=PZdF
zaY?XDQj|yRYkDG`;l4uEg7~j3-z9Rp$1aXHLtnUwVT0Q~QiC?CuEHSf;|d9Ls)F;X
z4!eyfa8;ryhXZgEORbzfnV#r~`&X?h&p7JE{a_E&lFVx|oaE^J|3AMa``>u&?8cV1
z<iJ@)Eh`#-P9LY$8h=LT2LHx$IYAXth@t}v7Ap&~Z2fVhdRWiQ1=pS(NnPI)Nevrr
z`998kgZ_t4VzN3?-81vQkm2xO+Rw+er3dn#w;y%SI`^Or!;o`XpJrbw$_85EAW`Wo
zj%zNh>Zs^Y&11K4lQ`b%F`UjKBeBZ!#{<@m&6Rd*Ww5fUUkfyk1rWU;c8GH-=b9nv
z^nR4&RYjrBI&~gr#ki4Hnm{F&S#G~Yn_FBEKLMTMpq|X(S$#@6l-uuj_!8Xqz9SX)
zg+|1S0(Y=`miE4mQL1V~%Z>=V5olF^V&Ma%abfXd1XVS&sN%)7fqOd%=%~Uwxp=WP
zqPRnr5m0(8-zU|}ZdxUXv}}l`g4!X*rHW68#S+W<WLU&%qL=~+;V31m(8nRAcqj($
zUBU_)t9-aWZV=shOek4bBw9nqjjvTZH@&0>^*YD0goQeBv>=yRh#Zq4+OL6J=ZHu+
zQ2rk<W>Ak0(@UVbM-OimkV7rhLAwh*SqNY1{Daw4OWT5jK=%4W0aI$Pa;G%HS9mVB
z;n?U5ku|mIw*$@MjTo(dH+GmFDZJH5utq8OTP%xDLirDIQnPRaLOsxWGcP*T64krd
zQ@vj`s`o%oK6`q%->7(T8icW&<JINV%748>Rb|fwhr?Bag5bv$u!5kyN@iVN{VZ04
zKy#OpNU-71-naEqZ^0n*7txP|-#C6&W(dM^;p9n4=9-T$r5BYsR~ZeRA@fHJ8rf-G
z4n7mBO-_pr!Hvi3^(1dfqdWwWQO=g{mq+*r-&i?w*|}L0#Qzf7^M=6AJgDRKSK~8_
zS(%o1gefnSD{rVNPgYXBsi(A)^B1GiJ70>whtCJ5qR+Yb<iW|8cg*v?sDCf6Sgief
zjp^Tm=-<rLoc{tT0Oj@X|8Mzsel9=vb+tw8*VyE7VV>$PdhKu#DP?l%O^I_)H|N<@
zZ|B};n6AG1(?Ih$UP8%hibPVJF1_b-l7g%vDYEmv&&i1piW3@7;~5cjAC{o^7c|G4
z?1y=JVV<1Ha5RI+nb@&?bZ!v1;}&{=nIDY&z;u(2__$OZiXx}3y<2EDBsC79e@ArY
zw=Gf#??=oqR16Z#Y|5>~4!<+xEv7R-e+_Ygk?8UMA-l*3SD{219b}DD3N>hj;bFTw
zH^RB+3CKKR`A!dqj`TESh>m+gM@CC$A(^Egcf=o!;xAj0{;RZ!z?RtGWn+_a$!}Tu
zK4SCvB{WH{^VVzbaq3E4xR1VOPOQhDc;F0~cjOJb+}D7+wIYsuab5y3=_+Ty2kfHb
z^a9w6>rq6vOck~8EJ#hCm1sLV5MkogZ^U&7@f&Dp^b`8z78ke9_%GDcSIlV*tUK>)
z*>U|@>FY=beVK=2`x146Z34`a_Z20!1lqUskwyF+%)mB>5=#-wOvVNjeZX)LXg-sS
z`0h4O5RM8gI#SRrT_k(^oX0n5pZ^QTdS>N=Rz}3som56@%dwn!tzb|+J&Wo~vd#MT
zSAk~G%^Yv^LT8EgV<5*LW0YXy#Z)M9`(Gs?IhtjnIy$gu;<uQtf)7^$pP<MHD!Tsw
z_GILxS5_*0k&BGbmDE8ta}ASU(Z4YGu>Hch$15z*G6IH3jPN0QvB2nsZJPouKPAw4
zU#Fi^K(qMFrw`>p`)zU>w;PtBWXwEVtINZq2ixP)4&QQ!^{LQ5&@zT>orOHio%bf9
z<w4T8p-=OgmFJ-gpKb!zh`mo|j*H}o1yvX3Y%hb+I5aF+vfo)urG(0r;&Pd?FncnC
zzH2X@kIx~86RzQwa9(iVNgjl0u_!gCci+B!dsZL6{9A0NYKo=pcDx!NZKBLTxZO&P
z>thANs|%Q(uP=;NyoHC1)v%roYHXbuRx<LS_z{V19I`a51fwCw%*FO<B8o~z9um8p
zRVUG}0*fYS@4@1_)0w?d2o*23IBYR>731i;*KJ~eAW9A!Z>JF~wvR~-IOeDLTjgLH
zKM@alsj0_9Za-$iLXjO5R*<>dd5=oE^9emA#FfXibcx&IIo-^8l!0D_wDfy#zvM3F
z58@ugq5AIF_&nPnWM`yvwCZ3BWGhZw{P`u&(+zY3rof4&n)N6RD|K72i3GxV(}jVi
z2>Xr4TucA%+D6GTKzBJ|m4l6(yGbk~q%+!MqS)1%_wxYvhcz@KC*JN=^9Ot-M`<5w
zMC|Jxr1(5JKiw!OUCvu%5W&_N|2^|av!{shnewNAld~in-Gm|r<)*ll8!x}9>3y*B
z#Ae4N{d9VF%qt|&QV%O9o(VRS%on(Q6^zE0oEOq3aQj1iX%WtcWO%xk(BJI&II;Ka
zSePP;#jaH`F<7irVER(*yn)n^xqUHB4z9X~NXv8%V=kol2U_GJy!5rwkAMLPb{)oo
z6EQwa)v`kD1!e{pWWvf%8Qr|JVz~^|?VJ1A9lVq~af+dfm%y|55#k9<EE`b}izQ;$
zZIqT9FYN$r_E?DmpECh}vRr#QA8Gqt{{jV<n+o3CMS=!38nY!@?m|JhOqEzOuePpg
zW1aFv4g^01+#>ewFe{fq5G(=l()Ovr61IbjSZ-L&yfroQ6&6HgOLO%l!LmT=DEfUA
zj3*0@SJtO)@}HBu@nk=zMlgAPDR6Tmtt96eHyY9ITQ#n;h~pDLiS(uCrh?_;5=AHY
z(o3P%xMcJ+P$Bc6)2!5!!6w4Q)Ltuf#o!=WpupY12Z$J#EGlE$tGo&$@cOX(YT361
zAK_iFu2uTTOl2%>W2MZwGVn<hmY3j4f)k%GjyDJIBhRcG1lh@8a<ajs_+$&eBQQEs
zFq$i10n#MD_V^N~<$VQn``KPK$0dfG;PaAD&O6E-ftKZHb<mThY&MtBQ_Pj@9=fAH
zv|!DouaLyG)d&W$=BgE$W)I;-P`SW)<UND)jlfEu#ltISkqA-8cB3zq=tFs^BUukl
zZLB<>mmG9*$X*fI)6Mz?tG#Vj1qWfTvN(KS)}{3n1svbIiE6j17hijhRk66vUK3#w
z!l8+4$j2&F8++2C>~sn|{!+A}4F)ZX4p@an>RQZD*(Pp(ugn^-&!VO6Vdd!~gzUJD
z$;e&3YR02h_39a2nFlQ&3VD~0^`sd~EgoH&XWiD7=1!R=cG=pH`+wWs4Y+(t!%jkK
zht*i%wih0owH$}<9Hs&#&~mznb<>^h4mLqRxXkIRv!y`G(He;eqzV77N<pCYPozQR
zlkR~bWQRY!mqhe4l@e2&1ujRu$#9%5Br2MumkA0%apr_X^gI!VM@gyEWenU(i=i$C
z9xoJa5uwPfM+^cU%<)bKxGIjKeLZbbi!kLt^11@mC#9-WWxdUvfu|?QC}QNhA)GVE
z<%>EH^EgHbF~CLmR1H_Tk|V^`Do5BeNMy8dYOpbq7!vfQSyw@Y2s6;oeqUf;Xs>A3
z`Ns+oT+GN(fe|FmcbF#W(3aC57}P$h+U<^MpRnE2i6E%#_W3f=ZCP=>?oi0hAH}hk
zF)A%X!e%6pNZh5dW4KjU24K-wSv_O~+vNO1yJY+<qtSh&a=USJrqmsWv+2H}HH@=@
zgWYVCvv7w1y?#^XF*E<OmjYWRgU#RrMr-ElK<n8TpE#&-S7NU((3~VPvA0j4`9WUH
zl9pkW2~lKt@<KniVPUCTVeMJV!fR?Ua{cYXX>;k1?A2I~F`r%(!MYQ*SJU6vyFu?^
zk##vej&7$N759-X^fb0LOQ;(bseV1aAlZ+(F$dtXCgq-6=AHvw$??@%4?I~}vWW!h
zmS@)Kd_s(>$%4dYA5OIxF=hNGH}|Kd&fTX|gbR%Eza;VTz!?K*G<Ai>G{UC1m)Wb0
zeVn1z@1WU0ulSo)yRpa!QM()mnM2U?LisM|7fR6h2<g{;PS_YQ^O#6-P%zPk;ycb4
zfj3(FaF5pSTs$@EjQyf+rqPX7av9Q5IQ<%aGk-JsQFcBfYNuKZhRd>~pSg|9XpRK+
z;hu7a7q>efL}6u<obwrWi^L~|vj(j0k+UuO@YBYEQC-2TZ%Wsayt*ut2f*bYtql|?
zlUg!_p*}sah5nZ~i#ds(VE}lsp9_u3*b3nky)Bqy?+A1MMj1&yflXupM~f!_ZZ`G@
zQk)<sSd~UnV|`UD3<5gT(VwwXhTc;kq2i?l%Pi*KlxaJ92adLLU2<BH<_{&d`x+NS
z8n)A}Okq9#UD%&;bsl@6KUKVu4~FfclUWxMmx1trw)jCTmYyg!^!Um68S5FfR_9^}
z-mC88)N}b3RQCHKzD_lEN0Ec2$U~X+J}RZkJUEp2v^RcNnv-kI0MBAEj7Duc3QpBy
znb3^NWW3gUg!AmTvcL3w`&F?eyr7pxdQS1oComjasY`+-qE+pq9{bNLh!qwVg`KH|
z$eUsoFPsgA8E-`52Acm%s*Av#v1uQpB6~14ChKYBWkspKyYq|}=e(yAjjbGx<CN^_
zXljy~Mz@u!lbME7TfqHR8(Ep!h?MRK4=Fi>$Ds$sCP!t@LDs?ES+*J5c6E1bika6W
z?+%uNAG3x*X4Y_}%o+&s_zJc(@&#Ld=oz^%IDI*^n}$5YcmJ(LwcfETkbl6NvUr{O
zv$i+L_n~ZU8ts0YoCsxG91Y)0q88^Ws+v#VNfDd<25PG@Q;L@_h}z4rwIO?7VoD+R
zjyoNyt>_&-jfaTIBbwy;>o%XxFC@k1<`+3V4gEWciu3@a=B|jgC>-o}e*LCwz<3&B
zLjOJP)UOHNt@%AVOH?`&syPfn+xp8$#cxm+5<&}W%~xqZ`O@WTUsc<P378hTNngDx
za9blFQo{}#@ucebfjge(n+vG|&3oh}ag(2o;oIevF;+U%bXg*mmqv5nco<!{T<|P$
zp4}?lRPbTjGNFOizF-ka&BFGwmy2zjC?i-dnnkFBq6L7~B-jEKRARFqb23FOH!>PN
z>lQnqs8n`4VJv*gSsNy7`TprdCy<n)X0g#sPAL)2h*Z2H7>GB2%4m)e)+WK36_&Jf
z&%0)@pDrWVZ=khVCNfoMZUsS)zrv{N{+rH11@(tgqnQw_W?=BG5+gHyjEqS|^_=rv
z67_v(<eZM4^sB^@5@*Ur>dqZi871y|uhukn6YtX4P7O&=0ZY;^)9pk)*KmGjLEsLt
z4JCTc3*1pmn<aWmLknU4g23<C5wtQDjp$v#yvnR-^;Bj?J*C=l!hz_zRCs`odX}bp
z0XbLAtwLocFH|0pQtsTh!K*Mu<A+AL)O>iLWgvYB0zOGu={02M{0;a^Y(v6d@G<;V
zX1?S+TMngDw8J83m>)~KdyK6U<jdZ0tG5fi&Wx)hG0mQbQ2#GQ=q5(X^mr{qTGjBo
zkV5bg<vz5~#ZIgY1?huHn$y*EJx!*Ee_HR=SZa%MNlc(cE+<bHDsb?pAF5OkV!<Sm
z?edLYHaEvk5{HsAi!^ond;OiyHXV@S-->|hsVw&HaiVH$09r|Y$$yem(&NOsEkhNI
zNMGZnkr#jZZh{RzMd3VJ$1t_nz^?S>Qz}6zW0N>ET?w1WTuvrh?yJn$<<+vy6wUdA
zm|7Wod@h^cL97ah>DX;)W?|^4uY1IFoWQ7k;Ep39sm0h@9!bq$X&<sU*Jw+*)HoCX
zVjpRx6d6h`2{KWDkK`Uxu-2@KKd5?Dpi_#cpUfvfht3t8{hD+x0m%v&AnfI=LWOZ5
zPVE%z@3ZWyX))jiWkW8%7PBsT-NYmDl9;fsVkN$d(j&n>k_z|ZlwbJS>-6%$T~T97
z<fS$<a;}w%Z<kL0uyRCvtl&31hg{lX5>X41Le~TbbzP0jwMH-viA@w*S*c4uO-=WW
zh!@QImw>5XC+#15RL~E~*=gmJQ<CmL`!_;xr(o_1%Sy^r+N(fJcQNB|^GT&7v#wry
zB$bLYkHTr21}=vdSPkD0$|{wmLfnuNB@qONSxo<E*$`;?h@@02*s>yZKAKY%%|yQs
zE)?qwCmIQ&tREx?trQQ9ZHc#Nj@8zH_XEvKB!Soz+j&V)s82L2oh8eS;^p?o;fmEb
zbqrV)u6~X3E8}xn%#sQUu9L%<0jUM9R#yjWUA@sGE!VE<HbVx5_s}Td0q4-o$^fOa
zHwgRTwm{9GyqCk0mLVyWEf=tpO$!g}=d7dCX;<~=!r3%MNG_DB^k9Cu4hg3KCQkc&
za|1168B^FEU|B;qut8?4RKvN&gDA2vJ)g{UlyVGKi=}}qsSv2VEoh7n-2OWuQ_74g
zat?4Qc<Ab&P@#71)L;<Xx3mvR=@{)eEM2@J0hJkVeI+C|@DWpk<uRZGB8MD$5!@$J
zGT#no$D8oi)xluwr2|t5qavn+QJqdwW&SFt(uF|51E%sKnle4~b8<sCv-E!}Jf>2F
z6i}Mp#w=31w&bsL&Ur<8fJ7ltdy!k|6)=C6A43ymAdr2UxfM!!=R_<zjNEj~t<IxB
z5P{0an@;g-Do~fiPBQVLxN|Eq>p&}<l2@fsmsZ;Abna^OIg?<gvzACk@g;F?Bm<UH
zNY9kFGJA=$2cXsKG(2$bI{Qs~qw}yCa+bvJGl_OOcX}bW(44Ak^Q-1&o&O0?<_~Yc
zDa@#vUsfKFf_@8d1<hS&=ejTgEoZ@X3fcLE8(&8Jce3%{)cEXzUmWr>B@MZi7V<E7
z9Eb3cIt5y~_PK>9-#hP_@r;8XrvfLvnpkh$4yr<0F@*x)O}dx?@HZDgnE~*}EC9|A
z>`l)l){HkEHG;2uIb)g=s4@|_hPJYoq^D%lhtQ9)FL+y!S%$BY%VO4|883%K&SP&1
z9Mz0xAA=Gvfd?qVO$2FwdV*hBqZ==)Ahn)SEd1M~G4vnlM5q{^Z9dAtNnNLyD-<oe
zNWFVYNv&%pF*NCO)*8x@b-mc-&3ZUJJI)<bHwG&WJ^Ct|p#^dbSNs@nk$bC?QZopt
zxqIB@H*qq?&?X}-E^wl}3tldgqI*a+_CtmFtXPgwiLVagoDoJC4{=6=mk8A%VS7#b
z?JPZ2Ja##KUly_nmbVMYCI$JXvy)639B8>t8OYdWrQ@v4MNQTy)&Wf2e&fN)aiv)N
zZ_WjCo-IOC)@-iH1s>)WAk{H|#^)kcz9K9q?=JAkZKp=X;3Lq|Be;UI5Xj^ku7jjG
znOKrOLX0Mrr7H=L6&MX@_3{WVKFt>YnMYFtETaM<c3WnWev5%`od(6nSRizz!ja2J
z<*QM@K9gc-YnL96n&g-hJ(bV7M}q>*71SA`r;nsPq>-D*sjauixl1`DzD2~Skc3&L
z^swSh(jtN8G33lF&B@p<=Rxgaf!0kV&N7T~op{Z_`nB2{nFb4>B_?c+gu&EzyKJ<_
z`Ljk~t)v9CVLFpliUeBZ>T%O-V>IOY^I=>U-FG$$Ua`&TQ^}^~c=eIOIyBatY^DXe
zwK>a_)%+rm(;xDHv!p3rRcX+8bq@X@O&QyienC<}6KQVUim=D&aiRZ1qqKV}b8U9R
zf9qxuGU~iR>u(~Pj|Sg#BPp~Zz0N1AOp{<BLB^T&y+wLvp6>sDnQ_I4oKG;UHaa7f
z>dd<nOB=t)UqG2g#>~StVeB>4ZX}?O2H+?VTOwV0idaO(3wpIeA$mAtNmUyb$&eQB
zeDER_=ajH;@)YCz53j{qL(fgc^bnd?nE76Id@2n~6Tj(ntKnE&5iYVs5oem+!c>#p
zaYc2>nV)iA>a45690LL}aV7X{_GRr(b9;rhV40vW9^p~!jM1)v^eB$|(brlcfH7zZ
z>Le8P+e4j7!24nQ6mVzCxe~n78?_0jksgmK$epP47v!GNsyd4yywqHatwin?IX`>J
zh@X!5eP|y#3#xQ};7Wy#ctSAWK(?C0nH=IVB@_MG<7&=lqQ;j@*Jh8bu?gi%rfajm
zQ*$Xjl`p@1mDPOA4_{(2o_$!2oK_LIzYRNED%^G$!kqzG5*8${D`NF>V&D#$_CU#r
zSVV3NPOi82%{n2%$y1C}y|08?$H?xYiSBY8%n+{V!K438C8IM`s|N*Gm2^(xL$3T4
z0^{k|;d7c@aoQ1Rc~ocxq{%`J#wO(r@k0;;E{lo&Lg!Vr*+M+iDYIl7@7%9yNuc?^
zL0iEaDfVku;7G5b0!1vej-;579wnSPUjWo<a(bNO$CnfPFrlDl@?W6&?ZtuSw>~2q
z`zymE0263l%V%Ek$7=DhA;JvG2elYcoS7;vV!r|5^z&qpex*#EUPdoN@%Q_ZMZs!*
z1GkB4kk<LCl<r*eyvqWC=7hxDM)oi9m&w|f%M<(h%oe+Hxo5u1w=09Ls#ct@BuX;7
zDwjI<P)h2$v+;=ujhKn$>P5&TlCIbJ_X|?KaATlFh-dtZz!dYOOwiaCbE4>LSvFvO
zRyg4lG2jr-;&65Qjavj%6&;~^N#G7?n!s%d4;bxP$1?kg>4yoKo9G!BXqnBMTCLRn
z)$2T^y)%B5N=<wndYvDAqD_SVy;epn%~wzdxQ5G(zo_1lsbr;Bm-uo$MU{4_SVs(+
zV$o`e3pD?j&M)<m8fPA?SR%1+I=5&?jBiViQ`rFhv>$_>bFsngrA!s5Pn#QOQ%ZjH
zr)E%nBELG03A<lY8vbgbL%?!&u7<dnOUR!!kqLHwX2R}C_X7>1A4TlFp{LuRS7`TQ
zU;KQz)h6D+vnU=9+lZg`bYW<Bdl44R*g@`9jfg*j`os<rvsq`KY4+HCp~MzntPnGP
z$o_{Y2O;}Tab(3`Jd*l_FVxYeAoTa=^v0ZrUA>ouBJy&oBl*wUCk4jt5W1N%2&Wx7
zi}WaJ*fr<>ET^o?$iaMgEIYH>V$;|eP$st|UMli@^6oyq*aR!}Gwh#TPA^TG=$Soh
zlze=^M@>Nql4>Z{zEY8Wn>5}x>je2&!$;McL{IJfRWL{3JRA@4Y_wO&U8A*_S(o}3
zNQ8#u@G<@?bRFIDHD|j+wVg?j*L9Up%_ebEEn`O-L5j6@Jg;w>*GgX3%4-Tcij^{}
z{Gvy%0!lRXSg=ihA2tdMDy#IMDCwH`l|f^=$cZT`=PVm#+TKK)$aIK!M)#OF-Qz<i
z+N?jCx@owxqf^99odxHSSPe92!_JW^o<jDL*i6xpJ)x-uxND`Z${@<!0|4K@6l2#g
z<yiLMpqXlxEH`t|%FvwWg>-e4IA^I)Xn&tHrEjW^m7=)%a*TKJ8t%+eaR^>Uof2N2
zlI=Oi=OV{Sw_=E^loZo7h0`Y&EshvMDaaKQay=7l0tu%qmqI#(02rRty4-p?nQqgT
zpun<F9vGQky_kz!s*#=wioinrbvegw$mSLYUDHy4)`qmVIU9Axs1+3P3<Y4^O$d)l
z=P>Qk?nHeWkw$eqSOtw6e4ggX*WI`0=Mtw6ufdF*ctN8XLR|m@N%4Qu;?9X3j4sCl
z&d8O}bJF7JVhPCazo82lH&_$jUk{`=ZgtLIh5(*`F_U%bt<GAQhk;{R{B&H^Aj(#m
z4DMqHVDb7FR%$|NG^H1W>stAH#D|kt6*-@=P$0Qt-xkBZoROads_h)o1~&9z_pJJy
z{S7B>u`f~Js1-tD*_I;NCX%gXM|_#&$?hUU-irsgq#j26`~pVb%%l6)??O@9jF-FC
z(Un(lrWgs}zY@v*qow(E-Ab?2x>j2$HgFPugjO_Qi$5{fxx<zdxYj*!A8e}v-4d%@
z+8O9oHxE3LRcml3MNsi4OvNj`q1;_BkEX7(0D2`rA8~<V!T{*|&eQL>*s#c$kMnBf
zJX+)~GB$c>IP2G#<Yr&B)==jaTb+VUUd(0M0U6hH^7Nkbr)-|E+cirhBN%LT)+>wJ
z%K|OZZD9zveI8WN<soD*6FN)!KQE!(+Qc}21nJWQc;vOyZNzFjrS}LcavqttP3a?s
z5?niyPsxBKrefB4{o)Q5ruz+&%}N}dD|+gbK+78>sbhF={WmZ86^Bye4`O9bx4Y}Y
ztE|8zoI+X2j--CpCtT4M>KN<mgLYHRc7kXs*4JnH#loqi%nani*nhEs#wLiPOYh6g
zZLM_$v7K_VS+sgr{1uMdmkmq^aVvF`ucHo$^|vMLUdEz=9Z@7W$oU!LzYUY-scPx_
zV9WVUrrq<x<?g(^&-D4If`)}(o8L|9%qr0<z5CwW@vI!ZKg<fs{%g?$x+|Zd)R^v?
zZl(%>TQ^fPamwa!H%L@x{~K>R5DhdxL4@-*NWtSv;@2mCClnXMw`g)rWGD!<+;3hF
z<=U!Wnb*S@9RHKoNJB>?HM0-*y7gz-_x+g%Wv&BHtNO**RdQ-A+h*e*$V;6pLUu<h
zdO{U#b=8|^U##S*W1WWmXijXgY&(0#b8a1}%hdL|_$WpssiW6DRMQQE?*u54J_lxU
z+f6C->_YAG^A^q(dOa?9WfG3lwhxwT23Is6mwtI0U`vy?DvPmQ8rO~tw8DE}VBprj
z^HyhX4cWU{2W79^sNUdb!+$r5rA*3CY&*^T?(GjJ;(47Qbu@KOAG~ck3K`oMcZ~M=
z7WGmjUI0-Bf9H61H${_0L4iIlRfM2u^mRzXSY%BCL<)F93#bKtVa3YKALb^uos{`c
z=$Y7ddgd<u9g|7w?}eF!{(ft}`#`MZ5x0%;72p(zFX0ikzE1K7o;u<dUZ>fUILz{h
zn|N)VbXY`u4{U1?zsNLeFu%w?D;P@Fmp0Y*8QfHR_~4G(K#^??$>~!}s@0k&PP&1X
zKdGMNNo{fVO)vad`!|Ib<?!(3@Yq+E#bXz*Ux5esFz#4G_(kwo!}u-dcO<`+{D%1*
z4xY8(SO~7QghkVrsCcQxT6M$^0q@e`GJRD#T<n(5o)3vVT=sr+)DG;+`!VTnX8DQy
z$LI2YGnfCEFV2s6B0ruHp4~Tj#FlWj{5SPg%iqAOw8H`A_tE^aKgRGg3*)lff9Z4k
zdeg0hdi)DskLBP#nuGf%7cTAlJ6`_>x<a=y=;niNLfawfpq8O@8~OjJdl&d9t84E+
z19BM<5<nF2Mig7DR+(xQi<d+goza;ZtyEg|l(wE~TU%{Q+MX(khG{d6Y3a?{J8kV-
ztUWC~R*O_akUBx|f{GeYA>1c~OAyqc2=Di|_I{q3NdkKQ@A-fJ@1Kum_OqY8*Is+=
zwbxpE?X~yg;Wv!@2&t@LeWrtcIM7cq=tH4C99$!gp)ZPOxR3>5yn?&k+h4LZ@GN*=
z<FIdXNQb?aG>C7I^!&J;<h$T29BEOw8XtiF1n}<z{^Esm+pn`GtGIR_IaV+v!ua#j
ztoGO66iJ!KPO?57%KJb*xOL1O+njv8sW<t`yeEbs9*EaFnG0UL>hc$EXK~W?1Wbf{
zhW51Lz@f1os!VBkKq809RGt~mdoN^lQ3uIkczyTrnzI7qhR<#;pPd49^0O}_8$Z>D
z%U_N<K+IkFw-x_z?tvNO+Mgv6;-5NadHL)`<W$YFd03wLFCKIoO!-5Ts%9UkU6X2@
zj6<gxK^#Y|o!nAgci@Eb*$gUT@4$)WneS4*?wx++nL9`<Eay+t2!v7!x6aOg?xz<X
zWaBLr3y<I}>OcRYe<267=ii3A0$F~z$#VQf<(Vb4(wji9D$Ccsjyzu#@_%)c3G@Zv
zboz`M{+>}j`xJ-c<noNLopnn&(T>-U()t9gJFxnkmf9AK!X;e2VSfLX{CN(s*<WH}
zS2xX-&iD*T>K<16WZgSMYg@`6n#>mjzBnQ`xzDiN<Z`TpVO0|!uYGReaP|B|-}BcO
zs^@a$-EssMP7w>UIls>G%4ZJ)paL{!QGqeLbf{I$O&(g-ROYHn{7XyZ|Kh4-zCsmA
ze5r$3d;4&g$UA*z95ZY0VM_I#F?`lu=r8Aa-8=YY#*(1n5%$3_wS2vA`KOSp{UqKN
z<a2eCCP2I5Jm@5hw1HIJJA=zJt3}&6?T1rbjMTn|83SEER-QpUs&L=(%tKaqNO?ww
zy4tm#s(Xj?RlgzO``7*?>HOWC!SUnF9p!e`?y_&D8mk5-8h=_36%vjAxQCxqV`5sO
zagiCYta`_bK#BwzOHo$7Z0M43oB1Tz5oQocu=>>}F{*CB&cE?to6Zwi<j+#|V15#{
zYxdy{TxSYtk0_u0CnibV-rG5pPNKT5tIw3|lIn$`M)~*V!zJ2R)7n{vEao_#$|S)&
zSkP5=jY<Bi3q+WUM`^3L#de$Xe_iNi?P7MlfdG#k0qKZ;xG6EE@rDSc2Ub7(j>-<~
zIM&kxz}}}A!L*gjN#6&FJ;%2cQrUGJ<&iJreg1R^fM2FlC2u*uTX_2@Z+&3!?-m=l
z`nL*M-?yw84Q5HX$m4tm>pV#sK+jT1*`WEm>BuCoFV9FnTIWMY^|yiwwfJS&!1FJ5
z<Ubw0;LL&iv$g`DNLBvZ;j81l0c>u4IW({KE9S-JvpZoGk$h}ey-F=`*r!>$c8Je>
z<3F@9aUlO7%s7P^!EJEMs_$6V#zaM8-@w<pN({fMfEcecSnY2BKizme(F|sTgMu*-
zYmSGAh4DnV#rXYp_>iTECeI*S+Zcg9<=znjMECS=hb^J(-DLOfn`Z6o$X{20sCk)e
zynSH43f|=Em_ir1vqeO5y{yh&e3;{`c@L>`gao&1#pL+Jai+!17A7zDT)^Kj_Z{21
z7(nj7KEM2-ixA%*Kdk(rk4A~w-~#zAe1`<lb&<Y1$sOhToQWR$@OGd}^6g1|nS=nh
ziw3x#{(9+>icK1oh%N=-VD~dfA1`r9j-RE*-NUOP2~OSIW8f1}msK7lhPv`D7b74w
zZZ0*3sm9!}hO$Peh7!Yr8hRkAC^c>#iIJ)?FRY=gqf|qQBZC@xz!Xf4n@?i2YRnI7
zDC=m|P-09_Ll1mcDm88aiDOk`L0Cgs$E$`C#|1U?fO)~)TO=w~LzlnvH8ct;>%<^&
zLQq4wxb#xvnn|3b8qHx1WxZcDlz3lILl2m+sc}n5oU9s4!y3vuMKzT8Ku|*ur>e#Z
z5+78J6=4l!ovs>6oEFs3113>wTq}u~YP5zmly!z`DDk17h91sTjW!Y=Rt<Q=_gq<L
ztA-M11vT_AQ8nsGoTD1`VGU(XQVk_O64cPcxvDXT#CfVQXH=r$QxM~kah(!VzP&lz
zrA&zn1VBaky6mT_xETtSaM!ptR}ePkWs=Jh8ZN8g{!cb6Q`sMnTdKF&Kab1vOYk-?
z`M}VV{4lC_x!qrG2u$)-h=$9EA9^FnM+39VQv}3nVfxE)&D2X(?n=eDlrP^u)%fEf
z_niLS3%NhUzDn1@=Y!zY_Q8BBXiO@)iwpfnr=zXu?2dG{BNYQko)ROt8*cz5j!Q*z
ziP$creUdXr*<I-f$D7)RT-JElAi~S3&h>=M)g4E2SxP!eg!SKT&ps7<g19a&)f<$G
zKAk4MHpZ>#n^RGA#+!)~T_l7uDt9EJZ%)bP5)m%PxyyQ<io66VlCiDa$UW!>Q_lWM
zy7IAPY&Eb(5@?l<tk#G1=w+*@v$$h$N_SQ-NkyLkA9V?YkPqt9s#L=-okLsLEC#{=
zut{e3f(?fj7OxvYpDt}Ybqo-JGz3UVF4PMk9T#*BNJbi3*qe;LtzM-oH&j3J%-hWm
z0x;G0UL!dda9THaBr5kOqq{{h24z<=!i|d08)08dR6>)jP@cZTc2zh1;pGS0laVJm
zsglGy=o?;N)P-juByc_IadmYWjj$~XoFT4inyvlFW^RKV!HE{$gZ7cUC7AtrUXjlj
z`qZFAY*lu5TE$iia+IqRS0yX=rYpCmqsv6V$TD4c+1HIC_m8Lg&KP%3I>whSM1C$l
ze<cNHu7LK5O31x!usRlDePFMA54QEEI1;RbL3mPZ6631SbpyCgJr(7P13a`30TVnC
zX?h-cnwKMRGIDFGy@zeL_aTn~*mh(pvMU{B>yJ#BDb~UFlmN<eDz?D}W~Jf(N|K8v
zqwA`(PjU--I<hN;CY^g(<Lv%dKlbr+;O%7P)5+M5bR?I~wlOQ<nk5|OgULsxqDw4q
z+i1-e93(D(OgidQ186lJ{TJ=wX;RS$#Lo{&HXd_6ONq2Wf%K$+ybaRl`vAq|9|shd
z0{5MY7Muqta#FD^=_og}KAEm;O;@f=N875iuOuT~e2V^qyN2!h1hhy;I+^3pVsKIp
z`R%$?wvwi|LtT*N9<#`PZLKWcGBOdxc2jChGDv~-_GEM)7^Y&I;#oeWv}J@KM0NmS
zNIJ6HLj+@LQ;cjT@|NR(z!NDjHVCmztO21p+Ynj|R=$+3d@>c?5+~#|vNIKVv%2Zt
zJ1_X57-fDcf<taiG6p}qo~nE`5qm1tc;;zLbS5N+vyg7wV2|{Pl7eHmp#gXFXGC2-
z$orH-eh-*eXX(Obu%;wf6D@%h+Yb=5u?K>3-O)#%*|L1__bG?JfDmM;0R#?-O1kiL
zD!LhNOhk5oadp!R|8~s%!heC7P52Yq0{$-~Vy}Y#$uPI%B|FeeROI`}M3j_nzXktx
z@b~%P?^6!{Ck_8SDk}Wj!JnD?6jBr*;O~Kee>?d5eDGHa+EZvy60!^bJvNlgu|3Jk
zeW}XDspvYnJtH<}B1n>Z{xqOfT|jnk@6VY7?v76TZakH;Zk&SjbSQJzSN2t1nYDNW
zUGXW9_bG?`D~3FSz5(Q69A@(nu?SpAZS)Pb>4Q&!wNi%lhCwuQWHKrU=&fWF3T#lK
za!;ZX@yay%7nf6mq$X+eWsSc)E^>9<aK1E<j=h+!%;|4rO<LGWy1$BaN3JtZNm&ob
zXP)|e=BZB!@3ghbR8mo~I#NCICP0#WZxw_CARSCmpT`t+DNWrCVj6%@T-ZnX1j8%I
zN>E2=Zh#k)5esBq%KYK}*mUgak2d~zWK$+KE?K#sr*!1SwC>d23f?cU;f?SGZ+s}^
zNxp0aZ=Vm|KIQOUNqbBw6&2oF!JA1>RY`F0c0jg*x6d=_2oP67cuTyjNJm$ia0mI-
zX(7*l%PwoYYsiwBhfhsM*K=<y7xXfdIJcLM<&u?e@HZVnNlPq)_fw`vk@k|h#^mIK
zx6cP}pK^GMKbcA@D!kjl8&ywL32g9oKwxlq0w69Qn){Tax0C0aoIFnp<yC<&Z}-By
zRl<D6wM}2;Jbf~@-{d)0cIQHQ{&*<Qk+_n?hmhwCG4dR|ojeEcJa{7#sVb!a-X6#y
z#JPZ&BnNLN$yZ94dr6*WqEt8S|J#~bnwD*Fp@g{v`RfTu#@CT7rz2ANoDkE|i*KeQ
z!gq_1Cm+e;^O>AJ<tFDoL;hb-TtYd*w|#dG0f>{^%t{Xg$+8p4;`5oKKIJ5%*A1!Y
zGm`Jf^vah?#rhxnzw!$qU;lrjSV!7J1gz78$n+Vzez91{&-uScrc0nRO_Av);5Q|r
zdwU9WO&^IxE~M9%V0|k4PMVX#i?<Ks@G0Nl+-^@hvClURNk=(C{F0yf^{k~~`R&$(
z7(?&4p&OgmrM3)JRm&S5)}%n+RP3E}<GH6*H!c4BFE*-O_9r{lIJ7&6B0(E;S0aIO
zfoorN%H@zMMf#+>E<sO_4aZ8CpkE4FMbd)|^daY5mM6F~3JVGXaz|qiy#l`rZH$CX
z<y`GOEERp7C)PAW(%6nl?HG}Ec`}Z+^NhyYGCCD|J;9~_q7lZBryD6xH|06Hxk@|x
zRzLdfi<@>ry<~PRvzbG_%ThSN^aY@f6pNP1XL!^lBP-I4r;Z>p%4;&d8#p*6=^Sda
zP|L9(3$$4xwiO-cRT27Q1FMx6<Qg;GuoD2uYzH3-LPANKNo7$8$?8+^!Fr%6JGxxJ
z-Z3rqb~5rj9-L0$h`zW-XNf1IvpcnuzIZ(hq>jHuhU@q~y`tO%*ZX~9i+g~~BYg9g
z9y>W>Wwo~sOQRtdZ^2I32&dBBZK^t#!Gqw)EN;@jPLQ@4ZjI+wT-rGMBe`EKE>CA4
zOUIV+=^>Uu7&xXVV_5S4vTwU>M;PW|x5w-YaBT=lpMt@B3bFVcSHC8rY;Ufhvs7Sp
zw30g9u7Qha1S=$}@e<f@Qoav&rMp+hStS)>b;R&9KV7Bm0-Dgucy+RJb)s@9S94So
zuNzrmQM*^_NX?ZHBhn^*Y$ejf(=ZV=FpIb2DB3iXDJv>W6jq`JL)O<C;-Y+4V^cX}
zI?UCAMK!Z2gbv#7>rCX)kc+I>a8)E5e?08T-yY7@GJDf}w-c!Iw30yOR_>7!*LqEz
ze~l3xnT)dk#*HOgq2kv5oV9WJV-iuH8jy^&C!^0nt90yHV%(`TA{{Ysrq0)e5Fp%E
z2uD2?f^bSvn}<P0xaUB008o;^iV|@CoD!nl>QwZ(YNiKYh05+t;XSFsJ&=mPM(ak4
zDdy@%jJ9NyBTmf662euf0d-M?BQ1d_>}XZ<yM36eWnwWToM<xNSF95CNbBPQv^)w!
zV&F}uwtrA|PHZoPlYtl8$G!e(u}6Ned<AZ8n2s*Cysc(SU>^9jA?ATgiFWCzBOH$L
z6=3FU2|h0X5Wuy;`W}ec5(Y&1tjYnRl#tVEEczJFqF%H)3F#^!9p(f)w>lkJDxWf+
z-e?oG=80Np2Cl4!4x*vx-YfMgJQ3!@Rj`>+5F~YGEFt2hAvv@n4Z~%PQ!B)Po@*0S
zmrhB8A;lJW8jiiB@saXB&7N@ypFv2*STjLGR^V8c7!~@={9t)m+}bo5Wx!EH;=i5n
zUtrQCLX$>qAaY_{*TKwt3G`&oq$4aEsH&yth!BXGG@+>j3kD{Qqakoa3Sc2pU}}LQ
zQTbe=vLzLL2@#QsJR?$$N=3GafHk7T{8V53a5jaEn!QqTl&9o^B1(!cYdkq?ipYr%
zal2_~$mpxpkX6Km^Db%p`_NbJn}1Cb2aMcPI0B#`GLO~Li&`$rZ{n8A$tbB89R+tl
z!PotA*;c?>P`erY8olOY7!)-M?!cmL1BhQPhd`j<4kq#Iez^<~QbKa^X4I>IuyBDF
z)g+0^#}bt<rlKz*7*dg^MY^%bQju<&I3f=Nig&ZyM0c?w;(fRypp$-^+{mbKCuM93
zL+%BaHI6%3nPW8q(`?=|mreFDucJ2Sr-_c96`MUFl~+W_`Ij`_6<uAw_v`Xx#qf{8
zivLQ+@TIVJWwnl<GfSMBZhS!$J|S0|u_8`FExDDCDD){u$Yn-IzD@nC5waaZt~VgI
zZV!P#NL-%+qI_7<r~GtIMwdZ=(MHeL;7hffeJxq}mMz~IDL&Wqgy=ah6<KGWDuO8Z
z`k;i7(qy4XD1xS<MPv*mA!N)O;UxDql|#{(hzW<9R1|kED5Bs}PeJ8*3RXXI#pUPU
zqtRr&f~#(E8n+x1uku+E+$F|(kn0ROpdlw3NNs?I`0bu|H0*$em}<(0hCbzJxY}sA
zOg>0WXW4o%BS2)=F`YdSXxIS_1AEVasD#kd0#?kp46am@Br5Ts;z4*`f+Dh9#KYx;
zsNIIeF<QNtp3aJvkZb@8NcUnW=cHX;DH-QOhJYKJjp|0ib40@FMI@Xq5*EqC6`qXB
z56SqYTx=da6%Jjx*geKqls2R*7n5LEP$`hCgC7{wycxFCH8RSZ(VP88E9g)oBc`Ir
z=)4&?;c!!%HzNdMHXuN}4d~52M@D)E9NvJg>E`Hi`PVC<=I(U#d3`>|krEClCglwQ
zDK`$a>0CrZ=^!Z<K${FGBIME{eiS{R<qbu&yg{@q2t_@HBwYIbzVk)Dd#ESv8G9B1
zCity*czJ>y2g<rbL&K=v7EDGLJEKlEBJB9M%ZD9(%CVy~w1mHDXc>p{m}jZlD&sH&
z0z39@8M@9EEJMKcv<y>DOLu{G$dZST^JI*oSvHokqR1$%;>p-mL`Dp1>>xL-jf@z3
z!K6NQoF}4a(?<P7gJp$;Y`Ogti$utQ;u&WmBETwlVJkvIEH%uut<dn<|E7g#yog?4
ziNlnZhYE)zK+Ix1w2>$aF`(glFcLMhF|4(M2xj)p2WQ6u3GXQ)A)9I_m$Yda9mbVd
z4Gl)UyV(&qR50~MO7e@Da`)i2oM<`MXlVu`f~*p&XD{=5;QzZ8W4=!hYf<LdR;GK~
zAZISpErzAoVg!3+Uy;=a8#sPMjnI>CqOna+hYAMeVpe5=jsuJ6*w&pD0TJ@zja*Ao
zP|@E6LXovN2WzqVk&A!u#}~xHG|d``@564vV#LA6U%0XS|8sj0^1X|#I2W8fC(>Dn
z=#HHm9owO`79&tpVlvV2=W(;x981TPsR_#Jx4kcqDYiHDM&yF=%AE<19gk%mn&A{S
z)7v=FL882$*rMQgnT?l!b{S3<nT=|I#XD`SlKChTr`UwFy;rk$XagnllvD@yj(KHQ
zC1UtJ*MUD9e|u9gEIj<x+7tB_sO-lO0xZ`KH$FvC3bA(aDVC*tw+Pb?Fu-u8qgJA3
zI?9fSYE7Ap?82$l3PU(eJRreFalObv7!fuO#^-3;DBx+w@I-V6iwPaw2Qm_R2Womx
zqQTV=;pXU1o)<D0aWzoz&jzk&8Pn=%8N9OY$~$IICz=AlzhEI$cg3zh`Q#&HR>#<2
z+c+{&$)-1-n|s=ukZiZeIf3DbWdR{KC9~{^ZiJ9NH6Rgd=UaXF*V%PX$OHa#s_}?n
z=B{C@3SnuVyHW3OZ_%}<=`rptrSOX|$f%ypgUq7G75`)+iidlj+ys@mV6W;$xfdc&
zBO1p85DLDaGY<G{ScmHs?7>{c7Tr1=dvs_5`!l8&BBE;Gb$CG@3)~fq7yGRukkTlg
zb>0QRhoyjmVT+P(XR9F*3v(FhW%$SBfSAbHr4gAy|9C%N-Am~^5whk|m2AnbG81v}
zrZI`gvpNcho=M0N5IP4_(T+rn4B3pVSYOHRmRqQC9Hd$uY>XMTmgx}f;tn&i5n#^F
zj-%g8Ol>(x<lUm~?i2}Gn7dPz%M+D*6VX+=dc+WU3sof%S7qcPc)*>C;^TSjYi%d0
z2s(l6hM`8h=xQUJ^HzDnr6RAVU_e)oqU*~=IV|Vhawmf5utfBE1G0WdGWudF#^#nQ
zF8886>OfAU1K-Wj6DyBC4U<k+7O|>f`<ZQ@4mKubA|}mulVZ&uY<rRFfUjXa8Hz8v
zd|1z?V7=9Bq?@NN729e?A|swK?-F+3a@+S}wd;+*j)JkMS4?HhMy2Fo!gm^dnMYs}
z!XRrMBe8OMGWv1~B+PR-k<Jb`QxRX&#?c7^RxCo&Jd*>=?WY&`y*AiLo10OU;6GO1
zxC|e$3UZna#Em#Cm3`Z}8=1&&2XA>X0&k*wF+|=&UyW^e-a*l~`5L5{kr=hv75lz)
zYC6TDfN$W^_Zob0OrLaYW#B^W;XXuom|GE(kvplF0d1I!mV%cEeVKy2EEBR-9M;{L
zNX*FL=7el@9GYiNds~t@?NgwLM{^ZWu`;n32uagObtEb~Q&Ds0G&{$sS-Dt(aM}Rr
zmbr*UGj_I!j7ZzjsVI<`uI>1r*BMw;%b%?vnfPIGti9%T4XoHO(H32@xjY@kIfIzT
z<Bi)u`wHd<XX_m9w1%8xXPUS)O^^;n#wH`rUfTHMK_iAt{1{?fYG-LW_LzBRSvPER
z-bI8VF4?Un>g72eqrFaqJ!=by0<&)IA37EB>QVx=w;ujr#evUI5`%Iq3o%jkU}jC!
zS(7XY6}2LlEtBLi9#DY<t^iQRPIu?xGMtNwO02@Y=;*}vgs~kFu0OUbMbfOhk&|GT
z&N4x^4i{l1s~hfh?_~lYC;x0u6hL94Hn$B*NA}9YUFE6`lbZ;&vIVlfWt=G<eaA}3
z?aii&(hJhDt?Af$zM7kYJv(tXR$TeDLH{n-c8qFp<{sy6B=9SAH+EvuK|Xwj;wi|d
zP!#-u${%B<o>E%B$#I~N6_%j{y09qB4@sM^QRX;{nQEz_#m;TXRF@4&sLKjoG1Yxa
z<aG9<I$G*(6eXA9a7?pu@a{&K49+C#)Hbp`A?XSXx&;Q^I$W}KDMV5C#{yFKmoM;i
zRC+v{xR*8_Gc1i&pgrYv<-8n*$v`6jhl(gY<wHYKM)c|F7^Bt>S1#jo)B1u<tOK{>
zQU4tDg|7>l3by7EQ05k3If7?GOc>i{KFFQ&K_;SWCADm#cgSL*I6NTDV;0}5sn|1d
zCT?seRq=i<x2n%TfB0`FyBO_9BIj@$Qd(k#5%958kC8%L0)B}x6@up(aeL+S^4cm&
zj9vS736W&vttr`^_7P!BJ)QhZq!s$2iM<()+~qc;Fe=|9CHhTZ6PDT7S2V@_iidxf
z_->xtD;{=P<C*8c<i>vMkeF=VLO7A|DI=yxNQ#vi@fUQg9Xa$&^~0w<@z@>gK@;5~
z9O{#iy}G0{_9oweR@d^W%C$TtBJY^jcIRNQgP_<tQLAGtxfw>>qxcv+j>IpeqPvMQ
zfeQAicB~w$tWh!IZG(s%M_T<C6OlZX*qfsIi=@D5i~3gq42hf@jF!(Ee?rvf)A&9s
zmn1838@FR6tc8OkT*I*?Nx%{7IC?M*s}YNlwe#yp^5LA}atl1n9#U-cZH9CT8Aq~h
z#JCAPJ$QXkIS_OrbQTU2*v8=F-q<5lRDK9{T|&g$F-U9cl*sf9`^<|nr+)Q^<~SyL
z6%#O_z0$Q*7@3GYgNIpveN5KQ!5T)<LX&wLlbI1Qn-LN2QqU0g+l!t=(HQ{<E!=pV
z0fh;Pu7QsF0It}0Ig~JG8O4Qlm#aXrK}k8&<P`&+HM53CQyZ1f6Hb$iu0gs+_9r86
z(7k$Dym_;_wac<&0F<*nYTjuEqPJ-ra<Q_H?f2Gwp08tyP3jZus5h$$M3m`G$q^|i
zu6I;M34~h*Y{LN=)}jn^#nLw$dERXLZGI6K*6-Iq&f$tM3})`o$Inkx<Qln~WqXr_
zZ=0~ODCLN4>#+R;VFy~;WY~h;_VyIwNh#fUOiTd*KC+5Xu|)Lg1oJS0G*xib6Ydq-
zS*cVE^LyPOI&owo`iwH<Zvbv8x|fNVsyu)(%kKOXHXkC2eHGEBi)efa(rC6DyIsW6
zx`kb6qvsCXi%%zFdN5wxK}h>11RX{;)*ym}VVj=l%LNQBAP$R>f}5mg92wc}+mVWG
zRyjU=yatiibm`~D%(LV*>{MtL0R2S?yF@I<(ty8~#a_1vMU}Vd6ofKyM+J(GG5$~r
zhI<-jl2sSm&+NA?WdN!+ig<Mhz!=TROA0|WNlsEs+owgUZvur$Zv*iRGu+mNNRDSx
zm2aji-$@d15P2PDn?t__q$BKTW3ypgL&YxZyNLF>ErLWeR$Y1!WNJV*HsYz>Wfr!+
z?Tw|q6aaABj$sr}Vb^zI=Q3;8@|rhHSj3kdQ|^KQup7JpTkQ}}5#8H#bHk;0jF}kM
zFwTCB&bKL3a9!-hR3%aj8P(a1;}n1cKZw;Vm^CTxFvf!paW)_^SD6a1A3IdKp|r+8
z!dpAod~ShpIWX(y?M`^m3R{4sPeIN#vh4+SXOcw=yyyr#7edk{ZSWH}w73IJvOf`N
z!8Xu&BJE9z_1X}Cn5;~&JXBm-{qXNEzp;h&gnfeYRdO8zlF`7o5VW24N(%Pt<PE%+
z_in=xe4__86xT6XVAd!rG@NJ0;AZTAlC3Ew5yw&HB_mk2D^eWC#<HpGB9VwZrVE*!
zLpEhrH2VX%X35(D7v>=#)-OZS1{eAiHq5GO_%xcs?#2nksvCn-G^5xEvSlvY!cVT)
zx3IOD+Oo`3l~|D&G2Rc5aOS#g+pjS~bfuzsBk2Y<>y6=}D=<FpVN{rsd>;d=0S_{3
zX04u|cdIoxk(BbFAqzh}NDtiO7Jkob#XL~6c5a%;X#@<(3Na&N0LEKk$kk%VfnvyX
zln}`9k?~!vMG9~EqUZAqN9TWtOMA7La4tieRM-SA7eX6}GpO9kU$V?6Yw;n9bBBz;
zMSI}#@1Q6e*r%Ax*u85Ya3c0vHpe?WH@-HW8zMwm`w4(8_YA-i3Za7mpcL3G)0Ato
z3HX`>aCAS07z{gHH3bv(KwM)bEV`Q)w)~ryjw~_5wT=1A7grLp_lX-}&CCA2gNJ>O
zmY3VhCN)(|sNG<}WG-ND7^^jlwOfas)rK9zQybPQB!rR2_5T@4Kv^=;wdm#*2s4Lm
za3+XjXnj5_5TZ~pwG)-glxRF0+%X#!fJyMdGVHXGtPaR?q*MSVnp^ph(x)KhW9)E3
z$0_h4)g$tmArYUFuRDt=rvOY31ac|}bA`)?oIWM&bTTeV1So98jvt<Klo=70Z?S=8
z2PmF{mvAIw^~z*}2X)D|^Wm8Le7(33atwtW+WyFz3&MOiJQCP0R+?*k3*TYG&;jP`
zhHfNGMq3^6%-5D5gjF%dXosV3#lp;ohwe#5KyC^v70!A@UP_1_gw-fO<(F<T&s4*e
zpjVn1*fLs*I1;ijiMFwfu_p3V9H1aP87`vVi>^|-@vsX_R^s@QaAaE^MGZ3|o%>)J
zB?uidQHslJztn8(HTIj0pAiU1<TXk5&Z4`J$czSLn@?p_iLDGK;z1Mb@OA+O?S%_$
z@#dk)C?PK}Bkr&0Ysr{BKrg&mTk#*ROyk#NUc)jf1Nr1e<W4<S$&{xdT0j==)_ppD
zam>3R((Y7iW9?1><ROS6Ox7pF+Z>b<BCYttM&3O43l-X%uY8=a_k=>V-V*81*RVP`
zj!eK}%9DOpAP$m7`D07~DTOCzO(Oad%4-VRnW7PFTL>7zUeoNN2$b|dprm4P0HXZk
z49GImMe7G46QVEag)ExqbZY~lot3LK3X#|7%mRyZli>^x;s8}-JS!4s%%F-PiuAHg
z+6AVZA&DHNPB~kIDn_!(Z7EM-_M?}jqzR^Av21#e!QRQFVW3fhdVq5KbsQBxS~iCh
zHo<jK_z~|q`N+lhj<#@wT%z)E!toN3r_A-|4k?-LH9l|_An^~f2O$!?A(Ig+c{7IK
zZp<RQkE)9Yv>pB1fdN;<ba4h4tz%3FwR{S!m{h;Cb$<w0Hl}#+X~@R$B(Vm^li)w3
zTdU4IC`53N79en6GP+Is*YF?Y94;s9D7z@=Rn65=2~fAS2N6cwWDTQASAn0gU$c1d
z9<v>_(<eR@!{bw=G5W>!ItQlcD6}6%7RWkn$#Qq|$V(gVI%(jIXCKG+t<$l`)0MCC
zHz|>|3%L!8abO{;;*^EOU~8pdu~jS%qHoAr1~TU;G_p&n=nzBd;ZYSDv=5K<3>Bdc
zh~VvhK~sb22L;8HZ?pP^W{D`&l9L(_`wp!O#)>Amod~DX(BRF&*U73ax?H~IvDn8$
zg~CKIhUZw=zMhDMuQ2)Au?Lr@B6tRGWwxPxSqbko5~?tfv6~Tp+tC}Zr`R!9hMfHE
zGSz8#Y_jpLfvImK-k-**z;ppfr=9W1rz>ATso-yQRC^ZGFkUbch=h@APyr&#&Ht|e
z5uai=xs~CuP>*B`%WK_;bmVd8$boe227m!}e(UbRA+E-tDR`afy~590jY)SC)sWDN
zW7QOzM0ZDQ>j+N)@->gMBA3QgGG9v@J_DZeI?99Dr!`nQ+J!5IDE<`3x)X9l@dn+S
z<0PLn?ouA%H_k()qxqz^LARq4L@{$$O-sk}AeNRjJZ0R{OB!dFJ^0A{Go|8U#6H4V
zPo-n8CL`tyHB+w{3lvKXY9am5KU$gD-n+|(T7*`r1k}o#nMUMEt5y&M!$lrXH%=K@
z=A<yv^)UwmR<oUVKH(uF&wQ^+!D?HLiDd1`ftrYRYB5p?&AQlv=V-inQStES#cdUc
z#Q_|L*M>-7mPihZQmECf^dI9yiUUp<%Zt7u1zEBrpb<WvEij$*gU&N~mzE=0=;6c4
z+zMr+Fp0Tfw*#|;B7?=p^->6(>Be7<c;N73&XG-oPrA}P(>l7?!HzDH1KM?%*bwbF
zu%j?B{|aH&k&L~p#oqH!31{~J@Zq@GsgoqVOlP15NTHC#XIoiYplzf<j!RldCMl-C
z&MDAiDT+bwVrvsowp5lRv^Vma?aAPEXKk@%bRvQgx*6iw6l1Bsx>~m8&fy$q7nSm?
z@DeetS;%Bbf%}9fUMw|RSbr9XYN_af&?#!3EErF`Nc12pA<9peBLzo5ge54w2QsJK
zK61&QT0e?|4L2W_%t(K{rE<G$xOD6(JZbECB;{J#Nq0Hf$r(3soJnxbg$fjlD(d1W
zdKrb7j)DL4Ji}`*q#LjNaG8ldxdafc#Lb9ic=!N-y0wzHP*hWHhv<?xS@;|HTM4zE
zVX2EC?_?c@uumcUA?gY#1J0pf35czbh}ge8?I#}@#^$9S)a6ccFg_5sYs66X$R~1)
zxme`LJFsPlDoBHL6wk^zs7TFKR*133Ie&q)5_ff_8}Eu;w(OTzlPlF-kC7_d-cIh|
z!NG9V$sJPU$@8Rb-{mfUOe*SAGBj+dvWA72ibe=JR+wA6+!}Jp>g0|Gg2AhuUmUH<
zKMo)+#mtmO1rE>hd=h7@_3Un0ZY)`o(N$E^Rw!h_)fwSSA9#aUN?<s+fP5$?dYN&7
z3^GFtStdSXvjBZ)#H0KUty@KPD95J^OvDG(6xWXn0y~5AosFlSp?fG-;B+6q`=--w
zfSouPs*%7pIg?XbPwAX!Ah8Eyiug!h*|5c~ch)$tuUzj+(J>jiaip_c?`#V3tO#=%
zGdcq#|E5k2@xZuhi_QG*w!$&LyGw~?a8o@{RSPJR-OH1eZzn5Pq@%4|&zO`Pej^=0
z!i!Z1sl?2P?m#Vin$h{;Qg)IxwwZk@p+Vc(1ll3z+#Cuz#zHMdFq6^aa+-+6C}wJs
znuPH05XXs|2dX!bJ(o28@}wPiet!l^OSgE!fG^0!3GG#L;~4FUOUB7l!oV|uO^_k2
ztUw^haGd&Aa6rctg-mZ_j~Fi(hAcw~h46QB9F^_w#T#)NujXVOWq=LUw)J68Jk818
ztbC<|@WW2Q$Y!fU!jYf@L+5c8r71?zc5ZjD4X)FIyTOW8t*i^SFl|NdNP(lB{YtQm
zxm+G0*2|#bjS99#*u90X*xul*jm_H|0vb}$RP8oDIgRe~(wqp6QJ<~SCCS+GbmNc5
z-1ON$d{bu%u_|IuA$hdjBN2x0m6fRNjge9wGHm;3?E_gp9OhFvMmBKHkG?X5?5sr~
zyMnBC8jRPp3MF2TH;z<Vg;G=btU`T?-4Y#B6d2y<+%o!AYmzkae$lOX#wF_U^`)`b
z<UwbmV)1Ea&SAK)Yyr-cv~JEZvYU}`5822u)WYT=cw{DNM!{-4i*)9m)2<l8gvl%O
zf}OD_Cxegp=F-{e*xS`O>KH<L1UX{xIOnn7=A;wpk2anOF*e|=H3LjL;4-#YAcv=G
z-8(!;48KZ2sE(x0BNL>`VNzChj6XL6VEA@mM-##lKtR&l(OPH59R~!Lf=nH8f>{XN
z5wESZKnx4<sNCaD*QO$?#6#o#ajdyUD2`5Qoyo2@Jge2;c(8=G_HgJ~%Ww^#%iWA*
z--Zna@O=_l^LRAb)oFVm`!UhM64?&Kor9{I2KH&WD;?Wct*s)?@4TIiJ&)6bop(OF
zL>eNEN|~c?FdP?}U!;&b;XZa~eyIc|ge)+Gi)~}mVJs|6)HMKbMi%<9)BI*K;mrPG
zDdFuet7P_<QR?x)ihG$eFfxlP(T<&%U-$+^rZ&)&K$<TyS&RZ<5uz0H(M`rS-asj$
zJ!}^0(aplQHS<JXn}SF^5Cqjt7!DiYC`OjOjGb^)2Lxl*k+D3@`A=tpEa0eDb<<l1
zn&zb0FQRi~M_z+mW6S{D3b~&5%kN~A6!TByvU4!u^7{o+@HSS{0K}CnDE4o8lnV%K
z%zly!h{Nqs9&G*{%<M99VcyFi6HFOh$g8JP96^X~Wh&zTgJ2WDk}hG|yAE!Eqt@69
za))CT4Ao@f0JqAL1uIdo!;DfM&48#+%l(aKeWRxpPfSS7K6xTHq+?_(Nym1kW6P@_
z?YOb#ULqFHC+fGl>CNBoZ6Y@v*(6b4&uSJi1E7(b*R3CIJoR`Dg3LpX`C)N|A{v3g
z<qpw(SfVgD^{9mZXOjXhkXr=$F~vKODCDEU+28lVeGAfFJAxAO98)Bo17*cdIWSgI
zR+3(+D53i(4Mt>(9xMNa1%?-a1Kp{}S`lNEH^D{$d;l~ugz2=W84GihG{`ebY+)8|
zhjbk#!nY68tp{)$nie_F<{zt0Nh(cUu)_+Zu8F(mw2rQC<BXj8E8QEx%25EV8A7%~
zWDZ~%p%3A^mqQ~9<7>G$w=6JF1{wZE1p8AcMmY|+@B_6$Tq{lrNFqVQB$Z$jZDe@q
zNv0M6NLj$kItEpCz*F`LUxOszvpP(JzNuVX{m5(I{7O#Sp?DNp={y^}SYK(b!m#NB
zbwn-b;JX(^!|Z@CS`JARVc0{eVc>vhG@@czvRi;1U=TDF*~US>vn30)VsC0{#$K0k
zrB1C)N49APnm{cn=ADC83nvyOYzKyOEqO+Zf($kW{7#gh%+pQBS#`#k<?I%w!;>sS
zU;!8;&E5%iL*+`=#L3D7=}0S4Ksss3bt}4m1Rz5Uqi3iIzYDko8Tpv23@||H9M@Pl
zh{!`6J)H`!A<jLrB-QsWyF(_?*L`Lt(bs>Vr|*y5{XD#HrgVyDyOD=WQFJ3uDtmQB
zGQt}8QXD<E;NAEbKHSL@64^^9rm`QaN@Th2_>O<+!mE-Czsk67)L(1ga`8akmd!{n
zX#I7+#fg@SM-6!4*0cB>d(^8p1L)$41?PNX=$m9r95!;=4P=a85F6ag*UT@j`s4Ta
zUPs1+1@~U|R#WyL`U(|~3GTmNkon8?|D;I8^_!z#5U{WA{_?rJ8@1pguV3~DGA7)9
z#n8(Q*j+dD`-OnrzpCzdGA5EvjDD)^Y6s8X+wAY};tFEE2F%TP`kcu3UIOn#!+^wR
zpR=!tvL~+N_}P}oit4&87w`e(DJQ?p$Iid;)#`Izo%xOGx_2(PZPFA@31oNAG0)bP
zy6si@^$+Myv?W!%y}iAf9InPjBxhGFUf(~#C;qBWegW0hKgmtRneDe-&-G~oFKxW_
z+!`*9bR@+<wi{ZbU$o2n+<mx-x{C)!X!h1@I&)ygY^#y@EG7+$FI?F>s!x73-}(i<
zR@<m=b!4~1V+Zonz@+`-TxG_6Woo8q#O6%JaQYYv9J)R#(NJD=EisqmvG>KdTydPE
z2aW~Vz6tbV;}K73T<g|Bh+O@YajcbhjH<tK+<>b3Gsl^?az{l~{fu!DrR^ZYC`t^Z
z<Y7GO4FWP>!E-<NnvXp1J)6h=<=^=p1HEvfsDJXZrmA0G$f&Q)e}Ze{7K)d+Pg~DP
zT~pUE86QY~6gNEkWJP_P8+0vqV12xglJ)Vv{Ls3}9p;nd_VY=~^;fb!K7b$GBr3;;
z5G+Z#s83Rk2#LvK>*Is@8Sly+?vs=o;**pcs$_k<oSzA<T!l|kZkSI}Zn%>5arRRu
zPjuzDnc9++8|jmjJ5tH|_)+{2)hYZKB}-Cnv`<oQjFR>7qZ{fpSGf6-OZFxwT#aLV
zk{ZYQBsGpxvOdmzfDAMr8a~W!{j5F4UA)TmjgH?Ie$$Oc`<I}4{-f9H<G{uD&%-}2
ze2lB_#?x#O^UUTmo4V6F^F)I0*#N>ma9{#~Z`JeYg~F6^UMg_Oq!SC=#_i<-U#@h5
zftx73WSBC}iv}+AH`$;qTkYPk`p#}4s!+YpkJpv5*)6Q1^2c&dA>R=`Q3zzW=sV91
z4z)s$uhj*oRJ&RqrYQ6B1uUF^0WT+Ez|@Nv+IBKVcsU^hUQWt@v%chDa;E({rd<AL
zJ~dGEy$#*fzo+T0FI`wR)e)|$UpK-{B!i1I>#pO1?MySytn%5{gI;F409OR09Hm70
z?CtywNjcsLSnvx-IW{C^A|U0&kd!q}%7S}H%4ytsrBDAQ8u2l9jFh}+{QI~G<ltP(
z?#w^U2Tu}>k5~?#^o3=I1>ZP3;@=J3+Gi-H;0MNKVE#9{7E=60rj3CHfEj!?ebfE?
zq-WgrDA#|M<*!qH4iBjJjLqThKJk3*e=s^Ckz`iM_>2w4XF@PO<HPZ(3dUz*I6gJO
z_#{NeY0?Aj<r<$3aOuc!$)n@<N9k)>`&YwzAM;o9zG(cW;&sbDWfGGOA8t}DVtV)?
z)?D{iRr&YtF&aLgE#1U|v;4or!`JwK@eGc*I(wVF2;y8+!T;#li^lT*c>YH{UNkY0
zZCD`y*@jm4)8>App2_TVKV9xepSmS;AV0UAOlSf(S(fX*<crE5I%2?-2^IF6)R$!^
z)Kp3R#LroB`+6}Imzh(wWwM`~KjF!9)MP(5C;O>6IhdJ~{luIc%*)AsT22mT<>W;6
ze$B;&RRYeC|G3Ms!uW9F^$-lb@ONgjs@MH%B9qh4%*lRYPWJP1axg6?`&kK6Zc<M6
za}u%IGTF_@>ls&ezxkkMelomS_f90y*lm>JqhBrzlpm$)x((>A(vhmJTXIZcv=BD`
z&j+kMCE5Dgr(v`??O){P=^}p9_wC=%=P$5MOiS}I<UfkC-T5xg_v$lijM~h;P1TQ%
zC7nMOvU|dnjB_GepqnFTwm>&W*_M!?qMxIsrz1oYX9j~iCHs4myYt@=b+;mSHR8YH
z$;^_q`Jd7!$$|gY;MdM%;0vGG@b?Lu4M6XXQSUAQuIJV6y$e~@@vwU5jLVRjJ*&2O
zW~Pfy9!^f!M|AU_;Uk})o73<eb*-CC%V&~4^{}kkh2Dboja<e&zH0o#YG|P>SJ|gd
z6kj%hw3{`dd3zNf4EcwIK-StYYPR3Vwc5HL`(fF+P2Q&UBXrrQhrLbfdH);Zf$G`*
zGTFC&l$@R0F<1A~PGt+H`busL<nvQf)}|~2jg3w$;-f%m=Z|7;OyQ`A269V&)gDHV
zg(T|q%kQpEhlc93`kLx%m*kKB)cymsyD8gMAKy1?=DyQ!8^YgnZXd7!x|VgE!b6p1
zT@+-EB5S&3eJ;rAw}7%`*DfgqRBnKx<qyU8)#WF2oNl0$dC~1Y^X!f>227cs3o@_j
zC<ce^Vk4Y=w2N7oeQ*zdbD1&(#iw(b2tPOHGJW{T<T8Ev`ARNx7(c(rW%}`RYcA8D
zpSN?F0sO>rnSuO#DVNblQ}*OCgZNpS%M9k{v|L6vdDrDKL-_ej&OSAt%Vng4*0*FT
z_z^vFnIlMDk;~}YD?mSzpUt_<QT$BEWk&IHUoJD6pJlns7?*i8KcC8Fj^XF5T;^DQ
z?#^Y7<7am+b38v!<?KT8_FSftrz>-r6ZjdO%bdv1r7f9p{J55N+3~|UyT<%`xy%Q6
z`bjQx3O`ThGN<xGlON>g{9NWVe$u(j>HHj(%S_<s_*^E&&)0LA5Ag$zXYfOjGx?$A
z5A$<oE^`(?&AH6k{Cun>Gm#(H^0}mF<UD@1<TB^;)0)d%z|Z};Ocg(Ly_z4YUdYdo
zTt=5Y|0S2v$8H#xI6p&knTz;&J(szdpAET8f}cBcnIu1d&SmtSxKHLX`u@o7mQ0Et
z*K!RhN?pzmXkNk36S>UC_-V>zuH<J?E;E&%1-Z<}`FS*#xyn6F<EJ*4`2;`Pa+y!^
z19DgMGdE{fcF)XZuI1_CT;|{SnVidfik}%Rnd$tvmSr5qbD4kV=Rb3q&+&6uE+hQ}
z(Qn}AoLuJf{QNMN`2s&Jxy%>&S(?k-$j^^*8C{V7)m-Mw{9KaD+{Dk%bD5j@xg}?}
z)k97hG4Sx$__?zsGlL&%IX>&rT>Os9a`8L2<l=SwKl=<;pe?!hx2NXf-`SUo*OQmM
zG8g~u&|JLX{#^Vn$~S&D7ysUpT>Se(TH<pYm>*w}i~r=-T>S3Mx%f{f<l^_-my7>w
zSuXx_(!cmrF8<52a`9i?os0i^cP{>$r*iSR?Ya1G0sFhrx%lrdZHeFOz|6Zm7r(Dh
zF8-$hx%mC0{|pxYN%}9#bMe3aEf=5vy<Gfn<8tx;IxiQ0fV{tFa`6Y(=i(22Bp3h3
zu`O{EBf0n^cjV%a&dJ4_zLkqFx-=JWz9|=9d~`1U*u}Z{k`LwL|DyQg*XQE7|H#E#
zX5`{apU%afxFi=}_EIjs{OFeWlMb5|Apb1YpWBs-KYvj!zOpVCf8ndS_=`Jo@t3a4
z#aoBv;;a5G7hercUarc;U-?lk{%UJ3zUIPQeC^j;;%yGh#v60-O%1vD=96>rEmLyw
z{M=l;9WYy`=i(h7&c(Ow&BeD@=i)oo=Hfe>bMekmx%e*V`5MEr`=OTj9)U?TWF(Rn
zHuGhJCdoeni}H6}#TSb*5>j<-_Whe>6m=OVm0?Nia}Qezl@pDLafwC~XZG<2Ta!PN
zf9R94whcVCAOT80k-$qdUUGyl^|acWQ&K8bC^f#g)E7!hO)r!>x46`ll2S7YrD}>x
z9amJUU%k2!Vs>3|xi|0$w3~74J7L|7&+=vPJ3Nzrjxr^EoI0y}2me}9gbrGflHT1_
zQiR@Fk&>=`zN83Uvmzz^x~Qm#@0S%S=~N|!o-h?BM^qw_ow+oTt!>UueI$`h&rdYO
zd2GoaJxq)cZ{y2{^UG%7mx#}A5p!TB&ulBJ9b}ra{YT1ZpcFM;KGSLt2_4Vt`M!_u
zKah<R`#f`gL;8_K!_?-6TAt!W&2;Jgzfm_Ef2D5bD`mCG0LXXwu!sUHJj|cjV@v*P
z_WM|(q2DjEl@wUjG|Rj;Erv#Z=(PQO5{rMRTx03Fe<d*GrN-4qmN+w8v$e!9PF<Q!
zuSjL%%`Ne5Do<ycUGJJ*?^@y;4bJ$6sT)Cp05vX7FDq|q2H{^}2EzA0X`bCY<FLB;
zwn$xkW27OzaZ-HcS64K|S45g8#kb9vNviP(sM4>izOt-oUNN4ZV^#$%oWv(^UZg}r
z+BdY+HAJu+ZKbB}KTrgo!0CSXQ8<xZY+n?$uL3Sw1MK{3kl78!axnMMTjE;1m9^{B
zzP<G1d2HsOCtqbm>e?dsaz04v*?bl%!vc-R^y#JI1}ZLYJFLEM$JxESeVn)1#~hSg
zq9MJM^By?o1TNA^@1iT}p;^9&Zsm7MZ<UOK#&3bv>V7?@L9D(~!#GyM2&=9D;)+z`
zbX;E7lAcPys5p?Iqn3PvPgd)ZJx}{Aini>@9*RK;ys=kTUsGU<@x}03X3ai~M%AvM
z3SvXLb>TW2J`+=`(hl^)Dzwlogbn!L@B=~3AB!*gwI2iSLNL*IkCh1^Z74wcehDNk
zDLk6jmq2<BQV5bm%}C<l_SK63?xq6VvrFI>VOU-Q_gfw=81@yi0i-PjNZV5`-}QA?
z0mH{J*$aK0P=Hid45_^U>GubNbV~^&TY&rCL68uqjsm1l91K#d1d_f;=jpF+uZ56y
z6d;u!4AK_-PC@VbbWHVN`ob6?m|X=hOD}c#J%}{71Ps2~U<@Ib;nrZxW;2klZo`;-
z-_J{{JGLz~YCkH&GLd~yc4_t}vRo4lKhXo2%<|0ssR@R_tWaw|9V;uV&wPqf<qz3U
zU1tQQys++30Vtbsx~trhZy!WWuKj7~cj;`Tii6zLWqtE9b>S8J5Bw8U%G&GQ(9UW)
z={FZrt0h0uYCo1}G&|EH^LJ%7m^}<**(fxcrI=`JoKEWtPqW%KmA-e05O;6g1ib+c
zEz}-|CoXvJYoAl7UDKoX2TE%HIohN4ltS&{J!)@*e+q4%X%eIa^N$s3uS^zTJIw!5
zTzi_VAeqNOr~j=`^=Cb*R+d!7JSwUB`9jry>rr(xEEeKC4U?jz>aB&UC-$g%e@WHp
z-Ky3Xs^$~j`+9RpRZNhQR_`uU{m&j%KU`e(o_g_kY3+H1+Bfy6{pQ{S2mWcZ$GE>G
zzhD5yLu<zv*$O`E4`eC)6$U-72Ak}Te=VgIKe13BI8A0^c+_?#8seP|Rb%n4ypLp;
zC2NmXZbBcfBMW1d(xy;;=0qG7&MZ_Q8CDqQE3iLc6>bPC=rh;81(IQfiM|3>iB&i|
ztZ+@C0?DvK%2!DF3jM<hHy0|93@c3c6{h<NFNoUe^sL#WsB^Lk1W#eL8NM1pYlhgb
z!)o`qYNxqs?x}XHKqeaJ*jS2a&f;`+KNHkdb01g92BU0Ne>)q>vdv9nRfNG>oMy1H
zvN{-@8urE9d-eg@xKlO*mQZ$AqM>SFg3Dg0bj?QtBevVfQYhW&Rlk+|5G7T)rAq#n
zGH3aEYr@zeJC(Bp0B=ly+tjXxT0M3Wr}%J%$MEks%MMj<T!Vq=^sAm<F#iu#yrQ(Y
zR@#Ruo+>Ra@5P~tPb@7y^j(TiFD<^772lzt&nPWE|Io$j#T%tHZY!=)#gt^VQQKVP
z9gKHrJ2>9lw7>*HOMV?2u?a0C>Snf<)s`=6CO>~JneAf4g8lcbeW9!=7__aIP)(){
z-0~NEQQ7#)mblh(WgW+$kokyWzm4d|!xwc4-nInWGndw3#MjMSG5G6i8saNM1|558
zz@Xq-Gmuw~H=SiGo|Fxmb?vLUo76Nc74AXI=$F5RypXWPqDb=)1B2<?ul)(@P`^dD
zN+(b4Y<mA(Q@Cc{=T8<IFepm<*A#eI_FdB{u0;M^KKG|4nU7}oHT3(I%E-2C`mirE
z%9n8s)^$Z{6TXU>fermGR+U+*Qst{`!fofvn1R>O@5Hdo6klesmFYK#7fgUfm;q(^
zM#y=P-d0s05k5*MR^8HDFDD!Atd|QYU~{l3;hXxnYw9<u88mf5&!!ss&9oAW7miV9
zH0>890g=y%l|-ew=2X*l0Z?X$&z#=$Ri7z8pwFDqG|OkoJ879F>6*Upv*kneWhXZM
z+Gmy(GRHOjm(T2g`5ge+M@>yWd$U$2LaU!lm!{=D`x(pb_qT5q_4dq*dk|I?VY*R3
z^dy&_Q*HxmsOE}mmniyTQz$3>oAc&2e70<c)SeY&P>3dQX`mh63sre3Ck}7#rgPof
zsv6}?*svYbv{Mn@)N@MVD<gzrPi$JsCOizIt6*L8G&OK^Kt0k~ILc-KC=v}JXf630
z;|HU|uZyZ))O#u4$clm}Dp&>(1DvxV)e3Lu2?|2Z^RhRJf?u^2fbK^6Y5K7lJDd=|
z11n?@9Dm3Xe#^kow&$w1Rb5}C<;Wx?*biB7me2kz;~vPlWAsX13yMjon2A5tt!ACx
zoF>cKm-q}N6qN2C&$9|Lr%YzP!J`hxIxBbEMa-PWsco*XnFnc=_l3U*s|LoH)&8V-
z*BN6!P}S~h?}_2s8=p*o!6vQOvUrc=F_;w3e}i}w-V)ps(d|w!$0%ig?NdRsr>cUA
z7#fCEd$8t%1ZN0Cy>3Xa@OHzvp8d!a)%ZONiH;8i`0NhA7wTU(#e}d&*;@Rqm5PVP
zsO!I0B)<PJVUaI``7wdc=TUo<L~-CR(Ri)YDoct)=g#3WpZ%<|C&jyLv}c?UWXlUg
z=`LLwU?mNeoD(DlFXfO2ewud76#C<2L*B!-8XFBxJnuM8UY7B_A!i@x^**^%RK;9$
z#%IUqvGE8(pwtfodV!%~%o1c-q=I@^D3w7jJD%}feV>*?j%L>ynE_b5H1>`>^8gib
z&HI4^*rg)khcBduj)S0LOa69yH#P6b1ipsfZ)~~9yfDtUtS-%>1`5h+W!XkCRIcZ1
zKS}P?GREQfuu)TXiNy_+I2*g;SZCmI3W3uPszV$NXMO3_nzo?~aD3a=hK7*G(-2zd
zNL$Q*=TSePqm9TK7E2z-kv(x_c*Ou+iIy^H0IwZ1@}t6$_aj{`%nHs}?S-2}(Li%l
z%n&+R2-WFR?@lHL&`kiANKv&ZdFc07Lp+pMH89Xp!ORd(@W#!AHYa*%RuY&e7{7-U
z4)smC)B5M|yB?$iol}tIU?NBkA<Ab5(pYXvpNfDU#n=_;(6D!f+NNWfw4qLz5Ry@|
zTSn`Q+h~g<;w!7w4FA_PAC{=gM~Iy3V|_FQS60@1eBzvV*Ei&D@50FJ(=i~?(u_i5
zJX`Y9&bR3c75eZV@(2l|l1=fj3t=wJW3Li)u3~Puz1A*S4VUQXuhB?AuexnD^ko6e
zJinWP&PEn=Eo(oY$=?uvk`HUs1_f;{9WhzoyDqDbFP}AY`TJ@=;a;`mUxQWZ@_i=7
zpS&$jC4z%W>%DTJ)jRjZ+V|P(KBcc8^{>BK>-Y5C_Bu9vt-0!Gz9qj87j(l^5PB}r
zc(~{@e<30OJ~C##mDyXz9$XKUKkZ>pa$em2bK0+SQpJFtV~9sUy!<!l+}a<uU&LGM
z-1{5)J$zH8!qysw%p;)|ePiXmvG&of@VT`V{$)_Op|tRN=BzMl-v+ioK3|1z4+?*|
zwD5yLVSUh@!Y8QkXM)0)mlm!M3jfd*et+$_hJNv&@R_BBul9vIZUF4@-$<4}G<7-3
zbp?x?_x<+5vS3MM+?ubS1V8dpbbsVr(r`f|nzlfK!vk=m37%M9-em6_liXKDY%d)S
znBxWHT|nUS%sdlwr7Ng&&MW533eC`LEf?7`Q$S!XBWUTCvN`vM#^gl3>TjZyVl7pp
zpn(-@n7SuhGuBn88Xx3R0+(t4sH&<colv?|OSV$Im3igc<FRTylesP7cVEnqXd{O?
zDxp=Cu(x$H^JO!zY~0kXYu3Cq`EMqo?XI;LWN&Pj?_v6T^>aGCG~#1PP7E@qe}uK`
z2LhGsYpvQ{sI|9RGoV$pI1D0srP|XD=lwB7*7HE%_9ic&q;KSVY9uQQq|?v+J!;AX
zt9jDM_P=HZUolVuDTF!JB&89;DAx()x<qHA9Cc~Q+&@M+gyzgHM>(=3c0J`7e;L<x
zGds&_MLA?$IHXG3kb0TcQ_nS2jgnpdeky8=%)*>8`r)?UUs$&A5pZcb9mZdj;7|Uj
zb0mN%2B9t%zftd;Amc1$n6gAbx8&ci$8(khko3WJ2kD!F^wh)xqz*_HY&u*=FWOum
zL8hpWw5dL-a{yl^D%<t}(ofDj%l$jK)y5rui%M;>aSB>3`RlLtoYV1H!&tUXwq}&o
zZK#=Gd09d>)xDM~<97G1YJ$2+AUTaR@X&x=m#s;3XemaHJ&i9)J5WUyf!nyFwOYF5
zh}TtB=<-EY7Ytt~vuCH)l6%lj{qU1Pr_MFdqF8>Gn@^r%;vw-3N&`xibr1?K=Yl9^
z%4!Rerl9X8bkp68g|=@%+%tyX_dX&5u6|CQ0*1l(X&>9hVmz5WJ2RZzgLdZePx#KX
zKLnx%y|_P2UvWU#ACJj*U0J#m4ye*LMh^3uDt?(G_N$&$1q13H%$Q<8&oJC2!zRVs
z;M=kHG6N0(-tp}s@$Ja7jBhpWf~au^h^4KS|1(OiJHHo7t|7B0C6|(WP)go1?SGh(
z>Kpy6Nq9=?m*=WPF(t`#ga|1)!BcXUC^;6Eag=NoC6}LBLP<Ak{7|TsLs2q_zPQwJ
zp)he`%k#t;0e6}N8SCbQ=bu1oTu39vskgCyfU6{3JIiKNlHGYw!k%zdKv+3aDcWj6
zDwuKyVbObCS<viGz#go55P}A>Mm*;!bucb2E;{~QrD@5u3H4HiYzyR-qe(#R`K}wC
zp4wd!?Hbst!hzkXfqm^mHn1vYz2Rt$Y<?c(SZcVUN;9#e!sUhpnBYs<+zhHz`6>yj
zB*H2I6RLNNm@En47U>EUCz8SfVG3L{Hk51{cW0?|b(}?IdfJj7zD?%BRK$i!#aGYJ
z$q8=^t4zlzE2(aT5@?A@)R1c3TR@glFKl6cM@b8}9JB=p6v*suEp!_fNoGU-zH<=l
z5?|24W`f3M>>n7LY&bT%G&UcP`LUtLf1*+e?ry}hh|xMMv|3I_l`M?@E?2-uXhhW0
zbW<a<)W}au8`(8MjaXeKn31y&tW(k!FKU?&2FoZ~pi}+U5;}bhcKSaZ38QGCh4+=V
zunVH}-on90qI9eqYij6An{9u+l>g$%CQzK(o$+Dor7Ho237LB-|DPD#5cv?sTz9?|
zr5Lm3vmNM;OMuGU71NJ*;tkkRkAZmO%v!GnIyj}~nC4F&mLXF6*MsshbHZA;f&8nv
z^<eAE4+8()5jfGNnIT~y&G{d4{Jh@q@V)Ok>wm8IfA+BcTfLv8RhcIB|6K3$o}dno
zgZG|BWhnYFANy`&UQ!^GU84$;<$)qPcV83aZO2IbHfNXSBD~j9*7>Ik%Pd*fT%%V@
z#xWT7DqJ!m7)(3Cs%9DG2`89HnP6h{CpxF&^k9wP;ru6X_?Sas;qY^{=@x5OosJ|a
zSkec_Gv9eoJdb`?JP~+?qjBSF1AD<S+8xI?)SkoffzwKGEZzNaGwo?poMv^Snyi@y
znxWOe$|>}$8?iM8PVFL<9pP_1(G#9`Uj`2wNLDE4*=Ue?`6(=iyOa4MYL$@rj6xSW
zKNxnQ*ER7ci`K+@K2WqKc2dyK&hd;}hqM1Zrtb^pm`apN!28vSLrOsFjR*AVhbiqP
zTkWs9%f>*HluF@EY9SCSwunJOw&dR+NH^SM3VMsC?zSIM3hQS9td@8uqv0|CfCf-7
zf9C>!Wi8?B)B>y3y|SVH+(;^*nnV5fZmpei=+@3WWNR1wcUyb(gd#cxp2hBc_}vjj
z`upAR|6*?tPYFoZSYlKp0i2ERfjn7xQChPV4e>qinNpFGmIj%{*ZyIw5hD9#as&eu
zIirkl0sfgUv}w@q5M_+p2~*0-@Mf|X@5XWUhf0c-`(kfTwqkOS*l<5kT5N<bw$h5t
z=<b_^l=0SFSp<}XK@c%+kUn1uX{3krUDsfU*M+6Uj`qbq+YPUyON+@ES1-@)9WNP=
z;3ZNCFC+VVoe$Zu?}29?8QvSuWT(DD!+|(x^9IrHiUH0T)?kIYoTz-PS2(Yg57XkS
z2c&5wkYoi>O3Tvtir303<g0xt-`Xq0a4)iS?hhyd*nMK`oS;qybgM#+v|`z=$l`$~
zj;5@ZC6X-U6Z-~h-{Tm({4*yh3|^k@vX0|H5v&$3Jd7t7sxeMwjvlW7_-(lAx8WAP
zb(QtRyB&{OEA^uZv!dx_#|@?h^8Kmg3)X1tzXf`9y|d#2*Gg^?y(!D@q<u2{s;L5F
zLR$t63M|)N&@<*}Bhiw7dx!%-Z*VRyG}u}@5v?=Ufn2<hzIntyD8xVWej=0ZV-mW;
zW(hC`c+SpwtoD=;g4wP&J3EHgSBwwr*B&$IORk~ZB3vG2`7<2uf@qenA{7n)#&6+E
zm*f?wXVn|-JobIj-qS?&=hasWl#3Np?#cIo^==v{X)HI+(=%8v%6Hf$r0beJ?y#1(
zyDk2myC*c9J`CvFuD-9~5v_X+MAPI!Z;u~9TJooyYP9z5y1PpNod=+I<Cu0Rb1;tC
z^vXf{y^=~!-pU4na^VRBD9H}7n}c0>s&ncJ`nX~Bih0awhH_g+71%PFiH!N6a+U;-
zpSQ=wt}nrs>7BB9efggcb`W4NPSrddY#s2L_8H-9Jl`P~Gd3DT4;(FdNA#>s0gvNx
z?FN-sE%~+&7*xNKZT1fTV28T6mn+<0j!iU-vNnCksts?zr$Ivls_nA_&*N>r!iv$x
znZAtzdM^GGJQXfs?nr9E94-jGPlwy{pz7(}&{GS>Q^wKOrbzE<7w=XSN5qIi!1~0?
z2M!R#vPfoP{z&ngu5{yQ`r7<hZJcDU^;Gcw-_s2<t8C^;gk`<x%T-6ZpK)z|c;$Z1
zliOgvbRyu2BUfONv1Ti2Kxlk|Tk3k>*#zKpx{kmPkO5V1lcT2@_WRWsi*En2z<r|v
z&`ri?z^~Zk$25$Pk{LWrO~=~&t2%-wdA|RB3^{1ER85y8RWes~qy6gj*H1^*`aPl$
z#)GRo3<{j6rkqLNc7k<VTlyy13)Z<eHADPv-gr>_ejphwGI{(49|FJ9WzyOc9r{9h
z5fiKj+WT7zXx}Id9NH%r&<;4=QM5bO3pX4T>zCJ*Vm<XF;Zm|fx`7C)9w>dW2&Gj5
z?@+oMUh)gLKu1<E$X(`J^yXBj(XeE7)XxQJ1*@ZAO;xnp`B}A>UCb^fGzOgQZbPer
zm&vu`+c?vTOIlFY*nR<8tH5~)kXi~-b_kGzdPVV68!Bxy2(e-<YhhOA!uhgHPX*n0
z#WMRP&N83vG)n$wrk^$T+Uh)|fs=&|X{|D8!!W%OOzY!o$+2nl%<=m<uyXC%4n@l^
z?csekQx;~px2mknPNX<I*fDyMu-?+RtMz1g;*TC{#19SvLdBZmZtCQp>EnYpcm@rc
zVbT6=aB%py<S%gSqplAWk6tQ%4a|E2m)!w9dWa%u$v<!mSdgpq#Y(#fkmiLd5Kg2<
zy^)P^yDWsB7#;4R{q}+YBOTqPD58fj3Sduiu)E0X%IQ@tqKJ{SAuog`uRK-_bw%7M
z#`9?tFPwblFh)!M$m0yzp6v%iP#LyA!?jN}6rWW`;KbJq;e0aDD}Ip^Sph2Tj|=%i
zmNrGcfq(XY$uLA#xlNIe$aZ?@Xtf_!reywWzT~*D<fSTkmz9Kl0QPlX<fO33wJP#?
zSEP+llyisFinU~RL#(O!T-l&R9fzpNv)6-a$JuiS7grTZfk_)jd8v`6)bRQWU!15*
zyQttGn0_ck!!TVx#%M~L5P=zBiVkIq&B?T=Wx!@GCA>oHfZbU-9^ZD%!?a<QjjlnH
z7OZWjiJWk2Yr4+Qy<^SNVK@yE3e_YF)6Ay*v9wYje-lJ(ygv?nA~W6$RZ$?Niecx=
zAF8?$&3{2I{?5)^eE&al@dJxQ3YmF30hs@d>!M|7g66+hl(9$|Gd&Sp?;#|#kOMrO
zw~hyPAP`#ecTm>+(cwC{1REO_*PBm!9aH{LO^pz$x1W4N&6Rq}+K<M3nqg~-)2Q$_
z$Uqhar@Mmo17Kv-6=>5MqMhP&yXHo{uII<cB`DjQWnE_XFnUF188nqGoRy%ZE7sO`
z9F9irq-1Ge4AeHe{uS9Yi*6RJE*IZoLSl=o=fv^5S}-qlw_s{Ug%-?6!RltgOfWM8
zzR_CL%+ApdPuFC;C1hM%rJW2I>o8+-@mPnsEu>thZQa2LcG+r`!SuE~32*(^I{?=8
zb3FiK%i4tp;o@TUkiua8c`MLco~AAq9`BKnVQk10S)Ogi@xE5E<!NX<=&L$3nr)oI
z3F(wnq0Ny03c9qRY9a!6yx8;z!Xd%xc!z`Kk5&G@qb<L?AH<uV1B2oP3KT=15I}#(
zK?$HM-=P2cJwcz~q04eh6e~R)@b?j0oiD&!K74zl(h^RM#6;P9Q}S=3)P44NSJblG
zf@~<!gdI?(Zr=oAoM_+kTYk=2VLONAv+veRJ7Rx!(A3q>h@}-}&P3syyFF^cH0xCV
z=bRLCtNDrIA6-9CK6|wQHL@tM*fN_~7df2gH+|Vlz7xk-85lqzcvj|wpv+f%nFFKI
zM~ywPdi?1UtRAw*5UZ~hWA(eEJXSLj-7xz5N+Z|&rdxb#KcF=qG#_9zCn$59FY_fU
z;}(x6saa2$(WJ45j8bi))WD*b`<@cIt;#;b&<U?Q2yDgB!t~s_Q8m!4O|y#oa?wbZ
z%oqc<boU(E&ko;r<9&;*l~QrMe|G?_t{7U^5$_6ZI?OmPTYGP}aMFgU_tNkAs6nCE
zRHXsRwm2?0VFdJUoI0Ojo#%)3KaS%)Q@{9p)zNe%m{WIbvxDi`NArkAJY|_Se!Df9
zXt3NwV`Hb}XExJnWh?A=;dg|FJ3#-8xmEMO7%nt^Vuc$r0_>65=9EbZGT(y|-6$wY
z<*7IANmXvichR$hm->(|rT)v?*GZ2%Wj)G|=e_AYS7w2s_M+@yX{(m98r!)lS;OQZ
za1b(XBK0IqX~$6O!TsIVEa%#Cr)16Y6O9?2491}7ltYo8nJYarg5`}f`b^I(9wy(;
zKI%JfAl%-=8#qL)72k(9aNnf(E9MQ<%5tK}7+o&hP3Ja!w}c;i(l_8^*_hrUqUQyi
zE8tHQMXe*YX@)8@R^+cz9p{s9qgJfBYrsDLQ?aVk+&7~g-c@sd`hXjx(D!h6MX0&2
z7OY~;-9wh!0tN@GNP1Q&Nxuvn27?<#s%p?tGGm%UwY-a$E%8@Edh@0Sy?+I_*Tr9f
z-mgrGKVtL_mwG>YBA|D3(~pbkT~DQs&oPl1LH6w=*_}=)UO4{#S+aeR%LGY_6gL#D
z!rH$Y!>f`5MNw<jL|&DqqPyWGuvd%6&5x8RfD4=g=<*g~Cl+G28CNpa6W_~N2R^z*
z(=_J4hkF_Grju;DVQv0c>A`n%I_U~AXj5=H{c319@ShRDVBkal3noX=79E$^sCpBl
zPGc?k{BsVT_NnJxsClT_QDd`1YQsHG)AL>v-S&REp4)@xQn&vn*(0!O&U%LKrurur
zvZwQUh0i{fY+^ECeb<sfzN)3P<%<i?hS}M{Gg$mV9dPpJGvWew>?iE~sId3Ny?#xs
zqy~HTdPLAG?=9<FcsAU2OSqQ$b^eU#?9qoG<x2ZdS9rEQd@XpU59@@E>%*_htq-9G
zt%p{oc$bY?i3~j%6zEWq3>_QDBOOv_8HzbX$d|jTfLYt0@ppSB_c9UlTi_x}5VR^c
zd|Q(;jR$m>lT$#3^(T0Crt!@Vpxp-$aLmJxs~?i5olW-_&+mC5cp2VpO%HqUf2#1{
zLl&~R_Xo*km0RM=-5HeggYq2Dy`o`^`k^8;a>Zy=c0=O@5B|gee6ZkiQsubrXuPev
zq#QMj7cM;*8us@7e-)_FR*c5ahXllS)Y#?G_+<dT(XB4MaQo@9Zq%5ea;3v5<?V)Z
zKfv;%!WP_cDpSMx5o-1-#fl|ge1)~gfpA+Cce>HFf%&hY;do8cDDw)6+pC`zUTJ>o
z6;!ZSxALmjR?(Goq<O-7k)4Zfkj%X4a7gF$Wd2BSc{g!6th>1Uax@f|X9!jxF8!(8
z34yr4@_0AP;(@^jw=DkpSTOc&O%cumKzwJD{+dd?(xP|-mLPc#X;~!R6UAyovGZuq
zQ*6(Bp;!;g;@p8D#Ug^$jbarhXEZ6`uZv8`n`GiyAxvSKg{7x)p+<uRId!qUsi@08
zVvTGHt&#pvE#EeP1_j%NM-`Xc9G0w9$%lfHU{NvZp!}w{!Z9l$1&YR>+Qw&J796Gv
zhn*qha|QVtgB(a(kFmq2lRm<{!q1L3=$St2Sr%VSq0eIjzT&O?KojN6>6m6^@k7>L
zSOkUISMWZ7L|LQa6%)eNTB;_3vJ*xAkP2Z-4iAHDtq^Bg`|F42s!IbA_s(v%K;vxx
z!ip!@m-1U3A#RFS)w%=B*%e$Qks$wu5o|9cDUJK|mjSqbg{?ngJnuPKR;X-|R*Yn9
z5L=OxHh{Va6pCPaD1P>WMOE}JUkBrP&fOu2r@8JFZ%}Qt)=~}<YY~I=WhcskWH)04
zR$ejv+cbF?Zc)tAbnt;8YCs*9S6czRi~{&Lpd&a)$#;=tK^WbsP)3$ALat_Xip(qz
znN}3VY^`XA-GQqRH4oa@|Ke@8#(revS7YzBKR-BRe<t^AVnWzNcS-1@I|8cp(x3AW
z+1QIsJ^HhREJwVcKOyy8luOXq)dBIKcm+EdqM8r8={SOSU1H7;`WJOvO6taMATc>w
z?7iCia8BuoQS9ItssGvZ$^a9F^z%WwFr?=_>V`Bxj`>g$%JvJlS>M$i$CbCf*gKAM
z0oaWT8r6oe+<${=^}gW%v5;z~9|WU=Qf+8YjNX3apcuU;s`cxJoR=cuMES!YH{|b`
zYF_}MZdALf8;*XJZmyZa$#EE|wzD`-(rRKTt+Kia!bJ`I!wHyHL}NwM$DC@<uSaE2
zV1?MR&p$;J`cU^+g<s?>aj%z3#91)1t3B1%zSq5O#o(&Y0P8{^$(c~te9^-0^`a&J
z`*!0rFDf4hT5VHUY#@`hW96DqT#;&32ThPZn;x|P0r+95t2`n{yHeJT?+ai<1-+<B
zG;j$?%Yo-4G%pVt{E^<<vdxN5*W)=$YGc9s%X+C#<A)(DoaNr#&8?H`t+}ehBX&Lz
zS=o|rbOv!Nhy1nu#(U0y+9)C3^~Hq}i^8qPxs;8<nkZcq=BHDT7VCyLPoCOu=p_!0
z!*Ot^)h=2svsO)>ybxHj8sSfP(v-2o5da(eu#Iq6(Fm_&Q(TaYD*|#p8DxUMV*oYG
zd)J1Jb+#}c!0B^9vi@J{FmXe9jmPBc4ysZ8?gc$~?JD=$)%l#Sb77DPCKCbLF8)$0
zo(kLoh?3&vNGAsk_~jT4=7V-xYn;<~j!Uh$t?TznD*4*K`3KYQGXeIEQVaggqfT}i
z+`Zy5T?pggKIt@1ceuZGHH;3KB1n^H!wA`Nrr6KJKZ#twg1)BAnGOEU;KG{=^`_J=
zs9=gS=;pPv!Eco^5z}BJ^qXT;;u&i|v$<hrXUW{OXg{mAfogtud*exw_BIFEvB($v
z!1!oCz_#R{c&G<keK*)D7c1W6>(mCB)cNAOx7)wC-9TW)91Lss@}BJu51LTB0Xx6r
zc*gp>8%{0iZx3%WjuriblEzl8``%%AWOD~5)vaDEtK&x~?L9y|{=;7B>X{(y?Y{j~
zFPvuR<`c0_d_8EP<O+|a48F6_x?^Z){X(MJ8n(yt4G)Fffo0HkM*MT=w%>Z&_pYSv
zOPHIXbyy)j%XZes_i)d_9$M%szFgvXE9$hm_)&rc{xdU`9hTnZoG7<?A;?XNcM=pa
z7w%a2OK9FyhCgx95jwQ?+qXb00LF?$JRDh3up$dsl{a~;G-@u=MlOW{?IubWW+C;|
zrS;rm=LOU!UHePR?`}qJMH3DEPWv{#uq%W2^Bw@d29&4WOqB1Cw}{>GvX8`9){f$~
zWDI&I>26oSli9g$CDyNwi=KT!g3Jl8?bn)tmz>BCY#+m&QpS!2Tx~v++fsGd0sg5#
zL(O6O>2d3e>b8{K{O1e9dlABDmc-t7x{Y1X5*>CVh59EHO1(#`B9t~nlGyY)gas0m
z{U0kA+}z^&J%N5(r+h5ZANKo>wNzmrXy|)Vnpnc#s5PeRy-;h<n_;Pd$JvHC2yeT%
zKG@B4%z%9be@IZ55LaLKP&pHNlt~;kC!mjM17?fp<W$s5e6_vN10ML^((bd|X_J!r
zYpqaEdQ!gzS9YnC=%xN|tx$=4Xs8++@J@iY;oFjbtAG)du@!hw^8ato-FkM`I{}N9
zbuI|GcdP{AwGaANexo!UJQrQu!sQeNw@Ki7GAB*Xk@0?y{9k&Ej;QP#S=RGyU`Z$%
z!c0%&-;24-raS)>N{%lod2CV1kgp3~GP73YqVZu@-Ff-FmMpF3pNgp6B!Ox+i5ZwC
zD76{fjZ>W@al6EtEG_w?FpZ7nSSp0l^sU|D%r9y~#UWrQO;;95`JVTNWp_QEZ^AG)
zRF8A0YENhWea0PVm(a?*+uh_tWOGgF{`J4Bn%jFh;f>JD=*bZwRO{#I)audC;e{R?
zqMzHi%*xZz_fvbVz4bNFWxb3KCbV_>WLYO}82t8~xU)vIz2v{bDKSmYA1ORf*YgK>
z?sYti09nB&?k@%OaN*e+x-WPJ=uzO)gD!9F3VYm*F1Hnre{rd?f%XfoSS~Wh?N(q}
z>@&L_h780$26O8Wd=uJ?5UYvRkWsHAloDk%Y<~7i4ZU!xpe26}mU55Y9aD^ViB(d}
z-EVY;G&mHNJvpL?V&Yw)(o%J$`fXUT0pmB2@zT2Mo_K#l@V=qu1{EVNF`$w6_ZDw%
zD9{mW467G&->bY6=Id6meP)NTqMj7rcl!&y(8tL+ThsW8?SJhl>pX+viS{@%ye;{!
z+!ylIC_R6=@C+85#toiHPky5p%KvU>NYf%JscJD_-P(I8c76*wWV|Y^n-}6^_&pmu
z^KMsf?Vr#)WQu>Uh_CnU2(cuB3GF@?Bl;df0p=^dmEQ%k+;1~KdS2>(S15z$);9Os
z*6DupUGBGYpML9R&b$2^61DfVDC(%J<MPBEGv^(^-x1_WmUm3D+yjMN&4G@ST<-B<
zSqak)-R284{cE4cA3ZYv?ny-Ab6vWwtIv#&@#pqI#DLBC_x3v}RoB&b#))-Zht25I
z@%2RAm*$Ff=GC=bP`7keRx7``L_sh9(mcK_{eSk(q0%tr@n!=%FS;TCUyzeo?sxNF
z^SkXEL-hGQ2IWMC3%w~K6*#%qlG*MhrF9aBq@@g>opcByXdYzIl>=Z?^WRx?wecr^
z>ULXnEp5<s)wlO+zYF@){iWPoZwn`09A+OkQbc#vKzxF23?fIk2*?q*=R$D*F&}WR
zZhPlI`~7Y`-X;eku(X8Y>mPMpgJz`pbNg^STeDB3ow}~*jOp!@C|%bzWX9p=?F810
zueX0d8S#~zq-`Ywo+$}n?`O~L7ayX~kXm2p1R>(9FKw8{nd8=<z4^9t&Z)=ce|?O;
zwZBa(bu%A{lxKdY_T&ZNumM=>+TouUvikU}@3<@pAeB1zpS4G-n>?z-xr=HCsL{T5
zSz}meQE8#3pwI+g)gW~%6hazo0PEtdk&Yo;bEz)b!<3E-g?O!Q@>PJpKC*I81K%-Y
zEP_u?4Il;zI&kv$6`K@oRx=s`nPVNE6mKrS^J2HETG}vmWwwHB68JE+9)%z3x(>|r
zgRXm*91m?259PN8Jakx5p)<omudC1!U&vWG=IeAE#Szmnj+f2~YxIY;@;{))9M;h~
z*b-Pch`O2iZ0$yPkP|m{;inBsaCgx#K-A6L$WT5>mxBw&@^GU0DKtDgYxyFTnZ-qe
zC!J6<c=^5^|C_z{kB{o8_y13R6lszMRJ62>?Usf%V4#7fG^I<MkPRe|KuW@ome3NC
z4T)@iG}%C?X{8NCkkF!{qDDpKDr!_zZmk+Cw%Fn|Dk>^!yvB;XAW^wjtmsYH@AEw~
z=j_?Dn-;&H&*$;^<8v1#uRZU1&wFOx^ZPwBXXRC<m|f%ebrCuIx*XwGx42)MUl%F-
z{9d?j8R{pu>a+D>YD(oy(z#^SsY$z$D;RgtJ)gVdoYZNTr6DXYcu`GD3Ao7!P#uPu
zZ)1-5o-jH6N1kYpPC=cBr^Y<{0qThiCe?prFj2di>})?xvsSPAQN4s}))UUkTvJqj
zhlv#fO0J!Nr;l<pUj3TaOy;eWr(G`o2kjRP*sn01wEc+PcqkG(PfGHdsN{-x$^ZC=
zl5EH6e^9-_OY-lZ6;{npzRq^4gnzy_>dyC4^`t+#SUTgmQr@-w#L-8yJtXOyE2O5-
zcc}|pw;xoa>>20ch}cV|e{DpShwR~TSH(U|yGKQnkAGSPFar{j4!Qc0ck0g7Ci!og
z^h7vHvb&dBA(@|WkO38iaeIG&nk{{k1XeY*Ytj=pLo=ilRarXIz9HOauhABC;pLSp
z<VFhnE)hTyKX``1wEJ<TFzGs|EGF=fN)l@kiA<|X{VGNCaMIZWB188z{#!+Ts@w73
z`HpMMSAIc`-;SO1#gc(tyvn@f#JNVBXML2tA(nl$i(Q>DlA<h(vM-8dzr)3Dl01VX
ze>*t9tA<IW9U%(3m!@-8<_6Gg#YHpvm#F&W<-}^Na<tUJ3lkMFuBXu|ep&@q6)ILs
zv|qdaqM`y~R<-obcg!+hy(;2<)UFe}138Hw*4tGwKpqfbGFGXRs3hFfd8p@+eMz0D
zni<*diUY_yVe08pW_;(Q8937mzMDA~-(<T&^m0gk?oN$&Oyp3DrGE5rcgZu14E)?(
z=@kbS*IBy@C(4i8#n6<2w}J|<TE*4BACnUmPdtT$1dP<N_rbAy<umen;%~o{TKd>?
zO7Mz_yMD~233;EGbTY4_)bubiS^E2rpC(Lfv>a!Z$)Zfgoa}g5RBG+4ox7=rA298C
z<eAh-Pu{F&wTC7>ErGQN^1p_kDA!H(V;`ZZvX<^S)@Y9~(y|L^*{5jPCw86KRe||f
z-tfThu`u*Wny+)xtUAU&{!Vp_`VA1`FK>z0dAdjP^nLBm>tdu&WCKgunGtn^!&)q?
zpAc4MU@kec?U6xdLg(c29$mitS_?i>3FvkMe3jp7<f}9mp;DtTTdN-UgIxSkdj#g^
z9Bukz(An_xY-4tQ)DhNMp@)v8iDQ)ugC<t>id3ytp%gq9{(<8e8-X!`+kNI5G<zJ)
z9;Nf;f=*!9bAeqI{X0trcCLJ;zI1o$^c-oaG(_{mIQHoD^vm))ZzTh2C${qqlb*g}
z$CMlOzU-v!QU}lRld!|q3njnBy@dN6KQ`IVrrl8Ko=)k;h!l&0++WzmOon-odV#a}
z&}XX}z4T*h06cDm^MqfkcRFu{enuqi?mTQu`59Kdgge5Mp6HU!CYuJ!PuX(mkzgg1
zi9{{Gt1eNWeNHl{<@>KvRYIcjr*-nvz`v4$KAv>;qfs8pmC&VGYHpD3u$+5z+ateH
z=YIJ0AfK?qRfLix;>*xP9s-Rf<i~NYMz_QIoz+KmdjHBD`E%DKRMfPOUZ$cxj}?3z
zMg2pjnLUr7Y&k+<lr4?)uw>-^-_j0}C^N+&=a>w~1o>(PV%d%1R!o+vGW_b$6)#CU
zJhsN{vg;cQ>%C*Nbb!RL;?FAn1G-TjP=($3R-_+_yOParq|)x|8BleHd5KmltPHIa
zMcD1=ouux!!qP<ca|QuVy_dgV@8$56q59@SFBVQjo(ldVoA~ByVE20I<PPm#Gf@df
z=({MPUCc#TeREB!WY_SnUr1bEl!7z&rrsytcdtAoJ@c-G6B!w-PC4pxfRdHkdRW)t
zRpu+x-lg)@nT>?~u1A(IGCGN`o`r;EdTKwiqM7t!$v$efN;<DwNZP$}9}EX{by=_8
zKS9hrj~vif&Bs^dainNP{wv?k*765Ihm<@<G~F7vh>mwL6ws4f;k#jYMzYy+bgCMM
z9-&b(;gU0Xod@I|Dp5;`$bh3$^be+ON+UDRU2*n}Iu0YEONkIp{W=%#YiK5Im*hpG
zjOFJSb@4hXg>n2^l}KGr>C+E<mG1uv>WS|DOQcW#!LL=Ht}Afol}3r@?nB0LWewCX
zsw#t5L~g~NE<2MppBztd^DQ@g_j>pw04lT2(e1d(<@kS5HAOj6F6vj0bX}kH#4f$i
zLuI^rg$a9(4tJ<%*9o00gjvtpm46Bks?5%%k|4w#Tkrh7ECZ&GW~Say&o-f)-4E!S
z|8i!flH6Qz_EUuKdE|oi=mh>wdi0vF6=KW!dbXpgHKM9d4k=Y}x<$=YxNXae>t$<}
zBQn)YPj;t%$H(M^LT2st97BoPtN8FRS=6gJ^>&a?zoc3t3zd9w%>{v3a<)~!lwsJ^
zu3!8~h2inVGt1>xqB=fF0W8GqC}WlGJu1l-wWRa#F1qp;OOBEW)2koWm8|JMm3nC<
z^2^aO`7&)zhI;wx_lM1kirXn2JtCN}vtq*90c2{b8%L3}0E}yoONp}<*s1Z<9*x6$
zK_#&BxJ1SgEGju!pg&@)LF?D+6X<`G3dnqbJJt<nB)RL3o-Kh@hou3ju#z<i`*&uM
zDr_Z$Ghd2^eV24{681_b?64>7H+5LQzAe<L!<q%=Z_fN#3phid=vya4SBvtQchjoQ
zevv43s!n+%*J;VueM_b4x@f9?Y;uGJk9?S(4HF1r)Lf{Kcl}bi#XxBL#;-`jKK)9a
z=cWE}ze!Izeskt~{W{C%uF>(T`l&T}zloQEKdN6Uaa8v`$}WBM>~^wZUb6G~UyRu=
z*=Z*NL;XOMS`(!{7NstVQa44Zc~R=hDD~PX^`0m-6)Fw2QZ-a%J(0OB%|_R0jJk(*
zRUDN2s8R*gEaijJF7)6*y?^mcg|sE!r>5(-tB%fva)MWA>(D1+I}KX3s!PAY6rfj1
zeVAzpaY!{r;^S(z^wzqoFF!{l>XB1t>Yavk&3Z_al<8KKrz5;!cc%oGj$T9%@p)%+
zq|J$LmP98d&XQ+$$wA#ud{Yb@W?%%Riao;*Ve%W2N&zM@KeaWWTC^+2@d*$KDgnf%
z^805D6gt2Cs6f^j&wfZ6D~jCtE0sqgWXDr2K9s(jKfrwPK4F&BlBk%{NVik`Po#w-
za4Nz&CoNNqc+umnofXV556e<Q>Gf{rx~d=(=@pB-5;fHk^<C+blwQ{)ogFX_BKPh|
zPuwFztjOM7fj(tYqGrsh8XXf>QT=OY#3@yoCW+=g#6YK&x>Tf?g`2fk3iAb9UHbT`
zu;0mmhsA9BHVJN+gYSnqspPQDtyKR7sdY}8vW-UQ`dC{V<#c8mWvx4W_6I6^Qs)z?
z%1-PbFWQOy=w<PL)8TJ{U*95FaLVbg5B)~cxNaD|VQx3}fPhHWcL;{fTqi@_V$n5-
z)DK5zN->4;$gr9z#TUb}xJuyEZM!YMk(8=rsF$#t7$)k86v<#Br3*<0dX)sqVzne+
zW@J6jF_Nmmdj1cT*3Te{0eb0c$NOPfH>qJ<Ua2;2yys+|B(1AbN3J6KoZNg=RZjK)
zR8+C0zMEAEYX^Bb#8Ig+AKoKLa$c>ZXz$cC@qU)&o>^9?K2*;P3h70U%Q}``^qE~1
zM~Ib2epBYxB20BIc$J*ky;8i)n(D5z%Jb-1{Znn2+hu|<Y5VuknI1EXBr?|s^o`gG
zpeF{OpaPtk!J$|xtJtw)iks-9_atGvO>rMR$7{F~Go6SsDHbxY&N=SPof6sbaSkMW
z=7X#VuYdKjIJ=Xq*m*W*!tE~bWAv<~m@{___5ZG`$#KP7fvVIJ{BeePv}S5Y0i0)|
zRhhJ&*)5vZ`BPPyT&grOe^8D33Q41Rxx=FpQCt~(^*?kOkPilKsTWcTQZF{?B`I&p
z%E1$J4TGB$-l^EZ%|6JG{8t1K+PTpFogX>l{JT!7I#U=Oc^P=~s4}DzYlL$@gGX*9
z|5Bxh+3rc?4eN|d*2$EXPfD1<;>Q6~WgF7=x6>;6QzBuHI(02}NK4j%x`<>lI;^th
z*ms$XN_T%z^<g5AR<3Nk7iAc|Qi=p=Gg!*$iuM_y$VL;QD3hZF&St?aKSj?sniw!q
zAP0u$3Unj?8ooN5YPg9~a(Cx*Dw#^xBnVwg?n#Jy^<gLJ{qoyON|sbg$(8@^PB~hH
zevT%oCCRX}!%>KyQ43eLIQqG(;uvg7OOO3R=@~8Y?9R;nyr*RMO5r=9mH%G#en2(r
z!9aoX@vES%NE27e|By_JOpBi^N4?eE8Lj*mOU|2_`o)i^89IUG><7Z5qttsDe6(dm
z3WT1JK}8~w_9hXXkpkf^i7Jr&3~9PRzNA~tc`2rOC#Yjs*Wr%M&hDR>vN<KQ8;RH~
z4CoVocqZ7Z$_8tq8uxD#e_cy*R6aW|3dNPwGhF3JXvFF4(;~!xV?<2m>qSZ22Y=`!
z&N=JSGvY0o7^Pn?6<SX<8DwSRrG?tdp})!Kuk1ky3gpV)MhoN}>9GZZAmmC3h(dfO
zQd5#Ij~A=lCZu^3svpdf4pcovOX<9nkUiOwcf{)wx|dYOWNWc{L!zonWJ{WY(UqM;
z|AO#q#ib^hc3kgr;`+UsVqh4KiSTF9DSNCQ|EXBAomgb7dZFY`x4cmD=V>PO{#&^I
zsVvejmR$U}%y5-%+j4eGYf~2yN%D8KCC$EnAl2d(Jpi6KYj&+f75-^1VW0dbgnh;q
z_6yxAq!r{iJ=7B?Xay}!f}ILQbh3Z>YDF8P?&~lVs-iu&)d<tw9kD%^qr1C*BPy*9
z)uajyA7h>TAc*8q8*zImLfw*VOS=D7^<!g74R^;`p`N%KYqCf%C!rGVIm)`p-I?vt
zuOc}l>VArj%`~a~svp}&7jpoK`%UftvCLM~<BMlXnZr_ehwMRwT}QDnV0jq+7hNic
zv^A&m2HV1926)9rbkDNDC)1w&g-P2p)r7U=keGGG3ED%@Xn&|D*^=1(q(~C1iiA;4
z^@lrI7U{|6Rk{TnxKfQp2ehVDCY-Tomgu9Wgu^|`0+x?3;Uk?hJZVw6BpZLD_fOp6
zeb}Bd9@r%#2KGmpW|bT$+Vvx2H5M6PCz&dp6ZIHQ`qv$>L(cA@THg0U$+wbF?3vHN
z&IZG`5W==pTfy!}B-1iNA@lEc`_Y=EAP?v~$QWqyAY&l1*KkZoX~a8^{nq1B1Jv;M
z%J<ZqBxawhi=mRb(7BhPa_6p!?YmcQN8nyP3hw!LReSbAfrs6NAFF4o+ar6aO~R-Z
zIn55HEl|%YgB1b3K;N2BkzuhOU<+W-m-sv;N4jsNzK=6T>Q43By6fMm>M$WHBuzU_
z9nRD%YaaO>aJi_Zc1DpP6QPp5SE%H3!qn**Hp!|$@+2n_?fs=yQQ~@sSOoFxFLdpd
zyfW#K72#f)5A8ksR@K$J6jr0>{(C*@_?)yJ68AAi0;=6=s={G;{@#zML=}Wzxsw^f
zUYmSE7FxSXoaa1IyW}ali2BU;AQ>q?{W)or-$C%i`V|xF3{R{p6UTbLC)TgSW@24q
zmTtGXVtr6z{T2n~iFLrl`V|Ht@>*@D@;7vm3G#Yc7I&_^2BNX9H?e+G-X&u4diG~D
zo^o|!gfdXoP<mKX4QHCK{=3zS3Wcis-E_2*upV|kt%b-cKnt1l1aBlV{rxgAnwpqf
ziP^NHFC3>GMSWIAefGur+!ghCSbTbpb-DMLb7Y!ozvumSUj2`{Wl$+F8UH#Ncd}55
zs_iWB)jD^xdi(o20x^`)|4W5>^a&Dq=kw~<(>uSQwsMIy$Lxo(Wm@$&pZ$Z>96#M9
z=MCkgA?8v-H@qkt`kfiu9vMvwPvGxWu^YM0{5sFOj*$s0n;(U;`B8?hpAB-P=v!)U
z{71*e*n~Nm)VY|1o{{XR(`i%G=`=~ZI%9TfxAnx)E}0PVjRTpF-lT<9IKtkJ#53Cw
zCOrDssLh?!DVswg+kbOs)^54?E*II=rtcY1OT`d%wFjkXHkqRitHT7WSXexSv>=ZE
zud|OB-^8oe^zShb^JD7jfr&Xwpd{JF*_mwK&Zb$Qo`6biHyMzV$Ioh^QI43yLo5a-
z?|NjE6Q3-`*nI7IWb_^H$RHk4``~vt^Erv{=h8G`83af7K6HPP4*NW(%$-x^CHhpk
z<n=H8(X-5klayRUCFgk;$JFSVeSNbJFNU8BJ1gze{O(i9>P<Pk<-glGb#Kmk?=D<#
zpT;wks9cFH;gi`TGHKscafU6T(<*Hw`<KV5x$0*puKAiJ8$(~Exbz;{FXiCiyPi`e
zZ|7s8gd_X<_jdVqMpYxeoaU(Fcb{*VJ?RE9!1EK^Hw5_Y%+*D^B1NmpcD+)xvTWB+
zi>k}_OfNX+vsRYwnI%|NKI8XuepUMIu@nks;+X~CCbB2~7{1;XQoidC<-1-9AR{t`
zx5z%9RC?#R&Ogw!CazsqR8zFB=z*dKpKpjp`j_XaYe*6fzH-Q!k;3)4;qPZZ`<+Xv
z6O&8cJ+yAc=67w`V3oADx3>FQ+k!1kEgOBUonc=?Qz+=0-jQa!+Jm+A;w5C8wxzu(
z9Hmv&ZkC6-V0*a37j9Ky4K3WX$xCUjw<*&*W>3${@8VBEmt_lSZ3zck!oHit$7VEs
z&B1W3O{(777W5_fNU$_(Rj|FIskJ4}U;7r5(58l_y4rBC!`IRDaB#k6%<Gy?*y^Ub
zO~J6D$AmY&6#;h;heP{TND5sNZEx+XRc-6DxU9(6h;D=JMyt8L&X!Frty@}r;uV$*
zcC-cSNNKQM7UX<N6@S9Cp~EyQCTFb;4IRO-${X>A@V4{j@^Nym{mEUNCoFb&mA?cG
zwtulHJui#b->V|qzwoVvDxc?PYMg4GyUg=(gQc^y|4xIG4YnEnM)RySUK<LvQrJ>Q
zn}f}*?OPp%x3q?RfvU<`MS;rV3SUEOdvk4gwq42Xf@*4Mqg8Z-d2Y7->;^!4iSx|$
ziP*A=BCl9ejXPR9Tk3uFwRUBmJ)0<3E?c^6`RZjfgXXqSu$`)DDy6AH)2RZ*jkPT;
z!B9u6kI(1w<NN$Hi_8?rpE>g^CwG>UAT+G?QrFrUs#l4X=5M!qQG?IqkA$g@u6N#e
ziMdYyGi=tvt>K`rwVgWcYp!kI<OHC6^YYiEx$CdvCmFQ;O}mZpv;7MQU)>t64JBw`
z5?=fRqSOtP_NG`R+49R;8d|l#uc=;In29NYe@qp&<-5YiRAJjc8h>K>F8_q`UH%E>
zS4BH3Q!g~w@t3sJwMu90RiOCKUE|A{-Z4WJRe38VUhn17<uDgLia#~Jwq180PF!|8
z%0Ji=C&Bjj-R(1#)z=<ui0VT8r5<?v9bLG>>xK{;+^HvoclkTPmA}*jk>6S$tn&nS
zhmZP4gFE4Mt+%YJS1(jwvkXo%m}?L#Nz6w^TiKEoi`hh6j3*CXf7$00zAJH3FtPxZ
zb1xWnEwMSs?Q-5CX}uB0_Ox|1jx!?`r>`uIR9e$;({VF!vv6~9ci{XuNqHGg&MmCL
z)#5hcHsc=0J%#%S?(;Z#d(Mw=FXQCZ6<0I;m1`FF;yQ5qao@)M3Fjjdt8nkZoy29a
zPZz>HkCUH|coLV)YPbhC8AW^!w~CCufs790o+q>4B(o>TY=q2~lhLnF0?Fv>$mpLq
z@H2soR+G`8>n!VEuD7hGZzTU@^xtwU>o>WUwRVnWEuF{j=-p*mUoNt&K&fRty4<oJ
zT5VakuD7foG+EY$F!J9)X85T7F4tGm6<k#1>j>6`WpXgRUJs;AEt_jYO=^fWd=0hC
zb<{Maj!vI0&6yHuaaJH$*V^3H9_;9lLB$bhW<RP!SDaNQDpwU#ZAsPht~AT`k7?|1
z*#5VA=3sg#N;DHQ1CjQ!2O2x0?sTOoB``?Xaktbq+ufi_o6P)dzsA~*Mqke2<;w#z
zRA=GwSX5M2p1{N1uV{rCy#~AVgvY1kHaB%J+}1VD_N{JjMU9(+TkkOgiQ#W+Z{65l
z+f4uAOU%49*v^1RD-Q*0JA%H=dfGRiqMa>+qE%7b)+QxXw%k`+UoYjQ(}sRsy<wD(
zE-&0v7v=Tx(XUjf8HAdiMe|uySy^6ITvT1Qe3{C@czjj&RaKW%sQxLToRww*m@~az
zb<`zYOgw5g2kT{AYl?Qaq)W}$s<w87gUxOhnE>bt)TQR(TK~(#jluSn9l>^LMo<Qs
zvic|=DK4t3LpQ!AhR0~8w3v`vj&z#7aFA5RsMF~;qyDiqTGeOz<*0viZI`dDc4JT%
zi1zp8Xw+krq+Id0w|ZhT?ZcLbe{5{={;{#y{^P`_l>I9CQ~t3r#^g`=$Hw@o`P+cz
zW5vbllS)~)DVD>IFA!wnRv&Ds+Zt1BzUg^$=1B#S;!coUk+15{lFsHfcfC>_0DtW8
zl}-apBtKfgOg(I-dc-hJ@6bFhe_zhB;FjA0RjS{x{fjGC`l{N3^to<d(qY1vwA5~3
zQCdFNS6o}y7>&dBFRKqSFQmJWYTVlHq=7D8x-+Y&p`odzDZG_gX-9NcDl=#8Us2oC
z;tMy*j2|gYtt@YqMveb{B~{k4<yO&(iaULQU`O5TXip;=Lz~pa3a0g8-?E}*0bhfA
z_9+Q)`K?&4CfAH9FnRo{SC>b_di+*LeMB#|%;KUI0bf;RS=3kjXzISIK-r?(98Ktw
z6~AIVq;;U}7+*V_Ez#{MepLZqQCnL`md%WwQC~Y;psAhlhG;8_9Z%(F`m}~nZOpt>
zI_MS4tre@S(%P1KN;j;^*wqrWUQHh_!QE>0sa~{*rQH@^eQ-mkOSZ&H54@<gy)HP8
zpAOg3+A^y))W))^vzauTa8-@9?bJl+o$PgxE-7SIwl{5NZh()gnwW4}W;0bOXNIq~
zU8goyW_@sT6KP@<Dk?I5D>_?r^=3}e5ef#|Tz)i)x+bc&Ubh;(+VSa5ySTMI=$mW2
zY?%p1mxV=DC25vQCi&}7V@F+W$Sf!=T}9&mTDht}n!CnAUzmVUgY-YFCnO=ZxF+m2
z?d_dyVN*z!J(kteVA`A7!gjONE4779VQGCi#^f<Wq>4B_*|2id)WVEQO|*Thtff}v
zS3T(QO1`oVFkM_(eFw7|lepXI{M4Z5TUFcMq-w0<l*CCiCUMrBx%m|ftvPoT@V6i@
zzoPVEYwo-P0p>{<qUuqUp0mh|scB<NZMd^N+W%-}MLpbeCH&kT(Yca%EGsT9^_AAQ
z`&LvH`6^oLJ42mHZ`Lx;Y|Ji>>9Y$+_99Oka(tyUthM%}G+4jRTH8_YWA?MoS`nnv
zqikaPEYzS@VvhP;?M|dl4|OgbfBe9gS&XWA&Ya6mi`^eq1>03+*Ttq=(28J3sHvHv
zrxOWo#1doIXwsi%&6BdYbDk;+{@gK_Kex%BaX-Udh05=+!8U`H26GHr2G4KN{3i?^
zHF&__HiLx*CmI~yY~nH4Ww6p<j=`x0ErTaIb-1ZpHCmp}4>sz|-Pxe=C+7K-!CxDE
z$zVfMd-H?S>mQUhG<!o+iwy8FD-dH_RV$D+fr=t)nf#&msB7D5r7bF3Q6c6b*9aFa
zHOjn`61Ue3^===Z^tQ#VZCjcCh8tUB1`gF5m3kHmCa~qx9x;_){IrMNX}O}(3bNN>
zWH-9HieIi-B`x9ht!=IJJw6$n9eL6}i5(!;f6g46!S?qRxmN|zWH|oIqc+s2uRVW6
zCsm0JGIn^A579gM*w`$V?YdUgO$KFsV*JZiEh;v4S7m{3ZSb|%wlK)#=!N3~B`?&K
zt7d`r6VqgO_^35cO=I**(9}0KpE8drLC&H|tyzTC&8OCAF6MA6rn9Dv$|UFu$b!VX
zsx^91GfN$@=JRwdDAMG|iC0&X%aEt4Q#4UA<w=+CPJaS@%R<(Yx@e_|%4rJY8a8L=
z)7_TERP<;CpmGsed2lmpPrZ(c`bkr<eU!n?P9rQ%eoZ><{#vXNvhzZ@ZxG`!QR|Os
z-dM7Xxq;y*^f2oMRIovBg{Y>k<gpB9`sy|j6g#10NsM{aB}Y>#YPb647Wn4o&AG#(
zdCZ+V|MuIg`u43|O`F>`&2O0>o^RQUcB`eXu8}_-^_C>TlD^2Q+fut3j$lKF)xN<V
zRn1lr%f$BDy0Fz2VoGGm+R{>6L>8MuR=By|s?)m#9rRD(S}mo%sola3z`ljWz_OvW
zBPiI^u+?g>-C}hzhnLD^bu_ka5jI3LH@CL%wM!*WzO;twiA;>UDxK(6B~>I#4w&}9
zWwp09H*^Rs)P!YU9xSpF!tU8&g<3bZT2Y<Xv8o}>;ZRTls@$}1Y*A@In3_O2k#|rh
zTAU}g)aWkTgTWX|M^l$2v+w#1R&n);>gCJJeK~bAd@aEy)=#-U)<%mvx6V#m*x3}q
z{Hm8YX)8OJj;g1%t!**^@1Wq<`TWw%?@n8;N%PZuzFAGVzFD(G+fJRVLR;E|CFI#K
zjrXZ;Y{CkFxu{Vl&JDGlAy)dzS|*`p(E-hxWr|gcV3H(dtamdS(4&gya-ygWb+nEb
zPn*P}6m2IoCY~)#j6pOPiiqA{_H|V1+9ed##17;0EoCxIPs##;?kd+;-`a9Zm`%1e
z*3&A)CJ8~IQr#AaB7L$5Wy5W&*rFghnVGd&I8BYz@)tL4Rt6`jqtbZU22wJ&8cva-
zKdV#)RyMC-hmW-mov)clcBmi}`m9+j4WbFBp-Rqtl2futKhxT#1`kOWO`Q20O<jfw
zT250)NttE0js?<0L{=3!Xb#pl)skoCT#B4y7i(VE+`POQI;7Kz79igasfnTq&1AO#
zn@5RP`@7OKqI}ZG2;{ISJ|V`k=yqthB&CX_p{a{5PA^TO{JOQ6BC^w`iE6h>1(j!?
zQk$ycvu4?ygal9@)efX;D=lsa%FL;=BUrEVC+v26j<TDiNGtb=r8GwSEE_jqa#Z2N
zQi!_WSs<Oyl}=rX_Q-lucdhiHY!af9T%X;$=K5IY<@)Frb5#$YJ8mnLeiv?fD+x`{
zo9k2k*SfUw`>U$h$ydFD>I!B_M@`*Snu{h#jUc+psv4eFyr%5d;^MNHuq~1wN#lYh
zRzY28#BLjE?b62H5N7}wxRke6p`970r0gIxU%i&n<E`$D+G@j%I-GR4P8iX>9j+V?
zFSFeNI{|FwN*QNp5gR2{syRyx(r?jcp(iJRD*|N<k22fYfSa*l0ZvlmBu8^YWs=O|
z1rvdt162ZvB3RMd%$9?b8XbY+P85OWP85MNOsNF%r<`$1$(0)EQvqkE$-#k`3ZMqu
zMCo#!6!6tGisC$Jq-DFqMU`OAM|jzr>&Ic|NP&mf9`~I9b_tr}10CJ~GCy#b-36k~
zBe<liiFS+vq_wy;?UdyrSzCBDUA($zRjdMOW-&24;qfrtzDlhwSbGYwfXO&h{ixD}
zTP7FG{_$WaGJ|X0?6i_KCDf3ZM90oO5W{$2rgFa7G99rOMTt9!oYt1mR^}5yv0iLx
zWNW`u?NiA}sAChA%}7hLf^zt0z9h<h5FpxN-DoDFQ?D;n6Vg<J=ij2AhYTJ!c*NiV
zgS`g34Blt3+~AD{U&+$)UNZOtgP%0`l)<+fY%;jS;5>sj8~pF<w7mZ?_;Z8(1|KuH
z%HRTnxh8-AgIa(8qle4W!>r4!KRyrN=(UOE|IS1IndkYtp6ACr&tcE=M)Q2X!BajR
z@3I>;K5y#%SIl$HG)?a{c-sy7In#veF!<SPG+nPh%|^OUO%P-bqzs5M%TfcUTB({9
ztsbxB;FBSEW(aOxnFP3>^*Fymjq{4WNG6Te{lWIu4$GIbG`RIX`bX*fX2=4|s#;dG
zw8To2RI%c(sNIAuR60@D!kjL4`s}$ZyP2!Y!NFKB@n!W~t>(FUn%NkvbM}#pH9)2+
zVl(lC<t&Zy@EV6*9x?VYtHj<W_ZUueM2@c~vS=`6xry%Ddp(@U#8_S->jP(bVA76x
z2KxrS#j*-%mHDzOSIg{OfP}uv9H=&5nmwE3Xb}yIRC7wubpR{Qk6B(=&f}?gO}J&P
zdY<EJmO&J2k2=mFCLveqC@hyptj=RR95qM?J@HB)D(c}8<@SgXRV;}Mw&!%rptkv(
z3I2R+o<5ag^-Trm+e$SuqhOn#bs76-@OGH3pB%PYy4WqXT)S`7;+D?Z5GMkguy$0l
z!x18HW{zE@4+X4jW7Qk9mT?xbmUAi_TWBLyO>(-B+OH1TiaP2#^|qT$vSL0thjjaX
z=F=L74PG=j+4vWj=fmcC{bw|PrNKgjIR=Lf-(H*VvzkB8V3(m!HqYnHv*r2x@lkCz
zf73fO{@pxV=6Qm_41=EF)=h?<XRz@JE$1Hdyt=ksjzzQFa%M=%$fkO@4YjQNDY@A)
zJyV7V)*V}#SSW^?HU*i1$uS~*f>PO4)B;)-oNV_;*Q&X`4VW@oIKv<`Y%gMWU^*_3
zfrWA=SZ#~a3Yis3EVHo%1%0#H#Qaygxs|gq#zU4p9Ni=WRy-2Ce#3(L4Qh4_tEx`e
zBxL=oWlQHPak8Oax5=>u&!(QYirtA?=XSE#q(+8i*Vs*0wKL5q*3p-}5|pT#JM0t^
znPgUypfuP~E7lCM+ks(bcAC<X@^EW$0~+7tBX3mEj@D36H0sz-?Rl#z6|+{?HUudc
zJ6YrKtEldnohOC3MlmOrtN8AmecNU7&5QCm`Y_v^I@_ukTQSYZR*H((?h!p5ew>}W
zGP>%HF->3Ic@5e5VXF~yop<<~K6}nQF*?isV$3ExeWQGA`Qr@<>>9Bxin+UfhV<1|
z%u?KC*7w@|WB6Q|_wuQs(j`ZyDt;e9@ww!T$EQb*c!Az{HDA2I#C&SpHTDM`#>=M%
zjn|G>^SySwn(wvaHT7CIy7Bj+ls~75?9OaMd+VlP3pF%;pirhsF~X`OjK7aUZHQLd
z=`ov%jE>`MuvorDEKqfGjv3nNY}nQFam?8yF@di$4!X`73Y*1VpR!nSoWgi%1=9<P
zImh=f6Udl7t#O;ft4*9FeP&t}Gry5mWTrp0?ez>9vN;}2zW6O`ZKnZtH1ee-Xf3Sf
z%mWjN7SgM^tztsXQGe$~hkN6vdSEr1Q-<ECWN8Dc9x|oV{;q?B;>pKp-$it!u|bu;
z3cqHShG_r0te8VV3HI42p%p8Zub{WXKWZtQj%~BPmElkBM+CbtU^yMMcVITpKiHwi
z<DVNGGHA2^#ytPo;9m{?x51Uwi)IyA@^{X>@)B!$2iFxk>?MaD6)+id#8(z6YNQkk
zVk^nB(p1G}3TN7mZfdU0TSHenEv7!%hg6+xDIRP)`f`<uz;(OA$d0BUYL0S}p>t}?
zrg0sDT_CPq``FG!F@&g-`s3n@m1PSueB*5In(+v6GGMj0hV(Hb>)y^_`&RS4q^l{+
zFe3-?ti?h5t9<~kg7bH@w}j*<w>r*egtWH1_&px_C|k8Uw?~6$3Y)K0a*E1)N2>m2
zpL!5+9*V=`O{V6Hp*p;tv^Y{dboh%q+uPascQUk0Z5vpe`!a{|Dmpn+%RwD=idjGC
ztW|M#r>&6#UbbhHpczWoZVc;VMj`#Z7$NQEtJLgZbyIUt=}><uu5GCchRk>2HD494
zF2jX#fkw_wyB}A!kQ6sTC%_z_C~Du(L|<hol-o;&ZWV{vAJYf?tktzm;i|1Ib&VYN
zZhBZ9%9@jixXfgzsHI+lSb<J`?9i5jO7$8?Owm%wwEQyJVRroNC!=-yQJ1KCq7Jvv
z^H;Z4wzi`~HYg-<D}oPo20OxYyo9-4!fjqczL#Jvr{UXeLB8wAUCpAbKIUP0LzKfL
zR55UDs<o5DjOB86N<zdC6m?Z?h-An4nW`7{)ne6rvny;Zq|`TA%hm2>Kn_t>h1=;0
z?dDw>Y?n2-)EKj>H5FEA%&wv=E?ZlS7Gr4Y_+DGMimm_-s&HFqD`mPOSQljTbdHxW
z*Gss~OUU;UtcC18sZml+9&-MGGf}SRGJUgy>S#(q`ZaZe*s5a0kEbr;7+zxnUZ&kD
z7Tc@2Rs^&KKuQCs;^KfbQgvra$V!_<Y@KhmW6{c1bh}Pe2iu#QI8qplp(4?aM~cL>
zWjfrZmQKy7Nl`x83zCHB!nL22(Ae^(lS)8U-M2dlrYm2;CbLP2p{(X$w4EPALS!k^
zk}b9EK~<Y7<usPkiX>h~&kV4(*{M`|a4^B?Wn!aH{Y)%LSE^!6c0^{^Kr_TRDl|c8
zgSPf!8cBx<7ef^07=mdhbY40(bz;j}$a#VKRt6${6q!J}xRu^wlWN9KFKpeV=P~az
z_+En_Gx)T@?;CvCV8md?yL9-g4c=t%c7uxzt~1zSaJRuv8vLfgZyWr+!CxBugTenc
z_`2OX-ZvV&-r!7ww;8<0;1Yv11~(b(Hu!FXpD_3ZgU=g0W$<N#uNX}2)#-SHL7%}}
z4K6Ua)L@OlW`mC!e9GX*41Uhw(*~b6c*@{ugMT&n`aL=ww;C)oxX9odgWmH0XP?`R
zoJS14+u+9xe%|1-27hR9*x-K}OnOqMcap&y49+)LX|TcI+YR;@e9GWIn|_=BLni#^
z4SvhuPYwRT;F!UTr*wL+HJE2`k--NHwi)a(_(6kqyf%K`(4RB-6N4{%_%E2}<h?rn
zHyX?}SZHvy!3Kk^1|KzO$7`cw|MA!l-Dhir*Ew14tBzhuR_ihj8kTi*Fu#spmC2GZ
z&Fse4X^Sq)6-SgTUGzE`vzywxz|5tkFgmFPbi9WVR~GO@$L5E6D?;4<NOWT)E{u;J
zUry(73~Q^eOb(IQLM4!zg0M&4CS#zQAaFUSO-$xuQM6ZGVb{wT<Nzu+21B7V4g#td
zC6Iki7wE;8JL{f}2T|0kDY3Z7SG=O!dp@33G07BlvR@SEul%&3onv9KdqyZrPDI5o
zvyF$>E+Fe~IZ(Q|y|pvZbu9hX3O35P?GS(7Scf$?_}ZH`Hrh8Z)XH7^+RCOHwz#i!
zYsm{`!E4tb6-xinzVVwP+E**z1jAy@)xl_~szX6`al@}gNqvy>Z;6v(?qs+^C5TAw
zc-Xn|DmXT;UM))!thL6vrEW;nH+9r;QKGJ)nZNn~Mr}xLPN)k&>zsI$eQoXXrRz-6
zJRY+9qrGB0-1)HNnn!-#o%4LNd{w1IOnrHto0nhUevbOjy?vgCLnzWuj8_NhmoCKm
zN-ffNC&%Zjh~d)}HLe0v^SM9Ee_zgKbraRrc&yPtidEk;l(Z%Kd}hDyPrqjH;`{XT
zcg^#!4940?=%<u1#<q{JNKtQ~iPER%&7(81q^IC-oi%-Chl*ay5k5(&v!{{k+ei)P
z(n@p_Lp5$O2<d={5)X|l?ba1Ixu>6wlY9BE$H{&Ct8s6^-GG~pn}K^P?pECGxVvx*
zaK*UAxH249)U7JqeYjd&5VsMx3D=B!2=@+L4{jH3H|~A758yt6`y}quIJvX`72Ln#
zzJ>cX?mM^_aX-QR2KPJM?{Q~wf5!bM?!R$KN#qA7Z!nyMdlT*&+;zC=IJx(K2kuVX
z0^CxZya!+{ZXK=`w-MKh>%_esCvWO}0=EbEZrlfPpTzwO?u)oD;l7Id2JYLq@8Z6X
z`yuWpxZmLZ19uMh7u?@)W4J4m(L3%fIQh-aS-9J9cjE5C$q!X5#mT!*SL5!(J%|h9
znsA$NTX2uzdT{a+czbZ~#k~*raooS)K8O1X?wh#p;C_hvIquiE-{JlP_h;N+aev1p
zrBE+$Z^XR?Hv{)p-0iqKaChMr;1=Un;^aO1YjF?ansE=|I&fQXyKzt9K7ji;?lZX0
z<GzCX8tz5h_i#VL{T%lj-0yL`Z#t6a%gdNBapsQF9e=wjnVOn9*~+^y@5%{Ryfrf=
z`C6W*Sb49{yK2If>vxnU1yfQL4|QP8sv`bc*53OxZZpqbT<_tt`NzXX!{27G%izV8
zI-WIaV&k1^o=>gT^!)};c=*PP&!)E-exJ$DR3m4viC<+l!JlmjX#WgJ_ct+pjXIDl
zJ<zo29k)*Jn5ImxiZ7<~Vb;<m2QTIHJo5*AOb=7JIu4+2*iW+vyUZ%F0=&ZGUMo;(
z1@5)(mA84&r#Rcup;iup6J3WntuE0{BPM;Yk2h?kS@o@TopN}bO9&nH?H!zd*~(X}
zaM7>oj;4N;1Cz!_&r)I6mn+o1s@{~bMTno=w-9mi{c^8Aa92cq)~bDib-qQ;3pZ4L
zWLrAGKoxxthnUdSm>|6@ZOMc)jO>~l!#um!ZME$4V9sZzD8?%}1tb$d=aMCc;x_hI
zWFBNy;_k&+#!hB5IbTma<S#`aS2dTH2YgFQ?pvduWY0MIv`n^!V;<+Z9v79ZDGBKJ
zKEPuYFR!RrzRdP#dqide;-R7mlvEWv6!J+|quwPWC?ETMGWyA~X5WfYXlqw<NFf(l
zW;a@D>gDtMLcx}e;l>;kcJoc@y6#<EVu>;nXm(v&o0imqZDrQoR6o?>Td=^F=j-lf
zmnN1N=5mOMSbK@-%hWAyJjVu$^OMlC?v5c_)U}SVI>RENHv}oKpd13Q*aeHyYa3`G
zikxTh&Xvtgt({1UCRU{@+};_qwqgODV>NKKgc~>9Hj)h&OG?r5GtT>Ny_=sQnci`?
zTvcjALpd8d8{VqbG{btx=U<S3(q?U;`Ye!EWi6md%EK+wJ8rQS++y8gO|Q46hZ?Nu
z8!i8hvt~{2m^F(iZd_X&D5@@6JH2Dwy1UaX|2?SMC)b!{m7pZKo~&s;i#e%!Ym@Pd
zK3bR)Tk2~=R9EBYCRq0nnPjJfQsbskXm(4GH*=uLn{7(eOB5IDb>kvxN{+l*qk^)R
zd&d;w3|<}NvqVqPd{|^d<<FAr#nnl>E+#_h;BIE|xu!X!Ez9%g(~{XAXl-A+E+>XA
zo#=xyXP+TU5$u`rQ5?&thcmSh`8t1oc~i@#l9qZ^akLP{qPvEeWF!t>*20@m!V6V(
z^9qrpKExi4?&btyoj6`ievwq$|26T}hSt_lG%54vbC<hybI>bv{1kff5~Ia3l85P8
z38UTTczNCB;AGhI#T&+**2MCqM$C*;^2~7}+uYP1=A4^P9dlC3E(rx?ESo={?Yx$7
z&Z4sN62$Q}p@gXZ?2d}s!-y%z3+%93tZ9NCRmR63m2)`>hz~DI;LA^ceE4db_+@6E
zvQl{~3bU!hxht`r&!7Kj98HFZaXwMK#|ptft{a|1o|#a{c;R(DzAO<cWk>rLDtsYZ
zW8QR)_rFnNi^0bY=DtbO8?M&)l6gLAo(raGx}ELwMt=8An*OxG&FT8tSFCZ-^%_?h
zY%n-v_;;A+_Z$3_!KV$rVDJxy|7G+1ioy9AT7H^AJAJ;-YkJExji(G=GWg}Cn!d=$
z@uqLHq3<v_&&2;J^XyIE&kWs8U%>EBH2OG|rsFG|sL@X6c(~rAf5(lQ|ER%bsrtFT
zOyg^%|Dp-^ev`h}O8*3-pH~e3;1xQaK7)38_nP#5)TjMV85~X4&pQK&(|5`6Z8q|E
z7#uHs87BQdGkmsw?eq<&=y(nrw9|Lgq;KX~y-s?@;Gh1apFee1Z2H!ibTycGUMqbK
zhW`b_KVJG){6)vN@4qzK={s-Icj_0Ke(;wX^WI#jSZrKm<gYS#x#@e_@V{32?09Un
z)93qw*3Y}LG(Ka{=Cje}_hO+5Uvr(2WAL!SV+KzdJZ~`7#52`kuE9cshfC{JRHsb;
zW5+XRuIi=L5W}eo=VS9vH2SvnZusrD+Qjh}diZUIIrCIJYzKr`iOO|O+ef1vUzaER
zohq1&MTz+jdH7BG%-|OdW6M94nBNTc@%$4_dD!Ku(<8G$OMhKh%M!q{@{E4pX!uP!
zRyB1rF$InK=NW%)7^s!A-hQy6%Tj0kX%3CqD|M5?*)CSGR{9KGT^Tk(Y%8Yi#Y-nU
zgR?!J&Uo5keCGRt&27B6EL^+M%gcckH`z{-sRTB+O*Xpsl3hh_d)f8^9rJ9_zP59;
zbaJ*mCvS#2WzJed9|!l9EMJ7tL*8l3sWp9fkd-JeOST0%NswicOP;!#s4JjZM#^f0
zO({9-ZYUg&57yPnnf6%5x>^pq%QeRhL0_#tQZDEAke*C><^8LIul2dC^>ZwfteYFH
zHfyF{IQs6E)$+|Z`|M}G599C6yv6x0>*i3HKO5!GL!GSxwQa2(cexUk#P|Pk|D%Kd
z*Xw|^)&Cm~GrHR2`TvXZu4k|NXUfuJkduxw*sjcS>L3|LtSuHdD|n^l>~`MaLSHj$
zj!me;G@uFaHfuv3{Vv^7j!z6i;jL?%*3E|EQ?|JnQn|7XS_~>yo|vC3=b&@}Ib#2$
zy`4kss$Y|@eqVLjnu_uVmDTmZs_GSG%N9RaynN-dYHi)p)*=6mE}IbsB(WCVVolTL
zBisJv7`t4yt@u9s&)<+;E#6fv*PB$wU#U&wa)59C{3^+?F<2Obf?_K1uHw-QCkTv5
zM{#OtGCdG$N^QNeducO<Tava`VOdBlS0#==uPz^BXNf9^*rb|xuvuKL{HPg2CtRnl
z<RMHW9?{BnWg?JJuaSY*On))v8c!73fO9#ir~Hil#-(7bQI{D->U?Yz-U1(AO<vCV
z^SzW<$)s8ti?qeaUB99U!b+m1J2{Hkm2#s?S4|v0VWxseN&K(aKka&U{%Z@>*Hy;u
zaoAw}y_!C4kw%-}i$_iPtREIBuLgtrM)mW1@^$!EjJ(TTpQWzQ;VyT5cC(3Z+L(^l
zp8pS<^x5kfJN<KRQ{`zFj%D*t{<@CWp8q@i`HJ6}MGHOYx|F-Ny@`G3WZtcR|5#*@
z?}O{cB13uX1HWx7(#Lb}rm@Hcupi8Lvt{Lm#v<8ZKNtW<z#7osJQfLqHDE88(J~ep
z5IQ&nmV+0>AI#u@KnTnRyFovg(MCA1zXN_Sw{t9#JC*co<_CPi{;gw?ec%At50*cS
zJg^4LxCVJ(HrNgN!K}BF9&i*K0R7!#k<;Q2W?XAoePA{?0Q$i}uo}#LWGvDR`oVo*
zIoJ=@fX9UXDCv`D@B-NP4&+=%JYY2#+BO#14i13*;2?Mmta*%Z;tyT`yTObs^b2N#
zeV`v4c%1mbA#k72d*GMnC&&+nD*AUK4;%tdgEj9Oi{xLAJg^+}?<QV(-h=*bAUqfV
zhn|8CX6&V$!QOX|MY4Rz1M|Vqdx#G#-!~SSawFyXKGFeZy`Opj_I+S1G6MQP2>&$V
z1<S#VkKzw@AHZLpKRy;oy@_yO7MKg>gMP3aEC=hs8n7D-f&0L2upjILkAeN*5IFED
z(w|NEPs0z^fcwDEXUIR8^*Q8ECx2iV4E0lwz;5s$*b5GTec(y39~=P(z|@;5A216X
z0rSC8upG?zJn00pz-}-X+y@STCqe%g#v-F&KbU_D`T7#^gWX>tUa<EYlpE;(7W&K~
zeP93#eVh6L4uVI(0e(MiRQ$mySc*r%T+q)ij0M1&?-MUL2p$86z#*aYW4;%_EPin~
zcP7vL&~*)%^<&Zj=7PQ80C*4_1P8z&@FX|_j)0?JDu;7&e@guY2l%n`gYx`y>Ipdd
z3-rV9N{svx`QRuR1~Yzzd@u_<2<CzVpdUO5mV+Z;4VXHMe1low5Eue$hTsQBz*N?z
zq2CZcI0*L2^KXeCtoa>!;owjR%mur_0N4lCfc;<?8~}U4LGU0r1P*|s;1JmRd&1GL
zb^ix?1P8#}Im8c^gBfQ?7nlWZ2Xnzb&<`E~%fUf#6wKnsL~70w4h(_yU@zDWj(`Wj
ztaG&Q+u#HJU@uq?4ubo@QE&kCkDw<o1Ww5(KVSeH0z+W#pJ*3g_j$@&=zk&Kx5IxC
zI@li}JUEzoDdL}pKUfWpfFW=c+zw`3aVgRVW`Re*TyPNV1xLXFFzXJ&gZbbnSPl+e
zNjNZ+4j<SHPAPyN%moL*05}5Hfc}h2kzTMD8~`(}x)d1!`@!5hk&{Wfz&>yvm^F!X
zfc;?VeB^=I;1K8sN5E=u6bykGlgSU51@?jE;1RF}90Ui!th=D|n~@=~58MuByn*z9
zHQ-5b5X|tShbg2R%y{#q$PhSkHO~u(e=6w%`>!M4-~c#<J>DTO7aRoxU{)6VpdSo_
zHDE8;4ITvhzyWXoJP8hgBj6~QdJo~>LV7_zm=D%~<zP2h5B7oG-~hM}90L2nQSca;
zbv@|@%fSm^H<(dKI4~Q`xPf$mxnM6?4ju$U-~iYQo&@{A5wIUjEh0WJ3mgRV!6C35
z90BXWQLr1#@R2Ss3+xAT!DFBw90JS13t$Z>TQ?z4wyL^8KiCUagMDBK><71l17IIG
z0`hBvR>qB#FX#tH!4Q~ROn9&y><2?&#x&9c`oRIP96Sm3f)~I6Fe`vuFaY{*A{^KY
z_Jaf9NpLWm@-89W(}@QRfdQ}^tO0w$FxUt7g8kq@Z~z<thrp9U&mrH7;G0Q)!K}BU
zH?SYv2M&P!;2?Mm90G^H5%2=&&n3N!Ne7q@4$ehCp#L`F0n5RY;t!6117K<?@#GT@
z^n>|e4Ok9_z<RJ7>;`+mePBP>4~~Mzz>M2T2bc?90K37AGQ!V84`A;d<Xf<S_`yDK
z1RMlYmyj+$dIJaVL0|G*1V7lnlyU_7%1Pf+o-5Eln6-?2fqh^f*uC~r<h0Oh;46m@
z%m+j3s4rkI7y`>5K<`2a2f#sa1k8GnbW|V@%mVwte6V*t@qoFtq+6ahP#>2OUmfKm
zSdV;gB#2yav;n!Ge<S>0e<S?M!6wQd^uG;#fkR++CGl=T4p;+LgBi`pk>^(QcQ5g^
zK?euG5LmMX`CuP-5-jh6Zw2YwN_xQ|Fa-9$9e*(65%N<7-wx<t?oQ-`eZ7<u=-*5E
zRD<uKJi!t07})(@+6~zMe(J$W((wWG4Ca0iJ%i;RqF$_m{$bi1*#9x&Urqd<Kwn__
zC*cQkKZSll|9_ItHOL361^<hDfVqFgAFO$Wbl!(PF5(Y%{{uN-FW3iWj1n(62#$jH
zjuC#XWqk-70?&e@;3KJ#NLCGJYp;kz0^rTBi$p?T7q}0clop8$fsI#1BB|^6ZLdj@
zNH(|y41iw*dFQ|N@8EXus>zYaLC_B#12=)E!4H9{4{-h#%m)7(41j-mJ>kLMzJc&y
z`5Orj&Yu#A`0wW&0aydR4eSO#0rr7M!2$5c;1GBb90eD?iTseSM$ixL0BgVlU^h4b
z_JLV%CLQZ7>jGE~{@2x!NEm!_D)|OyUW0t_2jFS2{aW%vx^{x6!4qKWgZyq8m<|2|
z41klbBR}9ma61?R4}$x_W8fFS)8Gj(6}g+Upl_mnfv3TFH$V?r))6op+~y;F;HSV4
z_z$obY`ZZM=?7n$7Kxk$dvA(FE`UGFjzp$3TbA$UNF*P8&n=NiHQ10t{=nnlK5*uY
zNaP5(9Xtu12QPptW)i-I_`!Ve`nM7u+y{oitX#r_?*Wg1*Uln5xE;Iz=FUd{t>h03
zfD>*-AK*T)7yLTd56;hvL<Ygf!4dF0n9*ig56p=~a>2u3Ie6_{@(sS{Ho}9a!G16|
zpYY(L;0X9{V8%n1^{zVz54IJMZgBRUlsotZ@E|yGKKcd^f+OJlcah(Ae)|pdgV}!S
z3%CmG1|J9ez_%?R99U3DIf47Y)DC_JuZVI2lNXX-uni1>m%v`|6UC$#v;w3Td;lB)
zD;E)O*s?wf=7S?(HCVkEJ%hvGK5#-QdIs+XPlBHSN5NBIRww0JM!LaXum&6eyTO@D
z$S)XJO1xkfI07C5Gd7dYa^eN2RS*t*8QczLEh8LwcP04+kASDa(_rcr>c_q47d#4<
zgD-<2@Xag8FSs2%0zM6%1hcEC7vN{XDP6qhr<!=d!(cTyb0z5od%-^NAK(C3vx;^N
z{u?+d&#TGrR`j@r{DSWRYruK;5guFu_JI$81K`B9q#Jw|OnsR4xQ=v#ePB5_<pI(S
z_JSF;#0%zwvmYc~;ASukeiqyZ{tP?<o(E5Yh3m-|_%?9L2F5Ya55BpUbb$q6H`oC7
zfxX}WcmNy%kAS1#AedE0d4qoN0$2l1+(39R3+w~)zyYuU90K=&qu|%Uta{{te()8r
z2Ao(&c<@@V56lGzz`MaAuo4^vH-lM0&f|lA@M*9HJOOrtuYi5v#CpPm)4(BcE;tG<
z1hX2b7oZ>90M>x*U^n<U*ayA`8~{H74uM|=N5SX7tc~>JpdWk*tN|;7ga=!|KCl-Y
z0G|ejz+rF{Olu%~qh;lTesCdJ16G3F;KN`acmx~(e+dqOXTVYL6)>xbbZ?~nf_-2;
z_#C($JP95IUjmPT=fTt9l1A#)+mH)pgTDj=;2W9<5Bk9E;B4?9xCT51z6U%FJ_DxG
z-@gE6gD1fN_%c{8<G|Yp4|ahE!B2p_)Yptn^e5n4a8T+mI0Akd40T)9)Mog=g<wAz
z0y7?=A84a~gO5K%{RRiyso&tIHlrWV>LPt$%frY6Pd!4tew2C2ql5z=e+<2XFYF*)
z;OI`|gZ1ws9pI(igaZqoBEEMpj=r04VA}f#2R;gByq!BIU@mwJEC;Xr0O<w`!CtTh
z><4#(gWxB?5%4IOL4JM==7PguIrt}V5F7<Z!0!E|kN8HwL2wFLlTXsaE3Blh$w}8`
zyl&#&q}NRrdKT`_)nk#F!eBm$`RT{-7yg34SmbC5Uos~z%AC4nQu>yO+pK%8y=&%e
z+0#UXgb(2MuEdTZ1oIJk4Q@Ylh7ac>JYjiSH5Oqw;yys;<euc@=FExmpyllY*W-VO
zqUb*&uOGJ)`a%!=7|%zcU+<#l@_h(*9Qqf8UX(d`M{-%_)Si^Znd_6^mzFsdN>S#-
zqIB_9dCf@TcfVJUMP>*A-=5?;J6S59x%jWaKUMtAN75C5UJ3mQn+OWM#>n&1!_W)i
zH(6Gp%K6(1y#V@l&{~)|`KjcEnNy!kDarKhNnMzk(|biAGjGR)KxRSD>y~E@Z%azK
zIw>u)peQr1C^KharVnNUEzF!)LY73{5OTWKj72^q<rkF)tC2_09TSR0-r~%?DJkDb
zPAINaG$itJlhNnev54G3^U5oC(pMz%0-0?o_a!At96{wH^`IMh7i-2M2SlFIcglN{
zjK-x-_2J+3z*yv`pv2dkT%0*|hv=gxwOJP+xqTo#<tTcP;#7H04mb~G>8cz~6Mk~-
zSY$F{?2pJFg+3AbJB8@cPl@D5=||<KDzh?qMP|X`I9;pqN57TGnPdwGRry0Ng`Vl5
zhoKjG`19fEg<b%CzwoR4mP&rhB)>~C3zP3l%k&l58C|67t>ohv;SLb)S0>z($t9Un
z_lTZ)Q>hv|q~7#QSWFh`(o_bDJe7rT*|>~U;@>b9nIm#gr)e)sGky2jtwr(W!&mtl
zd@BF&HNtnT$TJ_IhoQGYzuG2(Lhps%1^sm{dN$t=8vd0+SM{U}ZBWdv_AB8B;XC9B
zFZ9#U4?y>}!%^t_6VRu?xEK1*BtG*IIl0i+)Qv@M5LzJ9cRzJi`k4Uq_0aQ8J>HQ_
zxk*3ct8u!Sg}S&De;EF@`mxA*k#n!;IUxKMnZrq4DEj%#$$=N_jz{Dlg#Q5iA>mi$
zvRL?+z@NO@DH-w9<#-bQVfc%M5X;|UvrB$P;hPwY*UOX%ctTh0LS*n!`G?*G9kn?h
zp$DM1C6H4Cy)gkj41K+a?nh29^fl10GyTgRsmHx3)YcuT#hE!hS1iqJOa6OWW)2kE
z0WE|EZ~AXZ#~|Sg8pa|%zT2M~zMO_$2>oA$NT@y1ulA-;f;*&r^jtx+mZlLScX2v}
zms9MDDUcqBC5X6gT!0FD0Qq;Ce#-RQs-N}rBZ18IDL;{3dr@3ZQX&x+6vxp^i8cXQ
zBIhIh@-gCH-#8X|-iaT*J(=R^=T$$pIP+*yN>}23UTHE5c~cmehS{&ZSt3yFt=_JV
zD!zRD&*T4Sf^onzPRTfMtK>I6U%KF=+_odn7m6>pKIl2n|4)_MDDrnAe~zO!HQq+`
zrp8+{o~=*$#y?wb)rqn#I^`qz?!J=of&FTCKUfcaAM{G-<EAS*E(J1~2AoQqu%h&q
z@e?5BJW4z{?30gI&RJ=+C;b0+l{2psu^JzWFX!#h+o1oSD(BP4KY{#Tj8|WkKGnQR
z+UJzS>I|eO*C(vVrRg=}>siXPp1wbia|j<x5Py9Cko?~XyN9B52D}8#D4+)xDbGQ^
zHipM9&k_8)@c-XYo&n<XXE5G&jz!*M^3|J6ue?M0)t*#l8xJvEVZufSLN~oMJ$aw|
z*-T$lJJ^mKYs*;V8o>TYzt#tRBJ{&D;CSX|i(=<z%;{71roPI2Q{;^xukr0;kyfX@
zGw!<Q*U@&hm<dJ~`iA0}T&vlzZomGk=s!5e;T<Qdp<A5ikYw8*Y40KE7vX2vbv~;9
zgMK~%y$|}C1oR`&hoRGbIUkWT2>ldvh6Cp#^wZE!B%qH%KMq~ZXG{p;pTdMy_}%km
zsmHm{g+E0ypvogU&Zv4^D(i`*GXF2nJlvC%l9YI$DNRqgN7@+Ot4F!z>G_D>M?7th
zk3}%UnR&39_cQAEq;@!y`#}177Nn|j!KU(0xMv9WdI@JfQtqdrABE0K8RF8d#;YZg
z?h?JO+V)sda#_NXS1nEC<ulRWww-mQ)1H^dj<;&uSS0dFsh4k&yvA1~JtOoZZ#(ja
zpBRgLneTeuPrWqlD0!)q;nMU+o$rfvtJnEHM)>tR;_KlM^i$Bi_3Z-m6A9=U6!`H3
z^la!y6VUz8pMmbJht<#zC!mL*AA;_ae43Ax+jhebI3J<+8GdhlJ_7v!a=i3G==-6&
z<%oVyL)Z&_k4UH9ntn>vrzI|x$^y%DSEg6h^XY6V)G*;OJDK@VCEde@nDvL$+j95{
z-Z>VjHGF1XPk%^PI2A(&=7xm~7UrvPaS5FK6RwSLA2Idw$>b%neq-Hd)^Ajvo(U<>
zQ;%ed>a6o+29-<rV}w7kYb^3s39sh+6?%QJEj49wvOVL+kB`*f3&Ov9EOMn3oNCAL
z$ITa2{au{7?R6<%N=;aSo%v$m4e0m1W06m?4rN^=_MFnR%!x{elD>NUeIMYQ3g315
z)Ou%8=H8^_$F#~FLyYKSpU8v%Dbv38Bv(7@fW<OjXY!n~E-5ny%{uD<k<CZqJ4yKA
z{bP{_grM}H>^{pfD@_A(Vk5b*q`ndR0O!ws>*ybT_xf4se{tsdl$5RXXwqr9i$M)#
zQeVrF^UR0i?O^rLk3x5kZ^GXV{W$d7`EGxteD*;<FZ@pVMEhA~XCXa1CYX6?VaiJr
z5*E+Bs*4bPoR;`MITm@FM56RTf2!7}$t9?Nk*b*3O5`Kynj(J=jz#P~#-`^&zla=V
z{}Cded|Uwf`hOXVd{qcaKBc1Nzt>f~_qx8Ta_T1B8NwAxIY+}S$=sHj{4s~QSS15i
ztDip?KQ$Klio|0+LO;fz1D}q!zYIa&58XRHUw}UOQ2h9u@h0XQ(7pX-HgqcizaRQV
z<h%K${Hmd!hd$jIZ=&l8HBLs?6^k>6A5TiTBk>3!Qw@=K5P2s)GZuNw8E>NU)I3PZ
zE0ytv_WD>-%8iNTNkz>@o}9m({JF8nCccZ_dy-|k!|GEyD7`FG@n*f5^*DSlB*=#v
zH`RD=>S1NdUE{~9`?(PEPI2DxPZF={ht;^w8oMVod6_P7rizQxlZ%{(8ddtbUiK4y
zC+8zGB)s{k@`t_+y1N{NF6V^1642$`a9aYpoFi_8?wz;Ex#IQEz2l9XGhPFoWt8)g
zc&njTLU)ftQjQ_$rO;(ACHdbYb{}Kkz_g(35chk`5R1~QGjp&c(V|N1xsC)Ec>~Ck
z^oE6?<SBaz+&fa0JdB3b9(haBn`7-95|)qjgBeq4FUWgB2&#Od^Lfl8W@xNR4?5r1
zq{BfCqSPb|A4yj=a)y!fh*NK({g<jY?*8jQQp%LX(?nGh^O1KDd6U1yc}|HyrAygG
z)%d;MNz0O$w8%IzM7RRN$ve^{+>^=6q+c(UadoNKMfJGa%t+$y&m|V6k1RUu{a@x>
zunFHQ<+VfXQ9Y?F4ot=$NROtWL>6g=t~*qz5B10?JQ6=o>V{sBfW8lU9(0oLd_+#a
z;rG__V}{>bZ-=1gAjeC;0Nv-IXCYtCu}_80aAEdkmOJGtbvD=dNBbdFu4;c`iDUm)
z>u5TZ6rc15@pi7jt1Xw6Jx$KZ7yj#5<YlM7L+^3(6SHqoNewTcAU!LIlJw*!@rYky
zRHP?=FQJDXFGbH&u4DfCH1=H41M?XHsn@yC&*Y9pUd-Tu`t($?n)fqL+mjky$E$f$
zS?0E{C8y+#U$I5s-N@TXJh$>);#te2sVIH1(z*Ee;lCgMw}`*$r&l}WA?X}2{@(g<
z68c`kdFdl2J}*6$$hN`nt|yY;Ea+X(KPU04_Cq=B5xb&$Um>~8Gc66I-{)#j0iEPr
zM1+uc3VCZqo*M7%dD+`_tBDRjY97)D|HQAx&qIztx1iJgDZNz^MK)gt4gYGPD}7a|
zX=sSQ<>`x5LZlwc{f9!r&vfcnbUcmjW2t()l!1{|L4pcanx4Eep@$woCBHQk+{9<b
zB6B4@s^3!msp>x(JpH+(zZd?g@T>Zu^aFoS%Cbz~O2v(O)V%2ke7=7|uH5U$y9~J*
zY@inW6LS6VmtKb4diW~;3Ay{=U;i3%{pf1|zDD@UO*tC7KKeEL1p&6aKJFO+Wpk8I
z05?kbuCKA5?9BVA2k!cf(Yj~ClFSp^l9JyRKkr{6lB7P#eVA?E7>lfv^^fWoqV*}-
zFQ|FalFaj0CLc~%Zx*Mg<VlYi-(@W&B599u-=^!?u}Dv9d_2){)zsVbuTM_gGpb~(
zb>}GZo_TI8GEXKpq}#1Ox>MP2$xA7{!lOVvu1R|QKEi(&`;l}gD&L-d+C9%bkd)k+
zFyE3pJ-_Qk-p(Jy&+iUG-v-^=Zw)~2f-dT?KhiIr^fA9nz&`@LF#&(-jnp^j_8dlJ
zN&C%$z6SdJLWt?F9**m;q)RG?U(%n*o-XMM;lCe$hF|9+^zG0OKo=SINAxTAqz*wp
zo}gZ-@{a0P?AA3Y3H7VXs|I;;-ztauIqyy4L6tY<6}!KdCkyhNMXq)A@^mavF_abQ
z$)Ag*AWrfj_qQ5<V(f{FGY=#&TnW7%dK+}nsU`GUP49-j6FTO3=Og_4pl^fjbEvvJ
z`VGIdT}i)tJ{ET7UD~cDaSg$L2suj<@S73G*+3NjjGI`G!`~(Rs=U!pkJz)NDao`h
zIzUPP<A;ChNn_VY)P7{korq%g70pJlgzqMN7vaAw@r@Ur6?9B^vp&lv$N=Fl5`LzH
zk4Z1P!ptXRyvWDvG<?=i&3PLYk6I_Fep0n_S^lk#HK$0pEFvi-+;+Zu)2Hk(0m8j4
zHk{PqYQh~L9K()ER}aGNwk72oHvXyNZ$3irg}$F~-gbTv`rZWe0q8pu&`(0&2Hm?}
z8-d;hoo3*CB;M5NTE2I^mIYnpZxn8&w`hAAf4znx$62q1kaq}qTO4_pvtDb9Eq@8i
zN760#5KkemSO^W7lUJGYmV1ele>N6r7CPy6+dHvZN=0T?R+9dZvi+2(vJrV1bX=u`
z^UBMHzHJ<NW-W-kg)#D^|EeL}GlY|KP?8S!zIb%JQsW|a5Fafi!8}V3S883*kG$hQ
z=UhgtJhlE%<1FKqIUgl8^UDbbQ?}E`i6{BFM9USDE}w2(?k)76++Y0n1o21v<0aY-
zQ<;*Kcr;%!egYmIKLPo~-%tEIxi4wkPxi=q)|_L&4y5d&$zROOsd9DS^@KZ3xWZqJ
zMV?FMAyGLfJC0dTtxrCLe&V<5m!zkBRx%X7)GC(&T<TAG4)y!j@#A+r^aIe<x)MJ5
z2!FTX_tN)4Kb(NSANn&1=*OTRO+X)lemnvF0`wCJ=ovF;PYLMR(1#Py{m{=OpjSgb
zpMV~MelY=kJ9O*c<Mq=AePROo5$KZ>&<CMUO+Y^l-3OiJpYsv@k3!E$K%c^Zl9zxk
z_ks(c%Wz_UL{0#DWdgd~A8z!>k$yq$6SqOP`zLeGhjG@Kx97zSn=IYR5*@xlmc)My
zd3!za2z?0pe(2u%bpiT;1oVuzQhyWBv!Ne`o`FpJBl7)*-%FQ!&m!MT4?&moc<I}r
zOZvU^KIl6W(2qdhmVhqztGg1=PeT`dd*zQpm-6w_r{pppPC(Cvz9s=Z0KGB+UG8_6
zCZNlG@4^Ihx&K`N{dKmILD93^2hU4Dm;2#43FvZP+?RkZ_s6F~r};Y{kuUejMZVkK
z2CF6a%OyQD6Elu7{_jXp_G)(V7)GOZPvI{&{7gIJ_*ucn@XI`@+wdzp2EIMXE1h|g
z`1ievKT{b??z>C+YWVJ&|1tYWW<w8wOaO)NG<;J2QM-aVKM3DCn@#CCW45k8SBX6H
zk#uB3m+*HBO{KFEi^}5kAgLAk0sQykukwxm4mqc*_J7Kqy-wi^!M7hirY9!7iTU=y
zcL2UchEMh<d=KjF33L2HtzQS=I}Tr^@Ue?!)&uIiY(v`f<n0BDXi#<{IaH~h7V{+B
zD&3=mKSg-epQ&`K`96`c->B86;>kvF!|=&(dFXi{>wB|qGV|xk<WGC%>E?io)USHN
zALcy-@05tmN9f(qbB5#Bulu0;pkHA#gTmhreQE;!W6&o<*E!RHgkRoMFcG?YUMutq
z&@JfcnpOQ3dPW}O6Y0eK>U{F~mJMC_zi;Lb?sGm%G7l%Eyc;{G&)Er3Gd5`tHH6#$
z(pW@(Z$#J6O0%9y`BqZq)TMfbf*&70t{46_r#YV_1XUi&{w4L<nAO$#OTO#X&EoW>
z_V%Tue^BBhyjRbsp-=vOyq-s)PlWE(^OQLVOTaJhcesdrH@~X?(9c6(YSP`4+(7#%
zOJ{SHb5Bd0`L(<cVk&ao`Yk7nydS~`y?z1@iRNeS{gU-5vlH+4>V=_{*Gc3R@;-<<
zlb&dMY<DeV-D=eJD+5Di7vZjyaONX=&4%6vJ<}$FLia;&gnqAwUJd<l0(uDgMd;r1
zM%$rVBk}Y;=o6v4`y+|>h~f9r2aWs;PkK&6KTo`I^B==s>fxVq8{+}-dgbIo&w=ih
z6EOU4IZ_Ta&>P|ZqsUk5FznrC|47<RGMjzTW}}as1Yni-dHDXwyd`#>k@#F{Ve;P+
zP0B^i5OOXeCt~7vufNoKiF429{>LIL6~9O%N0mRBIsB)1JB=UuA?VW9ZM%-Nhid3Y
zp>Iv$fp#q8+Wtu?wJEL!FJZdjoBChu6FPhtw6^GezBoO3yZ)x_gTgQGEouDgSmf=d
zKk4C|%+XY=``Rv(ay{#l$;FuyrR$acWC;FeUKxw5PU8XnKPl((-S%C*|M$GHaMG#6
z#E@?9yJy|b_+VX%{F&goUB1dbW@+*}60VMny`~%yA>?%>U5ZR_$~C%w7F|D@{q$1F
ze}Z+G>zu{_@(PkK>2n>DMm|$;C!z0!zEx55AE^)WUYCo|hckFk{mi)eN%?k$Hh5F%
z9KA?ZP^pza5Ba=5<=rA0IeX;1Qm@>1Fz4wxPnR5uHCsr!<oz)h3AbCqnUBmb<b5)2
zyl3TEp{e>JSG10(VwG?Q@t@3lSKcK4<|FACfIb!aSA|A8%=phbg7XADx~o&gsjsi7
zohXrafp7;1r|eS_mXFl0j60~$(4+fP_WWeC({GyX1Kt0@e+qult^E=C)zBxu;Zmf-
zCW1l_LGOYt>bE~qFSbK(gZ?uiDt#)uP|SKL`GcPM#o}}(Veythk#`b#)*CNHK9E43
zvRl#2*wl&%yeK_+Rs8J+=CsJjE?|C-ytSs@y4Pz;o}9<Jj>Z>rU7}P@E?{G13@1<a
zOj-00M&9}<ystshXFfug_xu#R=~Cnsn+Qt$2ci3TpUwuS-7xIC_k&eGX7-&q4}Wc9
zJB4aF63+$X6<&QQGD+l_kI*yjB>t(F^u0s!)W*oI@(+DI^v2lyyX~iWDfyCrcXk(v
zohL>k(!-0qF!Hutb17mu^3;4%mG=^T4y15}CoKEfVhM&v>yyf?=2;@|81nM2HSH=|
ze^mNxJLLlecBigPPI1Igbj_|o-jw;&N966}yQ@CN$YUnq3C;1Y7)n|Cx>$lpQ|%y(
z{KLqXYRbG_=~<OO^iv+XDu3t}??*c5lt1IBDStJNx%WZZ^yw!^o)ZE3$ZS2LE+B7x
z)}_c|#~#Ld$jB>o&Xp^BnB1>Od>VLRdh$zj(DCu;4qy6&n!8y4^4=tSpV^%2T;lAX
ztMO-X=81{Pe~8~+)aezy97Imu4ZQz`@0=6J+i2>gynm_``iB$D8?n##%DpCI4`tsm
zNw%xw?Rus|Q}v%gb3gAHa+ga!QD#Fw3jL78uliZ80-N*6tDSCkN%~sn`@-~WSmixf
z1vfL^NVpDlF0}Re%!#Yy8+-Q83t8lEhwnUm{X$Ukqw^%H2l|&v&%i(@Vun+-?>a!Z
z##=5$zT?!3XgPZ9%ZoDGsGkM##>>)lc6Jk-QqkH+-6Sb{0ro=PyR_28^Cat0<`JqK
zX<z0X5#=~J`9yp<M)ylY$T>3u{mKNJd_E=j+f2Pv<)!Me>c_YXcqOL#@yko}Hh{cS
zb1y}HY0}jz^PA}X3+5xy`xj<8s`{S`gxkh@nVM7WbP&$npQ`nSI>*9UOm)m5zTTLH
zxU^4sZ`pwY`U{!IseI9&Jt^m`-1nBvdE&!K733?v*%*b_BVr%&&fj$@@{h|Y*Y$~;
zC&x2h9;d*GLH9$W#Itk3rN}20MgI}KPPvEi=I%?89YTs-hqADfipV6Bqh4z5$yZ?$
zJ;;03x(IhutRABCcBNM{P8~>2nI_{@ye3qO6nTBfTf=*<ej*W|S94xajT6e=FZ*^)
zo^E$ZdOeibdy52@dOU)>Gsyd>Q;%uKW<IRyF=>%|!t0Z_#aClfKHbR4FJ$~IX8z=q
zk1FqIK2<$7^Vs#t#}k%ANqXXf)AyX>8>;E2L@!5(f0+0S#*5#r=i!OTrxPYXw+P8k
zY7y-_a4B-N(;gD#N0l2VN>Uako?dXP<uU9a3HlgyDlh?E25`yGcH(a<Wt@1`dSlLy
z3{Om1nK%JTLsO7<5_y%p7p;l!tjh|MYdQbK*AeK4p#Q`f_Y&pPlpE(VfBhQuQ{J~%
z!28v%T8i*!yN}ibRSrtt;>^RzDgU`7k#;1Jx;^$H@8bSTk<V(9`YZjxLFjvVuUJGV
zo_IXxYh>TAn?fja4gdPw?6P!DZzd=N6^ohw7qh<q(51*+(T{5P#vYiLawR1z4IcxP
z?$2{!@xx!xcPTPG$-{p%Ir&+KU$5(>Uy=6-7JTGV<X?rKeDuouD2zRs4bZfdn^1Uk
zsB`X593<S)k6wyA;G~OoEBC)EQyK_i(xpd6RsQgwKX56=PNmvE^fS=y`+w#=0hE{f
zo{6;oKgG9y)8C8ye1!RUkJ~r-Zhshxt#atcp+6x+)nBP~j9M3#>3Qvm<YZ<EG4n*7
z?ks}z68@F1UDEb3rT^lqCamNICiscJyif5w{%Rd)`&UN&2l0Oyf2Q}Q{0QF>^&i3i
z68_h_{r|uA-aS0Z>e>T-Ndh9GMvIDynksljOhSNQtsMwKQG^H)5igTTGJ!yDO(qCx
zHMLf$MT?eN>orwNt)(@`Dq3qb^?sq2W7UecrY*I$wVGo&9!`to`>nNp`@Ll*>Uo~;
z`|Eq3CwXUnYwfl7UVH7e*Iw_QnR5dA=t?{j1AX5x{fvMv-`n^;=o7;9nt(nR^zERZ
z7N+M_DucAY3G_oB-sPVULSAmq5vid3TF}RXo~wNuK|dVy1H<yGgYug}9|yYBW%djC
zX9x86KpzWwO_-i{uHQcSUdd~|ziVJlgg(osPXv7v=<_4=(|r0|(Ekkj`VnAo<CFib
z5yCJYP!s6q+|7NTqgQ?{Kks!FAySo3zQ=OEA2F^A@!=ELKBLHc1bp}1vuj|16m)#2
ztj)*nf3{;3zHQ)p6MWzG=MVIPdh@Tzb8Ko~B4*e{Rde;5b9T#bJ0RiZ+xO>KyF}J;
zKiM@PzcF1f`os#q&Ql?4ZobMA-B+K2*tdsqnQK@6E82LWXF%WozFqdYA4hMqrU-pK
z=*NMc%Z~2{y#jPe<NIw`9+ZC>^aVrEw}YM<f<6X`%(fxu^8KHe4MDF4{n{bu8PIP9
z9qHGg{mnu9*Moj9=sUvnynp)oy&v?eezwcbK{);8{ne+x4EkC3@A5z2qVp`T!KZHr
zy&LrRBl3gtV=w_W{35rXDFgi$&><#hKkVsJ)S%-J`jbPH&w&0g=;BNL@td#BQ#)J_
z`cH=_e?RDVfu2i$FN3}b^kc&E>jU}QLGK0qxG>$+qxFx01KT`A{bis(4*KEY^5+Ng
zt3j9kZwS-#zOM}G2QYv7AJ{eU8t4V%L-WYy?q*>WKG{!nZ`w7mOZZAdeBv{<2lYLP
z`c^)O?*Wa}_g%lfHzDUk(hCwXIoF#Usjr{_$EY4co<Uxp5#zfl;F}1(KRUi8x%tjR
zT(k<`JK7R%m$aQ@A+XrX72tamd=ex0_Rt#i?=H|^0zH?#Jqh~1hA6)c^u2cF9`6DK
zhX;XvP`Likx;q~9F`(!2`?Elw1^Th!^65Zd^`OrKUGv3mzKR~MG9D==dRPm-hlXg!
zM$qpAJ(t~W2K|1}@mM#|V`HF4`5xcLK|eA~53RqW&p`YF`sc#*c|rM!pg%GMeJ<!d
zpdSz}zaS{z1p3`WlwS+_Ekn>Zg1&AD`ex9t7=r#D=&OdHkDiA$8gx7+2=o_PmnMRK
zIq13cI~R0mUoQPNfqnz%x#Fv}psxWvm*3h5`t?JU-we9+KbQRXKwmioeKZVw*%0)J
zpf4GMJ{R=4pic<vFBBg(fxZCrT=Q)0CzRj#3FS9`LizVtexGpr<_7jTy2|EpuJ%m?
z{baO%?{Ikw|8)M&1%1*G^d`^`9fH0Vbn#QU<ZlFh7yMi<`exAIAA<fK=x+}}m+#Yl
zaR~ZE(8W*Zs(&u%KOKTD-_L#95cIX6UpoYSBj}fc-W=9{-ZC9P@t>PP-wb-L{lj~p
zKR*Orz9;-y&~wediJ;3ml#7nQ*?SZ8Z0mruuL<;bhM=zny&v?w!u^{Q*yl#jW&Co{
zH-j$y&sG0>puY+_(*J>f>kQ<NUTF2_@?R4{|7eK%=Yqa12VLTe`q8Gp6?k2+G!{36
z)}i%~vp?oRu6EuJdNJs^+W9i*Q$gQ1+|STHR=(H$XwY-%aZI(<pNn1wdI8EW3Cqv3
zfI-H&8g%g!%Oi9P2!x&iUHp8m_OA#1TF~`5go_v2gK@ea^bMfrYTwJCuOEWG9dud8
za@on4vk;4bo=g8_piBL^+FuR&#v$s@fPT{u^!1>NesYc9{h(h2`uvD~gMIkRpx*=f
z%rN~cf&R9Gz8Umf^LWf6l*j%x*E&`PdJpK|3-71%*Xw3l#~<`#u|K;sTz}qbZGg;!
zCOFVFpud3E1sBHV!LNdL-U2xju}{mT=SM&<1s%f~%;!AYNJ%^11ib<D&IsKC8fnK)
z&>sQ4-Ot}KFR*NwH3B>$XZ+dtUUKY1eiV^&m+}aG7U=6hpA(joKTCxOy&m+3vH!?L
zm)}F!hW$jO9r?|E`MW@$ioDHlBlW-N*Z(Bwe*?WXLbnZ>)V~e%iP(?jq8BX2_Yi}g
zYd((${cg~kBJ!8|_0Ix*`w;T$L7)0a?)t9)eHG}95&5=BlJ?&P`s1LljL^UA*Z(Bw
zV}H48U`>SnHJ`o>^e)hIl`l94>%tJ_$Af<IquKqL*wIOtsB1vK8?Ot#9<%4$v>Cde
zmG8kB`55<?-;MEce<}T4kNU0v-;{8F7>7%J8zJW=(65pDeiV~q-B!DO6LP%X-1A3%
zCu0QYmx0aScjjH>>unqiq5*WIi$e67KK&%nuLZp&LbnZ<^y56x-yDK|3FycEDwe;?
zvxQ2^-vau1pyygg9szv==od!jUAsST-UNNu<GJPU1iko)*uFZi!tdWW90Xbn`hrOR
zg7%#R`qiLgdmYk`r5?5apl<@bH{vIMp?*@vQGTCe(bKyI-U*kNees)SGXe|WUEmw@
z4D;=7Jrus5Mfv1=aP9$L7s?bo8nO$^t7L>*+O-|>@}A8;-=#kJ9-NavzggtG7?LA(
zUT1X*Um5s%z_&^G-iYyS4EW9i-^tJI8u+&G{WZq-4dat`tvwIz2VXY37y3rfdqFS7
zYu{c&dBe@1zXbZkFx}jg>Tw&|@iyr1f?n`ZtQ~I$?HF@D;`HZt*?DKD@BC-|^{ou_
zxxbE_6Wen{-Xaws?W_iU4d~Z~+mUA-6?z8rk3jE>(BIJVqF4F7%S|uZyeb&^g&@yt
z<5(+<BIgmv*$F=J1HL};*7)ss6ZGZ3F@F=#Z};gtL4O}~+(P9S`}A=aVBOe~ov!15
z0OW)IA?9Df*ibuRC;9K%8Y=Cqhn%vPb`8vn)MJ6Y(60c!b_n`ipsxdcX{5ZWLG|z?
z=&ymkHbS@LlE~i%`mEpP_JajU{JsI`<>B&tZY2F2Hx}&!y$-Jnj*9j(FZBFqF67(>
zzFhX(1p57;=dz2npdbEn?zn3s=tqNI9B$_d9WJ%+C(+Jw(8V7YOb)d(WH-{E_rP~4
z_zskDs|fMQxa}Q`+qfD$2Y4lSUh*W+uK+z)d#Vq_S_b;X(w;@3daON~;gt5s_u#w>
zzK?~kA;c&C#?t=g2f_E~tGfoC5WY-|@8_lm8Sj^Ckf-@w?s3=-dK>76NBr_3{`?-3
z!tZ%(%^fe4f&MJ$x%xf#AlM`5Iu2hAwKFsh(#}gD=g`-4ub;Po-UNECIQ$W5C+NA_
z@iN+RIpr5zm%AMW2n?SEUoO8o9`x5KC-5V|IzJ2aqu&Uhmq8qz_f_AI)PsI4=(3&!
z<!|umSAah1&Ft}?*vDO<SA)JfTwZL0IdXwTpPRwA0erZH>IvfD_ds|T^j!Iq(U{;<
z-^yKnBIv6?&sBad=ud-wU8MfCem|Q)FMpfojoiADX91$Le=X>bfS#-TM$jkyK6m-e
zpx+1j=fd@e^4ITyz99!)^gOyAaV6;Y48t4OKJf|N<`YD$w6hF+<Nkni3<5a5ydLeR
z$eDWx+5!64AgAE_A-fY<s{{XX3FPecr|fZv)N>2yr-HsJQja-ip+5q8_Ym|qMSg$o
z_;Dxbi$Tw|zZ{pw?<;|hFfr86AkT3U=r;~g{yfl^<9E{b43|Gu)uej71oX2(pB|=b
zlxBLq1@t!1E5qZFpHKyA|3UxG!2>z-ByWPg5%lB3@-1Dc_3s4zVbI|wg8qe``;2SA
zdNl<7B+%ve-3|?x53PsifiCs$6Q+mq&6j|F8|Zt5=@u4f`)&b!?GW@wKtK6|T>}jf
z{iJ;Tyb1ah7@u5uo}HjyI|O|k0*-@*sQ)C;M}q$4aQpL`{CRL5=we^L%L9X(Co%_q
ztxJuR(tchca{jq%;N(a@ru+T43-lwm<6KFEUa9o)kntqwRsX$fU~4|!gzNc@ok@^-
zgzr7@<^3=0IV?xoQ>CJWP5H(w!yNw?)}?s6>w|WSypzCp(N4^-aJ{<5<zL`x7CWs6
z-y;L~y-BISwJ+~CzMd}mJnY;X(BF9}cr4^EOxAN!tJHTF_zuk<7^oNyzcLD^ubeFD
z!}Q_4yv^V{apb_j6tutKun?cgJ4WP5yLO^or;Zx1bNx<Mex0v(`JJqFdkon32m18&
zKK&%nN9{Q<FeBXm{FAin(%$OB5kD6W44fhDC=Ink+FN0|6h8SLoCW(13|tI31+!y(
zUp7q&-$vB8VL$wi6<&w?p2xEv0?)$V%i!xDJ1~Ih&GT}4&N%p<4E??b{l3sM_DVEm
zJr#$oq&E&5@399C450auYhYm5m=cV^%(sU>Fv8n70xzGJf51nbJshXoo*%|{HN)Q;
z=6%R_yPtO4h4_slBkex#gv-43+1`vk1RP%&ewvr0kPGr|8s<Gl*1gJyUp35IF}&To
zB|xyyEFIqB-AH7g!-k*joiMx!Qatag1V<l%HzmVU-Xd5BTDp7P@a5jONF3F^&)0`}
z_we2B=MJy+uHu`$4oA7^tDhN$pHs31jh5esIc)fRZ<a~gW9DD;p33*$k*`IE;E`V#
zKGQopJL}$au@!lKSkaDQ-Zgn-8HfAC;pcg0nzT_DPTn}o`!ClN>FI+xDvmegprf%;
zJuqzCvw7Y-QskPvqyL!ay_I*Ew(FD^1=~7o__GDx)l&I)@`k@%;5{ubU(Fl7y};|1
z9{f0e_|?O`9rAKb!SL?k-i-x#d1t}!O~bvd@(YmY;yz_B!Y0<||7pY>qr3-4fevu*
z&%^fGhTl-&^$e3=RsvLb^mp*$XZgc77I+`$&rxhj+5Zglyqoin-Y~*@UTV3n;OO2F
zUa!=0)$pTVAK`5pj+eg>gL*~&eIWn-|Lgx_4RlRNXpJ?zyXrA^dd2Vmis1*40gt@&
zDjbv0yT(FzHD=*VeUB}jUj1LJ)BC}EKazKiP4IdL>EgHLa&#<vt@8fHyoB65XDf?$
zxA!9y#d+~Odq0ZrPZ6JuYY)45*b?i76j9_N8xFi%`(V#{tzkvtC*|7BZXQx1dac<j
zp?8P(?P>2_yYE&ieh-j$S3gcUYk!K#Kfw2{9sPXYJ=)~4`2Xv-ktbXK;}y;3xGv(o
zf%lcXU&;Foyl>!r6Yo#+{wnY9@ct3+Blfd??$7&?yietQHt&mgZ{U3;?^p7E1MeGn
z-^BaVyuZr(JG_6y`-uHnKkrBKK9%>`yf5Otf%lcXU&;Foyl>!r6Yo#+{wnY9@ct3+
zBMxBwydTN?RNiOvzKHh*-dFN|CGR)zzJd2myg$wRtGvI%dwiTf>HV$EHlO2sx_1Nk
zgB<iW7Wi=vIzkz}t|Z<09m4+YloqQ$PIvF?bCh@UxhDtR&AUxG=ml)S!#U{AA3d6b
z?)=j;Iq1%RY|cS<{^XS$^c8Gha}K)XsN{N+bbA;4U&)u-a?mv=1D?O<ptrO92RZ6@
z{%=Q)^3Gom%Q3#re~->Vck9pC9P|v^cUTU(Td$7FLD#)2WSo$LzBlDxo}>STq@S3h
zyzZUBQ$ae}{oB5Lbw-ZznhOHYq8#)wEPrke`TLQ+JV*KcN$<!(KY;X0a>#e<-ZyfT
zck#h@bI@IU@S_}b7f<{=2i?UJY-Y}z^CP(!s(xzz=N#UXym#<^HSZgEe}eb7c>jR+
z5%-#$LwGOaeLnBYc<<)@A>ME7v2x;Xj>O+>d@ug#B>deOdVezB-_7^pe-6jry`lF<
z;r%HU6(<%QeO7H}OQy4^Y*P88vg1oT^<BxOC1sO}%O*`e#&F~$J61PmQnk2e+U>r~
zy=rX9q}$uPNiD6J^rRUx=Nz9&E#<qVEuE8UI~$wok8iB^Cds>Hsg7mdr25q@kZ1Qy
zyHQrA+dCRtTOx0gptYx)Qc{4g+L|)>0qT}U{LiFU;eP|(fYw@{%A~wW>1D}=_Ed8^
zxvU;#-8%@at4pR=)ur1qNi@GHZ8DOn_V(0jli^-3uR}r9muhaTL%CK|fq#><UaO<F
zqr;n2*V^2iZgH*!+Wfy?V!vX0c@$Bem(W+`1mgA^x6>oQEo+D?U!9l0JLDz^6zRL*
zpIgryQi2!Z@|nDZk}@nmUf%`(;^k+7^bulKSO1N931z;KfY9Y~>!e%H48^%|ybvGn
z%J=0Z@J`}+y?Lv+fXYq!?#esAvIv;0;jX;f7cAz&<Mshy(JQV$?ANiA4chPG?rttD
zSF@aJzpKaHW&M?y-o1BmeK8l79+sE(OFLcr340geh3M3kcl(GwmcN^fu6|eE_5X@k
zdABcF!-dQ3W2C%vDPI0sV4@SM*>n3i{Xucy&i~@2Ueea^^$olUmoH{qU(AK4*9BNC
z<kmxXUmq*q&-k>T3(MhOaGEgzt{laAH^s`kedm~kR?fvAjz8Z1ZkBho6mj2L#PY+I
zx{`J;ioW$^e5C)b{P>4wD#!ST4Y|TCuq+p^e^add-M_K&cmKx9*Dq&5-rV>(v==YJ
z^~=ZB<QjdVDZazRC?@}eH+;Q>H)1MonA|?S|BHsi>x;jC8)YR1a^>AVe#fUQ|2LGC
zHo5Yi+lQX~>FWOgW!>DuOV90NN3wiBJM8S+wcpv%4wMPkzvD}FBF5YCrJ?J0a^#tI
zxV+0FcnK@->Q|xo=gPVJ2o#Q#pK0}bGg;nEd<rOXf_NW|!XnGK@#0h~-%rQ)P(`#r
zQS`0159=?E;ja8~F<jazm%B^+>esCl`*-lEh92Y?NsGNzIWZGe&K*@&zVJLNcqne)
z$Dh-i^M5kGv(-QHCx#}^vhwbKyncsgyXT{I<#~xgq<qYFx6X!%`Dlq-KcjeopTCOY
z!~MKf6d&Qabu5bS=DGDLijVZ%x)a5B_uP6C#YcH=orvOl`2IhNkM^8jkK%iJ&R<9I
zz5M)N6yMu({xymh;&ajF_oDbdp7V!Md|&vtiZG<F^S#e`&VPl8`S?~M=a-^5oU`*c
zAws^lzwbvvFh=(P_=UPKq_6WOyU6@un3(TjcjM-Bh>$O<D(7hkhJ3f12~e@u0`I>D
z0>oa)JjnC*^t!*FP@v3U_2t7*ZxQS5<APHJdNw&SzlV8)^-vC6<oAzH;8k#)ftP|8
zO-KYFUe(}F@OVCXCGcVB@5ni(H#h&juK3__*+@AqKaIC~J%s<mvW)NVfM@I1Hs#;j
zE9QFc{QXBc_;=>O^U&aI@^=S53@cyn60_TScI;5%UBnZRD_0ru8sbHY!u)_|lRrBL
zekSGgF0*=_-<I!g%O*#jooB<FbKsdAxO^vLHaV9AmvQf-9iG5`-2hzlljyQ`y8d<(
z_lUdp%bApH^8dr}uZha}1@XSC495)A>!}=aUd(~ZZw+Lt_YXPnzvaOH8@Tkhd!4lh
zLiNha%PxOp4ty`*D(8D9=V%k-jm^PdlmkB!xX#}X6DnbKz6p|N<}x1>oR3wMe<Jbj
zt8JcwNw1R~jt#M1#AiA@MVt%sY=@r{#ZPninNfV6!`U9Uz%Ow4<x&1c4!<ahFL8K#
z6qoN*k^XiskK(n&i&(FV%iDlwvxn8dMW0)Co1toOVfj_W6C(|G`O<F_?<KC^$%&G;
z6Yt*7_^&gqdiOf~P{Z}R5J7vKc-3UX#Xrim1-RHr%}q1)eK+3A^(OAw+W*HK_+Nob
zzp83XzJAva<a`8N=kIMZRc=E6Bi72#E`KlJBB%2~lQW0>2NHjj_<Z6=5&!<9#xMR_
zu6e}2{+Qu1pXF*Me%h}LUtq9z6Y+-U44*>$7sPKSF6)_GzXvY;>g%?CxpCh?d|M3P
z2MoghZVW$`_<J#YHt=lvUyuX8fO5L;wDw3YPp)qg?<4N~>f^+V<V%xq&DQ_WJ@yIG
z&MxAW#AguiBkugkg~W?~U~*=W|7T7P@iU2k=;RQeOneeHR#I=#29x9Pi;33|ck#(X
z#Jgks+lluPck9ALB&SsV4^6&n{{_Trh#$}P+(EpXxRc|?Jwts$je5CpUlqgMxL*>(
z-MDwf@V}zoY~$|g9mD)<yxy@f+|@fShP!%;V)(yu)a%>TL#8)pSEJ#lMW2ZW4R`ag
zinvGqFHt{N67PG!_@@)!OuT55;m%GD#)eGoFovgy_YrsV_a5TiY|moK_eQauY>$)g
z^!Y5?6W8bF81D4BC5AhFz8u4su-?~*)BSjD#J9%qD~Z1z!;8?5Z1!-A^6%q~jO}0U
zQG9S5F6zi8XOr?H>WS?;HUr0(0}tBoyhS{|Kk8RGgZDfC3w&Sr^UHUcUzN{*$TbPc
zTEP>)OXz#|{7JsdOz?s{vxg&<inD>l*IjJ<l5dskQs6~d_DA0UemLZeINangjp=n0
z??2dZSMRSWzw4cZ%GK}K$E)9w|H{uB|A|WVyuXq^vBmoJ8u0=oN2UFRuO}3dT&Y|K
z6Mz17<F7W@n?k&AZ9)-ehZV%vooILk`4<3}evM(jmJn|uf6rUSe+2O^;)$ybPf-8s
zi1%-@_I#cEH&Oo8)Q{7DkCXqV$vK?-z2tw5?Q#6ClYh$;lYbWL{j0;zH92y!ORnw2
z*Yzj#y?&=XUhM?_dH9){ji&z^r6N~|yte4MuO^|0><{JoJaEy^)8mbQxxwBv;wK+s
z_`bv!5I^)4YbR!oUage>+E&9~ApTY2efcJ*h4?MRdtXQ>(oFmT;%jCZzy8KFX#XUB
zXrbY?<Ua_8D*f8>`-CDeGrf)lF8ykuo?X9Yk-zxZgz`xoBi9+^UwNp>-`iks8TtGF
zoKVEsTPN}QImUlRo)x&4_^8o_yLE6Y@#4iMr<MHgC~jrL|96sq`@5!37hmm%hDm>~
zFEjbe+5T$cy|ay9zcUsBQ;LTr+w0C8_!`RTe><U!SFz}Iz(t=|kF$Cw5x<lCFYjfz
zi^De)KlZQIo@>beN8*Ld4^R!>hs3u$mrzc8)IqP0flIv&v2ht&D0&!tO;Q~BndXEN
zcgK1u*IC4CHYD`@3Hl%3OG7;Ij<wUxi))Clf5UM73^~gDgm~8vqH=ykyqk9D?Bqq@
z(*C~Rn4B8c`yTn*stwogTm@|x@rV9p__gFeavvM_2gfIf*zI`WB7eaVrvGC}tss66
z>phToE#<uQPm}Nb;bp{&sGm~uuLmyvr2i)-A1j|;cane0tqFba`uj8B(w^hbH2!JE
z?!8X_P5-cZ7ZBeagDCcV^&btdC4MyVzQ+=Zxb}aMc+UjG$C3Y3;8O29TzBwRucYHY
z%jD~K(Sp)K{w4H#)>_2><nMhgq2--lx|R6jo^j4os^>jJIakK)^Y`TM-)eH;mi77<
z@va*Tck4(27FN+i)k15heg`m0>`%NXwmwcGKC938oqa9<E_!&Ke)}M+*6Sp{H^KPb
zxO|oPKb|+dl>D~?mvQgqI^xFtJ}2jk*8T^`{~U0s_kPwpf%pf+M^Vr7iOX|NsAAA{
zoZ@?Wy|gPXcis$#Pfuu>8kRhZcpvAT>u(M5ns<!f;Thun&l`Rr<#Yj;_Ge=4zn%PJ
z{%-ndA^+n}&Q&JItvg#Nr~V+b6E`3K3S9KLE;f&L0xzP>@NEw)tl99xfM?TNiQ-r!
zf0$4)`rF-jH9H6YIpi-~YW#3JdbJQQnre6n@vr5Oa|8MB{*&paiTsZeZ<}Uv+&KOx
zaP=oYH~l!fdWZbpX~ys3qMeFUXy{hBzs;Ane;EH>q>UxsGtSzxjre%tMXwq^%u=tD
zh!;;Ye*F%4P);S@7xQn6oc#YvX!!yCkI%Cy&Nrc38~I;nJmBo-o5X7v*E#*%kweZe
zbKt+DoWeH}TC3CNUx+sxV0vD{HjO#J?7S)#*OdYn|I>e>$#LucNyJax)8t%9IgOO_
z<`ITF{jYKSADKR#Ke?ayANMnU`3$36TZ!NO7vsO%VDG;aAN)M)f5<=bed9ls{PJ0H
znZG;O9ydqIflI$;|J(Tc$bUBRZjLYB>XpI^vCqD{t(~qttH|FrFQI(5v;Av`dp|W?
ze?uM|Hxr+@-RiwrOX2gI#QQHc{y*dy;c?<!R~hc&)!zb_evRWgej4Tcjr@gG#_#6K
zzlqm8ZMfs#9Sf+)x#4AN52lq~hZ67Qy6NN;0~fs|xc-hL|7_yDUrZ=6o$X&jympl7
zZ6*2TGw5npW3Ap<#IJDj+5StZ&zp&NH<)}kFYYDY6`Q|LJ2@k*-ox3RkBPVa+vMnP
zRiW-Zun<UldJnYrxOI69@xFD&zXH5+9ZS6UnS{PyumAD<2)O98XROuh=Ji?R-*ULg
z_t>u#@%v6Ue)&wATz3*b>;>cBVX*fg<-d5K@gGNgGx@tuNhpHppx58Yzm|3)&+X;f
z1CKVPzg=AS^|xMtA3*%bomQ`F|76GiyMz=+M#HYt6z7}JElK`9^5d;uT{-yI=fHnR
zIgc_9aq;;x#0#%Us9a|cZ{?7)ll(<Xjej>Sh0og|P!v6EIo<FFh#yP5<}}m8zc^my
z#GlSH{ZAqPnZRY-C&v6|Gx@t_nfxO1cM<R9dg{h&9q}6CZk_!B@jV~1_ULzhL)L!~
zUl*GfPdGW{R_|e~_xHrNykYox#NQ|0{l4MO{yze){o?-4jr(DTnBEG%6XidKc;b1(
zKTrA7fQy`uV)5`I@^`VF@?2J~I^tE2CG`Cg{qK3Ji5K2w__5@_8o0>6t;ojZMDll&
zzxPAqpGf?N#Mjf#-9Gf!#67m(+11;``%W}D4*xsx!nX{cP5J+JayTw--P|1$Q0#5^
zuWcNiKRJ$gZ)|>@LcFHZ<d@`G1?LifZJWtyWWARY?|;hpi->>A;k2u>h~Ghc-B#mw
z<NGM_o_y11G5Oym-ur5lzW@d%`oCko@gw5Y>p0-*XQmndtHcw;tL`>@Ci`_7@eN-v
zITcj&8sh!$8Gjw+tS8?4tl?iKeiv|Q&#WU%j*CNHAb$`0>+Jjw#A_}yIR|oK>nGm-
zgyG+&y?qRPALL8BPqCI%vEI)WS$`8#jQ<Vd6NsNIKMI2DLdsb{yk>PmU~j$t_q;C`
znVcTl?I_}_iF>an6mjie4_x}YgX^{H??&?9!sm3~rJnyl{C(!luJi2rH*k@2Lu{TN
z{CV~(Htv&&d$%Q2fU}=@z(vkGF*#}Fx4OdrS5Z!H%#U49yeej&J;b|@wtBA^X3`!d
zzUAkJA4dCmfp`z~=KTL(iTAVKA`|2N8@RMTbC}r=%wDep4mUl-<MvYGHSZ^s59XoQ
ziNsqzXL6i=mMKoA(5(x&#F+_xKB17bZv!t1@wu1x=8*F%#Sza?Z_Z9$BYrH`uW}07
znM2P0M{wL@_BN6DD8^S)C}$4wp2rf3xVSL|T=ZGZb;R*^IQjd}Q2uXH&LzZa+0HuR
z-=Ul`=9x>0-%I|!R}zXiJwHXf=OB~+UGl#Qd>`o9oqsDJ{%6YXnJ`lk*Zz+wC-GcD
z@hix`-+0qc@fO419%h6I#Mg0stS5glaM43NFE?BH$rQSsLpj~|Tl?L*vz&6`@&8wW
zi(e|DU+SW)Tge}P-ti#izs-E?W#oT__`Kg*y>}6RPjS8p-F5+&evROKX(ny|38tUf
zyO}<pAU>IRZ)`rENxYcrubZc7;%#HCJy>4#Y5^|wF5-B(IN?h2uRF@>{av2%KS120
zeGaFbrxfR#&}}REYhr$HJMkWli`%CRhrwt(xh$blZe_hwfbSDJXIQ{G<^Y%ZzKZ#u
zJ%}%+oT_`RzY~TT;e6ml<O$y{1YVfs`P~(i)BA;lvL8%2HxcilzdD%0?jSyi>v)Fv
z&xw!R!}RI)1+OVirqJy@^7l<nD0&rXJBb&*Wcd5UM;>M4cu*{Uo&a3*+1FtFT$a6)
z6ldYk?M(7_vA<5wN#a!>n4D8tW-0M?PZ{p~b{p~Ha}9TLE+f9-Z#FJY4|fnREHZp=
z>iMU{<Ilf(iF@Z8zl-0VBi_e(aWvcc8gN|~XeZ9UeE?kS{~)gWE}qOsLD5?q{m<@{
zQ|R#6dOC^tHjXdMTd%pq*U?T~TvtuJYag?RJIViL;#;b$U%w@O32<p=J@fy^6Tg%E
z5B=Hr*ARb>xc6E@5oe!&0xo)Zjrr%j$^Q}gi@C2khWPGyA$sU#zH1fnQsB~_C;5EV
z>9dA-Ki4TI=VHoP5?jZAO#Y|YFBd2Ln*2ST39a$Ye5?3x<Ufz~PGWn!W34?!3rwFb
zjy(*xwEqIy+bQHv5Z^r9_%9}Yw&G4`aPOe}0?OZur1g}u<@kgmm(gzTCLUjZe+B&W
z@MA?hFTI#@{^{flw{iS{_^{)w{oOJDc?j{Y9^-$2^&aK;W8<D6zK-*8H_ERj?j;h6
zJdtOFMkoJy!<QQDbvik>8a|Tv8sdlYxn3vn+lb#nJr@&yl6X9i_XhFaSFK;)V|(_P
zXnGjK{aP*M97nvH{%Sb!>BM^uFgXtrp9x&-_9o_k%7~xi<eXvrN6_9@5Kr8ZP);ZR
zV#=wF`P&=G-*cz&pRJ|vy|d(x+wIei|M$l4^!Wzy{_h$7y<sNk9pWS2vUdK6@^^<r
z5IZmYuJM0`dfSh95!-Vv`HurGdU%`jbYJ4L$zMgk=lpgx@$TQ5d^g`)6=&hl?Q7&O
z{=oR1|M@0xsW<L#Zzq3SnejWnbT9cA#r8qZlfP@T@i(*XZN&TjY`7b*e=1I<&}{@9
zh_q+Z5i=FV@~YQ3;G)l>-h{q?miBNI@pVTV?#AmR;^RwAP7C$Fnt0Vx<G)6w;j4p)
zZz(taSIGY##JfK*{(q4Fm%yc+8<}T5mG~><|69W3Ore|uPB8upUNk#7i2M_YKN34<
zGMo5E<exzPdg2@DpPihq02lrA{Uf2AXOjQx#5Wvg?KzEh`%B_ae{AhJpZr^iuZ+b-
zyMRl7pN@_DSU3==x9!&^=Y7f<PrR7x{%GPS67QwoD<nRb_$HoDSVO#n_}zT2<n~9`
z5?}XhLOJ2C^}31pGWs{?PwppP6q_&41K%g_K(C+s3ySexCI8{n&s`)8E3vq@`<r!&
zj3qt}xagsKRzi^nh)*Vd2cP4dPJ9XR;!UQvUlLzVe9Pp7B89{|i6`g>+&uak@#Q?1
z(n$Whh__MCZeBc0yytY2Uqt?AiLZ-|*PnoEoOX}dPdE8LB7fmK2}NAL@-aZ7hpIaa
zckSGVc=1-lo&PzSc;8cokMiuA?Bq~y3y5DpeA6FHZ!RAD3h|q`PPzGVJ@GBvk3UK|
zHv^Y`^)mi+<M>nZ7jI4|X9fA604{biGWL0^E#$8`%J^Npw3T=l@t;!8yTscV4;(>!
z#AMUktK9d==W67dq`18f|DQqrDxRBi_PGSO<N^A-ZM@vLf0_J!Qxhu2#T#EC-px2F
z%}TCOJY1u_zMcHNBTWAz*v=l}UB?*i^4O087r*f&pVuJ$uGg#NuX!_}@Aov=`wMX|
zHctnL_q}EOyRqIvOmG>;qS!bd1zh&0U5x9T9=<^St{+G3`842Sw_Wc?+p~ap->Zgy
zj_qs)F8%r!;}++KuOffdb;kd6o)x&BxOao$8Opg8xX76u^Q#Y&f6E_@|1a$Clf=8e
zVfcfT^Ez<dM^F!Y6aNS0U(0o*ocQo5*5Ce#riZOuPs@OdoX;^|w+Hzv$bTNsYq_|k
zp19YSP|jbozpIJYj5m8&PdQ&Fe$hvUBYe{9F5sevc;4d?C+G9Vzl?f#miU$l2`%4l
zV!W4#dliPeJjVN!Ur=QIb?e1mQ#tN2zjrM0EyUe?nN8fg#^n3)n3F^Q?EH3`_~Emy
z-Wk;M4;07mN9=EM*nICv@)!QZ`ddnUZXsSZ&G=n={y@B+{^~sHX9w}#GmZax;=50?
z{@(YJ$-jja7ZGne-|*kE-igF}-Y_`_kpD}>OP)7=ga>+^L%fUev(rxl@gj~R-s;tk
z7c%Y#(f;=#zJ_=a_mysb-AXy@m^X8FxPf>Z{mIFc^B{1s=RSU3qlWnN<Ue(UjmyWx
z-y_~#mQdtI;suyE;vagBwf;K0Ed(y@|JxBJXD{+kB7e>AOpfy#r#k!&!<~K>DbB*7
z+Y0g*avyXhX_w^SUq}9~6y<XqZzW!Ju(ki(VJ7HDPX6=8Kb-O(0xo*%{kipPEb-0C
z&o`mlpL5_l6vz1r`c;>Y@}`^K;^*i01ulBt!Z=|x>o}JDPt%XNb#?~v_<4^-#N+Yy
z3d%3sXnGi+{0oVn$T+iw`1O<%KR13i`Mole<330BbK+fhCRBp+pDz)wnrZya9Qe11
zue;g!w+*w3|4zK;cEjHxzJqx2(S{@aqSvq!O`lU^c6bbM(dW81jQ;@ge}VWGo)3AI
z`02#k?lArz6HgM)i_P~=;9@6*51XC1`Fk~RnHPheUsKKjn@tbzQ~oo=yVx&hhc6Rf
zM}Ok*KM^l_&D!bW$pPYCui-A<*zXIRzfT$N=I^1zGoH179@|q1T-rZ|=Nsn}KNq<4
zw<z{JYdPf<tvC6uUl#%|L>v;|Uwn=7M{(abhVpMC{x0*?l^pjMh!@1pE$jfUe(7ne
zcNOLAb`r;ZgW(7}^(rD>beZ8;7WGOf&NrdkS-{nQ#^V2FisN&yvAo%>l>a{C_TD@b
z_Be3SXZ&3K%jEBWG@*=czQ0ZWS7UL}4&c(Bk+Jw>w=Y_M`%W@BMJf&7F9clpi^=ce
zqT|WmR%&+GNB-%G^G)b>7WsS5H2&K-E-B)PwF%{R@>_sQe=j-0><VV7*A>JYIPPx#
z-a<K-^Ze}s@;^)dZS;Hl68}AL=~w?olRuXDhm=$NorEH8zT{y+l=j5WaUBR;?5As?
z@%PX#jdyq~uQ;7}4fzjbz4M4ayWRA&iTF~*`6hI`nEd<4;*cA2@c#t3wErgN_YR`0
z|D>F@gw^{x$7L&U(N7WegYCRt@8*y{Ksi+>B$Th4a(4fc>8I*k!<|0I0#`eX#oNaL
zmv-)AoVk}u!|wx8P9i4fT;fHKMddd-{`;(77jPb3MEuhKHvHR^zaF^MyPbBmf%s2=
zOFI)h=h;oXmvRbOFNfWGk@&p5&8}+6|32})r3pnYBA$o0Qt#;4IgKLX4czy+Jf4KF
zYH!qoi({+EAAjDujQsJ>*IY{eOe~%k_bc-M^|t9}4#)8k@?Rgzn@LzA{NwpK#PdD7
z_Cj&NAL4Ul*M8Z~NPib_-*+ncPa^-iItaw|(_wn^P9@&|zX=5{CVn>YC0p?V*QNU3
z^E&ZX#_R5wU9BO1(TNG=Y$E?nz@<Hj*t+lp`M(uguYXVe*ZExA`5#&Sq`#Z?wQ;|b
z@+BQ1cvlGu;zD?=R|)Y1<A)C7(}^!T*5sT#%m~Yg*KmDz_I4rh;-gIdDS5_!74eyT
zj<%BWW!o<8`R#MY@Ae%}02e(JGk@a7Yb*KV^W~r9UmTmK`&O8oNin-B0WS5{%(Z%*
ze&l1ef^TU^XbWAQVIlDz&ZB0wztiF5cmCum;L`s1^Rf-(Z+qS3yY=yL;@AF<wddD)
zR>2O+85^^QLuOe!+hXz6M8(;-&@BO6+H>!GC<@nf(k>w06MN2hE#)WZAKd=;_8jtm
zM*ekW36<>D%_o6N{;Idf>cxkX_4;EDIUi9@_dO=({CwljtF-oCPdh)<VDB*CGG0|j
z8vmDxA49w-whu}WKlv}F=jG(TfOz**ljGK-7ANO6!@oMr3S3Hj-CV=B62Atx#D@<t
zpKRRtoqF=uq>SIi)juTu)Bm#eyu$)dDeg)K_pRjLB90E1^H+Z$9zVyj%kj@l2)lk4
ztlY=Uru~aU#+B0lo_9R)yI!~UxOw*_#mN-9RXaIvBosZIv}F#L1p?P_{qK1f6ED6a
zp@_q;bNv4>e0QaK-ggz}o6v0|`PY5H_??_b9DbkSQ@J2L16=I?TE_p^QPv;G-_7;w
zFyj5h6KRukAMstp`-=^C&y_}<!uW*y>u&NN3f#qbg!DF<{M|pYdExkHDnI-)&pkRn
zvx0aP<I<}rtdsb@%)hz#|69cS-b^Ux1oGcbe9NB==XCTo5|77wPZ5vjRsI58^tmY(
z&kut^s$YG}<X5rY&k;{dFuQW=&SAv64>9~B@*hWh%PS_w`N`?Ti#~|rGn||yhF?WF
zbBV8g#^k$r@*LvpKQ#Q8<o_D+#Gj*b))HU$J;STXe*<yvRl{9g=qJEMKie7KI{m*y
z{+if2{vq-HTTPA|7jKT~bIUV^J3AbsI2#eVod8_&<U3+{@(L&C2<z`RS!O=*Ud97=
z6F-;u&S_?!FB89wc+HPZ&OOBMAzt`&LXla-A0+-^?3~_<#Cu}%cN=ik8=u4OM>!vp
zzlQsu-G~>SX8Q5oNhsp{zy!s~6uQkIe^G_?YuPX(UItw1UB!KwtM_~4@1kEild`@~
zd>zj}IR1Nx_ijrlr;7tO5pR3Ja4hS3Jx_e)Hq&P<@%M=rbN;%x=wssXIP>7sO%Icw
zG&$#R-8_o;%iM=9r~JjhrN8m-8E7YeKmCl;=jG%-k#WM|lyfur+g2nLIWEr#k0?&2
z&}|F($Ns0aa~Em<p!|mz=Nw5~eoR^8v2%?7SoW)MuC+hDA3qYf@b}4v0@pbGkIy}k
zKfb@HCf*Z^pEHy*?@w0m63Y1=`9I>m!|exuLH^5m{_37#R$wRbiTwQF1C(>j8Fn5r
zo<}MMF6U!CKEI|IZy|8$m$xRN5-uYlMZEX-hPybeU2*&X(*cHSA^iI`a2fa4IF1L9
z@G|8TaeldR{~Ph1ADEm{Cup9uXYjS3;)uuIHND+MmPx>+-uU_I1aR3O)o_30@*eXk
z$NOzUB|J{MI-hv)X@<M!L8~dJkL$0~!!=IMWyTN9>U9rrY0rk(`t>yNb=-F!NB%!j
zPVXrRMM~J7|52Pwq1&kWHeTiYoZTwYCKG>g&zXwcOuP=bw5K7qfB7o;y^9jc`7Mt7
z_Z4U1(Cz2s?|;tt3rKsG_=11hxO5T!6Y-rq$9^sGkyyCJ-g@3Lez)%~A>L1WID!0?
z#J6lnDB|$*h!<UB_yp>$f%t2qOb^ABvz~b3HRC^m`2ECdUN?L+@fQ^5o6xO~{HunU
z{I#TwfCHC)t-CX!h_nAgh$mupKACv&QsZ~)&S{EMXy|r6a2dy2_`Lzgkaj8M^lddc
zuKhO<pI2b*Jdor2An~ei8Nb_iJONzhOCP`Is+jU$BY!vb<J!5Mc>Ht9qZgPS3aOu^
zlyd^{Ek|0t(}<TV&NrdknZTvLFLAycPFfS?bbT|S$j^wcCjNY}^>+#T`(w)4H+KH>
z1@gc5N3+9P%6XUk@#l#jlfUhGtGAH+doQ&9_8n_-ZXRKTgMmx?<L4PB1K0EL{JzJL
zlyeIC4?WP@Uq<`_;@h|`>_hw#;QR7*`1UQugYQFrh6b^o_|^F)e*z2LN4$&s>%E9S
zrug9RVSbAI@pD#v#2fgzgJUUY4+OL_FREhmYXWf5&#uF*J<cBHk-zYcgi1JsauyRm
zDJK6i;>C{{zw=Aqru>QY!*1W*L;kjpjQ=ZK_a7r(c$DGRD*RqG<-A7!>EegC$v>WX
zu<O`P?=0)@2JV~QC4K^M>2Lh|XXcT=>P4&fRoboBoN8>DROfYeq?V?=rq-6F$=0?E
zew(CYQdxOvnOE1I>Bw|8G=L?UJgs6ua_*dk)ybq+pKebtZS26Wp(HcS$vPBFcX(N#
zWU{_BxwNUZHr14@&$PC8BvYNMJp7<YTT?oduAek@`n1WAoP{YVKXzh2RFcGxkF>A$
z?8i>(JDZzVqe$poQhp;P!kS8VBv+(YFHK9|POm)Yl*)O@iuv;vR!=IKT0YgQYfJ&J
z%e2e?3sWm`Yiv#>Q}u0i%}I2sjX#_cfQ>En=~YB47M@*Qaq6Tg)4cSmbVCOUr&ldY
zr=SwNBys9Auc5Ii-ImHM1K7~m-Yj*jY^cMn>7ouP)KXU`w6^xvrT7(>#`<JqN3vrz
zYHxNzO3U4=$;Dvrs0TacmrV6vm3yrnb<0vxd3$TKwx=VV$uzbsm0Ix2HR+U84$*a~
zrY6PgWwHqa=w%vLfSPFz3orFLGmXj$MS?2ogf6ZB9o_<{(wn`o)>|Nd)y4QL!Cxu<
zCVR8-em36E#{1cLFJ*On>R}^ZZ6kgeN1D^z)(DZAWPRgO{JxF6>*%aaE^BJj*Ug<x
z{_Caftrt#eOSNYvl^CtHB?J1T#*X$Bj-yG@3)>qr_!%4&?r26IlWpyd&1tW_Lq@q{
zS*nyb;H`CO{GyFu$+lE|J(T3ZPN1(zb!}~4a>?8&jUCJI<2mxO94|7hwT&(Mu4IZa
zCYxGQ^<rElCDo0Ko10EewbVDItClUVYLr4HQ^|%Fccg`{>h!wh0l7RbrL;UMNXnOB
z<VDsrGNXN3V`+I6$yLjgVLBQ7%23j0sj~)6ub#8`jJe4(W}G&EL2^;$f`xN1dLrEs
z=FH1ZsG0#Y50@w{HBqxFXU{lmZgsM9Ud8-bbLO1_8)|{!!UCZ~dA+K+iTYeJ?{s!=
zVWu70Zd_H_Tv;+bnXFn+SzUcja`svCDyq>SxRm6QCG)1MO6RrKr%OubHnyy&Y^kqU
zhTl}GtXi1-bj7C4Y3WF}XJ)1wTHDip*#)P6+VWGa{EP;;w*N!%k_GAJ)|ElULp1vI
zP-myiL3OE&m1|G8R8|e$;7=%9_esS|N>$O7O=<aIrzuq!noMO?d2-JD<m@?fD;tMs
zcFANdI;*v=Q_7al#dMerR~ITymdcj8R+(W#2s=F{?K8FHboQdcexB;Hl{Mv8V}^gG
zawXHW_cJoE=Gx9odSN;<tE6(}5M9htV)Bf7SaeBQRMcmaG1Uz1Q;XrWOt-hUM&_w{
z4nu+oI5X9eo_0z)Q-Ng#rdU^1SJn9G2eo9XcB~2x5Tic}zg1RIB2pR~hqS9frKT**
zq?+5L<fpIOhE>{Mz5q+|Jp4SGb|B(}{x9ODLmibZna0fO&#sW5Q6(kj1}neZnQ9V2
z3rmu<pT0TdbaQWtsF?j5q`m*M)N<H#rI<-&qYVAv(fqWMu@>5TaaQ&0<lM>`vy#QS
z?!?iOtY|4>yx9w8oKcBoW|k}u8h-NiDRbw~oG~{!fA;K!mDS1W88hcr3P&Uktd9a6
z8H5mCa@INXW}Gpn0##yVip{{mo}emXHy+kujjJ?rLCAy{A|ng&U{U3BS~81LO`Yk=
zm40-X>_G67%5=7;llTF^#)j3N{Kg*QO>LN4{KO?qt!|YY%0f21+@i*gMg-8)^<KHE
zF;ls~IY7E`3F0L5!7ufpSm5Ahl~RxeEM|ez+S6DkSEehQgI-CP(bT%MHRzTJk@a|L
zMQhvY>Q-5ZHJnWfvxK-3Mkf(!CEGe{n;Iolnn#nFm9A?_VO7I!qC%R02mzsJvb8gl
zY->el<QEWKkep1lwWV9?Eizlyj9*z8)bm-zQ5hZS^os1YDQ6HDYAZEVPj;kMragpp
z*hEOQSG_2zTnp%vXl8xVBKlA>bdgNAJ8g!R;OTQy9q^SBr|5`9L!R=wR9mV}9ETDE
zmCC{)^4&1Hb*w^mQy^(Hj{v#7wyCvlg|^BzLV;>rk<Z`=tj2KcS~6{RW4r5sMFglF
z`vNob#!OSX5tAv~xM~-$n=-{pUxMyUuWmi7WkpNtg)JftrYRQF(Rfi>L<QFQS)5o{
zTa-O@MxFf9CDuU;X*f-ETj$674Pq;;Q_B*GQ|8W@S&=NAR61#j_9zkur50jN!M>%d
z(J1FLHBu}OdpX;LG^d-<?`Xw{Et{I6kZ4=HSD+hN!<>a=i6Kf#XJbz~zr6y+n$b02
zaDS{gwt2O6$-0hC-BHu3TwT%eqB&u_I$G3`G(=nJ_POR|u;XqnDOr(jZ%H?ajn_6d
zVNxRxAUj*N9d#yd$U{|?l+S~ETi6JPf$-2bIo~d_ZvX<hoXlcNqPVbOxw&WCGT2}s
zUY*p6x{i`$eY&oFb(<<X9)XrGgo}v9vtHn%X=OA%#5Lxk!_!HEonRKosJIEvrbuK(
z_a4<$YXb~bT2(zKBtX&y+C`tt*`rZfb?e;L3)5JuW2<tOdP|GX>`b?>p4AFRo%SPG
z4QF(EhX<%Q<Ps1CX!e1l-kh#)Ol4NLrM(N=Q*E$XWJa{M(44NAHKTe4bQ7pt);{5)
z0_jZ4XSL2jd2Bvla^b}l6V}=kU!zN=hB{#@Y*oDV!Sd<L6cdpwjJQ)<-Xs~LJ~h<H
zbc@+Vq*xuclbFq1>4SkODP53mYf9Axn?2_|LOfYrt2hWGAE3Gnvkwq2*#a>K?C2LK
zTN;s1YZSFs&xvZx99w+{vKNx9Lbju|4h}$68>%+j{E}gm0f>6GlH!V{G@^VB_+ZS*
z2AlXvv?Q4PlP8sF+Dh%P6M=)%kiYs{M3dCtJa$V*qxpSF^N77*7D)<#9;iW9*;unn
z!ft`>jZL2Eal`c^2;ZeeVzx4*5$h|Z=e{QC<<Qrq&8;mqw<W+lZDn!+lbRJxsg4eK
zvbN4lN1z2+G<3$od9|nN5XQ74!`Cj#$4@AeZ}H-!Xv=q%VtI9~_}%GryDCd#)H--%
zXKcDSMJo}X5gN@b*#X_*t32eglBH9os&ns<U=;m~#kFQLNM@SN)Tc2Jt;nG+sc))U
z8Etl|3G;MnnI+_wH8y1Mv(#>^)uo&3)!86soL<$IY;LU&j6=OW7Cnuy(g;%r^(@O`
zrVACFI@A?0uw+t(q8-yW)fihelje~c2HR>V)O2PMokmkEj7A7;8>djL3cW<MA2G_6
z)FqedEPctoxmTgl#Um0Q4W5`mVkL`b&(RsP8ChGTJ~DCDK?trhN`FIq5VfRqVLB6;
zT9Q1($`$n%Q+z)$m=@k4=$b{%Bgh`CW68QF#ercd#_qzVRXrXFv^T@`NwQOW5UpL8
zTYqA459Pmi$=$)K)Q~+?qnSVc*I`eSEYGwen=Ylo`y<`401Q;By9&v|XK{kk8{a2m
zzI4j&0@@qY@vxF){xo&eGF0_-k<7FvAusAdxb{b;VsxuExUNs!&Pr-t7rbP;uGXf!
zgjBjt4%(|abzw6Pjp2WGrHPG6$0VDds_js{4${JB3a29}Zix%(YX^;1+g!MK9bw<g
zVei?@=Qu%#5;N!NYR<FL9d(F5q}B4=0e2g`sPRp4+p@?QG^eqHS8oXYwA3}XMcrM5
zSC@{4##QNhd(0z7E{`i(>!O7kTCo+5LJ=KAqJ+${_Ou(a!LCz7e@!qX<w0Lms6TUL
zfv&?NIiv(S()A5ZsilEU`T>ThN1g%MwnnCl?VY%qhW1XOl`9-ZI@jrzA$1RuJYY1Q
z#G)8oAzhfx-fIEB(NJwP{~%;>9FmB@lGNGMi3dHFa%gNx)~-g7gyp;`O}mY37lY*>
z(kXpnXZteSj7z05Y`$aAoyz3u*3kL^Q*tR0ZLztGc<M)u!4z+?!61#=?ybS!KE-Tz
z@a$$_C2gd;aP2^>m3F$2^ouIP*QB;GxunEBnv$hE{<sOVI%3PZ3Fs7!Yx|;851i%z
zqbpF!6w6shmKi*0Y$%y3p<z?HB@)okzelRodYW2W+ccuGX&M=^T<L&_6hE;Ni|S=V
zRa!Eq<LqU4oVXB4n{-91>`pK#VuR}J%+@W<Dh1=m1@|*KIZNHy)5+G3<P6P*Rkv1g
z*D=_+!x~~n=XVh=WC5|x`J=31z1zoGMZOhF$ERW!CP^wC16vhb*b2T_6kbxUyRez9
ztxb{9tf~!`Ev?XU1S#ZbI`A-{p%o5q1@@1jpi){JG}7f$gJn0^%q5qUmeLjIGgxdc
z@wT+MEcOJoq&T3MiG;W3Q!G(uK0f5Ca_duOshNyAdW~%alhDOE%~)bfGp2qLw*lO-
zZG_)r>3$^M^@mZafY-odO!!=$5s;G$nrllUCs=FN=i(l}pokn)FjArJ(sWc~JB2cR
zU}8CqEKj;5i;HH}rtx(+fxTBr$~hg&Oh*?_ud%MRWhIW5#22>Ew#;Sjl5?uhfNtGk
zlIk;b;jK;~Y2l?Zt+A9;q}Mt$I!M_%S5jiB50{ruir2yBIm`CJr6NR?;XMD~dFa+X
z_3|=gG0%vGn32gG)1XooQo7vO8Va&YAw*))vW^Q=ZFq2>jQU`Ij*CP)0)fK{DV&s%
z=eQjiJbM+>(oJ@JOQ^xD?`SldTbOC5!!cuDDGwYZUt+7EZc{^}?owc46Af5cV?m4_
zv5-W5va=13IW$2LTftm*Gtf^-Nm}v{Xo=(nwX#96qn~p#zfWg7U9%X~%Nje-oaB<W
zChY9O;k<;UvI<5cAhF@t4A3DGd~n4aov6j(2o0TsBqDGIN{-;@4uSi7=wHT1hEO{c
zt55ePL4A_Q=R?z+k3Y?ci)p%Dfi9lWuKBGLoAf8YMXGZ8MTbWAg2);8WMl^LU<x?^
z<f1gWE6F9v?IQmrJ2UujoDB2igjh>`v_4Gag@M!7=QuD!%;c=|7$?4hM_;<AoBfJO
z^TCV8YUXE{3z2>8l$lK_91Bqom1TS72k8xJNYN%rG$d&^x2(~py9Z|Bj7v0b_4Ok<
z4}5VlxeB3mEWx3j5k7tDgih3^kxs!(YY<+j8YjloJd}=skFBh+{8pnH5B3#qTN12T
zYB`c%4M%sF^7Jj$3kRF97+^3+Fm;(0nh2E^OJEx@8#x~qG44=v-Q$<gV?kXREV_1+
z&$94ba#2~MC0qR`g`eUPth6~iG+8pL(u+vL{T)(klXyR<!kh(HDi;bvS^oA0wM3b6
zZ3zNKE?Chgvaxj!+`)*+lXa%7(c(Z5n^jV5Nhw)O<>BsNQCTd$+&^U#$`~;8@}sU=
zd$7a~vfa-8(o900#|#6<HB|R3<s5A!-U|(m&Q7;SP9|4&Xd|-Z=A_@zu9XxcmgRXO
zOl^sAm`+C2kU?B(X@p3ik7a;sW%Z(YCB?~P-Ktf10=2TFWEx&e`qpyJ5_DE35*3RV
z&zLzUS%L$DLDoYyoDsXR+37zb&^1iwX@m<=pX7}(T^5JtbKvgP1^C$@i4u|EGG}9p
zsLnX?%eAfbtFuIo@M4mZHzya&*Iav>!3uSYn3a{tqoh>rB+aEYzB(=})~BA~c@{}~
z$_(>8o27WMrb+rt%{aW$A{8Ut;+X1|rSaSvcCb=hi|%-#NVjT5rbbDmx|PP9J)DYJ
zvBV$lAz&nsRxPU$N*jY&SW;$3{QR?pYDdb=EvL0KzGH`wkbb7?M6QNDQNQm(2OA5X
z5H+^6FGb!&wl*C&gWD2|V0DeKg)SItd59=F$C4!~b4ymN4Uwmt8hA(p;>QKtvv)=d
z8j43(Mu??W>DGf>rzudk9cV{H!M;|-!1TD4KGj6KqsL}yvm9~?VvfO&fy(E|6G5Dh
z5f#u?I4_4Y=BavElUqF_K^{!ckDsH_;R2NMJ?|$UX&PkI&R4p1&8E>5&8*ox4cS*X
zc#uK#^(5+%HNc*Z*4kDI(Sgt4EAmsFTa$8w7SJ+zghtm99n&lcBfnzVui|+Gb9pEZ
z6^q^JQyjdoQ%{1(R8vz9BAM*Qne`bz)sf|~iMlMy1<7tgJwB(Ks4bi~_uC`>!EaA8
ziJhW5D<+DGt}#P7&#?O{Z|Q7m!ehN85+M?e`uXH6kph>*!Ou=$@WDwYM8IgVKb7%N
z)OQy_Zg22ryG+h^s1pb@jfaiM(I5uLc^qw>JVDWT&)12JQPk%k{&B~gIKFxs$E`ns
zU)I+6f=s!{mug&y0M=!0U^LN?phRps%c+7vPj_QyqhY^T`Q;4#?D<Fxz&2zVlFgDv
zw4u}h73~($h>yc#-1?4IJb0F4_+ASRz$aI=+M`xk>0!voT1S_8KRgT`vxhe6CFRKa
zVI|05S3J2ChnVodqq13!!0J9XmdF{T4H&ZTgu;eZ)`CNCmR;i`TeRFinxlh=>_%hM
zF^6K6hFbYlfM`ctplvUta;w7vZC7`PpY|5p!!fzYsD=(S@IxW`WEYRHWtWb}$Ah-M
zvg1p&FO9ZM>?-hj;><L+9;qsN<O0o&InZ=-o1TkPK3i&Za=-xWa6o9qjYWw%@pbPe
zYk{~Vo*_)C7m=R0u-}<apf2;@Wnb>ZF-i@ytRv!oKk=ZiN)Gt(c963P9U_ANmzMHT
z2HX|2B+-!O1n`Uu_n{?d^Ws?wU5`YB>}TaMo7z2cC-5`kwPMkyd!(pM9qekR%$D<i
zP=r5rc)^Wd5DbS`0j(s+!`l->lu;MrySLE75bwZeN{&l#FXv0;;A~@i21lnO0X@TX
zO=W1n#1j!Zr!4Nq3Ze%#B<rA|gLXjj_JL{!<&4COOBgFpy=2HZtK<QSJ3_%_5`H;+
zdPjDhGU%d3txZNs_V7HK8#3y$Y8;F)6XZ;;=xpz3ZPzT96l;QzaLo;Ptfi+soKLT^
z?5h~j;E4-|Aa1oJDSZ*$L=yXwM6O$*rYH|S*}7=d5ILpb+lMR;+?!c6;0O2C-!yhe
zD`UyF(2k(9minw))*f{#w$?EYm;QI?A(W<2UX6<;{8V&>7Y_tKg%ivzF;Au5BwCMp
zt9a0@v&!$IjGi?|;~kkhfxDaHCy{*@Y(B+LPlkQJrfSqogJh`7`!M46GgmT>k!*!O
z*DXZ`E0jZ2s&E+wKRLzlUX<2|T)Ujg(V6I;4_I=XpMaBqo{1uOuR#tUs*OKg@|P56
z`%;lEMNB$ti`+!3#b-uw;3+aceBY<8IhF@i`;F}InHh~fmV^;OW>xqRkHnO2f1<YG
zrk=}=I>#m2@|XUO^h$&Unzh$;Cs~(judh$9Y^+OLwvGpt2L;$All9Tp9CyB7KlT?}
z*W^=f=#V?cDa(qTs&HeGOxDVwPIvM@x++e^lhCD^W$}gS6F!g=QXmsNK?ZBk_=-o-
z!!IRM_4JExO@8P|<@weH<=LqP*i{;%OfzikNHw)BOGPJ_L<Z3iQIru))084*(*dtI
zRHjCktH?%fs6C8mS#3rK)fsm%Wh0(UOfVqD7EPA*;|J=~9A&GW+mwe#DP%WrOfq&d
zt;}+q$a=_Q4?j480z*UO_SurXkQpEL7G+Yu8W7AX(*2TY&h{c%I5WYZJ5!O%vop0~
zgHeATY(6-`@!DPHL7y&Ze5GDQCXc48SWFjC<h=9~e)1qqoRY|jI%Qjc)ZF4{W8xK0
zwU2<vg4OJ0TASopbKI`NX`F0lT<sLk(mKuhGCI}SC!ZIWusL$7b(;DO3p;~NmRnz3
z^vI!-&bi^>J}R<f4g^p`cJ2deQ-SLJ^`VQ-ddp}I(pC1IgV}?66gRJ2qx?#A-PI<B
zHv}c&Ttp~AEDwN_EAgPm9u7wQZlqU(M^sZoL1&Q+4WAnl{+MU?SHy@Z)4RL1jv9rz
zgu-z>T$A$yxoT~(y72ir*^1gnQ}LOQsDf<>V@1lV+TrzEJMF=tYY(>!+F9vScz(J^
zz6=g@j>tw00Rz@13H7C-U^=2x^A;w{r8gSwf$F;!w<DL>Oadf1c4vpErB>6}Aa`!C
zGl9q&8(ZJ949B2{5N`3YEo4closZy$GB6qK5mbF6av?acE~|bs4lVjUl<8Gcws1vb
zTX1Y9TjI_w(SAUz^D%H7q2Ma}2a+QFgxMhn4`{Kpgo<J)><?OW^kIi?dbxSbQHI6y
z6}|BgTO=7IT_60FQR2jKVg~JrsWdzZC0dCTrMq##J6yMW0BoLE9>buDAOmM+=kLp;
z`_YaDCx?Sibd$wTqXtTgTbJ3b<lOwI%3mq!Q}OfSkYfeZ3`)air}WUh8yeQ~36HoU
zioxJ|I7mL|Or=Z}8G&$8Jk*BC*#4K##A!c0F@l6kmJ^m5?r@W#!xi%hestd=>7*vv
zRtL}Z<2mrK;g*~dazAzs5No7-)<{n`Y6u=28wzrG7+^UuC!c_{;g!ekolOWJd}k1|
z*>FO%p{}X5BevVp$LE$?9vt4gsSwW<U^e1&0sbiXkGg}UBJgTD%Ow26_jyE@X-ILO
z^YoLZ;e9#xKspFAc_Iqc4<Jaq&{Eg7Ix5%p>?q(bu=tpnt=>9_VIR$peKb>@QjPcz
zzI9=^_$2pQBGlMK@^IimP60-nA&j9(5~`XWG{+NaO_HeVK#^EYZb=ELt^*#`|JbBk
z-DAbfL#PKF6yh6=TYuCTj9kRsg=*xUO?TbMOgV2ai3>?F`A$gtpiiyvu;0v8Av);h
zbUVIENYxTq@pEP1<?)o3*Emy;rukJ#)EPO{74#z8A|cL|tq4*wu@l!SPV7N-itg(^
zNKZiNv37j(N;2oOYaFV=!IG#wh`uBZhr7Q+kk^ApS(aWsasDYkS#Qq}7%#e(mS<Yg
zM4WI!XJe0X&7Vl$B2!9-A~HE74Th!8Pt?&z;i!^(Ru~nKbRP$e#?SIOC+TG*9{FsU
zy<n|es9T6Bb+VU0+c5G?a&ktrE8hU52{kuY%^70}3?6l=!G){?J4FlY+^0;%HXvF&
z6V82TRvc{)N?^W3qcj?l95q$p>?R|H(o)@uoz)@{Te?2FA6u?!88js|=Jj)>{;KMt
zOUwNE5C21M7*kQsV@<bnw32vhZ*B4#G$9l<Mj4LqP*24{2sF?(RepbUt1KU<muRL<
zKN1_PhSA~F?33RVjEe3Wph&mhv%z=qyZb<FY(bp{%XiN-2aQy=@4hjON8_5<1AxHt
z82814i-`BB8kES<F)|(sh@Rw$6vx^ulSayz$!NS&j-k-=;i1qs*zxP}2uVhX7YmYK
z$)&4S$#J@l))p*wnbpaa#gTM&(61apQ>0;8`sGjS$RzetJT`e~ef+fNU?YlD;^Ku!
z?*YnQ%_X@sVl>%qn(Bh>KR~sEFhRZ@d!Xp}27w0@79^VjTMH&@7E=gYeYyBR39OMt
z$<_!oyX8U`weSO*f!b*eLHf*e;r3g?ICz7Q^ZR&0W|nQc;ZH3MWbD*s2fpV6U&p8C
z<&$T%T!;t3_+)AazHbTRR8fJ?mllWOQ5PG;0>p4a*^xL)hsvVqo;&xKXa#v^2E>vk
z^-asq9_psXJe_>w22_?M$($=7z~I?#N9K*lh9|a<MB9g*e7cNs<O5il*3S4xL@`(~
zUxdx7dt7Zv{Q95+{%B|i{C-)G!zmN+p!#6tl&wlQVl4@;jm|^i1UkOfEIkv;kQ`!-
z^n`O~@FyU$4410bci9MBV||QD9(*J{x|Ug}sD>Joqxlp+)!k^184>L8Jb#vbhYodk
zE>5*W#^|jWsy?Shx23X>BmER#ixf7Z&?b4Rt(xkJ!VhRd-^n5?zf4+d6`!w3qKPJq
zVRTO_CEAcohl}5=2p_I9e}EVej{paI%y6d>&$HI}Ih1MGmM#>}gjD4UL@-e~@*zFz
zsQDaD*zji0-~M7&cosNI=LUNu`sc8ki|2IAkaYdL&gRNx^uB&dAYzP>hkH7vgQA%%
zW~md#ZE=F(oyKYh*XgG(S(0BR5pwjg9d#(rhN)-vh>x1;_(oLbl0dOkOf<WdHAoM>
b&~EVQv%rk}0~g`%`Y?l9sUMtBxBUMA`Wbe`

literal 0
HcmV?d00001

diff --git a/ctrtool/keyset.cpp b/ctrtool/keyset.cpp
index 609b7d70..dd793003 100644
--- a/ctrtool/keyset.cpp
+++ b/ctrtool/keyset.cpp
@@ -301,7 +301,7 @@ void keyset_parse_seeddb(keyset* keys, char* path)
 	seeddb_header hdr;
 	fread(&hdr, sizeof(seeddb_header), 1, fp);
 
-	u32 n_entries = getle32(hdr.n_entries);
+	keys->seed_num = getle32(hdr.n_entries);
 	for (u32 i = 0; i < 0xC; i++)
 	{
 		if (hdr.padding[i] != 0x00)
@@ -311,8 +311,8 @@ void keyset_parse_seeddb(keyset* keys, char* path)
 		}
 	}
 	
-	keys->seed_db = (seeddb_entry*)calloc(n_entries, sizeof(seeddb_entry));
-	fread(keys->seed_db, n_entries * sizeof(seeddb_entry), 1, fp);
+	keys->seed_db = (seeddb_entry*)calloc(keys->seed_num, sizeof(seeddb_entry));
+	fread(keys->seed_db, keys->seed_num * sizeof(seeddb_entry), 1, fp);
 }
 
 void keyset_dump_rsakey(rsakey2048* key, const char* keytitle)
diff --git a/ctrtool/seeddb.bin b/ctrtool/seeddb.bin
new file mode 100644
index 0000000000000000000000000000000000000000..4bf2190e01856357ed6b8129aae8d7935314c302
GIT binary patch
literal 40752
zcmY)1cOX~o|37f6$jZuI86jJQ>{*hG%%Y4$C1lHtkYt6jOSYtpvR7tAWY5fuvR4s)
z_x*W&KG*sF-ha7!c)rf@KG(U<>$=|R{zHKC|GzQ_|M_nM9ICWQ9g->{fr4J4SSD%q
z0`yHOME~(yzBN8du~$-m$1Rdy|AZ%oT$<!RPSo}^iGxypp`##t|5`rHOXMcx|8aeW
zuxm>qeOF|zT<Lt~yUK!G;rM@C<mgGaGV2FQf-9C!IL?0(MQ#NCjA~Xh@orEc+aYyh
zb8^B1<afbyn4KsJ-bwoE9r^m{YD@u^?*{K{aV$}JbAi~WSm?+RN&aD!{{c?@JKX$+
z$qi}q-M4?F){l=Or=|GkO9GtYVnf_$j`bWt9&6?^T6`ao(}5Q#wSKIy_INYOc(d8L
zelh|%J$T`Z?4R_{7o;Az;3<Wi=Y4~m0sQT!FR`RA;x2AKGf=5<bGwF|5j>WuGcJhs
ztXmOI(_}gR<Zt9m;GSiB90JFVSRV^5KUA?Wr9#dMj=Qz6Ghwqd@%Czc4e8IW3gqtK
z4*eIXNN~5rXI<X6<PF(-B7Xq>rTn$o@soC+G9#ISSmab}kr#qrju<x@R1sEZ@gB4w
zr#^KVc{R8vcXh3aUv`7$u}fr;oy0uI^(p`Pk^qO6;Fl0hw(|X&lU@zu=}&@@`+(oJ
zp1F`8_D%inWRKE&%EUJ0mEeq$-NZfFS6q8(O&20LdR>uU{P(ROz`1Mj*JF~%{T%)#
z6?<y!p$~FT@cpkB=b6RTcn<Myo|UO!9!FjSKIB2r@>;3eG5Llv-ym^>F!Dk0vNFMo
z^BP{}9yINL@%(z}kPm@p&Ua=<S(twuYJGj@)Ug;R<n!Ps3Vwx@bUISnQC(7heuW;p
zKNi6+J|z*DaC|Jy@bkj8NR8HiZz_0gfCrsZep~ZvahMY~Ol8N;clm#ebCmj@F9~p-
zuawYqeGtjrYWVOir}jTTG<*vM_)l#+{|B0S+y%o-7S1+d*!86W?|R1Et|HK3opO%i
z#P@em38+3T_(c9~oa7FI7mT6bPZ+MU&m(6ApLF>nbFi&^J%N%^?vo0AGjcX?hOr0X
z{YjrAhH>#3MNcm`Am;{e)ZE}0A}0+_J+n)ypIq?oqy?{2;KO)YX7lZ=<v$9mdEW@o
z@&Au;c)%a?e0j;{{#0MEYiTwA=^_VmUhtSEU!`CXoReI)XZ+^A;zlEP2Y(`RT_kuR
z#I2S&D+uq!hfBykz|(u!&0lGqv-}vQeLFh&=@aCM;D0k>E0ixZu$O!(OwjGSy@dQF
z_~_>n*Gn~LJO}m8@}&~yVB@P2oIg8Ig;?M>ANzX1yGI>AvH7I|eB;DIQYCHU^q+PT
zu`3>Otf+nuxckuF%PkuFd&$<%6owYWvH5uoe4=Awu<IdV$+>u@qlT>(*!9~14=AR!
z;u4#gn`S3+uRgdngX-^s(~Fq0k;?5;@l(Vr?+=Y(_wOP2ee+a-IIq|<j*FsXgE0(-
zC{IN5&zA%^t6q_9b_d_ipB)-DU#?CQMXn64o911f@gy&-`o8T6=V4#$=erNizVO$D
zQ^}M6i?KGtZ1cV<$~%EKdm7k(C8j$j>qa1uRxVJ3JQVzyzaqsm3%QMXcbi&r3k!AR
zPr<Xx)lQQbNH%#fxJ&p`M5iK;1}A+@($#dlbv@m=i6eFVU<-K?xO0Pm^~8%JvMPbe
z&t>;!A0bZxw;L?P)f-kK>hz9#sqQ@Qf;<CUQDf-Y2U*Uml71}*@rGL5$lrob;l;nL
z@$0KN_N`90$n!Hcz8b;%TW-~A?&sBe#pp|s?z}#O@=f3mUbTOGu;>=?qMK5IiQvg8
z<jvp(o1FUe;eKP6gn1oQj7qTidkDOvd$@}7N_ep2=}%M^erp>jKLS3?eBHo8J<qP~
z@82x`t5Yt>SHX`^8x+iu@}7(S*<<ZbreJ}54ZJOmzx-E**7)UcpS3(Y7HoX2gNt`7
zR}x%JlRR=zBrH^?9EkE;;9q;IF0W{9>10oY9)0wa2Ae<kzzfyO@Apjw3r?}ke}0&*
zB8&2bC;s`80LKA`-s1|T`;q9fOENw>UGI^Tfsf41#H+t%@AG-E$7II)Lk>A5xB#v~
zzxd@GcLn*^jG<G#*w04|-oLuPRk$v1)@(Mpn4kI<yMFB8oOIL1Wal5_DQWd*7ipQD
zMD<UBE3V6$Ihg9OPQACT3KX8k?r%}>Fe{lW&3rC7P48%p()ioiQC<gp%juP_$e*yZ
z!t~mc?vFXJ`CT9U=rrTP?)E|O`pl5*)msI`D1Q|^U77dGn2&1l^Bdmh^=VUXBX<R-
z+Pr-6ec&Cv__@uZ;n7(><lf-E7w;s*J!G9RF!<~&lJl}0`6F=3^s9B6*>mEnW*Mt-
z2@BZsH5~ls-e%F{u)2!`-;l1V><rf5MSvf)hEL|R`<HV!mnRm6UaLp-6TszOE=toF
z-}UQwd`Z7m*{KzIBKSS#3_qL`y>G4!(zWm5c*Y}70w<gFG|!eb{QMZ#GgnzPvLAUe
zxa2^8QGaa+kM<QerD%NqZ^%=?9V;!!TqPbp6|kEpj_kkCf&4xAFT&ivXXM@9wQ}U2
zDOX~zLtYH7suQ<gE|nEzRl#;yE#dnQ<R#$obb*9wM{EUuecfm$A`RI?{sBBc5;taX
zk#rxwWx1P$X|e=)Ie2FO7Fk#(@e1YU6ZduVaUtXt;9D~OrPSq=E<Y!lt-GBG^N}}$
zpZ_B9`f+06Mbm2>an#R$7$ffhw-Ilti93g<yY(${X*Bh>8}eRoKL(-nx94gGpYb=F
z2nN_5BJTrtdE%*uQ=aRw$nwxdecSUZ@?r3^+wqyJH*K0+@guE|8vaT{{vF)&Y?x2y
z`s@c?(;khq%RE?rFach2x!lO}X9%&IN=DOs+YRjeCczyptd@J2zy6)Xue8|cqlfj+
zKfwPSD!JJYjw%*3kl2v>_NJrb&w*EsM}Me&R&;YV<fa+Ut<PD=7r}32oVxFm|4h}D
z=I)zas&MT2wF*A^(z3osvm*t+;7n_ia1-Xg!N;g)i6}P5UdRpzYZ7N>nW6fB!S!hf
zn(vy9W`y3Vq4MO_4M)BY9x~{lQT2+(L_*3Wf#jWKF>*ZGf4(HZ(fNCqS9Rxg#BWWP
z+&}zuSbt6mKB!G4@75%97gzk32)FX^E0iY(_c~YedHJ}8s`%L|&1GSlf17%EQGiE~
z&Fw3Gv$t+bS1!JJlFsRWj6(@NlyAasqMlQ;Qhr`ajO%GGa%%AHv~AnKJJk|NO=g+T
z8+Qtj(}H_CoHen^eDGzI>wCNW3q4olbl^@CL-=Dl{tZ(5tQC#VZq^}Z1Sh%B{8Ed{
zs!3_)k?fqW8n!-V`tR`rJe2Ln_$XpHeA0G=xz3?H`+tvbe}Yd{>MOzIM~P%QZIVso
zoZz~DZi)$9o$0sgKA}Pvt@aZ+7kC5FF>jv0?~|>?FMd#0FbX0+1%8at@A2%w`i;X8
ztAWg=Xzcp)fO{WCy`<aJyIj9wU!I~IjNPAn;9qMgKMYtr=rax;<INV_nnU&Z!LKh-
z-g@qOz2u8k!byF>wpYl7!Ost7Jtg{b{d-3q?XlB|5m^5!0>1Z0sOFLIn##dixKJ@$
z0(Sq(f<HZ{nt`7l9M>M+h%Z7_gsq?D!P6EhXB^)Dvg~EvxmOyptd5Sa0N%?^)xv(~
zs&k!T!n7^*2A0<Xuc^G5U*CLSAk!uDQz|+e>(4HOA76X;F`nk3%1xTC81C)qv#7of
zcvgq_UuV0U%x`!MS-8K~W9t)LaK0~;X;urpG~y9gGBStRG*Dh2yr#{k1xJEKay^h%
z;VIn)7jk28_7O7n0|~!olX)8I3k4#{$ghGkY<!jt?Rxk8#rHE(&nZSckeh+;@YoAB
zQCgC+mOP--c&c59+#Ec&V|CVD#5SO@UV4Js{sv;4Ti}{rDL-^06*96iI~yLqPv%A6
zU;}>P%~s1?K<?!!L)-J#!h(6oZNUR$8@s$|j|b_`kkA!aKgas3JK$AMp4L_}Hx}a@
zORMJ~6*`OZcfl_<R6QZZX^~TmZ?bCtcx(W<9eB6<yTvmT^KMSDG=8zhgYwAj!3$`O
z2V56Be5^ltt{wlp*n->ve2rQ2*f*ES51!J=8_VH!SbyaR&Sz6=)8DmVQ}kp&_wxC)
zL6pA_j+a4T<Y*Us<+$lq@-hA#QshqH7i0w-MXLF>uI;6-L>?AbB6kKC<$F*@>g}G(
zb*GM5K7jT#au@Kq7vJtV>2e9u46XEN1}$tOcLP74guib-eWM_NaVVSE3%>}tJ9veQ
zVn@8*+SI<csFsx|0k*#O0B7^KbN%<yC_!Mv(8l*ZaS4?70Y6!5THpL-bKcN4@@w(a
zacqCg58S!fLGZKe(eet9-jMVH-m56@4}Lt50(YK>BRb+#&<T$)*-qpS!3niVT{7s;
zGjN8qJ`9>az}BAu;EI>@TAtDx^=AhSXEdo4H=%qWIM1ykqPNzY8br!3oaK1?TMGFj
z@EI<xFxdttwp@Yxllc$#Mvw=A&({24dBkfj5<4HM6L5NZ26+hh?UAOe1I~{!PWLku
z=Mu6Nkv|5fiPXP&J#|0lp*5-Iv_0K*<e}hp%=ekg{~mT!dEYx$a^k=q`4jLuTQeRO
z_QmU)9w{&F&a`SG4+9VLKT7tex}bFDaPSNx+pjI;Pr+|R2<7L@-xLd438`IwM|uT$
z1o$VS<yO^&$H5gbwG>Kc^45??gEQ40)t)w|;}$SUneiP|7C`<C{8wQ{Y}y4)M^h%z
zI~1kIu<;WM9uw?vE=b^h5#8lWMiNVJ&ZB%Bc=N{{UK4Rz=6a#KzpeN1e2_l}7jfiO
zAK8o44fj&>(K{N6^`9@m>HNd34ii(eY^6wr2*&igP(B_!SIr_lW@ct1GD%_P_Lt|6
zkth83_*@S&OQIDFMMdiQ(lVW}_b(Bg==3_C$N4~oA49Y+8hmf8qkIzhtII;q!?X@(
z*hf`f<5JmU<0l!Mq*LB`TmDeX@~;+CJn<;D{z>_-Q<D)3PT)(vTr2K8>=6n=^;5y$
z(S_jNF9>;zAJ$68QUAgh`AhI1FWN(5+^@P331jJm%lO#%eg%F#^$wxSr;EBaY3r=p
zUL#mO4P0?4vfE@J=<gw3|AXTKouR1yYw&2!Xk6W){pyLjguSopQDVq5z%5kAzNL>k
za?0grrk~a2$M$D3!LvA6RxZ_?`eyz)?_-eHI3CJpfs;m`@Ang8yzDf>Y%06BQinVn
zd|th?g6h%ojT}4sH)^|&hmhxh3!Of#TEu0s9{25D%a)n~w!X~;UoP2JPH5}X*Zp?W
zX}qH97Ru*=Ki6ToDOY_gvhzEQW7?U~UF2`T*E{@=gisj|wCAMQq!!^~`+ND|5s?9H
zChQb197?$QJNR#7>(jU3f8ANQtQUxOJUKe}X`lG>qx$c_saPo8)8$@YRisfprqYpu
ztuNmHw|+J2yT3Yjm-Sko(|xbXjzsxF@c5Wp3d~dCnu?_Sbk;k3*!x=q?!d4`=E9Pf
z@ky~JRnX@q)?XEaN3GD8{AzJ%Q=@%pQ&eyL4%IIK&;FLkKpJB&6?Nob`07x=IPwqR
zt|uGpR#|Fn+6l@ed)#oa@m~%;N<xwtVNcmqpL5RJpPUJ+UkNTtaw44GA^pSg-&#q(
z&z*mY>Q{klg{~d>USX+5q`kVDAo~Y<f2+Z(UM@2Hku`bT|JC(AP6pQpl&=AIpVg07
zY`i@`D@yJqx<`VoUuwaRR2eU&{QV{oM>+Ar{dE8~KI*{b%k)p%*-hTF@24WacWw;p
zZ|lLG&h@-_@!(-`JYg(#sYYibI{qhcvw5mZ5jRysXtOMf&Zm!K{aFLJ|7jv}p-$Y#
zuCcq1IGM%5P`(NLOTG`EfUiwb^jAIF^7$|R$eY2-%P0+S2K;d^?dIOhlZx3x-U5Cz
z-^#DrN+w{(?29MWWm0D3t>E)XHtZS)85(zS$i2tjEMw1?FW^>dC37Q|JzH15bXE6q
z7s{i22Y7%HL+OCt`6d1l3Qcum-)G3Xz?T)x)*|lw^oX@`4sv(FGeF)A&U&^am!)%^
zyG$$1{x>HNwtw>tTtDj?Nw(7pbz@M7{;t>74$Aj}<Go#Vs3~k-(BLfZzhJdqfV>}k
zVw7gl;ObF+0;V&jnO7>Y>o)-I+@QVwB&}Y5gz19Iv-f|n`)?Rr+oOr~hl=#U;P;>2
zF4t_Z{&EETSjoZ7M&f6yN?XegHwf`r(eX#Y>2w$FYj?5o<l(K=kcXVd-v4p%(!Hs$
z80i(ZH$TP?J<n2|Liz9D=d903aGz9rzAT6TL&La@1^EPcObto<hD_qx(Km7ItrqHb
z$fv-K#6(l8NZm?ArYAxuCEBq4qiOIkN6Mm$EYfMKmrNsubAMv}%?x-`%Z+=yc9Xc9
zW3z^7R+QNMI}1K>ea_8w-_`YV$?MNjM#r)J&mZ7FXHFDe-cXc}csAmshS!6=|8xKK
z;+%&qqA{;ML|DpH&3i)7`OkwVQT9f$4iCJNrIrxMuN+uFz5w1j^`zVGqP^WNzRY}9
z-3r$KErOpo&h<wnVQMP#x^nl|bKKbY`2~L0z}AZ)Lifa}sz6r8Vi_e=e+iuHJ&(=&
zM~^_6ih>CLU&Nfqm%+WoqAR=N$e3i^g_J2gE3oms0$ymee?Iw)c|mEyv}#P_m^R9<
zf;)5<3-aR`Qi-{rJCJ5qT1LJGE?V3|%C+|Pl<Ijk@3s2;e?K&Z*E;xp_PJx0Q&Vq!
z4pJH)Fu#%eALDF*XPgr*HS{8@*QNTU|K2+U8^4?2Lk7mwHG2Ndk}b+1xU+lTP<{*i
z6C+-W_t~|{r1-{T_={Ju{k3gy_Q{FguWyAYtGy5>Z@wNcj`BO;4z)C7<lh-cxaMf7
zUhN*1BHsnS&+;kfqFKrYH6w?Ap+OwhpX`CZT>1EO>df!6JCUbaXZ0H`QT{J@r-5jA
z2>+hW(FAg7(o;#g$oIjm-jGztI{b;Vd3x=sYm%)7@&j<@v~ite_v*-oIM+(4&w;DR
z55XB4Ic#x1#yfL&^7Z<hHpA`@T)Kb0l>o=ge7W0=wZk`+ZH0N~{C8}8<AIaa>CWyi
z$q{cnSkhf*ej$SD<Adkz7y4}GyXfR_D&gF{^a|^r3Bczo-o|D!ZuCkGN}7v$RxhIb
z5pV~;nGoS&HI`qjCVY331#*!e1vgNCdx7t*$@iGw(|HU=v{?U31Ri$CUu*w3_Cv`?
z3=^Nuy-t)r2JTwUp8Df?%Y;`Xb;k47C~SY67+gwInBmB|8~c^y=Lk61rEjA=DLCWr
zPi<ufu}wJQ$9|8QIbi(@8TgSU(TAKWEWZOTw)A>&cT%D}IXIKcLQ_lG0IQ6W6pdW*
zA64YX!Ednf_TF%I>5!cM^r!9gcYNd&;6uHl7pKm09NKTH(=R8*oIp+qPQf91;Yp@x
z!4KC^{n?Z6TaZ(ME8*NJ79=l~CmFj^V<$j@?axtzTNEsD)k|C~G0mu&A}g!=i1IYx
z_`h7Q@{I;-nUzlM`>qUP<Ld<YuLmpERtkSjdFw?+R9%#@^QQ&hdq4hHqMw=|^LOGR
zZk#E0edxeLG9|gK122||<}n|xcCKLKlOEizuC0n?f9pxC;l$!^R>E0yehlCfG+9zk
zqZ~~ihEo+97rL<fpAkIm@m9W&f7B}HGvAFa)1Oo*&jd~{X!@+MPTwx``^^}>gH7!7
zJ!bHQoEm0#cd9MCD@=NYT3@jFl?B{>dm(6Ixm3&OqW5UPU=}Z`&kEi@e(Qc$rD*(x
zYdGRZwgR#J12%9+^?|ZP9sWF(ug&#2)88aeo*i6sXDFpBR(RQ2yhppYh6P(+ae$w&
zA>DuVw(qU}-EV>7L`zs+5?sQ$b2uiKbB2<d-=gINP7bOs15SCyxx`?Cfpcg*KDzGN
z)h^_6;L(;7MFnP@S*;F4D^-4b*!oBwyuEe1LrdYA|Dedg(;k-g>nN`PUbRy5#p3nj
z#-J#v=c|;;Nyrt!30p6k5MG;bI~PGAr?_Wx8MzX8*Ucru>D>Jr;!4xmvupn5$d$pr
zKGV9cY#MB1Q)_LMqG{NTTm_tfN13zHjWpOS;L^=?o}4V?s^AZt`n9gRhhFPzYWnm}
z?36olb#NOCN@AA}&#NLmUCt_U_`OAb9{j$|`>NySS8tD1k33OPw87Rd7r+^c2}SaY
zZyE}G(0*BMyhMWX8sMqp-?fHH4!MJ$vt+VvFUlgn2tIVOB{Vcqchc;^d@}>zG&gch
z@Y`GjcM7W4(h@#9bJ+bkm_U9B{Nn{x|IGcUjdauGW=ml`Yy(saeB*RsV~gRDqm48S
ziXKKkiBbMCIAhn1^|B}8UA{pzhR?2b-9)YpKJ!<7D0~1%QHafyV^RAv_I%I<Zyk0a
zd?WI#PBLABmr_a-+yB=CclmSr8(xT)@UxX}3ze_Bt*HJLaQ@P#qn#r`%H4`_N3;ua
zvG>ma+;ZoEE@SUVp&m<~#`u<+Gs+u+lgA4k$M^bV`a-GyWGC$bJ#r)P_m}+G&+F@R
z6KzgMYPd~d{jV|j<;F6dmzKs!<j3Aqdi{N8jPfSn#gf`LW&^!EcF(S{?nuZuA-@V9
z&)OqsEA4W*uRH!+-0kpG<k!Go;0fO~aeY4ApZGqK{Bgb?a<l&)-|-ilid?I9iS!K{
zo}P71<Tt=+Rcc>};il-;S8_b`R4ge#ZVt{=G)jL^pM0V#kLw4${_Wq$Ex-?h+vXCZ
zCT=n0r#GIakHN-=6}aOcqAZHRz$Lcj6P?P%F4+BR4W2N4_@%^~-TpJ{3xj2;FB7P~
z4fy^nmzeMHkt3}lAqFpNesLkU1$WV45qL3ke3K?wOq-CK<O1?L;6>*{qUG(}BN7YL
z+`r$QQ9y17-XWzT-?A9=m?wOJG2xZ<Jo0<sJwvDGj!yHmbM+LZ)hb}^7mhtRPEuOp
z_KJIvKzljM-%uq6ly?9>-ZQ=#`jF+-^B(O7v<G_x$Q{A!oZd22cv%fsc8-vJD=RyS
z+zFhAr0KKq@<P8sYP3?Sh&V5DXYj$_Ry@&>FXDbo7`<C%r^41(Zs1A3eB*|M8|jW)
z1*_fo5!;CJ?%>t^OD~M%X4y|((;Oq@N<M@90XQAmX7?aF^)B(tKl3}UbNG>af%kk>
z6xFAj5v?P8m#m*;h+SWAaNI{v+pYSC>)p2xQ+NCKu;-T#_|6@7-~09|5+tXld@?(Z
z+(Gqy!EKoM|IVol;5s~%v!Gq{!p6TJc<v1elG7Hk8-LALv&oEou=T4y_{YICKiN{d
zmE;Y3=b!lM|2DPodI-*9<m@x}TPA3>e7IQ9`%L=(7$*RnT`9*>BsYj$P3Ky0Fn;5G
z<bmL>1c&Qw;rLbp12sx|?a#31|0D3}I8F8ht{lI``;J4V^@-6a9|Yd!x)w5~zNM}$
zFBqR4@b?Y!Q1I;umP6+&Ln?2cGzt?fFRCMd0?v1@Ui@x$UAKll;f3g5aoGAe4E*8Z
zATPadtjFq?Rj#r?t5TGI3Vx=eaBTzMX>W{nOJp^c0_(3L!M|Sm(Kb5xdVfgXN|o>4
zvm+=U1>UWC|1(qexrbf*dtp6R*S3*Ig9{H>M0W==(so&A98Wl&?}0o9{J~}1rv?e$
zMq%7}sunyr4aj4`KO8?It;AF*IzVB$K+4L4jlbvMEmn_*eyEYkuX=~hiyD%wp?o6v
zZ|@H-HERSJ!-?)m>#c7;Ax{H;5+^ofUGH@uc!A??fz!ZG<Qd@pjh;6oY$D2p=M{!I
zeLt%p&jpuv7qkqTC`f5yEou^~BvwP72VS3UMN!s%;NP*iy>rW)tQ7ehaGQ>G3#o^a
z^xywZTWkv1VDno(xVQ!h)tgT;9lDQ4c4D`^u>FU(;6%^vzHtcM8T3BGq4g!%CLh%=
z0N=iibANqcdR3U6HPuo4wi)tw;I|bCR~7eF|M}%mE?-%?pP9(tgSUJjj5@9UbYK^s
za=|0)g*Ea*@CltLUJ;GY<x%{3ji=twWBo@Fcwx1rxX{r0J&Gd@lE?ZJDp9@|Tq&b6
zD>S0Vp{3caDSROjyS^ph<Nf2Wi7bgHE(VeN**uapMfs25?eQ<Z)6jLjVZW=~&s1!V
z&F^L4olL2Ii*tdw+I8NKs*7WqP`(0ukIX__E77T_Jc+31>a-~Ke69pPEAyQczg%`U
zqUU|G+29LoeOm>dp{F8}&U`GeU@>Rs=~4>z^Hqa;-o{Tb%-6d|zS|Ugobwje|JQ&!
zgsz(ioY#3AzA1gzh<$4SonI|@MbVCBWT97BgTKw484j8><aOZRKRrr&HJj?7&;I`B
z_eCRYeP0hA<J+BbN9Xrj-^Gv%IW9*Yqx>guEr$s6Vbh(E_AI|#N{1l<<PG4}VP9%8
z(s~7z)!3MhKW&>t-V8p=r~8ZQ<`{8}TboFOqAJ!Ow17XwZ!~FFykefP)%X|ZR2??H
zTEWF$eWc8Lhi{ZeFU?Rk<MssA?*!M1lc*WBc%OXnomO^kjlmf5uiyz9&j((<ulw|L
z>Rub?qb}_E(FOjfO@BFm{Fz)rN=0qr4}1%h?*^w$SaF&2@c0q%Q6gvMWQ8>HZ{T7+
z(bC*ZCm05mjfgGADJPKkfFG__cs0nU;EPK&b;V{xV9)nH@aQjI&1YkRg?cB%yzOa5
z`%r!W{9?m!OWSl6UBv*446kka0P;a_wRpK5+*cfByVI|o@hiEp_4_cm-$p$vsTMA`
z<<L>NgZ6=Xlpg_qOTA`Qr+6;Gb7nm`fw1*7@-c8(-92f#(w=+U&Yex#KRCZ49|t$y
zCYSK)9V-qXtiLUr?~BbJQ{cg4JdZ|c%MWoi%;~>|M`8EhG&rdafo;IrOojeNdzhJV
z1orvE5AdP7=XQ0KMxS4c_UjRLjJBiW&w)n~Tz)<oA4FEw@_=oeRk#)T0{A%vhHo|R
z_h>h-T;q61NQLz`i{QCFUmSwJx0AFgP3OqB{IEy)pWrn|U*TR$TXn2DN$q9ujCle1
zFYu~QIS(Es(-_+XXUuj=3IF?t@LB?2y7F>zx}ljND~wm)UGM+=e#J8QXmmZvErqej
z1PaM>f!|JI^UDgjZPbQg^X?fJT@&0pbNBXR{#PDn6<ji~SA(_pOvut^;~8#)-azDQ
z;N#yDPpw4<Z+~TY|L66C1#JFY2RHY8E2YlXToY$=CYtyLBO%Iff~zRF1i5R=(2hoW
zb2iz%UPitJu6s7MJAuF9HaTmfqR?Nm0OZ@?)XE#DOxBdV1f-T_dOW`!Am0HWTXVlP
z^m?{EWC!mqS)MK#^55X1Pi>vDZ2INBe19dD6`!X-{s-K1P3P@2{v(3#!diFin!aNF
z!2!6cDV2WK_aFgA{Cel3`vr?Ak3;{@mjpQTvmTqd;f-7&l7+O}X5LtTh6n!W@BMe5
zvm}Xo56vV9#x$_?7e08<l;Q*bx1apvI3zPj8LF|*=Z=CO4BESqwO96g1=XafoT9`&
z-y;OCf7brorp`Vu_2Bc{<?C+P{vgqRkH2wgWU8QBtfD)1Ye=sbn}3dhcjsIg9ih%=
zpjEPwxt}cKf_^??@FcQa-$jFUStjE5+!HGAt&o#|%ik7ms-N7U))ef0!!YWYh@2Gs
z3tO~(Wn%D{@pgBO^7b8l<YeGBTtCODZ|Hp;Jkj=D*Mi+0IXU>?s^R+vKJIthZuGmG
zLHm-(kAvSSv@XrsOzI}sKKz<;^-vBu1-KoBiPM{3wB?}#+62D8{$Tryl;G?FR^R%Y
z?|fx><|*GvQH6~UD)5&9XO}OYlpQ3r+1bA?chU{jrv`t2+i$U|bGa(xM8uu0jc10)
zX~4S<+qM*j#c_OZX7BBIcVhk53Gn)x8tP;Bk52m@*5K2h9<4=rTJTIUdiTH8YEOPz
z%l5tc;4qDx4*cqmk=8+J1?wN0`?t;h?DrsN0I%5C7O*5a_1d=M%k7tp+1T@&5xf>p
z@5Xec<hcq%v&w8*E3E%w0#8yEOvpauGctOhirY84K91_MgP+f*pFj4hAh(}TeTSC|
z2YbGr1W%i#QS11meg8~llIE5N54Qiy0WK|?rqq{wJ%uBM`-PFjU3^rZ6MUDHcWfh3
zc-!14sMX)<R}FG5@Utu;;|H6OZlOgv2FY`hG|0KZGu~%Jzp0nfE%(5!ZqeVmiJS*~
zntv!eO+WIQ5XTEm?O8djzv2bIb;OkI!rS<j8h7%S0^2S&D9;BjJ(tkFlN~1dUS<C>
z{b~w!{ZE4rX|*o&%tUO>@)6_a{W`?*0^r6+1c}VvJ=dRMcZ>W$%A|?v3xa>?>Hewt
z@Rg(w;o^onS5_}_A@Gk@i{0~2qs82R7>f8XFJt$wFnEjL(^%t)Q*pW5Eb0OZzp?eP
z2zVvqo_W7S?sC?se?8ZX4z|7*1Lq%+74@i5ofDpI8#wo7Ef5|540!Bt@Xw~AcaN3H
zPd^O`F2;^80dCkYp;ILpVBziiCV}$|6*j-01=pcI-mg<ybdquFY@hC?*aWIC3I1vE
zy~~>r$E?J}8Ou-7hS|uaz+<W;a5XHdJ8*1Mac&OiVf}+NIOo}iFWn@^Q(nbyCe1np
za-h5nc(CR;TSC=|Uy}C3>aWPtvHclYaA&9aHoEkq+VQSW@>xQ;E~2~~_;YfnEHz^*
z$G%pabG~A7#mMEsiA#v|E*fyim61&;9vSCZL9PHkteWY_@yf!R&BXYh-!z)W`V&R)
zUWI*!Y*O+*>sp(^%XP`v^Fs+dZjI_>j?0@{xcJ#EG0g`4sJ=3Iv2A!7cfnP+kuuIs
zV%H0T$ko6vs%i;cczbljlx8(1R(nqmxjJ~5c?c!h;P8ulcM>ztrbKb%=fS0quABSI
zPam5K=3vq~%0Pl#1N>u*PEemXmjoH!%=->nCkNyg!IPt#Lh<L?Dvxr%7aWm2%7a`J
zyyFrJy}<Eo8r4hkee}wvq{#Ka?^HJkhe<Wrj|Lj=X{9?JBEJGo%v)^7Cqr0qZ7S3H
zYE=6N<k!Hzkc&|}wrxu~B;T`jQTvVcH>Tk8wrt`B4>ou6Pks7``*{r8Uoivk%b@Zo
zm%`y|V8_!O?6fyP^{<0V-ZoDw9?JYvW_oMuj_Ol2<Tt?arc6U?qY|34w@=MIXD0fK
z+#G!P8wvjYJx5n>F~h9%%JaXGTYx7LZGP;g62Eb~U#^}pYM33l6?m`F<>^7$Hj~fc
zm8Fsvp_p5PM+vMN6FxlU_tK=4Hcg`lo4;>?kJkA;J9}QTu1%TREYLz4yFYBe-Q*Oe
z|KdioD_gGg^-Nh|`;&LTGjJcV{HFMzXDl20g_QC74m!WP;H=#(pUZBu*hxkkbFHa=
zC`WDwZolcgdvPy^j_Q6sd)}3CT;vYmjKwjpU#ikF%}s0jOf%>iBX<OEZH&_!i&wIy
zd@XS<bFT6;a;N|1NiNuuXHinNmotc5zpmJa+ztFjTR>&eALT>mw-=8*AqmJp?hd{s
zG>~Tz8oDHE{nkLvk`SAJJi)bJ=tX=wPcj|&ZD&{Yg%&oxAAq0EY?GVsjUO2-VmP^Y
z#|E2Uy}-j{uL$XsoDvdg(7le^K7y^Eyum3c-{o+O%1bF)WUjKE8a;u|&kuZ1jbNC&
z@y1QF>hSEcf?ce?@CO%R&iR`1&(ithqPamu<PtVNJ_KjriP|ZPsOO-2{m<|I2pM7P
zs{ruz)3bZ(SKZb7hvy%*Xy{_&CkXueAkVBKevFR)JP#imnL{BuzhH28sR&zo1{`jW
z`Ql5dt#mBNL%>-^_*m86e@Jpw_rVFZt;9aR2?dv?{>~_48J|9Oi(}N3uk07fM}pV8
zR5V?D_%5v`U$UXY>0}%7C~yHjsaFXG&UaNSh5p*UYnMPC4NmlHnf=^!&gu!NKJ7{M
z-9N~mfnR?V#~1EW@2UD|Brt+sxe9p<xc1GF*b%{lAdA?!UZTcK?EOguAG}vvo_B__
zxrR}_f<xhGD9WdT>k*Xkup9Q1Yupu@<NDDUi#!7y?}?0nlkXqXB(=XpZw{qKk>`T<
zxzrb%U4OsRaC}#kaXTLyUwPoam`ROnv?(o9rXw$&6`^29`8VLrf5n=_B7KFr?>na5
z`uTtUeri7W#+ljM0%F1RJ@yg=+5?|yQT`qH-NMz?#K$-`I_ZC=wgUOF=l6T?6~)0{
zUT4<)eiCNvIy8LgM)?x(#`nEPC**ioWOd03Vtp<XA^!j_W9pEb^Vvg`VD3&oj&%21
z<fY&&mpK0h6!pY(EE@Ek=M%-&7iHiEU&JmD%TruA^w#>NW_o1^<;%f8U7uU)|MWyh
zXy>0_Kag8Fjl2T<hi!o0R&OlLiC1Iov>9<s$Sc96=mx&IiL|S^g}IxGY81#IuL5^a
znW||ei~GsH<+yxD%ZM6zE%-{h%6{qJuS3>OukLMVg>NCR184uv^x34%Gg&IHU$=Ja
z@Hp~%@V}=MSY6u*m<otAwpOm3%0b=$UcZX}R{NDauDHd_?LOVtA;=rSM;Vk>qJ_pO
z!^Im+?rz<vK;8y!S#~&C?doYQckQ9ZnW^^2$lJm9?mUWSiDVJPXB$h%ov(a`{0sP&
z`R2ebPiPz2v~_@yyLm724)8d8gIzvPd0y%kM$TY7aqRp%!RvqAaqY%`R?BkcY4P{<
z*>@=a72G<wnwEZ8{#}R}f!VdoU$OhY3q0)DvEP5@#d0j8Gs8}){9;A<Z{P;HxksWS
z_Vmdk6?+_H?sFpV0ar8SkIBOS^Qy^F^b2jaZ3^;U@RRXFEs@8%#xBjCI$8g7C<=KW
z_{uq-+oS9Ln!GbFRUclITSDFsUi0J!Q`<l+;Sz(@$bk;kOXLIKH*ehxjMdKZTN<s3
z$kmO=Lp}(8UQyFPX*Df=QC?rnn&cXG{zKqq>Qx~X7x|A|zvUR`Et-X`Pe;I|EN;CH
z7dmLH<qWuJryMSe>W_k#C{+hc)&?woZ8u{GHBozmd<;CQ^QrZ6Ds$2WDdT;y8H)(y
z<KWjeYUh`dmLLApVBq~~WW`7R9h~W-yh`aYI{9Ja-RpMIGuZtx4X&2{>xEpR^H8AB
zq!|9g_q!-R1D<*=So)Du!U^TN5Ju{^uGsuK3x0a))6R{aKSgU#7$fwgr-)Jh2YC3W
zg*n5Tx#Vi4sf{n+f5#x72N%m1U<j1oj@=lqyEjFI_YL_1csc*qWM57dQi1s!Qe;F`
zjL4V4;~y<DzLPY)ec<(e?T=b}Jn~g=!F>v2iNrTC_8(0;`vk`gkZ*u%_MYgzR>Yi@
zpMNvTX>wp4`4)K1tIPIkmSz>a{5<D0=8Uk<Cw9P78kdd2g<dBJsF~`g#Wi62E5E`2
zrhDTQPqBz)>sUJe{3VRdk9**XH}?(xi25#4|M6s|OSFnd$NvlN`ys03@LgbOQOZVP
z=j|?ReD8z5xPBORTA(q{y!i_+kAe$!|KT$HQ;Gmb@c|PV*V%xqOIKW-c%+B0{)qtm
z_VL!H^08+2S3>uHnbJxtq2nI~*W(Sd*<O+}q@5+Xh8v@d?OzjukN>(&dnxZ1-O{$K
z%oJW6cKwfm=lcu3P`T;F)5m(C!s`;|hw77pA5xcea;pgm=eDThkNF?N`Ui6GS=)cM
zMrQ=<mWEsFI!sgNQ2sc$`KEh-sOgN?>GyAJM9VZhkW+xi?jC>7l8KketKTzPeNrJ6
zIVE^#vEZFIdAnf|4d2S`O;)k_pBmiO7bl=jorvCesy>J9rC~G5(|})M-aTbCH6CGX
z{dkmJ5&sc#TJSSu9K<A=gtFS*>UD*<qf*G}z(qpOcDF`56wCZxBjvNN!q)%)G<E-8
zzd+)n(s2c8gc2Es+jvE9hEbjYy!4CZe*V2_E_afNu(-J^Wyl%9H~A<f=-=hZEUh_I
z+<Y{<hnxw#{9<;P@6buxQk!Z`!TefF<jmj-j2bp~U(v5PX>rY$M2l7;X92fs#!-3@
zwRm>wis#n`kxSV4V+D^c<i9oXi#o$V^zwtsmB8O9&kz1Gm^4;R`)$Hm{QiQoZP?=-
zM-UwUIf;6+Yp`b0y`^xf7~6c57Xp`iXUC{Ru=zP!g5I6<){i5|g~8**mZHsj)dL53
z8+0#y(8T&<3GmU{xLs?p{yFc<f87Pm>M=hH?pH;ol-9RJpLEXJMl9%K8mcb^-Zs(N
z==+l9KFtS%rMu#%u<<7gE@-dl^J4BuLC)>71(J2f*!n{bT)lsFz3FEXZ(M)|=Upxm
zb5vg*T<GPV?fR1x(e^|F>X$L&R>&2=S#?A|h)50JwJ+q5_gqcdK&}XWe{z&Zsppf8
zADu^;h>gz(^8frQ3<1v6@(mnH(yoQiaa|*;A<WqPs|xvz>?TPzyy1^Vb=n(6`5HPX
zuMR#g^JaZ$rp7Lk!*VWvS+gJc1@Nl0sqyc_2a;p=d7KLgg0cNk4e;Cccrnp_rSYw)
z#`bmEY0@Zv3A`-%H+xT9Y37gJ3jt(XN>`C<gVSvj`o*gJO_Z{!$ltF>#riKD@EB3I
zi<g<i9riO8CJ8t^u=S?_xXFa6evHj|dIqmey0*A4*!sf|{M0?IO18JX%T}*(S2nbM
zo1o(xfeQpq(9Zo43Ve|*Pcz)(j;)VP!I?ZvevU5rkS;{o)AFoQVEvmJxWWC1h$x#$
z1OFLIzY9}As;K^TaANfb39FZwwbhcvUW=ZoEJl6<d<oyH_+yIt*VPd@hwc$}W8~)G
zyw{cST+QFdt{nDBiG-|>A-4cO9ZRo}8Q5Im+eRGlj&cecKi1&qZq0abek^V1%A_F1
zSGUbY`CH(`4?b!S1n8)fEbiG(9nHu3BU|v9PaYP++cps{?ZrgI%{wh9e;Zs$_lBa&
zb@R2`S7enhg-c@h&pmM6w60eF%#pqw`#*LwtydaR-X47DRoP%;l_bf#`{fjxgQv0e
zt1~#y1*83#gNEi(ql77eZ2mBmcL8TV@$S3H-@VVz%PvGphJ5|^58>qoo=DF_DyjP-
zS!?if2nmZD_WpW;Tkv=?`1;@+4VHQILwBbB%KzdxUf{J1WM@Y6*0$Ju?3OPtCt}y%
z2mEEQu%~3royRUs=SK^rh*VJC7o6H7($+~w>4VNO%j*T_Rfv%LfvX(2MW6jE^o!y(
z75Cc>?eoYV{@3|Fa$IM>=6#QD>~MyI727`!0H0erW!EJu*+Rld!56Zjz=iT5;7uPA
zzPY|MPdZU9Xqpj}ij9xQ;Ps`UTzntwu6}$UHC*4)atGy~fdB5`V#q$x72j_W8qryw
z*N!|4{8|4EM{&J7-5n2!e{SWy$JXaD;2O3$jFHTe!~RL5dj6!Zgit;n94GdYe%0w@
zlGpNm64xn76p*KY>mF}&()x1g(kIe<)j+<-*#226xZ11uL+#bkJ_9?3H(n>7VB_N@
z_|Z|;s~g4Y-*~yb?2;;iwNU+6;2Gl5PTTrv!6K%LYA>H@-9?@TUhwfKOVi}6(d}H0
zOHnp;4#;1F-^mhdiE&iXqL5IXIIr!3?ayU^e<&G_qe%>R-4v!08kJ5aLHSH@v;3$F
ziN{U|8cL@MG5+Y$N1g?)Ty2-DQpCJr-to%GwiO?{KXSkqwp#fvaoS!ky_7c@@VpB9
ze7OXi``*RZ6U=mOUrY+T{WqVVLiIm@TS^M+d(O(FDn87P7v^zGM_vkk_3Sf+64_3z
z?G5K5t%EVFe=P$SIBEJ(T()QS*2Vb;A(Ix7C|?flT`fXvw(M+h^mvxM<DEck|DghW
zx?%RL&9MPHYA0iHiR2+tl&=KuPP^b}z`?EigRb<pz6CpWeS5)gM`X$wHd;u>vhn!D
zn2BJ|hkkJ927de<zC_DsMM^9|!iEE={s_4B<L_Eieb0Vg`F2x%v{0o0`8c@46Pk0^
z&b^(ge)M8+=J_Y=`8o-nBsXhBoh8VVsjyTO(OnaW^3&iI*E>cP^9)<%yi@xrwN@~n
z0jDI}_`t+;&v7CyjZn_)?IV<*1>f~<i{#eecd>onqDzqF#EX0ZJSKq-PyF)y=<>mw
zsa*E`P2?-!mYH`r6;&swXGUI}3luzwjgM9E1ZqF3p;YoO0+tpjjxxuBP<|c!g2M1r
z=?5CsyvsR19(h|jBL4&4sj2qmO=sW!BR%_mXL?q7<a^-H&xl>IU9H@FJr=~1@66bM
z{4cl!e`D28Z90154|R_(n$&h8-~Vs^TGj2FwI7yVAEZ-J`7C4Wj|1=&0lr^V%QA9L
z#N@@Ut8X%+{2@5EQ7Y}+556gl<5&5r-R-gU-?4v}q69d083gN9XFX~Aqn@0pRg%K`
zb4qZ<lW&gYE{;lG`7kg3(?JlMKdHbs9csT+>g!(pTIRaPD7f|m9iJNfst-+bnXtV!
zkE>(=Ls@tmavE?}W84e7%VG@gNO5pyO_#qTrvtYgp!455Ea2_qExo&JFDQka0bD^K
znZKw!f;`HuB42&f7~B730>7AiWVzbWZ8fXhn)Y+O7S`Xfg701(IHkt@!Hp(^3rAR@
z80#<DzzH}5%&+TeheUUu&}Dlv@c|v59XxErz{Q)}#ZlL+Udg8Es~qx^;Ndb?mu#Ck
z9Ej!;9%OR_wIb&Lcbh5e-87YDdRp21?I9g0HF8ey!32luWu4*Db=*RV$hH~m{J6j)
zPI)uTGwbJ7<lPiMp~W4H^4#FUu>*#-eQc(whe6NRp5AzY{1mv|?QM>u3+KMd?$qv9
z57{3g=K=5CQ?N=G-RmV)TKPWCJci9LBH&)j!FJax8&iBAMOx`ydS{OEXTiHmXl@V6
zq_Ap+&qrlHOm#+n4t!7J(etyey*-nBx*D{kQas3Iz<=g5zKAZ0-{7XqpXM}A$39<|
z1<wmUdC`}vv5QaStvC6f0Sc6t11Ie*E4z5=o<g+yPzaG<5;lL!gA?t=r+D-7*49(m
z=msryj-k8)xQceuu@A?}s8@q;ub$J8aYe2O9<=T-Jj+tp_woX3`RDTzbI31)Q&rMR
zT#vLW4;VdF+T8t&6S+2cCW-&HJg$<E!dfG1oiOK1<T~IUQYH9VexfWDRYy$x#jj%P
zLtXG{nXm8PwA>ZjTImW69{7RHPx|2Eg7F(Xs+X2@9tQq$60zh%^^L)2go5b|jp9r1
z1aC(@t{*W$ehs{wGKHf`pQlXkvZ+iQ)vX-lX5e=>u8AtI#g!Iv=A^piZ=6PM1#Vf`
zVI*4KnSYOf#pyN&o+NTd@SuB&R;MV+HSo<Sh^sYKYmq+yCr>Q;TC@MPa#G>X1o31O
zw!h#7PCAwD@b>Gbdg*7Gq=skD{{2IEC4w_7(yexUtLJ~2TOq&t%=Oy;7>B^|pS=<S
z95U<n-s3#H#&#LQ(`B~Q*!@Qc-n{&1&1mv^nD2e_sBcUE=kKQyfhPv;9DEcCPt5<2
z=Wg-pNEE7n41Ad9ZA2^SiCpRRk1PDM(pY~>3XYqn_Sq=2B@1sPYQ1iJodD&@z;Ob9
z_Xs(dKXe^h<6FpovW1)++~R<lukK|NX=sTu$-LY(?D=yXTu-&}*s-5g_m0Kfc2T`p
zl#TKf;2Q5K9_!!SG_XBk8?W}&KM^@4_{=gVUUs98Rq-R;c=xD1tUsXwcb1+my7?}H
zrNX--R6qKsFv?SdJNb6|c67adXoOSuEzq{R5;+aHtHnTe&GcBAMHHv&cAV-W@)O`}
zUl)G|wdR*vUbcLDG};^+U$o$lDkw~qXeZjW_KQ!9zqZH54;?r?M+^0Z?A$xX-G!Om
z=ggc?eR^;v$|nz^wnNAxxprUTW#Ros&H(;nD2|OJ$o!aY)WSpgL^7=ZVgzR(aMKN<
zPpVXS$#3^=)dm~iOyCFYGW#Kx)UJ(c>E}yD?qlc23{KQ~Z~w@oUh|cLVNFUSO6>W{
z25vkY)=AkrD=a;BvagwyxCNabJGic_u`c_WYWvOL)=#saqZ5#y1Xq7$*k@L^P$#9+
z^IJ2D>JM@baPJNM?8O_c<d$0t!7n-uvF9rn_=Qpv%cp-w-bJyFCim7gV$VNra8Dv5
zub$zGi{>N)TAX_7*yjVMz)946%6vb|aBLg9MOm7+hoj^3fTxxfu1UOl759U;%0Bmq
z*hl2N;IT?&hI^F`8>jc1u6G65m?Gx`cRD?DmEEiT)$WsvgilQV-a&pEymO#QVcltx
z{DwPWN&b%jKji%2T{^tK{Dn{IIxNR7X)*GaBNqU#SUK46>+vR}865vEE8L9TAA;bI
z6+;sfPixpY@Dp1eH}d<A@<QN*Jjc>+EFL*h(&cf>#@-8?e}%!RMJ#GXGQ!*%ZqCzj
zy9XGcya@QCqwcqMs#dx~9!14<uIym*zbJSO<ps02+}-qCQ?bM3rJyS)F9t5h*zXXw
ztGr0)cwRqRZ7l-%8F1gq*Chu(IW91f6UO!h1c@O(3$87~(dg4CPA|M7@Z_>z4LNd2
z@OQ1op}H!ci-&qLV&_ukEs&oBAFSPcdTP<A!DG}T?tn*H54j9@Ti%brhG$xu(|d|X
z^2l?s=dT>N^y5?dpURV*DSS*!55iPbP+lHfGCK40FJ6|*yl1L1AK4buAXfl4Hu_FD
z&}dTjge<q9*1hRIaz*f9<`0A?KKhaklMl)_rK@A(UkQ9iKPi#oR<%an&JT`V=5TC%
ztPD<Q(lK3K=p0joGtJ$@*g22ttAHOY^gi#hucx!ylcYSiNRN#_RdBDx*<^gN&C%w}
zOJ09)ZL#&E8o1OGH%h*#;w-HvWfYqCva$Q`Jh)x5+g0|iVU6{h<tlC`{_o$<1((;q
zbvgLL@#^Jq_R+%Q^ZV%h?t|}|)zj2Uq-sh9;%5qz6B;3R0<VybXv^`z4JN00vTgMH
z4z|8>2G`QgqtWFaV`(4E_lWD@#pZ7o`hQ9h;1oqIYfH*KFI+!qJ6*@pnvUupA^MNM
zeSYKKr|b_U6p4Q%rz+?9k#j<QqaiUC|Gy98_RmW`Z?tOvHv}(naK_$gx-I{>AKQmw
zmor@tnf}K(65wwlDZAN9ngs@4e!fg>_7IyNq`{xrhkgxyB$ldRY~Nk^*aUljFMxN1
zpDD-TpYk$l?_(*uQ5A#gYk(`=yk|J4UUo&KiR03@i3WD$n&8BV7he=RM@G3{&#36w
zJF9^F68O)hJL8Y#aw){v&R^&96upOB3w$HA`c}ni&qq?*U&bwL+r!8&gZo;g?A@6=
z%=&oWG5?6n61INT1s@<_QtK^0hLe08?`)Q{FZT24f#(dH#>9(v<OjYYk$xX!e1Pif
zgG(~em%3X2zLzSa(QkY8E|xb0r?0LcQai2v9Pd(f<v;&Iiw4RYfmgMDKO3pWYG&@6
zns=YA<uY;;@Ti|GA7^HtPU7V>J-%~`b^y64c;)vrU8T<rZ`2--npqYYWBY&C!L9eW
zbkm))9+L<?H)vmt!}?Q8@YA*2ICH#IM!$1oS}y4-WBr{K_>TArjhLlk$6Sf{=N*ri
z*!uM*cvkn4*=lkf`GqJ}ov5}bZ2q+d*DTMhdU_#2SYlYlRu8AL5S{-m@atiTY=rvt
z+$K$(Uup!-V)LIZcnO6g(T=L7s7Q{*a_HnbHox5kcTbHM;w@!#olEK+o5xGX)_?cl
z{_0T<wH>D!AduLLW1*98X-3Dl2UjlY5+Uw0&Bs4~Ey>qf@e=a;;3Hovow7IDe+DO7
z=@}@UeTdu<j=xb=-cFq|Cz5K<>@?(B`UJTT<jXdLi^QYrO&MhtsPY!~8j$;fU%tZi
zN6H~ZgQL){FQW3oGvppnpLo|<@s+*VLUK*+GMTZZIdUIx8=WqhjNe4zX73b9z0ZsZ
zBKHG7wcIl4aC~*g%loMA#WYn8<PX6m8<mTwm3jm=%XCR*0~A`32Z2+464!d7VQ;$X
zI93tr6iAFb7@X8Te0KO~+q8Q3&Z!)`2yA>k1~<>^U|XL&QK~Sfc}0J44x1lB!DF`l
z8@kOyy&A-u4p!~XVe{`3@aJSr_Fuyl#!O1vzmLg^Vb?zlywE_0@#go?oi*zF(Sj24
zGU)sw!0*|pw3+SM6xw$8rBezSi6f5!U-7igZ)%<KQ53mimiGH7)}O_IZ;YjX_}NO8
zI`W5kc~He28{e_u>AVX~0gnTmVi`a0%h}Uo^M4#T1MzZ&yEL_j+6&F&rUu>)==h1?
zL$dE?O5XK;tdAI{s%7@X)*mV0Hq$AG7Egx-9`q>~K8i2H`sV}~KZ-Ytg*H?sn|T{-
z*(;7mze4qsz~2eZj@tUoE5z-UzI$Ly&VxJ?e7Kq;d6i^8U7>_s=P)%k33(QHye0MU
zInS~8ZTWvpqv>;~kQaczUJa$nn0ctFIdW9@bAl!_@*;5FGij_wYx{p11#}Fu(zPp)
z7lT(Gr)bG<cfDq6Ii`o3<votP8eIB;M0m5&?(Nscmete~oIc1uf%kqp$!#%i)jb?8
z9+NRyf$fhrfhWZ5nRL6B1v87U?hIB2vY`AN_|yaPv}KznSw1@(wh5vsEWZd|<V5<|
z>1{u8Ax^)9<OJy_l>Z4{X%yhGjT^wkzxr5?NYM=2KU)F6c0-eJP=Qf=`iC}czfB`6
z%CCdp-}im<fRkTOIeR;nBrGBY`6jq={-cm<bi{5CC{??bHANbc{{e5dDwzN1DMA}@
z!Q}WgzW?+8N7@C?qA3Y!z26{eJn+^{3jZ#4d>n><N)h0sa@TEt>fv1`u-%L^Q}uq2
z>f?ip8in?X+^RkNlB;|`;;(`|AC7=m-VzK5AamTlzaw5+A2k0J<%z*xFf0GDcPx7L
zVX{3?<5k-NauV>JPgYfp#X^72D@QyC;bJ#KP6i(Qa8}G=AJ<D(*JV$Q$nP(5Ht-b!
zuj7}VUYW<cRQ1**+V2oKJGe~*+eLBZBXS9M`|Xqpf+Ua&fX_YT^k`A6=%!tt%H?nE
zyN+B0+{4F656_pi;)+>Pbd38|Z2U@t*P6?Ix4QY{>50Nk%E#`Zswl4v{*u{4&iybi
zk}dD^3%6G`)yP%Ai-lYRX;<^{doA)ZFT7H_ja&_UYjGif$6F=;R|*b!i`~L5@{8bx
z&RR|cWlPUkem!QNDdWeUPnW@~1$nLn+;FTaJ+(?k^0q1$<#oaDNcxYTi?P#oyv5IM
zC0u~@*LT3FO;#FN*<Ri`%VNp!|C+k*cq-dJ4&WzSMj6>#A$w;PSt%tM*$E+$B3mK}
z*(-a5>|MyHRI>L-wq%uLm0kKh&+~nr>;9d;yu8ond!KXM_jP@*>u_k3NWDgRXK=jq
zakbMIFTHMf%RMwXtaBZ?D|l|#<JkqNjMOF7)FmnI3)uYN4qlh-&Hv(+@vkMq3lyho
zWwG(;E;xgWJVoq!waoSNAw(u>e%Sc#2X2t}@sy=_D*a>I%_NsVr3>iz55SkVf6JPk
zW^7?PYJX9F<U%R(K=2$T#$4gNpyeAJqV#yl*Ra?B5x9#_`45}jvHgog_|9yt6-+3f
z0PbT<a*C*WgsjlD=GI}YjYr6nz<X`R=vf<FuQz$xMr`fI@gPqHC)qsb79*~hE7Se*
z`tj2Q*!hzOo+Zf~{N7xA=*sy+nF-YYY>GpP0`SCHDvN>DhxuPVQpox_ReeVF3&GF7
zoccWVAalWe;3}iVO@1}x<=`f-7TrIvHG5b(2j=~V779aN0siiQK#Tc%np<P{huJ^<
zaKzTH&%i}2ce(U4<b_JY|J>o$Wj=)RFTwH27$SRTeKqb%*gh<z8W2SO3Y?5{fWXSS
zli5e-UHTeD!5ieS!J`bV7HXTGxJQ4pf1ON9imlHZ{yo0i4%Jxko|9jG{@||&!zGk&
z2e-JXBrbebdiVaZdQQA(Ni5$5zFrj4H)FqZaeG#+b~&5;9LoRms{#Z#Bf8PUP3!i>
z>0a}lq>A`^$a^8*rv0JG^{Tc&>UE!(Bh=H_`PT=2ru${6!#?>yjQ+W>N5pD{DE|Rm
zh>)>WTg9s5(|sW-+~-+r{ul>;JriwbuXnIsA1_h<(FbQkl%D{16Bqn$wjssNPCKaF
z&&4#0d=Y$RN{YBor0e90orz^{yRI|x@8GHIc_CyhMVCY8!!`B4m1F(=GI-Q*)O3Yc
z=ELpyvr?4QIPCp}AK(w7t%YRXCHm4>nD*_oE@8+22~K$F^7erbMICD^K6)mJhZE58
z@&CS*2ylK*p9gEV36C$n)|*(eyodGw1mHP?@jn+MHgfWAYIA$}+GEe35d54x)A7`~
zl;w_4ooPuydTjkj0$%+r%hRPUw0$b-E(7U7zEkM<6yUBj!Cyv80yUYXz6S-(+IJv7
z1g?81XXC{4$I_XH^9<?_+hYCm5%4?d&fLt)m+vm~lie(}5cfuTI&cGTZ$|+!_1|=l
zCoCsIL$UWC7{I452pn(!7+Z9&Qf^H4o~|s)Gl5qgj<N14y{`PJiI#_(j^qq-R`4s=
zXXl0**hh*DX2>6n^xi=(2wu_cpv7D}udj1KMMCFm<QL>Z;ACugS<IfNyfu%X%HSuN
z*+4D~9$CF1YI}01{hUO5-ofqv`~N2*;1<P(cDHw`thEI~j;1jl#rgv=@OU+WHujQ}
zOnk>oT4xQ(u=T41_<^t-KVRCG1a*5{<CtF>Hoi-O4^^1>;_bBFtr0kM2!F035IsIA
z@VSlN%$i(T%axBelUng_*C3Yx55^N5r`J<iWj!J~p*OrZiCh`nB~C*{<$QKg&AONO
zsJKWfausmCkTzdsj~osYy1o<Yj_WhXRl$EPWG&E4l*Y<tTQn4}y3iv(2Y!{3{3v~`
zhbVXCfNuNE|NHz;P4EO;9u?{vg@;Vn=lV|4^kMVE1@Iq(jka<*nG>D;?t|gmjoAFF
z15RYCX!Kp!+$&<J_6U8PB6j`gg7X&ZR%gz{M;4NJe*d#`k`_Haeem}mO;;CeC)qqV
zW|cxhcCpuwlIpL!65zP~2A(huFAD_T3vT1&X~otj#*ojVXR##yP`rCMi!kencM3VG
zf92o$k8gxT$T6PV4cmO}sN$TC+#H;Ar6H8bbAG#SNm6=T<v8~EuYzCQxTCz;CEZ@2
z-`befeF>YtEx^@C^Y|vWbT2hOiz7=)sq;bgEx|dsZtI25C-IB@6n^*E%|{ct4Y;e8
z42~#=g3+9u>W<Z9_iyC3;DoiOPTn0pEm?`bn)l3q4V%C0!Gj(5KL<XikE5VqKA+j5
z&W!R7;P%X1*UcIucKS{GNhFncMUXp!bF*3VSeBSiMHf*U#%MF_BfkaCpWWqEZZGh|
z`{NJ$7r`!N$eqB=dB2hQa67YvtAq+?h8%s4{0=x>{5(q!xn}>(*^SC^>zx(kF5q>a
z!UJk%g;lcOQ{lJR?NcIm{kQ%U#h8O?d_O^pE~U?zi=)Whz%7Ce=cXL5edhhlKDk(H
zjEyhu;OZ4^M?!uY?*`%vQ*(!LW8<F(_~#r|yuFgy25YAyg1<`7@S*yi;KxiFPaZO~
z$`3QXIAk?*8+-l_z^8=fGH->ZEssVzOOTUDN27cI_(S_%d=g7XVK#%p6dMCmZ2o=-
zE-=f=c1PNnxtGk4K4aJX5XuLFM_#2)k-!TOS^VLeEVj*t9sd#d^q5PEcYaU5sSB;?
znil~!euscR-bq#&-Z4|_;x7(lmiQ%&>W6_BS?UMAai7z6P*ZuyYt%c4JObS8W7!K6
zJH?~tt>d;OV~4T%FACiKf-V*3(LaNm+H%!@QbpQPJ^|d|zGJo;_oeeM;*?fHIqkxb
zCxZ8k6$JN^^z{s#JDMH0ZHetKWP&dojMiD%RsA^K9(dp3Q-v+cXM>k*PA#?sF9pw(
z?ZpW4a$)1=Q}9MyqJ4vnhLA@U3#n<zLL$oNfHQN2+~T02&f+T%CQI&qgYBQ>g7eR=
zkuFpc9JTb+d&H6V<r&K7fu}Y0%eraBHwJLMY>K=Qxqv($94}>VJ3pe$adN7#?%LC?
zKI8@9Y?Ly5QkyrZZA>d~-mkVYMP3LVDQ1{3{cu~^VCcKj_@!&u^-}^a_lwW5(l*2D
zz<AnVRrgdR%9nz>(Ct?yIHjmJB(95O_R6y(F9V;mK2ej=uXovlbu8c@j?@u(IrwC!
zmD{~GW%(JsiRk+ulU^eKXDLE}yGj@_#q6fR@$_Yr{(W~h?EHQPdAr$^A@6K93(E%Y
z+Oe}INKyVd_>SHE5>mSTp^Dh`i04xRSiTZmw&3<s^WoElzs`FyQCW9m>$fWKEjc`4
z#sa)DS39w2zZ2>qsD3qgsyOF^M@odhn{HVfcS(G%L;eCh;l;r?C6nJl^F5!OW*FzO
z{;eMT6@{pH<a3efqaB;p1g)2`{r`XdREPjq(nv%3o!RL^8*?Flr(yVGRR0y^FS<Cj
zoq5adS~+ntyY+tlD)QIhUW7lXFBCtByrUYIM9lgE+ka>PugD1??|7v;YP@V1qR|r7
zgz|5|_r<@PP~Fe1*7bAuc~ds-g#0bIqc`EPSWXAyFj<}`_cJY+zXKmTTXbEyZY+A^
zIe~;|*XT8rZv;=X?yd=?VG2!Cn#FPGU%QL^J@_mKLxtEe8E^WcpP5E)ZpR^S0xv7f
zbfn^^xpTht&5%PiO$zd6aGkxpM^D1NrVcVySBA8hQz35y|5#fs)Sp{!HLa_8%E&Rg
z2YDxWf)VS$czy(z!g0+BEA{{T`}{6&yS$9*Q(kX6jZbpgF3tbBj`BU=!xh)wZyR}>
zk2_!7NtDIskGvN=bh4sC>b-y>ZN&O?uh{J0--KHq_*hzm&xJ{&#nnsl5goci+y61H
zAN;*bPPKE=m$FjQEuUyTQ&;3e;3;vzFH&vYt<RX&D)7#4WBuV6cz5plqv9{F$0I!p
z;tm`NR7Ux6@HZbPT<*G+3-#pgJS7mmgsnd(z(*e#q)|#;do!FV!`ST>g1!Ee;6%ym
zyOSNi8nS7ed%m4H@CntQ0yp2#Sy@!z;ZiutJ*LTN#f<zDc%X(W)8RL^-|V%hd{Wjr
zu>S3zmx=)AIZs2!pLma3Rpjmyo8cG_l%IqA=Sx?N=1y}l4-9)0^e(z#`v+gZ=gVE5
zg>}nZj+_w66CpVvhVoy*`^(rpe`w2)lRK1N7M_`@NB#|5(ZTy?RkK{KA7>%!?<<UK
z$d|y2CZ0=@;>zZA6$v`M3;y}gOt{N3_}P_il7~^OB+D5dVI;1{B~X49ykP8%VcQ?B
z%@FFd306TRSpTsGPKTS8niLddW$G!Wn^HJgf%5C%(v3F0^lqQx|N8i|y}gS<d&qx)
zFK?d4w_%(o#OvJ|tc#f-LjLpL`pViRdaj1PB0Gjb?NN&_kZ*t|P3521DP`ddwC}Bu
zPb|Uun@#ZR?&&1~%FE-AV+4{fD{UB~{1!N6y=qc(HJ=)(_T8_?G%t@L-vi%0aW|{L
zB1bbSgx^Zdb6XtwKKSP&BLg0PV%!$Z?0+f*<YM~|f4~o#G<ovqC#qR;QU)L8ZX!nc
z1Am`t1UOYj586PH3%qn^s6M;L{onsL!v`Nfohikztlj0&m-eIm-OHmWPXN9i7NSL4
z`c7J4(X9N(;sH10gy5AnDx$*4TqGiVQm52in!At_fxl2A7JVvM`A6D`YN@E(FaS9*
zxPsYj73ptn!b)pH4Sqw-Sbt9fK0ivM^K#)xpUB0t2~KanVCxrB@HO-7s6$brE%kp`
zbtYn{vHANTxKNJvc@D-8FXOW!{G?;j)6ntB!0lf5Y>V43c(BxwJ&AkRosFCv{NY#8
z9G3BWiJvG7PTne(!j4Y?{_Oxk;Qaa@M-z@q_>4V%SpPx^9v<izLDbHcv?q^O9A_za
z1l2zT-Zb<^M4K2lH<5Tr$8XsTJ3kJCU$t_6*48^N$;Q^<JmD~4i}F<93%&!taHo?~
zYJ5BkO^3p;^&2(#FQ;QpeJ$l~BO3dTXJp0=QJw}|A)u4g^bl9qtHe}YJKm&Z<h0;B
z#*O2~)QR_Akr9>^O_3Z&egynx)s1$AMn;E^&o4;_Ex!1LoDMwu=QAzy6LoKMnVt(j
zaa|!pP7faSVa2m8*6Hyryjr$!`npZz4B#e|{hE4;VmcENX6ok>{nwB)fy?q%^VqC#
zYZ_QC2~=Iw$Hq?<aF#PY%JqluJ(qoulT6*5my7aj;PcG}b;8$f*d0{(NdC@MRvkGv
z_?p&_F5^Wi?ba<bP9Y^PY=4;teDMMPg^@B*t%fQo#k!FuJ(QOOPwihFFo}-6se2;N
zGM1OG61f!k`(EFj{EYos$Ji2~v1TnV<TBt{ghp0hwz%+!^l&sqoZ;Tc6~L8$ecT-~
zu<iX)IOu(!r(yv4N$`(69Ceh9dH%$=&%KiM+WPyOa61Lgwq9Y>n*BLk$ed#MR={0s
ze@p}1$Kz+{h_zU;r@(I0{WG`s{)^)@!CmHOC)bKAK1(dU9!Og}i~ao0gHvw@x2}9V
zAND=iqJVxV_U}OpZWq8g4oWK6zF&V;=#%gJ$BKFEKgJn?R}H*Y*~cehDflIjotJ>u
zg4_t)*lys!>ZugAwq$#YvDZ4-{**EJm6bYjg3m2m#Oh&9uMSs+qr3_DThijCh6~vf
za<bVgc0+O4&)*c>Vv>K&JH~6jLB=<Di=j0M<;}qBxDD<dUwEI=I`%p$dR7{{K3fm|
zb=SZ8d-h|A9V%3vTe5d3e#-P>>qqOqx7rAB6K}28?wusFVJK33p8SaZ6{>%R?jJXA
zJh-V|s9b4Uzw+B+rL!No2Do>K=S{`REB-h6SJb7c)v)>(!9z;9@;>(M;9XdGxYuH&
zr;YOF;5Uhuj<L5K+&mfRZah92BZu4yyt>kek>-U9-4`0oI-#&Ftp9Qa*J4OCInZM$
zMVjfvY3YoI^?!BXW9OyLzo9>4&a_0|@>X6PtKSXYeznx-^Yp6*vF~%=4u?m#qT}~~
zF9leB+X^3Koj9L)C-qNFD)JBDs&w6w{Cr))DK9SDfA_P*-anfL|K;X8e%C`(O@NH3
z>Vu;VHotrWXE=+0_O`Fx#8|D&#k`$tY<)`n_f{YQZcqGS!u;FTic3w;<VSSFHqr4F
zz<o1(+;Y3L&1lmig7%o@{g7V)Cy_2rr#JHD4e%ZcFMAT2fZXQa`U%mC^xgBacpRjX
z?F^dO`4<eX99(btfF>}=uKbT@QP4?j{OJHUoThs#PEcsG@9(jqA#wwoe}}+NgbNF^
z1q=W6m$#&)3&wfa`fL~cO=^+f8G$!!E3Pg=7L<LL(Brd%-(N^57okp}DDqF9FlW#e
zX+Dko26*_p5yI8_5_RP@F1KR&6IlQ4%JA1+32>`(w^qamEY^JNIBRY<|25P7cMAnq
z&~u2m%v;5(PF6?w?V$$NABKUeu;@sxY9{e-PWa}I9PM2GFOCZbZ#orCKshBVSzO{$
zRr)hk3wZ!MK2g7`Q{;-=`>8h~ue~lv7DXNpp3KsJ)@<8jgoO7hA<516*!h<TPV!y#
zT5Ivb&l6N5KEhu*Mo~TqyzPnisqx>g-314ZH{5hN*oQn7{Kd0Y&lB6jk_o{&rc*1q
zKFHI-3x-l3^*c30&pkhtE#qhAg**e?;r_L`0ba>+r}#L^R~IO;_5Ty_$x)O1$BF{;
z8k+1MKIO2#M)^$exg<eJ7c<7+$qJtL4D^q8BhLaKw0nt@S(!7RSS2|`ToTZRJR4jm
zIKo%Cb*o{l(e<b=Z9UeXJ_Ro(_;g<CD;>AS%m<zf*F|i8%?1B1l<sstt>gWTW_i}4
zsP(@GJ-Fq8%RSPltgSZO)W8kjS&8@F`;T!2;HsQFZRBkE$;&Cz3~s`HQ^*U!DX3oN
z`9)>-dorl;4cEu~MqUiQEcC2*67NWHsqIbvAA6S?ke7h35~_~uU%ywRH`e)OFyb@T
z|CNF#og&%SdKFz^y6H0N<|0&%@@3$=Z0q<-Lr1)Gb=~z3@tnc>=W_7&_}L=yp@O@X
zW4PJu*3mmCUjaV9!IM`LcXBk+x3+KZSm8V5&%nK-?`1}d8Mhq~H@__-owkMiIry{L
zY6&9+U6}$+!>FR>7VP}21b^}4fQijF1*&{u3dviUblB@(1%C0|1EataJsnAcivmSj
zh4QF=Ex2DvA5$V}5<@2$iGJQ%I<~*}65P&0`pj+vWrlM-o+HJ6{4~nH247xJWf&Ur
zJx91um9FfpjLqK-;8H}{a*O$No$KWL_&+zl8>0LuT;J*Jk31qLuh)o6x+e_~q|PE=
z1E*~mH&CtM=UZUwiC@Gk=0PqG?_VbAkea2{i+;)?37hKd>&4cuPT&E=jJp;^I&7}X
z@`>k4G_dO{06Zp0kTk-Y@{L2OtlA&kPXko{A$W5c_3IXT_iBgzkD*O_W!U<#2t3&S
z8&{F5Z&$AR)`+>bv^UBZgJ0*-_uo1la=0+Ifii{pxEt~TaOa_Ln&Zy<Iiv9n+;(2i
zZIEw(Gi`EFvG`h<)p0V7T}{mUh8)NA*Ovr1j><&y_a-KxIXvx~A=mXNkyC;<iC;4D
z<UhM*ezVK*C1JZTaslvOKEk`PtUr8Ot$(pC`(DHPdvWj^#tmW`w}^RC)-#kQ6hp6}
z{Aut9<n-T12U8d_ZXM)3-QLuUTn)S@)KA!^iGkVZ*ee4PV`XdP>fpn~?+IwbPd4Wr
z?o=2NB;Q4T9z2GBjZ5rYi+)CVp25#g?aRpRz~|L){De%Wb(a*b@c#O)!j9Y-T<$i3
z(EUo!k)kZBa~JNK97BE|e8*&T{o%tS`NWqhDEzy!u<^kkJibxeaM72Yeb9%PPouL3
z8=r!}c`uRF_y%ZHELDG1_~QB00o4x%Up=5>y!*I|s%7C8eny8>DDp^fd*Sx_C%snh
z+lH<jcu${;UH^~4%bSyibnnQ8+&d@}H0!86i1JC`!OyPHa6WiYcipO{C*ANm_WBfq
zlhhjcUyhF=BTPyo5L7=Xfbuoq$u^V$s&^`VPbC)BC!BS__Qz_$3%@T~ZaOHXe?0a?
zBdv%STi>>TyVFNJ<~m){c}$#(xZgXr5!G)6XCG$U<vg6mX3$kCqgySB&Cea+PxPy#
z63gh7^2MVS^ywHMqWl2(s@2KcTRiGA%Ff{zJ(xUHkPm|!o{*5`usk=Trh4{w)Gi@*
zeb0bv=x;6BjI*|E<mN6M&s@U#zXfoU+^YqPPw|3`cFi4Ue{(0J`YYgD8LYXf90pUI
zIf@5waWZ{H&JOE?pp+!ean_J0=5oWtuAd_gA?E-uS^I={S;KwrQ83$9H1|XxaxU;|
zAq|3YFYCtBJ}^n=v2!IM7Xa_g3D;sgUE`~#W69ktaun-N#laI@UeZh*T9(mP4ogks
zPQ>OH3Gl@#F$p4j7beHzg6QUBi$titG&rBdsmp1}>&a3fTG77g&NawSfQ#>_;j5o(
zv#Sb8=EC!17(gx$j(=@!s*U{_^<s7*<%)$aHa;nWHy2*MEm*=l&D)uvVrKqF3FS|N
zo3?gZ1^o)8^gsUlL<9*%B61b*@|~gaP&tyod75okB7P@*<f`CTg!68(gbNE~tJ=$D
zw|=Qcehz$O)UVFM->#T}q+|8j+r(Pry5Na6W4Xx-FAcStB}OE_sPH4#13&ZTfheti
zx9xk&(xJ2FPc@NW2A_^_Q}C!Fk}%n?3uj}V$wF=bet-X>tjo-=ceAXI@}qGZ*!h12
zobpCh{|~BIF`5`be{b%1Y<{r-FI1r-)>Jg4oW6&Xrkp8$it1Z}UnJjuFFn%U!b@`q
z?`gHdVdVd8MHAo_IU4Hks!PP>zsuP(*lAZqehu=!m+^FIwN->|Y0k>2j<jLdw=KB3
znyglzEl+8`?CIo_w^$WX-X8qK<Z~T^Y@RL(kpsAm$RKR}=m<XaHd&jRip7*i&Y|pr
zuOoK-Ie{Dh?5EuJW?#CwUE#~sKZwnL&fvbZ9@eT-0UJk5Z*)lZe$zn5zXRT4(x0xG
zTe_$7E=KuBr<EUa7jVs2hpLTB*KC4hg!v~;46yOr4V?T`dX?+*m3uakao>t-%}Y_<
z1Ki@;;{idIz8f}~$Dig@eZ$u8-r!AMdI|>gEV_R})O5`?65Ub$F1X^=u%Nv6*S>B_
zyb-c<Sir9D``|W-S)XG?R`bag%gXqSkDW((e{iwI3if(YfB)hQu6$}D&K2Yjz=`|`
zqv=BCQuo~K(#NPZ1(64W3-ULo5!90eM}84qQ$1RvgFG0VPfB&5ti3UjLYjL?Cc2{x
zc{upn465e7B|YkBzjVedi<@!C<G^EU=9Hd}`?K}Ga1mEI{9*(7WAKb*_6HJOC7iV7
z)iPy{TItB+!8!lbHS3VncbnK*MrM+|$wQt1es)L9%Ey?dm^piIB_|>XTmL8iTR;8n
zoo|j=<n79nyOfM;YABxs{_Iz+7k`JX#hTx$BctXpcK#=WPe@r4%$x{_4Sj2VJzL@w
z*8in|_iX3#g<e-QI?S)MZTIMtH>#fs9ywQg(L#!MKJ<m(K@oRC?ETdY@b!0t4XOJn
z2Uw?S<Nah_^P>C{a1vH~zs~PBY#k#OakB+KA0y8M-!X~0d^P>HX?QeMS~n##wtmY3
zC%;2}x3h`EMPW)T`CYCr_VddI|7x+p8y->8Y&JNvOjTcu^%qaUMW-xHUfO<Pbo%h;
z_nb&tCpvx(_&y<RS$yx{u&|(!cCXY~b>z9=o;^F;++NNC45kAXo5Hmc$n(Iv<yIa=
z(fXa+NaM{k{rZj=c|JG`*T#DG${Rh7)h&*y)*7sTD*&(JDh?^JdS@zrl(q53>XaVJ
z7lNnAH#jz~tJuVv>fN&nf3k?Y2;45Lw%hFn{@jh|$_X#h@E6F7!Gj8pSoBWcu^5k8
zcpNV!kG+3e0)8Pe<6YG2;bN_07WOJ~zeiBM47_oak%7R#go?r}Y12^a|31IA9NgW+
z)pdV&nNUZ)W+sHA1v`JMz&(G(dcU-?>l3w3CbVF=qm1gm0QdQ@d&KtbHG(~Qjhy+3
zT@U27;F<Et14C1Dylf<Hw>?=eWBU(v;M2Etk|TYGVt&01+Bj5^or&`G;B|#ebl?5=
zE-Q^Cs2D~%{QXV1y#zON&G(OHNfPKJQXbs%2%i6sagE^i3l9Q?KB;zoul2gX*du%y
zc^f$G8xzSC!m%Z1)epCDe*D<@)C2A<@RSM9Tgr|_Qn#l4t|N-$dcn{1e_Tzbyfj_d
z=Ax@ts$zle&<AeoRZ+$#cuukPD*ceUe+l;d$HDWIh|VT&ei|8&@2MYb|G)Wd3jCZ4
zvG6I;n1?4;zKTu{iMF8npTPSI!{W?n?{O5U>+%;5Heu`Q&)|WRwy|#E%O_=J3C}k2
zto}y%S#V8l2liVmJT9c$I#gt}t(3^;z(0DAHBK?#J5l3znmoP7We@ox_;Zfvn|t^(
z_%p|{+sESDvGe~s_z^9AK_4-%;%hl}kHiB+vHtW2xE({=Y*^!qZ2yOv<c{0qg{b}p
zI8HS$n`5Fte!x)YxL#uDDDqA4tJ=did}w*E%n4hCtS4WNM7|Bq8|i(k!$^_V?Lat5
z(eD;v<on>dlu65_5^gIWQY&Mr>mB@&A7J_GO9I?}X~z!5*V-((TenTtGvcuEpBVhU
zt%dZoTg1%@Cr^dP;zzLkeNyo2i3-n}9{<W#xySibd&v_!KMsN8LMwi++*VRkIiDm^
zK4ypYf1ULI9AEx}?dY6H)yyo7cqCqgNCA3$UEr5!jP+_&EW0d!JR3FV6Ea8s2mBAa
Uvn;88zSgmIT<C^1-Tr_6KcJcZ#{d8T

literal 0
HcmV?d00001

diff --git a/makerom/makerom b/makerom/makerom
new file mode 100644
index 0000000000000000000000000000000000000000..e2ff712478639b052e50af158a2acf3b2835dab1
GIT binary patch
literal 438222
zcmb@v3t&{m^*_Fw1XwU|qoPJdiFVQ8GeNY8hPn$0+{LA)0!l>%3q+`(5q1H~Yvb-h
zF4xsqpM88SZNL4BwXOJq5F{@i0o&Sut)lj;5f$%c5dtWLhwT6JnYnj!gGBxI|4S=(
z=FFKhXU?2CbLPz4yGzP~BQxA?m;IOF`hknNw$VNTlK;9~<!AO3dH&;b6}fuj-wR#m
zy9n(eU@T#ougkN;B5glCqSWQe#4`*36=g_3QHD<>?B@UpcG*vxLq6GF=bz6?%IDuQ
zB%k)v<;oM~tjCg^ezH8LUxk3%PY;>FU(F@*Y1bortdVck%eU&;&sK{u`)T)&<oMq>
ztAFD%e8@5H<HJ=d{_T8P&AZA!4NYZw>TKD|sk6%jrv3cnOj*%>+Vy^fda`F0;ct25
zSmn1^?R6)YcB_B()5^N8o;l+u*A2aT=F}@^&bTi;|H}DA*Ijwt(5vR$f7KAtZ_+33
zs2`3OE!lF+MUFi8$A8oTme)4KuHN_Zo5vD^KiK;5!HJ9SdhDrM;+Nn*(h&V(!kv>r
z*f9Jz_=1NA6d%xS^#G*n-;aQQMpux?9q9)CAWBb#Kd>A8iQV8|(+&KzZs1kjz@O=+
z-LJaAKhO>Sl5XI=yMYhs27XyL@YUV$Grb%5W8Kj4c7uOIH}FThfgkS%zP=my1Ksd5
zxf^(}8#<qN10T^1ysaDhS9XKHtsD6CZs@$&4gR~`;B%IqO8-v)KM!Rm|847r&VK>%
zRCF@B!JpC%ep5I2x!u73yBj)x?FN3Z8~Czr;Ox_>`W5enpRL`%pX~;o(+zxJH|@^v
z27gC4_#3-{U)2q~q#ODxyMe#b4SW~qpYA%>m3Kx3QZARhK8^-H;rS=QU07G9a2dJI
zH77KCO67yDNs}sP&$usCF=@*5dtKA!&j`6D1#X^H84gWx&6$1oeN%~d-;`OEe9oRS
zeKsl}H8ou6nlkhLIn$=jnC+?vO`ADW;(=gj#;j=q>Fz1_lIWz0yJyUFk>K>ZXS-(I
z%Nnz%-92;W{ZoK;_nbM?W``sW=!Wi}=?cvb-#6v%(6sA@x~51p6wI7<pKI2%S#zd^
z*bx5js+cov+P#F4xk-~M9Nm}`ntFdY<f;(85P0{47_)Ok1#np*xF@a9{o$FeS?PwR
z+&yO+Dc)Z>?LM+PY0~^Tp}Rw<KWWmG(1VrJCjDd*Sw|bwW(#TD*QI3$>u$j#>CSZB
zGc7b_-c(n`yxB8C(_9tk_*B=7DfizucT$=G3RQq8mZ@kHZAldJfM(}78nD=5H)h>G
z7Zizu3h0QG0|yu*bT@=L>+Tu%xhlZr{gBq|X&jY%X5D|ERXWKvDi|0(V$zVSu1Ti~
zho+OAsUcTgn}%L<)lg_z27HTe`d`*JmfAJxp=83_wDa=WmA1_F1ddF(fe+Po+5Xj;
zGiLOq2h$f04Pj3__7vQi9<Fn&e1B1%<+|9)htHeQo9$j<<wNH(pON;HI}|yOK*Ys0
z)BdyP7rjRMNcNvSzX+$_WdG&nNIJa$Aiwrso&ydR(tr65IQ=&JufPG%vVnLOIpETh
zm4!YBoPDtWR0o_q*?;8@xNSRFHo*ahfYN`H9q>MBsLM6o0jDo!|5ZBR*)|Z*`3^V+
zF#Q*C!26}4E?2b!t~lT|4!EroEPloTKiz@9!U1=#H!B@*YYQN1t#ZKWQ`>*F4)|F%
z5YI*j{A>q&ivxa+1K#R@(|5Q3b~xbY+CV(p9PslTaKiyV-vMuTz@5%~hXa0r1K)Le
zr`}%ZfO{Npu9@~<jsu=&1M$ptz%O#Z^BnMt9q@by{Cf^~fdlTGk3|mnAP2tB0l&ln
zR~_(69q@7oJl_GI;D8Tyz$ZK4mpS0m9q`K?@Ja{#3I}|?15TgR{);%^^d0QKY6tvk
z8;EC(176^OKjVNGI^ZiD@F5QPN(Y>KEc<Vj15V3t|J6F+*V;fl8y)cL9Plj;`1c*~
zRtLPu0pH<(7dzl>4*2yBxZ!|vPh<b7(LEkj?=kDdAeS0%4D~Q>g4I={8$BB&M(Wz1
zpeQwHD*jal`jBFtyDOL3mcrkl+nJ{cH(N#i7UpTX%|?+Q%{)!Exk}`RGfz`(t`Pa_
znWu?1Yeaqs^EAz7MC31Ho+jC>6#0vprztiki~M=a(*&F4B7X++G`*%z<ohsBlWP`;
zd<OG0wPv2kAN>k>npiVO<PR`U(`vdzemC<psb>2L00!-3o~G1n6Z!X;rwKJ%MSeT;
zG@WLn$iKlnO{Td@<eQnNsWexJd>!*Nk!Fp^zsx*MqZtwTKQd2~XjY2+@0h14G$)Jv
zFPWzaG|NT)=giaenLd$U&OA+?Ss?NcF;7!x=862zn5T&|b3}eN^E7RyOXPpbJWZO}
z{uTTG6Xx@nZxi|3nWqUeTSfjB=4rajMv))QJWZClO5}$#Pg7;C5c%twr-?FaM1BbK
zG)-ni<S%2MCdsT6`HPvSDKaOE{CUjN1exU`e+Kh3J*H3O`!G+FV-|>f2J<vEW}e6&
zJ&rt0jF}_y2bia6F<m0Rn|YcPv;DXjf97dQ%r=pKk9nF9vsL7`Gf&fDHj4Zk%+q9;
zt3<w;d727yg~-=2PZMF*i2TdU(=?b7k^dv}Gzn&<$p4OcngVmO$p4agngFw0<bTdQ
zr@rY!-hW#_OR0(B9{;Ung@^p(1KO8rVoe*0{o}?Yo?~LXs{MT}C!DJ78>?z>!6f7!
z{DZ1xc~LJ%)k?jdK(t{c5M1H2>N(ScTFQ9q2br#TqY^ueykB4Bil+klvS*M9UF5%^
zp&f}OxdHuYCj7;3mny*n@stvaA)8zrDas3f9MB&n%|L2d8y<o#(!^I2KS~9(r&+q(
z6WjXWb-wC1qr2LCkrR!f3q`se>9)|h(T_R`4@Hi&`;;d(t4+HylG*h%JjovQv^T1|
zU5#%KXo4#xJ`saw4#Pji?<@{Rih74fsd}lm+~3lR$brO?yg<vSqDSv7bK&W!oK@x$
zLJ4ZS0@^4aaVH?5GBFv6@`HaUY&1urz2!NPqkTd}k)wS>*F=sshqEK|-Ek#uLQ=_#
zBS&{C@ehy$Frvi&iPUmmM#;*Mr{sAhz6n`Nw(hw(sy-q|jW+gBi${3oU6njjbcV9N
zXBcH2{xF$P_5NN}4|zSR_MwqCHbV?S2%UncDg5ObC4IxCk)OHygnuB&CCc5ZHa2Io
zt52Xs2p33bQph9&&o*Q;Aa_H6U!=@4%)7u=NuN*_Xx;D)R8oS9HGnpalo(a>e3EDm
zj|3}_MPKB;fsoCPRE3i$Z39as5aL!mK@CD|Kx+B$jA-M861TGKCFCS+6<xh4M@@`&
z2ee0pG|s4&Lbaq|3F-fg;S}AecuW?=Q{h2nS{O57SvmUZFW$VQXR6V!mAU-UMVJa6
ze@mIz=hULql{^De4T>cc?BE~F|H4GYnwvZEPX8VLJN<Y0CvEVL8?Swd*?0`Iu{_!!
z>W2Dp)PGtkl;NyocJ$4Zv2d2i?Sd|Ppo>90+9u@jI44pA8&h?iquLT3#~l8Gx-LdL
z;e)&+dSW<}a_;$4NV0~iM=3<#@&aG%(1YLiRUeLihDn%e3=I@%Ou|%K=)CBzj=~h?
zBWGcY+VmM_VS}874RT^tW~lBC$%-Z@s@f}Uq@S3bfuwBpffGow)&HN(jY*Vef^a69
zRHJ4ly23t))`QyPqFJj+O^C%dF#oXo1_Oh%?3*w!DQRF%(KWQOmJ7M6eP*>&*ci}0
zIrsu3$9S4r9L>W+yTTiU5zPx~L2tgQjq?@+@lO%6K2-~O)zBrVKukdmdZ8xD%T=vK
z=!&X6&Z2{VNM5ccbU`*DAZp?j1|!wPIu9PkoN^k2@M|rZ$kBr<r#5Zy-{!xSR{tv~
z)L8AHTD3<d_MqX?djAoQi@zmK)nK)T9M)}#d28_GAJY^d|CnAOQZl{Dk*;;58y)FZ
zM|y`N-Dag*O1(iQjaSEH&;eC7*|rjkLwO(vtUoOTt^iVDqwi1)6!i(gQXP2>W&ZJH
z1<;I8kLd1<iWjtPO=iZS=8S_cgpiBubcfu36rD20b~Zr9m6*3{1C3o8V1NFP4IBuj
zd%#{Ru??67jvlmiX@J7`&JB#w|G?S-J<f@%CKh_j1Nxua2}-=i5@ARJ`jgKfJw}4K
zZs!FOrC#^JKLoTmvD8GFTduQOTvXQMVxFhA0D-CHePUac>Rj^eK7i2(Xo8{=yBQ#h
zys|o@<Z|VSrjjd__|*W%wqgv0XRXAC3p7D0kczWOYgre~sVB8_5wN>&r>roArV?sv
z<VbI2DU=(l)_O7t$?^mb!eDQ?`1V#}t1y_6qj^f~Ig$9D5_?482>!7s_EF*&0Dx!g
z*Vt>6^i^U{@Y$@y@5NKBQn81SDvQHgTIj8`*8W2W{}4Lcug8T^PxS8<Z!A>;M@zMZ
z-XI+T%;~A#a)GOAGrf~(2@)Z1xte&wOC{hSOn@(y2zo175DaSjj2VYgDSA#5u<7XR
zQ!YF(H4*bt^B_?=h@yHCf$S-1<!d{FT5^o`X+YbfZPJCsF2)p6;@4q^V;St_t{A8f
z0wDgm5_=DwB8eK12<ky^k*be_8A`k=rc@9mjU=9U*t<$J(qaU#1q6TbtH4n}`(JzI
zGFM{L<nY8Ua(H3`Pxi#jb?}{q|6;zx6h_5mK8I9nYj~hZUW8^)9LtAFQxpJs^J$<^
zpJ<Fk&F|dc%jpJJrW<^gDUxD47hCOo1i^@QN(xF7^IMg8Phcc-EKOT>D{>_T;Sw>t
z>^oTxBo@ItEEC@07;TzQ&NppVIe?zl`^wP3p@3GVVl96N<VhF$No}>}0UqthsR=bD
zta?C8u++DF2-nsjzUua9TU$wEXn;tym(aPzy4uKfRe7ROZEC}^Dh{QSJ!;93>TXrz
zTQP5`8lm&8$q7xDb2F3&LFbzfqcAOii>{G^Zo}p{`DW+54S8&dcV$*Gni7oCGCX*7
z^%lwHc}$SWT#kDq7Rc^+v=|gy5zJ^d1eUNBgU1ulUptkAZk0m@+rv_>&-1UeU3t-4
zCGJA)bhkzi5#5R>kHNpsLf;%J^Ub@3=jCqUcS1Xpzk*SSC&}E~phOF?o=;ea-vcNu
z#0!9Q9azDJJ-S^C-298W7`M>q&N1o}USUoKsqf6`Ym(EyNKT(i_x*>3?0fhRW;OyK
zB|F0xO9%PK*bu-$E?KF>jvPfFu+tdH-OnCmU>oAa%zVg_=J09kS@=rxBW8Do2arPe
z!sVkgB1cgDuYg95JRk0BHp#lNwRnE_x#7CsIX5ai<Wh-0O{&6`Paq{YmHVN^$XX^5
z`yq#k?;HM6@*HbFw9mM$Kx*>YpqG3XJF7n7A=o%!KO+{Mj6jQ+Z5TGrKZ6fBQ3BCF
zQ>ik{v&aE<ZP#<xcCBOAcKk>xmGp{T+kPbFuI)3VmX~Klj;;*#jvR$F-v*#_vao?V
znwc)`%6Y^6Yhm>p(VcCPqm7~SnQD(5wPwzCF>{*Lrk$AGby(uCb*-~zw>@+2MN{eV
zzUyk)@e2?SGv7pssy`v@cI0}jaO_k`Z{>;Rl03}E-px9e5oPuE-mq~;1#V0%N|7R0
zc)Y4hpGxjG<q9+R+%!~dn4a*i085))dC5!c6{O4J0oTm<b*XSWH=E13ep%e8`om%!
zD{Ks=*O`aCJ3x%<O&gx-;BBh*4qdrM<PQEZO&{w}D<H6^vMDsNRy3i+Dy{yqoGp+Z
zTX<bAk7<f+fP<pky-5GyiAFjHPc%ams~fS74#lR3hI6@_9zl{OAM^cVJ~7{4#WV6C
z_N_7AGDyor?944mU2Bu4c`9YUSAZNhma6u!mF9L-w&JSJFnNJR1+O*03u;HvL1Xd=
zA-h-2A7YKRbtIhsU8ubbDz+|#2YrVc$sfa1Q{CdfC8OWYaJt(LRZ#WEDK*(m*)_4l
zwp8i=C1xtx#+FiYQ<@TcH6>n#h@_Yd+z9{Z3TgNm)-+F}cegWqKE@3Z0u`X;eui1j
zpz$k4HtC_|yBaAqx{gM`JvWzqY-BUm(AFY7Z&>ndVQARI-phr3eaHM0W+ioW6|vz!
z!7F=JR)vB-;};H7Y#EWHh(sJF2piWYJTl#iB_Fnkc#PU2`i2bJ7rWF9Jll}XK(}dA
z)aVP+TA45nRy=0Jcc7M%yX>?G1uZE;^I4K=4*!r=Uy0Ws_Z<k@?46P#wmrhAW0qR+
znd_12jL+~Sxw8#Uiif?8?46h_U9?Do8L^Ufp?iJ%j+hP+pOW_)Ov>m&Y+p1ZsC_y{
z+XH`B+n~f&2>vXm*)lLrQ$|HO*>#qanl{nnllsv7MJh$=ZgyX24mPsnJUk)@JGa9k
z(uODfZ(-NET8R1^C8hbGL?QwOL|BFVwBuRWD1#7~(lvro$XglI4l@dY4GK+8K1~lq
z+JR#1;aQ324MFX{y&|5V{mIJ^1Gm{CqF^lzFZEOhw?>a)|Hu-?2UPua(T{T*54U2<
z04hQc6Mlf5FNy?rXn@k;9|H!BA|=zSth8|{DqwME<ALHh+g9T1QD}aEe+1h>?55<t
ziaV^y-@32jWIf#!`>Ob-2PiCQX^q#1N#5A@Hw80lY~FOM!gub>?Wj=Ln4E$Ru_smx
z=a4go17DU!h~W$iBod<A2?4?Ooe~cu)(b(t2)QtZV{f@IjNHW=%djI8gITqa(Hm!&
z5aFGGcEUeC9p2#}8@qziPuPTWA%DwKJMw3RcR-T8RpE{2+lc}@;j<H}ohY{xlkLQG
zJ5ebUF>izk{87Z!GAYtER@(UI4OVmnjfcji!y?!Z*ijwqO22bJM22)Coiu&nY<~+k
zaxU`<oYgt#mv_=v|Bv+ZI_Xait#Ht+?4&vU|48$1Fph|<a7IPItr9DPFP<hXEsjn7
z2_eew+(1BIYJlVzy}k{PwG>7m^~g#*<Qa~>v|Xe(Gn*4gj6#@vX`2AGt0@F~L^-HD
z1K9GM*mgLs+oB(}MUK#MMXEh=gpTXZj>4^xquBB_sZAfjaa{`o565*aRzGY@x2TDk
z-uz%<s&_gll2jmCPbM<wo{bb)z}y!Fq4UjuB3F;48^-9c5kW`}>i@3ED@%0Tt_+_I
z2ONQ>KLaB&KLe@XBbB@$a`Y-i>;+Mb)FZMOsTfkr%QNBag^CiR4@Zu;=N8b#znm_<
zCo(@P9-f-K5bk~WEMy|#+m@I2pj&?$-1_k7WL9i@7~ULCyr50&Pav@v8~>3-1=z=o
z(H8pxiPdccw~X|Z17yVkMv7CRoPahGr$Xin2xQR5{;q`PcSq<aAY=*8J@2e~ikV{i
z@%QB99)aQ@gk2EOpAtis0lz=?G0+k!d#)^f2WdLC|KPJZe4beJV@=4#-&a;|fn1R^
zr$JNFJHK7_&hJ+!;?D11=3_`PqNIs>p^YV%h8scY(r_ImRUn-wn3A~@WnQ>Bh;nas
zT^f+O7|>U9+ylDMMvGn5p@4~z)J3752|v#MmQrDsXT%!k=ZPpp5)rk9Sj@EDL2a**
zkC!%}Cy$wa#9I8-jebNW{E-eE4$4eBGE~&IjuHkY;PRg;e$tHd0eD<3_-}JYKocSi
zXkzXJG|8_f_!S)d=K&C*>f$^sdgNjyHiFW=Ly0c}@5_ga{l{$xT5y<d<`esm%kYf+
zECc(GVMuiqva<9Z*f)EU`rIXxl-Tt-FeJ-1;m$%yffDbBr>Ij_*a*V{XG)9(>PXeq
zAEBJZi3mnQm<K8THh|THzjGvp+aqB$SGwF&#sKj@(4IJ7*$mk=;lJIGpP*{bcuh8?
z3G%`c$zvU*`fX8n%NPcig=Ca?2F@UCHCL8hZO8Gb>i6XdRga$spg9&Xj_8p~5oU%|
z$_hWX^avixxsB1bW6J6w(Z)-QH!HD4*d1F0T_HtHlzLT~yj=4M^w8Q%A2!Yqw8L%Y
zF%JZnr^FfLE<?yP-hv^bw^c)dSX+Z?r034E<qqShRBJ3wdtI|3=vOTdtP(O@Ev6)P
zeu0!QvUpJLmPNMNQ(_#5&IycA_Ja)0%oMAFTq9Hjli57C9D*gdn1ikrj$!;>B43XV
z_^RKwj>zQ(QXnR}Wy*XN1VtTjlrFcB-%<x#$ekTD{PDr$?%R8wmZ7!rA^r5^pPiPG
zwS|<eOXvUp1*RFrUazb0oogbk%Yy~gP1XW;9#dk0I|p{7a4RjxDc83*{Od7d2q+1I
zVP1nq(kj((fmGKk05ty_0TG@%oQZYBR`0o|2?ZMt3f3-@T3#)xg+DPLuwp0?G{6W4
zM;((m9oe8*7}>zJ1>5SXbCpi*!Et>ukNWQ89yM1UML=5)4-p3QZ8HZAh)wC4l89v<
z%1yq3XYDXgF1m_E&EX5=j&Yq}kqo5kP9OrJdMhMxY`=NMxN`$o-C2dZzaZ=Ki2e~V
zL&WGi>7_N~8*t1h+GH0hZ8=QuDu;^Xg_Of&iU7Nzo!pk~FBDSPVfN`^NdaOa39BcS
z;*x}zrI0hmOxPy`6_>Ul%Xw@F@LyIkYrX_3mdJ*EBb}6>)2WGqige7(nIzI2R;6(7
zLhc($*({|^ij!6zX<;04@dQ1LLqDWC#{sv#ZR&Cy(DSd!xKkS4kHfd&1X?<UcuG#^
zGFXEJ?^DF_(fj_Q_px`7!}JJy%_%~o!Ux!k@E#E#R${e8ejZ1CcqZSWn0%2U%&-5!
zXfQXKJ{K;%ba6?9G8fn*43{J?IgvU6kn|^v_i=~`XW||63z&aV6olfSi$Q7+kj7{q
z!S67xDG(Mn_T)j@zHunjgWl<#vvZucl2daW=U&jOIt$7V{?R;)9lUVXf*`E2iE=jK
zv-zN3(<)d|Vnaj|=-(+h0VY?oa^tradZxwEDI4x&mGM?u62Yi>4<iZ`1S1jE5Fx`E
z(gZ*3jZmbvfUdWi`L)<qKOqadHBM$f5XLgu1`^g<7sN#qK-vKrV{JGRm2TlxS&r6!
z=3FKI<Xr)pI0+MbZp)v*6%73;P77SIkueb5m3qS4MhHeHPt_Mfu-Ja>5IC=TC2q{S
zMPOiOMD&%&U@N-<4;d<X-P?#Xw{5L_3M~`S5rS3$Bx53($kifelwQfW!$PPDcG)T*
zV!K^#Cwxp80|nCS-Uu?pn~tYQRN9HjOc;j|LxTimykx12mylg^5B}kl-|;06R5CE-
z-$ZKp@Jt;2#OFbwt%WB;SvD6raeTxT=j?OjLUlKF9$e-bPoN1Qno~yw^3agWxZgth
z#!ihENZ;P6i-Ct*OBchdL*LS&6BX+1xc-85R)$W@BOV|o9+A-#0mNo37nUNBs29<b
z2Ov$%<d>~L0LCBF#AA%cjvK?}F>66UF5c!M9KoMtDXs<+VnKp$Hy^j&;55q!WsnIq
zy<WkiGc(buJwG^cpT1nQyk6Y!wfD^7i@%x3FCkHTR~;Vsjkw7%w&x{%&TrsN_R3n(
z?498$>^%BpZ4J7&^WTQkxumtDFV<`~3t<2lbT5TjG8e*e@7x5gB$_VPebi;8uA4x6
zzp?yuj6pA9A(B^Dx7vr!NXSEHL?CdW)7_ynZnIb;iJd<#L-Kg=2iWLks?ojp566Vo
zF0XT$vV1ygh1XUKMkN)K2A@ZTKE@Gla2yqK0F##?mLO~6CJ8acHP5?|>T+OM4gmL>
zmJ<O^PQisdLzJzHdujjS!J+8ArRnd$YR~gAFt8I!JFhR!2V)bFGFM^hmta5o2{I+v
zRIL!E0E=hWZR4fp#{C%2awS#_gn8GO1eMqqtnx!8KI_y~n!D=YW>?&dkj8i=hBZ`d
zey=%o%{$E7h<G0k-XPm~<4S&_#GYj8qLRCn_z5&CNO$G1mw7QOO;ci@0kxz;iT~@=
zh}q_mb|8k8SSGu2ddX}h_A6Eig@Wd9*{8XoaLIfn_Ab(94T(5{4zFA)*8g}FXqa1Y
z(s~M3Jm%9VJw-upbMdJQ`k2#BU2vKiJas`|^O{o^oNu0Y>ViDeed>aXO=I6F+5OrG
zt}yFQjk)vWv5uS!SZPN8)2h##DysTvw_WBii^|E7x$!f<7MXjdyMWs1I6?M{TQuh0
zy-YIlXnu@jDKCA>%dOuNX?X$kB0n#<r2LL6pk@Xb5f@y|4pbC(Tm>~>^?qwFnJ1EB
zGdYmAc(%%0JYqX(rcg;lOwBKuVvx~HA{8iZo!57aG>(N^3%4h~AJjHut>)FyTw|KT
z1v`j!EI0g~8R$r*nm)<`*&fR3_IZ_wkz3VNv%4u++#Cw|muH>st8PhDHbg)BFuKo=
zTe>~wZo`cvBzn)?!twbIGOX=RhJQbdLoMU(k{<JVBt|};T$UKwntUix<;qW`hNTdA
znd_;7lyh8jPZ|C^#b~v4*U}WUB(y1dWJ!9pnwM4WNsdPoXi9ryo~LPd&**Mnaxfdk
zq`t9fcXo7l9<P0KA7HO>+8e~%d1JIWa&i$*(Ip&*ICnSgJ|nt2=VTmK&z5M(|8`v3
znJCgCf)cv*<STFpspA4ruo!_Z5h_q(=X}n^PzD<1zDPt4tfkOeKZP&6A^8gt?oHOo
z8$Yk8RU12?DUOpLWncsV7jO6a#|5-6>dUioT;sK`L||_$?)m1x$W2xCtU>ueqnFD2
z;f0OH^?!p{c>;lR&Rw*_*cxAQliOwZarI5xr)uxv2D0(R&2A{1wrT!dJX)*xiIppl
ztlN=^`KZK?fogQ!DrDTDdsThiN~DZ_x49WA7S|<t?;J2yALe^wkgLv^Rw`p}M(@9;
zQWeTThU(e+hej=4#@7r6Jjmiy^_pzKvl8c(81$Syv3tG&7cW*~(x`fou>uUo8ZCel
zV^oFUwEzdS%@(}=s)3~f{Lo*~Z{F129MCozS<kWU&x{f*^}*uyfVN4A{Xr1u``A{n
zI|#gq(P?M|<3<^T76khGt+4(o!(ZUrw-$kP$VjP%_+0vkyl6+J5_=ytqa9gFEDOM>
z;f{9TC55v@#B4!s{o`IxJN$+i0`Q^4mWoE#H40I^Qp<<dRJh$3i(atBo7m#pytZJ;
z_`UINSAC8UT?>0M`bTb#A#R|vvXLZhi7LCUMM>L;N;uQ#tZ0Mde1~XepYh2SG*c|N
z^kB#mTOflPd&r<Q;~+irX0m~ffA+4`ac!7jtnXb!zaTBLn<=t0SmOe##;15ET!>0L
zP1d-gYmHf~(FPXHBs@k{@0-o?i_#QxDp20Y^1rgYv%AM3o}l(o;dZetrW8bP;}8<1
z*O%S;iEMIh3rO<CIytUIY;qPzMz^HQC8E`va3f^c&xuxq_5@mC<9fs!QpPwUF37`C
z{;&stP&*X0*B0QPy2&=Gs+4Vkq%I?ugFw${ZAqmNrq;G$4((K<pR|{c3$!$@XdZz*
zUQ>a1wD?B(T*f`%@(WCfQkScCAU;SjUcE9G4>j6>H$Fa{mvQF??kU9!nqS=6z@k)}
zHUDdwv+<ic@WR8Vs)ie7yKm$T(QO@JRIZbiw}-yC6WTB9@3iVihCRO-x*k3qZ-ISk
zEJj!F+}z_SfZPW+@O@7;I&6M35JDHGS?E8$ArD`n0)DFXPICdOC<9&Q9Qhop>b>~Z
zie6hoj`hmQS{F2&7x$I;Kula-)>q=!%2bvTzX>TSe3O~EGV7rFhfr_*Z0(#nuFNYl
zLfOii?6WJh>~qv;bH++{sF$)j>+I^Rb5uPOO;pP!raPMGpKju^bQ8Y+u!*sGY$j31
z4ygJnw&rLlBi#}X64)(t=DPo|rJK;w*xcGmHk4TFqS;Hl%!icQVVQ#55Gl5r!e!q7
zNN#hW<7h7NR3!+g`fBk=REdZ7k_3)M$V7!17>!tniluaPE}p12IuB2<IvTIBsQGvn
z;8}oY5uQbO`tbDOiSrg!#j_mGay%#CIRVefcuvN1I-b+<ti-cY)o+=vYUT4O0=&ot
z`petNn^r9z`p-K=u0}jiF1AU^>Q((96>WcX*YW5_nQ!exYG-EeZOZBz1@P)>QM#?s
z?B#x=^=P#Ks`>&Dzs4|bqcI9+6*f-X(69yb&{(~JMrT2u9O{-v=yFPm{<u_Lh(1FO
z0!FzNFurJ#d8ip0`$G5{yl@geJBpW0{=B(Yic~AEve&m-lH$&<LK}60D9e-Yb6&Od
zvI??LIkX}9jx`^Z)jfgj#+jtMdK7ucsD)pHdjfC53}K!rYtAM$o>@i>5WVe$(7f1M
zQS5W+EY3o4R@BJSZaXesGG)E)=)U{SbT@WK_XVpS=qBoTd_b1TZ}mf*FBaE~@Cv)u
z9pAEBr{McFoBl&`I;?d={+Jbfh-Rt?ue~2_DKQhs(tdW=&Ne~r6zwpq4Ef0Mi0+2y
zTC&Uwv0_Mi)x9d}Qs`TY+x!wXy=JXFo_yU%yZMA^0$R~I-mrh8Fnf+gYUhJJu*SV6
zOjU#rz5#m{62{wb7>4oO1p4m5eQ1%Y<(6FFP}Pi=yW;2)r_sjQhrIDfSDYmhXN!&V
zZ{qxvIDaBYv_-!S#!R%OXIi#RSW=@MnD_=jwo`vu$u@wZ55n-$wi`_XJ-m%5os&mj
zMHY?!mW8ikQs;e>6`czfIh+btY|FG=htz+vB-m`AeOyIYCB#tG;zHIu3+xCz#841!
zjDycvm$PvM8p4wPY{MXXxi@~=oJ!RqKA4(_1rVYVLuYu2@7qB9<eL&s5gOTqM<jf;
zgp2-v5deIPgg-0beT&gZT`?pl{SOxkjnA9XjWw(UH^v<gLaAlz4Rr+E<N$0Z;CcsO
z4*`Qa0biT_uR)Q&J|)a22<|d-9kbS)$x_Qd=k>CV!tG=68Y&F@jgAckZhRCr)~?t!
z!lmEr(dT6+&!An4HoMgx{Fr6*Xur_x8$98?#g$oMQ=PKCtZ=KUwc;j5pXiMl!Ne1-
ztQx-E_G5gTM!2x+J=e-hIxzgvqrH^ag&+u8yGiR)&<f6Y!-KLwRTHZv&+43iWrb`A
zErk9YJ#l_Wt;_oN2$zT?%K2P8BvcY@bgNa(F=$z|!xR1--sZFGF*G-)hh_rBdJ9&8
zTEsF_W)+$$Y?SrYDO=PTTUl4FYKpu!!ZjwoJ+wZcm*cecfvnmH3lcx`L8amEJdcV}
zxvOOgi^o?;{oj>4psTro#B7g$9o1RYs|xtATm}6X68IQbNVcqMcz0i~!ZjJJqS)>u
z?X%KY&8t)^jn%e_ORN$fB`abU4w5M_+5@Rl?OiN${zDrq&#a%OtfglLNJgk%sj_Bh
zzlu_AsKRR?{^-Z<kVjcPw4bkfC=R9RFbwsMiDT3Se*&VtBpBDl8|*I$29buF@seN=
zX}B6MkwJ+r_)|5}GbJ`qz!C8O5lrmcmILT;$<79EQr=&tyYV(sT9d=OwEF<>l06u}
z9t;pYu>8w@)mdO4t-Qoz1++qI=V)cBqzz$>NVnqs4_ld^$7awi2mM-PWiOtVDGbJZ
zq`s*a+3ZF3*LwkPO?z9=rm~<rR1YP7TDpnd5{4%JiqwCinC0lg%d!igN_SZjM>Drb
z;*eBfx|uWnqh@fNs^8(wM{Hn#6&v7nbG+qTG|_(-?KCF6c^Z~-#(jt;!ya&$EwrH4
z0!;Hx#Nkh25AUWEu-c!6sq4o)?omD5SIfoJ`~eE|ezr^Hk0!IUn~$5qt64*^aKr$X
zzQ6`x`<2zRJrFkilnVd4l-pPR5+#D!+uMAG<WBa`_To*juL0jZwc)M>7%e<RdDHI_
zgkSEB2Mjp=txb{ZYG8ehBER->ims>Nzu-k%a*V3N@2pBYaOOKG?d(5YN_2k?t8{i>
z_@VHGZUGp)RSDkUFhR2gW1~{S88q`xMXQC9|2nPzk&>(uGti<1_TUmrS_>)2^tf1j
zopowjUqHU#%kQBV7f3wNJ58k(CB|iN(L2|Vv5_S?Fq+50*U^!)ytpu4jOwK(=Fc~-
zT*kYQp}}HBfuB?}(d>iOy0iX7^9=-NJM##aOf)}3{M}mDuvUsS6HDFK*UO8!UScWb
zGPeuMoV8x6iI`X{spo}_8!GUZ-d_|pVyz30AX#e#JyZBO&h;~N65VEXMkAL`wFj$!
zYAM$@x!>1s&W;{AKXl30*3CYl{wJ-QU<K3i84wf8VGpi`8{#RgWBwW1(dbSkn#xhe
zG;fgWX0%N~Lq3;ZI~d)y#9xOPB0i1raj&MmnT3sIgWo&+LGluokD1a~s%^toVkCC@
zz5H*rmG$0ITAhV?hDAHtkrTSgueD=Y!ktegeh4pPZ$=H^X7>Wz|JD&dB5n`Xu{8NA
z=^Yf}>Xet(j;|m@+m@i|dh*a@WDfoS#-kLM6eNGmBo6L7a`4fb)-hAIgZhAT%Cu%e
z{cnBjM~Sw-3}s-+kN+e}|8x9r9WCqq-pK0yeFD)YcOZHsC;SprMEp6%3#V5Y$5Lf=
zu$O{=dMahOpjztQTIz1{Yj0EsGhoFHx4&sO^tGeCOlu9lg-+Q17=%^0UDhwP>uXJ=
z?ri}32XFNkZ&}pWU)97J>=zs5Qkx>Fg}0n658JPS1bYt2?p2+gmUMUzaBC12`cj0V
ztuF&%XTP(H6Ig_h*K;r}>=pC~J?h~alATo@%;L9f#F&M5^CHVYo~B)0&{%kga>hP=
zAn-9Svt2%A^&$5*_kQ#~yB9le^<8^Ayu&(zd#`>l2Fs|23895AN?Z6aDr{6I-nqf}
z$*Y)mHCns)qS=%~%8MQ9l#~&C4K?^-GoX1kG~}U8W6LXu<^3aNOkSNzoh%RfyN5*J
z6mfO!@BVRq?Vsbv8fB6Ug65$`g@+iIhLLD7o+TIo(Vln~V!CcBJjCoWWc|gTD-TDh
z<;8oJEKV%S6kdOD%BRMU;Zv&GySSAmK%j$wtT7f$1&TL@{UmTJIqXQGwTmYDwX1@f
zVSO29Lqj2Z(9`Mx+i#dk$QLiCQmB|9U@QS21Heu$AY?cp+bqZoK+^i;zYWu-%PS<&
zJ=3F&h~bU%mM3oQhwqaN#g)ARMQuiOF|n}cX@Y5kJBR?nuv0dSN!-yB{lR-3L9KmE
z@drWey*cM8tKkXqom?ouZns+8>Z`6yRgZSh-o@d|3%c6_#qvD_CHi0w1kdqKW)NRh
zz|EY)Wrd&ME=(>&hgE%h;pc?s2emuA6VS+jpw{7U-J`@5_<G9fI}yy@P@1^nd=;-$
z;@(wGZ3aT)!NCWF&Z<>MnN^jWTLXiSRMci-H<6*er7S%km8D(Mn#BGlFnCK)Yr?z=
z7Qf-wT0_3#*10!gj+UHWT2yjQcqqb;=*iJD!XHLYoIY<TZ->OUEAa!gqS2N!{91E8
zY<$Xm3G+_OgHr8{;<x9VhAN@$C@s}CLl(sw<~&-8t`?N>`w!DlIeH>PS(-osdW+r_
zm12jKxe%`x7BBSXC`*6LC7C@N=gnDX^-R8Jk?z@Bfx$;B)@86~e(jyPcUtR=U&A$s
zBZb??3~mD5>@nIF+23F>*x9DU`k>9?H<TzHOH9J7oT99Al=x4POLz63(PO8B*=%Lm
zJpixcC+!lqrUWl*$%|i{f~te@8t+j^yi?fQ$P(BDOLJ#(;8Z_^Zk<<s3tuzPRPi=t
zX^$>^9i|-YA^4|1nz9(<O@tsEL)G6v_Qd^OHM-9oJ(i)2eAl1283sC)DW<D3Vw?M5
zF~)uX`$!q%HV8(hX;+p%G5jlk;+C)c(Z9P(t7l<N@c668x_fU9Bt~TTtFK`|{c?UZ
z11;rYivk_ouMR#EOk|x0NN&Kr#r;8`xP4JS<c4D2<huWgP7hFT;21viL%Kzg<L)5t
zS>>x*lKf5xovy4db3u{ajVzn@Wp$=HrJ3JeGu&bh9hfsfS=|RCa}E0)h$h{^;`e;j
zvr~Q?HqHJd=<dM#hJoT1PPIPD>H;Yp15>S;Sk)?~8h2CiLm_XeKGmCBnmN@wfYU5d
zjt-Z4Gox+Cqm7>8W+i$frFa9jVVJ<6%I}NiC{d08C$O?wMF11(U))|jIu+g%91K-$
z4kWUAA>bN1lPH^g2$5;c!NFMeGsB;^aO$#dmU_9ki+qQ-T*J+qjngrC?Snjg<BG~v
z{MMXoOcH#S1!5}I{)&~;U;GaxT7s;Zz&}Lt7r$d+DKI-_+CK!=UzO-zfFQ=-bfX}c
znBd-whP6$2JHY>XgcI@;xOkXk9M-wRwRVg-23&Qwn7vSev`e+^$=_HB^FCDJYy~!y
zT3LMtGywCy#qF;?Q^fxOO&Yu+S44fQ=Rf96^i{F8S(fo<IEjWO8o<?{F}^i)CI+#8
z&+2hKgf#KBmI3oVzZ_~qMbg>_A58Sm1V;8bS~DbBTHID0Jj;a@6Q6xs@h4Ei7(!tN
zX#2Gts=En{4pkH5`nm?U58i>ecj%{U>BVq-Ad}6*xw5>i4&EExl^Ncxy$O}e9SlRT
zPaB@a57hWnd<oF~5AAyBNTzw06oE9nh40%&msVDlF>vw8MGTrb7^uQu63r!_ORpc}
z84z`8|6+&;pO?a?19_{|W4sD47`$UAG|rpNZ&LZ(n#m<or+5G>K6CDw8nlOBJ#)m%
z2|xt>PB@DZbj+nr!JCw&-%qJf^#QQY%Ib5lws1%|RRFENIaOWmp8Xl!SNI=13qMY$
zWo+bU=VK7xQd=IH4E=V&V1<U;8GMej-i3b}SYqV=nPQ7hM<$>#aw3vy57trf2{)>&
z%}+gnvf6$OkF#1!85x$?Y5CxehC4L8kRNi%2xS};2YC^&jr&-@t*B9!{SHsHib4K7
z9I+K;gx-@mA9B;PLVtssjec7&CAJQTbBk4Rrbq69Rdc#p{7&fi5{6kznCp9lJxa6)
zvRgdJhF?9nLDI<qs2suRnHapzwpRdhdm7>aPQEJ~vCaX%)}Ru*ins#qY*dMl23)wT
z7!T35V|<aHp5@4kH&<2dD@%Jkk;Q68_@}DgQ`I9PJk&CB0>}v;Zcf8L3-Qh!8^bx~
z!T(X>e?d~bA4$Kf#klzej>w1!`b`D&#`dX)_X{6b+iXm|-i<vDoj_@T?C})k^=!fL
z1BD1wKYoV~C_bz%_Z0>8igLJM>NX=-+@?JA7#a;!9e26fmnh3(6!78!uJ8=&{k(lf
zZ_E|CoF#$5n@}w{xQ#rS_n?i68Uz~)pYIX}j?g#z6rA%UB4yG$<aq0SdlT<I(3kPz
zcH*rEo<64l;dY<#BLr0h<-VwbAojZ}2jR^7qq;^Qs!e7eQ4QYtFGw3arOdDJ?@9X+
z>)UX+Kr();@SOFlRQ<nvkg*znKXiKiToQw0Idmmot`6hS?$0U;3*T4cpNAI06~?<*
zK-gzo^GCX@nYfWKZ$aohurnI$Xiasi^3o^ih5}CfO`r5E?fo&nsFYQ>UHicJYtcyq
zBmI>62d#$JJtrCtSPiesV|#c@Ag1le#@e~id%jC4+mU?HwilXNSB)mYz}DwFgZfW`
zJ0aiXlW@K3CIch+Z;mfbh0p;g;4w8JKC~$1FxO`+0dHzz9j_dtr@~eYAV^=7k8_&P
zwQALdJV1?k3WEJChFVfsqbwxj5xYQHgGKX0<1gRuR57Sm+Fs$*=&s3X=CeFvCf;VK
z6`t4@{2Hl=+U`K&b+3yrHfx)qo95dX4Jjwo966b+XD(&s$YL11L_-eV0hD({^oR(d
zXrtQ0R~V1tT^{r&&n`6<OF#huc$?HU(VPhg<zj4Lk>2Bu*D_fpjRAwl>L?k_5-pmK
z+(h$9Q4ReO`$ZR=OCe8uT-x{<iXw~7cZCOVa)B1(RD!vQcbZ>anLd~4vF%k5)X&<^
zhZZFkzI`ZzNu0G(UZ8)}A}v=MUgGH`u49&XRp=8x(F8@kP1R-oe7Fe6<72Nf&-*95
zi4w*qTqNW{&Q~k_XOUirbqnK*AoB;t<(yntlr)3uR1K5-E>vnF_GEH@{1x7;p!tFg
zVt@ZQ)a|;GpHqx>^q4mx<=s?pQ7JbY7)bnakwDK{GI1eBSR2tXoCgCA4LTK^m@S#U
zuj30i{&CU)BS)zY(LFg_h_ktW_F!eFm%#7Jag<#KzXk<Y!UHRHAs1tuVVsR+HV3Dl
z8*^0m4jz3;ehJ`-ww*`3DU~s=x0ceg)=x&qPToHY5zLb^^9XrCBs6^>gk`(2^rUzU
zzFPq6uWE-WL2_+e4`f&osDB{3u~f)EsCm5s9Moz1{IxUDD6Y={DJ7;{y$>CNm7DT=
z(MFC~tUKd9f}hVgs)_kNj?hMr>A8kVC;R6g2Z6!#eXGdM1Py(r7pnsdUmv>E*=6xh
z!U)!EwAvK&nX|VVycKSbc4W*wcX%Q;=wUF3yEt9(v_`#uoC55`pg|JT#`r$@#n_xd
zYL_81QSHIm4S9;&1&;V%`u<<K55^H_JeEJy{~_uJ6LYfGv$F9K-~ce#unRQFpI^o+
z4r3)jSSqL;@M}#iSzcgsCBds0{BWL`&+8J(lg;dc)+!fA5p^$xzoj(}*Rw=V5-ZtE
z@=u+@M}IiF*22<2TgiD<R1saD=f=gsxr5iyYSP|lJE9wKxvHeaxczsG2;*BCygLXy
z><4$uYcn4IEx6a$=el8=mdSJh(+gx;W%_=Zp3L+VnV!$|ZA@$X>LSP#9x|Rm3seMv
zV1lkkVJFMbhs4NyS~2Lvs5~{XbO$+H{nYR*4=!K)&__+tM&WF0X`{HSw~Q?yCvWa8
zt3*y&y>tYy)fRz*>P)hnf7Q#*N0)H;+Omw6*+<Z*d{lXlsi)5cOx15KQllkr0QWrN
z#zx`a%_An@zaQg0ttkjd#z&%oXuG?5L;+-_B2%G_@F6)`CWj*#l*v+K0*tI$#~H&r
zvcmM@Zk&2it90J@gLrE1R@mH?U;*E{L_ICKN~Fgjy*bL4h4FZekH~r-U_gK;=L%IC
zH{`>-FMy+ndpslZHb++g>{b&CCgTL2Y2!S&HL4z;fLekF1cT<y(4qs}1JF^{pxr}_
zb&bGoiSpJY|4^Om81KW_PQ0_QQMlk3%ge3yLU5&qeejz>uC;K;p{+aX*L@ETQgE=_
zWzI%NEq}l`?Fw8j6|E&}ppX2J!AqQ8df(?!xlTo8>0iyqWHj!CYHW^D>MnCR&}v|x
z3O~2ZLtdmImnGr8k%j?GDDhA6uc|L7GD?piyQag~gHsf=u{ui3a2C!A?re!>6B&Q8
z#&Dm=f&$dzTMf#Zu^6$NFjR9&n|AhrHsVfqbeB?5^-+6f@BO{ssL&q&9q{nT00HB%
zXNB74N&nP}t4G#ZoN!+Nc|tK)l>=LiA5vo6h;sqRt=k6KaNC*-h|75AcH$zZ3Dzub
z%{w7BaA8#cn2nC`Y0c&xLXw#04Nwy7j{e5DASTXGukp|dN>SuC@uYWcgso}&bZj-<
zo5#dI!DT)r_MwpV=;?kDn;E0E6>hI5DYjF9x0%d(AYfdW&qKRiIr=LKrJvI&M6*r;
zW9*8{e;dEKoRVfxxUl*5DD}2RDa>7FzHPP;cc8t&&d}=87x?_W@!D_bS7%v$KtOhL
z(7g+8rs%^2%2U6|>O(*?(tT(#W>!-+SkaByAi-}pXU-{F>jP)lkod)31r<Psb$}+L
zy`*LoqAG5!HY~Wg4Ds8m<VQ9*WNF~Qg3b(f<sM@(07&%b+ATJrYGRd?CIA6#%>-B<
z<HyfpVB(Do(rC+Q3zZl*Y5b%f@6BS^ja|3_$Fa*L5GS^o;J+ELG5XW2P>Q%g|3FnU
zNe8tP>{3vB2NDTl+4Eqo8RJD8pNGzuazV$S90r0%lmK>O<8e;Lwc~$(MWGxv{)Hz;
z!QNYmZ=7=+r0lK(xszmvWeQR=-^XBMu735aL9UlCloNFeC+e%H!Hc^Wq1<^MmR1B^
z8fI8)##(vnO8c@frMhwTd9N`SS7vAl-sZ@H%|poJSuJKQKFpSn#fN{!1wXS4COg&k
zJ>0yW4=~+cH;)PN)$SZC8u0P2h1A8J?)L>*yr$b?1eai<uf7Sf!#R0{+c(1y(b#GG
zqWck8+iHw~a}ez~j(4g+mLJ_+$g1*lP@=cSy31f+<s`>uuPA&Se#QauM+^erl!Sk9
zI}BtTpPJvK#2y6^-g>_0myD&sVU?eghr)|q)`(t*>S3_*D1{Zs({$4e2ldLL&~pv{
zq77Y%>V(0-F8ZZqVC#3&g6QQ%#%@T#DxH)r{X&-djK87OvKkR^19lv&-i)OHjGElh
zTlP7!PMB0F7%Xr!j>qMg_XhPkObg3C=Ufcd)>F!Q-@U&;5yLG~BYZ6S9g55*RF!_1
z-ghgJE=nUARGURWl6zqqCdj20tfb8C)FP|iu*Xmj8`o+O73ASu-kPqqQt~#7wD}_`
z4wbx!NP--{JYn_E{{H%x($Q_`z>6#Nhw_c#oD!U-@&jnGTcM(LES9m1gTKJJ4J`&f
zn`@j6Tv%_hHi{W+E=Sv(Kf|@yYjP<SWEk>hpgFf<xb|>3&z<WUtq(;|H)WhTmxGZq
zZkmUws=qEj3WqpU{9<UF@CgjpMQ+UE7>c0VIzCXA<BGD;0A7gZj8NUpD!*ig(yC)8
z;7Ta5ufRqCK4oGOR`9I<MGl%)imyxQ@s%(taOif><NJs4g_rB11r9yP0wZS-F6mDR
zd9y|*hJMMa_-fR(76)WflE{2b_>H85!zhn9n=@X6boe%uXDtOD&|Ej^v9Bh>#ZZg4
zC`;+@8)u+JTRP_diV-O#M>r&^tHs!=dNwXb4g3Amol%1Oq4+{OzP4bbxe?V*2yM^y
zBpcv_K-k8ir^J3Li)+K73XZ4;C%kLgON$RJ`dMNz!n%hS4fgBR94UWsbsip}i?xnq
z-x_sFYw^QR5-!fyON-mXdjgD{PdS`yQm4G5ta*4mhY{3bVJ7O@1n<L=Pj&LW2GStQ
zweaxaETw-$0<TvO0R$6fJ+M#K*9TBb>MH|CUG$Y-lapH__!Dcyi0ci)mHyi^mexj@
z#pk9lY|0w^AOYObqi*F9x{7L|hLbwbvU$ge!`OJeP=L}P;tuZfFuEJ%o2kN)2n_xp
zd5xHNk#+QZU7?;8{wf70!fRk!J-8vT331*{`2CrdjM8Fb@sET0?}fjOXj~>RpfZ`$
zFp}_0JFw>&t!Ed|{w)(GikIr)p3q!=X1to9eGNSWG3AO*JH#aX0bST~m~?vZB2wu5
zISz>MXHR}zgjYctf?Dz)mi%nFLA72Kobns&pHV1P4Wyhx5Jy@1wvf{L>oC2gmA@9s
zTEW+c;=+$htmid3SyYE2t|ZNSK?ExRoPRF;SR@!96*$qhp4&RAqx}I^){GdgtR8=1
zQ(G2%%8EhoBwH)A=<m=V9>S08O@fK_C8#aEE!oZi2u%~eTT#oAaIAu;D0gE*HeDA#
z$kQ{iu(2~<ulN1Y6J6|X9+#9JPYVt8SQ^@SpFw`PQ0khhT1vJI-}K<}Ebm3Hqa3kq
z+Xg7@B^J6B;82FzvODDJw^51v0gQf{^1m+F*RJr25A`HZ7y1Q7ihku$Vt-=SbU_j;
zU_D53qx?}PC`k~+eeePDfbTu8<9^M>Rnw|9X38Fabfeqw6VnEc*0S~(_X9FIk)2ev
zDrrM8FX$#bmbRV(V9XmROw$XT_Au0cx|b8%;xK*}CS&J*v;si}T<!Zk2Ou;ep#8h>
zb8DS?g<=WdD@<$(p%QrIht<rXdjgrSdx>ql^aN(LoSOLI2TUV(ar2TEoNh>_Iu%`&
zb3yvW`mo1-F4n(dys0KMgX`auV))cjt<A#4gqQ(5$4g)5^UbykfGEZ|`5Z7t5d*O>
zNvA=jCL9A-5+lxer*+^w4i{^1Ex4j;7qqp#cPm0f>H9KH{qR&o5kr7yhF=HaFeYAP
z*Mo@{bKQAZCO=8u$oRS#B{g$BO@i2TsCpPH-)^I-zf0~^Z%A90jh1!Ul!t@2#n;do
z3au~2Uh-CSMmX5$y!kjjIP;t}zZ>STn@b-9Xsxgt)PMW90P9Pq|B2uMoKL;>8L(<R
z`8lp<V4Fmzs&)k-Q9$5~O2|q=9sne<5XXcXBF;XSaS_@T4g$PVANsrnNEW`J=_gIR
zs!f{kqI@V^B?@YPj*5<^a)HQ~eqcO_Mn2XOF{nSkf(>`<0ihQ0ZM~rTGvmR|>VmI#
zQOxSvCW}D2`b(mGEz055Ia~anG{r+f_dXK!f@r7nkGDAcURLvUd-?&eq&@wYZBNtj
zqn2eIE}tte5Bn|tV`Pv`+Jg;np<F^j^D$EqsAn;!@TwX+Mkpa48h2sIP!kKX>}dXl
zGT+nA_d{NPjnW5}N5mJ6%LFW6!m=goYytC0SdN5c2-pM(>n~w@G10L)i3yijkSl?M
zfheMuvLDOOf!%F^!m?Qb*Ww-|jR))kwrv&Uv0#E-KnARWA{N|;0tjO|(rPB0kQ`Y`
zS$I)oh22~l-p}>9LZxZ~oaN%yeM7{B<w4jL+{M&7c-oH_jBtk}`cbb6KkmrA)#0yd
zOAU0nhI>jg^Q`b(aqE&+`%H}^I^mJ8k7zb#iX2hA;e`2t`<2*mXvdUzGunh&<*52A
z99Tpw^>rLZ<Hs<#`r{OVRV>Css<=@i3MmGwkitRD0@fTT3MmS!kOD%X%EAm3O7P=C
zK>90{vUEO6KRJ($QZ80iF_8MY$t-L^p|A~o<n&*b5X#JbRsDkwOVRKs_7eGB?6?0m
zTvy-)tGC5(?+HiSKBNBo*itAj_5wJ==yInHC*a12v!E9EwU?c^9{7(6TuB+j%NaOA
z$NqX>b(XjK4zJsI6R|Ih0C)1Z5!ZiEK4dCF(#~*)p@Q9Xyj#34E~2uX)>P~p6Z1yG
zlwJrQEtq(Y3s&L#$x$^G{^%H&8y6(~xPPFpr>p{*CHO(B{akwZd+Mro!Z;g!jx0hD
zu*gyk1akw?P55@&Mo;mM#Y0#YdR2R`em<4}+pa$L2#n}&y4cmL9tP-j+Ev><JNf>k
z6`AD$hsU^iH{9+x-$BPq)}f*BpF)!m)(-uY`{L#!;AtI34kGE@sir9Dz-A!%xzu+V
z0N;#nI^dA#eQQfS>VU{1*!7{2#48~15dNI3m+LM-xrYSkm&q5f-XLFu4;27qdGc2k
zh!@sJC?oB-=q9cXzJWeTJB6Qw0y9>G<Qj;K=TM<R(XWo<m)-OQIov7rFmBg@530=u
ztg_g{Q_lk2XUMn5*V+U}<b=wJS&g2GBdyn%8~rieBph%($K0>?Te)8__m`s<rp_FH
zPZGQFg;ZEuKLXg`z~>+K@N&%MXE0jA1(5GRmqU-tyMc|lK9l7qZGiJoF6O$)^CfFP
z9Zzv5fs<qogpq)kKaAEm)Ki>f)Tpq=vS<j3DliE61*HW&C1{`p`X@jh2?_!PSvLcc
zEg{!S$SOc`BqU!#o&_XVLgoU3F;Jf5yP5n;`xn$BiE{vZ7HLdd=+v4AP6t0Y@5Aro
zMq4bLH-W=KjdwC4=#VSz?;9^uFgBm?QjOo*$Ss2GMAg0TPV?8KdQ$tKZ}sIqyUHo(
zW4R-JiAnl?8`(*}<ka*n$@H_UbWdMmlKw|rP1so{{eR;yyet1LQpV;PppE;&*1pkW
zAd*ggWhv?Hx9F*fl6)zVJ57EJ{cGa^dGwcKa+l3QnqQJPMqvVrQ_6}Ok)L-`zU8F+
zIb?;Wni5}4EV1aHI2)G_wnLw?IUjt2<NkPuzLf`_VthINT1wpdG1_pNPl2dSMz&oJ
z|FtdKai3+ZJ`Zm&!S8EW0qrpUj4Gll*fkYl25>1}i}OM0*ZBYm4X}QT1nVHH00Uot
z*o3_tCkSR*#<DImZ3X?$)tWWazIMMn?SFy?oTdi#d6i|_mkh;jx0}WO=|b%Nu+B~A
zEtwX6!E8L*3+huUgWB)u({acAI~!jd1>wSNx{hVRE<&Bif(sF_yAk~eYU0N#RPBXT
z?1lbH1dpl{sZ8#7`H>61_65n_WRnFOPg5fLP4g`_b{TJ;2?-|_S=u@oOCWM`thDG3
z5Hx}kCbdfbdZke$VR=H(TJ+z<^GcZ4f_*|*j)dh~uswtwM<>umfdw-NGbC)N1#2hl
zpAuGN!8!<Ql&}&D#t^RYCkY#1!HyI53}Lu~Cr-MIH)3=iphx1^m_PSP`yN?<J4B<!
zZ8^M*z)<}@WAb(=iggl)lY4-W6E62s&|nQE_Bd2sIwc1HGh@h#b*lclOFCEDOP686
z`@LMh^u8~}pitL=F~MU)8x?9AFvPCRoPtRJexP_7@!;}Vc#XsxMm%7o%o{ja^uAMx
z)VU4_?aWOh(J$ci?zFeu&&kV1LP0&o`KMFoKZJoOeBU?$e@0o;icsRu@pa5iJE9L}
zWvTiMkN%_np|gZ7+L7LD#lRWXw(X(M{JbRT*ZxH<FTq)x=obT-_KX`97c-6^G3Cz3
zc2F$!EylwvqLH%+qfa%_uXTJK`)u5}6dez<PwDl8UfsWhLx=4*jUO*Dc#Lb&5%fw~
zV;KB8cl>j|b*%1Z7?+GQk!>eDOauS{F1NQ&;os6kS*q|*;nw7(^oNu+`_;tI)oNlu
zJI<-9c7cf{!Q#E4D{<`;WyN34omN`BIlMzzvrSF(hx7)t0xx<ZEA&AcIs8`i26y;P
zeZ&BLL4RS={92Y5XNG<amqh%C+h!TZ`#@J=-<ZqBmJX*%;HtB~lvR2NO3@AczVu<Z
zfOS2<veWof?co-ar;i23JG940m5a}M@K((x3sPCvlURVf0!S$?SQPOK$+0ku4X(Y;
z$9L*u4>Dcq4GrGmk1QDkJF<+kN{K%J>jBTVq!hz{hw!$_65g|U&v_vaDRI#ZmwVfA
zV@jTR4UfWE1RR>yv=jGYvT{nP1*Kk3Dc&dojR~;iY9{i$0PPdA4P7^Wih5-@O^x3z
ztktXD2sws3mZQCAj6or|f)R`{j*cWIrF@?s7hkX7RNlp@{N$UAQZHMDs_4oU03j!)
z@;Y2owyN>mR)|1w!|nsOpiFy_7OhNML*wMvenUG0A<!J6yadTMnJh<=h7Qm>kfeP>
zvJ%O5nOuk@EmuGvg>6?Y=K_3A{Aea%c+=vL@dI{8TjoLmOjOlI4xt=v>%b2DK~N(T
z-pi%H-CsCG{9zT(ogmar6t68?^EqLZ<a`y!&H?R3O2QI>Nh@LdpOpP%N*AMYz}O3d
z;%&yXe+t)hKb4?GFzNE)(m(&H%N^7ity=jIEv#7rvNh5+zP$u=ehW5gy4Xbph~`*;
zJN3Kv0BV_T{3HF>+WpM$Cyub6{&9tkwvST~S#q%}d~RgP_gvxctI-BZ%N07y=#cw?
zY|NDcN{{xP{>9`DVQXwygy=#29ucx0ik=Fm0L!AvanWze=SPj8JuSu>7&T$9J~RG?
z`<6WI+ZY<pTl{!UO__HZE}7N9+>3aWK5X0KL3nZdqdE^j!W3dR`6S3&`<Ks*EucZA
z^evYBSW!K&=>z-&-l!WdHVSAajD3TEoQcf>@<~m~0cLUr+NnDaeUR(OEojcT0PQ4y
zCD)Gt%P&Zm&tmyk&~|e^MA|vteJ>*3MQOZBjHK}|;*|pr?YLR~{dD;=EPsvV1+x63
zMP15US^gx;b7XlF%THRz!YG&P*lk^gzh*4IQt%dRc)`gpy5a2F_~GAh(K8RMh;8_X
z#+#5JwiWn+PHda_+Ohm{Ss34N!O(9o-dqH|>9YReg@FFiBkpi7yszv6HT#~l`MqEA
zQkuBG{zc&-s90hWOx1_RI*dL1CJ{KG7d^2DbpbZ*!@}(o)uz2!YVW<!G4rjyvOerF
z;tgZ8H`6zJ|2aOWZQ{yQpGU>2+B2OGnB%<kjSxrlA?BTcV)V5+3k?ygE`kozNnA0I
ztcW+<#zVCHVze+JuynYK3Cy5Y;uW9EewW9~r;8h;l3wTgdS}3_kO7BTF`mN~)bh8v
zp5Qh|K=LnE)-MF#q7!&Q1pMO$5Jd2qkp~WA?}thw$K2sdEG|!o`=GGJW3>Hacq0L~
z*miT1|Cv#B1v*r<k+mI-TkZ0igZ7yqV$@#PwYt!6Qn(QmlCO6ePkFxUyd@;Aj?OC6
zHU_jW1KK-S!ndP0Msz0b*u_3kVm!I!J3rxo+A;!{;9Rct{AUcV6`qOxQjW3)j?7-;
z@f*0&4WBm#Z}40Xc)s{yNd9c#gQ6rfh$`^8@v8`WMF&QN3anp`@3d!Q5K|yopCEg}
zD3N40$g`2nHG&5$u<Lo$Y|g{5cGcIalpEZI&X{|46<m3wF04vr;Ti5%3#MHg_~HVf
zo?7_%@_wS&V5j|~s(q{_ZjCBWHEyVp__OmR-CBALb8{q8Eq)Qj6-~M4ohBxQTrW<3
z-`T34SCz^D-CBh7U32?ZrFt-vhs?a5@_hyI)&%^MD${EJNX9&TL~M^|E!j50ux6B+
z=meTe^D9DiLA>lM{Zv(ZQ^d-o;`vb5Uv-2MDb@evtwa_-unc<2(%11XirAPEvoe&E
zynEvp;t_LX?SM;RpElv7mM2`8v@Q*^Wv8(8`;0Ld0K$13UKYb|kvxn<)iKIgd8k#S
z*}Cwy=Ju~jvb{PXw`2Iq;EO;IjX?PWxN5Z(OZvpch$C(gP~(22F#~*T)be-J_c*JL
zh(_W+0tdJYYTk?|?U9g>=@&W5Q}8m|S9PqDkDRW2%==y!9>nZ1`r|`C+6FUZ)4}`i
z?{d8<+-~x9k<Rs9vL|e_Jxd+KQ<J#4x8UflHY``*r?3$k0o9#*mRy&%?ZaDC5;X7N
z!41x#75L+63+x-I18HE7;%CE#jSQA8sY6&VrNsXMAx0Kt;qw)gcVs~iq&5q|E;vK>
zr5ZJGSeq~3KjEB}@Jb2Ks6)sQgqF%maw}*&jzXYbAyBol9Ah{D_4&Z5(8>@|?=XIg
zby2tgW%;2Bpyo-cx66t{tco6^w*<&7D=KFjhp{Hur23Q8t!YxZq4Tl3rhUN0U2z|K
zqo?jm@HbIwy_4aE-_OPBc+v*$wg+)=0-RKGlm9l+uI1TVqRUm*jLI(6=fP7R2v08(
z!26Ghg`0DXzkm_H)-pPgbpx)gR74l`$AWQCID+!Sm^C=TgwO@eF@wMG<2^3?nt3pD
zR<1D{b+tz6fZIXA0N%c`%WvVrXUEt4S{VZ3vSP6;kb{5%yzD9q@??RGAD|%DF6bo-
zWGD><1FQnSUY4t7mccQ_`0T{$g4+dH*%sshM~;RX-H>l=K?(OqUS&;L|I*?P<<UzZ
zD+t+nW58a|ZpD2q8WWsPjvuSv53d;SYFu3rU6KdefZ(ik?jkt27bgMxq`dJ31Y@#T
zffvbG2Uw7zxHsPzB@1NW6a`sUZR09gkQPObU2v8xNcXtERe&DnsF`?cr_5vQ&t$jC
z@@!TTi>#>U4p|_j1Rm{>jL{$qq+CUTRCa{@^KsssXFMwrAgB>IVQp6)J&T%WT~HDJ
zCgXPuRH@qcjma>|Sn?1*`w-I2HX<;RoT0pugN+RR>70|}x1zqjB-fZT2gv$@eB-A`
z9Kv04?ZdhPh&NouZ|Q_@!@pVK8QQkO#`K5#LVa3#0Rziti}(s(ABJT*ztoqxxtGfk
z2W)X~&UC$eHK~POPTMQEi>P9K432Gtel6^bq-=dpE?J$%$IR*PJm1DwMsl5bl;=6~
zD9?A=Ke;X)hkuB*Oz#zMTs#buvhaPsSimc4^hK&)e^vaL1uxV`H)R=vVY2=1P5$Bm
z-X(1`1?j7SmOYSlIV>o_dvEXnI@d$#kFnX#HkC*IK(QgNn0T>Tq>csg!+2O$cnXic
z`mjM8HJ!2z=w+C-i{x3VAJ-;uEQEmi2E2}1=F;a(HU5e_Df%3oMJ|$Ot6(|DSS^78
z95_K?@LqygwFA+;dB!>z*RtYE7hi&l5usn`3rhX^nk{H3bHP;O#-mu+ModpG@8qBT
z?L2qJ<zM06be7}o|N3&QAO1s)?(k@#Dt8D~xlh|KRK<5_Ge7d^)D?g-LQZAb<qlC<
z@QopJPbHU4A3pap-|fe;;ah#P(3lr2dq86hec7A-bYtjgr@p|QhcYIkX?>wT0{aor
zzLKYgxQvcZ(P+mo@K>@OeZ+Jfy08hquo6P#0)pk48(tUd$yL$#^K9(eif6f&yd!5F
z?$O`Xb$o9{1i%_yoXW-)aya8yBfkuV)HpoXe}!fSr(Eif9`Che0YY4UxUvTNh_8uw
z<_+N%6f<qFmia?%=Eu0EwJ~ROV&TW0ky_~Y9-{zwowAqfHN5fq$?$+g_yD_%hryuu
z${N3biS@i;Al;)&P*Z#bFNtq5M8J}(p@{H)gmd*uK5yICabozymR!&@ZhrvWS@(oy
zLnZkgY7pSn`1n>WPF=xg&SXI?GJq;^`ddI`p~!ENd9l-oZw(KI7Q-@)#-%6~HTj1m
z<2C%FXwka}(~$)ixI*|O;^PG<tk-b0n>+2NXu(J#wBEuav_NjD5pyR|2FI_mc^9;m
z*t4LBBVc(W^rQP};a*{@to;+Zu$|ergt6RbT#l#XeF<<vH>RGK%vmcNoR}9wf;J!e
z<Bcq@vdZ_Mx_JOdo#m@oekH`u`hR12b7y(ODvrxsyf`l%#dZ|Is~B@1yox+lq>LJ>
ziR4D-gkNX!TE9i#J`4YHY@zrrDqP14Ty-8)f=6t8FpDb!UMG!i$ibb{2*Bb0wR(ps
z0)3fyr)U=gAoJps-AR;o5`L^rl6|O_R0l`{nG-$c2@AVu>ng?)@14IdSXY}q&Vp}q
zfydZ>9CF9p>cNS{ArImTm@t-I>?Nk^m*3L9=R35&ir=;I4BnwWGx1KmHit8(wjPcq
zJMHs#Xz!VsLW<wkUpCmK&)L#um^-k5*zub0BH#S))?SykJjQIa(nY=$F79)U@+fN#
z_3pn)+K=(dn!Re%rx}*t;Hl8Q&msL1BE{uM7(g7)X?r0v*kTtVr5OI)puUuvqv}7L
z&$lDxOTLK5Q#Jkgo*|rP7q+j43$Z^C=&~NO{?{s^o>dV$C0Uohl48~63X>im^ZlQ4
zOP$VR8O3_dw|2qjLA>b&&!?B}L*_OQ52z8CZCUCeXIYpxe2Uj)48E!lt0rEI6qhs+
z7e^_qP_Bh6@T3X6O(Ns8C=Z4BVNv|6ztRq3P-SmH9cu(NxVG^2jM0=k9AEtv29`w`
z-jysehNR&P8Qbuo#(8P@Ck}X?k&%WQ4tTz?8;i1}&w#W|$7^g)!*@8~IYwO?{%;37
z*Z5r;-sXV!H<qX2n4oF;CC2PD90Qz&4=`>AoX3`Uy%)WXsD0g$1p{5-3-Oae3%suI
zX{tUxH?sU@Omep{?9#4SxEaYEcE0b78L)BRLz~jZ8MJX1K=Q)IB`te2UKk!R<QQ()
zB7Slk{9ug@O{C@~r(<AsTu~w{6}nW!;deo4;1Tu16>=dkBaGcSb(<y%6TwHHs-Gyr
z7Jow5!U$M`#IODB^g*uVuTS!Kr2lBW?5{7KjAo-91@p!izF+t`)$6O!Fkx2%ddxc=
zg=7cb1@7zT8tpT1h#~AV3a}b%hFSI)x1)9c4S({I)a)(xMH}$}1uO)mV4{xS?vg^v
z$%l|S&^x(`zlHOA{WnFZ$*&DuQ-69PR~fwjeh)2{=wGOR{kbzGbQPdHt;egV@`N7t
zU*I^->+N`)^Ndl|7pvl&<21~2b_ij!aYDk@9Y1^@q7+K5tR9h#Z$8cGyLm)E7e0^U
zkM3%(2B>;YUtGeP>Fw{2e(Lu3-c(wBZ}u1*QTP~KJFET%FwHkBP8Uooac=6y@Fa^N
zy|d~AqIjQipn`o;;!r<$#jnesbOnI{V#L3I8Yrvp?H6s!Y--DhetNL?CSUcv{lv8&
z>cwRO>&;HAx>kr1KjIwy^my-0h$s_VdGsrYl5H2T?E&?7SZ&X>+WsH39sN|XDd!2P
zTmn@W)O{FVcp=pz6b734s|mPPrR`Q?-v?Fx;_V}NItN%B3d#9UKirbSX;xF4fr}3+
z;mbSsW}BabmW5YtvGnmYDUKvq@<-pqhnME`H9zUZyW7HBC-KDZq}Nwi!2hv;Z=-Vk
zy%z8>3)n<pr3GAQ0XGsDwt)9oK*r1Je`W!1v4HOoxWobuvw+P6#w=jI0Agr03viCa
ziXQ+L#2fv4IVEiV0=-F$&#NA*SZ_H(U+ZtR>U=y^_WxDXLH{8q_8;Drl#?KX9})tY
zTcl88K(xpg2>A7YEA?;Gl@E4&UjXN0+opED8S-DyNio&Tk-!#2eWLPLXld;Q;HAz7
zJwmNtIcnXLu9bsYLG4IgC6JQuu6@L=ko-IDBG#=SbOTd);DHyS9pB$s2L*5?`&fP+
zd@cM?b0|A{EGK->^59f`J$*~6cbibaeUPKS8i%gQ*8h*QF9DCL$lC6Z00DuHh#EyD
zYLtLmA~+@zq}wFW!Qe!Y#la<t#wa?XbOR0ojh%+{TwCMd!syJ%xD9S24$2aslYk_+
zBZ?v_ATHFUWpM*kF#r3Wy7zW>z<<8)<9SHeJ$33-)u~gbPHm?gdt)qTK))u<KOg3B
z0q1MAvycHUUT?!Ee9U1a_O5sq<@3s()T-kE_O3jhe^+(l-$pp9fZDujeP;alr13bk
z4zpy~S4ErrXZwt-3f!2F;FZh|zkkO6MdKRKqeG>L`Ta9=0@sx34Xx_{+`tET8Qv$#
z2d>>zCk&m3bqqb9`B;;{Mg&N7LGq0F{oqsMuz@tlKLqnEc&03lHtx0Ye**ky;AdIa
z>2&)y{;K1b^XvdH+`z~&FM>g@<)*Rg`BLQNTv<mQPHc2r0Im`vK~HaRUC``;1W4&I
zT?jOun40F~#y%DR8-+}h<DI>ZR<GQXV;Gz_TOb--DE=P5jr~#+bR$v*khtgCIKYZ@
zYibe+3ttYaG+v@3HGd>33sE;S-IYfmnuEv+MovJaT>X}|3P?&1BF|&w<Re4|5!sWG
zAv;HMSkj?B=6-aD#s`?LJBpb^6csl&Gx8rgoyA!zWroXK#mFaZqHIo0G}C21!Ki0R
z6sKHLh-SIWFe4in$yKQ29CKV|4I<GiJ6?ANV&0R%vtb%K8K%syPq6#60i<^0yS6TE
zQ)A{hcCHhob6t;Quo?>Wh}oh>Vw}Q)Srsw*Y5h+O8qm=h#ey~d>PU;(A9#uW!gwwu
z+x>G?aON>6Ar8F7z+hLPFUgG*a?RH<!|B@Ggtai<JP)Mod1bgQ@Ufl&V7&iu4;j#^
zdNknIPQnx~!f4g=JbQlU`1iu7UPCuTZT{mVyL+xjc9Au+zko#J2+J3};HGC1qmP#8
z35Y&JqPk$&d&V@uaAM1nVuLf>E`N95GE|5EvV2Go;R1KA$KndMTW^qp!GDlF5eYTs
zp;vU${=D2vZa>Du?VD8~fRh1167rt~duZUbu!lzDOWQ-f{;-D>83n$Iiy50g#;h6^
zzNZxa8Dh|Q5PHURsh5s2>?jUVXwPX()k9KE(ounlBrY3%;<QHiiK0Av4T>_vDas;B
z*Df_axiFl6b)QYVM3MJuya6eA&in@WmlJ=iL$~rQRIwwl&1|qA@dc^z3&?`6su0g}
z*@!<nHU0qO*D`(+;%VPm<ALL|%9umegFUtXMy@yoE?cGUq3a8F6?_uC1RK?7ujPt@
ztjoc!<<blpq=lrIOVydG1UYE=h-~Jak}mI86zvME_lERU*>v}u$3eo|n9aYdxZBB_
zSg_<0^mtowxKUh)+lra$`)g5|$WBeNd3!G&is`bk42CibduMCBi?jpnZg23i-*=!Z
ztHb0DgAC3g>=v<8-|nI;aefP7oaxb%bDCfhZEiqx!LIm!L?Jlsk)jVmF;?A${bXFp
zzXZwy7u<%*`Hns6Niv^DJ@%+&zaXeH!Y5p$Og-SN*C=tauJL$&JpQI0cZe^B29-n7
ze3$u4`Or@||B-_NnLK#F7Qy=&kZ7!|<?-B)UL<A-I<cxc6P_~!0+&Ouy@Kl!xW6g;
zS9%`AjVW1iK}XcD2(zEm@||4cVNQ)hKcD8F`z$^SKEdL2ctb^WYGvSjll!V757FXN
ztSQ=VE>FvpX6$$jZG)a>^2yb>hn$0e&o~?NWz5$Q$HmVnxbQT%dOX#$*{}^VE*%=`
zx&Jlx7KfA*>#aZ>48-NxXVcum9~-spYKO1(+LNGn?*a6rBQFctg;oPuD8@G?@z;BW
za5t%$;r9urrxF}~ZiV!X@OIQVmCFlYds|#yi=_`ozi7svkL^%`o?|)<dI=&!&?5=Z
z-4Gi&kK_)|mJA-7&mYX@E^}sc2d*TJzarKwgCyRM(}3x*H!Z-28t{kMMhmc30D-P8
z;oHIcbhI2A9tZZe$&?)ZPDijmBtc<c6X0E`1qA5Mx}e7I5MO5LSN)CVZkIk)p0e2R
zlqcG$#>1KTWQU~!TKW8Q&-D*)2vnGqHD^5Z?*AsTZUk0$nh*5hycsj(=AS$CTOG|9
zSux>_=56WynwNo!>-}vdT{7ytgI*-f$>k6-$qUnLQQfaX$_8@;@<p0wJ`VvpI1Umq
zKS_4h07I()Tg<dR!2*Hh^#Q3`kZSoP5j&Xbw%FAnsg|Vo>#g+wIbI|}gdvr^6pPW#
z+b~M8m-3_b8}#+A)%9Y>XZlaC#%|J-?;@Ki7(1G`X9GU_4dCuo!-2^q)z9Qe!w&Tv
zB!qPmDUp+XfjblSgwgHz*`IS*#uT<Xv;|#jHMT&0&Ix>79o`qXj-7T_JUfA}Z-is}
zDD+E?zrWF|&;Hd+?T=TNVw+>iHgr+1d+CqrwK%#dj}gY-7QU!aV@0WDTQVf>9Vsu7
zJy>2;Pdn(*RQ(y*+rWnQ8M89??~Lq?e2aEXH0bK&2EC+9#@sa)e&kzX+qhiBteCJm
z+G}L<_Vj-5NsoPh`~D4=oZ2g>H>4bWow7ayjYd-&66l|0JbVD`1!vrI*&{i$aeL-a
zpl^Hv`h#(F^Y+eNR-+j>nnjNG4*FXz6HFe;5lW~S#W+!j<)SOmw?YSI%_@#;MopsK
z9s(NHyEhcQS#FGg@z?Evz{{;^;A&e#5P!JU;z^m^$ojZ3_~tQkPdMkCgk+ry(&$q5
zNMJ7l4FP7u0OX>L9tD9^-;c9}@R{WC!rJPhS@pdZJ}r$t>-=;=uYG4CFA+b*`yTB?
z>?W(9hl-C+m8;#BTtTd|z&G7TwKxrcIN?0`o@(xxP5El}cGTXDL*<Ysk?n2jkIYk~
zs@0;ee!1d^awW<3sS!?ss2(Sym!xCvS`KIG;Cxs(Kfeh3MPtGEUibL3j1JA)I(OL{
z>0sHr%h&|19q^}3pn84F9`VSVP;9-B!Pz@^?NH3pj5+H7h^($ogNO3BAU{-K7bAkI
z3#Sn*-ywQFX?ah@)}`{IheTGR)|jWw{#hIqgm)o1&XSf!7l<=lBO|xj?B;F$rd#9<
zvLx8%o&6SnN{hC;YZbC}FLj|O?sd<_O%9hgIwh^TsKtE`To+)G15egzjR>{JBDzC=
z#b2mCR-nSb8UA2#uFJnUb`HOxbRH*fxhe^FxxLvDP|AtIZ@j5Grwbq>qQla}!GqL;
zZzX4{yT-J&J<H-_u{_c&UP9bq_Jt7~yN&`UeW(XYneUz(1sDZOYge#)umECVMc`Un
zyCl|X)$$+3<Wttpe%<BThQ~#gV#BmG@`k!>2l@+Kk$N!FqB)lC!(DP!1fcmVM3nFf
zz=_WV!yH5)+}Zp<B7-Q4i|n<@k;B{C)K6a{J=#XnyO(~a4glaaWGB;<S6$dY_gNgk
z{q50K{o&BQ_GqMQn1n8h(O}ug#KKT5kXSJp2kapOb%W!ZWx$TpU!gc+c4|$@F;P(T
z)@1tw_ISbq<6YKJtcexz;Z8xeyEYq^GMwW9U<u@62qFbCi)*nE$1g!w?C3C)`HYkD
zf`eS{S{lhB2V4$*WF)*#UnE4~zOYrz#W&=F=Zdo2wK$LGihUx61MYKNE+)!@5Cp8w
zx@)gOBzZlMNwA#ho`VP5;4Yyxtzr<}v)AH0q|H2LRSfYG;Q{l)d~Zsq@I^YOr$Fl<
zU)2+s@Oh4dDOss~<^-fFg=6`h-C)wgX<%(VN*<lh4#XC%Z)=WsoBbvOMVsB>I;nLj
zc%^&JlvC(tK3mHOYQaM7{}PSAG+jj5=~I6|nQ-5f_q4@sU7HD$m5g@Z^Aeg#4%)+W
z1jQFemy?=U#=}H;f{F4-8m9-p3|dxhljl?Gp@{o%=iz3QCO+5Ff0o>_lxd@qSob9h
z0=bN=!)21l>h7$r))<;8W$TkOn_9z+q7RTqR2U&nn<Ptc5xHu<sXdt6n_Ur=um@Ve
zBA0nI<x=V;&X4R4)(Cv*U>7ir#5>HzqZY#3$AAOg;{0}|9DlXy<&D;}Fc!!Iz4o07
zlAIAHkIf>O!mM9;WK)CdT<Km{{yx#Y&Jb~fM;>j7I-RI~MC1Uvm=7u9ZynY$>|&+T
z#S-=adY9f#mJty}f{FW04o$LCu~JQ2KTC`^)svrkJpAY<ZIrL|V_pRrRAVl)*r_TQ
z3cZ%&oB@&ppdL*K$<<kM2n+rk0<XE3X5>a%s?+%#K=?7_jO)364=s;)Z+rcRI50XO
zhBQ1faM}9|44)^#i8>m_8`)y?%A4|ud+GO7=lK{=<L~JHPAb(Q6y6ocv6Nd7Ie^dT
zPuhwBG53ANXgP0m;3*(FP>5!e;>V&vcc?8e9pi7Y9W20S0I*0V)PS_l>>V<k;RCcE
zY+9qg8Pf8A`<tp8q;p%F-d}Fs(=Bpf_PZ2UK!a_b+I{Y_RwC>1(i?d_w7t*r92B+R
zd$QAq6z^|)|LgthPd$JUdNoBg3ukv<cbDPqqx$Ni3#S}~!kGhDvOb6T%jE+zKZxOt
zfdDMQRQI^}z=V8*74D_$iaws1Q(d%a%D0g%7*RM4{c;;CTIRCjXX%*{?w^;#|NSWU
zl54Qj_{Y4^_i!`!37o60>kypTg`Tn*&Ir!zW{2T%y{jG03eG&r4(9}CcDKWx;LIL6
z+$|WKnWcllw}5`M9R_+&hT$_2_d3BHYxcKC{d}p+{>E6_c<?8y0i$DEL}%|&n*<Q>
zFXJwJaL3**Ys5~Z$aF_FW1z-;DYc$m!yAH)5U@1bntFNLF8+qoKFhdH9dB^HBbzP%
zPg@}=Z&cS~V)|NqL4v;+7XNvvp2XLqQ`%Fc8_`Yl6lp$(y9B<oe;-?bVsT9a%Wbz}
z&|8R4m;ZXPu=kH(cUwUazhQ@{F98~iv+_u?X6kV7?1KzX^-6wh&s>y`6+Ot09Z)Vf
zJPUd~(cC=!v!{7`W|z%s_m-r?Jwc#j!0i6{a9G#pA*`+ICR9T`gzVx^K;G>2NgQIB
zS&6c`YbnQ4%FBUMJ-7|mo!3sSv<k9SJ%%h;5L}0VzZ4V%FGPg~;k-W$0@-{HA{PB^
zBM=JqVJPgT#v%>+I}d1T6zCJ9dpXN>4sdn3_Oe`uDr~+k0_XbzV|mVb)+UsoVFAT-
zaPGzUCiaERb<7E>KoA<Rh8nQX2J(|LP&E+eFZ8{r3$Vun)gHYyw+8k18G|qf&r(;E
zqe+V5fjuZ=jWY+dZnc$y3>7K$-}LV-LV=}(<q$U2xefIsVOWyeqUKq8^0mPIgn0<N
z9|CGEhVUi@;gy89%DM?|Pr1X_5>79uxZj#vRh^!NO{FY2tqbg_4*lHQJ$C`BS032`
zP2dd;arrNXw!{oLA%D2KXP>29n|6sY5bl51l;gE$<Q1keP}4ugs102LcWJYbNoj5s
zjGZjJ6ccz6sG$SB-S^X{W<zge<X-v-_PV0C{vA_;e$7}Wjb@O$(c-gYiW);%F<7k0
zP-lW@1-SR6`8d*|ZEy3X$ea&ts8?N7Z**ppF4eVu<!meYJ_l7{;ipuETAzk?Xk{v@
zwBJuS)}Pwn?0CGC!bnFRlK1zGhZTy=Ex~VK6JgT47oYZ);1^Ib-UjZLc~{}Z50^Iv
zy^eKUj0dRct=J8OgD?*!0rozi^5-A654cA(mENp#YeUu93shJnHtx;c1bVpKHIi;o
zwjmrc)4VIV_vV%R8GLxf7d?9&)=;z^!aYaheC#!1#}U@z_s@9TkF>b|(j0uJgQxJF
zQg`WUUy*_j*TBY7oQlU`W>n1;d@GIX#2w)du&jw2k5LTzJWNoJNa@{}jp^R~q_3?F
zJNZZ0l?(#K)!1Qx>=U8@*szj)Nt1pz8++LBZvp52W2WrN+wIlZ+m27{Prin9PJDkI
zzq|`F0R_E3`Gg}6jRUNBy&dTv*m!XYATUt&C+`rF=$9=eZoEj>?hG$V<uNY<3ilsp
z;TO8(ld|NUGRPw|$>ZRGXmNADP0ttk3CRBjvTS@?I>!tEQ@4x6-zV{j)i!gq9dCJq
zZY*c1XRqPWVQ8aF<u8N6Jq`OM7;u_mHy~DyVp;P__4F{Txg5&zcf{ldZe~y+QKcTJ
zuLCLT<-Vv~Y=tqR`v;B#_mD!GJwKqm@0;D)1WC}K#|cX9FUB0cm=Ng<0@BVR6c7^q
zE^u_H2Tst@@#S6-4<@_AkLt*bzzy8@Zn00tKkbX`4HWTZ`;$W3d0&w(I6OFUl97q`
zad|CE_=P8caRyJn01Q0;rub(9H+mqc^;)n$7T;vo$G{OizE9tjfwS>=OcZCeHJv3x
zJ%~yB&n&#o>5C5an%6-2;C-B>Ou$D8?L+o*GYN?_e?)I29gt66KVrj(A8hX2a1_Pl
z@dJ6VM4f@=id_mYfIRGSK`DfY(^BpW1Pd<>;FY1uwAu~+qk=zQ0;k>6I>4DX&K-8G
z#<`k7aBl6ceFB)+wQk7F7wdm~Ny7T?JCu4ebs5ZRkMhWE?bp(RAcTW_)>VXrs0+Vi
zBN&OHcwUK=&_5<vIKmwcfH_tPk3k9DVVovuV=3L?KTv5mf7MG&VD8^FUy`D$Jt(gV
zp#HjN+(An4V>Qgm=PWCqbApA#+~Mx+^P!H=`S6f1@;OBo1;7!1cXDG9dY&BjLB>92
z+!u63S{t_^N*x5Fb;jK7llLX<w|`)wfaj<!U6((_;$ZyDY`BFz&Dk$H38}b@^Ebw)
z>=|vKF<`71CluQJXVS)jONl|Ok9`3F@~xgD9t;)UfLjCqL&$^vN46yLn1-f>2c<QE
zizEjpwYohysg_$&%UD#s0#W7+;bjm-bFJXSFaAiq{hq8(ZcEL|4jiY<k5~o&jpNy$
z?0%}=7ic}6N*5>YlQCK>V^3F`rN#lQ5#j{9A#mEb>IqE4F<V%UJzs&3hicdh1KRxf
zfDFEt{%}%F^Qbn-BQPh4lw?8wIb<r%#6gv&X7kurIt~VLa@-{3q^{LlM74JzjyGjW
z;SZ^x$=(s??RY=m$I!Y?mq)It=~JpNdqGhS>icgd|FN*M<pXAhXD=}XckkkX_?!h^
zYVnywxm|S$(!fFv55X@eOCyqx1lCJ6&~9*3yhoj1XVH2Wd!o*K8gySC0=lO=bmiRU
zji4*4gvMv;d0m-L;dnzHm~Pqow_w$yD+s799x~-IM)Bn^OQXQW_*V4=ONeH^4B7<y
z!2aW^`C#PRNTnBJZ2h^!msa~a)XYzp1U?frgXa`?`rx~@Jkl#S{>J#L%dM4fc><x{
z(FY-m{<+WxND)|oclsPk^Mq1VQ|cv@f?8gkeqLgwpMZW2Ja_miRNSI*3`*k;!;rJO
zIvNUGXQ@shEwg~A*7#y{zwTo2v(Vw^CbrYDNTR!W7SkHti;0x)AT1!$UT{w%#nE!Q
zd?GwXEQid-%qmM}Djy9&bOa9tkH?F{R>00*#_KJE=@(>gLlC+`qy=`t6QGXy16EJ8
zM_9c@${|7Dy?cpS7^CsJP5i_p`Ji1k7;f#bZa0S*A^6Gln{t>9*!jTjCGwVpN6+0B
zp7w3r_&&;^t{aRE_D|g5kI{?eE^mzlzI2B>BY*>7z!?l2kR1n`q$lbiPqfFzGA4w}
zLx`zD%z<J%<_5;xjF`qd7;3}n2ylGB`M|-E)MYw#C1M(!7)gB=Q_p7VW}SK(a2|GW
zBz0#={ZJ6ig~+>{NFlHjcVikKCV`+PPy?LN4vr9L0S*c_2{D5Zqjdlm!E^;l$9w`f
z)%A@hlG5)qr5xNi!b3#H;7%mRwXWDXjGn5=<slkA^dKuh`C^cbauHFk0E$WH?3P?K
zW&jHH|LGutJSa^WRziz6x%>riL-?a@pTS7%dNJuC));)hL-UKuG9>A>NgaF*HQ{;`
zE<U5x0!vLEyG+PS;}(!YKK?{Ln9?07pC_cLaorO0-ox{G@UVPdKScX>m&r}{f=|p@
z_<`i+VRHA-Yi0?)MBi$AcFRTRU5k>0|LMV2JXYuFdNOe%MfFEXp&zjhq52?L8of0g
zPgw7w^Q4#1478JQq!UhDTGj1{FOQgbwPX2nV5hHjH9B*fbTFtm@a{fjBM#ZA@lItU
zYJGkJzdtX+sNhRHT`c7-tKH|{4i=n^67watq(ZB`AP`@hYR@Kmtuad+B<5K6gpA@o
z++0`Fkqa9KJr>8hvI1YLn+Y*y<ftkg$Wvo=AfFngefmKu>GP4kpT;g!IXd7`$Lqj2
z)k6oWR7V}~se^@*S*7}32Wr$#9hjs(*MVtjlLS_=JE^yHxQ^i_9p>Cky`sbO8D6Nv
z3mE>J4liW59%0WuY@y*PqeTD&O60!c2)VELhyU%>R%>9U(cMz!a{cEexu>}J@C&Wa
zq~2wHgbn13r)Zyz(AjTVwzeN9_|Q$%#zvY@fm1R4#EKj4Z@q@ab`0@2O(Y2BD?reC
zH1#|on+T7J49jva!Rkfvdf9a`=Kx!e56dWlN%lVOKF*?x?O*&IX@Tei3yo5S%h^Ve
z61g($l-H)8pF;o4|1bUgBh&wuO%o}BpO++lkp58~JZR2=YHIeH_T^>#G2nTQuGouM
zYLk9p;nmymc{)CNr1;*j^e89|t_&!>TY!>ik0a$r`~`wf^YEho5k3V@)9?EK#pigf
z*?lM2At7HRUEPQe-p4x3KOyl&cyUEr`&H1hP|RdGMa^)BcOvw^m*weLmDcYag{J4b
z{NsGl>EqP3kQD@c3Om9K)QEo#1g0rWLjYMJ{SaksYvgEy_Zh7a%3i1z;0pl{D&feF
zoJr6X{`Pkgogbgab;js)xgRdQ$X%-~q*54r?eB-XYx^KO2y-nm#DiBd?X&KQn;AL^
z>5}q^=zOxwQxU7}qamtxATl?mXO1`jgixY<c=X$63@OJ;Zn83tQ^nvaIQ;_h(wttc
zL*O)*tV$!znDOKGGcGwl?eAjru;%Q5bns*AEu%+uBm+i#Gj<ubrTIJKE#n?_z1-!-
zU3drRL&-yD@T8N$awh|9qu?c#f(^)Fp+*0=$noL?ZlO@`c3gF&8{D$2?yyj3XB=0T
zaXcNkV4a~WH51%Wr&W8GwYl)juN1$QwkYG5VnLeg0^I&oxJ~{0UlE_-u02b~8;r&}
zLrVstxzJ$tBya2S)G`uj!dPh_O;D$`hXrC;Z#d4TD`dx7WVwS#ePu9O=#uQ%gXT$0
zmf%0H$y*n+-QigvTs?bMcAKjOE*so)<;DWsNl4$0<=hCn<pq7>S$B60`m2CeI6XX;
za~%*v8oB@^<-Mj@&NYDErlC%6jpd97bS$9O9SgWacGtp-Dv!km;w%Op#{L6O`f7bj
zukT-Dw8laeZ*Qx+vD6(p)G4r|diHdbdkWn2;wi9fxCzQZ&M*N=^7!jrxlM?)PyTmF
zo*_<r$2A1Uz#I>bMTu^t^@5(*5FAI)l>m*@pqhr@6$Fh2Xov<)YY2`cXcRza3n+;h
z!OH-h0vSW^U4W8kW&|$<v`Rx0%n14b9S*3)49HEv>kyS}bBb7s=x3TEO~c3$wr~3i
z-TG5|er%|Yj1s3HRx2V8?@AB;;_&pAWh@tbHHqz-&+Oj>s6ElCLe%C`Qwb{DR0`Z7
z2Q4l&l@T-)ptCiorlHA8&?Nw!ph43bnuZYM0jQIJlDO0~2+&F?O%j)y3IV-HLlazT
zx&Y8zKrJq%jPIgv_$=q?Xb6nxec>9%<v$f}aa?}vmuN>Fk9_Cs|6sJ$;~AC)+Ty##
zKQ9!L4EnJqTI!ENH(Gc5;OYY^EGcfL#3kSFll=9KU42y-3#_m;;MjI3W*3*$Sl4)C
zGU5+eB4s=Z<_4y9Vh=P1tC8o2=Q%z>i0IR=n+NV>_Yd4n#Ss`2dCy+@d_GXXb<bX0
z&wQn&GZz{xavuF&6g5P3WZ17nn8yWA5A-<d3ry`vWG%fJ1R<Rk-1Y<VSbbeOaMG$9
z+FbE_m~Oe1%vs&UCI4i7g1Ul9mtngr>Ebd8Yi`K>V;WqguQGSJyL@>29g%-?Xm|RI
z`|4OqeHmJF@uydWi`^5|Mn7p>L_Xek?h*O;C-Tu94uX>K61Hf9mlu$i*<{tfQ+TPz
zKe1Pm`5DoEp;GzT{2TmyB#EDLRHObdeoj0BKOJ8BBHvo8EA80%<6?`Qdc2*5sV9B2
z$Iby5&pqm|Mf%I9zn;)va^t3>dQgAW=(suhOYUZLRMX^3Y!4lMlLpLZgGfGO2nfjr
zGFEhXXdhqbp%|yaaL~%Hb^7Z|rU|X!DPqLIRO1&9PvJ}Gg;o^uD=-CcA4BkUZLHur
ztMZ)fwB~wzyTkhtt(y`Kk}Pu!2bKQ!=2&Fwcyl{OV%{HF;bC4M;LE%VZDFt5@W}?i
zR}wxp1)fFtQ-o_PDu@z5P*<$SkGhxeqf+pj2=^2IRbu`R{6&OcMR;QZo@#HMPT|n=
zXv=<kSL$Euk{lrSDfZhD&cERy*HG-!^h{TW)?wK$ECkgJI|+}ux-v2mI$2L-D%0!6
zo`Ti-j&)=E;HN{~*c|-8v2k!ds#-VpRQH3cae`nQsNm}~H~~1FD~AJvg)aYjAeIMW
zEyHrt>V}<xuYN-MOoaMNs4w?o9Qzb>asYM(S`!IzclS4v`uY3>_946fy+0NZ^1v`_
zsh*wvatPtFy<h|sK_;|%5Yg6qzV`hx$%`U;jw)Fyjl|6H1POJEeyQy!2$`%3$VoSM
z?Nsmxjl;?^VPDl%Clo-WEMKSEh-Q;iWqIz}lXa54PLhw72n_*5$~-#B6HbysEE0jS
z$VE9xp3+GK5GkwFNp5$N_}sNO>m&!9BzNc}0*I7V=_JKYl5uc}u9IZ4&Qh0)brJzY
z$|mU~U7RE}?pk(Y6fDb1a;7>;ClNp-9CY~het(+-)BM*XMYffqpZfS!At8WBc!87R
zpLPoA`2M6fFAPJFjloOu(9AV8FdI;Emzsr=>9?3R!ugF9!5I7(;uJbK;~kurfg?3D
z2LF*bE(hmA2PX;~VVE&^IC0kBWao8^jbq}1IFzU%O<@c^ooEXjv~N%e?TCDcMw3Ry
z{fE9lo8+Lab<naknuw1vcq7p~4%$B)G<xtwrXrr$|0P<MgErMcdjn`G<L79+0KJSN
zArC^+RT&mCI$O^|;~{9=wi%j--%R!0FB~@Uk_UQA;+zb>U?z!A60;Fz8mTAG7qB#E
zpV7&LGhjFk_|ku#&$!*=i@YSlf_1s$`&qIOYC^O5$77?7TUPSG=wq*78`7BI!&0G@
zbRy22JkQ~QyC9$D*-5EB{W-}=tB{oCbIt;azm@I}oC)Ui0k+l!3((BoRp2uGpQ9Y{
zw^Pe6Zoy`aLuSADujk_j#;hu}1Q+q(eT3r>))BeEdWBOCs(p9uqwLe#Gi$5r+?S1W
z={Rg}RiR>fXn;B0xEMyMEFePtXnTPgwZd3X4<fP)%k%BAJrn7HVTZc^3^oBDh(i}~
z#SU2DX%2Xc)aq7^eVqg5``WSY7I?S=4ienc0uOM&ACpLq1wP3E|ApB7EO18$TrBe0
zz4(k2rZ$18tEgL59CbI3N5~q7T7_$_9GG1Eqk5A!TvZKe#?cFTtg3q%_6jnDyL=^=
z4%UAo{U>Lprax8E?<!46|HyBrf2>{l&sqDbXlnYgzny-3yY&B*^lzu8Ki)}?1@Er<
z!)ovL{5UFwo_}<#>cv!AZ(^d7G#<83|0Y@{!B04GsJbmRJug*bL^MuMX)yKz-3cy2
z0nBP3iQS+V*5Q>c^1WIQa{_0~v!>oz`-xn)4cuI?3xF<Du4_COg0URSZ;;ckaV%yW
zCfn&N_#MyIba3_IoWRZ4X+R8IC3N+V2>sI0<9={$=$CXHSM_AB4d8tQ6u#UY>xGlB
zuIl|6m98#<w{^Q)-K4(p{FIFRkHo(c`p)%VaaHEQWL2M=#b$fT`7DlOdtnw^&sCen
zu%eRn)qgv$A}c~k_DK70N7pf<kz5?UQa=GbAQ#Nz5;1m9Th)#1HBoVlEXzf)-=SLS
zS}>ShVUPR4HR>KLhv7{st!=>sEiYVf-sd+#81Elp^%T;cMBo%50Cw8R>fKA`Mu7vj
zE5&I%6>NPssScrSzi3d3zH={Wq!$#^|EyjQ8ZAoFnx(?YCKM`813d$-xtFXUCUl<<
zxXdupG~VZaX)Q0vI`$g!yB}E0Z*Lk_*!1zYM7;M3xh}{Py$=%+JJ9=9X9PxIK82gL
z{>puGP68C?v*$sUaE&O34A|g52YRy5XLR*NVBL+x2vmvRVICr+LWMdn2RQrDa|{r~
zy^N4bEABewcD*$wGoH!V(knz8sT~thA#9o9vhy~!;~(sZcMy^A$j13Ca>Q9(7U|L7
zEK;6X<LE#4k|wy|S>QpZjMrkl#$J=K+gDD4{%EgCw95Us%SuXoJZ#{u<%6miMD!I{
zj3mynk*9;)kMJLjW{_uBlExFdO^mL}My2H}hx#+x&N}z8iqk3$^$WCwV-JS~8GF_t
zH@FKrl|#=D82#zEIRkwf<SLmkOLupb*@x_swA1XgFCZ<`{f%*4qzjK^*`s&`5GfI)
zqEPRg!gpSBP_w%M4o*K4q2~~42~!r3c}d^8Fx!jkC@=`r+t5q3O*pW`MB$eZgVQ1E
zqi1jyFidH*im?qrslo*a#0H^nu`HFyjc1^82pnPo2WeoKC*4}Y_adr;_{r)VjIs<J
zTEgr<C>!~|4<QYJ$EXr)b=KD*Qnqa;A|Osnuq55M6i!UOw@*A4G~vLbyY@P${l-5a
z*MtKOcP-CLG?o#_b#n2MfvZCx)%YqL7B26U0K!yoHC7Na30O_ckpv#=V1}OuFc@X2
zdzo~1XwCm(Jpqx%j*<PU18f+Ro39eDIo{FadpneC&5AUW{to#Ko}``76lzMZ6MmS7
z96WL<%^YvzNyZuGWFd@n^4-mxV0~lcIr`)?tOoAbP=S)PNDFIgtfeFet}t(gE?f-3
zG5dh3*8iGLrrFz~g98v*2x9)-z4;`JWc@)%+jE&r9YAWC+nGCIlcJx&U)XHmC5x`A
zJPBEp2tmeQspB01Rr!p+TF2}Bv&_eYoCo;b%bD+KPQKePf~rHO*!kWGL>QwDbtn$@
zgHHmoln=Yg%0U_dB)C6mSOg@!E~NW^Y#PW?38<5vf>=bQqe^mRJTCzDX8~XXr$$X7
zFj6wfy<`=8fm-q;=tftu#RUmRv(<l|!$=oN$Mee0fZ)FdNbK%{)LN3k3BGzAh}han
zFTtVfRrQJ3EEf#2NJ%%fkO)nPe9(?8cfa%+^3PLIiLyTPfimAlQFq#@{$_(Lv}`rj
zj#|(zDn}LDQBSptDpaT1Q48Bec~mDmYEio=pNhj*f)xIhc2SjTy&bizUDP=Bszg}@
zuCh)zv0uphK)fO-4R>hN3bGJm<hTmsU(~J@#!@yFHFXZ!6b=e&bBO}&<im9mzJ373
zb`{>1Nc+CRcrg#SbZyo>IOAmKo0;G^CO$r6RiO~c$R!O7Np9)ozR)Tk;6fd1B2bv&
z3VfH#mN9aqf(C3a{u<(TS{?c)6ow?RpA9;yH$;U-#~NHpM0Pkr$a$3?OZYr8_n?&)
z*B@|mAA1sF1MJ@?iUg+(zX4;YX~T;_6}7=lR0+U0On>17ZnL<<f0ZCkA|l*{BZ%CL
za))~W7XvN+^Hs*^s&V|Lku(lW$y9sLJutY2UK^Kmz0aBlU}-)hS6z+iF)q8dLqUH>
zeaq=KyW2md?g(e$Do3e0xPUoqmDi#4J;$8_feW0{+(KXaRk>Lv@8Q_vG3aRfZ4J=K
zL_=5(WRF^8fjIpw#Vxc22}=2-lxg1S=r1Hy!6bZ?{f-2Bo-h5RT=N`YlM{tN7G6_&
zeUWu|+OHflaE20$pS;j251Lt!DbGpqqZp4GOWZQV?GNbpdC_PWB2K(has3j{0VARD
z5TzCED=J{j2`q_>)#~Tts7qE*P54^Hi-QaQr2X;ulZyXKw|i}-l>YAA9FXJ)3zFIV
zN!zMAYjT9D=Rpn<4pRK&KX>hi(6JRb?CL|(e4UgXVR*E7fO-=xjG_>%Zbw?-O+{oc
ziZq|7t+ISfI!TougF;z|3W(G=NwI~9#Th0DX6;Q@&Uwh$LoDN=Li|Y1m+PDfRzDt_
zl5;&#Tf>ZMm-DC3Sk01=E1ai_Ov-u{qAC2mHoKoA1Ztg+yeo-jJjC8Cd2hsw8MP)@
z-Ibd60;0C!iQ~iauCnunFiPgsnMs*@7!SdfxP^#I5{X=^U_54U3kqfp;I`ga`*%=+
zko$&5Ps%fIg)xW$(0A-%Q%H3X1z*;Ne`Xn|U_To7|31JWnjhs7rwnQ3LJNyKc;QDK
zd>VW7brZ0nBoj9m&$n;HCiZ)rc>ciWN%Z4BT$#$lMW`EmM#dR=s5(o-cZ459UL)iT
z7mizT^GrWT_Q4}8B2W@9^KjcNPb-o&su!55^>>o;Mjq(kolA|Et^#+ArB(P_YAn40
zKNUvfB>AbrxqxlH^tt5Uh_tUNB47B@AFsy;or-7Vy2B?Tj24~7AL_%MEUfXWG#kIM
zcg^o*cKo059h`9*U;&Wc;UA&Y7q}A|X)VLdV}y<w{Mj*QxR&K(Lw)%`{At((dqI!>
z?ozlURS%<MltvDqg1DdNT*hVn)F(Jbt%(H|d-v7m(p<wa0_t^9t*Hr6isIbzD6aSb
zO`OuJ{tu%u$AimaCo-<djzbfwqZo}faLZ0(d_LkYjTRT{^gAB{!Y`syOF8~MD4tX$
zj%V`TWb|8(p7a?rz=f~Xm*497Mjb|u;0!)Gw;EK9SJ@;OGq2XL%Q&tWWtjU#S*U^y
zUYl-(;VD$KZW(Pn#AGPaK;zXKge-ImnV9rdr%A>c9}>F-UExP*9A?k)tvs@&0-6x8
zc!hlqla9s3c*oO4@JCq2{3?tp4_sJT&r96(PgZ-T{Wir~RRaLFnsaflEo(&4uUzlk
z*GLEEw(Gs;EFy*R<<MeQX(O%P*=xnR;MHz5;8E5CA?S;<yvxA|JfE>m4mP%^CFpzc
z1#JIz+#y;_6WJ;(x)+$NxW9*fN$%dGb-#dwE+Qv*SK$MPIrkxX3Pp;GSFigR9*?@%
zqUNq$fHa!oMW6_4{Q&?lE;rtU*@`+7FimIhFIi_;M`3s3HD;etS*U8HYHZcPpE<EV
z=va>$j#%@1p$2)1Ed@QXXwVJ%97D2FaC5XstSk0dQhXcE$e0&W)|~YTUB-uTiregj
zi2B%!B>Z=QuSL#$7#Tw4jYfHr-2J+4L1nriSFQ5yrpl9l4t>0ry&inzF;6MwD7^1g
z34oeM7Fc$di=5WW-M1>e#OwbZa@*lXZhhHgKyWqYGq=Z3Cic4$TsDs=ymmxtmi7cc
z7*!`U0$(s(Y?5B!BhFv_cM|g4<2r}HKMI<b_h*AfcHjXB>&3UTk)13thwlahE#UD#
z>Ll*)O#<AZ0uCDaOtOpR4k_2BuK~oo7=J|m5Vi1rJ2@7~1$oIkHUx^R&6L$Jqx*p#
zhmR*OfK8gY2yi?Z>*f1z`o!-KGEYk4Eyf5ujoC~64((|(_l!;sb07bX+3)6BK<zHA
zU)&vGfFw<c+_gWWkCfsb3g5)6eUTP%Xu1cg;LosIE8th|7EQaHRs9=M;~7#s;K6Nx
zwB71tMDCNt3+UKMY}Tmg9`tZ3yP5Sm*D*qCkNQV<2pHB8xQBqTO7*a5x43KnBDArY
z&DZBN^+tCR^@~6qnvzAj@CmZhe^FU&Tc95=P<DdC8p+&^!B2Ka|LWTpgT{J@j|dWa
z%8kg#Lag;#6}xU7xTDu3aqJ@H+yK0EVKYM?pJ<qOcxJVuMG+4^mzlkf9@KCkDYFA8
zww>8-Ai@**-MPJ7{!-1^a1(_vG<_TjeS#Evat;?cdt)BrOULD(=tKDcD=)-|OHe<e
zyp*`>x>>UWYfzWV&V2QG1jhYBa9rzmzB0K-J+&VrBwE#+h+fY5!6>MgOKUWWB;cA@
zHo18hP%Xx8S-`rw!*m`f?ipb(4=(R!RnmM`Xa!Mx*awq+OkB}JBu}JcrWACyFMTpf
zLkUs8qP;EgK>6IYzp}c~hd6ezkk{U)Yxp>r#P3;0ftWC+b_cRT9#zakfeNHs@;K4S
zqteRb(RO)o+(aJRtUP{+>OA-YE%WG&Jj@8F>v<I_&gtKcpB|x+H;@wQf0W(GbxDnU
z3@UCnayJ%AH)s|pQ!H`jxqCJeHk<@zX?6Aq<V3y2x}Y&1?23L471Cy&#j-g16Zw7K
z)skTI8PWQ}Z_xA)V8ZcCcz_ANLu@_ag9tAHob?;T_#YU*f$=ED1E7~wi~}r28Hy2K
zB<n=o?_hjF>n^0$J%hzGx{o<R(ymO3t4Leb`Yz0JzgmZ1dELdlmZJt@mRK?WW(<@m
ztYfK)2mG|;RS)4>Sofp6SmyPa+kj=wcP%`R9&I(=yBe>`<gG!CXY=}nE{9jL3LS=}
z$zv%nzsJE53|QdsEFg=HF#CZJ>iI{e?&q}BII`e0q+SMmNDKbj`IHhf*TKxemZUmB
zu|+;jnYsy<;a9&q`}?GnT~kx~m@;OioMWY&$&}wR&tsEPuFpiCr#pF0V#-=8Wd&1w
z&lF$iNy?K%PTlQQV=d%9L<Vk~xkMvRIRbKjAZw%tG}7fqK<a2we7m!*@>=}rL{~8p
zn6a1;Y5L)Sps{LE0UUF~P*xs!+nVkCYF#(@rGOhMLG|yibZ6x{udHW}kj}g~6F=6A
zFFW8tL7j;fg<}TygDvn+;-Bt|F3z?w*qb{`w10woNyu6IbBDQ8x-VqS2cAM%kc0oI
zas$gLkq~nrEj$;2<(Y`Q!hvTyS(EaQpu}`K+%{>#q$y}mI@Z)<)C|Pq4?Fdf)tnu^
z$Y<)bI2o}8ebSeHYi_0L@U^bnYUXT|d1%Z+A47GZQ{WM1%u-SGZ_xVjN0amcSBG}M
z5LX*^+Vm>m!KYIFM|kC*;?M#C(y`1_^veaHC2LjLZ1Pj^2lj;MB9rfR%lt++S{~!{
zx;gIub%F$qL9w*jnon^%mR$%)ZPr3Kirl@3c<nmPE=R&PN)FJ(`Z$Gi!lJX!nA0Q&
zFosnjsLx^yt1;#*0x&Xc5?~8O#}Au^G>arScO6QDlUaC5g-Q7jK_=zDx?$Nk8?{M7
zCm>XikqOv|2<1ztH$vx2h$p!QNC+pn<`g2-IxJsi2d%>@NeTx)a%9KO(Z{kgWz5P`
zU*Igi5AL<qW(ml>Wc7{?bB=}gbp=5#HFZ=sbYyGc*xd5~C+!b<$I40)E`RDZRG}|t
zw(e&oajm!}UMPAQo}WX-tuB9YOKo}(QP>}RWlbG%(hEXAV|8qD4YvjL8&`NFGqgI5
zn>}*IB-*Xn7b<cEmIKjB?h3pw#s8!e3PwA;q{>~3#Z1)svx?~C&fb;eCNDz<@r&V1
z4v=S76#eKQ8(cM;F#k?$0!@=cP!-0+s>{+}I9<vERO}q)sJ*B&+`0LT5UWC!{S%~r
zxG^vXd*GR>`2mi=ZK@m`0olN_G9Q<f5bK%SmQWB0QPBdtgG18%hk>ES><!U_$hD+H
z<W2!li)Ph1WiIt6R7gZK{xbL`%hDUMdyj6KuV!A2JpfDxCRM|O>C{`Qu{}KnPEw*J
zxPey@y}^@S-uz`oyc_u)T9aQ<^o4&c7Ew+HPoNYK0GF}0#1L#&EIcv<;}oVVLpcoP
zFoczw(%d}t_(WtEI?#E_%g|=HS}M~Nt6u@YB@jJzN%U{WAC4smH9T*Vvgk7o=Ifkk
zmR@9cpb&2S6UD1l{e8R!lw+0iJqy<F78~}OT4lik4s5OZ_%7;f=%}^o-vA?s^^$5-
zpjh39??{tGmQ<=q_=4-1{nqV4`u?Xq+DQrldlFaeJuvIkG!!B@J==ws9){pND-5j>
zkv&+(r$4Y_SKutOFF>|jY2l#TSNO5XAD({pw(8QNTXT!ubJBoS&bt;Fx%7%dmS)P!
z_6TGlpc#*V<~srw+w)LP_tN#2+_lsm69k_jMK8Qh8G?_9is-=g|0l{lK)F2932DnQ
zjY^+f^}jFNFE`_@l_vjrm;wxOxodMd&S)OcV-U<63Pl-Tw#JNU|8S$%HZ^}T`jOEY
zpa1*px}n5qr0|1itp8J$SJbe8gRgRFXRzm%IdiB})6vmjprIpTn87;Zz%%ktc54L?
zZkX&*k*_k^<2?nY9#|lm29iF!E$-1bfp026=e;e0#f^8wHq`b3?qkb3&i|?GZ8u3q
z3)*sVO{qaaJBXg({I3JbF6Q<SRKT)(ftKWtU>TLkIlwb7MtPuYu4H^~lwB*EOIhCT
zq(dHv2O1y^BvQVE6eJOqW@okmt)Twe_G`lafmd@#IG$Hn#B~f#`+E4Ivnm^Akh*&X
zGoD`Qi^6Bh;9uL)TvN{TMd!A)9g@$Ecv{<sw~%o+c4}YiUIs4kVC2fg!={#=k?#)9
zH%^dexzxTn$SYD(Iev|EUdI?V3GOrfeL@E^0{vA0HX2XrV19whVVwmE8;2gN>(!+&
zoFi-FUpoD_yZ2XAIWg{6LPXS$IAE<$p0>O1>$Ts@)fpSJa+LXJwi2F0J{JxqFsW0^
zz#zP{m<GRU{#h`(WZ_6%4=6U2G0PJ>td;s|rXl)Db%Og<T1yw-NFHKl_?mVRAA1cg
zp_8AE<jb=udDy3gs>DPOC+mz(IP8gp$6`NU>t_x<N#~nlIXO0k&yfiVfP8UyieM_-
zgDgA<`2AGCdszH_cCbao;7&yzZ-Hc-cnEAd83oYdGn)<k4hqH84+Bq&5p*$^&>VXM
z3q9BmpwmD2^p}({k>AFxSe!x%!kG>BEqyZD!AZ8ucj_A0tbw!en$@oIC>`2-o$u?i
zg^dRtE{2BglV&(d4O|L+9z4`J@Gi@+`UX;KvC@dkJ;q!9*|e7otS_aEMc9B4ZwuJ3
zZJdj$q4V?f1zs4I^Jv<UWRMY|Lz(*2CNJBIvR|9&4X!*%BE6BV{w*V*MXE-mze*il
z07maqi$2x^%<Ui<{sb+GUrw=4bOna<Hyhc31sEhMa`SvqxUnq7%?~VY(O)!y7?Q5Q
zAgvdP{(@N%*D`Lis4z8-fWXCYjK;q3mgY!*$P`Lj9uc?2+D!(k$z>?$xL%fyD?k$P
zHF@bp_zC9&kE3Np=AdVykgLX(Z0Z5n0)W!%_De1n!^PA5@=W9&YhmP+T2M0v@A+9G
zId{>KA2ISuM9SM5Tu*FN09i#=TYnas%aE)h@^ccsGc~=(k4Ucz>0#0iwdZlEiI`Z@
zPV|9iS_HY!h{D{0#JIp8v^BmeKwUJ(9`ZMdZE7FXc6p>WcfGWRyl=?iI?L=qs-V|q
zu0Tlr0|jokK0MYJy(|;PZ_MRE>*}{2Dx&|&0S_SQJPAhAEj!-ZwwtsEbXt(UqBq^O
zJQo*~Jqee8dqqTcbIXl~)&UIP1YRSMU(rwb#2c(p+(8|jja&ePT}p#=FZ#uZv|p1p
z345bMORC6$f(_*`X)=-`e?>j9z%JE9)FkOrs!$Xd9n4;Xn(A_nhy*;4kJR0zQjpgE
zJAFncR?Jvf1tUj%YQ|CE*mr1L_Qhx5JPBs%`OxNtfM?Q(&onO0XOVaK_J1q+!o>R{
z%Htfy2m%R*qAd~=goL|x1%ba>z{@Nk?-9i^&exe0S-@rjGc91Q1?+`(h;_4oZVSl!
zrm-vw`15|2)m;k*NtEFM2Xavbyd7rC4SK<TG`n6pxf~3#=9NP$eS`7g^0|j8U-}<C
zzS$f{JG<v#p#UBq_~D-FvpA4N4rG}>L5Q4jjhx9LJjeXJJ={aM$9z2j7lM7Jv}(#j
zrhKRav!+}i^64vDJEcTxQdG``&#A*?{how4B}Ao43e9OCDCH+OD4-jehoi6cvqD0G
z`0Q2C{ip1Q?(dHzTKBKx5V--B(M%~8qUe?Qr{|Zk8W9V6v!F-+xj+@?qEmC~#7j;h
zKfGBE0Z7<aXn~jaiMewisR5?gc^!6NpPL6VnouH*`Qs$tPyB_kUedf<RquUlUVlOC
zL<`VW0D*JhRHB1DV@t|^_RLDQ>eOwB$MtUQ?u<{QoQPu4BS_(S2{UX91WI@iUuxMC
zmIi>4?pP*1<GD$8FX6Bf%dsRc_@nfaTV<?iDM`aXP@5|r`zViG_iZc!s<<k|$oBm+
z?(pBiV(C0MTG<iDe{1;$X)&%)(+>9p4*~Kggm7drc&G!;3)fu{0>fDiJ#emx<yx7i
zOXmJi>>La5-4D7S^k)$ZEZ}DrkoWCk7g)e`8YpL#Q0z2$zs?*2frr1GOMoQ%pt{7;
ze}jeMqb}_VoIeF2>_#-yfs0`3+8=VYOre)OfR3mIs)Bu|PY_jemCrsz@zq`l<by{q
zu!q(b{26Wou#7|boCz{XOFWA}T%GTbgWd-@EuWI=eJ#~Krn(53XsOQ3N2-I64msXx
z{u@Zu^*VeX!_sf$WhL|XiEnl-bBOb8OAI&haflaVWf^Q;O4JD(;6^~)XR}`>eALNf
zQ0Cd7K($kaqMKjf!>YeEhUkku#_!bMWVj2!q@Lcfr6dEh!rkhCh7}t#^3}c5=~fe6
z0Vp`vWQ>MCCa5AP<CEP>Ms=(k?ZZ#!uA|cHMwe@`Kq;Zu85ZW#N=~-lu8{3!yPM(l
z-?=pOsZq3DYCsrd{RJnm!s8Hy<3NaS4Z0A%tYlQFHQvBooUD2>aYb|iV^w2_!XS&1
zuN*-At<!0!(nGM)Y3$4ZHo$ejW=(g4F{sKd+<SJeTg$c<#ue;`W3|m^U%6KAO%r6f
zCrs%_MPYyV*vi##4(QXDtih$_Imm@us3EyWZ5=k(@<JHjo07L|pa!}h^BvSc;`mPc
z)ti-IhbZKDo#rd&H!hEV)|4_|1468~YuQZpq@s`fXJ{B@Xj!cVJDO<0Wz($Biwl~*
zPqOD_zU0bUR*h)?*ZM1G*{%HAq`xwkRpBeJj&3SE^yjVh{ha_p9^0Sa56<#+fd3m~
zm<J0rg}$N#Q%_F4uW1ac^ra6Q7vE-$TQuDJO0OH7`7JeKbHgOCRJss4@mqLqQT8S%
zP?&GY!Ag5kFgS}wYZod*<5Da>$y@PU=GCi@u9=LOClg5>U&VGeR>*qfcF017@w^5-
zpM{tT%<IzSC3;^!%=PxD`_Zh_5m~h6aG-UkdoB-z$Jhj%><qyzJ7gdv(se$NK4b;y
zQTLEOe&2v~$kiXW91kmxe2S|mWvIL*57t@-7Ol$Dtw(Y}fL?W3B%d)*sX|a91^8#Q
zRvmpX$o-|km1hM}5|>{w*8d82WH*6zwyk|CN*{mR>i2T4!A`E0piHC@SQ(stg3CWe
zmv0+rVKvc%$!C@dfqBNnd|b6FtT=0ehwKQly2!+;KIe9WaUPu81ZNtP^W}Xw)?Nk_
z?zOcc0U~fXFKul_(N}lE9^IoF(CMT$z1XDIFp}U0V6n-$))@{Ri_;>bK}qCJpU>C_
z8s^LBy!CY7)hhLo!<F^1MM)g!gH-0{P*(~2Am)PUXLG0xrEmAX0?ubl0^g~h1Z$M~
znY^+NX4I2I5lpprs}e;8yH&lphg!jZymuunG(t?oSRS|GZxeuZ*k^#2`HbO%SY!cu
zrgtTkKpZp8tt#6m@!ufqT?s|iCg*jK0yj`+WXI-#8|oFi6eU^y^MQy9D{3$FG<F(|
z?(goxz;g=9rUxEb_6?zKqBu;fmO)BKU`clHGepb-2L#dk%0YE2SuhkBmYm=$F?*MP
zm`^)V(3gpZp|h*^z;r%G9q1BV!ETV|@5+a$bw9SYlE(8EO`7{*JXo#Afr1T!<Jg0v
zJ@6GJ{WrRDe-1kn{$sR&7HGa3%3fb0;#x+B0E!K1aBdMv`=_L*k&;M1J2m}kE;}5S
zeiZXZ1(k3mZ4=7xluhj0+272UM*dZr--q{X?n1qBu7+T==i%{JT72=jORvD;O^xXj
z26&(=P)762Z)AxJ<08Gw!_WC~cK^r51RjbB6_0fVe)xXP_iMaYpasO#^AA+FBUyA>
znp6=ANZpQir9~9i`j3})5wQ2ws{RUZl9<}bkW`QL!F{RYtwZl3)yJa8@d5O}<dZc;
z|0!kY#JvhO)K|M>-Hw5iqDnX^N-Nqp6%NcW(t+xJ-Ol#Foe8r3YN<;FoVPnX#A-%l
z6Bf41a3%kH_!!W4OO_yG6x@FSHW=`FDaH-=(u&czeqiPE{#5#@hcZ|r_`-TMTPF&9
zh1@^4`IW5y#Yx3XRgU_XMyqsIP)by~WjZb7$bWV0DM)YQbNGYz%-cq!eaZ9nvR{GY
z9cSlOL~g+Gxu?L03V4sl5{Vo=$KnZ>k|KC~qE$`ZNe*vSTS-+G|MIkET0?&CP2qRa
z{brWWT}!zkpWL-v5kmWm9NX<a3g*b!Jp+5wn(zdPG&FVO95$(}+xf4GvE+@cL!#V1
zDfg`?_ctigZ<f2!)aC9=B%D%p)@RmW_W{Gu{V4s;)b$5#AF?~1PqiV3(7*^)N*17r
zzy>^!xlh^h%=yV7Y$~Bk%esVGq4Q)9UW8z2^oEXER=swpe+wgV5+2bwP;?#`g0s4E
z#-!D|Y%%ND+KhbLWC+3VKLZ&dTWoEJe8UEo;wI!x<N?YWtAU)hWvl68_=>y7d|edw
zoHGzCi{6@H7iEt+-7X5E;qy_ip;~1+Vo|=sksAuZ&-_J^z)(vF5~YFv?j^%c3eKWQ
zH<Zg+{Dt*^P1sI;jCYN74EuYUH)dPwjWCWx9?Zo@5n|1EXL;DYj#2kza73Q&8E^8y
z5A~BZVRiajlK)}x4Cp_eSK)BEAaoqIs$|9bS@6?Yu~sXPGuErWw&w$}LX^lhs9J~R
zbj4@uuw0h2kzw^SnxM5LpJB8bruf;dB?B29%fTOw^C6oFhxoCS?C%M|#Y_<w8~59{
zRkZ>89m_w;7>45nzYH3dGdb6oJaEwD{K-RcGzjL)Sk5b_=efos@%~NVN)Y5-(SfeW
z)Er+lgC}pni&@!NknQB_*P_lxlWGbq)13|AQ(oG>$mDz=bX2{h?Mw3FPe|t64G5A#
z`}NyQg|!%r$mo6U@V}s|%W;BLef>4-(}eoEYp(||(ZaNY4oGdA+_fLENYQb}#D0?A
zxm9gJD?!a|j_tDmZ)?Eo)JfR&K%_hDwQ}Lj(p4D3p<(#Q*PS{~ckMq(6@a6WwhW8F
z;MdmS76Zyr`SN}(BXGhYdqm`7wF~A%8J;}KEsqRk-z>vRo$$AGBy@EuGN76n3iEV-
zSp<n>{=*ubY1JrvF3KqKNN7Dvgg)>1OOO+FT7R)%1Cb#L)RCphV`;8MX;=_D66aNz
zC03CgG-j`s9uT~2Z>ThPV4ArQEf8x0$3*X=*WZMivmI~=@0%}kU8)si8gCo`8|2WJ
zmK~@)G?-VTywnIzf1n-``i%#r3DVVYSX8Yg(g`6bqQK03v<ao2-Z9~Q+*A0`T8Pwl
zI_Yy&+vklrXblW%>KNo)iYGyKm-B@wlx!qR_BLva@KA(xPxuCCUaXA|#0}t^ywTgz
z<oPF$3rA;;#W-2-&|8B^Ip1d~$Kk}hQm%bo-~tuA(cIC?$EA$BvoqBn$xtH1zO>nc
zh4*aUb0|UMlog>7rat8bMlN@Z@kC~mKVRw<*;E?YjdJ6a#kHsb=x)ObYpbu{N9F0*
zDNs0L(B>_=DmQoPMy<uL%M;seX9D_Pfal_YQ53GjU+)#LJmK<hEE@k8)Nz1qHyS0V
z#aCWj=7*E~jyMONr`B(W`~Z%+<YlVW_$n=$FmUPz?5VV07Xf0F<f6<KXbjD7n?^Ka
zmoD~K=<IlUm`>V3a)u^}50bo{U;0p}nt%#{eD2g$ATP_zW+kGR<2BRgVsF3o)?40X
zXO#a1htr=l&Ta5E{QjHQF7vMVcJJQ3@y^ss=rr(zl;+<bIk5lp_jcm>+M-tfPJDdb
zyt6|z<1hI7G;+YZe_P~0zxD5_G(2|)@J5!g-+DwgGV=50o$0`hW?TZui-c?!w2{$_
zdjNTikT05dW<=IEZ_7wqjR||5ehwoczj6j5$tJbz9Sq3Euz}$wXixY<UJI6$!qWB`
z*J5P+F{O?Bt;fNQ^uoAX%Qv={3VCkhSZiJ61+WR*?MgfDPU+oHksdjJrn>?+8;omj
zz(!MeD{9#~>;{Y+E~5;k@K2FTh@<o3T`6{WiFV+W38j&E48xVH%y=c2yHJ#5<L(o)
z)L(DLhcP<O8!hdW<HfFs#D?xZ5lX+Q+*p~r0N8RJh{V(_7P>FJ^u%nE=0*xprvBY1
z%M}q%dM_-p399ulIdAdx`_Pw;QScm87paOiP5saqJ<ywm=YhOw59V?hcEn!#i!n1x
zO0VKI7<5Y0v%T1_xk0vtQuIrxt-~^$?{H1+q}M}2Z9S(PCAR@Izat0mu+HJ_haGJ+
zAx<xOT8DAD0O$Ro^f2iMJ@=do0g;3lUqfrVf~I>emTz5#_)NpTv|y##Scs3TcF#SU
z7zUXcDVgR=+h~;BAY817KED7!^e|uAI`|Y`sE$XS(D&0<5N=&{6sKwG5Kjc)MK}#?
z-qw*iA`)_ewEFzWahpIxtwmhpRS02-luXrPVxuoQs`fJ<UW)TI@95}D1IZPO1bKS4
z&MCAuPt8V(inMKbb{={;3leIqA`<Me_-02RP(pP}X*)?)H>Cwk`Yfwo)g4Ln_dDQd
zy}Z{RS#2$OdR*!k%(FFH%@={-9pl;8f}Qja8))~icj>KUF<{-{A5n4b5iT8*B!u8L
z_I2|8y@Dpk#h<^c{dkG?e%O_kOTt59dP`?4{NS|84!QpV_XIt44REOK8ru#LGs7+S
z57Mc>vEqYa1$<DC0@zw22AJ2lH8)obG>%-6J&}nyYT{O!V`6}nA$p)#VTi^<&lB@Y
zF=`J7f@O+LLO12Bzon=tx>gy^5#>%9QyPKu^L;R>k~M5O&R{~9>`?~z1qJc0F&Q%>
z98%xIl#czSZ7-Z)&sP5dH$x@4n(EZ&q%dWC4G*XLq1FdtB?wx6UpWTDyo7!$gSvv4
zafmDDI1xRYXXE;-46Kp(B4t=|8i-}M@^p-OGLEEA%rh#nv^Om?GCE7m1eOql;Ya#N
zkvZJByMH#8m_&H*PRouCO^cKa)I;L~NsQP1Gu0p78K{G$C!;gdS~|J@bD{Q!*8vg2
zw^V<4aoP<j`atAI>=uzAX)M+H*{^L9k_dDW^(r7}Bo7C3Of0cTxNJWA*a+M$;F6m@
z+^Ua<?@^DyK4M$&<uVL?9-|WGM4+?b;aC~qB;;wd5}#Ira}RkZ!|5-LE}BUnO2ScD
zv19RNTUAGI!EigODt1;9>=4Rj%%eJtd6K|i18h;Y$9Jn=Cl2lD@!C5^rfTxciC6y}
zt;ZHj3gIRQRst7-)dv%CW?`3qLWo;RPoU}{>?hTJC4qE(1gc`fS9oUx5Eo7zrlb4d
zvPU63jH*YFxFUT*p&gB_=1g@DfZos{+^boLBoI;xDo%U+y%fTb9`b-tX++Zl=Y8N~
zp)WcuLk&kdqoh(YiVh4TEk-Aa%T(v;xU%TLIq?^@ZVkVVDF7t;NK`|?MB<awx3_3Y
z#$xJZp^pr6)W?9ArVEhwtDk4dw4%lt<h!p=d|;Inp3LSWF?@kdKm<g*Q0U+oO7yN=
zbw4N>qbgx`^|$S%Xz`1{$C+378Yb&vC~6xRp(X&gXkz8mEjW@|unTh2SL8W?uQ%%*
z`~iYLZR!?hTr?)%z$;HTqAMJ!@+IRewslkcWymfmL<+mwS!z3grRkGzFzM*zhy<{^
zB7E<qmH-#!l*FlRlC2)qacmRwIFM@B|3>R-b0fr&I4rX3;dWSltE+s>&=TxN!1)9k
ze}t5D1;;QMh}6L<Fb@NuPyw5bl6=f)fSajKCGLc^<*;WI@C5^J2718Va;&64eL+Zh
zBMA>}w02XM0Nwg#5)NgO1d+Ye8Io^FzAkJx#0`($op+L2g^@XQC_V59j8>3&O}}-h
zn*a%~h;fWH9|4v#e=Uz-5c9@pgxHH8vSIBFVvR|k|C!Jtl`HrJdOJ8Gn%hb%iv?2M
zt8{f`!s|c3x<0ZQ`&AU2=ItGucXacm%O!noMXUo*$iTW%7yN<Kh0mt0XD$J}Z?G%R
z8`_-~_;X@>mdRngUY{TH5w;#S)1EAid>5OPq*?C$7}JXJkWs5XqphVISv|^BpWzUH
zWasSfj(vN4XUOa+1+QCp&2Mz{M%KHR_PP|l+0#l3Ru`?C8fWHMUdE!3Ge4oi;knQc
z)f331V8i~&)5c>d*3pk(9malEn6p0Iv*3ak^u(xA<6rfFB6&snzk&#H{5}OHikx}D
zWJ(gLZh#npECNr`ke{mo2}xRG9utZkiKjU#qPKR)QIB1N?##=6c-v6*0AKI~kG|TC
z{SkaJTna^ieJ&JNR?1N3(&*U_fs`dslT;ZF@-a`xWkW4;)zUV}Sj^0IVQvH17n*_H
zrrOm2`t+l$+Cn=TB_RzhV?5dx2`vPYs$(KtEM}zMyioy?H=d*}sz`s5SQu^G;fICh
z49nGNjxK&S)?B%5N2Zc#cj0OSil%1cmt)iw*j>%`rAc03OR4cB%d4&J8CRnrqNN!*
z5#gYtdz|)46d30|wt@@sm7>SAobCPqa<+hS78{);WPPPzGf=4uUibjB^tmWW?4~4y
zPCzgRKtRM_x0aVXF}71)DpTc!=lxP827U-2FtSEZEmLaDswssOr{6w~V|M%oFf%$M
z!;zTH8lbrzL!ND_RfDwB(V$lV@?uRT3u$}lw)`hRMoEp&7&T6q<%NYPLY1wCLM?#B
zk=0;I19-p{2Uw7B?M22fM0MqZazzJ4j$Boy%9T&;;wTfHp<5jXsLny2TC9AfkzaK=
zPLQG@Z)0MOZnf6&oFjG2hO43W{XcOZS6^bn+sxL=urYLCMf$99TmkC?Q8A|HhT8&o
zJ1FH$SiNL`;jdO|<<G4tkIvGp;}QP*CXgktf&v$rF$fXHQ+s6)mg#abw>+}HydO@p
z{z@aYl%D8!a5x-@?uC>^YRU*Qs|K^@$nGNLjr3YFWkoU(+!yW!8d44r!hn!{iE(#f
zmfG+K<c-K^MTcx|tJWfa-i`JbCcjr3*{$=mNqUWLOSoc*GGNhC3}<M-wxWr-SO<|+
z<o&kLd#^SB@t(b|ZY*UdLFKiOs0YzdFsi}5+SN!8yS_l%^^x7W+8DKH)u&I+OH|qo
zD-nr`lzUDTiBM<M|7}z$&l}n8#TK*Vfs|5PR5L$|)mJ;NbgG&Ye>TP5#rf>19w<r4
z6#hCs<pL)6jN!fG_3;H8%wNPrcJ#4#w2UEql&k|P<n$Vx`&dT);h)cFT!bHW2XckN
z%7bu78mOmyglRsH(NP?>VI*0x&u?R@L5vc^DHF(Y^a(bme<-v{?ynkiK8Hb{v2qQw
z@uja^)5L@wm~g^IZ|ETWTJ`#iFH-wH;r^4+R9waal|TdT*(d<{FTR6%2E8%U`$`&o
zFu^j2Y!u4Tj5QVM3t62oW>yP1aQd$yUH{P*t@wMkyx?vF?LV*!Mrom1#T%Qn=g~Z9
zmrNM0q@$zr)hV1FAi5JL1Q_h>BiU<2qss(bT{I4I0tTR971|GOJdzj>t@R^4yjB?h
zsv~t{E*rjOXil2U4Jsnlm`M%I5@SPkg$&xqy0IFdfoDKZ>#g9Yphl_Z)~x4JHynut
zijxZS;#iQ!>yy@&<yv(w2AxO~%2yGYn9V9UZ&B;{Ja(^-eixh4xhRk%YFva2yes!n
zPd1_`ICzbJjy&lJ#qaYVh8RX?!LN;qKpDb(%1o3`ohgM2bQsSQHZQ+(7=3jkD9e@H
z_WQr~{(#;GlVzK1bs+|QOyiGfr>sOCB3nywhy=2&u7jS$;Kp!S(Km2%g?2XPRp1ko
zx7UIzeCz-LD4Vj56&N5YqJi{^=xrV39#6c|o@Yg8;0)I0*hX+c&8iVmP#1zS#h?x9
zue3;VaEC7<`H+x@O1%#Jva)c8ufPX(7aE1g8yLz__-6=+lj?E-a7A!)i~zRgvB)X@
zAoib#b&y!|G*%yC5x{|E5BOkC1o1?B5I=Ju@FyhU6Tpkljl>^x82<6ZAE1kM9trd%
z;51EO0G4*SKe#z2(7Q<jry^~8kr7PKlj&8A`;<KgygB`PO2OdQ-qL4?>I)NRi0a<O
zl8JB%`p};5%cdgsGHvfT<^~WDe-irQA(ua)=VVXuLf9SugZ2l3<o18|x7t69xeCs#
zi4Uuas5r-}h`uPteX!`5NnbM3iCEY3$eO8O4eNLw>xkd|*ColpB`I=nC2Hu%0na^>
zze0rf8EiQyCe@b(;6EAtwF|QnU^iqHpO@OcBZwW+*nNNvFRPnl0^9<|n4BFu_8POR
zBL1iZ{!zpi;J=B_jpY>lyNG|fE}qE4g9P-{1ZE<`?j#_<+eqMB5r<mzCa@zqqZ?y|
z#_t&`hcUsVo>d|ci{Ch0Af~>ZED$n|vTK92N%F87>0w`>J}*iA(f7c<z688Rz?}l{
zpN$f@SposRjY6B3QzWA^dJrmUml8Ti1a(W}7AC$xCq52nSPt486JR~jdRb_@iPj^5
zb~Mohcr(#<VVGr6(k}qo4#)-8>`1LA(FAx2(ON9Do<wU(pdCXr0rn=^;}+VfMEh$3
ztryV*_ybB}PP5R?BifxB4emH*WMh>Khys2LVDtAD;sW?RRpkl99E~VorZ>;D5HBXh
zoCIQ?Miem9n}=khbW3A75h?$uFSE|qhyrGM^8*X<3L?IfKrGaV0%m&ic?<D+B0il!
z^k_r@Grf6_g?Jt-b9VyKrx69r^yZZo;zUv$l|Zc2hyrGMGv7j-PQ?BR#Bmx?z)Wv;
zwh*I4OiLhEX+!}ty}1RNjpFb)5jR0{E%wxCL;*9s`KpEZ3K3sQAWqVV0%m&iUJLPc
zBF;%5PSc12W_ojig}8-?S8K%H@Ea3!Vd5)tAu%Dum={{O-w?L|5EPTRv`RFt#Ed2G
zQ5Nn`#O;{CrRkz^CFU&RZsj&Cs^9T<!2S4Ihwgj_S7O=_W707ZaeEW@#RTpG2UlX=
zC+=Je_gv!6PT($da3$tn#2s(pdWkzaflH%Pmset@6Zbp|*GJrb8W);%RTFU8lLUSp
z+A9*KIcT>1q{}>p_&>p<0^f+g-oh7nf#9zr{<{`_4e?)3;BT|=1x|U0$fJ1X;}-s1
z#Q$pof3Jlv@b{{SuK+S{x9}sxzggqMWq>ts3-n3BK0s`*h5ab82U*yfB?Qs3cp6<d
z5~c-j9%ErYPweg*8?Jvg#|WTRQ7)9TiMvA<%C|H&5%+W0sJu?AnYB4aAkBmm1fSCi
zlLrsltsh$V`BLn?VM6J@*?V_jLYO?>zl<D?Xzzt<5QFi)Qhr|Lp>~Y-KKy9g?{XRM
z#igs}%7?7ZNECvD{YA)zza5yJZTyuXal-hcz2^-2!>mDHh`bHk7^BudDezlJb)^8P
zI#+QXqVtoO?TCrrM?^)$c^a{g#vq98v<gsp(8QU~0RQnpz@LzUPY~NGO8noUM9KIE
zNPmFf2QHLudm#X)X##^qjC8IY3IDS+Ulj^#;*6ec2WkXTViTXqY+&V~V{cU_U_t~-
zuwnJ#1OLpmsRO?Ui)HP{{Wp+2VgK0k0WA91bJuLu7waGY-5$Igg!I&)v<U8R?_rbK
z(}A`2bYLYN0M{dGL=>mL<@c4`p!~j&I}N{DM8??sD+k&nfOY+|$e?~G4eNb0>y6)!
zF$XJ>DTzDW9jFO8p*`rx$q-9UgvQelE?Z8HBhd#1;I~G0g4p~qK>7S9_(ly%6J?@C
zJYE-wAh!EMfSNa1Ih;m<B^u9?CxX~;w-JvevFk^==Mw)IjekOtI0$?YQ}DJXt9tGj
zRM{B(ZqwmSJrD0@rx^XUP({E#ti3mb#^LRqq7N>_Qo(<3@9RJ)Ss%<M@9hRpp8th6
zAqM(jo&1RBPw0b%_)5_S^8wIY9YBU$!u1N&xj*ZS-|t2z>4Rf|n`q}F>H{IN3Nm81
zb1|vDAOPqCC|Cm6$_gxwgcpFM)(0g-3~9tZL?l4wcY?SGh%yPV<zhJTM<wACz}CKB
z@SBLwNq~(%lK7`<{KP0C(5ofIdZyrZKkI$b6{x>4_><V-ZT@(3a-08#UB46Q|4Vxh
zLl64z?R^IbCAar)>;Ie%dcG$=uV%~7i&^+dY42^QrEc%BWXMP^rP%ewZwF>qWKI76
z2l`)#ybWQo+xu^%x>5k5|CN)U#B4{5Ztp50&eMprGWI%%60;mJDeZlT7TSaa{s9MH
zVj{#(Ztt5(e}Ld?{Xdm}(*yv&itMHEa1ZuqZb)n?i6rTNV7MF%A;|RRo7Na`>_`!k
zB`XgXl0P*j3(4X7;0+{A$OrY&Y!)ws?gma`p=?Xzy#(AT0ROqVkOZ+y{0&gE45iRu
zCS{ij6MU`|ZcF3COg=y-Pu6b&A5Y8-3-f7Wb`eZm$&?PTIYuCRlNSOK3Fm<eCOxuZ
zN?nRQgd^EAQz1J4U7r7Wd8$1B_WA{H<3fM&7An>+xZnl-C0Au-{ld0q0M}et%xc_&
zLQtM>K{ot7pV`^+JQyPLU-Xv{IW#IE&ud8a8v$s0#>r1&dLln9&u<ZNjYgzAb0JO_
zOkzyLq{#C}#GjYI=M`FwFEPuBpDfSYi9bQ`1G0Yc4FMxHftflbL6ncXnfOOEueIK%
zV@ZKxat&j#HzkVh^52ULf4BT_8D6q7S%yWA9yYFZsDvEL`o%sLXAQ*Kmfx;e98>=h
zfd3&~0)i-1p8{%*W(jD`>o_O9$(z~#1N*tN&g;LdmlmLYmi}xBPXmu}lnBeF+;nn=
z%~iIY^olPUZUPR6P5F6snf$!C2tQhljubv%;t7Z@_zRV&XIB)4^7h?j`nLhUj@*q%
zk-H<>M?xeFVYT(>sd%eL`32z5fjHGU`AN*9h>72qY|orPc9-Y`l)ri>fyCU581oNF
z<KeNyKPG`c-@%udBI5T?!p|oD7ieyjQ0(d61Z)t1qfZw)L?reH#HPF-8eO%(!4QH>
zZ^DQYSzKEovRJ+Ja9Ql%kSvRb>(f7tXs=J-c&!BbPnTEpX)eoqngDElN)Y=?1xqm)
zrO++Pr0ggc5PYT-ZcF2K()$9^gjsR2J{9;;#5`y%GaV%6a>3O4R8u9G!oL+U=6dQ<
zXTQNZ7H-U;mcveFv<Cdx(s&L_Jjo(d#}Nw>Ru3l0U6!rt)g6wd9k|IbWR?E)z}3b)
z4)Wm*?%LOoW{?=^cb<#upiX|a5)2gR*vb7!`FCVLet*4G|DFjMrWdO_AO%(r@vr6D
zC2lNjX&lJHy)P(OB|x(MNM;r6Bon?zxMFMXHvoSq@t+j@zz`A`N5Ee+fuSU@Btanl
z9SEEX0(!h*Yz<<~^Mt09vMz!B_r1X8(FT&eo@58<d{C_|jWq=H*ZJg=(q)O16R-nh
zF1N(*cM14-?3kH!wMGJWl7I;TljSZD=$=6Q4s(6+PtiCXSin|If{1+l$Eq)fJ1i-}
zLX+IUS6j=$USn|Z6)ok<kWTiba2&pLDG%^%RWBf&o>rg;ZDt+*rtDAIXWrzrFWwt@
zYcY>_OwUnkbRbVP=s>=DSqBQ$LLKm^$92G`9@c?M71e=ps#XW8)N~!FQFrRVBz3b6
zOjA`7SP_J1sVj7tqN#j3T+eW^4$o&eUxybkoU6kN8P3+>MGSXC*pNL*>~#0x`L$3J
z;E|o&&^C(Kt2oYq7CpZVu&G~Q_m+{^zTXI_A#M(lEQjkGMreIXy2X-iot=)6NcVS1
zw+SDKbldQi$Zxu&BZlP1NTj<_(kXl-((T1pB3+53BZj17B+{KD=?<i%bD@hS(j6t~
zh#~11iF7}{jLQthW109W!=1)66Z;uPC@UrXo4_o3o`{m3kx2ilq@R~9={KaN&q+yd
zNO~eldPX9BK++p|lK%D7^!X|2FO~E}l=O^5`U?O>YZc;4_0wSw!zb&okKv<rxRT+H
zIy{cypBAz1p(=#S!0prYJj)2x0FdC@`@q5~1YnXcBa!baK#}hxe5sdpcpAe`>u`|a
zzv^%u!%-csXLz;_&u2J*u(4tRg19GV$=5=BCGsByjH2g>A^9^B`448g#fzA3pPg=5
zO1j>Xju?`Tkx18(>5L|(d)-dAE+yR;FEKx2NIFI$-P?c~^VT!n20PuRlyuKaI$}sV
zMk3uqfPzok@TDR;tQel5!+RONLx&GAe4`G#Fi5E@bvTpZ5jvd3uvdq(8NNV=a~ST2
zuo22b5UrVOj|)a9ACLq;(}7j=Jh7ylj8uF6t)+<JFLc<$@JBlAWB5%Su4K4ThsQCz
zScf^Rs(<Nl4a1M=@Fa%s*Wn<;Aswz``2W%NHt<mw*ZzMt39xANyIQJIX^l0lNwsZa
zsFDhrg#^BfiGqk?)k=#Zz1m-??gC!51~)7Dc3n$bZEde@xqZ6UwpZIKAZi{!l7QMG
z_<;BX`1D<)fKL!X$^ZSC`R-<8ZSU{?U#}l8&CYio&YU@O=FFLyGiMgr@G^z3uwm&)
z{v|fNT;Z8Ee5b-wZTKFAPqX1w3V+FlyA(d&hWiMk!*J&ydl)g+-vnpD9SxA#+%V<R
z4G(&t=fBvTnOhoN@}^S!wo~Z0P1w<d%oO;_=}a%_ra9cZpY3MMlkgaXalMqhMb^_u
zGgr&MJI>tvKU`W<-nPSxr_ODf+71PU=$?l|7%{B|GPg;)m~{pd*VsD>Hvmj`6cQJB
zkLPbEB*yJoQ=B-G2Q%Y$_KY%DRr8?dEnB7XSe6#g^QIn9o;GWz**hvoD5Z3KP5;vY
zAK3Wh>!p+_?Z16lyIz62cEr5ZgGJdz6uCbKFZntk&pwd7l86F(jp%vYwTRAY^43X{
zde@kWu(yVfCGQc=)+;{l37_#_#-b%X(pfo^OSao_-uGB^RfMLR*C$H36{wdMCv3zO
zh5t|unqilDE(~XMWyTp@LLOQwawoZK{rW!{qbj@qXAM3(E;YT0t!L)fcL3R6H%>GE
ztU2`6GE>th_?qu}dKF;S0)DA+)?$9Sd3IZ?$uYBnV7m=sj&hqVH?zh~oA=0N(LZ@S
zPf08%OZ(*OoE1&8+b3Vo&jsz1zw4&&yOVhTkcljI?z@K|HQ&w;_AI}jAY2mTjdL@<
zpD$<SeZR6<erL0sr^pqldu`-%CbB(gz@(choRtmb?a4nA%d<lK_0PB2@3YyB*MtVb
zuuiBwxt)-cy2F0+F6Uots5BAhRa{+q;lfNQ-fRkQy%1F#FTD2hYACL2FRc$9Ee1~<
z1&`cd`dZzP9aWdNUv@KB-@u??-E{qw3om92@U#Ruo<!+3d>`D;*lGAJ`|n~VJHKQe
z_$;7%l4b-otT@Bo)0jyHlMcCI>f}zC@caYW2?gbTl5g*xHKD{*4UVtsN!f3yd9L^L
zPzzme-%umhlnym=4NxZ?NSa0#;{wN=*Zjobvowc~hRvPxma(9~EtA1x+5xJG|J35&
zi(J9fTkTp?+TWJf7l!W7qcP4)c2<PKSdUF}Gj~^n%8P2Bt?l9-SO3_d{LaeTln0}1
zu8I}cZ(aCVXXPw7WJ7)TRXd!O`#OqBkucb=`Jt0pi2j}8!Tvyj>DADBLpCnH2C~;>
zY{9TncDr}*;QPHdJ}Ob@{k1C8fdA6Fko39`jY(cZQM?q1BGan#em~6dNVp!Eb<iIJ
z$0NFPUBq}ZW;8724pS}by0?u&bT(!x??haVL8$rn*Ml(LDsfqPZK?R5Z-SV1kq-C%
z)P9%c@_Y81SMIQWz0Q8%y24yO@vpSs<=##pU1C4RlBm(|pKZS@c&CoksQuzywvM8r
z5_2Cg`vu~L>GSiF9i~fS-fruNiVZgFlDO8G;nSwUpbw!mZO!~b9VfG){xfKQY%XTj
z0ZC7~u{p$Dw+)S6Uvm2>m&>A?w;4;r9XD`IvpC%N$x_@&x2nFz`fUp@c2*wjtn6;A
zAGqp%XXX1r$M%F8ao$+g?3Gsf$JRhOZjaCHaaPt9R8zZY$*V;lFaxQ&UH<Ix5+MgS
z;sLa*IbB+rT@2Eia&j^<dWm?t6%q{@X!<)Ck{H^a#f=s9ISVMZF3emfN5O=DWBB6*
z|0pfSG7njHdBNYH&oocAFpDD8#6C=>^2e3qLo)|qwXg4)a^SPyzl`ZKgD}NN_5Bfx
zzG4iI-OS|c+|4`otf@>?@F=RAF_x3b?T050bC;}bFtzt3cZ}xU%(eOZ{bEcyFu$Ir
zATLQv7S?t(r=t-bTi$SHazbAbzTp{hF>l{IZw9BK-@U=j{8&OTDvgiT@>9M!wx$s#
zBIox?g<S7_R*7HzoqXxQ@wp}9aleQ0wJKE0bM$n1g>AK%WRS_)J#M3Q&{fo0TI7!A
zTEa3eNml3%aDKn2dso;S_$>L041HEHn(>n|DhJODrgVoCK)Hy3?->MB|Lee@DdHJ#
zhz!h!ehYF)-N2@Du?FUMxMy!kUvOU{<_(xvip>+nuD2VffNkXf@BA~?F83b}guw6K
zI|MtQ{tC|cMh!*kz0S@T6ghe*GOL`gDRRV6<hzRe%h|(o4l434MHb}Ts>l%M$AvIo
zQREwf=@1G~dQOr1KN9(bA`epWLx*xcs>pIhjvR`7SdpJr<R|ixsRsylJj)*(wM4y|
zwdPT46ONevs9kS9^8LGNJR~3|`E7qOB!_>0Bwh1BVSbW_eU}V<M;|zb59(|3%GX9$
z|3~g4vNn4E&AE^8+D<jpU^Ra2IWT7TukH55Jq5g(`dz@A7gz@>`SGE>DD6%~&&y20
zcK$$g7S~pK!m`({g*3AsQg6d_@AQu|^Xy0ZFfkR0HS$h8Cq6<xu0GSWk-84MmX{Iw
zvF%Bli+o<zbXkH|7uI6LOj6>NobZ8cjda9tHb@+4;G&L{K%it_v4z|JyN_^2;soXM
z)+Be7%uDX$BH@PyjS`zZ8)qEZ`S&9%kvP@B=XS69I@wnm6qrnbp?3O*Vt-|Jw({fi
zBV068|48Z|>9oCNz>N&Ry{qjZ3vav_EkdfHMEvwlmk7c*X?*8*iOUT-JZq2C2AxPy
z{@$VTqL2SwZB_k}NRvHmpW{vTg@f!VQVfCoS<1LjpBf7O6n$Q<&$ER_p5Nmqc78(<
zN9OQKTwowKIH^8^NJ9Ym#9W;fPHLG+sR&XI6I2Z?e>>AcRu^X(3Y}`M<h%cfV)g8J
z=QXOSJYN%z4B(vB#LTkR0F;as4O#pjtI$e){y>F3nJ+X;g;)?JCbT{p@LKl!%BOZ2
z|0CJfTwVTjLHUk8)kr_e=d$eAb5Q+S^F4!a2F=aO?V#CGFleU#Iv6zB>149~IFEgU
z!<?0)yzb-Pnpgi;JUqH*o_8uOMw86Gi0P6!9x0fAm@kZs{xy4+ni#BT&-2r~<bh(z
z^!V2Zh2jnKmK?a5%Uc=I_*HoN06eXAfty}Ez(|nHuUdT&5s3YJ0Qph>x8#dxX5?<o
zmLBU1*YF?lTKKE{*SJP22>t@fb7b%!&CmR@k~5RlMF>+fo%!efinhc3gE>F?>DA!?
zZfpPV3fh-mU1Z~()TLza{~oi?89-Y-jw-B0e-%*ucc?4?SU5iiYr%J<FuCcQw8?><
ziPQgNM-6aUnY_*4Hl)<A_;u5NtuVE5FZGA|=EmAV{&>iq95~>#9i-C92Q)cC!zDom
z?1NwMA4dP!+gMpvRJ5DNvU`+aWxVnr0T_)*gCB=)lLH?(Z6;|&BeAQ=#6L4r>*5c3
zahOTlS$Qtyx_49%){S*ZJE>AujtP0J)q1ir$VdO{rOv^3oT7d_t4Yq$0<}vI8(f+G
zQI&$G4RP`6sisV;YK4mL{~Rj1ge?{4h>Cw&4i(7-opbOGd0hEEm(O>P@}+Y5vX>Z`
znjbiuJt)h?Zn0=y{?C(ZiCZ;ywW(U%P|WN0OOxC1VPWtkJye*^_o0Q~$=6`g!4exq
z`{pefgntddR>5;t4rWSkz}?A+(u3tckNZO$QSCQt4gZ(F2v!x7!}%peiCXh%O4?T6
zqmjE3kr!w#b{FAc(&3yZHFA934TD^_brI)gu5ETb*6xA7b1mO*+o%Myg1>Ex4Qdg;
z%?2w7`ZlOV{B9f6B7T5iei5(Dm-fl{4%8x^=ZLk4pQJ^)f94mo%npn5GS{BVvf}lV
z6j5d)zG^gC|0xp}v2kCsachWU4KIh{`L%!h<az1)N{R7*qtuo6728xPrdrR~NG%X3
z@(UX|jYv21qu=nwHj!DIbQGbE`Aa@6FSFJ?K)%0o>rK}X?;W$P6>Mc`2>K5mubT4v
zSf2to`&iRivb%QMD%itf<!&C6&|%yvj)Pb!$e(B7E><fT6?JY@2Tu8q{63cPt{d!Q
zIeK;>@VD_J8!Am)=DjtvBu}u;?<r0krM36+kM3q^elcv3-_Lp#=K>2gI-bb!^U%JQ
zS<bKQ|C{COU|-AbGxXm~q~-tI{uWM7vvMi4n*Wj8Lt6{8`7Rhg)`Q5qhT^j<Lu!fO
z$3G*cd(nvgJ3nujqu5#b9-a6zzMPfo+{{eg34P7YjB7A`#wEd0|8HaM>LI^jw@mwI
za!|!GI=2*c+Du<({@W}xGyh#4s-UX<W}#m+IeqW%#)ifk&V4b)4gtFa75;hD$;_EJ
z0FP>keT4nK?}I_MD>K)QB&vj{Gt>9JS`~^Yib)Gyt;WBSXtut#={lXRy>mHf<~AaH
zetmv-^Shhh0e%Ol;>Tjn`Zdn?<zLgPc!Ap!OJ8o&n#MRQml`(ahE1lkfi+^Lv>_)Y
zTyK>B1R9IposA!Qq2~vebP!Uyl<bllk=~N|W2IzDOuxv{mdw4CTAqp{dysO@${*Pp
zcH!I4KbIKe0%@yGmG!)zpeKICwYdt8Misf8>8_wM%O}D5blnO6uhyqxmY;~nm^co1
zM?B2PEnGi-)W0OG*j&3OdmH%J`6Su<RU;|0pCO9%<dR+^7xrW~F(sI9BRuwG*Vu3A
zBRGHII<LQ*7*kgPKZ|*7`WS!Nzf3>EU+^!}%Re4|W@>~bNM0UMpIf_U*dr?AwV~Ts
ziA!=GuGI@q`kHNQJQSLvP(&g2XB%-^Lx>$(`_fn?d$hQY@t<T)U=q_SCFAq2lq5#b
zT6e8q^%FUfv;3$Tg!U%iX!xf%u-^awg~MB#mw0dmgwgU}^nXxJFS7?Dgo2&wks#D?
z;adO4KhE9zwR;N(ZetQ0KysR{#sBfT+XKIM!nb#76~fZI&BssA)Gty^r>3@^r89W*
zFVwTNNIxAL85KQCs|XkMF2%?2;0TpkTB-<>d%8mY`cL6ONfTU8Qj4KbPf|;8HXSB6
z^dz5Gu(qowsl_%Y-+G0RtmM_>f&5I?Pj7O%eoT&YgHTVh$>x}1e;V|&%xYDF;Ci=~
z%qGrFc7@%E1B0WA5<4zj8$G`<b6zNr62Z$p<<a_mP9{y6mbsgzrAs$W%alE-%38;N
zA-*WNtJuvn9u#IHxq5GN=;`K6^S*HZC-Uc5xRB`zx1RBZ_~<B3SDWkm68(5cJ7}PJ
z?%z5qb9)c5^jO?1zQ9WCta(x1eR7QXtLl=AAsrTJq!etJtsPeUtW4#GJP4=lQrZVP
znxC8%CHJEt6jgUey$y-4^UOkM!n{PR_1fa1#LS?oFOz**`l1ctj%x4`tE~8uF4sD#
z-%_%-sY3mx>J1*bbu+JsArB{f+ez&PJpqij;9u~IYLfcGG{;HZO)#kEF@m<9Q-XTV
z3hLQON^esYe~U~VS^01ZO8vx?YTOX+X<}yZaOLnZm~<?iVKM*UhX(UDxs>j>If#5M
zh^$rQ4}!=|Hqtl)ppDx1xTiSFKp5=2L~S^T2-_u}pT{|~eZab>=?fvVAD8`>5$O2e
zMrzwvcrH}YZ>nfnzUWL_R1dWDG<`8BdNLV1T#VvG>N5k}K2+ps0bNcBaGOFo=%Vho
zblI!bV?uS9J~13q6%gwG(7I`92$jq{r%}TD1>5+w1v^ym-&JsA9=S7f{Xe`QH-b}s
zzF>-i9X}3e_KP1_zE}%J(5w_t(Ciz6-747meowRnu;px^04c%VorhgbK|Mh-djhmb
zPi+6e(Bm2B-ipf2EIF7h74-IDnBysxnu8h^{bLOS`5JoZ9WzgLM1dfBKfBB_h;F=h
zyg0{3_5_jq40f~xIsa@UQ!m+05QA7+UIowz3!PL1%*6LjY9t}s({lKymsTv3xa91-
z<s-O{0A7Im1C%=}a~&h^D?o2apDI1zD2U8#j8~IHJyf}BnRW)AS-lD(8FAd=?ZzOe
zj-kUM?Oaj|F0bz<lOHBYTF5;#z(trW`bsQa#w<4R1Z5VSmh`AVvitq88gR-!22K}A
zE#4cp(&~4k%!eWW3a~T2zt_s$gV*b?CZgkxfM(Z!U(`*+dz)%#CA!h|A)|uM0#tG!
z>@|&BG}Y@GtX#Joj_O<^%Ai8oapt7tVbGHCRS46QDndMmEH@Whg6?IR+S@daRY6g}
z<+e+70k7lM0EvNHY!~ZTspDrs<Vz+pF&)grwq|`SvQ|Nk><v`cac+?F{-AhR%<%W~
zEr<Ljh<t~fD%P%Iu8L`6OpJA-&5>#aI+ciBvL65fbdOV5#+`&et8jx2AFnV+@QO!!
zD#}(7?tBb@!8Wrdgo`Xibg#50RV9j8QoO;g1Lc@Ji?X|IJrxS$0CuoLJKaL+&5Y@f
zCJ>SkF|W;2Nc+0x1+dQNRN0V7m=-YRXBc{B*fL(j)S0DmgB=|K)Snor@w+;f2N81b
zLAR?K$t7by-nm1dhoopz0J@j1Dv$^gQxR&g{dgpe>iDk!YRwSTQG)v4kh}AZkB9o5
ze}r0|huS>=)Vl+yTW`+es&;2*3+f(0RV7y9PYG~6W;j$yuZld>D+Kj{0BW0o8ox`t
zQ9cpgI0*`Nekia*Lh%^em7_`ONlAYRy7D+6b&kMTxPV+i-si!fC#5HogS_wUC9k8r
z_Q*pl66F1}$*ZT7gS_jNw|p2}CnfbfXx`(Dx3e<wy!bg?MyNldC06`6ZJ!{6#`rwN
zB~eRm(h!YhE)I2k2C(9=blMEIR4-tAQhL3)sO7{j8krGg^!umLiI7c?Imgnc;2Xxk
zqmY|^NRj@ua$`Pujb(r%g!1Qva(;qyQagrF_8=7=7dNm-sNK|)l5Q9B_fp41J-FyB
z)q>u`IqpI8yxUw7*_z+x;PQ5!mulwIRFd3r2C38d%>EZvo^CoLL{@K9w<W}Yx#{li
z@7cCJkZ)Tkdn`i~QTp8XhNN<fH;|L2KL-;D+trH&tO{V!RYDB+R0G6N@YfW~<^DFg
z?Id?BcyykqW)Csp<v}m~7?Kn;xe;7Leknzh17|F%p<!yLrQQ}EbXTXGf|05P++$*%
zS$(_kxgFv~SDhgeb+4{DoftXO=sbCNy{82A%K6Jb)O$0Wpn5N%UQy82JBM02>xYB+
zdI08WnpObD^jJ?yttj$OH_)6##}{@__Hdx((Oe)jA4d8_SLx^t#P3neUx?{!P>n;v
z>$IT8%ZAseWkAT^49iXA*{Y&NGsF{TbiY0_V3DlU!p<pzH6*Q04`3ZN1j`)78GiRt
zT5i~;Uk0h^V*rENZlQLhP@67rLnHL00Ne(e77)XNn*dr~N^2Gi?g+qjUNF2}!SLP$
zDm^JJV}jxR`a9&kM0xXLB_|4gXYx)O%G;s5mk!TcA0YK*gOoJv)D|?SqTZBNS(?BC
z9gp#QXI`a>3(_|QX^2`mNc~`MWcx5knt47B(&q)~>W_!?pC1cJGk2h?55s92M&X^;
z3(^qD1FGFY<9bqBB?eTxS9xz5mN$M_6E1QlwO$+gCI>rO8s)~o(V$@@B%W+r(#XdF
zTr-A@w&s6lsS%V;+dE(-=b!yAb^bwc)!tzB^F6{==zoV$I<*lp%7>Q2*J-II_;T8w
zK%_Qjt|;!9NIB_k<rXlGh@G~(0tx)`O*sjCJ2B~>t7r>GE1{O^H;iItWC}j7OWl&6
z_mSwY0Sby*?s47{|1gZjrC<IOP!<49p^|?n*`6yY{SGU#u>TY>NrP@c#BaX^*W;lo
znwf=)_~CayEltmm1qWVX|2$Pe039~@dML4@MSgkrtDQ9OsC-kh#I$5CGb$o`k^UuA
z<E-4m{L!45U{?M-ql!z&JK;r5CT{X8DBHJC%HnM5+A46W%=L=dHdkJ(^R{r(<g}em
zRy*tX@3bjfKH1-Vn5LZ|hDX!MsbbBc4}G5`(-wH_9>58;HqJJg6`i(O$aL|5QER^o
z!ep8acV#CiL9>4YGT@7_b_nPXsVlr5-mc}>Y_aYay0T<SDJec)%l7Pt=pel&kH%E5
zp)>*Orqw$3f5##aluPuXv(Iiro&SuofqYSC*BR*kWnjdN!@B9wU06r{H~eUpSJ^vY
zd#0aC$_PsrEKM<%5<V!Iqp|GmlyTE#TUPtP%6`)nIpnS6KUVWw6+zt?%wA@SOnj6~
z&dR>k?G((xU8YQC4cA~Z{TG>-ELDGgHADUL$rr3pQmX6wAf1EJOd3u7mg1%L+osm2
zsmBGyR?iW#55ke`M`-`hP5;Djfw-mZm(V7Cc16!pE83Q7X{>*>U77C;_8-Qf=R#b1
zc7^n)A(n5KCkIA3x7@<;bdwX-6vbaozF(5q3gP;1tStKTsMU)L=ynfXV%o=!1aHFy
z=WB;_lXLa7Jg%!K;U|V=1<&OBI1c_hxV3g_ege_2m=7~AI;qcsKx?PjxpGnyg-v>?
z7W0M$|HEL{DZQNGAeVFL@2gqK_c<zClYE~8weGg{PD)EKPA*eb{8I3K?HjD_n#5yz
z3wR2~6u)2kzm2<yI4R;q_e*iNaV~M?CQfR%jT=|n)!J!@iE#uR(AueG8i+igYOo+Q
z`K3^s{7xHgpT&81Eg4dL7BUzuXLKtu*{SIT5HtBon=Z<CS%_`ay<3u9#TaIJCW(ja
z$mUJ0@Vc|75HfUc?X;9@+e}Q3a&0|)z&&50>eXlGdt@L=kGz!3p>R5x^5-u+Vk4Pc
zZAsU*P5=U0Ic>!>moGylC-p9AhE`eaNaptYlATf}0dc&o`>(CTxFM{%FVEM#hJg=)
zw<uFn9zmBr@+ajp{al&EjZUhCU{-%}`^OZXp~BPig=edV5&6P%Yz-$3ui+kL+IC}(
z1gDuy6GxHhel5yP&zYg-Ka$UMgfa!R;0-uKsMMPxg0?YNF9T`gJu3YZ!;JgHhRJ=Q
z_#=2_{1#;m|Mfp@3>5PF@5x=ERSz)U8(IfT7nO0q2{}qXEIOyjn7KC4u+j*&2HA64
zwE^8Adro7$onC5&IENOe@Tz%asQ>aJo_)f#VgJ$ZB0rYwH`}}14|+(Y{FOwejgaNg
z3J_-$oCl<hTyFGUl4YcsPtz01{glAiBrc}%GD@6?#`@oC8ea5BAm{x{OfI{unW=E*
zA#IEMmv4Y_nd__kUo@(_AL^o%e=-?bua6YPN4vbT=O3^9-maj%{-rnI0iAD|FNaCW
z_qVbA``UNuauGZbliANM3HImh{{87n*GSK$kI1DX@1ovr?u{BaM=0O!f_%>#GB>g;
zeuo=`lBXu$&g;piUAi2+`*QgtZ#yd{!%aJ`=e3hA%{Pxqem}_{bINY)6T;a~m=flt
zC%;$Y2tN)l59RUSp~0Q50R0p|ogb3qe_x@+ic2YUk3!cfv|FL?C{)u(=yH=!p^Fu|
zQ=yp(ZBr<w&>`$M`DZ9p)kNsa3e8sNM1|TFI!>Wg3LUA?F)DG0LPb*ul_=Dp(EHaB
zTCC76g=&@W6@~6m+_Qu(?A%Q-yOE%=5O`Xm;3MrV$+!3SDr?&NONFYY0_8S^<|~v|
z$h3EfLZ-co6k4pdeM=$J-nj~y_FkaSBw=;7LdylENg-dM(-f+43DqjJSfLXXTBXpZ
z6e@}l`h-G;YNHi0R2#gOkfGXp3K^>PE7YJ8+Z8hOds?B}75A7z0}8EG$k6nDg$zya
zR>;uww+c<4M!x@0$WZqO3Vm7aSgMer?)3__E8o=$ZBgi(3RRp*=n{n%D>O@?vsLy?
zg;psps*pOyKUJXt#eG4cnr1@BD>PrBqZC@MkfYERg+?e;-a=^qzZ06S&|3;EQ|L8?
z`V@Lzp^H@SW`)9M5n8WMgF>BzF6>-PFncdSBhQBUOOWy+pZC8pGxjE4-NyQgFh(%m
ze&?2B31-gc5PeEG`oJP;iLTb_H~NrPJ<XZ;Q;}uOY1Gvho4v=I%>&zQZ;;Y?Jz4o~
zmZ_i9_C8T)JQzssPHgO8t}5!3>f?*vs0n)RMpDvgJBR98*z~Q68n?FE9QqRmic*K)
zdnuTAji=Vvxm(1pL)XhX)sA{S&Mms?5e=>5!KxdcSAH$Y*&zJ3U>p@=_Flt+>+7-P
zb(K6TdqK4I!Ah%9w8>K1JVk<$OJik4w5O4GXgf4R;5~Rk>7s*q*NsPM*J+0Eu^!;L
zmc~k~KKjSx^snoS{GXt7<}IOzpI0Gkkr(WxN@p{9KAPTwt~K$)#R$9sIw}x&{=*^;
zMR-V{pn%b|`+pkcopUXjlYVh>pm-skuq_GQ^mwzq8%sY3Nm(PDAi<YD<d=f}8Cq(f
zcWxAK%%lRVQBNgPem;}@K*n<3e1>f2BL0~$juEL5bH4$zKi9+Ww(E_l^e-XJtSw3~
zU}Nbfhum&@OlALii|G1!%VzQ7$*BQQ@ml;VmTrED8aQ{OCllF_`^`;DT3cJY-#?aH
z0u?+qwQp4Q2JU!m4_7~4-Pb;O(8YrGQPJZ<`yyg~K6kyhnXP}fc<4NN085Tc*{SZ{
zJ#O{muGeP_fb;of;WVH${&Gceq#N4pR&UgGfHvp@qt@@mD%^FZ^b*Cql>43>eCPZN
z+xLyM=DSO!QhT`U<+N$9v*U~W@n7bc2-3ta;h{YkGFtt-{{y0M?>@r5Z|eULoSU^h
zi8Fcgu4y;+t1aI47;hJPyY9bhTqD=t*3dVDIi4sIxuHS9<B-d=`!*iH)Bz;_3#v9V
zp~@8TzeE*4Bq8Q)>HodPzsl#WZJ2MZ{}ensn~VRvDya+I=Biq`>y4}Qp987Xv+#Tw
zmVFw#jMF>yH=q|U-X!-QyKr=4=IU(^RFHsmLYR?vIg48!)Opq44}hlHygo50(>Rfp
z6{E?Z2--28B4hA1k6?-9KL*B)_4^m`%GIl89U6MxA5EKhI4>M(f_=Wk({b1W=KE83
zJff>!V!W=dDgX+o8v)gyqP>Nu*zlv%v1_K`@v#4WvbgDpIp5e*`fuSx#M_$OvA=cS
ziSd!G`zK=7mt(nneSv=jXT_0io8l*NU+GQD&rZiae>r_MA(VW65RUe?(55k^ZJRLs
zHU>Rwabf<R{O$6d1!UHVe@w6NafJpc?8g(@`i-B7G^>5qm^N8{1j?14Dr#^#KJ=r2
zZ|jO5j7MqdiqZCyMrrIs>t9&(%;cWZ6HMP02n(R}zn1S-`S<lUYiJvn=cUx=vY&&o
zs9eVLo`Ju;3O{NWRhF%Oii(`3HME`QcJQ%KXg?`rYX|)%dR4UXdb2+R(olbx#+)E7
zv|}4?{g-3gn&*F{{A+?<P(IXJR45x9D;pw`4IeE()4z+t-dg|H21egc-EXc}ako2L
z5$f)K-$5qK-3(5O4E1@>AalC6MU2?l+Px3Zp{>r!O{00}*^GbSK@Gv<hc}lh+|k3{
zP)0N&CXfG^XOeHc+HB^-L-vJa`+nNTWW0ckdS}}G=kF;$byZ%z&E1pjqd;!_W&5$@
zEwC?Ae?O`vi|hRzvHK1$gJA6TDw$Z76ctS`T4?>~BVw3Jjb&zsqTMC^_Gg`b{4a|=
zYytfCOFk*PxWN?3ev))UpO3F^;s3fm8u%~kBRyZ=2ej`!*RwBH&*asYC2z<^UvF0*
zLOw&ui+Gv3{`tgoa5t+0|9FUI=Bjn^t6}(#FCyLjvkd9klZ5|mEBzDcXVU$@euw;s
z;w29YwiyRTe)6c(ADFP4zf*}SfSB68dVEgqAao8f4L3!sl!c30DbE~#$WatoeFR}U
z3y;4H1RfItUH!T=X~#Qj*Lvde-wkbh;>S0%9tb5q>8v<E<g6HlRW>)N^7(`JbP-5A
z#T&AT1^l4$b*B7hl@5&J?rq`j9T5z>R~)H7=a+QvDA(OAL*Lx{ykss`g+rOoFEK^(
znJvD8Ki9yYm4nYH31crFk?r`3BhBCQONc19!P3B%9OxqmR@vB*1Z!-Nn}R#W6Qqp|
z%n5cJ0(_(`Q2_k>Q9~dD=&Fb@s&*9*L1$qdKtFN_xak+9_}JEcp~S%r?WfM`-WhIa
zUlgLwJpH}hior%a+&+r<Ws>^Jf3y-#RrJ)5x4V01dAA=SXG#0iVinKN7p8nkw_n~q
zifn$wW>+zjPw>tays2m%0OV;VL6iz&GIIi~P<i{*5*w;$pIT}|Rqazpn9$Dg<fx(Y
zQSDQ?i)86Vieg9^-#*F~sL2DSXaE>+0br^K0E43iEK~$=s5SGJ=??Yk1#Ac=nsg&M
zaW;QT6JP(|z89Fkf5|0kOguw>`L>|N|6=YFV|;8c*9&(1H-;~Vy<=xC7X<TTZaov|
zn6Ar1zg0Z3F<+aOMuV;Y79+VgsR;d({UjM$2T<mXK;SA%V`YugHbW)6USFnG?(J@9
zi(5}pX{D3AjTF?M3Kb8=bH_!DdMRHgE|8qyISOnhb?Q(rDAhiv*Coy^hw3BKRNPUm
zigmbw9^>Ds3bgP+?68<{+FlbXyaHJLhFiUbH#;i~j?v^B955`K4vh4qGL(aP&FPa_
zl`y_aTQXOUjKt;|0FnMr4E0bf*%N80-x<dQ=hH%OEOo`w-$iF!=SK)f>)+t<<-``9
zV4&n1P5wpyyelO(6Kfhn*QxT0urifaUO%?dS$a4E5#MMPMrzSj?%YBDDYXFAt4a+R
z?|Mr_T+>f-qgG>x;~(~I(@fV}>$H7IEfk5Ww^+*Pek2!OhfyZt-vS<nG8m9T2B%FX
ze8RFuaH(i(toj8W;wpBl-}WC@X4{zsL|W*kj}C~`oVl(9A{kia{fAool4~Q)_50&z
zyXg~|)cg;wKzB~h)ya{h{+oO@)$g?Q!PHg{6zM4|bz3cI%q=uKoLFV?nai^GRo@K|
zsbG~0(P$<4Yn-LBl0ivw3v{w&2I1aTT|tB-QrQZVgYM7XZ1!@;U_+H}`ml^NKf4KZ
z>`Wp+{$zuM=@Qc${i&coma1>^^M&-YV08FJK#&rL4waWz$<A$nJ803T+5aaX%PAOr
zD7|N?E7XU^@6rqOoxFRFe%3C_Ucp+Ibw$t8*^1~1l9$@#dCP1($-{~j!nX-Q0q)Oa
zRtgc8rGCZFLmXx%%B(*s*pkay@c4yUtzd(3In&}z_T<3G_)%W+BGBOSh+tfpJ@5+0
zqlPZ6ox-mu{v|j4fC#k89P1-59`i?k6S54+i!=uUI2O1sD7Vt!*WVY^XYQADN+3!T
zdP16sRp=*+xZc|P&!QHTMDImhN@ze{yH<_aW%ZB0{hKnqXbh&;`4xRS`}?&9d{5G#
z*ON50^_o@y2*YC$Qvdo-w*3ppEpSWT=h}ry)7FvkiK^{QB?XVBBpPzA(>5sSoQ(z%
zf5Uvs1qG|ZMy0%<v(q>KO!>g4Z+tyU%(?SXVosob%X$MahaWagebFxpAT9=?tyJ7)
zxgQ2>71~Bj^Nx+tn*9!ryIInFhWk8y>{oD&URUU~hkap|3weY1m*9T8(Yw-T!nYHj
zyqxMQW(KQA{}<4275U7qJp<qJ@5uc9Ec-qBBi{#o<a^XdzQg%%;p;ErG{KUUsr1G8
z!Tyhl5N7k1`Dub?0cr6x`KRXdbJtG!=MCk*aCm-58ZvF7&6cDMv@UxeJQ&C;-M=4j
z(;ebc7{&iLsLR2yU7M~o<9T@cyu$RnWw|`inB||FJcDCkXz9(<(d=8R=jX_Y{@Oyl
zc6c$2B^=BOFnTc$`C9&G|3~f^T#vnhIpoPR*XDq^5*q>rWY?@xtMddG4a^Yp$}0Vg
zL5^3H;=jgfslNN_k*W2KPSf@#mZHTn7AO-p8e`P>dA!FfZwbAAFQvFhC<+)0gI)f8
zmut)8Tf9MGhJFLAGx7e*Y<rd!wC8%j+4ey8!K{?~q2^`B@@bBThUAaE-}C{^v_sj@
zEbJ%P;mbF5X0EBzf~F>BG^hU{>@;NVx=i$spWbl^V?z<oTxudN>$o(C=ra+COQSud
z9AXFSgTj$w#$R@|8bZ6aUpjP<`6t>v)Sh9(E6|648S4LYUVr7f_3D44-u@M~|IGeF
z?oyKF2<Cb?;uLCHL`~v|HVPPKgd<MN*C>uKJAs88DrP?rUXZz{%p1m4CdT|jCgy|A
z*)X`_n$N2<nMb8FjjMFpCLvvGy8^S^T~<n(j3LhZbFwG#haAm+Rlr_O>Ih8@mc9I1
zOXnr&v}9zoL#7SvfrwrEzm!`q<vP(xokw#5piYV{VmQpOsh^!|3|X+b&^8P10iNVM
zolcE;>JF1fYN6jvK8zPCGt)z2)4%%_AP}%AJ3OWhKPOL&Enqd(TjL)fM^pW~R~^$7
zqQtIfW+B?#t0n$<fVVV>UoF{uim~m$|0M==XgFo{M(kr>A~Z=qg7lcjUf8xQ)4t~0
zA+F~3%xvQ5&O5*Hj|1XLY8ql7^3EWyjewMNMD`dW3dV!>tA_JSRi0m_1{D<Y%fa~y
z^88X&paA9ekG;qI$LU|O3_56n9d($wFk>(-0=^-S|CZ=&)n=7(+S-RW2i+~lIm+6D
zDPf*<ev@OJ|H!kBil@F>z&r1K-3ZOL1O!eSVx#YmwH)-Ow7>pnPX4{<-wt&3!W`8?
zTF^Tw-D?@*FL|uZ^Vg^NXc+$o&E~p)ZW*nWO5rlUTukEiG<v?Qx>~$(59e}xO*zC~
z5{=z_6tWk(sXx)g5%Sh3%P+nG>z;OH<yhy&nbi3BrIlkra4aBL_Oj4p?;f?^|1Yu`
zO7_I3nuUNBvvUAeyNNf=<45P^2X-<~#JsYnaO1>I<CBZn270Z<d)I&Y5?&PDWq7X@
zz8TJcwU+;?=KLf7y+PH(`0qIcvxqsF6Pp(A1c;DbPgHKa&NTZ?wd*^fob;$AZ?t2v
zO6REai+bBCZ|3Mo|FoHTbN^U(?!NAA<=zqA%@4Md(mil&X2RjgZO6FDp3>TlJf&MZ
zu;l$B$~r4HCN}ksSanIIzKT{~dicDe`)wut#|-hmfE^TC4;(qN0#I$AyJTNGnVl7V
ziS0cjR%633w`ar=3o5~HQxrdOS_v^vZ9K8<Rw3u!o^EVw&y?Z0s4Ka9ZnS$~RCIJ7
zUf#MU6WQqXHsW<`aMb9(%NQY3c7}JLcA)#fsL_Apdyn^4W2Wqs+TGpnk7^vf-dVA}
zwl6acyR<c-_8XV;q#WziCHqumd;4-8luNWXrf;t7qSi)^g#O5HZ5L-j4-!b<TX`=(
zSy`G0zx1uQia_8{?9P2W%9g*~r;T>+w}&trID~1e-Wv5bN4sANN2@nCRzK5}8T%D?
z?)vn(H@C;;KGNtt%kHW<xY>WKoCUDQ+8AO-byW2;-Xj#Mek5A`Y|GqdC#9S3XrG!H
zdssB|Hif#kN2sKB10aI(A5$_mcSDdEz^FU-j`k*|V=57jjiJXyl<H?d-6Hr%Q}tFZ
z%u(5`?cLkUYd1u_P0{WRJc{~w_xf^^?U8bCOltY3=RtOUkDgcLm8F&+q0h0Y<@Bjp
zz)dvl(RQOca>X)H86Qf?9j$EBG-k$(2GCK!eJQ+mQ*y^KjkTL_v9!tCz=l_2?c<HL
zTdA7J+6}7VOY@3AK%o=!p%e0<;{|z{`VFr%DO6bwN}jD<-$dz6S&d)%iTy`0yp+pU
z5JG>(iC}ufD;HH7yH1^ZF4@<`U#D%G30ve@=Mdk@-&NZH6b~a^E2OXXj*?JwGiOJ-
zUmwApJ=Z%sEd6>)rYuDQW{=TOQ)UKxf2AX*aDs6Jn|V>SZS=+_Z$mWMU1DPSQ+6nE
zQMGn--z2YeNsPsBWBr;%_oYWA2g;nb4KP}A;83S63)tkqLGeqCj0X$Vha4K~dS-cz
z-*x|!Ocv}&jO`sUik4|WYF=Q2g2bSGsR|m>J4$!m3jE#mj*>SZqu3dJxnquo=CMWT
z8D(j1oA#8}F<QDK&WZ!hica-q?Eo(Dc9jQT-LFMz2b>lA@}K24J;LA{%twZa4An*7
z^`fP9(E%?SuHEQG%iJXgBnJ|=GHD)fdJDZRU;hPT3+k_MRy^&j_@SwPqqnvDb?P@?
zP_~x6%FX%DazK*~!khAOs*dVkHr4x7Ul)DD>qUTpglUQa6<}L8V|Vv!<+Zfv19lLD
zNQ8~EqE*#*zZR}VLPl!Wcrzk(Gv4)PjH#P3fJ?C2t=^2WH0e6gFEx?&(5z<Z0*0>9
zRU$06tv5n$L*FscG~=baye{g~^`!_aXT=KB!rk6eY={P5-LFP!cRMTI&VQEInsiY(
zSEBpXFp)Iz4b#NkrioCy3~GaDGy;}x{ridUfztg<4h8!aT5mBaRKPO1aS$_MI}W~J
z!mZ$J$H8dElk#4;Ha8IPt*PTLjE?^k9%Osr`E+Szb7p2mW{epS+OP?`b2l|-#x9Gd
zOJd3Xh&MSBO-~-<O@;)Mc@(;wpRwNLvFT$PGiMGqrPe#Qn9I959?1C>Wok&5MZ7*|
z#anFW2E+*ZBwcERPhIJK5>3vE_qwxmoS`KW-&x^_s!By*)s<!>u)NYEH6OXjeUZfP
z*g%cMl71wb%!U#_&P+aF#F!^9e5J9_rdai65RZDrpjjIACYACV<~Pi58NV>Hp@|l>
z$Oki?UN$p3{2UCpCvxBN&#*CuB(Po$R(zEsg-OMTz^g`ZROueXyf*vL=JeS-6Mh0R
z5>AWKyQ9}SD~b{Oh|Ng!@eiVzD=P;TH>t!~an48v0n==B^ix2XUOIYhwC<?jgTszo
z{OG2-@02phjNYJnf}evCKQ`i!Xx)r3_5zKgpAiaW{AqCbhyuAKa{=<JJ6abj!`LPD
z%~Cx7zUkcZGJMeDJ!AQs7tWm(`=j1taBgF|^da?x_jIGEt^q-x>?&`n3q`x%EN}L9
zn|MthPdO_d?%rv5*~HN`ptmPI&U9tnxQA@%!6?Y<OJ)8}r*`j(q{}j@gkdnK6iOO7
z^i+C+seDr1gg>cp)O$W!cTKpvznr=wbra0ARaf?NrC}VRMlsH5?wfUGw+TLD-IN7j
zot@ptg|L9_(qnH^m34Nqi`HEb@sJbi5Jxmzu|jXah>b3N0s{1U8q?$Kq**uaHdWi~
zt)Vl<I4hpwV4+cwDz`zjF_P<H!?l}Y$?l4vktUOc_B7;5k1=>msvBdPC}+6{p(q%d
zHZolTaFVd6Hg-Q~<Oj$z+ekx1(Ar~)n^xW@Op|YNi~Y;+seEfP1bVcz8W9V<W4jg>
zU1R#T%#as~9B8a7%k^$R^rpIl>D?(BkkHAbt7(X{po=L$RqA$$xVi~J`MuG)YfJT|
z+<yyl>sy)srv8Sj^1Spe{nk`BISirmjPwE>OgTDFP0R6;_d<HC;gY(srlx4!g=KYg
zBGm-_Lp!>i757MqP|uY|>#hb!tG?m<+8$>G6GiYDu4RqUWxF>Y8L91|Mlu-%lJscZ
znPZHI$^+?cmfWIO^KiPoE&l+f8&tXiea743ta#R7GZR^t2egL1g!6$#l}xWDK~t2$
zHmu2b4bDQN-B}%{(cPX>g2{`Jv<)+NIV+M%Y368Q#f#Cp$z$nV6Vq5r>1|<DYNqVH
z(e{(0?bAweF&S+?hyN#)Mce;9<n5(5qU~3e&{Ml2ocR%1%=ZYsvm{I#g~GTq(w!yY
zs*!w;=9?kXe$K(%^vj|+kudEbz7OHs7taIQ!R<@?Ifv$!x;cGKg2uOk#>}JQhW+pu
zD2V4!5To7}af(p}-!)^PuAV{H<h`e8^hW$iYh+m#R2&*4v^GM9@{{Tqos^D3IHU{^
zB8s6P1f)aOnGBTC2!It0cT;XkUFn}xj;1x$MZ+4Y2Ak($K2u!sg!DkjKxjcm@BkUW
zW~4Gg0jzOJhdyl}@+~m~C~uz;Ebn=J5J~I`Fa(Cg4jiBeAmtfS-;@Q8l{Wxr_PUJV
zpq!OAPtY0@BdQF^oAr`3C`>^Upp?l3G{}UCir_=w0MJMbphdk8C2)*{(We9}LI<eB
zg$>B;sY70nV2T1!B7+|zY-&D6*c9}ynMOoXBWjpPsLEOKZqV&bbtQBNzH#kjq82?h
zWvB(vTD3!HBMYd~dm)fG2FxDOHV`^0TPSqMjLb742W(CD_vrYhx--M+lT0tyon*UK
ztx@S0qIFl4sfTw)>P|8}tjZZ)btjo#(a<*15YUn~=p$y}T^;d!$g7bo-BJPv3I?*m
z#2A?a14y#vvlYl3G7XnG0h|Jv6Ts<KRUZK(nbR$C5iHca0V6b2LZWbHxsf&oIU1Bx
z=&cwjuSFdBM865Xh@L!lVF{rwBT)>Xf;uHz0s)j#i;d{1?K9%WydaEy*YM4<$euO4
zmOY`;Ny$-bYERUA4+EVRueaHIEOD7k5YIMpLFRJo)pGx=c27(COD*X|VSgE0BKWbh
z`nRmfYR(;Dm#E2sNa9Tl=OTE!;{X0gi+56G3(Ki+Vue{{<+ttenxaZx&+VrSgBLw{
z%&7K4nArdgjKVOn%~jx!0ueXev^(Z;wwZ1kP>r&K4JYpDU$*K6)(ZXUV0~K9ep!*G
z_HZ1l_G{ybX9TXRbmQ0I=BCAaxW)S$25|jV`Sz8L<?x!-8YXQgPZ^Y1VDcp=#z>2{
zPaTX;aZ}GGp0QSiSTw$F_NV=CaobXkXJE&3M>vg{b3#pRn;L18llYUXW8mb#?!-&|
z|4Ain&|k|+sq-Ft-VaA|CtlI78Q(IkN{4#r?`;<#vYRudI)28?=W%!SAMUdMkV)>|
z9hi&Zgs1czH`EoY?uucA>$IIr5jQibn6FYyxi)H(#;rfXx$zn$<N;uj8l43Q91-ho
z$>Xm#XHGf?BPMfY@g}OX^ni~K<NvSYgRHv*F8?NnF>6_Ubd|QSA>*ugB8m&xSa*Lh
zi}TX%eWlUlOJ_8OHbs*!JESI;pUYnL+)dH;1{9|o^#!9p*}ZRM@|81){BTmH^jGff
zVtJB?V0D~QFjoIOUxSNU-TG%1P6CqY4?Ym2i{{GmpnG3&w5OqXVscvz6$B8pRJDLY
zu}nirv^~<CX$bWcO%%DRxqvq^+9TT9*%9B;`SWI|RFZw%tS(wbY{1j(SSY!z1n|_C
z11%-${Zb%L%Z$;b`=U^vdwX)ngnx#?^kVDw+dE>_Q!r?5J~q93Ec<*quH9@7?l>dB
zO8J{1I-!3)l{c0QMq39CA=KxzolECMTi-t@{%`!9=(JtLcN3T0+OJT+(>`8b%iL~$
zmQ{!Xt^00p+RiqG_MNe4bW`eOC-rqcV-P|n6>O5k>ie#)l9g{}`k>{W(4uw#G^^hC
z4@&&l<Td%O+9G~@)@eHm5HQ?@E><0x#v=UH&%}<(FLCQPI!kAgC<f}Xu2WmET*1lL
zrs)0b@8RXNzl`w_qw<#ewedytX~~3x;=3js67Pq0LYfVy2@O%M@^$ZE%cMKhRLy?i
zCOH{Cqj5BD@!l^@bg`<9f8Jve!7B6pP&-~)Ujw)z!bB9ePsS7B&xmQCi3h&5CAG}S
zrozPcEkC=}`(5wTmILSu2sNSPATATq^Vu@9d1A+>j$ES24~iFE7+p0Hc-j9jydhFI
zdh0v3a3mJo^6_igomlk*WyMu%gA4-&86sr3@M4oiFNNW9zIMHNoXdi~U+_Ct6%=^!
z%m8BlA2EA^YYpr4|580i(Q4|-OxieM^ul@<e~OgOOzNC4f;$2oYm)w{?8SPcGLwEe
zVZ_2}H+`f#caK~D_EBAXHzv33qsg{?CToq!+TSg?)v<|;$=A<^+sW>FN9Iacy2<~x
z&dT{}r9%7xmad_{;GwAV!!@z$zS{M;#$VH%F6(Kj?{j|G-BR7B2r*i7=yA7x0K56r
zdU$6|Vq|{>_Tq10@yvdI{e}kThdplf267@0r(+JkC$XKOIsCp{^jtSN=)}DJG4E|w
z{<CH}H+_foGiIgiZLoT-eKzP{udnt^ckc<tsHv|x^b*k5xuGYqw=elLn5y%i<=fqR
zdDsp4&JVGNc0-%pk||U^C2VqgeWXU*P`?4PF$cukTKlY~X*aaaEjf?vnm*S%F9HN|
zm%E|o1-B4jIRMLt09O1D04prO3Jb96V*pkGuxbck&Hn(f#saLd0LOm}!0`YaKLoJh
ze*oBE0a8Fsc0UH73qW@W;Pn3i;B*Ucx&=7<V*t(u;OrrQbN&Z_b1c9)7U2Ak0XQFk
z^M?Q~_#Xf+0HA;+ceT>l3uyL00Z<r6d^KgUhCnil2DG!4xLERibgd}^&eH$GCSfcy
zc{j77gP3HW48ts5;)sRT#F(;^`$su9HA<wywR>WFKO@t;(0<VCVYG#wij|Z*Kg2$-
zymrtHq0#om_I?Ad-AxAaJ<aedX$Y%suOY0Khn^+_8WA?ca4iQp3@mRSJiCYDwOz52
z>98yCrbh|@!n(r%Ql$XGy#c_Ae+96@0<0(iSoINrRTd!J8vv~NR{&vG2(zXEEMagp
zy7pOG1=)A2BSdjpJ>F2fs{z7}62-lSffn9_i`MQ5<dez`#`ade?S|GGa(P<<ij@L~
z2A1yD)=YCfuWO7wGO@8GLp<jJuD2yt!fl(iF|Ww^$yyYhFk1-H`HbWIwYAThSB80?
z3VrE4NkUEF_KkXsEX=iojZOJe^!Yk6HLicsjXE{GTB>M#98W3HVY}SSm~{f-{~wi5
zT>4tc#9Z|Grp&bw|G*@fnarik6=;hE<`xJ&E6-Q);NxKbEBSB9>LYqb!CTzknHp9t
z{6_REn>j2_%@xh~X>R%ka2kw{Rs98ZKRa0{QTL71-K*CC05CZKG}!>+9A`*>T5=$Q
zIo6^hLGQFh;YFiVOC$5<W;<^h{0j0T&+GSM+9GqHcbvB03Va$FjIPWj-8ACWxFK-*
z&kN+bJ`*veC*ENf`9UFM3?XK5p>M}k*il~3?TH;F_-C&$sPhTA(b8TaXOVv}w9HTY
z4Jg%fLhPb1`9N3$XW<HFXwi@vT6};#B^~5{671QF@59q>xc?657C3h1zTrqW?YQal
z>9eVkW^Yt8*f)DqSzAoub1KsVSJBR+$EN533wh1PAkW_SF{M}xLHlcSI9~~s@rg?@
z-|Zea!>#2u*5}>oVxD%;<07`p3+QK;9Se~!ptqfpVT^4G&LdO@#iU8qzrFBCA;}dr
zCSCmhxarc3?q(l*LUoemAH&7Q8Ah!8jgedi;>rdKC(ardea&SX-Q48pLv{hL=c?ms
zyD%7Uim}5PGF0Qh#&rM5Zv9(VohJTDH$_+qup5Hci_JTxWyWnY26Ctuo4Zgujvt9}
zJerMZn!Vm*_oZ<7?*G!9fN&017GK%_qKVg5eha$a#OCz*5zY&1*Podlx5mv})4)jY
zKWLeetn~wN$6JFc;r#lktKT$yuG2sik~o&+-TjXmtMpd!gXsf&w8XD;(~IDg2~TMd
z9Ns@aCqL5I8l=|quCE-qpsO6Z`V5NoAC^lenp2O#_~)pMH*zM0u71M}4dm%58;9=K
zM)t1{^3zUI)eT6>G@Ydj=0Tp{LN8w)sc3{O<x4mpHTIn5(*Kjjj+4c+)5Z-M6zta1
zi;y_+GWlAS{yMfOG1}<#+)do=W)h=pk5s?lcJC|+I%c6$AT-3^vC|UaMPHS4+U3ht
zf)1RxsIm}y?dv14&>P@e{k-6_psmC(f+?j(k0&KxW!0@oY&(m<H$uD<<c=P5s$1_T
zo-|z<wo5CVB<}LJU|53%+RqBAW^}%7I@d|5!CX0c#Ex&Zms@DobQPhXyJ*IIC^LK1
zDy)yV^VDAwtAFk)yfEVfUEu4_(2YK=OU}&1KU);9G4eY-i%kf2ZMtK4GY4ZafUsq5
z4xN=Q+YsBFZEQa@R=*|j#4v<Es&5*6v`RJNJrGnN!O8^G9)e_&39%5S?;ABNV)YL%
zoTLG9h9!UZ&XGCVf1-c@x$(xRy!sQ8Fn`5_3gSPP<11z{9+PPbGX*(Gtz>Wk&(M9r
z-AjMITEeQU8(&P<Ju?u<#q^jOgd*c}Iz<K&*obd2bm%1?rP-%JV!p+yK0et!?c(s&
z6Qipd4AfbXCNJAm?bq(<AA!GW?*L+9Yoj{4*WJ8}MUK09n>%_pCT3eLcU>G_^o&}P
zTRyX)(-r@n(Ch!fvY7W)^3^k-`N-zeILTkC`^-+;@A#`xdnO`;iR-M)nA~`XrN^L)
zkLkAKkVU4qv8B2%R^PSg71okhA5DD3wxe_nKxl?c+NXvW?bHO?#6ZGyw<|s&y1GHB
zOk%J?wEFG-(UvYPC>!Z>dj~MOVBaLRc{`$S^Xtu{sgzhll;?D%B;OxE9VLGo@T@R?
zsoC4WDenR}&&VHxCo=o9Mv^A4+c;1Z|3v?hL*-3W0`5RuyzQpX0=@OT0?lmTCa>!w
z_aTxUv_l`t#~CRrnLgCA(HrBlSqI${S~TOTsoEvO2J&oV(n8rCJU-yoU-#6&Ri`XG
zy8rV9^KH8EDN-6AA6Qg*)#0XA#_Ujg%*AKw%e|jvb{Gog57}Qn&E#lymb6vK@T=V;
zW;eI?Gyq)}+nrXZ+sqbQ6?eKZBiD_B@qXuNnygA<T+j%|>MurVf@`>HAmz!y(EvkI
z-xW@q^aj>^&r5IMif+t%%=IXwR1{3VS-X%uMjk<^nEb%LE?bKVH$9fCE9*i)Wd3lS
zyGO=Kfa}~XOeh@j`|*3EO*Bejpb?Y{<9Q$8-Tq@r#Q=@jnVMqW#RIY4#t|Ta-P^5-
zt1)j^QonAQVC>x(9<WW28o|tC?p)OPPtwvr71(E_<l@gU>}{Ql1s994+(}FHlI+tc
z5V>(o9T+z!02b+g(#24$Tr}waWj-Cv;r}f^ExPckuct?)4^4G_w=}hW@ujKt{B|v#
zN44{o>Ea2BU-~TmkBi6RPY*2m%n*NFg`*p0M>Y_0sSDpwKjru-t(Vcz@6sdp8hNu8
z=G(hvtzk3eTWc6_h#z(JEBOXD#L#U-45Lqam(tVPsvlP=v$=>{U0NxHNB#ROnimuv
zAJ}{6=0g;d&62=w{nPPlQ6b}_{Xet!iUj?#o4z6(?QODFJIK4w7<D^&-A)Eyq+d@(
zgD>Nc?*#j<Z!-Rd%>Xui$%j&87UtjMMc^5M9?WZbdBOGXTVnO!3QLOb)N~}TgrM=?
zsx^jC)EkmR^yJErTQa7b$-jQH<X(gGlU^dYWNoD2X=8fKG7}*e+OOI4@6DOYbz)b>
z62tU3r)|0>!OZ-SY=|3*6sN&aQfzLA6|+`h3lsf$U5NDx4@SUU?AIMbp_pcqOoEzw
zu6oq9?Q@pOQizJKUJ;;wqCwwD^+R`|-~V&Xh<W|q+M~bAehZo`DhW@xVy=>Wqsrf5
zW_hRG_#de658f$JCkKlKdQ%OFU)fy$Qv7f;nqKrjFxBCdAaMqodpKBNpn}aYgC=?1
z0ebE5{v-1AHZhW$yNrCDiM)T)pZ6w>;JTFD&S9|$zf=YNWNy*E=HHgD208MIdDm3%
z`#V-~lrU%>B?<Ij1mK4`eaq;+SdM%yT^x1pewaa1;a_W&q|zquGMK2~I*Bb0VPrk}
zq?yeZ(={ym%*~axW(5)N8&;+Pk-0S>{IBd1;}6lj&k1(_uM8jN_&s<pMl4@|&vy~E
zroPK;ebJ%%X4?96u#nTm#4r8>)~d+=r}*daIo#sY8Q@a@r;s0{_573Zta+XBeD3h^
zto>79<;L^>y1e+ZpuCyCWCX;^c|-mSm`3-)czW=M)hc2}jHf__0{j~9+=>{l2n8Ax
zaM}(t6BQX+>JMllz^wZOqGIW9F_7Mjf0{w0iQI=P%W%83%!b8}k|QzRre?gwkBw=a
zmAr0C;e5}B^7V^vGviLA&QdKjb4#XKvC|fY7u{fOtDj`v;(-*hBqjn7A@IDE-}q+*
z7`->f#$!yginnW8x~u{fJnV0OU6cX*v(Yp=|IXc`cneUoXxKl3itL*sWrUcL*nxU@
z_Rx$qB%fuqU4^&8pz<#Bp0t!g{NP0VvjR9ZHreHFYdCQSR}v~C*&aH^x<uzfr(a1<
zo5^YGBqe(_=xZHuerC!6^o-o2Ixx?CS!FIgo-+`$xO^JtAJ9ftai(Lc)G_Lz8U_4k
zPv+8S@&LPA++O7-r!)(;EAR)9VHWZ4F!f^E?4-KM-Xf1EGTG+Zr9><p+JBrG2T3!I
zO~%_*0bA<a!{p^RG8>WkCjwEY<J?c7xZtLT6Kwzcz8XcD#C$Xb_!{PB-HF(LO&ml4
zgQ#l))HPiihEZ}N{>)r`iIbAo7nzq)u-ww-f|L3-wDJF92Br{d(|4dB0J>3F`!jbU
z+60cXU^;JpLFcJGa8ybQ)2NxG3@upp<(3|cR=KS6oTayrqkvf7HXW_@+>TNPtrDkZ
zb(TdxHEUm<fg>%4UQKT2<Wm+*J2~drUThFC>w?m^#qa02$^D_ksA%i;MPG=|6B8Pm
znHQ)n4Q(UNdQAk3|B5R6%k4bNjJfKKfUHj2CA8cipDoFS(C4#z;2=A1TR)xq`R;8h
zB1@3_Ng_<`PRboh%YIJfhRt6_Smoproi-#QY^RBb?&NZn5iy2etx_!i75Qo55iC4s
zlV1kI<t$}S;Npc&yS|NPX(pUqTm)DKAuUI=Rf@y(&n14j37NYB_YllwSrtSpOV?1A
zjRje@6lB>plx258mVtsS1~lIQR4a288I_A@RaBu!{`sFZ^P|&#8z0S?dkykp?96W}
zg`}jyIYBS=I&Hl~xtX>~A?JFW!4no1W_;;G_2~oF!QXDb^<eP>esx~%x0`_E(szSU
z#E%nd<lf+theg<7%-srP2J)Nn!|XQ2{W(Mum55kmI}by1vM5Q%T4JaFdq8QFf@lZv
zx#r~BlAQ$C46WBRJHO^9@?}y+AwpGxJZicqL~vOUbTbQz1BvY{{kEz-?cPdtOd&m-
zr3r)3gi4s>pd7lGT)>WQ^1({=5+kI5XwFSPQVG)3J)Gqi(9pSQmYM;UXQSrex*H>c
zGn}@QRX}1#!``hX0I_AI-r!FS#&xfgx>i*xQsuui6hGI*Th4U3qp=DgWKpM~Q}9TV
zmd09~DyG7%?o(uyKBk+^KRv0`Sn2xDA(jlWwOE?&qz)F`OzD$=g99!ix3{+cQ$|B=
ztK4QPVbg}Ko4sxlujHR%<RAsbCU4_yH`R5`6T;RNDlEvR`+o#wH?7rPJ$N`b-K<ud
zZ|-u|sM7Jx-j$W}RoCL?G!qf%m6*j`GozEXfM{PcD~$2@)oNtIy3{5A0<%@a10G4g
z!88P%A7kn;J6u<+8DRNq+iDIY_52lU;N@yl`c^YM<rgkIEgi4m&lq+)pK@;8NzaLt
zYNb%*)T@uxW@%Vr3M91BoINdb(s8&0V;OyzG05-^%f3whJU{CFdK^Xopv~Mn$ki7g
zF)iJEGHX*?U*_h@R#hWUI4_z#AM$TgOy*Xj+_>q|D%e(f4*!|KK0X)rZZ>n3i=(?%
z(tPQ_tXQtG!|SVA^L2&Aq=K2s$_Zhzoa_dZ&sa>#K4aW#gMll&z5*r@zuM?7Dz=U6
z&Ml*<7cXp8T1aa0A@`Un{~a@zI&B9-oMyVbra4U?F>14Yh~FW4bY=a*?`WrbDXWKg
z&HS;78{31~bvBFEb?6@RUk!NDNqvKa?A6Sy`SpWF3}_W)4-hN)V2XTss7OpjZZSoG
z*MVAMa(rSa$I;3$ogCBB6Dn%g`>VF_ieJ9t<LdaovA7PrrMbAS!Z>MMI6Hs}pnegD
zk9TujnCmd_#sAy>3Y&$llUf&yZC5LfnMQ&+se6c&T@#$oQ+o&GaB!6s?y1{IQXdcc
z3yqfKwEsbkOJ2!5pucW|^hmL8g+^PIbEDq%X$07%8d>vQ{w&bYVxZ+ZOmg`M-6qx2
z_e;<S)zi5f>;5K4auEVqtIs{GP68pc*WU`FWHPGai?E<1tN-3BLQU;>*2pL)wZ@b|
z1L-vkoc&7xW4to;kevxPwboD+d7;P|=)a28Gbx%3L;*BczuE{EC#6gBZpk0*FiC!^
zD3lGsJ4QViTHk7%{*(1gx9jnWP^NkKdgfVOz8qT5m~G<PJ-Nj(Tl@ZK)1t-Kv*wpU
z-3|t=|68Lm#E;QL#|BCRET)B`n(^;u_#|Gj<apG`*TvhI*p&DfGXTrb&*#U-P`ORE
z+@FG+zcx9qVOz?)Kx)^y%a*~HY_U3RlJ`!#{&ISOt&CQ$gs>a?9-(ITE!q9F?;tm)
zzZR*@?bn{2KKBvEejn%EI3L5$W|K!KTj7p|Je*7K=2+Ibn?r+c^u&th(eijmY!Juc
zcqs8;dL&I4>3Wzbuf<}74bqs?#0DraYcXV@eoV81{T{P%nl^6<dUAM#`B0A;^J`6u
z)<$P#&N^U}LbS7)X2D*beE-lzpK6|qZjIJvRxY?xc@oO|2N(h9pX`(7yzoK%R#PG4
zV!I*cE??smdAL<Qu*;uj2$?ut<08z|J9^PEvGlB>WLJ%wnZ|x~OHn(nlluQimmn`}
z(y7Ceeqi+J*VVnd{4?P>ap^Vu_WyzRMYSH9g&C&shxKaAYG@rYGv;yapG~62{PSUV
zUK=QJzW;M@WedDSkC!`3e^0Jxa)QofE~*R<(`MBsX$KVwIBn;foF7Kwi*S=FwaiSp
zH|!8Dct1!~G3i8DDm6$}v#Md0!K!Aj|8qkyayV_f05orzBKx*WSK9^=YjTR((0SM6
zTpIq6ht$ubeeUCa_AGvBzwv1b)1=T2#(k)@tThgct~T4DpU%r?{Gy&53+;;~_k9?z
z#)d3@d5gCu2JIs)nMs4ZJh)CRLX6gMbcs=HpDe-FOA+8+;QQQ&bz0_fN2zrihGZ01
zM@V%EbAaV3uKggBHy__#Y;N=>e#*fR-MfoR8}q@=kjZp8=6G&~3(GPX?NQBQgX%4M
zdOEuk^0=AFp`Ma2NL>hLZzm$x581!+Vb?1%C{zJ+f|b=)P_DhQPmN(w&-Ep3xzA)}
zQFRElpr}N&yg-QkT{0WsewP(+?e0kNnY8P4Rdf#<eQl=@qg;FaJAyow#JHJ18Vw(B
z2Ceif)5~&5N64rHck-)$Fr}6P(slKZU>85i#SL~qDzT3*{Zn|O4Ho&`aF09jmrRh(
zO&>CmMmsA=qV?mcyXb)i{)hvs^d)rJe1wck_Gw?$Sz1?0G8&QW7*3nP+H{{HFdw|}
zSgoQm;||ZO*<q!iW(x~9WAPKY%ble)Y9_F2Kx`YyxyJc~^-l=zw!xz0_(8msVE0YY
zW^qQKG4Wa9r2eW}4VGHTMf8<i9AW5;FbQywn}!K;T3|G+uxRL}qx6&|pkOXn955Tq
z9K=ZT%Z;kzX09)H+V3>Y*6fKm`a5&lnVH5fl&+SR(ToaVn#h(Od6V11aC?>Hr*ro@
zw;DZmw|4uSySq8rAnq}@`foCyGjV;x^C=U=EpN`uV6bm*cJAhkWek(_xs^4s>L>NB
z#x}5=QMYhZ>icgYWy~xs#3TMUUXXC0A#O8+tHw$F8YJ^LDvMfsyIPA1V^(~bdn?2A
zfNBDu1S;fL4s{Db{VJ$vWi(+(r^5bKs$RM;{Cpc!3Rq?VEMsg6oTW#Dz?r;e?q(X-
z!4O~$cKEg0!jxer{7j<Uzw3D`VD*xe+6V<NLU++}#`X$jOtX_+^c$+ZCLSqm=rrXz
z+QMU*BIc;@oLqxxkK_jH0J5rOM!{gy$n|i&u>#M}F1|_|5*wuT%x}q@k6G<jC;2Gj
z;vX9_gZ8?amMR)^PBSCDK`6ozajj#TK_$~t(VV$xooQ{0yd<!4F#XxWBw|{h>;_4W
z;hHPw#OfD@og44bNYG+-uYc!rmI8kY2FFJmVVXKyY~k&dS-WY%J1-&hPD5*QlHnZE
z&6%rf*cdB^T)AFY_yZ}I@HPl%J^C_tjx|y9gR}Hyb#HRuY-g!?Iz2g1-f|SS^RInK
zMQl0_lpnPooX028^$*}gcRc6u1Lf{f&$`K%_ED84SU%|ybsV{>xH(6#B)b}=n|Z{A
z=ekq}8NjPx2qS7-tqsH>?BubFw6193Cs|0Ui7_U8Kk_U`8uc$;)vw{@7xSfFEcXYt
z+E9hRQz3XzPhiM%I2_=zB_WBNo9T>cegncTLb`+<;-ScR8aBdCU)e(quB`;g7v`_>
z!O}$!sF2C0uk5QFndIolDE9uYNv7Pt^O@Yp6U&t+>a><>5YHeUliMkz2AG|HWxr;4
zcJ^CMj(<j{tWMPO`lFqn%AuQ^d9ZRhSovAtWs4OfE#LntG|8Svi$rZ@FeXQ`4$yG&
zPlSwCOgO0}K-MuVqEbB4{pu+H!Mqe<F-EdUF-q_Oe<N$RT+t~eO-1GZy<06ne!*vO
zC!5$3w^)T4Q9C7){ZG=ZzGZOKqVKPHDmbb4%?bdqj-1&B#*of1OilJ^0Va3TmVDK1
z558~PrkrY1g}Kw6+kee-yVgAO&5RYp#0#5eoFi!PGGs5RT%a9>8un1VciqekxR~Kd
zr#Ao+m<&=gdd;3SLZsQ-tbuICFvDH?e~WGc9|xlB!p1V^qaDehpR@V<&8}{T{>I>j
z2+Qn!STH1aK$wl#WjJm7RENxh1_(ejwr<vj%(}Ju8Dp2DO=^TwRpMvDIL`9Td$6*V
z%+20!D%<r-(`LuK=QOmzlzo>xf8^w!@UJmK&?qKjnM(GtgkxNV{8cX^I_ep#iyn6w
zF%7vgx$FYJn5yyoVQNj=S}|{=f3;7NX?_wam9n_{4ztmWh^fr~I$$lY<tUkb3NC5M
zd=2gM83>rwSrE1wUE&=c_Ha_t?=48RNOMqbP8IqZO*GFm0HGbq!O!v(g(=3N!d7iV
zuot0zg%Ar0XNvIx&A4M!po2$RSmGNom1$y*(H>EzsX~D{PTMl5%BGj$k7n;3&AZc$
z;Ka;9o*$8sOdY2|X&rPT;Btrt^9)r{OEAwwT0$@_7@z%uj8YE7*L++NGd0c06*2jb
zC4c{IrZFJlX6$5~tIAR$Gkoq={lSc^O3DTA|6&q1b14}9iOH8@s8>$g)n*V&P1P|6
zr-8k_X2;&Y9mO#_i&RZk4{&2bxf>XThC*g)fr@VSWCMUH$^Ws*l*nd3$;x5aetuv&
zDqDcXI&-LjSENoDDO=932~;RRinhZ{#CS#IM<^-Nb1AcPDRUI?FM3kw#nBjG8?Y+#
zH-L+&$?pn6)BP2MXm%M(qQ$%jVCJdoU~E?U#~1*KPFrN+)3z{4YyBF1)Ne5<c=%^Y
z@q+*0R@IkSrbtu%4<>?*Tm*6s&s<A_dXPK*Z|G`~aSce@sy1=W$b!a6-(>-mF9XGZ
z_Wv3rQ%R3MB}hKPBug0*Dg8@~Dz*4D8D&5Lco;uo{`-s@s!C-wYLw5~pcY#gZT|+0
z>|><a^Bsx;?Oe)Jv?D0`-$BvowrH=B-FRhH(I4j0M2_o?oObm54Rr|=OX$AMWV^!D
zP-Of*U{mX67LJ-}3>~$F6<DEuMJC9YC}2&9#nGb4c1z_N%S?e;$irlK{lbfzy>0AZ
zMK6k8Jh)Br*c$I83(n5l#1GgHZ!!#VFI}BGSBD{o>?3mbEy1aF5B3q8S<&f0Fj&z&
z?eDYN*)8X2T><$J89H*OPc_9GrgT-4xO2J!{Laax%+IAPFez=7t^C@=HY3UvtpO_m
zq<;jL^OMVRr{eghEce);;8*0}SJ^~HiUMTn;wM+QPjUQH;f*$^EZYd?viL!?vg{tp
zqV!xADgOGWEM}w<CRkCBrK%u{8M0*Y4`;(wY_~yWMK{Yke=zz-&cf^tgN>WHx3bk_
zlM2D<^qgjv!d=9yVlNO`I+pvN=o-x#tMce*Ncc5VPI#b+G1MdeiyM`Bm;bbWnG(YO
zV}!JUx=t}d!hgWTV83bdaJqGuiFnQbmHFN4|BPQ`Lj*lieDD!HQu~R+QPgT`n~?Wp
zJ#lMgE8%~R=(%h<w9uy9eu9Ok&BCpw;YO*%(dDIPd)Q5vRmL0Lj3rZ!DE}NfbRw@X
zFgr}yml$+`-sQ3O#K;uT^)!&>G@zZ-si2Yr%lK8gHinNV$TC(vkjW|TWYN-E+9cD*
z&c9nwL^-KJGv+OeTRniROut6)4EuixU=rt~Fbbev+nXBYTKdvWw-n|%!sM|%oy!w+
zxDLm@QJ7aoex^=MQEp+%wm`RBu%`%x<FAk=`$MrzdP1dT$bCk<NQD8fznI*X(J7EP
zM5?@4nveKtSSy;HIF8-O?YA0M4oWUoNpFKaEA!tgOuBdoxuE1tg>{}jl#J6y0lvI2
z`Pcv@4NsG-hO|vkucXH@E_V6znU~a|YC(J4G!9l2Pwn!rEJQ?3HqE#Q6#BCZ6IYUm
z$JF2qVq9U;9VD5}Rg0cqP+w{}y`-(Ipk<F1q<ME6lsVR5_wqG=hM8~-n(@c7E-;x7
z?RsVz9|6n2qawkj%o({hrN)x1j#vgf(~WNmFcJ6UBAzo5jQAnO^N%Y8@yz}_gV0T?
zp|~KqZ7W31-bWq=LB1^!rraD3?GLI39nqM!e6pY|k7ln^K^V&HM*~}@81I-lGGLAi
zO$Nq(Q2eRF#M4Q%+PTrM3X<A*9Ca}JX;YZCnHxy~_|k%GsSoxEad^)hAKCS#t-0+r
zL3mE-$V02ysqtTaR566IU8D_7huDMfi{3Ap8r`!dl$c?B^v^Xu`V*Lz<7qHk65Z2X
z%2s3iAiMRC_oz~$isJ{dF_Y{qp65+H5KV3m#Y^zbANBsC1M;Z%!?FBuKO&a-_fWK_
zxG4JPV~xjtyz{q0S*{tYEFP#RfA#_6xc~c_*KHldvl-D_YOZ7t*C%Dth%(7qb83Yw
z%jaS7J)Y%N{9+B+*?WpZaeRP(JEFnR`53KE4&1OXs;@umYhqD^+fTKq_f<Nt`MJ#z
zT6nC!zHh&x>~Ekw?A>_bXNx)p2d%zH#43H+2c`Z|pD=hWd1DpL_RnXqYAQ5>CwcAs
zBB$-)64)vEfN8taw!(Z}JDr3-D9B934frb-G-u|{#-Am45>w;97=)(#PX?g{{v#&z
zpcxx}NARI>;r}`K*r<=+1RuNg@sr>~)4Bh>;6qZ*zdrbwu8#%5#{zxK4L+9X<2>_W
z7)lb+|D0W(ucKYSH|YE41bJ$FHwaDlPY*&1{Bb4}pnXE{VbDH0_%LW65_}l6i-M1c
zP<W?LRC&+{XaCjU!=U|4@L|w?H25%Rck;31L-m@|Ho2JV*C~aW=+#TZCVFP@Ypd8!
zW2%Snc69m;Mz(qDoYc`~PDJB3XAz>n%SKix&8%rDwIE2_>G$Q+b{r7W=W3a1)a;=B
zujMmzn+&&_-c;*E1ctT0&YXz~{4f6jgrUuE@)^EsGTdwpe9%XhnI5^<5K15o^`6`+
zjugDJgBlebtQ#IQa@F5%PMehH#Gp<V1`nE*7qgtdCZAk3gwlhRqPmiQolkyK6Bq^6
z1x!3xAow@Eo2!1KN#uH^Sl<7InYo>|d-7aV)~mu|{^B4s-5=<&aSQyNCKOO{d+?#c
z{u9B+Mt$@KAG`IjI`}Yj_*3vv18)BE;A6TzeiVEx(8o=|$1;6f!$*F<#mE4&0p(`?
z+HTOcB=R>I-N;FeGraQG<w2T(w<1U@w`r?_Gz0!;LD~m~s+Pf7FkWp*lX@kHRx7On
zb3u^u$p1&(yTC_TU3>qTBtQbl1P}zF!nA1xwaTbfQmJOh3`}fLyj5B+rL|RBt%qtN
zv|5eMMDm<rYEFx-J<^s|dP-Z)Tia3urH}+jLI@C%OGJb~z044S00IF8-tTYkXC?_^
zYy0;9f8Uc2%(L%%?X}lld+oLM#f?#uZOk=p%pXh)2sR7irK?jY{k`j&ocNXNnx1&p
zxLlNe-}R`n#N)0<<tIvAPrE$#xSl+r=S!|<j69QE&t!QDUC(rRE^|Fq@_Y)9*5k?P
z%=F#(yEU}A?;;pZ51)QJv3V73;P9l8a^6ln$-ovlmt7H#-wUfp7}=M&VZ8#s^DXYW
zU?@ifHU|B$lpAlCaONN}#=QUNtS&uQMgEc^;}zw9q2Ne*J9?EB`4m4u+{by_S)G_k
z%8I>Z+-$LGRQga=S}*)|VhZs~%2%Mv`E!-bgo56jmt~%ss-n&zfrxr!;w;xyn8=cg
zlW9f@e><@VYNtgj)uKCWi*_U)V?JUYah_6B;<pr*#4Bv8UbU@C+=)>@xzK-5P4miB
zHFd75FtH3*Jd$BsIaNFl?MIN}s2V<|Y@@|8Y3RztQ|SUK(gi$>i&NDv(fFxd&gClO
zRHAIVpG%LAz^%Fxi*rh5qlK}U(}4&xu@w>wWGF={K@cg4q040VZ^ab^PvY8>sP5h@
ziA@JArr+v5#RYZVCv=ZVab#as0NG;F=sLDMRQw2Jpp9k6Kym!vxLanTC$qFuANtbQ
zh;Hk=kD9HnDBKCteEb4m!=)h?X%kLuVnb|3>1&F6mN=ctpf*q0QmG<QbIRfr|DLBV
z1kFCsONXgwiO7H%A~k=&t~pW^gs%yz_(TJer}P_~{1~JC=hdFNLJ(ZgT!x14yKL8@
zPy`}VL*iq9v(VpDs7q&`E?1|e3DsOdWO2{Fl-f3qrbcN1`sG<dGa9O%$#262s+MFx
zm)*{j+0L<+Z05vZ?DxvSqYK%ely*Vd#UX_ItBp~c+r7ONM@`Q>mP6~>!=G!%=biOe
zegn?C)(-D%=Hi+X?u2&Mv!w7wb<KX_0ApL2m4_=@IPZcrS+Az{_g0)m*f=(`^x$i5
zM7}wH07r%6!K=}(Ka|O}IH$@k2^X}_7?S)ZNje2q4#(Kt61o+D?FEB%0gaNEzR68a
z-imRg)?w3vI_^8E4)~gJJ?P^y5*LqLS>W-X3Y35M6gM0_T_5%wD=w%lOFq6U1HsUg
znOmccHF|)kc=VCa$IrexjG=JW+4ybmJGW#c?(QL4m}?OAweV%b4dyu5;;k5<bXcUo
zV2VJnNOi)W7>0BYR-$|89gfwsEwSr$@K@H8dv(~Q?cd0KL33(BPleX=<&WeKKu-J(
zeUruy(lfZpY5R5+%`3fEa0?HdI4)xqSZ@$;GL3+f-pFuGJWji%NB_q1nWr+mPuGU+
zg)eQ%6V&6v!EWv~_)_!~_=^}@(o25JH%#emzwM0ASVp{Vb`ShTw3gIWu%C}VVmp#s
zaQ=;~iOrer`y^fI6YBm@`ebvBVID)$89o^~-Y?*6)``*?Lj%rMjwnEJ<4@(E7;_7o
zZCv_ihzv2~q6_xT{;l}5_2yf^yG_CT99U5H3^@9UUJo^u#6O=|mz7ah<iTdMXZa~G
zUBdGWj{|c!o;`~FGX28byI;q`VIFI!>=LG~996u)R9sGa*z>d#PGflV=C+@@dev#K
zwfz8m$ER)U`u-^X#^elx%~ZY@llOG<|2C=hLu!7B4ayE?F)G=b5gX(&&RcW5FAO?a
zl$CL}!{OV-gAU`YymdfvjL9T?c5y7M?{L1%BjNl&EIg#VFmrf$;lSZs-I?u#FJc|e
z+o(pbsnxHy;z`I=nCnDZ^1%+l0L>4IQoLLL<Hl*~f3&myvcFkBaIioQU&MDL-^=+j
zBZSBCW!4G@`Hls?LSV}R#zMkMl6M#kn0ac@uJP&mcNnLs|23Rye{qafP99hso19Zu
z*pKT2CJ#%F=!U;vbmsqAXZ~l;m_OU(-)RPb?Vs47uXN_Wvorr~XUv~z@=IoS`%kO%
zy2KS8UO#XMtpcBycb4bxEbn5sJo@vKI6u5U!I%1TB>3`xFX8l}<fl!I7GJ9Z7GJSJ
zwYVIEt!22t7I!ud`V-E|Tl<Mx*jPetP^fEZbiZ?9o-;l#DHU3JJkkGdd4T@7aoYa3
zC5ryaOo<;xe}Y#q@=f<Y@Q(rhOyCy{j7xsYRB5NUu2lHnM^2LuEjw`52OTb5Tw_LJ
z31c#k8Lw}01-#Y8yF2f7y<d@?TV}p{;X~#-SV9iN!dtNf9$pf=Cr1*-&H3$YiLz7P
zJcVoBQh^;AHo{zYoO|mT{fQpHsku%b7&iNoQqKNpAtirk;u{c!@n-_W_3@JPndrWp
zS<Fp&PtGHH+^NzL$sa47dv904T5og~{=#zFRDqbn0A0x(dR1ZcRN1Z)HnmL}T|de5
zcH~44c1;yWPWikQk`q;h^1aBOh>YbUzo4DG^@-1%JYnElqjKU8_j~bd99o$THxZ?u
zN=kRfcuzcRmTGKSV+`@Qa9dwHF9ep0xrZ^=N;qK7>+8;W?cR!a&phWDJ_ukR_eSSX
zIId5W-plVL-l*=o!F8E8dY^R_c`Lq)tNdXvLcx!41u^sHOe%Q4>`5f=C(MEzk*z*)
z-wD%@=mP?8dAa5uanDZqbGezXZX%3_!v5n$FEuak1D{srOHAgndN7ceJf<PD`1Ac<
z96*w~qJA06JJ^0mGOk0*hZg!KGHmi^ps&6qvF!ZvW0_?=A}2CSN0xKNT`x9#az6X)
z@?$-`6_cnhaw7ZgDsRPjoK!II#XQOtikH4`L0&<H$uO~+ht&DWD+r;<*~mjCe?M<U
zw&E8T@t(rH1M7-1`_~nDdA7ZO;aHaCeTg&BE+6JL=uTU7#X$<9&a=5fihZ>E5)<4i
zbsv9HXRp%up*jfiX9Pt~^r62|QsHi!O>f*JxV#ll;3rj<w_>JAbr$E}a3t?GAok^Y
zLiwf$PSPjdLlxh}zLuV@dnO-8{`<iEZq#J)6|&|eM!q1ZUy@BKakh19d6USoZmp6N
z?=LoK=E>b|-CA`g-Z1Wmrzc*sjwy+a)=`*PV;!Rs)z*=BTXHcjOUG8fSU)kFLNe+n
z=6F64x~G0(U*~u0_H*sh$?Y#bQ$O+Shi<+!uYTf?_FWrSe&Bw)uJ0Rp7oX={JV9dU
zo!R_+A%~yq`tmaYw)p7THGk!v+3WcKh2iF2dwK8o=^pzDSzN=(<>kBh-#Uc%7s&Ha
zzKO}?%2?y*p*+UL`!CAVlNjsDHBns7JfTk@SD)S{O0Kg^R1Gd~AXlG$CQ7dUCW;M~
z69xuy^%-EI<Qha&E_ZrQILG`B*1g%ght#~uJ^MK(WT+CTkYVQcT!qW~F@>w%5$5+i
zh08mVX5}Vm?kCLe$Ag&js%yTMUu{}Cs^-lc6aGnsuOfVv3BQOMbMMOsqWjNxzn@Zy
z2Bo**qivE^B)O0veJ`-Fa(<ek8U!~{TtR;SCGPiPo1{T#9z(car8bec$xYlu;AJG%
z_fn<0+~$z~GfLb{;${QnSX+EEF;|j9-z$`22`QFPoFG+Tflapr=T!vh`&pGd&L)xn
zbIP}je9K%gmJ!HZOb=a6hGlvOfoRs3!PrB6Lp*{QjNQ#tTAI&oDW&;u5SkZcTNBsA
zKa&4W&^b)N*<1r2VnJH7ept}CFFz6R@0}Q*fB8?o^Td||&OXkEyurqC<!<-wyR4LW
zXK$cpU8XYo_Xa%gnly=^?_|KUJy5eDGw44uF}~<h<&Q7?j6Ol<Efwy0-E%kyWd40Y
z-&=v2CQ|O37+*NrB=K-<@jk&2@Ejq1(0|gmPqp|@PK+-bYm@8)QmQ7&VIcCq74#h;
z2Wj4#5TAd(O>;8DBE4n<X^wKdS5;B!x=jDRbVYB4ocF1n6kvg3jtF!M_XHPi5AA)E
ziarSMg!sZye+S;6rwg2{+^Z+VmtCzqDVPPhrwg2<S*3Q+h)<cayTKjwbOD&84e^B+
z+f?0Q?}V8|O|;|+o2om$gI)1V!e$!e7S|Q$r?+9r-)uwB&-+d5GeJ2eE@SK5CVw!0
z6I-pCL;kgXydi&WO-cTy5#3ry{HAp8(8~DSj|pOWCnySQ;@zXeDe|iB?4zLn^~)F<
zo*hBwuQh9jc@EXA8xe}nHI0CbLv*=wBnTj@I;kw^*%5GF3y?hEITZ452|~xq0{&wG
ze}jK3ppTdspJOOB<h&X3pAcC<_YJ-sHETtIA^*A{b#4lJwuGE*y!S*g2casm&Avo1
z2b`TDKZm**b&upX1${fHN@N-G*9Sf8L(a<qKSa4^7-Tjg;5jfc9v%0KwpZ^DIokvN
z?V@%hm*$|KOZXczgQ$+UzqzJiSit{&z|$V`zw77z@um@%-JD;2SulUq`1rC<D0k3#
zCFp;R=NoR%UlR1Mr~FLMN#6SMuZ8>(bc6mj#(@9jnzbW>Dxo1W5MMM*IRnmn!iDDm
zFKGqI4k}(jI1c&W3-Y2B>3P0qLuOHY(YZD?VU5FhR?D+7h>mMhfcJ7bLjK)cNlwHF
ze*-m>xW7&OvKs1X4|*Dc2ti!wUXstXx+VE7{`>fUdwvU)&@w`CE#M)?W?DmM1d-4Q
zU8NjN{w)?2oGKS8RKWJ2zchb47zt9!c1qc9O4$xRys4`FYur+r{dF|h-~((J!sH6|
z^>DH3Ab{`#HYuZe1e8)8U*uN_PK{pIs_`6fPQr*h2Z(BdQkDp!WkMj?n}UA2n3xuz
zX`+Ot5dv<N(!xDdjMf=`<|poWr#*m8GznK(w3;@04sx45RU8~2Ut~~#0@R^y8oP$)
z-_(^U44T?Esg5PIdx^3GJwA$DVlc4e19%M35{PNdFpvnsoGl^S8+3Fs<bTy-cs);b
z`1jH(NV`QtiVP!C$h4SSH$uoe2~lqf`j3YEJZC}|Fm)^w{+1EG3T!L`l4T?CEDMPY
z*N=!VE9inwA<lD*7cnU6SbW(9E{goM{(~?L&v9piVvbYu7?X?stq%F$)QE$6nACW0
z!@tv`H?`Je1}_8qq!0PG6S5(A8F<!6^dAKYqm<vjRgL!V4|?hi@i5{bAVyKZ(?K0q
zn>w}#(54aHiR2{FJ`?TIfd$%dH~JoS<vB(xm(XO;0Y9MKn?{I@#h00pg0qFrcUu<l
zzoy0o$=IR}YXNK#PmAX`88rlmm=K>kB;9J$@d3|DuDoXSdsgzmp9UNh)QtXVJ1V4Q
zFjl-@bLpRu?Sc5RjP1*YJr#6X0yd+s!Bg)v=QjA-gSpkZ)?t&U<FeZ!_eM3M0mvDU
z@Qxrt5`z;!aH*mu5YSU)g(xc*h6GoD8MTnB3ALziy+&YDFt^Sib}hrpj7<-(X#~~A
zAjx?AMPnl5YoU2f@nu6*9?oj#05Gf)Z`k0}KoUHh<a?QtA!c=SZVidHL*dn)W0X)m
zBH*+uTfkQhcHKgjI0tiUgT8G+egO`U8z=!lAIWd#Z4wb>v*);gqKIbR@2iz~K(c12
zW1tGrQ-cmq>#c>Q?9_XGxrZPWwU^ff*JK8Kho~^%YYgSKKrbTjpnn4d&j(6Vm%#wk
z4vlAgn-nCLJVd2~|HjPR1}dS>YT=(3?P^UqOCVf$NF!oUGv(Q_470vDe+easDJ~g7
zrX|7noWZ83T1_+lWYD)W0N?fV5@Ia~Y!2o!0X1a$czLiU_jm}jsa#Sx3W0Zrd^KPw
zKHDHZnA^y}rM^}*MFWx7KwefSG>SDrm95~el^|Rr2p4;4Es8JeBN%uJG2mP2frMe|
zG>n34=r%eq8T2RNNXyjv1~IPN<)#hd5tO=2i~>qgxywe7OI(X7by<k1$G?M#Xq4>@
zo=#a0$if@ZoAiX1)1g^(yXS!V5&k$vDT5wGFfWp{VVI|mM}9VBLZUtpg0%!ax@K&8
zsWsrQ5r1oS8ge^)6u*X9I@;UT))?>|*NcJ<bD8EYbw<G77Bq<EXPHRAIY|F&7Mu`|
z8p7iR9;K{>A|>U}zrK!;N~t9<<g{w`ZVC7fhWxD||LPD@3k-?Om#9*w9<1jc^=$~|
zqJG|JxDrq?rHMZ!LVg5uMyN&*v$$NK&*dyaNIW{)6mv`hi8@G#Xl5}MfV})~f;a!`
z0Uxlvk6<LIayL=CNp+me7aQbR34<}b(N`x)muJwN#*qJgvCmc}2%#e2YzTpkTr@aB
z6PO73-w~6f3r5;fs)hP?SIk-F+d?^J3<f2dNK)Z3Gk7B;FF}WVpSAgFb14y&LbjlP
zBZ%{Cf!3SI1}cPG;HeGyYS~iHAV$U&kAid>G$b10%g!+<I7m{@R(eCsqt@4GiaO}o
zs<B2<t3U$<n8}eJ7LJs_{7z7Oc7L~o^_gNIwPZDHL69%;yv#E~6#a6L>}Gh|NnR;5
z(3@07Q^3D16p!X@srhOn<U>l$@4yLD07n0DF`rc+mkg_5sdx;@G>EKhf7e12Hh+h|
zT`5}qVqYzq)*wfxnbKO6ltI<Rh-x9!&;>=dh}pD+{9Jbtgb9eLi&~6}#^NFo9FGV@
z`e;uB=6e6h)8#0JN<2Ek#BOC0@Nck?`VaX<r$A$87l>2s*-oX)MD`N41X;+xLm9T4
z__ZWwVG!+aimMS97B6e|zYOq8{0Ed$y@-@zMlW$oG=L28*M$5B0p(ofRWG#g5PPkW
zJ1yFv3sWP$u4v;S9D^zgOj0A=h?v_`NL;VMjEKtAv_^xlpQ(Tq)oB8yowS-l{+0m$
zY8ps8x0l6>e}h3r!1JCFTKEQ?{r>%sHvDBPlpTyODzI&)sRz^~&w7rpFgkI->FAnW
z0LHwu1|Wj*g}qH`8pzwNa2C>U4mu)d96W>LKQ06WStK=%h%YoG!fXzW_!*gqNULFQ
z8hWegUB*W%s{rnkdlwmqXM7t*#OIpsHmhc{*!Api+9cm=X#jD&2S$(^AIYy~X|Q&L
z#^|b0eEu*26>{1_{zLFU*2p2&@6I93jkpYF7cM~&Q|2C)2qFI-vBiM@AnW_{Ol~cR
zc54WSG=v!zaDOB#Rxwo9qPO6h;qU%LC_ei$$^h`<(~SBikWj<RRJ02R4P(qDB>6e5
zeoN<TX<EqN9$(nQ<OB<(TBUZqPP?`XGjPv<7%0men$aSdVWMxVJDIlqYvKHv$_y=J
z`dRqBC$QczZFt4<-++Imp+{$pnx?S$qTv?O14Zsg3GiT268xy00Z$#vg9I-F2mKAQ
z%XjbyTw~DFE(X%f@aITd7D|+?lKeNa9?5SH;&|7&|7_>FzRshlUasq6sYu;ZV9$#m
z(Pej=wFLqzrafuRmc<wszSYB)BX3{h^a_rCub}p!?8wAy?lo(BXhw15#5E6HR^sgC
zB#`WGc3)~_Z(+h=YdE_9LX4Hy%y_#v9;yy--*Gt7T0JRV+Ov=wKFWq-ymL=Gn4JNg
z_GU$3jU6|fjV;!?$7U_1N&fOJ6t`6&u5ygJ31ks0_UtGg{d&lMD)9vIx+j^OZzp;H
zL-LF0e6`cEPjWCWt50<w07>tMWb4aecZ=qbn77NW0!*g7Ej=-tmyh?LHO$Iwb}zM!
z?7GIOs|@C6@c>!n&H23wD=*J?>hyeFCAXG4bx<8|=IzTNNw(9hz)W71!Pi4EIgw*m
z;_m64wGoBxi#j(nx^a0SW)E%XydPDyxxm2em)V)P6F=JZK9v}ZUnuHb8S-$MK7~|<
zGI3OfcwV%~TN%nGvR`GW2k)Jl$euVVL%oO`SQ*0jS~Q?Clp8C`Gm*V<REGKxc}``h
zFOh>QLuc{atBLG~gSUE!999|1Bl6tJP=6kQHIV~wRE7rX99Iq&m26{CF?|VPx%X?l
zIMcK!IU0;7p8BhF?cMfEf$z<_l%RuTU9cU^msXv95EVzb=o6<-kyxEKl^LZs+pnbc
z4m*D(%4)uY`BwGKxiaa#OZ#yZy>94$0P-==fl=+V8VVA*vS1j662i`4?aWqn={8s;
zds%NbLI^Gzli0NTgs~UgRLp%O?Ca9~QtyoH0x@-JKQXUh%<6}6ARK@2_VAJ`+`sUP
zx4VDlP+!sQ=CmnS_VYy}I$<RLF)B~Mm^fi<*!kgH1KSVh+s{J#S!6$UWA_hNSznX=
z=&>~}(RJGWYb;%(sqO0xj*&*cFL$!nc!FcXj6g2HE@+&wyPi$EptQ(f^u<EswpcB4
zk-D?K$l|ofqO{0hH1WFG+f7^3xC*=dqvJ$5rc`=EUu(`|{PF^JiB2EyPI$rmharY1
ziEj@WvmV_A8nEd8YtfV3LG6jYy9^1Y$2<I>tdF^DI4YnslJ9AMc_;tr!Vl=6w@&Zy
zM3WE_|C2h*;1P=IhTQt1u6R8&QY)#_Z8;m-b|z-xHyZ_aCcgF2@m<EH`Pv7#GBFAR
zc-sCQpK<%&uo>CDKa=4odGHvBFz*9ww!<iJGq2czk9Dc>YC7t#T~Lx5wTUg5&UBqA
z1CagJZ0UJB@f^j`IPE=N@KFa~zw`jq!MT-*>vz(5>8>;OS@;9@Fvt{UXu0$nY+@}x
z>rsPEtk>p8uD~XC&g;|1U=u6&V!xx<#Qc4#Pt{Kx-ha@PY4sCF{`#q7U#p*(KmYpU
z%bgd*0#=g!p0{$pN%o5Wb<ay=f8fyl<H-Km!`J_c?2p~p?*_8Zp4Q`8vj6VY$Oy6z
zUDtY>o4u>O-gys0lE=IFYK&;vu61p~Sq#YQFiYiOG}B|wGFoLBTUskKa!LLotSO6Z
zu(6~mUY0att?FfdWk)j(nbC~3s*m}V5zRRIV!V>Jg{(XYZNB}m)A3fcareia7t9Uj
zFH(wuY1aUo#)e;awju`!r1^j}Uxq%DX}-eGQ6}RWjQ2W4Qo0*7RGAi#X@Trb*9}kQ
zT%er8l+3u!RkDR7TbRyn!atTuzfkE%D7|r=r@}_2YBE7S74bYpJa1~sPvv}GIX|JC
z#)b8+B!4!^W}9TAQe~J(On4>vRYX>$n>bt9&sTQi`cx{t@r_PZQl(TEDwT0vAn-0q
zB{e~xR?%}PdXA}gOe*Ib<-9~Wjq741dxm7sm}Hly$}o}sRHkQ?=`v+9u1iy?o>A_(
ziu?>k%r!-fO=U9SS1OZnVdpE!uOwNeNj5H3hKVdt<UAthr4do7Vy{wm<N9nWz43i6
zRmnW1GFCsOoM+8`^I{KT?t3sl82kKio$W)Vd^Gl8-;i@K<g6obq*kriyzZ0b4-E@j
zF}cq?NSuQjfZ%q-|JZ|PqvhTddvHk5d5uEeV9#95`aU7vkR?2Uu-r4~M=8k4q+zIW
zwT9wzE`8>be;<$PJ>=^!=Di~<147QOQ0_4-B}mDeLcUj}`te9(6++pqMNmz{S+b}g
z?i+i=U|bX9!#yDf6XO9Sf28)FArC63_F#O@=>G^_`Rx!(1n2dTQN@tGPYBhpgPv&3
zP+TGB7%?FpXU96>YYF*w1>(ccHTAWqE=lkvf6cnVI8;u<g!t?WHoRB;=bCkWl$Taf
zEqVRzAuU-+RI{$9NnEpTsL8#Vh+yvP6S?y-<Y2!#5%O&h=DvxWHO*P9UaX6yiR+?S
zxZVkP6650w$NcKGKPLmch3h|}3Tm2qQfEkb!|d8l8cbinf?|g(A=ETAO+!Pz9r#V$
zx}b0K#CZPL5Es|x?xW{qx2#!rR?vS!K{Xo&;|h8(=e|XH7Fvr~CDC{FN{2D_w%RX1
za{E}s``+^Jkj2m>tyxc>x-R+@R~<IY-1Xz*7o8V!R)&0ALcX=3+#R^-xU*PC*&=D$
zdm#*JsFyIuvG|&g^$ns^ZGrgQVF&sj_+p3^C5ByJn}NjN7Vx|lv_Ym;6IrvKT5%mA
zGL&0a6dyj2#bn3_TIf$LELnO{?QvT+)gBLFfOGai9a1tZ2w`e-c4AAuVEz-=`~ZR%
zihV4#*Z0Iu74q!S3-{_{baTW|AFhzILovD7kT+z~pS?rQt07-qz;}SA<A$uL^B4sS
zv2vl3RGvm@GZzN@`$EpvkdJET`!?S>{C6RU7La^NRVzb_XP5fDrip6bCB{~ZYl~3n
z*%k0%C(rkUaxn#Cgxmn}bXb?xwbn(oxb}z8x-p8L7tQ#0nsgfi7;c~WZ7=8?@_NfC
zF{oCU7ZqW>hKjoN>3SlB&G<!Q%t(a@w$OUqHS3`upl~VZWWd3CBDC~T*Lm8hdbS!B
zpL?F?w#WdhXz*cv-X|-ph{1H9X(2Ai2Ml_47`oXoK0f?B(?$^?ZFFgeHg=&RYJ`x~
z#wr<7$qP#W@ji^U8+y{Q7cZ~y=ZE}%4SCwqeR)DDYBtc9xQ>Q$>xtAx1_xWvMFT^=
zdQniW{I+J7e5kn#AxR@J2WnE+d0wF}&tLhyzTDln6BAO%IZp3~d?-Kmggm=VZwkjv
zeJGG(y7ekux*K%Tr5}Zm=rWg(o)Km(CDEm$OYd0z0FU<s{LtbqegmH58GBPiL>xp^
z6u;=B5YgKZQ3x}%+KE1%>B-P3_NSA7*ir7%6l}<}ED`XuNQVRsbs3>BD#8s74gY&I
zWHuTAp@^r_HnCoN4SwBo`?F>vgt!`f1AftMXhOfK;aR6$2pWp3L%wwolWh0747$|}
zWkx0}Pb9?<IT2!`2KCG{+ZI$@PeTNYK2>_)S=czbB8v6D1FP1rHdGL#arsWj)D8)~
z!*z{{$z9E~81k)Bl~6_Qn|Mh}eeY8yDji0G>U>{>gEGJt2Q2SXEn;5NKvU`o9(?a@
zN?jN9yd7|wi0wt}02@YZmPvPbLVVo$n4<hU*&Fe>nr}S&M$m_1cC&w{8sT9p1PaGK
zSTmi?%s_OXf{x}Mg?~8gQ#k578uYEsm5aee9hvBxs)8b2Ss|DX_DkP3&to(0MUe@V
zH5&%1#Jzy%-|uY3IJ*_-YBmgz56BexW-xvca|Jr_4MG2_48ovq&G`7-3!j|0d_Msm
z>`^E;`^apM{dTCnZxfiyuA5y!-vQrIC?yxm(Jr{Cz`8kq4#q6;rNRCrHP(C9IyE&L
zdey8M;Kx_9KTAcNl6~q}&4&IpYX%yB&Hmp0V<_m?Vdm^p_tP4$+1S9_!LOlpb1+EN
z0z}Zi5xao=NDO}a9qMm%UiEAZ=I(N~Va)a&2>N#CzO3CFYcrWlvLw@?j5WJLK+`r&
zUyD4A<ZxaMI@@a2^r~qbpt4@&IJ3S<K*DrqUHxrHvbVo6-WL%H#cre1j4-#zIp}K-
z#Ao+z`bFRTnnplFLOG6X)$FMu0XpBF7<2gy<#XIqle-OJ2<@?Nx349aZ57g;N-pwa
zUOJ8k(3(BX%yDxWv>pTHe7gq)Hr#Aoy+|XM!yLOOiv|uf+4mqO)im};lWe`<ux3wh
z+`;(pOo?*`QMUq5(AUmBmZAT~j&RwkQJ_|%ku|E>KC(AhU<u+SYEM&c2fgXkIt{)K
z-!>p_09u5pb?R41919Gz^XczOvY<FdnyYE-RnsuQLScoHJz4ldGFi3>N+6a67Wmip
z52B8js|`?%Mt7m77GRLbu%7%jT6(RsIp}K*I=ewCI&vBiz)a$_A`S}L-3GNLs6oig
z#bB_K{sG_y-*JpT24c5%i(hbuh7}+sN|>B2fIrWIOr%jO3$-TKHiK3GcCin@7W+(9
zdwSCXWGT!tH|IYuxLeWT#}^IW{+s7-NBCamqc7UAUbX<OX(*Z2BK))<TFHuuQId^A
zxecD90-0S;4ZcRfjO7iQP%08Y6S!Ux%xilo7mhty23(<z>Y?t1L=GGuKYQ%yn56@j
zb;0gzPc!m+&ux{*9zwWrSWhBMf$xBG(g!uJ2TUx4fS?fZaTz6y3$Sq=L0~iS$XrKI
ziz7h=Wtx+h<Y$?Ta%I}&xPZSM;Y;wZA7IPIiw8nhM1Z#qanXq9C4bbcS35?Tg5(3?
z)T@n&^GOMnuspat6XS5BzXfWT7@vFjjW=BVjE@DuCTNM?hen|ds12)wA&($i06Z&m
zu~#&+xIoDCyeceXS_aE0x!u?*Sfc``wqih71K5wDZ!be=0p}ev+?oa&gwLkSn@yJ!
zK}`(2*WDt3^Bv%%;3f|v#@`X2JMdd|{smCPY`WOrq4EVJ*?Ka(Y*IX+xK(j2GFmeu
z17iy&Z=ZHSh=v$>)RG!{b3DzSl~k?~*JMXrD_(?r>d%7jQyNIElD&EnC}ll}Sjif=
zreUB8I;{DCC69+z)<Ovj<I8$AoS*ePuwi!dRr}djB2sMZ38;W6EYuo&vfl&{TRbPp
z2Y~$B2y3tay6~yc-OAr;xq(5UYF`2p4FcyFkO-NrVWXL%zYEx#7O)e-F7~Vj%(?ZC
zeQ^coV~+)Fj68D*7GUc#;Zqou)ZdnI;qTC9jz(bX5NP6B9hPgINTII9f(O?-9lV7p
z@SZU=cp6};y3#_oPDN}4Z3{4Vc@FhytpmG$hA?{@Y^Peb3XvH`wb9N2jd01_<CdL<
zJZpii8%G5X1~kpjjcAMB$s)afPmtYrR9y|9n#=!XAHbMm=NZ6QB?@oN>M+AYC;rE;
zH-kF1N47B0b#hR;%K)~`9U?$hoy&A*7$;0rG-qL>NQ1c3fb&!X82yF-u}3q3<^cZB
z$9U;>r9xexRx_7w111pG5MR{uhP#-EpdG)kB`(?Qa!LBp0%X|Zhp<Lb?`i`QLjZ<I
z_YTlt;oA$NE8j#GUynf=c6kQA>BxqGK&H$tg&k&iwg8kEY<$judq$5w8%#C%IvmXV
zVlHqi6)Ngt%K&q@0@|hILq?IyM~B0)MS_|Z52pyML861<bqQeO@@-?%?G^AFM<NSH
z$b*ErKbXY;K*StKZ2(RP9!9Qp?T3wYgyQ3}wNw;$gQNKxV0l+n^nT&|?%d9W5BAZV
zi#p>~A;hvf_2e0O9ioQeb#IEztsB5dbu_0pnZarX0)}AEYV4obI2R&ZXn;05dzko?
zga)pLL=bV<X*c)6vA$vG*${o;amd*;LBrE!btb(5@ozFXjKWq#XVNfRd=`nxftVn6
zbLmQqn1)??FB2eg&z=xsF$*#J71D!Qklo1QxL9duEFo_gvU?u(_Wrjnnq=6Uu-(bw
z>_D)*4dI}kO;;(t<~d34GE|r-RG<~I4P;Az4E_cL@0g+5#B^rYjPEd=8PaP8rbYZ;
zAU@MD&{=K1{r%>f=&f&cFrI$_%uI45KshJI$7lNno;CI+F*xnIhj(jmx17%BQqrVh
zaj-kUgi=L>mdm*u?(|vA^s1zlpeMoPu!`fdv<dNMFD}iK8oMCJzgG*1=e4YnJATn9
zryb295+p$R*k3n$^vw_U{<`|RQf!aJY)gZocIS5lX=4_gj^T1f8Iqa>Ds)zpB0<p#
zG{!Um!wP!LhO0#YD^g?ZG6?z$WcG}L7*t-GY~R#m3qBDtnk?fR^-}L|J_LAGFh1$p
zs?8MIh2>eH@xug0&EAv+9h&;*Yp77f2gCvkCps7~PzjJtLZy%>2n`Y|T_iH0kftga
zUpV;UHMNfi5x-a^u?-x|?(nr3*^5e6%ZuRUH=m)1J5F6NmzDTxZMa~Oyg%q$57Utc
zfeR+2FKss8!TKIyYl1{Aio%1SWdaeiD03eOl_;}*pur>E>*-)+?w5cy8zx+u{|tK~
zF0Huefgc2%Z6Q`l;M6%T;ZVz)7At_7#fl_fyKF&lK`7o6%B@xOMx34lDD#YDC?9!|
z43$JOx=oA=<idjJ>&5}pY#hj1slK;LusPtAj8X|grJJn_25DVd;B00HjdD7G{~1;g
z44AoMk@G+Ci^PgwYH_hP;8~>|_G=}_&;o^6DIEQGC>IswD&c8c5N(Ka$cTr#T$WBc
zO%8UO4A8m@6hI^sT+qs~0}!l?Yi%#UGwE5-q?cwiU^WXQJ`AVE{_L;OCK_$FZG@nW
zz$ym1aM<VXK6e4jQY{0tGMkN{2t`X!?Bt%3s#dG-k<t@E-yUDPxO=P6YM2zLf*YnV
z%Tzi5Dll`ZFuTpAR-;~=3q*_1*9vBXU(^|E2dY)<0P?>wA%6A{!z*P*m<P9<5TA3-
z^w{TX5f0JB7~u>(fuMss*GnnT!F-ncw&utLsx<aG?e`sI@rE`Ad@>Q9r4*=BXqeWx
zEWT=`?-+nE&n|8Oc-#Q!(PrY=fLE!7KaDVu0h6<h2q7M~nYqwGvyp4)b2r=vD`rdD
z8g>P<Th*5^YJvuXT(g$%DX3Y~57qZ&!gG^a+rJ!&Uw)a747;UIlK8`J*|Ss#-%OLX
zX3b#O^Q#Q0H3L|6dsb?iY!EV?13)XyMKgQTj{<HLQ#aZT9gCT7H5o8O?Q%j>ummkZ
z?$E>!US|D`>X^U)+Kbe}8*Wb^A&ewkuX<`ix#(gb=SH|K0VpK_D8Pc8?zZ!h(h&$*
zHb_H_$f45E!8C$W0SQo+aF8y<O`U@tgqr>UI>*0No&FY>6sOs$i45sA5s1$jo8R*%
zTQC<bpyQkkpxbQJLVvhKJ#LoW3>FS}4W(OI+``ti6xhrz92O18+goyR*}g_oL|;2Q
z*)ByV@9?la8>qzCAcK8bP!EjBLpy4K=^5I>2uJ^ip=1ps+`5vC@b$rX-!W9q+K+=L
zXH|Tr-@CqqY-tM#fpb7w5TQs58WblPA0IcE-M7AmKyIUs<G_-9;HvQ~4m^qtF-c{j
z?G4Z~Oc;$Uo-h%?-I=HWeSpxpz;LPK9M4Is0vbs=(9;5}b16dV4B#}DsF%Uh!az-u
zp@WU-><pG<sFj#G7&^;*9UM0rJbm6b^9a#e8l1sR*IRbP+Lm>8vNr+rJwB`=$dh>4
z?<{keQ|+|-ngePJE;GnYD!Z_D_lz=c)S`zcmt{t{8jwe-W#U2@7PUc49;C{hfG>fQ
zA=QBHvO{`J4stM5s+rWY2iMH!<_wgM!Tf5Jryw2Wsb<gw6ErhM9~*)T?yoppz>RBD
zAeS>2So`D-de#Jd@3MP4lxw2UsG5wMNN(4=a+%4MSrzJfo~+=%rlEhxS!H#;DgCMO
zCD5M|4&L_n4sntXv3Z_aK)1P#SQPTCVgu+WbMCwHJXsB$ll~L%p><ktV;uoCy=bFC
zP_<eW)=;el)&+AnE22$KXxz8icPLjLw9X7(eKSoucMXJiHNeA)1!D_c$td2J1?Bq>
z2R&xCuSQfxWoPslSiY<aYL?5$2v&)Knth80g+U8&_4GBzmt9gaBYZx7*47fC3@L0O
zQbZvG9lG!Jnepr^B?9EGXP)BA2@T&XoM<qD04EzQ1%OptZ*c|=<%y0(?t?0nfp0Ir
z`63DMMIHYhazK_*0xFAWp~}K{goFK_LyjQm$w<Vy_vdBLU+$}8Eb4IGN~Q|*>9j&L
zhdv$GNfYy);0)!i#1Je=9{Z0Ei{iRauH588v#zwHLaPo^PRhgsU`CKPb|7SX(y?gb
z1QJONCPVDn2hK|AxxpjO1!Q9I$t#EhzEj4=$I&Mh*9Y6f&_DGZUSQ66`CjIrmnUfs
zzM2-<q@<H!P(v;k;FGcjde($;J55M3G%;4N{kSe!A6yd>9Zrdu(O7Rt*S{WJKh_Eo
zVx>|OHZZ&t5X{2NMX0_oi48z)6G6#xZ3tl%@f`)?ORxQH%XP?4GQC&&8PN1EOlEx_
zEoND0KyvHxV&rsP7X0-x>tWjDTr1i=fiKG*wl@`?2H#lwT=1Wf1w|!(5PW0*l(hmZ
zmm;3>gZ_}VI2b)-e-rq|Wx$^pA9t}OJE45+^^J3HLuk-`1I!Z5+`)t3AQ14d;xJ7R
z#n>jev_lVUAu^D=UaJw`I*eSL(aFVBq_v4mKf24untp`*xdwU)`ylj+mb{&U{}~|x
znAHs6SVxzb{v(ZxeXNL7q(m&XXt2&QANse8r*Wzwq|=d@WqikRnH|qk(L?swm(}TD
zA3Na|&N2izU*KT`ZI;`&kv4>2D!5a2Y(}rFNXG@=Y|PMPGYF+X(M}_@LvI++7=QwQ
zPmqNp^NcF$AM$L{bj9>z(`iLvT!+E`*~Vn0{mM;fL+2Fid*Z3m0GlH?1d46jUlZ~$
z0ZM)b^4-?F1?0O4mN1Px0nIy<&p8-?-xSI<ZUeb!j{1Rok9gNSY@Q|?cC<ZI=R&@l
zC9tCBNMEIcqCh^|+QRz>JqYTg7350C))Xz+D3n1ZXh^`pSJW?~{_U<`&1CkF@r=oi
z#<15r#Ij5CtP6V+!4`H+zaivcO?$xG81e!BDg(QcLo~onRcYAg8`#NaVV82PsaFan
zOpIvSEKGuao;@=T^sl7x4)oak-U08s3D()3`1}!P&uoZljG+TL>f7qa3iiGvTG+Qv
z{}2xQ-fE0^C>1uCrPpzU<)Cka0M3=0k!lQhGIPSZjR9{-(4$;n4htTo$XG`~29vT&
zY{f7+U%T`r8gp)8KlH#DCBoS96vV(=?cadReqK&y{cPu?Q}5#}P#?DIa~Kt$gfH_M
z$`LN-?O-k<J;FN7XiKi_ftvl;Fv6F^^yWL*tPvM*3Xl@^JNsnKTR(t8_M`LNkHUE%
zC9%l_N~lBtyV%($U2uOaJ1XF?e+OeJKKx3~2p&JRyvj1>1OAtF-t2%(i<k@1pAFS_
zvpIxD)!6d_SP$1Dj|Y7i8tZc9L_{~KG$SXeZlULZIjUL3Twqq;0*vhnc$mL6o~Rl>
zOke@3jH@xgf-NR2F|;-?*I&ojc7)=$e<nlVFXVvVxo!7Np3k}n*6VBZ*UC`Ha;=Y4
zo=5~k{d>@}VuUm>VqNHPwn$Xp$WEJFTu`7=2tesZmw7n11U~jK(J|Ql2f-e5@Ikhh
z#1{@a`rNVQEI$z(<}jx*RD`mFth_yD)KyDA(ikN57FizYMlHmT=$x-n$oJ%cyH(6@
zagOIU68;Lj!m|pq4AKE^fB`x_ndln$3|59c?7skt#sPrjS;^rX7o>P}(7~DCW);t}
zYhXaqh;bq=0u=6At%6~P&R>aS-NaN4Y8ykIliH+?ag(x9k^td0r7;U_V|VpzQIUd#
zk09X#BrK_X?=cV<b*LG?mj8~gk=eZ!0)GQF9Oms!K_u38&p{Gw4?0taJ5%~PGxNB`
z481PI8g!-)aVF;kox+jk@I{dO%sTHV(>osjADp-N4ljcIAD_42hRD;-TU`3*Zs#pX
z(EYr{0OEDtf{3>hhq)2{|MBw{m$FMgb>5=<f6{pi4r7d{44utkjPoi(gJMO)&0&ne
zI4VQu5c!G9&=4X&UKtu1D;jAc&&5$08WxLak26<|eT-!1SB8d@>{FGYkHw1eO|tWF
zRE9>JcA#Sj`^t5o!|b<Co#)UUi-{F~_|WqldWECg&Tt*1@K;x?sqcQA!&~v6+P%%$
z0kiFzLmg({HD?IS#%oS=n4Q<0I51nUgZXyvHBX9|&DX(vv-_H3B0M^+#&H~^>#>iY
zY9qQm_VEKwfN<>NV<u7R*oUA>A7yZlecZsVbAhijELDQc>?a2@v!NWw%#Ly(Gh51a
z?n8UZfy`_w2Qss(9LTh-JoyzJeEHGyAj;s6b5*Zs2Yu=Y$=EJP3g&Y?uRTKYs69e5
zt;-RTrJYAeUgNODw7-2uBDTP^GxogwEU}+z`)RNrT~-x#VlDR5%BS>Vj*xKsX6GjR
z3EstL_X>{5Gv8v)j|9g|Hs?qt6|9`GyJBy*!w%l4UhLz@gTYvlMOcx=SCK_mk;PV#
zMOKl;Rgv9+|2uWyi-r8?6vS?wf`Ds}O83tPj+*Gqi8*T`#}M*y=tM8WL$G7%JpeI8
zRb*+Z$dXi%rKloHP(_xWiYz%58EQ)Ea<&q^F0wmu5mXa7;o;Oum%f<9dxGiiP+tTh
zf92-I?q^ntBP-eYoI2K{BQ2cl`RBSNdACN}4Lm%p_m#V!S9wXtG&=iBuf1}5&ph^P
zuAd$gjQv`8J)O?Du+>|!UdYld%5Mh#G7@*<TOhq#m;SRj<V=hxFx8tu=Q#n9I16aa
zvk;sK*_k-S9i3(x*_n7($3y<n-Y&b3p6>caaACSN!&TeQDfIN#{8OZv{Io`K^THFS
zVzbnaZf8z-#DOy*|J<pQaD2uz#}sKWmE3z&*U|-bp5>oAhtl@n-OtyVgPf<G-(lOD
zj_`=bo#6;i2krA$CvMWoqwYs|CIg&%gy-px%1m{H$1+oUglG2ex*p--epy7bf}^|%
z3NYTq=R`No99|Ni$dS^z2gdQ^eR4nGaH*k*`_3CqbELI(Ty^Ou<Y*t)%2STS%hNHA
zrwacIkL9yG<sI2QBCwRp9y3_;m&CJssmuh=X?RM<dKXXhI5m-7)#b;^%QopHkG6Ac
zKJQ|VQPp=wzEHEfXQcHSPi;v-ecA3n<QUg+e+^=Y9DnSg-gvq0@fN&~A3w!0BomUw
zTMagZi+H_HK8Txi+1w9~E2+G?cQCM2=anM6dnNBAB(mEZSgJF5$;tS1e<yE`7&=Hj
z+id5H*uB%ku?J^{3-*<MDm?mdxL^<Ox^aQ_p2QsR8ur{fv)H)^WjOgIW-@=>c8BqW
z>lK!vpzid+c`nXh8cv}nNqEEX)=}XY#~1tNg$t4oj0$J*Oo>Ak^$EYKh!u?qdw4mO
z*F<bBE}VKcDeK{p;nB5;+*G>QO&poaQ(9fTZsiAie$2GSK7C`JLizl(#3z13={#W_
zjy*gr(Gw5Xk<MW@<XkXMDl2!nT5wZ1c0B;K^YEF?4`4G@VL^+1eEBxh!t^1rCDn*_
zD?9n4J92vp`1(xsLHG1LAZ`)n4b{`8<bA(2B2KzI;!B4iZln^`@w{Df7KvQ=R;Xa&
z!`{%z<RvyU81I(9Px42<PRRqOpFdXloKL3xX*yPirSoe%AGVkDcXrz~;aFyPbO(=G
zXC!WefWppd9i81<T2LJ0Wu*%T@)%P5kwF=W`xgkwiQ+8qd|_5G=q`?BlOQV`58`%k
zI~Urf3Gt8+$L_k<&-}uB^4uS5DHHPH24g@u6ps1B1zXBSwp}OsHZ;TK%tsT~0uU_n
z61`ks9ODJ3*j3>e^^ZO%kPDh0-IUl0SjB`DUkCu6ESIuWdEm~K777!FPqn_ACR&;u
zyC&6g-Rr3rbuQvU`Qj|o?qY`z^@0Lk1Dzb^?(?wIS-u$`SRWV_sq>N+wVj8+xkUe(
z@KslrUT+X}m8Y~{3O#vdgoR^eJe%8II#|sb4O!MEeq&lgOB6*=7KoNFOXS^FZTnR{
zc9o~>j{+WB5qBBWcR$x5Wm<3r#e}nf6;n@+U^j4gZ&d$uoBGovbK$hV+OU^y{lz8Z
z?%?LFf~a0PKeE#EVk=bYt!Reh=usnY#SZJ@BG>u2oR`hJNk?k+Y?8O4hQvo|Nu~RP
zc^8(0y*O566f(n3f{=k2f(ttl$(r8ijg)|=TI0ZpH0TpASK<{Jgb}oapv2j!jFC#b
z-l%y7%!xdMha~g#>EWiY!m}cy2bp&Mms^{iE~3`}2dPKe&k%ijC?R2a0<n;siQlF(
zjU~(*?QK(s^@&s$t|(`UAVVSk#G~o7Q%u?&g2RbSQ`#O%Xo@6cs!~r*r=D(7tNp~4
zE43+E4kt2GY4g)*t4!LcO*>CXdMJmvQkK-uDD{zFr5d^bZ|Ro^Ut&^b=od`$Q9wp=
z3%?p~yf2ab1_M9~2>Yg$dMf$_g4+Iyp26}x;<DA1(a$LS6@_Q17(FkQ`5bk|UQ&02
z>rE%&lCxT0{&1>=`V*Jxk!b#<$&o_|#HpL~hf}?%Kb$H~e>TU@Y>u%uhx*9G)tfGK
zokKc9Rk8^+)qTZgo?<f>rsC=&;ZCPY?#ywC&7s}_l&Pt>defmMS$#ysb>=wn3)3X^
z5jke2;_6MOx;a!_XO6Wthx$n^PsP<o=5;z%TxX7-C<nMq1%hnXN$1r^RFX+-IB;s-
zv;CC3jefK8p*i&&*^{j<O<v0~*X1kmhdsOn@W-8IU`Nj<!lbwFl|}ZL=gN|K1TU?+
zGnDb7?iN^H#~it06F-ShgRyS>!#q_6`Y#Gc9-ER;b}Lg`X+hYT!SZv)%&=!mxPIc4
z$<xL|L61!(Xu2lsl}jh9=#SBmE=6yo**0QCI^uxpT$+wJFCFokBIXHEk`JigXX`If
z{THj!k>5yHI?Yx(MwO097h&3Shsrh)QukPBj;icnI>MihFqK|NM3?zCRX;bBsQp3J
z|0x<eCG6Zf)z+J*ddH_rG4;MVk9ti+FddOpy-n$eqI86*_fJIV-W0dJgJQFq=^Au3
z`OXV+*}B^ApspLzIZa*PQIRI%#&pE{s%t6{-TD7Wc(eGwXwO@bfT3Cbf5f`r|I2Wl
z#{X5F;s3&|;s590aQVNw$mRb<W4+ODk(~u`nEyP!W!Zjaxd|&wj7%jin&OQPqzo;c
z`9D3}!%Z{Qvh1S(Zb~&w#T$KF?RRGd!&rM7zt~J-Z91)(lQ;U3O>5>IcNXeVZqsYx
zu@(F%ok^(mMxV5qTJ=!{E}Lz^pZI1vZ31uUodD9IbUoZe?Rd-pPJV?Zi4X5GgH#;e
zTw&6cAJ>WRzV<<W{HqW0;|G2U5@HWe3D*}DswBQ)_dC{n4O1*Jsa~qG38uOUrn%oK
z=4%pu!X^}w#HSR&AI^EkVVo*Of0kJvm@5EYYF0qE2|>8kAEDL8VVo*ie>U?Xn^`C$
zS&NA=&el$+O4gsv@q}{JN7`+ea&@>)!xmMN{xlBEV#4Cr<%_SJnJ-?7K-HZu{@(IM
zFA-<piyh*N%^G8O(wCN9^t+XzGzjdO^r`X53+<2PWt80}e(*W?QQq^G2@ZibjD$C^
z^0|JDyXvw-w@SsX?q2M2+Pu_6XnkhuyIA%8DjiXmju@<n*+g_*52WA`e*~U1f6SX|
z`J;u$Fy-k2;MH_-rd^*?JtpF{bcErL`RRyl=?DWr9|J&oJ(8+l{E_<8{4oz4NO7#m
zK=rnzOELAXewKPo#NKp-;g1W`5$~iUOuauOq6>fY#wN~$Ir=mUnOerEmgDI>rj{?O
zFca}!I^r|J;shdGx?phhK`(v8`*gK4@sX92m*%OUUhuIl-9NZn`a$t8oLoYJjL7jE
z@Ax`rRyl5Rw%<<9f!%X%|IgF<i~9O6VM%m~DvQZ0GA3`c@{Z`9cOH2)Hu|ODn^kEO
zKd;0Wc2E2uiG?51_i|pCZ4*{0;g#JJUMq+?`>*1ZRtVncATSi`6-i`AI{MEz=T!dc
zRuF}LhHKmH_}u->iBrrSD1cs^OzGZ=U+`<E552vCi|OMpxVlXrWmhnDlnrItDC>J0
z@TKG#_~dQ4b;VOBe=L2y?QM4*-A!ICt!~@uhIhhqBk;f<^MKA<aVH4v3S9Iq0?axT
zWsc;b>+QJzf(Z`7m(BaFt~_L5j|PdWvh}9qDnCI>rwfUCe$x^}SOnDLCoVteKEKW<
zRXDantk5Fuzkh6asQL|twuF!Va8?_KaVoX`Y>tO*jv;hM_^Ovi>ht$x>(UFl^k;k`
z%iM^vCq}{)Vc=bgDr?0rsoK`%wRMfPmE`d;aC|gzeB+Ny)27(Wg`Jr{R2-jYb4<56
zrgr9-*6CDn1_<c5N8)~)qsr!(nTq=x;`lh__<M4A+a(NsJAZ^@GuwGbs68B;#zOpu
zOH`Ao`VcBkR4BYJ0ytnzVtF`bmtm*^>usuaq!QhoQJg1KxlD5yHLbYIZWbMu-64uA
z`)0S1()E2}#!T1ei5WfSb>j5gSBN;YKQWogjeUtB)G73rKKB9IF8xtAvTmETbh>2L
ztw3gJ+Q^Z9P=|d11re_T=@BtrR1PeehQnL2nqM=5DqgWJ#`;fiv9H;EW4T(&g0ks>
zBh{H@HwGfDp0Z$lrdl7aA3v6lm67li%ELG8e#K1WpW=R}>gzm^19xDY!YA5Z=*A~h
zcIo`Kw=Dne<P)m7^vSj@UBd(LGqXUtIW_L}grS~ue*PZQoTx^)_=Lq7>FomPT!O!_
zw2+a1_lwVFS|nYkf!`OLcbk7*d>sL3@U`5cYdJoPF5S<j&bD;q95C1_JW^+{^-Ua^
zWhIffJZ0C^>s_UP4q4)(!qc*Dc%szO-=2Y=s?O5c-SHIJXVG*!&35NSi>JcHE}q7A
z!&79RMbpO(nlcQUe%BREZ~oBbkAbf5%^)m<A+R9(cl*j@H<A|9WNdsX#~3+~$E8E6
z;G(_5=y{8sb>8UZ8h(1%@IvF*>x~}7u_A}$iH12Es@26#oi{oFETTyaI6Y&b?0_>N
zo69ND`4DQ~?3ruRh5=!uH!3x-oMTebJfNTo<%dAt_*D$9A#K;E_(kGjTE=sqXuP~p
z^BR>NL;MfGko9Uz_$o4cqj#%Zy-pTcnO9u!dYGNoJj#q*I4#E;EijYBg<>wzdvTY<
z?#iJ=Z*+zt7}rxURr5u&oOt~$qdfhJ_EZE2=Bwa38+@%&?@{X5!#TyyDsbzq_!4~r
zHcCJ3-`jR^m1%wx6T#Bz+Zgg|slrn80yse8YVz9t_U{e(-{1kz(tvcfN2*lj&G{qs
zWaOB(E4$7wx56vG46md~7z^5Up=M6l*_x<T9$s3V)R{3{u(fQxWt8)YrIA&oIcmy}
z@G<kFp+-*J4~F|DA_RfKzVNuPRr#8mKxHPJMpWBxESw?#k>qG2?5Fs5=R>D@pmuxG
zJY;6Zwds*$DXIOZ{2OVXe{b>|U`Ouiz>#`SiF3*wur60a$*DJ1?SOq2SN8$il|`Fj
z)a40z4L7|YuQn9dPc$r#Zy|+b@HO0yui<ul4Yvz86G!5nsx+E;GA21Qawa(w^NJCk
z1NFTa1zPWP#YYL{k4#=eD_oZDj$Az$=JI`aY+gx-o}Dd@KjvW=CqIVY62WU}BDh&B
ztpN1ei0$c!Zz^JBI$}*a!Z5*JM5N@gf9ZUYtp@+koiEB6Vt2pTJFCllvHknq=Zo(0
zVnBRCFIgV;Mu!_-bTsiLa=4>^=Wa{PqDc+)Q;L$d1xEKAVXnk$=bT>>VCS3#*2SE&
z7}q~6WYiZK;!Wut3}JRrKDhIBkvm@(O{ET?doZUytA|{y#=5M}<#nxp<w}Sw9!5p^
z$9s&W^X{r{vPyCSG}?9kPRZe#eU?rZ0~^kmu;{(wK1lR?ajhd2F)STnNc3w&XkOR;
zx~|(HhKNT-zX3fnn{bz<HySi<-eZ2ZnA@<p-^bbDjcT3F9j}RXv(r5H#$C2EeoT~j
z*aOsHW}Q{uXoN7Br#Jc&6L~c8w8?i=y!u=>pEQKxt)EThqZ2PCOfM8yehWwOT^Lcs
z^)=<>BzCvj`pzOM5LxXpmc>bT?d87YVsGd~Vxuj`8+`|~mavZ#E{w^NR|fYao+J+9
zDCQ+<XJ=7e_Na^(Es;nkYl-A4>w-x1M)f~TB(R|zh@u;%d?=APMI%W+nfR%|3Ks5S
z7I=_%w2Ou~MHdk@CFndnsy+)fU50~!Il>#b0A+00vH|h}accgB|1*u)S!D9RYfd>L
z&(TB?9%W2DaBlCB<_0g#YTk-_m<2R<eBaC+g>>%zL_1k{!Z;b}GM{wPr+IepwDq9-
z6d`hHce?!(B`h5yGW=|s49mqrU#AKiQIL)>^tp-%L!V!OAkzfujqae`mLu>Edq4-y
zkTcF#AZ@%xZM1^HsvVX(j)5k%<qbs{MXWdaCSgXPkbO*~+KWh6a+vMr(`CYnT4?h@
zDc<Nj!YoU1XGPU(spT`)1+~0KqVBVzeIHcwp||3v#4;0lD>OTwP9GnUliW*x7UcyU
z-THX%@cJxSI#LqBO34fm`u@aCl_yTwQ0DSG)AYd<@3Blo5LkU|DFG?^>7s7{%;*=1
zI!zyI8WPp)*|w4U#WAWTy3j}WS@#ezmS4GaqlvcB2HN`lywO~rY2@WwPbQZVwKPL?
za$k3H_%p4s`o(|UdLoDB|5KCc|Lyfe^_Mh_KGk&^eR`IQpTIvdUcBUT$IG18x{sGd
ziu$nevh~UIc)8upml`jR*nIylkC$Bf{e$D>6BYkc$4fcn@Zxjb$4dpR`B#sZ-v3j_
zOQ9JrbzR5H*P||e*eY}4CRa)CjaI_OrR2?ubo87t3MKFKDSCRI`K(i~di)7SM(lgi
ztD=E>2Vdcl)u?^<yCTFv&}1itjP#^17}q~6LZk%6atiEH|9899f1mXkv902Mm~v7-
zUDl&%{q%T~@{YXlRd)>G4Q9$T`d_x?n1+19L_h2*vj@q?;yhe%$B?qul6slg@^Kdr
z-il0u(5EC%8Rm~zi;69jk?}`YA7b7)PV0@j>5<(@!SerZinnA7g&~n8=V>0u6J2lV
zPS^hpT;1&N-Pa2jNmh+LHr6(2^5g2Mzh@!5z@+*J7DA6rSgqc;>ZJyK{+^+*bYwU_
zaT@w&WlFFr1fG}Vb_+22=I7-%eem;g0sK!|6u+v>f6tWI_UY8Rw7XunBMrka6(hZ_
z)=L1BFdu8u?bPcYe#}7n40KJM?WEBkP8Fm-oXV*`+qRYDaMxqcldJ3|jghk3`OPl-
z#y>qajBGcJqLVj3k10K`F=Cd^?<Rw)qS7CCBe%B7rO(TlrPYaDGxd{9S_}ptc1xf3
z{1H3)%#QI+{TyeOcs2ZQD(S9=bh|0(Dz2v@DV!=EBWgtk;(X#F5tVdv_1@?nVN+VK
zD{)xW-B~s|?9_yv?0j$Z0%B0#Ii6T3+X-0Zo%H5bdAHN_UA5LnDDO@R_c;Hq^6py3
zaYFrrP;B&eb*9(Optn;4K2&e#GlS3S?e4>!*4xcg1S09YM`^1S&p-K!#EsHBC1N`S
zyV7?*8$3~|FEu3gLA~7t=<O~{_m9ze>cNEMLVmEvx#wrhCIh3iLy47`@I7jdjLXj`
zy(AnPm!G%-e_Ouge<}OM6jx_wM&cl4Kv_3g3cit6bqV#qY-#!EBL-J?m9+<t)z$Hu
z!+v@x(LzX!9gW>JQ!f8RU$=z#w*NBvwzi*38<?lZiH5KRHGgE{sx4L!3yGdt`i)7(
zXqc;#t3xGs)LneE(n)rnS!G=;J{I8WzWDekD!JnLEYad5=jutkdo+pXR*Ic3j4IZ7
z4VqD0Kf$bG`4&<<%DM?*_iL4PJkbK2IfPGf!>8(ta(N8lefeH)RyN5t8e;Wxm(sZI
zD+Osby6fjIAS6)N6aCzyMn9K_e`)&{8Lz{$Q{(kXjn|)mP8%^M9bpuA<>?52I>IRK
z?ny_SmyR&{-s_0a^wK$h25zRy%_QTE-X-eS?%X2g#ro2(V;ft*XqXq9Hm@W$_4%-K
zlPeT#{q6}4#blOV5IK=m`bmz*l#X25EXd2!)eZhuko}quOA09$wzOz}PNU&j@^)5I
z_N=A23KRP95SENNO3pXWe&Hl|4be_DiS8X4zUp3d?Eg);?9<<KW5=7=@3|BF<?=;V
z(~x^dm2G2|9BIoKPIwo!Sy{la>01n&F8oK?w505nTKORy{PCW)McujYAG-19wz-U+
z<P3GPLDkpOs4|_r2)N96rKJ~F9C`Ho@Lfm3F>g4Y{ZP23wFkSGJ>h~|F-eqo<}EQO
z@fOvvf0=U*lb1d(+{e2Yc$X>A;HG~#)+<~vG4Dm2FIY>KDrK45J<Axfr1WLx<uByM
znV`)ZZ5L(89<$jSJz?DFEV=$-9oJraqcatPdSc#pz`4{{I}@K=Z%293MD0w3DB4T|
zD7`ilW|Ur&aTMQ$bp)l?j>N%rHjDP>o=M-eJ5>Y<k+(z>&Ni#?N<5>OIBX_R7yOvE
zTrKTu;<pxy_Y_}sbAArCNu3p=XtW;iq7v?28>x3GM(H+)G2W;iP!c-=!(W<OOhjJs
zg~Qnm&jxesKVfG)yn<OLT=QNJJTNq4BpN?N4s1l@4G$fQgVPhi{6ZXK<Ot&!E5~FU
zg>p>65td^rj>&Q$KaHOPGoAU3mB0J#Z-1Lwx*4Sx&>l@pn_)OGDZ0g#19HZaLHxY*
z6nrB2IP9lNGs}>fR<9)~vlzVO=vXe=wzm_@o6WS;+aShBy_C-s+BcC+9VO&_{~>FJ
zX{%Z~T_p17?j&*+McatQ=?J6fde^|1ycPQH&R-;0xNDGUhL((NOgeAq2XZp@JQ{fy
z1-QhMSZgUk>kAQ64wag<`bw+pTv14y6B}(PW-o74=h&E|Vz(gu-;(2Y|J!tWF($l1
zrc7pNin=`?)za65im$2n=~!J62rv1wqGNsY!}0NSODHdVVTk0t?f!e`TKc{O%Bbn+
z@r`PAQP{Z_3Mdg>Tnh!1sIY6HfD#!FuZ03iL=)FS0VVm+#I;aBiD=?lD4;|%aV->3
zBAU1s3MdgxTsx(0uzKi`GM5j~?&-LtuUa+D_Pg{lw!eR+{$5Y_hU2$zbf7Fx-M-6=
zxzeRVL-JxVn#t<HJ?V}zjOO!na995Sf&RH)Snuqg%S<O6O{@eMw|~NowtsTm{+ULR
zss4EvOs**BCvmAdRFWV4vxR^U>7Qu6Qqx6Z^nas^#Jv8mchN9)(W?)3k)K7M4FsII
zpI%ZwY0qcZekw4Gu5^*<C%ucebd37xoF3g~{pU(W2pL`H=k1^XUH12XDO8y0!P#sk
zh!_)tnItY}k~rvn;&Bp`#HY@?HlFQ^j72T$DCgcsZwlXan1d$FC~x%$dk%yP8Xtfn
zCo`c=9#T3e9KSX@?1V=;7Z`EIOm0=o{|Ii=S?A5nOFY(O*vFeCPAjKcl(VgIX@-Cw
zp9a3_%ZMy*fe{;VbvhzP5$n<sh3SaNiddA67?+MP^!h9jUFr4a)QVWLh&MVK8Wc`+
zOc0!u#CoN0GQ;4cm<!K1mgIdxEJ8T>d^~$(WNenVLNv)@<okNMEqoV<9Cu^5=ItIO
zp89aXN$(RCieB^RwD4Uor=p5I9XdmJOE?BTu9`li^yA_97jnYR<dM$B24&85Y@=9Z
z4+f>yp<VE&6;<LY!`vA3eM?_S;c@!Nwm&beMiukoSJRDuW-3_u*#qFwL`+RbOi@Hd
zI^y<pM6>XCUpnH>bi@$lxG5d+rF4Wr@MnqWCJ#bc@xBj%=GZK=>5210F*ukx+rTti
z`ED$ebKsn#bTUiFL^?7{`xsKO@_)>ndmx_e+H{RGK06f|1)*TNW>=4r_}9Gi0*Kzq
ze08KFt895O_A6#;CglhJX!KD!JH@&E$m*PgO!l#|_chY)#93TGsu?@m{@tYO%;=4j
znS^e>?1Z-V*u;C1+7w~ZYoVKxZD8w9JtH2beI<tkT<it4*uU{5e)07T7fgV)*3SsE
z&2aluV()Ddd%sW|o5KSGB#UR?#_@2E8G*6ShCLnOtH$R&IH5Q;JKvP<Ag3IPF)Pf>
zDTz%(z{tKa7JNL1-K&30?5#J)%gYv|*5jIkTL^5MXYrX>i>EjiHB}YImf0ff3tcI>
z(3O&fTF#FtZGF_FQ9uB<dO?2*7r6R^NU_nH!+q>lRA}PeLpEzFN!x3-e)R34hwO&}
z%;L2r@rx?n1(k56n%zBa@$Yp{mrVzg1{bkhI=BBk9r4ckv05LDJ&+x$I8t_fF!s$H
zNqrS@08r=GkIxY}(11631Q&E*g?cE9Gq!{*&HD;N!iQ`5E=YKVSyROR&G5w)YIx$h
zI#{c##eYJp@cLSyW1gz#Zb9V0ZDcdYL=%g?E%^qherTbxz(gM;HR;Y0QXB~k_Mug#
zBL)dUSXC3>xIv4()gWy;7iL<#VR5qfktCI~LVSMdU~&}eF#VQ8|CK5+;QeuRq4x)M
z{%Xp`P&KxlqNSkM*;bXVeKdKJL;^^HNDpM+iFbJ75Q|SV2#zIi(fmV~GauM-k@z}u
ziZ&kI1N^Zv*!IrEjc$;(x@p{)(e%Iu1Bt&HIZrZhcD}US$uZ#6!as>>b5=-xH1L-=
zb%*{7Oqg7S-Z>U<11Wh~L}wIw7au7BLdM0;Vlwjudbx%mSdZdA=Pzjm!m^q)633Xt
zr)Z4u2O5Px&}fc!(jJRH$ul1ve=-REUHtv&dg0F-4S|*}IQ*nLj$J%{43(u)jUW|B
z%eF|{eLB)K+U!LIA^+aQ6jOA-`?R5nt__mCaBp&>Ib2}*U3!49t{WelRR!W1_&1!H
z=7`Kl9KX(Vyq8_S_!YE7KSJMaE0<2!kSM}$hlEk+&Ad-Sxgvt;h=bz!UnasV_dEG}
zS9nTePZ@aDl->~g@f<2K6|tYIx2;U;(K7=oaXN8>1@x8ri1MajG-UwjWWjTL8lFRf
zXT!Y!Y9ek+N0=5YCc@=6UF1=__AH}hE021klW|+1!_J?@aKyQnQdXGLwb~0_(BX}0
zKSS(k)3S};s8Q*St`FCo>cRA$nHUC#Ff5}&jG*+Z;TT#Cb3z)X;olpsIZnFWnTaAm
zDsd92fh^X*bH|3X_cIi%w942abfl=A1wj$xmtnvWc~O7DKgsm<rzM+La1(_Q5#1$R
z+FqS_%}`+Jwqyb0_U<aft(4<I?#4)a9^zUKn8BaB0~9N|JPi**eg?JXBwi{p<n!+;
z!%MBEKiVo%^NWHzT%y+=`L?Y~$Ec?sN_U763O@NwddftUr6WvF^-V{JzAX`&zCH8}
z!<WOcA6FBBh|tl~8~r}chrSl+=v8`tq$5}KRQ3>4MFYWLWAw}6$B%8m?S1N}{2tQ!
z<_xiqz7_fIv>cfdW~u+fS+mC4&s08b11#M{I(n21BZZ0jT)7JUQ8gC_P^LUohl}A6
z`|(V2aiC&j*;8jMkm9GS`0iz7077qX^gCe8oY+sFpD@w{$`5A8!#6pvB<4<I)#FJN
zJBe_?>atHKe<4U{cl?It^5eM=`OA-exiq)@*r&Y}zau8Fl&Uf&c^XOzs!MMUco*jc
zoHc>SuAPBMG7u;~HgraPbd62)omaVP@DG`h-L2)vt4o{Y$%^c5FF)Q|x+1cxBjjIG
zeyly<ol{d>vn$h<SoXirkBtVFh52KsC*aJ@FXUV7MDvBFC8}H8Yh}f2OP&xBRDYFa
zuQym5fWXCMi$zg(Lygk368++kyFNUP)+_9{>b!v_@(v^B5zTT(6HnZOQaPUAQ!0;~
zNd<3tqbsQ*9D63grzEyOmX%4P-^G4VTF}X_O4!*d4R?^-B?Yah?;ji>LBwGaI+ghT
z-MS~D^s_SMkrDm13NLY<pF-P8oOz-Ucp0}>*~<h>lToa6mTy#%=mm;B`-(@u6Lww-
zlO?f*a!Z^)sT7P`qB@ha#Ch)Y5-F@cL%0eflg$H(U8`flr>^e$kef^5`GXC$#Ab~&
z<-eyxp4`0=X06o&C10WU$qGfpCu4QJDO{H^G7{0|KrTgjv+Q%pZB*6?zjtvcBU(KZ
zeFBFr*(DZ^hspK%uy^sKQ<XVx#^Qo^yiv1iG^whorKoVmDoG6&4e)3}T5{VR0DJq&
zDyP;`m^Z3(5Aun`yix6cFqf>9i4Ur(>=c0B#kag)DfXuZ7?24$@qv(&9|$>Bnb!rt
ziZ3&`syfe})JO7ZwEhh44WUZkYbwv|Qq>s?HoJffKQZaK;Nl+zEx7`jAknwK@Z*hc
zmw-UsNl9K^*Q4(K!gQ~O?R5(kYfAgs4p#1`nK0=+Z}jUl$?zfdTRi-8hPe01Aq2)J
z*OVV0?tQYaac?U>KFIrI2JUg6^F}o?#^s}h)%Q_vR0BpmbE5qC9p0$u!M`zD?XCQo
zYKh-B$iv0QNiF%+{`h#hq$pgM`AKHFu#0a(4GnmoyoEfeG`iwi=f8RnT@%@LEFSb+
zS&91d44L|nDG+%J?eut0p!_81RRwv*$4mTIR`yQQ>)z7)c^sIf9HodlL*B(F({<09
zN{5RE7kDj>e@c6mGC7fm)cQI0AY^qN(0;z~p&Oy}yIl(Sa7wR`-t$a!#L#q?J%Kw7
zO))xE|0uV9ZH~0#={x_K8V9BKcaDK7P-@4(f4D&WOU6L5&@@-`soMV$>AR1~luG~4
z(6_Ge>&kW>Iwv(qI$2I~0<uD)S3kof`U`>G_E!qpHadT2;tjT`!iiru{ntt+1#Yl`
z4JMG&MW@nO{dfwirN-4!e!SgVaSZ^yD8VXu1!-TTH!_kJ$pyJ(BtMRe_vmlcb<1q&
z)y3;Ka~-c?r5be3QEhWc4ExH7Q=y7eCGpZ884ST6ipN$U2mXm~Nx|W=amgg5Av9Qg
z!>Tg4bZSb9LQ#Ts^3N0@7Z>dFM*m1Q(>sPs-{kVocNnnZpC3StOTX@gRn$-R^rcnO
zJw<k_)n#-4m86trr~AAWx=HHps+i%TT)$@UQ0=XFma2JKzy#MvMhVIMooQ$oKJ}65
z@nt&i|BT;0MG4rmq$GH{+SS-}!}u8qbd;zVTDz-{Wg-vCFS6uz6Xd;=wh%S_&8Xl}
zGmY^s&Kx(=8{J5=$DQSkHtLIPSF3NWH~L$BcYCAX1T|95kL`k`f}}V4U4=)I9xHcx
z7eg+M;dt>Wr!MkVbz%9*^3pbnt9XuL!UY&Ov|p-oz79wBc)W{yI}MT6>T%_z?d8X)
zS~76?F<{Zggz{qmA$hI**lxq6ywTYNr}&|fW;*XHD*vvh!dsy=e+r&RIjPyU>R-d&
zQ=?C)3o?^Ns>f7fyI;l$cV?uDkCUVAk9SuI1G>O$T<!80;$2m${biFVxx8$mck%el
zaSOcWJk7Y@lwFw|MPfyHE541(yZFY;^5Y9i^U9C^#%pG97fy>bQP=WiNJVLQb|yY+
zA$YnPnj4b3+bhEsIa@?Tjgjgp<2>G3-@}`foxBr&2FkYQ)8kj|FZ)IE2c(qKBCKMI
zGD=vl>eNx?#D1&^HTIOm3OGXX@8z}gw8X1|)!w+)E0*G|jO2Y%cEMOg9bnW_ZyE<0
zD|N5YSjFTp=WRXpMoh!c04rGi*vH#$L|*BX;$kKm)o8(L$2cFo)YO&YC!0jZb5V-H
zM^UIj!nJo-l`Za+BECw4?7RlJ8CE`$%M4!A@;g?#B^oiTF5|53-rmU@)n{hEA9al}
zb$Kg>6PV&(sr6F#jAtc>nv8{#@3~SO5r2zrB0FJ>dxz}?!`RQQB>!v4D<uVgE$iDB
zsIrpzUrVnH$1c;_bMEbu*vk^IXtoKFu(&>yvm6Qu)Q7Ab-DQ$C^Yi{h;*Yu}lEV}$
z6R+cB-wMls(mPnimrf~;J+11BuX<Y2QR%mlE;v0^p|G%Xu0cxJ`DRX6{wA3`y?#@K
zNtIe65Nqu4+`bJ&LT@6hN`bvl-_xhS;<%}~IR0k?NBl2BLgJP`nFae&7rf-xQ+P+K
z{(_bmnz1;#Fq!qTmKTXP(7)0igfzSAAdWS`52q5xHUc{9hlkC;eOilJ?zl_MUl#UG
ze>k#YihwSC%M3X)i7wv?eiOAQ6u>-}36Q<B{k9IbT3gj9Q&s7f&Oy6;n@T7*CBU3h
zAi!Vkwy_oBS85aYui%Q!D&%+hb}|_NDyo<4z|GQ9m&^LsB(AWq^fp4hJJ0-1WfVK_
zlw>_O7MB(~W0S8_tcm~NIwvj9cV9*r{%xo?V#lyu=LCD0arJ#yzFU%#M7+`eq>7X@
z;*BoD_y5B>C*6N%l2g<4$o>x7lGT5Iy>m>gQ~HyCdcE@kC8X|)v{&Mp{^c2jTXaWc
zY*s6{5#3%js|8o-?W{G?JjWCqi)pAhIrdwzX6A^By`~vueY0ZaBydcE&i>Xs|3+!g
zn3=7dh;nx}+pJrDtV+W17h26{MKhno$={n%G5~9of|K86SlM~c-UHM2v+ny>xRo&S
z&a_xh=f|+R4Cg7Wu7b|2Jo9<#Y(7R!rTdJ$PyT@trK-AIs;Y`Me87<yhS;eIbFI?Y
z`zliQ_<%i_R8Go_#33`SmF|><_#EqgB@kPbpG`g;K>A@H1`FcEBd9DZp2QP*csTRO
zBmbMZcY(9As{a3HhEYevp7D-mI@V;EmzeU`7X)<%X5fqtI^HR7l!cV0sAqt@;L&pq
za5^5PB+bgNlwB|@Ee-JogCZl^h431bj);05M-i<A0pb7tti7Le83w|#|Le<3=j><S
z_u6Z%z1G@m?@dTMNuAW8ZJx*ZjUBQycC=)IsXHf++9^o2s;IVah$83!73x&W_?fbM
zjm%GSYiddwm1>zyE>@n6*~X2nnOXMPgw;nCz`!OHAYC|IMg897gPTmv3~W5%?pD9f
zuPhM5s>qJQO(sXE31_}5)179z3Yr)GrXRy=S=b^|>;aa1UHue(^^M+8F;5abM&-ks
zv&SDst`4^SD&q%gKT7q!31d)LT#)}FIY-^Sj&FhUdt5~;Ejj^$>U*A9Lxa>rz8jXA
zkyOzqxtU6Rf#{~>Lsoo;VES?T1SYCY9`9d~$Gg=#(bpppvWYpcsah7KYuF>v-UWl?
zyc4@MZmQlUw9Tp78Iu-yqN&oRl0iCLLeIQhWKzUFs#E)3UnG!=ZPcx@)Bi#*TCzW^
zpFuxc(krOTB3!px5LnW`RYZD;T@(w%!=LjV@%tbx!$d4Om7{(J#`I}?m(A)}W|h-S
z!|6;b?MzTR;>K=`5Qhhft=V7JPb5X27>)Vs-*J%NkutGLJhjfkX$5DZM(qg2?$>^h
zw#|Mj@PCJmLCw-~a8cVqDEyr}v<}7pCYaVyFNiV+6fg+fGRQ;VJ`1q(cPoLWWU783
zjpN18BPdEN(?5kJwdqsgx+wgxVhqMXT6Kqe4-f{yw-W0SY-bRaSdTcpdJhFwBF63s
zE;6fcSw!7<<lUwNHLd0S9Za^=vS7x^?CJS5F8M%|Yh}9*+uA9tIqIyL<)Yrv81Rh^
z{acW_0WuBd?vYsEAA@X=z8F$!-Z|e<lY;htykDWt0(@rfuKfL^h72YsW6l5^ySCM|
z!D(wia%d+3T~HUFE1BtwFYq({Lz`*MxNrem@1XpxYuqI61<A!Kdu%Y*Lk_Xr$jz;p
z)h!JiqI}af_d)^J=?~u}B+cpAk2uX~5m;^V-MNbRRFK*wD2$~r<g-Y_;Ju^9dOl$r
zYin|G5zM5XzBM?zj<gN^dysldBu7Qk>Ar_079a}d+T5^CoJ@LZiB%8dtrZ6>bYitQ
ztI7iSZ-YAO%>1act}`*_9G@+6oq$2LfT3H1e3Kp14JE4gL1f*15!oScIhg;5-I{+z
zWQV`)@^+BdV@F{y*B!)QN{Q@|Pk17`$^sDCc?1eW*iIrd_Rw)<_+X8j@AwqW^=1G$
ze5L3ofRx0Y)_}OZyVT|IT3~&ZY(9BANokp3Uo*`bX>_DoS$Hr8o(@+*m&ZP;J}`5)
zGh;S${|U+1Fng}k!XbL0uZ~5=cqcBH)z#Y1@kOPJ{Zw=u;zon^=DYI%jHJLLFrgI~
z1SG@JW5CVLxs(il1$T+$cj@0VjeeXQ6QuTIz_LG_R4ppPVWNSE-hi!kP|>JAT}<9S
zz((DHPkll?f$u;%XRu6*bRG%P6O43d`8DEF%dG7n9fwv*NM{F_zh_wk392V`|Dq?`
zWLZtd%S}=0gJ*s9b7edWUUit{9Pur#eGx+%oPVju(Z(0vMNFvtd&813nYFD$UkFn7
z!EwdFn&$rxkbZbDe^g>fsM98XT^1h66;-%BU8{2Y(TVkk1k)rM4u2DyJFEF{tbmh9
z8~zrz`7k^1gfl7=>mNiiVd@j>7X+y<5fF;ZppA+kty|)Xn#LhOu&8M)gdj2tZ8AF9
zz+?9=NbSaa7`Vsag_etfS@?|x)4qZ;iZ*tP6D_VdtAJTe$@jsZL!pCU`hH9n-v}Yc
z+xMs8g?uAFUa_0fpI`)rPah{^Z`}RezG|VpvSEp>aEmJj7uskY`Xbjelg@B=%C&bV
z)}Iqh|AT}Jypc3cY4W<hP$&?9Is)Zo!lqr3vx3wF1%YZE%ZTuLrG7sir0)QNY!2j`
z++wu@CCT4HrIN#pb>BwqEi6w7i+HnR2fKBz75GX-sp!~6(vXb9NJFym&SB=W7Yq{7
z+)7Xrks@Q|zMX5ACOi9ulTd86mmH*jg|K3Bg829xYLL5+>&X5j*=}$8bE?Cq15BU3
z5ly|QKer&_Ur8I*4IG^ihztEAZ1^nyr{h~vo8zN|*(qvj8tP<+sYfQRsH}@0A^GX#
zHy!$ZpZbv<tTU29mJVcUDj#h!IX7%6NLNM1a~Sle$-~ytw}9e`_NOS#C4%%%S>1U7
zC^EC%#HS%dxIbBh-9t6KiK{C??NdP7-i-HNP*=14Sj5v?IRH^$eIkp}b-Q6nI1l;J
zaPJ#{N-wGoYLOInE?>Pt5?tR(ESCBp)u_O*xXya%{(+{%)JlRPTEXk%Z#Z~;9T}A-
z_bvdeO#&7#<2r`&{941Srfc3$1Nb0yBj^`QA0zTjzW?zc^)lat&I(fhfItX+G)O%_
z$N)mA&6E-;2GeiXXdOY0`=~`m1Ubd<vOqDp0cqg4xd$T)MW<9Yp-{H64UP?|DL9cA
z>ee;Spd~LpCd2ArhU5}!u?5$tr}9n7ZZ_AZK>t_PH%@+#;Ua_7HN&(9<uCt-iLj|l
z5e2LWN@bnFwC6iaN@fmihtoB~l7lS=Qxh#x>y4El$RcSOsRO!lDa(QFN5Xvo4z@HX
z7|fkil{;Z<LYhh)5ms;b8$z0kSO4zB>K??B@Gr=a1^b3;zbJ976jv%0QvSxGVY<+7
zNimD6gg8NGAQN3#DrX75!^dgD8>Z%aNjCr5D-IRTrDYYc1zKcASbBs0X}Rd;7g$7U
zu|B0|R*)rpjItWaN8M0Td+_ZBc`a(<aPZ?qV9H9FUJZby#HSD#lULRsRuQDXNpMR<
zK9AToW)Qu3tb)U?tmlg4F$&Vqm;Fsuzd-yGt%2Gng1JC?p8_f`hwZjjcA2UjUPeD=
zLcrMjSAo=FEB#PKUwg*^{|zE%hG$Zp*KawzY^I9^%01G>7gr<68O7CTC^D3LL?zut
zc0X;8+6HH&^svkC;!6}E_W8GnV?%z6I2b~B5fvBPp9vg_?H>%u`S$<(-)esf6$@ZP
z-gW@1g42hGu6Fz(`Tj1rQ-XTI^alP$1BmG6*GRJBaD@f(q5=Vj%duv{DF)SvzZ@fe
za?SgP*vFrd7WkMAq6O(+L~OQ%99O|p%BnrLSZ$JOT{nv4^BCN?jC__5VdV2&3n1fP
zp)7rok4QdjXLS(_j$Gro$YHEHh;d>ZCnF{lr>Bu|6sPC8B6|F^sCs<3=+Q>SVmaXV
ze0W=U3-A(Q+!jomCl*u?t5V-#BE#?UXZ%c!WuV=L7o^6qB0xSnhBGLxgcIL#6Fp1S
zjUaV=iGRyOW%xI>h=19Lu>!Cn{)<m;K>&)}f&vt|1qmopG;l;zc?l9+45)<!UiA7@
z5e2$nLM0jBve}>I%qZ*el73v1zP^e}ti(mvGyBp8N_l1h6T(KYT|hZ%wVV0RA}-S_
zDd3sWpkZ<9bExCRsh`Ty<SFyHXzKqPkh$EZ|7uPDbxbX;!cBfzedWNW+>}jnpX{on
z$89@R@<J%8NTuFpdg)l4K6y8Fw~kdUna*%Nqtwez-HG=)gVe>EW4_pC?Zz>bFF%qa
zBkt}-QljK<oKfRxza;Ygz9KjE6^V@?e9m)p*3L)V+Bvx@cly`_Gd5i-X1Eq2ED`U=
z(XS>>3tR`AkSQ=VR2|jRQu|qeX{}HeR<nXdEF$pm2pa3nCFUx3=^|St@|D5y#}Sv9
zu{ADXi|pNS1>wp^-f#poj_<IN<s@Q@5w7mqJEDKs1lv;CWj(I!NBFkL-n|@8r^<SH
zY}Ctk4O_<nKCgj9LoFS@_3~)HWKVD{rN-rrmxXyiV(VmTmX{It=U07N?eAjyyye6`
zw==e)#QHkC$#-6eG7^UGh$@WfOdpA08BT)<Noekv7tFoPOF)x<84jaDw-i^>SomfB
zsQwpTceM5FYwF1!;XG>V4WV7b1BKp+tE(1Z4Ac^|ybqpmDI+gi7)~g11xdV7t<m~4
zsCWJ^7xN$0NB&X0^MAaUzkeZr@=@D(iUfcyxSF$shTkpVU{TO~5(Fz7!1!VVcl0sf
zKlRQ(shIzp<S(+PSlP;SC(Ozd^((JOa7li+E7NsUtm)mHcPM>`$l)D?PDOtIMJHud
z5IKHkxPoXQ4Av8Hq=+=Z^yl~vhmfn_6C|;*;1hH!AI>KzNY5^i+J`)n(S?eOGj(}y
z$X{B7{N_Gp_DF=9vYCw+^Z$wb#hH4hY^Dy?0PUT=^e%wHvx5(JrhZ#Oa1m*I)Gx0E
z(e10n{vO!J_)@*|7ws+KTS$w&N$(hz+%kBy7wccpSN`7hf2o-NhCcFl^oDm^G5@)J
z<o|>xZ7JoEidUwPJ9VO-qUyGnI=1BGHqP)aF)Ku`8tGAD!F?%LY~R2$lsZUC8#%-4
zJ}46zQ-(UTuxS)!kX=Agk2;_GZxQ+O0%>d~*E>W@g`^Y=T&z;B1mS7G%40{tSQo*y
z5Yaz8$4g>&uX60<P%Q$A+@fswIbzku-PJU(Q}_?02bU@NsJVPboOuf&6wbUgZheX8
zW(}_S)FCX2ZmuU|AH!PHAL?Y^_q->9xz)SKnm3&R%20i^ejjni<uT>SzTlkKhGTUc
z1mlw-xsG3C%G5x9{eTMAhy7(@VW;&vDoRR#{ik?>1lVUSz>+VqymX}(uA3zw{QWBQ
zTReaV82(m1VJ?D^tQQ}aS!^4l$ye9lgx4K^5qxP_!lR(G7IGkh+=pS3NnE*0WjbE#
zc89G0;U&~+#=FWV<o6Tq;IqNNk0FS-xl2{<lCjiTIq8Rq_i%+fmJ*5g?g-KckRCSh
z^&d~ksmLQ+&|-L`$CDW=om7!{F`6g|kk%;TYjK6%rsDBC`l;n=n6K<}R7QcF!p||=
zMV9>$m`#!H=1Hw^Ec@_?Wy4m=w4yWm(u&U50wHPZj4d!yk<yBmMr@n$6!BW)>8qZt
zYgbEOW>DDdFxmyvzm2KO+v{qL<rYY=V_vn9thd00#}~(@=KpQM{{@;anU<1zwyG=K
z85P-L`b#4EhbMswg^uCZ=LxGYB5w3x2Rr<WQ!L==Y*|Lx!biQ%-`MT&Xvp6pJen5a
z5%P2q?(mK+z`hNBG7H9u!~^O7t{d?8GI0mj-$tx3?~-SomG1t(ns8h&a@~u$1p{|@
zug`bOi;gWGMdxOQ7e-y&epDYEVN(eRBZw8&yZ+(rQOyj#NJQHhXqpZ>z;9=P>Cxnd
zXG7qE!Na^LDJO~Ft%#=Jx3F}j-0o9;P)M1>Y7$vG{r*?}{iROW+?yeW6UnNg6MWHe
zg`y2uM3i!ZPZ?E6k^HHYBYnzYg_QY#Ln-_Dl-&y{ai3D*Q`RkyI{#76p<cyLPs4hl
zkTTns`MpnBR7lx}G6f0vN^OuuPdR^;4<z7*PMrqeeDuQZs;~-8Dk7;OhJJ9)uzz87
zFA;gd^<INK*!S{)LNA|WDHJpY_>}5G$|WUh@OGii0j#g8Y9aS`2uSz;B?4a+d`Bri
z_bIm(QZDp>&H0pcA?3@yW0(1q3koT7Nb!83faSY}5BnjGbotZY;@cuW5GDr^%lJ<i
z#S;*|XUI1oGnMeO)3nf-rf(iK;RE1r)W71ae?Y$UGgdf3w{?Z%Cs%;bGs9ueb0$_2
zTljNUM6)o3xB9j5K$kPM4|%Nl@GwZefUG|&Mb;boK-OuI$P?b;3GffgUE5!I0jPIA
z_aTg`LO^uxO8-8~UQKrdnj>8IQU}vBXlf_f0+(x)g;RjH_%C+~@G}~;lLvksanJvT
zJaCfd9@qcHk<2uf4mTmwm@0ZIgW3o)s9nztg+Jqux2R0j_f7n<{B*8}Ka~4`a><a0
zfm2VB)>Y3|MVTF<BHLbkCNYg3vEoO24#<6ay|`aRfeuQ!)=`voDBKOgITU_YAw%m*
zI^g2gu8dG6QuZeuS<<T#wRSqCg%1bdb1N3L_cIZ^&)Dcvs(s4Fr+rG#@1pKs9CiP!
z-rYYK)8B_N4I{AsxWPTmn&<}i1fi(z?VOqous(-HfAdW72%f;wcn^+76+YW16Fsj$
zxh3;pRh7WAe>j|MB@tW79Io|`f!$kV3wQE3|9uXJsZZZ|D(dYMsM3+YP~o^6XWis=
zWt!A6H8{hfbw|>|DmmM8X5decJBjOB*j;wymGb`2CR2P2b>~k8DAV%aD^vVS_*Bm(
zDK^X=2j#X_edOBl@P3h3B{*MB?WTG0Oqw!w=}t|#6LY4rVOf}5rcSC0mdQDluB0RR
zR_jH_u6F+cneBXq_uEwmZuzrypgWtC<45wUiW-2NxltcMx&<98V+r2pn=WbpmQHlj
zyz?B7#=WS)jr+MStMU41NQEM^t;ihyn)Df7K<&=&DwezPdql@__b5*+XZI!NufN7B
z8sIAm-`K<noPK8C7)(*`6Q8_GeXUGheWd{AdUta-)num2780b+B5%~kXl_1dedH=b
zsuUDXc~VUUY1JF*FrDjH@A>{A)h3TYC)bl!z3Y5&vDINmx3i~QDg4m(cj=r5H*nzF
zkmKa}F7wCq-D~c3W3cAlT|H2kaCAePaEB5&^BWX(&@4<X)$}*^n*UdA{;gNrnEyW+
zkc;!*zhwUZAK=*T`Oka2f9^4>@dM32Q?PW2gUBhgY2*^5o?;>l$_}4j_YF+42Dp8U
zoaL~K?<=@LEd`*VdPaA^^@U=GUTuBd*;muk>G8|m?$=j|_oiBj=OUy$g+6XCCN7J{
z1N}vqc*i0)?6Xu4U|8a~M*3%b&kRTLx8%HgDL&HZY+=N(=^~xD)|Mi-h;X9-2T6DZ
zZgJWlg)Z2SV!4|g-Q8zZ<rd5&TYm4UHbkBCP;}2v3;rYyI?*YtM>*dIr2pv}b91C)
zjQ*CJn*1LgwTiybYm&ZD)>S6BoUvhoDt7f3e*gf5^HQ$;;&-7Z-jA?vJ~HYm>&7F|
zcoK#2l)_W=`g@v&1@@0m)l?kg7}=K<{_z8DnjTT-deQ49#cfHi?5AywUY~~R`?1(O
zlrZN6rPM;Vej<KW!fm6*3rVxdm`RGO3L3@};PQ@tH7sj*H-De!ZJ&T#dcN!0TT(h_
z5nUbdh#TX?E$OOF<13{rwxuh=1IXy{s4r6a;}x#H-HY{wPlM2X&(dt4dzEr{%**t;
zKdE%SJ{bP9PgO*!(}2jf@ZWk8-wynD_pP}5+jRvE=beURcVzQ4{{L*l_b0U4wG$Q=
zE+`pYQ^(;KKQEok)sV77j|nm{@1wYb=4o9su9G>s0KO&))V|?k2EOG3bykE6*vK|W
z;UJ|3lS3-A?bRHEAk4MdHC2#gQ`e5xi;`CDdK6DL+3DIjKtjP6a&7*mKR6labmpz8
zYno6C=M=wak0i1{KPAk060PL_y1>o&{$x^38;t>U{36_i2;>u4ozoKt$Fk8=5n3V(
z^|fUW)fIft)NzfEJ*wE1Uqbl!T>NN!xo`lMlW<ews)~c+d-@@1gpcdQl&)z{Ox=7?
ze7};E;q=O0opNv=lWW0Gb9H6w&^4ESs^^<C{k=ek7w-jnmw~!<ms@<ucA4D^lzAe#
z^2OxqO^NmUPJXg*C(z$?4N#T86KJVEqC0^e?dwh;HTqlE4;`MpLT7Tbr_?ko5u`ru
zmw}a-Pto$-I~r+8Jnm-sj#%d99&QFBB{{4j&OIDf*f^)kuXK=pA^Z^)6yR9`i30@*
z-X&og8Y6TN?7pCQZYpD@4Mh}}7d*!j$0@<)>^JIy^hbfa&YomjxZxY|_zKNK_9nv`
z_+~Ai7Oyw2N|54mDp&6oJ?!wJT6GprJtchdPkr($rtYlGKeo_ie}?Y}Q#vjQ_0EZd
zUt9JQQkZ^qfG!H+x;t(pTAM#`o-1{mYT;E+<;ar5uP)?yRoNcD-({QP8yo8zo1n%b
z$lE#AlAfk~Pd7Ydh0}0|&Ee-M;ri2*J>klEU=GLbnuC_Sak-Mxq760uuq&N<e}f~B
zzjeB<yvesf8_qM{=SZU?fzNLIlb!&jTso=w5zBnlz}V2M*h-m9iJoUw`AlEgY|=~G
z&iJ;QeB0NM+?1SpWksBGW4w20r8;g2zec?7_uz1O^d5zs-{fwi>5tPma)w42r1pUI
z$Fh60<r*i9$xO4POsx=^t5~^@jr-g(JiVGdg}bM?yf%AEovvu*m+RTu2k|?Y-@*J2
z;g^d|Pif@0k>41<G<HfmzwP{v<yRMjjBCyQZ>KttX&=`*^!Xt5OVFS-H_ZeWd~)ju
z&$e{9AYq9xb|e9Qll@$B6E66BA+0Aju}h{?h{;XtbLpM<<fa{4yQU2$O8*EBDF$Q3
zV0$q*wip~&3{EHpr3UJsdmlHL_7LCnAilF&hweI#iDfT?g5Kp-`DFtCuzQ37@$-r1
zM%{Pg2ef3*xsvmT9XmGzLCzg^3{bZEdo5dIQ*yp>V-J$apJ~b(d*)>2Y!;W~FxdVa
zmbwyJzMc6m@B@=GVq2~|hA#-E6&_jkG-)T!4Hhq``81XUTQBJ<m&Lm2$c>zUVAPtK
z*2#eLyWcE**;2-24J+D)J{qL2Fb1|L=EV|s511YDPf)7D?we`jox}x?o$$sY{TDmr
zd2agd7Ypv<BH%}Y>&~Ep%-gZd^9{@FY?pgi<C>RRfNTtRt>p5}I(snK+UcCo%1v%J
zWNWw}B>CRXlV54gY;Jw(wWhUQ-(tSoGVjF~a{)-t9}DnsciUV6F*`ao8MZ_(O>WvD
zNKaSYOq(SN9MgW|$oAJHgkR%Np}uH#cXzXUw$GS$HP{RfY{^b#hB>vd006|2R}2DM
z?o}{*JmkW4hPflzLAqX81#pE?v7v8sAPKQJn7eOc!{OYj$=+IG!x7w?!mv^+f=oR-
z^qJ?A-QC0C%_p(V%Y*0Q7|GYzj@{fH-#xS3JGXGcXznsyu^7zVb2s^3rCP`?SFF_V
zEy}Ttthg=8hLuDMp9PH>ZjkBWVu?S1!7H+#aU0I3@xURQ+NIKFgkyK#XHZOkj~wB7
z$`+y9c+BtNw}~-`dmPjrT*w0&o0G$^x4erotag6zpqq+Mk^sH;aK_{MT0qvYOjnCQ
z9TG42=;UZs1DDpV&EMhK<l7s4RdT3NLc6c(c@lh^G8Kh2RNa)FbS1|~YN;><Seu4U
zlcjtrSJ|)45A@|`Q?7*XM#Ee(S3T@FC`?4@C3N;nOXS7sVw?M7ZVG4dT>!^qTr<LJ
zi75q#eBQ!ulx8z8!83bhJDv@va1@cPS!0r|!;Eh_-%KylTc_QKTQfJ!W_;FAS4B0!
z{2{<AtS)V6CyaFAI~&UT^NyzHZ$u`C;aKpanlc`ggROA(IYDv>XNtkG!mkq-%x$V1
zenbY>hDypcn4AC4S!J5UJ}Yvkq+^-K?a1j0G?1pu@)@VrADvmAc|W;w1Cs9$@>EDr
z)^GClg9r}vQBqPW$bC#^Ik9`{3pp+}bRl2TGF5DU{W|<4=dm-+svpj&R*1*sq{RAT
zIduk=A^IH_r1bDmb7mQpB-Wo9q;>^Db_-lJ0dgG0la}Nt>Zingg7VbXlsnnZZcY0O
zV<H+G(w|(2Veh5lxs%<QH?c}GaO!OoCO$%|<8}OftK;BcZhNI2c)NzN+JU!+$f16=
zWPd$_VIVMc3}8&Qkoo@i=lo<R<#&YwnrmoGjD>F~|2p;6=|MvmIuIbe0GgK6vSwD+
z0WL0>A%4?Z*~#_mCAoMblzUfMtD?AO=0FuI9uoEKz*x?qMb1*CPxk|M^0hmwi{}cJ
zQ*0&vri4I7T34T28deYrW*kE)hxwIDV?%ktWV9w{ZY{YoB<rANFn4TabMCygO^J<_
z!L$PzR$>F=+uH(o&g^Od?(+%KPrxZ3<g+52As!~oI~>eQPlL)6->l+hQ1KXBYBEbh
zE@#JUrG7X_(5N~Hl0%D)^$77eXjvb$ydK$y)!~fRi}34O7G^RoAU=ws8lleXp6tT(
zPUl>S-I@A`GYhW=WmpX>wRs`^DC<j*{taEBJ!{uRwY(ngPb)V62CGuI`l-u2LXPIl
zQ^}XR6B|15_@PllV7H^R5m2^do+hR#xoREY;}qmO!q&_)O%L%a$Er0=iTAtX`=FLa
zd6=C=+$FfGb>XV2QNdiUnoewFnyXbXv5}#z*C2aW!8;)q-Dfr7Z<S`_%AQrfznkx&
z3lTCan{=m5MbNywfPUPAus^x>Bu@8UG@r`l*L(s(?gtnc{s~BVz1GiCr<<klP1u-&
zt8o?>0ba)l(R&fExjigCDVPfbNNhMWeqmz6+41v<J-TYrXA>Jf9Y2%sF;$ZePHZ?P
zexkA+YqcjfGzQJ<gXY(J_8vde1`zH@br!P2T&nn}ApJWxe^~ZKyoN}rr39@%#oXaj
zFvNm9k(i?M7oVoSa9{q+<U1XtP9Vr&S?|I>5aider<2qK%Q%o^#vva+>FHg-0h4rM
zj)KzjtyD9%Y53nR5IX<Ywq)i{0n!9ft*2c{P;e)hC<ar-;0zy(AKIM#N}&iPq9O|F
zmYH3sLYeiCSsR#M5kJT`peWyf52^wEqhmwpNlpB)f0?zUdc>;u-hCG!MIF(w^p8WT
zsk>ORh|=)%FT9O!k2eK^NxuWAK$3A)!tr>$@H>7$(?h_RnX8Dfzkj?xDZ2*gL$R{B
zWy|x`#X<VJ%)DKZ#{J}(r5rBoZc40!7VoAG7XgW_>xN&^6Bhv~u3HnNZ(C0f&08wG
zir{!R|LNx~THOx!Fa}UzGoSt$k_@b{DtC%bJ4`;Fx72%{vwj#JO<(yQ9r-hV3i##j
zd%T_c9)OKjgtrh<4d7FAZsb^c0Y80_60qg)=ZwQ03JKpL3W=hdG6i+OAMCqHkxd!9
zKGh2y-i+ym3)1G0C43O!%JtT5B@a>Wj^z(*_=q6=&$Y6D>(m`^c3z(0lwz~RI=8pI
z<E_1uDjV4O4R4|Lmh1^rbR*7g=&q)pph&bl!h>>C5c3jrF`4Hc?VTnGZ}h1-_W~gD
z<cyDr-DT%1CAa6XLziByd?~)#`M)JQ?K=G+`6*gqE1sOnfz&Po4m@7yH_)RW!TpQD
zI)eHlRuZg&@e!@rQFcpl>(J9Vmi}id1PbU1r{iq)mQVDb50-x}@Uuj9g1xE>haqV4
zEt=Oqf)Q~LO!!6#_M&;^4dZV!O;dD);#vS1X804!-7t?Nb`&1BpZhxPXMwOhUq9Z7
z>8tnvDU>6ehXgD6`T4tC+BoXO=9k{w@tG1aIx?MHd#B5F6uDID$G+63{r5^5mtkr@
zzG-2d8X7h&&ksY;m<4{kM@a@~Yhqa*WaN=ja8g<GFP|r&|Hb?Ye#?t@EDifpD42T^
zS1s1X_hZG5?`7Q7X;A&+J2h-Zyy`ftVRLvKqOr+cT{{Y_)F@df|Ig_RjX*ec4ccs^
zr!AyQndP>#?ynNxO=;`oHQUK0Z}PxO46j6h_?YF4u7>X5t10um6@;4@^N9CZ6q)J-
z`XL1l;S=Z_{6UK9Vj22J5u|37kAEz){O-uaxn+YqIZ1apLOW|wINI@6kppOcb@&Es
zRCj=42;!LvJ$pGge;2UEpzul0CBkn&pqko!?sHRl5(pwR4)+%0aS#oM6RE+AT@?nu
zS2^5r)oDSW&frFT6z$V@D-b`30qo#`y=5VdltOoS2A;Z>4y9HYYX~w2P*3<K?Dhk-
zu2<ncSnG45)~l^`<X=_s&B~SW{??Q5yY^j`=vd>NGLEBTOp^ez)scB{q@%j$K>OGY
zW{9P$?v9_pbQ2wOT#b_ivTs(c4ASqD?&9uptrGX^LfpPCAJX%=QC!b0C8Eq~kiaAz
ziwn~0q}u+4$in(#GU*&c%BLT6^5!b=d7~^A$gJxU8=!?pgSjhW3txs720{yWFc#Ab
z5}K_kz-2EJ5DohVI_#6Z3ig!X@-}iS)Um><r;5Vtjw2HlS>bOkM3*qNpb1n*>h6r+
zMa(_@_@qDF@;_VNH7m?D@=<lB=LVy5gxusS6nG!vGJP(yUE_c-51?l=B_tQhn@xRt
z%cqYA_{iiBIzsSJ+q)Oka{J%vrhXulpy^UitqAv-Gow^+&kl(72J;~GH=?$zL1Yn1
zkBC56K+%tB6_t*5q%eWG2+|YD7k-OBPR`!`4o0|{)?+Z?qwjvu(fx*EC8Imdfv0qI
zBZ%6{=ssor7smesOtx``T~r9_5O+Eui|d(11n4dm(PbJ*K^?ykuNvMT{Vt{eDrY0V
zqOgx3z;I|IeG?4OxlY9iA(@4DFhtua&o1a>lGyTGsvn+y9bBLfma6Ajrk-aTUy1qQ
zXN!$KSf0P*FZp`KcO@U!Wb==pviqQN>))A=ntk6Mo8~Q1ZB`EASy5I6GH?^>^ZGe&
zaa;C2t3OxW7|Y(KdU&y`Df7=*c6U}Jj&;2d%QaWcj%8y*+Okuy<Tql$*8`1O>N@rg
zXVO%p592jHhywAeTeHXD#+2WmtLzYo^4!Hi?)~!@o~7}ie6(gK@&5_DWORC+uFb;|
zfJGi9VDMMDppd+*8C2hz;r2Uouh-F=cIBvf*5}Z3!26HkqK`WERtJ^YxH*XM!+HTH
zesU}~lDCIb^#*IT9LpTqoVkF_BHpjb@WhOoAz+ml!!4<a`*ar#>K)mdn`L#k=I*sx
zTXPT93xN4QF*w#Y4hQ_u5_*yv87asG8h%aw8)tgCKs?;|iGR;PZ=~6N@-=TfPkwDF
z^PbB&(0VX!4tx@^l=DDTWtU|hOnfYR4(8<*@m&(b4(h1qKtM&u0TO8X(}X>cm9Hbj
z9$hT+DE4OHyC6Z$`EPyE$HH1~A{J*1S;qWxT-lZ(diBgO0~H&<@Lrbw)G-qAYujjH
z>#9+KAp~LyfH*Df3b3Ek!aj~3V9mCSQ($Z?cdZ&$cwn|=e}0(S(d>7Q#%44FdsZwr
zmYnC-#<F|X#|}M^UA&m~mw4#QJ^!jrChLWEnb7yy7h={VTG&3*snlm1O{eM=Q0+9G
zs#id@)ub!PZLf)21PRbNaEL&=0(6t@rg?f`RR4G$vW88F=Xn~p3xY+oOiM*V4H~Oi
z@b}km4eGPL0MzxYR{j@+BB&oj$pwuJKEG!a3)JhZ+U<tAxUqo8z&;SvM=<ujK>ilZ
z|DOZ-sTe^d&FA2}vD}6A;|vQ{=db&m6Ae2Qf8L{Qxg#4}c};Un?xNW}2cai&|1>^O
zt1WjEhRCDxU-TtLQiAJZ#(`w58nI={UuRR>q-T^rP6pjlBV2FGgt300*-1P!dD6g+
zJ7T$$c!u+mx>)X;wfS{pUEj{5nk@_1z2^n~&Hb?KA8E$2w}~gfTg7<VvKQ5Gdtyhc
zoE;{d!B|8%*)ibgX^o}qujaLgxryo3HFS#Y4GN#34rgCTK01hs;`i~8P8<C7p$f-e
zRc|fzW=Gb9b1ZX;PUua)@mvc1459h&Q?q;1@4n3&VLl0^Zw;Rpoen<hnY#RPLJ>Y^
zsaY>Sk1H^Z=j@@ba;7l>COwXvz&us2#layi?<Be~r0B2AHKyV3$u+)_s+acYSVyXU
zo(n_p&Gi$BtW#i0wq-Eo6PCt9ti#S=hGpf{OVW;w=&@(dM|e=BnHQhkGtx}3D)R41
zPayyw@m1NA(y96xs@7hW_FcD!rG3}!ZE4^2%!o#nm7+<0=F)fF9+~!C*E`dF@t5-v
zL_ziz-8X&BBJul@B?nY$mJS;&953dFAlmTmdQJW_1R6Sfo-9rLXq33S3k=Nf>~j6I
zl#E&iJ2E-~GAkjY*5vAOJqK$Yf{toR>FCqVnaiv5AMwT3BGZVL*u(g|Anj<W@jVTL
z<FXtlC4-M${u$TQqs6Fwd`5`wSHu=+=<O1s3(`|q6UzwiYDOZaAlK+E3xzSue@0C#
zH@P-{iqG3^RP9$V9_kHWL3E4de6GWNu3O7;jjj!Q)Y~Z6PCl1hEefk4OICO?1Bp5k
z<6Nyn){5gYrw-2RTL`O<HTvlEAL}yDhkKRrnzb<`2bFa<`t}==d7isgVt@Z>_$Hl=
zW;fKcE(ithpAx&~4cRs90p7o{97NCaNxXcQODHpI=T9I#NWaSDG``zag;eW8)j_(7
zOqsVEIv0lh8sA-94ZU_;PN1setmLbe9Vaf3TY0|YWQH$M0Z)l<Q`Ft^k5p6}+d&x!
z$^AWbw9?WWX$(1sel1eJynJMS=8Jc#==mjl88=amaE#BKxQSNc-|u<N^P4U?rLhU#
zRjoeomOXRWv#hv(<{sF~fA?^QM7NSTIlR6qK5IdOapeDSlJ93)%r!{8qRKL9lkIj;
z4l?&6LZV+RbE{Z;kbYDjCgpLJGUWeOB=*&s*hdN+X5=7#>oOx*WhK{SM#7pU*JMUQ
z=aOr9aVfv)FzZ&jlV%;AQd@oy3a%utx~cqjrPZkZdFbc?pOW_i<h=A&{&!YUd?DRs
z^Yj;B$NlYM)a{gWjCw5GI{%UN8>KqK54u_^RIQZI1iuxF`$4i-R5s2%Ka{bbOpf1U
zNE6_btE<L0XGU)d_4c6X+rd4#ng^4+s>3&oCLA#G-~6YevIZk3AGxO+X=;BWq5O#;
zlB`3qtPKz83GVq;rv1nW(Vb9*T&zsy#xtvasSA(G>!?KuV8TT-@5UP=iyN;!gLuGu
z8-2p)Lc-Ih1Be}zFjx?}qmYmggx**eB|KP2xLXNNksv$rw%*UsLfMx6x$xJ$pYf%_
z`x$5W_cP9-Vd*c0`!P+Z)FT=b=#8GNsHWZ4%xQH>h!GfMLMDO1^3E+`>~8&L@@JfA
zW-sLO{8a>dzptV0@V>^~{1o2TP~3<1zDE88;p<!ZZvE27vL~i^UqdbPzJ~Q9_ppGJ
z|0n%~;`P3UqKofq$bZbg@w`A7dYYJ(t@9{uby6Iltu`cd$pn#O>x3vUG4gPo;yhg4
zS`0u@Xx&=u!VqE<5XP9BtVpFI|Iio#uv3CTBVHA700rCOT69Lim<~t}=0gj~_56<E
zg42Qe)sB$v*GIXnk2S1_+1?%BR&20hQ5E0?p?q~B`f5cA8N*u4ZMWGDyg^V^s_Tgy
z)Rx)QmU%}7xX-F(umZLDsUW)A<t!+qqY8)7R*?FGHH$g}eA?SGL)tPEDV4H*wI);U
zR*!~dx|cy+*FT!l)AF+(;Ucc~CLS3O6P8}9vE+B?FpfOAWN`7XH)VPAuKj(v;7<P~
zxpl=;dYGu3>+aJRQ?7OBH@KYjCPE8p$dJFN%|jE7aX(_Ip(fLhzXLKOtL^>=na~U7
zboD;}eU*XxeMi5Td5vARW7X(*DnFGt7}7P1gb^jAP~`UvD<6wHuKHydS;LAR9wcvM
zg+Sb3YS0AYEzq&x9^(;V=h}&?Rs#B7K;PMEZ}wI*kKo}xdlh%r&R30f6>*aR>tdOK
z`X0!v&|~-HpPQhe2q|;vt)8L+b%*MAP%Kj^w66%oBg^Eoh85vvx-FV#<%qL#<ft(J
z7z5YD-)J>4@!_uIYR!(RYt5cENC=`;-dKk$8Z+P}ChwcHFYCwPP~Od3Eik8#0+LoV
z255~|9l{Ot;ru@^IJhBPM7Dy6AtfpQd?D>*K6|~NS)lKKK-%`!;*jR7y+0$89%u~_
zsEY!F6cD#eT_R%4-YNWyiPky@NQO9^-v~3Sf@v~>n(O?R$gi_aT-^;i-R>2_V^y4I
zOY}1=IfWmbbpRYlSl#sQqDsSq8<p(bmmZiv`(4QyMC?F_n~BNnWTKzA5KGx)LYY6C
zO!V#}5{csdi-O6!k5t76$n{wQOmpVqP05v&@qP$4(m(_`nL#v1NC+*MmYnrtumY$7
zEp-aCM@eG|3~tpNQ^*WlwNb!e*Cg1{SF3QG%}~!t(rXKVi#Gx+tU(=Zye2t_td$L&
zV02YiGGYyYi~S=|y*-l@SBPZ{==n7hMOPj7nh$9C*#ighx0D$^R~O3($&rr0_!rx<
z9d&KlZ-DfVv}LavoZlDGSiC=LF9vBQZ=)9_9UM$|cEAP9V#m~>(y|7&4DRX&lws8)
zYnFnoJdz64$tPGM7NnQ|67su36cEy425r#$J5$!=M_Y;_vs2dPhZeug)R*Vk=`PXy
zppHN1_a`y@s8MBt)+%601M+Jx*1#dj0YUn5Sa7&rc<tyGlyTUx54k}e!<QiacRKH|
z<T)1tOSDn2O)Tl}gst%iTD@@uT;2wb42f{0Q32ryl7qC?Y|_Xjn&@T4NiH&fUdUCZ
z%#AkJ$>OOJ!=B=MTKP2>Ilg)lqYr2B$MCA0ltxlhft0XEw8_Sl?TBrItc3pDw#Huv
zuq7@8z*Z3|16aq!5EF{V%F2$DHOm7d@)?74Fk}pmnl#FO8yka&&@Ko#?mR|7k>z)s
zkq5OJENcx>lx<+BgLTq1?r6bl(h=$zn|f|4QgKh(i@dKpk@s^Ha7sz?b<<12eTZpV
zTwRZ>b7g(yZ_f`mf+{%CnEXth=FGX9!cTx&WtnP-D6hFcF|pi@Qw);#7^BKPIFYaX
zf>A~}-|+k^ypa~m%T9*Nl~sQ-5qi8pGQ9O+@}@9GT;C0x;~Ll}YTz|U)t_hl9;=`a
zZlZi7zerx|<?lbiv2!TrFiC1+-P7p(nCyI^*%*DFN1!RYQ*zzzyvvC?*qS|qh3v$^
z$#r{}h{rdC-R8~3IO~G`$#r`MsW)K(S{9jCS#WJlEvy#80ToAB;@W+2T$rmS+axgx
z4B{E1z|n1T-A8a1-AUE%<%|%#n;WF$7nxi)fL(7qVJLAJ3rxD3D(nmmk0^kwZsF$?
z65;t36JSMhN}~I94R5OBt=Z8q?@4fT`q`Q}2mC*a{fW#8F#8?F!gP_{B(@$#)vU8+
z_Z*1zbQu4r!EKqt>a`5kk*lI-59kXN^Mh!3)8rUqZ~{&K61I*cc7IL3+2Qs1aTYMB
z{V9J6AI7LBl*&mnwLL!Q0!PR4Fzi_o!GryPfI%nMVg4FUz>oM^Kp%}*ZmjcPIUlFn
zosB~_YX|-6ft6#j=MEW@J)^NTI~ig0lR(uKPF)Q+W7+C@eB|aG#E=eI+R@*AH&(8F
zo*Ba26U=%{a5IMyGd{cs|8Q4)-z4NWhKkFNR^T9g4mCP9F~Wsl69*G2V-vks-#+;&
zRNvJP+=FSKiOj6iBA1Pe^mHU?r>ECQPZytHu^9>0RdWmcNH&^AD}hNLjT7qygEAK!
z#%EnqcJx4&BL*W(Z%s~f%PVqs;gCp??c$oRTuqsqJl`!$)I6dqJl|DIV{#|bLEcZK
z7kq=`hzJB46`-}zv8bt%h6t)&{Tq|HUM(s2ko=)vv&m204s$9c$s74LlH4;$FND^q
zmSJ98Y+P!|XrO>FLICnaJRxA3$yfsaS+{0QP`Bc>C0$BO0N^^io#~nF|K|^E1k<IQ
zvFUL$(%52gjuON%s}<MMIPAGz*i%59$H7X6IKOlu5N9T#a#L22UIbN}DJgv?A&gBy
z`uie!tu_u{kU9{9N7f0n%zf8LOdEo(v+&e*jWjumZwOy2kVl|K0_}<cVk23iCGTZM
zj#B`r7IDjFKOD&vh~5EgAJg!k!Ftg74h6IcPy+ANV}e)m*gd%33gEiVN6bjmZJmZP
zOfCf+h6^T&4+oH(sYI0i2P|St_Gfdf>R)RtV}`!Lo^FbG8&7gkEit?>LPRTE3oCDa
zbl!|2FSo+nYV!NOw$b=mYv!^1t_lm~+A8yUioqJs?{kdDgM~rrPOAq_+m?Afmg&kL
zPhH35h7W4X!b;)b?J6=>TN@3eXvMH$#NeEZt1Fqd0rmM$QJ*$E4phC_>iUK^wOAyE
zXpL%wKZ#MHXvpy~e3U<?KbGL#wiwm{fYRYzl?#D)ud)i1F|3X+ORo8v<eF2M@w%>l
z<TaGy3sM^?au?o+;)FILK_Qd~kD-hl$FDH0CcK)(S&If(CA18mq`wku=9Gvs-zi#C
zd$RCcc=r%^cjK7siB$F?tV7IJ7aw?O_5dRa*@1sd*BK6jnAUp`y}2$r&nhoUonMe=
zyZV7Dj+)@POwMJ@&GF;tI_srvruQP7I*m$`lDS}D*GO}4B&OC;$;aH_!gHXOqU>zP
zRf@w64>wv$2^_BF;yT<lYRG=9;9846qu<P^M(YLv<NB=Mql{>gCP&pNiM4vvAO#R8
zM-2`yWb4J&W!b-mfj(GZS*GSXZVKX<>=9m#pNrS?&95&!l5#%p3W5!9`sYsm&c{|~
zL`Ts5j2uyzk!BZSMg|coL#sY!#H3LZMI#O4Kb;ZiPnhawB+Ec!*#Y(5+pghFi8SFT
zVz)Y~J&L1}55FUpSuVt=rV!fZsQMSNxi}^Sn2JzNIR<~`!5ntWh2_WTmBShn;jwQ2
zk{E9ZM}D8RtzIK@__;`}1iy-<p5|+-W8I}tDxHVK+*qG*A;!9r&^E^kO?7&jD(Z+`
z{cN;9r(v;y4^>>)IL@sVaqzNqt@w)Y7b<}1Y-M2x<t$zf@EY-^f-aIl6?p>%qXcwP
zH^d(*qK$=fL>spCqa6r#f5H*Olx$WU!e@CS6KI6_E^0g%ZwikiuGq{X099UQF)^N7
zIW6h@P2rp^a!rD$qx}%mrN9`SaWB@~XgSI?KDh-HbM)t{yzK$Ru+C_`3guzm%U*U`
z)2aB_m0nw+rRY{*)SSIdl7_uCs&|>%yoraKFZj|uQ2g-TJzRkWiq-l?#bYmor6N;c
zRN=TazpN{AgfSz4lwW5Q>dR8#O$5$fAfws~=LkDG4lqT-?@h36*R0On>^iqB{%o78
zdkpg3vrSnv3|?w+iL2r#CfC)vb5>3d@tSABG&kJ!-rq|DDrCHEE&u|>4H0fI(tApJ
zPdCuL2nK@IYz#|Od%i6j%bT4!J8@lWwvq9ANVE?s*p!AG2m5CwYK&#BU=6&iU3R9r
z^IKqTMLSctCk(~)Gyn40Mi}X7OrO|`PUy-W;=$L7RlNwpF0-QvvD=Ek`;n_5wSbaE
z5OJ!+5CSj(nD;3nc%}WFCK73pT)e;$OWvs|9oYEpV@O5@7+W4PX0GIwR1zJF(FTEA
zw(lggO%~IKvINlTx>_p4@?shJW;B93EyyH-C8nlqBQi+~GKn1dT98Q^0b$EHk5dsy
z8n(;&WLRXYdlTE7Gc`14Uz44aq5JhuUg>UVUo8wxuDbtXXvTcT!+D~Wg1%~KVxV++
z`-axlB1m9~Y%$wwSIa;eW=C~@w-mOF3#$rvf}KTV7~@_t`+0CCKlyiYcZC}4ei**P
zv*0xjubhbmC$T$;0-wrxh0N<NpJ$5R^mI@mesPN$yGrJ#Dk5k0ZReTf+W(HHw($Ej
zR#NhIN|rbLQ(`#MQ)H@eVx3Z)DSrY}&M@ZdvF@7u<)39`kdnqh%hkYzwGcfGZsBK6
z&KGXx*0>Psp6)*?o4FwU0~JLmo+_dE5-l}@CA=ep$v+R`BwfZ}n*s<H{)VECBy6|?
z)q;|`8RB?kOmus%uXT--N?zf0Hm|CAwJxdMRk&9|HA`gvmh3NXxpfv<-ce*?dtNTg
z3-G9>lf1sE_@@-__SK_p&_|1$UxvQ%Gm9|PVzvno`gwQDo;NPav)aWso!ZL#?S7}E
zQLO*_^v+q>WJ!}i9GT90G5)tf#}dYm8NJT@ARXi9^FLtxuZ%Uu|IwMo`5R?oa(q8~
zpEx`BQ2Zs9y-{?5e{g(xmSa%Z+isxi@;6QCM6PGjvFxQV>6kI;wrt}XndoEL5%eu<
z6q7x!gh|I>$YRoMHrH1elb%Q%^Uv6hhbxU79DdCapO^PprG{8%gS2jrf>Y}U;70nu
zh#|4$BOu9(l4L-y5o;7c#2>LP;#_?(a`>$ckGzBP&z@n6fqBG7Tu<9|FVK`0JcfKD
zLpC6M%Z=SQd9(qwR&nn3HSU-xS>=o`B^Mch?XYN=eci1yZVL;uda2PPS`f661pw7X
zv=&@T*pc0M7lQ1LQ+k;zPmsQoIdb-oZ)>)2>A4b6*glm=PS$cXwGo&rZJ%lcrcSd5
zjEMFiMnroMBVrB9lsGPe$TlR4vONf+;P5BNQsZYrhvAh>Xf$6%dJM-AJ=3u%(P4<~
z+W6h~7*#KRJMA;ZZ`m_2!64K%L5{w}SnAvYBUsyAKwv^OwgVvn-LG-Hhfr<)Bgm2A
zF6vm+A8!(0ONE|edY71=2-(UcSM8V-ZS(T9xsaH?8T2zpSciW^hc$`ei?r$V$A6z6
zRF(^ZA1Xh1=F|_&50GvO{9u%(%(Jf#!Ve~Rp{<l3Oe1dF{9urE_P@yw7N4>$e!%HL
z`A|#~e>2{2vm1UHOQ?3-TY@i0>2IL&vM=`zNcJt^3LUR{{O|~~{d_^}$nk}XTnN5!
zGNIml;U3y_eBl;CW*1GU8=g1FSoHrNZ_te|j()`-ru5Ap#`fY5$84QHj6bxTKj_-9
zE%<|={xA5$YEI;Y8(d+xzIgtC8M7CE_~91(A+ZI2_{vuK!|y&_&L5T)_`??ZBAZ@L
zUn~j@a@E<2w%AtABtBGa@$PnG5>8tj<hG?Ed8;5dY^g2o8l*l;hjkOcNv0GHgft@l
z>+!vyFUlI`R#HzZdkaaEi(uuj_0_IXyYY6!%gph=uP@H-Ltp%!i6SNX;_jfF$0OvB
zyH7N(kk*k-sf?QNNW|C<een`kJoPZeO7+EG@oj2#L0{w=fqzS1lpybT!L2R?FOWM;
znP}eIsJL}~Q9MC+5N)SgwWY>bl)H-CW@VCsCRS5w5`*cB9{`>Qo#2@CH=rHR$fP+5
zZD;eHtxc}qElAC01j&_nyn%zi6(aR=9AX2Z9NYFHQ<yVi^zvoj`rpAuz6Jg7TLpeo
z(Et8IR6);3dcEK>rrP0CxgH^p49^dX`rl`XoEgiud+|nHg93~WI2V=WDn0hfk#3~K
zOSoy!;o2`-vyF_ZF9(EUtlvS3BOC&mi6+-mqVL?bKKG!K+<#P0OYS2s_a8{UF~OYD
zzczrrrr&MNtmW<_!Yn-UO7|M%-HgPcspf|eX!?6XWoX*bA?<Ojw8!I{vj3~SP%gz|
zi*`p0R{L@bgSI%5>-LH7nq0T{<XyS{ZYdN!Q$9N47ZWniJ6_Rr4m+_$|3c}7clXu{
z<Nw=-Kf39KS21+c3m5MQNT*6I*CEnkeNLW@?9aM9+|6UT`u%a@xh&IEE4cYPD2slR
z8BIG#;T*U*Ib^pW{YSW8v=?lCoyCpklKo)6^DI|@j~(x5Kt3m>HOj#W8t|w;S=G9Y
zR<1;t0*H8b9aFX#E%zS?4Z14!1aQ)CWkOsufy(h<ErKw7>Tg0Br)>Gn>_)y#*@_WZ
z7xkNtYMlC4*5{jyK*7}Z{Q1YZUe6+5X|HqiN$M7=<{?P)k(~80!X{_!Nuc*Q-iAw+
zjYC|kWPX-7waei!X8^J5S@(4mFv~R%&=B2k|Cimj&3@%>&(CRf-G7FbO1u9@n$8w_
zy<^nt_tCq0_j<S9y@p6^f7Jv<*JT}XYsvmhz|=KUsW;eDENxDgB4h{WPT!PVUmZ-}
z!!W?+GL}1TWA@~YTp_5L#X&)&QaIn$UT3b!xFht*MS8d|F7s%3KU|?H`)kA4H-psd
zUTw?ZlpL~SEIR?$z;SHWP8jTND{I4tYj9iUE7H9#L^Ery=Ryd4VLlbLUw-w57=M03
z9jL|nI*wlks5sDc4nG}Bo8IlxbtxKwtaELd&7O&T6&i9(<Tw|Ci5x+wjEQWy*17#N
zJh>tRqA8F~T{~4%yD^W}%*A-3osT2h#q1T1ZZ}1efNeXYEsq|DW;whmGrA_6g*pi*
zG9W?5U!{)H3F=U?>$`}{<OQ4BJ_+o{Por=y>v@@*+}xA{_8%DGI?9n4_z7xE9>ocf
z!<Y}VykK5|`0yS!&m`@Gb|S>!pHzp#5=uT>oU7TD*?O~QGT&-;>p6zL7In-<%8fQS
zgFB95B(3jn(S~1h&taZ2e@?!%A^9Hr1nqqFM*get+9@Mh-7OtnYrvduz{D^X>(#;_
zS`d#+olAm;DsRG9gr9~CnzD1P+`HVVWDOQUwuW7-5+n*J0uuT2QH_AnA<-vY2qYR#
zs9bp}#UiOt@zNbjPBY0D7z`5QVJ_-C7O~H7W|q-nlfoNuNoGYDCG(3A%Hqd`dU<{8
z@DJHkYRUeuLy8snQHwsZ#Swml(#fOXnP&qc4{MD$8s=6UYQ6)uy0QPlg&6zwg#N|Y
z*}*J2Sn4d7AH9rA;rp<xtq-K)tq75>cY|3Hq$b;79CH;S>Gf)x<`Wr=pJwsKa3tu#
zF41yYz{H4g*iIHqY>eSG2xMagA1a=+q?{VizvzI3BSRq?x1ah2RBnbGopAnJnc?-e
zF32~L_*$4`{>8lU!e6nEOj`c#k;eDaSJQ{^dp`09KJqjZydZKPpR{=H8<Z{@e%-~6
zpP9eF=if*Sa!A<j^PdvsKNfrrk1FIJ=JQtp59P1(`9Bfm{}zA=`xo->;`5*2^RGdr
zRp<XcLY=2S+GY-yyIA_O!s6XE(yG6clxQj6E)nGWu7cEb6?C3+Ce%#kTO!DY<a+qP
zakSc-4|GGSWqiQs`ErI5%TBbFTFZxKQIlLpB+GT2m4$u4k|~aQOH|}BSD4^92Pf_*
z=Kw;Ch%|z<E>?0>@c&#0D%h9Mzo3Gh$4kJo?G#S}B5s&~YX86tAUmRl!#%7h9)2Yw
zitxCoKzW4qLkw#<t*0fb(G!cfP_)21D`>1>1#NeVLJh_ymiTA?QLt%v^`sNxvw<Pc
zYHZ<8iD-hmwdSst=zCoueYHz}LPYA*We~la?{YKhZ<WIlpU7Be3L4!h*UW2w=l*dH
zNv+LK=J_i+)Ix_!YdZ(bF0XAIF|LEY11&_{Kl5vx1N<em&wm&dV1XSFT-C`rKuh>l
zA>jlaUw@K>*4#}~#CLLYB_Ort=1=4&f6%^C>N1aZ9P6E5!h7Mor5$<-(k$=LGsKj2
z=m8=;o`(ZLyuO>7JJ2;1|8A7`AEJ*wyY(&08y_F#e2fY2JLfo;b9j{V72w%-&d>Yy
zgVb(LaWGBrO%2!Gvc+uNhdS8+IKp2OK&eRq$BO7>m)cm??sbc0@988~?rLsBZ|K_i
zl_-|P!OhdxD{bgnwvrwvblJ|aq0a`_-ml0*HpMazb}GbClbYBe@9^5gxLD>{wq=x+
z67wwEJDX1#%TB8aUp2AHq$Q#O{!f=RB635Ts=d4NOt*jKn~Dvy^6}c_g9)<0KsLp*
z=I2Fb37Fi4WA=FRKhIZJKWN_0ru-OW>KX}rB$INLJ^9Zp(I4q)J_ZU!?fCI$ACyuX
zev(pK`hP^*e>Jh>)nhA=;s8~4dO{6m{>k9>jAie$aSgRA^El5$XJSL|oI{Qvxss3U
zgG&i(zc5eVx&LQ|3TN;6p8ec7TR%hB2G^co1)s%X9}&xj85`!Rnf3#cw7{-liH~Ko
zomSF;bLhe#y#w`z3rO>FdT{Nf{m{DB_Y0<fjX*4^dmu-X&MvZ6SPmF91>arBC9s_%
zxCU=${!~{k?5?SNB=cNm={2uaz>2TgT=7>bOr_`yVc?A5N;h&RuWh=YUwaJX=0}q2
zc5Mv4yZE4YbVKl2#5ZT2h*jFO#47)sTz54)Vd`!$t&_x~H^X>?>8l7b2eXMs-O*;5
zf|-R2!yS`h;|#piEiKu7Y_c;^l4Ayp%bv=q+!6?>(EuTPqd*-y<Z(8@W#v!5!)hPQ
z-A$KVEl{HZ;yVO_xsSN(c5^c;&@Qi8ZylTVSH#DoH*c<`kAEhZYhSBcN=6y(B_xUH
zsWrK=>gon*KR<>8sBRhY90g(G?W8Yl+1rI3V-9%(T=^3PDyN=m*ALEL0ItgK_2!4<
ze;cIUV}4x9BR=ISpOPU(O~v=K3qR*S=F`vi>D6?VE2C(J)+@sAi>*2OfMSz(@Co9#
zW}eQsJuKW$8vbSMrMkAtZftt9RZLgCd;H1XlOQIIK>jo}QbHM6?B(a8;9|b~L|8ix
zS#1knPXs`mDRL<jk2Orw!38kv)XFOU#&@n-xU#15oy@b>ylQB+$<QpFW{jWQ46<Ic
zQh%H7=euHIcmG_fR>N}R$+dSU*Pk<K!qI6GxqgDq<z{Lp@|yMMJ|`TznlUh=sG`@b
zfB!(m$i7HSh0XEifS5A{kKT;q@vpa3==vy_2JRp3U}$4STV+=KrL7XrCr@;}k#<H^
zIDraX{~#|)pYBkkS&*~rN9#%L5;V>%45nu^yl_A=tSg{<Sq_oHOUEV`Cj70(3G!F?
zM<avOR6yh(j&%1^>q9qBrg`&|>sAFk2SRRL4w8onE3*kAxo_F1ly2U}>g(rwVYquT
ztle5i2KbJgQW#hEMyqRCd>*(_&VefcWPt;Z6fjo-9^Vdt^dR-{4BwSZP<S6qlr)xg
z7jj7N2Sri(XAZb2`Yw1{YjQw2N)vVphXOz@I5AgSfPT^0_rktLw3ej?(DyC+I(v)0
z4za!#L3<{E%RI{w&6PVPUtPyD_G^OXM}oQEtjw%WuIx;#Pq<amw5FatX9jbJ@0Q_?
zj81ZrbQN7&*u7)&wPSH|sH|MqHuRB>zc%seMUYA}ZkXew{(R!WGKo*)jTXVR9bdHw
z(8eNo7DQJnZ83l;TMS?_P_y1R`tRo$G4NUf&p;r!q5v^l9nIg%2sS}q{XM-+_k&$r
z83-&`=53YAJUClX=SwC^KE`QPF&pKA4QT$W+A_xN!UM>$MK{N8(aoid27N_X8-%}v
zM;B|g`RrBe<LmmUb$^EentSkMDm79`zak&>UF#QhEoqe)K%n#no(i<4fX%DGMwA~8
z?F+~U_;!+=Rlcp=l`Xl6HC5^ucS7sx7U)fXlide~D}dbnYbf@>cZiw)YpP%HS6zHD
zU@kX+6tG?AW2cWb27B`a{R~|iZ?<`B&SEs|j30q!JTNxwhCH=gikvaAHg?ToT~QGm
zc3(Gfm+hLJSk1c@1H1UpTy%2qc4@~#W5>_{^djF<eC&3zx#}7{r2hpPDhCa^M%Nr{
zVOcb$cdK~jjK)}IbRC~+kRZC+^ffLxxS><`8)c`fquJQ=JkPOHw*9X>aI;5OqcFe;
zEdJd(`kgoXY_@S-ueJ;Ao=9V7pxu<Tzpb_nF46rIkxVu)mRvALjZ3qvY0F;7Q59}8
zN8aS7fgp97!PeF}dw=3xPQv9bT?%pTJozdfC9Z5uZsyqGvs5rLH()LZ(@l^U#*!L!
z<$Q`)H0R>SEk)W;GhAl`Mck-hFn35}YV(wHVwG#~v0@1onRMJ{Ma0D(@z=0CtYTS9
zEjB(WY3DHiXlcma%^BS;GSH^2XtW33O__C#bE}&CmE-a6*f*D&`b&eaO}@6S;ay&c
zS;IM*#j%C2R)rUeM;9=xtDl?qkwYH8P{PIqjcu9pfcXXHyS0Wm`qr&(=*Gls(#`uw
z=G`DbtaU76tF{{>IoyVse*q0eocb2%R~MBxB8YFRy}EC-RP<b5zW>AvKMQK<fX=Z#
zYgb#IVxEi~UB0k>q9$`nj4M78>LY53vRYtZ6sS`mpX5j+vYlzjLFzH0kXCB-StqN1
zba6tgtFcD;TRqyur?zJ8`OU<TgM!rmk}|KIPNr8pFhaBeuh)_GS}X$^7gj%9RHt_n
z#Jr4&`Fu>w7ju+!bj=xLC%KMf!I0n}g2Ez#gY(UF&wTZIo!d7!V$R6li1H>-e#4e2
zn(TQ}@bo5$hRr<>Iew1&WnC<H=?<}>obC^%9SO(b6R}JdmfS>c55G@{7|gAhQPrB9
z-c1-Jw~p|8moS&b=S?eSXUH%z*p&f5s-~w|V)AduBR5aA^Fb@tUE?02CD?vY=Go+{
zFD6$vL3sO4+9R?4-1tWl>v@RdHu~YmCEwEAC4OAf;|2!paLAy?f$rLTQ;id_<<wVf
zf(~c6%x1G%=%#wa=)38^K6yE5Q+JSB!l!>bDb1l=7N>0u&Gr+Vpi8#atbbnh(js7Y
zp8-b|TA4KbA7%=5>#gzWZFQ>Wo`O8R&CZACF+PK50k4MPmM^?IpLRkWI`w)1xBhV>
zVqC)za98c<fO`!&%7I%4;+FvT59Pp>&vyh|?YsZq0<L!jYGw%*Cl{R^$_4I%$0pY8
z@J9Y@yT?5@CDy|jq-~^EXxee|(5^S^BBo0x7Z3(s-TXv6f;ILMm_ZqXC}9jmUQx;*
z!sRA-Yzqm(mzlz-w~kIGow(g3YJHCwKx<}4TWZ1!Xf-jVvLZ<T517;QTC5jZ{DFsT
zfL2P6Je8vbf@vvQ{K|iNniGg3w7B&D9L?!Y!3dCjGq|3)+fENJiUt*49#s~`Wh?D{
zAHy|oJPs_fceR6nw$5o0Yb44Ru~-ynj{@VOz=S9;(FIcV2?h99ewUWJ*D{KqtpNX&
zN4#GD6c$g^zx<h;jqvMaqkFe1S|{6G_iRJmi<5q_%pY7VG%iRDfg?nPCKd`!h^{G$
z3cX$FTXH=QQc@ROIoD@jbXNTgI@Y`NJ;l<qNp>&gMWr>GTt_7$T^lz_A<oQl7k8F-
z8#`(@8C$d0ui=LUazJZ#Zl0i|0(PJt)514FyG3m0{oW)8o+;EyI=Gpek@y|hn(1nF
zFE(Pu_+db0$@!`bf_Z0GReh6NY^!)xDizdLRPYMgLhdailz8tG`28WOx4|_qD=ZC9
z1O*cB@x<6&n9?oq3(I#HckNi<SiLWG9`z>P<887pTHtK=9AM(TE7()Dn5%dMgMjY*
zx=71-*56b*)ZJtnKUHkKy)Ad0!K5wcllh*lvFko7&T8i`1;9qy^eUEp$R%>krLcxW
zf`_b+WgarL$xpdMHX~hvl<b7>G;`zGv?FUYdiNBaUh)cNJb}N2h^E~cG1!`8<C0bL
z`l2}E=7ZNIZ4z=5Dyd-&&9!EJ-OW#1Zk%G&fian%DIu23Ba5%27K;t0eF4b%W*b%n
zb88as;o9Hy5kagD#IykN{AVnH)7Zfl;JSiSfmGtXmB9Dwgi`EWZopXupB@>^*qTqD
z2N`Ql(sCRR=1#1Xju51tAr~Pkf6|4heW43c{e3P({ioA0@~vd4P+SVb+4l)()BhAI
zwClpmevLHAR*xM*&VPoh#w1>j6HkaSUZ?;tM}bBK^8GE-L-h$hlsti73rvgx;}poR
z<S<KN9?NdqE9Vdi<>p`hHxxi5y=Kwle3d92PS0{(<V6&-Wfk-Z;la4Xkp3N~3-1z?
z<d{C!lgb~)P$bt5ir|wIOlt)s5G)K9q*z>0=SB*KOz`N%HI(`N(VxTH5FEUHD3&`*
z8k{z8A<l`~T^JXkEH519AEML3+Ix-b(ih?R47wpapUH2G?}Yt2Jg1N-dt&}tU()ew
z0limOzWp<yxd$|apjr!rpsMp1lOxo7QbqlW#gq5E7BJPk>}tl>AbpTTi?jKITt|AM
zV-@fI@%GG|_zsEncXaU9uQ3FyNF%C-&xuzLzoTQyyp=2{p4GtYW>aA-cdzw<*9m4V
zH2FSA>18~dpW$HS?tBafALU%57Yh>l1s7+)bcTb8T5@o2F$_oI`5bFFQ#7Dym=RrY
z{l|%D%dBgXXKrLK<FpvctKD15D+xksyMFdNF2v@l+yS@gqf@fATDWJ;&aB|E)z!~=
zL0-TOiRWR%8%Phm=4tnG=m}!!p3QPULh~d5=X5s`w8suv$~|;^*4jg0r&896i-7X0
zHaP50sKRYf$wNNhY|EE2028FlR;VOP0VgXhV@78tF4vPZKQkUNqAJ-rb~u+Y-mFh|
zZp}|2h9T|0z@t;YrIVr+Lr!C$uGL^#E%R5hf-r+e_!&KzGMY)fr>L2{o?p)yBRau2
zbXiGZ;RqL7KuA0xaJlEJu<8L*YhZTi9x>-+CmP_iZbn;aZfbDVHGKGr#cLxzJNL8V
zU^6bJJF&_q5Et+=6dUizc{zG*{^eCpj-FzI5VRH^4mx2UayKEzawotC+!7Q_o6C4o
zytp-06-Mh7t3xbvUH#qEt0kkbQlMY?E=9fNR~=<3D0DGoT0~z3$Qq-WWl&yR(Vr6P
zZ?v2gD(bR|NRgXnzIUBJFV16ullHkHj%Tw+$T=}u5hn!G9$~&qCWP6XC_02b$7xoX
z%`fffX7eZf`VpF|LHL=Hc5{xadhzpKhc?`+GV(oReCa2d;xJ1Ar^kVh{e$$od~XdB
zZb9_`!6aY^P{m`}0;&F$K%&YcKzOThWb~#O{h3XsSk8-BFeRHYx^(wC$BXsGP;un;
zq8*(}sqPB;mxgJ88sST#ACpZYhMvF3)sX%zJ|m&-?3kHZ`<trdYbf%YVe$!Li0J1Z
zLFUa{BCx_YEMckTU7>}sg)dcwUnH{7-h5z<p0_qX5{4>0@0()A+VFAk$}CL2)SY;b
z%Jmq8zSbn(>kd+@pfJCGq8+5|LDFI#t#R)1a1Vyw`263=8p<^(;s=I}ezl$WZ&Sd9
zjNR53c>p>%Jq2Ft%fkt%MT*^FcnED<;uDP^26`D_tHAlNGKJsA=31Z&@a}OmvaQjD
z;}BKhU%<`cdLBdSFv*}+m^u+1KfmOkj`9u^ChbOU$#HHSm_Yqn#r-<)g|g-xdz%S9
z_Js~E-eHcyTLn%e*8Iz?VL;y;KUi%jZ1R(Xy<x<^#R<M>1IC_c5;0Q8Dr~;FscWH7
z7P;s6fEHnPzhn%AU~^3{dx^sF3lJ_?N02YP#KSGbKQ!+!<N;)05DVv>sdae04*8YL
zr(L6Jp44w{ZZ}EhW`qZ9qp%1E%uz7~<P+Qe_n%6bYz!Zuc|YHJBJ5}MvR`uXSX!@~
ze2cvwmcE=UiY9JOygz^M2-13<oW5DFob(e`)31nkSbV<f1u+m)-h%WDth3=>+WU$$
zzW(7y@vAAQTH6vq^E>^+G0M%<vTX@-*B>HbK1KKFJou|yF<s~$bs)xCTcGzytt+mg
z;oS}aD0r)F!u3Xg2<7wS+cx2bdRN8axZX%8!SRvBn$>cfWc2dITeC!@N4%}#^>$<m
zkENq-e#_U5&*Rh~Eg<Q!sXdhWd_KI%c>n0XI^KUGw!ZLO@|4hbAJRuSMs&;VxRT2=
zkB1$=|6hPdS9lggq32gvbE$vA4-5EF6%N-lUS4_l{fE;no<qfZHgUP$r|uyX%ssAO
z?h>d-dx(>jQwr=w7J!<*Y5~1>omxd{G*@?vwG`J@(lQIfA5shN$zEQ`Q>(YQx(VGt
zsOQJJ@sf>-o4P3*5n2h6-OUb%T+5@&F$tVrM|KHBMpz_3Y-fqsbTQ^R?O{7+<ivZA
z6rsdBnsh4t5O8;R@>@dVXNI405#ZpD2+a%!*>`mUvq(BzZK$-v@HtE!@x!6TXNU_Y
zxlCz|_v?fi-owO4mp7bf8NBD7_jQ~?wlZJGvlZdrM{CWz-*hTlgvmDsW~V#-C;rK%
z<ipY#+%{#9UQUqx%;chhCA#lSw`DVQx^$<GKO`4ei6AwL%xDz@RK7Kv9>gz>J7cmB
z*AW_%{hbt<G1;GXTk@|2$JXqvYxs#}s_XMzCX2*x9COIp*aLs~z57Qs+DUC)xVaj2
zcR*Wk*ZQ`8!|T~gCAK0H`)gZfTt1eWfY0n$Sk;v7zBUN&ueg*w<}ZNw^Sj}k3%Z%v
z{G6LNZdPZhrXoB6o>6w*i~Y8etu{b3R@;|eLBZz5jevGTI@>{tl^E?zV|>i^9|Lh@
z+ez`y<$HJ+5B0HN+8j(4)4+yAfkp-LFZ1%Iw>u7IUsk34{#;}1ydIhHhP36rQr{?R
z!H{0Yz@CF(0x4BPAs!yZe8oZF{NUA&3v?q-3vEqb91=TZU2JH6>a(%rhRR8M#c~(m
zLpcdf^?Lqp;1a9kj^b$Zk7G*KkEm_*3BTbJ%&n4a_+m0_O1!skFiq}tx!6*fo2I=-
zH*&Fs37j~l{nNsWEgV{Sx#jsA;o(PPKGJVJ4+Q8}?^|KVRB$TtC%<ZAgBkm@d=AIf
z_Y?hoGDtPkAlLfi?>*Z_hs`+BHHHM!ZYK_;sh{@_lm0->MS8iyZBVkiu%m720*>^O
z7|$VV&r&S8hJY=lwFGP_#kx6~OM|9&(<VVUz;wgh@~z8Io1z8yt8a6NFg6j(orsdx
zR!@)aWigkA_bk6^tx?85VG;o?4>t&pg1M&KO;-iI_a?!H&8?Z6t?nd72-)N=X89{@
z++6ysW9nZdvXq}Q(EO`CX39z~8e2lkCdV?Ls?shbThHzE?*LcHZ+<f)G31jSAHzCR
znRzyM+|u0T3kutmJ4}i*lanq6uj=Os!Vd`6C14&z9Oejih=JXI2I2oHuIs_v#;T@F
zXKv!s=3Hz6`}{99CG$;9iFG?nlJK%~F#Q5DBYf=;Om7rY9=BxSOVuFh4!QOvlY-oo
z+miV+EP2$L%sZ8TZsC6S^#72Nm1D+Qlp~uQyD=zQq8n%6w|-x@<|KQAc$SA*EH{dY
zo34adu1P^-Xt@#0lbb@fbI#-Hyywc?4;Ic=uH&2~dZcZtw`LZ&;@>1@fh&IbCW4w1
zm9vgmVcl<_!pX(`V#$U4|9U^L#<~;Lb)V|;IAR8jVD4bEQ>?YJk26-^ZjhQM2^dG$
zVEXPtB8i&X{X6_=heT3Y!%qI>F24=<Ie5+`XYRN=_zv$R==7k+lii)eG5P!k*fk~J
ztPCG4!@riy!p8gX&v=O^WTjOOWp*qMAB~rIlvTQ=yo#C0bq$-DM>%SA#TLF+6@G+h
z-jgpc{}8qJF0Yp(`Y8WxqRaJVwCQqv`86W8(3d4t7U<ddDa=v)v^($ksczmY@<C=c
z^J!v=nzPotqUL-QUtV*T;d9%>?^B&@*ytPS%^^O#OyLd4X@z<09^M(hI>Usn8P2Te
z9w&XsXEOCWJ}?J6N-rVun23Ctk^Xj2dbk?^@bYRI4-AiCuB{*bn$byQwC{3og>N%A
zJ|FnT>K)~yPr%vO?%;5MjVi%+MbpDV?eO4U`LNsT?s%Lh`et4eHLiEJXGq7;7LTIr
zkLz546~DIB3A|U+MEI~d)!Fr62#mZq=B%X`OQvQwnFmxjGGb_!zxq{&V53!TIEn=F
z8m|qto%gy)YxWvRd-g69*kD`Z7;)Alv8K#FhOP;6+CanCKBk{x_lf;AW&RkXWJitV
zPOrY-PVngopBt4WvtvUiPl4z~s~Ny3mUSBgP09B`Qm0inXKt6E*PJ=hq@Fqn9}K~4
z(JX8FL?F?ISLzdLG<&0PpTh~Y`~)c+j)}WR(jfj}k^$Q?dAsm5cF3BxLsrKQc_Nmp
zPQ-FY&W$ZxU(MsY)v?NVfJG%nks~W(3s+X>AG~4X=C(ucbam`me|)a_R~44AUs4su
zqL)*-D^fZM9!+xSlk>*E|7vP7sbRGD>@<F+>uqvTdnO+(oood(0?(|*$i)IS;@myf
zncRalMCSML^Y|wlzvT!~alu^RV0CjJhy&4m%93kuckN_cZCU(!{tM#@k2ESv&?If%
zEc}S&9Jb^Z3{l57aV-ai^Zl4KVMsQq*|&8dk}v&zF|RY4ZGvFWSFEO`e!Ss8Yr0YI
zliB-OU~J@~IAPd*Y9`33Lv7jV4xkrmhwBCbsV%oaQEj>V41;oa3C7{|48q`v%SkH$
z1gVv)H3NuIQ(H5Q-~(Pr1i%Ngi!=^Y0A;SRP5~|i<DN(YjRZ_Kju9|PrJX>dlExB1
z7EB5n{+ua(+4^c8+MO}*1lNmtS~E*|Bh(StTWv#ab|Hs6Nk(JYZbDR~1smO?mi-2B
zSLDwhI^TwL4k1BJZQ8G=<sglZK4zFDZJG6LnRijA+DNO(KY*JHbM$GhSTV35=hlRn
z;2d9^N7vZNSTrHRR&IxIbJi0IZ%@no(_hv%HowMPpE?GR9k~#+ZniE?&{&5h$MJ(b
zN*}p)PQcp;XjCI;b0c$NQszdLaIOViji_3b@IDT$xl1Yu*ZR1D`em{dS7&j~?=zXK
zpa!-t>?{xWX%_abGWT?okGWN=>}N|#Td0`IbwzGwzN4O(l~PycFpj+9HrED-2g!H=
zh<SoTpTJpruy%i`$j@U>Ec@S~JVDrI#yyP)oSQOF>a-0a)5}Ok8#+<7m~CPk??W<r
z8Odk^Yp{;eBws=>O1xK;i#VuJDxch_iQ+yvo3`A8WBJN|{w2c^-QS|<@F>v3t-GFn
zcaHF7n?!t~tLDjwh)psoKmS#VPZdwOWv`wlvo@vR>2A!b`Y?#Ssf<N}Jl&eY>^+)P
zcXOD-g9rh}=)_a*bdLyR0^!W_wk_l6D8dJM7zZ;t$q=i2oEN=4PHYn)a3K>eu#Dly
zBK!a$jPML0?p0m?eT0a}v_N-FnGL@|OpcJ@a6^U-zbV0m{e%m6Gqbm|xv;mh1Cfqy
zx3wNkf6>rkk7yo0YNZkk6@O&rrXsu~s;B7;vwz6X*s<tq-Vl4sFX9>njwKGn9YWtF
z+{NKlQ`dAe1(8-Tb$GIe8xw0bk2(eN>;76Wb<_r_<tCkYS7e6`(B>BY$WHej6DeZO
z?KGoDKb+c?c~o4prnN*V(<`%V={miPd~?(b+ak4K;CFF#96H*?wQ7UZs{lnRF;*9x
zK+meL>p9)qm8Hl1TJ^9v)XAUN91rAWSa2+s4xgOfO{P8^i;tvcFV;6DAFITUf-0No
zO1}1@wAV=kbCVYk*mqJe{M`61I8CLOP{7u?KKy^N_0*!9$nT>Wn9AZSBTKn%axzoP
zQNPIfcLf>r=^YVQ@#(db(PZ5Auzaf1PU;HUN%`16yiDQmj7ufxV$nY}`<T;E?;}k{
zmfHNzD`eaVzl^r3^B1M_5~d=&?iH`G8r>9R_Rm?p@n8B;h0=h5duFXWvl4B&>WFmN
zmaEPHZJ|Q`N`0~Vy<UR8aVkxsfse`F+|78#WbMofh6P*MQeS79hu6gq&c)VZESq$|
z@Ll8kX-{0&EXu>-S<+LT*niVCgoKlvH!*hCl-#%nE-6SELF#tWkS+%6qJdbpn&nTP
zZjclA9cd?m&nYHc2plyEjZ+9Dk~ri<uhwDHC3VFw5*x&tAR$8n^<XcOBC$A8n>Eyl
z+Q=(h-%gfx0(A<EC4gwf!|4PNt>^#&M5|NPiS|YX=tz6a_+a>Rbf{J*?6u~s!B!{i
zwdNLRxcSA)9d_TrxO_Lmvw>%>ePKd3RlWf-499U$x5^DajQ2<Rg-xC<d-+nuVU>Ga
zzvF^bC%^ORu>lHj4;)QERzR=Qj>$|$8kD&T&VsG*d+33NWkezeIxFFJ*aXi90V0(&
z^I`@Y_utV8s5E>K-A+@aS0%!+^u_HCd|e1>{!T&a0QD5pzdXyr-S_|x$;Fld=WsWN
zn;mkcr~vt)$gh#7uX$q~ak1PF>u1|9FOx8{@}t%)who;>ke?v6D}QC}x$OzJV82Ud
z@<?<5{k2-_pw+>W7yUV_-7tL(viMkyv(~~|?I_g?aQ?xh@Soc`V1-a8N>&I?GIZ=3
z%#Bsb^qXF}AHB}n<GJb09Y-bB9~H;#>)4LLGBf6mGxV=dtgnk7m{<=HB-TR(FH$D4
z9x}Lx0M3-@Y5Q7_C0^6xZhrg(GHFBRT%zrp$#(2ysf9-)*_WI*;U%yP54v&g1iqom
z$%+Q=cd;DPJB>ic(c|V=WXpx4XH4`#N-TjQqTGrOoN;W`NF4PRuBeE={~vqb0Z;YU
zKYj^O8HG^EO;)l;p@Hm~>`+-(6t3>Q_RJ`fBu$a1RA@*`L!_i7k<gS<E{YZ{{NLyE
zx!3CZt?ziA@ALaVPxtlWoX^?kz0Ui*&%%;ifhYj!PH;LVBl!*bNdjEVf`#zLAAoQ;
z|AD$WQ#bhxf*zbw<JC=0MWZM>g1Qe<#C!pGAv=soGG-BE4lDTXB*vi?c*UJ*7{={=
zq3OdmiO|-KkXC`v+0oK!WYZEzkYvbyJSZRe%W%1i-YfyAO~%Ml2bu`Gc&7k7V!psm
z9z$q6U=4pa9WaOZZ!;KRFx+uLB%-=mRXEjQ_le@mPYf}LV4H>@9*1=owiMsS;g7%w
z-~!CYw_qWd)Px)O0;k4&0p9)$SVQM!;zg$-j{<M}1&m^xp?-fX2zCeWz=B{6;WQ9W
z%oo@uoQ8QoUPK8o@<&fb9&LDEPZW8yAb%B>Ulz_%V;(8q_$`<RPCZzOp+pg2!NfcZ
zVKbWq3Xz7&FpoIMYab|58K!RoZPBp4LYIX)5kJGeN8SWj^8v2cVeXH3f&n!KI*Vur
zS69%z1m1|=a4O?HJuc=mH_bWb^EjF-EI5M9N5DtxpNGMto4f;~C14S25EDR(48;s!
z4{NMO5H^TW-BKJ6@NhVoGqLLEQjh>d4WM!f<Y3YpxQNs6{bkoMeG6+NZsul~n(-}h
zPaqp8Q!s8IoMDIU&dmg0ha=8EKnXM|!s9!r3DAx@$*g7+S=)~!>k!Y8gc^@o01yvB
zYth5g7~utCp38wd0Kf@>dp6UHF__}}Oj8;AOnKwc+W@fF6t+JBInzUj;69vnQirh)
zE%qmDgHCY_g7)PF9JE<zV8f*VeF-E0?Gx^2xXe6w2D{9LfXRR{hzJZO3;@nX4Gm*C
z&zo=n%7XRrOYrmnDwUyOV)`sz3PLd>H>kE4Ffr@@0bsykC|QQeLA!Dj$U}(7?!Q=%
zt}SM4@)&3nXY`>71}r9d1Ve&h5Q6Jfpn1cf#2Zh5fYFemcOax-1DFf==m+pmpnnVS
z!Ad`CT)87!B3!=!MX!T@P$3$IKo@ZZ2WS{shyZ{flGlR|StJ;9y{ABGDCuw7A4c0A
zn05!{GGHe}(x5d#RY;J-0M`u8Fm?ei8U~<j0&ITW%kZL|Y*pYlhNsAD7%nPFH+en&
zxly7F3*IQvh`C!On!$zChrof#h)^Iy$Ks8@1s@~ytgTo@n5xCtP>5+;`0hE-n822`
zRpKmGFw(iUGAcuA7qeYR^V-U28&bZuG8%&PFT63h3bs`OwHs++^oMA74>Sdr&*yMS
z{}Bw=AnE16LDFkcCmy^4=mCNSAsCc3gdR}VFl41%LK;L{320m($rEP42UGnmqqjm8
zAom!1PzKs6N^lklL*?Ksf=l>>>4@MMqbrS{DSL*o3V<461&tOeFdCr7C0xc!LyaA@
z!y%n`Bz75CXCN8+%fu{*&hIcf5?5#|ZW)$}3Fnar=1ouo(*L0rOTYmWk5--NB0ShQ
z0F@xvVYmE^;4E~Z*a*(jgn;ijO9BFifg=!D9f2dL90!Le0No<_U^BGaB>5PF%#mPb
z9&{T935(=oh#pK*^d*LtH4T{4XSg8-)73$ACpH1JKo&FR`8aDpP9%I#*}r?Vig24T
z@5i(7#$#`{V!Ip|o3(!DoD!}MfZ~dF0hp&yLFK~rC^)QciZ&etO+`B}8M_gJ;OOiM
z8W(ncHU>2n7B-HfcEyzs+j5-(P)D7?)>VNouoTGdG`Qs&9nN7a%m3)CZ~}R_<nKI<
zbBPlKb_fpgR6QeD8-k4)hl$#(ZuP@G+dXJIzA&_J$U=f<9KvnN5RH7qHfivoJ-cGy
z0_$a<4NimmPX(YOL;Fu3LpjX-rzTisKkph^?ZLZ`X7<dDy10d9)aHbLPf~g|a0HqY
zf|a%h-3<_Q6QA$hMJzRlYq~j>?B^Y#+x@|w(;XloQ%1ophERUe{o|~I#u9V|Ed-1i
zG?%bL0DxDyEanT?;L2bjik1Erc(4@8!KCCgxJ(oYKeT`esOo|}kmj)Ee=nfLeBMb6
z%y2*oPzI_$=xz{<PkDIP?EpWf!XUi{oAn^fB7Mm>zLpj-Y<@$9IqT33uK4kKjR2VQ
z;9FIIQebLBgfEPrhfjQrl(5ltu(kehQyyw<2`<xhp|wac4cs!~Ku-LnaCZYj35Z${
zE<Nw_c;l16s~fY>7A~reiDJ<WoCFT5QQ&xR#sHflO`p-2A2oYeBVnq&3C+a6V}%j(
zHfTQDB#&z^u%!jA0|&4VP2N62z1XY@rcFjz8&a`Bm!T_Rx4yu5g5)6Bm)C%PiRqt=
zb%m!8Y|K)F-Rq5sm%w73)99AbHlbo%oJQgOLPD-%$B%jj-Qfd-U<Ac%9_pJ0<izCT
zUgUuvJT(LoirHrKKi%dVkmI-8>~R8b^ZVg#PP%hq==1;|zzzb2P7lCAI&8I}7FHY3
zy`tqUtaJorj8u<<2Q5{D$=nkiki?FaqT580B*4rBwC{@yO0a6z7J44lOtS@z3PCDH
z6Q*Ok@m4g$_b|AjD>p_E@<@vCMl?N=e7`3U`W>L%K{@MJgcGzqw6>!bYj^?Ha9C+W
z4R=ND1X~okIRhHb$j59t!gcZm9B${KsZ7+tp+&&bkRU?y@_1<o!YY^!o?)HZ39TN{
zDIkWkL)`iMtl42U0zHz@?h)t_fB>`@G#ouh-5%_Gz;V3u+^EMeaA>r>xr&C63le*w
zGi}e%$9D`yPlbI3%-IB!Ik2IgsUt8hhoeI`(F_b|06+=6gAev#6VovU0~a!m86#^G
zC-Q+M5X_2g{tPA009rIcErTRVU;=GMKu$h`$*JTWh%XtMHs~=RYxYZ&fy+>xAq&)7
z$WXouF$LEg2J1#hVw`jm)3VX%g$jc#NLBd0w?h~uKzBxBG+_Z2^k+my!tb)*i=zk^
zfmw7V&`2>m&H-o;u*4r0NFnAU7@H;rQljJ3AhP4I3V7rB0km{C7?uWOd>ApG@p%*`
ztty6*7VY3LvZ7^-BB_ofjHs<aI3Ps2q6adXm}N5&4IIQkG?;S{qOaon#^MuDorCJy
zR1Bc_n#yTbbR;tj0EU~mdDo%$e9*B>FXVzDV=SabrtSss4a+R?=n2K2@KrMsvio32
z7}h=5Aq^lI)<xd<r4TTxn{-5y%x<;KIf65NTn_*f9TFU&1#sX2Lt4N`sByFwfDKG&
zOh-4QVpcH`AY#lo@fbRWjqLX@4|Me%76pA3M|}lrNF}&`dc-7<zmt#jaya1wQ*D@A
zmqQ1Kol7_Yp9rBE47S6j&m(ycG%u5+GK5f=P2xJb3BIfbcY(oNiou&;;vD47Kgy8i
z3??>D%EWXaIu$@T2>vq#IQWggG(krP_;6zZGIV2SI*?Ann}Ce^U`1w4S>lL{{_8;*
zhVMb+Ssdaoob<qCrilX-5kEG%0-YgEAMimVV#*bIvImr_z{QxtV=`25@Pc8|5D60&
zTyGd|syT+Z7#8oa{RpTIU{!`d#P0irH3q=u@R@$XWH@W_!`WdAAPh}ujrcH9K$+>!
z(7A;Wbb`?v@gv-?#%SB`SdLIr7-E~1PC?^)H4OO7r9Y(XLckCm8$!TnzEFX%K^xHY
zd>k>W;p_nY2*4Xxy@VkRV?C692ZbUN95Ux(R340ZfXZW_HOTUt0Q)8}y^=QpSvcuN
zSb}l1Do9SNz_3w^Cq?$+T<{{6K!&?NB`<YH%1Z$xFL&Y%UWuxG3gk3Ma{7nyo~6A*
zwO~V8NA)l%LOU@`g3u0(f>Os;L^W_vBmx9}b{&qfVvG+qMFdtlGQZ-L&qbeTbrSy+
z1j?t|V4rL;n*;fP^4J;nuXX!@xA27$5F`;GEmA@m2g%S;V=(-Jw8T6B-73rjGDHhJ
z=-i7r3P2KQBWU%^Sw#%^F{~tE9>{k9Cw!PpV;(S?yJ1nVd`7}NV9<BLJYd+i0Z)qQ
z<ruhuah(ws2-fz6n8%ejUL8D0XF7Nr2j)@u9%fO1b!imKbq<f+46&oRf&kkJu-6Vz
z!ZKWciC>8&Jk|_^V3C}Sv;tfo!SzX|TEeIZI>B5_HBYf)F-f7aSS0O0c|p5Jc^T@<
z6YwJSCFv<H`Ed1RxLkwVOF)q*lqdriDHc_jo5@f#a4Q-LZ-#KBa3I+*x<5)_B%}92
zr?BHng01ictJ8paR-hI%n+1V21|9FwhA6bghaStKtH1|#j1A5|Bp`j2PQ*f35@7vc
zH~PK_r^yk?!FMuNit(V$G#tejKzvdI%v_o4)DwZ|AYe$jN7mEPV^$|*#hZ2o=n)8S
z4AT&M621-abtwb5<Te5AWHd-Vh8Cx=9rLkx-*FIN&>l8YLmU7fUw`BK>H6C(c;^g1
z!>0|Eb|jT@Lv}<CIS(<qNmvL8U@E;IoYL`(xCDsnXaVRqLqN$`_y<IW5hGGjARM&}
zQ&PZ>r~p?}jxy8~b^sTu!jhpXeT1^XK-LTi|8*3HHYER;;=lw*peI4EODBL2HE3BQ
zAagAA1dt7<)#O1|0BpcF6MP6kKv%R`45<)AL`y+au~nchC;-2|r4oD~4ietNU|I_6
zVpzG4y<zF;7=~^Z*i^C;;-Fl4w4Y!j_?ab3GfSS1N)~~VX;RqQk`*L^LJ@tspmK3r
z0N7noxei#lY_OuB192TKrT88F18u1d&>KyN9YLCCG#Eje4G=JzG%N5jfoo>r?PJQw
z^&;?1pNWA8RXGlQ3czP6T2V(Z)O-jb6$q+m8w3iGMj=HI0_&@o<ru(|3vmolOOs)C
zTMTs@4(@@Nl!6_aSl9bGad_syJQHXHS!<Im8qHHkaKk5z%aF_<c?ZrIu<FJF-wg5t
zV{<c9@;i(X@>9krZXT-84zCa@=!NDe*Fx1>FY6{@^)d+8JjHVG0z=qjf*1f(TrBWY
zBIYT}Krm*b7BTb|WG#Uqb7&m}8wD|m2t634yfE~>iI8<jJ~FM~CmHfF6Pt*c!vqXf
zf#f7=0dK-|Fo@Ax+mJXph+vPNdP=y0qOc7C#NPz|W=MzuA8Bcbm?dD6s*B5?gx7&)
ze+a_HKZWp;r`U*u8e9Tk{bMp@RSiCzl|yDkT;muzQW1O`Bxj>OqUEJys8ogtgt6Jj
zAmJfHx}cE?%!h+RSrWE+jxlcGgB^@xBL}c#DDTJOgbz~CwE$AMOz-X;Dbt(bn~t_k
z4O4S?<G%n~3{!Pr2N?v6Qg`U+83<fP??#1Ca1I_CZ9IYhMzFLE1dL{BZ3r{K8PEW+
z4tg18P#=r;0ztw9EQUbpa1{sf@+W{FhDs0169}TPnt|vF;ESaCaAgB58%hv_P5L#E
z2hB}lFn7O1BDjclH-pQ&ZXKvuKtf1c201$)zp>Cb1@<_hh5Fyl1?@7&HWYg@?ObjQ
z#G|eI=5Ufk2`r*B0;eL2D1jz`<^f$U-{4471jhjE6_A5E(X1*4Dn++8X<&N-%#+^X
zb87s~8*IcvsZcxdA!{`T3uMkw0@({ywTYa>*9A1%c)<rF<Az5A1K3vVwmqOU4;>;c
z2ZazugF!nBwqb?2=FU*2@Plj3Sfh-Xi#>3%4cT`NLFn*xpSe(;F-y5gTsihSigDZ<
zIJJh^_&~;>A{b}b7-m(Bjv3k)vj1VmBh+!`HkdyHY|kr*B!(FkVY3AX6go`0q6=w9
zTq+5Mw|uZL0;ciC{hm!611=riYu0uVrpeg8>^2+l4S_NUs;VT+Koe-CN*xx!B+R7Y
zX0JeAv}~b-PzC?M$Ox4ouwi?E*a2RH+cq%s2Rfj`G=J!UADKVqAr}Um3gm)1KM7o9
z{+J2wPkM)$KSY787_|<YxFYTV8+QPHH`Ab@8=iRxF$P31t#?V?*uI1j<_=rL-NP3>
z^dMj~Gb^G*LkcIYU>N(;_KZs1k)oSadmOemx4>TaFVHu1l?@7l?aeLS5Y!AyAxP|u
zT3JbjFxWXc4jkO3ffUwZHjT&dIl`=n;b)NEf5WaQ0AN8JUWRbQut{LJM8?J{Eb#X%
zi})HDKzi87$h0@Y5mFee>C?KghJsdtK!)xAq`Lrm2Blne2CmW~6B8ZT$_8iJC-Ip0
z02G6s0U9YQYB6bH47x1}PsAFES>T3?3LVC(uN*3a3jct7fQX=@Pupmvn5b9*`sHA2
zx+oxX(PE+jzMu{ls`DoBz=Rm9tnIBUM2AB(KAhyd9XXt&!8g4F3}*Pi5R0PWeXS-4
zVQ}0ZA5$k^#|6G0G>@U9ft*4#3`HR^P3MBaVg#yzv2aA}K)Y2LDheO!ZL&cdLTwrD
z??!$Mv&jaZkiTYFn#N&insGmtrVacsv4(<;lLMP!_ni!QVK5g)AxYin2t8a?FnD_H
z((j&L>vKdGVc9jKHR!!iD2yUdBGgf1GJ8EL)EJ$AgL7{tW3auM#z|m4$8QBQPBO;)
z$5FeIjA7%)M#jbuxbYtRWq3Fd`EklMhK(N^@%|+l!^RJ$ZQK|(elVx4#yZH4`Uhni
zn}8VO!_Wkx1A)^Dkr)aU#)cx~BjV!_^%{<%8~0)VssREV00cwPutAuKEg!H#{?OR<
z@hEQWdh{4k3x-L08t}|!#^EGB?3vwK1R(Ur%5m^8-`KT+nt2mEv5;%5ya{OMG+e?5
zSMP;@Z^YGmu)z)zqla!WjT4^4gy}VeBqyVX)Q}F6ioW>KS^5Ozi&KIkkP!|oqr+(l
z4Bsi(@gU5b%x9c5**F>YKPTA(a?qg#dq52A#7VLTq`)p5xF`f%8E^p^u=^&-9uNUL
zZ<6c*39#`w$sP~@N6OG`J#le}0$Ab}!fO$zV)UcgpG7`6Fa*ys0YAaxV{{7;A<Xl4
z2Ka-#UiwK!=!s9>cqNGJXoAgk@mPNR5)gRYj17C=mkY(hMd|SP4eBx~x?>M^ei2=2
z2v>)<oyQLCVAqKACZOc>82C3>UL^;RD7*{2n7#?n<Fy&yZ^2%LYiETfEbgbrVuDVG
zF!J(|AP6lXqN_L1su6zmhOvVIp-tWvo-M;7+6E)A_sj$!0&7>o03rdneiYhjoV*wa
z0Zd!<@R4j3f-qBrg~PK5$-x@NnxH*70L=y)!)8v1K(9E(BhrZb#A=*u69DfnU4y5b
z&@)cgb$Cw?bjX{qbekvX87Ebhw{b2?WP^8<^a2tm0B-cql|1l#g-w8QGS%349@Pq7
znmEm&i=hL?<I`2470e^vH0z<`-7f*8x=EJ}l**K^!)W#iMzij~T}kD-$JyeZjqOl{
z(j4LKFJX9JXuyUKN!V?W<JuTBGe@tqECMLO>j6+U{zgXJGcoL90hVrT{D3XJ<<B_K
zIhMGW+AMF)HOm4!*Mf=<nV}oJ>r??*Yv~BHs7sUL+GLo$O1e?rJ}yx}10I`#&Xu=w
z#<fc<O0?w!z(AMHH82<Y%!c}m*&HAO2vrZ@sR!WIa|Aa4{=6{|;4Or83qss8Uiwm~
z7JJkzT6o|tLd$FvFf2bK55p<3LbM<SnM;+ycWDlyg&EdB3s{8YV1y8g;2eyQ7>wXS
z5nW4$KMsPy2gn1CUYaD`2vi4Z2oA7FD6>c^59G!w22HcK+a#$RtzmVW^uC2BuZ)vE
zVV-x)cQ`cP2CJI$UM#mUiR;$3@MzRes<42ExaS&cemMuV!)zf3{sY%(zU7VG4qn8T
zIxq!?=RSb1pgiNGcTkOTEf%g@q62C4lggn+i&;%3buA`Ib^1xyP3k&OU|kFNEx788
z>)PPcB&pW8?j?$aF(s+rxbBTPS0yaLm?yzSLeSv%&^2hYNpFjZW(`FmsmZwRm9geE
zDm#4A1R;rXExg@^!GQtj%|JWwj3{a&E)U?mEq<R(kFK3bQoXLNd5UC}nK;4DI7J@0
zHs-Thl^+_H_rZ-4ot$l=i($M<cukwm%#U3q)1wb%3<x|jMi-B0b_BMAcw)SZgFin$
zv|s#v1rlDJ@D$t?PVj#BV<7<F!_Qe)&%jaNz($YgplfYuVrjIDXz1qSOY$Vr$V95o
zN`Io8hX;vDC3=#m9u%Jd8ksUGpMkaYV(Vo@Ya2tN4atM%L-r?%>yiEZ$o|G8H%}79
zj1($P^e5AZUgSW3Ph^rpzoB{=`A6qb)E6guyHSZg{y}cOKAuEhlK)DYH&I5?a~3M&
z=lLzjo`JrB)E}1eN6N7QAh^*2DWo5k^z-)U4+8K<1$|eJE(U&-nMfn~1^BwrNJJkh
zG0@*F2=L_Q?n{y*2KbWPs3f8X+26}&CA1Vnh8JLQ9AOkD6!pIgVZiCT@WFn67c<lo
z43)q6uMo(~5e9(Y`=Kb<zE9X4n<>IVooSWye0){v*8?y5^pBdTT<aPamA>s<uCc`?
z;aD}V{s&<OrjhmYD_xq`e5;AQb>dDi&ym};g`!?l%i9Yzx64^S8F)wQxq4%l@;3hS
z+OL(4j;mY8J^rJ8r0TgG&D@WtjY7ow*!Gzm=Bv|H*b@0{{~=ak7P-rAMTIwu!#s;B
zUe2>R^4P9G=E2fe4y%F|ujah#7AaGo7``b6F7L7;T%>+=FTQbz-T39pHKz(6&@07u
zQ+6s0oXDJ$9Th1_A|H1xI<?{sZB|-V0i11+Ugl#m`BSj6)I#zOT~nz(=K@l&!L%U3
zM^ij_m&orO>)$%7ZmwBt^!b@JvrB@+ys}SS%{yz*SQq$p%z5LF5s_xB7e%7zJ6W9w
zjs8n-WQHu9aQ110ufO!Mji>pKWKD>ey|icg<Yi7v*EvLX-MbXKe}YAG;I_O<ZIjDa
zoIKi=?dp7J@uiDz%v-^`<JTOKn91pq)*vM8!&Wde%{{X1)aJJ?TrwM%oY7#F3fY*;
zKGr63mto(eU=^N2w$D{~(%JdGEDc+x@I<AJ-Ysp(8OM2Vi=%~~T6WX1!z}KnriezR
zoZsMhZs25H;Cua7{Opxi_t&l#R?aS6WDu)hv|EZQ(~#krw?HFv;v5#|SjDJAS7HTy
z$Df<#_;KxLgTs~VtK{<Te0<t*zHH0$ysVjATs%89**6~}P0kjU6AH<GdV201sohfp
zmz;Ijm)ejn;<lE1!G$?iHV+~XN9QkGA{UrbQe@vDYdE8G@xci>hx*>^GwriIu4Uqq
znsVZTidB@HRqd43ZZ~DGNBOU+y1#qIt9fTNr!{o=sDHe0YNqYl#nggKyKc7ertP+z
zm*&V!TCT7AaY6sV)#~pu-X-3?uMqzJBR7Wv|KgB0(gn&K?(`E2D|a;<zBMDD;db^I
zue7L(3*)W~T+fe^KI$?zGTp(oWc(Vv4T^eJTj5#BTb`4-0&b7Fu}z8ClAtJihm=ph
zBj!+^T5q_-X_qT0{qXtr6?=^uCbC^S8S5n>B(yxM$|}Y~rufryB!v+lG<9EBpKjL}
zwcSQl?fizLW45TbuscTF;ym$GPxnmNsabC<-(ORo7j^Xwtvf%;^{tG$(EaNf@8bKb
z(%1DKoRfE4=24r*c-uuOmS%RmrreahGp~D#&s9#8V>ekBlkrWI^*K>+LX?b-L)XCz
z`B(2ZkUvXhsGQitw<7)JiOLi1YO9Vnt(nKG=3CUSrTJvRs+%g?z6dY=(6NH}qRaCt
zhjfL$tfqP+;VI$Bm7N^cjiy&+ql2y7qu3X2lo=;g>$_W;L=X0+zsx`PG2vU_*!UAS
z)Dx`vIJ*++0)&*G>G!BTjabx6%l}sKB3}NI;PiOH^O%Mt`!}v!Vs)1;S*7lqK+)zC
z(Nf)K#LC}w^8B8ysgGV<*(Yq)e`Cqa0jHR)cH*Wc$vLl<eK~f}^+3|@yS@uoy?yB}
zvTF0ExM`G@u;xnRMe+?CEiOK5YCDf9J$2f1rDXl13r||Dh%49cZF35l8g`WZb^3%U
zed75X0*~%bd~RU8s&GtokI2PshT}wU`abVjF{OCzwU&bZuCJZ_iF2e}jr2n19IU#o
zvs2++)C+E3gG5=C-MJB(#QfEs>XnCyYfMA@?dI=p=cArK*x2v0=<KVU)~6eun9tVQ
za(3Zzxmn!h3;0OW-)?K|F%Z1eqLddPvVWq(q-kr-Y}razek6!<JXl>lQ+wTufK_)F
zw$k+1Jtz(RU++H}58$X5fo{-UxxJno1stHzezUKAe^~aU2j+a^N;$LEHwzR-Yu5H>
zC7xK@Gi8sU!@U+|&as_~`3O(ClF4`CU(M6y^qe=15J5e^)S~hJtMJmtRy%X1)aTFj
zIV*WHd<<c;<ol=$-hKI3O6F+^&%Tg3k!{Ol|B5dxbp+P;3iYmsjupI7%u-s&^XP2n
z`aPzHS=4;w%+=0BmV^n>l#kE45-BZq?wq!>d(Y;xb5*}l?~6>l5hv^Do>>&9Cn`tC
zZC$@(l815}PtkOrU988R4)7k1n5w#GAX7jj??zvVP_y`*Q-ojz<s-eVM|KK473scS
zI=82Lrq>;{=k=-g#-8J_CwOIaq+c+ZRl;Je9Atj3XjWSAtar9Ad{22l>y~-A$@Wmu
zzEbTQH@0P2PHG4yAJ0liTQ*C}R_p$oiLFn&+70UZ9mj;f2p0)t?SC?`QAV|&Z{oe%
z{OnQ*6^Ay2Z3q@Mk({V@{E~rv^&*9-E>|9}*~?-@oiVV?*6*>lfQf~^;iSa+Ek|2w
zdgS=(SGui_mKDlcTp3z%%!2%tcb@Sw!;ChYGgo~&l_l>!N-t2bnYU@X^wN91#RW^2
z9`%=6e0f{-qRL~2l?p0c;m1~5I#i{v*jVosev4kZuH<}8Rqdk{+u~&GW=wx`XXY8d
z=8W~bzQ$VB$Y1%occS8B_NZykzwY$8XQIg6<L2JqG-<&un=3@gCrjJ?-%oa)b8cGk
zDdV}d``KCrDqo2U=#aOp+Wqv&m+JZF&8~PITIX2Up?GFrXS?!Dw;sxLsSTpuva&Or
za#vlfE)(H&^DOS!T%`8NiX3-3MSW6qX1M=+%e#FQO0{iKf?`J=if(zZ(UKk?H!y`O
znBD1)OY&mxIaLpwr#P8>&UshG+UFxCTHN;O*=oUz<+|}4VzR|2avpiCEnaOlW2H!}
zb${UYoTse!#)?f%oa7W_dxb;3C|`Gewq9-^QS&s%=ge<}s~6(=V_xu0xxMZDyGIV;
z=hm~2-(G&(^%|dk2oJAfnyv4XvjT?iGYiA>Urn{XU%F<8I2sQSACx><P-a(hOWUs5
zO_Y3RVRTFH$0IJR(L&Dpit>-{<$2T|jIARCSB;n9TCjFq`p2FZKJ#47qf;pR#22kw
z&(Sz5X+!o3Uycde;|UVW#<vT09@)HqLikahgoU|8wzj6FyvjWHmX!;?<~doroRk|f
zA!v-&8sQfj`U1`A@%?JCH^!fRr(59h{>jk~bJp$;3IBZP>-B^F`|Dc{H#W8HoGKYe
zn7CwzJ9qa4`sxX9swL&LpO)Iz-(UVljQXvuvv`AX_NsD^gcn;AQWs?DojhnByKnqT
zy-CW!NyqC6Q>|xJ+g`g8dD<tu|ItIsM#n`0Y81~4Tz-XhSEjmb`dk`+J7b-hQ2r8k
z$Ba|72h++eBG&c<?Bc(*nY(GPBTMKMo6qyh)_1E<vCmQTPtT}dKWVDVtqUbQXM5F~
zW^R5V;(0q#;<DC#lE$keCq5JT?_J%$@${ql_V2!ZJiR5af4AkCZOQqw1GeW#7vu$A
z4~}UjEt6_&6Q~n1)Ns7j=;V|wUELTa(x84q<(QE|wwY(ASfx&loYCEO)mEOEZ{D37
zC#hDe$%KAkUlt(vq)0qL*h5g=flbJhSY@s6x!lNdMa+!JTg`+g&RIFn*GJ^eb@qha
zT2CfTA6F@U=vs!Fz|OuV-ZsydNgn<}K@C&MTL_Kkd-jsD^22z{><_3u&|cPGcf_Bk
z_@3^L_#JN+tKTZ+Jh?1NsAB7E3#|jESneH_-7GaD)t<d1cX>7S+M-9hY9lz^FY$$y
zFB7*(^^m8&XMd2j>Qjkx%t@u<iM`u5+zDuK_ur+`M^l^JCnQ$Xxu4gXKii$V*(z^u
zxX-p``gx5B?#<7uW1CBwd)%xp9TFDQ=>M|u+<}rz_PjKggZyNE?YBMN$8<WSn^jle
zk>dEYir@Fb!(-%-y)k^Lr_-GD<W`8DJGs2{s128pvv2uwUW)&HzVQ`OkB;4tDIlz5
zdv4pdt#an+(188x{U#aTnz*hr_Jh*(B0tW9?HgC^$WN-jI`(k=9WKrb_8ut#ik`=o
z>=ECe*!{?!f(&wm8Sr<f^Mvsjzq4G=U3}f;4x2pt@L_^)MXO?#)!x}ogh~ow{64m2
zTMb_krWz-la+AAGyD?jjzdU4zi>l(-YYE*C9=dL~;*Bs1YY@tM(OOYJUUncv<p|s3
z?f#Df2QDjq$$ev(bo;2!mi@*T42`aAO!9a(&SKglLq+F+4H0zlOs?^VcIe!Yjf~G>
zGgWxlP~)kWSral*H&OMmvioLvp?8&sXJ-Z!JgO^L_TbF|U!JuCJu98`KNpT&Fmr1l
zDV;dsYLF-|iDSWx-0tl$XU3V>XzW{7Mw`FCNoP)i*v7l^f}gu24o793nEq)mWvx&!
zwa7mD2zzd=lGDe!W4wH(){R_7J2qZCF|T^h60Sx+%Is<uI~D({4s%Z`a4l`>cl}&F
zCt(#^P|#<#c6skByzF0&_?X8`@~v5rFFueI;?QOzDOeNLXlIzqcFn*1eNu!RPx_8D
z%7>oKKD=kI3*Ct;JRs&nn>1_o499m5o=Z;VqUmfdnEHZ4Cir#b<aOhuACF<N$dK}{
z%C5^WTY8socgJBz%Eg@itaYzv(Px>sn>9wthIvhGWm{{{XLanXv2^)$!;9LJISwpf
z%jULSGwnlcnHQ}+Gj6^#%Tu!bp{dWk?Xn9tuOv!-S+GQQ=H#0kPDcu>j6Q2Btorn2
zT-yfE_|>l;q{?!xOSSj$tk`KcH^W%xLH(E+Pp2jCd_m4t_pJ~X+WEfPHcCJtdU~VZ
zoeQ%p`&AUmCmu1(s0?U-BV#B2Y!3T0whh(16XH^<?mwBhsr}B8-FMb<cdX$rt~(mX
zYR<!FwRHX)SB|e6qc0OBSlsQ_yYe3SLRIJ?x!1Px8TbTfj=8JZX;pqtQuD;-iI&@L
zigeuIJ@w_<@s@_>H5ILPs(V}>S<G89ky|-r`;7)+$2SDJ%scO(dk+1iA~O^1o;*j>
zYu~P%ce~)2Vn=#8E>u(ZY>Znkdqw~KWUkoDEAs3=zY*o(SeUK-Ha%l;ZhhMN4gGg2
zzHKPF5<<T_rMIY#cr&haO#O`m%Z2jN`0ka?yl=L6%;BSGJV1O<JlXs0>!nrEl~yzQ
z=S0}O8v9vv>c=A4)ml&F&6nIZ&weBNqOH4+YZLF56%R9A1ns6+ux&iPKXJ#E`YmjW
zRO8oj+<zzZBu>bx#>h>8`^>ey<;k%|{BMGC_oY<ZmA?;bPkUCPn7X?ne2L<#Bk7ra
zPerPHB`&w5?GWoQyJzUjk$&vs^3-6-D>7xVrXh3z&WZ|034Qt52j9qaP4&yqd>yS`
zz0PIzhM9F)?5VZ7>7t@h#|>wCjBQ^b^?a>#@wTG$rT3<srPgq5o86Y&LS3O&vNN`O
zVrA+i3oZw~9pXGykvipBlf>5aPoJ_;+rCh*!fV3XqvfgI1MA1mzddf|lXJU+FNdAk
z!++ZS7FW=cuO+9tJz~?g-}sjJ-qmWoy}5eL#IG7r33uKZJ`6XtvlV3N)f(TEG~L#T
zpZ%+dnACz-BKf@{?{*j!mxkW(Pjk9nk{5SY)?ms(p>^ksP2A_J!eF){zjgX}kqIwj
zRyh^juYTxXwrmz#y#4c8QH5=9iqhtG?99B#x+=u&c<7XDrFA`PoSY`*?8)&S)4J`D
zhU0op2Xz&rdEZ#c)pl<CWLGPGdXw@+PnFffh&9A1+H>rdGZ9=7{qobk1!s#8AN!g2
zn{XN3*gb8d*xW*a1pBhS`z*ye`=+Rb?0q~V@RCGrdcte*BfHYpn|7A@t|0_*&dhy(
z$E~pCU<Khx8@+i<u`TDJPg)9%e5*SjS-x@STVrxhuZU;$#s=GZcNy*cCx;_n&y9GM
zG@kVY#Z2g7OI^g)N!kiIoV#vCr@z#=J~zH$Viv1~*U5nF#>&U_{MOxhAsaUd?#+3B
zrNY?YK<V|c<hpGK%-<GI@C`cXkQ4k=v5F&)dkWVJ4bQQqt7`X_b#i%TbEi*8%3X86
z^0IBH?0#h#i7D^xLp*lvI8dEx9TvLejd?O5%VlAGzC`BM%6+@0!d<o}C8_+X*<;Al
z1Fr;p7`s@w|6;1#Zq<8A2Zc@F?tdJjyZ0>YCf{EAN@%MWNxIj^IO;Ix8e-6yO|_R?
zqLy<Q6htW?gE!)XQxjA6$UhA5^M8{+quDZM+;&sGn#_i#dt292a*wg@WmmW))Y0#p
zeP;ahg`W#AgcsTKNvv>?<E#+~jf-DpAlcDW$~vQ0{W8trYM~l?<(}BHuS2fP>zldM
zwszcjXUVcP74cdJKkr)C*zd}h5bO{%LGqcf@VvObIT7)Wm#=s)zS}S^vG2x?oYrcJ
z#~oS?vFVBS`H7!r6lmM(9?ZY-?b(!#ldfy>JFT5%()QK(x`oyHqf5SS{nnisFs;pB
z-)6d^w9DDf(r-;WS8>+3ScJ%1j6Jga>=K<8+2|r$BbQy1F8eKiEvd9>*Hvy(oVQkA
z>{9OP@g}80hD#2gwtXgi(d1>cXn3effnn{1P4}ZywGxgTNIuMc_yKR18{0W`%{gNl
zy;o!_-tW=a-uJ3KsWCe0>MX^kd91I*E_!6nXdKYnK)b!boa@cQ=F%~Dw={^WJ8i5k
zoqckxk+wmgs`Baqy=6jrNAF7ZHr2bF-r`dHzL%73&OWL0kY51F!ME}G{V(Nxwry%F
zEyf8b?z^{kV?|9e7w6^x@4Y;C$LFu<%$O24kQ2~R_>LZvbC#$a_i-)@g~N(nTj297
z<M_Qiy=O)D&2b9xi`y*y+{#3e)av${RNAhVx2ntJWb=i~2hMgJRy-#abizq%Uf+?g
zFG5=qY@G|l#<eB~Yw_)rqE#J_E&815y|gZJ(YaOA8^_K!y>fe__k!EEFJ@JrlKt$l
z;IQpD1@mXFW;NG4x|B%)B|IGS7A!LNPm#N~W>(Od#~UBKdcOT&{-+!4Z3o9aW-+<=
z_CVWY@i#_dT{6b&56geEtUs``sDEn5VUGDhP5C^TuHWdvS<x#CKVCDL)E87(Yx|I@
z%O}RBT|;h;k+}8dl4KUQlkBvs_nt4)DqmN3&w85qCFKs=8|EBV*6Z(OnVN||Go@Rw
zA9CpYwE2@`MY0xe;+zky`g}3o>qL)kCXNx8*S}OSJ4fKiY8{7%=O1vHFOk~)yy^3^
z3vb`vRyz4nv*tqYPWEGmRL#mK^S-+ry1ldX@JG9d*lko`0qlotMy#+bqr}2SU=?Jz
zY77@{I>EwWp$Bu}Ru#+@X1LM}SBBxjg)CUS3d4oMvF~XN7bYaw_bi4xo#Dc5D_A&@
z;m&5b>I_$o;mR{yU|=l0GQ$;TxC#t+Cc{<4UA(9NcmD%;e&OIhj2<*s{>2CXStNis
z_=SW2ED8w3{|h)!WytS;)wnR1QQrS2;{(!9|Kqage;fy(Lj1x3z~Ddm1NCwU2O10>
z{!i(s|D*iC0ysc(1On^_BM@MYfcykDCCvE?{}N-cOf0%qwpw=JmGJf<8=5QzmrR8{
zKS~T&+08>M5T$e{Q>iGShnpW3;6d{6L>>>XmDsnZZ-ADenVvavZLICBJ*fd&TKYCt
zUKA`D!3%QR7+4clqHv>tKyM#UEWn#a3((Rd5d3`biu^tC^8HD{R8+8ku%DKeoxV)~
z4G#|p@zL@m1rexZ53Jo(sxQh;2vwnA?eM`J)Z~B3uYcfc_rRrrx39Db@2m#a4miSJ
z0Q`l(AE7&KfY6gRz`{Zp0EEEa%)kHpNuyau;-4L6fPd|m$jJ5!|38M`aQrjzJ(>>w
zN&F+eM{)pB8p|&^@INaDM&kdM9QY^4f&U9~0O<qBRx)xt_}lsb;lFS^!1NAZPl^_W
zi~#oce#6Iu(c=J<E|}wiC@TSO7x;U>?^-)%M99BRABe%r{e}M#@cr&%IR2UV9!&@T
zB>s^;faJi)@!*#n_>J-4zgiBA#Q)#W2V!uN|0M@-IQ-uK|7&sp=>y1a|4SeEseRx-
zCI{d`(_i|)f8IXyZ^Qr3^nrf@|42RjH^_niIy>RNYCeEOF8U204@T>QOuAs|h5rN{
zAbo&!&_47_9~i9<{yXu{#P?`A_$Tp?^Z_CwOrV3|>jisI*kAblx2_j3=>XOZuyNrp
zfM!G%%j_?Ic)fu5AJ7N>CjS5H>_h)f{Qpc2{1f<R1L`Cq3jHMqez<NpnhyMZ{IuN2
z9t2qKbPEVT0Q_^m;d0>r0v(LRKfCZRIWThF_`e<hNFSJiNcdkX2Y!tQKM@PV<-llt
zkSQ17k|AvWz>Ht|z<+%I$Y?q66ZHNxdN}@>_#RCM%z42-fq%4KfaCy(ff4%$evJn|
z9uIzs=$|AQP6wm$&!mfgQVxv7|1W*u_v{1zj(H&y-=pc^pOgd0PRNu4Lv|uIrC)O3
ze@_k!;s2K$_+OI)XkIWAja|Ry1%JvufI#+let$+EnE7j7@IO5-_$Tm>?1aDM0D<tc
z^97^lhyO}D;b?u3sV6e^!heDeMveo&^nsu01OH0=Gx0r|4*p5}BYgm!_ZmqDe|uiQ
z@_XltnCFLn?|cyRJP?yF(Y`cYXdd%ilA8w&JNLu1)BoN%rJtQoVxB`{&i9ynK6oyP
zc^-+eE-?CB((j!|LZJL3zdxc6FzEnZNdCw75&hkH;V=CEm<opD|7UXGpTNJ^XL|nC
zel|{4gS1D>tb;a;vmp7ADWOCXg#tH*Q``yT4B<X%A~}HM&j`Z<s6Jt&5djpqG<-yW
zhc6lKw#Lh$Dif%1NeTR%_4G`LjH|;PC_XfF5w@<UCk0(qP9d!c^Z_5yjc7~?fjh`O
zeEi&eiExj2Al!(J|AyzcC6kH1Zj_ZIqK#V+$<vMIW`kNK=^JRqOpez#ctyIUk3Ws%
z?@1<llA#)Oxj8j3Ab?Dv5%qMf^;O`ia|)5>4L5QJQYa*U8qtE}>4Oz2M}*7FSNi+-
zuOw2TE+W~>i%Oyq-MnZd3bcVrBU<X|8AGkZ+h@YK0$tCI;%OTiK++;gQkf0=&2*Gd
zxTk$&N-W)A`%y_m4=fpx1|<>~5TzwOrJ02Si2SduIMH%)z2Wr7H_z^vxCOg{p8-0|
zIg(hYn_ILz)hlyH>$BziI)=ynmcQFq2Mgx(!(Af7{k?DvFg$C(;1UA4B&qU}%!_ZF
z^-Oe!uByjxHz&ds^Kkijpsy!}3U?CGmke0<lp~_V!9Kpe%y5!F)@jn<HS_>yNW!2a
zOTZ(^pB%W-o9Ks8FNTMqcs(-0I!y`Pzm9OuKo!=nQSEXxA?g~~{9ePLTq5?fAko~2
z)})niX}%mreEJOHlY>w{AP1lddlH3;F4gyN^GB6J@5t^nHy?kz6T{ojXdh9DXhJ3G
zktvkG02)ySF~R~O<J$ZY{T;gKA7e{#NvilD1&k;cK)@_p(v#@s?+L}p!R`D&z#eet
zysr;j`wtXtqCZHMBkEz&udRbQ(Z<@Gh$I2CqT%&0(;?PIx7QP8n3w<idw6&&;rIRn
zzLpUUa6F<)p#caf&>{r|1>%T$hx+FMQU&hK$9ssXT!xVb&4&iHtR{tO5eX28WnPA%
z6~i7xP_+oeg(!s*B*A^k;2Yj*R4Aed4;<j*MnsP8(l~;NA0{WrUPMdi6yVAWdu{=L
z*8p#tu^ZL<H@c=z_9x9?v=NCslms4WK#;<^9_$X3$OnHq@aJq`Zun!mUaW8Mg9Ofc
z!{QA>ys@VoppTyL`hdR|dBj@;G?1TEkg&cOzo2}Bf=1jX6o}XlQ4fXeYXUhHZD?*D
ztC4`kUxlCsfOz)uLEP#|@^TCGW%f%cL^6cv9!eu&L^Yy4h*1qfNFISS5|aBw=<5(Y
z4Quxh0Z>RZiVq3sl|~8yVU532K_z-o$bNY45#|3zJ~S%)iF^SRGWKc)!U9gp7z1Lp
z0PT_e0?<f>BiR#2--s4qJ%qeCt9%!wXKPK=wYC`6ah<IQ>mXMcu2nkzO<;UCGQQ6;
zTxR^=bpx37pz475h~TggSe$1pBU(WtG093$Ky(8U@Iw(6ZXrH?fdKdrlA#Sz&n>{s
z!-p0M63@-Uo8&o^4v$A5AX>Wl!LTPSNtH&dh6oNDuz}eO91Wn5A4qUUc_Y&4VS@z%
zvaYW$*#pT2hQ5MEZmeEB8!F$}Kv&;@(G`#mkZJTFf%-K%9a1VR-26j{`XtbKJYnPs
z9WEfhOK;^yfj%OEk7_VPZ>4B41Qu$_cj=ju#Umh)2s}iB)W9)=0{FZ1cK)OgU^N=N
z?1J+oy!$~i2%#~Qi65mm@g%wVTHzE;ra%Ty1%MHwFp8W1N<fWLh!RmA{wp&W@kiwi
z)jy=ke3zctKP!q48H62(Xh}3`|86=&CV0X4izy6}VGe5F<wN-KL-?`t_gNE2GVuht
zMij^M`hZYDsvsJTO+2aM3K*S@qysxDf*vy!(Jv5mHyE3}+<ZY>_3<M9W=V*62L&FK
z`WyWjRw!!Ih?idePPvOgAEiK}Da<CDcq$LJ8dRD;*y8Wt_#5S_{F};E{a2Jb$d@)G
zN|28SE?TH^Knu7~0*I@s{RX~=C&w9cP!f^-S2Bkm0*>|(;~ielh=}2M9~>)xC;>)f
z$H!58WQAcDk3&*oc)1LbIFj!@AUP%|lvF~7F|qX^6XRUGNQ2p-@9;gyHzuHWAq|tN
zFeuOw>{Rfa-{l+D4rb0j(2%)ajD~zy9&@sXsR>ZAKS)jdr6@nxfQd#{D$NZhWN!GR
z5M#FAg3r&(0qH%ul;42!h;n2ksk0Dy{Jc>=?$_^^GrCdVmBW;u_)G?y<^7@YghIj}
zlUhxp_>+8@vyboPE}{c`((DZr0vMvPDL6bC7KZ8e-_xrxmdq9@Y)JdVsP#ACI7nY+
zcmt4n;O^rK>Mn`;TXLA$PZRQpDo2Tbg0m!*sU$FSU=wg$uS3&)82SC&XhU>@KWp~0
z#KX!(f|WQ_9&<#%Cj9t&YID@gMwkCbGku5OAsv-5xiJXA-&^|~{`*-+eh(jiw1L2M
zFb{M?@4x+q5QNz%i7}BSsLavu^A00uD5)XGoV3!-Bb1=5qGqv(pgdOt{?9>P(4ajD
znsdMh*EcCcYTTznn5%;OR0*mKpW1I!$W$8$dZ65`1WOb{HyGARW{fcyLxSBXBt37E
z$LhiKL;3_zq%XlX*cTa17Qx&lFaUj70y!i7fUpQ|x+3U<y~%@S<LT!Cucc8)1U(uB
zC9ozB`ho|2WHfn$BqJJTL!zOH4;6x;7Bc)JfQkhcC49bU5;VLHya1bEADV}^9<ZxF
zGzsAewa0=SL?YODlOe>L<m)?FjWOAeWI^%|B-ntisK1Cn4W%NKk!S>8A9se2jC2Ho
z7KPvr&&d%CsTQDx(ojE!`>h%6XG8-i{F%`X{=?Fuj@ShF5J2a!@$~UhCFo(3a8x}C
zV@5mAUIy<5;zKdc!I-T9W{U(#1r5+=nTj=npYGt+dS^3(r8Wk(Or8er9{yM$l0rlo
zG&EpF10?rHrXS)SWct9>P-od?$Y2BZI5g8I+4^{_2GiV-iHS-eIzy2#axTM+Hz<`I
zyto$v%#BPzD6=CZS_reY;bADBB@!;aC?9;_q=<hkB-)yo!FzqWSk(||Ww!_~9;LLh
zw;lX|lotBKQZ57)lN5qI3^<g1Ay^fto_bzxLkT6RgT^xkkN<K20&p3Y6??;Szb9uy
z=C7r9aSPpc{J2$WUmw|LbK57C^^+7XyX2Vdl9)O7T-rfr-iW1Nd+#Pmi(h$p?AnuS
zrv8LzJ=4Suv4U++XIsBsM7ZE{@<DV5%{NSbyS=l)((u%yMXMhLl~+wL`pA8_;#t3p
z)ikNxyS8R`T}}6-s>pUJuV^<GUnzd(=3K@1E0(*hve7?~(7Jbnf>5x-?68d9+QuuH
zHG6F@ZOA&AUFqr;aaP?@GTPf)acl7{n~jUeiC2wXO3Q1E*=XCHqGFfkXP<U6tX?{!
zvb#J`Y(`qN#P*vL0tCa(oY%^Bu(x;7*rL!^^){g7XwK0&AD633d5k-Ef}OW}!lUzl
zhYqaCWSYF5t`h!(i^u=`k44Xlk=^ajXGS@M_gOgSN2kZg>~7oX!58*y!csZKh=Ggw
zk7*xrzZN!-3F(VC)YjNH>X=Zn7fO6tE^^n|!=<*1>xs&n)#R!#Dw`Cxmu%H#iyZ5|
z?E!aMBbR#3lTE8D3k0NDGW$)of7@*vYSGb9=|#<ZtQAZ$+S)m7eZFB+$l=I`6UF`S
zO}ZRnHY0A!HNI;!k%9c4@qvvqAFEd6I3JW(I<UX-6YqU$pVZA+d0keTEi0C~#jk##
zaP8&`4Ktaq-1VCx@*~aWYBj8VOnuIke(_=yr=97>1J~o_*RbTuvK$xusuWVf|KXbU
zsl2zj%f*kgo^Ix{jpn`B-G9JJG+prXf;e7Yo&_xnw!h+P3P#43zXUy?e~%a^^(lJc
zxq2e!wSvRL-Y=(^36A5?^j*=ZVNjG9B$cxK!AnJfbF5$Pf15YEbp2S5O?H>qoxXi5
zHu9O6^l;iSGrb`9g-S`|vgVy%XmznSudMgedG1rI&R14gRVAL!>fU`<$<x*6vD(Um
zgpNm_Hy-az=ULmovx#DmyftcROQ~g=eBh0#n-o6yQHxfqpIXW7A-_b!Mn*(5>u5@)
z+pVts1ugH7n}@foIrUlYi{0(SWXi45m0zBAt+ttO(0KFdi6C9W`<Kbmldq0_|3Tkt
zpI~k9yQBww^;UQG?{2?wJ-pSB=k@NdY=<9+I5x==Hx!nC*hCj-+|Zy~@4VYnyz$u4
zYkvuDj7<Lu`ggQp(7)ziYl-kaqy1&^<{eST?{ptM6YP_a{$iKYHcLk#jq3Yrk6#St
zdi5#e=@EA0xSoo>r{QtU6QtJK>dk78^-b!|qb*uzq2j6%c`%G$$7|_>g}SSyw~kqy
zFP>FzYyD7q+^XCKB1K+PMIsBX@gxeR<;b3#?|buOeuUQJIbYS+gcDho67KhG)>PM3
z{#0J(prtPCxVh*^22W@6hp@;4(#F>*1>BtB?&>;e0<()mr+oQ*+eL`q#(K?-7TJ)Z
zXw%zE8_$VG2CN8~nw>RQcvHh|ZW9NZPomc9O_oy=9+zqwuqWA1+Oaf)Yk!rz;>SBD
zsR0iir=PG4Chw1Oe|m<!EoPC+*^u=+qP^r+{0;gaBVw{BYr12eLR7N--7~A6v-TzL
zFcAx0Z_sO#c;)f<4$-&bU$-w36xb1DYI7$<P}tyw+@Zb~>-uCD+kDD7N7z717@!tk
zikiQ3?5rBnY9AGmBW>y(D+a#Zj5xnsDZ1G^IdRjwT6XO-uhQrVeS%$l4VgC*@1GZJ
zd$GoJ=Nqm|;TyVbX3qAsdRgB$aCw~H^t@b+NzYgeB<uZjVgu%_+v&6P;QYHedY-kH
zAGB{jzOC2S@Wp_xo#FC;uIY7rHcbH&oB3{~ze>~L_m19oh;^6Wbi43rx5A=Q9ZBUh
z1(_DVE{(%lryAw;I&WPX-zEO6&!J_Vo~onb>-GyQiaY(DR?ziBsYYWs4V)i2<O_|D
zUldKv-EG|SfPaP8HG}d+hfKfntXlp$p`m2Wt~sBoXS<7OuF!cjru0*S`9z_C36s|8
z-U`tx3D+}xC{A{jDm>*YoxF+XV1_)YD|8cI$dQ=WX4~0nyOZVao6g+#P?}TqB<m;6
zCGVYIFMQz;;pO`Et>0Gu=FGG(lY4T0`vNaWchBT5Nll^_u!dX9)kl>rkZdddrndEZ
zbP;F2aODQQIWK&rPQQz(jZ!O>iCAd3{z6vp>Yyf>yQkF^%G4q$Tl3RhrBb9m_E>Y6
zzSC)_nGmsjUxoZj`Q0vN<^|-2i*rRCE>Cvdmd0b+NPjInz1J<>%_d1c_^)vto(u8+
z-^mYoS^nPeNg%A9Bx`v6mi(2cvy@&u)!rDeH)QMjz$42u^4PAPY-}Hp&8ZbwN%HKv
zA#;l$XkeSOubn@X{_;lQYr*vX#Kw%uvxT<`{D~1A5jSSV?3op#&*6UNo`$U813gX$
zgTwi)8GD@{s`PmK<UU@sO~ZG6=VNuw+&iu{(`R-nzTEjC;66dnB)5CzQvT^S<^de+
zkzJy~hqT9C%j}OCa7ueudT(!BfSbs;F|#($AnDA{*qnM=keWUJ`MkI1+9zLju5Q?_
zU3k6LB6C~=xr}(?%2{*1gSxr5B6k;R72eusy}M9(RmQ<(vQpO?Y7=kn_qy7@!oc)p
zD9v<pjsxZ4JRYO{8Qscv{Ync|Xa80H|1jSm_Uot3%f_;1%kE6}I8&E8zoof3{nAqv
zJ&V#0cf+(SZIv6SM|YWD5u3lT+kt)G1_N8y#?&TJZ*CriuBx^L*G1k_r^`PGPF#3n
zxnzJ@Z@{)VTZ!h1DS=Pj7TjIbsXkTXetA!nuxxz7V+WepIE9`QTXPrEb85JHwRXj@
zA9Jwlvi>5mF#2AEu6{U2bcwUVrtL=!Cs}yTXyr|~)v=|u`{Thy((^h$y;>Vc_86DU
z9jvkBrI+ft&_{}LsTDFD=f`9|yz4p6tNT;AtcmCZfA#b2#V*|RZ4oO=Nx_|C%Vx5V
zqZqHF@A)Pv_^N6Ksd;LBJx|?4+w-$RF3HZHce?0r((eEF*-Iu|sSNq#uf#4>ezW$@
z!59|@i^-YC@@})7k5fG|<~)Z-qtM6aPakm4TgQ_dW3*MD+_WPqWK~6adKc?A@$8u3
zjR9Mx=@rd24{COpSCBN&)p~wmL7L{-Ca>|HGHF}rHN{Wwnw3*eY1{AB;p-QiEtVVh
zMESUsPK86C`pxby17FDxZ>xzek(Xa9JTQTCN&QJP`^l`?maCp}_}`=?&=vG@IYTCB
zWQtr2r_sEx$d{|{A<b*t#WpQDeN)tyi1UwKJ74wlWG$X!`0}mG)_^xFSIn6mpr3Ms
ztHg0-ZT1l{ep}j+ym)<?_fMkCiL<ZLC()OGO$k1{zm|KxhD7Pd4W~Y;%+b4CJSB?1
zAoq0gV)lc1w_oMaj7(lGd9j8j7?jq#rO2{p7j^obQ=$>auC_a{w7T#awQJd~8zURU
zPO+JM`KWy9nqHyRGat*HP2m@4eK7BuYS_6}+1Zg!lcY85pS}(l!}HqnT90jEzi9CO
z7Z*B8@~-x49dlg!LVNGabbk4rk;N_7tL`hOQL}Db*YB#)yrj`LEsc_{b9e*yLX|5^
z%_dxHx6;l2*mA}y;`#MXL*c@cX|gKKjeO*9Ym2wN{}xi#)f%26aBq&(ib|C-k@YUY
zQga)Rdfgu{Bc&H1`Owd$ZENb`;ISvl5^n3BGft$c)e|@HKHsyeyQ-~8PIiXRi}L?<
zy@_`7&h#4jd!L)xt24b8Ja_kUw>%a5Ok(N^s%*4qvA@;WxV>estIvF1Q0R6weAnI!
z)r(T=jvu%ryI|q+NA?v5o~Yj*NBAVPni$&E7&r6M44DCq$e6K$!oDTMPYJ;nnq<|d
z^*?{xwo_rRsd2FSnCoGM4@&(+zrJ|V89@5NN7{dO)l-$#n`A;I*Hg+OoY!7hyG1{;
z-R<Ih<M%wmk5ZEMs#P4#bfDxlM1=Oz1^fjIS-uQZ<;rRmNX(B?xcVTjK1+fxF6_hk
zedNUIPKl`><|u5x?kB?9pFd;awuAj~RlB0^-i#1SQ+l|+?(u`&lPo3f9v};TlcVgE
zOS&4F^klXr%m4bkQKtHlCTsM<P5Eb*PHgtR6qBbP{BUZn)jprr?I*6>2vg_&W_sdl
zneYLnlUaQFcaNy{2_8)06{_F=ae1_APYj#%s`kt`-fUA2+*8k$%vElB*IoF;=d`DN
zpu+C<C$i`76Y^i~zTA`TdYk7<k$|bueUFUWndv25iyowYZ4H0Bc)RLn1Ls@u1(zGI
zOi1{$M5biNwwW7?MJ-QHyXC6;RqERPo58}p?YH^nJMSwCHlO&OX7y%f%#~%29X>{y
zIGCPuzr@jWH#&_kiEP5vKtE=ly)r8)_C<Yp#v{AXS9JNciv;Z4jCQ{c+9IlWDniC=
zApG*YIn-TwGxT_J#A45;t(kbD+-~0|%EhV)c1|R{wfuVo=jp4x7KojY(@_vx?jPPY
zL9$0dd)p?NTrrtFoofzx&3ZK3<R*F7&ZZ+<-@Sfy>cK+kKz8d(`P10O+EvwO*nK`C
zmjA%~P*3aO;O4!bUj*IZ_82`tT1UK8I($QE#hmT$Z_{l>%$Bf@U1B%(X3-{z1ve8~
zv_#i#4l^T9HB!-98A_`*ZJ4TL_SP_t^2T%G@{2m@jf;YOlV|DgrMRkp)_qzgY`yq2
z=sj!-dA?qE-m8a3vh6q%CK8?9I_1=U{=i4nzCGjlymn8`aE{t=B9-NIxVvq+X^yIZ
z@H^)NCIs`jDGiDfUd|H>NXzfn;5t+2D-)C_>bk^NFK_Ow$?`JeTc)<P^s`59I^Du1
zA#OmOa=QOHkB$1=g&l_j>Xpyu-V~SL9<LF(LUwAeHKCfr{`ux=5q{^T&ld9@D3_T+
zU3cqlRj2lmfUniGCvU`RRv4;|U-J3P9?^#%o@)yvX0gl6lDPWuk+fGAhjhc6M^yin
zms?9T)VyLSGyJB7oSnIsQn&bh=jV$Pb2Hxhs$S$ecA~+;#*#HcM1p&%lXpikd*Kz+
z;tgksmG`9VCya*ipZOj+e}_jx{`_yqeuXw({e>TY80YxBq^q0z#w&6!wm+@%HQlm?
zx=pB9EA$B)4_&@Obndm@dEI7pFD!`#PUQBFJI%{`I21CnTYXg$9+4#<*VkOiZs}@M
ze=4Q+Iz768Rp2gLOlGgyI-b>RaUX8W7szgBy<p#c|KiqFul>ir=uVaLUR|@N_o2#)
z*rL=`?_OIw_r)fYwBPtw>u@_6546bJB%e}s*0oWS*HbV2xVffoTnpR$Xs23%Z<)L=
zzvvvOB5~aC@VW3tf1mswAD8a&iyJZ?+NTI)5@mACv(}uox-rLjZtr+faN4(Jl#Q0c
zed2ZzI_?cdYi#BR2xToen!2S(=!HwM%KPHWxe5U;{gq_DeZhZOe@FD6wx`t4wC1Dr
z?WvSki6(q^><)J;ScPoYZQSm?pp5<Exc2p9vo>6guMFf^L94nnw<<<oXB+EY@txz(
z9x>L?_LDi7^?bY3trI6?c|~6EsdR5G&hF+{HhfamQ+~MKr8Z^HG^66XVvB91E?<k`
zcajdQyRmZjwKlcx=C6(~6I~DTD}CD*DwJOJ^|1QEyv?cNS#M+~<dvM5H|gHCynd0I
z1}Wni-XX3|UN$M0=6dhiyiCpDn+qk3hrhX{YR9z9FTSoT69cKTmVwp_6zvr!<zEz}
zUgEf}V|(<=+Jgc@$1+Sg{CK}P-8U<cDH?F~64Rf1Z_jk@t&=*;Zrm~NTcySs9~%1?
zNNzC8zk>b;?N{GPyTNLH=mGlQdc?~4bY+x+^W#<XI`x|Pu2JZ>W^o@#NIVmHYohn~
z;+Aa7g7Z@JjZ!Q-UD&1;>4m&Z5}tA-nBAK$lUuTO<(q|kHI&jWv0TO6{Du5)rwh+H
zEW2oJS3v%U7w)@aXH<SIxmY9gvT!NeR(kc}gv<_kS#u$;cNLnGuBHkc8uOfd>(Q-8
z{C#1sBEmwNcDyXCuybgxqjz|ooWJG6RqmB}tWS#5j(fS?R!JOx-(=FUX&25+mgVS{
zB-I`7eDSUG@zD(?Y7aNPj8+ob={`en8UHk2ZLR_lgUcL+0oNB5lTC7j=iLrD{o-VV
zuS+3siu<P>mD?8FRg^h1!8x*b$=ZyaY9uMizdC<~d}9K1HM-7U%vrTFvWZ2-Z`#(S
z#^#B+>!zmdo8%bwil=90)Kwlnl}DP7+cLHvYFpZ{YG>Z7=c^|4tIHiqXOC4Ih||6~
zZ_L{1+1zDK2NYurPM-LzJ9XuOY5J$SHogkKU%&dGgIZ34-^+WY_v>;OU8@S6swO^n
zxl3@yrLl@Z+q(AlI^T>7$*$nhesL>q3o%5;Bgy1iPon(_&)u~93sM{hjy!OfzRh;g
zYJTBwhDmYvst&j(bDaLR%qoKaRnCU;CDTveS2&=b8fPV7bof|t=jF}wv+5PM$X+je
z*yUKsDs0^3Ph783cekmjU7tJ6eOlPAhlzSuGsP6-B6mAPE|Ht;M~<3u#5CA+u6|TV
zKXJx0(`|Pr?e#vgSLB1owFCAE`RBb8OC&tw?j~o(kc~`)RfS^JOwAIMRn4T7R6Lq$
zI~JRjY-cUD?m4PsSedarYLlsO*Y2|1C-?dJbOR>!#hRB-zH{bEd2i>M;2fIa%_rO6
zziv#u&8|2;af3nMvDqH{wja1Bw|>c#vwX1g)y})iT@4@Ec)aIYE$14Rl~V64$eLFe
zIlrp$YT&L-k)b|(Rcu$b&9ri$ProfS_j-B!k|l+!GuSpCU0C@cSZD9U@%#M7F14?I
zrEa;8zW*I%yp-L9NKHM73lq-Jl_NK-bNetOZGi81tbMh1tut-;lC7IpTe#gchgb3b
z`tM(AzxqqVCxH;&*5!L5^m@yiXEQ3>KP>Li{FFL2*(~^V_BPk!>alB2@z@nmCJN>R
z2h0ys>er%oO>?~<y2CK&gqHU$wxXTZ&ey%)inctodeQW%drhnRgBC7vReGIAk7z@A
z_WS*Zr>Bx^?yY$o9$)hIY&BKA`=c$pM^5`$O^@c?bQTt|UA7)>G66*TE$#y2XaR07
zshl`J>4{=Q?<YnSfwU!ed@85r@qBJF+1o2-yX#$DM(xG`cD2~_E6M{GReLVvabFWz
zo_pb{A94IKKaQGA-G?dkYeYfw{c*E>$~OAko;OyD;NhxhD6bmhcA(ui&86O5J+z|3
zvs%B)(NEx9exe%7?u8w1>O%i2{}(-fzJf(F=B|B6))|go(Mt=(gI<4LmOJOPk{kQ>
zIzq|ow++prdl#R%<0P^^&?Hgk^>cE>W>ZgtoegXyPOA;_qqde6pLrPWwUl^<v*mr<
zzUb$~8GAd<$nd_OEx7-BO+k|8uBf0Ddn~52h^Nr<Ix_ZU8MN}b`4jtQ29{lAA9K~5
zb+N6P1LsM@3c0tRt$l9`*d4Ol;@4uTYuLeg_5H~d?&UMuk6B1tJPA(U(Q<9Im)Jvj
z|HCWX1cbt8dpVtANqRRkP*O5;T}IM?rzn^MqqOA@Jvilbb;VNR@z>MR2KGsx-E=2b
zu=W43_a<OXool1^vywm<C5RShR!9((VJ!#<3X%XS4rro?L$QWIiUUd%EY68oi>(7#
zt5&T|oVE(Kptjo9A*i+5Y6WYpt<-|0t+oyUQ9%&i|6N%bwY&d!_J96!o%0>`zP9a#
zWF@RXh`I0QenuI7n{r!Oocy_D;3RSBu50rWdu0ymd33|R|NJ}uzsEJ(e)%j=w#nn^
z;q6Y2z2EAnt`#iy9=h(=C0B|?!#{VK`+)9p=D@pOp6YdF|Dl4?#NWx$!#39T>3A!k
zYw+u}r$5?~{@_t_+|tQw=7{?(zkmAutgJy<+YWY!vsZ6>IPl|#hgbIUt)IJap75l>
zb6R@28x6;Hiym~Sy5F2|`;Xu&;de`u8h^;1H2GRhWyz@A;dz_J(X{Hx*TtcJkIvqa
zsK*_9GO(6}-xnXLe&*f0;*}B^Ox`$bk)coBYUi7eyR8^=BjSgmiNymy-Jh$dZob;s
z^Xo&tD;zwZJevFPUH{3--@Ci}&(u%I%Fp}Pl(~z0916X4OS5*N__p`$&3>;8D4R9w
zV!*@K{(C%%|M^$(fBoyG|NPYbx47p2^?z^tZ}BMp=U>E(^X)0OhWxZ9EVcChgoK*+
zN0$!m;{W}Pfa=4aNE)79y4Y4>SXWc=<8R5|ZVOMCKTGYmdB>7!nRda<xc9#Z`F8nN
zOK$ppgT8#@a^Y6pg)0vqp5EusXV=l?RYTgU)}49q(-qF=8#Z70CU&g1&l?BF{uy4G
zeC5uMWpt(c$E&+MsV_YAYE$8#U!T^0cIvZ*_bYYF6BF`>f5h87_}vQ^H!T>wed(3-
zLgw%1o$pWm=a29IjK7~-{Ho6Pr#j!C>U@9dfB1*7^ZlvL_oq7FpXz*ns`LG+|KX?3
zm#&a7WfUZgh%?TA|IG+>>V)CRDM@(P!8(|cv2Yd+df*lW9>)B)pB)uvo(~)wH)i+*
zIUb2;=eDfJF}5w3flQ_nfin*5jCAS?m$zJi8QZg@9Pr%83zxG$uK8&Aa{ulw<}S>C
z9gilP?&d!n&osux%(&wV|J&o4KX05kvCNKI?^Yhp%aHg?lWelV{6M7s^W|}`<nJzT
zI+?x`a_3SbbMx|<SEas|DO@}$WB#&$J^tUHe0=Q@xV6B{@tf{F{`!pf=kG6{mGk-w
zm;UF=XW%jlo}0J3fqy#wtW2C!vAgs?A3rBIo6T%k@BTmDf2JS61Xyq@<Aq!K=i4z)
z@Y!DLpS})74$i=^^%&c$7$0)G>;2siobCBH&juR5(0MpRfPduv?(?_-Fk@jRGZQt#
z{0(h)Ii_oYN9v7Vc}~{6?0g*3G0nxB#)3`9wS3<iZ{;6KIYI1X)xU4}*xkPQ>%b=_
zpBd-;caN9(a;6`8rj%s9sNL~i_^D!s%#0lr=I7J){8%r?goo?`GUgu;yUQD|8*hAm
zGi4P_&wDSN_ZN=KRB*`jtURViV}D$~JRB9lKl916vT;HqbB^V3_V?5B4aO8^>@UdP
zKjt{>5T0?a?B&Cmj%U0*{G7o~oc_(tzIeOL55&tiioa9s&I|iQ@&A6gB<2V5Z!czl
zJp4<?KMz+oY}!e4bMY)9uFc>qRQ^o-+-%Hru>;17nVJsHvM^7eco5R&M7RJhb{T_T
zcvvzsYhE56VVp554<}_ZaDrwAFaZhUANZRN&sE~!4a~&jmKh7O3Sb_t_5kj+z!>~L
z=7ERI`~{FVFMUoH;6BL0bUa(SU>5!phaZ?u$P9KmFhzwYiL=-*=cOc(@uV3mNI3Mx
zjJlfxJ!}GrxfQ!ck}+uVZ$8JI^JL@aOh1$_oI?CvW&0b^?(xFs*Y1-v&3vW7ir|Ea
zaSHQqp1=R6WoU`R1>n4V8P5-d05j4TWTK8f#?KPV@CR1W&SHFd8Of!+%IF>*WM7WX
z)sYOOd%WsEMhM8kbl_f+l>J2yC;QN@sx*-kId#cu`ZZ^O05WJdIZLSNNxJd?zD!Hh
z(aJ02%1XQp`-6St+g-_pY5f$gljxNxJ__&c<a%A2>o4TCfihA-`H~;hrMUtLA>^eD
z$brQq<dfIO!7P}kBb~EIhZ&FyNxMmIHpy2)3chotBoRUeXA&ee3}jUP9#T1%91k#4
zwovuj<P367KDjcN?5j$r2i$1zr-iCIVLEwO5l9Hu_fSGId5XT31#$`&l1&Mkt8^j}
zN`N3CH=fWWKuJ*?mrNi^ilF2Y{<97?dNd}Na1xTHPDDW+-6TSege&pLSsa=lN_!^6
zz{LcSJ2xSJQBJ5hQ{mf+??eXkG_QpGTvbR$X3ngYVLbp3zK5n|=D#JGJThZ!df2%N
z6^cNJ=7NmVJ>dwCp8mdWk4CECiZ-Rs3musxxywUjDt<A*&sU_+%c@HQO&3+-TZ$@G
zdS0lcMwQGxs!65^l|r|JjHkJpWY<}lp_=d#KD{42xfck<evuPs;u-_zZ{FB@RinQ~
zs!GpFt5NXXvKOdABZT86i3`3J*A#NI7mVlAq8Pv7{6uA(lHSGfiv+^^M&k`y86=C2
zuZ)gZ1|@;n2|xy3Rc9|yT!6#3iLQE?4vy$Ea`W?Z=RV3f>pVfPsNzr1H=KoE_3`Hf
z@JKIsL)EXL!NY^*a#TJ$#tpjxLB$ZPUcU1ojNR#30)}yKI>Ig(dn)iDK+V(hX$9+n
z&K@edKGa{9-2vnJ4qS2?K!GOzsqsD!<6c9$#h~y}X7;OwDp(pNe-p00#%(kppN0ms
z(y$UqHweEXd)1NTyB_cQR5k;&a}b(`JRQd^LC_A+TuC_K@AB!$6QQTBPU<v4ReBym
z0wN7n{ejf3^NV<`L8ycqyjhNT&w~)+0<jO3@RU^oFofLDJ?#PTT$30)>p31Pd0K*|
zBZ5100q2~1F^Ou)c;p205Jz^DL|?7a6tu=78Bd{&Loy=xx7b!0GIa0=rzef>zW2%v
z(9odtX?)`0?%ZK;A{HRTOXl!(Pto+}^t9!7NH@XLl6mAvbPf<fBKKl|+OVmg`99*1
z9$_u?^5-o);6H9~>C*TZe_bv2pVU>BP@q)^5Gq&d1PUMbkoCN#W+ykd)^<0lB(}h(
zm|Inh+Lb<zTm$@?^B5X@IC*~&g1%54xi|A{EzApmb2*UrS0FwW^em9R-SM1UEJdJN
zF6u3R0?Y5TfXrRc?Fx~QG-@pB7}1SF98Q3EUc~NMg1PD0;>Dl=8Je)1cH<YL$=ayJ
zFl9Nu5!sK&lJjd}4aSWq03Q|^ZUx}O9?AR}q4$?xfNZ4RDMyJOBY%H8k^V_>i$dOa
zK@W1gBUKOyGu4DbeHgmEOTBp-U$+a8vvxjn5Py(vh{`5;K;SlhlzLUbazTlQN8JGL
z1wM*8(nAonxHsOh$^mq^7Ll?b4$-?^gWAc%WE9laIuXtd4PCAe{5oJ(FWSEg=|K#<
zRkB9;L><+PI(nfYPdEdg&;t~G8wRXupc~YFzYGbz`V6VlI_R~thjz43Rh7daAdNsz
z=-naZn%OB_piu{^Dhca}qK3>Z*CQmPJO;S50X!m$WEAO9?g5^U+PLU0()ZK)&Ktdv
zD6c|D>R})~vO|Pufj{D=7OK>56=;Ywb@L;&zFLKZh$Oj(pXe!}NHbXbs2#aFqFVgy
zP35X8^hnl7p5t?B)%f|m?P)uDR81as>j%JJP{hqw56JsoE%<#>dsGX&sgE0%um2#k
zmxBsF?ZjlJ^~qkE*68a$WJNOm-J0bjUzndjp+seZKuOcJNR>V-bZpYvS2+;TlTMIP
zh{rrf<pYIAX1FtdA*mb5snf>Gw3FhUG}^d0X`H}qrPM*<QvkcYMs1ribpAUqWTA`U
zx38b$sh4e>%!51f>mcfyq;kUSpqGE~bbh4s40N7>&NI+?20G6`=Nafc1D$7}^9*#J
zfzC6~c?LSqK<63gJOiC)pz{oLo`KFY(0K+r&p_uH=sW|RXW;*rGvGNg>jnNFfIoow
ze;-Wm&HTT+4gYsG@&6VwZsKa%730+V<k<IV?`qtE_Wqd`@c}M7<75a)jwid3fjZK4
z2KkzX1W4LOPCGy-l1X1ULM{xi^Ci8={9nnHIzKOf7;<J;j-r4rj_X5~z#v8=C>t9~
zexMmbx{@EI(cTkd6yAljw~WL@I~exT)F?8W{PRmXdeUeGzS-yrWFlGj_z0bxLMGGS
zLx|8Todff*Ixtt*cU&RKp9lGnMS9}ZCRib04T1m|h7|&mU`znWl=)y402Y>!fp`g5
z2I-X}OXMgLCdXq5Ac4>nrEtkhP=bAcOE<6@&~Pb3_}XIORw8uQ{Pll912x~Fn#zxN
z&K3=jobn~|b`uq;6M{h?#6p2EC5(UsNnKWwX#QB=JwACb2V|>hAE@wd*z~AAPDy?m
z22rp`G&3!{?zRdW265xihz?OTa5&*y$re>#Oz%X6!(zjy21xQS;YHy|48Y@MVSpDW
zo}Z|6!^oc2CCQ>^g?=m9qmXido*KS$rg#@9lz4+4ws=&zx`=RH_^E`XNeRXIQV?)t
zMKagw*T^?Wbwc?4aZ1eh^75-!fNG3pGJfcy719<AHp81MkoY?d0_b;rc#;am%TPR~
zydP+SkCdQkL>($Q8h(~j-E^^?EUj(=6>3DGgXg0xQRw-@DD+K?7GWjwxQ(`PN>JBx
zoY1Csr5gRlrlo0N$3TMy)pEnoGJpSMX^MM18tK2Y!hhFZ|Mh8N|22ayVJ8AkenfJ`
z{$*<-^Zehd=zoX9Sdfcc!)hl#18!<$nE$-~hb6}qajU5LoJaL}HG~&mp_G6oyWq35
zY_c@rLR97jI(L&cStoYU`R~)577rG^BGOfkT<nO?P^3x(63J2N^Wgg@*Qs1xZiq-%
zn$k#5jy%XGs;S3R#hk%zvYoko=&k97%K^jb9jYdA(a*nqK0j5_m^xta_iI&Wx_x{3
zGI@^_b6U<kgV1c~c7j&Z)cm|*c~7F=BTCdUXGwJ|r&>KBOErT~p)>b}C!9S#x8`F~
zz0QwA;xoCi`B?91y1hl8M8v|o;y)`-rL7HxusacwM|a*$Zs=dACjEMsxGJ`W8$hvj
zOEMi@Ucf7D^bX^A<%KmX*20#h&m_GkFM?2Ybjf7?#N>ewk0<6OMXn9}>AlRg(M8c$
z)5T-11F^Mo@P_)p!FR`}rnVELh}%3z7WbiN_w}bj_iW$xdEoNWpjUZ>KtvE^vGIQ&
zfuQ&dSv)kYcvvbnVv2DAMWj&1=gi^W&fL!3*0Zup{!KWO2{KU!FFh0J;zs7*xhpfl
z>jZ>dm{J<DbIt4WyCDaAglrypI%M0Tj0^SGCP~v=CtPc2K6{O*q<m|?m&j&v6|NKR
zsT<DTBPyt{W}-qb;o{GMK#xY`sa%tL%k-;y<4<M!bI+VZ690u;H%VaQIRYq$+vlJ`
z-*^r&|4y8PSB}FVdBkPO+Cj;ZVx?|Yef8Y3KdPo)=$`;GZ`42X2b4Lve<0A_gM0wD
zp}Y|OFbI^R=0vpN4`vy-XSjtI&~0vEE$22j&%cqY@g{C_p}ltA#QU|J6}3ESuhRYJ
zT16>!`7^4Tq)zIn%AnGq`a?l?1VOd=LA5_B`N7`KL7_qQoDXVatKfO<jSrjPWbLy1
zwLx=JZ^@JD(YkBZ-XEO6HwW5l(srWHT5!LkKetC0v=pYPt3^bgJZ^P1XIW~lD)7>>
zR5H2-9;C)*t8W-m@!{m~b4^3=C5@U0s-Y>py6qyxT~?EN=THqK$+<(b5%kNxmCfsu
z9k*xkrkx3wvms4{E@y|{dwXdB1u@y65dDn*C`S0tG!cGC7muNfA&B`nzLHdR_Mimt
z!zUA&A5VOSm<N=YmQ84>gnPM^c55w#@O7)GaEY3VqCiUFD>ENc6xUMhL31ftF;L9M
z5wVO<9M05Iu<`GXn!2CZTs*=*SEQ}IUd$Zze6hSX*HvB%e#Q9O%*PbP*NfSs&a1&k
zHGbT5)DO?uAJxFzSNwgrOqmok?W8hx{4!;aEXcd8jQ#*W1(idR@_EP!kJKqi%9z6F
zvXqk)dQP>(gw!kxsa<w5q#j}tV=qi^gC)@#{i*HIX=^S(Odx(H)CPVt@OUlkxI_q~
zk91P#y@#ll!T<vS`lTBJ3seaFvk5@r25If8BLpF(VZ({(`l%CF=nw1)IVqspau(-@
z#$GKM{UPXr@2IdFHYg`lS}WD_C={H6e;wh)rpnMT{M0`v+-QhRo=c&*A#G_HB6`eN
zwG(4se*7nXzOQ8kF=ZW{QNAFSKi$;{+rOdFa)O7SnHe(!%VDZ4sHg=+qT(9khFy!^
zgXJ(Xd7P3?0go-!1eu(4Enbt%=waFz4?co8?uxqL)IuL14IfgOnt1GpZL1QU@z=PS
z9kJ{Mv??@aYbbWaau;5SDOTTMEwS*)iBe@;)ir5Vqc<anNo#!)mGM<`rFXC*_Ptix
zw!P7)h!J7>7~hk=p8`jJu~0u$&7W~1m_j=#Cy<Bl3TvX!BC4&gWJX@bM;YH~1fdOr
z<gf;zB-0^jVo5CRx=J-TY2w)QyqL?G!G)5*1C9W$)bprP3az2qoT$fZs1~PE>iad+
zk4co^F4gVOPEr0y2kHh%K}2F{^5he+DwzX&k|AO;9NlxBJc|FEDHD@4*OO|?cZ75v
z&81zl9D$&@f70HeMbo(sRH7U|9u-7|n&8%{zxxzm-MWHx4mvfwvK1QDT<#hCZ#RbT
zzeIfke)~02(J-Fh9{kuif}>-e^MljpXs)zv$mCySG`G%6Rf#{d@Y<q@0xT-I2zUa{
z?#L03BKvzdavWY4NuX=OSS3Up+X91TYyJ`yIP}lPcgSZ${b`z8p|A6*)GPMmovfAn
zL8z=!5{H%4u2boHd;`r_Hhag>+>>=)XK1d2Pzi932vw%LN{`{sve)FKE5B_<#1Xx;
zS;2j6zk*xoC2w}{)#LA$bNEq_)=TfO7bG6(5qE0d<RX}w2YoWP`N+7i*hjkQ(ARmo
zaTlJzo7YsyBSQ1TAd{LxwQ3#YjR0QXUQP-age673%ma<yq2O!p*SX^Bx%3`*4)z{D
zoz_MYmHYiO2-yEl@0HZX^YG@L`Kttv^~4#9&$~+1f@VL_NI7xhD0pq{?c?`uz<0_5
zXWn;8sMt@O<GT>QD&M^WK5ZY};_G0hk07BQUgIhfR`~!7o6Ds=VgqT9VD65&tGEtx
zSHajHTBJUpQ%~1`Oid7DS3#^R^twm9cTcl44n->egomyx)?$sU_1-B?g_^rz?T1S{
zb^ynNEA?uJUQNXKVyPE&^%yvWSM2pOP+n>`xz`WJ+qbq)etze9!E=5`+t$|l*2&NI
zJo9eJlo~GI1L|mOu?u}EC~kj3Rqsgm_gj?N3nn3+jFSeh#<aACYlD<>e{kDasKe{P
zmCym`)yk2lA1thefM+C1>X6>*Wtf@oB;%2aH>K#Q4E3i_CVsh7`4|N4=&pwP>`4Pc
zqylwCG&#jto2&gv&XWV=mh1m~l=ha=(4`nX8y_h}Puw0M^oZoj>-)nDU-`WOg=k7Z
zy(4l&_&FG8t{nO5bUtSk1uiZ?yL5A@Zp!^*hWz0OAfaA7uviPPBge<VwUu9$<m%ga
z7l;Xc$m1k5koRaVbvUhszC<2Fufyx0;*j;^Jn91Q@ZEARR{z{gBP>$_4LuPKP@YM@
z6Y{L`$un#~UI)J5`SbEx#1U$9hs=wB8yq^W2cUMDK^P723?31#Bvc_G2OWS{ffQzv
z8fu@b%hRVWZcpJ+^9HQX!7L6Gquq{OrRU@Xf?5Q9kn~%8bLSA=t}X*O2yF<-XO~g=
zF485=+Gku|p~}#)QvJbGY;wX^(!G6h5$M)9Kru1xOhOWm@fEv;E#m~78PFX48eUPI
zEg17#4-(wtX+C$Y4(2<+nhu2gu2hCxA}TA(wE$X@%Y`+t23;n-Rs5BxauIOQ^H}+g
zBI(1Dl3M(POzgTL%e_d?k>x@~LRBqFaX~lWA#}NtLV7>E%UnyAt0~DnkE;5qe}T<A
z&#0-)!)kH}2*#^Ff5-7WtvC>`IvX%9#8ChV?L*4n5X1Yq7q27+??Fp^(QtW3DV!Kx
zb>bZbABhaoEg<?O`5igh4l_p^#1W#8x*>FNNZU~fg;3G!+5QN|tdcL?FT7e8;vV^p
z(};NCQ(x3PtQoqieNmWvNdijSI_J)y*@8Qd9;24<FJxTp4!^MC18&YpCie^eNY4vE
zkdfo~I1*L;0Jk9N`K<_e7(P1GFcF6Pd=}+8a(tYjUANUo03AJ^3v{B!Tohyg2QEVW
zig)!k2z{<xn8o{X%&tfNmq@Pq`t3JmHzE;ndTjX=7$%Z0oq_fz8h%DoA1v1WBGyIn
zE+a*iKnP*+wRpP}ctIZBzZ5^VyiDl_BW^4)M7+1a(EkbLFl{XL%^dD;Zq6ylsZzZW
zw+@<`U>j^x9)FJiTIf-HLFJw1Q+#I<3Qr-1w3qlSlA{zfB5O3Y6+MrbHbBJrDx5Dx
zYY}&tAYknG)f%O=!CU*pfcRBchvx=PjcrrXWSg?6Ytyrq5^3mh->s0gaJ8O7<?iT1
zG<>*x@j=)=T>o~;egX1Dv06Y2(S)1wdeM-Y>FUi|b!_njk(>Lwp|=gUk@^CsCFoC@
z+u%X;{nzkVXsb9rB(WoK)w;>m0c-t23p~@@_x0W~4C}*f1kG=WJ~nB17X?t`r9s8N
z2c3gfI`Bk7?i)ot3=maNa8|kc<1up(QJz@UJ#5a;{ojVz>>=)-P`pN@zNf3$)j#j?
z;$@K5h62JWp@I<e<xUiSdR*W>l()RC<9GOR+WvjVrJK^Bk3MRXY|DoOx$?(jIs(e8
zZ^xou{zb74SYwt3ro4Ze$4B1C$+1f^B1h|`$Bv>tzo1(w@oC=bA8sM;0|cS4c}Y!L
zr1)Xi5WS-PrYAZjMze<B={9GF$A;<Qgf{mY^cfgI6+eIO3?D(_tGVs@<F@wu9Q`au
z)Ud!K@|Y8|QDABC3_;rQu!x@p-Qkn_RMWGiiwrZhg0;x6tavUe=A0ULD~Gs$=!!b{
zmD6g?3U%eq5T3^=WH7u_z5x=&w-((hka!Xj&-Kf_yq1$({X6;s1^xlU;(TBQ)!=cQ
z(5ny3{Y$MD%tihcyj`GkuOK*S57JQ(Ivs%;Vvj>5>IuTWL_lkg%V<dSyE3UanzP<N
z=}q+Ksn26RYZrz8N@pb9lzBCyMv`lA!m@51$-Rw!ibB^En?r63izcJD!qL@Dv*@_i
zQ0*Z!>_XhWpU`iL)Tb!!5&2phdWim_L=&Ho4!?=E{uL5(6A5b2^`LoQp=#uC37tVF
z{qNi+J>$L;FS&`nMc<G;d1ugZbd>D)0(C1#We!)7GGi_mjUPasJ$qa2fV95rQ~AR5
z{p5D#pYQxMGHRQmBaUeH3;zq%t>1k$@2SSW8Qt@nRChqw_fMhUFVyJo(X{~dH8tT{
z;Lxwp#RGn$P6_$X{YNyQKX#MBzxsW69n}jr|4<rSQB4ZZ`3Y_cqrVM6=Y?ax^jmri
z={3TkM^G86KnGpW9`u25e5LQ`PY(!_KNcR?Eu3144(P~>I;w6nT8I9n2^_T@y^FS>
z;sbt?H%W&g-=JkkJrFGpOql2U)@S6H(sg9=M`*7Q=;SSEVo4x+mwdjO9J3e2?I4Hh
z&`z|8^yaNcZzByUeG4g8k#TR3?yJyp)U5!mAms~is~YigP&Uetai<}eg7T3H%|ePS
zzg@G*?n*4(^Ik>CNa33^5p^4jM#DAqin#9_G`qX+>kDqIrVcz%Zhlr8a;4!t=|Z9Y
z`kP~iUZ<+d54HQY-R&P;N8L$jp&T1U+@D0mHK97CA>iU4!h#<}9+!QurrZ*~ece}o
z&iCmF-@_?-Vfv@OhYtv+YJE?nlnH0;7AiLfi`K<ofAu?|RxjL4_rByW{IXQIze2e4
zpiuiS;qnj5gz93^?jm8qmj0j9uH)6ho{NO)57B!hG5nqWRfT9J>A9A4$S5Rx(!J-Q
z*M<A$?-s_*6b{WqX~O8&b;7vm!KWsp@kl-pjTD|&k;0i8@7blKU#2i~GTB!_`lOI(
z97&8oiAd&xq-Ze7my*tdcazRxBoTyO6Fp6?Bt<lL6dH!cAi;1HFN~F;7~~Lz!qI4Q
zaGY?QB7t;>COxC@;0c7H5F|k~N(mH=h$cNGqz5hj&S4<xkAef=^AFxfh!BbTq28jI
zivBWJaq#E;P#@&b7xh9tgx~cLf7aa#b(O3Ia?p2ko_-p>8pK62j<yE5{v}RN`At0e
zvUuuO{-{>GaKcTo@{D-wN$@=e=S7nemUf^=;rl=|u2kIqU|_^wLD|>Ee|}dg-gsPG
zd}ILUTk*bcO8r)pi&vKUy;UJ1N=rp!wur`-h*I~8oVBGP=p9kSYTpOTeg7;d^{vVF
z{VBuu&H~Zkxuw4K(|muQESj@j6uG5T<gF3)TqY{mBpOgs>Nk3^Nce^?nk^!-O2tc(
zeV-`;4rYj)m8E_;V@1Shp*q=b(YW2hf_UNLp=g3|^|(@DkxaNeMyMVloE1?j%nkP2
z8xYb?3$ubs<C6Oc(|ZfGal%_eONC{j!fnCA{n5hms8XReP`GP=_^wE}nJg6+^bjuY
zE-dOtCG;s3uJRI1?@G!0%6j*FN0ieIdG=q>P4tH60n)h(Nw^C42#^P!^N?{}kqdGw
zCArRiVkf@<N53$yQnIgr^l>A*yZFU;l#vp5(%*^f%lDh0@SDUV39jE891UMV5QpG%
zH5t^G%llI;;Ay7PXX%b#gN6(lLALyf++Z{O46z|xpM#o5JwWg*${^<`N{|n#tcG9S
z*Z01JDA6PJuVWBV<u6Dj0|nqYYQATC8voe}mA9+FXUIIaFQ&=jz6H7-k<X4J1m#uS
zt1U>4U){Pn;J=(PV`wFs2l$B)k4zT8Ly})W@_{G?{4_1C3M_HlhhP4+sJt~kqXBfe
zxeYYzz;6{BM4*Y(NdIzJ3$%~sZrRl4sgNd(eqJ}{5!5N6M7<kkKW-YREiTdjLe_5m
zc_aa(U@791Kc`95I=Fru0{lL8mV!9A#({@8Px}>DC=4)KON?=FiYZo=2&+`PTH}Vh
zAp-}<^8<g<Xf!kzbvU@T+|FGYxK&dE4rxHW4#)88KSxKO7N-_%OEZ<{$UjjcbgY&|
zpZE-Nb3xURn_E{mvzDXK)z+4jkgg3*W1s>^SKST(6}*j(t;c7C$Ni{XL^U;uwdHvB
z?L_dW_{B=O{s^pvyA^;8m6ZsM!Xp#yC1(P6kgg>FCqO4e_$@3r3YYoIT4x@Dwzt7$
zbE|SBv^?WFE@(X^gq?)9`?F{GGRI*`ZOxBzDbVB)1o(v)5j9&bC+X;rp7>??Xx9@V
zJyfl5c{)PQPOYs_T-?-DtVYklY3N4$g0ATq6l=f0?>ytXeWCnubFTVl74)p7X@s6s
zLatT-KLU-%S`0N^2SR9wigb1he}p>lUr2nBbLu^rtbz<g?%IA%&ZN)BY6s`vLY-uQ
zev^*UA`V~QN~4S5F-r7Y%uzoSb7XvQXif80`QU#zm-wU=RqIn)$+l;BDra3e7ft60
zUK#sG0>?N=#LN-VoPhq#Q6<bP^8=9_jsI!)Y>!08SKytlLsH{vJRifMs#{xXl%*fT
z+?Wvc+68+iLE@5@1pLKx{-^T{be@6EGthYkI?q7o8Te1mfagfni~Jvd;J?8CN0I|3
z7LvntSOB2Oi1$m$@pWWC3>o(``5MW0!V-WR$*0GY3dKaD0gxud20)V404O9ER*C@L
zBdK4H(jpquds_h@&L{wkV+4TV7|Y6O@5GOc{C^B7B9~(NUrOo@81a7!rvIPP(XSct
zKb@RLCYPA-Kc@fPSp3h>e*ugCG5sHJ!v75Yk7MyaL;oF&_}@tXU$x+WBmF;ZhyPjn
zueaiV6a7yy;eR9j|H}sd8|nW6Gycc)zttB18|goT|FQHCUTNX~9aFl63t9Z1o*y0>
zGlQl7_&qWc{m+t<3-d)^05h+jMvH1H2xfk_<s0#Og%r;uPbI}Wb9CZehs67g4nP+M
zCg}!;?+rhb;E5%G`~=1USo<560Mf+~*a2u5r|iO@r0PP}0Z7LZfJ!<lIeuKVzJsG$
z3o7nmWyIveO24p`m|H-<;fLlc<KvX^5U0$m(*$o+il2gxxUJmiMPVo4YVt+$V~%Gs
z&}uj=Z637th&J^40&SM)>Je=i*_|;1;<fkvgFSxL{t+rA9%<iA#)3fDrgv*KO8vWu
zX_8kHPjbeODOuZ8doxncmDDZ^;7{~%PpBPP7O=b`VCCL`x#EDCk!21TvcO5K2?VU2
zxF#U^en5UjKtjHYD<cX>PD}<~bX3=U;eo@3ZB@j*>B?!+pU*!*c-6C>0M-P4AWMhs
zj~Xz1W?JrhOLbcU_UU8+yH5M{6m8KZRgRkK$PwQv5lJK*))T;*K$zJR81**45qknp
zT(Ku`U$zr#0{V==%cPd^1pG38-!?y0g*}0RJ+Ei0&U|}0+2{!rwwz%!f$m%XFna<|
zdoY^7c#9{%XaZ-?+#BJ;cmh}x_`<Ky<O#G*Tg?R$K8ZMOGzC6lO@V3P%a{UzeX%L9
zl`#b(=3rA`E5(=szuB4sTPI^vV9FG13dE=;*H26i8hw0Za#GZspwF=>5R)BqI9;6d
zsmT-w*n&-gX}1_tpe51P6cF7g4Ic78)f6bBmNTXR^>z<xp;W%yRunjU?V&{!kTRk`
z1A18$7?Fow6a^&y=w(p=djjYsQDCTtesF#D?AI)&K>tYeqA9@m1235Zx49iJm;y*S
z@fJ1()Jh)pSh*gX0+c@GGwK{keW{}^1_jkmw3-5ZJvIfXBBLoF9fM5)ZEm@pDX{Ju
zvX}x@QpB19=k~04$rMo4+L;0uQmblTGzHXc>K9A_EDE3(O@YhV=p|F&XWZX-*%VNz
zUor(Sd`B;t0{E)vMN@#$4_-C}uqc53#uP9g)y@=Pj{2f0z#R2uQ^0i87fk_t)L&jO
z1+qddrT`WNrrVkVCoyfdm;xuC*_#5}qnFy70$3C{{jw>rq4@<<0E+@yR#V_T>hW8#
zKCCE!Jpq|X6vzqv(JBgL%>z~xSTu-WMFH#yxV=6vCp0!w<)4|sdtI5AKZEpneO_ul
z)i#&v9sQeogeUcUQVE5=q}p0yeW?3sA5jhXwk}dFVf$%HF=+-h@qKE_Wop{ksw7YR
ztD$@__6%t5X(mMTY72d&{A}#x>8TUD%*xNn0_tZ_$)#wdQ&xKZOrlPrSeU`dnUyy)
zYXPCl9@PW?j)2e;&>&HcTUZ(T4xy=HdS46D7iETi$N@>i95@^~F00`6JRzSrGbbr|
zdn{3xt(={7+X)U|o50a!Pr!#!39!-->%k}ugh^?Duobr<^T>kZ$(tCbAvSZr)oE~e
zij{_4@=YeEA$F1!I}HhWc_XPCZ`OiHNga*R#DiDD#HpLsHf_~NPtW(~%dSD5Gp)v~
zI^BPZj@o}wb1i>Se(0O`)0aYCv-07W;F~{Da^-T|V+vi4>jGU?yM7;j<2|2J>iFg2
z6Ilv4K0RulM@F4eI(nk?DZMH(GZaC7qOy5d6lhjuzdqCdmk;85VQMIE0>P?vRM`QI
zy1eq!j6oCJ#|7mU(nX}-ZJPUC2Itm_8*hwUK<~gh+ua<G^uJbmI%V9F@6`wc)`h{A
z8_8R@yNpZbC|!V4@-NwiZv=06u2dzwozq;bp=-qQvJEca1QQ+e-%fou^Qj=~@n%(4
z*|;0Y#i4}H!sz~eLe)}jSlf@V&|^Zf4xIT5k8)ty2LU$^#L*Y}kAQ|YP(n^s;cw#`
z#z(+HMQYR5Dn%=dAGsiQv2(V<aZAqlmgEUuVRr~$K(IO&;52nlRSo`$ZzOgLss8|n
zAQ!qM_Kv%A)~k@Z@j-D7cN8Q;Jfz$V+m!LXP7M(!0H#2lI(%iAN1PbM;6RXSC5<CE
zX<QYda;3fZ1fCaq!yA}bogJ`)2Yb-W({bLCKu1F8?KII1CN6!WVr_GBueQW&NqLk{
z#VUBErjA+#6{`~6;(GUjUIQNxhkIY`{v_|jf<SoV(s-{V*yp7w46Kwk!K1*6tk&_n
zQmM(Q`O%9q%Amko=s{J@84aIqieJkcaNe2lEu$B80ND)uRPrEo94eXzDU(Gm9Yo=t
zjRmS^DA+&n)1YiZ(d>Gf5bb#l(wdv^33mn6!eN8%i($RpsNdCh2)emhyhBB&XJyw`
z^O>5`IcaW`lu>1*+3MD)>;+T2XpwXketFh$g&QGh5w#^Z=hC^cxrx!r_$zYhIf9N3
zf{?YbW$(9?;i8fOmT6-IK!Go~X)mtR4oa2OOT8usQ_o{5B#&JgbB#h9B+=NH$r+k+
z1p6`v8}KSMp(N*b#+RwY5iZu3nRBz`)tGw+#4TaDQPlG_*Td_ny=$lgPSm9}R8>k+
zu<PAmk3+!|NBW(d>*f~#QvXsov?->Z1BdEsKpF|BB-e)@f}Ijs2o?xNcn(f>1lE-4
zV^n2m?}c*+-dG2!nNej-rp(vheLg_AjuB;s<+W|xV^U=%;9y%&*O1HOWI*A!c>M$V
z`%vLL;F)ZhbS%0^b6H#FGwi$I7jo*%yasH`I1m<F#<4$R%LD{rTP8j$NAfC>TdMgh
zK!tC<2-`9iS>`5V%a~-DP|kcM)nnHw#+7Npu1qeLW$axUk91e7E2GD<Oc-Z@KBOi{
zPIHHy3f6Ye*p~^c!Ey~p&k8f!eX#OqmTRyxQ?H&Q^^Qu$))i=bLGitNlZ(`I)OxO5
zKN*rgCp`4GgZq=X#)WMwom`)3_Gnm*M%O&XK|TrqYcyK3M<Z`m@QV+rWsFEuv4320
z>>YUTcv{<Xt4R}yO&ToHthF_1ut=jfnKaQ}Ffnh}@rTWS>(cZ(`th|pCYPqQW|~k@
zoUjVZG&2)v59tls!(SuK%jP;rvY}VK^5N2!$VlwdNQ*(BCURcWo_Giz7ev|h2EN2#
z5^GZ9+Uhw3U6h||^=ek~OPU+K8LuY1xt8^6Ah^mX))2yCj?!O^<r;r!*;9*JgP!y4
z)SBZ9F9UVlMy<IV>CUP(PK;X9?^UeU)COtg+2D4y5OgNBChgUc9S=S=sx|#lhx8s+
zYd&$3-6P`_CbgzH6SyX|Ms}BKVbvOE{L7A<G776Te{$rkTJ!8tLYk5?sWmqppP1B|
zKl+D(ul(VFvuMfykt2TF-K5quDSWMJjSHjJ)X$LL8zBI!*34$q8ZI)cH77H9#Dr-U
zwWfk<w5T;vU{q^DPGYr2fHPm}dv<C~+8^n6sKG|HMnhgVsWk!)R%<?H)S7j4oJFmH
zXC}3V5SrB*8A<)lsx|P`q}C9#OlnOGPHeGijVAUZlUf5ZlUkE9oBG5>`h~OhCoXT*
z<jTAK)IYOo%?9aj7PaOz!u$?CR%_A%21Z8jG^#c0lEhZEhBM!&*7WaEsi9m=YRyX0
zqSjP05T8|R&dF<}7_FGpn%`u(R<*_<#i-VJbiry({zDtJ#-oZ+Yi?n+X3t@DU(%@7
zeB=0)x8guyx+-8p2!1rMT4U(?23BhjR%_~!=Mt>e7_eG1#$)&iR;~E~t2M)u<!xB4
z8AD;U#^ocd)<j1$YE1&Ns5N&QgjYkxM!7g84q((8-)6H~^F;!Uw&wV=YRxiaRBLLm
zT65RUnM7u_CKQZnO%bEkjE(7a%SNr)8|7+IYuq|mwdS)ROsnv>no+H}BlN*)%}-$_
zwdSYz+a|TfFvS-{@)N9D6NDZtt~04MYZO&xwFdVX&1%h+OsS1p6XGy7<fg4!117bm
zL)pxzHR@swqt@)7)C-x_nsX^4WL0Z2IasY}GpRK*zsG9L@7~(Kuv#;-%Bt49t-N4S
zYiMB9nzM{r!}v{~vue$nl>LlaQ;XG_0qCY2nbaB|wXIr%mT}B#%^!?flUiY`)>IUD
zTGW~zghj0hpe$<5uD}ykwdSny<FzKW=3&?zMy=UzR%?(>QDISQ>H@;7YRzD<QEO87
z*{L=A<d3at&AM3pewazEaYZ(2&4#1Ms@4$5tk%4n7HLsyx}LJAHNB?Ws5QLjX0@hx
z+*TX4CgOyRTH_+Hs5NV5YRziRbdH@`Q@28GRcl~_Nv#1-lUh?ta_!Wb8Z0x}sx{Tv
zt+A>#y-wSzHR}ReEo#k(Iaal%Q50^Y*6<8wwWiNcR<)+rTUNEk7g^LA61$D8T2o4i
ztZI!DGOINlWL9f*q^DV}!ES|Ft#LtCwI%>r)S8cc*W0Ky2couF)SB_@t!mB0I;&dK
z?V3fcnRwBv){Otds@A0ZV58P_`_`h?$n<8l#^Invt(o|#RjpARu&6b%f0@;qiN#j6
zrn}mz){H2%sx<?VRjnbBS*<A~z0GP(0J5kxF36(RaFAK80c28Z0+2<m;UKeG<ASVe
zO$4%0Yf_%ss5P^P+Nd?9)E%o@Qz}$j)tXY@t5&t9)c3Getts_AVO48Biob57)}(xC
zqt>K+XrtB~pj|C$&2Eygs5OU42di2$e!f+$QM_(ZYr4y=YE8;)8?{D|VpeM$WEQn%
z{9vnEla_2zYn+f-t>GZET5~`+&Z5=;GO0BKkyWiJ6n|${Yc#?8Olr*m(M*e4!$D@X
z<{j~87PaQ)oToNwO{qBDs@5D7FSM#P8DLdwu8YRms5L3y*{C%s-`J=%DYj}&iq=N0
zNhz>VYf|Rgs5L2DY}A^R5*xK9CCf&wNm1IUHRH!w)tZ!XHfl{ugpFF05@e&+qztuD
zYf_?Y)S491My*NdW24p#?`c(QCVE=c8i9vdtx0jSQEO7XY}A?*4;!_nOyOsv)=VN^
zP-}XewWu|Y$VRPkdt^~-Jdmwg)A&ejuhy*ad_k?z#C>a0YXF(l8t8aYt#MdvRcpYc
z)~pIF*=JU3V6;iC;bJevq}H7O%fVKyX^4JqtJZXHvZ^&enA92p{gPTkAd6b#N7$$}
zZ^aF_s5LT+S|iIft2G+xb(31dYcZ=eBTrb=8pt)NHAJmht>HDiq}Bj3sWn}jENTrj
znbaDnFsU_;f`3qJ;E+kJfsrP)281uFH6S&qHGoWNO<_n+vsweKCbb4yO==B1H>ox7
z%%s*pg-NXel}W9EN|RaxX(qL%Bt&IaYdqU6YK<eZs5Nh5x5lj2a5+}BMla^Ppw?7i
zx5lE@5Xh?5m>RuUt?7Xqy(YD0VzybW`Cu+I?>^UaNx$E|gwSK}dUo0J+jnrMDd{L0
zzib6e2wLC$eA$135<9Qcc?LSq!2e-q;NQ;wM`5or4bR6j{r~@P{$FO9|JRZB^Z)ch
z7YzSDG0y*2I{R7X|8;b+dH(-jWSMpTzm)d2&i}sx*7^T3I@)Ibf9hkK`F|qaJpUgz
z&NBbct`IQJ|94Yb=KlrBi~+z104WP?=KsrZ0KjMfSOtK4H~?Tj|NmtEdXoXb3INk3
zcJu$GH~?TX|6lC8$8P@r>ZAIwnpxzZ`LICbkdhI9Ez7q(UN~P#UUguj0B?rZwXdvT
zqW~SEh8|25KqNVai{3a2uzT3_@Wla=O-3ys$5{223z#UtMn($|(sZ?gu>vILwws~=
zr)G-JD8Lj2$i0oD0F~jlm?%KLvY$;9KrKs%a5F{$^6%J10dNzbF~S>10UjBn0K;?2
zY@+}rD9bhqK$bRFHxctqNr3T85#SX|5`ZZJWLc8{xCrn73eg~BOade(OK}k(Wu*V9
z3jZ^E{XY`>A1EAzr_xx||B3&lHIbYAKdJENn@B%S0x(5@3BUVq=zo<>0^lORd7C5v
zM*X*Jk^r~}kfifJ&n5wMmFq@sGbI837WI$(+KBp%Nq`_0^)pF;EH(+i6ag62KVa(j
zYw@eN%Ss0IhjSp#+ymIo1_212`V7tiY~V0G0EY7$a{%2~&X02dXTFE4Ymenj!!>}o
z=y%1`pOv;T041&g*v0_vF*Se!Ckx{5FxCKY3}6{X{LvLS1~4}{unQXlc!m-GkJ0<1
z8^vRuu!w(2ec)7#`1_h-0KB*lO)-Gkp9k&?T4F)`WlRykCI*nk{2y}+K*Q7k*cbp}
zYXIiqag13p5ymlqQl<tFa>^J3__{}V$fqMiKDRLbQ@93T8w02{LVjDukJuW(aN8IF
zGS&cIhyfsD4FE%aJH~&5sR3AH0LWMau!{j8V-0|f0gN=q0Fbc;U>5_ZVQT<3F@REr
z@tb1+rML!Qi2-cIH2|9!z!PH)z$ONOm>Ph648UM!{JND*plzd>7(fkM1F*yZ?wxC6
zY5<lPKoE`r7>qRln-~CMYXJ5!0Neq<;M_h2z;pl<#V^DFs@NKUT?_!9AxquC8UsLD
zTm!%dwL$!NVjtH4@Ih@6KVoYDFU0`tj%q>th^YbKquL;T=BW5%_Avki#u@;7R2#&P
zTMnlCYK;MW#nb@IF@Qj<9a&=l*O?lCB?h3xH2}L90Hx8}#Q+L$4d8_sz%OhKz%~YO
zpQ!=Z!~hPg(0^i%0nETP0CNn$f!P!jp5BIA02&+vFtz}OfqB;vWX*_QY}W?xo(pp+
zep&`aPaeCLO#?i!Ndw%c=asLB^_uR@rU6nJj&7R<xW}XcYS}bExfP>(?5<|g0JWAh
zKyNk;a6dS^FwmF=$Tg+`_Ek}5UP=S(F{c4`sGCe_fJ|c=pjKLAN(0<8rU4dXE{oFu
zWm1DF4FC)Ni)nye8DCn{02$3MrUCZ&IIv*=6h)yFYZ!p~9{(S67(kRCZ4(9<1FI6>
zz+r$yV;EqoF$}O(R&5Of@bDDBISfF1U$Y4VVA`2x3<Dfw!T{?Gn0MNT0d`QIYyrO=
zY#3lG&2=P9VE~%@mNg7eS%-g-Exf>n0R-JFVE{)T+b}>W44NLqh5=F;)ER3V27m_p
zFo2#Z517ILbzY0?!vM$B7=_w|0dN-py$}Xq0MLtJ0PfUm#DoE|nJ|Et42J={q?^9Z
zo?;UQ2)oOM0X7-K0N?ss!vLd;ku?n9fq!oH+T%=*zsH%U?ZN<;FwAr|yc`BlUYOJ3
zmmAY&t^-VKPQ-Zt3^a3^aUH<t4($=tJhy=BG`9fGWrIpxKDHpPV-Icv6u?l#BFttG
z6yY?$1GIwKFw=SumjRY?H>f|%?I<>;0r;3;J|Q+1o5BEm%r5zEaz3&R12FKi%@PKv
z$MAB0Z1Kl7VE_y-({LDo7<o<xi!_>b;n<~c30z6K8Z@9W7*LC=UM0Y9tQ4;%VT~+~
zR`~a+0)i%8@i$1+Ao=1VaA<!{yShkMOW%I}+{FbytW+!hI-8rNf+#%-UBZAGq^;s1
zAL?mZ`R^;i8ABYxx1tKs4rEi4j2i%;RIZXK*K~Y?F4L|uk5%gX#;JDdGR^nHWB3oB
zKc|<w`Bq}OP5L;Z%kD0~r(sQ6n&OTW(XKzqJZR~+WTYbTGADTdE8$2I=OLl_GHI7`
z`of!jms;f4D6InDi*?l9a{QcrM|op|-T`&#*Q^Sgp_g6YK_S3n*#)`0L5dVNn0ugs
zHI0JX$e>c+zO7c{+pVkp8M@<lt3r{3EKYj!nyfbDw4}Wix_D5Z@|}s&Q^I@eLJb6w
z<|oC$2~`jHg`iyr&q7c8K$QaU9-dGXfToSus!;0j6Ji$`JQOq<;t)2s9NS%7?+NHN
z;|)|#is>PYM}G)tkC7o%-4g|U;fajn-nZ#dEjdx$^qAV#7vTH2w!?-n*Kx<TpKCOb
zivjKlLXqT7B@l+g2p)Rkk;$17x>@*0BCVZ_QaI?L=R?nwG`?eHk>hwn3gWpx^sEez
z3v<0A=!X~btf9G2)2c!qK2`K{!mdl-^1Vc#rm&_eVbFZT6GddrZ+GKe=?m$GT=k9H
zjpb43D!Emq)*7C*2?9zw$emfVmS{u0wXVw~M}u-4Q@?<uBbIk|TA6ot2Hc1qikYh@
zTadI&0PYzQ$7;fb#6bg5Et2RfH6djt<k~=T^R{aENXM{N8g~qqO0O`i^%?FM?9?kv
ztaaF?#9Cjzv10IXyf^7xt+F%>)I%|7U4BNLnLJ-j&R73%w#xDFTEzihRX|Aa9|BJX
zvlcUy^?(p#)>Vk1tiN<)3I^py${KHoKZ=(cCCfXu2jGH1l~{TgQ`U(WhtwQZK5m^<
z;E$v*X0>!_QUA5U500MYSGsgzC~N=oZ^_lSd_}lm@M;3uI_E-UG+`_lU@I@bn&xVk
z)|S7869#g?%btu415e1|^6Od{&N_1Z%v=4r={R5z(~dqv&K&?OXjOA@#DE2@b$}xV
zM$me|7%?b!cyHUTN7%;3QH|Aa8#(K+(_@RLV9ttWpyB%y@BEB8tLB#g%|`k=reR>@
ztT^V<e?lJJCfy|C{VP-2HOikY7;JFBwt&M}s+8fZU%;nGHsE_cTQV5EcAFGu47R?y
zwRpd=VQ|5H5(cf2TbYJI{kQ&=qy4v{f&2YeNA%Z!DdtP>7(we-5RMqqioCVg4M@Ug
zNNYi?A$oavqbCzGFc@KLe`Cmifvta)^Nb+_`R#)+o(&l=uvP8AgbWzi8gV>s`a8u4
z8EI>?xn!`P6U=8q24{%AZ!x&F0?$TzT}e_Z?>;iM4BYFOmO=2WHjG;z6~1LG8AyYQ
zerNh1&>DQ$J-5i3GWa;qgXOJBxeRShTwunnjk<~;_s2!%l7W%7_QNHEpxlsKr#fn;
z!lWOkZ`~JJln&lnoH6)r%ZJNrjihyOW3T)EMN~6YZz8R|Flm)LckyB>2EHQjJ!den
z)=JuEl!%3`GmIgFhh3?3Mf;mf$bf~dZ!sYQLYp&z=@@(&VxYLDj6tznYh<kfIXGi5
z`EOY34JKn?!&)g0NWWz}1|em?sOx4jthLJ;W5(bgS?ee!W5BT1&rKPFT(y5iCu{v0
zKS6Y|)=t*i$y!YrgHG1^Ut+BdX4X2mE>Pq7Z3&b(I}slM907q#my!}ErxMUOp8_(t
z-(mQ`1&CDKG!u-1a}gIfU&waDnA8iJX=A+3gYZyXXyrGNUL3%A19vs;LqIeU<2A(1
z?Kk++ef^i85D<g^3o+5~7LE{X{lOFeO2tWoF~^HY*#8v?-}H+~8q?2dn(T+fpVF`r
z-5;ZYX;&alrE&q6l5bp`l42@(x05bbPl)Ugo+QC#P$C@mJ>dlhmyO~c62%;VR2sIO
zAxjBfAN=yMUqEaLaQG!9{-^qq9{pC6UL_?ij^u?yQL#?MYjAXCT;TWBP_4Q)R{)ZC
zT-}^*{p1nxqvxn;gA2;v&Jv_`^Q8L>e%qH@9rmflM+k}uI;rn0e6upCq2N_r-%4fZ
z+pW5lmC7Z(H-Sn?Rt$+><_t1@<x`#8z${rpq!CX8PCpp&GzX_2FrF42Q)ootZ1(}W
zS-KCU9CP<!pPLy@Te}b7VTRL2HtlWcK1^6J=5eJ>_dz?++I_%!AKQIEGIRGK3ryXI
zr#wsd!C{NB`{2jJ-G_wFP)|$u0l(BWbsqw^a?IU_V_@n&w0N4k4?;)M+<j1isr#Vd
znY#~T1m^C83QXMx9+<ih+L4y-Lphkb4+u=%hm}1n-G>t#w)^0><uVwv4;W3e*$0fK
z!I*u(Xc~;!2V8vsWA*`~X{_Vp*QyvzJF(dZjHXF8`+(6j7_$!;O@lG}z@TYk_JKju
z#_R(|(_qX#U^I>2#>d$Q22C5Y4;W25v)Kn{w?WhJX<|BbxcVSqvkw?e9}q`6v)KoX
zre$pQ0i)??OZLHtrrXcAN|&<Thb1hV)=X+Nb|2Q2J6XC9Nu!*YAe(W2?AZac2NyBg
z=-`DKow56n)9;F3He8QZ#EnTwJ^`QZzQdKK)8E1H;^--(zInPA#KD{Y4?}F7cenEl
zbe@6EGw{FV8ThySKdh7g|1aSGrH|^BzQ51PxR&SpY{miK^^1KQL&-9n1E>(K2(QC$
zQya;@2x0VZBL7{OW!@(8zlK5oD4ZexoO$dzfQ^YfjQ%nCpQK8cFzDY*{$&jMH<JH8
zObWn6{;@KeuQZYWi_AU%HB0{cFew1@I)Dyl9{_&MU?Km^_<xRt{O90(0M>N?r<r{K
z%sK!w`Ttd9ME@r8fB81DT?TM!V-vFsz)Jp0jp*M*{ws{=pC$j3m??iV`CrMPe|8zb
zG8X-t$^U1oD4S&fC-61^+hqU;H))N_0F2~+qv#d941gv78Wo=MHxBuaIB8u5FkOn#
zKOXWok^e|$%HKl%ABv02%K#Yi?~2jCh5R?!tpdR0e>{W!E#x0h__Lb;@Pz+%2K_VS
ze*r`OS2O6}O#bg#_5c{kf4j{dfPyZV{HtyD0ATW8h{^xAM)Yqc|0e<&^lv5q9>zTY
zX7Vp%_W)q>zn<L#U?Tr11VjC;<Uhx<2f#@F1*Sa!nEd-#_5hg4{}T)Pw~+soyCGlq
zFq8jg%N_s|`9ERV1Hi5UKz4foSn`i-_W-cuAKC8#u#o>&u<ik1$Um~#1Hh7hWV;8z
zO#YGW9sm>hZ?o<JK(#FSUufO~U?l%3rab^g@;^bq?g3!Pe~0ZJ0G9mgEqef1^51U1
z2LP`DSlQHOM*lYCU(M_RxOdK${4Z}{(7%=ZBilUyX7Z10_5iTtAKC2zFq8jhc6$IA
z@{jEI0I-iICjZE04}gjMBilUyX7Z0~3B}eu0A})!A1~WI0H&j+?ngFz08Hc`+3o=_
zlYi!@);$1b^8YtSHIn~DmOTKN{GT`N0bt4h63ZR{hWwYA_W-cu|98tC03-Q-XtM{v
zME=|C_W&5l|1Fz604DOkncV}xl7BbLc)w1=?g7B$zru+AS@Q3ct4x{|ay1VR%(B$q
zI_NKbIL(UvlX69PBLIW_F+rAbmUUNJu)ivu#2W#O*na}SZUn#!0q&i%VE<@L{pFU8
z0J~Z0Z^HgDz4<GQ8v)GNpUTxNVm1P>*k8(wIj7Yq*fHlA6ZVh6)E|#IkLS~(@Jy_m
zJ+HFC{)x&J@l{srj~4>WUZA*O!v2640{mdz2!Iy?<XblaNM<a|%h;81!HE6wfb%#>
zMk|Z`@qlv|(?$SaiO&HS{H}~E#en}crIw8Vcp*Tk4fr4VhIJzV1O7P=UIhPQa+i4{
z03LHLvV#B6qJLR70x)CFXPAuuEcnOVzxE~YkGX%475oF2-3WlOe4D#@BLIe-l~(Z2
z3ovg4aOA|=Yy@Dyzh;VYBY+Y7*Dtr(2*AuZ-v;YO08IAZvV#9J4R#v=j_L9Di9Pt2
zHY2-@0PK7-vfBuN!T;o<j+el{?yz+u05i#4jW+_A!2e~rWh21oVg<j$yb-_*{>e7W
zMgSA|pTEl6x)Fd~2(a9`5x@xkG57!Fg^d8p3oSp`gMZT`GYkG{k1BicKehl*-`j(K
z%>5s}0RFknFMxl{{qMa1{(m@*tQ!H?spV$VMgSA|$J~FKc_RQbwS2}3{=;)|ZrcR@
zHDCh&1Zf8U^ePMZ$KN0p@b8*#0sl0&&;tJTDl7O$PG;~AT`l0hDb5W3WlFvU{HyOf
zTEKtR7%TXvxf(P0r#-CTU*>Vd2K<KyTfsklL1_#Ask=Qa;2*hIz&|*f!M_yMS;7Bp
zp&9(++ckrKlwk$`?b&wVKh)5}0{(%vfPd_%vEUymEZ|?(#|r-2-7Mgr3bTU$kP-{{
z@7v1?{vp~1{5Kkktl%GWe~lUZORBBlA32!8f05%#Gx!gWTWJRWG*@5-|33IFHWvIh
zWm&<0ylb@;{3DeW{Ff*!;9on)7W|uMt*KU~mTCh3*&}SgKiS;^{zJ;FYYghF;Qx8L
z1^m<8M|R-9w%8W@tN1#ZX?cPAm!-Dg|7_JETksFQ7Vv*1-U9wh11#X*@TLX)gTey-
zFCMUhe^_A;{)K(4;2({!f`0**SzW+@f10bafPW5{z(4rffd5<7HsHUbs|EZE94+8K
zh%kZwUA+}}dw~i3gUSm2Pp`3n|NU#N;Gh1^*8=_}iB|BRDNVA1f8=Tf|Csyd+kt;r
zVF&&v^|pe4|H>UU;9tyNV*&rjIAYC$fBx$>;Gg!jfd9}WW`h9>{@tCJ4F(MO-@e<p
z!N3Uq!Nmgpr?0Yrf6V<2#uWx;@Q=CwDhv2eQtq??|NDBMv4H=#hVz&e1`PN|&Svoc
zMo|~@4ug*a=kzn~Fff7tA-|he7_i`f@v<)L3Ile`I>rY4|M-zD_}}v3J}db5FZ$62
z{Nt**75qb@75w9vv>E(w{+iifz=Hpqp3Y|Qzr(}b3jRY3Z(G2>T+8k+V8Q?2>@P5a
zf7|^9N;~jB)40FD1pfbVe}NJFGy4l{!9Sj{?%ZF{xxb)ue?jN|g3kQ~|AYGr>ewOc
zA!&gm(T5~``}NgyA^W<M9#?kzov!e^tOK6^4qVav2LC;(5-vmKp8UP84sUi7x}3nB
z#T+P+BItSo97)*sHIPe>>FCmaJ)GbRp0gZ%!Ku;6QCG4oC#FONNzocrlyk^2mjMCX
zLo#VniPRGU|Mm4}IsekhIHe&Y;R`V>Rk;YR7uG~^odbM^f?G*i$OYXu&L!kjXMX=_
zX8^8}w}rAIa3yBnhBI8aeTGxIl(YZK>a~4TQ=$~u2UrxRJMTz*JW(ltD7oi0yhO*%
z6JGNy=}uM*)c6$i@~s~IKqEaM;K-yTL@vVwe|8`L@#lfo_HzK)U#i+6^K|Um277i-
zu<YJZg1y`SwL2Tc>|nY0cU;qBS2jHD=W1Tr0Aa~|x82iJeyd7mG{oVp4ag8?-r9hd
zHgMRj4S2GgXWH6u3{!98)`k|XuW4(8-~DQtX={V30k3Xgwl*kqPNuC5V}LYmZBSY0
zJr~%m4cc<N*MZ&IP_D<a2(z^T8SwWBv$bJmJ8j<Dfa`Yb)`p|Far`2_$A9l<wl?e}
zfZf_~9H;P1_#W7;4N<dsrmYQlS(#~T!{zB%LtwTx6c=NGo7vjnG!)pa4Y(x5Zf&?w
z4(!&3p0&VkZOGLEyR`usc&4ol&Tbmh)&}If#=Nyb+i#}RpzQwwz2DcW%xCHSO%uI0
zZEg6s^xnL+0Z*2*^nUc{`WZFw>*hh9oWFa<8y>Wk?dWmNK@6WRD>!~Nd6*c!J2~us
zOAOX|r#jC-=Nafc1OL~Zfq%>Y`(XYr`~NooPg>^xHKhIgKe;fx&X@Eu&j0KDys$)R
zm;WDR%>R$I&i~Wi6Rq?A5Nw_Qr=us?%>O?=Vl)4r&N0vbk1Mpy|Icv28vslT00J!Y
z|H-6z{(oVa&HO(e|DXKA{68N5zhOWBKY#sScJu#|Q+D(Jc>F)bX8zxIkB{B_|D*ai
z;|2gs{6#a<!Y%#(5gnpx2KaL&TU31+;9oe5-2fn9fPWG*>d#|=|NKOy8w31xNwVl!
zq2EgOn1KJznc`i*0{`4>6$AWr;is5U|Kfb9&8R<#+yD2CqyBkT;Lq^>77YBuoAIds
zcg9iw>%)^Qz#sGeBUa$g@cwoN_=5^Hnuh&D&ok5hmSO*Gw#a{D(^3ZcYtW!t<FLPf
zvNQ!x`;YYBS>eBHumAcqvHzMumyE;yA2G<kY)xdI|9chv?{Lh>fATYC+CR*HUjM`F
zu>X7;<d2Defi3diq)j#=|9$MRzX&7$#in6@Fd_ew>#WFMdUE7J3-Wi9?aVbH|KaSg
z|IcRRKbRTz_qIX)nD|?&{!gNqVgEh0$p6f})fVLM$BAH(e{Xi!-_?rzBP2H-F+qRJ
zuzzc~0SEn!!~Q&G*dKAc^1_<U!~TnyVgHgHc-lXC;6rxU|ED(?<X;qhRXpZ8Gwk1Q
z@P_)p!Q)d?+nHhimCbW-(BC-h-)sA}&jXhSy=olxFSSShLw`&w9+qky_9t`Zn1}tP
z`8Qu0_Wz5W_BSH`oy@R*S;)a2A)7~rY%>n~8zxE9Ty2N_3uH67w!{92sL)He_QU>Y
zRd1q#vLE)xyV59!+vi>y_J0y_S+dqT?2l}M{%p@5&n9{g@_Av{pZQ>x!G75PX(LzT
zZ8z-y7qwUEZW;D3rB3QB!~XlM$Ui8w-5B(@8}?TR%}uo%_Q!<(nzY@1*#D_<+TRBG
zlN~Q1|Asbu<iD&2rQSJI^Wv~STD)mzg59t`f*3sKFT%9ncG$m(E`}iH<GeoEreS}C
ziM-k2upoa-{87TaT*_|P9}`!Q;yHi&VSn^8^2fygZ;oml_D3W9b47N;{zzWS4)xm&
z`=ghUKR#;53-^^B_HPWDc2a2>_J1e(1LoO>9rk~cIweVI9rm9b6H;R{?En9;_df7Z
zU1k3N%}k(_#FSdJ)JDCfq0lyg(55ZY6cRFl1O`YUv{Zr+G6P9FBxy1!P@_dbtTt_N
z#jjPf+g8!m-Dp|MuDC|UEvsEOTGp~_U8BX7U0Ka)wYbI1(EEEo=bU@z&dd$1>-Y70
z{a&x1_XYXPJm;L}ob#OLJm)$8?)=lcQr5jUXD<8ym>)oS^jiOA|5vQbKT~jgarR~Z
zuNGKNS=MF$Ywl=%?>C;*m;Eo>mGmzAhr8?KvcJ60e>2zp&24{6uJ`Y}v1;z5Ep3So
z-sr!5ZmN6pmMbe)th`TttmVNk{+GMa|E5hRU#i^lRL`Od-c{7iYw~yByjt$}^P2n%
zlDvePjs6#9pa1zc$o>ACKclYq-?C~`<vQ!4|05gy&$G{eAupreU44<d-v9geo~+pL
z{<m|#e_oqh?>~9>C!V{K`~8c%TjS5T8~xQEpMQO^ywAM);ro8Rt><TIqyKg``k#A#
z@pHd1_xoR5wrR<8+ke0K=W@UQ(Zwk?`q}6IEAEn4&m5j98~w7+f5!!}uU5=+*yv}U
z|DUgWd7iU#UWzxFZ~4N%Z27*s(SLp0qy^qafAh)(t-aMFZ57vF%LV^y+>L(r`Tug>
znfvFRox(;x`~07uH|_Mi=|fj0<%0i@?0MD=%l>lh?be>PT<~AZ1^>Ubp8kxw;s2Q$
zb-{n%yj0SCpZVL&`^?n^|4+?Z=6j#{_y2}#9Nh5tF8KF{!{6kt{}1Y)n0MHk^~CPQ
zhpvni&iV{D{JG#?+<W1F%e%}|3va*aCpGf2aW?v`zUOx~Thj_H^)B<rK7G^D-`=F&
zW&V3^i@vdLB|o9_x7Lk!$_4+{Nmp%iUuOP_-mdpvX8zo!eFcBLY2M>sW22va{>wjh
zX{}_yP4G!qY<fm^@8@rF-)8QRvAoUvyRUG=UtjQNv;XKNt6!Nk)4a%B_W2#11+Os=
z-_a`<{Cm0JKmLig%MJgxbHl$^F8F`j+WUO>+NJaLE6c|pt<^XD<%0j>-HV$psJUqQ
zr}PE?6zQg3e$6xLhQEGa`B;JV#D_1}H~i&&<r}|I@XdJ_6#nx(z0oiG{I6IWANc8)
zfB6Hs;qP7WfA`daf8X?HKeyhVVxxan*DV*k)4k!pF)SDS7h93-VQ%<eTX|7Mc>A7P
zxZ%G?-|%0#r}ovS?&F649&1sNzTvMg`2VWttM7flz2P5z=z+g@_lvK7O5O0kMBY(u
zF8DuH`0yp%@V}&Z^(Fd(zmxuXdWZk@<Uc;!w)ofF@PFEUJ$Y~4bC<iXClA+z3e^q&
zs)sFW^VDk}mmB_E@VC?re=hjH|KZQd4S%`df04f7&jtV6R)3;E-SFpv|7Z6t{=D4q
z=Ys!#?72|g@UP^8|0j={8~$AIx4Gf}{QKlB&5Z>!kIM~zx!_-@ZurXu|59_qUoQAx
z#_!h88>_tFIcH|cTz$j;q`Kg5sT=-W@L!~E_@9#t`RwyQYi{^|n+yJb<KFO>3;w_C
zKfC(ndEby5{`2mC%GoS8{9k$K8(i?8!wvtv-0<gu|7?B3fAMc*pMST$;m-yCefow!
z>iXhnfx6-Eu+RUY#p80r|0i<6f8OA{e~}yhKfdCZ>Vp5~S)1gBKNtM@IfHk6h#US~
z@Gnp|{JG%&<(j5VFLL&Y3;x~i4Sz29SDG9CT=4&nd&7V3Jm+^c`i4Ij{M+S*|1)Ri
zeT57DzjAN*|DC$v|2B2Qzlz_fl?(o1b;Dm>@UOXkvBM32F8IG$-|+w7RqXRmRyX{s
zTG{6>R5$$Pf`83(^Gdkk&jtV5w?1`@8~$>^|KsY0f9jOJ;9uKy-z(hkmka*i<c5DQ
zH~i&-e~rH3&jtS%xZyuAdBeY1(eKx}*JH-H;Q!65U%7dsdaHVLaE5!sp9}uY=7#^=
ze>!^ff~Ov}tVi_)|MxjZ_1n}}f9ivae`VgL{^u_?b$v&_O+E5ax!}LZ`ju7kJ-OlE
zEf@UXx4-Kj9Q7vkKmV0?!(U(UKlJ31?m4UGPL}tme`w)Ta>M^wF8F_Din`(dDi{1e
zz5F@-9(DHlFP0nr4)0N4{_EPZS(iKVBK3u-_NVQlxsR(${(7(fiK`x%`v!H%KeN}*
zugtR7f3IBf|M^Wfdwcx{WUv2IFFy4-x#S<X*MGOW*MG}fx#S<X*YCWpz5b`<lK;DT
znY!8Qe~e51fqVT=*Axcr^?ye$`3LUxf0;}E-&U9Wf9~7sck=i89dpTF@AbcQ>7&2n
zb?Uyo{@<y+{txOms(X9=&QoTue^=IC|D$HF|7TqC58CVhwz=eA@Yc^|@Aap=Oa6b*
zUjK@$z5Z?9UjHxECI3I|_5W$F|KyXI7pgx$$9tjrvwzy_|I=RopZ5CywAcR!?)CqB
z_6yZ7K9}=C_1f=R=7s8xWnQTMs+Idf^<7glFH|ouFI2yF|K!i+-&toyXkMuPi%Ado
zU#Na_`lSDb>MviDd7*lNWnQRWY3IFA-3fUwR4-WJd!c%5eX;jK_1(MK_SU=J?{i<M
zK5wgKUZ{R{iu*$KukOEMvU_LUGA~qrG335b{iP{+FI0Cd^FsBP%e)t=zigQosvok<
z3)QC;pXY_@Lza1=dV^(NsD6c&`$F}_{4%iK^)4_kRG)hpuLv@`-j;cx`nY9YsGhdW
z3)O#bnHQ=bvdjzByDjrV^`n+~q59?m^FsBx-M0Heb-YM!t?NtcZ}48I&imA-)L4$b
zw0=S6h3aLY`*L2W&aU@n?}h44DDy&f@AR!Br*GX|?<d_Cs$ctyk61tbSk)67))#!i
z`qZ!Iee@lh<}S0|a@B&?&-RS3wqAYULyiCS|GSN)KUMfo68Mt@{v?4vN#Os}64+2z
z*J#(TS+jc0MtfCP(vEj_^=)gnx5u}4_23;@{_y7Zj$XU2vDR*D?d&A(mbl&4)p<|6
zCmD~~$u1jKq|lF~+o&QZ<u`=wyW+cu+?R;iCS@$%*0Zadlsbt&pQWuG3C+<&(wXw3
z!tu`JLc4P3tjYyDO-}xFs%Y7<Y)ahL)zj10Et|(Y{`l)Ud*W?f+d4bAd1-facK0Ri
zSZlJ?PVVZCyA|=rUsYGvV9z3|kEcJpvGbnRL`TeC8IN_euI;!tzR;f48&FQgr>V6E
z$#ise_S&sIam3eUCt7>9xfuuXt!wRx*-Kj6?&|Bly{97?zrD31+1#-`ZqJz&yV_o8
zZ}00(+Laa8-EhOyta@gZtC`A8P%by#+SYsGb<#LpnTQjWClbG>qs_<AA8)o4*p0BN
zt7mDVwYPn?Xpi01nb;-z(<h?e(UEMod&#syiN6=g^)9s89$R5wW#2IWx)sP!@x8rv
z&8o&#%Qo5*aHe58OdD+N>aivJ>s<M-s#_beJq8&S>+RUqX}8B)WAUC`{qWk+o;|B~
zwlsT3XK&xutsQM0D55P{B-`Vn_DXM5PEyW|wlq&i=QhJv`o>mNdhXo0w&WpCc09U~
z=(Z?VPTcHx-L0{h@Xd*2___T!Q@OStezH5Ril40#(p7TRIH$WVv@PnArAT$UC)sWE
zdAoUKMDyHeuk4C-Y~3XVbGt}m1jXO5n(p2h>)mMCi|l4G1C6nTwoL~XLQ_xIww~7Q
zLV~b?UkKN6Y4?>&tm|&Lk-s!Pf9EgbJO8WrzkvVJuJhI3>#VIi=38ya9(yY`gD*n3
zp8q#muD<bs9a3q1CHLGv!MRx~KTG9ksXQ%f{*7d9T`vW3AC{!88p~SOytHD0`aA!|
zXuUP7cUIf1UK3}-n$;_puH9&7+N7&H-f71=Fg;03>_U5{WzWH+C3apt)#~ZmzO{Fu
zWzC&y&D9LN^yrVhc2{pQzI~xcPn#EnsUA{K6>7w=?T`+HHYws#lFC;T6{5>@4Qel~
zHq)Bv>ZTjCEZ!OKX;n(xc-zuCI}yJpo)G<Prw_+_Rdn{JxtDKQ62Vm0uy!@kwJ2-4
zwl7_4FX`xP?b$VVs#TjvbnRHziLu<)8IP?+64*gYb+@JJ^19M;tG=^!OF~;B_jA|w
z?w)vWueG!%9!G&<eQn9Qu2|e!*Bf8mNfSppdL>OHzNK%QNwc)8r_B)RT052DT-%Px
zjWxAyi=#!Iq;2ZyxCbe1gV@v2Md#gR0#KgXM0b1ZmUyzZGq$R4`xeYZQ@m$;M{;Fr
zN9WSMPF42Wo^5^G>A;doG1pdar5Z(5;V=|Ex3%_kAkwZ*F|ZLv8f#5or>Y}mPsHQh
z*4plPTSsd`r>pJhY3<ZStZi$f)^xx4b;7NFXVPP#g%rK6uC=W_ZZ*c@tqBAp(YtyO
zsSM*{@-3}9^i=;x7+H1QePqkK2O3&CV~KdP$WOG(q;NB8q|0d@8On9mYN;0`>d6r2
z2N45fUT^s-(ipR9F|D1*er0R#T~;LC+jd*Lr&ly%O}w|Ok5-I!Aon^f+BRwhH4$&^
zjjxFJbjA}aTkoX4*`$t65kc!tYG@>}vbDP#g|`}4uZeHt#}?u}E=4+tuAY{))!5|<
zy))U<m9QGI(8`a{O3-VBQP-MCm=tT{Ju((%C)3|LM5d<EF^KXGNZlw&Msp?XHSz7O
zQXaR;Zfq48iDNTj@y@ngmNKJO9sQuSbC**6Iz4tMesXZc{Om)r9T9GA?Mo!r#P6hs
zQGvEZAFVGnwVD#GNye}3*1FD)yZf-quv9}(ZzCD)v^-U{>e@RJF-?r1P5M)_cq*Be
zaGQhyep|04T}+gyHWpKTRm`<2o%Sj8N6$0R-ChyB@zx4(ax9UE=3qsdtjMiYh+(KV
zek)qkjg6=Gt?pKaB&!7)JGXYZZABGnN<~@H+S}2lK8bDW)pAwerMUV-*Y@pQoej!0
zSP|!S@bYX}vv#R#-Lm{gad5>=aQ%&m;=yU5FXD#g#ucx_EwNO*^ZDtG5w}>Gp{6&U
zv}exhovB=vHq&qB+WzLUceLVwCh!wtyKLfPopn7k{P0v;x5v><<_Al=`Z^h~XX?=$
z(av)fXr@lMA(PHE{%&?8qb&LSbK{8?d2s{y#ZW^$G1L@>vHX0`UtUj%bwVG1Y`2=6
zD5<%Ho@rwh?V0XZrQy($%Jb_*E_M<R+?5*ok*U9yj12)#tBc7+*H&9ubQuA=yA$yw
zeX(cz4#pxBzSlLlZb!8ADCK>nJFV{YzBRQb+uE(#zGT<BZoKBW7l7Zhy)_{N5fiQY
zo$<Cl)hD!V!$98MhmWvCQtO2HM_33&6+2GBdb*g#_{eKIwzbpnJu7K@J;L49(M^8z
zzU1=0?cEp;uHnCYk=7gBLRS&toIjtG@Yi<3tqp7Io15|VU0zC!ldX5f5oKrG?sj$3
zs8e2iSE-P@%<II~(P)_t8puD^1$)G1OGb99KbPG2S$#jL%%P7vdXQ88C9N^$dD=^m
zh|COUm#e8Mw%HVKA(gqXBF4aHSJyT*+0Az})h}9D-CVn7S$(s;v~kT!1XsUERXLZx
zws|V88C-1flrR8NXH_XRIW4zQJe1Ae-rCv6*d?>_&aEBW`j~@avRrXm7gEIPNNsbi
z-BjD$Kq+S9n9QCxJGnhJTS}0df0jJd{J@(^FZ6Z$ymT33rTk*AfpYnqaZyZXOijhS
z33EAB*{SIP<x+luEdvFP#A~L`uh&X(BL1lKZ9QFoM0#-(|A6F{Z8vVUw`H97R#`hK
z7i-lilWk?TbY~E4L*JyG>sGI7u3y#cHg)5wNd0=6yfLD6P2%OYhp{(iIm8=4#DCq|
z;V$X~qzkeMLHw20W-S<req<QumIwPp2iGI3o~bK!_w+e8ewM!aJEj@HbK|@9RpSm;
zVv*Dw%bmU8kXZoBO@BvMpSx_<tAwOFo|^RUz{85m0D+-W6Rx`Tjq~c3)~YoFZ~Z98
zp7{7lvwAg{Ss|UTgOPcry+ay3R~L*#a?4k1Y*Vj2vmyouGwxMv7r%PuyqOi-r6bIA
z>)<ZkB)jkfnF35G=ZW~LEZV$vMCu?*9~oxnE8qX7c<196Pi%Fo+s6Fpyp^1YkM^?|
z=zH{7YL+$g`i(0OFMfw!uyO^M%U_Lqh9`qYEHfr)&8TZ$W3Q}TQO`1ieNW}w`8V2g
z>aMo0kE~tRx68h+a{f)yxp=f|>@EV>w&x^eNH%_SqP0`aP<cImdpyzY3k>+kWSa!L
zuqo6#8D}nOkq&%~q;5K5%CshiVPY!IVp*b_^gX>>eR);O!r3ApfsayGnJL>cm9ghs
zGnXV+t6EC_{?xWz-PzXG-rv^N(a-p0_^kH(1m$*2Pm`!Zmpxme&sO#5%E~mT94;T3
zP}vptWW^8qa$CG-OBbD0cXeH0yCSlxc4hr7x79}1)dwYlwzh9eFKfkptmI+T`mjD7
zoibP}1L4&hE%v1kDsO!>lf<s*VBpUr2#Vh*F+~1K9$V<FEc=-!DE<;1L#42_ALB;1
zt6RIfldMB9tZdz3+Ci;$Y~5vR-^G?0e@_Ri&Md3Ox1(7}GPWzEOL}bVpnM~&;_G!G
zbP1Q2rKXv4RZrIXs8@G2kD&DRJ57vCwxWl!7UyLgluoZ|ZBeUQrWsUu^;)h!zlGIm
z+{mdn;#C8H2+UnCM2|8;hD9}B#dYy_0X6xu(I&Mx;_A_BbUJvs{jRqI>B`!>*X#bU
zew*Fjjq__HRh{gQ^>_PAYukFYKu<!|wn9#yOVZ&?^7F#%<ZQb+-kY4WwKdTjzuIOh
z-OCOE6PB1=$7DogcwPo3a5f$!3v}^BSGO$MxqMs}N}#WcPxowD#g;`#S}2>1UD4a#
zwSz^0j0)wkblU@aX(zf`#S+RYLR&j4iy3`ljg)miwM~)7K@%EP49^phsI5sHdL@sF
z1ZzT>gh6^Nt46Ay+jCZ<Zap1LBkY;p3duYPpJ{AP#?Hof#<%unGtXqBKA9CKTk*$a
z>8?4)%r;|6A+!=Az3Ln0R@%L4fxDMX?267V>B8=gM-FTC6`#-E(#P_YtYMRMJ551P
zLc6-ugom`YvI8t^Y?GEoAa(_YrK7WlO&|3H$)ibP*s?-MxlH#Kdv*`QNKiRk8uMpc
z#<U(*wrvLHwUHIFa-f%!X0oT6Z10k}vOH2h%9~`naKb0j)j2z9Hdk!d0o5xnk&L}i
ztLQsC!yLe^R@T|=9kOL8>vFg#s%8v#qInF#vNFNmTvBb{xaD*GNX<~oX<;>^Xg_m6
z)xq8NRnt8NC|HZ*Y3k=%x9s%V4q^{s;o5&UX0{zvo~KuvAUl{fx6{Q&uF6q8e>(r1
z&X-PRYVH%5Ux#ll=cN;G*-aH}uVoHbq2*(&xwJp}#A>nI{?+X)XNgdJ4_=(zr`Bij
zQ6w^JNhVv;$9r4RM^}A<(#I>-ws&>gM3a>potSY=7PQX$h#t4fQdO*LJIh;U`(Ecv
zxf5;YO>NtCde<=$t&_>8o36Jf;Y(L7U!}o)HEv=tT!y4pyZQF0y>?AhY>t}1ioB?7
zvJ3UoOsb_X=A@^KAm60gkVUyw-lSvCrOWHNqQDcTV^dVpvFk~G9kO2DeLhjS`ae^z
zq^aJc?4;}n>jKE?ir3~MiCq6)=EL>+%!S^pF%y9eYwFjoi#Bhx-GwZ7hKG6UjjJtP
z?V>YZ6_?o($JMIPgRzxll(b@M6AaC92Rf@Ko|J7;88G#jWqG5NRgoEItO|Td2$bEb
z&~Bflh7n6Sb=KMlOH5XMo%*{oX+RcMS&C0a65VRgz<h?8J5X5JHr-OLorIh1ch59a
zBXPbYJF&TvPTNYW!dN@fB35N>utt_RO_rXk0&3p}ptr(81-YG#+;q1g3-p`dL>ofr
zNx;zP7oUvAAOfueQc~rrooBg(W{B`F<IG!g89La0Vj8wU&&1}>UwFff3$J^JwS+;7
zwTfA?3OIEtJ9=on`nsV@?O>?w)s0iFWzp43YNPh*rsl@gtJW@L7n=hp+27XGFIm?Z
zjbx~3{XEe>FWQRwJ2GDg&3sYpWbLQ6aaH{qn@_jZuUSi03oSMKlcrH~Icsj)&JO-;
zZRHQ`F&7D0bMff8boYMU!NYqses7P)e>2!)@WTe*Yw-UVe8!~LRwDoJzFX@R@d1PT
z4SvkvCk@WJrq`NPdEI)K!-gw1ihS9vW&z*l8r{o;(cNt?n`0$=`r?*yC$n~T+)k&L
zBmH|m@bnhD;+!e^!4tZ^E*^i4?=P9~vj(R<snb^)JZb3uJnMUU@O1Dr)h@6&JMQF9
zw(>LkQ8{a=>g>^mij5o@Qoa`JV`_N`qpD`lVm;kuhb%sg%!Bl@G4uMY+G4+a`KdKJ
zZ*78QN|~G*j<}I_rMR*^8)hZ?Hrltqux+-Iy&QC~Bz*pBgkN`_aJQZBd;QNMqAsqw
z;l`U5ykp_b)wl4ihW}PUC|o#c@&!{aoLW@;hLVe>UHryNroZXUm(I9MbAHR^rEh)P
z+wCi6URgHls@Zd{zUJEUin;SD=U;cd3a?#K7pY&mtf6uFis;H!tDA0Jv$lENZMUz#
z<DIQr+E`iG*4}aFU5V|TUEO#0^d|f6*|Briy^>g$<66Z?f7YDbdR5w$#gnI8v#(*_
zD{lx{ldQsNR^=6y7fzmZZAm!v7QRonDle{l!{iG$?`tTChYM945+9kSkEhfae0Bmn
zo)gcFKM|fZ@n14%U99t2Z@wRYV|Kp#&G#mQ)7<b&vg1vZpG!Y!((O0t_M3dC8LWJJ
z<poA4h$R2nolp9MD1U5vmgMGES&5D<yIQv==CyWr%x$ySyke)#x<X^cBH4W1)Xs2}
zfU3?RTGBT&5!m_Xgcau&;+%hAeqmi<K2$7HUcHyttSn`My_CtWyW*V|z5rWz$<}R~
z^Z}#}&fG21Ip<Q@J=)r_(^7rfigmT=^DQJ@C^ebe)w8Yqy2{Gy7WO84Bxx=+es=(M
zdn+SG_Op4H)`y?${C@|Jn|xe!^LM{@Kdj4f;vtPk&G!Wcj~Kce?tag%Rpy%rYm+O!
zO$?b#w>BXMIfk;SyR}0dI?P1R`xKbImo;WuHol1&-S+GxIq_p&W+qyGxXVmO2ncU$
z<zT9tOLjQx^_zM)v9+mF&K1d%AMOPOgvU6-BddIwCp*0y2jV=GoJKN_3Rh~pDL=6r
z$%iVwD{qm#PMgozm&X4wD}68Sb@C76pwhb{-t>nTAUpkQ7eL2XO%_;C6^=w(djo_0
zRac)?d{2M>m*w};zjpa^3!v+h#6)iYUr5jBBQ{FXzn<Jxe#%$|>z4{Q)^`)z>zlT~
z`mRi=^TL_H%Q}`DBQJbMM~tId-jf$D3ntiX_sI)q53P$VII*Fgyl`&>m>}H089|i1
z^g4W#8j#Ktj)-M|%1$59L$mk?^g<P`2Sz2{oZ@T#zHmKU>bl9_-1I8kEB!>_Zt1hb
z1B#!;-(UPWS%Ye?);0U8tLz*)J?Lt?zuyjyf6FaF@ugm_31Q>8QrNm(s$!AY*WS5G
zx9w|L8_+|8U42VloMczGH<D+i+u)|En7?tZ?9$j2<c`{v(M@aXZ(Ucvs;++1s@0Kt
zDTj<WuT=&WXM+5VDSj;$ZnO!wSQFI4B+IMDN{-WTn8>RIKZ(pj`)i0&qD+{-@{3-J
zgN`%-kB-=^%IjmEYZ&7sRlEo9Fyp-G6AvQw%#+oBBu!@MRgv<-GfDHq+Y)R?W=F_M
zF9opFV4>%B`i4m-OIGavvqi@-Y1DhduxqVYUv~oA#Kz^U=GtZE)H_b6bw#zci1&J3
zW%XMdta9t!)_bhQ))iL-_>4Hjvb)Ewv@BiE60P*{k?ghqIzid|f%H9n*JSn;vsJ;h
zj~kGZ<L#Ep%9=lSz9nV1Dk>_h_)d16<+9V-<~8-TD=XG=G^;s7jjXO)w~})-74@sU
zb=ua>wstu{Bva#njPj)`D^0Tf&??8yJMp@E#JH=Oa4UKD$oaR#E-Rn!>r7~xyED$E
z8y2obfO5h~wgkD?!cjCi!>dlV^ty+6BuS>~b+ysjHRZNz8MF|}IfS6PnEMr$wb91f
zwXSyMHk7tk>gJEMhH4IfTfN@ec;)hhuNuWBf73|1F}!$aZ@Vm^v~ES1*>R+-C%<a^
z{%17qKdLeE4;qX9UgPJ!u5nLFW2eCugKshD{ErTwWWK*VuD}1p;E2J;46ZjAGI;9u
zI{tG8zh-d3E1LcR^ZnC?|5iDmYiIhM){~oA@@DzLW(A3TL1qqmCYWREl~Qj~^4nB@
z8;XoPR66Y{RxHXI8eD;ACs6KnHeW9yEn)cfvSTmXPF`_zu_-!}PEL8D{dlOJZB(11
zVjHu^XCdd9zpU|Dg}Vc#G%k<dKag-urJgx*%duDa;W>s#r_ZugI)*!QHW|g(u@M7G
zHDhcR8hcXhmeN-JViDt8U_2S?WlKSh4QPhJ@n)CLmL4#Bqa0;Xk3M83j+0V;drP9L
z?Jig)66W@ei8lei3eH@1#>A9!r9z$w;+cHk<K-J1uUdQL6{fbqg;Nv9+@P)8972FN
z)VU#wn5#z_vy&HJadI7>yihG4<4;UbTO5SEbc(B+%w6`;{;Ja7zh7Rb<oB4tuN!=>
zLDQp+8mF1>M-A32)AUPMXuQGT52E_}`&Vjw%-}(T?=bOhH@Lyz*A4!U!LJxTKQ`$;
zX|8nLZOW$#%^!dNQPt85RyOOoXog#1S<zC?jPt7Xs$>27tKT3RV<1YM>|qN^bWq)z
z!vrKb2k!=QWL_pqnbD3A8U1CIKqcUOo2)6Tk<jYv^g57eMQ<Nv*e1>f=Q3M8o*Z{p
z2L$~2;m2n4U7!o%xzE1To!hvb$_9C>DY2(AN+daaC|{-+{^cF%wA?+(lwOaqVhT8g
z-L-@JSL*T0m)%EdvuO)gPFeHQ`ra#NCUqA!$9O~wGY4g}?aJ(hv-8u@Cniv68Hsbd
zmGmHQu`r*R?kAK=)`;?osLop0Ce-blUZY9rT#ZrnQYsTrfC-8#MO(L~F)v%3C*^eo
z1*mZ)H;cRby2PuSs1}*(n=0JZ*|o#H!-+R*cXAITyNv2!g=^hsFLK4IYN=Z<*OS%F
zZ^jw+-Fo8N<DAY<bkSAR9{g?kyqAqnD3=h;6Kr26PLS6`+3joc=MH@9mW;02oFwL`
zv)V|LBb(}osNLJ$%8>-Nh};I1B54WbrcbtW`Qo0AE;-X@cgXOid01vGyke17=1nN`
zCet5emVAYKn$|RBX8g(>pR?qEQrH|OZ0)8|wSjTVC0l{=J^;CN5oj1p`Tg+%Eml^3
zt^l;t&Rx-tHW_}6_nwhsMn1ydlLDX3&}uV#$JyuXK;?Pc7n`U~u8|40G;U`Wq4L@{
zTepoIe3sMmJiJ1vobx)XOrEfUdf;~3xvx`q1ublUMT6zTAs1fhz#B~yt{UrnCba*i
z8F5t1652$T&g-MPGv?QmRWc3_=&QWhGb&Zz;PS>gwlO6VPiijjE${{&Qsl`wM<Ijx
zk&2@k(r--jW?KzUk23KjbAJ;Xd+V<9;0N|_*;~!md}9e3rB7umUr`Qby9+9Gu-6eg
z6JJeSUq^}@d2q!<9WG;p<~Ehud(t)5?d^$@NLU7Q4?xcex!3AT;U5osxdFN<V<;5E
ztZ?{v1B%)hlR1O>VEhx~zqsqSTN8b~ti2Xo9=`eHC6@K>5I;on=(tlp-Llf39(N8t
zU|EMhH|`vGknc~9J9{6ptRMZ|xN`y=Ju&X|FR-ls7sj15X%jyjcbZ9;_z85d`lsX0
z2v~l4+$rRD)&{^Ta1@M!<^MJA#J~jDFX7+;u=p3_&X9ZuN5B#A6j=I8@&T*C>2J2I
zF)#v_j=={k2m9swe~&xEV9U$nPVuFdH4H|;F|Y;fKSMs?;P1!>EPVyOf@jB_YJR7B
z5R8GN-~ll4`*G(mI0BA=E#u=(*=6tplVCJ8?hJwn@G#g9j(~&UDKHIAe+&H6$Q2v{
zli(<L0PH_E?u>%vuOg?*sh^c{s=(2Ll#>9*!YStj*grYtOfMzgg(;^WOiWEVr@+CY
zlvDav@D0QVhrzvIq9o-E%lC^?P8uAzIOUYT4L)y7IZ?3ql9V$Dj)0?JVtUFc<|WSk
zZ%R4UVCkDvP77EKCczeP02~AlgTvqmm<G>)rI(W4CLUM?Ccr2-1SY`|Z~z<yhrls#
z1WbctVDSvnUqOCgIoJY5zy#O=j)DE)z~w3Dn1q)ikD1_G$p?(u)CVk|NqN8lu=Gmu
z2dls_Fecxxr2Jq@S;{FaBfnWGry1-A6W{>27aRcx!8CXnEWe8K3Vn9UDVs$-z-q8~
z4(Y+_tEnH@e+}{k2d^dntB40yg9GK%0~`dC;1D<f4uc255pWo+u0RgV9!uxK7aRr?
z@_in114qFzaBx0y;_c^SU<^!LM>)Y!u#oe^(d$VM4uc255pWnxgQvjiD)a*E2d7^{
z`M`3p|3=CQ7T=U|4uFH;32+QN114^!U9N>Mm;}cb(H>ySV)%h0U|BieYseoQsU?3f
zy@d2&e;xT$P);x=7@^!?`BKWkJ3mU7K?kcFNCzgsVQ>gMA=n6iUUojPoOs{}*bla>
zB!6(YiSIZM>02omSiFYz087C$U^!SkANhb~U_V$54uZ|#7`Ru$n<*EV22X**>uAsG
zh<`in0S<zD!C`O^903o5#qT8E_2dIqfl)9D4uVN=2pj;1!GqukI1G+~C%`l~Cf_&E
zj#Z@FNIk*+caaa6*hIa+>dn*_9BQTfHy}r_1x$lU`5vP@@*NxjhvU@yM&z`O_}~zj
z1V_OEu(%!l0;|DeU;;b^4uENJ2%LTs<ps;ZG#CNPJIEJo0h8bWcmN!^ll;Lk@C2Ah
zP%p5$3%M+yK41$t3?38grhULPSo{vk(?dDIYOon>Nx~nD_EBD;??i6kAb3W?cfofd
z*pIxx()S==FbWO}9XtUhz%j5NEWDZWf~8>Td&vhZ2NPfv+zYmVgWw=|3>*eW!IAsW
zpK5Rq^#J=nK)Jxd4^tkYgJri+&Ic$DIQTH_0FLb^-$n5GIQfA?pMXD@_$2ZYI(Pys
z9VGo?_<%8R_%Xu4>c?ppa0r}UL;HOiK48mdkUKd1S;E1g&(Th`q<@m~fz_X<KJpzL
z21|#K^AgGhM!?Z8P!6#Fi{vBU!4a_fuaQq3_$Blh90Zf#C^!g~K8;)?96SZKfN5|5
zoE{-QSPl+@5wQ3$>A@E8AUF!10Q>)j`1SDlTj~QQz<zKHJPh`KnRWw*!NR4`!7{M?
z2=T!|a4%T;75IYbzoQ)_{HyR?Mt;M@1B<^#Ja8Bs1V_NbVD;DG54L=R@-|R@Fanl-
zllWlb8QNX&82L7m|F>utaP-^o0f(L?J(vckFDKnUqK{ztKT%&W3LXIaN01ZP@;&6a
zf_%UPSbUuR2abYcVD&%KK2h*_(u3tcB7ZRYW6HG>`isN|%YRCKtH}3f$O}yTC;Y+a
zf5Cq>`TY_)82t_L!GYh>K49s~@M$97-%&qs2pj~<|A+Pf2f#C6^cCuREBT$J9N-W*
z1Q!1u{Qz6QQ{VuYmT++T8srO>gCk%B90gmz@^Q)|m?l54#UULy08U>^dazv3N;@rJ
zc_{4+fYsnZFbWQXE#L_-0gi$FU|}<Sz*2A!tO7^DX0Ws{?d$~;lSl`SfW_;GH#zM@
z!RQ5PXAm3$hrv;B6dVK3fN8M!HtIbk?UaF~U^Q3`HiIo-0_+F(f`i~7I0POB%P%Bf
za2QO3qu})0`976$g8ik$1Iuml1*6~@umvn$4_-ljU_aOl4uT1A1l$XbfrDV_O!$Ds
zSCSuCJ_|lzbavWF-a$HW5KM!|z~VXN2bP0pz$jS!PVxiGzyw$gR$om!faTY~SLk3G
z90JQXkngo=ryop!L*M{-3>*PR!QyiGgDv3n7U}_3fkR*v90g<G7}yV{!2@7%1^mE%
za8$y<;*Ic~iyXjFFaeg%Lk?g+I0#l(A_p)5j)249DfvF1a)W7b`nyPX1NngE;1C!E
zkAb7$C|G<W@xgwubQ9&hiTuFg1*8K@!6C35JO);SqhJ&~1Ga$0n~?`t4i1A+a1@Mz
zX|NwGeFyx&=t9zi<u?<*mGrkj2S*oE4sdJ<?Xrb*_0%6sETi7wKoj{3-b%gN;IoGQ
z1C}>aJ}_|`<%q!tECX9^r(MCZ4b%r5Xdxar1Rev^;3=?tBl&`3U?fgC-vwWA02}~^
z!GmDSCdv&CfoH(#&E&V0a)4!Ebt~lrN5Ek)y@l{?l&6hwa41H3!1Ar|1xvTV7i<BC
z!O?c&x07E7@&luH($3%*m<G%5qTU_U6D$Wyw<A|@u#5HwN5E6y@DB9uPVxt%;NVX3
z0~5Q*4=lfzc!K@#xeNLS;UoAV<O8O`;sovg5##_4gGn&@XM}@;AE!KE%OmjL4t|36
z14lne`8r7tmV^C&4qtE(JOB<qPIwpf0n5Rb&k_#yg9pGgco?ky9QBd#zaxG(-@i&c
zumwB-jttX&VE@->2Qc~#^!9Gb4_1NYN6|a^4)%k^-$cIPAb0{C`6cmtXpb@43mgFl
z!NFgVFF5>b>IbHOLpghq^Ka1$u>WP`2$r8gj^GG*3LN_#@xkc-kbjc&U;<2o2f*@I
zs25lbj({!TDX<?*gTvtTKI8|MgK01V_MfHv@*NxjTYiuIzXyKf=n<HBm3+W4a6rC0
zv=2B6j)3LXIcE&)51(^NcOZwtb51ol0JeZ>upf+0I_C_6{orA67#sn|z*Au9<a16M
zjDpj5lKuktfGtzcISKh*bk5le4i&>kzE3;n6z+o0#pDZ?UvkcA21nj>&KU+rFFofJ
z-%I{8&N*dZ@#W{7Bv@X0&KUs5-by?$YEyo}GV*&j>1L51Sbi1xfi2)5I5da+`iXbV
zIVS>+T}wEaE~h?V%Ut+?)$_>jJ;<r@oD&0wu0Q9Dg4I=|e=q#ODsb>d$^#DEM0w=<
zf^*IZaQGePoalYfZ-x%07oBs?faSHwb2nIb&N%?~N01*lTu(mlBmPq8V4{Kiz|uzK
z@_y3yQBH7d2lWN}?}Z;&{O)s3`5xp2#=!pfoO6c2;`h=X;OP4)$6o6DN$Lj<gD1e2
zLFD`a;vYQc90Z4-AU;_7dD?j&`3+GnaO6wW^MjQ4DDneGj#2;n`Ti~B3|4=Ka)B-1
zBR*LCJn=t7`jeFV!^Hb{@&N~aLAk-|Uy?sK42}u?zX^YU^k=9KIC{aWPGo@eQ(kq3
zz=4Zjb<$wVbm$Kf{-#%*5wLv5t4`rV#JlWOrwSZ;`>Rgb!_;T_t4>ld`l>Ss4y__S
zII^1f`^mrQRVNBgxAaqR?;5LM=d^;$i!Ye6zu<ytLNDe2&ST@wH71TgaD2-uBTV8?
zd0^Z*8s<aEw5268mS0q~W6Ex8@mp@b=K8XkP*uDLIPD+Co!=Gmp|)h&o>2IUp{XTP
zYKubafE7iMqx?_s|MWkOJI{vPc%fq|JahzDUzFf)q$tz@)D|^O@Ry|WRPle9|Lr5=
z&VNqk!;+F|4}~b=o^Yh3Dg3d*sU<Tg$`awYna>gRxxT2JsAu?ZKR@o=0qXKf&UHn#
z{9SGSMoOkgsFF`vfn_xjzfMu~ACX%%^!uSp-P}j$&CriRuW^Z>&=b&4Ll?QakI?r*
ze+fF~)_Ww*AoTUDzhbT}t4`z^+HQ)a_ze?&gz%fZR63s%&`&~Nl0)YQ3#}RdGVZ+1
zM;Cc;sm8LQe^KZNZC|KS<hZP4bLeAQjJ47tDwUM0iujKazfvemOQzkfno0$$ay1iv
zh;YDrs`-?F@Fet~3stq(@{$=3hU-i0fx<}1oPCpOODgwF4)sqhnX|0KUQ#lHI5eQj
zS!6s!`t|=xeNB5m9Ez08cu3MeSh%EQ&VZ!fH@UWC!JZ42mONGvz5^v#5GkpwEt#_<
zmtPh9((r2-&FI0t5ap42SKjSadqoj>AbTVrrB?N;qCa$#?pj6Be}rEY`u)%`C#rq}
zQoeoYqrImvv_i9_J`F`}u5N06dr5babZ@48+(+s=2>tYrX@8+3iw8r<WFTByV($}q
z?U_VLLtBs*lv-C>4Ml6A)cGj&(sCmIG5F1Rk#%rBYku{@kMiv+L`HiiA*;~4bNDUO
z?JoA9oc{d+=^1YPda|m-4!z42lIT-2@hVS_I}0Tq<u-DllzR$^xJtFEgz<<z?InH<
z@gER^vLB&Us8nN7XUP<i>p{W~5x&8Md-`dwMyM-Q<18=Qtc2>elcXD!@{$fSYRXG{
zsP+wQC!ucDI%!~(xK1~)$bI@G%Fn*WfR}EWq-!j(yFI<AFS>Q2&spUtgGUU0-SAs)
z`0YW@?446freS0n$zJlFPS^nPo+REIC7yYNeh~U0=p{lUdLu;@`mjH~p^N-anE1Cz
zd?kOhV;_2r{6%GIlyYe6D0~X(Pbc9&L*m0{HT)xdEQNj=I>S<4JHltjR3D#ZMH{of
zN*W$%-xz!<|DF95A*lAfO*OBGT=LmVcn#qnm2k@Ykm&h?Vfw7!E-Wjl3B7A-NoAeV
zch5R3&FJR{d>(<%=Y)^4W2(K;@6bop2!L{ke9jQh{@J*5kr*f?ANqmmr{M<*bi2|v
z(s8PYQg#7<{$t$vxao%jAtg`xn8>pxw2zwCxn0`yml#P}NZ0<K?Dv>_9uA>L4@tf9
z>{X;>Gcs9#0n0H~^+n+wlxRU+KnPi=etnF5rm^4lA(M|^ey}rkH9QGEVk$h*MW~;Y
zvk=p^nf<rVd*vjGDQCTBR~yByQqJ(>Ql9*hGID>GfTei_RrXu*Ns!Nz?BBh^$njxm
z=U{m(D`^TnAIPn~s5vluGd@Xsogkmx><`YCe3Ty0UefRF&@Xl4qInHPn^eCy21ELN
z@rC$DzrsES*jr^Emz8vfcN!^r2DiQlt(=3Bc@!y%^s5&5&3S3uc@v-AN6MFkUJ3oL
zgoyt6?YhaQGW79mvo7{~h;&bquF;flf_A<%x1FUtqW5E@Kk}P#=bt>excwvi=cEyT
z32A6SO1~|g%6R)S{uQ5fzYYBp9aq#w`E%8T&taeSehH@@4~OVSW;|Xldc%0KZ*oNR
zMtljzr2w@t?I!gbfL}ZO{@U=%s~`OE5B?%sizTwI-w5eXlm0J+km>)lduBX0*(rIX
zrGCE~ccvP74un>T9Z=&`s74D!Igqdud6ZM}1^+Yd{F(5_PVNcafjH`lLU(KX9VPq-
z;mW@ve4Vk=G3ZC3UuM#+fnLVve(29a7oEt~(|4B4Xi&q0(xZdKI~kCE82ahgk^U6%
zEcU;1^G`#c0{yk}FDu4g5>JgkQdS-*e>L<O(61LlRzIWs%eBuW{UAoX%AEW~p8e1l
zxO_>!Clp08`jPNK!snbPeAwi#$`z1)lyIrvMB!<|&mzC8B}<ilo0q?oyYvk@y(_mS
z)1Fn(r@@zD#CxQ?Q4?SJ>xy4!B??ko)JmrzJVAIn>Hh4zcA61Ibw?Qqa;>%QcZcC~
zlyeH-lH4=)Bjd+0ICo)_{7ztFQK%t@q`HE%eIWv>;haOt<EQ*W`i=1m#cB9Swmpgx
zx0-ZQIQQ@iZ`@cpkv(5ta=ak?%tQkRyqftx0KX?WC-E;{e`HiO{gDBo&F^4DilY9n
z4Mm~7e8-+4clxaId8Im{r>Eds>5MyTgrM4`kx{!A2h1~fs-G2KMEel$trE{X<zN}~
zZs@lNP5BGVGflbTs;82pi7#?#CjM^Xf5pW2+eI~=X6)kXlE=cK_npTu3crK!dkKD@
znTTJbXJ?m}oD97;kX?fq0j)o0;MZiOobP-5g2v%GZMSPe_rNdT{ZO-dJ<dg@VV~fq
z?10L}jDOIl6r>!o^B(C}N$3{z-1q~~=Rm*Ki>>(_gkA&vDxu$6GHn&o7JV6pz8?C=
zyz#KX^Bb3m-=oHh<s~nLLf;N@977M6R4&c#WJ(XFU(EbAlybDhbYZ02<<K92euXBf
zzg7H=KtBY%Qp$mT?Q_>5?9i_mMZ9?ipY=q8o+s_vPr4_=DW5+S<R7Z>Q`R(Q6a<Z*
zsubD}9Fg)BvXAS@gMOUnM~5dD<kVSMi2W*N;<0m5%DGMms-Iv2+O-{*@N&W*A^Zt1
zJhTb>rZh|B6D54k<dnno!+V4tgKh`V`=QSWpdWxfEr%}h8iGCrdQ7+n**)5uNlBJ3
zCeu4vP0-F+z1L609;e|a<^5;F&-Bw^|GXyjbWk^t`b93m9>eG3!pA(-U<>qy3)qhq
z8s&XR{3HK*2fb>~<Q=}&a95pldk&Jmo%F69G3nL3h{3^KFIi8O{R4%X5lQ}|q(3d`
zjXn&BUb_Abt1QM=Vmq0^$QLu`k>XbIzm&?gUzl>13qjdE?5mk4-RY%RR)lOxyiCbf
z*+0_lCf(g8-GfqZv(BK_Etn&0%NdL!Mei(`voyb*l>LL>A^2t5{q^vpXR|Uy+3-X%
z?JoSz!0$Nx+W(;PVNq7Q<;%AB5gh!N;Me&F@$=U=!;hj_az1j})NK1B<CvV6oC3X4
z@=<mMd#C0#Yu)LsvR@}m`Wqx3UO_i4BYel8FChJVLr)lb;hUNNLHGCDa^jRiUl08k
zp8g<Bcb@!&nK4jwnetW<KT7-=#VO}~!e5ootRvbCNyZGS>6`g1hC}ppFX_5T_pqd!
zpkIrtowd$o9C@)z$4Gya^o^39eD{QQVV0H_HBdik?^A@oMEHAH{}TRr^G-D$t93(h
zzSai2DSBcra;dr$dp0fQH1IjMU$l7rLKjf-j}gCy_*Z1-AGB^6!7+I>aQrsw93tn#
zlK&+sXPe}&<gDg#SUDDzjN^T)ENc;Frnkxu8YA6$(%os&?Frq5oT5cr`MaE6EIy3X
zZ#oM>j}dP`;^p-F(7mqNkU;HEL}cM;ddle*JyGRBPxO4d&TDwAjI5aH0dQ$is~1q`
z`@Et^<R#~E?Kh>InMUtSdu8O6X)lr2uaQ?n-m1fLJ$j40PD%OR%()gITVArBw@e8s
zTGZlS4$$@w$G?GeEnYgK&y~h_D)$jNQz=)@QvPPrb(8LQk`DQqc`W50kabqqZV&kF
zHrBJYNQ|Q2lA}VB_d)pCm!_N*UO!ZJoSv=M^Zw26`9_LZY0fypON%0W#jl`Uu!75q
zHuwVJE#)nI3-)G4%K0^)&r{yd_)AB5mln~wx#gAq+zh`%@Oz^vuUX$<{nV^mFQwHe
zbk;y^^m{t#<-GL%%Z#0qGVus~2>O%IuTvELN6LQ;`f=!Igfx-;_=qkmnn?_dRzxk^
zcq0xJ)nTRl(=TWIdP~arH;<nhZ)h1aABs}`gA<p(ne_JMsjU5<et5|_?*{1a_vT9(
zzdN(ertFaTdt1d0<vZT>MWJU22wG=jwi%E>)l2dpBmebpO*!kb?U3?!^77vt{#bDS
zON+wWBqYB8OJvh-f&z%Yl_+KWu{rN)^uoWsliB}?vh-JryAH+Q7tD-K^x!ajDz8X6
zxc}ZG^bzQDptG#wJwliB^EUKce?AR;26W7#_elKdOaLYRT#u^tuN?XU=(vsEQ_iOd
z^cv`^g_>(GQ8>DuH^58$B=I*Be~s6lm0v||*(W-MNzw_HNO>jxLE`V9nR33sXU#t|
z4$E$t#K(10es~p8P7r_El_}@z5}&YrvR<wCJ?eFAtW`r1BdVn2GqRO_RLsKFBc%H~
zQ?9&mQthv)`AC%gHF6HvUGw$h7Whq>mD2kPQWhSOZxZ@6=zcj0eE|9l=>GYl_<RRV
z{F?*%joSCij0ZA)&lK&<U!P_GIy9krs&dJ_h|^c49J-13NV&?Ozm!84e@yOAoP{p3
z({g6LVo!K&iQVH$R`HDy&z{YBR*7dG;oA>=26T7rK!SvR0QxlOEL(Vw(1)N;fzC9~
zdxU<>#AkWedxSn};;Z#r6Vd|8J&u#``J!i^bL^X}_q+%D=C_UwMay$6XoHM2S&K~Q
zQ5F1~ZTjccDd$DWQ|X`aPbx#5=$xJpFDdHtKI2-6JO@bk0_lEf((MUtQ2t4Xac0W8
zqR^dqD8m0R@gBP-<@|$*w=bmRj{idujY_lLC7XjfFUnO-+%eKExEB8>sNYF!%BtMi
zR{fdPNYw`=8%%{I_f^`<Q@-^=R{j|_#LpCYM+x6aIO^&>l5Y(9Zs<QU`fJ8R%4^0$
z^f!DDTAStI-m1)%@I6R+dtSC)3g2PqbD)1oa#MZ=?dYHH!<Y4PSqj8gV64$2pX#Av
zSJI?^lJp-f;7g{Rh#Ou<X^bSbA1iV%pNYQCPdUr@?2Au5kc07~R^|AeQvMj}DoLl-
zZzL^`$g>}M1N2!!ApbqGNzTCBY~(5TeAWk~I}E-1Jn2plzMF8|e(#ZTj6uI2y1#vd
zUU((;HGnSniXMUPFSo>(dq#%>=uzm;=Fp{{av$j=bi{4yxk>rj@>Rn368;k5HKrXn
z=W!T8s1-H|KS=nr>rH)>oMa_hKT@7!CcID5n<oN}Lf=`Ha-IqCMU6{p+|c7pX3Ae%
z6u!VTH={_TDE!s})%I#JLi%Ny{JAORECzHt(d3-ck)gwwdsUAp@n#V3W-s0@ubfgI
zxp%dGaNKz;%onAv=%mrtM)8aB;`dBmR&um3^c@_4ob_+5hoZM~PwS-{jeo7=aeIkP
zpOt-db|G2kmQUJY5c!-U{!z;1pZ6;LhkhFRBv0<}!3USrON&A*Fw3V#uOF79sLw7i
zekr}=E@~(36M=pb`Wr>gsyyKZ2vp6BCI6U&FHAZA#b+yYtYlhD??d-PKXP-*`I$+#
zPtJ>|c~khaLH%!t_&XP+oLhwt`Rog=F!9^G-r6AjPfuwima==NNcR}&o)!Xf58Q9e
zUpSN4%Ks>%1K5jGPAW)`r0Zj4v71Uz)ud@A{!6voKM@8>@05R|_RB-Nz4%MS12<`P
zV-a2Cb%6BUOSq39>CGebA?Wu*FLa5Z(2qgi4c+Y%5-jvl=sTfL7J_+%eg?Ym_tUGO
z%YD3d=nqL;C12w=+3x8b6n=TpU9M%6Xu>Z-x}&7a^+#KvAA!y?ocBn4`5hREU+hu!
zKE;5Ee}m9f{^~p%=WA|Pa*|anNq?Al$4T$^10v8zpuYh90?}tBci(y+$1}X~O$Jo?
z!X%E_1eN5o>g{?RXZjrUrH=a=rk|Sg4(@!Daog5u+(sum=}%G8wJ+n|h?hUn_Q|=K
zJ%!=H0ylqR(kJ-ePyEvj*yBljp}fKCugc$SEZJWWUPY%^knh+nD_RpsSNqgbu2WJU
z?hRJ(*{6@HT<la*dCxsp{bf2Ef)YPr;y)<o;RfXVfOqbyNko`6Tx;{B>LvFvkCXmZ
zQB+m0%sel1PR(7{4;>9GeSHxpy8>#fYNgvr?s-0YYsy*W$y>Fzs@F2v_23j$rlqu{
zj#8vEq&vAL<$PN@K#<(kev)_I<4myFb%jOmBG)jVxg+KLw<(8zy(6;^(^zt-AoTfs
zyRKa<(dz;DOxa-U6yN1h;~(@x(CdXjYwZc$=Zz~;pJRldBz&XE|6ysbiO!YOgvJBq
zYT8fi*Ys<#Uo9zpj!5+*rN>JDmohtjFJkqb_koVwjTT9Hnn}NTW6Jrt=|92qD6`(k
zImNGXST>-g)e2TQ{0_p;YE3!20bT!4Bg4zmBKf<_{FOsnJQDu|@tcUhMF^D3oB!FU
zloS**R#zl}dVDA((SG8~Iakq#3HBL2sx{v8Bb9$5@`{jt_m-4%uP`LNS?`Z}{RKai
z19x*!Oaw^;x|>;^Q}fQfq(4gfHD-LtlUHVbC+CkY3f4!h-=dEv;CGz+u)j3rd06&6
z9tt<exhu8KfuG@>OKA!n2@*amtWpfd&N%Z|Z`@PknD(FOTc*v`yt|C}QR266OF6BQ
zuhP?)a^sfrSI#F&16A=qNxVbE`;due#(ngN!<VLgmWxp{(-%?AC~=2KH>I6*Zc`rr
zz6#EgJ`ajtmt&X0F$9)1Ps4^tInu)K&Y*SC5NE7RL0CZaFK{-Ku8M_`Ceqz(^u_Ee
zss2Gzg}&@JJN0t>I@4X2tMy2)znEU9$I$`!F1Rb@d_?489<d8@Kl~{4cL^<7GOYti
ziag}L_>@G-xy_RYx@peGy7Ewm4zdKIN-$@IPZ#Cfj<k32Jp9+rl=FMZNA>%RJ-yd!
zZf&omy{n0Tn)tU#e03fOEvG}`fKF*D(tA!4FGf7OE8`dMll`zg;pP&1y*I8)yaD1Z
zc#U{s4-XTsiFj)LMCn=feBgu$XPR$W%UG$oU7t@HgT9`0QddQ9)$~F(l)9l$6}ovu
z?xoP%q1!GIl(bbQenjX>PMLm@%#oACj}d=Ae3l2qHyV#c(5fKu4-o$l@pnpmWxwDr
z=lX4*Ui$2{-2b<_xpyn^mHo-ngQmQ5&1PmV_N$PI!DiCC^XLHoxG7|;pJ%{K{?cv{
z(w`(f!%$9n@!QY~%&qEg3F4h5-rW*Ul{0VMr6zQH_Of^tQ4f-?@^0?$dg(ItV|<l!
z+clv(v(riYjgszu(%mBI%p>}92KpiBGliz~N1w-)a*F(?Uq^o<{2eAdv%ZoUKirNh
z@gu}PPW*%ypMInFe=>H&B#``*#Glraa(0>cd*l%Nl$Fff*o}gAfbed@pZCUd>gylR
z{o_GR_(~ZMAkpPn$|fqJMW6J3o#b~4epWKmK6^q;z$9-T)&AF09>U%IriWx6=HI8s
z=VTq_jJB*^2C7D?{-n41QqCb^nA0CZkGsQ!1Zq1c?}yk;{Lg5TN0;|S%(y3iULx<0
zm<C<RH%Pz5=&sLhf2r3f=^99Pi8roO_WbpsALrCd4Wz37qkMCAWUqe+-zw-e(Dxg@
z0sW;ie3J}143%Do(c^P7>64`2zcb}5F?RbQId^HwrTj%LZ)PmQK+BuyNkdV%-7xiN
zx{={2wrB*t_urdxUg5KD2mC<yyo0PZqU-QkUgS>a6jSEV(A^n;)NeWyu$p(LoF1=y
zYovVm4`%;Po!baMomCiP!6<^&O#0pLG4p-ZUQusc;`I8SNy}-k!`aKLqW1%&TfloK
z{*lj8els6ZeoNlGp(ezTv><;rWbB&QrBV1Df!|W$r|hWPFMD0rLiyK)H)6ktr}jaV
zJy@I7KgvwFdtUyb&~mST(CPNcJ(N9@!~1gOAwFIyS;t6!Xm>DwsrOzJJ}<k!FZcX4
z_?vq@vc4ZW-#Mrl{7%4c|NH#*13T+K&z`X#94mb11Y!)m6lhk=xi_g-^-cI6d;IH{
z8?)pl?@O6M_&r`fVIS7aBR&7*Mv<ETq^35MqKAW|U%!|2J3fm(1obmH_87E}D&-p`
z{b|y#k@TuvS$=1nW!P8q)HLC9K9F)=&6a!4`6o3`MNYE0n6GZ!PZ*{>^3AX0$s_F%
zTflg-FXjCE1$<F@P5<@VbJ%A5@d@)8K~e!3X%is%jF3;mL#&gUew#OsczyYtc&++W
z$-uZj<^1PFa?8@M3F~w4welGxpZh;@o_t<keO@!4!i9`4A5A&m`D5i4*gmVV0$L9e
z<g@c*%uD~cd|p!z<o!RpKb~^_^^eQvRItA3`pCFn%|iFtPo$hHO+Nm6ZgLmKj4Pg>
zAnzMG`>B-koUC^#d+hF8g}*jQ#TE}tKVlc<eMFBuo^o#R><9hE%x_pP*M6Uz{_~p;
z7Ov5_ERxLiBk&u8-~FFXdG{0j=MmNVJ9;bY?@e;pDtP%_`Abz8r{nO+ITxna`Qk{;
zR6JTlN#rwrojc#3PC1gK-+eIqyrhhq@?NDWpT%DCS=+lD|CsWHHf5VTv2({r*F?IF
zl1|w<Isc{YoV3#^!uJ#Yw1i`S%zCDt$3NkgRs!`rdpZuY{W&v!ua$8aAHlzVkm=tm
z5Z0%$i_ajhZ{dHA;IDia5A=I@6wgUxO1<R0P)FgHkPKA2;}mKCSoY(&=|Q{8ML^#{
zBB|FP>CTd_*`#A%Xc-l2C}LMa<Ty<Df+x(pYLnVlQ0v1dpm#%OnU99g(8r+P4?S=H
zYZ3B+F6P;Ngnub?iC^pzL7`Vc-wpjjA6?2Dg}xKI>u+ekUblmUCkTI%@ZX9)hmRMO
zOp}pFKP|w3<o9{}bXhlBF6&V0JU8pE1KhL2&)~=je)zhn&)^t-3rUY4>F*-x@5y3V
zc%-0Y$}`^@`R@0Wd$w=VK;eVohoo!DBjp~0|N5cq^V>o%WMiuv`lS*Pd99>WqBo_`
zcS1iS^m<u$lv_dU%ds>=hWKByO|(MQLE=Y=-@yB|l2Sj_&T8H&yXnKaBhb#;4OZpp
zC;lT}%-^>-0DV97-1+zr^!o$iAA`O-fIbR+Cv;_ir4Bq&-!ss=q5IoU=*2b6_n}|J
zXZMkIE309C3>`52tA(m(`d5Si$^S-Urv_yG)jcPAMS<#IxZ09ht=lAtzyB%Lb3MD3
z>F4Tv@LJ}xwK+zN;~QKc%d%^-X;cNzW5VxH%GtzcpPz(1+E=LjZCc>I?4-($rAc>$
zbkCY}6Rdkaojnba$hscYwY2wNr<}hO0(QlJo=N$|jL&-}bH-9it*0!^64;^KoK2DB
zBIg14Jqf>NAt*bR>F*LgMEGgK%Oo5<Wpa%%kT1GjM+iSlcy4>2g8mZp5*^ixpEmq*
z>C=}m9|(wF4*dn_ZxRmV@7{-!_sU89TzU(1DQ_-430=yQOCNwP<(J{neWcz8O?<T;
z#K|~0MPinV)VYykgg1RD<$PEYDY-Qgi7`Ozs#$js{T?IU5#n7g@ysLq3+u4Y&`%0Y
z%l#*=Vd{reM)>ZhQ_j~e=8N)QnMVctuTr`X1v<*S41=|?fKzkm1ADIl0jlKE)(540
z$5PIx#V#WE5OZ0UH)L_y>;{?kCtd^ZrIR|jkJMY<*VhEyZ^y-6$@}{x{#l8f85h+$
zZs<SVcV<YS<}dH}oAHm?@)Q2@zCSyF-U59Nbe5UDN8-zS0c!%{4?u5l<5SNVjiA~e
z`ex`a2^ZZy|KYZegdZck@;lT!<c5bY4w(qjey1dS1p6-Gs{JOMf3T7kzE%7_x^B*T
zQbfF&fM!zf7YUe`XvHfd%NQG1$G^)y9iMgi8PYIjqMmL8O1uH$oh9B{6VI#@6Il*8
zQE}pn{Nz1}mEX%BA4Z_hfqsdkH;-z66Mu$F1cjc4zJU0-_F_5%xbXMWqr@+VF8seM
ze2`<{d^G<YK{ChmN^0eg_QUT<`2AW4IqjnMY1F)5-9wXYw|@+36_ML9_%uDo_#=D}
zlaU*z*S5K0Q{(v<@!E-p8({RE@!6~oZD)Yi#~5_GNqtL~F@6%i+r)oZ{1N{;f|`HT
z>U;4uvL_dyHpc!)e@npc5%{5wCV$og%s7c_lkjcUs`iohRvsb#n<YN|K|BrB{?Ly?
zXBk(~<vyIyN1&h1p-cZb1%29a&W}rc-GAg266%rg!Up;y;VK^$E+??`BYewDxYWT~
z#ePDI*28M(>q)2Rvd_?}>CMo)q38N93Fz(6r)bvduke@mZf=G?$wwESgV2TlT|!s(
zNwpXKfpfCAX8Y|De}wptyw3R225I8IK>QzM^Jm|3Podha#?7&D)e#Bfc6||do-!L*
zX5f|bM;fW`Kj-_;EzsMc-yr<WBk_~a_d~zkC4xd9fc^sXujJ4VLf`%Ul*9Io_elI<
z=#M~GcEyAU{RH&m&<}dCHGg?;Y5VhL{%69(J{B%#{DywHj4wI;FthHc^n6*#?t<_~
zLxGyUMBY3T*aJA{6F^rIl=AK+|K0zZuNQ;RcS6tg6AqjB51Tp&h#rqXKTG_pg`o79
zjBx<O_muE4!l(Qo<#c%A;>YR*y(qL|I>>s$uP)$=vTw^}zRh@;Ij0%=QjQbK3}AWo
zLbq^Nen|`b7QB%1y=SUj4cu~^m2FYg$5j1^*G;@4l~Vr^`XKc70QzC*n*-=0(ANjh
zPeE_Wp^H4y&>Ntu{;T9A@~A5kJ0szx2u1h>g-iLW377Ku{VAb0Lznv4d=|U40e(VH
zK;M}|mwvbx`flh~7`f;9(PmwuhLfx^Dtns(^h$RF02bB=f7*ZOzqg^*ORyK-xt+=o
zmz{F9B|35_>Kt1Pex)nXC-`0E`3;$M<h*{-#5*Pel)SbmczxL&_a&db<a6{#?03GN
zd^S&%&v`l-d6e;gjC@|;y}}ntKUeL&uH=!6!oLYA&jK1xIsfH7!$(hIkG*&_0OPv&
zAH412{rZzWvM2E)#DDB(*lB4$#dmqhp%Cv>lLVYDeIpK)oTQYkiE5%GiGT7`%6a>R
ze4(G2d4A5l*6<~hbi;TvCove(&WELZ|DD;V4_@ar_Nqa7*ZJ<88J9)>3Rk1AzslUR
zJrBP~Ndxa6S&)A#N6IDdVLlC?ABr48Tg5@bVK57J4YFVtI{geI%C}gy7-3BLZpoAu
zq3$aj2tODKF`bg-3)1qm@P80~J6~enEqbv+)~(n_+9&Tj<2)VfY|k(>eG5J#YErq<
z|Gl<oz58_;!L{-#EtoS8-BY+PJP=a-QQi-|{<r2npk&G;{d9U0`!&$-Ruuh5+PNJ1
zjF-8mS;!aK&HuiXaBrbr;-F88Xr-N7h`;j{v(A@ePu2d1?1RN~dY@S+lyb;>s$U@e
zTlwrhVwVm>KM5UoPT3dMWl%I7L(<86t*4#M-nW!?9)msy`Zpx1D!=k4^n8aor8m$s
zj>%_rJn|0p(Ote!@~OHNeTPql@G+0bCkp)t^q9~{pE=J<=MjdK(rh0oKK;Z$OZ+*8
zhd>qo4?v&x`;_x3A*gclUJc`?%3=~nlx@!~@vSGxd%Aa$j$z(=L>}_q?nBTY^r*U>
z)6nPep6(JKUGz@g>up2-h0s;I<*d)hIxH)fS$33zq^ufek<?2Zb0|{3B>WG-|9#o~
zv&Y$O*}SBG4Uuk23O~q<6XslICf$mX%HEtZa1Z3Gko+s;s^^Pb<bC9);rAmchk1l9
z?<YURd&|G&5<$sd-dEm!j&lnp|A#}F_nojl>3`o*MEs-)4kpNPBi;V+d*oHl3HtJp
z{0~6y=KbhwW5_w3njVx})nDR6@Ac}RX&2R>L^(LMo+a|7^1iIBn>^k*?KJ$JwbGvd
zYvyyA@p3t{uKhXujNO#-R5v4!g0y~bUyz<q9!90C;xrcJc6dFGh~5pr?@9O_ka|zR
zuP29}dJkVt4jZ$x6mCl1WAHx>f4^L(6IQs6{>J;`{dB2cDf9)<zu>jE8voTj<h=Wm
zoKKz=yl|i_n(#}&?~!oYJ6GU;FHDX<5n(nJz9E>O5}1@*-e3Rhq_nm}tX#AkJvjmW
zB=nzNKqTboAI}(u%zHA`zV7mp{o(K(!TEUpxx5E|_Zzb1Blcb1i~l6_NBOMn6zgJU
zKFi{iXHG-7K=K76YP84bKk28Gq@ClE-aNwh0Q95KT|51toHy{F>*M}#t{Z2jV`^PN
z-oIaSQQA3c+ReYuML#k3uQ^H@`a-@#sjqve{#MEa?d-I)bG>xfj2u<_tM<z511&2#
z`IhjX;jk>o_cT;{mBS(dztfkeopVwy|M;-Kz<mP;BZT%0r9TW3|HxZ;KR2Ise^CA`
z?(e=r<xX&pm0`<l|Fez6*sBf&=k$k_0sTSrF)ihR|D*st$>`%!S>IS*vO64}5<Kto
z^f9^~eJD$3oolKhpBVI-S*9MU-roM#7Bqupm!(o|2II^{dMTg$&cP$3tCNL+jQn%X
zCn!IUm;8jop9|JwB~alvCj9svgN$A&d1l5B+4{^iPfO(dYS#FnR89Pe>O0V1e)r%N
zK5PBY_!BZw4n3GXP|L*$y^yDt6C@SC3y=Q~pQG^EnQdn>^~~s*DDCrT85A^`7}`1J
ztSRF!n^OS+Q8^$Upq9ETD*N|N^5=IL-mFTb|A@Rwp+5^<elPAd<d6OrhTj=1f93K>
zJ_-1p<#!zX`KbCsx8|jtOA05*$6x;@M)-hLSk9qb6`VcC#*(2R0g#!tLxmgg=dMd<
z-S<}YhkgWl{PnDhQ2%!Y7eGx>RsG@j0>3xmuYW0J*bDt6^n0a1^bh>mq~D)CNO;YS
zX}#Vjad<@khM~7Zzf72`{xRYFG#r|qtubhzuu<o83Nbb{%hS$DA!PblW}M5&UtXNX
zJD&p7i5De9=jMo~m+Y95i<zLS`jgKQ@_D1=W1ezwFZ83(TXXGVW%y=9Dnkc$Q8SYG
zhly`RdC$M_$g-oM&?8=at>0xtIYs>4#6M>E@4;`YRO%vpGyOn*Z)DD@v|eu#-aL|D
z8T3l%M}*+duSVViVTxx)HmRrlUdd77t952c!&A+F`Tdg9&_5ys<ouwVEAX!`Eh~8}
zB(Fcuvfr8V4UxWKby~kCM|kjv9vqYWpjTYOmrVO*>_=vuI(*qRz7`^`Uk{4kh5hFD
zF;2q9$LIgL9wf=fzBgYF2B6P@{>^+n7|iH_p72P!3={v^cc-1V<i<ye-|!kn-*l1q
zW5hqg?|m#5d#2hEe`QY?FE_kC!#^W$`5l;N-<z!uBJV2b$DwbQe34=BzOlUW^r!j$
zg?4wf{|}$j_obar!^V9?PvrMzcJKE4!5KYao+0-<4xLX=PLTd2>6Kgz<0^1W@_S!e
z-yfyi{_{#$RZ(Qrf%o96kFu+v=c8qt@sHo1*6Z+o{kLV(tjFwSMcymGRgTi{T1eMG
zI*zgV`wef=;?=wGao1({5^po{t~BxXgj!wmr{r{y@NU8<OSpNYpAB!u{z1RQC4xdf
z0bSzDXZMlMW1E>DL!a*wL7^A6V*jE0?UK+-p+A|!zY2O4^h3~l`K<e~nujSr!kdTP
zk==`<L`{(HEa`Tebbh~7z5j&y66agiY6IXcd)3k)Vi7cfMF~kR<rs$FoIPp1kC16k
z%EA5!&OlCssx=HrcZPILq<cmf<)otsc<Z*eykN|lvV-MY&>zxWUr0Ko2d*C%{+qDZ
z-?S%QN|YAjpXGOTcJo=*fxB5<cKJzoKjG`|Pdj}k9M>x=e30-Xgl{+D90<<}A0~VX
zzth9Aj^fYygBLFSeU$J8gs(8`n3;QU;SpR}W4N`$FXbt2qdWt~Po=!<*L(aVyqxf7
z37@FEQNrguIB|IsgzqGrZ3tCf8rtJ8`ZhrLlZ1;Im-k!>2>l@RqtK=8tPL6ZF!a;V
zD}{c0hJFIN^^lntHfQK#&}TruO5*d{d;#gFg)zoA=;}Tf^~V2T5Mrr{5#8OO7I~Hv
zui@de^IV88+3nw+k*79rQtlSwpXPUy)V;!Rae?G0^dxlaqiN^z0x%p_bRiA!XUc)J
z^TRM-(97Waz{=lO>nml!^AT2@Ct=PP<j=%VKFR+K`Rx99cDY2h#c}2b{GOBiPDghA
zLZd!)K`Q2A9;z<omfy=d&hI}Bid<B=>8g3>L(F<~Q&`@d7vRA*%6rfPR+jbnCH7;8
ze5MShog$M@@VLY48}bauDnA7~&{!mLNW<@0ewWJM4wBFGt<>i){_o`zgWvwgvhxvr
z>WBWw<7ww<Pu|R*^gXYSdGa<Bdx<|p{5hY&-sS7xZ>Y2B&wBnW^%y1o`p>4F-+KC_
z+9fl8&-g`3pXLVZlX5&I|MG3f|MUFLl$1APH`O^(b>GDpT(NN?-xlJx|7F@)$!EE@
zC?NDC^v9t4`>oP{=trQ}O{7N|KRm)^>hN8nNEmF-<EBgu;E^JlJ3#xDB&*5)jO0I*
z_THOo*8SAFf;xW}k=yp~FlvO2clnZ5(pR<f=Zk6Q&y5^{)7J*37da+LzxgTF9RlPi
zhop=c)lC-Zmj{Vob13cH=EbK>zV+}=_y;VbFOqJQbnSng*6X{fz1WU1={S{VvRNkE
z*5>o_BB`JJzTC7gVTZHpml@w_hfq4uO}CPyZ<Y<_r_;^?qjwL<dB_LDE9D$3>xTO#
zsRODw`vsw&;~?g|=xkY0crK#Lko7!@V`6{r_a-&fy~eHVxcvUzvwxG;>+0C&J^bDT
zs}S|>MjWM5<M<ikRsL<-`J@oMcw5|UJvJC+K}L_%B9F2=(HG)>En6ObeW5BRas;Bs
zRnhkt>Fp!@-kaoSo(R|v{Veo1c<q`w4<m2DF^y8Ie!z)xqT76S$(oVK`xtzVeg*%{
z@G<M1!Tr1`^nv`|fm5}jh?i$B2pTii<dLzUBA4pB&@X<U?;pJK;|H4c&(K4<{6t++
z6#ArB8MnctzxR{=EWhX1nQfmk^R{~5y_lNtBhuY-3P`~j?&eEK{+^_?pyYFkd@Oz!
z@LJEVWY!7PI<~SaW<9t@-Y6HqjPtjD6_~%Ck4b-vCeXj5X~z+H&|aRuRVlw4A+5=D
zo7;D0ZiZ+gMUrkW>GuCUzoY1-W0g#wkLPZpq*LlhxiaJK0n!bV?#XA2-$MWPucv3$
z=goUIYUI*iuK1KjO%R|LH1gkaSYOl<C?MTm#J)A-ur?h_JKy26?qAXeskwd;fVjCU
zip;B#q#x`h{!7IFH&2f;_APTiniKA_kuKs;vowBnLOz@Mfav20eD42NI`<x`+Vl;P
zw@JFxee<6hE2NA(q9?_j=p*T0kV+_d=J+w0@kbdij=={A6h&cKJ;1?H1GBVul6<=P
z9Z7Y6geqkANkjMRQYt-Z^*-ZLO1dG^&Ea<@Kj4l3%3ol=O3vJxw;rukuaku<JWRS%
zq}$E!Nj?k@t(R^(UTrTzA!@XU7u&KD%}0r)@+<9<{pYmvWg)0?-e&ajJ}=#^vb~m3
zOSK-;OuEhdUghJSKD+tJ7O5%cYW0E#oq2=YCGaNFlAFqZ5I)cHdzXJmxuqRXkk01!
zF`p~sOQs!j?4juw-JEI*ZpB!B0A1FMuaZx7H~Pl!ZgyXKzI=?|%YNwh0}L2Ch{Dj+
z0SY5omBRWU`RwO+GpUx_pS<6}>xU%2gL;ziLDPTy`(2rR3{&6Dp&#bgOZ9}{Q`k$?
zx@Nu^(A{0_6GiT(5d5B}Evl1|cgBuq?CY|U{h{znlLAYi{7mV`2jF-7ZRea@WL!{s
zXY^;cUf<L!F06Pfd!Uupy<a7EQGVa`_!Z}z4W2xdz0a)UDZkgVi)^I@D1h8-2@Lq(
z*~KX3O7!6G&phXRf1>eDy?4my%khHn8-x9EwVxpRHw?cy{Ql{)llU^B+zr3(@ZScj
zA1}O9HwyDdR+-64K4mQQ?C1AX*SsMspPc?=@?qch;oywwig*cDzDP0PWF+~>@9N&q
z@2oyrsPi#?wSRxAGK906wLDBa<*pbv7KQ(wj55*4!u31Ej-DZ(qt)k}cY5{-|5T5+
zU-Jwby;9y1rnQSRl%y+9GM~TYoKs}V=U+dR)lSylZALCMmj1+WbvuQ~5LO~h=F0p}
z!sigb7kl~Z<g+o0Pv$=9FnsRk_hsex0j2!|<kb}VxL**SwaNS>1f&(`k=H3$m$Be;
zoZqYc`D?d-M4WmCu?6|w7`e=m=Fgw7(UYUBp9O}<t1$utR!%^lXjaJnATD(vE2^l*
zo8o&I?`}J%--AIb%KX6&J**G!EtUHw;)v-FjFVnJjF9g5?fl-Yv48&gpt~L#E~ADS
zjYR5bX*V4_XKPixy*DeK9&n~pM)_UmXE&YGzf&rO<`Mca=$kj6)B9(Ns{8Gz#D}i-
zeS++RvV*4IHif>6c=GK$2Od92Kz@6Qb<pR6B0HE*Z8_&0pA13evs~7Hg6zZ6lJ3wC
zV3%WT5Qkp2P~*t~_%&TR?i}&#B>mIyi^};8_5P};{(YXN@IB!ment*rcjfo1H@Ba2
z-g}8#z6sYs*yj(0A1@3np>p(Nu&COJJ>++p-{g%i89y=OcPqJaAF3^o8Iz(%3CNeX
zZ(Nn%(QfEJ=RD+%tC?{uGp?I_Sh0{r-2lm|az`ll82s+v%kMdxd654-b?B)%7b0_J
z^_z>8IlnZi8eHUAwTtzE5Au7`0rk&27s7ZTFVhVum#S$M{Px0c#%1G9gDF?`?@M-v
zZw&d&DDmZybn-jmQ|>?K)O!A~nKyM~9K;OMNioB+E$=y(;@Y1fo&Di+zTW|K)2Smz
zUP{SF>MOrbe)NHJ&J*4^o0&i6)%R#YQ($eCccb~q@0@qPW!!o3VwmUj%N+e_lyfIv
zzc@&IQaa7=82p@T$DQ%ZAY}Lj^*^q4gu*|(?EL(uznl5O{&UWA*SP$0>g%@~?8F5u
zDA1v`BA3A;20!bo{C>O{Z<SqT-CHlX=#DS#GC;f+hR-=yNPFsa_%qBExjFc_0`}<m
zB9q8kHE$l4_+LNg%n-huk-}hiJX11dqguhgoAbZynJ*PsQnZY}MAGB$8PXm7#<~Be
zy>kzbq$=}&%|(#mGT}Z5LL+yO(7DVoBNr>vNoK;#WZEP%44_mx-Ib)7PIuFnnaqG|
zP((zKEFhq;7==X;k*F&I-Xb^gN@NicWH;VMfmNa_2&>}0m+#xD>U8gKpM9R+f7AnW
zx<2)u_ndmqIq!MTsp|CKY5N!Unj2SQfAKGC*}rVq$Ia9<7W>`PDfs>^>EY_WalB!H
zH!Sdm1>Ug08y0xO0&iI04GX+sfj2Dhf49KII#)7}AvH}L>hodgUV7?`?d!@X-lF2;
zwg+R9@{)*;hJEN|2s#dxe`(!_^esr2;X3cP^I_LteqFcSZ(Qgyc6bTM$M~CFNqNhI
zkEw+&{p&bO<X>86U{N5OB*d11ABfZv-r|s>LF;F0iOW$CuQT}AT@!~NHSqE3p01?E
zCvk4|UMp7}XAh)S{_B6&`-wyT?>IMm&f@&ZC8{6U|Gy{4!~WF;-HUd86zNk)cOiWR
z>2CXJeGfu<EYcN7JCSZiI*4=|(#w!ukMwq=_ac21=~GB|A$<kuZu_Hrq{kv%fwU9p
zW~75iw;{a@>Geo&M|v;PN0B~-bQjWBknVN>%13%E(iKQMk#0shh;$p$%aC4=^me58
zB7GF;Q%H9qeFf=m2cmqW$0A*Uv=ixOq)ydQY~dX$$2o9B(`884#A5G=9KUIxoGq0j
zt&J-iTTgB-%URPuG_^KHTN_(WQ0_R5#T_H1!~mtGf~LdvDV;6(g}l?4&6WJdw$)uH
zml8ub8_Jd&2g>P8>g06FY2>rvL~+<@Ozp^$K21vny|T?O6w|qE=)|LI1wWJE4EU7K
zl$^$NHckJQ{89RMkWT1YE|n-HoJN1x8!RM7d~Y~KdF@Pdc!@$Gu|sp%=L?b~M%oi2
z=_D1MBZc%&qm-f=2Z}|fF_{|~@w25W!~P#n*-y&03i7X9=*p*+a8Twaak=7;?ffYE
zz`n`+S>HmJ&gk6$fQX#U{j+%PqkL+je}nl;3tizQ<mY{*;8C5Qd(kW8%dC9!-!}pr
zkId%J&2O5{Zu-E!+wxB>bm@%!yd=&vGP3_?J6V47vzv*rZ@2t5UyMW0<_8jy!~CzE
z)2sRp`)12;{`g5uFtqg~ht=QYEZs_1+1J~-`TIB~q<+orRM#Kap)Ey+ZEE>#ewjr6
zwGg!OtMC8Ps{A%zy^8!czj1z^!>jXulo;E@=2x5F$Mz*iht1o1rggQ?oPL=859Xi1
zJTZa%Q<aHVb2Vt<SbAMm{(ktaeoWx2?+z=ld{E<jqAI_|Bey-M`D|V``Re{Vf&6Cw
zDa12V$baiS;T{t)MM&?c%AYE9$dyz<TkKc+hci@{e{WU(wU=rBwU=rBORWP!jkTX?
zouUu>(Eny7i@zH7(H5<iuRi}i<y{)cZ}Hi(|7HHCDKA^d%8wwvi2N_}KSz1Frk3C0
zljD(p8s@kDY4x{$u&b*4SC<YFp}1|S<}i7I^pBle`XaGl{T;-IPJ`y34LAS1{C}#-
zKfAA%KfAByKi&#PYULXKFZ#gD?mx1h=3lm-<{x{TNopDipE`f1bFN~vid+7Zs<_>b
zr94cn?4W22<-gekak1)D%C@l+%s>4Wt^XEw&~&_&{@;T#+x?sW=J8pp{Npdw{I{RU
zx#y1R^5?G1|Fno|w{oF7@4_PTwl+@&FD{~**!&mfi=7)6x<MqL7ttzZYN0Eiga0g|
z9&PhbnD6e`{1WDGc5L1V^F17!55jy&WnB{HdsfzGVZN7RemTtdcFf;~`976(U6?O*
z%s+;CgJXU#%=dN7pN08;m33m6@9&uZ3G)LS^DAL~pkw|b%nzdRuj44p52gibExydL
zaT}ID#If-h=GC*Jj={ywA9y&14xWY=I(yUae8q%+9#>BQpLmb*o#1Q0Bj+oZcM6DY
z1E2Mj%R2zXt^v1plxO+Gz5+fqsPghmp4gAU-JQzi**dX5(Ekf~Ccyk<apw{ma9scX
zi&S2ok(2CE;Iki4F3-A&p9Vg4nR0n{P5j;9%MNkrjGni{X<P#CUas=;jG3<A2|j*>
z^6$|(ACH6gU#VQ46%+rh@k3n}bL5#XrMpu(T>p2T>@s%b*)65V5a;`i;C>OVIA;>C
z)s9@>TD({E%<rH5#JSvtbuJfMIm+N}6~7$3dLQN%(SL{&#k>GBICl%5KVF`M9^2Qk
zf@eg2{<!0Zs<rNGuSIH~iCt>v{7Thy2)O%*@|B3w_-|>mJ;$C=9>IoDjCd{mamY6u
z(JqQ@J|CzfKU{|wp~pE=_1HZ4A@G?<SpN-m^n4QX{m^6kU3b)x|9l<(<vRQub@+Gd
z@aa1I={o$E#JRskZg<6=2>+dhi<L*g%|6EwuhlM5;xaD$_E5W=VLYLnGRv{f`1#;e
z4?fN@eqNXlfsdW5ykDdp=Y8Na;4b*}Ccjzb=_cj4)%cb$pETYV<_{Y03G=6ncZ1V8
zAHOob4jlLON8@Y5oHs1lZc}TN_lp+Vj|7iEJ_3FcxC`!rx0#+8^y7ZJjdz6kdB)qq
zJY)QwVg5ejr-3ilg0C{Z5*+t?lkw$Yey8zPa5$!WiP!2^Ux$4E-W^(CM3e6r{~h#z
z&ltZd%wIPCgD~fCpY7j&cbFe(d?d_I26w@2yqrqBR{hVc!`IZ|8|(0MiE}+)YgRj;
zd7UiyE8sA{a|!rg!56F9oNManzlAvaf&3|LB6%z1zfwp3(K`Icb@;P&_^*j`xl>!U
zT#j$}SVWskwd}b^9exOL@naXO9(#^p?d9~S-E3XeR7cOMI($tXz5(UBU(|BtZ&y<N
z-%WghbBNQA`Pa%#fKRjx%6*cM9KP|lg?ZZe;oxY<5#w(O^9zk16y{~)sE_&K9mY=y
z%fHw7Nnw78@#Dh$gT{{v^ACf&DA)So4a94;?}W%Nbtd|>y<9bqa}Rg~d<^^>b@Y6j
zIQNI?$FyB8fc%fa-R~&B5S;%One;>Ot5MP4fyaNS@;5;KZ{Q6-Q7(UTkFGV)LRHFr
zQTaC^e>m}4_j`05eiHOd@sAqNF(dyv&Y8s754fAd_E}d)PY?7&&kyVIp=Yd0Poa*U
zQPVS|dhBm^Tn-)|R{k#3^HboH;9J4J3LZ(T{3`G#!27|E0)K%x-|zVOdcU+1lVi~y
z%H!a?Pr%1v;8Ae%1Ixi1zz<S!ryG3sJ*wZHM-G8cgWJBt82C8&5zzB-@I1KH=ZoO+
zDm~u=kAmCE@K@js;8y>?fzQ5M>uL2li1wS=KGWc4pHsjm!R@}*f{$0pC&2UI_P0iM
z8i(C%Tk=|P7xLC#p96QmkA!_50iQZg>wgURzk!c|o1Q;|$H8q~*+3I6-)|J$?0f>a
zQ>CB3q|NeE=W4m8|2*(9@S{<m61WTgHt?&!8^Fyzw}Vfjy$*o<H^FDm(Q?iHPlHc`
z+w<l>m>zIz$0f9&kp2&Db~p+=U#0(a@Hn{jpH1LVaO-bba0lG%^C9r5En0uG!vyhK
ze(X--;y)*JTt5ptJP1DVDdqB=b-MN<`1GfhuUw=VZ2UGPv|O{pLV9t4?T`mI`yUD(
z2e<y&3LdSJ-$1-p{m&-O^>^;n`uqy@FN4p5%Xh))+CQ57T`Di%?I!+N@W|(s%XhDd
zKW2LFRxaPECeGj4;d1-Gp!}qT1nF2zoAb=azocBgvrPO%<6l-T-$^Fk4nA|Qa^6qj
zV-P%YpYrc2cHRd*3ohU7rE52VPd}jYlaRj;eC(^r<vX}^?Q!t_-zt~y%o6_-c>D$B
z@|{@X2h&y&-`5QP*bN<5%fD2A@ci$Te+9e%9{s&?`OYd`yWaG?6xQ>w>6umjIOg$R
z6R*|ozlZ$fUNI>#hjRCzjRme}WN+m+!=A^0Pwk^TLh}<JrxEA=*)XX6*5;Q!@Hn{b
z7ma{N!EHQVM!Z%%uO=?_d5e}S-<_m#C&9-KRW9FMB>p&f{}IaNJBY+*!K240m+uS`
z-<>KZ{jFKKe8-RY$>7mbmCJYXh;K6amCEHicf>CSpEzB)e20!WKi6aZQ?7FPP8{)v
zh>L$qtKDo||BQGoJNz1Y`g>K6{3bH#SwtCG&+G-N$Lx6+@mhM0fqcB6^5!?{?bn?t
z^7}fEE$pPy=8pBk=kMdOM6GhSki6sUH*dc>EqdnfOBWz-&*wNdA0HHX@{U#e(l-&`
zkL=ukqbqX9%D;|t7kK<cjY}==x)*%nLAB>X$Uh1my<Er9p1AO$$?vav1|a{M>Az6r
z%isr)VYxn$@47;0xXE!W@qMYi)?*!wVd|`a{CM6Kxuqy~J^0u@TJG(t#@Pby?ycq8
zxVyl3L3teV9{`_zK=n6+e++!eSAGuogm9b$lCMEN-=TJs?_SdNAJ&ndfqZ|~6)hIO
z&4N4E>3yAyG8RxE!FF?ZDyQ&3j-}w^cPp3QexNHyfJdKmMb7MSis>mSUkrPm0iJ(G
zx%HDS;i4k+&-teR*|7XDc>fQS??SFi!QHafQ+|7ou3cM4|6P!G##E2RMfZWvV*O?D
z-nYOf{#Er~f^we#pDHPbdv=}yj|{5*lOX?V@R|3h{Nr!Z3$F-=P$1cpD#q<Hy_d?X
z_n`L{!5a$7|AagzgO5!sPl2xx9#D*r>mWb-UhTJsF3<}Z@bOt!0CgKVM!}swxN=VJ
zQI5;Or!IHpyj8JtBlryZ6`jiQS^5yc=V0<E@qK9@!=7hV><K;5U+8_w-}0u6yTHfp
zQhp@r|C;EZ|GaE5byT+J)F)Kl`uP&@armnYDzzW@jIZ|jH2B-V^U!1VInngosPa+B
zcbcASwOosnH=BH)j%)eOFy+aEPp?pU`R#S$mw-DLDM$Blt_6>O8GMlz{Auv9l-8$z
zf$}d2*U!O!zYX~){O4&4_3HEBlT~(m34G>jT7UUYA7`Pdg6%x>uqz74UCXfyJbIZc
z=eH<!jsx%KA7P|J{suRtEhhgd<+KeV$LZix2kU)NHRRX;K6Z@CTe;_gkAG0*<!{qb
zj_u&HUvnkD{_8lGfk*#EiOu`>2p7@NKMz9QLH{(r`a|%B&uV?l&p!vAZ_)Z(4Q<bZ
zM?SCR9*K6`gB-ZsOR(U>gi}!e4=Qi=KLvdH-;_UucI*J3=+OGeZ;+G1^T20d&z&eF
zB^)P#WLq761@uh8Zy$*~H-Sf<c7<HKKrh@zd|!SW8vAuN-XDOx^P<XsNyVKXgHNT^
zZsa!Q_&Ip=6y=`--vu5){4fUoXW=*rBufr~f4JTi`UI{W2tI>;ct7|N;O=L%T=|<|
zbgc<|I<I^T^4;L$=et6F1KvxV<C8m1Qx9+Pi4XY+^dIwAJHZ>CRXvA8&y~=#?6`Iz
zrsw03pZcQ8=VAXxA^$m)yAXPQ0{QV_?I-U6e;&O50==&y_+P=t;Qy^YdsAR6^B2bZ
z5|n!|xO<%HzYcm%0*_b4C#%4nlT>~O<YVAt_q#%DU7RvKh!bc#OOE$~&z|ebxq2;H
z-w|i~-`o<m|DBMJJf`vwp#G15PmU<JvH3Ib{5G{uSxRx7*TAP=Qu*D$m(WDO_UYfO
z_a(mtPuC6xkBq7OU64N>d;)eRv&(U+$^X)o^Crbk7x>s|s^8+<EyNpW+%2>HdB}T^
z&*S;XS>Rdl@#j>}JHU5>_kY_J@(u8t!N(APUIl)K=|P+<e~Xr`O@TX@UwR?`ZSeSQ
zu8<4Ce*&KWm2#VBp9dfFl=E{kKK=;aaJ#n4C5oNJw86#ppNQ#wy}m#%ECrv%xO+R~
zj}(rRK(ZY2<2SlOKL$N9)Bkhj??j$;;PEdg9|F&T&wN?=yTNY&&#%^cJ_LTBaGV5^
z$00wxMdhDbs26`(NB&jFM=)M!J4KEIDF7Dxd|LIK0)7N|{}rwflRp`J?4ML#y%7D~
zVep2Jsr(txvliTiKiMC=4?KR0wwL^EOuDw+^q_zCLH-i(@!xB?@*5>|?JDq@54j?F
z4dkyi{TRPnz;6NX|D@`96ZqXGzexGF(XZ|UpS)S?DSrc$@;o7Y{`+Z9o1Sr%m%rUg
z^8W!o=Bs|&*LqzzDiKKbBL~avGWJuIxAAy5xPx{y|NnMyx2nBXfakB$`dIwGMR=e<
zd@MmevbUD|o&|d0gW&yJabJ+X0eq@z9DNo%|FA2POCWzg_{>4-ndNVO(Y5b_Pn@j!
z&EGy{`kS;q$3o9<h2tcU{1x)EkRM0=m(YV1wr9g3s%P0k&2%t$gntB_jz-1KvBGf@
zNKS{m`_Hb>VO)!YPl9K`2f-WQpF6>e;8P!Uh5QBlO7JM=@hic<0G_`^>%R{CYv9wj
zxk6Il)8G?-Q~oY=l;?~euX;{|{PW=M%W4Pt8+UZ=FW}Qy|5|*qTZHX7|2R}Qt!FQG
z<>GO$e<S$BCzbz5t~yQ(Jbr@K=Th+Vz#HIa^5BEQaS})_5l;Kt*Qg$HcXC_@9<3S|
zp9GJ?54>5$ojZi%B#?YnINjI%s$YJ~k*<FSeEd3>&K##l{&k$EBHG_3uUC6s2|K)K
ze23~W|MoI?^pCE?$6pso;_P!I^jxEQ<ZnCErQ^USo^eI+7!`L`f%iYF+{Q~g_&DO~
z-5{R;cTk_tf?ohWjecVD@=oyh4^{u?7ifm-z-P}>UVxrkz#E3!glq%<7vmY_yMsRj
zKK)@=NDKIr;F0$$|K0+<Fatg|tGq$6vkN?4)$X&xArwd!zfJ8t{vT~ZUtORV4+Nh~
zD}Nq&P5^hW&~`Z#^6SCl&$%L520u?YG6#|z<fl+iYnPqi;~TWxgBEJ0ag&FAY+n8}
zc>m)nZ|!~;c*6n8<!{rIs&APd>|@B^;3ocz@IVFe@g>MlUgHY+G4AVi@R>p72Z1j=
zO6@uJ87<ew*IU6OCn~4xa-0Z0js9%w{WHP)x33ntvmn34^grwhF~5`scaBm0r$PQ=
z@bRaW{|5YW@aU-W$G~p^pMt-&`rIiTLV@I)rXTU`GF*EEJib%)TYEhTJ_EmM>z7}G
zk3pWcx#ajy)8DIlzPnKQf}_>W4d_3%UT6T%f6x`dFQ~Y41b8%~{G;HFrssO)w}QVz
zI8Fk|2I8`wI=WrxVqAN-$kTh~@IUSXz2Jj8t=f+A+dXutARL(k$>orDzv2pA2R(P1
z9`t{^->-nrz`r#?*TdlbRq{`md`|V>4*6ezPyJr`*T7!}&sVkMB67SOS40rs+MKvI
zakkHmRrWbT<e@Z>oC!UXKhyTT4%g1ABmbT{{6gYf?$LNJdNK68ANr$*s{RD{$HAxX
zc7?13|2(*heb)&1S542?T_NvBKl~y1Ohomc5BcYa^Zw79tM-3pAwPbG%G0)(9B(4W
z#rB-RK97Cx;2`kGfcBqvqTJ)aUCcY{p{E^uGO7BPFVG8{z{jx9@UP$r@YxTzBDf2B
z^58QksGc*xFEaTXRNm&PD}+NRkW4^+{9%>1`~5Qb^v$aOOyrrWqvuJ;&%#e04*8#h
z$FcspAN+UV6E|tOt8l*yk5fB4-&Jn?_5kq7CbhHqpJRygenR#4Q<@>~V&7~z$~_%?
z>^-XA>e(S2LV@HQ$WQH3d7Ed`;1P_Ak04JOd;<OX!{F}+&)=zft_J@n(}Vs@+XZsm
z13vwn+W&6Y=d0i|XDYXT@+0smtb-nco?n7D;5p8hz+X0b%tvnre;qvfH&;joe4pdd
z|1s~F{2|8wtn!DyNi!S;-hj9o*l7lL;oq)>{xgifL+|T5;2Xf>SO>{(0MfOz@kd;d
z?16o*0-vgS-f@%ZubO{92R?~7Z7-Djb>TP(B-4-|tJ)X+6?ntfT#<eTd3HNN?H2#6
z^7k&%3rB(HkJbCN_@N1WBC33U+}9bzBhVR4)<Zt>DOa$??dJ;*O6un#<fp!=@|#ef
zE5O~Vxc#5N$Ie%IxHspHI{Lo``EkU1-$WH2A-?azWzMVk{wJ{Wgy~29%|HAG+_^=|
zZAOM!@JLm^a!zDB&p-ATPV@fz)o)mwxdMFrKGpvcvaT_C?DLp^I1fCsSoK^A`3(3N
z=J8hWG2%Sm+4li$zPsA=T&j99Xy3cQXAyTTg`Nk%`<JP_#Sf2~JobA>ApdVBf1mcB
zt<e8F<9Hrt{_}P43G7dP0($m6N&D?I_TRd}4+U?yN$c}5=wAUoj`?B*<U33c*2@;J
zc7sn`p!GCAb1rxse(xR7GYH=Qg35mqydWGWf#g!iPhotG;@Y*~Gt;h+7s2lV&wpRJ
z`QZn_XYpK{hPfO+1n;kkyMAu+JJddpFI4$IfyW130UuKAEG9=Pam6=cLga6b(x-#L
zr<SOmKSTZ~@aU6jhf`qxQ@|t3l)ni1Gr=ABpDyq&@QDXpAyM#iP5&p9?+JbZ_za$#
zd=dN~gySTTTnqW>TeUuRzqf*qXY{`0H|!|i1K?52%X*dGn=*cw>gj?#e*_-+k@A~R
z_H*F<KUV%M`19cIk;*qi&+De=53We=zCbf9Ia%8!iuZ+l=y?mc)1Won9|OA;eD*@s
zZ*f%2^jxRh`c<EBC=DdTknjJ9>bLiit^}W6u6nFL+y*{_{i3bVbq{g&KmGV#%<16Y
zfc$t?_3-x+`FIN4#kzZgV&`|@arA#WmE#rgnUAWTPeaerM)-}buE?FI;?CjVF6y}i
z{8;drpR4?7;H$v%RrBl`@F}#r_2-S?{a;o+CFn_lH(aCROa7KHUAqK){A8`aJ!iiH
zJo1q0IemdDx(j?ZrSjIF?*|`4`_7`=M~FAj`y>;sgCLrG7xLqS+P=1)dJ;T}eWyK;
z>)*jAA9aP?4Zhnc=$|(#C-)-90pLzT^}hx6KLmW{ER~1269IRBqTKpt)Z|}Mz8f;E
z25*4hI~u&t<VRHA=Hh<v{$DD$=PASBlMkyse~Nl;1E0b;IuiP?5{{EV^3RZW;jc{o
zesBlxWoha3ezM7<e|`kIo(7LB(fa%j_1PsnP#`|O2KlkWRo?pBo5+!}KcD`D@*hC{
zEyCyPi9+6aQRSy0ayoebY0Ax?^ca8G70Cw3d*G4xs{GgY)eBp}8-AejZ-)GP!DmL5
z-?>mPjDtrJe`X+mGkE?E)t?5x1AO)&<rcr)3qC!j`nwirhR47on8$5?e-eBO&sh?X
zpE3TT>iG-m`675jQOhks{#Edag38|jz9$7v+%6L@D1Vn$$2k<-!8&3i_;Qo~mCEmj
zay!9iAJlSRgM1(O<o8v6J$M;>{5<9QFa7?Ca0msGyCLr$sQP!}+7xm2C)Ll*zYqBd
z>@V#P`CowdV_e&O{YUVz3tW-B2=a@X)jm@{)pCol+fw7GPY>*HB)Gdq^-RG39}7N%
zeNl^t&jfFHLiJyTay!At{#|(i`Zt5my2`hqK10HhIgnfe`TV=JJ{RKJM@;`V)zbkz
z9|!OM<Z6-J4F1(R`k#dSB;x-V7PPy-XRp(8-->d75ANQp{AKVxTi_q!${)l19s}O+
zRpozz{Hfsmduu%}f_$%W%wH77%i)1f;d#@m;1_~Vg6{?X0dObl3fT;Pz45Ab*6rZa
z&03#-g#0A<EaH6XW^z0LK9+Xn{I80gAApZvr0sGA_zd{W?J95k2CslmU9J2D*kL#7
zU_7qJtKx)Z!l5*foDBK=kd}J`uAN#(z8mth*f+4a<s9&+r*`-j`i~Djj(Pl#;1`2C
zM`*dHfnNqbhJC8DQJ-<}sf$&=ty{lDoa4HQs`rH+hWzwjRR5*W^Q6fm4qOcWbI4DA
zT;;pLUjXla(iQS7?EEtL%+1OVL;aU5SNl8D%Ku$*InI&b@d?%c6Y#f#&)lH$OTkYA
zpFq1?|LHRhdFlpoc;Hj_sQyvZbEnCdlv{g!fH?2>HdO8R-U#{0jVixuf$F~<Jn{=y
zz{`rA&x5-$mG1$6%=Db0+}34JfzKk2`Y7a|10TQ06|xHDz69QXo9a0fes#eLwX=(T
zY#Vp`g3n&1dLD)T6TzbxzbWw3!N*}Aiw9!h&fiqe$&lYfJc7@`Bn|nQOI^X2<Ki~(
zezYUqjvOBZpPF^$-1tA5o;#FZB3J3_Y2ePV@(W>~uN%Kj`B{+vSMdBI9WS?n|IFmE
zj{YY2Z@?$8-uyiHE5>h9`@aPKI=K6!E5!DN_BmDCCB9AhhtUs@0&jqS*bjP60iQ&F
zu<>{X_!Q#m10f#=pZ<~Re+2w|)AJkUzeKqOa0l_N#aCm(kvWij%=BQsJ`vX@!Kb&Y
z9X#-dz$cDYz8U;G#;fZ8Gw><Q<Htb$1@QPP)$=^~f0-WacO7zoUf6x5+Bv#Z<$r^5
zu?*bBKH+De=ScAJk7|GT(gMBE0v@?l_1p&eGmK-us2%()@QHV+y!nSd@cb37NS*+B
z58VB<^7~Ql1>g->|Gpjaqu?`$t51OZW#AKtm-d1D)utz>`i};`349jsGkgjB3&s%_
zk$L5K0DSUudSB0ge@{400?BibZ@5V1M{(^x!Sf$eei-`U?yI=H<{yU&r}xLu|E>PV
z8J}<^(+$YFk~r@hSI52WkdMBi@}Gm<;=++RkZgr~9`?6=lI`H`#ajOv<oN*jG@duz
z2YwxR1nZ;Sz&~a3Bd!o@uY15JN3|c?y#FomD4wU-eD{6gJii}yoc2I;bLVNuPi0j9
zl_>Wm<6lsI0eAxqe2$BzeyV&8_*;py{s!n@3?3yO!RKId7WB;C?h1YZcD?|7`ZcxN
z-@psde?XP~G03}5sl3foSAyq1q57lHa|`(RxysLx(jDh+@Ua%vvl{*Fe(?B5RQ?+9
zpMXz1q5J~qf6@3+s^>N6f7$e)y=)%bhc>3zo(+$yd?(}&CeHSZR6W-|0rKOYQF-&{
zr-4s`UkyE-#?Mpvqfq}Ia0h-V0(lSIHNOEq4BqgJE96-4GWhg5<u9Y*uQU!nb|K_%
z2cP+l$}a<d7<?S@|C!)Vf=^b(;lBZ&K>U0J<Y&R%XZ3!60{&O<nX-<TOTiDN4NSIw
z|6M8{0e?IA)SfCox<D_iCC=?~b5-1XHsr^jbw$wZGXOq~?{$tq|0s9_@w}~@J_J5l
z6-QlT`ft#B9*lOp8GH(U&*HATnA4a38@?5j5|^R=Uxs}22U^d4QJ=@bBj}&B-66*=
za2NHo{`p7Y^Z)MUtB~*igw}Hj^!y!s67$Xr;7iXy|9_v_`KNG9t>EL2svZ~jyBd7*
zVOKOXLeIOvCwi6d+D$KHg+nNiydUyoxL<3pkAqL2r+N-Up4-4@mTEl@0>2l$0r8v7
z*FOM{d|36+GDnW*gySTTyaf62@4G?|#kB=A5V(Ij3)K$YXve+4<L9fqwb%Z_kvWjO
z9r6<xkB8veso*nspJxnwE%;QUmOBX^ucLpMIDgOa_^Nf##dYLwfd1KAT+#d{=y!_A
zL^kUe8k5eB#7M@=CkjQs;1x@WjPDiGBY8@;`a6oDs|9}~w=H-%bd@!FrF1FdZ`MC=
z@1@cOKUqpsmTY-sz%SGgPYij(iEJw4&%ZX1$tAaXq&1T$cmoALu{B&9DKDQ%q_YqT
zt4M@v>Ur^=j=sKgyv|MCvA(X2-JaLj+Pu6qoJnqh>QpYILl+9UOvX!RQ~Y=FgZ3(C
z16LZ!h^5Askiei{N)CIeT(Zo6Q=e6&lZjF;Yzh?`%;dIvNh*kKmZO_0k-8ens^$D_
zs)ke|n;foLOwg<~@`-jex>MU`%`MJIVyj=sjZo)F7D~lZd2o<Edfr*F9&deDZ=dHm
zDZk(krHk}y30`T$OJ;Iezv$FJ9@)kl%H#$T881b4DSC<Ws6#(NKpn8;ry5tRq8+rF
zLLUDZg8sCDN2V?8aP-FzQst469h4<-MrKc!LZXRe(k~WMelbZE-`Y-Tyx<r8Qjt%#
z@p*50DBI3Iv#_;ebl6YO{j~deGPR#g?pRMZR&)}6k%!2TpCujZI?h?s(e1@HcK7x*
zHmz)Gbp|p!**=LvDxDq7(Z^zm`!fTt==&*eBw<Vj4eN4}KG~CGW4&kh#nv{ibdu==
zYssa2P6|8nC03Oz6})mOoncWw!^ZbV{XscHWeN5ArM8|8O-<|kLe|glJ#9{8%D(o}
zCZ{b!<110}t7JCN7%%Klp=O6&fL|hIJE^^?ZT#Xou4SUdE9JMQJ+7`ZT8stGlKIua
zGpZ>6o&<Ggzm(!z^zxL^$<uFGc;)P1dXx;2P0|pdOIt)0U-t^dgu|LDCz2tXET+8V
zU_vennQKSQLKTxNm5R-sRn*BfwqRAoQe3f=zl}OpuvUU<RdtoeIZ)NMxf50qswsnc
z6>ZfFs3>%4)$&j#XJm=yXzR+xl`W^Pbl6hV7~T9cBv~3b>(32*PAC0r(NC@3!8rY{
zvhQtAmxgoYlGoL{x;rG>P93<A9w^fYs}irsuFZ}3<aD=lKJ>;FQK~>OMHR>ulfwy~
zJID!0x0BS9j~jcv*ruMIj_y9My{pHIxAm=ch{fB&sAuDb&R(x$L!4Z)$fyb(O>6wp
zTKe&nzQjPrkLBn$TeLq$wLFieryO}&D!w>KW2sb1XNS1+m(pA1Uz&o_TumAQ@vin5
zb@CzV)16d8XC^UZ1E4g*GG&?e=5)jhWZbsGP>+9MJVC#%VkO&f3wVFZO#?#z^{C<=
z{a8$f+*}WN0jINf!0F-t`=a!J6aC*z|F<}ublyqlopjzw=j=tqJ*CJ+Is=KKzoL~?
z>IZUcN%9kUJ5BjGCFfLT_dAkLQ^_ToX@}@nV)(3B9`J@UdHFn2&Qv}R6>{6{&RLFz
zWQndfri+CH%~_1L7t$sAF&WBCosN_jhZ9XmymFp?AqKu9Dpx3ENRewB;*(|-Yo0IG
zToFs;(<CM4OAh<w3CpFym3q#dF+1eZ6rVygfcX&@P%()UaAhz}0m}Rgg2Uo9C$Xm1
z6}4x#CK_e6bFAcfs74IYL|YuSFRW^<ccD%h&CPXGHMi7J)!Z7bT}E^3@;Vom*UPcI
zUJe@fHE*zaMZFxS*2_VUX=<u!qUW_WFSJDKn7t)h$A~S>r`A!`+Fb8K9kaKrs8ijR
zQ|ok}mX-C&SXJ*nR@EuIHCm_e=6WV+ZK<bfd7bLEN^n)9Q@5U4$B3<~>fGS+raEoD
zytz(8EvLQQnr*(kb(KR=Tz+nK;*X?D97<|X>t!h%QqN%*Qa*=^b8$Ag3J7D(P!S}(
zn!jezP4zlYQ%jxpYoZYd<>ub3EOm2pi>Yvx6WK&&$4(#BtbL7tT}(WtsZ`fSIJ9b-
ze>F+oy|PvbU#?n$gf9jc2i`EvgjMF#@`DQ@%b&<|bWBs=(A=^wTz3lCIOt}P+82UL
z7E_zfCdtbe{m|meE^=C<GYHmojDKO7rclaV@<+mj&I!@{n&;_<BGCVr$hJTL-CRQ$
z<_ngJITx$KP|a2Pe=a^O6D)sujq)q&OkF!>a=dP_Ziyv6hDsunCbOb>ajCLC3$_HV
zv9AAV;H;?QVwzg&c=jf8N~*i6g7te6s$w0fvb_+#3z3?01@o8DDlq3nOf7GLc;SAd
z3(G*v=UL(YNWQcK8xI;pMYTaf+NwH44RumzxRom%F{DZ=7VIpw9T?3_92U)Mb`9XX
zLSnl&K<jndjH#W!x!I9H&fTWAgiJr3J#8C0ypHa6TI=h=-#&-d+9}6tKc~BGLsyKX
z0#~$Ayfy1Lu5MfJZS3sq?dbFR+E%ac@SIp8ljP{XGgsh6xU-snRI!I*_af=Yqz95-
zvRIbYzZ$$~!%dWW{x-6*l$EAFzSDQQWVH}Wrn_nN6lx<{I*?$VR!AH-I<)G*P5`X{
zSEtGMb;n|Bz18bC#@2bgUGx`qNrKiCvfSX+#HJ$km=aYu8%rlv`&0x+&R%|Nve?9-
zJ1^Jg6-YcMaWgH#c)ifOgLX+q=%zEy>h<S(9emlRJ1u7Oyc8MqlEYhFcg^~))iJNR
zv86G*V<laLc0PQ6PNunWIoC8si}QGSU~Auwyzf*mYgnLfB-O{;bzLc5DV@`{VSO)5
z>GbHTa~-YMJ4rW7Z}3Zr9@^8PpRFWmwk2KN;*j-tEf_AH1Y!v;pEHK{O=w?c#Pdh_
zCo4&+obTJvzE=7x?T-|a<dTvj`FYC9d2A`lI)(dDV8Jqw&L(L0r>huGP*uc;U0M2t
z&61eK>nRRWLDFViL^he<5!TN)NKID}q7P!0&51%f!8>tMR;EZTE%~eKC*Fas_zAi(
zngZu{z~UxZJ;eqSR7<uTH8S@NKPByyPV}X>ZX6us60})jI(_$Y_w~B^Hh6Q}X?+`F
zyqP9TW2#Sz*7xDt;gwt}z0ISPE!-=6x!kz2`{VErePU~IBr!?>ZWmdzJzbDxoHtCH
zQnak%niOc=ohs+G|5hfJAsRA;Tn^K&^(wMAjkWMLBpeQ$jSb?#B3e6iqdeSYB}@gA
z_v5h>s1I-S(RJ=0)osVs=@?a&w2`%{P4@NJe6%myMf+~fNIFY58T8=1Z_Jjd+W1oQ
zP_<|*(^c&-Y|M0)jG0S0)IR=JkCe@gaq4C1!5!RaaoVd*OJ~vUpu5)dx<W^mhkO_R
zifoyDgVmy!c0LnB#0PVF2WfT;w1dq%kX@;wGqRN?yZP<R3w-hsT!BzGrxm%jaj{kr
zokcA~?31QYaa&k3X)^<`mt(iKo@Rd<?nOTD@r$`~fkHWF4LR-k7H9LYLt@uZ3~Q!o
zr;w|<kASO@ElG#RBbVj0cXYOGTHoh&Y+2jU*51+M(L~Y#cix@L#>h{0jQX9$UfnQ9
z6fi=bG^d*vGMd=Ku_<LRQN0qWaGj`pDvd{hQ(ozna$ec`iv?@E776#D%Dh2+lD9zE
zJeBHh>h5~irVg*G-Ra<|sEg{SQE0Dh=#y#H<#+NnBNgqeZR=g@ZD`x#t?%e|V!Ss(
z9XORvNq;KRG}!HLuiY)oLb0~Kjx`&5&f(T3mzqv)^-HUDmN)Oj5ib3PFgYl;3iWYz
z&u}{Ov&CMlt4+pOF2BRu)YrMPl%s!}RyZ_I(NmTktL1r-vw_wvLq0nU>%4RO%XD8n
zk74*pIk`gRY0#YGPgHi_JsvvZZ)C4sHw8C!Z|d!6r{JQG?r11H!fiWS`YzuHCOPy0
zX=J%&YrG=mCm$J{<k<tSO>uCs-p@)Wj?t!kMWgy&c1hgDE4C8V+B%(W9GE0Z<$~|D
zrBa;~JoM!#LK&n8#b*c0*~q8MG{P;+ZiF}Hc&yGh+gjP!5|1v0;I`)93r~CqY6{sD
z-5Hk?90KS)Te{}z$1w$u6z#xfl^iYB<jyzd#c9cXZP0~~^jc?-p4k+uf(jZcteECv
z_Ih+9GED7;0!~aj_?!cq--;@+o}NI6n_i!$r5sI%)E6kC@ik;4i*^=Q%j_<Dw;ZE+
z-YA86r4_B=LCl^gCeImkE?}ecJ<ju*WUwB8B*71+5K;sJl5*1uaR4i=*|CZqSV6n>
zzQkpGvwksFDq!f?@R~nUVi{A3PGt$I{en85bP0bnFEdM5k;bExNxhjb_7%!mem28B
zi@cE<d@g*g%*M0>%iF`ee02g5v9+=;^@2`eF4W5S*{}(@k5cSq^GRFMAJz7TF{nRl
zAF?$_%~*%x)>48Wa}96x1{3MbTp1K;NFdI)K|YOV6&R1@;hLl$n!nVJNdA-kCXF-l
z6XBH}uSs<;T7wO)Y52K;IJDua8HapSQbwzcFlx~aev0ON4z>!F@V&@O53g&Z#{ur#
zT_Cm&4mumNL5AMJB~es5Eb&c@=AIHg&Pe&a{t!P6=1$#_8LW7OzyR7<8ukmD=+T6Y
zA*bBZ%zc+!1>a?`EK%M`!z7a~`qD{gXPtWTAkV+yVb2|dLQr<lRDO}IQ%F{uht!iz
zDvO-nLWWADR|Tl@Tx_q0PDIZG+ho&6ritECp)bex>hNgMSdB(&qDVJE>#I;#fDt!}
zTkhaVNt_TBjCqOuMRGe0UPo>sY<_-XBH^>=CkHS#dMV<e{RHVymC=FjPikqU!^4Vh
zE9fLvCyME$%sb(H0XNHG0h^Tk$(G(sj!Z^6Xe7wmMsiV2!!JD`B#?lY7B}>)3}%9P
zs5;iD+;g}SknMN`XPcT=dK4guTSpsp(G%xU>Mz~p5pMUsbjluQ@hO>$mu2W}QY0b1
zRcd5fZKw#{y))vE6#W`21>Mj?oy9)VHKf=%(^Q;T%`s1If*(<mjXctTwhOmeJTXL5
zq>dDF)$08bCsZb0ib=F%iX8hRerQE=g6tc{DA?v21${@Qso4?Yr3Jbd_MPGK#WXT#
zWG-a8B-5L+WqMv}!}lC|4F(Ot5vWW)vC^n?nsT8)eN_7nPc72&=4HvQykOBqJ!$UR
zh>4Up6SxT~YXh{Cd0I+YyR3n6=RGvb6jBa_pp;JryG+CLrZF1p<eo@|+O`thb`{A<
zZlt(a_kQ&%&S;I#bEK~Kd0j+T(R;)ISdq@<&00*vy@{v1fn-efGk8Q+IYf#ay|(pT
zYr1upga-{-iQEgXL$G1SI~t_|O_Sk<8LAHNssaPllZKpBQw&djR6=~c1-1aYZf-QX
zBQmHi-MWgjqD!Z!_oT{6YC8&n)FPPowGnAS;5%G@dS=_l&#dJ>sIs!rL~|KAuMv91
zC|ql9L5}CR1?l-|wrWX1gKgd}Mo(|2*VEhPwYT-PNuW;^T}?AzIe#`kc0D_hrolbp
zbBB<HDXp?3D3VS@+PHgGmZ&08>1Ra^`>4lK^9`nlDl3r<ZR=>&6x-M?J69C5S0+ap
z-#T^5l3#8V4Hg8oB6SV{#WnB;U29-Qi0AU<3{4YMk|TFT?a`OxAV&MSj45sf@)%MT
z-kG9aQOcDwfk*+<15Nv-bTT-WFtbqTLa(537YMfsnXWrmp!FXQQH|2H%hD?{p4F|g
zSfpyq?e=X*6t@P<fpCJ}JDS@q!Qzk>MB=AM>E$Y_`n+}~wKA`0U`;D`>M9bZ>0p;o
zLw4kb0zE&xMdqwdq`0}s(~TsgH;Wct>~n{sK~4sa4b!eDc_mwT$jG2|CcXB7SgNw`
zSs4;E6%7`7tcY27Uc-i7o6OR44JA<oTMdy4&psN2VpA{MwQW!~Y5REmaMVQq7c0Tj
zwx;DCxofNvsy13AwuvS3iGg&6)-$xol5M1JdMBz#FJ5r}sCY~n*#x*ktEs`&3k;V0
z>i&YIHhPOhjFq7@w?MUx7rGyQhpQq{<#hNh5ebfxycVW~Ff}@da%6U?kmn8Y8%^pR
zJjAs;BuY7nkeoqYd(2y-U}T5-by4=;Dl?157`$d{*Y$>sj;gW2U5aZ)UMf}0*^@wR
z?mn%7`0>#azZ~YVJC+Y*N3<t(OL9@c%`|#pO?pseMy)y1lLl!_vKQGSLym_wk0`$D
z+n(u4_2p<;MDq;yhNQgVk*D2f8j6&Q908^l%z+$P)9xj`yUBB~mQC(DQJlYhN^3%T
zX|hDIlo+2Tl_oWPRd8FR0i`Sb;8r57+jJfhw}yc&w`%jZ%&;6^W9=8VgG3g#Esi;5
z^@`RQ?Rh&KD9R+Q!JcfpR0ce+^|_^J>rjSmiM)H*U$Oh(4%W0nde~6FA=r?W{kGzu
z)4}^@G%6A!-MLaH@63vB&N4u)OBSYS5EhmfrqrUemgd)+5D0Te2+ryuD-34Jw8zSA
zM~@x0krS5!io@x_l9%CuLID$xLW|ZY^cOd#JDLdSs82|1mkM)()$USO39_fekNss8
zA2tV9?;LV_)_0|PxC6E{c0R=W(&Q_3qJ0~BUz6T^)7ruuY<8`=%|ppF56`}wE;%?W
z--`q(foDowN^NH*t3k>|uaj-crpe7xKUc4nW4|RWLvO{-pOfS!Y{je&!>@iog-s9X
zL^4I{o`=&zdzIJ$*wE2VF$zC}@_PGvxc)U>Y{Ph{3}Nma@|08Tv7KHcljSw}Sa}(l
zoDM%ak);<YBs*H?koS92G>P}jMfUWNi|6~wo+eGeGy+(2rYLQpj$v*iJJbX94QG0@
z)TcqVmEKcS>v5n!MORG_G{NywAHG~CtIAdyb|csN^qLw!ZkZe0u!{7``AU1}4Ut5V
zHkSEiSPKDZ+|W&ND8f5|9IiU*TJYlQMsnja^te}ZkD*|gJCf`h2FIL@3Z5Rj6CB2o
ztzuic?8QA<A4n8bqurbmwtH&K801nbLy4y)zDZdyV0)KNxz&296LQ6z4YUjy+#v&%
z9vjFbi|{Dp49T?4aJ1Q$NzmI7gA}1vR^gH-S6vnJWO&-Z-Lfi}>?(F-Q)oJARCF^o
z9d9Oao#=5S$7V#}t5{FGRG?X~NPXe#1g%_B4((;o^B&#(nOp4B8@u`_nCB8QGkM^&
zKAPjFU0g4j8St=3XT$ZmAzA6rB4CJoCvC}7(c~%FRP0*0PS&(!7+pBfhpG-q&w^>o
zaH}jaI7>w|P`d$s2YWbG@Wd@p;8b9@6nZ-1)QYC7LO-l+!fnQ#&)=?%isi584bZDJ
z;!t#;4bfnyCs36yU!Vtj+=bc7+$1)>X%3;Ni<^{Zx5NOCMp<KX5h#EcJ*wH}$s(12
zH-Drz(6Hx}YD{Zy-NBgW!aSZ$YCgmkH=g0m4jw9VPl3f@R$Lf1QO$wo6XY=Di4}jP
zpn7{c5O~lO#*s(waDwAD>5lv={Qsg=xHdNHlHH{zbWykD=XLZA290!S2TC9EbD&ER
zhAfQP(mnKOl${zcE4@uL_g1<J&n;m>n`+vRDUk0f7R&TX28U}@Xl0EeJ(>d-dNf5`
zVvRsMTECQqE=}2UF@RRUo{Uy1p<9r1`yk<{nZ_^2h5Q|#aQ~zHvKHlUa8Qp)7plDj
zEiCveA#_FEF$N*!t8#bZ8~MhQY2H`BnyLlwQc*ABhv;>tNqsmJcpHOzAGxj!z0^W4
z!;i?@8d1DVLXl~Hhj_$xdV0qbJ?%_|*MYJJTMRv#&@e`vxjGOTIou*TOUT@!lc+qx
z;sqpk7=0APEmTa{{1beif;*H=XSAO!Z+ui%>G7V8?VDos{6g00v`HiDN2vtsj&-(S
zg%OAiSfSL794_@YTLkLc1%ZurxLF(D9A5S6P^HRNw!H}<Pn^F_rHeu?qJws)5q|5|
zuSDSFtLaN3<~Mnv&9CV58%1Yr^Efj<U5RCQ>z7stJT|Nvd_U?EZEsB6DKANf$h%m7
z)jjf(n!qo~Rsugax7npV=NF|DW1w`5@?wt1W+j57rAH>MUzA}dP0oN`(C6MQ4|Byw
z(<+<#g{?4cjPPx9rQ{`dd!gO#mHI5*0wxig!ep_C4MuE)=s4@*SBtonWQL;xSnu2u
z7~b^=k2CRoL3c}UD&(^Cg)s@hW!h((V3Uxxc<C7mwd35d*KHl!>Y)BYPb8&gvRtRJ
zON}Hx#Wv;O_i0Ln+vg#|J85wJ5~^bPK%0_SA<;Osl`%akqaI5o(c4*66;i|-(psoA
z5mUAS+nF9^QKVe-d-Hx$dM}UQBDX$gr8%8nSCWZJw=m^)U@)04$ocT))wx_|?u{0I
zG+njZ+f|%12{tw<tU%-_&l^&HN+QTX+5Zl=LJ!$VT8bPLn?icNG&U`$J&#_%!Fz91
zX_k|2O5ZoDH`7V?oeS66{lP>z!w+A0AuFp=i&=_n6a+!A2qp&U84@|$Vve3wl8DR*
zysa4Dw3^<Nh?^m)mj<4Q*L(|v>|oC!XfZ=pCEvy4f&8SsR?yqmW^ca9TSx_r?a(_&
zLxF)ynJdqY*fd2_#%(;5OgXVW{xZ-STEOs|bWHhaBL^SimNfve(Lp)`euB(G9)&wu
zFZ`5rEp`)CkB7-5c2nHpXjf{`8Q}K^y;!VkemGO6!NnWHGLvwx=Uv+Nj^5bZHZ5tK
z^P1u;#Q$q_+OdsZ2&RdbvN`(DjfMtqPf{+GAd6HscY^UBd&0Bn>se&++OAi|M;k9F
zNq<#5x<S697wAB=Tp~+jHm^KBrRiLD{AgcF?vQt^+1~Tq4Bn5Ry7OZwyoAShtsBm@
zf*xAXNYF!O4Za{rx64D1hO(A|<vZ1mTr+t?HVi$(s;r@DD#_$!D^ooKtxd&`VEoAh
z?s;X3@Js0y&Kzppxi?DY-O~1SiXKH$1{Brq=-iOZ6lf9<b4cLID`0wgQ1Vxz&N=}I
zzLSMF0Z2EdbeYS-u{}30&m=T?a?6lq>A$d>nO9}`iZi`@o8V{g^wdu`W8_^@3o)t8
z>bDoThZ82pONPhh8plK7!p=?<va(50**?-y!7sQv=uV!OEYXI%H{gYK)>|k*-$@Ve
v_z|AkN&AU+L5@}k>>xSd)u5cWJ;Mdl9v{8)6=w7#sGhH6R{+Pwd(Qt2;i{G&

literal 0
HcmV?d00001


From 5757ba20de28000981a419bfcf63b1f658b20528 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 28 May 2017 20:46:30 +0800
Subject: [PATCH 199/317] [makerom] Fix encryption for production target.

---
 makerom/accessdesc.c | 10 ++++------
 makerom/keyset.c     |  2 +-
 makerom/keyset.h     |  1 -
 makerom/ncch.c       | 16 ++++++++++------
 makerom/ncsd.c       |  8 ++++----
 makerom/tik.c        |  5 +++--
 makerom/tmd.c        |  5 +++--
 7 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/makerom/accessdesc.c b/makerom/accessdesc.c
index 20c4e876..0e44788b 100644
--- a/makerom/accessdesc.c
+++ b/makerom/accessdesc.c
@@ -23,10 +23,7 @@ int set_AccessDesc(exheader_settings *exhdrset)
 		return accessdesc_GetSignFromPreset(exhdrset);
 	else if(exhdrset->rsf->CommonHeaderKey.Found == true) // Keydata exists in RSF
 		return accessdesc_GetSignFromRsf(exhdrset);
-	else if (Rsa2048Key_CanSign(&exhdrset->keys->rsa.acex) == false) // sign using rsa key
-		return accessdesc_SignWithKey(exhdrset);
-	
-	return 1;
+	return accessdesc_SignWithKey(exhdrset);	
 }
 
 int accessdesc_SignWithKey(exheader_settings *exhdrset)
@@ -48,13 +45,14 @@ int accessdesc_SignWithKey(exheader_settings *exhdrset)
 	arm11->threadPriority /= 2;
 
 	/* Sign AccessDesc */
-	if (SignAccessDesc(exhdrset->acexDesc, exhdrset->keys) != 0)
+	if (Rsa2048Key_CanSign(&exhdrset->keys->rsa.acex) == false)
 	{
 		printf("[ACEXDESC WARNING] Failed to sign access descriptor\n");
 		memset(exhdrset->acexDesc->signature, 0xFF, 0x100);
+		return 0;
 	}
 
-	return 0;
+	return SignAccessDesc(exhdrset->acexDesc, exhdrset->keys);
 }
 
 int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
diff --git a/makerom/keyset.c b/makerom/keyset.c
index dbdec4d3..19887fb9 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -391,5 +391,5 @@ void Rsa2048Key_Set(rsa2048_key* key, const u8* pvt, const u8* pub)
 bool Rsa2048Key_CanSign(const rsa2048_key* key)
 {
 	static const u8 rsa2048[RSA_2048_KEY_SIZE] = { 0 };
-	return memcmp(key->pub, rsa2048, RSA_2048_KEY_SIZE) != 0 || memcmp(key->pvt, rsa2048, RSA_2048_KEY_SIZE) != 0;
+	return memcmp(key->pub, rsa2048, RSA_2048_KEY_SIZE) != 0 && memcmp(key->pvt, rsa2048, RSA_2048_KEY_SIZE) != 0;
 }
\ No newline at end of file
diff --git a/makerom/keyset.h b/makerom/keyset.h
index ba3f8748..2a35b382 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -30,7 +30,6 @@ typedef enum
 } pki_keyset;
 
 // Structs
-
 typedef struct
 {
 	u8 *pub;
diff --git a/makerom/ncch.c b/makerom/ncch.c
index af7996e6..d054cacf 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -36,27 +36,31 @@ bool IsValidProductCode(char *ProductCode, bool FreeProductCode);
 // Code
 int SignCFA(ncch_hdr *hdr, keys_struct *keys)
 {
-	if (RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	if (Rsa2048Key_CanSign(&keys->rsa.cciCfa) == false)
 	{
 		printf("[NCCH WARNING] Failed to sign CFA header\n");
 		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
+		return 0;
 	}
-	return 0;
+
+	return RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
 }
 
 int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys)
 {
-	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr),keys->rsa.cciCfa.pub,NULL,RSA_2048_SHA256,CTR_RSA_VERIFY);
+	return RsaSignVerify(GetNcchHdrData(hdr),GetNcchHdrDataLen(hdr),GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256,CTR_RSA_VERIFY);
 }
 
 int SignCXI(ncch_hdr *hdr, keys_struct *keys)
 {
-	if (RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cxi.pub, keys->rsa.cxi.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	if (Rsa2048Key_CanSign(&keys->rsa.cxi) == false)
 	{
 		printf("[NCCH WARNING] Failed to sign CXI header\n");
 		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
+		return 0;
 	}
-	return 0;
+
+	return RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cxi.pub, keys->rsa.cxi.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
 }
 
 int CheckCXISignature(ncch_hdr *hdr, u8 *pubk)
@@ -1089,7 +1093,7 @@ bool SetNcchKeys(keys_struct *keys, ncch_hdr *hdr)
 		return false;
 
 	if(keys->aes.ncchKeyX[ncch_keyx_index])
-		ctr_aes_keygen(keys->aes.ncchKeyX[ncch_keyx_index], hdr->signature, keys->aes.ncchKey0);
+		ctr_aes_keygen(keys->aes.ncchKeyX[ncch_keyx_index], hdr->signature, keys->aes.ncchKey1);
 	else
 		return false;
 		
diff --git a/makerom/ncsd.c b/makerom/ncsd.c
index 51e4b9ce..b57d8f9d 100644
--- a/makerom/ncsd.c
+++ b/makerom/ncsd.c
@@ -579,14 +579,14 @@ int GenCciHdr(cci_settings *set)
 	
 	
 	// Sign Header
-	if (RsaSignVerify(&hdr->magic, sizeof(cci_hdr) - RSA_2048_KEY_SIZE, hdr->signature, set->keys->rsa.cciCfa.pub, set->keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	if (Rsa2048Key_CanSign(&set->keys->rsa.cciCfa) == false)
 	{
 		printf("[NCSD WARNING] Failed to sign header\n");
 		memset(hdr->signature, 0xFF, 0x100);
+		return 0;
 	}
-	
-	
-	return 0;
+
+	return RsaSignVerify(&hdr->magic, sizeof(cci_hdr) - RSA_2048_KEY_SIZE, hdr->signature, set->keys->rsa.cciCfa.pub, set->keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
 }
 
 char* GetMediaSizeStr(u64 mediaSize)
diff --git a/makerom/tik.c b/makerom/tik.c
index fb219ae5..df955992 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -81,13 +81,14 @@ int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
 	clrmem(sig,sizeof(tik_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
 	
-	if (RsaSignVerify(data, len, sig->data, keys->rsa.xs.pub, keys->rsa.xs.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	if (Rsa2048Key_CanSign(&keys->rsa.xs) == false)
 	{
 		printf("[TIK WARNING] Failed to sign header\n");
 		memset(sig->data, 0xFF, 0x100);
+		return 0;
 	}
 
-	return 0;
+	return RsaSignVerify(data, len, sig->data, keys->rsa.xs.pub, keys->rsa.xs.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
 }
 
 int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode)
diff --git a/makerom/tmd.c b/makerom/tmd.c
index c7c54492..0b5fa837 100644
--- a/makerom/tmd.c
+++ b/makerom/tmd.c
@@ -71,13 +71,14 @@ int SignTMDHeader(tmd_hdr *hdr, tmd_signature *sig, keys_struct *keys)
 	clrmem(sig,sizeof(tmd_signature));
 	u32_to_u8(sig->sigType,RSA_2048_SHA256,BE);
 	
-	if (RsaSignVerify((u8*)hdr, sizeof(tmd_hdr), sig->data, keys->rsa.cp.pub, keys->rsa.cp.pvt, RSA_2048_SHA256, CTR_RSA_SIGN) != 0)
+	if (Rsa2048Key_CanSign(&keys->rsa.cp) == false)
 	{
 		printf("[TMD WARNING] Failed to sign header\n");
 		memset(sig->data, 0xFF, 0x100);
+		return 0;
 	}
 
-	return 0;
+	return RsaSignVerify((u8*)hdr, sizeof(tmd_hdr), sig->data, keys->rsa.cp.pub, keys->rsa.cp.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
 }
 
 int SetupTMDInfoRecord(tmd_content_info_record *info_record, u8 *content_record, u16 ContentCount)

From de705925743ea452c38fa0b8e4b3ac1419f26c08 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Sun, 28 May 2017 20:53:13 +0800
Subject: [PATCH 200/317] [makerom] Unbroke -target t

---
 makerom/keyset.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/makerom/keyset.c b/makerom/keyset.c
index 19887fb9..4ff402ec 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -80,6 +80,15 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetNormalKey(keys,zeros_aesKey);
 		SetSystemFixedKey(keys,zeros_aesKey);
 
+		/* RSA Keys */
+		// CIA
+		Rsa2048Key_Set(&keys->rsa.xs, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+		Rsa2048Key_Set(&keys->rsa.cp, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+		// CCI/CFA
+		Rsa2048Key_Set(&keys->rsa.cciCfa, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+		// CXI
+		Rsa2048Key_Set(&keys->rsa.acex, tpki_rsa.priv_exponent, tpki_rsa.modulus);
+
 		/* Certs */
 		SetCaCert(keys, ca3_tpki_cert);
 		SetTikCert(keys, xsC_tpki_cert);

From 7c08e895d0c449167f8dfea52cf4eef5e14ec564 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 30 May 2017 13:29:28 +0800
Subject: [PATCH 201/317] Remove unwanted files

---
 ctrtool/ctrtool    | Bin 262759 -> 0 bytes
 ctrtool/seeddb.bin | Bin 40752 -> 0 bytes
 makerom/makerom    | Bin 438222 -> 0 bytes
 3 files changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 ctrtool/ctrtool
 delete mode 100644 ctrtool/seeddb.bin
 delete mode 100644 makerom/makerom

diff --git a/ctrtool/ctrtool b/ctrtool/ctrtool
deleted file mode 100644
index 441e0dd4d0cd351d8af7ceb575de8d8cbd1a70e8..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 262759
zcmd4434B!5^#?wa1c(@YQBk6zj5xMnQHi2WD$zVLfj62cvbzR^L{OFpGY|?&a5BJi
zoSM3~b-`9GtyZZEgh3!7KtQWSaKXCa2KNy*w-7|h|NFi7y_uJk^w;*^|L60^kC}JR
zIrrS{+;h%7_rCk)7ncl4^LjnbzckNf9;R0K3nfVX^?34v=`zhfg`PamG5Fit)63Hp
z=`IpR3~`0+ep_wU&Tpo~dOYNof&cT;6d*6HP(C=ny%ZQFsDDlk`OETB{|fC#^*eu%
zs;Beo@%SX3`B>Kj1qy$lV1k4@zn<<g>Dg4Oew}=*9`j{hrt)Q8rt&$z2keSDzfSwu
zHvT`-Zr{kXLZp~3<c}vH|E7LP%YVbZ3{B*-KcO=E6N4q(`K>uwCOyutlkXbjV?F=f
zf7v$SaJ#(D`X$@0zw>K1*K@&?$v0mz@Pa85&zmxNTDa=Gs=Q0iyJX<`GpC<_p=>w#
zlXmD;qhv{B!}{gmf7ZDN{%4O8KkdX@$DjF+OKyKN&GW{EEfdfF!`at;O<V!~cgAf&
zvDbH&w^ur0h4^2`|C<(c-}>l;)f@VqaZj)OuVcL~Tz~My7k_{7M9-uy&&&zlwj3m#
z{@V-2Cmsd6yc77aPT-%TVMpV$wG(>wi|;7q_U;6JuoFJ>K!3DyH*`Y(O(*o{cS3(p
zC-Ad6f#-JuKe3bkxu_HR*E*s9eJAwsPUtV{q(5)&gnoG^@LiphyQdTS7doN8x|8~R
z*a@F!I)UHR3I9_&p<mPqyrmO9w{$}Pd?)a#PT&Qdz=w4LH#(`$)K1`yo$#sYgnmjV
z^mlbKFJAA2&(cod>7DRj-3k5ZPT;@o1pY`T{Lk+M9_$1@zZ3ZSPWmCUllpY;gwGG1
z(2wqf{?1P5P1NTs&uJc?q3rEgr1|eP{7?9j4)7h|a{}O=plzQewa4>QluLN4P4C!e
z-J!SPjve*c^wk~cCxajL?SNAXZO-cF1^f_R*|SgqoWHP-GeZ+6{Oo76iI;fF%5IrD
zeOlSf(D)glvNBKE6|>5Qm)|mZW~h8d(UkEsXO_?Olm$nYmQ5_5VS`7O7EPHxt$gJ8
zo2Qg3+|e;*6RO6SRfcDjm(7|yBNQG##Zz|OwDD8%cjEYAv+y%=^i{b7%0N~%{^rTE
za&v!<XBJr&np0U`HhEgb^kP=8s;aEAe8$Y_)5cGk9GX)$YXJGoCZ7%rE(EiglaIpV
zx`|UzAR2zlgb8Ic+3s9V*{Er=Cr_J*#?A~+Ehln<(;<~JCQl1hluej)o2R^La>!FL
zy|R3oXJ%-|v<XuyJ<}^g$mf|nbNrObN#i{gq4FtH6tZ#-syl0@D?92F8b9GSvMQ?>
zKY5C0>TMGz&+vq%PnkZud<Ll5!RU91n>=%7<@gEZo{C$_Lo+=S#!s0teF7OzLE%%&
zr_L-7$wH@vr+O-8mY3f~AS+Z>R^ciVV>>;JI#-566BOO_O9sm1Oql_dte7xm`pj~&
z4owfEPIgH%Cybv~!RC#haSM<baMp0<G#7K!4EQn(|1F-1*)t}GP}>>h<Ix)vrcaxN
zo+sb&q3IR;Gnq9bR`w)Hn=okxDk3{qWw5i!?nOzig38LO&~qWyc<S_75Hob-j0xjI
zNmjDm95h>Ur;eXI%~OFYPoLp&s?55TdxjPjm0fiH08i1_vHIX(S?>84d4`q*2O|ma
zK=oX9;rY3#$Db#GDVUq|!t*cYWJ<IDqesY8hW&pU{6`1JU*a5y%H^coR9$7BZjwt1
zo^I#N@MHpijHKy;b%sO1XZ6nukMw&yI)2=+pUgQHs{_whtN{Lbkq4?p;s@Y&+Y7fL
zYZuQU;F%}X?>?xY3{Qq?4rsf0dLjdH{P)1GAA*~Fj3*m-!g@}ge4NMA&2ze)?jh4%
zJ?Gfz(5aJ;p(lNToerPIbeiW<r1`J)@(J>nzIVIzfvw-zE?rWnKaRd7oW8d6&(Vj3
z4|ag~b@VXdm$~4Mz9qcS1$Xo_;g`GMIfbg8-2h|%IsbevxZTAP)z<~Ln=0W0TyRIH
z6OreFvux*Ip$qQrAHxNAYzFfTbHUNk$$w*AaC<2!apPQY2ukwbBo{m@356YT!7=d3
ze^oB{@kyx1Q|*FlF8E>>+>tG!YhCaYT=b8);O=$B5*Pd=7yVKfoNGDf-!d2c6bFdk
zIv2dB3tsPnb8YDS+vI|u>HzV(#RZ48PyXBPf;%w-B6qmpXC$dT9^rzY>4G0{!MP@L
z{<XT`J_pEOJtenix!{>Dcpn!$+XXLj!E;>jvt4kX3+{Kp`?}!gxZnd^@SnKgc`o=*
zUGPE|ysryxxZwR<@L?|axi0uv7yM@~_&685zY9Le1wYRPuXMrBcfqS%@C#h<Y8QNf
z3%=L|&vn6TUGNKC@JC#5t{t6!OI+}Q4iLXfU2tipY}_&zJm8|QbHOih!RuY{pS$3j
zT<|;>e2WX7?}Bf4!GGa`?{L8{b-{%TKF9?(B6~88SeK7}cDBce)`z-?+kiA8>oXe_
zQQO5^foePFZT!`G7vhQONkm#Z+VJn3*O;aXx3<XiI;N?*t$LYGFrCiyGMRpnX{u^#
ziA?{QX{u<eR;GW?G*z=zEz`ecnr6bPl<E7Jri!-4$@JY!Q#D(|Wcn_qsgkWinf@iy
zRK?Z+nV!KkRj}og>06nm>b0_E`evr7axITcU&l06t##lC0Ot&6nkv@XA=6hdP1R~`
zk?FxqQ>9w<GW`ptsY<P7GJPS_RH4=qnLd~4lbNoS={`(Tm0Hy@eHznLp;o0#pU5;-
zr!`KdyE9FdX$_O<G^VL4twNdp{#>L_XL^84f6X*irsb3A-Aq$eTG=xF8PimemPe-l
z!8BE)b>K&~e=E~IrgzBnYfMuWT3cj#9n(~SR=rFon5K%emdW&sOjEU4OJw@bOjD&<
zwKDyCrm4!TYMK5m(^O$rrA*()G*y>1PNwf>nkvg0CewE@O;u$T%JeUpri!u#$n*@R
zshTXGOy9~hRg#r0(>F6sRb+W&`Z}hmf~*5S$nj^Is>j+P(^oJ}m1Av@>A_4>)mZg1
z{R^h4VytB{eIe6SE!Gm5K9^~#6suOI`!G$FVO7iYX-rd9Sd}t;BGXh6);O8&&NNkn
zHB6?{n5Igw3X#^wtfZTk=!+34&TZ322b(rhto2dFxqJ1IqYU%A+?EmMVPnA_<57=i
zq7lnDhn;JfHU2yRa_f!wtA0jtjJn&(=gd66YU-4d_*4EINF-?rfdNfZjo-i%|9xXT
z%Pbxch>s7qwUwB=fMt?OKwP;R8G$c^3dn5{bDr>engV|61F2t1;sJm5O5flKp2X;>
zgHgmj^Aqt$3`C^0Ep%d}b&j^E9LmD1Z}V@MG<&co*5%v_&i2GdwB@hUYPw<C=QnEi
z7J(wt>@A5;^cQM17b9iFAC*;(y)0{DfN9&~UQg@+m5jeE8v=0Tv&_IT-;2y=y~qP7
zDn{aKp7(lMR4WR#=pI1PEHV9kk7vz2s3sEZjBK{~HMAM3l<7>QwVG|HRpeEF1`<fE
zM&4MBOhtq@(t3=xXaNvtPTt(X9`qFHsJ_@q12C@Q)MZGZ;^dYD`fVVKOad<;5Ve+r
z<77Wq0u?WG_|K4Zdch&tRmT!uRV75*w3-#rui`C;4~91Os1$^W#znoPWN6VMRL@wj
zp7L`2jrtAxjrvV`S!3iL*_YW?KGcSt@LK&-iA<|E5->Kc=bi0YGf|FilVJw@nW8I-
ziq>m2han<HY@R=J%~YVpesm?k(W_7$yJsk5)_ar(Rh-XyEtSZyRwH4=3LZiUxm(fN
z)nJSgGOVX0;^I4iV0Te$6IeER^tCiyq6_GxzOmV+Su>GgfhvP^)&#|1ki!7ODBeW$
z*SbO>&IY2y{3>7y!#w!)^Rf^M&%w8h_%&_fc9Qm1q^<q`C23ERev1kjv5VjM*QBc<
zmeyvFIyFUOtd%P3eKPAV@!K_kJ*{AO{%dxh{sruQnPOMX&c0P;Ewb6Yj`?eimau{g
z0LyL3-6}?_d2VhLQ&`&1fnLLY<s`X+kaHB1Bd|?`wUEgP3bxyZok-Y^oIJ6M-<7aV
zJM&@IbE_hK*3Nzsv#(LGhi%y3Uj^*X3Ksd-EKerO`HFPxzb3usIgpM7sVyso)=-(R
zz=wRYJBEHQ)gHRzJl3kOV(YbQWwBO06l^b)H9KSjVIBp0--bO&*dDM#hitH6cM!H+
z!TxH)t|e@}f<0!#E+%Z5f|)kVOW30d7Pet;tO9JYf{nLfe<Ca-VRv}MZ4n4DG~h*)
z%5JD(?$$M2u^VQS*#8|XcaN=^=J^LCAn_hK@*=$zxHw>9^WPC#xT<JGK&#1tD#l}x
zp+&ochkH&76lkZ(#QNq?TU&w82bCFp2>=^K6OvSS<KXrElVY4}1KTOag#>m~j0*tl
zs0rVIBWHb;stWziWO><Bk5XO?KyYbS+`}a7SloSzkcKeH@mC=fcNdCF+K1>4wA<0e
zQia|9ZRef*c#G4?6W>J721gGm(rW6!L0ec4U0X0DIJ{J=q2F6jG)5n-Md^s!T?w6<
zs>nNV82_m&hrw$kuwC1(C$MANMg!QfE7$!TZF`2Tam<VlUdcZd@;e*Yu8?O4>{!T?
z0Cp^7Y5;}k?m~`z{3wN-VguV1asq&{kUt|?zid)<ES3B^miouvqtw@>fZI0umFlCE
zdcX#@EA@2(I~MW~fE^3z^9Ty5a24YCFd`3){-=I?$p*G7Yz=|tCu&Cil~&#!3&Z?a
z{1wQKh2B_>Lccob8nj~@k5bq|0Fkv_S@)5!W5eQ#u$|CPehp>BWf}AQ*`oVgcL9VL
zfF!vS@Kcf`SrhWzFI{yf;O%)}ng^!2^;VF)Cv27OpAieaqbxnu?3tKL)&Z%t=w!^G
zlX3Sq%J;a(!+O9Q(UyB6trN7G7yyyhkQV)ugQ>3aPSv8nMY6goZK4*fl~3tVQ48^8
z&nu`nk99H1u)RDwFeh@J#tP=2bG9dOFA7xya^OH)n{q#fe3evwG@I53$ZoTf>77ys
zpl+za<Zv&PK0bU(byd12ob6JK)>=u%md$3%mVM2ZB}wF(`q3oGJd(uQlgMTEoFvHt
zlH96D&UdK|YqTUO_@f`~DTEiU+T%leBAeQ*&B+d4NCy2BgOhCr(7GP$WH1mOAPnj4
z4V?x$ucXtWhcF;EE&X82LOOSE(0uDA!~D#Md~smd$Y4`__6V#Fni`f2=TFmto`oJU
z4&{GaalY2O2HCirfPmK>96G@>$~f-;evC-#@rL>3?6eyjF%>Y{2zY#Z<65HHc4)n;
z39Dnup>JqS2fbmgGa7bZZg{sCZ?%SzIYB}rx)qrXbEC@tnVrA7;K{Sk_ISc4U}g2C
zxD%T9#*JNm1(5ffM#fK!NI_K&2tsEjtI%WAS`SVcfxd0ajn-Ub(RzEVnd&#%X0}$H
zXnr60OpCN-Yo+TND`dMOJ2c5pH@}JOoUbRS&GpFV-5U0#=hheZ`^UkLn}5RcN+;9@
z%(o&Ny+gF+8Qt`4JBp9l6j+>*W<=_}=#T8s`MP-^V7{+|VYDTn1verGXtTNju5UY}
zW05i^L2UEO<o8Wu1^*>G**q`;HP|s9MXzBU8bo@(kBf6R2jYcZ((C3rGDq!OvjbYm
zmeL7Z!M#_{Vsjm#`nJz?V9c+IfkTya{I5uQ^whU~Uwq6zhAi&UJs4^51|x^E!+*VA
z6`v{}jm@n`e+9JVCEYaq>8cfL%j*N)%>i$NZoam-Buz8W2EAc-Cfa+T*xVA{hDJC-
z!u(rR{(zI;YzTPY0$A_2S<l~e$8q|C26{Ytf^#w8a3r_zrjGrQTd&3kJ=pcatZs|5
zl06;X1KL_HxYuAk;Td6=+Yo#+Ak(fzcfg;QTQB|y+s#%%e$k>Xo(r=w7MEmXJ7X5!
z%~f)5dRG?=sLyR-KWoctFUO3~QLd*@Ti)V*%lj2tpVf_xx7%*M8{W=LKEwRSntrH*
zSR)rCC={!^47s`sBg1;*`WqX?&HLKgDr!e0s{2CN&BItsW$&R~ShcJVaz3>j(D<q?
z2+Uk>?Sf}%%fDg%oI{k955t_D34lAD-9EiyDfmH_)uh$orWBhS^-=oBp!oxO>kV|&
zH-`Cc?pA~-`WB+p^x245Uhe9&8h;Mp=(n<FtUC&+7~rrDW^JSOL34vv!&42xc#VIo
z5BZ~e<)Sluz4Z+Gz^->`EW@vx`wg?1J(O*j@5|9%;{j)}XfIghH-^XSkt5zvKvI;L
z7Q2xmA-bWffLCU~==V`*n6co;Hf(pzT1vjF$V6Yuzs*lN{S+UGQmFg_<{>msoP8Xy
zPs2!D*BeUpCNx6wMyodO=4xWU&{+!@6*e|CUZq%xvs+v%amoW2oj^u2T#Ty0sQDFO
z4xWisFj`pTLQWuZiI{?3bB`a#gM%^3{B8sWU@Y3(uICK^a_b{UGPFfJF{+y_kQEbc
z8{FpqZp)~_PXCs~UZ{j1mBiK>l&9EQj=FgBIhb(}2hH`R(J!=`%hJFC3kpuR=w_{k
zr(GgHf_Ehz$gx#&#Jm8%DliJf)(&&=dpyOj`FS~iK*wMq=mIXfOI&md9lCLfuFyrd
z@7ZMitm~nWD{8@StfCv_qI<?gcM<7Q@~-9xdL#$oHxY;JFyc!Y;4!-V!y~!pP#m+3
zcv0UHbE03S`XZGR`78t3{KO70;t?skc+Ru-A)hl}O5))R1Hw_Wj;rm1y18EbiH~q(
zaww;Ty4kRD4aPaqhFnsl0;b<jwfBX%0P_Wz#BAh%SnTM9#V9mOq1ljl-6a}^fZ)aN
z=qj!T-BNGpQZV<!vABo@zA9(H#lSR(OaK-a^%Xyr{6_lw!uvwqA?10Ci~5NjF#V`+
zrXFd6?b$GZMVB<NLqh(-5_7lNP;Bnt)IEr0CXp8aY1Rk58^|JCY(Y}bZ_@7ShAyV7
z*4Jn%!YF`4Q(-25D{47GD3i$vqD8SXVz`Q;+isFnGY6V&oz6A*r-|RXnmlS(TN?~Z
ziFpY1DlvDmR^w5t<|mx_8!Py$oo}Hl-x<i)yb<;Ue1C1@ce(IC?gaiBg}>d#Kj*@K
zL_8#t`GdeGHjPXvf_fmW)6sUZ5hGF|<yOtlp!uT_UrS}Ik1RF!j2Z#Ul4pkeJwz|K
z8Nt{qoO{9aaHe5424i<1HYP3tGe{L>Ff!5KBg0tGm`$mKgk=WfQAgTxg7M<M1p4rx
zWV5*!>Zfn4@gG2WX%N0(WIe{Sae%lSt+#dBmw|qJMelmVV}-V`i5(rE+bV8aD<4{d
z2#urx88BOP6EVPphB?qLs!^q2tQ2h@=$G0TF$TljAnL$YkL>b>GBM^o;Iy3!&5Nv*
z`(7CLNUK+i-iCg0D&@5*kW%wHKKI)avrRmJlBIyQ>5Gf|iYSsL5ULyl>c>Yh?F)E6
zQvRYF>-Cjk?ndyL026@bxHImN^?5ESs)cnrY{cj1iO<(aVS4n`vptwT2VBE;%$Mxx
zxr2m<t&bJVQ6%5HhJEK3lH@Y+k>WC1k>t3zG?FA1qw)cdi$RdchB9=F#8W`WVoE0!
z^d$BYSLTH(Gc_DCx55EU3~*(>MP^otuiziVj&x-Xs?1cQ$h?Z^VXn;Q%FIf;7Cc7m
z3|HnXm6^I4neQaJ(v^Ad=d89;;RWM}t#xJoJFsXog%_E1iFRdPrqIfu6!al_8PM0;
zePY!DuaC^#3fqM}4h~f8@{;(3Jn?gx@z{jVXRAc64Tp1>WW*`dha-#<n|gxf^Qj71
zmm#B?cg%4BZVv{w(2V4vhT>C|444rPgV?H)h8bbUibj<jW=7am;@ed+Zwb(>zjzAh
z*edc_Q;6AOM%X9fc~F@R>5`#@8>W;1#NO_=QDp9*IKDtt*(es|pg4L!-AGiu4UEW+
zO_vp5IByt`g)JK}r6U|KEqXOnW=Z@H%lfeYq3w5xg1_+bB^JcwWk|+eVilMwR7hHO
zCUqn^gLa9bFEZCEB2pT=XaL&j5y!#_gPW$+e2tV5pP9o9rywf|rb4p|?(q^IUt%*z
za59pym)Jn2dMcz-a1N5P;K<G&#o?8*QQ6@zns#Ei41c}hV>rNa{lr=R34Gfgh#AOd
zDLkS}GMUCowqX6Puo+D5;&R^n#N53GE{`-S*4qHl?_zaWe)GdhPRxBY9itKAv*tl3
z)iSjShQxXbKEBlRvRlLhPutzl1ypuliTMP^;Eaxdo+^a$F7jDlB45hAfW7N#m_y-7
z4gq>-PNVIwncu->qsW)UXJ$a=GmZFdSuhGY;(B->u&vPOS>kH>ybCH=1n>xbO6@Q5
z@C=QZg}UnA4dM`z0rLnA@;-%uo!=!sV~)sr*o6H7b6-j)TAP7D<CQ-z>(|Y$US?yh
z5oz)zs?lrKXAR0;qy8?ubo-%DeR81$`I8H!5)%vmJwC(y)a87_!-04FyNz-KGP*Yu
zQ0pLjy_A)nTrM@sF=d@UM(5FS$Vs{f;j_>NpDhmXE3tmcSnSHXzj>V)`zeP?wFeuh
z<`Fo=<{NVJ^d0o^H>_I6dPNRtvo6-nzezLlG5f9$2R2@mZA3pXv|=p8it)G?k3x^^
z$<`x3XtTHKkuSC4=w4K+eI?7BN^-AF#SzdW=1%Z6nlk+8B}^;~9UsI>HZuA_=rpWF
zYqjM)GA`_qzIbF83>Mbc`5R{MX?`+5VTMz)Up$AlHUC<Kci8q4-TsaoAKS3`(6~%-
zNj(Lz7!rc|$BHS5IjB-5)`^S;xYl<^&p)g2-_4IOkNKJrzZy$|1C$jxbk-@@LQwOm
zBR;pqIs^wVDQ~%(t;tp1RC+}2X0^~B&~c&N7s7KHNE1GE8seb_<YUbzh+wsPPpyyC
zrx~#le_zN+mRc8gMSBNa-zcsGiL1RR|Co@gJnLDeQWMnrUASF3Xtp*js>$GyO*m^S
zWn7`9-W$H9u%#(Yi{1e!o-(xP{dfwPn;Wcjy`>@J8{_HFF|p%KZ6&gL07(mFX)7|0
zuP`$Z-e^eEBcH-O(v}ZAzHsqCO<R#xp_|oYt}P#&rZ28e!=scNZF$#VybA8xMsJ0_
zvW<lS?+M*)`#0K(<I(L1T5JSQE3Lx3`iQJgO(nz^`YJ|r2GAKmXP8(2V2uGH)n4it
z^z_CIzjtH6@AcqMnpboM4f-#qv33;J@kw(`(R%$PY{N&{BTYpaa@|)S?v8C|C0(_!
zubByg;fx9GQ!ESX!=D=QS0pGtHzz?2ELwI*#3pLjb9;D6^lD@^nR=Ib!!Ln8oh;&W
z`$}G7qoRL=2n+-ec~a=bUnD|{&Siz;uS68mP{>*vd6Pn>qiEzDtB^Boq;BU_$Vm!0
z+D7{AoTwObRw-n@jqFAw8gK|b0)zNKJ>po_w^a8od5Yc5R@G5@qMO6sM$ES#r4BOR
z#qxX;z?9>MkSl0fL34X9yyRUgeSjy9#UJsv-Z<D`?lK$2*L}R6$YIDj)<(>CJ!Jky
z^7{_q2s!&x{DySOZyxxmlG>G{tmx&ZJB3A2SZ;mv1GLI1?nWt(M=$SP#-*sE<gCm&
z#bI;V(b%-pKi26WNr_`Egx8y>Li57K6!q}cl;-ew^R3)^Os$r6m|4$;x;MeaN6$gB
zTh^t8r1&*K_J<yceC7?MZ|sJ!r#(OL3^MPFv&k*=VlC7Qrb}dZa;AiylIsq|F|r#|
zr75GiHmRSE5+Caj51XCSK0ekyex{EKO51MI@^IyG17@7j&iXKdI0_!un&H7ALoh0c
z3B<1Vi5CHihy4r+WQeEfk>M$G4dZR%Av>A1rebQyCl=Ys>^0fw7Exs<d#F*p)=r+H
zt@uWi*omBgxl>$?M10`sWZcX9fv&yqtr%qEeI)K}C;BM9*>=*uX5#qJcyWTA?2DP+
z1<#5891|M3{o?5*c!W)K1uBn)ia?-}=T92NEAQL(%dm&CX{a=YM$=F>0oHM74u2a}
zVDVe&8_~4Irukq7jfP#v3h#Cb9YTObnFtyh@r=DPXTz?pM!zQU`FogBk$L_~RB4@I
zrZ*M!@JOX4`8O3w_93Gbj>zfQ8>oZ6@q|uLYE0Hq*)OarZa)^Q3g76|+D*KRf}!tn
z>+R;yFLb9}^WRzTEB`LCr>_yYv(ghA;zOvY2c0^t#!ICYnV*Sy`GZ#T4HaMHa-2M}
z@D$zZbV&S8Y+zjlkm$Dzx)%{BwpIs=94v{mu-Z3rKj6YYC%QF!vo#Tv^sj>P`2q2B
z<bZ+c8Z`HnrVsQ3Hbk7QU_)d;AbpTO7#rnT!&e#*8GyNI$`*fplrf0@{um-w@jJ4`
zlaC=fa06<*up5|{#0UK@*sv?3H2scBFw7QPU*H=FP@`J34K>4fe8d_W=10&94PSO`
z*x4O)Sw_DNK?p`>X)Fv!*$Sp-LBumE4O54glI0gyf(>I5InuQ)K#BoJBbMbK91mTX
z8Gxgkse4-j-UD`POg#hq5N6P#8Z<J>xJ(Q|w)PD!6c;MkkTk11$Q=JL7{76xc<*`E
z^Am(F-oR784RoZ<DgGR>2FZpU>52RO!Ta742R~z=v|)-rJIz`Q4J+fek@bD0?4%rO
z<?qD`@{fVs<h$f%+1pZX;K;Niu9n>dK1YM=V+^y^4(T$WyI6K96oCxFFj^Ox4|$s9
zL-eRbtGP$YQdK6zXMudo!_#a$#fIfH6-tqbZq?0qw3@RC4ERep`R5rXB9GX3kS=&U
zYlEy&!w$Imn8HTC67F)yK+&4xfr?$-qhEs_`SJLGR<uvge?wdJE(8MZR|#Xld+<!>
zRu<-XyXHD49>ei7Vj2DtJY*Z`C_<holMAL2$dR_<f`GR6mNX;YYZx^MqK<7P>6MjY
z`0v0Mk;gK|cwYG}9SE&vD8+pFNPk%{vauIj(UE?m-pbIHZ}x6BCN!8OehB-ZA>tCO
zPf<TVn&ZRXlrdp5z*m)k+c<F=amcq4M@c*t7<R*mP4O2R<_&%Xc)vjwKQ_Mly``IP
za-Q2Yz%0oS7oZl}@_@h0Y`}&a3a&7Vj-c=g^U5EL{O0gh#HF+qk|UU*S=h_L-w@)t
zTbupT?i94m_jvB?QpX=ShX@3&gVX=ctihoB5?di_H$W{n6>Bf-)V=GqwSkf28g}&B
z)~d(hRzRIKv>sdFscvh#V?`Z*TpVVvk+aB%WMBj%7>;2TT(@yN^E3Pv=Jd4CFPO}X
z4a>GFAkENpi@HK$$2bxzJX_n^q-?_lpxn8nRtiIGXm)H21`Z<{=(juI716Ec=p1uM
zc4#w1%z7P8L2iBXx_0(nTEW=mVm){pvALOI6(5@D6*AT!jQ}<clks?GKSOOUeJ2B@
zMr?kjnE4RJ0byoDd(B3dz(E5lW*BSdp)ViAGMqc1(0qUdlpF>)ORG5%667q!AR?LY
zcWtf^<_Fh_OA!iSChk2s7*T<va0LDuKn5hETeTW&u;IjRi;h0^5qBTcaGgIW_3q_h
z*C5TMd@F30w)|Uh;cqCyp?uUthg$W`nrLpPIg9s5O}~CyjC2egg9$^l6@&U>yYQem
z^awMCxiR!^1_o@VGhpx|O1GfTKalklzviGu*5{eqT?40MArZ(A`F+}=;ZTECKm37o
zWO`BUtb9CRR~h+Mp;tW3D-fUm@9pz=)TML#Tm<a@#y-E5-oZW_f0qsa59~9e81ymP
z+vjY|eMrb5Dm2<>xb6@hnWBAu3r~=kY?p<G$V7huu!t^|Qq_Y)ZWh}XI^cJi=o_pc
z2y27!J4?jFpoY0B=63MttGI9<ym(|@8Wf$8eh0P#didL0=AI8ykPaE?rJmUBFwS$b
zMFysWGR|L9%HjiIoOi-Fhy1Y4cV>%$D5AhCt+NFJ$2tdL^*(_a@7l1ddnwdjcCcR)
z0|q7L5hFcJvMOXpWQpM_g#7>VN90Xf=O>VY`1jxjz~K12b77sQ&^rGJT~KQNSdu=~
zV-BHp&c=j@o*=FBorYM7Y{}+ck!-G&B?)eTP9DNyXoNS2OYx{nlN>Oo=7|1CVpw{-
zHO1e<dRiLcYP1IfbaXqMsKxBSOnJ_WGtB64ZaepVL(0cd?X7h5n%_+M{~hfzwVBJm
zE7X=l$$5`d9a}dR+#^TEYFBM^omX)5mlQ4|>HG!!{k0m#6l}*2g7r0OryM_lCn#21
zuAo%k)oLCh47mdFahNviy;sCDzGS<D4PSKSHl)w!2fdS9ug6MZoFhlliciHJ3}OZO
zf7cdW%giPI{xr{%@r?5x`m3yNMQy3MsWiP9(p2Kl3C4zH>e`ANNZ}+1ABGKbG&mS9
zgrjC3{C)#r4rw)L2QOz3`e%Sd>$!iKU4k-lw3>IoSX&NsZd-FszebF7uRFO0E3Ds_
zq37eMBlH(`iO1^N)q9Ky8)9(XuHzAa1F)g#{iD@Ln4+p8(mHlE>v-qH_~33(u)%dW
z-c#7J(HlA;5Wg-xx)q0C{-HM<P78Rq1DqDh*3E5tLvwH4yG?)VFreObfM;mM{DEG(
z9pdF}w5H%EWnXglHZM_eNYVT->^qLG<ds}n;`gE2Ir`#BX`zesSaG)Xwz81rZGGGp
z^5fT}BpDq&KxWZnqjJo51K!p^zayC2+0hpBYuyazXwk9Y)x61GUtm$x&hP6WUyi+e
z;B}Nldl}=ye_=0+?#0OcXZF%(o4)_ZUOsy?d)e|ou$O5tsQ;C{+zcyi+skKu#PGT8
z<r$m*|6?z6QJ2o`<w?N)Z|vohKcExb>)D)5Qi}g0d&xLZdwU7LORISr+Qqh&hqW5+
zM=6z7jHl#UwrQwbiW_k*X+Osl7o(q)=CT)_Jq%T2F$-79pbCOw$)P*-6i}F-(0kvJ
zs?_}M%J`t=K`bn>vs@A@hvmYtgQ84?1~N+FMqyc6l71-{o$z?%3NzA_6*Pxt3Tp{<
z7(7R?&k`RX1-;b^Q41seQUj}CtTWGoC7Xy16)b~w@3+$U2E03TvzvG{&ay>Gdb%DP
zfXHmNxcgTK{KBKk(H50KwH)0L!6KKB6Vp)^wl#F@rccD9-fv^ToSCC7FCJS{9~w0X
zyW(l!z>SY$puP2|U@vPwv_(o^!IXXaeTVTIyHOR}PLJ5@Ei!9;LfXt;_8wNX2me^j
zqtSOBuTZ{_%<A|;%`!z_=u<q!W+zQni&nFWkgI#p<RH>O+m&@R+ZF7$KDQn|L>7)`
zPRaeC`6OqZ7-`Ha$^Sew3YrwB2aNPl7_%!fOX4%&@E=6*K^HoP0;Z~X>>zKbs-`~t
zH`=7$+`4)A9?p2J2K#z)ebyVRwY-KMnP3RD-Yxtrn8r$Tu)hMmjJJJYVn^kKvhs_2
zXi+<EezajcN}oZchWux;%(G>gp?=9qoTva8-jV*^TqT~_@LA?DTUY_>ObSY@pywgC
zHGyaHtM#x9HNgDX>c)s!fLoK1Nu6K7`l)6EIlvyw<->nr4=yqx1pk>mD8xP}yY)Y^
z2d~?i+O3}+!qSkO{@<*hzK;Eu_F$#VDA!L99Yi;~?ZI)4|6_X~cO9WA5&Mno!Lcx?
z9cQ(P-z*5INA$%|#EN{dQD;el+z-Sn935<6skNJHJq+2fTKd3SvJ%g`)_tSaB~McB
z7p+Lhla%YVnh#NcWQr)L)MKK%Gw^Hrv+%ihlYl`P)=dmT=V;4|#tur;YU+U>l&;lO
z^Vd7e?<_2Hz=3*Y9Hi1!Ng2-|D@@o=L_`j8=yd|J6z?6fD3pTz`?uL<O#7dWWXURz
zTy%=p<molmr4lsF_t<`t!}oOT^fy0~^3P)hZ+)lwBX3M9L|fc|3G)JdHYeXp`vKvh
zqYnOibz3@o`1k5wLvQk+YQ{U`;D9Fg50pMEiBBJ7Z_vv%Vr)9J(0=g*;y>6In!;0j
z_v0D*8q>Y#r-@0Z3Qjm*`4jvpI!CTMkn&^j`lGUD2F~+|-`BHtbNh<lkV~xKL}D5e
zwXRmoS0v|(S&C%;w~}O;i{u7H(qEjUNdBfswzx?070Cc`01*ci^e07fz(sP3A{i)-
zQ(P7*lI*dm9{pymtZtszt+-53Bm-O|TR_5YS*$2@MKR1p@w{SED9RPdnTn*+MG{ja
z0dbciIsA?478l7RNm69ktCDQdQ;}{_q{~2>Td(#$3KX{z@huh|X!~Cj$rcy4(?}94
zxF49rgHuusP6HgHhu7ei7hRJa(cu`!VUjoUl#!bp%y-tv-We(GQRNh?at^qv@*+r(
zd8{r)t@=><>|?d%4JEOR4HP(VJApOGzBW~ZYL(+!;J*7BxI7nbqAKtPak?t-Z4f|u
zwnB=XWv;GB#);O4W!wL%NXELjoT*4Aigy&ruM|m@i{$X?wzhyec~>x<wb+Lu?C!-;
zXz>B?Mr=eS_E5B%>2ULk`9g999`tyie=i)Or5DqDtYg<fdS$%-TI>iQa53-P3~?Qc
zrt>wo5|PASfjDE@O+Ccm6db-+No=O{*MQ0rKb5tGia>y1XgqXrrZ`#E|IM%ZU=#k3
z?%kN^J|@`{K`cJSMXaYP#?D``1k~uWM_jEvPPV3Cq2%*vqRxf-`qd-@R3cM+#sFlj
z;CjVmyNhxYDRKTyGWjae>O%d6sPx+^<%Y@<#o<)NAqP_64BbMI!70rGm%|78pt}=!
z4p!U>Tp%ACB-$dW;NZx)<9lQ99>i!I>z0SWZMy@tHXA|2%f-G`tl6<pJAS!arzT0J
zl7d0v?}#gz8;$gtAiflQu)KdYnPXVO2Rop0yvuHa;uDV{N3<U2oWeKhSc8WRJ+jjq
zJ`J8pB`gEZn>eqVTiZ}=#?R@qbi=U;zRa^dRx3{sYz@7M7jtMe-oX2F%?+eOq8dxd
z=I53EH|ulv8u3BZbnits_M%yYO{1pf?zVkEiKZoAX^Curzu&`TI~zXBFud={v#FvF
z>I^HJFJ^C}>rvXqL#j;>&@Y;ODgT=GZWG$6BgPWQpWxFL@(e%#=bYpHQ8<KF$q+;!
zLp<?-$1^0}KTq}+4pp(|#N7#2PRcW?px#Pg98e0)W9$WKUc(PMMBHn85S--ZS$JUz
z+(TRj@Zk8szR4jG{g1+(b{yP$iOa#=8jSj;+LPjzEe5a<6$3m2L@87c@eZOm?F(vL
znWAu-k*NwY#Ji9R>-{6}N9BIK=<+|`uiy2*+pjk|?9UJDkZ%9Ji#nf&Jv<e!H&^UH
z<5KS*nJd0%msaQb`q~HP1{g8yrw)Zc3`V?kXd%weNq*QQVE}cgkLUf&_vC&aj|J%F
zw+QBS8HFew1nbA3_lFTdx?$MptI|8XxiJX<xD7u;7=$!ExQaXz2_tq#CXR>9{H2^z
zm`7U8AEAA5cBAGA{Kgi`DTZa(uaUwQ!==T;xUkODBI5v{XXeYTU&*1BuN>ffh1{Pd
zVjKy5f9;LaOtG$JH*Lib>~Iam_S%rHYj)f)*t2+OS4k$`t!rzm2BY(}n(HM~Y%oZS
zWGPkvol36xVG`aR{DT9NF93-ElYILJKI<05MfLcvWO!5_emCDlFxo(fvWMuuf~<=B
zN__!$%fQihhEdHXoKZJmjKvk$_&4HVoJ&0@uEI0)Xb(I$;Plg*B95(l9@xu?J;-r|
z&5FK;mg_A|)mpTk;vFk6oBLq79zg5khyx~i-k8$M`<7#FNk4bNVZJY<EyUp^985>#
zUcPyxul5w;sN^vKChc88F8BrDulGfdIST%1FjD?9-hbf8CJ#7j(f8P%1?wpQDgEi3
zXQ4kUR|(@(*WQ5skQWo#<>B1DPm5l{=^ZOrySrUWs$3QDqXKdhPbByx-@B4Qq0mpc
zGYgARsw#_~Eiu0qU!a^|K4j}Uv@P)&IDvl|_}eYY-7DUD1?sxeu7~Us^JCro$cVq{
zr=;Ps4W$g(MUr1hKKAgNv?$IQ;7A$g6_!A=QuLpenBOaVGaAxSlHaODVQxHue$85R
z9+Xe+UfhYpg~)rT939W;vQhukp$k#E-J#HVsXnzX2fZ^+@dsorjo2VR28(ZaHN1na
zou+y+Y{BzktDOP-;$<M`0_o(B6<kA_A6zu`q!}Y=*jxR8r$~)U3`-HoHi(Bv`3q1w
z-4N=tbdVN(9Ia)A%=hJ6E&Igzs8WmUsX^h}O&n9*FFq)M_?k`72HY3l3q}}ByoC{(
zC0~kIr>Ncm6|LTz=r+7N<8&;#Lwt`;2;wcBniqjXHSZQ3nsMkQRPI5EM3js55j(d5
zG*5QTARONa=ZUuo873hG206F`j4Q}t1UQJ*kdb!#C-S_%3Ubdj;G*E%^H?zy^t7GS
z0J6hb&zq4o7O|y7dKQ=yn5ch{^FKZloAtXyDXQTdO1}or*E_F;?1Cq<lKiaQ0K4tu
z*D#%9*GSZKbZ>|FJN5NJb^Zcd&^W#uY3eeHP6!lruR-vEsH+V~wChM$jXw_n=<4|h
z0fD3kwy{EZG#h!OF5I72aF8N-SXGNYphT36Qu4|6E!e=C1<~obTg`nz?B^Mx?~7Do
zIO&2HB!LWTI<7im$3SGVz$geE0R?Gq+57?<>~cyIoKqTq&c74~2dEtf0K;?l2OIWf
zh?#GxIrPEXlxdIBZ?kerV;O#_)Rcm2&bH;9aNYcv(;Ih&w4d9V5JJptEsD4!UJq1t
z!_*!@<u!osXW{)f6w|Lcj1!$$`x6iWpspJ-kYTp;H3R)xjfNdvg7KF##-dqb3&a9K
ztPWbPfH=`l#Cw^rx;PM{CT$klgtPp~^8;*jUa~LFM<Z20)v@mo_}_flVQy#s6}qL~
z8byK4LYWYWBtLyj&}>Uw<k$oy8Krphbv5e_p(q=xA_N74!PX@duvL(Vzbr%bdZONu
zy*O;sm<{Wnfk=r~^EO)^ONX>%;s`GHnqkT=mjRQxSv2(*;W=851y5)_>ip#wjCp*T
z801t0ysrUopk4#Yww{S4DMceLROn}c&aJ0Cs&|m0Cr})xddLu8&Z@z}1P^JZ2$gXJ
zz%_(yD}4Y5;}3M>Xso##MY~!d(h!biQ=%6`3%KGlXn4}Ng(owH>XPtUoBhfE#Qt`$
z7tdqXSZ`q*lKgO8Q><Xu=XPb7d(Bu-I<*q>nBxhK+;EIyMXmI)uvzir2=VK~Xl2X#
z?9fHIAEfww958V*f4?~C2m2`bLA=+VX4X8$&QNFJ4rhk9BV$_lI{fv9vsnM6J%;xs
z4pxE`>zSR&^~{G5IfU`{p*G52Fzs@1+C#K{hoZo=Su#?1R$<AH5ROMvvc`Q$>0ehJ
z_doZq|NHZ>?a#O3eep>h{OQUL>GtPkl|PK`Q~tH`kA1H6DTX-){`6@0%VRLJM<bdz
z1`hRT98(`t*r@1XDWpF=tTDDI51r%o&j+<jEBdiE{kTR(@nSs<^Dy=sj&=8cZ1yCc
zE6T++BonHP__KYxL*uM@j#KJNoM?xCEG-d@%=YJ{kr~S|`|xk_+2HdIJjWs|AIk3d
zCLUpz+MIfPB{|@=82N7Meo>Ai2+bb>E=^y2e$^VD=8_@e4)+USmqxtzCJVt~cuqi^
zuoW9ogJ`{Ur$Sh47reOxDr~7s7Zju7ILQRxH}y&cZc=bwins*%mE6gxfpRm^_-yep
z1R2Zu#_*{y>OLdBx(fD1-c=z+$Rfj<4AOFK&(Jj2HwD+Q@a?X`H$98$Iusr4>FC5V
znkWV+@D{9&x4SqbTJ&0!#5JE5ov5DhPQ^ud`cF@O2V;0);!d0hF7}8v$QZWXaj0SW
zkgUiKFJ2kVlFwU&N*%}4aX5DX%<+6aKC&Yn&zgL$7ilV)Z6`B;I)TrmKT&TPay6pl
zw78}5io#%1aSn#Zqc;_EnE30rfBW*c#N4ZIEbi}F#T3K{Z&YW9$0BIq`;q1z#x`*d
z3>pp#^^Y9h6aFL^zi9wtAoD<AGzggUPb41A86<8|z#cAOp%@OJLlQt2<OSnX$D(4x
zpodz3185L(8^Tfv1BnvRi>we+kpDc!SzFL?!yuQz_`qI}X*u@Lg1C!gLw9j6r^AB7
z*=TY2WAwv9#{2ZeQCzT=bXyux&H(lY+AEtXR^G+&F6N7Zvdw=&x<i|L$u@It-2)`r
zI|#iu!0x?){N;Ex73bNYLGpKTaeu%HZCHT6RyrEe?kvBx3R*Q7zr%~p_jq1>LCRRo
zqX4#h6~MY15VU(#V%p6~FJDg11$%fNM_YdH><m;bR&eV_eLUjJrF0QMkLywz8g{2g
zKJBJ0f8ZqEle-Ofzj)0aHTLUlRpAeDerwe&;EK%WA@l0n_-wu}^+|MV;vOcoz#Ew8
zzXDs#*$hyogEFzysY?`ZMZIqmO(v0Cq7{7nA>DxY6YD`2ZBeeW;uIj!JVX$I-I3%%
z|KQKeqlkKgC=kOYJHYqbtbTBai?NJQWUYTB8J5u?n_`pYOt5>Y7*$hbZ%Hy-oB*<7
zn`~f;Y^zQ7XGwO0zZb~Pw8@60$ndhA?1~7;P&FT@T0c;&oZ?U=Yj%?&@`Gp_h!Tt2
zQGA3$%ke36h2LKVZSD~lfV}wxx$cG?rZ7ehSB1{Q@*T!|FPQuaOw9KYZhgvOWYdXn
zpP|jJ3U9+glJWrEC;9Mv_V+6b!Cl_gDx<D)fO%NkNXJaa<*VEP$NB7Ro>KMU+3go%
zu>dMwU9gL2sVev&rC;97dY1qJK~nl<?8d@j9z+-*^5@{;2o`r9ygHCgb-A681BC3r
zp;gpWLD~p8qScf*GzSRT0nhW#4$TfissZ7*(qyh`nG29_P=m<fw$KTKn*xIhfkxpq
z_=|~+IA}1^Rv9Xm$HK0N56TmZahBO^WIb9XJ?U8d0du<+y%H0&LF6#s0=%8whMC=s
z49pv9eBo6XgYN&30q=q3wt$H_Pq(!lgpe|hrA23TL1)BqUKVTr;sI^^eh<<`KK4sa
zMJ<kvG~bSS2}TX?Ln2BYHo5hPA7zXFU<Og9#6L;=q!eCc1IN2A5Dn@UJ`)u4N#WiT
z+V_-WH+iZg7&(F?FT>ee0*mc!JEG~KU09eE#Y-;sXf=!ikrlQ@&`z)$Kz0?b0-pdo
z-c*2b%-w8m-zFjr-FP?Cp<Ycj^3((y7v5<-EY~{KNU&Yjb_%Ip*9aMH_%tiwyD6!#
zL@790lO(wsAJDG^y|(=C*vG<6ST5SLNIOW<7LxC;L3gl`pS6&zSwuaGNEpadq6O-u
zdO?BEQ#=2FtX^cL{l8Y$C$SN<3qEawq)0+g)syN2rB^|h3pz}#WRJ58^%Y+68<5Ga
zjK1P(C(hUFkqtS<r8i)wBYF-nvM-}~8TJ;_MVu9}f)Cz9r$$npn)?AlQA5D884iwY
z*Gf{j<UsTV7CD~;9NIBiAJq7GV6c6Fch0+o&j87t%<2|^y}zfGz<Aj!gZZIRdMxYF
z=;qKqyhzlC8AJCVW3l4x9_$y9wfXnJ^^-VvPmo#RD_(IgNQ}tg`Qc~DNQ?5LA<?~B
z&Cf7taW>{S$~F20B$f8zeQb&3h@5%cOYc<(mv#sEZ+=&9YdwlSvG?hiNnEIySB5w8
z&J`-1<g!eQ=Cd<#MKFF`t1~d02WD93C%$kLB954@rZLkS_GOBXpOig0hD4E_8tzzX
zY4j$JIJCAZuTxaHplWHv!BUIx#Ay>#V*8My&?H5MLve|VBBUtxzC#{3o~(EbcTo&i
z6t7DPgcKCTG#AAHMe!#|;d3bNc2OL!C>BWycrc2`GcJlfOJs}7B}KJEvCc*DnxZHo
zMN_gKAG;`)DvGl}QN1f!kMBX@Y+Ek`1@5kbcPTegBS+Fh6M2`FRx=YS0mJg;+l(oH
zm8f&g=WCG3n)1D@-v;0l(^IoT3?#A+a}k-Bc0~3hav2uDK*oqX#g+5>CxARzv7JVw
zYd-J|nnKLCcR^#sX|17!5hCKe!$a-|fmmL17SoXM$l;vOmAdwaPiB4{h)+2KTKiT1
zGD!9sDmLKplDpVDNj9%5$|;H0NVE!8gq<3RTTvER;rtHYYRQ0(D8cEw>~P%LhXp=b
zuz6eiN{T$T;8oSU=Q<)!C-P;L^Ijq!adqjD$ALT*uZ@813?eIC$WMv<p%tNqUFbhM
zE*5D!8D8Tz+M=15N@iP||3?pYJ5p<UqpoOtsQi}cGv*j(SEJ5nOrKg_T0YId0sFcz
z`k?}^&&dA6@`~%m#1sIVx{jDsKBdAOozc9@E{CA$l^cg-c$(jq^mQY~&nou?#)nqU
zDo2hXnd5z>(@{o+c~#cNA;)`~|DyC(-H6$fLlY+Xia;`@d^}3-x+aWe-^QZjQTWWP
z=BP~<m^`C=LdZ8_<B%Nqn5b)@w8+<Y%#6vbt5Fv!_gy`0%A9^kWm{LZId;*gE3T@X
zJ|pA{t{s7z%ZyVMV049fCl>QVaIZMXow#{jkv=@&8+^5{*A0hW-8iH>GgSmgchF@I
zlKqyfk8i{re4cG8WRCS2Q69nv$!?h`>$3(K?YK%^(a7PxtMsb^`pTL8$p17|Dc|s`
zWouB<RR}HEP0}Y!C|4}z%Cd2bzLOvQ<r_YRnXR&R^|JX({M8bFc?#duwP^Z`a*mVL
z571h4qusBdM~_N+%}qb}>JjL3&>zBV1^vh|CBCc1Pn)PG##0nf3k<UAqS0B_+tR#Z
zzDc^G@iQjMF82+__tr41vb&c_8s!h@t8S436)3+sjHcg|VciF8=khsZ@|1FPwCW()
z-6N+%tcGOQQ7|E`Io35~;P`|8B;Tmf?C~>H{&HW@r1A;3u~ymEY0QT9IrE`uNY3Qx
z)7T%F7VU;sudJLh8DBk<**?cSrX9q9mrwKs2Fnh76F@cIy4kui0bOA<t%H!MTg|ad
zhHd})F-%w9tImi-GM+2rA2`?+*;CanSUU-CuG#h$3x&gZp{wK>e=Neb?cfW=XFs?p
z6XKn}F8q=C3Ge2B0uyaYjTnFDdIfi~p&pJ#fBCmiBH$CQv*i-{aZ=I%%Uc|)c#Gqs
zkID)r>!*)O>`3Vxef9g`DbE!C7&P~ckQGPh=H6OX263P_u{I5&C`NN9A`qpod<aLH
zu(~-;U%3@o5#24-ir*+^uvcaI9kQVAaF5?lc*<;(%&@fZf=}ddTKFZDG~fefc|>KI
z<jT^wU6wb0!z}4xM4k!;gDTOAGHrJdVTc!iZq^+CiGEBDR$up=u@rpaLNy~-7IMKg
zI<dmeCta7>$VcMvw(8YSftF4E{Ea@Ix@NFnxdVR^XCyOdflV0g0J6lQQ`iM{b{F7l
z6kffKy->$qEYXVVjaXa`W31o-uuB+DW56I?mbo5LNPEZ7dJ6)p?gQmp&N4O-Ut7iH
z2rh3s+HEDiRj77+RTVr|xec{b>|0G!;ttBmk;e^XjpFy{Zp5oc8}SuYT~Tcr9z$ph
z>&SW<eRG#fKx_OIM^y8<Js9k!D90KA1f8P%HVz-*s5QwBu;JrUB!#KRK<d#*J(i>%
zhov4zrXI(p9&boJR@#re#7571pbOqZ#yW^EHsL6bdZ8V4V(BpZJQAL%=SQnS6gn1g
zR*-O>l|E6=i{1^y9YnB>3Ng~p$Xs+0`Tk+u3?f-oCl}*%4=x7s;FjnX$&+nzuqS}0
z3FIthW3wE@@jxte5NxD_$O57U2+4{~b`Zw_5p@vk03y&H<KPxO8s*HASvV>-rbJ@a
zI~WcUF?5rLAy+UOr69^&6k6hf@xN>VtTg_LAJGfO5g2E)?Pm2Ipzgzk@K`!nTo-ib
zdHFJV2giOf@exLd!-8?UlKk(&e-H8?JruzyMts?G$1no9Ut9o**3D=L1#(S5kxHqg
zYp@=m;5q9774NX)*Igw0(3513-sHfu$|y;Tj)&fDuC>Eoc<*W-O0j6-#M+0I_I2ss
zXq%j#p%di9jI?<ZoSV31X`Q-%xv;vei#(s3j|r~M=hnlaN}kUxtZ4)K-B3>urX_}g
zs7}WptT5K0!iAo~>LXq1I_7nipWNS7S2E_I74o1jue$L}W4{#4+1v;5%Z-Wa!Pime
zUp_z`D|?RH>XWhgCpXUSk`M6Pe}{)P^pw}43pr6QdXQ7Upg)<#AEerlmkF&|39e$}
z?Xo0IB1@|hTLE-d(Z6I-+VXf*ic3NBCaE9~I27VKg^v=y6t9rfL3u1i82x_yqQF(4
zcf0Jt_+!|Vf>b?Shab@kxr6c53;CR_+G`>Qte5|mR2^FGmsE>M_2;RQ?*v6v=~9_n
z6jd#$Y7|w0qN;UK{TWoS$l_*F@X`g;h$leAH7ZMYWYJAwHs}pIvJ%T&IV%<aM@Z~f
z#2+=uy6$jMU7@I!km?AW6!gIgMdcZnYLVZr#fPM@Yw;Yjysom;AWNziK3C4&_sPCk
zO5(>A@fgK_n2Tz?qGIGvR4J-lMOEpddK^^ji_xTDEnp<CP}J$|Dp2dnG+D8JnXJ!H
z#P4pD-B9nMDpFK9^5+o;Z<F1yOi}G{QJn!Q>txU*{Wr$?7aXpJ)Q0q6ygxSq#KBvU
zAG(7ZrBF1PVkZGO{{x0}bUfozGvoDNqe+TEcx`aO5e9^CJV0Bx6Aw&dlS5nh7!qJ`
zCK)tXJrd(w!e)X4M6wW5aTQIss8XeUwLz6u=ql|-&|)6aq@aE$U=FTI8hGB?20m5b
zBQ91fo(BtDvcx)%0~cqC^;9KRlk#;%Sp!N?-HCcRbN;JZSr#qFzw#+)plD`RQtJ%r
zLY<YhfjSHAJs(`*-7I#>7LO^OG&=tmPg*G2H}bB5&Y6qa4oX`|ZC6LV2bH%8MZCUV
z7O^y0#4l74v{L`Fi0aj}XsqR8u&5gemMcr~C$Y(4#S);&tb1iY{2L5uJIV0pWXN5Q
zm5dxEL<feCD2BA;|FVWqg0%c#xU*3<G85e77>ZGf1<n2c#e)6;So}e;=$mA5qGCa3
z<6pB_6Q^ea7URGoVK@xXGk^b;Izuz`TOJw44UE_y-lafKeJMMQhSG7#DXr2em+mN}
zmBW`so{vK6Y}tfzq!X~Z59jf8@NYie@t?cn^hKy&^`)NB*T}eS9cKskF1YNFx#<&#
zOOXeJ;rD1mcByIiN77=0)-mmRSz=kLNGlUrz;OYo8m#V#!6}^B6NkdM39G2;@4H9|
z*A^{;eTR&{Lm9VzDH8?7$eZwuPc}om%zQsVJ}~Y}<moP^4-+};kVGC!<nb=#FM;Ho
zqJ6W@Rzy1+lof?%t*q!Y2&$;Y)U_5NAcHd2ccfTEiknDLt|)%rkzxrc29cr&6t<rw
z?@^a8Z)J-5PjLD!!g_dd1zCg#4`|$t_)F9=^z<=O;<QiO+7Q0Y4*T&Jmy@X*MIShb
zYN5;JDpGD9sr5Lue<sAGd8=9%HZ77o!B+WOMzkfA6^Jb)6gzU^`SL(W22xs-FtugA
z5%hS%mO0N6wc9ceUyLi#!nmB=8^${r{2qjqAKZ&3{UhGom%2Lb<5YYJ{tMcKT^io7
z*3kT(-5)HzP8H9W_f+v~)f0+;3{Pf5?pEB@w$#1^@f5SC{LIu+c?DwDDHUc`Puy~o
z24AIy?_=RR7pE-F=xNuh{ibYR;O%~q^|9|~vrbFG(T*2!b7+&-`WmK%_h;ga1FtLJ
z=v_Rtt&V3f>?4?}zhkGcO}q~=A~MV|KgiG(`bAqoguF*FB5*m}m?PG?D5MtaFE#ox
zIWTng7O-Q?@5BlBw6(>DwV4eIzW)KB*;@6WlP(CIV6KZB-i;Y2U9jNLj|5lZ6;-dc
zoR?{gO2bR26~`P18Eel5s<|iY+nt?(YaiPrZd2%D^Q-vn-ik=;d~Imcf+I&jxH#k3
z@Vgr`F7h-*9O+Qgw~==eRfEDqY!cSI4V|XitLm@zuxsiK^8tS$y2LQ=k+-gwm^J=k
zNS7cz7QdlFtzV5i2dnkF$6pDE*6#s-wfue5Un_r~@-LCU&-s_h-<SRM^7mE$7W}qb
zqxJ;=Z};Bs!7pwlJDZCP!jg*&EsFPcxba|bsUjYP4O`#J-hlE5cBVY!jIGbiY(Vgv
zHGuTyer$|Fa?P)#p5vKxBVOb8U>2&q|BXYtl1fISi5Y-G<p!a+=WfhH^ApKeo?#cK
z0V0#Qv68c~JJQy0jJ?Q?!4WYJsVNB#unTSc+tT0-kD=s;Cv(z;=LR71yq-{Rsqc6{
zAwcaeDAaL~LEca(i!3q!Zv6tKq~cM*_#B*6@Ot!RyvH*w^te5~ILrg_)NR>hu_2S|
z8`WOGA=6D6)(lPzcYG`MFgqXTPO<%7+|;Pv*BAyf@ISs^k@qzIe{sK}DX&*d^-ss|
zlc@JId6I}PQ^;sZU%i7E<^X{B)&blCP>2(Qkd-OjhT#pYEb;L;$VL1Pyi3s}wyNiB
zyi3u9M_jv~iF3O*1SvVY@VbGx{d=DIFfAMyTyuc_9FD6z28+fwEuMy4K)9u#Lq+iX
zq<-m*Ia;I_df)!U$u3d02*Sss_Bcmh1O$8pT=JidqIkpqH4CNX>b{CT>W%<TcX}tM
z4CqW?p{ML~xsyt9XkoRd5XHR8zs=)pIf3choPY&&pF_`+S#5iRTCzV}Q}BIM7E_Sj
zmU0MS9I65LupILv-TaWdHQA^$-#o?-?g}h~u{&ci>YOjaV;wYHeZ;zyQ?^7QwdgI7
z%0R!*wdiGdu;x%k9sPv*o`CwYwcA~-jYjDafDrgYE72bJ+51UEUIZlL9(ey3c%FrI
zovIhug>RGJhZa|&&)cu}@qLt%`1Bii=Mz3y6Mw-6wINSyph4}_mpa95#20Z84HGBb
zvAc!6$Nl1&n;4#ffHaEV;gRQZae#h3y2bpMXS6Y-Jg_b9tU(JvzwnQ;$pH-4f;Rb~
znVvjAy-E(C?8)YAW#<SkHje~&SLi<-tbPFlDGye2xvmaV|AXv*4)%J#Pr|>Kr>P0K
z7?5BbH!LO(Q;YkM83$*;KXhwTHTQqfZk*rPfY&WE{23*e;_4<XdM3IRnziEz^>7h)
zhtWapBn0h2|6g0zVSF}4;Ljv%yDdwiz%)M~)?!qsom}H#o7VxZj>jPwdL_7IB9w~@
zQ?Ua5On$*qY<ZgUfGa-YtJH|>G~%@baU-F42nU&PF~9U~kv%Eg$pep+2kG}HeIdtQ
z-dfH(Omf7#H*h@X`EjIugV<~*`eJlf;~7nywE|5%AM$B#u>ErJ`CWAAAMmqKzWU00
zJ0stFr8|n#$hc4y#<S)O^fB^Zg8XZwfB9jV1e`;Lu8maj0N8=>IKX)}`x4h&n4?f%
zFUN}1N_cKf>I7`O-l%Zz68C<>m%;@R8Jr?6Q|J{yw=3-@gvaL|5FcHS>flQsJYoKp
zdj6Juut7clK*hKc&wOXf&lfB4*${PRJtMpZ{zlGG<RQq)z*L(S79+!*hKLs-`8;fv
zwXzRj@MS}1=v)DvfmG<kl|RJ~(rNPTXnQf#_6q7f#o>Sj)->=yFYN*xulXhlQ|%Qa
z6zXph^;Ke=3zer(f0ZaJQ4N%{rauEH?v-#ltn@)jao30p<WXCqHld*?t_m5~Bv1`;
zCMLV}9UV=V{<;=uXT)8rk*{wA?Fpb&>ouHzA)6=3<~^dGCmWuhIhAm^JXuTl$5=tR
z>>c#q%fK&Yz9)#E#eAv#A@#isIgQjyzBs?!OLVDbN4egh;n_+bMxDRnTAat?r$)o$
zxlqxfi_lmuR>HUAFV+bhRNEhy@9T~kjE=#8?Mj|+{|M*X`9-4R&>^@<*yL9kbi6Vv
zreNuWyYVx^R`W{wCuD^-UW_&*mZZkSdTKs9rV#!8iI@Z<%7R0Snrl<vUm%9xBWK05
znhDTLSR>UYs)}IDTdaY}{Qvs?W%vv2&!2br-kG_g8dEfNejHxZ0IS;*tXwsE1(UZc
z-`h0QdGo%wj~MSo%g?Yo3xkr_EeP>kF7CS%J5CXD!!j*f`Qq{-VLARK@!JOA#Uz~e
z*e~iH$KXV`wS<>%u)9>!Zzl;2yoO`#c?_fL(vRE*dWY%?U&Yy{4r`mQ^Fkcn+aAM-
zn_VKvvCeM{^+?UfRC{6%${KAAeFn7xR|l`^e5SpyNrv%Z%*2PR3uYw__&Spr$M@ax
zr3%GepS+hp|G<o6@N)GjM*fzWen!$_1;byY`TdFmov3$>@VYyseB<kHLGy27J*1Xr
zQE3V6J%qC`q(=VsP%m3Xjsc^D=eEI4=)<Z82PKNG`tbc5_0|oXy~rNyp~f=K>C2IV
z&KZl<#-bf^2(+5B@XI@G`2tIPWH%o!(ygd%s?NYv2L`L9dLNn*#%txc_mJl+xyFzO
zEpwa)pYy;1Q18Q#`PfU`{xf2c1K<K-fYd`P`mhs{3E$`7S7uYgt}f!KQLy#q1`hYN
zXoeAcX*<Xbv$z$(NBK5in^=NA(N%o|`8#Gm!^LF@I!KS*%OZlYMXCrCT4MfK8h@dR
z1t0thS1mwaYf%ez(y>bN=6+BdZE1?KW$fPo?gPxE1`gkBEk>I2%={X!2jaMr_QE$t
z`YQr;5oe+J*ekLze2I!xod#*ZZO!yN5<cW?*xBWZ^w1aCV$_{<9uW1Ag|Pd0U?=~Z
z&`)v2HZBj9Y-ax!Tj6A-y>R4;^m$+8h%>>DA9gF`=2(`VFUMxqZRR@I5cJvxpAjG2
z6L0Bv!AInJvL;yO@Qtrnpj&pTp*1}zDX{|a0tBRQN<c)}T*5KzDT6--ay*GbV}Iq|
zz#-^tF?t>eac6=kv7dZmFrJzl{(0PUah;NVOqUOG<eOKEbc`bWO?{-X;CoM@$HRs7
zw%L8*KXOzc;&6-w&mr&*{Qa0^tb}#OW48XcW&9jAVOXjO)}z1dFyBWf@)7g4y$l>D
zUOf;=<*&pF_C4PR1!I$-9NEw#A0r)%-{Y^rh$Qq>K2Z#O5FYzt4s<I{;(++CAVx^L
z3}lY^I}>CyfA*A#uEM~|x0l`aZ4UCmChBz;ASX@_Y``>r*j3j1aOi`vt1^S>xIQ;g
zg~p+<05aK);K_(rK!aC`p(qQ^1tzg1)dk`=3YV?&Z&LX)Qu##{2yk5&^6vYKjQbvN
za*G>*((@mc4VX1T>Z8{{Bb^;g@Sd^?6sgkqzzjGL=Yc*LpOzUb?uFSVy<M<<7+KJ$
zJDf&|t{}4*e5!Rs$ypCM%S`y^F@*Nx&$8>q&O>c&E8!}7q<*sl3HtYFGbYuX;V`%S
z)OYebRX=4Fvz^lLs^LRbkOJi=#8=5N3osL>bLe8evli~HN4`jNeFq8FQ3}}KepGf8
zMwkZkBb3PlVQ}hJZ9&cC@#v-q#}`uS5qqz}5(OXb1G)~dZJ(L<7Xl&PNx_%ca3A5T
z2`BYEgnns0OE$4*Wu7O2i&u@q?f*@~AYk!Tn?QqaQB7jT^#sN4=QBPyg}?G0%t)nt
zy1y?;eoYcHGJv4;2tnZS2zbO~DL_dz^-GY^D`*nqR0b+VWFQh5mdOmPEHY%0Z!nqR
z0+k_~$e7B|1gFm98Hc_Ad5%Ib7gBlnvF?RZblX28wrCRI7=C($<g<uvNTrW{KXMA+
z!T(U7S54V7b9Pocd)x7Q6Y_h#P{`eW5V>fL7pDSIy;Oc@|Jr_^>WcWh%Uda<e;XCx
z1&uJ-+{tda8hyAfx8)p&w5MS=&bxhr%Ln_tgHVRp9i~_KJ=_ZlPzfYIfL;8BU!bwL
z_5@o8=59TIA0qIflRaAG4S-<?E?%37hr*hcs!KotE9-4BcSrVnK~{1yidvj?l2*fw
zTFHwKaEi9%*4H}sxkP?M_?N-IK>Wrd@ln_=c^`R4p3E&SYy>rYmU+x;=35Is!)~Fc
z!ODs>q~|xxzBLdJWT)Zw+En|C^ViQB5ir-G3Oa6f$07F~C+SF->jL?k1B-i{H2WiO
z3n~^cKhmPp(R|ylLzA?-dLvCo%nr&YjfRRV%=r^$X<cfTiUT1<-tOK+jz+ujkoWJ5
zf{!TspVz+SP*cD|tVI6Em)`J6DPK#!NiTz}6hf}%W((~S2pHDrc**y}ShWf!g|^z^
zqy55%k&@w~4O-1W82UhLZWdw%e3kn<R?WVqrG#Hv#B~_!#Raoi;Z|=b2qpL8QZy%X
zYSOmgO$l)(vN8K5QU-R3^H~BMLFtw{-C<RMjU)e8#^(+EK|E8+>tcH0YH^fA#|!td
zgH^!%9<i-8y-|pB>|qeV2%7z4%>@on^aH3giYp><YZufmZkLdIWxK=x=ra01w{lnz
zMB0JAcldlelMTFq;TKCPbyOQ}uo%Q9;#0mg7c*0=;BS9KE8W4bOOesa0n*m5xc>|!
zY$Ob}qusFq=K8j-)lC*wP)%O$dkpp?ylVZ88X~#=;`Bm{7$si;YQ0WJGgp@4PojQW
zva7{%WRxutSzw*YjrAX2y+q_zj3}X|<<80R_;Plro4JLO+1S9qE?%}=$Ct{sG~)Zt
zTgFja@%zpLz!e&huk&AT&8*`f0W-Vf{WgUi-pB25A5Q!4KkK8-E%GHMzA{}BySE;t
zncGV8H_17oYeU~Jjczti4UNF!gD-KKAHvmf2Ba8~gH>o?Fn@jcvRH8*6h-gin!UIW
zD!zIw)UF(Ch^MHy&l!)BeowQAb~6wY0`sB3`wY6@9rvreU9AW78*#RcpH&OM4Z}{1
zj1I}=SbQyaG0>-ZM>~&Kdq4YY?pXUU-uQ<oF-Jd)cQRUGuiJ+f8eKf7yedzQ*Mg?)
zC`K%~f@NWF>Qn12S&i8IVIm!`Eu#J1%zAl_8{>2<^E`(<*xP}A3gHsKii7KZYzu#^
zEsyO4QaTUjmg^%8$86hSufJ8tr1&S}-S~bi8B*83%}&781CNaZfE5%&PzvTSqdMGT
z(+_UM)Pi4Ij2Q=#rebPuPk1n<fV^`dC6Q(mlqbGW=GB%Dy0mcd9DH7_ExbFhxSR__
z*M>2AqnbSURzmm-z4`}lXe9oo;X)UjxoAa2Lf0al9xBPj7teF~abEe|c6_hzq{T21
z{LY0D`93qeFMyYF3m4yUT;byI@p$vLLox7F(f1z7pm{Y|XCf(nf~Y*di(zgw%&!d?
zv>>JnpZ4MY-`!ZLzSsO~HQ(i7E;?(|3(;e&m#_?U0WX(dFRsE|=KKHJ3tO(o?!dWl
z*`;|+^#|R2gksnJ;B@V?DmNsZu^n?a>nro$XmEbEFHcr>PO3b{cK*Hcvd~O9l$R#U
zdlH%dkMa(%eaEEAoAz&)_pQ^u*N4j9LHlz5@A9~9Cw`-Hus@Gr{qyg&Z;w;n^~v%Y
zxOn=f{&XxUKF!c>sgK(<B1gJti@3v!tsV0)=0Tf(!?^i_<$70)pupqX251PjAu!Q#
zp`G+`BGfkl^ADTwBR-mf0F$=-9r<-dEMA|bni3DACJ5H>?5{YCU0#XZFFZJjAm<~s
z1~0Y9l7R>No}P$vu?40^A@mpYMttpd)UG7Hl=?&5J_I$bH@x+h%MTIPqnGV^*5c7(
zy`lfaODVV@{8Af!ETqn+FT|sDwt_=nZe9X?xp;2M>J*}JSX^8M3K5t_wuK%$bYlA^
z3-<U5J8XL70Dy&34R}L+4T${MW%kc>b00tEUW>j(Ig?qA+r(~%j$t5b7|P%lFIgm4
z<XRNFncQDuNshfu=`;8}!^Dd7xq{xnZ*i@~X)fFGd09F>3`_hJ4UvuyE(aS6ZmiTS
z)~Fsea_l<zTz#J8)4V)2e<lBe{T2Li##=$xWT$^+r)_+P`<xa$fp)&=>dymkOd@+T
z@Zu@FS6zE(L-TpHyu+5^{~xFf-jUlaxL+x`1@_of)I5KK7M1ZYT>gZsaIrm9Y>I>j
z{egiLcOzm7=Xklr?|?EMd<@Io=PI`f<u)&L+F4*d4*bV1{8->E21u3N+)VtFE_@#G
zMM?ahh;MY^bBL!Lq40Zvgp1{NheRuGp0>_L?Zgp`bVq+zN>uXuwK%O_2Y<vhRcqvZ
zLlCJ?(NLH{&ILNBHy24Az8;`#fZ#-Ci>p#F&K$sch+hB(8Y(EHbHuqwn;ZBYFdX-O
zVGl2A@1ZZijBV?Nk2m$2eTvRQhHc$uAGZMWrmdU2ymZzD6ij+bF2Uql6N1V5I)Vvr
z+_oFo7$B2P0l3ExqXPom1P;K_y;~-5Fkroyk4Jn?9ZS<No{ZScVQ}4XVh7$RSZmAS
z>_b?0q~m7ynr}R8#!E}b@&{MtiMyy+APhbV!NoWp1X0R1BX#58H{e>j&p{70!wb}-
zKL;CN{~zMs1wN|kTKvzD0E0#*Dr&4)qfTw2*d{`i2+<5o;0#U_3kud3HI!?swp3>z
zR)ydsn$vNVs#V)-Z>`#1ZEdx!MFho!M*>)thYti1@WmMhNPGYhmHfVI?Q>=ZeBAs0
zeD248KA)U9XFt|nd+oK?UVH7e_vU7|Kubd2IZ>6)$-HOVB9K=$TFcB|l;=U9P1?b7
z(%9gT5m#nvcl>UXLL6n}q*W_*S1Z6o$ldZwDw24TqQy$)cTS=@(xbnrzrD_pTD{K^
zaFS#<1O!TshUxdN^z=JxPDik>!SH;_&($$4M!jisr3%nWt5D)r;e0_5V(86MQjZd}
z2cgpCyG#u#O$|r@vQ(oK2+m?#>hK74NK0pP^%H?#=)(8ze|jIj0RA8WJqXZhkKW|?
zT<B{gIwsL~4F|B$VVc5zOkl?pHUo%R<QB9hWBn1*|Hi=OOhSeSg}YCpAN|Ngi)$Qk
ziM~skMUHD5sBoVUxaA()57M8J(76i|(x1KcN@ImjU5<0^_W6GNT*eNkR;Y63-o*X;
z8}W>e?-h9$YQ?HM&Cwa!35d<>1V_U_(uRcQ8Zcizqsz{$AdS>;C-ktmCB{n9U=xFA
z*&I~Boe5L8#0M7uHiN3|IGXzFbmc6rRg-jR+^kcFiRCfgd8AQJvD-?DvOu%ytf^<^
z2PDg=Q#2Ky>@=SxCEY}a>Tu?p;^}b<9%*8DZ?01`=tuY_kwMCwvZz$EYQa$grb}5<
z%u$xSU1=p-3{K(TbmtbF0=O>rYC#e!sQ^(QHRqcDkhY3lkH4XuZGt)Bw&2YYTRUfz
zd^HE>@Fk&5{2J?GvgW+s=!$0<xqeD6isKmYmTSyw39nKRp<MXe988eW)<dHon95lt
zb;HG{D1C)Ce=T(uLgv@2jA*wmY*Lh}M3P17iZESkr*~TXi^Y9u+$KrPs&uQH3Hk~7
zlXbNaQ}>WOK#bgR_Jryr8yPk@{j&i4;Bz@{f^#4DKkaDSkBli<((7?BXi-kxG^JC7
zx=A}eg6p4f|0BNmPYHUPAdz|RQ`X3X0?noJeQ=<;mS0?#Tbc-`;s7j2|Cns>x#5Q*
zLJ7pT@%scb9PPT7v1%@~S5iAa1>N)+L?NV`C82-;D9Cp?fA3bDej;q+JbV&_5SIOv
zSiO_|0=QQ1WcR0cF<LBm;AYik?xF+*&IlC%yw@PBNn^&-p9>CCU_39Ga|KxR69nCf
zl-JMF_lx34@c<FI>|Ewyai3t3x`4hPW4{jr#=}@z(%0mY)BOsZ^Gx#iE7bgxdnk20
zIGUQrq|BOJ`jY(ge<c0$lD;vUJ}l`E(eyP>NK{Xjh!sS6wal=<O6J=oMR_)Jf62Ux
zDCZDZbbtGn=;JacVnI_*y7ROAS?lzBU%{LwU{1Nw#hI}XnlAjIMhzp%N+l=LSh`T*
ztw7vQbW#UBmkGB?qwRxwOp*i57xa_XtJ(c)8cF>p?iaa`T6hU?qN%?~k9Lk8L5FH5
z)hbdgST4;Pc>D#gu|`Pwsf8k6obR5g&>kV3Yys%@Dh!%~44Ns4N+qupG>3W>A$r#o
zg`!jVw1IL3Nda<xUaFT&D(US`!lW8$QeBgm>QPb&zy6_GvH6CJO-UlRE^`Y>l4d+M
zgY?s7w6{=ZyGNM`GO8wP-nbjeJPUN^<{Axno&aj_h}57GkRBa|8r;?iZd*;s50I1^
zyh?7bIS$c+Wk7OAscgX)dj;?1g@PNT;FE5m-~m!_YT;&q`~uyV$T5NhpvUJS@Q=%t
z5l$gWyyzC3O<u#>_Ys4#<O!11jMuV}>39mlG9tnRkRRT4Lct?t#xsBZVW7NVI>2QU
zr&q)C4H(h6NWX;i3-0yGKnas=7`60bTJzhvl<LFIL0@dt;5hy^NmM{00Ne}!99aJ8
zfpFfxOwoJ?_)i}X0$e*&!Uhc4<}v?Ue7hSk#+iICW%E5vzTH|oc4fVc(1USh`YSwe
zDfFsZLBqEEClQodENI`CN46WtO-k~J2J8$WgEITucapG;g!#;Vu1W0l%YqFWu>X?O
zP9E4`7OYq{oLA0p!QLhbOPcowyXR8Fv5%9=VEb1xf$e3IdN`@QHh96L1Y0p+II}#k
z-;;z>4gmWAiD8@qNjcF=d9b8xJs{-_7lH3&5hykYZ2T3epU6WX>ZUC6;4PFC>kfc-
zk||l{9nN};?n=>LNy>s2Q+2OHe0quWMA0f;J@aYP6Js+}J{@Andm&jDRnDR_d`j0!
zCPY(o)kjUgC_)^1MSx6;uHZe^chL>}K*D3lnzMPOpCP}oAJq5+sBUcdZvxZ(kjLsT
zl%7lYKG@5-gYe9+ymdo0HWi!NAONGjE$Q|9bf^pqHVb>Cp|^ieYwN~W=f|t@=->Or
zW1aNu=Bb5h?0Iaz_;YgcoC6463o;(t)6Lp0W*7;O#Ehd=5`Sr4`~wm{jxox_A1d|w
zh>qku1^cES_3Hca9fT(({Pz-GD&blCyL6)Yj!Kr*q-$w=x*sX$7xP$fgIAWjaj8<u
zTTgaV-X8?6`dx`Go&FPAywcZ}@Q0<m?@IV1%t~_Q(PBTA_(O#L0g3nRhY#@)i9br1
zp$jHV%l6k?{*bw!fl<`BD`Q;5iG{V~T2_eiw0QMpanAaI)J*Pcn4CKd*_jMa(w;Jw
zI)gDY*PJ_gv?T{{)x3B+Brb=Az5ZCE0P;N~*cd7TJh7jbL=Hc99l7O0DT2wVyP(Z|
zK4}wDxd4_&xNmZP?uOJZ@FrN76C!Jdn`=>1xl8M8=^d%RR8HV0IW(I3r;Nf;j<`iW
z$Xr~eo`3m^RB?1I@19cnhy<k)GE`-kmxc}1<je+ss~Kdf-R1lj@4DR8<vgUB{%Lgl
zF6UwMIbUIPIe*kooovG|nv1zvm$Q-A<aNwrx}3$51T1-d>i4`-!{?|E-!cbz(hb_4
z3;H`j6t2SgpK}kQF`kn|SOEmaL-Gy<)vso^evD>aO*Vze`4JGPRMS(sB!5`5Qabnh
z9wJrU<osQWVwJ1I+3g0snG5<*g0!qX&K`M}*_UKL6NlK{qla@A^dmHsmdN@bDYT?L
z&U#+8mAjm-KeIM~cR`@#2<Rk7+y+`cAyabn@EVzw1e$+MxJ;EfTFNh@)E`YcM&}cS
zvT7{&O_i!9En8f^SRvg}5{tl*ij;%3>f+bZ6)0M;3?50>xI$$^6Zrte%vd7M0loD3
zz4RG({iWvPBusrb{mEnMD<=t=Yqk(B?nY%#i!!|E57OgqqB{`P;YL-OsJ}_n6(;I0
zZd9#_nlDjfiAqn9emYn1EyWO!?m;vnC*1yU#14Ws5G0&pK{nCF9zt}vlze4{37Sig
zdu&a!REzv<n%%TW`i#@GP15VP^cZJ)?i)%KI8$=pbdCaNy!l>)rl)kQ<=ee@UMl(e
zFQJQ-*V)HkNc=!BF!HTk;uq)9t&({1JxaJ%UQU5ut@WpKDa$mMNv*Rw*KC2XJ`cjq
z3j_j|D8O9dfmx)RbPIuz-Xb(~+fD39v%V{=5iik3=Y0M@f#5dM2o*;?qMZxwzVCkQ
zn{POOpjqcGC}=>(*qxq8NjeT1hl#AbKhQtoK>yCq?-zNh4B}&xH|=rYdSQX^=$EV)
zPMIl~;@YaNHK+YT>i)&ch3`RGQ*X2W_negJ6qIW12SU(4Q_K@SUD%Ta!JNG1*aCC^
zn5dEFe1n44yz>nbT|Pa&K#n(<SzOC)!&b8Bv(2}fB-ryO8H>K`We|VJax1BY?>Cgl
z$>Y}@CCG&A_V{7ASlkvAj6#1GltOE_h!2=JtkbN?R_RsP+!oj#YlS&EQBEZv#Hj%{
z1_vX$N&xs4D;1KjoT|#{pdufdckqFZqdD9O-QGZRFQI_01hkpOy;|w!5g)ZO3f2sf
z)MI+Yg`818gh2e<YEIRhyKmK*N(t5Wgg^tuOYR^EoeMGOQ@~3klW9j~Ub+#aBkD<_
z_H%(hk#I#jQ!0FhlbU#NvK@kR%KTWmw9oCtHFr$%$+Iw6^^Qv3c2<nvy1?V_<8B#y
z0qgS$Apbxh|IwqBoK}XFU*HJUIOleW&w1+mibJKMw@vR_S@aw^q(o;WeI!hu!aPwk
zP+*PEVLvuibY$3G?aTlGtyV8J*>($Q*5%4`E^;IL6ZwKf?#_!GX^Q?A;Y?<-I}V&6
z;Z#&8P#kDEjCzs#4pNCH`;E}_=`tv=XwWT~y`&<}iJ(c6tKB5`OA?V%i%unp)7QkF
z>&8BijU6MgTUp;BZ>1aiu*8bNW6|XjyMkD436dN_67Xy!TpK!UuW+tsG@$a$!AB*Z
z?yASBSZ8YV6f&)A(M<PvnVhj+j=y+0LI*Vm<yIUPw@3EL&h(@kk^erE{~y`>{mCzW
zrFjR}{{W3C|KNI0o{;?_vU|L4^z}V(t=1?#SVy?9R=<jLM&Eob8~-WN+IfVw@Zh=r
z<z{_OT=~VuqOOKG5Pg>&QJ?ebA15trcEmUXPgZSkLOA{(xXqWuj>qp<M3L+wJ_1wx
z{SaO3*}Ktc?S%AP@ve_wkvyj~@i8kV_VQ%&l3M75(Ebrso6$^%Vu5?XeNf7nhu!{{
ze)~LcoVmzL)cCnXi%8^-2aK!Z(UeU|Gw#X!!5b&g3m>Wk6T$1J8%e?azsZGybvXIh
zl93?eJayO?3Q}%7*%}EvzRNl4bJ?U0PSgL8t@{ljrxHjCZ<kLhD_;3qO=Z*d*zR+}
zTE^8m+wX&jmc38?d2lmvDx_8BER|r+L;rmI0OG6G;MNrg%Uu;Fr8o<S+*#BMrs>@<
zoS_FkA&IjKVn=%Xkl>Em#nTcaCl$m$`f$mIoL_IX^r`_aHq5yL@}?Sn+9a|b^_*a0
z{Kt+`MFUslPUm$AwH>L^lDQmfwtGK+wH&-NowHqd&|a44SUSJPK#YB}uH~KBpsF=<
zrv(-jAI=u;@#4Ty{mM*T_2FKV%pQZkS*H-5ZRw3o)4D{tZXr8<BM$9#(-Jq<;ePUA
z>IR?DjQY97e6M9g>`3D$@>KK!j+b-GSv!++N5uVPiKaKMRI9<3+Q#3d^erB}@~^!s
z7aV3eKV|`(tA|ZdEHg`6|JvjgPrFMOl_5r+JBddq@osOu?;Xp&gvBS((4+Q{U{t*6
zotNv;R#IVEZenpqlx<Qhq4|ZvlPEzH$Kwp8bD~1&-Mt^ZJ^QJS)pAv$@Qu(Z&@9_<
zXn)n8ymp_!U_9ioc(;$C+w47)*}|(*pll>v8oOkXVE&xcA&0l6cwY_PgTD&z-xDc#
z{|D5Fa>ZR%#4TZsyJ|<~4k){A|MgzcpG42_JEzH*p^mu_!kH?dXd=K}d};c<sK?K_
zW6bOi$yVxYAc{m#-dV+KI5o9zi88P>%RWU2FF&F?i-HU)T(+Io^|?;`&!vu??UdWA
z(^8a>Q-u(TrKK)^hb}elJ2`&yeAz5}kDy)Z$hnTFpMvvvgNpQ=I$rBiR~LDxbUD{~
zs1O|y9K;3L#pw%CdC(>1wsQ<h5Yz~fJZ*0p{(BEtB0j`_Z~8b=8b9re(<eS}<mmzX
zlhAL6AK<@tpg-S!`<v{i?gM`Q`dvS3PNy|S%Di>+(-f#XnQnD>O&|9YnrZ*`HT#{A
zz_QjP_tkyTey8E$&H7+OEMrodX!z3hZgrJ^nc-`psq5%OUCy!}D^Y;?`7KW$v(gFE
z8~yx$vES(;A@G;)cT$YJ{Z7vc5(jK~l8dxIx8=zzKbjodSdXRdjBu*>NR+t|cQnC-
zGyI;v8@{zLzr7~v!}aVX=UDhgYz#U|l7{}P9GI1Nx>}N$-6%~SJIb<GTlOmpO38rv
z$GHPehIs6^!=X{Gl&Ph+-!#Y>djiILS-7f^M+jk48W^*RqcJ!lYSlD5+7|&-U+N%j
zdM`%n{&m}>n64E7chTM2N*<}guxu6P5;CK&!ao52OQGfe0{`a(=6+Qu<6Ek5o2deA
zuT_`}{)3%ck3SIqvi<Qd1OKuw#NV6GFvQK-Ue3fmZz9tiEF}O}0M3f++f-c;KTVcA
zB`j|}`!HIAF;=n~epDChEPo|$y&KHsus6JQM6u<p4(BMDlFAgub+vxU`PW!N+@1Ol
zN!43+gr4JM^n&=e+;hd536<z(_r)r`oPW|C;L7-AR>j5`yQR4aNrcy@I#fghW8PJf
zMPI-@$T^Y%qt%-cLa}+MS%DkS+Ao`so7~(oMg;O6XP-qcJqi+M@hA0`Uy%CRywsCP
zomoXpr^GyflysFe=PY8<uOacAFpz}5l)m<hp$qEmW$HU>rSAO)B+HK5&Os!XsoVmp
zEgo41hvclmK+9qwL+aTzBz8{6R?0eOiMYP3#PS8Vjg?Jk@5IVnzYFZ=Q-9>TZ_5;D
z7?^~s-;Qs!lHV%_P4RxH6e1_TcQl{R0R;Q5R=byZ-yeCSuz6Bg^>H$%?2R2>ugC18
z*ofO_ms15@vO`YRS^X+<ik_C0NBg%wtNv00kx5&m5~3|FiOsN*hunER#On_lO1$Sz
zhm6jf2E&;|$v8P%uu2|srKHrk50DC;`zx+g&XbZd_3UCnc=@qPDQR#a(9`lMuFrch
z<q6`Yw0`=Vf_?IkK>}-Vw$!tv)GJM?A2$k_x|{)8>i4$sDYa5k<ybrYlRDTVCvU_a
zAnhBPSZ^=AKwQ%96|G<G5;Fc>g%U2!dobA5(_l33$RN#oINuCLPm<P|v`28eL7O+@
z*X9kO5x@-J$ZuE9=l3}mhnbyK?})!gOP;3~_d1h6iO*U-O~ZDOh!zKi^E|JV^MI6d
zxe{vO!@Q$y6+7pd???ESjpwy|YQv{4@R_z3`fYNCL%&d>w>LH@8^I0&iP;D5vLUgU
zDC~*F^>U2H`?hROcHSlm^2unFN4y%aG4?8=a^bo0lW|N)BJJ=)<^nMKw@?K{S9uU3
zxlW76N%Uz%r%#|&&G<)(@q~~f^9JoaWG3x=Jdg}`wMjcS88RJ8lmI+lD3knNA3g=q
z1KauL(X{hi&I7(U*TKyh77;eEj?bP2T(e@v2?b7gl$b|u3`U*3$I!6Jntu|CX~fB8
zcFIUopS)V!c)FamCfRM0tj&JCKGob;<lO?lof9WrA!)mt*pYzU;z5()Vlspz2h;XS
zFRk?W#UxIAQWXDPgl!vKMuba_^HY=O+ggY)vz5B7P>Y%DWi^d}+v?5ar@pRzE1LT6
zRZL5An`$t0%^WUdJ7}?x?YdfdAE@tG(YHE>n_y%#_k*G{;?GOlZ*@+Q@RYeNGQfNC
zpQ12G%=@I`m)1=+SkB?g6)d#b<m|z7O^qF{41Z4ozfb#1w%>k(aay<codTJoaoTyR
zM`WtVSr$3IO8>Ri<qu5k6cYsyo;c9i{-?|XoRpMQ&Rc#-4uMiqB_$<#%45eYxG`Hm
zvSv-}go4aHS^Xt7dNQsV)1z{2YnU~LPmY#;eZwWr2fWa$tkmc$-BlIt`!bPNJFoBp
z6U&BymAu+4P`oCtLw@H!!5A8W61a-0ybbHP*ns^{BQeON#Ha(su-)SV_B%f!m&(@B
zjbVFX6A5EwQL(6imvg0*n!KS=p>S`h?>*<0QRv_H9vKx*_Od2g$riT%IahLX9gA$_
zJyo+Vlo+}2bg$(74S9t;KPO{2`H-M0{jm>8L%yYA;K18kM*a9W5o*ql!8_^hu8NQK
ze0T8Iqk^1Su?Ee29`+H^%ASYvyw(d)f;+wm2TaF!lX;AxS?xQre@kR26`a&fc6&4%
zgW58G&dFvOe;1UX+hO01oh6`ZQ7n36tnc00Q>I4h&*_g|{6`FeU!-4p@om^TzAFCT
zM|^es%b171D*rlk)~||RdiYnzuVTIDtMV@&^wsg3;r*}5?=XgbRs43wlCO$?2g&qR
z@!jA2>i9R{wlB?}y!BH=Khd>c*uIA+&$F!5q~V;>wStpR<ltgSXZQ;KApR2K*-7)I
z@zaT)@@4VIB=3;P6-i=wNhC<L>HX&`!cU~v{+_y5`dMBU`235~gWoWKv!Chn_{n^3
zml>w2cBtVX*`F!Tp_wtJ-=IQ-s)qz;oMC6I_P6_rj470rqh|Oa%E3|?3f4sm!|3U*
zLdULdKhu0q-bt`0VTEpjKlqe^4~rC^$4C1MXZg_!N&dy{ad7h1qW>Y@|E2MBI;AV8
zm;T-D-*Y;p>!zQ~eM?tOKb-rPu9?0&_bpu^-JJWDu9=SIzNIUsr{=z;YosUUzNIUq
z!?|x^{q(Thx3GFTnEMviP7lg`OIJ=8<-VosrayWjTOVQd^gHgi{gkqHc79?%rKHXK
zR#N7DE9tV|))()e#;=)L!n2)Yp{BN#;ny!opXCQ(wU=EjfeF;cY7E_1l_HEwI!F5j
zQq(?CBsv+I<nw^^f7SGu_C~YO)Fj;BK4RAQxGJ;oOk{lLXohYknmK*ZjrTim1IZg(
z^5TvCOuat*$+2Z4#t!DR$ZJnYPQv7Ju<C}ET*Mg{=<L{LuDd2y=9}QRCk)0<S4Lbb
zIibWp2Vdi&KCN|T<D}^u%Fmc<>|OS5SKVjj;B4pm;X(s{=jbxQwR5!0Hr)BqlDTGU
za@Csj1X9s|CL||ut>h<a6X3{3zoJgR2P=RX44uw=>^63ehGAuSleBYl3Yy=6MHod#
z2zK^P3<PV^JI_F;lfUeIB|m-B{^?Z(N-xwb+4OG3N|Iv-jTl>UT^ZEyLqYqTLA9;J
z`go>{64`UvBv^6nUa|9S0He9TmmICrg3QWX`H*)^XkuzqFK5C{?dOwSua^CxToUN=
z8>+0FtAA8r-cV7KZ&Xlm$K@ex3|b}(rN2w^+t+zq<{Zfp&b_D80(BnEbA>~1&t5IY
z(a&vglVzJ(iM_MIDsbzaQkzvzPv%D)-up+B!DSE3#UeWYf}dXX)1S@!>0~TJVmU41
z6f?HkKm8Nt-|Cv9Y~_4F12f@^*zX3Kn*f5!WF;~_XB-6P7#?#dj};iRPPSFo!Mz<}
z1jhl(VBe=PU5y9|3twbQSEO)}M|CU;&KEQlgK21?{u~-r7_HxRrU@?g_H-lEbRLx!
z_UO$qlD-9Hcs%?cpHF$*|K0hN{(O6^Io=`Hq?Y|uDcD0Cmw#YXiz{uCV>!oejGz09
zZ!PEp+3bEU{W|e*=DTx@N~gSNNCJJaAF9P2i7{upXu_=TO9A_t#mq46Oz)v3TiQB`
zf~#1q_uasw&rlwPvw0NV&!g|dJo*ji(f=YI{?m92c#y|IZ}B*I5|82&c^o2-f#2Z~
zc$!B^F^@xM@Hp&R9*0-*7}U+<h~Mxy@(vzH4dzighR4x2^Z155j_Jc=@LnFrKE~sl
zi+CIt<x#ej$MJC<Cp^#N#4~vW=kxehCy$d_d3<{zk8(k%;xZm5AI9U9KkyhbfXAu*
zd3;B5d{=5z`3{e&TX>wdlgH4vc?=U8e6Nki=~DAE=JFW+T^`lbc$_JTN4(5qq$H{N
z8IQB3@;LkVJZg9F2vzYIwSdQH0T3?YQTGIoG5^71?06p5)jT3$9^>xian3_Lq8Ib1
zZ{%^V<T&qB9^<77=S#WY7lKXrC69?u^0>g^ap7G&CLPIRaz7pywea{sfXBtJ@wh}P
zed#qkE|bs8FF0@)cc59CKQQmELglMYmQ$DWmUxT9ABVAtX(IFP)78?DP|hP@iWnuC
zBI=E!S1SL}OQ$$p;wzE*r+8eegAmRyGO-#yQN&oYZYs%ITH~i;Wfg{0Nto@wOo1cQ
zm;yg=w`(?V7F01yYIBwh)$v8_j0=3f&e{}IB_z`zGC6mU6#GKZ8FR2OdQI<-u#BWy
zrh*Tqi{&0j)_r~?DLMa$1Pcz&L38R2gmQCW<aviEnE8?_>-s?MZ=2i?5N@S@ovrSo
z<A9|8b5`<M>156~Wv<J}A$M$FtEn#-Wc<d4OVR+YcEn6JaKt~`xHX(lq~4S5><|o6
z&mKgBIDf~+N$QhHO>KUXhxNUcTALCBM_S3ixrH>=oMmGr_d`I!1LQ>@I8&+5@AL9c
zGWl0Y_`<yKvk4E(yP$W`%LMA8DV6^-f%)T`IK0%x&LADieJ-V#aAuQq_mckc^+aUv
zGI4$^rJ=WzExtkq_gtK;0;D6vXZb;ws%6P!&g_zhsK<<R?Om=r1Lvb&_FbvC__qcZ
zJWQ+^sT#EruS0Hbaz14yo_M#9UX#Qk!xAZvaMl?AffZ2wbyqj2!OXv4J+-{}QiTB;
zqkuiloOdiN{(n54;9v27b>8v+FrLhul0V+4{*#<t>WDU5<165RsKGTw@^eIu92X_`
z){ZW{*y>vZInl?wFL;vyr?#M`P||K-%4Ei$IbD)#eh;Ke^cJZD+Gh{^M!d`1@yE5l
z(T?I=W@Cgw6)bg@Vkr+}x+)M;EEiMW+CzUaHkykV)Y<dC9-?C}5>t%m_~NT|4?zf;
z!Ok={V4VakbN-u8_`2i@dIopY-ZM%#5sdNYJXPTrJuL_ZZkbf13Ag?bMjuErx2>HE
zNd|zI2#>HnKXSpzd6CrugHwfqH<IKr$(p}s=NK>cCSq@w*fDu|KO5raoki?)iM=8(
zb`!CLPu61Z4mN?Y>A15<<h(yXkv-Fm6)A0E@0HlK#0pJBggP@&0ss^sDWc(tydrL-
z2uXIgB%5uLIa4&*izM^tbOFg&a>A{YBmQo=9Wu%0XSr#miZDPwNggg*;YynYr8KWc
zxMN-LF9V(nti=Pb4}`BzJ*j6|I~%oCYi5`d54ty(^X*fhjJ=Kv@sc%@BzkZ##9=ku
z7m;{7z$xcvC$^j&;!w5PywV;g5BwnheMOYwJZ_+u8tCPD&|63;)qX>&-D;A(f4NqB
zOkT3fNJjau5hH$Un@Rn28IMI%N#snYixB%Xu?ud>%T-RU%;AQ=xraI!nbTW9Ys6-a
zOI=bUW=`iwN<{3xbxvyJS<V1c{I#a|U*!SXbTY-0e5+y0@g~LNc`2Ti6rBG{%sHuv
zH7<59kU|P}UX*@dN{`=6x`Cv_j{cqp!MTb2m`&O39cX@(9*zH6G)W(fr0x%v$avx&
zX%4h9$XZlOSf-wN#YkMar$A$=|7G~62~|++7tOp6!b~##?Exb4odV6_zMVd&Kcz;i
zGlAyQDbh+^#d%WLQ>Bue87${~bQq?(902g^ZVz2Xmw#7K;nWQuIcrUlktRt#)gF~3
z0Q|d2@ePw=5Qur)d@CuYv6>iYc~;P7|KFuFVg3mIBU4O|^Ne7ata*h5;`w<c+~z?E
zk%oTXpPi^JJ9H*i^EZ-ZNpYEwB1)G^cN04<S-eXGU;2I)$bgt2Da<S#rkjLbhuL1v
zD$hy`zn&c!|G#{oa|P%gI41p{0M+rSns~@8%b^M-6nJX8^DuBQO@rElR8hU~Zsb`M
zzi`gG1+@%U-%$eCy$11Jmq36E^6;1{c)Ueq4v*E6W?WvHTGC{)_f6LPUE;%e@nsT^
zN0+f**ZfN2Yx3d?q>TSSnu}d6S@Uy=ugZ(x%)C0yDoyXHGN{OYs9W}aEUCk^Np_y7
z>#t-#O|oy#6K#Kx?6YO}%op1OI0C%1Aa)jOJ6Ik#y~U{{1I7;w^QB5iGzTY2BY&}e
zFbY(r%@t$HI`Wyth|<`)%;UMq8udzr&*<Ir=JDN(hD|g?LFz)-x9Ci3&l>CaRg9m3
zd1HNnd6T%HBfvSOB^)K`w+5^tq|h3$oRCuURm5wVdF{(<xq0o!Yo&SZ&+Bkr)!Ld@
zU-%PXa!Bp){KQ&BpB$t@US0T7lv}D4Rgx=8F#9}wgFkqaR=^%*&<6;qsh^hLzPZ$m
zo>XYcmJ|3iUh*GBcD|rjHof~@+j_<{PF<>Po#|8k!tN%d-SM}M_1WF+J4@T065<M5
z$M!M$hNTHClY$T4N{BRXrLAKN&0AS3S9)k{dFxoL!lc^?ft*T!^=}<3ljmk>t^z68
zAaF*u{F#LczE2K;Ge9S={F$_dpxDn80RpB72L#+=LBK@?1Ppo}0xmF9zM8gGwH8hH
zLvNCfTj*gYsnO{|28czsaUh)Y!*984$Z2)I2KA~Pre7U>ksKUXLWtb0Q1aWHu$dhc
zNy+*npz>#1lFx-|v3^_W^vi;#za%~@i9aI3P(W%&kxAT%0wd8=68jr{@lTWKi<|RC
z<|8O6bGO0AmdNFKkv%8UQN{2@ytf`}cCVq=bK1%6845~`VXgbKsvV(4xN~#pNq0Ea
zSTb!c$7J*X%AI`R*>Q@LbaHlnfPkKOtcdJhFBPMZ&*>{QPkd4m3#PC_aXRviuaf2p
zM5sd2G+RJR(!}4$xtdh9Rc>&W6XEfPWDiv@omFNETGSWvDu~pm%_A@4JUiez_bMdW
z0RXfYC@4GGNh~YDl^=U7DZ<sC1zOOTDAe<HGrlGH^2^Z2J+u2$ybdp5*@F|ialNqY
zVL|5&0JUsD2`=VrVe}K(WHn!&E<bZBW8#zJW()|YuG_q@j0i@5KMN)^@plg{80xM2
z(xTvf`3bC=R#DelPGbz$6f6*vpV#831bQ52U#RPRkCfr+PiC&mAMXL;+vt3QC~i{s
z`(#r?W!U~ut#TedvOmCVx?bS-IMWpV*6}pt9B7g6H!*inFG@%HB>2%CS3d6#{V@f8
zsXz1twfa`Ac#d%$#OY71C@auPj;bl>Y!2Rr)*ydk!niFn*lO5|?6QxvZ+oVdnD(CI
zQX>ybY(7SAc&b{(Id)Y&b3SHtLU66(TH?;WTQ4|4KG``HX()Kwl#)3v%Z~uF8s5jb
z*$*hozP87=0%%psIrVui83OZ`$KUAa+xOlR3K}~4{&2<#Ah{-_clnt5hV50SG~X>q
zTK6Tx&8?|o@s3DzH-y@I`iBNAuftPsG=X8eGt8Yqz5NHgRLiEGRPovNzN((~ef<Z#
z$oFpheVq4Buj+39xPN%Siom=TRm)T3;LpXr)|(&rWdp!LsF!NAwm$IVhJtu&m_t9>
zC^ekCE%+F}xGrL`d4{*-Gr=eMNnc2<84sVlTj(?@RXosYSRH~hf4pW+Q&Ur@{gdN3
zI<L&PvVCv=aK-wNy*AYTwm(#{HeB)gnAG5YR>KObVd8DAk%s5P_6F<6D<qd@dW$pn
z(q&=a>mXb4y8S%aDxMEjY^ZP8Fs>nbe`{T8@M%77G})l3x0F~_D*@s{`0A`7Bx==4
ztKr4G)Pkw+eIZQ6>)>y&d_G+9rq!_9YKT7BYPD}Em0b3#;%?dgo}gEX-{XK6Ii@}W
z#P%)zNPDK#UJ)JedPGjse?9`v7D09PhRA>omOW_M13!ew_ON9STqM86%N{tt0gL(I
zWe>mvdbMqhGF9_4v_W9r6VfL32ejOaiMN`<slfx9_WF)qvu91>tz*Jf>#>S+{td?y
z3NCMzgsWb+sy=|Akp@8qWIs@R@eQTmn<+q!=mkrAg*AXcssaMPknl9&Z{dDw4It2@
zzxIIifq8R<B{a`Z8uTow{^*HyRU4{Sa1!I1^s$JrEWb0XNC(TVm&i1~EZO&u-<Q4A
zfo9Ra=j?5hN;W(CZmPXY-<x>OFTm;?ljYemS^w$m&kUp>v{0T_>b#Qny?xcQ;yl0U
zA7fI*EkqU6H>?=NMb86$V;BGiqUmg=P2MVr4p>FNpn*K10}J_zK%eM<<>Tz4_6R=l
z;p)Y+p9v*CDGoHBK;PwUpgCTKw}WE8Kwua=vg<|ouwZysZ+%%-{+(<=A*i$ObLSg5
zARA9nDT#FJ*-{F9I{O!EHRPEdrbC|@?>qZr^P_(9Odq2WO}ui)lSl{Alh0=*k2~l(
z{MJx9Y<pQ?-oC)R=d{yS^#tba^*-9S((pYNem3o0C2$UwI+Ln>t3Ml2x_<<Hha5g@
zXvneb5G91V`6YA}Kc&{3eJZ0`W`Y+MFqzim@VW@E?L52y{90h%odz$|!nNLqXqN(S
zy_}>On71Yu4q9$F#~bB^oAL##<t|o&P6^-Zkh+0+41*zZXjxt*hn~OL(u(2~*@-p=
zUw2Vjo2hS;pyeeMk=(wOLiSo!EH0g2W(_@`>YrcEZ#Tb{Ru#SL{NYr;Q5vD8#8h97
z`I;M=FAakW{9G9Ww0+7WoL-e^uLQqU@DztK?GDVFX9&?9nD>GA(f%HUpnzA=J*9!N
zsiYfw5z;_;5nxFUA;mhE6q{XANQ0FU-mR4gm1za4KMu6~#9%vG>@}>vviQoNCmW)?
zes>X=bLW8I-;BkNci}kG?*`C+CGEvaOvl5!t3<CW8|`<hn5CjQY)lpfqp1m%sX^ND
zjOTm9nrLe9sz|ahlE{F{XfCW8UCwVQzm@!!@jIN~^5ik$)H%I%oI-c|U6fjHvrx!g
zkc@hfWHCj(7?`(A=o6TyZI(}sWRa1cLyLBa^bE{<U*wldU52#4JX?t_@gi-97QLX-
z)h?3zA(1G1%i_P~Y~->?!YK<S(!TgFQ=|8(@WnrkOCut_HIa(7QVF{c_~LFg%Fi!u
ztD~eo911&%KB4r<+B;4EO~0%&XXdG<qq`@@@g2I5qhurYO0zDD(pbyX@B2Q6?db#f
zvJT=gxi6oS2S$_UA<j3Kgp=PEp&Svm7_gXl<n)%3$bc6mJt^KM>g|%y>Q6)XY4(~V
zwS{i{!9ZX(C)sM5E^aAx!w-oJJ+yx4&t<~N3~z}<Gx6KvXULMmi`}sPeAEUAtWRB3
zCZHk;Zb@`Ndt~TE{>acsDGGW^KMWErI|8?t!7BCk>$IQp`DYP(xs@EI<c|!k3e4-U
zh7S8ohCH0lBh1XCQ&IwJwy)5#y^;1E1Ti*ADw>o@2(ddzB?3WGXpD5ic^tVr@-u1I
z$k6K%R3nua0`utWnUZnxN&b49{<eXFN~I7DB`@zC=L++XxqfJ<Bs$bEQq=A~cWBWL
z$r!O;PzG9xR{Vk~Bm!29lHd-O(krP;@kU9kC=M-tMVLzg@QYKDl{BM#Wa#;2!o)-Q
z)S9=+oD_UCL~Ge20?G>^H_$t+B+7s)3Efb-JTPymHIxul7nWxs5CVj#-DXIq72Od@
zv;%=+c7ii0fJpm_=-VAlqH-wI9$FvjER`mR4kgs!Mxx$xhYri5f=2?<(%d~#dyf+Q
zYC8!9G!rEewo6Ln*#1DvZiJ3(FQHd;V1szCU&QwzoB^e2J!Ol)yj_u@BWS-}1_5Lp
zC>eREp-P}Pr7nWM1_3=V@55-)^lL)vhvH5n-CU{jqL*KTlsvn={2FBF0WH83S_J0p
zsULa{MBq~aAdoZgp$MG~!j4if{HF;N9fT4)vxm5xf%}hAdWh0c67%0_4IQG~p}CYU
zLzF{AnftMDt=!dwZs-K&ZKBR1-w39QA^Y(>^_n;rj_4;`m`7M87tSEkA<Y|@r>Z))
z5NS)D1Iy%rY^NlbYjWX$<gOqo>T@950ojgTnG~#Cl~37BSQkc^P$^x?1;witg)-%r
z8XzP9%~%R!cR?L&G^&4){y78B#S9h2OX`q>p8k1E7IWaAp%^aBRm<^GR3&9ksP(i^
z>o|l~mp|0{ef~!khgyGuhs_>oj!^5h*jHeME@??(f6<2^%rFF{i5=HpmG_;*ris0_
zA3*~&XdAKLKUmICX-|tZB6i$C1RbJ5qDX8jp|Ak^ky^h$P*$hqDj=*sGHR+6{FWyL
zk@tq%k#EYb=-$e0KIKC+Zq9cxJ$I+b!5z?Gw?>K5EvOo<*C2FlxL*5>g89f5e7jV0
z&l@OL2o&wLq!S6Pokk(P8ki^AhIHUpB%7v`z6Wp`oLmTN&Be$dLP1gN9w!0;01<nm
zbPW*!+BJ;00oX=~g&#B_un1b_!faDH2u!%ah{C084N}=BGY+-EWu>7a>G7kc0T@Uc
zX{bQ<lZFaG(i;fKIv{+BG!#i_pmhidR1yLa(JYcsMIhkl+2mJYCdi2R7kb#AiR=?@
z67KgzAn8GlK?yNPYOe(~x1oYkRz=~5Un&Y!4k;$cp@UUk09cM4a^;`~DQWUJ0%1iF
zo*dNdA7$mB(uKsrts=&Z>=y~CV3Y^I-0&J;Oxwc;3I~aN1I^E;!hva42pE-kn&4H*
z8ySk=lSB#<360DgIz-t@nM1e?5lF0-gsdBigfxY<YevOir?!yXh(QsHB20b>?Tsi@
zA)@V@3l~vn<e4Y8O!|CLC?Wfa!Ys%GM4<`)yeQ0qYzKeT3eiF4Dq^<EDpw2=$;|42
z2?bJ6W?zdDt|~(nR(>U1Nhwm&m8#NMMx?f>I3<e<R;8(^T~#UyiHHo%6NTw+To|(R
zZR~^gYwjWJGS@EIy*OamBZGmKl_H(EP-7SN2)1rTQE^&i!MtV7tckfL3*-xDzp@?q
zt*YJi$sxgdrmx)hfS*cLo7e%FJQr3@>}zZkn0w<pLy0bIm`mBAyR3w3P^0!KQTsao
z?0Gs@F7f1J=yF`s6f{mhVSA^SLvlM?*~r8hvdnBaMX`<<=x9HXW<AS&K2l!jv_VC!
z`DJd){BwTy9?XNkWB*RQ{Zi<{db>k3YVVYql9t`cqb+e)jAFmGVn4(U^GD&-xZWyJ
zj(nLRS$bIwYsCZ8_W`TQfq8vGrxkrS)EYjO`YrRd_K8-%5IePHL!8ZZ?{klgXZnoV
z#X;SVMb`~xo)Nm>%Nmqlo&MORm<ezX&#Sy=@61D@LekUo27T9RSfWUDgM_{MG)A1L
zi$RHC@E0(6?F%q?;zO2E1%m~-_DhXgHFCg=YTTH`dY2mYoE|*6i2IAqz@}&SPmTKh
z$i6cwtmIK*&Z_?4=(atp5}R}D9RW#NsYx^KqQ@^<L&C(iNmj!el3VssUJhe#;o6NA
zG}X_%`Z3Hcu4D36y*w1Sb8)0%c@^@sXfbGZ)K@PL+}U1Vv0MUVnich}uI`-uLTW6l
zXDh5!c(FfzaOPVEE~Ye2)vW@>m9>F8JFJS8;+SvQ<9l#gjc@tT8*f9C61{;eztiH~
zf!o`#st8k}+1RV_DEYL#tB6TJS;+3?s|UNBY!yVNZS5aT-G62ighFdD<wlc7)!8pc
zuvA9vccb=N&i`;Y0rT}};PEXH_UO02TgE6DY2R7K#H*~Hi#-?(%IbZ)>V4ayzIUng
zQo8Ru^}e?(Uk1#VAs==`B<^|Q+N*XDyQ1E=(keu)ymOglmlDbCA^s58X95YGFk)|~
z)OA`SrAN5%Pl~eNl~N<^@01a<!YwuG1NiHKJC}&a^=+)$Q19Eq7q9ic)zShK$6oSR
zXp(55<(H7CZTSg_CMR)h)>^4)gzb3t%hYALlqq$pw_ij;<(DZm$gio^#;psqjQZY|
z>QONvtS=)URXenvlTrSpqLWKZO-sLynwGjXEj2YQ`+90x=GL^#)U^ETsA;)d({fW&
z7FfQHHm!7PT4`!J{OhRcaJQzzO-*aRo|@LWHLW!@wZ4v;T5e4(Q`7NZPff?WH63qi
zI{E9U>14O2lTA&hd_6Ut;?{JEsp*wpM@_Fp?p}#WZ@Sjl$JL0e3Z;>~>+9`*i_CRp
z@A7*4RaPp#RQ9H$zO@2E1UoWb1iQ-K#pc7v-o+w&S6hXXrz3Z#bA)=M)HvcxTZyiw
zI{U3i`*uc}wG44G(jeQ@V6fR8X(ILxGrqkmBhBip)ZZTQtv4f0#P>$k2585Zz9Q#&
zt=bVS9N$=<DjqC_MeXs8R>Enb&}j9#K+8ic<FMA;!%E1fvUD7g(bu;x>SKMisG>8`
z+dpvoH;QE7#v3Ob>^9?eq5X*r*%$)Z>uR?%WcQPioN+yxy5!7ShHZD=t>gA9GMcgP
zBWk}Q^^tl}gLFN|crk1;d`H^57`NYb$L*br+xzN$AJqG{L(yeW6sjFCibs8%!*^#p
zS0uZGomD6jcd2EUGsZ(%f1SO>kn;r@q8YHYNF`^NmSu{KP%JSF+-|WSK^Y;GQ4qFE
zi|Kd7w>@v{uJ^rsz}QWQ8N0Q%9351zwUx13T9L8)B{OzwZKYVDL$=rtyc!ujM91zO
zQbjX%8y!aKtAqEI+<_yNy|TpAmKDserMB7e+tilv`)jFfnOj>JL)y0dYpQKIvY{N=
zP)YIh<Cnws3r03<tG8cpWrMUWvf(u&8@{-0-$#lHh<w=~ZR^Sg)3&JRv@OEnN)}?S
ztc)gqCIjnI6i3!VYU}K6(&42CsTwNWEGi*tsLRdoNhfmEP=tfa&ASi>Id0}~FDPha
zj=qZ$zfA5KFC0I-KE>=tibO;VN2{-;XcZB|Sy1vsgm~bf_V%-UZ(6?fd)B2!c5;~6
z?azv?F5)3%@2wZ}=@M*7+|AdXDf9IAlVoi)Y}k}3K)t<%DlFmu1^(Y=qR4z2ApwO&
zo8BV5gLhYl-yZd0`Mgu6;BEE3r7SH+eJdn@kEoB;{1x;R={c#v#b~{Sem-Sl5<$IB
zZ1d5MJ%N@+R@@R@94Yd;)quC(#J&F9{7lTPg?%E`7$N$E0{4=6v0o)i%Zm8hdGkg3
zW!hn4AG#o%8X~LV?9{4n*kRnFxE+Jmz&Xmf6#q@mGBf)UIX~sXD$a}MJQB_q<E#>O
zZN%&5^yFyV&bm^AmI)wca?Uazq$ZFv2&#7Hh1Y1V8`vKW;IQ35wyW6x%ygE`5n|~)
z(EpEV8+!s<Kq3}gCnq{=mT9*mr`xqj+$uRGqB}}h4^B363lMXyaBz9-JUOfeUwXfW
zWsY*?I2VyJ&GUU=CC`+t)D?-I?{@ZQQIZRZ7#zslX)Yw1f%64Z!gdA=Nf>`kW`x*V
zb$v6jeY~JV@lyn^a={B`j|PVeHjEl<Ig?n}JQ|cs*!><}rSZX;n9R%JDRzaI(mHZV
zg_SI|I6CkLdS(M?9SiODqg&t4gxb(83IXNtiq1ksdbEqQ*&CeLTY2rDgnhB4al{t)
z909xp$nifx;ql_%P(8Eg#)EZpezR1!ApHq;!#saZ&S$LNBb%JW8!*uPJCY>F6ydhr
z(l%?T#VzSp!z%V=y&`$7#K_eJ@nhk@s-DcD?z}p&jg`+|_zU8F$rQ(nZi+8i$mY>x
zT@ik4v(MnzC4c+oLT26#tDNs}?VJRRN)38fA&Rdo>~jm;VayxeJls8}x*lv<6Mh$H
znSTi#-E+Gr+|<WP4iwu%ax8TZD8BZ2ydJ5W7qK_w?bl6CD#A8(x{$T~Ek$Sz{uTRr
zS;$~hF78uR%PN*7miw%R9hQBvUFfkXDAgJ-HD{4oqTZUEP?UK}`6HY>uZY#=S;HAa
z{dDiDwsVrh7TfKq#@ft5l#f}Wx+iw1y%>W-;GtKq>vH)@oI~oW+h?yf2NY!eKayjM
zQsaBU^Ag>4)Uen}jWoRsiw8V*7WRr2u_H5sUH(QTf}2>jrN8@;81bD@Wd7L@H&ZNl
z(<pKzQ9lZAzwU$fxB77-wGY!7^lDg%IeK|!4eo$BdE(q4!ltc%drzU(JMTOM`xV{%
z#-(nz{|op{XW_c=n6O1^jIU}#CgA!}xA~eHdkf<I5xCWvc$dAcVts1Vz{KMI_NxJ_
zyM13_XhbYnH2X4<EL)vRSlFh4&rZdAtKYnFc)grzhJmPJW7M~^YK{0apT+KAdo}K8
zg^4ZwaVTrwQdr-B1lj4c)^0s#z{vLMZSmLh1&ZP!uuE{BVOPXGd688c(pOQzTz%d8
znM-Nu1R?|*!6`MlzY3D}PYOfTZ`|~`^8%}OM;cz1y+Rj%yib=TaS;S>ux{BfYgi6G
z?lQ?bzrDJ>*F_%@P7MToOj|vXwNAKojIVlq{8hoyGx6p2=VOKR&Z9{E^y~?GD5dzY
zMs_CNKHGUw76E+ALWqE(_Rsp+i)r9c^((WE3Z>$+IPU7~P$06aeP6%o?!avy&{Qou
zX3eUT#GzDUZ}n%h$3#T7SPd^(4VZD4TNT}i(3L%Sl*4y}beOOzR@-|kw&5{Q$m?9a
znrcwDvR(CZ`g=vEudAiE@!KvW@kZZkArw6R?4(!`9k6Njs(3e2Z*qu2i>hC_>AZ-v
zHcU(D72EK9Az`Ru9T48Pe6L1R(f1ilGC)EObAT;Hhf&$pZ1<YAwu|9#?OWCWY>4A~
zxbQjt#(os^^mzEdk7s=g&S7%eRvs@X+|;>e3pHO%ymxl{$NlKYGs4Nsi|Xw4p^BAt
z!s<^6_R_c6b1y!HsZsuOQ^jqWgFN}yhE2F=B?v@q{H_<rchps{zo}BPgxIbgX;@iT
zv6d>WWVlCiu5|s%ERQaXPD+>EvHCEbKSYOZ94-Abv_R+)X;>Ai_@GM2x+>Fm+T5u9
zlG0(dBowMf?A4LATd;1f-DVBIIcYq_as~2h$Q2ZQy}C8Oe<K7Tcq5`6G1;&<nkq8V
zB{8xc(LOE}_Vr{2BDb``5{<}pX`sa3-uRB>xkWg&G@{{+A!~ay#nnTCVPa%kLHyh2
zq{9B5%)z;QN02!2G5I*wWX<*cUAb4iT6K#XyJuh8vZnETMI$)_czZ$RGl3UP4*ED+
zJ!s#xFU&kMlB(^oeC?L6JM&GK-pOh!S;?3+^IKLT&Cnx!wddLr7s<^!)WI+F>E*qQ
zf98~fTz_OegV88r@2T4D9Yp^!G}aMN*3T2$tq4Uhj+e?{KHRxsmke3tKrdwHwsy5p
z_1GdCz3$xeidx!a@F(RUyFGCGAHd(b51(k7YnkW(QTs!&@{*=J6_Q5OQ2BQC%Lv4b
zaHs`Z7BksFtchXkU&09Huxf%T*)LL9SHLg2gXHo%7pG-ygSUvRq?l~t^G%j^=PZdF
zaY?XDQj|yRYkDG`;l4uEg7~j3-z9Rp$1aXHLtnUwVT0Q~QiC?CuEHSf;|d9Ls)F;X
z4!eyfa8;ryhXZgEORbzfnV#r~`&X?h&p7JE{a_E&lFVx|oaE^J|3AMa``>u&?8cV1
z<iJ@)Eh`#-P9LY$8h=LT2LHx$IYAXth@t}v7Ap&~Z2fVhdRWiQ1=pS(NnPI)Nevrr
z`998kgZ_t4VzN3?-81vQkm2xO+Rw+er3dn#w;y%SI`^Or!;o`XpJrbw$_85EAW`Wo
zj%zNh>Zs^Y&11K4lQ`b%F`UjKBeBZ!#{<@m&6Rd*Ww5fUUkfyk1rWU;c8GH-=b9nv
z^nR4&RYjrBI&~gr#ki4Hnm{F&S#G~Yn_FBEKLMTMpq|X(S$#@6l-uuj_!8Xqz9SX)
zg+|1S0(Y=`miE4mQL1V~%Z>=V5olF^V&Ma%abfXd1XVS&sN%)7fqOd%=%~Uwxp=WP
zqPRnr5m0(8-zU|}ZdxUXv}}l`g4!X*rHW68#S+W<WLU&%qL=~+;V31m(8nRAcqj($
zUBU_)t9-aWZV=shOek4bBw9nqjjvTZH@&0>^*YD0goQeBv>=yRh#Zq4+OL6J=ZHu+
zQ2rk<W>Ak0(@UVbM-OimkV7rhLAwh*SqNY1{Daw4OWT5jK=%4W0aI$Pa;G%HS9mVB
z;n?U5ku|mIw*$@MjTo(dH+GmFDZJH5utq8OTP%xDLirDIQnPRaLOsxWGcP*T64krd
zQ@vj`s`o%oK6`q%->7(T8icW&<JINV%748>Rb|fwhr?Bag5bv$u!5kyN@iVN{VZ04
zKy#OpNU-71-naEqZ^0n*7txP|-#C6&W(dM^;p9n4=9-T$r5BYsR~ZeRA@fHJ8rf-G
z4n7mBO-_pr!Hvi3^(1dfqdWwWQO=g{mq+*r-&i?w*|}L0#Qzf7^M=6AJgDRKSK~8_
zS(%o1gefnSD{rVNPgYXBsi(A)^B1GiJ70>whtCJ5qR+Yb<iW|8cg*v?sDCf6Sgief
zjp^Tm=-<rLoc{tT0Oj@X|8Mzsel9=vb+tw8*VyE7VV>$PdhKu#DP?l%O^I_)H|N<@
zZ|B};n6AG1(?Ih$UP8%hibPVJF1_b-l7g%vDYEmv&&i1piW3@7;~5cjAC{o^7c|G4
z?1y=JVV<1Ha5RI+nb@&?bZ!v1;}&{=nIDY&z;u(2__$OZiXx}3y<2EDBsC79e@ArY
zw=Gf#??=oqR16Z#Y|5>~4!<+xEv7R-e+_Ygk?8UMA-l*3SD{219b}DD3N>hj;bFTw
zH^RB+3CKKR`A!dqj`TESh>m+gM@CC$A(^Egcf=o!;xAj0{;RZ!z?RtGWn+_a$!}Tu
zK4SCvB{WH{^VVzbaq3E4xR1VOPOQhDc;F0~cjOJb+}D7+wIYsuab5y3=_+Ty2kfHb
z^a9w6>rq6vOck~8EJ#hCm1sLV5MkogZ^U&7@f&Dp^b`8z78ke9_%GDcSIlV*tUK>)
z*>U|@>FY=beVK=2`x146Z34`a_Z20!1lqUskwyF+%)mB>5=#-wOvVNjeZX)LXg-sS
z`0h4O5RM8gI#SRrT_k(^oX0n5pZ^QTdS>N=Rz}3som56@%dwn!tzb|+J&Wo~vd#MT
zSAk~G%^Yv^LT8EgV<5*LW0YXy#Z)M9`(Gs?IhtjnIy$gu;<uQtf)7^$pP<MHD!Tsw
z_GILxS5_*0k&BGbmDE8ta}ASU(Z4YGu>Hch$15z*G6IH3jPN0QvB2nsZJPouKPAw4
zU#Fi^K(qMFrw`>p`)zU>w;PtBWXwEVtINZq2ixP)4&QQ!^{LQ5&@zT>orOHio%bf9
z<w4T8p-=OgmFJ-gpKb!zh`mo|j*H}o1yvX3Y%hb+I5aF+vfo)urG(0r;&Pd?FncnC
zzH2X@kIx~86RzQwa9(iVNgjl0u_!gCci+B!dsZL6{9A0NYKo=pcDx!NZKBLTxZO&P
z>thANs|%Q(uP=;NyoHC1)v%roYHXbuRx<LS_z{V19I`a51fwCw%*FO<B8o~z9um8p
zRVUG}0*fYS@4@1_)0w?d2o*23IBYR>731i;*KJ~eAW9A!Z>JF~wvR~-IOeDLTjgLH
zKM@alsj0_9Za-$iLXjO5R*<>dd5=oE^9emA#FfXibcx&IIo-^8l!0D_wDfy#zvM3F
z58@ugq5AIF_&nPnWM`yvwCZ3BWGhZw{P`u&(+zY3rof4&n)N6RD|K72i3GxV(}jVi
z2>Xr4TucA%+D6GTKzBJ|m4l6(yGbk~q%+!MqS)1%_wxYvhcz@KC*JN=^9Ot-M`<5w
zMC|Jxr1(5JKiw!OUCvu%5W&_N|2^|av!{shnewNAld~in-Gm|r<)*ll8!x}9>3y*B
z#Ae4N{d9VF%qt|&QV%O9o(VRS%on(Q6^zE0oEOq3aQj1iX%WtcWO%xk(BJI&II;Ka
zSePP;#jaH`F<7irVER(*yn)n^xqUHB4z9X~NXv8%V=kol2U_GJy!5rwkAMLPb{)oo
z6EQwa)v`kD1!e{pWWvf%8Qr|JVz~^|?VJ1A9lVq~af+dfm%y|55#k9<EE`b}izQ;$
zZIqT9FYN$r_E?DmpECh}vRr#QA8Gqt{{jV<n+o3CMS=!38nY!@?m|JhOqEzOuePpg
zW1aFv4g^01+#>ewFe{fq5G(=l()Ovr61IbjSZ-L&yfroQ6&6HgOLO%l!LmT=DEfUA
zj3*0@SJtO)@}HBu@nk=zMlgAPDR6Tmtt96eHyY9ITQ#n;h~pDLiS(uCrh?_;5=AHY
z(o3P%xMcJ+P$Bc6)2!5!!6w4Q)Ltuf#o!=WpupY12Z$J#EGlE$tGo&$@cOX(YT361
zAK_iFu2uTTOl2%>W2MZwGVn<hmY3j4f)k%GjyDJIBhRcG1lh@8a<ajs_+$&eBQQEs
zFq$i10n#MD_V^N~<$VQn``KPK$0dfG;PaAD&O6E-ftKZHb<mThY&MtBQ_Pj@9=fAH
zv|!DouaLyG)d&W$=BgE$W)I;-P`SW)<UND)jlfEu#ltISkqA-8cB3zq=tFs^BUukl
zZLB<>mmG9*$X*fI)6Mz?tG#Vj1qWfTvN(KS)}{3n1svbIiE6j17hijhRk66vUK3#w
z!l8+4$j2&F8++2C>~sn|{!+A}4F)ZX4p@an>RQZD*(Pp(ugn^-&!VO6Vdd!~gzUJD
z$;e&3YR02h_39a2nFlQ&3VD~0^`sd~EgoH&XWiD7=1!R=cG=pH`+wWs4Y+(t!%jkK
zht*i%wih0owH$}<9Hs&#&~mznb<>^h4mLqRxXkIRv!y`G(He;eqzV77N<pCYPozQR
zlkR~bWQRY!mqhe4l@e2&1ujRu$#9%5Br2MumkA0%apr_X^gI!VM@gyEWenU(i=i$C
z9xoJa5uwPfM+^cU%<)bKxGIjKeLZbbi!kLt^11@mC#9-WWxdUvfu|?QC}QNhA)GVE
z<%>EH^EgHbF~CLmR1H_Tk|V^`Do5BeNMy8dYOpbq7!vfQSyw@Y2s6;oeqUf;Xs>A3
z`Ns+oT+GN(fe|FmcbF#W(3aC57}P$h+U<^MpRnE2i6E%#_W3f=ZCP=>?oi0hAH}hk
zF)A%X!e%6pNZh5dW4KjU24K-wSv_O~+vNO1yJY+<qtSh&a=USJrqmsWv+2H}HH@=@
zgWYVCvv7w1y?#^XF*E<OmjYWRgU#RrMr-ElK<n8TpE#&-S7NU((3~VPvA0j4`9WUH
zl9pkW2~lKt@<KniVPUCTVeMJV!fR?Ua{cYXX>;k1?A2I~F`r%(!MYQ*SJU6vyFu?^
zk##vej&7$N759-X^fb0LOQ;(bseV1aAlZ+(F$dtXCgq-6=AHvw$??@%4?I~}vWW!h
zmS@)Kd_s(>$%4dYA5OIxF=hNGH}|Kd&fTX|gbR%Eza;VTz!?K*G<Ai>G{UC1m)Wb0
zeVn1z@1WU0ulSo)yRpa!QM()mnM2U?LisM|7fR6h2<g{;PS_YQ^O#6-P%zPk;ycb4
zfj3(FaF5pSTs$@EjQyf+rqPX7av9Q5IQ<%aGk-JsQFcBfYNuKZhRd>~pSg|9XpRK+
z;hu7a7q>efL}6u<obwrWi^L~|vj(j0k+UuO@YBYEQC-2TZ%Wsayt*ut2f*bYtql|?
zlUg!_p*}sah5nZ~i#ds(VE}lsp9_u3*b3nky)Bqy?+A1MMj1&yflXupM~f!_ZZ`G@
zQk)<sSd~UnV|`UD3<5gT(VwwXhTc;kq2i?l%Pi*KlxaJ92adLLU2<BH<_{&d`x+NS
z8n)A}Okq9#UD%&;bsl@6KUKVu4~FfclUWxMmx1trw)jCTmYyg!^!Um68S5FfR_9^}
z-mC88)N}b3RQCHKzD_lEN0Ec2$U~X+J}RZkJUEp2v^RcNnv-kI0MBAEj7Duc3QpBy
znb3^NWW3gUg!AmTvcL3w`&F?eyr7pxdQS1oComjasY`+-qE+pq9{bNLh!qwVg`KH|
z$eUsoFPsgA8E-`52Acm%s*Av#v1uQpB6~14ChKYBWkspKyYq|}=e(yAjjbGx<CN^_
zXljy~Mz@u!lbME7TfqHR8(Ep!h?MRK4=Fi>$Ds$sCP!t@LDs?ES+*J5c6E1bika6W
z?+%uNAG3x*X4Y_}%o+&s_zJc(@&#Ld=oz^%IDI*^n}$5YcmJ(LwcfETkbl6NvUr{O
zv$i+L_n~ZU8ts0YoCsxG91Y)0q88^Ws+v#VNfDd<25PG@Q;L@_h}z4rwIO?7VoD+R
zjyoNyt>_&-jfaTIBbwy;>o%XxFC@k1<`+3V4gEWciu3@a=B|jgC>-o}e*LCwz<3&B
zLjOJP)UOHNt@%AVOH?`&syPfn+xp8$#cxm+5<&}W%~xqZ`O@WTUsc<P378hTNngDx
za9blFQo{}#@ucebfjge(n+vG|&3oh}ag(2o;oIevF;+U%bXg*mmqv5nco<!{T<|P$
zp4}?lRPbTjGNFOizF-ka&BFGwmy2zjC?i-dnnkFBq6L7~B-jEKRARFqb23FOH!>PN
z>lQnqs8n`4VJv*gSsNy7`TprdCy<n)X0g#sPAL)2h*Z2H7>GB2%4m)e)+WK36_&Jf
z&%0)@pDrWVZ=khVCNfoMZUsS)zrv{N{+rH11@(tgqnQw_W?=BG5+gHyjEqS|^_=rv
z67_v(<eZM4^sB^@5@*Ur>dqZi871y|uhukn6YtX4P7O&=0ZY;^)9pk)*KmGjLEsLt
z4JCTc3*1pmn<aWmLknU4g23<C5wtQDjp$v#yvnR-^;Bj?J*C=l!hz_zRCs`odX}bp
z0XbLAtwLocFH|0pQtsTh!K*Mu<A+AL)O>iLWgvYB0zOGu={02M{0;a^Y(v6d@G<;V
zX1?S+TMngDw8J83m>)~KdyK6U<jdZ0tG5fi&Wx)hG0mQbQ2#GQ=q5(X^mr{qTGjBo
zkV5bg<vz5~#ZIgY1?huHn$y*EJx!*Ee_HR=SZa%MNlc(cE+<bHDsb?pAF5OkV!<Sm
z?edLYHaEvk5{HsAi!^ond;OiyHXV@S-->|hsVw&HaiVH$09r|Y$$yem(&NOsEkhNI
zNMGZnkr#jZZh{RzMd3VJ$1t_nz^?S>Qz}6zW0N>ET?w1WTuvrh?yJn$<<+vy6wUdA
zm|7Wod@h^cL97ah>DX;)W?|^4uY1IFoWQ7k;Ep39sm0h@9!bq$X&<sU*Jw+*)HoCX
zVjpRx6d6h`2{KWDkK`Uxu-2@KKd5?Dpi_#cpUfvfht3t8{hD+x0m%v&AnfI=LWOZ5
zPVE%z@3ZWyX))jiWkW8%7PBsT-NYmDl9;fsVkN$d(j&n>k_z|ZlwbJS>-6%$T~T97
z<fS$<a;}w%Z<kL0uyRCvtl&31hg{lX5>X41Le~TbbzP0jwMH-viA@w*S*c4uO-=WW
zh!@QImw>5XC+#15RL~E~*=gmJQ<CmL`!_;xr(o_1%Sy^r+N(fJcQNB|^GT&7v#wry
zB$bLYkHTr21}=vdSPkD0$|{wmLfnuNB@qONSxo<E*$`;?h@@02*s>yZKAKY%%|yQs
zE)?qwCmIQ&tREx?trQQ9ZHc#Nj@8zH_XEvKB!Soz+j&V)s82L2oh8eS;^p?o;fmEb
zbqrV)u6~X3E8}xn%#sQUu9L%<0jUM9R#yjWUA@sGE!VE<HbVx5_s}Td0q4-o$^fOa
zHwgRTwm{9GyqCk0mLVyWEf=tpO$!g}=d7dCX;<~=!r3%MNG_DB^k9Cu4hg3KCQkc&
za|1168B^FEU|B;qut8?4RKvN&gDA2vJ)g{UlyVGKi=}}qsSv2VEoh7n-2OWuQ_74g
zat?4Qc<Ab&P@#71)L;<Xx3mvR=@{)eEM2@J0hJkVeI+C|@DWpk<uRZGB8MD$5!@$J
zGT#no$D8oi)xluwr2|t5qavn+QJqdwW&SFt(uF|51E%sKnle4~b8<sCv-E!}Jf>2F
z6i}Mp#w=31w&bsL&Ur<8fJ7ltdy!k|6)=C6A43ymAdr2UxfM!!=R_<zjNEj~t<IxB
z5P{0an@;g-Do~fiPBQVLxN|Eq>p&}<l2@fsmsZ;Abna^OIg?<gvzACk@g;F?Bm<UH
zNY9kFGJA=$2cXsKG(2$bI{Qs~qw}yCa+bvJGl_OOcX}bW(44Ak^Q-1&o&O0?<_~Yc
zDa@#vUsfKFf_@8d1<hS&=ejTgEoZ@X3fcLE8(&8Jce3%{)cEXzUmWr>B@MZi7V<E7
z9Eb3cIt5y~_PK>9-#hP_@r;8XrvfLvnpkh$4yr<0F@*x)O}dx?@HZDgnE~*}EC9|A
z>`l)l){HkEHG;2uIb)g=s4@|_hPJYoq^D%lhtQ9)FL+y!S%$BY%VO4|883%K&SP&1
z9Mz0xAA=Gvfd?qVO$2FwdV*hBqZ==)Ahn)SEd1M~G4vnlM5q{^Z9dAtNnNLyD-<oe
zNWFVYNv&%pF*NCO)*8x@b-mc-&3ZUJJI)<bHwG&WJ^Ct|p#^dbSNs@nk$bC?QZopt
zxqIB@H*qq?&?X}-E^wl}3tldgqI*a+_CtmFtXPgwiLVagoDoJC4{=6=mk8A%VS7#b
z?JPZ2Ja##KUly_nmbVMYCI$JXvy)639B8>t8OYdWrQ@v4MNQTy)&Wf2e&fN)aiv)N
zZ_WjCo-IOC)@-iH1s>)WAk{H|#^)kcz9K9q?=JAkZKp=X;3Lq|Be;UI5Xj^ku7jjG
znOKrOLX0Mrr7H=L6&MX@_3{WVKFt>YnMYFtETaM<c3WnWev5%`od(6nSRizz!ja2J
z<*QM@K9gc-YnL96n&g-hJ(bV7M}q>*71SA`r;nsPq>-D*sjauixl1`DzD2~Skc3&L
z^swSh(jtN8G33lF&B@p<=Rxgaf!0kV&N7T~op{Z_`nB2{nFb4>B_?c+gu&EzyKJ<_
z`Ljk~t)v9CVLFpliUeBZ>T%O-V>IOY^I=>U-FG$$Ua`&TQ^}^~c=eIOIyBatY^DXe
zwK>a_)%+rm(;xDHv!p3rRcX+8bq@X@O&QyienC<}6KQVUim=D&aiRZ1qqKV}b8U9R
zf9qxuGU~iR>u(~Pj|Sg#BPp~Zz0N1AOp{<BLB^T&y+wLvp6>sDnQ_I4oKG;UHaa7f
z>dd<nOB=t)UqG2g#>~StVeB>4ZX}?O2H+?VTOwV0idaO(3wpIeA$mAtNmUyb$&eQB
zeDER_=ajH;@)YCz53j{qL(fgc^bnd?nE76Id@2n~6Tj(ntKnE&5iYVs5oem+!c>#p
zaYc2>nV)iA>a45690LL}aV7X{_GRr(b9;rhV40vW9^p~!jM1)v^eB$|(brlcfH7zZ
z>Le8P+e4j7!24nQ6mVzCxe~n78?_0jksgmK$epP47v!GNsyd4yywqHatwin?IX`>J
zh@X!5eP|y#3#xQ};7Wy#ctSAWK(?C0nH=IVB@_MG<7&=lqQ;j@*Jh8bu?gi%rfajm
zQ*$Xjl`p@1mDPOA4_{(2o_$!2oK_LIzYRNED%^G$!kqzG5*8${D`NF>V&D#$_CU#r
zSVV3NPOi82%{n2%$y1C}y|08?$H?xYiSBY8%n+{V!K438C8IM`s|N*Gm2^(xL$3T4
z0^{k|;d7c@aoQ1Rc~ocxq{%`J#wO(r@k0;;E{lo&Lg!Vr*+M+iDYIl7@7%9yNuc?^
zL0iEaDfVku;7G5b0!1vej-;579wnSPUjWo<a(bNO$CnfPFrlDl@?W6&?ZtuSw>~2q
z`zymE0263l%V%Ek$7=DhA;JvG2elYcoS7;vV!r|5^z&qpex*#EUPdoN@%Q_ZMZs!*
z1GkB4kk<LCl<r*eyvqWC=7hxDM)oi9m&w|f%M<(h%oe+Hxo5u1w=09Ls#ct@BuX;7
zDwjI<P)h2$v+;=ujhKn$>P5&TlCIbJ_X|?KaATlFh-dtZz!dYOOwiaCbE4>LSvFvO
zRyg4lG2jr-;&65Qjavj%6&;~^N#G7?n!s%d4;bxP$1?kg>4yoKo9G!BXqnBMTCLRn
z)$2T^y)%B5N=<wndYvDAqD_SVy;epn%~wzdxQ5G(zo_1lsbr;Bm-uo$MU{4_SVs(+
zV$o`e3pD?j&M)<m8fPA?SR%1+I=5&?jBiViQ`rFhv>$_>bFsngrA!s5Pn#QOQ%ZjH
zr)E%nBELG03A<lY8vbgbL%?!&u7<dnOUR!!kqLHwX2R}C_X7>1A4TlFp{LuRS7`TQ
zU;KQz)h6D+vnU=9+lZg`bYW<Bdl44R*g@`9jfg*j`os<rvsq`KY4+HCp~MzntPnGP
z$o_{Y2O;}Tab(3`Jd*l_FVxYeAoTa=^v0ZrUA>ouBJy&oBl*wUCk4jt5W1N%2&Wx7
zi}WaJ*fr<>ET^o?$iaMgEIYH>V$;|eP$st|UMli@^6oyq*aR!}Gwh#TPA^TG=$Soh
zlze=^M@>Nql4>Z{zEY8Wn>5}x>je2&!$;McL{IJfRWL{3JRA@4Y_wO&U8A*_S(o}3
zNQ8#u@G<@?bRFIDHD|j+wVg?j*L9Up%_ebEEn`O-L5j6@Jg;w>*GgX3%4-Tcij^{}
z{Gvy%0!lRXSg=ihA2tdMDy#IMDCwH`l|f^=$cZT`=PVm#+TKK)$aIK!M)#OF-Qz<i
z+N?jCx@owxqf^99odxHSSPe92!_JW^o<jDL*i6xpJ)x-uxND`Z${@<!0|4K@6l2#g
z<yiLMpqXlxEH`t|%FvwWg>-e4IA^I)Xn&tHrEjW^m7=)%a*TKJ8t%+eaR^>Uof2N2
zlI=Oi=OV{Sw_=E^loZo7h0`Y&EshvMDaaKQay=7l0tu%qmqI#(02rRty4-p?nQqgT
zpun<F9vGQky_kz!s*#=wioinrbvegw$mSLYUDHy4)`qmVIU9Axs1+3P3<Y4^O$d)l
z=P>Qk?nHeWkw$eqSOtw6e4ggX*WI`0=Mtw6ufdF*ctN8XLR|m@N%4Qu;?9X3j4sCl
z&d8O}bJF7JVhPCazo82lH&_$jUk{`=ZgtLIh5(*`F_U%bt<GAQhk;{R{B&H^Aj(#m
z4DMqHVDb7FR%$|NG^H1W>stAH#D|kt6*-@=P$0Qt-xkBZoROads_h)o1~&9z_pJJy
z{S7B>u`f~Js1-tD*_I;NCX%gXM|_#&$?hUU-irsgq#j26`~pVb%%l6)??O@9jF-FC
z(Un(lrWgs}zY@v*qow(E-Ab?2x>j2$HgFPugjO_Qi$5{fxx<zdxYj*!A8e}v-4d%@
z+8O9oHxE3LRcml3MNsi4OvNj`q1;_BkEX7(0D2`rA8~<V!T{*|&eQL>*s#c$kMnBf
zJX+)~GB$c>IP2G#<Yr&B)==jaTb+VUUd(0M0U6hH^7Nkbr)-|E+cirhBN%LT)+>wJ
z%K|OZZD9zveI8WN<soD*6FN)!KQE!(+Qc}21nJWQc;vOyZNzFjrS}LcavqttP3a?s
z5?niyPsxBKrefB4{o)Q5ruz+&%}N}dD|+gbK+78>sbhF={WmZ86^Bye4`O9bx4Y}Y
ztE|8zoI+X2j--CpCtT4M>KN<mgLYHRc7kXs*4JnH#loqi%nani*nhEs#wLiPOYh6g
zZLM_$v7K_VS+sgr{1uMdmkmq^aVvF`ucHo$^|vMLUdEz=9Z@7W$oU!LzYUY-scPx_
zV9WVUrrq<x<?g(^&-D4If`)}(o8L|9%qr0<z5CwW@vI!ZKg<fs{%g?$x+|Zd)R^v?
zZl(%>TQ^fPamwa!H%L@x{~K>R5DhdxL4@-*NWtSv;@2mCClnXMw`g)rWGD!<+;3hF
z<=U!Wnb*S@9RHKoNJB>?HM0-*y7gz-_x+g%Wv&BHtNO**RdQ-A+h*e*$V;6pLUu<h
zdO{U#b=8|^U##S*W1WWmXijXgY&(0#b8a1}%hdL|_$WpssiW6DRMQQE?*u54J_lxU
z+f6C->_YAG^A^q(dOa?9WfG3lwhxwT23Is6mwtI0U`vy?DvPmQ8rO~tw8DE}VBprj
z^HyhX4cWU{2W79^sNUdb!+$r5rA*3CY&*^T?(GjJ;(47Qbu@KOAG~ck3K`oMcZ~M=
z7WGmjUI0-Bf9H61H${_0L4iIlRfM2u^mRzXSY%BCL<)F93#bKtVa3YKALb^uos{`c
z=$Y7ddgd<u9g|7w?}eF!{(ft}`#`MZ5x0%;72p(zFX0ikzE1K7o;u<dUZ>fUILz{h
zn|N)VbXY`u4{U1?zsNLeFu%w?D;P@Fmp0Y*8QfHR_~4G(K#^??$>~!}s@0k&PP&1X
zKdGMNNo{fVO)vad`!|Ib<?!(3@Yq+E#bXz*Ux5esFz#4G_(kwo!}u-dcO<`+{D%1*
z4xY8(SO~7QghkVrsCcQxT6M$^0q@e`GJRD#T<n(5o)3vVT=sr+)DG;+`!VTnX8DQy
z$LI2YGnfCEFV2s6B0ruHp4~Tj#FlWj{5SPg%iqAOw8H`A_tE^aKgRGg3*)lff9Z4k
zdeg0hdi)DskLBP#nuGf%7cTAlJ6`_>x<a=y=;niNLfawfpq8O@8~OjJdl&d9t84E+
z19BM<5<nF2Mig7DR+(xQi<d+goza;ZtyEg|l(wE~TU%{Q+MX(khG{d6Y3a?{J8kV-
ztUWC~R*O_akUBx|f{GeYA>1c~OAyqc2=Di|_I{q3NdkKQ@A-fJ@1Kum_OqY8*Is+=
zwbxpE?X~yg;Wv!@2&t@LeWrtcIM7cq=tH4C99$!gp)ZPOxR3>5yn?&k+h4LZ@GN*=
z<FIdXNQb?aG>C7I^!&J;<h$T29BEOw8XtiF1n}<z{^Esm+pn`GtGIR_IaV+v!ua#j
ztoGO66iJ!KPO?57%KJb*xOL1O+njv8sW<t`yeEbs9*EaFnG0UL>hc$EXK~W?1Wbf{
zhW51Lz@f1os!VBkKq809RGt~mdoN^lQ3uIkczyTrnzI7qhR<#;pPd49^0O}_8$Z>D
z%U_N<K+IkFw-x_z?tvNO+Mgv6;-5NadHL)`<W$YFd03wLFCKIoO!-5Ts%9UkU6X2@
zj6<gxK^#Y|o!nAgci@Eb*$gUT@4$)WneS4*?wx++nL9`<Eay+t2!v7!x6aOg?xz<X
zWaBLr3y<I}>OcRYe<267=ii3A0$F~z$#VQf<(Vb4(wji9D$Ccsjyzu#@_%)c3G@Zv
zboz`M{+>}j`xJ-c<noNLopnn&(T>-U()t9gJFxnkmf9AK!X;e2VSfLX{CN(s*<WH}
zS2xX-&iD*T>K<16WZgSMYg@`6n#>mjzBnQ`xzDiN<Z`TpVO0|!uYGReaP|B|-}BcO
zs^@a$-EssMP7w>UIls>G%4ZJ)paL{!QGqeLbf{I$O&(g-ROYHn{7XyZ|Kh4-zCsmA
ze5r$3d;4&g$UA*z95ZY0VM_I#F?`lu=r8Aa-8=YY#*(1n5%$3_wS2vA`KOSp{UqKN
z<a2eCCP2I5Jm@5hw1HIJJA=zJt3}&6?T1rbjMTn|83SEER-QpUs&L=(%tKaqNO?ww
zy4tm#s(Xj?RlgzO``7*?>HOWC!SUnF9p!e`?y_&D8mk5-8h=_36%vjAxQCxqV`5sO
zagiCYta`_bK#BwzOHo$7Z0M43oB1Tz5oQocu=>>}F{*CB&cE?to6Zwi<j+#|V15#{
zYxdy{TxSYtk0_u0CnibV-rG5pPNKT5tIw3|lIn$`M)~*V!zJ2R)7n{vEao_#$|S)&
zSkP5=jY<Bi3q+WUM`^3L#de$Xe_iNi?P7MlfdG#k0qKZ;xG6EE@rDSc2Ub7(j>-<~
zIM&kxz}}}A!L*gjN#6&FJ;%2cQrUGJ<&iJreg1R^fM2FlC2u*uTX_2@Z+&3!?-m=l
z`nL*M-?yw84Q5HX$m4tm>pV#sK+jT1*`WEm>BuCoFV9FnTIWMY^|yiwwfJS&!1FJ5
z<Ubw0;LL&iv$g`DNLBvZ;j81l0c>u4IW({KE9S-JvpZoGk$h}ey-F=`*r!>$c8Je>
z<3F@9aUlO7%s7P^!EJEMs_$6V#zaM8-@w<pN({fMfEcecSnY2BKizme(F|sTgMu*-
zYmSGAh4DnV#rXYp_>iTECeI*S+Zcg9<=znjMECS=hb^J(-DLOfn`Z6o$X{20sCk)e
zynSH43f|=Em_ir1vqeO5y{yh&e3;{`c@L>`gao&1#pL+Jai+!17A7zDT)^Kj_Z{21
z7(nj7KEM2-ixA%*Kdk(rk4A~w-~#zAe1`<lb&<Y1$sOhToQWR$@OGd}^6g1|nS=nh
ziw3x#{(9+>icK1oh%N=-VD~dfA1`r9j-RE*-NUOP2~OSIW8f1}msK7lhPv`D7b74w
zZZ0*3sm9!}hO$Peh7!Yr8hRkAC^c>#iIJ)?FRY=gqf|qQBZC@xz!Xf4n@?i2YRnI7
zDC=m|P-09_Ll1mcDm88aiDOk`L0Cgs$E$`C#|1U?fO)~)TO=w~LzlnvH8ct;>%<^&
zLQq4wxb#xvnn|3b8qHx1WxZcDlz3lILl2m+sc}n5oU9s4!y3vuMKzT8Ku|*ur>e#Z
z5+78J6=4l!ovs>6oEFs3113>wTq}u~YP5zmly!z`DDk17h91sTjW!Y=Rt<Q=_gq<L
ztA-M11vT_AQ8nsGoTD1`VGU(XQVk_O64cPcxvDXT#CfVQXH=r$QxM~kah(!VzP&lz
zrA&zn1VBaky6mT_xETtSaM!ptR}ePkWs=Jh8ZN8g{!cb6Q`sMnTdKF&Kab1vOYk-?
z`M}VV{4lC_x!qrG2u$)-h=$9EA9^FnM+39VQv}3nVfxE)&D2X(?n=eDlrP^u)%fEf
z_niLS3%NhUzDn1@=Y!zY_Q8BBXiO@)iwpfnr=zXu?2dG{BNYQko)ROt8*cz5j!Q*z
ziP$creUdXr*<I-f$D7)RT-JElAi~S3&h>=M)g4E2SxP!eg!SKT&ps7<g19a&)f<$G
zKAk4MHpZ>#n^RGA#+!)~T_l7uDt9EJZ%)bP5)m%PxyyQ<io66VlCiDa$UW!>Q_lWM
zy7IAPY&Eb(5@?l<tk#G1=w+*@v$$h$N_SQ-NkyLkA9V?YkPqt9s#L=-okLsLEC#{=
zut{e3f(?fj7OxvYpDt}Ybqo-JGz3UVF4PMk9T#*BNJbi3*qe;LtzM-oH&j3J%-hWm
z0x;G0UL!dda9THaBr5kOqq{{h24z<=!i|d08)08dR6>)jP@cZTc2zh1;pGS0laVJm
zsglGy=o?;N)P-juByc_IadmYWjj$~XoFT4inyvlFW^RKV!HE{$gZ7cUC7AtrUXjlj
z`qZFAY*lu5TE$iia+IqRS0yX=rYpCmqsv6V$TD4c+1HIC_m8Lg&KP%3I>whSM1C$l
ze<cNHu7LK5O31x!usRlDePFMA54QEEI1;RbL3mPZ6631SbpyCgJr(7P13a`30TVnC
zX?h-cnwKMRGIDFGy@zeL_aTn~*mh(pvMU{B>yJ#BDb~UFlmN<eDz?D}W~Jf(N|K8v
zqwA`(PjU--I<hN;CY^g(<Lv%dKlbr+;O%7P)5+M5bR?I~wlOQ<nk5|OgULsxqDw4q
z+i1-e93(D(OgidQ186lJ{TJ=wX;RS$#Lo{&HXd_6ONq2Wf%K$+ybaRl`vAq|9|shd
z0{5MY7Muqta#FD^=_og}KAEm;O;@f=N875iuOuT~e2V^qyN2!h1hhy;I+^3pVsKIp
z`R%$?wvwi|LtT*N9<#`PZLKWcGBOdxc2jChGDv~-_GEM)7^Y&I;#oeWv}J@KM0NmS
zNIJ6HLj+@LQ;cjT@|NR(z!NDjHVCmztO21p+Ynj|R=$+3d@>c?5+~#|vNIKVv%2Zt
zJ1_X57-fDcf<taiG6p}qo~nE`5qm1tc;;zLbS5N+vyg7wV2|{Pl7eHmp#gXFXGC2-
z$orH-eh-*eXX(Obu%;wf6D@%h+Yb=5u?K>3-O)#%*|L1__bG?JfDmM;0R#?-O1kiL
zD!LhNOhk5oadp!R|8~s%!heC7P52Yq0{$-~Vy}Y#$uPI%B|FeeROI`}M3j_nzXktx
z@b~%P?^6!{Ck_8SDk}Wj!JnD?6jBr*;O~Kee>?d5eDGHa+EZvy60!^bJvNlgu|3Jk
zeW}XDspvYnJtH<}B1n>Z{xqOfT|jnk@6VY7?v76TZakH;Zk&SjbSQJzSN2t1nYDNW
zUGXW9_bG?`D~3FSz5(Q69A@(nu?SpAZS)Pb>4Q&!wNi%lhCwuQWHKrU=&fWF3T#lK
za!;ZX@yay%7nf6mq$X+eWsSc)E^>9<aK1E<j=h+!%;|4rO<LGWy1$BaN3JtZNm&ob
zXP)|e=BZB!@3ghbR8mo~I#NCICP0#WZxw_CARSCmpT`t+DNWrCVj6%@T-ZnX1j8%I
zN>E2=Zh#k)5esBq%KYK}*mUgak2d~zWK$+KE?K#sr*!1SwC>d23f?cU;f?SGZ+s}^
zNxp0aZ=Vm|KIQOUNqbBw6&2oF!JA1>RY`F0c0jg*x6d=_2oP67cuTyjNJm$ia0mI-
zX(7*l%PwoYYsiwBhfhsM*K=<y7xXfdIJcLM<&u?e@HZVnNlPq)_fw`vk@k|h#^mIK
zx6cP}pK^GMKbcA@D!kjl8&ywL32g9oKwxlq0w69Qn){Tax0C0aoIFnp<yC<&Z}-By
zRl<D6wM}2;Jbf~@-{d)0cIQHQ{&*<Qk+_n?hmhwCG4dR|ojeEcJa{7#sVb!a-X6#y
z#JPZ&BnNLN$yZ94dr6*WqEt8S|J#~bnwD*Fp@g{v`RfTu#@CT7rz2ANoDkE|i*KeQ
z!gq_1Cm+e;^O>AJ<tFDoL;hb-TtYd*w|#dG0f>{^%t{Xg$+8p4;`5oKKIJ5%*A1!Y
zGm`Jf^vah?#rhxnzw!$qU;lrjSV!7J1gz78$n+Vzez91{&-uScrc0nRO_Av);5Q|r
zdwU9WO&^IxE~M9%V0|k4PMVX#i?<Ks@G0Nl+-^@hvClURNk=(C{F0yf^{k~~`R&$(
z7(?&4p&OgmrM3)JRm&S5)}%n+RP3E}<GH6*H!c4BFE*-O_9r{lIJ7&6B0(E;S0aIO
zfoorN%H@zMMf#+>E<sO_4aZ8CpkE4FMbd)|^daY5mM6F~3JVGXaz|qiy#l`rZH$CX
z<y`GOEERp7C)PAW(%6nl?HG}Ec`}Z+^NhyYGCCD|J;9~_q7lZBryD6xH|06Hxk@|x
zRzLdfi<@>ry<~PRvzbG_%ThSN^aY@f6pNP1XL!^lBP-I4r;Z>p%4;&d8#p*6=^Sda
zP|L9(3$$4xwiO-cRT27Q1FMx6<Qg;GuoD2uYzH3-LPANKNo7$8$?8+^!Fr%6JGxxJ
z-Z3rqb~5rj9-L0$h`zW-XNf1IvpcnuzIZ(hq>jHuhU@q~y`tO%*ZX~9i+g~~BYg9g
z9y>W>Wwo~sOQRtdZ^2I32&dBBZK^t#!Gqw)EN;@jPLQ@4ZjI+wT-rGMBe`EKE>CA4
zOUIV+=^>Uu7&xXVV_5S4vTwU>M;PW|x5w-YaBT=lpMt@B3bFVcSHC8rY;Ufhvs7Sp
zw30g9u7Qha1S=$}@e<f@Qoav&rMp+hStS)>b;R&9KV7Bm0-Dgucy+RJb)s@9S94So
zuNzrmQM*^_NX?ZHBhn^*Y$ejf(=ZV=FpIb2DB3iXDJv>W6jq`JL)O<C;-Y+4V^cX}
zI?UCAMK!Z2gbv#7>rCX)kc+I>a8)E5e?08T-yY7@GJDf}w-c!Iw30yOR_>7!*LqEz
ze~l3xnT)dk#*HOgq2kv5oV9WJV-iuH8jy^&C!^0nt90yHV%(`TA{{Ysrq0)e5Fp%E
z2uD2?f^bSvn}<P0xaUB008o;^iV|@CoD!nl>QwZ(YNiKYh05+t;XSFsJ&=mPM(ak4
zDdy@%jJ9NyBTmf662euf0d-M?BQ1d_>}XZ<yM36eWnwWToM<xNSF95CNbBPQv^)w!
zV&F}uwtrA|PHZoPlYtl8$G!e(u}6Ned<AZ8n2s*Cysc(SU>^9jA?ATgiFWCzBOH$L
z6=3FU2|h0X5Wuy;`W}ec5(Y&1tjYnRl#tVEEczJFqF%H)3F#^!9p(f)w>lkJDxWf+
z-e?oG=80Np2Cl4!4x*vx-YfMgJQ3!@Rj`>+5F~YGEFt2hAvv@n4Z~%PQ!B)Po@*0S
zmrhB8A;lJW8jiiB@saXB&7N@ypFv2*STjLGR^V8c7!~@={9t)m+}bo5Wx!EH;=i5n
zUtrQCLX$>qAaY_{*TKwt3G`&oq$4aEsH&yth!BXGG@+>j3kD{Qqakoa3Sc2pU}}LQ
zQTbe=vLzLL2@#QsJR?$$N=3GafHk7T{8V53a5jaEn!QqTl&9o^B1(!cYdkq?ipYr%
zal2_~$mpxpkX6Km^Db%p`_NbJn}1Cb2aMcPI0B#`GLO~Li&`$rZ{n8A$tbB89R+tl
z!PotA*;c?>P`erY8olOY7!)-M?!cmL1BhQPhd`j<4kq#Iez^<~QbKa^X4I>IuyBDF
z)g+0^#}bt<rlKz*7*dg^MY^%bQju<&I3f=Nig&ZyM0c?w;(fRypp$-^+{mbKCuM93
zL+%BaHI6%3nPW8q(`?=|mreFDucJ2Sr-_c96`MUFl~+W_`Ij`_6<uAw_v`Xx#qf{8
zivLQ+@TIVJWwnl<GfSMBZhS!$J|S0|u_8`FExDDCDD){u$Yn-IzD@nC5waaZt~VgI
zZV!P#NL-%+qI_7<r~GtIMwdZ=(MHeL;7hffeJxq}mMz~IDL&Wqgy=ah6<KGWDuO8Z
z`k;i7(qy4XD1xS<MPv*mA!N)O;UxDql|#{(hzW<9R1|kED5Bs}PeJ8*3RXXI#pUPU
zqtRr&f~#(E8n+x1uku+E+$F|(kn0ROpdlw3NNs?I`0bu|H0*$em}<(0hCbzJxY}sA
zOg>0WXW4o%BS2)=F`YdSXxIS_1AEVasD#kd0#?kp46am@Br5Ts;z4*`f+Dh9#KYx;
zsNIIeF<QNtp3aJvkZb@8NcUnW=cHX;DH-QOhJYKJjp|0ib40@FMI@Xq5*EqC6`qXB
z56SqYTx=da6%Jjx*geKqls2R*7n5LEP$`hCgC7{wycxFCH8RSZ(VP88E9g)oBc`Ir
z=)4&?;c!!%HzNdMHXuN}4d~52M@D)E9NvJg>E`Hi`PVC<=I(U#d3`>|krEClCglwQ
zDK`$a>0CrZ=^!Z<K${FGBIME{eiS{R<qbu&yg{@q2t_@HBwYIbzVk)Dd#ESv8G9B1
zCity*czJ>y2g<rbL&K=v7EDGLJEKlEBJB9M%ZD9(%CVy~w1mHDXc>p{m}jZlD&sH&
z0z39@8M@9EEJMKcv<y>DOLu{G$dZST^JI*oSvHokqR1$%;>p-mL`Dp1>>xL-jf@z3
z!K6NQoF}4a(?<P7gJp$;Y`Ogti$utQ;u&WmBETwlVJkvIEH%uut<dn<|E7g#yog?4
ziNlnZhYE)zK+Ix1w2>$aF`(glFcLMhF|4(M2xj)p2WQ6u3GXQ)A)9I_m$Yda9mbVd
z4Gl)UyV(&qR50~MO7e@Da`)i2oM<`MXlVu`f~*p&XD{=5;QzZ8W4=!hYf<LdR;GK~
zAZISpErzAoVg!3+Uy;=a8#sPMjnI>CqOna+hYAMeVpe5=jsuJ6*w&pD0TJ@zja*Ao
zP|@E6LXovN2WzqVk&A!u#}~xHG|d``@564vV#LA6U%0XS|8sj0^1X|#I2W8fC(>Dn
z=#HHm9owO`79&tpVlvV2=W(;x981TPsR_#Jx4kcqDYiHDM&yF=%AE<19gk%mn&A{S
z)7v=FL882$*rMQgnT?l!b{S3<nT=|I#XD`SlKChTr`UwFy;rk$XagnllvD@yj(KHQ
zC1UtJ*MUD9e|u9gEIj<x+7tB_sO-lO0xZ`KH$FvC3bA(aDVC*tw+Pb?Fu-u8qgJA3
zI?9fSYE7Ap?82$l3PU(eJRreFalObv7!fuO#^-3;DBx+w@I-V6iwPaw2Qm_R2Womx
zqQTV=;pXU1o)<D0aWzoz&jzk&8Pn=%8N9OY$~$IICz=AlzhEI$cg3zh`Q#&HR>#<2
z+c+{&$)-1-n|s=ukZiZeIf3DbWdR{KC9~{^ZiJ9NH6Rgd=UaXF*V%PX$OHa#s_}?n
z=B{C@3SnuVyHW3OZ_%}<=`rptrSOX|$f%ypgUq7G75`)+iidlj+ys@mV6W;$xfdc&
zBO1p85DLDaGY<G{ScmHs?7>{c7Tr1=dvs_5`!l8&BBE;Gb$CG@3)~fq7yGRukkTlg
zb>0QRhoyjmVT+P(XR9F*3v(FhW%$SBfSAbHr4gAy|9C%N-Am~^5whk|m2AnbG81v}
zrZI`gvpNcho=M0N5IP4_(T+rn4B3pVSYOHRmRqQC9Hd$uY>XMTmgx}f;tn&i5n#^F
zj-%g8Ol>(x<lUm~?i2}Gn7dPz%M+D*6VX+=dc+WU3sof%S7qcPc)*>C;^TSjYi%d0
z2s(l6hM`8h=xQUJ^HzDnr6RAVU_e)oqU*~=IV|Vhawmf5utfBE1G0WdGWudF#^#nQ
zF8886>OfAU1K-Wj6DyBC4U<k+7O|>f`<ZQ@4mKubA|}mulVZ&uY<rRFfUjXa8Hz8v
zd|1z?V7=9Bq?@NN729e?A|swK?-F+3a@+S}wd;+*j)JkMS4?HhMy2Fo!gm^dnMYs}
z!XRrMBe8OMGWv1~B+PR-k<Jb`QxRX&#?c7^RxCo&Jd*>=?WY&`y*AiLo10OU;6GO1
zxC|e$3UZna#Em#Cm3`Z}8=1&&2XA>X0&k*wF+|=&UyW^e-a*l~`5L5{kr=hv75lz)
zYC6TDfN$W^_Zob0OrLaYW#B^W;XXuom|GE(kvplF0d1I!mV%cEeVKy2EEBR-9M;{L
zNX*FL=7el@9GYiNds~t@?NgwLM{^ZWu`;n32uagObtEb~Q&Ds0G&{$sS-Dt(aM}Rr
zmbr*UGj_I!j7ZzjsVI<`uI>1r*BMw;%b%?vnfPIGti9%T4XoHO(H32@xjY@kIfIzT
z<Bi)u`wHd<XX_m9w1%8xXPUS)O^^;n#wH`rUfTHMK_iAt{1{?fYG-LW_LzBRSvPER
z-bI8VF4?Un>g72eqrFaqJ!=by0<&)IA37EB>QVx=w;ujr#evUI5`%Iq3o%jkU}jC!
zS(7XY6}2LlEtBLi9#DY<t^iQRPIu?xGMtNwO02@Y=;*}vgs~kFu0OUbMbfOhk&|GT
z&N4x^4i{l1s~hfh?_~lYC;x0u6hL94Hn$B*NA}9YUFE6`lbZ;&vIVlfWt=G<eaA}3
z?aii&(hJhDt?Af$zM7kYJv(tXR$TeDLH{n-c8qFp<{sy6B=9SAH+EvuK|Xwj;wi|d
zP!#-u${%B<o>E%B$#I~N6_%j{y09qB4@sM^QRX;{nQEz_#m;TXRF@4&sLKjoG1Yxa
z<aG9<I$G*(6eXA9a7?pu@a{&K49+C#)Hbp`A?XSXx&;Q^I$W}KDMV5C#{yFKmoM;i
zRC+v{xR*8_Gc1i&pgrYv<-8n*$v`6jhl(gY<wHYKM)c|F7^Bt>S1#jo)B1u<tOK{>
zQU4tDg|7>l3by7EQ05k3If7?GOc>i{KFFQ&K_;SWCADm#cgSL*I6NTDV;0}5sn|1d
zCT?seRq=i<x2n%TfB0`FyBO_9BIj@$Qd(k#5%958kC8%L0)B}x6@up(aeL+S^4cm&
zj9vS736W&vttr`^_7P!BJ)QhZq!s$2iM<()+~qc;Fe=|9CHhTZ6PDT7S2V@_iidxf
z_->xtD;{=P<C*8c<i>vMkeF=VLO7A|DI=yxNQ#vi@fUQg9Xa$&^~0w<@z@>gK@;5~
z9O{#iy}G0{_9oweR@d^W%C$TtBJY^jcIRNQgP_<tQLAGtxfw>>qxcv+j>IpeqPvMQ
zfeQAicB~w$tWh!IZG(s%M_T<C6OlZX*qfsIi=@D5i~3gq42hf@jF!(Ee?rvf)A&9s
zmn1838@FR6tc8OkT*I*?Nx%{7IC?M*s}YNlwe#yp^5LA}atl1n9#U-cZH9CT8Aq~h
z#JCAPJ$QXkIS_OrbQTU2*v8=F-q<5lRDK9{T|&g$F-U9cl*sf9`^<|nr+)Q^<~SyL
z6%#O_z0$Q*7@3GYgNIpveN5KQ!5T)<LX&wLlbI1Qn-LN2QqU0g+l!t=(HQ{<E!=pV
z0fh;Pu7QsF0It}0Ig~JG8O4Qlm#aXrK}k8&<P`&+HM53CQyZ1f6Hb$iu0gs+_9r86
z(7k$Dym_;_wac<&0F<*nYTjuEqPJ-ra<Q_H?f2Gwp08tyP3jZus5h$$M3m`G$q^|i
zu6I;M34~h*Y{LN=)}jn^#nLw$dERXLZGI6K*6-Iq&f$tM3})`o$Inkx<Qln~WqXr_
zZ=0~ODCLN4>#+R;VFy~;WY~h;_VyIwNh#fUOiTd*KC+5Xu|)Lg1oJS0G*xib6Ydq-
zS*cVE^LyPOI&owo`iwH<Zvbv8x|fNVsyu)(%kKOXHXkC2eHGEBi)efa(rC6DyIsW6
zx`kb6qvsCXi%%zFdN5wxK}h>11RX{;)*ym}VVj=l%LNQBAP$R>f}5mg92wc}+mVWG
zRyjU=yatiibm`~D%(LV*>{MtL0R2S?yF@I<(ty8~#a_1vMU}Vd6ofKyM+J(GG5$~r
zhI<-jl2sSm&+NA?WdN!+ig<Mhz!=TROA0|WNlsEs+owgUZvur$Zv*iRGu+mNNRDSx
zm2aji-$@d15P2PDn?t__q$BKTW3ypgL&YxZyNLF>ErLWeR$Y1!WNJV*HsYz>Wfr!+
z?Tw|q6aaABj$sr}Vb^zI=Q3;8@|rhHSj3kdQ|^KQup7JpTkQ}}5#8H#bHk;0jF}kM
zFwTCB&bKL3a9!-hR3%aj8P(a1;}n1cKZw;Vm^CTxFvf!paW)_^SD6a1A3IdKp|r+8
z!dpAod~ShpIWX(y?M`^m3R{4sPeIN#vh4+SXOcw=yyyr#7edk{ZSWH}w73IJvOf`N
z!8Xu&BJE9z_1X}Cn5;~&JXBm-{qXNEzp;h&gnfeYRdO8zlF`7o5VW24N(%Pt<PE%+
z_in=xe4__86xT6XVAd!rG@NJ0;AZTAlC3Ew5yw&HB_mk2D^eWC#<HpGB9VwZrVE*!
zLpEhrH2VX%X35(D7v>=#)-OZS1{eAiHq5GO_%xcs?#2nksvCn-G^5xEvSlvY!cVT)
zx3IOD+Oo`3l~|D&G2Rc5aOS#g+pjS~bfuzsBk2Y<>y6=}D=<FpVN{rsd>;d=0S_{3
zX04u|cdIoxk(BbFAqzh}NDtiO7Jkob#XL~6c5a%;X#@<(3Na&N0LEKk$kk%VfnvyX
zln}`9k?~!vMG9~EqUZAqN9TWtOMA7La4tieRM-SA7eX6}GpO9kU$V?6Yw;n9bBBz;
zMSI}#@1Q6e*r%Ax*u85Ya3c0vHpe?WH@-HW8zMwm`w4(8_YA-i3Za7mpcL3G)0Ato
z3HX`>aCAS07z{gHH3bv(KwM)bEV`Q)w)~ryjw~_5wT=1A7grLp_lX-}&CCA2gNJ>O
zmY3VhCN)(|sNG<}WG-ND7^^jlwOfas)rK9zQybPQB!rR2_5T@4Kv^=;wdm#*2s4Lm
za3+XjXnj5_5TZ~pwG)-glxRF0+%X#!fJyMdGVHXGtPaR?q*MSVnp^ph(x)KhW9)E3
z$0_h4)g$tmArYUFuRDt=rvOY31ac|}bA`)?oIWM&bTTeV1So98jvt<Klo=70Z?S=8
z2PmF{mvAIw^~z*}2X)D|^Wm8Le7(33atwtW+WyFz3&MOiJQCP0R+?*k3*TYG&;jP`
zhHfNGMq3^6%-5D5gjF%dXosV3#lp;ohwe#5KyC^v70!A@UP_1_gw-fO<(F<T&s4*e
zpjVn1*fLs*I1;ijiMFwfu_p3V9H1aP87`vVi>^|-@vsX_R^s@QaAaE^MGZ3|o%>)J
zB?uidQHslJztn8(HTIj0pAiU1<TXk5&Z4`J$czSLn@?p_iLDGK;z1Mb@OA+O?S%_$
z@#dk)C?PK}Bkr&0Ysr{BKrg&mTk#*ROyk#NUc)jf1Nr1e<W4<S$&{xdT0j==)_ppD
zam>3R((Y7iW9?1><ROS6Ox7pF+Z>b<BCYttM&3O43l-X%uY8=a_k=>V-V*81*RVP`
zj!eK}%9DOpAP$m7`D07~DTOCzO(Oad%4-VRnW7PFTL>7zUeoNN2$b|dprm4P0HXZk
z49GImMe7G46QVEag)ExqbZY~lot3LK3X#|7%mRyZli>^x;s8}-JS!4s%%F-PiuAHg
z+6AVZA&DHNPB~kIDn_!(Z7EM-_M?}jqzR^Av21#e!QRQFVW3fhdVq5KbsQBxS~iCh
zHo<jK_z~|q`N+lhj<#@wT%z)E!toN3r_A-|4k?-LH9l|_An^~f2O$!?A(Ig+c{7IK
zZp<RQkE)9Yv>pB1fdN;<ba4h4tz%3FwR{S!m{h;Cb$<w0Hl}#+X~@R$B(Vm^li)w3
zTdU4IC`53N79en6GP+Is*YF?Y94;s9D7z@=Rn65=2~fAS2N6cwWDTQASAn0gU$c1d
z9<v>_(<eR@!{bw=G5W>!ItQlcD6}6%7RWkn$#Qq|$V(gVI%(jIXCKG+t<$l`)0MCC
zHz|>|3%L!8abO{;;*^EOU~8pdu~jS%qHoAr1~TU;G_p&n=nzBd;ZYSDv=5K<3>Bdc
zh~VvhK~sb22L;8HZ?pP^W{D`&l9L(_`wp!O#)>Amod~DX(BRF&*U73ax?H~IvDn8$
zg~CKIhUZw=zMhDMuQ2)Au?Lr@B6tRGWwxPxSqbko5~?tfv6~Tp+tC}Zr`R!9hMfHE
zGSz8#Y_jpLfvImK-k-**z;ppfr=9W1rz>ATso-yQRC^ZGFkUbch=h@APyr&#&Ht|e
z5uai=xs~CuP>*B`%WK_;bmVd8$boe227m!}e(UbRA+E-tDR`afy~590jY)SC)sWDN
zW7QOzM0ZDQ>j+N)@->gMBA3QgGG9v@J_DZeI?99Dr!`nQ+J!5IDE<`3x)X9l@dn+S
z<0PLn?ouA%H_k()qxqz^LARq4L@{$$O-sk}AeNRjJZ0R{OB!dFJ^0A{Go|8U#6H4V
zPo-n8CL`tyHB+w{3lvKXY9am5KU$gD-n+|(T7*`r1k}o#nMUMEt5y&M!$lrXH%=K@
z=A<yv^)UwmR<oUVKH(uF&wQ^+!D?HLiDd1`ftrYRYB5p?&AQlv=V-inQStES#cdUc
z#Q_|L*M>-7mPihZQmECf^dI9yiUUp<%Zt7u1zEBrpb<WvEij$*gU&N~mzE=0=;6c4
z+zMr+Fp0Tfw*#|;B7?=p^->6(>Be7<c;N73&XG-oPrA}P(>l7?!HzDH1KM?%*bwbF
zu%j?B{|aH&k&L~p#oqH!31{~J@Zq@GsgoqVOlP15NTHC#XIoiYplzf<j!RldCMl-C
z&MDAiDT+bwVrvsowp5lRv^Vma?aAPEXKk@%bRvQgx*6iw6l1Bsx>~m8&fy$q7nSm?
z@DeetS;%Bbf%}9fUMw|RSbr9XYN_af&?#!3EErF`Nc12pA<9peBLzo5ge54w2QsJK
zK61&QT0e?|4L2W_%t(K{rE<G$xOD6(JZbECB;{J#Nq0Hf$r(3soJnxbg$fjlD(d1W
zdKrb7j)DL4Ji}`*q#LjNaG8ldxdafc#Lb9ic=!N-y0wzHP*hWHhv<?xS@;|HTM4zE
zVX2EC?_?c@uumcUA?gY#1J0pf35czbh}ge8?I#}@#^$9S)a6ccFg_5sYs66X$R~1)
zxme`LJFsPlDoBHL6wk^zs7TFKR*133Ie&q)5_ff_8}Eu;w(OTzlPlF-kC7_d-cIh|
z!NG9V$sJPU$@8Rb-{mfUOe*SAGBj+dvWA72ibe=JR+wA6+!}Jp>g0|Gg2AhuUmUH<
zKMo)+#mtmO1rE>hd=h7@_3Un0ZY)`o(N$E^Rw!h_)fwSSA9#aUN?<s+fP5$?dYN&7
z3^GFtStdSXvjBZ)#H0KUty@KPD95J^OvDG(6xWXn0y~5AosFlSp?fG-;B+6q`=--w
zfSouPs*%7pIg?XbPwAX!Ah8Eyiug!h*|5c~ch)$tuUzj+(J>jiaip_c?`#V3tO#=%
zGdcq#|E5k2@xZuhi_QG*w!$&LyGw~?a8o@{RSPJR-OH1eZzn5Pq@%4|&zO`Pej^=0
z!i!Z1sl?2P?m#Vin$h{;Qg)IxwwZk@p+Vc(1ll3z+#Cuz#zHMdFq6^aa+-+6C}wJs
znuPH05XXs|2dX!bJ(o28@}wPiet!l^OSgE!fG^0!3GG#L;~4FUOUB7l!oV|uO^_k2
ztUw^haGd&Aa6rctg-mZ_j~Fi(hAcw~h46QB9F^_w#T#)NujXVOWq=LUw)J68Jk818
ztbC<|@WW2Q$Y!fU!jYf@L+5c8r71?zc5ZjD4X)FIyTOW8t*i^SFl|NdNP(lB{YtQm
zxm+G0*2|#bjS99#*u90X*xul*jm_H|0vb}$RP8oDIgRe~(wqp6QJ<~SCCS+GbmNc5
z-1ON$d{bu%u_|IuA$hdjBN2x0m6fRNjge9wGHm;3?E_gp9OhFvMmBKHkG?X5?5sr~
zyMnBC8jRPp3MF2TH;z<Vg;G=btU`T?-4Y#B6d2y<+%o!AYmzkae$lOX#wF_U^`)`b
z<UwbmV)1Ea&SAK)Yyr-cv~JEZvYU}`5822u)WYT=cw{DNM!{-4i*)9m)2<l8gvl%O
zf}OD_Cxegp=F-{e*xS`O>KH<L1UX{xIOnn7=A;wpk2anOF*e|=H3LjL;4-#YAcv=G
z-8(!;48KZ2sE(x0BNL>`VNzChj6XL6VEA@mM-##lKtR&l(OPH59R~!Lf=nH8f>{XN
z5wESZKnx4<sNCaD*QO$?#6#o#ajdyUD2`5Qoyo2@Jge2;c(8=G_HgJ~%Ww^#%iWA*
z--Zna@O=_l^LRAb)oFVm`!UhM64?&Kor9{I2KH&WD;?Wct*s)?@4TIiJ&)6bop(OF
zL>eNEN|~c?FdP?}U!;&b;XZa~eyIc|ge)+Gi)~}mVJs|6)HMKbMi%<9)BI*K;mrPG
zDdFuet7P_<QR?x)ihG$eFfxlP(T<&%U-$+^rZ&)&K$<TyS&RZ<5uz0H(M`rS-asj$
zJ!}^0(aplQHS<JXn}SF^5Cqjt7!DiYC`OjOjGb^)2Lxl*k+D3@`A=tpEa0eDb<<l1
zn&zb0FQRi~M_z+mW6S{D3b~&5%kN~A6!TByvU4!u^7{o+@HSS{0K}CnDE4o8lnV%K
z%zly!h{Nqs9&G*{%<M99VcyFi6HFOh$g8JP96^X~Wh&zTgJ2WDk}hG|yAE!Eqt@69
za))CT4Ao@f0JqAL1uIdo!;DfM&48#+%l(aKeWRxpPfSS7K6xTHq+?_(Nym1kW6P@_
z?YOb#ULqFHC+fGl>CNBoZ6Y@v*(6b4&uSJi1E7(b*R3CIJoR`Dg3LpX`C)N|A{v3g
z<qpw(SfVgD^{9mZXOjXhkXr=$F~vKODCDEU+28lVeGAfFJAxAO98)Bo17*cdIWSgI
zR+3(+D53i(4Mt>(9xMNa1%?-a1Kp{}S`lNEH^D{$d;l~ugz2=W84GihG{`ebY+)8|
zhjbk#!nY68tp{)$nie_F<{zt0Nh(cUu)_+Zu8F(mw2rQC<BXj8E8QEx%25EV8A7%~
zWDZ~%p%3A^mqQ~9<7>G$w=6JF1{wZE1p8AcMmY|+@B_6$Tq{lrNFqVQB$Z$jZDe@q
zNv0M6NLj$kItEpCz*F`LUxOszvpP(JzNuVX{m5(I{7O#Sp?DNp={y^}SYK(b!m#NB
zbwn-b;JX(^!|Z@CS`JARVc0{eVc>vhG@@czvRi;1U=TDF*~US>vn30)VsC0{#$K0k
zrB1C)N49APnm{cn=ADC83nvyOYzKyOEqO+Zf($kW{7#gh%+pQBS#`#k<?I%w!;>sS
zU;!8;&E5%iL*+`=#L3D7=}0S4Ksss3bt}4m1Rz5Uqi3iIzYDko8Tpv23@||H9M@Pl
zh{!`6J)H`!A<jLrB-QsWyF(_?*L`Lt(bs>Vr|*y5{XD#HrgVyDyOD=WQFJ3uDtmQB
zGQt}8QXD<E;NAEbKHSL@64^^9rm`QaN@Th2_>O<+!mE-Czsk67)L(1ga`8akmd!{n
zX#I7+#fg@SM-6!4*0cB>d(^8p1L)$41?PNX=$m9r95!;=4P=a85F6ag*UT@j`s4Ta
zUPs1+1@~U|R#WyL`U(|~3GTmNkon8?|D;I8^_!z#5U{WA{_?rJ8@1pguV3~DGA7)9
z#n8(Q*j+dD`-OnrzpCzdGA5EvjDD)^Y6s8X+wAY};tFEE2F%TP`kcu3UIOn#!+^wR
zpR=!tvL~+N_}P}oit4&87w`e(DJQ?p$Iid;)#`Izo%xOGx_2(PZPFA@31oNAG0)bP
zy6si@^$+Myv?W!%y}iAf9InPjBxhGFUf(~#C;qBWegW0hKgmtRneDe-&-G~oFKxW_
z+!`*9bR@+<wi{ZbU$o2n+<mx-x{C)!X!h1@I&)ygY^#y@EG7+$FI?F>s!x73-}(i<
zR@<m=b!4~1V+Zonz@+`-TxG_6Woo8q#O6%JaQYYv9J)R#(NJD=EisqmvG>KdTydPE
z2aW~Vz6tbV;}K73T<g|Bh+O@YajcbhjH<tK+<>b3Gsl^?az{l~{fu!DrR^ZYC`t^Z
z<Y7GO4FWP>!E-<NnvXp1J)6h=<=^=p1HEvfsDJXZrmA0G$f&Q)e}Ze{7K)d+Pg~DP
zT~pUE86QY~6gNEkWJP_P8+0vqV12xglJ)Vv{Ls3}9p;nd_VY=~^;fb!K7b$GBr3;;
z5G+Z#s83Rk2#LvK>*Is@8Sly+?vs=o;**pcs$_k<oSzA<T!l|kZkSI}Zn%>5arRRu
zPjuzDnc9++8|jmjJ5tH|_)+{2)hYZKB}-Cnv`<oQjFR>7qZ{fpSGf6-OZFxwT#aLV
zk{ZYQBsGpxvOdmzfDAMr8a~W!{j5F4UA)TmjgH?Ie$$Oc`<I}4{-f9H<G{uD&%-}2
ze2lB_#?x#O^UUTmo4V6F^F)I0*#N>ma9{#~Z`JeYg~F6^UMg_Oq!SC=#_i<-U#@h5
zftx73WSBC}iv}+AH`$;qTkYPk`p#}4s!+YpkJpv5*)6Q1^2c&dA>R=`Q3zzW=sV91
z4z)s$uhj*oRJ&RqrYQ6B1uUF^0WT+Ez|@Nv+IBKVcsU^hUQWt@v%chDa;E({rd<AL
zJ~dGEy$#*fzo+T0FI`wR)e)|$UpK-{B!i1I>#pO1?MySytn%5{gI;F409OR09Hm70
z?CtywNjcsLSnvx-IW{C^A|U0&kd!q}%7S}H%4ytsrBDAQ8u2l9jFh}+{QI~G<ltP(
z?#w^U2Tu}>k5~?#^o3=I1>ZP3;@=J3+Gi-H;0MNKVE#9{7E=60rj3CHfEj!?ebfE?
zq-WgrDA#|M<*!qH4iBjJjLqThKJk3*e=s^Ckz`iM_>2w4XF@PO<HPZ(3dUz*I6gJO
z_#{NeY0?Aj<r<$3aOuc!$)n@<N9k)>`&YwzAM;o9zG(cW;&sbDWfGGOA8t}DVtV)?
z)?D{iRr&YtF&aLgE#1U|v;4or!`JwK@eGc*I(wVF2;y8+!T;#li^lT*c>YH{UNkY0
zZCD`y*@jm4)8>App2_TVKV9xepSmS;AV0UAOlSf(S(fX*<crE5I%2?-2^IF6)R$!^
z)Kp3R#LroB`+6}Imzh(wWwM`~KjF!9)MP(5C;O>6IhdJ~{luIc%*)AsT22mT<>W;6
ze$B;&RRYeC|G3Ms!uW9F^$-lb@ONgjs@MH%B9qh4%*lRYPWJP1axg6?`&kK6Zc<M6
za}u%IGTF_@>ls&ezxkkMelomS_f90y*lm>JqhBrzlpm$)x((>A(vhmJTXIZcv=BD`
z&j+kMCE5Dgr(v`??O){P=^}p9_wC=%=P$5MOiS}I<UfkC-T5xg_v$lijM~h;P1TQ%
zC7nMOvU|dnjB_GepqnFTwm>&W*_M!?qMxIsrz1oYX9j~iCHs4myYt@=b+;mSHR8YH
z$;^_q`Jd7!$$|gY;MdM%;0vGG@b?Lu4M6XXQSUAQuIJV6y$e~@@vwU5jLVRjJ*&2O
zW~Pfy9!^f!M|AU_;Uk})o73<eb*-CC%V&~4^{}kkh2Dboja<e&zH0o#YG|P>SJ|gd
z6kj%hw3{`dd3zNf4EcwIK-StYYPR3Vwc5HL`(fF+P2Q&UBXrrQhrLbfdH);Zf$G`*
zGTFC&l$@R0F<1A~PGt+H`busL<nvQf)}|~2jg3w$;-f%m=Z|7;OyQ`A269V&)gDHV
zg(T|q%kQpEhlc93`kLx%m*kKB)cymsyD8gMAKy1?=DyQ!8^YgnZXd7!x|VgE!b6p1
zT@+-EB5S&3eJ;rAw}7%`*DfgqRBnKx<qyU8)#WF2oNl0$dC~1Y^X!f>227cs3o@_j
zC<ce^Vk4Y=w2N7oeQ*zdbD1&(#iw(b2tPOHGJW{T<T8Ev`ARNx7(c(rW%}`RYcA8D
zpSN?F0sO>rnSuO#DVNblQ}*OCgZNpS%M9k{v|L6vdDrDKL-_ej&OSAt%Vng4*0*FT
z_z^vFnIlMDk;~}YD?mSzpUt_<QT$BEWk&IHUoJD6pJlns7?*i8KcC8Fj^XF5T;^DQ
z?#^Y7<7am+b38v!<?KT8_FSftrz>-r6ZjdO%bdv1r7f9p{J55N+3~|UyT<%`xy%Q6
z`bjQx3O`ThGN<xGlON>g{9NWVe$u(j>HHj(%S_<s_*^E&&)0LA5Ag$zXYfOjGx?$A
z5A$<oE^`(?&AH6k{Cun>Gm#(H^0}mF<UD@1<TB^;)0)d%z|Z};Ocg(Ly_z4YUdYdo
zTt=5Y|0S2v$8H#xI6p&knTz;&J(szdpAET8f}cBcnIu1d&SmtSxKHLX`u@o7mQ0Et
z*K!RhN?pzmXkNk36S>UC_-V>zuH<J?E;E&%1-Z<}`FS*#xyn6F<EJ*4`2;`Pa+y!^
z19DgMGdE{fcF)XZuI1_CT;|{SnVidfik}%Rnd$tvmSr5qbD4kV=Rb3q&+&6uE+hQ}
z(Qn}AoLuJf{QNMN`2s&Jxy%>&S(?k-$j^^*8C{V7)m-Mw{9KaD+{Dk%bD5j@xg}?}
z)k97hG4Sx$__?zsGlL&%IX>&rT>Os9a`8L2<l=SwKl=<;pe?!hx2NXf-`SUo*OQmM
zG8g~u&|JLX{#^Vn$~S&D7ysUpT>Se(TH<pYm>*w}i~r=-T>S3Mx%f{f<l^_-my7>w
zSuXx_(!cmrF8<52a`9i?os0i^cP{>$r*iSR?Ya1G0sFhrx%lrdZHeFOz|6Zm7r(Dh
zF8-$hx%mC0{|pxYN%}9#bMe3aEf=5vy<Gfn<8tx;IxiQ0fV{tFa`6Y(=i(22Bp3h3
zu`O{EBf0n^cjV%a&dJ4_zLkqFx-=JWz9|=9d~`1U*u}Z{k`LwL|DyQg*XQE7|H#E#
zX5`{apU%afxFi=}_EIjs{OFeWlMb5|Apb1YpWBs-KYvj!zOpVCf8ndS_=`Jo@t3a4
z#aoBv;;a5G7hercUarc;U-?lk{%UJ3zUIPQeC^j;;%yGh#v60-O%1vD=96>rEmLyw
z{M=l;9WYy`=i(h7&c(Ow&BeD@=i)oo=Hfe>bMekmx%e*V`5MEr`=OTj9)U?TWF(Rn
zHuGhJCdoeni}H6}#TSb*5>j<-_Whe>6m=OVm0?Nia}Qezl@pDLafwC~XZG<2Ta!PN
zf9R94whcVCAOT80k-$qdUUGyl^|acWQ&K8bC^f#g)E7!hO)r!>x46`ll2S7YrD}>x
z9amJUU%k2!Vs>3|xi|0$w3~74J7L|7&+=vPJ3Nzrjxr^EoI0y}2me}9gbrGflHT1_
zQiR@Fk&>=`zN83Uvmzz^x~Qm#@0S%S=~N|!o-h?BM^qw_ow+oTt!>UueI$`h&rdYO
zd2GoaJxq)cZ{y2{^UG%7mx#}A5p!TB&ulBJ9b}ra{YT1ZpcFM;KGSLt2_4Vt`M!_u
zKah<R`#f`gL;8_K!_?-6TAt!W&2;Jgzfm_Ef2D5bD`mCG0LXXwu!sUHJj|cjV@v*P
z_WM|(q2DjEl@wUjG|Rj;Erv#Z=(PQO5{rMRTx03Fe<d*GrN-4qmN+w8v$e!9PF<Q!
zuSjL%%`Ne5Do<ycUGJJ*?^@y;4bJ$6sT)Cp05vX7FDq|q2H{^}2EzA0X`bCY<FLB;
zwn$xkW27OzaZ-HcS64K|S45g8#kb9vNviP(sM4>izOt-oUNN4ZV^#$%oWv(^UZg}r
z+BdY+HAJu+ZKbB}KTrgo!0CSXQ8<xZY+n?$uL3Sw1MK{3kl78!axnMMTjE;1m9^{B
zzP<G1d2HsOCtqbm>e?dsaz04v*?bl%!vc-R^y#JI1}ZLYJFLEM$JxESeVn)1#~hSg
zq9MJM^By?o1TNA^@1iT}p;^9&Zsm7MZ<UOK#&3bv>V7?@L9D(~!#GyM2&=9D;)+z`
zbX;E7lAcPys5p?Iqn3PvPgd)ZJx}{Aini>@9*RK;ys=kTUsGU<@x}03X3ai~M%AvM
z3SvXLb>TW2J`+=`(hl^)Dzwlogbn!L@B=~3AB!*gwI2iSLNL*IkCh1^Z74wcehDNk
zDLk6jmq2<BQV5bm%}C<l_SK63?xq6VvrFI>VOU-Q_gfw=81@yi0i-PjNZV5`-}QA?
z0mH{J*$aK0P=Hid45_^U>GubNbV~^&TY&rCL68uqjsm1l91K#d1d_f;=jpF+uZ56y
z6d;u!4AK_-PC@VbbWHVN`ob6?m|X=hOD}c#J%}{71Ps2~U<@Ib;nrZxW;2klZo`;-
z-_J{{JGLz~YCkH&GLd~yc4_t}vRo4lKhXo2%<|0ssR@R_tWaw|9V;uV&wPqf<qz3U
zU1tQQys++30Vtbsx~trhZy!WWuKj7~cj;`Tii6zLWqtE9b>S8J5Bw8U%G&GQ(9UW)
z={FZrt0h0uYCo1}G&|EH^LJ%7m^}<**(fxcrI=`JoKEWtPqW%KmA-e05O;6g1ib+c
zEz}-|CoXvJYoAl7UDKoX2TE%HIohN4ltS&{J!)@*e+q4%X%eIa^N$s3uS^zTJIw!5
zTzi_VAeqNOr~j=`^=Cb*R+d!7JSwUB`9jry>rr(xEEeKC4U?jz>aB&UC-$g%e@WHp
z-Ky3Xs^$~j`+9RpRZNhQR_`uU{m&j%KU`e(o_g_kY3+H1+Bfy6{pQ{S2mWcZ$GE>G
zzhD5yLu<zv*$O`E4`eC)6$U-72Ak}Te=VgIKe13BI8A0^c+_?#8seP|Rb%n4ypLp;
zC2NmXZbBcfBMW1d(xy;;=0qG7&MZ_Q8CDqQE3iLc6>bPC=rh;81(IQfiM|3>iB&i|
ztZ+@C0?DvK%2!DF3jM<hHy0|93@c3c6{h<NFNoUe^sL#WsB^Lk1W#eL8NM1pYlhgb
z!)o`qYNxqs?x}XHKqeaJ*jS2a&f;`+KNHkdb01g92BU0Ne>)q>vdv9nRfNG>oMy1H
zvN{-@8urE9d-eg@xKlO*mQZ$AqM>SFg3Dg0bj?QtBevVfQYhW&Rlk+|5G7T)rAq#n
zGH3aEYr@zeJC(Bp0B=ly+tjXxT0M3Wr}%J%$MEks%MMj<T!Vq=^sAm<F#iu#yrQ(Y
zR@#Ruo+>Ra@5P~tPb@7y^j(TiFD<^772lzt&nPWE|Io$j#T%tHZY!=)#gt^VQQKVP
z9gKHrJ2>9lw7>*HOMV?2u?a0C>Snf<)s`=6CO>~JneAf4g8lcbeW9!=7__aIP)(){
z-0~NEQQ7#)mblh(WgW+$kokyWzm4d|!xwc4-nInWGndw3#MjMSG5G6i8saNM1|558
zz@Xq-Gmuw~H=SiGo|Fxmb?vLUo76Nc74AXI=$F5RypXWPqDb=)1B2<?ul)(@P`^dD
zN+(b4Y<mA(Q@Cc{=T8<IFepm<*A#eI_FdB{u0;M^KKG|4nU7}oHT3(I%E-2C`mirE
z%9n8s)^$Z{6TXU>fermGR+U+*Qst{`!fofvn1R>O@5Hdo6klesmFYK#7fgUfm;q(^
zM#y=P-d0s05k5*MR^8HDFDD!Atd|QYU~{l3;hXxnYw9<u88mf5&!!ss&9oAW7miV9
zH0>890g=y%l|-ew=2X*l0Z?X$&z#=$Ri7z8pwFDqG|OkoJ879F>6*Upv*kneWhXZM
z+Gmy(GRHOjm(T2g`5ge+M@>yWd$U$2LaU!lm!{=D`x(pb_qT5q_4dq*dk|I?VY*R3
z^dy&_Q*HxmsOE}mmniyTQz$3>oAc&2e70<c)SeY&P>3dQX`mh63sre3Ck}7#rgPof
zsv6}?*svYbv{Mn@)N@MVD<gzrPi$JsCOizIt6*L8G&OK^Kt0k~ILc-KC=v}JXf630
z;|HU|uZyZ))O#u4$clm}Dp&>(1DvxV)e3Lu2?|2Z^RhRJf?u^2fbK^6Y5K7lJDd=|
z11n?@9Dm3Xe#^kow&$w1Rb5}C<;Wx?*biB7me2kz;~vPlWAsX13yMjon2A5tt!ACx
zoF>cKm-q}N6qN2C&$9|Lr%YzP!J`hxIxBbEMa-PWsco*XnFnc=_l3U*s|LoH)&8V-
z*BN6!P}S~h?}_2s8=p*o!6vQOvUrc=F_;w3e}i}w-V)ps(d|w!$0%ig?NdRsr>cUA
z7#fCEd$8t%1ZN0Cy>3Xa@OHzvp8d!a)%ZONiH;8i`0NhA7wTU(#e}d&*;@Rqm5PVP
zsO!I0B)<PJVUaI``7wdc=TUo<L~-CR(Ri)YDoct)=g#3WpZ%<|C&jyLv}c?UWXlUg
z=`LLwU?mNeoD(DlFXfO2ewud76#C<2L*B!-8XFBxJnuM8UY7B_A!i@x^**^%RK;9$
z#%IUqvGE8(pwtfodV!%~%o1c-q=I@^D3w7jJD%}feV>*?j%L>ynE_b5H1>`>^8gib
z&HI4^*rg)khcBduj)S0LOa69yH#P6b1ipsfZ)~~9yfDtUtS-%>1`5h+W!XkCRIcZ1
zKS}P?GREQfuu)TXiNy_+I2*g;SZCmI3W3uPszV$NXMO3_nzo?~aD3a=hK7*G(-2zd
zNL$Q*=TSePqm9TK7E2z-kv(x_c*Ou+iIy^H0IwZ1@}t6$_aj{`%nHs}?S-2}(Li%l
z%n&+R2-WFR?@lHL&`kiANKv&ZdFc07Lp+pMH89Xp!ORd(@W#!AHYa*%RuY&e7{7-U
z4)smC)B5M|yB?$iol}tIU?NBkA<Ab5(pYXvpNfDU#n=_;(6D!f+NNWfw4qLz5Ry@|
zTSn`Q+h~g<;w!7w4FA_PAC{=gM~Iy3V|_FQS60@1eBzvV*Ei&D@50FJ(=i~?(u_i5
zJX`Y9&bR3c75eZV@(2l|l1=fj3t=wJW3Li)u3~Puz1A*S4VUQXuhB?AuexnD^ko6e
zJinWP&PEn=Eo(oY$=?uvk`HUs1_f;{9WhzoyDqDbFP}AY`TJ@=;a;`mUxQWZ@_i=7
zpS&$jC4z%W>%DTJ)jRjZ+V|P(KBcc8^{>BK>-Y5C_Bu9vt-0!Gz9qj87j(l^5PB}r
zc(~{@e<30OJ~C##mDyXz9$XKUKkZ>pa$em2bK0+SQpJFtV~9sUy!<!l+}a<uU&LGM
z-1{5)J$zH8!qysw%p;)|ePiXmvG&of@VT`V{$)_Op|tRN=BzMl-v+ioK3|1z4+?*|
zwD5yLVSUh@!Y8QkXM)0)mlm!M3jfd*et+$_hJNv&@R_BBul9vIZUF4@-$<4}G<7-3
zbp?x?_x<+5vS3MM+?ubS1V8dpbbsVr(r`f|nzlfK!vk=m37%M9-em6_liXKDY%d)S
znBxWHT|nUS%sdlwr7Ng&&MW533eC`LEf?7`Q$S!XBWUTCvN`vM#^gl3>TjZyVl7pp
zpn(-@n7SuhGuBn88Xx3R0+(t4sH&<colv?|OSV$Im3igc<FRTylesP7cVEnqXd{O?
zDxp=Cu(x$H^JO!zY~0kXYu3Cq`EMqo?XI;LWN&Pj?_v6T^>aGCG~#1PP7E@qe}uK`
z2LhGsYpvQ{sI|9RGoV$pI1D0srP|XD=lwB7*7HE%_9ic&q;KSVY9uQQq|?v+J!;AX
zt9jDM_P=HZUolVuDTF!JB&89;DAx()x<qHA9Cc~Q+&@M+gyzgHM>(=3c0J`7e;L<x
zGds&_MLA?$IHXG3kb0TcQ_nS2jgnpdeky8=%)*>8`r)?UUs$&A5pZcb9mZdj;7|Uj
zb0mN%2B9t%zftd;Amc1$n6gAbx8&ci$8(khko3WJ2kD!F^wh)xqz*_HY&u*=FWOum
zL8hpWw5dL-a{yl^D%<t}(ofDj%l$jK)y5rui%M;>aSB>3`RlLtoYV1H!&tUXwq}&o
zZK#=Gd09d>)xDM~<97G1YJ$2+AUTaR@X&x=m#s;3XemaHJ&i9)J5WUyf!nyFwOYF5
zh}TtB=<-EY7Ytt~vuCH)l6%lj{qU1Pr_MFdqF8>Gn@^r%;vw-3N&`xibr1?K=Yl9^
z%4!Rerl9X8bkp68g|=@%+%tyX_dX&5u6|CQ0*1l(X&>9hVmz5WJ2RZzgLdZePx#KX
zKLnx%y|_P2UvWU#ACJj*U0J#m4ye*LMh^3uDt?(G_N$&$1q13H%$Q<8&oJC2!zRVs
z;M=kHG6N0(-tp}s@$Ja7jBhpWf~au^h^4KS|1(OiJHHo7t|7B0C6|(WP)go1?SGh(
z>Kpy6Nq9=?m*=WPF(t`#ga|1)!BcXUC^;6Eag=NoC6}LBLP<Ak{7|TsLs2q_zPQwJ
zp)he`%k#t;0e6}N8SCbQ=bu1oTu39vskgCyfU6{3JIiKNlHGYw!k%zdKv+3aDcWj6
zDwuKyVbObCS<viGz#go55P}A>Mm*;!bucb2E;{~QrD@5u3H4HiYzyR-qe(#R`K}wC
zp4wd!?Hbst!hzkXfqm^mHn1vYz2Rt$Y<?c(SZcVUN;9#e!sUhpnBYs<+zhHz`6>yj
zB*H2I6RLNNm@En47U>EUCz8SfVG3L{Hk51{cW0?|b(}?IdfJj7zD?%BRK$i!#aGYJ
z$q8=^t4zlzE2(aT5@?A@)R1c3TR@glFKl6cM@b8}9JB=p6v*suEp!_fNoGU-zH<=l
z5?|24W`f3M>>n7LY&bT%G&UcP`LUtLf1*+e?ry}hh|xMMv|3I_l`M?@E?2-uXhhW0
zbW<a<)W}au8`(8MjaXeKn31y&tW(k!FKU?&2FoZ~pi}+U5;}bhcKSaZ38QGCh4+=V
zunVH}-on90qI9eqYij6An{9u+l>g$%CQzK(o$+Dor7Ho237LB-|DPD#5cv?sTz9?|
zr5Lm3vmNM;OMuGU71NJ*;tkkRkAZmO%v!GnIyj}~nC4F&mLXF6*MsshbHZA;f&8nv
z^<eAE4+8()5jfGNnIT~y&G{d4{Jh@q@V)Ok>wm8IfA+BcTfLv8RhcIB|6K3$o}dno
zgZG|BWhnYFANy`&UQ!^GU84$;<$)qPcV83aZO2IbHfNXSBD~j9*7>Ik%Pd*fT%%V@
z#xWT7DqJ!m7)(3Cs%9DG2`89HnP6h{CpxF&^k9wP;ru6X_?Sas;qY^{=@x5OosJ|a
zSkec_Gv9eoJdb`?JP~+?qjBSF1AD<S+8xI?)SkoffzwKGEZzNaGwo?poMv^Snyi@y
znxWOe$|>}$8?iM8PVFL<9pP_1(G#9`Uj`2wNLDE4*=Ue?`6(=iyOa4MYL$@rj6xSW
zKNxnQ*ER7ci`K+@K2WqKc2dyK&hd;}hqM1Zrtb^pm`apN!28vSLrOsFjR*AVhbiqP
zTkWs9%f>*HluF@EY9SCSwunJOw&dR+NH^SM3VMsC?zSIM3hQS9td@8uqv0|CfCf-7
zf9C>!Wi8?B)B>y3y|SVH+(;^*nnV5fZmpei=+@3WWNR1wcUyb(gd#cxp2hBc_}vjj
z`upAR|6*?tPYFoZSYlKp0i2ERfjn7xQChPV4e>qinNpFGmIj%{*ZyIw5hD9#as&eu
zIirkl0sfgUv}w@q5M_+p2~*0-@Mf|X@5XWUhf0c-`(kfTwqkOS*l<5kT5N<bw$h5t
z=<b_^l=0SFSp<}XK@c%+kUn1uX{3krUDsfU*M+6Uj`qbq+YPUyON+@ES1-@)9WNP=
z;3ZNCFC+VVoe$Zu?}29?8QvSuWT(DD!+|(x^9IrHiUH0T)?kIYoTz-PS2(Yg57XkS
z2c&5wkYoi>O3Tvtir303<g0xt-`Xq0a4)iS?hhyd*nMK`oS;qybgM#+v|`z=$l`$~
zj;5@ZC6X-U6Z-~h-{Tm({4*yh3|^k@vX0|H5v&$3Jd7t7sxeMwjvlW7_-(lAx8WAP
zb(QtRyB&{OEA^uZv!dx_#|@?h^8Kmg3)X1tzXf`9y|d#2*Gg^?y(!D@q<u2{s;L5F
zLR$t63M|)N&@<*}Bhiw7dx!%-Z*VRyG}u}@5v?=Ufn2<hzIntyD8xVWej=0ZV-mW;
zW(hC`c+SpwtoD=;g4wP&J3EHgSBwwr*B&$IORk~ZB3vG2`7<2uf@qenA{7n)#&6+E
zm*f?wXVn|-JobIj-qS?&=hasWl#3Np?#cIo^==v{X)HI+(=%8v%6Hf$r0beJ?y#1(
zyDk2myC*c9J`CvFuD-9~5v_X+MAPI!Z;u~9TJooyYP9z5y1PpNod=+I<Cu0Rb1;tC
z^vXf{y^=~!-pU4na^VRBD9H}7n}c0>s&ncJ`nX~Bih0awhH_g+71%PFiH!N6a+U;-
zpSQ=wt}nrs>7BB9efggcb`W4NPSrddY#s2L_8H-9Jl`P~Gd3DT4;(FdNA#>s0gvNx
z?FN-sE%~+&7*xNKZT1fTV28T6mn+<0j!iU-vNnCksts?zr$Ivls_nA_&*N>r!iv$x
znZAtzdM^GGJQXfs?nr9E94-jGPlwy{pz7(}&{GS>Q^wKOrbzE<7w=XSN5qIi!1~0?
z2M!R#vPfoP{z&ngu5{yQ`r7<hZJcDU^;Gcw-_s2<t8C^;gk`<x%T-6ZpK)z|c;$Z1
zliOgvbRyu2BUfONv1Ti2Kxlk|Tk3k>*#zKpx{kmPkO5V1lcT2@_WRWsi*En2z<r|v
z&`ri?z^~Zk$25$Pk{LWrO~=~&t2%-wdA|RB3^{1ER85y8RWes~qy6gj*H1^*`aPl$
z#)GRo3<{j6rkqLNc7k<VTlyy13)Z<eHADPv-gr>_ejphwGI{(49|FJ9WzyOc9r{9h
z5fiKj+WT7zXx}Id9NH%r&<;4=QM5bO3pX4T>zCJ*Vm<XF;Zm|fx`7C)9w>dW2&Gj5
z?@+oMUh)gLKu1<E$X(`J^yXBj(XeE7)XxQJ1*@ZAO;xnp`B}A>UCb^fGzOgQZbPer
zm&vu`+c?vTOIlFY*nR<8tH5~)kXi~-b_kGzdPVV68!Bxy2(e-<YhhOA!uhgHPX*n0
z#WMRP&N83vG)n$wrk^$T+Uh)|fs=&|X{|D8!!W%OOzY!o$+2nl%<=m<uyXC%4n@l^
z?csekQx;~px2mknPNX<I*fDyMu-?+RtMz1g;*TC{#19SvLdBZmZtCQp>EnYpcm@rc
zVbT6=aB%py<S%gSqplAWk6tQ%4a|E2m)!w9dWa%u$v<!mSdgpq#Y(#fkmiLd5Kg2<
zy^)P^yDWsB7#;4R{q}+YBOTqPD58fj3Sduiu)E0X%IQ@tqKJ{SAuog`uRK-_bw%7M
z#`9?tFPwblFh)!M$m0yzp6v%iP#LyA!?jN}6rWW`;KbJq;e0aDD}Ip^Sph2Tj|=%i
zmNrGcfq(XY$uLA#xlNIe$aZ?@Xtf_!reywWzT~*D<fSTkmz9Kl0QPlX<fO33wJP#?
zSEP+llyisFinU~RL#(O!T-l&R9fzpNv)6-a$JuiS7grTZfk_)jd8v`6)bRQWU!15*
zyQttGn0_ck!!TVx#%M~L5P=zBiVkIq&B?T=Wx!@GCA>oHfZbU-9^ZD%!?a<QjjlnH
z7OZWjiJWk2Yr4+Qy<^SNVK@yE3e_YF)6Ay*v9wYje-lJ(ygv?nA~W6$RZ$?Niecx=
zAF8?$&3{2I{?5)^eE&al@dJxQ3YmF30hs@d>!M|7g66+hl(9$|Gd&Sp?;#|#kOMrO
zw~hyPAP`#ecTm>+(cwC{1REO_*PBm!9aH{LO^pz$x1W4N&6Rq}+K<M3nqg~-)2Q$_
z$Uqhar@Mmo17Kv-6=>5MqMhP&yXHo{uII<cB`DjQWnE_XFnUF188nqGoRy%ZE7sO`
z9F9irq-1Ge4AeHe{uS9Yi*6RJE*IZoLSl=o=fv^5S}-qlw_s{Ug%-?6!RltgOfWM8
zzR_CL%+ApdPuFC;C1hM%rJW2I>o8+-@mPnsEu>thZQa2LcG+r`!SuE~32*(^I{?=8
zb3FiK%i4tp;o@TUkiua8c`MLco~AAq9`BKnVQk10S)Ogi@xE5E<!NX<=&L$3nr)oI
z3F(wnq0Ny03c9qRY9a!6yx8;z!Xd%xc!z`Kk5&G@qb<L?AH<uV1B2oP3KT=15I}#(
zK?$HM-=P2cJwcz~q04eh6e~R)@b?j0oiD&!K74zl(h^RM#6;P9Q}S=3)P44NSJblG
zf@~<!gdI?(Zr=oAoM_+kTYk=2VLONAv+veRJ7Rx!(A3q>h@}-}&P3syyFF^cH0xCV
z=bRLCtNDrIA6-9CK6|wQHL@tM*fN_~7df2gH+|Vlz7xk-85lqzcvj|wpv+f%nFFKI
zM~ywPdi?1UtRAw*5UZ~hWA(eEJXSLj-7xz5N+Z|&rdxb#KcF=qG#_9zCn$59FY_fU
z;}(x6saa2$(WJ45j8bi))WD*b`<@cIt;#;b&<U?Q2yDgB!t~s_Q8m!4O|y#oa?wbZ
z%oqc<boU(E&ko;r<9&;*l~QrMe|G?_t{7U^5$_6ZI?OmPTYGP}aMFgU_tNkAs6nCE
zRHXsRwm2?0VFdJUoI0Ojo#%)3KaS%)Q@{9p)zNe%m{WIbvxDi`NArkAJY|_Se!Df9
zXt3NwV`Hb}XExJnWh?A=;dg|FJ3#-8xmEMO7%nt^Vuc$r0_>65=9EbZGT(y|-6$wY
z<*7IANmXvichR$hm->(|rT)v?*GZ2%Wj)G|=e_AYS7w2s_M+@yX{(m98r!)lS;OQZ
za1b(XBK0IqX~$6O!TsIVEa%#Cr)16Y6O9?2491}7ltYo8nJYarg5`}f`b^I(9wy(;
zKI%JfAl%-=8#qL)72k(9aNnf(E9MQ<%5tK}7+o&hP3Ja!w}c;i(l_8^*_hrUqUQyi
zE8tHQMXe*YX@)8@R^+cz9p{s9qgJfBYrsDLQ?aVk+&7~g-c@sd`hXjx(D!h6MX0&2
z7OY~;-9wh!0tN@GNP1Q&Nxuvn27?<#s%p?tGGm%UwY-a$E%8@Edh@0Sy?+I_*Tr9f
z-mgrGKVtL_mwG>YBA|D3(~pbkT~DQs&oPl1LH6w=*_}=)UO4{#S+aeR%LGY_6gL#D
z!rH$Y!>f`5MNw<jL|&DqqPyWGuvd%6&5x8RfD4=g=<*g~Cl+G28CNpa6W_~N2R^z*
z(=_J4hkF_Grju;DVQv0c>A`n%I_U~AXj5=H{c319@ShRDVBkal3noX=79E$^sCpBl
zPGc?k{BsVT_NnJxsClT_QDd`1YQsHG)AL>v-S&REp4)@xQn&vn*(0!O&U%LKrurur
zvZwQUh0i{fY+^ECeb<sfzN)3P<%<i?hS}M{Gg$mV9dPpJGvWew>?iE~sId3Ny?#xs
zqy~HTdPLAG?=9<FcsAU2OSqQ$b^eU#?9qoG<x2ZdS9rEQd@XpU59@@E>%*_htq-9G
zt%p{oc$bY?i3~j%6zEWq3>_QDBOOv_8HzbX$d|jTfLYt0@ppSB_c9UlTi_x}5VR^c
zd|Q(;jR$m>lT$#3^(T0Crt!@Vpxp-$aLmJxs~?i5olW-_&+mC5cp2VpO%HqUf2#1{
zLl&~R_Xo*km0RM=-5HeggYq2Dy`o`^`k^8;a>Zy=c0=O@5B|gee6ZkiQsubrXuPev
zq#QMj7cM;*8us@7e-)_FR*c5ahXllS)Y#?G_+<dT(XB4MaQo@9Zq%5ea;3v5<?V)Z
zKfv;%!WP_cDpSMx5o-1-#fl|ge1)~gfpA+Cce>HFf%&hY;do8cDDw)6+pC`zUTJ>o
z6;!ZSxALmjR?(Goq<O-7k)4Zfkj%X4a7gF$Wd2BSc{g!6th>1Uax@f|X9!jxF8!(8
z34yr4@_0AP;(@^jw=DkpSTOc&O%cumKzwJD{+dd?(xP|-mLPc#X;~!R6UAyovGZuq
zQ*6(Bp;!;g;@p8D#Ug^$jbarhXEZ6`uZv8`n`GiyAxvSKg{7x)p+<uRId!qUsi@08
zVvTGHt&#pvE#EeP1_j%NM-`Xc9G0w9$%lfHU{NvZp!}w{!Z9l$1&YR>+Qw&J796Gv
zhn*qha|QVtgB(a(kFmq2lRm<{!q1L3=$St2Sr%VSq0eIjzT&O?KojN6>6m6^@k7>L
zSOkUISMWZ7L|LQa6%)eNTB;_3vJ*xAkP2Z-4iAHDtq^Bg`|F42s!IbA_s(v%K;vxx
z!ip!@m-1U3A#RFS)w%=B*%e$Qks$wu5o|9cDUJK|mjSqbg{?ngJnuPKR;X-|R*Yn9
z5L=OxHh{Va6pCPaD1P>WMOE}JUkBrP&fOu2r@8JFZ%}Qt)=~}<YY~I=WhcskWH)04
zR$ejv+cbF?Zc)tAbnt;8YCs*9S6czRi~{&Lpd&a)$#;=tK^WbsP)3$ALat_Xip(qz
znN}3VY^`XA-GQqRH4oa@|Ke@8#(revS7YzBKR-BRe<t^AVnWzNcS-1@I|8cp(x3AW
z+1QIsJ^HhREJwVcKOyy8luOXq)dBIKcm+EdqM8r8={SOSU1H7;`WJOvO6taMATc>w
z?7iCia8BuoQS9ItssGvZ$^a9F^z%WwFr?=_>V`Bxj`>g$%JvJlS>M$i$CbCf*gKAM
z0oaWT8r6oe+<${=^}gW%v5;z~9|WU=Qf+8YjNX3apcuU;s`cxJoR=cuMES!YH{|b`
zYF_}MZdALf8;*XJZmyZa$#EE|wzD`-(rRKTt+Kia!bJ`I!wHyHL}NwM$DC@<uSaE2
zV1?MR&p$;J`cU^+g<s?>aj%z3#91)1t3B1%zSq5O#o(&Y0P8{^$(c~te9^-0^`a&J
z`*!0rFDf4hT5VHUY#@`hW96DqT#;&32ThPZn;x|P0r+95t2`n{yHeJT?+ai<1-+<B
zG;j$?%Yo-4G%pVt{E^<<vdxN5*W)=$YGc9s%X+C#<A)(DoaNr#&8?H`t+}ehBX&Lz
zS=o|rbOv!Nhy1nu#(U0y+9)C3^~Hq}i^8qPxs;8<nkZcq=BHDT7VCyLPoCOu=p_!0
z!*Ot^)h=2svsO)>ybxHj8sSfP(v-2o5da(eu#Iq6(Fm_&Q(TaYD*|#p8DxUMV*oYG
zd)J1Jb+#}c!0B^9vi@J{FmXe9jmPBc4ysZ8?gc$~?JD=$)%l#Sb77DPCKCbLF8)$0
zo(kLoh?3&vNGAsk_~jT4=7V-xYn;<~j!Uh$t?TznD*4*K`3KYQGXeIEQVaggqfT}i
z+`Zy5T?pggKIt@1ceuZGHH;3KB1n^H!wA`Nrr6KJKZ#twg1)BAnGOEU;KG{=^`_J=
zs9=gS=;pPv!Eco^5z}BJ^qXT;;u&i|v$<hrXUW{OXg{mAfogtud*exw_BIFEvB($v
z!1!oCz_#R{c&G<keK*)D7c1W6>(mCB)cNAOx7)wC-9TW)91Lss@}BJu51LTB0Xx6r
zc*gp>8%{0iZx3%WjuriblEzl8``%%AWOD~5)vaDEtK&x~?L9y|{=;7B>X{(y?Y{j~
zFPvuR<`c0_d_8EP<O+|a48F6_x?^Z){X(MJ8n(yt4G)Fffo0HkM*MT=w%>Z&_pYSv
zOPHIXbyy)j%XZes_i)d_9$M%szFgvXE9$hm_)&rc{xdU`9hTnZoG7<?A;?XNcM=pa
z7w%a2OK9FyhCgx95jwQ?+qXb00LF?$JRDh3up$dsl{a~;G-@u=MlOW{?IubWW+C;|
zrS;rm=LOU!UHePR?`}qJMH3DEPWv{#uq%W2^Bw@d29&4WOqB1Cw}{>GvX8`9){f$~
zWDI&I>26oSli9g$CDyNwi=KT!g3Jl8?bn)tmz>BCY#+m&QpS!2Tx~v++fsGd0sg5#
zL(O6O>2d3e>b8{K{O1e9dlABDmc-t7x{Y1X5*>CVh59EHO1(#`B9t~nlGyY)gas0m
z{U0kA+}z^&J%N5(r+h5ZANKo>wNzmrXy|)Vnpnc#s5PeRy-;h<n_;Pd$JvHC2yeT%
zKG@B4%z%9be@IZ55LaLKP&pHNlt~;kC!mjM17?fp<W$s5e6_vN10ML^((bd|X_J!r
zYpqaEdQ!gzS9YnC=%xN|tx$=4Xs8++@J@iY;oFjbtAG)du@!hw^8ato-FkM`I{}N9
zbuI|GcdP{AwGaANexo!UJQrQu!sQeNw@Ki7GAB*Xk@0?y{9k&Ej;QP#S=RGyU`Z$%
z!c0%&-;24-raS)>N{%lod2CV1kgp3~GP73YqVZu@-Ff-FmMpF3pNgp6B!Ox+i5ZwC
zD76{fjZ>W@al6EtEG_w?FpZ7nSSp0l^sU|D%r9y~#UWrQO;;95`JVTNWp_QEZ^AG)
zRF8A0YENhWea0PVm(a?*+uh_tWOGgF{`J4Bn%jFh;f>JD=*bZwRO{#I)audC;e{R?
zqMzHi%*xZz_fvbVz4bNFWxb3KCbV_>WLYO}82t8~xU)vIz2v{bDKSmYA1ORf*YgK>
z?sYti09nB&?k@%OaN*e+x-WPJ=uzO)gD!9F3VYm*F1Hnre{rd?f%XfoSS~Wh?N(q}
z>@&L_h780$26O8Wd=uJ?5UYvRkWsHAloDk%Y<~7i4ZU!xpe26}mU55Y9aD^ViB(d}
z-EVY;G&mHNJvpL?V&Yw)(o%J$`fXUT0pmB2@zT2Mo_K#l@V=qu1{EVNF`$w6_ZDw%
zD9{mW467G&->bY6=Id6meP)NTqMj7rcl!&y(8tL+ThsW8?SJhl>pX+viS{@%ye;{!
z+!ylIC_R6=@C+85#toiHPky5p%KvU>NYf%JscJD_-P(I8c76*wWV|Y^n-}6^_&pmu
z^KMsf?Vr#)WQu>Uh_CnU2(cuB3GF@?Bl;df0p=^dmEQ%k+;1~KdS2>(S15z$);9Os
z*6DupUGBGYpML9R&b$2^61DfVDC(%J<MPBEGv^(^-x1_WmUm3D+yjMN&4G@ST<-B<
zSqak)-R284{cE4cA3ZYv?ny-Ab6vWwtIv#&@#pqI#DLBC_x3v}RoB&b#))-Zht25I
z@%2RAm*$Ff=GC=bP`7keRx7``L_sh9(mcK_{eSk(q0%tr@n!=%FS;TCUyzeo?sxNF
z^SkXEL-hGQ2IWMC3%w~K6*#%qlG*MhrF9aBq@@g>opcByXdYzIl>=Z?^WRx?wecr^
z>ULXnEp5<s)wlO+zYF@){iWPoZwn`09A+OkQbc#vKzxF23?fIk2*?q*=R$D*F&}WR
zZhPlI`~7Y`-X;eku(X8Y>mPMpgJz`pbNg^STeDB3ow}~*jOp!@C|%bzWX9p=?F810
zueX0d8S#~zq-`Ywo+$}n?`O~L7ayX~kXm2p1R>(9FKw8{nd8=<z4^9t&Z)=ce|?O;
zwZBa(bu%A{lxKdY_T&ZNumM=>+TouUvikU}@3<@pAeB1zpS4G-n>?z-xr=HCsL{T5
zSz}meQE8#3pwI+g)gW~%6hazo0PEtdk&Yo;bEz)b!<3E-g?O!Q@>PJpKC*I81K%-Y
zEP_u?4Il;zI&kv$6`K@oRx=s`nPVNE6mKrS^J2HETG}vmWwwHB68JE+9)%z3x(>|r
zgRXm*91m?259PN8Jakx5p)<omudC1!U&vWG=IeAE#Szmnj+f2~YxIY;@;{))9M;h~
z*b-Pch`O2iZ0$yPkP|m{;inBsaCgx#K-A6L$WT5>mxBw&@^GU0DKtDgYxyFTnZ-qe
zC!J6<c=^5^|C_z{kB{o8_y13R6lszMRJ62>?Usf%V4#7fG^I<MkPRe|KuW@ome3NC
z4T)@iG}%C?X{8NCkkF!{qDDpKDr!_zZmk+Cw%Fn|Dk>^!yvB;XAW^wjtmsYH@AEw~
z=j_?Dn-;&H&*$;^<8v1#uRZU1&wFOx^ZPwBXXRC<m|f%ebrCuIx*XwGx42)MUl%F-
z{9d?j8R{pu>a+D>YD(oy(z#^SsY$z$D;RgtJ)gVdoYZNTr6DXYcu`GD3Ao7!P#uPu
zZ)1-5o-jH6N1kYpPC=cBr^Y<{0qThiCe?prFj2di>})?xvsSPAQN4s}))UUkTvJqj
zhlv#fO0J!Nr;l<pUj3TaOy;eWr(G`o2kjRP*sn01wEc+PcqkG(PfGHdsN{-x$^ZC=
zl5EH6e^9-_OY-lZ6;{npzRq^4gnzy_>dyC4^`t+#SUTgmQr@-w#L-8yJtXOyE2O5-
zcc}|pw;xoa>>20ch}cV|e{DpShwR~TSH(U|yGKQnkAGSPFar{j4!Qc0ck0g7Ci!og
z^h7vHvb&dBA(@|WkO38iaeIG&nk{{k1XeY*Ytj=pLo=ilRarXIz9HOauhABC;pLSp
z<VFhnE)hTyKX``1wEJ<TFzGs|EGF=fN)l@kiA<|X{VGNCaMIZWB188z{#!+Ts@w73
z`HpMMSAIc`-;SO1#gc(tyvn@f#JNVBXML2tA(nl$i(Q>DlA<h(vM-8dzr)3Dl01VX
ze>*t9tA<IW9U%(3m!@-8<_6Gg#YHpvm#F&W<-}^Na<tUJ3lkMFuBXu|ep&@q6)ILs
zv|qdaqM`y~R<-obcg!+hy(;2<)UFe}138Hw*4tGwKpqfbGFGXRs3hFfd8p@+eMz0D
zni<*diUY_yVe08pW_;(Q8937mzMDA~-(<T&^m0gk?oN$&Oyp3DrGE5rcgZu14E)?(
z=@kbS*IBy@C(4i8#n6<2w}J|<TE*4BACnUmPdtT$1dP<N_rbAy<umen;%~o{TKd>?
zO7Mz_yMD~233;EGbTY4_)bubiS^E2rpC(Lfv>a!Z$)Zfgoa}g5RBG+4ox7=rA298C
z<eAh-Pu{F&wTC7>ErGQN^1p_kDA!H(V;`ZZvX<^S)@Y9~(y|L^*{5jPCw86KRe||f
z-tfThu`u*Wny+)xtUAU&{!Vp_`VA1`FK>z0dAdjP^nLBm>tdu&WCKgunGtn^!&)q?
zpAc4MU@kec?U6xdLg(c29$mitS_?i>3FvkMe3jp7<f}9mp;DtTTdN-UgIxSkdj#g^
z9Bukz(An_xY-4tQ)DhNMp@)v8iDQ)ugC<t>id3ytp%gq9{(<8e8-X!`+kNI5G<zJ)
z9;Nf;f=*!9bAeqI{X0trcCLJ;zI1o$^c-oaG(_{mIQHoD^vm))ZzTh2C${qqlb*g}
z$CMlOzU-v!QU}lRld!|q3njnBy@dN6KQ`IVrrl8Ko=)k;h!l&0++WzmOon-odV#a}
z&}XX}z4T*h06cDm^MqfkcRFu{enuqi?mTQu`59Kdgge5Mp6HU!CYuJ!PuX(mkzgg1
zi9{{Gt1eNWeNHl{<@>KvRYIcjr*-nvz`v4$KAv>;qfs8pmC&VGYHpD3u$+5z+ateH
z=YIJ0AfK?qRfLix;>*xP9s-Rf<i~NYMz_QIoz+KmdjHBD`E%DKRMfPOUZ$cxj}?3z
zMg2pjnLUr7Y&k+<lr4?)uw>-^-_j0}C^N+&=a>w~1o>(PV%d%1R!o+vGW_b$6)#CU
zJhsN{vg;cQ>%C*Nbb!RL;?FAn1G-TjP=($3R-_+_yOParq|)x|8BleHd5KmltPHIa
zMcD1=ouux!!qP<ca|QuVy_dgV@8$56q59@SFBVQjo(ldVoA~ByVE20I<PPm#Gf@df
z=({MPUCc#TeREB!WY_SnUr1bEl!7z&rrsytcdtAoJ@c-G6B!w-PC4pxfRdHkdRW)t
zRpu+x-lg)@nT>?~u1A(IGCGN`o`r;EdTKwiqM7t!$v$efN;<DwNZP$}9}EX{by=_8
zKS9hrj~vif&Bs^dainNP{wv?k*765Ihm<@<G~F7vh>mwL6ws4f;k#jYMzYy+bgCMM
z9-&b(;gU0Xod@I|Dp5;`$bh3$^be+ON+UDRU2*n}Iu0YEONkIp{W=%#YiK5Im*hpG
zjOFJSb@4hXg>n2^l}KGr>C+E<mG1uv>WS|DOQcW#!LL=Ht}Afol}3r@?nB0LWewCX
zsw#t5L~g~NE<2MppBztd^DQ@g_j>pw04lT2(e1d(<@kS5HAOj6F6vj0bX}kH#4f$i
zLuI^rg$a9(4tJ<%*9o00gjvtpm46Bks?5%%k|4w#Tkrh7ECZ&GW~Say&o-f)-4E!S
z|8i!flH6Qz_EUuKdE|oi=mh>wdi0vF6=KW!dbXpgHKM9d4k=Y}x<$=YxNXae>t$<}
zBQn)YPj;t%$H(M^LT2st97BoPtN8FRS=6gJ^>&a?zoc3t3zd9w%>{v3a<)~!lwsJ^
zu3!8~h2inVGt1>xqB=fF0W8GqC}WlGJu1l-wWRa#F1qp;OOBEW)2koWm8|JMm3nC<
z^2^aO`7&)zhI;wx_lM1kirXn2JtCN}vtq*90c2{b8%L3}0E}yoONp}<*s1Z<9*x6$
zK_#&BxJ1SgEGju!pg&@)LF?D+6X<`G3dnqbJJt<nB)RL3o-Kh@hou3ju#z<i`*&uM
zDr_Z$Ghd2^eV24{681_b?64>7H+5LQzAe<L!<q%=Z_fN#3phid=vya4SBvtQchjoQ
zevv43s!n+%*J;VueM_b4x@f9?Y;uGJk9?S(4HF1r)Lf{Kcl}bi#XxBL#;-`jKK)9a
z=cWE}ze!Izeskt~{W{C%uF>(T`l&T}zloQEKdN6Uaa8v`$}WBM>~^wZUb6G~UyRu=
z*=Z*NL;XOMS`(!{7NstVQa44Zc~R=hDD~PX^`0m-6)Fw2QZ-a%J(0OB%|_R0jJk(*
zRUDN2s8R*gEaijJF7)6*y?^mcg|sE!r>5(-tB%fva)MWA>(D1+I}KX3s!PAY6rfj1
zeVAzpaY!{r;^S(z^wzqoFF!{l>XB1t>Yavk&3Z_al<8KKrz5;!cc%oGj$T9%@p)%+
zq|J$LmP98d&XQ+$$wA#ud{Yb@W?%%Riao;*Ve%W2N&zM@KeaWWTC^+2@d*$KDgnf%
z^805D6gt2Cs6f^j&wfZ6D~jCtE0sqgWXDr2K9s(jKfrwPK4F&BlBk%{NVik`Po#w-
za4Nz&CoNNqc+umnofXV556e<Q>Gf{rx~d=(=@pB-5;fHk^<C+blwQ{)ogFX_BKPh|
zPuwFztjOM7fj(tYqGrsh8XXf>QT=OY#3@yoCW+=g#6YK&x>Tf?g`2fk3iAb9UHbT`
zu;0mmhsA9BHVJN+gYSnqspPQDtyKR7sdY}8vW-UQ`dC{V<#c8mWvx4W_6I6^Qs)z?
z%1-PbFWQOy=w<PL)8TJ{U*95FaLVbg5B)~cxNaD|VQx3}fPhHWcL;{fTqi@_V$n5-
z)DK5zN->4;$gr9z#TUb}xJuyEZM!YMk(8=rsF$#t7$)k86v<#Br3*<0dX)sqVzne+
zW@J6jF_Nmmdj1cT*3Te{0eb0c$NOPfH>qJ<Ua2;2yys+|B(1AbN3J6KoZNg=RZjK)
zR8+C0zMEAEYX^Bb#8Ig+AKoKLa$c>ZXz$cC@qU)&o>^9?K2*;P3h70U%Q}``^qE~1
zM~Ib2epBYxB20BIc$J*ky;8i)n(D5z%Jb-1{Znn2+hu|<Y5VuknI1EXBr?|s^o`gG
zpeF{OpaPtk!J$|xtJtw)iks-9_atGvO>rMR$7{F~Go6SsDHbxY&N=SPof6sbaSkMW
z=7X#VuYdKjIJ=Xq*m*W*!tE~bWAv<~m@{___5ZG`$#KP7fvVIJ{BeePv}S5Y0i0)|
zRhhJ&*)5vZ`BPPyT&grOe^8D33Q41Rxx=FpQCt~(^*?kOkPilKsTWcTQZF{?B`I&p
z%E1$J4TGB$-l^EZ%|6JG{8t1K+PTpFogX>l{JT!7I#U=Oc^P=~s4}DzYlL$@gGX*9
z|5Bxh+3rc?4eN|d*2$EXPfD1<;>Q6~WgF7=x6>;6QzBuHI(02}NK4j%x`<>lI;^th
z*ms$XN_T%z^<g5AR<3Nk7iAc|Qi=p=Gg!*$iuM_y$VL;QD3hZF&St?aKSj?sniw!q
zAP0u$3Unj?8ooN5YPg9~a(Cx*Dw#^xBnVwg?n#Jy^<gLJ{qoyON|sbg$(8@^PB~hH
zevT%oCCRX}!%>KyQ43eLIQqG(;uvg7OOO3R=@~8Y?9R;nyr*RMO5r=9mH%G#en2(r
z!9aoX@vES%NE27e|By_JOpBi^N4?eE8Lj*mOU|2_`o)i^89IUG><7Z5qttsDe6(dm
z3WT1JK}8~w_9hXXkpkf^i7Jr&3~9PRzNA~tc`2rOC#Yjs*Wr%M&hDR>vN<KQ8;RH~
z4CoVocqZ7Z$_8tq8uxD#e_cy*R6aW|3dNPwGhF3JXvFF4(;~!xV?<2m>qSZ22Y=`!
z&N=JSGvY0o7^Pn?6<SX<8DwSRrG?tdp})!Kuk1ky3gpV)MhoN}>9GZZAmmC3h(dfO
zQd5#Ij~A=lCZu^3svpdf4pcovOX<9nkUiOwcf{)wx|dYOWNWc{L!zonWJ{WY(UqM;
z|AO#q#ib^hc3kgr;`+UsVqh4KiSTF9DSNCQ|EXBAomgb7dZFY`x4cmD=V>PO{#&^I
zsVvejmR$U}%y5-%+j4eGYf~2yN%D8KCC$EnAl2d(Jpi6KYj&+f75-^1VW0dbgnh;q
z_6yxAq!r{iJ=7B?Xay}!f}ILQbh3Z>YDF8P?&~lVs-iu&)d<tw9kD%^qr1C*BPy*9
z)uajyA7h>TAc*8q8*zImLfw*VOS=D7^<!g74R^;`p`N%KYqCf%C!rGVIm)`p-I?vt
zuOc}l>VArj%`~a~svp}&7jpoK`%UftvCLM~<BMlXnZr_ehwMRwT}QDnV0jq+7hNic
zv^A&m2HV1926)9rbkDNDC)1w&g-P2p)r7U=keGGG3ED%@Xn&|D*^=1(q(~C1iiA;4
z^@lrI7U{|6Rk{TnxKfQp2ehVDCY-Tomgu9Wgu^|`0+x?3;Uk?hJZVw6BpZLD_fOp6
zeb}Bd9@r%#2KGmpW|bT$+Vvx2H5M6PCz&dp6ZIHQ`qv$>L(cA@THg0U$+wbF?3vHN
z&IZG`5W==pTfy!}B-1iNA@lEc`_Y=EAP?v~$QWqyAY&l1*KkZoX~a8^{nq1B1Jv;M
z%J<ZqBxawhi=mRb(7BhPa_6p!?YmcQN8nyP3hw!LReSbAfrs6NAFF4o+ar6aO~R-Z
zIn55HEl|%YgB1b3K;N2BkzuhOU<+W-m-sv;N4jsNzK=6T>Q43By6fMm>M$WHBuzU_
z9nRD%YaaO>aJi_Zc1DpP6QPp5SE%H3!qn**Hp!|$@+2n_?fs=yQQ~@sSOoFxFLdpd
zyfW#K72#f)5A8ksR@K$J6jr0>{(C*@_?)yJ68AAi0;=6=s={G;{@#zML=}Wzxsw^f
zUYmSE7FxSXoaa1IyW}ali2BU;AQ>q?{W)or-$C%i`V|xF3{R{p6UTbLC)TgSW@24q
zmTtGXVtr6z{T2n~iFLrl`V|Ht@>*@D@;7vm3G#Yc7I&_^2BNX9H?e+G-X&u4diG~D
zo^o|!gfdXoP<mKX4QHCK{=3zS3Wcis-E_2*upV|kt%b-cKnt1l1aBlV{rxgAnwpqf
ziP^NHFC3>GMSWIAefGur+!ghCSbTbpb-DMLb7Y!ozvumSUj2`{Wl$+F8UH#Ncd}55
zs_iWB)jD^xdi(o20x^`)|4W5>^a&Dq=kw~<(>uSQwsMIy$Lxo(Wm@$&pZ$Z>96#M9
z=MCkgA?8v-H@qkt`kfiu9vMvwPvGxWu^YM0{5sFOj*$s0n;(U;`B8?hpAB-P=v!)U
z{71*e*n~Nm)VY|1o{{XR(`i%G=`=~ZI%9TfxAnx)E}0PVjRTpF-lT<9IKtkJ#53Cw
zCOrDssLh?!DVswg+kbOs)^54?E*II=rtcY1OT`d%wFjkXHkqRitHT7WSXexSv>=ZE
zud|OB-^8oe^zShb^JD7jfr&Xwpd{JF*_mwK&Zb$Qo`6biHyMzV$Ioh^QI43yLo5a-
z?|NjE6Q3-`*nI7IWb_^H$RHk4``~vt^Erv{=h8G`83af7K6HPP4*NW(%$-x^CHhpk
z<n=H8(X-5klayRUCFgk;$JFSVeSNbJFNU8BJ1gze{O(i9>P<Pk<-glGb#Kmk?=D<#
zpT;wks9cFH;gi`TGHKscafU6T(<*Hw`<KV5x$0*puKAiJ8$(~Exbz;{FXiCiyPi`e
zZ|7s8gd_X<_jdVqMpYxeoaU(Fcb{*VJ?RE9!1EK^Hw5_Y%+*D^B1NmpcD+)xvTWB+
zi>k}_OfNX+vsRYwnI%|NKI8XuepUMIu@nks;+X~CCbB2~7{1;XQoidC<-1-9AR{t`
zx5z%9RC?#R&Ogw!CazsqR8zFB=z*dKpKpjp`j_XaYe*6fzH-Q!k;3)4;qPZZ`<+Xv
z6O&8cJ+yAc=67w`V3oADx3>FQ+k!1kEgOBUonc=?Qz+=0-jQa!+Jm+A;w5C8wxzu(
z9Hmv&ZkC6-V0*a37j9Ky4K3WX$xCUjw<*&*W>3${@8VBEmt_lSZ3zck!oHit$7VEs
z&B1W3O{(777W5_fNU$_(Rj|FIskJ4}U;7r5(58l_y4rBC!`IRDaB#k6%<Gy?*y^Ub
zO~J6D$AmY&6#;h;heP{TND5sNZEx+XRc-6DxU9(6h;D=JMyt8L&X!Frty@}r;uV$*
zcC-cSNNKQM7UX<N6@S9Cp~EyQCTFb;4IRO-${X>A@V4{j@^Nym{mEUNCoFb&mA?cG
zwtulHJui#b->V|qzwoVvDxc?PYMg4GyUg=(gQc^y|4xIG4YnEnM)RySUK<LvQrJ>Q
zn}f}*?OPp%x3q?RfvU<`MS;rV3SUEOdvk4gwq42Xf@*4Mqg8Z-d2Y7->;^!4iSx|$
ziP*A=BCl9ejXPR9Tk3uFwRUBmJ)0<3E?c^6`RZjfgXXqSu$`)DDy6AH)2RZ*jkPT;
z!B9u6kI(1w<NN$Hi_8?rpE>g^CwG>UAT+G?QrFrUs#l4X=5M!qQG?IqkA$g@u6N#e
ziMdYyGi=tvt>K`rwVgWcYp!kI<OHC6^YYiEx$CdvCmFQ;O}mZpv;7MQU)>t64JBw`
z5?=fRqSOtP_NG`R+49R;8d|l#uc=;In29NYe@qp&<-5YiRAJjc8h>K>F8_q`UH%E>
zS4BH3Q!g~w@t3sJwMu90RiOCKUE|A{-Z4WJRe38VUhn17<uDgLia#~Jwq180PF!|8
z%0Ji=C&Bjj-R(1#)z=<ui0VT8r5<?v9bLG>>xK{;+^HvoclkTPmA}*jk>6S$tn&nS
zhmZP4gFE4Mt+%YJS1(jwvkXo%m}?L#Nz6w^TiKEoi`hh6j3*CXf7$00zAJH3FtPxZ
zb1xWnEwMSs?Q-5CX}uB0_Ox|1jx!?`r>`uIR9e$;({VF!vv6~9ci{XuNqHGg&MmCL
z)#5hcHsc=0J%#%S?(;Z#d(Mw=FXQCZ6<0I;m1`FF;yQ5qao@)M3Fjjdt8nkZoy29a
zPZz>HkCUH|coLV)YPbhC8AW^!w~CCufs790o+q>4B(o>TY=q2~lhLnF0?Fv>$mpLq
z@H2soR+G`8>n!VEuD7hGZzTU@^xtwU>o>WUwRVnWEuF{j=-p*mUoNt&K&fRty4<oJ
zT5VakuD7foG+EY$F!J9)X85T7F4tGm6<k#1>j>6`WpXgRUJs;AEt_jYO=^fWd=0hC
zb<{Maj!vI0&6yHuaaJH$*V^3H9_;9lLB$bhW<RP!SDaNQDpwU#ZAsPht~AT`k7?|1
z*#5VA=3sg#N;DHQ1CjQ!2O2x0?sTOoB``?Xaktbq+ufi_o6P)dzsA~*Mqke2<;w#z
zRA=GwSX5M2p1{N1uV{rCy#~AVgvY1kHaB%J+}1VD_N{JjMU9(+TkkOgiQ#W+Z{65l
z+f4uAOU%49*v^1RD-Q*0JA%H=dfGRiqMa>+qE%7b)+QxXw%k`+UoYjQ(}sRsy<wD(
zE-&0v7v=Tx(XUjf8HAdiMe|uySy^6ITvT1Qe3{C@czjj&RaKW%sQxLToRww*m@~az
zb<`zYOgw5g2kT{AYl?Qaq)W}$s<w87gUxOhnE>bt)TQR(TK~(#jluSn9l>^LMo<Qs
zvic|=DK4t3LpQ!AhR0~8w3v`vj&z#7aFA5RsMF~;qyDiqTGeOz<*0viZI`dDc4JT%
zi1zp8Xw+krq+Id0w|ZhT?ZcLbe{5{={;{#y{^P`_l>I9CQ~t3r#^g`=$Hw@o`P+cz
zW5vbllS)~)DVD>IFA!wnRv&Ds+Zt1BzUg^$=1B#S;!coUk+15{lFsHfcfC>_0DtW8
zl}-apBtKfgOg(I-dc-hJ@6bFhe_zhB;FjA0RjS{x{fjGC`l{N3^to<d(qY1vwA5~3
zQCdFNS6o}y7>&dBFRKqSFQmJWYTVlHq=7D8x-+Y&p`odzDZG_gX-9NcDl=#8Us2oC
z;tMy*j2|gYtt@YqMveb{B~{k4<yO&(iaULQU`O5TXip;=Lz~pa3a0g8-?E}*0bhfA
z_9+Q)`K?&4CfAH9FnRo{SC>b_di+*LeMB#|%;KUI0bf;RS=3kjXzISIK-r?(98Ktw
z6~AIVq;;U}7+*V_Ez#{MepLZqQCnL`md%WwQC~Y;psAhlhG;8_9Z%(F`m}~nZOpt>
zI_MS4tre@S(%P1KN;j;^*wqrWUQHh_!QE>0sa~{*rQH@^eQ-mkOSZ&H54@<gy)HP8
zpAOg3+A^y))W))^vzauTa8-@9?bJl+o$PgxE-7SIwl{5NZh()gnwW4}W;0bOXNIq~
zU8goyW_@sT6KP@<Dk?I5D>_?r^=3}e5ef#|Tz)i)x+bc&Ubh;(+VSa5ySTMI=$mW2
zY?%p1mxV=DC25vQCi&}7V@F+W$Sf!=T}9&mTDht}n!CnAUzmVUgY-YFCnO=ZxF+m2
z?d_dyVN*z!J(kteVA`A7!gjONE4779VQGCi#^f<Wq>4B_*|2id)WVEQO|*Thtff}v
zS3T(QO1`oVFkM_(eFw7|lepXI{M4Z5TUFcMq-w0<l*CCiCUMrBx%m|ftvPoT@V6i@
zzoPVEYwo-P0p>{<qUuqUp0mh|scB<NZMd^N+W%-}MLpbeCH&kT(Yca%EGsT9^_AAQ
z`&LvH`6^oLJ42mHZ`Lx;Y|Ji>>9Y$+_99Oka(tyUthM%}G+4jRTH8_YWA?MoS`nnv
zqikaPEYzS@VvhP;?M|dl4|OgbfBe9gS&XWA&Ya6mi`^eq1>03+*Ttq=(28J3sHvHv
zrxOWo#1doIXwsi%&6BdYbDk;+{@gK_Kex%BaX-Udh05=+!8U`H26GHr2G4KN{3i?^
zHF&__HiLx*CmI~yY~nH4Ww6p<j=`x0ErTaIb-1ZpHCmp}4>sz|-Pxe=C+7K-!CxDE
z$zVfMd-H?S>mQUhG<!o+iwy8FD-dH_RV$D+fr=t)nf#&msB7D5r7bF3Q6c6b*9aFa
zHOjn`61Ue3^===Z^tQ#VZCjcCh8tUB1`gF5m3kHmCa~qx9x;_){IrMNX}O}(3bNN>
zWH-9HieIi-B`x9ht!=IJJw6$n9eL6}i5(!;f6g46!S?qRxmN|zWH|oIqc+s2uRVW6
zCsm0JGIn^A579gM*w`$V?YdUgO$KFsV*JZiEh;v4S7m{3ZSb|%wlK)#=!N3~B`?&K
zt7d`r6VqgO_^35cO=I**(9}0KpE8drLC&H|tyzTC&8OCAF6MA6rn9Dv$|UFu$b!VX
zsx^91GfN$@=JRwdDAMG|iC0&X%aEt4Q#4UA<w=+CPJaS@%R<(Yx@e_|%4rJY8a8L=
z)7_TERP<;CpmGsed2lmpPrZ(c`bkr<eU!n?P9rQ%eoZ><{#vXNvhzZ@ZxG`!QR|Os
z-dM7Xxq;y*^f2oMRIovBg{Y>k<gpB9`sy|j6g#10NsM{aB}Y>#YPb647Wn4o&AG#(
zdCZ+V|MuIg`u43|O`F>`&2O0>o^RQUcB`eXu8}_-^_C>TlD^2Q+fut3j$lKF)xN<V
zRn1lr%f$BDy0Fz2VoGGm+R{>6L>8MuR=By|s?)m#9rRD(S}mo%sola3z`ljWz_OvW
zBPiI^u+?g>-C}hzhnLD^bu_ka5jI3LH@CL%wM!*WzO;twiA;>UDxK(6B~>I#4w&}9
zWwp09H*^Rs)P!YU9xSpF!tU8&g<3bZT2Y<Xv8o}>;ZRTls@$}1Y*A@In3_O2k#|rh
zTAU}g)aWkTgTWX|M^l$2v+w#1R&n);>gCJJeK~bAd@aEy)=#-U)<%mvx6V#m*x3}q
z{Hm8YX)8OJj;g1%t!**^@1Wq<`TWw%?@n8;N%PZuzFAGVzFD(G+fJRVLR;E|CFI#K
zjrXZ;Y{CkFxu{Vl&JDGlAy)dzS|*`p(E-hxWr|gcV3H(dtamdS(4&gya-ygWb+nEb
zPn*P}6m2IoCY~)#j6pOPiiqA{_H|V1+9ed##17;0EoCxIPs##;?kd+;-`a9Zm`%1e
z*3&A)CJ8~IQr#AaB7L$5Wy5W&*rFghnVGd&I8BYz@)tL4Rt6`jqtbZU22wJ&8cva-
zKdV#)RyMC-hmW-mov)clcBmi}`m9+j4WbFBp-Rqtl2futKhxT#1`kOWO`Q20O<jfw
zT250)NttE0js?<0L{=3!Xb#pl)skoCT#B4y7i(VE+`POQI;7Kz79igasfnTq&1AO#
zn@5RP`@7OKqI}ZG2;{ISJ|V`k=yqthB&CX_p{a{5PA^TO{JOQ6BC^w`iE6h>1(j!?
zQk$ycvu4?ygal9@)efX;D=lsa%FL;=BUrEVC+v26j<TDiNGtb=r8GwSEE_jqa#Z2N
zQi!_WSs<Oyl}=rX_Q-lucdhiHY!af9T%X;$=K5IY<@)Frb5#$YJ8mnLeiv?fD+x`{
zo9k2k*SfUw`>U$h$ydFD>I!B_M@`*Snu{h#jUc+psv4eFyr%5d;^MNHuq~1wN#lYh
zRzY28#BLjE?b62H5N7}wxRke6p`970r0gIxU%i&n<E`$D+G@j%I-GR4P8iX>9j+V?
zFSFeNI{|FwN*QNp5gR2{syRyx(r?jcp(iJRD*|N<k22fYfSa*l0ZvlmBu8^YWs=O|
z1rvdt162ZvB3RMd%$9?b8XbY+P85OWP85MNOsNF%r<`$1$(0)EQvqkE$-#k`3ZMqu
zMCo#!6!6tGisC$Jq-DFqMU`OAM|jzr>&Ic|NP&mf9`~I9b_tr}10CJ~GCy#b-36k~
zBe<liiFS+vq_wy;?UdyrSzCBDUA($zRjdMOW-&24;qfrtzDlhwSbGYwfXO&h{ixD}
zTP7FG{_$WaGJ|X0?6i_KCDf3ZM90oO5W{$2rgFa7G99rOMTt9!oYt1mR^}5yv0iLx
zWNW`u?NiA}sAChA%}7hLf^zt0z9h<h5FpxN-DoDFQ?D;n6Vg<J=ij2AhYTJ!c*NiV
zgS`g34Blt3+~AD{U&+$)UNZOtgP%0`l)<+fY%;jS;5>sj8~pF<w7mZ?_;Z8(1|KuH
z%HRTnxh8-AgIa(8qle4W!>r4!KRyrN=(UOE|IS1IndkYtp6ACr&tcE=M)Q2X!BajR
z@3I>;K5y#%SIl$HG)?a{c-sy7In#veF!<SPG+nPh%|^OUO%P-bqzs5M%TfcUTB({9
ztsbxB;FBSEW(aOxnFP3>^*Fymjq{4WNG6Te{lWIu4$GIbG`RIX`bX*fX2=4|s#;dG
zw8To2RI%c(sNIAuR60@D!kjL4`s}$ZyP2!Y!NFKB@n!W~t>(FUn%NkvbM}#pH9)2+
zVl(lC<t&Zy@EV6*9x?VYtHj<W_ZUueM2@c~vS=`6xry%Ddp(@U#8_S->jP(bVA76x
z2KxrS#j*-%mHDzOSIg{OfP}uv9H=&5nmwE3Xb}yIRC7wubpR{Qk6B(=&f}?gO}J&P
zdY<EJmO&J2k2=mFCLveqC@hyptj=RR95qM?J@HB)D(c}8<@SgXRV;}Mw&!%rptkv(
z3I2R+o<5ag^-Trm+e$SuqhOn#bs76-@OGH3pB%PYy4WqXT)S`7;+D?Z5GMkguy$0l
z!x18HW{zE@4+X4jW7Qk9mT?xbmUAi_TWBLyO>(-B+OH1TiaP2#^|qT$vSL0thjjaX
z=F=L74PG=j+4vWj=fmcC{bw|PrNKgjIR=Lf-(H*VvzkB8V3(m!HqYnHv*r2x@lkCz
zf73fO{@pxV=6Qm_41=EF)=h?<XRz@JE$1Hdyt=ksjzzQFa%M=%$fkO@4YjQNDY@A)
zJyV7V)*V}#SSW^?HU*i1$uS~*f>PO4)B;)-oNV_;*Q&X`4VW@oIKv<`Y%gMWU^*_3
zfrWA=SZ#~a3Yis3EVHo%1%0#H#Qaygxs|gq#zU4p9Ni=WRy-2Ce#3(L4Qh4_tEx`e
zBxL=oWlQHPak8Oax5=>u&!(QYirtA?=XSE#q(+8i*Vs*0wKL5q*3p-}5|pT#JM0t^
znPgUypfuP~E7lCM+ks(bcAC<X@^EW$0~+7tBX3mEj@D36H0sz-?Rl#z6|+{?HUudc
zJ6YrKtEldnohOC3MlmOrtN8AmecNU7&5QCm`Y_v^I@_ukTQSYZR*H((?h!p5ew>}W
zGP>%HF->3Ic@5e5VXF~yop<<~K6}nQF*?isV$3ExeWQGA`Qr@<>>9Bxin+UfhV<1|
z%u?KC*7w@|WB6Q|_wuQs(j`ZyDt;e9@ww!T$EQb*c!Az{HDA2I#C&SpHTDM`#>=M%
zjn|G>^SySwn(wvaHT7CIy7Bj+ls~75?9OaMd+VlP3pF%;pirhsF~X`OjK7aUZHQLd
z=`ov%jE>`MuvorDEKqfGjv3nNY}nQFam?8yF@di$4!X`73Y*1VpR!nSoWgi%1=9<P
zImh=f6Udl7t#O;ft4*9FeP&t}Gry5mWTrp0?ez>9vN;}2zW6O`ZKnZtH1ee-Xf3Sf
z%mWjN7SgM^tztsXQGe$~hkN6vdSEr1Q-<ECWN8Dc9x|oV{;q?B;>pKp-$it!u|bu;
z3cqHShG_r0te8VV3HI42p%p8Zub{WXKWZtQj%~BPmElkBM+CbtU^yMMcVITpKiHwi
z<DVNGGHA2^#ytPo;9m{?x51Uwi)IyA@^{X>@)B!$2iFxk>?MaD6)+id#8(z6YNQkk
zVk^nB(p1G}3TN7mZfdU0TSHenEv7!%hg6+xDIRP)`f`<uz;(OA$d0BUYL0S}p>t}?
zrg0sDT_CPq``FG!F@&g-`s3n@m1PSueB*5In(+v6GGMj0hV(Hb>)y^_`&RS4q^l{+
zFe3-?ti?h5t9<~kg7bH@w}j*<w>r*egtWH1_&px_C|k8Uw?~6$3Y)K0a*E1)N2>m2
zpL!5+9*V=`O{V6Hp*p;tv^Y{dboh%q+uPascQUk0Z5vpe`!a{|Dmpn+%RwD=idjGC
ztW|M#r>&6#UbbhHpczWoZVc;VMj`#Z7$NQEtJLgZbyIUt=}><uu5GCchRk>2HD494
zF2jX#fkw_wyB}A!kQ6sTC%_z_C~Du(L|<hol-o;&ZWV{vAJYf?tktzm;i|1Ib&VYN
zZhBZ9%9@jixXfgzsHI+lSb<J`?9i5jO7$8?Owm%wwEQyJVRroNC!=-yQJ1KCq7Jvv
z^H;Z4wzi`~HYg-<D}oPo20OxYyo9-4!fjqczL#Jvr{UXeLB8wAUCpAbKIUP0LzKfL
zR55UDs<o5DjOB86N<zdC6m?Z?h-An4nW`7{)ne6rvny;Zq|`TA%hm2>Kn_t>h1=;0
z?dDw>Y?n2-)EKj>H5FEA%&wv=E?ZlS7Gr4Y_+DGMimm_-s&HFqD`mPOSQljTbdHxW
z*Gss~OUU;UtcC18sZml+9&-MGGf}SRGJUgy>S#(q`ZaZe*s5a0kEbr;7+zxnUZ&kD
z7Tc@2Rs^&KKuQCs;^KfbQgvra$V!_<Y@KhmW6{c1bh}Pe2iu#QI8qplp(4?aM~cL>
zWjfrZmQKy7Nl`x83zCHB!nL22(Ae^(lS)8U-M2dlrYm2;CbLP2p{(X$w4EPALS!k^
zk}b9EK~<Y7<usPkiX>h~&kV4(*{M`|a4^B?Wn!aH{Y)%LSE^!6c0^{^Kr_TRDl|c8
zgSPf!8cBx<7ef^07=mdhbY40(bz;j}$a#VKRt6${6q!J}xRu^wlWN9KFKpeV=P~az
z_+En_Gx)T@?;CvCV8md?yL9-g4c=t%c7uxzt~1zSaJRuv8vLfgZyWr+!CxBugTenc
z_`2OX-ZvV&-r!7ww;8<0;1Yv11~(b(Hu!FXpD_3ZgU=g0W$<N#uNX}2)#-SHL7%}}
z4K6Ua)L@OlW`mC!e9GX*41Uhw(*~b6c*@{ugMT&n`aL=ww;C)oxX9odgWmH0XP?`R
zoJS14+u+9xe%|1-27hR9*x-K}OnOqMcap&y49+)LX|TcI+YR;@e9GWIn|_=BLni#^
z4SvhuPYwRT;F!UTr*wL+HJE2`k--NHwi)a(_(6kqyf%K`(4RB-6N4{%_%E2}<h?rn
zHyX?}SZHvy!3Kk^1|KzO$7`cw|MA!l-Dhir*Ew14tBzhuR_ihj8kTi*Fu#spmC2GZ
z&Fse4X^Sq)6-SgTUGzE`vzywxz|5tkFgmFPbi9WVR~GO@$L5E6D?;4<NOWT)E{u;J
zUry(73~Q^eOb(IQLM4!zg0M&4CS#zQAaFUSO-$xuQM6ZGVb{wT<Nzu+21B7V4g#td
zC6Iki7wE;8JL{f}2T|0kDY3Z7SG=O!dp@33G07BlvR@SEul%&3onv9KdqyZrPDI5o
zvyF$>E+Fe~IZ(Q|y|pvZbu9hX3O35P?GS(7Scf$?_}ZH`Hrh8Z)XH7^+RCOHwz#i!
zYsm{`!E4tb6-xinzVVwP+E**z1jAy@)xl_~szX6`al@}gNqvy>Z;6v(?qs+^C5TAw
zc-Xn|DmXT;UM))!thL6vrEW;nH+9r;QKGJ)nZNn~Mr}xLPN)k&>zsI$eQoXXrRz-6
zJRY+9qrGB0-1)HNnn!-#o%4LNd{w1IOnrHto0nhUevbOjy?vgCLnzWuj8_NhmoCKm
zN-ffNC&%Zjh~d)}HLe0v^SM9Ee_zgKbraRrc&yPtidEk;l(Z%Kd}hDyPrqjH;`{XT
zcg^#!4940?=%<u1#<q{JNKtQ~iPER%&7(81q^IC-oi%-Chl*ay5k5(&v!{{k+ei)P
z(n@p_Lp5$O2<d={5)X|l?ba1Ixu>6wlY9BE$H{&Ct8s6^-GG~pn}K^P?pECGxVvx*
zaK*UAxH249)U7JqeYjd&5VsMx3D=B!2=@+L4{jH3H|~A758yt6`y}quIJvX`72Ln#
zzJ>cX?mM^_aX-QR2KPJM?{Q~wf5!bM?!R$KN#qA7Z!nyMdlT*&+;zC=IJx(K2kuVX
z0^CxZya!+{ZXK=`w-MKh>%_esCvWO}0=EbEZrlfPpTzwO?u)oD;l7Id2JYLq@8Z6X
z`yuWpxZmLZ19uMh7u?@)W4J4m(L3%fIQh-aS-9J9cjE5C$q!X5#mT!*SL5!(J%|h9
znsA$NTX2uzdT{a+czbZ~#k~*raooS)K8O1X?wh#p;C_hvIquiE-{JlP_h;N+aev1p
zrBE+$Z^XR?Hv{)p-0iqKaChMr;1=Un;^aO1YjF?ansE=|I&fQXyKzt9K7ji;?lZX0
z<GzCX8tz5h_i#VL{T%lj-0yL`Z#t6a%gdNBapsQF9e=wjnVOn9*~+^y@5%{Ryfrf=
z`C6W*Sb49{yK2If>vxnU1yfQL4|QP8sv`bc*53OxZZpqbT<_tt`NzXX!{27G%izV8
zI-WIaV&k1^o=>gT^!)};c=*PP&!)E-exJ$DR3m4viC<+l!JlmjX#WgJ_ct+pjXIDl
zJ<zo29k)*Jn5ImxiZ7<~Vb;<m2QTIHJo5*AOb=7JIu4+2*iW+vyUZ%F0=&ZGUMo;(
z1@5)(mA84&r#Rcup;iup6J3WntuE0{BPM;Yk2h?kS@o@TopN}bO9&nH?H!zd*~(X}
zaM7>oj;4N;1Cz!_&r)I6mn+o1s@{~bMTno=w-9mi{c^8Aa92cq)~bDib-qQ;3pZ4L
zWLrAGKoxxthnUdSm>|6@ZOMc)jO>~l!#um!ZME$4V9sZzD8?%}1tb$d=aMCc;x_hI
zWFBNy;_k&+#!hB5IbTma<S#`aS2dTH2YgFQ?pvduWY0MIv`n^!V;<+Z9v79ZDGBKJ
zKEPuYFR!RrzRdP#dqide;-R7mlvEWv6!J+|quwPWC?ETMGWyA~X5WfYXlqw<NFf(l
zW;a@D>gDtMLcx}e;l>;kcJoc@y6#<EVu>;nXm(v&o0imqZDrQoR6o?>Td=^F=j-lf
zmnN1N=5mOMSbK@-%hWAyJjVu$^OMlC?v5c_)U}SVI>RENHv}oKpd13Q*aeHyYa3`G
zikxTh&Xvtgt({1UCRU{@+};_qwqgODV>NKKgc~>9Hj)h&OG?r5GtT>Ny_=sQnci`?
zTvcjALpd8d8{VqbG{btx=U<S3(q?U;`Ye!EWi6md%EK+wJ8rQS++y8gO|Q46hZ?Nu
z8!i8hvt~{2m^F(iZd_X&D5@@6JH2Dwy1UaX|2?SMC)b!{m7pZKo~&s;i#e%!Ym@Pd
zK3bR)Tk2~=R9EBYCRq0nnPjJfQsbskXm(4GH*=uLn{7(eOB5IDb>kvxN{+l*qk^)R
zd&d;w3|<}NvqVqPd{|^d<<FAr#nnl>E+#_h;BIE|xu!X!Ez9%g(~{XAXl-A+E+>XA
zo#=xyXP+TU5$u`rQ5?&thcmSh`8t1oc~i@#l9qZ^akLP{qPvEeWF!t>*20@m!V6V(
z^9qrpKExi4?&btyoj6`ievwq$|26T}hSt_lG%54vbC<hybI>bv{1kff5~Ia3l85P8
z38UTTczNCB;AGhI#T&+**2MCqM$C*;^2~7}+uYP1=A4^P9dlC3E(rx?ESo={?Yx$7
z&Z4sN62$Q}p@gXZ?2d}s!-y%z3+%93tZ9NCRmR63m2)`>hz~DI;LA^ceE4db_+@6E
zvQl{~3bU!hxht`r&!7Kj98HFZaXwMK#|ptft{a|1o|#a{c;R(DzAO<cWk>rLDtsYZ
zW8QR)_rFnNi^0bY=DtbO8?M&)l6gLAo(raGx}ELwMt=8An*OxG&FT8tSFCZ-^%_?h
zY%n-v_;;A+_Z$3_!KV$rVDJxy|7G+1ioy9AT7H^AJAJ;-YkJExji(G=GWg}Cn!d=$
z@uqLHq3<v_&&2;J^XyIE&kWs8U%>EBH2OG|rsFG|sL@X6c(~rAf5(lQ|ER%bsrtFT
zOyg^%|Dp-^ev`h}O8*3-pH~e3;1xQaK7)38_nP#5)TjMV85~X4&pQK&(|5`6Z8q|E
z7#uHs87BQdGkmsw?eq<&=y(nrw9|Lgq;KX~y-s?@;Gh1apFee1Z2H!ibTycGUMqbK
zhW`b_KVJG){6)vN@4qzK={s-Icj_0Ke(;wX^WI#jSZrKm<gYS#x#@e_@V{32?09Un
z)93qw*3Y}LG(Ka{=Cje}_hO+5Uvr(2WAL!SV+KzdJZ~`7#52`kuE9cshfC{JRHsb;
zW5+XRuIi=L5W}eo=VS9vH2SvnZusrD+Qjh}diZUIIrCIJYzKr`iOO|O+ef1vUzaER
zohq1&MTz+jdH7BG%-|OdW6M94nBNTc@%$4_dD!Ku(<8G$OMhKh%M!q{@{E4pX!uP!
zRyB1rF$InK=NW%)7^s!A-hQy6%Tj0kX%3CqD|M5?*)CSGR{9KGT^Tk(Y%8Yi#Y-nU
zgR?!J&Uo5keCGRt&27B6EL^+M%gcckH`z{-sRTB+O*Xpsl3hh_d)f8^9rJ9_zP59;
zbaJ*mCvS#2WzJed9|!l9EMJ7tL*8l3sWp9fkd-JeOST0%NswicOP;!#s4JjZM#^f0
zO({9-ZYUg&57yPnnf6%5x>^pq%QeRhL0_#tQZDEAke*C><^8LIul2dC^>ZwfteYFH
zHfyF{IQs6E)$+|Z`|M}G599C6yv6x0>*i3HKO5!GL!GSxwQa2(cexUk#P|Pk|D%Kd
z*Xw|^)&Cm~GrHR2`TvXZu4k|NXUfuJkduxw*sjcS>L3|LtSuHdD|n^l>~`MaLSHj$
zj!me;G@uFaHfuv3{Vv^7j!z6i;jL?%*3E|EQ?|JnQn|7XS_~>yo|vC3=b&@}Ib#2$
zy`4kss$Y|@eqVLjnu_uVmDTmZs_GSG%N9RaynN-dYHi)p)*=6mE}IbsB(WCVVolTL
zBisJv7`t4yt@u9s&)<+;E#6fv*PB$wU#U&wa)59C{3^+?F<2Obf?_K1uHw-QCkTv5
zM{#OtGCdG$N^QNeducO<Tava`VOdBlS0#==uPz^BXNf9^*rb|xuvuKL{HPg2CtRnl
z<RMHW9?{BnWg?JJuaSY*On))v8c!73fO9#ir~Hil#-(7bQI{D->U?Yz-U1(AO<vCV
z^SzW<$)s8ti?qeaUB99U!b+m1J2{Hkm2#s?S4|v0VWxseN&K(aKka&U{%Z@>*Hy;u
zaoAw}y_!C4kw%-}i$_iPtREIBuLgtrM)mW1@^$!EjJ(TTpQWzQ;VyT5cC(3Z+L(^l
zp8pS<^x5kfJN<KRQ{`zFj%D*t{<@CWp8q@i`HJ6}MGHOYx|F-Ny@`G3WZtcR|5#*@
z?}O{cB13uX1HWx7(#Lb}rm@Hcupi8Lvt{Lm#v<8ZKNtW<z#7osJQfLqHDE88(J~ep
z5IQ&nmV+0>AI#u@KnTnRyFovg(MCA1zXN_Sw{t9#JC*co<_CPi{;gw?ec%At50*cS
zJg^4LxCVJ(HrNgN!K}BF9&i*K0R7!#k<;Q2W?XAoePA{?0Q$i}uo}#LWGvDR`oVo*
zIoJ=@fX9UXDCv`D@B-NP4&+=%JYY2#+BO#14i13*;2?Mmta*%Z;tyT`yTObs^b2N#
zeV`v4c%1mbA#k72d*GMnC&&+nD*AUK4;%tdgEj9Oi{xLAJg^+}?<QV(-h=*bAUqfV
zhn|8CX6&V$!QOX|MY4Rz1M|Vqdx#G#-!~SSawFyXKGFeZy`Opj_I+S1G6MQP2>&$V
z1<S#VkKzw@AHZLpKRy;oy@_yO7MKg>gMP3aEC=hs8n7D-f&0L2upjILkAeN*5IFED
z(w|NEPs0z^fcwDEXUIR8^*Q8ECx2iV4E0lwz;5s$*b5GTec(y39~=P(z|@;5A216X
z0rSC8upG?zJn00pz-}-X+y@STCqe%g#v-F&KbU_D`T7#^gWX>tUa<EYlpE;(7W&K~
zeP93#eVh6L4uVI(0e(MiRQ$mySc*r%T+q)ij0M1&?-MUL2p$86z#*aYW4;%_EPin~
zcP7vL&~*)%^<&Zj=7PQ80C*4_1P8z&@FX|_j)0?JDu;7&e@guY2l%n`gYx`y>Ipdd
z3-rV9N{svx`QRuR1~Yzzd@u_<2<CzVpdUO5mV+Z;4VXHMe1low5Eue$hTsQBz*N?z
zq2CZcI0*L2^KXeCtoa>!;owjR%mur_0N4lCfc;<?8~}U4LGU0r1P*|s;1JmRd&1GL
zb^ix?1P8#}Im8c^gBfQ?7nlWZ2Xnzb&<`E~%fUf#6wKnsL~70w4h(_yU@zDWj(`Wj
ztaG&Q+u#HJU@uq?4ubo@QE&kCkDw<o1Ww5(KVSeH0z+W#pJ*3g_j$@&=zk&Kx5IxC
zI@li}JUEzoDdL}pKUfWpfFW=c+zw`3aVgRVW`Re*TyPNV1xLXFFzXJ&gZbbnSPl+e
zNjNZ+4j<SHPAPyN%moL*05}5Hfc}h2kzTMD8~`(}x)d1!`@!5hk&{Wfz&>yvm^F!X
zfc;?VeB^=I;1K8sN5E=u6bykGlgSU51@?jE;1RF}90Ui!th=D|n~@=~58MuByn*z9
zHQ-5b5X|tShbg2R%y{#q$PhSkHO~u(e=6w%`>!M4-~c#<J>DTO7aRoxU{)6VpdSo_
zHDE8;4ITvhzyWXoJP8hgBj6~QdJo~>LV7_zm=D%~<zP2h5B7oG-~hM}90L2nQSca;
zbv@|@%fSm^H<(dKI4~Q`xPf$mxnM6?4ju$U-~iYQo&@{A5wIUjEh0WJ3mgRV!6C35
z90BXWQLr1#@R2Ss3+xAT!DFBw90JS13t$Z>TQ?z4wyL^8KiCUagMDBK><71l17IIG
z0`hBvR>qB#FX#tH!4Q~ROn9&y><2?&#x&9c`oRIP96Sm3f)~I6Fe`vuFaY{*A{^KY
z_Jaf9NpLWm@-89W(}@QRfdQ}^tO0w$FxUt7g8kq@Z~z<thrp9U&mrH7;G0Q)!K}BU
zH?SYv2M&P!;2?Mm90G^H5%2=&&n3N!Ne7q@4$ehCp#L`F0n5RY;t!6117K<?@#GT@
z^n>|e4Ok9_z<RJ7>;`+mePBP>4~~Mzz>M2T2bc?90K37AGQ!V84`A;d<Xf<S_`yDK
z1RMlYmyj+$dIJaVL0|G*1V7lnlyU_7%1Pf+o-5Eln6-?2fqh^f*uC~r<h0Oh;46m@
z%m+j3s4rkI7y`>5K<`2a2f#sa1k8GnbW|V@%mVwte6V*t@qoFtq+6ahP#>2OUmfKm
zSdV;gB#2yav;n!Ge<S>0e<S?M!6wQd^uG;#fkR++CGl=T4p;+LgBi`pk>^(QcQ5g^
zK?euG5LmMX`CuP-5-jh6Zw2YwN_xQ|Fa-9$9e*(65%N<7-wx<t?oQ-`eZ7<u=-*5E
zRD<uKJi!t07})(@+6~zMe(J$W((wWG4Ca0iJ%i;RqF$_m{$bi1*#9x&Urqd<Kwn__
zC*cQkKZSll|9_ItHOL361^<hDfVqFgAFO$Wbl!(PF5(Y%{{uN-FW3iWj1n(62#$jH
zjuC#XWqk-70?&e@;3KJ#NLCGJYp;kz0^rTBi$p?T7q}0clop8$fsI#1BB|^6ZLdj@
zNH(|y41iw*dFQ|N@8EXus>zYaLC_B#12=)E!4H9{4{-h#%m)7(41j-mJ>kLMzJc&y
z`5Orj&Yu#A`0wW&0aydR4eSO#0rr7M!2$5c;1GBb90eD?iTseSM$ixL0BgVlU^h4b
z_JLV%CLQZ7>jGE~{@2x!NEm!_D)|OyUW0t_2jFS2{aW%vx^{x6!4qKWgZyq8m<|2|
z41klbBR}9ma61?R4}$x_W8fFS)8Gj(6}g+Upl_mnfv3TFH$V?r))6op+~y;F;HSV4
z_z$obY`ZZM=?7n$7Kxk$dvA(FE`UGFjzp$3TbA$UNF*P8&n=NiHQ10t{=nnlK5*uY
zNaP5(9Xtu12QPptW)i-I_`!Ve`nM7u+y{oitX#r_?*Wg1*Uln5xE;Iz=FUd{t>h03
zfD>*-AK*T)7yLTd56;hvL<Ygf!4dF0n9*ig56p=~a>2u3Ie6_{@(sS{Ho}9a!G16|
zpYY(L;0X9{V8%n1^{zVz54IJMZgBRUlsotZ@E|yGKKcd^f+OJlcah(Ae)|pdgV}!S
z3%CmG1|J9ez_%?R99U3DIf47Y)DC_JuZVI2lNXX-uni1>m%v`|6UC$#v;w3Td;lB)
zD;E)O*s?wf=7S?(HCVkEJ%hvGK5#-QdIs+XPlBHSN5NBIRww0JM!LaXum&6eyTO@D
z$S)XJO1xkfI07C5Gd7dYa^eN2RS*t*8QczLEh8LwcP04+kASDa(_rcr>c_q47d#4<
zgD-<2@Xag8FSs2%0zM6%1hcEC7vN{XDP6qhr<!=d!(cTyb0z5od%-^NAK(C3vx;^N
z{u?+d&#TGrR`j@r{DSWRYruK;5guFu_JI$81K`B9q#Jw|OnsR4xQ=v#ePB5_<pI(S
z_JSF;#0%zwvmYc~;ASukeiqyZ{tP?<o(E5Yh3m-|_%?9L2F5Ya55BpUbb$q6H`oC7
zfxX}WcmNy%kAS1#AedE0d4qoN0$2l1+(39R3+w~)zyYuU90K=&qu|%Uta{{te()8r
z2Ao(&c<@@V56lGzz`MaAuo4^vH-lM0&f|lA@M*9HJOOrtuYi5v#CpPm)4(BcE;tG<
z1hX2b7oZ>90M>x*U^n<U*ayA`8~{H74uM|=N5SX7tc~>JpdWk*tN|;7ga=!|KCl-Y
z0G|ejz+rF{Olu%~qh;lTesCdJ16G3F;KN`acmx~(e+dqOXTVYL6)>xbbZ?~nf_-2;
z_#C($JP95IUjmPT=fTt9l1A#)+mH)pgTDj=;2W9<5Bk9E;B4?9xCT51z6U%FJ_DxG
z-@gE6gD1fN_%c{8<G|Yp4|ahE!B2p_)Yptn^e5n4a8T+mI0Akd40T)9)Mog=g<wAz
z0y7?=A84a~gO5K%{RRiyso&tIHlrWV>LPt$%frY6Pd!4tew2C2ql5z=e+<2XFYF*)
z;OI`|gZ1ws9pI(igaZqoBEEMpj=r04VA}f#2R;gByq!BIU@mwJEC;Xr0O<w`!CtTh
z><4#(gWxB?5%4IOL4JM==7PguIrt}V5F7<Z!0!E|kN8HwL2wFLlTXsaE3Blh$w}8`
zyl&#&q}NRrdKT`_)nk#F!eBm$`RT{-7yg34SmbC5Uos~z%AC4nQu>yO+pK%8y=&%e
z+0#UXgb(2MuEdTZ1oIJk4Q@Ylh7ac>JYjiSH5Oqw;yys;<euc@=FExmpyllY*W-VO
zqUb*&uOGJ)`a%!=7|%zcU+<#l@_h(*9Qqf8UX(d`M{-%_)Si^Znd_6^mzFsdN>S#-
zqIB_9dCf@TcfVJUMP>*A-=5?;J6S59x%jWaKUMtAN75C5UJ3mQn+OWM#>n&1!_W)i
zH(6Gp%K6(1y#V@l&{~)|`KjcEnNy!kDarKhNnMzk(|biAGjGR)KxRSD>y~E@Z%azK
zIw>u)peQr1C^KharVnNUEzF!)LY73{5OTWKj72^q<rkF)tC2_09TSR0-r~%?DJkDb
zPAINaG$itJlhNnev54G3^U5oC(pMz%0-0?o_a!At96{wH^`IMh7i-2M2SlFIcglN{
zjK-x-_2J+3z*yv`pv2dkT%0*|hv=gxwOJP+xqTo#<tTcP;#7H04mb~G>8cz~6Mk~-
zSY$F{?2pJFg+3AbJB8@cPl@D5=||<KDzh?qMP|X`I9;pqN57TGnPdwGRry0Ng`Vl5
zhoKjG`19fEg<b%CzwoR4mP&rhB)>~C3zP3l%k&l58C|67t>ohv;SLb)S0>z($t9Un
z_lTZ)Q>hv|q~7#QSWFh`(o_bDJe7rT*|>~U;@>b9nIm#gr)e)sGky2jtwr(W!&mtl
zd@BF&HNtnT$TJ_IhoQGYzuG2(Lhps%1^sm{dN$t=8vd0+SM{U}ZBWdv_AB8B;XC9B
zFZ9#U4?y>}!%^t_6VRu?xEK1*BtG*IIl0i+)Qv@M5LzJ9cRzJi`k4Uq_0aQ8J>HQ_
zxk*3ct8u!Sg}S&De;EF@`mxA*k#n!;IUxKMnZrq4DEj%#$$=N_jz{Dlg#Q5iA>mi$
zvRL?+z@NO@DH-w9<#-bQVfc%M5X;|UvrB$P;hPwY*UOX%ctTh0LS*n!`G?*G9kn?h
zp$DM1C6H4Cy)gkj41K+a?nh29^fl10GyTgRsmHx3)YcuT#hE!hS1iqJOa6OWW)2kE
z0WE|EZ~AXZ#~|Sg8pa|%zT2M~zMO_$2>oA$NT@y1ulA-;f;*&r^jtx+mZlLScX2v}
zms9MDDUcqBC5X6gT!0FD0Qq;Ce#-RQs-N}rBZ18IDL;{3dr@3ZQX&x+6vxp^i8cXQ
zBIhIh@-gCH-#8X|-iaT*J(=R^=T$$pIP+*yN>}23UTHE5c~cmehS{&ZSt3yFt=_JV
zD!zRD&*T4Sf^onzPRTfMtK>I6U%KF=+_odn7m6>pKIl2n|4)_MDDrnAe~zO!HQq+`
zrp8+{o~=*$#y?wb)rqn#I^`qz?!J=of&FTCKUfcaAM{G-<EAS*E(J1~2AoQqu%h&q
z@e?5BJW4z{?30gI&RJ=+C;b0+l{2psu^JzWFX!#h+o1oSD(BP4KY{#Tj8|WkKGnQR
z+UJzS>I|eO*C(vVrRg=}>siXPp1wbia|j<x5Py9Cko?~XyN9B52D}8#D4+)xDbGQ^
zHipM9&k_8)@c-XYo&n<XXE5G&jz!*M^3|J6ue?M0)t*#l8xJvEVZufSLN~oMJ$aw|
z*-T$lJJ^mKYs*;V8o>TYzt#tRBJ{&D;CSX|i(=<z%;{71roPI2Q{;^xukr0;kyfX@
zGw!<Q*U@&hm<dJ~`iA0}T&vlzZomGk=s!5e;T<Qdp<A5ikYw8*Y40KE7vX2vbv~;9
zgMK~%y$|}C1oR`&hoRGbIUkWT2>ldvh6Cp#^wZE!B%qH%KMq~ZXG{p;pTdMy_}%km
zsmHm{g+E0ypvogU&Zv4^D(i`*GXF2nJlvC%l9YI$DNRqgN7@+Ot4F!z>G_D>M?7th
zk3}%UnR&39_cQAEq;@!y`#}177Nn|j!KU(0xMv9WdI@JfQtqdrABE0K8RF8d#;YZg
z?h?JO+V)sda#_NXS1nEC<ulRWww-mQ)1H^dj<;&uSS0dFsh4k&yvA1~JtOoZZ#(ja
zpBRgLneTeuPrWqlD0!)q;nMU+o$rfvtJnEHM)>tR;_KlM^i$Bi_3Z-m6A9=U6!`H3
z^la!y6VUz8pMmbJht<#zC!mL*AA;_ae43Ax+jhebI3J<+8GdhlJ_7v!a=i3G==-6&
z<%oVyL)Z&_k4UH9ntn>vrzI|x$^y%DSEg6h^XY6V)G*;OJDK@VCEde@nDvL$+j95{
z-Z>VjHGF1XPk%^PI2A(&=7xm~7UrvPaS5FK6RwSLA2Idw$>b%neq-Hd)^Ajvo(U<>
zQ;%ed>a6o+29-<rV}w7kYb^3s39sh+6?%QJEj49wvOVL+kB`*f3&Ov9EOMn3oNCAL
z$ITa2{au{7?R6<%N=;aSo%v$m4e0m1W06m?4rN^=_MFnR%!x{elD>NUeIMYQ3g315
z)Ou%8=H8^_$F#~FLyYKSpU8v%Dbv38Bv(7@fW<OjXY!n~E-5ny%{uD<k<CZqJ4yKA
z{bP{_grM}H>^{pfD@_A(Vk5b*q`ndR0O!ws>*ybT_xf4se{tsdl$5RXXwqr9i$M)#
zQeVrF^UR0i?O^rLk3x5kZ^GXV{W$d7`EGxteD*;<FZ@pVMEhA~XCXa1CYX6?VaiJr
z5*E+Bs*4bPoR;`MITm@FM56RTf2!7}$t9?Nk*b*3O5`Kynj(J=jz#P~#-`^&zla=V
z{}Cded|Uwf`hOXVd{qcaKBc1Nzt>f~_qx8Ta_T1B8NwAxIY+}S$=sHj{4s~QSS15i
ztDip?KQ$Klio|0+LO;fz1D}q!zYIa&58XRHUw}UOQ2h9u@h0XQ(7pX-HgqcizaRQV
z<h%K${Hmd!hd$jIZ=&l8HBLs?6^k>6A5TiTBk>3!Qw@=K5P2s)GZuNw8E>NU)I3PZ
zE0ytv_WD>-%8iNTNkz>@o}9m({JF8nCccZ_dy-|k!|GEyD7`FG@n*f5^*DSlB*=#v
zH`RD=>S1NdUE{~9`?(PEPI2DxPZF={ht;^w8oMVod6_P7rizQxlZ%{(8ddtbUiK4y
zC+8zGB)s{k@`t_+y1N{NF6V^1642$`a9aYpoFi_8?wz;Ex#IQEz2l9XGhPFoWt8)g
zc&njTLU)ftQjQ_$rO;(ACHdbYb{}Kkz_g(35chk`5R1~QGjp&c(V|N1xsC)Ec>~Ck
z^oE6?<SBaz+&fa0JdB3b9(haBn`7-95|)qjgBeq4FUWgB2&#Od^Lfl8W@xNR4?5r1
zq{BfCqSPb|A4yj=a)y!fh*NK({g<jY?*8jQQp%LX(?nGh^O1KDd6U1yc}|HyrAygG
z)%d;MNz0O$w8%IzM7RRN$ve^{+>^=6q+c(UadoNKMfJGa%t+$y&m|V6k1RUu{a@x>
zunFHQ<+VfXQ9Y?F4ot=$NROtWL>6g=t~*qz5B10?JQ6=o>V{sBfW8lU9(0oLd_+#a
z;rG__V}{>bZ-=1gAjeC;0Nv-IXCYtCu}_80aAEdkmOJGtbvD=dNBbdFu4;c`iDUm)
z>u5TZ6rc15@pi7jt1Xw6Jx$KZ7yj#5<YlM7L+^3(6SHqoNewTcAU!LIlJw*!@rYky
zRHP?=FQJDXFGbH&u4DfCH1=H41M?XHsn@yC&*Y9pUd-Tu`t($?n)fqL+mjky$E$f$
zS?0E{C8y+#U$I5s-N@TXJh$>);#te2sVIH1(z*Ee;lCgMw}`*$r&l}WA?X}2{@(g<
z68c`kdFdl2J}*6$$hN`nt|yY;Ea+X(KPU04_Cq=B5xb&$Um>~8Gc66I-{)#j0iEPr
zM1+uc3VCZqo*M7%dD+`_tBDRjY97)D|HQAx&qIztx1iJgDZNz^MK)gt4gYGPD}7a|
zX=sSQ<>`x5LZlwc{f9!r&vfcnbUcmjW2t()l!1{|L4pcanx4Eep@$woCBHQk+{9<b
zB6B4@s^3!msp>x(JpH+(zZd?g@T>Zu^aFoS%Cbz~O2v(O)V%2ke7=7|uH5U$y9~J*
zY@inW6LS6VmtKb4diW~;3Ay{=U;i3%{pf1|zDD@UO*tC7KKeEL1p&6aKJFO+Wpk8I
z05?kbuCKA5?9BVA2k!cf(Yj~ClFSp^l9JyRKkr{6lB7P#eVA?E7>lfv^^fWoqV*}-
zFQ|FalFaj0CLc~%Zx*Mg<VlYi-(@W&B599u-=^!?u}Dv9d_2){)zsVbuTM_gGpb~(
zb>}GZo_TI8GEXKpq}#1Ox>MP2$xA7{!lOVvu1R|QKEi(&`;l}gD&L-d+C9%bkd)k+
zFyE3pJ-_Qk-p(Jy&+iUG-v-^=Zw)~2f-dT?KhiIr^fA9nz&`@LF#&(-jnp^j_8dlJ
zN&C%$z6SdJLWt?F9**m;q)RG?U(%n*o-XMM;lCe$hF|9+^zG0OKo=SINAxTAqz*wp
zo}gZ-@{a0P?AA3Y3H7VXs|I;;-ztauIqyy4L6tY<6}!KdCkyhNMXq)A@^mavF_abQ
z$)Ag*AWrfj_qQ5<V(f{FGY=#&TnW7%dK+}nsU`GUP49-j6FTO3=Og_4pl^fjbEvvJ
z`VGIdT}i)tJ{ET7UD~cDaSg$L2suj<@S73G*+3NjjGI`G!`~(Rs=U!pkJz)NDao`h
zIzUPP<A;ChNn_VY)P7{korq%g70pJlgzqMN7vaAw@r@Ur6?9B^vp&lv$N=Fl5`LzH
zk4Z1P!ptXRyvWDvG<?=i&3PLYk6I_Fep0n_S^lk#HK$0pEFvi-+;+Zu)2Hk(0m8j4
zHk{PqYQh~L9K()ER}aGNwk72oHvXyNZ$3irg}$F~-gbTv`rZWe0q8pu&`(0&2Hm?}
z8-d;hoo3*CB;M5NTE2I^mIYnpZxn8&w`hAAf4znx$62q1kaq}qTO4_pvtDb9Eq@8i
zN760#5KkemSO^W7lUJGYmV1ele>N6r7CPy6+dHvZN=0T?R+9dZvi+2(vJrV1bX=u`
z^UBMHzHJ<NW-W-kg)#D^|EeL}GlY|KP?8S!zIb%JQsW|a5Fafi!8}V3S883*kG$hQ
z=UhgtJhlE%<1FKqIUgl8^UDbbQ?}E`i6{BFM9USDE}w2(?k)76++Y0n1o21v<0aY-
zQ<;*Kcr;%!egYmIKLPo~-%tEIxi4wkPxi=q)|_L&4y5d&$zROOsd9DS^@KZ3xWZqJ
zMV?FMAyGLfJC0dTtxrCLe&V<5m!zkBRx%X7)GC(&T<TAG4)y!j@#A+r^aIe<x)MJ5
z2!FTX_tN)4Kb(NSANn&1=*OTRO+X)lemnvF0`wCJ=ovF;PYLMR(1#Py{m{=OpjSgb
zpMV~MelY=kJ9O*c<Mq=AePROo5$KZ>&<CMUO+Y^l-3OiJpYsv@k3!E$K%c^Zl9zxk
z_ks(c%Wz_UL{0#DWdgd~A8z!>k$yq$6SqOP`zLeGhjG@Kx97zSn=IYR5*@xlmc)My
zd3!za2z?0pe(2u%bpiT;1oVuzQhyWBv!Ne`o`FpJBl7)*-%FQ!&m!MT4?&moc<I}r
zOZvU^KIl6W(2qdhmVhqztGg1=PeT`dd*zQpm-6w_r{pppPC(Cvz9s=Z0KGB+UG8_6
zCZNlG@4^Ihx&K`N{dKmILD93^2hU4Dm;2#43FvZP+?RkZ_s6F~r};Y{kuUejMZVkK
z2CF6a%OyQD6Elu7{_jXp_G)(V7)GOZPvI{&{7gIJ_*ucn@XI`@+wdzp2EIMXE1h|g
z`1ievKT{b??z>C+YWVJ&|1tYWW<w8wOaO)NG<;J2QM-aVKM3DCn@#CCW45k8SBX6H
zk#uB3m+*HBO{KFEi^}5kAgLAk0sQykukwxm4mqc*_J7Kqy-wi^!M7hirY9!7iTU=y
zcL2UchEMh<d=KjF33L2HtzQS=I}Tr^@Ue?!)&uIiY(v`f<n0BDXi#<{IaH~h7V{+B
zD&3=mKSg-epQ&`K`96`c->B86;>kvF!|=&(dFXi{>wB|qGV|xk<WGC%>E?io)USHN
zALcy-@05tmN9f(qbB5#Bulu0;pkHA#gTmhreQE;!W6&o<*E!RHgkRoMFcG?YUMutq
z&@JfcnpOQ3dPW}O6Y0eK>U{F~mJMC_zi;Lb?sGm%G7l%Eyc;{G&)Er3Gd5`tHH6#$
z(pW@(Z$#J6O0%9y`BqZq)TMfbf*&70t{46_r#YV_1XUi&{w4L<nAO$#OTO#X&EoW>
z_V%Tue^BBhyjRbsp-=vOyq-s)PlWE(^OQLVOTaJhcesdrH@~X?(9c6(YSP`4+(7#%
zOJ{SHb5Bd0`L(<cVk&ao`Yk7nydS~`y?z1@iRNeS{gU-5vlH+4>V=_{*Gc3R@;-<<
zlb&dMY<DeV-D=eJD+5Di7vZjyaONX=&4%6vJ<}$FLia;&gnqAwUJd<l0(uDgMd;r1
zM%$rVBk}Y;=o6v4`y+|>h~f9r2aWs;PkK&6KTo`I^B==s>fxVq8{+}-dgbIo&w=ih
z6EOU4IZ_Ta&>P|ZqsUk5FznrC|47<RGMjzTW}}as1Yni-dHDXwyd`#>k@#F{Ve;P+
zP0B^i5OOXeCt~7vufNoKiF429{>LIL6~9O%N0mRBIsB)1JB=UuA?VW9ZM%-Nhid3Y
zp>Iv$fp#q8+Wtu?wJEL!FJZdjoBChu6FPhtw6^GezBoO3yZ)x_gTgQGEouDgSmf=d
zKk4C|%+XY=``Rv(ay{#l$;FuyrR$acWC;FeUKxw5PU8XnKPl((-S%C*|M$GHaMG#6
z#E@?9yJy|b_+VX%{F&goUB1dbW@+*}60VMny`~%yA>?%>U5ZR_$~C%w7F|D@{q$1F
ze}Z+G>zu{_@(PkK>2n>DMm|$;C!z0!zEx55AE^)WUYCo|hckFk{mi)eN%?k$Hh5F%
z9KA?ZP^pza5Ba=5<=rA0IeX;1Qm@>1Fz4wxPnR5uHCsr!<oz)h3AbCqnUBmb<b5)2
zyl3TEp{e>JSG10(VwG?Q@t@3lSKcK4<|FACfIb!aSA|A8%=phbg7XADx~o&gsjsi7
zohXrafp7;1r|eS_mXFl0j60~$(4+fP_WWeC({GyX1Kt0@e+qult^E=C)zBxu;Zmf-
zCW1l_LGOYt>bE~qFSbK(gZ?uiDt#)uP|SKL`GcPM#o}}(Veythk#`b#)*CNHK9E43
zvRl#2*wl&%yeK_+Rs8J+=CsJjE?|C-ytSs@y4Pz;o}9<Jj>Z>rU7}P@E?{G13@1<a
zOj-00M&9}<ystshXFfug_xu#R=~Cnsn+Qt$2ci3TpUwuS-7xIC_k&eGX7-&q4}Wc9
zJB4aF63+$X6<&QQGD+l_kI*yjB>t(F^u0s!)W*oI@(+DI^v2lyyX~iWDfyCrcXk(v
zohL>k(!-0qF!Hutb17mu^3;4%mG=^T4y15}CoKEfVhM&v>yyf?=2;@|81nM2HSH=|
ze^mNxJLLlecBigPPI1Igbj_|o-jw;&N966}yQ@CN$YUnq3C;1Y7)n|Cx>$lpQ|%y(
z{KLqXYRbG_=~<OO^iv+XDu3t}??*c5lt1IBDStJNx%WZZ^yw!^o)ZE3$ZS2LE+B7x
z)}_c|#~#Ld$jB>o&Xp^BnB1>Od>VLRdh$zj(DCu;4qy6&n!8y4^4=tSpV^%2T;lAX
ztMO-X=81{Pe~8~+)aezy97Imu4ZQz`@0=6J+i2>gynm_``iB$D8?n##%DpCI4`tsm
zNw%xw?Rus|Q}v%gb3gAHa+ga!QD#Fw3jL78uliZ80-N*6tDSCkN%~sn`@-~WSmixf
z1vfL^NVpDlF0}Re%!#Yy8+-Q83t8lEhwnUm{X$Ukqw^%H2l|&v&%i(@Vun+-?>a!Z
z##=5$zT?!3XgPZ9%ZoDGsGkM##>>)lc6Jk-QqkH+-6Sb{0ro=PyR_28^Cat0<`JqK
zX<z0X5#=~J`9yp<M)ylY$T>3u{mKNJd_E=j+f2Pv<)!Me>c_YXcqOL#@yko}Hh{cS
zb1y}HY0}jz^PA}X3+5xy`xj<8s`{S`gxkh@nVM7WbP&$npQ`nSI>*9UOm)m5zTTLH
zxU^4sZ`pwY`U{!IseI9&Jt^m`-1nBvdE&!K733?v*%*b_BVr%&&fj$@@{h|Y*Y$~;
zC&x2h9;d*GLH9$W#Itk3rN}20MgI}KPPvEi=I%?89YTs-hqADfipV6Bqh4z5$yZ?$
zJ;;03x(IhutRABCcBNM{P8~>2nI_{@ye3qO6nTBfTf=*<ej*W|S94xajT6e=FZ*^)
zo^E$ZdOeibdy52@dOU)>Gsyd>Q;%uKW<IRyF=>%|!t0Z_#aClfKHbR4FJ$~IX8z=q
zk1FqIK2<$7^Vs#t#}k%ANqXXf)AyX>8>;E2L@!5(f0+0S#*5#r=i!OTrxPYXw+P8k
zY7y-_a4B-N(;gD#N0l2VN>Uako?dXP<uU9a3HlgyDlh?E25`yGcH(a<Wt@1`dSlLy
z3{Om1nK%JTLsO7<5_y%p7p;l!tjh|MYdQbK*AeK4p#Q`f_Y&pPlpE(VfBhQuQ{J~%
z!28v%T8i*!yN}ibRSrtt;>^RzDgU`7k#;1Jx;^$H@8bSTk<V(9`YZjxLFjvVuUJGV
zo_IXxYh>TAn?fja4gdPw?6P!DZzd=N6^ohw7qh<q(51*+(T{5P#vYiLawR1z4IcxP
z?$2{!@xx!xcPTPG$-{p%Ir&+KU$5(>Uy=6-7JTGV<X?rKeDuouD2zRs4bZfdn^1Uk
zsB`X593<S)k6wyA;G~OoEBC)EQyK_i(xpd6RsQgwKX56=PNmvE^fS=y`+w#=0hE{f
zo{6;oKgG9y)8C8ye1!RUkJ~r-Zhshxt#atcp+6x+)nBP~j9M3#>3Qvm<YZ<EG4n*7
z?ks}z68@F1UDEb3rT^lqCamNICiscJyif5w{%Rd)`&UN&2l0Oyf2Q}Q{0QF>^&i3i
z68_h_{r|uA-aS0Z>e>T-Ndh9GMvIDynksljOhSNQtsMwKQG^H)5igTTGJ!yDO(qCx
zHMLf$MT?eN>orwNt)(@`Dq3qb^?sq2W7UecrY*I$wVGo&9!`to`>nNp`@Ll*>Uo~;
z`|Eq3CwXUnYwfl7UVH7e*Iw_QnR5dA=t?{j1AX5x{fvMv-`n^;=o7;9nt(nR^zERZ
z7N+M_DucAY3G_oB-sPVULSAmq5vid3TF}RXo~wNuK|dVy1H<yGgYug}9|yYBW%djC
zX9x86KpzWwO_-i{uHQcSUdd~|ziVJlgg(osPXv7v=<_4=(|r0|(Ekkj`VnAo<CFib
z5yCJYP!s6q+|7NTqgQ?{Kks!FAySo3zQ=OEA2F^A@!=ELKBLHc1bp}1vuj|16m)#2
ztj)*nf3{;3zHQ)p6MWzG=MVIPdh@Tzb8Ko~B4*e{Rde;5b9T#bJ0RiZ+xO>KyF}J;
zKiM@PzcF1f`os#q&Ql?4ZobMA-B+K2*tdsqnQK@6E82LWXF%WozFqdYA4hMqrU-pK
z=*NMc%Z~2{y#jPe<NIw`9+ZC>^aVrEw}YM<f<6X`%(fxu^8KHe4MDF4{n{bu8PIP9
z9qHGg{mnu9*Moj9=sUvnynp)oy&v?eezwcbK{);8{ne+x4EkC3@A5z2qVp`T!KZHr
zy&LrRBl3gtV=w_W{35rXDFgi$&><#hKkVsJ)S%-J`jbPH&w&0g=;BNL@td#BQ#)J_
z`cH=_e?RDVfu2i$FN3}b^kc&E>jU}QLGK0qxG>$+qxFx01KT`A{bis(4*KEY^5+Ng
zt3j9kZwS-#zOM}G2QYv7AJ{eU8t4V%L-WYy?q*>WKG{!nZ`w7mOZZAdeBv{<2lYLP
z`c^)O?*Wa}_g%lfHzDUk(hCwXIoF#Usjr{_$EY4co<Uxp5#zfl;F}1(KRUi8x%tjR
zT(k<`JK7R%m$aQ@A+XrX72tamd=ex0_Rt#i?=H|^0zH?#Jqh~1hA6)c^u2cF9`6DK
zhX;XvP`Likx;q~9F`(!2`?Elw1^Th!^65Zd^`OrKUGv3mzKR~MG9D==dRPm-hlXg!
zM$qpAJ(t~W2K|1}@mM#|V`HF4`5xcLK|eA~53RqW&p`YF`sc#*c|rM!pg%GMeJ<!d
zpdSz}zaS{z1p3`WlwS+_Ekn>Zg1&AD`ex9t7=r#D=&OdHkDiA$8gx7+2=o_PmnMRK
zIq13cI~R0mUoQPNfqnz%x#Fv}psxWvm*3h5`t?JU-we9+KbQRXKwmioeKZVw*%0)J
zpf4GMJ{R=4pic<vFBBg(fxZCrT=Q)0CzRj#3FS9`LizVtexGpr<_7jTy2|EpuJ%m?
z{baO%?{Ikw|8)M&1%1*G^d`^`9fH0Vbn#QU<ZlFh7yMi<`exAIAA<fK=x+}}m+#Yl
zaR~ZE(8W*Zs(&u%KOKTD-_L#95cIX6UpoYSBj}fc-W=9{-ZC9P@t>PP-wb-L{lj~p
zKR*Orz9;-y&~wediJ;3ml#7nQ*?SZ8Z0mruuL<;bhM=zny&v?w!u^{Q*yl#jW&Co{
zH-j$y&sG0>puY+_(*J>f>kQ<NUTF2_@?R4{|7eK%=Yqa12VLTe`q8Gp6?k2+G!{36
z)}i%~vp?oRu6EuJdNJs^+W9i*Q$gQ1+|STHR=(H$XwY-%aZI(<pNn1wdI8EW3Cqv3
zfI-H&8g%g!%Oi9P2!x&iUHp8m_OA#1TF~`5go_v2gK@ea^bMfrYTwJCuOEWG9dud8
za@on4vk;4bo=g8_piBL^+FuR&#v$s@fPT{u^!1>NesYc9{h(h2`uvD~gMIkRpx*=f
z%rN~cf&R9Gz8Umf^LWf6l*j%x*E&`PdJpK|3-71%*Xw3l#~<`#u|K;sTz}qbZGg;!
zCOFVFpud3E1sBHV!LNdL-U2xju}{mT=SM&<1s%f~%;!AYNJ%^11ib<D&IsKC8fnK)
z&>sQ4-Ot}KFR*NwH3B>$XZ+dtUUKY1eiV^&m+}aG7U=6hpA(joKTCxOy&m+3vH!?L
zm)}F!hW$jO9r?|E`MW@$ioDHlBlW-N*Z(Bwe*?WXLbnZ>)V~e%iP(?jq8BX2_Yi}g
zYd((${cg~kBJ!8|_0Ix*`w;T$L7)0a?)t9)eHG}95&5=BlJ?&P`s1LljL^UA*Z(Bw
zV}H48U`>SnHJ`o>^e)hIl`l94>%tJ_$Af<IquKqL*wIOtsB1vK8?Ot#9<%4$v>Cde
zmG8kB`55<?-;MEce<}T4kNU0v-;{8F7>7%J8zJW=(65pDeiV~q-B!DO6LP%X-1A3%
zCu0QYmx0aScjjH>>unqiq5*WIi$e67KK&%nuLZp&LbnZ<^y56x-yDK|3FycEDwe;?
zvxQ2^-vau1pyygg9szv==od!jUAsST-UNNu<GJPU1iko)*uFZi!tdWW90Xbn`hrOR
zg7%#R`qiLgdmYk`r5?5apl<@bH{vIMp?*@vQGTCe(bKyI-U*kNees)SGXe|WUEmw@
z4D;=7Jrus5Mfv1=aP9$L7s?bo8nO$^t7L>*+O-|>@}A8;-=#kJ9-NavzggtG7?LA(
zUT1X*Um5s%z_&^G-iYyS4EW9i-^tJI8u+&G{WZq-4dat`tvwIz2VXY37y3rfdqFS7
zYu{c&dBe@1zXbZkFx}jg>Tw&|@iyr1f?n`ZtQ~I$?HF@D;`HZt*?DKD@BC-|^{ou_
zxxbE_6Wen{-Xaws?W_iU4d~Z~+mUA-6?z8rk3jE>(BIJVqF4F7%S|uZyeb&^g&@yt
z<5(+<BIgmv*$F=J1HL};*7)ss6ZGZ3F@F=#Z};gtL4O}~+(P9S`}A=aVBOe~ov!15
z0OW)IA?9Df*ibuRC;9K%8Y=Cqhn%vPb`8vn)MJ6Y(60c!b_n`ipsxdcX{5ZWLG|z?
z=&ymkHbS@LlE~i%`mEpP_JajU{JsI`<>B&tZY2F2Hx}&!y$-Jnj*9j(FZBFqF67(>
zzFhX(1p57;=dz2npdbEn?zn3s=tqNI9B$_d9WJ%+C(+Jw(8V7YOb)d(WH-{E_rP~4
z_zskDs|fMQxa}Q`+qfD$2Y4lSUh*W+uK+z)d#Vq_S_b;X(w;@3daON~;gt5s_u#w>
zzK?~kA;c&C#?t=g2f_E~tGfoC5WY-|@8_lm8Sj^Ckf-@w?s3=-dK>76NBr_3{`?-3
z!tZ%(%^fe4f&MJ$x%xf#AlM`5Iu2hAwKFsh(#}gD=g`-4ub;Po-UNECIQ$W5C+NA_
z@iN+RIpr5zm%AMW2n?SEUoO8o9`x5KC-5V|IzJ2aqu&Uhmq8qz_f_AI)PsI4=(3&!
z<!|umSAah1&Ft}?*vDO<SA)JfTwZL0IdXwTpPRwA0erZH>IvfD_ds|T^j!Iq(U{;<
z-^yKnBIv6?&sBad=ud-wU8MfCem|Q)FMpfojoiADX91$Le=X>bfS#-TM$jkyK6m-e
zpx+1j=fd@e^4ITyz99!)^gOyAaV6;Y48t4OKJf|N<`YD$w6hF+<Nkni3<5a5ydLeR
z$eDWx+5!64AgAE_A-fY<s{{XX3FPecr|fZv)N>2yr-HsJQja-ip+5q8_Ym|qMSg$o
z_;Dxbi$Tw|zZ{pw?<;|hFfr86AkT3U=r;~g{yfl^<9E{b43|Gu)uej71oX2(pB|=b
zlxBLq1@t!1E5qZFpHKyA|3UxG!2>z-ByWPg5%lB3@-1Dc_3s4zVbI|wg8qe``;2SA
zdNl<7B+%ve-3|?x53PsifiCs$6Q+mq&6j|F8|Zt5=@u4f`)&b!?GW@wKtK6|T>}jf
z{iJ;Tyb1ah7@u5uo}HjyI|O|k0*-@*sQ)C;M}q$4aQpL`{CRL5=we^L%L9X(Co%_q
ztxJuR(tchca{jq%;N(a@ru+T43-lwm<6KFEUa9o)kntqwRsX$fU~4|!gzNc@ok@^-
zgzr7@<^3=0IV?xoQ>CJWP5H(w!yNw?)}?s6>w|WSypzCp(N4^-aJ{<5<zL`x7CWs6
z-y;L~y-BISwJ+~CzMd}mJnY;X(BF9}cr4^EOxAN!tJHTF_zuk<7^oNyzcLD^ubeFD
z!}Q_4yv^V{apb_j6tutKun?cgJ4WP5yLO^or;Zx1bNx<Mex0v(`JJqFdkon32m18&
zKK&%nN9{Q<FeBXm{FAin(%$OB5kD6W44fhDC=Ink+FN0|6h8SLoCW(13|tI31+!y(
zUp7q&-$vB8VL$wi6<&w?p2xEv0?)$V%i!xDJ1~Ih&GT}4&N%p<4E??b{l3sM_DVEm
zJr#$oq&E&5@399C450auYhYm5m=cV^%(sU>Fv8n70xzGJf51nbJshXoo*%|{HN)Q;
z=6%R_yPtO4h4_slBkex#gv-43+1`vk1RP%&ewvr0kPGr|8s<Gl*1gJyUp35IF}&To
zB|xyyEFIqB-AH7g!-k*joiMx!Qatag1V<l%HzmVU-Xd5BTDp7P@a5jONF3F^&)0`}
z_we2B=MJy+uHu`$4oA7^tDhN$pHs31jh5esIc)fRZ<a~gW9DD;p33*$k*`IE;E`V#
zKGQopJL}$au@!lKSkaDQ-Zgn-8HfAC;pcg0nzT_DPTn}o`!ClN>FI+xDvmegprf%;
zJuqzCvw7Y-QskPvqyL!ay_I*Ew(FD^1=~7o__GDx)l&I)@`k@%;5{ubU(Fl7y};|1
z9{f0e_|?O`9rAKb!SL?k-i-x#d1t}!O~bvd@(YmY;yz_B!Y0<||7pY>qr3-4fevu*
z&%^fGhTl-&^$e3=RsvLb^mp*$XZgc77I+`$&rxhj+5Zglyqoin-Y~*@UTV3n;OO2F
zUa!=0)$pTVAK`5pj+eg>gL*~&eIWn-|Lgx_4RlRNXpJ?zyXrA^dd2Vmis1*40gt@&
zDjbv0yT(FzHD=*VeUB}jUj1LJ)BC}EKazKiP4IdL>EgHLa&#<vt@8fHyoB65XDf?$
zxA!9y#d+~Odq0ZrPZ6JuYY)45*b?i76j9_N8xFi%`(V#{tzkvtC*|7BZXQx1dac<j
zp?8P(?P>2_yYE&ieh-j$S3gcUYk!K#Kfw2{9sPXYJ=)~4`2Xv-ktbXK;}y;3xGv(o
zf%lcXU&;Foyl>!r6Yo#+{wnY9@ct3+Blfd??$7&?yietQHt&mgZ{U3;?^p7E1MeGn
z-^BaVyuZr(JG_6y`-uHnKkrBKK9%>`yf5Otf%lcXU&;Foyl>!r6Yo#+{wnY9@ct3+
zBMxBwydTN?RNiOvzKHh*-dFN|CGR)zzJd2myg$wRtGvI%dwiTf>HV$EHlO2sx_1Nk
zgB<iW7Wi=vIzkz}t|Z<09m4+YloqQ$PIvF?bCh@UxhDtR&AUxG=ml)S!#U{AA3d6b
z?)=j;Iq1%RY|cS<{^XS$^c8Gha}K)XsN{N+bbA;4U&)u-a?mv=1D?O<ptrO92RZ6@
z{%=Q)^3Gom%Q3#re~->Vck9pC9P|v^cUTU(Td$7FLD#)2WSo$LzBlDxo}>STq@S3h
zyzZUBQ$ae}{oB5Lbw-ZznhOHYq8#)wEPrke`TLQ+JV*KcN$<!(KY;X0a>#e<-ZyfT
zck#h@bI@IU@S_}b7f<{=2i?UJY-Y}z^CP(!s(xzz=N#UXym#<^HSZgEe}eb7c>jR+
z5%-#$LwGOaeLnBYc<<)@A>ME7v2x;Xj>O+>d@ug#B>deOdVezB-_7^pe-6jry`lF<
z;r%HU6(<%QeO7H}OQy4^Y*P88vg1oT^<BxOC1sO}%O*`e#&F~$J61PmQnk2e+U>r~
zy=rX9q}$uPNiD6J^rRUx=Nz9&E#<qVEuE8UI~$wok8iB^Cds>Hsg7mdr25q@kZ1Qy
zyHQrA+dCRtTOx0gptYx)Qc{4g+L|)>0qT}U{LiFU;eP|(fYw@{%A~wW>1D}=_Ed8^
zxvU;#-8%@at4pR=)ur1qNi@GHZ8DOn_V(0jli^-3uR}r9muhaTL%CK|fq#><UaO<F
zqr;n2*V^2iZgH*!+Wfy?V!vX0c@$Bem(W+`1mgA^x6>oQEo+D?U!9l0JLDz^6zRL*
zpIgryQi2!Z@|nDZk}@nmUf%`(;^k+7^bulKSO1N931z;KfY9Y~>!e%H48^%|ybvGn
z%J=0Z@J`}+y?Lv+fXYq!?#esAvIv;0;jX;f7cAz&<Mshy(JQV$?ANiA4chPG?rttD
zSF@aJzpKaHW&M?y-o1BmeK8l79+sE(OFLcr340geh3M3kcl(GwmcN^fu6|eE_5X@k
zdABcF!-dQ3W2C%vDPI0sV4@SM*>n3i{Xucy&i~@2Ueea^^$olUmoH{qU(AK4*9BNC
z<kmxXUmq*q&-k>T3(MhOaGEgzt{laAH^s`kedm~kR?fvAjz8Z1ZkBho6mj2L#PY+I
zx{`J;ioW$^e5C)b{P>4wD#!ST4Y|TCuq+p^e^add-M_K&cmKx9*Dq&5-rV>(v==YJ
z^~=ZB<QjdVDZazRC?@}eH+;Q>H)1MonA|?S|BHsi>x;jC8)YR1a^>AVe#fUQ|2LGC
zHo5Yi+lQX~>FWOgW!>DuOV90NN3wiBJM8S+wcpv%4wMPkzvD}FBF5YCrJ?J0a^#tI
zxV+0FcnK@->Q|xo=gPVJ2o#Q#pK0}bGg;nEd<rOXf_NW|!XnGK@#0h~-%rQ)P(`#r
zQS`0159=?E;ja8~F<jazm%B^+>esCl`*-lEh92Y?NsGNzIWZGe&K*@&zVJLNcqne)
z$Dh-i^M5kGv(-QHCx#}^vhwbKyncsgyXT{I<#~xgq<qYFx6X!%`Dlq-KcjeopTCOY
z!~MKf6d&Qabu5bS=DGDLijVZ%x)a5B_uP6C#YcH=orvOl`2IhNkM^8jkK%iJ&R<9I
zz5M)N6yMu({xymh;&ajF_oDbdp7V!Md|&vtiZG<F^S#e`&VPl8`S?~M=a-^5oU`*c
zAws^lzwbvvFh=(P_=UPKq_6WOyU6@un3(TjcjM-Bh>$O<D(7hkhJ3f12~e@u0`I>D
z0>oa)JjnC*^t!*FP@v3U_2t7*ZxQS5<APHJdNw&SzlV8)^-vC6<oAzH;8k#)ftP|8
zO-KYFUe(}F@OVCXCGcVB@5ni(H#h&juK3__*+@AqKaIC~J%s<mvW)NVfM@I1Hs#;j
zE9QFc{QXBc_;=>O^U&aI@^=S53@cyn60_TScI;5%UBnZRD_0ru8sbHY!u)_|lRrBL
zekSGgF0*=_-<I!g%O*#jooB<FbKsdAxO^vLHaV9AmvQf-9iG5`-2hzlljyQ`y8d<(
z_lUdp%bApH^8dr}uZha}1@XSC495)A>!}=aUd(~ZZw+Lt_YXPnzvaOH8@Tkhd!4lh
zLiNha%PxOp4ty`*D(8D9=V%k-jm^PdlmkB!xX#}X6DnbKz6p|N<}x1>oR3wMe<Jbj
zt8JcwNw1R~jt#M1#AiA@MVt%sY=@r{#ZPninNfV6!`U9Uz%Ow4<x&1c4!<ahFL8K#
z6qoN*k^XiskK(n&i&(FV%iDlwvxn8dMW0)Co1toOVfj_W6C(|G`O<F_?<KC^$%&G;
z6Yt*7_^&gqdiOf~P{Z}R5J7vKc-3UX#Xrim1-RHr%}q1)eK+3A^(OAw+W*HK_+Nob
zzp83XzJAva<a`8N=kIMZRc=E6Bi72#E`KlJBB%2~lQW0>2NHjj_<Z6=5&!<9#xMR_
zu6e}2{+Qu1pXF*Me%h}LUtq9z6Y+-U44*>$7sPKSF6)_GzXvY;>g%?CxpCh?d|M3P
z2MoghZVW$`_<J#YHt=lvUyuX8fO5L;wDw3YPp)qg?<4N~>f^+V<V%xq&DQ_WJ@yIG
z&MxAW#AguiBkugkg~W?~U~*=W|7T7P@iU2k=;RQeOneeHR#I=#29x9Pi;33|ck#(X
z#Jgks+lluPck9ALB&SsV4^6&n{{_Trh#$}P+(EpXxRc|?Jwts$je5CpUlqgMxL*>(
z-MDwf@V}zoY~$|g9mD)<yxy@f+|@fShP!%;V)(yu)a%>TL#8)pSEJ#lMW2ZW4R`ag
zinvGqFHt{N67PG!_@@)!OuT55;m%GD#)eGoFovgy_YrsV_a5TiY|moK_eQauY>$)g
z^!Y5?6W8bF81D4BC5AhFz8u4su-?~*)BSjD#J9%qD~Z1z!;8?5Z1!-A^6%q~jO}0U
zQG9S5F6zi8XOr?H>WS?;HUr0(0}tBoyhS{|Kk8RGgZDfC3w&Sr^UHUcUzN{*$TbPc
zTEP>)OXz#|{7JsdOz?s{vxg&<inD>l*IjJ<l5dskQs6~d_DA0UemLZeINangjp=n0
z??2dZSMRSWzw4cZ%GK}K$E)9w|H{uB|A|WVyuXq^vBmoJ8u0=oN2UFRuO}3dT&Y|K
z6Mz17<F7W@n?k&AZ9)-ehZV%vooILk`4<3}evM(jmJn|uf6rUSe+2O^;)$ybPf-8s
zi1%-@_I#cEH&Oo8)Q{7DkCXqV$vK?-z2tw5?Q#6ClYh$;lYbWL{j0;zH92y!ORnw2
z*Yzj#y?&=XUhM?_dH9){ji&z^r6N~|yte4MuO^|0><{JoJaEy^)8mbQxxwBv;wK+s
z_`bv!5I^)4YbR!oUage>+E&9~ApTY2efcJ*h4?MRdtXQ>(oFmT;%jCZzy8KFX#XUB
zXrbY?<Ua_8D*f8>`-CDeGrf)lF8ykuo?X9Yk-zxZgz`xoBi9+^UwNp>-`iks8TtGF
zoKVEsTPN}QImUlRo)x&4_^8o_yLE6Y@#4iMr<MHgC~jrL|96sq`@5!37hmm%hDm>~
zFEjbe+5T$cy|ay9zcUsBQ;LTr+w0C8_!`RTe><U!SFz}Iz(t=|kF$Cw5x<lCFYjfz
zi^De)KlZQIo@>beN8*Ld4^R!>hs3u$mrzc8)IqP0flIv&v2ht&D0&!tO;Q~BndXEN
zcgK1u*IC4CHYD`@3Hl%3OG7;Ij<wUxi))Clf5UM73^~gDgm~8vqH=ykyqk9D?Bqq@
z(*C~Rn4B8c`yTn*stwogTm@|x@rV9p__gFeavvM_2gfIf*zI`WB7eaVrvGC}tss66
z>phToE#<uQPm}Nb;bp{&sGm~uuLmyvr2i)-A1j|;cane0tqFba`uj8B(w^hbH2!JE
z?!8X_P5-cZ7ZBeagDCcV^&btdC4MyVzQ+=Zxb}aMc+UjG$C3Y3;8O29TzBwRucYHY
z%jD~K(Sp)K{w4H#)>_2><nMhgq2--lx|R6jo^j4os^>jJIakK)^Y`TM-)eH;mi77<
z@va*Tck4(27FN+i)k15heg`m0>`%NXwmwcGKC938oqa9<E_!&Ke)}M+*6Sp{H^KPb
zxO|oPKb|+dl>D~?mvQgqI^xFtJ}2jk*8T^`{~U0s_kPwpf%pf+M^Vr7iOX|NsAAA{
zoZ@?Wy|gPXcis$#Pfuu>8kRhZcpvAT>u(M5ns<!f;Thun&l`Rr<#Yj;_Ge=4zn%PJ
z{%-ndA^+n}&Q&JItvg#Nr~V+b6E`3K3S9KLE;f&L0xzP>@NEw)tl99xfM?TNiQ-r!
zf0$4)`rF-jH9H6YIpi-~YW#3JdbJQQnre6n@vr5Oa|8MB{*&paiTsZeZ<}Uv+&KOx
zaP=oYH~l!fdWZbpX~ys3qMeFUXy{hBzs;Ane;EH>q>UxsGtSzxjre%tMXwq^%u=tD
zh!;;Ye*F%4P);S@7xQn6oc#YvX!!yCkI%Cy&Nrc38~I;nJmBo-o5X7v*E#*%kweZe
zbKt+DoWeH}TC3CNUx+sxV0vD{HjO#J?7S)#*OdYn|I>e>$#LucNyJax)8t%9IgOO_
z<`ITF{jYKSADKR#Ke?ayANMnU`3$36TZ!NO7vsO%VDG;aAN)M)f5<=bed9ls{PJ0H
znZG;O9ydqIflI$;|J(Tc$bUBRZjLYB>XpI^vCqD{t(~qttH|FrFQI(5v;Av`dp|W?
ze?uM|Hxr+@-RiwrOX2gI#QQHc{y*dy;c?<!R~hc&)!zb_evRWgej4Tcjr@gG#_#6K
zzlqm8ZMfs#9Sf+)x#4AN52lq~hZ67Qy6NN;0~fs|xc-hL|7_yDUrZ=6o$X&jympl7
zZ6*2TGw5npW3Ap<#IJDj+5StZ&zp&NH<)}kFYYDY6`Q|LJ2@k*-ox3RkBPVa+vMnP
zRiW-Zun<UldJnYrxOI69@xFD&zXH5+9ZS6UnS{PyumAD<2)O98XROuh=Ji?R-*ULg
z_t>u#@%v6Ue)&wATz3*b>;>cBVX*fg<-d5K@gGNgGx@tuNhpHppx58Yzm|3)&+X;f
z1CKVPzg=AS^|xMtA3*%bomQ`F|76GiyMz=+M#HYt6z7}JElK`9^5d;uT{-yI=fHnR
zIgc_9aq;;x#0#%Us9a|cZ{?7)ll(<Xjej>Sh0og|P!v6EIo<FFh#yP5<}}m8zc^my
z#GlSH{ZAqPnZRY-C&v6|Gx@t_nfxO1cM<R9dg{h&9q}6CZk_!B@jV~1_ULzhL)L!~
zUl*GfPdGW{R_|e~_xHrNykYox#NQ|0{l4MO{yze){o?-4jr(DTnBEG%6XidKc;b1(
zKTrA7fQy`uV)5`I@^`VF@?2J~I^tE2CG`Cg{qK3Ji5K2w__5@_8o0>6t;ojZMDll&
zzxPAqpGf?N#Mjf#-9Gf!#67m(+11;``%W}D4*xsx!nX{cP5J+JayTw--P|1$Q0#5^
zuWcNiKRJ$gZ)|>@LcFHZ<d@`G1?LifZJWtyWWARY?|;hpi->>A;k2u>h~Ghc-B#mw
z<NGM_o_y11G5Oym-ur5lzW@d%`oCko@gw5Y>p0-*XQmndtHcw;tL`>@Ci`_7@eN-v
zITcj&8sh!$8Gjw+tS8?4tl?iKeiv|Q&#WU%j*CNHAb$`0>+Jjw#A_}yIR|oK>nGm-
zgyG+&y?qRPALL8BPqCI%vEI)WS$`8#jQ<Vd6NsNIKMI2DLdsb{yk>PmU~j$t_q;C`
znVcTl?I_}_iF>an6mjie4_x}YgX^{H??&?9!sm3~rJnyl{C(!luJi2rH*k@2Lu{TN
z{CV~(Htv&&d$%Q2fU}=@z(vkGF*#}Fx4OdrS5Z!H%#U49yeej&J;b|@wtBA^X3`!d
zzUAkJA4dCmfp`z~=KTL(iTAVKA`|2N8@RMTbC}r=%wDep4mUl-<MvYGHSZ^s59XoQ
ziNsqzXL6i=mMKoA(5(x&#F+_xKB17bZv!t1@wu1x=8*F%#Sza?Z_Z9$BYrH`uW}07
znM2P0M{wL@_BN6DD8^S)C}$4wp2rf3xVSL|T=ZGZb;R*^IQjd}Q2uXH&LzZa+0HuR
z-=Ul`=9x>0-%I|!R}zXiJwHXf=OB~+UGl#Qd>`o9oqsDJ{%6YXnJ`lk*Zz+wC-GcD
z@hix`-+0qc@fO419%h6I#Mg0stS5glaM43NFE?BH$rQSsLpj~|Tl?L*vz&6`@&8wW
zi(e|DU+SW)Tge}P-ti#izs-E?W#oT__`Kg*y>}6RPjS8p-F5+&evROKX(ny|38tUf
zyO}<pAU>IRZ)`rENxYcrubZc7;%#HCJy>4#Y5^|wF5-B(IN?h2uRF@>{av2%KS120
zeGaFbrxfR#&}}REYhr$HJMkWli`%CRhrwt(xh$blZe_hwfbSDJXIQ{G<^Y%ZzKZ#u
zJ%}%+oT_`RzY~TT;e6ml<O$y{1YVfs`P~(i)BA;lvL8%2HxcilzdD%0?jSyi>v)Fv
z&xw!R!}RI)1+OVirqJy@^7l<nD0&rXJBb&*Wcd5UM;>M4cu*{Uo&a3*+1FtFT$a6)
z6ldYk?M(7_vA<5wN#a!>n4D8tW-0M?PZ{p~b{p~Ha}9TLE+f9-Z#FJY4|fnREHZp=
z>iMU{<Ilf(iF@Z8zl-0VBi_e(aWvcc8gN|~XeZ9UeE?kS{~)gWE}qOsLD5?q{m<@{
zQ|R#6dOC^tHjXdMTd%pq*U?T~TvtuJYag?RJIViL;#;b$U%w@O32<p=J@fy^6Tg%E
z5B=Hr*ARb>xc6E@5oe!&0xo)Zjrr%j$^Q}gi@C2khWPGyA$sU#zH1fnQsB~_C;5EV
z>9dA-Ki4TI=VHoP5?jZAO#Y|YFBd2Ln*2ST39a$Ye5?3x<Ufz~PGWn!W34?!3rwFb
zjy(*xwEqIy+bQHv5Z^r9_%9}Yw&G4`aPOe}0?OZur1g}u<@kgmm(gzTCLUjZe+B&W
z@MA?hFTI#@{^{flw{iS{_^{)w{oOJDc?j{Y9^-$2^&aK;W8<D6zK-*8H_ERj?j;h6
zJdtOFMkoJy!<QQDbvik>8a|Tv8sdlYxn3vn+lb#nJr@&yl6X9i_XhFaSFK;)V|(_P
zXnGjK{aP*M97nvH{%Sb!>BM^uFgXtrp9x&-_9o_k%7~xi<eXvrN6_9@5Kr8ZP);ZR
zV#=wF`P&=G-*cz&pRJ|vy|d(x+wIei|M$l4^!Wzy{_h$7y<sNk9pWS2vUdK6@^^<r
z5IZmYuJM0`dfSh95!-Vv`HurGdU%`jbYJ4L$zMgk=lpgx@$TQ5d^g`)6=&hl?Q7&O
z{=oR1|M@0xsW<L#Zzq3SnejWnbT9cA#r8qZlfP@T@i(*XZN&TjY`7b*e=1I<&}{@9
zh_q+Z5i=FV@~YQ3;G)l>-h{q?miBNI@pVTV?#AmR;^RwAP7C$Fnt0Vx<G)6w;j4p)
zZz(taSIGY##JfK*{(q4Fm%yc+8<}T5mG~><|69W3Ore|uPB8upUNk#7i2M_YKN34<
zGMo5E<exzPdg2@DpPihq02lrA{Uf2AXOjQx#5Wvg?KzEh`%B_ae{AhJpZr^iuZ+b-
zyMRl7pN@_DSU3==x9!&^=Y7f<PrR7x{%GPS67QwoD<nRb_$HoDSVO#n_}zT2<n~9`
z5?}XhLOJ2C^}31pGWs{?PwppP6q_&41K%g_K(C+s3ySexCI8{n&s`)8E3vq@`<r!&
zj3qt}xagsKRzi^nh)*Vd2cP4dPJ9XR;!UQvUlLzVe9Pp7B89{|i6`g>+&uak@#Q?1
z(n$Whh__MCZeBc0yytY2Uqt?AiLZ-|*PnoEoOX}dPdE8LB7fmK2}NAL@-aZ7hpIaa
zckSGVc=1-lo&PzSc;8cokMiuA?Bq~y3y5DpeA6FHZ!RAD3h|q`PPzGVJ@GBvk3UK|
zHv^Y`^)mi+<M>nZ7jI4|X9fA604{biGWL0^E#$8`%J^Npw3T=l@t;!8yTscV4;(>!
z#AMUktK9d==W67dq`18f|DQqrDxRBi_PGSO<N^A-ZM@vLf0_J!Qxhu2#T#EC-px2F
z%}TCOJY1u_zMcHNBTWAz*v=l}UB?*i^4O087r*f&pVuJ$uGg#NuX!_}@Aov=`wMX|
zHctnL_q}EOyRqIvOmG>;qS!bd1zh&0U5x9T9=<^St{+G3`842Sw_Wc?+p~ap->Zgy
zj_qs)F8%r!;}++KuOffdb;kd6o)x&BxOao$8Opg8xX76u^Q#Y&f6E_@|1a$Clf=8e
zVfcfT^Ez<dM^F!Y6aNS0U(0o*ocQo5*5Ce#riZOuPs@OdoX;^|w+Hzv$bTNsYq_|k
zp19YSP|jbozpIJYj5m8&PdQ&Fe$hvUBYe{9F5sevc;4d?C+G9Vzl?f#miU$l2`%4l
zV!W4#dliPeJjVN!Ur=QIb?e1mQ#tN2zjrM0EyUe?nN8fg#^n3)n3F^Q?EH3`_~Emy
z-Wk;M4;07mN9=EM*nICv@)!QZ`ddnUZXsSZ&G=n={y@B+{^~sHX9w}#GmZax;=50?
z{@(YJ$-jja7ZGne-|*kE-igF}-Y_`_kpD}>OP)7=ga>+^L%fUev(rxl@gj~R-s;tk
z7c%Y#(f;=#zJ_=a_mysb-AXy@m^X8FxPf>Z{mIFc^B{1s=RSU3qlWnN<Ue(UjmyWx
z-y_~#mQdtI;suyE;vagBwf;K0Ed(y@|JxBJXD{+kB7e>AOpfy#r#k!&!<~K>DbB*7
z+Y0g*avyXhX_w^SUq}9~6y<XqZzW!Ju(ki(VJ7HDPX6=8Kb-O(0xo*%{kipPEb-0C
z&o`mlpL5_l6vz1r`c;>Y@}`^K;^*i01ulBt!Z=|x>o}JDPt%XNb#?~v_<4^-#N+Yy
z3d%3sXnGi+{0oVn$T+iw`1O<%KR13i`Mole<330BbK+fhCRBp+pDz)wnrZya9Qe11
zue;g!w+*w3|4zK;cEjHxzJqx2(S{@aqSvq!O`lU^c6bbM(dW81jQ;@ge}VWGo)3AI
z`02#k?lArz6HgM)i_P~=;9@6*51XC1`Fk~RnHPheUsKKjn@tbzQ~oo=yVx&hhc6Rf
zM}Ok*KM^l_&D!bW$pPYCui-A<*zXIRzfT$N=I^1zGoH179@|q1T-rZ|=Nsn}KNq<4
zw<z{JYdPf<tvC6uUl#%|L>v;|Uwn=7M{(abhVpMC{x0*?l^pjMh!@1pE$jfUe(7ne
zcNOLAb`r;ZgW(7}^(rD>beZ8;7WGOf&NrdkS-{nQ#^V2FisN&yvAo%>l>a{C_TD@b
z_Be3SXZ&3K%jEBWG@*=czQ0ZWS7UL}4&c(Bk+Jw>w=Y_M`%W@BMJf&7F9clpi^=ce
zqT|WmR%&+GNB-%G^G)b>7WsS5H2&K-E-B)PwF%{R@>_sQe=j-0><VV7*A>JYIPPx#
z-a<K-^Ze}s@;^)dZS;Hl68}AL=~w?olRuXDhm=$NorEH8zT{y+l=j5WaUBR;?5As?
z@%PX#jdyq~uQ;7}4fzjbz4M4ayWRA&iTF~*`6hI`nEd<4;*cA2@c#t3wErgN_YR`0
z|D>F@gw^{x$7L&U(N7WegYCRt@8*y{Ksi+>B$Th4a(4fc>8I*k!<|0I0#`eX#oNaL
zmv-)AoVk}u!|wx8P9i4fT;fHKMddd-{`;(77jPb3MEuhKHvHR^zaF^MyPbBmf%s2=
zOFI)h=h;oXmvRbOFNfWGk@&p5&8}+6|32})r3pnYBA$o0Qt#;4IgKLX4czy+Jf4KF
zYH!qoi({+EAAjDujQsJ>*IY{eOe~%k_bc-M^|t9}4#)8k@?Rgzn@LzA{NwpK#PdD7
z_Cj&NAL4Ul*M8Z~NPib_-*+ncPa^-iItaw|(_wn^P9@&|zX=5{CVn>YC0p?V*QNU3
z^E&ZX#_R5wU9BO1(TNG=Y$E?nz@<Hj*t+lp`M(uguYXVe*ZExA`5#&Sq`#Z?wQ;|b
z@+BQ1cvlGu;zD?=R|)Y1<A)C7(}^!T*5sT#%m~Yg*KmDz_I4rh;-gIdDS5_!74eyT
zj<%BWW!o<8`R#MY@Ae%}02e(JGk@a7Yb*KV^W~r9UmTmK`&O8oNin-B0WS5{%(Z%*
ze&l1ef^TU^XbWAQVIlDz&ZB0wztiF5cmCum;L`s1^Rf-(Z+qS3yY=yL;@AF<wddD)
zR>2O+85^^QLuOe!+hXz6M8(;-&@BO6+H>!GC<@nf(k>w06MN2hE#)WZAKd=;_8jtm
zM*ekW36<>D%_o6N{;Idf>cxkX_4;EDIUi9@_dO=({CwljtF-oCPdh)<VDB*CGG0|j
z8vmDxA49w-whu}WKlv}F=jG(TfOz**ljGK-7ANO6!@oMr3S3Hj-CV=B62Atx#D@<t
zpKRRtoqF=uq>SIi)juTu)Bm#eyu$)dDeg)K_pRjLB90E1^H+Z$9zVyj%kj@l2)lk4
ztlY=Uru~aU#+B0lo_9R)yI!~UxOw*_#mN-9RXaIvBosZIv}F#L1p?P_{qK1f6ED6a
zp@_q;bNv4>e0QaK-ggz}o6v0|`PY5H_??_b9DbkSQ@J2L16=I?TE_p^QPv;G-_7;w
zFyj5h6KRukAMstp`-=^C&y_}<!uW*y>u&NN3f#qbg!DF<{M|pYdExkHDnI-)&pkRn
zvx0aP<I<}rtdsb@%)hz#|69cS-b^Ux1oGcbe9NB==XCTo5|77wPZ5vjRsI58^tmY(
z&kut^s$YG}<X5rY&k;{dFuQW=&SAv64>9~B@*hWh%PS_w`N`?Ti#~|rGn||yhF?WF
zbBV8g#^k$r@*LvpKQ#Q8<o_D+#Gj*b))HU$J;STXe*<yvRl{9g=qJEMKie7KI{m*y
z{+if2{vq-HTTPA|7jKT~bIUV^J3AbsI2#eVod8_&<U3+{@(L&C2<z`RS!O=*Ud97=
z6F-;u&S_?!FB89wc+HPZ&OOBMAzt`&LXla-A0+-^?3~_<#Cu}%cN=ik8=u4OM>!vp
zzlQsu-G~>SX8Q5oNhsp{zy!s~6uQkIe^G_?YuPX(UItw1UB!KwtM_~4@1kEild`@~
zd>zj}IR1Nx_ijrlr;7tO5pR3Ja4hS3Jx_e)Hq&P<@%M=rbN;%x=wssXIP>7sO%Icw
zG&$#R-8_o;%iM=9r~JjhrN8m-8E7YeKmCl;=jG%-k#WM|lyfur+g2nLIWEr#k0?&2
z&}|F($Ns0aa~Em<p!|mz=Nw5~eoR^8v2%?7SoW)MuC+hDA3qYf@b}4v0@pbGkIy}k
zKfb@HCf*Z^pEHy*?@w0m63Y1=`9I>m!|exuLH^5m{_37#R$wRbiTwQF1C(>j8Fn5r
zo<}MMF6U!CKEI|IZy|8$m$xRN5-uYlMZEX-hPybeU2*&X(*cHSA^iI`a2fa4IF1L9
z@G|8TaeldR{~Ph1ADEm{Cup9uXYjS3;)uuIHND+MmPx>+-uU_I1aR3O)o_30@*eXk
z$NOzUB|J{MI-hv)X@<M!L8~dJkL$0~!!=IMWyTN9>U9rrY0rk(`t>yNb=-F!NB%!j
zPVXrRMM~J7|52Pwq1&kWHeTiYoZTwYCKG>g&zXwcOuP=bw5K7qfB7o;y^9jc`7Mt7
z_Z4U1(Cz2s?|;tt3rKsG_=11hxO5T!6Y-rq$9^sGkyyCJ-g@3Lez)%~A>L1WID!0?
z#J6lnDB|$*h!<UB_yp>$f%t2qOb^ABvz~b3HRC^m`2ECdUN?L+@fQ^5o6xO~{HunU
z{I#TwfCHC)t-CX!h_nAgh$mupKACv&QsZ~)&S{EMXy|r6a2dy2_`Lzgkaj8M^lddc
zuKhO<pI2b*Jdor2An~ei8Nb_iJONzhOCP`Is+jU$BY!vb<J!5Mc>Ht9qZgPS3aOu^
zlyd^{Ek|0t(}<TV&NrdknZTvLFLAycPFfS?bbT|S$j^wcCjNY}^>+#T`(w)4H+KH>
z1@gc5N3+9P%6XUk@#l#jlfUhGtGAH+doQ&9_8n_-ZXRKTgMmx?<L4PB1K0EL{JzJL
zlyeIC4?WP@Uq<`_;@h|`>_hw#;QR7*`1UQugYQFrh6b^o_|^F)e*z2LN4$&s>%E9S
zrug9RVSbAI@pD#v#2fgzgJUUY4+OL_FREhmYXWf5&#uF*J<cBHk-zYcgi1JsauyRm
zDJK6i;>C{{zw=Aqru>QY!*1W*L;kjpjQ=ZK_a7r(c$DGRD*RqG<-A7!>EegC$v>WX
zu<O`P?=0)@2JV~QC4K^M>2Lh|XXcT=>P4&fRoboBoN8>DROfYeq?V?=rq-6F$=0?E
zew(CYQdxOvnOE1I>Bw|8G=L?UJgs6ua_*dk)ybq+pKebtZS26Wp(HcS$vPBFcX(N#
zWU{_BxwNUZHr14@&$PC8BvYNMJp7<YTT?oduAek@`n1WAoP{YVKXzh2RFcGxkF>A$
z?8i>(JDZzVqe$poQhp;P!kS8VBv+(YFHK9|POm)Yl*)O@iuv;vR!=IKT0YgQYfJ&J
z%e2e?3sWm`Yiv#>Q}u0i%}I2sjX#_cfQ>En=~YB47M@*Qaq6Tg)4cSmbVCOUr&ldY
zr=SwNBys9Auc5Ii-ImHM1K7~m-Yj*jY^cMn>7ouP)KXU`w6^xvrT7(>#`<JqN3vrz
zYHxNzO3U4=$;Dvrs0TacmrV6vm3yrnb<0vxd3$TKwx=VV$uzbsm0Ix2HR+U84$*a~
zrY6PgWwHqa=w%vLfSPFz3orFLGmXj$MS?2ogf6ZB9o_<{(wn`o)>|Nd)y4QL!Cxu<
zCVR8-em36E#{1cLFJ*On>R}^ZZ6kgeN1D^z)(DZAWPRgO{JxF6>*%aaE^BJj*Ug<x
z{_Caftrt#eOSNYvl^CtHB?J1T#*X$Bj-yG@3)>qr_!%4&?r26IlWpyd&1tW_Lq@q{
zS*nyb;H`CO{GyFu$+lE|J(T3ZPN1(zb!}~4a>?8&jUCJI<2mxO94|7hwT&(Mu4IZa
zCYxGQ^<rElCDo0Ko10EewbVDItClUVYLr4HQ^|%Fccg`{>h!wh0l7RbrL;UMNXnOB
z<VDsrGNXN3V`+I6$yLjgVLBQ7%23j0sj~)6ub#8`jJe4(W}G&EL2^;$f`xN1dLrEs
z=FH1ZsG0#Y50@w{HBqxFXU{lmZgsM9Ud8-bbLO1_8)|{!!UCZ~dA+K+iTYeJ?{s!=
zVWu70Zd_H_Tv;+bnXFn+SzUcja`svCDyq>SxRm6QCG)1MO6RrKr%OubHnyy&Y^kqU
zhTl}GtXi1-bj7C4Y3WF}XJ)1wTHDip*#)P6+VWGa{EP;;w*N!%k_GAJ)|ElULp1vI
zP-myiL3OE&m1|G8R8|e$;7=%9_esS|N>$O7O=<aIrzuq!noMO?d2-JD<m@?fD;tMs
zcFANdI;*v=Q_7al#dMerR~ITymdcj8R+(W#2s=F{?K8FHboQdcexB;Hl{Mv8V}^gG
zawXHW_cJoE=Gx9odSN;<tE6(}5M9htV)Bf7SaeBQRMcmaG1Uz1Q;XrWOt-hUM&_w{
z4nu+oI5X9eo_0z)Q-Ng#rdU^1SJn9G2eo9XcB~2x5Tic}zg1RIB2pR~hqS9frKT**
zq?+5L<fpIOhE>{Mz5q+|Jp4SGb|B(}{x9ODLmibZna0fO&#sW5Q6(kj1}neZnQ9V2
z3rmu<pT0TdbaQWtsF?j5q`m*M)N<H#rI<-&qYVAv(fqWMu@>5TaaQ&0<lM>`vy#QS
z?!?iOtY|4>yx9w8oKcBoW|k}u8h-NiDRbw~oG~{!fA;K!mDS1W88hcr3P&Uktd9a6
z8H5mCa@INXW}Gpn0##yVip{{mo}emXHy+kujjJ?rLCAy{A|ng&U{U3BS~81LO`Yk=
zm40-X>_G67%5=7;llTF^#)j3N{Kg*QO>LN4{KO?qt!|YY%0f21+@i*gMg-8)^<KHE
zF;ls~IY7E`3F0L5!7ufpSm5Ahl~RxeEM|ez+S6DkSEehQgI-CP(bT%MHRzTJk@a|L
zMQhvY>Q-5ZHJnWfvxK-3Mkf(!CEGe{n;Iolnn#nFm9A?_VO7I!qC%R02mzsJvb8gl
zY->el<QEWKkep1lwWV9?Eizlyj9*z8)bm-zQ5hZS^os1YDQ6HDYAZEVPj;kMragpp
z*hEOQSG_2zTnp%vXl8xVBKlA>bdgNAJ8g!R;OTQy9q^SBr|5`9L!R=wR9mV}9ETDE
zmCC{)^4&1Hb*w^mQy^(Hj{v#7wyCvlg|^BzLV;>rk<Z`=tj2KcS~6{RW4r5sMFglF
z`vNob#!OSX5tAv~xM~-$n=-{pUxMyUuWmi7WkpNtg)JftrYRQF(Rfi>L<QFQS)5o{
zTa-O@MxFf9CDuU;X*f-ETj$674Pq;;Q_B*GQ|8W@S&=NAR61#j_9zkur50jN!M>%d
z(J1FLHBu}OdpX;LG^d-<?`Xw{Et{I6kZ4=HSD+hN!<>a=i6Kf#XJbz~zr6y+n$b02
zaDS{gwt2O6$-0hC-BHu3TwT%eqB&u_I$G3`G(=nJ_POR|u;XqnDOr(jZ%H?ajn_6d
zVNxRxAUj*N9d#yd$U{|?l+S~ETi6JPf$-2bIo~d_ZvX<hoXlcNqPVbOxw&WCGT2}s
zUY*p6x{i`$eY&oFb(<<X9)XrGgo}v9vtHn%X=OA%#5Lxk!_!HEonRKosJIEvrbuK(
z_a4<$YXb~bT2(zKBtX&y+C`tt*`rZfb?e;L3)5JuW2<tOdP|GX>`b?>p4AFRo%SPG
z4QF(EhX<%Q<Ps1CX!e1l-kh#)Ol4NLrM(N=Q*E$XWJa{M(44NAHKTe4bQ7pt);{5)
z0_jZ4XSL2jd2Bvla^b}l6V}=kU!zN=hB{#@Y*oDV!Sd<L6cdpwjJQ)<-Xs~LJ~h<H
zbc@+Vq*xuclbFq1>4SkODP53mYf9Axn?2_|LOfYrt2hWGAE3Gnvkwq2*#a>K?C2LK
zTN;s1YZSFs&xvZx99w+{vKNx9Lbju|4h}$68>%+j{E}gm0f>6GlH!V{G@^VB_+ZS*
z2AlXvv?Q4PlP8sF+Dh%P6M=)%kiYs{M3dCtJa$V*qxpSF^N77*7D)<#9;iW9*;unn
z!ft`>jZL2Eal`c^2;ZeeVzx4*5$h|Z=e{QC<<Qrq&8;mqw<W+lZDn!+lbRJxsg4eK
zvbN4lN1z2+G<3$od9|nN5XQ74!`Cj#$4@AeZ}H-!Xv=q%VtI9~_}%GryDCd#)H--%
zXKcDSMJo}X5gN@b*#X_*t32eglBH9os&ns<U=;m~#kFQLNM@SN)Tc2Jt;nG+sc))U
z8Etl|3G;MnnI+_wH8y1Mv(#>^)uo&3)!86soL<$IY;LU&j6=OW7Cnuy(g;%r^(@O`
zrVACFI@A?0uw+t(q8-yW)fihelje~c2HR>V)O2PMokmkEj7A7;8>djL3cW<MA2G_6
z)FqedEPctoxmTgl#Um0Q4W5`mVkL`b&(RsP8ChGTJ~DCDK?trhN`FIq5VfRqVLB6;
zT9Q1($`$n%Q+z)$m=@k4=$b{%Bgh`CW68QF#ercd#_qzVRXrXFv^T@`NwQOW5UpL8
zTYqA459Pmi$=$)K)Q~+?qnSVc*I`eSEYGwen=Ylo`y<`401Q;By9&v|XK{kk8{a2m
zzI4j&0@@qY@vxF){xo&eGF0_-k<7FvAusAdxb{b;VsxuExUNs!&Pr-t7rbP;uGXf!
zgjBjt4%(|abzw6Pjp2WGrHPG6$0VDds_js{4${JB3a29}Zix%(YX^;1+g!MK9bw<g
zVei?@=Qu%#5;N!NYR<FL9d(F5q}B4=0e2g`sPRp4+p@?QG^eqHS8oXYwA3}XMcrM5
zSC@{4##QNhd(0z7E{`i(>!O7kTCo+5LJ=KAqJ+${_Ou(a!LCz7e@!qX<w0Lms6TUL
zfv&?NIiv(S()A5ZsilEU`T>ThN1g%MwnnCl?VY%qhW1XOl`9-ZI@jrzA$1RuJYY1Q
z#G)8oAzhfx-fIEB(NJwP{~%;>9FmB@lGNGMi3dHFa%gNx)~-g7gyp;`O}mY37lY*>
z(kXpnXZteSj7z05Y`$aAoyz3u*3kL^Q*tR0ZLztGc<M)u!4z+?!61#=?ybS!KE-Tz
z@a$$_C2gd;aP2^>m3F$2^ouIP*QB;GxunEBnv$hE{<sOVI%3PZ3Fs7!Yx|;851i%z
zqbpF!6w6shmKi*0Y$%y3p<z?HB@)okzelRodYW2W+ccuGX&M=^T<L&_6hE;Ni|S=V
zRa!Eq<LqU4oVXB4n{-91>`pK#VuR}J%+@W<Dh1=m1@|*KIZNHy)5+G3<P6P*Rkv1g
z*D=_+!x~~n=XVh=WC5|x`J=31z1zoGMZOhF$ERW!CP^wC16vhb*b2T_6kbxUyRez9
ztxb{9tf~!`Ev?XU1S#ZbI`A-{p%o5q1@@1jpi){JG}7f$gJn0^%q5qUmeLjIGgxdc
z@wT+MEcOJoq&T3MiG;W3Q!G(uK0f5Ca_duOshNyAdW~%alhDOE%~)bfGp2qLw*lO-
zZG_)r>3$^M^@mZafY-odO!!=$5s;G$nrllUCs=FN=i(l}pokn)FjArJ(sWc~JB2cR
zU}8CqEKj;5i;HH}rtx(+fxTBr$~hg&Oh*?_ud%MRWhIW5#22>Ew#;Sjl5?uhfNtGk
zlIk;b;jK;~Y2l?Zt+A9;q}Mt$I!M_%S5jiB50{ruir2yBIm`CJr6NR?;XMD~dFa+X
z_3|=gG0%vGn32gG)1XooQo7vO8Va&YAw*))vW^Q=ZFq2>jQU`Ij*CP)0)fK{DV&s%
z=eQjiJbM+>(oJ@JOQ^xD?`SldTbOC5!!cuDDGwYZUt+7EZc{^}?owc46Af5cV?m4_
zv5-W5va=13IW$2LTftm*Gtf^-Nm}v{Xo=(nwX#96qn~p#zfWg7U9%X~%Nje-oaB<W
zChY9O;k<;UvI<5cAhF@t4A3DGd~n4aov6j(2o0TsBqDGIN{-;@4uSi7=wHT1hEO{c
zt55ePL4A_Q=R?z+k3Y?ci)p%Dfi9lWuKBGLoAf8YMXGZ8MTbWAg2);8WMl^LU<x?^
z<f1gWE6F9v?IQmrJ2UujoDB2igjh>`v_4Gag@M!7=QuD!%;c=|7$?4hM_;<AoBfJO
z^TCV8YUXE{3z2>8l$lK_91Bqom1TS72k8xJNYN%rG$d&^x2(~py9Z|Bj7v0b_4Ok<
z4}5VlxeB3mEWx3j5k7tDgih3^kxs!(YY<+j8YjloJd}=skFBh+{8pnH5B3#qTN12T
zYB`c%4M%sF^7Jj$3kRF97+^3+Fm;(0nh2E^OJEx@8#x~qG44=v-Q$<gV?kXREV_1+
z&$94ba#2~MC0qR`g`eUPth6~iG+8pL(u+vL{T)(klXyR<!kh(HDi;bvS^oA0wM3b6
zZ3zNKE?Chgvaxj!+`)*+lXa%7(c(Z5n^jV5Nhw)O<>BsNQCTd$+&^U#$`~;8@}sU=
zd$7a~vfa-8(o900#|#6<HB|R3<s5A!-U|(m&Q7;SP9|4&Xd|-Z=A_@zu9XxcmgRXO
zOl^sAm`+C2kU?B(X@p3ik7a;sW%Z(YCB?~P-Ktf10=2TFWEx&e`qpyJ5_DE35*3RV
z&zLzUS%L$DLDoYyoDsXR+37zb&^1iwX@m<=pX7}(T^5JtbKvgP1^C$@i4u|EGG}9p
zsLnX?%eAfbtFuIo@M4mZHzya&*Iav>!3uSYn3a{tqoh>rB+aEYzB(=})~BA~c@{}~
z$_(>8o27WMrb+rt%{aW$A{8Ut;+X1|rSaSvcCb=hi|%-#NVjT5rbbDmx|PP9J)DYJ
zvBV$lAz&nsRxPU$N*jY&SW;$3{QR?pYDdb=EvL0KzGH`wkbb7?M6QNDQNQm(2OA5X
z5H+^6FGb!&wl*C&gWD2|V0DeKg)SItd59=F$C4!~b4ymN4Uwmt8hA(p;>QKtvv)=d
z8j43(Mu??W>DGf>rzudk9cV{H!M;|-!1TD4KGj6KqsL}yvm9~?VvfO&fy(E|6G5Dh
z5f#u?I4_4Y=BavElUqF_K^{!ckDsH_;R2NMJ?|$UX&PkI&R4p1&8E>5&8*ox4cS*X
zc#uK#^(5+%HNc*Z*4kDI(Sgt4EAmsFTa$8w7SJ+zghtm99n&lcBfnzVui|+Gb9pEZ
z6^q^JQyjdoQ%{1(R8vz9BAM*Qne`bz)sf|~iMlMy1<7tgJwB(Ks4bi~_uC`>!EaA8
ziJhW5D<+DGt}#P7&#?O{Z|Q7m!ehN85+M?e`uXH6kph>*!Ou=$@WDwYM8IgVKb7%N
z)OQy_Zg22ryG+h^s1pb@jfaiM(I5uLc^qw>JVDWT&)12JQPk%k{&B~gIKFxs$E`ns
zU)I+6f=s!{mug&y0M=!0U^LN?phRps%c+7vPj_QyqhY^T`Q;4#?D<Fxz&2zVlFgDv
zw4u}h73~($h>yc#-1?4IJb0F4_+ASRz$aI=+M`xk>0!voT1S_8KRgT`vxhe6CFRKa
zVI|05S3J2ChnVodqq13!!0J9XmdF{T4H&ZTgu;eZ)`CNCmR;i`TeRFinxlh=>_%hM
zF^6K6hFbYlfM`ctplvUta;w7vZC7`PpY|5p!!fzYsD=(S@IxW`WEYRHWtWb}$Ah-M
zvg1p&FO9ZM>?-hj;><L+9;qsN<O0o&InZ=-o1TkPK3i&Za=-xWa6o9qjYWw%@pbPe
zYk{~Vo*_)C7m=R0u-}<apf2;@Wnb>ZF-i@ytRv!oKk=ZiN)Gt(c963P9U_ANmzMHT
z2HX|2B+-!O1n`Uu_n{?d^Ws?wU5`YB>}TaMo7z2cC-5`kwPMkyd!(pM9qekR%$D<i
zP=r5rc)^Wd5DbS`0j(s+!`l->lu;MrySLE75bwZeN{&l#FXv0;;A~@i21lnO0X@TX
zO=W1n#1j!Zr!4Nq3Ze%#B<rA|gLXjj_JL{!<&4COOBgFpy=2HZtK<QSJ3_%_5`H;+
zdPjDhGU%d3txZNs_V7HK8#3y$Y8;F)6XZ;;=xpz3ZPzT96l;QzaLo;Ptfi+soKLT^
z?5h~j;E4-|Aa1oJDSZ*$L=yXwM6O$*rYH|S*}7=d5ILpb+lMR;+?!c6;0O2C-!yhe
zD`UyF(2k(9minw))*f{#w$?EYm;QI?A(W<2UX6<;{8V&>7Y_tKg%ivzF;Au5BwCMp
zt9a0@v&!$IjGi?|;~kkhfxDaHCy{*@Y(B+LPlkQJrfSqogJh`7`!M46GgmT>k!*!O
z*DXZ`E0jZ2s&E+wKRLzlUX<2|T)Ujg(V6I;4_I=XpMaBqo{1uOuR#tUs*OKg@|P56
z`%;lEMNB$ti`+!3#b-uw;3+aceBY<8IhF@i`;F}InHh~fmV^;OW>xqRkHnO2f1<YG
zrk=}=I>#m2@|XUO^h$&Unzh$;Cs~(judh$9Y^+OLwvGpt2L;$All9Tp9CyB7KlT?}
z*W^=f=#V?cDa(qTs&HeGOxDVwPIvM@x++e^lhCD^W$}gS6F!g=QXmsNK?ZBk_=-o-
z!!IRM_4JExO@8P|<@weH<=LqP*i{;%OfzikNHw)BOGPJ_L<Z3iQIru))084*(*dtI
zRHjCktH?%fs6C8mS#3rK)fsm%Wh0(UOfVqD7EPA*;|J=~9A&GW+mwe#DP%WrOfq&d
zt;}+q$a=_Q4?j480z*UO_SurXkQpEL7G+Yu8W7AX(*2TY&h{c%I5WYZJ5!O%vop0~
zgHeATY(6-`@!DPHL7y&Ze5GDQCXc48SWFjC<h=9~e)1qqoRY|jI%Qjc)ZF4{W8xK0
zwU2<vg4OJ0TASopbKI`NX`F0lT<sLk(mKuhGCI}SC!ZIWusL$7b(;DO3p;~NmRnz3
z^vI!-&bi^>J}R<f4g^p`cJ2deQ-SLJ^`VQ-ddp}I(pC1IgV}?66gRJ2qx?#A-PI<B
zHv}c&Ttp~AEDwN_EAgPm9u7wQZlqU(M^sZoL1&Q+4WAnl{+MU?SHy@Z)4RL1jv9rz
zgu-z>T$A$yxoT~(y72ir*^1gnQ}LOQsDf<>V@1lV+TrzEJMF=tYY(>!+F9vScz(J^
zz6=g@j>tw00Rz@13H7C-U^=2x^A;w{r8gSwf$F;!w<DL>Oadf1c4vpErB>6}Aa`!C
zGl9q&8(ZJ949B2{5N`3YEo4closZy$GB6qK5mbF6av?acE~|bs4lVjUl<8Gcws1vb
zTX1Y9TjI_w(SAUz^D%H7q2Ma}2a+QFgxMhn4`{Kpgo<J)><?OW^kIi?dbxSbQHI6y
z6}|BgTO=7IT_60FQR2jKVg~JrsWdzZC0dCTrMq##J6yMW0BoLE9>buDAOmM+=kLp;
z`_YaDCx?Sibd$wTqXtTgTbJ3b<lOwI%3mq!Q}OfSkYfeZ3`)air}WUh8yeQ~36HoU
zioxJ|I7mL|Or=Z}8G&$8Jk*BC*#4K##A!c0F@l6kmJ^m5?r@W#!xi%hestd=>7*vv
zRtL}Z<2mrK;g*~dazAzs5No7-)<{n`Y6u=28wzrG7+^UuC!c_{;g!ekolOWJd}k1|
z*>FO%p{}X5BevVp$LE$?9vt4gsSwW<U^e1&0sbiXkGg}UBJgTD%Ow26_jyE@X-ILO
z^YoLZ;e9#xKspFAc_Iqc4<Jaq&{Eg7Ix5%p>?q(bu=tpnt=>9_VIR$peKb>@QjPcz
zzI9=^_$2pQBGlMK@^IimP60-nA&j9(5~`XWG{+NaO_HeVK#^EYZb=ELt^*#`|JbBk
z-DAbfL#PKF6yh6=TYuCTj9kRsg=*xUO?TbMOgV2ai3>?F`A$gtpiiyvu;0v8Av);h
zbUVIENYxTq@pEP1<?)o3*Emy;rukJ#)EPO{74#z8A|cL|tq4*wu@l!SPV7N-itg(^
zNKZiNv37j(N;2oOYaFV=!IG#wh`uBZhr7Q+kk^ApS(aWsasDYkS#Qq}7%#e(mS<Yg
zM4WI!XJe0X&7Vl$B2!9-A~HE74Th!8Pt?&z;i!^(Ru~nKbRP$e#?SIOC+TG*9{FsU
zy<n|es9T6Bb+VU0+c5G?a&ktrE8hU52{kuY%^70}3?6l=!G){?J4FlY+^0;%HXvF&
z6V82TRvc{)N?^W3qcj?l95q$p>?R|H(o)@uoz)@{Te?2FA6u?!88js|=Jj)>{;KMt
zOUwNE5C21M7*kQsV@<bnw32vhZ*B4#G$9l<Mj4LqP*24{2sF?(RepbUt1KU<muRL<
zKN1_PhSA~F?33RVjEe3Wph&mhv%z=qyZb<FY(bp{%XiN-2aQy=@4hjON8_5<1AxHt
z82814i-`BB8kES<F)|(sh@Rw$6vx^ulSayz$!NS&j-k-=;i1qs*zxP}2uVhX7YmYK
z$)&4S$#J@l))p*wnbpaa#gTM&(61apQ>0;8`sGjS$RzetJT`e~ef+fNU?YlD;^Ku!
z?*YnQ%_X@sVl>%qn(Bh>KR~sEFhRZ@d!Xp}27w0@79^VjTMH&@7E=gYeYyBR39OMt
z$<_!oyX8U`weSO*f!b*eLHf*e;r3g?ICz7Q^ZR&0W|nQc;ZH3MWbD*s2fpV6U&p8C
z<&$T%T!;t3_+)AazHbTRR8fJ?mllWOQ5PG;0>p4a*^xL)hsvVqo;&xKXa#v^2E>vk
z^-asq9_psXJe_>w22_?M$($=7z~I?#N9K*lh9|a<MB9g*e7cNs<O5il*3S4xL@`(~
zUxdx7dt7Zv{Q95+{%B|i{C-)G!zmN+p!#6tl&wlQVl4@;jm|^i1UkOfEIkv;kQ`!-
z^n`O~@FyU$4410bci9MBV||QD9(*J{x|Ug}sD>Joqxlp+)!k^184>L8Jb#vbhYodk
zE>5*W#^|jWsy?Shx23X>BmER#ixf7Z&?b4Rt(xkJ!VhRd-^n5?zf4+d6`!w3qKPJq
zVRTO_CEAcohl}5=2p_I9e}EVej{paI%y6d>&$HI}Ih1MGmM#>}gjD4UL@-e~@*zFz
zsQDaD*zji0-~M7&cosNI=LUNu`sc8ki|2IAkaYdL&gRNx^uB&dAYzP>hkH7vgQA%%
zW~md#ZE=F(oyKYh*XgG(S(0BR5pwjg9d#(rhN)-vh>x1;_(oLbl0dOkOf<WdHAoM>
b&~EVQv%rk}0~g`%`Y?l9sUMtBxBUMA`Wbe`

diff --git a/ctrtool/seeddb.bin b/ctrtool/seeddb.bin
deleted file mode 100644
index 4bf2190e01856357ed6b8129aae8d7935314c302..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 40752
zcmY)1cOX~o|37f6$jZuI86jJQ>{*hG%%Y4$C1lHtkYt6jOSYtpvR7tAWY5fuvR4s)
z_x*W&KG*sF-ha7!c)rf@KG(U<>$=|R{zHKC|GzQ_|M_nM9ICWQ9g->{fr4J4SSD%q
z0`yHOME~(yzBN8du~$-m$1Rdy|AZ%oT$<!RPSo}^iGxypp`##t|5`rHOXMcx|8aeW
zuxm>qeOF|zT<Lt~yUK!G;rM@C<mgGaGV2FQf-9C!IL?0(MQ#NCjA~Xh@orEc+aYyh
zb8^B1<afbyn4KsJ-bwoE9r^m{YD@u^?*{K{aV$}JbAi~WSm?+RN&aD!{{c?@JKX$+
z$qi}q-M4?F){l=Or=|GkO9GtYVnf_$j`bWt9&6?^T6`ao(}5Q#wSKIy_INYOc(d8L
zelh|%J$T`Z?4R_{7o;Az;3<Wi=Y4~m0sQT!FR`RA;x2AKGf=5<bGwF|5j>WuGcJhs
ztXmOI(_}gR<Zt9m;GSiB90JFVSRV^5KUA?Wr9#dMj=Qz6Ghwqd@%Czc4e8IW3gqtK
z4*eIXNN~5rXI<X6<PF(-B7Xq>rTn$o@soC+G9#ISSmab}kr#qrju<x@R1sEZ@gB4w
zr#^KVc{R8vcXh3aUv`7$u}fr;oy0uI^(p`Pk^qO6;Fl0hw(|X&lU@zu=}&@@`+(oJ
zp1F`8_D%inWRKE&%EUJ0mEeq$-NZfFS6q8(O&20LdR>uU{P(ROz`1Mj*JF~%{T%)#
z6?<y!p$~FT@cpkB=b6RTcn<Myo|UO!9!FjSKIB2r@>;3eG5Llv-ym^>F!Dk0vNFMo
z^BP{}9yINL@%(z}kPm@p&Ua=<S(twuYJGj@)Ug;R<n!Ps3Vwx@bUISnQC(7heuW;p
zKNi6+J|z*DaC|Jy@bkj8NR8HiZz_0gfCrsZep~ZvahMY~Ol8N;clm#ebCmj@F9~p-
zuawYqeGtjrYWVOir}jTTG<*vM_)l#+{|B0S+y%o-7S1+d*!86W?|R1Et|HK3opO%i
z#P@em38+3T_(c9~oa7FI7mT6bPZ+MU&m(6ApLF>nbFi&^J%N%^?vo0AGjcX?hOr0X
z{YjrAhH>#3MNcm`Am;{e)ZE}0A}0+_J+n)ypIq?oqy?{2;KO)YX7lZ=<v$9mdEW@o
z@&Au;c)%a?e0j;{{#0MEYiTwA=^_VmUhtSEU!`CXoReI)XZ+^A;zlEP2Y(`RT_kuR
z#I2S&D+uq!hfBykz|(u!&0lGqv-}vQeLFh&=@aCM;D0k>E0ixZu$O!(OwjGSy@dQF
z_~_>n*Gn~LJO}m8@}&~yVB@P2oIg8Ig;?M>ANzX1yGI>AvH7I|eB;DIQYCHU^q+PT
zu`3>Otf+nuxckuF%PkuFd&$<%6owYWvH5uoe4=Awu<IdV$+>u@qlT>(*!9~14=AR!
z;u4#gn`S3+uRgdngX-^s(~Fq0k;?5;@l(Vr?+=Y(_wOP2ee+a-IIq|<j*FsXgE0(-
zC{IN5&zA%^t6q_9b_d_ipB)-DU#?CQMXn64o911f@gy&-`o8T6=V4#$=erNizVO$D
zQ^}M6i?KGtZ1cV<$~%EKdm7k(C8j$j>qa1uRxVJ3JQVzyzaqsm3%QMXcbi&r3k!AR
zPr<Xx)lQQbNH%#fxJ&p`M5iK;1}A+@($#dlbv@m=i6eFVU<-K?xO0Pm^~8%JvMPbe
z&t>;!A0bZxw;L?P)f-kK>hz9#sqQ@Qf;<CUQDf-Y2U*Uml71}*@rGL5$lrob;l;nL
z@$0KN_N`90$n!Hcz8b;%TW-~A?&sBe#pp|s?z}#O@=f3mUbTOGu;>=?qMK5IiQvg8
z<jvp(o1FUe;eKP6gn1oQj7qTidkDOvd$@}7N_ep2=}%M^erp>jKLS3?eBHo8J<qP~
z@82x`t5Yt>SHX`^8x+iu@}7(S*<<ZbreJ}54ZJOmzx-E**7)UcpS3(Y7HoX2gNt`7
zR}x%JlRR=zBrH^?9EkE;;9q;IF0W{9>10oY9)0wa2Ae<kzzfyO@Apjw3r?}ke}0&*
zB8&2bC;s`80LKA`-s1|T`;q9fOENw>UGI^Tfsf41#H+t%@AG-E$7II)Lk>A5xB#v~
zzxd@GcLn*^jG<G#*w04|-oLuPRk$v1)@(Mpn4kI<yMFB8oOIL1Wal5_DQWd*7ipQD
zMD<UBE3V6$Ihg9OPQACT3KX8k?r%}>Fe{lW&3rC7P48%p()ioiQC<gp%juP_$e*yZ
z!t~mc?vFXJ`CT9U=rrTP?)E|O`pl5*)msI`D1Q|^U77dGn2&1l^Bdmh^=VUXBX<R-
z+Pr-6ec&Cv__@uZ;n7(><lf-E7w;s*J!G9RF!<~&lJl}0`6F=3^s9B6*>mEnW*Mt-
z2@BZsH5~ls-e%F{u)2!`-;l1V><rf5MSvf)hEL|R`<HV!mnRm6UaLp-6TszOE=toF
z-}UQwd`Z7m*{KzIBKSS#3_qL`y>G4!(zWm5c*Y}70w<gFG|!eb{QMZ#GgnzPvLAUe
zxa2^8QGaa+kM<QerD%NqZ^%=?9V;!!TqPbp6|kEpj_kkCf&4xAFT&ivXXM@9wQ}U2
zDOX~zLtYH7suQ<gE|nEzRl#;yE#dnQ<R#$obb*9wM{EUuecfm$A`RI?{sBBc5;taX
zk#rxwWx1P$X|e=)Ie2FO7Fk#(@e1YU6ZduVaUtXt;9D~OrPSq=E<Y!lt-GBG^N}}$
zpZ_B9`f+06Mbm2>an#R$7$ffhw-Ilti93g<yY(${X*Bh>8}eRoKL(-nx94gGpYb=F
z2nN_5BJTrtdE%*uQ=aRw$nwxdecSUZ@?r3^+wqyJH*K0+@guE|8vaT{{vF)&Y?x2y
z`s@c?(;khq%RE?rFach2x!lO}X9%&IN=DOs+YRjeCczyptd@J2zy6)Xue8|cqlfj+
zKfwPSD!JJYjw%*3kl2v>_NJrb&w*EsM}Me&R&;YV<fa+Ut<PD=7r}32oVxFm|4h}D
z=I)zas&MT2wF*A^(z3osvm*t+;7n_ia1-Xg!N;g)i6}P5UdRpzYZ7N>nW6fB!S!hf
zn(vy9W`y3Vq4MO_4M)BY9x~{lQT2+(L_*3Wf#jWKF>*ZGf4(HZ(fNCqS9Rxg#BWWP
z+&}zuSbt6mKB!G4@75%97gzk32)FX^E0iY(_c~YedHJ}8s`%L|&1GSlf17%EQGiE~
z&Fw3Gv$t+bS1!JJlFsRWj6(@NlyAasqMlQ;Qhr`ajO%GGa%%AHv~AnKJJk|NO=g+T
z8+Qtj(}H_CoHen^eDGzI>wCNW3q4olbl^@CL-=Dl{tZ(5tQC#VZq^}Z1Sh%B{8Ed{
zs!3_)k?fqW8n!-V`tR`rJe2Ln_$XpHeA0G=xz3?H`+tvbe}Yd{>MOzIM~P%QZIVso
zoZz~DZi)$9o$0sgKA}Pvt@aZ+7kC5FF>jv0?~|>?FMd#0FbX0+1%8at@A2%w`i;X8
ztAWg=Xzcp)fO{WCy`<aJyIj9wU!I~IjNPAn;9qMgKMYtr=rax;<INV_nnU&Z!LKh-
z-g@qOz2u8k!byF>wpYl7!Ost7Jtg{b{d-3q?XlB|5m^5!0>1Z0sOFLIn##dixKJ@$
z0(Sq(f<HZ{nt`7l9M>M+h%Z7_gsq?D!P6EhXB^)Dvg~EvxmOyptd5Sa0N%?^)xv(~
zs&k!T!n7^*2A0<Xuc^G5U*CLSAk!uDQz|+e>(4HOA76X;F`nk3%1xTC81C)qv#7of
zcvgq_UuV0U%x`!MS-8K~W9t)LaK0~;X;urpG~y9gGBStRG*Dh2yr#{k1xJEKay^h%
z;VIn)7jk28_7O7n0|~!olX)8I3k4#{$ghGkY<!jt?Rxk8#rHE(&nZSckeh+;@YoAB
zQCgC+mOP--c&c59+#Ec&V|CVD#5SO@UV4Js{sv;4Ti}{rDL-^06*96iI~yLqPv%A6
zU;}>P%~s1?K<?!!L)-J#!h(6oZNUR$8@s$|j|b_`kkA!aKgas3JK$AMp4L_}Hx}a@
zORMJ~6*`OZcfl_<R6QZZX^~TmZ?bCtcx(W<9eB6<yTvmT^KMSDG=8zhgYwAj!3$`O
z2V56Be5^ltt{wlp*n->ve2rQ2*f*ES51!J=8_VH!SbyaR&Sz6=)8DmVQ}kp&_wxC)
zL6pA_j+a4T<Y*Us<+$lq@-hA#QshqH7i0w-MXLF>uI;6-L>?AbB6kKC<$F*@>g}G(
zb*GM5K7jT#au@Kq7vJtV>2e9u46XEN1}$tOcLP74guib-eWM_NaVVSE3%>}tJ9veQ
zVn@8*+SI<csFsx|0k*#O0B7^KbN%<yC_!Mv(8l*ZaS4?70Y6!5THpL-bKcN4@@w(a
zacqCg58S!fLGZKe(eet9-jMVH-m56@4}Lt50(YK>BRb+#&<T$)*-qpS!3niVT{7s;
zGjN8qJ`9>az}BAu;EI>@TAtDx^=AhSXEdo4H=%qWIM1ykqPNzY8br!3oaK1?TMGFj
z@EI<xFxdttwp@Yxllc$#Mvw=A&({24dBkfj5<4HM6L5NZ26+hh?UAOe1I~{!PWLku
z=Mu6Nkv|5fiPXP&J#|0lp*5-Iv_0K*<e}hp%=ekg{~mT!dEYx$a^k=q`4jLuTQeRO
z_QmU)9w{&F&a`SG4+9VLKT7tex}bFDaPSNx+pjI;Pr+|R2<7L@-xLd438`IwM|uT$
z1o$VS<yO^&$H5gbwG>Kc^45??gEQ40)t)w|;}$SUneiP|7C`<C{8wQ{Y}y4)M^h%z
zI~1kIu<;WM9uw?vE=b^h5#8lWMiNVJ&ZB%Bc=N{{UK4Rz=6a#KzpeN1e2_l}7jfiO
zAK8o44fj&>(K{N6^`9@m>HNd34ii(eY^6wr2*&igP(B_!SIr_lW@ct1GD%_P_Lt|6
zkth83_*@S&OQIDFMMdiQ(lVW}_b(Bg==3_C$N4~oA49Y+8hmf8qkIzhtII;q!?X@(
z*hf`f<5JmU<0l!Mq*LB`TmDeX@~;+CJn<;D{z>_-Q<D)3PT)(vTr2K8>=6n=^;5y$
z(S_jNF9>;zAJ$68QUAgh`AhI1FWN(5+^@P331jJm%lO#%eg%F#^$wxSr;EBaY3r=p
zUL#mO4P0?4vfE@J=<gw3|AXTKouR1yYw&2!Xk6W){pyLjguSopQDVq5z%5kAzNL>k
za?0grrk~a2$M$D3!LvA6RxZ_?`eyz)?_-eHI3CJpfs;m`@Ang8yzDf>Y%06BQinVn
zd|th?g6h%ojT}4sH)^|&hmhxh3!Of#TEu0s9{25D%a)n~w!X~;UoP2JPH5}X*Zp?W
zX}qH97Ru*=Ki6ToDOY_gvhzEQW7?U~UF2`T*E{@=gisj|wCAMQq!!^~`+ND|5s?9H
zChQb197?$QJNR#7>(jU3f8ANQtQUxOJUKe}X`lG>qx$c_saPo8)8$@YRisfprqYpu
ztuNmHw|+J2yT3Yjm-Sko(|xbXjzsxF@c5Wp3d~dCnu?_Sbk;k3*!x=q?!d4`=E9Pf
z@ky~JRnX@q)?XEaN3GD8{AzJ%Q=@%pQ&eyL4%IIK&;FLkKpJB&6?Nob`07x=IPwqR
zt|uGpR#|Fn+6l@ed)#oa@m~%;N<xwtVNcmqpL5RJpPUJ+UkNTtaw44GA^pSg-&#q(
z&z*mY>Q{klg{~d>USX+5q`kVDAo~Y<f2+Z(UM@2Hku`bT|JC(AP6pQpl&=AIpVg07
zY`i@`D@yJqx<`VoUuwaRR2eU&{QV{oM>+Ar{dE8~KI*{b%k)p%*-hTF@24WacWw;p
zZ|lLG&h@-_@!(-`JYg(#sYYibI{qhcvw5mZ5jRysXtOMf&Zm!K{aFLJ|7jv}p-$Y#
zuCcq1IGM%5P`(NLOTG`EfUiwb^jAIF^7$|R$eY2-%P0+S2K;d^?dIOhlZx3x-U5Cz
z-^#DrN+w{(?29MWWm0D3t>E)XHtZS)85(zS$i2tjEMw1?FW^>dC37Q|JzH15bXE6q
z7s{i22Y7%HL+OCt`6d1l3Qcum-)G3Xz?T)x)*|lw^oX@`4sv(FGeF)A&U&^am!)%^
zyG$$1{x>HNwtw>tTtDj?Nw(7pbz@M7{;t>74$Aj}<Go#Vs3~k-(BLfZzhJdqfV>}k
zVw7gl;ObF+0;V&jnO7>Y>o)-I+@QVwB&}Y5gz19Iv-f|n`)?Rr+oOr~hl=#U;P;>2
zF4t_Z{&EETSjoZ7M&f6yN?XegHwf`r(eX#Y>2w$FYj?5o<l(K=kcXVd-v4p%(!Hs$
z80i(ZH$TP?J<n2|Liz9D=d903aGz9rzAT6TL&La@1^EPcObto<hD_qx(Km7ItrqHb
z$fv-K#6(l8NZm?ArYAxuCEBq4qiOIkN6Mm$EYfMKmrNsubAMv}%?x-`%Z+=yc9Xc9
zW3z^7R+QNMI}1K>ea_8w-_`YV$?MNjM#r)J&mZ7FXHFDe-cXc}csAmshS!6=|8xKK
z;+%&qqA{;ML|DpH&3i)7`OkwVQT9f$4iCJNrIrxMuN+uFz5w1j^`zVGqP^WNzRY}9
z-3r$KErOpo&h<wnVQMP#x^nl|bKKbY`2~L0z}AZ)Lifa}sz6r8Vi_e=e+iuHJ&(=&
zM~^_6ih>CLU&Nfqm%+WoqAR=N$e3i^g_J2gE3oms0$ymee?Iw)c|mEyv}#P_m^R9<
zf;)5<3-aR`Qi-{rJCJ5qT1LJGE?V3|%C+|Pl<Ijk@3s2;e?K&Z*E;xp_PJx0Q&Vq!
z4pJH)Fu#%eALDF*XPgr*HS{8@*QNTU|K2+U8^4?2Lk7mwHG2Ndk}b+1xU+lTP<{*i
z6C+-W_t~|{r1-{T_={Ju{k3gy_Q{FguWyAYtGy5>Z@wNcj`BO;4z)C7<lh-cxaMf7
zUhN*1BHsnS&+;kfqFKrYH6w?Ap+OwhpX`CZT>1EO>df!6JCUbaXZ0H`QT{J@r-5jA
z2>+hW(FAg7(o;#g$oIjm-jGztI{b;Vd3x=sYm%)7@&j<@v~ite_v*-oIM+(4&w;DR
z55XB4Ic#x1#yfL&^7Z<hHpA`@T)Kb0l>o=ge7W0=wZk`+ZH0N~{C8}8<AIaa>CWyi
z$q{cnSkhf*ej$SD<Adkz7y4}GyXfR_D&gF{^a|^r3Bczo-o|D!ZuCkGN}7v$RxhIb
z5pV~;nGoS&HI`qjCVY331#*!e1vgNCdx7t*$@iGw(|HU=v{?U31Ri$CUu*w3_Cv`?
z3=^Nuy-t)r2JTwUp8Df?%Y;`Xb;k47C~SY67+gwInBmB|8~c^y=Lk61rEjA=DLCWr
zPi<ufu}wJQ$9|8QIbi(@8TgSU(TAKWEWZOTw)A>&cT%D}IXIKcLQ_lG0IQ6W6pdW*
zA64YX!Ednf_TF%I>5!cM^r!9gcYNd&;6uHl7pKm09NKTH(=R8*oIp+qPQf91;Yp@x
z!4KC^{n?Z6TaZ(ME8*NJ79=l~CmFj^V<$j@?axtzTNEsD)k|C~G0mu&A}g!=i1IYx
z_`h7Q@{I;-nUzlM`>qUP<Ld<YuLmpERtkSjdFw?+R9%#@^QQ&hdq4hHqMw=|^LOGR
zZk#E0edxeLG9|gK122||<}n|xcCKLKlOEizuC0n?f9pxC;l$!^R>E0yehlCfG+9zk
zqZ~~ihEo+97rL<fpAkIm@m9W&f7B}HGvAFa)1Oo*&jd~{X!@+MPTwx``^^}>gH7!7
zJ!bHQoEm0#cd9MCD@=NYT3@jFl?B{>dm(6Ixm3&OqW5UPU=}Z`&kEi@e(Qc$rD*(x
zYdGRZwgR#J12%9+^?|ZP9sWF(ug&#2)88aeo*i6sXDFpBR(RQ2yhppYh6P(+ae$w&
zA>DuVw(qU}-EV>7L`zs+5?sQ$b2uiKbB2<d-=gINP7bOs15SCyxx`?Cfpcg*KDzGN
z)h^_6;L(;7MFnP@S*;F4D^-4b*!oBwyuEe1LrdYA|Dedg(;k-g>nN`PUbRy5#p3nj
z#-J#v=c|;;Nyrt!30p6k5MG;bI~PGAr?_Wx8MzX8*Ucru>D>Jr;!4xmvupn5$d$pr
zKGV9cY#MB1Q)_LMqG{NTTm_tfN13zHjWpOS;L^=?o}4V?s^AZt`n9gRhhFPzYWnm}
z?36olb#NOCN@AA}&#NLmUCt_U_`OAb9{j$|`>NySS8tD1k33OPw87Rd7r+^c2}SaY
zZyE}G(0*BMyhMWX8sMqp-?fHH4!MJ$vt+VvFUlgn2tIVOB{Vcqchc;^d@}>zG&gch
z@Y`GjcM7W4(h@#9bJ+bkm_U9B{Nn{x|IGcUjdauGW=ml`Yy(saeB*RsV~gRDqm48S
ziXKKkiBbMCIAhn1^|B}8UA{pzhR?2b-9)YpKJ!<7D0~1%QHafyV^RAv_I%I<Zyk0a
zd?WI#PBLABmr_a-+yB=CclmSr8(xT)@UxX}3ze_Bt*HJLaQ@P#qn#r`%H4`_N3;ua
zvG>ma+;ZoEE@SUVp&m<~#`u<+Gs+u+lgA4k$M^bV`a-GyWGC$bJ#r)P_m}+G&+F@R
z6KzgMYPd~d{jV|j<;F6dmzKs!<j3Aqdi{N8jPfSn#gf`LW&^!EcF(S{?nuZuA-@V9
z&)OqsEA4W*uRH!+-0kpG<k!Go;0fO~aeY4ApZGqK{Bgb?a<l&)-|-ilid?I9iS!K{
zo}P71<Tt=+Rcc>};il-;S8_b`R4ge#ZVt{=G)jL^pM0V#kLw4${_Wq$Ex-?h+vXCZ
zCT=n0r#GIakHN-=6}aOcqAZHRz$Lcj6P?P%F4+BR4W2N4_@%^~-TpJ{3xj2;FB7P~
z4fy^nmzeMHkt3}lAqFpNesLkU1$WV45qL3ke3K?wOq-CK<O1?L;6>*{qUG(}BN7YL
z+`r$QQ9y17-XWzT-?A9=m?wOJG2xZ<Jo0<sJwvDGj!yHmbM+LZ)hb}^7mhtRPEuOp
z_KJIvKzljM-%uq6ly?9>-ZQ=#`jF+-^B(O7v<G_x$Q{A!oZd22cv%fsc8-vJD=RyS
z+zFhAr0KKq@<P8sYP3?Sh&V5DXYj$_Ry@&>FXDbo7`<C%r^41(Zs1A3eB*|M8|jW)
z1*_fo5!;CJ?%>t^OD~M%X4y|((;Oq@N<M@90XQAmX7?aF^)B(tKl3}UbNG>af%kk>
z6xFAj5v?P8m#m*;h+SWAaNI{v+pYSC>)p2xQ+NCKu;-T#_|6@7-~09|5+tXld@?(Z
z+(Gqy!EKoM|IVol;5s~%v!Gq{!p6TJc<v1elG7Hk8-LALv&oEou=T4y_{YICKiN{d
zmE;Y3=b!lM|2DPodI-*9<m@x}TPA3>e7IQ9`%L=(7$*RnT`9*>BsYj$P3Ky0Fn;5G
z<bmL>1c&Qw;rLbp12sx|?a#31|0D3}I8F8ht{lI``;J4V^@-6a9|Yd!x)w5~zNM}$
zFBqR4@b?Y!Q1I;umP6+&Ln?2cGzt?fFRCMd0?v1@Ui@x$UAKll;f3g5aoGAe4E*8Z
zATPadtjFq?Rj#r?t5TGI3Vx=eaBTzMX>W{nOJp^c0_(3L!M|Sm(Kb5xdVfgXN|o>4
zvm+=U1>UWC|1(qexrbf*dtp6R*S3*Ig9{H>M0W==(so&A98Wl&?}0o9{J~}1rv?e$
zMq%7}sunyr4aj4`KO8?It;AF*IzVB$K+4L4jlbvMEmn_*eyEYkuX=~hiyD%wp?o6v
zZ|@H-HERSJ!-?)m>#c7;Ax{H;5+^ofUGH@uc!A??fz!ZG<Qd@pjh;6oY$D2p=M{!I
zeLt%p&jpuv7qkqTC`f5yEou^~BvwP72VS3UMN!s%;NP*iy>rW)tQ7ehaGQ>G3#o^a
z^xywZTWkv1VDno(xVQ!h)tgT;9lDQ4c4D`^u>FU(;6%^vzHtcM8T3BGq4g!%CLh%=
z0N=iibANqcdR3U6HPuo4wi)tw;I|bCR~7eF|M}%mE?-%?pP9(tgSUJjj5@9UbYK^s
za=|0)g*Ea*@CltLUJ;GY<x%{3ji=twWBo@Fcwx1rxX{r0J&Gd@lE?ZJDp9@|Tq&b6
zD>S0Vp{3caDSROjyS^ph<Nf2Wi7bgHE(VeN**uapMfs25?eQ<Z)6jLjVZW=~&s1!V
z&F^L4olL2Ii*tdw+I8NKs*7WqP`(0ukIX__E77T_Jc+31>a-~Ke69pPEAyQczg%`U
zqUU|G+29LoeOm>dp{F8}&U`GeU@>Rs=~4>z^Hqa;-o{Tb%-6d|zS|Ugobwje|JQ&!
zgsz(ioY#3AzA1gzh<$4SonI|@MbVCBWT97BgTKw484j8><aOZRKRrr&HJj?7&;I`B
z_eCRYeP0hA<J+BbN9Xrj-^Gv%IW9*Yqx>guEr$s6Vbh(E_AI|#N{1l<<PG4}VP9%8
z(s~7z)!3MhKW&>t-V8p=r~8ZQ<`{8}TboFOqAJ!Ow17XwZ!~FFykefP)%X|ZR2??H
zTEWF$eWc8Lhi{ZeFU?Rk<MssA?*!M1lc*WBc%OXnomO^kjlmf5uiyz9&j((<ulw|L
z>Rub?qb}_E(FOjfO@BFm{Fz)rN=0qr4}1%h?*^w$SaF&2@c0q%Q6gvMWQ8>HZ{T7+
z(bC*ZCm05mjfgGADJPKkfFG__cs0nU;EPK&b;V{xV9)nH@aQjI&1YkRg?cB%yzOa5
z`%r!W{9?m!OWSl6UBv*446kka0P;a_wRpK5+*cfByVI|o@hiEp_4_cm-$p$vsTMA`
z<<L>NgZ6=Xlpg_qOTA`Qr+6;Gb7nm`fw1*7@-c8(-92f#(w=+U&Yex#KRCZ49|t$y
zCYSK)9V-qXtiLUr?~BbJQ{cg4JdZ|c%MWoi%;~>|M`8EhG&rdafo;IrOojeNdzhJV
z1orvE5AdP7=XQ0KMxS4c_UjRLjJBiW&w)n~Tz)<oA4FEw@_=oeRk#)T0{A%vhHo|R
z_h>h-T;q61NQLz`i{QCFUmSwJx0AFgP3OqB{IEy)pWrn|U*TR$TXn2DN$q9ujCle1
zFYu~QIS(Es(-_+XXUuj=3IF?t@LB?2y7F>zx}ljND~wm)UGM+=e#J8QXmmZvErqej
z1PaM>f!|JI^UDgjZPbQg^X?fJT@&0pbNBXR{#PDn6<ji~SA(_pOvut^;~8#)-azDQ
z;N#yDPpw4<Z+~TY|L66C1#JFY2RHY8E2YlXToY$=CYtyLBO%Iff~zRF1i5R=(2hoW
zb2iz%UPitJu6s7MJAuF9HaTmfqR?Nm0OZ@?)XE#DOxBdV1f-T_dOW`!Am0HWTXVlP
z^m?{EWC!mqS)MK#^55X1Pi>vDZ2INBe19dD6`!X-{s-K1P3P@2{v(3#!diFin!aNF
z!2!6cDV2WK_aFgA{Cel3`vr?Ak3;{@mjpQTvmTqd;f-7&l7+O}X5LtTh6n!W@BMe5
zvm}Xo56vV9#x$_?7e08<l;Q*bx1apvI3zPj8LF|*=Z=CO4BESqwO96g1=XafoT9`&
z-y;OCf7brorp`Vu_2Bc{<?C+P{vgqRkH2wgWU8QBtfD)1Ye=sbn}3dhcjsIg9ih%=
zpjEPwxt}cKf_^??@FcQa-$jFUStjE5+!HGAt&o#|%ik7ms-N7U))ef0!!YWYh@2Gs
z3tO~(Wn%D{@pgBO^7b8l<YeGBTtCODZ|Hp;Jkj=D*Mi+0IXU>?s^R+vKJIthZuGmG
zLHm-(kAvSSv@XrsOzI}sKKz<;^-vBu1-KoBiPM{3wB?}#+62D8{$Tryl;G?FR^R%Y
z?|fx><|*GvQH6~UD)5&9XO}OYlpQ3r+1bA?chU{jrv`t2+i$U|bGa(xM8uu0jc10)
zX~4S<+qM*j#c_OZX7BBIcVhk53Gn)x8tP;Bk52m@*5K2h9<4=rTJTIUdiTH8YEOPz
z%l5tc;4qDx4*cqmk=8+J1?wN0`?t;h?DrsN0I%5C7O*5a_1d=M%k7tp+1T@&5xf>p
z@5Xec<hcq%v&w8*E3E%w0#8yEOvpauGctOhirY84K91_MgP+f*pFj4hAh(}TeTSC|
z2YbGr1W%i#QS11meg8~llIE5N54Qiy0WK|?rqq{wJ%uBM`-PFjU3^rZ6MUDHcWfh3
zc-!14sMX)<R}FG5@Utu;;|H6OZlOgv2FY`hG|0KZGu~%Jzp0nfE%(5!ZqeVmiJS*~
zntv!eO+WIQ5XTEm?O8djzv2bIb;OkI!rS<j8h7%S0^2S&D9;BjJ(tkFlN~1dUS<C>
z{b~w!{ZE4rX|*o&%tUO>@)6_a{W`?*0^r6+1c}VvJ=dRMcZ>W$%A|?v3xa>?>Hewt
z@Rg(w;o^onS5_}_A@Gk@i{0~2qs82R7>f8XFJt$wFnEjL(^%t)Q*pW5Eb0OZzp?eP
z2zVvqo_W7S?sC?se?8ZX4z|7*1Lq%+74@i5ofDpI8#wo7Ef5|540!Bt@Xw~AcaN3H
zPd^O`F2;^80dCkYp;ILpVBziiCV}$|6*j-01=pcI-mg<ybdquFY@hC?*aWIC3I1vE
zy~~>r$E?J}8Ou-7hS|uaz+<W;a5XHdJ8*1Mac&OiVf}+NIOo}iFWn@^Q(nbyCe1np
za-h5nc(CR;TSC=|Uy}C3>aWPtvHclYaA&9aHoEkq+VQSW@>xQ;E~2~~_;YfnEHz^*
z$G%pabG~A7#mMEsiA#v|E*fyim61&;9vSCZL9PHkteWY_@yf!R&BXYh-!z)W`V&R)
zUWI*!Y*O+*>sp(^%XP`v^Fs+dZjI_>j?0@{xcJ#EG0g`4sJ=3Iv2A!7cfnP+kuuIs
zV%H0T$ko6vs%i;cczbljlx8(1R(nqmxjJ~5c?c!h;P8ulcM>ztrbKb%=fS0quABSI
zPam5K=3vq~%0Pl#1N>u*PEemXmjoH!%=->nCkNyg!IPt#Lh<L?Dvxr%7aWm2%7a`J
zyyFrJy}<Eo8r4hkee}wvq{#Ka?^HJkhe<Wrj|Lj=X{9?JBEJGo%v)^7Cqr0qZ7S3H
zYE=6N<k!Hzkc&|}wrxu~B;T`jQTvVcH>Tk8wrt`B4>ou6Pks7``*{r8Uoivk%b@Zo
zm%`y|V8_!O?6fyP^{<0V-ZoDw9?JYvW_oMuj_Ol2<Tt?arc6U?qY|34w@=MIXD0fK
z+#G!P8wvjYJx5n>F~h9%%JaXGTYx7LZGP;g62Eb~U#^}pYM33l6?m`F<>^7$Hj~fc
zm8Fsvp_p5PM+vMN6FxlU_tK=4Hcg`lo4;>?kJkA;J9}QTu1%TREYLz4yFYBe-Q*Oe
z|KdioD_gGg^-Nh|`;&LTGjJcV{HFMzXDl20g_QC74m!WP;H=#(pUZBu*hxkkbFHa=
zC`WDwZolcgdvPy^j_Q6sd)}3CT;vYmjKwjpU#ikF%}s0jOf%>iBX<OEZH&_!i&wIy
zd@XS<bFT6;a;N|1NiNuuXHinNmotc5zpmJa+ztFjTR>&eALT>mw-=8*AqmJp?hd{s
zG>~Tz8oDHE{nkLvk`SAJJi)bJ=tX=wPcj|&ZD&{Yg%&oxAAq0EY?GVsjUO2-VmP^Y
z#|E2Uy}-j{uL$XsoDvdg(7le^K7y^Eyum3c-{o+O%1bF)WUjKE8a;u|&kuZ1jbNC&
z@y1QF>hSEcf?ce?@CO%R&iR`1&(ithqPamu<PtVNJ_KjriP|ZPsOO-2{m<|I2pM7P
zs{ruz)3bZ(SKZb7hvy%*Xy{_&CkXueAkVBKevFR)JP#imnL{BuzhH28sR&zo1{`jW
z`Ql5dt#mBNL%>-^_*m86e@Jpw_rVFZt;9aR2?dv?{>~_48J|9Oi(}N3uk07fM}pV8
zR5V?D_%5v`U$UXY>0}%7C~yHjsaFXG&UaNSh5p*UYnMPC4NmlHnf=^!&gu!NKJ7{M
z-9N~mfnR?V#~1EW@2UD|Brt+sxe9p<xc1GF*b%{lAdA?!UZTcK?EOguAG}vvo_B__
zxrR}_f<xhGD9WdT>k*Xkup9Q1Yupu@<NDDUi#!7y?}?0nlkXqXB(=XpZw{qKk>`T<
zxzrb%U4OsRaC}#kaXTLyUwPoam`ROnv?(o9rXw$&6`^29`8VLrf5n=_B7KFr?>na5
z`uTtUeri7W#+ljM0%F1RJ@yg=+5?|yQT`qH-NMz?#K$-`I_ZC=wgUOF=l6T?6~)0{
zUT4<)eiCNvIy8LgM)?x(#`nEPC**ioWOd03Vtp<XA^!j_W9pEb^Vvg`VD3&oj&%21
z<fY&&mpK0h6!pY(EE@Ek=M%-&7iHiEU&JmD%TruA^w#>NW_o1^<;%f8U7uU)|MWyh
zXy>0_Kag8Fjl2T<hi!o0R&OlLiC1Iov>9<s$Sc96=mx&IiL|S^g}IxGY81#IuL5^a
znW||ei~GsH<+yxD%ZM6zE%-{h%6{qJuS3>OukLMVg>NCR184uv^x34%Gg&IHU$=Ja
z@Hp~%@V}=MSY6u*m<otAwpOm3%0b=$UcZX}R{NDauDHd_?LOVtA;=rSM;Vk>qJ_pO
z!^Im+?rz<vK;8y!S#~&C?doYQckQ9ZnW^^2$lJm9?mUWSiDVJPXB$h%ov(a`{0sP&
z`R2ebPiPz2v~_@yyLm724)8d8gIzvPd0y%kM$TY7aqRp%!RvqAaqY%`R?BkcY4P{<
z*>@=a72G<wnwEZ8{#}R}f!VdoU$OhY3q0)DvEP5@#d0j8Gs8}){9;A<Z{P;HxksWS
z_Vmdk6?+_H?sFpV0ar8SkIBOS^Qy^F^b2jaZ3^;U@RRXFEs@8%#xBjCI$8g7C<=KW
z_{uq-+oS9Ln!GbFRUclITSDFsUi0J!Q`<l+;Sz(@$bk;kOXLIKH*ehxjMdKZTN<s3
z$kmO=Lp}(8UQyFPX*Df=QC?rnn&cXG{zKqq>Qx~X7x|A|zvUR`Et-X`Pe;I|EN;CH
z7dmLH<qWuJryMSe>W_k#C{+hc)&?woZ8u{GHBozmd<;CQ^QrZ6Ds$2WDdT;y8H)(y
z<KWjeYUh`dmLLApVBq~~WW`7R9h~W-yh`aYI{9Ja-RpMIGuZtx4X&2{>xEpR^H8AB
zq!|9g_q!-R1D<*=So)Du!U^TN5Ju{^uGsuK3x0a))6R{aKSgU#7$fwgr-)Jh2YC3W
zg*n5Tx#Vi4sf{n+f5#x72N%m1U<j1oj@=lqyEjFI_YL_1csc*qWM57dQi1s!Qe;F`
zjL4V4;~y<DzLPY)ec<(e?T=b}Jn~g=!F>v2iNrTC_8(0;`vk`gkZ*u%_MYgzR>Yi@
zpMNvTX>wp4`4)K1tIPIkmSz>a{5<D0=8Uk<Cw9P78kdd2g<dBJsF~`g#Wi62E5E`2
zrhDTQPqBz)>sUJe{3VRdk9**XH}?(xi25#4|M6s|OSFnd$NvlN`ys03@LgbOQOZVP
z=j|?ReD8z5xPBORTA(q{y!i_+kAe$!|KT$HQ;Gmb@c|PV*V%xqOIKW-c%+B0{)qtm
z_VL!H^08+2S3>uHnbJxtq2nI~*W(Sd*<O+}q@5+Xh8v@d?OzjukN>(&dnxZ1-O{$K
z%oJW6cKwfm=lcu3P`T;F)5m(C!s`;|hw77pA5xcea;pgm=eDThkNF?N`Ui6GS=)cM
zMrQ=<mWEsFI!sgNQ2sc$`KEh-sOgN?>GyAJM9VZhkW+xi?jC>7l8KketKTzPeNrJ6
zIVE^#vEZFIdAnf|4d2S`O;)k_pBmiO7bl=jorvCesy>J9rC~G5(|})M-aTbCH6CGX
z{dkmJ5&sc#TJSSu9K<A=gtFS*>UD*<qf*G}z(qpOcDF`56wCZxBjvNN!q)%)G<E-8
zzd+)n(s2c8gc2Es+jvE9hEbjYy!4CZe*V2_E_afNu(-J^Wyl%9H~A<f=-=hZEUh_I
z+<Y{<hnxw#{9<;P@6buxQk!Z`!TefF<jmj-j2bp~U(v5PX>rY$M2l7;X92fs#!-3@
zwRm>wis#n`kxSV4V+D^c<i9oXi#o$V^zwtsmB8O9&kz1Gm^4;R`)$Hm{QiQoZP?=-
zM-UwUIf;6+Yp`b0y`^xf7~6c57Xp`iXUC{Ru=zP!g5I6<){i5|g~8**mZHsj)dL53
z8+0#y(8T&<3GmU{xLs?p{yFc<f87Pm>M=hH?pH;ol-9RJpLEXJMl9%K8mcb^-Zs(N
z==+l9KFtS%rMu#%u<<7gE@-dl^J4BuLC)>71(J2f*!n{bT)lsFz3FEXZ(M)|=Upxm
zb5vg*T<GPV?fR1x(e^|F>X$L&R>&2=S#?A|h)50JwJ+q5_gqcdK&}XWe{z&Zsppf8
zADu^;h>gz(^8frQ3<1v6@(mnH(yoQiaa|*;A<WqPs|xvz>?TPzyy1^Vb=n(6`5HPX
zuMR#g^JaZ$rp7Lk!*VWvS+gJc1@Nl0sqyc_2a;p=d7KLgg0cNk4e;Cccrnp_rSYw)
z#`bmEY0@Zv3A`-%H+xT9Y37gJ3jt(XN>`C<gVSvj`o*gJO_Z{!$ltF>#riKD@EB3I
zi<g<i9riO8CJ8t^u=S?_xXFa6evHj|dIqmey0*A4*!sf|{M0?IO18JX%T}*(S2nbM
zo1o(xfeQpq(9Zo43Ve|*Pcz)(j;)VP!I?ZvevU5rkS;{o)AFoQVEvmJxWWC1h$x#$
z1OFLIzY9}As;K^TaANfb39FZwwbhcvUW=ZoEJl6<d<oyH_+yIt*VPd@hwc$}W8~)G
zyw{cST+QFdt{nDBiG-|>A-4cO9ZRo}8Q5Im+eRGlj&cecKi1&qZq0abek^V1%A_F1
zSGUbY`CH(`4?b!S1n8)fEbiG(9nHu3BU|v9PaYP++cps{?ZrgI%{wh9e;Zs$_lBa&
zb@R2`S7enhg-c@h&pmM6w60eF%#pqw`#*LwtydaR-X47DRoP%;l_bf#`{fjxgQv0e
zt1~#y1*83#gNEi(ql77eZ2mBmcL8TV@$S3H-@VVz%PvGphJ5|^58>qoo=DF_DyjP-
zS!?if2nmZD_WpW;Tkv=?`1;@+4VHQILwBbB%KzdxUf{J1WM@Y6*0$Ju?3OPtCt}y%
z2mEEQu%~3royRUs=SK^rh*VJC7o6H7($+~w>4VNO%j*T_Rfv%LfvX(2MW6jE^o!y(
z75Cc>?eoYV{@3|Fa$IM>=6#QD>~MyI727`!0H0erW!EJu*+Rld!56Zjz=iT5;7uPA
zzPY|MPdZU9Xqpj}ij9xQ;Ps`UTzntwu6}$UHC*4)atGy~fdB5`V#q$x72j_W8qryw
z*N!|4{8|4EM{&J7-5n2!e{SWy$JXaD;2O3$jFHTe!~RL5dj6!Zgit;n94GdYe%0w@
zlGpNm64xn76p*KY>mF}&()x1g(kIe<)j+<-*#226xZ11uL+#bkJ_9?3H(n>7VB_N@
z_|Z|;s~g4Y-*~yb?2;;iwNU+6;2Gl5PTTrv!6K%LYA>H@-9?@TUhwfKOVi}6(d}H0
zOHnp;4#;1F-^mhdiE&iXqL5IXIIr!3?ayU^e<&G_qe%>R-4v!08kJ5aLHSH@v;3$F
ziN{U|8cL@MG5+Y$N1g?)Ty2-DQpCJr-to%GwiO?{KXSkqwp#fvaoS!ky_7c@@VpB9
ze7OXi``*RZ6U=mOUrY+T{WqVVLiIm@TS^M+d(O(FDn87P7v^zGM_vkk_3Sf+64_3z
z?G5K5t%EVFe=P$SIBEJ(T()QS*2Vb;A(Ix7C|?flT`fXvw(M+h^mvxM<DEck|DghW
zx?%RL&9MPHYA0iHiR2+tl&=KuPP^b}z`?EigRb<pz6CpWeS5)gM`X$wHd;u>vhn!D
zn2BJ|hkkJ927de<zC_DsMM^9|!iEE={s_4B<L_Eieb0Vg`F2x%v{0o0`8c@46Pk0^
z&b^(ge)M8+=J_Y=`8o-nBsXhBoh8VVsjyTO(OnaW^3&iI*E>cP^9)<%yi@xrwN@~n
z0jDI}_`t+;&v7CyjZn_)?IV<*1>f~<i{#eecd>onqDzqF#EX0ZJSKq-PyF)y=<>mw
zsa*E`P2?-!mYH`r6;&swXGUI}3luzwjgM9E1ZqF3p;YoO0+tpjjxxuBP<|c!g2M1r
z=?5CsyvsR19(h|jBL4&4sj2qmO=sW!BR%_mXL?q7<a^-H&xl>IU9H@FJr=~1@66bM
z{4cl!e`D28Z90154|R_(n$&h8-~Vs^TGj2FwI7yVAEZ-J`7C4Wj|1=&0lr^V%QA9L
z#N@@Ut8X%+{2@5EQ7Y}+556gl<5&5r-R-gU-?4v}q69d083gN9XFX~Aqn@0pRg%K`
zb4qZ<lW&gYE{;lG`7kg3(?JlMKdHbs9csT+>g!(pTIRaPD7f|m9iJNfst-+bnXtV!
zkE>(=Ls@tmavE?}W84e7%VG@gNO5pyO_#qTrvtYgp!455Ea2_qExo&JFDQka0bD^K
znZKw!f;`HuB42&f7~B730>7AiWVzbWZ8fXhn)Y+O7S`Xfg701(IHkt@!Hp(^3rAR@
z80#<DzzH}5%&+TeheUUu&}Dlv@c|v59XxErz{Q)}#ZlL+Udg8Es~qx^;Ndb?mu#Ck
z9Ej!;9%OR_wIb&Lcbh5e-87YDdRp21?I9g0HF8ey!32luWu4*Db=*RV$hH~m{J6j)
zPI)uTGwbJ7<lPiMp~W4H^4#FUu>*#-eQc(whe6NRp5AzY{1mv|?QM>u3+KMd?$qv9
z57{3g=K=5CQ?N=G-RmV)TKPWCJci9LBH&)j!FJax8&iBAMOx`ydS{OEXTiHmXl@V6
zq_Ap+&qrlHOm#+n4t!7J(etyey*-nBx*D{kQas3Iz<=g5zKAZ0-{7XqpXM}A$39<|
z1<wmUdC`}vv5QaStvC6f0Sc6t11Ie*E4z5=o<g+yPzaG<5;lL!gA?t=r+D-7*49(m
z=msryj-k8)xQceuu@A?}s8@q;ub$J8aYe2O9<=T-Jj+tp_woX3`RDTzbI31)Q&rMR
zT#vLW4;VdF+T8t&6S+2cCW-&HJg$<E!dfG1oiOK1<T~IUQYH9VexfWDRYy$x#jj%P
zLtXG{nXm8PwA>ZjTImW69{7RHPx|2Eg7F(Xs+X2@9tQq$60zh%^^L)2go5b|jp9r1
z1aC(@t{*W$ehs{wGKHf`pQlXkvZ+iQ)vX-lX5e=>u8AtI#g!Iv=A^piZ=6PM1#Vf`
zVI*4KnSYOf#pyN&o+NTd@SuB&R;MV+HSo<Sh^sYKYmq+yCr>Q;TC@MPa#G>X1o31O
zw!h#7PCAwD@b>Gbdg*7Gq=skD{{2IEC4w_7(yexUtLJ~2TOq&t%=Oy;7>B^|pS=<S
z95U<n-s3#H#&#LQ(`B~Q*!@Qc-n{&1&1mv^nD2e_sBcUE=kKQyfhPv;9DEcCPt5<2
z=Wg-pNEE7n41Ad9ZA2^SiCpRRk1PDM(pY~>3XYqn_Sq=2B@1sPYQ1iJodD&@z;Ob9
z_Xs(dKXe^h<6FpovW1)++~R<lukK|NX=sTu$-LY(?D=yXTu-&}*s-5g_m0Kfc2T`p
zl#TKf;2Q5K9_!!SG_XBk8?W}&KM^@4_{=gVUUs98Rq-R;c=xD1tUsXwcb1+my7?}H
zrNX--R6qKsFv?SdJNb6|c67adXoOSuEzq{R5;+aHtHnTe&GcBAMHHv&cAV-W@)O`}
zUl)G|wdR*vUbcLDG};^+U$o$lDkw~qXeZjW_KQ!9zqZH54;?r?M+^0Z?A$xX-G!Om
z=ggc?eR^;v$|nz^wnNAxxprUTW#Ros&H(;nD2|OJ$o!aY)WSpgL^7=ZVgzR(aMKN<
zPpVXS$#3^=)dm~iOyCFYGW#Kx)UJ(c>E}yD?qlc23{KQ~Z~w@oUh|cLVNFUSO6>W{
z25vkY)=AkrD=a;BvagwyxCNabJGic_u`c_WYWvOL)=#saqZ5#y1Xq7$*k@L^P$#9+
z^IJ2D>JM@baPJNM?8O_c<d$0t!7n-uvF9rn_=Qpv%cp-w-bJyFCim7gV$VNra8Dv5
zub$zGi{>N)TAX_7*yjVMz)946%6vb|aBLg9MOm7+hoj^3fTxxfu1UOl759U;%0Bmq
z*hl2N;IT?&hI^F`8>jc1u6G65m?Gx`cRD?DmEEiT)$WsvgilQV-a&pEymO#QVcltx
z{DwPWN&b%jKji%2T{^tK{Dn{IIxNR7X)*GaBNqU#SUK46>+vR}865vEE8L9TAA;bI
z6+;sfPixpY@Dp1eH}d<A@<QN*Jjc>+EFL*h(&cf>#@-8?e}%!RMJ#GXGQ!*%ZqCzj
zy9XGcya@QCqwcqMs#dx~9!14<uIym*zbJSO<ps02+}-qCQ?bM3rJyS)F9t5h*zXXw
ztGr0)cwRqRZ7l-%8F1gq*Chu(IW91f6UO!h1c@O(3$87~(dg4CPA|M7@Z_>z4LNd2
z@OQ1op}H!ci-&qLV&_ukEs&oBAFSPcdTP<A!DG}T?tn*H54j9@Ti%brhG$xu(|d|X
z^2l?s=dT>N^y5?dpURV*DSS*!55iPbP+lHfGCK40FJ6|*yl1L1AK4buAXfl4Hu_FD
z&}dTjge<q9*1hRIaz*f9<`0A?KKhaklMl)_rK@A(UkQ9iKPi#oR<%an&JT`V=5TC%
ztPD<Q(lK3K=p0joGtJ$@*g22ttAHOY^gi#hucx!ylcYSiNRN#_RdBDx*<^gN&C%w}
zOJ09)ZL#&E8o1OGH%h*#;w-HvWfYqCva$Q`Jh)x5+g0|iVU6{h<tlC`{_o$<1((;q
zbvgLL@#^Jq_R+%Q^ZV%h?t|}|)zj2Uq-sh9;%5qz6B;3R0<VybXv^`z4JN00vTgMH
z4z|8>2G`QgqtWFaV`(4E_lWD@#pZ7o`hQ9h;1oqIYfH*KFI+!qJ6*@pnvUupA^MNM
zeSYKKr|b_U6p4Q%rz+?9k#j<QqaiUC|Gy98_RmW`Z?tOvHv}(naK_$gx-I{>AKQmw
zmor@tnf}K(65wwlDZAN9ngs@4e!fg>_7IyNq`{xrhkgxyB$ldRY~Nk^*aUljFMxN1
zpDD-TpYk$l?_(*uQ5A#gYk(`=yk|J4UUo&KiR03@i3WD$n&8BV7he=RM@G3{&#36w
zJF9^F68O)hJL8Y#aw){v&R^&96upOB3w$HA`c}ni&qq?*U&bwL+r!8&gZo;g?A@6=
z%=&oWG5?6n61INT1s@<_QtK^0hLe08?`)Q{FZT24f#(dH#>9(v<OjYYk$xX!e1Pif
zgG(~em%3X2zLzSa(QkY8E|xb0r?0LcQai2v9Pd(f<v;&Iiw4RYfmgMDKO3pWYG&@6
zns=YA<uY;;@Ti|GA7^HtPU7V>J-%~`b^y64c;)vrU8T<rZ`2--npqYYWBY&C!L9eW
zbkm))9+L<?H)vmt!}?Q8@YA*2ICH#IM!$1oS}y4-WBr{K_>TArjhLlk$6Sf{=N*ri
z*!uM*cvkn4*=lkf`GqJ}ov5}bZ2q+d*DTMhdU_#2SYlYlRu8AL5S{-m@atiTY=rvt
z+$K$(Uup!-V)LIZcnO6g(T=L7s7Q{*a_HnbHox5kcTbHM;w@!#olEK+o5xGX)_?cl
z{_0T<wH>D!AduLLW1*98X-3Dl2UjlY5+Uw0&Bs4~Ey>qf@e=a;;3Hovow7IDe+DO7
z=@}@UeTdu<j=xb=-cFq|Cz5K<>@?(B`UJTT<jXdLi^QYrO&MhtsPY!~8j$;fU%tZi
zN6H~ZgQL){FQW3oGvppnpLo|<@s+*VLUK*+GMTZZIdUIx8=WqhjNe4zX73b9z0ZsZ
zBKHG7wcIl4aC~*g%loMA#WYn8<PX6m8<mTwm3jm=%XCR*0~A`32Z2+464!d7VQ;$X
zI93tr6iAFb7@X8Te0KO~+q8Q3&Z!)`2yA>k1~<>^U|XL&QK~Sfc}0J44x1lB!DF`l
z8@kOyy&A-u4p!~XVe{`3@aJSr_Fuyl#!O1vzmLg^Vb?zlywE_0@#go?oi*zF(Sj24
zGU)sw!0*|pw3+SM6xw$8rBezSi6f5!U-7igZ)%<KQ53mimiGH7)}O_IZ;YjX_}NO8
zI`W5kc~He28{e_u>AVX~0gnTmVi`a0%h}Uo^M4#T1MzZ&yEL_j+6&F&rUu>)==h1?
zL$dE?O5XK;tdAI{s%7@X)*mV0Hq$AG7Egx-9`q>~K8i2H`sV}~KZ-Ytg*H?sn|T{-
z*(;7mze4qsz~2eZj@tUoE5z-UzI$Ly&VxJ?e7Kq;d6i^8U7>_s=P)%k33(QHye0MU
zInS~8ZTWvpqv>;~kQaczUJa$nn0ctFIdW9@bAl!_@*;5FGij_wYx{p11#}Fu(zPp)
z7lT(Gr)bG<cfDq6Ii`o3<votP8eIB;M0m5&?(Nscmete~oIc1uf%kqp$!#%i)jb?8
z9+NRyf$fhrfhWZ5nRL6B1v87U?hIB2vY`AN_|yaPv}KznSw1@(wh5vsEWZd|<V5<|
z>1{u8Ax^)9<OJy_l>Z4{X%yhGjT^wkzxr5?NYM=2KU)F6c0-eJP=Qf=`iC}czfB`6
z%CCdp-}im<fRkTOIeR;nBrGBY`6jq={-cm<bi{5CC{??bHANbc{{e5dDwzN1DMA}@
z!Q}WgzW?+8N7@C?qA3Y!z26{eJn+^{3jZ#4d>n><N)h0sa@TEt>fv1`u-%L^Q}uq2
z>f?ip8in?X+^RkNlB;|`;;(`|AC7=m-VzK5AamTlzaw5+A2k0J<%z*xFf0GDcPx7L
zVX{3?<5k-NauV>JPgYfp#X^72D@QyC;bJ#KP6i(Qa8}G=AJ<D(*JV$Q$nP(5Ht-b!
zuj7}VUYW<cRQ1**+V2oKJGe~*+eLBZBXS9M`|Xqpf+Ua&fX_YT^k`A6=%!tt%H?nE
zyN+B0+{4F656_pi;)+>Pbd38|Z2U@t*P6?Ix4QY{>50Nk%E#`Zswl4v{*u{4&iybi
zk}dD^3%6G`)yP%Ai-lYRX;<^{doA)ZFT7H_ja&_UYjGif$6F=;R|*b!i`~L5@{8bx
z&RR|cWlPUkem!QNDdWeUPnW@~1$nLn+;FTaJ+(?k^0q1$<#oaDNcxYTi?P#oyv5IM
zC0u~@*LT3FO;#FN*<Ri`%VNp!|C+k*cq-dJ4&WzSMj6>#A$w;PSt%tM*$E+$B3mK}
z*(-a5>|MyHRI>L-wq%uLm0kKh&+~nr>;9d;yu8ond!KXM_jP@*>u_k3NWDgRXK=jq
zakbMIFTHMf%RMwXtaBZ?D|l|#<JkqNjMOF7)FmnI3)uYN4qlh-&Hv(+@vkMq3lyho
zWwG(;E;xgWJVoq!waoSNAw(u>e%Sc#2X2t}@sy=_D*a>I%_NsVr3>iz55SkVf6JPk
zW^7?PYJX9F<U%R(K=2$T#$4gNpyeAJqV#yl*Ra?B5x9#_`45}jvHgog_|9yt6-+3f
z0PbT<a*C*WgsjlD=GI}YjYr6nz<X`R=vf<FuQz$xMr`fI@gPqHC)qsb79*~hE7Se*
z`tj2Q*!hzOo+Zf~{N7xA=*sy+nF-YYY>GpP0`SCHDvN>DhxuPVQpox_ReeVF3&GF7
zoccWVAalWe;3}iVO@1}x<=`f-7TrIvHG5b(2j=~V779aN0siiQK#Tc%np<P{huJ^<
zaKzTH&%i}2ce(U4<b_JY|J>o$Wj=)RFTwH27$SRTeKqb%*gh<z8W2SO3Y?5{fWXSS
zli5e-UHTeD!5ieS!J`bV7HXTGxJQ4pf1ON9imlHZ{yo0i4%Jxko|9jG{@||&!zGk&
z2e-JXBrbebdiVaZdQQA(Ni5$5zFrj4H)FqZaeG#+b~&5;9LoRms{#Z#Bf8PUP3!i>
z>0a}lq>A`^$a^8*rv0JG^{Tc&>UE!(Bh=H_`PT=2ru${6!#?>yjQ+W>N5pD{DE|Rm
zh>)>WTg9s5(|sW-+~-+r{ul>;JriwbuXnIsA1_h<(FbQkl%D{16Bqn$wjssNPCKaF
z&&4#0d=Y$RN{YBor0e90orz^{yRI|x@8GHIc_CyhMVCY8!!`B4m1F(=GI-Q*)O3Yc
z=ELpyvr?4QIPCp}AK(w7t%YRXCHm4>nD*_oE@8+22~K$F^7erbMICD^K6)mJhZE58
z@&CS*2ylK*p9gEV36C$n)|*(eyodGw1mHP?@jn+MHgfWAYIA$}+GEe35d54x)A7`~
zl;w_4ooPuydTjkj0$%+r%hRPUw0$b-E(7U7zEkM<6yUBj!Cyv80yUYXz6S-(+IJv7
z1g?81XXC{4$I_XH^9<?_+hYCm5%4?d&fLt)m+vm~lie(}5cfuTI&cGTZ$|+!_1|=l
zCoCsIL$UWC7{I452pn(!7+Z9&Qf^H4o~|s)Gl5qgj<N14y{`PJiI#_(j^qq-R`4s=
zXXl0**hh*DX2>6n^xi=(2wu_cpv7D}udj1KMMCFm<QL>Z;ACugS<IfNyfu%X%HSuN
z*+4D~9$CF1YI}01{hUO5-ofqv`~N2*;1<P(cDHw`thEI~j;1jl#rgv=@OU+WHujQ}
zOnk>oT4xQ(u=T41_<^t-KVRCG1a*5{<CtF>Hoi-O4^^1>;_bBFtr0kM2!F035IsIA
z@VSlN%$i(T%axBelUng_*C3Yx55^N5r`J<iWj!J~p*OrZiCh`nB~C*{<$QKg&AONO
zsJKWfausmCkTzdsj~osYy1o<Yj_WhXRl$EPWG&E4l*Y<tTQn4}y3iv(2Y!{3{3v~`
zhbVXCfNuNE|NHz;P4EO;9u?{vg@;Vn=lV|4^kMVE1@Iq(jka<*nG>D;?t|gmjoAFF
z15RYCX!Kp!+$&<J_6U8PB6j`gg7X&ZR%gz{M;4NJe*d#`k`_Haeem}mO;;CeC)qqV
zW|cxhcCpuwlIpL!65zP~2A(huFAD_T3vT1&X~otj#*ojVXR##yP`rCMi!kencM3VG
zf92o$k8gxT$T6PV4cmO}sN$TC+#H;Ar6H8bbAG#SNm6=T<v8~EuYzCQxTCz;CEZ@2
z-`befeF>YtEx^@C^Y|vWbT2hOiz7=)sq;bgEx|dsZtI25C-IB@6n^*E%|{ct4Y;e8
z42~#=g3+9u>W<Z9_iyC3;DoiOPTn0pEm?`bn)l3q4V%C0!Gj(5KL<XikE5VqKA+j5
z&W!R7;P%X1*UcIucKS{GNhFncMUXp!bF*3VSeBSiMHf*U#%MF_BfkaCpWWqEZZGh|
z`{NJ$7r`!N$eqB=dB2hQa67YvtAq+?h8%s4{0=x>{5(q!xn}>(*^SC^>zx(kF5q>a
z!UJk%g;lcOQ{lJR?NcIm{kQ%U#h8O?d_O^pE~U?zi=)Whz%7Ce=cXL5edhhlKDk(H
zjEyhu;OZ4^M?!uY?*`%vQ*(!LW8<F(_~#r|yuFgy25YAyg1<`7@S*yi;KxiFPaZO~
z$`3QXIAk?*8+-l_z^8=fGH->ZEssVzOOTUDN27cI_(S_%d=g7XVK#%p6dMCmZ2o=-
zE-=f=c1PNnxtGk4K4aJX5XuLFM_#2)k-!TOS^VLeEVj*t9sd#d^q5PEcYaU5sSB;?
znil~!euscR-bq#&-Z4|_;x7(lmiQ%&>W6_BS?UMAai7z6P*ZuyYt%c4JObS8W7!K6
zJH?~tt>d;OV~4T%FACiKf-V*3(LaNm+H%!@QbpQPJ^|d|zGJo;_oeeM;*?fHIqkxb
zCxZ8k6$JN^^z{s#JDMH0ZHetKWP&dojMiD%RsA^K9(dp3Q-v+cXM>k*PA#?sF9pw(
z?ZpW4a$)1=Q}9MyqJ4vnhLA@U3#n<zLL$oNfHQN2+~T02&f+T%CQI&qgYBQ>g7eR=
zkuFpc9JTb+d&H6V<r&K7fu}Y0%eraBHwJLMY>K=Qxqv($94}>VJ3pe$adN7#?%LC?
zKI8@9Y?Ly5QkyrZZA>d~-mkVYMP3LVDQ1{3{cu~^VCcKj_@!&u^-}^a_lwW5(l*2D
zz<AnVRrgdR%9nz>(Ct?yIHjmJB(95O_R6y(F9V;mK2ej=uXovlbu8c@j?@u(IrwC!
zmD{~GW%(JsiRk+ulU^eKXDLE}yGj@_#q6fR@$_Yr{(W~h?EHQPdAr$^A@6K93(E%Y
z+Oe}INKyVd_>SHE5>mSTp^Dh`i04xRSiTZmw&3<s^WoElzs`FyQCW9m>$fWKEjc`4
z#sa)DS39w2zZ2>qsD3qgsyOF^M@odhn{HVfcS(G%L;eCh;l;r?C6nJl^F5!OW*FzO
z{;eMT6@{pH<a3efqaB;p1g)2`{r`XdREPjq(nv%3o!RL^8*?Flr(yVGRR0y^FS<Cj
zoq5adS~+ntyY+tlD)QIhUW7lXFBCtByrUYIM9lgE+ka>PugD1??|7v;YP@V1qR|r7
zgz|5|_r<@PP~Fe1*7bAuc~ds-g#0bIqc`EPSWXAyFj<}`_cJY+zXKmTTXbEyZY+A^
zIe~;|*XT8rZv;=X?yd=?VG2!Cn#FPGU%QL^J@_mKLxtEe8E^WcpP5E)ZpR^S0xv7f
zbfn^^xpTht&5%PiO$zd6aGkxpM^D1NrVcVySBA8hQz35y|5#fs)Sp{!HLa_8%E&Rg
z2YDxWf)VS$czy(z!g0+BEA{{T`}{6&yS$9*Q(kX6jZbpgF3tbBj`BU=!xh)wZyR}>
zk2_!7NtDIskGvN=bh4sC>b-y>ZN&O?uh{J0--KHq_*hzm&xJ{&#nnsl5goci+y61H
zAN;*bPPKE=m$FjQEuUyTQ&;3e;3;vzFH&vYt<RX&D)7#4WBuV6cz5plqv9{F$0I!p
z;tm`NR7Ux6@HZbPT<*G+3-#pgJS7mmgsnd(z(*e#q)|#;do!FV!`ST>g1!Ee;6%ym
zyOSNi8nS7ed%m4H@CntQ0yp2#Sy@!z;ZiutJ*LTN#f<zDc%X(W)8RL^-|V%hd{Wjr
zu>S3zmx=)AIZs2!pLma3Rpjmyo8cG_l%IqA=Sx?N=1y}l4-9)0^e(z#`v+gZ=gVE5
zg>}nZj+_w66CpVvhVoy*`^(rpe`w2)lRK1N7M_`@NB#|5(ZTy?RkK{KA7>%!?<<UK
z$d|y2CZ0=@;>zZA6$v`M3;y}gOt{N3_}P_il7~^OB+D5dVI;1{B~X49ykP8%VcQ?B
z%@FFd306TRSpTsGPKTS8niLddW$G!Wn^HJgf%5C%(v3F0^lqQx|N8i|y}gS<d&qx)
zFK?d4w_%(o#OvJ|tc#f-LjLpL`pViRdaj1PB0Gjb?NN&_kZ*t|P3521DP`ddwC}Bu
zPb|Uun@#ZR?&&1~%FE-AV+4{fD{UB~{1!N6y=qc(HJ=)(_T8_?G%t@L-vi%0aW|{L
zB1bbSgx^Zdb6XtwKKSP&BLg0PV%!$Z?0+f*<YM~|f4~o#G<ovqC#qR;QU)L8ZX!nc
z1Am`t1UOYj586PH3%qn^s6M;L{onsL!v`Nfohikztlj0&m-eIm-OHmWPXN9i7NSL4
z`c7J4(X9N(;sH10gy5AnDx$*4TqGiVQm52in!At_fxl2A7JVvM`A6D`YN@E(FaS9*
zxPsYj73ptn!b)pH4Sqw-Sbt9fK0ivM^K#)xpUB0t2~KanVCxrB@HO-7s6$brE%kp`
zbtYn{vHANTxKNJvc@D-8FXOW!{G?;j)6ntB!0lf5Y>V43c(BxwJ&AkRosFCv{NY#8
z9G3BWiJvG7PTne(!j4Y?{_Oxk;Qaa@M-z@q_>4V%SpPx^9v<izLDbHcv?q^O9A_za
z1l2zT-Zb<^M4K2lH<5Tr$8XsTJ3kJCU$t_6*48^N$;Q^<JmD~4i}F<93%&!taHo?~
zYJ5BkO^3p;^&2(#FQ;QpeJ$l~BO3dTXJp0=QJw}|A)u4g^bl9qtHe}YJKm&Z<h0;B
z#*O2~)QR_Akr9>^O_3Z&egynx)s1$AMn;E^&o4;_Ex!1LoDMwu=QAzy6LoKMnVt(j
zaa|!pP7faSVa2m8*6Hyryjr$!`npZz4B#e|{hE4;VmcENX6ok>{nwB)fy?q%^VqC#
zYZ_QC2~=Iw$Hq?<aF#PY%JqluJ(qoulT6*5my7aj;PcG}b;8$f*d0{(NdC@MRvkGv
z_?p&_F5^Wi?ba<bP9Y^PY=4;teDMMPg^@B*t%fQo#k!FuJ(QOOPwihFFo}-6se2;N
zGM1OG61f!k`(EFj{EYos$Ji2~v1TnV<TBt{ghp0hwz%+!^l&sqoZ;Tc6~L8$ecT-~
zu<iX)IOu(!r(yv4N$`(69Ceh9dH%$=&%KiM+WPyOa61Lgwq9Y>n*BLk$ed#MR={0s
ze@p}1$Kz+{h_zU;r@(I0{WG`s{)^)@!CmHOC)bKAK1(dU9!Og}i~ao0gHvw@x2}9V
zAND=iqJVxV_U}OpZWq8g4oWK6zF&V;=#%gJ$BKFEKgJn?R}H*Y*~cehDflIjotJ>u
zg4_t)*lys!>ZugAwq$#YvDZ4-{**EJm6bYjg3m2m#Oh&9uMSs+qr3_DThijCh6~vf
za<bVgc0+O4&)*c>Vv>K&JH~6jLB=<Di=j0M<;}qBxDD<dUwEI=I`%p$dR7{{K3fm|
zb=SZ8d-h|A9V%3vTe5d3e#-P>>qqOqx7rAB6K}28?wusFVJK33p8SaZ6{>%R?jJXA
zJh-V|s9b4Uzw+B+rL!No2Do>K=S{`REB-h6SJb7c)v)>(!9z;9@;>(M;9XdGxYuH&
zr;YOF;5Uhuj<L5K+&mfRZah92BZu4yyt>kek>-U9-4`0oI-#&Ftp9Qa*J4OCInZM$
zMVjfvY3YoI^?!BXW9OyLzo9>4&a_0|@>X6PtKSXYeznx-^Yp6*vF~%=4u?m#qT}~~
zF9leB+X^3Koj9L)C-qNFD)JBDs&w6w{Cr))DK9SDfA_P*-anfL|K;X8e%C`(O@NH3
z>Vu;VHotrWXE=+0_O`Fx#8|D&#k`$tY<)`n_f{YQZcqGS!u;FTic3w;<VSSFHqr4F
zz<o1(+;Y3L&1lmig7%o@{g7V)Cy_2rr#JHD4e%ZcFMAT2fZXQa`U%mC^xgBacpRjX
z?F^dO`4<eX99(btfF>}=uKbT@QP4?j{OJHUoThs#PEcsG@9(jqA#wwoe}}+NgbNF^
z1q=W6m$#&)3&wfa`fL~cO=^+f8G$!!E3Pg=7L<LL(Brd%-(N^57okp}DDqF9FlW#e
zX+Dko26*_p5yI8_5_RP@F1KR&6IlQ4%JA1+32>`(w^qamEY^JNIBRY<|25P7cMAnq
z&~u2m%v;5(PF6?w?V$$NABKUeu;@sxY9{e-PWa}I9PM2GFOCZbZ#orCKshBVSzO{$
zRr)hk3wZ!MK2g7`Q{;-=`>8h~ue~lv7DXNpp3KsJ)@<8jgoO7hA<516*!h<TPV!y#
zT5Ivb&l6N5KEhu*Mo~TqyzPnisqx>g-314ZH{5hN*oQn7{Kd0Y&lB6jk_o{&rc*1q
zKFHI-3x-l3^*c30&pkhtE#qhAg**e?;r_L`0ba>+r}#L^R~IO;_5Ty_$x)O1$BF{;
z8k+1MKIO2#M)^$exg<eJ7c<7+$qJtL4D^q8BhLaKw0nt@S(!7RSS2|`ToTZRJR4jm
zIKo%Cb*o{l(e<b=Z9UeXJ_Ro(_;g<CD;>AS%m<zf*F|i8%?1B1l<sstt>gWTW_i}4
zsP(@GJ-Fq8%RSPltgSZO)W8kjS&8@F`;T!2;HsQFZRBkE$;&Cz3~s`HQ^*U!DX3oN
z`9)>-dorl;4cEu~MqUiQEcC2*67NWHsqIbvAA6S?ke7h35~_~uU%ywRH`e)OFyb@T
z|CNF#og&%SdKFz^y6H0N<|0&%@@3$=Z0q<-Lr1)Gb=~z3@tnc>=W_7&_}L=yp@O@X
zW4PJu*3mmCUjaV9!IM`LcXBk+x3+KZSm8V5&%nK-?`1}d8Mhq~H@__-owkMiIry{L
zY6&9+U6}$+!>FR>7VP}21b^}4fQijF1*&{u3dviUblB@(1%C0|1EataJsnAcivmSj
zh4QF=Ex2DvA5$V}5<@2$iGJQ%I<~*}65P&0`pj+vWrlM-o+HJ6{4~nH247xJWf&Ur
zJx91um9FfpjLqK-;8H}{a*O$No$KWL_&+zl8>0LuT;J*Jk31qLuh)o6x+e_~q|PE=
z1E*~mH&CtM=UZUwiC@Gk=0PqG?_VbAkea2{i+;)?37hKd>&4cuPT&E=jJp;^I&7}X
z@`>k4G_dO{06Zp0kTk-Y@{L2OtlA&kPXko{A$W5c_3IXT_iBgzkD*O_W!U<#2t3&S
z8&{F5Z&$AR)`+>bv^UBZgJ0*-_uo1la=0+Ifii{pxEt~TaOa_Ln&Zy<Iiv9n+;(2i
zZIEw(Gi`EFvG`h<)p0V7T}{mUh8)NA*Ovr1j><&y_a-KxIXvx~A=mXNkyC;<iC;4D
z<UhM*ezVK*C1JZTaslvOKEk`PtUr8Ot$(pC`(DHPdvWj^#tmW`w}^RC)-#kQ6hp6}
z{Aut9<n-T12U8d_ZXM)3-QLuUTn)S@)KA!^iGkVZ*ee4PV`XdP>fpn~?+IwbPd4Wr
z?o=2NB;Q4T9z2GBjZ5rYi+)CVp25#g?aRpRz~|L){De%Wb(a*b@c#O)!j9Y-T<$i3
z(EUo!k)kZBa~JNK97BE|e8*&T{o%tS`NWqhDEzy!u<^kkJibxeaM72Yeb9%PPouL3
z8=r!}c`uRF_y%ZHELDG1_~QB00o4x%Up=5>y!*I|s%7C8eny8>DDp^fd*Sx_C%snh
z+lH<jcu${;UH^~4%bSyibnnQ8+&d@}H0!86i1JC`!OyPHa6WiYcipO{C*ANm_WBfq
zlhhjcUyhF=BTPyo5L7=Xfbuoq$u^V$s&^`VPbC)BC!BS__Qz_$3%@T~ZaOHXe?0a?
zBdv%STi>>TyVFNJ<~m){c}$#(xZgXr5!G)6XCG$U<vg6mX3$kCqgySB&Cea+PxPy#
z63gh7^2MVS^ywHMqWl2(s@2KcTRiGA%Ff{zJ(xUHkPm|!o{*5`usk=Trh4{w)Gi@*
zeb0bv=x;6BjI*|E<mN6M&s@U#zXfoU+^YqPPw|3`cFi4Ue{(0J`YYgD8LYXf90pUI
zIf@5waWZ{H&JOE?pp+!ean_J0=5oWtuAd_gA?E-uS^I={S;KwrQ83$9H1|XxaxU;|
zAq|3YFYCtBJ}^n=v2!IM7Xa_g3D;sgUE`~#W69ktaun-N#laI@UeZh*T9(mP4ogks
zPQ>OH3Gl@#F$p4j7beHzg6QUBi$titG&rBdsmp1}>&a3fTG77g&NawSfQ#>_;j5o(
zv#Sb8=EC!17(gx$j(=@!s*U{_^<s7*<%)$aHa;nWHy2*MEm*=l&D)uvVrKqF3FS|N
zo3?gZ1^o)8^gsUlL<9*%B61b*@|~gaP&tyod75okB7P@*<f`CTg!68(gbNE~tJ=$D
zw|=Qcehz$O)UVFM->#T}q+|8j+r(Pry5Na6W4Xx-FAcStB}OE_sPH4#13&ZTfheti
zx9xk&(xJ2FPc@NW2A_^_Q}C!Fk}%n?3uj}V$wF=bet-X>tjo-=ceAXI@}qGZ*!h12
zobpCh{|~BIF`5`be{b%1Y<{r-FI1r-)>Jg4oW6&Xrkp8$it1Z}UnJjuFFn%U!b@`q
z?`gHdVdVd8MHAo_IU4Hks!PP>zsuP(*lAZqehu=!m+^FIwN->|Y0k>2j<jLdw=KB3
znyglzEl+8`?CIo_w^$WX-X8qK<Z~T^Y@RL(kpsAm$RKR}=m<XaHd&jRip7*i&Y|pr
zuOoK-Ie{Dh?5EuJW?#CwUE#~sKZwnL&fvbZ9@eT-0UJk5Z*)lZe$zn5zXRT4(x0xG
zTe_$7E=KuBr<EUa7jVs2hpLTB*KC4hg!v~;46yOr4V?T`dX?+*m3uakao>t-%}Y_<
z1Ki@;;{idIz8f}~$Dig@eZ$u8-r!AMdI|>gEV_R})O5`?65Ub$F1X^=u%Nv6*S>B_
zyb-c<Sir9D``|W-S)XG?R`bag%gXqSkDW((e{iwI3if(YfB)hQu6$}D&K2Yjz=`|`
zqv=BCQuo~K(#NPZ1(64W3-ULo5!90eM}84qQ$1RvgFG0VPfB&5ti3UjLYjL?Cc2{x
zc{upn465e7B|YkBzjVedi<@!C<G^EU=9Hd}`?K}Ga1mEI{9*(7WAKb*_6HJOC7iV7
z)iPy{TItB+!8!lbHS3VncbnK*MrM+|$wQt1es)L9%Ey?dm^piIB_|>XTmL8iTR;8n
zoo|j=<n79nyOfM;YABxs{_Iz+7k`JX#hTx$BctXpcK#=WPe@r4%$x{_4Sj2VJzL@w
z*8in|_iX3#g<e-QI?S)MZTIMtH>#fs9ywQg(L#!MKJ<m(K@oRC?ETdY@b!0t4XOJn
z2Uw?S<Nah_^P>C{a1vH~zs~PBY#k#OakB+KA0y8M-!X~0d^P>HX?QeMS~n##wtmY3
zC%;2}x3h`EMPW)T`CYCr_VddI|7x+p8y->8Y&JNvOjTcu^%qaUMW-xHUfO<Pbo%h;
z_nb&tCpvx(_&y<RS$yx{u&|(!cCXY~b>z9=o;^F;++NNC45kAXo5Hmc$n(Iv<yIa=
z(fXa+NaM{k{rZj=c|JG`*T#DG${Rh7)h&*y)*7sTD*&(JDh?^JdS@zrl(q53>XaVJ
z7lNnAH#jz~tJuVv>fN&nf3k?Y2;45Lw%hFn{@jh|$_X#h@E6F7!Gj8pSoBWcu^5k8
zcpNV!kG+3e0)8Pe<6YG2;bN_07WOJ~zeiBM47_oak%7R#go?r}Y12^a|31IA9NgW+
z)pdV&nNUZ)W+sHA1v`JMz&(G(dcU-?>l3w3CbVF=qm1gm0QdQ@d&KtbHG(~Qjhy+3
zT@U27;F<Et14C1Dylf<Hw>?=eWBU(v;M2Etk|TYGVt&01+Bj5^or&`G;B|#ebl?5=
zE-Q^Cs2D~%{QXV1y#zON&G(OHNfPKJQXbs%2%i6sagE^i3l9Q?KB;zoul2gX*du%y
zc^f$G8xzSC!m%Z1)epCDe*D<@)C2A<@RSM9Tgr|_Qn#l4t|N-$dcn{1e_Tzbyfj_d
z=Ax@ts$zle&<AeoRZ+$#cuukPD*ceUe+l;d$HDWIh|VT&ei|8&@2MYb|G)Wd3jCZ4
zvG6I;n1?4;zKTu{iMF8npTPSI!{W?n?{O5U>+%;5Heu`Q&)|WRwy|#E%O_=J3C}k2
zto}y%S#V8l2liVmJT9c$I#gt}t(3^;z(0DAHBK?#J5l3znmoP7We@ox_;Zfvn|t^(
z_%p|{+sESDvGe~s_z^9AK_4-%;%hl}kHiB+vHtW2xE({=Y*^!qZ2yOv<c{0qg{b}p
zI8HS$n`5Fte!x)YxL#uDDDqA4tJ=did}w*E%n4hCtS4WNM7|Bq8|i(k!$^_V?Lat5
z(eD;v<on>dlu65_5^gIWQY&Mr>mB@&A7J_GO9I?}X~z!5*V-((TenTtGvcuEpBVhU
zt%dZoTg1%@Cr^dP;zzLkeNyo2i3-n}9{<W#xySibd&v_!KMsN8LMwi++*VRkIiDm^
zK4ypYf1ULI9AEx}?dY6H)yyo7cqCqgNCA3$UEr5!jP+_&EW0d!JR3FV6Ea8s2mBAa
Uvn;88zSgmIT<C^1-Tr_6KcJcZ#{d8T

diff --git a/makerom/makerom b/makerom/makerom
deleted file mode 100644
index e2ff712478639b052e50af158a2acf3b2835dab1..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 438222
zcmb@v3t&{m^*_Fw1XwU|qoPJdiFVQ8GeNY8hPn$0+{LA)0!l>%3q+`(5q1H~Yvb-h
zF4xsqpM88SZNL4BwXOJq5F{@i0o&Sut)lj;5f$%c5dtWLhwT6JnYnj!gGBxI|4S=(
z=FFKhXU?2CbLPz4yGzP~BQxA?m;IOF`hknNw$VNTlK;9~<!AO3dH&;b6}fuj-wR#m
zy9n(eU@T#ougkN;B5glCqSWQe#4`*36=g_3QHD<>?B@UpcG*vxLq6GF=bz6?%IDuQ
zB%k)v<;oM~tjCg^ezH8LUxk3%PY;>FU(F@*Y1bortdVck%eU&;&sK{u`)T)&<oMq>
ztAFD%e8@5H<HJ=d{_T8P&AZA!4NYZw>TKD|sk6%jrv3cnOj*%>+Vy^fda`F0;ct25
zSmn1^?R6)YcB_B()5^N8o;l+u*A2aT=F}@^&bTi;|H}DA*Ijwt(5vR$f7KAtZ_+33
zs2`3OE!lF+MUFi8$A8oTme)4KuHN_Zo5vD^KiK;5!HJ9SdhDrM;+Nn*(h&V(!kv>r
z*f9Jz_=1NA6d%xS^#G*n-;aQQMpux?9q9)CAWBb#Kd>A8iQV8|(+&KzZs1kjz@O=+
z-LJaAKhO>Sl5XI=yMYhs27XyL@YUV$Grb%5W8Kj4c7uOIH}FThfgkS%zP=my1Ksd5
zxf^(}8#<qN10T^1ysaDhS9XKHtsD6CZs@$&4gR~`;B%IqO8-v)KM!Rm|847r&VK>%
zRCF@B!JpC%ep5I2x!u73yBj)x?FN3Z8~Czr;Ox_>`W5enpRL`%pX~;o(+zxJH|@^v
z27gC4_#3-{U)2q~q#ODxyMe#b4SW~qpYA%>m3Kx3QZARhK8^-H;rS=QU07G9a2dJI
zH77KCO67yDNs}sP&$usCF=@*5dtKA!&j`6D1#X^H84gWx&6$1oeN%~d-;`OEe9oRS
zeKsl}H8ou6nlkhLIn$=jnC+?vO`ADW;(=gj#;j=q>Fz1_lIWz0yJyUFk>K>ZXS-(I
z%Nnz%-92;W{ZoK;_nbM?W``sW=!Wi}=?cvb-#6v%(6sA@x~51p6wI7<pKI2%S#zd^
z*bx5js+cov+P#F4xk-~M9Nm}`ntFdY<f;(85P0{47_)Ok1#np*xF@a9{o$FeS?PwR
z+&yO+Dc)Z>?LM+PY0~^Tp}Rw<KWWmG(1VrJCjDd*Sw|bwW(#TD*QI3$>u$j#>CSZB
zGc7b_-c(n`yxB8C(_9tk_*B=7DfizucT$=G3RQq8mZ@kHZAldJfM(}78nD=5H)h>G
z7Zizu3h0QG0|yu*bT@=L>+Tu%xhlZr{gBq|X&jY%X5D|ERXWKvDi|0(V$zVSu1Ti~
zho+OAsUcTgn}%L<)lg_z27HTe`d`*JmfAJxp=83_wDa=WmA1_F1ddF(fe+Po+5Xj;
zGiLOq2h$f04Pj3__7vQi9<Fn&e1B1%<+|9)htHeQo9$j<<wNH(pON;HI}|yOK*Ys0
z)BdyP7rjRMNcNvSzX+$_WdG&nNIJa$Aiwrso&ydR(tr65IQ=&JufPG%vVnLOIpETh
zm4!YBoPDtWR0o_q*?;8@xNSRFHo*ahfYN`H9q>MBsLM6o0jDo!|5ZBR*)|Z*`3^V+
zF#Q*C!26}4E?2b!t~lT|4!EroEPloTKiz@9!U1=#H!B@*YYQN1t#ZKWQ`>*F4)|F%
z5YI*j{A>q&ivxa+1K#R@(|5Q3b~xbY+CV(p9PslTaKiyV-vMuTz@5%~hXa0r1K)Le
zr`}%ZfO{Npu9@~<jsu=&1M$ptz%O#Z^BnMt9q@by{Cf^~fdlTGk3|mnAP2tB0l&ln
zR~_(69q@7oJl_GI;D8Tyz$ZK4mpS0m9q`K?@Ja{#3I}|?15TgR{);%^^d0QKY6tvk
z8;EC(176^OKjVNGI^ZiD@F5QPN(Y>KEc<Vj15V3t|J6F+*V;fl8y)cL9Plj;`1c*~
zRtLPu0pH<(7dzl>4*2yBxZ!|vPh<b7(LEkj?=kDdAeS0%4D~Q>g4I={8$BB&M(Wz1
zpeQwHD*jal`jBFtyDOL3mcrkl+nJ{cH(N#i7UpTX%|?+Q%{)!Exk}`RGfz`(t`Pa_
znWu?1Yeaqs^EAz7MC31Ho+jC>6#0vprztiki~M=a(*&F4B7X++G`*%z<ohsBlWP`;
zd<OG0wPv2kAN>k>npiVO<PR`U(`vdzemC<psb>2L00!-3o~G1n6Z!X;rwKJ%MSeT;
zG@WLn$iKlnO{Td@<eQnNsWexJd>!*Nk!Fp^zsx*MqZtwTKQd2~XjY2+@0h14G$)Jv
zFPWzaG|NT)=giaenLd$U&OA+?Ss?NcF;7!x=862zn5T&|b3}eN^E7RyOXPpbJWZO}
z{uTTG6Xx@nZxi|3nWqUeTSfjB=4rajMv))QJWZClO5}$#Pg7;C5c%twr-?FaM1BbK
zG)-ni<S%2MCdsT6`HPvSDKaOE{CUjN1exU`e+Kh3J*H3O`!G+FV-|>f2J<vEW}e6&
zJ&rt0jF}_y2bia6F<m0Rn|YcPv;DXjf97dQ%r=pKk9nF9vsL7`Gf&fDHj4Zk%+q9;
zt3<w;d727yg~-=2PZMF*i2TdU(=?b7k^dv}Gzn&<$p4OcngVmO$p4agngFw0<bTdQ
zr@rY!-hW#_OR0(B9{;Ung@^p(1KO8rVoe*0{o}?Yo?~LXs{MT}C!DJ78>?z>!6f7!
z{DZ1xc~LJ%)k?jdK(t{c5M1H2>N(ScTFQ9q2br#TqY^ueykB4Bil+klvS*M9UF5%^
zp&f}OxdHuYCj7;3mny*n@stvaA)8zrDas3f9MB&n%|L2d8y<o#(!^I2KS~9(r&+q(
z6WjXWb-wC1qr2LCkrR!f3q`se>9)|h(T_R`4@Hi&`;;d(t4+HylG*h%JjovQv^T1|
zU5#%KXo4#xJ`saw4#Pji?<@{Rih74fsd}lm+~3lR$brO?yg<vSqDSv7bK&W!oK@x$
zLJ4ZS0@^4aaVH?5GBFv6@`HaUY&1urz2!NPqkTd}k)wS>*F=sshqEK|-Ek#uLQ=_#
zBS&{C@ehy$Frvi&iPUmmM#;*Mr{sAhz6n`Nw(hw(sy-q|jW+gBi${3oU6njjbcV9N
zXBcH2{xF$P_5NN}4|zSR_MwqCHbV?S2%UncDg5ObC4IxCk)OHygnuB&CCc5ZHa2Io
zt52Xs2p33bQph9&&o*Q;Aa_H6U!=@4%)7u=NuN*_Xx;D)R8oS9HGnpalo(a>e3EDm
zj|3}_MPKB;fsoCPRE3i$Z39as5aL!mK@CD|Kx+B$jA-M861TGKCFCS+6<xh4M@@`&
z2ee0pG|s4&Lbaq|3F-fg;S}AecuW?=Q{h2nS{O57SvmUZFW$VQXR6V!mAU-UMVJa6
ze@mIz=hULql{^De4T>cc?BE~F|H4GYnwvZEPX8VLJN<Y0CvEVL8?Swd*?0`Iu{_!!
z>W2Dp)PGtkl;NyocJ$4Zv2d2i?Sd|Ppo>90+9u@jI44pA8&h?iquLT3#~l8Gx-LdL
z;e)&+dSW<}a_;$4NV0~iM=3<#@&aG%(1YLiRUeLihDn%e3=I@%Ou|%K=)CBzj=~h?
zBWGcY+VmM_VS}874RT^tW~lBC$%-Z@s@f}Uq@S3bfuwBpffGow)&HN(jY*Vef^a69
zRHJ4ly23t))`QyPqFJj+O^C%dF#oXo1_Oh%?3*w!DQRF%(KWQOmJ7M6eP*>&*ci}0
zIrsu3$9S4r9L>W+yTTiU5zPx~L2tgQjq?@+@lO%6K2-~O)zBrVKukdmdZ8xD%T=vK
z=!&X6&Z2{VNM5ccbU`*DAZp?j1|!wPIu9PkoN^k2@M|rZ$kBr<r#5Zy-{!xSR{tv~
z)L8AHTD3<d_MqX?djAoQi@zmK)nK)T9M)}#d28_GAJY^d|CnAOQZl{Dk*;;58y)FZ
zM|y`N-Dag*O1(iQjaSEH&;eC7*|rjkLwO(vtUoOTt^iVDqwi1)6!i(gQXP2>W&ZJH
z1<;I8kLd1<iWjtPO=iZS=8S_cgpiBubcfu36rD20b~Zr9m6*3{1C3o8V1NFP4IBuj
zd%#{Ru??67jvlmiX@J7`&JB#w|G?S-J<f@%CKh_j1Nxua2}-=i5@ARJ`jgKfJw}4K
zZs!FOrC#^JKLoTmvD8GFTduQOTvXQMVxFhA0D-CHePUac>Rj^eK7i2(Xo8{=yBQ#h
zys|o@<Z|VSrjjd__|*W%wqgv0XRXAC3p7D0kczWOYgre~sVB8_5wN>&r>roArV?sv
z<VbI2DU=(l)_O7t$?^mb!eDQ?`1V#}t1y_6qj^f~Ig$9D5_?482>!7s_EF*&0Dx!g
z*Vt>6^i^U{@Y$@y@5NKBQn81SDvQHgTIj8`*8W2W{}4Lcug8T^PxS8<Z!A>;M@zMZ
z-XI+T%;~A#a)GOAGrf~(2@)Z1xte&wOC{hSOn@(y2zo175DaSjj2VYgDSA#5u<7XR
zQ!YF(H4*bt^B_?=h@yHCf$S-1<!d{FT5^o`X+YbfZPJCsF2)p6;@4q^V;St_t{A8f
z0wDgm5_=DwB8eK12<ky^k*be_8A`k=rc@9mjU=9U*t<$J(qaU#1q6TbtH4n}`(JzI
zGFM{L<nY8Ua(H3`Pxi#jb?}{q|6;zx6h_5mK8I9nYj~hZUW8^)9LtAFQxpJs^J$<^
zpJ<Fk&F|dc%jpJJrW<^gDUxD47hCOo1i^@QN(xF7^IMg8Phcc-EKOT>D{>_T;Sw>t
z>^oTxBo@ItEEC@07;TzQ&NppVIe?zl`^wP3p@3GVVl96N<VhF$No}>}0UqthsR=bD
zta?C8u++DF2-nsjzUua9TU$wEXn;tym(aPzy4uKfRe7ROZEC}^Dh{QSJ!;93>TXrz
zTQP5`8lm&8$q7xDb2F3&LFbzfqcAOii>{G^Zo}p{`DW+54S8&dcV$*Gni7oCGCX*7
z^%lwHc}$SWT#kDq7Rc^+v=|gy5zJ^d1eUNBgU1ulUptkAZk0m@+rv_>&-1UeU3t-4
zCGJA)bhkzi5#5R>kHNpsLf;%J^Ub@3=jCqUcS1Xpzk*SSC&}E~phOF?o=;ea-vcNu
z#0!9Q9azDJJ-S^C-298W7`M>q&N1o}USUoKsqf6`Ym(EyNKT(i_x*>3?0fhRW;OyK
zB|F0xO9%PK*bu-$E?KF>jvPfFu+tdH-OnCmU>oAa%zVg_=J09kS@=rxBW8Do2arPe
z!sVkgB1cgDuYg95JRk0BHp#lNwRnE_x#7CsIX5ai<Wh-0O{&6`Paq{YmHVN^$XX^5
z`yq#k?;HM6@*HbFw9mM$Kx*>YpqG3XJF7n7A=o%!KO+{Mj6jQ+Z5TGrKZ6fBQ3BCF
zQ>ik{v&aE<ZP#<xcCBOAcKk>xmGp{T+kPbFuI)3VmX~Klj;;*#jvR$F-v*#_vao?V
znwc)`%6Y^6Yhm>p(VcCPqm7~SnQD(5wPwzCF>{*Lrk$AGby(uCb*-~zw>@+2MN{eV
zzUyk)@e2?SGv7pssy`v@cI0}jaO_k`Z{>;Rl03}E-px9e5oPuE-mq~;1#V0%N|7R0
zc)Y4hpGxjG<q9+R+%!~dn4a*i085))dC5!c6{O4J0oTm<b*XSWH=E13ep%e8`om%!
zD{Ks=*O`aCJ3x%<O&gx-;BBh*4qdrM<PQEZO&{w}D<H6^vMDsNRy3i+Dy{yqoGp+Z
zTX<bAk7<f+fP<pky-5GyiAFjHPc%ams~fS74#lR3hI6@_9zl{OAM^cVJ~7{4#WV6C
z_N_7AGDyor?944mU2Bu4c`9YUSAZNhma6u!mF9L-w&JSJFnNJR1+O*03u;HvL1Xd=
zA-h-2A7YKRbtIhsU8ubbDz+|#2YrVc$sfa1Q{CdfC8OWYaJt(LRZ#WEDK*(m*)_4l
zwp8i=C1xtx#+FiYQ<@TcH6>n#h@_Yd+z9{Z3TgNm)-+F}cegWqKE@3Z0u`X;eui1j
zpz$k4HtC_|yBaAqx{gM`JvWzqY-BUm(AFY7Z&>ndVQARI-phr3eaHM0W+ioW6|vz!
z!7F=JR)vB-;};H7Y#EWHh(sJF2piWYJTl#iB_Fnkc#PU2`i2bJ7rWF9Jll}XK(}dA
z)aVP+TA45nRy=0Jcc7M%yX>?G1uZE;^I4K=4*!r=Uy0Ws_Z<k@?46P#wmrhAW0qR+
znd_12jL+~Sxw8#Uiif?8?46h_U9?Do8L^Ufp?iJ%j+hP+pOW_)Ov>m&Y+p1ZsC_y{
z+XH`B+n~f&2>vXm*)lLrQ$|HO*>#qanl{nnllsv7MJh$=ZgyX24mPsnJUk)@JGa9k
z(uODfZ(-NET8R1^C8hbGL?QwOL|BFVwBuRWD1#7~(lvro$XglI4l@dY4GK+8K1~lq
z+JR#1;aQ324MFX{y&|5V{mIJ^1Gm{CqF^lzFZEOhw?>a)|Hu-?2UPua(T{T*54U2<
z04hQc6Mlf5FNy?rXn@k;9|H!BA|=zSth8|{DqwME<ALHh+g9T1QD}aEe+1h>?55<t
ziaV^y-@32jWIf#!`>Ob-2PiCQX^q#1N#5A@Hw80lY~FOM!gub>?Wj=Ln4E$Ru_smx
z=a4go17DU!h~W$iBod<A2?4?Ooe~cu)(b(t2)QtZV{f@IjNHW=%djI8gITqa(Hm!&
z5aFGGcEUeC9p2#}8@qziPuPTWA%DwKJMw3RcR-T8RpE{2+lc}@;j<H}ohY{xlkLQG
zJ5ebUF>izk{87Z!GAYtER@(UI4OVmnjfcji!y?!Z*ijwqO22bJM22)Coiu&nY<~+k
zaxU`<oYgt#mv_=v|Bv+ZI_Xait#Ht+?4&vU|48$1Fph|<a7IPItr9DPFP<hXEsjn7
z2_eew+(1BIYJlVzy}k{PwG>7m^~g#*<Qa~>v|Xe(Gn*4gj6#@vX`2AGt0@F~L^-HD
z1K9GM*mgLs+oB(}MUK#MMXEh=gpTXZj>4^xquBB_sZAfjaa{`o565*aRzGY@x2TDk
z-uz%<s&_gll2jmCPbM<wo{bb)z}y!Fq4UjuB3F;48^-9c5kW`}>i@3ED@%0Tt_+_I
z2ONQ>KLaB&KLe@XBbB@$a`Y-i>;+Mb)FZMOsTfkr%QNBag^CiR4@Zu;=N8b#znm_<
zCo(@P9-f-K5bk~WEMy|#+m@I2pj&?$-1_k7WL9i@7~ULCyr50&Pav@v8~>3-1=z=o
z(H8pxiPdccw~X|Z17yVkMv7CRoPahGr$Xin2xQR5{;q`PcSq<aAY=*8J@2e~ikV{i
z@%QB99)aQ@gk2EOpAtis0lz=?G0+k!d#)^f2WdLC|KPJZe4beJV@=4#-&a;|fn1R^
zr$JNFJHK7_&hJ+!;?D11=3_`PqNIs>p^YV%h8scY(r_ImRUn-wn3A~@WnQ>Bh;nas
zT^f+O7|>U9+ylDMMvGn5p@4~z)J3752|v#MmQrDsXT%!k=ZPpp5)rk9Sj@EDL2a**
zkC!%}Cy$wa#9I8-jebNW{E-eE4$4eBGE~&IjuHkY;PRg;e$tHd0eD<3_-}JYKocSi
zXkzXJG|8_f_!S)d=K&C*>f$^sdgNjyHiFW=Ly0c}@5_ga{l{$xT5y<d<`esm%kYf+
zECc(GVMuiqva<9Z*f)EU`rIXxl-Tt-FeJ-1;m$%yffDbBr>Ij_*a*V{XG)9(>PXeq
zAEBJZi3mnQm<K8THh|THzjGvp+aqB$SGwF&#sKj@(4IJ7*$mk=;lJIGpP*{bcuh8?
z3G%`c$zvU*`fX8n%NPcig=Ca?2F@UCHCL8hZO8Gb>i6XdRga$spg9&Xj_8p~5oU%|
z$_hWX^avixxsB1bW6J6w(Z)-QH!HD4*d1F0T_HtHlzLT~yj=4M^w8Q%A2!Yqw8L%Y
zF%JZnr^FfLE<?yP-hv^bw^c)dSX+Z?r034E<qqShRBJ3wdtI|3=vOTdtP(O@Ev6)P
zeu0!QvUpJLmPNMNQ(_#5&IycA_Ja)0%oMAFTq9Hjli57C9D*gdn1ikrj$!;>B43XV
z_^RKwj>zQ(QXnR}Wy*XN1VtTjlrFcB-%<x#$ekTD{PDr$?%R8wmZ7!rA^r5^pPiPG
zwS|<eOXvUp1*RFrUazb0oogbk%Yy~gP1XW;9#dk0I|p{7a4RjxDc83*{Od7d2q+1I
zVP1nq(kj((fmGKk05ty_0TG@%oQZYBR`0o|2?ZMt3f3-@T3#)xg+DPLuwp0?G{6W4
zM;((m9oe8*7}>zJ1>5SXbCpi*!Et>ukNWQ89yM1UML=5)4-p3QZ8HZAh)wC4l89v<
z%1yq3XYDXgF1m_E&EX5=j&Yq}kqo5kP9OrJdMhMxY`=NMxN`$o-C2dZzaZ=Ki2e~V
zL&WGi>7_N~8*t1h+GH0hZ8=QuDu;^Xg_Of&iU7Nzo!pk~FBDSPVfN`^NdaOa39BcS
z;*x}zrI0hmOxPy`6_>Ul%Xw@F@LyIkYrX_3mdJ*EBb}6>)2WGqige7(nIzI2R;6(7
zLhc($*({|^ij!6zX<;04@dQ1LLqDWC#{sv#ZR&Cy(DSd!xKkS4kHfd&1X?<UcuG#^
zGFXEJ?^DF_(fj_Q_px`7!}JJy%_%~o!Ux!k@E#E#R${e8ejZ1CcqZSWn0%2U%&-5!
zXfQXKJ{K;%ba6?9G8fn*43{J?IgvU6kn|^v_i=~`XW||63z&aV6olfSi$Q7+kj7{q
z!S67xDG(Mn_T)j@zHunjgWl<#vvZucl2daW=U&jOIt$7V{?R;)9lUVXf*`E2iE=jK
zv-zN3(<)d|Vnaj|=-(+h0VY?oa^tradZxwEDI4x&mGM?u62Yi>4<iZ`1S1jE5Fx`E
z(gZ*3jZmbvfUdWi`L)<qKOqadHBM$f5XLgu1`^g<7sN#qK-vKrV{JGRm2TlxS&r6!
z=3FKI<Xr)pI0+MbZp)v*6%73;P77SIkueb5m3qS4MhHeHPt_Mfu-Ja>5IC=TC2q{S
zMPOiOMD&%&U@N-<4;d<X-P?#Xw{5L_3M~`S5rS3$Bx53($kifelwQfW!$PPDcG)T*
zV!K^#Cwxp80|nCS-Uu?pn~tYQRN9HjOc;j|LxTimykx12mylg^5B}kl-|;06R5CE-
z-$ZKp@Jt;2#OFbwt%WB;SvD6raeTxT=j?OjLUlKF9$e-bPoN1Qno~yw^3agWxZgth
z#!ihENZ;P6i-Ct*OBchdL*LS&6BX+1xc-85R)$W@BOV|o9+A-#0mNo37nUNBs29<b
z2Ov$%<d>~L0LCBF#AA%cjvK?}F>66UF5c!M9KoMtDXs<+VnKp$Hy^j&;55q!WsnIq
zy<WkiGc(buJwG^cpT1nQyk6Y!wfD^7i@%x3FCkHTR~;Vsjkw7%w&x{%&TrsN_R3n(
z?498$>^%BpZ4J7&^WTQkxumtDFV<`~3t<2lbT5TjG8e*e@7x5gB$_VPebi;8uA4x6
zzp?yuj6pA9A(B^Dx7vr!NXSEHL?CdW)7_ynZnIb;iJd<#L-Kg=2iWLks?ojp566Vo
zF0XT$vV1ygh1XUKMkN)K2A@ZTKE@Gla2yqK0F##?mLO~6CJ8acHP5?|>T+OM4gmL>
zmJ<O^PQisdLzJzHdujjS!J+8ArRnd$YR~gAFt8I!JFhR!2V)bFGFM^hmta5o2{I+v
zRIL!E0E=hWZR4fp#{C%2awS#_gn8GO1eMqqtnx!8KI_y~n!D=YW>?&dkj8i=hBZ`d
zey=%o%{$E7h<G0k-XPm~<4S&_#GYj8qLRCn_z5&CNO$G1mw7QOO;ci@0kxz;iT~@=
zh}q_mb|8k8SSGu2ddX}h_A6Eig@Wd9*{8XoaLIfn_Ab(94T(5{4zFA)*8g}FXqa1Y
z(s~M3Jm%9VJw-upbMdJQ`k2#BU2vKiJas`|^O{o^oNu0Y>ViDeed>aXO=I6F+5OrG
zt}yFQjk)vWv5uS!SZPN8)2h##DysTvw_WBii^|E7x$!f<7MXjdyMWs1I6?M{TQuh0
zy-YIlXnu@jDKCA>%dOuNX?X$kB0n#<r2LL6pk@Xb5f@y|4pbC(Tm>~>^?qwFnJ1EB
zGdYmAc(%%0JYqX(rcg;lOwBKuVvx~HA{8iZo!57aG>(N^3%4h~AJjHut>)FyTw|KT
z1v`j!EI0g~8R$r*nm)<`*&fR3_IZ_wkz3VNv%4u++#Cw|muH>st8PhDHbg)BFuKo=
zTe>~wZo`cvBzn)?!twbIGOX=RhJQbdLoMU(k{<JVBt|};T$UKwntUix<;qW`hNTdA
znd_;7lyh8jPZ|C^#b~v4*U}WUB(y1dWJ!9pnwM4WNsdPoXi9ryo~LPd&**Mnaxfdk
zq`t9fcXo7l9<P0KA7HO>+8e~%d1JIWa&i$*(Ip&*ICnSgJ|nt2=VTmK&z5M(|8`v3
znJCgCf)cv*<STFpspA4ruo!_Z5h_q(=X}n^PzD<1zDPt4tfkOeKZP&6A^8gt?oHOo
z8$Yk8RU12?DUOpLWncsV7jO6a#|5-6>dUioT;sK`L||_$?)m1x$W2xCtU>ueqnFD2
z;f0OH^?!p{c>;lR&Rw*_*cxAQliOwZarI5xr)uxv2D0(R&2A{1wrT!dJX)*xiIppl
ztlN=^`KZK?fogQ!DrDTDdsThiN~DZ_x49WA7S|<t?;J2yALe^wkgLv^Rw`p}M(@9;
zQWeTThU(e+hej=4#@7r6Jjmiy^_pzKvl8c(81$Syv3tG&7cW*~(x`fou>uUo8ZCel
zV^oFUwEzdS%@(}=s)3~f{Lo*~Z{F129MCozS<kWU&x{f*^}*uyfVN4A{Xr1u``A{n
zI|#gq(P?M|<3<^T76khGt+4(o!(ZUrw-$kP$VjP%_+0vkyl6+J5_=ytqa9gFEDOM>
z;f{9TC55v@#B4!s{o`IxJN$+i0`Q^4mWoE#H40I^Qp<<dRJh$3i(atBo7m#pytZJ;
z_`UINSAC8UT?>0M`bTb#A#R|vvXLZhi7LCUMM>L;N;uQ#tZ0Mde1~XepYh2SG*c|N
z^kB#mTOflPd&r<Q;~+irX0m~ffA+4`ac!7jtnXb!zaTBLn<=t0SmOe##;15ET!>0L
zP1d-gYmHf~(FPXHBs@k{@0-o?i_#QxDp20Y^1rgYv%AM3o}l(o;dZetrW8bP;}8<1
z*O%S;iEMIh3rO<CIytUIY;qPzMz^HQC8E`va3f^c&xuxq_5@mC<9fs!QpPwUF37`C
z{;&stP&*X0*B0QPy2&=Gs+4Vkq%I?ugFw${ZAqmNrq;G$4((K<pR|{c3$!$@XdZz*
zUQ>a1wD?B(T*f`%@(WCfQkScCAU;SjUcE9G4>j6>H$Fa{mvQF??kU9!nqS=6z@k)}
zHUDdwv+<ic@WR8Vs)ie7yKm$T(QO@JRIZbiw}-yC6WTB9@3iVihCRO-x*k3qZ-ISk
zEJj!F+}z_SfZPW+@O@7;I&6M35JDHGS?E8$ArD`n0)DFXPICdOC<9&Q9Qhop>b>~Z
zie6hoj`hmQS{F2&7x$I;Kula-)>q=!%2bvTzX>TSe3O~EGV7rFhfr_*Z0(#nuFNYl
zLfOii?6WJh>~qv;bH++{sF$)j>+I^Rb5uPOO;pP!raPMGpKju^bQ8Y+u!*sGY$j31
z4ygJnw&rLlBi#}X64)(t=DPo|rJK;w*xcGmHk4TFqS;Hl%!icQVVQ#55Gl5r!e!q7
zNN#hW<7h7NR3!+g`fBk=REdZ7k_3)M$V7!17>!tniluaPE}p12IuB2<IvTIBsQGvn
z;8}oY5uQbO`tbDOiSrg!#j_mGay%#CIRVefcuvN1I-b+<ti-cY)o+=vYUT4O0=&ot
z`petNn^r9z`p-K=u0}jiF1AU^>Q((96>WcX*YW5_nQ!exYG-EeZOZBz1@P)>QM#?s
z?B#x=^=P#Ks`>&Dzs4|bqcI9+6*f-X(69yb&{(~JMrT2u9O{-v=yFPm{<u_Lh(1FO
z0!FzNFurJ#d8ip0`$G5{yl@geJBpW0{=B(Yic~AEve&m-lH$&<LK}60D9e-Yb6&Od
zvI??LIkX}9jx`^Z)jfgj#+jtMdK7ucsD)pHdjfC53}K!rYtAM$o>@i>5WVe$(7f1M
zQS5W+EY3o4R@BJSZaXesGG)E)=)U{SbT@WK_XVpS=qBoTd_b1TZ}mf*FBaE~@Cv)u
z9pAEBr{McFoBl&`I;?d={+Jbfh-Rt?ue~2_DKQhs(tdW=&Ne~r6zwpq4Ef0Mi0+2y
zTC&Uwv0_Mi)x9d}Qs`TY+x!wXy=JXFo_yU%yZMA^0$R~I-mrh8Fnf+gYUhJJu*SV6
zOjU#rz5#m{62{wb7>4oO1p4m5eQ1%Y<(6FFP}Pi=yW;2)r_sjQhrIDfSDYmhXN!&V
zZ{qxvIDaBYv_-!S#!R%OXIi#RSW=@MnD_=jwo`vu$u@wZ55n-$wi`_XJ-m%5os&mj
zMHY?!mW8ikQs;e>6`czfIh+btY|FG=htz+vB-m`AeOyIYCB#tG;zHIu3+xCz#841!
zjDycvm$PvM8p4wPY{MXXxi@~=oJ!RqKA4(_1rVYVLuYu2@7qB9<eL&s5gOTqM<jf;
zgp2-v5deIPgg-0beT&gZT`?pl{SOxkjnA9XjWw(UH^v<gLaAlz4Rr+E<N$0Z;CcsO
z4*`Qa0biT_uR)Q&J|)a22<|d-9kbS)$x_Qd=k>CV!tG=68Y&F@jgAckZhRCr)~?t!
z!lmEr(dT6+&!An4HoMgx{Fr6*Xur_x8$98?#g$oMQ=PKCtZ=KUwc;j5pXiMl!Ne1-
ztQx-E_G5gTM!2x+J=e-hIxzgvqrH^ag&+u8yGiR)&<f6Y!-KLwRTHZv&+43iWrb`A
zErk9YJ#l_Wt;_oN2$zT?%K2P8BvcY@bgNa(F=$z|!xR1--sZFGF*G-)hh_rBdJ9&8
zTEsF_W)+$$Y?SrYDO=PTTUl4FYKpu!!ZjwoJ+wZcm*cecfvnmH3lcx`L8amEJdcV}
zxvOOgi^o?;{oj>4psTro#B7g$9o1RYs|xtATm}6X68IQbNVcqMcz0i~!ZjJJqS)>u
z?X%KY&8t)^jn%e_ORN$fB`abU4w5M_+5@Rl?OiN${zDrq&#a%OtfglLNJgk%sj_Bh
zzlu_AsKRR?{^-Z<kVjcPw4bkfC=R9RFbwsMiDT3Se*&VtBpBDl8|*I$29buF@seN=
zX}B6MkwJ+r_)|5}GbJ`qz!C8O5lrmcmILT;$<79EQr=&tyYV(sT9d=OwEF<>l06u}
z9t;pYu>8w@)mdO4t-Qoz1++qI=V)cBqzz$>NVnqs4_ld^$7awi2mM-PWiOtVDGbJZ
zq`s*a+3ZF3*LwkPO?z9=rm~<rR1YP7TDpnd5{4%JiqwCinC0lg%d!igN_SZjM>Drb
z;*eBfx|uWnqh@fNs^8(wM{Hn#6&v7nbG+qTG|_(-?KCF6c^Z~-#(jt;!ya&$EwrH4
z0!;Hx#Nkh25AUWEu-c!6sq4o)?omD5SIfoJ`~eE|ezr^Hk0!IUn~$5qt64*^aKr$X
zzQ6`x`<2zRJrFkilnVd4l-pPR5+#D!+uMAG<WBa`_To*juL0jZwc)M>7%e<RdDHI_
zgkSEB2Mjp=txb{ZYG8ehBER->ims>Nzu-k%a*V3N@2pBYaOOKG?d(5YN_2k?t8{i>
z_@VHGZUGp)RSDkUFhR2gW1~{S88q`xMXQC9|2nPzk&>(uGti<1_TUmrS_>)2^tf1j
zopowjUqHU#%kQBV7f3wNJ58k(CB|iN(L2|Vv5_S?Fq+50*U^!)ytpu4jOwK(=Fc~-
zT*kYQp}}HBfuB?}(d>iOy0iX7^9=-NJM##aOf)}3{M}mDuvUsS6HDFK*UO8!UScWb
zGPeuMoV8x6iI`X{spo}_8!GUZ-d_|pVyz30AX#e#JyZBO&h;~N65VEXMkAL`wFj$!
zYAM$@x!>1s&W;{AKXl30*3CYl{wJ-QU<K3i84wf8VGpi`8{#RgWBwW1(dbSkn#xhe
zG;fgWX0%N~Lq3;ZI~d)y#9xOPB0i1raj&MmnT3sIgWo&+LGluokD1a~s%^toVkCC@
zz5H*rmG$0ITAhV?hDAHtkrTSgueD=Y!ktegeh4pPZ$=H^X7>Wz|JD&dB5n`Xu{8NA
z=^Yf}>Xet(j;|m@+m@i|dh*a@WDfoS#-kLM6eNGmBo6L7a`4fb)-hAIgZhAT%Cu%e
z{cnBjM~Sw-3}s-+kN+e}|8x9r9WCqq-pK0yeFD)YcOZHsC;SprMEp6%3#V5Y$5Lf=
zu$O{=dMahOpjztQTIz1{Yj0EsGhoFHx4&sO^tGeCOlu9lg-+Q17=%^0UDhwP>uXJ=
z?ri}32XFNkZ&}pWU)97J>=zs5Qkx>Fg}0n658JPS1bYt2?p2+gmUMUzaBC12`cj0V
ztuF&%XTP(H6Ig_h*K;r}>=pC~J?h~alATo@%;L9f#F&M5^CHVYo~B)0&{%kga>hP=
zAn-9Svt2%A^&$5*_kQ#~yB9le^<8^Ayu&(zd#`>l2Fs|23895AN?Z6aDr{6I-nqf}
z$*Y)mHCns)qS=%~%8MQ9l#~&C4K?^-GoX1kG~}U8W6LXu<^3aNOkSNzoh%RfyN5*J
z6mfO!@BVRq?Vsbv8fB6Ug65$`g@+iIhLLD7o+TIo(Vln~V!CcBJjCoWWc|gTD-TDh
z<;8oJEKV%S6kdOD%BRMU;Zv&GySSAmK%j$wtT7f$1&TL@{UmTJIqXQGwTmYDwX1@f
zVSO29Lqj2Z(9`Mx+i#dk$QLiCQmB|9U@QS21Heu$AY?cp+bqZoK+^i;zYWu-%PS<&
zJ=3F&h~bU%mM3oQhwqaN#g)ARMQuiOF|n}cX@Y5kJBR?nuv0dSN!-yB{lR-3L9KmE
z@drWey*cM8tKkXqom?ouZns+8>Z`6yRgZSh-o@d|3%c6_#qvD_CHi0w1kdqKW)NRh
zz|EY)Wrd&ME=(>&hgE%h;pc?s2emuA6VS+jpw{7U-J`@5_<G9fI}yy@P@1^nd=;-$
z;@(wGZ3aT)!NCWF&Z<>MnN^jWTLXiSRMci-H<6*er7S%km8D(Mn#BGlFnCK)Yr?z=
z7Qf-wT0_3#*10!gj+UHWT2yjQcqqb;=*iJD!XHLYoIY<TZ->OUEAa!gqS2N!{91E8
zY<$Xm3G+_OgHr8{;<x9VhAN@$C@s}CLl(sw<~&-8t`?N>`w!DlIeH>PS(-osdW+r_
zm12jKxe%`x7BBSXC`*6LC7C@N=gnDX^-R8Jk?z@Bfx$;B)@86~e(jyPcUtR=U&A$s
zBZb??3~mD5>@nIF+23F>*x9DU`k>9?H<TzHOH9J7oT99Al=x4POLz63(PO8B*=%Lm
zJpixcC+!lqrUWl*$%|i{f~te@8t+j^yi?fQ$P(BDOLJ#(;8Z_^Zk<<s3tuzPRPi=t
zX^$>^9i|-YA^4|1nz9(<O@tsEL)G6v_Qd^OHM-9oJ(i)2eAl1283sC)DW<D3Vw?M5
zF~)uX`$!q%HV8(hX;+p%G5jlk;+C)c(Z9P(t7l<N@c668x_fU9Bt~TTtFK`|{c?UZ
z11;rYivk_ouMR#EOk|x0NN&Kr#r;8`xP4JS<c4D2<huWgP7hFT;21viL%Kzg<L)5t
zS>>x*lKf5xovy4db3u{ajVzn@Wp$=HrJ3JeGu&bh9hfsfS=|RCa}E0)h$h{^;`e;j
zvr~Q?HqHJd=<dM#hJoT1PPIPD>H;Yp15>S;Sk)?~8h2CiLm_XeKGmCBnmN@wfYU5d
zjt-Z4Gox+Cqm7>8W+i$frFa9jVVJ<6%I}NiC{d08C$O?wMF11(U))|jIu+g%91K-$
z4kWUAA>bN1lPH^g2$5;c!NFMeGsB;^aO$#dmU_9ki+qQ-T*J+qjngrC?Snjg<BG~v
z{MMXoOcH#S1!5}I{)&~;U;GaxT7s;Zz&}Lt7r$d+DKI-_+CK!=UzO-zfFQ=-bfX}c
znBd-whP6$2JHY>XgcI@;xOkXk9M-wRwRVg-23&Qwn7vSev`e+^$=_HB^FCDJYy~!y
zT3LMtGywCy#qF;?Q^fxOO&Yu+S44fQ=Rf96^i{F8S(fo<IEjWO8o<?{F}^i)CI+#8
z&+2hKgf#KBmI3oVzZ_~qMbg>_A58Sm1V;8bS~DbBTHID0Jj;a@6Q6xs@h4Ei7(!tN
zX#2Gts=En{4pkH5`nm?U58i>ecj%{U>BVq-Ad}6*xw5>i4&EExl^Ncxy$O}e9SlRT
zPaB@a57hWnd<oF~5AAyBNTzw06oE9nh40%&msVDlF>vw8MGTrb7^uQu63r!_ORpc}
z84z`8|6+&;pO?a?19_{|W4sD47`$UAG|rpNZ&LZ(n#m<or+5G>K6CDw8nlOBJ#)m%
z2|xt>PB@DZbj+nr!JCw&-%qJf^#QQY%Ib5lws1%|RRFENIaOWmp8Xl!SNI=13qMY$
zWo+bU=VK7xQd=IH4E=V&V1<U;8GMej-i3b}SYqV=nPQ7hM<$>#aw3vy57trf2{)>&
z%}+gnvf6$OkF#1!85x$?Y5CxehC4L8kRNi%2xS};2YC^&jr&-@t*B9!{SHsHib4K7
z9I+K;gx-@mA9B;PLVtssjec7&CAJQTbBk4Rrbq69Rdc#p{7&fi5{6kznCp9lJxa6)
zvRgdJhF?9nLDI<qs2suRnHapzwpRdhdm7>aPQEJ~vCaX%)}Ru*ins#qY*dMl23)wT
z7!T35V|<aHp5@4kH&<2dD@%Jkk;Q68_@}DgQ`I9PJk&CB0>}v;Zcf8L3-Qh!8^bx~
z!T(X>e?d~bA4$Kf#klzej>w1!`b`D&#`dX)_X{6b+iXm|-i<vDoj_@T?C})k^=!fL
z1BD1wKYoV~C_bz%_Z0>8igLJM>NX=-+@?JA7#a;!9e26fmnh3(6!78!uJ8=&{k(lf
zZ_E|CoF#$5n@}w{xQ#rS_n?i68Uz~)pYIX}j?g#z6rA%UB4yG$<aq0SdlT<I(3kPz
zcH*rEo<64l;dY<#BLr0h<-VwbAojZ}2jR^7qq;^Qs!e7eQ4QYtFGw3arOdDJ?@9X+
z>)UX+Kr();@SOFlRQ<nvkg*znKXiKiToQw0Idmmot`6hS?$0U;3*T4cpNAI06~?<*
zK-gzo^GCX@nYfWKZ$aohurnI$Xiasi^3o^ih5}CfO`r5E?fo&nsFYQ>UHicJYtcyq
zBmI>62d#$JJtrCtSPiesV|#c@Ag1le#@e~id%jC4+mU?HwilXNSB)mYz}DwFgZfW`
zJ0aiXlW@K3CIch+Z;mfbh0p;g;4w8JKC~$1FxO`+0dHzz9j_dtr@~eYAV^=7k8_&P
zwQALdJV1?k3WEJChFVfsqbwxj5xYQHgGKX0<1gRuR57Sm+Fs$*=&s3X=CeFvCf;VK
z6`t4@{2Hl=+U`K&b+3yrHfx)qo95dX4Jjwo966b+XD(&s$YL11L_-eV0hD({^oR(d
zXrtQ0R~V1tT^{r&&n`6<OF#huc$?HU(VPhg<zj4Lk>2Bu*D_fpjRAwl>L?k_5-pmK
z+(h$9Q4ReO`$ZR=OCe8uT-x{<iXw~7cZCOVa)B1(RD!vQcbZ>anLd~4vF%k5)X&<^
zhZZFkzI`ZzNu0G(UZ8)}A}v=MUgGH`u49&XRp=8x(F8@kP1R-oe7Fe6<72Nf&-*95
zi4w*qTqNW{&Q~k_XOUirbqnK*AoB;t<(yntlr)3uR1K5-E>vnF_GEH@{1x7;p!tFg
zVt@ZQ)a|;GpHqx>^q4mx<=s?pQ7JbY7)bnakwDK{GI1eBSR2tXoCgCA4LTK^m@S#U
zuj30i{&CU)BS)zY(LFg_h_ktW_F!eFm%#7Jag<#KzXk<Y!UHRHAs1tuVVsR+HV3Dl
z8*^0m4jz3;ehJ`-ww*`3DU~s=x0ceg)=x&qPToHY5zLb^^9XrCBs6^>gk`(2^rUzU
zzFPq6uWE-WL2_+e4`f&osDB{3u~f)EsCm5s9Moz1{IxUDD6Y={DJ7;{y$>CNm7DT=
z(MFC~tUKd9f}hVgs)_kNj?hMr>A8kVC;R6g2Z6!#eXGdM1Py(r7pnsdUmv>E*=6xh
z!U)!EwAvK&nX|VVycKSbc4W*wcX%Q;=wUF3yEt9(v_`#uoC55`pg|JT#`r$@#n_xd
zYL_81QSHIm4S9;&1&;V%`u<<K55^H_JeEJy{~_uJ6LYfGv$F9K-~ce#unRQFpI^o+
z4r3)jSSqL;@M}#iSzcgsCBds0{BWL`&+8J(lg;dc)+!fA5p^$xzoj(}*Rw=V5-ZtE
z@=u+@M}IiF*22<2TgiD<R1saD=f=gsxr5iyYSP|lJE9wKxvHeaxczsG2;*BCygLXy
z><4$uYcn4IEx6a$=el8=mdSJh(+gx;W%_=Zp3L+VnV!$|ZA@$X>LSP#9x|Rm3seMv
zV1lkkVJFMbhs4NyS~2Lvs5~{XbO$+H{nYR*4=!K)&__+tM&WF0X`{HSw~Q?yCvWa8
zt3*y&y>tYy)fRz*>P)hnf7Q#*N0)H;+Omw6*+<Z*d{lXlsi)5cOx15KQllkr0QWrN
z#zx`a%_An@zaQg0ttkjd#z&%oXuG?5L;+-_B2%G_@F6)`CWj*#l*v+K0*tI$#~H&r
zvcmM@Zk&2it90J@gLrE1R@mH?U;*E{L_ICKN~Fgjy*bL4h4FZekH~r-U_gK;=L%IC
zH{`>-FMy+ndpslZHb++g>{b&CCgTL2Y2!S&HL4z;fLekF1cT<y(4qs}1JF^{pxr}_
zb&bGoiSpJY|4^Om81KW_PQ0_QQMlk3%ge3yLU5&qeejz>uC;K;p{+aX*L@ETQgE=_
zWzI%NEq}l`?Fw8j6|E&}ppX2J!AqQ8df(?!xlTo8>0iyqWHj!CYHW^D>MnCR&}v|x
z3O~2ZLtdmImnGr8k%j?GDDhA6uc|L7GD?piyQag~gHsf=u{ui3a2C!A?re!>6B&Q8
z#&Dm=f&$dzTMf#Zu^6$NFjR9&n|AhrHsVfqbeB?5^-+6f@BO{ssL&q&9q{nT00HB%
zXNB74N&nP}t4G#ZoN!+Nc|tK)l>=LiA5vo6h;sqRt=k6KaNC*-h|75AcH$zZ3Dzub
z%{w7BaA8#cn2nC`Y0c&xLXw#04Nwy7j{e5DASTXGukp|dN>SuC@uYWcgso}&bZj-<
zo5#dI!DT)r_MwpV=;?kDn;E0E6>hI5DYjF9x0%d(AYfdW&qKRiIr=LKrJvI&M6*r;
zW9*8{e;dEKoRVfxxUl*5DD}2RDa>7FzHPP;cc8t&&d}=87x?_W@!D_bS7%v$KtOhL
z(7g+8rs%^2%2U6|>O(*?(tT(#W>!-+SkaByAi-}pXU-{F>jP)lkod)31r<Psb$}+L
zy`*LoqAG5!HY~Wg4Ds8m<VQ9*WNF~Qg3b(f<sM@(07&%b+ATJrYGRd?CIA6#%>-B<
z<HyfpVB(Do(rC+Q3zZl*Y5b%f@6BS^ja|3_$Fa*L5GS^o;J+ELG5XW2P>Q%g|3FnU
zNe8tP>{3vB2NDTl+4Eqo8RJD8pNGzuazV$S90r0%lmK>O<8e;Lwc~$(MWGxv{)Hz;
z!QNYmZ=7=+r0lK(xszmvWeQR=-^XBMu735aL9UlCloNFeC+e%H!Hc^Wq1<^MmR1B^
z8fI8)##(vnO8c@frMhwTd9N`SS7vAl-sZ@H%|poJSuJKQKFpSn#fN{!1wXS4COg&k
zJ>0yW4=~+cH;)PN)$SZC8u0P2h1A8J?)L>*yr$b?1eai<uf7Sf!#R0{+c(1y(b#GG
zqWck8+iHw~a}ez~j(4g+mLJ_+$g1*lP@=cSy31f+<s`>uuPA&Se#QauM+^erl!Sk9
zI}BtTpPJvK#2y6^-g>_0myD&sVU?eghr)|q)`(t*>S3_*D1{Zs({$4e2ldLL&~pv{
zq77Y%>V(0-F8ZZqVC#3&g6QQ%#%@T#DxH)r{X&-djK87OvKkR^19lv&-i)OHjGElh
zTlP7!PMB0F7%Xr!j>qMg_XhPkObg3C=Ufcd)>F!Q-@U&;5yLG~BYZ6S9g55*RF!_1
z-ghgJE=nUARGURWl6zqqCdj20tfb8C)FP|iu*Xmj8`o+O73ASu-kPqqQt~#7wD}_`
z4wbx!NP--{JYn_E{{H%x($Q_`z>6#Nhw_c#oD!U-@&jnGTcM(LES9m1gTKJJ4J`&f
zn`@j6Tv%_hHi{W+E=Sv(Kf|@yYjP<SWEk>hpgFf<xb|>3&z<WUtq(;|H)WhTmxGZq
zZkmUws=qEj3WqpU{9<UF@CgjpMQ+UE7>c0VIzCXA<BGD;0A7gZj8NUpD!*ig(yC)8
z;7Ta5ufRqCK4oGOR`9I<MGl%)imyxQ@s%(taOif><NJs4g_rB11r9yP0wZS-F6mDR
zd9y|*hJMMa_-fR(76)WflE{2b_>H85!zhn9n=@X6boe%uXDtOD&|Ej^v9Bh>#ZZg4
zC`;+@8)u+JTRP_diV-O#M>r&^tHs!=dNwXb4g3Amol%1Oq4+{OzP4bbxe?V*2yM^y
zBpcv_K-k8ir^J3Li)+K73XZ4;C%kLgON$RJ`dMNz!n%hS4fgBR94UWsbsip}i?xnq
z-x_sFYw^QR5-!fyON-mXdjgD{PdS`yQm4G5ta*4mhY{3bVJ7O@1n<L=Pj&LW2GStQ
zweaxaETw-$0<TvO0R$6fJ+M#K*9TBb>MH|CUG$Y-lapH__!Dcyi0ci)mHyi^mexj@
z#pk9lY|0w^AOYObqi*F9x{7L|hLbwbvU$ge!`OJeP=L}P;tuZfFuEJ%o2kN)2n_xp
zd5xHNk#+QZU7?;8{wf70!fRk!J-8vT331*{`2CrdjM8Fb@sET0?}fjOXj~>RpfZ`$
zFp}_0JFw>&t!Ed|{w)(GikIr)p3q!=X1to9eGNSWG3AO*JH#aX0bST~m~?vZB2wu5
zISz>MXHR}zgjYctf?Dz)mi%nFLA72Kobns&pHV1P4Wyhx5Jy@1wvf{L>oC2gmA@9s
zTEW+c;=+$htmid3SyYE2t|ZNSK?ExRoPRF;SR@!96*$qhp4&RAqx}I^){GdgtR8=1
zQ(G2%%8EhoBwH)A=<m=V9>S08O@fK_C8#aEE!oZi2u%~eTT#oAaIAu;D0gE*HeDA#
z$kQ{iu(2~<ulN1Y6J6|X9+#9JPYVt8SQ^@SpFw`PQ0khhT1vJI-}K<}Ebm3Hqa3kq
z+Xg7@B^J6B;82FzvODDJw^51v0gQf{^1m+F*RJr25A`HZ7y1Q7ihku$Vt-=SbU_j;
zU_D53qx?}PC`k~+eeePDfbTu8<9^M>Rnw|9X38Fabfeqw6VnEc*0S~(_X9FIk)2ev
zDrrM8FX$#bmbRV(V9XmROw$XT_Au0cx|b8%;xK*}CS&J*v;si}T<!Zk2Ou;ep#8h>
zb8DS?g<=WdD@<$(p%QrIht<rXdjgrSdx>ql^aN(LoSOLI2TUV(ar2TEoNh>_Iu%`&
zb3yvW`mo1-F4n(dys0KMgX`auV))cjt<A#4gqQ(5$4g)5^UbykfGEZ|`5Z7t5d*O>
zNvA=jCL9A-5+lxer*+^w4i{^1Ex4j;7qqp#cPm0f>H9KH{qR&o5kr7yhF=HaFeYAP
z*Mo@{bKQAZCO=8u$oRS#B{g$BO@i2TsCpPH-)^I-zf0~^Z%A90jh1!Ul!t@2#n;do
z3au~2Uh-CSMmX5$y!kjjIP;t}zZ>STn@b-9Xsxgt)PMW90P9Pq|B2uMoKL;>8L(<R
z`8lp<V4Fmzs&)k-Q9$5~O2|q=9sne<5XXcXBF;XSaS_@T4g$PVANsrnNEW`J=_gIR
zs!f{kqI@V^B?@YPj*5<^a)HQ~eqcO_Mn2XOF{nSkf(>`<0ihQ0ZM~rTGvmR|>VmI#
zQOxSvCW}D2`b(mGEz055Ia~anG{r+f_dXK!f@r7nkGDAcURLvUd-?&eq&@wYZBNtj
zqn2eIE}tte5Bn|tV`Pv`+Jg;np<F^j^D$EqsAn;!@TwX+Mkpa48h2sIP!kKX>}dXl
zGT+nA_d{NPjnW5}N5mJ6%LFW6!m=goYytC0SdN5c2-pM(>n~w@G10L)i3yijkSl?M
zfheMuvLDOOf!%F^!m?Qb*Ww-|jR))kwrv&Uv0#E-KnARWA{N|;0tjO|(rPB0kQ`Y`
zS$I)oh22~l-p}>9LZxZ~oaN%yeM7{B<w4jL+{M&7c-oH_jBtk}`cbb6KkmrA)#0yd
zOAU0nhI>jg^Q`b(aqE&+`%H}^I^mJ8k7zb#iX2hA;e`2t`<2*mXvdUzGunh&<*52A
z99Tpw^>rLZ<Hs<#`r{OVRV>Css<=@i3MmGwkitRD0@fTT3MmS!kOD%X%EAm3O7P=C
zK>90{vUEO6KRJ($QZ80iF_8MY$t-L^p|A~o<n&*b5X#JbRsDkwOVRKs_7eGB?6?0m
zTvy-)tGC5(?+HiSKBNBo*itAj_5wJ==yInHC*a12v!E9EwU?c^9{7(6TuB+j%NaOA
z$NqX>b(XjK4zJsI6R|Ih0C)1Z5!ZiEK4dCF(#~*)p@Q9Xyj#34E~2uX)>P~p6Z1yG
zlwJrQEtq(Y3s&L#$x$^G{^%H&8y6(~xPPFpr>p{*CHO(B{akwZd+Mro!Z;g!jx0hD
zu*gyk1akw?P55@&Mo;mM#Y0#YdR2R`em<4}+pa$L2#n}&y4cmL9tP-j+Ev><JNf>k
z6`AD$hsU^iH{9+x-$BPq)}f*BpF)!m)(-uY`{L#!;AtI34kGE@sir9Dz-A!%xzu+V
z0N;#nI^dA#eQQfS>VU{1*!7{2#48~15dNI3m+LM-xrYSkm&q5f-XLFu4;27qdGc2k
zh!@sJC?oB-=q9cXzJWeTJB6Qw0y9>G<Qj;K=TM<R(XWo<m)-OQIov7rFmBg@530=u
ztg_g{Q_lk2XUMn5*V+U}<b=wJS&g2GBdyn%8~rieBph%($K0>?Te)8__m`s<rp_FH
zPZGQFg;ZEuKLXg`z~>+K@N&%MXE0jA1(5GRmqU-tyMc|lK9l7qZGiJoF6O$)^CfFP
z9Zzv5fs<qogpq)kKaAEm)Ki>f)Tpq=vS<j3DliE61*HW&C1{`p`X@jh2?_!PSvLcc
zEg{!S$SOc`BqU!#o&_XVLgoU3F;Jf5yP5n;`xn$BiE{vZ7HLdd=+v4AP6t0Y@5Aro
zMq4bLH-W=KjdwC4=#VSz?;9^uFgBm?QjOo*$Ss2GMAg0TPV?8KdQ$tKZ}sIqyUHo(
zW4R-JiAnl?8`(*}<ka*n$@H_UbWdMmlKw|rP1so{{eR;yyet1LQpV;PppE;&*1pkW
zAd*ggWhv?Hx9F*fl6)zVJ57EJ{cGa^dGwcKa+l3QnqQJPMqvVrQ_6}Ok)L-`zU8F+
zIb?;Wni5}4EV1aHI2)G_wnLw?IUjt2<NkPuzLf`_VthINT1wpdG1_pNPl2dSMz&oJ
z|FtdKai3+ZJ`Zm&!S8EW0qrpUj4Gll*fkYl25>1}i}OM0*ZBYm4X}QT1nVHH00Uot
z*o3_tCkSR*#<DImZ3X?$)tWWazIMMn?SFy?oTdi#d6i|_mkh;jx0}WO=|b%Nu+B~A
zEtwX6!E8L*3+huUgWB)u({acAI~!jd1>wSNx{hVRE<&Bif(sF_yAk~eYU0N#RPBXT
z?1lbH1dpl{sZ8#7`H>61_65n_WRnFOPg5fLP4g`_b{TJ;2?-|_S=u@oOCWM`thDG3
z5Hx}kCbdfbdZke$VR=H(TJ+z<^GcZ4f_*|*j)dh~uswtwM<>umfdw-NGbC)N1#2hl
zpAuGN!8!<Ql&}&D#t^RYCkY#1!HyI53}Lu~Cr-MIH)3=iphx1^m_PSP`yN?<J4B<!
zZ8^M*z)<}@WAb(=iggl)lY4-W6E62s&|nQE_Bd2sIwc1HGh@h#b*lclOFCEDOP686
z`@LMh^u8~}pitL=F~MU)8x?9AFvPCRoPtRJexP_7@!;}Vc#XsxMm%7o%o{ja^uAMx
z)VU4_?aWOh(J$ci?zFeu&&kV1LP0&o`KMFoKZJoOeBU?$e@0o;icsRu@pa5iJE9L}
zWvTiMkN%_np|gZ7+L7LD#lRWXw(X(M{JbRT*ZxH<FTq)x=obT-_KX`97c-6^G3Cz3
zc2F$!EylwvqLH%+qfa%_uXTJK`)u5}6dez<PwDl8UfsWhLx=4*jUO*Dc#Lb&5%fw~
zV;KB8cl>j|b*%1Z7?+GQk!>eDOauS{F1NQ&;os6kS*q|*;nw7(^oNu+`_;tI)oNlu
zJI<-9c7cf{!Q#E4D{<`;WyN34omN`BIlMzzvrSF(hx7)t0xx<ZEA&AcIs8`i26y;P
zeZ&BLL4RS={92Y5XNG<amqh%C+h!TZ`#@J=-<ZqBmJX*%;HtB~lvR2NO3@AczVu<Z
zfOS2<veWof?co-ar;i23JG940m5a}M@K((x3sPCvlURVf0!S$?SQPOK$+0ku4X(Y;
z$9L*u4>Dcq4GrGmk1QDkJF<+kN{K%J>jBTVq!hz{hw!$_65g|U&v_vaDRI#ZmwVfA
zV@jTR4UfWE1RR>yv=jGYvT{nP1*Kk3Dc&dojR~;iY9{i$0PPdA4P7^Wih5-@O^x3z
ztktXD2sws3mZQCAj6or|f)R`{j*cWIrF@?s7hkX7RNlp@{N$UAQZHMDs_4oU03j!)
z@;Y2owyN>mR)|1w!|nsOpiFy_7OhNML*wMvenUG0A<!J6yadTMnJh<=h7Qm>kfeP>
zvJ%O5nOuk@EmuGvg>6?Y=K_3A{Aea%c+=vL@dI{8TjoLmOjOlI4xt=v>%b2DK~N(T
z-pi%H-CsCG{9zT(ogmar6t68?^EqLZ<a`y!&H?R3O2QI>Nh@LdpOpP%N*AMYz}O3d
z;%&yXe+t)hKb4?GFzNE)(m(&H%N^7ity=jIEv#7rvNh5+zP$u=ehW5gy4Xbph~`*;
zJN3Kv0BV_T{3HF>+WpM$Cyub6{&9tkwvST~S#q%}d~RgP_gvxctI-BZ%N07y=#cw?
zY|NDcN{{xP{>9`DVQXwygy=#29ucx0ik=Fm0L!AvanWze=SPj8JuSu>7&T$9J~RG?
z`<6WI+ZY<pTl{!UO__HZE}7N9+>3aWK5X0KL3nZdqdE^j!W3dR`6S3&`<Ks*EucZA
z^evYBSW!K&=>z-&-l!WdHVSAajD3TEoQcf>@<~m~0cLUr+NnDaeUR(OEojcT0PQ4y
zCD)Gt%P&Zm&tmyk&~|e^MA|vteJ>*3MQOZBjHK}|;*|pr?YLR~{dD;=EPsvV1+x63
zMP15US^gx;b7XlF%THRz!YG&P*lk^gzh*4IQt%dRc)`gpy5a2F_~GAh(K8RMh;8_X
z#+#5JwiWn+PHda_+Ohm{Ss34N!O(9o-dqH|>9YReg@FFiBkpi7yszv6HT#~l`MqEA
zQkuBG{zc&-s90hWOx1_RI*dL1CJ{KG7d^2DbpbZ*!@}(o)uz2!YVW<!G4rjyvOerF
z;tgZ8H`6zJ|2aOWZQ{yQpGU>2+B2OGnB%<kjSxrlA?BTcV)V5+3k?ygE`kozNnA0I
ztcW+<#zVCHVze+JuynYK3Cy5Y;uW9EewW9~r;8h;l3wTgdS}3_kO7BTF`mN~)bh8v
zp5Qh|K=LnE)-MF#q7!&Q1pMO$5Jd2qkp~WA?}thw$K2sdEG|!o`=GGJW3>Hacq0L~
z*miT1|Cv#B1v*r<k+mI-TkZ0igZ7yqV$@#PwYt!6Qn(QmlCO6ePkFxUyd@;Aj?OC6
zHU_jW1KK-S!ndP0Msz0b*u_3kVm!I!J3rxo+A;!{;9Rct{AUcV6`qOxQjW3)j?7-;
z@f*0&4WBm#Z}40Xc)s{yNd9c#gQ6rfh$`^8@v8`WMF&QN3anp`@3d!Q5K|yopCEg}
zD3N40$g`2nHG&5$u<Lo$Y|g{5cGcIalpEZI&X{|46<m3wF04vr;Ti5%3#MHg_~HVf
zo?7_%@_wS&V5j|~s(q{_ZjCBWHEyVp__OmR-CBALb8{q8Eq)Qj6-~M4ohBxQTrW<3
z-`T34SCz^D-CBh7U32?ZrFt-vhs?a5@_hyI)&%^MD${EJNX9&TL~M^|E!j50ux6B+
z=meTe^D9DiLA>lM{Zv(ZQ^d-o;`vb5Uv-2MDb@evtwa_-unc<2(%11XirAPEvoe&E
zynEvp;t_LX?SM;RpElv7mM2`8v@Q*^Wv8(8`;0Ld0K$13UKYb|kvxn<)iKIgd8k#S
z*}Cwy=Ju~jvb{PXw`2Iq;EO;IjX?PWxN5Z(OZvpch$C(gP~(22F#~*T)be-J_c*JL
zh(_W+0tdJYYTk?|?U9g>=@&W5Q}8m|S9PqDkDRW2%==y!9>nZ1`r|`C+6FUZ)4}`i
z?{d8<+-~x9k<Rs9vL|e_Jxd+KQ<J#4x8UflHY``*r?3$k0o9#*mRy&%?ZaDC5;X7N
z!41x#75L+63+x-I18HE7;%CE#jSQA8sY6&VrNsXMAx0Kt;qw)gcVs~iq&5q|E;vK>
zr5ZJGSeq~3KjEB}@Jb2Ks6)sQgqF%maw}*&jzXYbAyBol9Ah{D_4&Z5(8>@|?=XIg
zby2tgW%;2Bpyo-cx66t{tco6^w*<&7D=KFjhp{Hur23Q8t!YxZq4Tl3rhUN0U2z|K
zqo?jm@HbIwy_4aE-_OPBc+v*$wg+)=0-RKGlm9l+uI1TVqRUm*jLI(6=fP7R2v08(
z!26Ghg`0DXzkm_H)-pPgbpx)gR74l`$AWQCID+!Sm^C=TgwO@eF@wMG<2^3?nt3pD
zR<1D{b+tz6fZIXA0N%c`%WvVrXUEt4S{VZ3vSP6;kb{5%yzD9q@??RGAD|%DF6bo-
zWGD><1FQnSUY4t7mccQ_`0T{$g4+dH*%sshM~;RX-H>l=K?(OqUS&;L|I*?P<<UzZ
zD+t+nW58a|ZpD2q8WWsPjvuSv53d;SYFu3rU6KdefZ(ik?jkt27bgMxq`dJ31Y@#T
zffvbG2Uw7zxHsPzB@1NW6a`sUZR09gkQPObU2v8xNcXtERe&DnsF`?cr_5vQ&t$jC
z@@!TTi>#>U4p|_j1Rm{>jL{$qq+CUTRCa{@^KsssXFMwrAgB>IVQp6)J&T%WT~HDJ
zCgXPuRH@qcjma>|Sn?1*`w-I2HX<;RoT0pugN+RR>70|}x1zqjB-fZT2gv$@eB-A`
z9Kv04?ZdhPh&NouZ|Q_@!@pVK8QQkO#`K5#LVa3#0Rziti}(s(ABJT*ztoqxxtGfk
z2W)X~&UC$eHK~POPTMQEi>P9K432Gtel6^bq-=dpE?J$%$IR*PJm1DwMsl5bl;=6~
zD9?A=Ke;X)hkuB*Oz#zMTs#buvhaPsSimc4^hK&)e^vaL1uxV`H)R=vVY2=1P5$Bm
z-X(1`1?j7SmOYSlIV>o_dvEXnI@d$#kFnX#HkC*IK(QgNn0T>Tq>csg!+2O$cnXic
z`mjM8HJ!2z=w+C-i{x3VAJ-;uEQEmi2E2}1=F;a(HU5e_Df%3oMJ|$Ot6(|DSS^78
z95_K?@LqygwFA+;dB!>z*RtYE7hi&l5usn`3rhX^nk{H3bHP;O#-mu+ModpG@8qBT
z?L2qJ<zM06be7}o|N3&QAO1s)?(k@#Dt8D~xlh|KRK<5_Ge7d^)D?g-LQZAb<qlC<
z@QopJPbHU4A3pap-|fe;;ah#P(3lr2dq86hec7A-bYtjgr@p|QhcYIkX?>wT0{aor
zzLKYgxQvcZ(P+mo@K>@OeZ+Jfy08hquo6P#0)pk48(tUd$yL$#^K9(eif6f&yd!5F
z?$O`Xb$o9{1i%_yoXW-)aya8yBfkuV)HpoXe}!fSr(Eif9`Che0YY4UxUvTNh_8uw
z<_+N%6f<qFmia?%=Eu0EwJ~ROV&TW0ky_~Y9-{zwowAqfHN5fq$?$+g_yD_%hryuu
z${N3biS@i;Al;)&P*Z#bFNtq5M8J}(p@{H)gmd*uK5yICabozymR!&@ZhrvWS@(oy
zLnZkgY7pSn`1n>WPF=xg&SXI?GJq;^`ddI`p~!ENd9l-oZw(KI7Q-@)#-%6~HTj1m
z<2C%FXwka}(~$)ixI*|O;^PG<tk-b0n>+2NXu(J#wBEuav_NjD5pyR|2FI_mc^9;m
z*t4LBBVc(W^rQP};a*{@to;+Zu$|ergt6RbT#l#XeF<<vH>RGK%vmcNoR}9wf;J!e
z<Bcq@vdZ_Mx_JOdo#m@oekH`u`hR12b7y(ODvrxsyf`l%#dZ|Is~B@1yox+lq>LJ>
ziR4D-gkNX!TE9i#J`4YHY@zrrDqP14Ty-8)f=6t8FpDb!UMG!i$ibb{2*Bb0wR(ps
z0)3fyr)U=gAoJps-AR;o5`L^rl6|O_R0l`{nG-$c2@AVu>ng?)@14IdSXY}q&Vp}q
zfydZ>9CF9p>cNS{ArImTm@t-I>?Nk^m*3L9=R35&ir=;I4BnwWGx1KmHit8(wjPcq
zJMHs#Xz!VsLW<wkUpCmK&)L#um^-k5*zub0BH#S))?SykJjQIa(nY=$F79)U@+fN#
z_3pn)+K=(dn!Re%rx}*t;Hl8Q&msL1BE{uM7(g7)X?r0v*kTtVr5OI)puUuvqv}7L
z&$lDxOTLK5Q#Jkgo*|rP7q+j43$Z^C=&~NO{?{s^o>dV$C0Uohl48~63X>im^ZlQ4
zOP$VR8O3_dw|2qjLA>b&&!?B}L*_OQ52z8CZCUCeXIYpxe2Uj)48E!lt0rEI6qhs+
z7e^_qP_Bh6@T3X6O(Ns8C=Z4BVNv|6ztRq3P-SmH9cu(NxVG^2jM0=k9AEtv29`w`
z-jysehNR&P8Qbuo#(8P@Ck}X?k&%WQ4tTz?8;i1}&w#W|$7^g)!*@8~IYwO?{%;37
z*Z5r;-sXV!H<qX2n4oF;CC2PD90Qz&4=`>AoX3`Uy%)WXsD0g$1p{5-3-Oae3%suI
zX{tUxH?sU@Omep{?9#4SxEaYEcE0b78L)BRLz~jZ8MJX1K=Q)IB`te2UKk!R<QQ()
zB7Slk{9ug@O{C@~r(<AsTu~w{6}nW!;deo4;1Tu16>=dkBaGcSb(<y%6TwHHs-Gyr
z7Jow5!U$M`#IODB^g*uVuTS!Kr2lBW?5{7KjAo-91@p!izF+t`)$6O!Fkx2%ddxc=
zg=7cb1@7zT8tpT1h#~AV3a}b%hFSI)x1)9c4S({I)a)(xMH}$}1uO)mV4{xS?vg^v
z$%l|S&^x(`zlHOA{WnFZ$*&DuQ-69PR~fwjeh)2{=wGOR{kbzGbQPdHt;egV@`N7t
zU*I^->+N`)^Ndl|7pvl&<21~2b_ij!aYDk@9Y1^@q7+K5tR9h#Z$8cGyLm)E7e0^U
zkM3%(2B>;YUtGeP>Fw{2e(Lu3-c(wBZ}u1*QTP~KJFET%FwHkBP8Uooac=6y@Fa^N
zy|d~AqIjQipn`o;;!r<$#jnesbOnI{V#L3I8Yrvp?H6s!Y--DhetNL?CSUcv{lv8&
z>cwRO>&;HAx>kr1KjIwy^my-0h$s_VdGsrYl5H2T?E&?7SZ&X>+WsH39sN|XDd!2P
zTmn@W)O{FVcp=pz6b734s|mPPrR`Q?-v?Fx;_V}NItN%B3d#9UKirbSX;xF4fr}3+
z;mbSsW}BabmW5YtvGnmYDUKvq@<-pqhnME`H9zUZyW7HBC-KDZq}Nwi!2hv;Z=-Vk
zy%z8>3)n<pr3GAQ0XGsDwt)9oK*r1Je`W!1v4HOoxWobuvw+P6#w=jI0Agr03viCa
ziXQ+L#2fv4IVEiV0=-F$&#NA*SZ_H(U+ZtR>U=y^_WxDXLH{8q_8;Drl#?KX9})tY
zTcl88K(xpg2>A7YEA?;Gl@E4&UjXN0+opED8S-DyNio&Tk-!#2eWLPLXld;Q;HAz7
zJwmNtIcnXLu9bsYLG4IgC6JQuu6@L=ko-IDBG#=SbOTd);DHyS9pB$s2L*5?`&fP+
zd@cM?b0|A{EGK->^59f`J$*~6cbibaeUPKS8i%gQ*8h*QF9DCL$lC6Z00DuHh#EyD
zYLtLmA~+@zq}wFW!Qe!Y#la<t#wa?XbOR0ojh%+{TwCMd!syJ%xD9S24$2aslYk_+
zBZ?v_ATHFUWpM*kF#r3Wy7zW>z<<8)<9SHeJ$33-)u~gbPHm?gdt)qTK))u<KOg3B
z0q1MAvycHUUT?!Ee9U1a_O5sq<@3s()T-kE_O3jhe^+(l-$pp9fZDujeP;alr13bk
z4zpy~S4ErrXZwt-3f!2F;FZh|zkkO6MdKRKqeG>L`Ta9=0@sx34Xx_{+`tET8Qv$#
z2d>>zCk&m3bqqb9`B;;{Mg&N7LGq0F{oqsMuz@tlKLqnEc&03lHtx0Ye**ky;AdIa
z>2&)y{;K1b^XvdH+`z~&FM>g@<)*Rg`BLQNTv<mQPHc2r0Im`vK~HaRUC``;1W4&I
zT?jOun40F~#y%DR8-+}h<DI>ZR<GQXV;Gz_TOb--DE=P5jr~#+bR$v*khtgCIKYZ@
zYibe+3ttYaG+v@3HGd>33sE;S-IYfmnuEv+MovJaT>X}|3P?&1BF|&w<Re4|5!sWG
zAv;HMSkj?B=6-aD#s`?LJBpb^6csl&Gx8rgoyA!zWroXK#mFaZqHIo0G}C21!Ki0R
z6sKHLh-SIWFe4in$yKQ29CKV|4I<GiJ6?ANV&0R%vtb%K8K%syPq6#60i<^0yS6TE
zQ)A{hcCHhob6t;Quo?>Wh}oh>Vw}Q)Srsw*Y5h+O8qm=h#ey~d>PU;(A9#uW!gwwu
z+x>G?aON>6Ar8F7z+hLPFUgG*a?RH<!|B@Ggtai<JP)Mod1bgQ@Ufl&V7&iu4;j#^
zdNknIPQnx~!f4g=JbQlU`1iu7UPCuTZT{mVyL+xjc9Au+zko#J2+J3};HGC1qmP#8
z35Y&JqPk$&d&V@uaAM1nVuLf>E`N95GE|5EvV2Go;R1KA$KndMTW^qp!GDlF5eYTs
zp;vU${=D2vZa>Du?VD8~fRh1167rt~duZUbu!lzDOWQ-f{;-D>83n$Iiy50g#;h6^
zzNZxa8Dh|Q5PHURsh5s2>?jUVXwPX()k9KE(ounlBrY3%;<QHiiK0Av4T>_vDas;B
z*Df_axiFl6b)QYVM3MJuya6eA&in@WmlJ=iL$~rQRIwwl&1|qA@dc^z3&?`6su0g}
z*@!<nHU0qO*D`(+;%VPm<ALL|%9umegFUtXMy@yoE?cGUq3a8F6?_uC1RK?7ujPt@
ztjoc!<<blpq=lrIOVydG1UYE=h-~Jak}mI86zvME_lERU*>v}u$3eo|n9aYdxZBB_
zSg_<0^mtowxKUh)+lra$`)g5|$WBeNd3!G&is`bk42CibduMCBi?jpnZg23i-*=!Z
ztHb0DgAC3g>=v<8-|nI;aefP7oaxb%bDCfhZEiqx!LIm!L?Jlsk)jVmF;?A${bXFp
zzXZwy7u<%*`Hns6Niv^DJ@%+&zaXeH!Y5p$Og-SN*C=tauJL$&JpQI0cZe^B29-n7
ze3$u4`Or@||B-_NnLK#F7Qy=&kZ7!|<?-B)UL<A-I<cxc6P_~!0+&Ouy@Kl!xW6g;
zS9%`AjVW1iK}XcD2(zEm@||4cVNQ)hKcD8F`z$^SKEdL2ctb^WYGvSjll!V757FXN
ztSQ=VE>FvpX6$$jZG)a>^2yb>hn$0e&o~?NWz5$Q$HmVnxbQT%dOX#$*{}^VE*%=`
zx&Jlx7KfA*>#aZ>48-NxXVcum9~-spYKO1(+LNGn?*a6rBQFctg;oPuD8@G?@z;BW
za5t%$;r9urrxF}~ZiV!X@OIQVmCFlYds|#yi=_`ozi7svkL^%`o?|)<dI=&!&?5=Z
z-4Gi&kK_)|mJA-7&mYX@E^}sc2d*TJzarKwgCyRM(}3x*H!Z-28t{kMMhmc30D-P8
z;oHIcbhI2A9tZZe$&?)ZPDijmBtc<c6X0E`1qA5Mx}e7I5MO5LSN)CVZkIk)p0e2R
zlqcG$#>1KTWQU~!TKW8Q&-D*)2vnGqHD^5Z?*AsTZUk0$nh*5hycsj(=AS$CTOG|9
zSux>_=56WynwNo!>-}vdT{7ytgI*-f$>k6-$qUnLQQfaX$_8@;@<p0wJ`VvpI1Umq
zKS_4h07I()Tg<dR!2*Hh^#Q3`kZSoP5j&Xbw%FAnsg|Vo>#g+wIbI|}gdvr^6pPW#
z+b~M8m-3_b8}#+A)%9Y>XZlaC#%|J-?;@Ki7(1G`X9GU_4dCuo!-2^q)z9Qe!w&Tv
zB!qPmDUp+XfjblSgwgHz*`IS*#uT<Xv;|#jHMT&0&Ix>79o`qXj-7T_JUfA}Z-is}
zDD+E?zrWF|&;Hd+?T=TNVw+>iHgr+1d+CqrwK%#dj}gY-7QU!aV@0WDTQVf>9Vsu7
zJy>2;Pdn(*RQ(y*+rWnQ8M89??~Lq?e2aEXH0bK&2EC+9#@sa)e&kzX+qhiBteCJm
z+G}L<_Vj-5NsoPh`~D4=oZ2g>H>4bWow7ayjYd-&66l|0JbVD`1!vrI*&{i$aeL-a
zpl^Hv`h#(F^Y+eNR-+j>nnjNG4*FXz6HFe;5lW~S#W+!j<)SOmw?YSI%_@#;MopsK
z9s(NHyEhcQS#FGg@z?Evz{{;^;A&e#5P!JU;z^m^$ojZ3_~tQkPdMkCgk+ry(&$q5
zNMJ7l4FP7u0OX>L9tD9^-;c9}@R{WC!rJPhS@pdZJ}r$t>-=;=uYG4CFA+b*`yTB?
z>?W(9hl-C+m8;#BTtTd|z&G7TwKxrcIN?0`o@(xxP5El}cGTXDL*<Ysk?n2jkIYk~
zs@0;ee!1d^awW<3sS!?ss2(Sym!xCvS`KIG;Cxs(Kfeh3MPtGEUibL3j1JA)I(OL{
z>0sHr%h&|19q^}3pn84F9`VSVP;9-B!Pz@^?NH3pj5+H7h^($ogNO3BAU{-K7bAkI
z3#Sn*-ywQFX?ah@)}`{IheTGR)|jWw{#hIqgm)o1&XSf!7l<=lBO|xj?B;F$rd#9<
zvLx8%o&6SnN{hC;YZbC}FLj|O?sd<_O%9hgIwh^TsKtE`To+)G15egzjR>{JBDzC=
z#b2mCR-nSb8UA2#uFJnUb`HOxbRH*fxhe^FxxLvDP|AtIZ@j5Grwbq>qQla}!GqL;
zZzX4{yT-J&J<H-_u{_c&UP9bq_Jt7~yN&`UeW(XYneUz(1sDZOYge#)umECVMc`Un
zyCl|X)$$+3<Wttpe%<BThQ~#gV#BmG@`k!>2l@+Kk$N!FqB)lC!(DP!1fcmVM3nFf
zz=_WV!yH5)+}Zp<B7-Q4i|n<@k;B{C)K6a{J=#XnyO(~a4glaaWGB;<S6$dY_gNgk
z{q50K{o&BQ_GqMQn1n8h(O}ug#KKT5kXSJp2kapOb%W!ZWx$TpU!gc+c4|$@F;P(T
z)@1tw_ISbq<6YKJtcexz;Z8xeyEYq^GMwW9U<u@62qFbCi)*nE$1g!w?C3C)`HYkD
zf`eS{S{lhB2V4$*WF)*#UnE4~zOYrz#W&=F=Zdo2wK$LGihUx61MYKNE+)!@5Cp8w
zx@)gOBzZlMNwA#ho`VP5;4Yyxtzr<}v)AH0q|H2LRSfYG;Q{l)d~Zsq@I^YOr$Fl<
zU)2+s@Oh4dDOss~<^-fFg=6`h-C)wgX<%(VN*<lh4#XC%Z)=WsoBbvOMVsB>I;nLj
zc%^&JlvC(tK3mHOYQaM7{}PSAG+jj5=~I6|nQ-5f_q4@sU7HD$m5g@Z^Aeg#4%)+W
z1jQFemy?=U#=}H;f{F4-8m9-p3|dxhljl?Gp@{o%=iz3QCO+5Ff0o>_lxd@qSob9h
z0=bN=!)21l>h7$r))<;8W$TkOn_9z+q7RTqR2U&nn<Ptc5xHu<sXdt6n_Ur=um@Ve
zBA0nI<x=V;&X4R4)(Cv*U>7ir#5>HzqZY#3$AAOg;{0}|9DlXy<&D;}Fc!!Iz4o07
zlAIAHkIf>O!mM9;WK)CdT<Km{{yx#Y&Jb~fM;>j7I-RI~MC1Uvm=7u9ZynY$>|&+T
z#S-=adY9f#mJty}f{FW04o$LCu~JQ2KTC`^)svrkJpAY<ZIrL|V_pRrRAVl)*r_TQ
z3cZ%&oB@&ppdL*K$<<kM2n+rk0<XE3X5>a%s?+%#K=?7_jO)364=s;)Z+rcRI50XO
zhBQ1faM}9|44)^#i8>m_8`)y?%A4|ud+GO7=lK{=<L~JHPAb(Q6y6ocv6Nd7Ie^dT
zPuhwBG53ANXgP0m;3*(FP>5!e;>V&vcc?8e9pi7Y9W20S0I*0V)PS_l>>V<k;RCcE
zY+9qg8Pf8A`<tp8q;p%F-d}Fs(=Bpf_PZ2UK!a_b+I{Y_RwC>1(i?d_w7t*r92B+R
zd$QAq6z^|)|LgthPd$JUdNoBg3ukv<cbDPqqx$Ni3#S}~!kGhDvOb6T%jE+zKZxOt
zfdDMQRQI^}z=V8*74D_$iaws1Q(d%a%D0g%7*RM4{c;;CTIRCjXX%*{?w^;#|NSWU
zl54Qj_{Y4^_i!`!37o60>kypTg`Tn*&Ir!zW{2T%y{jG03eG&r4(9}CcDKWx;LIL6
z+$|WKnWcllw}5`M9R_+&hT$_2_d3BHYxcKC{d}p+{>E6_c<?8y0i$DEL}%|&n*<Q>
zFXJwJaL3**Ys5~Z$aF_FW1z-;DYc$m!yAH)5U@1bntFNLF8+qoKFhdH9dB^HBbzP%
zPg@}=Z&cS~V)|NqL4v;+7XNvvp2XLqQ`%Fc8_`Yl6lp$(y9B<oe;-?bVsT9a%Wbz}
z&|8R4m;ZXPu=kH(cUwUazhQ@{F98~iv+_u?X6kV7?1KzX^-6wh&s>y`6+Ot09Z)Vf
zJPUd~(cC=!v!{7`W|z%s_m-r?Jwc#j!0i6{a9G#pA*`+ICR9T`gzVx^K;G>2NgQIB
zS&6c`YbnQ4%FBUMJ-7|mo!3sSv<k9SJ%%h;5L}0VzZ4V%FGPg~;k-W$0@-{HA{PB^
zBM=JqVJPgT#v%>+I}d1T6zCJ9dpXN>4sdn3_Oe`uDr~+k0_XbzV|mVb)+UsoVFAT-
zaPGzUCiaERb<7E>KoA<Rh8nQX2J(|LP&E+eFZ8{r3$Vun)gHYyw+8k18G|qf&r(;E
zqe+V5fjuZ=jWY+dZnc$y3>7K$-}LV-LV=}(<q$U2xefIsVOWyeqUKq8^0mPIgn0<N
z9|CGEhVUi@;gy89%DM?|Pr1X_5>79uxZj#vRh^!NO{FY2tqbg_4*lHQJ$C`BS032`
zP2dd;arrNXw!{oLA%D2KXP>29n|6sY5bl51l;gE$<Q1keP}4ugs102LcWJYbNoj5s
zjGZjJ6ccz6sG$SB-S^X{W<zge<X-v-_PV0C{vA_;e$7}Wjb@O$(c-gYiW);%F<7k0
zP-lW@1-SR6`8d*|ZEy3X$ea&ts8?N7Z**ppF4eVu<!meYJ_l7{;ipuETAzk?Xk{v@
zwBJuS)}Pwn?0CGC!bnFRlK1zGhZTy=Ex~VK6JgT47oYZ);1^Ib-UjZLc~{}Z50^Iv
zy^eKUj0dRct=J8OgD?*!0rozi^5-A654cA(mENp#YeUu93shJnHtx;c1bVpKHIi;o
zwjmrc)4VIV_vV%R8GLxf7d?9&)=;z^!aYaheC#!1#}U@z_s@9TkF>b|(j0uJgQxJF
zQg`WUUy*_j*TBY7oQlU`W>n1;d@GIX#2w)du&jw2k5LTzJWNoJNa@{}jp^R~q_3?F
zJNZZ0l?(#K)!1Qx>=U8@*szj)Nt1pz8++LBZvp52W2WrN+wIlZ+m27{Prin9PJDkI
zzq|`F0R_E3`Gg}6jRUNBy&dTv*m!XYATUt&C+`rF=$9=eZoEj>?hG$V<uNY<3ilsp
z;TO8(ld|NUGRPw|$>ZRGXmNADP0ttk3CRBjvTS@?I>!tEQ@4x6-zV{j)i!gq9dCJq
zZY*c1XRqPWVQ8aF<u8N6Jq`OM7;u_mHy~DyVp;P__4F{Txg5&zcf{ldZe~y+QKcTJ
zuLCLT<-Vv~Y=tqR`v;B#_mD!GJwKqm@0;D)1WC}K#|cX9FUB0cm=Ng<0@BVR6c7^q
zE^u_H2Tst@@#S6-4<@_AkLt*bzzy8@Zn00tKkbX`4HWTZ`;$W3d0&w(I6OFUl97q`
zad|CE_=P8caRyJn01Q0;rub(9H+mqc^;)n$7T;vo$G{OizE9tjfwS>=OcZCeHJv3x
zJ%~yB&n&#o>5C5an%6-2;C-B>Ou$D8?L+o*GYN?_e?)I29gt66KVrj(A8hX2a1_Pl
z@dJ6VM4f@=id_mYfIRGSK`DfY(^BpW1Pd<>;FY1uwAu~+qk=zQ0;k>6I>4DX&K-8G
z#<`k7aBl6ceFB)+wQk7F7wdm~Ny7T?JCu4ebs5ZRkMhWE?bp(RAcTW_)>VXrs0+Vi
zBN&OHcwUK=&_5<vIKmwcfH_tPk3k9DVVovuV=3L?KTv5mf7MG&VD8^FUy`D$Jt(gV
zp#HjN+(An4V>Qgm=PWCqbApA#+~Mx+^P!H=`S6f1@;OBo1;7!1cXDG9dY&BjLB>92
z+!u63S{t_^N*x5Fb;jK7llLX<w|`)wfaj<!U6((_;$ZyDY`BFz&Dk$H38}b@^Ebw)
z>=|vKF<`71CluQJXVS)jONl|Ok9`3F@~xgD9t;)UfLjCqL&$^vN46yLn1-f>2c<QE
zizEjpwYohysg_$&%UD#s0#W7+;bjm-bFJXSFaAiq{hq8(ZcEL|4jiY<k5~o&jpNy$
z?0%}=7ic}6N*5>YlQCK>V^3F`rN#lQ5#j{9A#mEb>IqE4F<V%UJzs&3hicdh1KRxf
zfDFEt{%}%F^Qbn-BQPh4lw?8wIb<r%#6gv&X7kurIt~VLa@-{3q^{LlM74JzjyGjW
z;SZ^x$=(s??RY=m$I!Y?mq)It=~JpNdqGhS>icgd|FN*M<pXAhXD=}XckkkX_?!h^
zYVnywxm|S$(!fFv55X@eOCyqx1lCJ6&~9*3yhoj1XVH2Wd!o*K8gySC0=lO=bmiRU
zji4*4gvMv;d0m-L;dnzHm~Pqow_w$yD+s799x~-IM)Bn^OQXQW_*V4=ONeH^4B7<y
z!2aW^`C#PRNTnBJZ2h^!msa~a)XYzp1U?frgXa`?`rx~@Jkl#S{>J#L%dM4fc><x{
z(FY-m{<+WxND)|oclsPk^Mq1VQ|cv@f?8gkeqLgwpMZW2Ja_miRNSI*3`*k;!;rJO
zIvNUGXQ@shEwg~A*7#y{zwTo2v(Vw^CbrYDNTR!W7SkHti;0x)AT1!$UT{w%#nE!Q
zd?GwXEQid-%qmM}Djy9&bOa9tkH?F{R>00*#_KJE=@(>gLlC+`qy=`t6QGXy16EJ8
zM_9c@${|7Dy?cpS7^CsJP5i_p`Ji1k7;f#bZa0S*A^6Gln{t>9*!jTjCGwVpN6+0B
zp7w3r_&&;^t{aRE_D|g5kI{?eE^mzlzI2B>BY*>7z!?l2kR1n`q$lbiPqfFzGA4w}
zLx`zD%z<J%<_5;xjF`qd7;3}n2ylGB`M|-E)MYw#C1M(!7)gB=Q_p7VW}SK(a2|GW
zBz0#={ZJ6ig~+>{NFlHjcVikKCV`+PPy?LN4vr9L0S*c_2{D5Zqjdlm!E^;l$9w`f
z)%A@hlG5)qr5xNi!b3#H;7%mRwXWDXjGn5=<slkA^dKuh`C^cbauHFk0E$WH?3P?K
zW&jHH|LGutJSa^WRziz6x%>riL-?a@pTS7%dNJuC));)hL-UKuG9>A>NgaF*HQ{;`
zE<U5x0!vLEyG+PS;}(!YKK?{Ln9?07pC_cLaorO0-ox{G@UVPdKScX>m&r}{f=|p@
z_<`i+VRHA-Yi0?)MBi$AcFRTRU5k>0|LMV2JXYuFdNOe%MfFEXp&zjhq52?L8of0g
zPgw7w^Q4#1478JQq!UhDTGj1{FOQgbwPX2nV5hHjH9B*fbTFtm@a{fjBM#ZA@lItU
zYJGkJzdtX+sNhRHT`c7-tKH|{4i=n^67watq(ZB`AP`@hYR@Kmtuad+B<5K6gpA@o
z++0`Fkqa9KJr>8hvI1YLn+Y*y<ftkg$Wvo=AfFngefmKu>GP4kpT;g!IXd7`$Lqj2
z)k6oWR7V}~se^@*S*7}32Wr$#9hjs(*MVtjlLS_=JE^yHxQ^i_9p>Cky`sbO8D6Nv
z3mE>J4liW59%0WuY@y*PqeTD&O60!c2)VELhyU%>R%>9U(cMz!a{cEexu>}J@C&Wa
zq~2wHgbn13r)Zyz(AjTVwzeN9_|Q$%#zvY@fm1R4#EKj4Z@q@ab`0@2O(Y2BD?reC
zH1#|on+T7J49jva!Rkfvdf9a`=Kx!e56dWlN%lVOKF*?x?O*&IX@Tei3yo5S%h^Ve
z61g($l-H)8pF;o4|1bUgBh&wuO%o}BpO++lkp58~JZR2=YHIeH_T^>#G2nTQuGouM
zYLk9p;nmymc{)CNr1;*j^e89|t_&!>TY!>ik0a$r`~`wf^YEho5k3V@)9?EK#pigf
z*?lM2At7HRUEPQe-p4x3KOyl&cyUEr`&H1hP|RdGMa^)BcOvw^m*weLmDcYag{J4b
z{NsGl>EqP3kQD@c3Om9K)QEo#1g0rWLjYMJ{SaksYvgEy_Zh7a%3i1z;0pl{D&feF
zoJr6X{`Pkgogbgab;js)xgRdQ$X%-~q*54r?eB-XYx^KO2y-nm#DiBd?X&KQn;AL^
z>5}q^=zOxwQxU7}qamtxATl?mXO1`jgixY<c=X$63@OJ;Zn83tQ^nvaIQ;_h(wttc
zL*O)*tV$!znDOKGGcGwl?eAjru;%Q5bns*AEu%+uBm+i#Gj<ubrTIJKE#n?_z1-!-
zU3drRL&-yD@T8N$awh|9qu?c#f(^)Fp+*0=$noL?ZlO@`c3gF&8{D$2?yyj3XB=0T
zaXcNkV4a~WH51%Wr&W8GwYl)juN1$QwkYG5VnLeg0^I&oxJ~{0UlE_-u02b~8;r&}
zLrVstxzJ$tBya2S)G`uj!dPh_O;D$`hXrC;Z#d4TD`dx7WVwS#ePu9O=#uQ%gXT$0
zmf%0H$y*n+-QigvTs?bMcAKjOE*so)<;DWsNl4$0<=hCn<pq7>S$B60`m2CeI6XX;
za~%*v8oB@^<-Mj@&NYDErlC%6jpd97bS$9O9SgWacGtp-Dv!km;w%Op#{L6O`f7bj
zukT-Dw8laeZ*Qx+vD6(p)G4r|diHdbdkWn2;wi9fxCzQZ&M*N=^7!jrxlM?)PyTmF
zo*_<r$2A1Uz#I>bMTu^t^@5(*5FAI)l>m*@pqhr@6$Fh2Xov<)YY2`cXcRza3n+;h
z!OH-h0vSW^U4W8kW&|$<v`Rx0%n14b9S*3)49HEv>kyS}bBb7s=x3TEO~c3$wr~3i
z-TG5|er%|Yj1s3HRx2V8?@AB;;_&pAWh@tbHHqz-&+Oj>s6ElCLe%C`Qwb{DR0`Z7
z2Q4l&l@T-)ptCiorlHA8&?Nw!ph43bnuZYM0jQIJlDO0~2+&F?O%j)y3IV-HLlazT
zx&Y8zKrJq%jPIgv_$=q?Xb6nxec>9%<v$f}aa?}vmuN>Fk9_Cs|6sJ$;~AC)+Ty##
zKQ9!L4EnJqTI!ENH(Gc5;OYY^EGcfL#3kSFll=9KU42y-3#_m;;MjI3W*3*$Sl4)C
zGU5+eB4s=Z<_4y9Vh=P1tC8o2=Q%z>i0IR=n+NV>_Yd4n#Ss`2dCy+@d_GXXb<bX0
z&wQn&GZz{xavuF&6g5P3WZ17nn8yWA5A-<d3ry`vWG%fJ1R<Rk-1Y<VSbbeOaMG$9
z+FbE_m~Oe1%vs&UCI4i7g1Ul9mtngr>Ebd8Yi`K>V;WqguQGSJyL@>29g%-?Xm|RI
z`|4OqeHmJF@uydWi`^5|Mn7p>L_Xek?h*O;C-Tu94uX>K61Hf9mlu$i*<{tfQ+TPz
zKe1Pm`5DoEp;GzT{2TmyB#EDLRHObdeoj0BKOJ8BBHvo8EA80%<6?`Qdc2*5sV9B2
z$Iby5&pqm|Mf%I9zn;)va^t3>dQgAW=(suhOYUZLRMX^3Y!4lMlLpLZgGfGO2nfjr
zGFEhXXdhqbp%|yaaL~%Hb^7Z|rU|X!DPqLIRO1&9PvJ}Gg;o^uD=-CcA4BkUZLHur
ztMZ)fwB~wzyTkhtt(y`Kk}Pu!2bKQ!=2&Fwcyl{OV%{HF;bC4M;LE%VZDFt5@W}?i
zR}wxp1)fFtQ-o_PDu@z5P*<$SkGhxeqf+pj2=^2IRbu`R{6&OcMR;QZo@#HMPT|n=
zXv=<kSL$Euk{lrSDfZhD&cERy*HG-!^h{TW)?wK$ECkgJI|+}ux-v2mI$2L-D%0!6
zo`Ti-j&)=E;HN{~*c|-8v2k!ds#-VpRQH3cae`nQsNm}~H~~1FD~AJvg)aYjAeIMW
zEyHrt>V}<xuYN-MOoaMNs4w?o9Qzb>asYM(S`!IzclS4v`uY3>_946fy+0NZ^1v`_
zsh*wvatPtFy<h|sK_;|%5Yg6qzV`hx$%`U;jw)Fyjl|6H1POJEeyQy!2$`%3$VoSM
z?Nsmxjl;?^VPDl%Clo-WEMKSEh-Q;iWqIz}lXa54PLhw72n_*5$~-#B6HbysEE0jS
z$VE9xp3+GK5GkwFNp5$N_}sNO>m&!9BzNc}0*I7V=_JKYl5uc}u9IZ4&Qh0)brJzY
z$|mU~U7RE}?pk(Y6fDb1a;7>;ClNp-9CY~het(+-)BM*XMYffqpZfS!At8WBc!87R
zpLPoA`2M6fFAPJFjloOu(9AV8FdI;Emzsr=>9?3R!ugF9!5I7(;uJbK;~kurfg?3D
z2LF*bE(hmA2PX;~VVE&^IC0kBWao8^jbq}1IFzU%O<@c^ooEXjv~N%e?TCDcMw3Ry
z{fE9lo8+Lab<naknuw1vcq7p~4%$B)G<xtwrXrr$|0P<MgErMcdjn`G<L79+0KJSN
zArC^+RT&mCI$O^|;~{9=wi%j--%R!0FB~@Uk_UQA;+zb>U?z!A60;Fz8mTAG7qB#E
zpV7&LGhjFk_|ku#&$!*=i@YSlf_1s$`&qIOYC^O5$77?7TUPSG=wq*78`7BI!&0G@
zbRy22JkQ~QyC9$D*-5EB{W-}=tB{oCbIt;azm@I}oC)Ui0k+l!3((BoRp2uGpQ9Y{
zw^Pe6Zoy`aLuSADujk_j#;hu}1Q+q(eT3r>))BeEdWBOCs(p9uqwLe#Gi$5r+?S1W
z={Rg}RiR>fXn;B0xEMyMEFePtXnTPgwZd3X4<fP)%k%BAJrn7HVTZc^3^oBDh(i}~
z#SU2DX%2Xc)aq7^eVqg5``WSY7I?S=4ienc0uOM&ACpLq1wP3E|ApB7EO18$TrBe0
zz4(k2rZ$18tEgL59CbI3N5~q7T7_$_9GG1Eqk5A!TvZKe#?cFTtg3q%_6jnDyL=^=
z4%UAo{U>Lprax8E?<!46|HyBrf2>{l&sqDbXlnYgzny-3yY&B*^lzu8Ki)}?1@Er<
z!)ovL{5UFwo_}<#>cv!AZ(^d7G#<83|0Y@{!B04GsJbmRJug*bL^MuMX)yKz-3cy2
z0nBP3iQS+V*5Q>c^1WIQa{_0~v!>oz`-xn)4cuI?3xF<Du4_COg0URSZ;;ckaV%yW
zCfn&N_#MyIba3_IoWRZ4X+R8IC3N+V2>sI0<9={$=$CXHSM_AB4d8tQ6u#UY>xGlB
zuIl|6m98#<w{^Q)-K4(p{FIFRkHo(c`p)%VaaHEQWL2M=#b$fT`7DlOdtnw^&sCen
zu%eRn)qgv$A}c~k_DK70N7pf<kz5?UQa=GbAQ#Nz5;1m9Th)#1HBoVlEXzf)-=SLS
zS}>ShVUPR4HR>KLhv7{st!=>sEiYVf-sd+#81Elp^%T;cMBo%50Cw8R>fKA`Mu7vj
zE5&I%6>NPssScrSzi3d3zH={Wq!$#^|EyjQ8ZAoFnx(?YCKM`813d$-xtFXUCUl<<
zxXdupG~VZaX)Q0vI`$g!yB}E0Z*Lk_*!1zYM7;M3xh}{Py$=%+JJ9=9X9PxIK82gL
z{>puGP68C?v*$sUaE&O34A|g52YRy5XLR*NVBL+x2vmvRVICr+LWMdn2RQrDa|{r~
zy^N4bEABewcD*$wGoH!V(knz8sT~thA#9o9vhy~!;~(sZcMy^A$j13Ca>Q9(7U|L7
zEK;6X<LE#4k|wy|S>QpZjMrkl#$J=K+gDD4{%EgCw95Us%SuXoJZ#{u<%6miMD!I{
zj3mynk*9;)kMJLjW{_uBlExFdO^mL}My2H}hx#+x&N}z8iqk3$^$WCwV-JS~8GF_t
zH@FKrl|#=D82#zEIRkwf<SLmkOLupb*@x_swA1XgFCZ<`{f%*4qzjK^*`s&`5GfI)
zqEPRg!gpSBP_w%M4o*K4q2~~42~!r3c}d^8Fx!jkC@=`r+t5q3O*pW`MB$eZgVQ1E
zqi1jyFidH*im?qrslo*a#0H^nu`HFyjc1^82pnPo2WeoKC*4}Y_adr;_{r)VjIs<J
zTEgr<C>!~|4<QYJ$EXr)b=KD*Qnqa;A|Osnuq55M6i!UOw@*A4G~vLbyY@P${l-5a
z*MtKOcP-CLG?o#_b#n2MfvZCx)%YqL7B26U0K!yoHC7Na30O_ckpv#=V1}OuFc@X2
zdzo~1XwCm(Jpqx%j*<PU18f+Ro39eDIo{FadpneC&5AUW{to#Ko}``76lzMZ6MmS7
z96WL<%^YvzNyZuGWFd@n^4-mxV0~lcIr`)?tOoAbP=S)PNDFIgtfeFet}t(gE?f-3
zG5dh3*8iGLrrFz~g98v*2x9)-z4;`JWc@)%+jE&r9YAWC+nGCIlcJx&U)XHmC5x`A
zJPBEp2tmeQspB01Rr!p+TF2}Bv&_eYoCo;b%bD+KPQKePf~rHO*!kWGL>QwDbtn$@
zgHHmoln=Yg%0U_dB)C6mSOg@!E~NW^Y#PW?38<5vf>=bQqe^mRJTCzDX8~XXr$$X7
zFj6wfy<`=8fm-q;=tftu#RUmRv(<l|!$=oN$Mee0fZ)FdNbK%{)LN3k3BGzAh}han
zFTtVfRrQJ3EEf#2NJ%%fkO)nPe9(?8cfa%+^3PLIiLyTPfimAlQFq#@{$_(Lv}`rj
zj#|(zDn}LDQBSptDpaT1Q48Bec~mDmYEio=pNhj*f)xIhc2SjTy&bizUDP=Bszg}@
zuCh)zv0uphK)fO-4R>hN3bGJm<hTmsU(~J@#!@yFHFXZ!6b=e&bBO}&<im9mzJ373
zb`{>1Nc+CRcrg#SbZyo>IOAmKo0;G^CO$r6RiO~c$R!O7Np9)ozR)Tk;6fd1B2bv&
z3VfH#mN9aqf(C3a{u<(TS{?c)6ow?RpA9;yH$;U-#~NHpM0Pkr$a$3?OZYr8_n?&)
z*B@|mAA1sF1MJ@?iUg+(zX4;YX~T;_6}7=lR0+U0On>17ZnL<<f0ZCkA|l*{BZ%CL
za))~W7XvN+^Hs*^s&V|Lku(lW$y9sLJutY2UK^Kmz0aBlU}-)hS6z+iF)q8dLqUH>
zeaq=KyW2md?g(e$Do3e0xPUoqmDi#4J;$8_feW0{+(KXaRk>Lv@8Q_vG3aRfZ4J=K
zL_=5(WRF^8fjIpw#Vxc22}=2-lxg1S=r1Hy!6bZ?{f-2Bo-h5RT=N`YlM{tN7G6_&
zeUWu|+OHflaE20$pS;j251Lt!DbGpqqZp4GOWZQV?GNbpdC_PWB2K(has3j{0VARD
z5TzCED=J{j2`q_>)#~Tts7qE*P54^Hi-QaQr2X;ulZyXKw|i}-l>YAA9FXJ)3zFIV
zN!zMAYjT9D=Rpn<4pRK&KX>hi(6JRb?CL|(e4UgXVR*E7fO-=xjG_>%Zbw?-O+{oc
ziZq|7t+ISfI!TougF;z|3W(G=NwI~9#Th0DX6;Q@&Uwh$LoDN=Li|Y1m+PDfRzDt_
zl5;&#Tf>ZMm-DC3Sk01=E1ai_Ov-u{qAC2mHoKoA1Ztg+yeo-jJjC8Cd2hsw8MP)@
z-Ibd60;0C!iQ~iauCnunFiPgsnMs*@7!SdfxP^#I5{X=^U_54U3kqfp;I`ga`*%=+
zko$&5Ps%fIg)xW$(0A-%Q%H3X1z*;Ne`Xn|U_To7|31JWnjhs7rwnQ3LJNyKc;QDK
zd>VW7brZ0nBoj9m&$n;HCiZ)rc>ciWN%Z4BT$#$lMW`EmM#dR=s5(o-cZ459UL)iT
z7mizT^GrWT_Q4}8B2W@9^KjcNPb-o&su!55^>>o;Mjq(kolA|Et^#+ArB(P_YAn40
zKNUvfB>AbrxqxlH^tt5Uh_tUNB47B@AFsy;or-7Vy2B?Tj24~7AL_%MEUfXWG#kIM
zcg^o*cKo059h`9*U;&Wc;UA&Y7q}A|X)VLdV}y<w{Mj*QxR&K(Lw)%`{At((dqI!>
z?ozlURS%<MltvDqg1DdNT*hVn)F(Jbt%(H|d-v7m(p<wa0_t^9t*Hr6isIbzD6aSb
zO`OuJ{tu%u$AimaCo-<djzbfwqZo}faLZ0(d_LkYjTRT{^gAB{!Y`syOF8~MD4tX$
zj%V`TWb|8(p7a?rz=f~Xm*497Mjb|u;0!)Gw;EK9SJ@;OGq2XL%Q&tWWtjU#S*U^y
zUYl-(;VD$KZW(Pn#AGPaK;zXKge-ImnV9rdr%A>c9}>F-UExP*9A?k)tvs@&0-6x8
zc!hlqla9s3c*oO4@JCq2{3?tp4_sJT&r96(PgZ-T{Wir~RRaLFnsaflEo(&4uUzlk
z*GLEEw(Gs;EFy*R<<MeQX(O%P*=xnR;MHz5;8E5CA?S;<yvxA|JfE>m4mP%^CFpzc
z1#JIz+#y;_6WJ;(x)+$NxW9*fN$%dGb-#dwE+Qv*SK$MPIrkxX3Pp;GSFigR9*?@%
zqUNq$fHa!oMW6_4{Q&?lE;rtU*@`+7FimIhFIi_;M`3s3HD;etS*U8HYHZcPpE<EV
z=va>$j#%@1p$2)1Ed@QXXwVJ%97D2FaC5XstSk0dQhXcE$e0&W)|~YTUB-uTiregj
zi2B%!B>Z=QuSL#$7#Tw4jYfHr-2J+4L1nriSFQ5yrpl9l4t>0ry&inzF;6MwD7^1g
z34oeM7Fc$di=5WW-M1>e#OwbZa@*lXZhhHgKyWqYGq=Z3Cic4$TsDs=ymmxtmi7cc
z7*!`U0$(s(Y?5B!BhFv_cM|g4<2r}HKMI<b_h*AfcHjXB>&3UTk)13thwlahE#UD#
z>Ll*)O#<AZ0uCDaOtOpR4k_2BuK~oo7=J|m5Vi1rJ2@7~1$oIkHUx^R&6L$Jqx*p#
zhmR*OfK8gY2yi?Z>*f1z`o!-KGEYk4Eyf5ujoC~64((|(_l!;sb07bX+3)6BK<zHA
zU)&vGfFw<c+_gWWkCfsb3g5)6eUTP%Xu1cg;LosIE8th|7EQaHRs9=M;~7#s;K6Nx
zwB71tMDCNt3+UKMY}Tmg9`tZ3yP5Sm*D*qCkNQV<2pHB8xQBqTO7*a5x43KnBDArY
z&DZBN^+tCR^@~6qnvzAj@CmZhe^FU&Tc95=P<DdC8p+&^!B2Ka|LWTpgT{J@j|dWa
z%8kg#Lag;#6}xU7xTDu3aqJ@H+yK0EVKYM?pJ<qOcxJVuMG+4^mzlkf9@KCkDYFA8
zww>8-Ai@**-MPJ7{!-1^a1(_vG<_TjeS#Evat;?cdt)BrOULD(=tKDcD=)-|OHe<e
zyp*`>x>>UWYfzWV&V2QG1jhYBa9rzmzB0K-J+&VrBwE#+h+fY5!6>MgOKUWWB;cA@
zHo18hP%Xx8S-`rw!*m`f?ipb(4=(R!RnmM`Xa!Mx*awq+OkB}JBu}JcrWACyFMTpf
zLkUs8qP;EgK>6IYzp}c~hd6ezkk{U)Yxp>r#P3;0ftWC+b_cRT9#zakfeNHs@;K4S
zqteRb(RO)o+(aJRtUP{+>OA-YE%WG&Jj@8F>v<I_&gtKcpB|x+H;@wQf0W(GbxDnU
z3@UCnayJ%AH)s|pQ!H`jxqCJeHk<@zX?6Aq<V3y2x}Y&1?23L471Cy&#j-g16Zw7K
z)skTI8PWQ}Z_xA)V8ZcCcz_ANLu@_ag9tAHob?;T_#YU*f$=ED1E7~wi~}r28Hy2K
zB<n=o?_hjF>n^0$J%hzGx{o<R(ymO3t4Leb`Yz0JzgmZ1dELdlmZJt@mRK?WW(<@m
ztYfK)2mG|;RS)4>Sofp6SmyPa+kj=wcP%`R9&I(=yBe>`<gG!CXY=}nE{9jL3LS=}
z$zv%nzsJE53|QdsEFg=HF#CZJ>iI{e?&q}BII`e0q+SMmNDKbj`IHhf*TKxemZUmB
zu|+;jnYsy<;a9&q`}?GnT~kx~m@;OioMWY&$&}wR&tsEPuFpiCr#pF0V#-=8Wd&1w
z&lF$iNy?K%PTlQQV=d%9L<Vk~xkMvRIRbKjAZw%tG}7fqK<a2we7m!*@>=}rL{~8p
zn6a1;Y5L)Sps{LE0UUF~P*xs!+nVkCYF#(@rGOhMLG|yibZ6x{udHW}kj}g~6F=6A
zFFW8tL7j;fg<}TygDvn+;-Bt|F3z?w*qb{`w10woNyu6IbBDQ8x-VqS2cAM%kc0oI
zas$gLkq~nrEj$;2<(Y`Q!hvTyS(EaQpu}`K+%{>#q$y}mI@Z)<)C|Pq4?Fdf)tnu^
z$Y<)bI2o}8ebSeHYi_0L@U^bnYUXT|d1%Z+A47GZQ{WM1%u-SGZ_xVjN0amcSBG}M
z5LX*^+Vm>m!KYIFM|kC*;?M#C(y`1_^veaHC2LjLZ1Pj^2lj;MB9rfR%lt++S{~!{
zx;gIub%F$qL9w*jnon^%mR$%)ZPr3Kirl@3c<nmPE=R&PN)FJ(`Z$Gi!lJX!nA0Q&
zFosnjsLx^yt1;#*0x&Xc5?~8O#}Au^G>arScO6QDlUaC5g-Q7jK_=zDx?$Nk8?{M7
zCm>XikqOv|2<1ztH$vx2h$p!QNC+pn<`g2-IxJsi2d%>@NeTx)a%9KO(Z{kgWz5P`
zU*Igi5AL<qW(ml>Wc7{?bB=}gbp=5#HFZ=sbYyGc*xd5~C+!b<$I40)E`RDZRG}|t
zw(e&oajm!}UMPAQo}WX-tuB9YOKo}(QP>}RWlbG%(hEXAV|8qD4YvjL8&`NFGqgI5
zn>}*IB-*Xn7b<cEmIKjB?h3pw#s8!e3PwA;q{>~3#Z1)svx?~C&fb;eCNDz<@r&V1
z4v=S76#eKQ8(cM;F#k?$0!@=cP!-0+s>{+}I9<vERO}q)sJ*B&+`0LT5UWC!{S%~r
zxG^vXd*GR>`2mi=ZK@m`0olN_G9Q<f5bK%SmQWB0QPBdtgG18%hk>ES><!U_$hD+H
z<W2!li)Ph1WiIt6R7gZK{xbL`%hDUMdyj6KuV!A2JpfDxCRM|O>C{`Qu{}KnPEw*J
zxPey@y}^@S-uz`oyc_u)T9aQ<^o4&c7Ew+HPoNYK0GF}0#1L#&EIcv<;}oVVLpcoP
zFoczw(%d}t_(WtEI?#E_%g|=HS}M~Nt6u@YB@jJzN%U{WAC4smH9T*Vvgk7o=Ifkk
zmR@9cpb&2S6UD1l{e8R!lw+0iJqy<F78~}OT4lik4s5OZ_%7;f=%}^o-vA?s^^$5-
zpjh39??{tGmQ<=q_=4-1{nqV4`u?Xq+DQrldlFaeJuvIkG!!B@J==ws9){pND-5j>
zkv&+(r$4Y_SKutOFF>|jY2l#TSNO5XAD({pw(8QNTXT!ubJBoS&bt;Fx%7%dmS)P!
z_6TGlpc#*V<~srw+w)LP_tN#2+_lsm69k_jMK8Qh8G?_9is-=g|0l{lK)F2932DnQ
zjY^+f^}jFNFE`_@l_vjrm;wxOxodMd&S)OcV-U<63Pl-Tw#JNU|8S$%HZ^}T`jOEY
zpa1*px}n5qr0|1itp8J$SJbe8gRgRFXRzm%IdiB})6vmjprIpTn87;Zz%%ktc54L?
zZkX&*k*_k^<2?nY9#|lm29iF!E$-1bfp026=e;e0#f^8wHq`b3?qkb3&i|?GZ8u3q
z3)*sVO{qaaJBXg({I3JbF6Q<SRKT)(ftKWtU>TLkIlwb7MtPuYu4H^~lwB*EOIhCT
zq(dHv2O1y^BvQVE6eJOqW@okmt)Twe_G`lafmd@#IG$Hn#B~f#`+E4Ivnm^Akh*&X
zGoD`Qi^6Bh;9uL)TvN{TMd!A)9g@$Ecv{<sw~%o+c4}YiUIs4kVC2fg!={#=k?#)9
zH%^dexzxTn$SYD(Iev|EUdI?V3GOrfeL@E^0{vA0HX2XrV19whVVwmE8;2gN>(!+&
zoFi-FUpoD_yZ2XAIWg{6LPXS$IAE<$p0>O1>$Ts@)fpSJa+LXJwi2F0J{JxqFsW0^
zz#zP{m<GRU{#h`(WZ_6%4=6U2G0PJ>td;s|rXl)Db%Og<T1yw-NFHKl_?mVRAA1cg
zp_8AE<jb=udDy3gs>DPOC+mz(IP8gp$6`NU>t_x<N#~nlIXO0k&yfiVfP8UyieM_-
zgDgA<`2AGCdszH_cCbao;7&yzZ-Hc-cnEAd83oYdGn)<k4hqH84+Bq&5p*$^&>VXM
z3q9BmpwmD2^p}({k>AFxSe!x%!kG>BEqyZD!AZ8ucj_A0tbw!en$@oIC>`2-o$u?i
zg^dRtE{2BglV&(d4O|L+9z4`J@Gi@+`UX;KvC@dkJ;q!9*|e7otS_aEMc9B4ZwuJ3
zZJdj$q4V?f1zs4I^Jv<UWRMY|Lz(*2CNJBIvR|9&4X!*%BE6BV{w*V*MXE-mze*il
z07maqi$2x^%<Ui<{sb+GUrw=4bOna<Hyhc31sEhMa`SvqxUnq7%?~VY(O)!y7?Q5Q
zAgvdP{(@N%*D`Lis4z8-fWXCYjK;q3mgY!*$P`Lj9uc?2+D!(k$z>?$xL%fyD?k$P
zHF@bp_zC9&kE3Np=AdVykgLX(Z0Z5n0)W!%_De1n!^PA5@=W9&YhmP+T2M0v@A+9G
zId{>KA2ISuM9SM5Tu*FN09i#=TYnas%aE)h@^ccsGc~=(k4Ucz>0#0iwdZlEiI`Z@
zPV|9iS_HY!h{D{0#JIp8v^BmeKwUJ(9`ZMdZE7FXc6p>WcfGWRyl=?iI?L=qs-V|q
zu0Tlr0|jokK0MYJy(|;PZ_MRE>*}{2Dx&|&0S_SQJPAhAEj!-ZwwtsEbXt(UqBq^O
zJQo*~Jqee8dqqTcbIXl~)&UIP1YRSMU(rwb#2c(p+(8|jja&ePT}p#=FZ#uZv|p1p
z345bMORC6$f(_*`X)=-`e?>j9z%JE9)FkOrs!$Xd9n4;Xn(A_nhy*;4kJR0zQjpgE
zJAFncR?Jvf1tUj%YQ|CE*mr1L_Qhx5JPBs%`OxNtfM?Q(&onO0XOVaK_J1q+!o>R{
z%Htfy2m%R*qAd~=goL|x1%ba>z{@Nk?-9i^&exe0S-@rjGc91Q1?+`(h;_4oZVSl!
zrm-vw`15|2)m;k*NtEFM2Xavbyd7rC4SK<TG`n6pxf~3#=9NP$eS`7g^0|j8U-}<C
zzS$f{JG<v#p#UBq_~D-FvpA4N4rG}>L5Q4jjhx9LJjeXJJ={aM$9z2j7lM7Jv}(#j
zrhKRav!+}i^64vDJEcTxQdG``&#A*?{how4B}Ao43e9OCDCH+OD4-jehoi6cvqD0G
z`0Q2C{ip1Q?(dHzTKBKx5V--B(M%~8qUe?Qr{|Zk8W9V6v!F-+xj+@?qEmC~#7j;h
zKfGBE0Z7<aXn~jaiMewisR5?gc^!6NpPL6VnouH*`Qs$tPyB_kUedf<RquUlUVlOC
zL<`VW0D*JhRHB1DV@t|^_RLDQ>eOwB$MtUQ?u<{QoQPu4BS_(S2{UX91WI@iUuxMC
zmIi>4?pP*1<GD$8FX6Bf%dsRc_@nfaTV<?iDM`aXP@5|r`zViG_iZc!s<<k|$oBm+
z?(pBiV(C0MTG<iDe{1;$X)&%)(+>9p4*~Kggm7drc&G!;3)fu{0>fDiJ#emx<yx7i
zOXmJi>>La5-4D7S^k)$ZEZ}DrkoWCk7g)e`8YpL#Q0z2$zs?*2frr1GOMoQ%pt{7;
ze}jeMqb}_VoIeF2>_#-yfs0`3+8=VYOre)OfR3mIs)Bu|PY_jemCrsz@zq`l<by{q
zu!q(b{26Wou#7|boCz{XOFWA}T%GTbgWd-@EuWI=eJ#~Krn(53XsOQ3N2-I64msXx
z{u@Zu^*VeX!_sf$WhL|XiEnl-bBOb8OAI&haflaVWf^Q;O4JD(;6^~)XR}`>eALNf
zQ0Cd7K($kaqMKjf!>YeEhUkku#_!bMWVj2!q@Lcfr6dEh!rkhCh7}t#^3}c5=~fe6
z0Vp`vWQ>MCCa5AP<CEP>Ms=(k?ZZ#!uA|cHMwe@`Kq;Zu85ZW#N=~-lu8{3!yPM(l
z-?=pOsZq3DYCsrd{RJnm!s8Hy<3NaS4Z0A%tYlQFHQvBooUD2>aYb|iV^w2_!XS&1
zuN*-At<!0!(nGM)Y3$4ZHo$ejW=(g4F{sKd+<SJeTg$c<#ue;`W3|m^U%6KAO%r6f
zCrs%_MPYyV*vi##4(QXDtih$_Imm@us3EyWZ5=k(@<JHjo07L|pa!}h^BvSc;`mPc
z)ti-IhbZKDo#rd&H!hEV)|4_|1468~YuQZpq@s`fXJ{B@Xj!cVJDO<0Wz($Biwl~*
zPqOD_zU0bUR*h)?*ZM1G*{%HAq`xwkRpBeJj&3SE^yjVh{ha_p9^0Sa56<#+fd3m~
zm<J0rg}$N#Q%_F4uW1ac^ra6Q7vE-$TQuDJO0OH7`7JeKbHgOCRJss4@mqLqQT8S%
zP?&GY!Ag5kFgS}wYZod*<5Da>$y@PU=GCi@u9=LOClg5>U&VGeR>*qfcF017@w^5-
zpM{tT%<IzSC3;^!%=PxD`_Zh_5m~h6aG-UkdoB-z$Jhj%><qyzJ7gdv(se$NK4b;y
zQTLEOe&2v~$kiXW91kmxe2S|mWvIL*57t@-7Ol$Dtw(Y}fL?W3B%d)*sX|a91^8#Q
zRvmpX$o-|km1hM}5|>{w*8d82WH*6zwyk|CN*{mR>i2T4!A`E0piHC@SQ(stg3CWe
zmv0+rVKvc%$!C@dfqBNnd|b6FtT=0ehwKQly2!+;KIe9WaUPu81ZNtP^W}Xw)?Nk_
z?zOcc0U~fXFKul_(N}lE9^IoF(CMT$z1XDIFp}U0V6n-$))@{Ri_;>bK}qCJpU>C_
z8s^LBy!CY7)hhLo!<F^1MM)g!gH-0{P*(~2Am)PUXLG0xrEmAX0?ubl0^g~h1Z$M~
znY^+NX4I2I5lpprs}e;8yH&lphg!jZymuunG(t?oSRS|GZxeuZ*k^#2`HbO%SY!cu
zrgtTkKpZp8tt#6m@!ufqT?s|iCg*jK0yj`+WXI-#8|oFi6eU^y^MQy9D{3$FG<F(|
z?(goxz;g=9rUxEb_6?zKqBu;fmO)BKU`clHGepb-2L#dk%0YE2SuhkBmYm=$F?*MP
zm`^)V(3gpZp|h*^z;r%G9q1BV!ETV|@5+a$bw9SYlE(8EO`7{*JXo#Afr1T!<Jg0v
zJ@6GJ{WrRDe-1kn{$sR&7HGa3%3fb0;#x+B0E!K1aBdMv`=_L*k&;M1J2m}kE;}5S
zeiZXZ1(k3mZ4=7xluhj0+272UM*dZr--q{X?n1qBu7+T==i%{JT72=jORvD;O^xXj
z26&(=P)762Z)AxJ<08Gw!_WC~cK^r51RjbB6_0fVe)xXP_iMaYpasO#^AA+FBUyA>
znp6=ANZpQir9~9i`j3})5wQ2ws{RUZl9<}bkW`QL!F{RYtwZl3)yJa8@d5O}<dZc;
z|0!kY#JvhO)K|M>-Hw5iqDnX^N-Nqp6%NcW(t+xJ-Ol#Foe8r3YN<;FoVPnX#A-%l
z6Bf41a3%kH_!!W4OO_yG6x@FSHW=`FDaH-=(u&czeqiPE{#5#@hcZ|r_`-TMTPF&9
zh1@^4`IW5y#Yx3XRgU_XMyqsIP)by~WjZb7$bWV0DM)YQbNGYz%-cq!eaZ9nvR{GY
z9cSlOL~g+Gxu?L03V4sl5{Vo=$KnZ>k|KC~qE$`ZNe*vSTS-+G|MIkET0?&CP2qRa
z{brWWT}!zkpWL-v5kmWm9NX<a3g*b!Jp+5wn(zdPG&FVO95$(}+xf4GvE+@cL!#V1
zDfg`?_ctigZ<f2!)aC9=B%D%p)@RmW_W{Gu{V4s;)b$5#AF?~1PqiV3(7*^)N*17r
zzy>^!xlh^h%=yV7Y$~Bk%esVGq4Q)9UW8z2^oEXER=swpe+wgV5+2bwP;?#`g0s4E
z#-!D|Y%%ND+KhbLWC+3VKLZ&dTWoEJe8UEo;wI!x<N?YWtAU)hWvl68_=>y7d|edw
zoHGzCi{6@H7iEt+-7X5E;qy_ip;~1+Vo|=sksAuZ&-_J^z)(vF5~YFv?j^%c3eKWQ
zH<Zg+{Dt*^P1sI;jCYN74EuYUH)dPwjWCWx9?Zo@5n|1EXL;DYj#2kza73Q&8E^8y
z5A~BZVRiajlK)}x4Cp_eSK)BEAaoqIs$|9bS@6?Yu~sXPGuErWw&w$}LX^lhs9J~R
zbj4@uuw0h2kzw^SnxM5LpJB8bruf;dB?B29%fTOw^C6oFhxoCS?C%M|#Y_<w8~59{
zRkZ>89m_w;7>45nzYH3dGdb6oJaEwD{K-RcGzjL)Sk5b_=efos@%~NVN)Y5-(SfeW
z)Er+lgC}pni&@!NknQB_*P_lxlWGbq)13|AQ(oG>$mDz=bX2{h?Mw3FPe|t64G5A#
z`}NyQg|!%r$mo6U@V}s|%W;BLef>4-(}eoEYp(||(ZaNY4oGdA+_fLENYQb}#D0?A
zxm9gJD?!a|j_tDmZ)?Eo)JfR&K%_hDwQ}Lj(p4D3p<(#Q*PS{~ckMq(6@a6WwhW8F
z;MdmS76Zyr`SN}(BXGhYdqm`7wF~A%8J;}KEsqRk-z>vRo$$AGBy@EuGN76n3iEV-
zSp<n>{=*ubY1JrvF3KqKNN7Dvgg)>1OOO+FT7R)%1Cb#L)RCphV`;8MX;=_D66aNz
zC03CgG-j`s9uT~2Z>ThPV4ArQEf8x0$3*X=*WZMivmI~=@0%}kU8)si8gCo`8|2WJ
zmK~@)G?-VTywnIzf1n-``i%#r3DVVYSX8Yg(g`6bqQK03v<ao2-Z9~Q+*A0`T8Pwl
zI_Yy&+vklrXblW%>KNo)iYGyKm-B@wlx!qR_BLva@KA(xPxuCCUaXA|#0}t^ywTgz
z<oPF$3rA;;#W-2-&|8B^Ip1d~$Kk}hQm%bo-~tuA(cIC?$EA$BvoqBn$xtH1zO>nc
zh4*aUb0|UMlog>7rat8bMlN@Z@kC~mKVRw<*;E?YjdJ6a#kHsb=x)ObYpbu{N9F0*
zDNs0L(B>_=DmQoPMy<uL%M;seX9D_Pfal_YQ53GjU+)#LJmK<hEE@k8)Nz1qHyS0V
z#aCWj=7*E~jyMONr`B(W`~Z%+<YlVW_$n=$FmUPz?5VV07Xf0F<f6<KXbjD7n?^Ka
zmoD~K=<IlUm`>V3a)u^}50bo{U;0p}nt%#{eD2g$ATP_zW+kGR<2BRgVsF3o)?40X
zXO#a1htr=l&Ta5E{QjHQF7vMVcJJQ3@y^ss=rr(zl;+<bIk5lp_jcm>+M-tfPJDdb
zyt6|z<1hI7G;+YZe_P~0zxD5_G(2|)@J5!g-+DwgGV=50o$0`hW?TZui-c?!w2{$_
zdjNTikT05dW<=IEZ_7wqjR||5ehwoczj6j5$tJbz9Sq3Euz}$wXixY<UJI6$!qWB`
z*J5P+F{O?Bt;fNQ^uoAX%Qv={3VCkhSZiJ61+WR*?MgfDPU+oHksdjJrn>?+8;omj
zz(!MeD{9#~>;{Y+E~5;k@K2FTh@<o3T`6{WiFV+W38j&E48xVH%y=c2yHJ#5<L(o)
z)L(DLhcP<O8!hdW<HfFs#D?xZ5lX+Q+*p~r0N8RJh{V(_7P>FJ^u%nE=0*xprvBY1
z%M}q%dM_-p399ulIdAdx`_Pw;QScm87paOiP5saqJ<ywm=YhOw59V?hcEn!#i!n1x
zO0VKI7<5Y0v%T1_xk0vtQuIrxt-~^$?{H1+q}M}2Z9S(PCAR@Izat0mu+HJ_haGJ+
zAx<xOT8DAD0O$Ro^f2iMJ@=do0g;3lUqfrVf~I>emTz5#_)NpTv|y##Scs3TcF#SU
z7zUXcDVgR=+h~;BAY817KED7!^e|uAI`|Y`sE$XS(D&0<5N=&{6sKwG5Kjc)MK}#?
z-qw*iA`)_ewEFzWahpIxtwmhpRS02-luXrPVxuoQs`fJ<UW)TI@95}D1IZPO1bKS4
z&MCAuPt8V(inMKbb{={;3leIqA`<Me_-02RP(pP}X*)?)H>Cwk`Yfwo)g4Ln_dDQd
zy}Z{RS#2$OdR*!k%(FFH%@={-9pl;8f}Qja8))~icj>KUF<{-{A5n4b5iT8*B!u8L
z_I2|8y@Dpk#h<^c{dkG?e%O_kOTt59dP`?4{NS|84!QpV_XIt44REOK8ru#LGs7+S
z57Mc>vEqYa1$<DC0@zw22AJ2lH8)obG>%-6J&}nyYT{O!V`6}nA$p)#VTi^<&lB@Y
zF=`J7f@O+LLO12Bzon=tx>gy^5#>%9QyPKu^L;R>k~M5O&R{~9>`?~z1qJc0F&Q%>
z98%xIl#czSZ7-Z)&sP5dH$x@4n(EZ&q%dWC4G*XLq1FdtB?wx6UpWTDyo7!$gSvv4
zafmDDI1xRYXXE;-46Kp(B4t=|8i-}M@^p-OGLEEA%rh#nv^Om?GCE7m1eOql;Ya#N
zkvZJByMH#8m_&H*PRouCO^cKa)I;L~NsQP1Gu0p78K{G$C!;gdS~|J@bD{Q!*8vg2
zw^V<4aoP<j`atAI>=uzAX)M+H*{^L9k_dDW^(r7}Bo7C3Of0cTxNJWA*a+M$;F6m@
z+^Ua<?@^DyK4M$&<uVL?9-|WGM4+?b;aC~qB;;wd5}#Ira}RkZ!|5-LE}BUnO2ScD
zv19RNTUAGI!EigODt1;9>=4Rj%%eJtd6K|i18h;Y$9Jn=Cl2lD@!C5^rfTxciC6y}
zt;ZHj3gIRQRst7-)dv%CW?`3qLWo;RPoU}{>?hTJC4qE(1gc`fS9oUx5Eo7zrlb4d
zvPU63jH*YFxFUT*p&gB_=1g@DfZos{+^boLBoI;xDo%U+y%fTb9`b-tX++Zl=Y8N~
zp)WcuLk&kdqoh(YiVh4TEk-Aa%T(v;xU%TLIq?^@ZVkVVDF7t;NK`|?MB<awx3_3Y
z#$xJZp^pr6)W?9ArVEhwtDk4dw4%lt<h!p=d|;Inp3LSWF?@kdKm<g*Q0U+oO7yN=
zbw4N>qbgx`^|$S%Xz`1{$C+378Yb&vC~6xRp(X&gXkz8mEjW@|unTh2SL8W?uQ%%*
z`~iYLZR!?hTr?)%z$;HTqAMJ!@+IRewslkcWymfmL<+mwS!z3grRkGzFzM*zhy<{^
zB7E<qmH-#!l*FlRlC2)qacmRwIFM@B|3>R-b0fr&I4rX3;dWSltE+s>&=TxN!1)9k
ze}t5D1;;QMh}6L<Fb@NuPyw5bl6=f)fSajKCGLc^<*;WI@C5^J2718Va;&64eL+Zh
zBMA>}w02XM0Nwg#5)NgO1d+Ye8Io^FzAkJx#0`($op+L2g^@XQC_V59j8>3&O}}-h
zn*a%~h;fWH9|4v#e=Uz-5c9@pgxHH8vSIBFVvR|k|C!Jtl`HrJdOJ8Gn%hb%iv?2M
zt8{f`!s|c3x<0ZQ`&AU2=ItGucXacm%O!noMXUo*$iTW%7yN<Kh0mt0XD$J}Z?G%R
z8`_-~_;X@>mdRngUY{TH5w;#S)1EAid>5OPq*?C$7}JXJkWs5XqphVISv|^BpWzUH
zWasSfj(vN4XUOa+1+QCp&2Mz{M%KHR_PP|l+0#l3Ru`?C8fWHMUdE!3Ge4oi;knQc
z)f331V8i~&)5c>d*3pk(9malEn6p0Iv*3ak^u(xA<6rfFB6&snzk&#H{5}OHikx}D
zWJ(gLZh#npECNr`ke{mo2}xRG9utZkiKjU#qPKR)QIB1N?##=6c-v6*0AKI~kG|TC
z{SkaJTna^ieJ&JNR?1N3(&*U_fs`dslT;ZF@-a`xWkW4;)zUV}Sj^0IVQvH17n*_H
zrrOm2`t+l$+Cn=TB_RzhV?5dx2`vPYs$(KtEM}zMyioy?H=d*}sz`s5SQu^G;fICh
z49nGNjxK&S)?B%5N2Zc#cj0OSil%1cmt)iw*j>%`rAc03OR4cB%d4&J8CRnrqNN!*
z5#gYtdz|)46d30|wt@@sm7>SAobCPqa<+hS78{);WPPPzGf=4uUibjB^tmWW?4~4y
zPCzgRKtRM_x0aVXF}71)DpTc!=lxP827U-2FtSEZEmLaDswssOr{6w~V|M%oFf%$M
z!;zTH8lbrzL!ND_RfDwB(V$lV@?uRT3u$}lw)`hRMoEp&7&T6q<%NYPLY1wCLM?#B
zk=0;I19-p{2Uw7B?M22fM0MqZazzJ4j$Boy%9T&;;wTfHp<5jXsLny2TC9AfkzaK=
zPLQG@Z)0MOZnf6&oFjG2hO43W{XcOZS6^bn+sxL=urYLCMf$99TmkC?Q8A|HhT8&o
zJ1FH$SiNL`;jdO|<<G4tkIvGp;}QP*CXgktf&v$rF$fXHQ+s6)mg#abw>+}HydO@p
z{z@aYl%D8!a5x-@?uC>^YRU*Qs|K^@$nGNLjr3YFWkoU(+!yW!8d44r!hn!{iE(#f
zmfG+K<c-K^MTcx|tJWfa-i`JbCcjr3*{$=mNqUWLOSoc*GGNhC3}<M-wxWr-SO<|+
z<o&kLd#^SB@t(b|ZY*UdLFKiOs0YzdFsi}5+SN!8yS_l%^^x7W+8DKH)u&I+OH|qo
zD-nr`lzUDTiBM<M|7}z$&l}n8#TK*Vfs|5PR5L$|)mJ;NbgG&Ye>TP5#rf>19w<r4
z6#hCs<pL)6jN!fG_3;H8%wNPrcJ#4#w2UEql&k|P<n$Vx`&dT);h)cFT!bHW2XckN
z%7bu78mOmyglRsH(NP?>VI*0x&u?R@L5vc^DHF(Y^a(bme<-v{?ynkiK8Hb{v2qQw
z@uja^)5L@wm~g^IZ|ETWTJ`#iFH-wH;r^4+R9waal|TdT*(d<{FTR6%2E8%U`$`&o
zFu^j2Y!u4Tj5QVM3t62oW>yP1aQd$yUH{P*t@wMkyx?vF?LV*!Mrom1#T%Qn=g~Z9
zmrNM0q@$zr)hV1FAi5JL1Q_h>BiU<2qss(bT{I4I0tTR971|GOJdzj>t@R^4yjB?h
zsv~t{E*rjOXil2U4Jsnlm`M%I5@SPkg$&xqy0IFdfoDKZ>#g9Yphl_Z)~x4JHynut
zijxZS;#iQ!>yy@&<yv(w2AxO~%2yGYn9V9UZ&B;{Ja(^-eixh4xhRk%YFva2yes!n
zPd1_`ICzbJjy&lJ#qaYVh8RX?!LN;qKpDb(%1o3`ohgM2bQsSQHZQ+(7=3jkD9e@H
z_WQr~{(#;GlVzK1bs+|QOyiGfr>sOCB3nywhy=2&u7jS$;Kp!S(Km2%g?2XPRp1ko
zx7UIzeCz-LD4Vj56&N5YqJi{^=xrV39#6c|o@Yg8;0)I0*hX+c&8iVmP#1zS#h?x9
zue3;VaEC7<`H+x@O1%#Jva)c8ufPX(7aE1g8yLz__-6=+lj?E-a7A!)i~zRgvB)X@
zAoib#b&y!|G*%yC5x{|E5BOkC1o1?B5I=Ju@FyhU6Tpkljl>^x82<6ZAE1kM9trd%
z;51EO0G4*SKe#z2(7Q<jry^~8kr7PKlj&8A`;<KgygB`PO2OdQ-qL4?>I)NRi0a<O
zl8JB%`p};5%cdgsGHvfT<^~WDe-irQA(ua)=VVXuLf9SugZ2l3<o18|x7t69xeCs#
zi4Uuas5r-}h`uPteX!`5NnbM3iCEY3$eO8O4eNLw>xkd|*ColpB`I=nC2Hu%0na^>
zze0rf8EiQyCe@b(;6EAtwF|QnU^iqHpO@OcBZwW+*nNNvFRPnl0^9<|n4BFu_8POR
zBL1iZ{!zpi;J=B_jpY>lyNG|fE}qE4g9P-{1ZE<`?j#_<+eqMB5r<mzCa@zqqZ?y|
z#_t&`hcUsVo>d|ci{Ch0Af~>ZED$n|vTK92N%F87>0w`>J}*iA(f7c<z688Rz?}l{
zpN$f@SposRjY6B3QzWA^dJrmUml8Ti1a(W}7AC$xCq52nSPt486JR~jdRb_@iPj^5
zb~Mohcr(#<VVGr6(k}qo4#)-8>`1LA(FAx2(ON9Do<wU(pdCXr0rn=^;}+VfMEh$3
ztryV*_ybB}PP5R?BifxB4emH*WMh>Khys2LVDtAD;sW?RRpkl99E~VorZ>;D5HBXh
zoCIQ?Miem9n}=khbW3A75h?$uFSE|qhyrGM^8*X<3L?IfKrGaV0%m&ic?<D+B0il!
z^k_r@Grf6_g?Jt-b9VyKrx69r^yZZo;zUv$l|Zc2hyrGMGv7j-PQ?BR#Bmx?z)Wv;
zwh*I4OiLhEX+!}ty}1RNjpFb)5jR0{E%wxCL;*9s`KpEZ3K3sQAWqVV0%m&iUJLPc
zBF;%5PSc12W_ojig}8-?S8K%H@Ea3!Vd5)tAu%Dum={{O-w?L|5EPTRv`RFt#Ed2G
zQ5Nn`#O;{CrRkz^CFU&RZsj&Cs^9T<!2S4Ihwgj_S7O=_W707ZaeEW@#RTpG2UlX=
zC+=Je_gv!6PT($da3$tn#2s(pdWkzaflH%Pmset@6Zbp|*GJrb8W);%RTFU8lLUSp
z+A9*KIcT>1q{}>p_&>p<0^f+g-oh7nf#9zr{<{`_4e?)3;BT|=1x|U0$fJ1X;}-s1
z#Q$pof3Jlv@b{{SuK+S{x9}sxzggqMWq>ts3-n3BK0s`*h5ab82U*yfB?Qs3cp6<d
z5~c-j9%ErYPweg*8?Jvg#|WTRQ7)9TiMvA<%C|H&5%+W0sJu?AnYB4aAkBmm1fSCi
zlLrsltsh$V`BLn?VM6J@*?V_jLYO?>zl<D?Xzzt<5QFi)Qhr|Lp>~Y-KKy9g?{XRM
z#igs}%7?7ZNECvD{YA)zza5yJZTyuXal-hcz2^-2!>mDHh`bHk7^BudDezlJb)^8P
zI#+QXqVtoO?TCrrM?^)$c^a{g#vq98v<gsp(8QU~0RQnpz@LzUPY~NGO8noUM9KIE
zNPmFf2QHLudm#X)X##^qjC8IY3IDS+Ulj^#;*6ec2WkXTViTXqY+&V~V{cU_U_t~-
zuwnJ#1OLpmsRO?Ui)HP{{Wp+2VgK0k0WA91bJuLu7waGY-5$Igg!I&)v<U8R?_rbK
z(}A`2bYLYN0M{dGL=>mL<@c4`p!~j&I}N{DM8??sD+k&nfOY+|$e?~G4eNb0>y6)!
zF$XJ>DTzDW9jFO8p*`rx$q-9UgvQelE?Z8HBhd#1;I~G0g4p~qK>7S9_(ly%6J?@C
zJYE-wAh!EMfSNa1Ih;m<B^u9?CxX~;w-JvevFk^==Mw)IjekOtI0$?YQ}DJXt9tGj
zRM{B(ZqwmSJrD0@rx^XUP({E#ti3mb#^LRqq7N>_Qo(<3@9RJ)Ss%<M@9hRpp8th6
zAqM(jo&1RBPw0b%_)5_S^8wIY9YBU$!u1N&xj*ZS-|t2z>4Rf|n`q}F>H{IN3Nm81
zb1|vDAOPqCC|Cm6$_gxwgcpFM)(0g-3~9tZL?l4wcY?SGh%yPV<zhJTM<wACz}CKB
z@SBLwNq~(%lK7`<{KP0C(5ofIdZyrZKkI$b6{x>4_><V-ZT@(3a-08#UB46Q|4Vxh
zLl64z?R^IbCAar)>;Ie%dcG$=uV%~7i&^+dY42^QrEc%BWXMP^rP%ewZwF>qWKI76
z2l`)#ybWQo+xu^%x>5k5|CN)U#B4{5Ztp50&eMprGWI%%60;mJDeZlT7TSaa{s9MH
zVj{#(Ztt5(e}Ld?{Xdm}(*yv&itMHEa1ZuqZb)n?i6rTNV7MF%A;|RRo7Na`>_`!k
zB`XgXl0P*j3(4X7;0+{A$OrY&Y!)ws?gma`p=?Xzy#(AT0ROqVkOZ+y{0&gE45iRu
zCS{ij6MU`|ZcF3COg=y-Pu6b&A5Y8-3-f7Wb`eZm$&?PTIYuCRlNSOK3Fm<eCOxuZ
zN?nRQgd^EAQz1J4U7r7Wd8$1B_WA{H<3fM&7An>+xZnl-C0Au-{ld0q0M}et%xc_&
zLQtM>K{ot7pV`^+JQyPLU-Xv{IW#IE&ud8a8v$s0#>r1&dLln9&u<ZNjYgzAb0JO_
zOkzyLq{#C}#GjYI=M`FwFEPuBpDfSYi9bQ`1G0Yc4FMxHftflbL6ncXnfOOEueIK%
zV@ZKxat&j#HzkVh^52ULf4BT_8D6q7S%yWA9yYFZsDvEL`o%sLXAQ*Kmfx;e98>=h
zfd3&~0)i-1p8{%*W(jD`>o_O9$(z~#1N*tN&g;LdmlmLYmi}xBPXmu}lnBeF+;nn=
z%~iIY^olPUZUPR6P5F6snf$!C2tQhljubv%;t7Z@_zRV&XIB)4^7h?j`nLhUj@*q%
zk-H<>M?xeFVYT(>sd%eL`32z5fjHGU`AN*9h>72qY|orPc9-Y`l)ri>fyCU581oNF
z<KeNyKPG`c-@%udBI5T?!p|oD7ieyjQ0(d61Z)t1qfZw)L?reH#HPF-8eO%(!4QH>
zZ^DQYSzKEovRJ+Ja9Ql%kSvRb>(f7tXs=J-c&!BbPnTEpX)eoqngDElN)Y=?1xqm)
zrO++Pr0ggc5PYT-ZcF2K()$9^gjsR2J{9;;#5`y%GaV%6a>3O4R8u9G!oL+U=6dQ<
zXTQNZ7H-U;mcveFv<Cdx(s&L_Jjo(d#}Nw>Ru3l0U6!rt)g6wd9k|IbWR?E)z}3b)
z4)Wm*?%LOoW{?=^cb<#upiX|a5)2gR*vb7!`FCVLet*4G|DFjMrWdO_AO%(r@vr6D
zC2lNjX&lJHy)P(OB|x(MNM;r6Bon?zxMFMXHvoSq@t+j@zz`A`N5Ee+fuSU@Btanl
z9SEEX0(!h*Yz<<~^Mt09vMz!B_r1X8(FT&eo@58<d{C_|jWq=H*ZJg=(q)O16R-nh
zF1N(*cM14-?3kH!wMGJWl7I;TljSZD=$=6Q4s(6+PtiCXSin|If{1+l$Eq)fJ1i-}
zLX+IUS6j=$USn|Z6)ok<kWTiba2&pLDG%^%RWBf&o>rg;ZDt+*rtDAIXWrzrFWwt@
zYcY>_OwUnkbRbVP=s>=DSqBQ$LLKm^$92G`9@c?M71e=ps#XW8)N~!FQFrRVBz3b6
zOjA`7SP_J1sVj7tqN#j3T+eW^4$o&eUxybkoU6kN8P3+>MGSXC*pNL*>~#0x`L$3J
z;E|o&&^C(Kt2oYq7CpZVu&G~Q_m+{^zTXI_A#M(lEQjkGMreIXy2X-iot=)6NcVS1
zw+SDKbldQi$Zxu&BZlP1NTj<_(kXl-((T1pB3+53BZj17B+{KD=?<i%bD@hS(j6t~
zh#~11iF7}{jLQthW109W!=1)66Z;uPC@UrXo4_o3o`{m3kx2ilq@R~9={KaN&q+yd
zNO~eldPX9BK++p|lK%D7^!X|2FO~E}l=O^5`U?O>YZc;4_0wSw!zb&okKv<rxRT+H
zIy{cypBAz1p(=#S!0prYJj)2x0FdC@`@q5~1YnXcBa!baK#}hxe5sdpcpAe`>u`|a
zzv^%u!%-csXLz;_&u2J*u(4tRg19GV$=5=BCGsByjH2g>A^9^B`448g#fzA3pPg=5
zO1j>Xju?`Tkx18(>5L|(d)-dAE+yR;FEKx2NIFI$-P?c~^VT!n20PuRlyuKaI$}sV
zMk3uqfPzok@TDR;tQel5!+RONLx&GAe4`G#Fi5E@bvTpZ5jvd3uvdq(8NNV=a~ST2
zuo22b5UrVOj|)a9ACLq;(}7j=Jh7ylj8uF6t)+<JFLc<$@JBlAWB5%Su4K4ThsQCz
zScf^Rs(<Nl4a1M=@Fa%s*Wn<;Aswz``2W%NHt<mw*ZzMt39xANyIQJIX^l0lNwsZa
zsFDhrg#^BfiGqk?)k=#Zz1m-??gC!51~)7Dc3n$bZEde@xqZ6UwpZIKAZi{!l7QMG
z_<;BX`1D<)fKL!X$^ZSC`R-<8ZSU{?U#}l8&CYio&YU@O=FFLyGiMgr@G^z3uwm&)
z{v|fNT;Z8Ee5b-wZTKFAPqX1w3V+FlyA(d&hWiMk!*J&ydl)g+-vnpD9SxA#+%V<R
z4G(&t=fBvTnOhoN@}^S!wo~Z0P1w<d%oO;_=}a%_ra9cZpY3MMlkgaXalMqhMb^_u
zGgr&MJI>tvKU`W<-nPSxr_ODf+71PU=$?l|7%{B|GPg;)m~{pd*VsD>Hvmj`6cQJB
zkLPbEB*yJoQ=B-G2Q%Y$_KY%DRr8?dEnB7XSe6#g^QIn9o;GWz**hvoD5Z3KP5;vY
zAK3Wh>!p+_?Z16lyIz62cEr5ZgGJdz6uCbKFZntk&pwd7l86F(jp%vYwTRAY^43X{
zde@kWu(yVfCGQc=)+;{l37_#_#-b%X(pfo^OSao_-uGB^RfMLR*C$H36{wdMCv3zO
zh5t|unqilDE(~XMWyTp@LLOQwawoZK{rW!{qbj@qXAM3(E;YT0t!L)fcL3R6H%>GE
ztU2`6GE>th_?qu}dKF;S0)DA+)?$9Sd3IZ?$uYBnV7m=sj&hqVH?zh~oA=0N(LZ@S
zPf08%OZ(*OoE1&8+b3Vo&jsz1zw4&&yOVhTkcljI?z@K|HQ&w;_AI}jAY2mTjdL@<
zpD$<SeZR6<erL0sr^pqldu`-%CbB(gz@(choRtmb?a4nA%d<lK_0PB2@3YyB*MtVb
zuuiBwxt)-cy2F0+F6Uots5BAhRa{+q;lfNQ-fRkQy%1F#FTD2hYACL2FRc$9Ee1~<
z1&`cd`dZzP9aWdNUv@KB-@u??-E{qw3om92@U#Ruo<!+3d>`D;*lGAJ`|n~VJHKQe
z_$;7%l4b-otT@Bo)0jyHlMcCI>f}zC@caYW2?gbTl5g*xHKD{*4UVtsN!f3yd9L^L
zPzzme-%umhlnym=4NxZ?NSa0#;{wN=*Zjobvowc~hRvPxma(9~EtA1x+5xJG|J35&
zi(J9fTkTp?+TWJf7l!W7qcP4)c2<PKSdUF}Gj~^n%8P2Bt?l9-SO3_d{LaeTln0}1
zu8I}cZ(aCVXXPw7WJ7)TRXd!O`#OqBkucb=`Jt0pi2j}8!Tvyj>DADBLpCnH2C~;>
zY{9TncDr}*;QPHdJ}Ob@{k1C8fdA6Fko39`jY(cZQM?q1BGan#em~6dNVp!Eb<iIJ
z$0NFPUBq}ZW;8724pS}by0?u&bT(!x??haVL8$rn*Ml(LDsfqPZK?R5Z-SV1kq-C%
z)P9%c@_Y81SMIQWz0Q8%y24yO@vpSs<=##pU1C4RlBm(|pKZS@c&CoksQuzywvM8r
z5_2Cg`vu~L>GSiF9i~fS-fruNiVZgFlDO8G;nSwUpbw!mZO!~b9VfG){xfKQY%XTj
z0ZC7~u{p$Dw+)S6Uvm2>m&>A?w;4;r9XD`IvpC%N$x_@&x2nFz`fUp@c2*wjtn6;A
zAGqp%XXX1r$M%F8ao$+g?3Gsf$JRhOZjaCHaaPt9R8zZY$*V;lFaxQ&UH<Ix5+MgS
z;sLa*IbB+rT@2Eia&j^<dWm?t6%q{@X!<)Ck{H^a#f=s9ISVMZF3emfN5O=DWBB6*
z|0pfSG7njHdBNYH&oocAFpDD8#6C=>^2e3qLo)|qwXg4)a^SPyzl`ZKgD}NN_5Bfx
zzG4iI-OS|c+|4`otf@>?@F=RAF_x3b?T050bC;}bFtzt3cZ}xU%(eOZ{bEcyFu$Ir
zATLQv7S?t(r=t-bTi$SHazbAbzTp{hF>l{IZw9BK-@U=j{8&OTDvgiT@>9M!wx$s#
zBIox?g<S7_R*7HzoqXxQ@wp}9aleQ0wJKE0bM$n1g>AK%WRS_)J#M3Q&{fo0TI7!A
zTEa3eNml3%aDKn2dso;S_$>L041HEHn(>n|DhJODrgVoCK)Hy3?->MB|Lee@DdHJ#
zhz!h!ehYF)-N2@Du?FUMxMy!kUvOU{<_(xvip>+nuD2VffNkXf@BA~?F83b}guw6K
zI|MtQ{tC|cMh!*kz0S@T6ghe*GOL`gDRRV6<hzRe%h|(o4l434MHb}Ts>l%M$AvIo
zQREwf=@1G~dQOr1KN9(bA`epWLx*xcs>pIhjvR`7SdpJr<R|ixsRsylJj)*(wM4y|
zwdPT46ONevs9kS9^8LGNJR~3|`E7qOB!_>0Bwh1BVSbW_eU}V<M;|zb59(|3%GX9$
z|3~g4vNn4E&AE^8+D<jpU^Ra2IWT7TukH55Jq5g(`dz@A7gz@>`SGE>DD6%~&&y20
zcK$$g7S~pK!m`({g*3AsQg6d_@AQu|^Xy0ZFfkR0HS$h8Cq6<xu0GSWk-84MmX{Iw
zvF%Bli+o<zbXkH|7uI6LOj6>NobZ8cjda9tHb@+4;G&L{K%it_v4z|JyN_^2;soXM
z)+Be7%uDX$BH@PyjS`zZ8)qEZ`S&9%kvP@B=XS69I@wnm6qrnbp?3O*Vt-|Jw({fi
zBV068|48Z|>9oCNz>N&Ry{qjZ3vav_EkdfHMEvwlmk7c*X?*8*iOUT-JZq2C2AxPy
z{@$VTqL2SwZB_k}NRvHmpW{vTg@f!VQVfCoS<1LjpBf7O6n$Q<&$ER_p5Nmqc78(<
zN9OQKTwowKIH^8^NJ9Ym#9W;fPHLG+sR&XI6I2Z?e>>AcRu^X(3Y}`M<h%cfV)g8J
z=QXOSJYN%z4B(vB#LTkR0F;as4O#pjtI$e){y>F3nJ+X;g;)?JCbT{p@LKl!%BOZ2
z|0CJfTwVTjLHUk8)kr_e=d$eAb5Q+S^F4!a2F=aO?V#CGFleU#Iv6zB>149~IFEgU
z!<?0)yzb-Pnpgi;JUqH*o_8uOMw86Gi0P6!9x0fAm@kZs{xy4+ni#BT&-2r~<bh(z
z^!V2Zh2jnKmK?a5%Uc=I_*HoN06eXAfty}Ez(|nHuUdT&5s3YJ0Qph>x8#dxX5?<o
zmLBU1*YF?lTKKE{*SJP22>t@fb7b%!&CmR@k~5RlMF>+fo%!efinhc3gE>F?>DA!?
zZfpPV3fh-mU1Z~()TLza{~oi?89-Y-jw-B0e-%*ucc?4?SU5iiYr%J<FuCcQw8?><
ziPQgNM-6aUnY_*4Hl)<A_;u5NtuVE5FZGA|=EmAV{&>iq95~>#9i-C92Q)cC!zDom
z?1NwMA4dP!+gMpvRJ5DNvU`+aWxVnr0T_)*gCB=)lLH?(Z6;|&BeAQ=#6L4r>*5c3
zahOTlS$Qtyx_49%){S*ZJE>AujtP0J)q1ir$VdO{rOv^3oT7d_t4Yq$0<}vI8(f+G
zQI&$G4RP`6sisV;YK4mL{~Rj1ge?{4h>Cw&4i(7-opbOGd0hEEm(O>P@}+Y5vX>Z`
znjbiuJt)h?Zn0=y{?C(ZiCZ;ywW(U%P|WN0OOxC1VPWtkJye*^_o0Q~$=6`g!4exq
z`{pefgntddR>5;t4rWSkz}?A+(u3tckNZO$QSCQt4gZ(F2v!x7!}%peiCXh%O4?T6
zqmjE3kr!w#b{FAc(&3yZHFA934TD^_brI)gu5ETb*6xA7b1mO*+o%Myg1>Ex4Qdg;
z%?2w7`ZlOV{B9f6B7T5iei5(Dm-fl{4%8x^=ZLk4pQJ^)f94mo%npn5GS{BVvf}lV
z6j5d)zG^gC|0xp}v2kCsachWU4KIh{`L%!h<az1)N{R7*qtuo6728xPrdrR~NG%X3
z@(UX|jYv21qu=nwHj!DIbQGbE`Aa@6FSFJ?K)%0o>rK}X?;W$P6>Mc`2>K5mubT4v
zSf2to`&iRivb%QMD%itf<!&C6&|%yvj)Pb!$e(B7E><fT6?JY@2Tu8q{63cPt{d!Q
zIeK;>@VD_J8!Am)=DjtvBu}u;?<r0krM36+kM3q^elcv3-_Lp#=K>2gI-bb!^U%JQ
zS<bKQ|C{COU|-AbGxXm~q~-tI{uWM7vvMi4n*Wj8Lt6{8`7Rhg)`Q5qhT^j<Lu!fO
z$3G*cd(nvgJ3nujqu5#b9-a6zzMPfo+{{eg34P7YjB7A`#wEd0|8HaM>LI^jw@mwI
za!|!GI=2*c+Du<({@W}xGyh#4s-UX<W}#m+IeqW%#)ifk&V4b)4gtFa75;hD$;_EJ
z0FP>keT4nK?}I_MD>K)QB&vj{Gt>9JS`~^Yib)Gyt;WBSXtut#={lXRy>mHf<~AaH
zetmv-^Shhh0e%Ol;>Tjn`Zdn?<zLgPc!Ap!OJ8o&n#MRQml`(ahE1lkfi+^Lv>_)Y
zTyK>B1R9IposA!Qq2~vebP!Uyl<bllk=~N|W2IzDOuxv{mdw4CTAqp{dysO@${*Pp
zcH!I4KbIKe0%@yGmG!)zpeKICwYdt8Misf8>8_wM%O}D5blnO6uhyqxmY;~nm^co1
zM?B2PEnGi-)W0OG*j&3OdmH%J`6Su<RU;|0pCO9%<dR+^7xrW~F(sI9BRuwG*Vu3A
zBRGHII<LQ*7*kgPKZ|*7`WS!Nzf3>EU+^!}%Re4|W@>~bNM0UMpIf_U*dr?AwV~Ts
ziA!=GuGI@q`kHNQJQSLvP(&g2XB%-^Lx>$(`_fn?d$hQY@t<T)U=q_SCFAq2lq5#b
zT6e8q^%FUfv;3$Tg!U%iX!xf%u-^awg~MB#mw0dmgwgU}^nXxJFS7?Dgo2&wks#D?
z;adO4KhE9zwR;N(ZetQ0KysR{#sBfT+XKIM!nb#76~fZI&BssA)Gty^r>3@^r89W*
zFVwTNNIxAL85KQCs|XkMF2%?2;0TpkTB-<>d%8mY`cL6ONfTU8Qj4KbPf|;8HXSB6
z^dz5Gu(qowsl_%Y-+G0RtmM_>f&5I?Pj7O%eoT&YgHTVh$>x}1e;V|&%xYDF;Ci=~
z%qGrFc7@%E1B0WA5<4zj8$G`<b6zNr62Z$p<<a_mP9{y6mbsgzrAs$W%alE-%38;N
zA-*WNtJuvn9u#IHxq5GN=;`K6^S*HZC-Uc5xRB`zx1RBZ_~<B3SDWkm68(5cJ7}PJ
z?%z5qb9)c5^jO?1zQ9WCta(x1eR7QXtLl=AAsrTJq!etJtsPeUtW4#GJP4=lQrZVP
znxC8%CHJEt6jgUey$y-4^UOkM!n{PR_1fa1#LS?oFOz**`l1ctj%x4`tE~8uF4sD#
z-%_%-sY3mx>J1*bbu+JsArB{f+ez&PJpqij;9u~IYLfcGG{;HZO)#kEF@m<9Q-XTV
z3hLQON^esYe~U~VS^01ZO8vx?YTOX+X<}yZaOLnZm~<?iVKM*UhX(UDxs>j>If#5M
zh^$rQ4}!=|Hqtl)ppDx1xTiSFKp5=2L~S^T2-_u}pT{|~eZab>=?fvVAD8`>5$O2e
zMrzwvcrH}YZ>nfnzUWL_R1dWDG<`8BdNLV1T#VvG>N5k}K2+ps0bNcBaGOFo=%Vho
zblI!bV?uS9J~13q6%gwG(7I`92$jq{r%}TD1>5+w1v^ym-&JsA9=S7f{Xe`QH-b}s
zzF>-i9X}3e_KP1_zE}%J(5w_t(Ciz6-747meowRnu;px^04c%VorhgbK|Mh-djhmb
zPi+6e(Bm2B-ipf2EIF7h74-IDnBysxnu8h^{bLOS`5JoZ9WzgLM1dfBKfBB_h;F=h
zyg0{3_5_jq40f~xIsa@UQ!m+05QA7+UIowz3!PL1%*6LjY9t}s({lKymsTv3xa91-
z<s-O{0A7Im1C%=}a~&h^D?o2apDI1zD2U8#j8~IHJyf}BnRW)AS-lD(8FAd=?ZzOe
zj-kUM?Oaj|F0bz<lOHBYTF5;#z(trW`bsQa#w<4R1Z5VSmh`AVvitq88gR-!22K}A
zE#4cp(&~4k%!eWW3a~T2zt_s$gV*b?CZgkxfM(Z!U(`*+dz)%#CA!h|A)|uM0#tG!
z>@|&BG}Y@GtX#Joj_O<^%Ai8oapt7tVbGHCRS46QDndMmEH@Whg6?IR+S@daRY6g}
z<+e+70k7lM0EvNHY!~ZTspDrs<Vz+pF&)grwq|`SvQ|Nk><v`cac+?F{-AhR%<%W~
zEr<Ljh<t~fD%P%Iu8L`6OpJA-&5>#aI+ciBvL65fbdOV5#+`&et8jx2AFnV+@QO!!
zD#}(7?tBb@!8Wrdgo`Xibg#50RV9j8QoO;g1Lc@Ji?X|IJrxS$0CuoLJKaL+&5Y@f
zCJ>SkF|W;2Nc+0x1+dQNRN0V7m=-YRXBc{B*fL(j)S0DmgB=|K)Snor@w+;f2N81b
zLAR?K$t7by-nm1dhoopz0J@j1Dv$^gQxR&g{dgpe>iDk!YRwSTQG)v4kh}AZkB9o5
ze}r0|huS>=)Vl+yTW`+es&;2*3+f(0RV7y9PYG~6W;j$yuZld>D+Kj{0BW0o8ox`t
zQ9cpgI0*`Nekia*Lh%^em7_`ONlAYRy7D+6b&kMTxPV+i-si!fC#5HogS_wUC9k8r
z_Q*pl66F1}$*ZT7gS_jNw|p2}CnfbfXx`(Dx3e<wy!bg?MyNldC06`6ZJ!{6#`rwN
zB~eRm(h!YhE)I2k2C(9=blMEIR4-tAQhL3)sO7{j8krGg^!umLiI7c?Imgnc;2Xxk
zqmY|^NRj@ua$`Pujb(r%g!1Qva(;qyQagrF_8=7=7dNm-sNK|)l5Q9B_fp41J-FyB
z)q>u`IqpI8yxUw7*_z+x;PQ5!mulwIRFd3r2C38d%>EZvo^CoLL{@K9w<W}Yx#{li
z@7cCJkZ)Tkdn`i~QTp8XhNN<fH;|L2KL-;D+trH&tO{V!RYDB+R0G6N@YfW~<^DFg
z?Id?BcyykqW)Csp<v}m~7?Kn;xe;7Leknzh17|F%p<!yLrQQ}EbXTXGf|05P++$*%
zS$(_kxgFv~SDhgeb+4{DoftXO=sbCNy{82A%K6Jb)O$0Wpn5N%UQy82JBM02>xYB+
zdI08WnpObD^jJ?yttj$OH_)6##}{@__Hdx((Oe)jA4d8_SLx^t#P3neUx?{!P>n;v
z>$IT8%ZAseWkAT^49iXA*{Y&NGsF{TbiY0_V3DlU!p<pzH6*Q04`3ZN1j`)78GiRt
zT5i~;Uk0h^V*rENZlQLhP@67rLnHL00Ne(e77)XNn*dr~N^2Gi?g+qjUNF2}!SLP$
zDm^JJV}jxR`a9&kM0xXLB_|4gXYx)O%G;s5mk!TcA0YK*gOoJv)D|?SqTZBNS(?BC
z9gp#QXI`a>3(_|QX^2`mNc~`MWcx5knt47B(&q)~>W_!?pC1cJGk2h?55s92M&X^;
z3(^qD1FGFY<9bqBB?eTxS9xz5mN$M_6E1QlwO$+gCI>rO8s)~o(V$@@B%W+r(#XdF
zTr-A@w&s6lsS%V;+dE(-=b!yAb^bwc)!tzB^F6{==zoV$I<*lp%7>Q2*J-II_;T8w
zK%_Qjt|;!9NIB_k<rXlGh@G~(0tx)`O*sjCJ2B~>t7r>GE1{O^H;iItWC}j7OWl&6
z_mSwY0Sby*?s47{|1gZjrC<IOP!<49p^|?n*`6yY{SGU#u>TY>NrP@c#BaX^*W;lo
znwf=)_~CayEltmm1qWVX|2$Pe039~@dML4@MSgkrtDQ9OsC-kh#I$5CGb$o`k^UuA
z<E-4m{L!45U{?M-ql!z&JK;r5CT{X8DBHJC%HnM5+A46W%=L=dHdkJ(^R{r(<g}em
zRy*tX@3bjfKH1-Vn5LZ|hDX!MsbbBc4}G5`(-wH_9>58;HqJJg6`i(O$aL|5QER^o
z!ep8acV#CiL9>4YGT@7_b_nPXsVlr5-mc}>Y_aYay0T<SDJec)%l7Pt=pel&kH%E5
zp)>*Orqw$3f5##aluPuXv(Iiro&SuofqYSC*BR*kWnjdN!@B9wU06r{H~eUpSJ^vY
zd#0aC$_PsrEKM<%5<V!Iqp|GmlyTE#TUPtP%6`)nIpnS6KUVWw6+zt?%wA@SOnj6~
z&dR>k?G((xU8YQC4cA~Z{TG>-ELDGgHADUL$rr3pQmX6wAf1EJOd3u7mg1%L+osm2
zsmBGyR?iW#55ke`M`-`hP5;Djfw-mZm(V7Cc16!pE83Q7X{>*>U77C;_8-Qf=R#b1
zc7^n)A(n5KCkIA3x7@<;bdwX-6vbaozF(5q3gP;1tStKTsMU)L=ynfXV%o=!1aHFy
z=WB;_lXLa7Jg%!K;U|V=1<&OBI1c_hxV3g_ege_2m=7~AI;qcsKx?PjxpGnyg-v>?
z7W0M$|HEL{DZQNGAeVFL@2gqK_c<zClYE~8weGg{PD)EKPA*eb{8I3K?HjD_n#5yz
z3wR2~6u)2kzm2<yI4R;q_e*iNaV~M?CQfR%jT=|n)!J!@iE#uR(AueG8i+igYOo+Q
z`K3^s{7xHgpT&81Eg4dL7BUzuXLKtu*{SIT5HtBon=Z<CS%_`ay<3u9#TaIJCW(ja
z$mUJ0@Vc|75HfUc?X;9@+e}Q3a&0|)z&&50>eXlGdt@L=kGz!3p>R5x^5-u+Vk4Pc
zZAsU*P5=U0Ic>!>moGylC-p9AhE`eaNaptYlATf}0dc&o`>(CTxFM{%FVEM#hJg=)
zw<uFn9zmBr@+ajp{al&EjZUhCU{-%}`^OZXp~BPig=edV5&6P%Yz-$3ui+kL+IC}(
z1gDuy6GxHhel5yP&zYg-Ka$UMgfa!R;0-uKsMMPxg0?YNF9T`gJu3YZ!;JgHhRJ=Q
z_#=2_{1#;m|Mfp@3>5PF@5x=ERSz)U8(IfT7nO0q2{}qXEIOyjn7KC4u+j*&2HA64
zwE^8Adro7$onC5&IENOe@Tz%asQ>aJo_)f#VgJ$ZB0rYwH`}}14|+(Y{FOwejgaNg
z3J_-$oCl<hTyFGUl4YcsPtz01{glAiBrc}%GD@6?#`@oC8ea5BAm{x{OfI{unW=E*
zA#IEMmv4Y_nd__kUo@(_AL^o%e=-?bua6YPN4vbT=O3^9-maj%{-rnI0iAD|FNaCW
z_qVbA``UNuauGZbliANM3HImh{{87n*GSK$kI1DX@1ovr?u{BaM=0O!f_%>#GB>g;
zeuo=`lBXu$&g;piUAi2+`*QgtZ#yd{!%aJ`=e3hA%{Pxqem}_{bINY)6T;a~m=flt
zC%;$Y2tN)l59RUSp~0Q50R0p|ogb3qe_x@+ic2YUk3!cfv|FL?C{)u(=yH=!p^Fu|
zQ=yp(ZBr<w&>`$M`DZ9p)kNsa3e8sNM1|TFI!>Wg3LUA?F)DG0LPb*ul_=Dp(EHaB
zTCC76g=&@W6@~6m+_Qu(?A%Q-yOE%=5O`Xm;3MrV$+!3SDr?&NONFYY0_8S^<|~v|
z$h3EfLZ-co6k4pdeM=$J-nj~y_FkaSBw=;7LdylENg-dM(-f+43DqjJSfLXXTBXpZ
z6e@}l`h-G;YNHi0R2#gOkfGXp3K^>PE7YJ8+Z8hOds?B}75A7z0}8EG$k6nDg$zya
zR>;uww+c<4M!x@0$WZqO3Vm7aSgMer?)3__E8o=$ZBgi(3RRp*=n{n%D>O@?vsLy?
zg;psps*pOyKUJXt#eG4cnr1@BD>PrBqZC@MkfYERg+?e;-a=^qzZ06S&|3;EQ|L8?
z`V@Lzp^H@SW`)9M5n8WMgF>BzF6>-PFncdSBhQBUOOWy+pZC8pGxjE4-NyQgFh(%m
ze&?2B31-gc5PeEG`oJP;iLTb_H~NrPJ<XZ;Q;}uOY1Gvho4v=I%>&zQZ;;Y?Jz4o~
zmZ_i9_C8T)JQzssPHgO8t}5!3>f?*vs0n)RMpDvgJBR98*z~Q68n?FE9QqRmic*K)
zdnuTAji=Vvxm(1pL)XhX)sA{S&Mms?5e=>5!KxdcSAH$Y*&zJ3U>p@=_Flt+>+7-P
zb(K6TdqK4I!Ah%9w8>K1JVk<$OJik4w5O4GXgf4R;5~Rk>7s*q*NsPM*J+0Eu^!;L
zmc~k~KKjSx^snoS{GXt7<}IOzpI0Gkkr(WxN@p{9KAPTwt~K$)#R$9sIw}x&{=*^;
zMR-V{pn%b|`+pkcopUXjlYVh>pm-skuq_GQ^mwzq8%sY3Nm(PDAi<YD<d=f}8Cq(f
zcWxAK%%lRVQBNgPem;}@K*n<3e1>f2BL0~$juEL5bH4$zKi9+Ww(E_l^e-XJtSw3~
zU}Nbfhum&@OlALii|G1!%VzQ7$*BQQ@ml;VmTrED8aQ{OCllF_`^`;DT3cJY-#?aH
z0u?+qwQp4Q2JU!m4_7~4-Pb;O(8YrGQPJZ<`yyg~K6kyhnXP}fc<4NN085Tc*{SZ{
zJ#O{muGeP_fb;of;WVH${&Gceq#N4pR&UgGfHvp@qt@@mD%^FZ^b*Cql>43>eCPZN
z+xLyM=DSO!QhT`U<+N$9v*U~W@n7bc2-3ta;h{YkGFtt-{{y0M?>@r5Z|eULoSU^h
zi8Fcgu4y;+t1aI47;hJPyY9bhTqD=t*3dVDIi4sIxuHS9<B-d=`!*iH)Bz;_3#v9V
zp~@8TzeE*4Bq8Q)>HodPzsl#WZJ2MZ{}ensn~VRvDya+I=Biq`>y4}Qp987Xv+#Tw
zmVFw#jMF>yH=q|U-X!-QyKr=4=IU(^RFHsmLYR?vIg48!)Opq44}hlHygo50(>Rfp
z6{E?Z2--28B4hA1k6?-9KL*B)_4^m`%GIl89U6MxA5EKhI4>M(f_=Wk({b1W=KE83
zJff>!V!W=dDgX+o8v)gyqP>Nu*zlv%v1_K`@v#4WvbgDpIp5e*`fuSx#M_$OvA=cS
ziSd!G`zK=7mt(nneSv=jXT_0io8l*NU+GQD&rZiae>r_MA(VW65RUe?(55k^ZJRLs
zHU>Rwabf<R{O$6d1!UHVe@w6NafJpc?8g(@`i-B7G^>5qm^N8{1j?14Dr#^#KJ=r2
zZ|jO5j7MqdiqZCyMrrIs>t9&(%;cWZ6HMP02n(R}zn1S-`S<lUYiJvn=cUx=vY&&o
zs9eVLo`Ju;3O{NWRhF%Oii(`3HME`QcJQ%KXg?`rYX|)%dR4UXdb2+R(olbx#+)E7
zv|}4?{g-3gn&*F{{A+?<P(IXJR45x9D;pw`4IeE()4z+t-dg|H21egc-EXc}ako2L
z5$f)K-$5qK-3(5O4E1@>AalC6MU2?l+Px3Zp{>r!O{00}*^GbSK@Gv<hc}lh+|k3{
zP)0N&CXfG^XOeHc+HB^-L-vJa`+nNTWW0ckdS}}G=kF;$byZ%z&E1pjqd;!_W&5$@
zEwC?Ae?O`vi|hRzvHK1$gJA6TDw$Z76ctS`T4?>~BVw3Jjb&zsqTMC^_Gg`b{4a|=
zYytfCOFk*PxWN?3ev))UpO3F^;s3fm8u%~kBRyZ=2ej`!*RwBH&*asYC2z<^UvF0*
zLOw&ui+Gv3{`tgoa5t+0|9FUI=Bjn^t6}(#FCyLjvkd9klZ5|mEBzDcXVU$@euw;s
z;w29YwiyRTe)6c(ADFP4zf*}SfSB68dVEgqAao8f4L3!sl!c30DbE~#$WatoeFR}U
z3y;4H1RfItUH!T=X~#Qj*Lvde-wkbh;>S0%9tb5q>8v<E<g6HlRW>)N^7(`JbP-5A
z#T&AT1^l4$b*B7hl@5&J?rq`j9T5z>R~)H7=a+QvDA(OAL*Lx{ykss`g+rOoFEK^(
znJvD8Ki9yYm4nYH31crFk?r`3BhBCQONc19!P3B%9OxqmR@vB*1Z!-Nn}R#W6Qqp|
z%n5cJ0(_(`Q2_k>Q9~dD=&Fb@s&*9*L1$qdKtFN_xak+9_}JEcp~S%r?WfM`-WhIa
zUlgLwJpH}hior%a+&+r<Ws>^Jf3y-#RrJ)5x4V01dAA=SXG#0iVinKN7p8nkw_n~q
zifn$wW>+zjPw>tays2m%0OV;VL6iz&GIIi~P<i{*5*w;$pIT}|Rqazpn9$Dg<fx(Y
zQSDQ?i)86Vieg9^-#*F~sL2DSXaE>+0br^K0E43iEK~$=s5SGJ=??Yk1#Ac=nsg&M
zaW;QT6JP(|z89Fkf5|0kOguw>`L>|N|6=YFV|;8c*9&(1H-;~Vy<=xC7X<TTZaov|
zn6Ar1zg0Z3F<+aOMuV;Y79+VgsR;d({UjM$2T<mXK;SA%V`YugHbW)6USFnG?(J@9
zi(5}pX{D3AjTF?M3Kb8=bH_!DdMRHgE|8qyISOnhb?Q(rDAhiv*Coy^hw3BKRNPUm
zigmbw9^>Ds3bgP+?68<{+FlbXyaHJLhFiUbH#;i~j?v^B955`K4vh4qGL(aP&FPa_
zl`y_aTQXOUjKt;|0FnMr4E0bf*%N80-x<dQ=hH%OEOo`w-$iF!=SK)f>)+t<<-``9
zV4&n1P5wpyyelO(6Kfhn*QxT0urifaUO%?dS$a4E5#MMPMrzSj?%YBDDYXFAt4a+R
z?|Mr_T+>f-qgG>x;~(~I(@fV}>$H7IEfk5Ww^+*Pek2!OhfyZt-vS<nG8m9T2B%FX
ze8RFuaH(i(toj8W;wpBl-}WC@X4{zsL|W*kj}C~`oVl(9A{kia{fAool4~Q)_50&z
zyXg~|)cg;wKzB~h)ya{h{+oO@)$g?Q!PHg{6zM4|bz3cI%q=uKoLFV?nai^GRo@K|
zsbG~0(P$<4Yn-LBl0ivw3v{w&2I1aTT|tB-QrQZVgYM7XZ1!@;U_+H}`ml^NKf4KZ
z>`Wp+{$zuM=@Qc${i&coma1>^^M&-YV08FJK#&rL4waWz$<A$nJ803T+5aaX%PAOr
zD7|N?E7XU^@6rqOoxFRFe%3C_Ucp+Ibw$t8*^1~1l9$@#dCP1($-{~j!nX-Q0q)Oa
zRtgc8rGCZFLmXx%%B(*s*pkay@c4yUtzd(3In&}z_T<3G_)%W+BGBOSh+tfpJ@5+0
zqlPZ6ox-mu{v|j4fC#k89P1-59`i?k6S54+i!=uUI2O1sD7Vt!*WVY^XYQADN+3!T
zdP16sRp=*+xZc|P&!QHTMDImhN@ze{yH<_aW%ZB0{hKnqXbh&;`4xRS`}?&9d{5G#
z*ON50^_o@y2*YC$Qvdo-w*3ppEpSWT=h}ry)7FvkiK^{QB?XVBBpPzA(>5sSoQ(z%
zf5Uvs1qG|ZMy0%<v(q>KO!>g4Z+tyU%(?SXVosob%X$MahaWagebFxpAT9=?tyJ7)
zxgQ2>71~Bj^Nx+tn*9!ryIInFhWk8y>{oD&URUU~hkap|3weY1m*9T8(Yw-T!nYHj
zyqxMQW(KQA{}<4275U7qJp<qJ@5uc9Ec-qBBi{#o<a^XdzQg%%;p;ErG{KUUsr1G8
z!Tyhl5N7k1`Dub?0cr6x`KRXdbJtG!=MCk*aCm-58ZvF7&6cDMv@UxeJQ&C;-M=4j
z(;ebc7{&iLsLR2yU7M~o<9T@cyu$RnWw|`inB||FJcDCkXz9(<(d=8R=jX_Y{@Oyl
zc6c$2B^=BOFnTc$`C9&G|3~f^T#vnhIpoPR*XDq^5*q>rWY?@xtMddG4a^Yp$}0Vg
zL5^3H;=jgfslNN_k*W2KPSf@#mZHTn7AO-p8e`P>dA!FfZwbAAFQvFhC<+)0gI)f8
zmut)8Tf9MGhJFLAGx7e*Y<rd!wC8%j+4ey8!K{?~q2^`B@@bBThUAaE-}C{^v_sj@
zEbJ%P;mbF5X0EBzf~F>BG^hU{>@;NVx=i$spWbl^V?z<oTxudN>$o(C=ra+COQSud
z9AXFSgTj$w#$R@|8bZ6aUpjP<`6t>v)Sh9(E6|648S4LYUVr7f_3D44-u@M~|IGeF
z?oyKF2<Cb?;uLCHL`~v|HVPPKgd<MN*C>uKJAs88DrP?rUXZz{%p1m4CdT|jCgy|A
z*)X`_n$N2<nMb8FjjMFpCLvvGy8^S^T~<n(j3LhZbFwG#haAm+Rlr_O>Ih8@mc9I1
zOXnr&v}9zoL#7SvfrwrEzm!`q<vP(xokw#5piYV{VmQpOsh^!|3|X+b&^8P10iNVM
zolcE;>JF1fYN6jvK8zPCGt)z2)4%%_AP}%AJ3OWhKPOL&Enqd(TjL)fM^pW~R~^$7
zqQtIfW+B?#t0n$<fVVV>UoF{uim~m$|0M==XgFo{M(kr>A~Z=qg7lcjUf8xQ)4t~0
zA+F~3%xvQ5&O5*Hj|1XLY8ql7^3EWyjewMNMD`dW3dV!>tA_JSRi0m_1{D<Y%fa~y
z^88X&paA9ekG;qI$LU|O3_56n9d($wFk>(-0=^-S|CZ=&)n=7(+S-RW2i+~lIm+6D
zDPf*<ev@OJ|H!kBil@F>z&r1K-3ZOL1O!eSVx#YmwH)-Ow7>pnPX4{<-wt&3!W`8?
zTF^Tw-D?@*FL|uZ^Vg^NXc+$o&E~p)ZW*nWO5rlUTukEiG<v?Qx>~$(59e}xO*zC~
z5{=z_6tWk(sXx)g5%Sh3%P+nG>z;OH<yhy&nbi3BrIlkra4aBL_Oj4p?;f?^|1Yu`
zO7_I3nuUNBvvUAeyNNf=<45P^2X-<~#JsYnaO1>I<CBZn270Z<d)I&Y5?&PDWq7X@
zz8TJcwU+;?=KLf7y+PH(`0qIcvxqsF6Pp(A1c;DbPgHKa&NTZ?wd*^fob;$AZ?t2v
zO6REai+bBCZ|3Mo|FoHTbN^U(?!NAA<=zqA%@4Md(mil&X2RjgZO6FDp3>TlJf&MZ
zu;l$B$~r4HCN}ksSanIIzKT{~dicDe`)wut#|-hmfE^TC4;(qN0#I$AyJTNGnVl7V
ziS0cjR%633w`ar=3o5~HQxrdOS_v^vZ9K8<Rw3u!o^EVw&y?Z0s4Ka9ZnS$~RCIJ7
zUf#MU6WQqXHsW<`aMb9(%NQY3c7}JLcA)#fsL_Apdyn^4W2Wqs+TGpnk7^vf-dVA}
zwl6acyR<c-_8XV;q#WziCHqumd;4-8luNWXrf;t7qSi)^g#O5HZ5L-j4-!b<TX`=(
zSy`G0zx1uQia_8{?9P2W%9g*~r;T>+w}&trID~1e-Wv5bN4sANN2@nCRzK5}8T%D?
z?)vn(H@C;;KGNtt%kHW<xY>WKoCUDQ+8AO-byW2;-Xj#Mek5A`Y|GqdC#9S3XrG!H
zdssB|Hif#kN2sKB10aI(A5$_mcSDdEz^FU-j`k*|V=57jjiJXyl<H?d-6Hr%Q}tFZ
z%u(5`?cLkUYd1u_P0{WRJc{~w_xf^^?U8bCOltY3=RtOUkDgcLm8F&+q0h0Y<@Bjp
zz)dvl(RQOca>X)H86Qf?9j$EBG-k$(2GCK!eJQ+mQ*y^KjkTL_v9!tCz=l_2?c<HL
zTdA7J+6}7VOY@3AK%o=!p%e0<;{|z{`VFr%DO6bwN}jD<-$dz6S&d)%iTy`0yp+pU
z5JG>(iC}ufD;HH7yH1^ZF4@<`U#D%G30ve@=Mdk@-&NZH6b~a^E2OXXj*?JwGiOJ-
zUmwApJ=Z%sEd6>)rYuDQW{=TOQ)UKxf2AX*aDs6Jn|V>SZS=+_Z$mWMU1DPSQ+6nE
zQMGn--z2YeNsPsBWBr;%_oYWA2g;nb4KP}A;83S63)tkqLGeqCj0X$Vha4K~dS-cz
z-*x|!Ocv}&jO`sUik4|WYF=Q2g2bSGsR|m>J4$!m3jE#mj*>SZqu3dJxnquo=CMWT
z8D(j1oA#8}F<QDK&WZ!hica-q?Eo(Dc9jQT-LFMz2b>lA@}K24J;LA{%twZa4An*7
z^`fP9(E%?SuHEQG%iJXgBnJ|=GHD)fdJDZRU;hPT3+k_MRy^&j_@SwPqqnvDb?P@?
zP_~x6%FX%DazK*~!khAOs*dVkHr4x7Ul)DD>qUTpglUQa6<}L8V|Vv!<+Zfv19lLD
zNQ8~EqE*#*zZR}VLPl!Wcrzk(Gv4)PjH#P3fJ?C2t=^2WH0e6gFEx?&(5z<Z0*0>9
zRU$06tv5n$L*FscG~=baye{g~^`!_aXT=KB!rk6eY={P5-LFP!cRMTI&VQEInsiY(
zSEBpXFp)Iz4b#NkrioCy3~GaDGy;}x{ridUfztg<4h8!aT5mBaRKPO1aS$_MI}W~J
z!mZ$J$H8dElk#4;Ha8IPt*PTLjE?^k9%Osr`E+Szb7p2mW{epS+OP?`b2l|-#x9Gd
zOJd3Xh&MSBO-~-<O@;)Mc@(;wpRwNLvFT$PGiMGqrPe#Qn9I959?1C>Wok&5MZ7*|
z#anFW2E+*ZBwcERPhIJK5>3vE_qwxmoS`KW-&x^_s!By*)s<!>u)NYEH6OXjeUZfP
z*g%cMl71wb%!U#_&P+aF#F!^9e5J9_rdai65RZDrpjjIACYACV<~Pi58NV>Hp@|l>
z$Oki?UN$p3{2UCpCvxBN&#*CuB(Po$R(zEsg-OMTz^g`ZROueXyf*vL=JeS-6Mh0R
z5>AWKyQ9}SD~b{Oh|Ng!@eiVzD=P;TH>t!~an48v0n==B^ix2XUOIYhwC<?jgTszo
z{OG2-@02phjNYJnf}evCKQ`i!Xx)r3_5zKgpAiaW{AqCbhyuAKa{=<JJ6abj!`LPD
z%~Cx7zUkcZGJMeDJ!AQs7tWm(`=j1taBgF|^da?x_jIGEt^q-x>?&`n3q`x%EN}L9
zn|MthPdO_d?%rv5*~HN`ptmPI&U9tnxQA@%!6?Y<OJ)8}r*`j(q{}j@gkdnK6iOO7
z^i+C+seDr1gg>cp)O$W!cTKpvznr=wbra0ARaf?NrC}VRMlsH5?wfUGw+TLD-IN7j
zot@ptg|L9_(qnH^m34Nqi`HEb@sJbi5Jxmzu|jXah>b3N0s{1U8q?$Kq**uaHdWi~
zt)Vl<I4hpwV4+cwDz`zjF_P<H!?l}Y$?l4vktUOc_B7;5k1=>msvBdPC}+6{p(q%d
zHZolTaFVd6Hg-Q~<Oj$z+ekx1(Ar~)n^xW@Op|YNi~Y;+seEfP1bVcz8W9V<W4jg>
zU1R#T%#as~9B8a7%k^$R^rpIl>D?(BkkHAbt7(X{po=L$RqA$$xVi~J`MuG)YfJT|
z+<yyl>sy)srv8Sj^1Spe{nk`BISirmjPwE>OgTDFP0R6;_d<HC;gY(srlx4!g=KYg
zBGm-_Lp!>i757MqP|uY|>#hb!tG?m<+8$>G6GiYDu4RqUWxF>Y8L91|Mlu-%lJscZ
znPZHI$^+?cmfWIO^KiPoE&l+f8&tXiea743ta#R7GZR^t2egL1g!6$#l}xWDK~t2$
zHmu2b4bDQN-B}%{(cPX>g2{`Jv<)+NIV+M%Y368Q#f#Cp$z$nV6Vq5r>1|<DYNqVH
z(e{(0?bAweF&S+?hyN#)Mce;9<n5(5qU~3e&{Ml2ocR%1%=ZYsvm{I#g~GTq(w!yY
zs*!w;=9?kXe$K(%^vj|+kudEbz7OHs7taIQ!R<@?Ifv$!x;cGKg2uOk#>}JQhW+pu
zD2V4!5To7}af(p}-!)^PuAV{H<h`e8^hW$iYh+m#R2&*4v^GM9@{{Tqos^D3IHU{^
zB8s6P1f)aOnGBTC2!It0cT;XkUFn}xj;1x$MZ+4Y2Ak($K2u!sg!DkjKxjcm@BkUW
zW~4Gg0jzOJhdyl}@+~m~C~uz;Ebn=J5J~I`Fa(Cg4jiBeAmtfS-;@Q8l{Wxr_PUJV
zpq!OAPtY0@BdQF^oAr`3C`>^Upp?l3G{}UCir_=w0MJMbphdk8C2)*{(We9}LI<eB
zg$>B;sY70nV2T1!B7+|zY-&D6*c9}ynMOoXBWjpPsLEOKZqV&bbtQBNzH#kjq82?h
zWvB(vTD3!HBMYd~dm)fG2FxDOHV`^0TPSqMjLb742W(CD_vrYhx--M+lT0tyon*UK
ztx@S0qIFl4sfTw)>P|8}tjZZ)btjo#(a<*15YUn~=p$y}T^;d!$g7bo-BJPv3I?*m
z#2A?a14y#vvlYl3G7XnG0h|Jv6Ts<KRUZK(nbR$C5iHca0V6b2LZWbHxsf&oIU1Bx
z=&cwjuSFdBM865Xh@L!lVF{rwBT)>Xf;uHz0s)j#i;d{1?K9%WydaEy*YM4<$euO4
zmOY`;Ny$-bYERUA4+EVRueaHIEOD7k5YIMpLFRJo)pGx=c27(COD*X|VSgE0BKWbh
z`nRmfYR(;Dm#E2sNa9Tl=OTE!;{X0gi+56G3(Ki+Vue{{<+ttenxaZx&+VrSgBLw{
z%&7K4nArdgjKVOn%~jx!0ueXev^(Z;wwZ1kP>r&K4JYpDU$*K6)(ZXUV0~K9ep!*G
z_HZ1l_G{ybX9TXRbmQ0I=BCAaxW)S$25|jV`Sz8L<?x!-8YXQgPZ^Y1VDcp=#z>2{
zPaTX;aZ}GGp0QSiSTw$F_NV=CaobXkXJE&3M>vg{b3#pRn;L18llYUXW8mb#?!-&|
z|4Ain&|k|+sq-Ft-VaA|CtlI78Q(IkN{4#r?`;<#vYRudI)28?=W%!SAMUdMkV)>|
z9hi&Zgs1czH`EoY?uucA>$IIr5jQibn6FYyxi)H(#;rfXx$zn$<N;uj8l43Q91-ho
z$>Xm#XHGf?BPMfY@g}OX^ni~K<NvSYgRHv*F8?NnF>6_Ubd|QSA>*ugB8m&xSa*Lh
zi}TX%eWlUlOJ_8OHbs*!JESI;pUYnL+)dH;1{9|o^#!9p*}ZRM@|81){BTmH^jGff
zVtJB?V0D~QFjoIOUxSNU-TG%1P6CqY4?Ym2i{{GmpnG3&w5OqXVscvz6$B8pRJDLY
zu}nirv^~<CX$bWcO%%DRxqvq^+9TT9*%9B;`SWI|RFZw%tS(wbY{1j(SSY!z1n|_C
z11%-${Zb%L%Z$;b`=U^vdwX)ngnx#?^kVDw+dE>_Q!r?5J~q93Ec<*quH9@7?l>dB
zO8J{1I-!3)l{c0QMq39CA=KxzolECMTi-t@{%`!9=(JtLcN3T0+OJT+(>`8b%iL~$
zmQ{!Xt^00p+RiqG_MNe4bW`eOC-rqcV-P|n6>O5k>ie#)l9g{}`k>{W(4uw#G^^hC
z4@&&l<Td%O+9G~@)@eHm5HQ?@E><0x#v=UH&%}<(FLCQPI!kAgC<f}Xu2WmET*1lL
zrs)0b@8RXNzl`w_qw<#ewedytX~~3x;=3js67Pq0LYfVy2@O%M@^$ZE%cMKhRLy?i
zCOH{Cqj5BD@!l^@bg`<9f8Jve!7B6pP&-~)Ujw)z!bB9ePsS7B&xmQCi3h&5CAG}S
zrozPcEkC=}`(5wTmILSu2sNSPATATq^Vu@9d1A+>j$ES24~iFE7+p0Hc-j9jydhFI
zdh0v3a3mJo^6_igomlk*WyMu%gA4-&86sr3@M4oiFNNW9zIMHNoXdi~U+_Ct6%=^!
z%m8BlA2EA^YYpr4|580i(Q4|-OxieM^ul@<e~OgOOzNC4f;$2oYm)w{?8SPcGLwEe
zVZ_2}H+`f#caK~D_EBAXHzv33qsg{?CToq!+TSg?)v<|;$=A<^+sW>FN9Iacy2<~x
z&dT{}r9%7xmad_{;GwAV!!@z$zS{M;#$VH%F6(Kj?{j|G-BR7B2r*i7=yA7x0K56r
zdU$6|Vq|{>_Tq10@yvdI{e}kThdplf267@0r(+JkC$XKOIsCp{^jtSN=)}DJG4E|w
z{<CH}H+_foGiIgiZLoT-eKzP{udnt^ckc<tsHv|x^b*k5xuGYqw=elLn5y%i<=fqR
zdDsp4&JVGNc0-%pk||U^C2VqgeWXU*P`?4PF$cukTKlY~X*aaaEjf?vnm*S%F9HN|
zm%E|o1-B4jIRMLt09O1D04prO3Jb96V*pkGuxbck&Hn(f#saLd0LOm}!0`YaKLoJh
ze*oBE0a8Fsc0UH73qW@W;Pn3i;B*Ucx&=7<V*t(u;OrrQbN&Z_b1c9)7U2Ak0XQFk
z^M?Q~_#Xf+0HA;+ceT>l3uyL00Z<r6d^KgUhCnil2DG!4xLERibgd}^&eH$GCSfcy
zc{j77gP3HW48ts5;)sRT#F(;^`$su9HA<wywR>WFKO@t;(0<VCVYG#wij|Z*Kg2$-
zymrtHq0#om_I?Ad-AxAaJ<aedX$Y%suOY0Khn^+_8WA?ca4iQp3@mRSJiCYDwOz52
z>98yCrbh|@!n(r%Ql$XGy#c_Ae+96@0<0(iSoINrRTd!J8vv~NR{&vG2(zXEEMagp
zy7pOG1=)A2BSdjpJ>F2fs{z7}62-lSffn9_i`MQ5<dez`#`ade?S|GGa(P<<ij@L~
z2A1yD)=YCfuWO7wGO@8GLp<jJuD2yt!fl(iF|Ww^$yyYhFk1-H`HbWIwYAThSB80?
z3VrE4NkUEF_KkXsEX=iojZOJe^!Yk6HLicsjXE{GTB>M#98W3HVY}SSm~{f-{~wi5
zT>4tc#9Z|Grp&bw|G*@fnarik6=;hE<`xJ&E6-Q);NxKbEBSB9>LYqb!CTzknHp9t
z{6_REn>j2_%@xh~X>R%ka2kw{Rs98ZKRa0{QTL71-K*CC05CZKG}!>+9A`*>T5=$Q
zIo6^hLGQFh;YFiVOC$5<W;<^h{0j0T&+GSM+9GqHcbvB03Va$FjIPWj-8ACWxFK-*
z&kN+bJ`*veC*ENf`9UFM3?XK5p>M}k*il~3?TH;F_-C&$sPhTA(b8TaXOVv}w9HTY
z4Jg%fLhPb1`9N3$XW<HFXwi@vT6};#B^~5{671QF@59q>xc?657C3h1zTrqW?YQal
z>9eVkW^Yt8*f)DqSzAoub1KsVSJBR+$EN533wh1PAkW_SF{M}xLHlcSI9~~s@rg?@
z-|Zea!>#2u*5}>oVxD%;<07`p3+QK;9Se~!ptqfpVT^4G&LdO@#iU8qzrFBCA;}dr
zCSCmhxarc3?q(l*LUoemAH&7Q8Ah!8jgedi;>rdKC(ardea&SX-Q48pLv{hL=c?ms
zyD%7Uim}5PGF0Qh#&rM5Zv9(VohJTDH$_+qup5Hci_JTxWyWnY26Ctuo4Zgujvt9}
zJerMZn!Vm*_oZ<7?*G!9fN&017GK%_qKVg5eha$a#OCz*5zY&1*Podlx5mv})4)jY
zKWLeetn~wN$6JFc;r#lktKT$yuG2sik~o&+-TjXmtMpd!gXsf&w8XD;(~IDg2~TMd
z9Ns@aCqL5I8l=|quCE-qpsO6Z`V5NoAC^lenp2O#_~)pMH*zM0u71M}4dm%58;9=K
zM)t1{^3zUI)eT6>G@Ydj=0Tp{LN8w)sc3{O<x4mpHTIn5(*Kjjj+4c+)5Z-M6zta1
zi;y_+GWlAS{yMfOG1}<#+)do=W)h=pk5s?lcJC|+I%c6$AT-3^vC|UaMPHS4+U3ht
zf)1RxsIm}y?dv14&>P@e{k-6_psmC(f+?j(k0&KxW!0@oY&(m<H$uD<<c=P5s$1_T
zo-|z<wo5CVB<}LJU|53%+RqBAW^}%7I@d|5!CX0c#Ex&Zms@DobQPhXyJ*IIC^LK1
zDy)yV^VDAwtAFk)yfEVfUEu4_(2YK=OU}&1KU);9G4eY-i%kf2ZMtK4GY4ZafUsq5
z4xN=Q+YsBFZEQa@R=*|j#4v<Es&5*6v`RJNJrGnN!O8^G9)e_&39%5S?;ABNV)YL%
zoTLG9h9!UZ&XGCVf1-c@x$(xRy!sQ8Fn`5_3gSPP<11z{9+PPbGX*(Gtz>Wk&(M9r
z-AjMITEeQU8(&P<Ju?u<#q^jOgd*c}Iz<K&*obd2bm%1?rP-%JV!p+yK0et!?c(s&
z6Qipd4AfbXCNJAm?bq(<AA!GW?*L+9Yoj{4*WJ8}MUK09n>%_pCT3eLcU>G_^o&}P
zTRyX)(-r@n(Ch!fvY7W)^3^k-`N-zeILTkC`^-+;@A#`xdnO`;iR-M)nA~`XrN^L)
zkLkAKkVU4qv8B2%R^PSg71okhA5DD3wxe_nKxl?c+NXvW?bHO?#6ZGyw<|s&y1GHB
zOk%J?wEFG-(UvYPC>!Z>dj~MOVBaLRc{`$S^Xtu{sgzhll;?D%B;OxE9VLGo@T@R?
zsoC4WDenR}&&VHxCo=o9Mv^A4+c;1Z|3v?hL*-3W0`5RuyzQpX0=@OT0?lmTCa>!w
z_aTxUv_l`t#~CRrnLgCA(HrBlSqI${S~TOTsoEvO2J&oV(n8rCJU-yoU-#6&Ri`XG
zy8rV9^KH8EDN-6AA6Qg*)#0XA#_Ujg%*AKw%e|jvb{Gog57}Qn&E#lymb6vK@T=V;
zW;eI?Gyq)}+nrXZ+sqbQ6?eKZBiD_B@qXuNnygA<T+j%|>MurVf@`>HAmz!y(EvkI
z-xW@q^aj>^&r5IMif+t%%=IXwR1{3VS-X%uMjk<^nEb%LE?bKVH$9fCE9*i)Wd3lS
zyGO=Kfa}~XOeh@j`|*3EO*Bejpb?Y{<9Q$8-Tq@r#Q=@jnVMqW#RIY4#t|Ta-P^5-
zt1)j^QonAQVC>x(9<WW28o|tC?p)OPPtwvr71(E_<l@gU>}{Ql1s994+(}FHlI+tc
z5V>(o9T+z!02b+g(#24$Tr}waWj-Cv;r}f^ExPckuct?)4^4G_w=}hW@ujKt{B|v#
zN44{o>Ea2BU-~TmkBi6RPY*2m%n*NFg`*p0M>Y_0sSDpwKjru-t(Vcz@6sdp8hNu8
z=G(hvtzk3eTWc6_h#z(JEBOXD#L#U-45Lqam(tVPsvlP=v$=>{U0NxHNB#ROnimuv
zAJ}{6=0g;d&62=w{nPPlQ6b}_{Xet!iUj?#o4z6(?QODFJIK4w7<D^&-A)Eyq+d@(
zgD>Nc?*#j<Z!-Rd%>Xui$%j&87UtjMMc^5M9?WZbdBOGXTVnO!3QLOb)N~}TgrM=?
zsx^jC)EkmR^yJErTQa7b$-jQH<X(gGlU^dYWNoD2X=8fKG7}*e+OOI4@6DOYbz)b>
z62tU3r)|0>!OZ-SY=|3*6sN&aQfzLA6|+`h3lsf$U5NDx4@SUU?AIMbp_pcqOoEzw
zu6oq9?Q@pOQizJKUJ;;wqCwwD^+R`|-~V&Xh<W|q+M~bAehZo`DhW@xVy=>Wqsrf5
zW_hRG_#de658f$JCkKlKdQ%OFU)fy$Qv7f;nqKrjFxBCdAaMqodpKBNpn}aYgC=?1
z0ebE5{v-1AHZhW$yNrCDiM)T)pZ6w>;JTFD&S9|$zf=YNWNy*E=HHgD208MIdDm3%
z`#V-~lrU%>B?<Ij1mK4`eaq;+SdM%yT^x1pewaa1;a_W&q|zquGMK2~I*Bb0VPrk}
zq?yeZ(={ym%*~axW(5)N8&;+Pk-0S>{IBd1;}6lj&k1(_uM8jN_&s<pMl4@|&vy~E
zroPK;ebJ%%X4?96u#nTm#4r8>)~d+=r}*daIo#sY8Q@a@r;s0{_573Zta+XBeD3h^
zto>79<;L^>y1e+ZpuCyCWCX;^c|-mSm`3-)czW=M)hc2}jHf__0{j~9+=>{l2n8Ax
zaM}(t6BQX+>JMllz^wZOqGIW9F_7Mjf0{w0iQI=P%W%83%!b8}k|QzRre?gwkBw=a
zmAr0C;e5}B^7V^vGviLA&QdKjb4#XKvC|fY7u{fOtDj`v;(-*hBqjn7A@IDE-}q+*
z7`->f#$!yginnW8x~u{fJnV0OU6cX*v(Yp=|IXc`cneUoXxKl3itL*sWrUcL*nxU@
z_Rx$qB%fuqU4^&8pz<#Bp0t!g{NP0VvjR9ZHreHFYdCQSR}v~C*&aH^x<uzfr(a1<
zo5^YGBqe(_=xZHuerC!6^o-o2Ixx?CS!FIgo-+`$xO^JtAJ9ftai(Lc)G_Lz8U_4k
zPv+8S@&LPA++O7-r!)(;EAR)9VHWZ4F!f^E?4-KM-Xf1EGTG+Zr9><p+JBrG2T3!I
zO~%_*0bA<a!{p^RG8>WkCjwEY<J?c7xZtLT6Kwzcz8XcD#C$Xb_!{PB-HF(LO&ml4
zgQ#l))HPiihEZ}N{>)r`iIbAo7nzq)u-ww-f|L3-wDJF92Br{d(|4dB0J>3F`!jbU
z+60cXU^;JpLFcJGa8ybQ)2NxG3@upp<(3|cR=KS6oTayrqkvf7HXW_@+>TNPtrDkZ
zb(TdxHEUm<fg>%4UQKT2<Wm+*J2~drUThFC>w?m^#qa02$^D_ksA%i;MPG=|6B8Pm
znHQ)n4Q(UNdQAk3|B5R6%k4bNjJfKKfUHj2CA8cipDoFS(C4#z;2=A1TR)xq`R;8h
zB1@3_Ng_<`PRboh%YIJfhRt6_Smoproi-#QY^RBb?&NZn5iy2etx_!i75Qo55iC4s
zlV1kI<t$}S;Npc&yS|NPX(pUqTm)DKAuUI=Rf@y(&n14j37NYB_YllwSrtSpOV?1A
zjRje@6lB>plx258mVtsS1~lIQR4a288I_A@RaBu!{`sFZ^P|&#8z0S?dkykp?96W}
zg`}jyIYBS=I&Hl~xtX>~A?JFW!4no1W_;;G_2~oF!QXDb^<eP>esx~%x0`_E(szSU
z#E%nd<lf+theg<7%-srP2J)Nn!|XQ2{W(Mum55kmI}by1vM5Q%T4JaFdq8QFf@lZv
zx#r~BlAQ$C46WBRJHO^9@?}y+AwpGxJZicqL~vOUbTbQz1BvY{{kEz-?cPdtOd&m-
zr3r)3gi4s>pd7lGT)>WQ^1({=5+kI5XwFSPQVG)3J)Gqi(9pSQmYM;UXQSrex*H>c
zGn}@QRX}1#!``hX0I_AI-r!FS#&xfgx>i*xQsuui6hGI*Th4U3qp=DgWKpM~Q}9TV
zmd09~DyG7%?o(uyKBk+^KRv0`Sn2xDA(jlWwOE?&qz)F`OzD$=g99!ix3{+cQ$|B=
ztK4QPVbg}Ko4sxlujHR%<RAsbCU4_yH`R5`6T;RNDlEvR`+o#wH?7rPJ$N`b-K<ud
zZ|-u|sM7Jx-j$W}RoCL?G!qf%m6*j`GozEXfM{PcD~$2@)oNtIy3{5A0<%@a10G4g
z!88P%A7kn;J6u<+8DRNq+iDIY_52lU;N@yl`c^YM<rgkIEgi4m&lq+)pK@;8NzaLt
zYNb%*)T@uxW@%Vr3M91BoINdb(s8&0V;OyzG05-^%f3whJU{CFdK^Xopv~Mn$ki7g
zF)iJEGHX*?U*_h@R#hWUI4_z#AM$TgOy*Xj+_>q|D%e(f4*!|KK0X)rZZ>n3i=(?%
z(tPQ_tXQtG!|SVA^L2&Aq=K2s$_Zhzoa_dZ&sa>#K4aW#gMll&z5*r@zuM?7Dz=U6
z&Ml*<7cXp8T1aa0A@`Un{~a@zI&B9-oMyVbra4U?F>14Yh~FW4bY=a*?`WrbDXWKg
z&HS;78{31~bvBFEb?6@RUk!NDNqvKa?A6Sy`SpWF3}_W)4-hN)V2XTss7OpjZZSoG
z*MVAMa(rSa$I;3$ogCBB6Dn%g`>VF_ieJ9t<LdaovA7PrrMbAS!Z>MMI6Hs}pnegD
zk9TujnCmd_#sAy>3Y&$llUf&yZC5LfnMQ&+se6c&T@#$oQ+o&GaB!6s?y1{IQXdcc
z3yqfKwEsbkOJ2!5pucW|^hmL8g+^PIbEDq%X$07%8d>vQ{w&bYVxZ+ZOmg`M-6qx2
z_e;<S)zi5f>;5K4auEVqtIs{GP68pc*WU`FWHPGai?E<1tN-3BLQU;>*2pL)wZ@b|
z1L-vkoc&7xW4to;kevxPwboD+d7;P|=)a28Gbx%3L;*BczuE{EC#6gBZpk0*FiC!^
zD3lGsJ4QViTHk7%{*(1gx9jnWP^NkKdgfVOz8qT5m~G<PJ-Nj(Tl@ZK)1t-Kv*wpU
z-3|t=|68Lm#E;QL#|BCRET)B`n(^;u_#|Gj<apG`*TvhI*p&DfGXTrb&*#U-P`ORE
z+@FG+zcx9qVOz?)Kx)^y%a*~HY_U3RlJ`!#{&ISOt&CQ$gs>a?9-(ITE!q9F?;tm)
zzZR*@?bn{2KKBvEejn%EI3L5$W|K!KTj7p|Je*7K=2+Ibn?r+c^u&th(eijmY!Juc
zcqs8;dL&I4>3Wzbuf<}74bqs?#0DraYcXV@eoV81{T{P%nl^6<dUAM#`B0A;^J`6u
z)<$P#&N^U}LbS7)X2D*beE-lzpK6|qZjIJvRxY?xc@oO|2N(h9pX`(7yzoK%R#PG4
zV!I*cE??smdAL<Qu*;uj2$?ut<08z|J9^PEvGlB>WLJ%wnZ|x~OHn(nlluQimmn`}
z(y7Ceeqi+J*VVnd{4?P>ap^Vu_WyzRMYSH9g&C&shxKaAYG@rYGv;yapG~62{PSUV
zUK=QJzW;M@WedDSkC!`3e^0Jxa)QofE~*R<(`MBsX$KVwIBn;foF7Kwi*S=FwaiSp
zH|!8Dct1!~G3i8DDm6$}v#Md0!K!Aj|8qkyayV_f05orzBKx*WSK9^=YjTR((0SM6
zTpIq6ht$ubeeUCa_AGvBzwv1b)1=T2#(k)@tThgct~T4DpU%r?{Gy&53+;;~_k9?z
z#)d3@d5gCu2JIs)nMs4ZJh)CRLX6gMbcs=HpDe-FOA+8+;QQQ&bz0_fN2zrihGZ01
zM@V%EbAaV3uKggBHy__#Y;N=>e#*fR-MfoR8}q@=kjZp8=6G&~3(GPX?NQBQgX%4M
zdOEuk^0=AFp`Ma2NL>hLZzm$x581!+Vb?1%C{zJ+f|b=)P_DhQPmN(w&-Ep3xzA)}
zQFRElpr}N&yg-QkT{0WsewP(+?e0kNnY8P4Rdf#<eQl=@qg;FaJAyow#JHJ18Vw(B
z2Ceif)5~&5N64rHck-)$Fr}6P(slKZU>85i#SL~qDzT3*{Zn|O4Ho&`aF09jmrRh(
zO&>CmMmsA=qV?mcyXb)i{)hvs^d)rJe1wck_Gw?$Sz1?0G8&QW7*3nP+H{{HFdw|}
zSgoQm;||ZO*<q!iW(x~9WAPKY%ble)Y9_F2Kx`YyxyJc~^-l=zw!xz0_(8msVE0YY
zW^qQKG4Wa9r2eW}4VGHTMf8<i9AW5;FbQywn}!K;T3|G+uxRL}qx6&|pkOXn955Tq
z9K=ZT%Z;kzX09)H+V3>Y*6fKm`a5&lnVH5fl&+SR(ToaVn#h(Od6V11aC?>Hr*ro@
zw;DZmw|4uSySq8rAnq}@`foCyGjV;x^C=U=EpN`uV6bm*cJAhkWek(_xs^4s>L>NB
z#x}5=QMYhZ>icgYWy~xs#3TMUUXXC0A#O8+tHw$F8YJ^LDvMfsyIPA1V^(~bdn?2A
zfNBDu1S;fL4s{Db{VJ$vWi(+(r^5bKs$RM;{Cpc!3Rq?VEMsg6oTW#Dz?r;e?q(X-
z!4O~$cKEg0!jxer{7j<Uzw3D`VD*xe+6V<NLU++}#`X$jOtX_+^c$+ZCLSqm=rrXz
z+QMU*BIc;@oLqxxkK_jH0J5rOM!{gy$n|i&u>#M}F1|_|5*wuT%x}q@k6G<jC;2Gj
z;vX9_gZ8?amMR)^PBSCDK`6ozajj#TK_$~t(VV$xooQ{0yd<!4F#XxWBw|{h>;_4W
z;hHPw#OfD@og44bNYG+-uYc!rmI8kY2FFJmVVXKyY~k&dS-WY%J1-&hPD5*QlHnZE
z&6%rf*cdB^T)AFY_yZ}I@HPl%J^C_tjx|y9gR}Hyb#HRuY-g!?Iz2g1-f|SS^RInK
zMQl0_lpnPooX028^$*}gcRc6u1Lf{f&$`K%_ED84SU%|ybsV{>xH(6#B)b}=n|Z{A
z=ekq}8NjPx2qS7-tqsH>?BubFw6193Cs|0Ui7_U8Kk_U`8uc$;)vw{@7xSfFEcXYt
z+E9hRQz3XzPhiM%I2_=zB_WBNo9T>cegncTLb`+<;-ScR8aBdCU)e(quB`;g7v`_>
z!O}$!sF2C0uk5QFndIolDE9uYNv7Pt^O@Yp6U&t+>a><>5YHeUliMkz2AG|HWxr;4
zcJ^CMj(<j{tWMPO`lFqn%AuQ^d9ZRhSovAtWs4OfE#LntG|8Svi$rZ@FeXQ`4$yG&
zPlSwCOgO0}K-MuVqEbB4{pu+H!Mqe<F-EdUF-q_Oe<N$RT+t~eO-1GZy<06ne!*vO
zC!5$3w^)T4Q9C7){ZG=ZzGZOKqVKPHDmbb4%?bdqj-1&B#*of1OilJ^0Va3TmVDK1
z558~PrkrY1g}Kw6+kee-yVgAO&5RYp#0#5eoFi!PGGs5RT%a9>8un1VciqekxR~Kd
zr#Ao+m<&=gdd;3SLZsQ-tbuICFvDH?e~WGc9|xlB!p1V^qaDehpR@V<&8}{T{>I>j
z2+Qn!STH1aK$wl#WjJm7RENxh1_(ejwr<vj%(}Ju8Dp2DO=^TwRpMvDIL`9Td$6*V
z%+20!D%<r-(`LuK=QOmzlzo>xf8^w!@UJmK&?qKjnM(GtgkxNV{8cX^I_ep#iyn6w
zF%7vgx$FYJn5yyoVQNj=S}|{=f3;7NX?_wam9n_{4ztmWh^fr~I$$lY<tUkb3NC5M
zd=2gM83>rwSrE1wUE&=c_Ha_t?=48RNOMqbP8IqZO*GFm0HGbq!O!v(g(=3N!d7iV
zuot0zg%Ar0XNvIx&A4M!po2$RSmGNom1$y*(H>EzsX~D{PTMl5%BGj$k7n;3&AZc$
z;Ka;9o*$8sOdY2|X&rPT;Btrt^9)r{OEAwwT0$@_7@z%uj8YE7*L++NGd0c06*2jb
zC4c{IrZFJlX6$5~tIAR$Gkoq={lSc^O3DTA|6&q1b14}9iOH8@s8>$g)n*V&P1P|6
zr-8k_X2;&Y9mO#_i&RZk4{&2bxf>XThC*g)fr@VSWCMUH$^Ws*l*nd3$;x5aetuv&
zDqDcXI&-LjSENoDDO=932~;RRinhZ{#CS#IM<^-Nb1AcPDRUI?FM3kw#nBjG8?Y+#
zH-L+&$?pn6)BP2MXm%M(qQ$%jVCJdoU~E?U#~1*KPFrN+)3z{4YyBF1)Ne5<c=%^Y
z@q+*0R@IkSrbtu%4<>?*Tm*6s&s<A_dXPK*Z|G`~aSce@sy1=W$b!a6-(>-mF9XGZ
z_Wv3rQ%R3MB}hKPBug0*Dg8@~Dz*4D8D&5Lco;uo{`-s@s!C-wYLw5~pcY#gZT|+0
z>|><a^Bsx;?Oe)Jv?D0`-$BvowrH=B-FRhH(I4j0M2_o?oObm54Rr|=OX$AMWV^!D
zP-Of*U{mX67LJ-}3>~$F6<DEuMJC9YC}2&9#nGb4c1z_N%S?e;$irlK{lbfzy>0AZ
zMK6k8Jh)Br*c$I83(n5l#1GgHZ!!#VFI}BGSBD{o>?3mbEy1aF5B3q8S<&f0Fj&z&
z?eDYN*)8X2T><$J89H*OPc_9GrgT-4xO2J!{Laax%+IAPFez=7t^C@=HY3UvtpO_m
zq<;jL^OMVRr{eghEce);;8*0}SJ^~HiUMTn;wM+QPjUQH;f*$^EZYd?viL!?vg{tp
zqV!xADgOGWEM}w<CRkCBrK%u{8M0*Y4`;(wY_~yWMK{Yke=zz-&cf^tgN>WHx3bk_
zlM2D<^qgjv!d=9yVlNO`I+pvN=o-x#tMce*Ncc5VPI#b+G1MdeiyM`Bm;bbWnG(YO
zV}!JUx=t}d!hgWTV83bdaJqGuiFnQbmHFN4|BPQ`Lj*lieDD!HQu~R+QPgT`n~?Wp
zJ#lMgE8%~R=(%h<w9uy9eu9Ok&BCpw;YO*%(dDIPd)Q5vRmL0Lj3rZ!DE}NfbRw@X
zFgr}yml$+`-sQ3O#K;uT^)!&>G@zZ-si2Yr%lK8gHinNV$TC(vkjW|TWYN-E+9cD*
z&c9nwL^-KJGv+OeTRniROut6)4EuixU=rt~Fbbev+nXBYTKdvWw-n|%!sM|%oy!w+
zxDLm@QJ7aoex^=MQEp+%wm`RBu%`%x<FAk=`$MrzdP1dT$bCk<NQD8fznI*X(J7EP
zM5?@4nveKtSSy;HIF8-O?YA0M4oWUoNpFKaEA!tgOuBdoxuE1tg>{}jl#J6y0lvI2
z`Pcv@4NsG-hO|vkucXH@E_V6znU~a|YC(J4G!9l2Pwn!rEJQ?3HqE#Q6#BCZ6IYUm
z$JF2qVq9U;9VD5}Rg0cqP+w{}y`-(Ipk<F1q<ME6lsVR5_wqG=hM8~-n(@c7E-;x7
z?RsVz9|6n2qawkj%o({hrN)x1j#vgf(~WNmFcJ6UBAzo5jQAnO^N%Y8@yz}_gV0T?
zp|~KqZ7W31-bWq=LB1^!rraD3?GLI39nqM!e6pY|k7ln^K^V&HM*~}@81I-lGGLAi
zO$Nq(Q2eRF#M4Q%+PTrM3X<A*9Ca}JX;YZCnHxy~_|k%GsSoxEad^)hAKCS#t-0+r
zL3mE-$V02ysqtTaR566IU8D_7huDMfi{3Ap8r`!dl$c?B^v^Xu`V*Lz<7qHk65Z2X
z%2s3iAiMRC_oz~$isJ{dF_Y{qp65+H5KV3m#Y^zbANBsC1M;Z%!?FBuKO&a-_fWK_
zxG4JPV~xjtyz{q0S*{tYEFP#RfA#_6xc~c_*KHldvl-D_YOZ7t*C%Dth%(7qb83Yw
z%jaS7J)Y%N{9+B+*?WpZaeRP(JEFnR`53KE4&1OXs;@umYhqD^+fTKq_f<Nt`MJ#z
zT6nC!zHh&x>~Ekw?A>_bXNx)p2d%zH#43H+2c`Z|pD=hWd1DpL_RnXqYAQ5>CwcAs
zBB$-)64)vEfN8taw!(Z}JDr3-D9B934frb-G-u|{#-Am45>w;97=)(#PX?g{{v#&z
zpcxx}NARI>;r}`K*r<=+1RuNg@sr>~)4Bh>;6qZ*zdrbwu8#%5#{zxK4L+9X<2>_W
z7)lb+|D0W(ucKYSH|YE41bJ$FHwaDlPY*&1{Bb4}pnXE{VbDH0_%LW65_}l6i-M1c
zP<W?LRC&+{XaCjU!=U|4@L|w?H25%Rck;31L-m@|Ho2JV*C~aW=+#TZCVFP@Ypd8!
zW2%Snc69m;Mz(qDoYc`~PDJB3XAz>n%SKix&8%rDwIE2_>G$Q+b{r7W=W3a1)a;=B
zujMmzn+&&_-c;*E1ctT0&YXz~{4f6jgrUuE@)^EsGTdwpe9%XhnI5^<5K15o^`6`+
zjugDJgBlebtQ#IQa@F5%PMehH#Gp<V1`nE*7qgtdCZAk3gwlhRqPmiQolkyK6Bq^6
z1x!3xAow@Eo2!1KN#uH^Sl<7InYo>|d-7aV)~mu|{^B4s-5=<&aSQyNCKOO{d+?#c
z{u9B+Mt$@KAG`IjI`}Yj_*3vv18)BE;A6TzeiVEx(8o=|$1;6f!$*F<#mE4&0p(`?
z+HTOcB=R>I-N;FeGraQG<w2T(w<1U@w`r?_Gz0!;LD~m~s+Pf7FkWp*lX@kHRx7On
zb3u^u$p1&(yTC_TU3>qTBtQbl1P}zF!nA1xwaTbfQmJOh3`}fLyj5B+rL|RBt%qtN
zv|5eMMDm<rYEFx-J<^s|dP-Z)Tia3urH}+jLI@C%OGJb~z044S00IF8-tTYkXC?_^
zYy0;9f8Uc2%(L%%?X}lld+oLM#f?#uZOk=p%pXh)2sR7irK?jY{k`j&ocNXNnx1&p
zxLlNe-}R`n#N)0<<tIvAPrE$#xSl+r=S!|<j69QE&t!QDUC(rRE^|Fq@_Y)9*5k?P
z%=F#(yEU}A?;;pZ51)QJv3V73;P9l8a^6ln$-ovlmt7H#-wUfp7}=M&VZ8#s^DXYW
zU?@ifHU|B$lpAlCaONN}#=QUNtS&uQMgEc^;}zw9q2Ne*J9?EB`4m4u+{by_S)G_k
z%8I>Z+-$LGRQga=S}*)|VhZs~%2%Mv`E!-bgo56jmt~%ss-n&zfrxr!;w;xyn8=cg
zlW9f@e><@VYNtgj)uKCWi*_U)V?JUYah_6B;<pr*#4Bv8UbU@C+=)>@xzK-5P4miB
zHFd75FtH3*Jd$BsIaNFl?MIN}s2V<|Y@@|8Y3RztQ|SUK(gi$>i&NDv(fFxd&gClO
zRHAIVpG%LAz^%Fxi*rh5qlK}U(}4&xu@w>wWGF={K@cg4q040VZ^ab^PvY8>sP5h@
ziA@JArr+v5#RYZVCv=ZVab#as0NG;F=sLDMRQw2Jpp9k6Kym!vxLanTC$qFuANtbQ
zh;Hk=kD9HnDBKCteEb4m!=)h?X%kLuVnb|3>1&F6mN=ctpf*q0QmG<QbIRfr|DLBV
z1kFCsONXgwiO7H%A~k=&t~pW^gs%yz_(TJer}P_~{1~JC=hdFNLJ(ZgT!x14yKL8@
zPy`}VL*iq9v(VpDs7q&`E?1|e3DsOdWO2{Fl-f3qrbcN1`sG<dGa9O%$#262s+MFx
zm)*{j+0L<+Z05vZ?DxvSqYK%ely*Vd#UX_ItBp~c+r7ONM@`Q>mP6~>!=G!%=biOe
zegn?C)(-D%=Hi+X?u2&Mv!w7wb<KX_0ApL2m4_=@IPZcrS+Az{_g0)m*f=(`^x$i5
zM7}wH07r%6!K=}(Ka|O}IH$@k2^X}_7?S)ZNje2q4#(Kt61o+D?FEB%0gaNEzR68a
z-imRg)?w3vI_^8E4)~gJJ?P^y5*LqLS>W-X3Y35M6gM0_T_5%wD=w%lOFq6U1HsUg
znOmccHF|)kc=VCa$IrexjG=JW+4ybmJGW#c?(QL4m}?OAweV%b4dyu5;;k5<bXcUo
zV2VJnNOi)W7>0BYR-$|89gfwsEwSr$@K@H8dv(~Q?cd0KL33(BPleX=<&WeKKu-J(
zeUruy(lfZpY5R5+%`3fEa0?HdI4)xqSZ@$;GL3+f-pFuGJWji%NB_q1nWr+mPuGU+
zg)eQ%6V&6v!EWv~_)_!~_=^}@(o25JH%#emzwM0ASVp{Vb`ShTw3gIWu%C}VVmp#s
zaQ=;~iOrer`y^fI6YBm@`ebvBVID)$89o^~-Y?*6)``*?Lj%rMjwnEJ<4@(E7;_7o
zZCv_ihzv2~q6_xT{;l}5_2yf^yG_CT99U5H3^@9UUJo^u#6O=|mz7ah<iTdMXZa~G
zUBdGWj{|c!o;`~FGX28byI;q`VIFI!>=LG~996u)R9sGa*z>d#PGflV=C+@@dev#K
zwfz8m$ER)U`u-^X#^elx%~ZY@llOG<|2C=hLu!7B4ayE?F)G=b5gX(&&RcW5FAO?a
zl$CL}!{OV-gAU`YymdfvjL9T?c5y7M?{L1%BjNl&EIg#VFmrf$;lSZs-I?u#FJc|e
z+o(pbsnxHy;z`I=nCnDZ^1%+l0L>4IQoLLL<Hl*~f3&myvcFkBaIioQU&MDL-^=+j
zBZSBCW!4G@`Hls?LSV}R#zMkMl6M#kn0ac@uJP&mcNnLs|23Rye{qafP99hso19Zu
z*pKT2CJ#%F=!U;vbmsqAXZ~l;m_OU(-)RPb?Vs47uXN_Wvorr~XUv~z@=IoS`%kO%
zy2KS8UO#XMtpcBycb4bxEbn5sJo@vKI6u5U!I%1TB>3`xFX8l}<fl!I7GJ9Z7GJSJ
zwYVIEt!22t7I!ud`V-E|Tl<Mx*jPetP^fEZbiZ?9o-;l#DHU3JJkkGdd4T@7aoYa3
zC5ryaOo<;xe}Y#q@=f<Y@Q(rhOyCy{j7xsYRB5NUu2lHnM^2LuEjw`52OTb5Tw_LJ
z31c#k8Lw}01-#Y8yF2f7y<d@?TV}p{;X~#-SV9iN!dtNf9$pf=Cr1*-&H3$YiLz7P
zJcVoBQh^;AHo{zYoO|mT{fQpHsku%b7&iNoQqKNpAtirk;u{c!@n-_W_3@JPndrWp
zS<Fp&PtGHH+^NzL$sa47dv904T5og~{=#zFRDqbn0A0x(dR1ZcRN1Z)HnmL}T|de5
zcH~44c1;yWPWikQk`q;h^1aBOh>YbUzo4DG^@-1%JYnElqjKU8_j~bd99o$THxZ?u
zN=kRfcuzcRmTGKSV+`@Qa9dwHF9ep0xrZ^=N;qK7>+8;W?cR!a&phWDJ_ukR_eSSX
zIId5W-plVL-l*=o!F8E8dY^R_c`Lq)tNdXvLcx!41u^sHOe%Q4>`5f=C(MEzk*z*)
z-wD%@=mP?8dAa5uanDZqbGezXZX%3_!v5n$FEuak1D{srOHAgndN7ceJf<PD`1Ac<
z96*w~qJA06JJ^0mGOk0*hZg!KGHmi^ps&6qvF!ZvW0_?=A}2CSN0xKNT`x9#az6X)
z@?$-`6_cnhaw7ZgDsRPjoK!II#XQOtikH4`L0&<H$uO~+ht&DWD+r;<*~mjCe?M<U
zw&E8T@t(rH1M7-1`_~nDdA7ZO;aHaCeTg&BE+6JL=uTU7#X$<9&a=5fihZ>E5)<4i
zbsv9HXRp%up*jfiX9Pt~^r62|QsHi!O>f*JxV#ll;3rj<w_>JAbr$E}a3t?GAok^Y
zLiwf$PSPjdLlxh}zLuV@dnO-8{`<iEZq#J)6|&|eM!q1ZUy@BKakh19d6USoZmp6N
z?=LoK=E>b|-CA`g-Z1Wmrzc*sjwy+a)=`*PV;!Rs)z*=BTXHcjOUG8fSU)kFLNe+n
z=6F64x~G0(U*~u0_H*sh$?Y#bQ$O+Shi<+!uYTf?_FWrSe&Bw)uJ0Rp7oX={JV9dU
zo!R_+A%~yq`tmaYw)p7THGk!v+3WcKh2iF2dwK8o=^pzDSzN=(<>kBh-#Uc%7s&Ha
zzKO}?%2?y*p*+UL`!CAVlNjsDHBns7JfTk@SD)S{O0Kg^R1Gd~AXlG$CQ7dUCW;M~
z69xuy^%-EI<Qha&E_ZrQILG`B*1g%ght#~uJ^MK(WT+CTkYVQcT!qW~F@>w%5$5+i
zh08mVX5}Vm?kCLe$Ag&js%yTMUu{}Cs^-lc6aGnsuOfVv3BQOMbMMOsqWjNxzn@Zy
z2Bo**qivE^B)O0veJ`-Fa(<ek8U!~{TtR;SCGPiPo1{T#9z(car8bec$xYlu;AJG%
z_fn<0+~$z~GfLb{;${QnSX+EEF;|j9-z$`22`QFPoFG+Tflapr=T!vh`&pGd&L)xn
zbIP}je9K%gmJ!HZOb=a6hGlvOfoRs3!PrB6Lp*{QjNQ#tTAI&oDW&;u5SkZcTNBsA
zKa&4W&^b)N*<1r2VnJH7ept}CFFz6R@0}Q*fB8?o^Td||&OXkEyurqC<!<-wyR4LW
zXK$cpU8XYo_Xa%gnly=^?_|KUJy5eDGw44uF}~<h<&Q7?j6Ol<Efwy0-E%kyWd40Y
z-&=v2CQ|O37+*NrB=K-<@jk&2@Ejq1(0|gmPqp|@PK+-bYm@8)QmQ7&VIcCq74#h;
z2Wj4#5TAd(O>;8DBE4n<X^wKdS5;B!x=jDRbVYB4ocF1n6kvg3jtF!M_XHPi5AA)E
ziarSMg!sZye+S;6rwg2{+^Z+VmtCzqDVPPhrwg2<S*3Q+h)<cayTKjwbOD&84e^B+
z+f?0Q?}V8|O|;|+o2om$gI)1V!e$!e7S|Q$r?+9r-)uwB&-+d5GeJ2eE@SK5CVw!0
z6I-pCL;kgXydi&WO-cTy5#3ry{HAp8(8~DSj|pOWCnySQ;@zXeDe|iB?4zLn^~)F<
zo*hBwuQh9jc@EXA8xe}nHI0CbLv*=wBnTj@I;kw^*%5GF3y?hEITZ452|~xq0{&wG
ze}jK3ppTdspJOOB<h&X3pAcC<_YJ-sHETtIA^*A{b#4lJwuGE*y!S*g2casm&Avo1
z2b`TDKZm**b&upX1${fHN@N-G*9Sf8L(a<qKSa4^7-Tjg;5jfc9v%0KwpZ^DIokvN
z?V@%hm*$|KOZXczgQ$+UzqzJiSit{&z|$V`zw77z@um@%-JD;2SulUq`1rC<D0k3#
zCFp;R=NoR%UlR1Mr~FLMN#6SMuZ8>(bc6mj#(@9jnzbW>Dxo1W5MMM*IRnmn!iDDm
zFKGqI4k}(jI1c&W3-Y2B>3P0qLuOHY(YZD?VU5FhR?D+7h>mMhfcJ7bLjK)cNlwHF
ze*-m>xW7&OvKs1X4|*Dc2ti!wUXstXx+VE7{`>fUdwvU)&@w`CE#M)?W?DmM1d-4Q
zU8NjN{w)?2oGKS8RKWJ2zchb47zt9!c1qc9O4$xRys4`FYur+r{dF|h-~((J!sH6|
z^>DH3Ab{`#HYuZe1e8)8U*uN_PK{pIs_`6fPQr*h2Z(BdQkDp!WkMj?n}UA2n3xuz
zX`+Ot5dv<N(!xDdjMf=`<|poWr#*m8GznK(w3;@04sx45RU8~2Ut~~#0@R^y8oP$)
z-_(^U44T?Esg5PIdx^3GJwA$DVlc4e19%M35{PNdFpvnsoGl^S8+3Fs<bTy-cs);b
z`1jH(NV`QtiVP!C$h4SSH$uoe2~lqf`j3YEJZC}|Fm)^w{+1EG3T!L`l4T?CEDMPY
z*N=!VE9inwA<lD*7cnU6SbW(9E{goM{(~?L&v9piVvbYu7?X?stq%F$)QE$6nACW0
z!@tv`H?`Je1}_8qq!0PG6S5(A8F<!6^dAKYqm<vjRgL!V4|?hi@i5{bAVyKZ(?K0q
zn>w}#(54aHiR2{FJ`?TIfd$%dH~JoS<vB(xm(XO;0Y9MKn?{I@#h00pg0qFrcUu<l
zzoy0o$=IR}YXNK#PmAX`88rlmm=K>kB;9J$@d3|DuDoXSdsgzmp9UNh)QtXVJ1V4Q
zFjl-@bLpRu?Sc5RjP1*YJr#6X0yd+s!Bg)v=QjA-gSpkZ)?t&U<FeZ!_eM3M0mvDU
z@Qxrt5`z;!aH*mu5YSU)g(xc*h6GoD8MTnB3ALziy+&YDFt^Sib}hrpj7<-(X#~~A
zAjx?AMPnl5YoU2f@nu6*9?oj#05Gf)Z`k0}KoUHh<a?QtA!c=SZVidHL*dn)W0X)m
zBH*+uTfkQhcHKgjI0tiUgT8G+egO`U8z=!lAIWd#Z4wb>v*);gqKIbR@2iz~K(c12
zW1tGrQ-cmq>#c>Q?9_XGxrZPWwU^ff*JK8Kho~^%YYgSKKrbTjpnn4d&j(6Vm%#wk
z4vlAgn-nCLJVd2~|HjPR1}dS>YT=(3?P^UqOCVf$NF!oUGv(Q_470vDe+easDJ~g7
zrX|7noWZ83T1_+lWYD)W0N?fV5@Ia~Y!2o!0X1a$czLiU_jm}jsa#Sx3W0Zrd^KPw
zKHDHZnA^y}rM^}*MFWx7KwefSG>SDrm95~el^|Rr2p4;4Es8JeBN%uJG2mP2frMe|
zG>n34=r%eq8T2RNNXyjv1~IPN<)#hd5tO=2i~>qgxywe7OI(X7by<k1$G?M#Xq4>@
zo=#a0$if@ZoAiX1)1g^(yXS!V5&k$vDT5wGFfWp{VVI|mM}9VBLZUtpg0%!ax@K&8
zsWsrQ5r1oS8ge^)6u*X9I@;UT))?>|*NcJ<bD8EYbw<G77Bq<EXPHRAIY|F&7Mu`|
z8p7iR9;K{>A|>U}zrK!;N~t9<<g{w`ZVC7fhWxD||LPD@3k-?Om#9*w9<1jc^=$~|
zqJG|JxDrq?rHMZ!LVg5uMyN&*v$$NK&*dyaNIW{)6mv`hi8@G#Xl5}MfV})~f;a!`
z0Uxlvk6<LIayL=CNp+me7aQbR34<}b(N`x)muJwN#*qJgvCmc}2%#e2YzTpkTr@aB
z6PO73-w~6f3r5;fs)hP?SIk-F+d?^J3<f2dNK)Z3Gk7B;FF}WVpSAgFb14y&LbjlP
zBZ%{Cf!3SI1}cPG;HeGyYS~iHAV$U&kAid>G$b10%g!+<I7m{@R(eCsqt@4GiaO}o
zs<B2<t3U$<n8}eJ7LJs_{7z7Oc7L~o^_gNIwPZDHL69%;yv#E~6#a6L>}Gh|NnR;5
z(3@07Q^3D16p!X@srhOn<U>l$@4yLD07n0DF`rc+mkg_5sdx;@G>EKhf7e12Hh+h|
zT`5}qVqYzq)*wfxnbKO6ltI<Rh-x9!&;>=dh}pD+{9Jbtgb9eLi&~6}#^NFo9FGV@
z`e;uB=6e6h)8#0JN<2Ek#BOC0@Nck?`VaX<r$A$87l>2s*-oX)MD`N41X;+xLm9T4
z__ZWwVG!+aimMS97B6e|zYOq8{0Ed$y@-@zMlW$oG=L28*M$5B0p(ofRWG#g5PPkW
zJ1yFv3sWP$u4v;S9D^zgOj0A=h?v_`NL;VMjEKtAv_^xlpQ(Tq)oB8yowS-l{+0m$
zY8ps8x0l6>e}h3r!1JCFTKEQ?{r>%sHvDBPlpTyODzI&)sRz^~&w7rpFgkI->FAnW
z0LHwu1|Wj*g}qH`8pzwNa2C>U4mu)d96W>LKQ06WStK=%h%YoG!fXzW_!*gqNULFQ
z8hWegUB*W%s{rnkdlwmqXM7t*#OIpsHmhc{*!Api+9cm=X#jD&2S$(^AIYy~X|Q&L
z#^|b0eEu*26>{1_{zLFU*2p2&@6I93jkpYF7cM~&Q|2C)2qFI-vBiM@AnW_{Ol~cR
zc54WSG=v!zaDOB#Rxwo9qPO6h;qU%LC_ei$$^h`<(~SBikWj<RRJ02R4P(qDB>6e5
zeoN<TX<EqN9$(nQ<OB<(TBUZqPP?`XGjPv<7%0men$aSdVWMxVJDIlqYvKHv$_y=J
z`dRqBC$QczZFt4<-++Imp+{$pnx?S$qTv?O14Zsg3GiT268xy00Z$#vg9I-F2mKAQ
z%XjbyTw~DFE(X%f@aITd7D|+?lKeNa9?5SH;&|7&|7_>FzRshlUasq6sYu;ZV9$#m
z(Pej=wFLqzrafuRmc<wszSYB)BX3{h^a_rCub}p!?8wAy?lo(BXhw15#5E6HR^sgC
zB#`WGc3)~_Z(+h=YdE_9LX4Hy%y_#v9;yy--*Gt7T0JRV+Ov=wKFWq-ymL=Gn4JNg
z_GU$3jU6|fjV;!?$7U_1N&fOJ6t`6&u5ygJ31ks0_UtGg{d&lMD)9vIx+j^OZzp;H
zL-LF0e6`cEPjWCWt50<w07>tMWb4aecZ=qbn77NW0!*g7Ej=-tmyh?LHO$Iwb}zM!
z?7GIOs|@C6@c>!n&H23wD=*J?>hyeFCAXG4bx<8|=IzTNNw(9hz)W71!Pi4EIgw*m
z;_m64wGoBxi#j(nx^a0SW)E%XydPDyxxm2em)V)P6F=JZK9v}ZUnuHb8S-$MK7~|<
zGI3OfcwV%~TN%nGvR`GW2k)Jl$euVVL%oO`SQ*0jS~Q?Clp8C`Gm*V<REGKxc}``h
zFOh>QLuc{atBLG~gSUE!999|1Bl6tJP=6kQHIV~wRE7rX99Iq&m26{CF?|VPx%X?l
zIMcK!IU0;7p8BhF?cMfEf$z<_l%RuTU9cU^msXv95EVzb=o6<-kyxEKl^LZs+pnbc
z4m*D(%4)uY`BwGKxiaa#OZ#yZy>94$0P-==fl=+V8VVA*vS1j662i`4?aWqn={8s;
zds%NbLI^Gzli0NTgs~UgRLp%O?Ca9~QtyoH0x@-JKQXUh%<6}6ARK@2_VAJ`+`sUP
zx4VDlP+!sQ=CmnS_VYy}I$<RLF)B~Mm^fi<*!kgH1KSVh+s{J#S!6$UWA_hNSznX=
z=&>~}(RJGWYb;%(sqO0xj*&*cFL$!nc!FcXj6g2HE@+&wyPi$EptQ(f^u<EswpcB4
zk-D?K$l|ofqO{0hH1WFG+f7^3xC*=dqvJ$5rc`=EUu(`|{PF^JiB2EyPI$rmharY1
ziEj@WvmV_A8nEd8YtfV3LG6jYy9^1Y$2<I>tdF^DI4YnslJ9AMc_;tr!Vl=6w@&Zy
zM3WE_|C2h*;1P=IhTQt1u6R8&QY)#_Z8;m-b|z-xHyZ_aCcgF2@m<EH`Pv7#GBFAR
zc-sCQpK<%&uo>CDKa=4odGHvBFz*9ww!<iJGq2czk9Dc>YC7t#T~Lx5wTUg5&UBqA
z1CagJZ0UJB@f^j`IPE=N@KFa~zw`jq!MT-*>vz(5>8>;OS@;9@Fvt{UXu0$nY+@}x
z>rsPEtk>p8uD~XC&g;|1U=u6&V!xx<#Qc4#Pt{Kx-ha@PY4sCF{`#q7U#p*(KmYpU
z%bgd*0#=g!p0{$pN%o5Wb<ay=f8fyl<H-Km!`J_c?2p~p?*_8Zp4Q`8vj6VY$Oy6z
zUDtY>o4u>O-gys0lE=IFYK&;vu61p~Sq#YQFiYiOG}B|wGFoLBTUskKa!LLotSO6Z
zu(6~mUY0att?FfdWk)j(nbC~3s*m}V5zRRIV!V>Jg{(XYZNB}m)A3fcareia7t9Uj
zFH(wuY1aUo#)e;awju`!r1^j}Uxq%DX}-eGQ6}RWjQ2W4Qo0*7RGAi#X@Trb*9}kQ
zT%er8l+3u!RkDR7TbRyn!atTuzfkE%D7|r=r@}_2YBE7S74bYpJa1~sPvv}GIX|JC
z#)b8+B!4!^W}9TAQe~J(On4>vRYX>$n>bt9&sTQi`cx{t@r_PZQl(TEDwT0vAn-0q
zB{e~xR?%}PdXA}gOe*Ib<-9~Wjq741dxm7sm}Hly$}o}sRHkQ?=`v+9u1iy?o>A_(
ziu?>k%r!-fO=U9SS1OZnVdpE!uOwNeNj5H3hKVdt<UAthr4do7Vy{wm<N9nWz43i6
zRmnW1GFCsOoM+8`^I{KT?t3sl82kKio$W)Vd^Gl8-;i@K<g6obq*kriyzZ0b4-E@j
zF}cq?NSuQjfZ%q-|JZ|PqvhTddvHk5d5uEeV9#95`aU7vkR?2Uu-r4~M=8k4q+zIW
zwT9wzE`8>be;<$PJ>=^!=Di~<147QOQ0_4-B}mDeLcUj}`te9(6++pqMNmz{S+b}g
z?i+i=U|bX9!#yDf6XO9Sf28)FArC63_F#O@=>G^_`Rx!(1n2dTQN@tGPYBhpgPv&3
zP+TGB7%?FpXU96>YYF*w1>(ccHTAWqE=lkvf6cnVI8;u<g!t?WHoRB;=bCkWl$Taf
zEqVRzAuU-+RI{$9NnEpTsL8#Vh+yvP6S?y-<Y2!#5%O&h=DvxWHO*P9UaX6yiR+?S
zxZVkP6650w$NcKGKPLmch3h|}3Tm2qQfEkb!|d8l8cbinf?|g(A=ETAO+!Pz9r#V$
zx}b0K#CZPL5Es|x?xW{qx2#!rR?vS!K{Xo&;|h8(=e|XH7Fvr~CDC{FN{2D_w%RX1
za{E}s``+^Jkj2m>tyxc>x-R+@R~<IY-1Xz*7o8V!R)&0ALcX=3+#R^-xU*PC*&=D$
zdm#*JsFyIuvG|&g^$ns^ZGrgQVF&sj_+p3^C5ByJn}NjN7Vx|lv_Ym;6IrvKT5%mA
zGL&0a6dyj2#bn3_TIf$LELnO{?QvT+)gBLFfOGai9a1tZ2w`e-c4AAuVEz-=`~ZR%
zihV4#*Z0Iu74q!S3-{_{baTW|AFhzILovD7kT+z~pS?rQt07-qz;}SA<A$uL^B4sS
zv2vl3RGvm@GZzN@`$EpvkdJET`!?S>{C6RU7La^NRVzb_XP5fDrip6bCB{~ZYl~3n
z*%k0%C(rkUaxn#Cgxmn}bXb?xwbn(oxb}z8x-p8L7tQ#0nsgfi7;c~WZ7=8?@_NfC
zF{oCU7ZqW>hKjoN>3SlB&G<!Q%t(a@w$OUqHS3`upl~VZWWd3CBDC~T*Lm8hdbS!B
zpL?F?w#WdhXz*cv-X|-ph{1H9X(2Ai2Ml_47`oXoK0f?B(?$^?ZFFgeHg=&RYJ`x~
z#wr<7$qP#W@ji^U8+y{Q7cZ~y=ZE}%4SCwqeR)DDYBtc9xQ>Q$>xtAx1_xWvMFT^=
zdQniW{I+J7e5kn#AxR@J2WnE+d0wF}&tLhyzTDln6BAO%IZp3~d?-Kmggm=VZwkjv
zeJGG(y7ekux*K%Tr5}Zm=rWg(o)Km(CDEm$OYd0z0FU<s{LtbqegmH58GBPiL>xp^
z6u;=B5YgKZQ3x}%+KE1%>B-P3_NSA7*ir7%6l}<}ED`XuNQVRsbs3>BD#8s74gY&I
zWHuTAp@^r_HnCoN4SwBo`?F>vgt!`f1AftMXhOfK;aR6$2pWp3L%wwolWh0747$|}
zWkx0}Pb9?<IT2!`2KCG{+ZI$@PeTNYK2>_)S=czbB8v6D1FP1rHdGL#arsWj)D8)~
z!*z{{$z9E~81k)Bl~6_Qn|Mh}eeY8yDji0G>U>{>gEGJt2Q2SXEn;5NKvU`o9(?a@
zN?jN9yd7|wi0wt}02@YZmPvPbLVVo$n4<hU*&Fe>nr}S&M$m_1cC&w{8sT9p1PaGK
zSTmi?%s_OXf{x}Mg?~8gQ#k578uYEsm5aee9hvBxs)8b2Ss|DX_DkP3&to(0MUe@V
zH5&%1#Jzy%-|uY3IJ*_-YBmgz56BexW-xvca|Jr_4MG2_48ovq&G`7-3!j|0d_Msm
z>`^E;`^apM{dTCnZxfiyuA5y!-vQrIC?yxm(Jr{Cz`8kq4#q6;rNRCrHP(C9IyE&L
zdey8M;Kx_9KTAcNl6~q}&4&IpYX%yB&Hmp0V<_m?Vdm^p_tP4$+1S9_!LOlpb1+EN
z0z}Zi5xao=NDO}a9qMm%UiEAZ=I(N~Va)a&2>N#CzO3CFYcrWlvLw@?j5WJLK+`r&
zUyD4A<ZxaMI@@a2^r~qbpt4@&IJ3S<K*DrqUHxrHvbVo6-WL%H#cre1j4-#zIp}K-
z#Ao+z`bFRTnnplFLOG6X)$FMu0XpBF7<2gy<#XIqle-OJ2<@?Nx349aZ57g;N-pwa
zUOJ8k(3(BX%yDxWv>pTHe7gq)Hr#Aoy+|XM!yLOOiv|uf+4mqO)im};lWe`<ux3wh
z+`;(pOo?*`QMUq5(AUmBmZAT~j&RwkQJ_|%ku|E>KC(AhU<u+SYEM&c2fgXkIt{)K
z-!>p_09u5pb?R41919Gz^XczOvY<FdnyYE-RnsuQLScoHJz4ldGFi3>N+6a67Wmip
z52B8js|`?%Mt7m77GRLbu%7%jT6(RsIp}K*I=ewCI&vBiz)a$_A`S}L-3GNLs6oig
z#bB_K{sG_y-*JpT24c5%i(hbuh7}+sN|>B2fIrWIOr%jO3$-TKHiK3GcCin@7W+(9
zdwSCXWGT!tH|IYuxLeWT#}^IW{+s7-NBCamqc7UAUbX<OX(*Z2BK))<TFHuuQId^A
zxecD90-0S;4ZcRfjO7iQP%08Y6S!Ux%xilo7mhty23(<z>Y?t1L=GGuKYQ%yn56@j
zb;0gzPc!m+&ux{*9zwWrSWhBMf$xBG(g!uJ2TUx4fS?fZaTz6y3$Sq=L0~iS$XrKI
ziz7h=Wtx+h<Y$?Ta%I}&xPZSM;Y;wZA7IPIiw8nhM1Z#qanXq9C4bbcS35?Tg5(3?
z)T@n&^GOMnuspat6XS5BzXfWT7@vFjjW=BVjE@DuCTNM?hen|ds12)wA&($i06Z&m
zu~#&+xIoDCyeceXS_aE0x!u?*Sfc``wqih71K5wDZ!be=0p}ev+?oa&gwLkSn@yJ!
zK}`(2*WDt3^Bv%%;3f|v#@`X2JMdd|{smCPY`WOrq4EVJ*?Ka(Y*IX+xK(j2GFmeu
z17iy&Z=ZHSh=v$>)RG!{b3DzSl~k?~*JMXrD_(?r>d%7jQyNIElD&EnC}ll}Sjif=
zreUB8I;{DCC69+z)<Ovj<I8$AoS*ePuwi!dRr}djB2sMZ38;W6EYuo&vfl&{TRbPp
z2Y~$B2y3tay6~yc-OAr;xq(5UYF`2p4FcyFkO-NrVWXL%zYEx#7O)e-F7~Vj%(?ZC
zeQ^coV~+)Fj68D*7GUc#;Zqou)ZdnI;qTC9jz(bX5NP6B9hPgINTII9f(O?-9lV7p
z@SZU=cp6};y3#_oPDN}4Z3{4Vc@FhytpmG$hA?{@Y^Peb3XvH`wb9N2jd01_<CdL<
zJZpii8%G5X1~kpjjcAMB$s)afPmtYrR9y|9n#=!XAHbMm=NZ6QB?@oN>M+AYC;rE;
zH-kF1N47B0b#hR;%K)~`9U?$hoy&A*7$;0rG-qL>NQ1c3fb&!X82yF-u}3q3<^cZB
z$9U;>r9xexRx_7w111pG5MR{uhP#-EpdG)kB`(?Qa!LBp0%X|Zhp<Lb?`i`QLjZ<I
z_YTlt;oA$NE8j#GUynf=c6kQA>BxqGK&H$tg&k&iwg8kEY<$judq$5w8%#C%IvmXV
zVlHqi6)Ngt%K&q@0@|hILq?IyM~B0)MS_|Z52pyML861<bqQeO@@-?%?G^AFM<NSH
z$b*ErKbXY;K*StKZ2(RP9!9Qp?T3wYgyQ3}wNw;$gQNKxV0l+n^nT&|?%d9W5BAZV
zi#p>~A;hvf_2e0O9ioQeb#IEztsB5dbu_0pnZarX0)}AEYV4obI2R&ZXn;05dzko?
zga)pLL=bV<X*c)6vA$vG*${o;amd*;LBrE!btb(5@ozFXjKWq#XVNfRd=`nxftVn6
zbLmQqn1)??FB2eg&z=xsF$*#J71D!Qklo1QxL9duEFo_gvU?u(_Wrjnnq=6Uu-(bw
z>_D)*4dI}kO;;(t<~d34GE|r-RG<~I4P;Az4E_cL@0g+5#B^rYjPEd=8PaP8rbYZ;
zAU@MD&{=K1{r%>f=&f&cFrI$_%uI45KshJI$7lNno;CI+F*xnIhj(jmx17%BQqrVh
zaj-kUgi=L>mdm*u?(|vA^s1zlpeMoPu!`fdv<dNMFD}iK8oMCJzgG*1=e4YnJATn9
zryb295+p$R*k3n$^vw_U{<`|RQf!aJY)gZocIS5lX=4_gj^T1f8Iqa>Ds)zpB0<p#
zG{!Um!wP!LhO0#YD^g?ZG6?z$WcG}L7*t-GY~R#m3qBDtnk?fR^-}L|J_LAGFh1$p
zs?8MIh2>eH@xug0&EAv+9h&;*Yp77f2gCvkCps7~PzjJtLZy%>2n`Y|T_iH0kftga
zUpV;UHMNfi5x-a^u?-x|?(nr3*^5e6%ZuRUH=m)1J5F6NmzDTxZMa~Oyg%q$57Utc
zfeR+2FKss8!TKIyYl1{Aio%1SWdaeiD03eOl_;}*pur>E>*-)+?w5cy8zx+u{|tK~
zF0Huefgc2%Z6Q`l;M6%T;ZVz)7At_7#fl_fyKF&lK`7o6%B@xOMx34lDD#YDC?9!|
z43$JOx=oA=<idjJ>&5}pY#hj1slK;LusPtAj8X|grJJn_25DVd;B00HjdD7G{~1;g
z44AoMk@G+Ci^PgwYH_hP;8~>|_G=}_&;o^6DIEQGC>IswD&c8c5N(Ka$cTr#T$WBc
zO%8UO4A8m@6hI^sT+qs~0}!l?Yi%#UGwE5-q?cwiU^WXQJ`AVE{_L;OCK_$FZG@nW
zz$ym1aM<VXK6e4jQY{0tGMkN{2t`X!?Bt%3s#dG-k<t@E-yUDPxO=P6YM2zLf*YnV
z%Tzi5Dll`ZFuTpAR-;~=3q*_1*9vBXU(^|E2dY)<0P?>wA%6A{!z*P*m<P9<5TA3-
z^w{TX5f0JB7~u>(fuMss*GnnT!F-ncw&utLsx<aG?e`sI@rE`Ad@>Q9r4*=BXqeWx
zEWT=`?-+nE&n|8Oc-#Q!(PrY=fLE!7KaDVu0h6<h2q7M~nYqwGvyp4)b2r=vD`rdD
z8g>P<Th*5^YJvuXT(g$%DX3Y~57qZ&!gG^a+rJ!&Uw)a747;UIlK8`J*|Ss#-%OLX
zX3b#O^Q#Q0H3L|6dsb?iY!EV?13)XyMKgQTj{<HLQ#aZT9gCT7H5o8O?Q%j>ummkZ
z?$E>!US|D`>X^U)+Kbe}8*Wb^A&ewkuX<`ix#(gb=SH|K0VpK_D8Pc8?zZ!h(h&$*
zHb_H_$f45E!8C$W0SQo+aF8y<O`U@tgqr>UI>*0No&FY>6sOs$i45sA5s1$jo8R*%
zTQC<bpyQkkpxbQJLVvhKJ#LoW3>FS}4W(OI+``ti6xhrz92O18+goyR*}g_oL|;2Q
z*)ByV@9?la8>qzCAcK8bP!EjBLpy4K=^5I>2uJ^ip=1ps+`5vC@b$rX-!W9q+K+=L
zXH|Tr-@CqqY-tM#fpb7w5TQs58WblPA0IcE-M7AmKyIUs<G_-9;HvQ~4m^qtF-c{j
z?G4Z~Oc;$Uo-h%?-I=HWeSpxpz;LPK9M4Is0vbs=(9;5}b16dV4B#}DsF%Uh!az-u
zp@WU-><pG<sFj#G7&^;*9UM0rJbm6b^9a#e8l1sR*IRbP+Lm>8vNr+rJwB`=$dh>4
z?<{keQ|+|-ngePJE;GnYD!Z_D_lz=c)S`zcmt{t{8jwe-W#U2@7PUc49;C{hfG>fQ
zA=QBHvO{`J4stM5s+rWY2iMH!<_wgM!Tf5Jryw2Wsb<gw6ErhM9~*)T?yoppz>RBD
zAeS>2So`D-de#Jd@3MP4lxw2UsG5wMNN(4=a+%4MSrzJfo~+=%rlEhxS!H#;DgCMO
zCD5M|4&L_n4sntXv3Z_aK)1P#SQPTCVgu+WbMCwHJXsB$ll~L%p><ktV;uoCy=bFC
zP_<eW)=;el)&+AnE22$KXxz8icPLjLw9X7(eKSoucMXJiHNeA)1!D_c$td2J1?Bq>
z2R&xCuSQfxWoPslSiY<aYL?5$2v&)Knth80g+U8&_4GBzmt9gaBYZx7*47fC3@L0O
zQbZvG9lG!Jnepr^B?9EGXP)BA2@T&XoM<qD04EzQ1%OptZ*c|=<%y0(?t?0nfp0Ir
z`63DMMIHYhazK_*0xFAWp~}K{goFK_LyjQm$w<Vy_vdBLU+$}8Eb4IGN~Q|*>9j&L
zhdv$GNfYy);0)!i#1Je=9{Z0Ei{iRauH588v#zwHLaPo^PRhgsU`CKPb|7SX(y?gb
z1QJONCPVDn2hK|AxxpjO1!Q9I$t#EhzEj4=$I&Mh*9Y6f&_DGZUSQ66`CjIrmnUfs
zzM2-<q@<H!P(v;k;FGcjde($;J55M3G%;4N{kSe!A6yd>9Zrdu(O7Rt*S{WJKh_Eo
zVx>|OHZZ&t5X{2NMX0_oi48z)6G6#xZ3tl%@f`)?ORxQH%XP?4GQC&&8PN1EOlEx_
zEoND0KyvHxV&rsP7X0-x>tWjDTr1i=fiKG*wl@`?2H#lwT=1Wf1w|!(5PW0*l(hmZ
zmm;3>gZ_}VI2b)-e-rq|Wx$^pA9t}OJE45+^^J3HLuk-`1I!Z5+`)t3AQ14d;xJ7R
z#n>jev_lVUAu^D=UaJw`I*eSL(aFVBq_v4mKf24untp`*xdwU)`ylj+mb{&U{}~|x
znAHs6SVxzb{v(ZxeXNL7q(m&XXt2&QANse8r*Wzwq|=d@WqikRnH|qk(L?swm(}TD
zA3Na|&N2izU*KT`ZI;`&kv4>2D!5a2Y(}rFNXG@=Y|PMPGYF+X(M}_@LvI++7=QwQ
zPmqNp^NcF$AM$L{bj9>z(`iLvT!+E`*~Vn0{mM;fL+2Fid*Z3m0GlH?1d46jUlZ~$
z0ZM)b^4-?F1?0O4mN1Px0nIy<&p8-?-xSI<ZUeb!j{1Rok9gNSY@Q|?cC<ZI=R&@l
zC9tCBNMEIcqCh^|+QRz>JqYTg7350C))Xz+D3n1ZXh^`pSJW?~{_U<`&1CkF@r=oi
z#<15r#Ij5CtP6V+!4`H+zaivcO?$xG81e!BDg(QcLo~onRcYAg8`#NaVV82PsaFan
zOpIvSEKGuao;@=T^sl7x4)oak-U08s3D()3`1}!P&uoZljG+TL>f7qa3iiGvTG+Qv
z{}2xQ-fE0^C>1uCrPpzU<)Cka0M3=0k!lQhGIPSZjR9{-(4$;n4htTo$XG`~29vT&
zY{f7+U%T`r8gp)8KlH#DCBoS96vV(=?cadReqK&y{cPu?Q}5#}P#?DIa~Kt$gfH_M
z$`LN-?O-k<J;FN7XiKi_ftvl;Fv6F^^yWL*tPvM*3Xl@^JNsnKTR(t8_M`LNkHUE%
zC9%l_N~lBtyV%($U2uOaJ1XF?e+OeJKKx3~2p&JRyvj1>1OAtF-t2%(i<k@1pAFS_
zvpIxD)!6d_SP$1Dj|Y7i8tZc9L_{~KG$SXeZlULZIjUL3Twqq;0*vhnc$mL6o~Rl>
zOke@3jH@xgf-NR2F|;-?*I&ojc7)=$e<nlVFXVvVxo!7Np3k}n*6VBZ*UC`Ha;=Y4
zo=5~k{d>@}VuUm>VqNHPwn$Xp$WEJFTu`7=2tesZmw7n11U~jK(J|Ql2f-e5@Ikhh
z#1{@a`rNVQEI$z(<}jx*RD`mFth_yD)KyDA(ikN57FizYMlHmT=$x-n$oJ%cyH(6@
zagOIU68;Lj!m|pq4AKE^fB`x_ndln$3|59c?7skt#sPrjS;^rX7o>P}(7~DCW);t}
zYhXaqh;bq=0u=6At%6~P&R>aS-NaN4Y8ykIliH+?ag(x9k^td0r7;U_V|VpzQIUd#
zk09X#BrK_X?=cV<b*LG?mj8~gk=eZ!0)GQF9Oms!K_u38&p{Gw4?0taJ5%~PGxNB`
z481PI8g!-)aVF;kox+jk@I{dO%sTHV(>osjADp-N4ljcIAD_42hRD;-TU`3*Zs#pX
z(EYr{0OEDtf{3>hhq)2{|MBw{m$FMgb>5=<f6{pi4r7d{44utkjPoi(gJMO)&0&ne
zI4VQu5c!G9&=4X&UKtu1D;jAc&&5$08WxLak26<|eT-!1SB8d@>{FGYkHw1eO|tWF
zRE9>JcA#Sj`^t5o!|b<Co#)UUi-{F~_|WqldWECg&Tt*1@K;x?sqcQA!&~v6+P%%$
z0kiFzLmg({HD?IS#%oS=n4Q<0I51nUgZXyvHBX9|&DX(vv-_H3B0M^+#&H~^>#>iY
zY9qQm_VEKwfN<>NV<u7R*oUA>A7yZlecZsVbAhijELDQc>?a2@v!NWw%#Ly(Gh51a
z?n8UZfy`_w2Qss(9LTh-JoyzJeEHGyAj;s6b5*Zs2Yu=Y$=EJP3g&Y?uRTKYs69e5
zt;-RTrJYAeUgNODw7-2uBDTP^GxogwEU}+z`)RNrT~-x#VlDR5%BS>Vj*xKsX6GjR
z3EstL_X>{5Gv8v)j|9g|Hs?qt6|9`GyJBy*!w%l4UhLz@gTYvlMOcx=SCK_mk;PV#
zMOKl;Rgv9+|2uWyi-r8?6vS?wf`Ds}O83tPj+*Gqi8*T`#}M*y=tM8WL$G7%JpeI8
zRb*+Z$dXi%rKloHP(_xWiYz%58EQ)Ea<&q^F0wmu5mXa7;o;Oum%f<9dxGiiP+tTh
zf92-I?q^ntBP-eYoI2K{BQ2cl`RBSNdACN}4Lm%p_m#V!S9wXtG&=iBuf1}5&ph^P
zuAd$gjQv`8J)O?Du+>|!UdYld%5Mh#G7@*<TOhq#m;SRj<V=hxFx8tu=Q#n9I16aa
zvk;sK*_k-S9i3(x*_n7($3y<n-Y&b3p6>caaACSN!&TeQDfIN#{8OZv{Io`K^THFS
zVzbnaZf8z-#DOy*|J<pQaD2uz#}sKWmE3z&*U|-bp5>oAhtl@n-OtyVgPf<G-(lOD
zj_`=bo#6;i2krA$CvMWoqwYs|CIg&%gy-px%1m{H$1+oUglG2ex*p--epy7bf}^|%
z3NYTq=R`No99|Ni$dS^z2gdQ^eR4nGaH*k*`_3CqbELI(Ty^Ou<Y*t)%2STS%hNHA
zrwacIkL9yG<sI2QBCwRp9y3_;m&CJssmuh=X?RM<dKXXhI5m-7)#b;^%QopHkG6Ac
zKJQ|VQPp=wzEHEfXQcHSPi;v-ecA3n<QUg+e+^=Y9DnSg-gvq0@fN&~A3w!0BomUw
zTMagZi+H_HK8Txi+1w9~E2+G?cQCM2=anM6dnNBAB(mEZSgJF5$;tS1e<yE`7&=Hj
z+id5H*uB%ku?J^{3-*<MDm?mdxL^<Ox^aQ_p2QsR8ur{fv)H)^WjOgIW-@=>c8BqW
z>lK!vpzid+c`nXh8cv}nNqEEX)=}XY#~1tNg$t4oj0$J*Oo>Ak^$EYKh!u?qdw4mO
z*F<bBE}VKcDeK{p;nB5;+*G>QO&poaQ(9fTZsiAie$2GSK7C`JLizl(#3z13={#W_
zjy*gr(Gw5Xk<MW@<XkXMDl2!nT5wZ1c0B;K^YEF?4`4G@VL^+1eEBxh!t^1rCDn*_
zD?9n4J92vp`1(xsLHG1LAZ`)n4b{`8<bA(2B2KzI;!B4iZln^`@w{Df7KvQ=R;Xa&
z!`{%z<RvyU81I(9Px42<PRRqOpFdXloKL3xX*yPirSoe%AGVkDcXrz~;aFyPbO(=G
zXC!WefWppd9i81<T2LJ0Wu*%T@)%P5kwF=W`xgkwiQ+8qd|_5G=q`?BlOQV`58`%k
zI~Urf3Gt8+$L_k<&-}uB^4uS5DHHPH24g@u6ps1B1zXBSwp}OsHZ;TK%tsT~0uU_n
z61`ks9ODJ3*j3>e^^ZO%kPDh0-IUl0SjB`DUkCu6ESIuWdEm~K777!FPqn_ACR&;u
zyC&6g-Rr3rbuQvU`Qj|o?qY`z^@0Lk1Dzb^?(?wIS-u$`SRWV_sq>N+wVj8+xkUe(
z@KslrUT+X}m8Y~{3O#vdgoR^eJe%8II#|sb4O!MEeq&lgOB6*=7KoNFOXS^FZTnR{
zc9o~>j{+WB5qBBWcR$x5Wm<3r#e}nf6;n@+U^j4gZ&d$uoBGovbK$hV+OU^y{lz8Z
z?%?LFf~a0PKeE#EVk=bYt!Reh=usnY#SZJ@BG>u2oR`hJNk?k+Y?8O4hQvo|Nu~RP
zc^8(0y*O566f(n3f{=k2f(ttl$(r8ijg)|=TI0ZpH0TpASK<{Jgb}oapv2j!jFC#b
z-l%y7%!xdMha~g#>EWiY!m}cy2bp&Mms^{iE~3`}2dPKe&k%ijC?R2a0<n;siQlF(
zjU~(*?QK(s^@&s$t|(`UAVVSk#G~o7Q%u?&g2RbSQ`#O%Xo@6cs!~r*r=D(7tNp~4
zE43+E4kt2GY4g)*t4!LcO*>CXdMJmvQkK-uDD{zFr5d^bZ|Ro^Ut&^b=od`$Q9wp=
z3%?p~yf2ab1_M9~2>Yg$dMf$_g4+Iyp26}x;<DA1(a$LS6@_Q17(FkQ`5bk|UQ&02
z>rE%&lCxT0{&1>=`V*Jxk!b#<$&o_|#HpL~hf}?%Kb$H~e>TU@Y>u%uhx*9G)tfGK
zokKc9Rk8^+)qTZgo?<f>rsC=&;ZCPY?#ywC&7s}_l&Pt>defmMS$#ysb>=wn3)3X^
z5jke2;_6MOx;a!_XO6Wthx$n^PsP<o=5;z%TxX7-C<nMq1%hnXN$1r^RFX+-IB;s-
zv;CC3jefK8p*i&&*^{j<O<v0~*X1kmhdsOn@W-8IU`Nj<!lbwFl|}ZL=gN|K1TU?+
zGnDb7?iN^H#~it06F-ShgRyS>!#q_6`Y#Gc9-ER;b}Lg`X+hYT!SZv)%&=!mxPIc4
z$<xL|L61!(Xu2lsl}jh9=#SBmE=6yo**0QCI^uxpT$+wJFCFokBIXHEk`JigXX`If
z{THj!k>5yHI?Yx(MwO097h&3Shsrh)QukPBj;icnI>MihFqK|NM3?zCRX;bBsQp3J
z|0x<eCG6Zf)z+J*ddH_rG4;MVk9ti+FddOpy-n$eqI86*_fJIV-W0dJgJQFq=^Au3
z`OXV+*}B^ApspLzIZa*PQIRI%#&pE{s%t6{-TD7Wc(eGwXwO@bfT3Cbf5f`r|I2Wl
z#{X5F;s3&|;s590aQVNw$mRb<W4+ODk(~u`nEyP!W!Zjaxd|&wj7%jin&OQPqzo;c
z`9D3}!%Z{Qvh1S(Zb~&w#T$KF?RRGd!&rM7zt~J-Z91)(lQ;U3O>5>IcNXeVZqsYx
zu@(F%ok^(mMxV5qTJ=!{E}Lz^pZI1vZ31uUodD9IbUoZe?Rd-pPJV?Zi4X5GgH#;e
zTw&6cAJ>WRzV<<W{HqW0;|G2U5@HWe3D*}DswBQ)_dC{n4O1*Jsa~qG38uOUrn%oK
z=4%pu!X^}w#HSR&AI^EkVVo*Of0kJvm@5EYYF0qE2|>8kAEDL8VVo*ie>U?Xn^`C$
zS&NA=&el$+O4gsv@q}{JN7`+ea&@>)!xmMN{xlBEV#4Cr<%_SJnJ-?7K-HZu{@(IM
zFA-<piyh*N%^G8O(wCN9^t+XzGzjdO^r`X53+<2PWt80}e(*W?QQq^G2@ZibjD$C^
z^0|JDyXvw-w@SsX?q2M2+Pu_6XnkhuyIA%8DjiXmju@<n*+g_*52WA`e*~U1f6SX|
z`J;u$Fy-k2;MH_-rd^*?JtpF{bcErL`RRyl=?DWr9|J&oJ(8+l{E_<8{4oz4NO7#m
zK=rnzOELAXewKPo#NKp-;g1W`5$~iUOuauOq6>fY#wN~$Ir=mUnOerEmgDI>rj{?O
zFca}!I^r|J;shdGx?phhK`(v8`*gK4@sX92m*%OUUhuIl-9NZn`a$t8oLoYJjL7jE
z@Ax`rRyl5Rw%<<9f!%X%|IgF<i~9O6VM%m~DvQZ0GA3`c@{Z`9cOH2)Hu|ODn^kEO
zKd;0Wc2E2uiG?51_i|pCZ4*{0;g#JJUMq+?`>*1ZRtVncATSi`6-i`AI{MEz=T!dc
zRuF}LhHKmH_}u->iBrrSD1cs^OzGZ=U+`<E552vCi|OMpxVlXrWmhnDlnrItDC>J0
z@TKG#_~dQ4b;VOBe=L2y?QM4*-A!ICt!~@uhIhhqBk;f<^MKA<aVH4v3S9Iq0?axT
zWsc;b>+QJzf(Z`7m(BaFt~_L5j|PdWvh}9qDnCI>rwfUCe$x^}SOnDLCoVteKEKW<
zRXDantk5Fuzkh6asQL|twuF!Va8?_KaVoX`Y>tO*jv;hM_^Ovi>ht$x>(UFl^k;k`
z%iM^vCq}{)Vc=bgDr?0rsoK`%wRMfPmE`d;aC|gzeB+Ny)27(Wg`Jr{R2-jYb4<56
zrgr9-*6CDn1_<c5N8)~)qsr!(nTq=x;`lh__<M4A+a(NsJAZ^@GuwGbs68B;#zOpu
zOH`Ao`VcBkR4BYJ0ytnzVtF`bmtm*^>usuaq!QhoQJg1KxlD5yHLbYIZWbMu-64uA
z`)0S1()E2}#!T1ei5WfSb>j5gSBN;YKQWogjeUtB)G73rKKB9IF8xtAvTmETbh>2L
ztw3gJ+Q^Z9P=|d11re_T=@BtrR1PeehQnL2nqM=5DqgWJ#`;fiv9H;EW4T(&g0ks>
zBh{H@HwGfDp0Z$lrdl7aA3v6lm67li%ELG8e#K1WpW=R}>gzm^19xDY!YA5Z=*A~h
zcIo`Kw=Dne<P)m7^vSj@UBd(LGqXUtIW_L}grS~ue*PZQoTx^)_=Lq7>FomPT!O!_
zw2+a1_lwVFS|nYkf!`OLcbk7*d>sL3@U`5cYdJoPF5S<j&bD;q95C1_JW^+{^-Ua^
zWhIffJZ0C^>s_UP4q4)(!qc*Dc%szO-=2Y=s?O5c-SHIJXVG*!&35NSi>JcHE}q7A
z!&79RMbpO(nlcQUe%BREZ~oBbkAbf5%^)m<A+R9(cl*j@H<A|9WNdsX#~3+~$E8E6
z;G(_5=y{8sb>8UZ8h(1%@IvF*>x~}7u_A}$iH12Es@26#oi{oFETTyaI6Y&b?0_>N
zo69ND`4DQ~?3ruRh5=!uH!3x-oMTebJfNTo<%dAt_*D$9A#K;E_(kGjTE=sqXuP~p
z^BR>NL;MfGko9Uz_$o4cqj#%Zy-pTcnO9u!dYGNoJj#q*I4#E;EijYBg<>wzdvTY<
z?#iJ=Z*+zt7}rxURr5u&oOt~$qdfhJ_EZE2=Bwa38+@%&?@{X5!#TyyDsbzq_!4~r
zHcCJ3-`jR^m1%wx6T#Bz+Zgg|slrn80yse8YVz9t_U{e(-{1kz(tvcfN2*lj&G{qs
zWaOB(E4$7wx56vG46md~7z^5Up=M6l*_x<T9$s3V)R{3{u(fQxWt8)YrIA&oIcmy}
z@G<kFp+-*J4~F|DA_RfKzVNuPRr#8mKxHPJMpWBxESw?#k>qG2?5Fs5=R>D@pmuxG
zJY;6Zwds*$DXIOZ{2OVXe{b>|U`Ouiz>#`SiF3*wur60a$*DJ1?SOq2SN8$il|`Fj
z)a40z4L7|YuQn9dPc$r#Zy|+b@HO0yui<ul4Yvz86G!5nsx+E;GA21Qawa(w^NJCk
z1NFTa1zPWP#YYL{k4#=eD_oZDj$Az$=JI`aY+gx-o}Dd@KjvW=CqIVY62WU}BDh&B
ztpN1ei0$c!Zz^JBI$}*a!Z5*JM5N@gf9ZUYtp@+koiEB6Vt2pTJFCllvHknq=Zo(0
zVnBRCFIgV;Mu!_-bTsiLa=4>^=Wa{PqDc+)Q;L$d1xEKAVXnk$=bT>>VCS3#*2SE&
z7}q~6WYiZK;!Wut3}JRrKDhIBkvm@(O{ET?doZUytA|{y#=5M}<#nxp<w}Sw9!5p^
z$9s&W^X{r{vPyCSG}?9kPRZe#eU?rZ0~^kmu;{(wK1lR?ajhd2F)STnNc3w&XkOR;
zx~|(HhKNT-zX3fnn{bz<HySi<-eZ2ZnA@<p-^bbDjcT3F9j}RXv(r5H#$C2EeoT~j
z*aOsHW}Q{uXoN7Br#Jc&6L~c8w8?i=y!u=>pEQKxt)EThqZ2PCOfM8yehWwOT^Lcs
z^)=<>BzCvj`pzOM5LxXpmc>bT?d87YVsGd~Vxuj`8+`|~mavZ#E{w^NR|fYao+J+9
zDCQ+<XJ=7e_Na^(Es;nkYl-A4>w-x1M)f~TB(R|zh@u;%d?=APMI%W+nfR%|3Ks5S
z7I=_%w2Ou~MHdk@CFndnsy+)fU50~!Il>#b0A+00vH|h}accgB|1*u)S!D9RYfd>L
z&(TB?9%W2DaBlCB<_0g#YTk-_m<2R<eBaC+g>>%zL_1k{!Z;b}GM{wPr+IepwDq9-
z6d`hHce?!(B`h5yGW=|s49mqrU#AKiQIL)>^tp-%L!V!OAkzfujqae`mLu>Edq4-y
zkTcF#AZ@%xZM1^HsvVX(j)5k%<qbs{MXWdaCSgXPkbO*~+KWh6a+vMr(`CYnT4?h@
zDc<Nj!YoU1XGPU(spT`)1+~0KqVBVzeIHcwp||3v#4;0lD>OTwP9GnUliW*x7UcyU
z-THX%@cJxSI#LqBO34fm`u@aCl_yTwQ0DSG)AYd<@3Blo5LkU|DFG?^>7s7{%;*=1
zI!zyI8WPp)*|w4U#WAWTy3j}WS@#ezmS4GaqlvcB2HN`lywO~rY2@WwPbQZVwKPL?
za$k3H_%p4s`o(|UdLoDB|5KCc|Lyfe^_Mh_KGk&^eR`IQpTIvdUcBUT$IG18x{sGd
ziu$nevh~UIc)8upml`jR*nIylkC$Bf{e$D>6BYkc$4fcn@Zxjb$4dpR`B#sZ-v3j_
zOQ9JrbzR5H*P||e*eY}4CRa)CjaI_OrR2?ubo87t3MKFKDSCRI`K(i~di)7SM(lgi
ztD=E>2Vdcl)u?^<yCTFv&}1itjP#^17}q~6LZk%6atiEH|9899f1mXkv902Mm~v7-
zUDl&%{q%T~@{YXlRd)>G4Q9$T`d_x?n1+19L_h2*vj@q?;yhe%$B?qul6slg@^Kdr
z-il0u(5EC%8Rm~zi;69jk?}`YA7b7)PV0@j>5<(@!SerZinnA7g&~n8=V>0u6J2lV
zPS^hpT;1&N-Pa2jNmh+LHr6(2^5g2Mzh@!5z@+*J7DA6rSgqc;>ZJyK{+^+*bYwU_
zaT@w&WlFFr1fG}Vb_+22=I7-%eem;g0sK!|6u+v>f6tWI_UY8Rw7XunBMrka6(hZ_
z)=L1BFdu8u?bPcYe#}7n40KJM?WEBkP8Fm-oXV*`+qRYDaMxqcldJ3|jghk3`OPl-
z#y>qajBGcJqLVj3k10K`F=Cd^?<Rw)qS7CCBe%B7rO(TlrPYaDGxd{9S_}ptc1xf3
z{1H3)%#QI+{TyeOcs2ZQD(S9=bh|0(Dz2v@DV!=EBWgtk;(X#F5tVdv_1@?nVN+VK
zD{)xW-B~s|?9_yv?0j$Z0%B0#Ii6T3+X-0Zo%H5bdAHN_UA5LnDDO@R_c;Hq^6py3
zaYFrrP;B&eb*9(Optn;4K2&e#GlS3S?e4>!*4xcg1S09YM`^1S&p-K!#EsHBC1N`S
zyV7?*8$3~|FEu3gLA~7t=<O~{_m9ze>cNEMLVmEvx#wrhCIh3iLy47`@I7jdjLXj`
zy(AnPm!G%-e_Ouge<}OM6jx_wM&cl4Kv_3g3cit6bqV#qY-#!EBL-J?m9+<t)z$Hu
z!+v@x(LzX!9gW>JQ!f8RU$=z#w*NBvwzi*38<?lZiH5KRHGgE{sx4L!3yGdt`i)7(
zXqc;#t3xGs)LneE(n)rnS!G=;J{I8WzWDekD!JnLEYad5=jutkdo+pXR*Ic3j4IZ7
z4VqD0Kf$bG`4&<<%DM?*_iL4PJkbK2IfPGf!>8(ta(N8lefeH)RyN5t8e;Wxm(sZI
zD+Osby6fjIAS6)N6aCzyMn9K_e`)&{8Lz{$Q{(kXjn|)mP8%^M9bpuA<>?52I>IRK
z?ny_SmyR&{-s_0a^wK$h25zRy%_QTE-X-eS?%X2g#ro2(V;ft*XqXq9Hm@W$_4%-K
zlPeT#{q6}4#blOV5IK=m`bmz*l#X25EXd2!)eZhuko}quOA09$wzOz}PNU&j@^)5I
z_N=A23KRP95SENNO3pXWe&Hl|4be_DiS8X4zUp3d?Eg);?9<<KW5=7=@3|BF<?=;V
z(~x^dm2G2|9BIoKPIwo!Sy{la>01n&F8oK?w505nTKORy{PCW)McujYAG-19wz-U+
z<P3GPLDkpOs4|_r2)N96rKJ~F9C`Ho@Lfm3F>g4Y{ZP23wFkSGJ>h~|F-eqo<}EQO
z@fOvvf0=U*lb1d(+{e2Yc$X>A;HG~#)+<~vG4Dm2FIY>KDrK45J<Axfr1WLx<uByM
znV`)ZZ5L(89<$jSJz?DFEV=$-9oJraqcatPdSc#pz`4{{I}@K=Z%293MD0w3DB4T|
zD7`ilW|Ur&aTMQ$bp)l?j>N%rHjDP>o=M-eJ5>Y<k+(z>&Ni#?N<5>OIBX_R7yOvE
zTrKTu;<pxy_Y_}sbAArCNu3p=XtW;iq7v?28>x3GM(H+)G2W;iP!c-=!(W<OOhjJs
zg~Qnm&jxesKVfG)yn<OLT=QNJJTNq4BpN?N4s1l@4G$fQgVPhi{6ZXK<Ot&!E5~FU
zg>p>65td^rj>&Q$KaHOPGoAU3mB0J#Z-1Lwx*4Sx&>l@pn_)OGDZ0g#19HZaLHxY*
z6nrB2IP9lNGs}>fR<9)~vlzVO=vXe=wzm_@o6WS;+aShBy_C-s+BcC+9VO&_{~>FJ
zX{%Z~T_p17?j&*+McatQ=?J6fde^|1ycPQH&R-;0xNDGUhL((NOgeAq2XZp@JQ{fy
z1-QhMSZgUk>kAQ64wag<`bw+pTv14y6B}(PW-o74=h&E|Vz(gu-;(2Y|J!tWF($l1
zrc7pNin=`?)za65im$2n=~!J62rv1wqGNsY!}0NSODHdVVTk0t?f!e`TKc{O%Bbn+
z@r`PAQP{Z_3Mdg>Tnh!1sIY6HfD#!FuZ03iL=)FS0VVm+#I;aBiD=?lD4;|%aV->3
zBAU1s3MdgxTsx(0uzKi`GM5j~?&-LtuUa+D_Pg{lw!eR+{$5Y_hU2$zbf7Fx-M-6=
zxzeRVL-JxVn#t<HJ?V}zjOO!na995Sf&RH)Snuqg%S<O6O{@eMw|~NowtsTm{+ULR
zss4EvOs**BCvmAdRFWV4vxR^U>7Qu6Qqx6Z^nas^#Jv8mchN9)(W?)3k)K7M4FsII
zpI%ZwY0qcZekw4Gu5^*<C%ucebd37xoF3g~{pU(W2pL`H=k1^XUH12XDO8y0!P#sk
zh!_)tnItY}k~rvn;&Bp`#HY@?HlFQ^j72T$DCgcsZwlXan1d$FC~x%$dk%yP8Xtfn
zCo`c=9#T3e9KSX@?1V=;7Z`EIOm0=o{|Ii=S?A5nOFY(O*vFeCPAjKcl(VgIX@-Cw
zp9a3_%ZMy*fe{;VbvhzP5$n<sh3SaNiddA67?+MP^!h9jUFr4a)QVWLh&MVK8Wc`+
zOc0!u#CoN0GQ;4cm<!K1mgIdxEJ8T>d^~$(WNenVLNv)@<okNMEqoV<9Cu^5=ItIO
zp89aXN$(RCieB^RwD4Uor=p5I9XdmJOE?BTu9`li^yA_97jnYR<dM$B24&85Y@=9Z
z4+f>yp<VE&6;<LY!`vA3eM?_S;c@!Nwm&beMiukoSJRDuW-3_u*#qFwL`+RbOi@Hd
zI^y<pM6>XCUpnH>bi@$lxG5d+rF4Wr@MnqWCJ#bc@xBj%=GZK=>5210F*ukx+rTti
z`ED$ebKsn#bTUiFL^?7{`xsKO@_)>ndmx_e+H{RGK06f|1)*TNW>=4r_}9Gi0*Kzq
ze08KFt895O_A6#;CglhJX!KD!JH@&E$m*PgO!l#|_chY)#93TGsu?@m{@tYO%;=4j
znS^e>?1Z-V*u;C1+7w~ZYoVKxZD8w9JtH2beI<tkT<it4*uU{5e)07T7fgV)*3SsE
z&2aluV()Ddd%sW|o5KSGB#UR?#_@2E8G*6ShCLnOtH$R&IH5Q;JKvP<Ag3IPF)Pf>
zDTz%(z{tKa7JNL1-K&30?5#J)%gYv|*5jIkTL^5MXYrX>i>EjiHB}YImf0ff3tcI>
z(3O&fTF#FtZGF_FQ9uB<dO?2*7r6R^NU_nH!+q>lRA}PeLpEzFN!x3-e)R34hwO&}
z%;L2r@rx?n1(k56n%zBa@$Yp{mrVzg1{bkhI=BBk9r4ckv05LDJ&+x$I8t_fF!s$H
zNqrS@08r=GkIxY}(11631Q&E*g?cE9Gq!{*&HD;N!iQ`5E=YKVSyROR&G5w)YIx$h
zI#{c##eYJp@cLSyW1gz#Zb9V0ZDcdYL=%g?E%^qherTbxz(gM;HR;Y0QXB~k_Mug#
zBL)dUSXC3>xIv4()gWy;7iL<#VR5qfktCI~LVSMdU~&}eF#VQ8|CK5+;QeuRq4x)M
z{%Xp`P&KxlqNSkM*;bXVeKdKJL;^^HNDpM+iFbJ75Q|SV2#zIi(fmV~GauM-k@z}u
ziZ&kI1N^Zv*!IrEjc$;(x@p{)(e%Iu1Bt&HIZrZhcD}US$uZ#6!as>>b5=-xH1L-=
zb%*{7Oqg7S-Z>U<11Wh~L}wIw7au7BLdM0;Vlwjudbx%mSdZdA=Pzjm!m^q)633Xt
zr)Z4u2O5Px&}fc!(jJRH$ul1ve=-REUHtv&dg0F-4S|*}IQ*nLj$J%{43(u)jUW|B
z%eF|{eLB)K+U!LIA^+aQ6jOA-`?R5nt__mCaBp&>Ib2}*U3!49t{WelRR!W1_&1!H
z=7`Kl9KX(Vyq8_S_!YE7KSJMaE0<2!kSM}$hlEk+&Ad-Sxgvt;h=bz!UnasV_dEG}
zS9nTePZ@aDl->~g@f<2K6|tYIx2;U;(K7=oaXN8>1@x8ri1MajG-UwjWWjTL8lFRf
zXT!Y!Y9ek+N0=5YCc@=6UF1=__AH}hE021klW|+1!_J?@aKyQnQdXGLwb~0_(BX}0
zKSS(k)3S};s8Q*St`FCo>cRA$nHUC#Ff5}&jG*+Z;TT#Cb3z)X;olpsIZnFWnTaAm
zDsd92fh^X*bH|3X_cIi%w942abfl=A1wj$xmtnvWc~O7DKgsm<rzM+La1(_Q5#1$R
z+FqS_%}`+Jwqyb0_U<aft(4<I?#4)a9^zUKn8BaB0~9N|JPi**eg?JXBwi{p<n!+;
z!%MBEKiVo%^NWHzT%y+=`L?Y~$Ec?sN_U763O@NwddftUr6WvF^-V{JzAX`&zCH8}
z!<WOcA6FBBh|tl~8~r}chrSl+=v8`tq$5}KRQ3>4MFYWLWAw}6$B%8m?S1N}{2tQ!
z<_xiqz7_fIv>cfdW~u+fS+mC4&s08b11#M{I(n21BZZ0jT)7JUQ8gC_P^LUohl}A6
z`|(V2aiC&j*;8jMkm9GS`0iz7077qX^gCe8oY+sFpD@w{$`5A8!#6pvB<4<I)#FJN
zJBe_?>atHKe<4U{cl?It^5eM=`OA-exiq)@*r&Y}zau8Fl&Uf&c^XOzs!MMUco*jc
zoHc>SuAPBMG7u;~HgraPbd62)omaVP@DG`h-L2)vt4o{Y$%^c5FF)Q|x+1cxBjjIG
zeyly<ol{d>vn$h<SoXirkBtVFh52KsC*aJ@FXUV7MDvBFC8}H8Yh}f2OP&xBRDYFa
zuQym5fWXCMi$zg(Lygk368++kyFNUP)+_9{>b!v_@(v^B5zTT(6HnZOQaPUAQ!0;~
zNd<3tqbsQ*9D63grzEyOmX%4P-^G4VTF}X_O4!*d4R?^-B?Yah?;ji>LBwGaI+ghT
z-MS~D^s_SMkrDm13NLY<pF-P8oOz-Ucp0}>*~<h>lToa6mTy#%=mm;B`-(@u6Lww-
zlO?f*a!Z^)sT7P`qB@ha#Ch)Y5-F@cL%0eflg$H(U8`flr>^e$kef^5`GXC$#Ab~&
z<-eyxp4`0=X06o&C10WU$qGfpCu4QJDO{H^G7{0|KrTgjv+Q%pZB*6?zjtvcBU(KZ
zeFBFr*(DZ^hspK%uy^sKQ<XVx#^Qo^yiv1iG^whorKoVmDoG6&4e)3}T5{VR0DJq&
zDyP;`m^Z3(5Aun`yix6cFqf>9i4Ur(>=c0B#kag)DfXuZ7?24$@qv(&9|$>Bnb!rt
ziZ3&`syfe})JO7ZwEhh44WUZkYbwv|Qq>s?HoJffKQZaK;Nl+zEx7`jAknwK@Z*hc
zmw-UsNl9K^*Q4(K!gQ~O?R5(kYfAgs4p#1`nK0=+Z}jUl$?zfdTRi-8hPe01Aq2)J
z*OVV0?tQYaac?U>KFIrI2JUg6^F}o?#^s}h)%Q_vR0BpmbE5qC9p0$u!M`zD?XCQo
zYKh-B$iv0QNiF%+{`h#hq$pgM`AKHFu#0a(4GnmoyoEfeG`iwi=f8RnT@%@LEFSb+
zS&91d44L|nDG+%J?eut0p!_81RRwv*$4mTIR`yQQ>)z7)c^sIf9HodlL*B(F({<09
zN{5RE7kDj>e@c6mGC7fm)cQI0AY^qN(0;z~p&Oy}yIl(Sa7wR`-t$a!#L#q?J%Kw7
zO))xE|0uV9ZH~0#={x_K8V9BKcaDK7P-@4(f4D&WOU6L5&@@-`soMV$>AR1~luG~4
z(6_Ge>&kW>Iwv(qI$2I~0<uD)S3kof`U`>G_E!qpHadT2;tjT`!iiru{ntt+1#Yl`
z4JMG&MW@nO{dfwirN-4!e!SgVaSZ^yD8VXu1!-TTH!_kJ$pyJ(BtMRe_vmlcb<1q&
z)y3;Ka~-c?r5be3QEhWc4ExH7Q=y7eCGpZ884ST6ipN$U2mXm~Nx|W=amgg5Av9Qg
z!>Tg4bZSb9LQ#Ts^3N0@7Z>dFM*m1Q(>sPs-{kVocNnnZpC3StOTX@gRn$-R^rcnO
zJw<k_)n#-4m86trr~AAWx=HHps+i%TT)$@UQ0=XFma2JKzy#MvMhVIMooQ$oKJ}65
z@nt&i|BT;0MG4rmq$GH{+SS-}!}u8qbd;zVTDz-{Wg-vCFS6uz6Xd;=wh%S_&8Xl}
zGmY^s&Kx(=8{J5=$DQSkHtLIPSF3NWH~L$BcYCAX1T|95kL`k`f}}V4U4=)I9xHcx
z7eg+M;dt>Wr!MkVbz%9*^3pbnt9XuL!UY&Ov|p-oz79wBc)W{yI}MT6>T%_z?d8X)
zS~76?F<{Zggz{qmA$hI**lxq6ywTYNr}&|fW;*XHD*vvh!dsy=e+r&RIjPyU>R-d&
zQ=?C)3o?^Ns>f7fyI;l$cV?uDkCUVAk9SuI1G>O$T<!80;$2m${biFVxx8$mck%el
zaSOcWJk7Y@lwFw|MPfyHE541(yZFY;^5Y9i^U9C^#%pG97fy>bQP=WiNJVLQb|yY+
zA$YnPnj4b3+bhEsIa@?Tjgjgp<2>G3-@}`foxBr&2FkYQ)8kj|FZ)IE2c(qKBCKMI
zGD=vl>eNx?#D1&^HTIOm3OGXX@8z}gw8X1|)!w+)E0*G|jO2Y%cEMOg9bnW_ZyE<0
zD|N5YSjFTp=WRXpMoh!c04rGi*vH#$L|*BX;$kKm)o8(L$2cFo)YO&YC!0jZb5V-H
zM^UIj!nJo-l`Za+BECw4?7RlJ8CE`$%M4!A@;g?#B^oiTF5|53-rmU@)n{hEA9al}
zb$Kg>6PV&(sr6F#jAtc>nv8{#@3~SO5r2zrB0FJ>dxz}?!`RQQB>!v4D<uVgE$iDB
zsIrpzUrVnH$1c;_bMEbu*vk^IXtoKFu(&>yvm6Qu)Q7Ab-DQ$C^Yi{h;*Yu}lEV}$
z6R+cB-wMls(mPnimrf~;J+11BuX<Y2QR%mlE;v0^p|G%Xu0cxJ`DRX6{wA3`y?#@K
zNtIe65Nqu4+`bJ&LT@6hN`bvl-_xhS;<%}~IR0k?NBl2BLgJP`nFae&7rf-xQ+P+K
z{(_bmnz1;#Fq!qTmKTXP(7)0igfzSAAdWS`52q5xHUc{9hlkC;eOilJ?zl_MUl#UG
ze>k#YihwSC%M3X)i7wv?eiOAQ6u>-}36Q<B{k9IbT3gj9Q&s7f&Oy6;n@T7*CBU3h
zAi!Vkwy_oBS85aYui%Q!D&%+hb}|_NDyo<4z|GQ9m&^LsB(AWq^fp4hJJ0-1WfVK_
zlw>_O7MB(~W0S8_tcm~NIwvj9cV9*r{%xo?V#lyu=LCD0arJ#yzFU%#M7+`eq>7X@
z;*BoD_y5B>C*6N%l2g<4$o>x7lGT5Iy>m>gQ~HyCdcE@kC8X|)v{&Mp{^c2jTXaWc
zY*s6{5#3%js|8o-?W{G?JjWCqi)pAhIrdwzX6A^By`~vueY0ZaBydcE&i>Xs|3+!g
zn3=7dh;nx}+pJrDtV+W17h26{MKhno$={n%G5~9of|K86SlM~c-UHM2v+ny>xRo&S
z&a_xh=f|+R4Cg7Wu7b|2Jo9<#Y(7R!rTdJ$PyT@trK-AIs;Y`Me87<yhS;eIbFI?Y
z`zliQ_<%i_R8Go_#33`SmF|><_#EqgB@kPbpG`g;K>A@H1`FcEBd9DZp2QP*csTRO
zBmbMZcY(9As{a3HhEYevp7D-mI@V;EmzeU`7X)<%X5fqtI^HR7l!cV0sAqt@;L&pq
za5^5PB+bgNlwB|@Ee-JogCZl^h431bj);05M-i<A0pb7tti7Le83w|#|Le<3=j><S
z_u6Z%z1G@m?@dTMNuAW8ZJx*ZjUBQycC=)IsXHf++9^o2s;IVah$83!73x&W_?fbM
zjm%GSYiddwm1>zyE>@n6*~X2nnOXMPgw;nCz`!OHAYC|IMg897gPTmv3~W5%?pD9f
zuPhM5s>qJQO(sXE31_}5)179z3Yr)GrXRy=S=b^|>;aa1UHue(^^M+8F;5abM&-ks
zv&SDst`4^SD&q%gKT7q!31d)LT#)}FIY-^Sj&FhUdt5~;Ejj^$>U*A9Lxa>rz8jXA
zkyOzqxtU6Rf#{~>Lsoo;VES?T1SYCY9`9d~$Gg=#(bpppvWYpcsah7KYuF>v-UWl?
zyc4@MZmQlUw9Tp78Iu-yqN&oRl0iCLLeIQhWKzUFs#E)3UnG!=ZPcx@)Bi#*TCzW^
zpFuxc(krOTB3!px5LnW`RYZD;T@(w%!=LjV@%tbx!$d4Om7{(J#`I}?m(A)}W|h-S
z!|6;b?MzTR;>K=`5Qhhft=V7JPb5X27>)Vs-*J%NkutGLJhjfkX$5DZM(qg2?$>^h
zw#|Mj@PCJmLCw-~a8cVqDEyr}v<}7pCYaVyFNiV+6fg+fGRQ;VJ`1q(cPoLWWU783
zjpN18BPdEN(?5kJwdqsgx+wgxVhqMXT6Kqe4-f{yw-W0SY-bRaSdTcpdJhFwBF63s
zE;6fcSw!7<<lUwNHLd0S9Za^=vS7x^?CJS5F8M%|Yh}9*+uA9tIqIyL<)Yrv81Rh^
z{acW_0WuBd?vYsEAA@X=z8F$!-Z|e<lY;htykDWt0(@rfuKfL^h72YsW6l5^ySCM|
z!D(wia%d+3T~HUFE1BtwFYq({Lz`*MxNrem@1XpxYuqI61<A!Kdu%Y*Lk_Xr$jz;p
z)h!JiqI}af_d)^J=?~u}B+cpAk2uX~5m;^V-MNbRRFK*wD2$~r<g-Y_;Ju^9dOl$r
zYin|G5zM5XzBM?zj<gN^dysldBu7Qk>Ar_079a}d+T5^CoJ@LZiB%8dtrZ6>bYitQ
ztI7iSZ-YAO%>1act}`*_9G@+6oq$2LfT3H1e3Kp14JE4gL1f*15!oScIhg;5-I{+z
zWQV`)@^+BdV@F{y*B!)QN{Q@|Pk17`$^sDCc?1eW*iIrd_Rw)<_+X8j@AwqW^=1G$
ze5L3ofRx0Y)_}OZyVT|IT3~&ZY(9BANokp3Uo*`bX>_DoS$Hr8o(@+*m&ZP;J}`5)
zGh;S${|U+1Fng}k!XbL0uZ~5=cqcBH)z#Y1@kOPJ{Zw=u;zon^=DYI%jHJLLFrgI~
z1SG@JW5CVLxs(il1$T+$cj@0VjeeXQ6QuTIz_LG_R4ppPVWNSE-hi!kP|>JAT}<9S
zz((DHPkll?f$u;%XRu6*bRG%P6O43d`8DEF%dG7n9fwv*NM{F_zh_wk392V`|Dq?`
zWLZtd%S}=0gJ*s9b7edWUUit{9Pur#eGx+%oPVju(Z(0vMNFvtd&813nYFD$UkFn7
z!EwdFn&$rxkbZbDe^g>fsM98XT^1h66;-%BU8{2Y(TVkk1k)rM4u2DyJFEF{tbmh9
z8~zrz`7k^1gfl7=>mNiiVd@j>7X+y<5fF;ZppA+kty|)Xn#LhOu&8M)gdj2tZ8AF9
zz+?9=NbSaa7`Vsag_etfS@?|x)4qZ;iZ*tP6D_VdtAJTe$@jsZL!pCU`hH9n-v}Yc
z+xMs8g?uAFUa_0fpI`)rPah{^Z`}RezG|VpvSEp>aEmJj7uskY`Xbjelg@B=%C&bV
z)}Iqh|AT}Jypc3cY4W<hP$&?9Is)Zo!lqr3vx3wF1%YZE%ZTuLrG7sir0)QNY!2j`
z++wu@CCT4HrIN#pb>BwqEi6w7i+HnR2fKBz75GX-sp!~6(vXb9NJFym&SB=W7Yq{7
z+)7Xrks@Q|zMX5ACOi9ulTd86mmH*jg|K3Bg829xYLL5+>&X5j*=}$8bE?Cq15BU3
z5ly|QKer&_Ur8I*4IG^ihztEAZ1^nyr{h~vo8zN|*(qvj8tP<+sYfQRsH}@0A^GX#
zHy!$ZpZbv<tTU29mJVcUDj#h!IX7%6NLNM1a~Sle$-~ytw}9e`_NOS#C4%%%S>1U7
zC^EC%#HS%dxIbBh-9t6KiK{C??NdP7-i-HNP*=14Sj5v?IRH^$eIkp}b-Q6nI1l;J
zaPJ#{N-wGoYLOInE?>Pt5?tR(ESCBp)u_O*xXya%{(+{%)JlRPTEXk%Z#Z~;9T}A-
z_bvdeO#&7#<2r`&{941Srfc3$1Nb0yBj^`QA0zTjzW?zc^)lat&I(fhfItX+G)O%_
z$N)mA&6E-;2GeiXXdOY0`=~`m1Ubd<vOqDp0cqg4xd$T)MW<9Yp-{H64UP?|DL9cA
z>ee;Spd~LpCd2ArhU5}!u?5$tr}9n7ZZ_AZK>t_PH%@+#;Ua_7HN&(9<uCt-iLj|l
z5e2LWN@bnFwC6iaN@fmihtoB~l7lS=Qxh#x>y4El$RcSOsRO!lDa(QFN5Xvo4z@HX
z7|fkil{;Z<LYhh)5ms;b8$z0kSO4zB>K??B@Gr=a1^b3;zbJ976jv%0QvSxGVY<+7
zNimD6gg8NGAQN3#DrX75!^dgD8>Z%aNjCr5D-IRTrDYYc1zKcASbBs0X}Rd;7g$7U
zu|B0|R*)rpjItWaN8M0Td+_ZBc`a(<aPZ?qV9H9FUJZby#HSD#lULRsRuQDXNpMR<
zK9AToW)Qu3tb)U?tmlg4F$&Vqm;Fsuzd-yGt%2Gng1JC?p8_f`hwZjjcA2UjUPeD=
zLcrMjSAo=FEB#PKUwg*^{|zE%hG$Zp*KawzY^I9^%01G>7gr<68O7CTC^D3LL?zut
zc0X;8+6HH&^svkC;!6}E_W8GnV?%z6I2b~B5fvBPp9vg_?H>%u`S$<(-)esf6$@ZP
z-gW@1g42hGu6Fz(`Tj1rQ-XTI^alP$1BmG6*GRJBaD@f(q5=Vj%duv{DF)SvzZ@fe
za?SgP*vFrd7WkMAq6O(+L~OQ%99O|p%BnrLSZ$JOT{nv4^BCN?jC__5VdV2&3n1fP
zp)7rok4QdjXLS(_j$Gro$YHEHh;d>ZCnF{lr>Bu|6sPC8B6|F^sCs<3=+Q>SVmaXV
ze0W=U3-A(Q+!jomCl*u?t5V-#BE#?UXZ%c!WuV=L7o^6qB0xSnhBGLxgcIL#6Fp1S
zjUaV=iGRyOW%xI>h=19Lu>!Cn{)<m;K>&)}f&vt|1qmopG;l;zc?l9+45)<!UiA7@
z5e2$nLM0jBve}>I%qZ*el73v1zP^e}ti(mvGyBp8N_l1h6T(KYT|hZ%wVV0RA}-S_
zDd3sWpkZ<9bExCRsh`Ty<SFyHXzKqPkh$EZ|7uPDbxbX;!cBfzedWNW+>}jnpX{on
z$89@R@<J%8NTuFpdg)l4K6y8Fw~kdUna*%Nqtwez-HG=)gVe>EW4_pC?Zz>bFF%qa
zBkt}-QljK<oKfRxza;Ygz9KjE6^V@?e9m)p*3L)V+Bvx@cly`_Gd5i-X1Eq2ED`U=
z(XS>>3tR`AkSQ=VR2|jRQu|qeX{}HeR<nXdEF$pm2pa3nCFUx3=^|St@|D5y#}Sv9
zu{ADXi|pNS1>wp^-f#poj_<IN<s@Q@5w7mqJEDKs1lv;CWj(I!NBFkL-n|@8r^<SH
zY}Ctk4O_<nKCgj9LoFS@_3~)HWKVD{rN-rrmxXyiV(VmTmX{It=U07N?eAjyyye6`
zw==e)#QHkC$#-6eG7^UGh$@WfOdpA08BT)<Noekv7tFoPOF)x<84jaDw-i^>SomfB
zsQwpTceM5FYwF1!;XG>V4WV7b1BKp+tE(1Z4Ac^|ybqpmDI+gi7)~g11xdV7t<m~4
zsCWJ^7xN$0NB&X0^MAaUzkeZr@=@D(iUfcyxSF$shTkpVU{TO~5(Fz7!1!VVcl0sf
zKlRQ(shIzp<S(+PSlP;SC(Ozd^((JOa7li+E7NsUtm)mHcPM>`$l)D?PDOtIMJHud
z5IKHkxPoXQ4Av8Hq=+=Z^yl~vhmfn_6C|;*;1hH!AI>KzNY5^i+J`)n(S?eOGj(}y
z$X{B7{N_Gp_DF=9vYCw+^Z$wb#hH4hY^Dy?0PUT=^e%wHvx5(JrhZ#Oa1m*I)Gx0E
z(e10n{vO!J_)@*|7ws+KTS$w&N$(hz+%kBy7wccpSN`7hf2o-NhCcFl^oDm^G5@)J
z<o|>xZ7JoEidUwPJ9VO-qUyGnI=1BGHqP)aF)Ku`8tGAD!F?%LY~R2$lsZUC8#%-4
zJ}46zQ-(UTuxS)!kX=Agk2;_GZxQ+O0%>d~*E>W@g`^Y=T&z;B1mS7G%40{tSQo*y
z5Yaz8$4g>&uX60<P%Q$A+@fswIbzku-PJU(Q}_?02bU@NsJVPboOuf&6wbUgZheX8
zW(}_S)FCX2ZmuU|AH!PHAL?Y^_q->9xz)SKnm3&R%20i^ejjni<uT>SzTlkKhGTUc
z1mlw-xsG3C%G5x9{eTMAhy7(@VW;&vDoRR#{ik?>1lVUSz>+VqymX}(uA3zw{QWBQ
zTReaV82(m1VJ?D^tQQ}aS!^4l$ye9lgx4K^5qxP_!lR(G7IGkh+=pS3NnE*0WjbE#
zc89G0;U&~+#=FWV<o6Tq;IqNNk0FS-xl2{<lCjiTIq8Rq_i%+fmJ*5g?g-KckRCSh
z^&d~ksmLQ+&|-L`$CDW=om7!{F`6g|kk%;TYjK6%rsDBC`l;n=n6K<}R7QcF!p||=
zMV9>$m`#!H=1Hw^Ec@_?Wy4m=w4yWm(u&U50wHPZj4d!yk<yBmMr@n$6!BW)>8qZt
zYgbEOW>DDdFxmyvzm2KO+v{qL<rYY=V_vn9thd00#}~(@=KpQM{{@;anU<1zwyG=K
z85P-L`b#4EhbMswg^uCZ=LxGYB5w3x2Rr<WQ!L==Y*|Lx!biQ%-`MT&Xvp6pJen5a
z5%P2q?(mK+z`hNBG7H9u!~^O7t{d?8GI0mj-$tx3?~-SomG1t(ns8h&a@~u$1p{|@
zug`bOi;gWGMdxOQ7e-y&epDYEVN(eRBZw8&yZ+(rQOyj#NJQHhXqpZ>z;9=P>Cxnd
zXG7qE!Na^LDJO~Ft%#=Jx3F}j-0o9;P)M1>Y7$vG{r*?}{iROW+?yeW6UnNg6MWHe
zg`y2uM3i!ZPZ?E6k^HHYBYnzYg_QY#Ln-_Dl-&y{ai3D*Q`RkyI{#76p<cyLPs4hl
zkTTns`MpnBR7lx}G6f0vN^OuuPdR^;4<z7*PMrqeeDuQZs;~-8Dk7;OhJJ9)uzz87
zFA;gd^<INK*!S{)LNA|WDHJpY_>}5G$|WUh@OGii0j#g8Y9aS`2uSz;B?4a+d`Bri
z_bIm(QZDp>&H0pcA?3@yW0(1q3koT7Nb!83faSY}5BnjGbotZY;@cuW5GDr^%lJ<i
z#S;*|XUI1oGnMeO)3nf-rf(iK;RE1r)W71ae?Y$UGgdf3w{?Z%Cs%;bGs9ueb0$_2
zTljNUM6)o3xB9j5K$kPM4|%Nl@GwZefUG|&Mb;boK-OuI$P?b;3GffgUE5!I0jPIA
z_aTg`LO^uxO8-8~UQKrdnj>8IQU}vBXlf_f0+(x)g;RjH_%C+~@G}~;lLvksanJvT
zJaCfd9@qcHk<2uf4mTmwm@0ZIgW3o)s9nztg+Jqux2R0j_f7n<{B*8}Ka~4`a><a0
zfm2VB)>Y3|MVTF<BHLbkCNYg3vEoO24#<6ay|`aRfeuQ!)=`voDBKOgITU_YAw%m*
zI^g2gu8dG6QuZeuS<<T#wRSqCg%1bdb1N3L_cIZ^&)Dcvs(s4Fr+rG#@1pKs9CiP!
z-rYYK)8B_N4I{AsxWPTmn&<}i1fi(z?VOqous(-HfAdW72%f;wcn^+76+YW16Fsj$
zxh3;pRh7WAe>j|MB@tW79Io|`f!$kV3wQE3|9uXJsZZZ|D(dYMsM3+YP~o^6XWis=
zWt!A6H8{hfbw|>|DmmM8X5decJBjOB*j;wymGb`2CR2P2b>~k8DAV%aD^vVS_*Bm(
zDK^X=2j#X_edOBl@P3h3B{*MB?WTG0Oqw!w=}t|#6LY4rVOf}5rcSC0mdQDluB0RR
zR_jH_u6F+cneBXq_uEwmZuzrypgWtC<45wUiW-2NxltcMx&<98V+r2pn=WbpmQHlj
zyz?B7#=WS)jr+MStMU41NQEM^t;ihyn)Df7K<&=&DwezPdql@__b5*+XZI!NufN7B
z8sIAm-`K<noPK8C7)(*`6Q8_GeXUGheWd{AdUta-)num2780b+B5%~kXl_1dedH=b
zsuUDXc~VUUY1JF*FrDjH@A>{A)h3TYC)bl!z3Y5&vDINmx3i~QDg4m(cj=r5H*nzF
zkmKa}F7wCq-D~c3W3cAlT|H2kaCAePaEB5&^BWX(&@4<X)$}*^n*UdA{;gNrnEyW+
zkc;!*zhwUZAK=*T`Oka2f9^4>@dM32Q?PW2gUBhgY2*^5o?;>l$_}4j_YF+42Dp8U
zoaL~K?<=@LEd`*VdPaA^^@U=GUTuBd*;muk>G8|m?$=j|_oiBj=OUy$g+6XCCN7J{
z1N}vqc*i0)?6Xu4U|8a~M*3%b&kRTLx8%HgDL&HZY+=N(=^~xD)|Mi-h;X9-2T6DZ
zZgJWlg)Z2SV!4|g-Q8zZ<rd5&TYm4UHbkBCP;}2v3;rYyI?*YtM>*dIr2pv}b91C)
zjQ*CJn*1LgwTiybYm&ZD)>S6BoUvhoDt7f3e*gf5^HQ$;;&-7Z-jA?vJ~HYm>&7F|
zcoK#2l)_W=`g@v&1@@0m)l?kg7}=K<{_z8DnjTT-deQ49#cfHi?5AywUY~~R`?1(O
zlrZN6rPM;Vej<KW!fm6*3rVxdm`RGO3L3@};PQ@tH7sj*H-De!ZJ&T#dcN!0TT(h_
z5nUbdh#TX?E$OOF<13{rwxuh=1IXy{s4r6a;}x#H-HY{wPlM2X&(dt4dzEr{%**t;
zKdE%SJ{bP9PgO*!(}2jf@ZWk8-wynD_pP}5+jRvE=beURcVzQ4{{L*l_b0U4wG$Q=
zE+`pYQ^(;KKQEok)sV77j|nm{@1wYb=4o9su9G>s0KO&))V|?k2EOG3bykE6*vK|W
z;UJ|3lS3-A?bRHEAk4MdHC2#gQ`e5xi;`CDdK6DL+3DIjKtjP6a&7*mKR6labmpz8
zYno6C=M=wak0i1{KPAk060PL_y1>o&{$x^38;t>U{36_i2;>u4ozoKt$Fk8=5n3V(
z^|fUW)fIft)NzfEJ*wE1Uqbl!T>NN!xo`lMlW<ews)~c+d-@@1gpcdQl&)z{Ox=7?
ze7};E;q=O0opNv=lWW0Gb9H6w&^4ESs^^<C{k=ek7w-jnmw~!<ms@<ucA4D^lzAe#
z^2OxqO^NmUPJXg*C(z$?4N#T86KJVEqC0^e?dwh;HTqlE4;`MpLT7Tbr_?ko5u`ru
zmw}a-Pto$-I~r+8Jnm-sj#%d99&QFBB{{4j&OIDf*f^)kuXK=pA^Z^)6yR9`i30@*
z-X&og8Y6TN?7pCQZYpD@4Mh}}7d*!j$0@<)>^JIy^hbfa&YomjxZxY|_zKNK_9nv`
z_+~Ai7Oyw2N|54mDp&6oJ?!wJT6GprJtchdPkr($rtYlGKeo_ie}?Y}Q#vjQ_0EZd
zUt9JQQkZ^qfG!H+x;t(pTAM#`o-1{mYT;E+<;ar5uP)?yRoNcD-({QP8yo8zo1n%b
z$lE#AlAfk~Pd7Ydh0}0|&Ee-M;ri2*J>klEU=GLbnuC_Sak-Mxq760uuq&N<e}f~B
zzjeB<yvesf8_qM{=SZU?fzNLIlb!&jTso=w5zBnlz}V2M*h-m9iJoUw`AlEgY|=~G
z&iJ;QeB0NM+?1SpWksBGW4w20r8;g2zec?7_uz1O^d5zs-{fwi>5tPma)w42r1pUI
z$Fh60<r*i9$xO4POsx=^t5~^@jr-g(JiVGdg}bM?yf%AEovvu*m+RTu2k|?Y-@*J2
z;g^d|Pif@0k>41<G<HfmzwP{v<yRMjjBCyQZ>KttX&=`*^!Xt5OVFS-H_ZeWd~)ju
z&$e{9AYq9xb|e9Qll@$B6E66BA+0Aju}h{?h{;XtbLpM<<fa{4yQU2$O8*EBDF$Q3
zV0$q*wip~&3{EHpr3UJsdmlHL_7LCnAilF&hweI#iDfT?g5Kp-`DFtCuzQ37@$-r1
zM%{Pg2ef3*xsvmT9XmGzLCzg^3{bZEdo5dIQ*yp>V-J$apJ~b(d*)>2Y!;W~FxdVa
zmbwyJzMc6m@B@=GVq2~|hA#-E6&_jkG-)T!4Hhq``81XUTQBJ<m&Lm2$c>zUVAPtK
z*2#eLyWcE**;2-24J+D)J{qL2Fb1|L=EV|s511YDPf)7D?we`jox}x?o$$sY{TDmr
zd2agd7Ypv<BH%}Y>&~Ep%-gZd^9{@FY?pgi<C>RRfNTtRt>p5}I(snK+UcCo%1v%J
zWNWw}B>CRXlV54gY;Jw(wWhUQ-(tSoGVjF~a{)-t9}DnsciUV6F*`ao8MZ_(O>WvD
zNKaSYOq(SN9MgW|$oAJHgkR%Np}uH#cXzXUw$GS$HP{RfY{^b#hB>vd006|2R}2DM
z?o}{*JmkW4hPflzLAqX81#pE?v7v8sAPKQJn7eOc!{OYj$=+IG!x7w?!mv^+f=oR-
z^qJ?A-QC0C%_p(V%Y*0Q7|GYzj@{fH-#xS3JGXGcXznsyu^7zVb2s^3rCP`?SFF_V
zEy}Ttthg=8hLuDMp9PH>ZjkBWVu?S1!7H+#aU0I3@xURQ+NIKFgkyK#XHZOkj~wB7
z$`+y9c+BtNw}~-`dmPjrT*w0&o0G$^x4erotag6zpqq+Mk^sH;aK_{MT0qvYOjnCQ
z9TG42=;UZs1DDpV&EMhK<l7s4RdT3NLc6c(c@lh^G8Kh2RNa)FbS1|~YN;><Seu4U
zlcjtrSJ|)45A@|`Q?7*XM#Ee(S3T@FC`?4@C3N;nOXS7sVw?M7ZVG4dT>!^qTr<LJ
zi75q#eBQ!ulx8z8!83bhJDv@va1@cPS!0r|!;Eh_-%KylTc_QKTQfJ!W_;FAS4B0!
z{2{<AtS)V6CyaFAI~&UT^NyzHZ$u`C;aKpanlc`ggROA(IYDv>XNtkG!mkq-%x$V1
zenbY>hDypcn4AC4S!J5UJ}Yvkq+^-K?a1j0G?1pu@)@VrADvmAc|W;w1Cs9$@>EDr
z)^GClg9r}vQBqPW$bC#^Ik9`{3pp+}bRl2TGF5DU{W|<4=dm-+svpj&R*1*sq{RAT
zIduk=A^IH_r1bDmb7mQpB-Wo9q;>^Db_-lJ0dgG0la}Nt>Zingg7VbXlsnnZZcY0O
zV<H+G(w|(2Veh5lxs%<QH?c}GaO!OoCO$%|<8}OftK;BcZhNI2c)NzN+JU!+$f16=
zWPd$_VIVMc3}8&Qkoo@i=lo<R<#&YwnrmoGjD>F~|2p;6=|MvmIuIbe0GgK6vSwD+
z0WL0>A%4?Z*~#_mCAoMblzUfMtD?AO=0FuI9uoEKz*x?qMb1*CPxk|M^0hmwi{}cJ
zQ*0&vri4I7T34T28deYrW*kE)hxwIDV?%ktWV9w{ZY{YoB<rANFn4TabMCygO^J<_
z!L$PzR$>F=+uH(o&g^Od?(+%KPrxZ3<g+52As!~oI~>eQPlL)6->l+hQ1KXBYBEbh
zE@#JUrG7X_(5N~Hl0%D)^$77eXjvb$ydK$y)!~fRi}34O7G^RoAU=ws8lleXp6tT(
zPUl>S-I@A`GYhW=WmpX>wRs`^DC<j*{taEBJ!{uRwY(ngPb)V62CGuI`l-u2LXPIl
zQ^}XR6B|15_@PllV7H^R5m2^do+hR#xoREY;}qmO!q&_)O%L%a$Er0=iTAtX`=FLa
zd6=C=+$FfGb>XV2QNdiUnoewFnyXbXv5}#z*C2aW!8;)q-Dfr7Z<S`_%AQrfznkx&
z3lTCan{=m5MbNywfPUPAus^x>Bu@8UG@r`l*L(s(?gtnc{s~BVz1GiCr<<klP1u-&
zt8o?>0ba)l(R&fExjigCDVPfbNNhMWeqmz6+41v<J-TYrXA>Jf9Y2%sF;$ZePHZ?P
zexkA+YqcjfGzQJ<gXY(J_8vde1`zH@br!P2T&nn}ApJWxe^~ZKyoN}rr39@%#oXaj
zFvNm9k(i?M7oVoSa9{q+<U1XtP9Vr&S?|I>5aider<2qK%Q%o^#vva+>FHg-0h4rM
zj)KzjtyD9%Y53nR5IX<Ywq)i{0n!9ft*2c{P;e)hC<ar-;0zy(AKIM#N}&iPq9O|F
zmYH3sLYeiCSsR#M5kJT`peWyf52^wEqhmwpNlpB)f0?zUdc>;u-hCG!MIF(w^p8WT
zsk>ORh|=)%FT9O!k2eK^NxuWAK$3A)!tr>$@H>7$(?h_RnX8Dfzkj?xDZ2*gL$R{B
zWy|x`#X<VJ%)DKZ#{J}(r5rBoZc40!7VoAG7XgW_>xN&^6Bhv~u3HnNZ(C0f&08wG
zir{!R|LNx~THOx!Fa}UzGoSt$k_@b{DtC%bJ4`;Fx72%{vwj#JO<(yQ9r-hV3i##j
zd%T_c9)OKjgtrh<4d7FAZsb^c0Y80_60qg)=ZwQ03JKpL3W=hdG6i+OAMCqHkxd!9
zKGh2y-i+ym3)1G0C43O!%JtT5B@a>Wj^z(*_=q6=&$Y6D>(m`^c3z(0lwz~RI=8pI
z<E_1uDjV4O4R4|Lmh1^rbR*7g=&q)pph&bl!h>>C5c3jrF`4Hc?VTnGZ}h1-_W~gD
z<cyDr-DT%1CAa6XLziByd?~)#`M)JQ?K=G+`6*gqE1sOnfz&Po4m@7yH_)RW!TpQD
zI)eHlRuZg&@e!@rQFcpl>(J9Vmi}id1PbU1r{iq)mQVDb50-x}@Uuj9g1xE>haqV4
zEt=Oqf)Q~LO!!6#_M&;^4dZV!O;dD);#vS1X804!-7t?Nb`&1BpZhxPXMwOhUq9Z7
z>8tnvDU>6ehXgD6`T4tC+BoXO=9k{w@tG1aIx?MHd#B5F6uDID$G+63{r5^5mtkr@
zzG-2d8X7h&&ksY;m<4{kM@a@~Yhqa*WaN=ja8g<GFP|r&|Hb?Ye#?t@EDifpD42T^
zS1s1X_hZG5?`7Q7X;A&+J2h-Zyy`ftVRLvKqOr+cT{{Y_)F@df|Ig_RjX*ec4ccs^
zr!AyQndP>#?ynNxO=;`oHQUK0Z}PxO46j6h_?YF4u7>X5t10um6@;4@^N9CZ6q)J-
z`XL1l;S=Z_{6UK9Vj22J5u|37kAEz){O-uaxn+YqIZ1apLOW|wINI@6kppOcb@&Es
zRCj=42;!LvJ$pGge;2UEpzul0CBkn&pqko!?sHRl5(pwR4)+%0aS#oM6RE+AT@?nu
zS2^5r)oDSW&frFT6z$V@D-b`30qo#`y=5VdltOoS2A;Z>4y9HYYX~w2P*3<K?Dhk-
zu2<ncSnG45)~l^`<X=_s&B~SW{??Q5yY^j`=vd>NGLEBTOp^ez)scB{q@%j$K>OGY
zW{9P$?v9_pbQ2wOT#b_ivTs(c4ASqD?&9uptrGX^LfpPCAJX%=QC!b0C8Eq~kiaAz
ziwn~0q}u+4$in(#GU*&c%BLT6^5!b=d7~^A$gJxU8=!?pgSjhW3txs720{yWFc#Ab
z5}K_kz-2EJ5DohVI_#6Z3ig!X@-}iS)Um><r;5Vtjw2HlS>bOkM3*qNpb1n*>h6r+
zMa(_@_@qDF@;_VNH7m?D@=<lB=LVy5gxusS6nG!vGJP(yUE_c-51?l=B_tQhn@xRt
z%cqYA_{iiBIzsSJ+q)Oka{J%vrhXulpy^UitqAv-Gow^+&kl(72J;~GH=?$zL1Yn1
zkBC56K+%tB6_t*5q%eWG2+|YD7k-OBPR`!`4o0|{)?+Z?qwjvu(fx*EC8Imdfv0qI
zBZ%6{=ssor7smesOtx``T~r9_5O+Eui|d(11n4dm(PbJ*K^?ykuNvMT{Vt{eDrY0V
zqOgx3z;I|IeG?4OxlY9iA(@4DFhtua&o1a>lGyTGsvn+y9bBLfma6Ajrk-aTUy1qQ
zXN!$KSf0P*FZp`KcO@U!Wb==pviqQN>))A=ntk6Mo8~Q1ZB`EASy5I6GH?^>^ZGe&
zaa;C2t3OxW7|Y(KdU&y`Df7=*c6U}Jj&;2d%QaWcj%8y*+Okuy<Tql$*8`1O>N@rg
zXVO%p592jHhywAeTeHXD#+2WmtLzYo^4!Hi?)~!@o~7}ie6(gK@&5_DWORC+uFb;|
zfJGi9VDMMDppd+*8C2hz;r2Uouh-F=cIBvf*5}Z3!26HkqK`WERtJ^YxH*XM!+HTH
zesU}~lDCIb^#*IT9LpTqoVkF_BHpjb@WhOoAz+ml!!4<a`*ar#>K)mdn`L#k=I*sx
zTXPT93xN4QF*w#Y4hQ_u5_*yv87asG8h%aw8)tgCKs?;|iGR;PZ=~6N@-=TfPkwDF
z^PbB&(0VX!4tx@^l=DDTWtU|hOnfYR4(8<*@m&(b4(h1qKtM&u0TO8X(}X>cm9Hbj
z9$hT+DE4OHyC6Z$`EPyE$HH1~A{J*1S;qWxT-lZ(diBgO0~H&<@Lrbw)G-qAYujjH
z>#9+KAp~LyfH*Df3b3Ek!aj~3V9mCSQ($Z?cdZ&$cwn|=e}0(S(d>7Q#%44FdsZwr
zmYnC-#<F|X#|}M^UA&m~mw4#QJ^!jrChLWEnb7yy7h={VTG&3*snlm1O{eM=Q0+9G
zs#id@)ub!PZLf)21PRbNaEL&=0(6t@rg?f`RR4G$vW88F=Xn~p3xY+oOiM*V4H~Oi
z@b}km4eGPL0MzxYR{j@+BB&oj$pwuJKEG!a3)JhZ+U<tAxUqo8z&;SvM=<ujK>ilZ
z|DOZ-sTe^d&FA2}vD}6A;|vQ{=db&m6Ae2Qf8L{Qxg#4}c};Un?xNW}2cai&|1>^O
zt1WjEhRCDxU-TtLQiAJZ#(`w58nI={UuRR>q-T^rP6pjlBV2FGgt300*-1P!dD6g+
zJ7T$$c!u+mx>)X;wfS{pUEj{5nk@_1z2^n~&Hb?KA8E$2w}~gfTg7<VvKQ5Gdtyhc
zoE;{d!B|8%*)ibgX^o}qujaLgxryo3HFS#Y4GN#34rgCTK01hs;`i~8P8<C7p$f-e
zRc|fzW=Gb9b1ZX;PUua)@mvc1459h&Q?q;1@4n3&VLl0^Zw;Rpoen<hnY#RPLJ>Y^
zsaY>Sk1H^Z=j@@ba;7l>COwXvz&us2#layi?<Be~r0B2AHKyV3$u+)_s+acYSVyXU
zo(n_p&Gi$BtW#i0wq-Eo6PCt9ti#S=hGpf{OVW;w=&@(dM|e=BnHQhkGtx}3D)R41
zPayyw@m1NA(y96xs@7hW_FcD!rG3}!ZE4^2%!o#nm7+<0=F)fF9+~!C*E`dF@t5-v
zL_ziz-8X&BBJul@B?nY$mJS;&953dFAlmTmdQJW_1R6Sfo-9rLXq33S3k=Nf>~j6I
zl#E&iJ2E-~GAkjY*5vAOJqK$Yf{toR>FCqVnaiv5AMwT3BGZVL*u(g|Anj<W@jVTL
z<FXtlC4-M${u$TQqs6Fwd`5`wSHu=+=<O1s3(`|q6UzwiYDOZaAlK+E3xzSue@0C#
zH@P-{iqG3^RP9$V9_kHWL3E4de6GWNu3O7;jjj!Q)Y~Z6PCl1hEefk4OICO?1Bp5k
z<6Nyn){5gYrw-2RTL`O<HTvlEAL}yDhkKRrnzb<`2bFa<`t}==d7isgVt@Z>_$Hl=
zW;fKcE(ithpAx&~4cRs90p7o{97NCaNxXcQODHpI=T9I#NWaSDG``zag;eW8)j_(7
zOqsVEIv0lh8sA-94ZU_;PN1setmLbe9Vaf3TY0|YWQH$M0Z)l<Q`Ft^k5p6}+d&x!
z$^AWbw9?WWX$(1sel1eJynJMS=8Jc#==mjl88=amaE#BKxQSNc-|u<N^P4U?rLhU#
zRjoeomOXRWv#hv(<{sF~fA?^QM7NSTIlR6qK5IdOapeDSlJ93)%r!{8qRKL9lkIj;
z4l?&6LZV+RbE{Z;kbYDjCgpLJGUWeOB=*&s*hdN+X5=7#>oOx*WhK{SM#7pU*JMUQ
z=aOr9aVfv)FzZ&jlV%;AQd@oy3a%utx~cqjrPZkZdFbc?pOW_i<h=A&{&!YUd?DRs
z^Yj;B$NlYM)a{gWjCw5GI{%UN8>KqK54u_^RIQZI1iuxF`$4i-R5s2%Ka{bbOpf1U
zNE6_btE<L0XGU)d_4c6X+rd4#ng^4+s>3&oCLA#G-~6YevIZk3AGxO+X=;BWq5O#;
zlB`3qtPKz83GVq;rv1nW(Vb9*T&zsy#xtvasSA(G>!?KuV8TT-@5UP=iyN;!gLuGu
z8-2p)Lc-Ih1Be}zFjx?}qmYmggx**eB|KP2xLXNNksv$rw%*UsLfMx6x$xJ$pYf%_
z`x$5W_cP9-Vd*c0`!P+Z)FT=b=#8GNsHWZ4%xQH>h!GfMLMDO1^3E+`>~8&L@@JfA
zW-sLO{8a>dzptV0@V>^~{1o2TP~3<1zDE88;p<!ZZvE27vL~i^UqdbPzJ~Q9_ppGJ
z|0n%~;`P3UqKofq$bZbg@w`A7dYYJ(t@9{uby6Iltu`cd$pn#O>x3vUG4gPo;yhg4
zS`0u@Xx&=u!VqE<5XP9BtVpFI|Iio#uv3CTBVHA700rCOT69Lim<~t}=0gj~_56<E
zg42Qe)sB$v*GIXnk2S1_+1?%BR&20hQ5E0?p?q~B`f5cA8N*u4ZMWGDyg^V^s_Tgy
z)Rx)QmU%}7xX-F(umZLDsUW)A<t!+qqY8)7R*?FGHH$g}eA?SGL)tPEDV4H*wI);U
zR*!~dx|cy+*FT!l)AF+(;Ucc~CLS3O6P8}9vE+B?FpfOAWN`7XH)VPAuKj(v;7<P~
zxpl=;dYGu3>+aJRQ?7OBH@KYjCPE8p$dJFN%|jE7aX(_Ip(fLhzXLKOtL^>=na~U7
zboD;}eU*XxeMi5Td5vARW7X(*DnFGt7}7P1gb^jAP~`UvD<6wHuKHydS;LAR9wcvM
zg+Sb3YS0AYEzq&x9^(;V=h}&?Rs#B7K;PMEZ}wI*kKo}xdlh%r&R30f6>*aR>tdOK
z`X0!v&|~-HpPQhe2q|;vt)8L+b%*MAP%Kj^w66%oBg^Eoh85vvx-FV#<%qL#<ft(J
z7z5YD-)J>4@!_uIYR!(RYt5cENC=`;-dKk$8Z+P}ChwcHFYCwPP~Od3Eik8#0+LoV
z255~|9l{Ot;ru@^IJhBPM7Dy6AtfpQd?D>*K6|~NS)lKKK-%`!;*jR7y+0$89%u~_
zsEY!F6cD#eT_R%4-YNWyiPky@NQO9^-v~3Sf@v~>n(O?R$gi_aT-^;i-R>2_V^y4I
zOY}1=IfWmbbpRYlSl#sQqDsSq8<p(bmmZiv`(4QyMC?F_n~BNnWTKzA5KGx)LYY6C
zO!V#}5{csdi-O6!k5t76$n{wQOmpVqP05v&@qP$4(m(_`nL#v1NC+*MmYnrtumY$7
zEp-aCM@eG|3~tpNQ^*WlwNb!e*Cg1{SF3QG%}~!t(rXKVi#Gx+tU(=Zye2t_td$L&
zV02YiGGYyYi~S=|y*-l@SBPZ{==n7hMOPj7nh$9C*#ighx0D$^R~O3($&rr0_!rx<
z9d&KlZ-DfVv}LavoZlDGSiC=LF9vBQZ=)9_9UM$|cEAP9V#m~>(y|7&4DRX&lws8)
zYnFnoJdz64$tPGM7NnQ|67su36cEy425r#$J5$!=M_Y;_vs2dPhZeug)R*Vk=`PXy
zppHN1_a`y@s8MBt)+%601M+Jx*1#dj0YUn5Sa7&rc<tyGlyTUx54k}e!<QiacRKH|
z<T)1tOSDn2O)Tl}gst%iTD@@uT;2wb42f{0Q32ryl7qC?Y|_Xjn&@T4NiH&fUdUCZ
z%#AkJ$>OOJ!=B=MTKP2>Ilg)lqYr2B$MCA0ltxlhft0XEw8_Sl?TBrItc3pDw#Huv
zuq7@8z*Z3|16aq!5EF{V%F2$DHOm7d@)?74Fk}pmnl#FO8yka&&@Ko#?mR|7k>z)s
zkq5OJENcx>lx<+BgLTq1?r6bl(h=$zn|f|4QgKh(i@dKpk@s^Ha7sz?b<<12eTZpV
zTwRZ>b7g(yZ_f`mf+{%CnEXth=FGX9!cTx&WtnP-D6hFcF|pi@Qw);#7^BKPIFYaX
zf>A~}-|+k^ypa~m%T9*Nl~sQ-5qi8pGQ9O+@}@9GT;C0x;~Ll}YTz|U)t_hl9;=`a
zZlZi7zerx|<?lbiv2!TrFiC1+-P7p(nCyI^*%*DFN1!RYQ*zzzyvvC?*qS|qh3v$^
z$#r{}h{rdC-R8~3IO~G`$#r`MsW)K(S{9jCS#WJlEvy#80ToAB;@W+2T$rmS+axgx
z4B{E1z|n1T-A8a1-AUE%<%|%#n;WF$7nxi)fL(7qVJLAJ3rxD3D(nmmk0^kwZsF$?
z65;t36JSMhN}~I94R5OBt=Z8q?@4fT`q`Q}2mC*a{fW#8F#8?F!gP_{B(@$#)vU8+
z_Z*1zbQu4r!EKqt>a`5kk*lI-59kXN^Mh!3)8rUqZ~{&K61I*cc7IL3+2Qs1aTYMB
z{V9J6AI7LBl*&mnwLL!Q0!PR4Fzi_o!GryPfI%nMVg4FUz>oM^Kp%}*ZmjcPIUlFn
zosB~_YX|-6ft6#j=MEW@J)^NTI~ig0lR(uKPF)Q+W7+C@eB|aG#E=eI+R@*AH&(8F
zo*Ba26U=%{a5IMyGd{cs|8Q4)-z4NWhKkFNR^T9g4mCP9F~Wsl69*G2V-vks-#+;&
zRNvJP+=FSKiOj6iBA1Pe^mHU?r>ECQPZytHu^9>0RdWmcNH&^AD}hNLjT7qygEAK!
z#%EnqcJx4&BL*W(Z%s~f%PVqs;gCp??c$oRTuqsqJl`!$)I6dqJl|DIV{#|bLEcZK
z7kq=`hzJB46`-}zv8bt%h6t)&{Tq|HUM(s2ko=)vv&m204s$9c$s74LlH4;$FND^q
zmSJ98Y+P!|XrO>FLICnaJRxA3$yfsaS+{0QP`Bc>C0$BO0N^^io#~nF|K|^E1k<IQ
zvFUL$(%52gjuON%s}<MMIPAGz*i%59$H7X6IKOlu5N9T#a#L22UIbN}DJgv?A&gBy
z`uie!tu_u{kU9{9N7f0n%zf8LOdEo(v+&e*jWjumZwOy2kVl|K0_}<cVk23iCGTZM
zj#B`r7IDjFKOD&vh~5EgAJg!k!Ftg74h6IcPy+ANV}e)m*gd%33gEiVN6bjmZJmZP
zOfCf+h6^T&4+oH(sYI0i2P|St_Gfdf>R)RtV}`!Lo^FbG8&7gkEit?>LPRTE3oCDa
zbl!|2FSo+nYV!NOw$b=mYv!^1t_lm~+A8yUioqJs?{kdDgM~rrPOAq_+m?Afmg&kL
zPhH35h7W4X!b;)b?J6=>TN@3eXvMH$#NeEZt1Fqd0rmM$QJ*$E4phC_>iUK^wOAyE
zXpL%wKZ#MHXvpy~e3U<?KbGL#wiwm{fYRYzl?#D)ud)i1F|3X+ORo8v<eF2M@w%>l
z<TaGy3sM^?au?o+;)FILK_Qd~kD-hl$FDH0CcK)(S&If(CA18mq`wku=9Gvs-zi#C
zd$RCcc=r%^cjK7siB$F?tV7IJ7aw?O_5dRa*@1sd*BK6jnAUp`y}2$r&nhoUonMe=
zyZV7Dj+)@POwMJ@&GF;tI_srvruQP7I*m$`lDS}D*GO}4B&OC;$;aH_!gHXOqU>zP
zRf@w64>wv$2^_BF;yT<lYRG=9;9846qu<P^M(YLv<NB=Mql{>gCP&pNiM4vvAO#R8
zM-2`yWb4J&W!b-mfj(GZS*GSXZVKX<>=9m#pNrS?&95&!l5#%p3W5!9`sYsm&c{|~
zL`Ts5j2uyzk!BZSMg|coL#sY!#H3LZMI#O4Kb;ZiPnhawB+Ec!*#Y(5+pghFi8SFT
zVz)Y~J&L1}55FUpSuVt=rV!fZsQMSNxi}^Sn2JzNIR<~`!5ntWh2_WTmBShn;jwQ2
zk{E9ZM}D8RtzIK@__;`}1iy-<p5|+-W8I}tDxHVK+*qG*A;!9r&^E^kO?7&jD(Z+`
z{cN;9r(v;y4^>>)IL@sVaqzNqt@w)Y7b<}1Y-M2x<t$zf@EY-^f-aIl6?p>%qXcwP
zH^d(*qK$=fL>spCqa6r#f5H*Olx$WU!e@CS6KI6_E^0g%ZwikiuGq{X099UQF)^N7
zIW6h@P2rp^a!rD$qx}%mrN9`SaWB@~XgSI?KDh-HbM)t{yzK$Ru+C_`3guzm%U*U`
z)2aB_m0nw+rRY{*)SSIdl7_uCs&|>%yoraKFZj|uQ2g-TJzRkWiq-l?#bYmor6N;c
zRN=TazpN{AgfSz4lwW5Q>dR8#O$5$fAfws~=LkDG4lqT-?@h36*R0On>^iqB{%o78
zdkpg3vrSnv3|?w+iL2r#CfC)vb5>3d@tSABG&kJ!-rq|DDrCHEE&u|>4H0fI(tApJ
zPdCuL2nK@IYz#|Od%i6j%bT4!J8@lWwvq9ANVE?s*p!AG2m5CwYK&#BU=6&iU3R9r
z^IKqTMLSctCk(~)Gyn40Mi}X7OrO|`PUy-W;=$L7RlNwpF0-QvvD=Ek`;n_5wSbaE
z5OJ!+5CSj(nD;3nc%}WFCK73pT)e;$OWvs|9oYEpV@O5@7+W4PX0GIwR1zJF(FTEA
zw(lggO%~IKvINlTx>_p4@?shJW;B93EyyH-C8nlqBQi+~GKn1dT98Q^0b$EHk5dsy
z8n(;&WLRXYdlTE7Gc`14Uz44aq5JhuUg>UVUo8wxuDbtXXvTcT!+D~Wg1%~KVxV++
z`-axlB1m9~Y%$wwSIa;eW=C~@w-mOF3#$rvf}KTV7~@_t`+0CCKlyiYcZC}4ei**P
zv*0xjubhbmC$T$;0-wrxh0N<NpJ$5R^mI@mesPN$yGrJ#Dk5k0ZReTf+W(HHw($Ej
zR#NhIN|rbLQ(`#MQ)H@eVx3Z)DSrY}&M@ZdvF@7u<)39`kdnqh%hkYzwGcfGZsBK6
z&KGXx*0>Psp6)*?o4FwU0~JLmo+_dE5-l}@CA=ep$v+R`BwfZ}n*s<H{)VECBy6|?
z)q;|`8RB?kOmus%uXT--N?zf0Hm|CAwJxdMRk&9|HA`gvmh3NXxpfv<-ce*?dtNTg
z3-G9>lf1sE_@@-__SK_p&_|1$UxvQ%Gm9|PVzvno`gwQDo;NPav)aWso!ZL#?S7}E
zQLO*_^v+q>WJ!}i9GT90G5)tf#}dYm8NJT@ARXi9^FLtxuZ%Uu|IwMo`5R?oa(q8~
zpEx`BQ2Zs9y-{?5e{g(xmSa%Z+isxi@;6QCM6PGjvFxQV>6kI;wrt}XndoEL5%eu<
z6q7x!gh|I>$YRoMHrH1elb%Q%^Uv6hhbxU79DdCapO^PprG{8%gS2jrf>Y}U;70nu
zh#|4$BOu9(l4L-y5o;7c#2>LP;#_?(a`>$ckGzBP&z@n6fqBG7Tu<9|FVK`0JcfKD
zLpC6M%Z=SQd9(qwR&nn3HSU-xS>=o`B^Mch?XYN=eci1yZVL;uda2PPS`f661pw7X
zv=&@T*pc0M7lQ1LQ+k;zPmsQoIdb-oZ)>)2>A4b6*glm=PS$cXwGo&rZJ%lcrcSd5
zjEMFiMnroMBVrB9lsGPe$TlR4vONf+;P5BNQsZYrhvAh>Xf$6%dJM-AJ=3u%(P4<~
z+W6h~7*#KRJMA;ZZ`m_2!64K%L5{w}SnAvYBUsyAKwv^OwgVvn-LG-Hhfr<)Bgm2A
zF6vm+A8!(0ONE|edY71=2-(UcSM8V-ZS(T9xsaH?8T2zpSciW^hc$`ei?r$V$A6z6
zRF(^ZA1Xh1=F|_&50GvO{9u%(%(Jf#!Ve~Rp{<l3Oe1dF{9urE_P@yw7N4>$e!%HL
z`A|#~e>2{2vm1UHOQ?3-TY@i0>2IL&vM=`zNcJt^3LUR{{O|~~{d_^}$nk}XTnN5!
zGNIml;U3y_eBl;CW*1GU8=g1FSoHrNZ_te|j()`-ru5Ap#`fY5$84QHj6bxTKj_-9
zE%<|={xA5$YEI;Y8(d+xzIgtC8M7CE_~91(A+ZI2_{vuK!|y&_&L5T)_`??ZBAZ@L
zUn~j@a@E<2w%AtABtBGa@$PnG5>8tj<hG?Ed8;5dY^g2o8l*l;hjkOcNv0GHgft@l
z>+!vyFUlI`R#HzZdkaaEi(uuj_0_IXyYY6!%gph=uP@H-Ltp%!i6SNX;_jfF$0OvB
zyH7N(kk*k-sf?QNNW|C<een`kJoPZeO7+EG@oj2#L0{w=fqzS1lpybT!L2R?FOWM;
znP}eIsJL}~Q9MC+5N)SgwWY>bl)H-CW@VCsCRS5w5`*cB9{`>Qo#2@CH=rHR$fP+5
zZD;eHtxc}qElAC01j&_nyn%zi6(aR=9AX2Z9NYFHQ<yVi^zvoj`rpAuz6Jg7TLpeo
z(Et8IR6);3dcEK>rrP0CxgH^p49^dX`rl`XoEgiud+|nHg93~WI2V=WDn0hfk#3~K
zOSoy!;o2`-vyF_ZF9(EUtlvS3BOC&mi6+-mqVL?bKKG!K+<#P0OYS2s_a8{UF~OYD
zzczrrrr&MNtmW<_!Yn-UO7|M%-HgPcspf|eX!?6XWoX*bA?<Ojw8!I{vj3~SP%gz|
zi*`p0R{L@bgSI%5>-LH7nq0T{<XyS{ZYdN!Q$9N47ZWniJ6_Rr4m+_$|3c}7clXu{
z<Nw=-Kf39KS21+c3m5MQNT*6I*CEnkeNLW@?9aM9+|6UT`u%a@xh&IEE4cYPD2slR
z8BIG#;T*U*Ib^pW{YSW8v=?lCoyCpklKo)6^DI|@j~(x5Kt3m>HOj#W8t|w;S=G9Y
zR<1;t0*H8b9aFX#E%zS?4Z14!1aQ)CWkOsufy(h<ErKw7>Tg0Br)>Gn>_)y#*@_WZ
z7xkNtYMlC4*5{jyK*7}Z{Q1YZUe6+5X|HqiN$M7=<{?P)k(~80!X{_!Nuc*Q-iAw+
zjYC|kWPX-7waei!X8^J5S@(4mFv~R%&=B2k|Cimj&3@%>&(CRf-G7FbO1u9@n$8w_
zy<^nt_tCq0_j<S9y@p6^f7Jv<*JT}XYsvmhz|=KUsW;eDENxDgB4h{WPT!PVUmZ-}
z!!W?+GL}1TWA@~YTp_5L#X&)&QaIn$UT3b!xFht*MS8d|F7s%3KU|?H`)kA4H-psd
zUTw?ZlpL~SEIR?$z;SHWP8jTND{I4tYj9iUE7H9#L^Ery=Ryd4VLlbLUw-w57=M03
z9jL|nI*wlks5sDc4nG}Bo8IlxbtxKwtaELd&7O&T6&i9(<Tw|Ci5x+wjEQWy*17#N
zJh>tRqA8F~T{~4%yD^W}%*A-3osT2h#q1T1ZZ}1efNeXYEsq|DW;whmGrA_6g*pi*
zG9W?5U!{)H3F=U?>$`}{<OQ4BJ_+o{Por=y>v@@*+}xA{_8%DGI?9n4_z7xE9>ocf
z!<Y}VykK5|`0yS!&m`@Gb|S>!pHzp#5=uT>oU7TD*?O~QGT&-;>p6zL7In-<%8fQS
zgFB95B(3jn(S~1h&taZ2e@?!%A^9Hr1nqqFM*get+9@Mh-7OtnYrvduz{D^X>(#;_
zS`d#+olAm;DsRG9gr9~CnzD1P+`HVVWDOQUwuW7-5+n*J0uuT2QH_AnA<-vY2qYR#
zs9bp}#UiOt@zNbjPBY0D7z`5QVJ_-C7O~H7W|q-nlfoNuNoGYDCG(3A%Hqd`dU<{8
z@DJHkYRUeuLy8snQHwsZ#Swml(#fOXnP&qc4{MD$8s=6UYQ6)uy0QPlg&6zwg#N|Y
z*}*J2Sn4d7AH9rA;rp<xtq-K)tq75>cY|3Hq$b;79CH;S>Gf)x<`Wr=pJwsKa3tu#
zF41yYz{H4g*iIHqY>eSG2xMagA1a=+q?{VizvzI3BSRq?x1ah2RBnbGopAnJnc?-e
zF32~L_*$4`{>8lU!e6nEOj`c#k;eDaSJQ{^dp`09KJqjZydZKPpR{=H8<Z{@e%-~6
zpP9eF=if*Sa!A<j^PdvsKNfrrk1FIJ=JQtp59P1(`9Bfm{}zA=`xo->;`5*2^RGdr
zRp<XcLY=2S+GY-yyIA_O!s6XE(yG6clxQj6E)nGWu7cEb6?C3+Ce%#kTO!DY<a+qP
zakSc-4|GGSWqiQs`ErI5%TBbFTFZxKQIlLpB+GT2m4$u4k|~aQOH|}BSD4^92Pf_*
z=Kw;Ch%|z<E>?0>@c&#0D%h9Mzo3Gh$4kJo?G#S}B5s&~YX86tAUmRl!#%7h9)2Yw
zitxCoKzW4qLkw#<t*0fb(G!cfP_)21D`>1>1#NeVLJh_ymiTA?QLt%v^`sNxvw<Pc
zYHZ<8iD-hmwdSst=zCoueYHz}LPYA*We~la?{YKhZ<WIlpU7Be3L4!h*UW2w=l*dH
zNv+LK=J_i+)Ix_!YdZ(bF0XAIF|LEY11&_{Kl5vx1N<em&wm&dV1XSFT-C`rKuh>l
zA>jlaUw@K>*4#}~#CLLYB_Ort=1=4&f6%^C>N1aZ9P6E5!h7Mor5$<-(k$=LGsKj2
z=m8=;o`(ZLyuO>7JJ2;1|8A7`AEJ*wyY(&08y_F#e2fY2JLfo;b9j{V72w%-&d>Yy
zgVb(LaWGBrO%2!Gvc+uNhdS8+IKp2OK&eRq$BO7>m)cm??sbc0@988~?rLsBZ|K_i
zl_-|P!OhdxD{bgnwvrwvblJ|aq0a`_-ml0*HpMazb}GbClbYBe@9^5gxLD>{wq=x+
z67wwEJDX1#%TB8aUp2AHq$Q#O{!f=RB635Ts=d4NOt*jKn~Dvy^6}c_g9)<0KsLp*
z=I2Fb37Fi4WA=FRKhIZJKWN_0ru-OW>KX}rB$INLJ^9Zp(I4q)J_ZU!?fCI$ACyuX
zev(pK`hP^*e>Jh>)nhA=;s8~4dO{6m{>k9>jAie$aSgRA^El5$XJSL|oI{Qvxss3U
zgG&i(zc5eVx&LQ|3TN;6p8ec7TR%hB2G^co1)s%X9}&xj85`!Rnf3#cw7{-liH~Ko
zomSF;bLhe#y#w`z3rO>FdT{Nf{m{DB_Y0<fjX*4^dmu-X&MvZ6SPmF91>arBC9s_%
zxCU=${!~{k?5?SNB=cNm={2uaz>2TgT=7>bOr_`yVc?A5N;h&RuWh=YUwaJX=0}q2
zc5Mv4yZE4YbVKl2#5ZT2h*jFO#47)sTz54)Vd`!$t&_x~H^X>?>8l7b2eXMs-O*;5
zf|-R2!yS`h;|#piEiKu7Y_c;^l4Ayp%bv=q+!6?>(EuTPqd*-y<Z(8@W#v!5!)hPQ
z-A$KVEl{HZ;yVO_xsSN(c5^c;&@Qi8ZylTVSH#DoH*c<`kAEhZYhSBcN=6y(B_xUH
zsWrK=>gon*KR<>8sBRhY90g(G?W8Yl+1rI3V-9%(T=^3PDyN=m*ALEL0ItgK_2!4<
ze;cIUV}4x9BR=ISpOPU(O~v=K3qR*S=F`vi>D6?VE2C(J)+@sAi>*2OfMSz(@Co9#
zW}eQsJuKW$8vbSMrMkAtZftt9RZLgCd;H1XlOQIIK>jo}QbHM6?B(a8;9|b~L|8ix
zS#1knPXs`mDRL<jk2Orw!38kv)XFOU#&@n-xU#15oy@b>ylQB+$<QpFW{jWQ46<Ic
zQh%H7=euHIcmG_fR>N}R$+dSU*Pk<K!qI6GxqgDq<z{Lp@|yMMJ|`TznlUh=sG`@b
zfB!(m$i7HSh0XEifS5A{kKT;q@vpa3==vy_2JRp3U}$4STV+=KrL7XrCr@;}k#<H^
zIDraX{~#|)pYBkkS&*~rN9#%L5;V>%45nu^yl_A=tSg{<Sq_oHOUEV`Cj70(3G!F?
zM<avOR6yh(j&%1^>q9qBrg`&|>sAFk2SRRL4w8onE3*kAxo_F1ly2U}>g(rwVYquT
ztle5i2KbJgQW#hEMyqRCd>*(_&VefcWPt;Z6fjo-9^Vdt^dR-{4BwSZP<S6qlr)xg
z7jj7N2Sri(XAZb2`Yw1{YjQw2N)vVphXOz@I5AgSfPT^0_rktLw3ej?(DyC+I(v)0
z4za!#L3<{E%RI{w&6PVPUtPyD_G^OXM}oQEtjw%WuIx;#Pq<amw5FatX9jbJ@0Q_?
zj81ZrbQN7&*u7)&wPSH|sH|MqHuRB>zc%seMUYA}ZkXew{(R!WGKo*)jTXVR9bdHw
z(8eNo7DQJnZ83l;TMS?_P_y1R`tRo$G4NUf&p;r!q5v^l9nIg%2sS}q{XM-+_k&$r
z83-&`=53YAJUClX=SwC^KE`QPF&pKA4QT$W+A_xN!UM>$MK{N8(aoid27N_X8-%}v
zM;B|g`RrBe<LmmUb$^EentSkMDm79`zak&>UF#QhEoqe)K%n#no(i<4fX%DGMwA~8
z?F+~U_;!+=Rlcp=l`Xl6HC5^ucS7sx7U)fXlide~D}dbnYbf@>cZiw)YpP%HS6zHD
zU@kX+6tG?AW2cWb27B`a{R~|iZ?<`B&SEs|j30q!JTNxwhCH=gikvaAHg?ToT~QGm
zc3(Gfm+hLJSk1c@1H1UpTy%2qc4@~#W5>_{^djF<eC&3zx#}7{r2hpPDhCa^M%Nr{
zVOcb$cdK~jjK)}IbRC~+kRZC+^ffLxxS><`8)c`fquJQ=JkPOHw*9X>aI;5OqcFe;
zEdJd(`kgoXY_@S-ueJ;Ao=9V7pxu<Tzpb_nF46rIkxVu)mRvALjZ3qvY0F;7Q59}8
zN8aS7fgp97!PeF}dw=3xPQv9bT?%pTJozdfC9Z5uZsyqGvs5rLH()LZ(@l^U#*!L!
z<$Q`)H0R>SEk)W;GhAl`Mck-hFn35}YV(wHVwG#~v0@1onRMJ{Ma0D(@z=0CtYTS9
zEjB(WY3DHiXlcma%^BS;GSH^2XtW33O__C#bE}&CmE-a6*f*D&`b&eaO}@6S;ay&c
zS;IM*#j%C2R)rUeM;9=xtDl?qkwYH8P{PIqjcu9pfcXXHyS0Wm`qr&(=*Gls(#`uw
z=G`DbtaU76tF{{>IoyVse*q0eocb2%R~MBxB8YFRy}EC-RP<b5zW>AvKMQK<fX=Z#
zYgb#IVxEi~UB0k>q9$`nj4M78>LY53vRYtZ6sS`mpX5j+vYlzjLFzH0kXCB-StqN1
zba6tgtFcD;TRqyur?zJ8`OU<TgM!rmk}|KIPNr8pFhaBeuh)_GS}X$^7gj%9RHt_n
z#Jr4&`Fu>w7ju+!bj=xLC%KMf!I0n}g2Ez#gY(UF&wTZIo!d7!V$R6li1H>-e#4e2
zn(TQ}@bo5$hRr<>Iew1&WnC<H=?<}>obC^%9SO(b6R}JdmfS>c55G@{7|gAhQPrB9
z-c1-Jw~p|8moS&b=S?eSXUH%z*p&f5s-~w|V)AduBR5aA^Fb@tUE?02CD?vY=Go+{
zFD6$vL3sO4+9R?4-1tWl>v@RdHu~YmCEwEAC4OAf;|2!paLAy?f$rLTQ;id_<<wVf
zf(~c6%x1G%=%#wa=)38^K6yE5Q+JSB!l!>bDb1l=7N>0u&Gr+Vpi8#atbbnh(js7Y
zp8-b|TA4KbA7%=5>#gzWZFQ>Wo`O8R&CZACF+PK50k4MPmM^?IpLRkWI`w)1xBhV>
zVqC)za98c<fO`!&%7I%4;+FvT59Pp>&vyh|?YsZq0<L!jYGw%*Cl{R^$_4I%$0pY8
z@J9Y@yT?5@CDy|jq-~^EXxee|(5^S^BBo0x7Z3(s-TXv6f;ILMm_ZqXC}9jmUQx;*
z!sRA-Yzqm(mzlz-w~kIGow(g3YJHCwKx<}4TWZ1!Xf-jVvLZ<T517;QTC5jZ{DFsT
zfL2P6Je8vbf@vvQ{K|iNniGg3w7B&D9L?!Y!3dCjGq|3)+fENJiUt*49#s~`Wh?D{
zAHy|oJPs_fceR6nw$5o0Yb44Ru~-ynj{@VOz=S9;(FIcV2?h99ewUWJ*D{KqtpNX&
zN4#GD6c$g^zx<h;jqvMaqkFe1S|{6G_iRJmi<5q_%pY7VG%iRDfg?nPCKd`!h^{G$
z3cX$FTXH=QQc@ROIoD@jbXNTgI@Y`NJ;l<qNp>&gMWr>GTt_7$T^lz_A<oQl7k8F-
z8#`(@8C$d0ui=LUazJZ#Zl0i|0(PJt)514FyG3m0{oW)8o+;EyI=Gpek@y|hn(1nF
zFE(Pu_+db0$@!`bf_Z0GReh6NY^!)xDizdLRPYMgLhdailz8tG`28WOx4|_qD=ZC9
z1O*cB@x<6&n9?oq3(I#HckNi<SiLWG9`z>P<887pTHtK=9AM(TE7()Dn5%dMgMjY*
zx=71-*56b*)ZJtnKUHkKy)Ad0!K5wcllh*lvFko7&T8i`1;9qy^eUEp$R%>krLcxW
zf`_b+WgarL$xpdMHX~hvl<b7>G;`zGv?FUYdiNBaUh)cNJb}N2h^E~cG1!`8<C0bL
z`l2}E=7ZNIZ4z=5Dyd-&&9!EJ-OW#1Zk%G&fian%DIu23Ba5%27K;t0eF4b%W*b%n
zb88as;o9Hy5kagD#IykN{AVnH)7Zfl;JSiSfmGtXmB9Dwgi`EWZopXupB@>^*qTqD
z2N`Ql(sCRR=1#1Xju51tAr~Pkf6|4heW43c{e3P({ioA0@~vd4P+SVb+4l)()BhAI
zwClpmevLHAR*xM*&VPoh#w1>j6HkaSUZ?;tM}bBK^8GE-L-h$hlsti73rvgx;}poR
z<S<KN9?NdqE9Vdi<>p`hHxxi5y=Kwle3d92PS0{(<V6&-Wfk-Z;la4Xkp3N~3-1z?
z<d{C!lgb~)P$bt5ir|wIOlt)s5G)K9q*z>0=SB*KOz`N%HI(`N(VxTH5FEUHD3&`*
z8k{z8A<l`~T^JXkEH519AEML3+Ix-b(ih?R47wpapUH2G?}Yt2Jg1N-dt&}tU()ew
z0limOzWp<yxd$|apjr!rpsMp1lOxo7QbqlW#gq5E7BJPk>}tl>AbpTTi?jKITt|AM
zV-@fI@%GG|_zsEncXaU9uQ3FyNF%C-&xuzLzoTQyyp=2{p4GtYW>aA-cdzw<*9m4V
zH2FSA>18~dpW$HS?tBafALU%57Yh>l1s7+)bcTb8T5@o2F$_oI`5bFFQ#7Dym=RrY
z{l|%D%dBgXXKrLK<FpvctKD15D+xksyMFdNF2v@l+yS@gqf@fATDWJ;&aB|E)z!~=
zL0-TOiRWR%8%Phm=4tnG=m}!!p3QPULh~d5=X5s`w8suv$~|;^*4jg0r&896i-7X0
zHaP50sKRYf$wNNhY|EE2028FlR;VOP0VgXhV@78tF4vPZKQkUNqAJ-rb~u+Y-mFh|
zZp}|2h9T|0z@t;YrIVr+Lr!C$uGL^#E%R5hf-r+e_!&KzGMY)fr>L2{o?p)yBRau2
zbXiGZ;RqL7KuA0xaJlEJu<8L*YhZTi9x>-+CmP_iZbn;aZfbDVHGKGr#cLxzJNL8V
zU^6bJJF&_q5Et+=6dUizc{zG*{^eCpj-FzI5VRH^4mx2UayKEzawotC+!7Q_o6C4o
zytp-06-Mh7t3xbvUH#qEt0kkbQlMY?E=9fNR~=<3D0DGoT0~z3$Qq-WWl&yR(Vr6P
zZ?v2gD(bR|NRgXnzIUBJFV16ullHkHj%Tw+$T=}u5hn!G9$~&qCWP6XC_02b$7xoX
z%`fffX7eZf`VpF|LHL=Hc5{xadhzpKhc?`+GV(oReCa2d;xJ1Ar^kVh{e$$od~XdB
zZb9_`!6aY^P{m`}0;&F$K%&YcKzOThWb~#O{h3XsSk8-BFeRHYx^(wC$BXsGP;un;
zq8*(}sqPB;mxgJ88sST#ACpZYhMvF3)sX%zJ|m&-?3kHZ`<trdYbf%YVe$!Li0J1Z
zLFUa{BCx_YEMckTU7>}sg)dcwUnH{7-h5z<p0_qX5{4>0@0()A+VFAk$}CL2)SY;b
z%Jmq8zSbn(>kd+@pfJCGq8+5|LDFI#t#R)1a1Vyw`263=8p<^(;s=I}ezl$WZ&Sd9
zjNR53c>p>%Jq2Ft%fkt%MT*^FcnED<;uDP^26`D_tHAlNGKJsA=31Z&@a}OmvaQjD
z;}BKhU%<`cdLBdSFv*}+m^u+1KfmOkj`9u^ChbOU$#HHSm_Yqn#r-<)g|g-xdz%S9
z_Js~E-eHcyTLn%e*8Iz?VL;y;KUi%jZ1R(Xy<x<^#R<M>1IC_c5;0Q8Dr~;FscWH7
z7P;s6fEHnPzhn%AU~^3{dx^sF3lJ_?N02YP#KSGbKQ!+!<N;)05DVv>sdae04*8YL
zr(L6Jp44w{ZZ}EhW`qZ9qp%1E%uz7~<P+Qe_n%6bYz!Zuc|YHJBJ5}MvR`uXSX!@~
ze2cvwmcE=UiY9JOygz^M2-13<oW5DFob(e`)31nkSbV<f1u+m)-h%WDth3=>+WU$$
zzW(7y@vAAQTH6vq^E>^+G0M%<vTX@-*B>HbK1KKFJou|yF<s~$bs)xCTcGzytt+mg
z;oS}aD0r)F!u3Xg2<7wS+cx2bdRN8axZX%8!SRvBn$>cfWc2dITeC!@N4%}#^>$<m
zkENq-e#_U5&*Rh~Eg<Q!sXdhWd_KI%c>n0XI^KUGw!ZLO@|4hbAJRuSMs&;VxRT2=
zkB1$=|6hPdS9lggq32gvbE$vA4-5EF6%N-lUS4_l{fE;no<qfZHgUP$r|uyX%ssAO
z?h>d-dx(>jQwr=w7J!<*Y5~1>omxd{G*@?vwG`J@(lQIfA5shN$zEQ`Q>(YQx(VGt
zsOQJJ@sf>-o4P3*5n2h6-OUb%T+5@&F$tVrM|KHBMpz_3Y-fqsbTQ^R?O{7+<ivZA
z6rsdBnsh4t5O8;R@>@dVXNI405#ZpD2+a%!*>`mUvq(BzZK$-v@HtE!@x!6TXNU_Y
zxlCz|_v?fi-owO4mp7bf8NBD7_jQ~?wlZJGvlZdrM{CWz-*hTlgvmDsW~V#-C;rK%
z<ipY#+%{#9UQUqx%;chhCA#lSw`DVQx^$<GKO`4ei6AwL%xDz@RK7Kv9>gz>J7cmB
z*AW_%{hbt<G1;GXTk@|2$JXqvYxs#}s_XMzCX2*x9COIp*aLs~z57Qs+DUC)xVaj2
zcR*Wk*ZQ`8!|T~gCAK0H`)gZfTt1eWfY0n$Sk;v7zBUN&ueg*w<}ZNw^Sj}k3%Z%v
z{G6LNZdPZhrXoB6o>6w*i~Y8etu{b3R@;|eLBZz5jevGTI@>{tl^E?zV|>i^9|Lh@
z+ez`y<$HJ+5B0HN+8j(4)4+yAfkp-LFZ1%Iw>u7IUsk34{#;}1ydIhHhP36rQr{?R
z!H{0Yz@CF(0x4BPAs!yZe8oZF{NUA&3v?q-3vEqb91=TZU2JH6>a(%rhRR8M#c~(m
zLpcdf^?Lqp;1a9kj^b$Zk7G*KkEm_*3BTbJ%&n4a_+m0_O1!skFiq}tx!6*fo2I=-
zH*&Fs37j~l{nNsWEgV{Sx#jsA;o(PPKGJVJ4+Q8}?^|KVRB$TtC%<ZAgBkm@d=AIf
z_Y?hoGDtPkAlLfi?>*Z_hs`+BHHHM!ZYK_;sh{@_lm0->MS8iyZBVkiu%m720*>^O
z7|$VV&r&S8hJY=lwFGP_#kx6~OM|9&(<VVUz;wgh@~z8Io1z8yt8a6NFg6j(orsdx
zR!@)aWigkA_bk6^tx?85VG;o?4>t&pg1M&KO;-iI_a?!H&8?Z6t?nd72-)N=X89{@
z++6ysW9nZdvXq}Q(EO`CX39z~8e2lkCdV?Ls?shbThHzE?*LcHZ+<f)G31jSAHzCR
znRzyM+|u0T3kutmJ4}i*lanq6uj=Os!Vd`6C14&z9Oejih=JXI2I2oHuIs_v#;T@F
zXKv!s=3Hz6`}{99CG$;9iFG?nlJK%~F#Q5DBYf=;Om7rY9=BxSOVuFh4!QOvlY-oo
z+miV+EP2$L%sZ8TZsC6S^#72Nm1D+Qlp~uQyD=zQq8n%6w|-x@<|KQAc$SA*EH{dY
zo34adu1P^-Xt@#0lbb@fbI#-Hyywc?4;Ic=uH&2~dZcZtw`LZ&;@>1@fh&IbCW4w1
zm9vgmVcl<_!pX(`V#$U4|9U^L#<~;Lb)V|;IAR8jVD4bEQ>?YJk26-^ZjhQM2^dG$
zVEXPtB8i&X{X6_=heT3Y!%qI>F24=<Ie5+`XYRN=_zv$R==7k+lii)eG5P!k*fk~J
ztPCG4!@riy!p8gX&v=O^WTjOOWp*qMAB~rIlvTQ=yo#C0bq$-DM>%SA#TLF+6@G+h
z-jgpc{}8qJF0Yp(`Y8WxqRaJVwCQqv`86W8(3d4t7U<ddDa=v)v^($ksczmY@<C=c
z^J!v=nzPotqUL-QUtV*T;d9%>?^B&@*ytPS%^^O#OyLd4X@z<09^M(hI>Usn8P2Te
z9w&XsXEOCWJ}?J6N-rVun23Ctk^Xj2dbk?^@bYRI4-AiCuB{*bn$byQwC{3og>N%A
zJ|FnT>K)~yPr%vO?%;5MjVi%+MbpDV?eO4U`LNsT?s%Lh`et4eHLiEJXGq7;7LTIr
zkLz546~DIB3A|U+MEI~d)!Fr62#mZq=B%X`OQvQwnFmxjGGb_!zxq{&V53!TIEn=F
z8m|qto%gy)YxWvRd-g69*kD`Z7;)Alv8K#FhOP;6+CanCKBk{x_lf;AW&RkXWJitV
zPOrY-PVngopBt4WvtvUiPl4z~s~Ny3mUSBgP09B`Qm0inXKt6E*PJ=hq@Fqn9}K~4
z(JX8FL?F?ISLzdLG<&0PpTh~Y`~)c+j)}WR(jfj}k^$Q?dAsm5cF3BxLsrKQc_Nmp
zPQ-FY&W$ZxU(MsY)v?NVfJG%nks~W(3s+X>AG~4X=C(ucbam`me|)a_R~44AUs4su
zqL)*-D^fZM9!+xSlk>*E|7vP7sbRGD>@<F+>uqvTdnO+(oood(0?(|*$i)IS;@myf
zncRalMCSML^Y|wlzvT!~alu^RV0CjJhy&4m%93kuckN_cZCU(!{tM#@k2ESv&?If%
zEc}S&9Jb^Z3{l57aV-ai^Zl4KVMsQq*|&8dk}v&zF|RY4ZGvFWSFEO`e!Ss8Yr0YI
zliB-OU~J@~IAPd*Y9`33Lv7jV4xkrmhwBCbsV%oaQEj>V41;oa3C7{|48q`v%SkH$
z1gVv)H3NuIQ(H5Q-~(Pr1i%Ngi!=^Y0A;SRP5~|i<DN(YjRZ_Kju9|PrJX>dlExB1
z7EB5n{+ua(+4^c8+MO}*1lNmtS~E*|Bh(StTWv#ab|Hs6Nk(JYZbDR~1smO?mi-2B
zSLDwhI^TwL4k1BJZQ8G=<sglZK4zFDZJG6LnRijA+DNO(KY*JHbM$GhSTV35=hlRn
z;2d9^N7vZNSTrHRR&IxIbJi0IZ%@no(_hv%HowMPpE?GR9k~#+ZniE?&{&5h$MJ(b
zN*}p)PQcp;XjCI;b0c$NQszdLaIOViji_3b@IDT$xl1Yu*ZR1D`em{dS7&j~?=zXK
zpa!-t>?{xWX%_abGWT?okGWN=>}N|#Td0`IbwzGwzN4O(l~PycFpj+9HrED-2g!H=
zh<SoTpTJpruy%i`$j@U>Ec@S~JVDrI#yyP)oSQOF>a-0a)5}Ok8#+<7m~CPk??W<r
z8Odk^Yp{;eBws=>O1xK;i#VuJDxch_iQ+yvo3`A8WBJN|{w2c^-QS|<@F>v3t-GFn
zcaHF7n?!t~tLDjwh)psoKmS#VPZdwOWv`wlvo@vR>2A!b`Y?#Ssf<N}Jl&eY>^+)P
zcXOD-g9rh}=)_a*bdLyR0^!W_wk_l6D8dJM7zZ;t$q=i2oEN=4PHYn)a3K>eu#Dly
zBK!a$jPML0?p0m?eT0a}v_N-FnGL@|OpcJ@a6^U-zbV0m{e%m6Gqbm|xv;mh1Cfqy
zx3wNkf6>rkk7yo0YNZkk6@O&rrXsu~s;B7;vwz6X*s<tq-Vl4sFX9>njwKGn9YWtF
z+{NKlQ`dAe1(8-Tb$GIe8xw0bk2(eN>;76Wb<_r_<tCkYS7e6`(B>BY$WHej6DeZO
z?KGoDKb+c?c~o4prnN*V(<`%V={miPd~?(b+ak4K;CFF#96H*?wQ7UZs{lnRF;*9x
zK+meL>p9)qm8Hl1TJ^9v)XAUN91rAWSa2+s4xgOfO{P8^i;tvcFV;6DAFITUf-0No
zO1}1@wAV=kbCVYk*mqJe{M`61I8CLOP{7u?KKy^N_0*!9$nT>Wn9AZSBTKn%axzoP
zQNPIfcLf>r=^YVQ@#(db(PZ5Auzaf1PU;HUN%`16yiDQmj7ufxV$nY}`<T;E?;}k{
zmfHNzD`eaVzl^r3^B1M_5~d=&?iH`G8r>9R_Rm?p@n8B;h0=h5duFXWvl4B&>WFmN
zmaEPHZJ|Q`N`0~Vy<UR8aVkxsfse`F+|78#WbMofh6P*MQeS79hu6gq&c)VZESq$|
z@Ll8kX-{0&EXu>-S<+LT*niVCgoKlvH!*hCl-#%nE-6SELF#tWkS+%6qJdbpn&nTP
zZjclA9cd?m&nYHc2plyEjZ+9Dk~ri<uhwDHC3VFw5*x&tAR$8n^<XcOBC$A8n>Eyl
z+Q=(h-%gfx0(A<EC4gwf!|4PNt>^#&M5|NPiS|YX=tz6a_+a>Rbf{J*?6u~s!B!{i
zwdNLRxcSA)9d_TrxO_Lmvw>%>ePKd3RlWf-499U$x5^DajQ2<Rg-xC<d-+nuVU>Ga
zzvF^bC%^ORu>lHj4;)QERzR=Qj>$|$8kD&T&VsG*d+33NWkezeIxFFJ*aXi90V0(&
z^I`@Y_utV8s5E>K-A+@aS0%!+^u_HCd|e1>{!T&a0QD5pzdXyr-S_|x$;Fld=WsWN
zn;mkcr~vt)$gh#7uX$q~ak1PF>u1|9FOx8{@}t%)who;>ke?v6D}QC}x$OzJV82Ud
z@<?<5{k2-_pw+>W7yUV_-7tL(viMkyv(~~|?I_g?aQ?xh@Soc`V1-a8N>&I?GIZ=3
z%#Bsb^qXF}AHB}n<GJb09Y-bB9~H;#>)4LLGBf6mGxV=dtgnk7m{<=HB-TR(FH$D4
z9x}Lx0M3-@Y5Q7_C0^6xZhrg(GHFBRT%zrp$#(2ysf9-)*_WI*;U%yP54v&g1iqom
z$%+Q=cd;DPJB>ic(c|V=WXpx4XH4`#N-TjQqTGrOoN;W`NF4PRuBeE={~vqb0Z;YU
zKYj^O8HG^EO;)l;p@Hm~>`+-(6t3>Q_RJ`fBu$a1RA@*`L!_i7k<gS<E{YZ{{NLyE
zx!3CZt?ziA@ALaVPxtlWoX^?kz0Ui*&%%;ifhYj!PH;LVBl!*bNdjEVf`#zLAAoQ;
z|AD$WQ#bhxf*zbw<JC=0MWZM>g1Qe<#C!pGAv=soGG-BE4lDTXB*vi?c*UJ*7{={=
zq3OdmiO|-KkXC`v+0oK!WYZEzkYvbyJSZRe%W%1i-YfyAO~%Ml2bu`Gc&7k7V!psm
z9z$q6U=4pa9WaOZZ!;KRFx+uLB%-=mRXEjQ_le@mPYf}LV4H>@9*1=owiMsS;g7%w
z-~!CYw_qWd)Px)O0;k4&0p9)$SVQM!;zg$-j{<M}1&m^xp?-fX2zCeWz=B{6;WQ9W
z%oo@uoQ8QoUPK8o@<&fb9&LDEPZW8yAb%B>Ulz_%V;(8q_$`<RPCZzOp+pg2!NfcZ
zVKbWq3Xz7&FpoIMYab|58K!RoZPBp4LYIX)5kJGeN8SWj^8v2cVeXH3f&n!KI*Vur
zS69%z1m1|=a4O?HJuc=mH_bWb^EjF-EI5M9N5DtxpNGMto4f;~C14S25EDR(48;s!
z4{NMO5H^TW-BKJ6@NhVoGqLLEQjh>d4WM!f<Y3YpxQNs6{bkoMeG6+NZsul~n(-}h
zPaqp8Q!s8IoMDIU&dmg0ha=8EKnXM|!s9!r3DAx@$*g7+S=)~!>k!Y8gc^@o01yvB
zYth5g7~utCp38wd0Kf@>dp6UHF__}}Oj8;AOnKwc+W@fF6t+JBInzUj;69vnQirh)
zE%qmDgHCY_g7)PF9JE<zV8f*VeF-E0?Gx^2xXe6w2D{9LfXRR{hzJZO3;@nX4Gm*C
z&zo=n%7XRrOYrmnDwUyOV)`sz3PLd>H>kE4Ffr@@0bsykC|QQeLA!Dj$U}(7?!Q=%
zt}SM4@)&3nXY`>71}r9d1Ve&h5Q6Jfpn1cf#2Zh5fYFemcOax-1DFf==m+pmpnnVS
z!Ad`CT)87!B3!=!MX!T@P$3$IKo@ZZ2WS{shyZ{flGlR|StJ;9y{ABGDCuw7A4c0A
zn05!{GGHe}(x5d#RY;J-0M`u8Fm?ei8U~<j0&ITW%kZL|Y*pYlhNsAD7%nPFH+en&
zxly7F3*IQvh`C!On!$zChrof#h)^Iy$Ks8@1s@~ytgTo@n5xCtP>5+;`0hE-n822`
zRpKmGFw(iUGAcuA7qeYR^V-U28&bZuG8%&PFT63h3bs`OwHs++^oMA74>Sdr&*yMS
z{}Bw=AnE16LDFkcCmy^4=mCNSAsCc3gdR}VFl41%LK;L{320m($rEP42UGnmqqjm8
zAom!1PzKs6N^lklL*?Ksf=l>>>4@MMqbrS{DSL*o3V<461&tOeFdCr7C0xc!LyaA@
z!y%n`Bz75CXCN8+%fu{*&hIcf5?5#|ZW)$}3Fnar=1ouo(*L0rOTYmWk5--NB0ShQ
z0F@xvVYmE^;4E~Z*a*(jgn;ijO9BFifg=!D9f2dL90!Le0No<_U^BGaB>5PF%#mPb
z9&{T935(=oh#pK*^d*LtH4T{4XSg8-)73$ACpH1JKo&FR`8aDpP9%I#*}r?Vig24T
z@5i(7#$#`{V!Ip|o3(!DoD!}MfZ~dF0hp&yLFK~rC^)QciZ&etO+`B}8M_gJ;OOiM
z8W(ncHU>2n7B-HfcEyzs+j5-(P)D7?)>VNouoTGdG`Qs&9nN7a%m3)CZ~}R_<nKI<
zbBPlKb_fpgR6QeD8-k4)hl$#(ZuP@G+dXJIzA&_J$U=f<9KvnN5RH7qHfivoJ-cGy
z0_$a<4NimmPX(YOL;Fu3LpjX-rzTisKkph^?ZLZ`X7<dDy10d9)aHbLPf~g|a0HqY
zf|a%h-3<_Q6QA$hMJzRlYq~j>?B^Y#+x@|w(;XloQ%1ophERUe{o|~I#u9V|Ed-1i
zG?%bL0DxDyEanT?;L2bjik1Erc(4@8!KCCgxJ(oYKeT`esOo|}kmj)Ee=nfLeBMb6
z%y2*oPzI_$=xz{<PkDIP?EpWf!XUi{oAn^fB7Mm>zLpj-Y<@$9IqT33uK4kKjR2VQ
z;9FIIQebLBgfEPrhfjQrl(5ltu(kehQyyw<2`<xhp|wac4cs!~Ku-LnaCZYj35Z${
zE<Nw_c;l16s~fY>7A~reiDJ<WoCFT5QQ&xR#sHflO`p-2A2oYeBVnq&3C+a6V}%j(
zHfTQDB#&z^u%!jA0|&4VP2N62z1XY@rcFjz8&a`Bm!T_Rx4yu5g5)6Bm)C%PiRqt=
zb%m!8Y|K)F-Rq5sm%w73)99AbHlbo%oJQgOLPD-%$B%jj-Qfd-U<Ac%9_pJ0<izCT
zUgUuvJT(LoirHrKKi%dVkmI-8>~R8b^ZVg#PP%hq==1;|zzzb2P7lCAI&8I}7FHY3
zy`tqUtaJorj8u<<2Q5{D$=nkiki?FaqT580B*4rBwC{@yO0a6z7J44lOtS@z3PCDH
z6Q*Ok@m4g$_b|AjD>p_E@<@vCMl?N=e7`3U`W>L%K{@MJgcGzqw6>!bYj^?Ha9C+W
z4R=ND1X~okIRhHb$j59t!gcZm9B${KsZ7+tp+&&bkRU?y@_1<o!YY^!o?)HZ39TN{
zDIkWkL)`iMtl42U0zHz@?h)t_fB>`@G#ouh-5%_Gz;V3u+^EMeaA>r>xr&C63le*w
zGi}e%$9D`yPlbI3%-IB!Ik2IgsUt8hhoeI`(F_b|06+=6gAev#6VovU0~a!m86#^G
zC-Q+M5X_2g{tPA009rIcErTRVU;=GMKu$h`$*JTWh%XtMHs~=RYxYZ&fy+>xAq&)7
z$WXouF$LEg2J1#hVw`jm)3VX%g$jc#NLBd0w?h~uKzBxBG+_Z2^k+my!tb)*i=zk^
zfmw7V&`2>m&H-o;u*4r0NFnAU7@H;rQljJ3AhP4I3V7rB0km{C7?uWOd>ApG@p%*`
ztty6*7VY3LvZ7^-BB_ofjHs<aI3Ps2q6adXm}N5&4IIQkG?;S{qOaon#^MuDorCJy
zR1Bc_n#yTbbR;tj0EU~mdDo%$e9*B>FXVzDV=SabrtSss4a+R?=n2K2@KrMsvio32
z7}h=5Aq^lI)<xd<r4TTxn{-5y%x<;KIf65NTn_*f9TFU&1#sX2Lt4N`sByFwfDKG&
zOh-4QVpcH`AY#lo@fbRWjqLX@4|Me%76pA3M|}lrNF}&`dc-7<zmt#jaya1wQ*D@A
zmqQ1Kol7_Yp9rBE47S6j&m(ycG%u5+GK5f=P2xJb3BIfbcY(oNiou&;;vD47Kgy8i
z3??>D%EWXaIu$@T2>vq#IQWggG(krP_;6zZGIV2SI*?Ann}Ce^U`1w4S>lL{{_8;*
zhVMb+Ssdaoob<qCrilX-5kEG%0-YgEAMimVV#*bIvImr_z{QxtV=`25@Pc8|5D60&
zTyGd|syT+Z7#8oa{RpTIU{!`d#P0irH3q=u@R@$XWH@W_!`WdAAPh}ujrcH9K$+>!
z(7A;Wbb`?v@gv-?#%SB`SdLIr7-E~1PC?^)H4OO7r9Y(XLckCm8$!TnzEFX%K^xHY
zd>k>W;p_nY2*4Xxy@VkRV?C692ZbUN95Ux(R340ZfXZW_HOTUt0Q)8}y^=QpSvcuN
zSb}l1Do9SNz_3w^Cq?$+T<{{6K!&?NB`<YH%1Z$xFL&Y%UWuxG3gk3Ma{7nyo~6A*
zwO~V8NA)l%LOU@`g3u0(f>Os;L^W_vBmx9}b{&qfVvG+qMFdtlGQZ-L&qbeTbrSy+
z1j?t|V4rL;n*;fP^4J;nuXX!@xA27$5F`;GEmA@m2g%S;V=(-Jw8T6B-73rjGDHhJ
z=-i7r3P2KQBWU%^Sw#%^F{~tE9>{k9Cw!PpV;(S?yJ1nVd`7}NV9<BLJYd+i0Z)qQ
z<ruhuah(ws2-fz6n8%ejUL8D0XF7Nr2j)@u9%fO1b!imKbq<f+46&oRf&kkJu-6Vz
z!ZKWciC>8&Jk|_^V3C}Sv;tfo!SzX|TEeIZI>B5_HBYf)F-f7aSS0O0c|p5Jc^T@<
z6YwJSCFv<H`Ed1RxLkwVOF)q*lqdriDHc_jo5@f#a4Q-LZ-#KBa3I+*x<5)_B%}92
zr?BHng01ictJ8paR-hI%n+1V21|9FwhA6bghaStKtH1|#j1A5|Bp`j2PQ*f35@7vc
zH~PK_r^yk?!FMuNit(V$G#tejKzvdI%v_o4)DwZ|AYe$jN7mEPV^$|*#hZ2o=n)8S
z4AT&M621-abtwb5<Te5AWHd-Vh8Cx=9rLkx-*FIN&>l8YLmU7fUw`BK>H6C(c;^g1
z!>0|Eb|jT@Lv}<CIS(<qNmvL8U@E;IoYL`(xCDsnXaVRqLqN$`_y<IW5hGGjARM&}
zQ&PZ>r~p?}jxy8~b^sTu!jhpXeT1^XK-LTi|8*3HHYER;;=lw*peI4EODBL2HE3BQ
zAagAA1dt7<)#O1|0BpcF6MP6kKv%R`45<)AL`y+au~nchC;-2|r4oD~4ietNU|I_6
zVpzG4y<zF;7=~^Z*i^C;;-Fl4w4Y!j_?ab3GfSS1N)~~VX;RqQk`*L^LJ@tspmK3r
z0N7noxei#lY_OuB192TKrT88F18u1d&>KyN9YLCCG#Eje4G=JzG%N5jfoo>r?PJQw
z^&;?1pNWA8RXGlQ3czP6T2V(Z)O-jb6$q+m8w3iGMj=HI0_&@o<ru(|3vmolOOs)C
zTMTs@4(@@Nl!6_aSl9bGad_syJQHXHS!<Im8qHHkaKk5z%aF_<c?ZrIu<FJF-wg5t
zV{<c9@;i(X@>9krZXT-84zCa@=!NDe*Fx1>FY6{@^)d+8JjHVG0z=qjf*1f(TrBWY
zBIYT}Krm*b7BTb|WG#Uqb7&m}8wD|m2t634yfE~>iI8<jJ~FM~CmHfF6Pt*c!vqXf
zf#f7=0dK-|Fo@Ax+mJXph+vPNdP=y0qOc7C#NPz|W=MzuA8Bcbm?dD6s*B5?gx7&)
ze+a_HKZWp;r`U*u8e9Tk{bMp@RSiCzl|yDkT;muzQW1O`Bxj>OqUEJys8ogtgt6Jj
zAmJfHx}cE?%!h+RSrWE+jxlcGgB^@xBL}c#DDTJOgbz~CwE$AMOz-X;Dbt(bn~t_k
z4O4S?<G%n~3{!Pr2N?v6Qg`U+83<fP??#1Ca1I_CZ9IYhMzFLE1dL{BZ3r{K8PEW+
z4tg18P#=r;0ztw9EQUbpa1{sf@+W{FhDs0169}TPnt|vF;ESaCaAgB58%hv_P5L#E
z2hB}lFn7O1BDjclH-pQ&ZXKvuKtf1c201$)zp>Cb1@<_hh5Fyl1?@7&HWYg@?ObjQ
z#G|eI=5Ufk2`r*B0;eL2D1jz`<^f$U-{4471jhjE6_A5E(X1*4Dn++8X<&N-%#+^X
zb87s~8*IcvsZcxdA!{`T3uMkw0@({ywTYa>*9A1%c)<rF<Az5A1K3vVwmqOU4;>;c
z2ZazugF!nBwqb?2=FU*2@Plj3Sfh-Xi#>3%4cT`NLFn*xpSe(;F-y5gTsihSigDZ<
zIJJh^_&~;>A{b}b7-m(Bjv3k)vj1VmBh+!`HkdyHY|kr*B!(FkVY3AX6go`0q6=w9
zTq+5Mw|uZL0;ciC{hm!611=riYu0uVrpeg8>^2+l4S_NUs;VT+Koe-CN*xx!B+R7Y
zX0JeAv}~b-PzC?M$Ox4ouwi?E*a2RH+cq%s2Rfj`G=J!UADKVqAr}Um3gm)1KM7o9
z{+J2wPkM)$KSY787_|<YxFYTV8+QPHH`Ab@8=iRxF$P31t#?V?*uI1j<_=rL-NP3>
z^dMj~Gb^G*LkcIYU>N(;_KZs1k)oSadmOemx4>TaFVHu1l?@7l?aeLS5Y!AyAxP|u
zT3JbjFxWXc4jkO3ffUwZHjT&dIl`=n;b)NEf5WaQ0AN8JUWRbQut{LJM8?J{Eb#X%
zi})HDKzi87$h0@Y5mFee>C?KghJsdtK!)xAq`Lrm2Blne2CmW~6B8ZT$_8iJC-Ip0
z02G6s0U9YQYB6bH47x1}PsAFES>T3?3LVC(uN*3a3jct7fQX=@Pupmvn5b9*`sHA2
zx+oxX(PE+jzMu{ls`DoBz=Rm9tnIBUM2AB(KAhyd9XXt&!8g4F3}*Pi5R0PWeXS-4
zVQ}0ZA5$k^#|6G0G>@U9ft*4#3`HR^P3MBaVg#yzv2aA}K)Y2LDheO!ZL&cdLTwrD
z??!$Mv&jaZkiTYFn#N&insGmtrVacsv4(<;lLMP!_ni!QVK5g)AxYin2t8a?FnD_H
z((j&L>vKdGVc9jKHR!!iD2yUdBGgf1GJ8EL)EJ$AgL7{tW3auM#z|m4$8QBQPBO;)
z$5FeIjA7%)M#jbuxbYtRWq3Fd`EklMhK(N^@%|+l!^RJ$ZQK|(elVx4#yZH4`Uhni
zn}8VO!_Wkx1A)^Dkr)aU#)cx~BjV!_^%{<%8~0)VssREV00cwPutAuKEg!H#{?OR<
z@hEQWdh{4k3x-L08t}|!#^EGB?3vwK1R(Ur%5m^8-`KT+nt2mEv5;%5ya{OMG+e?5
zSMP;@Z^YGmu)z)zqla!WjT4^4gy}VeBqyVX)Q}F6ioW>KS^5Ozi&KIkkP!|oqr+(l
z4Bsi(@gU5b%x9c5**F>YKPTA(a?qg#dq52A#7VLTq`)p5xF`f%8E^p^u=^&-9uNUL
zZ<6c*39#`w$sP~@N6OG`J#le}0$Ab}!fO$zV)UcgpG7`6Fa*ys0YAaxV{{7;A<Xl4
z2Ka-#UiwK!=!s9>cqNGJXoAgk@mPNR5)gRYj17C=mkY(hMd|SP4eBx~x?>M^ei2=2
z2v>)<oyQLCVAqKACZOc>82C3>UL^;RD7*{2n7#?n<Fy&yZ^2%LYiETfEbgbrVuDVG
zF!J(|AP6lXqN_L1su6zmhOvVIp-tWvo-M;7+6E)A_sj$!0&7>o03rdneiYhjoV*wa
z0Zd!<@R4j3f-qBrg~PK5$-x@NnxH*70L=y)!)8v1K(9E(BhrZb#A=*u69DfnU4y5b
z&@)cgb$Cw?bjX{qbekvX87Ebhw{b2?WP^8<^a2tm0B-cql|1l#g-w8QGS%349@Pq7
znmEm&i=hL?<I`2470e^vH0z<`-7f*8x=EJ}l**K^!)W#iMzij~T}kD-$JyeZjqOl{
z(j4LKFJX9JXuyUKN!V?W<JuTBGe@tqECMLO>j6+U{zgXJGcoL90hVrT{D3XJ<<B_K
zIhMGW+AMF)HOm4!*Mf=<nV}oJ>r??*Yv~BHs7sUL+GLo$O1e?rJ}yx}10I`#&Xu=w
z#<fc<O0?w!z(AMHH82<Y%!c}m*&HAO2vrZ@sR!WIa|Aa4{=6{|;4Or83qss8Uiwm~
z7JJkzT6o|tLd$FvFf2bK55p<3LbM<SnM;+ycWDlyg&EdB3s{8YV1y8g;2eyQ7>wXS
z5nW4$KMsPy2gn1CUYaD`2vi4Z2oA7FD6>c^59G!w22HcK+a#$RtzmVW^uC2BuZ)vE
zVV-x)cQ`cP2CJI$UM#mUiR;$3@MzRes<42ExaS&cemMuV!)zf3{sY%(zU7VG4qn8T
zIxq!?=RSb1pgiNGcTkOTEf%g@q62C4lggn+i&;%3buA`Ib^1xyP3k&OU|kFNEx788
z>)PPcB&pW8?j?$aF(s+rxbBTPS0yaLm?yzSLeSv%&^2hYNpFjZW(`FmsmZwRm9geE
zDm#4A1R;rXExg@^!GQtj%|JWwj3{a&E)U?mEq<R(kFK3bQoXLNd5UC}nK;4DI7J@0
zHs-Thl^+_H_rZ-4ot$l=i($M<cukwm%#U3q)1wb%3<x|jMi-B0b_BMAcw)SZgFin$
zv|s#v1rlDJ@D$t?PVj#BV<7<F!_Qe)&%jaNz($YgplfYuVrjIDXz1qSOY$Vr$V95o
zN`Io8hX;vDC3=#m9u%Jd8ksUGpMkaYV(Vo@Ya2tN4atM%L-r?%>yiEZ$o|G8H%}79
zj1($P^e5AZUgSW3Ph^rpzoB{=`A6qb)E6guyHSZg{y}cOKAuEhlK)DYH&I5?a~3M&
z=lLzjo`JrB)E}1eN6N7QAh^*2DWo5k^z-)U4+8K<1$|eJE(U&-nMfn~1^BwrNJJkh
zG0@*F2=L_Q?n{y*2KbWPs3f8X+26}&CA1Vnh8JLQ9AOkD6!pIgVZiCT@WFn67c<lo
z43)q6uMo(~5e9(Y`=Kb<zE9X4n<>IVooSWye0){v*8?y5^pBdTT<aPamA>s<uCc`?
z;aD}V{s&<OrjhmYD_xq`e5;AQb>dDi&ym};g`!?l%i9Yzx64^S8F)wQxq4%l@;3hS
z+OL(4j;mY8J^rJ8r0TgG&D@WtjY7ow*!Gzm=Bv|H*b@0{{~=ak7P-rAMTIwu!#s;B
zUe2>R^4P9G=E2fe4y%F|ujah#7AaGo7``b6F7L7;T%>+=FTQbz-T39pHKz(6&@07u
zQ+6s0oXDJ$9Th1_A|H1xI<?{sZB|-V0i11+Ugl#m`BSj6)I#zOT~nz(=K@l&!L%U3
zM^ij_m&orO>)$%7ZmwBt^!b@JvrB@+ys}SS%{yz*SQq$p%z5LF5s_xB7e%7zJ6W9w
zjs8n-WQHu9aQ110ufO!Mji>pKWKD>ey|icg<Yi7v*EvLX-MbXKe}YAG;I_O<ZIjDa
zoIKi=?dp7J@uiDz%v-^`<JTOKn91pq)*vM8!&Wde%{{X1)aJJ?TrwM%oY7#F3fY*;
zKGr63mto(eU=^N2w$D{~(%JdGEDc+x@I<AJ-Ysp(8OM2Vi=%~~T6WX1!z}KnriezR
zoZsMhZs25H;Cua7{Opxi_t&l#R?aS6WDu)hv|EZQ(~#krw?HFv;v5#|SjDJAS7HTy
z$Df<#_;KxLgTs~VtK{<Te0<t*zHH0$ysVjATs%89**6~}P0kjU6AH<GdV201sohfp
zmz;Ijm)ejn;<lE1!G$?iHV+~XN9QkGA{UrbQe@vDYdE8G@xci>hx*>^GwriIu4Uqq
znsVZTidB@HRqd43ZZ~DGNBOU+y1#qIt9fTNr!{o=sDHe0YNqYl#nggKyKc7ertP+z
zm*&V!TCT7AaY6sV)#~pu-X-3?uMqzJBR7Wv|KgB0(gn&K?(`E2D|a;<zBMDD;db^I
zue7L(3*)W~T+fe^KI$?zGTp(oWc(Vv4T^eJTj5#BTb`4-0&b7Fu}z8ClAtJihm=ph
zBj!+^T5q_-X_qT0{qXtr6?=^uCbC^S8S5n>B(yxM$|}Y~rufryB!v+lG<9EBpKjL}
zwcSQl?fizLW45TbuscTF;ym$GPxnmNsabC<-(ORo7j^Xwtvf%;^{tG$(EaNf@8bKb
z(%1DKoRfE4=24r*c-uuOmS%RmrreahGp~D#&s9#8V>ekBlkrWI^*K>+LX?b-L)XCz
z`B(2ZkUvXhsGQitw<7)JiOLi1YO9Vnt(nKG=3CUSrTJvRs+%g?z6dY=(6NH}qRaCt
zhjfL$tfqP+;VI$Bm7N^cjiy&+ql2y7qu3X2lo=;g>$_W;L=X0+zsx`PG2vU_*!UAS
z)Dx`vIJ*++0)&*G>G!BTjabx6%l}sKB3}NI;PiOH^O%Mt`!}v!Vs)1;S*7lqK+)zC
z(Nf)K#LC}w^8B8ysgGV<*(Yq)e`Cqa0jHR)cH*Wc$vLl<eK~f}^+3|@yS@uoy?yB}
zvTF0ExM`G@u;xnRMe+?CEiOK5YCDf9J$2f1rDXl13r||Dh%49cZF35l8g`WZb^3%U
zed75X0*~%bd~RU8s&GtokI2PshT}wU`abVjF{OCzwU&bZuCJZ_iF2e}jr2n19IU#o
zvs2++)C+E3gG5=C-MJB(#QfEs>XnCyYfMA@?dI=p=cArK*x2v0=<KVU)~6eun9tVQ
za(3Zzxmn!h3;0OW-)?K|F%Z1eqLddPvVWq(q-kr-Y}razek6!<JXl>lQ+wTufK_)F
zw$k+1Jtz(RU++H}58$X5fo{-UxxJno1stHzezUKAe^~aU2j+a^N;$LEHwzR-Yu5H>
zC7xK@Gi8sU!@U+|&as_~`3O(ClF4`CU(M6y^qe=15J5e^)S~hJtMJmtRy%X1)aTFj
zIV*WHd<<c;<ol=$-hKI3O6F+^&%Tg3k!{Ol|B5dxbp+P;3iYmsjupI7%u-s&^XP2n
z`aPzHS=4;w%+=0BmV^n>l#kE45-BZq?wq!>d(Y;xb5*}l?~6>l5hv^Do>>&9Cn`tC
zZC$@(l815}PtkOrU988R4)7k1n5w#GAX7jj??zvVP_y`*Q-ojz<s-eVM|KK473scS
zI=82Lrq>;{=k=-g#-8J_CwOIaq+c+ZRl;Je9Atj3XjWSAtar9Ad{22l>y~-A$@Wmu
zzEbTQH@0P2PHG4yAJ0liTQ*C}R_p$oiLFn&+70UZ9mj;f2p0)t?SC?`QAV|&Z{oe%
z{OnQ*6^Ay2Z3q@Mk({V@{E~rv^&*9-E>|9}*~?-@oiVV?*6*>lfQf~^;iSa+Ek|2w
zdgS=(SGui_mKDlcTp3z%%!2%tcb@Sw!;ChYGgo~&l_l>!N-t2bnYU@X^wN91#RW^2
z9`%=6e0f{-qRL~2l?p0c;m1~5I#i{v*jVosev4kZuH<}8Rqdk{+u~&GW=wx`XXY8d
z=8W~bzQ$VB$Y1%occS8B_NZykzwY$8XQIg6<L2JqG-<&un=3@gCrjJ?-%oa)b8cGk
zDdV}d``KCrDqo2U=#aOp+Wqv&m+JZF&8~PITIX2Up?GFrXS?!Dw;sxLsSTpuva&Or
za#vlfE)(H&^DOS!T%`8NiX3-3MSW6qX1M=+%e#FQO0{iKf?`J=if(zZ(UKk?H!y`O
znBD1)OY&mxIaLpwr#P8>&UshG+UFxCTHN;O*=oUz<+|}4VzR|2avpiCEnaOlW2H!}
zb${UYoTse!#)?f%oa7W_dxb;3C|`Gewq9-^QS&s%=ge<}s~6(=V_xu0xxMZDyGIV;
z=hm~2-(G&(^%|dk2oJAfnyv4XvjT?iGYiA>Urn{XU%F<8I2sQSACx><P-a(hOWUs5
zO_Y3RVRTFH$0IJR(L&Dpit>-{<$2T|jIARCSB;n9TCjFq`p2FZKJ#47qf;pR#22kw
z&(Sz5X+!o3Uycde;|UVW#<vT09@)HqLikahgoU|8wzj6FyvjWHmX!;?<~doroRk|f
zA!v-&8sQfj`U1`A@%?JCH^!fRr(59h{>jk~bJp$;3IBZP>-B^F`|Dc{H#W8HoGKYe
zn7CwzJ9qa4`sxX9swL&LpO)Iz-(UVljQXvuvv`AX_NsD^gcn;AQWs?DojhnByKnqT
zy-CW!NyqC6Q>|xJ+g`g8dD<tu|ItIsM#n`0Y81~4Tz-XhSEjmb`dk`+J7b-hQ2r8k
z$Ba|72h++eBG&c<?Bc(*nY(GPBTMKMo6qyh)_1E<vCmQTPtT}dKWVDVtqUbQXM5F~
zW^R5V;(0q#;<DC#lE$keCq5JT?_J%$@${ql_V2!ZJiR5af4AkCZOQqw1GeW#7vu$A
z4~}UjEt6_&6Q~n1)Ns7j=;V|wUELTa(x84q<(QE|wwY(ASfx&loYCEO)mEOEZ{D37
zC#hDe$%KAkUlt(vq)0qL*h5g=flbJhSY@s6x!lNdMa+!JTg`+g&RIFn*GJ^eb@qha
zT2CfTA6F@U=vs!Fz|OuV-ZsydNgn<}K@C&MTL_Kkd-jsD^22z{><_3u&|cPGcf_Bk
z_@3^L_#JN+tKTZ+Jh?1NsAB7E3#|jESneH_-7GaD)t<d1cX>7S+M-9hY9lz^FY$$y
zFB7*(^^m8&XMd2j>Qjkx%t@u<iM`u5+zDuK_ur+`M^l^JCnQ$Xxu4gXKii$V*(z^u
zxX-p``gx5B?#<7uW1CBwd)%xp9TFDQ=>M|u+<}rz_PjKggZyNE?YBMN$8<WSn^jle
zk>dEYir@Fb!(-%-y)k^Lr_-GD<W`8DJGs2{s128pvv2uwUW)&HzVQ`OkB;4tDIlz5
zdv4pdt#an+(188x{U#aTnz*hr_Jh*(B0tW9?HgC^$WN-jI`(k=9WKrb_8ut#ik`=o
z>=ECe*!{?!f(&wm8Sr<f^Mvsjzq4G=U3}f;4x2pt@L_^)MXO?#)!x}ogh~ow{64m2
zTMb_krWz-la+AAGyD?jjzdU4zi>l(-YYE*C9=dL~;*Bs1YY@tM(OOYJUUncv<p|s3
z?f#Df2QDjq$$ev(bo;2!mi@*T42`aAO!9a(&SKglLq+F+4H0zlOs?^VcIe!Yjf~G>
zGgWxlP~)kWSral*H&OMmvioLvp?8&sXJ-Z!JgO^L_TbF|U!JuCJu98`KNpT&Fmr1l
zDV;dsYLF-|iDSWx-0tl$XU3V>XzW{7Mw`FCNoP)i*v7l^f}gu24o793nEq)mWvx&!
zwa7mD2zzd=lGDe!W4wH(){R_7J2qZCF|T^h60Sx+%Is<uI~D({4s%Z`a4l`>cl}&F
zCt(#^P|#<#c6skByzF0&_?X8`@~v5rFFueI;?QOzDOeNLXlIzqcFn*1eNu!RPx_8D
z%7>oKKD=kI3*Ct;JRs&nn>1_o499m5o=Z;VqUmfdnEHZ4Cir#b<aOhuACF<N$dK}{
z%C5^WTY8socgJBz%Eg@itaYzv(Px>sn>9wthIvhGWm{{{XLanXv2^)$!;9LJISwpf
z%jULSGwnlcnHQ}+Gj6^#%Tu!bp{dWk?Xn9tuOv!-S+GQQ=H#0kPDcu>j6Q2Btorn2
zT-yfE_|>l;q{?!xOSSj$tk`KcH^W%xLH(E+Pp2jCd_m4t_pJ~X+WEfPHcCJtdU~VZ
zoeQ%p`&AUmCmu1(s0?U-BV#B2Y!3T0whh(16XH^<?mwBhsr}B8-FMb<cdX$rt~(mX
zYR<!FwRHX)SB|e6qc0OBSlsQ_yYe3SLRIJ?x!1Px8TbTfj=8JZX;pqtQuD;-iI&@L
zigeuIJ@w_<@s@_>H5ILPs(V}>S<G89ky|-r`;7)+$2SDJ%scO(dk+1iA~O^1o;*j>
zYu~P%ce~)2Vn=#8E>u(ZY>Znkdqw~KWUkoDEAs3=zY*o(SeUK-Ha%l;ZhhMN4gGg2
zzHKPF5<<T_rMIY#cr&haO#O`m%Z2jN`0ka?yl=L6%;BSGJV1O<JlXs0>!nrEl~yzQ
z=S0}O8v9vv>c=A4)ml&F&6nIZ&weBNqOH4+YZLF56%R9A1ns6+ux&iPKXJ#E`YmjW
zRO8oj+<zzZBu>bx#>h>8`^>ey<;k%|{BMGC_oY<ZmA?;bPkUCPn7X?ne2L<#Bk7ra
zPerPHB`&w5?GWoQyJzUjk$&vs^3-6-D>7xVrXh3z&WZ|034Qt52j9qaP4&yqd>yS`
zz0PIzhM9F)?5VZ7>7t@h#|>wCjBQ^b^?a>#@wTG$rT3<srPgq5o86Y&LS3O&vNN`O
zVrA+i3oZw~9pXGykvipBlf>5aPoJ_;+rCh*!fV3XqvfgI1MA1mzddf|lXJU+FNdAk
z!++ZS7FW=cuO+9tJz~?g-}sjJ-qmWoy}5eL#IG7r33uKZJ`6XtvlV3N)f(TEG~L#T
zpZ%+dnACz-BKf@{?{*j!mxkW(Pjk9nk{5SY)?ms(p>^ksP2A_J!eF){zjgX}kqIwj
zRyh^juYTxXwrmz#y#4c8QH5=9iqhtG?99B#x+=u&c<7XDrFA`PoSY`*?8)&S)4J`D
zhU0op2Xz&rdEZ#c)pl<CWLGPGdXw@+PnFffh&9A1+H>rdGZ9=7{qobk1!s#8AN!g2
zn{XN3*gb8d*xW*a1pBhS`z*ye`=+Rb?0q~V@RCGrdcte*BfHYpn|7A@t|0_*&dhy(
z$E~pCU<Khx8@+i<u`TDJPg)9%e5*SjS-x@STVrxhuZU;$#s=GZcNy*cCx;_n&y9GM
zG@kVY#Z2g7OI^g)N!kiIoV#vCr@z#=J~zH$Viv1~*U5nF#>&U_{MOxhAsaUd?#+3B
zrNY?YK<V|c<hpGK%-<GI@C`cXkQ4k=v5F&)dkWVJ4bQQqt7`X_b#i%TbEi*8%3X86
z^0IBH?0#h#i7D^xLp*lvI8dEx9TvLejd?O5%VlAGzC`BM%6+@0!d<o}C8_+X*<;Al
z1Fr;p7`s@w|6;1#Zq<8A2Zc@F?tdJjyZ0>YCf{EAN@%MWNxIj^IO;Ix8e-6yO|_R?
zqLy<Q6htW?gE!)XQxjA6$UhA5^M8{+quDZM+;&sGn#_i#dt292a*wg@WmmW))Y0#p
zeP;ahg`W#AgcsTKNvv>?<E#+~jf-DpAlcDW$~vQ0{W8trYM~l?<(}BHuS2fP>zldM
zwszcjXUVcP74cdJKkr)C*zd}h5bO{%LGqcf@VvObIT7)Wm#=s)zS}S^vG2x?oYrcJ
z#~oS?vFVBS`H7!r6lmM(9?ZY-?b(!#ldfy>JFT5%()QK(x`oyHqf5SS{nnisFs;pB
z-)6d^w9DDf(r-;WS8>+3ScJ%1j6Jga>=K<8+2|r$BbQy1F8eKiEvd9>*Hvy(oVQkA
z>{9OP@g}80hD#2gwtXgi(d1>cXn3effnn{1P4}ZywGxgTNIuMc_yKR18{0W`%{gNl
zy;o!_-tW=a-uJ3KsWCe0>MX^kd91I*E_!6nXdKYnK)b!boa@cQ=F%~Dw={^WJ8i5k
zoqckxk+wmgs`Baqy=6jrNAF7ZHr2bF-r`dHzL%73&OWL0kY51F!ME}G{V(Nxwry%F
zEyf8b?z^{kV?|9e7w6^x@4Y;C$LFu<%$O24kQ2~R_>LZvbC#$a_i-)@g~N(nTj297
z<M_Qiy=O)D&2b9xi`y*y+{#3e)av${RNAhVx2ntJWb=i~2hMgJRy-#abizq%Uf+?g
zFG5=qY@G|l#<eB~Yw_)rqE#J_E&815y|gZJ(YaOA8^_K!y>fe__k!EEFJ@JrlKt$l
z;IQpD1@mXFW;NG4x|B%)B|IGS7A!LNPm#N~W>(Od#~UBKdcOT&{-+!4Z3o9aW-+<=
z_CVWY@i#_dT{6b&56geEtUs``sDEn5VUGDhP5C^TuHWdvS<x#CKVCDL)E87(Yx|I@
z%O}RBT|;h;k+}8dl4KUQlkBvs_nt4)DqmN3&w85qCFKs=8|EBV*6Z(OnVN||Go@Rw
zA9CpYwE2@`MY0xe;+zky`g}3o>qL)kCXNx8*S}OSJ4fKiY8{7%=O1vHFOk~)yy^3^
z3vb`vRyz4nv*tqYPWEGmRL#mK^S-+ry1ldX@JG9d*lko`0qlotMy#+bqr}2SU=?Jz
zY77@{I>EwWp$Bu}Ru#+@X1LM}SBBxjg)CUS3d4oMvF~XN7bYaw_bi4xo#Dc5D_A&@
z;m&5b>I_$o;mR{yU|=l0GQ$;TxC#t+Cc{<4UA(9NcmD%;e&OIhj2<*s{>2CXStNis
z_=SW2ED8w3{|h)!WytS;)wnR1QQrS2;{(!9|Kqage;fy(Lj1x3z~Ddm1NCwU2O10>
z{!i(s|D*iC0ysc(1On^_BM@MYfcykDCCvE?{}N-cOf0%qwpw=JmGJf<8=5QzmrR8{
zKS~T&+08>M5T$e{Q>iGShnpW3;6d{6L>>>XmDsnZZ-ADenVvavZLICBJ*fd&TKYCt
zUKA`D!3%QR7+4clqHv>tKyM#UEWn#a3((Rd5d3`biu^tC^8HD{R8+8ku%DKeoxV)~
z4G#|p@zL@m1rexZ53Jo(sxQh;2vwnA?eM`J)Z~B3uYcfc_rRrrx39Db@2m#a4miSJ
z0Q`l(AE7&KfY6gRz`{Zp0EEEa%)kHpNuyau;-4L6fPd|m$jJ5!|38M`aQrjzJ(>>w
zN&F+eM{)pB8p|&^@INaDM&kdM9QY^4f&U9~0O<qBRx)xt_}lsb;lFS^!1NAZPl^_W
zi~#oce#6Iu(c=J<E|}wiC@TSO7x;U>?^-)%M99BRABe%r{e}M#@cr&%IR2UV9!&@T
zB>s^;faJi)@!*#n_>J-4zgiBA#Q)#W2V!uN|0M@-IQ-uK|7&sp=>y1a|4SeEseRx-
zCI{d`(_i|)f8IXyZ^Qr3^nrf@|42RjH^_niIy>RNYCeEOF8U204@T>QOuAs|h5rN{
zAbo&!&_47_9~i9<{yXu{#P?`A_$Tp?^Z_CwOrV3|>jisI*kAblx2_j3=>XOZuyNrp
zfM!G%%j_?Ic)fu5AJ7N>CjS5H>_h)f{Qpc2{1f<R1L`Cq3jHMqez<NpnhyMZ{IuN2
z9t2qKbPEVT0Q_^m;d0>r0v(LRKfCZRIWThF_`e<hNFSJiNcdkX2Y!tQKM@PV<-llt
zkSQ17k|AvWz>Ht|z<+%I$Y?q66ZHNxdN}@>_#RCM%z42-fq%4KfaCy(ff4%$evJn|
z9uIzs=$|AQP6wm$&!mfgQVxv7|1W*u_v{1zj(H&y-=pc^pOgd0PRNu4Lv|uIrC)O3
ze@_k!;s2K$_+OI)XkIWAja|Ry1%JvufI#+let$+EnE7j7@IO5-_$Tm>?1aDM0D<tc
z^97^lhyO}D;b?u3sV6e^!heDeMveo&^nsu01OH0=Gx0r|4*p5}BYgm!_ZmqDe|uiQ
z@_XltnCFLn?|cyRJP?yF(Y`cYXdd%ilA8w&JNLu1)BoN%rJtQoVxB`{&i9ynK6oyP
zc^-+eE-?CB((j!|LZJL3zdxc6FzEnZNdCw75&hkH;V=CEm<opD|7UXGpTNJ^XL|nC
zel|{4gS1D>tb;a;vmp7ADWOCXg#tH*Q``yT4B<X%A~}HM&j`Z<s6Jt&5djpqG<-yW
zhc6lKw#Lh$Dif%1NeTR%_4G`LjH|;PC_XfF5w@<UCk0(qP9d!c^Z_5yjc7~?fjh`O
zeEi&eiExj2Al!(J|AyzcC6kH1Zj_ZIqK#V+$<vMIW`kNK=^JRqOpez#ctyIUk3Ws%
z?@1<llA#)Oxj8j3Ab?Dv5%qMf^;O`ia|)5>4L5QJQYa*U8qtE}>4Oz2M}*7FSNi+-
zuOw2TE+W~>i%Oyq-MnZd3bcVrBU<X|8AGkZ+h@YK0$tCI;%OTiK++;gQkf0=&2*Gd
zxTk$&N-W)A`%y_m4=fpx1|<>~5TzwOrJ02Si2SduIMH%)z2Wr7H_z^vxCOg{p8-0|
zIg(hYn_ILz)hlyH>$BziI)=ynmcQFq2Mgx(!(Af7{k?DvFg$C(;1UA4B&qU}%!_ZF
z^-Oe!uByjxHz&ds^Kkijpsy!}3U?CGmke0<lp~_V!9Kpe%y5!F)@jn<HS_>yNW!2a
zOTZ(^pB%W-o9Ks8FNTMqcs(-0I!y`Pzm9OuKo!=nQSEXxA?g~~{9ePLTq5?fAko~2
z)})niX}%mreEJOHlY>w{AP1lddlH3;F4gyN^GB6J@5t^nHy?kz6T{ojXdh9DXhJ3G
zktvkG02)ySF~R~O<J$ZY{T;gKA7e{#NvilD1&k;cK)@_p(v#@s?+L}p!R`D&z#eet
zysr;j`wtXtqCZHMBkEz&udRbQ(Z<@Gh$I2CqT%&0(;?PIx7QP8n3w<idw6&&;rIRn
zzLpUUa6F<)p#caf&>{r|1>%T$hx+FMQU&hK$9ssXT!xVb&4&iHtR{tO5eX28WnPA%
z6~i7xP_+oeg(!s*B*A^k;2Yj*R4Aed4;<j*MnsP8(l~;NA0{WrUPMdi6yVAWdu{=L
z*8p#tu^ZL<H@c=z_9x9?v=NCslms4WK#;<^9_$X3$OnHq@aJq`Zun!mUaW8Mg9Ofc
z!{QA>ys@VoppTyL`hdR|dBj@;G?1TEkg&cOzo2}Bf=1jX6o}XlQ4fXeYXUhHZD?*D
ztC4`kUxlCsfOz)uLEP#|@^TCGW%f%cL^6cv9!eu&L^Yy4h*1qfNFISS5|aBw=<5(Y
z4Quxh0Z>RZiVq3sl|~8yVU532K_z-o$bNY45#|3zJ~S%)iF^SRGWKc)!U9gp7z1Lp
z0PT_e0?<f>BiR#2--s4qJ%qeCt9%!wXKPK=wYC`6ah<IQ>mXMcu2nkzO<;UCGQQ6;
zTxR^=bpx37pz475h~TggSe$1pBU(WtG093$Ky(8U@Iw(6ZXrH?fdKdrlA#Sz&n>{s
z!-p0M63@-Uo8&o^4v$A5AX>Wl!LTPSNtH&dh6oNDuz}eO91Wn5A4qUUc_Y&4VS@z%
zvaYW$*#pT2hQ5MEZmeEB8!F$}Kv&;@(G`#mkZJTFf%-K%9a1VR-26j{`XtbKJYnPs
z9WEfhOK;^yfj%OEk7_VPZ>4B41Qu$_cj=ju#Umh)2s}iB)W9)=0{FZ1cK)OgU^N=N
z?1J+oy!$~i2%#~Qi65mm@g%wVTHzE;ra%Ty1%MHwFp8W1N<fWLh!RmA{wp&W@kiwi
z)jy=ke3zctKP!q48H62(Xh}3`|86=&CV0X4izy6}VGe5F<wN-KL-?`t_gNE2GVuht
zMij^M`hZYDsvsJTO+2aM3K*S@qysxDf*vy!(Jv5mHyE3}+<ZY>_3<M9W=V*62L&FK
z`WyWjRw!!Ih?idePPvOgAEiK}Da<CDcq$LJ8dRD;*y8Wt_#5S_{F};E{a2Jb$d@)G
zN|28SE?TH^Knu7~0*I@s{RX~=C&w9cP!f^-S2Bkm0*>|(;~ielh=}2M9~>)xC;>)f
z$H!58WQAcDk3&*oc)1LbIFj!@AUP%|lvF~7F|qX^6XRUGNQ2p-@9;gyHzuHWAq|tN
zFeuOw>{Rfa-{l+D4rb0j(2%)ajD~zy9&@sXsR>ZAKS)jdr6@nxfQd#{D$NZhWN!GR
z5M#FAg3r&(0qH%ul;42!h;n2ksk0Dy{Jc>=?$_^^GrCdVmBW;u_)G?y<^7@YghIj}
zlUhxp_>+8@vyboPE}{c`((DZr0vMvPDL6bC7KZ8e-_xrxmdq9@Y)JdVsP#ACI7nY+
zcmt4n;O^rK>Mn`;TXLA$PZRQpDo2Tbg0m!*sU$FSU=wg$uS3&)82SC&XhU>@KWp~0
z#KX!(f|WQ_9&<#%Cj9t&YID@gMwkCbGku5OAsv-5xiJXA-&^|~{`*-+eh(jiw1L2M
zFb{M?@4x+q5QNz%i7}BSsLavu^A00uD5)XGoV3!-Bb1=5qGqv(pgdOt{?9>P(4ajD
znsdMh*EcCcYTTznn5%;OR0*mKpW1I!$W$8$dZ65`1WOb{HyGARW{fcyLxSBXBt37E
z$LhiKL;3_zq%XlX*cTa17Qx&lFaUj70y!i7fUpQ|x+3U<y~%@S<LT!Cucc8)1U(uB
zC9ozB`ho|2WHfn$BqJJTL!zOH4;6x;7Bc)JfQkhcC49bU5;VLHya1bEADV}^9<ZxF
zGzsAewa0=SL?YODlOe>L<m)?FjWOAeWI^%|B-ntisK1Cn4W%NKk!S>8A9se2jC2Ho
z7KPvr&&d%CsTQDx(ojE!`>h%6XG8-i{F%`X{=?Fuj@ShF5J2a!@$~UhCFo(3a8x}C
zV@5mAUIy<5;zKdc!I-T9W{U(#1r5+=nTj=npYGt+dS^3(r8Wk(Or8er9{yM$l0rlo
zG&EpF10?rHrXS)SWct9>P-od?$Y2BZI5g8I+4^{_2GiV-iHS-eIzy2#axTM+Hz<`I
zyto$v%#BPzD6=CZS_reY;bADBB@!;aC?9;_q=<hkB-)yo!FzqWSk(||Ww!_~9;LLh
zw;lX|lotBKQZ57)lN5qI3^<g1Ay^fto_bzxLkT6RgT^xkkN<K20&p3Y6??;Szb9uy
z=C7r9aSPpc{J2$WUmw|LbK57C^^+7XyX2Vdl9)O7T-rfr-iW1Nd+#Pmi(h$p?AnuS
zrv8LzJ=4Suv4U++XIsBsM7ZE{@<DV5%{NSbyS=l)((u%yMXMhLl~+wL`pA8_;#t3p
z)ikNxyS8R`T}}6-s>pUJuV^<GUnzd(=3K@1E0(*hve7?~(7Jbnf>5x-?68d9+QuuH
zHG6F@ZOA&AUFqr;aaP?@GTPf)acl7{n~jUeiC2wXO3Q1E*=XCHqGFfkXP<U6tX?{!
zvb#J`Y(`qN#P*vL0tCa(oY%^Bu(x;7*rL!^^){g7XwK0&AD633d5k-Ef}OW}!lUzl
zhYqaCWSYF5t`h!(i^u=`k44Xlk=^ajXGS@M_gOgSN2kZg>~7oX!58*y!csZKh=Ggw
zk7*xrzZN!-3F(VC)YjNH>X=Zn7fO6tE^^n|!=<*1>xs&n)#R!#Dw`Cxmu%H#iyZ5|
z?E!aMBbR#3lTE8D3k0NDGW$)of7@*vYSGb9=|#<ZtQAZ$+S)m7eZFB+$l=I`6UF`S
zO}ZRnHY0A!HNI;!k%9c4@qvvqAFEd6I3JW(I<UX-6YqU$pVZA+d0keTEi0C~#jk##
zaP8&`4Ktaq-1VCx@*~aWYBj8VOnuIke(_=yr=97>1J~o_*RbTuvK$xusuWVf|KXbU
zsl2zj%f*kgo^Ix{jpn`B-G9JJG+prXf;e7Yo&_xnw!h+P3P#43zXUy?e~%a^^(lJc
zxq2e!wSvRL-Y=(^36A5?^j*=ZVNjG9B$cxK!AnJfbF5$Pf15YEbp2S5O?H>qoxXi5
zHu9O6^l;iSGrb`9g-S`|vgVy%XmznSudMgedG1rI&R14gRVAL!>fU`<$<x*6vD(Um
zgpNm_Hy-az=ULmovx#DmyftcROQ~g=eBh0#n-o6yQHxfqpIXW7A-_b!Mn*(5>u5@)
z+pVts1ugH7n}@foIrUlYi{0(SWXi45m0zBAt+ttO(0KFdi6C9W`<Kbmldq0_|3Tkt
zpI~k9yQBww^;UQG?{2?wJ-pSB=k@NdY=<9+I5x==Hx!nC*hCj-+|Zy~@4VYnyz$u4
zYkvuDj7<Lu`ggQp(7)ziYl-kaqy1&^<{eST?{ptM6YP_a{$iKYHcLk#jq3Yrk6#St
zdi5#e=@EA0xSoo>r{QtU6QtJK>dk78^-b!|qb*uzq2j6%c`%G$$7|_>g}SSyw~kqy
zFP>FzYyD7q+^XCKB1K+PMIsBX@gxeR<;b3#?|buOeuUQJIbYS+gcDho67KhG)>PM3
z{#0J(prtPCxVh*^22W@6hp@;4(#F>*1>BtB?&>;e0<()mr+oQ*+eL`q#(K?-7TJ)Z
zXw%zE8_$VG2CN8~nw>RQcvHh|ZW9NZPomc9O_oy=9+zqwuqWA1+Oaf)Yk!rz;>SBD
zsR0iir=PG4Chw1Oe|m<!EoPC+*^u=+qP^r+{0;gaBVw{BYr12eLR7N--7~A6v-TzL
zFcAx0Z_sO#c;)f<4$-&bU$-w36xb1DYI7$<P}tyw+@Zb~>-uCD+kDD7N7z717@!tk
zikiQ3?5rBnY9AGmBW>y(D+a#Zj5xnsDZ1G^IdRjwT6XO-uhQrVeS%$l4VgC*@1GZJ
zd$GoJ=Nqm|;TyVbX3qAsdRgB$aCw~H^t@b+NzYgeB<uZjVgu%_+v&6P;QYHedY-kH
zAGB{jzOC2S@Wp_xo#FC;uIY7rHcbH&oB3{~ze>~L_m19oh;^6Wbi43rx5A=Q9ZBUh
z1(_DVE{(%lryAw;I&WPX-zEO6&!J_Vo~onb>-GyQiaY(DR?ziBsYYWs4V)i2<O_|D
zUldKv-EG|SfPaP8HG}d+hfKfntXlp$p`m2Wt~sBoXS<7OuF!cjru0*S`9z_C36s|8
z-U`tx3D+}xC{A{jDm>*YoxF+XV1_)YD|8cI$dQ=WX4~0nyOZVao6g+#P?}TqB<m;6
zCGVYIFMQz;;pO`Et>0Gu=FGG(lY4T0`vNaWchBT5Nll^_u!dX9)kl>rkZdddrndEZ
zbP;F2aODQQIWK&rPQQz(jZ!O>iCAd3{z6vp>Yyf>yQkF^%G4q$Tl3RhrBb9m_E>Y6
zzSC)_nGmsjUxoZj`Q0vN<^|-2i*rRCE>Cvdmd0b+NPjInz1J<>%_d1c_^)vto(u8+
z-^mYoS^nPeNg%A9Bx`v6mi(2cvy@&u)!rDeH)QMjz$42u^4PAPY-}Hp&8ZbwN%HKv
zA#;l$XkeSOubn@X{_;lQYr*vX#Kw%uvxT<`{D~1A5jSSV?3op#&*6UNo`$U813gX$
zgTwi)8GD@{s`PmK<UU@sO~ZG6=VNuw+&iu{(`R-nzTEjC;66dnB)5CzQvT^S<^de+
zkzJy~hqT9C%j}OCa7ueudT(!BfSbs;F|#($AnDA{*qnM=keWUJ`MkI1+9zLju5Q?_
zU3k6LB6C~=xr}(?%2{*1gSxr5B6k;R72eusy}M9(RmQ<(vQpO?Y7=kn_qy7@!oc)p
zD9v<pjsxZ4JRYO{8Qscv{Ync|Xa80H|1jSm_Uot3%f_;1%kE6}I8&E8zoof3{nAqv
zJ&V#0cf+(SZIv6SM|YWD5u3lT+kt)G1_N8y#?&TJZ*CriuBx^L*G1k_r^`PGPF#3n
zxnzJ@Z@{)VTZ!h1DS=Pj7TjIbsXkTXetA!nuxxz7V+WepIE9`QTXPrEb85JHwRXj@
zA9Jwlvi>5mF#2AEu6{U2bcwUVrtL=!Cs}yTXyr|~)v=|u`{Thy((^h$y;>Vc_86DU
z9jvkBrI+ft&_{}LsTDFD=f`9|yz4p6tNT;AtcmCZfA#b2#V*|RZ4oO=Nx_|C%Vx5V
zqZqHF@A)Pv_^N6Ksd;LBJx|?4+w-$RF3HZHce?0r((eEF*-Iu|sSNq#uf#4>ezW$@
z!59|@i^-YC@@})7k5fG|<~)Z-qtM6aPakm4TgQ_dW3*MD+_WPqWK~6adKc?A@$8u3
zjR9Mx=@rd24{COpSCBN&)p~wmL7L{-Ca>|HGHF}rHN{Wwnw3*eY1{AB;p-QiEtVVh
zMESUsPK86C`pxby17FDxZ>xzek(Xa9JTQTCN&QJP`^l`?maCp}_}`=?&=vG@IYTCB
zWQtr2r_sEx$d{|{A<b*t#WpQDeN)tyi1UwKJ74wlWG$X!`0}mG)_^xFSIn6mpr3Ms
ztHg0-ZT1l{ep}j+ym)<?_fMkCiL<ZLC()OGO$k1{zm|KxhD7Pd4W~Y;%+b4CJSB?1
zAoq0gV)lc1w_oMaj7(lGd9j8j7?jq#rO2{p7j^obQ=$>auC_a{w7T#awQJd~8zURU
zPO+JM`KWy9nqHyRGat*HP2m@4eK7BuYS_6}+1Zg!lcY85pS}(l!}HqnT90jEzi9CO
z7Z*B8@~-x49dlg!LVNGabbk4rk;N_7tL`hOQL}Db*YB#)yrj`LEsc_{b9e*yLX|5^
z%_dxHx6;l2*mA}y;`#MXL*c@cX|gKKjeO*9Ym2wN{}xi#)f%26aBq&(ib|C-k@YUY
zQga)Rdfgu{Bc&H1`Owd$ZENb`;ISvl5^n3BGft$c)e|@HKHsyeyQ-~8PIiXRi}L?<
zy@_`7&h#4jd!L)xt24b8Ja_kUw>%a5Ok(N^s%*4qvA@;WxV>estIvF1Q0R6weAnI!
z)r(T=jvu%ryI|q+NA?v5o~Yj*NBAVPni$&E7&r6M44DCq$e6K$!oDTMPYJ;nnq<|d
z^*?{xwo_rRsd2FSnCoGM4@&(+zrJ|V89@5NN7{dO)l-$#n`A;I*Hg+OoY!7hyG1{;
z-R<Ih<M%wmk5ZEMs#P4#bfDxlM1=Oz1^fjIS-uQZ<;rRmNX(B?xcVTjK1+fxF6_hk
zedNUIPKl`><|u5x?kB?9pFd;awuAj~RlB0^-i#1SQ+l|+?(u`&lPo3f9v};TlcVgE
zOS&4F^klXr%m4bkQKtHlCTsM<P5Eb*PHgtR6qBbP{BUZn)jprr?I*6>2vg_&W_sdl
zneYLnlUaQFcaNy{2_8)06{_F=ae1_APYj#%s`kt`-fUA2+*8k$%vElB*IoF;=d`DN
zpu+C<C$i`76Y^i~zTA`TdYk7<k$|bueUFUWndv25iyowYZ4H0Bc)RLn1Ls@u1(zGI
zOi1{$M5biNwwW7?MJ-QHyXC6;RqERPo58}p?YH^nJMSwCHlO&OX7y%f%#~%29X>{y
zIGCPuzr@jWH#&_kiEP5vKtE=ly)r8)_C<Yp#v{AXS9JNciv;Z4jCQ{c+9IlWDniC=
zApG*YIn-TwGxT_J#A45;t(kbD+-~0|%EhV)c1|R{wfuVo=jp4x7KojY(@_vx?jPPY
zL9$0dd)p?NTrrtFoofzx&3ZK3<R*F7&ZZ+<-@Sfy>cK+kKz8d(`P10O+EvwO*nK`C
zmjA%~P*3aO;O4!bUj*IZ_82`tT1UK8I($QE#hmT$Z_{l>%$Bf@U1B%(X3-{z1ve8~
zv_#i#4l^T9HB!-98A_`*ZJ4TL_SP_t^2T%G@{2m@jf;YOlV|DgrMRkp)_qzgY`yq2
z=sj!-dA?qE-m8a3vh6q%CK8?9I_1=U{=i4nzCGjlymn8`aE{t=B9-NIxVvq+X^yIZ
z@H^)NCIs`jDGiDfUd|H>NXzfn;5t+2D-)C_>bk^NFK_Ow$?`JeTc)<P^s`59I^Du1
zA#OmOa=QOHkB$1=g&l_j>Xpyu-V~SL9<LF(LUwAeHKCfr{`ux=5q{^T&ld9@D3_T+
zU3cqlRj2lmfUniGCvU`RRv4;|U-J3P9?^#%o@)yvX0gl6lDPWuk+fGAhjhc6M^yin
zms?9T)VyLSGyJB7oSnIsQn&bh=jV$Pb2Hxhs$S$ecA~+;#*#HcM1p&%lXpikd*Kz+
z;tgksmG`9VCya*ipZOj+e}_jx{`_yqeuXw({e>TY80YxBq^q0z#w&6!wm+@%HQlm?
zx=pB9EA$B)4_&@Obndm@dEI7pFD!`#PUQBFJI%{`I21CnTYXg$9+4#<*VkOiZs}@M
ze=4Q+Iz768Rp2gLOlGgyI-b>RaUX8W7szgBy<p#c|KiqFul>ir=uVaLUR|@N_o2#)
z*rL=`?_OIw_r)fYwBPtw>u@_6546bJB%e}s*0oWS*HbV2xVffoTnpR$Xs23%Z<)L=
zzvvvOB5~aC@VW3tf1mswAD8a&iyJZ?+NTI)5@mACv(}uox-rLjZtr+faN4(Jl#Q0c
zed2ZzI_?cdYi#BR2xToen!2S(=!HwM%KPHWxe5U;{gq_DeZhZOe@FD6wx`t4wC1Dr
z?WvSki6(q^><)J;ScPoYZQSm?pp5<Exc2p9vo>6guMFf^L94nnw<<<oXB+EY@txz(
z9x>L?_LDi7^?bY3trI6?c|~6EsdR5G&hF+{HhfamQ+~MKr8Z^HG^66XVvB91E?<k`
zcajdQyRmZjwKlcx=C6(~6I~DTD}CD*DwJOJ^|1QEyv?cNS#M+~<dvM5H|gHCynd0I
z1}Wni-XX3|UN$M0=6dhiyiCpDn+qk3hrhX{YR9z9FTSoT69cKTmVwp_6zvr!<zEz}
zUgEf}V|(<=+Jgc@$1+Sg{CK}P-8U<cDH?F~64Rf1Z_jk@t&=*;Zrm~NTcySs9~%1?
zNNzC8zk>b;?N{GPyTNLH=mGlQdc?~4bY+x+^W#<XI`x|Pu2JZ>W^o@#NIVmHYohn~
z;+Aa7g7Z@JjZ!Q-UD&1;>4m&Z5}tA-nBAK$lUuTO<(q|kHI&jWv0TO6{Du5)rwh+H
zEW2oJS3v%U7w)@aXH<SIxmY9gvT!NeR(kc}gv<_kS#u$;cNLnGuBHkc8uOfd>(Q-8
z{C#1sBEmwNcDyXCuybgxqjz|ooWJG6RqmB}tWS#5j(fS?R!JOx-(=FUX&25+mgVS{
zB-I`7eDSUG@zD(?Y7aNPj8+ob={`en8UHk2ZLR_lgUcL+0oNB5lTC7j=iLrD{o-VV
zuS+3siu<P>mD?8FRg^h1!8x*b$=ZyaY9uMizdC<~d}9K1HM-7U%vrTFvWZ2-Z`#(S
z#^#B+>!zmdo8%bwil=90)Kwlnl}DP7+cLHvYFpZ{YG>Z7=c^|4tIHiqXOC4Ih||6~
zZ_L{1+1zDK2NYurPM-LzJ9XuOY5J$SHogkKU%&dGgIZ34-^+WY_v>;OU8@S6swO^n
zxl3@yrLl@Z+q(AlI^T>7$*$nhesL>q3o%5;Bgy1iPon(_&)u~93sM{hjy!OfzRh;g
zYJTBwhDmYvst&j(bDaLR%qoKaRnCU;CDTveS2&=b8fPV7bof|t=jF}wv+5PM$X+je
z*yUKsDs0^3Ph783cekmjU7tJ6eOlPAhlzSuGsP6-B6mAPE|Ht;M~<3u#5CA+u6|TV
zKXJx0(`|Pr?e#vgSLB1owFCAE`RBb8OC&tw?j~o(kc~`)RfS^JOwAIMRn4T7R6Lq$
zI~JRjY-cUD?m4PsSedarYLlsO*Y2|1C-?dJbOR>!#hRB-zH{bEd2i>M;2fIa%_rO6
zziv#u&8|2;af3nMvDqH{wja1Bw|>c#vwX1g)y})iT@4@Ec)aIYE$14Rl~V64$eLFe
zIlrp$YT&L-k)b|(Rcu$b&9ri$ProfS_j-B!k|l+!GuSpCU0C@cSZD9U@%#M7F14?I
zrEa;8zW*I%yp-L9NKHM73lq-Jl_NK-bNetOZGi81tbMh1tut-;lC7IpTe#gchgb3b
z`tM(AzxqqVCxH;&*5!L5^m@yiXEQ3>KP>Li{FFL2*(~^V_BPk!>alB2@z@nmCJN>R
z2h0ys>er%oO>?~<y2CK&gqHU$wxXTZ&ey%)inctodeQW%drhnRgBC7vReGIAk7z@A
z_WS*Zr>Bx^?yY$o9$)hIY&BKA`=c$pM^5`$O^@c?bQTt|UA7)>G66*TE$#y2XaR07
zshl`J>4{=Q?<YnSfwU!ed@85r@qBJF+1o2-yX#$DM(xG`cD2~_E6M{GReLVvabFWz
zo_pb{A94IKKaQGA-G?dkYeYfw{c*E>$~OAko;OyD;NhxhD6bmhcA(ui&86O5J+z|3
zvs%B)(NEx9exe%7?u8w1>O%i2{}(-fzJf(F=B|B6))|go(Mt=(gI<4LmOJOPk{kQ>
zIzq|ow++prdl#R%<0P^^&?Hgk^>cE>W>ZgtoegXyPOA;_qqde6pLrPWwUl^<v*mr<
zzUb$~8GAd<$nd_OEx7-BO+k|8uBf0Ddn~52h^Nr<Ix_ZU8MN}b`4jtQ29{lAA9K~5
zb+N6P1LsM@3c0tRt$l9`*d4Ol;@4uTYuLeg_5H~d?&UMuk6B1tJPA(U(Q<9Im)Jvj
z|HCWX1cbt8dpVtANqRRkP*O5;T}IM?rzn^MqqOA@Jvilbb;VNR@z>MR2KGsx-E=2b
zu=W43_a<OXool1^vywm<C5RShR!9((VJ!#<3X%XS4rro?L$QWIiUUd%EY68oi>(7#
zt5&T|oVE(Kptjo9A*i+5Y6WYpt<-|0t+oyUQ9%&i|6N%bwY&d!_J96!o%0>`zP9a#
zWF@RXh`I0QenuI7n{r!Oocy_D;3RSBu50rWdu0ymd33|R|NJ}uzsEJ(e)%j=w#nn^
z;q6Y2z2EAnt`#iy9=h(=C0B|?!#{VK`+)9p=D@pOp6YdF|Dl4?#NWx$!#39T>3A!k
zYw+u}r$5?~{@_t_+|tQw=7{?(zkmAutgJy<+YWY!vsZ6>IPl|#hgbIUt)IJap75l>
zb6R@28x6;Hiym~Sy5F2|`;Xu&;de`u8h^;1H2GRhWyz@A;dz_J(X{Hx*TtcJkIvqa
zsK*_9GO(6}-xnXLe&*f0;*}B^Ox`$bk)coBYUi7eyR8^=BjSgmiNymy-Jh$dZob;s
z^Xo&tD;zwZJevFPUH{3--@Ci}&(u%I%Fp}Pl(~z0916X4OS5*N__p`$&3>;8D4R9w
zV!*@K{(C%%|M^$(fBoyG|NPYbx47p2^?z^tZ}BMp=U>E(^X)0OhWxZ9EVcChgoK*+
zN0$!m;{W}Pfa=4aNE)79y4Y4>SXWc=<8R5|ZVOMCKTGYmdB>7!nRda<xc9#Z`F8nN
zOK$ppgT8#@a^Y6pg)0vqp5EusXV=l?RYTgU)}49q(-qF=8#Z70CU&g1&l?BF{uy4G
zeC5uMWpt(c$E&+MsV_YAYE$8#U!T^0cIvZ*_bYYF6BF`>f5h87_}vQ^H!T>wed(3-
zLgw%1o$pWm=a29IjK7~-{Ho6Pr#j!C>U@9dfB1*7^ZlvL_oq7FpXz*ns`LG+|KX?3
zm#&a7WfUZgh%?TA|IG+>>V)CRDM@(P!8(|cv2Yd+df*lW9>)B)pB)uvo(~)wH)i+*
zIUb2;=eDfJF}5w3flQ_nfin*5jCAS?m$zJi8QZg@9Pr%83zxG$uK8&Aa{ulw<}S>C
z9gilP?&d!n&osux%(&wV|J&o4KX05kvCNKI?^Yhp%aHg?lWelV{6M7s^W|}`<nJzT
zI+?x`a_3SbbMx|<SEas|DO@}$WB#&$J^tUHe0=Q@xV6B{@tf{F{`!pf=kG6{mGk-w
zm;UF=XW%jlo}0J3fqy#wtW2C!vAgs?A3rBIo6T%k@BTmDf2JS61Xyq@<Aq!K=i4z)
z@Y!DLpS})74$i=^^%&c$7$0)G>;2siobCBH&juR5(0MpRfPduv?(?_-Fk@jRGZQt#
z{0(h)Ii_oYN9v7Vc}~{6?0g*3G0nxB#)3`9wS3<iZ{;6KIYI1X)xU4}*xkPQ>%b=_
zpBd-;caN9(a;6`8rj%s9sNL~i_^D!s%#0lr=I7J){8%r?goo?`GUgu;yUQD|8*hAm
zGi4P_&wDSN_ZN=KRB*`jtURViV}D$~JRB9lKl916vT;HqbB^V3_V?5B4aO8^>@UdP
zKjt{>5T0?a?B&Cmj%U0*{G7o~oc_(tzIeOL55&tiioa9s&I|iQ@&A6gB<2V5Z!czl
zJp4<?KMz+oY}!e4bMY)9uFc>qRQ^o-+-%Hru>;17nVJsHvM^7eco5R&M7RJhb{T_T
zcvvzsYhE56VVp554<}_ZaDrwAFaZhUANZRN&sE~!4a~&jmKh7O3Sb_t_5kj+z!>~L
z=7ERI`~{FVFMUoH;6BL0bUa(SU>5!phaZ?u$P9KmFhzwYiL=-*=cOc(@uV3mNI3Mx
zjJlfxJ!}GrxfQ!ck}+uVZ$8JI^JL@aOh1$_oI?CvW&0b^?(xFs*Y1-v&3vW7ir|Ea
zaSHQqp1=R6WoU`R1>n4V8P5-d05j4TWTK8f#?KPV@CR1W&SHFd8Of!+%IF>*WM7WX
z)sYOOd%WsEMhM8kbl_f+l>J2yC;QN@sx*-kId#cu`ZZ^O05WJdIZLSNNxJd?zD!Hh
z(aJ02%1XQp`-6St+g-_pY5f$gljxNxJ__&c<a%A2>o4TCfihA-`H~;hrMUtLA>^eD
z$brQq<dfIO!7P}kBb~EIhZ&FyNxMmIHpy2)3chotBoRUeXA&ee3}jUP9#T1%91k#4
zwovuj<P367KDjcN?5j$r2i$1zr-iCIVLEwO5l9Hu_fSGId5XT31#$`&l1&Mkt8^j}
zN`N3CH=fWWKuJ*?mrNi^ilF2Y{<97?dNd}Na1xTHPDDW+-6TSege&pLSsa=lN_!^6
zz{LcSJ2xSJQBJ5hQ{mf+??eXkG_QpGTvbR$X3ngYVLbp3zK5n|=D#JGJThZ!df2%N
z6^cNJ=7NmVJ>dwCp8mdWk4CECiZ-Rs3musxxywUjDt<A*&sU_+%c@HQO&3+-TZ$@G
zdS0lcMwQGxs!65^l|r|JjHkJpWY<}lp_=d#KD{42xfck<evuPs;u-_zZ{FB@RinQ~
zs!GpFt5NXXvKOdABZT86i3`3J*A#NI7mVlAq8Pv7{6uA(lHSGfiv+^^M&k`y86=C2
zuZ)gZ1|@;n2|xy3Rc9|yT!6#3iLQE?4vy$Ea`W?Z=RV3f>pVfPsNzr1H=KoE_3`Hf
z@JKIsL)EXL!NY^*a#TJ$#tpjxLB$ZPUcU1ojNR#30)}yKI>Ig(dn)iDK+V(hX$9+n
z&K@edKGa{9-2vnJ4qS2?K!GOzsqsD!<6c9$#h~y}X7;OwDp(pNe-p00#%(kppN0ms
z(y$UqHweEXd)1NTyB_cQR5k;&a}b(`JRQd^LC_A+TuC_K@AB!$6QQTBPU<v4ReBym
z0wN7n{ejf3^NV<`L8ycqyjhNT&w~)+0<jO3@RU^oFofLDJ?#PTT$30)>p31Pd0K*|
zBZ5100q2~1F^Ou)c;p205Jz^DL|?7a6tu=78Bd{&Loy=xx7b!0GIa0=rzef>zW2%v
z(9odtX?)`0?%ZK;A{HRTOXl!(Pto+}^t9!7NH@XLl6mAvbPf<fBKKl|+OVmg`99*1
z9$_u?^5-o);6H9~>C*TZe_bv2pVU>BP@q)^5Gq&d1PUMbkoCN#W+ykd)^<0lB(}h(
zm|Inh+Lb<zTm$@?^B5X@IC*~&g1%54xi|A{EzApmb2*UrS0FwW^em9R-SM1UEJdJN
zF6u3R0?Y5TfXrRc?Fx~QG-@pB7}1SF98Q3EUc~NMg1PD0;>Dl=8Je)1cH<YL$=ayJ
zFl9Nu5!sK&lJjd}4aSWq03Q|^ZUx}O9?AR}q4$?xfNZ4RDMyJOBY%H8k^V_>i$dOa
zK@W1gBUKOyGu4DbeHgmEOTBp-U$+a8vvxjn5Py(vh{`5;K;SlhlzLUbazTlQN8JGL
z1wM*8(nAonxHsOh$^mq^7Ll?b4$-?^gWAc%WE9laIuXtd4PCAe{5oJ(FWSEg=|K#<
zRkB9;L><+PI(nfYPdEdg&;t~G8wRXupc~YFzYGbz`V6VlI_R~thjz43Rh7daAdNsz
z=-naZn%OB_piu{^Dhca}qK3>Z*CQmPJO;S50X!m$WEAO9?g5^U+PLU0()ZK)&Ktdv
zD6c|D>R})~vO|Pufj{D=7OK>56=;Ywb@L;&zFLKZh$Oj(pXe!}NHbXbs2#aFqFVgy
zP35X8^hnl7p5t?B)%f|m?P)uDR81as>j%JJP{hqw56JsoE%<#>dsGX&sgE0%um2#k
zmxBsF?ZjlJ^~qkE*68a$WJNOm-J0bjUzndjp+seZKuOcJNR>V-bZpYvS2+;TlTMIP
zh{rrf<pYIAX1FtdA*mb5snf>Gw3FhUG}^d0X`H}qrPM*<QvkcYMs1ribpAUqWTA`U
zx38b$sh4e>%!51f>mcfyq;kUSpqGE~bbh4s40N7>&NI+?20G6`=Nafc1D$7}^9*#J
zfzC6~c?LSqK<63gJOiC)pz{oLo`KFY(0K+r&p_uH=sW|RXW;*rGvGNg>jnNFfIoow
ze;-Wm&HTT+4gYsG@&6VwZsKa%730+V<k<IV?`qtE_Wqd`@c}M7<75a)jwid3fjZK4
z2KkzX1W4LOPCGy-l1X1ULM{xi^Ci8={9nnHIzKOf7;<J;j-r4rj_X5~z#v8=C>t9~
zexMmbx{@EI(cTkd6yAljw~WL@I~exT)F?8W{PRmXdeUeGzS-yrWFlGj_z0bxLMGGS
zLx|8Todff*Ixtt*cU&RKp9lGnMS9}ZCRib04T1m|h7|&mU`znWl=)y402Y>!fp`g5
z2I-X}OXMgLCdXq5Ac4>nrEtkhP=bAcOE<6@&~Pb3_}XIORw8uQ{Pll912x~Fn#zxN
z&K3=jobn~|b`uq;6M{h?#6p2EC5(UsNnKWwX#QB=JwACb2V|>hAE@wd*z~AAPDy?m
z22rp`G&3!{?zRdW265xihz?OTa5&*y$re>#Oz%X6!(zjy21xQS;YHy|48Y@MVSpDW
zo}Z|6!^oc2CCQ>^g?=m9qmXido*KS$rg#@9lz4+4ws=&zx`=RH_^E`XNeRXIQV?)t
zMKagw*T^?Wbwc?4aZ1eh^75-!fNG3pGJfcy719<AHp81MkoY?d0_b;rc#;am%TPR~
zydP+SkCdQkL>($Q8h(~j-E^^?EUj(=6>3DGgXg0xQRw-@DD+K?7GWjwxQ(`PN>JBx
zoY1Csr5gRlrlo0N$3TMy)pEnoGJpSMX^MM18tK2Y!hhFZ|Mh8N|22ayVJ8AkenfJ`
z{$*<-^Zehd=zoX9Sdfcc!)hl#18!<$nE$-~hb6}qajU5LoJaL}HG~&mp_G6oyWq35
zY_c@rLR97jI(L&cStoYU`R~)577rG^BGOfkT<nO?P^3x(63J2N^Wgg@*Qs1xZiq-%
zn$k#5jy%XGs;S3R#hk%zvYoko=&k97%K^jb9jYdA(a*nqK0j5_m^xta_iI&Wx_x{3
zGI@^_b6U<kgV1c~c7j&Z)cm|*c~7F=BTCdUXGwJ|r&>KBOErT~p)>b}C!9S#x8`F~
zz0QwA;xoCi`B?91y1hl8M8v|o;y)`-rL7HxusacwM|a*$Zs=dACjEMsxGJ`W8$hvj
zOEMi@Ucf7D^bX^A<%KmX*20#h&m_GkFM?2Ybjf7?#N>ewk0<6OMXn9}>AlRg(M8c$
z)5T-11F^Mo@P_)p!FR`}rnVELh}%3z7WbiN_w}bj_iW$xdEoNWpjUZ>KtvE^vGIQ&
zfuQ&dSv)kYcvvbnVv2DAMWj&1=gi^W&fL!3*0Zup{!KWO2{KU!FFh0J;zs7*xhpfl
z>jZ>dm{J<DbIt4WyCDaAglrypI%M0Tj0^SGCP~v=CtPc2K6{O*q<m|?m&j&v6|NKR
zsT<DTBPyt{W}-qb;o{GMK#xY`sa%tL%k-;y<4<M!bI+VZ690u;H%VaQIRYq$+vlJ`
z-*^r&|4y8PSB}FVdBkPO+Cj;ZVx?|Yef8Y3KdPo)=$`;GZ`42X2b4Lve<0A_gM0wD
zp}Y|OFbI^R=0vpN4`vy-XSjtI&~0vEE$22j&%cqY@g{C_p}ltA#QU|J6}3ESuhRYJ
zT16>!`7^4Tq)zIn%AnGq`a?l?1VOd=LA5_B`N7`KL7_qQoDXVatKfO<jSrjPWbLy1
zwLx=JZ^@JD(YkBZ-XEO6HwW5l(srWHT5!LkKetC0v=pYPt3^bgJZ^P1XIW~lD)7>>
zR5H2-9;C)*t8W-m@!{m~b4^3=C5@U0s-Y>py6qyxT~?EN=THqK$+<(b5%kNxmCfsu
z9k*xkrkx3wvms4{E@y|{dwXdB1u@y65dDn*C`S0tG!cGC7muNfA&B`nzLHdR_Mimt
z!zUA&A5VOSm<N=YmQ84>gnPM^c55w#@O7)GaEY3VqCiUFD>ENc6xUMhL31ftF;L9M
z5wVO<9M05Iu<`GXn!2CZTs*=*SEQ}IUd$Zze6hSX*HvB%e#Q9O%*PbP*NfSs&a1&k
zHGbT5)DO?uAJxFzSNwgrOqmok?W8hx{4!;aEXcd8jQ#*W1(idR@_EP!kJKqi%9z6F
zvXqk)dQP>(gw!kxsa<w5q#j}tV=qi^gC)@#{i*HIX=^S(Odx(H)CPVt@OUlkxI_q~
zk91P#y@#ll!T<vS`lTBJ3seaFvk5@r25If8BLpF(VZ({(`l%CF=nw1)IVqspau(-@
z#$GKM{UPXr@2IdFHYg`lS}WD_C={H6e;wh)rpnMT{M0`v+-QhRo=c&*A#G_HB6`eN
zwG(4se*7nXzOQ8kF=ZW{QNAFSKi$;{+rOdFa)O7SnHe(!%VDZ4sHg=+qT(9khFy!^
zgXJ(Xd7P3?0go-!1eu(4Enbt%=waFz4?co8?uxqL)IuL14IfgOnt1GpZL1QU@z=PS
z9kJ{Mv??@aYbbWaau;5SDOTTMEwS*)iBe@;)ir5Vqc<anNo#!)mGM<`rFXC*_Ptix
zw!P7)h!J7>7~hk=p8`jJu~0u$&7W~1m_j=#Cy<Bl3TvX!BC4&gWJX@bM;YH~1fdOr
z<gf;zB-0^jVo5CRx=J-TY2w)QyqL?G!G)5*1C9W$)bprP3az2qoT$fZs1~PE>iad+
zk4co^F4gVOPEr0y2kHh%K}2F{^5he+DwzX&k|AO;9NlxBJc|FEDHD@4*OO|?cZ75v
z&81zl9D$&@f70HeMbo(sRH7U|9u-7|n&8%{zxxzm-MWHx4mvfwvK1QDT<#hCZ#RbT
zzeIfke)~02(J-Fh9{kuif}>-e^MljpXs)zv$mCySG`G%6Rf#{d@Y<q@0xT-I2zUa{
z?#L03BKvzdavWY4NuX=OSS3Up+X91TYyJ`yIP}lPcgSZ${b`z8p|A6*)GPMmovfAn
zL8z=!5{H%4u2boHd;`r_Hhag>+>>=)XK1d2Pzi932vw%LN{`{sve)FKE5B_<#1Xx;
zS;2j6zk*xoC2w}{)#LA$bNEq_)=TfO7bG6(5qE0d<RX}w2YoWP`N+7i*hjkQ(ARmo
zaTlJzo7YsyBSQ1TAd{LxwQ3#YjR0QXUQP-age673%ma<yq2O!p*SX^Bx%3`*4)z{D
zoz_MYmHYiO2-yEl@0HZX^YG@L`Kttv^~4#9&$~+1f@VL_NI7xhD0pq{?c?`uz<0_5
zXWn;8sMt@O<GT>QD&M^WK5ZY};_G0hk07BQUgIhfR`~!7o6Ds=VgqT9VD65&tGEtx
zSHajHTBJUpQ%~1`Oid7DS3#^R^twm9cTcl44n->egomyx)?$sU_1-B?g_^rz?T1S{
zb^ynNEA?uJUQNXKVyPE&^%yvWSM2pOP+n>`xz`WJ+qbq)etze9!E=5`+t$|l*2&NI
zJo9eJlo~GI1L|mOu?u}EC~kj3Rqsgm_gj?N3nn3+jFSeh#<aACYlD<>e{kDasKe{P
zmCym`)yk2lA1thefM+C1>X6>*Wtf@oB;%2aH>K#Q4E3i_CVsh7`4|N4=&pwP>`4Pc
zqylwCG&#jto2&gv&XWV=mh1m~l=ha=(4`nX8y_h}Puw0M^oZoj>-)nDU-`WOg=k7Z
zy(4l&_&FG8t{nO5bUtSk1uiZ?yL5A@Zp!^*hWz0OAfaA7uviPPBge<VwUu9$<m%ga
z7l;Xc$m1k5koRaVbvUhszC<2Fufyx0;*j;^Jn91Q@ZEARR{z{gBP>$_4LuPKP@YM@
z6Y{L`$un#~UI)J5`SbEx#1U$9hs=wB8yq^W2cUMDK^P723?31#Bvc_G2OWS{ffQzv
z8fu@b%hRVWZcpJ+^9HQX!7L6Gquq{OrRU@Xf?5Q9kn~%8bLSA=t}X*O2yF<-XO~g=
zF485=+Gku|p~}#)QvJbGY;wX^(!G6h5$M)9Kru1xOhOWm@fEv;E#m~78PFX48eUPI
zEg17#4-(wtX+C$Y4(2<+nhu2gu2hCxA}TA(wE$X@%Y`+t23;n-Rs5BxauIOQ^H}+g
zBI(1Dl3M(POzgTL%e_d?k>x@~LRBqFaX~lWA#}NtLV7>E%UnyAt0~DnkE;5qe}T<A
z&#0-)!)kH}2*#^Ff5-7WtvC>`IvX%9#8ChV?L*4n5X1Yq7q27+??Fp^(QtW3DV!Kx
zb>bZbABhaoEg<?O`5igh4l_p^#1W#8x*>FNNZU~fg;3G!+5QN|tdcL?FT7e8;vV^p
z(};NCQ(x3PtQoqieNmWvNdijSI_J)y*@8Qd9;24<FJxTp4!^MC18&YpCie^eNY4vE
zkdfo~I1*L;0Jk9N`K<_e7(P1GFcF6Pd=}+8a(tYjUANUo03AJ^3v{B!Tohyg2QEVW
zig)!k2z{<xn8o{X%&tfNmq@Pq`t3JmHzE;ndTjX=7$%Z0oq_fz8h%DoA1v1WBGyIn
zE+a*iKnP*+wRpP}ctIZBzZ5^VyiDl_BW^4)M7+1a(EkbLFl{XL%^dD;Zq6ylsZzZW
zw+@<`U>j^x9)FJiTIf-HLFJw1Q+#I<3Qr-1w3qlSlA{zfB5O3Y6+MrbHbBJrDx5Dx
zYY}&tAYknG)f%O=!CU*pfcRBchvx=PjcrrXWSg?6Ytyrq5^3mh->s0gaJ8O7<?iT1
zG<>*x@j=)=T>o~;egX1Dv06Y2(S)1wdeM-Y>FUi|b!_njk(>Lwp|=gUk@^CsCFoC@
z+u%X;{nzkVXsb9rB(WoK)w;>m0c-t23p~@@_x0W~4C}*f1kG=WJ~nB17X?t`r9s8N
z2c3gfI`Bk7?i)ot3=maNa8|kc<1up(QJz@UJ#5a;{ojVz>>=)-P`pN@zNf3$)j#j?
z;$@K5h62JWp@I<e<xUiSdR*W>l()RC<9GOR+WvjVrJK^Bk3MRXY|DoOx$?(jIs(e8
zZ^xou{zb74SYwt3ro4Ze$4B1C$+1f^B1h|`$Bv>tzo1(w@oC=bA8sM;0|cS4c}Y!L
zr1)Xi5WS-PrYAZjMze<B={9GF$A;<Qgf{mY^cfgI6+eIO3?D(_tGVs@<F@wu9Q`au
z)Ud!K@|Y8|QDABC3_;rQu!x@p-Qkn_RMWGiiwrZhg0;x6tavUe=A0ULD~Gs$=!!b{
zmD6g?3U%eq5T3^=WH7u_z5x=&w-((hka!Xj&-Kf_yq1$({X6;s1^xlU;(TBQ)!=cQ
z(5ny3{Y$MD%tihcyj`GkuOK*S57JQ(Ivs%;Vvj>5>IuTWL_lkg%V<dSyE3UanzP<N
z=}q+Ksn26RYZrz8N@pb9lzBCyMv`lA!m@51$-Rw!ibB^En?r63izcJD!qL@Dv*@_i
zQ0*Z!>_XhWpU`iL)Tb!!5&2phdWim_L=&Ho4!?=E{uL5(6A5b2^`LoQp=#uC37tVF
z{qNi+J>$L;FS&`nMc<G;d1ugZbd>D)0(C1#We!)7GGi_mjUPasJ$qa2fV95rQ~AR5
z{p5D#pYQxMGHRQmBaUeH3;zq%t>1k$@2SSW8Qt@nRChqw_fMhUFVyJo(X{~dH8tT{
z;Lxwp#RGn$P6_$X{YNyQKX#MBzxsW69n}jr|4<rSQB4ZZ`3Y_cqrVM6=Y?ax^jmri
z={3TkM^G86KnGpW9`u25e5LQ`PY(!_KNcR?Eu3144(P~>I;w6nT8I9n2^_T@y^FS>
z;sbt?H%W&g-=JkkJrFGpOql2U)@S6H(sg9=M`*7Q=;SSEVo4x+mwdjO9J3e2?I4Hh
z&`z|8^yaNcZzByUeG4g8k#TR3?yJyp)U5!mAms~is~YigP&Uetai<}eg7T3H%|ePS
zzg@G*?n*4(^Ik>CNa33^5p^4jM#DAqin#9_G`qX+>kDqIrVcz%Zhlr8a;4!t=|Z9Y
z`kP~iUZ<+d54HQY-R&P;N8L$jp&T1U+@D0mHK97CA>iU4!h#<}9+!QurrZ*~ece}o
z&iCmF-@_?-Vfv@OhYtv+YJE?nlnH0;7AiLfi`K<ofAu?|RxjL4_rByW{IXQIze2e4
zpiuiS;qnj5gz93^?jm8qmj0j9uH)6ho{NO)57B!hG5nqWRfT9J>A9A4$S5Rx(!J-Q
z*M<A$?-s_*6b{WqX~O8&b;7vm!KWsp@kl-pjTD|&k;0i8@7blKU#2i~GTB!_`lOI(
z97&8oiAd&xq-Ze7my*tdcazRxBoTyO6Fp6?Bt<lL6dH!cAi;1HFN~F;7~~Lz!qI4Q
zaGY?QB7t;>COxC@;0c7H5F|k~N(mH=h$cNGqz5hj&S4<xkAef=^AFxfh!BbTq28jI
zivBWJaq#E;P#@&b7xh9tgx~cLf7aa#b(O3Ia?p2ko_-p>8pK62j<yE5{v}RN`At0e
zvUuuO{-{>GaKcTo@{D-wN$@=e=S7nemUf^=;rl=|u2kIqU|_^wLD|>Ee|}dg-gsPG
zd}ILUTk*bcO8r)pi&vKUy;UJ1N=rp!wur`-h*I~8oVBGP=p9kSYTpOTeg7;d^{vVF
z{VBuu&H~Zkxuw4K(|muQESj@j6uG5T<gF3)TqY{mBpOgs>Nk3^Nce^?nk^!-O2tc(
zeV-`;4rYj)m8E_;V@1Shp*q=b(YW2hf_UNLp=g3|^|(@DkxaNeMyMVloE1?j%nkP2
z8xYb?3$ubs<C6Oc(|ZfGal%_eONC{j!fnCA{n5hms8XReP`GP=_^wE}nJg6+^bjuY
zE-dOtCG;s3uJRI1?@G!0%6j*FN0ieIdG=q>P4tH60n)h(Nw^C42#^P!^N?{}kqdGw
zCArRiVkf@<N53$yQnIgr^l>A*yZFU;l#vp5(%*^f%lDh0@SDUV39jE891UMV5QpG%
zH5t^G%llI;;Ay7PXX%b#gN6(lLALyf++Z{O46z|xpM#o5JwWg*${^<`N{|n#tcG9S
z*Z01JDA6PJuVWBV<u6Dj0|nqYYQATC8voe}mA9+FXUIIaFQ&=jz6H7-k<X4J1m#uS
zt1U>4U){Pn;J=(PV`wFs2l$B)k4zT8Ly})W@_{G?{4_1C3M_HlhhP4+sJt~kqXBfe
zxeYYzz;6{BM4*Y(NdIzJ3$%~sZrRl4sgNd(eqJ}{5!5N6M7<kkKW-YREiTdjLe_5m
zc_aa(U@791Kc`95I=Fru0{lL8mV!9A#({@8Px}>DC=4)KON?=FiYZo=2&+`PTH}Vh
zAp-}<^8<g<Xf!kzbvU@T+|FGYxK&dE4rxHW4#)88KSxKO7N-_%OEZ<{$UjjcbgY&|
zpZE-Nb3xURn_E{mvzDXK)z+4jkgg3*W1s>^SKST(6}*j(t;c7C$Ni{XL^U;uwdHvB
z?L_dW_{B=O{s^pvyA^;8m6ZsM!Xp#yC1(P6kgg>FCqO4e_$@3r3YYoIT4x@Dwzt7$
zbE|SBv^?WFE@(X^gq?)9`?F{GGRI*`ZOxBzDbVB)1o(v)5j9&bC+X;rp7>??Xx9@V
zJyfl5c{)PQPOYs_T-?-DtVYklY3N4$g0ATq6l=f0?>ytXeWCnubFTVl74)p7X@s6s
zLatT-KLU-%S`0N^2SR9wigb1he}p>lUr2nBbLu^rtbz<g?%IA%&ZN)BY6s`vLY-uQ
zev^*UA`V~QN~4S5F-r7Y%uzoSb7XvQXif80`QU#zm-wU=RqIn)$+l;BDra3e7ft60
zUK#sG0>?N=#LN-VoPhq#Q6<bP^8=9_jsI!)Y>!08SKytlLsH{vJRifMs#{xXl%*fT
z+?Wvc+68+iLE@5@1pLKx{-^T{be@6EGthYkI?q7o8Te1mfagfni~Jvd;J?8CN0I|3
z7LvntSOB2Oi1$m$@pWWC3>o(``5MW0!V-WR$*0GY3dKaD0gxud20)V404O9ER*C@L
zBdK4H(jpquds_h@&L{wkV+4TV7|Y6O@5GOc{C^B7B9~(NUrOo@81a7!rvIPP(XSct
zKb@RLCYPA-Kc@fPSp3h>e*ugCG5sHJ!v75Yk7MyaL;oF&_}@tXU$x+WBmF;ZhyPjn
zueaiV6a7yy;eR9j|H}sd8|nW6Gycc)zttB18|goT|FQHCUTNX~9aFl63t9Z1o*y0>
zGlQl7_&qWc{m+t<3-d)^05h+jMvH1H2xfk_<s0#Og%r;uPbI}Wb9CZehs67g4nP+M
zCg}!;?+rhb;E5%G`~=1USo<560Mf+~*a2u5r|iO@r0PP}0Z7LZfJ!<lIeuKVzJsG$
z3o7nmWyIveO24p`m|H-<;fLlc<KvX^5U0$m(*$o+il2gxxUJmiMPVo4YVt+$V~%Gs
z&}uj=Z637th&J^40&SM)>Je=i*_|;1;<fkvgFSxL{t+rA9%<iA#)3fDrgv*KO8vWu
zX_8kHPjbeODOuZ8doxncmDDZ^;7{~%PpBPP7O=b`VCCL`x#EDCk!21TvcO5K2?VU2
zxF#U^en5UjKtjHYD<cX>PD}<~bX3=U;eo@3ZB@j*>B?!+pU*!*c-6C>0M-P4AWMhs
zj~Xz1W?JrhOLbcU_UU8+yH5M{6m8KZRgRkK$PwQv5lJK*))T;*K$zJR81**45qknp
zT(Ku`U$zr#0{V==%cPd^1pG38-!?y0g*}0RJ+Ei0&U|}0+2{!rwwz%!f$m%XFna<|
zdoY^7c#9{%XaZ-?+#BJ;cmh}x_`<Ky<O#G*Tg?R$K8ZMOGzC6lO@V3P%a{UzeX%L9
zl`#b(=3rA`E5(=szuB4sTPI^vV9FG13dE=;*H26i8hw0Za#GZspwF=>5R)BqI9;6d
zsmT-w*n&-gX}1_tpe51P6cF7g4Ic78)f6bBmNTXR^>z<xp;W%yRunjU?V&{!kTRk`
z1A18$7?Fow6a^&y=w(p=djjYsQDCTtesF#D?AI)&K>tYeqA9@m1235Zx49iJm;y*S
z@fJ1()Jh)pSh*gX0+c@GGwK{keW{}^1_jkmw3-5ZJvIfXBBLoF9fM5)ZEm@pDX{Ju
zvX}x@QpB19=k~04$rMo4+L;0uQmblTGzHXc>K9A_EDE3(O@YhV=p|F&XWZX-*%VNz
zUor(Sd`B;t0{E)vMN@#$4_-C}uqc53#uP9g)y@=Pj{2f0z#R2uQ^0i87fk_t)L&jO
z1+qddrT`WNrrVkVCoyfdm;xuC*_#5}qnFy70$3C{{jw>rq4@<<0E+@yR#V_T>hW8#
zKCCE!Jpq|X6vzqv(JBgL%>z~xSTu-WMFH#yxV=6vCp0!w<)4|sdtI5AKZEpneO_ul
z)i#&v9sQeogeUcUQVE5=q}p0yeW?3sA5jhXwk}dFVf$%HF=+-h@qKE_Wop{ksw7YR
ztD$@__6%t5X(mMTY72d&{A}#x>8TUD%*xNn0_tZ_$)#wdQ&xKZOrlPrSeU`dnUyy)
zYXPCl9@PW?j)2e;&>&HcTUZ(T4xy=HdS46D7iETi$N@>i95@^~F00`6JRzSrGbbr|
zdn{3xt(={7+X)U|o50a!Pr!#!39!-->%k}ugh^?Duobr<^T>kZ$(tCbAvSZr)oE~e
zij{_4@=YeEA$F1!I}HhWc_XPCZ`OiHNga*R#DiDD#HpLsHf_~NPtW(~%dSD5Gp)v~
zI^BPZj@o}wb1i>Se(0O`)0aYCv-07W;F~{Da^-T|V+vi4>jGU?yM7;j<2|2J>iFg2
z6Ilv4K0RulM@F4eI(nk?DZMH(GZaC7qOy5d6lhjuzdqCdmk;85VQMIE0>P?vRM`QI
zy1eq!j6oCJ#|7mU(nX}-ZJPUC2Itm_8*hwUK<~gh+ua<G^uJbmI%V9F@6`wc)`h{A
z8_8R@yNpZbC|!V4@-NwiZv=06u2dzwozq;bp=-qQvJEca1QQ+e-%fou^Qj=~@n%(4
z*|;0Y#i4}H!sz~eLe)}jSlf@V&|^Zf4xIT5k8)ty2LU$^#L*Y}kAQ|YP(n^s;cw#`
z#z(+HMQYR5Dn%=dAGsiQv2(V<aZAqlmgEUuVRr~$K(IO&;52nlRSo`$ZzOgLss8|n
zAQ!qM_Kv%A)~k@Z@j-D7cN8Q;Jfz$V+m!LXP7M(!0H#2lI(%iAN1PbM;6RXSC5<CE
zX<QYda;3fZ1fCaq!yA}bogJ`)2Yb-W({bLCKu1F8?KII1CN6!WVr_GBueQW&NqLk{
z#VUBErjA+#6{`~6;(GUjUIQNxhkIY`{v_|jf<SoV(s-{V*yp7w46Kwk!K1*6tk&_n
zQmM(Q`O%9q%Amko=s{J@84aIqieJkcaNe2lEu$B80ND)uRPrEo94eXzDU(Gm9Yo=t
zjRmS^DA+&n)1YiZ(d>Gf5bb#l(wdv^33mn6!eN8%i($RpsNdCh2)emhyhBB&XJyw`
z^O>5`IcaW`lu>1*+3MD)>;+T2XpwXketFh$g&QGh5w#^Z=hC^cxrx!r_$zYhIf9N3
zf{?YbW$(9?;i8fOmT6-IK!Go~X)mtR4oa2OOT8usQ_o{5B#&JgbB#h9B+=NH$r+k+
z1p6`v8}KSMp(N*b#+RwY5iZu3nRBz`)tGw+#4TaDQPlG_*Td_ny=$lgPSm9}R8>k+
zu<PAmk3+!|NBW(d>*f~#QvXsov?->Z1BdEsKpF|BB-e)@f}Ijs2o?xNcn(f>1lE-4
zV^n2m?}c*+-dG2!nNej-rp(vheLg_AjuB;s<+W|xV^U=%;9y%&*O1HOWI*A!c>M$V
z`%vLL;F)ZhbS%0^b6H#FGwi$I7jo*%yasH`I1m<F#<4$R%LD{rTP8j$NAfC>TdMgh
zK!tC<2-`9iS>`5V%a~-DP|kcM)nnHw#+7Npu1qeLW$axUk91e7E2GD<Oc-Z@KBOi{
zPIHHy3f6Ye*p~^c!Ey~p&k8f!eX#OqmTRyxQ?H&Q^^Qu$))i=bLGitNlZ(`I)OxO5
zKN*rgCp`4GgZq=X#)WMwom`)3_Gnm*M%O&XK|TrqYcyK3M<Z`m@QV+rWsFEuv4320
z>>YUTcv{<Xt4R}yO&ToHthF_1ut=jfnKaQ}Ffnh}@rTWS>(cZ(`th|pCYPqQW|~k@
zoUjVZG&2)v59tls!(SuK%jP;rvY}VK^5N2!$VlwdNQ*(BCURcWo_Giz7ev|h2EN2#
z5^GZ9+Uhw3U6h||^=ek~OPU+K8LuY1xt8^6Ah^mX))2yCj?!O^<r;r!*;9*JgP!y4
z)SBZ9F9UVlMy<IV>CUP(PK;X9?^UeU)COtg+2D4y5OgNBChgUc9S=S=sx|#lhx8s+
zYd&$3-6P`_CbgzH6SyX|Ms}BKVbvOE{L7A<G776Te{$rkTJ!8tLYk5?sWmqppP1B|
zKl+D(ul(VFvuMfykt2TF-K5quDSWMJjSHjJ)X$LL8zBI!*34$q8ZI)cH77H9#Dr-U
zwWfk<w5T;vU{q^DPGYr2fHPm}dv<C~+8^n6sKG|HMnhgVsWk!)R%<?H)S7j4oJFmH
zXC}3V5SrB*8A<)lsx|P`q}C9#OlnOGPHeGijVAUZlUf5ZlUkE9oBG5>`h~OhCoXT*
z<jTAK)IYOo%?9aj7PaOz!u$?CR%_A%21Z8jG^#c0lEhZEhBM!&*7WaEsi9m=YRyX0
zqSjP05T8|R&dF<}7_FGpn%`u(R<*_<#i-VJbiry({zDtJ#-oZ+Yi?n+X3t@DU(%@7
zeB=0)x8guyx+-8p2!1rMT4U(?23BhjR%_~!=Mt>e7_eG1#$)&iR;~E~t2M)u<!xB4
z8AD;U#^ocd)<j1$YE1&Ns5N&QgjYkxM!7g84q((8-)6H~^F;!Uw&wV=YRxiaRBLLm
zT65RUnM7u_CKQZnO%bEkjE(7a%SNr)8|7+IYuq|mwdS)ROsnv>no+H}BlN*)%}-$_
zwdSYz+a|TfFvS-{@)N9D6NDZtt~04MYZO&xwFdVX&1%h+OsS1p6XGy7<fg4!117bm
zL)pxzHR@swqt@)7)C-x_nsX^4WL0Z2IasY}GpRK*zsG9L@7~(Kuv#;-%Bt49t-N4S
zYiMB9nzM{r!}v{~vue$nl>LlaQ;XG_0qCY2nbaB|wXIr%mT}B#%^!?flUiY`)>IUD
zTGW~zghj0hpe$<5uD}ykwdSny<FzKW=3&?zMy=UzR%?(>QDISQ>H@;7YRzD<QEO87
z*{L=A<d3at&AM3pewazEaYZ(2&4#1Ms@4$5tk%4n7HLsyx}LJAHNB?Ws5QLjX0@hx
z+*TX4CgOyRTH_+Hs5NV5YRziRbdH@`Q@28GRcl~_Nv#1-lUh?ta_!Wb8Z0x}sx{Tv
zt+A>#y-wSzHR}ReEo#k(Iaal%Q50^Y*6<8wwWiNcR<)+rTUNEk7g^LA61$D8T2o4i
ztZI!DGOINlWL9f*q^DV}!ES|Ft#LtCwI%>r)S8cc*W0Ky2couF)SB_@t!mB0I;&dK
z?V3fcnRwBv){Otds@A0ZV58P_`_`h?$n<8l#^Invt(o|#RjpARu&6b%f0@;qiN#j6
zrn}mz){H2%sx<?VRjnbBS*<A~z0GP(0J5kxF36(RaFAK80c28Z0+2<m;UKeG<ASVe
zO$4%0Yf_%ss5P^P+Nd?9)E%o@Qz}$j)tXY@t5&t9)c3Getts_AVO48Biob57)}(xC
zqt>K+XrtB~pj|C$&2Eygs5OU42di2$e!f+$QM_(ZYr4y=YE8;)8?{D|VpeM$WEQn%
z{9vnEla_2zYn+f-t>GZET5~`+&Z5=;GO0BKkyWiJ6n|${Yc#?8Olr*m(M*e4!$D@X
z<{j~87PaQ)oToNwO{qBDs@5D7FSM#P8DLdwu8YRms5L3y*{C%s-`J=%DYj}&iq=N0
zNhz>VYf|Rgs5L2DY}A^R5*xK9CCf&wNm1IUHRH!w)tZ!XHfl{ugpFF05@e&+qztuD
zYf_?Y)S491My*NdW24p#?`c(QCVE=c8i9vdtx0jSQEO7XY}A?*4;!_nOyOsv)=VN^
zP-}XewWu|Y$VRPkdt^~-Jdmwg)A&ejuhy*ad_k?z#C>a0YXF(l8t8aYt#MdvRcpYc
z)~pIF*=JU3V6;iC;bJevq}H7O%fVKyX^4JqtJZXHvZ^&enA92p{gPTkAd6b#N7$$}
zZ^aF_s5LT+S|iIft2G+xb(31dYcZ=eBTrb=8pt)NHAJmht>HDiq}Bj3sWn}jENTrj
znbaDnFsU_;f`3qJ;E+kJfsrP)281uFH6S&qHGoWNO<_n+vsweKCbb4yO==B1H>ox7
z%%s*pg-NXel}W9EN|RaxX(qL%Bt&IaYdqU6YK<eZs5Nh5x5lj2a5+}BMla^Ppw?7i
zx5lE@5Xh?5m>RuUt?7Xqy(YD0VzybW`Cu+I?>^UaNx$E|gwSK}dUo0J+jnrMDd{L0
zzib6e2wLC$eA$135<9Qcc?LSq!2e-q;NQ;wM`5or4bR6j{r~@P{$FO9|JRZB^Z)ch
z7YzSDG0y*2I{R7X|8;b+dH(-jWSMpTzm)d2&i}sx*7^T3I@)Ibf9hkK`F|qaJpUgz
z&NBbct`IQJ|94Yb=KlrBi~+z104WP?=KsrZ0KjMfSOtK4H~?Tj|NmtEdXoXb3INk3
zcJu$GH~?TX|6lC8$8P@r>ZAIwnpxzZ`LICbkdhI9Ez7q(UN~P#UUguj0B?rZwXdvT
zqW~SEh8|25KqNVai{3a2uzT3_@Wla=O-3ys$5{223z#UtMn($|(sZ?gu>vILwws~=
zr)G-JD8Lj2$i0oD0F~jlm?%KLvY$;9KrKs%a5F{$^6%J10dNzbF~S>10UjBn0K;?2
zY@+}rD9bhqK$bRFHxctqNr3T85#SX|5`ZZJWLc8{xCrn73eg~BOade(OK}k(Wu*V9
z3jZ^E{XY`>A1EAzr_xx||B3&lHIbYAKdJENn@B%S0x(5@3BUVq=zo<>0^lORd7C5v
zM*X*Jk^r~}kfifJ&n5wMmFq@sGbI837WI$(+KBp%Nq`_0^)pF;EH(+i6ag62KVa(j
zYw@eN%Ss0IhjSp#+ymIo1_212`V7tiY~V0G0EY7$a{%2~&X02dXTFE4Ymenj!!>}o
z=y%1`pOv;T041&g*v0_vF*Se!Ckx{5FxCKY3}6{X{LvLS1~4}{unQXlc!m-GkJ0<1
z8^vRuu!w(2ec)7#`1_h-0KB*lO)-Gkp9k&?T4F)`WlRykCI*nk{2y}+K*Q7k*cbp}
zYXIiqag13p5ymlqQl<tFa>^J3__{}V$fqMiKDRLbQ@93T8w02{LVjDukJuW(aN8IF
zGS&cIhyfsD4FE%aJH~&5sR3AH0LWMau!{j8V-0|f0gN=q0Fbc;U>5_ZVQT<3F@REr
z@tb1+rML!Qi2-cIH2|9!z!PH)z$ONOm>Ph648UM!{JND*plzd>7(fkM1F*yZ?wxC6
zY5<lPKoE`r7>qRln-~CMYXJ5!0Neq<;M_h2z;pl<#V^DFs@NKUT?_!9AxquC8UsLD
zTm!%dwL$!NVjtH4@Ih@6KVoYDFU0`tj%q>th^YbKquL;T=BW5%_Avki#u@;7R2#&P
zTMnlCYK;MW#nb@IF@Qj<9a&=l*O?lCB?h3xH2}L90Hx8}#Q+L$4d8_sz%OhKz%~YO
zpQ!=Z!~hPg(0^i%0nETP0CNn$f!P!jp5BIA02&+vFtz}OfqB;vWX*_QY}W?xo(pp+
zep&`aPaeCLO#?i!Ndw%c=asLB^_uR@rU6nJj&7R<xW}XcYS}bExfP>(?5<|g0JWAh
zKyNk;a6dS^FwmF=$Tg+`_Ek}5UP=S(F{c4`sGCe_fJ|c=pjKLAN(0<8rU4dXE{oFu
zWm1DF4FC)Ni)nye8DCn{02$3MrUCZ&IIv*=6h)yFYZ!p~9{(S67(kRCZ4(9<1FI6>
zz+r$yV;EqoF$}O(R&5Of@bDDBISfF1U$Y4VVA`2x3<Dfw!T{?Gn0MNT0d`QIYyrO=
zY#3lG&2=P9VE~%@mNg7eS%-g-Exf>n0R-JFVE{)T+b}>W44NLqh5=F;)ER3V27m_p
zFo2#Z517ILbzY0?!vM$B7=_w|0dN-py$}Xq0MLtJ0PfUm#DoE|nJ|Et42J={q?^9Z
zo?;UQ2)oOM0X7-K0N?ss!vLd;ku?n9fq!oH+T%=*zsH%U?ZN<;FwAr|yc`BlUYOJ3
zmmAY&t^-VKPQ-Zt3^a3^aUH<t4($=tJhy=BG`9fGWrIpxKDHpPV-Icv6u?l#BFttG
z6yY?$1GIwKFw=SumjRY?H>f|%?I<>;0r;3;J|Q+1o5BEm%r5zEaz3&R12FKi%@PKv
z$MAB0Z1Kl7VE_y-({LDo7<o<xi!_>b;n<~c30z6K8Z@9W7*LC=UM0Y9tQ4;%VT~+~
zR`~a+0)i%8@i$1+Ao=1VaA<!{yShkMOW%I}+{FbytW+!hI-8rNf+#%-UBZAGq^;s1
zAL?mZ`R^;i8ABYxx1tKs4rEi4j2i%;RIZXK*K~Y?F4L|uk5%gX#;JDdGR^nHWB3oB
zKc|<w`Bq}OP5L;Z%kD0~r(sQ6n&OTW(XKzqJZR~+WTYbTGADTdE8$2I=OLl_GHI7`
z`of!jms;f4D6InDi*?l9a{QcrM|op|-T`&#*Q^Sgp_g6YK_S3n*#)`0L5dVNn0ugs
zHI0JX$e>c+zO7c{+pVkp8M@<lt3r{3EKYj!nyfbDw4}Wix_D5Z@|}s&Q^I@eLJb6w
z<|oC$2~`jHg`iyr&q7c8K$QaU9-dGXfToSus!;0j6Ji$`JQOq<;t)2s9NS%7?+NHN
z;|)|#is>PYM}G)tkC7o%-4g|U;fajn-nZ#dEjdx$^qAV#7vTH2w!?-n*Kx<TpKCOb
zivjKlLXqT7B@l+g2p)Rkk;$17x>@*0BCVZ_QaI?L=R?nwG`?eHk>hwn3gWpx^sEez
z3v<0A=!X~btf9G2)2c!qK2`K{!mdl-^1Vc#rm&_eVbFZT6GddrZ+GKe=?m$GT=k9H
zjpb43D!Emq)*7C*2?9zw$emfVmS{u0wXVw~M}u-4Q@?<uBbIk|TA6ot2Hc1qikYh@
zTadI&0PYzQ$7;fb#6bg5Et2RfH6djt<k~=T^R{aENXM{N8g~qqO0O`i^%?FM?9?kv
ztaaF?#9Cjzv10IXyf^7xt+F%>)I%|7U4BNLnLJ-j&R73%w#xDFTEzihRX|Aa9|BJX
zvlcUy^?(p#)>Vk1tiN<)3I^py${KHoKZ=(cCCfXu2jGH1l~{TgQ`U(WhtwQZK5m^<
z;E$v*X0>!_QUA5U500MYSGsgzC~N=oZ^_lSd_}lm@M;3uI_E-UG+`_lU@I@bn&xVk
z)|S7869#g?%btu415e1|^6Od{&N_1Z%v=4r={R5z(~dqv&K&?OXjOA@#DE2@b$}xV
zM$me|7%?b!cyHUTN7%;3QH|Aa8#(K+(_@RLV9ttWpyB%y@BEB8tLB#g%|`k=reR>@
ztT^V<e?lJJCfy|C{VP-2HOikY7;JFBwt&M}s+8fZU%;nGHsE_cTQV5EcAFGu47R?y
zwRpd=VQ|5H5(cf2TbYJI{kQ&=qy4v{f&2YeNA%Z!DdtP>7(we-5RMqqioCVg4M@Ug
zNNYi?A$oavqbCzGFc@KLe`Cmifvta)^Nb+_`R#)+o(&l=uvP8AgbWzi8gV>s`a8u4
z8EI>?xn!`P6U=8q24{%AZ!x&F0?$TzT}e_Z?>;iM4BYFOmO=2WHjG;z6~1LG8AyYQ
zerNh1&>DQ$J-5i3GWa;qgXOJBxeRShTwunnjk<~;_s2!%l7W%7_QNHEpxlsKr#fn;
z!lWOkZ`~JJln&lnoH6)r%ZJNrjihyOW3T)EMN~6YZz8R|Flm)LckyB>2EHQjJ!den
z)=JuEl!%3`GmIgFhh3?3Mf;mf$bf~dZ!sYQLYp&z=@@(&VxYLDj6tznYh<kfIXGi5
z`EOY34JKn?!&)g0NWWz}1|em?sOx4jthLJ;W5(bgS?ee!W5BT1&rKPFT(y5iCu{v0
zKS6Y|)=t*i$y!YrgHG1^Ut+BdX4X2mE>Pq7Z3&b(I}slM907q#my!}ErxMUOp8_(t
z-(mQ`1&CDKG!u-1a}gIfU&waDnA8iJX=A+3gYZyXXyrGNUL3%A19vs;LqIeU<2A(1
z?Kk++ef^i85D<g^3o+5~7LE{X{lOFeO2tWoF~^HY*#8v?-}H+~8q?2dn(T+fpVF`r
z-5;ZYX;&alrE&q6l5bp`l42@(x05bbPl)Ugo+QC#P$C@mJ>dlhmyO~c62%;VR2sIO
zAxjBfAN=yMUqEaLaQG!9{-^qq9{pC6UL_?ij^u?yQL#?MYjAXCT;TWBP_4Q)R{)ZC
zT-}^*{p1nxqvxn;gA2;v&Jv_`^Q8L>e%qH@9rmflM+k}uI;rn0e6upCq2N_r-%4fZ
z+pW5lmC7Z(H-Sn?Rt$+><_t1@<x`#8z${rpq!CX8PCpp&GzX_2FrF42Q)ootZ1(}W
zS-KCU9CP<!pPLy@Te}b7VTRL2HtlWcK1^6J=5eJ>_dz?++I_%!AKQIEGIRGK3ryXI
zr#wsd!C{NB`{2jJ-G_wFP)|$u0l(BWbsqw^a?IU_V_@n&w0N4k4?;)M+<j1isr#Vd
znY#~T1m^C83QXMx9+<ih+L4y-Lphkb4+u=%hm}1n-G>t#w)^0><uVwv4;W3e*$0fK
z!I*u(Xc~;!2V8vsWA*`~X{_Vp*QyvzJF(dZjHXF8`+(6j7_$!;O@lG}z@TYk_JKju
z#_R(|(_qX#U^I>2#>d$Q22C5Y4;W25v)Kn{w?WhJX<|BbxcVSqvkw?e9}q`6v)KoX
zre$pQ0i)??OZLHtrrXcAN|&<Thb1hV)=X+Nb|2Q2J6XC9Nu!*YAe(W2?AZac2NyBg
z=-`DKow56n)9;F3He8QZ#EnTwJ^`QZzQdKK)8E1H;^--(zInPA#KD{Y4?}F7cenEl
zbe@6EGw{FV8ThySKdh7g|1aSGrH|^BzQ51PxR&SpY{miK^^1KQL&-9n1E>(K2(QC$
zQya;@2x0VZBL7{OW!@(8zlK5oD4ZexoO$dzfQ^YfjQ%nCpQK8cFzDY*{$&jMH<JH8
zObWn6{;@KeuQZYWi_AU%HB0{cFew1@I)Dyl9{_&MU?Km^_<xRt{O90(0M>N?r<r{K
z%sK!w`Ttd9ME@r8fB81DT?TM!V-vFsz)Jp0jp*M*{ws{=pC$j3m??iV`CrMPe|8zb
zG8X-t$^U1oD4S&fC-61^+hqU;H))N_0F2~+qv#d941gv78Wo=MHxBuaIB8u5FkOn#
zKOXWok^e|$%HKl%ABv02%K#Yi?~2jCh5R?!tpdR0e>{W!E#x0h__Lb;@Pz+%2K_VS
ze*r`OS2O6}O#bg#_5c{kf4j{dfPyZV{HtyD0ATW8h{^xAM)Yqc|0e<&^lv5q9>zTY
zX7Vp%_W)q>zn<L#U?Tr11VjC;<Uhx<2f#@F1*Sa!nEd-#_5hg4{}T)Pw~+soyCGlq
zFq8jg%N_s|`9ERV1Hi5UKz4foSn`i-_W-cuAKC8#u#o>&u<ik1$Um~#1Hh7hWV;8z
zO#YGW9sm>hZ?o<JK(#FSUufO~U?l%3rab^g@;^bq?g3!Pe~0ZJ0G9mgEqef1^51U1
z2LP`DSlQHOM*lYCU(M_RxOdK${4Z}{(7%=ZBilUyX7Z10_5iTtAKC2zFq8jhc6$IA
z@{jEI0I-iICjZE04}gjMBilUyX7Z0~3B}eu0A})!A1~WI0H&j+?ngFz08Hc`+3o=_
zlYi!@);$1b^8YtSHIn~DmOTKN{GT`N0bt4h63ZR{hWwYA_W-cu|98tC03-Q-XtM{v
zME=|C_W&5l|1Fz604DOkncV}xl7BbLc)w1=?g7B$zru+AS@Q3ct4x{|ay1VR%(B$q
zI_NKbIL(UvlX69PBLIW_F+rAbmUUNJu)ivu#2W#O*na}SZUn#!0q&i%VE<@L{pFU8
z0J~Z0Z^HgDz4<GQ8v)GNpUTxNVm1P>*k8(wIj7Yq*fHlA6ZVh6)E|#IkLS~(@Jy_m
zJ+HFC{)x&J@l{srj~4>WUZA*O!v2640{mdz2!Iy?<XblaNM<a|%h;81!HE6wfb%#>
zMk|Z`@qlv|(?$SaiO&HS{H}~E#en}crIw8Vcp*Tk4fr4VhIJzV1O7P=UIhPQa+i4{
z03LHLvV#B6qJLR70x)CFXPAuuEcnOVzxE~YkGX%475oF2-3WlOe4D#@BLIe-l~(Z2
z3ovg4aOA|=Yy@Dyzh;VYBY+Y7*Dtr(2*AuZ-v;YO08IAZvV#9J4R#v=j_L9Di9Pt2
zHY2-@0PK7-vfBuN!T;o<j+el{?yz+u05i#4jW+_A!2e~rWh21oVg<j$yb-_*{>e7W
zMgSA|pTEl6x)Fd~2(a9`5x@xkG57!Fg^d8p3oSp`gMZT`GYkG{k1BicKehl*-`j(K
z%>5s}0RFknFMxl{{qMa1{(m@*tQ!H?spV$VMgSA|$J~FKc_RQbwS2}3{=;)|ZrcR@
zHDCh&1Zf8U^ePMZ$KN0p@b8*#0sl0&&;tJTDl7O$PG;~AT`l0hDb5W3WlFvU{HyOf
zTEKtR7%TXvxf(P0r#-CTU*>Vd2K<KyTfsklL1_#Ask=Qa;2*hIz&|*f!M_yMS;7Bp
zp&9(++ckrKlwk$`?b&wVKh)5}0{(%vfPd_%vEUymEZ|?(#|r-2-7Mgr3bTU$kP-{{
z@7v1?{vp~1{5Kkktl%GWe~lUZORBBlA32!8f05%#Gx!gWTWJRWG*@5-|33IFHWvIh
zWm&<0ylb@;{3DeW{Ff*!;9on)7W|uMt*KU~mTCh3*&}SgKiS;^{zJ;FYYghF;Qx8L
z1^m<8M|R-9w%8W@tN1#ZX?cPAm!-Dg|7_JETksFQ7Vv*1-U9wh11#X*@TLX)gTey-
zFCMUhe^_A;{)K(4;2({!f`0**SzW+@f10bafPW5{z(4rffd5<7HsHUbs|EZE94+8K
zh%kZwUA+}}dw~i3gUSm2Pp`3n|NU#N;Gh1^*8=_}iB|BRDNVA1f8=Tf|Csyd+kt;r
zVF&&v^|pe4|H>UU;9tyNV*&rjIAYC$fBx$>;Gg!jfd9}WW`h9>{@tCJ4F(MO-@e<p
z!N3Uq!Nmgpr?0Yrf6V<2#uWx;@Q=CwDhv2eQtq??|NDBMv4H=#hVz&e1`PN|&Svoc
zMo|~@4ug*a=kzn~Fff7tA-|he7_i`f@v<)L3Ile`I>rY4|M-zD_}}v3J}db5FZ$62
z{Nt**75qb@75w9vv>E(w{+iifz=Hpqp3Y|Qzr(}b3jRY3Z(G2>T+8k+V8Q?2>@P5a
zf7|^9N;~jB)40FD1pfbVe}NJFGy4l{!9Sj{?%ZF{xxb)ue?jN|g3kQ~|AYGr>ewOc
zA!&gm(T5~``}NgyA^W<M9#?kzov!e^tOK6^4qVav2LC;(5-vmKp8UP84sUi7x}3nB
z#T+P+BItSo97)*sHIPe>>FCmaJ)GbRp0gZ%!Ku;6QCG4oC#FONNzocrlyk^2mjMCX
zLo#VniPRGU|Mm4}IsekhIHe&Y;R`V>Rk;YR7uG~^odbM^f?G*i$OYXu&L!kjXMX=_
zX8^8}w}rAIa3yBnhBI8aeTGxIl(YZK>a~4TQ=$~u2UrxRJMTz*JW(ltD7oi0yhO*%
z6JGNy=}uM*)c6$i@~s~IKqEaM;K-yTL@vVwe|8`L@#lfo_HzK)U#i+6^K|Um277i-
zu<YJZg1y`SwL2Tc>|nY0cU;qBS2jHD=W1Tr0Aa~|x82iJeyd7mG{oVp4ag8?-r9hd
zHgMRj4S2GgXWH6u3{!98)`k|XuW4(8-~DQtX={V30k3Xgwl*kqPNuC5V}LYmZBSY0
zJr~%m4cc<N*MZ&IP_D<a2(z^T8SwWBv$bJmJ8j<Dfa`Yb)`p|Far`2_$A9l<wl?e}
zfZf_~9H;P1_#W7;4N<dsrmYQlS(#~T!{zB%LtwTx6c=NGo7vjnG!)pa4Y(x5Zf&?w
z4(!&3p0&VkZOGLEyR`usc&4ol&Tbmh)&}If#=Nyb+i#}RpzQwwz2DcW%xCHSO%uI0
zZEg6s^xnL+0Z*2*^nUc{`WZFw>*hh9oWFa<8y>Wk?dWmNK@6WRD>!~Nd6*c!J2~us
zOAOX|r#jC-=Nafc1OL~Zfq%>Y`(XYr`~NooPg>^xHKhIgKe;fx&X@Eu&j0KDys$)R
zm;WDR%>R$I&i~Wi6Rq?A5Nw_Qr=us?%>O?=Vl)4r&N0vbk1Mpy|Icv28vslT00J!Y
z|H-6z{(oVa&HO(e|DXKA{68N5zhOWBKY#sScJu#|Q+D(Jc>F)bX8zxIkB{B_|D*ai
z;|2gs{6#a<!Y%#(5gnpx2KaL&TU31+;9oe5-2fn9fPWG*>d#|=|NKOy8w31xNwVl!
zq2EgOn1KJznc`i*0{`4>6$AWr;is5U|Kfb9&8R<#+yD2CqyBkT;Lq^>77YBuoAIds
zcg9iw>%)^Qz#sGeBUa$g@cwoN_=5^Hnuh&D&ok5hmSO*Gw#a{D(^3ZcYtW!t<FLPf
zvNQ!x`;YYBS>eBHumAcqvHzMumyE;yA2G<kY)xdI|9chv?{Lh>fATYC+CR*HUjM`F
zu>X7;<d2Defi3diq)j#=|9$MRzX&7$#in6@Fd_ew>#WFMdUE7J3-Wi9?aVbH|KaSg
z|IcRRKbRTz_qIX)nD|?&{!gNqVgEh0$p6f})fVLM$BAH(e{Xi!-_?rzBP2H-F+qRJ
zuzzc~0SEn!!~Q&G*dKAc^1_<U!~TnyVgHgHc-lXC;6rxU|ED(?<X;qhRXpZ8Gwk1Q
z@P_)p!Q)d?+nHhimCbW-(BC-h-)sA}&jXhSy=olxFSSShLw`&w9+qky_9t`Zn1}tP
z`8Qu0_Wz5W_BSH`oy@R*S;)a2A)7~rY%>n~8zxE9Ty2N_3uH67w!{92sL)He_QU>Y
zRd1q#vLE)xyV59!+vi>y_J0y_S+dqT?2l}M{%p@5&n9{g@_Av{pZQ>x!G75PX(LzT
zZ8z-y7qwUEZW;D3rB3QB!~XlM$Ui8w-5B(@8}?TR%}uo%_Q!<(nzY@1*#D_<+TRBG
zlN~Q1|Asbu<iD&2rQSJI^Wv~STD)mzg59t`f*3sKFT%9ncG$m(E`}iH<GeoEreS}C
ziM-k2upoa-{87TaT*_|P9}`!Q;yHi&VSn^8^2fygZ;oml_D3W9b47N;{zzWS4)xm&
z`=ghUKR#;53-^^B_HPWDc2a2>_J1e(1LoO>9rk~cIweVI9rm9b6H;R{?En9;_df7Z
zU1k3N%}k(_#FSdJ)JDCfq0lyg(55ZY6cRFl1O`YUv{Zr+G6P9FBxy1!P@_dbtTt_N
z#jjPf+g8!m-Dp|MuDC|UEvsEOTGp~_U8BX7U0Ka)wYbI1(EEEo=bU@z&dd$1>-Y70
z{a&x1_XYXPJm;L}ob#OLJm)$8?)=lcQr5jUXD<8ym>)oS^jiOA|5vQbKT~jgarR~Z
zuNGKNS=MF$Ywl=%?>C;*m;Eo>mGmzAhr8?KvcJ60e>2zp&24{6uJ`Y}v1;z5Ep3So
z-sr!5ZmN6pmMbe)th`TttmVNk{+GMa|E5hRU#i^lRL`Od-c{7iYw~yByjt$}^P2n%
zlDvePjs6#9pa1zc$o>ACKclYq-?C~`<vQ!4|05gy&$G{eAupreU44<d-v9geo~+pL
z{<m|#e_oqh?>~9>C!V{K`~8c%TjS5T8~xQEpMQO^ywAM);ro8Rt><TIqyKg``k#A#
z@pHd1_xoR5wrR<8+ke0K=W@UQ(Zwk?`q}6IEAEn4&m5j98~w7+f5!!}uU5=+*yv}U
z|DUgWd7iU#UWzxFZ~4N%Z27*s(SLp0qy^qafAh)(t-aMFZ57vF%LV^y+>L(r`Tug>
znfvFRox(;x`~07uH|_Mi=|fj0<%0i@?0MD=%l>lh?be>PT<~AZ1^>Ubp8kxw;s2Q$
zb-{n%yj0SCpZVL&`^?n^|4+?Z=6j#{_y2}#9Nh5tF8KF{!{6kt{}1Y)n0MHk^~CPQ
zhpvni&iV{D{JG#?+<W1F%e%}|3va*aCpGf2aW?v`zUOx~Thj_H^)B<rK7G^D-`=F&
zW&V3^i@vdLB|o9_x7Lk!$_4+{Nmp%iUuOP_-mdpvX8zo!eFcBLY2M>sW22va{>wjh
zX{}_yP4G!qY<fm^@8@rF-)8QRvAoUvyRUG=UtjQNv;XKNt6!Nk)4a%B_W2#11+Os=
z-_a`<{Cm0JKmLig%MJgxbHl$^F8F`j+WUO>+NJaLE6c|pt<^XD<%0j>-HV$psJUqQ
zr}PE?6zQg3e$6xLhQEGa`B;JV#D_1}H~i&&<r}|I@XdJ_6#nx(z0oiG{I6IWANc8)
zfB6Hs;qP7WfA`daf8X?HKeyhVVxxan*DV*k)4k!pF)SDS7h93-VQ%<eTX|7Mc>A7P
zxZ%G?-|%0#r}ovS?&F649&1sNzTvMg`2VWttM7flz2P5z=z+g@_lvK7O5O0kMBY(u
zF8DuH`0yp%@V}&Z^(Fd(zmxuXdWZk@<Uc;!w)ofF@PFEUJ$Y~4bC<iXClA+z3e^q&
zs)sFW^VDk}mmB_E@VC?re=hjH|KZQd4S%`df04f7&jtV6R)3;E-SFpv|7Z6t{=D4q
z=Ys!#?72|g@UP^8|0j={8~$AIx4Gf}{QKlB&5Z>!kIM~zx!_-@ZurXu|59_qUoQAx
z#_!h88>_tFIcH|cTz$j;q`Kg5sT=-W@L!~E_@9#t`RwyQYi{^|n+yJb<KFO>3;w_C
zKfC(ndEby5{`2mC%GoS8{9k$K8(i?8!wvtv-0<gu|7?B3fAMc*pMST$;m-yCefow!
z>iXhnfx6-Eu+RUY#p80r|0i<6f8OA{e~}yhKfdCZ>Vp5~S)1gBKNtM@IfHk6h#US~
z@Gnp|{JG%&<(j5VFLL&Y3;x~i4Sz29SDG9CT=4&nd&7V3Jm+^c`i4Ij{M+S*|1)Ri
zeT57DzjAN*|DC$v|2B2Qzlz_fl?(o1b;Dm>@UOXkvBM32F8IG$-|+w7RqXRmRyX{s
zTG{6>R5$$Pf`83(^Gdkk&jtV5w?1`@8~$>^|KsY0f9jOJ;9uKy-z(hkmka*i<c5DQ
zH~i&-e~rH3&jtS%xZyuAdBeY1(eKx}*JH-H;Q!65U%7dsdaHVLaE5!sp9}uY=7#^=
ze>!^ff~Ov}tVi_)|MxjZ_1n}}f9ivae`VgL{^u_?b$v&_O+E5ax!}LZ`ju7kJ-OlE
zEf@UXx4-Kj9Q7vkKmV0?!(U(UKlJ31?m4UGPL}tme`w)Ta>M^wF8F_Din`(dDi{1e
zz5F@-9(DHlFP0nr4)0N4{_EPZS(iKVBK3u-_NVQlxsR(${(7(fiK`x%`v!H%KeN}*
zugtR7f3IBf|M^Wfdwcx{WUv2IFFy4-x#S<X*MGOW*MG}fx#S<X*YCWpz5b`<lK;DT
znY!8Qe~e51fqVT=*Axcr^?ye$`3LUxf0;}E-&U9Wf9~7sck=i89dpTF@AbcQ>7&2n
zb?Uyo{@<y+{txOms(X9=&QoTue^=IC|D$HF|7TqC58CVhwz=eA@Yc^|@Aap=Oa6b*
zUjK@$z5Z?9UjHxECI3I|_5W$F|KyXI7pgx$$9tjrvwzy_|I=RopZ5CywAcR!?)CqB
z_6yZ7K9}=C_1f=R=7s8xWnQTMs+Idf^<7glFH|ouFI2yF|K!i+-&toyXkMuPi%Ado
zU#Na_`lSDb>MviDd7*lNWnQRWY3IFA-3fUwR4-WJd!c%5eX;jK_1(MK_SU=J?{i<M
zK5wgKUZ{R{iu*$KukOEMvU_LUGA~qrG335b{iP{+FI0Cd^FsBP%e)t=zigQosvok<
z3)QC;pXY_@Lza1=dV^(NsD6c&`$F}_{4%iK^)4_kRG)hpuLv@`-j;cx`nY9YsGhdW
z3)O#bnHQ=bvdjzByDjrV^`n+~q59?m^FsBx-M0Heb-YM!t?NtcZ}48I&imA-)L4$b
zw0=S6h3aLY`*L2W&aU@n?}h44DDy&f@AR!Br*GX|?<d_Cs$ctyk61tbSk)67))#!i
z`qZ!Iee@lh<}S0|a@B&?&-RS3wqAYULyiCS|GSN)KUMfo68Mt@{v?4vN#Os}64+2z
z*J#(TS+jc0MtfCP(vEj_^=)gnx5u}4_23;@{_y7Zj$XU2vDR*D?d&A(mbl&4)p<|6
zCmD~~$u1jKq|lF~+o&QZ<u`=wyW+cu+?R;iCS@$%*0Zadlsbt&pQWuG3C+<&(wXw3
z!tu`JLc4P3tjYyDO-}xFs%Y7<Y)ahL)zj10Et|(Y{`l)Ud*W?f+d4bAd1-facK0Ri
zSZlJ?PVVZCyA|=rUsYGvV9z3|kEcJpvGbnRL`TeC8IN_euI;!tzR;f48&FQgr>V6E
z$#ise_S&sIam3eUCt7>9xfuuXt!wRx*-Kj6?&|Bly{97?zrD31+1#-`ZqJz&yV_o8
zZ}00(+Laa8-EhOyta@gZtC`A8P%by#+SYsGb<#LpnTQjWClbG>qs_<AA8)o4*p0BN
zt7mDVwYPn?Xpi01nb;-z(<h?e(UEMod&#syiN6=g^)9s89$R5wW#2IWx)sP!@x8rv
z&8o&#%Qo5*aHe58OdD+N>aivJ>s<M-s#_beJq8&S>+RUqX}8B)WAUC`{qWk+o;|B~
zwlsT3XK&xutsQM0D55P{B-`Vn_DXM5PEyW|wlq&i=QhJv`o>mNdhXo0w&WpCc09U~
z=(Z?VPTcHx-L0{h@Xd*2___T!Q@OStezH5Ril40#(p7TRIH$WVv@PnArAT$UC)sWE
zdAoUKMDyHeuk4C-Y~3XVbGt}m1jXO5n(p2h>)mMCi|l4G1C6nTwoL~XLQ_xIww~7Q
zLV~b?UkKN6Y4?>&tm|&Lk-s!Pf9EgbJO8WrzkvVJuJhI3>#VIi=38ya9(yY`gD*n3
zp8q#muD<bs9a3q1CHLGv!MRx~KTG9ksXQ%f{*7d9T`vW3AC{!88p~SOytHD0`aA!|
zXuUP7cUIf1UK3}-n$;_puH9&7+N7&H-f71=Fg;03>_U5{WzWH+C3apt)#~ZmzO{Fu
zWzC&y&D9LN^yrVhc2{pQzI~xcPn#EnsUA{K6>7w=?T`+HHYws#lFC;T6{5>@4Qel~
zHq)Bv>ZTjCEZ!OKX;n(xc-zuCI}yJpo)G<Prw_+_Rdn{JxtDKQ62Vm0uy!@kwJ2-4
zwl7_4FX`xP?b$VVs#TjvbnRHziLu<)8IP?+64*gYb+@JJ^19M;tG=^!OF~;B_jA|w
z?w)vWueG!%9!G&<eQn9Qu2|e!*Bf8mNfSppdL>OHzNK%QNwc)8r_B)RT052DT-%Px
zjWxAyi=#!Iq;2ZyxCbe1gV@v2Md#gR0#KgXM0b1ZmUyzZGq$R4`xeYZQ@m$;M{;Fr
zN9WSMPF42Wo^5^G>A;doG1pdar5Z(5;V=|Ex3%_kAkwZ*F|ZLv8f#5or>Y}mPsHQh
z*4plPTSsd`r>pJhY3<ZStZi$f)^xx4b;7NFXVPP#g%rK6uC=W_ZZ*c@tqBAp(YtyO
zsSM*{@-3}9^i=;x7+H1QePqkK2O3&CV~KdP$WOG(q;NB8q|0d@8On9mYN;0`>d6r2
z2N45fUT^s-(ipR9F|D1*er0R#T~;LC+jd*Lr&ly%O}w|Ok5-I!Aon^f+BRwhH4$&^
zjjxFJbjA}aTkoX4*`$t65kc!tYG@>}vbDP#g|`}4uZeHt#}?u}E=4+tuAY{))!5|<
zy))U<m9QGI(8`a{O3-VBQP-MCm=tT{Ju((%C)3|LM5d<EF^KXGNZlw&Msp?XHSz7O
zQXaR;Zfq48iDNTj@y@ngmNKJO9sQuSbC**6Iz4tMesXZc{Om)r9T9GA?Mo!r#P6hs
zQGvEZAFVGnwVD#GNye}3*1FD)yZf-quv9}(ZzCD)v^-U{>e@RJF-?r1P5M)_cq*Be
zaGQhyep|04T}+gyHWpKTRm`<2o%Sj8N6$0R-ChyB@zx4(ax9UE=3qsdtjMiYh+(KV
zek)qkjg6=Gt?pKaB&!7)JGXYZZABGnN<~@H+S}2lK8bDW)pAwerMUV-*Y@pQoej!0
zSP|!S@bYX}vv#R#-Lm{gad5>=aQ%&m;=yU5FXD#g#ucx_EwNO*^ZDtG5w}>Gp{6&U
zv}exhovB=vHq&qB+WzLUceLVwCh!wtyKLfPopn7k{P0v;x5v><<_Al=`Z^h~XX?=$
z(av)fXr@lMA(PHE{%&?8qb&LSbK{8?d2s{y#ZW^$G1L@>vHX0`UtUj%bwVG1Y`2=6
zD5<%Ho@rwh?V0XZrQy($%Jb_*E_M<R+?5*ok*U9yj12)#tBc7+*H&9ubQuA=yA$yw
zeX(cz4#pxBzSlLlZb!8ADCK>nJFV{YzBRQb+uE(#zGT<BZoKBW7l7Zhy)_{N5fiQY
zo$<Cl)hD!V!$98MhmWvCQtO2HM_33&6+2GBdb*g#_{eKIwzbpnJu7K@J;L49(M^8z
zzU1=0?cEp;uHnCYk=7gBLRS&toIjtG@Yi<3tqp7Io15|VU0zC!ldX5f5oKrG?sj$3
zs8e2iSE-P@%<II~(P)_t8puD^1$)G1OGb99KbPG2S$#jL%%P7vdXQ88C9N^$dD=^m
zh|COUm#e8Mw%HVKA(gqXBF4aHSJyT*+0Az})h}9D-CVn7S$(s;v~kT!1XsUERXLZx
zws|V88C-1flrR8NXH_XRIW4zQJe1Ae-rCv6*d?>_&aEBW`j~@avRrXm7gEIPNNsbi
z-BjD$Kq+S9n9QCxJGnhJTS}0df0jJd{J@(^FZ6Z$ymT33rTk*AfpYnqaZyZXOijhS
z33EAB*{SIP<x+luEdvFP#A~L`uh&X(BL1lKZ9QFoM0#-(|A6F{Z8vVUw`H97R#`hK
z7i-lilWk?TbY~E4L*JyG>sGI7u3y#cHg)5wNd0=6yfLD6P2%OYhp{(iIm8=4#DCq|
z;V$X~qzkeMLHw20W-S<req<QumIwPp2iGI3o~bK!_w+e8ewM!aJEj@HbK|@9RpSm;
zVv*Dw%bmU8kXZoBO@BvMpSx_<tAwOFo|^RUz{85m0D+-W6Rx`Tjq~c3)~YoFZ~Z98
zp7{7lvwAg{Ss|UTgOPcry+ay3R~L*#a?4k1Y*Vj2vmyouGwxMv7r%PuyqOi-r6bIA
z>)<ZkB)jkfnF35G=ZW~LEZV$vMCu?*9~oxnE8qX7c<196Pi%Fo+s6Fpyp^1YkM^?|
z=zH{7YL+$g`i(0OFMfw!uyO^M%U_Lqh9`qYEHfr)&8TZ$W3Q}TQO`1ieNW}w`8V2g
z>aMo0kE~tRx68h+a{f)yxp=f|>@EV>w&x^eNH%_SqP0`aP<cImdpyzY3k>+kWSa!L
zuqo6#8D}nOkq&%~q;5K5%CshiVPY!IVp*b_^gX>>eR);O!r3ApfsayGnJL>cm9ghs
zGnXV+t6EC_{?xWz-PzXG-rv^N(a-p0_^kH(1m$*2Pm`!Zmpxme&sO#5%E~mT94;T3
zP}vptWW^8qa$CG-OBbD0cXeH0yCSlxc4hr7x79}1)dwYlwzh9eFKfkptmI+T`mjD7
zoibP}1L4&hE%v1kDsO!>lf<s*VBpUr2#Vh*F+~1K9$V<FEc=-!DE<;1L#42_ALB;1
zt6RIfldMB9tZdz3+Ci;$Y~5vR-^G?0e@_Ri&Md3Ox1(7}GPWzEOL}bVpnM~&;_G!G
zbP1Q2rKXv4RZrIXs8@G2kD&DRJ57vCwxWl!7UyLgluoZ|ZBeUQrWsUu^;)h!zlGIm
z+{mdn;#C8H2+UnCM2|8;hD9}B#dYy_0X6xu(I&Mx;_A_BbUJvs{jRqI>B`!>*X#bU
zew*Fjjq__HRh{gQ^>_PAYukFYKu<!|wn9#yOVZ&?^7F#%<ZQb+-kY4WwKdTjzuIOh
z-OCOE6PB1=$7DogcwPo3a5f$!3v}^BSGO$MxqMs}N}#WcPxowD#g;`#S}2>1UD4a#
zwSz^0j0)wkblU@aX(zf`#S+RYLR&j4iy3`ljg)miwM~)7K@%EP49^phsI5sHdL@sF
z1ZzT>gh6^Nt46Ay+jCZ<Zap1LBkY;p3duYPpJ{AP#?Hof#<%unGtXqBKA9CKTk*$a
z>8?4)%r;|6A+!=Az3Ln0R@%L4fxDMX?267V>B8=gM-FTC6`#-E(#P_YtYMRMJ551P
zLc6-ugom`YvI8t^Y?GEoAa(_YrK7WlO&|3H$)ibP*s?-MxlH#Kdv*`QNKiRk8uMpc
z#<U(*wrvLHwUHIFa-f%!X0oT6Z10k}vOH2h%9~`naKb0j)j2z9Hdk!d0o5xnk&L}i
ztLQsC!yLe^R@T|=9kOL8>vFg#s%8v#qInF#vNFNmTvBb{xaD*GNX<~oX<;>^Xg_m6
z)xq8NRnt8NC|HZ*Y3k=%x9s%V4q^{s;o5&UX0{zvo~KuvAUl{fx6{Q&uF6q8e>(r1
z&X-PRYVH%5Ux#ll=cN;G*-aH}uVoHbq2*(&xwJp}#A>nI{?+X)XNgdJ4_=(zr`Bij
zQ6w^JNhVv;$9r4RM^}A<(#I>-ws&>gM3a>potSY=7PQX$h#t4fQdO*LJIh;U`(Ecv
zxf5;YO>NtCde<=$t&_>8o36Jf;Y(L7U!}o)HEv=tT!y4pyZQF0y>?AhY>t}1ioB?7
zvJ3UoOsb_X=A@^KAm60gkVUyw-lSvCrOWHNqQDcTV^dVpvFk~G9kO2DeLhjS`ae^z
zq^aJc?4;}n>jKE?ir3~MiCq6)=EL>+%!S^pF%y9eYwFjoi#Bhx-GwZ7hKG6UjjJtP
z?V>YZ6_?o($JMIPgRzxll(b@M6AaC92Rf@Ko|J7;88G#jWqG5NRgoEItO|Td2$bEb
z&~Bflh7n6Sb=KMlOH5XMo%*{oX+RcMS&C0a65VRgz<h?8J5X5JHr-OLorIh1ch59a
zBXPbYJF&TvPTNYW!dN@fB35N>utt_RO_rXk0&3p}ptr(81-YG#+;q1g3-p`dL>ofr
zNx;zP7oUvAAOfueQc~rrooBg(W{B`F<IG!g89La0Vj8wU&&1}>UwFff3$J^JwS+;7
zwTfA?3OIEtJ9=on`nsV@?O>?w)s0iFWzp43YNPh*rsl@gtJW@L7n=hp+27XGFIm?Z
zjbx~3{XEe>FWQRwJ2GDg&3sYpWbLQ6aaH{qn@_jZuUSi03oSMKlcrH~Icsj)&JO-;
zZRHQ`F&7D0bMff8boYMU!NYqses7P)e>2!)@WTe*Yw-UVe8!~LRwDoJzFX@R@d1PT
z4SvkvCk@WJrq`NPdEI)K!-gw1ihS9vW&z*l8r{o;(cNt?n`0$=`r?*yC$n~T+)k&L
zBmH|m@bnhD;+!e^!4tZ^E*^i4?=P9~vj(R<snb^)JZb3uJnMUU@O1Dr)h@6&JMQF9
zw(>LkQ8{a=>g>^mij5o@Qoa`JV`_N`qpD`lVm;kuhb%sg%!Bl@G4uMY+G4+a`KdKJ
zZ*78QN|~G*j<}I_rMR*^8)hZ?Hrltqux+-Iy&QC~Bz*pBgkN`_aJQZBd;QNMqAsqw
z;l`U5ykp_b)wl4ihW}PUC|o#c@&!{aoLW@;hLVe>UHryNroZXUm(I9MbAHR^rEh)P
z+wCi6URgHls@Zd{zUJEUin;SD=U;cd3a?#K7pY&mtf6uFis;H!tDA0Jv$lENZMUz#
z<DIQr+E`iG*4}aFU5V|TUEO#0^d|f6*|Briy^>g$<66Z?f7YDbdR5w$#gnI8v#(*_
zD{lx{ldQsNR^=6y7fzmZZAm!v7QRonDle{l!{iG$?`tTChYM945+9kSkEhfae0Bmn
zo)gcFKM|fZ@n14%U99t2Z@wRYV|Kp#&G#mQ)7<b&vg1vZpG!Y!((O0t_M3dC8LWJJ
z<poA4h$R2nolp9MD1U5vmgMGES&5D<yIQv==CyWr%x$ySyke)#x<X^cBH4W1)Xs2}
zfU3?RTGBT&5!m_Xgcau&;+%hAeqmi<K2$7HUcHyttSn`My_CtWyW*V|z5rWz$<}R~
z^Z}#}&fG21Ip<Q@J=)r_(^7rfigmT=^DQJ@C^ebe)w8Yqy2{Gy7WO84Bxx=+es=(M
zdn+SG_Op4H)`y?${C@|Jn|xe!^LM{@Kdj4f;vtPk&G!Wcj~Kce?tag%Rpy%rYm+O!
zO$?b#w>BXMIfk;SyR}0dI?P1R`xKbImo;WuHol1&-S+GxIq_p&W+qyGxXVmO2ncU$
z<zT9tOLjQx^_zM)v9+mF&K1d%AMOPOgvU6-BddIwCp*0y2jV=GoJKN_3Rh~pDL=6r
z$%iVwD{qm#PMgozm&X4wD}68Sb@C76pwhb{-t>nTAUpkQ7eL2XO%_;C6^=w(djo_0
zRac)?d{2M>m*w};zjpa^3!v+h#6)iYUr5jBBQ{FXzn<Jxe#%$|>z4{Q)^`)z>zlT~
z`mRi=^TL_H%Q}`DBQJbMM~tId-jf$D3ntiX_sI)q53P$VII*Fgyl`&>m>}H089|i1
z^g4W#8j#Ktj)-M|%1$59L$mk?^g<P`2Sz2{oZ@T#zHmKU>bl9_-1I8kEB!>_Zt1hb
z1B#!;-(UPWS%Ye?);0U8tLz*)J?Lt?zuyjyf6FaF@ugm_31Q>8QrNm(s$!AY*WS5G
zx9w|L8_+|8U42VloMczGH<D+i+u)|En7?tZ?9$j2<c`{v(M@aXZ(Ucvs;++1s@0Kt
zDTj<WuT=&WXM+5VDSj;$ZnO!wSQFI4B+IMDN{-WTn8>RIKZ(pj`)i0&qD+{-@{3-J
zgN`%-kB-=^%IjmEYZ&7sRlEo9Fyp-G6AvQw%#+oBBu!@MRgv<-GfDHq+Y)R?W=F_M
zF9opFV4>%B`i4m-OIGavvqi@-Y1DhduxqVYUv~oA#Kz^U=GtZE)H_b6bw#zci1&J3
zW%XMdta9t!)_bhQ))iL-_>4Hjvb)Ewv@BiE60P*{k?ghqIzid|f%H9n*JSn;vsJ;h
zj~kGZ<L#Ep%9=lSz9nV1Dk>_h_)d16<+9V-<~8-TD=XG=G^;s7jjXO)w~})-74@sU
zb=ua>wstu{Bva#njPj)`D^0Tf&??8yJMp@E#JH=Oa4UKD$oaR#E-Rn!>r7~xyED$E
z8y2obfO5h~wgkD?!cjCi!>dlV^ty+6BuS>~b+ysjHRZNz8MF|}IfS6PnEMr$wb91f
zwXSyMHk7tk>gJEMhH4IfTfN@ec;)hhuNuWBf73|1F}!$aZ@Vm^v~ES1*>R+-C%<a^
z{%17qKdLeE4;qX9UgPJ!u5nLFW2eCugKshD{ErTwWWK*VuD}1p;E2J;46ZjAGI;9u
zI{tG8zh-d3E1LcR^ZnC?|5iDmYiIhM){~oA@@DzLW(A3TL1qqmCYWREl~Qj~^4nB@
z8;XoPR66Y{RxHXI8eD;ACs6KnHeW9yEn)cfvSTmXPF`_zu_-!}PEL8D{dlOJZB(11
zVjHu^XCdd9zpU|Dg}Vc#G%k<dKag-urJgx*%duDa;W>s#r_ZugI)*!QHW|g(u@M7G
zHDhcR8hcXhmeN-JViDt8U_2S?WlKSh4QPhJ@n)CLmL4#Bqa0;Xk3M83j+0V;drP9L
z?Jig)66W@ei8lei3eH@1#>A9!r9z$w;+cHk<K-J1uUdQL6{fbqg;Nv9+@P)8972FN
z)VU#wn5#z_vy&HJadI7>yihG4<4;UbTO5SEbc(B+%w6`;{;Ja7zh7Rb<oB4tuN!=>
zLDQp+8mF1>M-A32)AUPMXuQGT52E_}`&Vjw%-}(T?=bOhH@Lyz*A4!U!LJxTKQ`$;
zX|8nLZOW$#%^!dNQPt85RyOOoXog#1S<zC?jPt7Xs$>27tKT3RV<1YM>|qN^bWq)z
z!vrKb2k!=QWL_pqnbD3A8U1CIKqcUOo2)6Tk<jYv^g57eMQ<Nv*e1>f=Q3M8o*Z{p
z2L$~2;m2n4U7!o%xzE1To!hvb$_9C>DY2(AN+daaC|{-+{^cF%wA?+(lwOaqVhT8g
z-L-@JSL*T0m)%EdvuO)gPFeHQ`ra#NCUqA!$9O~wGY4g}?aJ(hv-8u@Cniv68Hsbd
zmGmHQu`r*R?kAK=)`;?osLop0Ce-blUZY9rT#ZrnQYsTrfC-8#MO(L~F)v%3C*^eo
z1*mZ)H;cRby2PuSs1}*(n=0JZ*|o#H!-+R*cXAITyNv2!g=^hsFLK4IYN=Z<*OS%F
zZ^jw+-Fo8N<DAY<bkSAR9{g?kyqAqnD3=h;6Kr26PLS6`+3joc=MH@9mW;02oFwL`
zv)V|LBb(}osNLJ$%8>-Nh};I1B54WbrcbtW`Qo0AE;-X@cgXOid01vGyke17=1nN`
zCet5emVAYKn$|RBX8g(>pR?qEQrH|OZ0)8|wSjTVC0l{=J^;CN5oj1p`Tg+%Eml^3
zt^l;t&Rx-tHW_}6_nwhsMn1ydlLDX3&}uV#$JyuXK;?Pc7n`U~u8|40G;U`Wq4L@{
zTepoIe3sMmJiJ1vobx)XOrEfUdf;~3xvx`q1ublUMT6zTAs1fhz#B~yt{UrnCba*i
z8F5t1652$T&g-MPGv?QmRWc3_=&QWhGb&Zz;PS>gwlO6VPiijjE${{&Qsl`wM<Ijx
zk&2@k(r--jW?KzUk23KjbAJ;Xd+V<9;0N|_*;~!md}9e3rB7umUr`Qby9+9Gu-6eg
z6JJeSUq^}@d2q!<9WG;p<~Ehud(t)5?d^$@NLU7Q4?xcex!3AT;U5osxdFN<V<;5E
ztZ?{v1B%)hlR1O>VEhx~zqsqSTN8b~ti2Xo9=`eHC6@K>5I;on=(tlp-Llf39(N8t
zU|EMhH|`vGknc~9J9{6ptRMZ|xN`y=Ju&X|FR-ls7sj15X%jyjcbZ9;_z85d`lsX0
z2v~l4+$rRD)&{^Ta1@M!<^MJA#J~jDFX7+;u=p3_&X9ZuN5B#A6j=I8@&T*C>2J2I
zF)#v_j=={k2m9swe~&xEV9U$nPVuFdH4H|;F|Y;fKSMs?;P1!>EPVyOf@jB_YJR7B
z5R8GN-~ll4`*G(mI0BA=E#u=(*=6tplVCJ8?hJwn@G#g9j(~&UDKHIAe+&H6$Q2v{
zli(<L0PH_E?u>%vuOg?*sh^c{s=(2Ll#>9*!YStj*grYtOfMzgg(;^WOiWEVr@+CY
zlvDav@D0QVhrzvIq9o-E%lC^?P8uAzIOUYT4L)y7IZ?3ql9V$Dj)0?JVtUFc<|WSk
zZ%R4UVCkDvP77EKCczeP02~AlgTvqmm<G>)rI(W4CLUM?Ccr2-1SY`|Z~z<yhrls#
z1WbctVDSvnUqOCgIoJY5zy#O=j)DE)z~w3Dn1q)ikD1_G$p?(u)CVk|NqN8lu=Gmu
z2dls_Fecxxr2Jq@S;{FaBfnWGry1-A6W{>27aRcx!8CXnEWe8K3Vn9UDVs$-z-q8~
z4(Y+_tEnH@e+}{k2d^dntB40yg9GK%0~`dC;1D<f4uc255pWo+u0RgV9!uxK7aRr?
z@_in114qFzaBx0y;_c^SU<^!LM>)Y!u#oe^(d$VM4uc255pWnxgQvjiD)a*E2d7^{
z`M`3p|3=CQ7T=U|4uFH;32+QN114^!U9N>Mm;}cb(H>ySV)%h0U|BieYseoQsU?3f
zy@d2&e;xT$P);x=7@^!?`BKWkJ3mU7K?kcFNCzgsVQ>gMA=n6iUUojPoOs{}*bla>
zB!6(YiSIZM>02omSiFYz087C$U^!SkANhb~U_V$54uZ|#7`Ru$n<*EV22X**>uAsG
zh<`in0S<zD!C`O^903o5#qT8E_2dIqfl)9D4uVN=2pj;1!GqukI1G+~C%`l~Cf_&E
zj#Z@FNIk*+caaa6*hIa+>dn*_9BQTfHy}r_1x$lU`5vP@@*NxjhvU@yM&z`O_}~zj
z1V_OEu(%!l0;|DeU;;b^4uENJ2%LTs<ps;ZG#CNPJIEJo0h8bWcmN!^ll;Lk@C2Ah
zP%p5$3%M+yK41$t3?38grhULPSo{vk(?dDIYOon>Nx~nD_EBD;??i6kAb3W?cfofd
z*pIxx()S==FbWO}9XtUhz%j5NEWDZWf~8>Td&vhZ2NPfv+zYmVgWw=|3>*eW!IAsW
zpK5Rq^#J=nK)Jxd4^tkYgJri+&Ic$DIQTH_0FLb^-$n5GIQfA?pMXD@_$2ZYI(Pys
z9VGo?_<%8R_%Xu4>c?ppa0r}UL;HOiK48mdkUKd1S;E1g&(Th`q<@m~fz_X<KJpzL
z21|#K^AgGhM!?Z8P!6#Fi{vBU!4a_fuaQq3_$Blh90Zf#C^!g~K8;)?96SZKfN5|5
zoE{-QSPl+@5wQ3$>A@E8AUF!10Q>)j`1SDlTj~QQz<zKHJPh`KnRWw*!NR4`!7{M?
z2=T!|a4%T;75IYbzoQ)_{HyR?Mt;M@1B<^#Ja8Bs1V_NbVD;DG54L=R@-|R@Fanl-
zllWlb8QNX&82L7m|F>utaP-^o0f(L?J(vckFDKnUqK{ztKT%&W3LXIaN01ZP@;&6a
zf_%UPSbUuR2abYcVD&%KK2h*_(u3tcB7ZRYW6HG>`isN|%YRCKtH}3f$O}yTC;Y+a
zf5Cq>`TY_)82t_L!GYh>K49s~@M$97-%&qs2pj~<|A+Pf2f#C6^cCuREBT$J9N-W*
z1Q!1u{Qz6QQ{VuYmT++T8srO>gCk%B90gmz@^Q)|m?l54#UULy08U>^dazv3N;@rJ
zc_{4+fYsnZFbWQXE#L_-0gi$FU|}<Sz*2A!tO7^DX0Ws{?d$~;lSl`SfW_;GH#zM@
z!RQ5PXAm3$hrv;B6dVK3fN8M!HtIbk?UaF~U^Q3`HiIo-0_+F(f`i~7I0POB%P%Bf
za2QO3qu})0`976$g8ik$1Iuml1*6~@umvn$4_-ljU_aOl4uT1A1l$XbfrDV_O!$Ds
zSCSuCJ_|lzbavWF-a$HW5KM!|z~VXN2bP0pz$jS!PVxiGzyw$gR$om!faTY~SLk3G
z90JQXkngo=ryop!L*M{-3>*PR!QyiGgDv3n7U}_3fkR*v90g<G7}yV{!2@7%1^mE%
za8$y<;*Ic~iyXjFFaeg%Lk?g+I0#l(A_p)5j)249DfvF1a)W7b`nyPX1NngE;1C!E
zkAb7$C|G<W@xgwubQ9&hiTuFg1*8K@!6C35JO);SqhJ&~1Ga$0n~?`t4i1A+a1@Mz
zX|NwGeFyx&=t9zi<u?<*mGrkj2S*oE4sdJ<?Xrb*_0%6sETi7wKoj{3-b%gN;IoGQ
z1C}>aJ}_|`<%q!tECX9^r(MCZ4b%r5Xdxar1Rev^;3=?tBl&`3U?fgC-vwWA02}~^
z!GmDSCdv&CfoH(#&E&V0a)4!Ebt~lrN5Ek)y@l{?l&6hwa41H3!1Ar|1xvTV7i<BC
z!O?c&x07E7@&luH($3%*m<G%5qTU_U6D$Wyw<A|@u#5HwN5E6y@DB9uPVxt%;NVX3
z0~5Q*4=lfzc!K@#xeNLS;UoAV<O8O`;sovg5##_4gGn&@XM}@;AE!KE%OmjL4t|36
z14lne`8r7tmV^C&4qtE(JOB<qPIwpf0n5Rb&k_#yg9pGgco?ky9QBd#zaxG(-@i&c
zumwB-jttX&VE@->2Qc~#^!9Gb4_1NYN6|a^4)%k^-$cIPAb0{C`6cmtXpb@43mgFl
z!NFgVFF5>b>IbHOLpghq^Ka1$u>WP`2$r8gj^GG*3LN_#@xkc-kbjc&U;<2o2f*@I
zs25lbj({!TDX<?*gTvtTKI8|MgK01V_MfHv@*NxjTYiuIzXyKf=n<HBm3+W4a6rC0
zv=2B6j)3LXIcE&)51(^NcOZwtb51ol0JeZ>upf+0I_C_6{orA67#sn|z*Au9<a16M
zjDpj5lKuktfGtzcISKh*bk5le4i&>kzE3;n6z+o0#pDZ?UvkcA21nj>&KU+rFFofJ
z-%I{8&N*dZ@#W{7Bv@X0&KUs5-by?$YEyo}GV*&j>1L51Sbi1xfi2)5I5da+`iXbV
zIVS>+T}wEaE~h?V%Ut+?)$_>jJ;<r@oD&0wu0Q9Dg4I=|e=q#ODsb>d$^#DEM0w=<
zf^*IZaQGePoalYfZ-x%07oBs?faSHwb2nIb&N%?~N01*lTu(mlBmPq8V4{Kiz|uzK
z@_y3yQBH7d2lWN}?}Z;&{O)s3`5xp2#=!pfoO6c2;`h=X;OP4)$6o6DN$Lj<gD1e2
zLFD`a;vYQc90Z4-AU;_7dD?j&`3+GnaO6wW^MjQ4DDneGj#2;n`Ti~B3|4=Ka)B-1
zBR*LCJn=t7`jeFV!^Hb{@&N~aLAk-|Uy?sK42}u?zX^YU^k=9KIC{aWPGo@eQ(kq3
zz=4Zjb<$wVbm$Kf{-#%*5wLv5t4`rV#JlWOrwSZ;`>Rgb!_;T_t4>ld`l>Ss4y__S
zII^1f`^mrQRVNBgxAaqR?;5LM=d^;$i!Ye6zu<ytLNDe2&ST@wH71TgaD2-uBTV8?
zd0^Z*8s<aEw5268mS0q~W6Ex8@mp@b=K8XkP*uDLIPD+Co!=Gmp|)h&o>2IUp{XTP
zYKubafE7iMqx?_s|MWkOJI{vPc%fq|JahzDUzFf)q$tz@)D|^O@Ry|WRPle9|Lr5=
z&VNqk!;+F|4}~b=o^Yh3Dg3d*sU<Tg$`awYna>gRxxT2JsAu?ZKR@o=0qXKf&UHn#
z{9SGSMoOkgsFF`vfn_xjzfMu~ACX%%^!uSp-P}j$&CriRuW^Z>&=b&4Ll?QakI?r*
ze+fF~)_Ww*AoTUDzhbT}t4`z^+HQ)a_ze?&gz%fZR63s%&`&~Nl0)YQ3#}RdGVZ+1
zM;Cc;sm8LQe^KZNZC|KS<hZP4bLeAQjJ47tDwUM0iujKazfvemOQzkfno0$$ay1iv
zh;YDrs`-?F@Fet~3stq(@{$=3hU-i0fx<}1oPCpOODgwF4)sqhnX|0KUQ#lHI5eQj
zS!6s!`t|=xeNB5m9Ez08cu3MeSh%EQ&VZ!fH@UWC!JZ42mONGvz5^v#5GkpwEt#_<
zmtPh9((r2-&FI0t5ap42SKjSadqoj>AbTVrrB?N;qCa$#?pj6Be}rEY`u)%`C#rq}
zQoeoYqrImvv_i9_J`F`}u5N06dr5babZ@48+(+s=2>tYrX@8+3iw8r<WFTByV($}q
z?U_VLLtBs*lv-C>4Ml6A)cGj&(sCmIG5F1Rk#%rBYku{@kMiv+L`HiiA*;~4bNDUO
z?JoA9oc{d+=^1YPda|m-4!z42lIT-2@hVS_I}0Tq<u-DllzR$^xJtFEgz<<z?InH<
z@gER^vLB&Us8nN7XUP<i>p{W~5x&8Md-`dwMyM-Q<18=Qtc2>elcXD!@{$fSYRXG{
zsP+wQC!ucDI%!~(xK1~)$bI@G%Fn*WfR}EWq-!j(yFI<AFS>Q2&spUtgGUU0-SAs)
z`0YW@?446freS0n$zJlFPS^nPo+REIC7yYNeh~U0=p{lUdLu;@`mjH~p^N-anE1Cz
zd?kOhV;_2r{6%GIlyYe6D0~X(Pbc9&L*m0{HT)xdEQNj=I>S<4JHltjR3D#ZMH{of
zN*W$%-xz!<|DF95A*lAfO*OBGT=LmVcn#qnm2k@Ykm&h?Vfw7!E-Wjl3B7A-NoAeV
zch5R3&FJR{d>(<%=Y)^4W2(K;@6bop2!L{ke9jQh{@J*5kr*f?ANqmmr{M<*bi2|v
z(s8PYQg#7<{$t$vxao%jAtg`xn8>pxw2zwCxn0`yml#P}NZ0<K?Dv>_9uA>L4@tf9
z>{X;>Gcs9#0n0H~^+n+wlxRU+KnPi=etnF5rm^4lA(M|^ey}rkH9QGEVk$h*MW~;Y
zvk=p^nf<rVd*vjGDQCTBR~yByQqJ(>Ql9*hGID>GfTei_RrXu*Ns!Nz?BBh^$njxm
z=U{m(D`^TnAIPn~s5vluGd@Xsogkmx><`YCe3Ty0UefRF&@Xl4qInHPn^eCy21ELN
z@rC$DzrsES*jr^Emz8vfcN!^r2DiQlt(=3Bc@!y%^s5&5&3S3uc@v-AN6MFkUJ3oL
zgoyt6?YhaQGW79mvo7{~h;&bquF;flf_A<%x1FUtqW5E@Kk}P#=bt>excwvi=cEyT
z32A6SO1~|g%6R)S{uQ5fzYYBp9aq#w`E%8T&taeSehH@@4~OVSW;|Xldc%0KZ*oNR
zMtljzr2w@t?I!gbfL}ZO{@U=%s~`OE5B?%sizTwI-w5eXlm0J+km>)lduBX0*(rIX
zrGCE~ccvP74un>T9Z=&`s74D!Igqdud6ZM}1^+Yd{F(5_PVNcafjH`lLU(KX9VPq-
z;mW@ve4Vk=G3ZC3UuM#+fnLVve(29a7oEt~(|4B4Xi&q0(xZdKI~kCE82ahgk^U6%
zEcU;1^G`#c0{yk}FDu4g5>JgkQdS-*e>L<O(61LlRzIWs%eBuW{UAoX%AEW~p8e1l
zxO_>!Clp08`jPNK!snbPeAwi#$`z1)lyIrvMB!<|&mzC8B}<ilo0q?oyYvk@y(_mS
z)1Fn(r@@zD#CxQ?Q4?SJ>xy4!B??ko)JmrzJVAIn>Hh4zcA61Ibw?Qqa;>%QcZcC~
zlyeH-lH4=)Bjd+0ICo)_{7ztFQK%t@q`HE%eIWv>;haOt<EQ*W`i=1m#cB9Swmpgx
zx0-ZQIQQ@iZ`@cpkv(5ta=ak?%tQkRyqftx0KX?WC-E;{e`HiO{gDBo&F^4DilY9n
z4Mm~7e8-+4clxaId8Im{r>Eds>5MyTgrM4`kx{!A2h1~fs-G2KMEel$trE{X<zN}~
zZs@lNP5BGVGflbTs;82pi7#?#CjM^Xf5pW2+eI~=X6)kXlE=cK_npTu3crK!dkKD@
znTTJbXJ?m}oD97;kX?fq0j)o0;MZiOobP-5g2v%GZMSPe_rNdT{ZO-dJ<dg@VV~fq
z?10L}jDOIl6r>!o^B(C}N$3{z-1q~~=Rm*Ki>>(_gkA&vDxu$6GHn&o7JV6pz8?C=
zyz#KX^Bb3m-=oHh<s~nLLf;N@977M6R4&c#WJ(XFU(EbAlybDhbYZ02<<K92euXBf
zzg7H=KtBY%Qp$mT?Q_>5?9i_mMZ9?ipY=q8o+s_vPr4_=DW5+S<R7Z>Q`R(Q6a<Z*
zsubD}9Fg)BvXAS@gMOUnM~5dD<kVSMi2W*N;<0m5%DGMms-Iv2+O-{*@N&W*A^Zt1
zJhTb>rZh|B6D54k<dnno!+V4tgKh`V`=QSWpdWxfEr%}h8iGCrdQ7+n**)5uNlBJ3
zCeu4vP0-F+z1L609;e|a<^5;F&-Bw^|GXyjbWk^t`b93m9>eG3!pA(-U<>qy3)qhq
z8s&XR{3HK*2fb>~<Q=}&a95pldk&Jmo%F69G3nL3h{3^KFIi8O{R4%X5lQ}|q(3d`
zjXn&BUb_Abt1QM=Vmq0^$QLu`k>XbIzm&?gUzl>13qjdE?5mk4-RY%RR)lOxyiCbf
z*+0_lCf(g8-GfqZv(BK_Etn&0%NdL!Mei(`voyb*l>LL>A^2t5{q^vpXR|Uy+3-X%
z?JoSz!0$Nx+W(;PVNq7Q<;%AB5gh!N;Me&F@$=U=!;hj_az1j})NK1B<CvV6oC3X4
z@=<mMd#C0#Yu)LsvR@}m`Wqx3UO_i4BYel8FChJVLr)lb;hUNNLHGCDa^jRiUl08k
zp8g<Bcb@!&nK4jwnetW<KT7-=#VO}~!e5ootRvbCNyZGS>6`g1hC}ppFX_5T_pqd!
zpkIrtowd$o9C@)z$4Gya^o^39eD{QQVV0H_HBdik?^A@oMEHAH{}TRr^G-D$t93(h
zzSai2DSBcra;dr$dp0fQH1IjMU$l7rLKjf-j}gCy_*Z1-AGB^6!7+I>aQrsw93tn#
zlK&+sXPe}&<gDg#SUDDzjN^T)ENc;Frnkxu8YA6$(%os&?Frq5oT5cr`MaE6EIy3X
zZ#oM>j}dP`;^p-F(7mqNkU;HEL}cM;ddle*JyGRBPxO4d&TDwAjI5aH0dQ$is~1q`
z`@Et^<R#~E?Kh>InMUtSdu8O6X)lr2uaQ?n-m1fLJ$j40PD%OR%()gITVArBw@e8s
zTGZlS4$$@w$G?GeEnYgK&y~h_D)$jNQz=)@QvPPrb(8LQk`DQqc`W50kabqqZV&kF
zHrBJYNQ|Q2lA}VB_d)pCm!_N*UO!ZJoSv=M^Zw26`9_LZY0fypON%0W#jl`Uu!75q
zHuwVJE#)nI3-)G4%K0^)&r{yd_)AB5mln~wx#gAq+zh`%@Oz^vuUX$<{nV^mFQwHe
zbk;y^^m{t#<-GL%%Z#0qGVus~2>O%IuTvELN6LQ;`f=!Igfx-;_=qkmnn?_dRzxk^
zcq0xJ)nTRl(=TWIdP~arH;<nhZ)h1aABs}`gA<p(ne_JMsjU5<et5|_?*{1a_vT9(
zzdN(ertFaTdt1d0<vZT>MWJU22wG=jwi%E>)l2dpBmebpO*!kb?U3?!^77vt{#bDS
zON+wWBqYB8OJvh-f&z%Yl_+KWu{rN)^uoWsliB}?vh-JryAH+Q7tD-K^x!ajDz8X6
zxc}ZG^bzQDptG#wJwliB^EUKce?AR;26W7#_elKdOaLYRT#u^tuN?XU=(vsEQ_iOd
z^cv`^g_>(GQ8>DuH^58$B=I*Be~s6lm0v||*(W-MNzw_HNO>jxLE`V9nR33sXU#t|
z4$E$t#K(10es~p8P7r_El_}@z5}&YrvR<wCJ?eFAtW`r1BdVn2GqRO_RLsKFBc%H~
zQ?9&mQthv)`AC%gHF6HvUGw$h7Whq>mD2kPQWhSOZxZ@6=zcj0eE|9l=>GYl_<RRV
z{F?*%joSCij0ZA)&lK&<U!P_GIy9krs&dJ_h|^c49J-13NV&?Ozm!84e@yOAoP{p3
z({g6LVo!K&iQVH$R`HDy&z{YBR*7dG;oA>=26T7rK!SvR0QxlOEL(Vw(1)N;fzC9~
zdxU<>#AkWedxSn};;Z#r6Vd|8J&u#``J!i^bL^X}_q+%D=C_UwMay$6XoHM2S&K~Q
zQ5F1~ZTjccDd$DWQ|X`aPbx#5=$xJpFDdHtKI2-6JO@bk0_lEf((MUtQ2t4Xac0W8
zqR^dqD8m0R@gBP-<@|$*w=bmRj{idujY_lLC7XjfFUnO-+%eKExEB8>sNYF!%BtMi
zR{fdPNYw`=8%%{I_f^`<Q@-^=R{j|_#LpCYM+x6aIO^&>l5Y(9Zs<QU`fJ8R%4^0$
z^f!DDTAStI-m1)%@I6R+dtSC)3g2PqbD)1oa#MZ=?dYHH!<Y4PSqj8gV64$2pX#Av
zSJI?^lJp-f;7g{Rh#Ou<X^bSbA1iV%pNYQCPdUr@?2Au5kc07~R^|AeQvMj}DoLl-
zZzL^`$g>}M1N2!!ApbqGNzTCBY~(5TeAWk~I}E-1Jn2plzMF8|e(#ZTj6uI2y1#vd
zUU((;HGnSniXMUPFSo>(dq#%>=uzm;=Fp{{av$j=bi{4yxk>rj@>Rn368;k5HKrXn
z=W!T8s1-H|KS=nr>rH)>oMa_hKT@7!CcID5n<oN}Lf=`Ha-IqCMU6{p+|c7pX3Ae%
z6u!VTH={_TDE!s})%I#JLi%Ny{JAORECzHt(d3-ck)gwwdsUAp@n#V3W-s0@ubfgI
zxp%dGaNKz;%onAv=%mrtM)8aB;`dBmR&um3^c@_4ob_+5hoZM~PwS-{jeo7=aeIkP
zpOt-db|G2kmQUJY5c!-U{!z;1pZ6;LhkhFRBv0<}!3USrON&A*Fw3V#uOF79sLw7i
zekr}=E@~(36M=pb`Wr>gsyyKZ2vp6BCI6U&FHAZA#b+yYtYlhD??d-PKXP-*`I$+#
zPtJ>|c~khaLH%!t_&XP+oLhwt`Rog=F!9^G-r6AjPfuwima==NNcR}&o)!Xf58Q9e
zUpSN4%Ks>%1K5jGPAW)`r0Zj4v71Uz)ud@A{!6voKM@8>@05R|_RB-Nz4%MS12<`P
zV-a2Cb%6BUOSq39>CGebA?Wu*FLa5Z(2qgi4c+Y%5-jvl=sTfL7J_+%eg?Ym_tUGO
z%YD3d=nqL;C12w=+3x8b6n=TpU9M%6Xu>Z-x}&7a^+#KvAA!y?ocBn4`5hREU+hu!
zKE;5Ee}m9f{^~p%=WA|Pa*|anNq?Al$4T$^10v8zpuYh90?}tBci(y+$1}X~O$Jo?
z!X%E_1eN5o>g{?RXZjrUrH=a=rk|Sg4(@!Daog5u+(sum=}%G8wJ+n|h?hUn_Q|=K
zJ%!=H0ylqR(kJ-ePyEvj*yBljp}fKCugc$SEZJWWUPY%^knh+nD_RpsSNqgbu2WJU
z?hRJ(*{6@HT<la*dCxsp{bf2Ef)YPr;y)<o;RfXVfOqbyNko`6Tx;{B>LvFvkCXmZ
zQB+m0%sel1PR(7{4;>9GeSHxpy8>#fYNgvr?s-0YYsy*W$y>Fzs@F2v_23j$rlqu{
zj#8vEq&vAL<$PN@K#<(kev)_I<4myFb%jOmBG)jVxg+KLw<(8zy(6;^(^zt-AoTfs
zyRKa<(dz;DOxa-U6yN1h;~(@x(CdXjYwZc$=Zz~;pJRldBz&XE|6ysbiO!YOgvJBq
zYT8fi*Ys<#Uo9zpj!5+*rN>JDmohtjFJkqb_koVwjTT9Hnn}NTW6Jrt=|92qD6`(k
zImNGXST>-g)e2TQ{0_p;YE3!20bT!4Bg4zmBKf<_{FOsnJQDu|@tcUhMF^D3oB!FU
zloS**R#zl}dVDA((SG8~Iakq#3HBL2sx{v8Bb9$5@`{jt_m-4%uP`LNS?`Z}{RKai
z19x*!Oaw^;x|>;^Q}fQfq(4gfHD-LtlUHVbC+CkY3f4!h-=dEv;CGz+u)j3rd06&6
z9tt<exhu8KfuG@>OKA!n2@*amtWpfd&N%Z|Z`@PknD(FOTc*v`yt|C}QR266OF6BQ
zuhP?)a^sfrSI#F&16A=qNxVbE`;due#(ngN!<VLgmWxp{(-%?AC~=2KH>I6*Zc`rr
zz6#EgJ`ajtmt&X0F$9)1Ps4^tInu)K&Y*SC5NE7RL0CZaFK{-Ku8M_`Ceqz(^u_Ee
zss2Gzg}&@JJN0t>I@4X2tMy2)znEU9$I$`!F1Rb@d_?489<d8@Kl~{4cL^<7GOYti
ziag}L_>@G-xy_RYx@peGy7Ewm4zdKIN-$@IPZ#Cfj<k32Jp9+rl=FMZNA>%RJ-yd!
zZf&omy{n0Tn)tU#e03fOEvG}`fKF*D(tA!4FGf7OE8`dMll`zg;pP&1y*I8)yaD1Z
zc#U{s4-XTsiFj)LMCn=feBgu$XPR$W%UG$oU7t@HgT9`0QddQ9)$~F(l)9l$6}ovu
z?xoP%q1!GIl(bbQenjX>PMLm@%#oACj}d=Ae3l2qHyV#c(5fKu4-o$l@pnpmWxwDr
z=lX4*Ui$2{-2b<_xpyn^mHo-ngQmQ5&1PmV_N$PI!DiCC^XLHoxG7|;pJ%{K{?cv{
z(w`(f!%$9n@!QY~%&qEg3F4h5-rW*Ul{0VMr6zQH_Of^tQ4f-?@^0?$dg(ItV|<l!
z+clv(v(riYjgszu(%mBI%p>}92KpiBGliz~N1w-)a*F(?Uq^o<{2eAdv%ZoUKirNh
z@gu}PPW*%ypMInFe=>H&B#``*#Glraa(0>cd*l%Nl$Fff*o}gAfbed@pZCUd>gylR
z{o_GR_(~ZMAkpPn$|fqJMW6J3o#b~4epWKmK6^q;z$9-T)&AF09>U%IriWx6=HI8s
z=VTq_jJB*^2C7D?{-n41QqCb^nA0CZkGsQ!1Zq1c?}yk;{Lg5TN0;|S%(y3iULx<0
zm<C<RH%Pz5=&sLhf2r3f=^99Pi8roO_WbpsALrCd4Wz37qkMCAWUqe+-zw-e(Dxg@
z0sW;ie3J}143%Do(c^P7>64`2zcb}5F?RbQId^HwrTj%LZ)PmQK+BuyNkdV%-7xiN
zx{={2wrB*t_urdxUg5KD2mC<yyo0PZqU-QkUgS>a6jSEV(A^n;)NeWyu$p(LoF1=y
zYovVm4`%;Po!baMomCiP!6<^&O#0pLG4p-ZUQusc;`I8SNy}-k!`aKLqW1%&TfloK
z{*lj8els6ZeoNlGp(ezTv><;rWbB&QrBV1Df!|W$r|hWPFMD0rLiyK)H)6ktr}jaV
zJy@I7KgvwFdtUyb&~mST(CPNcJ(N9@!~1gOAwFIyS;t6!Xm>DwsrOzJJ}<k!FZcX4
z_?vq@vc4ZW-#Mrl{7%4c|NH#*13T+K&z`X#94mb11Y!)m6lhk=xi_g-^-cI6d;IH{
z8?)pl?@O6M_&r`fVIS7aBR&7*Mv<ETq^35MqKAW|U%!|2J3fm(1obmH_87E}D&-p`
z{b|y#k@TuvS$=1nW!P8q)HLC9K9F)=&6a!4`6o3`MNYE0n6GZ!PZ*{>^3AX0$s_F%
zTflg-FXjCE1$<F@P5<@VbJ%A5@d@)8K~e!3X%is%jF3;mL#&gUew#OsczyYtc&++W
z$-uZj<^1PFa?8@M3F~w4welGxpZh;@o_t<keO@!4!i9`4A5A&m`D5i4*gmVV0$L9e
z<g@c*%uD~cd|p!z<o!RpKb~^_^^eQvRItA3`pCFn%|iFtPo$hHO+Nm6ZgLmKj4Pg>
zAnzMG`>B-koUC^#d+hF8g}*jQ#TE}tKVlc<eMFBuo^o#R><9hE%x_pP*M6Uz{_~p;
z7Ov5_ERxLiBk&u8-~FFXdG{0j=MmNVJ9;bY?@e;pDtP%_`Abz8r{nO+ITxna`Qk{;
zR6JTlN#rwrojc#3PC1gK-+eIqyrhhq@?NDWpT%DCS=+lD|CsWHHf5VTv2({r*F?IF
zl1|w<Isc{YoV3#^!uJ#Yw1i`S%zCDt$3NkgRs!`rdpZuY{W&v!ua$8aAHlzVkm=tm
z5Z0%$i_ajhZ{dHA;IDia5A=I@6wgUxO1<R0P)FgHkPKA2;}mKCSoY(&=|Q{8ML^#{
zBB|FP>CTd_*`#A%Xc-l2C}LMa<Ty<Df+x(pYLnVlQ0v1dpm#%OnU99g(8r+P4?S=H
zYZ3B+F6P;Ngnub?iC^pzL7`Vc-wpjjA6?2Dg}xKI>u+ekUblmUCkTI%@ZX9)hmRMO
zOp}pFKP|w3<o9{}bXhlBF6&V0JU8pE1KhL2&)~=je)zhn&)^t-3rUY4>F*-x@5y3V
zc%-0Y$}`^@`R@0Wd$w=VK;eVohoo!DBjp~0|N5cq^V>o%WMiuv`lS*Pd99>WqBo_`
zcS1iS^m<u$lv_dU%ds>=hWKByO|(MQLE=Y=-@yB|l2Sj_&T8H&yXnKaBhb#;4OZpp
zC;lT}%-^>-0DV97-1+zr^!o$iAA`O-fIbR+Cv;_ir4Bq&-!ss=q5IoU=*2b6_n}|J
zXZMkIE309C3>`52tA(m(`d5Si$^S-Urv_yG)jcPAMS<#IxZ09ht=lAtzyB%Lb3MD3
z>F4Tv@LJ}xwK+zN;~QKc%d%^-X;cNzW5VxH%GtzcpPz(1+E=LjZCc>I?4-($rAc>$
zbkCY}6Rdkaojnba$hscYwY2wNr<}hO0(QlJo=N$|jL&-}bH-9it*0!^64;^KoK2DB
zBIg14Jqf>NAt*bR>F*LgMEGgK%Oo5<Wpa%%kT1GjM+iSlcy4>2g8mZp5*^ixpEmq*
z>C=}m9|(wF4*dn_ZxRmV@7{-!_sU89TzU(1DQ_-430=yQOCNwP<(J{neWcz8O?<T;
z#K|~0MPinV)VYykgg1RD<$PEYDY-Qgi7`Ozs#$js{T?IU5#n7g@ysLq3+u4Y&`%0Y
z%l#*=Vd{reM)>ZhQ_j~e=8N)QnMVctuTr`X1v<*S41=|?fKzkm1ADIl0jlKE)(540
z$5PIx#V#WE5OZ0UH)L_y>;{?kCtd^ZrIR|jkJMY<*VhEyZ^y-6$@}{x{#l8f85h+$
zZs<SVcV<YS<}dH}oAHm?@)Q2@zCSyF-U59Nbe5UDN8-zS0c!%{4?u5l<5SNVjiA~e
z`ex`a2^ZZy|KYZegdZck@;lT!<c5bY4w(qjey1dS1p6-Gs{JOMf3T7kzE%7_x^B*T
zQbfF&fM!zf7YUe`XvHfd%NQG1$G^)y9iMgi8PYIjqMmL8O1uH$oh9B{6VI#@6Il*8
zQE}pn{Nz1}mEX%BA4Z_hfqsdkH;-z66Mu$F1cjc4zJU0-_F_5%xbXMWqr@+VF8seM
ze2`<{d^G<YK{ChmN^0eg_QUT<`2AW4IqjnMY1F)5-9wXYw|@+36_ML9_%uDo_#=D}
zlaU*z*S5K0Q{(v<@!E-p8({RE@!6~oZD)Yi#~5_GNqtL~F@6%i+r)oZ{1N{;f|`HT
z>U;4uvL_dyHpc!)e@npc5%{5wCV$og%s7c_lkjcUs`iohRvsb#n<YN|K|BrB{?Ly?
zXBk(~<vyIyN1&h1p-cZb1%29a&W}rc-GAg266%rg!Up;y;VK^$E+??`BYewDxYWT~
z#ePDI*28M(>q)2Rvd_?}>CMo)q38N93Fz(6r)bvduke@mZf=G?$wwESgV2TlT|!s(
zNwpXKfpfCAX8Y|De}wptyw3R225I8IK>QzM^Jm|3Podha#?7&D)e#Bfc6||do-!L*
zX5f|bM;fW`Kj-_;EzsMc-yr<WBk_~a_d~zkC4xd9fc^sXujJ4VLf`%Ul*9Io_elI<
z=#M~GcEyAU{RH&m&<}dCHGg?;Y5VhL{%69(J{B%#{DywHj4wI;FthHc^n6*#?t<_~
zLxGyUMBY3T*aJA{6F^rIl=AK+|K0zZuNQ;RcS6tg6AqjB51Tp&h#rqXKTG_pg`o79
zjBx<O_muE4!l(Qo<#c%A;>YR*y(qL|I>>s$uP)$=vTw^}zRh@;Ij0%=QjQbK3}AWo
zLbq^Nen|`b7QB%1y=SUj4cu~^m2FYg$5j1^*G;@4l~Vr^`XKc70QzC*n*-=0(ANjh
zPeE_Wp^H4y&>Ntu{;T9A@~A5kJ0szx2u1h>g-iLW377Ku{VAb0Lznv4d=|U40e(VH
zK;M}|mwvbx`flh~7`f;9(PmwuhLfx^Dtns(^h$RF02bB=f7*ZOzqg^*ORyK-xt+=o
zmz{F9B|35_>Kt1Pex)nXC-`0E`3;$M<h*{-#5*Pel)SbmczxL&_a&db<a6{#?03GN
zd^S&%&v`l-d6e;gjC@|;y}}ntKUeL&uH=!6!oLYA&jK1xIsfH7!$(hIkG*&_0OPv&
zAH412{rZzWvM2E)#DDB(*lB4$#dmqhp%Cv>lLVYDeIpK)oTQYkiE5%GiGT7`%6a>R
ze4(G2d4A5l*6<~hbi;TvCove(&WELZ|DD;V4_@ar_Nqa7*ZJ<88J9)>3Rk1AzslUR
zJrBP~Ndxa6S&)A#N6IDdVLlC?ABr48Tg5@bVK57J4YFVtI{geI%C}gy7-3BLZpoAu
zq3$aj2tODKF`bg-3)1qm@P80~J6~enEqbv+)~(n_+9&Tj<2)VfY|k(>eG5J#YErq<
z|Gl<oz58_;!L{-#EtoS8-BY+PJP=a-QQi-|{<r2npk&G;{d9U0`!&$-Ruuh5+PNJ1
zjF-8mS;!aK&HuiXaBrbr;-F88Xr-N7h`;j{v(A@ePu2d1?1RN~dY@S+lyb;>s$U@e
zTlwrhVwVm>KM5UoPT3dMWl%I7L(<86t*4#M-nW!?9)msy`Zpx1D!=k4^n8aor8m$s
zj>%_rJn|0p(Ote!@~OHNeTPql@G+0bCkp)t^q9~{pE=J<=MjdK(rh0oKK;Z$OZ+*8
zhd>qo4?v&x`;_x3A*gclUJc`?%3=~nlx@!~@vSGxd%Aa$j$z(=L>}_q?nBTY^r*U>
z)6nPep6(JKUGz@g>up2-h0s;I<*d)hIxH)fS$33zq^ufek<?2Zb0|{3B>WG-|9#o~
zv&Y$O*}SBG4Uuk23O~q<6XslICf$mX%HEtZa1Z3Gko+s;s^^Pb<bC9);rAmchk1l9
z?<YURd&|G&5<$sd-dEm!j&lnp|A#}F_nojl>3`o*MEs-)4kpNPBi;V+d*oHl3HtJp
z{0~6y=KbhwW5_w3njVx})nDR6@Ac}RX&2R>L^(LMo+a|7^1iIBn>^k*?KJ$JwbGvd
zYvyyA@p3t{uKhXujNO#-R5v4!g0y~bUyz<q9!90C;xrcJc6dFGh~5pr?@9O_ka|zR
zuP29}dJkVt4jZ$x6mCl1WAHx>f4^L(6IQs6{>J;`{dB2cDf9)<zu>jE8voTj<h=Wm
zoKKz=yl|i_n(#}&?~!oYJ6GU;FHDX<5n(nJz9E>O5}1@*-e3Rhq_nm}tX#AkJvjmW
zB=nzNKqTboAI}(u%zHA`zV7mp{o(K(!TEUpxx5E|_Zzb1Blcb1i~l6_NBOMn6zgJU
zKFi{iXHG-7K=K76YP84bKk28Gq@ClE-aNwh0Q95KT|51toHy{F>*M}#t{Z2jV`^PN
z-oIaSQQA3c+ReYuML#k3uQ^H@`a-@#sjqve{#MEa?d-I)bG>xfj2u<_tM<z511&2#
z`IhjX;jk>o_cT;{mBS(dztfkeopVwy|M;-Kz<mP;BZT%0r9TW3|HxZ;KR2Ise^CA`
z?(e=r<xX&pm0`<l|Fez6*sBf&=k$k_0sTSrF)ihR|D*st$>`%!S>IS*vO64}5<Kto
z^f9^~eJD$3oolKhpBVI-S*9MU-roM#7Bqupm!(o|2II^{dMTg$&cP$3tCNL+jQn%X
zCn!IUm;8jop9|JwB~alvCj9svgN$A&d1l5B+4{^iPfO(dYS#FnR89Pe>O0V1e)r%N
zK5PBY_!BZw4n3GXP|L*$y^yDt6C@SC3y=Q~pQG^EnQdn>^~~s*DDCrT85A^`7}`1J
ztSRF!n^OS+Q8^$Upq9ETD*N|N^5=IL-mFTb|A@Rwp+5^<elPAd<d6OrhTj=1f93K>
zJ_-1p<#!zX`KbCsx8|jtOA05*$6x;@M)-hLSk9qb6`VcC#*(2R0g#!tLxmgg=dMd<
z-S<}YhkgWl{PnDhQ2%!Y7eGx>RsG@j0>3xmuYW0J*bDt6^n0a1^bh>mq~D)CNO;YS
zX}#Vjad<@khM~7Zzf72`{xRYFG#r|qtubhzuu<o83Nbb{%hS$DA!PblW}M5&UtXNX
zJD&p7i5De9=jMo~m+Y95i<zLS`jgKQ@_D1=W1ezwFZ83(TXXGVW%y=9Dnkc$Q8SYG
zhly`RdC$M_$g-oM&?8=at>0xtIYs>4#6M>E@4;`YRO%vpGyOn*Z)DD@v|eu#-aL|D
z8T3l%M}*+duSVViVTxx)HmRrlUdd77t952c!&A+F`Tdg9&_5ys<ouwVEAX!`Eh~8}
zB(Fcuvfr8V4UxWKby~kCM|kjv9vqYWpjTYOmrVO*>_=vuI(*qRz7`^`Uk{4kh5hFD
zF;2q9$LIgL9wf=fzBgYF2B6P@{>^+n7|iH_p72P!3={v^cc-1V<i<ye-|!kn-*l1q
zW5hqg?|m#5d#2hEe`QY?FE_kC!#^W$`5l;N-<z!uBJV2b$DwbQe34=BzOlUW^r!j$
zg?4wf{|}$j_obar!^V9?PvrMzcJKE4!5KYao+0-<4xLX=PLTd2>6Kgz<0^1W@_S!e
z-yfyi{_{#$RZ(Qrf%o96kFu+v=c8qt@sHo1*6Z+o{kLV(tjFwSMcymGRgTi{T1eMG
zI*zgV`wef=;?=wGao1({5^po{t~BxXgj!wmr{r{y@NU8<OSpNYpAB!u{z1RQC4xdf
z0bSzDXZMlMW1E>DL!a*wL7^A6V*jE0?UK+-p+A|!zY2O4^h3~l`K<e~nujSr!kdTP
zk==`<L`{(HEa`Tebbh~7z5j&y66agiY6IXcd)3k)Vi7cfMF~kR<rs$FoIPp1kC16k
z%EA5!&OlCssx=HrcZPILq<cmf<)otsc<Z*eykN|lvV-MY&>zxWUr0Ko2d*C%{+qDZ
z-?S%QN|YAjpXGOTcJo=*fxB5<cKJzoKjG`|Pdj}k9M>x=e30-Xgl{+D90<<}A0~VX
zzth9Aj^fYygBLFSeU$J8gs(8`n3;QU;SpR}W4N`$FXbt2qdWt~Po=!<*L(aVyqxf7
z37@FEQNrguIB|IsgzqGrZ3tCf8rtJ8`ZhrLlZ1;Im-k!>2>l@RqtK=8tPL6ZF!a;V
zD}{c0hJFIN^^lntHfQK#&}TruO5*d{d;#gFg)zoA=;}Tf^~V2T5Mrr{5#8OO7I~Hv
zui@de^IV88+3nw+k*79rQtlSwpXPUy)V;!Rae?G0^dxlaqiN^z0x%p_bRiA!XUc)J
z^TRM-(97Waz{=lO>nml!^AT2@Ct=PP<j=%VKFR+K`Rx99cDY2h#c}2b{GOBiPDghA
zLZd!)K`Q2A9;z<omfy=d&hI}Bid<B=>8g3>L(F<~Q&`@d7vRA*%6rfPR+jbnCH7;8
ze5MShog$M@@VLY48}bauDnA7~&{!mLNW<@0ewWJM4wBFGt<>i){_o`zgWvwgvhxvr
z>WBWw<7ww<Pu|R*^gXYSdGa<Bdx<|p{5hY&-sS7xZ>Y2B&wBnW^%y1o`p>4F-+KC_
z+9fl8&-g`3pXLVZlX5&I|MG3f|MUFLl$1APH`O^(b>GDpT(NN?-xlJx|7F@)$!EE@
zC?NDC^v9t4`>oP{=trQ}O{7N|KRm)^>hN8nNEmF-<EBgu;E^JlJ3#xDB&*5)jO0I*
z_THOo*8SAFf;xW}k=yp~FlvO2clnZ5(pR<f=Zk6Q&y5^{)7J*37da+LzxgTF9RlPi
zhop=c)lC-Zmj{Vob13cH=EbK>zV+}=_y;VbFOqJQbnSng*6X{fz1WU1={S{VvRNkE
z*5>o_BB`JJzTC7gVTZHpml@w_hfq4uO}CPyZ<Y<_r_;^?qjwL<dB_LDE9D$3>xTO#
zsRODw`vsw&;~?g|=xkY0crK#Lko7!@V`6{r_a-&fy~eHVxcvUzvwxG;>+0C&J^bDT
zs}S|>MjWM5<M<ikRsL<-`J@oMcw5|UJvJC+K}L_%B9F2=(HG)>En6ObeW5BRas;Bs
zRnhkt>Fp!@-kaoSo(R|v{Veo1c<q`w4<m2DF^y8Ie!z)xqT76S$(oVK`xtzVeg*%{
z@G<M1!Tr1`^nv`|fm5}jh?i$B2pTii<dLzUBA4pB&@X<U?;pJK;|H4c&(K4<{6t++
z6#ArB8MnctzxR{=EWhX1nQfmk^R{~5y_lNtBhuY-3P`~j?&eEK{+^_?pyYFkd@Oz!
z@LJEVWY!7PI<~SaW<9t@-Y6HqjPtjD6_~%Ck4b-vCeXj5X~z+H&|aRuRVlw4A+5=D
zo7;D0ZiZ+gMUrkW>GuCUzoY1-W0g#wkLPZpq*LlhxiaJK0n!bV?#XA2-$MWPucv3$
z=goUIYUI*iuK1KjO%R|LH1gkaSYOl<C?MTm#J)A-ur?h_JKy26?qAXeskwd;fVjCU
zip;B#q#x`h{!7IFH&2f;_APTiniKA_kuKs;vowBnLOz@Mfav20eD42NI`<x`+Vl;P
zw@JFxee<6hE2NA(q9?_j=p*T0kV+_d=J+w0@kbdij=={A6h&cKJ;1?H1GBVul6<=P
z9Z7Y6geqkANkjMRQYt-Z^*-ZLO1dG^&Ea<@Kj4l3%3ol=O3vJxw;rukuaku<JWRS%
zq}$E!Nj?k@t(R^(UTrTzA!@XU7u&KD%}0r)@+<9<{pYmvWg)0?-e&ajJ}=#^vb~m3
zOSK-;OuEhdUghJSKD+tJ7O5%cYW0E#oq2=YCGaNFlAFqZ5I)cHdzXJmxuqRXkk01!
zF`p~sOQs!j?4juw-JEI*ZpB!B0A1FMuaZx7H~Pl!ZgyXKzI=?|%YNwh0}L2Ch{Dj+
z0SY5omBRWU`RwO+GpUx_pS<6}>xU%2gL;ziLDPTy`(2rR3{&6Dp&#bgOZ9}{Q`k$?
zx@Nu^(A{0_6GiT(5d5B}Evl1|cgBuq?CY|U{h{znlLAYi{7mV`2jF-7ZRea@WL!{s
zXY^;cUf<L!F06Pfd!Uupy<a7EQGVa`_!Z}z4W2xdz0a)UDZkgVi)^I@D1h8-2@Lq(
z*~KX3O7!6G&phXRf1>eDy?4my%khHn8-x9EwVxpRHw?cy{Ql{)llU^B+zr3(@ZScj
zA1}O9HwyDdR+-64K4mQQ?C1AX*SsMspPc?=@?qch;oywwig*cDzDP0PWF+~>@9N&q
z@2oyrsPi#?wSRxAGK906wLDBa<*pbv7KQ(wj55*4!u31Ej-DZ(qt)k}cY5{-|5T5+
zU-Jwby;9y1rnQSRl%y+9GM~TYoKs}V=U+dR)lSylZALCMmj1+WbvuQ~5LO~h=F0p}
z!sigb7kl~Z<g+o0Pv$=9FnsRk_hsex0j2!|<kb}VxL**SwaNS>1f&(`k=H3$m$Be;
zoZqYc`D?d-M4WmCu?6|w7`e=m=Fgw7(UYUBp9O}<t1$utR!%^lXjaJnATD(vE2^l*
zo8o&I?`}J%--AIb%KX6&J**G!EtUHw;)v-FjFVnJjF9g5?fl-Yv48&gpt~L#E~ADS
zjYR5bX*V4_XKPixy*DeK9&n~pM)_UmXE&YGzf&rO<`Mca=$kj6)B9(Ns{8Gz#D}i-
zeS++RvV*4IHif>6c=GK$2Od92Kz@6Qb<pR6B0HE*Z8_&0pA13evs~7Hg6zZ6lJ3wC
zV3%WT5Qkp2P~*t~_%&TR?i}&#B>mIyi^};8_5P};{(YXN@IB!ment*rcjfo1H@Ba2
z-g}8#z6sYs*yj(0A1@3np>p(Nu&COJJ>++p-{g%i89y=OcPqJaAF3^o8Iz(%3CNeX
zZ(Nn%(QfEJ=RD+%tC?{uGp?I_Sh0{r-2lm|az`ll82s+v%kMdxd654-b?B)%7b0_J
z^_z>8IlnZi8eHUAwTtzE5Au7`0rk&27s7ZTFVhVum#S$M{Px0c#%1G9gDF?`?@M-v
zZw&d&DDmZybn-jmQ|>?K)O!A~nKyM~9K;OMNioB+E$=y(;@Y1fo&Di+zTW|K)2Smz
zUP{SF>MOrbe)NHJ&J*4^o0&i6)%R#YQ($eCccb~q@0@qPW!!o3VwmUj%N+e_lyfIv
zzc@&IQaa7=82p@T$DQ%ZAY}Lj^*^q4gu*|(?EL(uznl5O{&UWA*SP$0>g%@~?8F5u
zDA1v`BA3A;20!bo{C>O{Z<SqT-CHlX=#DS#GC;f+hR-=yNPFsa_%qBExjFc_0`}<m
zB9q8kHE$l4_+LNg%n-huk-}hiJX11dqguhgoAbZynJ*PsQnZY}MAGB$8PXm7#<~Be
zy>kzbq$=}&%|(#mGT}Z5LL+yO(7DVoBNr>vNoK;#WZEP%44_mx-Ib)7PIuFnnaqG|
zP((zKEFhq;7==X;k*F&I-Xb^gN@NicWH;VMfmNa_2&>}0m+#xD>U8gKpM9R+f7AnW
zx<2)u_ndmqIq!MTsp|CKY5N!Unj2SQfAKGC*}rVq$Ia9<7W>`PDfs>^>EY_WalB!H
zH!Sdm1>Ug08y0xO0&iI04GX+sfj2Dhf49KII#)7}AvH}L>hodgUV7?`?d!@X-lF2;
zwg+R9@{)*;hJEN|2s#dxe`(!_^esr2;X3cP^I_LteqFcSZ(Qgyc6bTM$M~CFNqNhI
zkEw+&{p&bO<X>86U{N5OB*d11ABfZv-r|s>LF;F0iOW$CuQT}AT@!~NHSqE3p01?E
zCvk4|UMp7}XAh)S{_B6&`-wyT?>IMm&f@&ZC8{6U|Gy{4!~WF;-HUd86zNk)cOiWR
z>2CXJeGfu<EYcN7JCSZiI*4=|(#w!ukMwq=_ac21=~GB|A$<kuZu_Hrq{kv%fwU9p
zW~75iw;{a@>Geo&M|v;PN0B~-bQjWBknVN>%13%E(iKQMk#0shh;$p$%aC4=^me58
zB7GF;Q%H9qeFf=m2cmqW$0A*Uv=ixOq)ydQY~dX$$2o9B(`884#A5G=9KUIxoGq0j
zt&J-iTTgB-%URPuG_^KHTN_(WQ0_R5#T_H1!~mtGf~LdvDV;6(g}l?4&6WJdw$)uH
zml8ub8_Jd&2g>P8>g06FY2>rvL~+<@Ozp^$K21vny|T?O6w|qE=)|LI1wWJE4EU7K
zl$^$NHckJQ{89RMkWT1YE|n-HoJN1x8!RM7d~Y~KdF@Pdc!@$Gu|sp%=L?b~M%oi2
z=_D1MBZc%&qm-f=2Z}|fF_{|~@w25W!~P#n*-y&03i7X9=*p*+a8Twaak=7;?ffYE
zz`n`+S>HmJ&gk6$fQX#U{j+%PqkL+je}nl;3tizQ<mY{*;8C5Qd(kW8%dC9!-!}pr
zkId%J&2O5{Zu-E!+wxB>bm@%!yd=&vGP3_?J6V47vzv*rZ@2t5UyMW0<_8jy!~CzE
z)2sRp`)12;{`g5uFtqg~ht=QYEZs_1+1J~-`TIB~q<+orRM#Kap)Ey+ZEE>#ewjr6
zwGg!OtMC8Ps{A%zy^8!czj1z^!>jXulo;E@=2x5F$Mz*iht1o1rggQ?oPL=859Xi1
zJTZa%Q<aHVb2Vt<SbAMm{(ktaeoWx2?+z=ld{E<jqAI_|Bey-M`D|V``Re{Vf&6Cw
zDa12V$baiS;T{t)MM&?c%AYE9$dyz<TkKc+hci@{e{WU(wU=rBwU=rBORWP!jkTX?
zouUu>(Eny7i@zH7(H5<iuRi}i<y{)cZ}Hi(|7HHCDKA^d%8wwvi2N_}KSz1Frk3C0
zljD(p8s@kDY4x{$u&b*4SC<YFp}1|S<}i7I^pBle`XaGl{T;-IPJ`y34LAS1{C}#-
zKfAA%KfAByKi&#PYULXKFZ#gD?mx1h=3lm-<{x{TNopDipE`f1bFN~vid+7Zs<_>b
zr94cn?4W22<-gekak1)D%C@l+%s>4Wt^XEw&~&_&{@;T#+x?sW=J8pp{Npdw{I{RU
zx#y1R^5?G1|Fno|w{oF7@4_PTwl+@&FD{~**!&mfi=7)6x<MqL7ttzZYN0Eiga0g|
z9&PhbnD6e`{1WDGc5L1V^F17!55jy&WnB{HdsfzGVZN7RemTtdcFf;~`976(U6?O*
z%s+;CgJXU#%=dN7pN08;m33m6@9&uZ3G)LS^DAL~pkw|b%nzdRuj44p52gibExydL
zaT}ID#If-h=GC*Jj={ywA9y&14xWY=I(yUae8q%+9#>BQpLmb*o#1Q0Bj+oZcM6DY
z1E2Mj%R2zXt^v1plxO+Gz5+fqsPghmp4gAU-JQzi**dX5(Ekf~Ccyk<apw{ma9scX
zi&S2ok(2CE;Iki4F3-A&p9Vg4nR0n{P5j;9%MNkrjGni{X<P#CUas=;jG3<A2|j*>
z^6$|(ACH6gU#VQ46%+rh@k3n}bL5#XrMpu(T>p2T>@s%b*)65V5a;`i;C>OVIA;>C
z)s9@>TD({E%<rH5#JSvtbuJfMIm+N}6~7$3dLQN%(SL{&#k>GBICl%5KVF`M9^2Qk
zf@eg2{<!0Zs<rNGuSIH~iCt>v{7Thy2)O%*@|B3w_-|>mJ;$C=9>IoDjCd{mamY6u
z(JqQ@J|CzfKU{|wp~pE=_1HZ4A@G?<SpN-m^n4QX{m^6kU3b)x|9l<(<vRQub@+Gd
z@aa1I={o$E#JRskZg<6=2>+dhi<L*g%|6EwuhlM5;xaD$_E5W=VLYLnGRv{f`1#;e
z4?fN@eqNXlfsdW5ykDdp=Y8Na;4b*}Ccjzb=_cj4)%cb$pETYV<_{Y03G=6ncZ1V8
zAHOob4jlLON8@Y5oHs1lZc}TN_lp+Vj|7iEJ_3FcxC`!rx0#+8^y7ZJjdz6kdB)qq
zJY)QwVg5ejr-3ilg0C{Z5*+t?lkw$Yey8zPa5$!WiP!2^Ux$4E-W^(CM3e6r{~h#z
z&ltZd%wIPCgD~fCpY7j&cbFe(d?d_I26w@2yqrqBR{hVc!`IZ|8|(0MiE}+)YgRj;
zd7UiyE8sA{a|!rg!56F9oNManzlAvaf&3|LB6%z1zfwp3(K`Icb@;P&_^*j`xl>!U
zT#j$}SVWskwd}b^9exOL@naXO9(#^p?d9~S-E3XeR7cOMI($tXz5(UBU(|BtZ&y<N
z-%WghbBNQA`Pa%#fKRjx%6*cM9KP|lg?ZZe;oxY<5#w(O^9zk16y{~)sE_&K9mY=y
z%fHw7Nnw78@#Dh$gT{{v^ACf&DA)So4a94;?}W%Nbtd|>y<9bqa}Rg~d<^^>b@Y6j
zIQNI?$FyB8fc%fa-R~&B5S;%One;>Ot5MP4fyaNS@;5;KZ{Q6-Q7(UTkFGV)LRHFr
zQTaC^e>m}4_j`05eiHOd@sAqNF(dyv&Y8s754fAd_E}d)PY?7&&kyVIp=Yd0Poa*U
zQPVS|dhBm^Tn-)|R{k#3^HboH;9J4J3LZ(T{3`G#!27|E0)K%x-|zVOdcU+1lVi~y
z%H!a?Pr%1v;8Ae%1Ixi1zz<S!ryG3sJ*wZHM-G8cgWJBt82C8&5zzB-@I1KH=ZoO+
zDm~u=kAmCE@K@js;8y>?fzQ5M>uL2li1wS=KGWc4pHsjm!R@}*f{$0pC&2UI_P0iM
z8i(C%Tk=|P7xLC#p96QmkA!_50iQZg>wgURzk!c|o1Q;|$H8q~*+3I6-)|J$?0f>a
zQ>CB3q|NeE=W4m8|2*(9@S{<m61WTgHt?&!8^Fyzw}Vfjy$*o<H^FDm(Q?iHPlHc`
z+w<l>m>zIz$0f9&kp2&Db~p+=U#0(a@Hn{jpH1LVaO-bba0lG%^C9r5En0uG!vyhK
ze(X--;y)*JTt5ptJP1DVDdqB=b-MN<`1GfhuUw=VZ2UGPv|O{pLV9t4?T`mI`yUD(
z2e<y&3LdSJ-$1-p{m&-O^>^;n`uqy@FN4p5%Xh))+CQ57T`Di%?I!+N@W|(s%XhDd
zKW2LFRxaPECeGj4;d1-Gp!}qT1nF2zoAb=azocBgvrPO%<6l-T-$^Fk4nA|Qa^6qj
zV-P%YpYrc2cHRd*3ohU7rE52VPd}jYlaRj;eC(^r<vX}^?Q!t_-zt~y%o6_-c>D$B
z@|{@X2h&y&-`5QP*bN<5%fD2A@ci$Te+9e%9{s&?`OYd`yWaG?6xQ>w>6umjIOg$R
z6R*|ozlZ$fUNI>#hjRCzjRme}WN+m+!=A^0Pwk^TLh}<JrxEA=*)XX6*5;Q!@Hn{b
z7ma{N!EHQVM!Z%%uO=?_d5e}S-<_m#C&9-KRW9FMB>p&f{}IaNJBY+*!K240m+uS`
z-<>KZ{jFKKe8-RY$>7mbmCJYXh;K6amCEHicf>CSpEzB)e20!WKi6aZQ?7FPP8{)v
zh>L$qtKDo||BQGoJNz1Y`g>K6{3bH#SwtCG&+G-N$Lx6+@mhM0fqcB6^5!?{?bn?t
z^7}fEE$pPy=8pBk=kMdOM6GhSki6sUH*dc>EqdnfOBWz-&*wNdA0HHX@{U#e(l-&`
zkL=ukqbqX9%D;|t7kK<cjY}==x)*%nLAB>X$Uh1my<Er9p1AO$$?vav1|a{M>Az6r
z%isr)VYxn$@47;0xXE!W@qMYi)?*!wVd|`a{CM6Kxuqy~J^0u@TJG(t#@Pby?ycq8
zxVyl3L3teV9{`_zK=n6+e++!eSAGuogm9b$lCMEN-=TJs?_SdNAJ&ndfqZ|~6)hIO
z&4N4E>3yAyG8RxE!FF?ZDyQ&3j-}w^cPp3QexNHyfJdKmMb7MSis>mSUkrPm0iJ(G
zx%HDS;i4k+&-teR*|7XDc>fQS??SFi!QHafQ+|7ou3cM4|6P!G##E2RMfZWvV*O?D
z-nYOf{#Er~f^we#pDHPbdv=}yj|{5*lOX?V@R|3h{Nr!Z3$F-=P$1cpD#q<Hy_d?X
z_n`L{!5a$7|AagzgO5!sPl2xx9#D*r>mWb-UhTJsF3<}Z@bOt!0CgKVM!}swxN=VJ
zQI5;Or!IHpyj8JtBlryZ6`jiQS^5yc=V0<E@qK9@!=7hV><K;5U+8_w-}0u6yTHfp
zQhp@r|C;EZ|GaE5byT+J)F)Kl`uP&@armnYDzzW@jIZ|jH2B-V^U!1VInngosPa+B
zcbcASwOosnH=BH)j%)eOFy+aEPp?pU`R#S$mw-DLDM$Blt_6>O8GMlz{Auv9l-8$z
zf$}d2*U!O!zYX~){O4&4_3HEBlT~(m34G>jT7UUYA7`Pdg6%x>uqz74UCXfyJbIZc
z=eH<!jsx%KA7P|J{suRtEhhgd<+KeV$LZix2kU)NHRRX;K6Z@CTe;_gkAG0*<!{qb
zj_u&HUvnkD{_8lGfk*#EiOu`>2p7@NKMz9QLH{(r`a|%B&uV?l&p!vAZ_)Z(4Q<bZ
zM?SCR9*K6`gB-ZsOR(U>gi}!e4=Qi=KLvdH-;_UucI*J3=+OGeZ;+G1^T20d&z&eF
zB^)P#WLq761@uh8Zy$*~H-Sf<c7<HKKrh@zd|!SW8vAuN-XDOx^P<XsNyVKXgHNT^
zZsa!Q_&Ip=6y=`--vu5){4fUoXW=*rBufr~f4JTi`UI{W2tI>;ct7|N;O=L%T=|<|
zbgc<|I<I^T^4;L$=et6F1KvxV<C8m1Qx9+Pi4XY+^dIwAJHZ>CRXvA8&y~=#?6`Iz
zrsw03pZcQ8=VAXxA^$m)yAXPQ0{QV_?I-U6e;&O50==&y_+P=t;Qy^YdsAR6^B2bZ
z5|n!|xO<%HzYcm%0*_b4C#%4nlT>~O<YVAt_q#%DU7RvKh!bc#OOE$~&z|ebxq2;H
z-w|i~-`o<m|DBMJJf`vwp#G15PmU<JvH3Ib{5G{uSxRx7*TAP=Qu*D$m(WDO_UYfO
z_a(mtPuC6xkBq7OU64N>d;)eRv&(U+$^X)o^Crbk7x>s|s^8+<EyNpW+%2>HdB}T^
z&*S;XS>Rdl@#j>}JHU5>_kY_J@(u8t!N(APUIl)K=|P+<e~Xr`O@TX@UwR?`ZSeSQ
zu8<4Ce*&KWm2#VBp9dfFl=E{kKK=;aaJ#n4C5oNJw86#ppNQ#wy}m#%ECrv%xO+R~
zj}(rRK(ZY2<2SlOKL$N9)Bkhj??j$;;PEdg9|F&T&wN?=yTNY&&#%^cJ_LTBaGV5^
z$00wxMdhDbs26`(NB&jFM=)M!J4KEIDF7Dxd|LIK0)7N|{}rwflRp`J?4ML#y%7D~
zVep2Jsr(txvliTiKiMC=4?KR0wwL^EOuDw+^q_zCLH-i(@!xB?@*5>|?JDq@54j?F
z4dkyi{TRPnz;6NX|D@`96ZqXGzexGF(XZ|UpS)S?DSrc$@;o7Y{`+Z9o1Sr%m%rUg
z^8W!o=Bs|&*LqzzDiKKbBL~avGWJuIxAAy5xPx{y|NnMyx2nBXfakB$`dIwGMR=e<
zd@MmevbUD|o&|d0gW&yJabJ+X0eq@z9DNo%|FA2POCWzg_{>4-ndNVO(Y5b_Pn@j!
z&EGy{`kS;q$3o9<h2tcU{1x)EkRM0=m(YV1wr9g3s%P0k&2%t$gntB_jz-1KvBGf@
zNKS{m`_Hb>VO)!YPl9K`2f-WQpF6>e;8P!Uh5QBlO7JM=@hic<0G_`^>%R{CYv9wj
zxk6Il)8G?-Q~oY=l;?~euX;{|{PW=M%W4Pt8+UZ=FW}Qy|5|*qTZHX7|2R}Qt!FQG
z<>GO$e<S$BCzbz5t~yQ(Jbr@K=Th+Vz#HIa^5BEQaS})_5l;Kt*Qg$HcXC_@9<3S|
zp9GJ?54>5$ojZi%B#?YnINjI%s$YJ~k*<FSeEd3>&K##l{&k$EBHG_3uUC6s2|K)K
ze23~W|MoI?^pCE?$6pso;_P!I^jxEQ<ZnCErQ^USo^eI+7!`L`f%iYF+{Q~g_&DO~
z-5{R;cTk_tf?ohWjecVD@=oyh4^{u?7ifm-z-P}>UVxrkz#E3!glq%<7vmY_yMsRj
zKK)@=NDKIr;F0$$|K0+<Fatg|tGq$6vkN?4)$X&xArwd!zfJ8t{vT~ZUtORV4+Nh~
zD}Nq&P5^hW&~`Z#^6SCl&$%L520u?YG6#|z<fl+iYnPqi;~TWxgBEJ0ag&FAY+n8}
zc>m)nZ|!~;c*6n8<!{rIs&APd>|@B^;3ocz@IVFe@g>MlUgHY+G4AVi@R>p72Z1j=
zO6@uJ87<ew*IU6OCn~4xa-0Z0js9%w{WHP)x33ntvmn34^grwhF~5`scaBm0r$PQ=
z@bRaW{|5YW@aU-W$G~p^pMt-&`rIiTLV@I)rXTU`GF*EEJib%)TYEhTJ_EmM>z7}G
zk3pWcx#ajy)8DIlzPnKQf}_>W4d_3%UT6T%f6x`dFQ~Y41b8%~{G;HFrssO)w}QVz
zI8Fk|2I8`wI=WrxVqAN-$kTh~@IUSXz2Jj8t=f+A+dXutARL(k$>orDzv2pA2R(P1
z9`t{^->-nrz`r#?*TdlbRq{`md`|V>4*6ezPyJr`*T7!}&sVkMB67SOS40rs+MKvI
zakkHmRrWbT<e@Z>oC!UXKhyTT4%g1ABmbT{{6gYf?$LNJdNK68ANr$*s{RD{$HAxX
zc7?13|2(*heb)&1S542?T_NvBKl~y1Ohomc5BcYa^Zw79tM-3pAwPbG%G0)(9B(4W
z#rB-RK97Cx;2`kGfcBqvqTJ)aUCcY{p{E^uGO7BPFVG8{z{jx9@UP$r@YxTzBDf2B
z^58QksGc*xFEaTXRNm&PD}+NRkW4^+{9%>1`~5Qb^v$aOOyrrWqvuJ;&%#e04*8#h
z$FcspAN+UV6E|tOt8l*yk5fB4-&Jn?_5kq7CbhHqpJRygenR#4Q<@>~V&7~z$~_%?
z>^-XA>e(S2LV@HQ$WQH3d7Ed`;1P_Ak04JOd;<OX!{F}+&)=zft_J@n(}Vs@+XZsm
z13vwn+W&6Y=d0i|XDYXT@+0smtb-nco?n7D;5p8hz+X0b%tvnre;qvfH&;joe4pdd
z|1s~F{2|8wtn!DyNi!S;-hj9o*l7lL;oq)>{xgifL+|T5;2Xf>SO>{(0MfOz@kd;d
z?16o*0-vgS-f@%ZubO{92R?~7Z7-Djb>TP(B-4-|tJ)X+6?ntfT#<eTd3HNN?H2#6
z^7k&%3rB(HkJbCN_@N1WBC33U+}9bzBhVR4)<Zt>DOa$??dJ;*O6un#<fp!=@|#ef
zE5O~Vxc#5N$Ie%IxHspHI{Lo``EkU1-$WH2A-?azWzMVk{wJ{Wgy~29%|HAG+_^=|
zZAOM!@JLm^a!zDB&p-ATPV@fz)o)mwxdMFrKGpvcvaT_C?DLp^I1fCsSoK^A`3(3N
z=J8hWG2%Sm+4li$zPsA=T&j99Xy3cQXAyTTg`Nk%`<JP_#Sf2~JobA>ApdVBf1mcB
zt<e8F<9Hrt{_}P43G7dP0($m6N&D?I_TRd}4+U?yN$c}5=wAUoj`?B*<U33c*2@;J
zc7sn`p!GCAb1rxse(xR7GYH=Qg35mqydWGWf#g!iPhotG;@Y*~Gt;h+7s2lV&wpRJ
z`QZn_XYpK{hPfO+1n;kkyMAu+JJddpFI4$IfyW130UuKAEG9=Pam6=cLga6b(x-#L
zr<SOmKSTZ~@aU6jhf`qxQ@|t3l)ni1Gr=ABpDyq&@QDXpAyM#iP5&p9?+JbZ_za$#
zd=dN~gySTTTnqW>TeUuRzqf*qXY{`0H|!|i1K?52%X*dGn=*cw>gj?#e*_-+k@A~R
z_H*F<KUV%M`19cIk;*qi&+De=53We=zCbf9Ia%8!iuZ+l=y?mc)1Won9|OA;eD*@s
zZ*f%2^jxRh`c<EBC=DdTknjJ9>bLiit^}W6u6nFL+y*{_{i3bVbq{g&KmGV#%<16Y
zfc$t?_3-x+`FIN4#kzZgV&`|@arA#WmE#rgnUAWTPeaerM)-}buE?FI;?CjVF6y}i
z{8;drpR4?7;H$v%RrBl`@F}#r_2-S?{a;o+CFn_lH(aCROa7KHUAqK){A8`aJ!iiH
zJo1q0IemdDx(j?ZrSjIF?*|`4`_7`=M~FAj`y>;sgCLrG7xLqS+P=1)dJ;T}eWyK;
z>)*jAA9aP?4Zhnc=$|(#C-)-90pLzT^}hx6KLmW{ER~1269IRBqTKpt)Z|}Mz8f;E
z25*4hI~u&t<VRHA=Hh<v{$DD$=PASBlMkyse~Nl;1E0b;IuiP?5{{EV^3RZW;jc{o
zesBlxWoha3ezM7<e|`kIo(7LB(fa%j_1PsnP#`|O2KlkWRo?pBo5+!}KcD`D@*hC{
zEyCyPi9+6aQRSy0ayoebY0Ax?^ca8G70Cw3d*G4xs{GgY)eBp}8-AejZ-)GP!DmL5
z-?>mPjDtrJe`X+mGkE?E)t?5x1AO)&<rcr)3qC!j`nwirhR47on8$5?e-eBO&sh?X
zpE3TT>iG-m`675jQOhks{#Edag38|jz9$7v+%6L@D1Vn$$2k<-!8&3i_;Qo~mCEmj
zay!9iAJlSRgM1(O<o8v6J$M;>{5<9QFa7?Ca0msGyCLr$sQP!}+7xm2C)Ll*zYqBd
z>@V#P`CowdV_e&O{YUVz3tW-B2=a@X)jm@{)pCol+fw7GPY>*HB)Gdq^-RG39}7N%
zeNl^t&jfFHLiJyTay!At{#|(i`Zt5my2`hqK10HhIgnfe`TV=JJ{RKJM@;`V)zbkz
z9|!OM<Z6-J4F1(R`k#dSB;x-V7PPy-XRp(8-->d75ANQp{AKVxTi_q!${)l19s}O+
zRpozz{Hfsmduu%}f_$%W%wH77%i)1f;d#@m;1_~Vg6{?X0dObl3fT;Pz45Ab*6rZa
z&03#-g#0A<EaH6XW^z0LK9+Xn{I80gAApZvr0sGA_zd{W?J95k2CslmU9J2D*kL#7
zU_7qJtKx)Z!l5*foDBK=kd}J`uAN#(z8mth*f+4a<s9&+r*`-j`i~Djj(Pl#;1`2C
zM`*dHfnNqbhJC8DQJ-<}sf$&=ty{lDoa4HQs`rH+hWzwjRR5*W^Q6fm4qOcWbI4DA
zT;;pLUjXla(iQS7?EEtL%+1OVL;aU5SNl8D%Ku$*InI&b@d?%c6Y#f#&)lH$OTkYA
zpFq1?|LHRhdFlpoc;Hj_sQyvZbEnCdlv{g!fH?2>HdO8R-U#{0jVixuf$F~<Jn{=y
zz{`rA&x5-$mG1$6%=Db0+}34JfzKk2`Y7a|10TQ06|xHDz69QXo9a0fes#eLwX=(T
zY#Vp`g3n&1dLD)T6TzbxzbWw3!N*}Aiw9!h&fiqe$&lYfJc7@`Bn|nQOI^X2<Ki~(
zezYUqjvOBZpPF^$-1tA5o;#FZB3J3_Y2ePV@(W>~uN%Kj`B{+vSMdBI9WS?n|IFmE
zj{YY2Z@?$8-uyiHE5>h9`@aPKI=K6!E5!DN_BmDCCB9AhhtUs@0&jqS*bjP60iQ&F
zu<>{X_!Q#m10f#=pZ<~Re+2w|)AJkUzeKqOa0l_N#aCm(kvWij%=BQsJ`vX@!Kb&Y
z9X#-dz$cDYz8U;G#;fZ8Gw><Q<Htb$1@QPP)$=^~f0-WacO7zoUf6x5+Bv#Z<$r^5
zu?*bBKH+De=ScAJk7|GT(gMBE0v@?l_1p&eGmK-us2%()@QHV+y!nSd@cb37NS*+B
z58VB<^7~Ql1>g->|Gpjaqu?`$t51OZW#AKtm-d1D)utz>`i};`349jsGkgjB3&s%_
zk$L5K0DSUudSB0ge@{400?BibZ@5V1M{(^x!Sf$eei-`U?yI=H<{yU&r}xLu|E>PV
z8J}<^(+$YFk~r@hSI52WkdMBi@}Gm<;=++RkZgr~9`?6=lI`H`#ajOv<oN*jG@duz
z2YwxR1nZ;Sz&~a3Bd!o@uY15JN3|c?y#FomD4wU-eD{6gJii}yoc2I;bLVNuPi0j9
zl_>Wm<6lsI0eAxqe2$BzeyV&8_*;py{s!n@3?3yO!RKId7WB;C?h1YZcD?|7`ZcxN
z-@psde?XP~G03}5sl3foSAyq1q57lHa|`(RxysLx(jDh+@Ua%vvl{*Fe(?B5RQ?+9
zpMXz1q5J~qf6@3+s^>N6f7$e)y=)%bhc>3zo(+$yd?(}&CeHSZR6W-|0rKOYQF-&{
zr-4s`UkyE-#?Mpvqfq}Ia0h-V0(lSIHNOEq4BqgJE96-4GWhg5<u9Y*uQU!nb|K_%
z2cP+l$}a<d7<?S@|C!)Vf=^b(;lBZ&K>U0J<Y&R%XZ3!60{&O<nX-<TOTiDN4NSIw
z|6M8{0e?IA)SfCox<D_iCC=?~b5-1XHsr^jbw$wZGXOq~?{$tq|0s9_@w}~@J_J5l
z6-QlT`ft#B9*lOp8GH(U&*HATnA4a38@?5j5|^R=Uxs}22U^d4QJ=@bBj}&B-66*=
za2NHo{`p7Y^Z)MUtB~*igw}Hj^!y!s67$Xr;7iXy|9_v_`KNG9t>EL2svZ~jyBd7*
zVOKOXLeIOvCwi6d+D$KHg+nNiydUyoxL<3pkAqL2r+N-Up4-4@mTEl@0>2l$0r8v7
z*FOM{d|36+GDnW*gySTTyaf62@4G?|#kB=A5V(Ij3)K$YXve+4<L9fqwb%Z_kvWjO
z9r6<xkB8veso*nspJxnwE%;QUmOBX^ucLpMIDgOa_^Nf##dYLwfd1KAT+#d{=y!_A
zL^kUe8k5eB#7M@=CkjQs;1x@WjPDiGBY8@;`a6oDs|9}~w=H-%bd@!FrF1FdZ`MC=
z@1@cOKUqpsmTY-sz%SGgPYij(iEJw4&%ZX1$tAaXq&1T$cmoALu{B&9DKDQ%q_YqT
zt4M@v>Ur^=j=sKgyv|MCvA(X2-JaLj+Pu6qoJnqh>QpYILl+9UOvX!RQ~Y=FgZ3(C
z16LZ!h^5Askiei{N)CIeT(Zo6Q=e6&lZjF;Yzh?`%;dIvNh*kKmZO_0k-8ens^$D_
zs)ke|n;foLOwg<~@`-jex>MU`%`MJIVyj=sjZo)F7D~lZd2o<Edfr*F9&deDZ=dHm
zDZk(krHk}y30`T$OJ;Iezv$FJ9@)kl%H#$T881b4DSC<Ws6#(NKpn8;ry5tRq8+rF
zLLUDZg8sCDN2V?8aP-FzQst469h4<-MrKc!LZXRe(k~WMelbZE-`Y-Tyx<r8Qjt%#
z@p*50DBI3Iv#_;ebl6YO{j~deGPR#g?pRMZR&)}6k%!2TpCujZI?h?s(e1@HcK7x*
zHmz)Gbp|p!**=LvDxDq7(Z^zm`!fTt==&*eBw<Vj4eN4}KG~CGW4&kh#nv{ibdu==
zYssa2P6|8nC03Oz6})mOoncWw!^ZbV{XscHWeN5ArM8|8O-<|kLe|glJ#9{8%D(o}
zCZ{b!<110}t7JCN7%%Klp=O6&fL|hIJE^^?ZT#Xou4SUdE9JMQJ+7`ZT8stGlKIua
zGpZ>6o&<Ggzm(!z^zxL^$<uFGc;)P1dXx;2P0|pdOIt)0U-t^dgu|LDCz2tXET+8V
zU_vennQKSQLKTxNm5R-sRn*BfwqRAoQe3f=zl}OpuvUU<RdtoeIZ)NMxf50qswsnc
z6>ZfFs3>%4)$&j#XJm=yXzR+xl`W^Pbl6hV7~T9cBv~3b>(32*PAC0r(NC@3!8rY{
zvhQtAmxgoYlGoL{x;rG>P93<A9w^fYs}irsuFZ}3<aD=lKJ>;FQK~>OMHR>ulfwy~
zJID!0x0BS9j~jcv*ruMIj_y9My{pHIxAm=ch{fB&sAuDb&R(x$L!4Z)$fyb(O>6wp
zTKe&nzQjPrkLBn$TeLq$wLFieryO}&D!w>KW2sb1XNS1+m(pA1Uz&o_TumAQ@vin5
zb@CzV)16d8XC^UZ1E4g*GG&?e=5)jhWZbsGP>+9MJVC#%VkO&f3wVFZO#?#z^{C<=
z{a8$f+*}WN0jINf!0F-t`=a!J6aC*z|F<}ublyqlopjzw=j=tqJ*CJ+Is=KKzoL~?
z>IZUcN%9kUJ5BjGCFfLT_dAkLQ^_ToX@}@nV)(3B9`J@UdHFn2&Qv}R6>{6{&RLFz
zWQndfri+CH%~_1L7t$sAF&WBCosN_jhZ9XmymFp?AqKu9Dpx3ENRewB;*(|-Yo0IG
zToFs;(<CM4OAh<w3CpFym3q#dF+1eZ6rVygfcX&@P%()UaAhz}0m}Rgg2Uo9C$Xm1
z6}4x#CK_e6bFAcfs74IYL|YuSFRW^<ccD%h&CPXGHMi7J)!Z7bT}E^3@;Vom*UPcI
zUJe@fHE*zaMZFxS*2_VUX=<u!qUW_WFSJDKn7t)h$A~S>r`A!`+Fb8K9kaKrs8ijR
zQ|ok}mX-C&SXJ*nR@EuIHCm_e=6WV+ZK<bfd7bLEN^n)9Q@5U4$B3<~>fGS+raEoD
zytz(8EvLQQnr*(kb(KR=Tz+nK;*X?D97<|X>t!h%QqN%*Qa*=^b8$Ag3J7D(P!S}(
zn!jezP4zlYQ%jxpYoZYd<>ub3EOm2pi>Yvx6WK&&$4(#BtbL7tT}(WtsZ`fSIJ9b-
ze>F+oy|PvbU#?n$gf9jc2i`EvgjMF#@`DQ@%b&<|bWBs=(A=^wTz3lCIOt}P+82UL
z7E_zfCdtbe{m|meE^=C<GYHmojDKO7rclaV@<+mj&I!@{n&;_<BGCVr$hJTL-CRQ$
z<_ngJITx$KP|a2Pe=a^O6D)sujq)q&OkF!>a=dP_Ziyv6hDsunCbOb>ajCLC3$_HV
zv9AAV;H;?QVwzg&c=jf8N~*i6g7te6s$w0fvb_+#3z3?01@o8DDlq3nOf7GLc;SAd
z3(G*v=UL(YNWQcK8xI;pMYTaf+NwH44RumzxRom%F{DZ=7VIpw9T?3_92U)Mb`9XX
zLSnl&K<jndjH#W!x!I9H&fTWAgiJr3J#8C0ypHa6TI=h=-#&-d+9}6tKc~BGLsyKX
z0#~$Ayfy1Lu5MfJZS3sq?dbFR+E%ac@SIp8ljP{XGgsh6xU-snRI!I*_af=Yqz95-
zvRIbYzZ$$~!%dWW{x-6*l$EAFzSDQQWVH}Wrn_nN6lx<{I*?$VR!AH-I<)G*P5`X{
zSEtGMb;n|Bz18bC#@2bgUGx`qNrKiCvfSX+#HJ$km=aYu8%rlv`&0x+&R%|Nve?9-
zJ1^Jg6-YcMaWgH#c)ifOgLX+q=%zEy>h<S(9emlRJ1u7Oyc8MqlEYhFcg^~))iJNR
zv86G*V<laLc0PQ6PNunWIoC8si}QGSU~Auwyzf*mYgnLfB-O{;bzLc5DV@`{VSO)5
z>GbHTa~-YMJ4rW7Z}3Zr9@^8PpRFWmwk2KN;*j-tEf_AH1Y!v;pEHK{O=w?c#Pdh_
zCo4&+obTJvzE=7x?T-|a<dTvj`FYC9d2A`lI)(dDV8Jqw&L(L0r>huGP*uc;U0M2t
z&61eK>nRRWLDFViL^he<5!TN)NKID}q7P!0&51%f!8>tMR;EZTE%~eKC*Fas_zAi(
zngZu{z~UxZJ;eqSR7<uTH8S@NKPByyPV}X>ZX6us60})jI(_$Y_w~B^Hh6Q}X?+`F
zyqP9TW2#Sz*7xDt;gwt}z0ISPE!-=6x!kz2`{VErePU~IBr!?>ZWmdzJzbDxoHtCH
zQnak%niOc=ohs+G|5hfJAsRA;Tn^K&^(wMAjkWMLBpeQ$jSb?#B3e6iqdeSYB}@gA
z_v5h>s1I-S(RJ=0)osVs=@?a&w2`%{P4@NJe6%myMf+~fNIFY58T8=1Z_Jjd+W1oQ
zP_<|*(^c&-Y|M0)jG0S0)IR=JkCe@gaq4C1!5!RaaoVd*OJ~vUpu5)dx<W^mhkO_R
zifoyDgVmy!c0LnB#0PVF2WfT;w1dq%kX@;wGqRN?yZP<R3w-hsT!BzGrxm%jaj{kr
zokcA~?31QYaa&k3X)^<`mt(iKo@Rd<?nOTD@r$`~fkHWF4LR-k7H9LYLt@uZ3~Q!o
zr;w|<kASO@ElG#RBbVj0cXYOGTHoh&Y+2jU*51+M(L~Y#cix@L#>h{0jQX9$UfnQ9
z6fi=bG^d*vGMd=Ku_<LRQN0qWaGj`pDvd{hQ(ozna$ec`iv?@E776#D%Dh2+lD9zE
zJeBHh>h5~irVg*G-Ra<|sEg{SQE0Dh=#y#H<#+NnBNgqeZR=g@ZD`x#t?%e|V!Ss(
z9XORvNq;KRG}!HLuiY)oLb0~Kjx`&5&f(T3mzqv)^-HUDmN)Oj5ib3PFgYl;3iWYz
z&u}{Ov&CMlt4+pOF2BRu)YrMPl%s!}RyZ_I(NmTktL1r-vw_wvLq0nU>%4RO%XD8n
zk74*pIk`gRY0#YGPgHi_JsvvZZ)C4sHw8C!Z|d!6r{JQG?r11H!fiWS`YzuHCOPy0
zX=J%&YrG=mCm$J{<k<tSO>uCs-p@)Wj?t!kMWgy&c1hgDE4C8V+B%(W9GE0Z<$~|D
zrBa;~JoM!#LK&n8#b*c0*~q8MG{P;+ZiF}Hc&yGh+gjP!5|1v0;I`)93r~CqY6{sD
z-5Hk?90KS)Te{}z$1w$u6z#xfl^iYB<jyzd#c9cXZP0~~^jc?-p4k+uf(jZcteECv
z_Ih+9GED7;0!~aj_?!cq--;@+o}NI6n_i!$r5sI%)E6kC@ik;4i*^=Q%j_<Dw;ZE+
z-YA86r4_B=LCl^gCeImkE?}ecJ<ju*WUwB8B*71+5K;sJl5*1uaR4i=*|CZqSV6n>
zzQkpGvwksFDq!f?@R~nUVi{A3PGt$I{en85bP0bnFEdM5k;bExNxhjb_7%!mem28B
zi@cE<d@g*g%*M0>%iF`ee02g5v9+=;^@2`eF4W5S*{}(@k5cSq^GRFMAJz7TF{nRl
zAF?$_%~*%x)>48Wa}96x1{3MbTp1K;NFdI)K|YOV6&R1@;hLl$n!nVJNdA-kCXF-l
z6XBH}uSs<;T7wO)Y52K;IJDua8HapSQbwzcFlx~aev0ON4z>!F@V&@O53g&Z#{ur#
zT_Cm&4mumNL5AMJB~es5Eb&c@=AIHg&Pe&a{t!P6=1$#_8LW7OzyR7<8ukmD=+T6Y
zA*bBZ%zc+!1>a?`EK%M`!z7a~`qD{gXPtWTAkV+yVb2|dLQr<lRDO}IQ%F{uht!iz
zDvO-nLWWADR|Tl@Tx_q0PDIZG+ho&6ritECp)bex>hNgMSdB(&qDVJE>#I;#fDt!}
zTkhaVNt_TBjCqOuMRGe0UPo>sY<_-XBH^>=CkHS#dMV<e{RHVymC=FjPikqU!^4Vh
zE9fLvCyME$%sb(H0XNHG0h^Tk$(G(sj!Z^6Xe7wmMsiV2!!JD`B#?lY7B}>)3}%9P
zs5;iD+;g}SknMN`XPcT=dK4guTSpsp(G%xU>Mz~p5pMUsbjluQ@hO>$mu2W}QY0b1
zRcd5fZKw#{y))vE6#W`21>Mj?oy9)VHKf=%(^Q;T%`s1If*(<mjXctTwhOmeJTXL5
zq>dDF)$08bCsZb0ib=F%iX8hRerQE=g6tc{DA?v21${@Qso4?Yr3Jbd_MPGK#WXT#
zWG-a8B-5L+WqMv}!}lC|4F(Ot5vWW)vC^n?nsT8)eN_7nPc72&=4HvQykOBqJ!$UR
zh>4Up6SxT~YXh{Cd0I+YyR3n6=RGvb6jBa_pp;JryG+CLrZF1p<eo@|+O`thb`{A<
zZlt(a_kQ&%&S;I#bEK~Kd0j+T(R;)ISdq@<&00*vy@{v1fn-efGk8Q+IYf#ay|(pT
zYr1upga-{-iQEgXL$G1SI~t_|O_Sk<8LAHNssaPllZKpBQw&djR6=~c1-1aYZf-QX
zBQmHi-MWgjqD!Z!_oT{6YC8&n)FPPowGnAS;5%G@dS=_l&#dJ>sIs!rL~|KAuMv91
zC|ql9L5}CR1?l-|wrWX1gKgd}Mo(|2*VEhPwYT-PNuW;^T}?AzIe#`kc0D_hrolbp
zbBB<HDXp?3D3VS@+PHgGmZ&08>1Ra^`>4lK^9`nlDl3r<ZR=>&6x-M?J69C5S0+ap
z-#T^5l3#8V4Hg8oB6SV{#WnB;U29-Qi0AU<3{4YMk|TFT?a`OxAV&MSj45sf@)%MT
z-kG9aQOcDwfk*+<15Nv-bTT-WFtbqTLa(537YMfsnXWrmp!FXQQH|2H%hD?{p4F|g
zSfpyq?e=X*6t@P<fpCJ}JDS@q!Qzk>MB=AM>E$Y_`n+}~wKA`0U`;D`>M9bZ>0p;o
zLw4kb0zE&xMdqwdq`0}s(~TsgH;Wct>~n{sK~4sa4b!eDc_mwT$jG2|CcXB7SgNw`
zSs4;E6%7`7tcY27Uc-i7o6OR44JA<oTMdy4&psN2VpA{MwQW!~Y5REmaMVQq7c0Tj
zwx;DCxofNvsy13AwuvS3iGg&6)-$xol5M1JdMBz#FJ5r}sCY~n*#x*ktEs`&3k;V0
z>i&YIHhPOhjFq7@w?MUx7rGyQhpQq{<#hNh5ebfxycVW~Ff}@da%6U?kmn8Y8%^pR
zJjAs;BuY7nkeoqYd(2y-U}T5-by4=;Dl?157`$d{*Y$>sj;gW2U5aZ)UMf}0*^@wR
z?mn%7`0>#azZ~YVJC+Y*N3<t(OL9@c%`|#pO?pseMy)y1lLl!_vKQGSLym_wk0`$D
z+n(u4_2p<;MDq;yhNQgVk*D2f8j6&Q908^l%z+$P)9xj`yUBB~mQC(DQJlYhN^3%T
zX|hDIlo+2Tl_oWPRd8FR0i`Sb;8r57+jJfhw}yc&w`%jZ%&;6^W9=8VgG3g#Esi;5
z^@`RQ?Rh&KD9R+Q!JcfpR0ce+^|_^J>rjSmiM)H*U$Oh(4%W0nde~6FA=r?W{kGzu
z)4}^@G%6A!-MLaH@63vB&N4u)OBSYS5EhmfrqrUemgd)+5D0Te2+ryuD-34Jw8zSA
zM~@x0krS5!io@x_l9%CuLID$xLW|ZY^cOd#JDLdSs82|1mkM)()$USO39_fekNss8
zA2tV9?;LV_)_0|PxC6E{c0R=W(&Q_3qJ0~BUz6T^)7ruuY<8`=%|ppF56`}wE;%?W
z--`q(foDowN^NH*t3k>|uaj-crpe7xKUc4nW4|RWLvO{-pOfS!Y{je&!>@iog-s9X
zL^4I{o`=&zdzIJ$*wE2VF$zC}@_PGvxc)U>Y{Ph{3}Nma@|08Tv7KHcljSw}Sa}(l
zoDM%ak);<YBs*H?koS92G>P}jMfUWNi|6~wo+eGeGy+(2rYLQpj$v*iJJbX94QG0@
z)TcqVmEKcS>v5n!MORG_G{NywAHG~CtIAdyb|csN^qLw!ZkZe0u!{7``AU1}4Ut5V
zHkSEiSPKDZ+|W&ND8f5|9IiU*TJYlQMsnja^te}ZkD*|gJCf`h2FIL@3Z5Rj6CB2o
ztzuic?8QA<A4n8bqurbmwtH&K801nbLy4y)zDZdyV0)KNxz&296LQ6z4YUjy+#v&%
z9vjFbi|{Dp49T?4aJ1Q$NzmI7gA}1vR^gH-S6vnJWO&-Z-Lfi}>?(F-Q)oJARCF^o
z9d9Oao#=5S$7V#}t5{FGRG?X~NPXe#1g%_B4((;o^B&#(nOp4B8@u`_nCB8QGkM^&
zKAPjFU0g4j8St=3XT$ZmAzA6rB4CJoCvC}7(c~%FRP0*0PS&(!7+pBfhpG-q&w^>o
zaH}jaI7>w|P`d$s2YWbG@Wd@p;8b9@6nZ-1)QYC7LO-l+!fnQ#&)=?%isi584bZDJ
z;!t#;4bfnyCs36yU!Vtj+=bc7+$1)>X%3;Ni<^{Zx5NOCMp<KX5h#EcJ*wH}$s(12
zH-Drz(6Hx}YD{Zy-NBgW!aSZ$YCgmkH=g0m4jw9VPl3f@R$Lf1QO$wo6XY=Di4}jP
zpn7{c5O~lO#*s(waDwAD>5lv={Qsg=xHdNHlHH{zbWykD=XLZA290!S2TC9EbD&ER
zhAfQP(mnKOl${zcE4@uL_g1<J&n;m>n`+vRDUk0f7R&TX28U}@Xl0EeJ(>d-dNf5`
zVvRsMTECQqE=}2UF@RRUo{Uy1p<9r1`yk<{nZ_^2h5Q|#aQ~zHvKHlUa8Qp)7plDj
zEiCveA#_FEF$N*!t8#bZ8~MhQY2H`BnyLlwQc*ABhv;>tNqsmJcpHOzAGxj!z0^W4
z!;i?@8d1DVLXl~Hhj_$xdV0qbJ?%_|*MYJJTMRv#&@e`vxjGOTIou*TOUT@!lc+qx
z;sqpk7=0APEmTa{{1beif;*H=XSAO!Z+ui%>G7V8?VDos{6g00v`HiDN2vtsj&-(S
zg%OAiSfSL794_@YTLkLc1%ZurxLF(D9A5S6P^HRNw!H}<Pn^F_rHeu?qJws)5q|5|
zuSDSFtLaN3<~Mnv&9CV58%1Yr^Efj<U5RCQ>z7stJT|Nvd_U?EZEsB6DKANf$h%m7
z)jjf(n!qo~Rsugax7npV=NF|DW1w`5@?wt1W+j57rAH>MUzA}dP0oN`(C6MQ4|Byw
z(<+<#g{?4cjPPx9rQ{`dd!gO#mHI5*0wxig!ep_C4MuE)=s4@*SBtonWQL;xSnu2u
z7~b^=k2CRoL3c}UD&(^Cg)s@hW!h((V3Uxxc<C7mwd35d*KHl!>Y)BYPb8&gvRtRJ
zON}Hx#Wv;O_i0Ln+vg#|J85wJ5~^bPK%0_SA<;Osl`%akqaI5o(c4*66;i|-(psoA
z5mUAS+nF9^QKVe-d-Hx$dM}UQBDX$gr8%8nSCWZJw=m^)U@)04$ocT))wx_|?u{0I
zG+njZ+f|%12{tw<tU%-_&l^&HN+QTX+5Zl=LJ!$VT8bPLn?icNG&U`$J&#_%!Fz91
zX_k|2O5ZoDH`7V?oeS66{lP>z!w+A0AuFp=i&=_n6a+!A2qp&U84@|$Vve3wl8DR*
zysa4Dw3^<Nh?^m)mj<4Q*L(|v>|oC!XfZ=pCEvy4f&8SsR?yqmW^ca9TSx_r?a(_&
zLxF)ynJdqY*fd2_#%(;5OgXVW{xZ-STEOs|bWHhaBL^SimNfve(Lp)`euB(G9)&wu
zFZ`5rEp`)CkB7-5c2nHpXjf{`8Q}K^y;!VkemGO6!NnWHGLvwx=Uv+Nj^5bZHZ5tK
z^P1u;#Q$q_+OdsZ2&RdbvN`(DjfMtqPf{+GAd6HscY^UBd&0Bn>se&++OAi|M;k9F
zNq<#5x<S697wAB=Tp~+jHm^KBrRiLD{AgcF?vQt^+1~Tq4Bn5Ry7OZwyoAShtsBm@
zf*xAXNYF!O4Za{rx64D1hO(A|<vZ1mTr+t?HVi$(s;r@DD#_$!D^ooKtxd&`VEoAh
z?s;X3@Js0y&Kzppxi?DY-O~1SiXKH$1{Brq=-iOZ6lf9<b4cLID`0wgQ1Vxz&N=}I
zzLSMF0Z2EdbeYS-u{}30&m=T?a?6lq>A$d>nO9}`iZi`@o8V{g^wdu`W8_^@3o)t8
z>bDoThZ82pONPhh8plK7!p=?<va(50**?-y!7sQv=uV!OEYXI%H{gYK)>|k*-$@Ve
v_z|AkN&AU+L5@}k>>xSd)u5cWJ;Mdl9v{8)6=w7#sGhH6R{+Pwd(Qt2;i{G&


From c629eb35f1e65a7cef8fbbf12b4844db204edf35 Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 3 Jun 2017 10:15:12 -0700
Subject: [PATCH 202/317] Added 11.3 and 11.4 system calls SetGpuProt and
 SetWifiEnabled.  Also, switched from C99 to C11 to get _Static_assert.

---
 ctrtool/Makefile   | 2 +-
 ctrtool/syscalls.c | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 55bc16b2..8f07f97e 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -5,7 +5,7 @@ OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c))) $(foreach
 # Compiler Settings
 OUTPUT = ctrtool
 CXXFLAGS = -I.
-CFLAGS = -O2 -Wall -Wno-unused-variable  -Wno-unused-result -I. -std=c99
+CFLAGS = -O2 -Wall -Wno-unused-variable  -Wno-unused-result -I. -std=c11
 CC = gcc
 CXX = g++
 SYS := $(shell gcc -dumpmachine)
diff --git a/ctrtool/syscalls.c b/ctrtool/syscalls.c
index edf8e8c4..cd37cf81 100644
--- a/ctrtool/syscalls.c
+++ b/ctrtool/syscalls.c
@@ -95,8 +95,8 @@ static const char *const syscall_list[NUM_SYSCALLS] =
 	"StopDma",                           // 56
 	"GetDmaState",                       // 57
 	"RestartDma",                        // 58
-	NULL,                                // 59
-	NULL,                                // 5A
+	"SetGpuProt",                        // 59
+	"SetWifiEnabled",                    // 5A
 	NULL,                                // 5B
 	NULL,                                // 5C
 	NULL,                                // 5D
@@ -139,7 +139,8 @@ static const char *const syscall_list[NUM_SYSCALLS] =
 
 void syscall_get_name(char *output, size_t size, unsigned int call_num)
 {
-	typedef char StaticAssert[sizeof(syscall_list) / sizeof(syscall_list[0]) == NUM_SYSCALLS ? 1 : -1];
+	_Static_assert(sizeof(syscall_list) / sizeof(syscall_list[0]) == NUM_SYSCALLS,
+		"syscall table length mismatch");
 
 	if (size == 0)
 	{

From 4d5d9582a207eaaec4aa7fd141d5407205ed552d Mon Sep 17 00:00:00 2001
From: Myria <myriachan@gmail.com>
Date: Sat, 3 Jun 2017 10:17:27 -0700
Subject: [PATCH 203/317] Warning fix.  Uninitialized variable shouldn't have
 happened because it'd mean header was corrupt...?

---
 ctrtool/cwav.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ctrtool/cwav.c b/ctrtool/cwav.c
index cf9f59b8..c87ede4e 100644
--- a/ctrtool/cwav.c
+++ b/ctrtool/cwav.c
@@ -814,6 +814,8 @@ int cwav_pcm_setup(cwav_pcmstate* state, cwav_context* ctx, int isloop)
 			startoffset = getle32(ctx->infoheader.loopstart);
 		else if (ctx->infoheader.encoding == CWAV_ENCODING_PCM16)
 			startoffset = getle32(ctx->infoheader.loopstart) * 2;
+		else
+			startoffset = 0;
 	}
 	else
 	{

From 3cca6a7a9330e43e6d70c13710d957df0bff484b Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 5 Jun 2017 11:27:23 +0800
Subject: [PATCH 204/317] [ctrtool] Fix uninitialised variable warning.

---
 ctrtool/cwav.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/cwav.c b/ctrtool/cwav.c
index cf9f59b8..4b644d43 100644
--- a/ctrtool/cwav.c
+++ b/ctrtool/cwav.c
@@ -792,7 +792,7 @@ int cwav_pcm_setup(cwav_pcmstate* state, cwav_context* ctx, int isloop)
 {
 	u32 channelcount = ctx->channelcount;
 	u32 i;
-	u32 startoffset;
+	u32 startoffset = 0;
 
 
 	if (ctx->channel == 0)

From 56ef8b41d18f598afa5cb0c777e4a24a10f899d8 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 5 Jun 2017 11:31:18 +0800
Subject: [PATCH 205/317] [ctrtool] Re-added "--seed" option,
 simplified/corrected common-key selection logic.

---
 ctrtool/cia.c      | 12 +++---
 ctrtool/keyset.cpp | 91 ++++++++++++++++++++++++++++++----------------
 ctrtool/keyset.h   |  7 +++-
 ctrtool/main.c     | 31 +++++++++-------
 ctrtool/settings.c |  7 ++--
 ctrtool/settings.h |  2 +-
 ctrtool/tik.c      | 46 ++++++++---------------
 ctrtool/tik.h      |  6 +--
 8 files changed, 111 insertions(+), 91 deletions(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index 4723c709..cac32601 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -211,14 +211,12 @@ void cia_process(cia_context* ctx, u32 actions)
 
 	tik_process(&ctx->tik, actions);
 	memset(ctx->iv, 0, 16);
-
-	
-
-	if (settings_get_common_keyX(ctx->usersettings))
-		tik_get_titlekey(&ctx->tik, ctx->titlekey);
-	else if(settings_get_title_key(ctx->usersettings))
-		memcpy(ctx->titlekey, settings_get_title_key(ctx->usersettings), 16);
 		
+	if (tik_get_titlekey(&ctx->tik))
+		memcpy(ctx->titlekey, tik_get_titlekey(&ctx->tik), 16);
+	else if (settings_get_title_key(ctx->usersettings))
+		memcpy(ctx->titlekey, settings_get_title_key(ctx->usersettings), 16);
+
 	tmd_set_file(&ctx->tmd, ctx->file);
 	tmd_set_offset(&ctx->tmd, ctx->offsettmd);
 	tmd_set_size(&ctx->tmd, ctx->sizetmd);
diff --git a/ctrtool/keyset.cpp b/ctrtool/keyset.cpp
index dd793003..b4e67633 100644
--- a/ctrtool/keyset.cpp
+++ b/ctrtool/keyset.cpp
@@ -36,8 +36,6 @@ static unsigned char hextobin(char c)
 void keyset_init(keyset* keys, u32 actions)
 {
 	const key128 defaultkeys_retail[] = {
-		// common keyX
-		{{0x61, 0x70, 0x85, 0x71, 0x9b, 0x7c, 0xfb, 0x31, 0x6d, 0xf4, 0xdf, 0x2e, 0x83, 0x62, 0xc6, 0xe2}, 1},
 		// fixed system key - unknown if used/correct?
 		{{0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}, 1},
 		// NCCH 0x2c keyX
@@ -47,11 +45,21 @@ void keyset_init(keyset* keys, u32 actions)
 		// NCCH 0x18 keyX N9.3
 		{{0x82, 0xe9, 0xc9, 0xbe, 0xbf, 0xb8, 0xbd, 0xb8, 0x75, 0xec, 0xc0, 0xa0, 0x7d, 0x47, 0x43, 0x74}, 1},
 		// NCCH 0x1B keyX N9.6
-		{{0x45, 0xad, 0x04, 0x95, 0x39, 0x92, 0xc7, 0xc8, 0x93, 0x72, 0x4a, 0x9a, 0x7b, 0xce, 0x61, 0x82}, 1}
+		{{0x45, 0xad, 0x04, 0x95, 0x39, 0x92, 0xc7, 0xc8, 0x93, 0x72, 0x4a, 0x9a, 0x7b, 0xce, 0x61, 0x82}, 1},
+		// common key index0 (application)
+		{{0x64, 0xC5, 0xFD, 0x55, 0xDD, 0x3A, 0xD9, 0x88, 0x32, 0x5B, 0xAA, 0xEC, 0x52, 0x43, 0xDB, 0x98}, 1},
+		// common key index1 (system)
+		{{0x4A, 0xAA, 0x3D, 0x0E, 0x27, 0xD4, 0xD7, 0x28, 0xD0, 0xB1, 0xB4, 0x33, 0xF0, 0xF9, 0xCB, 0xC8}, 1},
+		// common key index2
+		{{0xFB, 0xB0, 0xEF, 0x8C, 0xDB, 0xB0, 0xD8, 0xE4, 0x53, 0xCD, 0x99, 0x34, 0x43, 0x71, 0x69, 0x7F}, 1},
+		// common key index3
+		{{0x25, 0x95, 0x9B, 0x7A, 0xD0, 0x40, 0x9F, 0x72, 0x68, 0x41, 0x98, 0xBA, 0x2E, 0xCD, 0x7D, 0xC6}, 1},
+		// common key index4
+		{{0x7A, 0xDA, 0x22, 0xCA, 0xFF, 0xC4, 0x76, 0xCC, 0x82, 0x97, 0xA0, 0xC7, 0xCE, 0xEE, 0xEE, 0xBE}, 1},
+		// common key index5
+		{{0xA5, 0x05, 0x1C, 0xA1, 0xB3, 0x7D, 0xCF, 0x3A, 0xFB, 0xCF, 0x8C, 0xC1, 0xED, 0xD9, 0xCE, 0x02}, 1},
 	};
 	const key128 defaultkeys_dev[] = {
-		// common keyX
-		{{0xbd, 0x4f, 0xe7, 0xe7, 0x33, 0xc7, 0x55, 0xfc, 0xe7, 0x54, 0x0e, 0xab, 0xbd, 0x8a, 0xc3, 0x0d}, 1},
 		// fixed system key
 		{{0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}, 1},
 		// NCCH 0x2c keyX
@@ -61,7 +69,19 @@ void keyset_init(keyset* keys, u32 actions)
 		// NCCH 0x18 keyX N9.3
 		{{0x30, 0x4b, 0xf1, 0x46, 0x83, 0x72, 0xee, 0x64, 0x11, 0x5e, 0xbd, 0x40, 0x93, 0xd8, 0x42, 0x76}, 1},
 		// NCCH 0x1B keyX N9.6
-		{{0x6c, 0x8b, 0x29, 0x44, 0xa0, 0x72, 0x60, 0x35, 0xf9, 0x41, 0xdf, 0xc0, 0x18, 0x52, 0x4f, 0xb6}, 1}
+		{{0x6c, 0x8b, 0x29, 0x44, 0xa0, 0x72, 0x60, 0x35, 0xf9, 0x41, 0xdf, 0xc0, 0x18, 0x52, 0x4f, 0xb6}, 1},
+		// common key index0
+		{{0x55, 0xA3, 0xF8, 0x72, 0xBD, 0xC8, 0x0C, 0x55, 0x5A, 0x65, 0x43, 0x81, 0x13, 0x9E, 0x15, 0x3B}, 1},
+		// common key index1
+		{{0x44, 0x34, 0xED, 0x14, 0x82, 0x0C, 0xA1, 0xEB, 0xAB, 0x82, 0xC1, 0x6E, 0x7B, 0xEF, 0x0C, 0x25}, 1},
+		// common key index2
+		{{0xF6, 0x2E, 0x3F, 0x95, 0x8E, 0x28, 0xA2, 0x1F, 0x28, 0x9E, 0xEC, 0x71, 0xA8, 0x66, 0x29, 0xDC}, 1},
+		// common key index3
+		{{0x2B, 0x49, 0xCB, 0x6F, 0x99, 0x98, 0xD9, 0xAD, 0x94, 0xF2, 0xED, 0xE7, 0xB5, 0xDA, 0x3E, 0x27}, 1},
+		// common key index4
+		{{0x75, 0x05, 0x52, 0xBF, 0xAA, 0x1C, 0x04, 0x07, 0x55, 0xC8, 0xD5, 0x9A, 0x55, 0xF9, 0xAD, 0x1F}, 1},
+		// common key index5
+		{{0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63}, 1},
 	};
 
 	memset(keys, 0, sizeof(keyset));
@@ -69,21 +89,23 @@ void keyset_init(keyset* keys, u32 actions)
 	if (actions & PlainFlag)
 		return;
 
-	if (!(actions & DevFlag)) {
-		memcpy(&keys->commonkeyX, &defaultkeys_retail[0], sizeof(key128));
-		memcpy(&keys->ncchfixedsystemkey, &defaultkeys_retail[1], sizeof(key128));
-		memcpy(&keys->ncchkeyX_old, &defaultkeys_retail[2], sizeof(key128));
-		memcpy(&keys->ncchkeyX_seven, &defaultkeys_retail[3], sizeof(key128));
-		memcpy(&keys->ncchkeyX_ninethree, &defaultkeys_retail[4], sizeof(key128));
-		memcpy(&keys->ncchkeyX_ninesix, &defaultkeys_retail[5], sizeof(key128));
-	} else {
-		memcpy(&keys->commonkeyX, &defaultkeys_dev[0], sizeof(key128));
-		memcpy(&keys->ncchfixedsystemkey, &defaultkeys_dev[1], sizeof(key128));
-		memcpy(&keys->ncchkeyX_old, &defaultkeys_dev[2], sizeof(key128));
-		memcpy(&keys->ncchkeyX_seven, &defaultkeys_dev[3], sizeof(key128));
-		memcpy(&keys->ncchkeyX_ninethree, &defaultkeys_dev[4], sizeof(key128));
-		memcpy(&keys->ncchkeyX_ninesix, &defaultkeys_dev[5], sizeof(key128));
+	// select keyset
+	const key128* default_keys = (actions & DevFlag)? defaultkeys_dev : defaultkeys_retail;
+
+	u32 key_index = 0;
+	// set ncch keys
+	memcpy(&keys->ncchfixedsystemkey, &default_keys[key_index++], sizeof(key128));
+	memcpy(&keys->ncchkeyX_old, &default_keys[key_index++], sizeof(key128));
+	memcpy(&keys->ncchkeyX_seven, &default_keys[key_index++], sizeof(key128));
+	memcpy(&keys->ncchkeyX_ninethree, &default_keys[key_index++], sizeof(key128));
+	memcpy(&keys->ncchkeyX_ninesix, &default_keys[key_index++], sizeof(key128));
+
+	// set common keys
+	for (u32 i = 0; i < COMMONKEY_NUM; i++)
+	{
+		memcpy(&keys->commonkey[i], &default_keys[key_index++], sizeof(key128));
 	}
+
 }
 
 int keyset_load_key(TiXmlHandle node, unsigned char* key, unsigned int size, int* valid)
@@ -206,13 +228,13 @@ int keyset_load(keyset* keys, const char* fname, int verbose)
 	keyset_load_rsakey2048(root.FirstChild("ncchrsakey"), &keys->ncchrsakey);
 	keyset_load_rsakey2048(root.FirstChild("ncchdescrsakey"), &keys->ncchdescrsakey);
 	keyset_load_rsakey2048(root.FirstChild("firmrsakey"), &keys->firmrsakey);
-	keyset_load_key128(root.FirstChild("commonkeyx"), &keys->commonkeyX);
+	/*
 	keyset_load_key128(root.FirstChild("ncchfixedsystemkey"), &keys->ncchfixedsystemkey);
 	keyset_load_key128(root.FirstChild("ncchkeyxold"), &keys->ncchkeyX_old);
 	keyset_load_key128(root.FirstChild("ncchkeyxseven"), &keys->ncchkeyX_seven);
 	keyset_load_key128(root.FirstChild("ncchkeyxninethree"), &keys->ncchkeyX_ninethree);
 	keyset_load_key128(root.FirstChild("ncchkeyxninesix"), &keys->ncchkeyX_ninesix);
-
+	*/
 
 	return 1;
 }
@@ -225,8 +247,15 @@ void keyset_merge(keyset* keys, keyset* src)
 		keyset_set_key128(&keys->v, src->v.data);\
 } while (0)
 
+	// todo complete key copy
+	/* COPY_IF_VALID(commonkey[0]); */
+	//if ()
+	for (size_t i = 0; i < COMMONKEY_NUM; i++)
+	{
+		COPY_IF_VALID(commonkey[i]);
+	}
 	COPY_IF_VALID(titlekey);
-	COPY_IF_VALID(commonkeyX);
+	COPY_IF_VALID(seed_fallback);
 	COPY_IF_VALID(ncchfixedsystemkey);
 	COPY_IF_VALID(ncchkeyX_old);
 	COPY_IF_VALID(ncchkeyX_seven);
@@ -235,8 +264,8 @@ void keyset_merge(keyset* keys, keyset* src)
 	if (src->seed_num > 0)
 	{
 		keys->seed_num = src->seed_num;
-		keys->seed_db = (seeddb_entry*)calloc(src->seed_num, sizeof(seeddb_entry));
-		memcpy(keys->seed_db, src->seed_db, src->seed_num * sizeof(seeddb_entry));
+		keys->seed_db = (seeddb_entry*)calloc(keys->seed_num, sizeof(seeddb_entry));
+		memcpy(keys->seed_db, src->seed_db, keys->seed_num * sizeof(seeddb_entry));
 	}
 
 #undef COPY_IF_VALID
@@ -253,11 +282,6 @@ void keyset_parse_key128(key128* key, char* keytext, int keylen)
 	keyset_parse_key(keytext, keylen, key->data, 16, &key->valid);
 }
 
-void keyset_parse_commonkeyX(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->commonkeyX, keytext, keylen);
-}
-
 void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen)
 {
 	keyset_parse_key128(&keys->titlekey, keytext, keylen);
@@ -315,6 +339,12 @@ void keyset_parse_seeddb(keyset* keys, char* path)
 	fread(keys->seed_db, keys->seed_num * sizeof(seeddb_entry), 1, fp);
 }
 
+void keyset_parse_seed_fallback(keyset* keys, char* keytext, int keylen)
+{
+	keyset_parse_key128(&keys->seed_fallback, keytext, keylen);
+}
+
+
 void keyset_dump_rsakey(rsakey2048* key, const char* keytitle)
 {
 	if (key->keytype == RSAKEY_INVALID)
@@ -355,7 +385,6 @@ void keyset_dump(keyset* keys)
 	DUMP_KEY(ncchkeyX_ninethree, "NCCH N9.3 KEYX");
 	DUMP_KEY(ncchkeyX_ninesix, "NCCH N9.6 KEYX");
 	DUMP_KEY(ncchfixedsystemkey, "NCCH FIXEDSYSTEMKEY");
-	DUMP_KEY(commonkeyX, "COMMON KEYX");
 #undef DUMP_KEY
 
 	keyset_dump_rsakey(&keys->ncsdrsakey, "NCSD RSA KEY");
diff --git a/ctrtool/keyset.h b/ctrtool/keyset.h
index 3d6610fb..4d9235dd 100644
--- a/ctrtool/keyset.h
+++ b/ctrtool/keyset.h
@@ -7,6 +7,8 @@
 extern "C" {
 #endif
 
+#define COMMONKEY_NUM 6
+
 typedef enum
 {
 	KEY_ERR_LEN_MISMATCH,
@@ -59,8 +61,9 @@ typedef struct
 	u32 seed_num;
 	seeddb_entry* seed_db;
 
+	key128 commonkey[COMMONKEY_NUM];
 	key128 titlekey;
-	key128 commonkeyX;
+	key128 seed_fallback;
 	key128 ncchfixedsystemkey;
 	key128 ncchkeyX_old;
 	key128 ncchkeyX_seven;
@@ -75,7 +78,6 @@ typedef struct
 void keyset_init(keyset* keys, u32 actions);
 int keyset_load(keyset* keys, const char* fname, int verbose);
 void keyset_merge(keyset* keys, keyset* src);
-void keyset_parse_commonkeyX(keyset* keys, char* keytext, int keylen);
 void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchkeyX_old(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchfixedsystemkey(keyset* keys, char* keytext, int keylen);
@@ -83,6 +85,7 @@ void keyset_parse_ncchkeyX_seven(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchkeyX_ninethree(keyset* keys, char* keytext, int keylen);
 void keyset_parse_ncchkeyX_ninesix(keyset* keys, char* keytext, int keylen);
 void keyset_parse_seeddb(keyset* keys, char* path);
+void keyset_parse_seed_fallback(keyset* keys, char* keytext, int keylen);
 void keyset_dump(keyset* keys);
 
 #ifdef __cplusplus
diff --git a/ctrtool/main.c b/ctrtool/main.c
index 17113746..3c949586 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -54,11 +54,12 @@ static void usage(const char *argv0)
 		   "  -y, --verify       Verify hashes and signatures.\n"
 		   "  -d, --dev          Decrypt with development keys instead of retail.\n"
 		   "  --unitsize=size    Set media unit size (default 0x200).\n"
-		   "  --commonkey=key    Set common key.\n"
+//		   "  --commonkey=key    Set common key.\n"
 		   "  --titlekey=key     Set tik title key.\n"
-		   "  --ncchkey=key      Set ncch key.\n"
-		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
+//		   "  --ncchkey=key      Set ncch key.\n"
+//		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
 		   "  --seeddb=file      Set seeddb for ncch seed crypto.\n"
+		   "  --seed=key         Set specific seed for ncch seed crypto.\n"
 		   "  --showkeys         Show the keys being used.\n"
 		   "  --showsyscalls     Show system call names instead of numbers.\n"
 		   "  -t, --intype=type	 Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
@@ -138,8 +139,8 @@ int main(int argc, char* argv[])
 			{"raw", 0, NULL, 'r'},
 			{"unitsize", 1, NULL, 9},
 			{"showkeys", 0, NULL, 10},
-			{"commonkeyx", 1, NULL, 11},
-			{"ncchkeyxold", 1, NULL, 12},
+			//{"commonkeyx", 1, NULL, 11},
+			//{"ncchkeyxold", 1, NULL, 12},
 			{"intype", 1, NULL, 't'},
 			{"lzssout", 1, NULL, 13},
 			{"firmdir", 1, NULL, 14},
@@ -153,10 +154,11 @@ int main(int argc, char* argv[])
 			{"titlekey", 1, NULL, 22},
 			{"plainrgn", 1, NULL, 23},
 			{"showsyscalls", 0, NULL, 24},
-			{"ncchkeyxseven", 1, NULL, 25},
-			{"ncchkeyxninethree", 1, NULL, 26},
-			{"ncchkeyxninesix", 1, NULL, 27},
+			//{"ncchkeyxseven", 1, NULL, 25},
+			//{"ncchkeyxninethree", 1, NULL, 26},
+			//{"ncchkeyxninesix", 1, NULL, 27},
 			{"seeddb", 1, NULL, 28},
+			{"seed", 1, NULL, 29 },
 			{NULL},
 		};
 
@@ -237,11 +239,11 @@ int main(int argc, char* argv[])
 			case 8: settings_set_exefs_dir_path(&ctx.usersettings, optarg); break;
 			case 9: settings_set_mediaunit_size(&ctx.usersettings, strtoul(optarg, 0, 0)); break;
 			case 10: ctx.actions |= ShowKeysFlag; break;
-			case 11: keyset_parse_commonkeyX(&tmpkeys, optarg, strlen(optarg)); break;
-			case 12: keyset_parse_ncchkeyX_old(&tmpkeys, optarg, strlen(optarg)); break;
+			//case 11: keyset_parse_commonkeyX(&tmpkeys, optarg, strlen(optarg)); break;
+			//case 12: keyset_parse_ncchkeyX_old(&tmpkeys, optarg, strlen(optarg)); break;
 			case 13: settings_set_lzss_path(&ctx.usersettings, optarg); break;
 			case 14: settings_set_firm_dir_path(&ctx.usersettings, optarg); break;
-			case 15: keyset_parse_ncchfixedsystemkey(&tmpkeys, optarg, strlen(optarg)); break;
+			//case 15: keyset_parse_ncchfixedsystemkey(&tmpkeys, optarg, strlen(optarg)); break;
 			case 16: settings_set_wav_path(&ctx.usersettings, optarg); break;
 			case 17: settings_set_romfs_dir_path(&ctx.usersettings, optarg); break;
 			case 18: settings_set_list_romfs_files(&ctx.usersettings, 1); break;
@@ -251,10 +253,11 @@ int main(int argc, char* argv[])
 			case 22: keyset_parse_titlekey(&tmpkeys, optarg, strlen(optarg)); break;
 			case 23: settings_set_plainrgn_path(&ctx.usersettings, optarg); break;
 			case 24: ctx.actions |= ShowSyscallsFlag; break;
-			case 25: keyset_parse_ncchkeyX_seven(&tmpkeys, optarg, strlen(optarg)); break;
-			case 26: keyset_parse_ncchkeyX_ninethree(&tmpkeys, optarg, strlen(optarg)); break;
-			case 27: keyset_parse_ncchkeyX_ninesix(&tmpkeys, optarg, strlen(optarg)); break;
+			//case 25: keyset_parse_ncchkeyX_seven(&tmpkeys, optarg, strlen(optarg)); break;
+			//case 26: keyset_parse_ncchkeyX_ninethree(&tmpkeys, optarg, strlen(optarg)); break;
+			//case 27: keyset_parse_ncchkeyX_ninesix(&tmpkeys, optarg, strlen(optarg)); break;
 			case 28: keyset_parse_seeddb(&tmpkeys, optarg); break;
+			case 29: keyset_parse_seed_fallback(&tmpkeys, optarg, strlen(optarg)); break;
 
 			default:
 				usage(argv[0]);
diff --git a/ctrtool/settings.c b/ctrtool/settings.c
index 15523b01..9fbf0567 100644
--- a/ctrtool/settings.c
+++ b/ctrtool/settings.c
@@ -168,9 +168,10 @@ unsigned char* settings_get_ncchkeyX_ninesix(settings* usersettings)
 	GETKEY(usersettings, ncchkeyX_ninesix);
 }
 
-unsigned char* settings_get_common_keyX(settings* usersettings)
+unsigned char* settings_get_common_key(settings* usersettings, u8 index)
 {
-	GETKEY(usersettings, commonkeyX);
+	if (index > (COMMONKEY_NUM - 1)) return NULL;
+	GETKEY(usersettings, commonkey[index]);
 }
 
 unsigned char* settings_get_seed(settings* usersettings, u64 title_id)
@@ -182,7 +183,7 @@ unsigned char* settings_get_seed(settings* usersettings, u64 title_id)
 			return usersettings->keys.seed_db[i].seed;
 		}
 	}
-	return NULL;
+	GETKEY(usersettings, seed_fallback);
 }
 
 unsigned char* settings_get_title_key(settings* usersettings)
diff --git a/ctrtool/settings.h b/ctrtool/settings.h
index c90947b2..e634eaa3 100644
--- a/ctrtool/settings.h
+++ b/ctrtool/settings.h
@@ -51,7 +51,7 @@ unsigned char* settings_get_ncchkeyX_old(settings* usersettings);
 unsigned char* settings_get_ncchkeyX_seven(settings* usersettings);
 unsigned char* settings_get_ncchkeyX_ninethree(settings* usersettings);
 unsigned char* settings_get_ncchkeyX_ninesix(settings* usersettings);
-unsigned char* settings_get_common_keyX(settings* usersettings);
+unsigned char* settings_get_common_key(settings* usersettings, u8 index);
 unsigned char* settings_get_seed(settings* usersettings, u64 title_id);
 unsigned char* settings_get_title_key(settings* usersettings);
 int settings_get_ignore_programid(settings* usersettings);
diff --git a/ctrtool/tik.c b/ctrtool/tik.c
index 0c1b69ce..285f403c 100644
--- a/ctrtool/tik.c
+++ b/ctrtool/tik.c
@@ -32,9 +32,9 @@ void tik_set_usersettings(tik_context* ctx, settings* usersettings)
 	ctx->usersettings = usersettings;
 }
 
-void tik_get_titlekey(tik_context* ctx, u8 key[0x10])
+const unsigned char* tik_get_titlekey(tik_context* ctx)
 {
-	memcpy(key, ctx->titlekey, 0x10);
+	return ctx->titlekey.valid ? ctx->titlekey.data : NULL;
 }
 
 void tik_get_titleid(tik_context* ctx, u8 titleid[8])
@@ -48,38 +48,24 @@ void tik_get_iv(tik_context* ctx, u8 iv[16])
 	memcpy(iv, ctx->tik.title_id, 8);
 }
 
-void tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]) 
+int tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]) 
 {
 	u8 iv[16];
-	u8* keyX = settings_get_common_keyX(ctx->usersettings);
-	const u8 keyYs[6][16] = {
-		// application titles (eShop titles)
-		{0xd0, 0x7b, 0x33, 0x7f, 0x9c, 0xa4, 0x38, 0x59, 0x32, 0xa2, 0xe2, 0x57, 0x23, 0x23, 0x2e, 0xb9},
-		// system titles
-		{0x0c, 0x76, 0x72, 0x30, 0xf0, 0x99, 0x8f, 0x1c, 0x46, 0x82, 0x82, 0x02, 0xfa, 0xac, 0xbe, 0x4c},
-		// these are unused
-		{0xc4, 0x75, 0xcb, 0x3a, 0xb8, 0xc7, 0x88, 0xbb, 0x57, 0x5e, 0x12, 0xa1, 0x09, 0x07, 0xb8, 0xa4},
-		{0xe4, 0x86, 0xee, 0xe3, 0xd0, 0xc0, 0x9c, 0x90, 0x2f, 0x66, 0x86, 0xd4, 0xc0, 0x6f, 0x64, 0x9f},
-		{0xed, 0x31, 0xba, 0x9c, 0x04, 0xb0, 0x67, 0x50, 0x6c, 0x44, 0x97, 0xa3, 0x5b, 0x78, 0x04, 0xfc},
-		{0x5e, 0x66, 0x99, 0x8a, 0xb4, 0xe8, 0x93, 0x16, 0x06, 0x85, 0x0f, 0xd7, 0xa1, 0x6d, 0xd7, 0x55},
-	};
-	u8 key[16];
+	u8* commonkey = settings_get_common_key(ctx->usersettings, ctx->tik.commonkey_idx);
 
 	memset(decryptedkey, 0, 0x10);
-
-	if (!keyX)
+	if (!commonkey)
 	{
-		fprintf(stdout, "Warning, could not read common key.\n");
+		fprintf(stdout, "Error, could not read common key.\n");
+		return 1;
 	}
-	else
-	{
-		ctr_aes_keygen(keyX, keyYs[(ctx->tik.title_id[3] & 0x10) ? 1 : 0], key);
-		memset(iv, 0, 0x10);
-		memcpy(iv, ctx->tik.title_id, 8);
+	
+	memset(iv, 0, 0x10);
+	memcpy(iv, ctx->tik.title_id, 8);
 
-		ctr_init_cbc_decrypt(&ctx->aes, key, iv);
-		ctr_decrypt_cbc(&ctx->aes, ctx->tik.encrypted_title_key, decryptedkey, 0x10);
-	}
+	ctr_init_cbc_decrypt(&ctx->aes, commonkey, iv);
+	ctr_decrypt_cbc(&ctx->aes, ctx->tik.encrypted_title_key, decryptedkey, 0x10);
+	return 0;
 }
 
 void tik_process(tik_context* ctx, u32 actions)
@@ -93,7 +79,7 @@ void tik_process(tik_context* ctx, u32 actions)
 	fseeko64(ctx->file, ctx->offset, SEEK_SET);
 	fread((u8*)&ctx->tik, 1, sizeof(eticket), ctx->file);
 
-	tik_decrypt_titlekey(ctx, ctx->titlekey);
+	ctx->titlekey.valid = tik_decrypt_titlekey(ctx, ctx->titlekey.data) == 0 ? 1 : 0;
 
 	if (actions & InfoFlag)
 	{
@@ -122,8 +108,8 @@ void tik_print(tik_context* ctx)
 
 	memdump(stdout, "Encrypted Titlekey:     ", tik->encrypted_title_key, 0x10);
 	
-	if (settings_get_common_keyX(ctx->usersettings))
-		memdump(stdout, "Decrypted Titlekey:     ", ctx->titlekey, 0x10);
+	if (ctx->titlekey.valid)
+		memdump(stdout, "Decrypted Titlekey:     ", ctx->titlekey.data, 0x10);
 
 	memdump(stdout,	"Ticket ID:              ", tik->ticket_id, 0x08);
 	fprintf(stdout, "Ticket Version:         %d\n", getle16(tik->ticket_version));
diff --git a/ctrtool/tik.h b/ctrtool/tik.h
index 1aa05966..4d85aaa2 100644
--- a/ctrtool/tik.h
+++ b/ctrtool/tik.h
@@ -43,7 +43,7 @@ typedef struct
 	FILE* file;
 	u64 offset;
 	u32 size;
-	u8 titlekey[16];
+	key128 titlekey;
 	eticket tik;
 	ctr_aes_context aes;
 	settings* usersettings;
@@ -54,10 +54,10 @@ void tik_set_file(tik_context* ctx, FILE* file);
 void tik_set_offset(tik_context* ctx, u64 offset);
 void tik_set_size(tik_context* ctx, u32 size);
 void tik_set_usersettings(tik_context* ctx, settings* usersettings);
-void tik_get_titlekey(tik_context* ctx, u8 key[0x10]);
+const unsigned char* tik_get_titlekey(tik_context* ctx);
 void tik_get_titleid(tik_context* ctx, u8 titleid[8]);
 void tik_get_iv(tik_context* ctx, u8 iv[0x10]);
-void tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]);
+int tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]);
 void tik_print(tik_context* ctx);
 void tik_process(tik_context* ctx, u32 actions);
 

From b8b92d8bfafeb5229894affbba423aebf0c67eba Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 5 Jun 2017 11:32:13 +0800
Subject: [PATCH 206/317] [ctrtool] Rewrote NCCH crypto. "--exefs" is still
 broken.

---
 ctrtool/exefs.c |  26 ++---
 ctrtool/exefs.h |   3 +-
 ctrtool/ncch.c  | 284 ++++++++++++++++++++++++++----------------------
 ctrtool/ncch.h  |  12 +-
 4 files changed, 168 insertions(+), 157 deletions(-)

diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index 150a405d..cca86270 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -48,10 +48,10 @@ void exefs_set_encrypted(exefs_context* ctx, u32 encrypted)
 	ctx->encrypted = encrypted;
 }
 
-void exefs_set_keys(exefs_context* ctx, u8 key[16], u8 special_key[16])
+void exefs_set_keys(exefs_context* ctx, u8 key0[16], u8 key1[16])
 {
-	memcpy(ctx->key, key, 16);
-	memcpy(ctx->special_key, special_key, 16);
+	memcpy(ctx->key[0], key0, 16);
+	memcpy(ctx->key[1], key1, 16);
 }
 
 void exefs_set_counter(exefs_context* ctx, u8 counter[16])
@@ -109,7 +109,7 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 	}
 
 	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	ctr_init_key(&ctx->aes, ctx->key);
+	ctr_init_key(&ctx->aes, ctx->key[0]);
 	ctr_init_counter(&ctx->aes, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
@@ -132,12 +132,10 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 		}
 
 		if (ctx->encrypted) {
-			// .code and .firm use a special key on 7.0+
-			if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
-				ctr_init_key(&ctx->aes, ctx->special_key);
-			ctr_crypt_counter(&ctx->aes, compressedbuffer, compressedbuffer, compressedsize);
-			if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
-				ctr_init_key(&ctx->aes, ctx->key);
+			if (strncmp((const char*)section->name, "icon", 8) == 0 || strncmp((const char*)section->name, "banner", 8) == 0)
+				ctr_init_key(&ctx->aes, ctx->key[0]);
+			else
+				ctr_init_key(&ctx->aes, ctx->key[1]);
 		}
 
 
@@ -203,7 +201,7 @@ void exefs_read_header(exefs_context* ctx, u32 flags)
 	fread(&ctx->header, 1, sizeof(exefs_header), ctx->file);
 
 	if (ctx->encrypted) {
-		ctr_init_key(&ctx->aes, ctx->key);
+		ctr_init_key(&ctx->aes, ctx->key[0]);
 		ctr_init_counter(&ctx->aes, ctx->counter);
 		ctr_crypt_counter(&ctx->aes, (u8*)&ctx->header, (u8*)&ctx->header, sizeof(exefs_header));
 	}
@@ -261,10 +259,10 @@ int exefs_verify(exefs_context* ctx, u32 index, u32 flags)
 		return 0;
 
 	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	if (index == 0 && (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES))
-		ctr_init_key(&ctx->aes, ctx->special_key);
+	if (strncmp((const char*)section->name, "icon", 8) == 0 || strncmp((const char*)section->name, "banner", 8) == 0)
+		ctr_init_key(&ctx->aes, ctx->key[0]);
 	else
-		ctr_init_key(&ctx->aes, ctx->key);
+		ctr_init_key(&ctx->aes, ctx->key[1]);
 	ctr_init_counter(&ctx->aes, ctx->counter);
 	ctr_add_counter(&ctx->aes, offset / 0x10);
 
diff --git a/ctrtool/exefs.h b/ctrtool/exefs.h
index 16e6152e..cef22ce7 100644
--- a/ctrtool/exefs.h
+++ b/ctrtool/exefs.h
@@ -29,8 +29,7 @@ typedef struct
 	settings* usersettings;
 	u8 partitionid[8];
 	u8 counter[16];
-	u8 key[16];
-	u8 special_key[16];
+	u8 key[2][16];
 	u64 offset;
 	u64 size;
 	exefs_header header;
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index a847ac20..09bab9b7 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -79,7 +79,7 @@ void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 }
 
 
-
+/* this is broken */
 int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 {
 	u64 offset = 0;
@@ -93,6 +93,7 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 		{
 			offset = ncch_get_exefs_offset(ctx);
 			size = ncch_get_exefs_size(ctx);
+			ctr_init_key(&ctx->aes, ctx->key[0]);
 		}
 		break;
 
@@ -100,6 +101,7 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 		{
 			offset = ncch_get_romfs_offset(ctx);
 			size = ncch_get_romfs_size(ctx);
+			ctr_init_key(&ctx->aes, ctx->key[1]);
 		}
 		break;
 
@@ -107,6 +109,7 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 		{
 			offset = ncch_get_exheader_offset(ctx);
 			size = ncch_get_exheader_size(ctx) * 2;
+			ctr_init_key(&ctx->aes, ctx->key[0]);
 		}
 		break;
 	
@@ -136,7 +139,7 @@ int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
 	ctx->extractflags = flags;
 	fseeko64(ctx->file, offset, SEEK_SET);
 	ncch_get_counter(ctx, counter, type);
-	ctr_init_key(&ctx->aes, ctx->key);
+	
 	ctr_init_counter(&ctx->aes, counter);
 
 	return 1;
@@ -351,7 +354,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	exheader_set_programid(&ctx->exheader, ctx->header.programid);
 	exheader_set_hash(&ctx->exheader, ctx->header.extendedheaderhash);
 	exheader_set_counter(&ctx->exheader, exheadercounter);
-	exheader_set_key(&ctx->exheader, ctx->key);
+	exheader_set_key(&ctx->exheader, ctx->key[0]);
 	exheader_set_encrypted(&ctx->exheader, ctx->encrypted);
 
 	exefs_set_file(&ctx->exefs, ctx->file);
@@ -360,7 +363,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	exefs_set_partitionid(&ctx->exefs, ctx->header.partitionid);
 	exefs_set_usersettings(&ctx->exefs, ctx->usersettings);
 	exefs_set_counter(&ctx->exefs, exefscounter);
-	exefs_set_keys(&ctx->exefs, ctx->key, ctx->special_key);
+	exefs_set_keys(&ctx->exefs, ctx->key[0], ctx->key[1]);
 	exefs_set_encrypted(&ctx->exefs, ctx->encrypted);
 
 	romfs_set_file(&ctx->romfs, ctx->file);
@@ -368,10 +371,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	romfs_set_size(&ctx->romfs, ncch_get_romfs_size(ctx));
 	romfs_set_usersettings(&ctx->romfs, ctx->usersettings);
 	romfs_set_counter(&ctx->romfs, romfscounter);
-	if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
-		romfs_set_key(&ctx->romfs, ctx->special_key);
-	else
-		romfs_set_key(&ctx->romfs, ctx->key);
+	romfs_set_key(&ctx->romfs, ctx->key[1]);
 	romfs_set_encrypted(&ctx->romfs, ctx->encrypted);
 
 	exheader_read(&ctx->exheader, actions);
@@ -392,11 +392,18 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	if ((actions & ShowKeysFlag) && ctx->encrypted)
 	{
 		fprintf(stdout, "Using key(s):\n");
-		memdump(stdout, "  0x2C: ", ctx->key, 0x10);
-		if (ctx->encrypted & NCCHCRYPTO_SPECIAL_FSES)
+		if (ctx->encrypted == NCCHCRYPTO_FIXED)
 		{
-			fprintf(stdout, "  special (%02x): ", ctx->header.flags[3]);
-			memdump(stdout, "", ctx->special_key, 0x10);
+			memdump(stdout, "  Key:  ", ctx->key[0], 0x10);
+		}
+		else
+		{
+			memdump(stdout, "  0x2C: ", ctx->key[0], 0x10);
+			if (memcmp(ctx->key[0], ctx->key[1], 0x10) != 0)
+			{
+				fprintf(stdout, "  special (%02x): ", ctx->header.flags[3]);
+				memdump(stdout, "", ctx->key[1], 0x10);
+			}
 		}
 	}
 
@@ -510,150 +517,163 @@ u64 ncch_get_mediaunit_size(ncch_context* ctx)
 
 void ncch_determine_key(ncch_context* ctx, u32 actions)
 {
-	exheader_header exheader;
-	u8* key;
-	u8* seed;
-	ctr_ncchheader* header = &ctx->header;
+	u8 exheader_buffer[0x400];
 	u8 seedbuf[0x20];
-	u8 seedhash[0x20];
-	u8 keyX[0x10], keyY[0x10], seedKeyY[0x10];
-
-	ctx->encrypted = 0;
-	memset(ctx->key, 0, 0x10);
-
-	if (actions & PlainFlag)
+	u8* seed;
+	u8 hash[0x20];
+	ctr_ncchheader* header = &ctx->header;	
+	struct sNcchKeyslot
 	{
-		ctx->encrypted = 0;
-	} 
-	else
+		u8 x[0x10];
+		u8 y[0x10];
+		u8 key[0x10];
+	} key[2];
+
+
+	// Check if the NCCH is already decrypted, by checking if the exheader hash matches
+	// Otherwise, use determination rules
+	fseeko64(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
+	memset(exheader_buffer, 0, getle32(header->extendedheadersize));
+	fread(exheader_buffer, 1, getle32(header->extendedheadersize), ctx->file);
+	ctr_sha_256(exheader_buffer, getle32(header->extendedheadersize), hash);
+	if (!memcmp(hash, header->extendedheaderhash, 32))
 	{
-		// No explicit NCCH key defined, so we try to decide
-		// In almost all of these scenarios, the normal 0x2C NCCH keyX will be the default,
-		// except for the old fixedkey crypto, where we'll override it anyway, so let's just
-		// set the 0x2C keyX first.
-		key = settings_get_ncchkeyX_old(ctx->usersettings);
-		if (key)
-			memcpy(keyX, key, 0x10);
-		else
-			fprintf(stderr, "Warning, could not read NCCH base key. Decryption will likely fail.\n");
+		// exheader hash matches, so probably decrypted
+		ctx->encrypted = NCCHCRYPTO_NONE;
+		if (!(header->flags[7] & 4))
+			fprintf(stderr, "Warning, exheader is decrypted but the NCCH says it isn't.\n"
+				"This NCCH will likely break on console.\n");
+		return;
+	}
 
-		// The keyY is normally the beginning of the NCCH header signature. In case seed crypto
-		// changes that, we'll override it below.
-		memcpy(keyY, header->signature, 0x10);
-		memcpy(seedKeyY, keyY, 0x10);
+	// if not plain flag set and not ncch unencrypted flag set
+	// determine the keys
+	if (!(actions & PlainFlag) && !(header->flags[7] & 4))
+	{
+		// fixed key crypto
+		if (header->flags[7] & 1)
+		{
+			ctx->encrypted = NCCHCRYPTO_FIXED;
+			if (programid_is_system(header->programid))
+			{
+				if (settings_get_ncch_fixedsystemkey(ctx->usersettings) == NULL)
+				{
+					fprintf(stderr, "Error, could not read system fixed key.\n");
+					ctx->encrypted = NCCHCRYPTO_BROKEN;
+					return;
+				}
 
-		// 0x2c crypto is normally used; we override it where necessary
-		ctr_aes_keygen(keyX, keyY, ctx->key);
+				memcpy(key[0].key, settings_get_ncch_fixedsystemkey(ctx->usersettings), 0x10);
+			}
+			else
+			{
+				memset(key[0].key, 0x00, 0x10);
+			}
 
-		// Seed crypto can be used alongside any other crypto type, so we'll need to figure this out early.
-		if (header->flags[7] & 0x20)
+			memcpy(key[1].key, key[0].key, 0x10);
+		}
+		// secure crypto
+		else
 		{
-			ctx->encrypted = NCCHCRYPTO_SEED;
-			seed = settings_get_seed(ctx->usersettings, getle64(header->partitionid));
-			if (!seed)
+			ctx->encrypted = NCCHCRYPTO_SECURE;
+			if (settings_get_ncchkeyX_old(ctx->usersettings) == NULL)
 			{
-				fprintf(stderr, "This title uses seed crypto, but no seed is set in seedDB, unable to decrypt.\n"
-						"Use -p to avoid decryption or use --seeddb=dbfile to specify the seedDB.\n");
+				fprintf(stderr, "Error, could not read NCCH base keyX.\n");
 				ctx->encrypted = NCCHCRYPTO_BROKEN;
 				return;
 			}
 
-			memcpy(seedbuf, seed, 0x10);
-			// Assumes running on little endian
-			memcpy(seedbuf + 0x10, header->programid, sizeof(header->programid));
-			ctr_sha_256(seedbuf, 0x18, seedhash);
-			if (memcmp(seedhash, header->seedcheck, sizeof(header->seedcheck))) {
-				fprintf(stderr, "Seed check mismatch. (Got: %02x%02x%02x%02x, expected: %02x%02x%02x%02x)\n",
-						seedhash[0], seedhash[1], seedhash[2], seedhash[3],
-						header->seedcheck[0], header->seedcheck[1], header->seedcheck[2], header->seedcheck[3]);
+			// setup regular keyslot seeds (exheader, exefs:icon|banner)
+			memcpy(key[0].x, settings_get_ncchkeyX_old(ctx->usersettings), 0x10);
+			memcpy(key[0].y, header->signature, 0x10);
+
+			// setup second keyslot seed (romfs, exefs:!(icon|banner))
+			// - get keyX
+			if (header->flags[3] == 0)
+			{
+				memcpy(key[1].x, key[0].x, 0x10);
+			}
+			else if (header->flags[3] == 1)
+			{
+				if (settings_get_ncchkeyX_seven(ctx->usersettings) == NULL)
+				{
+					fprintf(stderr, "Error, could not read NCCH 7.0 keyX.\n");
+					return;
+				}
+				memcpy(key[1].x, settings_get_ncchkeyX_seven(ctx->usersettings), 0x10);
+			}
+			else if (header->flags[3] == 10)
+			{
+				if (settings_get_ncchkeyX_ninethree(ctx->usersettings) == NULL)
+				{
+					fprintf(stderr, "Error, could not read NCCH 9.3 keyX.\n");
+					return;
+				}
+				memcpy(key[1].x, settings_get_ncchkeyX_ninethree(ctx->usersettings), 0x10);
+			}
+			else if (header->flags[3] == 11)
+			{
+				if (settings_get_ncchkeyX_ninesix(ctx->usersettings) == NULL)
+				{
+					fprintf(stderr, "Error, could not read NCCH 9.6 keyX.\n");
+					return;
+				}
+				memcpy(key[1].x, settings_get_ncchkeyX_ninesix(ctx->usersettings), 0x10);
+			}
+			else
+			{
+				fprintf(stderr, "Warning, unknown NCCH crypto method.\n");
 				ctx->encrypted = NCCHCRYPTO_BROKEN;
 				return;
 			}
 
-			memcpy(seedbuf, header->signature, 0x10);
-			memcpy(seedbuf + 0x10, seed, 0x10);
-			ctr_sha_256(seedbuf, 0x20, seedhash);
-			memcpy(seedKeyY, seedhash, 0x10);
-		}
-
-		// Check if the NCCH is already decrypted, by reading the programid in the exheader
-		// Otherwise, use determination rules
-		fseeko64(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
-		memset(&exheader, 0, sizeof(exheader));
-		fread(&exheader, 1, sizeof(exheader), ctx->file);
-
-		if (!memcmp(exheader.arm11systemlocalcaps.programid, ctx->header.programid, 8))
-		{
-			// program id's match, so it's probably not encrypted
-			ctx->encrypted = NCCHCRYPTO_NONE;
-			if (!(header->flags[7] & 4))
-				fprintf(stderr, "Warning, exheader seems decrypted but the NCCH says it isn't.\n"
-						"This NCCH will likely break on console.\n");
-		}
-		else if (header->flags[7] & 4) // no crypto
-		{
-			ctx->encrypted = NCCHCRYPTO_NONE;
-		}
-		else if (header->flags[7] & 1) // fixed key crypto
-		{
-			ctx->encrypted = NCCHCRYPTO_FIXED;
-			if (programid_is_system(header->programid))
+			// - get keyY
+			if (header->flags[7] & 0x20)
 			{
-				// fixed system key
-				key = settings_get_ncch_fixedsystemkey(ctx->usersettings);
-				if (!key) {
-					fprintf(stderr, "Error, could not read system fixed key.\n");
+				seed = settings_get_seed(ctx->usersettings, getle64(header->partitionid));
+				if (!seed)
+				{
+					fprintf(stderr, "This title uses seed crypto, but no seed is set, unable to decrypt.\n"
+						"Use -p to avoid decryption or use --seeddb=dbfile or --seed=SEEDHERE.\n");
 					ctx->encrypted = NCCHCRYPTO_BROKEN;
-				} else {
-					memcpy(ctx->key, key, 0x10);
+					return;
 				}
+
+				memcpy(seedbuf, seed, 0x10);
+				// Assumes running on little endian
+				memcpy(seedbuf + 0x10, header->programid, sizeof(header->programid));
+				ctr_sha_256(seedbuf, 0x18, hash);
+				if (memcmp(hash, header->seedcheck, sizeof(header->seedcheck))) {
+					fprintf(stderr, "Seed check mismatch. (Got: %02x%02x%02x%02x, expected: %02x%02x%02x%02x)\n",
+						hash[0], hash[1], hash[2], hash[3],
+						header->seedcheck[0], header->seedcheck[1], header->seedcheck[2], header->seedcheck[3]);
+					ctx->encrypted = NCCHCRYPTO_BROKEN;
+					return;
+				}
+
+				memcpy(seedbuf, header->signature, 0x10);
+				memcpy(seedbuf + 0x10, seed, 0x10);
+				ctr_sha_256(seedbuf, 0x20, hash);
+				memcpy(key[1].y, hash, 0x10);
 			}
 			else
 			{
-				// null key
-				memset(ctx->key, 0, 0x10);
+				memcpy(key[1].y, key[0].y, 0x10);
 			}
+
+
+			// generate keys
+			ctr_aes_keygen(key[0].x, key[0].y, key[0].key);
+			ctr_aes_keygen(key[1].x, key[1].y, key[1].key);
 		}
-		else if (header->flags[3] == 0x01) // 7.0 crypto
-		{
-			ctx->encrypted = NCCHCRYPTO_SEVEN;
-			key = settings_get_ncchkeyX_seven(ctx->usersettings);
-			if (!key) {
-				fprintf(stderr, "Error, could not read NCCH 7.0 keyX.\n");
-				return;
-			}
-			ctr_aes_keygen(key, seedKeyY, ctx->special_key);
-		}
-		else if (header->flags[3] == 0x0A) // N9.3 crypto
-		{
-			ctx->encrypted = NCCHCRYPTO_NINETHREE;
-			key = settings_get_ncchkeyX_ninethree(ctx->usersettings);
-			if (!key) {
-				fprintf(stderr, "Error, could not read NCCH 9.3 keyX.\n");
-				return;
-			}
-			ctr_aes_keygen(key, seedKeyY, ctx->special_key);
-		}
-		else if (header->flags[3] == 0x0B) // N9.6 crypto
-		{
-			ctx->encrypted = NCCHCRYPTO_NINESIX;
-			key = settings_get_ncchkeyX_ninesix(ctx->usersettings);
-			if (!key) {
-				fprintf(stderr, "Error, could not read NCCH 9.6 keyX.\n");
-				return;
-			}
-			ctr_aes_keygen(key, seedKeyY, ctx->special_key);
-		}
-		else if (header->flags[3] != 0) // unknown special crypto
-		{
-			fprintf(stderr, "Warning, unknown NCCH crypto method.\n");
-			ctx->encrypted = NCCHCRYPTO_BROKEN;
-		}
-		else
-		{
-			// old/normal NCCH crypto
-			ctx->encrypted = NCCHCRYPTO_OLD;
-		}
+
+		// save keys
+		memcpy(ctx->key[0], key[0].key, 0x10);
+		memcpy(ctx->key[1], key[1].key, 0x10);
+	}
+	else
+	{
+		ctx->encrypted = NCCHCRYPTO_NONE;
 	}
 }
 
diff --git a/ctrtool/ncch.h b/ctrtool/ncch.h
index 79f89578..d480ed6e 100644
--- a/ctrtool/ncch.h
+++ b/ctrtool/ncch.h
@@ -24,13 +24,8 @@ typedef enum
 {
 	NCCHCRYPTO_NONE		= 0,		//< already decrypted
 	NCCHCRYPTO_FIXED	= 1,		//< fixed key crypto, used for SDK-made application titles and very very old system titles
-	NCCHCRYPTO_OLD 		= (1<<1),	//< crypto used before 7.0
-	NCCHCRYPTO_SEVEN	= (1<<2),	//< crypto used starting with 7.0
-	NCCHCRYPTO_NINETHREE	= (1<<3),	//< crypto used on N3DS starting with 9.3
-	NCCHCRYPTO_NINESIX	= (1<<4),	//< crypto used on N3DS starting with 9.6
-	NCCHCRYPTO_SEED		= (1<<5),	//< crypto used starting with 9.6 for preloading titles
-	NCCHCRYPTO_SPECIAL_FSES = NCCHCRYPTO_SEVEN | NCCHCRYPTO_NINETHREE | NCCHCRYPTO_NINESIX | NCCHCRYPTO_SEED, //< ExeFS and RomFS need new keys
-	NCCHCRYPTO_BROKEN	= 0xFF		//< Internal: seed crypto required but no seed set
+	NCCHCRYPTO_SECURE	= (1<<1),	//< hardware generated key
+	NCCHCRYPTO_BROKEN	= 0xFF		//< Internal: failed to generate key, but encryption still used
 } ctr_ncchcryptotype;
 
 typedef struct
@@ -70,8 +65,7 @@ typedef struct
 typedef struct
 {
 	FILE* file;
-	u8 key[16];
-	u8 special_key[16]; // used with the 7.x+ crypto methods
+	u8 key[2][16];
 	u8 seed[16];
 	u32 encrypted;
 	u64 offset;

From 20f708450b9c6e7f64eafa6c2a8eeb25a630c69a Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 6 Jun 2017 12:44:12 +0800
Subject: [PATCH 207/317] [ctrtool] Fixed seed crypto.

---
 ctrtool/exefs.c    |  4 ++--
 ctrtool/exefs.h    |  4 ++--
 ctrtool/exheader.c |  4 ++--
 ctrtool/exheader.h |  4 ++--
 ctrtool/ncch.c     | 14 +++++++-------
 ctrtool/ncch.h     |  2 +-
 ctrtool/ncsd.c     |  2 +-
 ctrtool/ncsd.h     |  2 +-
 8 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index cca86270..58e344ca 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -33,9 +33,9 @@ void exefs_set_usersettings(exefs_context* ctx, settings* usersettings)
 	ctx->usersettings = usersettings;
 }
 
-void exefs_set_partitionid(exefs_context* ctx, u8 partitionid[8])
+void exefs_set_titleid(exefs_context* ctx, u8 titleid[8])
 {
-	memcpy(ctx->partitionid, partitionid, 8);
+	memcpy(ctx->titleid, titleid, 8);
 }
 
 void exefs_set_compressedflag(exefs_context* ctx, int compressedflag)
diff --git a/ctrtool/exefs.h b/ctrtool/exefs.h
index cef22ce7..2d1c4102 100644
--- a/ctrtool/exefs.h
+++ b/ctrtool/exefs.h
@@ -27,7 +27,7 @@ typedef struct
 {
 	FILE* file;
 	settings* usersettings;
-	u8 partitionid[8];
+	u8 titleid[8];
 	u8 counter[16];
 	u8 key[2][16];
 	u64 offset;
@@ -45,7 +45,7 @@ void exefs_set_file(exefs_context* ctx, FILE* file);
 void exefs_set_offset(exefs_context* ctx, u64 offset);
 void exefs_set_size(exefs_context* ctx, u64 size);
 void exefs_set_usersettings(exefs_context* ctx, settings* usersettings);
-void exefs_set_partitionid(exefs_context* ctx, u8 partitionid[8]);
+void exefs_set_titleid(exefs_context* ctx, u8 titleid[8]);
 void exefs_set_counter(exefs_context* ctx, u8 counter[16]);
 void exefs_set_compressedflag(exefs_context* ctx, int compressedflag);
 void exefs_set_keys(exefs_context* ctx, u8 key[16], u8 special_key[16]);
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
index 21473de0..86609d84 100644
--- a/ctrtool/exheader.c
+++ b/ctrtool/exheader.c
@@ -34,9 +34,9 @@ void exheader_set_usersettings(exheader_context* ctx, settings* usersettings)
 	ctx->usersettings = usersettings;
 }
 
-void exheader_set_partitionid(exheader_context* ctx, u8 partitionid[8])
+void exheader_set_titleid(exheader_context* ctx, u8 titleid[8])
 {
-	memcpy(ctx->partitionid, partitionid, 8);
+	memcpy(ctx->titleid, titleid, 8);
 }
 
 void exheader_set_programid(exheader_context* ctx, u8 programid[8])
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
index 09f751ea..7f4ce496 100644
--- a/ctrtool/exheader.h
+++ b/ctrtool/exheader.h
@@ -149,7 +149,7 @@ typedef struct
 	int haveread;
 	FILE* file;
 	settings* usersettings;
-	u8 partitionid[8];
+	u8 titleid[8];
 	u8 programid[8];
 	u8 hash[32];
 	u8 counter[16];
@@ -183,7 +183,7 @@ void exheader_init(exheader_context* ctx);
 void exheader_set_file(exheader_context* ctx, FILE* file);
 void exheader_set_offset(exheader_context* ctx, u64 offset);
 void exheader_set_size(exheader_context* ctx, u64 size);
-void exheader_set_partitionid(exheader_context* ctx, u8 partitionid[8]);
+void exheader_set_titleid(exheader_context* ctx, u8 titleid[8]);
 void exheader_set_counter(exheader_context* ctx, u8 counter[16]);
 void exheader_set_programid(exheader_context* ctx, u8 programid[8]);
 void exheader_set_hash(exheader_context* ctx, u8 hash[32]);
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 09bab9b7..14ff9a93 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -50,7 +50,7 @@ void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 {
 	u32 version = getle16(ctx->header.version);
 	u32 mediaunitsize = (u32) ncch_get_mediaunit_size(ctx);
-	u8* partitionid = ctx->header.partitionid;
+	u8* titleid = ctx->header.titleid;
 	u32 i;
 	u64 x = 0;
 
@@ -59,7 +59,7 @@ void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 	if (version == 2 || version == 0)
 	{
 		for(i=0; i<8; i++)
-			counter[i] = partitionid[7-i];
+			counter[i] = titleid[7-i];
 		counter[8] = type;
 	}
 	else if (version == 1)
@@ -72,7 +72,7 @@ void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
 			x = getle32(ctx->header.romfsoffset) * mediaunitsize;
 
 		for(i=0; i<8; i++)
-			counter[i] = partitionid[i];
+			counter[i] = titleid[i];
 		for(i=0; i<4; i++)
 			counter[12+i] = (u8) (x>>((3-i)*8));
 	}
@@ -350,7 +350,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	exheader_set_offset(&ctx->exheader, ncch_get_exheader_offset(ctx) );
 	exheader_set_size(&ctx->exheader, ncch_get_exheader_size(ctx) );
 	exheader_set_usersettings(&ctx->exheader, ctx->usersettings);
-	exheader_set_partitionid(&ctx->exheader, ctx->header.partitionid);
+	exheader_set_titleid(&ctx->exheader, ctx->header.titleid);
 	exheader_set_programid(&ctx->exheader, ctx->header.programid);
 	exheader_set_hash(&ctx->exheader, ctx->header.extendedheaderhash);
 	exheader_set_counter(&ctx->exheader, exheadercounter);
@@ -360,7 +360,7 @@ void ncch_process(ncch_context* ctx, u32 actions)
 	exefs_set_file(&ctx->exefs, ctx->file);
 	exefs_set_offset(&ctx->exefs, ncch_get_exefs_offset(ctx) );
 	exefs_set_size(&ctx->exefs, ncch_get_exefs_size(ctx) );
-	exefs_set_partitionid(&ctx->exefs, ctx->header.partitionid);
+	exefs_set_titleid(&ctx->exefs, ctx->header.titleid);
 	exefs_set_usersettings(&ctx->exefs, ctx->usersettings);
 	exefs_set_counter(&ctx->exefs, exefscounter);
 	exefs_set_keys(&ctx->exefs, ctx->key[0], ctx->key[1]);
@@ -630,7 +630,7 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 			// - get keyY
 			if (header->flags[7] & 0x20)
 			{
-				seed = settings_get_seed(ctx->usersettings, getle64(header->partitionid));
+				seed = settings_get_seed(ctx->usersettings, getle64(header->programid));
 				if (!seed)
 				{
 					fprintf(stderr, "This title uses seed crypto, but no seed is set, unable to decrypt.\n"
@@ -735,7 +735,7 @@ void ncch_print(ncch_context* ctx)
 	else
 		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);
 	fprintf(stdout, "Content size:           0x%08"PRIx64"\n", getle32(header->contentsize)*mediaunitsize);
-	fprintf(stdout, "Partition id:           %016"PRIx64"\n", getle64(header->partitionid));
+	fprintf(stdout, "Title id:           %016"PRIx64"\n", getle64(header->titleid));
 	fprintf(stdout, "Maker code:             %.2s\n", header->makercode);
 	fprintf(stdout, "Version:                %d\n", getle16(header->version));
 	fprintf(stdout, "Title seed check:       %08x\n", getle32(header->seedcheck));
diff --git a/ctrtool/ncch.h b/ctrtool/ncch.h
index d480ed6e..94d29687 100644
--- a/ctrtool/ncch.h
+++ b/ctrtool/ncch.h
@@ -33,7 +33,7 @@ typedef struct
 	u8 signature[0x100];
 	u8 magic[4];
 	u8 contentsize[4];
-	u8 partitionid[8];
+	u8 titleid[8];
 	u8 makercode[2];
 	u8 version[2];
 	u8 seedcheck[4];
diff --git a/ctrtool/ncsd.c b/ctrtool/ncsd.c
index 4a7d9284..ab9fae8f 100644
--- a/ctrtool/ncsd.c
+++ b/ctrtool/ncsd.c
@@ -147,7 +147,7 @@ void ncsd_print(ncsd_context* ctx)
 		if (partitionsize != 0)
 		{
 			fprintf(stdout, "Partition %d            \n", i);
-			memdump(stdout, " Id:                    ", header->partitionid+i*8, 8);
+			memdump(stdout, " Id:                    ", header->titleid+i*8, 8);
 			fprintf(stdout, " Area:                  0x%08X-0x%08X\n", partitionoffset, partitionoffset+partitionsize);
 			fprintf(stdout, " Filesystem:            %02X\n", header->partitionfstype[i]);
 			fprintf(stdout, " Encryption:            %02X\n", header->partitioncrypttype[i]);
diff --git a/ctrtool/ncsd.h b/ctrtool/ncsd.h
index afd895a6..2d6ee53b 100644
--- a/ctrtool/ncsd.h
+++ b/ctrtool/ncsd.h
@@ -25,7 +25,7 @@ typedef struct
 	u8 additionalheadersize[4];
 	u8 sectorzerooffset[4];
 	u8 flags[8];
-	u8 partitionid[0x40];
+	u8 titleid[0x40];
 	u8 reserved[0x30];
 } ctr_ncsdheader;
 

From b53b2ce8fea4a4e25fdc971ca865425c5e9dcc12 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 6 Jun 2017 12:57:10 +0800
Subject: [PATCH 208/317] [ctrtool] Fix typo.

---
 ctrtool/ncch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 14ff9a93..ff3f6696 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -735,7 +735,7 @@ void ncch_print(ncch_context* ctx)
 	else
 		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);
 	fprintf(stdout, "Content size:           0x%08"PRIx64"\n", getle32(header->contentsize)*mediaunitsize);
-	fprintf(stdout, "Title id:           %016"PRIx64"\n", getle64(header->titleid));
+	fprintf(stdout, "Title id:               %016"PRIx64"\n", getle64(header->titleid));
 	fprintf(stdout, "Maker code:             %.2s\n", header->makercode);
 	fprintf(stdout, "Version:                %d\n", getle16(header->version));
 	fprintf(stdout, "Title seed check:       %08x\n", getle32(header->seedcheck));

From cbfa5398a921817064dc2dd3862d654c408bde7f Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 6 Jun 2017 12:58:49 +0800
Subject: [PATCH 209/317] [ctrtool] Fix compiling on Visual Studio.

---
 ctrtool/syscalls.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ctrtool/syscalls.c b/ctrtool/syscalls.c
index cd37cf81..f4505357 100644
--- a/ctrtool/syscalls.c
+++ b/ctrtool/syscalls.c
@@ -139,8 +139,13 @@ static const char *const syscall_list[NUM_SYSCALLS] =
 
 void syscall_get_name(char *output, size_t size, unsigned int call_num)
 {
+#ifdef _MSC_VER
+	typedef char StaticAssert[sizeof(syscall_list) / sizeof(syscall_list[0]) == NUM_SYSCALLS ? 1 : -1];
+#else
 	_Static_assert(sizeof(syscall_list) / sizeof(syscall_list[0]) == NUM_SYSCALLS,
 		"syscall table length mismatch");
+#endif
+	
 
 	if (size == 0)
 	{

From e5b79babc8f0a958d1ba0a6d14e0d62bc7bc8f2f Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Tue, 6 Jun 2017 14:00:46 +0800
Subject: [PATCH 210/317] [ctrtool] Catch failure to load ncch keyX properly.

---
 ctrtool/ncch.c | 55 ++++++++++++++++++++++----------------------------
 1 file changed, 24 insertions(+), 31 deletions(-)

diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index ff3f6696..67e684b8 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -520,6 +520,7 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 	u8 exheader_buffer[0x400];
 	u8 seedbuf[0x20];
 	u8* seed;
+	u8* keyX = NULL;
 	u8 hash[0x20];
 	ctr_ncchheader* header = &ctx->header;	
 	struct sNcchKeyslot
@@ -589,44 +590,36 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 
 			// setup second keyslot seed (romfs, exefs:!(icon|banner))
 			// - get keyX
-			if (header->flags[3] == 0)
-			{
-				memcpy(key[1].x, key[0].x, 0x10);
-			}
-			else if (header->flags[3] == 1)
-			{
-				if (settings_get_ncchkeyX_seven(ctx->usersettings) == NULL)
-				{
-					fprintf(stderr, "Error, could not read NCCH 7.0 keyX.\n");
-					return;
-				}
-				memcpy(key[1].x, settings_get_ncchkeyX_seven(ctx->usersettings), 0x10);
-			}
-			else if (header->flags[3] == 10)
-			{
-				if (settings_get_ncchkeyX_ninethree(ctx->usersettings) == NULL)
-				{
-					fprintf(stderr, "Error, could not read NCCH 9.3 keyX.\n");
-					return;
-				}
-				memcpy(key[1].x, settings_get_ncchkeyX_ninethree(ctx->usersettings), 0x10);
-			}
-			else if (header->flags[3] == 11)
+
+			switch (header->flags[3])
 			{
-				if (settings_get_ncchkeyX_ninesix(ctx->usersettings) == NULL)
-				{
-					fprintf(stderr, "Error, could not read NCCH 9.6 keyX.\n");
-					return;
-				}
-				memcpy(key[1].x, settings_get_ncchkeyX_ninesix(ctx->usersettings), 0x10);
+			case(0):
+				keyX = settings_get_ncchkeyX_old(ctx->usersettings);
+				break;
+			case(1):
+				keyX = settings_get_ncchkeyX_seven(ctx->usersettings);
+				break;
+			case(10):
+				keyX = settings_get_ncchkeyX_ninethree(ctx->usersettings);
+				break;
+			case(11):
+				keyX = settings_get_ncchkeyX_ninesix(ctx->usersettings);
+				break;
+			default:
+				fprintf(stderr, "Warning, unknown NCCH crypto method.\n");
+				ctx->encrypted = NCCHCRYPTO_BROKEN;
+				return;
 			}
-			else
+
+			if (keyX == NULL)
 			{
-				fprintf(stderr, "Warning, unknown NCCH crypto method.\n");
+				fprintf(stderr, "Error, could not read NCCH keyX.\n");
 				ctx->encrypted = NCCHCRYPTO_BROKEN;
 				return;
 			}
 
+			memcpy(key[1].x, keyX, 0x10);
+
 			// - get keyY
 			if (header->flags[7] & 0x20)
 			{

From b14842897c14fb86048e70bc0cf0331dfd6358fb Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Wed, 12 Jul 2017 16:34:07 +1000
Subject: [PATCH 211/317] [ctrtool] Fixed decryption of exefs.

---
 ctrtool/exefs.c | 31 +++++++++++++++++++++----------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index 58e344ca..51e522f6 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -73,7 +73,7 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 	u8* decompressedbuffer = 0;
 	filepath* dirpath = 0;
 	
-	
+	// determine offset/size of target
 	offset = getle32(section->offset) + sizeof(exefs_header);
 	size = getle32(section->size);
 	dirpath = settings_get_exefs_dir_path(ctx->usersettings);
@@ -87,6 +87,7 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 		return;
 	}
 
+	// create new file
 	memset(name, 0, sizeof(name));
 	memcpy(name, section->name, 8);
 
@@ -108,11 +109,24 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 		goto clean;
 	}
 
+	// seek in source file to location of target data
 	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	ctr_init_key(&ctx->aes, ctx->key[0]);
-	ctr_init_counter(&ctx->aes, ctx->counter);
-	ctr_add_counter(&ctx->aes, offset / 0x10);
 
+	// do decryption prep
+	if (ctx->encrypted)
+	{
+		// setup aes counter
+		ctr_init_counter(&ctx->aes, ctx->counter);
+		ctr_add_counter(&ctx->aes, offset / 0x10);
+
+		// setup key
+		if (strncmp((const char*)section->name, "icon", 8) == 0 || strncmp((const char*)section->name, "banner", 8) == 0)
+			ctr_init_key(&ctx->aes, ctx->key[0]);
+		else
+			ctr_init_key(&ctx->aes, ctx->key[1]);
+	}
+
+	// if this is file0, and compression is set or forced: decompress section
 	if (index == 0 && (ctx->compressedflag || (flags & DecompressCodeFlag)) && ((flags & RawFlag) == 0))
 	{
 		fprintf(stdout, "Decompressing section %s to %s...\n", name, outfname);
@@ -131,12 +145,9 @@ void exefs_save(exefs_context* ctx, u32 index, u32 flags)
 			goto clean;
 		}
 
-		if (ctx->encrypted) {
-			if (strncmp((const char*)section->name, "icon", 8) == 0 || strncmp((const char*)section->name, "banner", 8) == 0)
-				ctr_init_key(&ctx->aes, ctx->key[0]);
-			else
-				ctr_init_key(&ctx->aes, ctx->key[1]);
-		}
+		// decrypt if required
+		if (ctx->encrypted)
+			ctr_crypt_counter(&ctx->aes, compressedbuffer, compressedbuffer, compressedsize);
 
 
 		decompressedsize = lzss_get_decompressed_size(compressedbuffer, compressedsize);

From 61bf664fdacca5d0c2aafcb5e28faf5253e772db Mon Sep 17 00:00:00 2001
From: d0k3 <tore.anon@gmail.com>
Date: Sun, 29 Oct 2017 14:58:55 +0100
Subject: [PATCH 212/317] Always link compiler libs statically on Windows.

---
 ctrtool/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 8f07f97e..798f688b 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -15,14 +15,14 @@ ifneq (, $(findstring linux, $(SYS)))
 else ifneq(, $(findstring cygwin, $(SYS)))
     # Cygwin
     CFLAGS += -Wno-unused-but-set-variable -DUSE_FILE32API
-    LIBS += -liconv
+    LIBS += -liconv -static-libgcc -static-libstdc++
 else ifneq(, $(findstring darwin, $(SYS)))
     # OS X
     LIBS += -liconv
 else
     #Windows Build CFG
     CFLAGS += -Wno-unused-but-set-variable
-    LIBS += -static-libgcc
+    LIBS += -static-libgcc -static-libstdc++
 endif
 
 main: $(OBJS)

From acb110323e1b89c20c14002ca9f4b6a77dfabf62 Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Fri, 12 Jan 2018 21:00:53 +0800
Subject: [PATCH 213/317] [ctrtool] Fixes issue #60

---
 ctrtool/exefs.c |  2 +-
 ctrtool/exefs.h |  7 ++--
 ctrtool/ncch.c  | 97 ++++++++++++++++++++++++++++++++++++++++++++++---
 3 files changed, 96 insertions(+), 10 deletions(-)

diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
index 51e522f6..465bc8b3 100644
--- a/ctrtool/exefs.c
+++ b/ctrtool/exefs.c
@@ -315,7 +315,7 @@ void exefs_print(exefs_context* ctx)
 	u32 sectsize;
 
 	fprintf(stdout, "\nExeFS:\n");
-	for(i=0; i<8; i++)
+	for(i=0; i<EXEFS_SECTION_NUM; i++)
 	{
 		exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + i);
 
diff --git a/ctrtool/exefs.h b/ctrtool/exefs.h
index 2d1c4102..fd6e8f09 100644
--- a/ctrtool/exefs.h
+++ b/ctrtool/exefs.h
@@ -7,6 +7,7 @@
 #include "filepath.h"
 #include "settings.h"
 
+#define EXEFS_SECTION_NUM 8
 
 typedef struct
 {
@@ -18,9 +19,9 @@ typedef struct
 
 typedef struct
 {
-	exefs_sectionheader section[8];
+	exefs_sectionheader section[EXEFS_SECTION_NUM];
 	u8 reserved[0x80];
-	u8 hashes[8][0x20];
+	u8 hashes[EXEFS_SECTION_NUM][0x20];
 } exefs_header;
 
 typedef struct
@@ -35,7 +36,7 @@ typedef struct
 	exefs_header header;
 	ctr_aes_context aes;
 	ctr_sha256_context sha;
-	int hashcheck[8];
+	int hashcheck[EXEFS_SECTION_NUM];
 	int compressedflag;
 	int encrypted;
 } exefs_context;
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 67e684b8..7099788c 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -182,6 +182,7 @@ void ncch_save(ncch_context* ctx, u32 type, u32 flags)
 	FILE* fout = 0;
 	filepath* path = 0;
 	u8 buffer[16*1024];
+	exefs_header exefs_hdr;
 
 
 	if (0 == ncch_extract_prepare(ctx, type, flags))
@@ -215,22 +216,106 @@ void ncch_save(ncch_context* ctx, u32 type, u32 flags)
 		case NCCHTYPE_PLAINRGN: fprintf(stdout, "Saving Plain Region...\n"); break;
 	}
 
-	while(1)
+	// special crypto considerations for exefs when two keys are used
+	if (type == NCCHTYPE_EXEFS && ctx->header.flags[3] > 0 && ctx->encrypted)
 	{
 		u32 read_len;
 
-		if (0 == ncch_extract_buffer(ctx, buffer, sizeof(buffer), &read_len, type == NCCHTYPE_LOGO || type == NCCHTYPE_PLAINRGN))
+		// read header
+		if (0 == ncch_extract_buffer(ctx, (u8*)&exefs_hdr, sizeof(exefs_hdr), &read_len, 0))
 			goto clean;
 
-		if (read_len == 0)
-			break;
-
-		if (read_len != fwrite(buffer, 1, read_len, fout))
+		if (read_len != fwrite(&exefs_hdr, 1, read_len, fout))
 		{
 			fprintf(stdout, "Error writing output file\n");
 			goto clean;
 		}
+
+		for (int i = 0; i < 8; i++)
+		{
+			
+			// get section size
+			u32 section_size = getle32(exefs_hdr.section[i].size);
+			u32 section_padding = align(section_size, 0x200)-section_size;
+
+			// skip empty sections
+			if (section_size == 0)
+				continue;
+
+			// select correct key
+			if (strncmp((char*)exefs_hdr.section[i].name, "icon", 8) == 0 || strncmp((char*)exefs_hdr.section[i].name, "banner", 8) == 0)
+				ctr_init_key(&ctx->aes, ctx->key[0]);
+			else
+				ctr_init_key(&ctx->aes, ctx->key[1]);
+
+			// set counter
+			u8 ctr[16];
+			ncch_get_counter(ctx, ctr, NCCHTYPE_EXEFS);
+			ctr_init_counter(&ctx->aes, ctr);
+			ctr_add_counter(&ctx->aes, (getle32(exefs_hdr.section[i].offset) + sizeof(exefs_header)) / 0x10);
+
+			// extract data
+			while (section_size > 0)
+			{
+				read_len = sizeof(buffer);
+				if (read_len > section_size)
+					read_len = section_size;
+
+
+				if (read_len != fread(buffer, 1, read_len, ctx->file))
+				{
+					fprintf(stdout, "Error reading input file\n");
+					goto clean;
+				}
+
+				ctr_crypt_counter(&ctx->aes, buffer, buffer, read_len);
+
+				if (read_len != fwrite(buffer, 1, read_len, fout))
+				{
+					fprintf(stdout, "Error writing output file\n");
+					goto clean;
+				}
+
+
+				section_size -= read_len;
+			}
+
+			// skip the padding
+			if (section_padding)
+			{
+				fseeko64(ctx->file, section_padding, SEEK_CUR);
+				memset(buffer, 0, section_padding);
+				if (section_padding != fwrite(buffer, 1, section_padding, fout))
+				{
+					fprintf(stdout, "Error writing output file\n");
+					goto clean;
+				}
+
+			}
+
+			ctx->extractsize -= section_size + section_padding;
+		}
 	}
+	else
+	{
+		while (1)
+		{
+			u32 read_len;
+
+			if (0 == ncch_extract_buffer(ctx, buffer, sizeof(buffer), &read_len, (type == NCCHTYPE_LOGO || type == NCCHTYPE_PLAINRGN)))
+				goto clean;
+
+			if (read_len == 0)
+				break;
+
+			if (read_len != fwrite(buffer, 1, read_len, fout))
+			{
+				fprintf(stdout, "Error writing output file\n");
+				goto clean;
+			}
+		}
+	}
+	
 clean:
 	if (fout)
 		fclose(fout);

From 148811d8b2daefc03e896bb8e83ef06d2172943a Mon Sep 17 00:00:00 2001
From: Jonir Rings <peterpuyi@live.cn>
Date: Wed, 16 May 2018 01:04:33 +0800
Subject: [PATCH 214/317] makefile fix: make complains "Extraneous text after
 `else' directive" and cause incorrect platform judgement on osx

---
 ctrtool/Makefile | 4 ++--
 makerom/Makefile | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index 798f688b..be6e85b7 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -12,11 +12,11 @@ SYS := $(shell gcc -dumpmachine)
 ifneq (, $(findstring linux, $(SYS)))
     # Linux
     CFLAGS += -Wno-unused-but-set-variable
-else ifneq(, $(findstring cygwin, $(SYS)))
+else ifneq (, $(findstring cygwin, $(SYS)))
     # Cygwin
     CFLAGS += -Wno-unused-but-set-variable -DUSE_FILE32API
     LIBS += -liconv -static-libgcc -static-libstdc++
-else ifneq(, $(findstring darwin, $(SYS)))
+else ifneq (, $(findstring darwin, $(SYS)))
     # OS X
     LIBS += -liconv
 else
diff --git a/makerom/Makefile b/makerom/Makefile
index f7ae6262..5192bf4c 100644
--- a/makerom/Makefile
+++ b/makerom/Makefile
@@ -10,11 +10,11 @@ SYS := $(shell gcc -dumpmachine)
 ifneq (, $(findstring linux, $(SYS)))
     # Linux
     CFLAGS += -Wno-unused-but-set-variable
-else ifneq(, $(findstring cygwin, $(SYS)))
+else ifneq (, $(findstring cygwin, $(SYS)))
     # Cygwin
     CFLAGS += -Wno-unused-but-set-variable
     LIBS += -liconv
-else ifneq(, $(findstring darwin, $(SYS)))
+else ifneq (, $(findstring darwin, $(SYS)))
     # OS X
     LIBS += -liconv
 else

From 046bb359ee95423938886dbf477d00690aaecd3e Mon Sep 17 00:00:00 2001
From: Khangaroo <khang06@users.noreply.github.com>
Date: Sun, 3 Jun 2018 19:02:50 -0400
Subject: [PATCH 215/317] Always assume exheader is 1024 bytes long (#70)

* always assume exheader is 1024 bytes long

* oops
---
 ctrtool/ncch.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 7099788c..781cc96e 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -416,6 +416,12 @@ void ncch_process(ncch_context* ctx, u32 actions)
 		return;
 	}
 
+	if (getle32(ctx->header.extendedheadersize) != 0x400)
+	{
+		fprintf(stdout, "Error, exheader is 0x%02x bytes long, expected 0x0400\n", getle32(ctx->header.extendedheadersize));
+		return;
+	}
+
 	ncch_determine_key(ctx, actions);
 
 	ncch_get_counter(ctx, exheadercounter, NCCHTYPE_EXHEADER);
@@ -619,9 +625,9 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 	// Check if the NCCH is already decrypted, by checking if the exheader hash matches
 	// Otherwise, use determination rules
 	fseeko64(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
-	memset(exheader_buffer, 0, getle32(header->extendedheadersize));
-	fread(exheader_buffer, 1, getle32(header->extendedheadersize), ctx->file);
-	ctr_sha_256(exheader_buffer, getle32(header->extendedheadersize), hash);
+	memset(exheader_buffer, 0, 0x400);
+	fread(exheader_buffer, 1, 0x400, ctx->file);
+	ctr_sha_256(exheader_buffer, 0x400, hash);
 	if (!memcmp(hash, header->extendedheaderhash, 32))
 	{
 		// exheader hash matches, so probably decrypted
@@ -825,7 +831,7 @@ void ncch_print(ncch_context* ctx)
 	else
 		memdump(stdout, "Logo hash (FAIL):       ", header->logohash, 0x20);
 	fprintf(stdout, "Product code:           %.16s\n", header->productcode);
-	fprintf(stdout, "Exheader size:          %08x\n", getle32(header->extendedheadersize));
+	fprintf(stdout, "Exheader size:          00000400\n"); //this is always the same
 	if (ctx->exheaderhashcheck == Unchecked)
 		memdump(stdout, "Exheader hash:          ", header->extendedheaderhash, 0x20);
 	else if (ctx->exheaderhashcheck == Good)

From 52dbe5e187a2d5b1ea2fbf6537db7cc058d09f66 Mon Sep 17 00:00:00 2001
From: Steveice10 <Steveice10@gmail.com>
Date: Fri, 6 Jul 2018 17:01:51 -0700
Subject: [PATCH 216/317] Only extract contents marked in the CIA content
 index.

---
 ctrtool/cia.c   |  32 +++++++++++++++++---------------
 ctrtool/ctrtool | Bin 0 -> 279024 bytes
 2 files changed, 17 insertions(+), 15 deletions(-)
 create mode 100755 ctrtool/ctrtool

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index cac32601..a0347633 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -102,23 +102,25 @@ void cia_save(cia_context* ctx, u32 type, u32 flags)
 			chunk = (ctr_tmd_contentchunk*)(body->contentinfo + (sizeof(ctr_tmd_contentinfo) * TMD_MAX_CONTENTS));
 
 			for(i = 0; i < getbe16(body->contentcount); i++) {
-				sprintf(tmpname, "%s.%04x.%08x", path->pathname, getbe16(chunk->index), getbe32(chunk->id));
-				fprintf(stdout, "Saving content #%04x to %s\n", getbe16(chunk->index), tmpname);
-				
-				contentflags = getbe16(chunk->type);
-				docrypto = contentflags & 1 && !(flags & PlainFlag);
-
-				if(docrypto) // Decrypt if needed
-				{
-					ctx->iv[0] = (getbe16(chunk->index) >> 8) & 0xff;
-					ctx->iv[1] = getbe16(chunk->index) & 0xff;
-
-					ctr_init_cbc_decrypt(&ctx->aes, ctx->titlekey, ctx->iv);
-				}
+				if(ctx->header.contentindex[i >> 3] & (0x80 >> (i & 7))) {
+					sprintf(tmpname, "%s.%04x.%08x", path->pathname, getbe16(chunk->index), getbe32(chunk->id));
+					fprintf(stdout, "Saving content #%04x to %s\n", getbe16(chunk->index), tmpname);
+
+					contentflags = getbe16(chunk->type);
+					docrypto = contentflags & 1 && !(flags & PlainFlag);
+
+					if(docrypto) // Decrypt if needed
+					{
+						ctx->iv[0] = (getbe16(chunk->index) >> 8) & 0xff;
+						ctx->iv[1] = getbe16(chunk->index) & 0xff;
 
-				cia_save_blob(ctx, tmpname, offset, getbe64(chunk->size) & 0xffffffff, docrypto);
+						ctr_init_cbc_decrypt(&ctx->aes, ctx->titlekey, ctx->iv);
+					}
 
-				offset += getbe64(chunk->size) & 0xffffffff;
+					cia_save_blob(ctx, tmpname, offset, getbe64(chunk->size) & 0xffffffff, docrypto);
+
+					offset += getbe64(chunk->size) & 0xffffffff;
+				}
 				chunk++;
 			}
 
diff --git a/ctrtool/ctrtool b/ctrtool/ctrtool
new file mode 100755
index 0000000000000000000000000000000000000000..484368dfcfdb5c3c2a3f19265852a7e7e0c8a2e7
GIT binary patch
literal 279024
zcmce933yaR)^>Lm2uQp^K{JZdN~=K;6E&I$8M{dbZfk;J(~P1aLIP-jNV*{kNU+n8
zYjZWDIN~yjJL57k>aYu)umoHq=!l{cap5)riJ~F0<$q6A-R_&x_|5-6-}A>u?ya{@
zojSFhb85NO^YikD$Jy;R^Do}^XB!K7IN}l!>DMHfBsP~V%hm(`_P3pD>jso!Tq0I}
zwhPwgGfB|J<4NhV;y55b`w2SpX-Y`XL=pFUk5D;rw%N?5&E{ZXN=LG$SMvDu$^i^F
zpRPVEXiK|^Kh1O`9;FM<<LSclcslc$BIGxpX8EXW^#529FF!qqqd)UWwDec_oo^Do
zPddO8%FkE(GBTU_G}DbjI+F9h{Yw#qqeXsQ)k{+^PG~;OcDSs3>g`uud0F|SOUtKD
z_g7t7m37snS6w-{a>n4xS-FWn(T*57jxnIx6IH?Dsk#ZH_+5LB9!)QK`s6=7<$qTC
z-k)5tFzF$RbK!rp-E4_?v-gW5%#Htt;s1f>Ebf>6Q>fn?&mKALip@t(1Jvc;?MVK6
z1P77g_wYL*?C;_K?1E2S7dZ8c-{Ui}3p@b){NE|XrY`vJ=>pffz#r@azrG86N*DM$
zUEs^Qz}I(yQ}5{gJLT=)Mg3HDffsav$8~{ccOg%YF6iUBpns?f`omrHtB<<i^H~>o
zMHl$-F7UiA@OQhA)71t2U%H?_*aiKuF3MZiMf;|9!GA#){GaWDeoYto-q8j9(k}Rq
z=z{)47xcGvLBFyK`i3s(Z|;Kr@h<2OcR@d=i+Z@S3qJip@4)}^pQ8)@GrQpPk1p_a
zUEpLF9CD@ze~$luPfrd3?!f=@pQ{W0-$VZ1wzF*2i@2RO?eV3cCw!TNUnuZe2_GZ)
zEEl+GXKk>1mA*+6FS&$l-Bq^Y;>puyOfRnVmCW=N7u$-xV+)EWmCh`kJhjqSI&*A6
zZuyMqrDIEOFE8bBzaMk+*c(S?q!$-Ytg0%xed?@?jH~fpUQ$_E?7O?7w0P?DvKe`l
zRaI4SMd{4S8PiM3r~2+Lo|SGZmXlr%HkDI<FZIN#l49SKnKNb=-(E7QxMb$clDmti
zm(DIOFP%QwHwEm8pu#`1w0PFknLd9>Ihao`nTCHSl^4!p&yvDf1kRpD)i90M0Ny4~
zoLF2*p$uE`xaqT}PM=gfy0p?it(3?na<WR_%!w6u+e)jZ`fO!0DoUr@fJ~n_t->~=
z!iN;Lsg)(=6;n!VWxmq#avlkK6vkIF@y_CjQ|>G-E16nutML0KPAQpbn|9}<sWWY}
zDl2AAo$f2M`DT>Qm|Z#(^r*E`v;`xcT3K09GO^TFHo4SSX`5J5UOr<Yu||<?(@LjR
zmikz>)BV$IWtF9+cM?b<p@nDoAtz<VV`f}+B@0$E5(ri{v3y2lDKYcS@R!@B3Eq_x
zOQx4mkxFJxCN`xrXWEcCfMWE7$+oiDGpG6>(9F^j6nWx|>9f#O#HhqKqm2HUN-QT%
znTgzZ$rzC!W%b4zs%$ECf_u=dimOmXK9XzNj9E+~DnfBF)xGGL(@LgJx0OMb88dB_
z(*<M5P-+{In_GOv;B;GVQIUI?w>V?)6@#;^fow~_HX`3U41`E<C4Voz-13$Y11}$(
zi2)l24=?Ty|4R_DiR?+#-Pl`qf%DYy@EG}9QYYNxO|dr2NO+k0-DVuc(4QUuorW=O
z>Yu_3?>>dnGzkJb@<23;FT}Izqt_9iWZQ*!N^>_0ce8yb!aHBT6Vs3c+fO3w8~6}Z
zO}y<ylwZ8<GLavW+xkqMnryRmxAlNyOZ=An^>1+36K$u9u>Y*7J*dXcCC3+k=Dftz
zU(FtlXNh@>i7yklD&ejzT#!NuA1Ux63BOt36C}J$;8P@gp1><4e2KuTB>XjjS4;R-
zf!9j-PJ!1+_*Vj7D&hMDzD&Z83w*hRpSqRT&k6~53VgMMUnB6agpU^ZHVMB&;7t-<
zBk)}kUMuis311>`L&BdCc&mi}OW^Gi-XL(Bud`kJK;TId{<*+YB>X#pr%L#b0(VIG
zQGusPc(+Dg|LGFmTi{s|K0x3u3BO$6s)XkXyimf61YRWJQw2Uj!u<lDBH{N7yh6gC
z7I>9}zb5c%34dGQwG#fW!0ROZGl4Ia@O=VbCgE)YUoPPZ+eH7D@Y4joTEYhiJS^c?
z3VfS{=Lx(?!fzD#E(tFac(a7h6u2Sb^90^1;r9!?UBaIhxXs_W|Gy&eBne+H@DvH(
zCGb=UZxgsf!n<$h^_(W*$pTN8@csg?lJIPSS4+4@;I$H7B=9;3FBAAu3HJ$nnS=)g
zzFflpCh!#!{*u5~OZaMmhb4TQz_&^Ge+1qn;ol2<mxSBj;q}}s;b#imknl?d-YVh4
z1l}&;*9qJ<t8@RkQQ%1uULx=m2`?A8OTy;}T$S(#1YRiN%LHB|;VT6`LBih^_!J5M
zO5ha|eo)|55`IkJ)e_#D78vkXE8!OjyiUTe75GvKA0_Z*5<W@b%O(6Cfrlmh0fBFm
z@aF{HB;jufe3yhb3fz$JPXyj7;ok_nUBZ7BxNUal{*(M3ueT%#KTqH(5}qaSR0$s;
zaEF8!3Or51iv_Mqc-mYpU!jEGKZ(m(B;nr*e1e1@7|rRYNVshb$15bfkHD)W{2j4y
zUM=C*+{F3RO8CNY9Iun`C4zpbg!d`p^vfl@S=7S{3BT?ZPQO~hCkZ?(;dKJvCgINu
zyh*}W3w)P^HwnC1!oL-`A>r);Z<X*~<GK9p67CRqQdQ^vxm@gbq)2#5Dd&?a;WrE1
zA>pGR=JaV2p0$YMSrYCN_3x7K;k0m$KUKmj1YRiNUtGuOizM7x!|@3c-j5dc@Ha)m
z2MN4F!iNgHO2VHM@>EOsctKw);pGCalkm9$Un=2?1-?wepA`6V34dA0vqHkx3;NX(
z{+__Y68_@#ynePx_$-0%lJFwYj?EJO=i50SL&BE|yj8+C3%p&zd+MBz?e5O~wx5tc
zNy5!`Op)-Rf<9Hk^9AmZ@bLmqlknq0&U6W%E9kQ%+-ygegg+_hRSADp;Dr*tUf@L%
z-cz*u1PPxa#>Er~&k}frgx@!U*K@UmSBUnlmGJQ;oW4%N7Ycl-gpbYT^vfi?=6;SZ
zm+*d~yelN!Y~R%qK2*?$CERS^Z4$m&$k`;}<$}*H37;$QW(i*`a6`hM6nLwIzbf!{
z3Ev^)vE9?TpT8&QlO#MLkJnp@gn#VexI@BgMLVWR_}mGcK3&3J6nK_|x4JpKOTr%t
za$J>gvmFa1e2^$tk%aFM`A(4Vd_g}&!p94|Lc+@hUM1mXJ622hVnJUk;mtyxIthPO
z&@Ywn^#Wfe;qM82xr8?l<Mp;e!dD19EaA&UJ8qNknu|D}CJBE>;JYOJD%vo?U$cbY
zF_+_pgq!WyD&d!l`e~Q&p`yIDIi34+zQB_te7wL@B)nYUsS-X{;0_6Q33<{a{7FHd
zF5zZ7W=Z&ZLGO}qvmI3lU!KA1tx&=bq;q_Ngs(RBs)Y9w`PNDJAb~HH@Sy@<CgJ%4
zUoPR}1-?SU%LTq#!siM+Ea8g<zD>fP6nK+_zbf!u624yG%@Y2ez-^+Q%=Pdl5l)x!
zy}X{YB;54#RT&rbg%WPI%LEB;74%ai+@!CP@T70JJk=6z($`6Ns-Ryg;U@iZ2~QLB
zD<s^c4@-EKpx-9pO(MKY!c{?UNO+OJ+a<hC%p+{#X|~tjdhvQllJF*hr%1Rugwv-=
z_+B5!9TIMs^9~6gB>GRfgbx*XmW1aE+$G`T1+GeXxxfo0yiLecB;kt%{R9a&$IBE6
ze^t;|NVqv(swDh9L0>K5A78`ktyaRn5cRxN!d(YA{W1wR`_&2wFBJ5vCEV;+#)8iJ
z-wfOC>x>V1LA0-g=L*~<;a-7HkZ`BKt0nv$fiIKrqtEkv!xBDH&^Jr?Sb^IDo#pQ>
zaEF8!3EU;&B?6xy;bj7^mhc$@Unb%40uM|0EP*#m_`L$R)pV9WC~${_YXWyk_(KAp
zAmL94yjsGa75Fj<e_7yR34cT2%@XbqxGmUO{<j70knpVncS(4Yz$ZxfX9BO5@UH~E
zOu`QeJS^dD0&kY^4uRVic9y@_i=zKa_~`<#mhiOCIeo2!X9&Db!mk$iQVG9a;L9ZZ
zc7ZRK@OuTmLc*UA_-YCNx4^>^-YD>G68@FIn<V@ff$x&=Ub}fcG)wqJ0yiYwCGb`W
zuM&8>gx3k&A)Oy;5q2<L!haOFOTya(UMS(m1U^B+<G$tPsuF$?on6Rb9y|Z1x(nRs
z0&ndCPZf4t=I`hNPqW|`LKHgdK!2_-@S-m8iZ1ZlF7Rbt;HF(7`K|KQ340{t%e%l$
zdqwngPR%S=vn5|E-ZY<&UpkX*`Z{>E?Xuuk6CnPYE%-Gih^Jw}hg$Gf3;t&dK0)+P
zl9SHhn19ux|IpcamkHu&o_iyFm<3;Ep?6zw^E@2U=UVX8YF^&%z$kC?&tbuNkL59G
z7Chc0#xvc5N6*{=&$8f@xB2I?;8fS<pK8HLCiAb*g5$tV^smT*_l%-8+XM@a13}Th
zDHdEDk!Nug790nDqJLEu{M0CFvsGJg#e&ybaI>#bbe#pao||53!B4mFS!Th-Ck`xj
zxdrcQp<iLa&#>UDE%=!hJZ!;JE%-JI{wE9GWWmp};JYmN*%rLnf}7uhP_$ve&#}<A
zTJUo%c)JCsv#-%V;eS#eaYR9kSqpxi1y8Zy=Uebp3(iLZk91gYr-eSvf?r_4(=GT#
z7Cg&>r&(~91s`a^RSSNx1uwMVmss#33qHt#Pq5&ZTJR|re6R(tu;7<j@G1+QZo#W9
zc!mY9wcwXq@Hz{Ag#}+~!LPL7%Pja+7JRt{&$8evEO@pBUv0tZOtSeGw&2&AAf9UA
zK$03t3|=?DrUt{lxQ-?@usLaytt0axKpht>!M{p>7v3m5g;GYEJMeeG{S+n@8fjwT
z`zTDRGZJRudnimQGqQq(XHu9{Wn>u(-$7wgk&!wUzMaCP8Y9&#d^3fqyGJTmcr=B{
zL`5dB@O2a>)fg#c;b9ael^Aic@HG@BRTxQU;mavZDlp<;;fpCusxOkl!sk<%R9?i!
z!e>#KR9&R?B!CM}qcEwsNHYufq%f(rND~XkQJ73?B+SA`y$F+vi>zSbpD0YKEwYS-
z_fwcuTBMGJ_fnWtS)`hUKc_IMut)_9@1QWLuE+!yeuu)OvLb~n+(2PcRS_2puca`l
zs7N{szd>PAO%VqRzf56LNs$y5ewM<diXt`^ew@Ojf+DRasQeF6*g@fD7QUatq;eun
zEPNk@N!3KcEPM}zNyS7~u<%R@lWK`9W8pg}Oe!T($HKQ$m|UMoH4EQNVNxxT3Kkws
zVNxlP2`qdag-Mk}3R!p<g-L}(Tr7MIg-LZp(pmU&3X{r+I9T{%3X`gcq_FV$6eblB
zv9a)36eiUWX+6%`pTeXPBF!w^lftA5B26qDM`2O{kuVD%RS~A4A6db|KT(*5d}J95
z@24=iK9M?v-8W_ISVIny`$qRTul7qun|tgy?Zg;WKPTvqv#ARXsDH=Tc4{c$0;&U5
zt8r!l$Oz}_Z#k>c&GPk0PKUbs&eFRp2UkriCxY}RK&Y>Gy70^hA68#cwI$9h1oE{b
zYnP#^j5g%#)$dJhtYJK8v>Nwe%&5A@>B?wRwMJF*IFpQYd@iEuoMWTM$qYT7%uo|W
zYF&ZWtm?@(qD=YP585GB?|apqaW>-<bfrLhhf;GKnjz4Bx3WmZkk!KK#Dsuq-__9^
zSj=)xY1ts&>@9DJx1^Sr^FukI0%#^Zv+a&JaPBZRqiup=CAbBe1X9<a<V>f`MH7j1
zj>wEyAR%%)0%|BH7kn~yWV9Lg9qZ_T$bBMS7Lj=|We}R{OkHb(jK)qxQxTbFyD-Km
zF7hV?7I1NiGSY*m-=B~4f$bd`VO2Zw(?5w-l6vGLRUg%1Ed0Q3i+qhbP(zswL`RXv
z#P@-|3)JL>ydvv3)svv27BO0&iXty^aM2%R@$I`{c5jSXHQF#Tou|9OWOgnw`wIhe
zt^t_Qma)UQ`zUXGZL6_?;<FJ?S#O}C8&42)A?MTG<TISW-W>etdLd~ElxXBQ+69ID
z(gYV1xQ~O|OmGB&I{=E7az(Z<ikufg!DRaG*QiWKiTDN1VWG+4-vrii@GcXqBXAA}
z$D81t1eS4dgb5BOa1;kGH^K7=9Lm9SOz=1?MdTt5CYfL(fv0isFw{M3sD}tVfq{hL
ze`SKx2s8jH{cBL07}i>2C~*&>^>H294N6TvjJ3cCyHb+{lb3BMi_`H`^;ezgkJ-TY
zw$u<G)~dG0c;gMbEwqG<6BVPK4Qp*rU~keXW1T5Ra5Khc$cIh`($}`yZEbuoyOiL|
z=%%W6$oQ~?cxUdN3`K&m3Dr=CabvWjvMErD0F1v<b1q~+Ml`5`JA951A76p?p30&=
z=oA>#U*r2KjNSWGds9bq#*Pg%hk}+czC>SIO9PR09#wzRISA!YLyI|cNOnCaNW#in
zu>deKcZ^4=`4<x4HCI(?E+h4@p5<)wFH%G6Svo#mDPfFJEEggF9>YN_y*CceRcd}k
zwJHnqAyv+B@8|+0xEnGFJwd(%N#=lmMUrTFB;i|83IBmGf>bpWy%s^QJ}Z^pH}ELZ
zvlN_>k6ij!gC7`hQS&l7)L@4%(HPLq#U<@LNxh;MQ`a7?T?r0K1o?u^q{nZ$)ji&Q
ztNS*0@g}s(fHJPz3?!vyxSZ8>W^Vz1#NpsJluZ-`1h$BVipj~n$$g^|oE?iI56N1}
zi4#c3SSbS{Y!>rjgw0|;ig!!DtDT2j&W4uDaX3)mVDDHic<YqQ+s}5+<x3GZb2*5x
znahuOx8$<-W#sa2(kZCfpYXkI#7iS=;*RKO2>CuiwIAa8`HHrVj>v9|EKwD4kR&o1
zDXih?)Uz#3eeZ{z#d|=6P4Os<A=HONcnI&NsDC3oHV`lR7<u(1Q7yc8+}oM=Y4ds5
z<oy%kO@3SPZsGUn<KVZJN-Owz16x^t`vLWBZM0L*>&)|9gki+Frv4gDp0B}J?=j8*
zZsGru8~ks!@F$ub1)X{SgfP;W;>M4RiQ66T7Ital!0r^V%h&c9udIr(q3~{m1se*k
zN03TQ?{z$ic_|2%tO1+Nq%bYD`06V$b|mF{B5aEF1;S=6HsjqQ)?F*X&ll?vGzYM<
zc85E&9wovi>k@=b)}?qSzh{qeC*CZXjDH82D6vfJHiUO$1PUcdKFLm|sgghP46v<*
zO)+(0&a~U%37vv|yOB~E&-_e9&%7Eac{D#Eh?&;_KxqQn!yx}a(WRj`Y>_9BUW94z
zMM4OBL-TCLUX_ZQ*@}ZV#O^tsHbu}vquV0Ipalt?%^{NN&LpH4BSSgKTY}_PPI9^6
zLP{m_Cn5<YpGL(yAAnHxIrVVOj6uI(SSG-CLOwphB(-xsY_9e(=s<Erko<C(yK`>?
z7I{(gMP5VL$U>xPKQj(`wU2I7wY_TK+t$Ld`Fi61LYN{wxsp9{)+4WuzAJ|eu>Gv`
z_fU=GWapCSn0ProvfF)qG0lAd@vwBh9v#g>e{VANxSrF4(PzfdW8g`({$#wWwW{^T
zwW@uq`q4>WA228t43avU%UC{U`s$oSq_g=i8>a?x&IJ`T)_1;SIGz{hU>@DK7a(IY
zWZatg#jpW3`>mTgr;p4*T-ji=xOHo5QN<Z;k+DBg9k@`CMHLv_urX^<KQ>kIG;AuX
zizPsOx#N%HvzVFhI=u&z&p+aykICmB#TQ~S`bY6YF<tnhc=gObj(7F_<M^Vp|2Tfa
zIe#2K>D)h#ACJlNAIVRX<v)rai^+MH@t8fpedrci<U_loWqJ5dp-01LZ8&2J8h8a>
z&HjcbdU>q<qx3LQCjI9BhTe$L@A_}(kH_c_{5SM8krMKgv)GmVuIiJCv(KkGILD=|
zY(sJMUMoXmA9NsXGNz*srtlJHg!$7w&OO$v9UnJ_7O+A}aJ#R7X3Ym%6h5v3TkP)a
zLC#rMYb{<jBdh-=QMK<eJ{}EYnQi#@cte=jVhXAT!b!B`#a%KmuR*Ecufq?170-+?
z1lU6aUd(@=1QI3u{rX=D5>eh-ymnRIXnR*#+Z*jaR|;42u)3g;#((5_c%n=nENG<h
z9$69#)A)|m#KJV5BfeOe#!qBYEKK7$GBy^b@f-2P!Ze;DSH{9Lej?6Tn8r(_Pb^I1
zBa#pc(|Cydj9L=%()f>j8w=BTk9-^p)A)#N7GZ4_9|&f9XsdWd#lpOzVqsoUX1Gi_
z6jmEYpo)-x@9s+P5h<PYrHE%M8HnFRz3F50CheGZMAc3hLl0t=;7+(N15_<Hr7@Q*
zAZvP|w`KZXj6Q|av(AK;w~SBXtcK>N7!MzS0c^}=8Q((8YKXH<#3vb*Jf7zliyx<I
zzc3o=?jsz;YDjLsN{3!(SMBZE7>BabR-0#AjUk5B2<py!oP@@ts-aW3qqvP&YYo)(
zcKANm#`IG|xheKBNoy%l%eqeTj?=J2z%tZ+;cLX#8cSQKPLd!!S~{8yA8(=ASVq1!
zV@ISCMBo&<sSlGSxWk`7HDQ*II}M>zjAK?|dNt;vbJ)1}w-7zbdt!`sn6frjz%;6G
zb*Nn0R~b8Qxiyl^bBXCcD}8k*dR96l`Fy|Cz>c$4XP+S>QYz0;Lt~P3)vjIN$5lHh
zu5(S=j7z{2p2NXVZl9J<%IZ*q!}VbuZg?V-y4hLos&=@gx7nU*V3R#R`y1bx%E~Kf
z3ci>n_Zy@=sC>6D{uE#@o2>0?Y-B4eLyScRDm>3@&sbrRUTY6DE5VMc?tu<P8QHjr
zw|0!gt^HL0L%e$p^`m_K<`j2eZ}-6WO5VVaj(pW}MOmFXajQrBNLiWCeP?@KFkE$2
z!Njmf+pY#0?18QJ;S}NC+3e{Nt{v9l&EDzj@6m^M1l#Uz)Q6`ap}LeObwi4l&5%dV
zUu$)*HS-R9-@V?5cMtrDh_i%#ZdSA(8IR^XZ5y#+0(?XQh}_$G?jCI$32?3lZ3EIk
zyE3~$U1}zF2Yyv%ZEjg7=RanRf|6(KHroSPDIWZDs<Lvo#~!xts!iyr1|oK4<riw;
z*AD+4*6U*Rx0;gYWrWT2NZYGB{_mEjz2mXhBgQ@O9e4KjdCBet4P@BdtQ|eIed5%B
zVOO!}>3?@qj9*5Wmz&sJ-m6<}FOY?aEX99-`UB~cpEtxIQ&K`Z(eGWB#a@py3!_&1
zPSy4s&!TgXdGt9`kWN`SHqqw3yiY=HpKei(``5C<Z&&rXPDj3;d?+stO1K)#L7#9&
z9{%aAtlUoZu&p-XOf|3{_3)k=IEs2uwa+)us=C4Er7)6NSj9+Ss~G+s7=bR<gN-Nm
zSw~Y@-C<=$H>PAoK5nc_kc}4OEMKoo$k*>o%GW3MLfKM{x!1E9EEZyW85QjP5SGY{
zQuex!Ejs@N@0gVL!fedG#aM@sM>~mGud#whB;{jVJ&$)tm8$)KnI<>Qw5$?Y4BYA;
zbNRZXs=2;Z1C5TgR3nkoJa$mZ@w5nkf{1v-kcPw%{Ul%8Paa2Fr?yF@w)sZYJ~O^o
z?Y4s8x4u!-afmzWyH7l89yC*|eV7&`@o9ZrMJ1=kD)|}|CrvmRvHqiKyU_TmUYTO{
zBX}*;fg0?!*LA4bt^R{8|1i3Jk5*xxq5DR!b`lMsy^l74;OJDOOdYb|?!XCU*3dld
zfH@CBCfZk2%SYKdM{bH5+^s5kyVT%8RnJSotKkkDfIc~{%--P+e5d3E5BksRTm~iB
zilU<&4zoozd9`oJ<brX&wl`n<UKyC+G#;fag1dc#+<F1}bW5_eyiJ{|j_h3aHowvG
z2qaFbOn0|!N$}4`-o6?)y0a6u4^W&^GZTt7S6Ss5bh2!i=DGA_qy#`&oi~)=RP_Q>
z+SlzWbgD-)yrHoPcpsbCt`2<PJMe(VelYM|JGd+NU5Ye#&j@P`a1XtqE3q<kW$$cb
z=Ap=Gh;oA&c;tpWgN{=s$0Ns45~KFp*nE}hob@ke`1JV>RDP22qT6mmPs@W#f{Nv4
znzz^Q)2~F|{C#?_)`|%+>qpu<s(u5wH98{Sk3?T)?a$*g+ANXVc_i=u8QUY<Ga0e)
zKQgv+wUgedhon*0-fKJsQZ+Od4l`Bb6=RarE8^824gPEb;b36D1Zb*y1xnSUfoVcN
z>}kFe14S%>`um`~>7-@ZxL8f9uH_43>^FRVi>a=bZjmQ)Nrv5KncqgvzM@mOaZybI
zzo}7-Ts%gmD7|k;!OM*frT0w^yxf+q^e#@vOPNdQJ=ukq>4i$~8HIS6H9_e;djekW
ztx$T;ufWSf5=`m6h#m+&P{)D~(gVT2En~q)>4D%=D_HPpdLZ~>m<3;=2ZH}>V!_wx
zf#Aw!7F<OS1UIy@;70aX6<4M$A_JnV92Qr*i0<zrdq7IEQ%fX~&L8VcWR<(s<LquP
zgO*G*4hs#E6w@GysOi*A#;;#9Wx(5aT*eM~kQr^PJ5pCX7KU~WQYAL#vMYsxVSi8L
z!8>K0s?SMU%UAb*Fp6)r+YtS=s{flo`kd6Yv<PJk=Mmdz!E8Smf@po<ZDMNYonQr$
z#G^=Hm&Vu`r}HF_Pz3q_BC^;xF^-O>Oq5_11{fj(JW}P6Uy8_Ecw{_sN6I1|85WU$
z7Abk;6dw7Uh&)fEgltGz#UmGr$OMW+8CJ3~C`-c1%5daI)GP)QuRmzfG1!D{La8my
zQsdkPAR`>QkID@9a0)X7zhGvnYX2dQHDKb^i~{ZJH4c!jJ%#Am0^@b>LlSL|w#8Th
zuB^JCNiU+U4q_S`IA>$ifbwOA*OZ5kpB+Y@W<GwHnL?h>BiJ<VQcxz|9^(fr;zFv7
zwoY=9yl=gS#Zb*)!XlE%%YAl4UIf9o$R|ETaSx)Rek-mb#6=Y{iH*DVbad4H-^n+U
z)~v~-?<JWE8_aAM{$FH!^eZ%9bU`h0J(9+Pb!)3~sUadif641l)n=z|vgjLxlcaD;
z=kV2?=9Aj0YINAxd=2V2J@V)gVqT55qhU|}k;Bw~ZVX6fnSU`yWPWHeO`(j3P+g$_
zal>d5MuK*WkkUiG{GI9W0vzN#s9=v;q9Kc5{=n~VxmB(IA%Tb^bFo-!^?%r*0&0Yh
z$HDrtPNKaFUyt;R8d8YeKTu(6_9lPN&?7AO9sbiukqB2rl*6Mz3(QN0AB25=<#mjF
z4|cR4AW2{aXeA|<z-6g$H8dgxUdqfK`Fg?``Pt#hbFnnqcqx`zwU5Zg{Dei}q9Jj%
zNIawv{_t^h=J!!OJJtBvNya-EN$|1QbdL3nea1yJY_oUydy1if`oRMAUEq4lS_dkf
zb=+IA6#Qp!c8`xNV!W#nV~hHy<jzeAJ=%==whU~KvxruHl$znd;U2@8!U9|ZX_orE
ziK@QjOefwUXQK@S(AHsxn%&_4k$jvCI7;K;oDYOmq<<V<?O?_ZZ~b?PxuL~_ZAf>0
zsAh00(y2#&RJ9MZ#`=AU#@Q~~B;HK>CE+hRI<61BHMkul%v-{WL_&+I)vH+5GTuNv
zxI+s`;A~^|bF^Vt3=QiJJwU9zp@qa5+MamBSfda@(!gGQVHM&F^cM|^Kgb#`UoUs2
zbAJ(M9{PdI7D{kpFB4two(L^vnfgZi30{zsOga|Lm=}IAlfy^mABP&yA&lkd1s?5J
zZzvC9j7zHjI#G>3MZIDayahXX3w;rjf*AM-ZukqMQUUsUxG86dWOD}^?Vce+oxTBX
zxc#XftwVYJq>4@Q+4rgOb65_;kweRqw4S8rVSSHP!mLSdNR>tFd1)v%s>ln+6Z3DJ
z!iZKuO+V@?q2zIwVDrL(%(za|bMmvXc`*YOPTjXCW<&pio;-zjeZEbLLZ+ypaw_h4
zr^9&fbLx$UjLr1yob+5u3cVFe9eD~=8M`wMW^}Y{F-j1qQx_byxoo!Cm(dEsOVl#d
z+4HrpslOW^V514{J~`rSQWGh_aAxg<GW_*ol;HwP8CGOr+`O_ITw@B(ebZXn*I~uv
zGcmGBdd@VI7nTej061L)PR2|m#8^BV?-+yQ5T6nD>No{}HZlB=)vIHRn*ytIXnf`T
zIFM0#K}m~A#wgIZu?<E&l6oWE(w=d!K!4RqJuP3)IRyFg^~{4L=2H-g+Aq*<&)0qg
zx97l3+wWC8A0qclS?)&1XH2A8$|!VtMwr?(p1e;z^T5?;uRSatUT7$15@^UX$~;C9
zTY178Si&(WD2Pawh`f#Eh-K?xIfKnqeF?7v?#_Od6=2qItpx`;l0mSMZ6spd*ib-_
zZ*K|Z_9F+y&AL*~{xlLCIp0P+@<9?&5o6Aym>(70<%j)qYd@pnX%!GlW%?_udfR@b
zcHXmQJZc3xjp;UH)KLNt8Q!7dScC6;wACDBcgxyy%{C>iR)r!%tNjaE!(Us++NcjD
zqNDA;On2Mn6u;sQd>iLKODISe<~>mUdyEsvgJOIXqR7a*FuA190@RG?j_3^Qn(+EI
zDFx&0Avm>#!me8lNUPtuS9{n6BI5-UUlzq3gzLaTy_lolX|E8=&?_v>U6kery=sDS
zHK*DJDpd<ip@dfw6ndE6LvIo}A}ZJeN6{WmBN97ELX07DSjy9;6G?o4;*o&*ow5HK
z%7zZ7G~q4u3dw~8D|iB?e&ZP>5+o7dHPHl5<4tW0w1ad4)r1yEp~NARJe7wi72>k+
zh&%{wXtlR$XweklFxuRIM3{;Z4ZFu?>@d5-6s+db%19NuMH)Jt@!+S_|F4GwjwLjx
z05*z^9)#+ZMbtNP4zYKY-raZ)1%_hB8CqLuBxP^<iY{(H(8!0@5HI69&{`;B`og8G
zY;;w3B+f3wDW6=J%jhW|KA*%!>KmDHG5HaGNeVwHh5ssr7fRuqJB1rbU7<RERrUEa
z*J)hD4(AdU*oPVVuM6s{P{jI3JPtB$s{0-PY)WVUY<7hd?(DyXx~bZT)M$ICEKKeh
zZ!h7mrQyk@m05_f`ZFS41zb&nhZbc)x|si`t)d2rg#~?4l)gJ=3q51;krs?Ui~b(7
zfzCCOx(GB@L0$juwEXH;>L<BrSh-HeBArvcf|Mkmm*-{yb*WddsX0y3E%S08o0nh7
z7xf0iT*c<)&@>rN*q4h@Ceudlf>t)J|AdwuTN;dKcT!L1^9*K2u&FWlJ6as~E7~SC
zlm|~JScReEKYbl_MX*oOcA5JT;Q!G8@W05ye>w4Q`50v}Nz3ZsABVA_M;_~OR6!EF
z)~~(#wDd7v{Z<z<UyUQ$!2{!T(K5=0Ud@iO0s!wQs(vr5L^m%yA>&t^`*M@JiUp&*
zURpzw5!h=FG~3;^W1YR+wH{|OMI>V>ngXX%;8d*t?2RV^MQaEf3E};56xUmTDMZ7l
zPjk2B-GJ362Xgkpp-E-(XnW}0LGR?{q_G#w-3P&5Kp3cA94|<_0E(9hmTp`XMf*h2
zD-C{N?NAiSGEQZ5hdQMmYP4q(PeNm<UB+IZ(WD-)J}(PZSZK5WMqsEHcKTIFO*Nw$
zpKw&AP`>dJ3*|eD)U~i|^k-AgYw{wl5Q~JW_90v1Cs)gOvI)&c9%_A0H9O*OM$H6g
z5Zl@s#-5s%J4BmEXBB`michRk4Hpk|DviUqIEuzf<23qkG+LlEBMt~vb2`;7y=2h~
zm<^?Xivp~XQSFhFq@}sPI~JDPhRZIv5?*ki6~ZbjADvC3E|ime-T>=#pvGw+n&v6r
z8Ml8#13_!h>g)H%2foIpz>?GHyM~=d(VeuhL3Bg5uwUih9qQxE*DrW9oerv;vzQ*C
zoHrfJdwLF`;0~JLDtSBMMD+q!xUmU@gmNC>M2{2Ec0sWpHB84mIYl`rf^8_nL&TQz
z*hUm{oxO-c&wPXulV|59W}M<hP<Y_2VxN+-xrk@82$Xrju%Nk*(d0Y(aGH2dGoR6z
zvfRdKpj9}{p8l*%vl-0}!RH!AGv3*c)2!n(GZ+o6C{wA=01d>!Y?j1X%1NexBr46%
zA2JFjr<lblZU+S_mhv+R*O9YkYz1}8sidiC|4j`XtMXkC^86iCz8{dm)kv;=j`=TI
z67j~PASWXKZZ*W4I5q+3g=Gxt6U=imUi*M~M=^WpzG)40Ew-ku=e#u-o|ss1$3l@;
zf69Qd_hO7JI8cN)joJ+ZEsP{|P`?oKZOd%4#;Jk`dj<p1jp-kks$mA1uT63~VC}rR
z$63LS*{j-?$b*z^9r^z!;po|pD>Y3JQ`<#ID<RF=E~SQkPl1pQLQdlRy-CwbNHb34
zle5WEH4{<|q!4KsQq58Uc?n_#j&=BYyBianpr^%UZXYqnO2BEw1aI~MUoLGIJb_Ok
zhzdkDZ4+hPPFc4?nBWc29Q8)3_PLoV(A<5&UQ#F8*qU^(@V~v5G$xG0l5++`?aoEi
z%puf)@d2v;2sAgXJ}SX463HtnXVX2*wA1PAZ7Anvq+~V5JXW{%F&pQ38Eq|h!LNm5
z!LndB&7;vYR?pdkW5>o!@b<8IZ7Amq@L;ovX2f{3cMSjg9Ua&l!9GWKWO1b50Gq$B
zs-0w01Ec*tGQT-r1Fdso*VG+2nTibvs#n9K{kXF^81LIRLhp5T9;Vs$yx_M=%>{^r
z-`!oQxf8`l4j8C2kr&27Ph{2duvx$0tAVew@?B-+r%a@mFNd(-Axrjs5LRwNIg>$w
zBXAGk4y255{oY<+_B>H-B&wT9*G1RA82#0ZKC^_;qXE#m#=}HAII0%|&GQ>;YQks?
zYHn>;z0v(QP)px><J7=6^E*d0);wt@i+lxVhU?iQo9G*4c#Gc;A}yG_7Z1py<ZXle
zFP%NW2C-T3PA9>;kucAYC&a7fFBn(YX+_-{E$?E+vYv!O!s$rJYCHH4B&YF?#e-Cg
z=>+$J4w3?E9*FQ@s|i!~G}ejQ8oDdNXVArQB*8)50lg^N)sCP_j48++%zJ}*r|y!m
z8+|20m3GkZfTm>v_Rp>T3DHZ4!9|=w(^;fuSgDp0oDR`F@MW+M?mrWg%N2;{J!s`S
zW<3dgHD9U8frwbqfYRFTi$I+FK<&}}b}YBnoJ9H26@3d(g?eT-i4-<I0+W`f-B=pK
z0UjDdg-F5rxw}3>-Tc8zpq&C=E7a}NjQb!>8<eBo_vk=ok<J4-=HH)!<9twp<9u*z
z+Y|?qPdUlSKSfEZILUZMk^qvoILYo9$z7Zzn~^|(zJKK;t79a0aFR0^NeW1&bCO45
zBojHw;q4@g10>gTl9@4*@tmZIk+?vT#z}67k&NRcuQ8HpkR)=FK{1k%oaBBYX(U<p
zrm=eI5hEGFNhX7&dLPNMk&}F%8m$)>C-H!Uv`HEcCcq!OfEqLKYdpS8U?cxmeDQ&=
zf2a??jI_L$*K!5W14$##v&p|uFpq9y9kLpfkvsVOoHhI~mKQT&AA^J`JlL`MN^ldX
zTy0yZr=u@mKLNXN$u6Yt)Z2R?y>Sn+gIjVj-f3Mcg+@whOCK?xAx(|7w1fia_jK~u
z)?Gr~vX2u7U%r9#2hKzvZ-5sFH(ih#Dr5n@zlp3VS+uA%Rf2z}LNC}{1eCjhVpT2k
zIWXdb;UA4C{~b_^7$Ulf=Hr|LQ}ARxQJF>nRHWwN2bDV=QG1jZx-esROYdkH<~?vM
z)tBQ|p8KNmr#yX7{|(hNI<!NG@nEs??7Juw!7B!8D5oDX!~pmOy~C(R7D(*hL`sE>
zoKPzM$4QYSQAIhBByt9tg+3QU6@Q8MwPgF)xWkw$r-6SaDkQRleGrnojwsHtP+US;
z{X%74!6_ai3Y?jX@+c%8JBi`}P#6QZGG)Q-FIJKc2RiyHi|F1BbjamsMh#z0B&=nh
z=G3kBgHf3>BXJCT+%j!Awnj1G-4)$`U0aU$#%^P#l$MuiHzu@vBifyy85LWHC)iq=
zm>;!zOv$WLho{812EW;2YaE_b;wYG*YTe4Tk-fI!d$5*&@O8=6V`fjqFWxwEK~i2?
zG94rv{1uQvtL(Kk7jz349f`C8c75ycRGYfmSL(Q7dimW0RW4xUX0$%H8$?$Hx{YI~
z9NN7ke`E-v&Gog_x$e;($FLjR?$x6`Ht_3-=ImDH(S|2QPLI(MA2Q}VzcHmg{D#lu
zN;ALxQM*TU?Vxk7sl@4*t;5ga(zz#2EH$aYdt_>46*D-9%^f@1G15KKgYr5?-$a>5
zo?vm+kXVktfyK{>#W!}#oiVeN>N!#hv`$^^nL4v{qR%k~{5%D@jQ)Bn{jeLxjA8Vd
zoPO+0`Hqn#(<iytmLNZp0*%D0;Kp9;n_jkJfpVpwTvUDZjh^XWxYtdlRNXwKxBF4B
z+Y-3Vj`|DgYWyzLG{@K(GpJ@Zzz$QLt)^ZBR_IWvk=MX3I^Kw?mZ(;jI&!C!PP~)R
zQ?3h%td8P~5Z^dFb?S`iAahq#luw;V60^P;DQ3bUVoYi2B!_1htAOix7HD7XC`RX#
z7m^rzV4+^C$EX;@lJN1s_R>y_fvFB0sIa)!9_JKVNcgrzoSPALHp`dCc3id3)X*c_
zurj9ZY*x=}pgo)~wLP>$#^wjK3?Is|oz8T_Wh{4E@h;v3Ja8<_zmAsvr$p5pJ0MlT
zXAE;1I<4op$3gx^40*USbRY+tv~2O@(K^aJl=I|iSc>lszM<eGEF9(QiH`GWcH`?y
zE9H9P8dwr|QS``H^1>lK%+pOmI<{=g+>M2#Q|gg(C`hYkNcZ`9RxXvC3q3fO&78}*
z#0823(m_lYxUi)g%(2E3#~H+N@!yw#*qlCva`yK|txzqELM&<{!T$vm;m1I^AEM`6
zf^397{QGjG&DUQbsSO*7nXg}ZAqf-8c@`;JaI$O@<`Q4vqr=l-VSdEsB18dZ97aon
zYA&b{?{BVt`+4x7y4dKXD(U+gJrqw91mA;KG*1{wLcwxW036QG9MK9uXeLXO$R5lG
z<&6*hPo>c_b=Y-qxR)};iUrICw^orSc`uHR54NAZ!3J|C77!Y%;7|VkLLED{7ot5T
zeO*-o&0Vmq{e$t3JybHd3g|!lGeOpW(s}<G67Jl8Zc_DCRrs2Re;<BAoJZIOvuf$>
zHBRc))ZzEhhd!$gz-Mj@R-h&TV{FmC^uJdNx&Y##@<$<m6!FId{-7>|?uv6*-Q8JB
z601<}O3i+xuRe;o;n#QpbK*li2LmC=ogJ(Ok?$1X#Dj2UrN?=iJ1clUBIZ$qCmMlO
zHCiTGM0}rXm`RcO(MT*(Ao7t~L>_4hHZh(gtjV)Ccxs58Maf8fGvZW4EHop=S|WNO
zq6QI+6_wOXk&K9-88Kc&pgii4CU-DMU6v)GaY;!Klh0yk@UR%FD2gF%P>59CV32eQ
zi=%ExabEqkCSV2nznxgBD9~S`MK|kt;VnJA*+2NMtDc91KYI1zB5qe{o$ZkE{swmX
z_%jR%kbU7d*e3oV<KG;wM;%ZrGa&+ulYb@cw$jH=XQ=uL%9Hl^^U#gmTF?hta?+?n
z#I)B1aL}kjSsgUKmX)Lge?iK~nJ_)ZGjEf<(i7*OgOSw%1=WGcL}Drw4Mrn-D0vN7
z=Z4mf%|AQsFN_%gTJtMnZtuZiH25JI*XIb2kitWyaE27VPzoQ#u5y&0tER(uHa0kD
zQuDEcL`~dD4=$?92Ki1#j^OyD@Go#aKsyrMIEC_lJqwi!uj>%$Z9{k9EDv4w0hRZ4
zuh^2s!{F(~2leNmU1(2~Dw_60=U~`Fkt;RdVVeUROG?cXc;SBU*Xx;vdmL=m(CDPi
zSEfw#%xA&Qz)~dX$$Jp*#R;$~rlX&sm`{1i35bF2dKC~Gu1lOjNM@`-EQU}G3oW-R
zK@HjpzI6u3m&Yl=*AZkA&{pkYN^ucV&~EQS3hbxPnL;`7oOuAu*>3MdK~qaKFLIha
zr!WDk(5#H+T0v7sH1~0ub)3d$(wq$%>X8!>jVH<QB*?W*#wZ|Umvd@)k`g4T{~8PS
zP|V-0;}R|<&S{);2`9V5<XkUkmJv+?r^(?oWhTwvK|{HJhYeMc`>Q<noj_RbJ$Vx9
zt7h(#1?T0&`DGA7$ZvYGvX3`8=L(t?M6;07Y~(aWCQW~l`(&OwY~lM9waK{A%v|Rw
zhMSpt@u}=;a6}dC#acWy(p!|l1w4b>IQa-OgAIaa3DMX&%{81R*Q9wIG!fkAfbDpU
zR4A4tHTz57<?yeJ*D+5a&4Hu9dnm$qiU6#C^<dX~uy06=n~@$V{2w6VD;DvScfm<o
zQ&JY*P2Cs)Y-}hCk0B4Wet#cy(Yw!O=C!{N&xIj{Dd<&yLSG)jvseO7AUpx*hi7wm
z4IfElXM{V1BrjuZV+gYc4kuH6(3X?&OFt&)NaBK4)H6ShGI|+|h_0IG4syB+d2Tj{
z#k$u*kr~+&cng0|wfYWM@jTfBzJt4Zy^{=3qO#~`6q=1R3PZt!z%Q!bQ1qS<WCFAk
zTF;3b*absS9Ltl0;#k{@sz}dC0*$d36d0u;M8-xh6vn9Iz_lOQmWw&d{1ze^|KbU5
zMuNy7BGNOTf-**Ct5zekhtUjZq9KT8ngyDOsTq*9pN-@V=pK=o$0%Lj56{G8k@tsC
zP7kC2(OS;yPVgd)Miv!Sa~~+9&5?XI7@;}XgQ|wK4%uM5EMb*Y106^=Uk)Yxdo!ml
zpofx&)q<R-y0ffi@T_biD>B8%>da1AtvHKi#U7#+$aYiq3NZ}jjAG3C9%Y1?L&z?{
zJw$aZU&V_c_-;JIT7)9bmpueuau$g1e?SPnzjh-b`);O?o*5tGTPXOF^8$G%cj9Z~
zeAxqh!RKF$Pv+j3x+V|E=qb36lLId2b>gxXLj;nr2j_Ap=dwP=g<K_L^GaSu^0L5X
zcVBB6eVhw>a4r{cE`JkTHY{<HpJv<(E_4!YIKIGUA6@J-PT9wyO*rIE{eavJ)W$v5
z4EmnVGhh$ivYQiG%dST)z%7LqBPWRV9LXaw&Y*nsOFzLlL&Yowt@-^XIXY@~i|_pE
zAvWJnIH+jO2znY{|C@E_JBV|3i~lRu$@Y<LBadCroW$~qIWdtHltAxmho})J+!(yK
z_Q889f8Rszz4-fHdZ+uJAWjct@S70>NsYR*F=AX;k^!SfD8Yvqb;`=4#;UJ?X$_H!
zIfHEpzh&?gF}Q&kbR5CFI69xOevd{+1FmfgkP)~0dNu~=WC0W^s{73<rZLx%D{g#-
zqrX_|OY!I8-#D!Fq4><h$6kA#@x+%{6<!;ipVLX0J;sH|(@GZ0pJJDywOiig<9{5x
z+6Dd&9YE*@p9h}-Mem-XlXhY8IntZ7hZf33#jm6DgLEEMuX`1C#n`?BU#|sJY8d#%
zG|Nf2APvRvcZUdB5Yo8m&8WYn{`UNb3n}R@x~*RbAa?$v^Z8qx2kCUagO2ldI*%ir
z=jG==@r{ppFl)hqG`BRDN(F$O-d0slaH;jpSnMwEKAybs*UzBFn3qIfEIr5H6Hpy6
z;Ey1LTNx0u)$r0J68<7yAAqx$5yqYnb|lb4KZKqqKC94-!QD#DMwAjmiW-@mMRFb7
z*|(-D3;#pK*E3fL`VnuyglSu0nw6RXAg22tFg$U%G~S<*58IXk&=`eUWh<L|(MX}3
zVR2lyl5Ker40!u$U%Is~798uimS#|I+g!+TJ^kwq6+pE8%)rnTatTtX_+EMjoz}D9
zLn#yBvpoa9@xOun5XevU6>ViD_!J4hU^7)~Y%szhuLe%TeY>3&z^Oj=K{n{;B;?hy
z(zHLx8sgbff@$rxk+s`IM1Mto$x|u*Ebubp8z}xc#7Cw_*AbCV3Fz3jQ<*REe3tzS
zB-ew)_|FQnKHN9u>+{FEZ_L+MK^NNC=U-xuUF4Gbg$jV2@I_hFx3Rb9Vuxt~@DV^q
zZglKwvn^Yy#QFHR)r(_IZf&zsiFa)iwcukAowwlkyamxB#uCVe?Ns-IZ>ee6eqT!_
z_Al2`<M4u_<D7)tY7RmEY!<@~L?1D>VgqVH3*o-G)RJyY6}Nb_Z_I?yqecUz&EDlJ
zKowqSld8BBCe)Y!8K~>5cT!2wqC?rZRe}%OSc_7HbZSxfkJONKVE>3QjBSFAr?UY#
zxBQg|$J5uf-YZ6=c(1sLo%<cU8r6($fD=nzoR!z`J!At05rX+caMV_*xd#mt*+4!d
z^H1@qGFYU7g##?o%;QYHw_8>k%Ikv4qR#^JlWe{okt^ZY&^o9*AB~QGs5gA$heaIv
zD)B#<(&12ylN#zB{+@<Wy%DeMI4!E|@X7O|9WDq<gYP%eQKRlqkTjiFe}wt~HE$fs
zhu*gd^vvI4)4wfLW<B#?r=gm?eTg9RSrG7v;PQW>WkNZB1%T?L9+r6taxhvsem8Ko
zTcKxmLo;DB@>3o$fg<>RV=^Leyl1?zo<(KmMVVhu0F?aU-Xy^srlI!n_XH~LZvNhj
zblQh_$9A><a#-PXoWRERRT4@?XRBM*iSemt?(7ZOYS5h{SD~q5<NBi$5C`9NYWq=u
zh42V4v@b>OSn9$Kb>FLjU~BU{yk_7v@T(n52)~kFIGB464tmgnUMOcFSb@ncK)}R!
zjn&Ux06p4KRzEpZKTRC}3&Ve6cpl-aIqqgSug?O)mjQ<h^BNz%V^YvEzS+nv6@+UX
zXdz6{eS?uN$wyUSJcX+jSUm*W$(s(CA33m1EZ#r$%>88AeV~kNVZF8*oTvxX9~V7<
zsv`w7g+vp_Xej;}igyq#)*p#SI>poM$#Nc$ofj3~tcPY}C|rvJqy3ChR>V`_tFha$
z*f=+uU*)b^QcCn1v`4_6`3jSnuP_S#+Wn`{Af_XTH2(|DNirU#DIJ`TeW5yLi+1?F
z#QE90jBky35D7<z(WKfQcVM&KSP%CH-+(6gBQ0y#J`uXsa=1an*!NP)3hr;bc$8{u
z4n|@v^}Uzieo+2O&0O@DmUrn~Mkx82W9Q2!o42AGa3=Xv6vXUTSatDg?WnGYKu&F(
z90n13%@+2^JdCz7w!UIsvNRNLF>O#**T}xHLoEnRfc<+l*yigQTF9-gAMJfNt~Nk7
zXUe^C!Et)SU)23bK%8(t$li6MgQ_?~3YiuXt*R~hIYzDy{9r+SG{p;>LM(sM3vYl3
z8vws>-wJC<z5mhCp{pHQ!-8Ll&#bu%j-JHRHx7pjvGku8SKpkZ)gxdl>#@x@d*c8^
zwhR#U0_Qiy8wkhY>FN-K4MaCe`>8Ca+NRI6E4hue38ybONlg78ZVk{A=e(Iqi8t~G
z+3Cz`!mEd#a+z<T*043<^vm$gExUV{=}+xHTNAD@iE;juiND|gor|MuMP2N<*s0=~
zuhlpU*>kb82+x|Z&!r5kaZbRyGH|i8f<2cwtJ(8OXB~S!?_9>7uR2$-=UdJ&d#-mj
z;c4+cYn*8S@X_7FHaxLgP(e1>u?8zW=npU;IQB<fA95YSYp-;?;uICWz}H5=hl8I5
z&CK1+ts}Y-6&Y%n>>6h}7&5DEy!sM)F1oCbJ%8Am5PuoIrjNH9S1d;aoE?%O>g@P?
z!qK6sAg^`-DC(%MqJK0lYDeyfpe`#;tmbR=Ydc81#zlwlpucDzBb@iKe62Au0-1|;
zHv11P0@19w(Q>x{8-Ks?pGOoiQhp{jP(MX<U2{BXzww_teeXu@wB$ceu%4%8%^#Yd
zYP^Xr8gu9aQs1B)J3TJQiKj=8j2$^ta-6k+*}g?x(2zg|QETFsm_Wi<g*V-TYY-FP
zh2yoLgYg(R3$>m2IRhBC)CC=s2S8e3#i*~L2VcCcrgAPo%~5>cJ6U|<15!NMd;Ued
zu=O}|pK7#W66)5%mr@?E0<+F@>)?jnf4ujV)I8UdaB4hc+>B$;&-wcD&ylyPZK1Wq
z?O>+rZ~qMl8PWTBa2E@1HeNxH-3kYd_j+5*hv*JL;bI&>Q`5;zvXBk^q5T%LvzoX}
zS(t(q8=&uTlvT%{5Y6kOZvZf=#YYc5<sJp@FeU4Oz-YetBK6mtp$r^1lv&5O5oJ7%
z2xaBCxrpqKNEQ*Mhy^@i9wNG#5t}Gt3XixK5eI(}DYjC?4Lpxs09E}F)S!*sI|3nC
zx(Qg`LYg&*7WgBzpg}Yf#7)uq+jW49Qd|-T(gzr)%vE5{*5!V90fo@tUP2_dbCNqb
z$r~ogyC88dIL_A}$5NGraz=m#o)p1sCGuPJKrBSEZx}Q0<BLrXbJib&HTEat&`L%#
zre#RogXgf=%wZ}hwa>KAancI0EkB=c3w)#0M-p)KZhucV?q|?5Zv@Z4*VhL2UaRVV
zr%$<!E0GAD1B)E*Qcb<US^pD>L4JeD`cy8&7gWCcI7x_;TxXKBJkQ$E$KXerLAl0(
zf50V=7$2wZ1tSf?lM6v(&WYR<`5@Rw$35;#MGmm?*ioEw(m0)G*AHpv=4M)CucoY^
z``R&UMM>>kl7XfqC0vsIhp7x>;!H6vqMZEH=>wabxcbJw1fpyK5xb1Ul;<p>>Hvql
zAodU+L&LcB5m=YK&7m&XVngZz-Pi3rRF@ruEx8zUH7FF5<8JUWGn+?jk|?uKW(jcS
zKqF(E`Q4Ik6hDVb&pxcwWP^XcUfPY;vM#35XzZ4e4(y|%U};EbmU%IfU`n50#PdS;
zLLBP$40C0;oLGX(w>;^=pIG!gW^@514`u!ba2b^>xE?ZduYSj~jB}DPl_!0JCmn+l
z@D=XfNUN-jSM_lzL+!q@q1c)^748uPTm(|H#50kVaR&N6yLTGnU+B9RXwehnpB@<h
zkz<(fpg;0HJ`0J^psz!O$eCD_ig`rfKG4Gb7-q)CYIKFjE8H*L=s*GTlvVqT(~uaS
zlG**^QNUk*JRkRLY>xBajeirAAkAShSGBod*@J5kV5QgMNPcOp`a#Mfk=N5d!6x!0
za<a5<@?!v5H(?*0V>vvVQtYJa3uVp~8T%FyU({r@hxaF{*ErRUoGL-7nJgs0rhJt0
zct21Es5o3=u)P2Yl$sHO82u?q{0R}?$k}$ZLfrFtn;gbFU$q!Vld!Nc`WaO2S~ktJ
z>~~t$^VGonR2$|Kp-Oy;G6WZIuRw~>82Iq~UM{%asm35+f$!q*{Xcid=&G>Q%cvG}
zQ{j^P@nwZ@)5Lf{5MvbgTAlwZs<G~O*3VL@?D&g17ij?gVEycWu>Y$ZNDkx8^AFwR
zWLM+Cp&HQ#o&vsa<MzFqm}%ofXq^7(1iLKtgDH2+2X-hcSHXS9nA}L2SbRNv9)c>~
zgZVw3v{!oPv3;rA)li6X%h#W4qGVVS!}0^UeN<iyQ&sEbH2#6v%o^?o;$!uFSUufG
z8kzRbVC*m(rAv3j!HX+Vy$&`VGWBFAxyK>suJggr)LmgTxRHxSVXLey>y1aBit1JO
z*tM863(`>X`#+pdPW}n>;ufSDWAvi7)aRucm8_gOuYy3;^(o~4=$Q|IhN<4fr*V%q
z-4OxZse#1IdNpOe4Uyn6h%L<;M``gXlsOSpT+vL0G#J*S8Rti+ti1G?byDijVG~1n
zPE0|9&>cvclLkuDAj8`*1z86PQMDH&(g=7SsbG0e1!n9b8hrnIkVMa%Ysx%|=leNe
zlN;*_dZwT9y&W8Ikb}2x&Rd{juEtD?I|E70lmCw+#w_k#6!{s|?#h2(M-`^$%m#$6
zu;dA<au+zhb&eM?_yGiH<$Hm)ZR+mt$!p@lzoRCYF*xS-e{u^0=^NMCgokp{SpmlN
zF{`JV76sO!IwSi|GL__kKRG|;Ik2BK83S2dgvZWnv1{&(9~h%kU_jH>J`XY`w=soK
zy^`G`-R}gu*mg-6gBmwsXt_>5F20K0%SZ2g{5F7+#!vE^1L$w(L_3k5b3f#Y>;zNH
zlXcJ49Y?-8uN9-K8YDLTMr4(6je2AUzQ|(ZuX|^IJ=9%Qw#B|L4AIqBmhl(rj#$h3
zg0iY}dW6gB!%51juo%zMd;!5u{8TBvtbS`!86&D8ac#;62w3t{l@C}FQ=hO8{n-7;
zG_yR6?`D=El|>WOIF|xI*THo}dmd+}VeUi)q9dNt13lxQaWVRUs%>J6<NpLH8hS(v
zx}?wmtkXS3iv-Uw!ac^_;6gJw;v1dGDM4~FF`HY4hjo2~Wwk5`RyKq?6O8qgnC0g4
zU}Y%9k1qo1*HT`rFHooa3+00g-h2<Cao6uh<Kn{0Xczy6R(je%!lu~N{*TEd%ZX$s
zk&J`wF$N;bsJ#rfDG$(x_U@Z-FQ5CyKr^m`!hK(XaEklw!N|tk*3gS_g~)+anzESs
zk*)Wj5cFw)A6aCC3$!EJ51xU)7*{RDvP^#(UszAL8u8;<JQir}##xB-X7BNxH%#~B
zU}bspeEKZnU&rlWzzBYQlo9y%Fy8?@jqZ?G^j9;{y{CcmwfczWp~Y?`_k{87V@L${
z;OyVc1}X+FRy4Mz7~2sQfKE@rv?yr^3ZMjslMU{?`X<(|%=O$)m|;1ApW+yU`%UO_
z6Z-bbcnz|l4ia$L*j#)PgfE7m;7%N~NAI@~UoHiX^`CW$p4+_6fjZQ16-Kblk4{KG
z>46h_t55|V`!T8?-007bV9~7=C=#xBgLWDYkv-YRa8r`@11k*sbfpQ&Lj9b<-TucU
z;bZ<7*1=&)lP`fDhLg%V>-X3JHh!iS36<4tz{J=V>4swPc_;?Ra)?OZA|axyfwB_x
z89U%UB+^2AI$hQydONp!n2!6C(AkOACSx0@&GCq;gSV1=fq`zDida)Khe)VvQA~&k
z6$T~1$M<jjj}cRl%yd2i^;Q4l`a`GvyZ`Av9)1iG-v{GEFTNHPXdDlrT^5zWZcQ}e
zj-mGNbl~Qr4WqroheK!3=G;)AZhTwdgbq(I1|vj^;v29^kY_k}sMm(FX+DQ>8V{vx
zpuuhME6(Ti;Tr$@qo}b}zaZ%u#^-qVXl)+lbqc4lFkbrQ>Q`Q6ypKrTcPR|n9EY;1
z&3FxAyr0jRKFveU4U<ZICB`#6l!o<I;}N{C9Ypm=cYz!-f>_q1-Bj$xn!BmVXa^T*
zD*8c*O-B6Rn7!cc62JGBjc44&h#MwFRpAcV>8KHWD!lI$V-!-T`p|={xiswL4m{-5
zwje6rxC&9;z+7hqE(xPv05R~*N4&b4-uVaWxhcLY3UCeIxy&h|n`P;uH}hNHsJ@C}
z{QE8nXN0-fWJ%P(y%q4pKS5`Pznp|u{1OCSuf<y!Z|<AC{5&4pvPChlBOSWU(Kv!y
z1=V`*By1g}(PcNIL2V@eihB;|Lu>rGwY*e4w*$-AY-!J{k5K8wf$=yoQVwdWA2f!?
zIMR;dhQ?7~IBpM2_{sQ=A-H<heh90Fao!Lv%WO>9KtHQ#Y{!y~H-4He<j2UJ2YrQg
zKl)S?_r6YY;zPjRVC~g5U$6IjUakKo!5d$Ug~~Z8#$UlR#|C#p33elrP(hMMYZm$T
z8mV9T9Z6l^+_PZd_ptHq>-0gt5CWku#$ALrrO+-}ig7X6kY;kQ<*0rL;p^Z*G|q9y
zPJvAydqxs2Kj~#}KzB*g#tuv%&#x~jP<_syjb5x^tf($t)T2kJ@X?~OUqy@QCu1F=
z3-rkoVA-(c^%_EW8@R=-O-nVNMrh5$PVYl{pDiTmNBgy=BVX6=kAt9t*yoD4&z$=a
zX!k7EQ_LQVpFm;t5C7*I$^XeZjqKkNNQ^{gXJK0|xF5j0Uz9F8qwc6`bU_c4eW67I
z)Hq4Ak*Z?7>ltz-sduUPJ(ik>S%^BAhPTkYj!<E0ql@(?@S0-Y{)FnAqSCoBkx44u
zsyd(Ucm-7&HhQZQ+2H^*!vvfb*h<4QWepvy3%U9LOd8l4IGU^se+OURm1oy0i+)6-
z6I0p@AmtsMxKL}RYTGF6Kyq}$gb~zJaS|9_2e{@_bCds(lpl`^k47Y+K~gYDzYI;`
zR#p|q5p_BaEZ~9bALuZ0{FDk~0$ZNLr4Qtlyot3S%K0(m4725&j}?=CZtXv~<3M$X
ze@MXPux)wvHt)o(WV=w-JX^uUHsgz5Iy$b?=lX4L(=-SCUB-4m#6c~?$I2rCc>;Tt
zfuG>BER|i9l&|~ysdSr8xibyk5na#<+n!)#&}tM;h0oXOao0jPl2E4Qp2T&uW!m+}
zz1d&+Kc;$M;-@Pc!P%p19E&Y>{mLr5<vTsp#ZxzS%ttNeJJoy?v#2HBt!;5D8}a|^
zpW*)o`zB>0_D%ZjY}aezNl~rC7tS5^?Wg2WI^~AO911J>o3QJQo#(CCKiT*tzG^w?
z&2I9)S?1R8xi9SrkpEE_sz{+wQdyoh1H@>ZEHxXgtpv+3Utolxs#NVL`a=>#FCTc+
zeo`w;)hbd*A01%+J=c!dQl}0H<;}O${h2Vn)O#(X0heri3d{RSGe!f>2}Lchs$ev1
z`77LkH;r@aNXd7aPmA$DcjB{&b>IM6VSbWjFrZJ+&&A>1VB;yQHn30EwePW@t!+Z%
z^`h_2`F&-^htQtXNBX0Wm|i1316OK1)OF!cW#Hz5Bf&O!K*}Qxh6_fD$Xg*TAVe9r
zV&RRTF9D&I9Kr2M&5w8oH#7$J645CV+^AGX#_j_9L3k*GBW(G|^e5n7!9FP~e>O&A
zu@I}3IhfD6vvKv7vak*ew9m<W=?R|@H+5hW(|ZUvs3BL<aAnodG&p5PjJ_<f|6i!k
zoA;nX`+=I7ZuU)YZ%k{AnW#(ZaVbXo1N<%3_yKQN(1qk=XvG@AD5xRT(ooEg#z%(@
z)Dq|w33ikx0Ug7kEb0e6%YHW!ERuA$JsW%9z8<LNq{w>o8TNHei)P%2e7HZy_fxJl
zd`t%H#okFTjj$4=AjI|amOY>U3;TW-ar%AxPWk_@+xL3tg}N^6J3jegSMPbXw%8FH
z+^5X6GOPv6<_=Pc%<gZa-Uh6*ou@H17%|4cADNA(CY5YFeyd?Pv+*gg@na%vS5Kdp
zZ=8t~+{EoE({OP|-pE?A>1V`j`Y%s|BK}res1i0Ew)z(=+eB@85{~a9FJ{vR!KQx)
zn?4;j9k&1NR@ihqv+1-W)XApL>vf&pFKW|6_on0z{D$m0oC5s9jOVN*qZp}K7eoh1
zFh(JSLDr9~_%MC!pOZZ3oe6IHr*3;AdKfOooBJnb%+r`LpQjqvB1NZiU59c-1|T}>
ze;LOPk^L?c_WK}0G5fs-p^pq?-cNkq=t2u@PV2%>_x?h%)BAd27+s>H3`o@3PDjr-
zVgP=&8|lc4H0Ki6Qo6&7e=i;P7cA=)E@frM>LMhzpA4KVQf_D^t%(~@6z^8%KUn+$
zXg*o%3HyJDbuH#yejDv&pHnXzZhDfagh8PZsieCerwF)I^wUEp+}a^pa=~@m_+b*E
zbnqLGSH4eTklW#)8`-a>w^Vm%Tp!QCqjccs(J&T&@C^;vre!xNi-r?VWI_DN^~7AX
zKsylm08GTZ4zVf9%6#Y5G)q0`!DWMKBlV$G)yIlh@iFE8Ycf9P9I;DTxhd2KtKqm$
zXB*HVKw(bf`z>O0fn%toUHY)@!QE~}{St%5+fd&g-&Sw;B?out_rxpSqxBte_V%{=
zINvGSr}c;W+duuN!`^OhXsb`a#;Ue|V1wOgt53p79J0}Ft<P*2O1t)n7dtD#a&#_t
zZBZO%>REZDJwcF?pN)D@YDhm9gc6(u_SOP@3cOJlu3TCL?*r-&lNc!GBIc>27+bNp
zMZaB$vtoygKOsQYJPDN({FzzS<QG1Ztl%)Lz!)3v7i+MTmNfL0{9x(O-)Ly~el4Gq
zelF0ybBFR$L7z6T)onjQlY%^LUJB)vkGxu5H@4SW#*5jX{yTd*^6@{kr^UiR{+IT&
z>9_Xu95@lwXZ{!LX&kEg|Jj~yd6E({d)jl?Z|rG(H#E-qnowrO@<seD)p!bT|3B<$
zH{{dVo;sNfu%~C!%m0c!J&!p3zCES<|JUv5T|abfPhWrzp{X&J0NJlC2-lC>Q>Erc
zL~~o3Pj5_Tk~a*Cijzw?@^bGaGN*emV2#fs%$#B~p3Es!APy$Kig#7dQ=z74PC?UX
zdZx6*;~26R7g>664Snd$>-C{4VdK~=74uds9VDpn^D6QO9)_J84(r-0KQt{RX76So
zE3$W~bnx(Y1mGq0@`kQu^J<v9fw*IKkK2xk04AuIZ@cZAJ=)|}<EEu#o%@HbV7B=$
zScQV2$8?*13M0sFj`$s`#ruPC%z$>${jh%+`<sme2)YMu&eJBR!Vf6I5v5Z2rmXNo
z@u^$~R08?2TR>(HqsYA?2LQ$9!?0&PK9TI%jCgea0Si&K-`K(E{Fj(kfGK177+8w+
zQB&XWm5omJi_Y5f`Rfg=Ibpxh;7SdCOF%U4)p!ftl<L8v4je17CW3~oc>(Pg8qtR|
z$K%wjdLDXiz7v~_xS|Y4r7l!4DaFZg=N81mjKSIR4%~d5p1|A{YHBRf;71mCPk<o|
z^;hkf(P1YOtF%~3L(<`f4b1|jKD-DuSMw$q)r9@!q?(Ds81^Vr86#0+pYD{jxeteA
zjUQ{G+T8jvv=V%cWWv<n;&Y=h`FbNwATPpsH<+CSr<*R94s5}!3{ztzcq7@S&<&|5
zBsy}6eiuG@ot=u)evi4cNAyvGmmt1H=lufqp_Z>dzzUJL4`a!T>Z<@m(K6gCz$}1f
z&e~RbyRb(q6CqNCC}ZJ$rv5S8^S`qnr(%)g59VVtumnjm{g?KmS&&=iV}JkOvmXtt
zF8&|qV?maf*^hTV`i=cqU_*D<i#p`<u_+6LnlNs|+y4*yu@#E~ykGF&m;0IaaM@bp
zZ$_j(-kD;~jnQvR<zYPcFw|L|14eQXVC+ksPYYO3aIw$)H3L5e%m%O7w>M$`C+D#y
zI*vl$L%h{Nn<_>-q(SJ77CZ2Lh8ICvn5CY;hKAO_6ejiBX~=a0t#(qNm2!kPN*j#E
zbB|D$%`3vOlA1?BFcgQmpQfjM*4cCm_#R^c(vtr*bw1{-qp63(Ut;$=9x^gnzw!Nt
z*wGL17-PYX|9-*El#6x<6EsA8b;(#~61#`UxE<P!D35||%hTp~MfpDa&@A6gynLxB
zP~=ml1Ecw2Cerc%t#|S7-u-PLnL|VC5=dv+KQ!md9>DDE@(_CI+P>q6jCRs)!x!Lo
zADu0nO#yrpj-OpkEa4GxzB3Swb2y2m0C3{&Dcp4+&KR;uYrZ~vsIaoEQ{Y~)$+)EN
zi1GAZ<gL#u$0C&RFy57w1sC84qY5rU>pcNpc+a~KXYHKYCg}1|&g&nXZ!^v!f$2m5
z-Gm45ae$zI81(EYz|nhI{KZBIkH1HX|D4AUGS1`iH%swrd3?HI=keD_@sIQPE6w<`
zr1*Pye3tR`*G#^n?{}8(X2etBpXJfJdGr!f{2@HK%earnuan}>=J6gg{s}4m*gPtJ
z9;We)%nljXa6XlsZn2rqPDY2x{aHMIj1>PS#fLJ70_KMUh5<m^j6!=9;+rhI;<w0G
z=8Z<(AHrrPS|SCs#vIOftkKZSiht}qR{XJMzPB(o<BG6pmyTrBNA12rc<+z*njQ3Y
zLvl|B$NBnJA4R81P9f%cq8G=6(W$l}pXHq8d0>gr-jg%@3nCsw1UibIIT%sKk8`Oe
z=8ZS9xFmP+Wba`2l691ic>Dw-mB)|b@u!)R{)@*?GTQgBl4MBnf2H_P&RKxPS0o{@
zHtu0?UIo)PlcBE2AuPr-SI@toA9hgTI`q-6$5_Wn8oG3|8d?R_msjD{KE<ZTM%whi
z`f+N4F`s2TuL4@I4?H`M4%HNB>|;z8cz(#A;;}a)ikwUG7ma)tg#}d_Q`aIeLic6D
z-8>3OE8fK+H2fy7o_X>ptGW-NA=J>k3i^T1D_Fvue9(ZP;Do58R~bo8CSdd1no)=|
zmc)`G-z4MbuUKUy^W-DV<kNWaws$Bw|HS0~Fm^U@R#w&ipTqEWfZ+@RhKkD6n4n~w
zlmcaBjtu%7eU9SwjndN6%dIrEoKZ_nXc*<`cnaT=d$TTODrKc*DTv|>?}{jj7``%q
zz;hU25R`Y}|NX7~oHJ+4?ms^tne*(|wbxpE?X}ikd++~H^^25V{`Kn-cv4iuzq{%$
zQ;y!xD^x#;VhBpy$Td%rWwf>W1Ib9|E{W;P)1XAtyn{4{@>rtr6!k;i3o#wPc#ph`
zN1@HJ;WrGt-nLUX4-(P&E!E-bAJJOwmNDU>cQq(N&rsSqlvRF1WjNf`AbY|yL#SZ2
z!be<<Yr^H!2*zm@J4xYw+__1ssmAwFjepB8B<}UV8SV0EOC~?}hgvwwf@VE`F=n!C
zfN(cy1h8G-){XUT-1Wg`g}n8oHx3d}=$>Z`R9OqLCE*G5ogFuXH!W6To(Alz!(?0A
z2D|lG%hpnArl?vs`f9wuR~^!RYiOY4hST8&n&EbiC0)ZrVZ3MLP8o$pY$HBZV-wuj
z-q!ED0W{}o5Fa4upBl$1*>JxVvX&~t4evyIbq#lPBo7GxOtK-A4n|n(?`Wu{t=nR3
ztqcy&BQt*n@Rr&SKoWH_S)DlN;n5T-?P&Zzb#%igI}$!!OJ2AUEj0foOa#8Md6zWN
zn$!h(I0|Qa5>rnXmnmj$O*oL9JG=c;AA|Ptp(|c&KXyycXI5On=Gm@r#f_AQ+Fow<
zER4r|8388j&rj$S&lB8K`-yL_^LOX-2C0jJ6?W_n|CK#K^FTA5d81dD(=l<@Tfq_R
zCENQq9S_RX$@%(WDtMO{Yf#L1bHvyd<)}{fRJiFTSOO1HpY-TO4PVHP9|a?I8;@;w
zzCY|w)_&u{K_y<z5`Q|@$q`FXNRI%U(G04YxQ-cq0Vrkggdw^~SvW71du}4W?BGo_
zHugNiyQZVK{C5X^qx+#?aJS_?WywU%n@_#S-R_6F`X2h>Nvr5`sJqa!I%|!kmqQ%`
zMWm&5^vC-;wO%*$=fe3WNrx#*R?}%%_Liex(A*IZ7M<Ui5H`Xips7dDth)gb9CN>`
zI$PdE0JxXjCN;9QaeQvlZbH=>-b_4|-AD<C#>STT%2w4Y$fnneVVzT!SVIrd5X>bp
zK20+q3gb-eUi2}a4P(7rqZStqEPGQHXnAq-J@M2i_l{;utajQDIk38*VN2b#|13%z
z`kV}@kOv>f8aAgUABfdohED?U_s|C4UFyHdzvcB8;=4$`!2d+704EnxlwU!KX&vt|
z_H5XEY2CDjMD4WO`qWNqsF;@NTZpFUz%Q-L0l7>E-f;Ol-Qb7hJoRcAF7fzwPIhw}
zI&b+To?7m;v=8DLrpmUTm!6*~*n@BbS3;lhiHIGK1fDtJ3G7?ZJ6}grNb&4$upe1}
z_LW`#U{^XKZ%l59+pcYp7H+K99wu)PhVy(yv!OlwHTnMN*2L5=Ghd_geHEh@!rw<S
zh5~=zvj+aYfugAK;niw|XgGmV3@%ADok9cbQ3~RcMM?3Bw@(O<Z<Ix{ID=`uFqQoU
zhiG&hYmOG?_hhr|4(~VEoXzt6E+W?f?n}9yf{e2(<17xZs6Wu|&!<?sZI5)|-}?JX
zl>W1*|Fhh;83?8IuZz;Jgu{yI6{8n0{>qZ^FWIf}*K?=q-1R_ImYBMcf3xEd8;PlJ
z^HW!KbNOhqd?vEy?2M)GfBJrBkS{=3YAch>e1v>1UfUcVL!)UbVHx$QPUr5j>y^yc
zf@DfGT_*vY<G2|Z(Y4^U{5AiYpB=+Z=ZC^`-@u&HWDb@PtRy!~xPO&%8WE9}Xc{L3
zHg=Ul(Y4wmHm<T^VgAds%H){};N)g2((@T_X~<!<#@h%*G+!IHbcLt&0Mu}Z!a2j=
z85pU=FBZ3bVbXN8mErOrt!0*`f`4=x-@fp48cB~{l4yFE?D4^NKgd5*R%^SzT1bxF
zC-gMT%|Ar8o6o>Arv-Qtz*gYDsk?w@=MPwPt~JTv&Y@P^t#YMw8liH_R8H}K#rD3V
za;5xygvvdna>taEt4UGL5A?v;+>cCMocVo<R00~B*N1bu30pbNK%tihZ}_<<CD(U8
z!q&}T99i|p%;7+Yawt<qnPN_&sfV%g4eV*`4*!VPTj3dlo}o6y*Z9G~a1(gouks%x
z--wmF`9OHx>t;G3uBI$5qr6^i3tvP$*6DuPwkvQZ3>P|6&+A_l7C+b*u~&Q81?c_J
zdm6rrHa#3>;{=O3=*^ypHVVaxSo2Zwec`<nH&X3`XX{S9s(N^Re;tS#%i~iI)NzsS
z@bST>wqI)1JP|&_H=1a=o1*@(hqPkm?*~s1@4)jQyL53p?QM|#Wnpq2r3rgx4`+Ay
zFoVcz?<TzEx=!|b6qcELUgG%zKl`YsLX%cfHE0hOgx8>Zc!|eX<9qy^1P$_?)xKl?
z%Ms({o=0ME2^(u$cw(_?QdOm%BpzSD`Af$i#r`Cx)!!)fx9hb+e+TybTmAJ>ZR>At
zv1*H|{>%QhN8_8I{_ZGNy6fNT@5AEw&M8(s|Nrbyr%pA#iR$n0VkO0c{Tuk)Qta>T
zR|}|Fi%$5@<LijG`jqF7S-BE-PN6OA+%uUZNQ{6>d-ih)*4->*v89JvBRL$7V`{Q|
zs$-Up@G9#TKk{RmcD5ft_kQB>RzENXG&S2Nt}>Xr6n+eEKvu9ByvnYhS)-`jDS}s%
zpgsID&UaHxq&jsR??^Po1zTsssvt+un{v;uCO?9~&pn|z8NRqefNFNP2ZYU3bN&KV
zDgU3qkNgZz)V#>e6+=c9HJtlZN!rfB@PBY!MfEkD@TaPMyw!%Y!%JO#F<43ci#qCm
z&DGb|sMSAP^>skOW=5EG^~ErBoPW|XY9;r-|149rbf0|!5oclcdy3i3uNRxFxjJg4
zWPX(#NUx*}Dxt-3+Btqs8I1wS<`;zVnPkQIyP`Ep6dtNViJO$zI}&hg-2IVZ$^;!+
z;16E0&q@ZKczh9STV;5;OA--W(tyx+Ng5tS28Cnz)=FDh$G*aV#N#1hW`k2xK*FIO
zi96pbgLiaef<9j5Ly~Y1*LJ&<=Se9P)&4{sta2$hsM8H42)*!J`;aaZj^k%Q0PK=*
zG{4yDn85K~T@^4U@l@jmz-eqP*FHxZ?P&EJ!nvYZ1SW|6&O-Vjj<p0H*crhaG|s+4
zw`pumG_9rzd^w=$g@!9wUk7RH?QgV*>>VtXV<NwCPRs*sT0z2T2TaRol3pd%O!zEO
z&0bbA;bWwhsAkbTQ#*vCSUa`WPW`j=IUv$zc-+Mvp>5b<r2dVN>gDboC2mBFZ-du@
z#y<jh{sK@4zq3+3$Vw@&syYuXKZFvz*RXCLm94;vNIUY#&}Hd8<@!*^IzyrTCMNBH
z4{U5xt0`kUMY($iS?BHH_pS3;>ilI$>gFj;3|3_#3WeX4&GPW6sFn99M=O-Lcbc#Q
zEl#vn{zfa2{);auJp4N%(C)CW{XG<R=kGsZw&CUot2EPr*!)}H29{zxi^fY&Hr`fK
zcc7o3fUXganYjmruYM7bqaBdMkKQZjrRUwj)>qK@goe5sRu0cp9|o_z53BdDBJ=TI
z%`UV1vSU58$eDm6HEuG0x$@P7*mwq*Y@TCDK|8k~$oruk;0XBk@JYIq>ENQd+r#zf
z^j`M9>S<~Prn9Oi->VpG@8m`S&ec15ruaTPN}wW&_wY`>SJyO9L{VE5arYbXa7x$u
zlb4JeMUhYA;lIP9op`ul*D={P(a@}}4fDCW)b=}Qg%pN1x1PV@3CqCU{Fcpq8~0T<
zTtBO_o-M~)CWH$xjm_uLQ%x)7FG|Ty=;>w4+Wdlk9D%gUdf_1J74RXlbL7*=&MWD~
z;U`z~M`DJ;^T1L5bV_v4KiRAYweg{#8WS=faGW!^fepl4hU5oQa60YVbPxbn6hL}F
zs8Pzfr0^o#ITQH@leAIhM`9RLBQdONwWQ0hNYI^$+TS13%Z-0b?}i^*?U{x4?kATP
zsKwz9H<Tf0Z-CEr>+DY@hFzw+sWx!57%_!2g?VxBZ45Mb(FDG0@hXo9f1(6L&=7@C
z4%L?D1Z}@f>>NJ^ZjN{g+#FYen+d|r$^S*zz_?L|NY5VyhZpTFhPedW(sq=v*K%{O
z2iow$7u4G=2-U^mD2*f9&}wu;86uH-g?u2{MwOqZbqvueF@1ev*j3e6gl8btBfcEn
zcnxI|O;1q>JX|g3$-E)1Mq(HZk=OuY>#MI1ds7XpJX<}P{KT+Zt84S?4BV-Fi!2qR
z|IYY6&+h{5y={!|f=M0YJB>M7I=-hd^YTBS71^VV_a=RRi*H(M`x~uQm9%!YTI*KQ
z+E&Cew7*V6c<Qd|DS{$5@@<Og*38NJ%+~ylW+qVTT1x5f_oBZVxZA$CtNI~|vV}3V
z`nUWD=i?ZS2!h5lB!36p0MDg@XD9^<qdRpg@HG5qv2b27yA=GA3jVaD;2ah7OA4Ms
z!SI(D*CqRLwl5~95)V{Ql)}v3SZ(-=tsGx5`zc%T%#$7GJHMHiv9&1N1*{D6f5}2B
zPGn5x8ecJ=9{15f))r5#jUQ_9$<{Pb(r(kj@KJo-)LWTlVC{+})Yv25%FVruX2L#8
ztmX06^2mb>L3<@=#H+&J&@jcWP_adet=KWH*ddC!Gx@iv4EJ9+z`k7o>@R5B;Wu4<
z^KM1;-}|fi`=`7U?KYh5iik+zPh1ysU6C9u*sje{u82*Fv98DrSLDBoQ0)GeP@pv|
zTG)h%!yG2Artq90kjc<+n-Y1yNAP{H)L=i`TDx}^FpzT<jiQS^OpC^q5PBE|3e51I
zWQX4dq^zw*(GsQZ+E^^W#DTw*cK3PL-KFa8C+aRYw^d`kaglZX3We!&RB<3D(JhTU
zO?q^L*=SY$49W1c6ZDCuiFBoVs$2DU2&TldI2ze9JG@0x;$8_!FHxtRvuj-kyRjk|
z)QWFfGg8j*Ds5)FTsm5p`eXT;MiXPo>j#Ws!(rerU3+)xkGm`7IM+})(9qDGof>+E
zHLp4BGN#*2XHfS}Se97M;<dg7IglH<Y#~Fr6@JU#ULqfI1IN$}i+Mr5)XaIpu%c7w
z^mUZ$%i>UT1J4wgF~HP4Xf+PZQ|Uhf^T$-RnQ;%5!&Vk6C+*poc~V+a?lCYSIT;RE
z$b!#_zeLlIG&8a_<6N&Ff)&x9sxl~Yk4du*H!d)`9P7&Lp-gd>+~P`x3n=0m<e04*
z-0`>#W2bBI!eWE6gu?q>gD<->yGt89A!_gk#Rg}HVBCM^3h!_YmKPh8X%yDE25)m^
zc9k~x=H<qCrso{(ie3CE{r;6=!py$;g@Kg0eus7HHyagONil%x<1#-k?eN>K!%D&R
zM^|japA8uYON*r_mTi>&$~2Nvi!F6MP0pcg$BcbaK;%Y#7Fvg6nKoHdx2Yk$fzsJR
zX$l=qAsXq=&uV@$<Li6yJ1IUfdrXJ_@_QkDDZiylS_qgN;c5!BJ>c|9W~_Oz-*1r?
zCAsLw*5x;9Epz&^bEJn0JLR8Sn!jBH|6Qm2cbNdi`phZr2kex8O-FvV;`e`Iq2Xr5
zq7ZtO$q=sp1`|ofb<|F_W(wsBGM`b8LmGq?3?*NQ-d!@kzN&JPh!m<rScD-=k>6p3
zz-Yy2^>=hhe=Ak!2K6TwR<XZ+CGDK0A~V&_5fqUf#3erh^Dd>yht(km^4cz{SNe~w
z&&hP9@`KgJWlCRFn(nmNtD42c0~fDl>b11w`!?>aY^az;WM;QHBt_Hz_CFezrD%vb
zy!JAh>SN&4(*D4m6wE)^@%^s8@9OwoqVHQfzMs(dH67p2>iaUjJMUK%_L~bgnM~Q@
zOoE$g*>Nth^Xv2?LHG_pVOwYitK=rai<O$2tA#!M(evzbo;z-wS3eG7{P8h}aZCv@
z)@wo7Xsys<iJAK?tu<2?s`CzOY=NJfyP8&IL{+I_nJ@Jx=<_f>nLp>y0m%O&&DwhV
z*rhQ4LlD`?WBf&EnzcF(g)X`#ybD7(+FmjHefS2xnThmZhVo#(y&Q+Wp24h;)o04T
zd<R{~3BtzKT2$2Gyud~!?j;#<0j07hvo#r>-z0#>)$+SwmYqwIV4XBie>b5E`&Q_N
z392wbzjOCqVdL8**E4~cL&CHrKPintrQ{F7_b@y9Jcmzn1#d#Q%To}3)e4Nmfkhiw
zD)O{6ke0n+l<I#?*@Cb=yc}=4kZ{Rn6P41<FH=%3E1_;XTRwLl%zlm<fnqcUh0m_1
zAwnjpj_}wXj!}6Gh#^V{-UxmB)_B^(5&Q;?{KUIHolADYA6x6^46*=AtMQ_Rk%Z&P
zF!<WT6RZW`BfhHI!FRmDhtFnl_@I(<jeR66U4+o6a8MDxA>m*LAK>gZ_-<8soH=T4
zvi&ALP9IN3AB<#ocn2TW{qFE;e%hJE@cgOnp6x`_KOnu`U)l5=zt||Mk=es#LqNgU
z*)XZ^sipVlU`-ccCYrur)HxL1_N@6?h6(Xiv?tA~KSIv+aOfeI5+kJ`PcXqoglAIC
zVZ3K}_Bt?5lpVua!Pa=9=~dB&Vxz)iT`_qbt0^USVMecw{^fw{VR!heFJPYimd^tJ
zi`?Fa2$C-!GP&lwR-fNO%8{gC&s4-`F+~*-T~HF=(thE%uZnGIwmhm$mCc1KR9;fn
z&2TeWuUgiQLe@NGeciGIJ@?;}U&wq+nYCo*ml|-Whd^eYr0_d!KyRO#a^csCpNyOL
z$cvv{^*P2q=OHVMlfS@czVTqmc#;3~`;5-z7RED5o!>B#TPAK96>|`QV6Gk(odL8b
z6%ZlARO~_V7S6j$W^zyOWG-dOp3h+LGJ7ZUL;j9l>Ml}Kvo*^evC1F4XEOT>m#8|v
zA&sA$!uU^nO5>;P{7XiAaC#`5@Qm1@VT|)>-}4zrH^7EcC$K8+rhcb)0?V`@Jw^}t
zW)>K?j)~C}Kg;A|w!91(+n#W7&NWE~SsKW~MQ~33e7X*oT}0KQdyDti&GqytzJB>a
zuhOgRJV3bb_8V{1<(qxyOax_#r(W}BUv%x&*IswiwG$<8`r=@aqH-TXO4o1t)rW^W
zaVX-4@EY4<;b$(?Z#x(~dV$B8CcB@S#MI)hgBdD<rnnF^T+-pc=cb#0!&lvozgsxI
zwR)hJ9nKl3k;CanV!iJtz_1fhlK|*&R;nKefTpeKMBUc>4X}FnDjiP0;F)O{$JnpL
zyR@oAZZ1kO`pw_$_v+(Weew^K+(-L~`)-Jb>2!bAC-0;8f~T2I3eK1crtnsCXycXQ
zp$)=G?arH_wZKq*35+$i4sh8%ek1u>$yz(LdJrWT#P^^U1AgFnbOdJdNkXJ#N;l>P
z=M%jg-k(g<p@w1knRJHU;s<Nl19hBFh1;m_kKT^|ne5E4-CP$Avy26<*=6+L>F)67
z^edA%b4j7r_{5p*elR}+L)}J))NdHd<q&;h4Zq=vsEI@5z0N~IVt2z^uVcCWX$M2W
zw{sqXZ~N1qYcE&xKU(s4swJ4U?LQa-ejN?4gXsUk$}gmpto#K%t>QbMZ0{Rt?;+Z2
z`!n*ZCQZJe;TFn&*d&|<UE6*cuBE5q{)NS3cwmhswofNak0Mbq8C?^1Zt4O`as#g*
z9++35I1LzlMBIXVX)}`7e)iFuVIV*I^aSxy_IXh|T>MQ26>ujJp_5#kQkHF$?IA)*
z`ELA}wy_-4_8{6WX_JN?olHY@*{3I#wD$|w9^)hbdYA8)<bOHJ|C#c??ee{n{9PDV
zz>~ikzK`TY_R%X`xw?{ae~!wHE0#;=p3@v4WFU<FL5*+{+sn<;jg4Nnw;-zN7wO#i
zq57d~5x8!KUz}Fmo(VRxG`00{`$vmLq_{xZMfm^X@9dHgr*g-izyg<GaBE>pSl+m{
zhux?%arR^yUb&}fe*IEJhM(hl#yV;sBiS+j8ozYwCMP73s%RcT3#5Jon+Qu87XRsa
zRx<n&<=}?Xej{$slR(ocVk+T`^U2BG);&y6q_H&?EU2&8#jNX^n5uO<`8GYGBOD4J
z|C^dHZD$8v1})NRPG!MT<~?Kv&FR=;+XyMlZ+d)TW`X~<Vtp}bhteN=1H7al2dBHx
z<wNvtvAwvh$o7e*b;9VBg<{MS)|dT}t@(bj-A7%!D<;6#j}+!b&H2UrZ@T;^lz&Gt
zKUvKGt;?TIe*Q{GZS7Ym{~5TqI8UztVc|Id?|ivtA1aP3#eIB3onL&qFtPMW!${((
zg{f)dhlX?bG@o)h*DwhFk$@m$SXc@B<!7>@g%?932bYVFVrnU94Ms~5xAneE4>k~R
zCk_p>j}phg^(5)+-!;+XeP6({7d^vo0X>?acu;$SM3GgBDdD}!wox?h<Sl}L%X#Dg
zKaAe_E4SJG%^YJI!7-t6)21G`hhBNgI2L|zuHfcKYq<Nb5qmx&a^!B=6Fy7|KXz%S
z@J;2aO%9Y1qmDiqc4s^~wk>Aq>7rYewJ6Mxk;2iHn0f<vW?|EYUlXo#&ZOP)p^%rQ
zHU4HCo(ec@AT^!4XsA#~uA%Q$_H-=Z4Bd#e^H5m%UGRBSM8AL9<aXn?c)#53qr#nk
z(dcT1|5{7u$UmVv*j%_vgI26?l;6kY%jstM*SP%C!<DZ7mS0)@y9@cgA?;qt5?X(m
zT=Q3bPpZiX^0N0j`BL*_A*)_y@jzEiqKaw{6!Of(-kVW1C%$TKEo5D)YVVQdW$%>)
zq}mmQys_$SzEyKlv1WWB>kL(U)K!yUrP{DU-cVJ`S~VwZYx)+lhN;^1uA116YC9f`
z#@0{OE_8WL=-0ea$QwxBrTMRr8Lbb|{r$;ZF7R?JxA%{V;OYI$5N3uSY_fGR{H$86
zQBwU0teOwe<fR>vH(w_V>905%xXo}51&jPm^>EM=M#I{mu@+FnxcjUN8io3B-{Y3+
z@g$Ev+uY}bpi!s_pLL%;*&0ju65rXmYG+<8%pWugGvSS-y6={9Yt;*~B00O|mzHK3
z(SoeVN>*(#Yks-)<^@JNvW_ceA+s9|!{r75MqN0FOj1QIXLU(0$F`PY7TMM#AEQY2
zNp&O)e3{Selj>bxqg<v|VttP0lfP^}ANyxvuDzMBM89!E!!N3!R^?slfTG8cz}`{M
zM89(e(V+xV)ZxP4T8H916<ow;_DNw-UrStOp~Izons(c`@#C=V_XR6*3Y{>X!y2xZ
zjo2_y0-i(sYr=`FDEYx|9-HCAVtXNR7tRP`DJToa7eBk`^UKB0uKGN__$iA??dAuN
zq;*%|?ExO{k~8`3?7cg%7Yg?e&NYqY6x<|ElLQVg>k^M8(e@epT`<U<gZ;GoW>?Gj
z;=kg3vmpup$9=P(h!6j#c=FErH192Nmb0io2T!-sdPh8S@bvqgz5%y;qTg9V`P(be
z@4Qh|tSgNti}D8*_M2_}(WN9Va7<CUH>coUuI1~b6@HsUdlQQHpa>7`F)@w((KGxN
zmVtit3A$E?)A`^yN>7xOZkJ%nq5Neam!Y+eAKBTa1#*P<%Y5men~ut!)-WN_SV2N2
z+oxLGsWW#&bQzRvD;6}C6d5~L;Qp|;4if!Pw0x!L*C_qt`Pf)Pc6twUrwP|UH8yt*
zK9hL*Vs2Qvq$>|ZbRmv#+F9MRz4X>jZpxv92M_LkwQA{clliYcFaKlZ?<Y^jUZ_Kr
zI=c&-Ew2WPYs(hT`=XKct#W_ZK2E!y@|o1+y(cB6PSc>Y(lPSS#KI%a()`-@FI#7+
z`d1yW620_SIkVp?U()5IZ+++5#b<Oa3n$WG;lSfn!W*%!XaLFATyR5hO0`$s;Dz7x
zn1eZypIe5S`ZG_E(*6UVCFo{X!(ia+8f-s~QI+*>63^7f8#fL~Og+bdzfew~y>veY
zBVV^8J!`L2gtyUk+fcKcN&>47h2!Z<fz?faq?@{7Trn=ijfb03!F$nbT7BF@TB&(u
zwSpwW)GGvLQ(rhz{r7<<+hjmD*Z+^qC*WaK2Z4$ltw8~AYjpbFZ+>BijsUX9d!|RW
zo+<vCS}k5I(HURSh^8zQ+ji0!HFVbcCiTFsKS2tpBxvSg&&xp^NJQ5eqzF{+8(iZC
zhA352xl94v8;jAdg*ez;&HfiV=OmgotBM+-^`YT!X(j)o5`RU@{pgdWp`&GgVd31*
zAd*{A@}x^|t25CY-Z=hKM@HCgVPt4-9fQlCNqHyF<ScM}=;f}Dg*h6`UuQ0rsTw};
zRg4xKNAkO1f8O&1aNGbK<_9RWQ<J0|WFW$WlT0IT09d_%b2VM%@fCr2H_}nz?5~qF
z-T7^#=tis*unUZ~f2xf|YUFl+kx{M{W*Pna@FaeuOaw@<1j{@;k>csmixW*vl*rz1
zoPm??dA?*RYzlwMrROM`QuzLt1`B}`Pg9@{77pgSVvQ72M-M{*!m=5N8!lL$W?d}d
zzB}?j$k6*ffsiSWgOG1&p#SAcbXSQY>4cA(aVm4V%8YYm*4;~)K|o>sSeZ%MzdurC
zj#U}Q+{L3Z-xS)08YU|q?o^rPPgK=4qTc%;HXMlsYLeUZC#O5z<l!Fi2r~%(OL$N~
zlQ=tyc@Ec6CEMs`R)d`vLB>mMaQuJ6P$BbUEpryLyeW)bcIeQhdLYi$>aWjHYpk5l
zkX+)w2zGF^Y@!9_=b!&Z1XV|V>XKl)bLZe1b54a?C?_9I^l~64MQ_t}Y<=vm8ZWr3
zdK4v+FNEKGM6le(%Ug@Wi}<ZW!rWW+1uyH0FvVS+M3Y^QiCIX+j#<F)YPs6s?}9tc
z0RkSA3qDGh*H?Stnc$)@qfaM9f+6mFMCTC<7eSxuPei%rYK|_HigFT7XEXWIEJfHL
z&sx2(`D?mL>TmX;9CMw|C9zHz+$|5>2;_;1*ha*5T*mUQ4+3p%pNaI3Lfm?P5{I?b
zUy@>D;oZW6gf8&i98hUi!vYgaRFt0~3A(4@+7uEnlAnL|7`Av_jfOF3tApp0%lJ==
zXr(%z3)ju=LCT4uiMe81TDyUZt`j9)5FeH1$vruSGq>K|QQ5dXmcJ1Wc6RaJ>7|na
zULD0E5S|P?#MPc>#cFBDf~XWub@KW6hEtU^*YFpvnfR;mvG6sjh{+qlO#Uxa4gFfU
ztu&tIl8%Rd?d2N!``c>tekmx)trzfO#ueDbqnO6u1g;Vt1*Jd>*)`S2h7Y8qmE1AP
zrU&w|?I@5R$-~A)*wx(O(fBco;bLJbJ8lnJXln6z-H%yE^`#GqF>kTw;hyC;(uZB>
zMXavdes11>#N#kvLfB;hpY%6KC-HIfx21CT*;7m52$wmB%)+~Ef1*S<Na@Twyy!il
z=1I-0J>G5{b^~737I!@jHc`j+boC_LIa&hgkE=cm_OOR$jt0;)7I9+u6(M!gLRWVq
zR0gN<r`{hzQx6G-g%3l4b|c<okN_5H`W5=5%p{eWsWQt%rAJOLtT*m{ZI9a_!f);e
zHM<s8)}NAmyNKW5Jt9QqZdgw)^7y{y=pwMGzp`Pv+v$5Y{KH<;=*PdYh9fkmqw@=@
zx(5lUjQUN|Cc`;CqlEx(7EW^3bK-1C^6jt{_zL~eZaCs2+*$j3Hng?<xd@Lbl+n#F
ziGDq>H$M4ZYR^vh#|Jm{>Gb`{``s_lv#7WBU>9IPIP*7LlC%2KPUX?3bzg5rmy+Yv
z;p)(_dxW!>ILNW;f;x@{=n%&wYU(zL_F(>TP>{!Y2Bn5A9<~zPg<l&Zsev}cer$XA
zN51Mt@4S(!>r!(;%ptprXaU!i`rWvVeDMvV*?k*1rzbQVKlO#1$CBN+IW|7_0<OgR
zZgBL1U`6dTel_M5Ur8}F*OfD-?#QXTezLd$(zu^ecT$RW>T(wxq?KE{!M-c_QP-`k
zWmC^MN3-@!*~G&_WvQ01PbybiK6=GXm*nbCMGn55t2?zz9Yf)=@X55I`_gYbEtsDh
zQ_jt?1nboe1f+d+)3{1~^x}rKb-_wN6=+TW$=D`M2e`zYNANTM4f|%E|My+UpDNla
z=r4m<4#FpEB!4=>K#KR{escewQ?^{#q|@Rfs6r@vLw{;Thik2t`De4-diZ!+6H}-5
z>fgyub}sAs*O(5+KdLpPJ)C!1hi0zzp)Pw%9~2X)9hO5Vt;wXKMG*kK1l1?ZC{>gC
zEC%vKmVq2z7zj5BAln{%ov~~(k{=4Mqj{~;|HWUyh}`d3?(!|C;=ey9ck7q~;phJs
zu81MF&}d<4ZO1oKM_##H%@s6B96!?O^3lQ(hE}fTQuT8l-|UXmUn8AlAEnjV*)Ww9
zr(3``>m+4cSDI|AqO`ossCO(ehaz?At#Gu)G<rc|D%hex#hX86Sf%>qmmZ<7{*<y~
zAC!1nC5oyNJ=Dyh#0Nl}??xLA|2210N~3mf*7jhF=h9>|l0o--bI^Vr!{`2Ew?Aj|
zh#T-aKg~SJuFw1p7%t9#-twE&IOYPVx5CQ}Kdgawkha=Lw5BE)p;J)n&xOiq#tm@i
z=nsB=0MT-Wa}^A50wXLFLWsp5Vz2E9^QHvg@+ZQ0Nf;B=aA)L42`!};-}pf*=0{N?
zOE2Sye{yU72aG;U(`*smfA4<#H>`_KTxwr(qx~-OX|fKv{%_rve+T9N{rmD~P`a?5
z&N~Fd=O=xo&>!2K5TSlhA>ZNu65+pLCz6t}167Cqh*<o{4w`xJ<!8gAS#6A^*T9P5
zSPiprAz|iv@aKHKrgQJ?x>9{X)yBEA0urpxv8`|9&E3pB)r-O}02mKcXhv5CXu9|u
zmV_aNlxQt4wKpKqN4<b&L#C^}OFP>8p4vl=D2v*AS5;|jI5)pn<r+X*TTh4Q;KfOa
zd42j%3i?dIhY<5dztPa99%x>Fbc|kfxBI|L#!r8VsWa$6jBP43H}o=+I&Qb-O{uL7
zJ=-qR{0Q1|<6@IijbrLS<)Vh|xm&upXn}Jgh|bns^j_?3AgU05C7!-!fZi7FGN~>Y
zUg?cq*|5cdqY2gFKe9%cYIxCNuBC?61$eC_0GHxBntz}6F1kjd^@UM{BS#kSHc@oY
zwD>Ja&Z|*>A#gI^*1bYZ-v%V!RWhM#UgT5rj>%M*cVUi7|HqX3nUQx*c%zC*14RQG
zU>cAggrAslPXE)@8mq!LC?Cxa=-oU2$o|6jC+VYA{G*66wsc>5iexmgJ`2JL{B+EA
zO*uffhtHFck+9S|7{<m(;nZyNBIO3|eHo#5tB`Drx7vwzvtl~tL+S0nJr#0rE&D8C
zci^Kv$*i|e*3UI!?iKvB{_ApAbwk<T6rK(MX$f~=*l2h!1>j}@uwSTx9Oe3JfP_Ur
zn3>G4lG_}Z5AfnMGd(hPh0W?(RdTaeFema)T%@Kt-*16_HLCOd7yooWMyK~Kf~RND
zcn3eqKgm{@cP8Gres{LcVTnkW`uqRMe|Zt>ed(K83c$xY7#p6!0JDv1otP5z{lcv+
zP681uraqi4+#Y@;9TS>S3MBi(HeUL59Zt6R(qZHk<#UlAUcbmttO$l>+HJSXJQAYN
zS0RG#ZRnM~-+F(o;V|0mxXoiSa|DfQE&c(4;H<aA<81ZTv5udnZ4fziO6qj7k7RA5
zS=ykN)B8$9{2*e+N*2SZ_6{sB#olR;`otE8t0Y%*BQO88(_?mhiBB#1y2h71y>#$C
zd-V;UYx}M}cR$~_N(_~;v2bsjW{)>)L4DervR|)2V5#yiC=j|5XY7ykp1tAQCczhB
zs@6Zr(*Mp+So%wYAAW_Q9qxjYWSnkGYOoI64&&u(c=I%(4&A4NKWH-eWRu@elMm5k
z+hfE(RD4JI#{#d70>QE!pI+Fg{CmT9=&@9u`Ps8>&LGggQkUyPluX@eKc7s^8}-18
zew3k6F#`w%3|{lW<Iz-~EomuE`BZsMdxlvZPDx!@mzy-`q6_Lydvr3NH}-N0jp}Lt
zbibGT5szlA@?wh}TX*rYXCg?>s0_#7PZ;I_^^?mCs?m?cS@Yrap!w|FnAoJ?GhX%r
z`gyJXPpRA~T~B*b&ENDJUQY31Z#3@ddBX?}kWFM*0}@XiKJB7Gv%1vxIwSFPUH5~$
z=5g>+8-dwe#rruudCo5ybawW_?x>ZQ?7=ZJB-+s6N#|Hgu#^CWpamCuTXVKMmk6Jc
zt?PauIO{;$Ul>h?{PMGRP6HO9^pqk>r;~DHH-^nR))}A6zxe;fr?qD&eS&5Tr9%v*
z)@q`NQYYUFc;&og30^_(xs{22XIF+>?(IPAkWWYKy&8aU`#XnQ^>fpV4&0ssZZ9k1
zcF4cPt?32D_dg83LrU?>Wwo33c*FL762H$1ze9@n{Zl9Wy8W7$Qx|1;_(6{VdASGJ
zL9j>n+=2ZUnSh$wdT$#Mqif~$PEGIB<lEq)rpHJQyYJP!yRA~keSd^Eg3;6_-yYxe
ze*F;<-`iVOGOAC5LaEX3G;HHCx%MB+{c$LK^dwau*~+K8TW%u>WMGs3QCYd?2=6Nk
zC*Om;wdYWM|4b0#;>Usw2*+&?(c?PQx}tvn18Qo$DadIv&8G9vlVqyiqtSw@fdv{^
zw&Gj#ZfC3t(|o4Hz=MDbXyeJ$D);dhAa_?+AxT=H><VxeUazvb=kUCig@3!-eoKrA
zDG&2G`Lwdc)DeQ!%q6y;1pF=gSdxw;HPRol6?<<3kiqm(X#7|K(%%8{4w)K2J%9k$
zay~UgLtBS@%RfxE@k^1usS7i~!i!+y+yf8Nwz+^=W5Qpe3J43mfs{o|acs0t*sCZ!
zrWy*zHJ<9->hBh#@Ql-q!eh~WU<6ci)_J3^E)@&EM%Q(tw>E4AyuJqQp>XkVgZ9v^
z1p;@Y5Co=$@I~e2=FX(!@YmDr_wV@4;?*bonfso_H%_zgc0P>(au>xM4+w{A!mnU*
zrWy|&svl6ysB>qAKZbc({Q9WYVHpKReGqJRm2_%RYa*j9LEIRiG5fK&!a7Gl!Tt!Z
z-f4qB-o=QA5AHH8R5JqiYI`__>^y^`k;y;}E;og<NJCTA1?pn7Bfvr@|3mX4=zB7i
zz}SIXMBh!}eJ9%IRz3yfC+WM0Y-cAly-?q6^60XL=)KVViEwu5`hIbT|C7FNqrKEc
zJPUjueVQ7|diKu3SlLBsJe?CRV8;Cc46qSd?T3{=7YsFN!H^qy1~n{%<@W*&7Gd{g
zRJi45R^~X$1aE;8BDivQb=O*szu<P2%-x2QaZ%53zAL%^M=D8sr>eacL;?jbreNd#
zt_`!)@%3q(1f#-xT=`{`r}QZ*-R$M=D_7echJ5}gs+Nv7x?jW3Ju02DaOgr$V`Og{
zCCq;J96@|Tt$tr?zwLCv4KCT#-mmbRY$<bLw)lH!cpbm9Pf7_><?~$*zWUsiUU=pC
z*6b+p<I^AUJ6JPEf&!JsbeZrlI7QW-$#Kjgees#&>Q9CsTYd;L5Sd(@>=PHDQZ<%d
zU6>zqqKG|J?4)3MTBb)`uK^~4CuQt~<D(vj@=@$@CW-3NqsPWQL%E|hTk)X!D-|wf
z^w;*YqCV>9#!ckt>Gi&L$m-bK>`i5y*O!G|_@Mx;+_-O>pGe0bw%ui!*MuAR0sHGk
zxVQKj%(nyGY~_Wg4Kthp7jVmk^*<j9QMSv6NwEgc4e)<NqCHh(TdF<7Zq(wYlF3$W
zoHU^NA$rq**}5dWS-oa&x!GC?7W=V{;i}_xf6{I(CNHujRu?>}RhFO^xAt=Vkc&jC
zv8r>GipR>;{cq|DO(|8(J|ui<CLcyoyD<GBDZL7uY51-rVEEsdTm^4l!&eHA%D8(O
zf_(BdEE~mxP*ytk&=TRYhMpq1U@e^|<Bb8`*)9RmtP}8U&qV70Y^3`p+V1Mmg(R1r
zDZ5g(Q-12_)l@A*{A9fJKiN;6?W3Cpb+W&SryjyQL6>s;_0RY1$!&?wI-<lLU~53J
zp?2Tie(fU#xajS;&(UXU;HAE*((CpfH=yfE{WWeY@_E4!)`AXftA5;!_Xj#Pt<o;W
zb9d@Zh75>;Zr8WOI_@8?(MNRuaLQ$L+&}zf5{L;NeFuMdibHxb_0K32)1Ad%av$Y(
zXK{>#L9R}>jyj#-we?g!Lv2|&Bh7&CgdMyy;SD1-T^2E({)wk@8c*suu{r}vt=y1p
z8Z5MO{-Z(S?ZRqqwjKHB=2+R{y6PTU`^sse7IbBshJqR{8nBy97V9_Xf2m|A`4oIP
z^}nsa$cF<~5##UNb3<rcVYh!*ctz+1B1+8^>uTgZ4AA8GTDA&MSE^N{n=A4SSLEly
zft7hqWwImBB;9Fdz9rO*B%!UJ@EL8uB&IH6aCO<=y<1Cr;}ef>koLE>F8l1eV@NQG
zzZt&}!}^YEVn_XF*$*A?p4)0jJkGULBiB(P{9)F>eT{sQJ_jtx=5e_`$Ft`Zeu282
z>OXooZ8D@kQ^w*W=c{66lzEEFyt|OOfK0&|wpZI|ZYINx=Es&$^Iz(Uot{J!E?01J
z|E;tzXNa-e$cNPQhMyWtr>kJ@{s)!a)n)%m*^6EFu`YXNNw!WFgpa!HGMD{3W%qQo
z?^gCSm%a7|?dxr}@!X^ITA)ij)%1JH!^J;D9pq^93H<c<Iknl&WoMMyg#*tp(7-eK
zfQ8eI#_uaYP>wc1;x}my%(s8e8hn%ndo?}gnmxrea4gk7ub+i8-j%MckAG5ZD@9ud
z+!qDhL$qang$_I0lcv%k?#w=;^PNnk@OLm+{#)p2Mfq3r!4D!Xrp!|+Gg)O$r%ZUq
zXAAnU-QRLyw2ZUt4L0*R+JJf7VBl7_O(ka~Pf%iRuI5*G?j3ekl8dREPUIUQUdffx
z*(W7#<P00gbvy&ekoed8ra_}-n`FI<#>rkVsBvG9n<|18*{KV}*i7f+K<mYT&S3Fe
zja&wv3U`|3e^!K>IEfK9Sxvb(^AF5qopqY4p6jxIT%bu2o`?1S=>l&t5T$tmHQe(1
zPu3I|;lTfY&H2=fhN|J+t4~0-;0#Bk{N;-}=)roU_geFD(_N*fp8tI}$d2Qsm!d4r
zMT*%bN`4B1EyORTd1fwmJ95uka_1~qTmSiTiJL__rDZnXE`%`^JfV+NF#TEnEa2Xq
zO0DiUdD%;b$Vk3+S6Qt7JG;8X>aV)U%U##g76_el!W;kiFLh1B?LR(MhSP8PsF4bE
z`-x0$Hdoe!KeznYkB`*HPwb=icD?IbaF^E_)n@BrC3BzGmf7!;`)iBx-TIxfWe-4>
z$o8q#Aqh++B4*q^K5v0S5U=r;TCBVGMDoU4Ch&8m`#FN2OZn;N9;`N%gw6cPG$AMS
z^&VS2SEPd#8J(xFQ?yrcik6Xnm-4ra@(BEBRart72VE@R7`GFxCP5nf->O&W*To*u
zBulN(t<^&>0Wmt{Isxe|_g}3}NnBPvQHMgk@QGgtj&Yi%BkVdw%5V^g6DHyKM?{kO
z5aP#m)E^-rGQrwp^LNV*(K%lFi!YM?Rjb9FxFL0c{y$M#)rhdi17hk638|#z)RY&6
z-|^h&L*R|jg@kZ{H)wc?CKP!Ep$V~_WQEf|{2ZrQa~53W2QMlNb5uC%;Rv`y)8(LD
zpwn$-<RUy24(-SvOTGXbVbNty@s4+753%eE*&d*QAqo)mJ2K0o%pq!EltN*`(-#zb
z-XL?4F`|LmMU<cG$dZRdSymB$FTscH;Yu7MhS5aRA1oj8m}_=pIOEA;*3Xs2<#-Un
z=<tRAb(kE1N#3LzaRg{jG|B-pOESJ%Xb{<hFxXRCsmAigRJ*KqJF?K-6HSUEoAB=w
z_N4p8&kIN7lhkwmgy%)vd==ke>tN=9d5>4Q9S!#06qw(*Wk|`CL1{-U1nV^?PePSW
zfvK*Mx_IskR0DLR`cd{42J`A!N=#YaOdsO3j;jat*2f(T7HEbP*hc!C%vP|sh6cm!
zzmkCdA+h)QG%6J$f$h09ncP&ngljxh?HXP)+x6J+GYg1V!!7jTY@o3IgGE4aDiC1J
zPtG^M57Q&Ko-0Ea5051)e-+8$hNBAjxFq?4y{McH-mtx_NH3h&2?L(iO?ILzq)WHq
z!h1TA%bX66ycetPqOP!&Ff@j#<l=+ICtq;<LNZ`IM6uMASDuJ4<8_`?zR9446AP%}
zHQ>mO$gzz}yRYN)fv18#DwrFOY~jfTi*)pJO^hEQ)8YjLU7z!G1VEzc7EOp;#-r@F
z-7zc5O1ev&^bD&yN@DvmEr}YFMHkMVS!}{wbGeIdc3p+<{ic|6j2h1lz-eN2ran>3
z>1sI`h*72AcT~#5b{HFubm0n^+i;a=T0w>(5jXgna1(;AfIXS4hQM##qw53NQ+$rH
z7Az+FDWWgi4<hjCl*#{!{IDx7IpvqE2lx=`vJb#NJO$NN66lKYIzGOQgz=zu+7|uD
zP3V;xJwK6K!v`8hV(J_GXbgGhYnACJl4zB6!<y@u?tQp~J)OI*i?FFjkOvVH{ux^O
z8Q@bVmdVxkD3A1|xmS_a)_pq1ed{lfrG4o2Y2&2?vd6TDr@KCCcsI4Udzp77$1l^l
zA9F5{c)f7mAkb2$cmqX4n@mLC;MuB9X6Yz~K6|nlt5dr6nM<wLerRUtU|ZV*v$s>W
z?X}rLS=%yUsl!Gs!Pk^6L(!4zve&`ez)&(FrdAIkhpo)q`0X{@%W)&$xkLD3E>|{j
zChT?I<*L&*7<1(1#8ja?yqC^!FDMrM*74b=m1b8s%l|x?)c{B3O!u=N${TV^sfV%p
zLejGIm5Yd}=1!oxZfvD(zo~EAO$9x4^y2!f^&aEo)5{tNP35U(BC>{ssbPy!qu;%q
zr;3MHn+#50xhlNwGve6?4SMF^VA~nyU}nQvENB{R$@Gib58uWW0NnX;a5eHOHP4X8
z-QEpd+NKlSE*w6Vnm1i2eJIS)1Eo6f*}-wfY~$&qabMrWopt;G*TFv&8@5>P`{fo&
zr~8!${_o##=oJmrD^K|=yEun7I)5Q5x)H7usI{=$mm2r<_;Ks=WeA9LF5Shua`n7J
zpbnlKZD)~R2`di=xTh<I(>fa<-3IWNcj*RA3Or2qiqG(w=vNz?=Jj99HFBxMb$t{4
zyaDO#xokmsye)R_pvkpe22ZZ-KRED)FRo2=73Y}LP-GhBB6G=<rcxs!|4X(Ozz9=l
z*is-&{OnW^`HY|h!b~ou+0zFg`{5Y^PJ=m|G!Q~*D(Kb`Km;I<h>P&gq_^FrejCHj
zTWflaj<edI9Q61AKHvcME8$UUDqC^dlWwpKCC2rJe9>m$#f1+(z(EB#_#8i{c?k{v
z^hCd#D^uBvD}xC`@*pnq?>B~DwtnmBcV0=ij38+jghV6w-2lUNGy4kQdf+Vnmf-p^
zJ`?>Wl;HZ9M8Amx)bFH9uskHu?}}<r90S`!@-yhG;NNKs&$RwOl*`=E*ooNVgMJQ*
z@N*7;u?~Qd$9D$c1Owpu5&$$_1K><H#%ikt%DF=TWduxc3ZQfWlo9y~1Eo&l?P7yN
zHyH_nl=(A?OgBE@@TXn^cq{y${)UOCI6ojv{F=WdnD`B!{}L0zf&jS|e0=*9{km}k
zAk`-NU0(-C<$zS1{}B*$%(vXcw;T7vWv@%z%<Ul1+io(9=Q$0>7v+HE#R%CN7h7D;
zHSmYZ>u=%TuJz+JH#Tr2BJuRVZTi!XK$~DfrMmCCcwFBu9ER(k?@F)YLu71;$(;Wa
z+blLuY2>(>u94qcBUct1If+KPCHh_6KmR;HMsh}|x!#rkp_RX&SpFEwcTM!Ww158R
z9pz1i;|Vlb@agtXL4M!VRa5L!#rK&7@jVD3F1-fv9jrup`@texr;*-@YYbQIk`!EI
z*Y|2aX?*r^C&9VScQoIT1V73B>__<K=lH3I0T0vlojK$}`pP$W3ShvYF^3XO-N{U2
zJazF#x7>70em8O|!o%c!WN+fz8@)8q_?~`nE;;d3<<!?2)=LHuE$R<jmm2m)s`21w
z6H{NJ1iwC)XgYy58~1lhG*$7#%O0KPfQC2v*hJG;`OY4F2A`uZ$3>*^B%VI{%Y087
zeR&@Tf8wd5k0)W&<$V)P!&E;vq0-BqO_*pc;qV!5IvHQ)#aj|h(!a9fD@UKfOPeOd
z{&_h;(|uh{e9Dqi%lTS7<zO;WU~nqhdNR8(zY|Yg-<L~TV~cD1a*6D~um71rWY44j
zim&Ns{MAI0_B#<<|H1d9(dSh*+*&*NAWLQ!`fS|KkG(=#c0zwI>m9{2R5Szp$rS?M
zUUO_aN9$PQ!7tWl`1j<5sf3enPQ)5|HSX_SKhF3Ut)mao#EGU$5q+H8Yr25H-jyq)
zr{A2A+aocxjHJ|aGg<laA0ZcLqHDvF#{GR8=Ido+CTQ8>+AjTa7qpL>(7)jgy;UQ>
z&&d_P<dy^P<dF~RPyFSEXQ9RnenXAQhR1bzO73RDAhv~-Q9qJ@ZNG5(Fc6PxIEStn
z=tTN&+z$oM<40T8;07068{&=oc_wKO)%b)XzGwxz@@zRt`6|AQ`SO315N$koL87UG
zG#V{WG|7r=++UGs+NZK7^Th=q%)9(ye20Gmq)zL*hvP&6A-VHz_H(sn_<Ivm6Znl8
z{J=DEr#^;yxu<6oK2YADml|$4p8fl6EQBe9StCwHb@J~^A1jz9I*h4Cq-$0(rw4bM
z)9Q<RI`-b4`1Sl0#{?3;Ztgih(bS@;7kp^C?BBIKGwpzgZ8{W;I=0ZUw64&3%33zG
zZ4(54LMm7;&jY8abc%!ShJ+_$y<vC^vXDvnCPsxL;KWqW0xL9)g88(2?B%{b3We57
zz4~$6<t889zQRC!Czy#}k;f5r!Xhto9$GU?glrKhd}?Q_hKJ#(9Q=u8WxVMzxc&!b
z3~O^}xwVs+I+Fg9uVwV&1~KEdb+K-~YvK>WLupofxFpK@xgpO=Pvtiq2A4tL$e2AJ
z4CZ~l4Q@FY%>RHD6W$@4vbo_uq)Cp5Qn!WIyVNoA9pJFgDOK`^hO=EddZ(R%!5JaY
z|N2+!(IN;s)+_L*@lumEKtCnb(ojN=3^CU<2_eusya#5j6KYaZUT9^`Ns$%JOBC6q
ziKcfo#3>8KCM6nTM}KzaPM49hp9)}^+$87K*cATu??q~US4aV%Ay^_4W#c~b+hX3i
zQQiphzOB5UcH|L7#?1OL)*`Ccws1m6i`X&B=_x~k_plw2huC<xH8%IK(KB>jW={oY
zc4acuPnGGxX!GbXhtMuG1?AfePv}#+-j~=bja#nBeuKw<Z^X>|d>xTfiDki?yzrb#
zyqrqBG@kPkiKTTxGpSsGv6FJV8ggOv((JW^DKS3SLCOd*c9=bLKw`Q0az?N<dv3Mm
zen9RiiKUtltwdebWxvri!I6rWgBQp1CPVhxo^{zDqpj9eZ%-vKe6FcpJwA9_rDvuR
z%f|;>Qwcczvg%pmwYFYZ{e<ku**=azn!0h6pFM9#_Tn)Fw^(N%dfCe>eO@xo1TT{{
zH1VRBy?q1`>y*c3cX6$1^XlfgJnFWGY3yZh^wKS@xJ|issIGdt*OEug3Dx~5)nRHM
z<T<9^jcacwim^L~H4d@!)6&{Qp|;beYy_?4EDxFBB|$VK9p4W5lsCa^**MUP<1l-L
zFj6o14?np$-Lm!=xe|v;^ud|6Uh-vKC{q=BEo=L0p~+3{G2@FrJwusGy%=qA;9vlN
ztfBJ?kE?20+PkRJ9%bp+3ITIytQY?v9pCE*FGr09TyFOs?e(I{;gm%^p@<(};Uy7D
zYy2uEJ_j8RX0Vr9*7xwM-pB;=1^gf{P8L9}JCf%%<igenTJqg_JIdIyEgj&O!B=t_
zbG9YlJ2hpkhOd8*Ez87T^kKSDEK623e?&UD1FZSM8)-bU@fYQqYFT%TpIqxD-#90C
zU+=r?zVdy)sznJga_KJL#f$AQX+TddrGlddhr5o(ViA)_M-BsqGX|fGDid|5{AkER
zK%6JF4tnt=eib(^?eeM?`^i_mIKOe%aJJEl!B_(7NH<FEVHcDd+LUz~nL&|H$6uqX
zfd&M$FO)gL*O=%r?<ZgLnesf@wYEp&#@oSw!km&VjPsdS_Ba3CtIB)HH@O_uk8Sp1
z+&VU(ug3zxaMLmFpn>Q4SbNNr^&)3Fc*$i}q~q@x0LtXO9kASk-ofr#pB|Eo&DG2w
zUM$v2#YAw!go?%Yrh}Gr)n32q126fWAAcdkwP!Khv~LKKmW@aH0i)a8opp{hH*6TE
zcRK#M7wjZcsQ@OXUk5)UotF8@b!knLmW@49HZR(`q~S1Pi;~;Y$yc9w`0c;vy>f&y
zyyeIC!T1>A>~|&sD?@B(S_|PasvqOEv{j@;O^y2<H67oTn)1Glv}JvNKfWHIt!x{$
zR6w~JV9WYm<Psn6C3iyPbk$2jI~0x+xA~q=^RYMZqHAb$(i=U1`sP-r<Mj~J&0J`2
z{c*ZCzQf>Z%fvVO$(8A(s{2)x-h70Yg!NzNo98PL1M7PD@pTlC=nc=#-Ph&P`4^A&
zVsE8$gAeyHx#dP_3A+#sY`<EMiH2x96UwTv&K8ne9BeCtZS|6DOQ-;YE#%r@TN!Mt
zI0F&Epa8Y%L$7KdV0ba+ZZlPwr34`@pi}!^&&+LQY&J|<bA@_m;vX_fHj8l|$6d+r
zh)i;0p+qYbWr&K8Ujcso<Wisaq_+E2&1twNxgwo=aQFxPKKQE4zksjdkTC2*<TOnp
zidxolZlc|bD^ue%6s#~P;N2Dta=VvYtw`$@Q54$pYdvgha>_`&6BxZJ2p|l2h^?xn
zUVOD5YxQ!2O>iQ#HQbi1P?a)!rfi60vLmIYEr{PkcLSlNE0d0Ip%Rjvx*K{lw%(pe
ze(1%+=YIE-vG;i8*Hq7-J3m;OW`YLq`nasC_Gs*}6=_1d=(=Sq<lIIc(xSf?Lso4l
zP&FNFA)OKx04`XN&2a?G20yuq+Qn+f<E@924?)TI2uF;+n@PfSRA1#)y$eYNWw1OG
zd))>XV{l6ggA19VFvn6y)kr!qOeHW(xLdhu*oL{BmKmi6t6{GC#^A>^%+=|n*d-m~
zP{Rf<368dQ0l&a#@WMyMVfnG8Y?c@XG#Hky{%(vrh_NmVlV(==$>kJuO;D=SFj-UI
z_2U~d$q$gZ`dzglUG<s`|D#Oo#dIv<_lTM-E!ztN7W3NjQk+H%^JRn?Wzunkw5a(}
zk(wVcOi?$vJe_QrJ>w5OR(s`j)vaFDM}Dk112-l=W|@a{As}nmjL%>uw0VBXu+uv4
zp#o6zgTgSWv)oTEqM4{l2PIotd!^&#Z}8)*GRf^$eS=@MDqZ!apbS=JVl8ZQ(!;<s
zY(ooDHsIfqseuO35;8TnyLl--Th8p%97=waL3%P)wNbSSl2X5iMj3CGK`@hSKgSIs
zmo^?IO(PbblN;VW11D%&=DMDUB*aNdLL`HzehfWH@Jg&}R&MI=#n+^hdt5mx9*!Kb
zCR%$@27blAC=|xmWa3NxU?oy9Q`PDxcc<g4)3H5t>TxcqWh-L>bbf6p2p-#$RaS35
zj#|>@atFEvrBHh75$QOBK$+<z$`<o;JtC-G<c+WKm_?+b5Y6(c7J(2i_iSQbQ<B}2
z7Ref|qPgLxr?oILE!P&OWsJG>ic>|9xAeY@kHVN?<~T}Ol#k{RWty~==D@+9WhhMG
z)UR6LONID{fQeB9b){X?N172Mv$_%gt9em#EhOH+YWb#NT}nfnvB*v@Nk?m`%Ie8D
zQ7YrhJyv8X3#>6O%b<B8Q?=2{{VloRwmx{W_iCYGkbZ2J@=+CX!%yxsP9~P6x8xZo
zn?TDb)Onm-44PCb?Kq(u6)7F<0x!Pbmr}vvxxlO1?^mHb@Oz~f1GA_K(gP6_$TWRB
zc4DX-7^)VVd~ZMgky8bc>*=@(rIXvpID$&1CP)@BT4{XB!IGM7(0<@ot>pEgf%RXX
z_XEnaob2$D3s`5FuJ5v_o@4_DG^TsLpfAw#G3nTwPA#HqPudtd4s$mTJ$FQkP|G@q
zNzPs`37$Uo;ve~N5z0_}xsQ$+Q}OPs?DS-We1Y}8cLy1z5J5i24jN~CrIC<gvJ+lZ
z8`ApLK}bH<O2JI7BxBCOzq~iuEBC9L(WRv$R=r4-E>fLDt-R^fn?*-2wmO=dhKzhV
zh8Pwpce=3|9yA2_^;PWusJ;fqNTXr8!N*ZWc{2~{ejuH*YQGm3UwbhYS&eeOS`>du
z!-wENEUmjYD+j+!`T!Aw<aWwt^@iY~mNXtMCh--|Jlg%8U&5@?4p<(mno$X)=}k+s
zX0g_>WVLLrz)nfWUIJiY&#n9P(uMkdY?FcS=7kgn3?j7jBr+1Lyr~gM!O^d^y{Ik@
zWsL)0apcdNa(`641^N6WssY&8r?psXz0|zcBmLM~r@|IieOA(t;q8mYCJmM)hqZm3
z6RHQ&E$?e=s8^|H>p%Eqi(h^fMxa*7r5P0Vf+k=q73u-%I&=&x=n#cK3$%}Fi!zOF
zSkPNrQPxeR1#gV56=ly9JJuVO15PNnnTaTr74%tXAr0>xuWB>8EW<;$lj=2%<%!Er
zIri+w@XP>qYa-pUt)FRct!N{F682BW0eE#Li7BUn^~eP8q+2%kVsL#)lyS1uhfFii
z%MGAk^uE=!gV=Sy!o$=z3yG51uT3sKC)f2$=>XkC8mu#rLRJ+vCwItlS_(Q*vzRIA
zxU{rXG)+)N{5Wgm4nGNKn_09zOffZt<4k;A>e-g>{PKM`275CT`!Jo{mx--SSMA6o
z`Fu4Uyhar)A}x~GrhEhAF@9`0$%RR8AiU;dr{aN`9${Q68O=*OwKfiSr6SCd+lyS3
zXLKK_NL8<km#S7X<_tzp45mcW`2dTiAAnZ)<+vI$!Hbr(Hi5P2GU;M%CfJfmy6^Y<
zQlXc9<ukFB8Rlin+9Lp!kx~MyGJhB~(C%CrnjT16IbY}q)IcHPyEiquN0z0+mE6cT
zN77Z8&%}2?|4jU42x)aTAAt$SFPUBxpg+F$VQgoTFO!pc=8m)GwP&zKFb1mV39QUd
zw_u_r_fnkY(ag+@1`Rzy{q~Fu%>_cUALGw@_}3;bv00g5y|q6-lUzmtn5RXVOiQVH
zmW4V;E+s{>bk+QH)ywFk#&ek%5UtF_&_7<4^3>ASPu<_H+N}v6h4cw<0A^7)$Xy4S
z*CKA^OUNX_DR6JbHUOBhWtOln1D6N;DGI9F7&?XaQRp!1fM4tS0uyNtT(C{=tgEQ)
zTf4*jgVMp<5YZCW56tB5I(6}{T9{8#Sg<+|m2<Sll|~(dJ;2M`DW{QU;;!0O%%z1^
z?4y*_vE)`T1|%RGb^e_+8e6b46N3TTDl%N6gsN#kleSj46%TO?dP=KAqw94n0374%
zh=4SW4El0>ryqMEjmlcZ09Br5VC&F+Z2%>$PAzNaY)u9g7yTr;DHCr?$M#E8T9Jt@
z<6JA1`q^kdrmDIE@vtTuA45iHw5+X2#}D}Bw^q+qi-!1?O!6hizP&QR2IEZOp2f0V
zu1_EU9R6i|2#}U7jNGu%vX%)E9!8htD2bpbjQ~x8GNy0qktBD|#181ba$!@lqrLaJ
z1U93hW#XWGdCGa#zyxak$7#;kBp1;HZ5|;s19Ojbat#AbSG@v0g_~qMmmnoy`VG%x
z%cPERUVKf2*G%rJ8ioqlHyL7O=Co|;g$u^@KQ<F@x9ko538={gA1kH>kqe`)rm@4J
zB2ER4)fO-vr)x5|dsRy^h>j$6RtXrx@Cq-+@ryUqG#JLOk<dC9hiD<>20d87?+d-4
z0<!|XI>6|R<+p&b(CBF_PU0R1kVEfQ(5p1QU~JZh*E30wZ{UU^T(c04Y&nt!&&zQW
z48b-+c3QqegUHtVjkE(Tl+`;Ez%{EriSIR;<OW5bv}^(2@3S6m#J2(((#coSxxWp)
zZg~C+bkjdw^$(FDb}*g0W+a`7$8g#K6OHmA^U=JLjKbxj$Q(4J_h4EB0|pHp9Vk?I
zpG9gb4nDJsDIluEKh7i%h$1r#7g)w0`&GOAI7na4i5DvLGgTC(i7>t)k&bW0NJAg*
zpANS0E5bNhA^>av<4jbN83UU4)?VVmv1NX8E6Aih&|_s<Ho?VP5Zs$GN#pk!WFkc(
z{s7_AGO>^S*jDBpIo;*0)|9Z%q7d<eC?A!WW;IF0*AdEH@k|`m1Is4~uqxfS0b#zO
z2g8tF97a<IZ8rDd(SMj)e>TdmwS)@1wIW?5&O@TV;>Y&8WIwi^fm5o41}0ske{JZW
z#wRAZ!mQa^($ogSzLOCuExC?{95)J?OTu?!Uk!rNF)%1&u3tL#uDP0kUDjSgRpI<}
z+$C)74|-vD41)?Uj^(3Dz0yhicYJ)T1!%0GI>Jw`7iEwlRuxKY>PykX(s2wd7-f?*
zAas(g-9;}+jV%x(VhxBf9ht(wS;jR5<d=qH^l80<iY+2`Z=?y$Md+vBfj)R3MmNbQ
zR2p-W`oQpx?&z7}!=Oo~`ED<FSMPUz|HNf}(3VdAgVFT&V|zXMPPWo4stQ7umiZ{M
zy)mD1ndb)tH0T!wV1q66M>oA(9eSoz<PV|<MDbza<bLrz0#T&&tG1@A4n(Mly+iqa
zK8qi!b<6q$je~M+G{$j0<&k6i-Qwx6j`7OqthH8*{ay~~DxMS#P_Km=8Dyk6yysB^
z$zCoSlsfrx{g%^6|6m}zDH}<qt+r@<b9pfVXid(q$Y!#^y(>+<gW+8nKfa$dTo=pK
z64sM5etoRrB%@#CBXTi&Xh0KSb*2iJ1Sjt98~E0=y*J8uj_soxWDSZ9t^r!vKwS;X
zI2<$TACc$*Mp^d|nE_D7V8UE?t|^0NEA`-Y7+nQ%J+Ovi?3>7`S`S7+ofi{oz#YN{
zD{*atNJ6TCbhLLm0D`@!CdTJ$;d2Z>C8?2_jHH)rEkq0^3ci1uLua8eFusyBhw;r|
zoa~iyBvWTI7+>k3f41tM6=vNmGqYXR&DtZS2w}a!=Bxy4UF=QA;Yyir`_x&%MUVLe
z*qGhPeP#>tfrW}oMId8qz2zq{q?XP3kMmETAq%zDS*S7>%|hL2jbouQ^JJc~dby1z
zx$uAo1wxiNZYf!*;yUAUx-D9$+E<|zc20?fDpJcr-6s^`0|uJ4n5lkM8<1h63RNwe
z!8Xq4Jvc?|dtHL|g>&%Ba!T594&@j=GJ5u?u~}sGGV53=PG6LP<0Y|hg$uBb&B`(=
z`66>?k325;&r}nvw+Ih2eRf2&6NR%<c!jy;MX&{Q9s49`2<A%ofIM)HRr<kk4(nzz
zTmL&40e%5!$FG9b?6ao}E$Ag!@yz!YCufP5tG1_On1c`lG|TQ;EVG%8Wkx$&SZ0sI
zJaov!KGMLPIjxC`5u<i7;H8#>ahcn)m&NG+WHb9!_$CZltwLoCbPyN2$B%u$jcYO}
zWpWsAuVXF6<MdCswjB|p-4k@#%VAkfV0mbdRO;Y1geYcYDWb6^g=p%SW$AON=q&7l
zv#~G<faHPzpWW8Td{>)?%7y8kW~GJ>lHL@IFl`1rHRR_&HOvItq=T~&g-w{6xAge(
zC(P8|lZhSllG`(}oj!Z3NnDf*gc5Da;0p;b!3db-dmU&+u7(9fo58!3Nhz+vti_Bk
zAbh*C;VBHZp_MsQ4c*$D*{;0|ZO*)f`6Di=+AOnQn=^Z;($9~*CA&qY_nrvT7z2q6
zj!#n(_ZwG}ghsv~lYEcD0%0~*1lpl3nAFT9cm5lwo=uZ7;)UubFupM6PsWZjRJYOv
z4m%n1^s!#3*3m&Nt!$EscCFT(WQmM<tSvTyZ~?S|>y0T}DWy#AOwC(z`&XZbdDF6X
z4rW+YV!Ja{>(fb07c7~TR6$sSW=vXr%b53KEb-d$Gp+^%(wU1IDWMsLY~aHl+-VJ~
z4XhrOQm&K}_KL{GS(L^>C}aMOf-%3{kI6Lj@JA!E35c)}BGTG1bk?Jy7<<z*0voiO
z6)9}*r>FpErX=<}ohc>4IYtBKo{;W%8<XIW6C&*hkwcMVT2(>#K_Ps${t00`8+9A7
zbQh9mnt8|P`Xg=d<u<Igbex9U5GL(KtZxGA;HypUb+C?;T<k5(8`gLBZe<sHO(tkF
ztgn|_xT?+2|DFfaGoNyUPuBe&m_DpGc&XOdR}t;vR2iB!>dFZ1rrgAF6Gw&Nag~bD
zPA)tS+TZY!`#Ij8u3F5lx>xmz{OYkawpd~TAq3VZ*gWpXW;<UI%1P*-mM3{XB(T*|
zTH#LZCpspdR;r&I^dlbM7>N_L<WRm1l-u#AY3U@X?_opY%G}mH<1pVW%+C-PAwq<I
zNVx{wA-Ug9;}-|dR1z`vXhMm@6`(=N+dfAjjKgVjqn1hro0@ml-H)!)o;f<AqzMQ|
zBctqk)ZcXMqqB2^hq;v&9BVb!YFQB2B_4SLd8YX{_ZG3ew!gVOBfmY^)~_PA*Me;p
zA@<X8dM{2_9VCv#V=q0vOVdC0vgEZ?jhIZ=BAW9s`UWkR#^K818xChLP#<FQ>6i`3
z6ZBGPCVMk-RzNj5t|Yqg*_Y~qX`)lm1*fy#!QL+mzti*&YxkR(81|j1gR+C<6r2Ui
zm@V?ILjod2+dhnn?$~Yy+nHc@CXPAuuB=L|AKFP__y7R%JD(1=W>ArnuOQXsYnYX;
zdheXvUB{h&<%`|fFR)ed1CatP<=ouxFR{iN;#rS7t(4|i-C;dPkp%0&_Byvd7iu`&
z#06VKmXAfr;3z!cDJW$h`>{e9s{tE6_>>N4#f;%6#OHxSj$(M5WKSAV55?GPcE-$M
zYHzH}AwmXhB>{t*F<ds<`gSY}={dOpr>pTja-QQ4IA}GQI4$oNBvqlgO%?QrN6s7w
z7!@=ls|YE#1rN<8><UA-oHPgh7)$Xs#V$?L+DaIQR#ub>z9OOk^pUJ@2D6CrK1A7+
zAtr_ZCG<OU+P<OU3S_ZJhaHxMrh(%9x-`{knJS!`@1UEX@L$7*4Z!t}8Fp^&lp%#B
zHd<U2_Yf(La=fzYpe`CdSSJ^e64^)EmSywSyt5QKyqFoSuC}xLk*%&fysG84y6*F|
z#r|<&f!)v-*N&0IIi-XyE)>Q)?bhGJjuSy>h&o18ObJ+ep&&Q}LAIQe8$L!Evt;XR
zrzPrv;eM=I9oDTHLljj2WPe+)S-TXb5b2Rvc1w!1IB<5Z?l|Tc6YN7eLzg7D%q$Vi
z9C-?a8FYCdl1a}*iQ*U{k~kAsCJ^()54PJhVdq!7+yp3WRSx~q<d#g;hiB)e4r=Q4
z^zmAE@j*)L#}+~rxAd~=6i9(%3NOEku?|N|FTC<DDUKSHMOw4^M1>A7W=6{|ncAMV
z<(D04TYk}tLtB2;Y!Bik@SNiKr7b3hQ34mUCA6_i{jSUEONS7}Ckn#AfgZRI5N8PI
zL&t)o1We}JrMc|M;L^lYm#+X#wZq#WmjU!BcpPNdC%4FeWKr1)LE72#i)cauO9ehi
zrO{e}1W<!H?+1gcS#`-00Vs<D7}v@sVMVbrR*BV7KAT{_d27}qG21Zzv0O9w#IkAt
zvwaaZdnWhbQKPDkI*H=!W}?s$eS%&Sd&iuhv?aGm2Tky`(X+fHxDEC@LYUhCx-2la
z!Fo3qP8PgPsZzHA@fU3KEfVv>3^YS52_P&p*p{cc9TYR)$8LidY8gQ#Oul4BE<XMD
zv549Z1L;N!<$z;MBALLBc+g^f0;h=3AJeR(65Avf5{-;Uf;Mm0)H0K~rL8|L9V@D?
zcTH$*XIsl!lEV!z(q`Lu*n!)gb>k|<bF!z*=ei>eKJ@>U_Px0`ILM%FSZ2X}=1Pmu
z7MMl1Ds77CItYS2wJJjeHkX2boR_<A_<`>Y&!nq%XOg=!v3=*}t{PaDK}pBrVy_S<
zu6<}%M5q}{9hVCo@a#mna%W)&&=Wfgz?4p+%)7kJ%#Wy4FG?{-44(OdT(NSCe0kAc
z^U)q)49P6H0*??)(y_O!Q|Pe{*N^gXefcPMR;F)(B<_2wNP@8Uv%{++vVcr0E#694
zNY7SLMnv&t&eD2;GAN!~F~&=%<NQ&jWXX&4!3%827+Ge^TdGg|4#Eu@>nkq1H?sjx
ztjmNf<Q~hgT>@?gd1CR5y%4z$L!-@FXhTdSg$QWC=3IVW?ygh%SB$zKU4<}VKIWlK
z1+;k;0H6)he7Su{r;2FvvdgW=#JAC%%PrDo8QXN)6@0=7#CDV`kcU9}MH?o-P^}aZ
z^QI997Xu+l#Oko#gXWLYxF^Kk8$joqZr)%(bj%wV=78h$PnkE8O(IeUbqI_>y8FZ-
zVFMOsijf-E<W_tc)+ahzVa~KsomHE4{likq;9*`&{0}<?-P!Rt{lXi1{ihVJW-*hJ
zTZ<HO-(hdu$ZR~gOelm17KNf*C<NmyAeVK-h|>yj*wi3@dpfyPHLG4vC)pe2A#nB-
z2!c`E@!7fIWhN>4+5}Z3*vI1JciB*7gD2Zbxsn31obe8@lY>Z#ulABl3YFUr&#;Ua
z%J!nHR(h5FhaZ21vVPSXc94ChAd-9rRwStMV@ue0^5raO>!IBdb#W-h0^Qfw{$U7u
z(7alm<^^u>5iC%!wVA`mQTABSNL-1OXS@%mDL!nLkM*jM=hg(xF<a13tu-uODPAFp
zSF|yPpMzdV4<XOOB6-&P7Vrs)7#^^JO2{NDW2xa7upo~>Wdea<feCq-%8*By9pr%`
z%7r}ZwdDm%`tfG%f#FvG?A+9^%<c8v8ztzQt@fUD)fURL4e*je6l3^gX<|<%cM7U^
z>oF`-)-OVBp;mjc@NnDmN`xXxSH@ZQa<OM<U-*BUN|ZgEY;!w67b~?4J2{=C13U&O
z`L>v(6(fXAB2$|CT)AP8nrN_L4}62_26WnXob)hN)jETZ%YLoz8);-w28+MNv&}G&
z(a2U4_X9QdNPoi_It_?0Ewz0H70|+plpzp~G7JE%tQTY+TZV1|eUD-rmVFgeCmG#j
zLKK)uj8Kk`g>=$-bM+X%49tSd1LST;{ZVzJraT{VVDR?l?P<hBd`W8dNiWQwf;)|j
z409YNZDqT_C(;isT3ZBo`qVsH*o#`h^&xFoY%msmz~!QUf$wHMtp9?e36g^p78&Ir
zedMvk3j%=(MKxO>kZ}hz6|~Zmn7HsDT(LdF9w{5iD0-SYVOmjZ_+xR1;tDmFX3QL-
z@M~C5jnyX<LW1EMT<yp}l?2{vEZr(O?V-bTTIg5s$f_VMI9(WIF(8n)8sgxLC3A(1
zYb?Nm{G{TG(0F5SVs!Zd-rTiV<|uY)If7q>Bs7hMzC!RhT6l^!q@Y~csH5(KhkfPp
zi{pO9mrNj#rpTP8;Xk-X3wqUxbTY(=Yu54nf_Wf95F`Q7alSbs$QuPA<idu@;%}>0
zM*(`3CmV#~@?#Wx3_z@Vh3#~>vnlieHl~A2zpM79tDuG|D}+m^S=*OW8uHQ_>Noc=
z`!8l8NJ3lz_12&5x3~bUWAR&`o$GUgSI)adz%fGxUr)Tq;G6wXjI@5Vq_ti2vCtn`
z`bARsW=%QbpnNT|1ysrxrw_mkmv*f36^EoKMd@JL;$bleUUU>9tjD-xslY8zLfKw&
zsSLzUF>iBz6F&c2Y%|^;^Vu2WO<ir9v=Htl7j2A=paPmLkx<|{H~fplk}{cuc&#a9
zJIup6k+G=F1)Sq-7g>B7jx(VhKcvpkSaDm(*-2r8!I2Y`isCrgx$cQ0C34$AMsx0M
zVgo~$^tH4fMuooYRm(ik*_p9YTWNBgZB}eX1mW9iFWBgS*pB(PHbF^H&GCh!q+YW=
zDfR&u77FkaK-M4lkCnp9=7;h~0_V$^a0Z*WA4WHi9a~gb)<{VlAFP_~AhWj|d-T*j
z!ZoyLjZ8zG>7mG`fd(X|`8qbw=%FR89VAprFuW!;_nb*b&hqg#^JG_y37oIM_ZXoR
zZK%@x-SZU}g38MZ4%f5mFkb{QR~h1HrM~g~fq2~+fb&`|Ly)+Q4z&@2MLypO$7tAu
zj|EjiX2Up+z!p1Xa|rBche>;j8tM)^3&i(2%yUukFzOrDQM`zWdl{I@9lkj#b9QdP
z=iPoUn4Qh>I6pw&V%6B@$YB0k!@T@dYiX_&^-+>gAK~5S<VXw;5yJy{;`7U@LmRzt
zd8Bg`D)yFaLJ-CE!L|a+%QFa`Haj4p7j!LzdCs{$d(M0SW=1fjd^AO3_Lx{n;@Mwg
zFHV?FM?Dkb1_p~!SB7jAknFd<{~vL010Pj&?fqv+0s(;u8Z|0vu;VSM)g}$Jq+rQF
zM$hO(P(i7-mKJMmFKvBE6e|KcIW2R?QQE7$-qzdN*4}Gd+j?6|@eLD@6Of_-L{U_t
zh@2t3qYzQZ|NGnf%w$ls&vT#a=kG_d&z!Sg)?RDvwbxpE?Y+&)odgeDFU%XkbD!~5
zDIcD}mHB*qs26!8dvM864Zg#6M_YV6yY+~zFJNbY5j?M-AZF+d5vHh+tS&A7NFZ$`
z@MP0aEHQcvNsLK1P}RYn%mEN+jU8K9e_MyKVt7Gjc&%BKTcZfMHUREhnIkh6)gW>n
zLv>~}puayyHF-VhHS4s>R2(HAV+!QaJq1uh3A4r~jdm9iWPFH&2*^Rk967YW21o}K
zUW)|63^QSc+K96z`slAOoY`SO-rB_Wv0DDFPOv$q7OK!$Ey+O-q#m5GhafQ4mY7%b
zG-0|LV(79bn1)3fjRi%DGFk1?R3M6wk&$3>1(YBQ6E4yk=PlE&*a%ZXy8%(hlpn+U
zbt1V;#nM$@2lUtC#KET6LG>Cl`_`i^{u2l=T&+I3o)K2K3scVkF+7Ijlob=rT9D#(
zoFW|kF}#xae9>V!jo=XJG9pU#3UhfPU<L=T7#BnX;TxBqkaaQU5%ef*2dPDL55a1F
zqN|!UxF+`5@tM#<lqACo#H(p8c%9`5WfixZ1vqlpDY<Fj^5`Qc_&;8qs0Ax5fxOs+
zh7?+5=j5gk$}a)5gdq7ti2NFf|1ZEd^A;X-lp<!A!?mR4h7{U0B&En`L?}6ELdrRa
zng|@Sk#NeuoUvT05MhHnvuj8jq>K)L*8-XUfVCf_TS-Y}PR`S1(@>*E9!VdfRf~Ld
z((^OJIf|G4P*R2NfyykGA)=@b5hX{VrGr_;YvWtNj10obhcASqe^j67upTuPIxi=X
zIKf{G1q!e-hn{j}<bgg-mEH!LszsTdlZ~>a4%0krg)3*1QH@a8qmM=U|NHZ(MySg2
z_P_<9SDHo;kjH}WGR?=VP=j^tpAh2t(UsqRNI<VX4#8M3RMAJwAYjI9kh<JO3kr-5
zN@_hcs3T`H7*%yS+3*e`z`&fw(0onnBi6F0h?rqljz}8Va+;M>SkB^dhRJ4v-Jr61
z)@Ra@gSfEZHE6@e&|1%_tj|r#j5<RUzE7(YorcV!F+|xk#4tK`mB?dFyqvX|v+b}>
zsMlJMgRBi@DMS@4JP-g1@Ano@V)8WR(I)iPnUNlAEhPZd>@V!032ZrfAo6S;K<}+F
zMU2<_$K26F358~1Nzth5@Xf_TMBKp?YZa+F;$0J{ij|?t`ZY;wm+Mb)cKB{{{twZE
z?@$IuDW(H3cd0>{bMo45phlYor-#1t(dbH>2APlGt}~8vkih~k3}lF|Zwi^!*9AEH
zWX35lNY*tjk31<DgM6Z0NMXE$@&Ic%C2I9S_9)g_cd?dlv?!-=Fhdwt@>mrZtAHD`
zXoPi01#_h<fdqV2+mC5tESmT!BjK1hjMs8I-jYGo&eF2FjtZp+AvSVhk!?Cr5rS-J
z!JEs16Ad3_&{M4WV?KUozA1=KfpFc{`)ufOtii}$Tpz~c!M<mF=mS~J!xD!<>HW)-
zGWQ;L&3)fy_xLE(Zn;xOyrpQ^(54GAQ%){2;}Rbo%i8#9i4~y;@6@^>K+Yoqe7qJ#
z@QBbVeRSj}W^<E#v1qbEv4Av|RAgxy$S}fTi1&7_iHu`EAZ+{wM#KjBDYT1&m}lb+
z4d|0l0JJ=*(8kQ;M7rZVk|&Bitky+yDs^3uiHud3dbGU(sYQ2Dl|}4f_+10v2V9F<
zLWM*pZDnwnncVm+$tZ%DC4zt&tC}(u!$kz+pnclXKt9|=YFq@5Ph1n%Rym@yqfwFO
z%uMWoWA-*+$sdK|_URl!n94;Exo?AL_SAE@Z^Os6-+zK2e~4WX@!I$Bm0plZ7$2^N
z2s67S#?v%`=Qc+SP431$mGjeThXBN&b6XjIh90amq6di{K}kc8*O36^3LLml%{XwE
z1d)mZw;IPE-0$PQ6&{HfGDKnB^tC)uRyJuJH49OUzT2do1I9g=s5Kjykr9?Cb@Euw
zZ_14Ov~fi3Hj6=`31){GDwZbH$8s=h3(THbC=)F4{@w0OfHIr#-R4y-RA$Bo%Nmv_
zO_|8427@dOO7>(PA6GW>^QXiI?qCF>^R5d#xFQeENoCQJQ|;TDDD}ha$5X^NV@ewj
zUyP5in?Bj!^){dqR&9KI+7+j=kVI=6j0>C{gk!Lpi;rB<yM)ng$E&tE@3ig4>8jyo
z2%@h<UgObUNnxp28aC`7r8OYIH7jRr(};H5wD@P^I9gzgMR*|bC7OjB;u+17lbSZu
z2#z*=%P(+HBN=H2V~=)>c#&F#|Gakl`I(vcI-%_@t{Od)@eT&)AHl{94D|=mMTHcj
z!eE`l$^B+xhtpqCujPT-j;Zw-OmE^br~x&1%ZY618=bh(`6Nd~@z&y}7}M`4mKw+z
zXCYph**4g|lQDt_MR2KO9Zdt@Hdf-60YoCR3lV=gar4+_l)>MsXbengt<Y<apkC1)
zJ7>W7Dl3a|)AlN-&`)GI4qBFc4G5SXlKZ{LWO5V#K^`V_Rif{r0)g`;56;<c{IeQT
zBUTv~E#h=1@gJJp+lYZzyanzF6PdvzvKg&}#rijgS{PU$SI7YMGcL^1AECxNs)Ew^
zXm_wc4#1o3+(E8kM0vzBqfUWsd5zbQ8qL%K88opwOe*&ow%SZ?MumwvHvP~G2=Xc%
zjMG(9nP|dfvAsXOtj}>$fvFU?#10Oz&}3Ci<xuGMqyGB%L!&s<R9S$Im<6*;$O@oB
zT6m`pK?Xq5at*Qao97aku5p6<ymp@nfH>Hci_exf(7vL6D6-owI*t#b<3lKIOeF&k
zv9@AHCu@~Jqv>Qb6e1>-npuyKkkXUB8Y#7TP<%u$85n>G%s;|n<cT$rCTvLCVYY12
zFr1z>gdn~IYbu}vmh4c2H`Uxn3*0ssW_TR5Nr~2&ptlS$w%MuVgBm6nq|HPO>a#*7
zA1I)SAuomUq-atczpZHdAg~au!<smS-8v%%t%FsTEb}<f@$?$Y;+7c1`I}FSjkk%|
zuwVN~q3nhfS)#LOLAehLBmprpiUDQ_jz`6OD2^o`Q#|Z1gNN74XQ!BAtu`r;1Qhcs
z9t4Wpy@?p~1r)*EXNZC%#1FHZqKp*U;psJ0-{1&?RTzV0!x&_=YTS)j!TO_Ig-EM=
zaFU5GSg4w2C9v4CWVWDyN;~WoN&<f!PMvkKeyIRkK%pdb`W0iT1+*~{C5A~*ju^xF
zkz&@zaj5hd@@VwsMoNx6diQ?v>`@HKL)d+^26?d7dD2lC0eOH%pDcOs^yq6Jd6eCd
z2TNU$Dz_z%40a}9R{Y4r?k<rBrvt}j(_9l<tTV0s&imc^3kcC{Qs{$LX_-J?;CF(3
zYN;K;_@Oy;aaOmnwrwm+!I+@|6`(Za!HL6@9EAaS)?vaM@;uFu7KKJ|P7qtBjJ1dl
zbF0NXix^ArSX$Cx0S*0V@+^~gQ}o4h5_wKXrm%{k*h>@Wvp}m&sHco{=&C@UJcaVa
z&Jji=v&7M4wBQKj*`;Wbd$1X44f1&Aso=B^pfNTh{WMXZ{E%%z$cY4*vK#W~<PXTB
z+?G6?YBbO{vWz@fUm_0%oQX8KM~e!z8;LY2n)LL&mqVAPObKBvm|G&T%t@B$lv#d%
z8~1}%NsLLs2r|Qm7L<t+(1%D`8JK<aQDBgv4-K>D5&Gb`QoK0l7O~W!twtIdM47b7
zx($ZTN7JXtY@#w`#-<Z}tWAgQ=uHYJ^iZO>1jY3u2_(t{^9%%1eGeH70?<y}5!;ze
z==gY+y-)*ARYVrME906>S%%co4D*SMO1n^FvBb>Nbz;*%dZO4kxZdQGMUP6*Bf5}b
zfUGt4q=0R$&w6HElej?kgia##XYcpUx?1L7$iwoc0W3)RK}|^OeE~73<rJF1ei>pc
zC}KMS(wdG<O#a4nw1u!;jB~|+05R>-IcqzZBTRJiBiM~47?T1_;WU`C*oZ_mpnz#h
zslq?0pS3>}fF`YX7MhTRvJ&bSSdaGr6ZZV8{ImiFvb;?N+8+uN?ikh-+J-U~R4FA4
zeJxkzn?oqg$T3kT`D%HGNPE>(Cr``UlQP3mu~AcG9ukvlP+-hS3nuNOyXceDF%vtg
zuM8R_9+WgTCtpv1HLZ~eYigq$nIO(4(;I6?zN#e~ENq0!GgvUk?6~dDX8e+qGGCV2
zqAjfqlo#19%MaV%@z_nLn9vh_W$f=aW(z-FH!=Y#86(9^0Dcpj<Z7|<RG#dp2J6g|
zWSpUtv9^{d+dw>F><`7DT*G-cvNaYp4U~Yxj1sYoRiXe!Ln-zQLjvq1^BR{JJK<zh
zjMpMCHfun05lg{9geb^Ia4Ok`(S7=-EtmShLIj$#YBj{#b_@zMnw#AMspt?CE3+*R
zJ=y%&K1dK4y_rC~GvqRYMi*pmAM(8!znNu_&znumKLXU!N?G!>($~XirLTEft^5G3
z<e5>N@vBIG0=Jt&y8*u-`UFHgL(oW`JZ!&^f`G4+^%aq4mHDA#xqwLI!4@+U{4PTt
z>^+qyJLC!S_K}CY?S?$K5Fn4@PXh8V#H1dWt->E94@~oq$b+Nn|A0JlCmco|#m5Ka
zvG&a-w9-x1M#9(`lvAN!!2=3;)`~oaEIbvE<yHF$vY@}<iP2ZcV!}^scDPHFF*{A)
zuu<)db((@}aJ483XLI!NidoBB<Dr+aGo|1Xg%aA?l=<{nY!c+Zv2`R<jg^xlk+E<1
zB=Y3qOtwHC+D67%69;*HA8oO0W@IwucQOMJ`lp&8kKO;Mye}x5Or7VNIE;ZkzqNbg
zn6YdNB|Dxw39~m?)Iw4q`!^9jy?uaXPIR{q$U3ZZvuBY=1npl$L+dtx$#=PVlC~<F
zQzt;oFoUITx%{aXqL?8>m0Eg~O(Vn843$EON2~zB>4A69(nbEKzTpC0c%k94LtYc(
zojO+a1d?qjZW@ur#wF&+g7*pE4JWEV7WDlm%KCNOj>J!d*dDn`8*ni&Ig7@6Ihk^p
z2xth*DB4ttB9SLxT5?}hF)atdjpRATxcbZ_dLLdmn-6kW2$j!RI&xhiO;$NFCia@M
z6<0ah5B$7CXV}#W9L5<b?<3r^12maQNZqrukBKk^r+Eh^(}eN+=^etvP7`v;ynR8Y
z`D_g0SLCpKh?<58?^<z}{4x$1gA`t9pE1sJp1KD~nrW6jmHRuat*PKag>w>c3I-5z
z*oG{CZa$Im^F_-j_)F<3^QRy_3PE7$fns<p)Ud_T&rsmxJEW{3i)o%+3CjYS9Ozw)
zSwrpXv^kRnc+88;r;oDM2{b_$4h)nWP4c#jXd?O=^Cj@eAbDj4g7MlHb0xL>8{`@k
zP(^E!%B2M_j2Sjhj#we;5Iz^;oWrarf`8mnWGDSQj3Qfx9)TiwBzI~<2ZYi5`GD10
zpvl1tGPC7;-J}hl?D>_pAdgG|LHJ?`0@@HS+X8|Ze}EZi%q#@NN#U@POVgL)k()xa
zsc|A-A)F9oV4UD@us=5C$B7Eyd8c_IAkcR$L9|g@;{<{rSWwxvJ<&aL^8JYrP5@%)
zo^n`wBA77~fnUHHzFPdp9B&a~ih$`?Vs_X8BX(uLFoIT+2jbX)uu^PcwKS0hpOnUm
zvM^TYuYLqnk=7<q-X=&M_E3a8K1za1S+SZAX22oR^>At!N^GJwmV-Crs4)(H<W2Ok
z{l9)^u~ry~a2Hxt30|7*#ezp;WjnJxOCq1pk}<O0c#;VV7C;;5QEq?oK>NEuMPph4
zNDZMu3;`o4q@v;9X85wdA5C(pmP0sXtad4@&Xv}f!PH<~OqNU#PA6ZvHFF#_q9rs#
zNV)sFj<vbz6c)A#sna16il}3w0Sl;~F2?R)f|A)HVT34`@C#PL3@yy@KC)7VKy_1H
zZm~tn2J2PWl%O~ar=?-s_shYc@mzMYxS;he^%a4&&PK>HeJOy~_@xwWH2_5L!{8K6
zdD97YWZ>RH`^w8Jty4(09i#+~OT?B58I|r;yWz1tv##|_h+KkY0;!%j`%f}6l(xaK
z{2+-OxRY~hIXlfvV#b)Pl|Xr>2_{@tkzgOA>`gPF;@jd(a>TTAHjLu&bgm)%e1<%(
z@~z6(%&s=!tQh{28DxB{9OQvz2=cKR43%|qx+1rhCFI$HWC9H38B{JMYKtEPrz~qS
zy9anh&5(v;>I^mPDhZU3gtg;AgWas)*xBtko5d1<$`}kno1p+P@r<-(4#NYMc7!Q*
zgd*f?WS3VemZwVotdV#}<EgKfI|!P|3ZfnpPn}z-Soel_>e8xsYSPH2)VVeB)Z8&m
zsYwk@sY@M>9iLusTy(*GyiUgej*>2NI?gRq%Iz&pi`+kc^D$nOfAh_O-*%|lIrIES
zj)!&59qF9;$J@^v#J8&J_I`I9Y0cb=hF-{*F+4Z?{>9{}q|OPex-L)st(+sgmo8Ye
z{^zCbysR9sZuaNMSnia5?a?wljdV(T{`<enc&c&E%sjTNfm~I`zj93t>6l^1PP>}4
z;lJ*D=Sp&L3#zH^ss-HWbH_9tMy`8=7dHTMl-oX0kftJ2E{5IH$2&9NfpsAcN#8u)
zNgW@n-r>}D-caf!&n*ja4|KRyhi5m|?+xFs^TOkq=E&rx8Hd;`$5HWR;oCk-?K)OJ
zo@pv0M8HYD))P;~xcQM7iz%f%>reHnrfNT?BAYRP50+h5si)eu)RJUdSv)<i+)0fa
z)>!Xfhk)GDSj~3RgSt!mtl#MH`SEi{xEtn<DIiGS`Q3b-GlCQ7jS{gX+1<ct>ka<C
z`)#?byJ609`geXN@#)F5)l+ueB~E%OxrebDlx{wjE$Pj}dYsI)Wlr+V9;bRYkt9y_
zs^sfE$pdBAWk`Xs9T-`a7(%geL+d-Q+mXGNabeHj=gzKqV5R7Rl9uVZ1K?7=gcrt&
z=7;tz=@)Kw_?hYq|7}X?p{r6;LWi=S*LUv8i0<=BS|;empVmP^kti1+@tRUPsUQ5=
zVo?xyD65nDL2@d@)s0h1-=nVgvfcJw)M8t&mG`~uBfQVupJ2$W6$kD{ht>rr<a6@4
z!gJ4sqgEqaS+&TX><nBUUY;t6aLD93^(y)Lcz!o>zghCY=fgj|6H+f4!+WQi2*@Se
z7WtJX?kq@c^zY^{c88mxH7NAk)$jDga%5;F-3lJd=f}9n$-FI_AM2;b`LSY>N}I1F
zc;szq@JPP?dYm8QQ1ppaHXqb5kK`K|Jd$sa9_Po7A{lA(4Gtd3Hzar@-%vfyk8%6L
z#2TBAt1ZkU`Gy6L<U3lA^JCl_F>#E|R}nmt@7Umxe8=f=e(ZRX2AdB|n@94U5ImCa
zL_N-ros>>$Y;t@)N6t@lY>DB)BPC7_9x1^k&l8>bu~W4vjQghQO3VdKEhpJaR$x8u
zdz_UgM|LK3_fPucp~Cyaq5ryzxhG*HO%@QpHB!k7=-*Kip#tO?E$G2r5q7y#z`QU5
z%}O_TATQP$IqE!+YmJdWuyIF%m2BLDpt=It))+Cu%}H${Vk>nhb$diz7lT}>6Z_?y
z-{^nI@QQ_~uajTbeIaBH?zL2<MkZPT2|RhpD0l+V2pBop2xwL~0+E%DKxM@vP-VZx
zp!0V=c!+_*?LB?+Bsw*Yu9X@6%!#^BeySwot=pW^_aSc#FF2I{S;}+SXSnsd>J<={
z3x(1k1g)OADWuihKf;TV66tyHt8#)}7|Vm-&<B1^4tysE{^T6^(^B_Fs%X;OP~&9o
zjnwc%*B3W%6S6t%bBkZBE4x$KM~g~wcd>)&S1rITFS1sJpq0nD%zx2bp1{*1p8#TB
z?{$7p%&h;lKhV3>&eT#}M8S1?MgCWR&l@hmRQI9OV8f27^<g)|SLh`?St$)~a$$kq
z((x)yjCnqSdF=G4j_3KP#!isXD91;RicYq3WMgESCdq6GRI_sTF?w8-{a*gJzm!`k
zAM2-=mx;6$fNJC{_c?NVhe&DGUH7wikomnhoEvRB1>g~`0#6=j2;Vt@7Oo0^uk=wz
zcOE5GBs?s}Wl*sy{?+KypX?`96Acf8{N^tgEbv_8u9;I++ZJ9}F`(wIVpG~a+D6+#
z_1@gqoeuO$A!(u+d|W5gGAB?cCI;#RvN6CHQY}E&#9-7-3<e$YsbgX=<R+RC*O>af
zM%tqds@)E=JzT{kK{7Hw#=`C+`kZ{KCO5U_^^b{x{(-Cx^bcAOxD-(t=pPe<AvQ4>
zVH1M^Hqpu63=xF?xI%vS_$~05F!r5u8CJ=IAx>dCVPAmN<eS{)6e~}9!wYeHF*(U_
zWZY(dEm2qV+e5wCljv4~ex}=D_DRLD^oF>N>HiWc3WOgxsBJU%vn@90*&KbM%Hqji
z)x*_+R-dz!NgWaYhFaj<(x~JAgdV>(k}vZYbtoXqM*j+~k>ZN%fI^e`rC@CaY798u
zPpn%6V<EAGUkBIP6T<`O!-C!_kU8i-ntr){SZdP`D|3!O&#@X*PyW{j<YoGYreE*V
zirZQ)4Y2tCrWJEbkVcNdSGM+TDE+^rA9w#I(A$i3XiTk;PW+siq^9DT`KTF_=yeEm
zKMW1!g4;fS!X;J#5pO=?Y&JAMn?=7I{mN3m<v#;VMlXFtlFZzpvsmIQddZU~DX}cf
z#0`xKc$aCC7qxB3Mj^haqcu{2gx7!FRnmiJ>^XfNKT=a}FHhb6a5>+?v5w5Bqn%`X
zsCHLvXLw<!bL%_0s;h<bnTOoFZ-i~!$=o#AlxG47WlD}tdC7ez-TJ!f3dcN3m#Jj^
zvn{W9rQYXHE1F^NAj;eoQ5%WOkU#U%D;;|LY5G-q|8d+&->bq_KW5eIjFLY)_oQdG
zmZ!Qijb|3MzdK;y`tZW_(bNVuc18KwIB<O<FB((pCuRnp)ZR0I8@d**NG;D)4Ac*9
z(OOdL*RF4@U0=IAxobvreo3u!Pjvn$Mg`Yg-g?M%>L=;ehyz62mzp{Al+T<7FsC2?
z$<w&2>CEy|m7F{f5TCqt-n@Azx?~<@z(0BK5M@1fTj^;<Qh52GD=9TW@;J^u4$h7S
zZ}vX0hg;Qe<Y`G`W>kN)_5C~f)82DxV`xwNfdSP^Ql0HxW!0V0YERl*(~Nx=%$WUf
zd0}Q&9?OncfXwI3XnYv$xvQKr0n#NAiq&A*4*tk?a>Xbja8kPrB(#tRrrL96>~m%`
ztLir^6CA-Vmfyu%dYSZ4miz}oetanGHRvj1nXZ!6#(`MRtU-3*z~<G?N-p?er8%A&
zwGut)@%Kg`gG!!pGNu3h)(FIX#nXw@sO93efX%|KTwKolxUghk22!y;hJc2*THB&w
zXP*{}+g~qN-3{S|``BN^DakXGCT8GT7m&npynq$C3K!7UO5sd*1`Rx5-d1pIUg1kQ
zdvaOT1-91>T%xwIaw=9zk(tQM5v$!-+g7`#c3<{$h&2ZSYf$Cq#g?NrT6vS37P)=c
zU-~PJSY1Q<w$UW8r_!Zg+&cnAzWGzP9%!SF&Cy#AhzG;1m+*H{5z_e91M~EuKG4{&
zT0jWKV1EFYHxV2$xTEx)JtI`2$X3wuWJmE}el6CY?y%&0NAV!N&>tsretG+WQgbKS
z`DMYln!ufcZs?rw!i3w8=h-d`sjrD~$`S*Yo7csT7KmS~<o9{0#--(P?hkCNUov-D
z^3dRL>*G|MJTx@iIs-7cF741Ddwm?Fy%pHFeD$R|4UBUpTfNIke+lb`{&-l-?Nv_Q
zoSyK)4iMar6S=|*-wiJu_XQSSDs>NqHhJwVhpbq{<}KIm1#c@0-j<uUA*U|tJE<ra
z;zf6n@^(E*WxRe@%fDc#Bz3Rk(ghvGLxm6hG4?NTzPMX(KDK}k0PY!pD>;__5*I>+
zfRVf3y|P5zIXO6qa!1N61ve$QqPk$PHXD^*9t$sQ%e^kkzpgBNU2bCJ1*?D)tX&3H
z3wvb%dzFQKq*MP6x1PgdwQX5VpumM_thVrWT6k~%Y!2QrPP!I&8z4|wyzZJDyc~HJ
zUbr{BaMWitX8EP?y7nEy>%QPEcn#hPuerBikhg+$c>rr?0PFhjLY$w`%J9NnpknZ+
zOf_}acEKj}`<b}*iTMn*Y&jUA`zwSiFf$mRXczBa0}WhOMD0;Hz>sZZ(DfSI^)aUF
zpR`?XDDX!V+)sv6;?`}`nDY*s-W*=AJHrmBcy2)54YCRbRJgTS*yF}GWoO{ptBb?#
zEWN(<Db-pqc)@$e0F5apgF?&Qe&tSTVwqpVFvJXB#1bMNfJCG+k-5GmQ}F~DnMc<o
zGLhBsbVVf2{qIid;_^5{b|ep#dZ^){N)Kar7@0mMc_0+N<1Z9UZtcf*AZD9i^^RbL
zW0wXz60X$AoV}n%BkAPS03|bz;nu-pZ`mo{J^6<HBd|4Oi4q=}uBZ(!d<Mdd3meyr
zsIcOK^z4I0P#~PB8>i(QJ`?7)6%ww2FyqE!XB>Zi-QaiQb%WQ$Q-clDJIO;;Ef2v?
zRq<rDs;Pci%P%E$oaB;_sra>0j$evb|J`&lb)0&G2k#R6aU27}gXwW450%*;84?0t
z#{h|<>|gqRo1tj*@%y-GypO&KTubTk=@ZivO5$~uO_|A6tI?4X><6oBDB~*8#>}MN
z^hJZ?bxwJ_ZgM4_Fn2sNDzo<0{e_^@zjjEtIrB0!6tH&jjuBjty&`-^4<ydqNGQx|
zvYt&=!e-efz{yQ-_NUYtwp4^tO_}DJ=@hM`D0>7Aepwj{FI=m=L@Z;br>p~~tKxNp
zZuvmLY?69M!<}gk8Jd+uKz6Ng>NNXkRAfQ;3No$?FJw@0Q&f223-NS9b5nO^ye`hb
z9sFE)p>8NBKd&yaj0v%a`oarYKJkqtfk;asUdN<#<FcZrx@dV*UCDE7Fub6y@gTYP
zhZk}$3KeT0YqpK2o8K;q*Ilc^z45wH?>TkN%YYhf=ny|Q#M58a&vi`Wlj=&K|Cg%5
z3!jSD4QK77O<>TxQ%4@wF*K^xySm{^!wcKvf*@WO9T~4HdCy7hm#~f_f7EeWw;cy4
zHuv($NNjSx%WT>c7dI+Y%8%FG1VP7fDAp1oExhn~!FgUC-{}n1z|Xb=OhWXgZj?E0
z%2zIWva0C(x^b*G7)Ivf+NSzv!tSMT7n%v7Ex`4T(e5BF+b`)evQRr-*u-b*HFW!|
zM3uo!>RBo_A}crb(8xjhUeJY6Oj5Q7@w)HB@EBaw+G{A79`_!!a%%U}0}*d|cp)1v
zeEBEM^g!hRECQmMt_o;4K{R{|0<NOOYDOgBNJy*$yBD$2wNIP{T;ii;MNnxaY6@t4
z9&~PiKW7~Uzo+(+WAHKXPE*}^xDXar5MlFr8CS1?S`Y+k*W})!6tV|0H~w>PD|rjT
zU*Nauc_ChR9^y*$s^DjSE>^8<e3bw8eYKkHmU=6xlCPDwJPY26W9Ux}55rI5&$zLy
zXrVT4VV+^vgyQFcafA8H7rkZmOx(xN;B859yl%pnf*j0clq1JRdR}r8bFn5}DFf)8
z3LxJl_Mzmcy2jK|sq;%T|D`V0WS5#axVEi8!1wv@kO|eFFyiC1lZ?`T(lPpVas@ax
z;$wfI_&9W$#K*=0@v-ehQ)=_kr{%@Ri-VNuc`KiVVB&w9(v1=w(25nloxvD>nts4W
zhE$0<GDy3&*n~mWf<y+ZimhXmA}NM5?v+8LWr!+&j;4GhKYsaarH%&nxwbEmR?Nj4
z<8>FB=^wu0`0aPktDB<H28(O7_iCI8eaI$_gx=f$)Znwy1DwLf74I^PB|8W~>|h*M
zF^+?Mf*MSSxMxH?D66r6d@)QENRV;RjjKTmWeCD^H|XKiMFwLaOJI6~6pf8UfdDO`
z_NNVCLXeT5NKaZ=g8+RQu0VKdzT*TgBV?}a0U~pfH%p3i4_;HfaFZrI#`r6YHA#=%
z+;3edJy`g_Hq1#6M8}Je?rmy*tEmq4FKdP_yRE5hMNX@Nc5l;PY@i)RpMrRMQI)`!
z3chWmM%}o#Yz{*RFr*T%8VuP&Ad^BwkxLX933wgEVZ$=&8UL?|r$@b&mk|LWIkNIR
z$waGwfkaI=NN=Qu;5#3pSjo|e<X8z;e{m#S9SnDg4TuG8^OB>Fy>f4@<oLiCKZ4{4
zFMK&yC=eF{<^NP-zz5Hp;)N2!N&q7@%*a2Y#9%Ve+}j;k2$Cn`#`0(QNk-JPZ~9QN
zk$noE%)TYzu)7--C3-2*ebGy_r4*Mw4&Z3&EsVE=7wdXzmTkX-e|B2tvflP?7Ppqd
zBAZGQp_S}j;Dm-f937h4sSED=`)A-^tZifPw^FIGW2clBMQbVs=pJ?_*;C%KEuQR<
z=QmaqPkQBv`gdC%#adx;tw2E0Soa4SlYM8ZMz0dG`bR&jy5|?v?HhOwG^XB^NB$Q$
z2nAJGEvhkEZ7Pb_Z){oAefy$aK)O`j?vNAo8Fl+0eo*49OrO(ixw|sb;O=Yw=gfrO
zrc7ff<gRI%7EPV<0cd5X2oDE>d!`9|Dv9_b<etPA!Fno-tf6@FsSt=GW<0qm%!Txy
zo!T3nKPA#TzdT;=H$UKRXnDT-5!RoZ|0CC2_h+tJ5EKqCoZ71jRC;MBys(Tqm}llE
zR6bF^EZlk}wgYuMdjvr4!4W7xy8q1jcJG`UGw1f!a<l9U9Fn^XtG(!gOvNcVdO7I<
zF+SEWkA{ET?o^|+4M?Q>bJ|Iw9-DG?QKFhewrock>*hW2`aLZiy!4Xeu4oz9eack}
zjCamS_d{tWgXdHed39Y6^<B4lDT^F-UETQVlD*;Z9mk>_XU;{rd^)NlSvv6_z1QxS
z5Yk(fTE-8SlMU_^39)$qmtUS0*zr#Ki$woMbpYv3hH+0*_)l-e!+&ZgeU0=0k>q$o
zs<fw!48&tpac2b=E+vK$iq%!6v!aqO6xs6{^%O5gieMp~L)Tv5R&ws}@>QDpUglpm
zsCS8?`Pw&CnWzrcyMuZOoh2@+J24Cg44*=q9Nh3GLUOI1;>EMjnr5*GJEvT~1EAry
z_f-ziA5l5|2`WDv?gmVc2JEqODnAa$F=u8mJI<;4I3NeX4OKus^5cMfB#^UWJO|V6
ze;?;HKwbmnV?GYZ#{fCbjX4b;2jmSv-T>sz#{szm<PMNe{x~3?4CIr6eA>qW`7|J(
z2ISK}4#=ki`E($^`s0B7Y9PNF$glZ0AioC4uL1H|g4{{&nD@UU83ih0ky=TU{yYV*
zrDicryc%{-V<8?Twg-*;JpxDDx0F=B%Z=@6jz?LY>>Uuk^F^jCw>NypZ%Mg8BXenQ
zYDG-P3Uo6OuzT*)>olna^TY+|$SE9=5Yt&R+p0KL2AR9Z3IAzz!u}%~G?*yZwOue#
z>}eXtk)p3NQLN!Q!FX~_k=YB^DTouHCFiFqPO!i)Et`}sIU!O1O3Pi&4Ag|gJ7wKR
z_t{rX>Chr9s3LAh54DAV%w7}}f%Y;7RpN~TeJ8IkCDQ*ypQ75Y*Uc=mHb#7(W`%84
z0B$A>00(H!#MnZ2UeOFhkYH6@*OG2$<|E$qVAC*+@J+lUR+i!~JIQsL>WHF_C)e`S
z=A;NF`feHL)G3~qF6q?9?NwCW#lKgmW(hbV6!J|%`~kx>V<%CzB6Lw@Vi>{lYJzxA
zUzjkvpUixhD4xJMZ4;R9zFV#@QCm6io61Q)ymA5``zklVmcGCX&Q<2gDV~5cl7H#%
zR(=eC<9(RGbobq0x-(e$UjrQWoWOMV-H{&y;3EMX2mU!V!g!;!9$)0#4Djm>SA_qx
z^h3zGxoMc<PQ@-n;(h?#cy1?{sZL+e{Tc!hK<%n|8!bEsvrs#`-WB-@KQa>AH&^ML
z7w!@tw%%$kFIhHOl1NWz&|{+bBBoE$)J0?DM@#N3%SLc9Tfc5wb|B9Sus)^{b0|l$
zaUv6qs*QvV2|S}tfg_ywAymaoV`MrJS{nZ*R!1+ux`LnF-sW>qNNvPjCJ~w5T_JlS
z)hR`l;{eiQl;sn|t7^Cs8>&i*k_SF>11^K*tTVvR%F^<R;tVSL7QYDmd}`WKf9(&=
zdY4Rx$^TmbUx%}z`$U5eyiWw+mYc}R6R|EFcSG~VPWomfNpJJX>4_z^`!W^F1Tvm@
z|EeD-@aX0;|2sgHCU-}%?Ujw2N%nl^hCj+{N}t&9&rk(L)U=`H5AW+-e>yk$@}>UU
zRA}IcUc%W;Mt^Tif3qZ7|JLjwIWcD9>wq{j?rp)5dfQk-2t|Ltd#D#(+6Y1-WSdtd
z($|+YVOgCKZGVG9Yxe1Y+!=2mo&CWyM6e5wwfp>EP|kGYKY5$_=aSmCMCzZ*4r?!1
z_s2$c>i36R|3Jg(D@rmGS*VyZ+DTtf=G@~X$F&y`JUC-*V`kzZC%HA0s9w@N%=)LC
zq>ojq3<Iz+>N{I@q}fdTmM;D{m>S>@!K#X;ma%4eoUFdaly6(l$7`iyB~JR5vcs_N
zw+ifASQluHlw~Sj5jI4X8g=KeTCnf<P2}$7)ch3_>R_<kH-GF6e{TT)hK7fQ!^8S7
zU4Vfqqdc|OAlLs6z8l6Pt1`7mg5(My;SA37RIQuWF0EdgTpn^}a9ZApCI+@kosm`6
z*IxSE5-|4#Cw*g?Fq4_>nW)#HwQKD9Dr+Iw@dSJ|4{^f3UVZ(}r8zue6xJVVd9Jo?
z=~V^sMbxLdGET2EW3`j6c-~zx=btqDjYx9z);+jDZM=h_1Fr|+^h#HFZrj}Li`a8n
z)IHSJ4=~A|-sb)^y5#yj?XUIEG?s;E$^RJ?O12GX?<qF?2R{&LZvwVicHV287ld?c
zjcVQ(i^A^1JY>%6HLS>>4)yUtTWH?w;$HE=GN-=1Wd{_g_A}QErE+5Y!tq`0hl>4!
zW(ll$n8+4zf`w0)v25|LfE>``wP>cPw>~@jMQ6qed{*4+Q@tG*NoXbO+57Q@7iR{W
zA%d%|y|*~|8e*^;y7b1^b|nUu9B8cH(egq;3zAbnQ@cI;9XhLDee}xr_bmdr7zKVB
z5HiySERy(Yf44YV|H|x(<(@ehpTQ9XTm18HW6>$of{%vK1}>5$;=5LMd8$opk{N7d
z2qcbzQ3KhIP}7XI3(_S^;%oiJ`R9b{*SD;ZRh~z{Vf+(#QRF;g;XiZ5cte4G;rOd;
z6dvzyC)y`{X-UX$f46`8>;3DOgl}I1pvi;d=X@gu2S+ordh6evTN6(=l`&wQ86D34
zmz>O~)qVbn3Xjl)cJWL7(mA_Q>l>@vLLF}JtkdJb4-$#RKENO^3;42w>KT4XANK5Q
z*+m#z^W<oHYDxXtTO<l>Lwlo(8pu`sQmneGwwDt#sbqH|lUR*_tZ8I<QgRpH^V-)N
z;m?5wwEB~p+~cg>8HZIi2pKu|RWKeh*UU+_jW=A=-|s-BRoLsXknb?WHGubBYzP^j
zJT!hzb7Oi^N&BJxF`OaQdt%y&@JE13q`ykHo{z${I!`fEvKExEt6(K-39l0jUS@$y
zl%qcHYS|g9Up?nj(PWmu@k`6%GoFrBujbrG`on3uQ=Tq!a`>P_^-F}0w&n%~Dd?Ov
zCTar566r}u&D!2r^^&U=;C5|SpVj%TjYPhi&c_1^IBU1KZ8vRT%;)G6t6h`5$#ALl
z|50^n33!$%KB+7*W660&*iN^je+cqV@^^N7Sy2n?HdMAFeL)G(hv(mA`i?(lMteLt
zuC1tLR3_Ss#2{=J|DVdmle60>H$2s@a<y&lnw!c2WF7^JY%Mn}HUqtW_3SN+0IGLx
zm%C=x7oGH6=z0S+bKd0OXA|{<pSkWcH!ce;K}dHG5BMfMm;*UVo<|hic#If@hwI8|
z;Z4)oB2({DQ|V#yPV2dZ15L<OtP&W}snluQsoFv!iNsh;ZgUdp$0PIjE?tIYan8b-
z9U0^QX%1sE-Bc1!f2RH@*3vFugVxMQ4XREh`G#vX_vaJ>BQdx%Q)0Y#n!85|H3h%R
zIf=t;&0J>0PdxoOEUMvj_ES#!6#SI<)XLD^UW^x?D%Tzjl%c|XIa1|+d0Q_FAT4F&
zM;AVT;}ph!(U0+3XLEu#T4UQ!PrReV?(C_b87XhMhy5NXS)tjH8tgVa_*`bjevt^_
z0k0TsjOnkI-q|>6|4qbz+cxX80J@ekLSK?kIk}lV`qk`|ZY$~3-WW5H3L+<6-p#sn
zf&Babo4?WnV6LrmC#Q!pZC>QAm~{ml#w|MM()~H&Fb2?ar+(D4*Dbs846zX`b^<-%
zb*Cd9tAFOk-&_8A=DI<B{I!2QoD82cUH%d7{#}mKEZ_CXf0&5?<#dS&Ef*`G2B&rr
z?N}m(PqV&P?U`ABUkW`CeHinJBazvBqTFTvV_N-Tj*>=OVQOiSMmut;AG(E|5$u8r
z{NiRht$(5Ucy>sjYc&t{=i%VC%EwGJ|Mc}G(T<pj&f+Q(M*LVOeLfgq+sinsn3|E_
z1Pt{(QohCiRxl@LF^tbnZOweUH+itPrMq_D<!FRPABtX)P2s*~P+ECHd+17C!MCNU
zb*ViDPdc7wr+)=mEkrLF!H$|q;MxZ8?Gz73i182Qq9Od_4i;Pxr>wX#m5gOdG42f(
zC{pj%FS}(;W-5f*4y0M5UuT>dTQO*gyGJa*H(p%XNTYbiQ<WM=CbAy?Hz8q2n8wU?
zp=kZolDW?}8nxD6NvNxdqvK;d9mCe}yC3bNpNYR_WsG_J2}O#SxLOGcHsJ4vxK-~b
zuKznbnasak*h_6zXr9(O*6yMH`j^A4KjnSA{?+EAgV5-g0KllQEf>aT%#I*j&`Pa6
zka`D6JL@du2`aEx)B=CVnc`GG-F<W)eUQ)kIDiFHW{e$9`eJFU{+~JJ#jN|Vv7`T9
zF%bhlA6kUI(sCwzRFxak!Mtb!fOq<_JW!9bTR58lIsT8n55K`|L|C$^a;;Hk(x;^R
zVOuf+E&)lLN#Otf9V0rBTP%h@ubylB7D`uf>ML-Qv=T-Rf|Wy*QQ~*{KeeCV*uSAK
zLm&SAlZ+^8UJ?}ju=eNV+CSq1?bm;F`zL;M`#-Z9<&thY-j6t*I}6A2lIkU9Jg?~+
z&lrY|PH^uV&&(K*!frUpjpy2%!0-Qa{Tt|x3I6&({i|n5UTEJW_94;XwQDd{-WDs<
z=;5~d7%VyVMG{-a^k?A4G>73~rK5IHe|>kj^&$jVqJC4j^;#a%u|SQeb&O`X2cFzr
z)ba_dMjY2i&jNj-zttzA%pfIE7WtApL$m4(_s7u^lj9D-@E=y*Lm&;H5RA8dLZ<l(
z{S@^uB~s$Q2YA*XJX=$q#0!kJ&oALUJg-48CO-(mu66~&Sp_p&Fb*_wHu`5VXzkei
zGa|SoGa&>GOJZoV4e=RVVrd0u_mIB+DT-GXg=6RFlJnAoG1e|F;}kdlzBdp7nM-?`
z@KU_M=ErFGPbHC5arR<HS5AJK-A?=cWw~yI-O+s2mU>X_-VJfB{-d=|W`0f&+~VJp
z&)nKfhHSA$>!urwzr)g7yPGjgXY8om7tnj!VRFk6y|0W^skTq;P<uQ5ueZo4;3W^1
zhg<&>5?hQ6-^~V4^uVwi=AHI?-cdtvV*E*dnYksJIY;rxW~vkWG&sRHs4;wmS0UWG
zki3EXniyW37+sXPursxM-hqMPAHKz>WVQyw%&F%<heV`2{Db>==cJh(4Ps57rH`2k
z30IsMY4A@+N(ii$+2Vb?kC4FbWk@a8B->ui%u*6bj%BBgN>V*_0~^{)xb;so;Qxx%
zc2h-tJabMcF}68U8E&0Iw?KlRb}t02(RsHNof&q|;ju$#?(JS<>G5cP>VVl~W~M44
z{$1NKq$&WJo!ohTW9O_pks9H+X*sz|EVeAh%!N<RJ5YM#QOWG*0WRAM9h3go#+8PD
zcsvD?*-P~{%i92N{`E{Vh7hey0;4r}pDA$xqzL9c%);3WIF@YF$Zbh^;m+K<M&3n}
zJ3{dp`(}MZ1o{D0M8k_4q0Fq#RC~j`-hnrKBQxts9!hUWB(q<e_YRPiQ7q|SDi2Oi
zIQ+wRfG+hyX7JqtAd#Mk;j;t#xg`18IJ^?F{ML5G2bT1>`)>LfR>-qtziL6!|2#Is
z;=KNl^lSM2$NcXA;o2By5l%^s0>2nme?%KHvTLDzK7Zz%L&=_@H<o3KdCNSrsDvy_
z`^IN<$|Li5gZ;Z$XCRoFoUmQ(eJB_at&uWbXyV??6cy|r{3R`#-I0|dVJe%(%g|nu
zxvlrmp+o!EjOaX_Eg18fv#BKnmHc)dt%MuVtuE~6gd3kuc@0G<F)tQ7)mhmB_*!Q4
z5D7M}VIC3ct^Wx~JPm0X<jm;wN-8iRI$2w3n(>sAxejr=<GN3V7f<NT6XV8d22b(&
zwi|}Z^s||+-*DA}D6Z2(rqjuHhTeFT3AEVg?}N7$U94W^xv}LkB8$~=u_8<;yg+Y5
z<QoTA!u*G&^^KzpoxAT?kj(b;O2z>nae<>M05i2bI|1V4<kupEK~eX=`d40esCSVe
z&!v3r!~c=yH@S|@1Zk9KkPCM6y0GTVbD7hRJf|JJ)=0U&`U~baX17(2iFZ(y+5**M
zsvZ|fWFCx|ZHuX$iOj>1F7q0#3+o3a7#`^A_eOj^uyDmTU*&$xL|n5$N%{3(BK2@&
zJ*j^@>XrNlkMYCF+#AszuSCXLkVI=pxVA>x^ijf#P|z=HYP~)3kjZ~n<UUeanj<BY
zs)UY8|JOc!HoIE=X~=h~PpMkw#YhqUt@OAE4%j=e!nB{Y<rCQGxYfh0pN5`h;zRoR
zbGO>hcs6*g^Y}&zja9%TFc6YhY)tb^>u;zzj9zsa4jE@~pslcLN~!SHr-Zr!k(D2B
zG(%PXu|Z2MKedKtYKPx1_v(jchS&Q_kf%<F9z4zq9y8bU^Bc1PsP0tw#bl;`f6R5j
z9Ur`{GMmc$WAoYnDflpQF~hmYe~*6H9lk??59NL(So-(&ttW;$@#Iu@CVR$*TWiSu
zs2rF;U%e#tJUGA7--s2hsckSH!3(^A(d@4X-tL37)2)$K3S}nuLaqi1jY{7YktZbc
z{od+Meve^#nQqFFVRCy{|CGmr<F`_YGlN&UHenhJFj-TBHntRVhD-P9x$)!B!UNRD
z{U_Wh4R9tBrYPhWV>(&(@gFe!aMN>u=$NLcX|fc8X?~NY9iXV^Fp%&a<LQSQovul8
zmS(=md1H^)qX1*3;JHSyuq4z~tXf7o8C+*cpCJk4D$gWKeTuN%zdk`#1V9{=+s`^U
z@DnQMH1b?6c4~0I$vr|X>3sEtla{6>GIPq#OON}ME?;_^Fw4)PB0X%nn#h!#<<$3F
zKZC<oYS%<{DtUKReE(hrsKc@iTIOv^SM=lBEd~8>U4w2AVR;ybVfeQ5VJ41ms9h7|
zewY1wS@l|O)`bVINz^|bzHJRe<K$aPwIho|@l<*Dxtec<H;{*NmI9F30$R@wFjjoQ
zY7Tf1%l&aok~u(~OvPES#~mRxnLe6@87Q(5S#=hyS`6cfcUID2pq`#XLhTA152fd&
z6QAl4Z5J8ZzUt)lCEBOSPth1~1hf|gQCAQLj|XyUV@}pMDJy^cI%BuCeAPO(U5q`%
zz=cSGQFs<}cyEm?r@io<Lp2txXEEHWfl<368z#AGLG6ZYDHaZvWB3PuWnOjUnGE$@
zzaz`uSiUP>b#iKH_DN<Cteh*Ut|+@tC5R!D><|XbZchzrCv}$vSUvav$n%VtY<aMe
zI!941+P<ZKBZt^r-IzM$&tOE;gF8j?$-4cA;IveSKNt;MXl*v5xmkD-7x%STAdhpc
z=Nk6sG8!m6{}^CP&IB{mJ<8#!0o`O~#3>sKp~CLDs0s{#nPPs1f`*D3(E(w2{v~fY
z&H{B%Lf1colYXM<l1TVZF_@qtqLuoYsNy<U=BEmcKyFAPE~P(=U|G05=>00f^ukZ4
z0Af~ooPtTO)gUhqep?`TCQ@zSxq)1x`GptP7*e4FgaIyz*RKx$;CMRGM0Dcu*&&7c
zkooqm=p{#P=m3P>&M*I|Z)*+A($BvX0EOf*B!?D|#(&N*RM>rw$}Gx7l0*J`j0a_X
zL+^_pw6ZGsouW|oXNF&nG{2{o7uv_D;>JE+k;>2U(%5n0BSgylu{~;#nTc7b;xK>L
zFhItBji+`;pERx*Ysfw>#?wFM`*p^;A;{ziUN`OB&)^G9q#{rPJzZ1-uyTqP`SNGt
z@x*z?5&lmjXlr}@hX_D5HfA%fvO<f!G1b#D2PJ-F!HgK_Pr8mvevOU(8tf<-`U30b
zQLFjZOxylzOl~x}s{2^^zw+fyG#G9<F4%wln8|h1M&q?dze{zPQzHE0ZyC*Jk(3h1
z-aP9&+OpL;o1e)8{hGhoh=*Ov46|-Yq%V<UziGyb+BFN#PY)(^<#p|#!kLDsGy;`-
z+4k?!uh%7B%`Y|=+_Wa$9|L<(yt<PW!FV{<$#F`?z0Nr;q5z(CVvmqpMaeE|8^E{V
zJSm<~5gJjS)^tBzxZar4&!%4d7%B<s%r?yN0{7_1+O|N2KN*j_jxIs3!F=WBJ`@_s
zG0pDHBSjD#s|9Cvbeig(Dm+$6ekS9_n6WHDJyon)CsMnO#1ykt#q(oNb0hwAxWRvv
ziPq>;_ZEJZT_^fg(MplYXo~p5t=JmL;uhin26i&%;gIVYc;o0~8&QZ&Mf3Y*CjoZA
zAKa~HmAbtQ7dp~`Y^^b$rB^_^w$BHJPUNkB@;5(3zn%Jo&?g_9<D@F2s+0t3E7Nrj
zhv6R%Vqmb<f^ekND!-gtvr<b|A4tAi9G<kqK9ysnB->bqj1`4%pG0mdLbDWlDrLS`
z=?O<e2RdT;t1=V6*c)!GC1dj4a_c{droUSv5mA}k9-4K%GvgKMyQj}zL0#>eii3Vf
zpVVrE)~hZln~)iNP<=&wp2(^dn+FDV;=bI`7&_E)GGwNyzg{WvWMG)p&rrz`h2$fO
zCVP8Z7SR@qvSo5d-|uA34e4SFvU>vz6)K%GN+LQ(N^r6GPmRR@FEyvn`;+p+u8@92
z|Bops$I;l0AdLWnmWP>Jt9o0?!~_yICWn(jQl(zC{s-l{!(hT3$7A?kKs-@K_U_w)
z{!C`1P{=DfQy6Sr3?Fp=$RG6$5xRl+YxeTtZqB*&<Eg(tBI$;q`k`khI1+1sHTV!X
z)(n%{Dw7pUa4>t_{1u4mXo@BKu&dQ6a|D|FUUKr>GDA)tPCD;Svx>I#A6l~)%bI;D
zux2-4&31c@!^?;8XV{=7_l<C?yxxh_Yb;IWV(tBR=vtz_r)3Hapv1jq!%hU|Oa3c-
zb6Bw+)2IJFp4+@`Z4gcfXqo)M{p-2>QDYBuFVFpE;f*a*e_x80qTRX+z=fvW%-NgJ
z+F*lmUq95_{ZoG#{kHVU`$PXOUw}?W@)=p;wz57m@!5RD5HbWIQ83(EBkRcz%cmYR
z%GTlYc^l|(GCAW9jYj$`3V?)_{_|h9Q}6sYP}R|jBV}e>C(<>XoQ61mgFGsKpGhA!
z79(@ND28q>2L*bGf8$GNbZw8!BNIe5?uw26X)yfRzd-#B-|;LT;E!pTaz)W6tN8m^
z1AllmS#GPmeO5+Xfw5O={D(ILY(E?&p(dWWrQH8z@G9K8g+h(>@6I`+X~q@;5KB1w
zJcob8q=s8G*%9&=02Z4f%A@rgXK#^#TF#+*x4`oQWS2;z;>?0J|662}$|^kOCw&dh
z$ztbQpAtO^CR#hMoV^nm=0=k}lfrkdr<2K^;~&#7GyaG0FP4NaSkInP?J5qnotv3G
zSB~3hyvZ~c>2Y#)fDyW&L-YS*Rs0c#Xv&~Pn99Dv&{XfukPhwh?*mYYg0L(1oQ5-D
zYnc7BWMgQJEZq7XJ?aB7K}F$ej!g<zTk7f5OM(EgmN)ua5X8a+h3BsX7iM01)vrR|
zI6u?)xe_L+N2!RKP*Rg!h+k<m_>gxwnU)evpXE+98%cKa1S7ogVK4Mq&4`)l1cpD>
z(XMzkCq_*z(<8S^Co<RK_INFNNh9ZAJw==5T0FSaU&DoRrspUk{%F(nX_ukpy8YDo
zJ_Ve54NJ@7Gjb6dpiRJMtQ9E8rI{N`Fmr85PD{reJG^E2CmKwP{w1{im1%Iy<PfSR
z7=kt<sj~>hSBG7!5ss?_vf_mrF_Tn#6Ry{LBa%RkskM#iY0OHRyOM1sF=A}R09P%*
zW8KoCvyxiB28N@_ZK3F5xd9A%;xnFd(sA^e5@ITLJ8OMyD^D#;ZVqv3aJW_7dmx05
z&S+XX295ehqN`5UxLJ*hdF|$bucW%MrCKY=ON%279ci>VEeC7&J!W|4RP;u*J4JS=
z#sYpK|0^%xzu$?1o*PfmC&kr|iAlwupu+H{_%z#S%rNX&8*6s!i#hh3&W9*<nrWHM
zf&={0mvi6pg<v`<^uNcBv`qaeQ(ca!6UK`8o^?)zhm~i?>cs-wua6k!M?M;!WIwZL
z!OEmCU53?UsMs92+F$T0=0w0&hF`vPMRs;Da>{BqpnzlfHAk+2%jI(b@66zh_#<#t
z@Ji-bO_YdNmJv;Sk8xxyRY)4~Rsrp!?A)?&>@inezC+L@ZCf@91HiP)8tb>u?UWni
zYFTt6mAiIBBe`ZZrtgo;1C#8@>Q$lku96(Q<`CQ*KN{dN*Od5+U+L>n^fJ?@=;b-y
z%-#ov)cQ!jzsOh{;Ij-JWMnkOasBV%f;H@kqfHFUp~cji>s*!TzkVrt{$Kds$iQXe
z0~amMj7*ND)^#7ffbQnHPGHB#<}cgMGvV%wg|<g84bZPxT&ZOKU?Bc#bXwGXr5WCq
zX)Qs*fWI`~Q%f*1JDF=L=xU|^0^IVYE4u$xhWa!iZF0e^X3I<8YPAy{UJG?b)7pKc
zRtDH9PAxh)?CD2UA&&^YnKU)+vg{x6@Uo(&K{`uhh-cV2s9)FE$q6Bc(lkADO~^lS
zU5;UIGHzkT9s}oe|3~=`)6EC+vu=jwgGvsPwcjm4Uh26zhXexrroImkQvd)O8b8A|
z{wn6Y=w;E%8|#}R)8;OZqG{Hz4`;rEH$>gJ#!v`1+Vps4W@)*?R}u4-jnzFmvUiq3
ze866fdc@%krB(4vjQ!7uh3;59b0hM%*Wd7*F%#ngiQ_!5b$nh=&OsH=v{XPYi3x(R
zJIejBf@oUwOHK8Mnj;1|WEWognTneK%McAHrl*!=FU6S7|IYsH02al{%dnyg{pGbQ
zOhlBzNZvNb%q6#7?WD#LYapK>s%4EmmeClfOz&4B9`mNgG-TF0tL5pywXxA33JiAj
zbv$cftg+$lM#}8;-8J$o_`(h=kNM+GN~H)SpSrqWde7TQ*dROoC)NfPw)_cnN0>10
z_%}1fLUkM(OazL6b<#s?+q#dDTtE^l1h%Ka3V6a%+pq7Y=qMG{;VR;lF)GS=T8$kP
z{X9i0^Zsm=Z@1-#D0leR-u2z}%mN$37p&HX#uwn9!Tx3jxanxvJqAU>I8Ao?&-T4N
zh@3+()Mzxw_T+FBJfra^^jrV<R%O1K^YJvmnM4_$d_o){)BPn(xza8ck}cQw%Xv1I
zuR5@gzANf|7#%o1H(v;T&%!@KnH7%9wt<a)9k5ZI`&C<=!AB&h&fuf4y2J4i)RzUc
zTzxzJP0!o<v<w`$D#{JSv!?X<G8Qws)#z4=st<r2o<9(Ti3%eLV%&$@l~MmRF52<V
z>aET|f=k$uTG1hQ6~2eAtl}Are+2iF+-Lr`gF1g=>ttn$I*sd6lvSP9zxxmBO$PO9
z<3Rnh1RnF71GH9~*9~xG@Lq=!^WFeWuwA^qC+v10=<%R#mb_2Ge)WeqsYmbDWPd~g
zV`LSGj2Ia#i09`<Mc93l*K#9Dr+Tf^W?jQOe-vkgSo_bIetAAI@#MI*Zrvu0LYkbT
zm8D&xg?0$v9}zpr45-4}STHtQBV~NBc8ST2cs86z$wcb@h!%AGE7k+Tqf#a`JkF#*
z0<G;nWy#oOEGLs&rfQAM<GrN9bn)^v-$qqrgmaSGdWS;3J~B3{E^>gc%lyJ%zEojS
zd|sdbOkj`%@#KVbD`UhYB-(ZH(KP=LtAx_0stgNllpwD1zl5-jnw9yBj6-#!W*T*c
z|LMwu1{wJ-r8Nd0)geAu<0DKB#s=K)x8ve7^)!FKPyRIuWV%q>_HB+TL<<<hKa?0Y
zplF~?mf#(!TFiVp#(z8ju#xvn*!LPN=OtRBR``d4Ps|q4>w|L5Fuwc>o1O`vfpvlb
zQ6sKc+4p{W@ScflhyRzp_fGJBjMe*6&*p17EBMmDg2Z)wua6I2m-G7azSl*;>q=Ws
zwC~HCFum4{rfK@BB$`Z1mUQ=aGt=9JBt&_+{Ny$JLKv#m^j6=OgLv_=Ub^2yf}$Nf
z#XDBauvTX<ygLZMtj^0@Ctb1IVPR*r&#`W@Wl|-(6*s`)2;&J9=+c^qcxPWxsD(4H
zTMeJ_qj{9VWUZ(5Y7}2dnZ3ZkVF!VnSQET`r2w+@!;$BxjQVGNj-e6Mtuq8u9oDYo
z?5JIZ@WfLky9(i<hBs^t;rW%|&(>m?-_-Jt%4au$TH0;>08Ur}Y!nXvF+OBz<?-==
z{n2a`7S>!q$|3&}#<ei=8Xv`R4F)ZT{Kdh0d~=3c^GWHE7BGdA&)VLo{s1TV>;54=
z?zg4G^Y=;w8mtN^Tf;vppIs~=3W!W(8fgH3f&o&eiKFubBrdh@II!F-M4E|Ux0%tJ
zr!%I_`ejz<pUKQF)9@Whcp;Z2`8T6M;AOwp#3MeVH;<TdEz8v^^&^cA`M<I69yZ7_
z!sn3xBm3??jeg{SCM@HLgrAJqv4XetaPc$PG}p{o>vpVUUzK#f<U+YK&3IxQ^=ScS
zovE8%;Ts8B{h66pTV|Sfl6Qy6?e_`0pQBdMxhG{Rm3JR)1RWlRE&e)N%Rey|^z#Oj
z?<ONq%T=@E&v@EMjqJN9g<vqdmy~%n=bw-FEvuL{m0Pzh7fn;6&<h`o+$R)}K4ji0
z+%2WZiJV?&mpNet<{4#GACy)9NnndT{MS(%;n7x|OKpa%k?YDP1p7;a&!70fXM{?T
ze?Oni+6+;wpn4JS@~Z(X&xGASlu+%hPYLP*DZD^FZRW3sBlGw`97Oa<O%-zEUZdFv
z?VLDAwwBmH1+6|zmX{6Il;e+i2}=0`IvB&nL5wa+9>?03F(3(rL?UpE&Cj;uT6jdZ
zdN+G_)Dotg7L}w8oX4$GOifof$;S<Hikc_J@w~>;=fB6A%bYoJqJ51voyQ)Ame7*N
z+yf{MY`}UDU#AHaGkSyRM|PJ{Uyvi<28F9e=3u!A_dwHP3Cj$!6uVNGno-?%c-X0r
zQ>H*32do&7Oti=Wk_X^MqtFn1+43{$pCaAi1ZncLKwwfRR{MsNY0jyptZo4hdTCS#
ztVl8MvWoSR>$hrX8Gfwv*Md_+P(tK#^AgcZ{>^{Szdu9oQDvPKMz<a(MmYNzTy=9N
zp*oKfzR$jpzjGV(6Z#jOog&ZNTKz23&#%y(xu@x;md(zV3uo>zXDeVW{PQ->1IjeE
z9Sxbs$q6wkk&Z-U-;L2Ig~N3v4r_*Xo*<eY&Bo7wKndDRpHz3!51Lt$W&e@PoOyeu
zH`@E$g!vp497z8-raTcBToN*uRjK{{b;~6P@#Jf(7ku({e)B$B-4>O3cl}D+(kEz1
zRIL&zVONg6hqTrNm#&p8EA~HW7Nx@Oe#urzfc<_m>I2J7WBWvylO9Ef_UFc?2rZNT
zKBd%8hix>1UvG-GoStN5Nh|1MST!FPb`JoEI8aw*^yyRh>_&x*_8PuJk&6m1X^;z{
z+*madR5*6PXLqyV3nnHyAQ|;_BRRwF1OqhDF9@>z{$O0CLhz@}G+`mmOW`BIp1>Js
z<jZYnYLYKMq(h(@Z^@|UIoPSH^(ynN<u-u>bjZX10bWMf23)y`tr*Fs5cZZoto^{*
zfBSjGfXEJ`0|m{A@de4tus3v>*ZqWFdwyShws8{%*0=&|h8IXzqcbND^_vqVbeqG6
zC8VmfWVfn`V{u^EGXJV2fRwpmJfnpTYyOs{8bf%lt(IUH#P*O!^JZUoDh4{2WoU3F
zKM<d)`ZxNgEDI`X`I}^3`eMAf2pCR-iognzLr}7Jote8P%r6<wzGs{kmd$(SnuEsE
zs-oTt-zf)I`1S`4yD3(*tQg)JE?P_2#f?sCm=cNIpfxH|G-R6V{#*gS^$cyfTtk8R
zQ_JoNEFo?XqKKq}cy5gEpx7d-&=~PW7(c~vIEZ+&B)c8j89rn;NVVs`YKL>{w~;iK
zj<V&Jn@p|Lha9iomGb;I5mw@@3FPa3S^ZX*Suj%c6L9o#DDc(<kS`HzgiduB@YFT`
zEDPCB>A7s<SwznVc5%+0&)LWCw~g`Yj+cGh*QW_R7N$Q_F(I&FHyVi1GOH<@)(apL
zjtqVUq8~AXoX|H4<u&Ug6%krRg&Kc%!2d6To}dHa`7?t?jd3r#{U6!)V<}+r34ew_
z{;d6`C+_F?ls%tu!@XsPdI|5?oa&h$dvD$??|o*@5dPNB9bgdMeFi@o%&T*9uPS*p
z-MqRg_o`G%LeW>29$rz{R5Xw~j@~1tw)-=tD!n{sZt(K+-6xvL^zy3Q%S*cptHV6s
z1umV`6O|w%_16mi7L3?fPi>p$*6{Ko&#fhy?YW;NdDC<2NNPNH6v=NrcQnb<p8Glb
z^7ABL_1rNepYz;$lAn0)7fAMc?pTslo;!{t>$zu>O!3?=lAPeV<4Ml%aCJ<v2<*9y
zJU!yMF_Jqx_Z*VDJ@;IaXFM0os>wLX7d`hpk|xhZ67?SMxe1a}J-3PE2G6~K1Q;ig
zkYzFnEu+}>j`G}#Na*6lBo}wMQ%G#f(|DqhFOh8VTwIU6>pk~!lHYsomr3aQS4b#&
z1<4T4{VK^HJ$E{Z>$zVe8S1&L+4jEexid&Mc`l&=y|;NTE62SLdhS&umw7I661{sn
z+^b1!%QJZ*mp0%7=66X}c<%Q|7JKeBBu{$owIqu?mq_K_Cp`Ch`>UCx#dBLows|g_
zC<NS%B=>nP8)$lO@!Xq8&h^~ylT7s7n@O5GTrF(amgn&l^W0lW{@}T{k(79@+)W_8
zm89NtU6LPrE~h5+c6ja&NtS!=e3F0l+!V=mp8GE(=XtKSi~rPfZzs9gGinCtyn|m~
z^V~a0ZtHLtkl2>*;^|7y>=Ie#xj*68LC^g+lBu4156LT@`|l)Q@Z6u0yy&?<Bbo2H
z_mX_pbN_?na?kxa$?rV(7bIZdJ`%Y0mn3xdS0o!e_tzx%bh!7E*p?sQ321*yLebxm
zob9>4CxLq0(bM}$&;0|*bDsN0k{3MpPb4Ef_aTx_&;4(b|MuKJlRWIXe<7*!j7M&l
z=gPJBj^{2US?RfdBU#?zE+VllKhD#;p8EvJL!PT>ik+VOB+2bWJdglwyZyF=1nyf(
z@`mR=MRKv{E+bjxxgN>Cdu|5_+`OEG&aNQ2)^ndG`IhIdB$?ac{+-0O+{x4Fp1Ya^
z%B~^#ndh!0`M&2qM?$~Wku-Sj^CZ9U+!sio?0S-`J@-YDsOP>!a*yY3AbHetUnV)r
zb6+6=s#i(iw~ZuThucMBTYiHl8re+plIOlja+>FEA$i(!eUe_!&5}Ijxm!sXy4@sy
z_uOqHj0sJ8|K_<nNMP!nBrxGF5?E_D$qvumW0Soki#y!6NNmeJJpIOV-ytdWj0!m1
zbKm9HFFp4?lD~NFK@xyIMDna>R?5HNxpFl@r4R`(`;kDNVv=^xEg{+NxuqnqWPcLi
z(DHo04!4ZNwp`8=d^n5*>3K8>(o??o8qcjD`K{+3O9BRtvoDV)`Ksquk{~@#AVGSb
zNV3;+Pa*-o!$}YhCzDL^+*3$S@Z3{Lke*c}w&e&<7kcjLB>g=1pGXFH?kDZbkt7VR
zYWwn2B=D&06u9}*BzJi3nIsX<m1~YM@fi}bDCEm!E+BcGxqt*D)sdXs;f^A)Esx>p
zRwO^k0wg~PRM&)gK9Zm0dq{qglaTx*=OXz@7|0DI)F%bto1QBr<tEQqRn5!=`~tr*
z5(ex!B#g#$Nlxl;9TMAef+rB$L_%8^knBeClbnO(CrKjtN#N#-NMM+YNv`zVDI~)@
z6T^Rn=U&3ECp`C35=Ox^l7D3`AYm9@Mlyl9faHb__sb-<<>@@lMDmlQk^CgpNPdz=
zBtHop`wbFWzKUczlAmO>=Uz?nj^}=hgi$30ZlmY^GfA80N-3#iE+B!0zDqKRxqxJ0
zhkFf)ZMm5zXxT#YYa~BO50amRwq}vglbcA8)ZZr=jN~Vwz-*GsJogroZ+Pw;5@g3*
zl3TslykorBtv~l-w;k)nl4Cn!t){8i{6;U98s)|QWxE$+!*lHR+q_t2uot`ImtO47
zZZEdr_g?Hry!&yx7yH-mda=81_F{MM^kP3D&%d4C5xd7$bMHPc_8(_?v7e9kV!ycC
zi`{pJ7yIQ%FZQcnd9h!g>c#Ho`8TxwpWD3He_iXv9(cfu{q`y^_Pc5?_WPGRVh`GC
z9y-H|{de4p{duJq`^)#d*u($s#r}Ga7hCwE7yH{Eyx5|<yx1dqyx5~a``8vQ_V{1D
z*b^^#vBh8XVo!duBi3fCd8);WEi3h6-bG%l<4G^J{C8e##c(h7bcq*RIlznkeX18*
zwcLw6v(Ae>`%^F0$?w(gc(FA!vG&xC*mJg;^%Q%N+Fwd|u?+zHGM#*7vln~yw_a@H
zjb5y)%Zt5spBH<bqMP3EVsG5w#Wp|d#oip^#kS1oi216<NxPK@phw3X!{r)M`*863
zyT)<Yl3T(1WEZFCgx!--X6=j9i+IF78t7zPNg6J_%@~EvNx35_fIQ%@DoUHD%;Zq&
zZoR_ysBH;d{hW|Z<cu^$oXlWC!wnctsZ5$jD-0YgZ*};~3@EDL|F)*5-dEGj|Kpn0
zzptj+|8Y&*-dEF>u|o9!q<8ZD72@eXsHww^1h`K=p{LRtzx97rdHQaZdLNlGlkq!Q
z;)FU2TRejnlcvQ`_niy42(|~mqIGOGm--pLt}qrv5PEydawpZ&mYVvwlWKa1-2CkD
zQ^Uk?u`VZh%R@!Y+~XO0r~?%7GI>i^QOh7>h-Bq<;!~GO)P2sB@cHfQ_vU&IhKjA{
zl&Xi)O^<W(Pg}Z$UooHi7xaBPWmB=2lefHF)N+2VlA>}|vNZQIY<_n5*|1*2mZjs<
zx;WxR?wI+_2EFSrfcUfMlzGCYF@q<m4bi5TL?vKz-{PlQ-f&V=*Qc5=IAfh1vG-_S
zz3H^w>$KhLh`puv>DXIiV{cslsr1yhOn*Y1;e|!v#cja-`8~$8ySuHmt+^x_doPrX
zy%p+y1}ucy>SOPPTW>YxyE1HnOqYJ|Uw}6=x~dS^m0y4(4r}L=?{CLRA3Itl+11tI
zk0rlpgww4`Pcg6CO;DC`Fc28p^Ad*m)Eo-3&j3JBe@CpRuRGzSf@j~~6b)RtyRS<v
zuuHOwh3l5Hj*v4+&eRgJtoF6F3G#-Px4&L8zr4Ht2)U;!w-@Bbdu;N9$#Pa*ZP|f)
z=9ed9JqCwa&9#RSM3gkqkd|MgQ^c`V5OX~o+gWIx`gpk0vCc$hI%DE1op2i~y5h^{
z#cDstL9U-fp*#vlfmZx19e&SyimpvJ`FXcH!{fVSSm$8*_VVbLE&r&^ksr}!$Gleg
zX;rOSR;%eIT0iz1oFZyM0XqCMCR+d=QMN}VAp#Iu00A+67t9oPKY;*OFPzLhCQDyc
z!~3f0np9Yo9L7OaihavhwLwi#l?9G^a~125z5*DRtyg&?&wqGW#RV{~ez%}vH>emG
ziv?~UjI;Zy8h2P#^ZH=?L19&A_f?fVysEmss&-#s8?l%xsA_CsRc{w`P+t5#sJ6b4
z@8ExaSXH|Y6m(F>`vpWu9$wY2`l`D8!>amCUsWyN3aTlFJqjSYqOY2Y53A;if@)6h
zqaz3_>OO8k_c05)%NKMHS<pRbLHB?K-6adUL-28|Gi_KACb(NG0Sp3hw%vgQXWxZu
z2F_;3Payqs3t~@5X?9Y7mCl{IdmMj1FtqO0Hz#9M&0tWCtyQ<oo4k7RhtC!j&3C^_
z-ta<`BzJ`nljkO%P_0GHqw-aB_^a7|WA;au{<DjuO9xGijy<pUfn2{2n6)LjD624}
zT<Of{CY#AGGL^7L-JLD~?Qp+aFVn^pfK4lGK`GZxCS$T?jy=wlH++9*!c=U&Te;Am
zk<?fIURGzQ|M2p!t>dK~H<Lb4-h(y!%0~pv`^!JrS3dlK@){+5<sTe+gz`7{m4Ej9
zzV8<Pb0}|*49XF#!#~L4k&bCB6n2sBlQq}&Wm-=rhg`_U7e*cG^}k*R$K)0ubCYS6
zCR5~ZmlI4bi0mGYQuv7(I89x!9rOEP3T0?HF_TqkX{QW|CRBuv$kKAo5k4DT2gzy_
z(hn52Uw!GXmL|g_Pc*M&zbdjbH>c;_1AG8*7Qg)5ua+u(b21C&8{kn~O3jnyqm@=b
zQTD;Z%GzJ~viIi8nkQTK&V1Rn!^+xU`LYk?%bF)!_Tqe5MSAqXY=7m;N{v=$oKo{-
z%WA>O_SZkGto@ZQi+~NvnkQQp9VI9$-Kei!`zv2|TfVG$vSojfFIx@-eP!*hd|5NC
z7?|w@W2WaBxw0yEiGiM3Jm#m&-*i!`ZE=;dz?S7TaAXQaP&%f<tz*8vW4)Bx*IiE9
zF|VC8J7g_4oJ64oR)v6fVa}FaaA6OHNmU6|v!m%kmFwwf5XeOf^2($5-IPg9-KGpq
z#sRLWJ?R$x+{J}dk64|e!_T~pLJ>4%6_vva&KGl~O*OmB=HO@je}g|ivWRGVcoDe}
zKC*~d>F^@8|EP$#;P4`Hetl#sBL3k;<X-&9BBJ@>MeaGQNCT)|4td%N=N}dxz;hc)
z^p83%6Lg;?CP4R0-m<=^Wf%(Zt$gwC{|t9e{}!mAPN4m*Hu3F?bM(269FBAYIO!)p
z#yk-tEl-tWxKpesdCPN0-B^{5aa&wt=^M;jL#g@-RUM~b_k~I9`|g)i<S?F`eP)g)
zf!*+=`EGgAQ+C6P0xD$zQu}YJ6R=aEX|{)&K8k%LUk=CLG?te7P|gBkj=f_&d1auL
zxdNP&zHy7D*{Qq0<f3N{CKsvK{x|~(LN#65P8PFQk39F-Jbu$%7Eq+59lfPLQ!b-<
zW=78ra(yz$Wm`@5gjy2n9fgdVm@d6ah2{y8%;<}PLVNx-U$xNy)1?gsxoU!3e>b^G
zPv;YZ#_XH+M}jGoo;<P+?|B2;lA14~Kf7n=yS(g~f-c8JGEGA1(r3tG2XJQe5}U`r
z%(nO!mCm)e@Y8)lB)QGDmo8mkva~;XA|1<FW4BO?-(gw+0aiF?M&B0HeZHNL_+TV&
zX7r802YFBp%1Vt`&5WKIe30MQelYmYjQ)D?p(y|1A&b{(!3X)#Z3(OVjJ`Pd@Eq)7
zKUl3~^tr)@$IOS)_L~cO{L~qy#|yOBhz%5UnJ&S->Mz*0-^6sHHF7lBR?dyEA1J|>
z%(0QhR9@fNd{QnmL<;Agsq@MYYcJV0Mr|&jy9H9*wAfIYm(v9-0FUddotdgDii&cO
z=6aDi_R?#_8Onq(CrP$VQyX%e+1DNZmyaswW3Hqr(&7Ix$hY_!VV;5mKBb}i!JY^8
zJ_kh#U^g=mt!gx;%5!r~-{1v)3zqr#!CJv5$cq|CgPgoF_@AaE^+GTE-P@W^{m2}_
z`mcrS9~#%|)y?lq8Lp3YhW||#YwIr!-&ujWR%VW@da{jIHaQ5UT7%fm!^g5yGneCJ
za&T%)?q`n*OBc0u{e`b)CEeKRm*c)<zh9TlY*dCaH4tR}GQ8V;VnJ!Gw+Cu$Ib>Nt
zIT=EE4_I3Dz2C%la&r$(qD6)Ck992|+B^K&21-Co#}+wbV_i2M|NpV~HgHx|Rpb9b
z!I02FlOjdEDCnRA4zKbu=nTx@pffP?q9~9IGZ&b=^Ww}MUJR51jcJ(DqN3vIp|YaF
zqBJ9#1Qi)FQc6=Q(&@?SPD4s%Iz9pS_g!o6eeOAT?g%|SpU?mE|NMUFo^{WDS$plZ
z*Is+=wfEVF7VZ*bx7S`VKG*LZ1asO~EP*uT!yZ{dN)~-q%0D7FZ1O?HCv4gU%DvVk
zh+V18Jxmm}YN7WB3RSZ@>Ezyd>!-_zqC;9}usRg-O?55QyhxZaSl@q%4{?lBa?h8A
zkG227kXRy=7*Cp$!CcssQ0pIG8u<9#mMD{EHpyg)Kj=_#lSsBnxlvLk7Imq-#APX~
z1;+RVy7=aaiPeVI8wI7A_Gu>Jj#SicxpS^*nyo<#-6k2qYy?^SH4~tc7Bxc4yaU}k
zQyY7^tP#Z9LIXY_zt!z{KpxkrJK_S)7)m#49lz2wA>y2hI*v61am?<1t`4FMM>Vc3
zv6qFs<>-CFOo<My!TKal3{xg^>4Wc-Jst8ZwRR%}cjFy~>+PV|=IoU;?T>cDUe}8E
zbZ^CY(+bL#+Lq|5_#6~gs3mW{?YHDdS7dI<nEzQzJ}*kdQoi$Yza`oeZ>o9~2}x_o
z3|%9OPAIi~qGaEq@)PQld7ucjBq!C9zY4_}`lL!2x?V2gFsoiS!?g^&;|DTBiptgz
zA;LDu9}+61ZHWRU+IM0P)<@)6WS^tjO6bGV6YKQ@>N;Dx8dQh-b7&y8*&h3$GLd}(
zOv~@<W?MHZr4pF{bO^#7nMSBq08g@V_G$O$be)Z4&MYNR&``JxvYmk?b^3Fb;4;;d
zzo{?P?JqoIfWKl2&=;@<0<mVbZZLT03x5XB^%*I;MU4CSYU<)AdbLRwYXolk;Kr9T
zw1vA6Qu%kOsF;<-N|)?oF@)bWL<GsI7NHonSODMfQltnsiNuP5Ue>qsJ&6lN3Z+QP
zz}oMd{!X9UeVz%wR71?WENB6g(Ux8CY-dpWu#{;lItX8>j2Q$n-%AT779Gsms?%v1
zdZ)SQAXgHabjACPLJk=|=4~wc>AJN)y`u3pSM)cCI(N%bdM%$dILPVbaJjooxxC98
zuh8T(!pXC3@~TFA0?ix-W7QLPHLTVedZp--t#+4q#+#xK*a|qv<(cZ1DcY&4Eh|0;
z8D;B>4)*HSo?lJV_T){rUhjD*pw3O&wkw<a{0X~Ey6v17je)k)qFZaxb;uDIGUqjt
z`5Bk_hvCd+F7u~N=IbQ$!!GmIaOTTh=H({yWs>;;m-*gs<~O@ct2)?h5i+in%ndH{
zl5pmqxXkC8%$Kg5$wxMS%ItrL7spx#%7-wVXTvPT&J(F6Sw!Qjm+%`&Xi){{_|WKZ
z?xu4%@%PiL$3<9n8X3HHDyvwS-m#U`2Rc3@e@P83GFvVU%IN^nCrypA%Y`7fB^nS5
zNZVGCZXQpN)YoM?lbmh&gRB^LvG3DV7O}C}E|wg*f#3Oo-^KFVX%^!qk&!mSRB4qJ
z!!<u!2Yt%RcuX9~q63U}J4Tjb&4L5ci@&TSsQwh4WRx9taOcw`B+wh$f@}V+EufaR
z#1lwjiVo$3;vh-g#5DBrGH8{&SJE39bpXt;sE@HRXjBdq>d@Uq1%@iwsujX5)TQU_
zzM^jYRg~j|s;d9pwzuWGeo44~vF+|Ye>LY1l9dCmq{xK9!^ENl>xh<f`XH^lTZJ7h
z;}$$AV9EypiR!_sEYYZKi8DodD1E(_CgN|x0X3|Y<G+{3iBBoM@9zWOj}5+e8+<nk
zzKa9+zC?bzrxmYcMril=Hh>Z)OHJF&)GW&#;TtuslPYuz1XVWN#eR_30v%&^3yyjp
z&$4~nwuo&;etVr22KhWNl?~Fe&1Jb7*Ho6Tuq|K3*QD`%P8!RLQdHe6AM3;(X(}u3
z>~CW9DLe4npbE_TuFu7rZjFa;Pfax$Pq=B+w}|ZCs818yW264I&^3x%#HB0YSYn+S
z7?xu)jAZCA18D0n&@rP`s`$zblNuknX|pqZajwB^g~Xl-xKIsBF^Ss}zrz%A{Wrrk
z=4B$gH|7AbJvL^TYfOg<pjvE!_E48dfZrZV$pg~AqOI5nvmGkGwT}$tW%-)!I=4AL
z-*qSq<3SB3I&`AaE*gpDol5Vui0W=RO~Ys?-6LSi^MJ%1@3*FdDJs1WDzUpvT`3*%
zKjG(t`5E~6aU#3(a}}{Y^7EIsTjBWM;-~PDc9s=eehTC{zc|QGA`K&ae&+i8yx|G>
z8R@0`Jb_k#pIg~hOk{Be3S0?W)Qlk8EmGGz@zb4Bxk=C(dW<@=@-fE5AJ(z4H)6(y
zl_jS^rfTJga`yEg5hHZ{TIQi4L?7#sy(?~W>^&qBa+>1$kjV?%(%INeOnYFf(>o$<
zmQx6^RZ-yO!LrU*QIa+Ll$td(gsdOSdBnsL7M?h6KW3V7jOv8jT{>J2FgAAIYP$Cl
z#xULc0w9r#0W7R^qVit<L0n_av-4%#bPh1FJ{xjvE^V7DB5ji*#S|&_i#UOlHqvi0
zdypwGdoU@ZJM_>{N|qwNu2a#|+1ThxxknR?f<VmcbkjWwg=^7XN<2?voVGhlvUR>k
zGs`eQH+4R)YPRQE&<Iu|r)qiq&*`;P_gD+e%23MyvG8>DroALOTj?*F%!J2>9hCX0
zp85czZg-REsrYW~sT_9T6Zc<Wdy1y#Q#8$PF*P)yXxFbzc#Q*1XGl#tl{|z6+*v?n
z4CH`V+$@!S)>QT`Q`sIs;{95gbSDK2hTe!(TAd^{BGrmhIZWLcf_@J@!aIb{4Pts|
z)WCnQhm^x<wUl<N<)=`eSq?JyP$VR6EoEi2sol!dH?C5(V}(!Le%Q*I1J<h4{b4vc
zwBaJ$jMRW|lLz5W&EcjdWolcZaAFX(*{;#T*+vtZ!v4(i{uK65hE7v0Vlmtz?0nb?
zy4?o|v~Qm2FVm%;P<Nvfd2YRO)Q9k&nt)3XHo@zJ?N`_>IuyQ^i4NQPH52}qTYt4h
zc)G10W2rQK_rKTr-&n48_S|~M^5PWBBd6-~PzGPI4N^XTH^Arg6-B~qiy<B#<1`@a
zysysHr6q%R0M*OFtW4Bt`!M=Lo>L3Q1T$f-#>pHdX)R?FfNpGjj?+e+*SO_{#d8om
zoqW_z+;7y;miV+(Yn<9=oR1DO=66Q#U5eJ1k14Hh&&f#Z*i+Jq9#lG2`Tf0b20DkP
z)A<*v($IPPd0{%ko;s29w!|i#W@QT#1#ZSuGxhKou!)TBZy7ksw1a}eb1h$DrfFHd
zD*rbRHH8KD5=aT?T7$)w`?B!?bv>@uHJQ)J3a*Sp8fK`lKG4U1zLq+iWhG~R{oX$$
zDKh(+UKR}qm8#$R2(wkcJ*u(Y^;_o`(lwl$7s9%9kzn$tSbrkiHJ<J<-mlc$oa^gk
zx6cvAb)Li3R&)$bS_=90q2X>NIH^i3BfOZH0lJ4llT;w`-b*U|=37#ys_iS%IYN2n
z+TI-ZPPGmFS8E&RYO{+&=4VfC_z1OO)xgkvoDaVaGanyH-*GX=H#m=>lNQO^slT|~
zrx?r8y#vde56a6H9X`h_x6Y-erlO-rMw9q+4>S#EE;@=2SG-#N%{Eq_#1HxhrSMez
zoMWoD%in%#{dE-3PL55VA-!q4@ju3ToQL3_@oct?o5ZWhGC~GV_q+{z8#!ZO`a7PU
z@x3<V--|S(I3je|-ISj3uirHopV5r*bZ4wskcansz3h4Jj?V?COO8pS?&}uUJ*HBh
zx);+kZm=2WrBU~Add6#P#+=O5$ryq<ciNm&^QS+8o*SYfVEe$fJ6+0_zb7PRe!n)&
zJ3`gY6l%9pl?bAYpVzFJy3Cl1_kihdS?9@~TsK@>!?^yIH9)gzCw{UAT*!VVR5yoE
zr7MFEGmEA4mp_i0<{d<N9P%2)_tx|XB6#_kFsx<VE8i9{W#4zOlmFUR-Xu6G63UpE
z%vQkVG=)L-gx-kePNaNM@{W7AyhU)dS0{HH=$^_15#-4)%d8{g3QzO6yU9qbPUnfC
z{nX+=>}H5FAk^wKR#IZjQ_=oC5h_n?IoqxdR68@ta8BtUACNnwn@U{o#SfXM+7cf)
z*I?<~rDTXtg?9}uGuWQkO&k4#G{<OZ;vT5zc(@mZbQ!IN08GZ)#+M?mPK(4!5bL*2
zfVzZO`=*bmYE#wzJ=Y20ufRcrL>75%{?A}L<kMfW&Div;HbWSqyh|Pl@@~5Hi{o7a
zv>k6zL8!9&P-Q3toz|k{=?W08OLXyPxitizN;0hGB(awmp-A-jqAg|Ftz?P<Hr!T8
z-9AFO-PO4{grnnKrzJN_ISkLq;Y@OKW~l8qlF@JbQII?9L99XeYNrP6LH5wih}@Zg
zeQibUG|F_YwM0IDjndo>cknTa1EyUB=RA$}cU4~<DY>37&2qb{cZ%(6^Z$e6JBVw0
z=MSjF%qv>IF6PZLRqhhul?@sE(%;TKirJ{{L}sd25-$psk^>TM&ry_#&L<wgj7%M*
z54RD7B7~9R=0OznhtE?=Fe8nZL$p6-A2|6uUh11Q8~DF>wZTuz6JA`_=1Q13lMGVb
z>t=404O%GF!}X2E{Y>d^+R~kSAJ7Vv3LOzzrSRR93(y`s^&_-`X6>)J$F^zT9<lEd
z1NtyLnx5h&8{x&^H$>nU*)_iP8jr;=fJ`Z@#tkKuVVxI&#afBn7v5XG%&Z-`<}7f!
z<2UYHNkr`}%ja*JMX&X><%0Z};c31AJv5~q<VKKh%02Nb+zif?lhtQxH3Dj!4Z`2H
zg!czXY#BJ`#&qj`zNGeRw>`d|bErIz&!!Z`+wvES6GDFO&yOjT<d<@>j`;YIS#a3%
zUIz|a9AvmaYBPrYhlQOf|9^@)Yq0the&AK5@VhfIQn>t;Fom11?3u#wl4<EMlT!%4
zBopCT0m2su5r*&sbe|=>hn17#?L)s;%HJx^Ncp#Ax{+SCy#4hRLQiP5^l+aH{9N^t
zEeGBEqy|IQs1#YDGl%Z10=eajrPP3`l=(*`^d@THF@2pB*aclJ)ipg~UTH&->X8k`
zF9!)j^;o0sM$ImhD0#Jt<IH2J<4DB__W_J!dC4+(9zc(l&D$F|9X3}CQ#slt-KM9+
z)Lj0(i?%b*eJ?^^%eY^Co!qo>iO7R_Srd(Ubu+JW$`J=WBBrE&7}7Tuy+n+Tz^i(3
zQ|n`kUh2F;@^o`!s|5_&?@Z;|cI{VtUhQvkJvG`Z_!3F@1lb{S*uMGn8Jr-CP!n<^
z?_#=<UKU^mif*r`vv|)`42KFeNIJd>VWv@h5#+z9NE#^HfYAD|tXbUZh_iI&{YWR2
zO&(<E3A?t$Z%>{OW}#8YB^mrdS0TB?NqVo?72PT7PiCp>vjvW#_ZW&$RPtT#w#0)5
zw+LGoW-$g3)zHBz7^$=0f7Xh+dhwnX>i;_G#BC|gd&Gxxr-s<>^;4PF|31I|PZ_(2
zVsxw)M>iF{%xmPY@XGEyX(I>h4k;-`?VKW!Lz}-BG^s?{f~glHvy!v(yDvw@i6Quq
zfGHpPDs#XlX;dhGVuj=%EBS|-{5P8X3nl+T&CeL;grsJCw`3e<G7d2rizMS1lTql(
zJ4Y@-qzvzpV?`(SdwimRH)@H~<bGLtcZA02$A%!Ny_k;~+m=(XnBS#|tjEsZIH2QP
zbyE24r-_E-4{wK((T0-Genp%34G2nn<AgL3-U(+ADxEq90dy!e(w}P&aCRTYdDvy)
z?t0j?g7Mv!_#qP)v$C%xB08(N-QAXP^Q86U`|fXaz*+;4Ia>8o!YYr8sb*u*TTr6%
zum<8d>G767vAK~H#7@KWV+a%1D4gJyg_A$pUzFS<+!GW1br2^0VcMt>GO81=1|ry=
z@e<ElE|}&I(79F|?4=29xic)mz^q5B)jmyWxojGHSX}^WXZd#C0i*Nzn2B)#Y*cW#
zxoj@<9coe_{(<@O$Vi%R+3?yW+8bnCY%(f<SBKf<VP-Bvl@<xsm?Uom{5y8uYi?$u
zarKu;Hx;GXc>!B#Po41V@Bb7{@|0Lc54<HEdJ4<v`H*EKD5U7mz+x?<CDH-umQk*g
zAzAb4%l9()-eLgl{*aO6pKSwE%areZ37TH{ZzIXlM;xe;W>_g>!Pb4zz$%&^wkrmH
z*w-t5A}zDxhwD(WbnZ&6QX`HgG9e&h?iz8?cl*F&3{7j>BG+w+7b8Jp#I|KrdG>uf
ze&~e7Fz9C6>KJ&|mNvGnt#Xh`Xt>Ih|6u?$QiW8LKLG*}&$h%=#uijv8i=PYZHcQ)
zeEM3^nz(&k_RQFG9rjlThp<b$Vn1l&Pk}wxVi&8h7~&6Di$ShsNVgj7gnWlgxAqwP
z9QiHEtA*28DbpclEGLQ1Hd)o8nCGHl%;Si=CtTPJo$3teQ@oX5d;~^cOy9r*UCdM+
zpXh2k^H~viIk3-=Z%e$vMS8}Ku-DwqQ2n2Z(s&Yn{kF(87fHCUL8+T$ryb{yzMzEf
zWZJpjluAs#h|=c7zsvRURIb4`*FbW0e5yNb%aj<Ow)yF_z5K-hZPz*4;w9907!JA`
z2d8R$)Rahk<-%@sz4^RP{ew2wTFqrltvv@xwoH12-w#kh;AMmnm|)7qcH!bD1DWra
z-^R+l2@(@8auaHrC1oVs*}7K3Kd9woU3^SBq-ETR|B%)`XL_Rj%@avp&eDFxGXn3#
z^(}^lKWAmcdO<qYZw9e`?9^BnBhcHM8XpP@GOpp~d3^eg(~EK(axN$z&xaIPVW>T$
zi#E5++eu@#TVa`VDc&-kLq{5SQ@^GE!$<WHNz;!LC|i7cdgWMJrTFqRy0}HJ45R9H
zB>ZuGyNar@sl3ETh21TmmMg`IoApLAOTaIfmAVlyQ3-JKvf-d;9@{4`J|lhEmN*}z
zX?zak+G%s;foy4U);)XC-N(f5cq}!?4hksVgnl<p@aF1rVBohV1lC-kHPzo~k~;&R
zkP_>pgpsblP@P@ch1NDsuE@Pmm4(_U2$e2ym}}74!8KH_BP}#feS)#NTP`?85{G?W
zz?6PpfWOziaRSffaj@XIJU+STh<YyD(><53QY7&qD3ps<)N?6I#|hGe5C24(Ad9Yc
za1Q|~u|{q__>U952ddlNnOL%>4cEYg)SPB|&9wTMnbY#k1j7s>Wz3vr`XXoxl+lL7
zpSU^R+5$H+mz>fTkjud!Jz=~gf<kP8C%|HDfm>)p*cM2i7lKkPD@k2TU5ah606nyO
zyy5wGw<ym)!@fb{slS1e83I$Wj7hML-+TQj|3#{9D>`C2<jCZrR_zed!>;5xg6Pk5
z-uj{=rbA>2rX6yu&2`9LI^^?Y^gHBNAn&YVq_<1YeM9CBGgHYTmpGl0o;*af&GJwH
zmr4Dj5N}gINU9NM8*!Uv*O}-NXcNW;U-<gGlnt*!gS~D0SLOO5qx8G1v3d++6%h%K
z?2wF1I2{>rmg%1PA}c@oE98jQA9wa=O~3y@=DSmwk8%l~w9JT%U=oq}ILNHXTrM)`
z%tz<_%67w2Hz%5KV}s&xgoDy;i8p^PJRdlGOh9v}ccx5IJ()SlP7lwQ=VLMpnCHdv
z-0q&kd!xPB9?@*Zrl(u9fB$^GAHA65LpJ((qC0OCegrUYeA=%`YhIOlR?3#UXQ+5o
z+F*3q5Yy2?&+H(-{lRvhR9PE1YIMeS_jT>E?e6-iPmQ)aq0b==+r}K)trbu1^UG-~
zzL$E|R(#n#(~8%GBGZZmA|EL)VK)s%?q{UUVXsyZ6u`oOS1Ur(yD%b;$;}1adxeHz
z<K|*A9g|^w7Bb*=h>m|6xqOe-yA~Ic>^h28{R7d`(ce1H;6@OX@PG1bu69{rkcz`Z
zraMiQySj~LJ_e5M28YqihhCSaNfqW)a?7~S+A4}&6}~L#c>JtPiiVh#Hs>WSr|q4Z
zo`_MN-yR}ne2|!F-H5ruRv{lN)D{^DZnqOgzZ5Zl-fTGYpv$>_uZqU+c+SWfP5s%E
zLC!p7a2U=!_F6h;zHh4->8fbag|H)Lt;~OhGmC7_-jXxi$zs~MPQHt5iIIMzT_@je
zOYhGL?X?bY(xZ$>&6;l;?cK$KqKu?trq{Kz^1u*an<UW(nlvPpB!gd);D{!j)pNae
z9?m@-9lK{aO-<Z!6gHwu(2R56CtY-kHF;J@sR{}yIuR^ZsXqG`9gOBaFgFk6I;DcG
za~f96C7*<{?}Mnj74xILP9kKy{ep~)HzN@bK|~L8PjJSnLP@`)6;pg#+$$6A4e9i`
zH}iD3m)VN>=bwG<Js{oTrX<HbBUz#_P%YooSwU?}p5=U(|2wx^>!nPyo&oD(b*d+e
zzs-={{Rd<0?E3`lYnk%kgEZyE4r(^}5g*Fg{P#%yKbriTP5w2K|7$KkG~GC;$B}SM
zXkIQfHwFFuXRv5szg8()C^fupY8Y*57$-FpY7NecwyiKH+`y_Q-DsV@Mk3E}LRu@9
zXIYRF5hr`3C)Bs$&P~Z->)W*yp4Y~yro7?<&+G{)ocKeO%d>O+dfW0RAOL3c+7o!4
z;*q5!xv8OZE0*OGsEXZvnK+QuTR$#f$~m+!QI(K|jqBfcrto^jYCR*ZKTe6iu@XKG
zm)yp8_z<-r;|Dr8QY#{{Zw?!;BOb@pHe{U)Y<zg=L(U^#zb9Yhy8t?^b{H+XQnW*O
z_mXoAh>c=mp``lhF{6LMq+7n3TG=i`jPAb%0`xaR^42+00Sr`ku^fnom(XL7{*{Jz
z%Eo?bSMp`y1rh!Vk=|KLesR#LW5U%k-qj+mP=l_kRa@IbWgEIzc9&n->9*&W@7SIp
z-K#j)ufnb?|AqE^<Q*$}l-8y(?@Ph}Wu9w~Uz<5A<e0~oHvBG{%Z`q8kv&{xdg>Cr
z`}4?Jd9R>LMth~rrB`tNCUbXQ)}5lPo+*<4Y$|=hQG(!bEt;V!)uqFJWV$p&+%P5X
zg|!%QDiRQ=GWrX1*r7{ld?7Q9_kb{sYj;W=|0>rG+PXr7b>rI7AVocJ?da}q6#a^*
z9w<63uFc3qT!3q;Qr)OI!hss;|99eAad#TWrO{}uY;_#Dea;MVvVNc7Yb!3Mpq)_C
zmiUuVFo&^;2B26kZ5FCHcOZIJ*GX-O#4ZsAnQ=@m)9V+Q90z<o7r)WZ!S3+K44&6y
zDw2ZknmoIc^|&g0D*C9r!GIJ<rF-PK3u?3TJH#B4n2XP*xYNkl0sJ>N8T=o2_{qGO
zrgX3?Z7MYFnPcf#YVs-41AQgS06uA)U);<`-`bMD5dA49VKn`qr0bGUA3rCL6Q61v
z<<d81C{OicP#ebjPWQF59m+|?{QkZ4%_n91qgg^j(P3^;kX=W9@j9+{BAQ;VesG#(
z0G-w)>nQScX>MUx7r6n)ghy|`3sjazjrT|*K9>IYSftu6s`a#5kdXIWtrk_Sy?w3a
zVzKPySakpWnCoqm%k=gYCWk9{d?N+Gm*t}Q{X1}L3o^`)>Fy%SX%FoNp>irtxpKQ9
z&xl#exG&gRzHz3Kr@gVjC(q<E<bBlSa0O$wV4aJGys6;s*lVT3a%h%w>U_%RORb?=
z1iK0EHA>N#1z&w!Wz-09DteU^vQD76-$$FsVLENcCuIh)DH8&y&+mr%#>}WMHiZ;f
zQvlgt9_5oO;v){9gP7boRs`18cz{fHHQ(|(V{_P)Z>LfkNJ*T0MJ;4;S!9$q>Eit|
z1Bq;4W%PMKtL7PdV*Qf?*qTNJ&EB+*Xg#B-lJ-2s0@9Glj}SAM!KA|Yqx*&LZ3($O
z)Cps?5^RiJ$z^)`b0&u?_)%N%BQ6>wGP~O9du-WJQP&I+TmMjtW^$nZzdVv@FudPY
zWC(x#K0~<L;ewC)UjTQo{%)tOirZkN){m66CC2_%I!YSqjI<Z6qL<W|{I*Ui9?#R+
zS+-dy%ke`zT+b!G2ZjfF_T11<ZHZ@(*jhrDt*k(HQ)70JZ}=&C?p^qyt6VAFth7kw
zQ0mS;jse9f>Ykmk?#md?zRgMhav#L8jYV&8@x&X_HNi_g-cmA6Z;DP7P9u|Q{IaLy
z-{hiLoW_(^kCX;XEIOtKO+K`NRRlXOvWj@_!vdxp0VFOL@*GOmJtEz`4yD!=DcZ6g
zx3o$BnbTRJJ*-?|VAC<N7&aEYYWRfTStikm92xkO9J@KYxVcaHy?E_zb?Mi9SGa5@
zS^pX<G`Z+Ub#U=>LeZ;@gIs}=J6(aU;^Bun&($kuJD&k@Ul50Rsttn^XzSE_jFyLO
z`Mp`KXxp31dP~m0Ej^Nl`|1X(rxL;Let(a!OeD*qc$~RWM{xr$@H_4a7G^LV4^Gp(
zLmZq-oNnI#wS4Z4;+BC=T<W)0`DPD!?a;*;t!>N4&Pd~9%fRMTDR)1Uuk+G*#0p<|
zH0#%49!Wm-GkTC@bC?pjQit~YkEc8@wkKIFXQ$m6l_@5-Tb|+`V;oo1{$NySOVsH9
zEAC_0zb=<;XFoPX(&Vpu`30IOteb85gZS4^S^nbvsrqgEoAV=1y3#0Gk)nvax`=l<
z|Nr)!*0TH)4BeK21K*!6vk@7UtulQXsmhk;9qu`Bg%0wZ^1e9#R@m#Ky3gWKydT-o
zt%m}&RCZ6b_A9G^2zZ<f&*S!^%-%zB@QS(ba$X(C=}UXc7pIo4IE(BtwRCwt-JIca
z_9?(|f75&N50veXrP!X{j+TL+OC>7r;Q##;%jj1m4MR}-%D?qz)QjD;LnivVSr(6r
zmY3fCjF`$T1MeCX-e=NFNOTN;`kz`QC(6shJM=HBk$qT@-1L%~h=VW@Lp$^>1K)4(
z%B<kp_ch9$vVHR{c{l&ETl-{lI8z&S4TOZH(Ljv9nfMK{Kw1VKd2jkaD3ew^B9o;N
z(fRWHmDKZMdHxj7-Fxs8-H>VK<=+S+o1c2t%8K1Hh&Mx4PaOHU>+$85BiD09Zc3*z
z(#*W+?*0xK;Cd0WtO?h4{gA>O40Y7o(UFmhK}lw1q(X9+SlBHCdk^&a<}kV3Ed&2_
zfuHDlx|L!*wX2&XFMB@Ku6Lr(rUj(H(LmRUkV@@s`E#Ykes8vn%U@-ha@IdgzqI8G
zLp4Wp*>cIqam`e#gs%zr2_CFi7S((@XYCL&a+23xy_8yPeDd3J>lz0@p3m4`qtVP7
z!mLipDUhmdfc9d`z(>vx^U(UB2Y=m{r9mQy{Zr4BY)c&fnoZ~T2jA?O=e{guOUudp
z_n)VD?zq@8@Gsq{(0SoAt`<wx{q7k=gWl@7)-O5<&bPI$4b@sl+qYx+ZNsA55_AE`
zd%0~zJNHPbwxV6@4BQKl=K~fVk_es;w;R}g%)msKfyd+o5AMe8_pX%l>s#975S7<?
zbMc4QZcpMAaj{~ZcTU#WWGYq$K<6+Md#RsSbZ4hr3=KB<*YP#}$RmSqOL4EFZRYp-
zt~25{^XJ}v9B7MIbgU!S`mQtML)LfoZe&}!dYkxkwy$r$e*J-UO=8t=+c=>3iR$fV
z{kv&~kmkat_bS@$XCLy>Bj~|{CqoW}B%q0#_Uz|>?^$_{e6N?z9YKFFXA0j^7FWic
zk382sXFmPQB++;%^uFj1Sx)WVFKlZW*8*c$VSNpdc;Z=IVd3)PhV-nDKS{U1m&06V
zud5{Ddp9ux#f8F<#1F_Kj57oJ4r)|z{=(p#XmGy#A#he3oX0rse<*AHbF_o<$0)1I
zLzYZ@ie`ORKk2J}_nuF+8)j1N`mVF%%k`D(^<C%0`%ift#PNIdD=+JdUgdS?1QAG9
z(J|@8WAcgs?*QB(*d?xG9>03Zcuv-Rd49&x?w2;Sn0Ln$pL^?V>+pjQS>Jh*CU=}K
z_|_imm37}XsaIOSI~}_A%i8cpD(Vay^*a+KN=I_#{ixCG7p&haIr8>2zDwvlvvV=1
z{7ieonI3nU%#Ae`Q(7h;(|Z-+`l3Xy&SlC2{kgF7b|Je_j#CJi<hwsxid!zgA3`%)
z`h4PU4%qcRgZJmxuRY3}_Pi}jOXY209ZSa)$)FUza~|m6TL;`7Ib8p85vokuhnwfU
zswM_M5>2{9MQGM{CD&fcuHa29c6W~vKI6Q;N5GUkKw{28CvCl5)`(;sYqGwvR<m9v
zS+i|cyjqBkI#!Jc@^0|uRFNRlZoR6wWn8N%_fJ6L*iZ4ebOt^Ipfihn>P=svd^fc7
zW&{g(cRN*o>R!M0Rr*<nhfB`dAOa}41A?3PdZXM}?RQ_sK2Dt3dADSeUQf%P){~~Y
z$$#VN<u^S~{tJaJ>0AB&+>k5OVOv0-C3<yCGV0$nGCnwz^Q~c;Gu;*5S4(#O<N?W?
zvUPH0PDYcoyZy43af9uwp8FT1K=)ClySKu4cWG1Z8tubhuB0z2pAj=v-dw%bl7ZhO
z$5HecXMK<8=j>klZ~5F-qwAZzJKX&b?grYd4cmjAp(y94P?mN_`LsdlD$Bb=FK82{
z<c)~Sz|@~3<9?l!((8=Ncx7lkD4C0|rql1+dk+^2*#}YZrJ~T<?aP2qe@O>M!hb2p
zowr*aoN${;HwWijIi=YmXD+$j^{ZOmPH`aK9?&;&qnBM&-sM^Mm8YVd3KBIMoT}j&
z7csQT@V59=6|Ks;?;;s+riwG|X!w!j?zqZ0=cOX9%n_|$bolYff&daPI6!~8&#Wlx
z4u=Z=#gKFuZfz&uA*R*CqO2uX-m0t(_J(qOyyl*vE@k4qa+8$ABF}uUKI=P0t$e|!
zSJ8n^F%&iX;#Bsf;q12tvdgWEnms?2eR??iwSnyYOq<6;_7l<8-b!vqi5Wk_0mIiu
zn=LEAa9Y<+UF|+=-rldQX-C{S$|h1JZ>fovF?IaHFuXm$n$){&m&Zkd^|iKZ?wR0z
zPP|u+TS#m=TX+Yp=@8di_d3*TZ&Oh#bhr2F{GO?(O4ZrsUXAc{-WFtZ8%PdV8GRdL
zyi=tAfQYY}KfZ~^GZ#MSw%7LJmceIqTnZ-aKoN`eYj^d|`o!D(YA)KvH1R}xZ{3XP
zbL0Dl=w!kt9YgU~5ns$KL;Xm?-)!|mVG`5*eP8d6=xtrqQ2;Uf@zcV~C(=;9LJpa?
z_7+ckLQmD)zZ$LcF6oq(al27BOfqMpo)WK7Jgw~4DVz1!1&|YNb6U1FwhG~m@}TpQ
z^+mgSb;#GhC5rD<`WQ%`-^-2N&d-y9qne@jVEZJ-icqZIx7_XIg!X%z4mFh?*vMts
z`pqIyqXVTu7nufitk4F1yq*SKEd20q{&<}>?jCG%J!NuD7G?X^KF!7DLLz-K3XncQ
z`?wUi)D-xnDR8b7*e?ahi7Y49tv%?)SMX$~jY59P2Tsw~GNvRJA>`8rs;`TN;A5B5
zxsoLiKZ1DnWYedY{;Ej%bEp?*h8*I?Qnhe9Z?gEQO76t5wW^{u{FayrPc{az9P~4W
zE3@0Q)+bWtTf&Dp?7FwG>B+*T(pFgBbZBEy=pzv3N+QI6+~m8As+;vky-fR{?j1Lt
zpY>RuYgupWQ`UwS<X5{bo(my{)$w86<b6QDYumV2Vnvd<_ad2b_c?1r1EXs{pM2e4
z^bf+Dgtt5?-GaH(qPK4=hI=j%dN8*zKlSQw*@2-s`V#luTlv&`1Nv%z(d*{LRCcV@
ziR7_9lwzkvWjXH39;kd)T56h@caASudHovCrOIA(>ET`-52f-T3$*&di`B{qWNC!P
zb!%Vu;v9M^I`nu%N|5pMe=ww<1|L>{)AB(+C3PW7r8mq)=Z8#-XM(Ha9O}u)sj@GS
z`nnjfh9ei*Mj>=Er1uIn)1P2G^m05qFO@?MogKE*x;S@O&*iyWrfz=HU(cC0Ko*~3
zwinGpWskf@2d!Vb&5YJ<I@B7krlRfLUcP73RJk>psd*Q_y^eRMCh5L{>`B@VvMuH)
z_ZCi3fXCR(Tg>(mPyJQ#Z*R-*D>x)a8>bNL&%)-#vRdEXJio61L3%Ng*Mug-QNaE4
zMNRE|W0~lwB9Qh%`fL?Wqb-{`vr*P}{o2i*e&%!=owXBGJGEu{4L|vbK`i5ar*GQC
z^8$~onPke7R5SI)MGd$|mQY!3MVlEnN<BAj^lF~BnGD;E1oVGHWqzBo^%T7PBUlVC
z_wY+gWNrA6`~;nnoV6il9=B^HOrvJZeMS^%6SEz2B5yBF*GzoaL8cPi5$pF30yLLy
zW*{FD=CS$SRJ4uc?aar!>|Xh&xHC^#b$P1XD&04gEas-4^lOT;HtaPmxAlbcHzC7L
zjt47+2cYnPS*WjRU<T+TLenztfjR+G&PC59_C2mMzyTwDXItiW%7M58>cMoEoV_ZA
z==^K(_%meuoO1dmoO7?uc}`kRmYJL399k;SW4G)5_(j_~KBOa4d1P*X$~O777c?C*
zgizFb+>L~69<=v5dqV)s4Sv9=PvXbYto8dA`yXs(&o9ET)UO(_jVW(F6q@@Uy2P!y
z0h6Q^l<U{N;oWl<f3xn9dGn9Vy}O4RuH9a%T<ZiRKK^6nn)p7&xHX?Un5)0?=ju}X
zX`z;-_J(tu6{IIK=G$GuzrTW@npLD;Cv&FUT(RC<@T2DA7+LdTOOUDEiruB6FZ7YS
z0xp!^kYU%QN2SUt{q?TVK{D|nM~yq1=IvlTuvf@w<|kvx43*y<)1ku1l5e?-L1@RR
zm<~El^WyeO>}~W~sO(omWnF>Pdb(ByNK2nT*9ejF@^PO(n4e6qeO@s?IkeN~CG)dg
zkvASt;!+o4{0z4$l6HwX!~ca=SdPWPLHq~)B&09e+cATYXUa0p<b~1Q(oB)k2VL1R
zA`*9`%Br4}vgi0^+tbR<Gi9$c?`2(X%eIWWyh?DtlDHJRz#J0hoGw_j!d-)avM^*6
zc6^seL)YOn++uyxri=C{U2Q+|+w_KQQzv8E*NymXK%@57vs^6A`dB=mPIGo&BgZc@
z7c|vcye;Eumm8W_e$%k5^Zlmg(p1fN+nN!Cz2?FZ)QIRH^|<ft_%e-=OPj!?%^yus
z`x-<WypbenjBw_CsiYk?X}(Q5&ZkLisRz?a{VtWX!X`anOYKi3El4Z%tyEGzNeuQf
z9qhVuEmk%|&5Qt?+}oQ<LoXS#=9ZU?MP}4idO>^{X11c?e7o#-`YigB!4VMf(Zn3!
zrgu~NKv*}SCsY<Tv3+M&Vqe8=O^NMZJXcGU%6!Pws;1klKU0aFX@B=#DJtW6ml@A8
z2isAYYwEnTxe<z4OEv4e&(wYFaaZGoevM<KMv)Pgam_^!nKKFhIO;cVC(V?>vWvS>
zCRiR=dd?R8B1}kcbaw&-gAyQad12V+@U@sGe^0d~Q&G#fGww8rn}4khrAqdD)zzU)
z|M_O3%>@9}QphwIO}ya)_EBgJ^;3>($iG11S(ZfkR+%C3%v5c8*EE)5!tN9;uI#=J
zdtSRZ6T8{F(AIv-M<s8`OHo+~c6`e|h>>$$)_vEDT_CudOX;|IbX=o!zY3VV8F-q!
zmNLp~G1`RJBmCMY2^Q-+`sgO<z5R||DOGs?Uq$6)ZCEG8ZRSTmMdn^bJ6&$=kLN@l
z{r(?nIfAwl*NkCKqnu_EW-Z#;@ndbCjD}3Ca>TCda$IjYt^8$v{zc^9lMm5}ZIAhC
z^1+vd#zkgP;~XpMWe$IH?;P{CsgripaLO(VbjI4lYMXTz`I+5>z!!OhN4w!`vcA%r
zeBTFuYz+)s<U!uRz=AW<#*059B1r%IGR;UA=4mrHFZ4>{w+EH$?V!SIbknKp9eH~7
zc1BF4Wwug1oRrTysvR3Sp(H)%gkjXjgaR56G@<+(y!ML7oolo3^LaWW@qzEF#+~oH
z8ph_xN8=vA=Ag*DT}`ErLI96#i8GF96RAN~Su&(0X|GYex0$o$dujMyjOj0ml#pl*
zaQnq{dCbep+VBFrG}H2?M~zIhjN4Q${qag-qY(|mNaxxAPtYZfpR0>eaoe{C1pz9U
z=bB}$zP4QjVQ;5c;~6v2|1Ohep<TJ)HH+p!L>&NIyEX0~`wV;*D?ocSYs1%!3|Pcg
zNXU$kbZ`(JW5IC5j@p)SZBc0yH<~dqiM0*>y&byGMn#&tbgxz0eKA+yYJ#fpvQL1_
z1i1-Rz8At+iTDjQjkLsKtLV5t8)7@{wIB6TQMW$&zFIs`a4SZ-c2r|F06!BGp-_G}
zJQ4Ph=0g2?S&o4){BrtVzvr6*_e(FX-<O}7xtX|g5hG|bZ#bDZVtC~I@vpR@7~3y^
zwA~PYp&?Cr9dejuNz+^I7=k*>c8Fyy;}Z-Y$`ZO{mW4gKSfv=FPORT{l{lU2<!4@=
zP6S=5-2~@h?OyC{nRm~&4gB)oIrhzOuj5-1V=pJ8E4ciiW!&FBVAych3(7Sr5=WY?
zXr%p_cU@d%jyiFjPzj}<oM7hdwOWuH&pP)ip~`hgg6qNpNC_^D98u>$lxdf^TC_3O
zHOfgWn6$T-u9w<VJ3RSt8|E|~V$dFFD&0pu<yGln<+jKY+E&|hnQhPb=W(&jlbqJ^
z^66JK?;&bsI-nCsD^-PQJE2nSDXR_Mlw<SS39!_3LQ9{gmq;WIu9iN}nV)nsSQ?LM
zEveaT7n773b23jO@Jv2Z+W|NyH72Bcc!LLQe0hw;rRknWBu3mq#Fl>tq3fkqkZW1-
zB2!@DFO+qMy!aTY*N8;6p`<H~l94_o>CR5+&%<J0NeO#WT91PNY@?tTAL!>Ho?65Q
zWosG0&n_YF$#47Q9rE}7(|akz{`czLmo!LminVHRIwjak?46#v<|k$)s)~96tLwC`
z0hjiRX;H-1YrFNOo+_4`yy)G0{c4<H2M?*9Iwrm346{Y7CQUER$DRqbEKdfn?ji}d
zWSClRxklzq(Hn8!sjfr8y8imQtLvytG}0HL3V&)0|L&|jRf|HkH2byOPc8e4Ub_-k
z>1CGsyek`vv|?oaPj?8zWeqO^Q<vQ=<4<1+1>aAM8_>PSA+m9Wyp#n$I<6Ax4L9;G
zOX2(6zlcxoF&2EkHseFaLpGXg!tFv=TcYGSHy-j+ydP(O8c*-nF^bKAlshD(d-AT)
zuixp<>(X6V@dlUcO4YTR>#|1K96s$%%weIT0>cfvrb?qZq5jEiqdBK3;q-3D6#T)G
z%W6DX87@cVZAay8ljBbrc4K8tW;9;zZH5np&nglM@kR*Rk3KlSh}xpcZZqm<8&zzv
zqhh6)JNnp`I2)yGM%4C{vTIju!@$BtVt&$e*;*1mR3pkAjCeGCV_>J%PObQOF$U7q
zP1c4Bj4*5$Z&bI!4Yu&T6iz8lW3>zATM#&*UY8gcG}`aau+B2ptKwc?wC!w~yUmM_
z7s`xU<VM*vIxn_W$=$}Lsx(q{rjz2Pzu>Z)=|1%{ct$n7IzQ{o(k=JPEQ1qO_fobM
zH2vI;hn905U5Hx_QkB;8jRim(7HxB7KX5N5&BFafd)S`q^D%PMVN8Vc_6VODXcL;(
zO559|H3dy?yMfl0cv{@(;;hxy%KT|tEAuDl=W{Ac8FLDQ`M3879-T<P{4EUT5#Llp
zN45dYnSc);-Kg}h-H0HrD{lJqD&(}OCC=YUc1?9}0Yb!4@o9;q`gO+Q$^Na9xQ-ag
zwj~}qq|aL*d7T#@Eg4M*T^T58y=pDvZdqWsR)^}&+(+Y#U=Q_6ZwZ?j@3wsZ8uOn~
z+dq_L==vW^3ovn9xl$;+PvY#bSS;q7i{b4hj6^dsHoB3qzGz(^ZIxUZ(=zUnd4|-s
zXQUvFm5W1K#%;CHdNZ1dUQG0THu`gtTUe2`L3c<UJF+&MBV?M#yz6u&yH1w<>pI?M
z{5Yx|m!JHN5MHz{5byJFvek|`%ub9)YA@O*J@E!gr&+tOxLNxX`(>R=9MfeGy60Q9
z+r$=?hLu@c{5L-#mqquhU$Tf81p_nDu*Yhq?Mzrf8tUGOhVPgyL7%4QMN2k08s=LX
zZVk{dPiS};t3MMBg_ee)X*3)~TlUC@tJ7$h6{2CWrQ!JlDL(uhD_BpS83~u^$4a=U
zfBA_GeX0FvCM7+%cdS<?W!Ww-W*}+3I(Mq{hL^qbI%k>}Hnl@<75m$a;v-*Y0PCxq
znldGo@?<#W@>I%pQW9gnM!^s7lhN*0%Q6RLi`nhI(y{0$)EiqAF?!!esCD8~S)bes
z{nzSeZEz@{D(&9E!|=xFP%>wO*NtO-dY$jq&w1?7jdhk*@(L+C*K7X~@%;A$n&h~t
z95lth42ts}k|P<7{nxEM-Y<R@f6oc;sQX4}Zu-JZ3~+P4U_J_YhD<{(<DR)$z?7E&
ziKU=kzxIV*jq_=so*+m&iP&d0Lr)K79JWUZ`84b*vF`LJVefl}vkS9Wu$LO_F@ya>
zg1s-;C8s%G?8@|Nyv|mZcSYmiX1P&8Zbe`@Da$_Ey9{?^$9i~WvWel{&LLn)mGx1K
zUsTSE=ZjLe_{he)Wawq>&s>v9&Zl#a!0}Xa^E@7&q008+UeC}=8_&=)>a8Y!DqrY`
z81gWnY3*^&0dp-#ug3SSUwi!Cd;5bIYM-K!og7d--uZ45@jW5}C*C7;N*8m8+~?)L
zeNbfHK9JV#;iU(6>fPpqmM$n{F;q6le<x1%#`FzO5}7IA*vK7s?p-W*PF>2``?Ut4
z*{xs*R#KYt7rXp6CgZyf;WWD|XX)pvZZ_p!Rr(<P7yD(Xx}(My-ij3bK)S7E+_Q63
z#(oD#obhFq0@tFxO3S>X=BwJQA`>cD{CJf!s&Hay)}@7f1^3n&O)nMPGNb9uf_Vi^
zCkp14v<%z$a>Scg+%iJooRZ;xpj-MbOMHGC_@6j&X8f{Izgapm>(UJ}%)FAO|1N2I
zv#{y)g5(9<!2DFN;)%a){4)ct?}9}I3kwz%e4yZtryfY<e@X}kpX89=>Hm6p%ua!S
zm%iQc&8JWH?t4bjgGUz4Uh%P_`uf`XoXCt@rcaC1E?wFXjYn!52}>jO<u%Kqk!%w=
zC3n@Z+zGK&Igy5{yQA)Dct0;#zM{4<RvD?OjYsOE<&}}8Rk5h7nDt*U-;!8u#hr>M
zQeD+hT^_Gko-yC@@`mM+K<0RDZDdK+vXPQGQdk}@w-ir`r2bhteS9XL5FN}FiFC_X
zER~tY26JZ4mm<pL)qJbM{Ah?StB%&hBNesv^^JA$Xk|a|hFP-;z3BxrO1yr;@=5)?
zVptWecW6=#88&ikLqBguW%m@xLuXJ~NpwXt78%wpPbwvnJ*;7P07XA<Ud^2~wJU49
z@ncJ;dJ}T_bM0vUjFCSR$Mfg5qB-8oSzf{H(utA6XhX%w$ckuvLse~!K|@35_w!0?
z8)?|gf|-Spr40f6!=O2kHhWfNWqnmVs+rQ#=H6P8Dw~#eYbu4d`Z%W*%r1<~DVvc>
zm9%*c(a4;_8PmrE=ujS!HVsLn`i5vU%p_ONVGI_Pv^j;5g1Wj`RYiH+Z@I%M^%Yjt
zM=Rn~TRP1zsyGdIBTHlD%lriCFZzD=EN}L$UU7L%Wh@$rmoMROKrRhmZ;IB}(4|s5
z$ks?dFLGU^AQr1#8L5meX$;_&T1lH;TVE0FA<dMlsjV4N9;;hkUej0&X|~*)<>mF!
z%1B)~V_mwcss`LPt*pLk1!I_$y85bG5?80n8JyMSRW;eeBjxpm+Az+_=!z<6s*Xx^
z4(IH~ni_3-ZB3*h7LC>g(&p4fE2_$4QlhqA>XLsJXF)|pw4os~t+qZI8EunXTB+ub
z#8=k^2Km&2IYs?EC6o3wtZs-$t1HT5F~e3*acB7B<)~^HJ>P?0s4rM6Lwodmt<0gT
zs)<K+OxsR!qlyk_sHm^1i`Uu_%{XPWOs$F|0g>!RBOSv9tF$Xy)WL8sTNJ`@&or?L
zx$tJxlxutSAr&8)Q@$cvDT;4KWdpjy5;qQ2Fe|=1S|7QkyuL~$R&xq*Qq8E*GS)|3
zJAuCwa>tey-|dYaKS4mhqE+!|O(hIkZqyKxU$v~JJl<FzV5PDtl@KvxyG{ruXhZyj
znbW2fM~W-!BeUleL`rKb8)J>iFK=dfbvk;jW7x<EkUKqX?6_XiUho!F)K=HkBMZ^W
zMc#sj%1C)#-6C&xw7Q%gt`F-fnx8us{`+hTj5onLEY^6_JEoSRK}6z08qm;V#_ODD
zy$ZSME;DjwM;l^Q)pR+^Bf2ag$w-mTO9%IzNDk)UZGXZMejg<qC%nN6z%LLUB5WYU
z2!({PgbN7039s@J?LNY0LX1#I7)m(KtE4Xwb`Z7_HV`TagL$2|^$2xwTgY+XLBbKj
zQNoq~bs~A&A5J8*34;j(2)zk1VcYpSy2=PfMCW2RTaS#~T3=hUEOKXb_4Rh9wfXDn
zYnRoRS4XNU{i!{i*($jDXe?Te9`zYJta7C2NUxOcL<dD?%!-s(R!Tn`aT0dxWM=Dg
z`5NNLdqpa5dOn6oM)gooR#q}&TEW~Ivt}yBp7PDPZO+^x#Gt2iJDoyWCDsspTNRHq
zxKUb_nslHm#xV8fs3HnxvGX?>R_SOJ?t5lDGt<<I?24^3qteXtk`FvaDMYGjme#uQ
zrgEwE1n^9&tz@!^LRE;J#{NMZQ|aNc0UlLdsr2gdRXR<W4l(JGYy-9FO1I{(uT87X
z+FPzZ(!;fNPY>7T(tD^+RpL9ePt(IShT5m;;TqqueM^{$!sx>ML@2F+>-UYTuP|CC
z3b&@h&2L7Vpr}TT7Xj%>RZ(8$=f=kBI!2d|*B1B7m-z!QoW<Zz35J!!YQ!Uyaae=N
z6G)F_&y21dQ#eQMNS8jXY+i)<nwcY*D)WsgUu0(alF^ZA<rT|Qb-45yl~HDT)P+pz
zZnmT`Op`KYc?C<CR@Go}M9}MZ1}JptrC1)3_;Oun1gsOkyb2?Krdb^vu?_N{i_7aP
zSC-fN&(pDV$Rt+jG?F4y>B7c3Z`$11#>~Z(&Azq1s%TYRZGAj4quPL50*0Wb`}m4$
ztD~jSnx$3s)prc5yhBFQ$R$-Z-pVD?$D-mIuplumh2(fGtsXg&m5u6AT|Y^ds+u|$
zV`d>`Qml<8i?meI%)-(FZ@&D&bgHOZ?aiBc)67}7&h+|CpE0`>Ljg<9*>6r@6b@@d
z;!<RU($IO+YU@^`KI6-4LjtEJnXZ?@mVgxZA|@eZ38WGNJ?SblJ!R()VONkbGRok>
zit<>M%nts%w6vV=QodCf3txC-B*)^biPx{LtHn@@$V$eq*NwxXQ2MA*E`v*t6a;4<
zN2}9A@Me}SmR&JFgI|75w<V|Map|_b(m%Af+dA>a##kgWJ~BFY)C6zT_(|i&PZ~YJ
ztE^wWs%k~uos()N#V2`gYW8X>Dwgx7q0+;8_Ttr*UhM9M22WV&Rje#uLC)yX2CsgJ
zZ>1W6Vp6CtuZVkfF~*W7Gl^Fbt&cZ&@v1w$idszE8Xl^n@p6NqvZ~%=#>YkAF>NoY
zZHNl2TDsb+FJI|3GFqj#yoTkqD<vBk#UfW?kXEHfPzbpVs~gDT)z?-pZIHNFRYP1K
zJm`(p*48z6vD#&|US-r-dle`u2#d#}Qcy{*Usj`)flLj1PgZ%AOBBesojYq*NhG^s
zc%&v;g`Ufapu=uxTs^Yi)W)h<Tx>NFn11sbSo`SHg4#M6kTMV#Me>A6*Y%raq9*l=
zL`GEQL`IAdKKZ>phqmhQL`Ij^jwDl0|K={QYKZVZW;%<6rR9w=W@H`zQfdT_l@TLs
zhZqzX64E;notu`z9IfYcswj^&)b><Qoz$b;bA*QKSy{zcN8`YEMvp88l{y?mBSz54
zu1q9y6Dv17M65<JO>!cYwKZ49BaJn6C`~PKr<5?lGDU}`OcoW$ir9?eWRghDxk7SU
zc{2EKs9K?hp-7n3bDDFt%_&&SzgtxN)HaPaL|9leE8EpegBGFFM~q+{nj*Z=v@9Ym
zrJ49oYU|WVBXrS=EFy4SiTew=uZk&_5l*(Js5%1K99mEvt*k1i%^3O`o$b0cch%_J
z+~KCAlh`SsS0bb&<BNbO3o}eUBf6GVl2P)R$jH*#`iKk~eU50ysHlw?AsKwkeko-%
zHnF6>Q(-$!l`JhR!YuNstXLA238;}}mZgwXH`26-%04lyt6Ay9Vv!nFbs-kwXjp>l
zNXy5iCyYjzB5L7mUm#L*oUY&_3q+OWXp3_qPRZp&&}}&plv_?jv|CP(Lrv5kxzQt1
z8pW3rQO&ZbU&-xr=0xle*YP|;Fd^>B_7p)98=7CI&7X12v}rR!Wox88(koM{Fy~gm
z5hvif>a8oUr-x;B*JQ&&*BHN>T@l8hS%n*CpwTFG<?-dFoTx&-jP{frOC=<vXLhR5
zFW@RE6E%-mFB7VCOiB%+d{8{_$uAISOVO(6^f{@_t{LP;Yfm8<NwDOY+{9v0u<T{E
z;98(Pkg0;%wbk7#(A=3SFu5~T;7=e*5PwRTQIv3z$cPpk*>Bp6f>0-p(D^PCUDKEd
ztCouUFB+*>E{yXzW|+Vj4wg%G|J<sIJFR{TFaW{rA$utvRIy!B%yLt&U%>U?G&?7!
z7mz91&nygZ1u)&pgPGOZ2#o+4EkREEMW>4)md@#Ew-($IW+1~XRI^{6gy0x5Omma_
z6m|+Q%u<9(ZkhIRm6O1HVrR(Qk^PG17a<`bqQh1JXi)0bDHItgh61Wjr`F6$BD=OG
zwi=@#Dt@n(%cC`DIni}8otfICLx%TLdowEgBa?(KyR}iv`VEnC#`h3%UHb78$$o@?
zw46w`6Mjl~jPNDGCc;X>t%Ms14{kPL9KR#>`Q5-bH=RiSp70dm+k`I?RuIYwHxpbr
zfs=WDPg-0s{r~pgXJ+8do6UxY&s!)w+HHS7Y~eNw>n&Vv;Rk?o2|4uf{!g4pUiJXK
zGhjXN7la`Xo=E<NK74}o<@|n%U|qeQxIRbcj-3!05t&n5FnZkhw3t!)JT`aYc#|Xj
zSxWSqi<0Q>piOgl%c^WfLqlW6%_Pz=mQuSoq9yD<al1_`h)kPZlJdp{)5IZ+W3^kl
zl$&Fwf6TWqYHzNZH{JadHX-b)m)gvR)(!QwjhWmVxN)s-B$8oWWy)HQSbf#9<#FpY
z)Ml7et2>Q?39Q--=Bc%8T3WpuNEG)m^~#Di80)xWI>r`5C*X<`hng;&%)B2cWl&A4
zt*#b3RrOrARO?I(#G9%@6^Y~DuOzfCcU*L->0A~Pyao84#I{%Wd1X~Y1zz-urPcg3
zI<`C}Zgt%iTIAQG-rohYZdznXOG}W&zDWut1lwU&<@i5wXJ+if%A2O*L}gpk_!4{0
zR~pJ^1g)C@;#9$(%>R+>73!IFJP}hpNSE`w+4Xoz&#PyNX{8!#NzHWA0)KlXGB>o{
zq*C@y!>^w;3@VI#(1|`Oeiyk;iD-kU&=Bd_^$IgpT7pG4qcGSS#Dx*221vKzF5}g3
zt6P}}-KGt_iB-xBv1c7pRSs67>!S5+0LVbcDOU&443E*P+)hE<RI5uN*{Ek<KNfTT
zESWTAiltp@kGObYayWii?szKq1T%lHYH)I+{iEfz2DcND6IsT{Wgkb3eaukAnyz=~
zp`aEMPHHfFiZ+4O1*Hn-l#M7TESpv;izH4V^x%ENGZ8JXb|};QZ=pnkc1CGII$G!O
z!?>w53;LA9&!@tJk_qx>)OgRw!FZ{zi$&|PLtU2`m7pENUM{=EL1m|jfi##wNAb__
zFD2e;#;D<m8$?!^wqbg>g8XJB60TE_534Z$DN^!HU5$lYTh9>&grYv>sTDt$Y`xhP
zP5Q7?f4QW06I0VX-=99WHjbaTTX8?VP<BK0I7XNauKpR~t}(|oswx8tF++Oj@Q3r$
z1<HqraOtV~@ychwA4t!LKaidg|C}^^W!dAmAH`8CLnytcgg!Q{<@kqoRSDL0+8GE%
zW%6-gM67T2E$VTM1^>BrYC4P5aB9FGdR=6i5l5DoOH;g%^3u=jp9Rx>UO4=u8&MAz
z_vIv<?ics@Ao#KTE7FPw%cs&)#r^U!Ml${5m~7~uoTieOljS87c^5U5$U}O%yxJ@I
z&L&7l$SG&JYl4@RJUJCVfN&n+J%oXT_YvMt;GzxhQo?0~VT9p?5rol%YYBOTse~B>
zc}<?9j9xk6P68J(c^@Hsg76=NhY61peopu!;RNA*y*y9eZ@rly_XTYsJVAJk5TOyb
z5I#wGfiRf&d}4&B2t#T7#|dX}%z8ax0F3w+;T9TtJ`HUrJVj%FOk)qx*d&cDp`p8Z
zMXrQ~zKe#wb^-jOp>t{Ik&8U<tK9YS*bv%JL!Zg^yjOBK(>luYZW`}-Kb-7&-z)IE
z!eY<6XO`#Pb*txHv)J>Vt@6Ajaq!>kbeo%F#D8fOn{KCx_E*n@?yp!?Y#aiz;bJ4w
zTrk1B;$;aw8%N4)b);x~6?3|`M09bz)w6cTBBH(^(F*;%+oSch4c_#sRnbZ>lFdYW
zn>y&CmBZOHj#f0913}h0@MbbUl{433dRJm7$Q<D8Q!j8ZiS6>5#`2gqZFyC!(wocS
zkC^O08)uR=&ga!tGJA+a+?zAA;HDz4pHRiDP+EQ`T3go3;XyrY<Y<-)##B%rBKvn0
zzGgS(w0fSzDhwBmphs{?sks>58ww_b_J*L>EN!$@09`mCaOfmG!AEB{>G8_?PFaf%
zC4(6+DncyZS}`L670q-9eKMx%W|y9?s!m&QF&V-qRXoPz52*icX}IO$VrFQ)w%p8G
z<Cuz6i`N4SL%nU?R~vzZ02|QKp#+}|l3+Y#8BnDX(oh8xLa3$*anbs0&JogD-y@5W
z7Ktdu`b&%RYo5ANV6e-Nq|;{d;uhzu96uVwUC5-4wLf|lo66po&ODhM+WTZOk5EFW
zBpf6z-sfa;>{;fyKk!wa=StkWiR*VVxs`B)Fqr2T_?F^B@1^`j;34D?1{3-dP<P&~
z<@I8Lraa2B8N+;GmO_ywC=GFa>ws-2m#u&}IoQ=0*-y7_G+|{GZthssol*QpORx&>
zj9?2hWE*N_GefFz)^N(u(shJ&lP{IgA6!lJlwWIGA_rvP<a|Nx({CLMhEgTJ7UNd7
zXqAG@>lnr7P$`|-sJO1u@$qw<K{g8vx*X+34JN$A!6x==a@gq5V|$Dq%e9g0oJAue
z>SXh}d_^rMer$p)5HKh~i)&eMR4$oPxkObm(RSBjPEk=|anbA|%QkkQrG8N~frCTY
zH`K~L9bys;DO10Dntu?byH3?DADJ9fRFw(*nPwL^A>%7z?HWCCVR9OE*xjMw){pOe
z?m~9pIse9XUb?y+HgeQ>v<M^FYQZ!@a^>IH+*~7Fo*s@1Te=X-KSxJTN{(HA&h+Uq
zCDA@!Xg46;9tyNOlrKP=+HHY+s`mqU3{~CvsQChTddg>XVRwY-^_qO$5oXS(6O-Kn
zF=f*888vw7dQHAl*K6{fx?VeOjsEF=9>D1pw}m9bQb=c&yo4241Kx9^-0T`Sca;^I
zAYSYFk@2~tzV^;&4TDeQzrHqR&d7N;<2_t$e;2K)iX*jhKF7Nu>VCR&Ii(!SVbErb
zPUY59J{C!BeIS2Yf;px=SC8{B6sqF(=Nvg9Y=48*{Bnm`1YKH;pC_G6lP?tO=S`!<
z$C?&T{%MW%^&E=u8#GflI6clZ+k@t%jU2V(FsdGIG!Ld}b2y(`x16J-E-@8hG8C-<
zv2h8-%<pL+skc9wMB>r8Rn-`nLZ1GZR$fyPjoIIl*Z$PJrVppeixzUEGWa;J22z3%
zh5&osrJ#NZ=k@D7h2nOw@!qr;+wtb`I+IaVe9r2cishUFt-2crOKr`lOp!Bfg9>UY
zrHEJ9XpYo7Jh0Rlsp7K|Av5@8%`HzR%{^JJyGPTb`h*PE;QE<cTgK5W7*ta!#LbT0
z)fjDvk4ldiogOhJJz{Kngf|QSl^YB4+f*JH7BebC53`o0a#%t&14n~v8#$<7BIkpp
zL?}XIZz+#KcDFPudZ|={R;RC3ac`<vBi<}M6jmrN2+WDsWA3=&T^6lZ9~Tm1%{eQu
z$}uOR>f5ti48`eb)4KQ^Q~_O$2-n3{)2Fke6;aM=uw@aB7@Zz5COu+odIU%0Ybs}m
zohfh1a8QY(a)IX=<^&kxXnR52Ce!3#p*M%E=I*i6IcmN<LtgwFT8m4nE*AuKg+O`(
zFo*NRGDy`GBGHVu8|oU#FOn6%l}%xDw6PM`EPO6tqj80+-*kh<+X}q7;xy$zeKZtH
zU5)}lVn;cuxT>bn<TO#Ke6pV{B${q_Pl_}w2@shfRuy}Y1gqp{<AAl4*ci?@`dqeA
zptPqYqbg@*a;#4ICB&QR%gQ<S?Tee4Hf(Y9Pq+%zK;bAOZsMV#GAEmM^6^<{i%37%
zpP}K?V9SLfC37gkjv&;UsZEdGd2-sbvX&{zoKL5a5d`I1m{grnaWfguwV1W(zF`w*
z9SeHIz#Q=Ooeg>bNRE7_Vyf*S(0(2VL1m+cKND6t??i>QQZJX3G-R^-@1o}7YH$`+
z5K1xM*BVUF-zGJ1<RNsr88d^jc2_|Ro=|z4$_8b3TS%=x%IYzM49TW!n4fY)!&t(`
z;<fgRTlGk?EVIoba%oi*U%&nf_?gq`(^us}tqYiU(4bbVZC@b8pz+gbVYfuGxO8n}
zh72xU6*Xrb(zB$er?bhW*Ri(ECKMBP4Lq6b3(OhB`j+tM`%We|@La-g%P(sdn`01i
z!dN>laFDjpKQbZyG5;ts2NeCI$jVoDIyeK}%2$`3fo_wYcGfvq0dF61ya=y?Ln0^0
z0*)CoKx`Y-gbw(W{6Z!n<+2DR1hHv*EPvd25nZdYCgi~164{-RrIBg3p_?VG|GJSL
zJd?eIB>^U-q&ILVM9gaUk`ilFWHiNYal%W?yt&gyj2d53q(3Gw>e*LmaO2%=*N81A
z{iBO#IlU$O)LuVbRKPde7_-I*yk%<Rt7PxPE-T%JnQNb++xbite_$8LX|xJQK<Xrr
zPle%AVB7_H?fcbT*CK*p5kjzep?JQdCy*~JN}A8l=IMS(7?TcEADvF`HMo}w_4Pwu
z0I07V&6>hGMFX*;@UqtPvRT7&Z|Yor*F<~X^+GO~;qaG;z|fY!Kb&GSx^0VSx)+(w
z>|lI9A?C1dqeT(B=?lsXsXoQF14Yawo5#$hWY9#LWEiG$kAvlI9L*tK_vkZtCx5BX
zC$CQ7O%1s<p}=`P<t+)r&J_9TTM)_6k{RX%?Wa{TC&=m9p8YA20z@x`*XOqphY`M1
zSW%xjjW>2PoTG=yvuDrZ6%I*H9m*WWG1AIfmd&yc99@NN<>W9olH32RzE|B}eE(bA
z>(a;TJ;2L7FZZ0Y&R%?faj)o^y*1ABa);!eeO8~V&pq>u3(3QNMsCT;<f@xaCb!H?
zg>^Pg;)9_};!E*MlJ^19%t*@ocU|V_(~cdV_HSX@KlF~j$DRo(TRw1seH#MXIl6D<
z_N&;!@h&FFJ{4Oxx<_?2@EXE6!eqh}!ZgAS1lg-%3&)#7;EEUBuZjYf5$+^Z6Ye6g
zrQ@w9G!dE!pC){kAbVL~A$*-6ds>eWzE9Xgc!KaWp^fl7;T6K~34b7T5MC$zmGDnO
zuU@o=AXjx~5e5?8Pq>IMj3E1B*AgZYrVwr-$UfNug4`ZkPFO~$B{UK~M7Wo5A3<)T
zeUR`u!dD1iC47hQUBV9tKO#Iq_zB@>gy#s)6J8<wiO@;-JK-(D3BuXzzrCAqG2wE;
z2*Mb`M8af30pTXX&4gPCw-N3jL<v=dI|(ZZA116Pe3Z~a_!QyOgf9`kO86Gx5yFoN
zPZORayhQjd;rE0;5nd<!gYY&%?*5Z&|KCHnm@u4hHDMg#TEb+)6v7RJd4$^t3kY`*
z<W}ap2n~dlgl57g2%jZ<iSP}=!-Pi&KP0pfeoFW`;U&T=gg+2IXZKrWFBX#YpPARx
z+Hq5!9&f<;9l2~+!!^SiF4LiI^+w>(2-<X&ob{ErE;!F-PKKf~bVEbmpuEhZ>`br7
zD`d;{X0Nc!E4<meS$1E=kL(VJ#%g(ifa)6DDPXF-44<_*NQ!me&#SDhXq1-@co(Lj
zvc7?RxYhi`os#;gFOr)_IiqV+c!$USTcCPvQDnORB9zuEZuCM9NTuG7k||#8hv8b%
zm9rUfBU-y*WF)(;oT)|5%9O{%TOeDLqR;&|x0yxjm?dlQ$$Mpln+cwEOxPAr@)b2#
z7N|3GR!L#xrlQ;Co2P3><_4Z-P8>NV{5U@FIDN+aqC)fjEeI%&3YX)Q=7Cqs3ybDV
z^J6Su+<v^sLr^Z*YttSuHj|fPo6jF>bGaTbibbW1Mh3FVnlEDG^=$`RMB;^SE{V6*
z8lxlA5)0yZWY}hkHrSL&k!W=tFF3}_m!;>$gB6T+B-!JEF1L%8vs+53k$o49$r(eK
z#bR+KoZOk3M+(bKnVLp6wz6}F>%L8mKPZZ3O=s}Pp(U(7bLQC`cyb6`UDFB+<`x9-
z>8a|uRr9N3g;vz%h2W^JaUBtCGes-PWtS+Nv7(&qBRQeHBpN9<yK-XoDt6n+0Wk6!
z4CK|Ts$&YFZsc-LU%80nMPkvKW%1?ND){O0;9YUKxX<TL=B2V!dGL&^sH+2i4X%h0
z*U>&W8<{dCk{emG25TW48Rw-gON&VoAChe_*J6Z=bxV`dBd!ZYdyMslxbEgl=_OId
zVN|y2Jj~QoeECu|lt$-z+=Z~Bs<shKDPonbczt8kTa7Dml(&>u!lE?Es}MuqlQHV$
zG4DsNxsF>khc#R$F9+7avFs&{ORqL;8}8i|$(xcPrp{Z5T9_hQ&6|Qsl!q&aHC*XU
zxzfAR8&>HJi!JqrE%Wk*j2JPjVZ;ck7_vYGWWlh8MT@TM=jB}wpCj_}ptutiQ{c(F
zEaI_Kp{JT`TI$imFIQ7p&TdE4rUfIs>#0nd(?G9PaWrluvaH>Ag^Nig3FCyxsiYy(
zk(_Li)KdChE~%gshjY{>;t8Kp?eJ)Zw$GF1z2iTbP_8f%Zd|gHCZTZ{mbLW@7G<mC
zyLg$j?hs>pxb7))xP^b3V<vKUl|dpuCrv7;s=2eMrcwpPAki#F#fRw0Tz*CkHw(n4
zs(7U%;pHiIwBxDjuE>Dauj8HY7l@etd+5C-wY9MnDU&8~(MRoyXgboKDNJiih>J5I
z56`S3W1MHF=MDCQ-{7<#>1BenX2vfPaaA`aU)4ipE2`?_obZY02D>ub&N7oGu@6=g
z&z?S`qzH8U%!nbyKc|?G9xN1DnYywDtsQb{tn6NY3eV{f(7n8!u1=Hw?&aq)q))Rj
zeWh*l=U)7}lP2BMEzV34X+3KmQ+y92VHIu$o*#Wx8t2}*ypiMXC`OG|>Xfx?!*O?y
zKHI6E=kfX+nA}Z06E#|RW1ej}%WNNy6&}_PnqRa=u>90=<_Z00%imJfP=%^8ahd-9
zPv_roIhl8tdv)GbX6}hxCll@!S47-%UWE1J6&!`0>|GIy^Jkg-xvQ~OKzUtl!({LE
zAIUPX+dr02-v0~#j|cy^%YfLw|6c@_>E6E+<g9gi_*eQe&AOKbOSE2XeBI&2C|>Dt
zGKwo`M%MHCJBnw-C>K$I>0u(sTP>>sd=~L~bX0ak49xiI1yzei5))BdKNMA>YY&gb
zotG=-tSA2d3G#P>;$bn0e^r&7{LG8YoiV?(<PKfc-!W(I>=`p}xMSL^c{Ar4YuQ+v
zc|!s=C<dumpI2gmt2yfIY2SDb*veXE#y_d~t<1PO#KAsk(i~~9HHfUiq7w!#Yc<UM
zxem_o=8rWQHK(zFWF`@7t-Mn0Xk#V?F&V2D%Ox{jN9;S}XYo{|9T6tg)`LxSy7*IO
zk|EqsS9BMqR~l-yjco-|>J$w)CH>Pd2h*xB2IA>Z&sl$K9|jm~I2th1MCQX)D9-~O
z-ZPuhb55F+9uvk4)oP3yixm3gV5k;J5rh?{Zij5m9H89t^0WxE0wO)}@2syzjR_Iw
zjT)=ZzEvmH^t$NG$=e5d-lHhc{xi6zkKb!bP9zWTuEN$^xsQ+MP4l@!kB{wb1?B=<
zfrY>$!1=)Az!-4wZ6}iJfO){pz=go=z%{^D;8x%vU@P!d;1OUK@HntP4)?*g^WHcx
z4>%UM5LgUc16&B)1grzL0yhAU0=EDMFW_!KU<q(9a1HPU;0|B{n70sogLuyaSPWbP
zTnO9*tOITZZUF88ZUMFecK{Cp_X3XqUjQBjCV<C*$ASG9ajzinc?<>)1?B)J0P}z)
zz!KnM;6h*=7z1tut^sZZZUXKEZUycG?f@PJwgQg=4+48%NWH*8z~jIiV9p2NJ8&Uz
z18@y+8*nSI71;j{=mh2g2V4Xlz@flRz<gjUa5?ZO@Bv`XV#)#60K0%YfJ1pn=OAzb
zu!JvNm&h}4F|hxV6UjBeg}?`ZYk&^{^D4N15m*8|20Q|sz$VI3U<vRza51odCHw#$
z1nvZuEJf~sYk-4!UuFle5O@$cA9xfP10Dyi1Fl&{eZWn?UBIotgTNiYc8OmOKHw4H
zfJ^D051vTo0b7A}z=d~G9(V+J7<d$T6nGryMW8Rnos_`Az-(X+Fb|jqECZGRD}f7v
ztAH`!Cg2g^VTrGXe?!0vTnLQS(Z9fhz+=FL_29b<JaO6sTnO9@i~)B5j{{!?u4$w{
zfIEQwFNc0$1b7fQ7I*|$3_J>42s{p~1NL8mTmW-`TY!1M9l#RcUf@FD3&0pK0o(*U
z4$N5z{-Hbr=K_zerhkDsYtRS49UG9tVbJkW>IW{|h#UcPJ_bL5TY-n=nfn5=uOJ<m
z2Rs5S1NP?*flA<-&(QDk{8{)e&%i-ff*+UzYz5{64+7@`j{uhgj{?^KkAIH-mh>+m
zFX*YGz+BN+UnE`Nf1XG_3OoWF%xr!Xm<wFE4Y>m5d<p&lOTJ7#;8x%PU@Pzl@F?&Y
z@HnvdRnYkr=mQQ0<^Xem`M@>6#lR!LII!fK@E6z$?9FE3QQ#opabOOx|F<Xy91NTb
z%mFS3<^k6LOMnjmW59<beh2&n_W$;YWMAGJ+X^fM?f}jQwgO|ogTQsbBf!nTqrmOJ
z<G@y6e?H!I2sjw{DliAw1<V8XA3?pq2yh{AEHDNv2Ce}v1n$@gUBK4wGQNOY`50Xe
zKI<L8d|>}a$Op^=iZ43`+z4C)+zQ+T+zH$Y+y~qNJPbVeDE-5R>JeZraLxA_N5CCF
zpuM@&x0`kX*R;|epnM;9pTq+X0~h`ndPjkG5B&&i1s(wQe-gg)GU36e;4knva09SE
z_t0(u?f||4T(ckkjiLPq&?CV9&rt7J(tiq{fk%LgfrAgyF5uQf^e?dg^YCpPd;|^!
z<^d-FOMoT7g}}wY7%(pJFEHMKt-!wHp$j+|coaAmnD<NM0l4r*`d#2}pbxke7`c}G
zz+zzkBj5w(0k;Cz01p6n0FMFX-rK<wp!c`X4?O-d{RYf=1-=0{{TKZ<k@9~+UV!~y
zM?M7pgZ4}!Kd=Ot^Co-)<^k6LOMnjm7Xlvw#(=wkN8h47lcD3E^b_#NangYcPr@f)
zPA|@I<?#%R0As+hz%{^P;3nWg;8tKAa0hS$uobukco4V)coeu7cpUfwaO=Bx4{8eS
z?8|#pz&zka;3nReIt<L|&pTJwK@V^)@F;LO@HlV{u>U!nO#luCJ_O7G?gEwoUjQCF
z7kaOUo&mgv1>AHVc!5WNZvgYoKbahmPk!J~;2PirU@Nc^*#AA?mw4a-V9o_6lY<JV
zA2=5{m@{t6ft!Ha<eBqrM}T?2H-II;zEj~Fa4;|i%muCi76LZ`=L2^DW58D6I$#cG
z<qk?baL_dB<IG$ou;l%;Ti}K85x5n27`Q{;BP#^o#qb*#yYyu8f+C)Q*}yds$^#c(
z4qjjk*e>zFH-MXfeW!yDI2gDCm<wzL76NmIaux)*5V#q*6}TOE1lS5J$)@}b^v`hG
z0nE9Ib^u#}yCi-D@=**N37>!mb5ACZ0*{Y^e={gQhVy~I)@zZc8!11Tb^td4_W^fY
zM|*CfKen7qE(W#&;{rcVKMUN-`IHjy{|Dy{fvx`u9l)($I+@%F+yUGN9Q+mNEQN01
zVBo@spbOZ4JMsxE`4;c*0dpRv{WB@|ecCPXv6IO|z^y-^+$`|yA{|)rB<aB8z|FuT
zPtjgrY~RUb?=sS#hF;)8U>w*A+y?BwpY{S{zyrWFz$5b92K_gK4_FDz`3dv``#%Hy
z5)V8Kj2)z3X9Iu6_yHaS&Ijf^N525`4#8hwD==pc&p!tra4T>f@HlWQ@aXd=lL_FF
z7m@q9!~;u!YYvkScm%i=xUe03z*b=2dDQni<R7@^zvw?;>+fj~aO)pv_bt%-r<2Jt
zfye02TZ#WW`~eRBZ}iA~o|DiEeC&*5a_H^69}O%7&ODP3fB_4#_^uQ1$^psbcHm#n
zOC}Ehmz|$X9tB=MFqzC<;Cb=)C6n`kV=qi5R{<-5TY&!o+yy)YJPbVZqGYlQI374?
zA!km26M$QR^MTI+R{@U<raUm~V#)*0zJ&6?)xa)b?9ycNA?V%++z0$3@KxXuVDH;J
z@4taVf&C-22RIs735)?Z0Ji`i0zL-Z2RsCP75EykH|?4^B$-_E0nfYfGV%fIFHa^9
z0^c{3b^~7oUT}x!Z5x(M<^ex=MKU>f5#RR(<^c}^7XtqaxCZzpa4WF?mC0l)FdujX
z_(9-t;Aen?!Mg*P2YeQ|5E#!+CI@`b^F9yE1x~#>nJfeD1J(gca`>zca20ST@LAv?
zVBv^l@)+>Rk<fW3?Y<_N91CpCO(y38`;Sg0<G_2yB$Jzg^T#HWj{+YDz5pCLE}47-
zct7xh82ki|1uh;>dEkCv9GH78<$+%VJ_;N;f%3qIfNubECQ`nd_5sHNr%s|>z&`^w
z03(y(FK{XF0PvH*1n~U4WU_CK=iLs>1|9$w1IJHECYJ+02HXf7bRBXD+<HCbfyaOe
z;G}%Y*Frxq8~6)gG4P>jlm~7sOeQx03ya_z@EPD?;Lz#F7w}17q>gcQ1Lc6{7sGF0
zG4KK4-N2pyhrPECkE*)%$4_PgM1n(5su58KMNE}q!iz>lO-Mps2rz~~BSj}~6B5nK
zm;?-p8il5)0n-*ORjSdV(w5rPi<Y+3#!3;D+SF2uO1;riOD)>;N-0{%d_QaN&z?DR
zG8656?(_V9fAl<rHRrR|UVHDg*IxVO>^TGa1ZW@V_Clls?JkC2-(*>XpqZeZ^WoQ^
z!3FRG(1V~`K-(6=??5N|;CG<6fF?Fu)_%~*po1l$P%&ufqEM(F^t+&)pyNwJp>3cK
zfbIp|33?cG0CY?X-m9<}b_VSPEd`yj1nmS`47w3?HRyKG0nh`WmzN>mR+JBPGH5qw
zF6g<}B443Pkq-0_=uXhHzl3z4%dUgpg6;#IxB`2w*TZi?+d!*94}-1+J;jgug3bZm
z1^O)LVbJ$M$E-xVmxn@AL63kIgFaA!d_i56s4wVh&>qmYLHj_9tKiq5Pl2Y~4Et51
zUw}RZ>H{qapq)Suf_8zft3i6u&7ggtJ)i@iHMQ`|Hq@^U_5ywV2KXgt`i*EO&>qmu
za$k@7pnpFGx(@Vp(5;|nH^AROOF$2S-VT~nj<^Dv2Kpgr0cdI?{0;O8&~>1{0No1u
z9_SuWs|o2rr-CL`ATEHWftG?6fYyW7g0_RM1KkL^6?7};9?+ejhd}#4lPdAfkRZ~7
zP6jOi^?}xcR)Ver?F8Kl`Y`Ao&>ql3puYf3szQ5$rh&c(S^zrcCZq?Q0=f>g7<4OW
z4d@=wPS8W34}&IETh<QHG|)Yu1)%#uYe5fzt^+*=x)n638R<b&K@WkZfhGkkD-$#g
zv;edKv<wvA+Oldv*MYWyZUucGbPs4!3(|v50ZpnweL>SeZvia;-2z$*`YPx;&;y`b
zLEi`61De{3^q_M<la}Kg4`>?bYS04Edq8VJkAZf9p1T761iApU540R~0JIS_r55Qx
z(?Q<^^?}Y@34a7F2kipg1lj}o1ZW@VcF+OPcR^F?VDFoe9yAlw2Raut2wDo-1zH2z
z1G)pW5A-<b0O*u9^iTL}JLmz>ZJ@_NkAhBIg>tV#`diRXZb5p`{h)oIu3M4ct>~w>
zBR|mMJCGmf*V-Wu+PxO>0(49V;v?wo>k#KaQ#+w|HPWv~zXu)Jg?<9M@_zJN(B5w#
z9q6=gVmtud_aMdtQ18R&cekPb-AD(zWed`Qraq2)l+z391HBd$FQ&Jic>?7C{SdSV
zbmEgJH)tm40B9*_3hL1enhv@a)Cc-C&>(0x=m6+bpeZQ#)U7BV^4ko$4|F`bpj-*J
zlvoLEDG6te8I{zPFe*jxiTLZwJ`uV|1bD@kM}Grf<Wpu~zsQXbo|L(s)S|J;Hz&1Q
zS5LU&!Wom#6%{G?%f(;q9IOuoz$I82{;Gi){eofmw1N(-9oT9Iwh`Dm2euX1MhCVN
zShoY~1Gde99R#++fgJ<3%YltafPEa87uW#@HWSz(2UY;=hyz;&%*u(jK@iv&2euYi
zDliYk<q})T`-sK^o1_qpZ3C9>z<PldJFtDgY8}`iU~3)NabVrRj6W1e-Y&#oV0TKs
zb37^QU2{CCo$g$Zw<9szleT6=t|#4<JKB?$?eS)NQXw(NlT?^o;z=vC0lK`)pv%gQ
zu0s&mL}2#1t_7Crz%~IJ@4&VJO95v0vtD3h9GJYbDanBy0+#5&jsuhO+4ZHs*N>zA
zc5E`RV-746*bxU-3~a!Gl><BMz*>PFa$xI#9duxuf%QAE9$*I?*e+oE9oT+g`+$v-
zcElw<br@Km1Cxi#du^EX*YUvi*f5iRD)3(5_CB4(^rBy`H2jq^{e=R+Lpoi#p41LE
zJZ4Rz-;<iHe1@{^On+Vs*)p4KD)`$VE9F03WT9n^Yq2K@ABDFEJgKjfC*?T^p4g`f
zpCw&~lxK}Q-{Y+wt+L4WB+X6MF)w9=_D@xIC7UO*MIP@Lji|C^Cgdi=cTN_axTFll
zz`Ve&6yO>u-;Jt#lW|)MUM_g5o{=)l^?2udQu911D1wT)U63n=+!WE_lq=A3Ql}k|
zD}~%uVYwXE$sev$F6xvC{z1srLe?j;h0-1f<sH(e*Cf_xX>{V;Wc25`s%^4g*u58`
zl8<*J;`7jQ!*-=%dx%<T|6<6tLw1}1xCAQ))(H$t0(A-23hbB-6Wgr=R-JbuG()6N
z?=`NQl<h=*3wZ0mn=3qAg6#md3)oo-!Mp@?FR(sf+XYj8R~YuYd{4RS8>3Z-f_79l
z8^*yUx)RYz%I2O3oum*wo}~gS1-4c&=(<nh;0E^`k9U3I98X&3h-^=K$H*K{=9*E9
zJU-Vop3J$PbOcBUKv0K8(OnKbo1sViR4&0<fo%e2kAdreZM4ZryKM&61?(r15GvQZ
zP@hgW0&PcPzK+E{SGgk=&r7zlAif`I$LHhO6Jori-Qa>BuXpEpyqyxqJ0y;;8JUlw
zH;q;WNAC<59JUdkorpsF3QmL~eF6EeanJL3OTuk0a=DNz`xH5;cRl3FAvXb^<r1tN
zSUoV+Z;5RL)&>k!P?s0~Zw1y03{x)pN1-Rnb=_#yBMOq0uDy`yv!xUL@;<)3z|aNM
zCD;*QdmLC28h;nCKTuA5aw4!UJnzmI487&H(b{d&aGNRe;K}!-bU!U%|63OBe{<ks
z>0nnwc7GA}<MCPAqSJ+*#(0?T8Ax!o*&VYmS<-Amn%sFOLXU*g<cIsLN^?8XAdDGj
zmNa{jrUz-ToMb+ZG>fCth%Mx$jK`72ZlCeMjsdfefoZ^wIOJvn8*pGgV22%;d`JBd
zutdoZm*k7DKw1ZZnKl-z6IeemR6|{YbptzK!wP_H2euzrwMeOc0Yh}k_|lP>EBzwh
zlfKl^E#@YF(UXR#6^?O8D!SxLeNumHIZzk+3FkYij}>{cu6O7vNUn;W{~)QvpJHk6
z;uE2}MOSlp+*5Hj5RS8RlM7z(q|V#zNh#dxNs>COMY?rJcZbYJP@mYbCR<`nuBSV}
zeY$J3Clm3<5pJ@RgTT?R9e5tpt5|**AG#Nu2rb6FHBZV1pY4!wa82ShC{s4dGzVo8
zyQHG=_d)hP#*h14#nJI^p2R<vDa&1%5UWJclZC%(=t}kBxgvGh=L2`ZE+|T&jKBzG
z^yj=}xGFyvB#R$xg^pd<MB=E-L3RS`wPAo%JM06#19*o3s=r}uWPfwPF~XTFH6OK4
zj=^A_Qi7N%>2OKDUSO+%U91p|%>=dyn7z*w0Nd!mmI3Q>U_oG=4s0#3b-<Erd29l<
z)`4vU)(-3xn_MsT+55~s>a+K)L)2%-j#HmKZ3+e@sqg2QhZl4*Fe%@|f~m3DhuDi=
zA+r|5-gLkPkV#y0B7`ko#zQs7g71sx=P1#+$ra|KnwP9bnslUDO21$4LcHp97f3%Y
zkbYd?Nq7HOf}{6kCre-3fwZNIF<)R>`m&m17J0f7-Q&?oq_>*@i8RId8$h~cU&L=x
zh_O{)!&tUK#zp(MuKfBMPuD2-$)n=*H6)iYB5N$#(~q{p+*;e_W{eUADuyouuf6g_
z=zg%YAF8;o;=x=`SAt7oxUGmX=64~@VWio`zOvpmFFLlNf4jRAJZaE^q^JSrGDs(F
zuvhY{J`oDwv(7Iv|5<>MK07))We;)kok(+EIQAe7=Q(-dd5*G2zNbCWeNDXBgDj=L
z`0$^c!I>mwz$I8U{!7KV8+*TM1GW~}=arO>#ht*qfz^cD2C>*a=R(~(MixjM%=cuu
zAC#skiV^O_j{Bi&SJR2mJ)$2z(BU%k<JIs-OmpG7bCTi1{ETUny3+9fcuZhZgC|0D
zf~d5ZFU!2g=US+v2NGkBge<Hq$S#BI#UhJKuu@=c!0h8)EwEN#_L#96SkNKY1x(HY
z89DLUEx>AljSja_WG<@ONZEyL)PGlk`-|u^nL`H%bXC>nN1!jQ8Nb&Nj_s)52ANl`
zPaM+bU3Vt9$HmqsYbL30E&|flmdL!n09YBY?ZD)_)w-WW%3K)jSGgXa`=Z!xHCOfZ
zEzp&^@<ixksM3C|;(3mYTdoDVMbHcKlU?m*Fj3_?fOP#xC-DOFw-g`90I+T6;p~UB
zx9a~9f5&)lpVu$&wExuQ-ZLVmExCNq^*<Hy2>H;36jlaoJFuYSjcYdk>Vc))d?NI!
z01NHwP}kb9Ulk;md6Hh(ErHD4;VM!A4DL1+Nwy(<H`1RY?WX(^5kS_a=$FZ8B8hd{
zGj+QhfP7cmiBO^BhfCUO0N7q&FoU`TllM352WI-BV5z{40JHn>RA2+ZjBkou7O=w(
zxl&+<Y;qGJR}1VQFdsfk+1JRrBgvP%5YbEYtOI{M&XQd#d|cu~n}L-BtHQd@=0mY!
zHGBvw*%&^bk4DKt@<Y(I_Kp*wMtqKr2hBFaan=DN7A9l-g3sWiq)=s?ib1glI_!Nt
z3)o&@b~}{<+XKvQr&?gU9CE9H^#ap5=sdcB?F5ElN?l@`Ex>jFv-{T$VB3M2c1(xd
zUg~>EQmT1RWV}JZbamL{KZ1eylyw^7SNn<3%Zvq`E{umAvc_AJ=)O&yN^c3sBvRt4
zob5e+=ZVmINn0d7toBDRhjh&e8*;8P-V3naZkkWoPtO1P?uwq@%UR%JVD|dTx!?j|
zcALr>;ap($`HP$v&H^SwuUuj)IXgTXnBDerjyThyPtFw21ZKCXoG(sy$jMpbsle=c
z$hqS*hn$>2o(#<1mU1513(Q^?Ih#BYn5l=fo19Zl1$IHW4I<-qk*7Dog-NnEJWt3^
zmN8)m(u`k&F+tLx9qyBM*dTMK^@;N&jzz|V0*qU~j@370o99=r{#y05q*ToJq3>;|
zv-LH#-w_!T@@4Fu3w>XU+1W6NN*k0ySM6GqO?2VHtyPQvs)3aWknib9aLrSzX>?0V
z&Q)&(FHLypb5)E9n}PQNx5uR(U<ZKNePb7}{lM&Y-Vbb_13L_?&xU15erKTH06UAe
z-yr)u+$X_WvP1TH){LCz3A&EP+$WLx=0eBTFGtqPWx&dSZ2|Tz$pd|H$UZvOs6+N{
zijti>>(Z0bFwljkdTmg*9l8%e_cR$>E5mK?Xe%`z$n^x>+Y)3zk(Ms-1lNq}7}+^u
zec}f9eX@-oW7jGVv-HfIA=4^kC4QHV&6~|%IT3P6hfw2ZWL%Hzi*YV8kl=nU_Q0-&
zPtn&7ear5_9vAIDWbLc`I9IQI+Y{WS@uwon&-$Qm@4b=z(>1PY6@sLl4ujVZ-WYtA
zOWMgg6aED3|GJ%IpK2L&dpo&CnIB%)tMMz+r`S&A?)#-`Lw6C;9>9k-$h_F?l%tzk
z>MOr3A-~5b<F8y|?*U+kf#t`TmpR%m*8_VWk8N++T2}h9p#1QC|99;t-xXN))!6N~
z4ZI+D_V()qRuAm|y8T*FzlmpIyoYXiSCOUK&#@j+d%*O~a@W6NHXmlCH^pi`wo`$p
z+}<TsEZ&HGlfE7qlZW&Pm2bFzdtx_Hks2rZp{sM_|4sX3!VKwWWBk7#Yg+bKdt6g{
zZ@JiLFLNx}u@RbzwDSFo@^8d$+jZczf_Ek4<SM}5W?<dGR!Ojr#2P#^v9HyQ{oU6l
z#v0_P>kxG9d+0={A?){<-wjz?GHzwL+R>IV7f>=@%{&MDqu;{0YkXGg3XWIBz%6{g
zz&;L@13L~`JJ!ndc5EH6Bak!W+A^rx3~T_{>ynQeLn8Z}*yEFZ&MfSJM?H$2n=JFN
zG}tISWFSxgu@54c6sJSwap(`Cyp`17DbE+UPlo*h$L@rlU!{Ao4nZ0-ZxVat0^14<
zQ<AVf&@HWHz<Yqt7hKKx7h%lLO>Tm{Bo?g(zaRYZ(PJ;hu};~?<ueM`mvj{|&cFs(
z=M^No@&Wm54=m;>U*8LTJ&)jbNTdBljf;-hmhb8Ma)RsWn5~>6b(6Ws#7XeiEhj=5
z_$>D4zP*|o+n-}j2D<>Vt&qJ?WYyXX`!;Lj8QY@p^F7fSgxu=SsB<%9yFP<X`QFf`
z&!|(rTeR&n=uABq^Ni1^GZ(UZK1HYW=X%KXLGCvRxQX=VSnVTG<i{~vhrYW5x~iYx
zT1?s7?C;FiYZkMH15eg))yVQN(v&03(s*;1$eg*zGjNjo=GcL?AlaQO97sEM+7~9P
z-=Zo#4|9v}VDE!|$bC)qd_wixB2WKGu0LqE4tG<iJ=yI!bW#DbF7O<~U;F542<mm$
zR_NURee4U$!a>CX^anokP&%<6@4gXx6;aV(f$A3rk+$F&^a}|%%I=QXr^XZYEK@Bv
z@SH0~@Y6dUv!P-p9R3)-ck?%Vj#(D0#$D?jMNz#<uLW9>e(O&;uUBzFX8c_Lg0~Yq
zF`Zm8kJ$oj2QYiQ+yQL61KSI%2bk!ROJYnvux-HP{e-&iamR493MM?Ci{0q5k0AQe
z&&RxKC-xQN`A}qR#(t^W{mt0(Up0S{KG6<+6MOOd$l>xu=F`RDb)0G&Ji>NQO^DSr
z&?DpPUg%1H9^<9xQg(H>VD7KR(nH{F`~~)&T;Qo#ruNV<7hRLsiXNk%!7NC2??nA&
zBS}3Xca?^33U$Pn_Lw;Z`Ta6_AEW@-Okj!N%O!HlfTaT)p%9G)flYN_Yk{RXuuZ@w
z12b(Y`nCb{0yAr8!FqvBbYS~{N%^qNsV<Q_M1AN^>Z->7$EoijDPSZXIrf*-`~oZ1
zH3{w?#coUtNPA+&1FVN<LUr{8hzI!I*h<McVte(hq9ttL+~jf`u=Awkhx@{2r0YgH
zQxEaK9$?#m<+2^Iii<ywX}>c;M$Z_XSv?aJ|C51k+ujqQ2gClSp7Rw)&#{#MVfE;q
z9J_ZEB~OK_V(7A7JrR0R^s0KIY&>V;Dh^jvx{~q_`5tCF<fVP&650i9H88u+Yys8=
z%<fw|fVDcXy}*JtO!`DWuzFxJPtkp%MA^3hx5p`ed${f@HmLS53imy>f0lbeyuQ~4
zT?N>r*z#-apM-Te+9eWWap(fwDrTd&?vLq5nAH8zlZgnQ6Meu0`DWs87xGT}&56+O
z@mcK7IeBEfk;5-Pbi`vsAhC~y3ClL5Et1c&FT+C)!kY+QKX_$^$2}Wqr%doBzZTi!
z5v&-P7uY0`#|86R^4-_jz@#7Oc@gZQ=0$Q&LT|9ja|Ds?gscy;3q%&%jvaDNLY>pP
z$%y8@up4m(>>ZG8g>2OjSyztsG>rP$vJa`BJxW69KLbd&4e7Q>Is`r13iC9cZ^Qz8
z$oi!Sd-72eXti^uY@c-z&L933Yc<gq%l0ypdD3Bf#8R=Be4n=)X|W}*E~%G%w|5(`
zN<ox9_@wjvB_592AODFD>_NJNNVhgRUBm}4TXEsITU0_AUiw8MI&UVvXX=%-@|*-c
zM9Mc2couMbze@);8<@R+%J+>Wy&aS99?x`O@;&5qV51}-T#|=;CwVF`wRRvT-%l2O
zCRR&d-AaAS@mbpiP5Y^5K9<Hj^Kk^a%AkKmSXacx@y~qJL{F`dR?3z21^6v=<%aux
zWc-fo@u(P5<mvOeUW?iDi;|@sI-#rUcPBzQQmz_L$`Z6g7CvqPz6bb6g5$YSr|k7|
zomK>AhlgXd&P{gRW_Igka{*hyYZ5!$oi5eJhoEEa>qB*0(=gux?w0bG#M51v?7GwF
z&X3aFhGe<WvF`ULLT^ReAhOS;&Wb1-<l-^J_hQDleA)Yq5ftYnyM7;QTMYS1-o42C
z@c!6&t2LjR(--My#y+<z_QV}edtzo@l<c}WcIM){cmt8;doyxYLi(W(*fL;$!e{Z*
z4KA$z*2}ZiPT8057=ie*W~6JYiYMVEE#?Rim+!Twymcb<T6k=a_>!s%&O`9bp+xi_
z#4PgsWcSmt2WdH;r25<u<g@M%k$p6&i+q=UEiii@o(QZRSXBQ9w%Q?=3#`o{C*R3$
z1(pQea^cph$A3X!6#~FEj{OFVJYEERGxyYU+HR!ThBO%BIDRh=&yRM3*9)H6GfII-
zAF#u~)S4al(nk*hOMUx9=!RkE?DS8cJH;K-uzAVl(3K9wv){qFJo@^2nSU`3VRT+I
z0>19L8*#QMY6r&kO+fZdnd0OxdD5_xfD>4-1iCMD%O!Q#h&<Zf#d{M3z$N3tR$yCz
zbqH`>__-T$xm8C140m}l-07nYc`{CRL$n|1jw4<Auyt4aUPYcBm#f*c15ZGD@f2{6
zYrdxs51{wE7I^wybzoM3mk(Ypcyqv;170?G%fY)brp*eI-PH+kQdJ_Ael{!bU0C<0
z6QO@e-Bh1}-`k(Ts6Hc$%Ik(cgTXvT+ISCi<i3Y@bA)3M&Jqnd*TXi((VLYq%bTAp
zF=hM=JWu-biO{)WU5<VjS>ws*{z^<$dC7$_am-0#;+T<3J-U#0=OM)DPtQBw)1Tz}
zAf~c{<Syts09{>w!Fd|#z}JVL6Gh_ke2FK<?@OR5*3$>q2Fc<DY<BF%>~k-6-F^k1
zeHBjoYuSr)A5e>;ID7=qa`W^_&A)<h=K2pXZ~JtAl=`{bW5=@anZ{n|>m0zlF;GR!
zUsH;t2jEP78tOJ*DwHKB4D{OlFl2inds=kfj`be*fcp~M7sOufsiQ*DR<mcpz8~Q{
z<+Zqh-wwM^zbU~z``TCoobL1MpleI<VCX5Rl1uIX0?V2|7&<1tpq}w6KUB|nBV(It
zKi5;bXJ9W4GCHEnlk+g)Cx3Ww8+r1l=iA4jzaPKB@ek3Dup9nfM7sM|FuO!z6;;x}
zPP+vAExy6fB&Tez%k_*+R`!SFJtaG?!TTWS!|UbjsC}=h&@(XForWx;HmlSQLl)9+
zMEZh7c#j0r+n>o|uZz!Qmts340Xk$84%6IlwdbhwqWhuaVCi6ZJQKZ#f%OBc2<yc>
zYQ3E4=b3o)YdI5N?)uG8weUEJ&FPn7zQ1HJ^kaOMOX`~oYzMGg1%U0>%eh*f(^t<#
z@)0au*Ep)H_tT1zWG&JkLwfnm2kl4KNbJIy3j1>o`elELyDjzrr4+)&t$ol}wiNGO
z5PebYiZeHC)tqGa>_{8WNfv(|g9%LebrHJ{<Igx^Il{FhX6(sL&V{Zr=sI#e-t{1z
zZ}`69u1t*OyznC=?S`JI%kd5lX)~<Xc+Mdb!_@qaF)T|~I58fTW+!9pVo!h?sp~Q5
z-3PrN;<GLve1YSIW8RKAE6xeVP%E2w;uE=-VZ5##4BaNWaH;wOI|%IJ(EvWB{%#y(
zbZ#XVL3b*Wc0<qJX849u4A=a&IyPZ>aWC)XDQ_7Jy(K)f^BRoI<*r|kR^1lfAoc8r
z%*58gP^ZYC92;c5GQ{Vxiiqk%dC7Qe9)*-4`P9piA9VeOy4K5C346bewZ<$=#`a>=
zsxwE<G+_OTf}lW{`iKqJLH9xE9xJ+WrQvTguzp~R1b`@?zaS~j{h^DY%4*^y>Gwc(
z{0h8NMr3gbb^w?U*!2q0*Z{E2z{U`h{+D<Ko}U1FS1{zWUe;IkHMgAAa6Z$-b6uPk
ziwa;eC`tb-g}%&{gP}F?^ogD7qti-Tbs}9C(oJQ2vX?{6Eu|a>k!kd^yz8Ph>3Z&m
zuGX9JP8TTyF0sd9U|DT=4~;_fm?!~k;;O+=74u}DpD(co+YI(|M1^u5;4}n{OvFh9
zUHe$0Vz=bsgTC3f42F&}5Aoq@U}?7whWvs_-C;O6KP$Fx2d^HyCCoo|tamkN9|{Ng
z1?r>>JRyugUl#QBLEq}t@T0IkILdlC7sY3aD#jOKF4;RY#$#s^$*u8NP!!yT*oDtJ
zeqvUk_N=&Di%~H*85^sNrSp>U9X>r+>h?$abx42fXHKvCdMDELA)V7sV#BTAjlX>;
zPyA*VcxB*y5Z#86=W3YNah``~5(%!sm`$k9m8D#T^}-#4A^E){=?nHTAQBhn>h*M2
z!m#r*@rQEg+kDqx=rnwmD;<BWz_tQg$?|q$g%RG*@bo0PKDMs}3zAj+k><!6#scvn
z%&v_O?E)`z?O^D3*;sOvIWkXLpv&Cja$gbKhb82ym^=PzoL9Rywyo2_+XkNec9zZy
z&w1_V2qJqOMF_?+9u4g+{Jz?1=n8h?{bEohm$YRUurccgL-HG3G3x?t{N7C=4y7%O
zsUHKA^sNKXWo^LwpN7??+EShMQBO68mR9Z8OWCGop?voZhHeb&Q)?{cXUaDU!)3$V
zJ;ilAX5k8xk3d%&bZzg#+%pL`aoddR((cjjuGnpcD15}Tb+qd`PtWK8K4g2kN8b!8
z_hr0yZ%M$XYk*uw#C0t`V7WWmM_>`?65Izt^P$3Z7e34buo!d>fCZp=xGx8lJeGpG
zvTPb$tw0I@RDntgR}DUh3O@nezQJsa+nX>Rhv#}228YZ$RK0WYT`!k>rE6%D6ePF8
zY&)UL!u!c?8#&a5>e-?46*V_fGtdoKuYVEi^#z_o_`>RdD<IR-6#(Y|%mtVWuo7VG
zqtx>C0p+7J=U~6+vBA(CvRM?X?NlFN+qJt~&&I5So^#4O>1IDU7@82a2O>KAlNx^_
z{+=senOPB2S6=c&6h+=^*NgX^or%vnZs(jlatU65fm`7p27f2`pR@CQ5&oDQ%X%7o
zgwsg+wg`VJ_<i7?ZRcMb;TMDdD){P5wwiY%|M?MqJ@`_-^X=)&Bm7SAcY}{9TO|M1
z2!9*+{or3@=hsB|d%-^pe!TJ>2LFBVC)m?3j-(%h$<smb&$9E&BK)b~zYBi3o$vaR
z5)k_qgMSa+cUKt2&kghI!T&Gt7e?`m!u(Fr5B^8uXvTi-50gc}3uqho&ukwIy=PCK
zx5n){pj4<f?t{$D&kXAG>|q_hOfWhIz@LP7?X9%y$nSJxMtOsgk@p+6KxV%SLPiJj
zalh(P8A)B`O1Q;WtlqLR>Y+ET@>*x=cdg*L7<lqG>L-JtS<sRAy>laa3ZN$~qNg2s
zjo*oPF52^Q|5OP`KHcDNe-7^i#OH8XZj98o7yMn|$Mczf@c#flwt^z*8zbqhxp*cv
z4BrdB`{(h~XMum(F#K}xKR*n=9sJqD@VmiZ2)-I`O<TB=RC|hjdL?~t{POindhkE7
z*WdMzNIT}Ee9z<EqEUQpU@tH)_^ZJGpD6wZ+JL~M47re*i}xv>VV5b5*ti<}EbwIv
z4Ywiu>2`=n`nBNKf*&s~Z2|v!@W<QJFO2Bl1%Ame=?{Wm0De3lNJPPwfsaR{k@5v1
z`X_^51O8Mye|dzT3x4x3`B#H4^+PX+=)W$Kel7Snfd9Ci@9I_p(vRf*LofegFmxQB
z6PwS8=+OOkKm<i@6XYJodotyF6p3XvIqAD+DVI_0bp-i6jQ429%da1L&cpjOe=hl*
z9j(Xpj4rq2my~E(KY^S)`%O%A$n{3#(jm7DaZ|~?kLYatSYj9DywK5!z`1KoNPidI
zE>o*@iLdlP=9H81jyHS`>uHMc`@o+9KB^eu+k9;R`~}0LPbtDz3c!yy#-xMa2!6aV
z#0P#Y_>1lNyYwI{<qv}YF!&eR`8Hqc0)H#`8|-}7-Kv7B{@|bH3B?`b`@la1{PXPT
zuaDSgfa&A))s%TyD<gf}`h!0a{8R1v7ew^?m_8mq2!0~cpKecI5=q|${&CblUiu#J
z2ZrJIfq!rq{s8#<hvBDS;jniYemeNQ;Kv(peBi$cemwgI!QTh|MfUpJ<}h90_k$mA
z4%GwxYv5mKPjB;|KJX6=lYRjFSBK%J%-8jcmw!6=PY;vc2mY2}_(AX=0RMb@`E7H+
zF7P*lAFqG)d`kMhPf0)UDd|%d=={go%U2xnPkDFohGEL*1AiU(Y9G(UFg?Xnu{Q{Q
z+c5kt@Fjl4OWy;2*)aS*@C%0F4}hOJ3_k^v)3jmu@^0qTVfa4qlZN33!9Ru=Kh|zv
zn|->#KQs)#2mJlR@cY2u1O82R{jPe|fD%6kz@LEf#akoDm!zeB@%ZWBp9X%s{^tYV
zI}ASv{)NNvyTG4048I5btHAfz>sJ`@&pz;{4#OV+U+O>2p1v-UKIIzS{-3w=t0Vk$
z@TVhvy!hn<f4K4m!H-uynNutqqs!Nb&xw1nYi9b8%oS|q*a1D|C`Y_<%DcR87^a-Z
zz+VY|yf~LyqWfVyJ7<Ew1nJ}P<(=WV;9qaIqf0NA#Sh!SzYF|pqxgE#Ec{L2?*u=d
zop*r02mDNX`j$vL?FV1Rk$B}h2EL2~@%X8WbpF%q`fYxa3I5ASAJ6_};14&>wShle
z`8I(+T={l@FZMabUOwAi!+!9e0w2|k_>fBrh<%SS{~SAC79_YAerl<nr^M^$@=o_<
zSU1KS$I8I31pmpXb?sx}b!{8??_*tdmpy;iZK?pO{lPEBx@%n&e@&Rb1N`ma$McW<
z;P-+bZytIK{G;GU?E|=OQu@78e<YN5@T;@Iwm#@?jjSVPL*@yrH@+KH#>c~DTn2tR
z))@=29trnjcTsrlx*Gg)tRLd>H-q1WbwhJh`i5}&o#4Ow;$Y~FsQmYZ^FILo<~@V@
zeK4jDE<M>08y}bS!|*3AK`g|&tRhPPvatTy;LEzLC5o>%7exOu@Sg)e5XFz=zZ(2R
z{O&+J{$}utz`r3Xy`Joe{+-}&1b<}|U$>#~4}kwZ`0;$`IQS*6#7{r*i&%?*A20oE
z@Kf-639-s2u{;f(b1C@W!{@}5aS<PoSpKLoqguE6Aon)po)o!HQljO)rRAhP+mPS&
z_&tVM_#F19pyqo4ZGxUw@bmCFahFYxD=XY)1JLmRWa9Oklrp><9Q=0Z2<PFtHJm;j
zeAlak`ki=TpPCcq`@p{t{KlyCI&exIg5b9e!|wurH~0uow*2)1OVam%{|Wf(qxkE>
z`S*cei{GkP6V+#K5BHe?@b}`kE8^)-kpT(6VS#0`E&s?KW;*y6f<G^cKR2Ae5Bw$I
zW0_$~pC9H2!M_Xq-$cd5y(%txk)#X!nfv&R*4S74<xQo+5}ECgIRcrT_#AE{k$GCn
zi0^F~kNt$-4Tipq&xt!R${AgH&t#QIiao8R=p&E=iO9J0rm*Na3_X)yA5`!DN?dEx
zBl&HN<Tw6v_)Q1M{TOKy>l|`Fh{(-`+|=I>h8_^Pg$}t+EhpvLgaSPXxmdm~{2k!;
zfIl6d!*y$jq~8zzFTkH_=X1|W>LtHf_$v6aub3z=Of&XDz1(i)F3LXMFTvjUt&+o0
z?e*vIIF<!|`&)yd>+Jcs^rpF#vmE^Az~2zXzgrd53#=XdsR!b>x0E$_8rlIe5@!=H
zx0O}5rK*+WwHLZF|A5~^!RK&&T=%KGgnt<PZQy@9ivMt!KV})mtGDCVWh(fMarjcs
z)YG9K{PSU}#K$m^wcGSeWin;cR_OUIe(we0HzMP@CR~n<;P(&1-wyt1@5GL~6QOb+
z_~qc=8Kr-9SpO05e*yj!JHJA)Rr$uFG53H!)6VA}o77Vt5+4A+1|Jh&N{-Y)`h*@H
zm7ZnLGvVF%KD-+Ibnw4v&xf5#>aiL8?}8t%oIAnq0YBZIp3erPoLf=OUhtLQe8E;u
zo8O3BALPdT5iw8t!sl#q(ig6d^o6OI%uhQQzdps_=Yk)vJo3AjrQpk)FR^!Y#BRDg
zE2RabJo0;(PeD%3d?jwR$%%cB>UI)2`JK!T{4UUL(YL`Nw=>e72T`uc@5L{7q94B-
z0{)dzeLOSV$0vhdc4#nkGx7=hw5wTVAnlY3eh>KZ>Mid~=>=c4!$&7YblBQK^mIbc
zn7_oIPi+Ig9Q=6xuowIq@Z*(Z2g<RM`V()BUykwR=pT@qfii{bYkOui6a3e~ztzrn
zspeCDUkd*8_v4Szt>AZq|7cYD&0%|P1pnN>;&-;9_&Rudfo%uB5&TtlzW9c1AACP#
zc0s1nF5}V<9mLkhz#n;dFw_vm*BkA^PpyEjf*&t^Cio8wlfDf6gW!KPO1~c9M1LFj
zOFoDni#LJ)CiwBv?*PB}!}#g<gWm`KsrLMB`_#w4-xY`NMVeGpd<Xc?B;dv#$G;be
z2eTnlgx}%XY0ty;Bh`-5Khw^_@2-IVU(k_w=BQ{r--+m13q8&M6MGIKw%P*zHt_F=
z%IB7_zw82k41NbJ9{(Wtm7&47dku+Ih_&EfWY=%olb#IzR`BD^33I`JEl&Cr=&S~R
zAAa9T*4A>V_6N2H*kuA3`?jhoDgGw#-vNJ_-Trv7qew{l9pIn!g<<wTz`q3iX?Fd#
z{flGZ%WrC(Y3JL{N~BifndLD2Oz>xef3`in?JPtY_?Lr^RZpaTwteI_@TY>08DNB8
zXsbW?6NcgM0RNuB!O*=?_UQ=QXFvEy(Iyw#_1m5k90MP}4i}f7ibd(xsqxE~3H}4%
zx7qc(^ahl)PZ{_xBY*iliE#V6lijBM+Q9#b3+*3O{+Z$OZvuaxI~1B5#m`oJFI4UT
z|C7W}=;TD3ei^UbiOPr~a{w|2lkodfb{!&9snjSxvM`C6IvV@ME}I^AeRw_M1^;&J
zCqHPfhZ?us8>BK)*IdXP85;_{kI&({y8fifF&R+$B+P+RLLoPFBxc}0<L_F}KP5Af
zD}&sFr-njJBOtffCMRVMj0o#%hupiVp->^poH)lOr}bSa`lMV3P_D!?L!kzH{oS=;
z8y^S11i#DoL=^wgFn{85?6sd23e7_n;WE4Dsy3AJCY=lY_+7mYDTlmR!PHC2yIPr0
z&1cdfS9xA2bOL%3e`1r9vmgUXos#QBewi2G_syW&u1lXx5fHY<-*(7tx-b-e&+m{k
z@#=em<~_O1u?~=_^T5ZUrx$vp`sTvj*c{mZi}$+kPP86P#797*YewLO#BU_<u4%-b
zF6#jo@2<V5Bf)ye@X9a#YJ&Ad%)2pXA;ncA=3A9IrRRzf_as=2BUV_CP#y?$-7w;&
zus+Fs%z2Q{7*Sy@nW9Q_Qq714>uV;9730<=Sl{Q}N!O1ESoauh8Aw-f>z@<wtFSu9
zG2=nc8L`mH)tZv8Ip+GvZEa*Vldc+(XDy8_I<}(Hvi_KG-bR=89oBrzM2JosalN%j
zYa4ybj2|ReM@&(qVn2zKv9ll(F0H_NG-2XLE-NHSzT-+;@3z*t&ruaFcvG-HC5+gg
zsLlSUYs5#1)@xFZgRT)9Mp#d|@$tv*5#JeMbx374C63rN!rCey|0{9Ce~+*}OzcE6
z!<gf8ehUxW>OMB|rP0>gqagq=Wzw~l^_7GXcw^0r2_J(m*k$kG!|&W9`V+0k63Y}e
zaUrU29d%#SJqpq1qMwYi21i`9Z<O`SC^e25C;AWlj|Ki?f&W<GKNk3p1^$0#fqt1l
z;p!&UcUbHE5(68q1*A(!Ye;V+-AMX<(%q!LC4HOpebVEkp50piWYWt?OGs}ZT}!%-
zbR+4bq(3D61?j7#Z<79r^zWpfkdAy&=Rc10Jksf;IizKzb)+ju?;(AJ^!ubgBYlPR
z4bnf89wklOqw_z7^gPm;q<N%ENNY%&NpB;)hx8HB?~(2#-A{Uybks{a-;+ttAvNv(
zzonN^PcCU0X$@&B>6b|#AbpZ_2k9Qt*Gb<aO?X+C`*hMTkj^13B3(jSL0V7xS?hHx
z<u{OalRiuO3hCRVACUfwblfYtoEMN@O?nM!HR&y+&T?%a{%z9jq%S(;f5-bjk{%&F
zd9TiY5@{xBKB<q?PwLFy+^4NRPkp?nTI)MVdbmX2TZ=RuPx^AHzQ6p7nszMKbR+M_
zm+5<>zn}VxzNGPL(k{|1q&rCaNDq=8BOS9$r}vT?{abI-<xdG{{!-GCuj~8FuV`xI
zvsj+FRT>YH9w^fHljTP_aZS8l)2XDhNjFn|8Sm>!SCe)cInwV^ekbqul0Gp{>t9J~
z%2&qnT~(?1n@D$&j$S`}`HHFEl<zpx#Vg-7%A4|yW_fFAk4)0L@^!wZoI#dzS%t<s
zNK13{{n~pzTRC?zT|LY3Y2|#4^2Uydc{-nc>cxPjba+O>@~tk{{3l2Uvi1Gfz8t%J
zuTjov$9U!Ir~EdD9ZmWA=jeQTNKFa5S-!OwX#UHjmwZ9r->^EmeAAiFZ07T6<;$Y{
zX3EDa-_{JB&*5}UP5E}PeC9qLok;ytNk41(Iw}8Y<%^eZ-)AhJN#FObuAhlV2Ja{C
ztnWY^Jn4^Gk5fK14xSbV&m``wM*(qDzB0#s7vtRnV{|$CNDHpe_wTl9dWiAwv$o4o
z%74~&*>}0l=K%9H<;^;*ai@KJ#7%w8-kXyq5is~Ej{A#wkEiVFDpLm~EDNUt)RlO@
z&i@SFr?=?wLGAYgGtVOMNKjpw<jcOPT!#OT!BCUj%kMGEh5aIRrQ`9TTq8BH`pCyq
zSan^9y-vCCG+AAE#H=nHyNJ3dhJz5gd{kq}@9@fn<0tAGMS41EfqKY^@7VEPelJfh
zQ|_K~^*xKJ-*pM-U)WyO94$J?`$IHji1(&k1H4~K{>Qvm@9U+a|1U`|`+>6z9rT9>
zNS`2mmUK7i>!k0I9wi-liPm@;=@imSNavC+A*~@@N!mgB0O=E?&ywyYeVz0@(xap!
zFJ=CuQ%El%olClew1#vgX$R>8q)(7OOS+r%b<+1pkCKkeWd5X6NG~CsOS*)#hIA!q
z2k8T(Pmn%Kx|{TMQfK=)?+@Ln`-c<1;&IbsqB(86&56Sgl3y5yUq}9A@=Y9y&IQl7
z;_!|9CtGy+%)Lo(O1&UXdei?(<M0!yXj~k=iBn~9_$F>u#NnH`QWJ-7;!IN<{*5f3
zI}X2*{FUSzyBNBXA8wDsUq$|x<M5lwzdKI;CN6$0PI?o^ABvM+J)=S%kHz7eap=2o
z`0BYY(mx%CKbGb9#^K9zb-8{Php(PHgTI@6C2ac-M`hL37bm?sHvx$^;_%J5^mZKm
zpQHW{;-o)~{G)OBr<1RLK#?~#lFH9xo`~JQ%s75(96pX_{GVKDZ|eLrNG~OwM_NgG
zJLyBD&yc=I`Zno5NXNXT^<F@lMcPK%Me2+z&Px52^G1mWcuHseo%a$yX5;Uu?fxp<
z|BLq$AI`;}>!2=&++Tpd{G6Q2y=nOi7JuHGIW1#ax)aFoPEXIsOrJF)1HzwjxpBZP
zQ>%}XbXzWq+Y1idZE;%bz!SssGdshL*_xS`MdKqaGk=T5M_Fc`6OAX~J85=Ae|B3Z
zS!Uj4=eqHu;%0spjVD`Xo*Iphv4Wg;MB^u0{V~Qzx8<?S{5D#CtmWmrHyTf|syXkD
z#>ZJH>W9qiDBgEqonraa%VM4Qsg{{X+c|E`QqBB18vmS?#d&o!ewr0)-sZMWxBBiF
zI?lUg_R9Hjw4O7p{uuKDw>80P|4J-9X7(S^BK;@P`g<sX=ua}f#lj^nyJVHospV#B
zVoAJ9kRQ{#OXpk80b2S@EIo2=TlAzm_TfdJ;N=cHpSW}19!Fr2?*wZb>ucgcy~2mK
z%h##LJO{w7x*oy*3D(f|eGYi6^1l=Ze=QFF-%9^jE1mvn#;?D}k^g5Ld@v4v5-Kis
z>nn!<t`1GCvx%2iXu!-1^MJ>yS25*-YqY$X2iC=rZ;gZB5(jUOgX0WG%<|j^T<R5+
z2Evu52@ZV3#&^fT<+tY(tg%-2PjtYo#=Tr06E7#8rBKTn3$a-CISsg!r}r0HQ2o{v
zKFYRLEcxlc6VN-tae)2e>NxUwaq#(Za2Y3J<$E1)DQC(FUC!ULUTtyY+l_ppHcT$<
z^Kcw_nYP5r_j_^hr;YxLv|{znT$JhOz@=UK_u&JsEcHLW%YfTh`sLl|%Klwik9ub+
z(!2v);y^#+fRB3KBcAmV<00$yzQN^(mE<D+p~0Ug&WZm282rc4_)&xZFdF~F;NOYH
z2MyjGjmt13<<Hs_jgK^VS2RA_;OnAs5Aj~wf$nBa1Rl$t=K~jeT3fUMZqwGV<d~k|
z?Znl4Ou@U7c=?aCyn1gWa367Bug3q3ddjt&c>k*!SMRk0z5=+kd-?CQU^nIO1RkrL
z^1d{YxAtp6Q?JK~Cpz%wh$lJl-xD9>z;Oyp)px?*bU6!E=`CxJcop%5#K)ijVxPzV
zrRCovK7;tZ$2G2gR~ft#;)@40Zq|2q5Z^RX*DIZRx{2>0Zq8Tj0v^jgeQ|JOx70Ud
z+iju)H+J(naAUX04*Z=s`F;Rg#oM=azB1RA%akYWK<x5Nb>OBv=?>hKXQl(6fQi0}
zC(QR^ovn2ZaqoZYeCHDXD)DyWdBppS9^z))8Ht5}==b((J-L*hL%f~%HN@{E-cNi6
z@t+wz61Z>~d^9#5M1MJPGr!6w-tCZIL%g53@t>a(_j3Q<l>Y;xpZFJ8o(#k})n3Gn
zo;KjI{LQql#d)=}eYe`yRg#72r`sI3Y2O|PZrXRd1HZ?VQvx_H(;r_YeiGMfx|hlM
zXI-z+4*V11$qqaP8zaj8f7SZ0R=ME)Uc|HhqH)t7JBhawH|_ow@qPzB2^%Y-Ka1rr
zq5d0)Tg<nNxO`1YwF_~h{{rx1waWx-xF=ZStl}8!mss*?YJ-00`sfO!XXrXb-g#|d
zp6p!jEGF(;AJr;7L)S0212=mxtg0ekje~CielFszd5(jTKwUp4Zk~G=68}B$NwO+w
zJ5M3TpARejCtK!uxH{Vni9$GVtny67y7v_1+xL)GjP9eZnZ(U={yT_YM|{c*?I%Ab
zzLI$N&$MUyiQffW%4wb>!&2({D&@_&gHwtB9JtuQJl8V&Xzx&dw)zsAWu33H$Gcjz
zd|$E#%nI-#;8L%2^~2lvE)qM;r3z<eHc||HoNZl+?xU`9>iJ2w)^C>atAI;6H}iR#
z$@goN_cG9$eYEco@8ZB1p#B$#zj>$DU&wlmK*go}UEkCNZ)br{B_8}(E5I<Mu1Ubf
z&gQvi3h|kg&w4@YG5d14#8V2i;GL9T0$l3#I_ou#cq{Rl%X9%veCQy)z^`%jeHo;A
zjCg;A#;>Oy`Kq>Rmqi*d`+$2XZ_a@jfA~9bbB^Ql)H4blMA?USFm^tdc;#g}-wl*6
zBHj_uxcXiVc+JG+J&1Bm(!}Z{-phW0;Zj{2iKh@p@zk}Mc(7UPSKl`Q=MAH$T+121
zIt*OeYk<$UyER+A$Xx0bJX`Bg@5TUcG8$Cc#hl-{mhzVa7d_^DkLh3Yfs39ePS<+w
zqWq1-2ghstNlmOv@t`zTe0YfYn&<y0wz_r@AD};&w7;W%Z>5$qcKZwEUDxXj&2!n2
za4;!n|DUzIdG0uYcv`BKU#HpDRN~!xG>}0&n|S#Tw4c94yok7Op4Kykcr9?T=T4T#
z)awq)2dV!;%72}>Ilplc@$V4tWyigl_$$P_j%naY;%^xJ4CDxF>iRozd7r0T#;;C>
zVZ}b5FyMVpv#s-qCydhdGV`k|h+Cty9o(8&i;4H&r4`&mJvByts@B79Y28n}r&kMB
zQvQ3yJMy$V24i*o3U~_k$AVm!QQX=``5+ra{YEdC?+`cVh~&H3a=Fm)rCrQ<9@F1b
zfr}ly#ahm^V;b?44>fMauWagBda5p`?BB_Cz0u>4Zzg`qHCq1LTHLyic+ZU*pUZN-
zNPOKSjaN|qF!A0WYQaUs{{dXpYpIssKzu9$m*D2yk7@U5z@@(BjN9s6@<=nAcsu>X
z#JwfNzn!4<&(g%IB<`!x8FJXR))4QaU){j+JPKUmN$M?nUeQf_J8&uI#A>ZLhxl)(
zXMp=KMa18v{3#o?d>iqPjXVuw;=>p;kkt2-<yzkKyBWkScC7nYuN>mNDca6gQhyn7
zbIxfe@w<rkGtQg-`ylad#&a{CK1RH}Lo0Zm?fw+;EXup7|5@S|@so(}B<^DXdz|He
z(dhZ5R;=Fbk2Jp}-d&&-OroCmiC12&6)Yh>4g)&6(vWM4!m*F{Ma^1CiCM&p^R=E?
z#9z&{EHC=6bHBX=^3v|lUaRGe-Ii02ypKk%YE7(W;^thNeAiK~9_o3zLhCVQei8UM
zS#NUR*x3Jd>dE5xj^RUH{ltAs_5B@MopqS{Q>!#Ejq)x`FvPFAf35-JZ>JFNdqm?V
zUoY|g3XNY(J=1_sLOIR(FEd_b0~h;zSg!MJr2Jy)X@5_*uX>j}c$LI=ovY;ol<!bD
zZ*1g2%A0eyW*+_maj(N~Um@P*sP8+#rJSoB<J}3$_d4Q9YAWLo`{`<yDeG#DcgahL
zag`Fki1K~O8i%{8YYy?mQ*?b_CVnk(dEcX4Yc;XzOunyZz}UY9xRk%xQT`2-57G|F
z)bjxG-gh;SMErZit$tlj_1gmA{fKzieOk~*`CY_QSkXTae}i~dr3Q>&eMH=xt8JnD
zDQD=oYR=0+OkI<JOTCilKPK*F0T;jRqJ9%k7Atuswvn5tXIF)`vl&P3R(foL{P?Xn
z_z$UP!pT~XnWyzB`ID`q7iheldOjrn?l~HNgZRm6K8gMLZVjBJ&262ha0=PTC2{a#
z>IuH1h5yDh*AXwT)PQN<R^ol%(D+M~zZ<yNxrFs9C;p_8=Z%f*q@J$Rbip|cSib^3
z4so)*LywQ`O!F7Y-<qQB!0u;RXX<t|&v{enpd*N<Y|#qLW7-MC&3VgjQ-2<CDSweX
z_`r2O@oLJa&)2|B#2XFHj%DK8YTy#b%(+)gOVsss$}eF1nsH$p@qWeuGr#&7@$%=i
zeLi6OzC_%5O#?R)KXjG0L&_sMzcS{#-{_GCdAM>Y|32}qceS7?|38VhoTTmWiDp}8
zPt^LK@@Sml$-07g7v~9PKDmf^&qG>)@t-ddFOvsSxE|GP>t5n1l^QVp{aXsBkc~VI
zT-s|2+sll1ebh6dSnHp`G=C-T<NOxpQrEwToAcXWCVtvky1w1?a})Qb0GE8t_b5#J
zE+oF)v0l4@da|z7ikqo_1#sC9S;zUjvCrL<_Z4bEvwqn^JcS)DgL-~Oyi2`k1&=p~
zzeL=ega3^-hxMVtDP$uqY%EB<%z1Yc-@L%p_&%tGM>EYulsD(j#}dy2KF)Q9<ved#
zLOodw{HDH@#JykC3h2I8tC8QK@hhqSZsN}N-9p@aPoRbJKPNtVvNpgv;(sFECoh-5
zwTAdn;9`euj&U&M9BqfbceUUh>__r?f3Z(HJDl;`^Qhlqg^b;%Qhxdwx;!hH?;PSg
z9P`h5;1W;FxqD;hJ19SJR4aIp<++!*`98;8)c+W8sh4y9wuAD%GqnQsTTe){i+KM6
zUCv7CIY|8BT#cJJHb}hO(Y|B7+CEu~C#FAMNW90T^EGz60=SfOyI<=!<MlGiH;mSJ
z(9+lK#J%jN7Zd*qaMANB*QZm7e;c^0zjip*U(W)UcJvl$K@*2x11@?Faeh^x+1C5S
z7jRxNjX0DmJx_BSJWl*f;z1f%{eBa8=Misbzy6Ijhm{Fj@}2S}U0*#KTGlm`_dc%`
zo49lX@qw`kiec>823+*i)1Gikb=^<-6vl1SAHSz?3fai+IQW~?)4x><Phpw?;_|*t
zxlYo=IstqV;zK#dca!fK=jw81jnVZr<xB@I?b7#jg3@5(;e}?MGC|}2qW;T_{4xzJ
zCZ0pQ{9_H6@oo`uFE?_QQ{E38TSh~!uTnmJk7k)T{3P-I4>WG<|E$7?sIguKF72|h
z%%zxSTzH3i%=fFl$)xYi6FUq&w>A=vq2luqEy!+Zok~1woVJg7oO3qu{cfFauO`+-
zz@<Fqdwdr$-)!KreoWzWThm@;)YI!2r&@`(bKEy}mTg!m=RlQK%xxNL8*s_@jIZm0
zWHR61Qr>r;28^D5;yooAH}T;g#E;f%Jts54<jFeUbe6~T>#4*CxSskG^UVY<@xgq*
zF_ri{CC?ihsiK~sqnttFy_H(n`2U^2ReyAhFOO2b=K(F>$UMGJ{1l(AR|E0aiOcV?
z$YtvFKg8P|el8PQ)sGzU_H^Ru>_Bg8cd;fDx9-*Ysm{tEUY@6MY&WT^(8x2MBoe=l
zc-MLjoJ0K$#C=peg7RyCi~Wz?iU!4%PW)?>H{UC5pq@U3Q^-dCLiu*~3)7beiT8)J
z@D`>y8G%de<H^!?zJYi;@vOgSU={PdT;UY5k@=Jlay&A2SPER)-F&as^si>h_vdLP
z#-1C9m%pp=&ohs25U*LK%PH@~lIwZm>!xe`VGUdRflI#S+*dUH<zvcQw2zsGBwwKI
z5OmCE&Lln~N$WqEcDR_hm+fA`eDjF+{9FSgh%X{uP@?sGn|K>>%Q5~wKs;rU7Q`}8
zT~842ZPoX?Sf1U)`yKJ&E#kqAT2TGAHIlwh+}Ek~n0du9;scI&J~mC;CyN8irObCC
zaItd=pZlDv)mfJkKhFI<Gak(+ZoV&Q=G%?b-^+ZB|J+7-^L^%Pss9_4H{V;_Nc?BS
z`+lqo=qLUX^&DXQxrz8Yz-69kzBidne1Ljh=6Z_V*g6Xisp=ch?Z_}>%>pj{$XBTq
zBvDTh@tLEvyqO191DF2Zwo3Q+Zpyb%zLyofoA_-?eyo-BN3F+{vy<}PyLEjhv0c7u
z^w1BDJs$xs<#+DGJV*JgTXcrFRoC0ZUzdZOxE@#k<Gerd?%!%)*C<U#qN9l&%17ve
z<WPPBaql(_<ZE@-#lWRJ&gbm8N}h>rq>S>LtF!{+KQ~i<|I=F7oFDrNaIteA&ogYL
zu7@dqfX@Mqf9^1PW@!B!maNyPr~78zUggyDC(5UDBkEk*|DV96Ugmq_Chnb#4^kfU
z-T^bto(o*;Hc+4yn|fVEJY}uMO*<A7?{~=G09^8I<a+!JmUA`bt!@pNxb!vRHOqB<
z)q58q@;veOd@Vmo6TDkfm$R!_16=l49|4zqU7W|7b?a-G*hsysTrCeVbtO+FK3CtH
z_&<fXm-AjGv!)Su#`!#jQ>l$y8wanao_@}Y%zjQA@g6>3GwaPe<LG$+xYXCYcj9#B
z{d?-!>DBfO5I;&hg<nv9i+(cd3)&9l+cltm!yIW&1ulMKzUOcJWD4bj?AKoEPbY5P
z2Vv$9OBGHb8wparhyC;;^6n;X-iKiH{D8RcpccHxt?3Tp-e2kRoAGg%!fhGy;~Pf4
zPy=I#{~fq`UUN{}4TrSUHFg^9<Cs^UPCVG7<-SEdpC@kKJ7LQIMdCh=?<U_0;{BW-
zGK^U(fJ^%haG%Z0qwb~r>I-!_*RUOT0GIt+FZZ>4EYGWyZ|A(oj0=Ax?&UasKjmFm
z$V<NC9s7G{5jXEaG5vZ5@mIM{H+TVY^F9g>^)Cl5{js0xWt!PqLEJl8SE!2Z+hOGQ
zXaxvs>iVXU=Y;ER;*SEC@zlJZAend%<$L#P{bpR=Nj!al7Bu7IFR9184<Lnl-T*H4
zG4C@$cu|)N4K4NReqP^?XS<wA-1nizPtwFXpLlzM7OW&bi+FFR23{pT&**W)!{x-^
zo~iu--CSKA3g?ZDd@~OI4D}4q4^2Gz(V0@Oq2K>{f%4`(DIM%KC*tT&!Gc}IE3P-q
zKErh2Dn8$*3wa95dNuKsn>3I_e^>@w_BoyBF=~xG_Y;hrZz1mO({?udZ1(~eKS|?!
zW-Rl4nDV`=G|)!;r^MU1PPvo#JH*Q!@#Gls%g1TMyiEDA({+8#`&*u%pUhV{g>0mp
z^6gxQewDmih@1DX<Pq-zE_OEW!7=^rN0bjft21O6wO%0ZmDh~o;^RYWA93GHTCwSO
ze<i-$F`rCE$2modM*V*la4C;@?~N(XOeKG^<$Y3%^EjjBBi{9a#?jr>^(Epx8}vQR
zZPgMt?{VU`vbCQ00?warrJk+Cv({?B%tM|d-tCwV{EoQgXy3mooJwuvgwex(Wa8VH
znY!K0dy`t2<^tk94*gdV?|okj%4>?{DgrL{bgm;RDIa`L%dOYMY9xNo9IXJ$Pjz)F
zoHsV|Fy&Jm<#~p9d65=2{;-F*^)rn(u$;dm-ZQB2NzCJ2;_bALm-q(?=Z&4r(soN{
zzT?Ro3ta4A-uGqZb>|bG&h_Bql)s94f|VLDzUm{M@)$cJ$@Rp`d$hb6uj`2qaN>3v
z<5HWE|4_?6M8{eKT*?{bcxu+sPf|YXQ7v!g56>xFWA^`F13u0U@bjokwEiupYQvj$
zIS07J)vi~x;8K?JBH~X>(emtmRxa^$mfz&Hi26r!KODn>x@w8f<bL~E#M_DQ=KSB3
z=OOA(`L;GNv$3`jw;bbpufh2o){NJC70%3Tq@VKL^E7xed4C5k_P?I%0@LnEmumbt
zaWfvJ0T;XVIs8ADxcm;UT<2+Gl~Rv+uiL4_Z=<|*Sl4#~?SC)vlnolM(8StIeCp?Q
zyEIbI&x!YZLj$J#FB9K*o|a!p`45RZ<K9V_s7Srq@6#FnnDS=;m*=6~j_09Y04{bj
z???MQ<*%k5-y#i|`RY94J&yTF9rc*^JehvlPWcO2{u`+ON#dp1x?VNJdx`gR!-?5j
zdx6XOOy~KoHz<F-<2=&G#OEy3`WvYK%*(WWI_7G8H}Op3LGDY`Z~~nVT<p{1=+`$8
zf7|gK?H=mc%IA-_v)#W-+@fDqF<)P@)N6uO_OkIb&G<3pyUO&v8DCxmF73FL?P&0~
zDBr$B%WtOszY+Ix-eubN81bHWwV)XvM_jJ!>pTy325{A1I9?n13yEj-=!$YWYt10u
z#d+Eamgj2fzl-~I7!K66gz`S0zV{HXBJT8))x-xlj!&Zew-nAB8+jVIwBzcp>UKBl
zqc^ChoO;Z-^S3y9+*fEjq_5M;P5eBAco!S?dgeVHxa7N*`NHh#@=@N()AuId8saG&
z2Ti|Qt8gZ^k^iE+^ZP7&iJSMVso#e{y5!lq{N0sWiP3)n@s(-XKJ4CBfx>MW^5b<z
z&n69+eX!-grM~yDzno9`^_2gF^Xe(YzfbwO9M_B;_E6sIn7{2O-cElue)xgHsnkYX
zSL*tvd`E+3eE%GAAMKpNH0KjH@7Xl-w<6-J+q8Y&r~G>21CMCHl;<JfvhFbNlQVwO
zLwPU1XLKv|>?Ce+z%>5(D)pH6|C#m6J4&93ZR7~`1Q%$KZf%_)?)*N*nOAB1JpDJ_
ze?LMzlIsHE&UMF?z@>f7`#McO4FH!o=3KAcM0xXmQ6qmJ^>?k(`I-LvB=Me+x;#0W
zZS5qU)unM`x820wo~_&EI?BIi<OemtFlzmcc#!*k*HiwV27guq_v>t|q^q@kEIyZ+
zLHQ}bm7nvu&$Yy7Q$C9s8h<DRF8gfey@;ulzmD?hEI5a4tCsp_JDy_>##wi-p`IS@
zGn?`Ee(Jf$F-|>0+`JFf$iGNEzK3)HP5FOK`DKps{F(CdyW4WL(QY3Te|V~HmwB3P
zP0rHx9Joy52Z`qp@1Y>vRb8dTo#XXQ#CyJ>Gc@bjcH-%ddEF-9V*f11zWVnl-^FwO
z0ZU&$RXA^K<W~wm*_zFL><h^|M!d_?<$0O-m~8DQ&VBN;ftxuVMHR`Q{L59^J|$$9
zD0!?eI6nS__zjeA=YGqX#5Ys^ImYuw;y)+ey-))u5r3I@&&L`t^OiS>_tKw@{9lRp
zJM27ij;^osIhvPvkn`~KneSD=WnPh$rvVfHmk@uS{!>i(+ki_umht&@H}Ou&KYNW!
zAzvl_6y?o(c1^!~9=P;h=l67ePyA)a_;nn(l(T2MR&4e$PDOwc+#Dn~{bdSq@97CD
zLAqO~%TzcEXCn(JpU(F%Y$0zc@hncPl8M*G(Q_McnIC3xK56Q^iF$gtVflzImi0LC
zzB64)^FrdU67T(v&TxiiTkk5Ig|Lx-Qr`O&t>7Qj<IdIg>EgP^#Q*WY#s22~*VCx$
z3d+ASs1@vIzCq$i=^8jl`3=N-Dm7r{Gmjg5zQ%8&{11RjzUKYjChq-`@)pnYWKjMs
zh4aQn{vHQE1%534@StPgY?{Jt3ivS}xRmEGzyJF=;uX}B$T(@nwYz}J{=dcfKh11C
zPI=#2t$@e)tREOXH)*@oGr>E=yEy+jkNN%sxawd0UZ?S&F_=h5y}V!63XV}vD)FwL
zYG5q!$-t#v>73V@dR<BRKDL*^=MgvWZ|8Aa>(n%zuaD>0vslhf%6re!^)i0Dow#|A
zHHJ%dy-mFLMSXAD_XzQF`sWDByD<Tl`et=$plYP1Cj*yyIlo7I4&{4cKe<dCyMp++
zlXN))nr)R44~8^QMZAW1`tuq%o%n6UzcyLxG5Y|I89f{~&3N=f;{A_m1=Dmg>zBlP
z*-&Oa{A=J+FY}&o(@#I3ym_zsmDDr2K+7j`+%)pJz{PIPeW&Xv?|gpLOnHm@B*y-0
zi2K+siL^r(@xGsH;C13#i1$3D9q{|azYkpM<vd6F0&(ZQ)?36saro^&sK1x}#k9*P
zjDJ$!X*?ISl=)63?#<Q)n@PNY_!P$5?-IX}cn!}3uOhzD=z*WgW&COz@orGLOgru-
zUhY^Q{f@YKFaHU*PIo%$Bjq2c)b|f-VqHYMeTN2Cu>mdt?xl>KlmHhyJI`CzQBOMk
z(3EpEap(7=H&D+y?kk%3+)dp4&Va#xqV(8HqCdYz`OCS_faX)z`*Gw?C>-BYp0C@h
zp7Lj-UrD`oa6V?{Y?l*%m-;7AzLfYD?xUVc{4U^P=M;`d<A|>}IPE-z_`}50do*D1
z?Zn@oq|0g6rw52z{2rq21^7*I;sYmX#GD5>PP{xp<EES`#k!omTo@gsqO*XD9nAaO
zFJn1pQa+vjWBTu0;{Bj<nek;Q@!(pm_$ke{YKWWP?bu2D>%_ab9--S>4-s#7`2P=y
z_c6Yi@;nb*%KtO&!z^RHKBT<!`{2?}B7e})j#mPgcI+Rc6}+aK!J0?h{2qz1=dIK;
zl73?1z}G1M2M*N#!}>l<-285di6^fBmvK3r=Zm^2|2E~5Sg%&%{~+E!r~#92!UA3X
zAPsNkv1bvtwrTl^)H9p-wwb!3(}~v-AE5tm+F`W=7rU9?M=^HzK5^%JFkUcvO0{AP
zH|qLth4aQn2B~MSV;y=H)-x)Oy{d)rONr`AC*HS1x7ShXnyql&*ocqv{m4hI?V4DA
z;vaI~em(In;-y@t&>gL3j2^@lxy*R62e{bB`JCksl<%t5@;4`GnuztDSAUH9|5V_z
zzhr)QVJx{*fQucn9OK1o;F52U<Jt_$FQI(!x7t4cV7`^a`)BBOe}M9<jebYJ`v&zp
zzc2qR<+~j6dlep4C3W*x;NGFIHR2lfyGJzB^y|+N@8QAc8n*jn;8Ncb9)!P;I<KUB
zcb*2u6E7v+%XUAD_;tinzNLZD+Duk}c)LSSJMsQCTK;0{xd*tEr_<rLTPQzzmbSAw
z*YsPX=RU3ATI%^T@$PpuVC-;|xR>)uR>N{*13~qRTrEF_dd3m&<G%fGh)*EiO*?;{
z_+;Wee4bKCd>-+XA8Ozw+GnZJQ>O7zly4y3?%1!p8@R+b^Sc`<l;1@8)JwE|4r^k)
zs&ER~$h*MB&dzb_W9sSU^JrtYq(xfZ`TT1Fa24mdPe^lH7g9cx`va#i?|jPdAFm5|
zKJjJ5yLW2Cv=gr-{wv2iaUJm_zSm+M<$nNN>g7C_^-Ib-->>oq;tw)j;Z|KIA<l{(
z^Sf5362A<%)Ytr8N(=GDly^DmdlTh*%C#WFhSfoN=X;a7Dc@J1<vrB@9PyPLUuF^C
zPuzEpw%cC%)w@Ri25sldh@ZMxm%p6;X4?1j#C^|e#TXXVl}+6H9evO4ZCQ1Vb*<B?
ztcHrZMvxUP70UxweN*Fde^aovuBowQ+RRy*nO0SEYfI~jni_~y2bu%R>snd^&HmN~
ze-&f{EtcP3-Q-_h-&9#q@2_rcYHsmYtZ1{Uni_)jf!09vv`c5qOph((uR#g?70t~R
ztNek+*5*}KO>;#<z+b(hp<xx0*zWvN)+o`IKx=DV<MI|1tEII$P|<)76@eE2je%9m
z15%%PdDrIWE%4_oT(GEgTE=A==~h*1Gw`~VHB}&iw%R}iDrEcUhnnhX!HVWqyiDEj
z{mTQbEvr!HhK8o<K%foAXhyzTEW@g)YnGga_*?3hH&(Q+Xb$*S2Ab<?RvA?_b@hQ@
zMQbhOS{th6|GFFT|BBYSdMSR@%@r$2{M9YNit1ohgTJD_zNxCBHDGjzkbfv+x=QV@
zYp95oEW-lBuQ{ke(BE27Ss$>0b&b`5HlmGHRZ>DB{+5cB%sInC<*QH{WoZ4;Uk@L!
zs_H5r9%u{H2&?{<79mY7RkamjQ&_30DY(kNxO8sDC9O>$nWieuO${oEqJCJkxuUAo
zUtQ5!A%-$ija4mTs^%8SrKPrFI*C8n+*B24X;GLT)~ZHpNXvsS?T^OS6>70c(Dv5c
zMU_?w{^pjZ<1Yh$)A2XMD#3jT?n`iAf_q7;oU9sNZB?QvS4hJ)1nc}QD=Pi9^+ENy
zVMTr9b5mn0?x)qYG*?WUuGr#1e!GXvQ1H#ob*%xFuB8FCL>=lH0v22qUOcTT7_|IL
zi!&}OEi9W~?4O@qw6Mg#B(G#qA&PHj6fTI(@MV|g6xdTtpRQHq=FQDsTwLnUTadFb
zw{SteXq#2nQX6Qil8>4A(Ard4*Qo9?X6f?y>zhyqe9p)ytt)G&FQ{m&t`GQXZ}8Qr
z(p*9@^plo=$ob|~-4J1CI<-vCj8-J+Gp1)MU6)cAW>7g!&-9V)t5pJ*Q6QWdQiesU
z>d=!K(Kq36u%UczYp4%2H#bEAH1N^|^H`8Yst4D#<u&AGT;})tO7coeul3Jeydb9(
zCinZ1^U?*Esmd=vpU;?HT-SJGUSoAmZC!nJo^O%=vn9K<u(2i3+&U*v)6^UYr!ATH
zS<_#l(`VNp-u^F=XOsjQnpQ?K9;VRqY?Yl=i0lw}RF2Jo#ysEf1^$$@RiBnTW4bbQ
zUVWeeW56sQf@^D@FVkPR&_B1ZIInJ)VrR@yNpqX3R!G{+VmR(xgb-VDisUs`HA$Qp
zM%g@vwtuT6^H__VriOpJ7BpZf`r^NpXU3(f_SvoQ=E@bVfklDV+?jbRhpA$W6f?4`
z;n5j0qgDNTIxf+U_L<eNpQ<jcJ8GoA&8cV!T$&$f&A})F&#UrP`RYDv8y06=qQf2r
z8-H<LcCH`u4#ZU_nh_J7u6jL$CFc1M+u$y_7?W~lN;&H4hIPatsb(!|t!M~J%FkMQ
z6LG`>nI#xT7GNr*Ob`{d{x|9_gF*8eTkBd^{ktZ$7b+t|$IZN(R#eoBqD2}0%FkXL
zN}A3(OH9oA4YA(;T5BdcL7v3_ygG57p{@BDHT&n5WY5pTxS1=XfgiuI<IgJ~Sdd#{
z`E##bkUhUJ2fV0>X>~Nv(u%pH<<Bo(I48T<zi{r{MR}$E((F0Kd43B~y}mvxE5EpK
zPL6;2wCU4k!2ug98VHq@`DaX<321>Wz+P6`#5kF^QdrJ@o13BV(j`ttEa88r1+3tT
z*2=&osyqyJDo_WSXDz8~scX$EF%fWa<Bg3?H#e#bqr-E~ba5Ir9m1pyc7tV>mKN%v
zN1~rfqelZOzf3D{(-}mo6KQA6&PXq9G7hFKG|y>?p&`~6)xT6B^u$NId+u~-l3Ab>
zx}vhhs%ya<y($phbS<sbO)FZXF=-%O9S#c>i(sckGQHsJLTW88o0FSenw?i^VH%{?
zG_vOK%ZwWH+t%91QpCByuvv_LahXJpB^C86K4aHX)84A)Rl!z&psG^M;{7NEmNK^l
zpuMz^HBb%F)a;z&MwhrH5I_eQ+ANorR#Yy6Lfs^~!6nSWBa|BtX{4Dd_GuT_!67$L
zRbPQ=36`Zf;^bJ$`KtrE;8m3}e>JvdNyB~_)4%AYs=p{Zi@~7}i`HhWEdrRsYXb~%
zvCKtS8aXBzl6$098JRgvjaUG-Vi=k+y;LoI@)~3yi?)_5v@p9Z^EcI3>;5%kx>Zq+
zg@^8E5shj%5MLQO98|^#!fJ)9T&S|CdX=dOg2K=ar1Q{|+>$`B9)2A))3n)@UDAXY
z;~0b^CJ<$4q6Lfmnewr8RWOhj;Yzb-Ojpyf0EZKV4tsy|ElO8C#1{5qbZc9|)92PT
zw_w5`bMuw9zJeBQs;Pl9M{-vc&A@1A3ldnya=GrW!g>z#NNj1C_LKxF0H{^5>Xl8)
zn~YwG3N_6E=_v3M-PP$?m*imai)f9-LbSF^N}E(muG9-{QK{F##^I=k{W&+?bde$b
zz@CL#g-2G#CX7f=u7W2rjzoo*hCp>)#R}O~iJddUb=3L`Q;7Ni5K9+Xmg|++rnpgU
zoWOF}!3l4hm}R=nHmuY1^lMfGnpfpEt-xkPc>1b*yPDe%j*S#CA;)riAW#DeIspDz
z{(x*C=;ZdSwWEm1hem#-HY!3Z?`~1sNq)q0f6I+^LA}MHqGBXI)YMlj*UfJC-OQ>A
z3=J~R5=X?wh)NY`RB_70M*FII7JC~em=QPm_hx{q6t?aVbN!~`c0Kz-bbp(PO}Og3
zss>#fZ4EP+*ryxf>}q#IT0J_FvES&yiVh>22zF<{aF6Y~hRZ6dWb;N+G&j{d%kJo!
z7=M;TkD!u(2m?=MZc`yPv9M-biOnZ}4W?XrA~9rAiJ*k}2PX1r@W76efBLLT{40X+
z8`Xog4aNAE7Pe&92Wu<xY8}(XNQLwUAKa~_S~hb~In|$95$$3a@{(-SI*9PivYXK~
zszbuL8k!nq8$?EfdYNshT}5VvNKqd!BZTItj8)TC*RAxUfufs5^;V@%^+CrPFJp%4
zg@ui+oGu`BYjbPU3df{WMp|sb`Ge@Kb$Xy35{hgSo2XbGEY8#Wt!S4(;6_{P(Zl|&
zIjGda)}8gF36liu6kz&Q*XUn?fm=^uWKyn&L0T{3Hw@5f7NPe#BLjunWR;+)d^{Y=
zlr}iyqM^<hDG%eNbdx&7TeZO#DX|)P5P<?K>zY=yEUJSou^S=tVHmxtwmII+kzO92
z%{WS+oC1y#t_VzkWtE;qin(opA$o3Xgw#9%1Akp(^YTXBgQdky_n`S=Z`C4$U_I*K
z7{OKllG$=q(+Uiz%`6?}O{!}|iiG71TLYaJRjCYQTq4`bDr!d6L|L^FKHgL<Tj=4*
zjmk>AQ?0_#b;M00y;PbqN{=+i(1B!Djy%aw1Fcz)NP8)F9lFUfOU*Y_gx60HI5g<G
z`u$aH74l#MGr3zFi-d?f$aoZ)3BU#F1C7xx&=6>-Y6wPSNYC!2_hcoaMXafc8y&xM
z>H`(crL}b}s%~~?aBdFj#|V0xTAnoMnpq7uR@XUvb7hMPJ2lZo<3j?~Fj&L}qT2ui
z@^U=csYBz{-58#?hi4P2RqVrJ)H)Z|X&hn-Y4fVu0Hz*ja0!{vp-rJ?m>Fslc#+!Y
z%>yr3@9<HXGRSi;UGMNy7g+-6hIcM4<Av~WzItxC01a#J-Hq6<_G3e$l~0J^keqHI
znhc4fLz~b<R(qdR;YfOfJd2R1FQ0YOsko)0^^H|68OGA#KBd_Hr5R?A9uL}r65L@x
z-~TJ^T6*L<s&ESd;vtY(Ai>TA76_Eq++jR!i;ZJvA}r-$;mJc0(xqpn$J237_t4$*
zFj5pFAq6&w1&fGP*s)-d73(ZnMyyz&NNf;40Ct4$JCCY5b?-QF7|Fi<xK+36)Omd8
zQPs_czS!K@8c{E0W>Ye5k5_a*sk4sN?h(6IC{n@%5Mnm&O3tN$!pJQOFu3X`4<nbM
z+tMv)N@}aO*nOxddhif3gaYaI9;&%_!0wjFbpSb(GZXFv$8stvRkdeX>EbxJ8)8*=
zK|9DEQ;zf$0Ev)V9WU?4X(e4ueU+?^xc<rSNGjTV8m{^3XnF|ufkUikBX*;RgM&#X
z$LKyjIM1yQ@c~X9gEgQ5_=K!zAe|P_pjtu7a?u`1j!1zO=HQCou>%<g_pFXo+yICr
z8gGfROSlCFRo2v}X3s2?bzp|;g&U~31Tn8!Hjw8U!$GO1k}Z%}9$2XsKFyx485hLe
zqf7t{0eaO(SL3Sf!n-kOMJ`I{!Av@Mo(_U2Qw}OXn`Doi_Z+p5CL-U<>6zhHhx2L^
zn&=M4j!T!3Ya>?E7Yj;&)74BHLpkjsQk8q-{Rigm@!RZC*MT+0u~Og(6N*X(otK$A
z=oiYF0V}s^s%S<|^d0&n$pbJB%@CKj31FKo7AG<ZlCj309&n4o>bw>1zK+n(WO+8h
zbICRL_stuHN|y{ZLPH>q!UDBcw@;U=#WJx&64oTcMlNv^d|I;DHTAA3=@=D&N5NYo
zZfT)?;mBi2rZqm7N`WZXLYBg)LH#WrW{#%4eD>Aha&kCq+xr(6?Fm5Rf{11Pusvha
z#JQ11Ee%an4#Q%i&P1FgcE-`#L@h30V1M_O7n=<NqKom~^sH&F<Mj*^Y3U|m@eda}
zH*em4?X_oa-D#WQ4-_X-_i8uRXLh7T65%|K=N0;>*IivbC3Nubdtw0EeaD}(<U9=A
z5>+vLfOcep=y93AKwI;Z#cC&VsCEw>s@PgQI~d5sAqV8SDM*i8I{f3NVcEwFaRjJ_
z$?_P%W>(^G02$s~-(5VvIG-TNQTwOF##|0Dp;^NB_EBFWL5SGV$0mjpmBYc%6>(*i
z!oo(4!4wYt8Onxg6zk)Wl}mHx2+4zy&oGxo5#52JW9u@O6TokCiNZ(c8bjw(DtMCE
zRdEvQP`a|Fad#^+5f9wQkh;!1YDU^*Ruq8L)Bx^j%}+Z%0aeT`<&dIWL%-#9?XuYu
z`Nz5lsLEPZeuwfP+3Iu#qoI}<Izb9_Se;{tt+r&%y~#So2M{)aXQmuL=cL4D&6cQh
zPS34nt>8ppdI*>#gT1>w$fkC5hp`>hQqh>#+)k;CF>L{RSy;`~HqEmOlyFRL0f9XL
zUnxB#m}P#BXfzJrbWX<>9_*QBt|ODl^Y)2X=6F*hd>N4xK^i^~{h>O9Y;GPBrPhSC
zWo9EujgVe-#0q70DAuC}70jh}98wPdg}EHb>Y#T_gMDRY<ciz$`S8Gt4%U1Td?IR<
zw^^&VI&#ocMm<?bBdi<OqKeup(fL#nJ}y$n|FPskC+X6owrPyu6@q0n+*k3g8Tj3M
zm2`FegZ>H#nNQWHBm&ZMa3<~}1a=`u-~-L;5WwgV=<=)O6hDA~u=s)nZfgGmg-WLw
zQ!2gvG!Q7Gp87<YK)FiWs)*cwLy@1#vTAmSVUFZiHHFzJ4%W_N<v|l@8aufoW*<VJ
zCsi`0eu42itibUXzFvu3d&S;xUV@7rV$IHQVF4o;G+Pd%RxNn8<W%?-))dQ-77H(m
z%q_|z4a1PvE9)(Elg`*Wh+r0qq5$R6Qj$2l#CCINy7dv$Qc&^9>qP-CB5`~`$rM{Z
zJ4J5&EcPTbOM01tHe2mU(<tB~V~0KV26YVQRUHF)9zr3aFF5jijH1W(g5mmzT{*<y
zZ#NsVmOBh3<~jp&2kv%q#}(rQe~57n<@YmIEvP1v;fN>Ad_;ma?r)e)M?4uLb6?c>
z`tqRA!R+oCNRYwp@P<7(NSfx%*m2ecmv!pysW>MHgi7dVx*E?=s2WL_n2`*odRK4?
zo|DyK^Mlj%;pi5kA;`|7W{yyACIQ&G(pV?nk<iP=DYjIMh>}_c5mI0}2>KRVk{%9j
zzR|rIi5q=uv6#gap>SfJ#x~&r5^f2A1c6FQvM`>SffC!93D3dYcz&Go$oML<q1&b)
zKaMw?FDyn8A|%P96XwtQD7hR^#ndk|W|jp-0A4XNM{YD5!QrJu4^7^jaYe+~<(>)z
zU9w(1MpSrPbel!$vyt|w0D?fz2!h>R++{5aCqZU1T-$<)fF2Xav9qL!R+F=dR07q(
z)LcYyHjvCv<lh#7A%q<e;C)azyzYpQr=U(a(=0eo1eOosiLI)~QocKEKHBlxQH<3m
zk7;&*nItyJR(sSH?d}V=t$r+vffJP~M+3G{(JWu*N*lYm-bt*BXJz}I?(fuoHCy*s
z*T9^*#u5(ls*qg5UZw^*;cyT5R?hM#FVPzucAY;;S8&-Z+byZ?I9q{M6uA!hyIvuQ
zN94y^EW)Pt=y<$OjzOJ64k4s?sYp}@pdC&xCI?DZ@)4^zI?RwcE2nDe$O_X1?RwEd
zXBw^+&6gMjlqZwgY|S4@*}VJ&xv2|IMd>7@5mXy`&WPi9vW9O)`Ai>k%|(-I1=+MR
zvzaMHEy-Gi2uF&uh92{S)Em^T7@T2+okTM-#^=s+@dVS7C8is%7gbCrJXU>jnV(`B
zWP2s<#TcjpN^{snA2G0ujG9?oT@lFpeq3UMN9aoK=qyuzjEDE`93N-#C!r-6#vLTN
zB27nyojlSx)joHokl9ShT0T^HfC|1DmH7<w7*XoRRZPLWH0$>DgYn%nn^CG3twL^_
z2*0f$E{}`4aozzF>I_wsI_Yy$Pr!bHxU<2ahzS>KUm6-UH_RVkX-jL12j|Jh@Nq%P
z!#$X~EZ6oxh9L#GVQUWUA$Qd*E?r*+cD4K<KX4lm8`!}e+6ZlLND=X~lhu9+j=9n*
zHwhgZ4@s?1tZ=v_TjUWl4xS7FV1jIE)??~slaP)njN&&U4AN98&Fxg-Q=VC0WK8bq
zNy&-g%}*zx*6<s!FRn`arp2NkE3FtWKucE9WUUkIKRuDv^g_5I(l?2gsvO6B*K{XA
zn5nc5b_uFQc#kAx3RFS>vVTmifDo@BM@SQzrHh8C<0McfI;JS|yygAXflibW8SaTn
z8ocdl_f$y`yXb5;az_rDO0t(JS|zHRn>FVLQMGw2N5xmw6Qil3i^P!t<9NhMNyT*q
zWl5hb)D{jCW?e4MO`&QglQb&z28w;yn2+XT9G{u#Go9}=OxoQU2EJIZ$W+(Z0}`i|
z=)@%dW^-rt>Jj$U-D5fS?FFmAPykd4EIXGVvRRH!8G)MCI;NMPSBlEDXNb^CE?9{r
zMFyMY^HJy&=9Elt`V=o@<7A8sNVy2y^~HI+hi!Md8FoH7Z(+aguaANY$vtyD5l;ti
zQN*4I4W}8CV*9BII#)RcIgP4la42$6nQt}y7M&}EvCqaOnXE9x=#CesnFy8awygxh
zawmLb-0De(0GHN_8B->apTxALy|W@5g+iD2ptvhyQ{6p&RCifu&Yol=iduQHh)E^<
zfr=W*-a#4*5%m~k;X=5L5jl-B7QYeuS;<LxRUnnIUfb}pQ=kIty33@`S?Z$ow%tR*
zPtbXx$!&xoE?DxQh#QuIzL8p7s=6XVnM{@_`<hfEFSG-9NKvT6g<}M=WYM|7*>Sr~
zRukXJc`c2Xa=)SXWc-Nf=r~{qh#E!d(@1YJ5Je<2#0J7DB%@d@{B`h>ZwAZjCU%(B
z;Skw97KV~j^O6=W3ly@!QuFf3u0fz1vTIL0wrITCc`spmAuWfqQ`C2`>#pH6gH2Qi
z76-kVsL1+~Y_F?q{%MNh8p+{K&!$Lk?5|GMguz{yM#fH*6xF<86}&H=9(Rj)F=*eK
zK9Zg3n*Pd~T~_!IbnONRs%36Av=l_PoawHVKx&qfpnif>sTLKx>56R#cdLG7G2<FV
zrHjoZg1<mH;6HJX7*5yiD>>8e0S8bxCq<KMY}D>qF`+;rsQ{a@u7nCZbxD(<h#~bC
znQId>4UkUi^;2R*Vq17t1<7LKj4^{0nl&sTWYtI6Cq2XN!DE6_#6H72(<Fqef&$Y5
zkTBsT)izdXh?*Pl?qD_VGkAhV5tXIMOYXlYP{wFcP2S<xfSyM4)7cCKChZP<9VseL
zu5}jb=JGA&s@9S%!|I&kzycmxaaKh(M0MKaLa`g?ChJhKYOlfD+%&Z*rv*S2;w?)D
zL%=5#754CSsY;Ui$Iv|iigIo-SThz-Qiyc5&9xGJX~Y86+x_wK-~a{I`x6Z+F1EKS
zn)ejDlmN?XJ}OI~VN9?&kT$|-^QwBUVBLFSv92*1mCD1SUC5D713g*mG$RyI2!_q5
zcE`X?h!tpst3K;-n{nN3pmSP;4IoAx4XqBS?S&vG^T-PZ*gBKj;x-#towQt*&GfY~
zjr}Q-HU*nsdh$WZLniZ=r6E#mTXmCTLqw#=VE$GrOae+JbtQO(+j4+SJ4tRo$&$xg
zBo0I~ntg$Bfn_Pi;pO5)Be91|LO)<5Ch*|*N&F&4f>gwX|0|qkl&O(MPjI^{+TGo-
z-mFMTZfkT0Y=CJ*Gv&@XzbN54ASTj`DO_u;M*YL(5Jy%h<;8Y;ny@4<_Rmh%C_g1t
z#CyS?n-h~sL7*H$A}K1bq%4jr5$C`I2nerqew_>>%Sm#WU1*Sbq1n<?JJN9>KAxW7
zOSAbLJolHDx3S7=*{~a}YTwp9Qj5E%5W3QUuX{Vj(WFR6yg!{U$e^Y<zQTEiX7B92
z0ITT-K_Sh-VpYi@3O7`Xo{VjZVES@qnt5tXKcN67DBPKfe)IDD9F%K+JXzu74=DND
zx3ODZ3Ks*@dG)+hMpd?etKJRCY;i>-jv;IjmG?FE=z5&dYm?&>+4V>A2P5^^E$rvZ
zF)LVb29ug^p6}#r8GTd#l%vXoYp!(<Ymoz2O2AB0Z%&kEy`jY@29AMQ0LJ5)++|6)
zqr#*Du9Dg(ABwAL0!1T(>c=T}XseuCMkZ6lOhcrI63dfbQXUCk2EAvzDxm~Ma8f2U
z^Ll2Pk2y6&c(cPz8t?)hRY+Q`UCPsRCCUg|BsXl?FR_1-kvf6`Mx~$_q_X6%kH)%u
z+-LxfeW#>5|Cv*$%C6m-jd6z284evozP6R@X9XE6Bus#u;3N_V$hgVrVal#t)i|eo
z`i_0!c~g4ennDJbHQV>rOG_nZ&M-jtIL^p7+XRIjJ<ds;!hj=p1EDnH6uzj7fUqGp
zGEA!tR_L%0q)zRr7^4FmV22vqxg2vP@fRi@8Gk`B4Ne(}Dusigi;Hm}vd=ZH?8@e*
z)HJ+2=YELELGX$0z9CEz#G&bUPO?YSYkCTuU|P?TE{xA4K^3j7WrGhU%lU-0#VE%{
zt@l(8@4L@Ur%EJlRZn?nTazq`^z)J^ayd#(zqLX^4~{Iut}0mU$pxr{t$MsGatUC7
z7{nmpvEYb}R8R}Vfp!oOZr%+oQ*c+e-JQtUd(-6_C)5OB-_mIHnk<b5VQQvRa(xCD
zNf$9p6zUY)rSmXImYiFkvo7NT2W8-BH4)=9T;7)#h3ZVE-L-~*ZKe(te^eCAat4Cb
zqDFeiI<deWnwjx45BJ*yUGoE-j`A#I7+gB35LMg5J+#8aI)B?=(&JEDj*`|3(}mxe
z5)@W*=Ud+^$8wALPMM@{yQJ;!;hJL3>0q#W>W5NL5hb$Ae*!gf?z@`;ksC+|`ZaCe
zo}nh>lL!V->B>W+o_h(E-dGeKV8I@^1r}G=>XlcS%k)U&LKQtGLLQ-oM>`^TRg<O*
z7q!WC-|!t3Pg#y(LSK7tQHHhe_*tqJz+{TKltClg21oXkb4juh@0wSLJD|FQ05<8=
zNq5)Q(Vhi3a7sZMjJV8O_i&m+;am5}Ph#AVJ4h~EwVfbBwB%wBhO39iu$8!CL%m#&
z{1sfy$?{|{oG);+C-%KOy~a5b`VI$94);!RipkT+G!6MqstSe&59jD_AlLO$zd>G)
z`$EDSYy`xXp4pf;+N+b<dN35x9<Cv3gP~x-;c_8oWeg`rcEsw@0owXIbh?lIA{RWd
zz>Wr$J~TI_efVqk!-t|v86fuf?xQ`THT-WV&(~)m3osb&>+yJYF75w&;qO23NL)K6
zc`&jUe)V(R{W*4guD_LY`gvBfx8JoFe!ZIR)E9Q#cKWoztFryt+WYl8>CXQ4Jf`~J
zAAPj&=f7hw{JLfB{d`|Pci6k-xz}IDKX3nmz3}T#Kd*Q4!nu3<Z|KK^S8(NT40!vE
zFX|V5{ht2-f!$xzk3XC6Q8E74?Z9on{>s|<`29J4eSq)(TeSbDwfF0L)}G_%P<;IM
z@!;op!8P&z-ua4t<Jb3|()a#+Z}0Q}rM17Mw+()@p)dS;#TxR$Hg)^o;4{+1$UJz>
z4s`abpM#HE<d0)5|9*`(W&0CrpRN`C{hV;W{;q2O;YfS;>$mK8Mf{oG&fovOYX4dL
zJq^DaJNWHF>+}XM-o-zT-|2tV+WYmHSMg=>ceQxUmw&{+vi*S_c<$FfeLXg)>G$WV
z{guxs!TfsjD7N?Y^H1Ne+TVRc+xzv0J~3;+v6g>-#T%aO?aQ>W`nG(%vC>cK=lOfT
z{vCJow+y`f$l8xSVf%lfEyv{TZ(94C*8b6#@MZCLwRp{!|G__(Exv#MO&$OHZ)%TM
zZ2r#QKJLUvczF5z58l%DAH1dQzspXGKX32X&sFUQkF@>Zk+%N}J1_pconOCNwfEmk
z{_q#t{<kjp*2mSNFTUi@!?7>DdoXzPwm$#lZT;kLt{AM{RlEA-oA&$-|G=)^{`=ME
zKArMfv6!@Y*PegnC)xpjpWzSq=ks>`Mfvox>z(@ld;ic+U&FcY<)1&-Kl>V9^tJ!O
O4VAQ~ss`2D!T$h|d)hGo

literal 0
HcmV?d00001


From f585df73a4cc9c54235aa589fd4924f8c2663588 Mon Sep 17 00:00:00 2001
From: profi200 <fd3194@gmx.de>
Date: Sat, 28 Jul 2018 22:17:33 +0200
Subject: [PATCH 217/317] Fixed CFA handling which broke in commit 046bb359.
 Fixes #73.

---
 ctrtool/ctrtool | Bin 279024 -> 0 bytes
 ctrtool/ncch.c  |  18 ++++++++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)
 delete mode 100755 ctrtool/ctrtool

diff --git a/ctrtool/ctrtool b/ctrtool/ctrtool
deleted file mode 100755
index 484368dfcfdb5c3c2a3f19265852a7e7e0c8a2e7..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 279024
zcmce933yaR)^>Lm2uQp^K{JZdN~=K;6E&I$8M{dbZfk;J(~P1aLIP-jNV*{kNU+n8
zYjZWDIN~yjJL57k>aYu)umoHq=!l{cap5)riJ~F0<$q6A-R_&x_|5-6-}A>u?ya{@
zojSFhb85NO^YikD$Jy;R^Do}^XB!K7IN}l!>DMHfBsP~V%hm(`_P3pD>jso!Tq0I}
zwhPwgGfB|J<4NhV;y55b`w2SpX-Y`XL=pFUk5D;rw%N?5&E{ZXN=LG$SMvDu$^i^F
zpRPVEXiK|^Kh1O`9;FM<<LSclcslc$BIGxpX8EXW^#529FF!qqqd)UWwDec_oo^Do
zPddO8%FkE(GBTU_G}DbjI+F9h{Yw#qqeXsQ)k{+^PG~;OcDSs3>g`uud0F|SOUtKD
z_g7t7m37snS6w-{a>n4xS-FWn(T*57jxnIx6IH?Dsk#ZH_+5LB9!)QK`s6=7<$qTC
z-k)5tFzF$RbK!rp-E4_?v-gW5%#Htt;s1f>Ebf>6Q>fn?&mKALip@t(1Jvc;?MVK6
z1P77g_wYL*?C;_K?1E2S7dZ8c-{Ui}3p@b){NE|XrY`vJ=>pffz#r@azrG86N*DM$
zUEs^Qz}I(yQ}5{gJLT=)Mg3HDffsav$8~{ccOg%YF6iUBpns?f`omrHtB<<i^H~>o
zMHl$-F7UiA@OQhA)71t2U%H?_*aiKuF3MZiMf;|9!GA#){GaWDeoYto-q8j9(k}Rq
z=z{)47xcGvLBFyK`i3s(Z|;Kr@h<2OcR@d=i+Z@S3qJip@4)}^pQ8)@GrQpPk1p_a
zUEpLF9CD@ze~$luPfrd3?!f=@pQ{W0-$VZ1wzF*2i@2RO?eV3cCw!TNUnuZe2_GZ)
zEEl+GXKk>1mA*+6FS&$l-Bq^Y;>puyOfRnVmCW=N7u$-xV+)EWmCh`kJhjqSI&*A6
zZuyMqrDIEOFE8bBzaMk+*c(S?q!$-Ytg0%xed?@?jH~fpUQ$_E?7O?7w0P?DvKe`l
zRaI4SMd{4S8PiM3r~2+Lo|SGZmXlr%HkDI<FZIN#l49SKnKNb=-(E7QxMb$clDmti
zm(DIOFP%QwHwEm8pu#`1w0PFknLd9>Ihao`nTCHSl^4!p&yvDf1kRpD)i90M0Ny4~
zoLF2*p$uE`xaqT}PM=gfy0p?it(3?na<WR_%!w6u+e)jZ`fO!0DoUr@fJ~n_t->~=
z!iN;Lsg)(=6;n!VWxmq#avlkK6vkIF@y_CjQ|>G-E16nutML0KPAQpbn|9}<sWWY}
zDl2AAo$f2M`DT>Qm|Z#(^r*E`v;`xcT3K09GO^TFHo4SSX`5J5UOr<Yu||<?(@LjR
zmikz>)BV$IWtF9+cM?b<p@nDoAtz<VV`f}+B@0$E5(ri{v3y2lDKYcS@R!@B3Eq_x
zOQx4mkxFJxCN`xrXWEcCfMWE7$+oiDGpG6>(9F^j6nWx|>9f#O#HhqKqm2HUN-QT%
znTgzZ$rzC!W%b4zs%$ECf_u=dimOmXK9XzNj9E+~DnfBF)xGGL(@LgJx0OMb88dB_
z(*<M5P-+{In_GOv;B;GVQIUI?w>V?)6@#;^fow~_HX`3U41`E<C4Voz-13$Y11}$(
zi2)l24=?Ty|4R_DiR?+#-Pl`qf%DYy@EG}9QYYNxO|dr2NO+k0-DVuc(4QUuorW=O
z>Yu_3?>>dnGzkJb@<23;FT}Izqt_9iWZQ*!N^>_0ce8yb!aHBT6Vs3c+fO3w8~6}Z
zO}y<ylwZ8<GLavW+xkqMnryRmxAlNyOZ=An^>1+36K$u9u>Y*7J*dXcCC3+k=Dftz
zU(FtlXNh@>i7yklD&ejzT#!NuA1Ux63BOt36C}J$;8P@gp1><4e2KuTB>XjjS4;R-
zf!9j-PJ!1+_*Vj7D&hMDzD&Z83w*hRpSqRT&k6~53VgMMUnB6agpU^ZHVMB&;7t-<
zBk)}kUMuis311>`L&BdCc&mi}OW^Gi-XL(Bud`kJK;TId{<*+YB>X#pr%L#b0(VIG
zQGusPc(+Dg|LGFmTi{s|K0x3u3BO$6s)XkXyimf61YRWJQw2Uj!u<lDBH{N7yh6gC
z7I>9}zb5c%34dGQwG#fW!0ROZGl4Ia@O=VbCgE)YUoPPZ+eH7D@Y4joTEYhiJS^c?
z3VfS{=Lx(?!fzD#E(tFac(a7h6u2Sb^90^1;r9!?UBaIhxXs_W|Gy&eBne+H@DvH(
zCGb=UZxgsf!n<$h^_(W*$pTN8@csg?lJIPSS4+4@;I$H7B=9;3FBAAu3HJ$nnS=)g
zzFflpCh!#!{*u5~OZaMmhb4TQz_&^Ge+1qn;ol2<mxSBj;q}}s;b#imknl?d-YVh4
z1l}&;*9qJ<t8@RkQQ%1uULx=m2`?A8OTy;}T$S(#1YRiN%LHB|;VT6`LBih^_!J5M
zO5ha|eo)|55`IkJ)e_#D78vkXE8!OjyiUTe75GvKA0_Z*5<W@b%O(6Cfrlmh0fBFm
z@aF{HB;jufe3yhb3fz$JPXyj7;ok_nUBZ7BxNUal{*(M3ueT%#KTqH(5}qaSR0$s;
zaEF8!3Or51iv_Mqc-mYpU!jEGKZ(m(B;nr*e1e1@7|rRYNVshb$15bfkHD)W{2j4y
zUM=C*+{F3RO8CNY9Iun`C4zpbg!d`p^vfl@S=7S{3BT?ZPQO~hCkZ?(;dKJvCgINu
zyh*}W3w)P^HwnC1!oL-`A>r);Z<X*~<GK9p67CRqQdQ^vxm@gbq)2#5Dd&?a;WrE1
zA>pGR=JaV2p0$YMSrYCN_3x7K;k0m$KUKmj1YRiNUtGuOizM7x!|@3c-j5dc@Ha)m
z2MN4F!iNgHO2VHM@>EOsctKw);pGCalkm9$Un=2?1-?wepA`6V34dA0vqHkx3;NX(
z{+__Y68_@#ynePx_$-0%lJFwYj?EJO=i50SL&BE|yj8+C3%p&zd+MBz?e5O~wx5tc
zNy5!`Op)-Rf<9Hk^9AmZ@bLmqlknq0&U6W%E9kQ%+-ygegg+_hRSADp;Dr*tUf@L%
z-cz*u1PPxa#>Er~&k}frgx@!U*K@UmSBUnlmGJQ;oW4%N7Ycl-gpbYT^vfi?=6;SZ
zm+*d~yelN!Y~R%qK2*?$CERS^Z4$m&$k`;}<$}*H37;$QW(i*`a6`hM6nLwIzbf!{
z3Ev^)vE9?TpT8&QlO#MLkJnp@gn#VexI@BgMLVWR_}mGcK3&3J6nK_|x4JpKOTr%t
za$J>gvmFa1e2^$tk%aFM`A(4Vd_g}&!p94|Lc+@hUM1mXJ622hVnJUk;mtyxIthPO
z&@Ywn^#Wfe;qM82xr8?l<Mp;e!dD19EaA&UJ8qNknu|D}CJBE>;JYOJD%vo?U$cbY
zF_+_pgq!WyD&d!l`e~Q&p`yIDIi34+zQB_te7wL@B)nYUsS-X{;0_6Q33<{a{7FHd
zF5zZ7W=Z&ZLGO}qvmI3lU!KA1tx&=bq;q_Ngs(RBs)Y9w`PNDJAb~HH@Sy@<CgJ%4
zUoPR}1-?SU%LTq#!siM+Ea8g<zD>fP6nK+_zbf!u624yG%@Y2ez-^+Q%=Pdl5l)x!
zy}X{YB;54#RT&rbg%WPI%LEB;74%ai+@!CP@T70JJk=6z($`6Ns-Ryg;U@iZ2~QLB
zD<s^c4@-EKpx-9pO(MKY!c{?UNO+OJ+a<hC%p+{#X|~tjdhvQllJF*hr%1Rugwv-=
z_+B5!9TIMs^9~6gB>GRfgbx*XmW1aE+$G`T1+GeXxxfo0yiLecB;kt%{R9a&$IBE6
ze^t;|NVqv(swDh9L0>K5A78`ktyaRn5cRxN!d(YA{W1wR`_&2wFBJ5vCEV;+#)8iJ
z-wfOC>x>V1LA0-g=L*~<;a-7HkZ`BKt0nv$fiIKrqtEkv!xBDH&^Jr?Sb^IDo#pQ>
zaEF8!3EU;&B?6xy;bj7^mhc$@Unb%40uM|0EP*#m_`L$R)pV9WC~${_YXWyk_(KAp
zAmL94yjsGa75Fj<e_7yR34cT2%@XbqxGmUO{<j70knpVncS(4Yz$ZxfX9BO5@UH~E
zOu`QeJS^dD0&kY^4uRVic9y@_i=zKa_~`<#mhiOCIeo2!X9&Db!mk$iQVG9a;L9ZZ
zc7ZRK@OuTmLc*UA_-YCNx4^>^-YD>G68@FIn<V@ff$x&=Ub}fcG)wqJ0yiYwCGb`W
zuM&8>gx3k&A)Oy;5q2<L!haOFOTya(UMS(m1U^B+<G$tPsuF$?on6Rb9y|Z1x(nRs
z0&ndCPZf4t=I`hNPqW|`LKHgdK!2_-@S-m8iZ1ZlF7Rbt;HF(7`K|KQ340{t%e%l$
zdqwngPR%S=vn5|E-ZY<&UpkX*`Z{>E?Xuuk6CnPYE%-Gih^Jw}hg$Gf3;t&dK0)+P
zl9SHhn19ux|IpcamkHu&o_iyFm<3;Ep?6zw^E@2U=UVX8YF^&%z$kC?&tbuNkL59G
z7Chc0#xvc5N6*{=&$8f@xB2I?;8fS<pK8HLCiAb*g5$tV^smT*_l%-8+XM@a13}Th
zDHdEDk!Nug790nDqJLEu{M0CFvsGJg#e&ybaI>#bbe#pao||53!B4mFS!Th-Ck`xj
zxdrcQp<iLa&#>UDE%=!hJZ!;JE%-JI{wE9GWWmp};JYmN*%rLnf}7uhP_$ve&#}<A
zTJUo%c)JCsv#-%V;eS#eaYR9kSqpxi1y8Zy=Uebp3(iLZk91gYr-eSvf?r_4(=GT#
z7Cg&>r&(~91s`a^RSSNx1uwMVmss#33qHt#Pq5&ZTJR|re6R(tu;7<j@G1+QZo#W9
zc!mY9wcwXq@Hz{Ag#}+~!LPL7%Pja+7JRt{&$8evEO@pBUv0tZOtSeGw&2&AAf9UA
zK$03t3|=?DrUt{lxQ-?@usLaytt0axKpht>!M{p>7v3m5g;GYEJMeeG{S+n@8fjwT
z`zTDRGZJRudnimQGqQq(XHu9{Wn>u(-$7wgk&!wUzMaCP8Y9&#d^3fqyGJTmcr=B{
zL`5dB@O2a>)fg#c;b9ael^Aic@HG@BRTxQU;mavZDlp<;;fpCusxOkl!sk<%R9?i!
z!e>#KR9&R?B!CM}qcEwsNHYufq%f(rND~XkQJ73?B+SA`y$F+vi>zSbpD0YKEwYS-
z_fwcuTBMGJ_fnWtS)`hUKc_IMut)_9@1QWLuE+!yeuu)OvLb~n+(2PcRS_2puca`l
zs7N{szd>PAO%VqRzf56LNs$y5ewM<diXt`^ew@Ojf+DRasQeF6*g@fD7QUatq;eun
zEPNk@N!3KcEPM}zNyS7~u<%R@lWK`9W8pg}Oe!T($HKQ$m|UMoH4EQNVNxxT3Kkws
zVNxlP2`qdag-Mk}3R!p<g-L}(Tr7MIg-LZp(pmU&3X{r+I9T{%3X`gcq_FV$6eblB
zv9a)36eiUWX+6%`pTeXPBF!w^lftA5B26qDM`2O{kuVD%RS~A4A6db|KT(*5d}J95
z@24=iK9M?v-8W_ISVIny`$qRTul7qun|tgy?Zg;WKPTvqv#ARXsDH=Tc4{c$0;&U5
zt8r!l$Oz}_Z#k>c&GPk0PKUbs&eFRp2UkriCxY}RK&Y>Gy70^hA68#cwI$9h1oE{b
zYnP#^j5g%#)$dJhtYJK8v>Nwe%&5A@>B?wRwMJF*IFpQYd@iEuoMWTM$qYT7%uo|W
zYF&ZWtm?@(qD=YP585GB?|apqaW>-<bfrLhhf;GKnjz4Bx3WmZkk!KK#Dsuq-__9^
zSj=)xY1ts&>@9DJx1^Sr^FukI0%#^Zv+a&JaPBZRqiup=CAbBe1X9<a<V>f`MH7j1
zj>wEyAR%%)0%|BH7kn~yWV9Lg9qZ_T$bBMS7Lj=|We}R{OkHb(jK)qxQxTbFyD-Km
zF7hV?7I1NiGSY*m-=B~4f$bd`VO2Zw(?5w-l6vGLRUg%1Ed0Q3i+qhbP(zswL`RXv
z#P@-|3)JL>ydvv3)svv27BO0&iXty^aM2%R@$I`{c5jSXHQF#Tou|9OWOgnw`wIhe
zt^t_Qma)UQ`zUXGZL6_?;<FJ?S#O}C8&42)A?MTG<TISW-W>etdLd~ElxXBQ+69ID
z(gYV1xQ~O|OmGB&I{=E7az(Z<ikufg!DRaG*QiWKiTDN1VWG+4-vrii@GcXqBXAA}
z$D81t1eS4dgb5BOa1;kGH^K7=9Lm9SOz=1?MdTt5CYfL(fv0isFw{M3sD}tVfq{hL
ze`SKx2s8jH{cBL07}i>2C~*&>^>H294N6TvjJ3cCyHb+{lb3BMi_`H`^;ezgkJ-TY
zw$u<G)~dG0c;gMbEwqG<6BVPK4Qp*rU~keXW1T5Ra5Khc$cIh`($}`yZEbuoyOiL|
z=%%W6$oQ~?cxUdN3`K&m3Dr=CabvWjvMErD0F1v<b1q~+Ml`5`JA951A76p?p30&=
z=oA>#U*r2KjNSWGds9bq#*Pg%hk}+czC>SIO9PR09#wzRISA!YLyI|cNOnCaNW#in
zu>deKcZ^4=`4<x4HCI(?E+h4@p5<)wFH%G6Svo#mDPfFJEEggF9>YN_y*CceRcd}k
zwJHnqAyv+B@8|+0xEnGFJwd(%N#=lmMUrTFB;i|83IBmGf>bpWy%s^QJ}Z^pH}ELZ
zvlN_>k6ij!gC7`hQS&l7)L@4%(HPLq#U<@LNxh;MQ`a7?T?r0K1o?u^q{nZ$)ji&Q
ztNS*0@g}s(fHJPz3?!vyxSZ8>W^Vz1#NpsJluZ-`1h$BVipj~n$$g^|oE?iI56N1}
zi4#c3SSbS{Y!>rjgw0|;ig!!DtDT2j&W4uDaX3)mVDDHic<YqQ+s}5+<x3GZb2*5x
znahuOx8$<-W#sa2(kZCfpYXkI#7iS=;*RKO2>CuiwIAa8`HHrVj>v9|EKwD4kR&o1
zDXih?)Uz#3eeZ{z#d|=6P4Os<A=HONcnI&NsDC3oHV`lR7<u(1Q7yc8+}oM=Y4ds5
z<oy%kO@3SPZsGUn<KVZJN-Owz16x^t`vLWBZM0L*>&)|9gki+Frv4gDp0B}J?=j8*
zZsGru8~ks!@F$ub1)X{SgfP;W;>M4RiQ66T7Ital!0r^V%h&c9udIr(q3~{m1se*k
zN03TQ?{z$ic_|2%tO1+Nq%bYD`06V$b|mF{B5aEF1;S=6HsjqQ)?F*X&ll?vGzYM<
zc85E&9wovi>k@=b)}?qSzh{qeC*CZXjDH82D6vfJHiUO$1PUcdKFLm|sgghP46v<*
zO)+(0&a~U%37vv|yOB~E&-_e9&%7Eac{D#Eh?&;_KxqQn!yx}a(WRj`Y>_9BUW94z
zMM4OBL-TCLUX_ZQ*@}ZV#O^tsHbu}vquV0Ipalt?%^{NN&LpH4BSSgKTY}_PPI9^6
zLP{m_Cn5<YpGL(yAAnHxIrVVOj6uI(SSG-CLOwphB(-xsY_9e(=s<Erko<C(yK`>?
z7I{(gMP5VL$U>xPKQj(`wU2I7wY_TK+t$Ld`Fi61LYN{wxsp9{)+4WuzAJ|eu>Gv`
z_fU=GWapCSn0ProvfF)qG0lAd@vwBh9v#g>e{VANxSrF4(PzfdW8g`({$#wWwW{^T
zwW@uq`q4>WA228t43avU%UC{U`s$oSq_g=i8>a?x&IJ`T)_1;SIGz{hU>@DK7a(IY
zWZatg#jpW3`>mTgr;p4*T-ji=xOHo5QN<Z;k+DBg9k@`CMHLv_urX^<KQ>kIG;AuX
zizPsOx#N%HvzVFhI=u&z&p+aykICmB#TQ~S`bY6YF<tnhc=gObj(7F_<M^Vp|2Tfa
zIe#2K>D)h#ACJlNAIVRX<v)rai^+MH@t8fpedrci<U_loWqJ5dp-01LZ8&2J8h8a>
z&HjcbdU>q<qx3LQCjI9BhTe$L@A_}(kH_c_{5SM8krMKgv)GmVuIiJCv(KkGILD=|
zY(sJMUMoXmA9NsXGNz*srtlJHg!$7w&OO$v9UnJ_7O+A}aJ#R7X3Ym%6h5v3TkP)a
zLC#rMYb{<jBdh-=QMK<eJ{}EYnQi#@cte=jVhXAT!b!B`#a%KmuR*Ecufq?170-+?
z1lU6aUd(@=1QI3u{rX=D5>eh-ymnRIXnR*#+Z*jaR|;42u)3g;#((5_c%n=nENG<h
z9$69#)A)|m#KJV5BfeOe#!qBYEKK7$GBy^b@f-2P!Ze;DSH{9Lej?6Tn8r(_Pb^I1
zBa#pc(|Cydj9L=%()f>j8w=BTk9-^p)A)#N7GZ4_9|&f9XsdWd#lpOzVqsoUX1Gi_
z6jmEYpo)-x@9s+P5h<PYrHE%M8HnFRz3F50CheGZMAc3hLl0t=;7+(N15_<Hr7@Q*
zAZvP|w`KZXj6Q|av(AK;w~SBXtcK>N7!MzS0c^}=8Q((8YKXH<#3vb*Jf7zliyx<I
zzc3o=?jsz;YDjLsN{3!(SMBZE7>BabR-0#AjUk5B2<py!oP@@ts-aW3qqvP&YYo)(
zcKANm#`IG|xheKBNoy%l%eqeTj?=J2z%tZ+;cLX#8cSQKPLd!!S~{8yA8(=ASVq1!
zV@ISCMBo&<sSlGSxWk`7HDQ*II}M>zjAK?|dNt;vbJ)1}w-7zbdt!`sn6frjz%;6G
zb*Nn0R~b8Qxiyl^bBXCcD}8k*dR96l`Fy|Cz>c$4XP+S>QYz0;Lt~P3)vjIN$5lHh
zu5(S=j7z{2p2NXVZl9J<%IZ*q!}VbuZg?V-y4hLos&=@gx7nU*V3R#R`y1bx%E~Kf
z3ci>n_Zy@=sC>6D{uE#@o2>0?Y-B4eLyScRDm>3@&sbrRUTY6DE5VMc?tu<P8QHjr
zw|0!gt^HL0L%e$p^`m_K<`j2eZ}-6WO5VVaj(pW}MOmFXajQrBNLiWCeP?@KFkE$2
z!Njmf+pY#0?18QJ;S}NC+3e{Nt{v9l&EDzj@6m^M1l#Uz)Q6`ap}LeObwi4l&5%dV
zUu$)*HS-R9-@V?5cMtrDh_i%#ZdSA(8IR^XZ5y#+0(?XQh}_$G?jCI$32?3lZ3EIk
zyE3~$U1}zF2Yyv%ZEjg7=RanRf|6(KHroSPDIWZDs<Lvo#~!xts!iyr1|oK4<riw;
z*AD+4*6U*Rx0;gYWrWT2NZYGB{_mEjz2mXhBgQ@O9e4KjdCBet4P@BdtQ|eIed5%B
zVOO!}>3?@qj9*5Wmz&sJ-m6<}FOY?aEX99-`UB~cpEtxIQ&K`Z(eGWB#a@py3!_&1
zPSy4s&!TgXdGt9`kWN`SHqqw3yiY=HpKei(``5C<Z&&rXPDj3;d?+stO1K)#L7#9&
z9{%aAtlUoZu&p-XOf|3{_3)k=IEs2uwa+)us=C4Er7)6NSj9+Ss~G+s7=bR<gN-Nm
zSw~Y@-C<=$H>PAoK5nc_kc}4OEMKoo$k*>o%GW3MLfKM{x!1E9EEZyW85QjP5SGY{
zQuex!Ejs@N@0gVL!fedG#aM@sM>~mGud#whB;{jVJ&$)tm8$)KnI<>Qw5$?Y4BYA;
zbNRZXs=2;Z1C5TgR3nkoJa$mZ@w5nkf{1v-kcPw%{Ul%8Paa2Fr?yF@w)sZYJ~O^o
z?Y4s8x4u!-afmzWyH7l89yC*|eV7&`@o9ZrMJ1=kD)|}|CrvmRvHqiKyU_TmUYTO{
zBX}*;fg0?!*LA4bt^R{8|1i3Jk5*xxq5DR!b`lMsy^l74;OJDOOdYb|?!XCU*3dld
zfH@CBCfZk2%SYKdM{bH5+^s5kyVT%8RnJSotKkkDfIc~{%--P+e5d3E5BksRTm~iB
zilU<&4zoozd9`oJ<brX&wl`n<UKyC+G#;fag1dc#+<F1}bW5_eyiJ{|j_h3aHowvG
z2qaFbOn0|!N$}4`-o6?)y0a6u4^W&^GZTt7S6Ss5bh2!i=DGA_qy#`&oi~)=RP_Q>
z+SlzWbgD-)yrHoPcpsbCt`2<PJMe(VelYM|JGd+NU5Ye#&j@P`a1XtqE3q<kW$$cb
z=Ap=Gh;oA&c;tpWgN{=s$0Ns45~KFp*nE}hob@ke`1JV>RDP22qT6mmPs@W#f{Nv4
znzz^Q)2~F|{C#?_)`|%+>qpu<s(u5wH98{Sk3?T)?a$*g+ANXVc_i=u8QUY<Ga0e)
zKQgv+wUgedhon*0-fKJsQZ+Od4l`Bb6=RarE8^824gPEb;b36D1Zb*y1xnSUfoVcN
z>}kFe14S%>`um`~>7-@ZxL8f9uH_43>^FRVi>a=bZjmQ)Nrv5KncqgvzM@mOaZybI
zzo}7-Ts%gmD7|k;!OM*frT0w^yxf+q^e#@vOPNdQJ=ukq>4i$~8HIS6H9_e;djekW
ztx$T;ufWSf5=`m6h#m+&P{)D~(gVT2En~q)>4D%=D_HPpdLZ~>m<3;=2ZH}>V!_wx
zf#Aw!7F<OS1UIy@;70aX6<4M$A_JnV92Qr*i0<zrdq7IEQ%fX~&L8VcWR<(s<LquP
zgO*G*4hs#E6w@GysOi*A#;;#9Wx(5aT*eM~kQr^PJ5pCX7KU~WQYAL#vMYsxVSi8L
z!8>K0s?SMU%UAb*Fp6)r+YtS=s{flo`kd6Yv<PJk=Mmdz!E8Smf@po<ZDMNYonQr$
z#G^=Hm&Vu`r}HF_Pz3q_BC^;xF^-O>Oq5_11{fj(JW}P6Uy8_Ecw{_sN6I1|85WU$
z7Abk;6dw7Uh&)fEgltGz#UmGr$OMW+8CJ3~C`-c1%5daI)GP)QuRmzfG1!D{La8my
zQsdkPAR`>QkID@9a0)X7zhGvnYX2dQHDKb^i~{ZJH4c!jJ%#Am0^@b>LlSL|w#8Th
zuB^JCNiU+U4q_S`IA>$ifbwOA*OZ5kpB+Y@W<GwHnL?h>BiJ<VQcxz|9^(fr;zFv7
zwoY=9yl=gS#Zb*)!XlE%%YAl4UIf9o$R|ETaSx)Rek-mb#6=Y{iH*DVbad4H-^n+U
z)~v~-?<JWE8_aAM{$FH!^eZ%9bU`h0J(9+Pb!)3~sUadif641l)n=z|vgjLxlcaD;
z=kV2?=9Aj0YINAxd=2V2J@V)gVqT55qhU|}k;Bw~ZVX6fnSU`yWPWHeO`(j3P+g$_
zal>d5MuK*WkkUiG{GI9W0vzN#s9=v;q9Kc5{=n~VxmB(IA%Tb^bFo-!^?%r*0&0Yh
z$HDrtPNKaFUyt;R8d8YeKTu(6_9lPN&?7AO9sbiukqB2rl*6Mz3(QN0AB25=<#mjF
z4|cR4AW2{aXeA|<z-6g$H8dgxUdqfK`Fg?``Pt#hbFnnqcqx`zwU5Zg{Dei}q9Jj%
zNIawv{_t^h=J!!OJJtBvNya-EN$|1QbdL3nea1yJY_oUydy1if`oRMAUEq4lS_dkf
zb=+IA6#Qp!c8`xNV!W#nV~hHy<jzeAJ=%==whU~KvxruHl$znd;U2@8!U9|ZX_orE
ziK@QjOefwUXQK@S(AHsxn%&_4k$jvCI7;K;oDYOmq<<V<?O?_ZZ~b?PxuL~_ZAf>0
zsAh00(y2#&RJ9MZ#`=AU#@Q~~B;HK>CE+hRI<61BHMkul%v-{WL_&+I)vH+5GTuNv
zxI+s`;A~^|bF^Vt3=QiJJwU9zp@qa5+MamBSfda@(!gGQVHM&F^cM|^Kgb#`UoUs2
zbAJ(M9{PdI7D{kpFB4two(L^vnfgZi30{zsOga|Lm=}IAlfy^mABP&yA&lkd1s?5J
zZzvC9j7zHjI#G>3MZIDayahXX3w;rjf*AM-ZukqMQUUsUxG86dWOD}^?Vce+oxTBX
zxc#XftwVYJq>4@Q+4rgOb65_;kweRqw4S8rVSSHP!mLSdNR>tFd1)v%s>ln+6Z3DJ
z!iZKuO+V@?q2zIwVDrL(%(za|bMmvXc`*YOPTjXCW<&pio;-zjeZEbLLZ+ypaw_h4
zr^9&fbLx$UjLr1yob+5u3cVFe9eD~=8M`wMW^}Y{F-j1qQx_byxoo!Cm(dEsOVl#d
z+4HrpslOW^V514{J~`rSQWGh_aAxg<GW_*ol;HwP8CGOr+`O_ITw@B(ebZXn*I~uv
zGcmGBdd@VI7nTej061L)PR2|m#8^BV?-+yQ5T6nD>No{}HZlB=)vIHRn*ytIXnf`T
zIFM0#K}m~A#wgIZu?<E&l6oWE(w=d!K!4RqJuP3)IRyFg^~{4L=2H-g+Aq*<&)0qg
zx97l3+wWC8A0qclS?)&1XH2A8$|!VtMwr?(p1e;z^T5?;uRSatUT7$15@^UX$~;C9
zTY178Si&(WD2Pawh`f#Eh-K?xIfKnqeF?7v?#_Od6=2qItpx`;l0mSMZ6spd*ib-_
zZ*K|Z_9F+y&AL*~{xlLCIp0P+@<9?&5o6Aym>(70<%j)qYd@pnX%!GlW%?_udfR@b
zcHXmQJZc3xjp;UH)KLNt8Q!7dScC6;wACDBcgxyy%{C>iR)r!%tNjaE!(Us++NcjD
zqNDA;On2Mn6u;sQd>iLKODISe<~>mUdyEsvgJOIXqR7a*FuA190@RG?j_3^Qn(+EI
zDFx&0Avm>#!me8lNUPtuS9{n6BI5-UUlzq3gzLaTy_lolX|E8=&?_v>U6kery=sDS
zHK*DJDpd<ip@dfw6ndE6LvIo}A}ZJeN6{WmBN97ELX07DSjy9;6G?o4;*o&*ow5HK
z%7zZ7G~q4u3dw~8D|iB?e&ZP>5+o7dHPHl5<4tW0w1ad4)r1yEp~NARJe7wi72>k+
zh&%{wXtlR$XweklFxuRIM3{;Z4ZFu?>@d5-6s+db%19NuMH)Jt@!+S_|F4GwjwLjx
z05*z^9)#+ZMbtNP4zYKY-raZ)1%_hB8CqLuBxP^<iY{(H(8!0@5HI69&{`;B`og8G
zY;;w3B+f3wDW6=J%jhW|KA*%!>KmDHG5HaGNeVwHh5ssr7fRuqJB1rbU7<RERrUEa
z*J)hD4(AdU*oPVVuM6s{P{jI3JPtB$s{0-PY)WVUY<7hd?(DyXx~bZT)M$ICEKKeh
zZ!h7mrQyk@m05_f`ZFS41zb&nhZbc)x|si`t)d2rg#~?4l)gJ=3q51;krs?Ui~b(7
zfzCCOx(GB@L0$juwEXH;>L<BrSh-HeBArvcf|Mkmm*-{yb*WddsX0y3E%S08o0nh7
z7xf0iT*c<)&@>rN*q4h@Ceudlf>t)J|AdwuTN;dKcT!L1^9*K2u&FWlJ6as~E7~SC
zlm|~JScReEKYbl_MX*oOcA5JT;Q!G8@W05ye>w4Q`50v}Nz3ZsABVA_M;_~OR6!EF
z)~~(#wDd7v{Z<z<UyUQ$!2{!T(K5=0Ud@iO0s!wQs(vr5L^m%yA>&t^`*M@JiUp&*
zURpzw5!h=FG~3;^W1YR+wH{|OMI>V>ngXX%;8d*t?2RV^MQaEf3E};56xUmTDMZ7l
zPjk2B-GJ362Xgkpp-E-(XnW}0LGR?{q_G#w-3P&5Kp3cA94|<_0E(9hmTp`XMf*h2
zD-C{N?NAiSGEQZ5hdQMmYP4q(PeNm<UB+IZ(WD-)J}(PZSZK5WMqsEHcKTIFO*Nw$
zpKw&AP`>dJ3*|eD)U~i|^k-AgYw{wl5Q~JW_90v1Cs)gOvI)&c9%_A0H9O*OM$H6g
z5Zl@s#-5s%J4BmEXBB`michRk4Hpk|DviUqIEuzf<23qkG+LlEBMt~vb2`;7y=2h~
zm<^?Xivp~XQSFhFq@}sPI~JDPhRZIv5?*ki6~ZbjADvC3E|ime-T>=#pvGw+n&v6r
z8Ml8#13_!h>g)H%2foIpz>?GHyM~=d(VeuhL3Bg5uwUih9qQxE*DrW9oerv;vzQ*C
zoHrfJdwLF`;0~JLDtSBMMD+q!xUmU@gmNC>M2{2Ec0sWpHB84mIYl`rf^8_nL&TQz
z*hUm{oxO-c&wPXulV|59W}M<hP<Y_2VxN+-xrk@82$Xrju%Nk*(d0Y(aGH2dGoR6z
zvfRdKpj9}{p8l*%vl-0}!RH!AGv3*c)2!n(GZ+o6C{wA=01d>!Y?j1X%1NexBr46%
zA2JFjr<lblZU+S_mhv+R*O9YkYz1}8sidiC|4j`XtMXkC^86iCz8{dm)kv;=j`=TI
z67j~PASWXKZZ*W4I5q+3g=Gxt6U=imUi*M~M=^WpzG)40Ew-ku=e#u-o|ss1$3l@;
zf69Qd_hO7JI8cN)joJ+ZEsP{|P`?oKZOd%4#;Jk`dj<p1jp-kks$mA1uT63~VC}rR
z$63LS*{j-?$b*z^9r^z!;po|pD>Y3JQ`<#ID<RF=E~SQkPl1pQLQdlRy-CwbNHb34
zle5WEH4{<|q!4KsQq58Uc?n_#j&=BYyBianpr^%UZXYqnO2BEw1aI~MUoLGIJb_Ok
zhzdkDZ4+hPPFc4?nBWc29Q8)3_PLoV(A<5&UQ#F8*qU^(@V~v5G$xG0l5++`?aoEi
z%puf)@d2v;2sAgXJ}SX463HtnXVX2*wA1PAZ7Anvq+~V5JXW{%F&pQ38Eq|h!LNm5
z!LndB&7;vYR?pdkW5>o!@b<8IZ7Amq@L;ovX2f{3cMSjg9Ua&l!9GWKWO1b50Gq$B
zs-0w01Ec*tGQT-r1Fdso*VG+2nTibvs#n9K{kXF^81LIRLhp5T9;Vs$yx_M=%>{^r
z-`!oQxf8`l4j8C2kr&27Ph{2duvx$0tAVew@?B-+r%a@mFNd(-Axrjs5LRwNIg>$w
zBXAGk4y255{oY<+_B>H-B&wT9*G1RA82#0ZKC^_;qXE#m#=}HAII0%|&GQ>;YQks?
zYHn>;z0v(QP)px><J7=6^E*d0);wt@i+lxVhU?iQo9G*4c#Gc;A}yG_7Z1py<ZXle
zFP%NW2C-T3PA9>;kucAYC&a7fFBn(YX+_-{E$?E+vYv!O!s$rJYCHH4B&YF?#e-Cg
z=>+$J4w3?E9*FQ@s|i!~G}ejQ8oDdNXVArQB*8)50lg^N)sCP_j48++%zJ}*r|y!m
z8+|20m3GkZfTm>v_Rp>T3DHZ4!9|=w(^;fuSgDp0oDR`F@MW+M?mrWg%N2;{J!s`S
zW<3dgHD9U8frwbqfYRFTi$I+FK<&}}b}YBnoJ9H26@3d(g?eT-i4-<I0+W`f-B=pK
z0UjDdg-F5rxw}3>-Tc8zpq&C=E7a}NjQb!>8<eBo_vk=ok<J4-=HH)!<9twp<9u*z
z+Y|?qPdUlSKSfEZILUZMk^qvoILYo9$z7Zzn~^|(zJKK;t79a0aFR0^NeW1&bCO45
zBojHw;q4@g10>gTl9@4*@tmZIk+?vT#z}67k&NRcuQ8HpkR)=FK{1k%oaBBYX(U<p
zrm=eI5hEGFNhX7&dLPNMk&}F%8m$)>C-H!Uv`HEcCcq!OfEqLKYdpS8U?cxmeDQ&=
zf2a??jI_L$*K!5W14$##v&p|uFpq9y9kLpfkvsVOoHhI~mKQT&AA^J`JlL`MN^ldX
zTy0yZr=u@mKLNXN$u6Yt)Z2R?y>Sn+gIjVj-f3Mcg+@whOCK?xAx(|7w1fia_jK~u
z)?Gr~vX2u7U%r9#2hKzvZ-5sFH(ih#Dr5n@zlp3VS+uA%Rf2z}LNC}{1eCjhVpT2k
zIWXdb;UA4C{~b_^7$Ulf=Hr|LQ}ARxQJF>nRHWwN2bDV=QG1jZx-esROYdkH<~?vM
z)tBQ|p8KNmr#yX7{|(hNI<!NG@nEs??7Juw!7B!8D5oDX!~pmOy~C(R7D(*hL`sE>
zoKPzM$4QYSQAIhBByt9tg+3QU6@Q8MwPgF)xWkw$r-6SaDkQRleGrnojwsHtP+US;
z{X%74!6_ai3Y?jX@+c%8JBi`}P#6QZGG)Q-FIJKc2RiyHi|F1BbjamsMh#z0B&=nh
z=G3kBgHf3>BXJCT+%j!Awnj1G-4)$`U0aU$#%^P#l$MuiHzu@vBifyy85LWHC)iq=
zm>;!zOv$WLho{812EW;2YaE_b;wYG*YTe4Tk-fI!d$5*&@O8=6V`fjqFWxwEK~i2?
zG94rv{1uQvtL(Kk7jz349f`C8c75ycRGYfmSL(Q7dimW0RW4xUX0$%H8$?$Hx{YI~
z9NN7ke`E-v&Gog_x$e;($FLjR?$x6`Ht_3-=ImDH(S|2QPLI(MA2Q}VzcHmg{D#lu
zN;ALxQM*TU?Vxk7sl@4*t;5ga(zz#2EH$aYdt_>46*D-9%^f@1G15KKgYr5?-$a>5
zo?vm+kXVktfyK{>#W!}#oiVeN>N!#hv`$^^nL4v{qR%k~{5%D@jQ)Bn{jeLxjA8Vd
zoPO+0`Hqn#(<iytmLNZp0*%D0;Kp9;n_jkJfpVpwTvUDZjh^XWxYtdlRNXwKxBF4B
z+Y-3Vj`|DgYWyzLG{@K(GpJ@Zzz$QLt)^ZBR_IWvk=MX3I^Kw?mZ(;jI&!C!PP~)R
zQ?3h%td8P~5Z^dFb?S`iAahq#luw;V60^P;DQ3bUVoYi2B!_1htAOix7HD7XC`RX#
z7m^rzV4+^C$EX;@lJN1s_R>y_fvFB0sIa)!9_JKVNcgrzoSPALHp`dCc3id3)X*c_
zurj9ZY*x=}pgo)~wLP>$#^wjK3?Is|oz8T_Wh{4E@h;v3Ja8<_zmAsvr$p5pJ0MlT
zXAE;1I<4op$3gx^40*USbRY+tv~2O@(K^aJl=I|iSc>lszM<eGEF9(QiH`GWcH`?y
zE9H9P8dwr|QS``H^1>lK%+pOmI<{=g+>M2#Q|gg(C`hYkNcZ`9RxXvC3q3fO&78}*
z#0823(m_lYxUi)g%(2E3#~H+N@!yw#*qlCva`yK|txzqELM&<{!T$vm;m1I^AEM`6
zf^397{QGjG&DUQbsSO*7nXg}ZAqf-8c@`;JaI$O@<`Q4vqr=l-VSdEsB18dZ97aon
zYA&b{?{BVt`+4x7y4dKXD(U+gJrqw91mA;KG*1{wLcwxW036QG9MK9uXeLXO$R5lG
z<&6*hPo>c_b=Y-qxR)};iUrICw^orSc`uHR54NAZ!3J|C77!Y%;7|VkLLED{7ot5T
zeO*-o&0Vmq{e$t3JybHd3g|!lGeOpW(s}<G67Jl8Zc_DCRrs2Re;<BAoJZIOvuf$>
zHBRc))ZzEhhd!$gz-Mj@R-h&TV{FmC^uJdNx&Y##@<$<m6!FId{-7>|?uv6*-Q8JB
z601<}O3i+xuRe;o;n#QpbK*li2LmC=ogJ(Ok?$1X#Dj2UrN?=iJ1clUBIZ$qCmMlO
zHCiTGM0}rXm`RcO(MT*(Ao7t~L>_4hHZh(gtjV)Ccxs58Maf8fGvZW4EHop=S|WNO
zq6QI+6_wOXk&K9-88Kc&pgii4CU-DMU6v)GaY;!Klh0yk@UR%FD2gF%P>59CV32eQ
zi=%ExabEqkCSV2nznxgBD9~S`MK|kt;VnJA*+2NMtDc91KYI1zB5qe{o$ZkE{swmX
z_%jR%kbU7d*e3oV<KG;wM;%ZrGa&+ulYb@cw$jH=XQ=uL%9Hl^^U#gmTF?hta?+?n
z#I)B1aL}kjSsgUKmX)Lge?iK~nJ_)ZGjEf<(i7*OgOSw%1=WGcL}Drw4Mrn-D0vN7
z=Z4mf%|AQsFN_%gTJtMnZtuZiH25JI*XIb2kitWyaE27VPzoQ#u5y&0tER(uHa0kD
zQuDEcL`~dD4=$?92Ki1#j^OyD@Go#aKsyrMIEC_lJqwi!uj>%$Z9{k9EDv4w0hRZ4
zuh^2s!{F(~2leNmU1(2~Dw_60=U~`Fkt;RdVVeUROG?cXc;SBU*Xx;vdmL=m(CDPi
zSEfw#%xA&Qz)~dX$$Jp*#R;$~rlX&sm`{1i35bF2dKC~Gu1lOjNM@`-EQU}G3oW-R
zK@HjpzI6u3m&Yl=*AZkA&{pkYN^ucV&~EQS3hbxPnL;`7oOuAu*>3MdK~qaKFLIha
zr!WDk(5#H+T0v7sH1~0ub)3d$(wq$%>X8!>jVH<QB*?W*#wZ|Umvd@)k`g4T{~8PS
zP|V-0;}R|<&S{);2`9V5<XkUkmJv+?r^(?oWhTwvK|{HJhYeMc`>Q<noj_RbJ$Vx9
zt7h(#1?T0&`DGA7$ZvYGvX3`8=L(t?M6;07Y~(aWCQW~l`(&OwY~lM9waK{A%v|Rw
zhMSpt@u}=;a6}dC#acWy(p!|l1w4b>IQa-OgAIaa3DMX&%{81R*Q9wIG!fkAfbDpU
zR4A4tHTz57<?yeJ*D+5a&4Hu9dnm$qiU6#C^<dX~uy06=n~@$V{2w6VD;DvScfm<o
zQ&JY*P2Cs)Y-}hCk0B4Wet#cy(Yw!O=C!{N&xIj{Dd<&yLSG)jvseO7AUpx*hi7wm
z4IfElXM{V1BrjuZV+gYc4kuH6(3X?&OFt&)NaBK4)H6ShGI|+|h_0IG4syB+d2Tj{
z#k$u*kr~+&cng0|wfYWM@jTfBzJt4Zy^{=3qO#~`6q=1R3PZt!z%Q!bQ1qS<WCFAk
zTF;3b*absS9Ltl0;#k{@sz}dC0*$d36d0u;M8-xh6vn9Iz_lOQmWw&d{1ze^|KbU5
zMuNy7BGNOTf-**Ct5zekhtUjZq9KT8ngyDOsTq*9pN-@V=pK=o$0%Lj56{G8k@tsC
zP7kC2(OS;yPVgd)Miv!Sa~~+9&5?XI7@;}XgQ|wK4%uM5EMb*Y106^=Uk)Yxdo!ml
zpofx&)q<R-y0ffi@T_biD>B8%>da1AtvHKi#U7#+$aYiq3NZ}jjAG3C9%Y1?L&z?{
zJw$aZU&V_c_-;JIT7)9bmpueuau$g1e?SPnzjh-b`);O?o*5tGTPXOF^8$G%cj9Z~
zeAxqh!RKF$Pv+j3x+V|E=qb36lLId2b>gxXLj;nr2j_Ap=dwP=g<K_L^GaSu^0L5X
zcVBB6eVhw>a4r{cE`JkTHY{<HpJv<(E_4!YIKIGUA6@J-PT9wyO*rIE{eavJ)W$v5
z4EmnVGhh$ivYQiG%dST)z%7LqBPWRV9LXaw&Y*nsOFzLlL&Yowt@-^XIXY@~i|_pE
zAvWJnIH+jO2znY{|C@E_JBV|3i~lRu$@Y<LBadCroW$~qIWdtHltAxmho})J+!(yK
z_Q889f8Rszz4-fHdZ+uJAWjct@S70>NsYR*F=AX;k^!SfD8Yvqb;`=4#;UJ?X$_H!
zIfHEpzh&?gF}Q&kbR5CFI69xOevd{+1FmfgkP)~0dNu~=WC0W^s{73<rZLx%D{g#-
zqrX_|OY!I8-#D!Fq4><h$6kA#@x+%{6<!;ipVLX0J;sH|(@GZ0pJJDywOiig<9{5x
z+6Dd&9YE*@p9h}-Mem-XlXhY8IntZ7hZf33#jm6DgLEEMuX`1C#n`?BU#|sJY8d#%
zG|Nf2APvRvcZUdB5Yo8m&8WYn{`UNb3n}R@x~*RbAa?$v^Z8qx2kCUagO2ldI*%ir
z=jG==@r{ppFl)hqG`BRDN(F$O-d0slaH;jpSnMwEKAybs*UzBFn3qIfEIr5H6Hpy6
z;Ey1LTNx0u)$r0J68<7yAAqx$5yqYnb|lb4KZKqqKC94-!QD#DMwAjmiW-@mMRFb7
z*|(-D3;#pK*E3fL`VnuyglSu0nw6RXAg22tFg$U%G~S<*58IXk&=`eUWh<L|(MX}3
zVR2lyl5Ker40!u$U%Is~798uimS#|I+g!+TJ^kwq6+pE8%)rnTatTtX_+EMjoz}D9
zLn#yBvpoa9@xOun5XevU6>ViD_!J4hU^7)~Y%szhuLe%TeY>3&z^Oj=K{n{;B;?hy
z(zHLx8sgbff@$rxk+s`IM1Mto$x|u*Ebubp8z}xc#7Cw_*AbCV3Fz3jQ<*REe3tzS
zB-ew)_|FQnKHN9u>+{FEZ_L+MK^NNC=U-xuUF4Gbg$jV2@I_hFx3Rb9Vuxt~@DV^q
zZglKwvn^Yy#QFHR)r(_IZf&zsiFa)iwcukAowwlkyamxB#uCVe?Ns-IZ>ee6eqT!_
z_Al2`<M4u_<D7)tY7RmEY!<@~L?1D>VgqVH3*o-G)RJyY6}Nb_Z_I?yqecUz&EDlJ
zKowqSld8BBCe)Y!8K~>5cT!2wqC?rZRe}%OSc_7HbZSxfkJONKVE>3QjBSFAr?UY#
zxBQg|$J5uf-YZ6=c(1sLo%<cU8r6($fD=nzoR!z`J!At05rX+caMV_*xd#mt*+4!d
z^H1@qGFYU7g##?o%;QYHw_8>k%Ikv4qR#^JlWe{okt^ZY&^o9*AB~QGs5gA$heaIv
zD)B#<(&12ylN#zB{+@<Wy%DeMI4!E|@X7O|9WDq<gYP%eQKRlqkTjiFe}wt~HE$fs
zhu*gd^vvI4)4wfLW<B#?r=gm?eTg9RSrG7v;PQW>WkNZB1%T?L9+r6taxhvsem8Ko
zTcKxmLo;DB@>3o$fg<>RV=^Leyl1?zo<(KmMVVhu0F?aU-Xy^srlI!n_XH~LZvNhj
zblQh_$9A><a#-PXoWRERRT4@?XRBM*iSemt?(7ZOYS5h{SD~q5<NBi$5C`9NYWq=u
zh42V4v@b>OSn9$Kb>FLjU~BU{yk_7v@T(n52)~kFIGB464tmgnUMOcFSb@ncK)}R!
zjn&Ux06p4KRzEpZKTRC}3&Ve6cpl-aIqqgSug?O)mjQ<h^BNz%V^YvEzS+nv6@+UX
zXdz6{eS?uN$wyUSJcX+jSUm*W$(s(CA33m1EZ#r$%>88AeV~kNVZF8*oTvxX9~V7<
zsv`w7g+vp_Xej;}igyq#)*p#SI>poM$#Nc$ofj3~tcPY}C|rvJqy3ChR>V`_tFha$
z*f=+uU*)b^QcCn1v`4_6`3jSnuP_S#+Wn`{Af_XTH2(|DNirU#DIJ`TeW5yLi+1?F
z#QE90jBky35D7<z(WKfQcVM&KSP%CH-+(6gBQ0y#J`uXsa=1an*!NP)3hr;bc$8{u
z4n|@v^}Uzieo+2O&0O@DmUrn~Mkx82W9Q2!o42AGa3=Xv6vXUTSatDg?WnGYKu&F(
z90n13%@+2^JdCz7w!UIsvNRNLF>O#**T}xHLoEnRfc<+l*yigQTF9-gAMJfNt~Nk7
zXUe^C!Et)SU)23bK%8(t$li6MgQ_?~3YiuXt*R~hIYzDy{9r+SG{p;>LM(sM3vYl3
z8vws>-wJC<z5mhCp{pHQ!-8Ll&#bu%j-JHRHx7pjvGku8SKpkZ)gxdl>#@x@d*c8^
zwhR#U0_Qiy8wkhY>FN-K4MaCe`>8Ca+NRI6E4hue38ybONlg78ZVk{A=e(Iqi8t~G
z+3Cz`!mEd#a+z<T*043<^vm$gExUV{=}+xHTNAD@iE;juiND|gor|MuMP2N<*s0=~
zuhlpU*>kb82+x|Z&!r5kaZbRyGH|i8f<2cwtJ(8OXB~S!?_9>7uR2$-=UdJ&d#-mj
z;c4+cYn*8S@X_7FHaxLgP(e1>u?8zW=npU;IQB<fA95YSYp-;?;uICWz}H5=hl8I5
z&CK1+ts}Y-6&Y%n>>6h}7&5DEy!sM)F1oCbJ%8Am5PuoIrjNH9S1d;aoE?%O>g@P?
z!qK6sAg^`-DC(%MqJK0lYDeyfpe`#;tmbR=Ydc81#zlwlpucDzBb@iKe62Au0-1|;
zHv11P0@19w(Q>x{8-Ks?pGOoiQhp{jP(MX<U2{BXzww_teeXu@wB$ceu%4%8%^#Yd
zYP^Xr8gu9aQs1B)J3TJQiKj=8j2$^ta-6k+*}g?x(2zg|QETFsm_Wi<g*V-TYY-FP
zh2yoLgYg(R3$>m2IRhBC)CC=s2S8e3#i*~L2VcCcrgAPo%~5>cJ6U|<15!NMd;Ued
zu=O}|pK7#W66)5%mr@?E0<+F@>)?jnf4ujV)I8UdaB4hc+>B$;&-wcD&ylyPZK1Wq
z?O>+rZ~qMl8PWTBa2E@1HeNxH-3kYd_j+5*hv*JL;bI&>Q`5;zvXBk^q5T%LvzoX}
zS(t(q8=&uTlvT%{5Y6kOZvZf=#YYc5<sJp@FeU4Oz-YetBK6mtp$r^1lv&5O5oJ7%
z2xaBCxrpqKNEQ*Mhy^@i9wNG#5t}Gt3XixK5eI(}DYjC?4Lpxs09E}F)S!*sI|3nC
zx(Qg`LYg&*7WgBzpg}Yf#7)uq+jW49Qd|-T(gzr)%vE5{*5!V90fo@tUP2_dbCNqb
z$r~ogyC88dIL_A}$5NGraz=m#o)p1sCGuPJKrBSEZx}Q0<BLrXbJib&HTEat&`L%#
zre#RogXgf=%wZ}hwa>KAancI0EkB=c3w)#0M-p)KZhucV?q|?5Zv@Z4*VhL2UaRVV
zr%$<!E0GAD1B)E*Qcb<US^pD>L4JeD`cy8&7gWCcI7x_;TxXKBJkQ$E$KXerLAl0(
zf50V=7$2wZ1tSf?lM6v(&WYR<`5@Rw$35;#MGmm?*ioEw(m0)G*AHpv=4M)CucoY^
z``R&UMM>>kl7XfqC0vsIhp7x>;!H6vqMZEH=>wabxcbJw1fpyK5xb1Ul;<p>>Hvql
zAodU+L&LcB5m=YK&7m&XVngZz-Pi3rRF@ruEx8zUH7FF5<8JUWGn+?jk|?uKW(jcS
zKqF(E`Q4Ik6hDVb&pxcwWP^XcUfPY;vM#35XzZ4e4(y|%U};EbmU%IfU`n50#PdS;
zLLBP$40C0;oLGX(w>;^=pIG!gW^@514`u!ba2b^>xE?ZduYSj~jB}DPl_!0JCmn+l
z@D=XfNUN-jSM_lzL+!q@q1c)^748uPTm(|H#50kVaR&N6yLTGnU+B9RXwehnpB@<h
zkz<(fpg;0HJ`0J^psz!O$eCD_ig`rfKG4Gb7-q)CYIKFjE8H*L=s*GTlvVqT(~uaS
zlG**^QNUk*JRkRLY>xBajeirAAkAShSGBod*@J5kV5QgMNPcOp`a#Mfk=N5d!6x!0
za<a5<@?!v5H(?*0V>vvVQtYJa3uVp~8T%FyU({r@hxaF{*ErRUoGL-7nJgs0rhJt0
zct21Es5o3=u)P2Yl$sHO82u?q{0R}?$k}$ZLfrFtn;gbFU$q!Vld!Nc`WaO2S~ktJ
z>~~t$^VGonR2$|Kp-Oy;G6WZIuRw~>82Iq~UM{%asm35+f$!q*{Xcid=&G>Q%cvG}
zQ{j^P@nwZ@)5Lf{5MvbgTAlwZs<G~O*3VL@?D&g17ij?gVEycWu>Y$ZNDkx8^AFwR
zWLM+Cp&HQ#o&vsa<MzFqm}%ofXq^7(1iLKtgDH2+2X-hcSHXS9nA}L2SbRNv9)c>~
zgZVw3v{!oPv3;rA)li6X%h#W4qGVVS!}0^UeN<iyQ&sEbH2#6v%o^?o;$!uFSUufG
z8kzRbVC*m(rAv3j!HX+Vy$&`VGWBFAxyK>suJggr)LmgTxRHxSVXLey>y1aBit1JO
z*tM863(`>X`#+pdPW}n>;ufSDWAvi7)aRucm8_gOuYy3;^(o~4=$Q|IhN<4fr*V%q
z-4OxZse#1IdNpOe4Uyn6h%L<;M``gXlsOSpT+vL0G#J*S8Rti+ti1G?byDijVG~1n
zPE0|9&>cvclLkuDAj8`*1z86PQMDH&(g=7SsbG0e1!n9b8hrnIkVMa%Ysx%|=leNe
zlN;*_dZwT9y&W8Ikb}2x&Rd{juEtD?I|E70lmCw+#w_k#6!{s|?#h2(M-`^$%m#$6
zu;dA<au+zhb&eM?_yGiH<$Hm)ZR+mt$!p@lzoRCYF*xS-e{u^0=^NMCgokp{SpmlN
zF{`JV76sO!IwSi|GL__kKRG|;Ik2BK83S2dgvZWnv1{&(9~h%kU_jH>J`XY`w=soK
zy^`G`-R}gu*mg-6gBmwsXt_>5F20K0%SZ2g{5F7+#!vE^1L$w(L_3k5b3f#Y>;zNH
zlXcJ49Y?-8uN9-K8YDLTMr4(6je2AUzQ|(ZuX|^IJ=9%Qw#B|L4AIqBmhl(rj#$h3
zg0iY}dW6gB!%51juo%zMd;!5u{8TBvtbS`!86&D8ac#;62w3t{l@C}FQ=hO8{n-7;
zG_yR6?`D=El|>WOIF|xI*THo}dmd+}VeUi)q9dNt13lxQaWVRUs%>J6<NpLH8hS(v
zx}?wmtkXS3iv-Uw!ac^_;6gJw;v1dGDM4~FF`HY4hjo2~Wwk5`RyKq?6O8qgnC0g4
zU}Y%9k1qo1*HT`rFHooa3+00g-h2<Cao6uh<Kn{0Xczy6R(je%!lu~N{*TEd%ZX$s
zk&J`wF$N;bsJ#rfDG$(x_U@Z-FQ5CyKr^m`!hK(XaEklw!N|tk*3gS_g~)+anzESs
zk*)Wj5cFw)A6aCC3$!EJ51xU)7*{RDvP^#(UszAL8u8;<JQir}##xB-X7BNxH%#~B
zU}bspeEKZnU&rlWzzBYQlo9y%Fy8?@jqZ?G^j9;{y{CcmwfczWp~Y?`_k{87V@L${
z;OyVc1}X+FRy4Mz7~2sQfKE@rv?yr^3ZMjslMU{?`X<(|%=O$)m|;1ApW+yU`%UO_
z6Z-bbcnz|l4ia$L*j#)PgfE7m;7%N~NAI@~UoHiX^`CW$p4+_6fjZQ16-Kblk4{KG
z>46h_t55|V`!T8?-007bV9~7=C=#xBgLWDYkv-YRa8r`@11k*sbfpQ&Lj9b<-TucU
z;bZ<7*1=&)lP`fDhLg%V>-X3JHh!iS36<4tz{J=V>4swPc_;?Ra)?OZA|axyfwB_x
z89U%UB+^2AI$hQydONp!n2!6C(AkOACSx0@&GCq;gSV1=fq`zDida)Khe)VvQA~&k
z6$T~1$M<jjj}cRl%yd2i^;Q4l`a`GvyZ`Av9)1iG-v{GEFTNHPXdDlrT^5zWZcQ}e
zj-mGNbl~Qr4WqroheK!3=G;)AZhTwdgbq(I1|vj^;v29^kY_k}sMm(FX+DQ>8V{vx
zpuuhME6(Ti;Tr$@qo}b}zaZ%u#^-qVXl)+lbqc4lFkbrQ>Q`Q6ypKrTcPR|n9EY;1
z&3FxAyr0jRKFveU4U<ZICB`#6l!o<I;}N{C9Ypm=cYz!-f>_q1-Bj$xn!BmVXa^T*
zD*8c*O-B6Rn7!cc62JGBjc44&h#MwFRpAcV>8KHWD!lI$V-!-T`p|={xiswL4m{-5
zwje6rxC&9;z+7hqE(xPv05R~*N4&b4-uVaWxhcLY3UCeIxy&h|n`P;uH}hNHsJ@C}
z{QE8nXN0-fWJ%P(y%q4pKS5`Pznp|u{1OCSuf<y!Z|<AC{5&4pvPChlBOSWU(Kv!y
z1=V`*By1g}(PcNIL2V@eihB;|Lu>rGwY*e4w*$-AY-!J{k5K8wf$=yoQVwdWA2f!?
zIMR;dhQ?7~IBpM2_{sQ=A-H<heh90Fao!Lv%WO>9KtHQ#Y{!y~H-4He<j2UJ2YrQg
zKl)S?_r6YY;zPjRVC~g5U$6IjUakKo!5d$Ug~~Z8#$UlR#|C#p33elrP(hMMYZm$T
z8mV9T9Z6l^+_PZd_ptHq>-0gt5CWku#$ALrrO+-}ig7X6kY;kQ<*0rL;p^Z*G|q9y
zPJvAydqxs2Kj~#}KzB*g#tuv%&#x~jP<_syjb5x^tf($t)T2kJ@X?~OUqy@QCu1F=
z3-rkoVA-(c^%_EW8@R=-O-nVNMrh5$PVYl{pDiTmNBgy=BVX6=kAt9t*yoD4&z$=a
zX!k7EQ_LQVpFm;t5C7*I$^XeZjqKkNNQ^{gXJK0|xF5j0Uz9F8qwc6`bU_c4eW67I
z)Hq4Ak*Z?7>ltz-sduUPJ(ik>S%^BAhPTkYj!<E0ql@(?@S0-Y{)FnAqSCoBkx44u
zsyd(Ucm-7&HhQZQ+2H^*!vvfb*h<4QWepvy3%U9LOd8l4IGU^se+OURm1oy0i+)6-
z6I0p@AmtsMxKL}RYTGF6Kyq}$gb~zJaS|9_2e{@_bCds(lpl`^k47Y+K~gYDzYI;`
zR#p|q5p_BaEZ~9bALuZ0{FDk~0$ZNLr4Qtlyot3S%K0(m4725&j}?=CZtXv~<3M$X
ze@MXPux)wvHt)o(WV=w-JX^uUHsgz5Iy$b?=lX4L(=-SCUB-4m#6c~?$I2rCc>;Tt
zfuG>BER|i9l&|~ysdSr8xibyk5na#<+n!)#&}tM;h0oXOao0jPl2E4Qp2T&uW!m+}
zz1d&+Kc;$M;-@Pc!P%p19E&Y>{mLr5<vTsp#ZxzS%ttNeJJoy?v#2HBt!;5D8}a|^
zpW*)o`zB>0_D%ZjY}aezNl~rC7tS5^?Wg2WI^~AO911J>o3QJQo#(CCKiT*tzG^w?
z&2I9)S?1R8xi9SrkpEE_sz{+wQdyoh1H@>ZEHxXgtpv+3Utolxs#NVL`a=>#FCTc+
zeo`w;)hbd*A01%+J=c!dQl}0H<;}O${h2Vn)O#(X0heri3d{RSGe!f>2}Lchs$ev1
z`77LkH;r@aNXd7aPmA$DcjB{&b>IM6VSbWjFrZJ+&&A>1VB;yQHn30EwePW@t!+Z%
z^`h_2`F&-^htQtXNBX0Wm|i1316OK1)OF!cW#Hz5Bf&O!K*}Qxh6_fD$Xg*TAVe9r
zV&RRTF9D&I9Kr2M&5w8oH#7$J645CV+^AGX#_j_9L3k*GBW(G|^e5n7!9FP~e>O&A
zu@I}3IhfD6vvKv7vak*ew9m<W=?R|@H+5hW(|ZUvs3BL<aAnodG&p5PjJ_<f|6i!k
zoA;nX`+=I7ZuU)YZ%k{AnW#(ZaVbXo1N<%3_yKQN(1qk=XvG@AD5xRT(ooEg#z%(@
z)Dq|w33ikx0Ug7kEb0e6%YHW!ERuA$JsW%9z8<LNq{w>o8TNHei)P%2e7HZy_fxJl
zd`t%H#okFTjj$4=AjI|amOY>U3;TW-ar%AxPWk_@+xL3tg}N^6J3jegSMPbXw%8FH
z+^5X6GOPv6<_=Pc%<gZa-Uh6*ou@H17%|4cADNA(CY5YFeyd?Pv+*gg@na%vS5Kdp
zZ=8t~+{EoE({OP|-pE?A>1V`j`Y%s|BK}res1i0Ew)z(=+eB@85{~a9FJ{vR!KQx)
zn?4;j9k&1NR@ihqv+1-W)XApL>vf&pFKW|6_on0z{D$m0oC5s9jOVN*qZp}K7eoh1
zFh(JSLDr9~_%MC!pOZZ3oe6IHr*3;AdKfOooBJnb%+r`LpQjqvB1NZiU59c-1|T}>
ze;LOPk^L?c_WK}0G5fs-p^pq?-cNkq=t2u@PV2%>_x?h%)BAd27+s>H3`o@3PDjr-
zVgP=&8|lc4H0Ki6Qo6&7e=i;P7cA=)E@frM>LMhzpA4KVQf_D^t%(~@6z^8%KUn+$
zXg*o%3HyJDbuH#yejDv&pHnXzZhDfagh8PZsieCerwF)I^wUEp+}a^pa=~@m_+b*E
zbnqLGSH4eTklW#)8`-a>w^Vm%Tp!QCqjccs(J&T&@C^;vre!xNi-r?VWI_DN^~7AX
zKsylm08GTZ4zVf9%6#Y5G)q0`!DWMKBlV$G)yIlh@iFE8Ycf9P9I;DTxhd2KtKqm$
zXB*HVKw(bf`z>O0fn%toUHY)@!QE~}{St%5+fd&g-&Sw;B?out_rxpSqxBte_V%{=
zINvGSr}c;W+duuN!`^OhXsb`a#;Ue|V1wOgt53p79J0}Ft<P*2O1t)n7dtD#a&#_t
zZBZO%>REZDJwcF?pN)D@YDhm9gc6(u_SOP@3cOJlu3TCL?*r-&lNc!GBIc>27+bNp
zMZaB$vtoygKOsQYJPDN({FzzS<QG1Ztl%)Lz!)3v7i+MTmNfL0{9x(O-)Ly~el4Gq
zelF0ybBFR$L7z6T)onjQlY%^LUJB)vkGxu5H@4SW#*5jX{yTd*^6@{kr^UiR{+IT&
z>9_Xu95@lwXZ{!LX&kEg|Jj~yd6E({d)jl?Z|rG(H#E-qnowrO@<seD)p!bT|3B<$
zH{{dVo;sNfu%~C!%m0c!J&!p3zCES<|JUv5T|abfPhWrzp{X&J0NJlC2-lC>Q>Erc
zL~~o3Pj5_Tk~a*Cijzw?@^bGaGN*emV2#fs%$#B~p3Es!APy$Kig#7dQ=z74PC?UX
zdZx6*;~26R7g>664Snd$>-C{4VdK~=74uds9VDpn^D6QO9)_J84(r-0KQt{RX76So
zE3$W~bnx(Y1mGq0@`kQu^J<v9fw*IKkK2xk04AuIZ@cZAJ=)|}<EEu#o%@HbV7B=$
zScQV2$8?*13M0sFj`$s`#ruPC%z$>${jh%+`<sme2)YMu&eJBR!Vf6I5v5Z2rmXNo
z@u^$~R08?2TR>(HqsYA?2LQ$9!?0&PK9TI%jCgea0Si&K-`K(E{Fj(kfGK177+8w+
zQB&XWm5omJi_Y5f`Rfg=Ibpxh;7SdCOF%U4)p!ftl<L8v4je17CW3~oc>(Pg8qtR|
z$K%wjdLDXiz7v~_xS|Y4r7l!4DaFZg=N81mjKSIR4%~d5p1|A{YHBRf;71mCPk<o|
z^;hkf(P1YOtF%~3L(<`f4b1|jKD-DuSMw$q)r9@!q?(Ds81^Vr86#0+pYD{jxeteA
zjUQ{G+T8jvv=V%cWWv<n;&Y=h`FbNwATPpsH<+CSr<*R94s5}!3{ztzcq7@S&<&|5
zBsy}6eiuG@ot=u)evi4cNAyvGmmt1H=lufqp_Z>dzzUJL4`a!T>Z<@m(K6gCz$}1f
z&e~RbyRb(q6CqNCC}ZJ$rv5S8^S`qnr(%)g59VVtumnjm{g?KmS&&=iV}JkOvmXtt
zF8&|qV?maf*^hTV`i=cqU_*D<i#p`<u_+6LnlNs|+y4*yu@#E~ykGF&m;0IaaM@bp
zZ$_j(-kD;~jnQvR<zYPcFw|L|14eQXVC+ksPYYO3aIw$)H3L5e%m%O7w>M$`C+D#y
zI*vl$L%h{Nn<_>-q(SJ77CZ2Lh8ICvn5CY;hKAO_6ejiBX~=a0t#(qNm2!kPN*j#E
zbB|D$%`3vOlA1?BFcgQmpQfjM*4cCm_#R^c(vtr*bw1{-qp63(Ut;$=9x^gnzw!Nt
z*wGL17-PYX|9-*El#6x<6EsA8b;(#~61#`UxE<P!D35||%hTp~MfpDa&@A6gynLxB
zP~=ml1Ecw2Cerc%t#|S7-u-PLnL|VC5=dv+KQ!md9>DDE@(_CI+P>q6jCRs)!x!Lo
zADu0nO#yrpj-OpkEa4GxzB3Swb2y2m0C3{&Dcp4+&KR;uYrZ~vsIaoEQ{Y~)$+)EN
zi1GAZ<gL#u$0C&RFy57w1sC84qY5rU>pcNpc+a~KXYHKYCg}1|&g&nXZ!^v!f$2m5
z-Gm45ae$zI81(EYz|nhI{KZBIkH1HX|D4AUGS1`iH%swrd3?HI=keD_@sIQPE6w<`
zr1*Pye3tR`*G#^n?{}8(X2etBpXJfJdGr!f{2@HK%earnuan}>=J6gg{s}4m*gPtJ
z9;We)%nljXa6XlsZn2rqPDY2x{aHMIj1>PS#fLJ70_KMUh5<m^j6!=9;+rhI;<w0G
z=8Z<(AHrrPS|SCs#vIOftkKZSiht}qR{XJMzPB(o<BG6pmyTrBNA12rc<+z*njQ3Y
zLvl|B$NBnJA4R81P9f%cq8G=6(W$l}pXHq8d0>gr-jg%@3nCsw1UibIIT%sKk8`Oe
z=8ZS9xFmP+Wba`2l691ic>Dw-mB)|b@u!)R{)@*?GTQgBl4MBnf2H_P&RKxPS0o{@
zHtu0?UIo)PlcBE2AuPr-SI@toA9hgTI`q-6$5_Wn8oG3|8d?R_msjD{KE<ZTM%whi
z`f+N4F`s2TuL4@I4?H`M4%HNB>|;z8cz(#A;;}a)ikwUG7ma)tg#}d_Q`aIeLic6D
z-8>3OE8fK+H2fy7o_X>ptGW-NA=J>k3i^T1D_Fvue9(ZP;Do58R~bo8CSdd1no)=|
zmc)`G-z4MbuUKUy^W-DV<kNWaws$Bw|HS0~Fm^U@R#w&ipTqEWfZ+@RhKkD6n4n~w
zlmcaBjtu%7eU9SwjndN6%dIrEoKZ_nXc*<`cnaT=d$TTODrKc*DTv|>?}{jj7``%q
zz;hU25R`Y}|NX7~oHJ+4?ms^tne*(|wbxpE?X}ikd++~H^^25V{`Kn-cv4iuzq{%$
zQ;y!xD^x#;VhBpy$Td%rWwf>W1Ib9|E{W;P)1XAtyn{4{@>rtr6!k;i3o#wPc#ph`
zN1@HJ;WrGt-nLUX4-(P&E!E-bAJJOwmNDU>cQq(N&rsSqlvRF1WjNf`AbY|yL#SZ2
z!be<<Yr^H!2*zm@J4xYw+__1ssmAwFjepB8B<}UV8SV0EOC~?}hgvwwf@VE`F=n!C
zfN(cy1h8G-){XUT-1Wg`g}n8oHx3d}=$>Z`R9OqLCE*G5ogFuXH!W6To(Alz!(?0A
z2D|lG%hpnArl?vs`f9wuR~^!RYiOY4hST8&n&EbiC0)ZrVZ3MLP8o$pY$HBZV-wuj
z-q!ED0W{}o5Fa4upBl$1*>JxVvX&~t4evyIbq#lPBo7GxOtK-A4n|n(?`Wu{t=nR3
ztqcy&BQt*n@Rr&SKoWH_S)DlN;n5T-?P&Zzb#%igI}$!!OJ2AUEj0foOa#8Md6zWN
zn$!h(I0|Qa5>rnXmnmj$O*oL9JG=c;AA|Ptp(|c&KXyycXI5On=Gm@r#f_AQ+Fow<
zER4r|8388j&rj$S&lB8K`-yL_^LOX-2C0jJ6?W_n|CK#K^FTA5d81dD(=l<@Tfq_R
zCENQq9S_RX$@%(WDtMO{Yf#L1bHvyd<)}{fRJiFTSOO1HpY-TO4PVHP9|a?I8;@;w
zzCY|w)_&u{K_y<z5`Q|@$q`FXNRI%U(G04YxQ-cq0Vrkggdw^~SvW71du}4W?BGo_
zHugNiyQZVK{C5X^qx+#?aJS_?WywU%n@_#S-R_6F`X2h>Nvr5`sJqa!I%|!kmqQ%`
zMWm&5^vC-;wO%*$=fe3WNrx#*R?}%%_Liex(A*IZ7M<Ui5H`Xips7dDth)gb9CN>`
zI$PdE0JxXjCN;9QaeQvlZbH=>-b_4|-AD<C#>STT%2w4Y$fnneVVzT!SVIrd5X>bp
zK20+q3gb-eUi2}a4P(7rqZStqEPGQHXnAq-J@M2i_l{;utajQDIk38*VN2b#|13%z
z`kV}@kOv>f8aAgUABfdohED?U_s|C4UFyHdzvcB8;=4$`!2d+704EnxlwU!KX&vt|
z_H5XEY2CDjMD4WO`qWNqsF;@NTZpFUz%Q-L0l7>E-f;Ol-Qb7hJoRcAF7fzwPIhw}
zI&b+To?7m;v=8DLrpmUTm!6*~*n@BbS3;lhiHIGK1fDtJ3G7?ZJ6}grNb&4$upe1}
z_LW`#U{^XKZ%l59+pcYp7H+K99wu)PhVy(yv!OlwHTnMN*2L5=Ghd_geHEh@!rw<S
zh5~=zvj+aYfugAK;niw|XgGmV3@%ADok9cbQ3~RcMM?3Bw@(O<Z<Ix{ID=`uFqQoU
zhiG&hYmOG?_hhr|4(~VEoXzt6E+W?f?n}9yf{e2(<17xZs6Wu|&!<?sZI5)|-}?JX
zl>W1*|Fhh;83?8IuZz;Jgu{yI6{8n0{>qZ^FWIf}*K?=q-1R_ImYBMcf3xEd8;PlJ
z^HW!KbNOhqd?vEy?2M)GfBJrBkS{=3YAch>e1v>1UfUcVL!)UbVHx$QPUr5j>y^yc
zf@DfGT_*vY<G2|Z(Y4^U{5AiYpB=+Z=ZC^`-@u&HWDb@PtRy!~xPO&%8WE9}Xc{L3
zHg=Ul(Y4wmHm<T^VgAds%H){};N)g2((@T_X~<!<#@h%*G+!IHbcLt&0Mu}Z!a2j=
z85pU=FBZ3bVbXN8mErOrt!0*`f`4=x-@fp48cB~{l4yFE?D4^NKgd5*R%^SzT1bxF
zC-gMT%|Ar8o6o>Arv-Qtz*gYDsk?w@=MPwPt~JTv&Y@P^t#YMw8liH_R8H}K#rD3V
za;5xygvvdna>taEt4UGL5A?v;+>cCMocVo<R00~B*N1bu30pbNK%tihZ}_<<CD(U8
z!q&}T99i|p%;7+Yawt<qnPN_&sfV%g4eV*`4*!VPTj3dlo}o6y*Z9G~a1(gouks%x
z--wmF`9OHx>t;G3uBI$5qr6^i3tvP$*6DuPwkvQZ3>P|6&+A_l7C+b*u~&Q81?c_J
zdm6rrHa#3>;{=O3=*^ypHVVaxSo2Zwec`<nH&X3`XX{S9s(N^Re;tS#%i~iI)NzsS
z@bST>wqI)1JP|&_H=1a=o1*@(hqPkm?*~s1@4)jQyL53p?QM|#Wnpq2r3rgx4`+Ay
zFoVcz?<TzEx=!|b6qcELUgG%zKl`YsLX%cfHE0hOgx8>Zc!|eX<9qy^1P$_?)xKl?
z%Ms({o=0ME2^(u$cw(_?QdOm%BpzSD`Af$i#r`Cx)!!)fx9hb+e+TybTmAJ>ZR>At
zv1*H|{>%QhN8_8I{_ZGNy6fNT@5AEw&M8(s|Nrbyr%pA#iR$n0VkO0c{Tuk)Qta>T
zR|}|Fi%$5@<LijG`jqF7S-BE-PN6OA+%uUZNQ{6>d-ih)*4->*v89JvBRL$7V`{Q|
zs$-Up@G9#TKk{RmcD5ft_kQB>RzENXG&S2Nt}>Xr6n+eEKvu9ByvnYhS)-`jDS}s%
zpgsID&UaHxq&jsR??^Po1zTsssvt+un{v;uCO?9~&pn|z8NRqefNFNP2ZYU3bN&KV
zDgU3qkNgZz)V#>e6+=c9HJtlZN!rfB@PBY!MfEkD@TaPMyw!%Y!%JO#F<43ci#qCm
z&DGb|sMSAP^>skOW=5EG^~ErBoPW|XY9;r-|149rbf0|!5oclcdy3i3uNRxFxjJg4
zWPX(#NUx*}Dxt-3+Btqs8I1wS<`;zVnPkQIyP`Ep6dtNViJO$zI}&hg-2IVZ$^;!+
z;16E0&q@ZKczh9STV;5;OA--W(tyx+Ng5tS28Cnz)=FDh$G*aV#N#1hW`k2xK*FIO
zi96pbgLiaef<9j5Ly~Y1*LJ&<=Se9P)&4{sta2$hsM8H42)*!J`;aaZj^k%Q0PK=*
zG{4yDn85K~T@^4U@l@jmz-eqP*FHxZ?P&EJ!nvYZ1SW|6&O-Vjj<p0H*crhaG|s+4
zw`pumG_9rzd^w=$g@!9wUk7RH?QgV*>>VtXV<NwCPRs*sT0z2T2TaRol3pd%O!zEO
z&0bbA;bWwhsAkbTQ#*vCSUa`WPW`j=IUv$zc-+Mvp>5b<r2dVN>gDboC2mBFZ-du@
z#y<jh{sK@4zq3+3$Vw@&syYuXKZFvz*RXCLm94;vNIUY#&}Hd8<@!*^IzyrTCMNBH
z4{U5xt0`kUMY($iS?BHH_pS3;>ilI$>gFj;3|3_#3WeX4&GPW6sFn99M=O-Lcbc#Q
zEl#vn{zfa2{);auJp4N%(C)CW{XG<R=kGsZw&CUot2EPr*!)}H29{zxi^fY&Hr`fK
zcc7o3fUXganYjmruYM7bqaBdMkKQZjrRUwj)>qK@goe5sRu0cp9|o_z53BdDBJ=TI
z%`UV1vSU58$eDm6HEuG0x$@P7*mwq*Y@TCDK|8k~$oruk;0XBk@JYIq>ENQd+r#zf
z^j`M9>S<~Prn9Oi->VpG@8m`S&ec15ruaTPN}wW&_wY`>SJyO9L{VE5arYbXa7x$u
zlb4JeMUhYA;lIP9op`ul*D={P(a@}}4fDCW)b=}Qg%pN1x1PV@3CqCU{Fcpq8~0T<
zTtBO_o-M~)CWH$xjm_uLQ%x)7FG|Ty=;>w4+Wdlk9D%gUdf_1J74RXlbL7*=&MWD~
z;U`z~M`DJ;^T1L5bV_v4KiRAYweg{#8WS=faGW!^fepl4hU5oQa60YVbPxbn6hL}F
zs8Pzfr0^o#ITQH@leAIhM`9RLBQdONwWQ0hNYI^$+TS13%Z-0b?}i^*?U{x4?kATP
zsKwz9H<Tf0Z-CEr>+DY@hFzw+sWx!57%_!2g?VxBZ45Mb(FDG0@hXo9f1(6L&=7@C
z4%L?D1Z}@f>>NJ^ZjN{g+#FYen+d|r$^S*zz_?L|NY5VyhZpTFhPedW(sq=v*K%{O
z2iow$7u4G=2-U^mD2*f9&}wu;86uH-g?u2{MwOqZbqvueF@1ev*j3e6gl8btBfcEn
zcnxI|O;1q>JX|g3$-E)1Mq(HZk=OuY>#MI1ds7XpJX<}P{KT+Zt84S?4BV-Fi!2qR
z|IYY6&+h{5y={!|f=M0YJB>M7I=-hd^YTBS71^VV_a=RRi*H(M`x~uQm9%!YTI*KQ
z+E&Cew7*V6c<Qd|DS{$5@@<Og*38NJ%+~ylW+qVTT1x5f_oBZVxZA$CtNI~|vV}3V
z`nUWD=i?ZS2!h5lB!36p0MDg@XD9^<qdRpg@HG5qv2b27yA=GA3jVaD;2ah7OA4Ms
z!SI(D*CqRLwl5~95)V{Ql)}v3SZ(-=tsGx5`zc%T%#$7GJHMHiv9&1N1*{D6f5}2B
zPGn5x8ecJ=9{15f))r5#jUQ_9$<{Pb(r(kj@KJo-)LWTlVC{+})Yv25%FVruX2L#8
ztmX06^2mb>L3<@=#H+&J&@jcWP_adet=KWH*ddC!Gx@iv4EJ9+z`k7o>@R5B;Wu4<
z^KM1;-}|fi`=`7U?KYh5iik+zPh1ysU6C9u*sje{u82*Fv98DrSLDBoQ0)GeP@pv|
zTG)h%!yG2Artq90kjc<+n-Y1yNAP{H)L=i`TDx}^FpzT<jiQS^OpC^q5PBE|3e51I
zWQX4dq^zw*(GsQZ+E^^W#DTw*cK3PL-KFa8C+aRYw^d`kaglZX3We!&RB<3D(JhTU
zO?q^L*=SY$49W1c6ZDCuiFBoVs$2DU2&TldI2ze9JG@0x;$8_!FHxtRvuj-kyRjk|
z)QWFfGg8j*Ds5)FTsm5p`eXT;MiXPo>j#Ws!(rerU3+)xkGm`7IM+})(9qDGof>+E
zHLp4BGN#*2XHfS}Se97M;<dg7IglH<Y#~Fr6@JU#ULqfI1IN$}i+Mr5)XaIpu%c7w
z^mUZ$%i>UT1J4wgF~HP4Xf+PZQ|Uhf^T$-RnQ;%5!&Vk6C+*poc~V+a?lCYSIT;RE
z$b!#_zeLlIG&8a_<6N&Ff)&x9sxl~Yk4du*H!d)`9P7&Lp-gd>+~P`x3n=0m<e04*
z-0`>#W2bBI!eWE6gu?q>gD<->yGt89A!_gk#Rg}HVBCM^3h!_YmKPh8X%yDE25)m^
zc9k~x=H<qCrso{(ie3CE{r;6=!py$;g@Kg0eus7HHyagONil%x<1#-k?eN>K!%D&R
zM^|japA8uYON*r_mTi>&$~2Nvi!F6MP0pcg$BcbaK;%Y#7Fvg6nKoHdx2Yk$fzsJR
zX$l=qAsXq=&uV@$<Li6yJ1IUfdrXJ_@_QkDDZiylS_qgN;c5!BJ>c|9W~_Oz-*1r?
zCAsLw*5x;9Epz&^bEJn0JLR8Sn!jBH|6Qm2cbNdi`phZr2kex8O-FvV;`e`Iq2Xr5
zq7ZtO$q=sp1`|ofb<|F_W(wsBGM`b8LmGq?3?*NQ-d!@kzN&JPh!m<rScD-=k>6p3
zz-Yy2^>=hhe=Ak!2K6TwR<XZ+CGDK0A~V&_5fqUf#3erh^Dd>yht(km^4cz{SNe~w
z&&hP9@`KgJWlCRFn(nmNtD42c0~fDl>b11w`!?>aY^az;WM;QHBt_Hz_CFezrD%vb
zy!JAh>SN&4(*D4m6wE)^@%^s8@9OwoqVHQfzMs(dH67p2>iaUjJMUK%_L~bgnM~Q@
zOoE$g*>Nth^Xv2?LHG_pVOwYitK=rai<O$2tA#!M(evzbo;z-wS3eG7{P8h}aZCv@
z)@wo7Xsys<iJAK?tu<2?s`CzOY=NJfyP8&IL{+I_nJ@Jx=<_f>nLp>y0m%O&&DwhV
z*rhQ4LlD`?WBf&EnzcF(g)X`#ybD7(+FmjHefS2xnThmZhVo#(y&Q+Wp24h;)o04T
zd<R{~3BtzKT2$2Gyud~!?j;#<0j07hvo#r>-z0#>)$+SwmYqwIV4XBie>b5E`&Q_N
z392wbzjOCqVdL8**E4~cL&CHrKPintrQ{F7_b@y9Jcmzn1#d#Q%To}3)e4Nmfkhiw
zD)O{6ke0n+l<I#?*@Cb=yc}=4kZ{Rn6P41<FH=%3E1_;XTRwLl%zlm<fnqcUh0m_1
zAwnjpj_}wXj!}6Gh#^V{-UxmB)_B^(5&Q;?{KUIHolADYA6x6^46*=AtMQ_Rk%Z&P
zF!<WT6RZW`BfhHI!FRmDhtFnl_@I(<jeR66U4+o6a8MDxA>m*LAK>gZ_-<8soH=T4
zvi&ALP9IN3AB<#ocn2TW{qFE;e%hJE@cgOnp6x`_KOnu`U)l5=zt||Mk=es#LqNgU
z*)XZ^sipVlU`-ccCYrur)HxL1_N@6?h6(Xiv?tA~KSIv+aOfeI5+kJ`PcXqoglAIC
zVZ3K}_Bt?5lpVua!Pa=9=~dB&Vxz)iT`_qbt0^USVMecw{^fw{VR!heFJPYimd^tJ
zi`?Fa2$C-!GP&lwR-fNO%8{gC&s4-`F+~*-T~HF=(thE%uZnGIwmhm$mCc1KR9;fn
z&2TeWuUgiQLe@NGeciGIJ@?;}U&wq+nYCo*ml|-Whd^eYr0_d!KyRO#a^csCpNyOL
z$cvv{^*P2q=OHVMlfS@czVTqmc#;3~`;5-z7RED5o!>B#TPAK96>|`QV6Gk(odL8b
z6%ZlARO~_V7S6j$W^zyOWG-dOp3h+LGJ7ZUL;j9l>Ml}Kvo*^evC1F4XEOT>m#8|v
zA&sA$!uU^nO5>;P{7XiAaC#`5@Qm1@VT|)>-}4zrH^7EcC$K8+rhcb)0?V`@Jw^}t
zW)>K?j)~C}Kg;A|w!91(+n#W7&NWE~SsKW~MQ~33e7X*oT}0KQdyDti&GqytzJB>a
zuhOgRJV3bb_8V{1<(qxyOax_#r(W}BUv%x&*IswiwG$<8`r=@aqH-TXO4o1t)rW^W
zaVX-4@EY4<;b$(?Z#x(~dV$B8CcB@S#MI)hgBdD<rnnF^T+-pc=cb#0!&lvozgsxI
zwR)hJ9nKl3k;CanV!iJtz_1fhlK|*&R;nKefTpeKMBUc>4X}FnDjiP0;F)O{$JnpL
zyR@oAZZ1kO`pw_$_v+(Weew^K+(-L~`)-Jb>2!bAC-0;8f~T2I3eK1crtnsCXycXQ
zp$)=G?arH_wZKq*35+$i4sh8%ek1u>$yz(LdJrWT#P^^U1AgFnbOdJdNkXJ#N;l>P
z=M%jg-k(g<p@w1knRJHU;s<Nl19hBFh1;m_kKT^|ne5E4-CP$Avy26<*=6+L>F)67
z^edA%b4j7r_{5p*elR}+L)}J))NdHd<q&;h4Zq=vsEI@5z0N~IVt2z^uVcCWX$M2W
zw{sqXZ~N1qYcE&xKU(s4swJ4U?LQa-ejN?4gXsUk$}gmpto#K%t>QbMZ0{Rt?;+Z2
z`!n*ZCQZJe;TFn&*d&|<UE6*cuBE5q{)NS3cwmhswofNak0Mbq8C?^1Zt4O`as#g*
z9++35I1LzlMBIXVX)}`7e)iFuVIV*I^aSxy_IXh|T>MQ26>ujJp_5#kQkHF$?IA)*
z`ELA}wy_-4_8{6WX_JN?olHY@*{3I#wD$|w9^)hbdYA8)<bOHJ|C#c??ee{n{9PDV
zz>~ikzK`TY_R%X`xw?{ae~!wHE0#;=p3@v4WFU<FL5*+{+sn<;jg4Nnw;-zN7wO#i
zq57d~5x8!KUz}Fmo(VRxG`00{`$vmLq_{xZMfm^X@9dHgr*g-izyg<GaBE>pSl+m{
zhux?%arR^yUb&}fe*IEJhM(hl#yV;sBiS+j8ozYwCMP73s%RcT3#5Jon+Qu87XRsa
zRx<n&<=}?Xej{$slR(ocVk+T`^U2BG);&y6q_H&?EU2&8#jNX^n5uO<`8GYGBOD4J
z|C^dHZD$8v1})NRPG!MT<~?Kv&FR=;+XyMlZ+d)TW`X~<Vtp}bhteN=1H7al2dBHx
z<wNvtvAwvh$o7e*b;9VBg<{MS)|dT}t@(bj-A7%!D<;6#j}+!b&H2UrZ@T;^lz&Gt
zKUvKGt;?TIe*Q{GZS7Ym{~5TqI8UztVc|Id?|ivtA1aP3#eIB3onL&qFtPMW!${((
zg{f)dhlX?bG@o)h*DwhFk$@m$SXc@B<!7>@g%?932bYVFVrnU94Ms~5xAneE4>k~R
zCk_p>j}phg^(5)+-!;+XeP6({7d^vo0X>?acu;$SM3GgBDdD}!wox?h<Sl}L%X#Dg
zKaAe_E4SJG%^YJI!7-t6)21G`hhBNgI2L|zuHfcKYq<Nb5qmx&a^!B=6Fy7|KXz%S
z@J;2aO%9Y1qmDiqc4s^~wk>Aq>7rYewJ6Mxk;2iHn0f<vW?|EYUlXo#&ZOP)p^%rQ
zHU4HCo(ec@AT^!4XsA#~uA%Q$_H-=Z4Bd#e^H5m%UGRBSM8AL9<aXn?c)#53qr#nk
z(dcT1|5{7u$UmVv*j%_vgI26?l;6kY%jstM*SP%C!<DZ7mS0)@y9@cgA?;qt5?X(m
zT=Q3bPpZiX^0N0j`BL*_A*)_y@jzEiqKaw{6!Of(-kVW1C%$TKEo5D)YVVQdW$%>)
zq}mmQys_$SzEyKlv1WWB>kL(U)K!yUrP{DU-cVJ`S~VwZYx)+lhN;^1uA116YC9f`
z#@0{OE_8WL=-0ea$QwxBrTMRr8Lbb|{r$;ZF7R?JxA%{V;OYI$5N3uSY_fGR{H$86
zQBwU0teOwe<fR>vH(w_V>905%xXo}51&jPm^>EM=M#I{mu@+FnxcjUN8io3B-{Y3+
z@g$Ev+uY}bpi!s_pLL%;*&0ju65rXmYG+<8%pWugGvSS-y6={9Yt;*~B00O|mzHK3
z(SoeVN>*(#Yks-)<^@JNvW_ceA+s9|!{r75MqN0FOj1QIXLU(0$F`PY7TMM#AEQY2
zNp&O)e3{Selj>bxqg<v|VttP0lfP^}ANyxvuDzMBM89!E!!N3!R^?slfTG8cz}`{M
zM89(e(V+xV)ZxP4T8H916<ow;_DNw-UrStOp~Izons(c`@#C=V_XR6*3Y{>X!y2xZ
zjo2_y0-i(sYr=`FDEYx|9-HCAVtXNR7tRP`DJToa7eBk`^UKB0uKGN__$iA??dAuN
zq;*%|?ExO{k~8`3?7cg%7Yg?e&NYqY6x<|ElLQVg>k^M8(e@epT`<U<gZ;GoW>?Gj
z;=kg3vmpup$9=P(h!6j#c=FErH192Nmb0io2T!-sdPh8S@bvqgz5%y;qTg9V`P(be
z@4Qh|tSgNti}D8*_M2_}(WN9Va7<CUH>coUuI1~b6@HsUdlQQHpa>7`F)@w((KGxN
zmVtit3A$E?)A`^yN>7xOZkJ%nq5Neam!Y+eAKBTa1#*P<%Y5men~ut!)-WN_SV2N2
z+oxLGsWW#&bQzRvD;6}C6d5~L;Qp|;4if!Pw0x!L*C_qt`Pf)Pc6twUrwP|UH8yt*
zK9hL*Vs2Qvq$>|ZbRmv#+F9MRz4X>jZpxv92M_LkwQA{clliYcFaKlZ?<Y^jUZ_Kr
zI=c&-Ew2WPYs(hT`=XKct#W_ZK2E!y@|o1+y(cB6PSc>Y(lPSS#KI%a()`-@FI#7+
z`d1yW620_SIkVp?U()5IZ+++5#b<Oa3n$WG;lSfn!W*%!XaLFATyR5hO0`$s;Dz7x
zn1eZypIe5S`ZG_E(*6UVCFo{X!(ia+8f-s~QI+*>63^7f8#fL~Og+bdzfew~y>veY
zBVV^8J!`L2gtyUk+fcKcN&>47h2!Z<fz?faq?@{7Trn=ijfb03!F$nbT7BF@TB&(u
zwSpwW)GGvLQ(rhz{r7<<+hjmD*Z+^qC*WaK2Z4$ltw8~AYjpbFZ+>BijsUX9d!|RW
zo+<vCS}k5I(HURSh^8zQ+ji0!HFVbcCiTFsKS2tpBxvSg&&xp^NJQ5eqzF{+8(iZC
zhA352xl94v8;jAdg*ez;&HfiV=OmgotBM+-^`YT!X(j)o5`RU@{pgdWp`&GgVd31*
zAd*{A@}x^|t25CY-Z=hKM@HCgVPt4-9fQlCNqHyF<ScM}=;f}Dg*h6`UuQ0rsTw};
zRg4xKNAkO1f8O&1aNGbK<_9RWQ<J0|WFW$WlT0IT09d_%b2VM%@fCr2H_}nz?5~qF
z-T7^#=tis*unUZ~f2xf|YUFl+kx{M{W*Pna@FaeuOaw@<1j{@;k>csmixW*vl*rz1
zoPm??dA?*RYzlwMrROM`QuzLt1`B}`Pg9@{77pgSVvQ72M-M{*!m=5N8!lL$W?d}d
zzB}?j$k6*ffsiSWgOG1&p#SAcbXSQY>4cA(aVm4V%8YYm*4;~)K|o>sSeZ%MzdurC
zj#U}Q+{L3Z-xS)08YU|q?o^rPPgK=4qTc%;HXMlsYLeUZC#O5z<l!Fi2r~%(OL$N~
zlQ=tyc@Ec6CEMs`R)d`vLB>mMaQuJ6P$BbUEpryLyeW)bcIeQhdLYi$>aWjHYpk5l
zkX+)w2zGF^Y@!9_=b!&Z1XV|V>XKl)bLZe1b54a?C?_9I^l~64MQ_t}Y<=vm8ZWr3
zdK4v+FNEKGM6le(%Ug@Wi}<ZW!rWW+1uyH0FvVS+M3Y^QiCIX+j#<F)YPs6s?}9tc
z0RkSA3qDGh*H?Stnc$)@qfaM9f+6mFMCTC<7eSxuPei%rYK|_HigFT7XEXWIEJfHL
z&sx2(`D?mL>TmX;9CMw|C9zHz+$|5>2;_;1*ha*5T*mUQ4+3p%pNaI3Lfm?P5{I?b
zUy@>D;oZW6gf8&i98hUi!vYgaRFt0~3A(4@+7uEnlAnL|7`Av_jfOF3tApp0%lJ==
zXr(%z3)ju=LCT4uiMe81TDyUZt`j9)5FeH1$vruSGq>K|QQ5dXmcJ1Wc6RaJ>7|na
zULD0E5S|P?#MPc>#cFBDf~XWub@KW6hEtU^*YFpvnfR;mvG6sjh{+qlO#Uxa4gFfU
ztu&tIl8%Rd?d2N!``c>tekmx)trzfO#ueDbqnO6u1g;Vt1*Jd>*)`S2h7Y8qmE1AP
zrU&w|?I@5R$-~A)*wx(O(fBco;bLJbJ8lnJXln6z-H%yE^`#GqF>kTw;hyC;(uZB>
zMXavdes11>#N#kvLfB;hpY%6KC-HIfx21CT*;7m52$wmB%)+~Ef1*S<Na@Twyy!il
z=1I-0J>G5{b^~737I!@jHc`j+boC_LIa&hgkE=cm_OOR$jt0;)7I9+u6(M!gLRWVq
zR0gN<r`{hzQx6G-g%3l4b|c<okN_5H`W5=5%p{eWsWQt%rAJOLtT*m{ZI9a_!f);e
zHM<s8)}NAmyNKW5Jt9QqZdgw)^7y{y=pwMGzp`Pv+v$5Y{KH<;=*PdYh9fkmqw@=@
zx(5lUjQUN|Cc`;CqlEx(7EW^3bK-1C^6jt{_zL~eZaCs2+*$j3Hng?<xd@Lbl+n#F
ziGDq>H$M4ZYR^vh#|Jm{>Gb`{``s_lv#7WBU>9IPIP*7LlC%2KPUX?3bzg5rmy+Yv
z;p)(_dxW!>ILNW;f;x@{=n%&wYU(zL_F(>TP>{!Y2Bn5A9<~zPg<l&Zsev}cer$XA
zN51Mt@4S(!>r!(;%ptprXaU!i`rWvVeDMvV*?k*1rzbQVKlO#1$CBN+IW|7_0<OgR
zZgBL1U`6dTel_M5Ur8}F*OfD-?#QXTezLd$(zu^ecT$RW>T(wxq?KE{!M-c_QP-`k
zWmC^MN3-@!*~G&_WvQ01PbybiK6=GXm*nbCMGn55t2?zz9Yf)=@X55I`_gYbEtsDh
zQ_jt?1nboe1f+d+)3{1~^x}rKb-_wN6=+TW$=D`M2e`zYNANTM4f|%E|My+UpDNla
z=r4m<4#FpEB!4=>K#KR{escewQ?^{#q|@Rfs6r@vLw{;Thik2t`De4-diZ!+6H}-5
z>fgyub}sAs*O(5+KdLpPJ)C!1hi0zzp)Pw%9~2X)9hO5Vt;wXKMG*kK1l1?ZC{>gC
zEC%vKmVq2z7zj5BAln{%ov~~(k{=4Mqj{~;|HWUyh}`d3?(!|C;=ey9ck7q~;phJs
zu81MF&}d<4ZO1oKM_##H%@s6B96!?O^3lQ(hE}fTQuT8l-|UXmUn8AlAEnjV*)Ww9
zr(3``>m+4cSDI|AqO`ossCO(ehaz?At#Gu)G<rc|D%hex#hX86Sf%>qmmZ<7{*<y~
zAC!1nC5oyNJ=Dyh#0Nl}??xLA|2210N~3mf*7jhF=h9>|l0o--bI^Vr!{`2Ew?Aj|
zh#T-aKg~SJuFw1p7%t9#-twE&IOYPVx5CQ}Kdgawkha=Lw5BE)p;J)n&xOiq#tm@i
z=nsB=0MT-Wa}^A50wXLFLWsp5Vz2E9^QHvg@+ZQ0Nf;B=aA)L42`!};-}pf*=0{N?
zOE2Sye{yU72aG;U(`*smfA4<#H>`_KTxwr(qx~-OX|fKv{%_rve+T9N{rmD~P`a?5
z&N~Fd=O=xo&>!2K5TSlhA>ZNu65+pLCz6t}167Cqh*<o{4w`xJ<!8gAS#6A^*T9P5
zSPiprAz|iv@aKHKrgQJ?x>9{X)yBEA0urpxv8`|9&E3pB)r-O}02mKcXhv5CXu9|u
zmV_aNlxQt4wKpKqN4<b&L#C^}OFP>8p4vl=D2v*AS5;|jI5)pn<r+X*TTh4Q;KfOa
zd42j%3i?dIhY<5dztPa99%x>Fbc|kfxBI|L#!r8VsWa$6jBP43H}o=+I&Qb-O{uL7
zJ=-qR{0Q1|<6@IijbrLS<)Vh|xm&upXn}Jgh|bns^j_?3AgU05C7!-!fZi7FGN~>Y
zUg?cq*|5cdqY2gFKe9%cYIxCNuBC?61$eC_0GHxBntz}6F1kjd^@UM{BS#kSHc@oY
zwD>Ja&Z|*>A#gI^*1bYZ-v%V!RWhM#UgT5rj>%M*cVUi7|HqX3nUQx*c%zC*14RQG
zU>cAggrAslPXE)@8mq!LC?Cxa=-oU2$o|6jC+VYA{G*66wsc>5iexmgJ`2JL{B+EA
zO*uffhtHFck+9S|7{<m(;nZyNBIO3|eHo#5tB`Drx7vwzvtl~tL+S0nJr#0rE&D8C
zci^Kv$*i|e*3UI!?iKvB{_ApAbwk<T6rK(MX$f~=*l2h!1>j}@uwSTx9Oe3JfP_Ur
zn3>G4lG_}Z5AfnMGd(hPh0W?(RdTaeFema)T%@Kt-*16_HLCOd7yooWMyK~Kf~RND
zcn3eqKgm{@cP8Gres{LcVTnkW`uqRMe|Zt>ed(K83c$xY7#p6!0JDv1otP5z{lcv+
zP681uraqi4+#Y@;9TS>S3MBi(HeUL59Zt6R(qZHk<#UlAUcbmttO$l>+HJSXJQAYN
zS0RG#ZRnM~-+F(o;V|0mxXoiSa|DfQE&c(4;H<aA<81ZTv5udnZ4fziO6qj7k7RA5
zS=ykN)B8$9{2*e+N*2SZ_6{sB#olR;`otE8t0Y%*BQO88(_?mhiBB#1y2h71y>#$C
zd-V;UYx}M}cR$~_N(_~;v2bsjW{)>)L4DervR|)2V5#yiC=j|5XY7ykp1tAQCczhB
zs@6Zr(*Mp+So%wYAAW_Q9qxjYWSnkGYOoI64&&u(c=I%(4&A4NKWH-eWRu@elMm5k
z+hfE(RD4JI#{#d70>QE!pI+Fg{CmT9=&@9u`Ps8>&LGggQkUyPluX@eKc7s^8}-18
zew3k6F#`w%3|{lW<Iz-~EomuE`BZsMdxlvZPDx!@mzy-`q6_Lydvr3NH}-N0jp}Lt
zbibGT5szlA@?wh}TX*rYXCg?>s0_#7PZ;I_^^?mCs?m?cS@Yrap!w|FnAoJ?GhX%r
z`gyJXPpRA~T~B*b&ENDJUQY31Z#3@ddBX?}kWFM*0}@XiKJB7Gv%1vxIwSFPUH5~$
z=5g>+8-dwe#rruudCo5ybawW_?x>ZQ?7=ZJB-+s6N#|Hgu#^CWpamCuTXVKMmk6Jc
zt?PauIO{;$Ul>h?{PMGRP6HO9^pqk>r;~DHH-^nR))}A6zxe;fr?qD&eS&5Tr9%v*
z)@q`NQYYUFc;&og30^_(xs{22XIF+>?(IPAkWWYKy&8aU`#XnQ^>fpV4&0ssZZ9k1
zcF4cPt?32D_dg83LrU?>Wwo33c*FL762H$1ze9@n{Zl9Wy8W7$Qx|1;_(6{VdASGJ
zL9j>n+=2ZUnSh$wdT$#Mqif~$PEGIB<lEq)rpHJQyYJP!yRA~keSd^Eg3;6_-yYxe
ze*F;<-`iVOGOAC5LaEX3G;HHCx%MB+{c$LK^dwau*~+K8TW%u>WMGs3QCYd?2=6Nk
zC*Om;wdYWM|4b0#;>Usw2*+&?(c?PQx}tvn18Qo$DadIv&8G9vlVqyiqtSw@fdv{^
zw&Gj#ZfC3t(|o4Hz=MDbXyeJ$D);dhAa_?+AxT=H><VxeUazvb=kUCig@3!-eoKrA
zDG&2G`Lwdc)DeQ!%q6y;1pF=gSdxw;HPRol6?<<3kiqm(X#7|K(%%8{4w)K2J%9k$
zay~UgLtBS@%RfxE@k^1usS7i~!i!+y+yf8Nwz+^=W5Qpe3J43mfs{o|acs0t*sCZ!
zrWy*zHJ<9->hBh#@Ql-q!eh~WU<6ci)_J3^E)@&EM%Q(tw>E4AyuJqQp>XkVgZ9v^
z1p;@Y5Co=$@I~e2=FX(!@YmDr_wV@4;?*bonfso_H%_zgc0P>(au>xM4+w{A!mnU*
zrWy|&svl6ysB>qAKZbc({Q9WYVHpKReGqJRm2_%RYa*j9LEIRiG5fK&!a7Gl!Tt!Z
z-f4qB-o=QA5AHH8R5JqiYI`__>^y^`k;y;}E;og<NJCTA1?pn7Bfvr@|3mX4=zB7i
zz}SIXMBh!}eJ9%IRz3yfC+WM0Y-cAly-?q6^60XL=)KVViEwu5`hIbT|C7FNqrKEc
zJPUjueVQ7|diKu3SlLBsJe?CRV8;Cc46qSd?T3{=7YsFN!H^qy1~n{%<@W*&7Gd{g
zRJi45R^~X$1aE;8BDivQb=O*szu<P2%-x2QaZ%53zAL%^M=D8sr>eacL;?jbreNd#
zt_`!)@%3q(1f#-xT=`{`r}QZ*-R$M=D_7echJ5}gs+Nv7x?jW3Ju02DaOgr$V`Og{
zCCq;J96@|Tt$tr?zwLCv4KCT#-mmbRY$<bLw)lH!cpbm9Pf7_><?~$*zWUsiUU=pC
z*6b+p<I^AUJ6JPEf&!JsbeZrlI7QW-$#Kjgees#&>Q9CsTYd;L5Sd(@>=PHDQZ<%d
zU6>zqqKG|J?4)3MTBb)`uK^~4CuQt~<D(vj@=@$@CW-3NqsPWQL%E|hTk)X!D-|wf
z^w;*YqCV>9#!ckt>Gi&L$m-bK>`i5y*O!G|_@Mx;+_-O>pGe0bw%ui!*MuAR0sHGk
zxVQKj%(nyGY~_Wg4Kthp7jVmk^*<j9QMSv6NwEgc4e)<NqCHh(TdF<7Zq(wYlF3$W
zoHU^NA$rq**}5dWS-oa&x!GC?7W=V{;i}_xf6{I(CNHujRu?>}RhFO^xAt=Vkc&jC
zv8r>GipR>;{cq|DO(|8(J|ui<CLcyoyD<GBDZL7uY51-rVEEsdTm^4l!&eHA%D8(O
zf_(BdEE~mxP*ytk&=TRYhMpq1U@e^|<Bb8`*)9RmtP}8U&qV70Y^3`p+V1Mmg(R1r
zDZ5g(Q-12_)l@A*{A9fJKiN;6?W3Cpb+W&SryjyQL6>s;_0RY1$!&?wI-<lLU~53J
zp?2Tie(fU#xajS;&(UXU;HAE*((CpfH=yfE{WWeY@_E4!)`AXftA5;!_Xj#Pt<o;W
zb9d@Zh75>;Zr8WOI_@8?(MNRuaLQ$L+&}zf5{L;NeFuMdibHxb_0K32)1Ad%av$Y(
zXK{>#L9R}>jyj#-we?g!Lv2|&Bh7&CgdMyy;SD1-T^2E({)wk@8c*suu{r}vt=y1p
z8Z5MO{-Z(S?ZRqqwjKHB=2+R{y6PTU`^sse7IbBshJqR{8nBy97V9_Xf2m|A`4oIP
z^}nsa$cF<~5##UNb3<rcVYh!*ctz+1B1+8^>uTgZ4AA8GTDA&MSE^N{n=A4SSLEly
zft7hqWwImBB;9Fdz9rO*B%!UJ@EL8uB&IH6aCO<=y<1Cr;}ef>koLE>F8l1eV@NQG
zzZt&}!}^YEVn_XF*$*A?p4)0jJkGULBiB(P{9)F>eT{sQJ_jtx=5e_`$Ft`Zeu282
z>OXooZ8D@kQ^w*W=c{66lzEEFyt|OOfK0&|wpZI|ZYINx=Es&$^Iz(Uot{J!E?01J
z|E;tzXNa-e$cNPQhMyWtr>kJ@{s)!a)n)%m*^6EFu`YXNNw!WFgpa!HGMD{3W%qQo
z?^gCSm%a7|?dxr}@!X^ITA)ij)%1JH!^J;D9pq^93H<c<Iknl&WoMMyg#*tp(7-eK
zfQ8eI#_uaYP>wc1;x}my%(s8e8hn%ndo?}gnmxrea4gk7ub+i8-j%MckAG5ZD@9ud
z+!qDhL$qang$_I0lcv%k?#w=;^PNnk@OLm+{#)p2Mfq3r!4D!Xrp!|+Gg)O$r%ZUq
zXAAnU-QRLyw2ZUt4L0*R+JJf7VBl7_O(ka~Pf%iRuI5*G?j3ekl8dREPUIUQUdffx
z*(W7#<P00gbvy&ekoed8ra_}-n`FI<#>rkVsBvG9n<|18*{KV}*i7f+K<mYT&S3Fe
zja&wv3U`|3e^!K>IEfK9Sxvb(^AF5qopqY4p6jxIT%bu2o`?1S=>l&t5T$tmHQe(1
zPu3I|;lTfY&H2=fhN|J+t4~0-;0#Bk{N;-}=)roU_geFD(_N*fp8tI}$d2Qsm!d4r
zMT*%bN`4B1EyORTd1fwmJ95uka_1~qTmSiTiJL__rDZnXE`%`^JfV+NF#TEnEa2Xq
zO0DiUdD%;b$Vk3+S6Qt7JG;8X>aV)U%U##g76_el!W;kiFLh1B?LR(MhSP8PsF4bE
z`-x0$Hdoe!KeznYkB`*HPwb=icD?IbaF^E_)n@BrC3BzGmf7!;`)iBx-TIxfWe-4>
z$o8q#Aqh++B4*q^K5v0S5U=r;TCBVGMDoU4Ch&8m`#FN2OZn;N9;`N%gw6cPG$AMS
z^&VS2SEPd#8J(xFQ?yrcik6Xnm-4ra@(BEBRart72VE@R7`GFxCP5nf->O&W*To*u
zBulN(t<^&>0Wmt{Isxe|_g}3}NnBPvQHMgk@QGgtj&Yi%BkVdw%5V^g6DHyKM?{kO
z5aP#m)E^-rGQrwp^LNV*(K%lFi!YM?Rjb9FxFL0c{y$M#)rhdi17hk638|#z)RY&6
z-|^h&L*R|jg@kZ{H)wc?CKP!Ep$V~_WQEf|{2ZrQa~53W2QMlNb5uC%;Rv`y)8(LD
zpwn$-<RUy24(-SvOTGXbVbNty@s4+753%eE*&d*QAqo)mJ2K0o%pq!EltN*`(-#zb
z-XL?4F`|LmMU<cG$dZRdSymB$FTscH;Yu7MhS5aRA1oj8m}_=pIOEA;*3Xs2<#-Un
z=<tRAb(kE1N#3LzaRg{jG|B-pOESJ%Xb{<hFxXRCsmAigRJ*KqJF?K-6HSUEoAB=w
z_N4p8&kIN7lhkwmgy%)vd==ke>tN=9d5>4Q9S!#06qw(*Wk|`CL1{-U1nV^?PePSW
zfvK*Mx_IskR0DLR`cd{42J`A!N=#YaOdsO3j;jat*2f(T7HEbP*hc!C%vP|sh6cm!
zzmkCdA+h)QG%6J$f$h09ncP&ngljxh?HXP)+x6J+GYg1V!!7jTY@o3IgGE4aDiC1J
zPtG^M57Q&Ko-0Ea5051)e-+8$hNBAjxFq?4y{McH-mtx_NH3h&2?L(iO?ILzq)WHq
z!h1TA%bX66ycetPqOP!&Ff@j#<l=+ICtq;<LNZ`IM6uMASDuJ4<8_`?zR9446AP%}
zHQ>mO$gzz}yRYN)fv18#DwrFOY~jfTi*)pJO^hEQ)8YjLU7z!G1VEzc7EOp;#-r@F
z-7zc5O1ev&^bD&yN@DvmEr}YFMHkMVS!}{wbGeIdc3p+<{ic|6j2h1lz-eN2ran>3
z>1sI`h*72AcT~#5b{HFubm0n^+i;a=T0w>(5jXgna1(;AfIXS4hQM##qw53NQ+$rH
z7Az+FDWWgi4<hjCl*#{!{IDx7IpvqE2lx=`vJb#NJO$NN66lKYIzGOQgz=zu+7|uD
zP3V;xJwK6K!v`8hV(J_GXbgGhYnACJl4zB6!<y@u?tQp~J)OI*i?FFjkOvVH{ux^O
z8Q@bVmdVxkD3A1|xmS_a)_pq1ed{lfrG4o2Y2&2?vd6TDr@KCCcsI4Udzp77$1l^l
zA9F5{c)f7mAkb2$cmqX4n@mLC;MuB9X6Yz~K6|nlt5dr6nM<wLerRUtU|ZV*v$s>W
z?X}rLS=%yUsl!Gs!Pk^6L(!4zve&`ez)&(FrdAIkhpo)q`0X{@%W)&$xkLD3E>|{j
zChT?I<*L&*7<1(1#8ja?yqC^!FDMrM*74b=m1b8s%l|x?)c{B3O!u=N${TV^sfV%p
zLejGIm5Yd}=1!oxZfvD(zo~EAO$9x4^y2!f^&aEo)5{tNP35U(BC>{ssbPy!qu;%q
zr;3MHn+#50xhlNwGve6?4SMF^VA~nyU}nQvENB{R$@Gib58uWW0NnX;a5eHOHP4X8
z-QEpd+NKlSE*w6Vnm1i2eJIS)1Eo6f*}-wfY~$&qabMrWopt;G*TFv&8@5>P`{fo&
zr~8!${_o##=oJmrD^K|=yEun7I)5Q5x)H7usI{=$mm2r<_;Ks=WeA9LF5Shua`n7J
zpbnlKZD)~R2`di=xTh<I(>fa<-3IWNcj*RA3Or2qiqG(w=vNz?=Jj99HFBxMb$t{4
zyaDO#xokmsye)R_pvkpe22ZZ-KRED)FRo2=73Y}LP-GhBB6G=<rcxs!|4X(Ozz9=l
z*is-&{OnW^`HY|h!b~ou+0zFg`{5Y^PJ=m|G!Q~*D(Kb`Km;I<h>P&gq_^FrejCHj
zTWflaj<edI9Q61AKHvcME8$UUDqC^dlWwpKCC2rJe9>m$#f1+(z(EB#_#8i{c?k{v
z^hCd#D^uBvD}xC`@*pnq?>B~DwtnmBcV0=ij38+jghV6w-2lUNGy4kQdf+Vnmf-p^
zJ`?>Wl;HZ9M8Amx)bFH9uskHu?}}<r90S`!@-yhG;NNKs&$RwOl*`=E*ooNVgMJQ*
z@N*7;u?~Qd$9D$c1Owpu5&$$_1K><H#%ikt%DF=TWduxc3ZQfWlo9y~1Eo&l?P7yN
zHyH_nl=(A?OgBE@@TXn^cq{y${)UOCI6ojv{F=WdnD`B!{}L0zf&jS|e0=*9{km}k
zAk`-NU0(-C<$zS1{}B*$%(vXcw;T7vWv@%z%<Ul1+io(9=Q$0>7v+HE#R%CN7h7D;
zHSmYZ>u=%TuJz+JH#Tr2BJuRVZTi!XK$~DfrMmCCcwFBu9ER(k?@F)YLu71;$(;Wa
z+blLuY2>(>u94qcBUct1If+KPCHh_6KmR;HMsh}|x!#rkp_RX&SpFEwcTM!Ww158R
z9pz1i;|Vlb@agtXL4M!VRa5L!#rK&7@jVD3F1-fv9jrup`@texr;*-@YYbQIk`!EI
z*Y|2aX?*r^C&9VScQoIT1V73B>__<K=lH3I0T0vlojK$}`pP$W3ShvYF^3XO-N{U2
zJazF#x7>70em8O|!o%c!WN+fz8@)8q_?~`nE;;d3<<!?2)=LHuE$R<jmm2m)s`21w
z6H{NJ1iwC)XgYy58~1lhG*$7#%O0KPfQC2v*hJG;`OY4F2A`uZ$3>*^B%VI{%Y087
zeR&@Tf8wd5k0)W&<$V)P!&E;vq0-BqO_*pc;qV!5IvHQ)#aj|h(!a9fD@UKfOPeOd
z{&_h;(|uh{e9Dqi%lTS7<zO;WU~nqhdNR8(zY|Yg-<L~TV~cD1a*6D~um71rWY44j
zim&Ns{MAI0_B#<<|H1d9(dSh*+*&*NAWLQ!`fS|KkG(=#c0zwI>m9{2R5Szp$rS?M
zUUO_aN9$PQ!7tWl`1j<5sf3enPQ)5|HSX_SKhF3Ut)mao#EGU$5q+H8Yr25H-jyq)
zr{A2A+aocxjHJ|aGg<laA0ZcLqHDvF#{GR8=Ido+CTQ8>+AjTa7qpL>(7)jgy;UQ>
z&&d_P<dy^P<dF~RPyFSEXQ9RnenXAQhR1bzO73RDAhv~-Q9qJ@ZNG5(Fc6PxIEStn
z=tTN&+z$oM<40T8;07068{&=oc_wKO)%b)XzGwxz@@zRt`6|AQ`SO315N$koL87UG
zG#V{WG|7r=++UGs+NZK7^Th=q%)9(ye20Gmq)zL*hvP&6A-VHz_H(sn_<Ivm6Znl8
z{J=DEr#^;yxu<6oK2YADml|$4p8fl6EQBe9StCwHb@J~^A1jz9I*h4Cq-$0(rw4bM
z)9Q<RI`-b4`1Sl0#{?3;Ztgih(bS@;7kp^C?BBIKGwpzgZ8{W;I=0ZUw64&3%33zG
zZ4(54LMm7;&jY8abc%!ShJ+_$y<vC^vXDvnCPsxL;KWqW0xL9)g88(2?B%{b3We57
zz4~$6<t889zQRC!Czy#}k;f5r!Xhto9$GU?glrKhd}?Q_hKJ#(9Q=u8WxVMzxc&!b
z3~O^}xwVs+I+Fg9uVwV&1~KEdb+K-~YvK>WLupofxFpK@xgpO=Pvtiq2A4tL$e2AJ
z4CZ~l4Q@FY%>RHD6W$@4vbo_uq)Cp5Qn!WIyVNoA9pJFgDOK`^hO=EddZ(R%!5JaY
z|N2+!(IN;s)+_L*@lumEKtCnb(ojN=3^CU<2_eusya#5j6KYaZUT9^`Ns$%JOBC6q
ziKcfo#3>8KCM6nTM}KzaPM49hp9)}^+$87K*cATu??q~US4aV%Ay^_4W#c~b+hX3i
zQQiphzOB5UcH|L7#?1OL)*`Ccws1m6i`X&B=_x~k_plw2huC<xH8%IK(KB>jW={oY
zc4acuPnGGxX!GbXhtMuG1?AfePv}#+-j~=bja#nBeuKw<Z^X>|d>xTfiDki?yzrb#
zyqrqBG@kPkiKTTxGpSsGv6FJV8ggOv((JW^DKS3SLCOd*c9=bLKw`Q0az?N<dv3Mm
zen9RiiKUtltwdebWxvri!I6rWgBQp1CPVhxo^{zDqpj9eZ%-vKe6FcpJwA9_rDvuR
z%f|;>Qwcczvg%pmwYFYZ{e<ku**=azn!0h6pFM9#_Tn)Fw^(N%dfCe>eO@xo1TT{{
zH1VRBy?q1`>y*c3cX6$1^XlfgJnFWGY3yZh^wKS@xJ|issIGdt*OEug3Dx~5)nRHM
z<T<9^jcacwim^L~H4d@!)6&{Qp|;beYy_?4EDxFBB|$VK9p4W5lsCa^**MUP<1l-L
zFj6o14?np$-Lm!=xe|v;^ud|6Uh-vKC{q=BEo=L0p~+3{G2@FrJwusGy%=qA;9vlN
ztfBJ?kE?20+PkRJ9%bp+3ITIytQY?v9pCE*FGr09TyFOs?e(I{;gm%^p@<(};Uy7D
zYy2uEJ_j8RX0Vr9*7xwM-pB;=1^gf{P8L9}JCf%%<igenTJqg_JIdIyEgj&O!B=t_
zbG9YlJ2hpkhOd8*Ez87T^kKSDEK623e?&UD1FZSM8)-bU@fYQqYFT%TpIqxD-#90C
zU+=r?zVdy)sznJga_KJL#f$AQX+TddrGlddhr5o(ViA)_M-BsqGX|fGDid|5{AkER
zK%6JF4tnt=eib(^?eeM?`^i_mIKOe%aJJEl!B_(7NH<FEVHcDd+LUz~nL&|H$6uqX
zfd&M$FO)gL*O=%r?<ZgLnesf@wYEp&#@oSw!km&VjPsdS_Ba3CtIB)HH@O_uk8Sp1
z+&VU(ug3zxaMLmFpn>Q4SbNNr^&)3Fc*$i}q~q@x0LtXO9kASk-ofr#pB|Eo&DG2w
zUM$v2#YAw!go?%Yrh}Gr)n32q126fWAAcdkwP!Khv~LKKmW@aH0i)a8opp{hH*6TE
zcRK#M7wjZcsQ@OXUk5)UotF8@b!knLmW@49HZR(`q~S1Pi;~;Y$yc9w`0c;vy>f&y
zyyeIC!T1>A>~|&sD?@B(S_|PasvqOEv{j@;O^y2<H67oTn)1Glv}JvNKfWHIt!x{$
zR6w~JV9WYm<Psn6C3iyPbk$2jI~0x+xA~q=^RYMZqHAb$(i=U1`sP-r<Mj~J&0J`2
z{c*ZCzQf>Z%fvVO$(8A(s{2)x-h70Yg!NzNo98PL1M7PD@pTlC=nc=#-Ph&P`4^A&
zVsE8$gAeyHx#dP_3A+#sY`<EMiH2x96UwTv&K8ne9BeCtZS|6DOQ-;YE#%r@TN!Mt
zI0F&Epa8Y%L$7KdV0ba+ZZlPwr34`@pi}!^&&+LQY&J|<bA@_m;vX_fHj8l|$6d+r
zh)i;0p+qYbWr&K8Ujcso<Wisaq_+E2&1twNxgwo=aQFxPKKQE4zksjdkTC2*<TOnp
zidxolZlc|bD^ue%6s#~P;N2Dta=VvYtw`$@Q54$pYdvgha>_`&6BxZJ2p|l2h^?xn
zUVOD5YxQ!2O>iQ#HQbi1P?a)!rfi60vLmIYEr{PkcLSlNE0d0Ip%Rjvx*K{lw%(pe
ze(1%+=YIE-vG;i8*Hq7-J3m;OW`YLq`nasC_Gs*}6=_1d=(=Sq<lIIc(xSf?Lso4l
zP&FNFA)OKx04`XN&2a?G20yuq+Qn+f<E@924?)TI2uF;+n@PfSRA1#)y$eYNWw1OG
zd))>XV{l6ggA19VFvn6y)kr!qOeHW(xLdhu*oL{BmKmi6t6{GC#^A>^%+=|n*d-m~
zP{Rf<368dQ0l&a#@WMyMVfnG8Y?c@XG#Hky{%(vrh_NmVlV(==$>kJuO;D=SFj-UI
z_2U~d$q$gZ`dzglUG<s`|D#Oo#dIv<_lTM-E!ztN7W3NjQk+H%^JRn?Wzunkw5a(}
zk(wVcOi?$vJe_QrJ>w5OR(s`j)vaFDM}Dk112-l=W|@a{As}nmjL%>uw0VBXu+uv4
zp#o6zgTgSWv)oTEqM4{l2PIotd!^&#Z}8)*GRf^$eS=@MDqZ!apbS=JVl8ZQ(!;<s
zY(ooDHsIfqseuO35;8TnyLl--Th8p%97=waL3%P)wNbSSl2X5iMj3CGK`@hSKgSIs
zmo^?IO(PbblN;VW11D%&=DMDUB*aNdLL`HzehfWH@Jg&}R&MI=#n+^hdt5mx9*!Kb
zCR%$@27blAC=|xmWa3NxU?oy9Q`PDxcc<g4)3H5t>TxcqWh-L>bbf6p2p-#$RaS35
zj#|>@atFEvrBHh75$QOBK$+<z$`<o;JtC-G<c+WKm_?+b5Y6(c7J(2i_iSQbQ<B}2
z7Ref|qPgLxr?oILE!P&OWsJG>ic>|9xAeY@kHVN?<~T}Ol#k{RWty~==D@+9WhhMG
z)UR6LONID{fQeB9b){X?N172Mv$_%gt9em#EhOH+YWb#NT}nfnvB*v@Nk?m`%Ie8D
zQ7YrhJyv8X3#>6O%b<B8Q?=2{{VloRwmx{W_iCYGkbZ2J@=+CX!%yxsP9~P6x8xZo
zn?TDb)Onm-44PCb?Kq(u6)7F<0x!Pbmr}vvxxlO1?^mHb@Oz~f1GA_K(gP6_$TWRB
zc4DX-7^)VVd~ZMgky8bc>*=@(rIXvpID$&1CP)@BT4{XB!IGM7(0<@ot>pEgf%RXX
z_XEnaob2$D3s`5FuJ5v_o@4_DG^TsLpfAw#G3nTwPA#HqPudtd4s$mTJ$FQkP|G@q
zNzPs`37$Uo;ve~N5z0_}xsQ$+Q}OPs?DS-We1Y}8cLy1z5J5i24jN~CrIC<gvJ+lZ
z8`ApLK}bH<O2JI7BxBCOzq~iuEBC9L(WRv$R=r4-E>fLDt-R^fn?*-2wmO=dhKzhV
zh8Pwpce=3|9yA2_^;PWusJ;fqNTXr8!N*ZWc{2~{ejuH*YQGm3UwbhYS&eeOS`>du
z!-wENEUmjYD+j+!`T!Aw<aWwt^@iY~mNXtMCh--|Jlg%8U&5@?4p<(mno$X)=}k+s
zX0g_>WVLLrz)nfWUIJiY&#n9P(uMkdY?FcS=7kgn3?j7jBr+1Lyr~gM!O^d^y{Ik@
zWsL)0apcdNa(`641^N6WssY&8r?psXz0|zcBmLM~r@|IieOA(t;q8mYCJmM)hqZm3
z6RHQ&E$?e=s8^|H>p%Eqi(h^fMxa*7r5P0Vf+k=q73u-%I&=&x=n#cK3$%}Fi!zOF
zSkPNrQPxeR1#gV56=ly9JJuVO15PNnnTaTr74%tXAr0>xuWB>8EW<;$lj=2%<%!Er
zIri+w@XP>qYa-pUt)FRct!N{F682BW0eE#Li7BUn^~eP8q+2%kVsL#)lyS1uhfFii
z%MGAk^uE=!gV=Sy!o$=z3yG51uT3sKC)f2$=>XkC8mu#rLRJ+vCwItlS_(Q*vzRIA
zxU{rXG)+)N{5Wgm4nGNKn_09zOffZt<4k;A>e-g>{PKM`275CT`!Jo{mx--SSMA6o
z`Fu4Uyhar)A}x~GrhEhAF@9`0$%RR8AiU;dr{aN`9${Q68O=*OwKfiSr6SCd+lyS3
zXLKK_NL8<km#S7X<_tzp45mcW`2dTiAAnZ)<+vI$!Hbr(Hi5P2GU;M%CfJfmy6^Y<
zQlXc9<ukFB8Rlin+9Lp!kx~MyGJhB~(C%CrnjT16IbY}q)IcHPyEiquN0z0+mE6cT
zN77Z8&%}2?|4jU42x)aTAAt$SFPUBxpg+F$VQgoTFO!pc=8m)GwP&zKFb1mV39QUd
zw_u_r_fnkY(ag+@1`Rzy{q~Fu%>_cUALGw@_}3;bv00g5y|q6-lUzmtn5RXVOiQVH
zmW4V;E+s{>bk+QH)ywFk#&ek%5UtF_&_7<4^3>ASPu<_H+N}v6h4cw<0A^7)$Xy4S
z*CKA^OUNX_DR6JbHUOBhWtOln1D6N;DGI9F7&?XaQRp!1fM4tS0uyNtT(C{=tgEQ)
zTf4*jgVMp<5YZCW56tB5I(6}{T9{8#Sg<+|m2<Sll|~(dJ;2M`DW{QU;;!0O%%z1^
z?4y*_vE)`T1|%RGb^e_+8e6b46N3TTDl%N6gsN#kleSj46%TO?dP=KAqw94n0374%
zh=4SW4El0>ryqMEjmlcZ09Br5VC&F+Z2%>$PAzNaY)u9g7yTr;DHCr?$M#E8T9Jt@
z<6JA1`q^kdrmDIE@vtTuA45iHw5+X2#}D}Bw^q+qi-!1?O!6hizP&QR2IEZOp2f0V
zu1_EU9R6i|2#}U7jNGu%vX%)E9!8htD2bpbjQ~x8GNy0qktBD|#181ba$!@lqrLaJ
z1U93hW#XWGdCGa#zyxak$7#;kBp1;HZ5|;s19Ojbat#AbSG@v0g_~qMmmnoy`VG%x
z%cPERUVKf2*G%rJ8ioqlHyL7O=Co|;g$u^@KQ<F@x9ko538={gA1kH>kqe`)rm@4J
zB2ER4)fO-vr)x5|dsRy^h>j$6RtXrx@Cq-+@ryUqG#JLOk<dC9hiD<>20d87?+d-4
z0<!|XI>6|R<+p&b(CBF_PU0R1kVEfQ(5p1QU~JZh*E30wZ{UU^T(c04Y&nt!&&zQW
z48b-+c3QqegUHtVjkE(Tl+`;Ez%{EriSIR;<OW5bv}^(2@3S6m#J2(((#coSxxWp)
zZg~C+bkjdw^$(FDb}*g0W+a`7$8g#K6OHmA^U=JLjKbxj$Q(4J_h4EB0|pHp9Vk?I
zpG9gb4nDJsDIluEKh7i%h$1r#7g)w0`&GOAI7na4i5DvLGgTC(i7>t)k&bW0NJAg*
zpANS0E5bNhA^>av<4jbN83UU4)?VVmv1NX8E6Aih&|_s<Ho?VP5Zs$GN#pk!WFkc(
z{s7_AGO>^S*jDBpIo;*0)|9Z%q7d<eC?A!WW;IF0*AdEH@k|`m1Is4~uqxfS0b#zO
z2g8tF97a<IZ8rDd(SMj)e>TdmwS)@1wIW?5&O@TV;>Y&8WIwi^fm5o41}0ske{JZW
z#wRAZ!mQa^($ogSzLOCuExC?{95)J?OTu?!Uk!rNF)%1&u3tL#uDP0kUDjSgRpI<}
z+$C)74|-vD41)?Uj^(3Dz0yhicYJ)T1!%0GI>Jw`7iEwlRuxKY>PykX(s2wd7-f?*
zAas(g-9;}+jV%x(VhxBf9ht(wS;jR5<d=qH^l80<iY+2`Z=?y$Md+vBfj)R3MmNbQ
zR2p-W`oQpx?&z7}!=Oo~`ED<FSMPUz|HNf}(3VdAgVFT&V|zXMPPWo4stQ7umiZ{M
zy)mD1ndb)tH0T!wV1q66M>oA(9eSoz<PV|<MDbza<bLrz0#T&&tG1@A4n(Mly+iqa
zK8qi!b<6q$je~M+G{$j0<&k6i-Qwx6j`7OqthH8*{ay~~DxMS#P_Km=8Dyk6yysB^
z$zCoSlsfrx{g%^6|6m}zDH}<qt+r@<b9pfVXid(q$Y!#^y(>+<gW+8nKfa$dTo=pK
z64sM5etoRrB%@#CBXTi&Xh0KSb*2iJ1Sjt98~E0=y*J8uj_soxWDSZ9t^r!vKwS;X
zI2<$TACc$*Mp^d|nE_D7V8UE?t|^0NEA`-Y7+nQ%J+Ovi?3>7`S`S7+ofi{oz#YN{
zD{*atNJ6TCbhLLm0D`@!CdTJ$;d2Z>C8?2_jHH)rEkq0^3ci1uLua8eFusyBhw;r|
zoa~iyBvWTI7+>k3f41tM6=vNmGqYXR&DtZS2w}a!=Bxy4UF=QA;Yyir`_x&%MUVLe
z*qGhPeP#>tfrW}oMId8qz2zq{q?XP3kMmETAq%zDS*S7>%|hL2jbouQ^JJc~dby1z
zx$uAo1wxiNZYf!*;yUAUx-D9$+E<|zc20?fDpJcr-6s^`0|uJ4n5lkM8<1h63RNwe
z!8Xq4Jvc?|dtHL|g>&%Ba!T594&@j=GJ5u?u~}sGGV53=PG6LP<0Y|hg$uBb&B`(=
z`66>?k325;&r}nvw+Ih2eRf2&6NR%<c!jy;MX&{Q9s49`2<A%ofIM)HRr<kk4(nzz
zTmL&40e%5!$FG9b?6ao}E$Ag!@yz!YCufP5tG1_On1c`lG|TQ;EVG%8Wkx$&SZ0sI
zJaov!KGMLPIjxC`5u<i7;H8#>ahcn)m&NG+WHb9!_$CZltwLoCbPyN2$B%u$jcYO}
zWpWsAuVXF6<MdCswjB|p-4k@#%VAkfV0mbdRO;Y1geYcYDWb6^g=p%SW$AON=q&7l
zv#~G<faHPzpWW8Td{>)?%7y8kW~GJ>lHL@IFl`1rHRR_&HOvItq=T~&g-w{6xAge(
zC(P8|lZhSllG`(}oj!Z3NnDf*gc5Da;0p;b!3db-dmU&+u7(9fo58!3Nhz+vti_Bk
zAbh*C;VBHZp_MsQ4c*$D*{;0|ZO*)f`6Di=+AOnQn=^Z;($9~*CA&qY_nrvT7z2q6
zj!#n(_ZwG}ghsv~lYEcD0%0~*1lpl3nAFT9cm5lwo=uZ7;)UubFupM6PsWZjRJYOv
z4m%n1^s!#3*3m&Nt!$EscCFT(WQmM<tSvTyZ~?S|>y0T}DWy#AOwC(z`&XZbdDF6X
z4rW+YV!Ja{>(fb07c7~TR6$sSW=vXr%b53KEb-d$Gp+^%(wU1IDWMsLY~aHl+-VJ~
z4XhrOQm&K}_KL{GS(L^>C}aMOf-%3{kI6Lj@JA!E35c)}BGTG1bk?Jy7<<z*0voiO
z6)9}*r>FpErX=<}ohc>4IYtBKo{;W%8<XIW6C&*hkwcMVT2(>#K_Ps${t00`8+9A7
zbQh9mnt8|P`Xg=d<u<Igbex9U5GL(KtZxGA;HypUb+C?;T<k5(8`gLBZe<sHO(tkF
ztgn|_xT?+2|DFfaGoNyUPuBe&m_DpGc&XOdR}t;vR2iB!>dFZ1rrgAF6Gw&Nag~bD
zPA)tS+TZY!`#Ij8u3F5lx>xmz{OYkawpd~TAq3VZ*gWpXW;<UI%1P*-mM3{XB(T*|
zTH#LZCpspdR;r&I^dlbM7>N_L<WRm1l-u#AY3U@X?_opY%G}mH<1pVW%+C-PAwq<I
zNVx{wA-Ug9;}-|dR1z`vXhMm@6`(=N+dfAjjKgVjqn1hro0@ml-H)!)o;f<AqzMQ|
zBctqk)ZcXMqqB2^hq;v&9BVb!YFQB2B_4SLd8YX{_ZG3ew!gVOBfmY^)~_PA*Me;p
zA@<X8dM{2_9VCv#V=q0vOVdC0vgEZ?jhIZ=BAW9s`UWkR#^K818xChLP#<FQ>6i`3
z6ZBGPCVMk-RzNj5t|Yqg*_Y~qX`)lm1*fy#!QL+mzti*&YxkR(81|j1gR+C<6r2Ui
zm@V?ILjod2+dhnn?$~Yy+nHc@CXPAuuB=L|AKFP__y7R%JD(1=W>ArnuOQXsYnYX;
zdheXvUB{h&<%`|fFR)ed1CatP<=ouxFR{iN;#rS7t(4|i-C;dPkp%0&_Byvd7iu`&
z#06VKmXAfr;3z!cDJW$h`>{e9s{tE6_>>N4#f;%6#OHxSj$(M5WKSAV55?GPcE-$M
zYHzH}AwmXhB>{t*F<ds<`gSY}={dOpr>pTja-QQ4IA}GQI4$oNBvqlgO%?QrN6s7w
z7!@=ls|YE#1rN<8><UA-oHPgh7)$Xs#V$?L+DaIQR#ub>z9OOk^pUJ@2D6CrK1A7+
zAtr_ZCG<OU+P<OU3S_ZJhaHxMrh(%9x-`{knJS!`@1UEX@L$7*4Z!t}8Fp^&lp%#B
zHd<U2_Yf(La=fzYpe`CdSSJ^e64^)EmSywSyt5QKyqFoSuC}xLk*%&fysG84y6*F|
z#r|<&f!)v-*N&0IIi-XyE)>Q)?bhGJjuSy>h&o18ObJ+ep&&Q}LAIQe8$L!Evt;XR
zrzPrv;eM=I9oDTHLljj2WPe+)S-TXb5b2Rvc1w!1IB<5Z?l|Tc6YN7eLzg7D%q$Vi
z9C-?a8FYCdl1a}*iQ*U{k~kAsCJ^()54PJhVdq!7+yp3WRSx~q<d#g;hiB)e4r=Q4
z^zmAE@j*)L#}+~rxAd~=6i9(%3NOEku?|N|FTC<DDUKSHMOw4^M1>A7W=6{|ncAMV
z<(D04TYk}tLtB2;Y!Bik@SNiKr7b3hQ34mUCA6_i{jSUEONS7}Ckn#AfgZRI5N8PI
zL&t)o1We}JrMc|M;L^lYm#+X#wZq#WmjU!BcpPNdC%4FeWKr1)LE72#i)cauO9ehi
zrO{e}1W<!H?+1gcS#`-00Vs<D7}v@sVMVbrR*BV7KAT{_d27}qG21Zzv0O9w#IkAt
zvwaaZdnWhbQKPDkI*H=!W}?s$eS%&Sd&iuhv?aGm2Tky`(X+fHxDEC@LYUhCx-2la
z!Fo3qP8PgPsZzHA@fU3KEfVv>3^YS52_P&p*p{cc9TYR)$8LidY8gQ#Oul4BE<XMD
zv549Z1L;N!<$z;MBALLBc+g^f0;h=3AJeR(65Avf5{-;Uf;Mm0)H0K~rL8|L9V@D?
zcTH$*XIsl!lEV!z(q`Lu*n!)gb>k|<bF!z*=ei>eKJ@>U_Px0`ILM%FSZ2X}=1Pmu
z7MMl1Ds77CItYS2wJJjeHkX2boR_<A_<`>Y&!nq%XOg=!v3=*}t{PaDK}pBrVy_S<
zu6<}%M5q}{9hVCo@a#mna%W)&&=Wfgz?4p+%)7kJ%#Wy4FG?{-44(OdT(NSCe0kAc
z^U)q)49P6H0*??)(y_O!Q|Pe{*N^gXefcPMR;F)(B<_2wNP@8Uv%{++vVcr0E#694
zNY7SLMnv&t&eD2;GAN!~F~&=%<NQ&jWXX&4!3%827+Ge^TdGg|4#Eu@>nkq1H?sjx
ztjmNf<Q~hgT>@?gd1CR5y%4z$L!-@FXhTdSg$QWC=3IVW?ygh%SB$zKU4<}VKIWlK
z1+;k;0H6)he7Su{r;2FvvdgW=#JAC%%PrDo8QXN)6@0=7#CDV`kcU9}MH?o-P^}aZ
z^QI997Xu+l#Oko#gXWLYxF^Kk8$joqZr)%(bj%wV=78h$PnkE8O(IeUbqI_>y8FZ-
zVFMOsijf-E<W_tc)+ahzVa~KsomHE4{likq;9*`&{0}<?-P!Rt{lXi1{ihVJW-*hJ
zTZ<HO-(hdu$ZR~gOelm17KNf*C<NmyAeVK-h|>yj*wi3@dpfyPHLG4vC)pe2A#nB-
z2!c`E@!7fIWhN>4+5}Z3*vI1JciB*7gD2Zbxsn31obe8@lY>Z#ulABl3YFUr&#;Ua
z%J!nHR(h5FhaZ21vVPSXc94ChAd-9rRwStMV@ue0^5raO>!IBdb#W-h0^Qfw{$U7u
z(7alm<^^u>5iC%!wVA`mQTABSNL-1OXS@%mDL!nLkM*jM=hg(xF<a13tu-uODPAFp
zSF|yPpMzdV4<XOOB6-&P7Vrs)7#^^JO2{NDW2xa7upo~>Wdea<feCq-%8*By9pr%`
z%7r}ZwdDm%`tfG%f#FvG?A+9^%<c8v8ztzQt@fUD)fURL4e*je6l3^gX<|<%cM7U^
z>oF`-)-OVBp;mjc@NnDmN`xXxSH@ZQa<OM<U-*BUN|ZgEY;!w67b~?4J2{=C13U&O
z`L>v(6(fXAB2$|CT)AP8nrN_L4}62_26WnXob)hN)jETZ%YLoz8);-w28+MNv&}G&
z(a2U4_X9QdNPoi_It_?0Ewz0H70|+plpzp~G7JE%tQTY+TZV1|eUD-rmVFgeCmG#j
zLKK)uj8Kk`g>=$-bM+X%49tSd1LST;{ZVzJraT{VVDR?l?P<hBd`W8dNiWQwf;)|j
z409YNZDqT_C(;isT3ZBo`qVsH*o#`h^&xFoY%msmz~!QUf$wHMtp9?e36g^p78&Ir
zedMvk3j%=(MKxO>kZ}hz6|~Zmn7HsDT(LdF9w{5iD0-SYVOmjZ_+xR1;tDmFX3QL-
z@M~C5jnyX<LW1EMT<yp}l?2{vEZr(O?V-bTTIg5s$f_VMI9(WIF(8n)8sgxLC3A(1
zYb?Nm{G{TG(0F5SVs!Zd-rTiV<|uY)If7q>Bs7hMzC!RhT6l^!q@Y~csH5(KhkfPp
zi{pO9mrNj#rpTP8;Xk-X3wqUxbTY(=Yu54nf_Wf95F`Q7alSbs$QuPA<idu@;%}>0
zM*(`3CmV#~@?#Wx3_z@Vh3#~>vnlieHl~A2zpM79tDuG|D}+m^S=*OW8uHQ_>Noc=
z`!8l8NJ3lz_12&5x3~bUWAR&`o$GUgSI)adz%fGxUr)Tq;G6wXjI@5Vq_ti2vCtn`
z`bARsW=%QbpnNT|1ysrxrw_mkmv*f36^EoKMd@JL;$bleUUU>9tjD-xslY8zLfKw&
zsSLzUF>iBz6F&c2Y%|^;^Vu2WO<ir9v=Htl7j2A=paPmLkx<|{H~fplk}{cuc&#a9
zJIup6k+G=F1)Sq-7g>B7jx(VhKcvpkSaDm(*-2r8!I2Y`isCrgx$cQ0C34$AMsx0M
zVgo~$^tH4fMuooYRm(ik*_p9YTWNBgZB}eX1mW9iFWBgS*pB(PHbF^H&GCh!q+YW=
zDfR&u77FkaK-M4lkCnp9=7;h~0_V$^a0Z*WA4WHi9a~gb)<{VlAFP_~AhWj|d-T*j
z!ZoyLjZ8zG>7mG`fd(X|`8qbw=%FR89VAprFuW!;_nb*b&hqg#^JG_y37oIM_ZXoR
zZK%@x-SZU}g38MZ4%f5mFkb{QR~h1HrM~g~fq2~+fb&`|Ly)+Q4z&@2MLypO$7tAu
zj|EjiX2Up+z!p1Xa|rBche>;j8tM)^3&i(2%yUukFzOrDQM`zWdl{I@9lkj#b9QdP
z=iPoUn4Qh>I6pw&V%6B@$YB0k!@T@dYiX_&^-+>gAK~5S<VXw;5yJy{;`7U@LmRzt
zd8Bg`D)yFaLJ-CE!L|a+%QFa`Haj4p7j!LzdCs{$d(M0SW=1fjd^AO3_Lx{n;@Mwg
zFHV?FM?Dkb1_p~!SB7jAknFd<{~vL010Pj&?fqv+0s(;u8Z|0vu;VSM)g}$Jq+rQF
zM$hO(P(i7-mKJMmFKvBE6e|KcIW2R?QQE7$-qzdN*4}Gd+j?6|@eLD@6Of_-L{U_t
zh@2t3qYzQZ|NGnf%w$ls&vT#a=kG_d&z!Sg)?RDvwbxpE?Y+&)odgeDFU%XkbD!~5
zDIcD}mHB*qs26!8dvM864Zg#6M_YV6yY+~zFJNbY5j?M-AZF+d5vHh+tS&A7NFZ$`
z@MP0aEHQcvNsLK1P}RYn%mEN+jU8K9e_MyKVt7Gjc&%BKTcZfMHUREhnIkh6)gW>n
zLv>~}puayyHF-VhHS4s>R2(HAV+!QaJq1uh3A4r~jdm9iWPFH&2*^Rk967YW21o}K
zUW)|63^QSc+K96z`slAOoY`SO-rB_Wv0DDFPOv$q7OK!$Ey+O-q#m5GhafQ4mY7%b
zG-0|LV(79bn1)3fjRi%DGFk1?R3M6wk&$3>1(YBQ6E4yk=PlE&*a%ZXy8%(hlpn+U
zbt1V;#nM$@2lUtC#KET6LG>Cl`_`i^{u2l=T&+I3o)K2K3scVkF+7Ijlob=rT9D#(
zoFW|kF}#xae9>V!jo=XJG9pU#3UhfPU<L=T7#BnX;TxBqkaaQU5%ef*2dPDL55a1F
zqN|!UxF+`5@tM#<lqACo#H(p8c%9`5WfixZ1vqlpDY<Fj^5`Qc_&;8qs0Ax5fxOs+
zh7?+5=j5gk$}a)5gdq7ti2NFf|1ZEd^A;X-lp<!A!?mR4h7{U0B&En`L?}6ELdrRa
zng|@Sk#NeuoUvT05MhHnvuj8jq>K)L*8-XUfVCf_TS-Y}PR`S1(@>*E9!VdfRf~Ld
z((^OJIf|G4P*R2NfyykGA)=@b5hX{VrGr_;YvWtNj10obhcASqe^j67upTuPIxi=X
zIKf{G1q!e-hn{j}<bgg-mEH!LszsTdlZ~>a4%0krg)3*1QH@a8qmM=U|NHZ(MySg2
z_P_<9SDHo;kjH}WGR?=VP=j^tpAh2t(UsqRNI<VX4#8M3RMAJwAYjI9kh<JO3kr-5
zN@_hcs3T`H7*%yS+3*e`z`&fw(0onnBi6F0h?rqljz}8Va+;M>SkB^dhRJ4v-Jr61
z)@Ra@gSfEZHE6@e&|1%_tj|r#j5<RUzE7(YorcV!F+|xk#4tK`mB?dFyqvX|v+b}>
zsMlJMgRBi@DMS@4JP-g1@Ano@V)8WR(I)iPnUNlAEhPZd>@V!032ZrfAo6S;K<}+F
zMU2<_$K26F358~1Nzth5@Xf_TMBKp?YZa+F;$0J{ij|?t`ZY;wm+Mb)cKB{{{twZE
z?@$IuDW(H3cd0>{bMo45phlYor-#1t(dbH>2APlGt}~8vkih~k3}lF|Zwi^!*9AEH
zWX35lNY*tjk31<DgM6Z0NMXE$@&Ic%C2I9S_9)g_cd?dlv?!-=Fhdwt@>mrZtAHD`
zXoPi01#_h<fdqV2+mC5tESmT!BjK1hjMs8I-jYGo&eF2FjtZp+AvSVhk!?Cr5rS-J
z!JEs16Ad3_&{M4WV?KUozA1=KfpFc{`)ufOtii}$Tpz~c!M<mF=mS~J!xD!<>HW)-
zGWQ;L&3)fy_xLE(Zn;xOyrpQ^(54GAQ%){2;}Rbo%i8#9i4~y;@6@^>K+Yoqe7qJ#
z@QBbVeRSj}W^<E#v1qbEv4Av|RAgxy$S}fTi1&7_iHu`EAZ+{wM#KjBDYT1&m}lb+
z4d|0l0JJ=*(8kQ;M7rZVk|&Bitky+yDs^3uiHud3dbGU(sYQ2Dl|}4f_+10v2V9F<
zLWM*pZDnwnncVm+$tZ%DC4zt&tC}(u!$kz+pnclXKt9|=YFq@5Ph1n%Rym@yqfwFO
z%uMWoWA-*+$sdK|_URl!n94;Exo?AL_SAE@Z^Os6-+zK2e~4WX@!I$Bm0plZ7$2^N
z2s67S#?v%`=Qc+SP431$mGjeThXBN&b6XjIh90amq6di{K}kc8*O36^3LLml%{XwE
z1d)mZw;IPE-0$PQ6&{HfGDKnB^tC)uRyJuJH49OUzT2do1I9g=s5Kjykr9?Cb@Euw
zZ_14Ov~fi3Hj6=`31){GDwZbH$8s=h3(THbC=)F4{@w0OfHIr#-R4y-RA$Bo%Nmv_
zO_|8427@dOO7>(PA6GW>^QXiI?qCF>^R5d#xFQeENoCQJQ|;TDDD}ha$5X^NV@ewj
zUyP5in?Bj!^){dqR&9KI+7+j=kVI=6j0>C{gk!Lpi;rB<yM)ng$E&tE@3ig4>8jyo
z2%@h<UgObUNnxp28aC`7r8OYIH7jRr(};H5wD@P^I9gzgMR*|bC7OjB;u+17lbSZu
z2#z*=%P(+HBN=H2V~=)>c#&F#|Gakl`I(vcI-%_@t{Od)@eT&)AHl{94D|=mMTHcj
z!eE`l$^B+xhtpqCujPT-j;Zw-OmE^br~x&1%ZY618=bh(`6Nd~@z&y}7}M`4mKw+z
zXCYph**4g|lQDt_MR2KO9Zdt@Hdf-60YoCR3lV=gar4+_l)>MsXbengt<Y<apkC1)
zJ7>W7Dl3a|)AlN-&`)GI4qBFc4G5SXlKZ{LWO5V#K^`V_Rif{r0)g`;56;<c{IeQT
zBUTv~E#h=1@gJJp+lYZzyanzF6PdvzvKg&}#rijgS{PU$SI7YMGcL^1AECxNs)Ew^
zXm_wc4#1o3+(E8kM0vzBqfUWsd5zbQ8qL%K88opwOe*&ow%SZ?MumwvHvP~G2=Xc%
zjMG(9nP|dfvAsXOtj}>$fvFU?#10Oz&}3Ci<xuGMqyGB%L!&s<R9S$Im<6*;$O@oB
zT6m`pK?Xq5at*Qao97aku5p6<ymp@nfH>Hci_exf(7vL6D6-owI*t#b<3lKIOeF&k
zv9@AHCu@~Jqv>Qb6e1>-npuyKkkXUB8Y#7TP<%u$85n>G%s;|n<cT$rCTvLCVYY12
zFr1z>gdn~IYbu}vmh4c2H`Uxn3*0ssW_TR5Nr~2&ptlS$w%MuVgBm6nq|HPO>a#*7
zA1I)SAuomUq-atczpZHdAg~au!<smS-8v%%t%FsTEb}<f@$?$Y;+7c1`I}FSjkk%|
zuwVN~q3nhfS)#LOLAehLBmprpiUDQ_jz`6OD2^o`Q#|Z1gNN74XQ!BAtu`r;1Qhcs
z9t4Wpy@?p~1r)*EXNZC%#1FHZqKp*U;psJ0-{1&?RTzV0!x&_=YTS)j!TO_Ig-EM=
zaFU5GSg4w2C9v4CWVWDyN;~WoN&<f!PMvkKeyIRkK%pdb`W0iT1+*~{C5A~*ju^xF
zkz&@zaj5hd@@VwsMoNx6diQ?v>`@HKL)d+^26?d7dD2lC0eOH%pDcOs^yq6Jd6eCd
z2TNU$Dz_z%40a}9R{Y4r?k<rBrvt}j(_9l<tTV0s&imc^3kcC{Qs{$LX_-J?;CF(3
zYN;K;_@Oy;aaOmnwrwm+!I+@|6`(Za!HL6@9EAaS)?vaM@;uFu7KKJ|P7qtBjJ1dl
zbF0NXix^ArSX$Cx0S*0V@+^~gQ}o4h5_wKXrm%{k*h>@Wvp}m&sHco{=&C@UJcaVa
z&Jji=v&7M4wBQKj*`;Wbd$1X44f1&Aso=B^pfNTh{WMXZ{E%%z$cY4*vK#W~<PXTB
z+?G6?YBbO{vWz@fUm_0%oQX8KM~e!z8;LY2n)LL&mqVAPObKBvm|G&T%t@B$lv#d%
z8~1}%NsLLs2r|Qm7L<t+(1%D`8JK<aQDBgv4-K>D5&Gb`QoK0l7O~W!twtIdM47b7
zx($ZTN7JXtY@#w`#-<Z}tWAgQ=uHYJ^iZO>1jY3u2_(t{^9%%1eGeH70?<y}5!;ze
z==gY+y-)*ARYVrME906>S%%co4D*SMO1n^FvBb>Nbz;*%dZO4kxZdQGMUP6*Bf5}b
zfUGt4q=0R$&w6HElej?kgia##XYcpUx?1L7$iwoc0W3)RK}|^OeE~73<rJF1ei>pc
zC}KMS(wdG<O#a4nw1u!;jB~|+05R>-IcqzZBTRJiBiM~47?T1_;WU`C*oZ_mpnz#h
zslq?0pS3>}fF`YX7MhTRvJ&bSSdaGr6ZZV8{ImiFvb;?N+8+uN?ikh-+J-U~R4FA4
zeJxkzn?oqg$T3kT`D%HGNPE>(Cr``UlQP3mu~AcG9ukvlP+-hS3nuNOyXceDF%vtg
zuM8R_9+WgTCtpv1HLZ~eYigq$nIO(4(;I6?zN#e~ENq0!GgvUk?6~dDX8e+qGGCV2
zqAjfqlo#19%MaV%@z_nLn9vh_W$f=aW(z-FH!=Y#86(9^0Dcpj<Z7|<RG#dp2J6g|
zWSpUtv9^{d+dw>F><`7DT*G-cvNaYp4U~Yxj1sYoRiXe!Ln-zQLjvq1^BR{JJK<zh
zjMpMCHfun05lg{9geb^Ia4Ok`(S7=-EtmShLIj$#YBj{#b_@zMnw#AMspt?CE3+*R
zJ=y%&K1dK4y_rC~GvqRYMi*pmAM(8!znNu_&znumKLXU!N?G!>($~XirLTEft^5G3
z<e5>N@vBIG0=Jt&y8*u-`UFHgL(oW`JZ!&^f`G4+^%aq4mHDA#xqwLI!4@+U{4PTt
z>^+qyJLC!S_K}CY?S?$K5Fn4@PXh8V#H1dWt->E94@~oq$b+Nn|A0JlCmco|#m5Ka
zvG&a-w9-x1M#9(`lvAN!!2=3;)`~oaEIbvE<yHF$vY@}<iP2ZcV!}^scDPHFF*{A)
zuu<)db((@}aJ483XLI!NidoBB<Dr+aGo|1Xg%aA?l=<{nY!c+Zv2`R<jg^xlk+E<1
zB=Y3qOtwHC+D67%69;*HA8oO0W@IwucQOMJ`lp&8kKO;Mye}x5Or7VNIE;ZkzqNbg
zn6YdNB|Dxw39~m?)Iw4q`!^9jy?uaXPIR{q$U3ZZvuBY=1npl$L+dtx$#=PVlC~<F
zQzt;oFoUITx%{aXqL?8>m0Eg~O(Vn843$EON2~zB>4A69(nbEKzTpC0c%k94LtYc(
zojO+a1d?qjZW@ur#wF&+g7*pE4JWEV7WDlm%KCNOj>J!d*dDn`8*ni&Ig7@6Ihk^p
z2xth*DB4ttB9SLxT5?}hF)atdjpRATxcbZ_dLLdmn-6kW2$j!RI&xhiO;$NFCia@M
z6<0ah5B$7CXV}#W9L5<b?<3r^12maQNZqrukBKk^r+Eh^(}eN+=^etvP7`v;ynR8Y
z`D_g0SLCpKh?<58?^<z}{4x$1gA`t9pE1sJp1KD~nrW6jmHRuat*PKag>w>c3I-5z
z*oG{CZa$Im^F_-j_)F<3^QRy_3PE7$fns<p)Ud_T&rsmxJEW{3i)o%+3CjYS9Ozw)
zSwrpXv^kRnc+88;r;oDM2{b_$4h)nWP4c#jXd?O=^Cj@eAbDj4g7MlHb0xL>8{`@k
zP(^E!%B2M_j2Sjhj#we;5Iz^;oWrarf`8mnWGDSQj3Qfx9)TiwBzI~<2ZYi5`GD10
zpvl1tGPC7;-J}hl?D>_pAdgG|LHJ?`0@@HS+X8|Ze}EZi%q#@NN#U@POVgL)k()xa
zsc|A-A)F9oV4UD@us=5C$B7Eyd8c_IAkcR$L9|g@;{<{rSWwxvJ<&aL^8JYrP5@%)
zo^n`wBA77~fnUHHzFPdp9B&a~ih$`?Vs_X8BX(uLFoIT+2jbX)uu^PcwKS0hpOnUm
zvM^TYuYLqnk=7<q-X=&M_E3a8K1za1S+SZAX22oR^>At!N^GJwmV-Crs4)(H<W2Ok
z{l9)^u~ry~a2Hxt30|7*#ezp;WjnJxOCq1pk}<O0c#;VV7C;;5QEq?oK>NEuMPph4
zNDZMu3;`o4q@v;9X85wdA5C(pmP0sXtad4@&Xv}f!PH<~OqNU#PA6ZvHFF#_q9rs#
zNV)sFj<vbz6c)A#sna16il}3w0Sl;~F2?R)f|A)HVT34`@C#PL3@yy@KC)7VKy_1H
zZm~tn2J2PWl%O~ar=?-s_shYc@mzMYxS;he^%a4&&PK>HeJOy~_@xwWH2_5L!{8K6
zdD97YWZ>RH`^w8Jty4(09i#+~OT?B58I|r;yWz1tv##|_h+KkY0;!%j`%f}6l(xaK
z{2+-OxRY~hIXlfvV#b)Pl|Xr>2_{@tkzgOA>`gPF;@jd(a>TTAHjLu&bgm)%e1<%(
z@~z6(%&s=!tQh{28DxB{9OQvz2=cKR43%|qx+1rhCFI$HWC9H38B{JMYKtEPrz~qS
zy9anh&5(v;>I^mPDhZU3gtg;AgWas)*xBtko5d1<$`}kno1p+P@r<-(4#NYMc7!Q*
zgd*f?WS3VemZwVotdV#}<EgKfI|!P|3ZfnpPn}z-Soel_>e8xsYSPH2)VVeB)Z8&m
zsYwk@sY@M>9iLusTy(*GyiUgej*>2NI?gRq%Iz&pi`+kc^D$nOfAh_O-*%|lIrIES
zj)!&59qF9;$J@^v#J8&J_I`I9Y0cb=hF-{*F+4Z?{>9{}q|OPex-L)st(+sgmo8Ye
z{^zCbysR9sZuaNMSnia5?a?wljdV(T{`<enc&c&E%sjTNfm~I`zj93t>6l^1PP>}4
z;lJ*D=Sp&L3#zH^ss-HWbH_9tMy`8=7dHTMl-oX0kftJ2E{5IH$2&9NfpsAcN#8u)
zNgW@n-r>}D-caf!&n*ja4|KRyhi5m|?+xFs^TOkq=E&rx8Hd;`$5HWR;oCk-?K)OJ
zo@pv0M8HYD))P;~xcQM7iz%f%>reHnrfNT?BAYRP50+h5si)eu)RJUdSv)<i+)0fa
z)>!Xfhk)GDSj~3RgSt!mtl#MH`SEi{xEtn<DIiGS`Q3b-GlCQ7jS{gX+1<ct>ka<C
z`)#?byJ609`geXN@#)F5)l+ueB~E%OxrebDlx{wjE$Pj}dYsI)Wlr+V9;bRYkt9y_
zs^sfE$pdBAWk`Xs9T-`a7(%geL+d-Q+mXGNabeHj=gzKqV5R7Rl9uVZ1K?7=gcrt&
z=7;tz=@)Kw_?hYq|7}X?p{r6;LWi=S*LUv8i0<=BS|;empVmP^kti1+@tRUPsUQ5=
zVo?xyD65nDL2@d@)s0h1-=nVgvfcJw)M8t&mG`~uBfQVupJ2$W6$kD{ht>rr<a6@4
z!gJ4sqgEqaS+&TX><nBUUY;t6aLD93^(y)Lcz!o>zghCY=fgj|6H+f4!+WQi2*@Se
z7WtJX?kq@c^zY^{c88mxH7NAk)$jDga%5;F-3lJd=f}9n$-FI_AM2;b`LSY>N}I1F
zc;szq@JPP?dYm8QQ1ppaHXqb5kK`K|Jd$sa9_Po7A{lA(4Gtd3Hzar@-%vfyk8%6L
z#2TBAt1ZkU`Gy6L<U3lA^JCl_F>#E|R}nmt@7Umxe8=f=e(ZRX2AdB|n@94U5ImCa
zL_N-ros>>$Y;t@)N6t@lY>DB)BPC7_9x1^k&l8>bu~W4vjQghQO3VdKEhpJaR$x8u
zdz_UgM|LK3_fPucp~Cyaq5ryzxhG*HO%@QpHB!k7=-*Kip#tO?E$G2r5q7y#z`QU5
z%}O_TATQP$IqE!+YmJdWuyIF%m2BLDpt=It))+Cu%}H${Vk>nhb$diz7lT}>6Z_?y
z-{^nI@QQ_~uajTbeIaBH?zL2<MkZPT2|RhpD0l+V2pBop2xwL~0+E%DKxM@vP-VZx
zp!0V=c!+_*?LB?+Bsw*Yu9X@6%!#^BeySwot=pW^_aSc#FF2I{S;}+SXSnsd>J<={
z3x(1k1g)OADWuihKf;TV66tyHt8#)}7|Vm-&<B1^4tysE{^T6^(^B_Fs%X;OP~&9o
zjnwc%*B3W%6S6t%bBkZBE4x$KM~g~wcd>)&S1rITFS1sJpq0nD%zx2bp1{*1p8#TB
z?{$7p%&h;lKhV3>&eT#}M8S1?MgCWR&l@hmRQI9OV8f27^<g)|SLh`?St$)~a$$kq
z((x)yjCnqSdF=G4j_3KP#!isXD91;RicYq3WMgESCdq6GRI_sTF?w8-{a*gJzm!`k
zAM2-=mx;6$fNJC{_c?NVhe&DGUH7wikomnhoEvRB1>g~`0#6=j2;Vt@7Oo0^uk=wz
zcOE5GBs?s}Wl*sy{?+KypX?`96Acf8{N^tgEbv_8u9;I++ZJ9}F`(wIVpG~a+D6+#
z_1@gqoeuO$A!(u+d|W5gGAB?cCI;#RvN6CHQY}E&#9-7-3<e$YsbgX=<R+RC*O>af
zM%tqds@)E=JzT{kK{7Hw#=`C+`kZ{KCO5U_^^b{x{(-Cx^bcAOxD-(t=pPe<AvQ4>
zVH1M^Hqpu63=xF?xI%vS_$~05F!r5u8CJ=IAx>dCVPAmN<eS{)6e~}9!wYeHF*(U_
zWZY(dEm2qV+e5wCljv4~ex}=D_DRLD^oF>N>HiWc3WOgxsBJU%vn@90*&KbM%Hqji
z)x*_+R-dz!NgWaYhFaj<(x~JAgdV>(k}vZYbtoXqM*j+~k>ZN%fI^e`rC@CaY798u
zPpn%6V<EAGUkBIP6T<`O!-C!_kU8i-ntr){SZdP`D|3!O&#@X*PyW{j<YoGYreE*V
zirZQ)4Y2tCrWJEbkVcNdSGM+TDE+^rA9w#I(A$i3XiTk;PW+siq^9DT`KTF_=yeEm
zKMW1!g4;fS!X;J#5pO=?Y&JAMn?=7I{mN3m<v#;VMlXFtlFZzpvsmIQddZU~DX}cf
z#0`xKc$aCC7qxB3Mj^haqcu{2gx7!FRnmiJ>^XfNKT=a}FHhb6a5>+?v5w5Bqn%`X
zsCHLvXLw<!bL%_0s;h<bnTOoFZ-i~!$=o#AlxG47WlD}tdC7ez-TJ!f3dcN3m#Jj^
zvn{W9rQYXHE1F^NAj;eoQ5%WOkU#U%D;;|LY5G-q|8d+&->bq_KW5eIjFLY)_oQdG
zmZ!Qijb|3MzdK;y`tZW_(bNVuc18KwIB<O<FB((pCuRnp)ZR0I8@d**NG;D)4Ac*9
z(OOdL*RF4@U0=IAxobvreo3u!Pjvn$Mg`Yg-g?M%>L=;ehyz62mzp{Al+T<7FsC2?
z$<w&2>CEy|m7F{f5TCqt-n@Azx?~<@z(0BK5M@1fTj^;<Qh52GD=9TW@;J^u4$h7S
zZ}vX0hg;Qe<Y`G`W>kN)_5C~f)82DxV`xwNfdSP^Ql0HxW!0V0YERl*(~Nx=%$WUf
zd0}Q&9?OncfXwI3XnYv$xvQKr0n#NAiq&A*4*tk?a>Xbja8kPrB(#tRrrL96>~m%`
ztLir^6CA-Vmfyu%dYSZ4miz}oetanGHRvj1nXZ!6#(`MRtU-3*z~<G?N-p?er8%A&
zwGut)@%Kg`gG!!pGNu3h)(FIX#nXw@sO93efX%|KTwKolxUghk22!y;hJc2*THB&w
zXP*{}+g~qN-3{S|``BN^DakXGCT8GT7m&npynq$C3K!7UO5sd*1`Rx5-d1pIUg1kQ
zdvaOT1-91>T%xwIaw=9zk(tQM5v$!-+g7`#c3<{$h&2ZSYf$Cq#g?NrT6vS37P)=c
zU-~PJSY1Q<w$UW8r_!Zg+&cnAzWGzP9%!SF&Cy#AhzG;1m+*H{5z_e91M~EuKG4{&
zT0jWKV1EFYHxV2$xTEx)JtI`2$X3wuWJmE}el6CY?y%&0NAV!N&>tsretG+WQgbKS
z`DMYln!ufcZs?rw!i3w8=h-d`sjrD~$`S*Yo7csT7KmS~<o9{0#--(P?hkCNUov-D
z^3dRL>*G|MJTx@iIs-7cF741Ddwm?Fy%pHFeD$R|4UBUpTfNIke+lb`{&-l-?Nv_Q
zoSyK)4iMar6S=|*-wiJu_XQSSDs>NqHhJwVhpbq{<}KIm1#c@0-j<uUA*U|tJE<ra
z;zf6n@^(E*WxRe@%fDc#Bz3Rk(ghvGLxm6hG4?NTzPMX(KDK}k0PY!pD>;__5*I>+
zfRVf3y|P5zIXO6qa!1N61ve$QqPk$PHXD^*9t$sQ%e^kkzpgBNU2bCJ1*?D)tX&3H
z3wvb%dzFQKq*MP6x1PgdwQX5VpumM_thVrWT6k~%Y!2QrPP!I&8z4|wyzZJDyc~HJ
zUbr{BaMWitX8EP?y7nEy>%QPEcn#hPuerBikhg+$c>rr?0PFhjLY$w`%J9NnpknZ+
zOf_}acEKj}`<b}*iTMn*Y&jUA`zwSiFf$mRXczBa0}WhOMD0;Hz>sZZ(DfSI^)aUF
zpR`?XDDX!V+)sv6;?`}`nDY*s-W*=AJHrmBcy2)54YCRbRJgTS*yF}GWoO{ptBb?#
zEWN(<Db-pqc)@$e0F5apgF?&Qe&tSTVwqpVFvJXB#1bMNfJCG+k-5GmQ}F~DnMc<o
zGLhBsbVVf2{qIid;_^5{b|ep#dZ^){N)Kar7@0mMc_0+N<1Z9UZtcf*AZD9i^^RbL
zW0wXz60X$AoV}n%BkAPS03|bz;nu-pZ`mo{J^6<HBd|4Oi4q=}uBZ(!d<Mdd3meyr
zsIcOK^z4I0P#~PB8>i(QJ`?7)6%ww2FyqE!XB>Zi-QaiQb%WQ$Q-clDJIO;;Ef2v?
zRq<rDs;Pci%P%E$oaB;_sra>0j$evb|J`&lb)0&G2k#R6aU27}gXwW450%*;84?0t
z#{h|<>|gqRo1tj*@%y-GypO&KTubTk=@ZivO5$~uO_|A6tI?4X><6oBDB~*8#>}MN
z^hJZ?bxwJ_ZgM4_Fn2sNDzo<0{e_^@zjjEtIrB0!6tH&jjuBjty&`-^4<ydqNGQx|
zvYt&=!e-efz{yQ-_NUYtwp4^tO_}DJ=@hM`D0>7Aepwj{FI=m=L@Z;br>p~~tKxNp
zZuvmLY?69M!<}gk8Jd+uKz6Ng>NNXkRAfQ;3No$?FJw@0Q&f223-NS9b5nO^ye`hb
z9sFE)p>8NBKd&yaj0v%a`oarYKJkqtfk;asUdN<#<FcZrx@dV*UCDE7Fub6y@gTYP
zhZk}$3KeT0YqpK2o8K;q*Ilc^z45wH?>TkN%YYhf=ny|Q#M58a&vi`Wlj=&K|Cg%5
z3!jSD4QK77O<>TxQ%4@wF*K^xySm{^!wcKvf*@WO9T~4HdCy7hm#~f_f7EeWw;cy4
zHuv($NNjSx%WT>c7dI+Y%8%FG1VP7fDAp1oExhn~!FgUC-{}n1z|Xb=OhWXgZj?E0
z%2zIWva0C(x^b*G7)Ivf+NSzv!tSMT7n%v7Ex`4T(e5BF+b`)evQRr-*u-b*HFW!|
zM3uo!>RBo_A}crb(8xjhUeJY6Oj5Q7@w)HB@EBaw+G{A79`_!!a%%U}0}*d|cp)1v
zeEBEM^g!hRECQmMt_o;4K{R{|0<NOOYDOgBNJy*$yBD$2wNIP{T;ii;MNnxaY6@t4
z9&~PiKW7~Uzo+(+WAHKXPE*}^xDXar5MlFr8CS1?S`Y+k*W})!6tV|0H~w>PD|rjT
zU*Nauc_ChR9^y*$s^DjSE>^8<e3bw8eYKkHmU=6xlCPDwJPY26W9Ux}55rI5&$zLy
zXrVT4VV+^vgyQFcafA8H7rkZmOx(xN;B859yl%pnf*j0clq1JRdR}r8bFn5}DFf)8
z3LxJl_Mzmcy2jK|sq;%T|D`V0WS5#axVEi8!1wv@kO|eFFyiC1lZ?`T(lPpVas@ax
z;$wfI_&9W$#K*=0@v-ehQ)=_kr{%@Ri-VNuc`KiVVB&w9(v1=w(25nloxvD>nts4W
zhE$0<GDy3&*n~mWf<y+ZimhXmA}NM5?v+8LWr!+&j;4GhKYsaarH%&nxwbEmR?Nj4
z<8>FB=^wu0`0aPktDB<H28(O7_iCI8eaI$_gx=f$)Znwy1DwLf74I^PB|8W~>|h*M
zF^+?Mf*MSSxMxH?D66r6d@)QENRV;RjjKTmWeCD^H|XKiMFwLaOJI6~6pf8UfdDO`
z_NNVCLXeT5NKaZ=g8+RQu0VKdzT*TgBV?}a0U~pfH%p3i4_;HfaFZrI#`r6YHA#=%
z+;3edJy`g_Hq1#6M8}Je?rmy*tEmq4FKdP_yRE5hMNX@Nc5l;PY@i)RpMrRMQI)`!
z3chWmM%}o#Yz{*RFr*T%8VuP&Ad^BwkxLX933wgEVZ$=&8UL?|r$@b&mk|LWIkNIR
z$waGwfkaI=NN=Qu;5#3pSjo|e<X8z;e{m#S9SnDg4TuG8^OB>Fy>f4@<oLiCKZ4{4
zFMK&yC=eF{<^NP-zz5Hp;)N2!N&q7@%*a2Y#9%Ve+}j;k2$Cn`#`0(QNk-JPZ~9QN
zk$noE%)TYzu)7--C3-2*ebGy_r4*Mw4&Z3&EsVE=7wdXzmTkX-e|B2tvflP?7Ppqd
zBAZGQp_S}j;Dm-f937h4sSED=`)A-^tZifPw^FIGW2clBMQbVs=pJ?_*;C%KEuQR<
z=QmaqPkQBv`gdC%#adx;tw2E0Soa4SlYM8ZMz0dG`bR&jy5|?v?HhOwG^XB^NB$Q$
z2nAJGEvhkEZ7Pb_Z){oAefy$aK)O`j?vNAo8Fl+0eo*49OrO(ixw|sb;O=Yw=gfrO
zrc7ff<gRI%7EPV<0cd5X2oDE>d!`9|Dv9_b<etPA!Fno-tf6@FsSt=GW<0qm%!Txy
zo!T3nKPA#TzdT;=H$UKRXnDT-5!RoZ|0CC2_h+tJ5EKqCoZ71jRC;MBys(Tqm}llE
zR6bF^EZlk}wgYuMdjvr4!4W7xy8q1jcJG`UGw1f!a<l9U9Fn^XtG(!gOvNcVdO7I<
zF+SEWkA{ET?o^|+4M?Q>bJ|Iw9-DG?QKFhewrock>*hW2`aLZiy!4Xeu4oz9eack}
zjCamS_d{tWgXdHed39Y6^<B4lDT^F-UETQVlD*;Z9mk>_XU;{rd^)NlSvv6_z1QxS
z5Yk(fTE-8SlMU_^39)$qmtUS0*zr#Ki$woMbpYv3hH+0*_)l-e!+&ZgeU0=0k>q$o
zs<fw!48&tpac2b=E+vK$iq%!6v!aqO6xs6{^%O5gieMp~L)Tv5R&ws}@>QDpUglpm
zsCS8?`Pw&CnWzrcyMuZOoh2@+J24Cg44*=q9Nh3GLUOI1;>EMjnr5*GJEvT~1EAry
z_f-ziA5l5|2`WDv?gmVc2JEqODnAa$F=u8mJI<;4I3NeX4OKus^5cMfB#^UWJO|V6
ze;?;HKwbmnV?GYZ#{fCbjX4b;2jmSv-T>sz#{szm<PMNe{x~3?4CIr6eA>qW`7|J(
z2ISK}4#=ki`E($^`s0B7Y9PNF$glZ0AioC4uL1H|g4{{&nD@UU83ih0ky=TU{yYV*
zrDicryc%{-V<8?Twg-*;JpxDDx0F=B%Z=@6jz?LY>>Uuk^F^jCw>NypZ%Mg8BXenQ
zYDG-P3Uo6OuzT*)>olna^TY+|$SE9=5Yt&R+p0KL2AR9Z3IAzz!u}%~G?*yZwOue#
z>}eXtk)p3NQLN!Q!FX~_k=YB^DTouHCFiFqPO!i)Et`}sIU!O1O3Pi&4Ag|gJ7wKR
z_t{rX>Chr9s3LAh54DAV%w7}}f%Y;7RpN~TeJ8IkCDQ*ypQ75Y*Uc=mHb#7(W`%84
z0B$A>00(H!#MnZ2UeOFhkYH6@*OG2$<|E$qVAC*+@J+lUR+i!~JIQsL>WHF_C)e`S
z=A;NF`feHL)G3~qF6q?9?NwCW#lKgmW(hbV6!J|%`~kx>V<%CzB6Lw@Vi>{lYJzxA
zUzjkvpUixhD4xJMZ4;R9zFV#@QCm6io61Q)ymA5``zklVmcGCX&Q<2gDV~5cl7H#%
zR(=eC<9(RGbobq0x-(e$UjrQWoWOMV-H{&y;3EMX2mU!V!g!;!9$)0#4Djm>SA_qx
z^h3zGxoMc<PQ@-n;(h?#cy1?{sZL+e{Tc!hK<%n|8!bEsvrs#`-WB-@KQa>AH&^ML
z7w!@tw%%$kFIhHOl1NWz&|{+bBBoE$)J0?DM@#N3%SLc9Tfc5wb|B9Sus)^{b0|l$
zaUv6qs*QvV2|S}tfg_ywAymaoV`MrJS{nZ*R!1+ux`LnF-sW>qNNvPjCJ~w5T_JlS
z)hR`l;{eiQl;sn|t7^Cs8>&i*k_SF>11^K*tTVvR%F^<R;tVSL7QYDmd}`WKf9(&=
zdY4Rx$^TmbUx%}z`$U5eyiWw+mYc}R6R|EFcSG~VPWomfNpJJX>4_z^`!W^F1Tvm@
z|EeD-@aX0;|2sgHCU-}%?Ujw2N%nl^hCj+{N}t&9&rk(L)U=`H5AW+-e>yk$@}>UU
zRA}IcUc%W;Mt^Tif3qZ7|JLjwIWcD9>wq{j?rp)5dfQk-2t|Ltd#D#(+6Y1-WSdtd
z($|+YVOgCKZGVG9Yxe1Y+!=2mo&CWyM6e5wwfp>EP|kGYKY5$_=aSmCMCzZ*4r?!1
z_s2$c>i36R|3Jg(D@rmGS*VyZ+DTtf=G@~X$F&y`JUC-*V`kzZC%HA0s9w@N%=)LC
zq>ojq3<Iz+>N{I@q}fdTmM;D{m>S>@!K#X;ma%4eoUFdaly6(l$7`iyB~JR5vcs_N
zw+ifASQluHlw~Sj5jI4X8g=KeTCnf<P2}$7)ch3_>R_<kH-GF6e{TT)hK7fQ!^8S7
zU4Vfqqdc|OAlLs6z8l6Pt1`7mg5(My;SA37RIQuWF0EdgTpn^}a9ZApCI+@kosm`6
z*IxSE5-|4#Cw*g?Fq4_>nW)#HwQKD9Dr+Iw@dSJ|4{^f3UVZ(}r8zue6xJVVd9Jo?
z=~V^sMbxLdGET2EW3`j6c-~zx=btqDjYx9z);+jDZM=h_1Fr|+^h#HFZrj}Li`a8n
z)IHSJ4=~A|-sb)^y5#yj?XUIEG?s;E$^RJ?O12GX?<qF?2R{&LZvwVicHV287ld?c
zjcVQ(i^A^1JY>%6HLS>>4)yUtTWH?w;$HE=GN-=1Wd{_g_A}QErE+5Y!tq`0hl>4!
zW(ll$n8+4zf`w0)v25|LfE>``wP>cPw>~@jMQ6qed{*4+Q@tG*NoXbO+57Q@7iR{W
zA%d%|y|*~|8e*^;y7b1^b|nUu9B8cH(egq;3zAbnQ@cI;9XhLDee}xr_bmdr7zKVB
z5HiySERy(Yf44YV|H|x(<(@ehpTQ9XTm18HW6>$of{%vK1}>5$;=5LMd8$opk{N7d
z2qcbzQ3KhIP}7XI3(_S^;%oiJ`R9b{*SD;ZRh~z{Vf+(#QRF;g;XiZ5cte4G;rOd;
z6dvzyC)y`{X-UX$f46`8>;3DOgl}I1pvi;d=X@gu2S+ordh6evTN6(=l`&wQ86D34
zmz>O~)qVbn3Xjl)cJWL7(mA_Q>l>@vLLF}JtkdJb4-$#RKENO^3;42w>KT4XANK5Q
z*+m#z^W<oHYDxXtTO<l>Lwlo(8pu`sQmneGwwDt#sbqH|lUR*_tZ8I<QgRpH^V-)N
z;m?5wwEB~p+~cg>8HZIi2pKu|RWKeh*UU+_jW=A=-|s-BRoLsXknb?WHGubBYzP^j
zJT!hzb7Oi^N&BJxF`OaQdt%y&@JE13q`ykHo{z${I!`fEvKExEt6(K-39l0jUS@$y
zl%qcHYS|g9Up?nj(PWmu@k`6%GoFrBujbrG`on3uQ=Tq!a`>P_^-F}0w&n%~Dd?Ov
zCTar566r}u&D!2r^^&U=;C5|SpVj%TjYPhi&c_1^IBU1KZ8vRT%;)G6t6h`5$#ALl
z|50^n33!$%KB+7*W660&*iN^je+cqV@^^N7Sy2n?HdMAFeL)G(hv(mA`i?(lMteLt
zuC1tLR3_Ss#2{=J|DVdmle60>H$2s@a<y&lnw!c2WF7^JY%Mn}HUqtW_3SN+0IGLx
zm%C=x7oGH6=z0S+bKd0OXA|{<pSkWcH!ce;K}dHG5BMfMm;*UVo<|hic#If@hwI8|
z;Z4)oB2({DQ|V#yPV2dZ15L<OtP&W}snluQsoFv!iNsh;ZgUdp$0PIjE?tIYan8b-
z9U0^QX%1sE-Bc1!f2RH@*3vFugVxMQ4XREh`G#vX_vaJ>BQdx%Q)0Y#n!85|H3h%R
zIf=t;&0J>0PdxoOEUMvj_ES#!6#SI<)XLD^UW^x?D%Tzjl%c|XIa1|+d0Q_FAT4F&
zM;AVT;}ph!(U0+3XLEu#T4UQ!PrReV?(C_b87XhMhy5NXS)tjH8tgVa_*`bjevt^_
z0k0TsjOnkI-q|>6|4qbz+cxX80J@ekLSK?kIk}lV`qk`|ZY$~3-WW5H3L+<6-p#sn
zf&Babo4?WnV6LrmC#Q!pZC>QAm~{ml#w|MM()~H&Fb2?ar+(D4*Dbs846zX`b^<-%
zb*Cd9tAFOk-&_8A=DI<B{I!2QoD82cUH%d7{#}mKEZ_CXf0&5?<#dS&Ef*`G2B&rr
z?N}m(PqV&P?U`ABUkW`CeHinJBazvBqTFTvV_N-Tj*>=OVQOiSMmut;AG(E|5$u8r
z{NiRht$(5Ucy>sjYc&t{=i%VC%EwGJ|Mc}G(T<pj&f+Q(M*LVOeLfgq+sinsn3|E_
z1Pt{(QohCiRxl@LF^tbnZOweUH+itPrMq_D<!FRPABtX)P2s*~P+ECHd+17C!MCNU
zb*ViDPdc7wr+)=mEkrLF!H$|q;MxZ8?Gz73i182Qq9Od_4i;Pxr>wX#m5gOdG42f(
zC{pj%FS}(;W-5f*4y0M5UuT>dTQO*gyGJa*H(p%XNTYbiQ<WM=CbAy?Hz8q2n8wU?
zp=kZolDW?}8nxD6NvNxdqvK;d9mCe}yC3bNpNYR_WsG_J2}O#SxLOGcHsJ4vxK-~b
zuKznbnasak*h_6zXr9(O*6yMH`j^A4KjnSA{?+EAgV5-g0KllQEf>aT%#I*j&`Pa6
zka`D6JL@du2`aEx)B=CVnc`GG-F<W)eUQ)kIDiFHW{e$9`eJFU{+~JJ#jN|Vv7`T9
zF%bhlA6kUI(sCwzRFxak!Mtb!fOq<_JW!9bTR58lIsT8n55K`|L|C$^a;;Hk(x;^R
zVOuf+E&)lLN#Otf9V0rBTP%h@ubylB7D`uf>ML-Qv=T-Rf|Wy*QQ~*{KeeCV*uSAK
zLm&SAlZ+^8UJ?}ju=eNV+CSq1?bm;F`zL;M`#-Z9<&thY-j6t*I}6A2lIkU9Jg?~+
z&lrY|PH^uV&&(K*!frUpjpy2%!0-Qa{Tt|x3I6&({i|n5UTEJW_94;XwQDd{-WDs<
z=;5~d7%VyVMG{-a^k?A4G>73~rK5IHe|>kj^&$jVqJC4j^;#a%u|SQeb&O`X2cFzr
z)ba_dMjY2i&jNj-zttzA%pfIE7WtApL$m4(_s7u^lj9D-@E=y*Lm&;H5RA8dLZ<l(
z{S@^uB~s$Q2YA*XJX=$q#0!kJ&oALUJg-48CO-(mu66~&Sp_p&Fb*_wHu`5VXzkei
zGa|SoGa&>GOJZoV4e=RVVrd0u_mIB+DT-GXg=6RFlJnAoG1e|F;}kdlzBdp7nM-?`
z@KU_M=ErFGPbHC5arR<HS5AJK-A?=cWw~yI-O+s2mU>X_-VJfB{-d=|W`0f&+~VJp
z&)nKfhHSA$>!urwzr)g7yPGjgXY8om7tnj!VRFk6y|0W^skTq;P<uQ5ueZo4;3W^1
zhg<&>5?hQ6-^~V4^uVwi=AHI?-cdtvV*E*dnYksJIY;rxW~vkWG&sRHs4;wmS0UWG
zki3EXniyW37+sXPursxM-hqMPAHKz>WVQyw%&F%<heV`2{Db>==cJh(4Ps57rH`2k
z30IsMY4A@+N(ii$+2Vb?kC4FbWk@a8B->ui%u*6bj%BBgN>V*_0~^{)xb;so;Qxx%
zc2h-tJabMcF}68U8E&0Iw?KlRb}t02(RsHNof&q|;ju$#?(JS<>G5cP>VVl~W~M44
z{$1NKq$&WJo!ohTW9O_pks9H+X*sz|EVeAh%!N<RJ5YM#QOWG*0WRAM9h3go#+8PD
zcsvD?*-P~{%i92N{`E{Vh7hey0;4r}pDA$xqzL9c%);3WIF@YF$Zbh^;m+K<M&3n}
zJ3{dp`(}MZ1o{D0M8k_4q0Fq#RC~j`-hnrKBQxts9!hUWB(q<e_YRPiQ7q|SDi2Oi
zIQ+wRfG+hyX7JqtAd#Mk;j;t#xg`18IJ^?F{ML5G2bT1>`)>LfR>-qtziL6!|2#Is
z;=KNl^lSM2$NcXA;o2By5l%^s0>2nme?%KHvTLDzK7Zz%L&=_@H<o3KdCNSrsDvy_
z`^IN<$|Li5gZ;Z$XCRoFoUmQ(eJB_at&uWbXyV??6cy|r{3R`#-I0|dVJe%(%g|nu
zxvlrmp+o!EjOaX_Eg18fv#BKnmHc)dt%MuVtuE~6gd3kuc@0G<F)tQ7)mhmB_*!Q4
z5D7M}VIC3ct^Wx~JPm0X<jm;wN-8iRI$2w3n(>sAxejr=<GN3V7f<NT6XV8d22b(&
zwi|}Z^s||+-*DA}D6Z2(rqjuHhTeFT3AEVg?}N7$U94W^xv}LkB8$~=u_8<;yg+Y5
z<QoTA!u*G&^^KzpoxAT?kj(b;O2z>nae<>M05i2bI|1V4<kupEK~eX=`d40esCSVe
z&!v3r!~c=yH@S|@1Zk9KkPCM6y0GTVbD7hRJf|JJ)=0U&`U~baX17(2iFZ(y+5**M
zsvZ|fWFCx|ZHuX$iOj>1F7q0#3+o3a7#`^A_eOj^uyDmTU*&$xL|n5$N%{3(BK2@&
zJ*j^@>XrNlkMYCF+#AszuSCXLkVI=pxVA>x^ijf#P|z=HYP~)3kjZ~n<UUeanj<BY
zs)UY8|JOc!HoIE=X~=h~PpMkw#YhqUt@OAE4%j=e!nB{Y<rCQGxYfh0pN5`h;zRoR
zbGO>hcs6*g^Y}&zja9%TFc6YhY)tb^>u;zzj9zsa4jE@~pslcLN~!SHr-Zr!k(D2B
zG(%PXu|Z2MKedKtYKPx1_v(jchS&Q_kf%<F9z4zq9y8bU^Bc1PsP0tw#bl;`f6R5j
z9Ur`{GMmc$WAoYnDflpQF~hmYe~*6H9lk??59NL(So-(&ttW;$@#Iu@CVR$*TWiSu
zs2rF;U%e#tJUGA7--s2hsckSH!3(^A(d@4X-tL37)2)$K3S}nuLaqi1jY{7YktZbc
z{od+Meve^#nQqFFVRCy{|CGmr<F`_YGlN&UHenhJFj-TBHntRVhD-P9x$)!B!UNRD
z{U_Wh4R9tBrYPhWV>(&(@gFe!aMN>u=$NLcX|fc8X?~NY9iXV^Fp%&a<LQSQovul8
zmS(=md1H^)qX1*3;JHSyuq4z~tXf7o8C+*cpCJk4D$gWKeTuN%zdk`#1V9{=+s`^U
z@DnQMH1b?6c4~0I$vr|X>3sEtla{6>GIPq#OON}ME?;_^Fw4)PB0X%nn#h!#<<$3F
zKZC<oYS%<{DtUKReE(hrsKc@iTIOv^SM=lBEd~8>U4w2AVR;ybVfeQ5VJ41ms9h7|
zewY1wS@l|O)`bVINz^|bzHJRe<K$aPwIho|@l<*Dxtec<H;{*NmI9F30$R@wFjjoQ
zY7Tf1%l&aok~u(~OvPES#~mRxnLe6@87Q(5S#=hyS`6cfcUID2pq`#XLhTA152fd&
z6QAl4Z5J8ZzUt)lCEBOSPth1~1hf|gQCAQLj|XyUV@}pMDJy^cI%BuCeAPO(U5q`%
zz=cSGQFs<}cyEm?r@io<Lp2txXEEHWfl<368z#AGLG6ZYDHaZvWB3PuWnOjUnGE$@
zzaz`uSiUP>b#iKH_DN<Cteh*Ut|+@tC5R!D><|XbZchzrCv}$vSUvav$n%VtY<aMe
zI!941+P<ZKBZt^r-IzM$&tOE;gF8j?$-4cA;IveSKNt;MXl*v5xmkD-7x%STAdhpc
z=Nk6sG8!m6{}^CP&IB{mJ<8#!0o`O~#3>sKp~CLDs0s{#nPPs1f`*D3(E(w2{v~fY
z&H{B%Lf1colYXM<l1TVZF_@qtqLuoYsNy<U=BEmcKyFAPE~P(=U|G05=>00f^ukZ4
z0Af~ooPtTO)gUhqep?`TCQ@zSxq)1x`GptP7*e4FgaIyz*RKx$;CMRGM0Dcu*&&7c
zkooqm=p{#P=m3P>&M*I|Z)*+A($BvX0EOf*B!?D|#(&N*RM>rw$}Gx7l0*J`j0a_X
zL+^_pw6ZGsouW|oXNF&nG{2{o7uv_D;>JE+k;>2U(%5n0BSgylu{~;#nTc7b;xK>L
zFhItBji+`;pERx*Ysfw>#?wFM`*p^;A;{ziUN`OB&)^G9q#{rPJzZ1-uyTqP`SNGt
z@x*z?5&lmjXlr}@hX_D5HfA%fvO<f!G1b#D2PJ-F!HgK_Pr8mvevOU(8tf<-`U30b
zQLFjZOxylzOl~x}s{2^^zw+fyG#G9<F4%wln8|h1M&q?dze{zPQzHE0ZyC*Jk(3h1
z-aP9&+OpL;o1e)8{hGhoh=*Ov46|-Yq%V<UziGyb+BFN#PY)(^<#p|#!kLDsGy;`-
z+4k?!uh%7B%`Y|=+_Wa$9|L<(yt<PW!FV{<$#F`?z0Nr;q5z(CVvmqpMaeE|8^E{V
zJSm<~5gJjS)^tBzxZar4&!%4d7%B<s%r?yN0{7_1+O|N2KN*j_jxIs3!F=WBJ`@_s
zG0pDHBSjD#s|9Cvbeig(Dm+$6ekS9_n6WHDJyon)CsMnO#1ykt#q(oNb0hwAxWRvv
ziPq>;_ZEJZT_^fg(MplYXo~p5t=JmL;uhin26i&%;gIVYc;o0~8&QZ&Mf3Y*CjoZA
zAKa~HmAbtQ7dp~`Y^^b$rB^_^w$BHJPUNkB@;5(3zn%Jo&?g_9<D@F2s+0t3E7Nrj
zhv6R%Vqmb<f^ekND!-gtvr<b|A4tAi9G<kqK9ysnB->bqj1`4%pG0mdLbDWlDrLS`
z=?O<e2RdT;t1=V6*c)!GC1dj4a_c{droUSv5mA}k9-4K%GvgKMyQj}zL0#>eii3Vf
zpVVrE)~hZln~)iNP<=&wp2(^dn+FDV;=bI`7&_E)GGwNyzg{WvWMG)p&rrz`h2$fO
zCVP8Z7SR@qvSo5d-|uA34e4SFvU>vz6)K%GN+LQ(N^r6GPmRR@FEyvn`;+p+u8@92
z|Bops$I;l0AdLWnmWP>Jt9o0?!~_yICWn(jQl(zC{s-l{!(hT3$7A?kKs-@K_U_w)
z{!C`1P{=DfQy6Sr3?Fp=$RG6$5xRl+YxeTtZqB*&<Eg(tBI$;q`k`khI1+1sHTV!X
z)(n%{Dw7pUa4>t_{1u4mXo@BKu&dQ6a|D|FUUKr>GDA)tPCD;Svx>I#A6l~)%bI;D
zux2-4&31c@!^?;8XV{=7_l<C?yxxh_Yb;IWV(tBR=vtz_r)3Hapv1jq!%hU|Oa3c-
zb6Bw+)2IJFp4+@`Z4gcfXqo)M{p-2>QDYBuFVFpE;f*a*e_x80qTRX+z=fvW%-NgJ
z+F*lmUq95_{ZoG#{kHVU`$PXOUw}?W@)=p;wz57m@!5RD5HbWIQ83(EBkRcz%cmYR
z%GTlYc^l|(GCAW9jYj$`3V?)_{_|h9Q}6sYP}R|jBV}e>C(<>XoQ61mgFGsKpGhA!
z79(@ND28q>2L*bGf8$GNbZw8!BNIe5?uw26X)yfRzd-#B-|;LT;E!pTaz)W6tN8m^
z1AllmS#GPmeO5+Xfw5O={D(ILY(E?&p(dWWrQH8z@G9K8g+h(>@6I`+X~q@;5KB1w
zJcob8q=s8G*%9&=02Z4f%A@rgXK#^#TF#+*x4`oQWS2;z;>?0J|662}$|^kOCw&dh
z$ztbQpAtO^CR#hMoV^nm=0=k}lfrkdr<2K^;~&#7GyaG0FP4NaSkInP?J5qnotv3G
zSB~3hyvZ~c>2Y#)fDyW&L-YS*Rs0c#Xv&~Pn99Dv&{XfukPhwh?*mYYg0L(1oQ5-D
zYnc7BWMgQJEZq7XJ?aB7K}F$ej!g<zTk7f5OM(EgmN)ua5X8a+h3BsX7iM01)vrR|
zI6u?)xe_L+N2!RKP*Rg!h+k<m_>gxwnU)evpXE+98%cKa1S7ogVK4Mq&4`)l1cpD>
z(XMzkCq_*z(<8S^Co<RK_INFNNh9ZAJw==5T0FSaU&DoRrspUk{%F(nX_ukpy8YDo
zJ_Ve54NJ@7Gjb6dpiRJMtQ9E8rI{N`Fmr85PD{reJG^E2CmKwP{w1{im1%Iy<PfSR
z7=kt<sj~>hSBG7!5ss?_vf_mrF_Tn#6Ry{LBa%RkskM#iY0OHRyOM1sF=A}R09P%*
zW8KoCvyxiB28N@_ZK3F5xd9A%;xnFd(sA^e5@ITLJ8OMyD^D#;ZVqv3aJW_7dmx05
z&S+XX295ehqN`5UxLJ*hdF|$bucW%MrCKY=ON%279ci>VEeC7&J!W|4RP;u*J4JS=
z#sYpK|0^%xzu$?1o*PfmC&kr|iAlwupu+H{_%z#S%rNX&8*6s!i#hh3&W9*<nrWHM
zf&={0mvi6pg<v`<^uNcBv`qaeQ(ca!6UK`8o^?)zhm~i?>cs-wua6k!M?M;!WIwZL
z!OEmCU53?UsMs92+F$T0=0w0&hF`vPMRs;Da>{BqpnzlfHAk+2%jI(b@66zh_#<#t
z@Ji-bO_YdNmJv;Sk8xxyRY)4~Rsrp!?A)?&>@inezC+L@ZCf@91HiP)8tb>u?UWni
zYFTt6mAiIBBe`ZZrtgo;1C#8@>Q$lku96(Q<`CQ*KN{dN*Od5+U+L>n^fJ?@=;b-y
z%-#ov)cQ!jzsOh{;Ij-JWMnkOasBV%f;H@kqfHFUp~cji>s*!TzkVrt{$Kds$iQXe
z0~amMj7*ND)^#7ffbQnHPGHB#<}cgMGvV%wg|<g84bZPxT&ZOKU?Bc#bXwGXr5WCq
zX)Qs*fWI`~Q%f*1JDF=L=xU|^0^IVYE4u$xhWa!iZF0e^X3I<8YPAy{UJG?b)7pKc
zRtDH9PAxh)?CD2UA&&^YnKU)+vg{x6@Uo(&K{`uhh-cV2s9)FE$q6Bc(lkADO~^lS
zU5;UIGHzkT9s}oe|3~=`)6EC+vu=jwgGvsPwcjm4Uh26zhXexrroImkQvd)O8b8A|
z{wn6Y=w;E%8|#}R)8;OZqG{Hz4`;rEH$>gJ#!v`1+Vps4W@)*?R}u4-jnzFmvUiq3
ze866fdc@%krB(4vjQ!7uh3;59b0hM%*Wd7*F%#ngiQ_!5b$nh=&OsH=v{XPYi3x(R
zJIejBf@oUwOHK8Mnj;1|WEWognTneK%McAHrl*!=FU6S7|IYsH02al{%dnyg{pGbQ
zOhlBzNZvNb%q6#7?WD#LYapK>s%4EmmeClfOz&4B9`mNgG-TF0tL5pywXxA33JiAj
zbv$cftg+$lM#}8;-8J$o_`(h=kNM+GN~H)SpSrqWde7TQ*dROoC)NfPw)_cnN0>10
z_%}1fLUkM(OazL6b<#s?+q#dDTtE^l1h%Ka3V6a%+pq7Y=qMG{;VR;lF)GS=T8$kP
z{X9i0^Zsm=Z@1-#D0leR-u2z}%mN$37p&HX#uwn9!Tx3jxanxvJqAU>I8Ao?&-T4N
zh@3+()Mzxw_T+FBJfra^^jrV<R%O1K^YJvmnM4_$d_o){)BPn(xza8ck}cQw%Xv1I
zuR5@gzANf|7#%o1H(v;T&%!@KnH7%9wt<a)9k5ZI`&C<=!AB&h&fuf4y2J4i)RzUc
zTzxzJP0!o<v<w`$D#{JSv!?X<G8Qws)#z4=st<r2o<9(Ti3%eLV%&$@l~MmRF52<V
z>aET|f=k$uTG1hQ6~2eAtl}Are+2iF+-Lr`gF1g=>ttn$I*sd6lvSP9zxxmBO$PO9
z<3Rnh1RnF71GH9~*9~xG@Lq=!^WFeWuwA^qC+v10=<%R#mb_2Ge)WeqsYmbDWPd~g
zV`LSGj2Ia#i09`<Mc93l*K#9Dr+Tf^W?jQOe-vkgSo_bIetAAI@#MI*Zrvu0LYkbT
zm8D&xg?0$v9}zpr45-4}STHtQBV~NBc8ST2cs86z$wcb@h!%AGE7k+Tqf#a`JkF#*
z0<G;nWy#oOEGLs&rfQAM<GrN9bn)^v-$qqrgmaSGdWS;3J~B3{E^>gc%lyJ%zEojS
zd|sdbOkj`%@#KVbD`UhYB-(ZH(KP=LtAx_0stgNllpwD1zl5-jnw9yBj6-#!W*T*c
z|LMwu1{wJ-r8Nd0)geAu<0DKB#s=K)x8ve7^)!FKPyRIuWV%q>_HB+TL<<<hKa?0Y
zplF~?mf#(!TFiVp#(z8ju#xvn*!LPN=OtRBR``d4Ps|q4>w|L5Fuwc>o1O`vfpvlb
zQ6sKc+4p{W@ScflhyRzp_fGJBjMe*6&*p17EBMmDg2Z)wua6I2m-G7azSl*;>q=Ws
zwC~HCFum4{rfK@BB$`Z1mUQ=aGt=9JBt&_+{Ny$JLKv#m^j6=OgLv_=Ub^2yf}$Nf
z#XDBauvTX<ygLZMtj^0@Ctb1IVPR*r&#`W@Wl|-(6*s`)2;&J9=+c^qcxPWxsD(4H
zTMeJ_qj{9VWUZ(5Y7}2dnZ3ZkVF!VnSQET`r2w+@!;$BxjQVGNj-e6Mtuq8u9oDYo
z?5JIZ@WfLky9(i<hBs^t;rW%|&(>m?-_-Jt%4au$TH0;>08Ur}Y!nXvF+OBz<?-==
z{n2a`7S>!q$|3&}#<ei=8Xv`R4F)ZT{Kdh0d~=3c^GWHE7BGdA&)VLo{s1TV>;54=
z?zg4G^Y=;w8mtN^Tf;vppIs~=3W!W(8fgH3f&o&eiKFubBrdh@II!F-M4E|Ux0%tJ
zr!%I_`ejz<pUKQF)9@Whcp;Z2`8T6M;AOwp#3MeVH;<TdEz8v^^&^cA`M<I69yZ7_
z!sn3xBm3??jeg{SCM@HLgrAJqv4XetaPc$PG}p{o>vpVUUzK#f<U+YK&3IxQ^=ScS
zovE8%;Ts8B{h66pTV|Sfl6Qy6?e_`0pQBdMxhG{Rm3JR)1RWlRE&e)N%Rey|^z#Oj
z?<ONq%T=@E&v@EMjqJN9g<vqdmy~%n=bw-FEvuL{m0Pzh7fn;6&<h`o+$R)}K4ji0
z+%2WZiJV?&mpNet<{4#GACy)9NnndT{MS(%;n7x|OKpa%k?YDP1p7;a&!70fXM{?T
ze?Oni+6+;wpn4JS@~Z(X&xGASlu+%hPYLP*DZD^FZRW3sBlGw`97Oa<O%-zEUZdFv
z?VLDAwwBmH1+6|zmX{6Il;e+i2}=0`IvB&nL5wa+9>?03F(3(rL?UpE&Cj;uT6jdZ
zdN+G_)Dotg7L}w8oX4$GOifof$;S<Hikc_J@w~>;=fB6A%bYoJqJ51voyQ)Ame7*N
z+yf{MY`}UDU#AHaGkSyRM|PJ{Uyvi<28F9e=3u!A_dwHP3Cj$!6uVNGno-?%c-X0r
zQ>H*32do&7Oti=Wk_X^MqtFn1+43{$pCaAi1ZncLKwwfRR{MsNY0jyptZo4hdTCS#
ztVl8MvWoSR>$hrX8Gfwv*Md_+P(tK#^AgcZ{>^{Szdu9oQDvPKMz<a(MmYNzTy=9N
zp*oKfzR$jpzjGV(6Z#jOog&ZNTKz23&#%y(xu@x;md(zV3uo>zXDeVW{PQ->1IjeE
z9Sxbs$q6wkk&Z-U-;L2Ig~N3v4r_*Xo*<eY&Bo7wKndDRpHz3!51Lt$W&e@PoOyeu
zH`@E$g!vp497z8-raTcBToN*uRjK{{b;~6P@#Jf(7ku({e)B$B-4>O3cl}D+(kEz1
zRIL&zVONg6hqTrNm#&p8EA~HW7Nx@Oe#urzfc<_m>I2J7WBWvylO9Ef_UFc?2rZNT
zKBd%8hix>1UvG-GoStN5Nh|1MST!FPb`JoEI8aw*^yyRh>_&x*_8PuJk&6m1X^;z{
z+*madR5*6PXLqyV3nnHyAQ|;_BRRwF1OqhDF9@>z{$O0CLhz@}G+`mmOW`BIp1>Js
z<jZYnYLYKMq(h(@Z^@|UIoPSH^(ynN<u-u>bjZX10bWMf23)y`tr*Fs5cZZoto^{*
zfBSjGfXEJ`0|m{A@de4tus3v>*ZqWFdwyShws8{%*0=&|h8IXzqcbND^_vqVbeqG6
zC8VmfWVfn`V{u^EGXJV2fRwpmJfnpTYyOs{8bf%lt(IUH#P*O!^JZUoDh4{2WoU3F
zKM<d)`ZxNgEDI`X`I}^3`eMAf2pCR-iognzLr}7Jote8P%r6<wzGs{kmd$(SnuEsE
zs-oTt-zf)I`1S`4yD3(*tQg)JE?P_2#f?sCm=cNIpfxH|G-R6V{#*gS^$cyfTtk8R
zQ_JoNEFo?XqKKq}cy5gEpx7d-&=~PW7(c~vIEZ+&B)c8j89rn;NVVs`YKL>{w~;iK
zj<V&Jn@p|Lha9iomGb;I5mw@@3FPa3S^ZX*Suj%c6L9o#DDc(<kS`HzgiduB@YFT`
zEDPCB>A7s<SwznVc5%+0&)LWCw~g`Yj+cGh*QW_R7N$Q_F(I&FHyVi1GOH<@)(apL
zjtqVUq8~AXoX|H4<u&Ug6%krRg&Kc%!2d6To}dHa`7?t?jd3r#{U6!)V<}+r34ew_
z{;d6`C+_F?ls%tu!@XsPdI|5?oa&h$dvD$??|o*@5dPNB9bgdMeFi@o%&T*9uPS*p
z-MqRg_o`G%LeW>29$rz{R5Xw~j@~1tw)-=tD!n{sZt(K+-6xvL^zy3Q%S*cptHV6s
z1umV`6O|w%_16mi7L3?fPi>p$*6{Ko&#fhy?YW;NdDC<2NNPNH6v=NrcQnb<p8Glb
z^7ABL_1rNepYz;$lAn0)7fAMc?pTslo;!{t>$zu>O!3?=lAPeV<4Ml%aCJ<v2<*9y
zJU!yMF_Jqx_Z*VDJ@;IaXFM0os>wLX7d`hpk|xhZ67?SMxe1a}J-3PE2G6~K1Q;ig
zkYzFnEu+}>j`G}#Na*6lBo}wMQ%G#f(|DqhFOh8VTwIU6>pk~!lHYsomr3aQS4b#&
z1<4T4{VK^HJ$E{Z>$zVe8S1&L+4jEexid&Mc`l&=y|;NTE62SLdhS&umw7I661{sn
z+^b1!%QJZ*mp0%7=66X}c<%Q|7JKeBBu{$owIqu?mq_K_Cp`Ch`>UCx#dBLows|g_
zC<NS%B=>nP8)$lO@!Xq8&h^~ylT7s7n@O5GTrF(amgn&l^W0lW{@}T{k(79@+)W_8
zm89NtU6LPrE~h5+c6ja&NtS!=e3F0l+!V=mp8GE(=XtKSi~rPfZzs9gGinCtyn|m~
z^V~a0ZtHLtkl2>*;^|7y>=Ie#xj*68LC^g+lBu4156LT@`|l)Q@Z6u0yy&?<Bbo2H
z_mX_pbN_?na?kxa$?rV(7bIZdJ`%Y0mn3xdS0o!e_tzx%bh!7E*p?sQ321*yLebxm
zob9>4CxLq0(bM}$&;0|*bDsN0k{3MpPb4Ef_aTx_&;4(b|MuKJlRWIXe<7*!j7M&l
z=gPJBj^{2US?RfdBU#?zE+VllKhD#;p8EvJL!PT>ik+VOB+2bWJdglwyZyF=1nyf(
z@`mR=MRKv{E+bjxxgN>Cdu|5_+`OEG&aNQ2)^ndG`IhIdB$?ac{+-0O+{x4Fp1Ya^
z%B~^#ndh!0`M&2qM?$~Wku-Sj^CZ9U+!sio?0S-`J@-YDsOP>!a*yY3AbHetUnV)r
zb6+6=s#i(iw~ZuThucMBTYiHl8re+plIOlja+>FEA$i(!eUe_!&5}Ijxm!sXy4@sy
z_uOqHj0sJ8|K_<nNMP!nBrxGF5?E_D$qvumW0Soki#y!6NNmeJJpIOV-ytdWj0!m1
zbKm9HFFp4?lD~NFK@xyIMDna>R?5HNxpFl@r4R`(`;kDNVv=^xEg{+NxuqnqWPcLi
z(DHo04!4ZNwp`8=d^n5*>3K8>(o??o8qcjD`K{+3O9BRtvoDV)`Ksquk{~@#AVGSb
zNV3;+Pa*-o!$}YhCzDL^+*3$S@Z3{Lke*c}w&e&<7kcjLB>g=1pGXFH?kDZbkt7VR
zYWwn2B=D&06u9}*BzJi3nIsX<m1~YM@fi}bDCEm!E+BcGxqt*D)sdXs;f^A)Esx>p
zRwO^k0wg~PRM&)gK9Zm0dq{qglaTx*=OXz@7|0DI)F%bto1QBr<tEQqRn5!=`~tr*
z5(ex!B#g#$Nlxl;9TMAef+rB$L_%8^knBeClbnO(CrKjtN#N#-NMM+YNv`zVDI~)@
z6T^Rn=U&3ECp`C35=Ox^l7D3`AYm9@Mlyl9faHb__sb-<<>@@lMDmlQk^CgpNPdz=
zBtHop`wbFWzKUczlAmO>=Uz?nj^}=hgi$30ZlmY^GfA80N-3#iE+B!0zDqKRxqxJ0
zhkFf)ZMm5zXxT#YYa~BO50amRwq}vglbcA8)ZZr=jN~Vwz-*GsJogroZ+Pw;5@g3*
zl3TslykorBtv~l-w;k)nl4Cn!t){8i{6;U98s)|QWxE$+!*lHR+q_t2uot`ImtO47
zZZEdr_g?Hry!&yx7yH-mda=81_F{MM^kP3D&%d4C5xd7$bMHPc_8(_?v7e9kV!ycC
zi`{pJ7yIQ%FZQcnd9h!g>c#Ho`8TxwpWD3He_iXv9(cfu{q`y^_Pc5?_WPGRVh`GC
z9y-H|{de4p{duJq`^)#d*u($s#r}Ga7hCwE7yH{Eyx5|<yx1dqyx5~a``8vQ_V{1D
z*b^^#vBh8XVo!duBi3fCd8);WEi3h6-bG%l<4G^J{C8e##c(h7bcq*RIlznkeX18*
zwcLw6v(Ae>`%^F0$?w(gc(FA!vG&xC*mJg;^%Q%N+Fwd|u?+zHGM#*7vln~yw_a@H
zjb5y)%Zt5spBH<bqMP3EVsG5w#Wp|d#oip^#kS1oi216<NxPK@phw3X!{r)M`*863
zyT)<Yl3T(1WEZFCgx!--X6=j9i+IF78t7zPNg6J_%@~EvNx35_fIQ%@DoUHD%;Zq&
zZoR_ysBH;d{hW|Z<cu^$oXlWC!wnctsZ5$jD-0YgZ*};~3@EDL|F)*5-dEGj|Kpn0
zzptj+|8Y&*-dEF>u|o9!q<8ZD72@eXsHww^1h`K=p{LRtzx97rdHQaZdLNlGlkq!Q
z;)FU2TRejnlcvQ`_niy42(|~mqIGOGm--pLt}qrv5PEydawpZ&mYVvwlWKa1-2CkD
zQ^Uk?u`VZh%R@!Y+~XO0r~?%7GI>i^QOh7>h-Bq<;!~GO)P2sB@cHfQ_vU&IhKjA{
zl&Xi)O^<W(Pg}Z$UooHi7xaBPWmB=2lefHF)N+2VlA>}|vNZQIY<_n5*|1*2mZjs<
zx;WxR?wI+_2EFSrfcUfMlzGCYF@q<m4bi5TL?vKz-{PlQ-f&V=*Qc5=IAfh1vG-_S
zz3H^w>$KhLh`puv>DXIiV{cslsr1yhOn*Y1;e|!v#cja-`8~$8ySuHmt+^x_doPrX
zy%p+y1}ucy>SOPPTW>YxyE1HnOqYJ|Uw}6=x~dS^m0y4(4r}L=?{CLRA3Itl+11tI
zk0rlpgww4`Pcg6CO;DC`Fc28p^Ad*m)Eo-3&j3JBe@CpRuRGzSf@j~~6b)RtyRS<v
zuuHOwh3l5Hj*v4+&eRgJtoF6F3G#-Px4&L8zr4Ht2)U;!w-@Bbdu;N9$#Pa*ZP|f)
z=9ed9JqCwa&9#RSM3gkqkd|MgQ^c`V5OX~o+gWIx`gpk0vCc$hI%DE1op2i~y5h^{
z#cDstL9U-fp*#vlfmZx19e&SyimpvJ`FXcH!{fVSSm$8*_VVbLE&r&^ksr}!$Gleg
zX;rOSR;%eIT0iz1oFZyM0XqCMCR+d=QMN}VAp#Iu00A+67t9oPKY;*OFPzLhCQDyc
z!~3f0np9Yo9L7OaihavhwLwi#l?9G^a~125z5*DRtyg&?&wqGW#RV{~ez%}vH>emG
ziv?~UjI;Zy8h2P#^ZH=?L19&A_f?fVysEmss&-#s8?l%xsA_CsRc{w`P+t5#sJ6b4
z@8ExaSXH|Y6m(F>`vpWu9$wY2`l`D8!>amCUsWyN3aTlFJqjSYqOY2Y53A;if@)6h
zqaz3_>OO8k_c05)%NKMHS<pRbLHB?K-6adUL-28|Gi_KACb(NG0Sp3hw%vgQXWxZu
z2F_;3Payqs3t~@5X?9Y7mCl{IdmMj1FtqO0Hz#9M&0tWCtyQ<oo4k7RhtC!j&3C^_
z-ta<`BzJ`nljkO%P_0GHqw-aB_^a7|WA;au{<DjuO9xGijy<pUfn2{2n6)LjD624}
zT<Of{CY#AGGL^7L-JLD~?Qp+aFVn^pfK4lGK`GZxCS$T?jy=wlH++9*!c=U&Te;Am
zk<?fIURGzQ|M2p!t>dK~H<Lb4-h(y!%0~pv`^!JrS3dlK@){+5<sTe+gz`7{m4Ej9
zzV8<Pb0}|*49XF#!#~L4k&bCB6n2sBlQq}&Wm-=rhg`_U7e*cG^}k*R$K)0ubCYS6
zCR5~ZmlI4bi0mGYQuv7(I89x!9rOEP3T0?HF_TqkX{QW|CRBuv$kKAo5k4DT2gzy_
z(hn52Uw!GXmL|g_Pc*M&zbdjbH>c;_1AG8*7Qg)5ua+u(b21C&8{kn~O3jnyqm@=b
zQTD;Z%GzJ~viIi8nkQTK&V1Rn!^+xU`LYk?%bF)!_Tqe5MSAqXY=7m;N{v=$oKo{-
z%WA>O_SZkGto@ZQi+~NvnkQQp9VI9$-Kei!`zv2|TfVG$vSojfFIx@-eP!*hd|5NC
z7?|w@W2WaBxw0yEiGiM3Jm#m&-*i!`ZE=;dz?S7TaAXQaP&%f<tz*8vW4)Bx*IiE9
zF|VC8J7g_4oJ64oR)v6fVa}FaaA6OHNmU6|v!m%kmFwwf5XeOf^2($5-IPg9-KGpq
z#sRLWJ?R$x+{J}dk64|e!_T~pLJ>4%6_vva&KGl~O*OmB=HO@je}g|ivWRGVcoDe}
zKC*~d>F^@8|EP$#;P4`Hetl#sBL3k;<X-&9BBJ@>MeaGQNCT)|4td%N=N}dxz;hc)
z^p83%6Lg;?CP4R0-m<=^Wf%(Zt$gwC{|t9e{}!mAPN4m*Hu3F?bM(269FBAYIO!)p
z#yk-tEl-tWxKpesdCPN0-B^{5aa&wt=^M;jL#g@-RUM~b_k~I9`|g)i<S?F`eP)g)
zf!*+=`EGgAQ+C6P0xD$zQu}YJ6R=aEX|{)&K8k%LUk=CLG?te7P|gBkj=f_&d1auL
zxdNP&zHy7D*{Qq0<f3N{CKsvK{x|~(LN#65P8PFQk39F-Jbu$%7Eq+59lfPLQ!b-<
zW=78ra(yz$Wm`@5gjy2n9fgdVm@d6ah2{y8%;<}PLVNx-U$xNy)1?gsxoU!3e>b^G
zPv;YZ#_XH+M}jGoo;<P+?|B2;lA14~Kf7n=yS(g~f-c8JGEGA1(r3tG2XJQe5}U`r
z%(nO!mCm)e@Y8)lB)QGDmo8mkva~;XA|1<FW4BO?-(gw+0aiF?M&B0HeZHNL_+TV&
zX7r802YFBp%1Vt`&5WKIe30MQelYmYjQ)D?p(y|1A&b{(!3X)#Z3(OVjJ`Pd@Eq)7
zKUl3~^tr)@$IOS)_L~cO{L~qy#|yOBhz%5UnJ&S->Mz*0-^6sHHF7lBR?dyEA1J|>
z%(0QhR9@fNd{QnmL<;Agsq@MYYcJV0Mr|&jy9H9*wAfIYm(v9-0FUddotdgDii&cO
z=6aDi_R?#_8Onq(CrP$VQyX%e+1DNZmyaswW3Hqr(&7Ix$hY_!VV;5mKBb}i!JY^8
zJ_kh#U^g=mt!gx;%5!r~-{1v)3zqr#!CJv5$cq|CgPgoF_@AaE^+GTE-P@W^{m2}_
z`mcrS9~#%|)y?lq8Lp3YhW||#YwIr!-&ujWR%VW@da{jIHaQ5UT7%fm!^g5yGneCJ
za&T%)?q`n*OBc0u{e`b)CEeKRm*c)<zh9TlY*dCaH4tR}GQ8V;VnJ!Gw+Cu$Ib>Nt
zIT=EE4_I3Dz2C%la&r$(qD6)Ck992|+B^K&21-Co#}+wbV_i2M|NpV~HgHx|Rpb9b
z!I02FlOjdEDCnRA4zKbu=nTx@pffP?q9~9IGZ&b=^Ww}MUJR51jcJ(DqN3vIp|YaF
zqBJ9#1Qi)FQc6=Q(&@?SPD4s%Iz9pS_g!o6eeOAT?g%|SpU?mE|NMUFo^{WDS$plZ
z*Is+=wfEVF7VZ*bx7S`VKG*LZ1asO~EP*uT!yZ{dN)~-q%0D7FZ1O?HCv4gU%DvVk
zh+V18Jxmm}YN7WB3RSZ@>Ezyd>!-_zqC;9}usRg-O?55QyhxZaSl@q%4{?lBa?h8A
zkG227kXRy=7*Cp$!CcssQ0pIG8u<9#mMD{EHpyg)Kj=_#lSsBnxlvLk7Imq-#APX~
z1;+RVy7=aaiPeVI8wI7A_Gu>Jj#SicxpS^*nyo<#-6k2qYy?^SH4~tc7Bxc4yaU}k
zQyY7^tP#Z9LIXY_zt!z{KpxkrJK_S)7)m#49lz2wA>y2hI*v61am?<1t`4FMM>Vc3
zv6qFs<>-CFOo<My!TKal3{xg^>4Wc-Jst8ZwRR%}cjFy~>+PV|=IoU;?T>cDUe}8E
zbZ^CY(+bL#+Lq|5_#6~gs3mW{?YHDdS7dI<nEzQzJ}*kdQoi$Yza`oeZ>o9~2}x_o
z3|%9OPAIi~qGaEq@)PQld7ucjBq!C9zY4_}`lL!2x?V2gFsoiS!?g^&;|DTBiptgz
zA;LDu9}+61ZHWRU+IM0P)<@)6WS^tjO6bGV6YKQ@>N;Dx8dQh-b7&y8*&h3$GLd}(
zOv~@<W?MHZr4pF{bO^#7nMSBq08g@V_G$O$be)Z4&MYNR&``JxvYmk?b^3Fb;4;;d
zzo{?P?JqoIfWKl2&=;@<0<mVbZZLT03x5XB^%*I;MU4CSYU<)AdbLRwYXolk;Kr9T
zw1vA6Qu%kOsF;<-N|)?oF@)bWL<GsI7NHonSODMfQltnsiNuP5Ue>qsJ&6lN3Z+QP
zz}oMd{!X9UeVz%wR71?WENB6g(Ux8CY-dpWu#{;lItX8>j2Q$n-%AT779Gsms?%v1
zdZ)SQAXgHabjACPLJk=|=4~wc>AJN)y`u3pSM)cCI(N%bdM%$dILPVbaJjooxxC98
zuh8T(!pXC3@~TFA0?ix-W7QLPHLTVedZp--t#+4q#+#xK*a|qv<(cZ1DcY&4Eh|0;
z8D;B>4)*HSo?lJV_T){rUhjD*pw3O&wkw<a{0X~Ey6v17je)k)qFZaxb;uDIGUqjt
z`5Bk_hvCd+F7u~N=IbQ$!!GmIaOTTh=H({yWs>;;m-*gs<~O@ct2)?h5i+in%ndH{
zl5pmqxXkC8%$Kg5$wxMS%ItrL7spx#%7-wVXTvPT&J(F6Sw!Qjm+%`&Xi){{_|WKZ
z?xu4%@%PiL$3<9n8X3HHDyvwS-m#U`2Rc3@e@P83GFvVU%IN^nCrypA%Y`7fB^nS5
zNZVGCZXQpN)YoM?lbmh&gRB^LvG3DV7O}C}E|wg*f#3Oo-^KFVX%^!qk&!mSRB4qJ
z!!<u!2Yt%RcuX9~q63U}J4Tjb&4L5ci@&TSsQwh4WRx9taOcw`B+wh$f@}V+EufaR
z#1lwjiVo$3;vh-g#5DBrGH8{&SJE39bpXt;sE@HRXjBdq>d@Uq1%@iwsujX5)TQU_
zzM^jYRg~j|s;d9pwzuWGeo44~vF+|Ye>LY1l9dCmq{xK9!^ENl>xh<f`XH^lTZJ7h
z;}$$AV9EypiR!_sEYYZKi8DodD1E(_CgN|x0X3|Y<G+{3iBBoM@9zWOj}5+e8+<nk
zzKa9+zC?bzrxmYcMril=Hh>Z)OHJF&)GW&#;TtuslPYuz1XVWN#eR_30v%&^3yyjp
z&$4~nwuo&;etVr22KhWNl?~Fe&1Jb7*Ho6Tuq|K3*QD`%P8!RLQdHe6AM3;(X(}u3
z>~CW9DLe4npbE_TuFu7rZjFa;Pfax$Pq=B+w}|ZCs818yW264I&^3x%#HB0YSYn+S
z7?xu)jAZCA18D0n&@rP`s`$zblNuknX|pqZajwB^g~Xl-xKIsBF^Ss}zrz%A{Wrrk
z=4B$gH|7AbJvL^TYfOg<pjvE!_E48dfZrZV$pg~AqOI5nvmGkGwT}$tW%-)!I=4AL
z-*qSq<3SB3I&`AaE*gpDol5Vui0W=RO~Ys?-6LSi^MJ%1@3*FdDJs1WDzUpvT`3*%
zKjG(t`5E~6aU#3(a}}{Y^7EIsTjBWM;-~PDc9s=eehTC{zc|QGA`K&ae&+i8yx|G>
z8R@0`Jb_k#pIg~hOk{Be3S0?W)Qlk8EmGGz@zb4Bxk=C(dW<@=@-fE5AJ(z4H)6(y
zl_jS^rfTJga`yEg5hHZ{TIQi4L?7#sy(?~W>^&qBa+>1$kjV?%(%INeOnYFf(>o$<
zmQx6^RZ-yO!LrU*QIa+Ll$td(gsdOSdBnsL7M?h6KW3V7jOv8jT{>J2FgAAIYP$Cl
z#xULc0w9r#0W7R^qVit<L0n_av-4%#bPh1FJ{xjvE^V7DB5ji*#S|&_i#UOlHqvi0
zdypwGdoU@ZJM_>{N|qwNu2a#|+1ThxxknR?f<VmcbkjWwg=^7XN<2?voVGhlvUR>k
zGs`eQH+4R)YPRQE&<Iu|r)qiq&*`;P_gD+e%23MyvG8>DroALOTj?*F%!J2>9hCX0
zp85czZg-REsrYW~sT_9T6Zc<Wdy1y#Q#8$PF*P)yXxFbzc#Q*1XGl#tl{|z6+*v?n
z4CH`V+$@!S)>QT`Q`sIs;{95gbSDK2hTe!(TAd^{BGrmhIZWLcf_@J@!aIb{4Pts|
z)WCnQhm^x<wUl<N<)=`eSq?JyP$VR6EoEi2sol!dH?C5(V}(!Le%Q*I1J<h4{b4vc
zwBaJ$jMRW|lLz5W&EcjdWolcZaAFX(*{;#T*+vtZ!v4(i{uK65hE7v0Vlmtz?0nb?
zy4?o|v~Qm2FVm%;P<Nvfd2YRO)Q9k&nt)3XHo@zJ?N`_>IuyQ^i4NQPH52}qTYt4h
zc)G10W2rQK_rKTr-&n48_S|~M^5PWBBd6-~PzGPI4N^XTH^Arg6-B~qiy<B#<1`@a
zysysHr6q%R0M*OFtW4Bt`!M=Lo>L3Q1T$f-#>pHdX)R?FfNpGjj?+e+*SO_{#d8om
zoqW_z+;7y;miV+(Yn<9=oR1DO=66Q#U5eJ1k14Hh&&f#Z*i+Jq9#lG2`Tf0b20DkP
z)A<*v($IPPd0{%ko;s29w!|i#W@QT#1#ZSuGxhKou!)TBZy7ksw1a}eb1h$DrfFHd
zD*rbRHH8KD5=aT?T7$)w`?B!?bv>@uHJQ)J3a*Sp8fK`lKG4U1zLq+iWhG~R{oX$$
zDKh(+UKR}qm8#$R2(wkcJ*u(Y^;_o`(lwl$7s9%9kzn$tSbrkiHJ<J<-mlc$oa^gk
zx6cvAb)Li3R&)$bS_=90q2X>NIH^i3BfOZH0lJ4llT;w`-b*U|=37#ys_iS%IYN2n
z+TI-ZPPGmFS8E&RYO{+&=4VfC_z1OO)xgkvoDaVaGanyH-*GX=H#m=>lNQO^slT|~
zrx?r8y#vde56a6H9X`h_x6Y-erlO-rMw9q+4>S#EE;@=2SG-#N%{Eq_#1HxhrSMez
zoMWoD%in%#{dE-3PL55VA-!q4@ju3ToQL3_@oct?o5ZWhGC~GV_q+{z8#!ZO`a7PU
z@x3<V--|S(I3je|-ISj3uirHopV5r*bZ4wskcansz3h4Jj?V?COO8pS?&}uUJ*HBh
zx);+kZm=2WrBU~Add6#P#+=O5$ryq<ciNm&^QS+8o*SYfVEe$fJ6+0_zb7PRe!n)&
zJ3`gY6l%9pl?bAYpVzFJy3Cl1_kihdS?9@~TsK@>!?^yIH9)gzCw{UAT*!VVR5yoE
zr7MFEGmEA4mp_i0<{d<N9P%2)_tx|XB6#_kFsx<VE8i9{W#4zOlmFUR-Xu6G63UpE
z%vQkVG=)L-gx-kePNaNM@{W7AyhU)dS0{HH=$^_15#-4)%d8{g3QzO6yU9qbPUnfC
z{nX+=>}H5FAk^wKR#IZjQ_=oC5h_n?IoqxdR68@ta8BtUACNnwn@U{o#SfXM+7cf)
z*I?<~rDTXtg?9}uGuWQkO&k4#G{<OZ;vT5zc(@mZbQ!IN08GZ)#+M?mPK(4!5bL*2
zfVzZO`=*bmYE#wzJ=Y20ufRcrL>75%{?A}L<kMfW&Div;HbWSqyh|Pl@@~5Hi{o7a
zv>k6zL8!9&P-Q3toz|k{=?W08OLXyPxitizN;0hGB(awmp-A-jqAg|Ftz?P<Hr!T8
z-9AFO-PO4{grnnKrzJN_ISkLq;Y@OKW~l8qlF@JbQII?9L99XeYNrP6LH5wih}@Zg
zeQibUG|F_YwM0IDjndo>cknTa1EyUB=RA$}cU4~<DY>37&2qb{cZ%(6^Z$e6JBVw0
z=MSjF%qv>IF6PZLRqhhul?@sE(%;TKirJ{{L}sd25-$psk^>TM&ry_#&L<wgj7%M*
z54RD7B7~9R=0OznhtE?=Fe8nZL$p6-A2|6uUh11Q8~DF>wZTuz6JA`_=1Q13lMGVb
z>t=404O%GF!}X2E{Y>d^+R~kSAJ7Vv3LOzzrSRR93(y`s^&_-`X6>)J$F^zT9<lEd
z1NtyLnx5h&8{x&^H$>nU*)_iP8jr;=fJ`Z@#tkKuVVxI&#afBn7v5XG%&Z-`<}7f!
z<2UYHNkr`}%ja*JMX&X><%0Z};c31AJv5~q<VKKh%02Nb+zif?lhtQxH3Dj!4Z`2H
zg!czXY#BJ`#&qj`zNGeRw>`d|bErIz&!!Z`+wvES6GDFO&yOjT<d<@>j`;YIS#a3%
zUIz|a9AvmaYBPrYhlQOf|9^@)Yq0the&AK5@VhfIQn>t;Fom11?3u#wl4<EMlT!%4
zBopCT0m2su5r*&sbe|=>hn17#?L)s;%HJx^Ncp#Ax{+SCy#4hRLQiP5^l+aH{9N^t
zEeGBEqy|IQs1#YDGl%Z10=eajrPP3`l=(*`^d@THF@2pB*aclJ)ipg~UTH&->X8k`
zF9!)j^;o0sM$ImhD0#Jt<IH2J<4DB__W_J!dC4+(9zc(l&D$F|9X3}CQ#slt-KM9+
z)Lj0(i?%b*eJ?^^%eY^Co!qo>iO7R_Srd(Ubu+JW$`J=WBBrE&7}7Tuy+n+Tz^i(3
zQ|n`kUh2F;@^o`!s|5_&?@Z;|cI{VtUhQvkJvG`Z_!3F@1lb{S*uMGn8Jr-CP!n<^
z?_#=<UKU^mif*r`vv|)`42KFeNIJd>VWv@h5#+z9NE#^HfYAD|tXbUZh_iI&{YWR2
zO&(<E3A?t$Z%>{OW}#8YB^mrdS0TB?NqVo?72PT7PiCp>vjvW#_ZW&$RPtT#w#0)5
zw+LGoW-$g3)zHBz7^$=0f7Xh+dhwnX>i;_G#BC|gd&Gxxr-s<>^;4PF|31I|PZ_(2
zVsxw)M>iF{%xmPY@XGEyX(I>h4k;-`?VKW!Lz}-BG^s?{f~glHvy!v(yDvw@i6Quq
zfGHpPDs#XlX;dhGVuj=%EBS|-{5P8X3nl+T&CeL;grsJCw`3e<G7d2rizMS1lTql(
zJ4Y@-qzvzpV?`(SdwimRH)@H~<bGLtcZA02$A%!Ny_k;~+m=(XnBS#|tjEsZIH2QP
zbyE24r-_E-4{wK((T0-Genp%34G2nn<AgL3-U(+ADxEq90dy!e(w}P&aCRTYdDvy)
z?t0j?g7Mv!_#qP)v$C%xB08(N-QAXP^Q86U`|fXaz*+;4Ia>8o!YYr8sb*u*TTr6%
zum<8d>G767vAK~H#7@KWV+a%1D4gJyg_A$pUzFS<+!GW1br2^0VcMt>GO81=1|ry=
z@e<ElE|}&I(79F|?4=29xic)mz^q5B)jmyWxojGHSX}^WXZd#C0i*Nzn2B)#Y*cW#
zxoj@<9coe_{(<@O$Vi%R+3?yW+8bnCY%(f<SBKf<VP-Bvl@<xsm?Uom{5y8uYi?$u
zarKu;Hx;GXc>!B#Po41V@Bb7{@|0Lc54<HEdJ4<v`H*EKD5U7mz+x?<CDH-umQk*g
zAzAb4%l9()-eLgl{*aO6pKSwE%areZ37TH{ZzIXlM;xe;W>_g>!Pb4zz$%&^wkrmH
z*w-t5A}zDxhwD(WbnZ&6QX`HgG9e&h?iz8?cl*F&3{7j>BG+w+7b8Jp#I|KrdG>uf
ze&~e7Fz9C6>KJ&|mNvGnt#Xh`Xt>Ih|6u?$QiW8LKLG*}&$h%=#uijv8i=PYZHcQ)
zeEM3^nz(&k_RQFG9rjlThp<b$Vn1l&Pk}wxVi&8h7~&6Di$ShsNVgj7gnWlgxAqwP
z9QiHEtA*28DbpclEGLQ1Hd)o8nCGHl%;Si=CtTPJo$3teQ@oX5d;~^cOy9r*UCdM+
zpXh2k^H~viIk3-=Z%e$vMS8}Ku-DwqQ2n2Z(s&Yn{kF(87fHCUL8+T$ryb{yzMzEf
zWZJpjluAs#h|=c7zsvRURIb4`*FbW0e5yNb%aj<Ow)yF_z5K-hZPz*4;w9907!JA`
z2d8R$)Rahk<-%@sz4^RP{ew2wTFqrltvv@xwoH12-w#kh;AMmnm|)7qcH!bD1DWra
z-^R+l2@(@8auaHrC1oVs*}7K3Kd9woU3^SBq-ETR|B%)`XL_Rj%@avp&eDFxGXn3#
z^(}^lKWAmcdO<qYZw9e`?9^BnBhcHM8XpP@GOpp~d3^eg(~EK(axN$z&xaIPVW>T$
zi#E5++eu@#TVa`VDc&-kLq{5SQ@^GE!$<WHNz;!LC|i7cdgWMJrTFqRy0}HJ45R9H
zB>ZuGyNar@sl3ETh21TmmMg`IoApLAOTaIfmAVlyQ3-JKvf-d;9@{4`J|lhEmN*}z
zX?zak+G%s;foy4U);)XC-N(f5cq}!?4hksVgnl<p@aF1rVBohV1lC-kHPzo~k~;&R
zkP_>pgpsblP@P@ch1NDsuE@Pmm4(_U2$e2ym}}74!8KH_BP}#feS)#NTP`?85{G?W
zz?6PpfWOziaRSffaj@XIJU+STh<YyD(><53QY7&qD3ps<)N?6I#|hGe5C24(Ad9Yc
za1Q|~u|{q__>U952ddlNnOL%>4cEYg)SPB|&9wTMnbY#k1j7s>Wz3vr`XXoxl+lL7
zpSU^R+5$H+mz>fTkjud!Jz=~gf<kP8C%|HDfm>)p*cM2i7lKkPD@k2TU5ah606nyO
zyy5wGw<ym)!@fb{slS1e83I$Wj7hML-+TQj|3#{9D>`C2<jCZrR_zed!>;5xg6Pk5
z-uj{=rbA>2rX6yu&2`9LI^^?Y^gHBNAn&YVq_<1YeM9CBGgHYTmpGl0o;*af&GJwH
zmr4Dj5N}gINU9NM8*!Uv*O}-NXcNW;U-<gGlnt*!gS~D0SLOO5qx8G1v3d++6%h%K
z?2wF1I2{>rmg%1PA}c@oE98jQA9wa=O~3y@=DSmwk8%l~w9JT%U=oq}ILNHXTrM)`
z%tz<_%67w2Hz%5KV}s&xgoDy;i8p^PJRdlGOh9v}ccx5IJ()SlP7lwQ=VLMpnCHdv
z-0q&kd!xPB9?@*Zrl(u9fB$^GAHA65LpJ((qC0OCegrUYeA=%`YhIOlR?3#UXQ+5o
z+F*3q5Yy2?&+H(-{lRvhR9PE1YIMeS_jT>E?e6-iPmQ)aq0b==+r}K)trbu1^UG-~
zzL$E|R(#n#(~8%GBGZZmA|EL)VK)s%?q{UUVXsyZ6u`oOS1Ur(yD%b;$;}1adxeHz
z<K|*A9g|^w7Bb*=h>m|6xqOe-yA~Ic>^h28{R7d`(ce1H;6@OX@PG1bu69{rkcz`Z
zraMiQySj~LJ_e5M28YqihhCSaNfqW)a?7~S+A4}&6}~L#c>JtPiiVh#Hs>WSr|q4Z
zo`_MN-yR}ne2|!F-H5ruRv{lN)D{^DZnqOgzZ5Zl-fTGYpv$>_uZqU+c+SWfP5s%E
zLC!p7a2U=!_F6h;zHh4->8fbag|H)Lt;~OhGmC7_-jXxi$zs~MPQHt5iIIMzT_@je
zOYhGL?X?bY(xZ$>&6;l;?cK$KqKu?trq{Kz^1u*an<UW(nlvPpB!gd);D{!j)pNae
z9?m@-9lK{aO-<Z!6gHwu(2R56CtY-kHF;J@sR{}yIuR^ZsXqG`9gOBaFgFk6I;DcG
za~f96C7*<{?}Mnj74xILP9kKy{ep~)HzN@bK|~L8PjJSnLP@`)6;pg#+$$6A4e9i`
zH}iD3m)VN>=bwG<Js{oTrX<HbBUz#_P%YooSwU?}p5=U(|2wx^>!nPyo&oD(b*d+e
zzs-={{Rd<0?E3`lYnk%kgEZyE4r(^}5g*Fg{P#%yKbriTP5w2K|7$KkG~GC;$B}SM
zXkIQfHwFFuXRv5szg8()C^fupY8Y*57$-FpY7NecwyiKH+`y_Q-DsV@Mk3E}LRu@9
zXIYRF5hr`3C)Bs$&P~Z->)W*yp4Y~yro7?<&+G{)ocKeO%d>O+dfW0RAOL3c+7o!4
z;*q5!xv8OZE0*OGsEXZvnK+QuTR$#f$~m+!QI(K|jqBfcrto^jYCR*ZKTe6iu@XKG
zm)yp8_z<-r;|Dr8QY#{{Zw?!;BOb@pHe{U)Y<zg=L(U^#zb9Yhy8t?^b{H+XQnW*O
z_mXoAh>c=mp``lhF{6LMq+7n3TG=i`jPAb%0`xaR^42+00Sr`ku^fnom(XL7{*{Jz
z%Eo?bSMp`y1rh!Vk=|KLesR#LW5U%k-qj+mP=l_kRa@IbWgEIzc9&n->9*&W@7SIp
z-K#j)ufnb?|AqE^<Q*$}l-8y(?@Ph}Wu9w~Uz<5A<e0~oHvBG{%Z`q8kv&{xdg>Cr
z`}4?Jd9R>LMth~rrB`tNCUbXQ)}5lPo+*<4Y$|=hQG(!bEt;V!)uqFJWV$p&+%P5X
zg|!%QDiRQ=GWrX1*r7{ld?7Q9_kb{sYj;W=|0>rG+PXr7b>rI7AVocJ?da}q6#a^*
z9w<63uFc3qT!3q;Qr)OI!hss;|99eAad#TWrO{}uY;_#Dea;MVvVNc7Yb!3Mpq)_C
zmiUuVFo&^;2B26kZ5FCHcOZIJ*GX-O#4ZsAnQ=@m)9V+Q90z<o7r)WZ!S3+K44&6y
zDw2ZknmoIc^|&g0D*C9r!GIJ<rF-PK3u?3TJH#B4n2XP*xYNkl0sJ>N8T=o2_{qGO
zrgX3?Z7MYFnPcf#YVs-41AQgS06uA)U);<`-`bMD5dA49VKn`qr0bGUA3rCL6Q61v
z<<d81C{OicP#ebjPWQF59m+|?{QkZ4%_n91qgg^j(P3^;kX=W9@j9+{BAQ;VesG#(
z0G-w)>nQScX>MUx7r6n)ghy|`3sjazjrT|*K9>IYSftu6s`a#5kdXIWtrk_Sy?w3a
zVzKPySakpWnCoqm%k=gYCWk9{d?N+Gm*t}Q{X1}L3o^`)>Fy%SX%FoNp>irtxpKQ9
z&xl#exG&gRzHz3Kr@gVjC(q<E<bBlSa0O$wV4aJGys6;s*lVT3a%h%w>U_%RORb?=
z1iK0EHA>N#1z&w!Wz-09DteU^vQD76-$$FsVLENcCuIh)DH8&y&+mr%#>}WMHiZ;f
zQvlgt9_5oO;v){9gP7boRs`18cz{fHHQ(|(V{_P)Z>LfkNJ*T0MJ;4;S!9$q>Eit|
z1Bq;4W%PMKtL7PdV*Qf?*qTNJ&EB+*Xg#B-lJ-2s0@9Glj}SAM!KA|Yqx*&LZ3($O
z)Cps?5^RiJ$z^)`b0&u?_)%N%BQ6>wGP~O9du-WJQP&I+TmMjtW^$nZzdVv@FudPY
zWC(x#K0~<L;ewC)UjTQo{%)tOirZkN){m66CC2_%I!YSqjI<Z6qL<W|{I*Ui9?#R+
zS+-dy%ke`zT+b!G2ZjfF_T11<ZHZ@(*jhrDt*k(HQ)70JZ}=&C?p^qyt6VAFth7kw
zQ0mS;jse9f>Ykmk?#md?zRgMhav#L8jYV&8@x&X_HNi_g-cmA6Z;DP7P9u|Q{IaLy
z-{hiLoW_(^kCX;XEIOtKO+K`NRRlXOvWj@_!vdxp0VFOL@*GOmJtEz`4yD!=DcZ6g
zx3o$BnbTRJJ*-?|VAC<N7&aEYYWRfTStikm92xkO9J@KYxVcaHy?E_zb?Mi9SGa5@
zS^pX<G`Z+Ub#U=>LeZ;@gIs}=J6(aU;^Bun&($kuJD&k@Ul50Rsttn^XzSE_jFyLO
z`Mp`KXxp31dP~m0Ej^Nl`|1X(rxL;Let(a!OeD*qc$~RWM{xr$@H_4a7G^LV4^Gp(
zLmZq-oNnI#wS4Z4;+BC=T<W)0`DPD!?a;*;t!>N4&Pd~9%fRMTDR)1Uuk+G*#0p<|
zH0#%49!Wm-GkTC@bC?pjQit~YkEc8@wkKIFXQ$m6l_@5-Tb|+`V;oo1{$NySOVsH9
zEAC_0zb=<;XFoPX(&Vpu`30IOteb85gZS4^S^nbvsrqgEoAV=1y3#0Gk)nvax`=l<
z|Nr)!*0TH)4BeK21K*!6vk@7UtulQXsmhk;9qu`Bg%0wZ^1e9#R@m#Ky3gWKydT-o
zt%m}&RCZ6b_A9G^2zZ<f&*S!^%-%zB@QS(ba$X(C=}UXc7pIo4IE(BtwRCwt-JIca
z_9?(|f75&N50veXrP!X{j+TL+OC>7r;Q##;%jj1m4MR}-%D?qz)QjD;LnivVSr(6r
zmY3fCjF`$T1MeCX-e=NFNOTN;`kz`QC(6shJM=HBk$qT@-1L%~h=VW@Lp$^>1K)4(
z%B<kp_ch9$vVHR{c{l&ETl-{lI8z&S4TOZH(Ljv9nfMK{Kw1VKd2jkaD3ew^B9o;N
z(fRWHmDKZMdHxj7-Fxs8-H>VK<=+S+o1c2t%8K1Hh&Mx4PaOHU>+$85BiD09Zc3*z
z(#*W+?*0xK;Cd0WtO?h4{gA>O40Y7o(UFmhK}lw1q(X9+SlBHCdk^&a<}kV3Ed&2_
zfuHDlx|L!*wX2&XFMB@Ku6Lr(rUj(H(LmRUkV@@s`E#Ykes8vn%U@-ha@IdgzqI8G
zLp4Wp*>cIqam`e#gs%zr2_CFi7S((@XYCL&a+23xy_8yPeDd3J>lz0@p3m4`qtVP7
z!mLipDUhmdfc9d`z(>vx^U(UB2Y=m{r9mQy{Zr4BY)c&fnoZ~T2jA?O=e{guOUudp
z_n)VD?zq@8@Gsq{(0SoAt`<wx{q7k=gWl@7)-O5<&bPI$4b@sl+qYx+ZNsA55_AE`
zd%0~zJNHPbwxV6@4BQKl=K~fVk_es;w;R}g%)msKfyd+o5AMe8_pX%l>s#975S7<?
zbMc4QZcpMAaj{~ZcTU#WWGYq$K<6+Md#RsSbZ4hr3=KB<*YP#}$RmSqOL4EFZRYp-
zt~25{^XJ}v9B7MIbgU!S`mQtML)LfoZe&}!dYkxkwy$r$e*J-UO=8t=+c=>3iR$fV
z{kv&~kmkat_bS@$XCLy>Bj~|{CqoW}B%q0#_Uz|>?^$_{e6N?z9YKFFXA0j^7FWic
zk382sXFmPQB++;%^uFj1Sx)WVFKlZW*8*c$VSNpdc;Z=IVd3)PhV-nDKS{U1m&06V
zud5{Ddp9ux#f8F<#1F_Kj57oJ4r)|z{=(p#XmGy#A#he3oX0rse<*AHbF_o<$0)1I
zLzYZ@ie`ORKk2J}_nuF+8)j1N`mVF%%k`D(^<C%0`%ift#PNIdD=+JdUgdS?1QAG9
z(J|@8WAcgs?*QB(*d?xG9>03Zcuv-Rd49&x?w2;Sn0Ln$pL^?V>+pjQS>Jh*CU=}K
z_|_imm37}XsaIOSI~}_A%i8cpD(Vay^*a+KN=I_#{ixCG7p&haIr8>2zDwvlvvV=1
z{7ieonI3nU%#Ae`Q(7h;(|Z-+`l3Xy&SlC2{kgF7b|Je_j#CJi<hwsxid!zgA3`%)
z`h4PU4%qcRgZJmxuRY3}_Pi}jOXY209ZSa)$)FUza~|m6TL;`7Ib8p85vokuhnwfU
zswM_M5>2{9MQGM{CD&fcuHa29c6W~vKI6Q;N5GUkKw{28CvCl5)`(;sYqGwvR<m9v
zS+i|cyjqBkI#!Jc@^0|uRFNRlZoR6wWn8N%_fJ6L*iZ4ebOt^Ipfihn>P=svd^fc7
zW&{g(cRN*o>R!M0Rr*<nhfB`dAOa}41A?3PdZXM}?RQ_sK2Dt3dADSeUQf%P){~~Y
z$$#VN<u^S~{tJaJ>0AB&+>k5OVOv0-C3<yCGV0$nGCnwz^Q~c;Gu;*5S4(#O<N?W?
zvUPH0PDYcoyZy43af9uwp8FT1K=)ClySKu4cWG1Z8tubhuB0z2pAj=v-dw%bl7ZhO
z$5HecXMK<8=j>klZ~5F-qwAZzJKX&b?grYd4cmjAp(y94P?mN_`LsdlD$Bb=FK82{
z<c)~Sz|@~3<9?l!((8=Ncx7lkD4C0|rql1+dk+^2*#}YZrJ~T<?aP2qe@O>M!hb2p
zowr*aoN${;HwWijIi=YmXD+$j^{ZOmPH`aK9?&;&qnBM&-sM^Mm8YVd3KBIMoT}j&
z7csQT@V59=6|Ks;?;;s+riwG|X!w!j?zqZ0=cOX9%n_|$bolYff&daPI6!~8&#Wlx
z4u=Z=#gKFuZfz&uA*R*CqO2uX-m0t(_J(qOyyl*vE@k4qa+8$ABF}uUKI=P0t$e|!
zSJ8n^F%&iX;#Bsf;q12tvdgWEnms?2eR??iwSnyYOq<6;_7l<8-b!vqi5Wk_0mIiu
zn=LEAa9Y<+UF|+=-rldQX-C{S$|h1JZ>fovF?IaHFuXm$n$){&m&Zkd^|iKZ?wR0z
zPP|u+TS#m=TX+Yp=@8di_d3*TZ&Oh#bhr2F{GO?(O4ZrsUXAc{-WFtZ8%PdV8GRdL
zyi=tAfQYY}KfZ~^GZ#MSw%7LJmceIqTnZ-aKoN`eYj^d|`o!D(YA)KvH1R}xZ{3XP
zbL0Dl=w!kt9YgU~5ns$KL;Xm?-)!|mVG`5*eP8d6=xtrqQ2;Uf@zcV~C(=;9LJpa?
z_7+ckLQmD)zZ$LcF6oq(al27BOfqMpo)WK7Jgw~4DVz1!1&|YNb6U1FwhG~m@}TpQ
z^+mgSb;#GhC5rD<`WQ%`-^-2N&d-y9qne@jVEZJ-icqZIx7_XIg!X%z4mFh?*vMts
z`pqIyqXVTu7nufitk4F1yq*SKEd20q{&<}>?jCG%J!NuD7G?X^KF!7DLLz-K3XncQ
z`?wUi)D-xnDR8b7*e?ahi7Y49tv%?)SMX$~jY59P2Tsw~GNvRJA>`8rs;`TN;A5B5
zxsoLiKZ1DnWYedY{;Ej%bEp?*h8*I?Qnhe9Z?gEQO76t5wW^{u{FayrPc{az9P~4W
zE3@0Q)+bWtTf&Dp?7FwG>B+*T(pFgBbZBEy=pzv3N+QI6+~m8As+;vky-fR{?j1Lt
zpY>RuYgupWQ`UwS<X5{bo(my{)$w86<b6QDYumV2Vnvd<_ad2b_c?1r1EXs{pM2e4
z^bf+Dgtt5?-GaH(qPK4=hI=j%dN8*zKlSQw*@2-s`V#luTlv&`1Nv%z(d*{LRCcV@
ziR7_9lwzkvWjXH39;kd)T56h@caASudHovCrOIA(>ET`-52f-T3$*&di`B{qWNC!P
zb!%Vu;v9M^I`nu%N|5pMe=ww<1|L>{)AB(+C3PW7r8mq)=Z8#-XM(Ha9O}u)sj@GS
z`nnjfh9ei*Mj>=Er1uIn)1P2G^m05qFO@?MogKE*x;S@O&*iyWrfz=HU(cC0Ko*~3
zwinGpWskf@2d!Vb&5YJ<I@B7krlRfLUcP73RJk>psd*Q_y^eRMCh5L{>`B@VvMuH)
z_ZCi3fXCR(Tg>(mPyJQ#Z*R-*D>x)a8>bNL&%)-#vRdEXJio61L3%Ng*Mug-QNaE4
zMNRE|W0~lwB9Qh%`fL?Wqb-{`vr*P}{o2i*e&%!=owXBGJGEu{4L|vbK`i5ar*GQC
z^8$~onPke7R5SI)MGd$|mQY!3MVlEnN<BAj^lF~BnGD;E1oVGHWqzBo^%T7PBUlVC
z_wY+gWNrA6`~;nnoV6il9=B^HOrvJZeMS^%6SEz2B5yBF*GzoaL8cPi5$pF30yLLy
zW*{FD=CS$SRJ4uc?aar!>|Xh&xHC^#b$P1XD&04gEas-4^lOT;HtaPmxAlbcHzC7L
zjt47+2cYnPS*WjRU<T+TLenztfjR+G&PC59_C2mMzyTwDXItiW%7M58>cMoEoV_ZA
z==^K(_%meuoO1dmoO7?uc}`kRmYJL399k;SW4G)5_(j_~KBOa4d1P*X$~O777c?C*
zgizFb+>L~69<=v5dqV)s4Sv9=PvXbYto8dA`yXs(&o9ET)UO(_jVW(F6q@@Uy2P!y
z0h6Q^l<U{N;oWl<f3xn9dGn9Vy}O4RuH9a%T<ZiRKK^6nn)p7&xHX?Un5)0?=ju}X
zX`z;-_J(tu6{IIK=G$GuzrTW@npLD;Cv&FUT(RC<@T2DA7+LdTOOUDEiruB6FZ7YS
z0xp!^kYU%QN2SUt{q?TVK{D|nM~yq1=IvlTuvf@w<|kvx43*y<)1ku1l5e?-L1@RR
zm<~El^WyeO>}~W~sO(omWnF>Pdb(ByNK2nT*9ejF@^PO(n4e6qeO@s?IkeN~CG)dg
zkvASt;!+o4{0z4$l6HwX!~ca=SdPWPLHq~)B&09e+cATYXUa0p<b~1Q(oB)k2VL1R
zA`*9`%Br4}vgi0^+tbR<Gi9$c?`2(X%eIWWyh?DtlDHJRz#J0hoGw_j!d-)avM^*6
zc6^seL)YOn++uyxri=C{U2Q+|+w_KQQzv8E*NymXK%@57vs^6A`dB=mPIGo&BgZc@
z7c|vcye;Eumm8W_e$%k5^Zlmg(p1fN+nN!Cz2?FZ)QIRH^|<ft_%e-=OPj!?%^yus
z`x-<WypbenjBw_CsiYk?X}(Q5&ZkLisRz?a{VtWX!X`anOYKi3El4Z%tyEGzNeuQf
z9qhVuEmk%|&5Qt?+}oQ<LoXS#=9ZU?MP}4idO>^{X11c?e7o#-`YigB!4VMf(Zn3!
zrgu~NKv*}SCsY<Tv3+M&Vqe8=O^NMZJXcGU%6!Pws;1klKU0aFX@B=#DJtW6ml@A8
z2isAYYwEnTxe<z4OEv4e&(wYFaaZGoevM<KMv)Pgam_^!nKKFhIO;cVC(V?>vWvS>
zCRiR=dd?R8B1}kcbaw&-gAyQad12V+@U@sGe^0d~Q&G#fGww8rn}4khrAqdD)zzU)
z|M_O3%>@9}QphwIO}ya)_EBgJ^;3>($iG11S(ZfkR+%C3%v5c8*EE)5!tN9;uI#=J
zdtSRZ6T8{F(AIv-M<s8`OHo+~c6`e|h>>$$)_vEDT_CudOX;|IbX=o!zY3VV8F-q!
zmNLp~G1`RJBmCMY2^Q-+`sgO<z5R||DOGs?Uq$6)ZCEG8ZRSTmMdn^bJ6&$=kLN@l
z{r(?nIfAwl*NkCKqnu_EW-Z#;@ndbCjD}3Ca>TCda$IjYt^8$v{zc^9lMm5}ZIAhC
z^1+vd#zkgP;~XpMWe$IH?;P{CsgripaLO(VbjI4lYMXTz`I+5>z!!OhN4w!`vcA%r
zeBTFuYz+)s<U!uRz=AW<#*059B1r%IGR;UA=4mrHFZ4>{w+EH$?V!SIbknKp9eH~7
zc1BF4Wwug1oRrTysvR3Sp(H)%gkjXjgaR56G@<+(y!ML7oolo3^LaWW@qzEF#+~oH
z8ph_xN8=vA=Ag*DT}`ErLI96#i8GF96RAN~Su&(0X|GYex0$o$dujMyjOj0ml#pl*
zaQnq{dCbep+VBFrG}H2?M~zIhjN4Q${qag-qY(|mNaxxAPtYZfpR0>eaoe{C1pz9U
z=bB}$zP4QjVQ;5c;~6v2|1Ohep<TJ)HH+p!L>&NIyEX0~`wV;*D?ocSYs1%!3|Pcg
zNXU$kbZ`(JW5IC5j@p)SZBc0yH<~dqiM0*>y&byGMn#&tbgxz0eKA+yYJ#fpvQL1_
z1i1-Rz8At+iTDjQjkLsKtLV5t8)7@{wIB6TQMW$&zFIs`a4SZ-c2r|F06!BGp-_G}
zJQ4Ph=0g2?S&o4){BrtVzvr6*_e(FX-<O}7xtX|g5hG|bZ#bDZVtC~I@vpR@7~3y^
zwA~PYp&?Cr9dejuNz+^I7=k*>c8Fyy;}Z-Y$`ZO{mW4gKSfv=FPORT{l{lU2<!4@=
zP6S=5-2~@h?OyC{nRm~&4gB)oIrhzOuj5-1V=pJ8E4ciiW!&FBVAych3(7Sr5=WY?
zXr%p_cU@d%jyiFjPzj}<oM7hdwOWuH&pP)ip~`hgg6qNpNC_^D98u>$lxdf^TC_3O
zHOfgWn6$T-u9w<VJ3RSt8|E|~V$dFFD&0pu<yGln<+jKY+E&|hnQhPb=W(&jlbqJ^
z^66JK?;&bsI-nCsD^-PQJE2nSDXR_Mlw<SS39!_3LQ9{gmq;WIu9iN}nV)nsSQ?LM
zEveaT7n773b23jO@Jv2Z+W|NyH72Bcc!LLQe0hw;rRknWBu3mq#Fl>tq3fkqkZW1-
zB2!@DFO+qMy!aTY*N8;6p`<H~l94_o>CR5+&%<J0NeO#WT91PNY@?tTAL!>Ho?65Q
zWosG0&n_YF$#47Q9rE}7(|akz{`czLmo!LminVHRIwjak?46#v<|k$)s)~96tLwC`
z0hjiRX;H-1YrFNOo+_4`yy)G0{c4<H2M?*9Iwrm346{Y7CQUER$DRqbEKdfn?ji}d
zWSClRxklzq(Hn8!sjfr8y8imQtLvytG}0HL3V&)0|L&|jRf|HkH2byOPc8e4Ub_-k
z>1CGsyek`vv|?oaPj?8zWeqO^Q<vQ=<4<1+1>aAM8_>PSA+m9Wyp#n$I<6Ax4L9;G
zOX2(6zlcxoF&2EkHseFaLpGXg!tFv=TcYGSHy-j+ydP(O8c*-nF^bKAlshD(d-AT)
zuixp<>(X6V@dlUcO4YTR>#|1K96s$%%weIT0>cfvrb?qZq5jEiqdBK3;q-3D6#T)G
z%W6DX87@cVZAay8ljBbrc4K8tW;9;zZH5np&nglM@kR*Rk3KlSh}xpcZZqm<8&zzv
zqhh6)JNnp`I2)yGM%4C{vTIju!@$BtVt&$e*;*1mR3pkAjCeGCV_>J%PObQOF$U7q
zP1c4Bj4*5$Z&bI!4Yu&T6iz8lW3>zATM#&*UY8gcG}`aau+B2ptKwc?wC!w~yUmM_
z7s`xU<VM*vIxn_W$=$}Lsx(q{rjz2Pzu>Z)=|1%{ct$n7IzQ{o(k=JPEQ1qO_fobM
zH2vI;hn905U5Hx_QkB;8jRim(7HxB7KX5N5&BFafd)S`q^D%PMVN8Vc_6VODXcL;(
zO559|H3dy?yMfl0cv{@(;;hxy%KT|tEAuDl=W{Ac8FLDQ`M3879-T<P{4EUT5#Llp
zN45dYnSc);-Kg}h-H0HrD{lJqD&(}OCC=YUc1?9}0Yb!4@o9;q`gO+Q$^Na9xQ-ag
zwj~}qq|aL*d7T#@Eg4M*T^T58y=pDvZdqWsR)^}&+(+Y#U=Q_6ZwZ?j@3wsZ8uOn~
z+dq_L==vW^3ovn9xl$;+PvY#bSS;q7i{b4hj6^dsHoB3qzGz(^ZIxUZ(=zUnd4|-s
zXQUvFm5W1K#%;CHdNZ1dUQG0THu`gtTUe2`L3c<UJF+&MBV?M#yz6u&yH1w<>pI?M
z{5Yx|m!JHN5MHz{5byJFvek|`%ub9)YA@O*J@E!gr&+tOxLNxX`(>R=9MfeGy60Q9
z+r$=?hLu@c{5L-#mqquhU$Tf81p_nDu*Yhq?Mzrf8tUGOhVPgyL7%4QMN2k08s=LX
zZVk{dPiS};t3MMBg_ee)X*3)~TlUC@tJ7$h6{2CWrQ!JlDL(uhD_BpS83~u^$4a=U
zfBA_GeX0FvCM7+%cdS<?W!Ww-W*}+3I(Mq{hL^qbI%k>}Hnl@<75m$a;v-*Y0PCxq
znldGo@?<#W@>I%pQW9gnM!^s7lhN*0%Q6RLi`nhI(y{0$)EiqAF?!!esCD8~S)bes
z{nzSeZEz@{D(&9E!|=xFP%>wO*NtO-dY$jq&w1?7jdhk*@(L+C*K7X~@%;A$n&h~t
z95lth42ts}k|P<7{nxEM-Y<R@f6oc;sQX4}Zu-JZ3~+P4U_J_YhD<{(<DR)$z?7E&
ziKU=kzxIV*jq_=so*+m&iP&d0Lr)K79JWUZ`84b*vF`LJVefl}vkS9Wu$LO_F@ya>
zg1s-;C8s%G?8@|Nyv|mZcSYmiX1P&8Zbe`@Da$_Ey9{?^$9i~WvWel{&LLn)mGx1K
zUsTSE=ZjLe_{he)Wawq>&s>v9&Zl#a!0}Xa^E@7&q008+UeC}=8_&=)>a8Y!DqrY`
z81gWnY3*^&0dp-#ug3SSUwi!Cd;5bIYM-K!og7d--uZ45@jW5}C*C7;N*8m8+~?)L
zeNbfHK9JV#;iU(6>fPpqmM$n{F;q6le<x1%#`FzO5}7IA*vK7s?p-W*PF>2``?Ut4
z*{xs*R#KYt7rXp6CgZyf;WWD|XX)pvZZ_p!Rr(<P7yD(Xx}(My-ij3bK)S7E+_Q63
z#(oD#obhFq0@tFxO3S>X=BwJQA`>cD{CJf!s&Hay)}@7f1^3n&O)nMPGNb9uf_Vi^
zCkp14v<%z$a>Scg+%iJooRZ;xpj-MbOMHGC_@6j&X8f{Izgapm>(UJ}%)FAO|1N2I
zv#{y)g5(9<!2DFN;)%a){4)ct?}9}I3kwz%e4yZtryfY<e@X}kpX89=>Hm6p%ua!S
zm%iQc&8JWH?t4bjgGUz4Uh%P_`uf`XoXCt@rcaC1E?wFXjYn!52}>jO<u%Kqk!%w=
zC3n@Z+zGK&Igy5{yQA)Dct0;#zM{4<RvD?OjYsOE<&}}8Rk5h7nDt*U-;!8u#hr>M
zQeD+hT^_Gko-yC@@`mM+K<0RDZDdK+vXPQGQdk}@w-ir`r2bhteS9XL5FN}FiFC_X
zER~tY26JZ4mm<pL)qJbM{Ah?StB%&hBNesv^^JA$Xk|a|hFP-;z3BxrO1yr;@=5)?
zVptWecW6=#88&ikLqBguW%m@xLuXJ~NpwXt78%wpPbwvnJ*;7P07XA<Ud^2~wJU49
z@ncJ;dJ}T_bM0vUjFCSR$Mfg5qB-8oSzf{H(utA6XhX%w$ckuvLse~!K|@35_w!0?
z8)?|gf|-Spr40f6!=O2kHhWfNWqnmVs+rQ#=H6P8Dw~#eYbu4d`Z%W*%r1<~DVvc>
zm9%*c(a4;_8PmrE=ujS!HVsLn`i5vU%p_ONVGI_Pv^j;5g1Wj`RYiH+Z@I%M^%Yjt
zM=Rn~TRP1zsyGdIBTHlD%lriCFZzD=EN}L$UU7L%Wh@$rmoMROKrRhmZ;IB}(4|s5
z$ks?dFLGU^AQr1#8L5meX$;_&T1lH;TVE0FA<dMlsjV4N9;;hkUej0&X|~*)<>mF!
z%1B)~V_mwcss`LPt*pLk1!I_$y85bG5?80n8JyMSRW;eeBjxpm+Az+_=!z<6s*Xx^
z4(IH~ni_3-ZB3*h7LC>g(&p4fE2_$4QlhqA>XLsJXF)|pw4os~t+qZI8EunXTB+ub
z#8=k^2Km&2IYs?EC6o3wtZs-$t1HT5F~e3*acB7B<)~^HJ>P?0s4rM6Lwodmt<0gT
zs)<K+OxsR!qlyk_sHm^1i`Uu_%{XPWOs$F|0g>!RBOSv9tF$Xy)WL8sTNJ`@&or?L
zx$tJxlxutSAr&8)Q@$cvDT;4KWdpjy5;qQ2Fe|=1S|7QkyuL~$R&xq*Qq8E*GS)|3
zJAuCwa>tey-|dYaKS4mhqE+!|O(hIkZqyKxU$v~JJl<FzV5PDtl@KvxyG{ruXhZyj
znbW2fM~W-!BeUleL`rKb8)J>iFK=dfbvk;jW7x<EkUKqX?6_XiUho!F)K=HkBMZ^W
zMc#sj%1C)#-6C&xw7Q%gt`F-fnx8us{`+hTj5onLEY^6_JEoSRK}6z08qm;V#_ODD
zy$ZSME;DjwM;l^Q)pR+^Bf2ag$w-mTO9%IzNDk)UZGXZMejg<qC%nN6z%LLUB5WYU
z2!({PgbN7039s@J?LNY0LX1#I7)m(KtE4Xwb`Z7_HV`TagL$2|^$2xwTgY+XLBbKj
zQNoq~bs~A&A5J8*34;j(2)zk1VcYpSy2=PfMCW2RTaS#~T3=hUEOKXb_4Rh9wfXDn
zYnRoRS4XNU{i!{i*($jDXe?Te9`zYJta7C2NUxOcL<dD?%!-s(R!Tn`aT0dxWM=Dg
z`5NNLdqpa5dOn6oM)gooR#q}&TEW~Ivt}yBp7PDPZO+^x#Gt2iJDoyWCDsspTNRHq
zxKUb_nslHm#xV8fs3HnxvGX?>R_SOJ?t5lDGt<<I?24^3qteXtk`FvaDMYGjme#uQ
zrgEwE1n^9&tz@!^LRE;J#{NMZQ|aNc0UlLdsr2gdRXR<W4l(JGYy-9FO1I{(uT87X
z+FPzZ(!;fNPY>7T(tD^+RpL9ePt(IShT5m;;TqqueM^{$!sx>ML@2F+>-UYTuP|CC
z3b&@h&2L7Vpr}TT7Xj%>RZ(8$=f=kBI!2d|*B1B7m-z!QoW<Zz35J!!YQ!Uyaae=N
z6G)F_&y21dQ#eQMNS8jXY+i)<nwcY*D)WsgUu0(alF^ZA<rT|Qb-45yl~HDT)P+pz
zZnmT`Op`KYc?C<CR@Go}M9}MZ1}JptrC1)3_;Oun1gsOkyb2?Krdb^vu?_N{i_7aP
zSC-fN&(pDV$Rt+jG?F4y>B7c3Z`$11#>~Z(&Azq1s%TYRZGAj4quPL50*0Wb`}m4$
ztD~jSnx$3s)prc5yhBFQ$R$-Z-pVD?$D-mIuplumh2(fGtsXg&m5u6AT|Y^ds+u|$
zV`d>`Qml<8i?meI%)-(FZ@&D&bgHOZ?aiBc)67}7&h+|CpE0`>Ljg<9*>6r@6b@@d
z;!<RU($IO+YU@^`KI6-4LjtEJnXZ?@mVgxZA|@eZ38WGNJ?SblJ!R()VONkbGRok>
zit<>M%nts%w6vV=QodCf3txC-B*)^biPx{LtHn@@$V$eq*NwxXQ2MA*E`v*t6a;4<
zN2}9A@Me}SmR&JFgI|75w<V|Map|_b(m%Af+dA>a##kgWJ~BFY)C6zT_(|i&PZ~YJ
ztE^wWs%k~uos()N#V2`gYW8X>Dwgx7q0+;8_Ttr*UhM9M22WV&Rje#uLC)yX2CsgJ
zZ>1W6Vp6CtuZVkfF~*W7Gl^Fbt&cZ&@v1w$idszE8Xl^n@p6NqvZ~%=#>YkAF>NoY
zZHNl2TDsb+FJI|3GFqj#yoTkqD<vBk#UfW?kXEHfPzbpVs~gDT)z?-pZIHNFRYP1K
zJm`(p*48z6vD#&|US-r-dle`u2#d#}Qcy{*Usj`)flLj1PgZ%AOBBesojYq*NhG^s
zc%&v;g`Ufapu=uxTs^Yi)W)h<Tx>NFn11sbSo`SHg4#M6kTMV#Me>A6*Y%raq9*l=
zL`GEQL`IAdKKZ>phqmhQL`Ij^jwDl0|K={QYKZVZW;%<6rR9w=W@H`zQfdT_l@TLs
zhZqzX64E;notu`z9IfYcswj^&)b><Qoz$b;bA*QKSy{zcN8`YEMvp88l{y?mBSz54
zu1q9y6Dv17M65<JO>!cYwKZ49BaJn6C`~PKr<5?lGDU}`OcoW$ir9?eWRghDxk7SU
zc{2EKs9K?hp-7n3bDDFt%_&&SzgtxN)HaPaL|9leE8EpegBGFFM~q+{nj*Z=v@9Ym
zrJ49oYU|WVBXrS=EFy4SiTew=uZk&_5l*(Js5%1K99mEvt*k1i%^3O`o$b0cch%_J
z+~KCAlh`SsS0bb&<BNbO3o}eUBf6GVl2P)R$jH*#`iKk~eU50ysHlw?AsKwkeko-%
zHnF6>Q(-$!l`JhR!YuNstXLA238;}}mZgwXH`26-%04lyt6Ay9Vv!nFbs-kwXjp>l
zNXy5iCyYjzB5L7mUm#L*oUY&_3q+OWXp3_qPRZp&&}}&plv_?jv|CP(Lrv5kxzQt1
z8pW3rQO&ZbU&-xr=0xle*YP|;Fd^>B_7p)98=7CI&7X12v}rR!Wox88(koM{Fy~gm
z5hvif>a8oUr-x;B*JQ&&*BHN>T@l8hS%n*CpwTFG<?-dFoTx&-jP{frOC=<vXLhR5
zFW@RE6E%-mFB7VCOiB%+d{8{_$uAISOVO(6^f{@_t{LP;Yfm8<NwDOY+{9v0u<T{E
z;98(Pkg0;%wbk7#(A=3SFu5~T;7=e*5PwRTQIv3z$cPpk*>Bp6f>0-p(D^PCUDKEd
ztCouUFB+*>E{yXzW|+Vj4wg%G|J<sIJFR{TFaW{rA$utvRIy!B%yLt&U%>U?G&?7!
z7mz91&nygZ1u)&pgPGOZ2#o+4EkREEMW>4)md@#Ew-($IW+1~XRI^{6gy0x5Omma_
z6m|+Q%u<9(ZkhIRm6O1HVrR(Qk^PG17a<`bqQh1JXi)0bDHItgh61Wjr`F6$BD=OG
zwi=@#Dt@n(%cC`DIni}8otfICLx%TLdowEgBa?(KyR}iv`VEnC#`h3%UHb78$$o@?
zw46w`6Mjl~jPNDGCc;X>t%Ms14{kPL9KR#>`Q5-bH=RiSp70dm+k`I?RuIYwHxpbr
zfs=WDPg-0s{r~pgXJ+8do6UxY&s!)w+HHS7Y~eNw>n&Vv;Rk?o2|4uf{!g4pUiJXK
zGhjXN7la`Xo=E<NK74}o<@|n%U|qeQxIRbcj-3!05t&n5FnZkhw3t!)JT`aYc#|Xj
zSxWSqi<0Q>piOgl%c^WfLqlW6%_Pz=mQuSoq9yD<al1_`h)kPZlJdp{)5IZ+W3^kl
zl$&Fwf6TWqYHzNZH{JadHX-b)m)gvR)(!QwjhWmVxN)s-B$8oWWy)HQSbf#9<#FpY
z)Ml7et2>Q?39Q--=Bc%8T3WpuNEG)m^~#Di80)xWI>r`5C*X<`hng;&%)B2cWl&A4
zt*#b3RrOrARO?I(#G9%@6^Y~DuOzfCcU*L->0A~Pyao84#I{%Wd1X~Y1zz-urPcg3
zI<`C}Zgt%iTIAQG-rohYZdznXOG}W&zDWut1lwU&<@i5wXJ+if%A2O*L}gpk_!4{0
zR~pJ^1g)C@;#9$(%>R+>73!IFJP}hpNSE`w+4Xoz&#PyNX{8!#NzHWA0)KlXGB>o{
zq*C@y!>^w;3@VI#(1|`Oeiyk;iD-kU&=Bd_^$IgpT7pG4qcGSS#Dx*221vKzF5}g3
zt6P}}-KGt_iB-xBv1c7pRSs67>!S5+0LVbcDOU&443E*P+)hE<RI5uN*{Ek<KNfTT
zESWTAiltp@kGObYayWii?szKq1T%lHYH)I+{iEfz2DcND6IsT{Wgkb3eaukAnyz=~
zp`aEMPHHfFiZ+4O1*Hn-l#M7TESpv;izH4V^x%ENGZ8JXb|};QZ=pnkc1CGII$G!O
z!?>w53;LA9&!@tJk_qx>)OgRw!FZ{zi$&|PLtU2`m7pENUM{=EL1m|jfi##wNAb__
zFD2e;#;D<m8$?!^wqbg>g8XJB60TE_534Z$DN^!HU5$lYTh9>&grYv>sTDt$Y`xhP
zP5Q7?f4QW06I0VX-=99WHjbaTTX8?VP<BK0I7XNauKpR~t}(|oswx8tF++Oj@Q3r$
z1<HqraOtV~@ychwA4t!LKaidg|C}^^W!dAmAH`8CLnytcgg!Q{<@kqoRSDL0+8GE%
zW%6-gM67T2E$VTM1^>BrYC4P5aB9FGdR=6i5l5DoOH;g%^3u=jp9Rx>UO4=u8&MAz
z_vIv<?ics@Ao#KTE7FPw%cs&)#r^U!Ml${5m~7~uoTieOljS87c^5U5$U}O%yxJ@I
z&L&7l$SG&JYl4@RJUJCVfN&n+J%oXT_YvMt;GzxhQo?0~VT9p?5rol%YYBOTse~B>
zc}<?9j9xk6P68J(c^@Hsg76=NhY61peopu!;RNA*y*y9eZ@rly_XTYsJVAJk5TOyb
z5I#wGfiRf&d}4&B2t#T7#|dX}%z8ax0F3w+;T9TtJ`HUrJVj%FOk)qx*d&cDp`p8Z
zMXrQ~zKe#wb^-jOp>t{Ik&8U<tK9YS*bv%JL!Zg^yjOBK(>luYZW`}-Kb-7&-z)IE
z!eY<6XO`#Pb*txHv)J>Vt@6Ajaq!>kbeo%F#D8fOn{KCx_E*n@?yp!?Y#aiz;bJ4w
zTrk1B;$;aw8%N4)b);x~6?3|`M09bz)w6cTBBH(^(F*;%+oSch4c_#sRnbZ>lFdYW
zn>y&CmBZOHj#f0913}h0@MbbUl{433dRJm7$Q<D8Q!j8ZiS6>5#`2gqZFyC!(wocS
zkC^O08)uR=&ga!tGJA+a+?zAA;HDz4pHRiDP+EQ`T3go3;XyrY<Y<-)##B%rBKvn0
zzGgS(w0fSzDhwBmphs{?sks>58ww_b_J*L>EN!$@09`mCaOfmG!AEB{>G8_?PFaf%
zC4(6+DncyZS}`L670q-9eKMx%W|y9?s!m&QF&V-qRXoPz52*icX}IO$VrFQ)w%p8G
z<Cuz6i`N4SL%nU?R~vzZ02|QKp#+}|l3+Y#8BnDX(oh8xLa3$*anbs0&JogD-y@5W
z7Ktdu`b&%RYo5ANV6e-Nq|;{d;uhzu96uVwUC5-4wLf|lo66po&ODhM+WTZOk5EFW
zBpf6z-sfa;>{;fyKk!wa=StkWiR*VVxs`B)Fqr2T_?F^B@1^`j;34D?1{3-dP<P&~
z<@I8Lraa2B8N+;GmO_ywC=GFa>ws-2m#u&}IoQ=0*-y7_G+|{GZthssol*QpORx&>
zj9?2hWE*N_GefFz)^N(u(shJ&lP{IgA6!lJlwWIGA_rvP<a|Nx({CLMhEgTJ7UNd7
zXqAG@>lnr7P$`|-sJO1u@$qw<K{g8vx*X+34JN$A!6x==a@gq5V|$Dq%e9g0oJAue
z>SXh}d_^rMer$p)5HKh~i)&eMR4$oPxkObm(RSBjPEk=|anbA|%QkkQrG8N~frCTY
zH`K~L9bys;DO10Dntu?byH3?DADJ9fRFw(*nPwL^A>%7z?HWCCVR9OE*xjMw){pOe
z?m~9pIse9XUb?y+HgeQ>v<M^FYQZ!@a^>IH+*~7Fo*s@1Te=X-KSxJTN{(HA&h+Uq
zCDA@!Xg46;9tyNOlrKP=+HHY+s`mqU3{~CvsQChTddg>XVRwY-^_qO$5oXS(6O-Kn
zF=f*888vw7dQHAl*K6{fx?VeOjsEF=9>D1pw}m9bQb=c&yo4241Kx9^-0T`Sca;^I
zAYSYFk@2~tzV^;&4TDeQzrHqR&d7N;<2_t$e;2K)iX*jhKF7Nu>VCR&Ii(!SVbErb
zPUY59J{C!BeIS2Yf;px=SC8{B6sqF(=Nvg9Y=48*{Bnm`1YKH;pC_G6lP?tO=S`!<
z$C?&T{%MW%^&E=u8#GflI6clZ+k@t%jU2V(FsdGIG!Ld}b2y(`x16J-E-@8hG8C-<
zv2h8-%<pL+skc9wMB>r8Rn-`nLZ1GZR$fyPjoIIl*Z$PJrVppeixzUEGWa;J22z3%
zh5&osrJ#NZ=k@D7h2nOw@!qr;+wtb`I+IaVe9r2cishUFt-2crOKr`lOp!Bfg9>UY
zrHEJ9XpYo7Jh0Rlsp7K|Av5@8%`HzR%{^JJyGPTb`h*PE;QE<cTgK5W7*ta!#LbT0
z)fjDvk4ldiogOhJJz{Kngf|QSl^YB4+f*JH7BebC53`o0a#%t&14n~v8#$<7BIkpp
zL?}XIZz+#KcDFPudZ|={R;RC3ac`<vBi<}M6jmrN2+WDsWA3=&T^6lZ9~Tm1%{eQu
z$}uOR>f5ti48`eb)4KQ^Q~_O$2-n3{)2Fke6;aM=uw@aB7@Zz5COu+odIU%0Ybs}m
zohfh1a8QY(a)IX=<^&kxXnR52Ce!3#p*M%E=I*i6IcmN<LtgwFT8m4nE*AuKg+O`(
zFo*NRGDy`GBGHVu8|oU#FOn6%l}%xDw6PM`EPO6tqj80+-*kh<+X}q7;xy$zeKZtH
zU5)}lVn;cuxT>bn<TO#Ke6pV{B${q_Pl_}w2@shfRuy}Y1gqp{<AAl4*ci?@`dqeA
zptPqYqbg@*a;#4ICB&QR%gQ<S?Tee4Hf(Y9Pq+%zK;bAOZsMV#GAEmM^6^<{i%37%
zpP}K?V9SLfC37gkjv&;UsZEdGd2-sbvX&{zoKL5a5d`I1m{grnaWfguwV1W(zF`w*
z9SeHIz#Q=Ooeg>bNRE7_Vyf*S(0(2VL1m+cKND6t??i>QQZJX3G-R^-@1o}7YH$`+
z5K1xM*BVUF-zGJ1<RNsr88d^jc2_|Ro=|z4$_8b3TS%=x%IYzM49TW!n4fY)!&t(`
z;<fgRTlGk?EVIoba%oi*U%&nf_?gq`(^us}tqYiU(4bbVZC@b8pz+gbVYfuGxO8n}
zh72xU6*Xrb(zB$er?bhW*Ri(ECKMBP4Lq6b3(OhB`j+tM`%We|@La-g%P(sdn`01i
z!dN>laFDjpKQbZyG5;ts2NeCI$jVoDIyeK}%2$`3fo_wYcGfvq0dF61ya=y?Ln0^0
z0*)CoKx`Y-gbw(W{6Z!n<+2DR1hHv*EPvd25nZdYCgi~164{-RrIBg3p_?VG|GJSL
zJd?eIB>^U-q&ILVM9gaUk`ilFWHiNYal%W?yt&gyj2d53q(3Gw>e*LmaO2%=*N81A
z{iBO#IlU$O)LuVbRKPde7_-I*yk%<Rt7PxPE-T%JnQNb++xbite_$8LX|xJQK<Xrr
zPle%AVB7_H?fcbT*CK*p5kjzep?JQdCy*~JN}A8l=IMS(7?TcEADvF`HMo}w_4Pwu
z0I07V&6>hGMFX*;@UqtPvRT7&Z|Yor*F<~X^+GO~;qaG;z|fY!Kb&GSx^0VSx)+(w
z>|lI9A?C1dqeT(B=?lsXsXoQF14Yawo5#$hWY9#LWEiG$kAvlI9L*tK_vkZtCx5BX
zC$CQ7O%1s<p}=`P<t+)r&J_9TTM)_6k{RX%?Wa{TC&=m9p8YA20z@x`*XOqphY`M1
zSW%xjjW>2PoTG=yvuDrZ6%I*H9m*WWG1AIfmd&yc99@NN<>W9olH32RzE|B}eE(bA
z>(a;TJ;2L7FZZ0Y&R%?faj)o^y*1ABa);!eeO8~V&pq>u3(3QNMsCT;<f@xaCb!H?
zg>^Pg;)9_};!E*MlJ^19%t*@ocU|V_(~cdV_HSX@KlF~j$DRo(TRw1seH#MXIl6D<
z_N&;!@h&FFJ{4Oxx<_?2@EXE6!eqh}!ZgAS1lg-%3&)#7;EEUBuZjYf5$+^Z6Ye6g
zrQ@w9G!dE!pC){kAbVL~A$*-6ds>eWzE9Xgc!KaWp^fl7;T6K~34b7T5MC$zmGDnO
zuU@o=AXjx~5e5?8Pq>IMj3E1B*AgZYrVwr-$UfNug4`ZkPFO~$B{UK~M7Wo5A3<)T
zeUR`u!dD1iC47hQUBV9tKO#Iq_zB@>gy#s)6J8<wiO@;-JK-(D3BuXzzrCAqG2wE;
z2*Mb`M8af30pTXX&4gPCw-N3jL<v=dI|(ZZA116Pe3Z~a_!QyOgf9`kO86Gx5yFoN
zPZORayhQjd;rE0;5nd<!gYY&%?*5Z&|KCHnm@u4hHDMg#TEb+)6v7RJd4$^t3kY`*
z<W}ap2n~dlgl57g2%jZ<iSP}=!-Pi&KP0pfeoFW`;U&T=gg+2IXZKrWFBX#YpPARx
z+Hq5!9&f<;9l2~+!!^SiF4LiI^+w>(2-<X&ob{ErE;!F-PKKf~bVEbmpuEhZ>`br7
zD`d;{X0Nc!E4<meS$1E=kL(VJ#%g(ifa)6DDPXF-44<_*NQ!me&#SDhXq1-@co(Lj
zvc7?RxYhi`os#;gFOr)_IiqV+c!$USTcCPvQDnORB9zuEZuCM9NTuG7k||#8hv8b%
zm9rUfBU-y*WF)(;oT)|5%9O{%TOeDLqR;&|x0yxjm?dlQ$$Mpln+cwEOxPAr@)b2#
z7N|3GR!L#xrlQ;Co2P3><_4Z-P8>NV{5U@FIDN+aqC)fjEeI%&3YX)Q=7Cqs3ybDV
z^J6Su+<v^sLr^Z*YttSuHj|fPo6jF>bGaTbibbW1Mh3FVnlEDG^=$`RMB;^SE{V6*
z8lxlA5)0yZWY}hkHrSL&k!W=tFF3}_m!;>$gB6T+B-!JEF1L%8vs+53k$o49$r(eK
z#bR+KoZOk3M+(bKnVLp6wz6}F>%L8mKPZZ3O=s}Pp(U(7bLQC`cyb6`UDFB+<`x9-
z>8a|uRr9N3g;vz%h2W^JaUBtCGes-PWtS+Nv7(&qBRQeHBpN9<yK-XoDt6n+0Wk6!
z4CK|Ts$&YFZsc-LU%80nMPkvKW%1?ND){O0;9YUKxX<TL=B2V!dGL&^sH+2i4X%h0
z*U>&W8<{dCk{emG25TW48Rw-gON&VoAChe_*J6Z=bxV`dBd!ZYdyMslxbEgl=_OId
zVN|y2Jj~QoeECu|lt$-z+=Z~Bs<shKDPonbczt8kTa7Dml(&>u!lE?Es}MuqlQHV$
zG4DsNxsF>khc#R$F9+7avFs&{ORqL;8}8i|$(xcPrp{Z5T9_hQ&6|Qsl!q&aHC*XU
zxzfAR8&>HJi!JqrE%Wk*j2JPjVZ;ck7_vYGWWlh8MT@TM=jB}wpCj_}ptutiQ{c(F
zEaI_Kp{JT`TI$imFIQ7p&TdE4rUfIs>#0nd(?G9PaWrluvaH>Ag^Nig3FCyxsiYy(
zk(_Li)KdChE~%gshjY{>;t8Kp?eJ)Zw$GF1z2iTbP_8f%Zd|gHCZTZ{mbLW@7G<mC
zyLg$j?hs>pxb7))xP^b3V<vKUl|dpuCrv7;s=2eMrcwpPAki#F#fRw0Tz*CkHw(n4
zs(7U%;pHiIwBxDjuE>Dauj8HY7l@etd+5C-wY9MnDU&8~(MRoyXgboKDNJiih>J5I
z56`S3W1MHF=MDCQ-{7<#>1BenX2vfPaaA`aU)4ipE2`?_obZY02D>ub&N7oGu@6=g
z&z?S`qzH8U%!nbyKc|?G9xN1DnYywDtsQb{tn6NY3eV{f(7n8!u1=Hw?&aq)q))Rj
zeWh*l=U)7}lP2BMEzV34X+3KmQ+y92VHIu$o*#Wx8t2}*ypiMXC`OG|>Xfx?!*O?y
zKHI6E=kfX+nA}Z06E#|RW1ej}%WNNy6&}_PnqRa=u>90=<_Z00%imJfP=%^8ahd-9
zPv_roIhl8tdv)GbX6}hxCll@!S47-%UWE1J6&!`0>|GIy^Jkg-xvQ~OKzUtl!({LE
zAIUPX+dr02-v0~#j|cy^%YfLw|6c@_>E6E+<g9gi_*eQe&AOKbOSE2XeBI&2C|>Dt
zGKwo`M%MHCJBnw-C>K$I>0u(sTP>>sd=~L~bX0ak49xiI1yzei5))BdKNMA>YY&gb
zotG=-tSA2d3G#P>;$bn0e^r&7{LG8YoiV?(<PKfc-!W(I>=`p}xMSL^c{Ar4YuQ+v
zc|!s=C<dumpI2gmt2yfIY2SDb*veXE#y_d~t<1PO#KAsk(i~~9HHfUiq7w!#Yc<UM
zxem_o=8rWQHK(zFWF`@7t-Mn0Xk#V?F&V2D%Ox{jN9;S}XYo{|9T6tg)`LxSy7*IO
zk|EqsS9BMqR~l-yjco-|>J$w)CH>Pd2h*xB2IA>Z&sl$K9|jm~I2th1MCQX)D9-~O
z-ZPuhb55F+9uvk4)oP3yixm3gV5k;J5rh?{Zij5m9H89t^0WxE0wO)}@2syzjR_Iw
zjT)=ZzEvmH^t$NG$=e5d-lHhc{xi6zkKb!bP9zWTuEN$^xsQ+MP4l@!kB{wb1?B=<
zfrY>$!1=)Az!-4wZ6}iJfO){pz=go=z%{^D;8x%vU@P!d;1OUK@HntP4)?*g^WHcx
z4>%UM5LgUc16&B)1grzL0yhAU0=EDMFW_!KU<q(9a1HPU;0|B{n70sogLuyaSPWbP
zTnO9*tOITZZUF88ZUMFecK{Cp_X3XqUjQBjCV<C*$ASG9ajzinc?<>)1?B)J0P}z)
zz!KnM;6h*=7z1tut^sZZZUXKEZUycG?f@PJwgQg=4+48%NWH*8z~jIiV9p2NJ8&Uz
z18@y+8*nSI71;j{=mh2g2V4Xlz@flRz<gjUa5?ZO@Bv`XV#)#60K0%YfJ1pn=OAzb
zu!JvNm&h}4F|hxV6UjBeg}?`ZYk&^{^D4N15m*8|20Q|sz$VI3U<vRza51odCHw#$
z1nvZuEJf~sYk-4!UuFle5O@$cA9xfP10Dyi1Fl&{eZWn?UBIotgTNiYc8OmOKHw4H
zfJ^D051vTo0b7A}z=d~G9(V+J7<d$T6nGryMW8Rnos_`Az-(X+Fb|jqECZGRD}f7v
ztAH`!Cg2g^VTrGXe?!0vTnLQS(Z9fhz+=FL_29b<JaO6sTnO9@i~)B5j{{!?u4$w{
zfIEQwFNc0$1b7fQ7I*|$3_J>42s{p~1NL8mTmW-`TY!1M9l#RcUf@FD3&0pK0o(*U
z4$N5z{-Hbr=K_zerhkDsYtRS49UG9tVbJkW>IW{|h#UcPJ_bL5TY-n=nfn5=uOJ<m
z2Rs5S1NP?*flA<-&(QDk{8{)e&%i-ff*+UzYz5{64+7@`j{uhgj{?^KkAIH-mh>+m
zFX*YGz+BN+UnE`Nf1XG_3OoWF%xr!Xm<wFE4Y>m5d<p&lOTJ7#;8x%PU@Pzl@F?&Y
z@HnvdRnYkr=mQQ0<^Xem`M@>6#lR!LII!fK@E6z$?9FE3QQ#opabOOx|F<Xy91NTb
z%mFS3<^k6LOMnjmW59<beh2&n_W$;YWMAGJ+X^fM?f}jQwgO|ogTQsbBf!nTqrmOJ
z<G@y6e?H!I2sjw{DliAw1<V8XA3?pq2yh{AEHDNv2Ce}v1n$@gUBK4wGQNOY`50Xe
zKI<L8d|>}a$Op^=iZ43`+z4C)+zQ+T+zH$Y+y~qNJPbVeDE-5R>JeZraLxA_N5CCF
zpuM@&x0`kX*R;|epnM;9pTq+X0~h`ndPjkG5B&&i1s(wQe-gg)GU36e;4knva09SE
z_t0(u?f||4T(ckkjiLPq&?CV9&rt7J(tiq{fk%LgfrAgyF5uQf^e?dg^YCpPd;|^!
z<^d-FOMoT7g}}wY7%(pJFEHMKt-!wHp$j+|coaAmnD<NM0l4r*`d#2}pbxke7`c}G
zz+zzkBj5w(0k;Cz01p6n0FMFX-rK<wp!c`X4?O-d{RYf=1-=0{{TKZ<k@9~+UV!~y
zM?M7pgZ4}!Kd=Ot^Co-)<^k6LOMnjm7Xlvw#(=wkN8h47lcD3E^b_#NangYcPr@f)
zPA|@I<?#%R0As+hz%{^P;3nWg;8tKAa0hS$uobukco4V)coeu7cpUfwaO=Bx4{8eS
z?8|#pz&zka;3nReIt<L|&pTJwK@V^)@F;LO@HlV{u>U!nO#luCJ_O7G?gEwoUjQCF
z7kaOUo&mgv1>AHVc!5WNZvgYoKbahmPk!J~;2PirU@Nc^*#AA?mw4a-V9o_6lY<JV
zA2=5{m@{t6ft!Ha<eBqrM}T?2H-II;zEj~Fa4;|i%muCi76LZ`=L2^DW58D6I$#cG
z<qk?baL_dB<IG$ou;l%;Ti}K85x5n27`Q{;BP#^o#qb*#yYyu8f+C)Q*}yds$^#c(
z4qjjk*e>zFH-MXfeW!yDI2gDCm<wzL76NmIaux)*5V#q*6}TOE1lS5J$)@}b^v`hG
z0nE9Ib^u#}yCi-D@=**N37>!mb5ACZ0*{Y^e={gQhVy~I)@zZc8!11Tb^td4_W^fY
zM|*CfKen7qE(W#&;{rcVKMUN-`IHjy{|Dy{fvx`u9l)($I+@%F+yUGN9Q+mNEQN01
zVBo@spbOZ4JMsxE`4;c*0dpRv{WB@|ecCPXv6IO|z^y-^+$`|yA{|)rB<aB8z|FuT
zPtjgrY~RUb?=sS#hF;)8U>w*A+y?BwpY{S{zyrWFz$5b92K_gK4_FDz`3dv``#%Hy
z5)V8Kj2)z3X9Iu6_yHaS&Ijf^N525`4#8hwD==pc&p!tra4T>f@HlWQ@aXd=lL_FF
z7m@q9!~;u!YYvkScm%i=xUe03z*b=2dDQni<R7@^zvw?;>+fj~aO)pv_bt%-r<2Jt
zfye02TZ#WW`~eRBZ}iA~o|DiEeC&*5a_H^69}O%7&ODP3fB_4#_^uQ1$^psbcHm#n
zOC}Ehmz|$X9tB=MFqzC<;Cb=)C6n`kV=qi5R{<-5TY&!o+yy)YJPbVZqGYlQI374?
zA!km26M$QR^MTI+R{@U<raUm~V#)*0zJ&6?)xa)b?9ycNA?V%++z0$3@KxXuVDH;J
z@4taVf&C-22RIs735)?Z0Ji`i0zL-Z2RsCP75EykH|?4^B$-_E0nfYfGV%fIFHa^9
z0^c{3b^~7oUT}x!Z5x(M<^ex=MKU>f5#RR(<^c}^7XtqaxCZzpa4WF?mC0l)FdujX
z_(9-t;Aen?!Mg*P2YeQ|5E#!+CI@`b^F9yE1x~#>nJfeD1J(gca`>zca20ST@LAv?
zVBv^l@)+>Rk<fW3?Y<_N91CpCO(y38`;Sg0<G_2yB$Jzg^T#HWj{+YDz5pCLE}47-
zct7xh82ki|1uh;>dEkCv9GH78<$+%VJ_;N;f%3qIfNubECQ`nd_5sHNr%s|>z&`^w
z03(y(FK{XF0PvH*1n~U4WU_CK=iLs>1|9$w1IJHECYJ+02HXf7bRBXD+<HCbfyaOe
z;G}%Y*Frxq8~6)gG4P>jlm~7sOeQx03ya_z@EPD?;Lz#F7w}17q>gcQ1Lc6{7sGF0
zG4KK4-N2pyhrPECkE*)%$4_PgM1n(5su58KMNE}q!iz>lO-Mps2rz~~BSj}~6B5nK
zm;?-p8il5)0n-*ORjSdV(w5rPi<Y+3#!3;D+SF2uO1;riOD)>;N-0{%d_QaN&z?DR
zG8656?(_V9fAl<rHRrR|UVHDg*IxVO>^TGa1ZW@V_Clls?JkC2-(*>XpqZeZ^WoQ^
z!3FRG(1V~`K-(6=??5N|;CG<6fF?Fu)_%~*po1l$P%&ufqEM(F^t+&)pyNwJp>3cK
zfbIp|33?cG0CY?X-m9<}b_VSPEd`yj1nmS`47w3?HRyKG0nh`WmzN>mR+JBPGH5qw
zF6g<}B443Pkq-0_=uXhHzl3z4%dUgpg6;#IxB`2w*TZi?+d!*94}-1+J;jgug3bZm
z1^O)LVbJ$M$E-xVmxn@AL63kIgFaA!d_i56s4wVh&>qmYLHj_9tKiq5Pl2Y~4Et51
zUw}RZ>H{qapq)Suf_8zft3i6u&7ggtJ)i@iHMQ`|Hq@^U_5ywV2KXgt`i*EO&>qmu
za$k@7pnpFGx(@Vp(5;|nH^AROOF$2S-VT~nj<^Dv2Kpgr0cdI?{0;O8&~>1{0No1u
z9_SuWs|o2rr-CL`ATEHWftG?6fYyW7g0_RM1KkL^6?7};9?+ejhd}#4lPdAfkRZ~7
zP6jOi^?}xcR)Ver?F8Kl`Y`Ao&>ql3puYf3szQ5$rh&c(S^zrcCZq?Q0=f>g7<4OW
z4d@=wPS8W34}&IETh<QHG|)Yu1)%#uYe5fzt^+*=x)n638R<b&K@WkZfhGkkD-$#g
zv;edKv<wvA+Oldv*MYWyZUucGbPs4!3(|v50ZpnweL>SeZvia;-2z$*`YPx;&;y`b
zLEi`61De{3^q_M<la}Kg4`>?bYS04Edq8VJkAZf9p1T761iApU540R~0JIS_r55Qx
z(?Q<^^?}Y@34a7F2kipg1lj}o1ZW@VcF+OPcR^F?VDFoe9yAlw2Raut2wDo-1zH2z
z1G)pW5A-<b0O*u9^iTL}JLmz>ZJ@_NkAhBIg>tV#`diRXZb5p`{h)oIu3M4ct>~w>
zBR|mMJCGmf*V-Wu+PxO>0(49V;v?wo>k#KaQ#+w|HPWv~zXu)Jg?<9M@_zJN(B5w#
z9q6=gVmtud_aMdtQ18R&cekPb-AD(zWed`Qraq2)l+z391HBd$FQ&Jic>?7C{SdSV
zbmEgJH)tm40B9*_3hL1enhv@a)Cc-C&>(0x=m6+bpeZQ#)U7BV^4ko$4|F`bpj-*J
zlvoLEDG6te8I{zPFe*jxiTLZwJ`uV|1bD@kM}Grf<Wpu~zsQXbo|L(s)S|J;Hz&1Q
zS5LU&!Wom#6%{G?%f(;q9IOuoz$I82{;Gi){eofmw1N(-9oT9Iwh`Dm2euX1MhCVN
zShoY~1Gde99R#++fgJ<3%YltafPEa87uW#@HWSz(2UY;=hyz;&%*u(jK@iv&2euYi
zDliYk<q})T`-sK^o1_qpZ3C9>z<PldJFtDgY8}`iU~3)NabVrRj6W1e-Y&#oV0TKs
zb37^QU2{CCo$g$Zw<9szleT6=t|#4<JKB?$?eS)NQXw(NlT?^o;z=vC0lK`)pv%gQ
zu0s&mL}2#1t_7Crz%~IJ@4&VJO95v0vtD3h9GJYbDanBy0+#5&jsuhO+4ZHs*N>zA
zc5E`RV-746*bxU-3~a!Gl><BMz*>PFa$xI#9duxuf%QAE9$*I?*e+oE9oT+g`+$v-
zcElw<br@Km1Cxi#du^EX*YUvi*f5iRD)3(5_CB4(^rBy`H2jq^{e=R+Lpoi#p41LE
zJZ4Rz-;<iHe1@{^On+Vs*)p4KD)`$VE9F03WT9n^Yq2K@ABDFEJgKjfC*?T^p4g`f
zpCw&~lxK}Q-{Y+wt+L4WB+X6MF)w9=_D@xIC7UO*MIP@Lji|C^Cgdi=cTN_axTFll
zz`Ve&6yO>u-;Jt#lW|)MUM_g5o{=)l^?2udQu911D1wT)U63n=+!WE_lq=A3Ql}k|
zD}~%uVYwXE$sev$F6xvC{z1srLe?j;h0-1f<sH(e*Cf_xX>{V;Wc25`s%^4g*u58`
zl8<*J;`7jQ!*-=%dx%<T|6<6tLw1}1xCAQ))(H$t0(A-23hbB-6Wgr=R-JbuG()6N
z?=`NQl<h=*3wZ0mn=3qAg6#md3)oo-!Mp@?FR(sf+XYj8R~YuYd{4RS8>3Z-f_79l
z8^*yUx)RYz%I2O3oum*wo}~gS1-4c&=(<nh;0E^`k9U3I98X&3h-^=K$H*K{=9*E9
zJU-Vop3J$PbOcBUKv0K8(OnKbo1sViR4&0<fo%e2kAdreZM4ZryKM&61?(r15GvQZ
zP@hgW0&PcPzK+E{SGgk=&r7zlAif`I$LHhO6Jori-Qa>BuXpEpyqyxqJ0y;;8JUlw
zH;q;WNAC<59JUdkorpsF3QmL~eF6EeanJL3OTuk0a=DNz`xH5;cRl3FAvXb^<r1tN
zSUoV+Z;5RL)&>k!P?s0~Zw1y03{x)pN1-Rnb=_#yBMOq0uDy`yv!xUL@;<)3z|aNM
zCD;*QdmLC28h;nCKTuA5aw4!UJnzmI487&H(b{d&aGNRe;K}!-bU!U%|63OBe{<ks
z>0nnwc7GA}<MCPAqSJ+*#(0?T8Ax!o*&VYmS<-Amn%sFOLXU*g<cIsLN^?8XAdDGj
zmNa{jrUz-ToMb+ZG>fCth%Mx$jK`72ZlCeMjsdfefoZ^wIOJvn8*pGgV22%;d`JBd
zutdoZm*k7DKw1ZZnKl-z6IeemR6|{YbptzK!wP_H2euzrwMeOc0Yh}k_|lP>EBzwh
zlfKl^E#@YF(UXR#6^?O8D!SxLeNumHIZzk+3FkYij}>{cu6O7vNUn;W{~)QvpJHk6
z;uE2}MOSlp+*5Hj5RS8RlM7z(q|V#zNh#dxNs>COMY?rJcZbYJP@mYbCR<`nuBSV}
zeY$J3Clm3<5pJ@RgTT?R9e5tpt5|**AG#Nu2rb6FHBZV1pY4!wa82ShC{s4dGzVo8
zyQHG=_d)hP#*h14#nJI^p2R<vDa&1%5UWJclZC%(=t}kBxgvGh=L2`ZE+|T&jKBzG
z^yj=}xGFyvB#R$xg^pd<MB=E-L3RS`wPAo%JM06#19*o3s=r}uWPfwPF~XTFH6OK4
zj=^A_Qi7N%>2OKDUSO+%U91p|%>=dyn7z*w0Nd!mmI3Q>U_oG=4s0#3b-<Erd29l<
z)`4vU)(-3xn_MsT+55~s>a+K)L)2%-j#HmKZ3+e@sqg2QhZl4*Fe%@|f~m3DhuDi=
zA+r|5-gLkPkV#y0B7`ko#zQs7g71sx=P1#+$ra|KnwP9bnslUDO21$4LcHp97f3%Y
zkbYd?Nq7HOf}{6kCre-3fwZNIF<)R>`m&m17J0f7-Q&?oq_>*@i8RId8$h~cU&L=x
zh_O{)!&tUK#zp(MuKfBMPuD2-$)n=*H6)iYB5N$#(~q{p+*;e_W{eUADuyouuf6g_
z=zg%YAF8;o;=x=`SAt7oxUGmX=64~@VWio`zOvpmFFLlNf4jRAJZaE^q^JSrGDs(F
zuvhY{J`oDwv(7Iv|5<>MK07))We;)kok(+EIQAe7=Q(-dd5*G2zNbCWeNDXBgDj=L
z`0$^c!I>mwz$I8U{!7KV8+*TM1GW~}=arO>#ht*qfz^cD2C>*a=R(~(MixjM%=cuu
zAC#skiV^O_j{Bi&SJR2mJ)$2z(BU%k<JIs-OmpG7bCTi1{ETUny3+9fcuZhZgC|0D
zf~d5ZFU!2g=US+v2NGkBge<Hq$S#BI#UhJKuu@=c!0h8)EwEN#_L#96SkNKY1x(HY
z89DLUEx>AljSja_WG<@ONZEyL)PGlk`-|u^nL`H%bXC>nN1!jQ8Nb&Nj_s)52ANl`
zPaM+bU3Vt9$HmqsYbL30E&|flmdL!n09YBY?ZD)_)w-WW%3K)jSGgXa`=Z!xHCOfZ
zEzp&^@<ixksM3C|;(3mYTdoDVMbHcKlU?m*Fj3_?fOP#xC-DOFw-g`90I+T6;p~UB
zx9a~9f5&)lpVu$&wExuQ-ZLVmExCNq^*<Hy2>H;36jlaoJFuYSjcYdk>Vc))d?NI!
z01NHwP}kb9Ulk;md6Hh(ErHD4;VM!A4DL1+Nwy(<H`1RY?WX(^5kS_a=$FZ8B8hd{
zGj+QhfP7cmiBO^BhfCUO0N7q&FoU`TllM352WI-BV5z{40JHn>RA2+ZjBkou7O=w(
zxl&+<Y;qGJR}1VQFdsfk+1JRrBgvP%5YbEYtOI{M&XQd#d|cu~n}L-BtHQd@=0mY!
zHGBvw*%&^bk4DKt@<Y(I_Kp*wMtqKr2hBFaan=DN7A9l-g3sWiq)=s?ib1glI_!Nt
z3)o&@b~}{<+XKvQr&?gU9CE9H^#ap5=sdcB?F5ElN?l@`Ex>jFv-{T$VB3M2c1(xd
zUg~>EQmT1RWV}JZbamL{KZ1eylyw^7SNn<3%Zvq`E{umAvc_AJ=)O&yN^c3sBvRt4
zob5e+=ZVmINn0d7toBDRhjh&e8*;8P-V3naZkkWoPtO1P?uwq@%UR%JVD|dTx!?j|
zcALr>;ap($`HP$v&H^SwuUuj)IXgTXnBDerjyThyPtFw21ZKCXoG(sy$jMpbsle=c
z$hqS*hn$>2o(#<1mU1513(Q^?Ih#BYn5l=fo19Zl1$IHW4I<-qk*7Dog-NnEJWt3^
zmN8)m(u`k&F+tLx9qyBM*dTMK^@;N&jzz|V0*qU~j@370o99=r{#y05q*ToJq3>;|
zv-LH#-w_!T@@4Fu3w>XU+1W6NN*k0ySM6GqO?2VHtyPQvs)3aWknib9aLrSzX>?0V
z&Q)&(FHLypb5)E9n}PQNx5uR(U<ZKNePb7}{lM&Y-Vbb_13L_?&xU15erKTH06UAe
z-yr)u+$X_WvP1TH){LCz3A&EP+$WLx=0eBTFGtqPWx&dSZ2|Tz$pd|H$UZvOs6+N{
zijti>>(Z0bFwljkdTmg*9l8%e_cR$>E5mK?Xe%`z$n^x>+Y)3zk(Ms-1lNq}7}+^u
zec}f9eX@-oW7jGVv-HfIA=4^kC4QHV&6~|%IT3P6hfw2ZWL%Hzi*YV8kl=nU_Q0-&
zPtn&7ear5_9vAIDWbLc`I9IQI+Y{WS@uwon&-$Qm@4b=z(>1PY6@sLl4ujVZ-WYtA
zOWMgg6aED3|GJ%IpK2L&dpo&CnIB%)tMMz+r`S&A?)#-`Lw6C;9>9k-$h_F?l%tzk
z>MOr3A-~5b<F8y|?*U+kf#t`TmpR%m*8_VWk8N++T2}h9p#1QC|99;t-xXN))!6N~
z4ZI+D_V()qRuAm|y8T*FzlmpIyoYXiSCOUK&#@j+d%*O~a@W6NHXmlCH^pi`wo`$p
z+}<TsEZ&HGlfE7qlZW&Pm2bFzdtx_Hks2rZp{sM_|4sX3!VKwWWBk7#Yg+bKdt6g{
zZ@JiLFLNx}u@RbzwDSFo@^8d$+jZczf_Ek4<SM}5W?<dGR!Ojr#2P#^v9HyQ{oU6l
z#v0_P>kxG9d+0={A?){<-wjz?GHzwL+R>IV7f>=@%{&MDqu;{0YkXGg3XWIBz%6{g
zz&;L@13L~`JJ!ndc5EH6Bak!W+A^rx3~T_{>ynQeLn8Z}*yEFZ&MfSJM?H$2n=JFN
zG}tISWFSxgu@54c6sJSwap(`Cyp`17DbE+UPlo*h$L@rlU!{Ao4nZ0-ZxVat0^14<
zQ<AVf&@HWHz<Yqt7hKKx7h%lLO>Tm{Bo?g(zaRYZ(PJ;hu};~?<ueM`mvj{|&cFs(
z=M^No@&Wm54=m;>U*8LTJ&)jbNTdBljf;-hmhb8Ma)RsWn5~>6b(6Ws#7XeiEhj=5
z_$>D4zP*|o+n-}j2D<>Vt&qJ?WYyXX`!;Lj8QY@p^F7fSgxu=SsB<%9yFP<X`QFf`
z&!|(rTeR&n=uABq^Ni1^GZ(UZK1HYW=X%KXLGCvRxQX=VSnVTG<i{~vhrYW5x~iYx
zT1?s7?C;FiYZkMH15eg))yVQN(v&03(s*;1$eg*zGjNjo=GcL?AlaQO97sEM+7~9P
z-=Zo#4|9v}VDE!|$bC)qd_wixB2WKGu0LqE4tG<iJ=yI!bW#DbF7O<~U;F542<mm$
zR_NURee4U$!a>CX^anokP&%<6@4gXx6;aV(f$A3rk+$F&^a}|%%I=QXr^XZYEK@Bv
z@SH0~@Y6dUv!P-p9R3)-ck?%Vj#(D0#$D?jMNz#<uLW9>e(O&;uUBzFX8c_Lg0~Yq
zF`Zm8kJ$oj2QYiQ+yQL61KSI%2bk!ROJYnvux-HP{e-&iamR493MM?Ci{0q5k0AQe
z&&RxKC-xQN`A}qR#(t^W{mt0(Up0S{KG6<+6MOOd$l>xu=F`RDb)0G&Ji>NQO^DSr
z&?DpPUg%1H9^<9xQg(H>VD7KR(nH{F`~~)&T;Qo#ruNV<7hRLsiXNk%!7NC2??nA&
zBS}3Xca?^33U$Pn_Lw;Z`Ta6_AEW@-Okj!N%O!HlfTaT)p%9G)flYN_Yk{RXuuZ@w
z12b(Y`nCb{0yAr8!FqvBbYS~{N%^qNsV<Q_M1AN^>Z->7$EoijDPSZXIrf*-`~oZ1
zH3{w?#coUtNPA+&1FVN<LUr{8hzI!I*h<McVte(hq9ttL+~jf`u=Awkhx@{2r0YgH
zQxEaK9$?#m<+2^Iii<ywX}>c;M$Z_XSv?aJ|C51k+ujqQ2gClSp7Rw)&#{#MVfE;q
z9J_ZEB~OK_V(7A7JrR0R^s0KIY&>V;Dh^jvx{~q_`5tCF<fVP&650i9H88u+Yys8=
z%<fw|fVDcXy}*JtO!`DWuzFxJPtkp%MA^3hx5p`ed${f@HmLS53imy>f0lbeyuQ~4
zT?N>r*z#-apM-Te+9eWWap(fwDrTd&?vLq5nAH8zlZgnQ6Meu0`DWs87xGT}&56+O
z@mcK7IeBEfk;5-Pbi`vsAhC~y3ClL5Et1c&FT+C)!kY+QKX_$^$2}Wqr%doBzZTi!
z5v&-P7uY0`#|86R^4-_jz@#7Oc@gZQ=0$Q&LT|9ja|Ds?gscy;3q%&%jvaDNLY>pP
z$%y8@up4m(>>ZG8g>2OjSyztsG>rP$vJa`BJxW69KLbd&4e7Q>Is`r13iC9cZ^Qz8
z$oi!Sd-72eXti^uY@c-z&L933Yc<gq%l0ypdD3Bf#8R=Be4n=)X|W}*E~%G%w|5(`
zN<ox9_@wjvB_592AODFD>_NJNNVhgRUBm}4TXEsITU0_AUiw8MI&UVvXX=%-@|*-c
zM9Mc2couMbze@);8<@R+%J+>Wy&aS99?x`O@;&5qV51}-T#|=;CwVF`wRRvT-%l2O
zCRR&d-AaAS@mbpiP5Y^5K9<Hj^Kk^a%AkKmSXacx@y~qJL{F`dR?3z21^6v=<%aux
zWc-fo@u(P5<mvOeUW?iDi;|@sI-#rUcPBzQQmz_L$`Z6g7CvqPz6bb6g5$YSr|k7|
zomK>AhlgXd&P{gRW_Igka{*hyYZ5!$oi5eJhoEEa>qB*0(=gux?w0bG#M51v?7GwF
z&X3aFhGe<WvF`ULLT^ReAhOS;&Wb1-<l-^J_hQDleA)Yq5ftYnyM7;QTMYS1-o42C
z@c!6&t2LjR(--My#y+<z_QV}edtzo@l<c}WcIM){cmt8;doyxYLi(W(*fL;$!e{Z*
z4KA$z*2}ZiPT8057=ie*W~6JYiYMVEE#?Rim+!Twymcb<T6k=a_>!s%&O`9bp+xi_
z#4PgsWcSmt2WdH;r25<u<g@M%k$p6&i+q=UEiii@o(QZRSXBQ9w%Q?=3#`o{C*R3$
z1(pQea^cph$A3X!6#~FEj{OFVJYEERGxyYU+HR!ThBO%BIDRh=&yRM3*9)H6GfII-
zAF#u~)S4al(nk*hOMUx9=!RkE?DS8cJH;K-uzAVl(3K9wv){qFJo@^2nSU`3VRT+I
z0>19L8*#QMY6r&kO+fZdnd0OxdD5_xfD>4-1iCMD%O!Q#h&<Zf#d{M3z$N3tR$yCz
zbqH`>__-T$xm8C140m}l-07nYc`{CRL$n|1jw4<Auyt4aUPYcBm#f*c15ZGD@f2{6
zYrdxs51{wE7I^wybzoM3mk(Ypcyqv;170?G%fY)brp*eI-PH+kQdJ_Ael{!bU0C<0
z6QO@e-Bh1}-`k(Ts6Hc$%Ik(cgTXvT+ISCi<i3Y@bA)3M&Jqnd*TXi((VLYq%bTAp
zF=hM=JWu-biO{)WU5<VjS>ws*{z^<$dC7$_am-0#;+T<3J-U#0=OM)DPtQBw)1Tz}
zAf~c{<Syts09{>w!Fd|#z}JVL6Gh_ke2FK<?@OR5*3$>q2Fc<DY<BF%>~k-6-F^k1
zeHBjoYuSr)A5e>;ID7=qa`W^_&A)<h=K2pXZ~JtAl=`{bW5=@anZ{n|>m0zlF;GR!
zUsH;t2jEP78tOJ*DwHKB4D{OlFl2inds=kfj`be*fcp~M7sOufsiQ*DR<mcpz8~Q{
z<+Zqh-wwM^zbU~z``TCoobL1MpleI<VCX5Rl1uIX0?V2|7&<1tpq}w6KUB|nBV(It
zKi5;bXJ9W4GCHEnlk+g)Cx3Ww8+r1l=iA4jzaPKB@ek3Dup9nfM7sM|FuO!z6;;x}
zPP+vAExy6fB&Tez%k_*+R`!SFJtaG?!TTWS!|UbjsC}=h&@(XForWx;HmlSQLl)9+
zMEZh7c#j0r+n>o|uZz!Qmts340Xk$84%6IlwdbhwqWhuaVCi6ZJQKZ#f%OBc2<yc>
zYQ3E4=b3o)YdI5N?)uG8weUEJ&FPn7zQ1HJ^kaOMOX`~oYzMGg1%U0>%eh*f(^t<#
z@)0au*Ep)H_tT1zWG&JkLwfnm2kl4KNbJIy3j1>o`elELyDjzrr4+)&t$ol}wiNGO
z5PebYiZeHC)tqGa>_{8WNfv(|g9%LebrHJ{<Igx^Il{FhX6(sL&V{Zr=sI#e-t{1z
zZ}`69u1t*OyznC=?S`JI%kd5lX)~<Xc+Mdb!_@qaF)T|~I58fTW+!9pVo!h?sp~Q5
z-3PrN;<GLve1YSIW8RKAE6xeVP%E2w;uE=-VZ5##4BaNWaH;wOI|%IJ(EvWB{%#y(
zbZ#XVL3b*Wc0<qJX849u4A=a&IyPZ>aWC)XDQ_7Jy(K)f^BRoI<*r|kR^1lfAoc8r
z%*58gP^ZYC92;c5GQ{Vxiiqk%dC7Qe9)*-4`P9piA9VeOy4K5C346bewZ<$=#`a>=
zsxwE<G+_OTf}lW{`iKqJLH9xE9xJ+WrQvTguzp~R1b`@?zaS~j{h^DY%4*^y>Gwc(
z{0h8NMr3gbb^w?U*!2q0*Z{E2z{U`h{+D<Ko}U1FS1{zWUe;IkHMgAAa6Z$-b6uPk
ziwa;eC`tb-g}%&{gP}F?^ogD7qti-Tbs}9C(oJQ2vX?{6Eu|a>k!kd^yz8Ph>3Z&m
zuGX9JP8TTyF0sd9U|DT=4~;_fm?!~k;;O+=74u}DpD(co+YI(|M1^u5;4}n{OvFh9
zUHe$0Vz=bsgTC3f42F&}5Aoq@U}?7whWvs_-C;O6KP$Fx2d^HyCCoo|tamkN9|{Ng
z1?r>>JRyugUl#QBLEq}t@T0IkILdlC7sY3aD#jOKF4;RY#$#s^$*u8NP!!yT*oDtJ
zeqvUk_N=&Di%~H*85^sNrSp>U9X>r+>h?$abx42fXHKvCdMDELA)V7sV#BTAjlX>;
zPyA*VcxB*y5Z#86=W3YNah``~5(%!sm`$k9m8D#T^}-#4A^E){=?nHTAQBhn>h*M2
z!m#r*@rQEg+kDqx=rnwmD;<BWz_tQg$?|q$g%RG*@bo0PKDMs}3zAj+k><!6#scvn
z%&v_O?E)`z?O^D3*;sOvIWkXLpv&Cja$gbKhb82ym^=PzoL9Rywyo2_+XkNec9zZy
z&w1_V2qJqOMF_?+9u4g+{Jz?1=n8h?{bEohm$YRUurccgL-HG3G3x?t{N7C=4y7%O
zsUHKA^sNKXWo^LwpN7??+EShMQBO68mR9Z8OWCGop?voZhHeb&Q)?{cXUaDU!)3$V
zJ;ilAX5k8xk3d%&bZzg#+%pL`aoddR((cjjuGnpcD15}Tb+qd`PtWK8K4g2kN8b!8
z_hr0yZ%M$XYk*uw#C0t`V7WWmM_>`?65Izt^P$3Z7e34buo!d>fCZp=xGx8lJeGpG
zvTPb$tw0I@RDntgR}DUh3O@nezQJsa+nX>Rhv#}228YZ$RK0WYT`!k>rE6%D6ePF8
zY&)UL!u!c?8#&a5>e-?46*V_fGtdoKuYVEi^#z_o_`>RdD<IR-6#(Y|%mtVWuo7VG
zqtx>C0p+7J=U~6+vBA(CvRM?X?NlFN+qJt~&&I5So^#4O>1IDU7@82a2O>KAlNx^_
z{+=senOPB2S6=c&6h+=^*NgX^or%vnZs(jlatU65fm`7p27f2`pR@CQ5&oDQ%X%7o
zgwsg+wg`VJ_<i7?ZRcMb;TMDdD){P5wwiY%|M?MqJ@`_-^X=)&Bm7SAcY}{9TO|M1
z2!9*+{or3@=hsB|d%-^pe!TJ>2LFBVC)m?3j-(%h$<smb&$9E&BK)b~zYBi3o$vaR
z5)k_qgMSa+cUKt2&kghI!T&Gt7e?`m!u(Fr5B^8uXvTi-50gc}3uqho&ukwIy=PCK
zx5n){pj4<f?t{$D&kXAG>|q_hOfWhIz@LP7?X9%y$nSJxMtOsgk@p+6KxV%SLPiJj
zalh(P8A)B`O1Q;WtlqLR>Y+ET@>*x=cdg*L7<lqG>L-JtS<sRAy>laa3ZN$~qNg2s
zjo*oPF52^Q|5OP`KHcDNe-7^i#OH8XZj98o7yMn|$Mczf@c#flwt^z*8zbqhxp*cv
z4BrdB`{(h~XMum(F#K}xKR*n=9sJqD@VmiZ2)-I`O<TB=RC|hjdL?~t{POindhkE7
z*WdMzNIT}Ee9z<EqEUQpU@tH)_^ZJGpD6wZ+JL~M47re*i}xv>VV5b5*ti<}EbwIv
z4Ywiu>2`=n`nBNKf*&s~Z2|v!@W<QJFO2Bl1%Ame=?{Wm0De3lNJPPwfsaR{k@5v1
z`X_^51O8Mye|dzT3x4x3`B#H4^+PX+=)W$Kel7Snfd9Ci@9I_p(vRf*LofegFmxQB
z6PwS8=+OOkKm<i@6XYJodotyF6p3XvIqAD+DVI_0bp-i6jQ429%da1L&cpjOe=hl*
z9j(Xpj4rq2my~E(KY^S)`%O%A$n{3#(jm7DaZ|~?kLYatSYj9DywK5!z`1KoNPidI
zE>o*@iLdlP=9H81jyHS`>uHMc`@o+9KB^eu+k9;R`~}0LPbtDz3c!yy#-xMa2!6aV
z#0P#Y_>1lNyYwI{<qv}YF!&eR`8Hqc0)H#`8|-}7-Kv7B{@|bH3B?`b`@la1{PXPT
zuaDSgfa&A))s%TyD<gf}`h!0a{8R1v7ew^?m_8mq2!0~cpKecI5=q|${&CblUiu#J
z2ZrJIfq!rq{s8#<hvBDS;jniYemeNQ;Kv(peBi$cemwgI!QTh|MfUpJ<}h90_k$mA
z4%GwxYv5mKPjB;|KJX6=lYRjFSBK%J%-8jcmw!6=PY;vc2mY2}_(AX=0RMb@`E7H+
zF7P*lAFqG)d`kMhPf0)UDd|%d=={go%U2xnPkDFohGEL*1AiU(Y9G(UFg?Xnu{Q{Q
z+c5kt@Fjl4OWy;2*)aS*@C%0F4}hOJ3_k^v)3jmu@^0qTVfa4qlZN33!9Ru=Kh|zv
zn|->#KQs)#2mJlR@cY2u1O82R{jPe|fD%6kz@LEf#akoDm!zeB@%ZWBp9X%s{^tYV
zI}ASv{)NNvyTG4048I5btHAfz>sJ`@&pz;{4#OV+U+O>2p1v-UKIIzS{-3w=t0Vk$
z@TVhvy!hn<f4K4m!H-uynNutqqs!Nb&xw1nYi9b8%oS|q*a1D|C`Y_<%DcR87^a-Z
zz+VY|yf~LyqWfVyJ7<Ew1nJ}P<(=WV;9qaIqf0NA#Sh!SzYF|pqxgE#Ec{L2?*u=d
zop*r02mDNX`j$vL?FV1Rk$B}h2EL2~@%X8WbpF%q`fYxa3I5ASAJ6_};14&>wShle
z`8I(+T={l@FZMabUOwAi!+!9e0w2|k_>fBrh<%SS{~SAC79_YAerl<nr^M^$@=o_<
zSU1KS$I8I31pmpXb?sx}b!{8??_*tdmpy;iZK?pO{lPEBx@%n&e@&Rb1N`ma$McW<
z;P-+bZytIK{G;GU?E|=OQu@78e<YN5@T;@Iwm#@?jjSVPL*@yrH@+KH#>c~DTn2tR
z))@=29trnjcTsrlx*Gg)tRLd>H-q1WbwhJh`i5}&o#4Ow;$Y~FsQmYZ^FILo<~@V@
zeK4jDE<M>08y}bS!|*3AK`g|&tRhPPvatTy;LEzLC5o>%7exOu@Sg)e5XFz=zZ(2R
z{O&+J{$}utz`r3Xy`Joe{+-}&1b<}|U$>#~4}kwZ`0;$`IQS*6#7{r*i&%?*A20oE
z@Kf-639-s2u{;f(b1C@W!{@}5aS<PoSpKLoqguE6Aon)po)o!HQljO)rRAhP+mPS&
z_&tVM_#F19pyqo4ZGxUw@bmCFahFYxD=XY)1JLmRWa9Oklrp><9Q=0Z2<PFtHJm;j
zeAlak`ki=TpPCcq`@p{t{KlyCI&exIg5b9e!|wurH~0uow*2)1OVam%{|Wf(qxkE>
z`S*cei{GkP6V+#K5BHe?@b}`kE8^)-kpT(6VS#0`E&s?KW;*y6f<G^cKR2Ae5Bw$I
zW0_$~pC9H2!M_Xq-$cd5y(%txk)#X!nfv&R*4S74<xQo+5}ECgIRcrT_#AE{k$GCn
zi0^F~kNt$-4Tipq&xt!R${AgH&t#QIiao8R=p&E=iO9J0rm*Na3_X)yA5`!DN?dEx
zBl&HN<Tw6v_)Q1M{TOKy>l|`Fh{(-`+|=I>h8_^Pg$}t+EhpvLgaSPXxmdm~{2k!;
zfIl6d!*y$jq~8zzFTkH_=X1|W>LtHf_$v6aub3z=Of&XDz1(i)F3LXMFTvjUt&+o0
z?e*vIIF<!|`&)yd>+Jcs^rpF#vmE^Az~2zXzgrd53#=XdsR!b>x0E$_8rlIe5@!=H
zx0O}5rK*+WwHLZF|A5~^!RK&&T=%KGgnt<PZQy@9ivMt!KV})mtGDCVWh(fMarjcs
z)YG9K{PSU}#K$m^wcGSeWin;cR_OUIe(we0HzMP@CR~n<;P(&1-wyt1@5GL~6QOb+
z_~qc=8Kr-9SpO05e*yj!JHJA)Rr$uFG53H!)6VA}o77Vt5+4A+1|Jh&N{-Y)`h*@H
zm7ZnLGvVF%KD-+Ibnw4v&xf5#>aiL8?}8t%oIAnq0YBZIp3erPoLf=OUhtLQe8E;u
zo8O3BALPdT5iw8t!sl#q(ig6d^o6OI%uhQQzdps_=Yk)vJo3AjrQpk)FR^!Y#BRDg
zE2RabJo0;(PeD%3d?jwR$%%cB>UI)2`JK!T{4UUL(YL`Nw=>e72T`uc@5L{7q94B-
z0{)dzeLOSV$0vhdc4#nkGx7=hw5wTVAnlY3eh>KZ>Mid~=>=c4!$&7YblBQK^mIbc
zn7_oIPi+Ig9Q=6xuowIq@Z*(Z2g<RM`V()BUykwR=pT@qfii{bYkOui6a3e~ztzrn
zspeCDUkd*8_v4Szt>AZq|7cYD&0%|P1pnN>;&-;9_&Rudfo%uB5&TtlzW9c1AACP#
zc0s1nF5}V<9mLkhz#n;dFw_vm*BkA^PpyEjf*&t^Cio8wlfDf6gW!KPO1~c9M1LFj
zOFoDni#LJ)CiwBv?*PB}!}#g<gWm`KsrLMB`_#w4-xY`NMVeGpd<Xc?B;dv#$G;be
z2eTnlgx}%XY0ty;Bh`-5Khw^_@2-IVU(k_w=BQ{r--+m13q8&M6MGIKw%P*zHt_F=
z%IB7_zw82k41NbJ9{(Wtm7&47dku+Ih_&EfWY=%olb#IzR`BD^33I`JEl&Cr=&S~R
zAAa9T*4A>V_6N2H*kuA3`?jhoDgGw#-vNJ_-Trv7qew{l9pIn!g<<wTz`q3iX?Fd#
z{flGZ%WrC(Y3JL{N~BifndLD2Oz>xef3`in?JPtY_?Lr^RZpaTwteI_@TY>08DNB8
zXsbW?6NcgM0RNuB!O*=?_UQ=QXFvEy(Iyw#_1m5k90MP}4i}f7ibd(xsqxE~3H}4%
zx7qc(^ahl)PZ{_xBY*iliE#V6lijBM+Q9#b3+*3O{+Z$OZvuaxI~1B5#m`oJFI4UT
z|C7W}=;TD3ei^UbiOPr~a{w|2lkodfb{!&9snjSxvM`C6IvV@ME}I^AeRw_M1^;&J
zCqHPfhZ?us8>BK)*IdXP85;_{kI&({y8fifF&R+$B+P+RLLoPFBxc}0<L_F}KP5Af
zD}&sFr-njJBOtffCMRVMj0o#%hupiVp->^poH)lOr}bSa`lMV3P_D!?L!kzH{oS=;
z8y^S11i#DoL=^wgFn{85?6sd23e7_n;WE4Dsy3AJCY=lY_+7mYDTlmR!PHC2yIPr0
z&1cdfS9xA2bOL%3e`1r9vmgUXos#QBewi2G_syW&u1lXx5fHY<-*(7tx-b-e&+m{k
z@#=em<~_O1u?~=_^T5ZUrx$vp`sTvj*c{mZi}$+kPP86P#797*YewLO#BU_<u4%-b
zF6#jo@2<V5Bf)ye@X9a#YJ&Ad%)2pXA;ncA=3A9IrRRzf_as=2BUV_CP#y?$-7w;&
zus+Fs%z2Q{7*Sy@nW9Q_Qq714>uV;9730<=Sl{Q}N!O1ESoauh8Aw-f>z@<wtFSu9
zG2=nc8L`mH)tZv8Ip+GvZEa*Vldc+(XDy8_I<}(Hvi_KG-bR=89oBrzM2JosalN%j
zYa4ybj2|ReM@&(qVn2zKv9ll(F0H_NG-2XLE-NHSzT-+;@3z*t&ruaFcvG-HC5+gg
zsLlSUYs5#1)@xFZgRT)9Mp#d|@$tv*5#JeMbx374C63rN!rCey|0{9Ce~+*}OzcE6
z!<gf8ehUxW>OMB|rP0>gqagq=Wzw~l^_7GXcw^0r2_J(m*k$kG!|&W9`V+0k63Y}e
zaUrU29d%#SJqpq1qMwYi21i`9Z<O`SC^e25C;AWlj|Ki?f&W<GKNk3p1^$0#fqt1l
z;p!&UcUbHE5(68q1*A(!Ye;V+-AMX<(%q!LC4HOpebVEkp50piWYWt?OGs}ZT}!%-
zbR+4bq(3D61?j7#Z<79r^zWpfkdAy&=Rc10Jksf;IizKzb)+ju?;(AJ^!ubgBYlPR
z4bnf89wklOqw_z7^gPm;q<N%ENNY%&NpB;)hx8HB?~(2#-A{Uybks{a-;+ttAvNv(
zzonN^PcCU0X$@&B>6b|#AbpZ_2k9Qt*Gb<aO?X+C`*hMTkj^13B3(jSL0V7xS?hHx
z<u{OalRiuO3hCRVACUfwblfYtoEMN@O?nM!HR&y+&T?%a{%z9jq%S(;f5-bjk{%&F
zd9TiY5@{xBKB<q?PwLFy+^4NRPkp?nTI)MVdbmX2TZ=RuPx^AHzQ6p7nszMKbR+M_
zm+5<>zn}VxzNGPL(k{|1q&rCaNDq=8BOS9$r}vT?{abI-<xdG{{!-GCuj~8FuV`xI
zvsj+FRT>YH9w^fHljTP_aZS8l)2XDhNjFn|8Sm>!SCe)cInwV^ekbqul0Gp{>t9J~
z%2&qnT~(?1n@D$&j$S`}`HHFEl<zpx#Vg-7%A4|yW_fFAk4)0L@^!wZoI#dzS%t<s
zNK13{{n~pzTRC?zT|LY3Y2|#4^2Uydc{-nc>cxPjba+O>@~tk{{3l2Uvi1Gfz8t%J
zuTjov$9U!Ir~EdD9ZmWA=jeQTNKFa5S-!OwX#UHjmwZ9r->^EmeAAiFZ07T6<;$Y{
zX3EDa-_{JB&*5}UP5E}PeC9qLok;ytNk41(Iw}8Y<%^eZ-)AhJN#FObuAhlV2Ja{C
ztnWY^Jn4^Gk5fK14xSbV&m``wM*(qDzB0#s7vtRnV{|$CNDHpe_wTl9dWiAwv$o4o
z%74~&*>}0l=K%9H<;^;*ai@KJ#7%w8-kXyq5is~Ej{A#wkEiVFDpLm~EDNUt)RlO@
z&i@SFr?=?wLGAYgGtVOMNKjpw<jcOPT!#OT!BCUj%kMGEh5aIRrQ`9TTq8BH`pCyq
zSan^9y-vCCG+AAE#H=nHyNJ3dhJz5gd{kq}@9@fn<0tAGMS41EfqKY^@7VEPelJfh
zQ|_K~^*xKJ-*pM-U)WyO94$J?`$IHji1(&k1H4~K{>Qvm@9U+a|1U`|`+>6z9rT9>
zNS`2mmUK7i>!k0I9wi-liPm@;=@imSNavC+A*~@@N!mgB0O=E?&ywyYeVz0@(xap!
zFJ=CuQ%El%olClew1#vgX$R>8q)(7OOS+r%b<+1pkCKkeWd5X6NG~CsOS*)#hIA!q
z2k8T(Pmn%Kx|{TMQfK=)?+@Ln`-c<1;&IbsqB(86&56Sgl3y5yUq}9A@=Y9y&IQl7
z;_!|9CtGy+%)Lo(O1&UXdei?(<M0!yXj~k=iBn~9_$F>u#NnH`QWJ-7;!IN<{*5f3
zI}X2*{FUSzyBNBXA8wDsUq$|x<M5lwzdKI;CN6$0PI?o^ABvM+J)=S%kHz7eap=2o
z`0BYY(mx%CKbGb9#^K9zb-8{Php(PHgTI@6C2ac-M`hL37bm?sHvx$^;_%J5^mZKm
zpQHW{;-o)~{G)OBr<1RLK#?~#lFH9xo`~JQ%s75(96pX_{GVKDZ|eLrNG~OwM_NgG
zJLyBD&yc=I`Zno5NXNXT^<F@lMcPK%Me2+z&Px52^G1mWcuHseo%a$yX5;Uu?fxp<
z|BLq$AI`;}>!2=&++Tpd{G6Q2y=nOi7JuHGIW1#ax)aFoPEXIsOrJF)1HzwjxpBZP
zQ>%}XbXzWq+Y1idZE;%bz!SssGdshL*_xS`MdKqaGk=T5M_Fc`6OAX~J85=Ae|B3Z
zS!Uj4=eqHu;%0spjVD`Xo*Iphv4Wg;MB^u0{V~Qzx8<?S{5D#CtmWmrHyTf|syXkD
z#>ZJH>W9qiDBgEqonraa%VM4Qsg{{X+c|E`QqBB18vmS?#d&o!ewr0)-sZMWxBBiF
zI?lUg_R9Hjw4O7p{uuKDw>80P|4J-9X7(S^BK;@P`g<sX=ua}f#lj^nyJVHospV#B
zVoAJ9kRQ{#OXpk80b2S@EIo2=TlAzm_TfdJ;N=cHpSW}19!Fr2?*wZb>ucgcy~2mK
z%h##LJO{w7x*oy*3D(f|eGYi6^1l=Ze=QFF-%9^jE1mvn#;?D}k^g5Ld@v4v5-Kis
z>nn!<t`1GCvx%2iXu!-1^MJ>yS25*-YqY$X2iC=rZ;gZB5(jUOgX0WG%<|j^T<R5+
z2Evu52@ZV3#&^fT<+tY(tg%-2PjtYo#=Tr06E7#8rBKTn3$a-CISsg!r}r0HQ2o{v
zKFYRLEcxlc6VN-tae)2e>NxUwaq#(Za2Y3J<$E1)DQC(FUC!ULUTtyY+l_ppHcT$<
z^Kcw_nYP5r_j_^hr;YxLv|{znT$JhOz@=UK_u&JsEcHLW%YfTh`sLl|%Klwik9ub+
z(!2v);y^#+fRB3KBcAmV<00$yzQN^(mE<D+p~0Ug&WZm282rc4_)&xZFdF~F;NOYH
z2MyjGjmt13<<Hs_jgK^VS2RA_;OnAs5Aj~wf$nBa1Rl$t=K~jeT3fUMZqwGV<d~k|
z?Znl4Ou@U7c=?aCyn1gWa367Bug3q3ddjt&c>k*!SMRk0z5=+kd-?CQU^nIO1RkrL
z^1d{YxAtp6Q?JK~Cpz%wh$lJl-xD9>z;Oyp)px?*bU6!E=`CxJcop%5#K)ijVxPzV
zrRCovK7;tZ$2G2gR~ft#;)@40Zq|2q5Z^RX*DIZRx{2>0Zq8Tj0v^jgeQ|JOx70Ud
z+iju)H+J(naAUX04*Z=s`F;Rg#oM=azB1RA%akYWK<x5Nb>OBv=?>hKXQl(6fQi0}
zC(QR^ovn2ZaqoZYeCHDXD)DyWdBppS9^z))8Ht5}==b((J-L*hL%f~%HN@{E-cNi6
z@t+wz61Z>~d^9#5M1MJPGr!6w-tCZIL%g53@t>a(_j3Q<l>Y;xpZFJ8o(#k})n3Gn
zo;KjI{LQql#d)=}eYe`yRg#72r`sI3Y2O|PZrXRd1HZ?VQvx_H(;r_YeiGMfx|hlM
zXI-z+4*V11$qqaP8zaj8f7SZ0R=ME)Uc|HhqH)t7JBhawH|_ow@qPzB2^%Y-Ka1rr
zq5d0)Tg<nNxO`1YwF_~h{{rx1waWx-xF=ZStl}8!mss*?YJ-00`sfO!XXrXb-g#|d
zp6p!jEGF(;AJr;7L)S0212=mxtg0ekje~CielFszd5(jTKwUp4Zk~G=68}B$NwO+w
zJ5M3TpARejCtK!uxH{Vni9$GVtny67y7v_1+xL)GjP9eZnZ(U={yT_YM|{c*?I%Ab
zzLI$N&$MUyiQffW%4wb>!&2({D&@_&gHwtB9JtuQJl8V&Xzx&dw)zsAWu33H$Gcjz
zd|$E#%nI-#;8L%2^~2lvE)qM;r3z<eHc||HoNZl+?xU`9>iJ2w)^C>atAI;6H}iR#
z$@goN_cG9$eYEco@8ZB1p#B$#zj>$DU&wlmK*go}UEkCNZ)br{B_8}(E5I<Mu1Ubf
z&gQvi3h|kg&w4@YG5d14#8V2i;GL9T0$l3#I_ou#cq{Rl%X9%veCQy)z^`%jeHo;A
zjCg;A#;>Oy`Kq>Rmqi*d`+$2XZ_a@jfA~9bbB^Ql)H4blMA?USFm^tdc;#g}-wl*6
zBHj_uxcXiVc+JG+J&1Bm(!}Z{-phW0;Zj{2iKh@p@zk}Mc(7UPSKl`Q=MAH$T+121
zIt*OeYk<$UyER+A$Xx0bJX`Bg@5TUcG8$Cc#hl-{mhzVa7d_^DkLh3Yfs39ePS<+w
zqWq1-2ghstNlmOv@t`zTe0YfYn&<y0wz_r@AD};&w7;W%Z>5$qcKZwEUDxXj&2!n2
za4;!n|DUzIdG0uYcv`BKU#HpDRN~!xG>}0&n|S#Tw4c94yok7Op4Kykcr9?T=T4T#
z)awq)2dV!;%72}>Ilplc@$V4tWyigl_$$P_j%naY;%^xJ4CDxF>iRozd7r0T#;;C>
zVZ}b5FyMVpv#s-qCydhdGV`k|h+Cty9o(8&i;4H&r4`&mJvByts@B79Y28n}r&kMB
zQvQ3yJMy$V24i*o3U~_k$AVm!QQX=``5+ra{YEdC?+`cVh~&H3a=Fm)rCrQ<9@F1b
zfr}ly#ahm^V;b?44>fMauWagBda5p`?BB_Cz0u>4Zzg`qHCq1LTHLyic+ZU*pUZN-
zNPOKSjaN|qF!A0WYQaUs{{dXpYpIssKzu9$m*D2yk7@U5z@@(BjN9s6@<=nAcsu>X
z#JwfNzn!4<&(g%IB<`!x8FJXR))4QaU){j+JPKUmN$M?nUeQf_J8&uI#A>ZLhxl)(
zXMp=KMa18v{3#o?d>iqPjXVuw;=>p;kkt2-<yzkKyBWkScC7nYuN>mNDca6gQhyn7
zbIxfe@w<rkGtQg-`ylad#&a{CK1RH}Lo0Zm?fw+;EXup7|5@S|@so(}B<^DXdz|He
z(dhZ5R;=Fbk2Jp}-d&&-OroCmiC12&6)Yh>4g)&6(vWM4!m*F{Ma^1CiCM&p^R=E?
z#9z&{EHC=6bHBX=^3v|lUaRGe-Ii02ypKk%YE7(W;^thNeAiK~9_o3zLhCVQei8UM
zS#NUR*x3Jd>dE5xj^RUH{ltAs_5B@MopqS{Q>!#Ejq)x`FvPFAf35-JZ>JFNdqm?V
zUoY|g3XNY(J=1_sLOIR(FEd_b0~h;zSg!MJr2Jy)X@5_*uX>j}c$LI=ovY;ol<!bD
zZ*1g2%A0eyW*+_maj(N~Um@P*sP8+#rJSoB<J}3$_d4Q9YAWLo`{`<yDeG#DcgahL
zag`Fki1K~O8i%{8YYy?mQ*?b_CVnk(dEcX4Yc;XzOunyZz}UY9xRk%xQT`2-57G|F
z)bjxG-gh;SMErZit$tlj_1gmA{fKzieOk~*`CY_QSkXTae}i~dr3Q>&eMH=xt8JnD
zDQD=oYR=0+OkI<JOTCilKPK*F0T;jRqJ9%k7Atuswvn5tXIF)`vl&P3R(foL{P?Xn
z_z$UP!pT~XnWyzB`ID`q7iheldOjrn?l~HNgZRm6K8gMLZVjBJ&262ha0=PTC2{a#
z>IuH1h5yDh*AXwT)PQN<R^ol%(D+M~zZ<yNxrFs9C;p_8=Z%f*q@J$Rbip|cSib^3
z4so)*LywQ`O!F7Y-<qQB!0u;RXX<t|&v{enpd*N<Y|#qLW7-MC&3VgjQ-2<CDSweX
z_`r2O@oLJa&)2|B#2XFHj%DK8YTy#b%(+)gOVsss$}eF1nsH$p@qWeuGr#&7@$%=i
zeLi6OzC_%5O#?R)KXjG0L&_sMzcS{#-{_GCdAM>Y|32}qceS7?|38VhoTTmWiDp}8
zPt^LK@@Sml$-07g7v~9PKDmf^&qG>)@t-ddFOvsSxE|GP>t5n1l^QVp{aXsBkc~VI
zT-s|2+sll1ebh6dSnHp`G=C-T<NOxpQrEwToAcXWCVtvky1w1?a})Qb0GE8t_b5#J
zE+oF)v0l4@da|z7ikqo_1#sC9S;zUjvCrL<_Z4bEvwqn^JcS)DgL-~Oyi2`k1&=p~
zzeL=ega3^-hxMVtDP$uqY%EB<%z1Yc-@L%p_&%tGM>EYulsD(j#}dy2KF)Q9<ved#
zLOodw{HDH@#JykC3h2I8tC8QK@hhqSZsN}N-9p@aPoRbJKPNtVvNpgv;(sFECoh-5
zwTAdn;9`euj&U&M9BqfbceUUh>__r?f3Z(HJDl;`^Qhlqg^b;%Qhxdwx;!hH?;PSg
z9P`h5;1W;FxqD;hJ19SJR4aIp<++!*`98;8)c+W8sh4y9wuAD%GqnQsTTe){i+KM6
zUCv7CIY|8BT#cJJHb}hO(Y|B7+CEu~C#FAMNW90T^EGz60=SfOyI<=!<MlGiH;mSJ
z(9+lK#J%jN7Zd*qaMANB*QZm7e;c^0zjip*U(W)UcJvl$K@*2x11@?Faeh^x+1C5S
z7jRxNjX0DmJx_BSJWl*f;z1f%{eBa8=Misbzy6Ijhm{Fj@}2S}U0*#KTGlm`_dc%`
zo49lX@qw`kiec>823+*i)1Gikb=^<-6vl1SAHSz?3fai+IQW~?)4x><Phpw?;_|*t
zxlYo=IstqV;zK#dca!fK=jw81jnVZr<xB@I?b7#jg3@5(;e}?MGC|}2qW;T_{4xzJ
zCZ0pQ{9_H6@oo`uFE?_QQ{E38TSh~!uTnmJk7k)T{3P-I4>WG<|E$7?sIguKF72|h
z%%zxSTzH3i%=fFl$)xYi6FUq&w>A=vq2luqEy!+Zok~1woVJg7oO3qu{cfFauO`+-
zz@<Fqdwdr$-)!KreoWzWThm@;)YI!2r&@`(bKEy}mTg!m=RlQK%xxNL8*s_@jIZm0
zWHR61Qr>r;28^D5;yooAH}T;g#E;f%Jts54<jFeUbe6~T>#4*CxSskG^UVY<@xgq*
zF_ri{CC?ihsiK~sqnttFy_H(n`2U^2ReyAhFOO2b=K(F>$UMGJ{1l(AR|E0aiOcV?
z$YtvFKg8P|el8PQ)sGzU_H^Ru>_Bg8cd;fDx9-*Ysm{tEUY@6MY&WT^(8x2MBoe=l
zc-MLjoJ0K$#C=peg7RyCi~Wz?iU!4%PW)?>H{UC5pq@U3Q^-dCLiu*~3)7beiT8)J
z@D`>y8G%de<H^!?zJYi;@vOgSU={PdT;UY5k@=Jlay&A2SPER)-F&as^si>h_vdLP
z#-1C9m%pp=&ohs25U*LK%PH@~lIwZm>!xe`VGUdRflI#S+*dUH<zvcQw2zsGBwwKI
z5OmCE&Lln~N$WqEcDR_hm+fA`eDjF+{9FSgh%X{uP@?sGn|K>>%Q5~wKs;rU7Q`}8
zT~842ZPoX?Sf1U)`yKJ&E#kqAT2TGAHIlwh+}Ek~n0du9;scI&J~mC;CyN8irObCC
zaItd=pZlDv)mfJkKhFI<Gak(+ZoV&Q=G%?b-^+ZB|J+7-^L^%Pss9_4H{V;_Nc?BS
z`+lqo=qLUX^&DXQxrz8Yz-69kzBidne1Ljh=6Z_V*g6Xisp=ch?Z_}>%>pj{$XBTq
zBvDTh@tLEvyqO191DF2Zwo3Q+Zpyb%zLyofoA_-?eyo-BN3F+{vy<}PyLEjhv0c7u
z^w1BDJs$xs<#+DGJV*JgTXcrFRoC0ZUzdZOxE@#k<Gerd?%!%)*C<U#qN9l&%17ve
z<WPPBaql(_<ZE@-#lWRJ&gbm8N}h>rq>S>LtF!{+KQ~i<|I=F7oFDrNaIteA&ogYL
zu7@dqfX@Mqf9^1PW@!B!maNyPr~78zUggyDC(5UDBkEk*|DV96Ugmq_Chnb#4^kfU
z-T^bto(o*;Hc+4yn|fVEJY}uMO*<A7?{~=G09^8I<a+!JmUA`bt!@pNxb!vRHOqB<
z)q58q@;veOd@Vmo6TDkfm$R!_16=l49|4zqU7W|7b?a-G*hsysTrCeVbtO+FK3CtH
z_&<fXm-AjGv!)Su#`!#jQ>l$y8wanao_@}Y%zjQA@g6>3GwaPe<LG$+xYXCYcj9#B
z{d?-!>DBfO5I;&hg<nv9i+(cd3)&9l+cltm!yIW&1ulMKzUOcJWD4bj?AKoEPbY5P
z2Vv$9OBGHb8wparhyC;;^6n;X-iKiH{D8RcpccHxt?3Tp-e2kRoAGg%!fhGy;~Pf4
zPy=I#{~fq`UUN{}4TrSUHFg^9<Cs^UPCVG7<-SEdpC@kKJ7LQIMdCh=?<U_0;{BW-
zGK^U(fJ^%haG%Z0qwb~r>I-!_*RUOT0GIt+FZZ>4EYGWyZ|A(oj0=Ax?&UasKjmFm
z$V<NC9s7G{5jXEaG5vZ5@mIM{H+TVY^F9g>^)Cl5{js0xWt!PqLEJl8SE!2Z+hOGQ
zXaxvs>iVXU=Y;ER;*SEC@zlJZAend%<$L#P{bpR=Nj!al7Bu7IFR9184<Lnl-T*H4
zG4C@$cu|)N4K4NReqP^?XS<wA-1nizPtwFXpLlzM7OW&bi+FFR23{pT&**W)!{x-^
zo~iu--CSKA3g?ZDd@~OI4D}4q4^2Gz(V0@Oq2K>{f%4`(DIM%KC*tT&!Gc}IE3P-q
zKErh2Dn8$*3wa95dNuKsn>3I_e^>@w_BoyBF=~xG_Y;hrZz1mO({?udZ1(~eKS|?!
zW-Rl4nDV`=G|)!;r^MU1PPvo#JH*Q!@#Gls%g1TMyiEDA({+8#`&*u%pUhV{g>0mp
z^6gxQewDmih@1DX<Pq-zE_OEW!7=^rN0bjft21O6wO%0ZmDh~o;^RYWA93GHTCwSO
ze<i-$F`rCE$2modM*V*la4C;@?~N(XOeKG^<$Y3%^EjjBBi{9a#?jr>^(Epx8}vQR
zZPgMt?{VU`vbCQ00?warrJk+Cv({?B%tM|d-tCwV{EoQgXy3mooJwuvgwex(Wa8VH
znY!K0dy`t2<^tk94*gdV?|okj%4>?{DgrL{bgm;RDIa`L%dOYMY9xNo9IXJ$Pjz)F
zoHsV|Fy&Jm<#~p9d65=2{;-F*^)rn(u$;dm-ZQB2NzCJ2;_bALm-q(?=Z&4r(soN{
zzT?Ro3ta4A-uGqZb>|bG&h_Bql)s94f|VLDzUm{M@)$cJ$@Rp`d$hb6uj`2qaN>3v
z<5HWE|4_?6M8{eKT*?{bcxu+sPf|YXQ7v!g56>xFWA^`F13u0U@bjokwEiupYQvj$
zIS07J)vi~x;8K?JBH~X>(emtmRxa^$mfz&Hi26r!KODn>x@w8f<bL~E#M_DQ=KSB3
z=OOA(`L;GNv$3`jw;bbpufh2o){NJC70%3Tq@VKL^E7xed4C5k_P?I%0@LnEmumbt
zaWfvJ0T;XVIs8ADxcm;UT<2+Gl~Rv+uiL4_Z=<|*Sl4#~?SC)vlnolM(8StIeCp?Q
zyEIbI&x!YZLj$J#FB9K*o|a!p`45RZ<K9V_s7Srq@6#FnnDS=;m*=6~j_09Y04{bj
z???MQ<*%k5-y#i|`RY94J&yTF9rc*^JehvlPWcO2{u`+ON#dp1x?VNJdx`gR!-?5j
zdx6XOOy~KoHz<F-<2=&G#OEy3`WvYK%*(WWI_7G8H}Op3LGDY`Z~~nVT<p{1=+`$8
zf7|gK?H=mc%IA-_v)#W-+@fDqF<)P@)N6uO_OkIb&G<3pyUO&v8DCxmF73FL?P&0~
zDBr$B%WtOszY+Ix-eubN81bHWwV)XvM_jJ!>pTy325{A1I9?n13yEj-=!$YWYt10u
z#d+Eamgj2fzl-~I7!K66gz`S0zV{HXBJT8))x-xlj!&Zew-nAB8+jVIwBzcp>UKBl
zqc^ChoO;Z-^S3y9+*fEjq_5M;P5eBAco!S?dgeVHxa7N*`NHh#@=@N()AuId8saG&
z2Ti|Qt8gZ^k^iE+^ZP7&iJSMVso#e{y5!lq{N0sWiP3)n@s(-XKJ4CBfx>MW^5b<z
z&n69+eX!-grM~yDzno9`^_2gF^Xe(YzfbwO9M_B;_E6sIn7{2O-cElue)xgHsnkYX
zSL*tvd`E+3eE%GAAMKpNH0KjH@7Xl-w<6-J+q8Y&r~G>21CMCHl;<JfvhFbNlQVwO
zLwPU1XLKv|>?Ce+z%>5(D)pH6|C#m6J4&93ZR7~`1Q%$KZf%_)?)*N*nOAB1JpDJ_
ze?LMzlIsHE&UMF?z@>f7`#McO4FH!o=3KAcM0xXmQ6qmJ^>?k(`I-LvB=Me+x;#0W
zZS5qU)unM`x820wo~_&EI?BIi<OemtFlzmcc#!*k*HiwV27guq_v>t|q^q@kEIyZ+
zLHQ}bm7nvu&$Yy7Q$C9s8h<DRF8gfey@;ulzmD?hEI5a4tCsp_JDy_>##wi-p`IS@
zGn?`Ee(Jf$F-|>0+`JFf$iGNEzK3)HP5FOK`DKps{F(CdyW4WL(QY3Te|V~HmwB3P
zP0rHx9Joy52Z`qp@1Y>vRb8dTo#XXQ#CyJ>Gc@bjcH-%ddEF-9V*f11zWVnl-^FwO
z0ZU&$RXA^K<W~wm*_zFL><h^|M!d_?<$0O-m~8DQ&VBN;ftxuVMHR`Q{L59^J|$$9
zD0!?eI6nS__zjeA=YGqX#5Ys^ImYuw;y)+ey-))u5r3I@&&L`t^OiS>_tKw@{9lRp
zJM27ij;^osIhvPvkn`~KneSD=WnPh$rvVfHmk@uS{!>i(+ki_umht&@H}Ou&KYNW!
zAzvl_6y?o(c1^!~9=P;h=l67ePyA)a_;nn(l(T2MR&4e$PDOwc+#Dn~{bdSq@97CD
zLAqO~%TzcEXCn(JpU(F%Y$0zc@hncPl8M*G(Q_McnIC3xK56Q^iF$gtVflzImi0LC
zzB64)^FrdU67T(v&TxiiTkk5Ig|Lx-Qr`O&t>7Qj<IdIg>EgP^#Q*WY#s22~*VCx$
z3d+ASs1@vIzCq$i=^8jl`3=N-Dm7r{Gmjg5zQ%8&{11RjzUKYjChq-`@)pnYWKjMs
zh4aQn{vHQE1%534@StPgY?{Jt3ivS}xRmEGzyJF=;uX}B$T(@nwYz}J{=dcfKh11C
zPI=#2t$@e)tREOXH)*@oGr>E=yEy+jkNN%sxawd0UZ?S&F_=h5y}V!63XV}vD)FwL
zYG5q!$-t#v>73V@dR<BRKDL*^=MgvWZ|8Aa>(n%zuaD>0vslhf%6re!^)i0Dow#|A
zHHJ%dy-mFLMSXAD_XzQF`sWDByD<Tl`et=$plYP1Cj*yyIlo7I4&{4cKe<dCyMp++
zlXN))nr)R44~8^QMZAW1`tuq%o%n6UzcyLxG5Y|I89f{~&3N=f;{A_m1=Dmg>zBlP
z*-&Oa{A=J+FY}&o(@#I3ym_zsmDDr2K+7j`+%)pJz{PIPeW&Xv?|gpLOnHm@B*y-0
zi2K+siL^r(@xGsH;C13#i1$3D9q{|azYkpM<vd6F0&(ZQ)?36saro^&sK1x}#k9*P
zjDJ$!X*?ISl=)63?#<Q)n@PNY_!P$5?-IX}cn!}3uOhzD=z*WgW&COz@orGLOgru-
zUhY^Q{f@YKFaHU*PIo%$Bjq2c)b|f-VqHYMeTN2Cu>mdt?xl>KlmHhyJI`CzQBOMk
z(3EpEap(7=H&D+y?kk%3+)dp4&Va#xqV(8HqCdYz`OCS_faX)z`*Gw?C>-BYp0C@h
zp7Lj-UrD`oa6V?{Y?l*%m-;7AzLfYD?xUVc{4U^P=M;`d<A|>}IPE-z_`}50do*D1
z?Zn@oq|0g6rw52z{2rq21^7*I;sYmX#GD5>PP{xp<EES`#k!omTo@gsqO*XD9nAaO
zFJn1pQa+vjWBTu0;{Bj<nek;Q@!(pm_$ke{YKWWP?bu2D>%_ab9--S>4-s#7`2P=y
z_c6Yi@;nb*%KtO&!z^RHKBT<!`{2?}B7e})j#mPgcI+Rc6}+aK!J0?h{2qz1=dIK;
zl73?1z}G1M2M*N#!}>l<-285di6^fBmvK3r=Zm^2|2E~5Sg%&%{~+E!r~#92!UA3X
zAPsNkv1bvtwrTl^)H9p-wwb!3(}~v-AE5tm+F`W=7rU9?M=^HzK5^%JFkUcvO0{AP
zH|qLth4aQn2B~MSV;y=H)-x)Oy{d)rONr`AC*HS1x7ShXnyql&*ocqv{m4hI?V4DA
z;vaI~em(In;-y@t&>gL3j2^@lxy*R62e{bB`JCksl<%t5@;4`GnuztDSAUH9|5V_z
zzhr)QVJx{*fQucn9OK1o;F52U<Jt_$FQI(!x7t4cV7`^a`)BBOe}M9<jebYJ`v&zp
zzc2qR<+~j6dlep4C3W*x;NGFIHR2lfyGJzB^y|+N@8QAc8n*jn;8Ncb9)!P;I<KUB
zcb*2u6E7v+%XUAD_;tinzNLZD+Duk}c)LSSJMsQCTK;0{xd*tEr_<rLTPQzzmbSAw
z*YsPX=RU3ATI%^T@$PpuVC-;|xR>)uR>N{*13~qRTrEF_dd3m&<G%fGh)*EiO*?;{
z_+;Wee4bKCd>-+XA8Ozw+GnZJQ>O7zly4y3?%1!p8@R+b^Sc`<l;1@8)JwE|4r^k)
zs&ER~$h*MB&dzb_W9sSU^JrtYq(xfZ`TT1Fa24mdPe^lH7g9cx`va#i?|jPdAFm5|
zKJjJ5yLW2Cv=gr-{wv2iaUJm_zSm+M<$nNN>g7C_^-Ib-->>oq;tw)j;Z|KIA<l{(
z^Sf5362A<%)Ytr8N(=GDly^DmdlTh*%C#WFhSfoN=X;a7Dc@J1<vrB@9PyPLUuF^C
zPuzEpw%cC%)w@Ri25sldh@ZMxm%p6;X4?1j#C^|e#TXXVl}+6H9evO4ZCQ1Vb*<B?
ztcHrZMvxUP70UxweN*Fde^aovuBowQ+RRy*nO0SEYfI~jni_~y2bu%R>snd^&HmN~
ze-&f{EtcP3-Q-_h-&9#q@2_rcYHsmYtZ1{Uni_)jf!09vv`c5qOph((uR#g?70t~R
ztNek+*5*}KO>;#<z+b(hp<xx0*zWvN)+o`IKx=DV<MI|1tEII$P|<)76@eE2je%9m
z15%%PdDrIWE%4_oT(GEgTE=A==~h*1Gw`~VHB}&iw%R}iDrEcUhnnhX!HVWqyiDEj
z{mTQbEvr!HhK8o<K%foAXhyzTEW@g)YnGga_*?3hH&(Q+Xb$*S2Ab<?RvA?_b@hQ@
zMQbhOS{th6|GFFT|BBYSdMSR@%@r$2{M9YNit1ohgTJD_zNxCBHDGjzkbfv+x=QV@
zYp95oEW-lBuQ{ke(BE27Ss$>0b&b`5HlmGHRZ>DB{+5cB%sInC<*QH{WoZ4;Uk@L!
zs_H5r9%u{H2&?{<79mY7RkamjQ&_30DY(kNxO8sDC9O>$nWieuO${oEqJCJkxuUAo
zUtQ5!A%-$ija4mTs^%8SrKPrFI*C8n+*B24X;GLT)~ZHpNXvsS?T^OS6>70c(Dv5c
zMU_?w{^pjZ<1Yh$)A2XMD#3jT?n`iAf_q7;oU9sNZB?QvS4hJ)1nc}QD=Pi9^+ENy
zVMTr9b5mn0?x)qYG*?WUuGr#1e!GXvQ1H#ob*%xFuB8FCL>=lH0v22qUOcTT7_|IL
zi!&}OEi9W~?4O@qw6Mg#B(G#qA&PHj6fTI(@MV|g6xdTtpRQHq=FQDsTwLnUTadFb
zw{SteXq#2nQX6Qil8>4A(Ard4*Qo9?X6f?y>zhyqe9p)ytt)G&FQ{m&t`GQXZ}8Qr
z(p*9@^plo=$ob|~-4J1CI<-vCj8-J+Gp1)MU6)cAW>7g!&-9V)t5pJ*Q6QWdQiesU
z>d=!K(Kq36u%UczYp4%2H#bEAH1N^|^H`8Yst4D#<u&AGT;})tO7coeul3Jeydb9(
zCinZ1^U?*Esmd=vpU;?HT-SJGUSoAmZC!nJo^O%=vn9K<u(2i3+&U*v)6^UYr!ATH
zS<_#l(`VNp-u^F=XOsjQnpQ?K9;VRqY?Yl=i0lw}RF2Jo#ysEf1^$$@RiBnTW4bbQ
zUVWeeW56sQf@^D@FVkPR&_B1ZIInJ)VrR@yNpqX3R!G{+VmR(xgb-VDisUs`HA$Qp
zM%g@vwtuT6^H__VriOpJ7BpZf`r^NpXU3(f_SvoQ=E@bVfklDV+?jbRhpA$W6f?4`
z;n5j0qgDNTIxf+U_L<eNpQ<jcJ8GoA&8cV!T$&$f&A})F&#UrP`RYDv8y06=qQf2r
z8-H<LcCH`u4#ZU_nh_J7u6jL$CFc1M+u$y_7?W~lN;&H4hIPatsb(!|t!M~J%FkMQ
z6LG`>nI#xT7GNr*Ob`{d{x|9_gF*8eTkBd^{ktZ$7b+t|$IZN(R#eoBqD2}0%FkXL
zN}A3(OH9oA4YA(;T5BdcL7v3_ygG57p{@BDHT&n5WY5pTxS1=XfgiuI<IgJ~Sdd#{
z`E##bkUhUJ2fV0>X>~Nv(u%pH<<Bo(I48T<zi{r{MR}$E((F0Kd43B~y}mvxE5EpK
zPL6;2wCU4k!2ug98VHq@`DaX<321>Wz+P6`#5kF^QdrJ@o13BV(j`ttEa88r1+3tT
z*2=&osyqyJDo_WSXDz8~scX$EF%fWa<Bg3?H#e#bqr-E~ba5Ir9m1pyc7tV>mKN%v
zN1~rfqelZOzf3D{(-}mo6KQA6&PXq9G7hFKG|y>?p&`~6)xT6B^u$NId+u~-l3Ab>
zx}vhhs%ya<y($phbS<sbO)FZXF=-%O9S#c>i(sckGQHsJLTW88o0FSenw?i^VH%{?
zG_vOK%ZwWH+t%91QpCByuvv_LahXJpB^C86K4aHX)84A)Rl!z&psG^M;{7NEmNK^l
zpuMz^HBb%F)a;z&MwhrH5I_eQ+ANorR#Yy6Lfs^~!6nSWBa|BtX{4Dd_GuT_!67$L
zRbPQ=36`Zf;^bJ$`KtrE;8m3}e>JvdNyB~_)4%AYs=p{Zi@~7}i`HhWEdrRsYXb~%
zvCKtS8aXBzl6$098JRgvjaUG-Vi=k+y;LoI@)~3yi?)_5v@p9Z^EcI3>;5%kx>Zq+
zg@^8E5shj%5MLQO98|^#!fJ)9T&S|CdX=dOg2K=ar1Q{|+>$`B9)2A))3n)@UDAXY
z;~0b^CJ<$4q6Lfmnewr8RWOhj;Yzb-Ojpyf0EZKV4tsy|ElO8C#1{5qbZc9|)92PT
zw_w5`bMuw9zJeBQs;Pl9M{-vc&A@1A3ldnya=GrW!g>z#NNj1C_LKxF0H{^5>Xl8)
zn~YwG3N_6E=_v3M-PP$?m*imai)f9-LbSF^N}E(muG9-{QK{F##^I=k{W&+?bde$b
zz@CL#g-2G#CX7f=u7W2rjzoo*hCp>)#R}O~iJddUb=3L`Q;7Ni5K9+Xmg|++rnpgU
zoWOF}!3l4hm}R=nHmuY1^lMfGnpfpEt-xkPc>1b*yPDe%j*S#CA;)riAW#DeIspDz
z{(x*C=;ZdSwWEm1hem#-HY!3Z?`~1sNq)q0f6I+^LA}MHqGBXI)YMlj*UfJC-OQ>A
z3=J~R5=X?wh)NY`RB_70M*FII7JC~em=QPm_hx{q6t?aVbN!~`c0Kz-bbp(PO}Og3
zss>#fZ4EP+*ryxf>}q#IT0J_FvES&yiVh>22zF<{aF6Y~hRZ6dWb;N+G&j{d%kJo!
z7=M;TkD!u(2m?=MZc`yPv9M-biOnZ}4W?XrA~9rAiJ*k}2PX1r@W76efBLLT{40X+
z8`Xog4aNAE7Pe&92Wu<xY8}(XNQLwUAKa~_S~hb~In|$95$$3a@{(-SI*9PivYXK~
zszbuL8k!nq8$?EfdYNshT}5VvNKqd!BZTItj8)TC*RAxUfufs5^;V@%^+CrPFJp%4
zg@ui+oGu`BYjbPU3df{WMp|sb`Ge@Kb$Xy35{hgSo2XbGEY8#Wt!S4(;6_{P(Zl|&
zIjGda)}8gF36liu6kz&Q*XUn?fm=^uWKyn&L0T{3Hw@5f7NPe#BLjunWR;+)d^{Y=
zlr}iyqM^<hDG%eNbdx&7TeZO#DX|)P5P<?K>zY=yEUJSou^S=tVHmxtwmII+kzO92
z%{WS+oC1y#t_VzkWtE;qin(opA$o3Xgw#9%1Akp(^YTXBgQdky_n`S=Z`C4$U_I*K
z7{OKllG$=q(+Uiz%`6?}O{!}|iiG71TLYaJRjCYQTq4`bDr!d6L|L^FKHgL<Tj=4*
zjmk>AQ?0_#b;M00y;PbqN{=+i(1B!Djy%aw1Fcz)NP8)F9lFUfOU*Y_gx60HI5g<G
z`u$aH74l#MGr3zFi-d?f$aoZ)3BU#F1C7xx&=6>-Y6wPSNYC!2_hcoaMXafc8y&xM
z>H`(crL}b}s%~~?aBdFj#|V0xTAnoMnpq7uR@XUvb7hMPJ2lZo<3j?~Fj&L}qT2ui
z@^U=csYBz{-58#?hi4P2RqVrJ)H)Z|X&hn-Y4fVu0Hz*ja0!{vp-rJ?m>Fslc#+!Y
z%>yr3@9<HXGRSi;UGMNy7g+-6hIcM4<Av~WzItxC01a#J-Hq6<_G3e$l~0J^keqHI
znhc4fLz~b<R(qdR;YfOfJd2R1FQ0YOsko)0^^H|68OGA#KBd_Hr5R?A9uL}r65L@x
z-~TJ^T6*L<s&ESd;vtY(Ai>TA76_Eq++jR!i;ZJvA}r-$;mJc0(xqpn$J237_t4$*
zFj5pFAq6&w1&fGP*s)-d73(ZnMyyz&NNf;40Ct4$JCCY5b?-QF7|Fi<xK+36)Omd8
zQPs_czS!K@8c{E0W>Ye5k5_a*sk4sN?h(6IC{n@%5Mnm&O3tN$!pJQOFu3X`4<nbM
z+tMv)N@}aO*nOxddhif3gaYaI9;&%_!0wjFbpSb(GZXFv$8stvRkdeX>EbxJ8)8*=
zK|9DEQ;zf$0Ev)V9WU?4X(e4ueU+?^xc<rSNGjTV8m{^3XnF|ufkUikBX*;RgM&#X
z$LKyjIM1yQ@c~X9gEgQ5_=K!zAe|P_pjtu7a?u`1j!1zO=HQCou>%<g_pFXo+yICr
z8gGfROSlCFRo2v}X3s2?bzp|;g&U~31Tn8!Hjw8U!$GO1k}Z%}9$2XsKFyx485hLe
zqf7t{0eaO(SL3Sf!n-kOMJ`I{!Av@Mo(_U2Qw}OXn`Doi_Z+p5CL-U<>6zhHhx2L^
zn&=M4j!T!3Ya>?E7Yj;&)74BHLpkjsQk8q-{Rigm@!RZC*MT+0u~Og(6N*X(otK$A
z=oiYF0V}s^s%S<|^d0&n$pbJB%@CKj31FKo7AG<ZlCj309&n4o>bw>1zK+n(WO+8h
zbICRL_stuHN|y{ZLPH>q!UDBcw@;U=#WJx&64oTcMlNv^d|I;DHTAA3=@=D&N5NYo
zZfT)?;mBi2rZqm7N`WZXLYBg)LH#WrW{#%4eD>Aha&kCq+xr(6?Fm5Rf{11Pusvha
z#JQ11Ee%an4#Q%i&P1FgcE-`#L@h30V1M_O7n=<NqKom~^sH&F<Mj*^Y3U|m@eda}
zH*em4?X_oa-D#WQ4-_X-_i8uRXLh7T65%|K=N0;>*IivbC3Nubdtw0EeaD}(<U9=A
z5>+vLfOcep=y93AKwI;Z#cC&VsCEw>s@PgQI~d5sAqV8SDM*i8I{f3NVcEwFaRjJ_
z$?_P%W>(^G02$s~-(5VvIG-TNQTwOF##|0Dp;^NB_EBFWL5SGV$0mjpmBYc%6>(*i
z!oo(4!4wYt8Onxg6zk)Wl}mHx2+4zy&oGxo5#52JW9u@O6TokCiNZ(c8bjw(DtMCE
zRdEvQP`a|Fad#^+5f9wQkh;!1YDU^*Ruq8L)Bx^j%}+Z%0aeT`<&dIWL%-#9?XuYu
z`Nz5lsLEPZeuwfP+3Iu#qoI}<Izb9_Se;{tt+r&%y~#So2M{)aXQmuL=cL4D&6cQh
zPS34nt>8ppdI*>#gT1>w$fkC5hp`>hQqh>#+)k;CF>L{RSy;`~HqEmOlyFRL0f9XL
zUnxB#m}P#BXfzJrbWX<>9_*QBt|ODl^Y)2X=6F*hd>N4xK^i^~{h>O9Y;GPBrPhSC
zWo9EujgVe-#0q70DAuC}70jh}98wPdg}EHb>Y#T_gMDRY<ciz$`S8Gt4%U1Td?IR<
zw^^&VI&#ocMm<?bBdi<OqKeup(fL#nJ}y$n|FPskC+X6owrPyu6@q0n+*k3g8Tj3M
zm2`FegZ>H#nNQWHBm&ZMa3<~}1a=`u-~-L;5WwgV=<=)O6hDA~u=s)nZfgGmg-WLw
zQ!2gvG!Q7Gp87<YK)FiWs)*cwLy@1#vTAmSVUFZiHHFzJ4%W_N<v|l@8aufoW*<VJ
zCsi`0eu42itibUXzFvu3d&S;xUV@7rV$IHQVF4o;G+Pd%RxNn8<W%?-))dQ-77H(m
z%q_|z4a1PvE9)(Elg`*Wh+r0qq5$R6Qj$2l#CCINy7dv$Qc&^9>qP-CB5`~`$rM{Z
zJ4J5&EcPTbOM01tHe2mU(<tB~V~0KV26YVQRUHF)9zr3aFF5jijH1W(g5mmzT{*<y
zZ#NsVmOBh3<~jp&2kv%q#}(rQe~57n<@YmIEvP1v;fN>Ad_;ma?r)e)M?4uLb6?c>
z`tqRA!R+oCNRYwp@P<7(NSfx%*m2ecmv!pysW>MHgi7dVx*E?=s2WL_n2`*odRK4?
zo|DyK^Mlj%;pi5kA;`|7W{yyACIQ&G(pV?nk<iP=DYjIMh>}_c5mI0}2>KRVk{%9j
zzR|rIi5q=uv6#gap>SfJ#x~&r5^f2A1c6FQvM`>SffC!93D3dYcz&Go$oML<q1&b)
zKaMw?FDyn8A|%P96XwtQD7hR^#ndk|W|jp-0A4XNM{YD5!QrJu4^7^jaYe+~<(>)z
zU9w(1MpSrPbel!$vyt|w0D?fz2!h>R++{5aCqZU1T-$<)fF2Xav9qL!R+F=dR07q(
z)LcYyHjvCv<lh#7A%q<e;C)azyzYpQr=U(a(=0eo1eOosiLI)~QocKEKHBlxQH<3m
zk7;&*nItyJR(sSH?d}V=t$r+vffJP~M+3G{(JWu*N*lYm-bt*BXJz}I?(fuoHCy*s
z*T9^*#u5(ls*qg5UZw^*;cyT5R?hM#FVPzucAY;;S8&-Z+byZ?I9q{M6uA!hyIvuQ
zN94y^EW)Pt=y<$OjzOJ64k4s?sYp}@pdC&xCI?DZ@)4^zI?RwcE2nDe$O_X1?RwEd
zXBw^+&6gMjlqZwgY|S4@*}VJ&xv2|IMd>7@5mXy`&WPi9vW9O)`Ai>k%|(-I1=+MR
zvzaMHEy-Gi2uF&uh92{S)Em^T7@T2+okTM-#^=s+@dVS7C8is%7gbCrJXU>jnV(`B
zWP2s<#TcjpN^{snA2G0ujG9?oT@lFpeq3UMN9aoK=qyuzjEDE`93N-#C!r-6#vLTN
zB27nyojlSx)joHokl9ShT0T^HfC|1DmH7<w7*XoRRZPLWH0$>DgYn%nn^CG3twL^_
z2*0f$E{}`4aozzF>I_wsI_Yy$Pr!bHxU<2ahzS>KUm6-UH_RVkX-jL12j|Jh@Nq%P
z!#$X~EZ6oxh9L#GVQUWUA$Qd*E?r*+cD4K<KX4lm8`!}e+6ZlLND=X~lhu9+j=9n*
zHwhgZ4@s?1tZ=v_TjUWl4xS7FV1jIE)??~slaP)njN&&U4AN98&Fxg-Q=VC0WK8bq
zNy&-g%}*zx*6<s!FRn`arp2NkE3FtWKucE9WUUkIKRuDv^g_5I(l?2gsvO6B*K{XA
zn5nc5b_uFQc#kAx3RFS>vVTmifDo@BM@SQzrHh8C<0McfI;JS|yygAXflibW8SaTn
z8ocdl_f$y`yXb5;az_rDO0t(JS|zHRn>FVLQMGw2N5xmw6Qil3i^P!t<9NhMNyT*q
zWl5hb)D{jCW?e4MO`&QglQb&z28w;yn2+XT9G{u#Go9}=OxoQU2EJIZ$W+(Z0}`i|
z=)@%dW^-rt>Jj$U-D5fS?FFmAPykd4EIXGVvRRH!8G)MCI;NMPSBlEDXNb^CE?9{r
zMFyMY^HJy&=9Elt`V=o@<7A8sNVy2y^~HI+hi!Md8FoH7Z(+aguaANY$vtyD5l;ti
zQN*4I4W}8CV*9BII#)RcIgP4la42$6nQt}y7M&}EvCqaOnXE9x=#CesnFy8awygxh
zawmLb-0De(0GHN_8B->apTxALy|W@5g+iD2ptvhyQ{6p&RCifu&Yol=iduQHh)E^<
zfr=W*-a#4*5%m~k;X=5L5jl-B7QYeuS;<LxRUnnIUfb}pQ=kIty33@`S?Z$ow%tR*
zPtbXx$!&xoE?DxQh#QuIzL8p7s=6XVnM{@_`<hfEFSG-9NKvT6g<}M=WYM|7*>Sr~
zRukXJc`c2Xa=)SXWc-Nf=r~{qh#E!d(@1YJ5Je<2#0J7DB%@d@{B`h>ZwAZjCU%(B
z;Skw97KV~j^O6=W3ly@!QuFf3u0fz1vTIL0wrITCc`spmAuWfqQ`C2`>#pH6gH2Qi
z76-kVsL1+~Y_F?q{%MNh8p+{K&!$Lk?5|GMguz{yM#fH*6xF<86}&H=9(Rj)F=*eK
zK9Zg3n*Pd~T~_!IbnONRs%36Av=l_PoawHVKx&qfpnif>sTLKx>56R#cdLG7G2<FV
zrHjoZg1<mH;6HJX7*5yiD>>8e0S8bxCq<KMY}D>qF`+;rsQ{a@u7nCZbxD(<h#~bC
znQId>4UkUi^;2R*Vq17t1<7LKj4^{0nl&sTWYtI6Cq2XN!DE6_#6H72(<Fqef&$Y5
zkTBsT)izdXh?*Pl?qD_VGkAhV5tXIMOYXlYP{wFcP2S<xfSyM4)7cCKChZP<9VseL
zu5}jb=JGA&s@9S%!|I&kzycmxaaKh(M0MKaLa`g?ChJhKYOlfD+%&Z*rv*S2;w?)D
zL%=5#754CSsY;Ui$Iv|iigIo-SThz-Qiyc5&9xGJX~Y86+x_wK-~a{I`x6Z+F1EKS
zn)ejDlmN?XJ}OI~VN9?&kT$|-^QwBUVBLFSv92*1mCD1SUC5D713g*mG$RyI2!_q5
zcE`X?h!tpst3K;-n{nN3pmSP;4IoAx4XqBS?S&vG^T-PZ*gBKj;x-#towQt*&GfY~
zjr}Q-HU*nsdh$WZLniZ=r6E#mTXmCTLqw#=VE$GrOae+JbtQO(+j4+SJ4tRo$&$xg
zBo0I~ntg$Bfn_Pi;pO5)Be91|LO)<5Ch*|*N&F&4f>gwX|0|qkl&O(MPjI^{+TGo-
z-mFMTZfkT0Y=CJ*Gv&@XzbN54ASTj`DO_u;M*YL(5Jy%h<;8Y;ny@4<_Rmh%C_g1t
z#CyS?n-h~sL7*H$A}K1bq%4jr5$C`I2nerqew_>>%Sm#WU1*Sbq1n<?JJN9>KAxW7
zOSAbLJolHDx3S7=*{~a}YTwp9Qj5E%5W3QUuX{Vj(WFR6yg!{U$e^Y<zQTEiX7B92
z0ITT-K_Sh-VpYi@3O7`Xo{VjZVES@qnt5tXKcN67DBPKfe)IDD9F%K+JXzu74=DND
zx3ODZ3Ks*@dG)+hMpd?etKJRCY;i>-jv;IjmG?FE=z5&dYm?&>+4V>A2P5^^E$rvZ
zF)LVb29ug^p6}#r8GTd#l%vXoYp!(<Ymoz2O2AB0Z%&kEy`jY@29AMQ0LJ5)++|6)
zqr#*Du9Dg(ABwAL0!1T(>c=T}XseuCMkZ6lOhcrI63dfbQXUCk2EAvzDxm~Ma8f2U
z^Ll2Pk2y6&c(cPz8t?)hRY+Q`UCPsRCCUg|BsXl?FR_1-kvf6`Mx~$_q_X6%kH)%u
z+-LxfeW#>5|Cv*$%C6m-jd6z284evozP6R@X9XE6Bus#u;3N_V$hgVrVal#t)i|eo
z`i_0!c~g4ennDJbHQV>rOG_nZ&M-jtIL^p7+XRIjJ<ds;!hj=p1EDnH6uzj7fUqGp
zGEA!tR_L%0q)zRr7^4FmV22vqxg2vP@fRi@8Gk`B4Ne(}Dusigi;Hm}vd=ZH?8@e*
z)HJ+2=YELELGX$0z9CEz#G&bUPO?YSYkCTuU|P?TE{xA4K^3j7WrGhU%lU-0#VE%{
zt@l(8@4L@Ur%EJlRZn?nTazq`^z)J^ayd#(zqLX^4~{Iut}0mU$pxr{t$MsGatUC7
z7{nmpvEYb}R8R}Vfp!oOZr%+oQ*c+e-JQtUd(-6_C)5OB-_mIHnk<b5VQQvRa(xCD
zNf$9p6zUY)rSmXImYiFkvo7NT2W8-BH4)=9T;7)#h3ZVE-L-~*ZKe(te^eCAat4Cb
zqDFeiI<deWnwjx45BJ*yUGoE-j`A#I7+gB35LMg5J+#8aI)B?=(&JEDj*`|3(}mxe
z5)@W*=Ud+^$8wALPMM@{yQJ;!;hJL3>0q#W>W5NL5hb$Ae*!gf?z@`;ksC+|`ZaCe
zo}nh>lL!V->B>W+o_h(E-dGeKV8I@^1r}G=>XlcS%k)U&LKQtGLLQ-oM>`^TRg<O*
z7q!WC-|!t3Pg#y(LSK7tQHHhe_*tqJz+{TKltClg21oXkb4juh@0wSLJD|FQ05<8=
zNq5)Q(Vhi3a7sZMjJV8O_i&m+;am5}Ph#AVJ4h~EwVfbBwB%wBhO39iu$8!CL%m#&
z{1sfy$?{|{oG);+C-%KOy~a5b`VI$94);!RipkT+G!6MqstSe&59jD_AlLO$zd>G)
z`$EDSYy`xXp4pf;+N+b<dN35x9<Cv3gP~x-;c_8oWeg`rcEsw@0owXIbh?lIA{RWd
zz>Wr$J~TI_efVqk!-t|v86fuf?xQ`THT-WV&(~)m3osb&>+yJYF75w&;qO23NL)K6
zc`&jUe)V(R{W*4guD_LY`gvBfx8JoFe!ZIR)E9Q#cKWoztFryt+WYl8>CXQ4Jf`~J
zAAPj&=f7hw{JLfB{d`|Pci6k-xz}IDKX3nmz3}T#Kd*Q4!nu3<Z|KK^S8(NT40!vE
zFX|V5{ht2-f!$xzk3XC6Q8E74?Z9on{>s|<`29J4eSq)(TeSbDwfF0L)}G_%P<;IM
z@!;op!8P&z-ua4t<Jb3|()a#+Z}0Q}rM17Mw+()@p)dS;#TxR$Hg)^o;4{+1$UJz>
z4s`abpM#HE<d0)5|9*`(W&0CrpRN`C{hV;W{;q2O;YfS;>$mK8Mf{oG&fovOYX4dL
zJq^DaJNWHF>+}XM-o-zT-|2tV+WYmHSMg=>ceQxUmw&{+vi*S_c<$FfeLXg)>G$WV
z{guxs!TfsjD7N?Y^H1Ne+TVRc+xzv0J~3;+v6g>-#T%aO?aQ>W`nG(%vC>cK=lOfT
z{vCJow+y`f$l8xSVf%lfEyv{TZ(94C*8b6#@MZCLwRp{!|G__(Exv#MO&$OHZ)%TM
zZ2r#QKJLUvczF5z58l%DAH1dQzspXGKX32X&sFUQkF@>Zk+%N}J1_pconOCNwfEmk
z{_q#t{<kjp*2mSNFTUi@!?7>DdoXzPwm$#lZT;kLt{AM{RlEA-oA&$-|G=)^{`=ME
zKArMfv6!@Y*PegnC)xpjpWzSq=ks>`Mfvox>z(@ld;ic+U&FcY<)1&-Kl>V9^tJ!O
O4VAQ~ss`2D!T$h|d)hGo

diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
index 781cc96e..a5516dd8 100644
--- a/ctrtool/ncch.c
+++ b/ctrtool/ncch.c
@@ -416,9 +416,10 @@ void ncch_process(ncch_context* ctx, u32 actions)
 		return;
 	}
 
-	if (getle32(ctx->header.extendedheadersize) != 0x400)
+	const u32 exheaderSize = getle32(ctx->header.extendedheadersize);
+	if (exheaderSize != 0x400 && exheaderSize != 0)
 	{
-		fprintf(stdout, "Error, exheader is 0x%02x bytes long, expected 0x0400\n", getle32(ctx->header.extendedheadersize));
+		fprintf(stdout, "Error, exheader is 0x%02x bytes long, expected 0x400 or 0\n", getle32(ctx->header.extendedheadersize));
 		return;
 	}
 
@@ -612,8 +613,9 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 	u8 seedbuf[0x20];
 	u8* seed;
 	u8* keyX = NULL;
-	u8 hash[0x20];
-	ctr_ncchheader* header = &ctx->header;	
+	u8 hash[0x20] = {0};
+	ctr_ncchheader* header = &ctx->header;
+	const u32 exheaderSize = getle32(header->extendedheadersize);
 	struct sNcchKeyslot
 	{
 		u8 x[0x10];
@@ -625,9 +627,9 @@ void ncch_determine_key(ncch_context* ctx, u32 actions)
 	// Check if the NCCH is already decrypted, by checking if the exheader hash matches
 	// Otherwise, use determination rules
 	fseeko64(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
-	memset(exheader_buffer, 0, 0x400);
-	fread(exheader_buffer, 1, 0x400, ctx->file);
-	ctr_sha_256(exheader_buffer, 0x400, hash);
+	memset(exheader_buffer, 0, exheaderSize);
+	fread(exheader_buffer, 1, exheaderSize, ctx->file);
+	ctr_sha_256(exheader_buffer, exheaderSize, hash);
 	if (!memcmp(hash, header->extendedheaderhash, 32))
 	{
 		// exheader hash matches, so probably decrypted
@@ -831,7 +833,7 @@ void ncch_print(ncch_context* ctx)
 	else
 		memdump(stdout, "Logo hash (FAIL):       ", header->logohash, 0x20);
 	fprintf(stdout, "Product code:           %.16s\n", header->productcode);
-	fprintf(stdout, "Exheader size:          00000400\n"); //this is always the same
+	fprintf(stdout, "Exheader size:          0x%x\n", getle32(header->extendedheadersize));
 	if (ctx->exheaderhashcheck == Unchecked)
 		memdump(stdout, "Exheader hash:          ", header->extendedheaderhash, 0x20);
 	else if (ctx->exheaderhashcheck == Good)

From b941838adbdee83d9ec91b735bed71004109bc1c Mon Sep 17 00:00:00 2001
From: jakcron <jkrcarr@gmail.com>
Date: Mon, 20 Aug 2018 14:17:32 +0800
Subject: [PATCH 218/317] [ctrtool] Fix ctrtool bug where content wouldn't
 extract.

---
 ctrtool/cia.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index a0347633..6d4cdb88 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -42,6 +42,7 @@ void cia_save(cia_context* ctx, u32 type, u32 flags)
 	u64 offset;
 	u64 size;
 	u16 contentflags;
+	u16 contentindex;
 	u8 docrypto;
 	filepath* path = 0;
 	ctr_tmd_body *body;
@@ -102,17 +103,18 @@ void cia_save(cia_context* ctx, u32 type, u32 flags)
 			chunk = (ctr_tmd_contentchunk*)(body->contentinfo + (sizeof(ctr_tmd_contentinfo) * TMD_MAX_CONTENTS));
 
 			for(i = 0; i < getbe16(body->contentcount); i++) {
-				if(ctx->header.contentindex[i >> 3] & (0x80 >> (i & 7))) {
-					sprintf(tmpname, "%s.%04x.%08x", path->pathname, getbe16(chunk->index), getbe32(chunk->id));
-					fprintf(stdout, "Saving content #%04x to %s\n", getbe16(chunk->index), tmpname);
-
-					contentflags = getbe16(chunk->type);
-					docrypto = contentflags & 1 && !(flags & PlainFlag);
-
+				contentflags = getbe16(chunk->type);
+				contentindex = getbe16(chunk->index);
+				docrypto = (contentflags & 1) && !(flags & PlainFlag);
+
+				if(ctx->header.contentindex[contentindex >> 3] & (0x80 >> (contentindex & 7))) {
+					sprintf(tmpname, "%s.%04x.%08x", path->pathname, contentindex, getbe32(chunk->id));
+					fprintf(stdout, "Saving content #%04x to %s\n", contentindex, tmpname);
+					
 					if(docrypto) // Decrypt if needed
 					{
-						ctx->iv[0] = (getbe16(chunk->index) >> 8) & 0xff;
-						ctx->iv[1] = getbe16(chunk->index) & 0xff;
+						ctx->iv[0] = (contentindex >> 8) & 0xff;
+						ctx->iv[1] = contentindex & 0xff;
 
 						ctr_init_cbc_decrypt(&ctx->aes, ctx->titlekey, ctx->iv);
 					}

From 7b0a7bfaab2ec4c04167b23c557e438bbaca4fde Mon Sep 17 00:00:00 2001
From: Steven Smith <Steveice10@gmail.com>
Date: Wed, 17 Oct 2018 05:08:29 -0700
Subject: [PATCH 219/317] Fix verifying incomplete DLC CIAs. (#76)

---
 ctrtool/cia.c | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/ctrtool/cia.c b/ctrtool/cia.c
index 6d4cdb88..85b16b89 100644
--- a/ctrtool/cia.c
+++ b/ctrtool/cia.c
@@ -251,6 +251,7 @@ void cia_process(cia_context* ctx, u32 actions)
 void cia_verify_contents(cia_context *ctx, u32 actions)
 {
 	u16 contentflags;
+	u16 contentindex;
 	ctr_tmd_body *body;
 	ctr_tmd_contentchunk *chunk;
 	u8 *verify_buf;
@@ -264,30 +265,34 @@ void cia_verify_contents(cia_context *ctx, u32 actions)
 	fseeko64(ctx->file, ctx->offset + ctx->offsetcontent, SEEK_SET);
 	for(i = 0; i < getbe16(body->contentcount); i++) 
 	{
-		content_size = getbe64(chunk->size) & 0xffffffff;
+		contentindex = getbe16(chunk->index);
 
-		contentflags = getbe16(chunk->type);
+		if(ctx->header.contentindex[contentindex >> 3] & (0x80 >> (contentindex & 7)))
+		{
+			content_size = getbe64(chunk->size) & 0xffffffff;
 
-		verify_buf = malloc(content_size);
-		fread(verify_buf, content_size, 1, ctx->file);
+			contentflags = getbe16(chunk->type);
 
-		if(contentflags & 1 && !(actions & PlainFlag)) // Decrypt if needed
-		{
-			ctx->iv[0] = (getbe16(chunk->index) >> 8) & 0xff;
-			ctx->iv[1] = getbe16(chunk->index) & 0xff;
+			verify_buf = malloc(content_size);
+			fread(verify_buf, content_size, 1, ctx->file);
 
-			ctr_init_cbc_decrypt(&ctx->aes, ctx->titlekey, ctx->iv);
-		
-			ctr_decrypt_cbc(&ctx->aes, verify_buf, verify_buf, content_size);
-		}
+			if(contentflags & 1 && !(actions & PlainFlag)) // Decrypt if needed
+			{
+				ctx->iv[0] = (contentindex >> 8) & 0xff;
+				ctx->iv[1] = contentindex & 0xff;
 
-		if (ctr_sha_256_verify(verify_buf, content_size, chunk->hash) == Good)
-			ctx->tmd.content_hash_stat[i] = 1;
-		else
-			ctx->tmd.content_hash_stat[i] = 2;
+				ctr_init_cbc_decrypt(&ctx->aes, ctx->titlekey, ctx->iv);
+			
+				ctr_decrypt_cbc(&ctx->aes, verify_buf, verify_buf, content_size);
+			}
 
-		free(verify_buf);
+			if (ctr_sha_256_verify(verify_buf, content_size, chunk->hash) == Good)
+				ctx->tmd.content_hash_stat[i] = 1;
+			else
+				ctx->tmd.content_hash_stat[i] = 2;
 
+			free(verify_buf);
+		}
 		chunk++;
 	}
 }

From f19dea3482e74e78ac284ad43b15dc5af44e443f Mon Sep 17 00:00:00 2001
From: Margen67 <Margen67@users.noreply.github.com>
Date: Sat, 27 Jul 2019 02:37:35 -0700
Subject: [PATCH 220/317] Create .appveyor.yml for CI

---
 .appveyor.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .appveyor.yml

diff --git a/.appveyor.yml b/.appveyor.yml
new file mode 100644
index 00000000..8ed1c448
--- /dev/null
+++ b/.appveyor.yml
@@ -0,0 +1,29 @@
+version: '{build}'
+
+os:
+- Visual Studio 2017
+- Ubuntu1804
+
+install:
+- cmd: set PATH=%PATH%;C:\mingw-w64\x86_64-8.1.0-posix-seh-rt_v6-rev0\mingw64\bin
+
+build_script:
+  - cmd: |
+      mingw32-make -j 6 -C ctrtool
+      mingw32-make -j 6 -C makerom
+  - sh: |
+      make -j 2 -C ctrtool
+      make -j 2 -C makerom
+
+after_build:
+  - cmd: |
+      move ctrtool\ctrtool.exe && move makerom\makerom.exe
+      7z a Project_CTR.zip ctrtool.exe makerom.exe
+  - sh: |
+      cd ctrtool && 7z u ../Project_CTR.zip ctrtool
+      cd ../makerom && 7z u ../Project_CTR.zip makerom
+
+test: off
+
+artifacts:
+  - path: Project_CTR.zip

From 3083d87871b4fde35a2ad4de45fb8c37f59cd737 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Fri, 2 Aug 2019 11:08:11 +0800
Subject: [PATCH 221/317] Update .appveyor.yml

---
 .appveyor.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.appveyor.yml b/.appveyor.yml
index 8ed1c448..7c0550fe 100644
--- a/.appveyor.yml
+++ b/.appveyor.yml
@@ -1,8 +1,8 @@
 version: '{build}'
 
 os:
-- Visual Studio 2017
-- Ubuntu1804
+- MinGW-w64 (Windows)
+- Ubuntu1804 (Linux)
 
 install:
 - cmd: set PATH=%PATH%;C:\mingw-w64\x86_64-8.1.0-posix-seh-rt_v6-rev0\mingw64\bin

From 06d44bf5f034575683e41ecbf2192c79d04bdca1 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Fri, 2 Aug 2019 11:11:15 +0800
Subject: [PATCH 222/317] Revert changes

---
 .appveyor.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.appveyor.yml b/.appveyor.yml
index 7c0550fe..8ed1c448 100644
--- a/.appveyor.yml
+++ b/.appveyor.yml
@@ -1,8 +1,8 @@
 version: '{build}'
 
 os:
-- MinGW-w64 (Windows)
-- Ubuntu1804 (Linux)
+- Visual Studio 2017
+- Ubuntu1804
 
 install:
 - cmd: set PATH=%PATH%;C:\mingw-w64\x86_64-8.1.0-posix-seh-rt_v6-rev0\mingw64\bin

From ce4f09ba0e77cf463eb58a84c9d416155a7adda7 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Sat, 3 Aug 2019 11:48:38 +0800
Subject: [PATCH 223/317] Update README.md

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/README.md b/README.md
index bbbe88e9..cb927b98 100644
--- a/README.md
+++ b/README.md
@@ -4,3 +4,8 @@ Project_CTR
 ctrtool - updated version of neimod's ctrtool.
 
 makerom - creates CTR cxi/cfa/cci/cia files.
+
+## CI Builds
+Thanks to @Margen67 we have AppVeyor make new builds for each commit to master.
+
+Download them here: https://ci.appveyor.com/project/jakcron/project-ctr

From 501c1714b386ae3ad8433ad3dd867f2261530f84 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Tue, 13 Aug 2019 21:17:40 +0800
Subject: [PATCH 224/317] Undo regression and re-add `-ckeyid` and
 `-ncchseckey`

---
 makerom/keyset.c        |  6 +++---
 makerom/keyset.h        |  2 +-
 makerom/user_settings.c | 19 ++++++++++++-------
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/makerom/keyset.c b/makerom/keyset.c
index 4ff402ec..c706c912 100644
--- a/makerom/keyset.c
+++ b/makerom/keyset.c
@@ -73,7 +73,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		/* AES Keys */
 		// CIA
 		//SetCommonKey(keys, zeros_aesKey,1);
-		if(keys->aes.currentCommonKey > 0xff)
+		if(keys->aes.currentCommonKey > MAX_CMN_KEY)
 			SetCurrentCommonKey(keys,0);
 	
 		// NCCH
@@ -101,7 +101,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		for(int i = 0; i < 6; i++)
 			SetCommonKey(keys, ctr_common_etd_key_dpki[i],i);
 
-		if(keys->aes.currentCommonKey > 0xff)
+		if(keys->aes.currentCommonKey > MAX_CMN_KEY)
 			SetCurrentCommonKey(keys,0);
 	
 		// NCCH
@@ -133,7 +133,7 @@ int LoadKeysFromResources(keys_struct *keys)
 		for (int i = 0; i < 6; i++)
 			SetCommonKey(keys, ctr_common_etd_key_ppki[i], i);
 
-		if(keys->aes.currentCommonKey > 0xff)
+		if(keys->aes.currentCommonKey > MAX_CMN_KEY)
 			SetCurrentCommonKey(keys,0);
 	
 		// NCCH
diff --git a/makerom/keyset.h b/makerom/keyset.h
index 2a35b382..887f3de4 100644
--- a/makerom/keyset.h
+++ b/makerom/keyset.h
@@ -4,7 +4,7 @@
 typedef enum
 {
 	AES_128_KEY_SIZE = 16,
-	MAX_CMN_KEY = MAX_U8,
+	MAX_CMN_KEY = 0x05,
 	MAX_NCCH_KEYX = MAX_U8
 } keydata_limits;
 
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index f995857a..67f4a5d2 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -89,6 +89,7 @@ void SetDefaults(user_settings *set)
 
 	// Build NCCH Info
 	set->ncch.useSecCrypto = true;
+	set->ncch.keyXID = 0;
 	set->ncch.buildNcch0 = true;
 	set->ncch.includeExefsLogo = false;
 	set->common.outFormat = NCCH;
@@ -115,7 +116,7 @@ void SetDefaults(user_settings *set)
 	set->cia.useDataTitleVer = false;
 	set->cia.useFullTitleVer = false;
 	set->cia.randomTitleKey = false;
-	set->common.keys.aes.currentCommonKey = MAX_U8 + 1; // invalid so changes can be detected
+	set->common.keys.aes.currentCommonKey = 0;
 	for (int i = 0; i < CIA_MAX_CONTENT; i++)
 		set->cia.contentId[i] = MAX_U32 + 1; // invalid so changes can be detected
 }
@@ -196,7 +197,6 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		return 2;
 	}
-	/*
 	else if (strcmp(argv[i], "-ckeyid") == 0) {
 		if (ParamNum != 1) {
 			PrintArgReqParam(argv[i], 1);
@@ -224,7 +224,6 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		}
 		return 2;
 	}
-	*/
 	else if (strcmp(argv[i], "-showkeys") == 0) {
 		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
@@ -903,7 +902,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.16 (C) 3DSGuy 2017\n");
+	printf("CTR MAKEROM v0.16.1 (C) 3DSGuy 2017\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 
@@ -952,10 +951,16 @@ void DisplayExtendedHelp(char *app_name)
 	printf("                                    't' Test(false) Keys & prod Certs\n");
 	printf("                                    'd' Development Keys & Certs\n");
 	printf("                                    'p' Production Keys & Certs\n");
-	//printf(" -ckeyid        <index>             Override the automatic common key selection\n");
-	//printf(" -ncchseckey    <index>             Ncch keyX index ('0'=1.0+, '1'=7.0+)\n");
+	printf(" -ckeyid        <index>             Ticket Common Key Index, defaults to 0x00\n");
+	printf("                                    0x00 : Applications / eShop\n");
+	printf("                                    0x01 : System Titles\n");
+	printf("                                    0x02-0x05 : Unused\n");
+	printf(" -ncchseckey    <index>             NCCH KeyX index, defaults to 0x00\n");
+	printf("                                    0x00 : FW 1.0.0+\n");
+	printf("                                    0x01 : FW 7.0.0+\n");
+	printf("                                    0x0a : FW 9.3.0+ (New3DS only)\n");
+	printf("                                    0x0b : FW 9.6.0+ (New3DS only)\n");
 	printf(" -showkeys                          Display the loaded key chain\n");
-	//printf(" -fsign                             False sign digital signatures\n");
 	printf(" -ignoresign                        Ignore invalid signatures\n");
 	printf("NCCH OPTIONS:\n");
 	printf(" -elf           <file>              ELF file\n");

From b3cb4aa1dca1defa5b014d476cc4b42e2a93c026 Mon Sep 17 00:00:00 2001
From: 3DSGuy <3dsguy.dev@gmail.com>
Date: Tue, 28 Apr 2020 21:17:22 +0800
Subject: [PATCH 225/317] Add version text to CTRTool.

---
 ctrtool/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/main.c b/ctrtool/main.c
index 3c949586..1cbc04b8 100644
--- a/ctrtool/main.c
+++ b/ctrtool/main.c
@@ -38,7 +38,7 @@ typedef struct
 static void usage(const char *argv0)
 {
 	fprintf(stderr,
-		   "CTRTOOL (c) neimod, 3DSGuy.\n"
+		   "CTRTOOL v0.7 (c) neimod, 3DSGuy.\n"
 		   "Built: %s %s\n"
            "\n"
 		   "Usage: %s [options...] <file>\n"

From e6baadf069ccb5c0dd3d1a78606a160f5e3f4f27 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Tue, 28 Apr 2020 21:27:29 +0800
Subject: [PATCH 226/317] Bump version to v0.16.2

---
 makerom/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 67f4a5d2..c6df9663 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -902,7 +902,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.16.1 (C) 3DSGuy 2017\n");
+	printf("CTR MAKEROM v0.16.2 (C) 3DSGuy 2020\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From 81fb1774d569f1d68ffe2848784fcae135377950 Mon Sep 17 00:00:00 2001
From: Jhynjhiruu <cub3r12@gmail.com>
Date: Sat, 9 May 2020 17:07:31 +0100
Subject: [PATCH 227/317] Change homebrew logo

Fix the crash on CHN 3DSes by replacing the existing homebrew logo.bin with PabloMK7's one
---
 makerom/ncch_logo.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/ncch_logo.h b/makerom/ncch_logo.h
index 018d2a86..c28e10ee 100644
--- a/makerom/ncch_logo.h
+++ b/makerom/ncch_logo.h
@@ -27,5 +27,5 @@ static const unsigned char iQue_without_ISBN_LZ[0x2000] =
 
 static const unsigned char Homebrew_LZ[0x2000] =
 {
-	0x11, 0x9C, 0x21, 0x00, 0x00, 0x64, 0x61, 0x72, 0x63, 0xFF, 0xFE, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7C, 0x21, 0x00, 0x00, 0x83, 0x30, 0x09, 0x24, 0x03, 0x00, 0x00, 0x40, 0x20, 0x03, 0x30, 0x13, 0xAB, 0x30, 0x18, 0x0F, 0x20, 0x1D, 0x02, 0xA0, 0x0B, 0x06, 0x20, 0x2B, 0x30, 0x18, 0x5A, 0x05, 0x20, 0x35, 0x10, 0x20, 0x39, 0x30, 0x2B, 0xA4, 0x20, 0x20, 0x40, 0xEA, 0x30, 0x45, 0x20, 0x1C, 0x30, 0x0B, 0x70, 0x60, 0x23, 0x08, 0x20, 0x59, 0x7A, 0x85, 0x30, 0x5D, 0x09, 0x00, 0x00, 0x28, 0x20, 0x2C, 0xA2, 0x20, 0x69, 0x21, 0x80, 0x19, 0x20, 0x0B, 0x04, 0x00, 0x00, 0xC4, 0x60, 0x47, 0xA0, 0x30, 0x5F, 0xCE, 0x20, 0x81, 0xC0, 0x1D, 0x00, 0x00, 0x9C, 0xA5, 0x20, 0x89, 0x12, 0x20, 0x75, 0x60, 0x1E, 0x50, 0x0B, 0x56, 0x30, 0x81, 0x55, 0x1F, 0x50, 0x17, 0x9A, 0x20, 0x8D, 0xA0, 0x60, 0x0B, 0xDE, 0x20, 0x99, 0x2A, 0x40, 0x20, 0x50, 0x2F, 0x22, 0x20, 0x9C, 0xE0, 0x60, 0x0B, 0x00, 0x20, 0x00, 0x2E, 0x20, 0xCB, 0x62, 0x00, 0x6C, 0x00, 0x79, 0x20, 0x00, 0x74, 0x20, 0xD5, 0x4E, 0x00, 0x69, 0x00, 0x6E, 0xA0, 0x20, 0x09, 0x65, 0x20, 0x05, 0x64, 0x00, 0x6F, 0x00, 0x4C, 0xA2, 0x20, 0x03, 0x67, 0x20, 0x07, 0x5F, 0x00, 0x55, 0x20, 0x03, 0x30, 0xAA, 0x20, 0x01, 0x2E, 0x20, 0x2D, 0x63, 0x01, 0x20, 0x2F, 0x44, 0x00, 0x40, 0x2F, 0x74, 0xA3, 0x20, 0x5F, 0x6D, 0x20, 0x51, 0x00, 0x00, 0x68, 0x40, 0x75, 0x70, 0x5D, 0x57, 0x62, 0x20, 0x6B, 0x74, 0x20, 0x81, 0x6F, 0x20, 0x1D, 0x70, 0x61, 0x30, 0x29, 0xD7, 0xF0, 0x27, 0x30, 0x21, 0x70, 0xE0, 0x21, 0x61, 0x20, 0xB1, 0x50, 0x2B, 0x01, 0x10, 0x8D, 0x18, 0x5F, 0x00, 0x53, 0x20, 0xBD, 0x30, 0xDD, 0x65, 0x00, 0x4F, 0x2F, 0x00, 0x75, 0x20, 0xF3, 0x43, 0x80, 0xD1, 0x30, 0x47, 0x01, 0x31, 0x01, 0x00, 0x10, 0x43, 0x6F, 0x42, 0x01, 0x80, 0x43, 0x00, 0x90, 0x87, 0x41, 0x03, 0x20, 0x43, 0x01, 0x90, 0x87, 0x00, 0x90, 0xCB, 0x01, 0x90, 0x87, 0xE0, 0x00, 0x91, 0x0F, 0xF1, 0x53, 0x90, 0x02, 0x43, 0x4C, 0x59, 0x54, 0xFF, 0x2C, 0xFE, 0x14, 0x33, 0x21, 0x02, 0x33, 0x03, 0x33, 0x0F, 0x6C, 0x79, 0x31, 0x74, 0x31, 0x30, 0x11, 0x43, 0x3C, 0x00, 0xC8, 0x43, 0x23, 0x0D, 0x03, 0x43, 0x74, 0x78, 0x6C, 0x31, 0x24, 0x63, 0x50, 0x22, 0xFA, 0x00, 0x00, 0x68, 0x62, 0x6C, 0x6F, 0x67, 0x6F, 0x5F, 0x00, 0x74, 0x6F, 0x70, 0x2E, 0x62, 0x63, 0x6C, 0x69, 0x81, 0x32, 0x18, 0x00, 0x6D, 0x61, 0x74, 0x31, 0x60, 0x63, 0x74, 0x86, 0x33, 0x57, 0x48, 0x62, 0x4D, 0x61, 0x32, 0xC3, 0xB0, 0x70, 0xFF, 0x35, 0xFF, 0xFF, 0x30, 0x03, 0x00, 0x40, 0x02, 0x15, 0x43, 0xB2, 0x04, 0x30, 0x5E, 0x98, 0xA0, 0xA3, 0x80, 0x3F, 0x50, 0x03, 0x23, 0x93, 0x61, 0x6E, 0x31, 0x48, 0x4C, 0x33, 0xE8, 0x04, 0xFF, 0x20, 0x5B, 0x52, 0x6F, 0x6F, 0x07, 0x74, 0x50, 0x61, 0x6E, 0x65, 0xE0, 0x60, 0x00, 0x80, 0x0E, 0x70, 0x47, 0x86, 0x50, 0xCF, 0x70, 0x61, 0x73, 0x31, 0x33, 0xDB, 0x70, 0x53, 0x03, 0xB3, 0x80, 0x53, 0x30, 0x01, 0x70, 0x50, 0xA0, 0x9B, 0x20, 0x42, 0x30, 0x03, 0x80, 0x53, 0x0B, 0x69, 0x63, 0x31, 0x80, 0x34, 0x90, 0x07, 0x30, 0xA7, 0x00, 0x11, 0x03, 0xC7, 0x01, 0x50, 0xA7, 0x23, 0x08, 0x00, 0x80, 0x41, 0xF1, 0x2B, 0x71, 0x95, 0x91, 0x1B, 0x83, 0xF1, 0x27, 0x80, 0x3F, 0x70, 0x61, 0x65, 0x60, 0xDB, 0x50, 0x07, 0x0C, 0x67, 0x72, 0x70, 0x31, 0x35, 0x21, 0x51, 0x33, 0x47, 0x72, 0xCD, 0x24, 0xDB, 0x82, 0x03, 0x67, 0x72, 0x51, 0x07, 0x30, 0x23, 0x3C, 0x25, 0x45, 0x07, 0x47, 0x5F, 0x41, 0x5F, 0x30, 0xA1, 0x02, 0x25, 0x37, 0x00, 0x01, 0x17, 0xD7, 0xF1, 0xD7, 0x30, 0x5F, 0x2C, 0x40, 0x3B, 0x42, 0xC0, 0x3B, 0x35, 0x7C, 0x00, 0x90, 0x2B, 0x67, 0x43, 0x00, 0x20, 0x2B, 0xD1, 0x7F, 0x67, 0x72, 0x50, 0xC7, 0x00, 0xB1, 0xE1, 0x01, 0x12, 0xBF, 0x40, 0xA0, 0x00, 0xB2, 0xBF, 0x62, 0x6F, 0x74, 0x74, 0x6F, 0x6D, 0xF2, 0x62, 0xC2, 0x09, 0x52, 0xBF, 0x50, 0xCF, 0x07, 0x52, 0xBF, 0xF0, 0xC2, 0x00, 0xE2, 0xBF, 0x42, 0xC3, 0x10, 0x00, 0xF2, 0xBF, 0x10, 0x76, 0x70, 0x1E, 0xF0, 0xF0, 0x0F, 0x0F, 0x30, 0x03, 0x02, 0x70, 0x1F, 0x9B, 0x4E, 0x44, 0xD7, 0x00, 0x2C, 0x8F, 0x00, 0x2D, 0x7F, 0x7D, 0x9D, 0xEE, 0x00, 0x4D, 0x9D, 0x11, 0x90, 0x00, 0xEF, 0x4E, 0x84, 0x06, 0x00, 0xA1, 0x00, 0x4D, 0xBD, 0x2B, 0xEE, 0x00, 0x00, 0xDB, 0xF6, 0xC5, 0x60, 0x77, 0x8D, 0x00, 0x30, 0x67, 0x3D, 0x23, 0xD5, 0x3D, 0x27, 0x40, 0x67, 0xFE, 0x00, 0x4E, 0x1D, 0x2A, 0x7A, 0xBE, 0x00, 0x00, 0x50, 0xFF, 0x57, 0xE9, 0x80, 0x17, 0xC5, 0x00, 0x4E, 0x5D, 0xFF, 0xA0, 0x79, 0x00, 0x50, 0x1F, 0x5F, 0x63, 0x1E, 0xD0, 0x00, 0xCF, 0x00, 0x7B, 0x38, 0x4F, 0x84, 0x00, 0xD1, 0x5D, 0x03, 0xF1, 0xEF, 0xFF, 0x1F, 0xF0, 0xF0, 0xFF, 0x81, 0xEF, 0x81, 0xFF, 0x3F, 0x8E, 0x21, 0xC6, 0x20, 0x1A, 0xE0, 0x20, 0x20, 0x92, 0x0F, 0x92, 0x1F, 0xC0, 0xF7, 0x00, 0x00, 0xFD, 0x02, 0xFF, 0xFF, 0x6E, 0xFF, 0x11, 0x06, 0x4E, 0x7A, 0xFF, 0x00, 0xFD, 0x00, 0x00, 0xF7, 0xC0, 0x01, 0x05, 0x00, 0x00, 0x00, 0x5E, 0xFF, 0x11, 0xFF, 0xFF, 0xF6, 0x0B, 0x08, 0x7F, 0x60, 0x10, 0xCF, 0x61, 0x73, 0xFF, 0xFF, 0x10, 0x01, 0x60, 0xFF, 0xCF, 0xE6, 0xFF, 0x7F, 0x0B, 0x71, 0x87, 0x04, 0xFA, 0x2C, 0xFF, 0x90, 0x03, 0x2D, 0x95, 0x4F, 0xFF, 0x04, 0xFC, 0x2C, 0xFF, 0xFF, 0x03, 0x00, 0x01, 0xA5, 0xFF, 0x90, 0x04, 0x5F, 0xCF, 0x10, 0x00, 0xEF, 0x2E, 0xD7, 0xA0, 0xF6, 0x18, 0x00, 0x00, 0xFC, 0x80, 0x47, 0x2D, 0x69, 0xFC, 0x00, 0x00, 0x01, 0xF6, 0x90, 0xFF, 0x5E, 0xFF, 0x01, 0x03, 0x3D, 0x72, 0x02, 0xC3, 0x0D, 0x8F, 0x20, 0xFF, 0xDF, 0x20, 0x42, 0xFF, 0x08, 0x00, 0x6E, 0xFF, 0x02, 0x40, 0xB3, 0x20, 0xFF, 0xC6, 0x83, 0x80, 0x77, 0xFA, 0x3E, 0xFF, 0x40, 0x04, 0x50, 0x9F, 0x41, 0xFF, 0x40, 0x01, 0x2D, 0xE4, 0x3E, 0xFA, 0x40, 0xFF, 0xEF, 0xFE, 0x04, 0x01, 0x08, 0xF5, 0xF1, 0x0D, 0x22, 0xEB, 0xAF, 0xEF, 0x00, 0xF0, 0xF0, 0x5F, 0x1F, 0xF1, 0xF5, 0x0F, 0x0D, 0x09, 0xFE, 0xEF, 0x08, 0x01, 0x72, 0xFF, 0xFF, 0x04, 0x53, 0x02, 0x07, 0xA0, 0xF6, 0xFF, 0x5E, 0xFC, 0x30, 0x5C, 0x7D, 0xE7, 0x20, 0x0C, 0x10, 0xF6, 0x90, 0x6E, 0x20, 0x48, 0xFF, 0xC3, 0x00, 0xFF, 0x01, 0x20, 0xFF, 0x0D, 0x8F, 0x00, 0x00, 0xDF, 0x32, 0x59, 0xB8, 0x22, 0xF2, 0x02, 0x20, 0x0F, 0x32, 0xF8, 0x30, 0x7D, 0xFC, 0xF8, 0x04, 0x00, 0x07, 0xF4, 0xF0, 0x0A, 0x0E, 0xF1, 0xF4, 0xFF, 0x00, 0xFD, 0xF8, 0xEC, 0xF5, 0xE0, 0xC0, 0x90, 0x2F, 0x00, 0x9F, 0x50, 0x10, 0xFF, 0xFF, 0xAF, 0x5F, 0xA0, 0x10, 0x50, 0x1F, 0x0D, 0x2E, 0x8D, 0x04, 0xF3, 0xF7, 0x08, 0x0C, 0x0C, 0xFA, 0xFD, 0x0C, 0x2F, 0x90, 0x3E, 0x77, 0x1F, 0x8F, 0x03, 0xCF, 0x8F, 0xFF, 0xFD, 0x5F, 0x1F, 0x06, 0x03, 0xEF, 0x00, 0xE2, 0x6C, 0xF4, 0x00, 0xF0, 0x1F, 0x02, 0x73, 0xEA, 0x01, 0x10, 0x1D, 0x00, 0xD0, 0x37, 0xA4, 0x63, 0xC2, 0xDF, 0x00, 0x6E, 0x28, 0x00, 0xC3, 0x6C, 0x00, 0x73, 0xEA, 0x2B, 0x01, 0x60, 0xFF, 0x30, 0x69, 0x00, 0x3F, 0x89, 0xFE, 0xFC, 0x20, 0x79, 0x3F, 0xFF, 0x00, 0x70, 0x7D, 0x23, 0x1B, 0x4F, 0xF5, 0x00, 0x7D, 0xE7, 0xF8, 0x00, 0x40, 0x0D, 0x10, 0x14, 0xCE, 0x01, 0x43, 0x4C, 0x49, 0x4D, 0xFF, 0xFE, 0x46, 0x14, 0x2F, 0xFF, 0x02, 0x02, 0x28, 0x24, 0x6E, 0x35, 0xA2, 0x69, 0x10, 0x6D, 0x61, 0x67, 0x24, 0x79, 0x00, 0x80, 0x00, 0x40, 0xFF, 0x52, 0x7D, 0x30, 0x0C, 0x07, 0x8F, 0xFF, 0x57, 0x9F, 0x38, 0x79, 0x00, 0x58, 0x7D, 0x00, 0xF0, 0x1F, 0x40, 0xD8, 0xB6, 0x53, 0x74, 0xDF, 0x00, 0x88, 0x27, 0x57, 0x5F, 0xFF, 0x28, 0x69, 0x00, 0x3F, 0xFF, 0xEF, 0xDD, 0x28, 0x79, 0x3F, 0xFF, 0xB2, 0x63, 0xDC, 0xFF, 0xFF, 0x98, 0x7D, 0xC7, 0x00, 0x67, 0xFF, 0x7F, 0x9D, 0x4F, 0xFF, 0x47, 0x0F, 0x48, 0xE5, 0x89, 0x47, 0x30, 0xD9, 0x50, 0xDD, 0x2F, 0xFF, 0x17, 0xE8, 0x00, 0xBF, 0x00, 0x4F, 0xFF, 0x02, 0x00, 0x10, 0x37, 0x00, 0x68, 0x7F, 0x01, 0x50, 0x7F, 0xB1, 0x00, 0x14, 0x92, 0x2F, 0x84, 0xBE, 0x00, 0x3F, 0xFF, 0x0E, 0x00, 0x20, 0x69, 0x9D, 0xF9, 0x05, 0x24, 0x9C, 0x61, 0xEF, 0x38, 0x67, 0x20, 0x04, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0x38, 0x7F, 0x83, 0x28, 0x7D, 0x10, 0x90, 0x0F, 0x0F, 0xE0, 0x29, 0x17, 0x72, 0x1F, 0x50, 0xE0, 0x20, 0x0F, 0x10, 0x38, 0x79, 0x1B, 0xFF, 0xFF, 0x02, 0x02, 0x00, 0xFF, 0xB1, 0xDF, 0xFF, 0x20, 0x40, 0x2C, 0x02, 0x01, 0x1B, 0xFD, 0x80, 0xFF, 0xFD, 0x20, 0xB1, 0x20, 0x38, 0x00, 0xDF, 0xDF, 0x08, 0x01, 0x09, 0xF0, 0xF0, 0x0E, 0xD5, 0x2A, 0xC9, 0x28, 0x69, 0x1A, 0x30, 0x27, 0x0E, 0x20, 0x0F, 0x01, 0x2A, 0xDD, 0x90, 0x88, 0x5F, 0xF5, 0x7F, 0x38, 0xF7, 0xFF, 0xFE, 0x1A, 0xFF, 0x3A, 0xF5, 0x02, 0x2A, 0xF5, 0x30, 0x29, 0x50, 0x1D, 0xF0, 0x29, 0x83, 0xF0, 0x30, 0xF0, 0x7F, 0x25, 0xDE, 0x3A, 0x31, 0xD1, 0xF9, 0xFF, 0x7F, 0x60, 0xFE, 0x30, 0x8B, 0x6A, 0x3D, 0xFE, 0xF8, 0x2F, 0xCF, 0xC0, 0x44, 0x00, 0x28, 0x60, 0x01, 0xFF, 0xF5, 0x30, 0xA2, 0x2E, 0xAF, 0x80, 0x6A, 0x55, 0x03, 0x00, 0x30, 0xFF, 0xFE, 0xFF, 0xCF, 0x90, 0x32, 0x19, 0xFF, 0x38, 0x3A, 0x6D, 0xAF, 0xBF, 0xFF, 0xFF, 0x21, 0x2F, 0x0F, 0x29, 0x0A, 0xFB, 0x00, 0x00, 0xF2, 0x20, 0x87, 0x40, 0x2F, 0x20, 0x0F, 0xAF, 0x0F, 0x00, 0x11, 0xF2, 0xFB, 0x03, 0xFF, 0xE8, 0xFF, 0xBF, 0x1E, 0x9F, 0x22, 0x6E, 0x4A, 0x91, 0x01, 0xAF, 0xCF, 0xFF, 0xFF, 0x3F, 0x0F, 0xEF, 0x20, 0x0F, 0x67, 0x2E, 0x21, 0xFF, 0x72, 0x27, 0xFF, 0x03, 0x5B, 0x82, 0x70, 0x7F, 0x86, 0x77, 0x80, 0x01, 0x60, 0x7F, 0xF7, 0xF2, 0x7F, 0xBF, 0xD0, 0x70, 0xFF, 0x21, 0xFF, 0x20, 0x20, 0x03, 0xB1, 0xF5, 0xBF, 0x2F, 0x21, 0x23, 0x80, 0x39, 0x9F, 0xF2, 0xFD, 0xFF, 0x0B, 0x06, 0xFF, 0xDF, 0x00, 0x02, 0x00, 0x2F, 0x6F, 0x70, 0xB0, 0xBF, 0xFF, 0x40, 0xF1, 0x20, 0xC3, 0x07, 0x02, 0xDF, 0x7F, 0x00, 0x00, 0x02, 0xFB, 0xF6, 0xFD, 0xFF, 0xF2, 0xD0, 0x20, 0xB1, 0x0C, 0x1E, 0x00, 0x00, 0x07, 0x72, 0x87, 0x03, 0x74, 0x7F, 0x29, 0x73, 0xD4, 0x7F, 0x10, 0xE5, 0x56, 0xFD, 0x38, 0xF8, 0x00, 0x84, 0xBF, 0x41, 0x4E, 0x74, 0xBF, 0x9C, 0x63, 0x1A, 0x05, 0x70, 0x61, 0x74, 0x31, 0x3C, 0x63, 0x60, 0x1C, 0x67, 0x7B, 0x60, 0xF1, 0x22, 0x27, 0x3A, 0x7E, 0x53, 0x63, 0x65, 0x6E, 0x65, 0x08, 0x4F, 0x75, 0x74, 0x43, 0x2F, 0xFF, 0x47, 0x5F, 0x43, 0x10, 0x5F, 0x30, 0x30, 0xDF, 0xFF, 0x70, 0x61, 0x69, 0x31, 0x4D, 0x4C, 0x8B, 0x5A, 0x02, 0x00, 0x35, 0x19, 0x30, 0x43, 0x40, 0x2F, 0xFF, 0x04, 0x48, 0x62, 0x4D, 0x61, 0x74, 0x00, 0x2F, 0xFF, 0x48, 0x62, 0x0D, 0x52, 0x6F, 0x6F, 0x74, 0xE0, 0x48, 0x02, 0xE0, 0x9F, 0x42, 0x40, 0x9F, 0x56, 0x42, 0x08, 0x80, 0x9F, 0x41, 0x41, 0x3F, 0x41, 0x10, 0x0C, 0x81, 0x3F, 0x05, 0x33, 0x1F, 0x77, 0x00, 0xA2, 0x13, 0x49, 0x99, 0x58, 0x3D, 0x71, 0x8A, 0x00, 0x3A, 0x75, 0x0A, 0xEF, 0xE4, 0xC9, 0xFC, 0xB1, 0x00, 0x00, 0x99, 0x02, 0x63, 0xA9, 0x9B, 0x74, 0xE0, 0x00, 0x38, 0xD3, 0x33, 0xC0, 0x52, 0x6A, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+	0x11, 0x40, 0xE6, 0x00, 0x00, 0x64, 0x61, 0x72, 0x63, 0xFF, 0xFE, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x20, 0xE6, 0x00, 0x00, 0x83, 0x30, 0x09, 0x64, 0x03, 0x00, 0x00, 0x80, 0x20, 0x03, 0x30, 0x13, 0xAB, 0x30, 0x18, 0x11, 0x20, 0x1D, 0x02, 0xA0, 0x0B, 0x06, 0x20, 0x2B, 0x30, 0x18, 0x5A, 0x09, 0x20, 0x35, 0x10, 0x20, 0x39, 0x30, 0x2B, 0xAC, 0x20, 0x20, 0x54, 0xAA, 0x20, 0x45, 0x40, 0x20, 0x1C, 0x0C, 0x20, 0x2C, 0x98, 0x20, 0x51, 0x60, 0x55, 0x08, 0x50, 0x38, 0xDC, 0x30, 0x0B, 0x0A, 0x50, 0x23, 0x20, 0x20, 0x51, 0x05, 0x20, 0x0D, 0x00, 0x00, 0xE8, 0x20, 0x50, 0x64, 0x30, 0x0B, 0xA5, 0x20, 0x40, 0x78, 0x20, 0x6F, 0xA8, 0x01, 0x50, 0x53, 0x0E, 0x20, 0x89, 0x40, 0xB2, 0x30, 0x75, 0x14, 0x00, 0x00, 0x28, 0x04, 0x00, 0x24, 0x00, 0xC8, 0x20, 0x81, 0x80, 0x18, 0x20, 0x0B, 0x80, 0x00, 0x28, 0x00, 0xE4, 0x30, 0x8D, 0x99, 0x20, 0x17, 0x20, 0x00, 0x00, 0x53, 0xFA, 0x30, 0x17, 0xB9, 0x50, 0x0B, 0x12, 0x02, 0x50, 0x8F, 0x30, 0xA7, 0x48, 0x1C, 0x20, 0xA8, 0xC0, 0xD9, 0x20, 0xBF, 0x05, 0x00, 0x00, 0x41, 0x4C, 0x20, 0xB4, 0x40, 0xDF, 0x00, 0x00, 0xE0, 0x20, 0xB0, 0x10, 0x00, 0x00, 0x2E, 0x20, 0xE3, 0x61, 0x00, 0x6E, 0x00, 0x14, 0x69, 0x00, 0x6D, 0x20, 0xED, 0x4E, 0x20, 0x07, 0x6E, 0x00, 0x10, 0x74, 0x00, 0x65, 0x20, 0x11, 0x64, 0x00, 0x6F, 0x00, 0x51, 0x4C, 0x20, 0x03, 0x67, 0x20, 0x07, 0x5F, 0x00, 0x44, 0x20, 0x03, 0x41, 0x30, 0x20, 0x01, 0x5F, 0x00, 0x53, 0x00, 0x63, 0x40, 0x1F, 0x05, 0x65, 0x00, 0x4F, 0x00, 0x75, 0x20, 0x2B, 0x41, 0x20, 0x43, 0x5A, 0x62, 0x20, 0x13, 0x6C, 0x40, 0x47, 0x02, 0x50, 0x43, 0x42, 0x03, 0x20, 0x43, 0x43, 0xBD, 0x01, 0x80, 0x87, 0x55, 0x04, 0xC0, 0x43, 0x01, 0x90, 0xCB, 0x00, 0x90, 0x87, 0xF1, 0x53, 0x74, 0x41, 0x9F, 0x51, 0x67, 0x22, 0x8F, 0x6D, 0x21, 0xAD, 0x73, 0x00, 0x6B, 0x81, 0x73, 0xAA, 0x51, 0xB7, 0x62, 0x21, 0x89, 0x62, 0x21, 0x85, 0x6C, 0x21, 0xB9, 0x73, 0xB5, 0xE0, 0x1B, 0x6C, 0x61, 0xC3, 0xD0, 0x31, 0x77, 0x21, 0xF5, 0x76, 0x00, 0x20, 0x2D, 0xBF, 0x30, 0x43, 0x79, 0x22, 0x01, 0x01, 0x32, 0x0B, 0x71, 0xF7, 0x00, 0xF0, 0x2F, 0x71, 0x6F, 0xD0, 0x2F, 0x81, 0x00, 0xB0, 0x02, 0x43, 0x4C, 0x41, 0x4E, 0xFF, 0xFE, 0x22, 0xEC, 0x18, 0x00, 0x02, 0x02, 0x33, 0x43, 0x23, 0x67, 0x00, 0x70, 0x61, 0x1A, 0x74, 0x31, 0x3C, 0x63, 0x7E, 0x33, 0x99, 0x28, 0x23, 0x9D, 0xA1, 0x20, 0x00, 0xF0, 0x43, 0x8C, 0x53, 0x63, 0x65, 0x6E, 0x65, 0x08, 0x4F, 0x75, 0x74, 0x41, 0x23, 0xB1, 0x47, 0x5F, 0x41, 0x10, 0x5F, 0x30, 0x30, 0xD0, 0x60, 0x70, 0x61, 0x69, 0x31, 0x54, 0x5C, 0x23, 0xAC, 0x50, 0x43, 0xBE, 0x06, 0x33, 0x46, 0x00, 0x2C, 0xB5, 0x23, 0xDD, 0xCC, 0x33, 0xAB, 0x23, 0xCD, 0x54, 0x23, 0xD1, 0xC4, 0x23, 0xD5, 0x43, 0x10, 0x23, 0xD0, 0x6D, 0x61, 0x73, 0x6B, 0xF0, 0x40, 0x33, 0xF0, 0x85, 0x34, 0x0D, 0x43, 0x4C, 0x56, 0x43, 0x33, 0xFC, 0x0C, 0x34, 0x19, 0xF2, 0x20, 0x2C, 0x33, 0xEB, 0x40, 0x0B, 0x44, 0x16, 0x7F, 0x43, 0x20, 0x51, 0xC1, 0xF9, 0x23, 0xCD, 0x30, 0x86, 0x30, 0x5D, 0xA0, 0x0B, 0x34, 0x4A, 0x82, 0x42, 0x00, 0x10, 0x0B, 0x5C, 0x7F, 0x20, 0x13, 0x8A, 0x20, 0x17, 0x30, 0x3B, 0x90, 0x0B, 0xAB, 0xAA, 0x5C, 0xE2, 0x20, 0x47, 0x9C, 0x40, 0x2F, 0xB0, 0x0B, 0x34, 0x90, 0x62, 0x75, 0x06, 0x62, 0x62, 0x6C, 0x65, 0x73, 0xC0, 0xE3, 0xA0, 0x9F, 0x49, 0xF9, 0x80, 0x9F, 0x24, 0xA6, 0x31, 0x37, 0x90, 0x9F, 0x34, 0xCE, 0x8C, 0x42, 0x34, 0xBC, 0xBC, 0x80, 0x43, 0x31, 0x02, 0x90, 0x43, 0x00, 0x41, 0x27, 0x25, 0x19, 0x51, 0x27, 0x54, 0x53, 0x8D, 0x81, 0x27, 0x01, 0x02, 0x00, 0x24, 0x76, 0x61, 0x27, 0x1C, 0x21, 0x03, 0x2D, 0x60, 0xC0, 0x51, 0xFE, 0x44, 0xE0, 0x0B, 0x72, 0x14, 0xA0, 0xE0, 0x0B, 0x03, 0x90, 0xC0, 0x29, 0xA5, 0x14, 0xBE, 0x00, 0x40, 0xF7, 0x00, 0x60, 0x6F, 0x8A, 0xF0, 0xF7, 0x75, 0x64, 0x4F, 0x22, 0x3A, 0x9E, 0x21, 0x7F, 0x80, 0x79, 0x3F, 0x30, 0x0B, 0x00, 0x40, 0xFF, 0x01, 0x50, 0x4B, 0x20, 0x3F, 0xCF, 0x3B, 0x90, 0x4B, 0xFF, 0x30, 0x0B, 0x00, 0xD2, 0xBF, 0x35, 0xF7, 0xB2, 0xBF, 0x25, 0xD2, 0x82, 0xBF, 0x20, 0xEB, 0xC2, 0xBF, 0x8B, 0x32, 0x20, 0x47, 0x5F, 0x42, 0x00, 0x42, 0xBF, 0xBC, 0x26, 0x75, 0x50, 0x2D, 0xAA, 0x92, 0xBF, 0x6C, 0x26, 0xA1, 0xA8, 0x26, 0xA5, 0xE4, 0x26, 0xA9, 0x24, 0xBF, 0x26, 0x95, 0x70, 0x26, 0x99, 0x01, 0xB2, 0xBF, 0x92, 0x2B, 0x93, 0x90, 0x01, 0xB2, 0x5F, 0xB0, 0x3F, 0xF7, 0x01, 0xF2, 0x57, 0xF0, 0x3B, 0x01, 0xB2, 0x4F, 0x92, 0xE3, 0x48, 0x23, 0x73, 0x52, 0x4F, 0x02, 0xB2, 0x1F, 0x14, 0xCD, 0xCC, 0x4C, 0x24, 0x5A, 0x20, 0x23, 0xBF, 0x00, 0x40, 0xEC, 0x30, 0x0B, 0x02, 0xA2, 0x1F, 0x20, 0x4B, 0xCC, 0x22, 0x1F, 0x30, 0x4B, 0x80, 0x3F, 0xFC, 0x50, 0x0B, 0x00, 0xD4, 0xDF, 0x38, 0x44, 0xB4, 0xDF, 0x31, 0x95, 0x74, 0xDF, 0xF1, 0x00, 0x62, 0xFF, 0xC4, 0xDF, 0x30, 0xA0, 0x47, 0x5F, 0x43, 0x00, 0x44, 0xDF, 0xB0, 0xAA, 0x28, 0x95, 0x0F, 0xE4, 0xDF, 0x78, 0x28, 0xC1, 0xB4, 0x28, 0xC5, 0xF0, 0xB1, 0x28, 0xC9, 0x30, 0x02, 0x22, 0x1F, 0xF4, 0x3F, 0xDB, 0xB6, 0x91, 0x25, 0x62, 0x4C, 0x60, 0x25, 0x66, 0x7F, 0x43, 0x30, 0x0B, 0x02, 0x52, 0x2B, 0x60, 0x41, 0xFC, 0x02, 0x92, 0x2B, 0x50, 0x3B, 0x02, 0x52, 0x2B, 0x39, 0xCE, 0x02, 0x14, 0x4B, 0x95, 0x4F, 0x80, 0xBF, 0xFE, 0x51, 0xD3, 0x01, 0xD2, 0x1F, 0x00, 0x30, 0x3F, 0x00, 0xB6, 0xDF, 0x02, 0x71, 0xFF, 0x36, 0xDF, 0x51, 0xFF, 0x08, 0xB5, 0x46, 0xDF, 0x34, 0x3A, 0x83, 0x2A, 0xC1, 0xBC, 0x2A, 0xC5, 0xF8, 0x30, 0x0F, 0xAE, 0x2A, 0xB5, 0x74, 0x2A, 0xB9, 0xB4, 0x35, 0xA3, 0x01, 0xE6, 0xE7, 0x00, 0xF2, 0x07, 0x6C, 0x1C, 0x6F, 0x67, 0x6F, 0x00, 0xA7, 0x33, 0x01, 0x52, 0x07, 0x0D, 0xE2, 0x43, 0x77, 0x61, 0x7F, 0x76, 0xE7, 0xC5, 0xD7, 0x3F, 0x38, 0xF3, 0x3C, 0x47, 0x56, 0x27, 0xF2, 0x87, 0x44, 0xB3, 0x60, 0xBC, 0xD6, 0xEB, 0x40, 0x17, 0x40, 0x0D, 0xD7, 0xA3, 0xBB, 0x87, 0x37, 0x67, 0x66, 0x66, 0xE6, 0x3F, 0xC8, 0x2F, 0x02, 0x62, 0xAB, 0x00, 0xF9, 0x9F, 0xDE, 0x3C, 0xB3, 0x03, 0x36, 0xDF, 0x98, 0x2D, 0x4C, 0x57, 0x0D, 0x92, 0xBF, 0x3A, 0x87, 0xB0, 0xB7, 0x2D, 0x85, 0xEC, 0x39, 0xEF, 0x2D, 0x75, 0x68, 0x62, 0xBF, 0x3C, 0xC3, 0x02, 0xF6, 0xE7, 0xFF, 0x02, 0x52, 0xB3, 0xE6, 0xE7, 0x0E, 0xA7, 0x23, 0x01, 0x72, 0xBF, 0x34, 0x87, 0x3F, 0x29, 0xEA, 0x8B, 0x37, 0x67, 0xFD, 0x24, 0x9A, 0x47, 0x73, 0x82, 0xCB, 0x9A, 0x27, 0x50, 0x23, 0x52, 0xCB, 0x20, 0x82, 0xCB, 0xE0, 0x6A, 0x1B, 0x32, 0xE3, 0x29, 0x83, 0xF0, 0x42, 0xCD, 0xCC, 0x0C, 0x7F, 0x40, 0x5C, 0x4A, 0x57, 0xBB, 0x32, 0xFB, 0x04, 0xF7, 0xBB, 0xFC, 0x9F, 0x3F, 0xA7, 0x03, 0x3C, 0x9F, 0x75, 0x28, 0x2F, 0xEF, 0x5C, 0x9F, 0x95, 0xBF, 0xD4, 0x2F, 0xFB, 0x18, 0x2F, 0xF7, 0x77, 0x5C, 0x39, 0xFB, 0x6C, 0x9F, 0x3C, 0xC7, 0xDC, 0x09, 0x2C, 0xA7, 0x01, 0xB6, 0x13, 0x01, 0x0C, 0xA7, 0xFF, 0x10, 0x02, 0xAC, 0xEB, 0x02, 0xD3, 0xA7, 0x4D, 0x2F, 0x28, 0x42, 0x3D, 0x3B, 0x4D, 0x47, 0x46, 0x73, 0x22, 0xF2, 0x84, 0xCE, 0x57, 0xE1, 0x65, 0x2D, 0x3E, 0x33, 0xA7, 0xA4, 0x70, 0x7C, 0x0D, 0x63, 0x8F, 0x40, 0x2F, 0x02, 0xF3, 0x8F, 0x01, 0x4D, 0x6B, 0x04, 0x30, 0x13, 0xFF, 0xFF, 0x30, 0xFF, 0xFF, 0x3F, 0x3B, 0x10, 0x13, 0x70, 0x07, 0x77, 0x77, 0x77, 0x77, 0x60, 0x6E, 0xA0, 0x07, 0x00, 0xF0, 0x1F, 0xBB, 0xBB, 0x55, 0x55, 0x03, 0x12, 0x23, 0x23, 0x23, 0x70, 0x07, 0xDD, 0xDD, 0x20, 0x0F, 0x5B, 0x1C, 0x5B, 0x5B, 0xFD, 0x60, 0x07, 0x00, 0x70, 0x1F, 0x70, 0x27, 0xAA, 0xAA, 0x8C, 0x20, 0x3F, 0x8B, 0x8B, 0x8B, 0x70, 0x07, 0x40, 0x4F, 0xC3, 0xC3, 0x60, 0xC3, 0x70, 0x07, 0x00, 0xF0, 0x1F, 0x11, 0x11, 0x11, 0x11, 0x02, 0x00, 0xF8, 0xF8, 0xF8, 0x11, 0x00, 0x11, 0x11, 0x0A, 0xFE, 0x20, 0x07, 0x4A, 0x81, 0xA0, 0x07, 0x70, 0x17, 0x70, 0x27, 0xF0, 0x1F, 0x0A, 0xF0, 0x0F, 0x43, 0x12, 0x4C, 0x49, 0x4D, 0x7F, 0x9F, 0x28, 0x04, 0x5F, 0x1F, 0x69, 0x15, 0x6D, 0x61, 0x67, 0x3B, 0x8F, 0x10, 0x2D, 0x55, 0x0A, 0x3F, 0xFB, 0xE0, 0x20, 0x17, 0x10, 0x19, 0x74, 0x7F, 0x10, 0x26, 0x72, 0x4F, 0x7F, 0xBB, 0xFF, 0x37, 0x0B, 0x10, 0x02, 0x02, 0x02, 0x7A, 0x4F, 0x01, 0xFE, 0x03, 0x00, 0x00, 0x62, 0x21, 0x21, 0x21, 0x33, 0x33, 0x33, 0x33, 0x00, 0xB6, 0x18, 0x18, 0x18, 0x33, 0x33, 0xFF, 0xFF, 0x10, 0x01, 0x03, 0x03, 0x2E, 0x41, 0x11, 0x01, 0x02, 0x30, 0xFD, 0x5F, 0xD8, 0x30, 0x07, 0x70, 0x17, 0x90, 0x1F, 0x50, 0x17, 0x00, 0x00, 0x1F, 0x73, 0x00, 0x00, 0x1F, 0x40, 0x10, 0x40, 0x3F, 0xBB, 0x33, 0x73, 0xAA, 0x1F, 0x1F, 0x0D, 0x1F, 0xFF, 0xFF, 0xF7, 0x4A, 0xC7, 0x20, 0x5F, 0x11, 0x30, 0x5F, 0x06, 0x03, 0xFF, 0x10, 0xFF, 0x57, 0x27, 0xDC, 0x10, 0x25, 0x76, 0x5F, 0x0E, 0x37, 0x00, 0x1F, 0x43, 0xD7, 0x7E, 0x4F, 0x0F, 0x20, 0x01, 0xB3, 0xE7, 0x04, 0xF0, 0x07, 0x5E, 0xF0, 0x2E, 0xC8, 0x00, 0x00, 0x20, 0x0F, 0x10, 0x25, 0x7A, 0x5F, 0x73, 0xEF, 0x10, 0x2F, 0x73, 0xFF, 0x01, 0x10, 0x00, 0xEF, 0x0E, 0x10, 0x2D, 0xB7, 0xFF, 0xBC, 0x08, 0xCE, 0x88, 0x08, 0x4A, 0x13, 0x13, 0x13, 0xFF, 0x6F, 0x00, 0x00, 0x88, 0x70, 0x88, 0x5F, 0xEF, 0x50, 0x07, 0x04, 0x00, 0x1F, 0x80, 0x88, 0x88, 0x0A, 0x00, 0x37, 0x37, 0x37, 0xCB, 0xFF, 0xEC, 0xFF, 0x42, 0x18, 0x16, 0x16, 0x16, 0x10, 0x25, 0x7F, 0xEF, 0x10, 0x07, 0x0F, 0x57, 0x7F, 0xFF, 0x7F, 0x40, 0x06, 0x00, 0x2F, 0xFF, 0xB7, 0xBB, 0x37, 0x33, 0x6A, 0x0A, 0x00, 0x0A, 0x0A, 0xBB, 0xBB, 0x33, 0x33, 0x05, 0x02, 0x38, 0x02, 0x02, 0xFF, 0xFF, 0x70, 0x17, 0x02, 0x80, 0x1F, 0x7B, 0x33, 0x77, 0x01, 0x4E, 0x1F, 0x1F, 0x1F, 0xF7, 0xFF, 0xF7, 0x10, 0x25, 0xD5, 0x67, 0x01, 0xE8, 0xFF, 0x01, 0x6B, 0x11, 0x11, 0x11, 0x8F, 0xFF, 0x44, 0x0F, 0x2C, 0xEF, 0x03, 0x03, 0x03, 0x05, 0x7D, 0x5F, 0x1E, 0xFF, 0x18, 0x10, 0xFF, 0x6B, 0x24, 0x57, 0x7D, 0xCF, 0x0F, 0xFF, 0x00, 0x07, 0xFF, 0x20, 0x20, 0x20, 0x20, 0x10, 0x25, 0x89, 0x6F, 0x63, 0xEF, 0x06, 0x73, 0xFF, 0xC1, 0x73, 0xEF, 0x07, 0x73, 0xFF, 0x7F, 0xB3, 0x7F, 0x37, 0x0A, 0x00, 0x28, 0xDF, 0x04, 0x31, 0x33, 0x9D, 0xD9, 0x21, 0x2E, 0x87, 0x11, 0x11, 0x1C, 0xDD, 0xDD, 0xA1, 0x00, 0x2E, 0x8F, 0x70, 0x17, 0x01, 0x20, 0x1F, 0x9D, 0x81, 0x80, 0x00, 0x2E, 0xCF, 0xDD, 0x7B, 0x31, 0x73, 0x4E, 0x1E, 0x1E, 0x41, 0x1E, 0x10, 0x25, 0xF3, 0xFF, 0xCF, 0x01, 0x0F, 0xF8, 0x40, 0xA3, 0xCF, 0x00, 0x0F, 0x00, 0x0F, 0x0F, 0x82, 0x1B, 0x1B, 0x1B, 0xA0, 0x05, 0x28, 0xFF, 0x10, 0x39, 0x5F, 0xFE, 0xFF, 0xF0, 0xFF, 0x22, 0x15, 0x16, 0x16, 0x16, 0x79, 0x6F, 0xF0, 0x20, 0x0F, 0xA2, 0x20, 0x0F, 0x84, 0x10, 0x15, 0x8F, 0xFF, 0xF0, 0xFF, 0x08, 0x04, 0xBF, 0xCF, 0xDE, 0xFF, 0x04, 0xCE, 0x0E, 0x01, 0x01, 0x01, 0xFB, 0xFF, 0x88, 0xCC, 0x00, 0x8E, 0x88, 0x0B, 0x34, 0x34, 0x34, 0xCC, 0xCC, 0x78, 0x88, 0x40, 0x07, 0xFC, 0x1F, 0x70, 0x17, 0x01, 0xF0, 0x1F, 0x0F, 0xFF, 0x80, 0xD0, 0x4B, 0xEF, 0x20, 0x56, 0xE8, 0x30, 0x5F, 0xFD, 0xFF, 0xFC, 0xFF, 0x1F, 0x62, 0x0F, 0x0F, 0x2C, 0x85, 0x05, 0x5F, 0xFF, 0x73, 0xEF, 0x06, 0x23, 0xFF, 0xC3, 0xEF, 0x83, 0x10, 0x01, 0x73, 0xFF, 0xB7, 0xDD, 0x37, 0x13, 0x6A, 0x2E, 0x2F, 0x02, 0xA9, 0x7F, 0x84, 0x00, 0x49, 0xBF, 0x33, 0x13, 0xDD, 0xFD, 0x39, 0xDF, 0x7B, 0xFF, 0x75, 0x73, 0x05, 0xC2, 0x7F, 0x10, 0x06, 0xFE, 0xE7, 0x00, 0x23, 0xFF, 0x07, 0x10, 0x07, 0xB3, 0xFF, 0x01, 0x29, 0x91, 0xF8, 0x3E, 0x87, 0x7F, 0xFF, 0x39, 0xA1, 0x0C, 0xBE, 0x7F, 0x10, 0x05, 0xFD, 0xFF, 0x7F, 0x00, 0x0F, 0x22, 0xFF, 0x20, 0xBF, 0xCF, 0xFE, 0xFF, 0xEE, 0x00, 0x38, 0xFF, 0xCC, 0x08, 0xCC, 0xCE, 0xCC, 0x61, 0x2C, 0xA8, 0xEE, 0xEE, 0xFF, 0x38, 0xFF, 0x01, 0x00, 0x2D, 0x17, 0x70, 0x17, 0x01, 0xF0, 0x1F, 0xFF, 0xFF, 0xF8, 0x20, 0xFF, 0x4B, 0x28, 0xEF, 0xCC, 0xEE, 0xEC, 0xFE, 0x63, 0x1E, 0x24, 0x24, 0x24, 0x0F, 0xFF, 0xFF, 0x73, 0xEF, 0x10, 0x14, 0x73, 0xFF, 0x10, 0x08, 0xFF, 0x67, 0x08, 0x80, 0xE7, 0xFF, 0xCE, 0xCC, 0xEF, 0x88, 0x4B, 0x2C, 0x2C, 0x64, 0x2C, 0x03, 0x9E, 0x7F, 0x57, 0xFF, 0xCC, 0x8C, 0x5E, 0xD7, 0xCB, 0xFF, 0x1A, 0xE8, 0xFF, 0x47, 0x10, 0x00, 0xAD, 0x7F, 0x10, 0x26, 0x25, 0x17, 0x7F, 0xCF, 0xFF, 0xEF, 0x00, 0xFF, 0x0F, 0x0A, 0x02, 0x02, 0x02, 0x17, 0x33, 0x10, 0x17, 0x11, 0x71, 0x20, 0x07, 0x11, 0x11, 0x11, 0x11, 0x7E, 0xA3, 0x4E, 0xAF, 0xDD, 0x17, 0x70, 0x17, 0x90, 0x1F, 0xDE, 0xCF, 0x01, 0x70, 0x1F, 0xFF, 0x0D, 0x7D, 0x11, 0x71, 0x65, 0x20, 0x6F, 0xAF, 0x0F, 0xF0, 0x5D, 0x8F, 0x54, 0xF7, 0xCF, 0xFF, 0xFE, 0x2E, 0xC7, 0x42, 0x10, 0x24, 0x35, 0x37, 0x0F, 0xFF, 0x07, 0x0F, 0x12, 0x03, 0x03, 0x03, 0xF0, 0x0F, 0x00, 0x1D, 0x07, 0x03, 0xDD, 0x17, 0xD0, 0xF3, 0xEF, 0xF3, 0xFF, 0xF0, 0x23, 0xEF, 0x82, 0x1D, 0x1D, 0x1D, 0xE0, 0x7F, 0xFF, 0xF0, 0x0F, 0x10, 0x4C, 0x03, 0xFF, 0xF7, 0xFF, 0x77, 0x0A, 0x01, 0x00, 0x01, 0x01, 0x77, 0x77, 0x77, 0x77, 0xDA, 0x08, 0x38, 0x08, 0x08, 0xFF, 0xFF, 0x70, 0x17, 0x00, 0xF0, 0x1F, 0xFF, 0x7F, 0x77, 0x30, 0xF7, 0x07, 0x2A, 0xBF, 0x10, 0x02, 0x87, 0xFF, 0xCF, 0xFF, 0x0F, 0xCB, 0xD4, 0x21, 0x7F, 0x00, 0x17, 0xFF, 0x01, 0x06, 0xC7, 0xFF, 0xF7, 0x10, 0x0B, 0xEB, 0xFF, 0x01, 0x00, 0x00, 0x13, 0x00, 0x62, 0x22, 0x22, 0x22, 0x33, 0x33, 0x03, 0x00, 0x00, 0x03, 0x29, 0x29, 0x29, 0xFE, 0x5F, 0x70, 0x17, 0xE0, 0x90, 0x1F, 0xDE, 0x5F, 0x00, 0xF0, 0x1F, 0x1E, 0xFF, 0x10, 0xFF, 0x6B, 0x10, 0x0A, 0x0A, 0x0A, 0x7F, 0xFF, 0x0F, 0xFF, 0x00, 0xFF, 0x08, 0x20, 0x20, 0x20, 0x20, 0x10, 0x00, 0x0F, 0xFF, 0xEF, 0xFF, 0xEF, 0x40, 0x0E, 0x00, 0x2F, 0x4F, 0xCE, 0xC8, 0xCE, 0x88, 0x4F, 0x2C, 0x00, 0x2C, 0x2C, 0x88, 0x88, 0xAA, 0xAA, 0x1B, 0x34, 0x38, 0x34, 0x34, 0xFF, 0x77, 0x70, 0x17, 0x02, 0xA0, 0x1F, 0x8A, 0x17, 0x35, 0x01, 0x35, 0x35, 0xCC, 0xE8, 0x88, 0xE8, 0x4B, 0x20, 0x67, 0xBF, 0x00, 0x1F, 0xD7, 0xFE, 0x10, 0x0C, 0xCF, 0xE7, 0x04, 0xFE, 0x5F, 0xF3, 0xEF, 0x10, 0x00, 0x83, 0xFF, 0x10, 0x16, 0x6F, 0x4F, 0xFE, 0x5F, 0x00, 0x0A, 0x00, 0x8F, 0x00, 0x0B, 0x37, 0x37, 0x37, 0x81, 0x04, 0x93, 0xFF, 0x80, 0xFF, 0x4B, 0x1F, 0x1F, 0x1F, 0x10, 0x27, 0x73, 0xFF, 0xB3, 0x2F, 0xFF, 0xEE, 0x3F, 0xEF, 0x20, 0x06, 0xEE, 0x43, 0x00, 0x4D, 0xD7, 0x70, 0x17, 0xAB, 0x00, 0xE0, 0x1F, 0xEF, 0x00, 0x50, 0x3F, 0xFE, 0x2A, 0x3F, 0x22, 0x10, 0x27, 0x53, 0xE7, 0x10, 0x01, 0xDD, 0xC7, 0x00, 0xE9, 0xFF, 0x01, 0x6B, 0x0A, 0x0A, 0x0A, 0xF7, 0x01, 0x77, 0x77, 0x77, 0x5A, 0x08, 0x08, 0x08, 0x20, 0x06, 0x21, 0x77, 0xDA, 0x20, 0x07, 0x00, 0x00, 0x70, 0x07, 0xBD, 0x2F, 0xF0, 0x70, 0x17, 0x90, 0x1F, 0xDD, 0x37, 0x70, 0x37, 0xFF, 0xF7, 0x77, 0xF7, 0x08, 0x4E, 0x0F, 0x0F, 0x0F, 0x8D, 0x67, 0x10, 0x00, 0xD0, 0x08, 0x43, 0x29, 0x29, 0x29, 0xFF, 0xEF, 0xFB, 0xFF, 0xF1, 0x30, 0xFF, 0x0F, 0x45, 0x8F, 0x10, 0x25, 0xED, 0x1F, 0x0F, 0xFF, 0xFF, 0x00, 0x1D, 0x03, 0x03, 0x03, 0xF0, 0x0F, 0x03, 0x7D, 0x07, 0x2F, 0xFA, 0xF0, 0x00, 0x30, 0x0F, 0x00, 0xF0, 0xFF, 0xF0, 0xFF, 0x82, 0x1D, 0x1D, 0x1D, 0xE8, 0x7F, 0xFF, 0xF0, 0x0F, 0x10, 0x2C, 0xA3, 0xFF, 0x70, 0x10, 0x07, 0xC3, 0xFF, 0xBF, 0xFF, 0x3F, 0xC0, 0x5F, 0x07, 0x8F, 0xFF, 0x0F, 0x0A, 0x02, 0x02, 0x02, 0x01, 0x00, 0xEF, 0x13, 0x11, 0x82, 0x21, 0x21, 0x21, 0x11, 0x1C, 0x11, 0x11, 0x11, 0x00, 0x36, 0x07, 0x70, 0x17, 0x01, 0x00, 0x1F, 0x10, 0x11, 0x04, 0x11, 0x0A, 0x37, 0x37, 0x37, 0xFA, 0x1F, 0x3D, 0xFF, 0x1F, 0x71, 0xFF, 0x8B, 0x20, 0x67, 0x95, 0xFF, 0x26, 0x87, 0x2A, 0x5F, 0x10, 0x06, 0x0F, 0x2F, 0x08, 0x00, 0xFF, 0x08, 0x0C, 0xA1, 0x87, 0xFF, 0xDF, 0xFF, 0x30, 0xCF, 0x0E, 0x3B, 0xE4, 0xEB, 0xCF, 0xCC, 0xCC, 0xCE, 0xCC, 0x00, 0x61, 0x20, 0x20, 0x20, 0xEE, 0xEE, 0xFF, 0xFF, 0x74, 0x01, 0x00, 0x28, 0x17, 0x70, 0x17, 0x00, 0x00, 0x1F, 0x80, 0xD0, 0x1F, 0xCC, 0xED, 0x01, 0xCC, 0xEC, 0xAA, 0x1F, 0x1F, 0x1F, 0xF3, 0x27, 0xFF, 0x63, 0x57, 0x3C, 0x1F, 0x6F, 0xFF, 0xFE, 0xFF, 0xFE, 0x10, 0x06, 0x7F, 0xFF, 0x43, 0xEF, 0xFC, 0xF3, 0xFF, 0x03, 0xA9, 0xFF, 0x00, 0x4A, 0x47, 0xF3, 0xEF, 0x10, 0x06, 0x83, 0xFF, 0x0E, 0xEF, 0x6F, 0xB7, 0xBB, 0x00, 0x37, 0x33, 0x6A, 0x0A, 0x0A, 0x0A, 0xFF, 0xEF, 0xA7, 0x82, 0xF7, 0x10, 0x3C, 0xF7, 0x77, 0x77, 0x24, 0xE7, 0x2D, 0x17, 0x70, 0x07, 0x38, 0x00, 0x00, 0x77, 0x07, 0x57, 0x0F, 0x70, 0x1F, 0xBB, 0xBB, 0x33, 0x30, 0x73, 0x05, 0x43, 0x2F, 0xD0, 0x1F, 0xBB, 0x7B, 0x33, 0xF7, 0x6A, 0x0B, 0xAD, 0x57, 0x20, 0x3F, 0x01, 0x3D, 0x4F, 0xFE, 0x2C, 0xF7, 0x4B, 0xDA, 0xA4, 0xF7, 0x0F, 0x73, 0xFF, 0x0F, 0x26, 0x88, 0x26, 0x5E, 0x20, 0x10, 0x15, 0xAC, 0xF7, 0x0F, 0x70, 0x16, 0xAC, 0xE7, 0xF0, 0x0F, 0x03, 0x96, 0xE7, 0xF0, 0xFF, 0xA2, 0x16, 0x31, 0x16, 0x16, 0xF0, 0x0F, 0x07, 0x8F, 0xFF, 0xEF, 0xFF, 0xEF, 0x30, 0x9C, 0x80, 0xFF, 0xFF, 0x8A, 0xCC, 0x8E, 0x88, 0x0B, 0x34, 0x34, 0x0F, 0x34, 0xCC, 0xCC, 0x88, 0x40, 0x07, 0xFF, 0xFF, 0x70, 0x17, 0x01, 0x00, 0x1F, 0x41, 0x8C, 0x00, 0x50, 0x3F, 0xC9, 0xFF, 0xEC, 0xFF, 0x62, 0x07, 0xB1, 0x07, 0xC0, 0x10, 0x1E, 0x73, 0xFF, 0x10, 0x1E, 0x70, 0x87, 0xBF, 0xFF, 0x8F, 0x4F, 0x0F, 0x0F, 0x00, 0x0F, 0x08, 0x08, 0x8C, 0x88, 0x62, 0x29, 0x29, 0x43, 0x29, 0xFF, 0xFF, 0x00, 0x00, 0x88, 0x88, 0x5E, 0xFF, 0x50, 0x07, 0x80, 0x02, 0x00, 0x1F, 0x80, 0x00, 0xA8, 0x0F, 0x36, 0x36, 0x36, 0x07, 0xFD, 0xFF, 0xF8, 0xFF, 0x43, 0x20, 0x67, 0x10, 0x27, 0x03, 0xEF, 0x0B, 0xEE, 0x57, 0x01, 0x43, 0x4C, 0x49, 0x4D, 0xFF, 0xFE, 0x14, 0x3F, 0xA5, 0x02, 0x02, 0x28, 0x80, 0x00, 0x00, 0x01, 0x2F, 0xFB, 0x69, 0x08, 0x6D, 0x61, 0x67, 0x10, 0x3F, 0xB8, 0x01, 0x00, 0x01, 0x70, 0x0A, 0x54, 0x83, 0x44, 0xC9, 0x04, 0x30, 0x05, 0x1F, 0xA2, 0xFF, 0x11, 0x00, 0x7D, 0x17, 0x17, 0x17, 0xCC, 0xDC, 0x55, 0x55, 0x00, 0xC9, 0x3D, 0x3D, 0x3D, 0xFF, 0xF0, 0x0F, 0x0F, 0x60, 0x70, 0x20, 0x07, 0x3F, 0xB9, 0x02, 0xF8, 0xF8, 0xF8, 0x1B, 0x01, 0xFF, 0x71, 0xFF, 0x59, 0x14, 0x14, 0x14, 0x85, 0x4F, 0x01, 0xF0, 0xF0, 0xF0, 0xE4, 0x91, 0x91, 0x91, 0x10, 0x07, 0xFF, 0xDF, 0x00, 0xBF, 0x93, 0x3F, 0x37, 0x18, 0x04, 0x04, 0x04, 0xC0, 0x7F, 0xFF, 0x2F, 0x16, 0x0F, 0x70, 0x08, 0x08, 0x08, 0x99, 0x00, 0x99, 0x55, 0x55, 0xED, 0x2C, 0x2C, 0x2C, 0x2A, 0x10, 0xF1, 0x11, 0xFF, 0x31, 0xE7, 0xF0, 0xFF, 0x00, 0x00, 0x40, 0x22, 0x21, 0xC3, 0x0F, 0xFF, 0xF0, 0xF0, 0x8C, 0xD3, 0x3C, 0xD3, 0xD3, 0x10, 0x0F, 0x0D, 0xB7, 0xE3, 0xEF, 0xF3, 0xFF, 0x83, 0xEF, 0x77, 0x7F, 0x20, 0x77, 0x12, 0x2F, 0xF7, 0x03, 0x55, 0x50, 0x77, 0xCD, 0x00, 0x7E, 0x7E, 0x7E, 0x9D, 0xEE, 0x55, 0x11, 0xA5, 0x82, 0x20, 0x07, 0xFF, 0x7F, 0x77, 0x77, 0x26, 0x22, 0x67, 0xFF, 0x20, 0xFF, 0xF7, 0x4F, 0xFF, 0xCC, 0x8C, 0x11, 0x11, 0xED, 0x00, 0x9E, 0x9E, 0x9E, 0xAE, 0x51, 0x10, 0xF5, 0xB9, 0x10, 0x3B, 0x3B, 0x3B, 0xFF, 0xFF, 0xFB, 0xFF, 0xF3, 0xFF, 0x41, 0x62, 0x29, 0xAF, 0x7F, 0x93, 0x7F, 0x37, 0xB8, 0x2D, 0xB7, 0x90, 0x20, 0x36, 0x77, 0x06, 0x2F, 0xFF, 0x77, 0xFF, 0x77, 0x77, 0x40, 0x66, 0x22, 0xAF, 0x95, 0xEA, 0x57, 0x01, 0xB1, 0x5D, 0x00, 0x5D, 0x5D, 0x00, 0x00, 0xDD, 0xDD, 0xE1, 0x9F, 0x35, 0x9F, 0x9F, 0x40, 0x17, 0x29, 0xDF, 0xF7, 0x20, 0x5F, 0x22, 0x3D, 0xE4, 0x5C, 0x40, 0x50, 0x17, 0xAA, 0xF0, 0x5F, 0x20, 0x40, 0x35, 0x2B, 0x7B, 0xFF, 0x10, 0x73, 0xFF, 0x82, 0x2A, 0x0F, 0xC3, 0xD1, 0x1F, 0x13, 0x00, 0x98, 0x2A, 0x2A, 0x2A, 0x77, 0x77, 0x77, 0x77, 0x60, 0x6E, 0x2F, 0xFF, 0x70, 0x3F, 0x33, 0x73, 0xDD, 0xDD, 0x81, 0x00, 0x8F, 0x8F, 0x8F, 0x4A, 0xD5, 0x50, 0x57, 0xAD, 0x08, 0x3C, 0x3C, 0x3C, 0x7F, 0x20, 0xD7, 0x2A, 0x01, 0x01, 0x41, 0x01, 0x70, 0x67, 0x9D, 0xEA, 0x57, 0x11, 0xA9, 0x20, 0xDF, 0xE0, 0x70, 0x67, 0x70, 0x77, 0x7F, 0xFF, 0x8E, 0x54, 0x10, 0xF7, 0xD5, 0x80, 0x2A, 0x67, 0x55, 0xA8, 0x7F, 0x15, 0xB5, 0x2B, 0x2B, 0x2E, 0x2B, 0xF7, 0x20, 0x60, 0x2E, 0x30, 0x3F, 0x21, 0x07, 0x30, 0xA7, 0x35, 0x08, 0x22, 0x55, 0x11, 0x85, 0x20, 0x5F, 0xAA, 0x1B, 0x11, 0x04, 0x51, 0x8D, 0x8E, 0x8E, 0x8E, 0xFF, 0xFF, 0x39, 0x7B, 0x00, 0x73, 0xF3, 0xCC, 0x61, 0x61, 0x61, 0xFF, 0x7F, 0x38, 0xFF, 0x7F, 0x31, 0x4F, 0x7F, 0xFF, 0x70, 0x47, 0x93, 0x9B, 0x37, 0x06, 0x33, 0xD8, 0x38, 0x38, 0x38, 0x70, 0x47, 0x21, 0x16, 0x77, 0x41, 0x2E, 0x23, 0xC7, 0x7F, 0xF7, 0x77, 0xFF, 0x03, 0x20, 0xA7, 0x10, 0x00, 0x00, 0x5D, 0x50, 0xFF, 0x59, 0x11, 0x75, 0xAD, 0xC0, 0x31, 0x7F, 0xE3, 0xEF, 0x39, 0xFF, 0x73, 0xF7, 0xF0, 0x51, 0x30, 0x51, 0x51, 0x73, 0xFF, 0xB3, 0xEF, 0x6C, 0xD4, 0xD4, 0xD4, 0x80, 0x73, 0xFF, 0x23, 0x10, 0xC4, 0xFD, 0xA1, 0xCF, 0xCF, 0x57, 0xCF, 0x31, 0x1F, 0x96, 0x61, 0x7F, 0xA6, 0x4B, 0x2F, 0x51, 0x77, 0x00, 0x70, 0xFF, 0xF7, 0x71, 0x77, 0x71, 0xC7, 0x71, 0x77, 0x71, 0x67, 0xC1, 0x61, 0x77, 0x71, 0x67, 0x81, 0x3F, 0x80, 0x61, 0xE7, 0x0E, 0x15, 0x50, 0x77, 0xB5, 0x28, 0x28, 0x5A, 0x28, 0x21, 0xE7, 0x11, 0x31, 0xE7, 0x20, 0xD7, 0xF7, 0xB1, 0x5F, 0x1D, 0x00, 0x3C, 0x31, 0xF1, 0xB0, 0xA2, 0xA2, 0xA2, 0xB7, 0x83, 0x22, 0x1F, 0x78, 0x15, 0x15, 0x15, 0x7F, 0x22, 0x1F, 0x30, 0xF7, 0x8D, 0x82, 0x1F, 0xAA, 0x57, 0x11, 0x30, 0xF7, 0x22, 0x1F, 0x5D, 0x42, 0x1F, 0xC2, 0x61, 0x77, 0x7F, 0x87, 0x22, 0x53, 0x11, 0x55, 0x31, 0x7F, 0xBD, 0x01, 0x39, 0x33, 0x73, 0xD8, 0x83, 0x83, 0x83, 0x31, 0x67, 0xC0, 0x42, 0x5F, 0x62, 0x07, 0x9F, 0xE9, 0x97, 0x1F, 0x30, 0x05, 0x01, 0x05, 0x05, 0xFB, 0xFF, 0x1D, 0x11, 0x85, 0x21, 0x9F, 0x60, 0x7F, 0x22, 0x38, 0xBF, 0xBF, 0x9D, 0x3C, 0x31, 0x71, 0xD4, 0x00, 0xA3, 0xA3, 0xA3, 0xF7, 0x6F, 0xF7, 0x1F, 0x22, 0xDA, 0x32, 0x17, 0x22, 0xF7, 0x07, 0x32, 0x1F, 0x20, 0xA7, 0x66, 0x2F, 0xFC, 0xE1, 0x00, 0xDD, 0x1F, 0x11, 0xB4, 0x6B, 0x6B, 0x6B, 0xEE, 0x01, 0x50, 0x11, 0xF1, 0xB5, 0x6C, 0x6C, 0x6C, 0xFF, 0xFF, 0x40, 0x79, 0x32, 0xDF, 0x16, 0x16, 0x16, 0xFF, 0x83, 0xFF, 0x31, 0x1F, 0x14, 0x22, 0xDF, 0xF0, 0x3F, 0xA5, 0xAA, 0x1D, 0x40, 0xBF, 0x00, 0x1D, 0x1E, 0x11, 0xF1, 0xD0, 0xB4, 0xB4, 0xB4, 0x83, 0xFF, 0xFF, 0x99, 0x99, 0x99, 0x99, 0x23, 0xA0, 0x07, 0x05, 0x00, 0x1F, 0xA0, 0x97, 0xEF, 0xBF, 0x00, 0x33, 0xFF, 0x7F, 0xB7, 0x00, 0x88, 0x13, 0x10, 0xF5, 0xF5, 0xF5, 0x21, 0xF9, 0xBB, 0x1D, 0xF9, 0xF9, 0x02, 0xF9, 0xCF, 0xED, 0xE0, 0xEC, 0x94, 0x27, 0xFF, 0xEF, 0x10, 0xFE, 0xEE, 0xEE, 0x33, 0xF7, 0x3B, 0xF7, 0x88, 0x00, 0x00, 0x86, 0xE2, 0xE2, 0xE2, 0x00, 0x1F, 0x1F, 0xF0, 0x00, 0x0E, 0xFD, 0xFD, 0xFD, 0x3E, 0xF0, 0x0E, 0x0E, 0x41, 0x8C, 0x23, 0xBF, 0xFF, 0x1F, 0x00, 0x10, 0x07, 0x28, 0x2B, 0x00, 0xFE, 0xBF, 0xF0, 0x3F, 0x68, 0x40, 0x40, 0x40, 0x00, 0xC3, 0x01, 0x17, 0x13, 0xB4, 0x6E, 0x6E, 0x6E, 0x04, 0xFE, 0xE3, 0xF0, 0x0F, 0x8C, 0x21, 0x97, 0xE1, 0x00, 0x00, 0x0F, 0x8F, 0x80, 0xDF, 0xDF, 0xDF, 0x00, 0xB7, 0x10, 0x01, 0x80, 0x26, 0x2F, 0xFC, 0x57, 0xBB, 0x80, 0xAA, 0x00, 0x35, 0xE7, 0xE7, 0xE7, 0x00, 0xE3, 0xF0, 0xE0, 0x00, 0x10, 0xFA, 0xFA, 0xFA, 0xF1, 0xFF, 0xF0, 0xFF, 0x40, 0x93, 0x21, 0x47, 0xB9, 0xF7, 0x8C, 0x00, 0x35, 0xEA, 0x01, 0xEA, 0xEA, 0x00, 0xDE, 0xFF, 0x10, 0x06, 0x2F, 0xFC, 0x00, 0xDE, 0x3C, 0xCE, 0x0E, 0x54, 0x06, 0x06, 0x06, 0x00, 0x32, 0x33, 0x0E, 0x00, 0x13, 0xF7, 0xF7, 0xF7, 0x05, 0x1C, 0x79, 0x71, 0xF3, 0xD0, 0x22, 0x2F, 0xFF, 0x26, 0xEF, 0x00, 0x68, 0x4E, 0x4E, 0x4E, 0x1F, 0x3C, 0x70, 0xF0, 0x0C, 0x54, 0xE6, 0xE6, 0xE6, 0x70, 0x0F, 0x78, 0xC7, 0x80, 0xB3, 0x19, 0x88, 0x88, 0x32, 0x20, 0x9F, 0x20, 0x97, 0x00, 0x06, 0x28, 0xC3, 0x04, 0xE1, 0xC1, 0xE0, 0xEE, 0xB4, 0x22, 0x67, 0xCC, 0x4C, 0x10, 0xBB, 0xBB, 0x0D, 0x20, 0x6F, 0x7B, 0x00, 0x08, 0xFF, 0x00, 0x22, 0xF1, 0xF1, 0xF1, 0xEE, 0x1E, 0xFE, 0x0E, 0x00, 0x8F, 0x1E, 0x1E, 0x1E, 0x3E, 0x00, 0x0F, 0xEF, 0x00, 0x80, 0xAF, 0xAF, 0xAF, 0x00, 0x7E, 0x10, 0x11, 0x80, 0x30, 0x9F, 0x45, 0x80, 0x91, 0x88, 0x35, 0xFC, 0xFC, 0x02, 0xFC, 0xCC, 0xE0, 0x00, 0xF0, 0x6F, 0x20, 0x77, 0xC1, 0x08, 0xEF, 0xE0, 0xEE, 0xD0, 0x20, 0xD7, 0x88, 0x44, 0xBB, 0x00, 0x19, 0x15, 0xFB, 0xFB, 0xFB, 0x00, 0x00, 0x08, 0x21, 0xDD, 0x22, 0x35, 0x3F, 0x10, 0xEE, 0x0E, 0x58, 0x27, 0x87, 0x04, 0xCE, 0xCC, 0x0F, 0x00, 0x4B, 0x20, 0x9F, 0x1E, 0x7C, 0x00, 0x70, 0xF0, 0x70, 0xE5, 0xE5, 0xE5, 0xB7, 0xC3, 0x10, 0x37, 0x1F, 0x34, 0x20, 0xB7, 0x10, 0xFF, 0xFF, 0xF0, 0x41, 0x10, 0x29, 0x57, 0xC1, 0xE1, 0x1F, 0x07, 0x70, 0x24, 0x3F, 0x00, 0xE9, 0xFE, 0x03, 0x00, 0x86, 0xDB, 0xDB, 0xDB, 0x06, 0x4C, 0xA0, 0x00, 0xEA, 0x79, 0x20, 0xF7, 0x79, 0x77, 0xBD, 0x00, 0xB8, 0x70, 0x33, 0x78, 0xC5, 0xC5, 0xC5, 0xBB, 0x08, 0x5B, 0xAA, 0xAA, 0x51, 0x20, 0x3F, 0x39, 0xFF, 0x0C, 0x00, 0x00, 0x33, 0xF6, 0xF6, 0xF6, 0x11, 0x31, 0x55, 0x00, 0x45, 0x3D, 0x19, 0x19, 0x19, 0xCB, 0x00, 0x07, 0x00, 0xFF, 0x80, 0xBF, 0xBF, 0xBF, 0xCE, 0x3C, 0x10, 0x00, 0x71, 0x74, 0xE9, 0xE9, 0xE9, 0x08, 0xFF, 0x73, 0x04, 0x0F, 0x50, 0x18, 0x18, 0x18, 0x21, 0x77, 0xF0, 0x0A, 0xC2, 0x31, 0xAF, 0x29, 0xC8, 0xD0, 0x48, 0x48, 0x48, 0x77, 0xEF, 0xBF, 0x01, 0x93, 0x80, 0xC8, 0x3A, 0xF4, 0xF4, 0xF4, 0xF4, 0x0F, 0x06, 0xF5, 0x5F, 0xA8, 0x8A, 0x31, 0x20, 0x9F, 0x2F, 0x3F, 0x0C, 0x41, 0xC4, 0x21, 0x8F, 0xFE, 0xEF, 0xFE, 0xEF, 0x26, 0x2F, 0xFF, 0x04, 0x1E, 0x3C, 0x8F, 0x0E, 0x90, 0x25, 0x1F, 0x00, 0x10, 0x10, 0x00, 0x70, 0x67, 0x21, 0x17, 0x3C, 0xFD, 0xF1, 0xF1, 0x08, 0xA4, 0x70, 0x70, 0x70, 0x7A, 0x17, 0x3C, 0xFC, 0x70, 0x04, 0xF1, 0x88, 0xB2, 0xB2, 0xB2, 0x91, 0x67, 0x0F, 0xB0, 0xE0, 0x46, 0x3F, 0x61, 0x87, 0x71, 0x67, 0xDC, 0x01, 0x11, 0x11, 0x2A, 0x82, 0x2A, 0x33, 0x80, 0x00, 0x89, 0x88, 0x3A, 0x2F, 0xFC, 0x1F, 0x00, 0xE8, 0x80, 0xEE, 0xB9, 0xC6, 0xC6, 0xC6, 0xD9, 0x00, 0xEE, 0xEA, 0xEE, 0xAD, 0x60, 0x60, 0x60, 0x87, 0x08, 0xBE, 0x88, 0x30, 0x6C, 0x20, 0xE7, 0x87, 0xFE, 0x1F, 0x00, 0x00, 0xD1, 0xAD, 0xAD, 0xAD, 0xFF, 0xC6, 0xEE, 0x27, 0x0F, 0x90, 0x23, 0xF7, 0x37, 0x33, 0x21, 0x3F, 0x20, 0xD7, 0x2F, 0x7F, 0x00, 0xE8, 0x37, 0xFE, 0xFE, 0xFE, 0x15, 0x19, 0xA0, 0x20, 0xAA, 0x79, 0x24, 0xBF, 0x00, 0x38, 0xFF, 0x70, 0x14, 0x84, 0x21, 0x6F, 0x12, 0x11, 0x54, 0x55, 0x31, 0x07, 0x1B, 0xF7, 0x10, 0x8E, 0x00, 0x39, 0x22, 0x1F, 0xEF, 0x9E, 0x00, 0x30, 0x41, 0x32, 0x22, 0xA7, 0x8B, 0x83, 0x37, 0x07, 0xCC, 0x44, 0x1F, 0x20, 0xEE, 0xDF, 0x40, 0xA7, 0x16, 0x71, 0xCF, 0xB0, 0x52, 0x01, 0x52, 0x52, 0x3C, 0x00, 0x0E, 0x08, 0xA4, 0x21, 0x2F, 0x00, 0x3C, 0xFC, 0xF0, 0xF1, 0x8C, 0xC2, 0xC2, 0xC2, 0x00, 0x3C, 0x78, 0x8F, 0x0E, 0xB0, 0x4D, 0x4D, 0x4D, 0x04, 0xEF, 0x3E, 0x00, 0x70, 0x70, 0x21, 0x3F, 0x7A, 0xEF, 0x00, 0xF0, 0xFF, 0x2F, 0x09, 0x09, 0x09, 0x33, 0x52, 0x10, 0x00, 0xF0, 0x67, 0x22, 0x6F, 0x3C, 0xBB, 0xF0, 0x33, 0x00, 0xA4, 0x50, 0x50, 0x50, 0x3E, 0xF0, 0x0F, 0x0E, 0x41, 0x90, 0x20, 0x27, 0xFF, 0x3F, 0x00, 0x70, 0x0A, 0x21, 0x7F, 0x04, 0xC3, 0xF3, 0x1F, 0x07, 0xA8, 0x22, 0xC7, 0xFF, 0xEF, 0x82, 0x52, 0x47, 0x7C, 0xFF, 0xF0, 0xF7, 0x80, 0x20, 0x27, 0x9F, 0x08, 0xE3, 0x3F, 0x0F, 0x30, 0x21, 0x7F, 0x3C, 0x78, 0x70, 0x20, 0xF3, 0xB0, 0x21, 0x17, 0xC3, 0xE1, 0x0F, 0x0F, 0x90, 0x84, 0x2B, 0x4F, 0x01, 0x00, 0x03, 0xFF, 0x32, 0x17, 0xC3, 0xE1, 0x11, 0xE0, 0xF8, 0x90, 0x31, 0x2F, 0xA3, 0x00, 0xE0, 0x31, 0xC7, 0x06, 0xC3, 0xFE, 0xF8, 0xFE, 0xAC, 0x20, 0x5F, 0x09, 0x27, 0xFF, 0xFF, 0xEC, 0xBB, 0xEF, 0xF0, 0x0F, 0x81, 0xEF, 0x0F, 0x53, 0x57, 0x00, 0x00, 0x0F, 0x00, 0xF0, 0x02, 0x0F, 0x98, 0x84, 0x84, 0x84, 0xFF, 0x2A, 0x91, 0x42, 0x00, 0xE3, 0xE3, 0xE3, 0xFF, 0x30, 0xF0, 0x8F, 0x8C, 0x00, 0x82, 0x82, 0x82, 0x78, 0xF7, 0x0E, 0x00, 0x8C, 0x00, 0xBE, 0xBE, 0xBE, 0x00, 0x00, 0xFE, 0xF0, 0x1C, 0xAE, 0x24, 0x57, 0xF0, 0x23, 0xEF, 0x42, 0x28, 0x17, 0x41, 0xDF, 0x23, 0x67, 0x38, 0x00, 0xBB, 0x73, 0x77, 0xD6, 0x44, 0x44, 0x44, 0xFF, 0x0C, 0x00, 0xFF, 0x0F, 0x1C, 0x2A, 0xD7, 0x2A, 0xD1, 0x00, 0xB3, 0x00, 0xE8, 0xE8, 0xE8, 0x9B, 0xCB, 0x37, 0x17, 0xD4, 0x10, 0x3A, 0x3A, 0x3A, 0x71, 0x57, 0x80, 0xF7, 0xF0, 0xF0, 0x68, 0x30, 0x38, 0xA7, 0x2A, 0xEF, 0xC8, 0x23, 0xFF, 0x87, 0x87, 0xF0, 0x38, 0xF0, 0x90, 0x4A, 0xD7, 0xE0, 0x97, 0x2C, 0xB7, 0x8C, 0x80, 0x80, 0x44, 0x80, 0x00, 0x10, 0x0F, 0xFF, 0x0F, 0x93, 0x4D, 0x5E, 0x0F, 0xFF, 0x6E, 0xE0, 0x28, 0x6F, 0x00, 0x00, 0x0F, 0xF0, 0x23, 0xEF, 0x20, 0x77, 0x23, 0xB6, 0xFF, 0x0D, 0x60, 0x30, 0x30, 0x30, 0x00, 0x00, 0x0F, 0x24, 0x78, 0x0C, 0x50, 0x9F, 0x3E, 0xFF, 0xA2, 0x30, 0xDF, 0xE0, 0x0F, 0x2F, 0xF8, 0x43, 0xEF, 0x21, 0x06, 0x0F, 0x60, 0xD4, 0x3D, 0x57, 0x63, 0xFF, 0x30, 0x7C, 0x8E, 0x0E, 0x70, 0x14, 0x1A, 0x1A, 0x1A, 0x2F, 0xF9, 0x7F, 0x3D, 0x67, 0x5F, 0x99, 0x1C, 0x00, 0x88, 0x71, 0x34, 0xE7, 0x34, 0x87, 0x2D, 0x77, 0x8F, 0x70, 0x10, 0x00, 0xF7, 0xF9, 0x26, 0x67, 0xCC, 0xCC, 0xAA, 0xAA, 0x60, 0x31, 0x2D, 0x87, 0x70, 0x07, 0xAA, 0xAA, 0x77, 0x77, 0xB2, 0x14, 0x20, 0x20, 0x20, 0x30, 0x07, 0x96, 0x20, 0x07, 0x77, 0xA1, 0x00, 0x88, 0xF8, 0x95, 0xD6, 0xD6, 0xD6, 0x09, 0xFF, 0x10, 0xEC, 0x0F, 0x90, 0x27, 0x57, 0xBB, 0x72, 0x66, 0xF6, 0x0E, 0x11, 0x02, 0x02, 0x02, 0x00, 0x37, 0xFF, 0x3B, 0xEF, 0x8B, 0xFF, 0x38, 0x02, 0x70, 0x70, 0x78, 0xD5, 0xD5, 0xD5, 0x7F, 0xFF, 0x87, 0x08, 0xF7, 0x0F, 0x0F, 0x6C, 0x20, 0x8F, 0xFF, 0xDF, 0x77, 0x24, 0x57, 0x0D, 0x2C, 0x47, 0x83, 0xC3, 0x73, 0x47, 0xB8, 0xBB, 0xB9, 0x3E, 0x07, 0x87, 0x21, 0x67, 0x3C, 0x2F, 0x2F, 0xF9, 0x80, 0x06, 0x2E, 0x17, 0x43, 0xCF, 0x21, 0x77, 0x88, 0x90, 0x90, 0x90, 0x01, 0x01, 0xFF, 0x2E, 0x2F, 0x70, 0x88, 0x31, 0x77, 0x8A, 0x6F, 0xD0, 0x0F, 0x7F, 0x7F, 0x0F, 0x0F, 0x00, 0x10, 0x07, 0x07, 0x07, 0xF8, 0x00, 0x0D, 0xFF, 0x41, 0x02, 0x25, 0x7F, 0xFF, 0x7C, 0xFF, 0x0F, 0x10, 0x2A, 0x17, 0x50, 0x78, 0x22, 0x50, 0x82, 0x25, 0x17, 0x33, 0x91, 0x00, 0xC8, 0x65, 0x37, 0x24, 0xF7, 0x28, 0x79, 0xAA, 0x3D, 0x3A, 0x8F, 0x3C, 0x53, 0xFF, 0x06, 0x2B, 0x62, 0x60, 0x66, 0x59, 0x2C, 0xEF, 0x81, 0x1F, 0xAC, 0xA1, 0x91, 0x1F, 0x92, 0x21, 0x1F, 0xFF, 0x6F, 0x66, 0x66, 0x30, 0xC7, 0x00, 0xCB, 0xE9, 0xEC, 0xFC, 0xAC, 0x71, 0x71, 0x71, 0x06, 0x9F, 0x3C, 0x8F, 0x8F, 0x54, 0x2D, 0x0F, 0x3A, 0x47, 0xA2, 0x84, 0x3F, 0xFF, 0x5C, 0xFF, 0x0F, 0x8B, 0x25, 0xE7, 0x08, 0x00, 0x10, 0x3F, 0x33, 0x0B, 0x2F, 0xFC, 0x3C, 0x9B, 0x70, 0x33, 0x09, 0xB4, 0xB6, 0xB6, 0xB6, 0x24, 0x27, 0xFF, 0xA0, 0x25, 0x57, 0x04, 0x10, 0xDD, 0xFF, 0x11, 0x02, 0x2F, 0xFC, 0xC1, 0x7F, 0x00, 0x03, 0x00, 0xAC, 0xCE, 0xCE, 0xCE, 0xC4, 0xC4, 0x10, 0xBB, 0x13, 0x03, 0x2F, 0xFC, 0xCC, 0xA0, 0x00, 0xF0, 0x41, 0x57, 0x25, 0x47, 0xEA, 0xF0, 0xEE, 0x0A, 0x95, 0x20, 0x2F, 0x04, 0xBF, 0xB8, 0x30, 0x71, 0x34, 0x22, 0x97, 0x07, 0x33, 0x14, 0x5F, 0x00, 0xD5, 0x32, 0xCF, 0x10, 0x51, 0xBF, 0x01, 0x00, 0x22, 0xFF, 0xFE, 0x47, 0x3F, 0x87, 0x80, 0xF0, 0x30, 0x1F, 0xF5, 0xA0, 0x26, 0xCF, 0x47, 0x2A, 0xF7, 0x83, 0xC1, 0xE0, 0xF8, 0xB4, 0x12, 0xC3, 0xC3, 0xC3, 0x07, 0xFB, 0xFF, 0xFF, 0x7F, 0x57, 0x17, 0xDF, 0x08, 0x9D, 0xCF, 0xCC, 0x98, 0x2F, 0xEF, 0x88, 0x88, 0xAA, 0x36, 0xAA, 0xE5, 0x2F, 0xE7, 0x31, 0xB0, 0xE4, 0x41, 0xE7, 0x5F, 0xFF, 0xC9, 0x0E, 0xFC, 0xE8, 0xFF, 0xC9, 0x31, 0x5F, 0x00, 0x63, 0xFF, 0x30, 0x3F, 0xB8, 0x84, 0xA0, 0x3F, 0xFF, 0xE0, 0xF0, 0xE0, 0x31, 0xFF, 0x3C, 0x39, 0x10, 0x8E, 0x8C, 0xB8, 0x2C, 0x0F, 0xAD, 0xFF, 0xA8, 0xFF, 0x00, 0xC3, 0x24, 0x24, 0x24, 0xFF, 0xFE, 0xFF, 0xEE, 0x41, 0x0E, 0x2B, 0x77, 0x08, 0x00, 0x88, 0xFF, 0x62, 0x27, 0x77, 0x04, 0x10, 0xFF, 0x11, 0x11, 0x4A, 0x27, 0xCF, 0xAE, 0xD9, 0x10, 0xAF, 0x8A, 0xA9, 0x26, 0x67, 0xDB, 0x55, 0xAA, 0xAA, 0x41, 0x6D, 0x25, 0xA7, 0x01, 0x00, 0x11, 0x01, 0x46, 0x27, 0x97, 0x42, 0x37, 0x26, 0xBF, 0x78, 0xEC, 0xEC, 0xEC, 0x20, 0x16, 0xAA, 0x00, 0x8D, 0xB1, 0xB1, 0xB1, 0xD9, 0xED, 0xCC, 0xEC, 0x41, 0xD4, 0x23, 0x8F, 0xCB, 0xFD, 0xE8, 0xFC, 0xA8, 0x45, 0x47, 0xBF, 0x57, 0xFF, 0xFE, 0x20, 0x58, 0x3F, 0xFF, 0x70, 0xC7, 0xF3, 0xFF, 0x70, 0xD7, 0x80, 0x87, 0x0A, 0xCF, 0xFF, 0x0F, 0x87, 0x53, 0xFF, 0xEF, 0x43, 0xFF, 0xDF, 0x20, 0xFF, 0xCF, 0x3F, 0xFF, 0xCB, 0xDD, 0xAB, 0xAA, 0xA5, 0x86, 0x36, 0xEF, 0xFF, 0xDC, 0xF0, 0x0A, 0x27, 0xF7, 0x2F, 0x2F, 0xFF, 0x40, 0x93, 0x27, 0x5F, 0x99, 0xA9, 0xAA, 0xEA, 0xA5, 0x81, 0x01, 0x81, 0x81, 0xF9, 0xFF, 0xF8, 0xFF, 0x63, 0x5A, 0x77, 0xA1, 0x73, 0xFF, 0xDB, 0x43, 0xFF, 0x9F, 0xFF, 0x8F, 0x87, 0x29, 0xFF, 0x04, 0xBA, 0xBB, 0xAE, 0xAA, 0x85, 0x2D, 0x37, 0x80, 0xFF, 0x40, 0xFD, 0x47, 0xEF, 0xF0, 0x58, 0xFF, 0x8E, 0xC9, 0x31, 0x03, 0x31, 0x31, 0xDD, 0xFA, 0xAA, 0xFA, 0x30, 0x57, 0x30, 0xA7, 0x82, 0x3C, 0xCF, 0x38, 0x7B, 0x8C, 0x88, 0xC8, 0x52, 0x37, 0x11, 0x40, 0x26, 0x2D, 0x7F, 0xDE, 0xDC, 0xEF, 0xCE, 0x58, 0x13, 0x00, 0x13, 0x13, 0xBA, 0x55, 0xAE, 0x8A, 0x8D, 0xA1, 0x01, 0xA1, 0xA1, 0x32, 0x33, 0xDD, 0x1D, 0x43, 0x44, 0x47, 0x10, 0x11, 0x11, 0xCA, 0x24, 0xFF, 0x33, 0x33, 0xAA, 0xAA, 0x42, 0x59, 0x2F, 0xB7, 0x55, 0xAB, 0xA8, 0xAA, 0x30, 0x1F, 0x1E, 0x08, 0x3E, 0x11, 0xF0, 0x70, 0x23, 0xC7, 0x8F, 0x78, 0x8F, 0x20, 0x0F, 0x74, 0x23, 0x47, 0x9D, 0xEC, 0xA8, 0xFE, 0xC5, 0xC8, 0x29, 0x6F, 0x91, 0x5F, 0xAB, 0x33, 0x3B, 0x1C, 0x00, 0x10, 0x10, 0x22, 0x11, 0x2A, 0x2F, 0xEC, 0xAE, 0xDD, 0xAF, 0x40, 0xD7, 0xAA, 0xC1, 0x21, 0x5F, 0x31, 0x47, 0xFF, 0x00, 0x11, 0x11, 0x56, 0x25, 0x57, 0xB4, 0x21, 0x67, 0xDC, 0x38, 0xBF, 0xA0, 0x5F, 0xEA, 0x30, 0x7F, 0x7F, 0xA1, 0x00, 0x00, 0xF8, 0x59, 0xEB, 0xEB, 0xEB, 0x85, 0xFF, 0x10, 0xE8, 0xFF, 0xCD, 0x20, 0xBF, 0xCD, 0xED, 0xEC, 0xFE, 0x68, 0xCC, 0x20, 0xC7, 0x00, 0x35, 0xFF, 0x23, 0x2E, 0x2B, 0xDE, 0x9D, 0xCE, 0xFD, 0xC2, 0x3F, 0xF3, 0xFF, 0x81, 0xFF, 0x7F, 0xFF, 0x21, 0x6F, 0x3D, 0xB7, 0xBC, 0x32, 0x1F, 0x10, 0x5C, 0x5C, 0x5C, 0x7F, 0xFF, 0xEF, 0xDE, 0xEF, 0xCE, 0x66, 0x16, 0x2D, 0x97, 0x29, 0x97, 0x10, 0x26, 0x32, 0x1F, 0x20, 0xA7, 0x5A, 0x82, 0x29, 0xEF, 0x9E, 0xD9, 0xAE, 0x8A, 0xB1, 0x25, 0xC7, 0x3B, 0x82, 0x61, 0x07, 0xEE, 0xEE, 0x11, 0x11, 0x83, 0x29, 0x3F, 0x00, 0x08, 0x1E, 0x11, 0xF0, 0xAC, 0x22, 0x1F, 0xD5, 0xAA, 0xAA, 0x25, 0xEA, 0x8D, 0x27, 0xDF, 0xDD, 0xEA, 0x51, 0x67, 0x1E, 0x2A, 0x47, 0x44, 0x80, 0x34, 0x0F, 0xEF, 0xFF, 0xEF, 0x3E, 0x67, 0xED, 0xFF, 0x1D, 0xEC, 0xFF, 0x62, 0xAF, 0xFF, 0x78, 0x07, 0x2F, 0xF9, 0xFD, 0x3E, 0xFF, 0x06, 0xDF, 0x9C, 0xCF, 0xCE, 0x58, 0x2E, 0x97, 0x72, 0xFF, 0x97, 0x08, 0xC3, 0xC0, 0xE8, 0x94, 0x25, 0x27, 0xFE, 0x70, 0xFF, 0x00, 0x0E, 0xB3, 0x35, 0x35, 0x35, 0x8D, 0xFE, 0xA8, 0x61, 0xFF, 0x41, 0x5F, 0x60, 0xB7, 0x78, 0x00, 0x0E, 0x1C, 0x3A, 0xC7, 0x05, 0xCC, 0xA4, 0x00, 0xF0, 0x2F, 0x28, 0xA7, 0xDA, 0x62, 0x37, 0x83, 0x72, 0x27, 0xC3, 0xFD, 0xF8, 0xFC, 0xA4, 0x28, 0xE7, 0x7F, 0xFF, 0x1E, 0xFD, 0xFF, 0xFC, 0x4E, 0x9F, 0x07, 0x8F, 0xFF, 0x07, 0x64, 0x87, 0x37, 0xDF, 0x02, 0xE7, 0x2F, 0xFF, 0xF0, 0x0F, 0x2C, 0xA0, 0xFF, 0x02, 0xAD, 0xDF, 0xF0, 0x0F, 0x0B, 0x81, 0x47, 0xBB, 0x2F, 0xA8, 0x03, 0x00, 0x20, 0x0F, 0x3F, 0x92, 0x31, 0x17, 0x0F, 0x29, 0x08, 0x00, 0x30, 0x0F, 0xFE, 0x03, 0x70, 0x5F, 0x71, 0x67, 0xF0, 0x0F, 0x07, 0x0A, 0x9F, 0x29, 0x9F, 0xC2, 0x1F, 0xE0, 0x0F, 0x00, 0xBC, 0x29, 0x9F, 0x06, 0xB2, 0x1F, 0xE0, 0x0F, 0x10, 0x09, 0x70, 0x07, 0x10, 0x66, 0x73, 0xFF, 0x43, 0x4C, 0x04, 0x49, 0x4D, 0xFF, 0xFE, 0x14, 0x3A, 0x65, 0x02, 0x28, 0x08, 0x20, 0x00, 0x00, 0x01, 0x2F, 0xE3, 0x69, 0x6D, 0x61, 0x21, 0x67, 0x10, 0x2F, 0xEB, 0xE1, 0x00, 0x28, 0x00, 0x3D, 0x9B, 0x72, 0x00, 0x20, 0x17, 0x04, 0x90, 0x01, 0x2E, 0x47, 0xF8, 0x80, 0x10, 0x5B, 0x80, 0x07, 0x80, 0x00, 0x88, 0x77, 0x77, 0x4A, 0xF8, 0x88, 0x09, 0x84, 0x85, 0x20, 0x07, 0x29, 0xFF, 0x8B, 0x04, 0xF6, 0xDF, 0x88, 0x30, 0x17, 0x00, 0xFE, 0x8B, 0x03, 0x04, 0x00, 0xDF, 0xDD, 0x81, 0x11, 0xFF, 0x9D, 0x25, 0x00, 0x16, 0xFF, 0xDD, 0xDD, 0xA1, 0x40, 0x17, 0xC0, 0x70, 0x07, 0x00, 0x50, 0x1F, 0xEE, 0xC8, 0x11, 0x71, 0x45, 0xFE, 0x60, 0x8C, 0x27, 0xB8, 0xF7, 0x3F, 0x77, 0x77, 0x31, 0xFF, 0x8C, 0x0B, 0x04, 0x88, 0x4C, 0x33, 0x20, 0x7F, 0x8A, 0x2E, 0x52, 0xE0, 0x7F, 0x03, 0x00, 0x77, 0xF7, 0x0B, 0xF8, 0x81, 0x2F, 0xFA, 0x10, 0x1C, 0xE7, 0x77, 0x28, 0x80, 0x7F, 0x23, 0x07, 0x89, 0x00, 0x02, 0xE7, 0xCC, 0xE8, 0x77, 0x00, 0x11, 0x45, 0xFF, 0x8C, 0x14, 0xFD, 0x6E, 0x11, 0x00, 0x00, 0x45, 0xFE, 0xAC, 0x34, 0x80, 0x88, 0x7F, 0x05, 0x77, 0x0B, 0xFF, 0x81, 0x02, 0x23, 0xAF, 0x17, 0x33, 0xAF, 0x00, 0x01, 0x80, 0xBB, 0xBB, 0x0B, 0xF8, 0xDE, 0x55, 0x00, 0x44, 0x20, 0x00, 0x22, 0x29, 0xFE, 0xDA, 0x40, 0x10, 0x00, 0x20, 0xDD, 0x53, 0xA7, 0x80, 0x11, 0x99, 0x87, 0x00, 0xF8, 0xC2, 0x41, 0x11, 0x00, 0x20, 0x22, 0x45, 0x00, 0xFF, 0xBA, 0x20, 0x11, 0x01, 0xEE, 0x00, 0x22, 0x00, 0xF8, 0xB7, 0x0F, 0x44, 0x80, 0x09, 0xC8, 0x2B, 0x00, 0xF1, 0xD6, 0x4C, 0x00, 0x00, 0xBB, 0xBB, 0x0D, 0x13, 0xFF, 0xDB, 0x51, 0x4D, 0xAF, 0xF8, 0xA8, 0x5D, 0xB7, 0x20, 0x07, 0x20, 0x17, 0x11, 0x20, 0x47, 0xEE, 0xCA, 0x30, 0x11, 0x11, 0x02, 0x22, 0x22, 0x25, 0xFF, 0xCA, 0x30, 0xF0, 0x1F, 0x00, 0x01, 0x00, 0x22, 0x22, 0x65, 0xFF, 0xCA, 0x40, 0x90, 0x07, 0xC3, 0x00, 0x50, 0x1F, 0x00, 0x70, 0x3F, 0x11, 0x71, 0x22, 0x00, 0x30, 0x5F, 0x00, 0x70, 0x7F, 0x00, 0x48, 0xDC, 0x88, 0x99, 0x47, 0xF8, 0xD7, 0x4E, 0x00, 0x2A, 0x12, 0x99, 0x11, 0x47, 0xF8, 0xBB, 0x41, 0x86, 0x80, 0x9F, 0x11, 0x23, 0x22, 0x23, 0x20, 0xBF, 0x74, 0x47, 0x88, 0x00, 0x88, 0x73, 0x77, 0x8A, 0xF8, 0x9E, 0x1F, 0x12, 0x08, 0x51, 0x22, 0x02, 0x21, 0x30, 0xA7, 0x40, 0x88, 0x08, 0x00, 0x69, 0xEF, 0xCB, 0x41, 0x08, 0x00, 0xF7, 0xFF, 0x40, 0x22, 0xAB, 0x9F, 0x2A, 0x12, 0x98, 0x11, 0x47, 0xF1, 0x3B, 0xBB, 0x3A, 0x44, 0x7F, 0x21, 0x47, 0xFB, 0xBF, 0x08, 0x24, 0x5F, 0x00, 0x31, 0x77, 0x80, 0x01, 0x7B, 0xE7, 0x06, 0x44, 0x51, 0x77, 0x49, 0xFF, 0x8C, 0x00, 0x15, 0x08, 0x08, 0x77, 0xF7, 0x82, 0xF8, 0x96, 0x41, 0x16, 0x10, 0x0C, 0x93, 0x9F, 0xFF, 0x77, 0x0A, 0xF8, 0x81, 0x2E, 0x6E, 0xA0, 0xDD, 0xFF, 0x44, 0x23, 0x8F, 0x2D, 0xFF, 0x8B, 0x03, 0x15, 0x00, 0x22, 0xDF, 0xCD, 0x61, 0xFF, 0xAD, 0x25, 0x00, 0xC8, 0x33, 0x9F, 0x26, 0xAF, 0x84, 0xA8, 0x53, 0x9F, 0xC5, 0x84, 0x91, 0x40, 0x88, 0x32, 0xCF, 0x00, 0x20, 0x88, 0xEE, 0x2D, 0xFF, 0x28, 0xDB, 0x41, 0x33, 0xC7, 0x65, 0x23, 0xC7, 0x44, 0x80, 0x89, 0x80, 0x43, 0x87, 0x21, 0x22, 0x22, 0x32, 0x23, 0xF8, 0xBE, 0x41, 0x1D, 0xF3, 0x7F, 0x01, 0x00, 0x22, 0x32, 0x43, 0xA0, 0x17, 0xF0, 0x10, 0x01, 0x80, 0x07, 0x64, 0x27, 0x34, 0x17, 0x00, 0x34, 0xBF, 0x08, 0x10, 0xBF, 0x3B, 0x00, 0x0F, 0xF8, 0xDE, 0x54, 0x22, 0x51, 0xDC, 0xFD, 0xA0, 0x41, 0xAF, 0x10, 0x24, 0xFF, 0xFF, 0xA8, 0x00, 0x10, 0x11, 0x03, 0x22, 0x00, 0x45, 0xEF, 0xBA, 0x20, 0x74, 0x57, 0x34, 0x47, 0x89, 0x48, 0xFF, 0x40, 0xCE, 0x88, 0x35, 0x2F, 0x2A, 0x11, 0x30, 0x2F, 0x20, 0xBD, 0x35, 0x74, 0xBF, 0x08, 0x10, 0x88, 0x19, 0x4B, 0xE8, 0x31, 0xD7, 0x75, 0x3F, 0x20, 0x47, 0x06, 0x20, 0x47, 0xEE, 0x8C, 0x10, 0x07, 0x31, 0x85, 0xEE, 0x9C, 0x24, 0x74, 0x9F, 0x80, 0x57, 0x60, 0x47, 0xC0, 0x70, 0x57, 0x84, 0x9F, 0x11, 0x98, 0x31, 0x65, 0xFF, 0xBD, 0x06, 0x34, 0x8E, 0xCC, 0x11, 0x77, 0x00, 0x44, 0x9F, 0x24, 0x57, 0x86, 0x86, 0x10, 0x01, 0x34, 0x57, 0x80, 0xFF, 0x7F, 0x03, 0x00, 0x2F, 0xFF, 0x2A, 0xBF, 0x37, 0x00, 0x52, 0xF8, 0x8A, 0x11, 0x8C, 0xEE, 0x17, 0x11, 0xD0, 0x4A, 0x7F, 0x20, 0x27, 0x06, 0xA0, 0x17, 0x21, 0xA2, 0x11, 0x89, 0x80, 0x36, 0x1F, 0x44, 0x00, 0xB3, 0xBB, 0x09, 0xFF, 0xDB, 0x10, 0x52, 0x04, 0x20, 0x5A, 0xE7, 0x11, 0x88, 0x91, 0x89, 0x05, 0x47, 0xF8, 0xC9, 0x4F, 0x17, 0x23, 0x88, 0x41, 0x22, 0x17, 0x21, 0x01, 0x00, 0x57, 0x3F, 0x04, 0x20, 0xBB, 0xFB, 0x20, 0x27, 0x71, 0x51, 0x77, 0x57, 0xF7, 0x3F, 0x24, 0x20, 0x00, 0x02, 0xF1, 0x10, 0x01, 0xA3, 0xAF, 0xF8, 0x08, 0x64, 0xDF, 0x24, 0x0F, 0x38, 0x6F, 0x27, 0xCF, 0x03, 0xE5, 0x7F, 0x10, 0x23, 0x02, 0x00, 0x43, 0xF1, 0xB7, 0x16, 0x11, 0x75, 0x22, 0x00, 0x60, 0x25, 0x49, 0x07, 0xF4, 0x9F, 0x8C, 0x19, 0x4F, 0xF8, 0xD7, 0x2E, 0x4D, 0x22, 0x24, 0x91, 0x8D, 0x24, 0x47, 0x44, 0x9F, 0x44, 0x5F, 0x22, 0x7C, 0x22, 0x36, 0x0F, 0x74, 0x27, 0x28, 0xB7, 0x4A, 0x2F, 0x89, 0x4F, 0x44, 0xBB, 0x60, 0x3B, 0x32, 0xBF, 0xF8, 0xFF, 0xFE, 0x7F, 0x98, 0x19, 0x27, 0x18, 0xF8, 0xC1, 0x47, 0x80, 0x4F, 0x00, 0x6D, 0xBF, 0x88, 0x88, 0x71, 0xFE, 0x4D, 0xE7, 0x00, 0x4D, 0xFF, 0x2E, 0x17, 0x70, 0x07, 0x02, 0x40, 0x1F, 0x00, 0xBE, 0x3F, 0x7A, 0xAF, 0x88, 0x58, 0x91, 0x3A, 0xAF, 0x40, 0xFE, 0x8F, 0x7A, 0xAF, 0xCC, 0xE8, 0x88, 0x30, 0xEE, 0x21, 0x27, 0x3F, 0x73, 0x9F, 0x33, 0xAB, 0x91, 0x89, 0x5E, 0x27, 0x20, 0x2F, 0x11, 0x27, 0x28, 0x35, 0xB7, 0x73, 0x9F, 0x73, 0xC7, 0x15, 0x3F, 0x21, 0x20, 0x00, 0x5A, 0x7F, 0x27, 0x57, 0x3A, 0x47, 0x10, 0x0A, 0xF3, 0x9F, 0x10, 0x00, 0x89, 0x17, 0x68, 0xCF, 0xC1, 0x74, 0x2F, 0x01, 0xFD, 0x9F, 0xCA, 0xCC, 0xBF, 0xBB, 0x05, 0x4E, 0x17, 0xE1, 0x00, 0x5E, 0x1F, 0x9E, 0x37, 0x00, 0x5E, 0x3F, 0x15, 0x11, 0x20, 0x22, 0x3D, 0x8F, 0xF8, 0x00, 0x8D, 0xFF, 0x6E, 0x8F, 0x77, 0x4F, 0x10, 0x1C, 0x83, 0x87, 0x10, 0x2C, 0x62, 0xD7, 0x43, 0x4C, 0x49, 0x10, 0x4D, 0xFF, 0xFE, 0x2F, 0xA6, 0x00, 0x02, 0x02, 0x28, 0xC3, 0x2D, 0xFD, 0x3D, 0xEF, 0x69, 0x6D, 0x61, 0x67, 0x2F, 0xFE, 0x20, 0x0C, 0x1C, 0x40, 0x00, 0x0A, 0x3E, 0x10, 0x4E, 0x15, 0x00, 0x50, 0x03, 0x43, 0x4C, 0x24, 0x59, 0x54, 0x70, 0x3F, 0x80, 0x05, 0x47, 0xAE, 0x00, 0x6C, 0x18, 0x79, 0x74, 0x31, 0x30, 0x51, 0x3E, 0x3B, 0x00, 0x00, 0xA0, 0x00, 0x43, 0x00, 0x00, 0x70, 0x43, 0x74, 0x78, 0x6C, 0x32, 0x31, 0x40, 0x2F, 0xED, 0x2B, 0x90, 0x00, 0x0C, 0x2F, 0xF5, 0x1A, 0xC0, 0x2F, 0xF9, 0x2B, 0x3C, 0x00, 0x62, 0x75, 0x62, 0x62, 0x6C, 0x00, 0x65, 0x73, 0x2E, 0x62, 0x63, 0x6C, 0x69, 0x6D, 0x04, 0x00, 0x6D, 0x61, 0x73, 0x6B, 0x60, 0x0A, 0x77, 0x61, 0x60, 0x76, 0x80, 0x16, 0x2F, 0xFD, 0x6D, 0x61, 0x74, 0x31, 0x8C, 0xCD, 0x2E, 0x8C, 0x2B, 0xB0, 0x00, 0x1C, 0x30, 0x63, 0x2F, 0xF9, 0xD4, 0x2F, 0xFD, 0x66, 0x24, 0x2E, 0xA0, 0x30, 0x35, 0x5F, 0x30, 0x4C, 0x7A, 0xC0, 0xA8, 0xFF, 0x56, 0xFF, 0x00, 0x50, 0x01, 0x15, 0x40, 0x9B, 0x04, 0x30, 0x4A, 0x2F, 0xFF, 0x60, 0x4F, 0xC0, 0x50, 0xDD, 0x80, 0x3F, 0x50, 0x03, 0x80, 0x93, 0x00, 0x00, 0x52, 0x00, 0x60, 0x4F, 0x17, 0x80, 0x55, 0x06, 0x3F, 0x35, 0x05, 0x20, 0xFD, 0xB1, 0x27, 0x90, 0x4F, 0x81, 0x20, 0xB4, 0x22, 0x40, 0x24, 0x02, 0x10, 0x66, 0x2F, 0xFD, 0x47, 0x07, 0x61, 0x4A, 0x01, 0x04, 0x05, 0x50, 0xE2, 0x00, 0x20, 0xB8, 0x00, 0xB0, 0xB7, 0x1E, 0x02, 0x00, 0x05, 0x31, 0x02, 0x31, 0x4A, 0x31, 0x4E, 0x00, 0x50, 0xB7, 0x31, 0x82, 0x04, 0xD0, 0xB7, 0x70, 0x61, 0x6E, 0x31, 0x4C, 0x40, 0xC3, 0xFF, 0x00, 0x00, 0x52, 0x6F, 0x6F, 0x74, 0x50, 0x61, 0x6E, 0x78, 0x65, 0x00, 0x92, 0x21, 0xF2, 0x3B, 0x71, 0x67, 0x52, 0x17, 0x70, 0x61, 0x73, 0x21, 0x31, 0x08, 0x2F, 0xFD, 0x70, 0x69, 0x63, 0x31, 0x3D, 0xE5, 0xE0, 0x30, 0x53, 0x00, 0x71, 0x17, 0x2F, 0xFC, 0xC0, 0x80, 0x00, 0x80, 0xBF, 0xA4, 0x00, 0x90, 0x53, 0xF2, 0x22, 0x6B, 0x9A, 0x43, 0x71, 0xF7, 0x6F, 0xBB, 0x5F, 0xE7, 0x40, 0x03, 0x02, 0x62, 0x89, 0x62, 0xC5, 0x61, 0x37, 0x71, 0xF3, 0x31, 0x4B, 0x2E, 0x80, 0x3F, 0x30, 0x7F, 0xA0, 0x60, 0xD3, 0x00, 0x71, 0x47, 0x2F, 0xFC, 0xB8, 0x0B, 0x00, 0x00, 0x48, 0x42, 0x22, 0xCF, 0xC1, 0xE3, 0x11, 0x61, 0x8F, 0x5A, 0x80, 0x22, 0xEB, 0x80, 0x80, 0x7F, 0x72, 0x7F, 0x03, 0x21, 0xB5, 0xCD, 0x23, 0xCC, 0x6C, 0x42, 0x5B, 0x33, 0x33, 0x5B, 0x41, 0xB7, 0x50, 0x0F, 0x2F, 0x20, 0x40, 0x50, 0x0F, 0x20, 0xF0, 0x93, 0xE2, 0x43, 0x00, 0x60, 0x9F, 0x00, 0x12, 0xF2, 0xBB, 0x02, 0x40, 0x9F, 0x01, 0x22, 0x55, 0x2F, 0xFF, 0x31, 0x93, 0x3E, 0x50, 0x8B, 0x30, 0x07, 0xBE, 0x30, 0x0F, 0x14, 0x60, 0x9B, 0x30, 0x07, 0x01, 0x10, 0x9F, 0x51, 0xBF, 0x00, 0x93, 0x8F, 0x80, 0x03, 0xFD, 0x3F, 0x40, 0x00, 0xFE, 0x0F, 0xA1, 0x7F, 0xD3, 0x2B, 0x01, 0x10, 0x7E, 0x1B, 0x44, 0x98, 0x3D, 0xFC, 0x00, 0x01, 0x3F, 0xF9, 0x74, 0x49, 0x23, 0xA3, 0x41, 0xAB, 0x50, 0x07, 0xE1, 0x1F, 0x61, 0x65, 0x42, 0x47, 0x0C, 0x67, 0x72, 0x70, 0x31, 0x34, 0x1F, 0x32, 0x97, 0x47, 0x72, 0x13, 0x6F, 0x75, 0x70, 0xA4, 0xBA, 0x67, 0x72, 0x52, 0x6B, 0x30, 0x23, 0x8F, 0x32, 0xBF, 0x47, 0x5F, 0x41, 0xC4, 0x36, 0x34, 0x9B, 0xF3, 0xFB, 0xF4, 0x5B, 0xD5, 0xF3, 0x63, 0x90, 0x4B, 0x42, 0x03, 0x40, 0x4B, 0x2C, 0x40, 0x97, 0x43, 0xC4, 0xCE, 0xCD, 0x35, 0x93, 0xF4, 0xE3, 0x67, 0x72, 0x50, 0xEF, 0xB5, 0x7F, 0xE0, 0x24, 0x87, 0x5E, 0x11, 0x00, 0x05, 0x7F, 0xC8, 0x85, 0x7F, 0x33, 0xB3, 0x35, 0x3F, 0x35, 0xDB, 0x1E, 0xA8, 0x2F, 0xFF, 0x29, 0x2F, 0xFD, 0x34, 0x00, 0x05, 0x83, 0x6C, 0x6F, 0x67, 0x6F, 0x6F, 0x00, 0xD5, 0x8E, 0x35, 0x8B, 0x30, 0x22, 0x32, 0x34, 0xF0, 0x36, 0x1A, 0x31, 0x63, 0x55, 0xD8, 0x2F, 0xFF, 0x5C, 0x26, 0x3C, 0xAC, 0x02, 0x65, 0x8F, 0x02, 0x00, 0xA5, 0x8F, 0xFA, 0x30, 0x91, 0x01, 0xB5, 0xDF, 0x35, 0x8F, 0x95, 0xDF, 0x00, 0x15, 0x8F, 0x44, 0x26, 0x44, 0x40, 0x77, 0x24, 0x51, 0x2B, 0xB5, 0x8F, 0x01, 0xF5, 0xF7, 0x6A, 0x65, 0xF7, 0x90, 0xBB, 0x00, 0x25, 0xFB, 0xE1, 0x00, 0x36, 0x0F, 0x37, 0x64, 0x26, 0x13, 0x10, 0x24, 0x02, 0x11, 0x03, 0x36, 0x13, 0x7C, 0x03, 0x03, 0xA6, 0x13, 0x04, 0x30, 0xD3, 0x03, 0x56, 0x2F, 0x52, 0xC7, 0x04, 0x36, 0x2F, 0x6E, 0xAB, 0x6F, 0xE1, 0xE5, 0xAF, 0x76, 0x2F, 0x48, 0x38, 0x1B, 0x28, 0xB6, 0x40, 0x07, 0x05, 0x86, 0x2F, 0x57, 0x04, 0x06, 0x06, 0x2F, 0x20, 0x01, 0xC6, 0xCF, 0x02, 0x86, 0x2F, 0x4A, 0x1C, 0x77, 0x4F, 0xEE, 0x67, 0x4B, 0x46, 0xCB, 0x01, 0xA6, 0x2F, 0xFF, 0x00, 0x83, 0xDF, 0x39, 0x94, 0x50, 0x03, 0xF0, 0x86, 0xC6, 0x33, 0xCD, 0xCC, 0x4C, 0x3F, 0x30, 0x03, 0x57, 0x6F, 0x38, 0x7F, 0x42, 0x00, 0x16, 0xCF, 0xB7, 0xEF, 0x0B, 0x56, 0xAF, 0x3A, 0xEF, 0xF6, 0xAF, 0x3A, 0x70, 0xFA, 0x43, 0xEF, 0xFA, 0xBB, 0xF5, 0x3B, 0x01, 0x36, 0xCF, 0x5C, 0x00, 0x26, 0xCF, 0x3B, 0x77, 0xFB, 0x17, 0xFA, 0xBF, 0x80, 0x04, 0x36, 0xDF, 0x1F, 0xBC, 0xAB, 0xC4, 0xF4, 0xA7, 0x73, 0x00, 0x0A, 0x1A, 0x5D, 0x17, 0xE0, 0x62, 0x0D, 0xCB, 0x00, 0x15, 0x4B, 0xAE, 0x36, 0xE9, 0x22, 0xD6, 0xBC, 0x00, 0x84, 0x95, 0x43, 0x89, 0x8A, 0x34, 0x9F, 0xB6, 0x00, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
\ No newline at end of file

From d9204e52ac1c470b0ffee9f5e1f2c12a7c1d9951 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Sun, 10 May 2020 10:30:37 +0800
Subject: [PATCH 228/317] Update version string to 0.17

---
 makerom/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index c6df9663..3e498b6e 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -902,7 +902,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.16.2 (C) 3DSGuy 2020\n");
+	printf("CTR MAKEROM v0.17 (C) 3DSGuy 2020\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From 45f06e32b2f5b79b0423c2489411e130d401b143 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Sun, 10 May 2020 12:50:35 +0800
Subject: [PATCH 229/317] Add old homebrew logo under name "HomebrewLegacy"

---
 makerom/ncch.c      | 9 +++++++++
 makerom/ncch_logo.h | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/makerom/ncch.c b/makerom/ncch.c
index d054cacf..da77ff0d 100644
--- a/makerom/ncch.c
+++ b/makerom/ncch.c
@@ -363,6 +363,15 @@ int ImportLogo(ncch_settings *set)
 			}
 			memcpy(set->sections.logo.buffer, Homebrew_LZ, 0x2000);
 		}
+		else if (strcasecmp(set->rsfSet->BasicInfo.Logo, "homebrewlegacy") == 0) {
+			set->sections.logo.size = 0x2000;
+			set->sections.logo.buffer = malloc(set->sections.logo.size);
+			if (!set->sections.logo.buffer) {
+				fprintf(stderr, "[NCCH ERROR] Not enough memory\n");
+				return MEM_ERROR;
+			}
+			memcpy(set->sections.logo.buffer, HomebrewLegacy_LZ, 0x2000);
+		}
 		else if(strcasecmp(set->rsfSet->BasicInfo.Logo,"none") != 0){
 			fprintf(stderr,"[NCCH ERROR] Invalid logo name\n");
 			return NCCH_BAD_RSF_SET;
diff --git a/makerom/ncch_logo.h b/makerom/ncch_logo.h
index c28e10ee..67518170 100644
--- a/makerom/ncch_logo.h
+++ b/makerom/ncch_logo.h
@@ -28,4 +28,9 @@ static const unsigned char iQue_without_ISBN_LZ[0x2000] =
 static const unsigned char Homebrew_LZ[0x2000] =
 {
 	0x11, 0x40, 0xE6, 0x00, 0x00, 0x64, 0x61, 0x72, 0x63, 0xFF, 0xFE, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x20, 0xE6, 0x00, 0x00, 0x83, 0x30, 0x09, 0x64, 0x03, 0x00, 0x00, 0x80, 0x20, 0x03, 0x30, 0x13, 0xAB, 0x30, 0x18, 0x11, 0x20, 0x1D, 0x02, 0xA0, 0x0B, 0x06, 0x20, 0x2B, 0x30, 0x18, 0x5A, 0x09, 0x20, 0x35, 0x10, 0x20, 0x39, 0x30, 0x2B, 0xAC, 0x20, 0x20, 0x54, 0xAA, 0x20, 0x45, 0x40, 0x20, 0x1C, 0x0C, 0x20, 0x2C, 0x98, 0x20, 0x51, 0x60, 0x55, 0x08, 0x50, 0x38, 0xDC, 0x30, 0x0B, 0x0A, 0x50, 0x23, 0x20, 0x20, 0x51, 0x05, 0x20, 0x0D, 0x00, 0x00, 0xE8, 0x20, 0x50, 0x64, 0x30, 0x0B, 0xA5, 0x20, 0x40, 0x78, 0x20, 0x6F, 0xA8, 0x01, 0x50, 0x53, 0x0E, 0x20, 0x89, 0x40, 0xB2, 0x30, 0x75, 0x14, 0x00, 0x00, 0x28, 0x04, 0x00, 0x24, 0x00, 0xC8, 0x20, 0x81, 0x80, 0x18, 0x20, 0x0B, 0x80, 0x00, 0x28, 0x00, 0xE4, 0x30, 0x8D, 0x99, 0x20, 0x17, 0x20, 0x00, 0x00, 0x53, 0xFA, 0x30, 0x17, 0xB9, 0x50, 0x0B, 0x12, 0x02, 0x50, 0x8F, 0x30, 0xA7, 0x48, 0x1C, 0x20, 0xA8, 0xC0, 0xD9, 0x20, 0xBF, 0x05, 0x00, 0x00, 0x41, 0x4C, 0x20, 0xB4, 0x40, 0xDF, 0x00, 0x00, 0xE0, 0x20, 0xB0, 0x10, 0x00, 0x00, 0x2E, 0x20, 0xE3, 0x61, 0x00, 0x6E, 0x00, 0x14, 0x69, 0x00, 0x6D, 0x20, 0xED, 0x4E, 0x20, 0x07, 0x6E, 0x00, 0x10, 0x74, 0x00, 0x65, 0x20, 0x11, 0x64, 0x00, 0x6F, 0x00, 0x51, 0x4C, 0x20, 0x03, 0x67, 0x20, 0x07, 0x5F, 0x00, 0x44, 0x20, 0x03, 0x41, 0x30, 0x20, 0x01, 0x5F, 0x00, 0x53, 0x00, 0x63, 0x40, 0x1F, 0x05, 0x65, 0x00, 0x4F, 0x00, 0x75, 0x20, 0x2B, 0x41, 0x20, 0x43, 0x5A, 0x62, 0x20, 0x13, 0x6C, 0x40, 0x47, 0x02, 0x50, 0x43, 0x42, 0x03, 0x20, 0x43, 0x43, 0xBD, 0x01, 0x80, 0x87, 0x55, 0x04, 0xC0, 0x43, 0x01, 0x90, 0xCB, 0x00, 0x90, 0x87, 0xF1, 0x53, 0x74, 0x41, 0x9F, 0x51, 0x67, 0x22, 0x8F, 0x6D, 0x21, 0xAD, 0x73, 0x00, 0x6B, 0x81, 0x73, 0xAA, 0x51, 0xB7, 0x62, 0x21, 0x89, 0x62, 0x21, 0x85, 0x6C, 0x21, 0xB9, 0x73, 0xB5, 0xE0, 0x1B, 0x6C, 0x61, 0xC3, 0xD0, 0x31, 0x77, 0x21, 0xF5, 0x76, 0x00, 0x20, 0x2D, 0xBF, 0x30, 0x43, 0x79, 0x22, 0x01, 0x01, 0x32, 0x0B, 0x71, 0xF7, 0x00, 0xF0, 0x2F, 0x71, 0x6F, 0xD0, 0x2F, 0x81, 0x00, 0xB0, 0x02, 0x43, 0x4C, 0x41, 0x4E, 0xFF, 0xFE, 0x22, 0xEC, 0x18, 0x00, 0x02, 0x02, 0x33, 0x43, 0x23, 0x67, 0x00, 0x70, 0x61, 0x1A, 0x74, 0x31, 0x3C, 0x63, 0x7E, 0x33, 0x99, 0x28, 0x23, 0x9D, 0xA1, 0x20, 0x00, 0xF0, 0x43, 0x8C, 0x53, 0x63, 0x65, 0x6E, 0x65, 0x08, 0x4F, 0x75, 0x74, 0x41, 0x23, 0xB1, 0x47, 0x5F, 0x41, 0x10, 0x5F, 0x30, 0x30, 0xD0, 0x60, 0x70, 0x61, 0x69, 0x31, 0x54, 0x5C, 0x23, 0xAC, 0x50, 0x43, 0xBE, 0x06, 0x33, 0x46, 0x00, 0x2C, 0xB5, 0x23, 0xDD, 0xCC, 0x33, 0xAB, 0x23, 0xCD, 0x54, 0x23, 0xD1, 0xC4, 0x23, 0xD5, 0x43, 0x10, 0x23, 0xD0, 0x6D, 0x61, 0x73, 0x6B, 0xF0, 0x40, 0x33, 0xF0, 0x85, 0x34, 0x0D, 0x43, 0x4C, 0x56, 0x43, 0x33, 0xFC, 0x0C, 0x34, 0x19, 0xF2, 0x20, 0x2C, 0x33, 0xEB, 0x40, 0x0B, 0x44, 0x16, 0x7F, 0x43, 0x20, 0x51, 0xC1, 0xF9, 0x23, 0xCD, 0x30, 0x86, 0x30, 0x5D, 0xA0, 0x0B, 0x34, 0x4A, 0x82, 0x42, 0x00, 0x10, 0x0B, 0x5C, 0x7F, 0x20, 0x13, 0x8A, 0x20, 0x17, 0x30, 0x3B, 0x90, 0x0B, 0xAB, 0xAA, 0x5C, 0xE2, 0x20, 0x47, 0x9C, 0x40, 0x2F, 0xB0, 0x0B, 0x34, 0x90, 0x62, 0x75, 0x06, 0x62, 0x62, 0x6C, 0x65, 0x73, 0xC0, 0xE3, 0xA0, 0x9F, 0x49, 0xF9, 0x80, 0x9F, 0x24, 0xA6, 0x31, 0x37, 0x90, 0x9F, 0x34, 0xCE, 0x8C, 0x42, 0x34, 0xBC, 0xBC, 0x80, 0x43, 0x31, 0x02, 0x90, 0x43, 0x00, 0x41, 0x27, 0x25, 0x19, 0x51, 0x27, 0x54, 0x53, 0x8D, 0x81, 0x27, 0x01, 0x02, 0x00, 0x24, 0x76, 0x61, 0x27, 0x1C, 0x21, 0x03, 0x2D, 0x60, 0xC0, 0x51, 0xFE, 0x44, 0xE0, 0x0B, 0x72, 0x14, 0xA0, 0xE0, 0x0B, 0x03, 0x90, 0xC0, 0x29, 0xA5, 0x14, 0xBE, 0x00, 0x40, 0xF7, 0x00, 0x60, 0x6F, 0x8A, 0xF0, 0xF7, 0x75, 0x64, 0x4F, 0x22, 0x3A, 0x9E, 0x21, 0x7F, 0x80, 0x79, 0x3F, 0x30, 0x0B, 0x00, 0x40, 0xFF, 0x01, 0x50, 0x4B, 0x20, 0x3F, 0xCF, 0x3B, 0x90, 0x4B, 0xFF, 0x30, 0x0B, 0x00, 0xD2, 0xBF, 0x35, 0xF7, 0xB2, 0xBF, 0x25, 0xD2, 0x82, 0xBF, 0x20, 0xEB, 0xC2, 0xBF, 0x8B, 0x32, 0x20, 0x47, 0x5F, 0x42, 0x00, 0x42, 0xBF, 0xBC, 0x26, 0x75, 0x50, 0x2D, 0xAA, 0x92, 0xBF, 0x6C, 0x26, 0xA1, 0xA8, 0x26, 0xA5, 0xE4, 0x26, 0xA9, 0x24, 0xBF, 0x26, 0x95, 0x70, 0x26, 0x99, 0x01, 0xB2, 0xBF, 0x92, 0x2B, 0x93, 0x90, 0x01, 0xB2, 0x5F, 0xB0, 0x3F, 0xF7, 0x01, 0xF2, 0x57, 0xF0, 0x3B, 0x01, 0xB2, 0x4F, 0x92, 0xE3, 0x48, 0x23, 0x73, 0x52, 0x4F, 0x02, 0xB2, 0x1F, 0x14, 0xCD, 0xCC, 0x4C, 0x24, 0x5A, 0x20, 0x23, 0xBF, 0x00, 0x40, 0xEC, 0x30, 0x0B, 0x02, 0xA2, 0x1F, 0x20, 0x4B, 0xCC, 0x22, 0x1F, 0x30, 0x4B, 0x80, 0x3F, 0xFC, 0x50, 0x0B, 0x00, 0xD4, 0xDF, 0x38, 0x44, 0xB4, 0xDF, 0x31, 0x95, 0x74, 0xDF, 0xF1, 0x00, 0x62, 0xFF, 0xC4, 0xDF, 0x30, 0xA0, 0x47, 0x5F, 0x43, 0x00, 0x44, 0xDF, 0xB0, 0xAA, 0x28, 0x95, 0x0F, 0xE4, 0xDF, 0x78, 0x28, 0xC1, 0xB4, 0x28, 0xC5, 0xF0, 0xB1, 0x28, 0xC9, 0x30, 0x02, 0x22, 0x1F, 0xF4, 0x3F, 0xDB, 0xB6, 0x91, 0x25, 0x62, 0x4C, 0x60, 0x25, 0x66, 0x7F, 0x43, 0x30, 0x0B, 0x02, 0x52, 0x2B, 0x60, 0x41, 0xFC, 0x02, 0x92, 0x2B, 0x50, 0x3B, 0x02, 0x52, 0x2B, 0x39, 0xCE, 0x02, 0x14, 0x4B, 0x95, 0x4F, 0x80, 0xBF, 0xFE, 0x51, 0xD3, 0x01, 0xD2, 0x1F, 0x00, 0x30, 0x3F, 0x00, 0xB6, 0xDF, 0x02, 0x71, 0xFF, 0x36, 0xDF, 0x51, 0xFF, 0x08, 0xB5, 0x46, 0xDF, 0x34, 0x3A, 0x83, 0x2A, 0xC1, 0xBC, 0x2A, 0xC5, 0xF8, 0x30, 0x0F, 0xAE, 0x2A, 0xB5, 0x74, 0x2A, 0xB9, 0xB4, 0x35, 0xA3, 0x01, 0xE6, 0xE7, 0x00, 0xF2, 0x07, 0x6C, 0x1C, 0x6F, 0x67, 0x6F, 0x00, 0xA7, 0x33, 0x01, 0x52, 0x07, 0x0D, 0xE2, 0x43, 0x77, 0x61, 0x7F, 0x76, 0xE7, 0xC5, 0xD7, 0x3F, 0x38, 0xF3, 0x3C, 0x47, 0x56, 0x27, 0xF2, 0x87, 0x44, 0xB3, 0x60, 0xBC, 0xD6, 0xEB, 0x40, 0x17, 0x40, 0x0D, 0xD7, 0xA3, 0xBB, 0x87, 0x37, 0x67, 0x66, 0x66, 0xE6, 0x3F, 0xC8, 0x2F, 0x02, 0x62, 0xAB, 0x00, 0xF9, 0x9F, 0xDE, 0x3C, 0xB3, 0x03, 0x36, 0xDF, 0x98, 0x2D, 0x4C, 0x57, 0x0D, 0x92, 0xBF, 0x3A, 0x87, 0xB0, 0xB7, 0x2D, 0x85, 0xEC, 0x39, 0xEF, 0x2D, 0x75, 0x68, 0x62, 0xBF, 0x3C, 0xC3, 0x02, 0xF6, 0xE7, 0xFF, 0x02, 0x52, 0xB3, 0xE6, 0xE7, 0x0E, 0xA7, 0x23, 0x01, 0x72, 0xBF, 0x34, 0x87, 0x3F, 0x29, 0xEA, 0x8B, 0x37, 0x67, 0xFD, 0x24, 0x9A, 0x47, 0x73, 0x82, 0xCB, 0x9A, 0x27, 0x50, 0x23, 0x52, 0xCB, 0x20, 0x82, 0xCB, 0xE0, 0x6A, 0x1B, 0x32, 0xE3, 0x29, 0x83, 0xF0, 0x42, 0xCD, 0xCC, 0x0C, 0x7F, 0x40, 0x5C, 0x4A, 0x57, 0xBB, 0x32, 0xFB, 0x04, 0xF7, 0xBB, 0xFC, 0x9F, 0x3F, 0xA7, 0x03, 0x3C, 0x9F, 0x75, 0x28, 0x2F, 0xEF, 0x5C, 0x9F, 0x95, 0xBF, 0xD4, 0x2F, 0xFB, 0x18, 0x2F, 0xF7, 0x77, 0x5C, 0x39, 0xFB, 0x6C, 0x9F, 0x3C, 0xC7, 0xDC, 0x09, 0x2C, 0xA7, 0x01, 0xB6, 0x13, 0x01, 0x0C, 0xA7, 0xFF, 0x10, 0x02, 0xAC, 0xEB, 0x02, 0xD3, 0xA7, 0x4D, 0x2F, 0x28, 0x42, 0x3D, 0x3B, 0x4D, 0x47, 0x46, 0x73, 0x22, 0xF2, 0x84, 0xCE, 0x57, 0xE1, 0x65, 0x2D, 0x3E, 0x33, 0xA7, 0xA4, 0x70, 0x7C, 0x0D, 0x63, 0x8F, 0x40, 0x2F, 0x02, 0xF3, 0x8F, 0x01, 0x4D, 0x6B, 0x04, 0x30, 0x13, 0xFF, 0xFF, 0x30, 0xFF, 0xFF, 0x3F, 0x3B, 0x10, 0x13, 0x70, 0x07, 0x77, 0x77, 0x77, 0x77, 0x60, 0x6E, 0xA0, 0x07, 0x00, 0xF0, 0x1F, 0xBB, 0xBB, 0x55, 0x55, 0x03, 0x12, 0x23, 0x23, 0x23, 0x70, 0x07, 0xDD, 0xDD, 0x20, 0x0F, 0x5B, 0x1C, 0x5B, 0x5B, 0xFD, 0x60, 0x07, 0x00, 0x70, 0x1F, 0x70, 0x27, 0xAA, 0xAA, 0x8C, 0x20, 0x3F, 0x8B, 0x8B, 0x8B, 0x70, 0x07, 0x40, 0x4F, 0xC3, 0xC3, 0x60, 0xC3, 0x70, 0x07, 0x00, 0xF0, 0x1F, 0x11, 0x11, 0x11, 0x11, 0x02, 0x00, 0xF8, 0xF8, 0xF8, 0x11, 0x00, 0x11, 0x11, 0x0A, 0xFE, 0x20, 0x07, 0x4A, 0x81, 0xA0, 0x07, 0x70, 0x17, 0x70, 0x27, 0xF0, 0x1F, 0x0A, 0xF0, 0x0F, 0x43, 0x12, 0x4C, 0x49, 0x4D, 0x7F, 0x9F, 0x28, 0x04, 0x5F, 0x1F, 0x69, 0x15, 0x6D, 0x61, 0x67, 0x3B, 0x8F, 0x10, 0x2D, 0x55, 0x0A, 0x3F, 0xFB, 0xE0, 0x20, 0x17, 0x10, 0x19, 0x74, 0x7F, 0x10, 0x26, 0x72, 0x4F, 0x7F, 0xBB, 0xFF, 0x37, 0x0B, 0x10, 0x02, 0x02, 0x02, 0x7A, 0x4F, 0x01, 0xFE, 0x03, 0x00, 0x00, 0x62, 0x21, 0x21, 0x21, 0x33, 0x33, 0x33, 0x33, 0x00, 0xB6, 0x18, 0x18, 0x18, 0x33, 0x33, 0xFF, 0xFF, 0x10, 0x01, 0x03, 0x03, 0x2E, 0x41, 0x11, 0x01, 0x02, 0x30, 0xFD, 0x5F, 0xD8, 0x30, 0x07, 0x70, 0x17, 0x90, 0x1F, 0x50, 0x17, 0x00, 0x00, 0x1F, 0x73, 0x00, 0x00, 0x1F, 0x40, 0x10, 0x40, 0x3F, 0xBB, 0x33, 0x73, 0xAA, 0x1F, 0x1F, 0x0D, 0x1F, 0xFF, 0xFF, 0xF7, 0x4A, 0xC7, 0x20, 0x5F, 0x11, 0x30, 0x5F, 0x06, 0x03, 0xFF, 0x10, 0xFF, 0x57, 0x27, 0xDC, 0x10, 0x25, 0x76, 0x5F, 0x0E, 0x37, 0x00, 0x1F, 0x43, 0xD7, 0x7E, 0x4F, 0x0F, 0x20, 0x01, 0xB3, 0xE7, 0x04, 0xF0, 0x07, 0x5E, 0xF0, 0x2E, 0xC8, 0x00, 0x00, 0x20, 0x0F, 0x10, 0x25, 0x7A, 0x5F, 0x73, 0xEF, 0x10, 0x2F, 0x73, 0xFF, 0x01, 0x10, 0x00, 0xEF, 0x0E, 0x10, 0x2D, 0xB7, 0xFF, 0xBC, 0x08, 0xCE, 0x88, 0x08, 0x4A, 0x13, 0x13, 0x13, 0xFF, 0x6F, 0x00, 0x00, 0x88, 0x70, 0x88, 0x5F, 0xEF, 0x50, 0x07, 0x04, 0x00, 0x1F, 0x80, 0x88, 0x88, 0x0A, 0x00, 0x37, 0x37, 0x37, 0xCB, 0xFF, 0xEC, 0xFF, 0x42, 0x18, 0x16, 0x16, 0x16, 0x10, 0x25, 0x7F, 0xEF, 0x10, 0x07, 0x0F, 0x57, 0x7F, 0xFF, 0x7F, 0x40, 0x06, 0x00, 0x2F, 0xFF, 0xB7, 0xBB, 0x37, 0x33, 0x6A, 0x0A, 0x00, 0x0A, 0x0A, 0xBB, 0xBB, 0x33, 0x33, 0x05, 0x02, 0x38, 0x02, 0x02, 0xFF, 0xFF, 0x70, 0x17, 0x02, 0x80, 0x1F, 0x7B, 0x33, 0x77, 0x01, 0x4E, 0x1F, 0x1F, 0x1F, 0xF7, 0xFF, 0xF7, 0x10, 0x25, 0xD5, 0x67, 0x01, 0xE8, 0xFF, 0x01, 0x6B, 0x11, 0x11, 0x11, 0x8F, 0xFF, 0x44, 0x0F, 0x2C, 0xEF, 0x03, 0x03, 0x03, 0x05, 0x7D, 0x5F, 0x1E, 0xFF, 0x18, 0x10, 0xFF, 0x6B, 0x24, 0x57, 0x7D, 0xCF, 0x0F, 0xFF, 0x00, 0x07, 0xFF, 0x20, 0x20, 0x20, 0x20, 0x10, 0x25, 0x89, 0x6F, 0x63, 0xEF, 0x06, 0x73, 0xFF, 0xC1, 0x73, 0xEF, 0x07, 0x73, 0xFF, 0x7F, 0xB3, 0x7F, 0x37, 0x0A, 0x00, 0x28, 0xDF, 0x04, 0x31, 0x33, 0x9D, 0xD9, 0x21, 0x2E, 0x87, 0x11, 0x11, 0x1C, 0xDD, 0xDD, 0xA1, 0x00, 0x2E, 0x8F, 0x70, 0x17, 0x01, 0x20, 0x1F, 0x9D, 0x81, 0x80, 0x00, 0x2E, 0xCF, 0xDD, 0x7B, 0x31, 0x73, 0x4E, 0x1E, 0x1E, 0x41, 0x1E, 0x10, 0x25, 0xF3, 0xFF, 0xCF, 0x01, 0x0F, 0xF8, 0x40, 0xA3, 0xCF, 0x00, 0x0F, 0x00, 0x0F, 0x0F, 0x82, 0x1B, 0x1B, 0x1B, 0xA0, 0x05, 0x28, 0xFF, 0x10, 0x39, 0x5F, 0xFE, 0xFF, 0xF0, 0xFF, 0x22, 0x15, 0x16, 0x16, 0x16, 0x79, 0x6F, 0xF0, 0x20, 0x0F, 0xA2, 0x20, 0x0F, 0x84, 0x10, 0x15, 0x8F, 0xFF, 0xF0, 0xFF, 0x08, 0x04, 0xBF, 0xCF, 0xDE, 0xFF, 0x04, 0xCE, 0x0E, 0x01, 0x01, 0x01, 0xFB, 0xFF, 0x88, 0xCC, 0x00, 0x8E, 0x88, 0x0B, 0x34, 0x34, 0x34, 0xCC, 0xCC, 0x78, 0x88, 0x40, 0x07, 0xFC, 0x1F, 0x70, 0x17, 0x01, 0xF0, 0x1F, 0x0F, 0xFF, 0x80, 0xD0, 0x4B, 0xEF, 0x20, 0x56, 0xE8, 0x30, 0x5F, 0xFD, 0xFF, 0xFC, 0xFF, 0x1F, 0x62, 0x0F, 0x0F, 0x2C, 0x85, 0x05, 0x5F, 0xFF, 0x73, 0xEF, 0x06, 0x23, 0xFF, 0xC3, 0xEF, 0x83, 0x10, 0x01, 0x73, 0xFF, 0xB7, 0xDD, 0x37, 0x13, 0x6A, 0x2E, 0x2F, 0x02, 0xA9, 0x7F, 0x84, 0x00, 0x49, 0xBF, 0x33, 0x13, 0xDD, 0xFD, 0x39, 0xDF, 0x7B, 0xFF, 0x75, 0x73, 0x05, 0xC2, 0x7F, 0x10, 0x06, 0xFE, 0xE7, 0x00, 0x23, 0xFF, 0x07, 0x10, 0x07, 0xB3, 0xFF, 0x01, 0x29, 0x91, 0xF8, 0x3E, 0x87, 0x7F, 0xFF, 0x39, 0xA1, 0x0C, 0xBE, 0x7F, 0x10, 0x05, 0xFD, 0xFF, 0x7F, 0x00, 0x0F, 0x22, 0xFF, 0x20, 0xBF, 0xCF, 0xFE, 0xFF, 0xEE, 0x00, 0x38, 0xFF, 0xCC, 0x08, 0xCC, 0xCE, 0xCC, 0x61, 0x2C, 0xA8, 0xEE, 0xEE, 0xFF, 0x38, 0xFF, 0x01, 0x00, 0x2D, 0x17, 0x70, 0x17, 0x01, 0xF0, 0x1F, 0xFF, 0xFF, 0xF8, 0x20, 0xFF, 0x4B, 0x28, 0xEF, 0xCC, 0xEE, 0xEC, 0xFE, 0x63, 0x1E, 0x24, 0x24, 0x24, 0x0F, 0xFF, 0xFF, 0x73, 0xEF, 0x10, 0x14, 0x73, 0xFF, 0x10, 0x08, 0xFF, 0x67, 0x08, 0x80, 0xE7, 0xFF, 0xCE, 0xCC, 0xEF, 0x88, 0x4B, 0x2C, 0x2C, 0x64, 0x2C, 0x03, 0x9E, 0x7F, 0x57, 0xFF, 0xCC, 0x8C, 0x5E, 0xD7, 0xCB, 0xFF, 0x1A, 0xE8, 0xFF, 0x47, 0x10, 0x00, 0xAD, 0x7F, 0x10, 0x26, 0x25, 0x17, 0x7F, 0xCF, 0xFF, 0xEF, 0x00, 0xFF, 0x0F, 0x0A, 0x02, 0x02, 0x02, 0x17, 0x33, 0x10, 0x17, 0x11, 0x71, 0x20, 0x07, 0x11, 0x11, 0x11, 0x11, 0x7E, 0xA3, 0x4E, 0xAF, 0xDD, 0x17, 0x70, 0x17, 0x90, 0x1F, 0xDE, 0xCF, 0x01, 0x70, 0x1F, 0xFF, 0x0D, 0x7D, 0x11, 0x71, 0x65, 0x20, 0x6F, 0xAF, 0x0F, 0xF0, 0x5D, 0x8F, 0x54, 0xF7, 0xCF, 0xFF, 0xFE, 0x2E, 0xC7, 0x42, 0x10, 0x24, 0x35, 0x37, 0x0F, 0xFF, 0x07, 0x0F, 0x12, 0x03, 0x03, 0x03, 0xF0, 0x0F, 0x00, 0x1D, 0x07, 0x03, 0xDD, 0x17, 0xD0, 0xF3, 0xEF, 0xF3, 0xFF, 0xF0, 0x23, 0xEF, 0x82, 0x1D, 0x1D, 0x1D, 0xE0, 0x7F, 0xFF, 0xF0, 0x0F, 0x10, 0x4C, 0x03, 0xFF, 0xF7, 0xFF, 0x77, 0x0A, 0x01, 0x00, 0x01, 0x01, 0x77, 0x77, 0x77, 0x77, 0xDA, 0x08, 0x38, 0x08, 0x08, 0xFF, 0xFF, 0x70, 0x17, 0x00, 0xF0, 0x1F, 0xFF, 0x7F, 0x77, 0x30, 0xF7, 0x07, 0x2A, 0xBF, 0x10, 0x02, 0x87, 0xFF, 0xCF, 0xFF, 0x0F, 0xCB, 0xD4, 0x21, 0x7F, 0x00, 0x17, 0xFF, 0x01, 0x06, 0xC7, 0xFF, 0xF7, 0x10, 0x0B, 0xEB, 0xFF, 0x01, 0x00, 0x00, 0x13, 0x00, 0x62, 0x22, 0x22, 0x22, 0x33, 0x33, 0x03, 0x00, 0x00, 0x03, 0x29, 0x29, 0x29, 0xFE, 0x5F, 0x70, 0x17, 0xE0, 0x90, 0x1F, 0xDE, 0x5F, 0x00, 0xF0, 0x1F, 0x1E, 0xFF, 0x10, 0xFF, 0x6B, 0x10, 0x0A, 0x0A, 0x0A, 0x7F, 0xFF, 0x0F, 0xFF, 0x00, 0xFF, 0x08, 0x20, 0x20, 0x20, 0x20, 0x10, 0x00, 0x0F, 0xFF, 0xEF, 0xFF, 0xEF, 0x40, 0x0E, 0x00, 0x2F, 0x4F, 0xCE, 0xC8, 0xCE, 0x88, 0x4F, 0x2C, 0x00, 0x2C, 0x2C, 0x88, 0x88, 0xAA, 0xAA, 0x1B, 0x34, 0x38, 0x34, 0x34, 0xFF, 0x77, 0x70, 0x17, 0x02, 0xA0, 0x1F, 0x8A, 0x17, 0x35, 0x01, 0x35, 0x35, 0xCC, 0xE8, 0x88, 0xE8, 0x4B, 0x20, 0x67, 0xBF, 0x00, 0x1F, 0xD7, 0xFE, 0x10, 0x0C, 0xCF, 0xE7, 0x04, 0xFE, 0x5F, 0xF3, 0xEF, 0x10, 0x00, 0x83, 0xFF, 0x10, 0x16, 0x6F, 0x4F, 0xFE, 0x5F, 0x00, 0x0A, 0x00, 0x8F, 0x00, 0x0B, 0x37, 0x37, 0x37, 0x81, 0x04, 0x93, 0xFF, 0x80, 0xFF, 0x4B, 0x1F, 0x1F, 0x1F, 0x10, 0x27, 0x73, 0xFF, 0xB3, 0x2F, 0xFF, 0xEE, 0x3F, 0xEF, 0x20, 0x06, 0xEE, 0x43, 0x00, 0x4D, 0xD7, 0x70, 0x17, 0xAB, 0x00, 0xE0, 0x1F, 0xEF, 0x00, 0x50, 0x3F, 0xFE, 0x2A, 0x3F, 0x22, 0x10, 0x27, 0x53, 0xE7, 0x10, 0x01, 0xDD, 0xC7, 0x00, 0xE9, 0xFF, 0x01, 0x6B, 0x0A, 0x0A, 0x0A, 0xF7, 0x01, 0x77, 0x77, 0x77, 0x5A, 0x08, 0x08, 0x08, 0x20, 0x06, 0x21, 0x77, 0xDA, 0x20, 0x07, 0x00, 0x00, 0x70, 0x07, 0xBD, 0x2F, 0xF0, 0x70, 0x17, 0x90, 0x1F, 0xDD, 0x37, 0x70, 0x37, 0xFF, 0xF7, 0x77, 0xF7, 0x08, 0x4E, 0x0F, 0x0F, 0x0F, 0x8D, 0x67, 0x10, 0x00, 0xD0, 0x08, 0x43, 0x29, 0x29, 0x29, 0xFF, 0xEF, 0xFB, 0xFF, 0xF1, 0x30, 0xFF, 0x0F, 0x45, 0x8F, 0x10, 0x25, 0xED, 0x1F, 0x0F, 0xFF, 0xFF, 0x00, 0x1D, 0x03, 0x03, 0x03, 0xF0, 0x0F, 0x03, 0x7D, 0x07, 0x2F, 0xFA, 0xF0, 0x00, 0x30, 0x0F, 0x00, 0xF0, 0xFF, 0xF0, 0xFF, 0x82, 0x1D, 0x1D, 0x1D, 0xE8, 0x7F, 0xFF, 0xF0, 0x0F, 0x10, 0x2C, 0xA3, 0xFF, 0x70, 0x10, 0x07, 0xC3, 0xFF, 0xBF, 0xFF, 0x3F, 0xC0, 0x5F, 0x07, 0x8F, 0xFF, 0x0F, 0x0A, 0x02, 0x02, 0x02, 0x01, 0x00, 0xEF, 0x13, 0x11, 0x82, 0x21, 0x21, 0x21, 0x11, 0x1C, 0x11, 0x11, 0x11, 0x00, 0x36, 0x07, 0x70, 0x17, 0x01, 0x00, 0x1F, 0x10, 0x11, 0x04, 0x11, 0x0A, 0x37, 0x37, 0x37, 0xFA, 0x1F, 0x3D, 0xFF, 0x1F, 0x71, 0xFF, 0x8B, 0x20, 0x67, 0x95, 0xFF, 0x26, 0x87, 0x2A, 0x5F, 0x10, 0x06, 0x0F, 0x2F, 0x08, 0x00, 0xFF, 0x08, 0x0C, 0xA1, 0x87, 0xFF, 0xDF, 0xFF, 0x30, 0xCF, 0x0E, 0x3B, 0xE4, 0xEB, 0xCF, 0xCC, 0xCC, 0xCE, 0xCC, 0x00, 0x61, 0x20, 0x20, 0x20, 0xEE, 0xEE, 0xFF, 0xFF, 0x74, 0x01, 0x00, 0x28, 0x17, 0x70, 0x17, 0x00, 0x00, 0x1F, 0x80, 0xD0, 0x1F, 0xCC, 0xED, 0x01, 0xCC, 0xEC, 0xAA, 0x1F, 0x1F, 0x1F, 0xF3, 0x27, 0xFF, 0x63, 0x57, 0x3C, 0x1F, 0x6F, 0xFF, 0xFE, 0xFF, 0xFE, 0x10, 0x06, 0x7F, 0xFF, 0x43, 0xEF, 0xFC, 0xF3, 0xFF, 0x03, 0xA9, 0xFF, 0x00, 0x4A, 0x47, 0xF3, 0xEF, 0x10, 0x06, 0x83, 0xFF, 0x0E, 0xEF, 0x6F, 0xB7, 0xBB, 0x00, 0x37, 0x33, 0x6A, 0x0A, 0x0A, 0x0A, 0xFF, 0xEF, 0xA7, 0x82, 0xF7, 0x10, 0x3C, 0xF7, 0x77, 0x77, 0x24, 0xE7, 0x2D, 0x17, 0x70, 0x07, 0x38, 0x00, 0x00, 0x77, 0x07, 0x57, 0x0F, 0x70, 0x1F, 0xBB, 0xBB, 0x33, 0x30, 0x73, 0x05, 0x43, 0x2F, 0xD0, 0x1F, 0xBB, 0x7B, 0x33, 0xF7, 0x6A, 0x0B, 0xAD, 0x57, 0x20, 0x3F, 0x01, 0x3D, 0x4F, 0xFE, 0x2C, 0xF7, 0x4B, 0xDA, 0xA4, 0xF7, 0x0F, 0x73, 0xFF, 0x0F, 0x26, 0x88, 0x26, 0x5E, 0x20, 0x10, 0x15, 0xAC, 0xF7, 0x0F, 0x70, 0x16, 0xAC, 0xE7, 0xF0, 0x0F, 0x03, 0x96, 0xE7, 0xF0, 0xFF, 0xA2, 0x16, 0x31, 0x16, 0x16, 0xF0, 0x0F, 0x07, 0x8F, 0xFF, 0xEF, 0xFF, 0xEF, 0x30, 0x9C, 0x80, 0xFF, 0xFF, 0x8A, 0xCC, 0x8E, 0x88, 0x0B, 0x34, 0x34, 0x0F, 0x34, 0xCC, 0xCC, 0x88, 0x40, 0x07, 0xFF, 0xFF, 0x70, 0x17, 0x01, 0x00, 0x1F, 0x41, 0x8C, 0x00, 0x50, 0x3F, 0xC9, 0xFF, 0xEC, 0xFF, 0x62, 0x07, 0xB1, 0x07, 0xC0, 0x10, 0x1E, 0x73, 0xFF, 0x10, 0x1E, 0x70, 0x87, 0xBF, 0xFF, 0x8F, 0x4F, 0x0F, 0x0F, 0x00, 0x0F, 0x08, 0x08, 0x8C, 0x88, 0x62, 0x29, 0x29, 0x43, 0x29, 0xFF, 0xFF, 0x00, 0x00, 0x88, 0x88, 0x5E, 0xFF, 0x50, 0x07, 0x80, 0x02, 0x00, 0x1F, 0x80, 0x00, 0xA8, 0x0F, 0x36, 0x36, 0x36, 0x07, 0xFD, 0xFF, 0xF8, 0xFF, 0x43, 0x20, 0x67, 0x10, 0x27, 0x03, 0xEF, 0x0B, 0xEE, 0x57, 0x01, 0x43, 0x4C, 0x49, 0x4D, 0xFF, 0xFE, 0x14, 0x3F, 0xA5, 0x02, 0x02, 0x28, 0x80, 0x00, 0x00, 0x01, 0x2F, 0xFB, 0x69, 0x08, 0x6D, 0x61, 0x67, 0x10, 0x3F, 0xB8, 0x01, 0x00, 0x01, 0x70, 0x0A, 0x54, 0x83, 0x44, 0xC9, 0x04, 0x30, 0x05, 0x1F, 0xA2, 0xFF, 0x11, 0x00, 0x7D, 0x17, 0x17, 0x17, 0xCC, 0xDC, 0x55, 0x55, 0x00, 0xC9, 0x3D, 0x3D, 0x3D, 0xFF, 0xF0, 0x0F, 0x0F, 0x60, 0x70, 0x20, 0x07, 0x3F, 0xB9, 0x02, 0xF8, 0xF8, 0xF8, 0x1B, 0x01, 0xFF, 0x71, 0xFF, 0x59, 0x14, 0x14, 0x14, 0x85, 0x4F, 0x01, 0xF0, 0xF0, 0xF0, 0xE4, 0x91, 0x91, 0x91, 0x10, 0x07, 0xFF, 0xDF, 0x00, 0xBF, 0x93, 0x3F, 0x37, 0x18, 0x04, 0x04, 0x04, 0xC0, 0x7F, 0xFF, 0x2F, 0x16, 0x0F, 0x70, 0x08, 0x08, 0x08, 0x99, 0x00, 0x99, 0x55, 0x55, 0xED, 0x2C, 0x2C, 0x2C, 0x2A, 0x10, 0xF1, 0x11, 0xFF, 0x31, 0xE7, 0xF0, 0xFF, 0x00, 0x00, 0x40, 0x22, 0x21, 0xC3, 0x0F, 0xFF, 0xF0, 0xF0, 0x8C, 0xD3, 0x3C, 0xD3, 0xD3, 0x10, 0x0F, 0x0D, 0xB7, 0xE3, 0xEF, 0xF3, 0xFF, 0x83, 0xEF, 0x77, 0x7F, 0x20, 0x77, 0x12, 0x2F, 0xF7, 0x03, 0x55, 0x50, 0x77, 0xCD, 0x00, 0x7E, 0x7E, 0x7E, 0x9D, 0xEE, 0x55, 0x11, 0xA5, 0x82, 0x20, 0x07, 0xFF, 0x7F, 0x77, 0x77, 0x26, 0x22, 0x67, 0xFF, 0x20, 0xFF, 0xF7, 0x4F, 0xFF, 0xCC, 0x8C, 0x11, 0x11, 0xED, 0x00, 0x9E, 0x9E, 0x9E, 0xAE, 0x51, 0x10, 0xF5, 0xB9, 0x10, 0x3B, 0x3B, 0x3B, 0xFF, 0xFF, 0xFB, 0xFF, 0xF3, 0xFF, 0x41, 0x62, 0x29, 0xAF, 0x7F, 0x93, 0x7F, 0x37, 0xB8, 0x2D, 0xB7, 0x90, 0x20, 0x36, 0x77, 0x06, 0x2F, 0xFF, 0x77, 0xFF, 0x77, 0x77, 0x40, 0x66, 0x22, 0xAF, 0x95, 0xEA, 0x57, 0x01, 0xB1, 0x5D, 0x00, 0x5D, 0x5D, 0x00, 0x00, 0xDD, 0xDD, 0xE1, 0x9F, 0x35, 0x9F, 0x9F, 0x40, 0x17, 0x29, 0xDF, 0xF7, 0x20, 0x5F, 0x22, 0x3D, 0xE4, 0x5C, 0x40, 0x50, 0x17, 0xAA, 0xF0, 0x5F, 0x20, 0x40, 0x35, 0x2B, 0x7B, 0xFF, 0x10, 0x73, 0xFF, 0x82, 0x2A, 0x0F, 0xC3, 0xD1, 0x1F, 0x13, 0x00, 0x98, 0x2A, 0x2A, 0x2A, 0x77, 0x77, 0x77, 0x77, 0x60, 0x6E, 0x2F, 0xFF, 0x70, 0x3F, 0x33, 0x73, 0xDD, 0xDD, 0x81, 0x00, 0x8F, 0x8F, 0x8F, 0x4A, 0xD5, 0x50, 0x57, 0xAD, 0x08, 0x3C, 0x3C, 0x3C, 0x7F, 0x20, 0xD7, 0x2A, 0x01, 0x01, 0x41, 0x01, 0x70, 0x67, 0x9D, 0xEA, 0x57, 0x11, 0xA9, 0x20, 0xDF, 0xE0, 0x70, 0x67, 0x70, 0x77, 0x7F, 0xFF, 0x8E, 0x54, 0x10, 0xF7, 0xD5, 0x80, 0x2A, 0x67, 0x55, 0xA8, 0x7F, 0x15, 0xB5, 0x2B, 0x2B, 0x2E, 0x2B, 0xF7, 0x20, 0x60, 0x2E, 0x30, 0x3F, 0x21, 0x07, 0x30, 0xA7, 0x35, 0x08, 0x22, 0x55, 0x11, 0x85, 0x20, 0x5F, 0xAA, 0x1B, 0x11, 0x04, 0x51, 0x8D, 0x8E, 0x8E, 0x8E, 0xFF, 0xFF, 0x39, 0x7B, 0x00, 0x73, 0xF3, 0xCC, 0x61, 0x61, 0x61, 0xFF, 0x7F, 0x38, 0xFF, 0x7F, 0x31, 0x4F, 0x7F, 0xFF, 0x70, 0x47, 0x93, 0x9B, 0x37, 0x06, 0x33, 0xD8, 0x38, 0x38, 0x38, 0x70, 0x47, 0x21, 0x16, 0x77, 0x41, 0x2E, 0x23, 0xC7, 0x7F, 0xF7, 0x77, 0xFF, 0x03, 0x20, 0xA7, 0x10, 0x00, 0x00, 0x5D, 0x50, 0xFF, 0x59, 0x11, 0x75, 0xAD, 0xC0, 0x31, 0x7F, 0xE3, 0xEF, 0x39, 0xFF, 0x73, 0xF7, 0xF0, 0x51, 0x30, 0x51, 0x51, 0x73, 0xFF, 0xB3, 0xEF, 0x6C, 0xD4, 0xD4, 0xD4, 0x80, 0x73, 0xFF, 0x23, 0x10, 0xC4, 0xFD, 0xA1, 0xCF, 0xCF, 0x57, 0xCF, 0x31, 0x1F, 0x96, 0x61, 0x7F, 0xA6, 0x4B, 0x2F, 0x51, 0x77, 0x00, 0x70, 0xFF, 0xF7, 0x71, 0x77, 0x71, 0xC7, 0x71, 0x77, 0x71, 0x67, 0xC1, 0x61, 0x77, 0x71, 0x67, 0x81, 0x3F, 0x80, 0x61, 0xE7, 0x0E, 0x15, 0x50, 0x77, 0xB5, 0x28, 0x28, 0x5A, 0x28, 0x21, 0xE7, 0x11, 0x31, 0xE7, 0x20, 0xD7, 0xF7, 0xB1, 0x5F, 0x1D, 0x00, 0x3C, 0x31, 0xF1, 0xB0, 0xA2, 0xA2, 0xA2, 0xB7, 0x83, 0x22, 0x1F, 0x78, 0x15, 0x15, 0x15, 0x7F, 0x22, 0x1F, 0x30, 0xF7, 0x8D, 0x82, 0x1F, 0xAA, 0x57, 0x11, 0x30, 0xF7, 0x22, 0x1F, 0x5D, 0x42, 0x1F, 0xC2, 0x61, 0x77, 0x7F, 0x87, 0x22, 0x53, 0x11, 0x55, 0x31, 0x7F, 0xBD, 0x01, 0x39, 0x33, 0x73, 0xD8, 0x83, 0x83, 0x83, 0x31, 0x67, 0xC0, 0x42, 0x5F, 0x62, 0x07, 0x9F, 0xE9, 0x97, 0x1F, 0x30, 0x05, 0x01, 0x05, 0x05, 0xFB, 0xFF, 0x1D, 0x11, 0x85, 0x21, 0x9F, 0x60, 0x7F, 0x22, 0x38, 0xBF, 0xBF, 0x9D, 0x3C, 0x31, 0x71, 0xD4, 0x00, 0xA3, 0xA3, 0xA3, 0xF7, 0x6F, 0xF7, 0x1F, 0x22, 0xDA, 0x32, 0x17, 0x22, 0xF7, 0x07, 0x32, 0x1F, 0x20, 0xA7, 0x66, 0x2F, 0xFC, 0xE1, 0x00, 0xDD, 0x1F, 0x11, 0xB4, 0x6B, 0x6B, 0x6B, 0xEE, 0x01, 0x50, 0x11, 0xF1, 0xB5, 0x6C, 0x6C, 0x6C, 0xFF, 0xFF, 0x40, 0x79, 0x32, 0xDF, 0x16, 0x16, 0x16, 0xFF, 0x83, 0xFF, 0x31, 0x1F, 0x14, 0x22, 0xDF, 0xF0, 0x3F, 0xA5, 0xAA, 0x1D, 0x40, 0xBF, 0x00, 0x1D, 0x1E, 0x11, 0xF1, 0xD0, 0xB4, 0xB4, 0xB4, 0x83, 0xFF, 0xFF, 0x99, 0x99, 0x99, 0x99, 0x23, 0xA0, 0x07, 0x05, 0x00, 0x1F, 0xA0, 0x97, 0xEF, 0xBF, 0x00, 0x33, 0xFF, 0x7F, 0xB7, 0x00, 0x88, 0x13, 0x10, 0xF5, 0xF5, 0xF5, 0x21, 0xF9, 0xBB, 0x1D, 0xF9, 0xF9, 0x02, 0xF9, 0xCF, 0xED, 0xE0, 0xEC, 0x94, 0x27, 0xFF, 0xEF, 0x10, 0xFE, 0xEE, 0xEE, 0x33, 0xF7, 0x3B, 0xF7, 0x88, 0x00, 0x00, 0x86, 0xE2, 0xE2, 0xE2, 0x00, 0x1F, 0x1F, 0xF0, 0x00, 0x0E, 0xFD, 0xFD, 0xFD, 0x3E, 0xF0, 0x0E, 0x0E, 0x41, 0x8C, 0x23, 0xBF, 0xFF, 0x1F, 0x00, 0x10, 0x07, 0x28, 0x2B, 0x00, 0xFE, 0xBF, 0xF0, 0x3F, 0x68, 0x40, 0x40, 0x40, 0x00, 0xC3, 0x01, 0x17, 0x13, 0xB4, 0x6E, 0x6E, 0x6E, 0x04, 0xFE, 0xE3, 0xF0, 0x0F, 0x8C, 0x21, 0x97, 0xE1, 0x00, 0x00, 0x0F, 0x8F, 0x80, 0xDF, 0xDF, 0xDF, 0x00, 0xB7, 0x10, 0x01, 0x80, 0x26, 0x2F, 0xFC, 0x57, 0xBB, 0x80, 0xAA, 0x00, 0x35, 0xE7, 0xE7, 0xE7, 0x00, 0xE3, 0xF0, 0xE0, 0x00, 0x10, 0xFA, 0xFA, 0xFA, 0xF1, 0xFF, 0xF0, 0xFF, 0x40, 0x93, 0x21, 0x47, 0xB9, 0xF7, 0x8C, 0x00, 0x35, 0xEA, 0x01, 0xEA, 0xEA, 0x00, 0xDE, 0xFF, 0x10, 0x06, 0x2F, 0xFC, 0x00, 0xDE, 0x3C, 0xCE, 0x0E, 0x54, 0x06, 0x06, 0x06, 0x00, 0x32, 0x33, 0x0E, 0x00, 0x13, 0xF7, 0xF7, 0xF7, 0x05, 0x1C, 0x79, 0x71, 0xF3, 0xD0, 0x22, 0x2F, 0xFF, 0x26, 0xEF, 0x00, 0x68, 0x4E, 0x4E, 0x4E, 0x1F, 0x3C, 0x70, 0xF0, 0x0C, 0x54, 0xE6, 0xE6, 0xE6, 0x70, 0x0F, 0x78, 0xC7, 0x80, 0xB3, 0x19, 0x88, 0x88, 0x32, 0x20, 0x9F, 0x20, 0x97, 0x00, 0x06, 0x28, 0xC3, 0x04, 0xE1, 0xC1, 0xE0, 0xEE, 0xB4, 0x22, 0x67, 0xCC, 0x4C, 0x10, 0xBB, 0xBB, 0x0D, 0x20, 0x6F, 0x7B, 0x00, 0x08, 0xFF, 0x00, 0x22, 0xF1, 0xF1, 0xF1, 0xEE, 0x1E, 0xFE, 0x0E, 0x00, 0x8F, 0x1E, 0x1E, 0x1E, 0x3E, 0x00, 0x0F, 0xEF, 0x00, 0x80, 0xAF, 0xAF, 0xAF, 0x00, 0x7E, 0x10, 0x11, 0x80, 0x30, 0x9F, 0x45, 0x80, 0x91, 0x88, 0x35, 0xFC, 0xFC, 0x02, 0xFC, 0xCC, 0xE0, 0x00, 0xF0, 0x6F, 0x20, 0x77, 0xC1, 0x08, 0xEF, 0xE0, 0xEE, 0xD0, 0x20, 0xD7, 0x88, 0x44, 0xBB, 0x00, 0x19, 0x15, 0xFB, 0xFB, 0xFB, 0x00, 0x00, 0x08, 0x21, 0xDD, 0x22, 0x35, 0x3F, 0x10, 0xEE, 0x0E, 0x58, 0x27, 0x87, 0x04, 0xCE, 0xCC, 0x0F, 0x00, 0x4B, 0x20, 0x9F, 0x1E, 0x7C, 0x00, 0x70, 0xF0, 0x70, 0xE5, 0xE5, 0xE5, 0xB7, 0xC3, 0x10, 0x37, 0x1F, 0x34, 0x20, 0xB7, 0x10, 0xFF, 0xFF, 0xF0, 0x41, 0x10, 0x29, 0x57, 0xC1, 0xE1, 0x1F, 0x07, 0x70, 0x24, 0x3F, 0x00, 0xE9, 0xFE, 0x03, 0x00, 0x86, 0xDB, 0xDB, 0xDB, 0x06, 0x4C, 0xA0, 0x00, 0xEA, 0x79, 0x20, 0xF7, 0x79, 0x77, 0xBD, 0x00, 0xB8, 0x70, 0x33, 0x78, 0xC5, 0xC5, 0xC5, 0xBB, 0x08, 0x5B, 0xAA, 0xAA, 0x51, 0x20, 0x3F, 0x39, 0xFF, 0x0C, 0x00, 0x00, 0x33, 0xF6, 0xF6, 0xF6, 0x11, 0x31, 0x55, 0x00, 0x45, 0x3D, 0x19, 0x19, 0x19, 0xCB, 0x00, 0x07, 0x00, 0xFF, 0x80, 0xBF, 0xBF, 0xBF, 0xCE, 0x3C, 0x10, 0x00, 0x71, 0x74, 0xE9, 0xE9, 0xE9, 0x08, 0xFF, 0x73, 0x04, 0x0F, 0x50, 0x18, 0x18, 0x18, 0x21, 0x77, 0xF0, 0x0A, 0xC2, 0x31, 0xAF, 0x29, 0xC8, 0xD0, 0x48, 0x48, 0x48, 0x77, 0xEF, 0xBF, 0x01, 0x93, 0x80, 0xC8, 0x3A, 0xF4, 0xF4, 0xF4, 0xF4, 0x0F, 0x06, 0xF5, 0x5F, 0xA8, 0x8A, 0x31, 0x20, 0x9F, 0x2F, 0x3F, 0x0C, 0x41, 0xC4, 0x21, 0x8F, 0xFE, 0xEF, 0xFE, 0xEF, 0x26, 0x2F, 0xFF, 0x04, 0x1E, 0x3C, 0x8F, 0x0E, 0x90, 0x25, 0x1F, 0x00, 0x10, 0x10, 0x00, 0x70, 0x67, 0x21, 0x17, 0x3C, 0xFD, 0xF1, 0xF1, 0x08, 0xA4, 0x70, 0x70, 0x70, 0x7A, 0x17, 0x3C, 0xFC, 0x70, 0x04, 0xF1, 0x88, 0xB2, 0xB2, 0xB2, 0x91, 0x67, 0x0F, 0xB0, 0xE0, 0x46, 0x3F, 0x61, 0x87, 0x71, 0x67, 0xDC, 0x01, 0x11, 0x11, 0x2A, 0x82, 0x2A, 0x33, 0x80, 0x00, 0x89, 0x88, 0x3A, 0x2F, 0xFC, 0x1F, 0x00, 0xE8, 0x80, 0xEE, 0xB9, 0xC6, 0xC6, 0xC6, 0xD9, 0x00, 0xEE, 0xEA, 0xEE, 0xAD, 0x60, 0x60, 0x60, 0x87, 0x08, 0xBE, 0x88, 0x30, 0x6C, 0x20, 0xE7, 0x87, 0xFE, 0x1F, 0x00, 0x00, 0xD1, 0xAD, 0xAD, 0xAD, 0xFF, 0xC6, 0xEE, 0x27, 0x0F, 0x90, 0x23, 0xF7, 0x37, 0x33, 0x21, 0x3F, 0x20, 0xD7, 0x2F, 0x7F, 0x00, 0xE8, 0x37, 0xFE, 0xFE, 0xFE, 0x15, 0x19, 0xA0, 0x20, 0xAA, 0x79, 0x24, 0xBF, 0x00, 0x38, 0xFF, 0x70, 0x14, 0x84, 0x21, 0x6F, 0x12, 0x11, 0x54, 0x55, 0x31, 0x07, 0x1B, 0xF7, 0x10, 0x8E, 0x00, 0x39, 0x22, 0x1F, 0xEF, 0x9E, 0x00, 0x30, 0x41, 0x32, 0x22, 0xA7, 0x8B, 0x83, 0x37, 0x07, 0xCC, 0x44, 0x1F, 0x20, 0xEE, 0xDF, 0x40, 0xA7, 0x16, 0x71, 0xCF, 0xB0, 0x52, 0x01, 0x52, 0x52, 0x3C, 0x00, 0x0E, 0x08, 0xA4, 0x21, 0x2F, 0x00, 0x3C, 0xFC, 0xF0, 0xF1, 0x8C, 0xC2, 0xC2, 0xC2, 0x00, 0x3C, 0x78, 0x8F, 0x0E, 0xB0, 0x4D, 0x4D, 0x4D, 0x04, 0xEF, 0x3E, 0x00, 0x70, 0x70, 0x21, 0x3F, 0x7A, 0xEF, 0x00, 0xF0, 0xFF, 0x2F, 0x09, 0x09, 0x09, 0x33, 0x52, 0x10, 0x00, 0xF0, 0x67, 0x22, 0x6F, 0x3C, 0xBB, 0xF0, 0x33, 0x00, 0xA4, 0x50, 0x50, 0x50, 0x3E, 0xF0, 0x0F, 0x0E, 0x41, 0x90, 0x20, 0x27, 0xFF, 0x3F, 0x00, 0x70, 0x0A, 0x21, 0x7F, 0x04, 0xC3, 0xF3, 0x1F, 0x07, 0xA8, 0x22, 0xC7, 0xFF, 0xEF, 0x82, 0x52, 0x47, 0x7C, 0xFF, 0xF0, 0xF7, 0x80, 0x20, 0x27, 0x9F, 0x08, 0xE3, 0x3F, 0x0F, 0x30, 0x21, 0x7F, 0x3C, 0x78, 0x70, 0x20, 0xF3, 0xB0, 0x21, 0x17, 0xC3, 0xE1, 0x0F, 0x0F, 0x90, 0x84, 0x2B, 0x4F, 0x01, 0x00, 0x03, 0xFF, 0x32, 0x17, 0xC3, 0xE1, 0x11, 0xE0, 0xF8, 0x90, 0x31, 0x2F, 0xA3, 0x00, 0xE0, 0x31, 0xC7, 0x06, 0xC3, 0xFE, 0xF8, 0xFE, 0xAC, 0x20, 0x5F, 0x09, 0x27, 0xFF, 0xFF, 0xEC, 0xBB, 0xEF, 0xF0, 0x0F, 0x81, 0xEF, 0x0F, 0x53, 0x57, 0x00, 0x00, 0x0F, 0x00, 0xF0, 0x02, 0x0F, 0x98, 0x84, 0x84, 0x84, 0xFF, 0x2A, 0x91, 0x42, 0x00, 0xE3, 0xE3, 0xE3, 0xFF, 0x30, 0xF0, 0x8F, 0x8C, 0x00, 0x82, 0x82, 0x82, 0x78, 0xF7, 0x0E, 0x00, 0x8C, 0x00, 0xBE, 0xBE, 0xBE, 0x00, 0x00, 0xFE, 0xF0, 0x1C, 0xAE, 0x24, 0x57, 0xF0, 0x23, 0xEF, 0x42, 0x28, 0x17, 0x41, 0xDF, 0x23, 0x67, 0x38, 0x00, 0xBB, 0x73, 0x77, 0xD6, 0x44, 0x44, 0x44, 0xFF, 0x0C, 0x00, 0xFF, 0x0F, 0x1C, 0x2A, 0xD7, 0x2A, 0xD1, 0x00, 0xB3, 0x00, 0xE8, 0xE8, 0xE8, 0x9B, 0xCB, 0x37, 0x17, 0xD4, 0x10, 0x3A, 0x3A, 0x3A, 0x71, 0x57, 0x80, 0xF7, 0xF0, 0xF0, 0x68, 0x30, 0x38, 0xA7, 0x2A, 0xEF, 0xC8, 0x23, 0xFF, 0x87, 0x87, 0xF0, 0x38, 0xF0, 0x90, 0x4A, 0xD7, 0xE0, 0x97, 0x2C, 0xB7, 0x8C, 0x80, 0x80, 0x44, 0x80, 0x00, 0x10, 0x0F, 0xFF, 0x0F, 0x93, 0x4D, 0x5E, 0x0F, 0xFF, 0x6E, 0xE0, 0x28, 0x6F, 0x00, 0x00, 0x0F, 0xF0, 0x23, 0xEF, 0x20, 0x77, 0x23, 0xB6, 0xFF, 0x0D, 0x60, 0x30, 0x30, 0x30, 0x00, 0x00, 0x0F, 0x24, 0x78, 0x0C, 0x50, 0x9F, 0x3E, 0xFF, 0xA2, 0x30, 0xDF, 0xE0, 0x0F, 0x2F, 0xF8, 0x43, 0xEF, 0x21, 0x06, 0x0F, 0x60, 0xD4, 0x3D, 0x57, 0x63, 0xFF, 0x30, 0x7C, 0x8E, 0x0E, 0x70, 0x14, 0x1A, 0x1A, 0x1A, 0x2F, 0xF9, 0x7F, 0x3D, 0x67, 0x5F, 0x99, 0x1C, 0x00, 0x88, 0x71, 0x34, 0xE7, 0x34, 0x87, 0x2D, 0x77, 0x8F, 0x70, 0x10, 0x00, 0xF7, 0xF9, 0x26, 0x67, 0xCC, 0xCC, 0xAA, 0xAA, 0x60, 0x31, 0x2D, 0x87, 0x70, 0x07, 0xAA, 0xAA, 0x77, 0x77, 0xB2, 0x14, 0x20, 0x20, 0x20, 0x30, 0x07, 0x96, 0x20, 0x07, 0x77, 0xA1, 0x00, 0x88, 0xF8, 0x95, 0xD6, 0xD6, 0xD6, 0x09, 0xFF, 0x10, 0xEC, 0x0F, 0x90, 0x27, 0x57, 0xBB, 0x72, 0x66, 0xF6, 0x0E, 0x11, 0x02, 0x02, 0x02, 0x00, 0x37, 0xFF, 0x3B, 0xEF, 0x8B, 0xFF, 0x38, 0x02, 0x70, 0x70, 0x78, 0xD5, 0xD5, 0xD5, 0x7F, 0xFF, 0x87, 0x08, 0xF7, 0x0F, 0x0F, 0x6C, 0x20, 0x8F, 0xFF, 0xDF, 0x77, 0x24, 0x57, 0x0D, 0x2C, 0x47, 0x83, 0xC3, 0x73, 0x47, 0xB8, 0xBB, 0xB9, 0x3E, 0x07, 0x87, 0x21, 0x67, 0x3C, 0x2F, 0x2F, 0xF9, 0x80, 0x06, 0x2E, 0x17, 0x43, 0xCF, 0x21, 0x77, 0x88, 0x90, 0x90, 0x90, 0x01, 0x01, 0xFF, 0x2E, 0x2F, 0x70, 0x88, 0x31, 0x77, 0x8A, 0x6F, 0xD0, 0x0F, 0x7F, 0x7F, 0x0F, 0x0F, 0x00, 0x10, 0x07, 0x07, 0x07, 0xF8, 0x00, 0x0D, 0xFF, 0x41, 0x02, 0x25, 0x7F, 0xFF, 0x7C, 0xFF, 0x0F, 0x10, 0x2A, 0x17, 0x50, 0x78, 0x22, 0x50, 0x82, 0x25, 0x17, 0x33, 0x91, 0x00, 0xC8, 0x65, 0x37, 0x24, 0xF7, 0x28, 0x79, 0xAA, 0x3D, 0x3A, 0x8F, 0x3C, 0x53, 0xFF, 0x06, 0x2B, 0x62, 0x60, 0x66, 0x59, 0x2C, 0xEF, 0x81, 0x1F, 0xAC, 0xA1, 0x91, 0x1F, 0x92, 0x21, 0x1F, 0xFF, 0x6F, 0x66, 0x66, 0x30, 0xC7, 0x00, 0xCB, 0xE9, 0xEC, 0xFC, 0xAC, 0x71, 0x71, 0x71, 0x06, 0x9F, 0x3C, 0x8F, 0x8F, 0x54, 0x2D, 0x0F, 0x3A, 0x47, 0xA2, 0x84, 0x3F, 0xFF, 0x5C, 0xFF, 0x0F, 0x8B, 0x25, 0xE7, 0x08, 0x00, 0x10, 0x3F, 0x33, 0x0B, 0x2F, 0xFC, 0x3C, 0x9B, 0x70, 0x33, 0x09, 0xB4, 0xB6, 0xB6, 0xB6, 0x24, 0x27, 0xFF, 0xA0, 0x25, 0x57, 0x04, 0x10, 0xDD, 0xFF, 0x11, 0x02, 0x2F, 0xFC, 0xC1, 0x7F, 0x00, 0x03, 0x00, 0xAC, 0xCE, 0xCE, 0xCE, 0xC4, 0xC4, 0x10, 0xBB, 0x13, 0x03, 0x2F, 0xFC, 0xCC, 0xA0, 0x00, 0xF0, 0x41, 0x57, 0x25, 0x47, 0xEA, 0xF0, 0xEE, 0x0A, 0x95, 0x20, 0x2F, 0x04, 0xBF, 0xB8, 0x30, 0x71, 0x34, 0x22, 0x97, 0x07, 0x33, 0x14, 0x5F, 0x00, 0xD5, 0x32, 0xCF, 0x10, 0x51, 0xBF, 0x01, 0x00, 0x22, 0xFF, 0xFE, 0x47, 0x3F, 0x87, 0x80, 0xF0, 0x30, 0x1F, 0xF5, 0xA0, 0x26, 0xCF, 0x47, 0x2A, 0xF7, 0x83, 0xC1, 0xE0, 0xF8, 0xB4, 0x12, 0xC3, 0xC3, 0xC3, 0x07, 0xFB, 0xFF, 0xFF, 0x7F, 0x57, 0x17, 0xDF, 0x08, 0x9D, 0xCF, 0xCC, 0x98, 0x2F, 0xEF, 0x88, 0x88, 0xAA, 0x36, 0xAA, 0xE5, 0x2F, 0xE7, 0x31, 0xB0, 0xE4, 0x41, 0xE7, 0x5F, 0xFF, 0xC9, 0x0E, 0xFC, 0xE8, 0xFF, 0xC9, 0x31, 0x5F, 0x00, 0x63, 0xFF, 0x30, 0x3F, 0xB8, 0x84, 0xA0, 0x3F, 0xFF, 0xE0, 0xF0, 0xE0, 0x31, 0xFF, 0x3C, 0x39, 0x10, 0x8E, 0x8C, 0xB8, 0x2C, 0x0F, 0xAD, 0xFF, 0xA8, 0xFF, 0x00, 0xC3, 0x24, 0x24, 0x24, 0xFF, 0xFE, 0xFF, 0xEE, 0x41, 0x0E, 0x2B, 0x77, 0x08, 0x00, 0x88, 0xFF, 0x62, 0x27, 0x77, 0x04, 0x10, 0xFF, 0x11, 0x11, 0x4A, 0x27, 0xCF, 0xAE, 0xD9, 0x10, 0xAF, 0x8A, 0xA9, 0x26, 0x67, 0xDB, 0x55, 0xAA, 0xAA, 0x41, 0x6D, 0x25, 0xA7, 0x01, 0x00, 0x11, 0x01, 0x46, 0x27, 0x97, 0x42, 0x37, 0x26, 0xBF, 0x78, 0xEC, 0xEC, 0xEC, 0x20, 0x16, 0xAA, 0x00, 0x8D, 0xB1, 0xB1, 0xB1, 0xD9, 0xED, 0xCC, 0xEC, 0x41, 0xD4, 0x23, 0x8F, 0xCB, 0xFD, 0xE8, 0xFC, 0xA8, 0x45, 0x47, 0xBF, 0x57, 0xFF, 0xFE, 0x20, 0x58, 0x3F, 0xFF, 0x70, 0xC7, 0xF3, 0xFF, 0x70, 0xD7, 0x80, 0x87, 0x0A, 0xCF, 0xFF, 0x0F, 0x87, 0x53, 0xFF, 0xEF, 0x43, 0xFF, 0xDF, 0x20, 0xFF, 0xCF, 0x3F, 0xFF, 0xCB, 0xDD, 0xAB, 0xAA, 0xA5, 0x86, 0x36, 0xEF, 0xFF, 0xDC, 0xF0, 0x0A, 0x27, 0xF7, 0x2F, 0x2F, 0xFF, 0x40, 0x93, 0x27, 0x5F, 0x99, 0xA9, 0xAA, 0xEA, 0xA5, 0x81, 0x01, 0x81, 0x81, 0xF9, 0xFF, 0xF8, 0xFF, 0x63, 0x5A, 0x77, 0xA1, 0x73, 0xFF, 0xDB, 0x43, 0xFF, 0x9F, 0xFF, 0x8F, 0x87, 0x29, 0xFF, 0x04, 0xBA, 0xBB, 0xAE, 0xAA, 0x85, 0x2D, 0x37, 0x80, 0xFF, 0x40, 0xFD, 0x47, 0xEF, 0xF0, 0x58, 0xFF, 0x8E, 0xC9, 0x31, 0x03, 0x31, 0x31, 0xDD, 0xFA, 0xAA, 0xFA, 0x30, 0x57, 0x30, 0xA7, 0x82, 0x3C, 0xCF, 0x38, 0x7B, 0x8C, 0x88, 0xC8, 0x52, 0x37, 0x11, 0x40, 0x26, 0x2D, 0x7F, 0xDE, 0xDC, 0xEF, 0xCE, 0x58, 0x13, 0x00, 0x13, 0x13, 0xBA, 0x55, 0xAE, 0x8A, 0x8D, 0xA1, 0x01, 0xA1, 0xA1, 0x32, 0x33, 0xDD, 0x1D, 0x43, 0x44, 0x47, 0x10, 0x11, 0x11, 0xCA, 0x24, 0xFF, 0x33, 0x33, 0xAA, 0xAA, 0x42, 0x59, 0x2F, 0xB7, 0x55, 0xAB, 0xA8, 0xAA, 0x30, 0x1F, 0x1E, 0x08, 0x3E, 0x11, 0xF0, 0x70, 0x23, 0xC7, 0x8F, 0x78, 0x8F, 0x20, 0x0F, 0x74, 0x23, 0x47, 0x9D, 0xEC, 0xA8, 0xFE, 0xC5, 0xC8, 0x29, 0x6F, 0x91, 0x5F, 0xAB, 0x33, 0x3B, 0x1C, 0x00, 0x10, 0x10, 0x22, 0x11, 0x2A, 0x2F, 0xEC, 0xAE, 0xDD, 0xAF, 0x40, 0xD7, 0xAA, 0xC1, 0x21, 0x5F, 0x31, 0x47, 0xFF, 0x00, 0x11, 0x11, 0x56, 0x25, 0x57, 0xB4, 0x21, 0x67, 0xDC, 0x38, 0xBF, 0xA0, 0x5F, 0xEA, 0x30, 0x7F, 0x7F, 0xA1, 0x00, 0x00, 0xF8, 0x59, 0xEB, 0xEB, 0xEB, 0x85, 0xFF, 0x10, 0xE8, 0xFF, 0xCD, 0x20, 0xBF, 0xCD, 0xED, 0xEC, 0xFE, 0x68, 0xCC, 0x20, 0xC7, 0x00, 0x35, 0xFF, 0x23, 0x2E, 0x2B, 0xDE, 0x9D, 0xCE, 0xFD, 0xC2, 0x3F, 0xF3, 0xFF, 0x81, 0xFF, 0x7F, 0xFF, 0x21, 0x6F, 0x3D, 0xB7, 0xBC, 0x32, 0x1F, 0x10, 0x5C, 0x5C, 0x5C, 0x7F, 0xFF, 0xEF, 0xDE, 0xEF, 0xCE, 0x66, 0x16, 0x2D, 0x97, 0x29, 0x97, 0x10, 0x26, 0x32, 0x1F, 0x20, 0xA7, 0x5A, 0x82, 0x29, 0xEF, 0x9E, 0xD9, 0xAE, 0x8A, 0xB1, 0x25, 0xC7, 0x3B, 0x82, 0x61, 0x07, 0xEE, 0xEE, 0x11, 0x11, 0x83, 0x29, 0x3F, 0x00, 0x08, 0x1E, 0x11, 0xF0, 0xAC, 0x22, 0x1F, 0xD5, 0xAA, 0xAA, 0x25, 0xEA, 0x8D, 0x27, 0xDF, 0xDD, 0xEA, 0x51, 0x67, 0x1E, 0x2A, 0x47, 0x44, 0x80, 0x34, 0x0F, 0xEF, 0xFF, 0xEF, 0x3E, 0x67, 0xED, 0xFF, 0x1D, 0xEC, 0xFF, 0x62, 0xAF, 0xFF, 0x78, 0x07, 0x2F, 0xF9, 0xFD, 0x3E, 0xFF, 0x06, 0xDF, 0x9C, 0xCF, 0xCE, 0x58, 0x2E, 0x97, 0x72, 0xFF, 0x97, 0x08, 0xC3, 0xC0, 0xE8, 0x94, 0x25, 0x27, 0xFE, 0x70, 0xFF, 0x00, 0x0E, 0xB3, 0x35, 0x35, 0x35, 0x8D, 0xFE, 0xA8, 0x61, 0xFF, 0x41, 0x5F, 0x60, 0xB7, 0x78, 0x00, 0x0E, 0x1C, 0x3A, 0xC7, 0x05, 0xCC, 0xA4, 0x00, 0xF0, 0x2F, 0x28, 0xA7, 0xDA, 0x62, 0x37, 0x83, 0x72, 0x27, 0xC3, 0xFD, 0xF8, 0xFC, 0xA4, 0x28, 0xE7, 0x7F, 0xFF, 0x1E, 0xFD, 0xFF, 0xFC, 0x4E, 0x9F, 0x07, 0x8F, 0xFF, 0x07, 0x64, 0x87, 0x37, 0xDF, 0x02, 0xE7, 0x2F, 0xFF, 0xF0, 0x0F, 0x2C, 0xA0, 0xFF, 0x02, 0xAD, 0xDF, 0xF0, 0x0F, 0x0B, 0x81, 0x47, 0xBB, 0x2F, 0xA8, 0x03, 0x00, 0x20, 0x0F, 0x3F, 0x92, 0x31, 0x17, 0x0F, 0x29, 0x08, 0x00, 0x30, 0x0F, 0xFE, 0x03, 0x70, 0x5F, 0x71, 0x67, 0xF0, 0x0F, 0x07, 0x0A, 0x9F, 0x29, 0x9F, 0xC2, 0x1F, 0xE0, 0x0F, 0x00, 0xBC, 0x29, 0x9F, 0x06, 0xB2, 0x1F, 0xE0, 0x0F, 0x10, 0x09, 0x70, 0x07, 0x10, 0x66, 0x73, 0xFF, 0x43, 0x4C, 0x04, 0x49, 0x4D, 0xFF, 0xFE, 0x14, 0x3A, 0x65, 0x02, 0x28, 0x08, 0x20, 0x00, 0x00, 0x01, 0x2F, 0xE3, 0x69, 0x6D, 0x61, 0x21, 0x67, 0x10, 0x2F, 0xEB, 0xE1, 0x00, 0x28, 0x00, 0x3D, 0x9B, 0x72, 0x00, 0x20, 0x17, 0x04, 0x90, 0x01, 0x2E, 0x47, 0xF8, 0x80, 0x10, 0x5B, 0x80, 0x07, 0x80, 0x00, 0x88, 0x77, 0x77, 0x4A, 0xF8, 0x88, 0x09, 0x84, 0x85, 0x20, 0x07, 0x29, 0xFF, 0x8B, 0x04, 0xF6, 0xDF, 0x88, 0x30, 0x17, 0x00, 0xFE, 0x8B, 0x03, 0x04, 0x00, 0xDF, 0xDD, 0x81, 0x11, 0xFF, 0x9D, 0x25, 0x00, 0x16, 0xFF, 0xDD, 0xDD, 0xA1, 0x40, 0x17, 0xC0, 0x70, 0x07, 0x00, 0x50, 0x1F, 0xEE, 0xC8, 0x11, 0x71, 0x45, 0xFE, 0x60, 0x8C, 0x27, 0xB8, 0xF7, 0x3F, 0x77, 0x77, 0x31, 0xFF, 0x8C, 0x0B, 0x04, 0x88, 0x4C, 0x33, 0x20, 0x7F, 0x8A, 0x2E, 0x52, 0xE0, 0x7F, 0x03, 0x00, 0x77, 0xF7, 0x0B, 0xF8, 0x81, 0x2F, 0xFA, 0x10, 0x1C, 0xE7, 0x77, 0x28, 0x80, 0x7F, 0x23, 0x07, 0x89, 0x00, 0x02, 0xE7, 0xCC, 0xE8, 0x77, 0x00, 0x11, 0x45, 0xFF, 0x8C, 0x14, 0xFD, 0x6E, 0x11, 0x00, 0x00, 0x45, 0xFE, 0xAC, 0x34, 0x80, 0x88, 0x7F, 0x05, 0x77, 0x0B, 0xFF, 0x81, 0x02, 0x23, 0xAF, 0x17, 0x33, 0xAF, 0x00, 0x01, 0x80, 0xBB, 0xBB, 0x0B, 0xF8, 0xDE, 0x55, 0x00, 0x44, 0x20, 0x00, 0x22, 0x29, 0xFE, 0xDA, 0x40, 0x10, 0x00, 0x20, 0xDD, 0x53, 0xA7, 0x80, 0x11, 0x99, 0x87, 0x00, 0xF8, 0xC2, 0x41, 0x11, 0x00, 0x20, 0x22, 0x45, 0x00, 0xFF, 0xBA, 0x20, 0x11, 0x01, 0xEE, 0x00, 0x22, 0x00, 0xF8, 0xB7, 0x0F, 0x44, 0x80, 0x09, 0xC8, 0x2B, 0x00, 0xF1, 0xD6, 0x4C, 0x00, 0x00, 0xBB, 0xBB, 0x0D, 0x13, 0xFF, 0xDB, 0x51, 0x4D, 0xAF, 0xF8, 0xA8, 0x5D, 0xB7, 0x20, 0x07, 0x20, 0x17, 0x11, 0x20, 0x47, 0xEE, 0xCA, 0x30, 0x11, 0x11, 0x02, 0x22, 0x22, 0x25, 0xFF, 0xCA, 0x30, 0xF0, 0x1F, 0x00, 0x01, 0x00, 0x22, 0x22, 0x65, 0xFF, 0xCA, 0x40, 0x90, 0x07, 0xC3, 0x00, 0x50, 0x1F, 0x00, 0x70, 0x3F, 0x11, 0x71, 0x22, 0x00, 0x30, 0x5F, 0x00, 0x70, 0x7F, 0x00, 0x48, 0xDC, 0x88, 0x99, 0x47, 0xF8, 0xD7, 0x4E, 0x00, 0x2A, 0x12, 0x99, 0x11, 0x47, 0xF8, 0xBB, 0x41, 0x86, 0x80, 0x9F, 0x11, 0x23, 0x22, 0x23, 0x20, 0xBF, 0x74, 0x47, 0x88, 0x00, 0x88, 0x73, 0x77, 0x8A, 0xF8, 0x9E, 0x1F, 0x12, 0x08, 0x51, 0x22, 0x02, 0x21, 0x30, 0xA7, 0x40, 0x88, 0x08, 0x00, 0x69, 0xEF, 0xCB, 0x41, 0x08, 0x00, 0xF7, 0xFF, 0x40, 0x22, 0xAB, 0x9F, 0x2A, 0x12, 0x98, 0x11, 0x47, 0xF1, 0x3B, 0xBB, 0x3A, 0x44, 0x7F, 0x21, 0x47, 0xFB, 0xBF, 0x08, 0x24, 0x5F, 0x00, 0x31, 0x77, 0x80, 0x01, 0x7B, 0xE7, 0x06, 0x44, 0x51, 0x77, 0x49, 0xFF, 0x8C, 0x00, 0x15, 0x08, 0x08, 0x77, 0xF7, 0x82, 0xF8, 0x96, 0x41, 0x16, 0x10, 0x0C, 0x93, 0x9F, 0xFF, 0x77, 0x0A, 0xF8, 0x81, 0x2E, 0x6E, 0xA0, 0xDD, 0xFF, 0x44, 0x23, 0x8F, 0x2D, 0xFF, 0x8B, 0x03, 0x15, 0x00, 0x22, 0xDF, 0xCD, 0x61, 0xFF, 0xAD, 0x25, 0x00, 0xC8, 0x33, 0x9F, 0x26, 0xAF, 0x84, 0xA8, 0x53, 0x9F, 0xC5, 0x84, 0x91, 0x40, 0x88, 0x32, 0xCF, 0x00, 0x20, 0x88, 0xEE, 0x2D, 0xFF, 0x28, 0xDB, 0x41, 0x33, 0xC7, 0x65, 0x23, 0xC7, 0x44, 0x80, 0x89, 0x80, 0x43, 0x87, 0x21, 0x22, 0x22, 0x32, 0x23, 0xF8, 0xBE, 0x41, 0x1D, 0xF3, 0x7F, 0x01, 0x00, 0x22, 0x32, 0x43, 0xA0, 0x17, 0xF0, 0x10, 0x01, 0x80, 0x07, 0x64, 0x27, 0x34, 0x17, 0x00, 0x34, 0xBF, 0x08, 0x10, 0xBF, 0x3B, 0x00, 0x0F, 0xF8, 0xDE, 0x54, 0x22, 0x51, 0xDC, 0xFD, 0xA0, 0x41, 0xAF, 0x10, 0x24, 0xFF, 0xFF, 0xA8, 0x00, 0x10, 0x11, 0x03, 0x22, 0x00, 0x45, 0xEF, 0xBA, 0x20, 0x74, 0x57, 0x34, 0x47, 0x89, 0x48, 0xFF, 0x40, 0xCE, 0x88, 0x35, 0x2F, 0x2A, 0x11, 0x30, 0x2F, 0x20, 0xBD, 0x35, 0x74, 0xBF, 0x08, 0x10, 0x88, 0x19, 0x4B, 0xE8, 0x31, 0xD7, 0x75, 0x3F, 0x20, 0x47, 0x06, 0x20, 0x47, 0xEE, 0x8C, 0x10, 0x07, 0x31, 0x85, 0xEE, 0x9C, 0x24, 0x74, 0x9F, 0x80, 0x57, 0x60, 0x47, 0xC0, 0x70, 0x57, 0x84, 0x9F, 0x11, 0x98, 0x31, 0x65, 0xFF, 0xBD, 0x06, 0x34, 0x8E, 0xCC, 0x11, 0x77, 0x00, 0x44, 0x9F, 0x24, 0x57, 0x86, 0x86, 0x10, 0x01, 0x34, 0x57, 0x80, 0xFF, 0x7F, 0x03, 0x00, 0x2F, 0xFF, 0x2A, 0xBF, 0x37, 0x00, 0x52, 0xF8, 0x8A, 0x11, 0x8C, 0xEE, 0x17, 0x11, 0xD0, 0x4A, 0x7F, 0x20, 0x27, 0x06, 0xA0, 0x17, 0x21, 0xA2, 0x11, 0x89, 0x80, 0x36, 0x1F, 0x44, 0x00, 0xB3, 0xBB, 0x09, 0xFF, 0xDB, 0x10, 0x52, 0x04, 0x20, 0x5A, 0xE7, 0x11, 0x88, 0x91, 0x89, 0x05, 0x47, 0xF8, 0xC9, 0x4F, 0x17, 0x23, 0x88, 0x41, 0x22, 0x17, 0x21, 0x01, 0x00, 0x57, 0x3F, 0x04, 0x20, 0xBB, 0xFB, 0x20, 0x27, 0x71, 0x51, 0x77, 0x57, 0xF7, 0x3F, 0x24, 0x20, 0x00, 0x02, 0xF1, 0x10, 0x01, 0xA3, 0xAF, 0xF8, 0x08, 0x64, 0xDF, 0x24, 0x0F, 0x38, 0x6F, 0x27, 0xCF, 0x03, 0xE5, 0x7F, 0x10, 0x23, 0x02, 0x00, 0x43, 0xF1, 0xB7, 0x16, 0x11, 0x75, 0x22, 0x00, 0x60, 0x25, 0x49, 0x07, 0xF4, 0x9F, 0x8C, 0x19, 0x4F, 0xF8, 0xD7, 0x2E, 0x4D, 0x22, 0x24, 0x91, 0x8D, 0x24, 0x47, 0x44, 0x9F, 0x44, 0x5F, 0x22, 0x7C, 0x22, 0x36, 0x0F, 0x74, 0x27, 0x28, 0xB7, 0x4A, 0x2F, 0x89, 0x4F, 0x44, 0xBB, 0x60, 0x3B, 0x32, 0xBF, 0xF8, 0xFF, 0xFE, 0x7F, 0x98, 0x19, 0x27, 0x18, 0xF8, 0xC1, 0x47, 0x80, 0x4F, 0x00, 0x6D, 0xBF, 0x88, 0x88, 0x71, 0xFE, 0x4D, 0xE7, 0x00, 0x4D, 0xFF, 0x2E, 0x17, 0x70, 0x07, 0x02, 0x40, 0x1F, 0x00, 0xBE, 0x3F, 0x7A, 0xAF, 0x88, 0x58, 0x91, 0x3A, 0xAF, 0x40, 0xFE, 0x8F, 0x7A, 0xAF, 0xCC, 0xE8, 0x88, 0x30, 0xEE, 0x21, 0x27, 0x3F, 0x73, 0x9F, 0x33, 0xAB, 0x91, 0x89, 0x5E, 0x27, 0x20, 0x2F, 0x11, 0x27, 0x28, 0x35, 0xB7, 0x73, 0x9F, 0x73, 0xC7, 0x15, 0x3F, 0x21, 0x20, 0x00, 0x5A, 0x7F, 0x27, 0x57, 0x3A, 0x47, 0x10, 0x0A, 0xF3, 0x9F, 0x10, 0x00, 0x89, 0x17, 0x68, 0xCF, 0xC1, 0x74, 0x2F, 0x01, 0xFD, 0x9F, 0xCA, 0xCC, 0xBF, 0xBB, 0x05, 0x4E, 0x17, 0xE1, 0x00, 0x5E, 0x1F, 0x9E, 0x37, 0x00, 0x5E, 0x3F, 0x15, 0x11, 0x20, 0x22, 0x3D, 0x8F, 0xF8, 0x00, 0x8D, 0xFF, 0x6E, 0x8F, 0x77, 0x4F, 0x10, 0x1C, 0x83, 0x87, 0x10, 0x2C, 0x62, 0xD7, 0x43, 0x4C, 0x49, 0x10, 0x4D, 0xFF, 0xFE, 0x2F, 0xA6, 0x00, 0x02, 0x02, 0x28, 0xC3, 0x2D, 0xFD, 0x3D, 0xEF, 0x69, 0x6D, 0x61, 0x67, 0x2F, 0xFE, 0x20, 0x0C, 0x1C, 0x40, 0x00, 0x0A, 0x3E, 0x10, 0x4E, 0x15, 0x00, 0x50, 0x03, 0x43, 0x4C, 0x24, 0x59, 0x54, 0x70, 0x3F, 0x80, 0x05, 0x47, 0xAE, 0x00, 0x6C, 0x18, 0x79, 0x74, 0x31, 0x30, 0x51, 0x3E, 0x3B, 0x00, 0x00, 0xA0, 0x00, 0x43, 0x00, 0x00, 0x70, 0x43, 0x74, 0x78, 0x6C, 0x32, 0x31, 0x40, 0x2F, 0xED, 0x2B, 0x90, 0x00, 0x0C, 0x2F, 0xF5, 0x1A, 0xC0, 0x2F, 0xF9, 0x2B, 0x3C, 0x00, 0x62, 0x75, 0x62, 0x62, 0x6C, 0x00, 0x65, 0x73, 0x2E, 0x62, 0x63, 0x6C, 0x69, 0x6D, 0x04, 0x00, 0x6D, 0x61, 0x73, 0x6B, 0x60, 0x0A, 0x77, 0x61, 0x60, 0x76, 0x80, 0x16, 0x2F, 0xFD, 0x6D, 0x61, 0x74, 0x31, 0x8C, 0xCD, 0x2E, 0x8C, 0x2B, 0xB0, 0x00, 0x1C, 0x30, 0x63, 0x2F, 0xF9, 0xD4, 0x2F, 0xFD, 0x66, 0x24, 0x2E, 0xA0, 0x30, 0x35, 0x5F, 0x30, 0x4C, 0x7A, 0xC0, 0xA8, 0xFF, 0x56, 0xFF, 0x00, 0x50, 0x01, 0x15, 0x40, 0x9B, 0x04, 0x30, 0x4A, 0x2F, 0xFF, 0x60, 0x4F, 0xC0, 0x50, 0xDD, 0x80, 0x3F, 0x50, 0x03, 0x80, 0x93, 0x00, 0x00, 0x52, 0x00, 0x60, 0x4F, 0x17, 0x80, 0x55, 0x06, 0x3F, 0x35, 0x05, 0x20, 0xFD, 0xB1, 0x27, 0x90, 0x4F, 0x81, 0x20, 0xB4, 0x22, 0x40, 0x24, 0x02, 0x10, 0x66, 0x2F, 0xFD, 0x47, 0x07, 0x61, 0x4A, 0x01, 0x04, 0x05, 0x50, 0xE2, 0x00, 0x20, 0xB8, 0x00, 0xB0, 0xB7, 0x1E, 0x02, 0x00, 0x05, 0x31, 0x02, 0x31, 0x4A, 0x31, 0x4E, 0x00, 0x50, 0xB7, 0x31, 0x82, 0x04, 0xD0, 0xB7, 0x70, 0x61, 0x6E, 0x31, 0x4C, 0x40, 0xC3, 0xFF, 0x00, 0x00, 0x52, 0x6F, 0x6F, 0x74, 0x50, 0x61, 0x6E, 0x78, 0x65, 0x00, 0x92, 0x21, 0xF2, 0x3B, 0x71, 0x67, 0x52, 0x17, 0x70, 0x61, 0x73, 0x21, 0x31, 0x08, 0x2F, 0xFD, 0x70, 0x69, 0x63, 0x31, 0x3D, 0xE5, 0xE0, 0x30, 0x53, 0x00, 0x71, 0x17, 0x2F, 0xFC, 0xC0, 0x80, 0x00, 0x80, 0xBF, 0xA4, 0x00, 0x90, 0x53, 0xF2, 0x22, 0x6B, 0x9A, 0x43, 0x71, 0xF7, 0x6F, 0xBB, 0x5F, 0xE7, 0x40, 0x03, 0x02, 0x62, 0x89, 0x62, 0xC5, 0x61, 0x37, 0x71, 0xF3, 0x31, 0x4B, 0x2E, 0x80, 0x3F, 0x30, 0x7F, 0xA0, 0x60, 0xD3, 0x00, 0x71, 0x47, 0x2F, 0xFC, 0xB8, 0x0B, 0x00, 0x00, 0x48, 0x42, 0x22, 0xCF, 0xC1, 0xE3, 0x11, 0x61, 0x8F, 0x5A, 0x80, 0x22, 0xEB, 0x80, 0x80, 0x7F, 0x72, 0x7F, 0x03, 0x21, 0xB5, 0xCD, 0x23, 0xCC, 0x6C, 0x42, 0x5B, 0x33, 0x33, 0x5B, 0x41, 0xB7, 0x50, 0x0F, 0x2F, 0x20, 0x40, 0x50, 0x0F, 0x20, 0xF0, 0x93, 0xE2, 0x43, 0x00, 0x60, 0x9F, 0x00, 0x12, 0xF2, 0xBB, 0x02, 0x40, 0x9F, 0x01, 0x22, 0x55, 0x2F, 0xFF, 0x31, 0x93, 0x3E, 0x50, 0x8B, 0x30, 0x07, 0xBE, 0x30, 0x0F, 0x14, 0x60, 0x9B, 0x30, 0x07, 0x01, 0x10, 0x9F, 0x51, 0xBF, 0x00, 0x93, 0x8F, 0x80, 0x03, 0xFD, 0x3F, 0x40, 0x00, 0xFE, 0x0F, 0xA1, 0x7F, 0xD3, 0x2B, 0x01, 0x10, 0x7E, 0x1B, 0x44, 0x98, 0x3D, 0xFC, 0x00, 0x01, 0x3F, 0xF9, 0x74, 0x49, 0x23, 0xA3, 0x41, 0xAB, 0x50, 0x07, 0xE1, 0x1F, 0x61, 0x65, 0x42, 0x47, 0x0C, 0x67, 0x72, 0x70, 0x31, 0x34, 0x1F, 0x32, 0x97, 0x47, 0x72, 0x13, 0x6F, 0x75, 0x70, 0xA4, 0xBA, 0x67, 0x72, 0x52, 0x6B, 0x30, 0x23, 0x8F, 0x32, 0xBF, 0x47, 0x5F, 0x41, 0xC4, 0x36, 0x34, 0x9B, 0xF3, 0xFB, 0xF4, 0x5B, 0xD5, 0xF3, 0x63, 0x90, 0x4B, 0x42, 0x03, 0x40, 0x4B, 0x2C, 0x40, 0x97, 0x43, 0xC4, 0xCE, 0xCD, 0x35, 0x93, 0xF4, 0xE3, 0x67, 0x72, 0x50, 0xEF, 0xB5, 0x7F, 0xE0, 0x24, 0x87, 0x5E, 0x11, 0x00, 0x05, 0x7F, 0xC8, 0x85, 0x7F, 0x33, 0xB3, 0x35, 0x3F, 0x35, 0xDB, 0x1E, 0xA8, 0x2F, 0xFF, 0x29, 0x2F, 0xFD, 0x34, 0x00, 0x05, 0x83, 0x6C, 0x6F, 0x67, 0x6F, 0x6F, 0x00, 0xD5, 0x8E, 0x35, 0x8B, 0x30, 0x22, 0x32, 0x34, 0xF0, 0x36, 0x1A, 0x31, 0x63, 0x55, 0xD8, 0x2F, 0xFF, 0x5C, 0x26, 0x3C, 0xAC, 0x02, 0x65, 0x8F, 0x02, 0x00, 0xA5, 0x8F, 0xFA, 0x30, 0x91, 0x01, 0xB5, 0xDF, 0x35, 0x8F, 0x95, 0xDF, 0x00, 0x15, 0x8F, 0x44, 0x26, 0x44, 0x40, 0x77, 0x24, 0x51, 0x2B, 0xB5, 0x8F, 0x01, 0xF5, 0xF7, 0x6A, 0x65, 0xF7, 0x90, 0xBB, 0x00, 0x25, 0xFB, 0xE1, 0x00, 0x36, 0x0F, 0x37, 0x64, 0x26, 0x13, 0x10, 0x24, 0x02, 0x11, 0x03, 0x36, 0x13, 0x7C, 0x03, 0x03, 0xA6, 0x13, 0x04, 0x30, 0xD3, 0x03, 0x56, 0x2F, 0x52, 0xC7, 0x04, 0x36, 0x2F, 0x6E, 0xAB, 0x6F, 0xE1, 0xE5, 0xAF, 0x76, 0x2F, 0x48, 0x38, 0x1B, 0x28, 0xB6, 0x40, 0x07, 0x05, 0x86, 0x2F, 0x57, 0x04, 0x06, 0x06, 0x2F, 0x20, 0x01, 0xC6, 0xCF, 0x02, 0x86, 0x2F, 0x4A, 0x1C, 0x77, 0x4F, 0xEE, 0x67, 0x4B, 0x46, 0xCB, 0x01, 0xA6, 0x2F, 0xFF, 0x00, 0x83, 0xDF, 0x39, 0x94, 0x50, 0x03, 0xF0, 0x86, 0xC6, 0x33, 0xCD, 0xCC, 0x4C, 0x3F, 0x30, 0x03, 0x57, 0x6F, 0x38, 0x7F, 0x42, 0x00, 0x16, 0xCF, 0xB7, 0xEF, 0x0B, 0x56, 0xAF, 0x3A, 0xEF, 0xF6, 0xAF, 0x3A, 0x70, 0xFA, 0x43, 0xEF, 0xFA, 0xBB, 0xF5, 0x3B, 0x01, 0x36, 0xCF, 0x5C, 0x00, 0x26, 0xCF, 0x3B, 0x77, 0xFB, 0x17, 0xFA, 0xBF, 0x80, 0x04, 0x36, 0xDF, 0x1F, 0xBC, 0xAB, 0xC4, 0xF4, 0xA7, 0x73, 0x00, 0x0A, 0x1A, 0x5D, 0x17, 0xE0, 0x62, 0x0D, 0xCB, 0x00, 0x15, 0x4B, 0xAE, 0x36, 0xE9, 0x22, 0xD6, 0xBC, 0x00, 0x84, 0x95, 0x43, 0x89, 0x8A, 0x34, 0x9F, 0xB6, 0x00, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+static const unsigned char HomebrewLegacy_LZ[0x2000] =
+{
+	0x11, 0x9C, 0x21, 0x00, 0x00, 0x64, 0x61, 0x72, 0x63, 0xFF, 0xFE, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7C, 0x21, 0x00, 0x00, 0x83, 0x30, 0x09, 0x24, 0x03, 0x00, 0x00, 0x40, 0x20, 0x03, 0x30, 0x13, 0xAB, 0x30, 0x18, 0x0F, 0x20, 0x1D, 0x02, 0xA0, 0x0B, 0x06, 0x20, 0x2B, 0x30, 0x18, 0x5A, 0x05, 0x20, 0x35, 0x10, 0x20, 0x39, 0x30, 0x2B, 0xA4, 0x20, 0x20, 0x40, 0xEA, 0x30, 0x45, 0x20, 0x1C, 0x30, 0x0B, 0x70, 0x60, 0x23, 0x08, 0x20, 0x59, 0x7A, 0x85, 0x30, 0x5D, 0x09, 0x00, 0x00, 0x28, 0x20, 0x2C, 0xA2, 0x20, 0x69, 0x21, 0x80, 0x19, 0x20, 0x0B, 0x04, 0x00, 0x00, 0xC4, 0x60, 0x47, 0xA0, 0x30, 0x5F, 0xCE, 0x20, 0x81, 0xC0, 0x1D, 0x00, 0x00, 0x9C, 0xA5, 0x20, 0x89, 0x12, 0x20, 0x75, 0x60, 0x1E, 0x50, 0x0B, 0x56, 0x30, 0x81, 0x55, 0x1F, 0x50, 0x17, 0x9A, 0x20, 0x8D, 0xA0, 0x60, 0x0B, 0xDE, 0x20, 0x99, 0x2A, 0x40, 0x20, 0x50, 0x2F, 0x22, 0x20, 0x9C, 0xE0, 0x60, 0x0B, 0x00, 0x20, 0x00, 0x2E, 0x20, 0xCB, 0x62, 0x00, 0x6C, 0x00, 0x79, 0x20, 0x00, 0x74, 0x20, 0xD5, 0x4E, 0x00, 0x69, 0x00, 0x6E, 0xA0, 0x20, 0x09, 0x65, 0x20, 0x05, 0x64, 0x00, 0x6F, 0x00, 0x4C, 0xA2, 0x20, 0x03, 0x67, 0x20, 0x07, 0x5F, 0x00, 0x55, 0x20, 0x03, 0x30, 0xAA, 0x20, 0x01, 0x2E, 0x20, 0x2D, 0x63, 0x01, 0x20, 0x2F, 0x44, 0x00, 0x40, 0x2F, 0x74, 0xA3, 0x20, 0x5F, 0x6D, 0x20, 0x51, 0x00, 0x00, 0x68, 0x40, 0x75, 0x70, 0x5D, 0x57, 0x62, 0x20, 0x6B, 0x74, 0x20, 0x81, 0x6F, 0x20, 0x1D, 0x70, 0x61, 0x30, 0x29, 0xD7, 0xF0, 0x27, 0x30, 0x21, 0x70, 0xE0, 0x21, 0x61, 0x20, 0xB1, 0x50, 0x2B, 0x01, 0x10, 0x8D, 0x18, 0x5F, 0x00, 0x53, 0x20, 0xBD, 0x30, 0xDD, 0x65, 0x00, 0x4F, 0x2F, 0x00, 0x75, 0x20, 0xF3, 0x43, 0x80, 0xD1, 0x30, 0x47, 0x01, 0x31, 0x01, 0x00, 0x10, 0x43, 0x6F, 0x42, 0x01, 0x80, 0x43, 0x00, 0x90, 0x87, 0x41, 0x03, 0x20, 0x43, 0x01, 0x90, 0x87, 0x00, 0x90, 0xCB, 0x01, 0x90, 0x87, 0xE0, 0x00, 0x91, 0x0F, 0xF1, 0x53, 0x90, 0x02, 0x43, 0x4C, 0x59, 0x54, 0xFF, 0x2C, 0xFE, 0x14, 0x33, 0x21, 0x02, 0x33, 0x03, 0x33, 0x0F, 0x6C, 0x79, 0x31, 0x74, 0x31, 0x30, 0x11, 0x43, 0x3C, 0x00, 0xC8, 0x43, 0x23, 0x0D, 0x03, 0x43, 0x74, 0x78, 0x6C, 0x31, 0x24, 0x63, 0x50, 0x22, 0xFA, 0x00, 0x00, 0x68, 0x62, 0x6C, 0x6F, 0x67, 0x6F, 0x5F, 0x00, 0x74, 0x6F, 0x70, 0x2E, 0x62, 0x63, 0x6C, 0x69, 0x81, 0x32, 0x18, 0x00, 0x6D, 0x61, 0x74, 0x31, 0x60, 0x63, 0x74, 0x86, 0x33, 0x57, 0x48, 0x62, 0x4D, 0x61, 0x32, 0xC3, 0xB0, 0x70, 0xFF, 0x35, 0xFF, 0xFF, 0x30, 0x03, 0x00, 0x40, 0x02, 0x15, 0x43, 0xB2, 0x04, 0x30, 0x5E, 0x98, 0xA0, 0xA3, 0x80, 0x3F, 0x50, 0x03, 0x23, 0x93, 0x61, 0x6E, 0x31, 0x48, 0x4C, 0x33, 0xE8, 0x04, 0xFF, 0x20, 0x5B, 0x52, 0x6F, 0x6F, 0x07, 0x74, 0x50, 0x61, 0x6E, 0x65, 0xE0, 0x60, 0x00, 0x80, 0x0E, 0x70, 0x47, 0x86, 0x50, 0xCF, 0x70, 0x61, 0x73, 0x31, 0x33, 0xDB, 0x70, 0x53, 0x03, 0xB3, 0x80, 0x53, 0x30, 0x01, 0x70, 0x50, 0xA0, 0x9B, 0x20, 0x42, 0x30, 0x03, 0x80, 0x53, 0x0B, 0x69, 0x63, 0x31, 0x80, 0x34, 0x90, 0x07, 0x30, 0xA7, 0x00, 0x11, 0x03, 0xC7, 0x01, 0x50, 0xA7, 0x23, 0x08, 0x00, 0x80, 0x41, 0xF1, 0x2B, 0x71, 0x95, 0x91, 0x1B, 0x83, 0xF1, 0x27, 0x80, 0x3F, 0x70, 0x61, 0x65, 0x60, 0xDB, 0x50, 0x07, 0x0C, 0x67, 0x72, 0x70, 0x31, 0x35, 0x21, 0x51, 0x33, 0x47, 0x72, 0xCD, 0x24, 0xDB, 0x82, 0x03, 0x67, 0x72, 0x51, 0x07, 0x30, 0x23, 0x3C, 0x25, 0x45, 0x07, 0x47, 0x5F, 0x41, 0x5F, 0x30, 0xA1, 0x02, 0x25, 0x37, 0x00, 0x01, 0x17, 0xD7, 0xF1, 0xD7, 0x30, 0x5F, 0x2C, 0x40, 0x3B, 0x42, 0xC0, 0x3B, 0x35, 0x7C, 0x00, 0x90, 0x2B, 0x67, 0x43, 0x00, 0x20, 0x2B, 0xD1, 0x7F, 0x67, 0x72, 0x50, 0xC7, 0x00, 0xB1, 0xE1, 0x01, 0x12, 0xBF, 0x40, 0xA0, 0x00, 0xB2, 0xBF, 0x62, 0x6F, 0x74, 0x74, 0x6F, 0x6D, 0xF2, 0x62, 0xC2, 0x09, 0x52, 0xBF, 0x50, 0xCF, 0x07, 0x52, 0xBF, 0xF0, 0xC2, 0x00, 0xE2, 0xBF, 0x42, 0xC3, 0x10, 0x00, 0xF2, 0xBF, 0x10, 0x76, 0x70, 0x1E, 0xF0, 0xF0, 0x0F, 0x0F, 0x30, 0x03, 0x02, 0x70, 0x1F, 0x9B, 0x4E, 0x44, 0xD7, 0x00, 0x2C, 0x8F, 0x00, 0x2D, 0x7F, 0x7D, 0x9D, 0xEE, 0x00, 0x4D, 0x9D, 0x11, 0x90, 0x00, 0xEF, 0x4E, 0x84, 0x06, 0x00, 0xA1, 0x00, 0x4D, 0xBD, 0x2B, 0xEE, 0x00, 0x00, 0xDB, 0xF6, 0xC5, 0x60, 0x77, 0x8D, 0x00, 0x30, 0x67, 0x3D, 0x23, 0xD5, 0x3D, 0x27, 0x40, 0x67, 0xFE, 0x00, 0x4E, 0x1D, 0x2A, 0x7A, 0xBE, 0x00, 0x00, 0x50, 0xFF, 0x57, 0xE9, 0x80, 0x17, 0xC5, 0x00, 0x4E, 0x5D, 0xFF, 0xA0, 0x79, 0x00, 0x50, 0x1F, 0x5F, 0x63, 0x1E, 0xD0, 0x00, 0xCF, 0x00, 0x7B, 0x38, 0x4F, 0x84, 0x00, 0xD1, 0x5D, 0x03, 0xF1, 0xEF, 0xFF, 0x1F, 0xF0, 0xF0, 0xFF, 0x81, 0xEF, 0x81, 0xFF, 0x3F, 0x8E, 0x21, 0xC6, 0x20, 0x1A, 0xE0, 0x20, 0x20, 0x92, 0x0F, 0x92, 0x1F, 0xC0, 0xF7, 0x00, 0x00, 0xFD, 0x02, 0xFF, 0xFF, 0x6E, 0xFF, 0x11, 0x06, 0x4E, 0x7A, 0xFF, 0x00, 0xFD, 0x00, 0x00, 0xF7, 0xC0, 0x01, 0x05, 0x00, 0x00, 0x00, 0x5E, 0xFF, 0x11, 0xFF, 0xFF, 0xF6, 0x0B, 0x08, 0x7F, 0x60, 0x10, 0xCF, 0x61, 0x73, 0xFF, 0xFF, 0x10, 0x01, 0x60, 0xFF, 0xCF, 0xE6, 0xFF, 0x7F, 0x0B, 0x71, 0x87, 0x04, 0xFA, 0x2C, 0xFF, 0x90, 0x03, 0x2D, 0x95, 0x4F, 0xFF, 0x04, 0xFC, 0x2C, 0xFF, 0xFF, 0x03, 0x00, 0x01, 0xA5, 0xFF, 0x90, 0x04, 0x5F, 0xCF, 0x10, 0x00, 0xEF, 0x2E, 0xD7, 0xA0, 0xF6, 0x18, 0x00, 0x00, 0xFC, 0x80, 0x47, 0x2D, 0x69, 0xFC, 0x00, 0x00, 0x01, 0xF6, 0x90, 0xFF, 0x5E, 0xFF, 0x01, 0x03, 0x3D, 0x72, 0x02, 0xC3, 0x0D, 0x8F, 0x20, 0xFF, 0xDF, 0x20, 0x42, 0xFF, 0x08, 0x00, 0x6E, 0xFF, 0x02, 0x40, 0xB3, 0x20, 0xFF, 0xC6, 0x83, 0x80, 0x77, 0xFA, 0x3E, 0xFF, 0x40, 0x04, 0x50, 0x9F, 0x41, 0xFF, 0x40, 0x01, 0x2D, 0xE4, 0x3E, 0xFA, 0x40, 0xFF, 0xEF, 0xFE, 0x04, 0x01, 0x08, 0xF5, 0xF1, 0x0D, 0x22, 0xEB, 0xAF, 0xEF, 0x00, 0xF0, 0xF0, 0x5F, 0x1F, 0xF1, 0xF5, 0x0F, 0x0D, 0x09, 0xFE, 0xEF, 0x08, 0x01, 0x72, 0xFF, 0xFF, 0x04, 0x53, 0x02, 0x07, 0xA0, 0xF6, 0xFF, 0x5E, 0xFC, 0x30, 0x5C, 0x7D, 0xE7, 0x20, 0x0C, 0x10, 0xF6, 0x90, 0x6E, 0x20, 0x48, 0xFF, 0xC3, 0x00, 0xFF, 0x01, 0x20, 0xFF, 0x0D, 0x8F, 0x00, 0x00, 0xDF, 0x32, 0x59, 0xB8, 0x22, 0xF2, 0x02, 0x20, 0x0F, 0x32, 0xF8, 0x30, 0x7D, 0xFC, 0xF8, 0x04, 0x00, 0x07, 0xF4, 0xF0, 0x0A, 0x0E, 0xF1, 0xF4, 0xFF, 0x00, 0xFD, 0xF8, 0xEC, 0xF5, 0xE0, 0xC0, 0x90, 0x2F, 0x00, 0x9F, 0x50, 0x10, 0xFF, 0xFF, 0xAF, 0x5F, 0xA0, 0x10, 0x50, 0x1F, 0x0D, 0x2E, 0x8D, 0x04, 0xF3, 0xF7, 0x08, 0x0C, 0x0C, 0xFA, 0xFD, 0x0C, 0x2F, 0x90, 0x3E, 0x77, 0x1F, 0x8F, 0x03, 0xCF, 0x8F, 0xFF, 0xFD, 0x5F, 0x1F, 0x06, 0x03, 0xEF, 0x00, 0xE2, 0x6C, 0xF4, 0x00, 0xF0, 0x1F, 0x02, 0x73, 0xEA, 0x01, 0x10, 0x1D, 0x00, 0xD0, 0x37, 0xA4, 0x63, 0xC2, 0xDF, 0x00, 0x6E, 0x28, 0x00, 0xC3, 0x6C, 0x00, 0x73, 0xEA, 0x2B, 0x01, 0x60, 0xFF, 0x30, 0x69, 0x00, 0x3F, 0x89, 0xFE, 0xFC, 0x20, 0x79, 0x3F, 0xFF, 0x00, 0x70, 0x7D, 0x23, 0x1B, 0x4F, 0xF5, 0x00, 0x7D, 0xE7, 0xF8, 0x00, 0x40, 0x0D, 0x10, 0x14, 0xCE, 0x01, 0x43, 0x4C, 0x49, 0x4D, 0xFF, 0xFE, 0x46, 0x14, 0x2F, 0xFF, 0x02, 0x02, 0x28, 0x24, 0x6E, 0x35, 0xA2, 0x69, 0x10, 0x6D, 0x61, 0x67, 0x24, 0x79, 0x00, 0x80, 0x00, 0x40, 0xFF, 0x52, 0x7D, 0x30, 0x0C, 0x07, 0x8F, 0xFF, 0x57, 0x9F, 0x38, 0x79, 0x00, 0x58, 0x7D, 0x00, 0xF0, 0x1F, 0x40, 0xD8, 0xB6, 0x53, 0x74, 0xDF, 0x00, 0x88, 0x27, 0x57, 0x5F, 0xFF, 0x28, 0x69, 0x00, 0x3F, 0xFF, 0xEF, 0xDD, 0x28, 0x79, 0x3F, 0xFF, 0xB2, 0x63, 0xDC, 0xFF, 0xFF, 0x98, 0x7D, 0xC7, 0x00, 0x67, 0xFF, 0x7F, 0x9D, 0x4F, 0xFF, 0x47, 0x0F, 0x48, 0xE5, 0x89, 0x47, 0x30, 0xD9, 0x50, 0xDD, 0x2F, 0xFF, 0x17, 0xE8, 0x00, 0xBF, 0x00, 0x4F, 0xFF, 0x02, 0x00, 0x10, 0x37, 0x00, 0x68, 0x7F, 0x01, 0x50, 0x7F, 0xB1, 0x00, 0x14, 0x92, 0x2F, 0x84, 0xBE, 0x00, 0x3F, 0xFF, 0x0E, 0x00, 0x20, 0x69, 0x9D, 0xF9, 0x05, 0x24, 0x9C, 0x61, 0xEF, 0x38, 0x67, 0x20, 0x04, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0x38, 0x7F, 0x83, 0x28, 0x7D, 0x10, 0x90, 0x0F, 0x0F, 0xE0, 0x29, 0x17, 0x72, 0x1F, 0x50, 0xE0, 0x20, 0x0F, 0x10, 0x38, 0x79, 0x1B, 0xFF, 0xFF, 0x02, 0x02, 0x00, 0xFF, 0xB1, 0xDF, 0xFF, 0x20, 0x40, 0x2C, 0x02, 0x01, 0x1B, 0xFD, 0x80, 0xFF, 0xFD, 0x20, 0xB1, 0x20, 0x38, 0x00, 0xDF, 0xDF, 0x08, 0x01, 0x09, 0xF0, 0xF0, 0x0E, 0xD5, 0x2A, 0xC9, 0x28, 0x69, 0x1A, 0x30, 0x27, 0x0E, 0x20, 0x0F, 0x01, 0x2A, 0xDD, 0x90, 0x88, 0x5F, 0xF5, 0x7F, 0x38, 0xF7, 0xFF, 0xFE, 0x1A, 0xFF, 0x3A, 0xF5, 0x02, 0x2A, 0xF5, 0x30, 0x29, 0x50, 0x1D, 0xF0, 0x29, 0x83, 0xF0, 0x30, 0xF0, 0x7F, 0x25, 0xDE, 0x3A, 0x31, 0xD1, 0xF9, 0xFF, 0x7F, 0x60, 0xFE, 0x30, 0x8B, 0x6A, 0x3D, 0xFE, 0xF8, 0x2F, 0xCF, 0xC0, 0x44, 0x00, 0x28, 0x60, 0x01, 0xFF, 0xF5, 0x30, 0xA2, 0x2E, 0xAF, 0x80, 0x6A, 0x55, 0x03, 0x00, 0x30, 0xFF, 0xFE, 0xFF, 0xCF, 0x90, 0x32, 0x19, 0xFF, 0x38, 0x3A, 0x6D, 0xAF, 0xBF, 0xFF, 0xFF, 0x21, 0x2F, 0x0F, 0x29, 0x0A, 0xFB, 0x00, 0x00, 0xF2, 0x20, 0x87, 0x40, 0x2F, 0x20, 0x0F, 0xAF, 0x0F, 0x00, 0x11, 0xF2, 0xFB, 0x03, 0xFF, 0xE8, 0xFF, 0xBF, 0x1E, 0x9F, 0x22, 0x6E, 0x4A, 0x91, 0x01, 0xAF, 0xCF, 0xFF, 0xFF, 0x3F, 0x0F, 0xEF, 0x20, 0x0F, 0x67, 0x2E, 0x21, 0xFF, 0x72, 0x27, 0xFF, 0x03, 0x5B, 0x82, 0x70, 0x7F, 0x86, 0x77, 0x80, 0x01, 0x60, 0x7F, 0xF7, 0xF2, 0x7F, 0xBF, 0xD0, 0x70, 0xFF, 0x21, 0xFF, 0x20, 0x20, 0x03, 0xB1, 0xF5, 0xBF, 0x2F, 0x21, 0x23, 0x80, 0x39, 0x9F, 0xF2, 0xFD, 0xFF, 0x0B, 0x06, 0xFF, 0xDF, 0x00, 0x02, 0x00, 0x2F, 0x6F, 0x70, 0xB0, 0xBF, 0xFF, 0x40, 0xF1, 0x20, 0xC3, 0x07, 0x02, 0xDF, 0x7F, 0x00, 0x00, 0x02, 0xFB, 0xF6, 0xFD, 0xFF, 0xF2, 0xD0, 0x20, 0xB1, 0x0C, 0x1E, 0x00, 0x00, 0x07, 0x72, 0x87, 0x03, 0x74, 0x7F, 0x29, 0x73, 0xD4, 0x7F, 0x10, 0xE5, 0x56, 0xFD, 0x38, 0xF8, 0x00, 0x84, 0xBF, 0x41, 0x4E, 0x74, 0xBF, 0x9C, 0x63, 0x1A, 0x05, 0x70, 0x61, 0x74, 0x31, 0x3C, 0x63, 0x60, 0x1C, 0x67, 0x7B, 0x60, 0xF1, 0x22, 0x27, 0x3A, 0x7E, 0x53, 0x63, 0x65, 0x6E, 0x65, 0x08, 0x4F, 0x75, 0x74, 0x43, 0x2F, 0xFF, 0x47, 0x5F, 0x43, 0x10, 0x5F, 0x30, 0x30, 0xDF, 0xFF, 0x70, 0x61, 0x69, 0x31, 0x4D, 0x4C, 0x8B, 0x5A, 0x02, 0x00, 0x35, 0x19, 0x30, 0x43, 0x40, 0x2F, 0xFF, 0x04, 0x48, 0x62, 0x4D, 0x61, 0x74, 0x00, 0x2F, 0xFF, 0x48, 0x62, 0x0D, 0x52, 0x6F, 0x6F, 0x74, 0xE0, 0x48, 0x02, 0xE0, 0x9F, 0x42, 0x40, 0x9F, 0x56, 0x42, 0x08, 0x80, 0x9F, 0x41, 0x41, 0x3F, 0x41, 0x10, 0x0C, 0x81, 0x3F, 0x05, 0x33, 0x1F, 0x77, 0x00, 0xA2, 0x13, 0x49, 0x99, 0x58, 0x3D, 0x71, 0x8A, 0x00, 0x3A, 0x75, 0x0A, 0xEF, 0xE4, 0xC9, 0xFC, 0xB1, 0x00, 0x00, 0x99, 0x02, 0x63, 0xA9, 0x9B, 0x74, 0xE0, 0x00, 0x38, 0xD3, 0x33, 0xC0, 0x52, 0x6A, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
 };
\ No newline at end of file

From 9f20fed0776eb9798834f238f5e83973b543161b Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Mon, 11 May 2020 16:57:26 +0800
Subject: [PATCH 230/317] Remove references to appveyor

---
 .appveyor.yml | 29 -----------------------------
 README.md     |  7 +------
 2 files changed, 1 insertion(+), 35 deletions(-)
 delete mode 100644 .appveyor.yml

diff --git a/.appveyor.yml b/.appveyor.yml
deleted file mode 100644
index 8ed1c448..00000000
--- a/.appveyor.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-version: '{build}'
-
-os:
-- Visual Studio 2017
-- Ubuntu1804
-
-install:
-- cmd: set PATH=%PATH%;C:\mingw-w64\x86_64-8.1.0-posix-seh-rt_v6-rev0\mingw64\bin
-
-build_script:
-  - cmd: |
-      mingw32-make -j 6 -C ctrtool
-      mingw32-make -j 6 -C makerom
-  - sh: |
-      make -j 2 -C ctrtool
-      make -j 2 -C makerom
-
-after_build:
-  - cmd: |
-      move ctrtool\ctrtool.exe && move makerom\makerom.exe
-      7z a Project_CTR.zip ctrtool.exe makerom.exe
-  - sh: |
-      cd ctrtool && 7z u ../Project_CTR.zip ctrtool
-      cd ../makerom && 7z u ../Project_CTR.zip makerom
-
-test: off
-
-artifacts:
-  - path: Project_CTR.zip
diff --git a/README.md b/README.md
index cb927b98..ce2a7b7b 100644
--- a/README.md
+++ b/README.md
@@ -3,9 +3,4 @@ Project_CTR
 
 ctrtool - updated version of neimod's ctrtool.
 
-makerom - creates CTR cxi/cfa/cci/cia files.
-
-## CI Builds
-Thanks to @Margen67 we have AppVeyor make new builds for each commit to master.
-
-Download them here: https://ci.appveyor.com/project/jakcron/project-ctr
+makerom - creates CTR cxi/cfa/cci/cia files.
\ No newline at end of file

From f33d66c6df9530ed2c0e01a6e55becf408b73390 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Mon, 11 May 2020 16:57:40 +0800
Subject: [PATCH 231/317] Add github actions

---
 .github/workflows/build_master.yml | 34 ++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/build_master.yml

diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
new file mode 100644
index 00000000..9c4e8bcd
--- /dev/null
+++ b/.github/workflows/build_master.yml
@@ -0,0 +1,34 @@
+name: Compile Master Branch
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  release:
+    types: [ created ]
+
+jobs:
+  build:
+    name: Compile ${{ matrix.prog }} for ${{ matrix.dist }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        dist: [ubuntu_x86_64, macos_x86_64, win_x86_64]
+        prog: [ctrtool, makerom]
+        include:
+         - dist: win_x86_64
+           os: windows-2016
+           binExt: .exe
+         - dist: ubuntu_x86_64
+           os: ubuntu-latest
+         - dist: macos_x86_64
+           os: macos-latest
+    steps:
+    - uses: actions/checkout@v1
+    - name: Compile ${{ matrix.prog }}
+      run: cd ${{ matrix.prog }}; make ${{ matrix.makeArgs }};
+    - uses: actions/upload-artifact@v2
+      with:
+        name: ${{ matrix.prog }}-${{ matrix.dist }}
+        path: ${{ matrix.prog }}/${{ matrix.prog }}${{ matrix.binExt }}
\ No newline at end of file

From 85a0ba610ece97f0947f2eabc8df0e24a554dc33 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Mon, 11 May 2020 17:00:52 +0800
Subject: [PATCH 232/317] Update windows ctrtool makefile.

---
 ctrtool/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/Makefile b/ctrtool/Makefile
index be6e85b7..cd515a4e 100644
--- a/ctrtool/Makefile
+++ b/ctrtool/Makefile
@@ -22,7 +22,7 @@ else ifneq (, $(findstring darwin, $(SYS)))
 else
     #Windows Build CFG
     CFLAGS += -Wno-unused-but-set-variable
-    LIBS += -static-libgcc -static-libstdc++
+    LIBS += -static-libgcc -static-libstdc++ -static -lpthread
 endif
 
 main: $(OBJS)

From 6ebef3c42aee8b373cbb3f837b3fa66e8ba41917 Mon Sep 17 00:00:00 2001
From: xprism1 <xprism01@gmail.com>
Date: Mon, 25 Jan 2021 17:26:22 +0800
Subject: [PATCH 233/317] Add support for custom decrypted TitleKey

---
 makerom/cia.c           | 6 ++++++
 makerom/tik.c           | 2 +-
 makerom/user_settings.c | 9 +++++++++
 makerom/user_settings.h | 1 +
 4 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index 492181ac..fb9f1786 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -184,6 +184,12 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	
 	if(usrset->cia.randomTitleKey)
 		rndset(ciaset->common.titleKey,AES_128_KEY_SIZE);
+	else if(usrset->cia.titleKey){
+    for (size_t count = 0; count < sizeof(ciaset->common.titleKey)/sizeof(ciaset->common.titleKey[0]); count++) {
+      sscanf(usrset->cia.titleKey, "%2hhx", &ciaset->common.titleKey[count]);
+      usrset->cia.titleKey += 2;
+    }
+	}
 	else
 		clrmem(ciaset->common.titleKey,AES_128_KEY_SIZE);
 
diff --git a/makerom/tik.c b/makerom/tik.c
index df955992..f28f2e54 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -65,7 +65,7 @@ void SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 	SetLimits(hdr,ciaset);
 	
 	// Crypt TitleKey
-	if(ciaset->content.encryptCia)
+	if(ciaset->content.encryptCia || ciaset->common.titleKey)
 		CryptTitleKey(ciaset->common.titleKey, hdr->encryptedTitleKey, hdr->titleId, ciaset->keys, ENC);
 	else
 		rndset(hdr->encryptedTitleKey,AES_128_KEY_SIZE);
diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 3e498b6e..e5e07e93 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -559,6 +559,14 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->cia.randomTitleKey = true;
 		return 1;
 	}
+	else if (strcmp(argv[i], "-titlekey") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
+			return USR_ARG_REQ_PARAM;
+		}
+    set->cia.titleKey = argv[i + 1];
+		return 2;
+	}
 	else if (strcmp(argv[i], "-dlc") == 0) {
 		if (ParamNum) {
 			PrintNoNeedParam(argv[i]);
@@ -990,6 +998,7 @@ void DisplayExtendedHelp(char *app_name)
 	printf(" -dver          <version>           Data-title version\n");
 	printf(" -deviceid      <hex id>            3DS unique device ID\n");
 	printf(" -esaccid       <hex id>            e-Shop account ID\n");
+	printf(" -titlekey      <titlekey>          Specify decrypted title key\n");
 	printf(" -rand                              Use a random title key\n");
 	printf(" -dlc                               Create DLC CIA\n");
 	printf(" -srl           <srl file>          Package a TWL SRL in a CIA\n");
diff --git a/makerom/user_settings.h b/makerom/user_settings.h
index ba6af79e..e09ec504 100644
--- a/makerom/user_settings.h
+++ b/makerom/user_settings.h
@@ -284,6 +284,7 @@ typedef struct
 	
 	struct{
 		bool randomTitleKey;
+		char *titleKey;
 		bool encryptCia;
 		bool DlcContent;
 		bool includeUpdateNcch;

From 928d9151965df067103b23507690e410d8735ae3 Mon Sep 17 00:00:00 2001
From: xprism1 <xprism01@gmail.com>
Date: Wed, 27 Jan 2021 02:09:39 +0800
Subject: [PATCH 234/317] Respect content.encryptCia

---
 makerom/tik.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/tik.c b/makerom/tik.c
index f28f2e54..df955992 100644
--- a/makerom/tik.c
+++ b/makerom/tik.c
@@ -65,7 +65,7 @@ void SetupTicketHeader(tik_hdr *hdr, cia_settings *ciaset)
 	SetLimits(hdr,ciaset);
 	
 	// Crypt TitleKey
-	if(ciaset->content.encryptCia || ciaset->common.titleKey)
+	if(ciaset->content.encryptCia)
 		CryptTitleKey(ciaset->common.titleKey, hdr->encryptedTitleKey, hdr->titleId, ciaset->keys, ENC);
 	else
 		rndset(hdr->encryptedTitleKey,AES_128_KEY_SIZE);

From 24149fcf6e52fd74ead01c457e55e79109c18207 Mon Sep 17 00:00:00 2001
From: xprism1 <xprism01@gmail.com>
Date: Wed, 27 Jan 2021 02:12:47 +0800
Subject: [PATCH 235/317] Override content.encryptCia when titlekey specified

---
 makerom/cia.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/makerom/cia.c b/makerom/cia.c
index fb9f1786..00c7bddd 100644
--- a/makerom/cia.c
+++ b/makerom/cia.c
@@ -160,7 +160,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	ciaset->verbose = usrset->common.verbose;
 	
 	ciaset->tmd.titleType = TYPE_CTR;
-	ciaset->content.encryptCia = usrset->common.rsfSet.Option.EnableCrypt;
+	ciaset->content.encryptCia = usrset->common.rsfSet.Option.EnableCrypt || usrset->cia.titleKey != NULL;
 	ciaset->content.IsDlc = usrset->cia.DlcContent;
 	if(ciaset->keys->aes.commonKey[ciaset->keys->aes.currentCommonKey] == NULL && ciaset->content.encryptCia){
 		fprintf(stderr,"[CIA WARNING] Common Key could not be loaded, CIA will not be encrypted\n");
@@ -185,10 +185,10 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset)
 	if(usrset->cia.randomTitleKey)
 		rndset(ciaset->common.titleKey,AES_128_KEY_SIZE);
 	else if(usrset->cia.titleKey){
-    for (size_t count = 0; count < sizeof(ciaset->common.titleKey)/sizeof(ciaset->common.titleKey[0]); count++) {
-      sscanf(usrset->cia.titleKey, "%2hhx", &ciaset->common.titleKey[count]);
-      usrset->cia.titleKey += 2;
-    }
+		for (size_t count = 0; count < sizeof(ciaset->common.titleKey)/sizeof(ciaset->common.titleKey[0]); count++) {
+			sscanf(usrset->cia.titleKey, "%2hhx", &ciaset->common.titleKey[count]);
+			usrset->cia.titleKey += 2;
+		}
 	}
 	else
 		clrmem(ciaset->common.titleKey,AES_128_KEY_SIZE);

From 73aeef12b8b977bdda43b7f67b0dcca9a0cea068 Mon Sep 17 00:00:00 2001
From: xprism1 <xprism01@gmail.com>
Date: Wed, 27 Jan 2021 02:19:55 +0800
Subject: [PATCH 236/317] Override content.encryptCia when titlekey specified

---
 makerom/user_settings.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index e5e07e93..3583e9c3 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -564,7 +564,7 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 			PrintArgReqParam(argv[i], 1);
 			return USR_ARG_REQ_PARAM;
 		}
-    set->cia.titleKey = argv[i + 1];
+		set->cia.titleKey = argv[i + 1];
 		return 2;
 	}
 	else if (strcmp(argv[i], "-dlc") == 0) {
@@ -998,7 +998,7 @@ void DisplayExtendedHelp(char *app_name)
 	printf(" -dver          <version>           Data-title version\n");
 	printf(" -deviceid      <hex id>            3DS unique device ID\n");
 	printf(" -esaccid       <hex id>            e-Shop account ID\n");
-	printf(" -titlekey      <titlekey>          Specify decrypted title key\n");
+	printf(" -titlekey      <titlekey>          Specify decrypted title key (Overrides \"EnableCrypt\" in RSF to true)\n");
 	printf(" -rand                              Use a random title key\n");
 	printf(" -dlc                               Create DLC CIA\n");
 	printf(" -srl           <srl file>          Package a TWL SRL in a CIA\n");

From d8cede313c3c05b40ae5291fdba7261c1964af0e Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 27 Mar 2021 12:18:45 +0800
Subject: [PATCH 237/317] Update ticket definition for makerom.

---
 makerom/tik.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/makerom/tik.h b/makerom/tik.h
index 8cc351d5..bfce48fb 100644
--- a/makerom/tik.h
+++ b/makerom/tik.h
@@ -64,7 +64,9 @@ typedef struct
 	u8 padding2[8];
 	u8 licenceType;
 	u8 keyId;
-	u8 padding3[0x2A];
+	u8 propertyMask[2];
+	u8 customData[0x14];
+	u8 padding3[0x14];
 	u8 eshopAccId[4];
 	u8 padding4;
 	u8 audit;

From c9a198814b1c5316cd300bd919d47bf0001f93f1 Mon Sep 17 00:00:00 2001
From: Margen67 <Margen67@users.noreply.github.com>
Date: Sun, 2 May 2021 23:37:54 -1000
Subject: [PATCH 238/317] build_master: Improvements

Add workflow_dispatch: https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
Upgrade windows-2016 to windows-latest.
Add -j to makeArgs.
Upgrade checkout to v2.
Use working-directory instead of cd for compile.
Add if-no-files-found: error to upload-artifact.
---
 .github/workflows/build_master.yml | 36 ++++++++++++++++++------------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 9c4e8bcd..437e2b64 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -7,6 +7,7 @@ on:
     branches: [ master ]
   release:
     types: [ created ]
+  workflow_dispatch:
 
 jobs:
   build:
@@ -17,18 +18,25 @@ jobs:
         dist: [ubuntu_x86_64, macos_x86_64, win_x86_64]
         prog: [ctrtool, makerom]
         include:
-         - dist: win_x86_64
-           os: windows-2016
-           binExt: .exe
-         - dist: ubuntu_x86_64
-           os: ubuntu-latest
-         - dist: macos_x86_64
-           os: macos-latest
+          - dist: win_x86_64
+            os: windows-latest
+            makeArgs: -j $env:NUMBER_OF_PROCESSORS
+            binExt: .exe
+          - dist: ubuntu_x86_64
+            os: ubuntu-latest
+            makeArgs: -j$(nproc)
+          - dist: macos_x86_64
+            os: macos-latest
+            makeArgs: -j$(sysctl -n hw.activecpu)
     steps:
-    - uses: actions/checkout@v1
-    - name: Compile ${{ matrix.prog }}
-      run: cd ${{ matrix.prog }}; make ${{ matrix.makeArgs }};
-    - uses: actions/upload-artifact@v2
-      with:
-        name: ${{ matrix.prog }}-${{ matrix.dist }}
-        path: ${{ matrix.prog }}/${{ matrix.prog }}${{ matrix.binExt }}
\ No newline at end of file
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Compile ${{ matrix.prog }}
+        working-directory: ${{ matrix.prog }}
+        run: make ${{ matrix.makeArgs }}
+      - uses: actions/upload-artifact@v2
+        with:
+          name: ${{ matrix.prog }}-${{ matrix.dist }}
+          path: ${{ matrix.prog }}/${{ matrix.prog }}${{ matrix.binExt }}
+          if-no-files-found: error

From b7ee685b5be1b3bb886a62e0be4f489d2fafd2b6 Mon Sep 17 00:00:00 2001
From: Jack <jakcron.dev@gmail.com>
Date: Wed, 21 Jul 2021 16:50:43 +0800
Subject: [PATCH 239/317] Update README.md

Looking for feedback on the future of ProjectCTR
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ce2a7b7b..6587032d 100644
--- a/README.md
+++ b/README.md
@@ -3,4 +3,8 @@ Project_CTR
 
 ctrtool - updated version of neimod's ctrtool.
 
-makerom - creates CTR cxi/cfa/cci/cia files.
\ No newline at end of file
+makerom - creates CTR cxi/cfa/cci/cia files.
+
+# Community Input Wanted
+I'm looking for some feedback on where to take Project_CTR, see here:
+https://github.com/3DSGuy/Project_CTR/issues/103

From 416431c24e5423b235850394e4775c696ed7d6ad Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 28 Nov 2021 12:49:45 +0800
Subject: [PATCH 240/317] Bump version number to v0.18

---
 makerom/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/user_settings.c b/makerom/user_settings.c
index 3583e9c3..469bf381 100644
--- a/makerom/user_settings.c
+++ b/makerom/user_settings.c
@@ -910,7 +910,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.17 (C) 3DSGuy 2020\n");
+	printf("CTR MAKEROM v0.18 (C) 3DSGuy 2021\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From ef3a1bc2e6e7510ba781f96b480e17fc8e580738 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 12 Mar 2022 14:13:01 +0800
Subject: [PATCH 241/317] Remove old ctrtool source code.

---
 ctrtool/LICENSE                   |   22 -
 ctrtool/Makefile                  |   32 -
 ctrtool/aes_keygen.c              |  100 --
 ctrtool/aes_keygen.h              |    8 -
 ctrtool/cia.c                     |  317 -----
 ctrtool/cia.h                     |   72 -
 ctrtool/ctr.c                     |  357 -----
 ctrtool/ctr.h                     |  149 ---
 ctrtool/ctrtool.sln               |   20 -
 ctrtool/ctrtool.vcproj            |  442 -------
 ctrtool/ctrtool.vcxproj           |  164 ---
 ctrtool/ctrtool.vcxproj.filters   |  225 ----
 ctrtool/cwav.c                    | 1003 --------------
 ctrtool/cwav.h                    |  205 ---
 ctrtool/exefs.c                   |  342 -----
 ctrtool/exefs.h                   |   61 -
 ctrtool/exheader.c                |  704 ----------
 ctrtool/exheader.h                |  202 ---
 ctrtool/filepath.c                |   90 --
 ctrtool/filepath.h                |   20 -
 ctrtool/firm.c                    |  257 ----
 ctrtool/firm.h                    |   57 -
 ctrtool/info.h                    |   16 -
 ctrtool/ivfc.c                    |  247 ----
 ctrtool/ivfc.h                    |   78 --
 ctrtool/keyset.cpp                |  395 ------
 ctrtool/keyset.h                  |   96 --
 ctrtool/lzss.c                    |  195 ---
 ctrtool/lzss.h                    |   26 -
 ctrtool/main.c                    |  488 -------
 ctrtool/ncch.c                    |  880 -------------
 ctrtool/ncch.h                    |  113 --
 ctrtool/ncsd.c                    |  165 ---
 ctrtool/ncsd.h                    |   57 -
 ctrtool/oschar.c                  |  210 ---
 ctrtool/oschar.h                  |   95 --
 ctrtool/polarssl/aes.c            | 1164 ----------------
 ctrtool/polarssl/aes.h            |  139 --
 ctrtool/polarssl/bignum.c         | 2038 -----------------------------
 ctrtool/polarssl/bignum.h         |  533 --------
 ctrtool/polarssl/bn_mul.h         |  736 -----------
 ctrtool/polarssl/config.h         |  336 -----
 ctrtool/polarssl/padlock.h        |   98 --
 ctrtool/polarssl/rsa.c            |  823 ------------
 ctrtool/polarssl/rsa.h            |  353 -----
 ctrtool/polarssl/sha2.c           |  702 ----------
 ctrtool/polarssl/sha2.h           |  155 ---
 ctrtool/romfs.c                   |  406 ------
 ctrtool/romfs.h                   |   99 --
 ctrtool/settings.c                |  314 -----
 ctrtool/settings.h                |   81 --
 ctrtool/stream.c                  |  138 --
 ctrtool/stream.h                  |   45 -
 ctrtool/syscalls.c                |  171 ---
 ctrtool/syscalls.h                |   19 -
 ctrtool/tik.c                     |  127 --
 ctrtool/tik.h                     |   64 -
 ctrtool/tinyxml/tinystr.cpp       |  111 --
 ctrtool/tinyxml/tinystr.h         |  305 -----
 ctrtool/tinyxml/tinyxml.cpp       | 1886 --------------------------
 ctrtool/tinyxml/tinyxml.h         | 1805 -------------------------
 ctrtool/tinyxml/tinyxmlerror.cpp  |   52 -
 ctrtool/tinyxml/tinyxmlparser.cpp | 1638 -----------------------
 ctrtool/tmd.c                     |  180 ---
 ctrtool/tmd.h                     |  103 --
 ctrtool/types.h                   |   44 -
 ctrtool/utils.c                   |  239 ----
 ctrtool/utils.h                   |   59 -
 ctrtool/windows/getopt.c          | 1047 ---------------
 ctrtool/windows/getopt.h          |  172 ---
 ctrtool/windows/getopt1.c         |  188 ---
 71 files changed, 24280 deletions(-)
 delete mode 100644 ctrtool/LICENSE
 delete mode 100644 ctrtool/Makefile
 delete mode 100644 ctrtool/aes_keygen.c
 delete mode 100644 ctrtool/aes_keygen.h
 delete mode 100644 ctrtool/cia.c
 delete mode 100644 ctrtool/cia.h
 delete mode 100644 ctrtool/ctr.c
 delete mode 100644 ctrtool/ctr.h
 delete mode 100644 ctrtool/ctrtool.sln
 delete mode 100644 ctrtool/ctrtool.vcproj
 delete mode 100644 ctrtool/ctrtool.vcxproj
 delete mode 100644 ctrtool/ctrtool.vcxproj.filters
 delete mode 100644 ctrtool/cwav.c
 delete mode 100644 ctrtool/cwav.h
 delete mode 100644 ctrtool/exefs.c
 delete mode 100644 ctrtool/exefs.h
 delete mode 100644 ctrtool/exheader.c
 delete mode 100644 ctrtool/exheader.h
 delete mode 100644 ctrtool/filepath.c
 delete mode 100644 ctrtool/filepath.h
 delete mode 100644 ctrtool/firm.c
 delete mode 100644 ctrtool/firm.h
 delete mode 100644 ctrtool/info.h
 delete mode 100644 ctrtool/ivfc.c
 delete mode 100644 ctrtool/ivfc.h
 delete mode 100644 ctrtool/keyset.cpp
 delete mode 100644 ctrtool/keyset.h
 delete mode 100644 ctrtool/lzss.c
 delete mode 100644 ctrtool/lzss.h
 delete mode 100644 ctrtool/main.c
 delete mode 100644 ctrtool/ncch.c
 delete mode 100644 ctrtool/ncch.h
 delete mode 100644 ctrtool/ncsd.c
 delete mode 100644 ctrtool/ncsd.h
 delete mode 100644 ctrtool/oschar.c
 delete mode 100644 ctrtool/oschar.h
 delete mode 100644 ctrtool/polarssl/aes.c
 delete mode 100644 ctrtool/polarssl/aes.h
 delete mode 100644 ctrtool/polarssl/bignum.c
 delete mode 100644 ctrtool/polarssl/bignum.h
 delete mode 100644 ctrtool/polarssl/bn_mul.h
 delete mode 100644 ctrtool/polarssl/config.h
 delete mode 100644 ctrtool/polarssl/padlock.h
 delete mode 100644 ctrtool/polarssl/rsa.c
 delete mode 100644 ctrtool/polarssl/rsa.h
 delete mode 100644 ctrtool/polarssl/sha2.c
 delete mode 100644 ctrtool/polarssl/sha2.h
 delete mode 100644 ctrtool/romfs.c
 delete mode 100644 ctrtool/romfs.h
 delete mode 100644 ctrtool/settings.c
 delete mode 100644 ctrtool/settings.h
 delete mode 100644 ctrtool/stream.c
 delete mode 100644 ctrtool/stream.h
 delete mode 100644 ctrtool/syscalls.c
 delete mode 100644 ctrtool/syscalls.h
 delete mode 100644 ctrtool/tik.c
 delete mode 100644 ctrtool/tik.h
 delete mode 100644 ctrtool/tinyxml/tinystr.cpp
 delete mode 100644 ctrtool/tinyxml/tinystr.h
 delete mode 100644 ctrtool/tinyxml/tinyxml.cpp
 delete mode 100644 ctrtool/tinyxml/tinyxml.h
 delete mode 100644 ctrtool/tinyxml/tinyxmlerror.cpp
 delete mode 100644 ctrtool/tinyxml/tinyxmlparser.cpp
 delete mode 100644 ctrtool/tmd.c
 delete mode 100644 ctrtool/tmd.h
 delete mode 100644 ctrtool/types.h
 delete mode 100644 ctrtool/utils.c
 delete mode 100644 ctrtool/utils.h
 delete mode 100644 ctrtool/windows/getopt.c
 delete mode 100644 ctrtool/windows/getopt.h
 delete mode 100644 ctrtool/windows/getopt1.c

diff --git a/ctrtool/LICENSE b/ctrtool/LICENSE
deleted file mode 100644
index 37685952..00000000
--- a/ctrtool/LICENSE
+++ /dev/null
@@ -1,22 +0,0 @@
-MIT License
-
-Copyright (c) 2012 neimod
-Copyright (c) 2014 3DSGuy
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
\ No newline at end of file
diff --git a/ctrtool/Makefile b/ctrtool/Makefile
deleted file mode 100644
index cd515a4e..00000000
--- a/ctrtool/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-# Sources
-SRC_DIR = . polarssl tinyxml
-OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c))) $(foreach dir,$(SRC_DIR),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp)))
-
-# Compiler Settings
-OUTPUT = ctrtool
-CXXFLAGS = -I.
-CFLAGS = -O2 -Wall -Wno-unused-variable  -Wno-unused-result -I. -std=c11
-CC = gcc
-CXX = g++
-SYS := $(shell gcc -dumpmachine)
-ifneq (, $(findstring linux, $(SYS)))
-    # Linux
-    CFLAGS += -Wno-unused-but-set-variable
-else ifneq (, $(findstring cygwin, $(SYS)))
-    # Cygwin
-    CFLAGS += -Wno-unused-but-set-variable -DUSE_FILE32API
-    LIBS += -liconv -static-libgcc -static-libstdc++
-else ifneq (, $(findstring darwin, $(SYS)))
-    # OS X
-    LIBS += -liconv
-else
-    #Windows Build CFG
-    CFLAGS += -Wno-unused-but-set-variable
-    LIBS += -static-libgcc -static-libstdc++ -static -lpthread
-endif
-
-main: $(OBJS)
-	$(CXX) -o $(OUTPUT) $(OBJS) $(LIBS)
-
-clean:
-	rm -rf $(OUTPUT) $(OBJS)
diff --git a/ctrtool/aes_keygen.c b/ctrtool/aes_keygen.c
deleted file mode 100644
index eb81bdff..00000000
--- a/ctrtool/aes_keygen.c
+++ /dev/null
@@ -1,100 +0,0 @@
-#include "aes_keygen.h"
-
-// 128bit wrap-around math
-int32_t wrap_index(int32_t i)
-{
-	return i < 0 ? ((i % 16) + 16) % 16 : (i > 15 ? i % 16 : i);
-}
-
-void n128_rrot(const uint8_t *in, uint32_t rot, uint8_t *out)
-{
-	uint32_t bit_shift, byte_shift;
-
-	rot = rot % 128;
-	byte_shift = rot / 8;
-	bit_shift = rot % 8;
-
-	for (int32_t i = 0; i < 16; i++) {
-		out[i] = (in[wrap_index(i - byte_shift)] >> bit_shift) | (in[wrap_index(i - byte_shift - 1)] << (8 - bit_shift));
-	}
-
-}
-
-void n128_lrot(const uint8_t *in, uint32_t rot, uint8_t *out)
-{
-	uint32_t bit_shift, byte_shift;
-
-	rot = rot % 128;
-	byte_shift = rot / 8;
-	bit_shift = rot % 8;
-
-	for (int32_t i = 0; i < 16; i++) {
-		out[i] = (in[wrap_index(i + byte_shift)] << bit_shift) | (in[wrap_index(i + byte_shift + 1)] >> (8 - bit_shift));
-	}
-}
-
-/* out = a + b
-*/
-void n128_add(const uint8_t *a, const uint8_t *b, uint8_t *out)
-{
-	uint8_t carry = 0;
-	uint32_t sum = 0;
-
-	for (int i = 15; i >= 0; i--) {
-		sum = a[i] + b[i] + carry;
-		carry = sum >> 8;
-		out[i] = sum & 0xff;
-	}
-}
-
-/* out = a - b
-*/
-void n128_sub(const uint8_t *a, const uint8_t *b, uint8_t *out)
-{
-	uint8_t carry = 0;
-	uint32_t sum = 0;
-
-	for (int i = 15; i >= 0; i--) {
-		sum = a[i] - (b[i] + carry);
-
-		// check to see if anything was borrowed from next byte
-		if (a[i] < (b[i] + carry)) {
-			sum += 0x100;
-			carry = 1;
-		}
-		else {
-			carry = 0;
-		}
-
-		// set value
-		out[i] = sum & 0xff;
-	}
-}
-
-void n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out)
-{
-	for (int i = 0; i < 16; i++) {
-		out[i] = a[i] ^ b[i];
-	}
-}
-
-// keygen algorithm
-void ctr_aes_keygen(const uint8_t *x, const uint8_t *y, uint8_t *key)
-{
-	static const uint8_t KEYGEN_CONST[16] = { 0x1F, 0xF9, 0xE9, 0xAA, 0xC5, 0xFE, 0x04, 0x08, 0x02, 0x45, 0x91, 0xDC, 0x5D, 0x52, 0x76, 0x8A };
-
-	// overall algo:
-	// key = (((x <<< 2) ^ y) + KEYGEN_CONST) >>> 41
-	uint8_t x_rot[16], key_xy[16], key_xyc[16];
-
-	// x_rot = x <<< 2
-	n128_lrot(x, 2, x_rot);
-
-	// key_xy = x_rot ^ y
-	n128_xor(x_rot, y, key_xy);
-
-	// key_xyc = key_xy + KEYGEN_CONST
-	n128_add(key_xy, KEYGEN_CONST, key_xyc);
-
-	n128_rrot(key_xyc, 41, key);
-}
\ No newline at end of file
diff --git a/ctrtool/aes_keygen.h b/ctrtool/aes_keygen.h
deleted file mode 100644
index dae87a3c..00000000
--- a/ctrtool/aes_keygen.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#pragma once
-#include <stdint.h>
-
-/*
-	AES Key generator for the Nintendo 3DS (CTR) Consoles
-*/
-
-void ctr_aes_keygen(const uint8_t *x, const uint8_t *y, uint8_t *key);
diff --git a/ctrtool/cia.c b/ctrtool/cia.c
deleted file mode 100644
index 85b16b89..00000000
--- a/ctrtool/cia.c
+++ /dev/null
@@ -1,317 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "types.h"
-#include "utils.h"
-#include "cia.h"
-#include <inttypes.h>
-
-
-void cia_init(cia_context* ctx)
-{
-	memset(ctx, 0, sizeof(cia_context));
-
-	tik_init(&ctx->tik);
-	tmd_init(&ctx->tmd);
-}
-
-void cia_set_file(cia_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void cia_set_offset(cia_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void cia_set_size(cia_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-
-void cia_set_usersettings(cia_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-
-void cia_save(cia_context* ctx, u32 type, u32 flags)
-{
-	u64 offset;
-	u64 size;
-	u16 contentflags;
-	u16 contentindex;
-	u8 docrypto;
-	filepath* path = 0;
-	ctr_tmd_body *body;
-	ctr_tmd_contentchunk *chunk;
-	unsigned int i;
-	char tmpname[255];
-
-	switch(type)
-	{
-		case CIATYPE_CERTS:
-			offset = ctx->offsetcerts;
-			size = ctx->sizecert;
-			path = settings_get_certs_path(ctx->usersettings);
-		break;
-
-		case CIATYPE_TIK:
-			offset = ctx->offsettik;
-			size = ctx->sizetik;
-			path = settings_get_tik_path(ctx->usersettings);
-		break;
-
-		case CIATYPE_TMD:
-			offset = ctx->offsettmd;
-			size = ctx->sizetmd;
-			path = settings_get_tmd_path(ctx->usersettings);
-		break;
-		
-		case CIATYPE_CONTENT:
-			offset = ctx->offsetcontent;
-			size = ctx->sizecontent;
-			path = settings_get_content_path(ctx->usersettings);
-			
-		break;
-
-		case CIATYPE_META:
-			offset = ctx->offsetmeta;
-			size = ctx->sizemeta;
-			path = settings_get_meta_path(ctx->usersettings);;
-		break;
-
-		default:
-			fprintf(stderr, "Error, unknown CIA type specified\n");
-			return;	
-		break;
-	}
-
-	if (path == 0 || path->valid == 0)
-		return;
-
-	switch(type)
-	{
-		case CIATYPE_CERTS: fprintf(stdout, "Saving certs to %s\n", path->pathname); break;
-		case CIATYPE_TIK: fprintf(stdout, "Saving tik to %s\n", path->pathname); break;
-		case CIATYPE_TMD: fprintf(stdout, "Saving tmd to %s\n", path->pathname); break;
-		case CIATYPE_CONTENT:
-
-			body  = tmd_get_body(&ctx->tmd);
-			chunk = (ctr_tmd_contentchunk*)(body->contentinfo + (sizeof(ctr_tmd_contentinfo) * TMD_MAX_CONTENTS));
-
-			for(i = 0; i < getbe16(body->contentcount); i++) {
-				contentflags = getbe16(chunk->type);
-				contentindex = getbe16(chunk->index);
-				docrypto = (contentflags & 1) && !(flags & PlainFlag);
-
-				if(ctx->header.contentindex[contentindex >> 3] & (0x80 >> (contentindex & 7))) {
-					sprintf(tmpname, "%s.%04x.%08x", path->pathname, contentindex, getbe32(chunk->id));
-					fprintf(stdout, "Saving content #%04x to %s\n", contentindex, tmpname);
-					
-					if(docrypto) // Decrypt if needed
-					{
-						ctx->iv[0] = (contentindex >> 8) & 0xff;
-						ctx->iv[1] = contentindex & 0xff;
-
-						ctr_init_cbc_decrypt(&ctx->aes, ctx->titlekey, ctx->iv);
-					}
-
-					cia_save_blob(ctx, tmpname, offset, getbe64(chunk->size) & 0xffffffff, docrypto);
-
-					offset += getbe64(chunk->size) & 0xffffffff;
-				}
-				chunk++;
-			}
-
-			memset(ctx->iv, 0, 16);
-
-			return;
-		break;
-
-		case CIATYPE_META: fprintf(stdout, "Saving meta to %s\n", path->pathname); break;
-	}
-
-	cia_save_blob(ctx, path->pathname, offset, size, 0);
-}
-
-void cia_save_blob(cia_context *ctx, char *out_path, u64 offset, u64 size, int do_cbc) 
-{
-	FILE *fout = 0;
-	u8 buffer[16*1024];
-
-	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-
-	fout = fopen(out_path, "wb");
-	if (fout == NULL)
-	{
-		fprintf(stdout, "Error opening out file %s\n", out_path);
-		goto clean;
-	}
-
-	while(size)
-	{
-		u32 max = sizeof(buffer);
-		if (max > size)
-			max = (u32) size;
-
-		if (max != fread(buffer, 1, max, ctx->file))
-		{
-			fprintf(stdout, "Error reading file\n");
-			goto clean;
-		}
-
-		if (do_cbc == 1)
-			ctr_decrypt_cbc(&ctx->aes, buffer, buffer, max);
-
-		if (max != fwrite(buffer, 1, max, fout))
-		{
-			fprintf(stdout, "Error writing file\n");
-			goto clean;
-		}
-
-		size -= max;
-	}
-
-clean:
-	if (fout)
-		fclose(fout);
-}
-
-
-void cia_process(cia_context* ctx, u32 actions)
-{	
-	fseeko64(ctx->file, 0, SEEK_SET);
-
-	if (fread(&ctx->header, 1, sizeof(ctr_ciaheader), ctx->file) != sizeof(ctr_ciaheader))
-	{
-		fprintf(stderr, "Error reading CIA header\n");
-		goto clean;
-	}
-
-	ctx->sizeheader = getle32(ctx->header.headersize);
-	ctx->sizecert = getle32(ctx->header.certsize);
-	ctx->sizetik = getle32(ctx->header.ticketsize);
-	ctx->sizetmd = getle32(ctx->header.tmdsize);
-	ctx->sizecontent = getle64(ctx->header.contentsize);
-	ctx->sizemeta = getle32(ctx->header.metasize);
-	
-	ctx->offsetcerts = align(ctx->sizeheader, 64);
-	ctx->offsettik = align((u32) (ctx->offsetcerts + ctx->sizecert), 64);
-	ctx->offsettmd = align((u32) (ctx->offsettik + ctx->sizetik), 64);
-	ctx->offsetcontent = align((u32) (ctx->offsettmd + ctx->sizetmd), 64);
-	ctx->offsetmeta = align64(ctx->offsetcontent + ctx->sizecontent, 64);
-
-	if (actions & InfoFlag)
-		cia_print(ctx);
-
-
-	tik_set_file(&ctx->tik, ctx->file);
-	tik_set_offset(&ctx->tik, ctx->offsettik);
-	tik_set_size(&ctx->tik, ctx->sizetik);
-	tik_set_usersettings(&ctx->tik, ctx->usersettings);
-
-	tik_process(&ctx->tik, actions);
-	memset(ctx->iv, 0, 16);
-		
-	if (tik_get_titlekey(&ctx->tik))
-		memcpy(ctx->titlekey, tik_get_titlekey(&ctx->tik), 16);
-	else if (settings_get_title_key(ctx->usersettings))
-		memcpy(ctx->titlekey, settings_get_title_key(ctx->usersettings), 16);
-
-	tmd_set_file(&ctx->tmd, ctx->file);
-	tmd_set_offset(&ctx->tmd, ctx->offsettmd);
-	tmd_set_size(&ctx->tmd, ctx->sizetmd);
-	tmd_set_usersettings(&ctx->tmd, ctx->usersettings);
-	tmd_process(&ctx->tmd, (actions & ~InfoFlag));
-
-	if (actions & VerifyFlag)
-	{
-		cia_verify_contents(ctx, actions);
-	}
-
-	if (actions & InfoFlag || actions & VerifyFlag)
-		tmd_print(&ctx->tmd);
-
-	if (actions & ExtractFlag)
-	{
-		cia_save(ctx, CIATYPE_CERTS, actions);
-		cia_save(ctx, CIATYPE_TMD, actions);
-		cia_save(ctx, CIATYPE_TIK, actions);
-		cia_save(ctx, CIATYPE_META, actions);
-		cia_save(ctx, CIATYPE_CONTENT, actions);
-	}
-
-clean:
-	return;
-}
-
-void cia_verify_contents(cia_context *ctx, u32 actions)
-{
-	u16 contentflags;
-	u16 contentindex;
-	ctr_tmd_body *body;
-	ctr_tmd_contentchunk *chunk;
-	u8 *verify_buf;
-	u32 content_size=0;
-	unsigned i;
-
-	// verify TMD content hashes, requires decryption ..
-	body  = tmd_get_body(&ctx->tmd);
-	chunk = (ctr_tmd_contentchunk*)(body->contentinfo + (sizeof(ctr_tmd_contentinfo) * TMD_MAX_CONTENTS));
-
-	fseeko64(ctx->file, ctx->offset + ctx->offsetcontent, SEEK_SET);
-	for(i = 0; i < getbe16(body->contentcount); i++) 
-	{
-		contentindex = getbe16(chunk->index);
-
-		if(ctx->header.contentindex[contentindex >> 3] & (0x80 >> (contentindex & 7)))
-		{
-			content_size = getbe64(chunk->size) & 0xffffffff;
-
-			contentflags = getbe16(chunk->type);
-
-			verify_buf = malloc(content_size);
-			fread(verify_buf, content_size, 1, ctx->file);
-
-			if(contentflags & 1 && !(actions & PlainFlag)) // Decrypt if needed
-			{
-				ctx->iv[0] = (contentindex >> 8) & 0xff;
-				ctx->iv[1] = contentindex & 0xff;
-
-				ctr_init_cbc_decrypt(&ctx->aes, ctx->titlekey, ctx->iv);
-			
-				ctr_decrypt_cbc(&ctx->aes, verify_buf, verify_buf, content_size);
-			}
-
-			if (ctr_sha_256_verify(verify_buf, content_size, chunk->hash) == Good)
-				ctx->tmd.content_hash_stat[i] = 1;
-			else
-				ctx->tmd.content_hash_stat[i] = 2;
-
-			free(verify_buf);
-		}
-		chunk++;
-	}
-}
-
-void cia_print(cia_context* ctx)
-{
-	ctr_ciaheader* header = &ctx->header;
-
-	fprintf(stdout, "Header size             0x%08x\n", getle32(header->headersize));
-	fprintf(stdout, "Type                    %04x\n", getle16(header->type));
-	fprintf(stdout, "Version                 %04x\n", getle16(header->version));
-	fprintf(stdout, "Certificates offset:    0x%"PRIx64"\n", ctx->offsetcerts);
-	fprintf(stdout, "Certificates size:      0x%x\n", ctx->sizecert);
-	fprintf(stdout, "Ticket offset:          0x%"PRIx64"\n", ctx->offsettik);
-	fprintf(stdout, "Ticket size             0x%x\n", ctx->sizetik);
-	fprintf(stdout, "TMD offset:             0x%"PRIx64"\n", ctx->offsettmd);
-	fprintf(stdout, "TMD size:               0x%x\n", ctx->sizetmd);
-	fprintf(stdout, "Meta offset:            0x%"PRIx64"\n", ctx->offsetmeta);
-	fprintf(stdout, "Meta size:              0x%x\n", ctx->sizemeta);
-	fprintf(stdout, "Content offset:         0x%"PRIx64"\n", ctx->offsetcontent);
-	fprintf(stdout, "Content size:           0x%"PRIx64"\n", ctx->sizecontent);
-}
diff --git a/ctrtool/cia.h b/ctrtool/cia.h
deleted file mode 100644
index 52b01521..00000000
--- a/ctrtool/cia.h
+++ /dev/null
@@ -1,72 +0,0 @@
-#ifndef _CIA_H_
-#define _CIA_H_
-
-#include "types.h"
-#include "filepath.h"
-#include "tik.h"
-#include "tmd.h"
-#include "ctr.h"
-#include "settings.h"
-
-typedef enum
-{
-	CIATYPE_CERTS,
-	CIATYPE_TMD,
-	CIATYPE_TIK,
-	CIATYPE_CONTENT,
-	CIATYPE_META,
-} cia_types;
-
-typedef struct
-{
-	u8 headersize[4];
-	u8 type[2];
-	u8 version[2];
-	u8 certsize[4];
-	u8 ticketsize[4];
-	u8 tmdsize[4];
-	u8 metasize[4];
-	u8 contentsize[8];
-	u8 contentindex[0x2000];
-} ctr_ciaheader;
-
-typedef struct
-{
-	FILE* file;
-	u64 offset;
-	u64 size;
-	u8 titlekey[16];
-	u8 iv[16];
-	ctr_ciaheader header;
-	ctr_aes_context aes;
-	settings* usersettings;
-
-	tik_context tik;
-	tmd_context tmd;
-
-	u32 sizeheader;
-	u32 sizecert;
-	u32 sizetik;
-	u32 sizetmd;
-	u64 sizecontent;
-	u32 sizemeta;
-	
-	u64 offsetcerts;
-	u64 offsettik;
-	u64 offsettmd;
-	u64 offsetcontent;
-	u64 offsetmeta;
-} cia_context;
-
-void cia_init(cia_context* ctx);
-void cia_set_file(cia_context* ctx, FILE* file);
-void cia_set_offset(cia_context* ctx, u64 offset);
-void cia_set_size(cia_context* ctx, u64 size);
-void cia_set_usersettings(cia_context* ctx, settings* usersettings);
-void cia_print(cia_context* ctx);
-void cia_save(cia_context* ctx, u32 type, u32 flags);
-void cia_process(cia_context* ctx, u32 actions);
-void cia_save_blob(cia_context *ctx, char *out_path, u64 offset, u64 size, int do_cbc);
-void cia_verify_contents(cia_context *ctx, u32 actions);
-
-#endif // _CIA_H_
diff --git a/ctrtool/ctr.c b/ctrtool/ctr.c
deleted file mode 100644
index 54cfc0fa..00000000
--- a/ctrtool/ctr.c
+++ /dev/null
@@ -1,357 +0,0 @@
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-
-#include "ctr.h"
-#include "utils.h"
-
-
-void ctr_set_iv( ctr_aes_context* ctx,
-				  u8 iv[16] )
-{
-	memcpy(ctx->iv, iv, 16);
-}
-
-void ctr_add_counter( ctr_aes_context* ctx,
-				      u32 block_num )
-{
-	u32 ctr[4];
-	ctr[3] = getbe32(&ctx->ctr[0]);
-	ctr[2] = getbe32(&ctx->ctr[4]);
-	ctr[1] = getbe32(&ctx->ctr[8]);
-	ctr[0] = getbe32(&ctx->ctr[12]);
-
-	for (u32 i = 0; i < 4; i++) {
-		u64 total = ctr[i] + block_num;
-		// if there wasn't a wrap around, add the two together and exit
-		if (total <= 0xffffffff) {
-			ctr[i] += block_num;
-			break;
-		}
-
-		// add the difference
-		ctr[i] = (u32)(total - 0x100000000);
-		// carry to next word
-		block_num = (u32)(total >> 32);
-	}
-	
-	putbe32(ctx->ctr + 0x00, ctr[3]);
-	putbe32(ctx->ctr + 0x04, ctr[2]);
-	putbe32(ctx->ctr + 0x08, ctr[1]);
-	putbe32(ctx->ctr + 0x0C, ctr[0]);
-}
-				  
-void ctr_set_counter( ctr_aes_context* ctx,
-				      u8 ctr[16] )
-{
-	memcpy(ctx->ctr, ctr, 16);
-}
-
-
-void ctr_init_key(ctr_aes_context* ctx,
-				       u8 key[16])
-{
-	aes_setkey_enc(&ctx->aes, key, 128);
-}
-
-void ctr_init_counter( ctr_aes_context* ctx,
-				       u8 ctr[16] )
-{
-	ctr_set_counter(ctx, ctr);
-}
-
-
-void ctr_crypt_counter_block( ctr_aes_context* ctx, 
-						      u8 input[16], 
-						      u8 output[16] )
-{
-	int i;
-	u8 stream[16];
-
-
-	aes_crypt_ecb(&ctx->aes, AES_ENCRYPT, ctx->ctr, stream);
-
-
-	if (input)
-	{
-		for(i=0; i<16; i++)
-		{
-			output[i] = stream[i] ^ input[i];
-		}
-	}
-	else
-	{
-		for(i=0; i<16; i++)
-			output[i] = stream[i];
-	}
-
-	ctr_add_counter(ctx, 1);
-}
-
-
-void ctr_crypt_counter( ctr_aes_context* ctx, 
-					    u8* input, 
-					    u8* output,
-					    u32 size )
-{
-	u8 stream[16];
-	u32 i;
-
-	while(size >= 16)
-	{
-		ctr_crypt_counter_block(ctx, input, output);
-
-		if (input)
-			input += 16;
-		if (output)
-			output += 16;
-
-		size -= 16;
-	}
-
-	if (size)
-	{
-		memset(stream, 0, 16);
-		ctr_crypt_counter_block(ctx, stream, stream);
-
-		if (input)
-		{
-			for(i=0; i<size; i++)
-				output[i] = input[i] ^ stream[i];
-		}
-		else
-		{
-			memcpy(output, stream, size);
-		}
-	}
-}
-
-void ctr_init_cbc_encrypt( ctr_aes_context* ctx,
-						   u8 key[16],
-						   u8 iv[16] )
-{
-	aes_setkey_enc(&ctx->aes, key, 128);
-	ctr_set_iv(ctx, iv);
-}
-
-void ctr_init_cbc_decrypt( ctr_aes_context* ctx,
-						   u8 key[16],
-						   u8 iv[16] )
-{
-	aes_setkey_dec(&ctx->aes, key, 128);
-	ctr_set_iv(ctx, iv);
-}
-
-void ctr_encrypt_cbc( ctr_aes_context* ctx, 
-					  u8* input,
-					  u8* output,
-					  u32 size )
-{
-	aes_crypt_cbc(&ctx->aes, AES_ENCRYPT, size, ctx->iv, input, output);
-}
-
-void ctr_decrypt_cbc( ctr_aes_context* ctx, 
-					  u8* input,
-					  u8* output,
-					  u32 size )
-{
-	aes_crypt_cbc(&ctx->aes, AES_DECRYPT, size, ctx->iv, input, output);
-}
-
-void ctr_sha_256( const u8* data, 
-				  u32 size, 
-				  u8 hash[0x20] )
-{
-	sha2(data, size, hash, 0);
-}
-
-int ctr_sha_256_verify( const u8* data, 
-				  u32 size, 
-				  const u8 checkhash[0x20] )
-{
-	u8 hash[0x20];
-
-	sha2(data, size, hash, 0);
-
-	if (memcmp(hash, checkhash, 0x20) == 0)
-		return Good;
-	else
-		return Fail;
-}
-
-void ctr_sha_256_init( ctr_sha256_context* ctx )
-{
-	sha2_starts(&ctx->sha, 0);
-}
-
-void ctr_sha_256_update( ctr_sha256_context* ctx, 
-							    const u8* data,
-								u32 size )
-{
-	sha2_update(&ctx->sha, data, size);
-}
-
-
-void ctr_sha_256_finish( ctr_sha256_context* ctx, 
-							    u8 hash[0x20] )
-{
-	sha2_finish(&ctx->sha, hash);
-}
-
-
-void ctr_rsa_init_key_pubmodulus(rsakey2048* key, u8 modulus[0x100])
-{
-	u8 exponent[3] = {0x01, 0x00, 0x01};
-
-	ctr_rsa_init_key_pub(key, modulus, exponent);
-}
-
-void ctr_rsa_init_key_pub(rsakey2048* key, u8 modulus[0x100], u8 exponent[3])
-{
-	key->keytype = RSAKEY_PUB;
-	memcpy(key->n, modulus, 0x100);
-	memcpy(key->e, exponent, 3);
-}
-
-int ctr_rsa_init(ctr_rsa_context* ctx, rsakey2048* key)
-{
-	rsa_init(&ctx->rsa, RSA_PKCS_V15, 0);
-	ctx->rsa.len = 0x100;
-
-	if (key->keytype == RSAKEY_INVALID)
-		goto clean;
-
-	if (mpi_read_binary(&ctx->rsa.N, key->n, sizeof(key->n)))
-		goto clean;
-	if (mpi_read_binary(&ctx->rsa.E, key->e, sizeof(key->e)))
-		goto clean;
-	if (rsa_check_pubkey(&ctx->rsa))
-		goto clean;
-
-	if (key->keytype == RSAKEY_PRIV)
-	{
-		if (mpi_read_binary(&ctx->rsa.D, key->d, sizeof(key->d)))
-			goto clean;
-		if (mpi_read_binary(&ctx->rsa.P, key->p, sizeof(key->p)))
-			goto clean;
-		if (mpi_read_binary(&ctx->rsa.Q, key->q, sizeof(key->q)))
-			goto clean;
-		if (mpi_read_binary(&ctx->rsa.DP, key->dp, sizeof(key->dp)))
-			goto clean;
-		if (mpi_read_binary(&ctx->rsa.DQ, key->dq, sizeof(key->dq)))
-			goto clean;
-		if (mpi_read_binary(&ctx->rsa.QP, key->qp, sizeof(key->qp)))
-			goto clean;
-		if (rsa_check_privkey(&ctx->rsa))
-			goto clean;
-	}
-
-	return 1;
-clean:
-	return 0;
-}
-
-int ctr_rsa_verify_hash(const u8 signature[0x100], const u8 hash[0x20], rsakey2048* key)
-{
-	ctr_rsa_context ctx;
-	u32 result;
-//	u8 output[0x100];
-
-	if (key->keytype == RSAKEY_INVALID)
-		return Fail;
-
-	ctr_rsa_init(&ctx, key);
-// 	memset(output, 0, 0x100);
-//	result = ctr_rsa_public(signature, output, key);
-//	printf("Result = %d\n", result);
-//	memdump(stdout, "output: ", output, 0x100);
-
-	result = rsa_pkcs1_verify(&ctx.rsa, RSA_PUBLIC, SIG_RSA_SHA256, 0x20, hash, (u8*)signature);
-
-	ctr_rsa_free(&ctx);
-
-	if (result == 0)
-		return Good;
-	else
-		return Fail;
-}
-
-
-int ctr_rsa_sign_hash(const u8 hash[0x20], u8 signature[0x100], rsakey2048* key)
-{
-	ctr_rsa_context ctx;
-	u32 result;
-
-	ctr_rsa_init(&ctx, key);
-
-	result = rsa_pkcs1_verify(&ctx.rsa, RSA_PUBLIC, SIG_RSA_SHA256, 0x20, hash, (u8*)signature);
-	result = rsa_pkcs1_sign(&ctx.rsa, RSA_PRIVATE, SIG_RSA_SHA256, 0x20, hash, signature);
-
-	ctr_rsa_free(&ctx);
-
-	if (result == 0)
-		return 1;
-	else
-		return 0;
-}
-
-int ctr_rsa_public(const u8 signature[0x100], u8 output[0x100], rsakey2048* key)
-{
-	ctr_rsa_context ctx;
-	u32 result;
-
-	ctr_rsa_init(&ctx, key);
-
-	result = rsa_public(&ctx.rsa, signature, output);
-
-	ctr_rsa_free(&ctx);
-
-	if (result == 0)
-		return 1;
-	else
-		return 0;
-}
-
-
-void ctr_rsa_free(ctr_rsa_context* ctx)
-{
-	rsa_free(&ctx->rsa);
-}
-
-/*
- * Generate DP, DQ, QP based on private key
- */ 
-#if 0
-static int ctr_rsa_key_init(ctr_rsa_context* ctx )
-{
-    int ret;
-    mpi P1, Q1;
-
-    mpi_init( &P1, &Q1, NULL );
-
-    MPI_CHK( mpi_sub_int( &P1, &ctx->rsa.P, 1 ) );
-    MPI_CHK( mpi_sub_int( &Q1, &ctx->rsa.Q, 1 ) );
-
-	/*
-     * DP = D mod (P - 1)
-     * DQ = D mod (Q - 1)
-     * QP = Q^-1 mod P
-     */
-    MPI_CHK( mpi_mod_mpi( &ctx->rsa.DP, &ctx->rsa.D, &P1 ) );
-    MPI_CHK( mpi_mod_mpi( &ctx->rsa.DQ, &ctx->rsa.D, &Q1 ) );
-    MPI_CHK( mpi_inv_mod( &ctx->rsa.QP, &ctx->rsa.Q, &ctx->rsa.P ) );
-
-cleanup:
-
-    mpi_free(&Q1, &P1, NULL );
-
-    if( ret != 0 )
-    {
-        rsa_free( &ctx->rsa );
-        return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
-    }
-
-    return( 0 );   
-}
-#endif
\ No newline at end of file
diff --git a/ctrtool/ctr.h b/ctrtool/ctr.h
deleted file mode 100644
index 48b61e55..00000000
--- a/ctrtool/ctr.h
+++ /dev/null
@@ -1,149 +0,0 @@
-#ifndef _CTR_H_
-#define _CTR_H_
-
-#include "polarssl/aes.h"
-#include "polarssl/rsa.h"
-#include "polarssl/sha2.h"
-#include "types.h"
-#include "keyset.h"
-
-#define MAGIC_NCCH 0x4843434E
-#define MAGIC_NCSD 0x4453434E
-#define MAGIC_FIRM 0x4D524946
-#define MAGIC_CWAV 0x56415743
-#define MAGIC_IVFC 0x43465649
-
-#define SIZE_128MB (128 * 1024 * 1024)
-
-typedef enum
-{
-	FILETYPE_UNKNOWN = 0,
-	FILETYPE_CCI,
-	FILETYPE_CXI,
-	FILETYPE_CIA,
-	FILETYPE_EXHEADER,
-	FILETYPE_TMD,
-	FILETYPE_LZSS,
-	FILETYPE_FIRM,
-	FILETYPE_CWAV,
-	FILETYPE_EXEFS,
-	FILETYPE_ROMFS
-} ctr_filetypes;
-
-typedef struct
-{
-	u8 ctr[16];
-	u8 iv[16];
-	aes_context aes;
-} ctr_aes_context;
-
-typedef struct
-{
-	rsa_context rsa;
-} ctr_rsa_context;
-
-typedef struct
-{
-	sha2_context sha;
-} ctr_sha256_context;
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void		ctr_set_iv( ctr_aes_context* ctx, 
-						 u8 iv[16] );
-
-void		ctr_add_counter( ctr_aes_context* ctx,
-						     u32 block_num );
-
-void		ctr_set_counter( ctr_aes_context* ctx, 
-						 u8 ctr[16] );
-
-void		ctr_init_key(ctr_aes_context* ctx,
-						 u8 key[16]);
-
-
-void		ctr_init_counter( ctr_aes_context* ctx, 
-						 u8 ctr[16] );
-
-
-void		ctr_crypt_counter_block( ctr_aes_context* ctx, 
-								     u8 input[16], 
-								     u8 output[16] );
-
-
-void		ctr_crypt_counter( ctr_aes_context* ctx, 
-							   u8* input, 
-							   u8* output,
-							   u32 size );
-
-
-void		ctr_init_cbc_encrypt( ctr_aes_context* ctx,
-							   u8 key[16],
-							   u8 iv[16] );
-
-void		ctr_init_cbc_decrypt( ctr_aes_context* ctx,
-							   u8 key[16],
-							   u8 iv[16] );
-
-void		ctr_encrypt_cbc( ctr_aes_context* ctx, 
-							  u8* input,
-							  u8* output,
-							  u32 size );
-
-void		ctr_decrypt_cbc( ctr_aes_context* ctx, 
-							  u8* input,
-							  u8* output,
-							  u32 size );
-
-void		ctr_rsa_init_key_pubmodulus( rsakey2048* key, 
-											u8 modulus[0x100] );
-
-void		ctr_rsa_init_key_pub( rsakey2048* key, 
-									u8 modulus[0x100], 
-									u8 exponent[3] );
-
-int			ctr_rsa_init( ctr_rsa_context* ctx, 
-						  rsakey2048* key );
-
-
-void		ctr_rsa_free( ctr_rsa_context* ctx );
-
-int			ctr_rsa_verify_hash( const u8 signature[0x100], 
-								 const u8 hash[0x20], 
-								 rsakey2048* key);
-
-int			ctr_rsa_sign_hash( const u8 hash[0x20], 
-							   u8 signature[0x100], 
-							   rsakey2048* key );
-
-int			ctr_rsa_public( const u8 signature[0x100], 
-						    u8 output[0x100], 
-							rsakey2048* key );
-
-void		ctr_sha_256( const u8* data, 
-						 u32 size, 
-						 u8 hash[0x20] );
-
-int			ctr_sha_256_verify( const u8* data, 
-								u32 size, 
-								const u8 checkhash[0x20] );
-
-
-void		ctr_sha_256_init( ctr_sha256_context* ctx );
-
-void		ctr_sha_256_update( ctr_sha256_context* ctx, 
-							    const u8* data,
-								u32 size );
-
-
-void		ctr_sha_256_finish( ctr_sha256_context* ctx, 
-							    u8 hash[0x20] );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _CTR_H_
diff --git a/ctrtool/ctrtool.sln b/ctrtool/ctrtool.sln
deleted file mode 100644
index ab9464c1..00000000
--- a/ctrtool/ctrtool.sln
+++ /dev/null
@@ -1,20 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 2012
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ctrtool", "ctrtool.vcxproj", "{96F5CA15-30DA-4DF5-9DFF-523D58D38001}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Win32 = Debug|Win32
-		Release|Win32 = Release|Win32
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{96F5CA15-30DA-4DF5-9DFF-523D58D38001}.Debug|Win32.ActiveCfg = Debug|Win32
-		{96F5CA15-30DA-4DF5-9DFF-523D58D38001}.Debug|Win32.Build.0 = Debug|Win32
-		{96F5CA15-30DA-4DF5-9DFF-523D58D38001}.Release|Win32.ActiveCfg = Release|Win32
-		{96F5CA15-30DA-4DF5-9DFF-523D58D38001}.Release|Win32.Build.0 = Release|Win32
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
diff --git a/ctrtool/ctrtool.vcproj b/ctrtool/ctrtool.vcproj
deleted file mode 100644
index d3e8b0d3..00000000
--- a/ctrtool/ctrtool.vcproj
+++ /dev/null
@@ -1,442 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9,00"
-	Name="ctrtool"
-	ProjectGUID="{96F5CA15-30DA-4DF5-9DFF-523D58D38001}"
-	RootNamespace="ctrtooltje"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="196613"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				AdditionalIncludeDirectories="windows;."
-				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-				DisableSpecificWarnings="4996"
-				UseFullPaths="false"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="1"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="2"
-				EnableIntrinsicFunctions="true"
-				AdditionalIncludeDirectories="windows;."
-				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
-				RuntimeLibrary="2"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="c:\dev\tools\bin\ctrtool.exe"
-				LinkIncremental="1"
-				GenerateDebugInformation="true"
-				SubSystem="1"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\cia.c"
-				>
-			</File>
-			<File
-				RelativePath=".\ctr.c"
-				>
-			</File>
-			<File
-				RelativePath=".\cwav.c"
-				>
-			</File>
-			<File
-				RelativePath=".\exefs.c"
-				>
-			</File>
-			<File
-				RelativePath=".\exheader.c"
-				>
-			</File>
-			<File
-				RelativePath=".\filepath.c"
-				>
-			</File>
-			<File
-				RelativePath=".\firm.c"
-				>
-			</File>
-			<File
-				RelativePath=".\windows\getopt.c"
-				>
-			</File>
-			<File
-				RelativePath=".\windows\getopt1.c"
-				>
-			</File>
-			<File
-				RelativePath=".\ivfc.c"
-				>
-			</File>
-			<File
-				RelativePath=".\keyset.cpp"
-				>
-			</File>
-			<File
-				RelativePath=".\lzss.c"
-				>
-			</File>
-			<File
-				RelativePath=".\main.c"
-				>
-			</File>
-			<File
-				RelativePath=".\ncch.c"
-				>
-			</File>
-			<File
-				RelativePath=".\ncsd.c"
-				>
-			</File>
-			<File
-				RelativePath=".\romfs.c"
-				>
-			</File>
-			<File
-				RelativePath=".\settings.c"
-				>
-			</File>
-			<File
-				RelativePath=".\stream.c"
-				>
-			</File>
-			<File
-				RelativePath=".\tik.c"
-				>
-			</File>
-			<File
-				RelativePath=".\tmd.c"
-				>
-			</File>
-			<File
-				RelativePath=".\utils.c"
-				>
-			</File>
-			<Filter
-				Name="polarssl"
-				>
-				<File
-					RelativePath=".\polarssl\aes.c"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\bignum.c"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\rsa.c"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\sha2.c"
-					>
-				</File>
-			</Filter>
-			<Filter
-				Name="tinyxml"
-				>
-				<File
-					RelativePath=".\tinyxml\tinystr.cpp"
-					>
-				</File>
-				<File
-					RelativePath=".\tinyxml\tinyxml.cpp"
-					>
-				</File>
-				<File
-					RelativePath=".\tinyxml\tinyxmlerror.cpp"
-					>
-				</File>
-				<File
-					RelativePath=".\tinyxml\tinyxmlparser.cpp"
-					>
-				</File>
-			</Filter>
-		</Filter>
-		<Filter
-			Name="Header Files"
-			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
-			>
-			<File
-				RelativePath=".\cia.h"
-				>
-			</File>
-			<File
-				RelativePath=".\ctr.h"
-				>
-			</File>
-			<File
-				RelativePath=".\cwav.h"
-				>
-			</File>
-			<File
-				RelativePath=".\exefs.h"
-				>
-			</File>
-			<File
-				RelativePath=".\exheader.h"
-				>
-			</File>
-			<File
-				RelativePath=".\filepath.h"
-				>
-			</File>
-			<File
-				RelativePath=".\firm.h"
-				>
-			</File>
-			<File
-				RelativePath=".\windows\getopt.h"
-				>
-			</File>
-			<File
-				RelativePath=".\info.h"
-				>
-			</File>
-			<File
-				RelativePath=".\ivfc.h"
-				>
-			</File>
-			<File
-				RelativePath=".\keyset.h"
-				>
-			</File>
-			<File
-				RelativePath=".\lzss.h"
-				>
-			</File>
-			<File
-				RelativePath=".\ncch.h"
-				>
-			</File>
-			<File
-				RelativePath=".\ncsd.h"
-				>
-			</File>
-			<File
-				RelativePath=".\romfs.h"
-				>
-			</File>
-			<File
-				RelativePath=".\settings.h"
-				>
-			</File>
-			<File
-				RelativePath=".\stream.h"
-				>
-			</File>
-			<File
-				RelativePath=".\tik.h"
-				>
-			</File>
-			<File
-				RelativePath=".\tmd.h"
-				>
-			</File>
-			<File
-				RelativePath=".\types.h"
-				>
-			</File>
-			<File
-				RelativePath=".\utils.h"
-				>
-			</File>
-			<Filter
-				Name="polarssl"
-				>
-				<File
-					RelativePath=".\polarssl\aes.h"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\bignum.h"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\bn_mul.h"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\config.h"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\rsa.h"
-					>
-				</File>
-				<File
-					RelativePath=".\polarssl\sha2.h"
-					>
-				</File>
-			</Filter>
-			<Filter
-				Name="tinyxml"
-				>
-				<File
-					RelativePath=".\tinyxml\tinystr.h"
-					>
-				</File>
-				<File
-					RelativePath=".\tinyxml\tinyxml.h"
-					>
-				</File>
-			</Filter>
-		</Filter>
-		<Filter
-			Name="Resource Files"
-			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
-			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
-			>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
diff --git a/ctrtool/ctrtool.vcxproj b/ctrtool/ctrtool.vcxproj
deleted file mode 100644
index 21abef9d..00000000
--- a/ctrtool/ctrtool.vcxproj
+++ /dev/null
@@ -1,164 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Debug|Win32">
-      <Configuration>Debug</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|Win32">
-      <Configuration>Release</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-  <PropertyGroup Label="Globals">
-    <ProjectGuid>{96F5CA15-30DA-4DF5-9DFF-523D58D38001}</ProjectGuid>
-    <RootNamespace>ctrtooltje</RootNamespace>
-    <Keyword>Win32Proj</Keyword>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v140</PlatformToolset>
-    <CharacterSet>Unicode</CharacterSet>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <PlatformToolset>v140</PlatformToolset>
-    <CharacterSet>Unicode</CharacterSet>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup>
-    <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
-    <IntDir>$(Configuration)\</IntDir>
-    <LinkIncremental>true</LinkIncremental>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
-    <IntDir>$(Configuration)\</IntDir>
-    <LinkIncremental>false</LinkIncremental>
-  </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <ClCompile>
-      <Optimization>Disabled</Optimization>
-      <AdditionalIncludeDirectories>windows;.;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <PreprocessorDefinitions>WIN32;_CRT_SECURE_NO_WARNINGS;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <MinimalRebuild>true</MinimalRebuild>
-      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
-      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
-      <PrecompiledHeader />
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
-      <DisableSpecificWarnings>4996;%(DisableSpecificWarnings)</DisableSpecificWarnings>
-      <UseFullPaths>false</UseFullPaths>
-    </ClCompile>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-      <TargetMachine>MachineX86</TargetMachine>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
-    <ClCompile>
-      <Optimization>MaxSpeed</Optimization>
-      <IntrinsicFunctions>true</IntrinsicFunctions>
-      <AdditionalIncludeDirectories>windows;.;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <PreprocessorDefinitions>WIN32;_CRT_SECURE_NO_WARNINGS;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <PrecompiledHeader />
-      <WarningLevel>Level3</WarningLevel>
-      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
-    </ClCompile>
-    <Link>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <SubSystem>Console</SubSystem>
-      <OptimizeReferences>true</OptimizeReferences>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <TargetMachine>MachineX86</TargetMachine>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemGroup>
-    <ClCompile Include="aes_keygen.c" />
-    <ClCompile Include="cia.c" />
-    <ClCompile Include="ctr.c" />
-    <ClCompile Include="cwav.c" />
-    <ClCompile Include="exefs.c" />
-    <ClCompile Include="exheader.c" />
-    <ClCompile Include="filepath.c" />
-    <ClCompile Include="firm.c" />
-    <ClCompile Include="oschar.c" />
-    <ClCompile Include="syscalls.c" />
-    <ClCompile Include="windows\getopt.c" />
-    <ClCompile Include="windows\getopt1.c" />
-    <ClCompile Include="ivfc.c" />
-    <ClCompile Include="keyset.cpp" />
-    <ClCompile Include="lzss.c" />
-    <ClCompile Include="main.c" />
-    <ClCompile Include="ncch.c" />
-    <ClCompile Include="ncsd.c" />
-    <ClCompile Include="romfs.c" />
-    <ClCompile Include="settings.c" />
-    <ClCompile Include="stream.c" />
-    <ClCompile Include="tik.c" />
-    <ClCompile Include="tmd.c" />
-    <ClCompile Include="utils.c" />
-    <ClCompile Include="polarssl\aes.c" />
-    <ClCompile Include="polarssl\bignum.c" />
-    <ClCompile Include="polarssl\rsa.c" />
-    <ClCompile Include="polarssl\sha2.c" />
-    <ClCompile Include="tinyxml\tinystr.cpp" />
-    <ClCompile Include="tinyxml\tinyxml.cpp" />
-    <ClCompile Include="tinyxml\tinyxmlerror.cpp" />
-    <ClCompile Include="tinyxml\tinyxmlparser.cpp" />
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="aes_keygen.h" />
-    <ClInclude Include="cia.h" />
-    <ClInclude Include="ctr.h" />
-    <ClInclude Include="cwav.h" />
-    <ClInclude Include="exefs.h" />
-    <ClInclude Include="exheader.h" />
-    <ClInclude Include="filepath.h" />
-    <ClInclude Include="firm.h" />
-    <ClInclude Include="oschar.h" />
-    <ClInclude Include="syscalls.h" />
-    <ClInclude Include="windows\getopt.h" />
-    <ClInclude Include="info.h" />
-    <ClInclude Include="ivfc.h" />
-    <ClInclude Include="keyset.h" />
-    <ClInclude Include="lzss.h" />
-    <ClInclude Include="ncch.h" />
-    <ClInclude Include="ncsd.h" />
-    <ClInclude Include="romfs.h" />
-    <ClInclude Include="settings.h" />
-    <ClInclude Include="stream.h" />
-    <ClInclude Include="tik.h" />
-    <ClInclude Include="tmd.h" />
-    <ClInclude Include="types.h" />
-    <ClInclude Include="utils.h" />
-    <ClInclude Include="polarssl\aes.h" />
-    <ClInclude Include="polarssl\bignum.h" />
-    <ClInclude Include="polarssl\bn_mul.h" />
-    <ClInclude Include="polarssl\config.h" />
-    <ClInclude Include="polarssl\rsa.h" />
-    <ClInclude Include="polarssl\sha2.h" />
-    <ClInclude Include="tinyxml\tinystr.h" />
-    <ClInclude Include="tinyxml\tinyxml.h" />
-  </ItemGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-</Project>
\ No newline at end of file
diff --git a/ctrtool/ctrtool.vcxproj.filters b/ctrtool/ctrtool.vcxproj.filters
deleted file mode 100644
index 8f0b3927..00000000
--- a/ctrtool/ctrtool.vcxproj.filters
+++ /dev/null
@@ -1,225 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <Filter Include="Source Files">
-      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
-      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
-    </Filter>
-    <Filter Include="Source Files\polarssl">
-      <UniqueIdentifier>{dfec7c2d-ac92-481f-a1eb-732b0669b7d1}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Source Files\tinyxml">
-      <UniqueIdentifier>{dd509a5e-b804-4879-b0b7-876718c9621a}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Header Files">
-      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
-      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
-    </Filter>
-    <Filter Include="Header Files\polarssl">
-      <UniqueIdentifier>{d16b9918-7159-4a81-a0b7-521c2b2f8a30}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Header Files\tinyxml">
-      <UniqueIdentifier>{492dc50f-e790-426b-b991-86306ad69fd4}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="Resource Files">
-      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
-      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav</Extensions>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="cia.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="ctr.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="cwav.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="exefs.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="exheader.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="filepath.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="firm.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="windows\getopt.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="windows\getopt1.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="ivfc.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="keyset.cpp">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="lzss.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="main.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="ncch.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="ncsd.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="romfs.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="settings.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="stream.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="tik.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="tmd.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="utils.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\aes.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\bignum.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\rsa.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="polarssl\sha2.c">
-      <Filter>Source Files\polarssl</Filter>
-    </ClCompile>
-    <ClCompile Include="tinyxml\tinystr.cpp">
-      <Filter>Source Files\tinyxml</Filter>
-    </ClCompile>
-    <ClCompile Include="tinyxml\tinyxml.cpp">
-      <Filter>Source Files\tinyxml</Filter>
-    </ClCompile>
-    <ClCompile Include="tinyxml\tinyxmlerror.cpp">
-      <Filter>Source Files\tinyxml</Filter>
-    </ClCompile>
-    <ClCompile Include="tinyxml\tinyxmlparser.cpp">
-      <Filter>Source Files\tinyxml</Filter>
-    </ClCompile>
-    <ClCompile Include="oschar.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="syscalls.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="aes_keygen.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="cia.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="ctr.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="cwav.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="exefs.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="exheader.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="filepath.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="firm.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="windows\getopt.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="info.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="ivfc.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="keyset.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="lzss.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="ncch.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="ncsd.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="romfs.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="settings.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="stream.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="tik.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="tmd.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="types.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="utils.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="polarssl\aes.h">
-      <Filter>Header Files\polarssl</Filter>
-    </ClInclude>
-    <ClInclude Include="polarssl\bignum.h">
-      <Filter>Header Files\polarssl</Filter>
-    </ClInclude>
-    <ClInclude Include="polarssl\bn_mul.h">
-      <Filter>Header Files\polarssl</Filter>
-    </ClInclude>
-    <ClInclude Include="polarssl\config.h">
-      <Filter>Header Files\polarssl</Filter>
-    </ClInclude>
-    <ClInclude Include="polarssl\rsa.h">
-      <Filter>Header Files\polarssl</Filter>
-    </ClInclude>
-    <ClInclude Include="polarssl\sha2.h">
-      <Filter>Header Files\polarssl</Filter>
-    </ClInclude>
-    <ClInclude Include="tinyxml\tinystr.h">
-      <Filter>Header Files\tinyxml</Filter>
-    </ClInclude>
-    <ClInclude Include="tinyxml\tinyxml.h">
-      <Filter>Header Files\tinyxml</Filter>
-    </ClInclude>
-    <ClInclude Include="oschar.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="syscalls.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-    <ClInclude Include="aes_keygen.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
-  </ItemGroup>
-</Project>
\ No newline at end of file
diff --git a/ctrtool/cwav.c b/ctrtool/cwav.c
deleted file mode 100644
index cfe39d80..00000000
--- a/ctrtool/cwav.c
+++ /dev/null
@@ -1,1003 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "types.h"
-#include "cwav.h"
-#include "utils.h"
-#include "stream.h"
-
-#define BUFFERSIZE (4*1024)
-#define SAMPLECOUNT 1024
-
-static const int ima_adpcm_step_table[89] = { 
-  7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 
-  19, 21, 23, 25, 28, 31, 34, 37, 41, 45, 
-  50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 
-  130, 143, 157, 173, 190, 209, 230, 253, 279, 307,
-  337, 371, 408, 449, 494, 544, 598, 658, 724, 796,
-  876, 963, 1060, 1166, 1282, 1411, 1552, 1707, 1878, 2066, 
-  2272, 2499, 2749, 3024, 3327, 3660, 4026, 4428, 4871, 5358,
-  5894, 6484, 7132, 7845, 8630, 9493, 10442, 11487, 12635, 13899, 
-  15289, 16818, 18500, 20350, 22385, 24623, 27086, 29794, 32767 
-};
-
-static const int ima_adpcm_index_table[16] = {
-  -1, -1, -1, -1, 2, 4, 6, 8,
-  -1, -1, -1, -1, 2, 4, 6, 8
-}; 
-
-void cwav_init(cwav_context* ctx)
-{
-	memset(ctx, 0, sizeof(cwav_context));
-}
-
-void cwav_set_file(cwav_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void cwav_set_offset(cwav_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void cwav_set_size(cwav_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-void cwav_set_usersettings(cwav_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void cwav_process(cwav_context* ctx, u32 actions)
-{
-	u32 i;
-	u32 infoheaderoffset;
-
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread(&ctx->header, 1, sizeof(cwav_header), ctx->file);
-
-	infoheaderoffset = getle32(ctx->header.infoblockref.offset);
-
-	fseeko64(ctx->file, ctx->offset + infoheaderoffset, SEEK_SET);
-	fread(&ctx->infoheader, 1, sizeof(cwav_infoheader), ctx->file);
-
-	ctx->channelcount = getle32(ctx->infoheader.channelcount);
-	if (ctx->channelcount)
-	{
-		ctx->channel = malloc(ctx->channelcount * sizeof(cwav_channel));
-
-		for(i=0; i<ctx->channelcount; i++)
-		{
-			fread(&ctx->channel[i].inforef, sizeof(cwav_reference), 1, ctx->file);
-		}
-
-		for(i=0; i<ctx->channelcount; i++)
-		{
-			u32 channeloffset = infoheaderoffset + 0x1C + getle32(ctx->channel[i].inforef.offset);
-
-			fseeko64(ctx->file, ctx->offset + channeloffset, SEEK_SET);
-			fread(&ctx->channel[i].info, sizeof(cwav_channelinfo), 1, ctx->file);
-
-			if (ctx->infoheader.encoding == CWAV_ENCODING_DSPADPCM)
-			{
-				if (getle16(ctx->channel[i].info.codecref.idtype) == 0x300)
-				{
-					u32 codecoffset = channeloffset + getle32(ctx->channel[i].info.codecref.offset);
-
-					fseeko64(ctx->file, ctx->offset + codecoffset, SEEK_SET);
-					fread(&ctx->channel[i].infodspadpcm, sizeof(cwav_dspadpcminfo), 1, ctx->file);
-				}
-			}
-			else if (ctx->infoheader.encoding == CWAV_ENCODING_IMAADPCM)
-			{
-				if (getle16(ctx->channel[i].info.codecref.idtype) == 0x301)
-				{
-					u32 codecoffset = channeloffset + getle32(ctx->channel[i].info.codecref.offset);
-
-					fseeko64(ctx->file, ctx->offset + codecoffset, SEEK_SET);
-					fread(&ctx->channel[i].infoimaadpcm, sizeof(cwav_imaadpcminfo), 1, ctx->file);
-				}
-			}
-		}
-	}
-	
-
-	if (actions & InfoFlag)
-	{
-		cwav_print(ctx);
-	}
-
-	if (actions & ExtractFlag)
-	{
-		filepath* path = settings_get_wav_path(ctx->usersettings);
-
-		if (path && path->valid)
-			cwav_save_to_wav(ctx, path->pathname);
-	}
-
-
-	free(ctx->channel);
-}
-
-
-void cwav_write_wav_header(cwav_context* ctx, stream_out_context* outstreamctx, u32 size)
-{
-	wav_pcm_header header;
-	u32 samplerate = getle32(ctx->infoheader.samplerate);
-	u32 channelcount = ctx->channelcount;
-
-
-	putle32(header.chunkid, 0x46464952);
-	putle32(header.chunksize, 36 + size);
-	putle32(header.format, 0x45564157);
-	putle32(header.subchunk1id, 0x20746d66);
-	putle32(header.subchunk1size, 16);
-	putle16(header.audioformat, 1);
-	putle16(header.numchannels, channelcount);
-	putle32(header.samplerate, samplerate);
-	putle32(header.byterate, samplerate * channelcount * 2);
-	putle16(header.blockalign, channelcount * 2);
-	putle16(header.bitspersample, 16);
-
-	putle32(header.subchunk2id, 0x61746164);
-	putle32(header.subchunk2size, size);
-
-	stream_out_buffer(outstreamctx, &header, sizeof(wav_pcm_header));
-}
-
-int cwav_dspadpcm_decode_to_wav(cwav_context* ctx, stream_out_context* outstreamctx)
-{
-	u32 s, c, i;
-	int result = 0;
-	cwav_dspadpcmstate state;
-	u32 loopcount = settings_get_cwav_loopcount(ctx->usersettings);
-
-	cwav_dspadpcm_init(&state);
-
-	if (0 == cwav_dspadpcm_allocate(&state, ctx))
-		goto clean;
-
-	for(i=0; i<1+loopcount; i++)
-	{
-		int isloop = (i != 0);
-
-		if (0 == cwav_dspadpcm_setup(&state, ctx, isloop))
-			goto clean;
-
-		while(1)
-		{
-			if (0 == cwav_dspadpcm_decode(&state, ctx))
-				goto clean;
-
-			if (state.samplecountavailable == 0)
-				break;
-
-			for(s=0; s<state.samplecountavailable; s++)
-			{
-				for(c=0; c<ctx->channelcount; c++)
-				{
-					s16 sampledata = state.channelstate[c].samplebuffer[s];
-
-					if (!stream_out_byte(outstreamctx, 0xFF & sampledata) || !stream_out_byte(outstreamctx, 0xFF & (sampledata>>8)))
-					{
-						fprintf(stderr, "Error writing output stream\n");
-						goto clean;
-					}
-				}
-			}	
-		}
-	}
-
-	result = 1;
-
-clean:
-	cwav_dspadpcm_destroy(&state);
-
-	return result;
-}
-
-
-int cwav_imaadpcm_decode_to_wav(cwav_context* ctx, stream_out_context* outstreamctx)
-{
-	u32 s, c, i;
-	int result = 0;
-	cwav_imaadpcmstate state;
-	u32 loopcount = settings_get_cwav_loopcount(ctx->usersettings);
-
-
-	cwav_imaadpcm_init(&state);
-	if (0 == cwav_imaadpcm_allocate(&state, ctx))
-		goto clean;
-
-	for(i=0; i<1+loopcount; i++)
-	{
-		int isloop = (i != 0);
-
-		if (0 == cwav_imaadpcm_setup(&state, ctx, isloop))
-			goto clean;
-
-		while(1)
-		{
-			if (0 == cwav_imaadpcm_decode(&state, ctx))
-				goto clean;
-
-			if (state.samplecountavailable == 0)
-				break;
-
-			for(s=0; s<state.samplecountavailable; s++)
-			{
-				for(c=0; c<ctx->channelcount; c++)
-				{
-					s16 sampledata = state.channelstate[c].samplebuffer[s];
-
-					if (!stream_out_byte(outstreamctx, 0xFF & sampledata) || !stream_out_byte(outstreamctx, 0xFF & (sampledata>>8)))
-					{
-						fprintf(stderr, "Error writing output stream\n");
-						goto clean;
-					}
-				}
-			}	
-		}
-	}
-
-	result = 1;
-
-clean:
-	cwav_imaadpcm_destroy(&state);
-
-	return result;
-}
-
-
-int cwav_pcm_decode_to_wav(cwav_context* ctx, stream_out_context* outstreamctx)
-{
-	u32 s, c, i;
-	int result = 0;
-	cwav_pcmstate state;
-	u32 loopcount = settings_get_cwav_loopcount(ctx->usersettings);
-
-
-	cwav_pcm_init(&state);
-
-
-	if (0 == cwav_pcm_allocate(&state, ctx))
-		goto clean;
-
-	for(i=0; i<1+loopcount; i++)
-	{
-		int isloop = (i != 0);
-
-		if (0 == cwav_pcm_setup(&state, ctx, isloop))
-			goto clean;
-
-		while(1)
-		{
-			if (0 == cwav_pcm_decode(&state, ctx))
-				goto clean;
-
-			if (state.samplecountavailable == 0)
-				break;
-
-			for(s=0; s<state.samplecountavailable; s++)
-			{
-				for(c=0; c<ctx->channelcount; c++)
-				{
-					s16 sampledata = state.channelstate[c].samplebuffer[s];
-
-					if (!stream_out_byte(outstreamctx, 0xFF & sampledata) || !stream_out_byte(outstreamctx, 0xFF & (sampledata>>8)))
-					{
-						fprintf(stderr, "Error writing output stream\n");
-						goto clean;
-					}
-				}
-			}	
-		}
-	}
-
-	result = 1;
-
-clean:
-	cwav_pcm_destroy(&state);
-
-	return result;
-}
-
-int cwav_save_to_wav(cwav_context* ctx, const char* filepath)
-{
-	u32 startposition = 0;
-	u32 endposition = 0;
-	int result = 0;
-	FILE* outfile = 0;	
-	stream_out_context outstreamctx;
-
-
-	stream_out_init(&outstreamctx);
-
-	if (ctx->channelcount == 0)
-		goto clean;
-
-	fprintf(stdout, "Saving sound data to %s...\n", filepath);
-	outfile = fopen(filepath, "wb");
-	if (!outfile)
-	{
-		fprintf(stderr, "Error could not open file %s for writing.\n", filepath);
-		goto clean;
-	}
-
-	stream_out_allocate(&outstreamctx, BUFFERSIZE, outfile);
-	stream_out_skip(&outstreamctx, sizeof(wav_pcm_header));
-	stream_out_position(&outstreamctx, &startposition);
-
-	if (ctx->infoheader.encoding == CWAV_ENCODING_DSPADPCM)
-		result = cwav_dspadpcm_decode_to_wav(ctx, &outstreamctx);
-	else if (ctx->infoheader.encoding == CWAV_ENCODING_IMAADPCM)
-		result = cwav_imaadpcm_decode_to_wav(ctx, &outstreamctx);
-	else if (ctx->infoheader.encoding == CWAV_ENCODING_PCM16)
-		result = cwav_pcm_decode_to_wav(ctx, &outstreamctx);
-	else if (ctx->infoheader.encoding == CWAV_ENCODING_PCM8)
-		result = cwav_pcm_decode_to_wav(ctx, &outstreamctx);
-
-	if (!result)
-		goto clean;
-
-	stream_out_position(&outstreamctx, &endposition);
-
-	stream_out_seek(&outstreamctx, 0);
-	cwav_write_wav_header(ctx, &outstreamctx, endposition-startposition);
-	stream_out_flush(&outstreamctx);
-	result = 1;
-
-clean:
-	stream_out_destroy(&outstreamctx);
-
-	if (outfile)
-		fclose(outfile);
-
-	return result;
-}
-
-void cwav_dspadpcm_init(cwav_dspadpcmstate* state)
-{
-	memset(state, 0, sizeof(cwav_dspadpcmstate));
-}
-
-int cwav_dspadpcm_allocate(cwav_dspadpcmstate* state, cwav_context* ctx)
-{
-	u32 channelcount = ctx->channelcount;
-
-
-	state->samplebuffer = malloc(sizeof(s16) * SAMPLECOUNT * channelcount);
-	state->channelstate = malloc(sizeof(cwav_dspadpcmchannelstate) * channelcount);
-	state->samplecountcapacity = SAMPLECOUNT;
-	state->samplecountavailable = 0;
-	state->samplecountremaining = 0;
-
-	if (ctx->channel == 0)
-		return 0;
-
-	if (state->samplebuffer == 0 || state->channelstate == 0)
-	{
-		fprintf(stderr, "Error allocating memory\n");
-		return 0;
-	}
-
-	return 1;
-}
-
-int cwav_dspadpcm_setup(cwav_dspadpcmstate* state, cwav_context* ctx, int isloop)
-{
-	u32 channelcount = ctx->channelcount;
-	u32 i;
-	u32 startoffset = 0;
-
-
-	if (ctx->channel == 0)
-		return 0;
-
-	if (state->samplebuffer == 0 || state->channelstate == 0)
-		return 0;
-
-	state->samplecountavailable = 0;
-
-	if (isloop)
-	{
-		state->samplecountremaining = getle32(ctx->infoheader.loopend) - getle32(ctx->infoheader.loopstart);
-
-		startoffset = getle32(ctx->infoheader.loopstart) * 8 / 14;
-	}
-	else
-	{
-		state->samplecountremaining = getle32(ctx->infoheader.loopend);
-		startoffset = 0;
-	}
-
-	
-
-	for(i=0; i<channelcount; i++)
-	{
-		cwav_channel* adpcmchannel = &ctx->channel[i];
-		cwav_dspadpcminfo* adpcminfo = &adpcmchannel->infodspadpcm;
-
-		if (getle16(adpcmchannel->info.codecref.idtype) != 0x300)
-		{
-			fprintf(stderr, "Error, not DSP-ADPCM format.\n");
-			return 0;
-		}
-
-		state->channelstate[i].samplebuffer = state->samplebuffer + SAMPLECOUNT * i;
-		state->channelstate[i].sampleoffset = (u32) (ctx->offset + getle32(adpcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset);
-		if (isloop)
-		{
-			state->channelstate[i].yn1 = getle16(adpcminfo->loopyn1);
-			state->channelstate[i].yn2 = getle16(adpcminfo->loopyn2);
-		}
-		else
-		{
-			state->channelstate[i].yn1 = getle16(adpcminfo->yn1);
-			state->channelstate[i].yn2 = getle16(adpcminfo->yn2);
-		}
-		stream_in_allocate(&state->channelstate[i].instreamctx, BUFFERSIZE, ctx->file);
-		stream_in_seek(&state->channelstate[i].instreamctx, state->channelstate[i].sampleoffset);
-	}
-
-	return 1;
-}
-
-// decode dsp-adpcm to pcm signed 16-bit
-int cwav_dspadpcm_decode(cwav_dspadpcmstate* state, cwav_context* ctx)
-{
-	u32 i, c;
-	u32 maxsamplecount;
-	u32 channelcount = ctx->channelcount;
-	
-	if (ctx->channel == 0 || state->samplebuffer == 0 || state->channelstate == 0)
-		return 0;
-
-
-	state->samplecountavailable = 0;
-	if (state->samplecountremaining <= 0)
-	{
-		return 1;
-	}
-
-	while(state->samplecountremaining > 0)
-	{
-		u32 samplecountavailable = state->samplecountcapacity - state->samplecountavailable;
-
-		if (state->samplecountremaining < 14)
-			maxsamplecount = state->samplecountremaining;
-		else
-			maxsamplecount = 14;
-
-		if (samplecountavailable < maxsamplecount)
-			break;
-
-		for(c=0; c<channelcount; c++)
-		{	
-			cwav_dspadpcmchannelstate* channelstate = &state->channelstate[c];
-
-			s16* samplebuffer = channelstate->samplebuffer + state->samplecountavailable;
-			stream_in_context* instreamctx = &channelstate->instreamctx;
-			s16 yn1 = channelstate->yn1;
-			s16 yn2 = channelstate->yn2;
-			cwav_channel* adpcmchannel = &ctx->channel[c];
-			cwav_dspadpcminfo* adpcminfo = &adpcmchannel->infodspadpcm;
-			
-			u8 data;
-			u8 lonibble;
-			u8 hinibble;
-			s16 coef1;
-			s16 coef2;
-			u32 shift;
-			s16 table[14];
-
-			stream_in_reseek(instreamctx);
-
-
-			if (0 == stream_in_byte(instreamctx, &data))
-			{
-				fprintf(stderr, "Error reading input stream\n");
-				return 1;
-			}
-
-			lonibble = data & 0xF;
-			hinibble = data>>4;
-
-			coef1 = getle16(adpcminfo->coef[hinibble*2+0]);
-			coef2 = getle16(adpcminfo->coef[hinibble*2+1]);
-			shift = 17 - lonibble;
-
-			for(i=0; i<7; i++)
-			{
-				stream_in_byte(instreamctx, &data);
-				table[i*2+0] = data>>4;
-				table[i*2+1] = data & 0xF;
-			}
-
-
-			for(i=0; i<maxsamplecount; i++)
-			{
-				s32 x = table[i] << 28;
-				s32 xshifted = x >> shift;
-
-				s32 prediction = (yn1 * coef1 + yn2 * coef2 + xshifted + 0x400)>>11;
-				
-				if (prediction < -0x8000)
-					prediction = -0x8000;
-				if (prediction > 0x7FFF)
-					prediction = 0x7FFF;
-
-				yn2 = yn1;
-				yn1 = prediction;
-
-				samplebuffer[i] = prediction;
-			}
-
-			channelstate->yn1 = yn1;
-			channelstate->yn2 = yn2;
-		}
-
-		state->samplecountremaining -= maxsamplecount;
-		state->samplecountavailable += maxsamplecount;
-	}
-
-	return 1;
-}
-
-void cwav_dspadpcm_destroy(cwav_dspadpcmstate* state)
-{
-	free(state->channelstate);
-	free(state->samplebuffer);
-
-	state->channelstate = 0;
-	state->samplebuffer = 0;
-}
-
-void cwav_imaadpcm_init(cwav_imaadpcmstate* state)
-{
-	memset(state, 0, sizeof(cwav_imaadpcmstate));
-}
-
-
-int cwav_imaadpcm_allocate(cwav_imaadpcmstate* state, cwav_context* ctx)
-{
-	u32 channelcount = ctx->channelcount;
-
-
-	state->samplebuffer = malloc(sizeof(s16) * SAMPLECOUNT * channelcount);
-	state->channelstate = malloc(sizeof(cwav_imaadpcmchannelstate) * channelcount);
-	state->samplecountcapacity = SAMPLECOUNT;
-	state->samplecountavailable = 0;
-	state->samplecountremaining = 0;
-
-	if (ctx->channel == 0)
-		return 0;
-
-	if (state->samplebuffer == 0 || state->channelstate == 0)
-	{
-		fprintf(stderr, "Error allocating memory\n");
-		return 0;
-	}
-
-	return 1;
-}
-
-int cwav_imaadpcm_setup(cwav_imaadpcmstate* state, cwav_context* ctx, int isloop)
-{
-	u32 channelcount = ctx->channelcount;
-	u32 i;
-	u32 startoffset = 0;
-
-
-	if (ctx->channel == 0)
-		return 0;
-
-	if (state->samplebuffer == 0 || state->channelstate == 0)
-	{
-		fprintf(stderr, "Error allocating memory\n");
-		return 0;
-	}
-
-	state->samplecountavailable = 0;
-	if (isloop)
-	{
-		state->samplecountremaining = getle32(ctx->infoheader.loopend) - getle32(ctx->infoheader.loopstart);
-
-		startoffset = getle32(ctx->infoheader.loopstart) / 2;
-	}
-	else
-	{
-		state->samplecountremaining = getle32(ctx->infoheader.loopend);
-		startoffset = 0;
-	}
-
-	for(i=0; i<channelcount; i++)
-	{
-		cwav_channel* adpcmchannel = &ctx->channel[i];
-		cwav_imaadpcminfo* adpcminfo = &adpcmchannel->infoimaadpcm;
-
-		if (getle16(adpcmchannel->info.codecref.idtype) != 0x301)
-		{
-			fprintf(stderr, "Error, not IMA-ADPCM format.\n");
-			return 0;
-		}
-
-		state->channelstate[i].samplebuffer = state->samplebuffer + SAMPLECOUNT * i;
-		state->channelstate[i].sampleoffset = (u32) (ctx->offset + getle32(adpcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset);
-		if (isloop)
-		{
-			state->channelstate[i].data = getle16(adpcminfo->loopdata);
-			state->channelstate[i].tableindex = adpcminfo->looptableindex;
-		}
-		else
-		{
-			state->channelstate[i].data = getle16(adpcminfo->data);
-			state->channelstate[i].tableindex = adpcminfo->tableindex;
-		}
-		stream_in_allocate(&state->channelstate[i].instreamctx, BUFFERSIZE, ctx->file);
-		stream_in_seek(&state->channelstate[i].instreamctx, state->channelstate[i].sampleoffset);
-	}
-
-	return 1;
-}
-
-u8 cwav_imaadpcm_clamp_tableindex(u8 tableindex, int inc)
-{
-	int unclamped = tableindex + inc;
-
-	if (unclamped < 0)
-		unclamped = 0;
-	if (unclamped > 88)
-		unclamped = 88;
-
-	return unclamped;
-}
-
-// decode ima-adpcm to pcm signed 16-bit
-int cwav_imaadpcm_decode(cwav_imaadpcmstate* state, cwav_context* ctx)
-{
-	u32 i, c;
-	u32 maxsamplecount;
-	u32 channelcount = ctx->channelcount;
-	
-	if (ctx->channel == 0 || state->samplebuffer == 0 || state->channelstate == 0)
-		return 0;
-
-
-	state->samplecountavailable = 0;
-	if (state->samplecountremaining <= 0)
-	{
-		return 1;
-	}
-
-	while(state->samplecountremaining > 0)
-	{
-		u32 samplecountavailable = state->samplecountcapacity - state->samplecountavailable;
-
-		if (state->samplecountremaining < 2)
-			maxsamplecount = state->samplecountremaining;
-		else
-			maxsamplecount = 2;
-
-		if (samplecountavailable < maxsamplecount)
-			break;
-
-		for(c=0; c<channelcount; c++)
-		{	
-			cwav_imaadpcmchannelstate* channelstate = &state->channelstate[c];
-
-			s16* samplebuffer = channelstate->samplebuffer + state->samplecountavailable;
-			stream_in_context* instreamctx = &channelstate->instreamctx;
-			s16 prediction = channelstate->data;
-			u8 tableindex = channelstate->tableindex;
-			cwav_channel* adpcmchannel = &ctx->channel[c];
-			cwav_imaadpcminfo* adpcminfo = &adpcmchannel->infoimaadpcm;			
-			u8 data;
-
-
-			stream_in_reseek(instreamctx);
-
-
-			if (0 == stream_in_byte(instreamctx, &data))
-			{
-				fprintf(stderr, "Error reading input stream\n");
-				return 1;
-			}
-
-
-			for(i=0; i<maxsamplecount; i++)
-			{
-				s32 nibble = data & 0xF;
-				s32 step = 0;
-				s32 diff = 0;
-
-
-				tableindex = cwav_imaadpcm_clamp_tableindex(tableindex, 0);
-				step = ima_adpcm_step_table[tableindex];
-				tableindex = cwav_imaadpcm_clamp_tableindex(tableindex, ima_adpcm_index_table[nibble]); 
-				
-				diff = step/8;
-				if (nibble & 1) diff += step/4;
-				if (nibble & 2) diff += step/2;
-				if (nibble & 4) diff += step;
-
-				if (nibble & 8) 
-					prediction -= diff;
-				else 
-					prediction += diff;
-
-				if (prediction < -0x8000)
-					prediction = -0x8000;
-				if (prediction > 0x7FFF)
-					prediction = 0x7FFF;
-
-				samplebuffer[i] = prediction;
-				data >>= 4;
-			}
-
-			channelstate->data = prediction;
-			channelstate->tableindex = tableindex;
-		}
-
-		state->samplecountremaining -= maxsamplecount;
-		state->samplecountavailable += maxsamplecount;
-	}
-
-	return 1;
-}
-
-void cwav_imaadpcm_destroy(cwav_imaadpcmstate* state)
-{
-	free(state->channelstate);
-	free(state->samplebuffer);
-
-	state->channelstate = 0;
-	state->samplebuffer = 0;
-}
-
-
-void cwav_pcm_init(cwav_pcmstate* state)
-{
-	memset(state, 0, sizeof(cwav_pcmstate));
-}
-
-int cwav_pcm_allocate(cwav_pcmstate* state, cwav_context* ctx)
-{
-	u32 channelcount = ctx->channelcount;
-
-
-	state->samplebuffer = malloc(sizeof(s16) * SAMPLECOUNT * channelcount);
-	state->channelstate = malloc(sizeof(cwav_pcmchannelstate) * channelcount);
-	state->samplecountcapacity = SAMPLECOUNT;
-	state->samplecountavailable = 0;
-	state->samplecountremaining = 0;
-
-	if (ctx->channel == 0)
-		return 0;
-
-	if (state->samplebuffer == 0 || state->channelstate == 0)
-	{
-		fprintf(stderr, "Error allocating memory\n");
-		return 0;
-	}
-
-	return 1;
-}
-
-int cwav_pcm_setup(cwav_pcmstate* state, cwav_context* ctx, int isloop)
-{
-	u32 channelcount = ctx->channelcount;
-	u32 i;
-	u32 startoffset = 0;
-
-
-	if (ctx->channel == 0)
-		return 0;
-
-	if (state->samplebuffer == 0 || state->channelstate == 0)
-	{
-		fprintf(stderr, "Error allocating memory\n");
-		return 0;
-	}
-
-	state->samplecountavailable = 0;
-	state->samplecountcapacity = SAMPLECOUNT;
-	if (isloop)
-	{
-		state->samplecountremaining = getle32(ctx->infoheader.loopend) - getle32(ctx->infoheader.loopstart);
-
-		if (ctx->infoheader.encoding == CWAV_ENCODING_PCM8)
-			startoffset = getle32(ctx->infoheader.loopstart);
-		else if (ctx->infoheader.encoding == CWAV_ENCODING_PCM16)
-			startoffset = getle32(ctx->infoheader.loopstart) * 2;
-		else
-			startoffset = 0;
-	}
-	else
-	{
-		state->samplecountremaining = getle32(ctx->infoheader.loopend);
-		startoffset = 0;
-	}
-
-	for(i=0; i<channelcount; i++)
-	{
-		cwav_channel* pcmchannel = &ctx->channel[i];
-
-		state->channelstate[i].samplebuffer = state->samplebuffer + SAMPLECOUNT * i;
-		state->channelstate[i].sampleoffset = (u32) (ctx->offset + getle32(pcmchannel->info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8 + startoffset);
-		stream_in_allocate(&state->channelstate[i].instreamctx, BUFFERSIZE, ctx->file);
-		stream_in_seek(&state->channelstate[i].instreamctx, state->channelstate[i].sampleoffset);
-	}
-
-	return 1;
-}
-
-// decode pcm to pcm signed 16-bit
-int cwav_pcm_decode(cwav_pcmstate* state, cwav_context* ctx)
-{
-	u32 i, c;
-	u32 maxsamplecount;
-	u32 channelcount = ctx->channelcount;
-	
-	if (ctx->channel == 0 || state->samplebuffer == 0 || state->channelstate == 0)
-		return 0;
-
-
-	state->samplecountavailable = 0;
-	if (state->samplecountremaining <= 0)
-	{
-		return 1;
-	}
-
-	while(state->samplecountremaining > 0)
-	{
-		u32 samplecountavailable = state->samplecountcapacity - state->samplecountavailable;
-
-		if (state->samplecountremaining < 1)
-			maxsamplecount = state->samplecountremaining;
-		else
-			maxsamplecount = 1;
-
-		if (samplecountavailable < maxsamplecount)
-			break;
-
-		for(c=0; c<channelcount; c++)
-		{	
-			cwav_pcmchannelstate* channelstate = &state->channelstate[c];
-
-			s16* samplebuffer = channelstate->samplebuffer + state->samplecountavailable;
-			stream_in_context* instreamctx = &channelstate->instreamctx;
-			cwav_channel* pcmchannel = &ctx->channel[c];
-			
-
-			stream_in_reseek(instreamctx);
-
-			for(i=0; i<maxsamplecount; i++)
-			{
-				u8 datalo, datahi;
-
-				if (ctx->infoheader.encoding == CWAV_ENCODING_PCM16)
-				{
-					if (0 == stream_in_byte(instreamctx, &datalo) || 0 == stream_in_byte(instreamctx, &datahi))
-					{
-						fprintf(stderr, "Error reading input stream\n");
-						return 1;
-					}
-					samplebuffer[i] = (datahi << 8) | datalo;
-				}
-				else if (ctx->infoheader.encoding == CWAV_ENCODING_PCM8)
-				{
-					if (0 == stream_in_byte(instreamctx, &datahi))
-					{
-						fprintf(stderr, "Error reading input stream\n");
-						return 1;
-					}
-					samplebuffer[i] = (datahi << 8);
-				}
-			}
-		}
-
-		state->samplecountremaining -= maxsamplecount;
-		state->samplecountavailable += maxsamplecount;
-	}
-
-	return 1;
-}
-
-void cwav_pcm_destroy(cwav_pcmstate* state)
-{
-	free(state->channelstate);
-	free(state->samplebuffer);
-
-	state->channelstate = 0;
-	state->samplebuffer = 0;
-}
-
-const char* cwav_encoding_string(u8 encoding)
-{
-	switch(encoding)
-	{
-		case CWAV_ENCODING_DSPADPCM: return "DSP-ADPCM";
-		case CWAV_ENCODING_IMAADPCM: return "IMA-ADPCM";
-		case CWAV_ENCODING_PCM8: return "PCM8";
-		case CWAV_ENCODING_PCM16: return "PCM16";
-		default: return "UNKNOWN";
-	}
-}
-
-void cwav_print(cwav_context* ctx)
-{
-	cwav_header* header = &ctx->header;
-	cwav_infoheader* infoheader = &ctx->infoheader;
-	u32 i;
-	u32 infoheaderoffset = (u32) (ctx->offset + getle32(ctx->header.infoblockref.offset));
-	u32 channelcount = getle32(infoheader->channelcount);
-
-	fprintf(stdout, "Header:                 %c%c%c%c\n", header->magic[0], header->magic[1], header->magic[2], header->magic[3]);
-	fprintf(stdout, "Byte order mark:        0x%04X\n", getle16(header->byteordermark));
-	fprintf(stdout, "Header size:            0x%04X\n", getle16(header->headersize));
-	fprintf(stdout, "Version:                0x%08X\n", getle32(header->version));
-	fprintf(stdout, "Total size:             0x%08X\n", getle32(header->totalsize));
-	fprintf(stdout, "Data blocks:            0x%04X\n", getle16(header->datablocks));
-	fprintf(stdout, "Info block idtype:      0x%04X\n", getle16(header->infoblockref.idtype));
-	fprintf(stdout, "Info block offset:      0x%08X\n", getle32(header->infoblockref.offset));
-	fprintf(stdout, "Info block size:        0x%08X\n", getle32(header->infoblockref.size));
-	fprintf(stdout, "Data block idtype:      0x%04X\n", getle16(header->datablockref.idtype));
-	fprintf(stdout, "Data block offset:      0x%08X\n", getle32(header->datablockref.offset));
-	fprintf(stdout, "Data block size:        0x%08X\n", getle32(header->datablockref.size));
-	fprintf(stdout, "\n");
-	fprintf(stdout, "Header:                 %c%c%c%c\n", infoheader->magic[0], infoheader->magic[1], infoheader->magic[2], infoheader->magic[3]);
-	fprintf(stdout, "Size:                   0x%08X\n", getle32(infoheader->size));
-	fprintf(stdout, "Encoding:               0x%02X (%s)\n", infoheader->encoding, cwav_encoding_string(infoheader->encoding));
-	fprintf(stdout, "Looped:                 0x%02X\n", infoheader->looped);
-	fprintf(stdout, "Samplerate:             %d\n", getle32(infoheader->samplerate));
-	fprintf(stdout, "Loop start:             0x%08X\n", getle32(infoheader->loopstart));
-	fprintf(stdout, "Loop end:               0x%08X\n", getle32(infoheader->loopend));
-	fprintf(stdout, "Channels:               %d\n", channelcount);
-	if (ctx->channel != 0) 
-	{
-		for(i=0; i<channelcount; i++)
-		{
-			u32 channeloffset = infoheaderoffset + 0x1C + getle32(ctx->channel[i].inforef.offset);
-			u32 codecoffset = channeloffset + getle32(ctx->channel[i].info.codecref.offset);
-			u32 sampleoffset = (u32) (ctx->offset + getle32(ctx->channel[i].info.sampleref.offset) + getle32(ctx->header.datablockref.offset) + 8);
-
-			fprintf(stdout, "Channel %d:\n", i);
-			fprintf(stdout, " > Channel ref idtype:  0x%04X\n", getle16(ctx->channel[i].inforef.idtype));
-			fprintf(stdout, " > Channel ref offset:  0x%08X\n", channeloffset);
-			fprintf(stdout, " > Sample ref idtype:   0x%04X\n", getle16(ctx->channel[i].info.sampleref.idtype));
-			fprintf(stdout, " > Sample ref offset:   0x%08X\n", sampleoffset);
-			fprintf(stdout, " > Codec ref idtype:    0x%04X\n", getle16(ctx->channel[i].info.codecref.idtype));
-			fprintf(stdout, " > Codec ref offset:    0x%08X\n", codecoffset);
-
-
-#ifdef CWAV_CODEC_PRINT
-			if (ctx->infoheader.encoding == CWAV_ENCODING_DSPADPCM && getle16(ctx->channel[i].info.codecref.idtype) == 0x300)
-			{
-				u32 j;
-
-				for(j=0; j<16; j++)
-					fprintf(stdout, " > Adpcm coef %02d:       0x%04X\n", j, getle16(ctx->channel[i].infodspadpcm.coef[j]));
-				fprintf(stdout, " > Adpcm scale:         0x%04X\n", getle16(ctx->channel[i].infodspadpcm.scale));
-				fprintf(stdout, " > Adpcm yn1:           0x%04X\n", getle16(ctx->channel[i].infodspadpcm.yn1));
-				fprintf(stdout, " > Adpcm yn2:           0x%04X\n", getle16(ctx->channel[i].infodspadpcm.yn2));
-				fprintf(stdout, " > Adpcm loop scale:    0x%04X\n", getle16(ctx->channel[i].infodspadpcm.loopscale));
-				fprintf(stdout, " > Adpcm loop yn1:      0x%04X\n", getle16(ctx->channel[i].infodspadpcm.loopyn1));
-				fprintf(stdout, " > Adpcm loop yn2:      0x%04X\n", getle16(ctx->channel[i].infodspadpcm.loopyn2));
-			}
-
-			if (ctx->infoheader.encoding == CWAV_ENCODING_IMAADPCM && getle16(ctx->channel[i].info.codecref.idtype) == 0x301)
-			{
-				fprintf(stdout, " > Adpcm data:          0x%04X\n", getle16(ctx->channel[i].infoimaadpcm.data));
-				fprintf(stdout, " > Adpcm tblindex:      0x%02X\n", ctx->channel[i].infoimaadpcm.tableindex);
-				fprintf(stdout, " > Adpcm loopdata:      0x%04X\n", getle16(ctx->channel[i].infoimaadpcm.loopdata));
-				fprintf(stdout, " > Adpcm looptblindex:  0x%02X\n", ctx->channel[i].infoimaadpcm.looptableindex);
-			}
-#endif
-		}
-	}
-}
diff --git a/ctrtool/cwav.h b/ctrtool/cwav.h
deleted file mode 100644
index 180f4b00..00000000
--- a/ctrtool/cwav.h
+++ /dev/null
@@ -1,205 +0,0 @@
-#ifndef _CWAV_H_
-#define _CWAV_H_
-
-#include <stdio.h>
-#include "types.h"
-#include "settings.h"
-#include "stream.h"
-
-#define CWAV_ENCODING_PCM8			0
-#define CWAV_ENCODING_PCM16			1
-#define CWAV_ENCODING_DSPADPCM		2
-#define CWAV_ENCODING_IMAADPCM		3
-
-typedef struct
-{
-	u8 idtype[2];
-	u8 padding[2];
-	u8 offset[4];
-} cwav_reference;
-
-typedef struct
-{
-	u8 idtype[2];
-	u8 padding[2];
-	u8 offset[4];
-	u8 size[4];
-} cwav_sizedreference;
-
-
-typedef struct
-{
-	u8 magic[4];
-	u8 byteordermark[2];
-	u8 headersize[2];
-	u8 version[4];
-	u8 totalsize[4];
-	u8 datablocks[2];
-	u8 reserved[2];
-	cwav_sizedreference infoblockref;
-	cwav_sizedreference datablockref;
-} cwav_header;
-
-typedef struct
-{
-	u8 magic[4];
-	u8 size[4];
-	u8 encoding;
-	u8 looped;
-	u8 padding[2];
-	u8 samplerate[4];
-	u8 loopstart[4];
-	u8 loopend[4];
-	u8 reserved[4];
-	u8 channelcount[4];
-} cwav_infoheader;
-
-typedef struct
-{
-	cwav_reference sampleref;
-	cwav_reference codecref;
-	u8 reserved[4];
-} cwav_channelinfo;
-
-typedef struct
-{
-	u8 coef[16][2];
-	u8 scale[2];
-	u8 yn1[2];
-	u8 yn2[2];
-	u8 loopscale[2];
-	u8 loopyn1[2];
-	u8 loopyn2[2];
-} cwav_dspadpcminfo;
-
-typedef struct
-{
-	u8 data[2];
-	u8 tableindex;
-	u8 padding;
-	u8 loopdata[2];
-	u8 looptableindex;
-	u8 looppadding;
-} cwav_imaadpcminfo;
-
-
-typedef struct
-{
-	s16 yn1;
-	s16 yn2;
-	u32 sampleoffset;
-	s16* samplebuffer;
-	stream_in_context instreamctx;
-} cwav_dspadpcmchannelstate;
-
-typedef struct
-{
-	cwav_dspadpcmchannelstate* channelstate;
-	s16* samplebuffer;
-	u32 samplecountavailable;
-	u32 samplecountcapacity;
-	u32 samplecountremaining;
-} cwav_dspadpcmstate;
-
-typedef struct
-{
-	s16 data;
-	u8 tableindex;
-	u32 sampleoffset;
-	s16* samplebuffer;
-	stream_in_context instreamctx;
-} cwav_imaadpcmchannelstate;
-
-typedef struct
-{
-	cwav_imaadpcmchannelstate* channelstate;
-	s16* samplebuffer;
-	u32 samplecountavailable;
-	u32 samplecountcapacity;
-	u32 samplecountremaining;
-} cwav_imaadpcmstate;
-
-typedef struct
-{
-	u32 sampleoffset;
-	s16* samplebuffer;
-	stream_in_context instreamctx;
-} cwav_pcmchannelstate;
-
-typedef struct
-{
-	cwav_pcmchannelstate* channelstate;
-	s16* samplebuffer;
-	u32 samplecountavailable;
-	u32 samplecountcapacity;
-	u32 samplecountremaining;
-} cwav_pcmstate;
-
-
-typedef struct
-{
-	cwav_reference inforef;
-	cwav_channelinfo info;
-	cwav_dspadpcminfo infodspadpcm;
-	cwav_imaadpcminfo infoimaadpcm;
-} cwav_channel;
-
-typedef struct
-{
-	u8 chunkid[4];
-	u8 chunksize[4];
-	u8 format[4];
-	u8 subchunk1id[4];
-	u8 subchunk1size[4];
-	u8 audioformat[2];
-	u8 numchannels[2];
-	u8 samplerate[4];
-	u8 byterate[4];
-	u8 blockalign[2];
-	u8 bitspersample[2];
-	u8 subchunk2id[4];
-	u8 subchunk2size[4];
-} wav_pcm_header;
-
-typedef struct
-{
-	FILE* file;
-	settings* usersettings;
-	u64 offset;
-	u64 size;
-	u32 channelcount;
-	cwav_header header;
-	cwav_infoheader infoheader;
-	cwav_channel* channel;
-} cwav_context;
-
-void cwav_init(cwav_context* ctx);
-void cwav_set_file(cwav_context* ctx, FILE* file);
-void cwav_set_offset(cwav_context* ctx, u64 offset);
-void cwav_set_size(cwav_context* ctx, u64 size);
-void cwav_set_usersettings(cwav_context* ctx, settings* usersettings);
-void cwav_process(cwav_context* ctx, u32 actions);
-void cwav_dspadpcm_init(cwav_dspadpcmstate* state);
-int cwav_dspadpcm_allocate(cwav_dspadpcmstate* state, cwav_context* ctx);
-int  cwav_dspadpcm_setup(cwav_dspadpcmstate* state, cwav_context* ctx, int isloop);
-int  cwav_dspadpcm_decode(cwav_dspadpcmstate* state, cwav_context* ctx);
-int	 cwav_dspadpcm_decode_to_wav(cwav_context* ctx, stream_out_context* outstreamctx);
-void cwav_dspadpcm_destroy(cwav_dspadpcmstate* state);
-void cwav_imaadpcm_init(cwav_imaadpcmstate* state);
-int  cwav_imaadpcm_allocate(cwav_imaadpcmstate* state, cwav_context* ctx);
-int  cwav_imaadpcm_setup(cwav_imaadpcmstate* state, cwav_context* ctx, int isloop);
-int  cwav_imaadpcm_decode(cwav_imaadpcmstate* state, cwav_context* ctx);
-int	 cwav_imaadpcm_decode_to_wav(cwav_context* ctx, stream_out_context* outstreamctx);
-u8   cwav_imaadpcm_clamp_tableindex(u8 tableindex, int inc);
-void cwav_imaadpcm_destroy(cwav_imaadpcmstate* state);
-void cwav_pcm_init(cwav_pcmstate* state);
-int  cwav_pcm_allocate(cwav_pcmstate* state, cwav_context* ctx);
-int  cwav_pcm_setup(cwav_pcmstate* state, cwav_context* ctx, int isloop);
-int  cwav_pcm_decode(cwav_pcmstate* state, cwav_context* ctx);
-int	 cwav_pcm_decode_to_wav(cwav_context* ctx, stream_out_context* outstreamctx);
-void cwav_pcm_destroy(cwav_pcmstate* state);
-void cwav_write_wav_header(cwav_context* ctx, stream_out_context* outstreamctx, u32 size);
-int  cwav_save_to_wav(cwav_context* ctx, const char* filepath);
-void cwav_print(cwav_context* ctx);
-
-#endif // _CWAV_H_
diff --git a/ctrtool/exefs.c b/ctrtool/exefs.c
deleted file mode 100644
index 465bc8b3..00000000
--- a/ctrtool/exefs.c
+++ /dev/null
@@ -1,342 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "types.h"
-#include "exefs.h"
-#include "utils.h"
-#include "ncch.h"
-#include "lzss.h"
-
-void exefs_init(exefs_context* ctx)
-{
-	memset(ctx, 0, sizeof(exefs_context));
-}
-
-void exefs_set_file(exefs_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void exefs_set_offset(exefs_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void exefs_set_size(exefs_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-void exefs_set_usersettings(exefs_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void exefs_set_titleid(exefs_context* ctx, u8 titleid[8])
-{
-	memcpy(ctx->titleid, titleid, 8);
-}
-
-void exefs_set_compressedflag(exefs_context* ctx, int compressedflag)
-{
-	ctx->compressedflag = compressedflag;
-}
-
-void exefs_set_encrypted(exefs_context* ctx, u32 encrypted)
-{
-	ctx->encrypted = encrypted;
-}
-
-void exefs_set_keys(exefs_context* ctx, u8 key0[16], u8 key1[16])
-{
-	memcpy(ctx->key[0], key0, 16);
-	memcpy(ctx->key[1], key1, 16);
-}
-
-void exefs_set_counter(exefs_context* ctx, u8 counter[16])
-{
-	memcpy(ctx->counter, counter, 16);
-}
-
-void exefs_save(exefs_context* ctx, u32 index, u32 flags)
-{
-	exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + index);
-	char outfname[MAX_PATH];
-	char name[64];
-	u32 offset;
-	u32 size;
-	FILE* fout;
-	u32 compressedsize = 0;
-	u32 decompressedsize = 0;
-	u8* compressedbuffer = 0;
-	u8* decompressedbuffer = 0;
-	filepath* dirpath = 0;
-	
-	// determine offset/size of target
-	offset = getle32(section->offset) + sizeof(exefs_header);
-	size = getle32(section->size);
-	dirpath = settings_get_exefs_dir_path(ctx->usersettings);
-
-	if (size == 0 || dirpath == 0 || dirpath->valid == 0)
-		return;
-
-	if (size >= ctx->size)
-	{
-		fprintf(stderr, "Error, ExeFS section %d size invalid\n", index);
-		return;
-	}
-
-	// create new file
-	memset(name, 0, sizeof(name));
-	memcpy(name, section->name, 8);
-
-	
-	memcpy(outfname, dirpath->pathname, MAX_PATH);
-	strcat(outfname, "/");
-
-	if (name[0] == '.')
-		strcat(outfname, name+1);
-	else
-		strcat(outfname, name);
-	strcat(outfname, ".bin");
-
-	fout = fopen(outfname, "wb");
-
-	if (fout == 0)
-	{
-		fprintf(stderr, "Error, failed to create file %s\n", outfname);
-		goto clean;
-	}
-
-	// seek in source file to location of target data
-	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-
-	// do decryption prep
-	if (ctx->encrypted)
-	{
-		// setup aes counter
-		ctr_init_counter(&ctx->aes, ctx->counter);
-		ctr_add_counter(&ctx->aes, offset / 0x10);
-
-		// setup key
-		if (strncmp((const char*)section->name, "icon", 8) == 0 || strncmp((const char*)section->name, "banner", 8) == 0)
-			ctr_init_key(&ctx->aes, ctx->key[0]);
-		else
-			ctr_init_key(&ctx->aes, ctx->key[1]);
-	}
-
-	// if this is file0, and compression is set or forced: decompress section
-	if (index == 0 && (ctx->compressedflag || (flags & DecompressCodeFlag)) && ((flags & RawFlag) == 0))
-	{
-		fprintf(stdout, "Decompressing section %s to %s...\n", name, outfname);
-
-		compressedsize = size;
-		compressedbuffer = malloc(compressedsize);
-
-		if (compressedbuffer == 0)
-		{
-			fprintf(stdout, "Error allocating memory\n");
-			goto clean;
-		}
-		if (compressedsize != fread(compressedbuffer, 1, compressedsize, ctx->file))
-		{
-			fprintf(stdout, "Error reading input file\n");
-			goto clean;
-		}
-
-		// decrypt if required
-		if (ctx->encrypted)
-			ctr_crypt_counter(&ctx->aes, compressedbuffer, compressedbuffer, compressedsize);
-
-
-		decompressedsize = lzss_get_decompressed_size(compressedbuffer, compressedsize);
-		decompressedbuffer = malloc(decompressedsize);
-		if (decompressedbuffer == 0)
-		{
-			fprintf(stdout, "Error allocating memory\n");
-			goto clean;
-		}
-
-		if (0 == lzss_decompress(compressedbuffer, compressedsize, decompressedbuffer, decompressedsize))
-			goto clean;
-
-		if (decompressedsize != fwrite(decompressedbuffer, 1, decompressedsize, fout))
-		{
-			fprintf(stdout, "Error writing output file\n");
-			goto clean;
-		}		
-	}
-	else
-	{
-		u8 buffer[16 * 1024];
-
-		fprintf(stdout, "Saving section %s to %s...\n", name, outfname);
-
-		while(size)
-		{
-			u32 max = sizeof(buffer);
-			if (max > size)
-				max = size;
-
-			if (max != fread(buffer, 1, max, ctx->file))
-			{
-				fprintf(stdout, "Error reading input file\n");
-				goto clean;
-			}
-
-			if (ctx->encrypted)
-				ctr_crypt_counter(&ctx->aes, buffer, buffer, max);
-
-			if (max != fwrite(buffer, 1, max, fout))
-			{
-				fprintf(stdout, "Error writing output file\n");
-				goto clean;
-			}
-
-			size -= max;
-		}
-	}
-
-clean:
-	if (fout)
-		fclose(fout);
-	free(compressedbuffer);
-	free(decompressedbuffer);
-	return;
-}
-
-void exefs_read_header(exefs_context* ctx, u32 flags)
-{
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread(&ctx->header, 1, sizeof(exefs_header), ctx->file);
-
-	if (ctx->encrypted) {
-		ctr_init_key(&ctx->aes, ctx->key[0]);
-		ctr_init_counter(&ctx->aes, ctx->counter);
-		ctr_crypt_counter(&ctx->aes, (u8*)&ctx->header, (u8*)&ctx->header, sizeof(exefs_header));
-	}
-		
-}
-
-void exefs_calculate_hash(exefs_context* ctx, u8 hash[32])
-{
-	ctr_sha_256((const u8*)&ctx->header, sizeof(exefs_header), hash);
-}
-
-void exefs_process(exefs_context* ctx, u32 actions)
-{
-	u32 i;
-
-	exefs_read_header(ctx, actions);
-
-	if (actions & VerifyFlag)
-	{	
-		for(i=0; i<8; i++)
-			ctx->hashcheck[i] = exefs_verify(ctx, i, actions)? Good : Fail;
-	}
-
-	if (actions & InfoFlag)
-	{
-		exefs_print(ctx);
-	}
-
-	if (actions & ExtractFlag)
-	{
-		filepath* dirpath = settings_get_exefs_dir_path(ctx->usersettings);
-
-		if (dirpath && dirpath->valid)
-		{
-			makedir(dirpath->pathname);
-			for(i=0; i<8; i++)
-				exefs_save(ctx, i, actions);
-		}
-	}
-}
-
-int exefs_verify(exefs_context* ctx, u32 index, u32 flags)
-{
-	exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + index);
-	u32 offset;
-	u32 size;
-	u8 buffer[16 * 1024];
-	u8 hash[0x20];
-	
-
-	offset = getle32(section->offset) + sizeof(exefs_header);
-	size = getle32(section->size);
-
-	if (size == 0)
-		return 0;
-
-	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	if (strncmp((const char*)section->name, "icon", 8) == 0 || strncmp((const char*)section->name, "banner", 8) == 0)
-		ctr_init_key(&ctx->aes, ctx->key[0]);
-	else
-		ctr_init_key(&ctx->aes, ctx->key[1]);
-	ctr_init_counter(&ctx->aes, ctx->counter);
-	ctr_add_counter(&ctx->aes, offset / 0x10);
-
-	ctr_sha_256_init(&ctx->sha);
-
-	while(size)
-	{
-		u32 max = sizeof(buffer);
-		if (max > size)
-			max = size;
-
-		if (max != fread(buffer, 1, max, ctx->file))
-		{
-			fprintf(stdout, "Error reading input file\n");
-			goto clean;
-		}
-
-		if (ctx->encrypted)
-			ctr_crypt_counter(&ctx->aes, buffer, buffer, max);
-
-		ctr_sha_256_update(&ctx->sha, buffer, max);
-
-		size -= max;
-	}	
-
-	ctr_sha_256_finish(&ctx->sha, hash);
-
-	if (memcmp(hash, ctx->header.hashes[7-index], 0x20) == 0)
-		return 1;
-clean:
-	return 0;
-}
-
-void exefs_print(exefs_context* ctx)
-{
-	u32 i;
-	char sectname[9];
-	u32 sectoffset;
-	u32 sectsize;
-
-	fprintf(stdout, "\nExeFS:\n");
-	for(i=0; i<EXEFS_SECTION_NUM; i++)
-	{
-		exefs_sectionheader* section = (exefs_sectionheader*)(ctx->header.section + i);
-
-
-		memset(sectname, 0, sizeof(sectname));
-		memcpy(sectname, section->name, 8);
-
-		sectoffset = getle32(section->offset);
-		sectsize = getle32(section->size);
-
-		if (sectsize)
-		{
-			fprintf(stdout, "Section name:           %s\n", sectname);
-			fprintf(stdout, "Section offset:         0x%08x\n", sectoffset + 0x200);
-			fprintf(stdout, "Section size:           0x%08x\n", sectsize);
-			if (ctx->hashcheck[i] == Good)
-				memdump(stdout, "Section hash (GOOD):    ", ctx->header.hashes[7-i], 0x20);
-			else if (ctx->hashcheck[i] == Fail)
-				memdump(stdout, "Section hash (FAIL):    ", ctx->header.hashes[7-i], 0x20);
-			else
-				memdump(stdout, "Section hash:           ", ctx->header.hashes[7-i], 0x20);
-		}
-	}
-}
diff --git a/ctrtool/exefs.h b/ctrtool/exefs.h
deleted file mode 100644
index fd6e8f09..00000000
--- a/ctrtool/exefs.h
+++ /dev/null
@@ -1,61 +0,0 @@
-#ifndef _EXEFS_H_
-#define _EXEFS_H_
-
-#include "types.h"
-#include "info.h"
-#include "ctr.h"
-#include "filepath.h"
-#include "settings.h"
-
-#define EXEFS_SECTION_NUM 8
-
-typedef struct
-{
-	u8 name[8];
-	u8 offset[4];
-	u8 size[4];
-} exefs_sectionheader;
-
-
-typedef struct
-{
-	exefs_sectionheader section[EXEFS_SECTION_NUM];
-	u8 reserved[0x80];
-	u8 hashes[EXEFS_SECTION_NUM][0x20];
-} exefs_header;
-
-typedef struct
-{
-	FILE* file;
-	settings* usersettings;
-	u8 titleid[8];
-	u8 counter[16];
-	u8 key[2][16];
-	u64 offset;
-	u64 size;
-	exefs_header header;
-	ctr_aes_context aes;
-	ctr_sha256_context sha;
-	int hashcheck[EXEFS_SECTION_NUM];
-	int compressedflag;
-	int encrypted;
-} exefs_context;
-
-void exefs_init(exefs_context* ctx);
-void exefs_set_file(exefs_context* ctx, FILE* file);
-void exefs_set_offset(exefs_context* ctx, u64 offset);
-void exefs_set_size(exefs_context* ctx, u64 size);
-void exefs_set_usersettings(exefs_context* ctx, settings* usersettings);
-void exefs_set_titleid(exefs_context* ctx, u8 titleid[8]);
-void exefs_set_counter(exefs_context* ctx, u8 counter[16]);
-void exefs_set_compressedflag(exefs_context* ctx, int compressedflag);
-void exefs_set_keys(exefs_context* ctx, u8 key[16], u8 special_key[16]);
-void exefs_set_encrypted(exefs_context* ctx, u32 encrypted);
-void exefs_read_header(exefs_context* ctx, u32 flags);
-void exefs_calculate_hash(exefs_context* ctx, u8 hash[32]);
-void exefs_process(exefs_context* ctx, u32 actions);
-void exefs_print(exefs_context* ctx);
-void exefs_save(exefs_context* ctx, u32 index, u32 flags);
-int exefs_verify(exefs_context* ctx, u32 index, u32 flags);
-void exefs_determine_key(exefs_context* ctx, u32 actions);
-#endif // _EXEFS_H_
diff --git a/ctrtool/exheader.c b/ctrtool/exheader.c
deleted file mode 100644
index 86609d84..00000000
--- a/ctrtool/exheader.c
+++ /dev/null
@@ -1,704 +0,0 @@
-#include <stdbool.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "types.h"
-#include "exheader.h"
-#include "utils.h"
-#include "ncch.h"
-#include "syscalls.h"
-#include <inttypes.h>
-
-void exheader_init(exheader_context* ctx)
-{
-	memset(ctx, 0, sizeof(exheader_context));
-}
-
-void exheader_set_file(exheader_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void exheader_set_offset(exheader_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void exheader_set_size(exheader_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-void exheader_set_usersettings(exheader_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void exheader_set_titleid(exheader_context* ctx, u8 titleid[8])
-{
-	memcpy(ctx->titleid, titleid, 8);
-}
-
-void exheader_set_programid(exheader_context* ctx, u8 programid[8])
-{
-	memcpy(ctx->programid, programid, 8);
-}
-
-void exheader_set_hash(exheader_context* ctx, u8 hash[32])
-{
-	memcpy(ctx->hash, hash, 32);
-}
-
-void exheader_set_counter(exheader_context* ctx, u8 counter[16])
-{
-	memcpy(ctx->counter, counter, 16);
-}
-
-int exheader_get_compressedflag(exheader_context* ctx)
-{
-	return ctx->compressedflag;
-}
-
-void exheader_set_encrypted(exheader_context* ctx, u32 encrypted)
-{
-	ctx->encrypted = encrypted;
-}
-
-void exheader_set_key(exheader_context* ctx, u8 key[16])
-{
-	memcpy(ctx->key, key, 16);
-}
-
-
-void exheader_read(exheader_context* ctx, u32 actions)
-{
-	if (ctx->haveread == 0)
-	{
-		fseeko64(ctx->file, ctx->offset, SEEK_SET);
-		fread(&ctx->header, 1, sizeof(exheader_header), ctx->file);
-
-		ctr_init_key(&ctx->aes, ctx->key);
-		ctr_init_counter(&ctx->aes, ctx->counter);
-		if (ctx->encrypted)
-			ctr_crypt_counter(&ctx->aes, (u8*)&ctx->header, (u8*)&ctx->header, sizeof(exheader_header));
-
-		ctx->haveread = 1;
-	}
-}
-
-int exheader_hash_valid(exheader_context* ctx)
-{
-	u8 hash[32];
-	ctr_sha_256((u8*)&ctx->header, 0x400, hash);
-
-	if(memcmp(ctx->hash,hash,0x20)){
-		fprintf(stderr, "Error, exheader hash mismatch. Wrong key?\n");
-		return 0;
-	}
-	
-	return 1;
-}
-
-int exheader_programid_valid(exheader_context* ctx)
-{
-	if (!settings_get_ignore_programid(ctx->usersettings))
-	{
-		if (memcmp(ctx->header.arm11systemlocalcaps.programid, ctx->programid, 8))
-		{
-			fprintf(stderr, "Error, program id mismatch. Wrong key?\n");
-			return 0;
-		}
-	}
-
-	return 1;
-}
-
-void exheader_deserialise_arm11localcaps_permissions(exheader_arm11systemlocalcaps_deserialised *caps, const exheader_arm11systemlocalcaps *arm11)
-{
-	int i;
-
-	memset(caps, 0, sizeof(exheader_arm11systemlocalcaps_deserialised));
-
-	memcpy(caps->program_id, arm11->programid, 8);
-	caps->core_version = getle32(arm11->coreversion);
-
-	caps->enable_l2_cache = (arm11->flag[0] >> 0) & 1;
-	caps->new3ds_cpu_speed = (arm11->flag[0] >> 1) & 1;
-	caps->new3ds_systemmode = (arm11->flag[1] >> 0) & 15;
-
-	caps->ideal_processor = (arm11->flag[2] >> 0) & 3;
-	caps->affinity_mask = (arm11->flag[2] >> 2) & 3;
-	caps->old3ds_systemmode = (arm11->flag[2] >> 4) & 15;
-
-	caps->priority = (s8)arm11->flag[3];
-
-	// storage info
-	if (arm11->storageinfo.otherattributes & 2) {
-		caps->extdata_id = 0;
-		for (i = 0; i < 3; i++)
-			caps->other_user_saveid[i] = 0;
-		caps->use_other_variation_savedata = 0;
-
-		for (i = 0; i < 3; i++)
-			caps->accessible_saveid[i] = 0xfffff & (getle64(arm11->storageinfo.accessibleuniqueids) >> 20 * (2 - i));
-		for (i = 0; i < 3; i++)
-			caps->accessible_saveid[i+3] = 0xfffff & (getle64(arm11->storageinfo.extsavedataid) >> 20 * (2 - i));
-	}
-	else {
-		caps->extdata_id = getle64(arm11->storageinfo.extsavedataid);
-		for (i = 0; i < 3; i++)
-			caps->other_user_saveid[i] = 0xfffff & (getle64(arm11->storageinfo.accessibleuniqueids) >> 20 * (2 - i));
-		caps->use_other_variation_savedata = (getle64(arm11->storageinfo.accessibleuniqueids) >> 60) & 1;
-
-		for (i = 0; i < 6; i++)
-			caps->accessible_saveid[i] = 0;
-	}
-
-	caps->system_saveid[0] = getle32(arm11->storageinfo.systemsavedataid);
-	caps->system_saveid[1] = getle32(arm11->storageinfo.systemsavedataid + 4);
-	caps->accessinfo = getle64(arm11->storageinfo.accessinfo) & ~((u64)0xff00000000000000);
-
-	// Service Access Control
-	for (i = 0; i < 34; i++)
-		strncpy(caps->service_access_control[i], (char*)arm11->serviceaccesscontrol[i], 8);
-
-	caps->resource_limit_category = arm11->resourcelimitcategory;
-}
-
-int exheader_process(exheader_context* ctx, u32 actions)
-{
-	exheader_read(ctx, actions);
-
-	if (ctx->header.codesetinfo.flags.flag & 1)
-		ctx->compressedflag = 1;
-
-	exheader_deserialise_arm11localcaps_permissions(&ctx->system_local_caps, &ctx->header.arm11systemlocalcaps);
-
-	if (actions & VerifyFlag)
-		exheader_verify(ctx);
-
-	if (actions & InfoFlag)
-		exheader_print(ctx, actions);
-
-	return 1;
-}
-
-void exheader_print_arm9accesscontrol(exheader_context* ctx)
-{
-	unsigned int i;
-	unsigned int flags[15*8];
-
-	fprintf(stdout, "ARM9 Desc. version:     0x%X\n", ctx->header.arm9accesscontrol.descversion);
-
-	for(i=0; i<15*8; i++)
-	{
-		if (ctx->header.arm9accesscontrol.descriptors[i/8] & (1<<(i&7)))
-			flags[i] = 1;
-		else
-			flags[i] = 0;
-	}
-
-	fprintf(stdout, "Mount NAND fs:          %s\n", flags[0]? "YES" : "NO");
-	fprintf(stdout, "Mount NAND RO write fs: %s\n", flags[1]? "YES" : "NO");
-	fprintf(stdout, "Mount NAND TWL fs:      %s\n", flags[2]? "YES" : "NO");
-	fprintf(stdout, "Mount NAND W fs:        %s\n", flags[3]? "YES" : "NO");
-	fprintf(stdout, "Mount CARD SPI fs:      %s\n", flags[4]? "YES" : "NO");
-	fprintf(stdout, "Use SDIF3:              %s\n", flags[5]? "YES" : "NO");
-	fprintf(stdout, "Create seed:            %s\n", flags[6]? "YES" : "NO");
-	fprintf(stdout, "Use CARD SPI:           %s\n", flags[7]? "YES" : "NO");
-	fprintf(stdout, "SD Application:         %s\n", flags[8]? "YES" : "NO");
-	fprintf(stdout, "Use Direct SDMC:        %s\n", flags[9]? "YES" : "NO");
-
-	for(i=10; i<15*8; i++)
-	{
-		if (flags[i])
-			fprintf(stdout, "Unknown flag:           %d\n", i);
-	}
-}
-
-void exheader_print_arm11kernelcapabilities(exheader_context* ctx, u32 actions)
-{
-	unsigned int i, j;
-	unsigned int systemcallmask[8];
-	unsigned int unknowndescriptor[28];
-	unsigned int svccount = 0;
-	unsigned int svcmask = 0;
-	unsigned int interrupt[0x80];
-	unsigned int interruptcount = 0;
-
-	memset(systemcallmask, 0, sizeof(systemcallmask));
-	memset(interrupt, 0, sizeof(interrupt));
-
-	for(i=0; i<28; i++)
-	{
-		unsigned int descriptor = getle32(ctx->header.arm11kernelcaps.descriptors[i]);
-
-		unknowndescriptor[i] = 0;
-
-		if ((descriptor & (0x1f<<27)) == (0x1e<<27))
-			systemcallmask[(descriptor>>24) & 7] = descriptor & 0x00FFFFFF;
-		else if ((descriptor & (0x7f<<25)) == (0x7e<<25))
-			fprintf(stdout, "Kernel release version: %d.%d\n", (descriptor>>8)&0xFF, (descriptor>>0)&0xFF);
-		else if ((descriptor & (0xf<<28)) == (0xe<<28))
-		{
-			for(j=0; j<4; j++)
-				interrupt[(descriptor >> (j*7)) & 0x7F] = 1;
-		}
-		else if ((descriptor & (0xff<<24)) == (0xfe<<24))
-			fprintf(stdout, "Handle table size:      0x%X\n", descriptor & 0x3FF);
-		else if ((descriptor & (0xfff<<20)) == (0xffe<<20))
-			fprintf(stdout, "Mapping IO address:     0x%X (%s)\n", (descriptor & 0xFFFFF)<<12, (descriptor&(1<<20))?"RO":"RW");
-		else if ((descriptor & (0x7ff<<21)) == (0x7fc<<21))
-			fprintf(stdout, "Mapping static address: 0x%X (%s)\n", (descriptor & 0x1FFFFF)<<12, (descriptor&(1<<20))?"RO":"RW");
-		else if ((descriptor & (0x1ff<<23)) == (0x1fe<<23))
-		{
-			unsigned int memorytype = (descriptor>>8)&15;
-			fprintf(stdout, "Kernel flags:           \n");
-			fprintf(stdout, " > Allow debug:         %s\n", (descriptor&(1<<0))?"YES":"NO");
-			fprintf(stdout, " > Force debug:         %s\n", (descriptor&(1<<1))?"YES":"NO");
-			fprintf(stdout, " > Allow non-alphanum:  %s\n", (descriptor&(1<<2))?"YES":"NO");
-			fprintf(stdout, " > Shared page writing: %s\n", (descriptor&(1<<3))?"YES":"NO");
-			fprintf(stdout, " > Privilege priority:  %s\n", (descriptor&(1<<4))?"YES":"NO");
-			fprintf(stdout, " > Allow main() args:   %s\n", (descriptor&(1<<5))?"YES":"NO");
-			fprintf(stdout, " > Shared device mem:   %s\n", (descriptor&(1<<6))?"YES":"NO");
-			fprintf(stdout, " > Runnable on sleep:   %s\n", (descriptor&(1<<7))?"YES":"NO");
-			fprintf(stdout, " > Special memory:      %s\n", (descriptor&(1<<12))?"YES":"NO");
-			fprintf(stdout, " > Access Core 2:       %s\n", (descriptor&(1<<13))?"YES":"NO");
-			
-
-			switch(memorytype)
-			{
-			case 1: fprintf(stdout, " > Memory type:         APPLICATION\n"); break;
-			case 2: fprintf(stdout, " > Memory type:         SYSTEM\n"); break;
-			case 3: fprintf(stdout, " > Memory type:         BASE\n"); break;
-			default: fprintf(stdout, " > Memory type:         Unknown (%d)\n", memorytype); break;
-			}
-		}
-		else if (descriptor != 0xFFFFFFFF)
-			unknowndescriptor[i] = 1;
-	}
-
-	fprintf(stdout, "Allowed systemcalls:    ");
-	if(!(actions & ShowSyscallsFlag))
-	{
-		for(i=0; i<8; i++)
-		{
-			for(j=0; j<24; j++)
-			{
-				svcmask = systemcallmask[i];
-
-				if (svcmask & (1<<j))
-				{
-					unsigned int svcid = i*24+j;
-					if (svccount == 0)
-					{
-						fprintf(stdout, "0x%02X", svcid);
-					}
-					else if ( (svccount & 7) == 0)
-					{
-						fprintf(stdout, "                        ");
-						fprintf(stdout, "0x%02X", svcid);
-					}
-					else
-					{
-						fprintf(stdout, ", 0x%02X", svcid);
-					}
-
-					svccount++;
-					if ( (svccount & 7) == 0)
-					{
-						fprintf(stdout, "\n");
-					}
-				}
-			}
-		}
-		if (svccount & 7)
-			fprintf(stdout, "\n");
-		if (svccount == 0)
-			fprintf(stdout, "none\n");
-	}
-	else
-	{
-		fprintf(stdout, "\n");
-
-		for(i=0; i<8; i++)
-		{
-			for(j=0; j<24; j++)
-			{
-				svcmask = systemcallmask[i];
-
-				if (svcmask & (1 << j))
-				{
-					unsigned int svcid = i * 24 + j;
-					char svcname[128];
-
-					syscall_get_name(svcname, sizeof(svcname), svcid);
-
-					fprintf(stdout, " > 0x%02X %s\n", svcid, svcname);
-				}
-			}
-		}
-	}
-
-	fprintf(stdout, "Allowed interrupts:     ");
-	for(i=0; i<0x7F; i++)
-	{
-		if (interrupt[i])
-		{
-			if (interruptcount == 0)
-			{
-				fprintf(stdout, "0x%02X", i);
-			}
-			else if ( (interruptcount & 7) == 0)
-			{
-				fprintf(stdout, "                        ");
-				fprintf(stdout, "0x%02X", i);
-			}
-			else
-			{
-				fprintf(stdout, ", 0x%02X", i);
-			}
-
-			interruptcount++;
-			if ( (interruptcount & 7) == 0)
-			{
-				fprintf(stdout, "\n");
-			}
-		}
-	}
-	if (interruptcount & 7)
-		fprintf(stdout, "\n");
-	if (interruptcount == 0)
-		fprintf(stdout, "none\n");
-
-	for(i=0; i<28; i++)
-	{
-		unsigned int descriptor = getle32(ctx->header.arm11kernelcaps.descriptors[i]);
-
-		if (unknowndescriptor[i])
-			fprintf(stdout, "Unknown descriptor:     %08X\n", descriptor);
-	}
-}
-
-char* exheader_print_accessinfobit(u32 bit, char *str)
-{
-	switch(bit)
-	{
-		case 0 : 
-			sprintf(str,"Category System Application");
-			break;
-		case 1 : 
-			sprintf(str,"Category Hardware Check");
-			break;
-		case 2 : 
-			sprintf(str,"Category File System Tool");
-			break;
-		case 3 : 
-			sprintf(str,"Debug");
-			break;
-		case 4 : 
-			sprintf(str,"TWL Card Backup");
-			break;
-		case 5 : 
-			sprintf(str,"TWL Nand Data");
-			break;
-		case 6 : 
-			sprintf(str,"BOSS");
-			break;
-		case 7 : 
-			sprintf(str,"Direct SDMC");
-			break;
-		case 8 : 
-			sprintf(str,"Core");
-			break;
-		case 9 : 
-			sprintf(str,"CTR NAND RO");
-			break;
-		case 10 : 
-			sprintf(str,"CTR NAND RW");
-			break;
-		case 11 : 
-			sprintf(str,"CTR NAND RO (Write Access)");
-			break;
-		case 12 : 
-			sprintf(str,"Category System Settings");
-			break;
-		case 13 : 
-			sprintf(str,"CARD BOARD");
-			break;
-		case 14 : 
-			sprintf(str,"Export Import IVS");
-			break;
-		case 15 : 
-			sprintf(str,"Direct SDMC (Write Only)");
-			break;
-		case 16 : 
-			sprintf(str,"Switch Cleanup");
-			break;
-		case 17 : 
-			sprintf(str,"Save Data Move");
-			break;
-		case 18 : 
-			sprintf(str,"Shop");
-			break;
-		case 19 : 
-			sprintf(str,"Shell");
-			break;
-		case 20 : 
-			sprintf(str,"Category HomeMenu");
-			break;
-		case 21 : 
-			sprintf(str,"Seed DB");
-			break;
-		default : 
-			sprintf(str,"Bit %d (unknown)",bit);
-			break;
-	}
-	
-	return str;
-}
-
-void exheader_print_arm11accessinfo(exheader_context* ctx)
-{
-	char str[100];
-	u64 i, bit;
-	for(i = 0; i < 56; i++)
-	{
-		bit = ((u64)1 << i);
-		if((ctx->system_local_caps.accessinfo & bit) == bit)
-			fprintf(stdout, " > %s\n",exheader_print_accessinfobit((u32)i,str)); 
-	}
-}
-
-void exheader_print_arm11storageinfo(exheader_context* ctx)
-{
-	u32 i;
-
-	fprintf(stdout, "Ext savedata id:        0x%"PRIx64"\n",ctx->system_local_caps.extdata_id);
-	for(i = 0; i < 2; i++)
-		fprintf(stdout, "System savedata id %d:   0x%x %s\n",i+1, ctx->system_local_caps.system_saveid[i],exheader_getvalidstring(ctx->validsystemsaveID[i]));
-	for(i = 0; i < 3; i++)
-		fprintf(stdout, "OtherUserSaveDataId%d:   0x%x\n",i+1, ctx->system_local_caps.other_user_saveid[i]);
-	fprintf(stdout, "Accessible Savedata Ids:\n");
-	for(i = 0; i < 6; i++)
-	{
-		if(ctx->system_local_caps.accessible_saveid[i] != 0x00000)
-			fprintf(stdout, " > 0x%05x\n", ctx->system_local_caps.accessible_saveid[i]);
-	}
-	
-	fprintf(stdout, "Other Variation Saves:  %s\n", ctx->system_local_caps.use_other_variation_savedata ? "Accessible" : "Inaccessible");
-	fprintf(stdout, "Access info:            0x%"PRIx64" %s\n", ctx->system_local_caps.accessinfo,exheader_getvalidstring(ctx->validaccessinfo));
-	exheader_print_arm11accessinfo(ctx);	
-}
-
-int exheader_signature_verify(exheader_context* ctx, rsakey2048* key)
-{
-	u8 hash[0x20];
-
-	ctr_sha_256(ctx->header.accessdesc.ncchpubkeymodulus, 0x300, hash);
-	return ctr_rsa_verify_hash(ctx->header.accessdesc.signature, hash, key);
-}
-
-void exheader_verify(exheader_context* ctx)
-{
-	unsigned int i, j;
-	exheader_arm11systemlocalcaps_deserialised accessdesc;
-
-	exheader_deserialise_arm11localcaps_permissions(&accessdesc, &ctx->header.accessdesc.arm11systemlocalcaps);
-
-	ctx->validsystemsaveID[0] = Good;
-	ctx->validsystemsaveID[1] = Good;
-	ctx->validaccessinfo = Good;
-	ctx->validcoreversion = Good;
-	ctx->validprogramid = Good;
-	ctx->validpriority = Good;
-	ctx->validaffinitymask = Good;
-	ctx->valididealprocessor = Good;
-	ctx->validold3dssystemmode = Good;
-	ctx->validnew3dssystemmode = Good;
-	ctx->validenablel2cache = Good;
-	ctx->validnew3dscpuspeed = Good;
-	ctx->validservicecontrol = Good;
-
-	for(i=0; i<8; i++)
-	{
-		if (ctx->system_local_caps.program_id[i] == accessdesc.program_id[i] || accessdesc.program_id[i] == 0xFF)
-			continue;
-		ctx->validprogramid = Fail;
-		break;
-	}
-
-	if (ctx->system_local_caps.core_version != accessdesc.core_version)
-		ctx->validcoreversion = Fail;
-
-	if (ctx->system_local_caps.priority < accessdesc.priority)
-		ctx->validpriority = Fail;
-
-	if((1<<ctx->system_local_caps.ideal_processor & accessdesc.ideal_processor) == 0)
-		ctx->valididealprocessor = Fail;
-
-	if (ctx->system_local_caps.affinity_mask & ~accessdesc.affinity_mask)
-		ctx->validaffinitymask = Fail;
-
-	if (ctx->system_local_caps.old3ds_systemmode > accessdesc.old3ds_systemmode)
-		ctx->validold3dssystemmode = Fail;
-
-	if (ctx->system_local_caps.new3ds_systemmode > accessdesc.new3ds_systemmode)
-		ctx->validnew3dssystemmode = Fail;
-
-	if (ctx->system_local_caps.enable_l2_cache != accessdesc.enable_l2_cache)
-		ctx->validenablel2cache = Fail;
-
-	if (ctx->system_local_caps.new3ds_cpu_speed != accessdesc.new3ds_cpu_speed)
-		ctx->validnew3dscpuspeed = Fail;
-
-
-
-
-	// Storage Info Verify
-	if(ctx->system_local_caps.system_saveid[0] & ~accessdesc.system_saveid[0])
-		ctx->validsystemsaveID[0] = Fail;
-	if(ctx->system_local_caps.system_saveid[1] & ~accessdesc.system_saveid[1])
-		ctx->validsystemsaveID[1] = Fail;
-
-
-	if (ctx->system_local_caps.accessinfo & ~accessdesc.accessinfo)
-		ctx->validaccessinfo = Fail;
-
-	// Service Access Control
-	for (i = 0; i < 34; i++) {
-		if (strlen(ctx->system_local_caps.service_access_control[i]) == 0)
-			continue;
-
-		for (j = 0; j < 34; j++) {
-			if (strcmp(ctx->system_local_caps.service_access_control[i], accessdesc.service_access_control[j]) == 0)
-				break;
-		}
-
-		if (strcmp(ctx->system_local_caps.service_access_control[i], accessdesc.service_access_control[j]) == 0)
-			continue;
-
-		ctx->validservicecontrol = Fail;
-	}
-
-	if (ctx->usersettings)
-		ctx->validsignature = exheader_signature_verify(ctx, &ctx->usersettings->keys.ncchdescrsakey);
-}
-
-const char* exheader_getvalidstring(int valid)
-{
-	if (valid == 0)
-		return "";
-	else if (valid == 1)
-		return "(GOOD)";
-	else
-		return "(FAIL)";
-}
-
-const char* exheader_getsystemmodestring(u8 systemmode)
-{
-	switch (systemmode)
-	{
-	case (sysmode_64MB) :
-		return "64MB";
-	case (sysmode_96MB) :
-		return "96MB";
-	case (sysmode_80MB) :
-		return "80MB";
-	case (sysmode_72MB) :
-		return "72MB";
-	case (sysmode_32MB) :
-		return "32MB";
-	default:
-		return "Unknown";
-	}
-}
-
-const char* exheader_getsystemmodeextstring(u8 systemmodeext, u8 systemmode)
-{
-	switch (systemmodeext)
-	{
-	case (sysmode_ext_LEGACY) :
-		return exheader_getsystemmodestring(systemmode);
-	case (sysmode_ext_124MB) :
-		return "124MB";
-	case (sysmode_ext_178MB) :
-		return "178MB";
-	default:
-		return "124MB";
-	}
-}
-
-
-void exheader_print(exheader_context* ctx, u32 actions)
-{
-	u32 i;
-	u64 savedatasize = getle64(ctx->header.systeminfo.savedatasize);
-	exheader_codesetinfo* codesetinfo = &ctx->header.codesetinfo;
-
-
-	fprintf(stdout, "\nExtended header:\n");
-	if (ctx->validsignature == Unchecked)
-		memdump(stdout, "Signature:              ", ctx->header.accessdesc.signature, 0x100);
-	else if (ctx->validsignature == Good)
-		memdump(stdout, "Signature (GOOD):       ", ctx->header.accessdesc.signature, 0x100);
-	else if (ctx->validsignature == Fail)
-		memdump(stdout, "Signature (FAIL):       ", ctx->header.accessdesc.signature, 0x100);
-	printf("\n");
-	memdump(stdout, "NCCH Hdr RSA Modulus:   ", ctx->header.accessdesc.ncchpubkeymodulus, 0x100);
-	fprintf(stdout, "Name:                   %.8s\n", codesetinfo->name);
-	fprintf(stdout, "Flag:                   %02X ", codesetinfo->flags.flag);
-	if (codesetinfo->flags.flag & 1)
-		fprintf(stdout, "[compressed]");
-	if (codesetinfo->flags.flag & 2)
-		fprintf(stdout, "[sd app]");
-	fprintf(stdout, "\n");
-	fprintf(stdout, "Remaster version:       %04X\n", getle16(codesetinfo->flags.remasterversion));
-
-	fprintf(stdout, "Code text address:      0x%08X\n", getle32(codesetinfo->text.address));
-	fprintf(stdout, "Code text size:         0x%08X\n", getle32(codesetinfo->text.codesize));
-	fprintf(stdout, "Code text max pages:    0x%08X (0x%08X)\n", getle32(codesetinfo->text.nummaxpages), getle32(codesetinfo->text.nummaxpages)*0x1000);
-	fprintf(stdout, "Code ro address:        0x%08X\n", getle32(codesetinfo->ro.address));
-	fprintf(stdout, "Code ro size:           0x%08X\n", getle32(codesetinfo->ro.codesize));
-	fprintf(stdout, "Code ro max pages:      0x%08X (0x%08X)\n", getle32(codesetinfo->ro.nummaxpages), getle32(codesetinfo->ro.nummaxpages)*0x1000);
-	fprintf(stdout, "Code data address:      0x%08X\n", getle32(codesetinfo->data.address));
-	fprintf(stdout, "Code data size:         0x%08X\n", getle32(codesetinfo->data.codesize));
-	fprintf(stdout, "Code data max pages:    0x%08X (0x%08X)\n", getle32(codesetinfo->data.nummaxpages), getle32(codesetinfo->data.nummaxpages)*0x1000);
-	fprintf(stdout, "Code bss size:          0x%08X\n", getle32(codesetinfo->bsssize));
-	fprintf(stdout, "Code stack size:        0x%08X\n", getle32(codesetinfo->stacksize));
-
-	for(i=0; i<0x30; i++)
-	{
-		if (getle64(ctx->header.deplist.programid[i]) != 0x0000000000000000UL)
-			fprintf(stdout, "Dependency:             %016"PRIx64"\n", getle64(ctx->header.deplist.programid[i]));
-	}
-	if(savedatasize < sizeKB)
-		fprintf(stdout, "Savedata size:          0x%"PRIx64"\n", savedatasize);
-	else if(savedatasize < sizeMB)
-		fprintf(stdout, "Savedata size:          %"PRIu64"K\n", savedatasize/sizeKB);
-	else
-		fprintf(stdout, "Savedata size:          %"PRIu64"M\n", savedatasize/sizeMB);
-	fprintf(stdout, "Jump id:                %016"PRIx64"\n", getle64(ctx->header.systeminfo.jumpid));
-
-	fprintf(stdout, "Program id:             %016"PRIx64" %s\n", getle64(ctx->header.arm11systemlocalcaps.programid), exheader_getvalidstring(ctx->validprogramid));
-	fprintf(stdout, "Core version:           0x%X\n", getle32(ctx->header.arm11systemlocalcaps.coreversion));
-	fprintf(stdout, "System mode:            %s %s\n", exheader_getsystemmodestring(ctx->system_local_caps.old3ds_systemmode), exheader_getvalidstring(ctx->validold3dssystemmode));
-	fprintf(stdout, "System mode (New3DS):   %s %s\n", exheader_getsystemmodeextstring(ctx->system_local_caps.new3ds_systemmode, ctx->system_local_caps.old3ds_systemmode), exheader_getvalidstring(ctx->validnew3dssystemmode));
-	fprintf(stdout, "CPU Speed (New3DS):     %s %s\n", ctx->system_local_caps.new3ds_cpu_speed? "804MHz" : "268MHz", exheader_getvalidstring(ctx->validnew3dscpuspeed));
-	fprintf(stdout, "Enable L2 Cache:        %s %s\n", ctx->system_local_caps.enable_l2_cache ? "YES" : "NO", exheader_getvalidstring(ctx->validnew3dscpuspeed));
-	fprintf(stdout, "Ideal processor:        %d %s\n", ctx->system_local_caps.ideal_processor, exheader_getvalidstring(ctx->valididealprocessor));
-	fprintf(stdout, "Affinity mask:          %d %s\n", ctx->system_local_caps.affinity_mask, exheader_getvalidstring(ctx->validaffinitymask));
-	fprintf(stdout, "Main thread priority:   %d %s\n", ctx->system_local_caps.priority, exheader_getvalidstring(ctx->validpriority));
-	// print resource limit descriptor too? currently mostly zeroes...
-	exheader_print_arm11storageinfo(ctx);
-	exheader_print_arm11kernelcapabilities(ctx, actions);
-	exheader_print_arm9accesscontrol(ctx);
-
-	fprintf(stdout, "Service access: %s\n", exheader_getvalidstring(ctx->validservicecontrol));
-	for(i=0; i<34; i++)
-	{
-		if (strlen(ctx->system_local_caps.service_access_control[i]) > 0)
-			fprintf(stdout, " > %s\n", ctx->system_local_caps.service_access_control[i]);
-	}
-	fprintf(stdout, "Reslimit category:      %02X\n", ctx->header.arm11systemlocalcaps.resourcelimitcategory);
-}
diff --git a/ctrtool/exheader.h b/ctrtool/exheader.h
deleted file mode 100644
index 7f4ce496..00000000
--- a/ctrtool/exheader.h
+++ /dev/null
@@ -1,202 +0,0 @@
-#ifndef _EXHEADER_H_
-#define _EXHEADER_H_
-
-#include <stdio.h>
-#include "types.h"
-#include "ctr.h"
-#include "settings.h"
-
-typedef enum
-{
-	sysmode_64MB,
-	sysmode_UNK,
-	sysmode_96MB,
-	sysmode_80MB,
-	sysmode_72MB,
-	sysmode_32MB,
-} exheader_systemmode;
-
-typedef enum
-{
-	sysmode_ext_LEGACY,
-	sysmode_ext_124MB,
-	sysmode_ext_178MB,
-} exheader_systemmodeext;
-
-typedef struct
-{
-	u8 reserved[5];
-	u8 flag;
-	u8 remasterversion[2];
-} exheader_systeminfoflags;
-
-typedef struct
-{
-	u8 address[4];
-	u8 nummaxpages[4];
-	u8 codesize[4];
-} exheader_codesegmentinfo;
-
-typedef struct
-{
-	u8 name[8];
-	exheader_systeminfoflags flags;
-	exheader_codesegmentinfo text;
-	u8 stacksize[4];
-	exheader_codesegmentinfo ro;
-	u8 reserved[4];
-	exheader_codesegmentinfo data;
-	u8 bsssize[4];
-} exheader_codesetinfo;
-
-typedef struct
-{
-	u8 programid[0x30][8];
-} exheader_dependencylist;
-
-typedef struct
-{
-	u8 savedatasize[8];
-	u8 jumpid[8];
-	u8 reserved2[0x30];
-} exheader_systeminfo;
-
-typedef struct
-{
-	u8 extsavedataid[8];
-	u8 systemsavedataid[8];
-	u8 accessibleuniqueids[8];
-	u8 accessinfo[7];
-	u8 otherattributes;
-} exheader_storageinfo;
-
-typedef struct
-{
-	u8 programid[8];
-	u8 coreversion[4];
-	u8 flag[4];
-	u8 resourcelimitdescriptor[0x10][2];
-	exheader_storageinfo storageinfo;
-	u8 serviceaccesscontrol[34][8];
-	u8 reserved[0xf];
-	u8 resourcelimitcategory;
-} exheader_arm11systemlocalcaps;
-
-typedef struct 
-{
-	u8 program_id[8];
-	u32 core_version;
-
-	// flag
-	u8 enable_l2_cache;
-	u8 new3ds_cpu_speed;
-	u8 new3ds_systemmode;
-	u8 ideal_processor;
-	u8 affinity_mask;
-	u8 old3ds_systemmode;
-	s8 priority;
-
-	// storageinfo
-	u64 extdata_id;
-	u32 other_user_saveid[3];
-	u8 use_other_variation_savedata;
-	u32 accessible_saveid[6];
-	u32 system_saveid[2];
-	u64 accessinfo;
-
-
-	char service_access_control[34][10];
-	u8 resource_limit_category;
-} exheader_arm11systemlocalcaps_deserialised;
-
-typedef struct
-{
-	u8 descriptors[28][4];
-	u8 reserved[0x10];
-} exheader_arm11kernelcapabilities;
-
-typedef struct
-{
-	u8 descriptors[15];
-	u8 descversion;
-} exheader_arm9accesscontrol;
-
-typedef struct
-{
-	// systemcontrol info {
-	//   coreinfo {
-	exheader_codesetinfo codesetinfo;
-	exheader_dependencylist deplist;
-	//   }
-	exheader_systeminfo systeminfo;
-	// }
-	// accesscontrolinfo {
-	exheader_arm11systemlocalcaps arm11systemlocalcaps;
-	exheader_arm11kernelcapabilities arm11kernelcaps;
-	exheader_arm9accesscontrol arm9accesscontrol;
-	// }
-	struct {
-		u8 signature[0x100];
-		u8 ncchpubkeymodulus[0x100];
-		exheader_arm11systemlocalcaps arm11systemlocalcaps;
-		exheader_arm11kernelcapabilities arm11kernelcaps;
-		exheader_arm9accesscontrol arm9accesscontrol;
-	} accessdesc;
-} exheader_header;
-
-typedef struct
-{
-	int haveread;
-	FILE* file;
-	settings* usersettings;
-	u8 titleid[8];
-	u8 programid[8];
-	u8 hash[32];
-	u8 counter[16];
-	u8 key[16];
-	u64 offset;
-	u64 size;
-	exheader_header header;
-
-	exheader_arm11systemlocalcaps_deserialised system_local_caps;
-
-	ctr_aes_context aes;
-	ctr_rsa_context rsa;
-	int compressedflag;
-	int encrypted;
-	int validprogramid;
-	int validpriority;
-	int validaffinitymask;
-	int valididealprocessor;
-	int validold3dssystemmode;
-	int validnew3dssystemmode;
-	int validenablel2cache;
-	int validnew3dscpuspeed;
-	int validcoreversion;
-	int validsystemsaveID[2];
-	int validaccessinfo;
-	int validservicecontrol;
-	int validsignature;
-} exheader_context;
-
-void exheader_init(exheader_context* ctx);
-void exheader_set_file(exheader_context* ctx, FILE* file);
-void exheader_set_offset(exheader_context* ctx, u64 offset);
-void exheader_set_size(exheader_context* ctx, u64 size);
-void exheader_set_titleid(exheader_context* ctx, u8 titleid[8]);
-void exheader_set_counter(exheader_context* ctx, u8 counter[16]);
-void exheader_set_programid(exheader_context* ctx, u8 programid[8]);
-void exheader_set_hash(exheader_context* ctx, u8 hash[32]);
-void exheader_set_encrypted(exheader_context* ctx, u32 encrypted);
-void exheader_set_key(exheader_context* ctx, u8 key[16]);
-void exheader_set_usersettings(exheader_context* ctx, settings* usersettings);
-int exheader_get_compressedflag(exheader_context* ctx);
-void exheader_read(exheader_context* ctx, u32 actions);
-int exheader_process(exheader_context* ctx, u32 actions);
-const char* exheader_getvalidstring(int valid);
-void exheader_print(exheader_context* ctx, u32 actions);
-void exheader_verify(exheader_context* ctx);
-int exheader_hash_valid(exheader_context* ctx);
-int exheader_programid_valid(exheader_context* ctx);
-
-#endif // _EXHEADER_H_
diff --git a/ctrtool/filepath.c b/ctrtool/filepath.c
deleted file mode 100644
index 366bb65b..00000000
--- a/ctrtool/filepath.c
+++ /dev/null
@@ -1,90 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "types.h"
-#include "filepath.h"
-
-void filepath_init(filepath* fpath)
-{
-	fpath->valid = 0;
-}
-
-void filepath_copy(filepath* fpath, filepath* copy)
-{
-	if (copy != 0 && copy->valid)
-		memcpy(fpath, copy, sizeof(filepath));
-	else
-		memset(fpath, 0, sizeof(filepath));
-}
-
-void filepath_append_utf16(filepath* fpath, const u8* name)
-{
-	u32 size;
-
-
-	if (fpath->valid == 0)
-		return;
-
-	size = strlen(fpath->pathname);
-
-	if (size > 0 && size < (MAX_PATH-1))
-	{
-		if (fpath->pathname[size-1] != PATH_SEPERATOR)
-			fpath->pathname[size++] = PATH_SEPERATOR;
-	}
-
-	while(size < (MAX_PATH-1))
-	{
-		u8 lo = *name++;
-		u8 hi = *name++;
-		u16 code = (hi<<8) | lo;
-
-		if (code == 0)
-			break;
-
-		// convert non-ANSI to '#', because unicode support is too much work
-		if (code > 0x7F)
-			code = '#';
-		
-		fpath->pathname[size++] = (char) code;
-	}
-
-	fpath->pathname[size] = 0;
-
-	if (size >= (MAX_PATH-1))
-		fpath->valid = 0;
-}
-
-void filepath_append(filepath* fpath, const char* format, ...)
-{
-	char tmppath[MAX_PATH];
-	va_list args;
-
-	if (fpath->valid == 0)
-		return;
-
-	memset(tmppath, 0, MAX_PATH);
-    
-	va_start(args, format);
-    vsprintf(tmppath, format, args);
-    va_end(args);
-
-	strcat(fpath->pathname, "/");
-	strcat(fpath->pathname, tmppath);
-}
-
-void filepath_set(filepath* fpath, const char* path)
-{
-	fpath->valid = 1;
-	memset(fpath->pathname, 0, MAX_PATH);
-	strncpy(fpath->pathname, path, MAX_PATH);
-}
-
-const char* filepath_get(filepath* fpath)
-{
-	if (fpath->valid == 0)
-		return 0;
-	else
-		return fpath->pathname;
-}
diff --git a/ctrtool/filepath.h b/ctrtool/filepath.h
deleted file mode 100644
index 9f6d72c0..00000000
--- a/ctrtool/filepath.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _FILEPATH_H_
-#define _FILEPATH_H_
-
-#include "types.h"
-#include "utils.h"
-
-typedef struct
-{
-	char pathname[MAX_PATH];
-	int valid;
-} filepath;
-
-void filepath_init(filepath* fpath);
-void filepath_copy(filepath* fpath, filepath* copy);
-void filepath_append_utf16(filepath* fpath, const u8* name);
-void filepath_append(filepath* fpath, const char* format, ...);
-void filepath_set(filepath* fpath, const char* path);
-const char* filepath_get(filepath* fpath);
-
-#endif // _FILEPATH_H_
diff --git a/ctrtool/firm.c b/ctrtool/firm.c
deleted file mode 100644
index 491f4a7e..00000000
--- a/ctrtool/firm.c
+++ /dev/null
@@ -1,257 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "types.h"
-#include "firm.h"
-#include "utils.h"
-
-void firm_init(firm_context* ctx)
-{
-	memset(ctx, 0, sizeof(firm_context));
-}
-
-void firm_set_file(firm_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void firm_set_offset(firm_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void firm_set_size(firm_context* ctx, u32 size)
-{
-	ctx->size = size;
-}
-
-void firm_set_usersettings(firm_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void firm_save(firm_context* ctx, u32 index, u32 flags)
-{
-	firm_sectionheader* section = (firm_sectionheader*)(ctx->header.section + index);
-	u32 offset;
-	u32 size;
-	u32 address;
-	FILE* fout;
-	filepath outpath;
-	u8 buffer[16 * 1024];
-	
-	
-	offset = getle32(section->offset);
-	size = getle32(section->size);
-	address = getle32(section->address);
-	filepath_copy(&outpath, settings_get_firm_dir_path(ctx->usersettings));
-	filepath_append(&outpath, "firm_%d_%08X.bin", index, address);
-
-	if (size == 0 || outpath.valid == 0)
-		return;
-
-	if (size >= ctx->size)
-	{
-		fprintf(stderr, "Error, firm section %d size invalid\n", index);
-		return;
-	}
-
-	fout = fopen(outpath.pathname, "wb");
-	if (fout == 0)
-	{
-		fprintf(stderr, "Error, failed to create file %s\n", outpath.pathname);
-		goto clean;
-	}
-	
-	
-
-	fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-	fprintf(stdout, "Saving section %d to %s...\n", index, outpath.pathname);
-
-	while(size)
-	{
-		u32 max = sizeof(buffer);
-		if (max > size)
-			max = size;
-
-		if (max != fread(buffer, 1, max, ctx->file))
-		{
-			fprintf(stdout, "Error reading input file\n");
-			goto clean;
-		}
-
-		if (max != fwrite(buffer, 1, max, fout))
-		{
-			fprintf(stdout, "Error writing output file\n");
-			goto clean;
-		}
-
-		size -= max;
-	}
-
-
-clean:
-	return;
-}
-
-
-void firm_process(firm_context* ctx, u32 actions)
-{
-	u32 i;
-
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread(&ctx->header, 1, sizeof(firm_header), ctx->file);
-
-	if (getle32(ctx->header.magic) != MAGIC_FIRM)
-	{
-		fprintf(stdout, "Error, FIRM segment corrupted\n");
-		return;
-	}
-
-
-	if (actions & VerifyFlag)
-	{
-		firm_verify(ctx, actions);
-		firm_signature_verify(ctx);
-	}
-
-	if (actions & InfoFlag)
-	{
-		firm_print(ctx);
-	}
-
-	if (actions & ExtractFlag)
-	{
-		filepath* dirpath = settings_get_firm_dir_path(ctx->usersettings);
-
-		if (dirpath && dirpath->valid)
-		{
-			makedir(dirpath->pathname);
-			for(i=0; i<4; i++)
-				firm_save(ctx, i, actions);
-		}
-	}
-}
-
-int firm_verify(firm_context* ctx, u32 flags)
-{
-	unsigned int i;
-	u32 offset;
-	u32 size;
-	u8 buffer[16 * 1024];
-	u8 hash[0x20];
-
-
-	for(i=0; i<4; i++)
-	{
-		firm_sectionheader* section = (firm_sectionheader*)(ctx->header.section + i);
-	
-
-		offset = getle32(section->offset);
-		size = getle32(section->size);
-
-		if (size == 0)
-			return 0;
-
-		fseeko64(ctx->file, ctx->offset + offset, SEEK_SET);
-
-		ctr_sha_256_init(&ctx->sha);
-
-		while(size)
-		{
-			u32 max = sizeof(buffer);
-			if (max > size)
-				max = size;
-
-			if (max != fread(buffer, 1, max, ctx->file))
-			{
-				fprintf(stdout, "Error reading input file\n");
-				goto clean;
-			}
-
-			ctr_sha_256_update(&ctx->sha, buffer, max);
-
-			size -= max;
-		}	
-
-		ctr_sha_256_finish(&ctx->sha, hash);
-
-
-		if (memcmp(hash, section->hash, 0x20) == 0)
-			ctx->hashcheck[i] = Good;
-		else
-			ctx->hashcheck[i] = Fail;
-	}
-
-
-clean:
-	return 0;
-}
-
-
-void firm_signature_verify(firm_context* ctx)
-{
-	u8 hash[0x20];
-
-	if (ctx->usersettings)
-	{
-		ctr_sha_256(ctx->header.magic, 0x100, hash);
-		ctx->headersigcheck = ctr_rsa_verify_hash(ctx->header.signature, hash, &ctx->usersettings->keys.firmrsakey);
-	}
-}
-
-
-void firm_print(firm_context* ctx)
-{
-	u32 i;
-	u32 address;
-	u32 copyMethod;
-	u32 offset;
-	u32 size;
-	u32 priority = getle32(ctx->header.priority);
-	u32 entrypointarm11 = getle32(ctx->header.entrypointarm11);
-	u32 entrypointarm9 = getle32(ctx->header.entrypointarm9);
-
-	fprintf(stdout, "\nFIRM:\n");
-	if (ctx->headersigcheck == Unchecked)
-		memdump(stdout, "Signature:              ", ctx->header.signature, 0x100);
-	else if (ctx->headersigcheck == Good)
-		memdump(stdout, "Signature (GOOD):       ", ctx->header.signature, 0x100);
-	else
-		memdump(stdout, "Signature (FAIL):       ", ctx->header.signature, 0x100);
-
-	fprintf(stdout, "\n");
-	fprintf(stdout, "Priority:               %u\n", priority);
-	fprintf(stdout, "Entrypoint ARM9:        0x%08X\n", entrypointarm9);
-	fprintf(stdout, "Entrypoint ARM11:       0x%08X\n", entrypointarm11);
-	fprintf(stdout, "\n");
-
-
-	for(i=0; i<4; i++)
-	{
-		firm_sectionheader* section = (firm_sectionheader*)(ctx->header.section + i);
-
-
-		offset = getle32(section->offset);
-		size = getle32(section->size);
-		address = getle32(section->address);
-		copyMethod = getle32(section->copyMethod);
-
-		if (size)
-		{
-			fprintf(stdout, "Section %d              \n", i);
-			fprintf(stdout, " Copy Method:           %s\n", copyMethod==0 ? "NDMA" : copyMethod==1 ? "XDMA" :
-															copyMethod==2 ? "memcpy" : "UNKNOWN");
-			fprintf(stdout, " Address:               0x%08X\n", address);
-			fprintf(stdout, " Offset:                0x%08X\n", offset);
-			fprintf(stdout, " Size:                  0x%08X\n", size);			
-			if (ctx->hashcheck[i] == Good)
-				memdump(stdout, " Hash (GOOD):           ", section->hash, 0x20);
-			else if (ctx->hashcheck[i] == Fail)
-				memdump(stdout, " Hash (FAIL):           ", section->hash, 0x20);
-			else
-				memdump(stdout, " Hash:                  ", section->hash, 0x20);
-		}
-	}
-}
diff --git a/ctrtool/firm.h b/ctrtool/firm.h
deleted file mode 100644
index 5d1ebbcf..00000000
--- a/ctrtool/firm.h
+++ /dev/null
@@ -1,57 +0,0 @@
-#ifndef _FIRM_H_
-#define _FIRM_H_
-
-#include "types.h"
-#include "info.h"
-#include "ctr.h"
-#include "filepath.h"
-#include "settings.h"
-
-
-typedef struct
-{
-	u8 offset[4];
-	u8 address[4];
-	u8 size[4];
-	u8 copyMethod[4];
-	u8 hash[32];
-} firm_sectionheader;
-
-
-
-
-typedef struct
-{
-	u8 magic[4];
-	u8 priority[4];
-	u8 entrypointarm11[4];
-	u8 entrypointarm9[4];
-	u8 reserved1[0x30];
-	firm_sectionheader section[4];
-	u8 signature[0x100];
-} firm_header;
-
-typedef struct
-{
-	FILE* file;
-	settings* usersettings;
-	u64 offset;
-	u32 size;
-	firm_header header;
-	ctr_sha256_context sha;
-	int hashcheck[4];
-	int headersigcheck;
-} firm_context;
-
-void firm_init(firm_context* ctx);
-void firm_set_file(firm_context* ctx, FILE* file);
-void firm_set_offset(firm_context* ctx, u64 offset);
-void firm_set_size(firm_context* ctx, u32 size);
-void firm_set_usersettings(firm_context* ctx, settings* usersettings);
-void firm_process(firm_context* ctx, u32 actions);
-void firm_print(firm_context* ctx);
-void firm_save(firm_context* ctx, u32 index, u32 flags);
-int firm_verify(firm_context* ctx, u32 flags);
-void firm_signature_verify(firm_context* ctx);
-
-#endif // _FIRM_H_
diff --git a/ctrtool/info.h b/ctrtool/info.h
deleted file mode 100644
index fac4117c..00000000
--- a/ctrtool/info.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef _INFO_H_
-#define _INFO_H_
-
-#include "types.h"
-#include "keyset.h"
-
-typedef struct
-{
-	FILE* file;
-	keyset* keys;
-	u32 offset;
-	const u8* blob;
-	u32 blobsize;
-} infocontext;
-
-#endif // _INFO_H_
diff --git a/ctrtool/ivfc.c b/ctrtool/ivfc.c
deleted file mode 100644
index 4a77a676..00000000
--- a/ctrtool/ivfc.c
+++ /dev/null
@@ -1,247 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include "types.h"
-#include "utils.h"
-#include "ivfc.h"
-#include "ctr.h"
-
-void ivfc_init(ivfc_context* ctx)
-{
-	memset(ctx, 0, sizeof(ivfc_context));
-}
-
-void ivfc_set_usersettings(ivfc_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void ivfc_set_offset(ivfc_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void ivfc_set_size(ivfc_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-void ivfc_set_file(ivfc_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void ivfc_set_encrypted(ivfc_context* ctx, u32 encrypted)
-{
-	ctx->encrypted = encrypted;
-}
-
-void ivfc_set_key(ivfc_context* ctx, u8 key[16])
-{
-	ctr_init_key(&ctx->aes, key);
-}
-
-void ivfc_set_counter(ivfc_context* ctx, u8 counter[16])
-{
-	memcpy(ctx->counter, counter, 16);
-}
-
-void ivfc_fseek(ivfc_context* ctx, u64 offset)
-{
-	u64 data_pos = offset - ctx->offset;
-	fseeko64(ctx->file, offset, SEEK_SET);
-
-	if (ctx->encrypted) {
-		//printf("start fseek encrypted prep\n");
-		ctr_init_counter(&ctx->aes, ctx->counter);
-		//printf("middle fseek encrypted prep\n");
-		ctr_add_counter(&ctx->aes, (u32)(data_pos / 0x10));
-		//printf("finish fseek encrypted prep\n");
-	}
-}
-
-size_t ivfc_fread(ivfc_context* ctx, void* buffer, size_t size, size_t count)
-{
-	size_t read;
-	if ((read = fread(buffer, size, count, ctx->file)) != count) {
-		//printf("ivfc_fread() fail\n");
-		return read;
-	}
-	if (ctx->encrypted) {
-		ctr_crypt_counter(&ctx->aes, buffer, buffer, size*read);
-	}
-	return read;
-}
-
-
-void ivfc_process(ivfc_context* ctx, u32 actions)
-{
-	ivfc_fseek(ctx, ctx->offset);
-	ivfc_fread(ctx, &ctx->header, 1, sizeof(ivfc_header));
-
-	if (getle32(ctx->header.magic) != MAGIC_IVFC)
-	{
-		fprintf(stdout, "Error, IVFC segment corrupted\n");
-		return;
-	}
-
-	if (getle32(ctx->header.id) == 0x10000)
-	{
-		ctx->levelcount = 3;
-
-		ctx->level[2].hashblocksize = 1 << getle32(ctx->header.level3.blocksize);
-		ctx->level[1].hashblocksize = 1 << getle32(ctx->header.level2.blocksize);
-		ctx->level[0].hashblocksize = 1 << getle32(ctx->header.level1.blocksize);
-
-		ctx->bodyoffset = align64(IVFC_HEADER_SIZE + getle32(ctx->header.masterhashsize), ctx->level[2].hashblocksize);
-		ctx->bodysize = getle64(ctx->header.level3.hashdatasize);
-		
-		ctx->level[2].dataoffset = ctx->bodyoffset;
-		ctx->level[2].datasize = align64(ctx->bodysize, ctx->level[2].hashblocksize);
-
-		ctx->level[0].dataoffset = ctx->level[2].dataoffset + ctx->level[2].datasize;
-		ctx->level[0].datasize = align64(getle64(ctx->header.level1.hashdatasize), ctx->level[0].hashblocksize);
-
-		ctx->level[1].dataoffset = ctx->level[0].dataoffset + ctx->level[0].datasize;
-		ctx->level[1].datasize = align64(getle64(ctx->header.level2.hashdatasize), ctx->level[1].hashblocksize);
-
-		ctx->level[0].hashoffset = IVFC_HEADER_SIZE;
-		ctx->level[1].hashoffset = ctx->level[0].dataoffset;
-		ctx->level[2].hashoffset = ctx->level[1].dataoffset;
-	}
-
-	if (actions & VerifyFlag)
-		ivfc_verify(ctx, actions);
-
-	if (actions & InfoFlag)
-		ivfc_print(ctx);		
-
-}
-
-void ivfc_verify(ivfc_context* ctx, u32 flags)
-{
-	u32 i, j;
-	u32 blockcount;
-
-	for(i=0; i<ctx->levelcount; i++)
-	{
-		ivfc_level* level = ctx->level + i;
-
-		level->hashcheck = Fail;
-	}
-
-	// Import IVFC level hashes
-	uint8_t *levelhash[IVFC_MAX_LEVEL] = { NULL };
-
-	for (i=0; i<ctx->levelcount; i++)
-	{
-		blockcount = (u32)(ctx->level[i].datasize / ctx->level[i].hashblocksize);
-		u32 read_size = align(blockcount * 0x20, ctx->level[i].hashblocksize);
-		levelhash[i] = malloc(read_size);
-		ivfc_read(ctx, ctx->level[i].hashoffset, read_size, levelhash[i]);
-	}
-
-	// Verify blocks
-	for (i=0; i<ctx->levelcount; i++)
-	{
-		blockcount = (u32) (ctx->level[i].datasize / ctx->level[i].hashblocksize);
-		if (ctx->level[i].datasize % ctx->level[i].hashblocksize != 0)
-		{
-			fprintf(stderr, "Error, IVFC block size mismatch\n");
-			return;
-		}
-
-		ctx->level[i].hashcheck = Good;
-
-		for (j=0; j<blockcount; j++)
-		{
-			u8 calchash[32];
-			
-			// a hash level
-			if (i < 2) {
-				ctr_sha_256(levelhash[i+1] + ctx->level[i].hashblocksize * j, ctx->level[i].hashblocksize, calchash);
-			}
-			// a data level
-			else {
-				ivfc_read(ctx, ctx->level[i].dataoffset + j * ctx->level[i].hashblocksize, ctx->level[i].hashblocksize, ctx->buffer);
-				ctr_sha_256(ctx->buffer, (u32)ctx->level[i].hashblocksize, calchash);
-			}
-
-			if (memcmp(calchash, levelhash[i] + 0x20 * j, 0x20) != 0) {
-				ctx->level[i].hashcheck = Fail;
-			}
-				
-		}
-	}
-
-	// Free level hashes
-	for (int i = 0; i < 3; i++) {
-		free(levelhash[i]);
-	}
-}
-
-void ivfc_read(ivfc_context* ctx, u64 offset, u64 size, u8* buffer)
-{
-	if ( (offset > ctx->size) || (offset+size > ctx->size) )
-	{
-		fprintf(stderr, "Error, IVFC offset out of range (offset=0x%08"PRIx64", size=0x%08"PRIx64")\n", offset, size);
-		return;
-	}
-
-	ivfc_fseek(ctx, ctx->offset + offset);
-	if (size != ivfc_fread(ctx, buffer, 1, (size_t) size))
-	{
-		fprintf(stderr, "Error, IVFC could not read file\n");
-		return;
-	}
-}
-
-void ivfc_hash(ivfc_context* ctx, u64 offset, u64 size, u8* hash)
-{
-	if (size > IVFC_MAX_BUFFERSIZE)
-	{
-		fprintf(stderr, "Error, IVFC hash block size too big.\n");
-		return;
-	}
-
-	ivfc_read(ctx, offset, size, ctx->buffer);
-
-	ctr_sha_256(ctx->buffer, (u32) size, hash);
-}
-
-void ivfc_print(ivfc_context* ctx)
-{
-	u32 i;
-	ivfc_header* header = &ctx->header;
-
-	fprintf(stdout, "\nIVFC:\n");
-
-	fprintf(stdout, "Header:                 %.4s\n", header->magic);
-	fprintf(stdout, "Id:                     %08x\n", getle32(header->id));
-
-	for(i=0; i<ctx->levelcount; i++)
-	{
-		ivfc_level* level = ctx->level + i;
-
-		fprintf(stdout, "\n");
-		if (level->hashcheck == Unchecked)
-			fprintf(stdout, "Level %d:               \n", i);
-		else
-			fprintf(stdout, "Level %d (%s):          \n", i, level->hashcheck == Good? "GOOD" : "FAIL");
-		fprintf(stdout, " Data offset:           0x%08"PRIx64"\n", ctx->offset + level->dataoffset);
-		fprintf(stdout, " Data size:             0x%08"PRIx64"\n", level->datasize);
-		fprintf(stdout, " Hash offset:           0x%08"PRIx64"\n", ctx->offset + level->hashoffset);
-		fprintf(stdout, " Hash block size:       0x%08x\n", level->hashblocksize);
-	}
-}
-
-u64 ivfc_get_body_offset(ivfc_context* ctx)
-{
-	return ctx->bodyoffset;
-}
-
-u64 ivfc_get_body_size(ivfc_context* ctx)
-{
-	return ctx->bodysize;
-}
-
diff --git a/ctrtool/ivfc.h b/ctrtool/ivfc.h
deleted file mode 100644
index 67b5c7e6..00000000
--- a/ctrtool/ivfc.h
+++ /dev/null
@@ -1,78 +0,0 @@
-#ifndef __IVFC_H__
-#define __IVFC_H__
-
-#include "types.h"
-#include "ctr.h"
-#include "settings.h"
-
-#define IVFC_HEADER_SIZE 0x60
-#define IVFC_MAX_LEVEL 4
-#define IVFC_MAX_BUFFERSIZE 0x4000
-
-typedef struct
-{
-	u8 logicaloffset[8];
-	u8 hashdatasize[8];
-	u8 blocksize[4];
-	u8 reserved[4];
-} ivfc_levelheader;
-
-typedef struct
-{
-	u64 dataoffset;
-	u64 datasize;
-	u64 hashoffset;
-	u32 hashblocksize;
-	int hashcheck;
-} ivfc_level;
-
-typedef struct
-{
-	u8 magic[4];
-	u8 id[4];
-	u8 masterhashsize[4];
-	ivfc_levelheader level1;
-	ivfc_levelheader level2;
-	ivfc_levelheader level3;
-	u8 reserved[4];
-	u8 optionalsize[4];
-} ivfc_header;
-
-typedef struct
-{
-	FILE* file;
-	u64 offset;
-	u64 size;
-	settings* usersettings;
-	u8 counter[16];
-	ctr_aes_context aes;
-	int encrypted;
-
-	ivfc_header header;
-
-	u32 levelcount;
-	ivfc_level level[IVFC_MAX_LEVEL];
-	u64 bodyoffset;
-	u64 bodysize;
-	u8 buffer[IVFC_MAX_BUFFERSIZE];
-} ivfc_context;
-
-void ivfc_init(ivfc_context* ctx);
-void ivfc_process(ivfc_context* ctx, u32 actions);
-void ivfc_set_offset(ivfc_context* ctx, u64 offset);
-void ivfc_set_size(ivfc_context* ctx, u64 size);
-void ivfc_set_file(ivfc_context* ctx, FILE* file);
-void ivfc_set_usersettings(ivfc_context* ctx, settings* usersettings);
-void ivfc_set_encrypted(ivfc_context* ctx, u32 encrypted);
-void ivfc_set_key(ivfc_context* ctx, u8 key[16]);
-void ivfc_set_counter(ivfc_context* ctx, u8 counter[16]);
-void ivfc_fseek(ivfc_context* ctx, u64 offset);
-size_t ivfc_fread(ivfc_context* ctx, void* buffer, size_t size, size_t count);
-
-void ivfc_verify(ivfc_context* ctx, u32 flags);
-void ivfc_print(ivfc_context* ctx);
-
-void ivfc_read(ivfc_context* ctx, u64 offset, u64 size, u8* buffer);
-void ivfc_hash(ivfc_context* ctx, u64 offset, u64 size, u8* hash);
-
-#endif // __IVFC_H__
diff --git a/ctrtool/keyset.cpp b/ctrtool/keyset.cpp
deleted file mode 100644
index b4e67633..00000000
--- a/ctrtool/keyset.cpp
+++ /dev/null
@@ -1,395 +0,0 @@
-#include <stdio.h>
-#include "keyset.h"
-#include "utils.h"
-#include "tinyxml/tinyxml.h"
-
-static void keyset_set_key128(key128* key, unsigned char* keydata);
-static void keyset_parse_key128(key128* key, char* keytext, int keylen);
-static int keyset_parse_key(const char* text, unsigned int textlen, unsigned char* key, unsigned int size, int* valid);
-static int keyset_load_rsakey2048(TiXmlElement* elem, rsakey2048* key);
-static int keyset_load_key128(TiXmlHandle node, key128* key);
-static int keyset_load_key(TiXmlHandle node, unsigned char* key, unsigned int maxsize, int* valid);
-
-static int ishex(char c)
-{
-	if (c >= '0' && c <= '9')
-		return 1;
-	if (c >= 'A' && c <= 'F')
-		return 1;
-	if (c >= 'a' && c <= 'f')
-		return 1;
-	return 0;
-
-}
-
-static unsigned char hextobin(char c)
-{
-	if (c >= '0' && c <= '9')
-		return c-'0';
-	if (c >= 'A' && c <= 'F')
-		return c-'A'+0xA;
-	if (c >= 'a' && c <= 'f')
-		return c-'a'+0xA;
-	return 0;
-}
-
-void keyset_init(keyset* keys, u32 actions)
-{
-	const key128 defaultkeys_retail[] = {
-		// fixed system key - unknown if used/correct?
-		{{0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}, 1},
-		// NCCH 0x2c keyX
-		{{0xb9, 0x8e, 0x95, 0xce, 0xca, 0x3e, 0x4d, 0x17, 0x1f, 0x76, 0xa9, 0x4d, 0xe9, 0x34, 0xc0, 0x53}, 1},
-		// NCCH 0x25 keyX 7.x
-		{{0xce, 0xe7, 0xd8, 0xab, 0x30, 0xc0, 0x0d, 0xae, 0x85, 0x0e, 0xf5, 0xe3, 0x82, 0xac, 0x5a, 0xf3}, 1},
-		// NCCH 0x18 keyX N9.3
-		{{0x82, 0xe9, 0xc9, 0xbe, 0xbf, 0xb8, 0xbd, 0xb8, 0x75, 0xec, 0xc0, 0xa0, 0x7d, 0x47, 0x43, 0x74}, 1},
-		// NCCH 0x1B keyX N9.6
-		{{0x45, 0xad, 0x04, 0x95, 0x39, 0x92, 0xc7, 0xc8, 0x93, 0x72, 0x4a, 0x9a, 0x7b, 0xce, 0x61, 0x82}, 1},
-		// common key index0 (application)
-		{{0x64, 0xC5, 0xFD, 0x55, 0xDD, 0x3A, 0xD9, 0x88, 0x32, 0x5B, 0xAA, 0xEC, 0x52, 0x43, 0xDB, 0x98}, 1},
-		// common key index1 (system)
-		{{0x4A, 0xAA, 0x3D, 0x0E, 0x27, 0xD4, 0xD7, 0x28, 0xD0, 0xB1, 0xB4, 0x33, 0xF0, 0xF9, 0xCB, 0xC8}, 1},
-		// common key index2
-		{{0xFB, 0xB0, 0xEF, 0x8C, 0xDB, 0xB0, 0xD8, 0xE4, 0x53, 0xCD, 0x99, 0x34, 0x43, 0x71, 0x69, 0x7F}, 1},
-		// common key index3
-		{{0x25, 0x95, 0x9B, 0x7A, 0xD0, 0x40, 0x9F, 0x72, 0x68, 0x41, 0x98, 0xBA, 0x2E, 0xCD, 0x7D, 0xC6}, 1},
-		// common key index4
-		{{0x7A, 0xDA, 0x22, 0xCA, 0xFF, 0xC4, 0x76, 0xCC, 0x82, 0x97, 0xA0, 0xC7, 0xCE, 0xEE, 0xEE, 0xBE}, 1},
-		// common key index5
-		{{0xA5, 0x05, 0x1C, 0xA1, 0xB3, 0x7D, 0xCF, 0x3A, 0xFB, 0xCF, 0x8C, 0xC1, 0xED, 0xD9, 0xCE, 0x02}, 1},
-	};
-	const key128 defaultkeys_dev[] = {
-		// fixed system key
-		{{0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}, 1},
-		// NCCH 0x2c keyX
-		{{0x51, 0x02, 0x07, 0x51, 0x55, 0x07, 0xcb, 0xb1, 0x8e, 0x24, 0x3d, 0xcb, 0x85, 0xe2, 0x3a, 0x1d}, 1},
-		// NCCH 0x25 keyX 7.x
-		{{0x81, 0x90, 0x7a, 0x4b, 0x6f, 0x1b, 0x47, 0x32, 0x3a, 0x67, 0x79, 0x74, 0xce, 0x4a, 0xd7, 0x1b}, 1},
-		// NCCH 0x18 keyX N9.3
-		{{0x30, 0x4b, 0xf1, 0x46, 0x83, 0x72, 0xee, 0x64, 0x11, 0x5e, 0xbd, 0x40, 0x93, 0xd8, 0x42, 0x76}, 1},
-		// NCCH 0x1B keyX N9.6
-		{{0x6c, 0x8b, 0x29, 0x44, 0xa0, 0x72, 0x60, 0x35, 0xf9, 0x41, 0xdf, 0xc0, 0x18, 0x52, 0x4f, 0xb6}, 1},
-		// common key index0
-		{{0x55, 0xA3, 0xF8, 0x72, 0xBD, 0xC8, 0x0C, 0x55, 0x5A, 0x65, 0x43, 0x81, 0x13, 0x9E, 0x15, 0x3B}, 1},
-		// common key index1
-		{{0x44, 0x34, 0xED, 0x14, 0x82, 0x0C, 0xA1, 0xEB, 0xAB, 0x82, 0xC1, 0x6E, 0x7B, 0xEF, 0x0C, 0x25}, 1},
-		// common key index2
-		{{0xF6, 0x2E, 0x3F, 0x95, 0x8E, 0x28, 0xA2, 0x1F, 0x28, 0x9E, 0xEC, 0x71, 0xA8, 0x66, 0x29, 0xDC}, 1},
-		// common key index3
-		{{0x2B, 0x49, 0xCB, 0x6F, 0x99, 0x98, 0xD9, 0xAD, 0x94, 0xF2, 0xED, 0xE7, 0xB5, 0xDA, 0x3E, 0x27}, 1},
-		// common key index4
-		{{0x75, 0x05, 0x52, 0xBF, 0xAA, 0x1C, 0x04, 0x07, 0x55, 0xC8, 0xD5, 0x9A, 0x55, 0xF9, 0xAD, 0x1F}, 1},
-		// common key index5
-		{{0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63}, 1},
-	};
-
-	memset(keys, 0, sizeof(keyset));
-
-	if (actions & PlainFlag)
-		return;
-
-	// select keyset
-	const key128* default_keys = (actions & DevFlag)? defaultkeys_dev : defaultkeys_retail;
-
-	u32 key_index = 0;
-	// set ncch keys
-	memcpy(&keys->ncchfixedsystemkey, &default_keys[key_index++], sizeof(key128));
-	memcpy(&keys->ncchkeyX_old, &default_keys[key_index++], sizeof(key128));
-	memcpy(&keys->ncchkeyX_seven, &default_keys[key_index++], sizeof(key128));
-	memcpy(&keys->ncchkeyX_ninethree, &default_keys[key_index++], sizeof(key128));
-	memcpy(&keys->ncchkeyX_ninesix, &default_keys[key_index++], sizeof(key128));
-
-	// set common keys
-	for (u32 i = 0; i < COMMONKEY_NUM; i++)
-	{
-		memcpy(&keys->commonkey[i], &default_keys[key_index++], sizeof(key128));
-	}
-
-}
-
-int keyset_load_key(TiXmlHandle node, unsigned char* key, unsigned int size, int* valid)
-{
-	TiXmlElement* elem = node.ToElement();
-
-	if (valid)
-		*valid = 0;
-
-	if (!elem)
-		return 0;
-
-	const char* text = elem->GetText();
-	unsigned int textlen = strlen(text);
-
-	int status = keyset_parse_key(text, textlen, key, size, valid);
-
-	if (status == KEY_ERR_LEN_MISMATCH)
-	{
-		fprintf(stderr, "Error size mismatch for key \"%s/%s\"\n", elem->Parent()->Value(), elem->Value());
-		return 0;
-	}
-	
-	return 1;
-}
-
-
-int keyset_parse_key(const char* text, unsigned int textlen, unsigned char* key, unsigned int size, int* valid)
-{
-	unsigned int i, j;
-	unsigned int hexcount = 0;
-
-
-	if (valid)
-		*valid = 0;
-
-	for(i=0; i<textlen; i++)
-	{
-		if (ishex(text[i]))
-			hexcount++;
-	}
-
-	if (hexcount != size*2)
-	{
-		fprintf(stdout, "Error, expected %d hex characters when parsing text \"", size*2);
-		for(i=0; i<textlen; i++)
-			fprintf(stdout, "%c", text[i]);
-		fprintf(stdout, "\"\n");
-		
-		return KEY_ERR_LEN_MISMATCH;
-	}
-
-	for(i=0, j=0; i<textlen; i++)
-	{
-		if (ishex(text[i]))
-		{
-			if ( (j&1) == 0 )
-				key[j/2] = hextobin(text[i])<<4;
-			else
-				key[j/2] |= hextobin(text[i]);
-			j++;
-		}
-	}
-
-	if (valid)
-		*valid = 1;
-	
-	return KEY_OK;
-}
-
-int keyset_load_key128(TiXmlHandle node, key128* key)
-{
-	return keyset_load_key(node, key->data, sizeof(key->data), &key->valid);
-}
-
-int keyset_load_rsakey2048(TiXmlHandle node, rsakey2048* key)
-{
-	key->keytype = RSAKEY_INVALID;
-
-	if (!keyset_load_key(node.FirstChild("N"), key->n, sizeof(key->n), 0))
-		goto clean;
-	if (!keyset_load_key(node.FirstChild("E"), key->e, sizeof(key->e), 0))
-		goto clean;
-	key->keytype = RSAKEY_PUB;
-
-	if (!keyset_load_key(node.FirstChild("D"), key->d, sizeof(key->d), 0))
-		goto clean;
-	if (!keyset_load_key(node.FirstChild("P"), key->p, sizeof(key->p), 0))
-		goto clean;
-	if (!keyset_load_key(node.FirstChild("Q"), key->q, sizeof(key->q), 0))
-		goto clean;
-	if (!keyset_load_key(node.FirstChild("DP"), key->dp, sizeof(key->dp), 0))
-		goto clean;
-	if (!keyset_load_key(node.FirstChild("DQ"), key->dq, sizeof(key->dq), 0))
-		goto clean;
-	if (!keyset_load_key(node.FirstChild("QP"), key->qp, sizeof(key->qp), 0))
-		goto clean;
-
-	key->keytype = RSAKEY_PRIV;
-clean:
-	return (key->keytype != RSAKEY_INVALID);
-}
-
-int keyset_load(keyset* keys, const char* fname, int verbose)
-{
-	TiXmlDocument doc(fname);
-	bool loadOkay = doc.LoadFile();
-
-	if (!loadOkay)
-	{
-		if (verbose)
-			fprintf(stderr, "Could not load keyset file \"%s\", error: %s.\n", fname, doc.ErrorDesc() );
-
-		return 0;
-	}
-
-	TiXmlHandle root = doc.FirstChild("document");
-
-	keyset_load_rsakey2048(root.FirstChild("ncsdrsakey"), &keys->ncsdrsakey);
-	keyset_load_rsakey2048(root.FirstChild("ncchrsakey"), &keys->ncchrsakey);
-	keyset_load_rsakey2048(root.FirstChild("ncchdescrsakey"), &keys->ncchdescrsakey);
-	keyset_load_rsakey2048(root.FirstChild("firmrsakey"), &keys->firmrsakey);
-	/*
-	keyset_load_key128(root.FirstChild("ncchfixedsystemkey"), &keys->ncchfixedsystemkey);
-	keyset_load_key128(root.FirstChild("ncchkeyxold"), &keys->ncchkeyX_old);
-	keyset_load_key128(root.FirstChild("ncchkeyxseven"), &keys->ncchkeyX_seven);
-	keyset_load_key128(root.FirstChild("ncchkeyxninethree"), &keys->ncchkeyX_ninethree);
-	keyset_load_key128(root.FirstChild("ncchkeyxninesix"), &keys->ncchkeyX_ninesix);
-	*/
-
-	return 1;
-}
-
-
-void keyset_merge(keyset* keys, keyset* src)
-{
-#define COPY_IF_VALID(v) do {\
-	if (src->v.valid && !keys->v.valid)\
-		keyset_set_key128(&keys->v, src->v.data);\
-} while (0)
-
-	// todo complete key copy
-	/* COPY_IF_VALID(commonkey[0]); */
-	//if ()
-	for (size_t i = 0; i < COMMONKEY_NUM; i++)
-	{
-		COPY_IF_VALID(commonkey[i]);
-	}
-	COPY_IF_VALID(titlekey);
-	COPY_IF_VALID(seed_fallback);
-	COPY_IF_VALID(ncchfixedsystemkey);
-	COPY_IF_VALID(ncchkeyX_old);
-	COPY_IF_VALID(ncchkeyX_seven);
-	COPY_IF_VALID(ncchkeyX_ninethree);
-	COPY_IF_VALID(ncchkeyX_ninesix);
-	if (src->seed_num > 0)
-	{
-		keys->seed_num = src->seed_num;
-		keys->seed_db = (seeddb_entry*)calloc(keys->seed_num, sizeof(seeddb_entry));
-		memcpy(keys->seed_db, src->seed_db, keys->seed_num * sizeof(seeddb_entry));
-	}
-
-#undef COPY_IF_VALID
-}
-
-void keyset_set_key128(key128* key, unsigned char* keydata)
-{
-	memcpy(key->data, keydata, 16);
-	key->valid = 1;
-}
-
-void keyset_parse_key128(key128* key, char* keytext, int keylen)
-{
-	keyset_parse_key(keytext, keylen, key->data, 16, &key->valid);
-}
-
-void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->titlekey, keytext, keylen);
-}
-
-void keyset_parse_ncchkeyX_old(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->ncchkeyX_old, keytext, keylen);
-}
-
-void keyset_parse_ncchfixedsystemkey(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->ncchfixedsystemkey, keytext, keylen);
-}
-
-void keyset_parse_ncchkeyX_seven(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->ncchkeyX_seven, keytext, keylen);
-}
-
-void keyset_parse_ncchkeyX_ninethree(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->ncchkeyX_ninethree, keytext, keylen);
-}
-
-void keyset_parse_ncchkeyX_ninesix(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->ncchkeyX_ninesix, keytext, keylen);
-}
-
-void keyset_parse_seeddb(keyset* keys, char* path)
-{
-	//keyset_parse_key128(&keys->seed, keytext, keylen);
-	FILE* fp = fopen(path, "rb");
-	if (fp == NULL)
-	{
-		printf("[ERROR] Failed to load SeedDB (failed to open file)\n");
-		return;
-	}
-
-	seeddb_header hdr;
-	fread(&hdr, sizeof(seeddb_header), 1, fp);
-
-	keys->seed_num = getle32(hdr.n_entries);
-	for (u32 i = 0; i < 0xC; i++)
-	{
-		if (hdr.padding[i] != 0x00)
-		{
-			printf("[ERROR] SeedDB is corrupt. (padding malformed)\n");
-			return;
-		}
-	}
-	
-	keys->seed_db = (seeddb_entry*)calloc(keys->seed_num, sizeof(seeddb_entry));
-	fread(keys->seed_db, keys->seed_num * sizeof(seeddb_entry), 1, fp);
-}
-
-void keyset_parse_seed_fallback(keyset* keys, char* keytext, int keylen)
-{
-	keyset_parse_key128(&keys->seed_fallback, keytext, keylen);
-}
-
-
-void keyset_dump_rsakey(rsakey2048* key, const char* keytitle)
-{
-	if (key->keytype == RSAKEY_INVALID)
-		return;
-
-
-	fprintf(stdout, "%s\n", keytitle);
-
-	memdump(stdout, "Modulus: ", key->n, 256);
-	memdump(stdout, "Exponent: ", key->e, 3);
-
-	if (key->keytype == RSAKEY_PRIV)
-	{
-		memdump(stdout, "P: ", key->p, 128);
-		memdump(stdout, "Q: ", key->q, 128);
-	}
-	fprintf(stdout, "\n");
-}
-
-void keyset_dump_key128(key128* key, const char* keytitle)
-{
-	if (key->valid)
-	{
-		fprintf(stdout, "%s\n", keytitle);
-		memdump(stdout, "", key->data, 16);
-		fprintf(stdout, "\n");
-	}
-}
-
-void keyset_dump(keyset* keys)
-{
-#define DUMP_KEY(n, s) do {\
-	keyset_dump_key128(&keys->n, (s));\
-} while(0)
-	fprintf(stdout, "Current keyset:          \n");
-	DUMP_KEY(ncchkeyX_old, "NCCH OLD KEYX");
-	DUMP_KEY(ncchkeyX_seven, "NCCH 7.0 KEYX");
-	DUMP_KEY(ncchkeyX_ninethree, "NCCH N9.3 KEYX");
-	DUMP_KEY(ncchkeyX_ninesix, "NCCH N9.6 KEYX");
-	DUMP_KEY(ncchfixedsystemkey, "NCCH FIXEDSYSTEMKEY");
-#undef DUMP_KEY
-
-	keyset_dump_rsakey(&keys->ncsdrsakey, "NCSD RSA KEY");
-	keyset_dump_rsakey(&keys->ncchdescrsakey, "NCCH DESC RSA KEY");
-
-	fprintf(stdout, "\n");
-}
-
diff --git a/ctrtool/keyset.h b/ctrtool/keyset.h
deleted file mode 100644
index 4d9235dd..00000000
--- a/ctrtool/keyset.h
+++ /dev/null
@@ -1,96 +0,0 @@
-#ifndef _KEYSET_H_
-#define _KEYSET_H_
-
-#include "types.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define COMMONKEY_NUM 6
-
-typedef enum
-{
-	KEY_ERR_LEN_MISMATCH,
-	KEY_ERR_INVALID_NODE,
-	KEY_OK
-} keystatus;
-
-typedef enum
-{
-	RSAKEY_INVALID,
-	RSAKEY_PRIV,
-	RSAKEY_PUB
-} rsakeytype;
-
-typedef struct
-{
-	u8 title_id[8];
-	u8 seed[0x10];
-	u8 padding[0x8];
-} seeddb_entry;
-
-typedef struct
-{
-	u8 n_entries[4];
-	u8 padding[0xC];
-} seeddb_header;
-
-
-typedef struct
-{
-	unsigned char n[256];
-	unsigned char e[3];
-	unsigned char d[256];
-	unsigned char p[128];
-	unsigned char q[128];
-	unsigned char dp[128];
-	unsigned char dq[128];
-	unsigned char qp[128];
-	rsakeytype keytype;
-} rsakey2048;
-
-typedef struct
-{
-	unsigned char data[16];
-	int valid;
-} key128;
-
-typedef struct
-{
-	u32 seed_num;
-	seeddb_entry* seed_db;
-
-	key128 commonkey[COMMONKEY_NUM];
-	key128 titlekey;
-	key128 seed_fallback;
-	key128 ncchfixedsystemkey;
-	key128 ncchkeyX_old;
-	key128 ncchkeyX_seven;
-	key128 ncchkeyX_ninethree;
-	key128 ncchkeyX_ninesix;
-	rsakey2048 ncsdrsakey;
-	rsakey2048 ncchrsakey;
-	rsakey2048 ncchdescrsakey;
-	rsakey2048 firmrsakey;
-} keyset;
-
-void keyset_init(keyset* keys, u32 actions);
-int keyset_load(keyset* keys, const char* fname, int verbose);
-void keyset_merge(keyset* keys, keyset* src);
-void keyset_parse_titlekey(keyset* keys, char* keytext, int keylen);
-void keyset_parse_ncchkeyX_old(keyset* keys, char* keytext, int keylen);
-void keyset_parse_ncchfixedsystemkey(keyset* keys, char* keytext, int keylen);
-void keyset_parse_ncchkeyX_seven(keyset* keys, char* keytext, int keylen);
-void keyset_parse_ncchkeyX_ninethree(keyset* keys, char* keytext, int keylen);
-void keyset_parse_ncchkeyX_ninesix(keyset* keys, char* keytext, int keylen);
-void keyset_parse_seeddb(keyset* keys, char* path);
-void keyset_parse_seed_fallback(keyset* keys, char* keytext, int keylen);
-void keyset_dump(keyset* keys);
-
-#ifdef __cplusplus
-}
-#endif
-
-
-#endif // _KEYSET_H_
diff --git a/ctrtool/lzss.c b/ctrtool/lzss.c
deleted file mode 100644
index 1a853a5b..00000000
--- a/ctrtool/lzss.c
+++ /dev/null
@@ -1,195 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include "types.h"
-#include "utils.h"
-#include "lzss.h"
-
-void lzss_init(lzss_context* ctx)
-{
-	memset(ctx, 0, sizeof(lzss_context));
-}
-
-void lzss_set_usersettings(lzss_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void lzss_set_offset(lzss_context* ctx, u32 offset)
-{
-	ctx->offset = offset;
-}
-
-void lzss_set_size(lzss_context* ctx, u32 size)
-{
-	ctx->size = size;
-}
-
-void lzss_set_file(lzss_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-
-void lzss_process(lzss_context* ctx, u32 actions)
-{
-	unsigned int compressedsize;
-	unsigned char* compressedbuffer = 0;
-	unsigned int decompressedsize;
-	unsigned char* decompressedbuffer = 0;
-	FILE* fout = 0;
-
-
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	
-
-	if (actions & ExtractFlag)
-	{
-		
-		filepath* path = settings_get_lzss_path(ctx->usersettings);
-
-		if (path == 0 || path->valid == 0)
-			goto clean;
-
-		fout = fopen(path->pathname, "wb");
-		if (0 == fout)
-		{
-			fprintf(stdout, "Error opening out file %s\n", path->pathname);
-			goto clean;
-		}
-		compressedsize = ctx->size;
-		compressedbuffer = malloc(compressedsize);
-		if (1 != fread(compressedbuffer, compressedsize, 1, ctx->file))
-		{
-			fprintf(stdout, "Error read input file\n");
-			goto clean;
-		}
-
-		decompressedsize = lzss_get_decompressed_size(compressedbuffer, compressedsize);
-		decompressedbuffer = malloc(decompressedsize);
-
-		printf("Compressed: %d\n", compressedsize);
-		printf("Decompressed: %d\n", decompressedsize);
-		
-		if (decompressedbuffer == 0)
-		{
-			fprintf(stdout, "Error allocating memory\n");
-			goto clean;
-		}
-
-		if (0 == lzss_decompress(compressedbuffer, compressedsize, decompressedbuffer, decompressedsize))
-			goto clean;
-
-		printf("Saving decompressed lzss blob to %s...\n", path->pathname);
-		if (decompressedsize != fwrite(decompressedbuffer, 1, decompressedsize, fout))
-		{
-			fprintf(stdout, "Error writing output file\n");
-			goto clean;
-		}
-	}
-
-clean:
-	free(decompressedbuffer);
-	free(compressedbuffer);
-	if (fout)
-		fclose(fout);
-}
-
-
-u32 lzss_get_decompressed_size(u8* compressed, u32 compressedsize)
-{
-	u8* footer = compressed + compressedsize - 8;
-
-	//u32 buffertopandbottom = getle32(footer+0);
-	u32 originalbottom = getle32(footer+4);
-
-	return originalbottom + compressedsize;
-}
-
-int lzss_decompress(u8* compressed, u32 compressedsize, u8* decompressed, u32 decompressedsize)
-{
-	u8* footer = compressed + compressedsize - 8;
-	u32 buffertopandbottom = getle32(footer+0);
-	//u32 originalbottom = getle32(footer+4);
-	u32 i, j;
-	u32 out = decompressedsize;
-	u32 index = compressedsize - ((buffertopandbottom>>24)&0xFF);
-	u32 segmentoffset;
-	u32 segmentsize;
-	u8 control;
-	u32 stopindex = compressedsize - (buffertopandbottom&0xFFFFFF);
-
-	memset(decompressed, 0, decompressedsize);
-	memcpy(decompressed, compressed, compressedsize);
-
-	
-	while(index > stopindex)
-	{
-		control = compressed[--index];
-		
-
-		for(i=0; i<8; i++)
-		{
-			if (index <= stopindex)
-				break;
-
-			if (index <= 0)
-				break;
-
-			if (out <= 0)
-				break;
-
-			if (control & 0x80)
-			{
-				if (index < 2)
-				{
-					fprintf(stderr, "Error, compression out of bounds\n");
-					goto clean;
-				}
-
-				index -= 2;
-
-				segmentoffset = compressed[index] | (compressed[index+1]<<8);
-				segmentsize = ((segmentoffset >> 12)&15)+3;
-				segmentoffset &= 0x0FFF;
-				segmentoffset += 2;
-
-				
-				if (out < segmentsize)
-				{
-					fprintf(stderr, "Error, compression out of bounds\n");
-					goto clean;
-				}
-
-				for(j=0; j<segmentsize; j++)
-				{
-					u8 data;
-					
-					if (out+segmentoffset >= decompressedsize)
-					{
-						fprintf(stderr, "Error, compression out of bounds\n");
-						goto clean;
-					}
-
-					data  = decompressed[out+segmentoffset];
-					decompressed[--out] = data;
-				}
-			}
-			else
-			{
-				if (out < 1)
-				{
-					fprintf(stderr, "Error, compression out of bounds\n");
-					goto clean;
-				}
-				decompressed[--out] = compressed[--index];
-			}
-
-			control <<= 1;
-		}
-	}
-
-	return 1;
-clean:
-	return 0;
-}
diff --git a/ctrtool/lzss.h b/ctrtool/lzss.h
deleted file mode 100644
index 64a5b2fc..00000000
--- a/ctrtool/lzss.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef _LZSS_H_
-#define _LZSS_H_
-
-#include "types.h"
-#include "settings.h"
-
-typedef struct
-{
-	FILE* file;
-	u32 offset;
-	u32 size;
-	settings* usersettings;
-} lzss_context;
-
-void lzss_init(lzss_context* ctx);
-void lzss_process(lzss_context* ctx, u32 actions);
-void lzss_set_offset(lzss_context* ctx, u32 offset);
-void lzss_set_size(lzss_context* ctx, u32 size);
-void lzss_set_file(lzss_context* ctx, FILE* file);
-void lzss_set_usersettings(lzss_context* ctx, settings* usersettings);
-
-u32 lzss_get_decompressed_size(u8* compressed, u32 compressedsize);
-int lzss_decompress(u8* compressed, u32 compressedsize, u8* decompressed, u32 decompressedsize);
-
-
-#endif // _LZSS_H_
diff --git a/ctrtool/main.c b/ctrtool/main.c
deleted file mode 100644
index 1cbc04b8..00000000
--- a/ctrtool/main.c
+++ /dev/null
@@ -1,488 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <getopt.h>
-#include "utils.h"
-#include "ctr.h"
-#include "ncch.h"
-#include "ncsd.h"
-#include "cia.h"
-#include "tmd.h"
-#include "tik.h"
-#include "lzss.h"
-#include "keyset.h"
-#include "exefs.h"
-#include "info.h"
-#include "settings.h"
-#include "firm.h"
-#include "cwav.h"
-#include "romfs.h"
-
-enum cryptotype
-{
-	Plain,
-	CTR,
-	CBC
-};
-
-
-typedef struct
-{
-	int actions;
-	u32 filetype;
-	FILE* infile;
-	u64 infilesize;
-	settings usersettings;
-} toolcontext;
-
-static void usage(const char *argv0)
-{
-	fprintf(stderr,
-		   "CTRTOOL v0.7 (c) neimod, 3DSGuy.\n"
-		   "Built: %s %s\n"
-           "\n"
-		   "Usage: %s [options...] <file>\n"
-           "Options:\n"
-           "  -i, --info         Show file info.\n"
-		   "                          This is the default action.\n"
-           "  -x, --extract      Extract data from file.\n"
-		   "                          This is also the default action.\n"
-		   "  -p, --plain        Extract data without decrypting.\n"
-		   "  -r, --raw          Keep raw data, don't unpack.\n"
-		   "  -k, --keyset=file  Specify keyset file.\n"
-		   "  -v, --verbose      Give verbose output.\n"
-		   "  -y, --verify       Verify hashes and signatures.\n"
-		   "  -d, --dev          Decrypt with development keys instead of retail.\n"
-		   "  --unitsize=size    Set media unit size (default 0x200).\n"
-//		   "  --commonkey=key    Set common key.\n"
-		   "  --titlekey=key     Set tik title key.\n"
-//		   "  --ncchkey=key      Set ncch key.\n"
-//		   "  --ncchsyskey=key   Set ncch fixed system key.\n"
-		   "  --seeddb=file      Set seeddb for ncch seed crypto.\n"
-		   "  --seed=key         Set specific seed for ncch seed crypto.\n"
-		   "  --showkeys         Show the keys being used.\n"
-		   "  --showsyscalls     Show system call names instead of numbers.\n"
-		   "  -t, --intype=type	 Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
-		   "                        firm, cwav, exefs, romfs]\n"
-		   "LZSS options:\n"
-		   "  --lzssout=file	 Specify lzss output file\n"
-		   "CXI/CCI options:\n"
-		   "  -n, --ncch=index   Specify NCCH partition index.\n"
-		   "  --exheader=file    Specify Extended Header file path.\n"
-		   "  --logo=file        Specify Logo file path.\n"
-		   "  --plainrgn=file    Specify Plain region file path\n"
-		   "  --exefs=file       Specify ExeFS file path.\n"
-		   "  --exefsdir=dir     Specify ExeFS directory path.\n"
-		   "  --romfs=file       Specify RomFS file path.\n"
-		   "  --romfsdir=dir     Specify RomFS directory path.\n"
-		   "  --listromfs        List files in RomFS.\n" 
-		   "CIA options:\n"
-		   "  --certs=file       Specify Certificate chain file path.\n"
-		   "  --tik=file         Specify Ticket file path.\n"
-		   "  --tmd=file         Specify TMD file path.\n"
-		   "  --contents=file    Specify Contents file path.\n"
-		   "  --meta=file        Specify Meta file path.\n"
-		   "FIRM options:\n"
-		   "  --firmdir=dir      Specify Firm directory path.\n"
-		   "CWAV options:\n"
-		   "  --wav=file         Specify wav output file.\n"
-		   "  --wavloops=count   Specify wav loop count, default 0.\n"
-		   "EXEFS options:\n"
-		   "  --decompresscode   Decompress .code section\n"
-		   "                     (only needed when using raw EXEFS file)\n"
-           "\n",
-		   __TIME__, __DATE__, argv0);
-   exit(1);
-}
-
-
-int main(int argc, char* argv[])
-{
-	toolcontext ctx;
-	u8 magic[4];
-	char infname[512];
-	int c;
-	u32 ncchindex = 0;
-	char keysetfname[512] = "keys.xml";
-	keyset tmpkeys;
-	unsigned int checkkeysetfile = 0;
-
-	memset(&ctx, 0, sizeof(toolcontext));
-	ctx.actions = InfoFlag | ExtractFlag;
-	ctx.filetype = FILETYPE_UNKNOWN;
-
-	settings_init(&ctx.usersettings);
-	keyset_init(&tmpkeys, 0);
-
-
-	while (1) 
-	{
-		int option_index;
-		static struct option long_options[] = 
-		{
-			{"extract", 0, NULL, 'x'},
-			{"plain", 0, NULL, 'p'},
-			{"info", 0, NULL, 'i'},
-			{"exefs", 1, NULL, 0},
-			{"romfs", 1, NULL, 1},
-			{"exheader", 1, NULL, 2},
-			{"certs", 1, NULL, 3},
-			{"tik", 1, NULL, 4},
-			{"tmd", 1, NULL, 5},
-			{"contents", 1, NULL, 6},
-			{"meta", 1, NULL, 7},
-			{"exefsdir", 1, NULL, 8},
-			{"keyset", 1, NULL, 'k'},
-			{"ncch", 1, NULL, 'n'},
-			{"verbose", 0, NULL, 'v'},
-			{"verify", 0, NULL, 'y'},
-			{"raw", 0, NULL, 'r'},
-			{"unitsize", 1, NULL, 9},
-			{"showkeys", 0, NULL, 10},
-			//{"commonkeyx", 1, NULL, 11},
-			//{"ncchkeyxold", 1, NULL, 12},
-			{"intype", 1, NULL, 't'},
-			{"lzssout", 1, NULL, 13},
-			{"firmdir", 1, NULL, 14},
-			{"ncchsyskey", 1, NULL, 15},
-			{"wav", 1, NULL, 16},
-			{"romfsdir", 1, NULL, 17},
-			{"listromfs", 0, NULL, 18},
-			{"wavloops", 1, NULL, 19},
-			{"logo", 1, NULL, 20},
-			{"decompresscode", 0, NULL, 21},
-			{"titlekey", 1, NULL, 22},
-			{"plainrgn", 1, NULL, 23},
-			{"showsyscalls", 0, NULL, 24},
-			//{"ncchkeyxseven", 1, NULL, 25},
-			//{"ncchkeyxninethree", 1, NULL, 26},
-			//{"ncchkeyxninesix", 1, NULL, 27},
-			{"seeddb", 1, NULL, 28},
-			{"seed", 1, NULL, 29 },
-			{NULL},
-		};
-
-		c = getopt_long(argc, argv, "dryxivpk:n:t:", long_options, &option_index);
-		if (c == -1)
-			break;
-
-		switch (c) 
-		{
-			case 'x':
-				ctx.actions |= ExtractFlag;
-			break;
-
-			case 'v':
-				ctx.actions |= VerboseFlag;
-			break;
-
-			case 'y':
-				ctx.actions |= VerifyFlag;
-			break;
-
-			case 'd':
-				ctx.actions |= DevFlag;
-			break;
-
-			case 'p':
-				ctx.actions |= PlainFlag;
-			break;
-
-			case 'r':
-				ctx.actions |= RawFlag;
-			break;
-
-			case 'i':
-				ctx.actions |= InfoFlag;
-			break;
-
-			case 'n':
-				ncchindex = strtoul(optarg, 0, 0);
-			break;
-
-			case 'k':
-				strncpy(keysetfname, optarg, sizeof(keysetfname));
-				checkkeysetfile = 1;
-			break;
-
-			case 't':
-				if (!strcmp(optarg, "exheader"))
-					ctx.filetype = FILETYPE_EXHEADER;
-				else if (!strcmp(optarg, "ncch"))
-					ctx.filetype = FILETYPE_CXI;
-				else if (!strcmp(optarg, "ncsd"))
-					ctx.filetype = FILETYPE_CCI;
-				else if (!strcmp(optarg, "cia"))
-					ctx.filetype = FILETYPE_CIA;
-				else if (!strcmp(optarg, "tmd"))
-					ctx.filetype = FILETYPE_TMD;
-				else if (!strcmp(optarg, "lzss"))
-					ctx.filetype = FILETYPE_LZSS;
-				else if (!strcmp(optarg, "firm"))
-					ctx.filetype = FILETYPE_FIRM;
-				else if (!strcmp(optarg, "cwav"))
-					ctx.filetype = FILETYPE_CWAV;
-				else if (!strcmp(optarg, "exefs"))
-					ctx.filetype = FILETYPE_EXEFS;
-				else if (!strcmp(optarg, "romfs"))
-					ctx.filetype = FILETYPE_ROMFS;
-			break;
-
-			case 0: settings_set_exefs_path(&ctx.usersettings, optarg); break;
-			case 1: settings_set_romfs_path(&ctx.usersettings, optarg); break;
-			case 2: settings_set_exheader_path(&ctx.usersettings, optarg); break;
-			case 3: settings_set_certs_path(&ctx.usersettings, optarg); break;
-			case 4: settings_set_tik_path(&ctx.usersettings, optarg); break;
-			case 5: settings_set_tmd_path(&ctx.usersettings, optarg); break;
-			case 6: settings_set_content_path(&ctx.usersettings, optarg); break;
-			case 7: settings_set_meta_path(&ctx.usersettings, optarg); break;
-			case 8: settings_set_exefs_dir_path(&ctx.usersettings, optarg); break;
-			case 9: settings_set_mediaunit_size(&ctx.usersettings, strtoul(optarg, 0, 0)); break;
-			case 10: ctx.actions |= ShowKeysFlag; break;
-			//case 11: keyset_parse_commonkeyX(&tmpkeys, optarg, strlen(optarg)); break;
-			//case 12: keyset_parse_ncchkeyX_old(&tmpkeys, optarg, strlen(optarg)); break;
-			case 13: settings_set_lzss_path(&ctx.usersettings, optarg); break;
-			case 14: settings_set_firm_dir_path(&ctx.usersettings, optarg); break;
-			//case 15: keyset_parse_ncchfixedsystemkey(&tmpkeys, optarg, strlen(optarg)); break;
-			case 16: settings_set_wav_path(&ctx.usersettings, optarg); break;
-			case 17: settings_set_romfs_dir_path(&ctx.usersettings, optarg); break;
-			case 18: settings_set_list_romfs_files(&ctx.usersettings, 1); break;
-			case 19: settings_set_cwav_loopcount(&ctx.usersettings, strtoul(optarg, 0, 0)); break;
-			case 20: settings_set_logo_path(&ctx.usersettings, optarg); break;
-			case 21: ctx.actions |= DecompressCodeFlag; break;
-			case 22: keyset_parse_titlekey(&tmpkeys, optarg, strlen(optarg)); break;
-			case 23: settings_set_plainrgn_path(&ctx.usersettings, optarg); break;
-			case 24: ctx.actions |= ShowSyscallsFlag; break;
-			//case 25: keyset_parse_ncchkeyX_seven(&tmpkeys, optarg, strlen(optarg)); break;
-			//case 26: keyset_parse_ncchkeyX_ninethree(&tmpkeys, optarg, strlen(optarg)); break;
-			//case 27: keyset_parse_ncchkeyX_ninesix(&tmpkeys, optarg, strlen(optarg)); break;
-			case 28: keyset_parse_seeddb(&tmpkeys, optarg); break;
-			case 29: keyset_parse_seed_fallback(&tmpkeys, optarg, strlen(optarg)); break;
-
-			default:
-				usage(argv[0]);
-		}
-	}
-
-	if (optind == argc - 1) 
-	{
-		// Exactly one extra argument - an input file
-		strncpy(infname, argv[optind], sizeof(infname));
-	} 
-	else if ( (optind < argc) || (argc == 1) )
-	{
-		// Too many extra args
-		usage(argv[0]);
-	}
-
-	keyset_init(&ctx.usersettings.keys, ctx.actions);
-	keyset_load(&ctx.usersettings.keys, keysetfname, (ctx.actions & VerboseFlag) | checkkeysetfile);
-	keyset_merge(&ctx.usersettings.keys, &tmpkeys);
-	if (ctx.actions & ShowKeysFlag)
-		keyset_dump(&ctx.usersettings.keys);
-
-	ctx.infilesize = _fsize(infname);
-	ctx.infile = fopen(infname, "rb");
-
-	if (ctx.infile == 0) 
-	{
-		fprintf(stderr, "error: could not open input file!\n");
-		return -1;
-	}
-
-	if (ctx.filetype == FILETYPE_UNKNOWN)
-	{
-		fseeko64(ctx.infile, 0x100, SEEK_SET);
-		fread(&magic, 1, 4, ctx.infile);
-
-		switch(getle32(magic))
-		{
-			case MAGIC_NCCH:
-				ctx.filetype = FILETYPE_CXI;
-			break;
-
-			case MAGIC_NCSD:
-				ctx.filetype = FILETYPE_CCI;
-			break;
-
-			default:
-			break;
-		}
-	}
-
-	if (ctx.filetype == FILETYPE_UNKNOWN)
-	{
-		fseeko64(ctx.infile, 0, SEEK_SET);
-		fread(magic, 1, 4, ctx.infile);
-		
-		switch(getle32(magic))
-		{
-			case 0x2020:
-				ctx.filetype = FILETYPE_CIA;
-			break;
-
-			case MAGIC_FIRM:
-				ctx.filetype = FILETYPE_FIRM;
-			break;
-
-			case MAGIC_CWAV:
-				ctx.filetype = FILETYPE_CWAV;
-			break;
-
-			case MAGIC_IVFC:
-				ctx.filetype = FILETYPE_ROMFS; // TODO: need to determine more here.. savegames use IVFC too, but is not ROMFS.
-			break;
-		}
-	}
-
-	if (ctx.filetype == FILETYPE_UNKNOWN)
-	{
-		fprintf(stdout, "Unknown file\n");
-		exit(1);
-	}
-
-
-	switch(ctx.filetype)
-	{
-		case FILETYPE_CCI:
-		{
-			ncsd_context ncsdctx;
-
-			ncsd_init(&ncsdctx);
-			ncsd_set_file(&ncsdctx, ctx.infile);
-			ncsd_set_size(&ncsdctx, ctx.infilesize);
-			ncsd_set_ncch_index(&ncsdctx, ncchindex);
-			ncsd_set_usersettings(&ncsdctx, &ctx.usersettings);
-			ncsd_process(&ncsdctx, ctx.actions);
-			
-			break;			
-		}
-
-		case FILETYPE_FIRM:
-		{
-			firm_context firmctx;
-
-			firm_init(&firmctx);
-			firm_set_file(&firmctx, ctx.infile);
-			firm_set_size(&firmctx, (u32) ctx.infilesize);
-			firm_set_usersettings(&firmctx, &ctx.usersettings);
-			firm_process(&firmctx, ctx.actions);
-			
-			break;			
-		}
-		
-		case FILETYPE_CXI:
-		{
-			ncch_context ncchctx;
-
-			ncch_init(&ncchctx);
-			ncch_set_file(&ncchctx, ctx.infile);
-			ncch_set_size(&ncchctx, ctx.infilesize);
-			ncch_set_usersettings(&ncchctx, &ctx.usersettings);
-			ncch_process(&ncchctx, ctx.actions);
-
-			break;
-		}
-		
-
-		case FILETYPE_CIA:
-		{
-			cia_context ciactx;
-
-			cia_init(&ciactx);
-			cia_set_file(&ciactx, ctx.infile);
-			cia_set_size(&ciactx, ctx.infilesize);
-			cia_set_usersettings(&ciactx, &ctx.usersettings);
-			cia_process(&ciactx, ctx.actions);
-
-			break;
-		}
-
-		case FILETYPE_EXHEADER:
-		{
-			exheader_context exheaderctx;
-
-			exheader_init(&exheaderctx);
-			exheader_set_file(&exheaderctx, ctx.infile);
-			exheader_set_size(&exheaderctx, ctx.infilesize);
-			settings_set_ignore_programid(&ctx.usersettings, 1);
-
-			exheader_set_usersettings(&exheaderctx, &ctx.usersettings);
-			exheader_process(&exheaderctx, ctx.actions);
-	
-			break;
-		}
-
-		case FILETYPE_TMD:
-		{
-			tmd_context tmdctx;
-
-			tmd_init(&tmdctx);
-			tmd_set_file(&tmdctx, ctx.infile);
-			tmd_set_size(&tmdctx, (u32) ctx.infilesize);
-			tmd_set_usersettings(&tmdctx, &ctx.usersettings);
-			tmd_process(&tmdctx, ctx.actions);
-	
-			break;
-		}
-
-		case FILETYPE_LZSS:
-		{
-			lzss_context lzssctx;
-
-			lzss_init(&lzssctx);
-			lzss_set_file(&lzssctx, ctx.infile);
-			lzss_set_size(&lzssctx, (u32) ctx.infilesize);
-			lzss_set_usersettings(&lzssctx, &ctx.usersettings);
-			lzss_process(&lzssctx, ctx.actions);
-	
-			break;
-		}
-
-
-		case FILETYPE_CWAV:
-		{
-			cwav_context cwavctx;
-
-			cwav_init(&cwavctx);
-			cwav_set_file(&cwavctx, ctx.infile);
-			cwav_set_size(&cwavctx, ctx.infilesize);
-			cwav_set_usersettings(&cwavctx, &ctx.usersettings);
-			cwav_process(&cwavctx, ctx.actions);
-	
-			break;
-		}
-		
-		case FILETYPE_EXEFS:
-		{
-			exefs_context exefsctx;
-
-			exefs_init(&exefsctx);
-			exefs_set_file(&exefsctx, ctx.infile);
-			exefs_set_size(&exefsctx, ctx.infilesize);
-			exefs_set_usersettings(&exefsctx, &ctx.usersettings);
-			exefs_process(&exefsctx, ctx.actions);
-	
-			break;
-		}
-
-		case FILETYPE_ROMFS:
-		{
-			romfs_context romfsctx;
-
-			romfs_init(&romfsctx);
-			romfs_set_file(&romfsctx, ctx.infile);
-			romfs_set_size(&romfsctx, ctx.infilesize);
-			romfs_set_usersettings(&romfsctx, &ctx.usersettings);
-			romfs_set_encrypted(&romfsctx, 0);
-			romfs_process(&romfsctx, ctx.actions);
-	
-			break;
-		}
-	}
-	
-	if (ctx.infile)
-		fclose(ctx.infile);
-
-	return 0;
-}
diff --git a/ctrtool/ncch.c b/ctrtool/ncch.c
deleted file mode 100644
index a5516dd8..00000000
--- a/ctrtool/ncch.c
+++ /dev/null
@@ -1,880 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include "types.h"
-#include "ncch.h"
-#include "utils.h"
-#include "ctr.h"
-#include "settings.h"
-#include "aes_keygen.h"
-#include <inttypes.h>
-
-static int programid_is_system(u8 programid[8])
-{
-	u32 hiprogramid = getle32(programid+4);
-	
-	if ( ((hiprogramid >> 14) == 0x10) && (hiprogramid & 0x10) )
-		return 1;
-	else
-		return 0;
-}
-
-
-void ncch_init(ncch_context* ctx)
-{
-	memset(ctx, 0, sizeof(ncch_context));
-	exefs_init(&ctx->exefs);
-}
-
-void ncch_set_usersettings(ncch_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void ncch_set_offset(ncch_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void ncch_set_size(ncch_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-void ncch_set_file(ncch_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type)
-{
-	u32 version = getle16(ctx->header.version);
-	u32 mediaunitsize = (u32) ncch_get_mediaunit_size(ctx);
-	u8* titleid = ctx->header.titleid;
-	u32 i;
-	u64 x = 0;
-
-	memset(counter, 0, 16);
-
-	if (version == 2 || version == 0)
-	{
-		for(i=0; i<8; i++)
-			counter[i] = titleid[7-i];
-		counter[8] = type;
-	}
-	else if (version == 1)
-	{
-		if (type == NCCHTYPE_EXHEADER)
-			x = 0x200;
-		else if (type == NCCHTYPE_EXEFS)
-			x = getle32(ctx->header.exefsoffset) * mediaunitsize;
-		else if (type == NCCHTYPE_ROMFS)
-			x = getle32(ctx->header.romfsoffset) * mediaunitsize;
-
-		for(i=0; i<8; i++)
-			counter[i] = titleid[i];
-		for(i=0; i<4; i++)
-			counter[12+i] = (u8) (x>>((3-i)*8));
-	}
-}
-
-
-/* this is broken */
-int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags)
-{
-	u64 offset = 0;
-	u64 size = 0;
-	u8 counter[16];
-
-
-	switch(type)
-	{	
-		case NCCHTYPE_EXEFS:
-		{
-			offset = ncch_get_exefs_offset(ctx);
-			size = ncch_get_exefs_size(ctx);
-			ctr_init_key(&ctx->aes, ctx->key[0]);
-		}
-		break;
-
-		case NCCHTYPE_ROMFS:
-		{
-			offset = ncch_get_romfs_offset(ctx);
-			size = ncch_get_romfs_size(ctx);
-			ctr_init_key(&ctx->aes, ctx->key[1]);
-		}
-		break;
-
-		case NCCHTYPE_EXHEADER:
-		{
-			offset = ncch_get_exheader_offset(ctx);
-			size = ncch_get_exheader_size(ctx) * 2;
-			ctr_init_key(&ctx->aes, ctx->key[0]);
-		}
-		break;
-	
-		case NCCHTYPE_LOGO:
-		{
-			offset = ncch_get_logo_offset(ctx);
-			size = ncch_get_logo_size(ctx);
-		}
-		break;
-
-		case NCCHTYPE_PLAINRGN:
-		{
-			offset = ncch_get_plainrgn_offset(ctx);
-			size = ncch_get_plainrgn_size(ctx);
-		}
-		break;
-
-		default:
-		{
-			fprintf(stderr, "Error invalid NCCH type\n");
-			goto clean;
-		}
-		break;
-	}
-
-	ctx->extractsize = size;
-	ctx->extractflags = flags;
-	fseeko64(ctx->file, offset, SEEK_SET);
-	ncch_get_counter(ctx, counter, type);
-	
-	ctr_init_counter(&ctx->aes, counter);
-
-	return 1;
-
-clean:
-	return 0;
-}
-
-int ncch_extract_buffer(ncch_context* ctx, u8* buffer, u32 buffersize, u32* outsize, u8 nocrypto)
-{
-	u32 read_len = buffersize;
-
-	if (read_len > ctx->extractsize)
-		read_len = (u32) ctx->extractsize;
-
-	*outsize = read_len;
-
-	if (ctx->extractsize)
-	{
-		if (read_len != fread(buffer, 1, read_len, ctx->file))
-		{
-			fprintf(stdout, "Error reading input file\n");
-			goto clean;
-		}
-
-		if (ctx->encrypted && !nocrypto)
-			ctr_crypt_counter(&ctx->aes, buffer, buffer, read_len);
-
-		ctx->extractsize -= read_len;
-	}
-
-	return 1;
-
-clean:
-	return 0;
-}
-
-void ncch_save(ncch_context* ctx, u32 type, u32 flags)
-{
-	FILE* fout = 0;
-	filepath* path = 0;
-	u8 buffer[16*1024];
-	exefs_header exefs_hdr;
-
-
-	if (0 == ncch_extract_prepare(ctx, type, flags))
-		goto clean;
-
-	switch(type)
-	{	
-		case NCCHTYPE_EXEFS: path = settings_get_exefs_path(ctx->usersettings); break;
-		case NCCHTYPE_ROMFS: path = settings_get_romfs_path(ctx->usersettings); break;
-		case NCCHTYPE_EXHEADER: path = settings_get_exheader_path(ctx->usersettings); break;
-		case NCCHTYPE_LOGO: path = settings_get_logo_path(ctx->usersettings); break;
-		case NCCHTYPE_PLAINRGN: path = settings_get_plainrgn_path(ctx->usersettings); break;
-	}
-
-	if (path == 0 || path->valid == 0)
-		goto clean;
-
-	fout = fopen(path->pathname, "wb");
-	if (0 == fout)
-	{
-		fprintf(stdout, "Error opening out file %s\n", path->pathname);
-		goto clean;
-	}
-
-	switch(type)
-	{
-		case NCCHTYPE_EXEFS: fprintf(stdout, "Saving ExeFS...\n"); break;
-		case NCCHTYPE_ROMFS: fprintf(stdout, "Saving RomFS...\n"); break;
-		case NCCHTYPE_EXHEADER: fprintf(stdout, "Saving Extended Header...\n"); break;
-		case NCCHTYPE_LOGO: fprintf(stdout, "Saving Logo...\n"); break;
-		case NCCHTYPE_PLAINRGN: fprintf(stdout, "Saving Plain Region...\n"); break;
-	}
-
-	// special crypto considerations for exefs when two keys are used
-	if (type == NCCHTYPE_EXEFS && ctx->header.flags[3] > 0 && ctx->encrypted)
-	{
-		u32 read_len;
-
-		// read header
-		if (0 == ncch_extract_buffer(ctx, (u8*)&exefs_hdr, sizeof(exefs_hdr), &read_len, 0))
-			goto clean;
-
-		if (read_len != fwrite(&exefs_hdr, 1, read_len, fout))
-		{
-			fprintf(stdout, "Error writing output file\n");
-			goto clean;
-		}
-
-		for (int i = 0; i < 8; i++)
-		{
-			
-			// get section size
-			u32 section_size = getle32(exefs_hdr.section[i].size);
-			u32 section_padding = align(section_size, 0x200)-section_size;
-
-			// skip empty sections
-			if (section_size == 0)
-				continue;
-
-			// select correct key
-			if (strncmp((char*)exefs_hdr.section[i].name, "icon", 8) == 0 || strncmp((char*)exefs_hdr.section[i].name, "banner", 8) == 0)
-				ctr_init_key(&ctx->aes, ctx->key[0]);
-			else
-				ctr_init_key(&ctx->aes, ctx->key[1]);
-
-			// set counter
-			u8 ctr[16];
-			ncch_get_counter(ctx, ctr, NCCHTYPE_EXEFS);
-			ctr_init_counter(&ctx->aes, ctr);
-			ctr_add_counter(&ctx->aes, (getle32(exefs_hdr.section[i].offset) + sizeof(exefs_header)) / 0x10);
-
-			// extract data
-			while (section_size > 0)
-			{
-				read_len = sizeof(buffer);
-				if (read_len > section_size)
-					read_len = section_size;
-
-
-				if (read_len != fread(buffer, 1, read_len, ctx->file))
-				{
-					fprintf(stdout, "Error reading input file\n");
-					goto clean;
-				}
-
-				ctr_crypt_counter(&ctx->aes, buffer, buffer, read_len);
-
-				if (read_len != fwrite(buffer, 1, read_len, fout))
-				{
-					fprintf(stdout, "Error writing output file\n");
-					goto clean;
-				}
-
-
-				section_size -= read_len;
-			}
-
-			// skip the padding
-			if (section_padding)
-			{
-				fseeko64(ctx->file, section_padding, SEEK_CUR);
-				memset(buffer, 0, section_padding);
-				if (section_padding != fwrite(buffer, 1, section_padding, fout))
-				{
-					fprintf(stdout, "Error writing output file\n");
-					goto clean;
-				}
-
-			}
-
-			ctx->extractsize -= section_size + section_padding;
-		}
-	}
-	else
-	{
-		while (1)
-		{
-			u32 read_len;
-
-			if (0 == ncch_extract_buffer(ctx, buffer, sizeof(buffer), &read_len, (type == NCCHTYPE_LOGO || type == NCCHTYPE_PLAINRGN)))
-				goto clean;
-
-			if (read_len == 0)
-				break;
-
-			if (read_len != fwrite(buffer, 1, read_len, fout))
-			{
-				fprintf(stdout, "Error writing output file\n");
-				goto clean;
-			}
-		}
-	}
-	
-clean:
-	if (fout)
-		fclose(fout);
-	return;
-}
-
-void ncch_verify(ncch_context* ctx, u32 flags)
-{
-	u32 mediaunitsize = (u32) ncch_get_mediaunit_size(ctx);
-	u32 exefshashregionsize = getle32(ctx->header.exefshashregionsize) * mediaunitsize;
-	u32 romfshashregionsize = getle32(ctx->header.romfshashregionsize) * mediaunitsize;
-	u32 exheaderhashregionsize = getle32(ctx->header.extendedheadersize);
-	u32 logohashregionsize = getle32(ctx->header.logosize) * mediaunitsize;
-	u8* exefshashregion = 0;
-	u8* romfshashregion = 0;
-	u8* exheaderhashregion = 0;
-	u8* logohashregion = 0;
-	u8* tmphash = 0;
-	rsakey2048 ncchrsakey;
-
-	if (exefshashregionsize >= SIZE_128MB || romfshashregionsize >= SIZE_128MB || exheaderhashregionsize >= SIZE_128MB || logohashregionsize >= SIZE_128MB)
-		goto clean;
-
-	exefshashregion = malloc(exefshashregionsize);
-	romfshashregion = malloc(romfshashregionsize);
-	exheaderhashregion = malloc(exheaderhashregionsize);
-	logohashregion = malloc(logohashregionsize);
-
-
-	if (ctx->usersettings)
-	{
-		if ( (ctx->header.flags[5] & 3) == 1)
-			ctx->headersigcheck = ncch_signature_verify(ctx, &ctx->usersettings->keys.ncchrsakey);
-		else 
-		{
-			ctr_rsa_init_key_pubmodulus(&ncchrsakey, ctx->exheader.header.accessdesc.ncchpubkeymodulus);
-			ctx->headersigcheck =  ncch_signature_verify(ctx, &ncchrsakey);
-		}
-	}
-
-	if (exefshashregionsize)
-	{
-		if (0 == ncch_extract_prepare(ctx, NCCHTYPE_EXEFS, flags))
-			goto clean;
-		if (0 == ncch_extract_buffer(ctx, exefshashregion, exefshashregionsize, &exefshashregionsize,0))
-			goto clean;
-		ctx->exefshashcheck = ctr_sha_256_verify(exefshashregion, exefshashregionsize, ctx->header.exefssuperblockhash);
-	}
-	if (romfshashregionsize)
-	{
-		if (0 == ncch_extract_prepare(ctx, NCCHTYPE_ROMFS, flags))
-			goto clean;
-		if (0 == ncch_extract_buffer(ctx, romfshashregion, romfshashregionsize, &romfshashregionsize,0))
-			goto clean;
-		ctx->romfshashcheck = ctr_sha_256_verify(romfshashregion, romfshashregionsize, ctx->header.romfssuperblockhash);
-	}
-	if (exheaderhashregionsize)
-	{
-		if (0 == ncch_extract_prepare(ctx, NCCHTYPE_EXHEADER, flags))
-			goto clean;
-		if (0 == ncch_extract_buffer(ctx, exheaderhashregion, exheaderhashregionsize, &exheaderhashregionsize,0))
-			goto clean;
-		ctx->exheaderhashcheck = ctr_sha_256_verify(exheaderhashregion, exheaderhashregionsize, ctx->header.extendedheaderhash);
-	}
-	if (logohashregionsize)
-	{
-		if (0 == ncch_extract_prepare(ctx, NCCHTYPE_LOGO, flags))
-			goto clean;
-		if (0 == ncch_extract_buffer(ctx, logohashregion, logohashregionsize, &logohashregionsize,1))
-			goto clean;
-		ctx->logohashcheck = ctr_sha_256_verify(logohashregion, logohashregionsize, ctx->header.logohash);
-	}
-
-
-	free(exefshashregion);
-	free(romfshashregion);
-	free(exheaderhashregion);
-	free(logohashregion);
-clean:
-	return;
-}
-
-
-void ncch_process(ncch_context* ctx, u32 actions)
-{
-	u8 exheadercounter[16];
-	u8 exefscounter[16];
-	u8 romfscounter[16];
-	int result = 1;
-
-
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread(&ctx->header, 1, 0x200, ctx->file);
-
-	if (getle32(ctx->header.magic) != MAGIC_NCCH)
-	{
-		fprintf(stdout, "Error, NCCH segment corrupted\n");
-		return;
-	}
-
-	const u32 exheaderSize = getle32(ctx->header.extendedheadersize);
-	if (exheaderSize != 0x400 && exheaderSize != 0)
-	{
-		fprintf(stdout, "Error, exheader is 0x%02x bytes long, expected 0x400 or 0\n", getle32(ctx->header.extendedheadersize));
-		return;
-	}
-
-	ncch_determine_key(ctx, actions);
-
-	ncch_get_counter(ctx, exheadercounter, NCCHTYPE_EXHEADER);
-	ncch_get_counter(ctx, exefscounter, NCCHTYPE_EXEFS);
-	ncch_get_counter(ctx, romfscounter, NCCHTYPE_ROMFS);
-
-	if (actions & ShowKeysFlag)
-	{
-		fprintf(stdout, "Counter(s):\n");
-		memdump(stdout, "  exheader: ", exheadercounter, 0x10);
-		memdump(stdout, "  ExeFS: ", exefscounter, 0x10);
-		memdump(stdout, "  RomFS: ", romfscounter, 0x10);
-	}
-
-
-	exheader_set_file(&ctx->exheader, ctx->file);
-	exheader_set_offset(&ctx->exheader, ncch_get_exheader_offset(ctx) );
-	exheader_set_size(&ctx->exheader, ncch_get_exheader_size(ctx) );
-	exheader_set_usersettings(&ctx->exheader, ctx->usersettings);
-	exheader_set_titleid(&ctx->exheader, ctx->header.titleid);
-	exheader_set_programid(&ctx->exheader, ctx->header.programid);
-	exheader_set_hash(&ctx->exheader, ctx->header.extendedheaderhash);
-	exheader_set_counter(&ctx->exheader, exheadercounter);
-	exheader_set_key(&ctx->exheader, ctx->key[0]);
-	exheader_set_encrypted(&ctx->exheader, ctx->encrypted);
-
-	exefs_set_file(&ctx->exefs, ctx->file);
-	exefs_set_offset(&ctx->exefs, ncch_get_exefs_offset(ctx) );
-	exefs_set_size(&ctx->exefs, ncch_get_exefs_size(ctx) );
-	exefs_set_titleid(&ctx->exefs, ctx->header.titleid);
-	exefs_set_usersettings(&ctx->exefs, ctx->usersettings);
-	exefs_set_counter(&ctx->exefs, exefscounter);
-	exefs_set_keys(&ctx->exefs, ctx->key[0], ctx->key[1]);
-	exefs_set_encrypted(&ctx->exefs, ctx->encrypted);
-
-	romfs_set_file(&ctx->romfs, ctx->file);
-	romfs_set_offset(&ctx->romfs, ncch_get_romfs_offset(ctx));
-	romfs_set_size(&ctx->romfs, ncch_get_romfs_size(ctx));
-	romfs_set_usersettings(&ctx->romfs, ctx->usersettings);
-	romfs_set_counter(&ctx->romfs, romfscounter);
-	romfs_set_key(&ctx->romfs, ctx->key[1]);
-	romfs_set_encrypted(&ctx->romfs, ctx->encrypted);
-
-	exheader_read(&ctx->exheader, actions);
-
-
-	if (actions & VerifyFlag)
-		ncch_verify(ctx, actions);
-
-	if (actions & InfoFlag)
-		ncch_print(ctx);		
-
-	if (ctx->encrypted == NCCHCRYPTO_BROKEN)
-	{
-		fprintf(stderr, "Error, NCCH encryption broken.\n");
-		return;
-	}
-
-	if ((actions & ShowKeysFlag) && ctx->encrypted)
-	{
-		fprintf(stdout, "Using key(s):\n");
-		if (ctx->encrypted == NCCHCRYPTO_FIXED)
-		{
-			memdump(stdout, "  Key:  ", ctx->key[0], 0x10);
-		}
-		else
-		{
-			memdump(stdout, "  0x2C: ", ctx->key[0], 0x10);
-			if (memcmp(ctx->key[0], ctx->key[1], 0x10) != 0)
-			{
-				fprintf(stdout, "  special (%02x): ", ctx->header.flags[3]);
-				memdump(stdout, "", ctx->key[1], 0x10);
-			}
-		}
-	}
-
-	if (actions & ExtractFlag)
-	{
-		ncch_save(ctx, NCCHTYPE_EXEFS, actions);
-		ncch_save(ctx, NCCHTYPE_ROMFS, actions);
-		ncch_save(ctx, NCCHTYPE_EXHEADER, actions);
-		ncch_save(ctx, NCCHTYPE_LOGO, actions);
-		ncch_save(ctx, NCCHTYPE_PLAINRGN, actions);
-	}
-
-
-	if (result && ncch_get_exheader_size(ctx))
-	{
-		if (!exheader_hash_valid(&ctx->exheader))
-			return;
-
-		result = exheader_process(&ctx->exheader, actions);
-	} 
-
-	if (result && ncch_get_exefs_size(ctx))
-	{
-		if(ncch_get_exheader_size(ctx))
-			exefs_set_compressedflag(&ctx->exefs, exheader_get_compressedflag(&ctx->exheader));
-		exefs_process(&ctx->exefs, actions);
-	}
-
-	if (result && ncch_get_romfs_size(ctx))
-	{
-		romfs_process(&ctx->romfs, actions);
-	}
-}
-
-int ncch_signature_verify(ncch_context* ctx, rsakey2048* key)
-{
-	u8 hash[0x20];
-
-	ctr_sha_256(ctx->header.magic, 0x100, hash);
-	return ctr_rsa_verify_hash(ctx->header.signature, hash, key);
-}
-
-
-u64 ncch_get_exefs_offset(ncch_context* ctx)
-{
-	return ctx->offset + getle32(ctx->header.exefsoffset) * ncch_get_mediaunit_size(ctx);
-}
-
-u64 ncch_get_exefs_size(ncch_context* ctx)
-{
-	return getle32(ctx->header.exefssize) * ncch_get_mediaunit_size(ctx);
-}
-
-u64 ncch_get_romfs_offset(ncch_context* ctx)
-{
-	return ctx->offset + getle32(ctx->header.romfsoffset) * ncch_get_mediaunit_size(ctx);
-}
-
-u64 ncch_get_romfs_size(ncch_context* ctx)
-{
-	return getle32(ctx->header.romfssize) * ncch_get_mediaunit_size(ctx);
-}
-
-u64 ncch_get_exheader_offset(ncch_context* ctx)
-{
-	return ctx->offset + 0x200;
-}
-
-u64 ncch_get_exheader_size(ncch_context* ctx)
-{
-	return getle32(ctx->header.extendedheadersize);
-}
-
-u64 ncch_get_logo_offset(ncch_context* ctx)
-{
-	return ctx->offset + getle32(ctx->header.logooffset) * ncch_get_mediaunit_size(ctx);
-}
-
-u64 ncch_get_logo_size(ncch_context* ctx)
-{
-	return getle32(ctx->header.logosize) * ncch_get_mediaunit_size(ctx);
-}
-
-u64 ncch_get_plainrgn_offset(ncch_context* ctx)
-{
-	return ctx->offset + getle32(ctx->header.plainregionoffset) * ncch_get_mediaunit_size(ctx);
-}
-
-u64 ncch_get_plainrgn_size(ncch_context* ctx)
-{
-	return getle32(ctx->header.plainregionsize) * ncch_get_mediaunit_size(ctx);
-}
-
-
-u64 ncch_get_mediaunit_size(ncch_context* ctx)
-{
-	unsigned int mediaunitsize = settings_get_mediaunit_size(ctx->usersettings);
-
-	if (mediaunitsize == 0)
-	{
-		unsigned short version = getle16(ctx->header.version);
-		if (version == 1)
-			mediaunitsize = 1;
-		else if (version == 2 || version == 0)
-			mediaunitsize = 1 << (ctx->header.flags[6] + 9);
-	}
-
-	return mediaunitsize;
-}
-
-
-void ncch_determine_key(ncch_context* ctx, u32 actions)
-{
-	u8 exheader_buffer[0x400];
-	u8 seedbuf[0x20];
-	u8* seed;
-	u8* keyX = NULL;
-	u8 hash[0x20] = {0};
-	ctr_ncchheader* header = &ctx->header;
-	const u32 exheaderSize = getle32(header->extendedheadersize);
-	struct sNcchKeyslot
-	{
-		u8 x[0x10];
-		u8 y[0x10];
-		u8 key[0x10];
-	} key[2];
-
-
-	// Check if the NCCH is already decrypted, by checking if the exheader hash matches
-	// Otherwise, use determination rules
-	fseeko64(ctx->file, ncch_get_exheader_offset(ctx), SEEK_SET);
-	memset(exheader_buffer, 0, exheaderSize);
-	fread(exheader_buffer, 1, exheaderSize, ctx->file);
-	ctr_sha_256(exheader_buffer, exheaderSize, hash);
-	if (!memcmp(hash, header->extendedheaderhash, 32))
-	{
-		// exheader hash matches, so probably decrypted
-		ctx->encrypted = NCCHCRYPTO_NONE;
-		if (!(header->flags[7] & 4))
-			fprintf(stderr, "Warning, exheader is decrypted but the NCCH says it isn't.\n"
-				"This NCCH will likely break on console.\n");
-		return;
-	}
-
-	// if not plain flag set and not ncch unencrypted flag set
-	// determine the keys
-	if (!(actions & PlainFlag) && !(header->flags[7] & 4))
-	{
-		// fixed key crypto
-		if (header->flags[7] & 1)
-		{
-			ctx->encrypted = NCCHCRYPTO_FIXED;
-			if (programid_is_system(header->programid))
-			{
-				if (settings_get_ncch_fixedsystemkey(ctx->usersettings) == NULL)
-				{
-					fprintf(stderr, "Error, could not read system fixed key.\n");
-					ctx->encrypted = NCCHCRYPTO_BROKEN;
-					return;
-				}
-
-				memcpy(key[0].key, settings_get_ncch_fixedsystemkey(ctx->usersettings), 0x10);
-			}
-			else
-			{
-				memset(key[0].key, 0x00, 0x10);
-			}
-
-			memcpy(key[1].key, key[0].key, 0x10);
-		}
-		// secure crypto
-		else
-		{
-			ctx->encrypted = NCCHCRYPTO_SECURE;
-			if (settings_get_ncchkeyX_old(ctx->usersettings) == NULL)
-			{
-				fprintf(stderr, "Error, could not read NCCH base keyX.\n");
-				ctx->encrypted = NCCHCRYPTO_BROKEN;
-				return;
-			}
-
-			// setup regular keyslot seeds (exheader, exefs:icon|banner)
-			memcpy(key[0].x, settings_get_ncchkeyX_old(ctx->usersettings), 0x10);
-			memcpy(key[0].y, header->signature, 0x10);
-
-			// setup second keyslot seed (romfs, exefs:!(icon|banner))
-			// - get keyX
-
-			switch (header->flags[3])
-			{
-			case(0):
-				keyX = settings_get_ncchkeyX_old(ctx->usersettings);
-				break;
-			case(1):
-				keyX = settings_get_ncchkeyX_seven(ctx->usersettings);
-				break;
-			case(10):
-				keyX = settings_get_ncchkeyX_ninethree(ctx->usersettings);
-				break;
-			case(11):
-				keyX = settings_get_ncchkeyX_ninesix(ctx->usersettings);
-				break;
-			default:
-				fprintf(stderr, "Warning, unknown NCCH crypto method.\n");
-				ctx->encrypted = NCCHCRYPTO_BROKEN;
-				return;
-			}
-
-			if (keyX == NULL)
-			{
-				fprintf(stderr, "Error, could not read NCCH keyX.\n");
-				ctx->encrypted = NCCHCRYPTO_BROKEN;
-				return;
-			}
-
-			memcpy(key[1].x, keyX, 0x10);
-
-			// - get keyY
-			if (header->flags[7] & 0x20)
-			{
-				seed = settings_get_seed(ctx->usersettings, getle64(header->programid));
-				if (!seed)
-				{
-					fprintf(stderr, "This title uses seed crypto, but no seed is set, unable to decrypt.\n"
-						"Use -p to avoid decryption or use --seeddb=dbfile or --seed=SEEDHERE.\n");
-					ctx->encrypted = NCCHCRYPTO_BROKEN;
-					return;
-				}
-
-				memcpy(seedbuf, seed, 0x10);
-				// Assumes running on little endian
-				memcpy(seedbuf + 0x10, header->programid, sizeof(header->programid));
-				ctr_sha_256(seedbuf, 0x18, hash);
-				if (memcmp(hash, header->seedcheck, sizeof(header->seedcheck))) {
-					fprintf(stderr, "Seed check mismatch. (Got: %02x%02x%02x%02x, expected: %02x%02x%02x%02x)\n",
-						hash[0], hash[1], hash[2], hash[3],
-						header->seedcheck[0], header->seedcheck[1], header->seedcheck[2], header->seedcheck[3]);
-					ctx->encrypted = NCCHCRYPTO_BROKEN;
-					return;
-				}
-
-				memcpy(seedbuf, header->signature, 0x10);
-				memcpy(seedbuf + 0x10, seed, 0x10);
-				ctr_sha_256(seedbuf, 0x20, hash);
-				memcpy(key[1].y, hash, 0x10);
-			}
-			else
-			{
-				memcpy(key[1].y, key[0].y, 0x10);
-			}
-
-
-			// generate keys
-			ctr_aes_keygen(key[0].x, key[0].y, key[0].key);
-			ctr_aes_keygen(key[1].x, key[1].y, key[1].key);
-		}
-
-		// save keys
-		memcpy(ctx->key[0], key[0].key, 0x10);
-		memcpy(ctx->key[1], key[1].key, 0x10);
-	}
-	else
-	{
-		ctx->encrypted = NCCHCRYPTO_NONE;
-	}
-}
-
-static const char* formtypetostring(unsigned char flags)
-{
-	unsigned char formtype = flags & 3;
-
-	switch(formtype)
-	{
-	case 0: return "Not assigned";
-	case 1: return "Simple content";
-	case 2: return "Executable content without RomFS";
-	case 3: return "Executable content";
-	default: return "Unknown";
-	}
-}
-
-static const char* contenttypetostring(unsigned char flags)
-{
-	unsigned char contenttype = flags>>2;
-
-	switch(contenttype)
-	{
-	case 0: return "Application";
-	case 1: return "System Update";
-	case 2: return "Manual";
-	case 3: return "Child";
-	case 4: return "Trial";
-	case 5: return "Extended System Update";
-	default: return "Unknown";
-	}
-}
-
-static const char* contentplatformtostring(unsigned char platform)
-{
-	switch (platform)
-	{
-	case 1: return "CTR";
-	case 2: return "SNAKE";
-	default: return "Unknown";
-	}
-}
-
-
-
-void ncch_print(ncch_context* ctx)
-{
-	ctr_ncchheader *header = &ctx->header;
-	u64 offset = ctx->offset;
-	u64 mediaunitsize = ncch_get_mediaunit_size(ctx);
-
-	fprintf(stdout, "\nNCCH:\n");
-
-	fprintf(stdout, "Header:                 %.4s\n", header->magic);
-	if (ctx->headersigcheck == Unchecked)
-		memdump(stdout, "Signature:              ", header->signature, 0x100);
-	else if (ctx->headersigcheck == Good)
-		memdump(stdout, "Signature (GOOD):       ", header->signature, 0x100);
-	else
-		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);
-	fprintf(stdout, "Content size:           0x%08"PRIx64"\n", getle32(header->contentsize)*mediaunitsize);
-	fprintf(stdout, "Title id:               %016"PRIx64"\n", getle64(header->titleid));
-	fprintf(stdout, "Maker code:             %.2s\n", header->makercode);
-	fprintf(stdout, "Version:                %d\n", getle16(header->version));
-	fprintf(stdout, "Title seed check:       %08x\n", getle32(header->seedcheck));
-	fprintf(stdout, "Program id:             %016"PRIx64"\n", getle64(header->programid));
-	if(ctx->logohashcheck == Unchecked)
-		memdump(stdout, "Logo hash:              ", header->logohash, 0x20);
-	else if(ctx->logohashcheck == Good)
-		memdump(stdout, "Logo hash (GOOD):       ", header->logohash, 0x20);
-	else
-		memdump(stdout, "Logo hash (FAIL):       ", header->logohash, 0x20);
-	fprintf(stdout, "Product code:           %.16s\n", header->productcode);
-	fprintf(stdout, "Exheader size:          0x%x\n", getle32(header->extendedheadersize));
-	if (ctx->exheaderhashcheck == Unchecked)
-		memdump(stdout, "Exheader hash:          ", header->extendedheaderhash, 0x20);
-	else if (ctx->exheaderhashcheck == Good)
-		memdump(stdout, "Exheader hash (GOOD):   ", header->extendedheaderhash, 0x20);
-	else
-		memdump(stdout, "Exheader hash (FAIL):   ", header->extendedheaderhash, 0x20);
-	fprintf(stdout, "Flags:                  %016"PRIx64"\n", getle64(header->flags));
-	fprintf(stdout, " > Mediaunit size:      0x%x\n", (u32)mediaunitsize);
-	if (header->flags[7] & 4)
-		fprintf(stdout, " > Crypto key:          None\n");
-	else if (header->flags[7] & 1)
-		fprintf(stdout, " > Crypto key:          %s\n", programid_is_system(header->programid)? "Fixed":"Zeros");
-	else
-		fprintf(stdout, " > Crypto key:          Secure (%d)%s\n", header->flags[3], header->flags[7] & 32? " (KeyY seeded)" : "");
-	fprintf(stdout, " > Form type:           %s\n", formtypetostring(header->flags[5]));
-	fprintf(stdout, " > Content type:        %s\n", contenttypetostring(header->flags[5]));
-	fprintf(stdout, " > Content platform:    %s\n", contentplatformtostring(header->flags[4]));
-	if (header->flags[7] & 2)
-		fprintf(stdout, " > No RomFS mount\n");
-
-
-	fprintf(stdout, "Plain region offset:    0x%08"PRIx64"\n", getle32(header->plainregionsize)? offset+getle32(header->plainregionoffset)*mediaunitsize : 0);
-	fprintf(stdout, "Plain region size:      0x%08"PRIx64"\n", getle32(header->plainregionsize)*mediaunitsize);
-	fprintf(stdout, "Logo offset:            0x%08"PRIx64"\n", getle32(header->logosize)? offset+getle32(header->logooffset)*mediaunitsize : 0);
-	fprintf(stdout, "Logo size:              0x%08"PRIx64"\n", getle32(header->logosize)*mediaunitsize);
-	fprintf(stdout, "ExeFS offset:           0x%08"PRIx64"\n", getle32(header->exefssize)? offset+getle32(header->exefsoffset)*mediaunitsize : 0);
-	fprintf(stdout, "ExeFS size:             0x%08"PRIx64"\n", getle32(header->exefssize)*mediaunitsize);
-	fprintf(stdout, "ExeFS hash region size: 0x%08"PRIx64"\n", getle32(header->exefshashregionsize)*mediaunitsize);
-	fprintf(stdout, "RomFS offset:           0x%08"PRIx64"\n", getle32(header->romfssize)? offset+getle32(header->romfsoffset)*mediaunitsize : 0);
-	fprintf(stdout, "RomFS size:             0x%08"PRIx64"\n", getle32(header->romfssize)*mediaunitsize);
-	fprintf(stdout, "RomFS hash region size: 0x%08"PRIx64"\n", getle32(header->romfshashregionsize)*mediaunitsize);
-	if (ctx->exefshashcheck == Unchecked)
-		memdump(stdout, "ExeFS Hash:             ", header->exefssuperblockhash, 0x20);
-	else if (ctx->exefshashcheck == Good)
-		memdump(stdout, "ExeFS Hash (GOOD):      ", header->exefssuperblockhash, 0x20);
-	else
-		memdump(stdout, "ExeFS Hash (FAIL):      ", header->exefssuperblockhash, 0x20);
-	if (ctx->romfshashcheck == Unchecked)
-		memdump(stdout, "RomFS Hash:             ", header->romfssuperblockhash, 0x20);
-	else if (ctx->romfshashcheck == Good)
-		memdump(stdout, "RomFS Hash (GOOD):      ", header->romfssuperblockhash, 0x20);
-	else
-		memdump(stdout, "RomFS Hash (FAIL):      ", header->romfssuperblockhash, 0x20);
-}
diff --git a/ctrtool/ncch.h b/ctrtool/ncch.h
deleted file mode 100644
index 94d29687..00000000
--- a/ctrtool/ncch.h
+++ /dev/null
@@ -1,113 +0,0 @@
-#ifndef _NCCH_H_
-#define _NCCH_H_
-
-#include <stdio.h>
-#include "types.h"
-#include "keyset.h"
-#include "filepath.h"
-#include "ctr.h"
-#include "exefs.h"
-#include "romfs.h"
-#include "exheader.h"
-#include "settings.h"
-
-typedef enum
-{
-	NCCHTYPE_EXHEADER = 1,
-	NCCHTYPE_EXEFS = 2,
-	NCCHTYPE_ROMFS = 3,
-	NCCHTYPE_LOGO = 4,
-	NCCHTYPE_PLAINRGN = 5,
-} ctr_ncchtypes;
-
-typedef enum
-{
-	NCCHCRYPTO_NONE		= 0,		//< already decrypted
-	NCCHCRYPTO_FIXED	= 1,		//< fixed key crypto, used for SDK-made application titles and very very old system titles
-	NCCHCRYPTO_SECURE	= (1<<1),	//< hardware generated key
-	NCCHCRYPTO_BROKEN	= 0xFF		//< Internal: failed to generate key, but encryption still used
-} ctr_ncchcryptotype;
-
-typedef struct
-{
-	u8 signature[0x100];
-	u8 magic[4];
-	u8 contentsize[4];
-	u8 titleid[8];
-	u8 makercode[2];
-	u8 version[2];
-	u8 seedcheck[4];
-	u8 programid[8];
-	u8 reserved1[0x10];
-	u8 logohash[0x20];
-	u8 productcode[0x10];
-	u8 extendedheaderhash[0x20];
-	u8 extendedheadersize[4];
-	u8 reserved2[4];
-	u8 flags[8];
-	u8 plainregionoffset[4];
-	u8 plainregionsize[4];
-	u8 logooffset[4];
-	u8 logosize[4];
-	u8 exefsoffset[4];
-	u8 exefssize[4];
-	u8 exefshashregionsize[4];
-	u8 reserved4[4];
-	u8 romfsoffset[4];
-	u8 romfssize[4];
-	u8 romfshashregionsize[4];
-	u8 reserved5[4];
-	u8 exefssuperblockhash[0x20];
-	u8 romfssuperblockhash[0x20];
-} ctr_ncchheader;
-
-
-typedef struct
-{
-	FILE* file;
-	u8 key[2][16];
-	u8 seed[16];
-	u32 encrypted;
-	u64 offset;
-	u64 size;
-	settings* usersettings;
-	ctr_ncchheader header;
-	ctr_aes_context aes;
-	exefs_context exefs;
-	romfs_context romfs;
-	exheader_context exheader;
-	int exefshashcheck;
-	int romfshashcheck;
-	int exheaderhashcheck;
-	int logohashcheck;
-	int headersigcheck;
-	u64 extractsize;
-	u32 extractflags;
-} ncch_context;
-
-void ncch_init(ncch_context* ctx);
-void ncch_process(ncch_context* ctx, u32 actions);
-void ncch_set_offset(ncch_context* ctx, u64 offset);
-void ncch_set_size(ncch_context* ctx, u64 size);
-void ncch_set_file(ncch_context* ctx, FILE* file);
-void ncch_set_usersettings(ncch_context* ctx, settings* usersettings);
-u64 ncch_get_exefs_offset(ncch_context* ctx);
-u64 ncch_get_exefs_size(ncch_context* ctx);
-u64 ncch_get_romfs_offset(ncch_context* ctx);
-u64 ncch_get_romfs_size(ncch_context* ctx);
-u64 ncch_get_exheader_offset(ncch_context* ctx);
-u64 ncch_get_exheader_size(ncch_context* ctx);
-u64 ncch_get_logo_offset(ncch_context* ctx);
-u64 ncch_get_logo_size(ncch_context* ctx);
-u64 ncch_get_plainrgn_offset(ncch_context* ctx);
-u64 ncch_get_plainrgn_size(ncch_context* ctx);
-void ncch_print(ncch_context* ctx);
-int ncch_signature_verify(ncch_context* ctx, rsakey2048* key);
-void ncch_verify(ncch_context* ctx, u32 flags);
-void ncch_save(ncch_context* ctx, u32 type, u32 flags);
-int ncch_extract_prepare(ncch_context* ctx, u32 type, u32 flags);
-int ncch_extract_buffer(ncch_context* ctx, u8* buffer, u32 buffersize, u32* outsize, u8 nocrypto);
-u64 ncch_get_mediaunit_size(ncch_context* ctx);
-void ncch_get_counter(ncch_context* ctx, u8 counter[16], u8 type);
-void ncch_determine_key(ncch_context* ctx, u32 actions);
-#endif // _NCCH_H_
diff --git a/ctrtool/ncsd.c b/ctrtool/ncsd.c
deleted file mode 100644
index ab9fae8f..00000000
--- a/ctrtool/ncsd.c
+++ /dev/null
@@ -1,165 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-
-#include "types.h"
-#include "ncsd.h"
-#include "utils.h"
-#include "ctr.h"
-#include <inttypes.h>
-
-
-void ncsd_init(ncsd_context* ctx)
-{
-	memset(ctx, 0, sizeof(ncsd_context));
-}
-
-void ncsd_set_offset(ncsd_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void ncsd_set_file(ncsd_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void ncsd_set_size(ncsd_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-void ncsd_set_ncch_index(ncsd_context* ctx, u32 ncch_index)
-{
-	ctx->ncch_index = ncch_index;
-}
-
-void ncsd_set_usersettings(ncsd_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-int ncsd_signature_verify(const void* blob, rsakey2048* key)
-{
-	u8* message = (u8*)blob + 0x100;
-	u8* sig = (u8*)blob;
-	u8 hash[0x20];
-
-	ctr_sha_256(message, 0x100, hash);
-	return ctr_rsa_verify_hash(sig, hash, key);
-}
-
-u64 ncsd_get_mediaunit_size(ncsd_context* ctx)
-{
-	unsigned int mediaunitsize = settings_get_mediaunit_size(ctx->usersettings);
-
-	if (mediaunitsize == 0)
-		mediaunitsize = 1<<(9+ctx->header.flags[6]);
-
-	return mediaunitsize;
-}
-
-void ncsd_process(ncsd_context* ctx, u32 actions)
-{
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread(&ctx->header, 1, 0x200, ctx->file);
-
-	if (getle32(ctx->header.magic) != MAGIC_NCSD)
-	{
-		fprintf(stdout, "Error, NCSD segment corrupted\n");
-		return;
-	}
-
-
-	if (actions & VerifyFlag)
-	{
-		if (ctx->usersettings)
-			ctx->headersigcheck = ncsd_signature_verify(&ctx->header, &ctx->usersettings->keys.ncsdrsakey);
-	}
-
-	if (actions & InfoFlag)
-		ncsd_print(ctx);
-
-	if(ctx->ncch_index > 7 || ctx->header.partitiongeometry[ctx->ncch_index].size == 0)
-	{
-		fprintf(stderr," ERROR NCSD partition %d, does not exist\n",ctx->ncch_index);
-		return;
-	}
-		
-	ncch_set_file(&ctx->ncch, ctx->file);
-	ncch_set_offset(&ctx->ncch, ctx->header.partitiongeometry[ctx->ncch_index].offset * ncsd_get_mediaunit_size(ctx));
-	ncch_set_size(&ctx->ncch, ctx->header.partitiongeometry[ctx->ncch_index].size * ncsd_get_mediaunit_size(ctx));
-	ncch_set_usersettings(&ctx->ncch, ctx->usersettings);
-	ncch_process(&ctx->ncch, actions);
-}
-
-const char* ncsd_print_mediatype(u8 type)
-{
-	switch(type)
-	{
-		case 0 : return "Internal Device";
-		case 1 : return "Card1";
-		case 2 : return "Card2";
-		case 3 : return "Extended Device";
-		default: return "Unknown";
-	}
-}
-
-const char* ncsd_print_carddevice(u8 type)
-{
-	switch(type)
-	{
-		case 1 : return "NorFlash";
-		case 2 : return "None";
-		case 3 : return "BT";
-		default: return "Unknown";
-	}
-}
-
-void ncsd_print(ncsd_context* ctx)
-{
-	char magic[5];
-	ctr_ncsdheader* header = &ctx->header;
-	unsigned int i;
-	unsigned int mediaunitsize = (unsigned int) ncsd_get_mediaunit_size(ctx);
-
-
-	memcpy(magic, header->magic, 4);
-	magic[4] = 0;
-
-	fprintf(stdout, "Header:                 %s\n", magic);
-	if (ctx->headersigcheck == Unchecked)
-		memdump(stdout, "Signature:              ", header->signature, 0x100);
-	else if (ctx->headersigcheck == Good)
-		memdump(stdout, "Signature (GOOD):       ", header->signature, 0x100);
-	else
-		memdump(stdout, "Signature (FAIL):       ", header->signature, 0x100);       
-	fprintf(stdout, "Media size:             0x%08x\n", getle32(header->mediasize));
-	fprintf(stdout, "Media id:               %016"PRIx64"\n", getle64(header->mediaid));
-	//memdump(stdout, "Partition FS type:      ", header->partitionfstype, 8);
-	//memdump(stdout, "Partition crypt type:   ", header->partitioncrypttype, 8);
-	//memdump(stdout, "Partition offset/size:  ", header->partitionoffsetandsize, 0x40);
-	fprintf(stdout, "\n");
-	for(i=0; i<8; i++)
-	{
-		u32 partitionoffset = header->partitiongeometry[i].offset * mediaunitsize;
-		u32 partitionsize = header->partitiongeometry[i].size * mediaunitsize;
-
-		if (partitionsize != 0)
-		{
-			fprintf(stdout, "Partition %d            \n", i);
-			memdump(stdout, " Id:                    ", header->titleid+i*8, 8);
-			fprintf(stdout, " Area:                  0x%08X-0x%08X\n", partitionoffset, partitionoffset+partitionsize);
-			fprintf(stdout, " Filesystem:            %02X\n", header->partitionfstype[i]);
-			fprintf(stdout, " Encryption:            %02X\n", header->partitioncrypttype[i]);
-			fprintf(stdout, "\n");
-		}
-	}
-	memdump(stdout, "Extended header hash:   ", header->extendedheaderhash, 0x20);
-	memdump(stdout, "Additional header size: ", header->additionalheadersize, 4);
-	memdump(stdout, "Sector zero offset:     ", header->sectorzerooffset, 4);
-	memdump(stdout, "Flags:                  ", header->flags, 8);
-	fprintf(stdout, " > Mediaunit size:      0x%X\n", mediaunitsize);
-	fprintf(stdout, " > Mediatype:           %s\n", ncsd_print_mediatype(header->flags[5]));
-	fprintf(stdout, " > Card Device:         %s\n", ncsd_print_carddevice(header->flags[3] | header->flags[7]));
-
-}
diff --git a/ctrtool/ncsd.h b/ctrtool/ncsd.h
deleted file mode 100644
index 2d6ee53b..00000000
--- a/ctrtool/ncsd.h
+++ /dev/null
@@ -1,57 +0,0 @@
-#ifndef _NCSD_H_
-#define _NCSD_H_
-
-#include "types.h"
-#include "keyset.h"
-#include "settings.h"
-#include "ncch.h"
-
-typedef struct
-{
-	u32 offset;
-	u32 size;
-} ncsd_partition_geometry;
-
-typedef struct
-{
-	u8 signature[0x100];
-	u8 magic[4];
-	u8 mediasize[4];
-	u8 mediaid[8];
-	u8 partitionfstype[8];
-	u8 partitioncrypttype[8];
-	ncsd_partition_geometry partitiongeometry[8];
-	u8 extendedheaderhash[0x20];
-	u8 additionalheadersize[4];
-	u8 sectorzerooffset[4];
-	u8 flags[8];
-	u8 titleid[0x40];
-	u8 reserved[0x30];
-} ctr_ncsdheader;
-
-
-typedef struct
-{
-	FILE* file;
-	u64 offset;
-	u64 size;
-	u32 ncch_index;
-	ctr_ncsdheader header;
-	settings* usersettings;
-	int headersigcheck;
-	ncch_context ncch;
-} ncsd_context;
-
-
-void ncsd_init(ncsd_context* ctx);
-void ncsd_set_offset(ncsd_context* ctx, u64 offset);
-void ncsd_set_size(ncsd_context* ctx, u64 size);
-void ncsd_set_ncch_index(ncsd_context* ctx, u32 ncch_index);
-void ncsd_set_file(ncsd_context* ctx, FILE* file);
-void ncsd_set_usersettings(ncsd_context* ctx, settings* usersettings);
-int ncsd_signature_verify(const void* blob, rsakey2048* key);
-void ncsd_process(ncsd_context* ctx, u32 actions);
-void ncsd_print(ncsd_context* ctx);
-u64 ncsd_get_mediaunit_size(ncsd_context* ctx);
-
-#endif // _NCSD_H_
diff --git a/ctrtool/oschar.c b/ctrtool/oschar.c
deleted file mode 100644
index ac8ddcc7..00000000
--- a/ctrtool/oschar.c
+++ /dev/null
@@ -1,210 +0,0 @@
-#include <stdlib.h>
-#ifndef _WIN32
-#ifndef __CYGWIN__
-#define LIBICONV_PLUG
-#endif
-#include <iconv.h>
-#endif
-#include "oschar.h"
-
-int os_fstat(const oschar_t *path)
-{
-	struct _osstat st;
-	return os_stat(path, &st);
-}
-
-uint64_t os_fsize(const oschar_t *path)
-{
-	struct _osstat st;
-	if (os_stat(path, &st) != 0)
-		return 0;
-	else
-		return st.st_size;
-}
-
-int os_makedir(const oschar_t *dir)
-{
-#ifdef _WIN32
-	return _wmkdir(dir);
-#else
-	return mkdir(dir, 0777);
-#endif
-}
-
-uint32_t utf16_strlen(const utf16char_t *str)
-{
-	uint32_t i;
-	for (i = 0; str[i] != 0x0; i++);
-	return i;
-}
-
-void utf16_fputs(const utf16char_t *str, FILE *out)
-{
-	oschar_t *_str = os_CopyConvertUTF16Str(str);
-	os_fputs(_str, out);
-	free(_str);
-}
-
-char* strcopy_8to8(const char *src)
-{
-	uint32_t src_len;
-	char *dst;
-
-	if (!src)
-		return NULL;
-
-	src_len = strlen(src);
-
-	// Allocate memory for expanded string
-	dst = calloc(src_len + 1, sizeof(char));
-	if (!dst)
-		return NULL;
-
-	// Copy elements from src into dst
-	strncpy(dst, src, src_len);
-
-	return dst;
-}
-
-utf16char_t* strcopy_8to16(const char *src)
-{
-	uint32_t src_len, i;
-	utf16char_t *dst;
-
-	if (!src)
-		return NULL;
-
-	src_len = strlen(src);
-
-	// Allocate memory for expanded string
-	dst = calloc(src_len + 1, sizeof(utf16char_t));
-	if (!dst)
-		return NULL;
-
-	// Copy elements from src into dst
-	for (i = 0; i < src_len; i++)
-		dst[i] = src[i];
-
-	return dst;
-}
-
-
-utf16char_t* strcopy_16to16(const utf16char_t *src)
-{
-	uint32_t src_len, i;
-	utf16char_t *dst;
-
-	if (!src)
-		return NULL;
-
-	src_len = utf16_strlen(src);
-
-	// Allocate memory for expanded string
-	dst = calloc(src_len + 1, sizeof(utf16char_t));
-	if (!dst)
-		return NULL;
-
-	// Copy elements from src into dst
-	for (i = 0; i < src_len; i++)
-		dst[i] = src[i];
-
-	return dst;
-}
-
-#ifndef _WIN32
-utf16char_t* strcopy_UTF8toUTF16(const char *src)
-{
-	uint32_t src_len, dst_len;
-	size_t in_bytes, out_bytes;
-	utf16char_t *dst;
-	char *in, *out;
-
-	if (!src)
-		return NULL;
-
-	src_len = strlen(src);
-	dst_len = src_len + 1;
-
-	// Allocate memory for string
-	dst = calloc(dst_len, sizeof(utf16char_t));
-	if (!dst)
-		return NULL;
-
-	in = (char*)src;
-	out = (char*)dst;
-	in_bytes = src_len*sizeof(char);
-	out_bytes = dst_len*sizeof(utf16char_t);
-
-	iconv_t cd = iconv_open("UTF-16LE", "UTF-8");
-	iconv(cd, &in, &in_bytes, &out, &out_bytes);
-	iconv_close(cd);
-	return dst;
-}
-
-char* strcopy_UTF16toUTF8(const utf16char_t *src)
-{
-	uint32_t src_len, dst_len;
-	size_t in_bytes, out_bytes;
-	char *dst;
-	char *in, *out;
-
-	if (!src)
-		return NULL;
-
-	src_len = utf16_strlen(src);
-	// UTF-8 can use up to 3 bytes per UTF-16 code unit, or four for a surrogate pair
-	dst_len = src_len * 3;
-
-	// Allocate memory for string
-	dst = calloc(dst_len, sizeof(char));
-	if (!dst)
-		return NULL;
-
-	in = (char*)src;
-	out = (char*)dst;
-	in_bytes = src_len*sizeof(uint16_t);
-	out_bytes = dst_len*sizeof(char);
-
-	iconv_t cd = iconv_open("UTF-8", "UTF-16LE");
-	iconv(cd, &in, &in_bytes, &out, &out_bytes);
-	iconv_close(cd);
-	return dst;
-}
-#endif
-
-oschar_t* os_AppendToPath(const oschar_t *src, const oschar_t *add)
-{
-	uint32_t len;
-	oschar_t *new_path;
-
-	len = os_strlen(src) + os_strlen(add) + 0x10;
-	new_path = calloc(len, sizeof(oschar_t));
-
-#ifdef _WIN32
-	_snwprintf(new_path, len, L"%s%c%s", src, OS_PATH_SEPARATOR, add);
-#else
-	snprintf(new_path, len, "%s%c%s", src, OS_PATH_SEPARATOR, add);
-#endif
-
-	return new_path;
-}
-
-oschar_t* os_AppendUTF16StrToPath(const oschar_t *src, const utf16char_t *add)
-{
-	uint32_t len;
-	oschar_t *new_path, *_add;
-
-	_add = os_CopyConvertUTF16Str(add);
-
-	len = os_strlen(src) + os_strlen(_add) + 0x10;
-	new_path = calloc(len, sizeof(oschar_t));
-
-#ifdef _WIN32
-	_snwprintf(new_path, len, L"%s%c%s", src, OS_PATH_SEPARATOR, _add);
-#else
-	snprintf(new_path, len, "%s%c%s", src, OS_PATH_SEPARATOR, _add);
-#endif
-
-	free(_add);
-	return new_path;
-}
diff --git a/ctrtool/oschar.h b/ctrtool/oschar.h
deleted file mode 100644
index 9c788b07..00000000
--- a/ctrtool/oschar.h
+++ /dev/null
@@ -1,95 +0,0 @@
-#pragma once
-#include <stdio.h>
-#include <string.h>
-#include <inttypes.h>
-#include <sys/stat.h>
-#ifdef _WIN32
-#include <wchar.h>
-#endif
-
-// Nintendo uses UTF16-LE chars for extended ASCII support
-typedef uint16_t utf16char_t;
-
-// Native OS char type for unicode support
-#ifdef _WIN32
-typedef wchar_t oschar_t; // UTF16-LE
-#else
-typedef char oschar_t; // UTF8
-#endif
-
-// Simple redirect macros for functions and types
-#ifdef _WIN32
-#define os_strlen wcslen
-#define os_strcmp wcscmp
-#define os_fputs fputws
-
-#define os_CopyStr strcopy_16to16
-#define os_CopyConvertCharStr strcopy_8to16
-#define os_CopyConvertUTF16Str strcopy_16to16
-#define utf16_CopyStr strcopy_16to16
-#define utf16_CopyConvertOsStr strcopy_16to16
-
-#define _osdirent _wdirent
-#define _OSDIR _WDIR
-#define os_readdir _wreaddir
-#define os_opendir _wopendir
-#define os_closedir _wclosedir
-#define os_chdir _wchdir
-
-#define _osstat _stat64
-#define os_stat _wstat64
-
-#define os_fopen _wfopen
-#define OS_MODE_READ L"rb"
-#define OS_MODE_WRITE L"wb"
-#define OS_MODE_EDIT L"rb+"
-#define OS_PATH_SEPARATOR '\\'
-#else
-#define os_strlen strlen
-#define os_strcmp strcmp
-#define os_fputs fputs
-
-#define os_CopyStr strcopy_8to8
-#define os_CopyConvertUTF16Str strcopy_UTF16toUTF8
-#define os_CopyConvertCharStr strcopy_8to8
-#define utf16_CopyStr strcopy_16to16
-#define utf16_CopyConvertOsStr strcopy_UTF8toUTF16
-
-#define _osdirent dirent
-#define _OSDIR DIR
-#define os_readdir readdir
-#define os_opendir opendir
-#define os_closedir closedir
-#define os_chdir chdir
-
-#define _osstat stat
-#define os_stat stat
-
-#define os_fopen fopen
-#define OS_MODE_READ "rb"
-#define OS_MODE_WRITE "wb"
-#define OS_MODE_EDIT "rb+"
-#define OS_PATH_SEPARATOR '/'
-#endif
-
-/* File related */
-int os_fstat(const oschar_t* path);
-uint64_t os_fsize(const oschar_t* path);
-int os_makedir(const oschar_t *dir);
-
-/* UTF16 String property functions */
-uint32_t utf16_strlen(const utf16char_t* str);
-void utf16_fputs(const utf16char_t *str, FILE *out);
-
-/* String Copy and Conversion */
-char* strcopy_8to8(const char *src);
-utf16char_t* strcopy_8to16(const char *src);
-utf16char_t* strcopy_16to16(const utf16char_t *src);
-#ifndef _WIN32
-utf16char_t* strcopy_UTF8toUTF16(const char *src);
-char* strcopy_UTF16toUTF8(const utf16char_t *src);
-#endif
-
-/* String Append and Create */
-oschar_t* os_AppendToPath(const oschar_t *src, const oschar_t *add);
-oschar_t* os_AppendUTF16StrToPath(const oschar_t *src, const utf16char_t *add);
\ No newline at end of file
diff --git a/ctrtool/polarssl/aes.c b/ctrtool/polarssl/aes.c
deleted file mode 100644
index 45f74a61..00000000
--- a/ctrtool/polarssl/aes.c
+++ /dev/null
@@ -1,1164 +0,0 @@
-/*
- *  FIPS-197 compliant AES implementation
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
- *
- *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
- *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_AES_C)
-
-#include "polarssl/aes.h"
-#include "polarssl/padlock.h"
-
-#include <string.h>
-
-/*
- * 32-bit integer manipulation macros (little endian)
- */
-#ifndef GET_ULONG_LE
-#define GET_ULONG_LE(n,b,i)                             \
-{                                                       \
-    (n) = ( (unsigned long) (b)[(i)    ]       )        \
-        | ( (unsigned long) (b)[(i) + 1] <<  8 )        \
-        | ( (unsigned long) (b)[(i) + 2] << 16 )        \
-        | ( (unsigned long) (b)[(i) + 3] << 24 );       \
-}
-#endif
-
-#ifndef PUT_ULONG_LE
-#define PUT_ULONG_LE(n,b,i)                             \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n)       );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
-}
-#endif
-
-#if defined(POLARSSL_AES_ROM_TABLES)
-/*
- * Forward S-box
- */
-static const unsigned char FSb[256] =
-{
-    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
-    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
-    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
-    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
-    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
-    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
-    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
-    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
-    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
-    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
-    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
-    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
-    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
-    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
-    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
-    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
-    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
-    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
-    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
-    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
-    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
-    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
-    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
-    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
-    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
-    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
-    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
-    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
-    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
-    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
-    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
-    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
-};
-
-/*
- * Forward tables
- */
-#define FT \
-\
-    V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
-    V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
-    V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
-    V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
-    V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
-    V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
-    V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
-    V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
-    V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
-    V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
-    V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
-    V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
-    V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
-    V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
-    V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
-    V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
-    V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
-    V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
-    V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
-    V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
-    V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
-    V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
-    V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
-    V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
-    V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
-    V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
-    V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
-    V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
-    V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
-    V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
-    V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
-    V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
-    V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
-    V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
-    V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
-    V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
-    V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
-    V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
-    V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
-    V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
-    V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
-    V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
-    V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
-    V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
-    V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
-    V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
-    V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
-    V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
-    V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
-    V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
-    V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
-    V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
-    V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
-    V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
-    V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
-    V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
-    V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
-    V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
-    V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
-    V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
-    V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
-    V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
-    V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
-    V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
-
-#define V(a,b,c,d) 0x##a##b##c##d
-static const unsigned long FT0[256] = { FT };
-#undef V
-
-#define V(a,b,c,d) 0x##b##c##d##a
-static const unsigned long FT1[256] = { FT };
-#undef V
-
-#define V(a,b,c,d) 0x##c##d##a##b
-static const unsigned long FT2[256] = { FT };
-#undef V
-
-#define V(a,b,c,d) 0x##d##a##b##c
-static const unsigned long FT3[256] = { FT };
-#undef V
-
-#undef FT
-
-/*
- * Reverse S-box
- */
-static const unsigned char RSb[256] =
-{
-    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
-    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
-    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
-    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
-    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
-    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
-    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
-    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
-    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
-    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
-    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
-    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
-    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
-    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
-    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
-    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
-    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
-    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
-    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
-    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
-    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
-    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
-    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
-    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
-    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
-    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
-    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
-    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
-    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
-    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
-    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
-    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
-};
-
-/*
- * Reverse tables
- */
-#define RT \
-\
-    V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
-    V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
-    V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
-    V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
-    V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
-    V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
-    V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
-    V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
-    V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
-    V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
-    V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
-    V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
-    V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
-    V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
-    V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
-    V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
-    V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
-    V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
-    V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
-    V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
-    V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
-    V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
-    V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
-    V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
-    V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
-    V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
-    V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
-    V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
-    V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
-    V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
-    V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
-    V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
-    V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
-    V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
-    V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
-    V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
-    V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
-    V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
-    V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
-    V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
-    V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
-    V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
-    V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
-    V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
-    V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
-    V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
-    V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
-    V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
-    V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
-    V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
-    V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
-    V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
-    V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
-    V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
-    V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
-    V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
-    V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
-    V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
-    V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
-    V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
-    V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
-    V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
-    V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
-    V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
-
-#define V(a,b,c,d) 0x##a##b##c##d
-static const unsigned long RT0[256] = { RT };
-#undef V
-
-#define V(a,b,c,d) 0x##b##c##d##a
-static const unsigned long RT1[256] = { RT };
-#undef V
-
-#define V(a,b,c,d) 0x##c##d##a##b
-static const unsigned long RT2[256] = { RT };
-#undef V
-
-#define V(a,b,c,d) 0x##d##a##b##c
-static const unsigned long RT3[256] = { RT };
-#undef V
-
-#undef RT
-
-/*
- * Round constants
- */
-static const unsigned long RCON[10] =
-{
-    0x00000001, 0x00000002, 0x00000004, 0x00000008,
-    0x00000010, 0x00000020, 0x00000040, 0x00000080,
-    0x0000001B, 0x00000036
-};
-
-#else
-
-/*
- * Forward S-box & tables
- */
-static unsigned char FSb[256];
-static unsigned long FT0[256]; 
-static unsigned long FT1[256]; 
-static unsigned long FT2[256]; 
-static unsigned long FT3[256]; 
-
-/*
- * Reverse S-box & tables
- */
-static unsigned char RSb[256];
-static unsigned long RT0[256];
-static unsigned long RT1[256];
-static unsigned long RT2[256];
-static unsigned long RT3[256];
-
-/*
- * Round constants
- */
-static unsigned long RCON[10];
-
-/*
- * Tables generation code
- */
-#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
-#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
-#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
-
-static int aes_init_done = 0;
-
-static void aes_gen_tables( void )
-{
-    int i, x, y, z;
-    int pow[256];
-    int log[256];
-
-    /*
-     * compute pow and log tables over GF(2^8)
-     */
-    for( i = 0, x = 1; i < 256; i++ )
-    {
-        pow[i] = x;
-        log[x] = i;
-        x = ( x ^ XTIME( x ) ) & 0xFF;
-    }
-
-    /*
-     * calculate the round constants
-     */
-    for( i = 0, x = 1; i < 10; i++ )
-    {
-        RCON[i] = (unsigned long) x;
-        x = XTIME( x ) & 0xFF;
-    }
-
-    /*
-     * generate the forward and reverse S-boxes
-     */
-    FSb[0x00] = 0x63;
-    RSb[0x63] = 0x00;
-
-    for( i = 1; i < 256; i++ )
-    {
-        x = pow[255 - log[i]];
-
-        y  = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y ^ 0x63;
-
-        FSb[i] = (unsigned char) x;
-        RSb[x] = (unsigned char) i;
-    }
-
-    /*
-     * generate the forward and reverse tables
-     */
-    for( i = 0; i < 256; i++ )
-    {
-        x = FSb[i];
-        y = XTIME( x ) & 0xFF;
-        z =  ( y ^ x ) & 0xFF;
-
-        FT0[i] = ( (unsigned long) y       ) ^
-                 ( (unsigned long) x <<  8 ) ^
-                 ( (unsigned long) x << 16 ) ^
-                 ( (unsigned long) z << 24 );
-
-        FT1[i] = ROTL8( FT0[i] );
-        FT2[i] = ROTL8( FT1[i] );
-        FT3[i] = ROTL8( FT2[i] );
-
-        x = RSb[i];
-
-        RT0[i] = ( (unsigned long) MUL( 0x0E, x )       ) ^
-                 ( (unsigned long) MUL( 0x09, x ) <<  8 ) ^
-                 ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
-                 ( (unsigned long) MUL( 0x0B, x ) << 24 );
-
-        RT1[i] = ROTL8( RT0[i] );
-        RT2[i] = ROTL8( RT1[i] );
-        RT3[i] = ROTL8( RT2[i] );
-    }
-}
-
-#endif
-
-/*
- * AES key schedule (encryption)
- */
-int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize )
-{
-    int i;
-    unsigned long *RK;
-
-#if !defined(POLARSSL_AES_ROM_TABLES)
-    if( aes_init_done == 0 )
-    {
-        aes_gen_tables();
-        aes_init_done = 1;
-    }
-#endif
-
-    switch( keysize )
-    {
-        case 128: ctx->nr = 10; break;
-        case 192: ctx->nr = 12; break;
-        case 256: ctx->nr = 14; break;
-        default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
-    }
-
-#if defined(PADLOCK_ALIGN16)
-    ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
-#else
-    ctx->rk = RK = ctx->buf;
-#endif
-
-    for( i = 0; i < (keysize >> 5); i++ )
-    {
-        GET_ULONG_LE( RK[i], key, i << 2 );
-    }
-
-    switch( ctx->nr )
-    {
-        case 10:
-
-            for( i = 0; i < 10; i++, RK += 4 )
-            {
-                RK[4]  = RK[0] ^ RCON[i] ^
-                ( (unsigned long) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
-
-                RK[5]  = RK[1] ^ RK[4];
-                RK[6]  = RK[2] ^ RK[5];
-                RK[7]  = RK[3] ^ RK[6];
-            }
-            break;
-
-        case 12:
-
-            for( i = 0; i < 8; i++, RK += 6 )
-            {
-                RK[6]  = RK[0] ^ RCON[i] ^
-                ( (unsigned long) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
-
-                RK[7]  = RK[1] ^ RK[6];
-                RK[8]  = RK[2] ^ RK[7];
-                RK[9]  = RK[3] ^ RK[8];
-                RK[10] = RK[4] ^ RK[9];
-                RK[11] = RK[5] ^ RK[10];
-            }
-            break;
-
-        case 14:
-
-            for( i = 0; i < 7; i++, RK += 8 )
-            {
-                RK[8]  = RK[0] ^ RCON[i] ^
-                ( (unsigned long) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
-
-                RK[9]  = RK[1] ^ RK[8];
-                RK[10] = RK[2] ^ RK[9];
-                RK[11] = RK[3] ^ RK[10];
-
-                RK[12] = RK[4] ^
-                ( (unsigned long) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
-
-                RK[13] = RK[5] ^ RK[12];
-                RK[14] = RK[6] ^ RK[13];
-                RK[15] = RK[7] ^ RK[14];
-            }
-            break;
-
-        default:
-
-            break;
-    }
-
-    return( 0 );
-}
-
-/*
- * AES key schedule (decryption)
- */
-int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize )
-{
-    int i, j;
-    aes_context cty;
-    unsigned long *RK;
-    unsigned long *SK;
-    int ret;
-
-    switch( keysize )
-    {
-        case 128: ctx->nr = 10; break;
-        case 192: ctx->nr = 12; break;
-        case 256: ctx->nr = 14; break;
-        default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
-    }
-
-#if defined(PADLOCK_ALIGN16)
-    ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
-#else
-    ctx->rk = RK = ctx->buf;
-#endif
-
-    ret = aes_setkey_enc( &cty, key, keysize );
-    if( ret != 0 )
-        return( ret );
-
-    SK = cty.rk + cty.nr * 4;
-
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-
-    for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
-    {
-        for( j = 0; j < 4; j++, SK++ )
-        {
-            *RK++ = RT0[ FSb[ ( *SK       ) & 0xFF ] ] ^
-                    RT1[ FSb[ ( *SK >>  8 ) & 0xFF ] ] ^
-                    RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
-                    RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
-        }
-    }
-
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-
-    memset( &cty, 0, sizeof( aes_context ) );
-
-    return( 0 );
-}
-
-#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
-{                                               \
-    X0 = *RK++ ^ FT0[ ( Y0       ) & 0xFF ] ^   \
-                 FT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y3 >> 24 ) & 0xFF ];    \
-                                                \
-    X1 = *RK++ ^ FT0[ ( Y1       ) & 0xFF ] ^   \
-                 FT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y0 >> 24 ) & 0xFF ];    \
-                                                \
-    X2 = *RK++ ^ FT0[ ( Y2       ) & 0xFF ] ^   \
-                 FT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y1 >> 24 ) & 0xFF ];    \
-                                                \
-    X3 = *RK++ ^ FT0[ ( Y3       ) & 0xFF ] ^   \
-                 FT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y2 >> 24 ) & 0xFF ];    \
-}
-
-#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
-{                                               \
-    X0 = *RK++ ^ RT0[ ( Y0       ) & 0xFF ] ^   \
-                 RT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y1 >> 24 ) & 0xFF ];    \
-                                                \
-    X1 = *RK++ ^ RT0[ ( Y1       ) & 0xFF ] ^   \
-                 RT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y2 >> 24 ) & 0xFF ];    \
-                                                \
-    X2 = *RK++ ^ RT0[ ( Y2       ) & 0xFF ] ^   \
-                 RT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y3 >> 24 ) & 0xFF ];    \
-                                                \
-    X3 = *RK++ ^ RT0[ ( Y3       ) & 0xFF ] ^   \
-                 RT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y0 >> 24 ) & 0xFF ];    \
-}
-
-/*
- * AES-ECB block encryption/decryption
- */
-int aes_crypt_ecb( aes_context *ctx,
-                    int mode,
-                    const unsigned char input[16],
-                    unsigned char output[16] )
-{
-    int i;
-    unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
-
-#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
-    if( padlock_supports( PADLOCK_ACE ) )
-    {
-        if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
-            return( 0 );
-
-        // If padlock data misaligned, we just fall back to
-        // unaccelerated mode
-        //
-    }
-#endif
-
-    RK = ctx->rk;
-
-    GET_ULONG_LE( X0, input,  0 ); X0 ^= *RK++;
-    GET_ULONG_LE( X1, input,  4 ); X1 ^= *RK++;
-    GET_ULONG_LE( X2, input,  8 ); X2 ^= *RK++;
-    GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
-
-    if( mode == AES_DECRYPT )
-    {
-        for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
-        {
-            AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-            AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
-        }
-
-        AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-
-        X0 = *RK++ ^ \
-                ( (unsigned long) RSb[ ( Y0       ) & 0xFF ]       ) ^
-                ( (unsigned long) RSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
-
-        X1 = *RK++ ^ \
-                ( (unsigned long) RSb[ ( Y1       ) & 0xFF ]       ) ^
-                ( (unsigned long) RSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
-
-        X2 = *RK++ ^ \
-                ( (unsigned long) RSb[ ( Y2       ) & 0xFF ]       ) ^
-                ( (unsigned long) RSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
-
-        X3 = *RK++ ^ \
-                ( (unsigned long) RSb[ ( Y3       ) & 0xFF ]       ) ^
-                ( (unsigned long) RSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
-    }
-    else /* AES_ENCRYPT */
-    {
-        for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
-        {
-            AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-            AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
-        }
-
-        AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-
-        X0 = *RK++ ^ \
-                ( (unsigned long) FSb[ ( Y0       ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
-
-        X1 = *RK++ ^ \
-                ( (unsigned long) FSb[ ( Y1       ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
-
-        X2 = *RK++ ^ \
-                ( (unsigned long) FSb[ ( Y2       ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
-
-        X3 = *RK++ ^ \
-                ( (unsigned long) FSb[ ( Y3       ) & 0xFF ]       ) ^
-                ( (unsigned long) FSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
-    }
-
-    PUT_ULONG_LE( X0, output,  0 );
-    PUT_ULONG_LE( X1, output,  4 );
-    PUT_ULONG_LE( X2, output,  8 );
-    PUT_ULONG_LE( X3, output, 12 );
-
-    return( 0 );
-}
-
-/*
- * AES-CBC buffer encryption/decryption
- */
-int aes_crypt_cbc( aes_context *ctx,
-                    int mode,
-                    int length,
-                    unsigned char iv[16],
-                    const unsigned char *input,
-                    unsigned char *output )
-{
-    int i;
-    unsigned char temp[16];
-
-    if( length % 16 )
-        return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
-
-#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
-    if( padlock_supports( PADLOCK_ACE ) )
-    {
-        if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
-            return( 0 );
-        
-        // If padlock data misaligned, we just fall back to
-        // unaccelerated mode
-        //
-    }
-#endif
-
-    if( mode == AES_DECRYPT )
-    {
-        while( length > 0 )
-        {
-            memcpy( temp, input, 16 );
-            aes_crypt_ecb( ctx, mode, input, output );
-
-            for( i = 0; i < 16; i++ )
-                output[i] = (unsigned char)( output[i] ^ iv[i] );
-
-            memcpy( iv, temp, 16 );
-
-            input  += 16;
-            output += 16;
-            length -= 16;
-        }
-    }
-    else
-    {
-        while( length > 0 )
-        {
-            for( i = 0; i < 16; i++ )
-                output[i] = (unsigned char)( input[i] ^ iv[i] );
-
-            aes_crypt_ecb( ctx, mode, output, output );
-            memcpy( iv, output, 16 );
-
-            input  += 16;
-            output += 16;
-            length -= 16;
-        }
-    }
-
-    return( 0 );
-}
-
-/*
- * AES-CFB128 buffer encryption/decryption
- */
-int aes_crypt_cfb128( aes_context *ctx,
-                       int mode,
-                       int length,
-                       int *iv_off,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int c, n = *iv_off;
-
-    if( mode == AES_DECRYPT )
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
-
-            c = *input++;
-            *output++ = (unsigned char)( c ^ iv[n] );
-            iv[n] = (unsigned char) c;
-
-            n = (n + 1) & 0x0F;
-        }
-    }
-    else
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
-
-            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
-
-            n = (n + 1) & 0x0F;
-        }
-    }
-
-    *iv_off = n;
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-/*
- * AES test vectors from:
- *
- * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
- */
-static const unsigned char aes_test_ecb_dec[3][16] =
-{
-    { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
-      0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
-    { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
-      0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
-    { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
-      0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
-};
-
-static const unsigned char aes_test_ecb_enc[3][16] =
-{
-    { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
-      0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
-    { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
-      0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
-    { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
-      0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
-};
-
-static const unsigned char aes_test_cbc_dec[3][16] =
-{
-    { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
-      0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
-    { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
-      0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
-    { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
-      0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
-};
-
-static const unsigned char aes_test_cbc_enc[3][16] =
-{
-    { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
-      0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
-    { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
-      0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
-    { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
-      0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
-};
-
-/*
- * AES-CFB128 test vectors from:
- *
- * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
- */
-static const unsigned char aes_test_cfb128_key[3][32] =
-{
-    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
-      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
-    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
-      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
-      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
-    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
-      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
-      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
-      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
-};
-
-static const unsigned char aes_test_cfb128_iv[16] =
-{
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
-};
-
-static const unsigned char aes_test_cfb128_pt[64] =
-{
-    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
-    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
-    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
-    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
-    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
-    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
-    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
-    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
-};
-
-static const unsigned char aes_test_cfb128_ct[3][64] =
-{
-    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
-      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
-      0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
-      0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
-      0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
-      0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
-      0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
-      0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
-    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
-      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
-      0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
-      0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
-      0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
-      0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
-      0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
-      0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
-    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
-      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
-      0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
-      0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
-      0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
-      0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
-      0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
-      0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
-};
-
-/*
- * Checkup routine
- */
-int aes_self_test( int verbose )
-{
-    int i, j, u, v, offset;
-    unsigned char key[32];
-    unsigned char buf[64];
-    unsigned char prv[16];
-    unsigned char iv[16];
-    aes_context ctx;
-
-    memset( key, 0, 32 );
-
-    /*
-     * ECB mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  AES-ECB-%3d (%s): ", 128 + u * 64,
-                    ( v == AES_DECRYPT ) ? "dec" : "enc" );
-
-        memset( buf, 0, 16 );
-
-        if( v == AES_DECRYPT )
-        {
-            aes_setkey_dec( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-                aes_crypt_ecb( &ctx, v, buf, buf );
-
-            if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            aes_setkey_enc( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-                aes_crypt_ecb( &ctx, v, buf, buf );
-
-            if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    /*
-     * CBC mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  AES-CBC-%3d (%s): ", 128 + u * 64,
-                    ( v == AES_DECRYPT ) ? "dec" : "enc" );
-
-        memset( iv , 0, 16 );
-        memset( prv, 0, 16 );
-        memset( buf, 0, 16 );
-
-        if( v == AES_DECRYPT )
-        {
-            aes_setkey_dec( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-                aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
-
-            if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            aes_setkey_enc( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-            {
-                unsigned char tmp[16];
-
-                aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
-
-                memcpy( tmp, prv, 16 );
-                memcpy( prv, buf, 16 );
-                memcpy( buf, tmp, 16 );
-            }
-
-            if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    /*
-     * CFB128 mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  AES-CFB128-%3d (%s): ", 128 + u * 64,
-                    ( v == AES_DECRYPT ) ? "dec" : "enc" );
-
-        memcpy( iv,  aes_test_cfb128_iv, 16 );
-        memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
-
-        offset = 0;
-        aes_setkey_enc( &ctx, key, 128 + u * 64 );
-
-        if( v == AES_DECRYPT )
-        {
-            memcpy( buf, aes_test_cfb128_ct[u], 64 );
-            aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
-
-            if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            memcpy( buf, aes_test_cfb128_pt, 64 );
-            aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
-
-            if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/ctrtool/polarssl/aes.h b/ctrtool/polarssl/aes.h
deleted file mode 100644
index 5576680e..00000000
--- a/ctrtool/polarssl/aes.h
+++ /dev/null
@@ -1,139 +0,0 @@
-/**
- * \file aes.h
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_AES_H
-#define POLARSSL_AES_H
-
-#define AES_ENCRYPT     1
-#define AES_DECRYPT     0
-
-#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH                 -0x0800
-#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH               -0x0810
-
-/**
- * \brief          AES context structure
- */
-typedef struct
-{
-    int nr;                     /*!<  number of rounds  */
-    unsigned long *rk;          /*!<  AES round keys    */
-    unsigned long buf[68];      /*!<  unaligned data    */
-}
-aes_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          AES key schedule (encryption)
- *
- * \param ctx      AES context to be initialized
- * \param key      encryption key
- * \param keysize  must be 128, 192 or 256
- *
- * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_KEY_LENGTH
- */
-int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize );
-
-/**
- * \brief          AES key schedule (decryption)
- *
- * \param ctx      AES context to be initialized
- * \param key      decryption key
- * \param keysize  must be 128, 192 or 256
- *
- * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_KEY_LENGTH
- */
-int aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize );
-
-/**
- * \brief          AES-ECB block encryption/decryption
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param input    16-byte input block
- * \param output   16-byte output block
- *
- * \return         0 if successful
- */
-int aes_crypt_ecb( aes_context *ctx,
-                    int mode,
-                    const unsigned char input[16],
-                    unsigned char output[16] );
-
-/**
- * \brief          AES-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (16 bytes)
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_INPUT_LENGTH
- */
-int aes_crypt_cbc( aes_context *ctx,
-                    int mode,
-                    int length,
-                    unsigned char iv[16],
-                    const unsigned char *input,
-                    unsigned char *output );
-
-/**
- * \brief          AES-CFB128 buffer encryption/decryption.
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if successful
- */
-int aes_crypt_cfb128( aes_context *ctx,
-                       int mode,
-                       int length,
-                       int *iv_off,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int aes_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* aes.h */
diff --git a/ctrtool/polarssl/bignum.c b/ctrtool/polarssl/bignum.c
deleted file mode 100644
index 78e9384d..00000000
--- a/ctrtool/polarssl/bignum.c
+++ /dev/null
@@ -1,2038 +0,0 @@
-/*
- *  Multi-precision integer library
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  This MPI implementation is based on:
- *
- *  http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
- *  http://www.stillhq.com/extracted/gnupg-api/mpi/
- *  http://math.libtomcrypt.com/files/tommath.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_BIGNUM_C)
-
-#include "polarssl/bignum.h"
-#include "polarssl/bn_mul.h"
-
-#include <string.h>
-#include <stdlib.h>
-#include <stdarg.h>
-
-#define ciL    ((int) sizeof(t_int))    /* chars in limb  */
-#define biL    (ciL << 3)               /* bits  in limb  */
-#define biH    (ciL << 2)               /* half limb size */
-
-/*
- * Convert between bits/chars and number of limbs
- */
-#define BITS_TO_LIMBS(i)  (((i) + biL - 1) / biL)
-#define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
-
-/*
- * Initialize one or more mpi
- */
-void mpi_init( mpi *X, ... )
-{
-    va_list args;
-
-    va_start( args, X );
-
-    while( X != NULL )
-    {
-        X->s = 1;
-        X->n = 0;
-        X->p = NULL;
-
-        X = va_arg( args, mpi* );
-    }
-
-    va_end( args );
-}
-
-/*
- * Unallocate one or more mpi
- */
-void mpi_free( mpi *X, ... )
-{
-    va_list args;
-
-    va_start( args, X );
-
-    while( X != NULL )
-    {
-        if( X->p != NULL )
-        {
-            memset( X->p, 0, X->n * ciL );
-            free( X->p );
-        }
-
-        X->s = 1;
-        X->n = 0;
-        X->p = NULL;
-
-        X = va_arg( args, mpi* );
-    }
-
-    va_end( args );
-}
-
-/*
- * Enlarge to the specified number of limbs
- */
-int mpi_grow( mpi *X, int nblimbs )
-{
-    t_int *p;
-
-    if( X->n < nblimbs )
-    {
-        if( ( p = (t_int *) malloc( nblimbs * ciL ) ) == NULL )
-            return( 1 );
-
-        memset( p, 0, nblimbs * ciL );
-
-        if( X->p != NULL )
-        {
-            memcpy( p, X->p, X->n * ciL );
-            memset( X->p, 0, X->n * ciL );
-            free( X->p );
-        }
-
-        X->n = nblimbs;
-        X->p = p;
-    }
-
-    return( 0 );
-}
-
-/*
- * Copy the contents of Y into X
- */
-int mpi_copy( mpi *X, const mpi *Y )
-{
-    int ret, i;
-
-    if( X == Y )
-        return( 0 );
-
-    for( i = Y->n - 1; i > 0; i-- )
-        if( Y->p[i] != 0 )
-            break;
-    i++;
-
-    X->s = Y->s;
-
-    MPI_CHK( mpi_grow( X, i ) );
-
-    memset( X->p, 0, X->n * ciL );
-    memcpy( X->p, Y->p, i * ciL );
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Swap the contents of X and Y
- */
-void mpi_swap( mpi *X, mpi *Y )
-{
-    mpi T;
-
-    memcpy( &T,  X, sizeof( mpi ) );
-    memcpy(  X,  Y, sizeof( mpi ) );
-    memcpy(  Y, &T, sizeof( mpi ) );
-}
-
-/*
- * Set value from integer
- */
-int mpi_lset( mpi *X, int z )
-{
-    int ret;
-
-    MPI_CHK( mpi_grow( X, 1 ) );
-    memset( X->p, 0, X->n * ciL );
-
-    X->p[0] = ( z < 0 ) ? -z : z;
-    X->s    = ( z < 0 ) ? -1 : 1;
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Return the number of least significant bits
- */
-int mpi_lsb( const mpi *X )
-{
-    int i, j, count = 0;
-
-    for( i = 0; i < X->n; i++ )
-        for( j = 0; j < (int) biL; j++, count++ )
-            if( ( ( X->p[i] >> j ) & 1 ) != 0 )
-                return( count );
-
-    return( 0 );
-}
-
-/*
- * Return the number of most significant bits
- */
-int mpi_msb( const mpi *X )
-{
-    int i, j;
-
-    for( i = X->n - 1; i > 0; i-- )
-        if( X->p[i] != 0 )
-            break;
-
-    for( j = biL - 1; j >= 0; j-- )
-        if( ( ( X->p[i] >> j ) & 1 ) != 0 )
-            break;
-
-    return( ( i * biL ) + j + 1 );
-}
-
-/*
- * Return the total size in bytes
- */
-int mpi_size( const mpi *X )
-{
-    return( ( mpi_msb( X ) + 7 ) >> 3 );
-}
-
-/*
- * Convert an ASCII character to digit value
- */
-static int mpi_get_digit( t_int *d, int radix, char c )
-{
-    *d = 255;
-
-    if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
-    if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
-    if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
-
-    if( *d >= (t_int) radix )
-        return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
-
-    return( 0 );
-}
-
-/*
- * Import from an ASCII string
- */
-int mpi_read_string( mpi *X, int radix, const char *s )
-{
-    int ret, i, j, n, slen;
-    t_int d;
-    mpi T;
-
-    if( radix < 2 || radix > 16 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    mpi_init( &T, NULL );
-
-    slen = strlen( s );
-
-    if( radix == 16 )
-    {
-        n = BITS_TO_LIMBS( slen << 2 );
-
-        MPI_CHK( mpi_grow( X, n ) );
-        MPI_CHK( mpi_lset( X, 0 ) );
-
-        for( i = slen - 1, j = 0; i >= 0; i--, j++ )
-        {
-            if( i == 0 && s[i] == '-' )
-            {
-                X->s = -1;
-                break;
-            }
-
-            MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
-            X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_lset( X, 0 ) );
-
-        for( i = 0; i < slen; i++ )
-        {
-            if( i == 0 && s[i] == '-' )
-            {
-                X->s = -1;
-                continue;
-            }
-
-            MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
-            MPI_CHK( mpi_mul_int( &T, X, radix ) );
-
-            if( X->s == 1 )
-            {
-                MPI_CHK( mpi_add_int( X, &T, d ) );
-            }
-            else
-            {
-                MPI_CHK( mpi_sub_int( X, &T, d ) );
-            }
-        }
-    }
-
-cleanup:
-
-    mpi_free( &T, NULL );
-
-    return( ret );
-}
-
-/*
- * Helper to write the digits high-order first
- */
-static int mpi_write_hlp( mpi *X, int radix, char **p )
-{
-    int ret;
-    t_int r;
-
-    if( radix < 2 || radix > 16 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    MPI_CHK( mpi_mod_int( &r, X, radix ) );
-    MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
-
-    if( mpi_cmp_int( X, 0 ) != 0 )
-        MPI_CHK( mpi_write_hlp( X, radix, p ) );
-
-    if( r < 10 )
-        *(*p)++ = (char)( r + 0x30 );
-    else
-        *(*p)++ = (char)( r + 0x37 );
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Export into an ASCII string
- */
-int mpi_write_string( const mpi *X, int radix, char *s, int *slen )
-{
-    int ret = 0, n;
-    char *p;
-    mpi T;
-
-    if( radix < 2 || radix > 16 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    n = mpi_msb( X );
-    if( radix >=  4 ) n >>= 1;
-    if( radix >= 16 ) n >>= 1;
-    n += 3;
-
-    if( *slen < n )
-    {
-        *slen = n;
-        return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
-    }
-
-    p = s;
-    mpi_init( &T, NULL );
-
-    if( X->s == -1 )
-        *p++ = '-';
-
-    if( radix == 16 )
-    {
-        int c, i, j, k;
-
-        for( i = X->n - 1, k = 0; i >= 0; i-- )
-        {
-            for( j = ciL - 1; j >= 0; j-- )
-            {
-                c = ( X->p[i] >> (j << 3) ) & 0xFF;
-
-                if( c == 0 && k == 0 && (i + j) != 0 )
-                    continue;
-
-                p += sprintf( p, "%02X", c );
-                k = 1;
-            }
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_copy( &T, X ) );
-
-        if( T.s == -1 )
-            T.s = 1;
-
-        MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
-    }
-
-    *p++ = '\0';
-    *slen = p - s;
-
-cleanup:
-
-    mpi_free( &T, NULL );
-
-    return( ret );
-}
-
-/*
- * Read X from an opened file
- */
-int mpi_read_file( mpi *X, int radix, FILE *fin )
-{
-    t_int d;
-    int slen;
-    char *p;
-    char s[1024];
-
-    memset( s, 0, sizeof( s ) );
-    if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
-        return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
-
-    slen = strlen( s );
-    if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
-    if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
-
-    p = s + slen;
-    while( --p >= s )
-        if( mpi_get_digit( &d, radix, *p ) != 0 )
-            break;
-
-    return( mpi_read_string( X, radix, p + 1 ) );
-}
-
-/*
- * Write X into an opened file (or stdout if fout == NULL)
- */
-int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout )
-{
-    int n, ret;
-    size_t slen;
-    size_t plen;
-    char s[2048];
-
-    n = sizeof( s );
-    memset( s, 0, n );
-    n -= 2;
-
-    MPI_CHK( mpi_write_string( X, radix, s, (int *) &n ) );
-
-    if( p == NULL ) p = "";
-
-    plen = strlen( p );
-    slen = strlen( s );
-    s[slen++] = '\r';
-    s[slen++] = '\n';
-
-    if( fout != NULL )
-    {
-        if( fwrite( p, 1, plen, fout ) != plen ||
-            fwrite( s, 1, slen, fout ) != slen )
-            return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
-    }
-    else
-        printf( "%s%s", p, s );
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Import X from unsigned binary data, big endian
- */
-int mpi_read_binary( mpi *X, const unsigned char *buf, int buflen )
-{
-    int ret, i, j, n;
-
-    for( n = 0; n < buflen; n++ )
-        if( buf[n] != 0 )
-            break;
-
-    MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
-    MPI_CHK( mpi_lset( X, 0 ) );
-
-    for( i = buflen - 1, j = 0; i >= n; i--, j++ )
-        X->p[j / ciL] |= ((t_int) buf[i]) << ((j % ciL) << 3);
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Export X into unsigned binary data, big endian
- */
-int mpi_write_binary( const mpi *X, unsigned char *buf, int buflen )
-{
-    int i, j, n;
-
-    n = mpi_size( X );
-
-    if( buflen < n )
-        return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
-
-    memset( buf, 0, buflen );
-
-    for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
-        buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
-
-    return( 0 );
-}
-
-/*
- * Left-shift: X <<= count
- */
-int mpi_shift_l( mpi *X, int count )
-{
-    int ret, i, v0, t1;
-    t_int r0 = 0, r1;
-
-    v0 = count / (biL    );
-    t1 = count & (biL - 1);
-
-    i = mpi_msb( X ) + count;
-
-    if( X->n * (int) biL < i )
-        MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
-
-    ret = 0;
-
-    /*
-     * shift by count / limb_size
-     */
-    if( v0 > 0 )
-    {
-        for( i = X->n - 1; i >= v0; i-- )
-            X->p[i] = X->p[i - v0];
-
-        for( ; i >= 0; i-- )
-            X->p[i] = 0;
-    }
-
-    /*
-     * shift by count % limb_size
-     */
-    if( t1 > 0 )
-    {
-        for( i = v0; i < X->n; i++ )
-        {
-            r1 = X->p[i] >> (biL - t1);
-            X->p[i] <<= t1;
-            X->p[i] |= r0;
-            r0 = r1;
-        }
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Right-shift: X >>= count
- */
-int mpi_shift_r( mpi *X, int count )
-{
-    int i, v0, v1;
-    t_int r0 = 0, r1;
-
-    v0 = count /  biL;
-    v1 = count & (biL - 1);
-
-    /*
-     * shift by count / limb_size
-     */
-    if( v0 > 0 )
-    {
-        for( i = 0; i < X->n - v0; i++ )
-            X->p[i] = X->p[i + v0];
-
-        for( ; i < X->n; i++ )
-            X->p[i] = 0;
-    }
-
-    /*
-     * shift by count % limb_size
-     */
-    if( v1 > 0 )
-    {
-        for( i = X->n - 1; i >= 0; i-- )
-        {
-            r1 = X->p[i] << (biL - v1);
-            X->p[i] >>= v1;
-            X->p[i] |= r0;
-            r0 = r1;
-        }
-    }
-
-    return( 0 );
-}
-
-/*
- * Compare unsigned values
- */
-int mpi_cmp_abs( const mpi *X, const mpi *Y )
-{
-    int i, j;
-
-    for( i = X->n - 1; i >= 0; i-- )
-        if( X->p[i] != 0 )
-            break;
-
-    for( j = Y->n - 1; j >= 0; j-- )
-        if( Y->p[j] != 0 )
-            break;
-
-    if( i < 0 && j < 0 )
-        return( 0 );
-
-    if( i > j ) return(  1 );
-    if( j > i ) return( -1 );
-
-    for( ; i >= 0; i-- )
-    {
-        if( X->p[i] > Y->p[i] ) return(  1 );
-        if( X->p[i] < Y->p[i] ) return( -1 );
-    }
-
-    return( 0 );
-}
-
-/*
- * Compare signed values
- */
-int mpi_cmp_mpi( const mpi *X, const mpi *Y )
-{
-    int i, j;
-
-    for( i = X->n - 1; i >= 0; i-- )
-        if( X->p[i] != 0 )
-            break;
-
-    for( j = Y->n - 1; j >= 0; j-- )
-        if( Y->p[j] != 0 )
-            break;
-
-    if( i < 0 && j < 0 )
-        return( 0 );
-
-    if( i > j ) return(  X->s );
-    if( j > i ) return( -X->s );
-
-    if( X->s > 0 && Y->s < 0 ) return(  1 );
-    if( Y->s > 0 && X->s < 0 ) return( -1 );
-
-    for( ; i >= 0; i-- )
-    {
-        if( X->p[i] > Y->p[i] ) return(  X->s );
-        if( X->p[i] < Y->p[i] ) return( -X->s );
-    }
-
-    return( 0 );
-}
-
-/*
- * Compare signed values
- */
-int mpi_cmp_int( const mpi *X, int z )
-{
-    mpi Y;
-    t_int p[1];
-
-    *p  = ( z < 0 ) ? -z : z;
-    Y.s = ( z < 0 ) ? -1 : 1;
-    Y.n = 1;
-    Y.p = p;
-
-    return( mpi_cmp_mpi( X, &Y ) );
-}
-
-/*
- * Unsigned addition: X = |A| + |B|  (HAC 14.7)
- */
-int mpi_add_abs( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret, i, j;
-    t_int *o, *p, c;
-
-    if( X == B )
-    {
-        const mpi *T = A; A = X; B = T;
-    }
-
-    if( X != A )
-        MPI_CHK( mpi_copy( X, A ) );
-   
-    /*
-     * X should always be positive as a result of unsigned additions.
-     */
-    X->s = 1;
-
-    for( j = B->n - 1; j >= 0; j-- )
-        if( B->p[j] != 0 )
-            break;
-
-    MPI_CHK( mpi_grow( X, j + 1 ) );
-
-    o = B->p; p = X->p; c = 0;
-
-    for( i = 0; i <= j; i++, o++, p++ )
-    {
-        *p +=  c; c  = ( *p <  c );
-        *p += *o; c += ( *p < *o );
-    }
-
-    while( c != 0 )
-    {
-        if( i >= X->n )
-        {
-            MPI_CHK( mpi_grow( X, i + 1 ) );
-            p = X->p + i;
-        }
-
-        *p += c; c = ( *p < c ); i++;
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Helper for mpi substraction
- */
-static void mpi_sub_hlp( int n, t_int *s, t_int *d )
-{
-    int i;
-    t_int c, z;
-
-    for( i = c = 0; i < n; i++, s++, d++ )
-    {
-        z = ( *d <  c );     *d -=  c;
-        c = ( *d < *s ) + z; *d -= *s;
-    }
-
-    while( c != 0 )
-    {
-        z = ( *d < c ); *d -= c;
-        c = z; i++; d++;
-    }
-}
-
-/*
- * Unsigned substraction: X = |A| - |B|  (HAC 14.9)
- */
-int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B )
-{
-    mpi TB;
-    int ret, n;
-
-    if( mpi_cmp_abs( A, B ) < 0 )
-        return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
-
-    mpi_init( &TB, NULL );
-
-    if( X == B )
-    {
-        MPI_CHK( mpi_copy( &TB, B ) );
-        B = &TB;
-    }
-
-    if( X != A )
-        MPI_CHK( mpi_copy( X, A ) );
-
-    /*
-     * X should always be positive as a result of unsigned substractions.
-     */
-    X->s = 1;
-
-    ret = 0;
-
-    for( n = B->n - 1; n >= 0; n-- )
-        if( B->p[n] != 0 )
-            break;
-
-    mpi_sub_hlp( n + 1, B->p, X->p );
-
-cleanup:
-
-    mpi_free( &TB, NULL );
-
-    return( ret );
-}
-
-/*
- * Signed addition: X = A + B
- */
-int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret, s = A->s;
-
-    if( A->s * B->s < 0 )
-    {
-        if( mpi_cmp_abs( A, B ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_abs( X, A, B ) );
-            X->s =  s;
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_abs( X, B, A ) );
-            X->s = -s;
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_add_abs( X, A, B ) );
-        X->s = s;
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Signed substraction: X = A - B
- */
-int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret, s = A->s;
-
-    if( A->s * B->s > 0 )
-    {
-        if( mpi_cmp_abs( A, B ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_abs( X, A, B ) );
-            X->s =  s;
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_abs( X, B, A ) );
-            X->s = -s;
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_add_abs( X, A, B ) );
-        X->s = s;
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Signed addition: X = A + b
- */
-int mpi_add_int( mpi *X, const mpi *A, int b )
-{
-    mpi _B;
-    t_int p[1];
-
-    p[0] = ( b < 0 ) ? -b : b;
-    _B.s = ( b < 0 ) ? -1 : 1;
-    _B.n = 1;
-    _B.p = p;
-
-    return( mpi_add_mpi( X, A, &_B ) );
-}
-
-/*
- * Signed substraction: X = A - b
- */
-int mpi_sub_int( mpi *X, const mpi *A, int b )
-{
-    mpi _B;
-    t_int p[1];
-
-    p[0] = ( b < 0 ) ? -b : b;
-    _B.s = ( b < 0 ) ? -1 : 1;
-    _B.n = 1;
-    _B.p = p;
-
-    return( mpi_sub_mpi( X, A, &_B ) );
-}
-
-/*
- * Helper for mpi multiplication
- */ 
-static void mpi_mul_hlp( int i, t_int *s, t_int *d, t_int b )
-{
-    t_int c = 0, t = 0;
-
-#if defined(MULADDC_HUIT)
-    for( ; i >= 8; i -= 8 )
-    {
-        MULADDC_INIT
-        MULADDC_HUIT
-        MULADDC_STOP
-    }
-
-    for( ; i > 0; i-- )
-    {
-        MULADDC_INIT
-        MULADDC_CORE
-        MULADDC_STOP
-    }
-#else
-    for( ; i >= 16; i -= 16 )
-    {
-        MULADDC_INIT
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_STOP
-    }
-
-    for( ; i >= 8; i -= 8 )
-    {
-        MULADDC_INIT
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_STOP
-    }
-
-    for( ; i > 0; i-- )
-    {
-        MULADDC_INIT
-        MULADDC_CORE
-        MULADDC_STOP
-    }
-#endif
-
-    t++;
-
-    do {
-        *d += c; c = ( *d < c ); d++;
-    }
-    while( c != 0 );
-}
-
-/*
- * Baseline multiplication: X = A * B  (HAC 14.12)
- */
-int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret, i, j;
-    mpi TA, TB;
-
-    mpi_init( &TA, &TB, NULL );
-
-    if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
-    if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
-
-    for( i = A->n - 1; i >= 0; i-- )
-        if( A->p[i] != 0 )
-            break;
-
-    for( j = B->n - 1; j >= 0; j-- )
-        if( B->p[j] != 0 )
-            break;
-
-    MPI_CHK( mpi_grow( X, i + j + 2 ) );
-    MPI_CHK( mpi_lset( X, 0 ) );
-
-    for( i++; j >= 0; j-- )
-        mpi_mul_hlp( i, A->p, X->p + j, B->p[j] );
-
-    X->s = A->s * B->s;
-
-cleanup:
-
-    mpi_free( &TB, &TA, NULL );
-
-    return( ret );
-}
-
-/*
- * Baseline multiplication: X = A * b
- */
-int mpi_mul_int( mpi *X, const mpi *A, t_int b )
-{
-    mpi _B;
-    t_int p[1];
-
-    _B.s = 1;
-    _B.n = 1;
-    _B.p = p;
-    p[0] = b;
-
-    return( mpi_mul_mpi( X, A, &_B ) );
-}
-
-/*
- * Division by mpi: A = Q * B + R  (HAC 14.20)
- */
-int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
-{
-    int ret, i, n, t, k;
-    mpi X, Y, Z, T1, T2;
-
-    if( mpi_cmp_int( B, 0 ) == 0 )
-        return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
-
-    mpi_init( &X, &Y, &Z, &T1, &T2, NULL );
-
-    if( mpi_cmp_abs( A, B ) < 0 )
-    {
-        if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
-        if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
-        return( 0 );
-    }
-
-    MPI_CHK( mpi_copy( &X, A ) );
-    MPI_CHK( mpi_copy( &Y, B ) );
-    X.s = Y.s = 1;
-
-    MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
-    MPI_CHK( mpi_lset( &Z,  0 ) );
-    MPI_CHK( mpi_grow( &T1, 2 ) );
-    MPI_CHK( mpi_grow( &T2, 3 ) );
-
-    k = mpi_msb( &Y ) % biL;
-    if( k < (int) biL - 1 )
-    {
-        k = biL - 1 - k;
-        MPI_CHK( mpi_shift_l( &X, k ) );
-        MPI_CHK( mpi_shift_l( &Y, k ) );
-    }
-    else k = 0;
-
-    n = X.n - 1;
-    t = Y.n - 1;
-    mpi_shift_l( &Y, biL * (n - t) );
-
-    while( mpi_cmp_mpi( &X, &Y ) >= 0 )
-    {
-        Z.p[n - t]++;
-        mpi_sub_mpi( &X, &X, &Y );
-    }
-    mpi_shift_r( &Y, biL * (n - t) );
-
-    for( i = n; i > t ; i-- )
-    {
-        if( X.p[i] >= Y.p[t] )
-            Z.p[i - t - 1] = ~0;
-        else
-        {
-#if defined(POLARSSL_HAVE_LONGLONG)
-            t_dbl r;
-
-            r  = (t_dbl) X.p[i] << biL;
-            r |= (t_dbl) X.p[i - 1];
-            r /= Y.p[t];
-            if( r > ((t_dbl) 1 << biL) - 1)
-                r = ((t_dbl) 1 << biL) - 1;
-
-            Z.p[i - t - 1] = (t_int) r;
-#else
-            /*
-             * __udiv_qrnnd_c, from gmp/longlong.h
-             */
-            t_int q0, q1, r0, r1;
-            t_int d0, d1, d, m;
-
-            d  = Y.p[t];
-            d0 = ( d << biH ) >> biH;
-            d1 = ( d >> biH );
-
-            q1 = X.p[i] / d1;
-            r1 = X.p[i] - d1 * q1;
-            r1 <<= biH;
-            r1 |= ( X.p[i - 1] >> biH );
-
-            m = q1 * d0;
-            if( r1 < m )
-            {
-                q1--, r1 += d;
-                while( r1 >= d && r1 < m )
-                    q1--, r1 += d;
-            }
-            r1 -= m;
-
-            q0 = r1 / d1;
-            r0 = r1 - d1 * q0;
-            r0 <<= biH;
-            r0 |= ( X.p[i - 1] << biH ) >> biH;
-
-            m = q0 * d0;
-            if( r0 < m )
-            {
-                q0--, r0 += d;
-                while( r0 >= d && r0 < m )
-                    q0--, r0 += d;
-            }
-            r0 -= m;
-
-            Z.p[i - t - 1] = ( q1 << biH ) | q0;
-#endif
-        }
-
-        Z.p[i - t - 1]++;
-        do
-        {
-            Z.p[i - t - 1]--;
-
-            MPI_CHK( mpi_lset( &T1, 0 ) );
-            T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
-            T1.p[1] = Y.p[t];
-            MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
-
-            MPI_CHK( mpi_lset( &T2, 0 ) );
-            T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
-            T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
-            T2.p[2] = X.p[i];
-        }
-        while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
-
-        MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
-        MPI_CHK( mpi_shift_l( &T1,  biL * (i - t - 1) ) );
-        MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
-
-        if( mpi_cmp_int( &X, 0 ) < 0 )
-        {
-            MPI_CHK( mpi_copy( &T1, &Y ) );
-            MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
-            MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
-            Z.p[i - t - 1]--;
-        }
-    }
-
-    if( Q != NULL )
-    {
-        mpi_copy( Q, &Z );
-        Q->s = A->s * B->s;
-    }
-
-    if( R != NULL )
-    {
-        mpi_shift_r( &X, k );
-        mpi_copy( R, &X );
-
-        R->s = A->s;
-        if( mpi_cmp_int( R, 0 ) == 0 )
-            R->s = 1;
-    }
-
-cleanup:
-
-    mpi_free( &X, &Y, &Z, &T1, &T2, NULL );
-
-    return( ret );
-}
-
-/*
- * Division by int: A = Q * b + R
- *
- * Returns 0 if successful
- *         1 if memory allocation failed
- *         POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
- */
-int mpi_div_int( mpi *Q, mpi *R, const mpi *A, int b )
-{
-    mpi _B;
-    t_int p[1];
-
-    p[0] = ( b < 0 ) ? -b : b;
-    _B.s = ( b < 0 ) ? -1 : 1;
-    _B.n = 1;
-    _B.p = p;
-
-    return( mpi_div_mpi( Q, R, A, &_B ) );
-}
-
-/*
- * Modulo: R = A mod B
- */
-int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B )
-{
-    int ret;
-
-    if( mpi_cmp_int( B, 0 ) < 0 )
-        return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
-
-    MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
-
-    while( mpi_cmp_int( R, 0 ) < 0 )
-      MPI_CHK( mpi_add_mpi( R, R, B ) );
-
-    while( mpi_cmp_mpi( R, B ) >= 0 )
-      MPI_CHK( mpi_sub_mpi( R, R, B ) );
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Modulo: r = A mod b
- */
-int mpi_mod_int( t_int *r, const mpi *A, int b )
-{
-    int i;
-    t_int x, y, z;
-
-    if( b == 0 )
-        return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
-
-    if( b < 0 )
-        return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
-
-    /*
-     * handle trivial cases
-     */
-    if( b == 1 )
-    {
-        *r = 0;
-        return( 0 );
-    }
-
-    if( b == 2 )
-    {
-        *r = A->p[0] & 1;
-        return( 0 );
-    }
-
-    /*
-     * general case
-     */
-    for( i = A->n - 1, y = 0; i >= 0; i-- )
-    {
-        x  = A->p[i];
-        y  = ( y << biH ) | ( x >> biH );
-        z  = y / b;
-        y -= z * b;
-
-        x <<= biH;
-        y  = ( y << biH ) | ( x >> biH );
-        z  = y / b;
-        y -= z * b;
-    }
-
-    /*
-     * If A is negative, then the current y represents a negative value.
-     * Flipping it to the positive side.
-     */
-    if( A->s < 0 && y != 0 )
-        y = b - y;
-
-    *r = y;
-
-    return( 0 );
-}
-
-/*
- * Fast Montgomery initialization (thanks to Tom St Denis)
- */
-static void mpi_montg_init( t_int *mm, const mpi *N )
-{
-    t_int x, m0 = N->p[0];
-
-    x  = m0;
-    x += ( ( m0 + 2 ) & 4 ) << 1;
-    x *= ( 2 - ( m0 * x ) );
-
-    if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
-    if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
-    if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
-
-    *mm = ~x + 1;
-}
-
-/*
- * Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
- */
-static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_int mm, const mpi *T )
-{
-    int i, n, m;
-    t_int u0, u1, *d;
-
-    memset( T->p, 0, T->n * ciL );
-
-    d = T->p;
-    n = N->n;
-    m = ( B->n < n ) ? B->n : n;
-
-    for( i = 0; i < n; i++ )
-    {
-        /*
-         * T = (T + u0*B + u1*N) / 2^biL
-         */
-        u0 = A->p[i];
-        u1 = ( d[0] + u0 * B->p[0] ) * mm;
-
-        mpi_mul_hlp( m, B->p, d, u0 );
-        mpi_mul_hlp( n, N->p, d, u1 );
-
-        *d++ = u0; d[n + 1] = 0;
-    }
-
-    memcpy( A->p, d, (n + 1) * ciL );
-
-    if( mpi_cmp_abs( A, N ) >= 0 )
-        mpi_sub_hlp( n, N->p, A->p );
-    else
-        /* prevent timing attacks */
-        mpi_sub_hlp( n, A->p, T->p );
-}
-
-/*
- * Montgomery reduction: A = A * R^-1 mod N
- */
-static void mpi_montred( mpi *A, const mpi *N, t_int mm, const mpi *T )
-{
-    t_int z = 1;
-    mpi U;
-
-    U.n = U.s = z;
-    U.p = &z;
-
-    mpi_montmul( A, &U, N, mm, T );
-}
-
-/*
- * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
- */
-int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
-{
-    int ret, i, j, wsize, wbits;
-    int bufsize, nblimbs, nbits;
-    t_int ei, mm, state;
-    mpi RR, T, W[64];
-
-    if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    /*
-     * Init temps and window size
-     */
-    mpi_montg_init( &mm, N );
-    mpi_init( &RR, &T, NULL );
-    memset( W, 0, sizeof( W ) );
-
-    i = mpi_msb( E );
-
-    wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
-            ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
-
-    j = N->n + 1;
-    MPI_CHK( mpi_grow( X, j ) );
-    MPI_CHK( mpi_grow( &W[1],  j ) );
-    MPI_CHK( mpi_grow( &T, j * 2 ) );
-
-    /*
-     * If 1st call, pre-compute R^2 mod N
-     */
-    if( _RR == NULL || _RR->p == NULL )
-    {
-        MPI_CHK( mpi_lset( &RR, 1 ) );
-        MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
-        MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
-
-        if( _RR != NULL )
-            memcpy( _RR, &RR, sizeof( mpi ) );
-    }
-    else
-        memcpy( &RR, _RR, sizeof( mpi ) );
-
-    /*
-     * W[1] = A * R^2 * R^-1 mod N = A * R mod N
-     */
-    if( mpi_cmp_mpi( A, N ) >= 0 )
-        mpi_mod_mpi( &W[1], A, N );
-    else   mpi_copy( &W[1], A );
-
-    mpi_montmul( &W[1], &RR, N, mm, &T );
-
-    /*
-     * X = R^2 * R^-1 mod N = R mod N
-     */
-    MPI_CHK( mpi_copy( X, &RR ) );
-    mpi_montred( X, N, mm, &T );
-
-    if( wsize > 1 )
-    {
-        /*
-         * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
-         */
-        j =  1 << (wsize - 1);
-
-        MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
-        MPI_CHK( mpi_copy( &W[j], &W[1]    ) );
-
-        for( i = 0; i < wsize - 1; i++ )
-            mpi_montmul( &W[j], &W[j], N, mm, &T );
-    
-        /*
-         * W[i] = W[i - 1] * W[1]
-         */
-        for( i = j + 1; i < (1 << wsize); i++ )
-        {
-            MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
-            MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
-
-            mpi_montmul( &W[i], &W[1], N, mm, &T );
-        }
-    }
-
-    nblimbs = E->n;
-    bufsize = 0;
-    nbits   = 0;
-    wbits   = 0;
-    state   = 0;
-
-    while( 1 )
-    {
-        if( bufsize == 0 )
-        {
-            if( nblimbs-- == 0 )
-                break;
-
-            bufsize = sizeof( t_int ) << 3;
-        }
-
-        bufsize--;
-
-        ei = (E->p[nblimbs] >> bufsize) & 1;
-
-        /*
-         * skip leading 0s
-         */
-        if( ei == 0 && state == 0 )
-            continue;
-
-        if( ei == 0 && state == 1 )
-        {
-            /*
-             * out of window, square X
-             */
-            mpi_montmul( X, X, N, mm, &T );
-            continue;
-        }
-
-        /*
-         * add ei to current window
-         */
-        state = 2;
-
-        nbits++;
-        wbits |= (ei << (wsize - nbits));
-
-        if( nbits == wsize )
-        {
-            /*
-             * X = X^wsize R^-1 mod N
-             */
-            for( i = 0; i < wsize; i++ )
-                mpi_montmul( X, X, N, mm, &T );
-
-            /*
-             * X = X * W[wbits] R^-1 mod N
-             */
-            mpi_montmul( X, &W[wbits], N, mm, &T );
-
-            state--;
-            nbits = 0;
-            wbits = 0;
-        }
-    }
-
-    /*
-     * process the remaining bits
-     */
-    for( i = 0; i < nbits; i++ )
-    {
-        mpi_montmul( X, X, N, mm, &T );
-
-        wbits <<= 1;
-
-        if( (wbits & (1 << wsize)) != 0 )
-            mpi_montmul( X, &W[1], N, mm, &T );
-    }
-
-    /*
-     * X = A^E * R * R^-1 mod N = A^E mod N
-     */
-    mpi_montred( X, N, mm, &T );
-
-cleanup:
-
-    for( i = (1 << (wsize - 1)); i < (1 << wsize); i++ )
-        mpi_free( &W[i], NULL );
-
-    if( _RR != NULL )
-         mpi_free( &W[1], &T, NULL );
-    else mpi_free( &W[1], &T, &RR, NULL );
-
-    return( ret );
-}
-
-/*
- * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
- */
-int mpi_gcd( mpi *G, const mpi *A, const mpi *B )
-{
-    int ret, lz, lzt;
-    mpi TG, TA, TB;
-
-    mpi_init( &TG, &TA, &TB, NULL );
-
-    MPI_CHK( mpi_copy( &TA, A ) );
-    MPI_CHK( mpi_copy( &TB, B ) );
-
-    lz = mpi_lsb( &TA );
-    lzt = mpi_lsb( &TB );
-
-    if ( lzt < lz )
-        lz = lzt;
-
-    MPI_CHK( mpi_shift_r( &TA, lz ) );
-    MPI_CHK( mpi_shift_r( &TB, lz ) );
-
-    TA.s = TB.s = 1;
-
-    while( mpi_cmp_int( &TA, 0 ) != 0 )
-    {
-        MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
-        MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
-
-        if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
-            MPI_CHK( mpi_shift_r( &TA, 1 ) );
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
-            MPI_CHK( mpi_shift_r( &TB, 1 ) );
-        }
-    }
-
-    MPI_CHK( mpi_shift_l( &TB, lz ) );
-    MPI_CHK( mpi_copy( G, &TB ) );
-
-cleanup:
-
-    mpi_free( &TB, &TA, &TG, NULL );
-
-    return( ret );
-}
-
-#if defined(POLARSSL_GENPRIME)
-
-/*
- * Modular inverse: X = A^-1 mod N  (HAC 14.61 / 14.64)
- */
-int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N )
-{
-    int ret;
-    mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
-
-    if( mpi_cmp_int( N, 0 ) <= 0 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    mpi_init( &TA, &TU, &U1, &U2, &G,
-              &TB, &TV, &V1, &V2, NULL );
-
-    MPI_CHK( mpi_gcd( &G, A, N ) );
-
-    if( mpi_cmp_int( &G, 1 ) != 0 )
-    {
-        ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
-        goto cleanup;
-    }
-
-    MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
-    MPI_CHK( mpi_copy( &TU, &TA ) );
-    MPI_CHK( mpi_copy( &TB, N ) );
-    MPI_CHK( mpi_copy( &TV, N ) );
-
-    MPI_CHK( mpi_lset( &U1, 1 ) );
-    MPI_CHK( mpi_lset( &U2, 0 ) );
-    MPI_CHK( mpi_lset( &V1, 0 ) );
-    MPI_CHK( mpi_lset( &V2, 1 ) );
-
-    do
-    {
-        while( ( TU.p[0] & 1 ) == 0 )
-        {
-            MPI_CHK( mpi_shift_r( &TU, 1 ) );
-
-            if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
-            {
-                MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
-                MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
-            }
-
-            MPI_CHK( mpi_shift_r( &U1, 1 ) );
-            MPI_CHK( mpi_shift_r( &U2, 1 ) );
-        }
-
-        while( ( TV.p[0] & 1 ) == 0 )
-        {
-            MPI_CHK( mpi_shift_r( &TV, 1 ) );
-
-            if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
-            {
-                MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
-                MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
-            }
-
-            MPI_CHK( mpi_shift_r( &V1, 1 ) );
-            MPI_CHK( mpi_shift_r( &V2, 1 ) );
-        }
-
-        if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
-            MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
-            MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
-            MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
-            MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
-        }
-    }
-    while( mpi_cmp_int( &TU, 0 ) != 0 );
-
-    while( mpi_cmp_int( &V1, 0 ) < 0 )
-        MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
-
-    while( mpi_cmp_mpi( &V1, N ) >= 0 )
-        MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
-
-    MPI_CHK( mpi_copy( X, &V1 ) );
-
-cleanup:
-
-    mpi_free( &V2, &V1, &TV, &TB, &G,
-              &U2, &U1, &TU, &TA, NULL );
-
-    return( ret );
-}
-
-static const int small_prime[] =
-{
-        3,    5,    7,   11,   13,   17,   19,   23,
-       29,   31,   37,   41,   43,   47,   53,   59,
-       61,   67,   71,   73,   79,   83,   89,   97,
-      101,  103,  107,  109,  113,  127,  131,  137,
-      139,  149,  151,  157,  163,  167,  173,  179,
-      181,  191,  193,  197,  199,  211,  223,  227,
-      229,  233,  239,  241,  251,  257,  263,  269,
-      271,  277,  281,  283,  293,  307,  311,  313,
-      317,  331,  337,  347,  349,  353,  359,  367,
-      373,  379,  383,  389,  397,  401,  409,  419,
-      421,  431,  433,  439,  443,  449,  457,  461,
-      463,  467,  479,  487,  491,  499,  503,  509,
-      521,  523,  541,  547,  557,  563,  569,  571,
-      577,  587,  593,  599,  601,  607,  613,  617,
-      619,  631,  641,  643,  647,  653,  659,  661,
-      673,  677,  683,  691,  701,  709,  719,  727,
-      733,  739,  743,  751,  757,  761,  769,  773,
-      787,  797,  809,  811,  821,  823,  827,  829,
-      839,  853,  857,  859,  863,  877,  881,  883,
-      887,  907,  911,  919,  929,  937,  941,  947,
-      953,  967,  971,  977,  983,  991,  997, -103
-};
-
-/*
- * Miller-Rabin primality test  (HAC 4.24)
- */
-int mpi_is_prime( mpi *X, int (*f_rng)(void *), void *p_rng )
-{
-    int ret, i, j, n, s, xs;
-    mpi W, R, T, A, RR;
-    unsigned char *p;
-
-    if( mpi_cmp_int( X, 0 ) == 0 ||
-        mpi_cmp_int( X, 1 ) == 0 )
-        return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
-
-    if( mpi_cmp_int( X, 2 ) == 0 )
-        return( 0 );
-
-    mpi_init( &W, &R, &T, &A, &RR, NULL );
-
-    xs = X->s; X->s = 1;
-
-    /*
-     * test trivial factors first
-     */
-    if( ( X->p[0] & 1 ) == 0 )
-        return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
-
-    for( i = 0; small_prime[i] > 0; i++ )
-    {
-        t_int r;
-
-        if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
-            return( 0 );
-
-        MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
-
-        if( r == 0 )
-            return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
-    }
-
-    /*
-     * W = |X| - 1
-     * R = W >> lsb( W )
-     */
-    MPI_CHK( mpi_sub_int( &W, X, 1 ) );
-    s = mpi_lsb( &W );
-    MPI_CHK( mpi_copy( &R, &W ) );
-    MPI_CHK( mpi_shift_r( &R, s ) );
-
-    i = mpi_msb( X );
-    /*
-     * HAC, table 4.4
-     */
-    n = ( ( i >= 1300 ) ?  2 : ( i >=  850 ) ?  3 :
-          ( i >=  650 ) ?  4 : ( i >=  350 ) ?  8 :
-          ( i >=  250 ) ? 12 : ( i >=  150 ) ? 18 : 27 );
-
-    for( i = 0; i < n; i++ )
-    {
-        /*
-         * pick a random A, 1 < A < |X| - 1
-         */
-        MPI_CHK( mpi_grow( &A, X->n ) );
-
-        p = (unsigned char *) A.p;
-        for( j = 0; j < A.n * ciL; j++ )
-            *p++ = (unsigned char) f_rng( p_rng );
-
-        j = mpi_msb( &A ) - mpi_msb( &W );
-        MPI_CHK( mpi_shift_r( &A, j + 1 ) );
-        A.p[0] |= 3;
-
-        /*
-         * A = A^R mod |X|
-         */
-        MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
-
-        if( mpi_cmp_mpi( &A, &W ) == 0 ||
-            mpi_cmp_int( &A,  1 ) == 0 )
-            continue;
-
-        j = 1;
-        while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
-        {
-            /*
-             * A = A * A mod |X|
-             */
-            MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
-            MPI_CHK( mpi_mod_mpi( &A, &T, X  ) );
-
-            if( mpi_cmp_int( &A, 1 ) == 0 )
-                break;
-
-            j++;
-        }
-
-        /*
-         * not prime if A != |X| - 1 or A == 1
-         */
-        if( mpi_cmp_mpi( &A, &W ) != 0 ||
-            mpi_cmp_int( &A,  1 ) == 0 )
-        {
-            ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
-            break;
-        }
-    }
-
-cleanup:
-
-    X->s = xs;
-
-    mpi_free( &RR, &A, &T, &R, &W, NULL );
-
-    return( ret );
-}
-
-/*
- * Prime number generation
- */
-int mpi_gen_prime( mpi *X, int nbits, int dh_flag,
-                   int (*f_rng)(void *), void *p_rng )
-{
-    int ret, k, n;
-    unsigned char *p;
-    mpi Y;
-
-    if( nbits < 3 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    mpi_init( &Y, NULL );
-
-    n = BITS_TO_LIMBS( nbits );
-
-    MPI_CHK( mpi_grow( X, n ) );
-    MPI_CHK( mpi_lset( X, 0 ) );
-
-    p = (unsigned char *) X->p;
-    for( k = 0; k < X->n * ciL; k++ )
-        *p++ = (unsigned char) f_rng( p_rng );
-
-    k = mpi_msb( X );
-    if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
-    if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
-
-    X->p[0] |= 3;
-
-    if( dh_flag == 0 )
-    {
-        while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
-        {
-            if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
-                goto cleanup;
-
-            MPI_CHK( mpi_add_int( X, X, 2 ) );
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
-        MPI_CHK( mpi_shift_r( &Y, 1 ) );
-
-        while( 1 )
-        {
-            if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
-            {
-                if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
-                    break;
-
-                if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
-                    goto cleanup;
-            }
-
-            if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
-                goto cleanup;
-
-            MPI_CHK( mpi_add_int( &Y, X, 1 ) );
-            MPI_CHK( mpi_add_int(  X, X, 2 ) );
-            MPI_CHK( mpi_shift_r( &Y, 1 ) );
-        }
-    }
-
-cleanup:
-
-    mpi_free( &Y, NULL );
-
-    return( ret );
-}
-
-#endif
-
-#if defined(POLARSSL_SELF_TEST)
-
-#define GCD_PAIR_COUNT	3
-
-static const int gcd_pairs[GCD_PAIR_COUNT][3] =
-{
-    { 693, 609, 21 },
-    { 1764, 868, 28 },
-    { 768454923, 542167814, 1 }
-};
-
-/*
- * Checkup routine
- */
-int mpi_self_test( int verbose )
-{
-    int ret, i;
-    mpi A, E, N, X, Y, U, V;
-
-    mpi_init( &A, &E, &N, &X, &Y, &U, &V, NULL );
-
-    MPI_CHK( mpi_read_string( &A, 16,
-        "EFE021C2645FD1DC586E69184AF4A31E" \
-        "D5F53E93B5F123FA41680867BA110131" \
-        "944FE7952E2517337780CB0DB80E61AA" \
-        "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
-
-    MPI_CHK( mpi_read_string( &E, 16,
-        "B2E7EFD37075B9F03FF989C7C5051C20" \
-        "34D2A323810251127E7BF8625A4F49A5" \
-        "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
-        "5B5C25763222FEFCCFC38B832366C29E" ) );
-
-    MPI_CHK( mpi_read_string( &N, 16,
-        "0066A198186C18C10B2F5ED9B522752A" \
-        "9830B69916E535C8F047518A889A43A5" \
-        "94B6BED27A168D31D4A52F88925AA8F5" ) );
-
-    MPI_CHK( mpi_mul_mpi( &X, &A, &N ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "602AB7ECA597A3D6B56FF9829A5E8B85" \
-        "9E857EA95A03512E2BAE7391688D264A" \
-        "A5663B0341DB9CCFD2C4C5F421FEC814" \
-        "8001B72E848A38CAE1C65F78E56ABDEF" \
-        "E12D3C039B8A02D6BE593F0BBBDA56F1" \
-        "ECF677152EF804370C1A305CAF3B5BF1" \
-        "30879B56C61DE584A0F53A2447A51E" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #1 (mul_mpi): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    MPI_CHK( mpi_div_mpi( &X, &Y, &A, &N ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "256567336059E52CAE22925474705F39A94" ) );
-
-    MPI_CHK( mpi_read_string( &V, 16,
-        "6613F26162223DF488E9CD48CC132C7A" \
-        "0AC93C701B001B092E4E5B9F73BCD27B" \
-        "9EE50D0657C77F374E903CDFA4C642" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #2 (div_mpi): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 ||
-        mpi_cmp_mpi( &Y, &V ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    MPI_CHK( mpi_exp_mod( &X, &A, &E, &N, NULL ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "36E139AEA55215609D2816998ED020BB" \
-        "BD96C37890F65171D948E9BC7CBAA4D9" \
-        "325D24D6A3C12710F10A09FA08AB87" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #3 (exp_mod): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    MPI_CHK( mpi_inv_mod( &X, &A, &N ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
-        "C3DBA76456363A10869622EAC2DD84EC" \
-        "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #4 (inv_mod): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    if( verbose != 0 )
-        printf( "  MPI test #5 (simple gcd): " );
-
-    for ( i = 0; i < GCD_PAIR_COUNT; i++)
-    {
-        MPI_CHK( mpi_lset( &X, gcd_pairs[i][0] ) );
-	MPI_CHK( mpi_lset( &Y, gcd_pairs[i][1] ) );
-
-	MPI_CHK( mpi_gcd( &A, &X, &Y ) );
-
-	if( mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
-	{
-		if( verbose != 0 )
-			printf( "failed at %d\n", i );
-
-		return( 1 );
-	}
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-cleanup:
-
-    if( ret != 0 && verbose != 0 )
-        printf( "Unexpected error, return code = %08X\n", ret );
-
-    mpi_free( &V, &U, &Y, &X, &N, &E, &A, NULL );
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( ret );
-}
-
-#endif
-
-#endif
diff --git a/ctrtool/polarssl/bignum.h b/ctrtool/polarssl/bignum.h
deleted file mode 100644
index 80399a22..00000000
--- a/ctrtool/polarssl/bignum.h
+++ /dev/null
@@ -1,533 +0,0 @@
-/**
- * \file bignum.h
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_BIGNUM_H
-#define POLARSSL_BIGNUM_H
-
-#include <stdio.h>
-
-#define POLARSSL_ERR_MPI_FILE_IO_ERROR                     0x0002
-#define POLARSSL_ERR_MPI_BAD_INPUT_DATA                    0x0004
-#define POLARSSL_ERR_MPI_INVALID_CHARACTER                 0x0006
-#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL                  0x0008
-#define POLARSSL_ERR_MPI_NEGATIVE_VALUE                    0x000A
-#define POLARSSL_ERR_MPI_DIVISION_BY_ZERO                  0x000C
-#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE                    0x000E
-
-#define MPI_CHK(f) if( ( ret = f ) != 0 ) goto cleanup
-
-/*
- * Define the base integer type, architecture-wise
- */
-#if defined(POLARSSL_HAVE_INT8)
-typedef unsigned char  t_int;
-typedef unsigned short t_dbl;
-#else
-#if defined(POLARSSL_HAVE_INT16)
-typedef unsigned short t_int;
-typedef unsigned long  t_dbl;
-#else
-  typedef unsigned long t_int;
-  #if defined(_MSC_VER) && defined(_M_IX86)
-  typedef unsigned __int64 t_dbl;
-  #else
-    #if defined(__amd64__) || defined(__x86_64__)    || \
-        defined(__ppc64__) || defined(__powerpc64__) || \
-        defined(__ia64__)  || defined(__alpha__)
-    typedef unsigned int t_dbl __attribute__((mode(TI)));
-    #else
-      #if defined(POLARSSL_HAVE_LONGLONG)
-      typedef unsigned long long t_dbl;
-      #endif
-    #endif
-  #endif
-#endif
-#endif
-
-/**
- * \brief          MPI structure
- */
-typedef struct
-{
-    int s;              /*!<  integer sign      */
-    int n;              /*!<  total # of limbs  */
-    t_int *p;           /*!<  pointer to limbs  */
-}
-mpi;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Initialize one or more mpi
- */
-void mpi_init( mpi *X, ... );
-
-/**
- * \brief          Unallocate one or more mpi
- */
-void mpi_free( mpi *X, ... );
-
-/**
- * \brief          Enlarge to the specified number of limbs
- *
- * \param X        MPI to grow
- * \param nblimbs  The target number of limbs
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_grow( mpi *X, int nblimbs );
-
-/**
- * \brief          Copy the contents of Y into X
- *
- * \param X        Destination MPI
- * \param Y        Source MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_copy( mpi *X, const mpi *Y );
-
-/**
- * \brief          Swap the contents of X and Y
- *
- * \param X        First MPI value
- * \param Y        Second MPI value
- */
-void mpi_swap( mpi *X, mpi *Y );
-
-/**
- * \brief          Set value from integer
- *
- * \param X        MPI to set
- * \param z        Value to use
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_lset( mpi *X, int z );
-
-/**
- * \brief          Return the number of least significant bits
- *
- * \param X        MPI to use
- */
-int mpi_lsb( const mpi *X );
-
-/**
- * \brief          Return the number of most significant bits
- *
- * \param X        MPI to use
- */
-int mpi_msb( const mpi *X );
-
-/**
- * \brief          Return the total size in bytes
- *
- * \param X        MPI to use
- */
-int mpi_size( const mpi *X );
-
-/**
- * \brief          Import from an ASCII string
- *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param s        Null-terminated string buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_MPI_XXX error code
- */
-int mpi_read_string( mpi *X, int radix, const char *s );
-
-/**
- * \brief          Export into an ASCII string
- *
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param s        String buffer
- * \param slen     String buffer size
- *
- * \return         0 if successful, or an POLARSSL_ERR_MPI_XXX error code.
- *                 *slen is always updated to reflect the amount
- *                 of data that has (or would have) been written.
- *
- * \note           Call this function with *slen = 0 to obtain the
- *                 minimum required buffer size in *slen.
- */
-int mpi_write_string( const mpi *X, int radix, char *s, int *slen );
-
-/**
- * \brief          Read X from an opened file
- *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param fin      Input file handle
- *
- * \return         0 if successful, or an POLARSSL_ERR_MPI_XXX error code
- */
-int mpi_read_file( mpi *X, int radix, FILE *fin );
-
-/**
- * \brief          Write X into an opened file, or stdout if fout is NULL
- *
- * \param p        Prefix, can be NULL
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param fout     Output file handle (can be NULL)
- *
- * \return         0 if successful, or an POLARSSL_ERR_MPI_XXX error code
- *
- * \note           Set fout == NULL to print X on the console.
- */
-int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout );
-
-/**
- * \brief          Import X from unsigned binary data, big endian
- *
- * \param X        Destination MPI
- * \param buf      Input buffer
- * \param buflen   Input buffer size
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_read_binary( mpi *X, const unsigned char *buf, int buflen );
-
-/**
- * \brief          Export X into unsigned binary data, big endian
- *
- * \param X        Source MPI
- * \param buf      Output buffer
- * \param buflen   Output buffer size
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_BUFFER_TOO_SMALL if buf isn't large enough
- */
-int mpi_write_binary( const mpi *X, unsigned char *buf, int buflen );
-
-/**
- * \brief          Left-shift: X <<= count
- *
- * \param X        MPI to shift
- * \param count    Amount to shift
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_shift_l( mpi *X, int count );
-
-/**
- * \brief          Right-shift: X >>= count
- *
- * \param X        MPI to shift
- * \param count    Amount to shift
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_shift_r( mpi *X, int count );
-
-/**
- * \brief          Compare unsigned values
- *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
- *
- * \return         1 if |X| is greater than |Y|,
- *                -1 if |X| is lesser  than |Y| or
- *                 0 if |X| is equal to |Y|
- */
-int mpi_cmp_abs( const mpi *X, const mpi *Y );
-
-/**
- * \brief          Compare signed values
- *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
- *
- * \return         1 if X is greater than Y,
- *                -1 if X is lesser  than Y or
- *                 0 if X is equal to Y
- */
-int mpi_cmp_mpi( const mpi *X, const mpi *Y );
-
-/**
- * \brief          Compare signed values
- *
- * \param X        Left-hand MPI
- * \param z        The integer value to compare to
- *
- * \return         1 if X is greater than z,
- *                -1 if X is lesser  than z or
- *                 0 if X is equal to z
- */
-int mpi_cmp_int( const mpi *X, int z );
-
-/**
- * \brief          Unsigned addition: X = |A| + |B|
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_add_abs( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Unsigned substraction: X = |A| - |B|
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_NEGATIVE_VALUE if B is greater than A
- */
-int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Signed addition: X = A + B
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Signed substraction: X = A - B
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Signed addition: X = A + b
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to add
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_add_int( mpi *X, const mpi *A, int b );
-
-/**
- * \brief          Signed substraction: X = A - b
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to subtract
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_sub_int( mpi *X, const mpi *A, int b );
-
-/**
- * \brief          Baseline multiplication: X = A * B
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Baseline multiplication: X = A * b
- *                 Note: b is an unsigned integer type, thus
- *                 Negative values of b are ignored.
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to multiply with
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_mul_int( mpi *X, const mpi *A, t_int b );
-
-/**
- * \brief          Division by mpi: A = Q * B + R
- *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if B == 0
- *
- * \note           Either Q or R can be NULL.
- */
-int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B );
-
-/**
- * \brief          Division by int: A = Q * b + R
- *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
- *
- * \note           Either Q or R can be NULL.
- */
-int mpi_div_int( mpi *Q, mpi *R, const mpi *A, int b );
-
-/**
- * \brief          Modulo: R = A mod B
- *
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if B == 0,
- *                 POLARSSL_ERR_MPI_NEGATIVE_VALUE if B < 0
- */
-int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B );
-
-/**
- * \brief          Modulo: r = A mod b
- *
- * \param r        Destination t_int
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0,
- *                 POLARSSL_ERR_MPI_NEGATIVE_VALUE if b < 0
- */
-int mpi_mod_int( t_int *r, const mpi *A, int b );
-
-/**
- * \brief          Sliding-window exponentiation: X = A^E mod N
- *
- * \param X        Destination MPI 
- * \param A        Left-hand MPI
- * \param E        Exponent MPI
- * \param N        Modular MPI
- * \param _RR      Speed-up MPI used for recalculations
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if N is negative or even
- *
- * \note           _RR is used to avoid re-computing R*R mod N across
- *                 multiple calls, which speeds up things a bit. It can
- *                 be set to NULL if the extra performance is unneeded.
- */
-int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR );
-
-/**
- * \brief          Greatest common divisor: G = gcd(A, B)
- *
- * \param G        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed
- */
-int mpi_gcd( mpi *G, const mpi *A, const mpi *B );
-
-/**
- * \brief          Modular inverse: X = A^-1 mod N
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param N        Right-hand MPI
- *
- * \return         0 if successful,
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if N is negative or nil
-                   POLARSSL_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N
- */
-int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N );
-
-/**
- * \brief          Miller-Rabin primality test
- *
- * \param X        MPI to check
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \return         0 if successful (probably prime),
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_NOT_ACCEPTABLE if X is not prime
- */
-int mpi_is_prime( mpi *X, int (*f_rng)(void *), void *p_rng );
-
-/**
- * \brief          Prime number generation
- *
- * \param X        Destination MPI
- * \param nbits    Required size of X in bits
- * \param dh_flag  If 1, then (X-1)/2 will be prime too
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \return         0 if successful (probably prime),
- *                 1 if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
- */
-int mpi_gen_prime( mpi *X, int nbits, int dh_flag,
-                   int (*f_rng)(void *), void *p_rng );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int mpi_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* bignum.h */
diff --git a/ctrtool/polarssl/bn_mul.h b/ctrtool/polarssl/bn_mul.h
deleted file mode 100644
index a73d5fb0..00000000
--- a/ctrtool/polarssl/bn_mul.h
+++ /dev/null
@@ -1,736 +0,0 @@
-/**
- * \file bn_mul.h
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *      Multiply source vector [s] with b, add result
- *       to destination vector [d] and set carry c.
- *
- *      Currently supports:
- *
- *         . IA-32 (386+)         . AMD64 / EM64T
- *         . IA-32 (SSE2)         . Motorola 68000
- *         . PowerPC, 32-bit      . MicroBlaze
- *         . PowerPC, 64-bit      . TriCore
- *         . SPARC v8             . ARM v3+
- *         . Alpha                . MIPS32
- *         . C, longlong          . C, generic
- */
-#ifndef POLARSSL_BN_MUL_H
-#define POLARSSL_BN_MUL_H
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_HAVE_ASM)
-
-#if defined(__GNUC__)
-#if defined(__i386__)
-
-#define MULADDC_INIT                \
-    asm( "                          \
-        movl   %%ebx, %0;           \
-        movl   %5, %%esi;           \
-        movl   %6, %%edi;           \
-        movl   %7, %%ecx;           \
-        movl   %8, %%ebx;           \
-        "
-
-#define MULADDC_CORE                \
-        "                           \
-        lodsl;                      \
-        mull   %%ebx;               \
-        addl   %%ecx,   %%eax;      \
-        adcl   $0,      %%edx;      \
-        addl   (%%edi), %%eax;      \
-        adcl   $0,      %%edx;      \
-        movl   %%edx,   %%ecx;      \
-        stosl;                      \
-        "
-
-#if defined(POLARSSL_HAVE_SSE2)
-
-#define MULADDC_HUIT                    \
-        "                               \
-        movd     %%ecx,     %%mm1;      \
-        movd     %%ebx,     %%mm0;      \
-        movd     (%%edi),   %%mm3;      \
-        paddq    %%mm3,     %%mm1;      \
-        movd     (%%esi),   %%mm2;      \
-        pmuludq  %%mm0,     %%mm2;      \
-        movd     4(%%esi),  %%mm4;      \
-        pmuludq  %%mm0,     %%mm4;      \
-        movd     8(%%esi),  %%mm6;      \
-        pmuludq  %%mm0,     %%mm6;      \
-        movd     12(%%esi), %%mm7;      \
-        pmuludq  %%mm0,     %%mm7;      \
-        paddq    %%mm2,     %%mm1;      \
-        movd     4(%%edi),  %%mm3;      \
-        paddq    %%mm4,     %%mm3;      \
-        movd     8(%%edi),  %%mm5;      \
-        paddq    %%mm6,     %%mm5;      \
-        movd     12(%%edi), %%mm4;      \
-        paddq    %%mm4,     %%mm7;      \
-        movd     %%mm1,     (%%edi);    \
-        movd     16(%%esi), %%mm2;      \
-        pmuludq  %%mm0,     %%mm2;      \
-        psrlq    $32,       %%mm1;      \
-        movd     20(%%esi), %%mm4;      \
-        pmuludq  %%mm0,     %%mm4;      \
-        paddq    %%mm3,     %%mm1;      \
-        movd     24(%%esi), %%mm6;      \
-        pmuludq  %%mm0,     %%mm6;      \
-        movd     %%mm1,     4(%%edi);   \
-        psrlq    $32,       %%mm1;      \
-        movd     28(%%esi), %%mm3;      \
-        pmuludq  %%mm0,     %%mm3;      \
-        paddq    %%mm5,     %%mm1;      \
-        movd     16(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm2;      \
-        movd     %%mm1,     8(%%edi);   \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm7,     %%mm1;      \
-        movd     20(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm4;      \
-        movd     %%mm1,     12(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm2,     %%mm1;      \
-        movd     24(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm6;      \
-        movd     %%mm1,     16(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm4,     %%mm1;      \
-        movd     28(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm3;      \
-        movd     %%mm1,     20(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm6,     %%mm1;      \
-        movd     %%mm1,     24(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm3,     %%mm1;      \
-        movd     %%mm1,     28(%%edi);  \
-        addl     $32,       %%edi;      \
-        addl     $32,       %%esi;      \
-        psrlq    $32,       %%mm1;      \
-        movd     %%mm1,     %%ecx;      \
-        "
-
-#define MULADDC_STOP            \
-        "                       \
-        emms;                   \
-        movl   %4, %%ebx;       \
-        movl   %%ecx, %1;       \
-        movl   %%edi, %2;       \
-        movl   %%esi, %3;       \
-        "                       \
-        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
-        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-        : "eax", "ecx", "edx", "esi", "edi"             \
-    );
-
-#else
-
-#define MULADDC_STOP            \
-        "                       \
-        movl   %4, %%ebx;       \
-        movl   %%ecx, %1;       \
-        movl   %%edi, %2;       \
-        movl   %%esi, %3;       \
-        "                       \
-        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
-        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-        : "eax", "ecx", "edx", "esi", "edi"             \
-    );
-#endif /* SSE2 */
-#endif /* i386 */
-
-#if defined(__amd64__) || defined (__x86_64__)
-
-#define MULADDC_INIT                            \
-    asm( "movq   %0, %%rsi      " :: "m" (s));  \
-    asm( "movq   %0, %%rdi      " :: "m" (d));  \
-    asm( "movq   %0, %%rcx      " :: "m" (c));  \
-    asm( "movq   %0, %%rbx      " :: "m" (b));  \
-    asm( "xorq   %r8, %r8       " );
-
-#define MULADDC_CORE                            \
-    asm( "movq  (%rsi),%rax     " );            \
-    asm( "mulq   %rbx           " );            \
-    asm( "addq   $8,   %rsi     " );            \
-    asm( "addq   %rcx, %rax     " );            \
-    asm( "movq   %r8,  %rcx     " );            \
-    asm( "adcq   $0,   %rdx     " );            \
-    asm( "nop                   " );            \
-    asm( "addq   %rax, (%rdi)   " );            \
-    asm( "adcq   %rdx, %rcx     " );            \
-    asm( "addq   $8,   %rdi     " );
-
-#define MULADDC_STOP                            \
-    asm( "movq   %%rcx, %0      " : "=m" (c));  \
-    asm( "movq   %%rdi, %0      " : "=m" (d));  \
-    asm( "movq   %%rsi, %0      " : "=m" (s) :: \
-    "rax", "rcx", "rdx", "rbx", "rsi", "rdi", "r8" );
-
-#endif /* AMD64 */
-
-#if defined(__mc68020__) || defined(__mcpu32__)
-
-#define MULADDC_INIT                            \
-    asm( "movl   %0, %%a2       " :: "m" (s));  \
-    asm( "movl   %0, %%a3       " :: "m" (d));  \
-    asm( "movl   %0, %%d3       " :: "m" (c));  \
-    asm( "movl   %0, %%d2       " :: "m" (b));  \
-    asm( "moveq  #0, %d0        " );
-
-#define MULADDC_CORE                            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d4:%d1   " );            \
-    asm( "addl   %d3, %d1       " );            \
-    asm( "addxl  %d0, %d4       " );            \
-    asm( "moveq  #0,  %d3       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "addxl  %d4, %d3       " );
-
-#define MULADDC_STOP                            \
-    asm( "movl   %%d3, %0       " : "=m" (c));  \
-    asm( "movl   %%a3, %0       " : "=m" (d));  \
-    asm( "movl   %%a2, %0       " : "=m" (s) :: \
-    "d0", "d1", "d2", "d3", "d4", "a2", "a3" );
-
-#define MULADDC_HUIT                            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d4:%d1   " );            \
-    asm( "addxl  %d3, %d1       " );            \
-    asm( "addxl  %d0, %d4       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d3:%d1   " );            \
-    asm( "addxl  %d4, %d1       " );            \
-    asm( "addxl  %d0, %d3       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d4:%d1   " );            \
-    asm( "addxl  %d3, %d1       " );            \
-    asm( "addxl  %d0, %d4       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d3:%d1   " );            \
-    asm( "addxl  %d4, %d1       " );            \
-    asm( "addxl  %d0, %d3       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d4:%d1   " );            \
-    asm( "addxl  %d3, %d1       " );            \
-    asm( "addxl  %d0, %d4       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d3:%d1   " );            \
-    asm( "addxl  %d4, %d1       " );            \
-    asm( "addxl  %d0, %d3       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d4:%d1   " );            \
-    asm( "addxl  %d3, %d1       " );            \
-    asm( "addxl  %d0, %d4       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "movel  %a2@+, %d1     " );            \
-    asm( "mulul  %d2, %d3:%d1   " );            \
-    asm( "addxl  %d4, %d1       " );            \
-    asm( "addxl  %d0, %d3       " );            \
-    asm( "addl   %d1, %a3@+     " );            \
-    asm( "addxl  %d0, %d3       " );
-
-#endif /* MC68000 */
-
-#if defined(__powerpc__)   || defined(__ppc__)
-#if defined(__powerpc64__) || defined(__ppc64__)
-
-#if defined(__MACH__) && defined(__APPLE__)
-
-#define MULADDC_INIT                            \
-    asm( "ld     r3, %0         " :: "m" (s));  \
-    asm( "ld     r4, %0         " :: "m" (d));  \
-    asm( "ld     r5, %0         " :: "m" (c));  \
-    asm( "ld     r6, %0         " :: "m" (b));  \
-    asm( "addi   r3, r3, -8     " );            \
-    asm( "addi   r4, r4, -8     " );            \
-    asm( "addic  r5, r5,  0     " );
-
-#define MULADDC_CORE                            \
-    asm( "ldu    r7, 8(r3)      " );            \
-    asm( "mulld  r8, r7, r6     " );            \
-    asm( "mulhdu r9, r7, r6     " );            \
-    asm( "adde   r8, r8, r5     " );            \
-    asm( "ld     r7, 8(r4)      " );            \
-    asm( "addze  r5, r9         " );            \
-    asm( "addc   r8, r8, r7     " );            \
-    asm( "stdu   r8, 8(r4)      " );
-
-#define MULADDC_STOP                            \
-    asm( "addze  r5, r5         " );            \
-    asm( "addi   r4, r4, 8      " );            \
-    asm( "addi   r3, r3, 8      " );            \
-    asm( "std    r5, %0         " : "=m" (c));  \
-    asm( "std    r4, %0         " : "=m" (d));  \
-    asm( "std    r3, %0         " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#else
-
-#define MULADDC_INIT                            \
-    asm( "ld     %%r3, %0       " :: "m" (s));  \
-    asm( "ld     %%r4, %0       " :: "m" (d));  \
-    asm( "ld     %%r5, %0       " :: "m" (c));  \
-    asm( "ld     %%r6, %0       " :: "m" (b));  \
-    asm( "addi   %r3, %r3, -8   " );            \
-    asm( "addi   %r4, %r4, -8   " );            \
-    asm( "addic  %r5, %r5,  0   " );
-
-#define MULADDC_CORE                            \
-    asm( "ldu    %r7, 8(%r3)    " );            \
-    asm( "mulld  %r8, %r7, %r6  " );            \
-    asm( "mulhdu %r9, %r7, %r6  " );            \
-    asm( "adde   %r8, %r8, %r5  " );            \
-    asm( "ld     %r7, 8(%r4)    " );            \
-    asm( "addze  %r5, %r9       " );            \
-    asm( "addc   %r8, %r8, %r7  " );            \
-    asm( "stdu   %r8, 8(%r4)    " );
-
-#define MULADDC_STOP                            \
-    asm( "addze  %r5, %r5       " );            \
-    asm( "addi   %r4, %r4, 8    " );            \
-    asm( "addi   %r3, %r3, 8    " );            \
-    asm( "std    %%r5, %0       " : "=m" (c));  \
-    asm( "std    %%r4, %0       " : "=m" (d));  \
-    asm( "std    %%r3, %0       " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#endif
-
-#else /* PPC32 */
-
-#if defined(__MACH__) && defined(__APPLE__)
-
-#define MULADDC_INIT                            \
-    asm( "lwz    r3, %0         " :: "m" (s));  \
-    asm( "lwz    r4, %0         " :: "m" (d));  \
-    asm( "lwz    r5, %0         " :: "m" (c));  \
-    asm( "lwz    r6, %0         " :: "m" (b));  \
-    asm( "addi   r3, r3, -4     " );            \
-    asm( "addi   r4, r4, -4     " );            \
-    asm( "addic  r5, r5,  0     " );
-
-#define MULADDC_CORE                            \
-    asm( "lwzu   r7, 4(r3)      " );            \
-    asm( "mullw  r8, r7, r6     " );            \
-    asm( "mulhwu r9, r7, r6     " );            \
-    asm( "adde   r8, r8, r5     " );            \
-    asm( "lwz    r7, 4(r4)      " );            \
-    asm( "addze  r5, r9         " );            \
-    asm( "addc   r8, r8, r7     " );            \
-    asm( "stwu   r8, 4(r4)      " );
-
-#define MULADDC_STOP                            \
-    asm( "addze  r5, r5         " );            \
-    asm( "addi   r4, r4, 4      " );            \
-    asm( "addi   r3, r3, 4      " );            \
-    asm( "stw    r5, %0         " : "=m" (c));  \
-    asm( "stw    r4, %0         " : "=m" (d));  \
-    asm( "stw    r3, %0         " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#else
-
-#define MULADDC_INIT                            \
-    asm( "lwz    %%r3, %0       " :: "m" (s));  \
-    asm( "lwz    %%r4, %0       " :: "m" (d));  \
-    asm( "lwz    %%r5, %0       " :: "m" (c));  \
-    asm( "lwz    %%r6, %0       " :: "m" (b));  \
-    asm( "addi   %r3, %r3, -4   " );            \
-    asm( "addi   %r4, %r4, -4   " );            \
-    asm( "addic  %r5, %r5,  0   " );
-
-#define MULADDC_CORE                            \
-    asm( "lwzu   %r7, 4(%r3)    " );            \
-    asm( "mullw  %r8, %r7, %r6  " );            \
-    asm( "mulhwu %r9, %r7, %r6  " );            \
-    asm( "adde   %r8, %r8, %r5  " );            \
-    asm( "lwz    %r7, 4(%r4)    " );            \
-    asm( "addze  %r5, %r9       " );            \
-    asm( "addc   %r8, %r8, %r7  " );            \
-    asm( "stwu   %r8, 4(%r4)    " );
-
-#define MULADDC_STOP                            \
-    asm( "addze  %r5, %r5       " );            \
-    asm( "addi   %r4, %r4, 4    " );            \
-    asm( "addi   %r3, %r3, 4    " );            \
-    asm( "stw    %%r5, %0       " : "=m" (c));  \
-    asm( "stw    %%r4, %0       " : "=m" (d));  \
-    asm( "stw    %%r3, %0       " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#endif
-
-#endif /* PPC32 */
-#endif /* PPC64 */
-
-#if defined(__sparc__)
-
-#define MULADDC_INIT                            \
-    asm( "ld     %0, %%o0       " :: "m" (s));  \
-    asm( "ld     %0, %%o1       " :: "m" (d));  \
-    asm( "ld     %0, %%o2       " :: "m" (c));  \
-    asm( "ld     %0, %%o3       " :: "m" (b));
-
-#define MULADDC_CORE                            \
-    asm( "ld    [%o0], %o4      " );            \
-    asm( "inc      4,  %o0      " );            \
-    asm( "ld    [%o1], %o5      " );            \
-    asm( "umul   %o3,  %o4, %o4 " );            \
-    asm( "addcc  %o4,  %o2, %o4 " );            \
-    asm( "rd      %y,  %g1      " );            \
-    asm( "addx   %g1,    0, %g1 " );            \
-    asm( "addcc  %o4,  %o5, %o4 " );            \
-    asm( "st     %o4, [%o1]     " );            \
-    asm( "addx   %g1,    0, %o2 " );            \
-    asm( "inc      4,  %o1      " );
-
-#define MULADDC_STOP                            \
-    asm( "st     %%o2, %0       " : "=m" (c));  \
-    asm( "st     %%o1, %0       " : "=m" (d));  \
-    asm( "st     %%o0, %0       " : "=m" (s) :: \
-    "g1", "o0", "o1", "o2", "o3", "o4", "o5" );
-
-#endif /* SPARCv8 */
-
-#if defined(__microblaze__) || defined(microblaze)
-
-#define MULADDC_INIT                            \
-    asm( "lwi   r3,   %0        " :: "m" (s));  \
-    asm( "lwi   r4,   %0        " :: "m" (d));  \
-    asm( "lwi   r5,   %0        " :: "m" (c));  \
-    asm( "lwi   r6,   %0        " :: "m" (b));  \
-    asm( "andi  r7,   r6, 0xffff" );            \
-    asm( "bsrli r6,   r6, 16    " );
-
-#define MULADDC_CORE                            \
-    asm( "lhui  r8,   r3,   0   " );            \
-    asm( "addi  r3,   r3,   2   " );            \
-    asm( "lhui  r9,   r3,   0   " );            \
-    asm( "addi  r3,   r3,   2   " );            \
-    asm( "mul   r10,  r9,  r6   " );            \
-    asm( "mul   r11,  r8,  r7   " );            \
-    asm( "mul   r12,  r9,  r7   " );            \
-    asm( "mul   r13,  r8,  r6   " );            \
-    asm( "bsrli  r8, r10,  16   " );            \
-    asm( "bsrli  r9, r11,  16   " );            \
-    asm( "add   r13, r13,  r8   " );            \
-    asm( "add   r13, r13,  r9   " );            \
-    asm( "bslli r10, r10,  16   " );            \
-    asm( "bslli r11, r11,  16   " );            \
-    asm( "add   r12, r12, r10   " );            \
-    asm( "addc  r13, r13,  r0   " );            \
-    asm( "add   r12, r12, r11   " );            \
-    asm( "addc  r13, r13,  r0   " );            \
-    asm( "lwi   r10,  r4,   0   " );            \
-    asm( "add   r12, r12, r10   " );            \
-    asm( "addc  r13, r13,  r0   " );            \
-    asm( "add   r12, r12,  r5   " );            \
-    asm( "addc   r5, r13,  r0   " );            \
-    asm( "swi   r12,  r4,   0   " );            \
-    asm( "addi   r4,  r4,   4   " );
-
-#define MULADDC_STOP                            \
-    asm( "swi   r5,   %0        " : "=m" (c));  \
-    asm( "swi   r4,   %0        " : "=m" (d));  \
-    asm( "swi   r3,   %0        " : "=m" (s) :: \
-     "r3", "r4" , "r5" , "r6" , "r7" , "r8" ,   \
-     "r9", "r10", "r11", "r12", "r13" );
-
-#endif /* MicroBlaze */
-
-#if defined(__tricore__)
-
-#define MULADDC_INIT                            \
-    asm( "ld.a   %%a2, %0       " :: "m" (s));  \
-    asm( "ld.a   %%a3, %0       " :: "m" (d));  \
-    asm( "ld.w   %%d4, %0       " :: "m" (c));  \
-    asm( "ld.w   %%d1, %0       " :: "m" (b));  \
-    asm( "xor    %d5, %d5       " );
-
-#define MULADDC_CORE                            \
-    asm( "ld.w   %d0,   [%a2+]      " );        \
-    asm( "madd.u %e2, %e4, %d0, %d1 " );        \
-    asm( "ld.w   %d0,   [%a3]       " );        \
-    asm( "addx   %d2,    %d2,  %d0  " );        \
-    asm( "addc   %d3,    %d3,    0  " );        \
-    asm( "mov    %d4,    %d3        " );        \
-    asm( "st.w  [%a3+],  %d2        " );
-
-#define MULADDC_STOP                            \
-    asm( "st.w   %0, %%d4       " : "=m" (c));  \
-    asm( "st.a   %0, %%a3       " : "=m" (d));  \
-    asm( "st.a   %0, %%a2       " : "=m" (s) :: \
-    "d0", "d1", "e2", "d4", "a2", "a3" );
-
-#endif /* TriCore */
-
-#if defined(__arm__)
-
-#define MULADDC_INIT                            \
-    asm( "ldr    r0, %0         " :: "m" (s));  \
-    asm( "ldr    r1, %0         " :: "m" (d));  \
-    asm( "ldr    r2, %0         " :: "m" (c));  \
-    asm( "ldr    r3, %0         " :: "m" (b));
-
-#define MULADDC_CORE                            \
-    asm( "ldr    r4, [r0], #4   " );            \
-    asm( "mov    r5, #0         " );            \
-    asm( "ldr    r6, [r1]       " );            \
-    asm( "umlal  r2, r5, r3, r4 " );            \
-    asm( "adds   r7, r6, r2     " );            \
-    asm( "adc    r2, r5, #0     " );            \
-    asm( "str    r7, [r1], #4   " );
-
-#define MULADDC_STOP                            \
-    asm( "str    r2, %0         " : "=m" (c));  \
-    asm( "str    r1, %0         " : "=m" (d));  \
-    asm( "str    r0, %0         " : "=m" (s) :: \
-    "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7" );
-
-#endif /* ARMv3 */
-
-#if defined(__alpha__)
-
-#define MULADDC_INIT                            \
-    asm( "ldq    $1, %0         " :: "m" (s));  \
-    asm( "ldq    $2, %0         " :: "m" (d));  \
-    asm( "ldq    $3, %0         " :: "m" (c));  \
-    asm( "ldq    $4, %0         " :: "m" (b));
-
-#define MULADDC_CORE                            \
-    asm( "ldq    $6,  0($1)     " );            \
-    asm( "addq   $1,  8, $1     " );            \
-    asm( "mulq   $6, $4, $7     " );            \
-    asm( "umulh  $6, $4, $6     " );            \
-    asm( "addq   $7, $3, $7     " );            \
-    asm( "cmpult $7, $3, $3     " );            \
-    asm( "ldq    $5,  0($2)     " );            \
-    asm( "addq   $7, $5, $7     " );            \
-    asm( "cmpult $7, $5, $5     " );            \
-    asm( "stq    $7,  0($2)     " );            \
-    asm( "addq   $2,  8, $2     " );            \
-    asm( "addq   $6, $3, $3     " );            \
-    asm( "addq   $5, $3, $3     " );
-
-#define MULADDC_STOP                            \
-    asm( "stq    $3, %0         " : "=m" (c));  \
-    asm( "stq    $2, %0         " : "=m" (d));  \
-    asm( "stq    $1, %0         " : "=m" (s) :: \
-    "$1", "$2", "$3", "$4", "$5", "$6", "$7" );
-
-#endif /* Alpha */
-
-#if defined(__mips__)
-
-#define MULADDC_INIT                            \
-    asm( "lw     $10, %0        " :: "m" (s));  \
-    asm( "lw     $11, %0        " :: "m" (d));  \
-    asm( "lw     $12, %0        " :: "m" (c));  \
-    asm( "lw     $13, %0        " :: "m" (b));
-
-#define MULADDC_CORE                            \
-    asm( "lw     $14, 0($10)    " );            \
-    asm( "multu  $13, $14       " );            \
-    asm( "addi   $10, $10, 4    " );            \
-    asm( "mflo   $14            " );            \
-    asm( "mfhi   $9             " );            \
-    asm( "addu   $14, $12, $14  " );            \
-    asm( "lw     $15, 0($11)    " );            \
-    asm( "sltu   $12, $14, $12  " );            \
-    asm( "addu   $15, $14, $15  " );            \
-    asm( "sltu   $14, $15, $14  " );            \
-    asm( "addu   $12, $12, $9   " );            \
-    asm( "sw     $15, 0($11)    " );            \
-    asm( "addu   $12, $12, $14  " );            \
-    asm( "addi   $11, $11, 4    " );
-
-#define MULADDC_STOP                            \
-    asm( "sw     $12, %0        " : "=m" (c));  \
-    asm( "sw     $11, %0        " : "=m" (d));  \
-    asm( "sw     $10, %0        " : "=m" (s) :: \
-    "$9", "$10", "$11", "$12", "$13", "$14", "$15" );
-
-#endif /* MIPS */
-#endif /* GNUC */
-
-#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
-
-#define MULADDC_INIT                            \
-    __asm   mov     esi, s                      \
-    __asm   mov     edi, d                      \
-    __asm   mov     ecx, c                      \
-    __asm   mov     ebx, b
-
-#define MULADDC_CORE                            \
-    __asm   lodsd                               \
-    __asm   mul     ebx                         \
-    __asm   add     eax, ecx                    \
-    __asm   adc     edx, 0                      \
-    __asm   add     eax, [edi]                  \
-    __asm   adc     edx, 0                      \
-    __asm   mov     ecx, edx                    \
-    __asm   stosd
-
-#if defined(POLARSSL_HAVE_SSE2)
-
-#define EMIT __asm _emit
-
-#define MULADDC_HUIT                            \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0xC9             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0xC3             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x1F             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x16             \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x04  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x08  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x7E  EMIT 0x0C  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xF8             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x5F  EMIT 0x04  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xDC             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x08  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xEE             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x67  EMIT 0x0C  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xFC             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x0F             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x56  EMIT 0x10  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x14  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x18  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x04  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x5E  EMIT 0x1C  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xD8             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCD             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x10  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xD5             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x08  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCF             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x14  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xE5             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x0C  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x18  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xF5             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x10  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCC             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x1C  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xDD             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x14  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCE             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x18  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x1C  \
-    EMIT 0x83  EMIT 0xC7  EMIT 0x20             \
-    EMIT 0x83  EMIT 0xC6  EMIT 0x20             \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0xC9
-
-#define MULADDC_STOP                            \
-    EMIT 0x0F  EMIT 0x77                        \
-    __asm   mov     c, ecx                      \
-    __asm   mov     d, edi                      \
-    __asm   mov     s, esi                      \
-
-#else
-
-#define MULADDC_STOP                            \
-    __asm   mov     c, ecx                      \
-    __asm   mov     d, edi                      \
-    __asm   mov     s, esi                      \
-
-#endif /* SSE2 */
-#endif /* MSVC */
-
-#endif /* POLARSSL_HAVE_ASM */
-
-#if !defined(MULADDC_CORE)
-#if defined(POLARSSL_HAVE_LONGLONG)
-
-#define MULADDC_INIT                    \
-{                                       \
-    t_dbl r;                            \
-    t_int r0, r1;
-
-#define MULADDC_CORE                    \
-    r   = *(s++) * (t_dbl) b;           \
-    r0  = r;                            \
-    r1  = r >> biL;                     \
-    r0 += c;  r1 += (r0 <  c);          \
-    r0 += *d; r1 += (r0 < *d);          \
-    c = r1; *(d++) = r0;
-
-#define MULADDC_STOP                    \
-}
-
-#else
-#define MULADDC_INIT                    \
-{                                       \
-    t_int s0, s1, b0, b1;               \
-    t_int r0, r1, rx, ry;               \
-    b0 = ( b << biH ) >> biH;           \
-    b1 = ( b >> biH );
-
-#define MULADDC_CORE                    \
-    s0 = ( *s << biH ) >> biH;          \
-    s1 = ( *s >> biH ); s++;            \
-    rx = s0 * b1; r0 = s0 * b0;         \
-    ry = s1 * b0; r1 = s1 * b1;         \
-    r1 += ( rx >> biH );                \
-    r1 += ( ry >> biH );                \
-    rx <<= biH; ry <<= biH;             \
-    r0 += rx; r1 += (r0 < rx);          \
-    r0 += ry; r1 += (r0 < ry);          \
-    r0 +=  c; r1 += (r0 <  c);          \
-    r0 += *d; r1 += (r0 < *d);          \
-    c = r1; *(d++) = r0;
-
-#define MULADDC_STOP                    \
-}
-
-#endif /* C (generic)  */
-#endif /* C (longlong) */
-
-#endif /* bn_mul.h */
diff --git a/ctrtool/polarssl/config.h b/ctrtool/polarssl/config.h
deleted file mode 100644
index 267e2dde..00000000
--- a/ctrtool/polarssl/config.h
+++ /dev/null
@@ -1,336 +0,0 @@
-/**
- * \file config.h
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * This set of compile-time options may be used to enable
- * or disable features selectively, and reduce the global
- * memory footprint.
- */
-#ifndef POLARSSL_CONFIG_H
-#define POLARSSL_CONFIG_H
-
-#ifndef _CRT_SECURE_NO_DEPRECATE
-#define _CRT_SECURE_NO_DEPRECATE 1
-#endif
-
-/*
- * Uncomment if native integers are 8-bit wide.
- *
-#define POLARSSL_HAVE_INT8
- */
-
-/*
- * Uncomment if native integers are 16-bit wide.
- *
-#define POLARSSL_HAVE_INT16
- */
-
-/*
- * Uncomment if the compiler supports long long.
- *
-#define POLARSSL_HAVE_LONGLONG
- */
-
-/*
- * Uncomment to enable the use of assembly code.
- *
- * Requires support for asm() in compiler.
- *
- * Used in:
- *      library/timing.c
- *      library/padlock.c
- *      include/polarssl/bn_mul.h
- *
- */
-//#define POLARSSL_HAVE_ASM
-
-/*
- * Uncomment if the CPU supports SSE2 (IA-32 specific).
- *
-#define POLARSSL_HAVE_SSE2
- */
-
-/*
- * Enable all SSL/TLS debugging messages.
- */
-#define POLARSSL_DEBUG_MSG
-
-/*
- * Enable the checkup functions (*_self_test).
- */
-//#define POLARSSL_SELF_TEST
-
-/*
- * Enable run-time version information functions
- */
-#define POLARSSL_VERSION_C
-
-/*
- * Enable the prime-number generation code.
- */
-#define POLARSSL_GENPRIME
-
-/*
- * Uncomment this macro to store the AES tables in ROM.
- *
-#define POLARSSL_AES_ROM_TABLES
- */
-
-/*
- * Module:  library/aes.c
- * Caller:  library/ssl_tls.c
- *
- * This module enables the following ciphersuites:
- *      SSL_RSA_AES_128_SHA
- *      SSL_RSA_AES_256_SHA
- *      SSL_EDH_RSA_AES_256_SHA
- */
-#define POLARSSL_AES_C
-
-/*
- * Module:  library/arc4.c
- * Caller:  library/ssl_tls.c
- *
- * This module enables the following ciphersuites:
- *      SSL_RSA_RC4_128_MD5
- *      SSL_RSA_RC4_128_SHA
- */
-#define POLARSSL_ARC4_C
-
-/*
- * Module:  library/base64.c
- * Caller:  library/x509parse.c
- *
- * This module is required for X.509 support.
- */
-#define POLARSSL_BASE64_C
-
-/*
- * Module:  library/bignum.c
- * Caller:  library/dhm.c
- *          library/rsa.c
- *          library/ssl_tls.c
- *          library/x509parse.c
- *
- * This module is required for RSA and DHM support.
- */
-#define POLARSSL_BIGNUM_C
-
-/*
- * Module:  library/camellia.c
- * Caller:  library/ssl_tls.c
- *
- * This module enabled the following cipher suites:
- *      SSL_RSA_CAMELLIA_128_SHA
- *      SSL_RSA_CAMELLIA_256_SHA
- *      SSL_EDH_RSA_CAMELLIA_256_SHA
- */
-#define POLARSSL_CAMELLIA_C
-
-/*
- * Module:  library/certs.c
- * Caller:
- *
- * This module is used for testing (ssl_client/server).
- */
-#define POLARSSL_CERTS_C
-
-/*
- * Module:  library/debug.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *
- * This module provides debugging functions.
- */
-#define POLARSSL_DEBUG_C
-
-/*
- * Module:  library/des.c
- * Caller:  library/ssl_tls.c
- *
- * This module enables the following ciphersuites:
- *      SSL_RSA_DES_168_SHA
- *      SSL_EDH_RSA_DES_168_SHA
- */
-#define POLARSSL_DES_C
-
-/*
- * Module:  library/dhm.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *
- * This module enables the following ciphersuites:
- *      SSL_EDH_RSA_DES_168_SHA
- *      SSL_EDH_RSA_AES_256_SHA
- *      SSL_EDH_RSA_CAMELLIA_256_SHA
- */
-#define POLARSSL_DHM_C
-
-/*
- * Module:  library/havege.c
- * Caller:
- *
- * This module enables the HAVEGE random number generator.
- */
-#define POLARSSL_HAVEGE_C
-
-/*
- * Module:  library/md2.c
- * Caller:  library/x509parse.c
- *
- * Uncomment to enable support for (rare) MD2-signed X.509 certs.
- *
-#define POLARSSL_MD2_C
- */
-
-/*
- * Module:  library/md4.c
- * Caller:  library/x509parse.c
- *
- * Uncomment to enable support for (rare) MD4-signed X.509 certs.
- *
-#define POLARSSL_MD4_C
- */
-
-/*
- * Module:  library/md5.c
- * Caller:  library/ssl_tls.c
- *          library/x509parse.c
- *
- * This module is required for SSL/TLS and X.509.
- */
-#define POLARSSL_MD5_C
-
-/*
- * Module:  library/net.c
- * Caller:
- *
- * This module provides TCP/IP networking routines.
- */
-#define POLARSSL_NET_C
-
-/*
- * Module:  library/padlock.c
- * Caller:  library/aes.c
- *
- * This modules adds support for the VIA PadLock on x86.
- */
-#define POLARSSL_PADLOCK_C
-
-/*
- * Module:  library/rsa.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *          library/x509.c
- *
- * This module is required for SSL/TLS and MD5-signed certificates.
- */
-#define POLARSSL_RSA_C
-
-/*
- * Module:  library/sha1.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *          library/x509parse.c
- *
- * This module is required for SSL/TLS and SHA1-signed certificates.
- */
-#define POLARSSL_SHA1_C
-
-/*
- * Module:  library/sha2.c
- * Caller:
- *
- * This module adds support for SHA-224 and SHA-256.
- */
-#define POLARSSL_SHA2_C
-
-/*
- * Module:  library/sha4.c
- * Caller:
- *
- * This module adds support for SHA-384 and SHA-512.
- */
-#define POLARSSL_SHA4_C
-
-/*
- * Module:  library/ssl_cli.c
- * Caller:
- *
- * This module is required for SSL/TLS client support.
- */
-#define POLARSSL_SSL_CLI_C
-
-/*
- * Module:  library/ssl_srv.c
- * Caller:
- *
- * This module is required for SSL/TLS server support.
- */
-#define POLARSSL_SSL_SRV_C
-
-/*
- * Module:  library/ssl_tls.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *
- * This module is required for SSL/TLS.
- */
-#define POLARSSL_SSL_TLS_C
-
-/*
- * Module:  library/timing.c
- * Caller:  library/havege.c
- *
- * This module is used by the HAVEGE random number generator.
- */
-#define POLARSSL_TIMING_C
-
-/*
- * Module:  library/x509parse.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *
- * This module is required for X.509 certificate parsing.
- */
-#define POLARSSL_X509_PARSE_C
-
-/*
- * Module:  library/x509_write.c
- * Caller:
- *
- * This module is required for X.509 certificate writing.
- */
-#define POLARSSL_X509_WRITE_C
-
-/*
- * Module:  library/xtea.c
- * Caller:
- */
-#define POLARSSL_XTEA_C
-
-#endif /* config.h */
diff --git a/ctrtool/polarssl/padlock.h b/ctrtool/polarssl/padlock.h
deleted file mode 100644
index 12fa7d3c..00000000
--- a/ctrtool/polarssl/padlock.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/**
- * \file padlock.h
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_PADLOCK_H
-#define POLARSSL_PADLOCK_H
-
-#include "polarssl/aes.h"
-
-#if defined(POLARSSL_HAVE_ASM) && defined(__GNUC__) && defined(__i386__)
-
-#ifndef POLARSSL_HAVE_X86
-#define POLARSSL_HAVE_X86
-#endif
-
-#define PADLOCK_RNG 0x000C
-#define PADLOCK_ACE 0x00C0
-#define PADLOCK_PHE 0x0C00
-#define PADLOCK_PMM 0x3000
-
-#define PADLOCK_ALIGN16(x) (unsigned long *) (16 + ((long) x & ~15))
-
-#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED                    -0x08E0
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          PadLock detection routine
- *
- * \param          The feature to detect
- *
- * \return         1 if CPU has support for the feature, 0 otherwise
- */
-int padlock_supports( int feature );
-
-/**
- * \brief          PadLock AES-ECB block en(de)cryption
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param input    16-byte input block
- * \param output   16-byte output block
- *
- * \return         0 if success, 1 if operation failed
- */
-int padlock_xcryptecb( aes_context *ctx,
-                       int mode,
-                       const unsigned char input[16],
-                       unsigned char output[16] );
-
-/**
- * \brief          PadLock AES-CBC buffer en(de)cryption
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if success, 1 if operation failed
- */
-int padlock_xcryptcbc( aes_context *ctx,
-                       int mode,
-                       int length,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* HAVE_X86  */
-
-#endif /* padlock.h */
diff --git a/ctrtool/polarssl/rsa.c b/ctrtool/polarssl/rsa.c
deleted file mode 100644
index 77404fcc..00000000
--- a/ctrtool/polarssl/rsa.c
+++ /dev/null
@@ -1,823 +0,0 @@
-/*
- *  The RSA public-key cryptosystem
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
- *
- *  http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
- *  http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_RSA_C)
-
-#include "polarssl/rsa.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-
-/*
- * Initialize an RSA context
- */
-void rsa_init( rsa_context *ctx,
-               int padding,
-               int hash_id )
-{
-    memset( ctx, 0, sizeof( rsa_context ) );
-
-    ctx->padding = padding;
-    ctx->hash_id = hash_id;
-}
-
-#if defined(POLARSSL_GENPRIME)
-
-/*
- * Generate an RSA keypair
- */
-int rsa_gen_key( rsa_context *ctx,
-        int (*f_rng)(void *),
-        void *p_rng,
-        int nbits, int exponent )
-{
-    int ret;
-    mpi P1, Q1, H, G;
-
-    if( f_rng == NULL || nbits < 128 || exponent < 3 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    mpi_init( &P1, &Q1, &H, &G, NULL );
-
-    /*
-     * find primes P and Q with Q < P so that:
-     * GCD( E, (P-1)*(Q-1) ) == 1
-     */
-    MPI_CHK( mpi_lset( &ctx->E, exponent ) );
-
-    do
-    {
-        MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0, 
-                                f_rng, p_rng ) );
-
-        MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
-                                f_rng, p_rng ) );
-
-        if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
-            mpi_swap( &ctx->P, &ctx->Q );
-
-        if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
-            continue;
-
-        MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
-        if( mpi_msb( &ctx->N ) != nbits )
-            continue;
-
-        MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
-        MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
-        MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
-        MPI_CHK( mpi_gcd( &G, &ctx->E, &H  ) );
-    }
-    while( mpi_cmp_int( &G, 1 ) != 0 );
-
-    /*
-     * D  = E^-1 mod ((P-1)*(Q-1))
-     * DP = D mod (P - 1)
-     * DQ = D mod (Q - 1)
-     * QP = Q^-1 mod P
-     */
-    MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H  ) );
-    MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
-    MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
-    MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
-
-    ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
-
-cleanup:
-
-    mpi_free( &G, &H, &Q1, &P1, NULL );
-
-    if( ret != 0 )
-    {
-        rsa_free( ctx );
-        return( POLARSSL_ERR_RSA_KEY_GEN_FAILED | ret );
-    }
-
-    return( 0 );   
-}
-
-#endif
-
-/*
- * Check a public RSA key
- */
-int rsa_check_pubkey( const rsa_context *ctx )
-{
-    if( !ctx->N.p || !ctx->E.p )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    if( ( ctx->N.p[0] & 1 ) == 0 || 
-        ( ctx->E.p[0] & 1 ) == 0 )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    if( mpi_msb( &ctx->N ) < 128 ||
-        mpi_msb( &ctx->N ) > 4096 )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    if( mpi_msb( &ctx->E ) < 2 ||
-        mpi_msb( &ctx->E ) > 64 )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    return( 0 );
-}
-
-/*
- * Check a private RSA key
- */
-int rsa_check_privkey( const rsa_context *ctx )
-{
-    int ret;
-    mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2;
-
-    if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
-        return( ret );
-
-    if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    mpi_init( &PQ, &DE, &P1, &Q1, &H, &I, &G, &G2, &L1, &L2, NULL );
-
-    MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
-    MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
-    MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
-    MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
-    MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
-    MPI_CHK( mpi_gcd( &G, &ctx->E, &H  ) );
-
-    MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
-    MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );  
-    MPI_CHK( mpi_mod_mpi( &I, &DE, &L1  ) );
-
-    /*
-     * Check for a valid PKCS1v2 private key
-     */
-    if( mpi_cmp_mpi( &PQ, &ctx->N ) == 0 &&
-        mpi_cmp_int( &L2, 0 ) == 0 &&
-        mpi_cmp_int( &I, 1 ) == 0 &&
-        mpi_cmp_int( &G, 1 ) == 0 )
-    {
-        mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
-        return( 0 );
-    }
-
-    
-cleanup:
-
-    mpi_free( &G, &I, &H, &Q1, &P1, &DE, &PQ, &G2, &L1, &L2, NULL );
-    return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED | ret );
-}
-
-/*
- * Do an RSA public key operation
- */
-int rsa_public( rsa_context *ctx,
-                const unsigned char *input,
-                unsigned char *output )
-{
-    int ret, olen;
-    mpi T;
-
-    mpi_init( &T, NULL );
-
-    MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
-
-    if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
-    {
-        mpi_free( &T, NULL );
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    olen = ctx->len;
-    MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
-    MPI_CHK( mpi_write_binary( &T, output, olen ) );
-
-cleanup:
-
-    mpi_free( &T, NULL );
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_RSA_PUBLIC_FAILED | ret );
-
-    return( 0 );
-}
-
-/*
- * Do an RSA private key operation
- */
-int rsa_private( rsa_context *ctx,
-                 const unsigned char *input,
-                 unsigned char *output )
-{
-    int ret, olen;
-    mpi T, T1, T2;
-
-    mpi_init( &T, &T1, &T2, NULL );
-
-    MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
-
-    if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
-    {
-        mpi_free( &T, NULL );
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-#if 0
-    MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
-#else
-    /*
-     * faster decryption using the CRT
-     *
-     * T1 = input ^ dP mod P
-     * T2 = input ^ dQ mod Q
-     */
-    MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
-    MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
-
-    /*
-     * T = (T1 - T2) * (Q^-1 mod P) mod P
-     */
-    MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
-    MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
-    MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
-
-    /*
-     * output = T2 + T * Q
-     */
-    MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
-    MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
-#endif
-
-    olen = ctx->len;
-    MPI_CHK( mpi_write_binary( &T, output, olen ) );
-
-cleanup:
-
-    mpi_free( &T, &T1, &T2, NULL );
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_RSA_PRIVATE_FAILED | ret );
-
-    return( 0 );
-}
-
-/*
- * Add the message padding, then do an RSA operation
- */
-int rsa_pkcs1_encrypt( rsa_context *ctx,
-                       int (*f_rng)(void *),
-                       void *p_rng,
-                       int mode, int  ilen,
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int nb_pad, olen;
-    unsigned char *p = output;
-
-    olen = ctx->len;
-
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-
-            if( ilen < 0 || olen < ilen + 11 || f_rng == NULL )
-                return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-            nb_pad = olen - 3 - ilen;
-
-            *p++ = 0;
-            *p++ = RSA_CRYPT;
-
-            while( nb_pad-- > 0 )
-            {
-                int rng_dl = 100;
-
-                do {
-                    *p = (unsigned char) f_rng( p_rng );
-                } while( *p == 0 && --rng_dl );
-
-                // Check if RNG failed to generate data
-                //
-                if( rng_dl == 0 )
-                    return POLARSSL_ERR_RSA_RNG_FAILED;
-
-                p++;
-            }
-            *p++ = 0;
-            memcpy( p, input, ilen );
-            break;
-
-        default:
-
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-
-    return( ( mode == RSA_PUBLIC )
-            ? rsa_public(  ctx, output, output )
-            : rsa_private( ctx, output, output ) );
-}
-
-/*
- * Do an RSA operation, then remove the message padding
- */
-int rsa_pkcs1_decrypt( rsa_context *ctx,
-                       int mode, int *olen,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       int output_max_len)
-{
-    int ret, ilen;
-    unsigned char *p;
-    unsigned char buf[1024];
-
-    ilen = ctx->len;
-
-    if( ilen < 16 || ilen > (int) sizeof( buf ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ret = ( mode == RSA_PUBLIC )
-          ? rsa_public(  ctx, input, buf )
-          : rsa_private( ctx, input, buf );
-
-    if( ret != 0 )
-        return( ret );
-
-    p = buf;
-
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-
-            if( *p++ != 0 || *p++ != RSA_CRYPT )
-                return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-            while( *p != 0 )
-            {
-                if( p >= buf + ilen - 1 )
-                    return( POLARSSL_ERR_RSA_INVALID_PADDING );
-                p++;
-            }
-            p++;
-            break;
-
-        default:
-
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-
-    if (ilen - (int)(p - buf) > output_max_len)
-    	return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
-
-    *olen = ilen - (int)(p - buf);
-    memcpy( output, p, *olen );
-
-    return( 0 );
-}
-
-/*
- * Do an RSA operation to sign the message digest
- */
-int rsa_pkcs1_sign( rsa_context *ctx,
-                    int mode,
-                    int hash_id,
-                    int hashlen,
-                    const unsigned char *hash,
-                    unsigned char *sig )
-{
-    int nb_pad, olen;
-    unsigned char *p = sig;
-
-    olen = ctx->len;
-
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-
-            switch( hash_id )
-            {
-                case SIG_RSA_RAW:
-                    nb_pad = olen - 3 - hashlen;
-                    break;
-
-                case SIG_RSA_MD2:
-                case SIG_RSA_MD4:
-                case SIG_RSA_MD5:
-                    nb_pad = olen - 3 - 34;
-                    break;
-
-                case SIG_RSA_SHA1:
-                    nb_pad = olen - 3 - 35;
-                    break;
-
-                case SIG_RSA_SHA224:
-                    nb_pad = olen - 3 - 47;
-                    break;
-
-                case SIG_RSA_SHA256:
-                    nb_pad = olen - 3 - 51;
-                    break;
-
-                case SIG_RSA_SHA384:
-                    nb_pad = olen - 3 - 67;
-                    break;
-
-                case SIG_RSA_SHA512:
-                    nb_pad = olen - 3 - 83;
-                    break;
-
-
-                default:
-                    return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-            }
-
-            if( nb_pad < 8 )
-                return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-            *p++ = 0;
-            *p++ = RSA_SIGN;
-            memset( p, 0xFF, nb_pad );
-            p += nb_pad;
-            *p++ = 0;
-            break;
-
-        default:
-
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-
-    switch( hash_id )
-    {
-        case SIG_RSA_RAW:
-            memcpy( p, hash, hashlen );
-            break;
-
-        case SIG_RSA_MD2:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 2; break;
-
-        case SIG_RSA_MD4:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 4; break;
-
-        case SIG_RSA_MD5:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 5; break;
-
-        case SIG_RSA_SHA1:
-            memcpy( p, ASN1_HASH_SHA1, 15 );
-            memcpy( p + 15, hash, 20 );
-            break;
-
-        case SIG_RSA_SHA224:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 28 );
-            p[1] += 28; p[14] = 4; p[18] += 28; break;
-
-        case SIG_RSA_SHA256:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 32 );
-            p[1] += 32; p[14] = 1; p[18] += 32; break;
-
-        case SIG_RSA_SHA384:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 48 );
-            p[1] += 48; p[14] = 2; p[18] += 48; break;
-
-        case SIG_RSA_SHA512:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 64 );
-            p[1] += 64; p[14] = 3; p[18] += 64; break;
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    return( ( mode == RSA_PUBLIC )
-            ? rsa_public(  ctx, sig, sig )
-            : rsa_private( ctx, sig, sig ) );
-}
-
-/*
- * Do an RSA operation and check the message digest
- */
-int rsa_pkcs1_verify( rsa_context *ctx,
-                      int mode,
-                      int hash_id,
-                      int hashlen,
-                      const unsigned char *hash,
-                      unsigned char *sig )
-{
-    int ret, len, siglen;
-    unsigned char *p, c;
-    unsigned char buf[1024];
-
-    siglen = ctx->len;
-
-    if( siglen < 16 || siglen > (int) sizeof( buf ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ret = ( mode == RSA_PUBLIC )
-          ? rsa_public(  ctx, sig, buf )
-          : rsa_private( ctx, sig, buf );
-
-    if( ret != 0 )
-        return( ret );
-
-    p = buf;
-
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-
-            if( *p++ != 0 || *p++ != RSA_SIGN )
-                return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-            while( *p != 0 )
-            {
-                if( p >= buf + siglen - 1 || *p != 0xFF )
-                    return( POLARSSL_ERR_RSA_INVALID_PADDING );
-                p++;
-            }
-            p++;
-            break;
-
-        default:
-
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-
-    len = siglen - (int)( p - buf );
-
-    if( len == 34 )
-    {
-        c = p[13];
-        p[13] = 0;
-
-        if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
-        if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
-            ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
-            ( c == 5 && hash_id == SIG_RSA_MD5 ) )
-        {
-            if( memcmp( p + 18, hash, 16 ) == 0 ) 
-                return( 0 );
-            else
-                return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-        }
-    }
-
-    if( len == 35 && hash_id == SIG_RSA_SHA1 )
-    {
-        if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
-            memcmp( p + 15, hash, 20 ) == 0 )
-            return( 0 );
-        else
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-    }
-    if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
-        ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
-        ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
-        ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
-    {
-    	c = p[1] - 17;
-        p[1] = 17;
-        p[14] = 0;
-
-        if( p[18] == c &&
-                memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
-                memcmp( p + 19, hash, c ) == 0 )
-            return( 0 );
-        else
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-    }
-
-    if( len == hashlen && hash_id == SIG_RSA_RAW )
-    {
-        if( memcmp( p, hash, hashlen ) == 0 )
-            return( 0 );
-        else
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-    }
-
-    return( POLARSSL_ERR_RSA_INVALID_PADDING );
-}
-
-/*
- * Free the components of an RSA key
- */
-void rsa_free( rsa_context *ctx )
-{
-    mpi_free( &ctx->RQ, &ctx->RP, &ctx->RN,
-              &ctx->QP, &ctx->DQ, &ctx->DP,
-              &ctx->Q,  &ctx->P,  &ctx->D,
-              &ctx->E,  &ctx->N,  NULL );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include "polarssl/sha1.h"
-
-/*
- * Example RSA-1024 keypair, for test purposes
- */
-#define KEY_LEN 128
-
-#define RSA_N   "9292758453063D803DD603D5E777D788" \
-                "8ED1D5BF35786190FA2F23EBC0848AEA" \
-                "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
-                "7130B9CED7ACDF54CFC7555AC14EEBAB" \
-                "93A89813FBF3C4F8066D2D800F7C38A8" \
-                "1AE31942917403FF4946B0A83D3D3E05" \
-                "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
-                "5E94BB77B07507233A0BC7BAC8F90F79"
-
-#define RSA_E   "10001"
-
-#define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
-                "66CA472BC44D253102F8B4A9D3BFA750" \
-                "91386C0077937FE33FA3252D28855837" \
-                "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
-                "DF79C5CE07EE72C7F123142198164234" \
-                "CABB724CF78B8173B9F880FC86322407" \
-                "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
-                "071513A1E85B5DFA031F21ECAE91A34D"
-
-#define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
-                "2C01CAD19EA484A87EA4377637E75500" \
-                "FCB2005C5C7DD6EC4AC023CDA285D796" \
-                "C3D9E75E1EFC42488BB4F1D13AC30A57"
-
-#define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
-                "E211C2B9E5DB1ED0BF61D0D9899620F4" \
-                "910E4168387E3C30AA1E00C339A79508" \
-                "8452DD96A9A5EA5D9DCA68DA636032AF"
-
-#define RSA_DP  "C1ACF567564274FB07A0BBAD5D26E298" \
-                "3C94D22288ACD763FD8E5600ED4A702D" \
-                "F84198A5F06C2E72236AE490C93F07F8" \
-                "3CC559CD27BC2D1CA488811730BB5725"
-
-#define RSA_DQ  "4959CBF6F8FEF750AEE6977C155579C7" \
-                "D8AAEA56749EA28623272E4F7D0592AF" \
-                "7C1F1313CAC9471B5C523BFE592F517B" \
-                "407A1BD76C164B93DA2D32A383E58357"
-
-#define RSA_QP  "9AE7FBC99546432DF71896FC239EADAE" \
-                "F38D18D2B2F0E2DD275AA977E2BF4411" \
-                "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
-                "A74206CEC169D74BF5A8C50D6F48EA08"
-
-#define PT_LEN  24
-#define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
-                "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
-
-static int myrand( void *rng_state )
-{
-    if( rng_state != NULL )
-        rng_state  = NULL;
-
-    return( rand() );
-}
-
-/*
- * Checkup routine
- */
-int rsa_self_test( int verbose )
-{
-    int len;
-    rsa_context rsa;
-    unsigned char sha1sum[20];
-    unsigned char rsa_plaintext[PT_LEN];
-    unsigned char rsa_decrypted[PT_LEN];
-    unsigned char rsa_ciphertext[KEY_LEN];
-
-    rsa_init( &rsa, RSA_PKCS_V15, 0 );
-
-    rsa.len = KEY_LEN;
-    mpi_read_string( &rsa.N , 16, RSA_N  );
-    mpi_read_string( &rsa.E , 16, RSA_E  );
-    mpi_read_string( &rsa.D , 16, RSA_D  );
-    mpi_read_string( &rsa.P , 16, RSA_P  );
-    mpi_read_string( &rsa.Q , 16, RSA_Q  );
-    mpi_read_string( &rsa.DP, 16, RSA_DP );
-    mpi_read_string( &rsa.DQ, 16, RSA_DQ );
-    mpi_read_string( &rsa.QP, 16, RSA_QP );
-
-    if( verbose != 0 )
-        printf( "  RSA key validation: " );
-
-    if( rsa_check_pubkey(  &rsa ) != 0 ||
-        rsa_check_privkey( &rsa ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 encryption : " );
-
-    memcpy( rsa_plaintext, RSA_PT, PT_LEN );
-
-    if( rsa_pkcs1_encrypt( &rsa, &myrand, NULL, RSA_PUBLIC, PT_LEN,
-                           rsa_plaintext, rsa_ciphertext ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 decryption : " );
-
-    if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
-                           rsa_ciphertext, rsa_decrypted,
-			   sizeof(rsa_decrypted) ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 data sign  : " );
-
-    sha1( rsa_plaintext, PT_LEN, sha1sum );
-
-    if( rsa_pkcs1_sign( &rsa, RSA_PRIVATE, SIG_RSA_SHA1, 20,
-                        sha1sum, rsa_ciphertext ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 sig. verify: " );
-
-    if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
-                          sha1sum, rsa_ciphertext ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n\n" );
-
-    rsa_free( &rsa );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/ctrtool/polarssl/rsa.h b/ctrtool/polarssl/rsa.h
deleted file mode 100644
index 5fae7947..00000000
--- a/ctrtool/polarssl/rsa.h
+++ /dev/null
@@ -1,353 +0,0 @@
-/**
- * \file rsa.h
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_RSA_H
-#define POLARSSL_RSA_H
-
-#include "polarssl/bignum.h"
-
-/*
- * RSA Error codes
- */
-#define POLARSSL_ERR_RSA_BAD_INPUT_DATA                    -0x0400
-#define POLARSSL_ERR_RSA_INVALID_PADDING                   -0x0410
-#define POLARSSL_ERR_RSA_KEY_GEN_FAILED                    -0x0420
-#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED                  -0x0430
-#define POLARSSL_ERR_RSA_PUBLIC_FAILED                     -0x0440
-#define POLARSSL_ERR_RSA_PRIVATE_FAILED                    -0x0450
-#define POLARSSL_ERR_RSA_VERIFY_FAILED                     -0x0460
-#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE                  -0x0470
-#define POLARSSL_ERR_RSA_RNG_FAILED                        -0x0480
-
-/*
- * PKCS#1 constants
- */
-#define SIG_RSA_RAW     0
-#define SIG_RSA_MD2     2
-#define SIG_RSA_MD4     3
-#define SIG_RSA_MD5     4
-#define SIG_RSA_SHA1	5
-#define SIG_RSA_SHA224	14
-#define SIG_RSA_SHA256	11
-#define	SIG_RSA_SHA384	12
-#define SIG_RSA_SHA512	13
-
-#define RSA_PUBLIC      0
-#define RSA_PRIVATE     1
-
-#define RSA_PKCS_V15    0
-#define RSA_PKCS_V21    1
-
-#define RSA_SIGN        1
-#define RSA_CRYPT       2
-
-#define ASN1_STR_CONSTRUCTED_SEQUENCE	"\x30"
-#define ASN1_STR_NULL			        "\x05"
-#define ASN1_STR_OID			        "\x06"
-#define ASN1_STR_OCTET_STRING		    "\x04"
-
-#define OID_DIGEST_ALG_MDX	        "\x2A\x86\x48\x86\xF7\x0D\x02\x00"
-#define OID_HASH_ALG_SHA1	        "\x2b\x0e\x03\x02\x1a"
-#define OID_HASH_ALG_SHA2X	        "\x60\x86\x48\x01\x65\x03\x04\x02\x00"
-
-#define OID_ISO_MEMBER_BODIES	    "\x2a"
-#define OID_ISO_IDENTIFIED_ORG	    "\x2b"
-
-/*
- * ISO Member bodies OID parts
- */
-#define OID_COUNTRY_US		        "\x86\x48"
-#define OID_RSA_DATA_SECURITY	    "\x86\xf7\x0d"
-
-/*
- * ISO Identified organization OID parts
- */
-#define OID_OIW_SECSIG_SHA1	        "\x0e\x03\x02\x1a"
-
-/*
- * DigestInfo ::= SEQUENCE {
- *   digestAlgorithm DigestAlgorithmIdentifier,
- *   digest Digest }
- *
- * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
- *
- * Digest ::= OCTET STRING
- */
-#define ASN1_HASH_MDX					        \
-(							                    \
-    ASN1_STR_CONSTRUCTED_SEQUENCE "\x20"		\
-      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C"		\
-        ASN1_STR_OID "\x08"				        \
-	  OID_DIGEST_ALG_MDX				        \
-	ASN1_STR_NULL "\x00"				        \
-      ASN1_STR_OCTET_STRING "\x10"			    \
-)
-
-#define ASN1_HASH_SHA1					        \
-    ASN1_STR_CONSTRUCTED_SEQUENCE "\x21"		\
-      ASN1_STR_CONSTRUCTED_SEQUENCE "\x09"		\
-        ASN1_STR_OID "\x05"				        \
-	  OID_HASH_ALG_SHA1				            \
-        ASN1_STR_NULL "\x00"				    \
-      ASN1_STR_OCTET_STRING "\x14"
-
-#define ASN1_HASH_SHA2X					        \
-    ASN1_STR_CONSTRUCTED_SEQUENCE "\x11"		\
-      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d"		\
-        ASN1_STR_OID "\x09"				        \
-	  OID_HASH_ALG_SHA2X				        \
-        ASN1_STR_NULL "\x00"				    \
-      ASN1_STR_OCTET_STRING "\x00"
-
-/**
- * \brief          RSA context structure
- */
-typedef struct
-{
-    int ver;                    /*!<  always 0          */
-    int len;                    /*!<  size(N) in chars  */
-
-    mpi N;                      /*!<  public modulus    */
-    mpi E;                      /*!<  public exponent   */
-
-    mpi D;                      /*!<  private exponent  */
-    mpi P;                      /*!<  1st prime factor  */
-    mpi Q;                      /*!<  2nd prime factor  */
-    mpi DP;                     /*!<  D % (P - 1)       */
-    mpi DQ;                     /*!<  D % (Q - 1)       */
-    mpi QP;                     /*!<  1 / (Q % P)       */
-
-    mpi RN;                     /*!<  cached R^2 mod N  */
-    mpi RP;                     /*!<  cached R^2 mod P  */
-    mpi RQ;                     /*!<  cached R^2 mod Q  */
-
-    int padding;                /*!<  1.5 or OAEP/PSS   */
-    int hash_id;                /*!<  hash identifier   */
-}
-rsa_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Initialize an RSA context
- *
- * \param ctx      RSA context to be initialized
- * \param padding  RSA_PKCS_V15 or RSA_PKCS_V21
- * \param hash_id  RSA_PKCS_V21 hash identifier
- *
- * \note           The hash_id parameter is actually ignored
- *                 when using RSA_PKCS_V15 padding.
- *
- * \note           Currently, RSA_PKCS_V21 padding
- *                 is not supported.
- */
-void rsa_init( rsa_context *ctx,
-               int padding,
-               int hash_id);
-
-/**
- * \brief          Generate an RSA keypair
- *
- * \param ctx      RSA context that will hold the key
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- * \param nbits    size of the public key in bits
- * \param exponent public exponent (e.g., 65537)
- *
- * \note           rsa_init() must be called beforehand to setup
- *                 the RSA context.
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- */
-int rsa_gen_key( rsa_context *ctx,
-                 int (*f_rng)(void *),
-                 void *p_rng,
-                 int nbits, int exponent );
-
-/**
- * \brief          Check a public RSA key
- *
- * \param ctx      RSA context to be checked
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- */
-int rsa_check_pubkey( const rsa_context *ctx );
-
-/**
- * \brief          Check a private RSA key
- *
- * \param ctx      RSA context to be checked
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- */
-int rsa_check_privkey( const rsa_context *ctx );
-
-/**
- * \brief          Do an RSA public key operation
- *
- * \param ctx      RSA context
- * \param input    input buffer
- * \param output   output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           This function does NOT take care of message
- *                 padding. Also, be sure to set input[0] = 0 or assure that
- *                 input is smaller than N.
- *
- * \note           The input and output buffers must be large
- *                 enough (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_public( rsa_context *ctx,
-                const unsigned char *input,
-                unsigned char *output );
-
-/**
- * \brief          Do an RSA private key operation
- *
- * \param ctx      RSA context
- * \param input    input buffer
- * \param output   output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The input and output buffers must be large
- *                 enough (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_private( rsa_context *ctx,
-                 const unsigned char *input,
-                 unsigned char *output );
-
-/**
- * \brief          Add the message padding, then do an RSA operation
- *
- * \param ctx      RSA context
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param ilen     contains the plaintext length
- * \param input    buffer holding the data to be encrypted
- * \param output   buffer that will hold the ciphertext
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_pkcs1_encrypt( rsa_context *ctx,
-                       int (*f_rng)(void *),
-                       void *p_rng,
-                       int mode, int  ilen,
-                       const unsigned char *input,
-                       unsigned char *output );
-
-/**
- * \brief          Do an RSA operation, then remove the message padding
- *
- * \param ctx      RSA context
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param input    buffer holding the encrypted data
- * \param output   buffer that will hold the plaintext
- * \param olen     will contain the plaintext length
- * \param output_max_len	maximum length of the output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- *                 an error is thrown.
- */
-int rsa_pkcs1_decrypt( rsa_context *ctx,
-                       int mode, int *olen,
-                       const unsigned char *input,
-                       unsigned char *output,
-		               int output_max_len );
-
-/**
- * \brief          Do a private RSA to sign a message digest
- *
- * \param ctx      RSA context
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer that will hold the ciphertext
- *
- * \return         0 if the signing operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_pkcs1_sign( rsa_context *ctx,
-                    int mode,
-                    int hash_id,
-                    int hashlen,
-                    const unsigned char *hash,
-                    unsigned char *sig );
-
-/**
- * \brief          Do a public RSA and check the message digest
- *
- * \param ctx      points to an RSA public key
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer holding the ciphertext
- *
- * \return         0 if the verify operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_pkcs1_verify( rsa_context *ctx,
-                      int mode,
-                      int hash_id,
-                      int hashlen,
-                      const unsigned char *hash,
-                      unsigned char *sig );
-
-/**
- * \brief          Free the components of an RSA key
- *
- * \param ctx      RSA Context to free
- */
-void rsa_free( rsa_context *ctx );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int rsa_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* rsa.h */
diff --git a/ctrtool/polarssl/sha2.c b/ctrtool/polarssl/sha2.c
deleted file mode 100644
index dd5ae98a..00000000
--- a/ctrtool/polarssl/sha2.c
+++ /dev/null
@@ -1,702 +0,0 @@
-/*
- *  FIPS-180-2 compliant SHA-256 implementation
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
- *
- *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SHA2_C)
-
-#include "polarssl/sha2.h"
-
-#include <string.h>
-#include <stdio.h>
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_ULONG_BE
-#define GET_ULONG_BE(n,b,i)                             \
-{                                                       \
-    (n) = ( (unsigned long) (b)[(i)    ] << 24 )        \
-        | ( (unsigned long) (b)[(i) + 1] << 16 )        \
-        | ( (unsigned long) (b)[(i) + 2] <<  8 )        \
-        | ( (unsigned long) (b)[(i) + 3]       );       \
-}
-#endif
-
-#ifndef PUT_ULONG_BE
-#define PUT_ULONG_BE(n,b,i)                             \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-/*
- * SHA-256 context setup
- */
-void sha2_starts( sha2_context *ctx, int is224 )
-{
-    ctx->total[0] = 0;
-    ctx->total[1] = 0;
-
-    if( is224 == 0 )
-    {
-        /* SHA-256 */
-        ctx->state[0] = 0x6A09E667;
-        ctx->state[1] = 0xBB67AE85;
-        ctx->state[2] = 0x3C6EF372;
-        ctx->state[3] = 0xA54FF53A;
-        ctx->state[4] = 0x510E527F;
-        ctx->state[5] = 0x9B05688C;
-        ctx->state[6] = 0x1F83D9AB;
-        ctx->state[7] = 0x5BE0CD19;
-    }
-    else
-    {
-        /* SHA-224 */
-        ctx->state[0] = 0xC1059ED8;
-        ctx->state[1] = 0x367CD507;
-        ctx->state[2] = 0x3070DD17;
-        ctx->state[3] = 0xF70E5939;
-        ctx->state[4] = 0xFFC00B31;
-        ctx->state[5] = 0x68581511;
-        ctx->state[6] = 0x64F98FA7;
-        ctx->state[7] = 0xBEFA4FA4;
-    }
-
-    ctx->is224 = is224;
-}
-
-static void sha2_process( sha2_context *ctx, const unsigned char data[64] )
-{
-    unsigned long temp1, temp2, W[64];
-    unsigned long A, B, C, D, E, F, G, H;
-
-    GET_ULONG_BE( W[ 0], data,  0 );
-    GET_ULONG_BE( W[ 1], data,  4 );
-    GET_ULONG_BE( W[ 2], data,  8 );
-    GET_ULONG_BE( W[ 3], data, 12 );
-    GET_ULONG_BE( W[ 4], data, 16 );
-    GET_ULONG_BE( W[ 5], data, 20 );
-    GET_ULONG_BE( W[ 6], data, 24 );
-    GET_ULONG_BE( W[ 7], data, 28 );
-    GET_ULONG_BE( W[ 8], data, 32 );
-    GET_ULONG_BE( W[ 9], data, 36 );
-    GET_ULONG_BE( W[10], data, 40 );
-    GET_ULONG_BE( W[11], data, 44 );
-    GET_ULONG_BE( W[12], data, 48 );
-    GET_ULONG_BE( W[13], data, 52 );
-    GET_ULONG_BE( W[14], data, 56 );
-    GET_ULONG_BE( W[15], data, 60 );
-
-#define  SHR(x,n) ((x & 0xFFFFFFFF) >> n)
-#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
-
-#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
-#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
-
-#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
-#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
-
-#define F0(x,y,z) ((x & y) | (z & (x | y)))
-#define F1(x,y,z) (z ^ (x & (y ^ z)))
-
-#define R(t)                                    \
-(                                               \
-    W[t] = S1(W[t -  2]) + W[t -  7] +          \
-           S0(W[t - 15]) + W[t - 16]            \
-)
-
-#define P(a,b,c,d,e,f,g,h,x,K)                  \
-{                                               \
-    temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
-    temp2 = S2(a) + F0(a,b,c);                  \
-    d += temp1; h = temp1 + temp2;              \
-}
-
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-    E = ctx->state[4];
-    F = ctx->state[5];
-    G = ctx->state[6];
-    H = ctx->state[7];
-
-    P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
-    P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
-    P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
-    P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
-    P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
-    P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
-    P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
-    P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
-    P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
-    P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
-    P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
-    P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
-    P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
-    P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
-    P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
-    P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
-    P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
-    P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
-    P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
-    P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
-    P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
-    P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
-    P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
-    P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
-    P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
-    P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
-    P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
-    P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
-    P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
-    P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
-    P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
-    P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
-    P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
-    P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
-    P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
-    P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
-    P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
-    P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
-    P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
-    P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
-    P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
-    P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
-    P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
-    P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
-    P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
-    P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
-    P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
-    P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
-    P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
-    P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
-    P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
-    P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
-    P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
-    P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
-    P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
-    P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
-    P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
-    P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
-    P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
-    P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
-    P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
-    P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
-    P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
-    P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
-
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-    ctx->state[4] += E;
-    ctx->state[5] += F;
-    ctx->state[6] += G;
-    ctx->state[7] += H;
-}
-
-/*
- * SHA-256 process buffer
- */
-void sha2_update( sha2_context *ctx, const unsigned char *input, int ilen )
-{
-    int fill;
-    unsigned long left;
-
-    if( ilen <= 0 )
-        return;
-
-    left = ctx->total[0] & 0x3F;
-    fill = 64 - left;
-
-    ctx->total[0] += ilen;
-    ctx->total[0] &= 0xFFFFFFFF;
-
-    if( ctx->total[0] < (unsigned long) ilen )
-        ctx->total[1]++;
-
-    if( left && ilen >= fill )
-    {
-        memcpy( (void *) (ctx->buffer + left),
-                (void *) input, fill );
-        sha2_process( ctx, ctx->buffer );
-        input += fill;
-        ilen  -= fill;
-        left = 0;
-    }
-
-    while( ilen >= 64 )
-    {
-        sha2_process( ctx, input );
-        input += 64;
-        ilen  -= 64;
-    }
-
-    if( ilen > 0 )
-    {
-        memcpy( (void *) (ctx->buffer + left),
-                (void *) input, ilen );
-    }
-}
-
-static const unsigned char sha2_padding[64] =
-{
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/*
- * SHA-256 final digest
- */
-void sha2_finish( sha2_context *ctx, unsigned char output[32] )
-{
-    unsigned long last, padn;
-    unsigned long high, low;
-    unsigned char msglen[8];
-
-    high = ( ctx->total[0] >> 29 )
-         | ( ctx->total[1] <<  3 );
-    low  = ( ctx->total[0] <<  3 );
-
-    PUT_ULONG_BE( high, msglen, 0 );
-    PUT_ULONG_BE( low,  msglen, 4 );
-
-    last = ctx->total[0] & 0x3F;
-    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
-
-    sha2_update( ctx, (unsigned char *) sha2_padding, padn );
-    sha2_update( ctx, msglen, 8 );
-
-    PUT_ULONG_BE( ctx->state[0], output,  0 );
-    PUT_ULONG_BE( ctx->state[1], output,  4 );
-    PUT_ULONG_BE( ctx->state[2], output,  8 );
-    PUT_ULONG_BE( ctx->state[3], output, 12 );
-    PUT_ULONG_BE( ctx->state[4], output, 16 );
-    PUT_ULONG_BE( ctx->state[5], output, 20 );
-    PUT_ULONG_BE( ctx->state[6], output, 24 );
-
-    if( ctx->is224 == 0 )
-        PUT_ULONG_BE( ctx->state[7], output, 28 );
-}
-
-/*
- * output = SHA-256( input buffer )
- */
-void sha2( const unsigned char *input, int ilen,
-           unsigned char output[32], int is224 )
-{
-    sha2_context ctx;
-
-    sha2_starts( &ctx, is224 );
-    sha2_update( &ctx, input, ilen );
-    sha2_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha2_context ) );
-}
-
-/*
- * output = SHA-256( file contents )
- */
-int sha2_file( const char *path, unsigned char output[32], int is224 )
-{
-    FILE *f;
-    size_t n;
-    sha2_context ctx;
-    unsigned char buf[1024];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( 1 );
-
-    sha2_starts( &ctx, is224 );
-
-    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
-        sha2_update( &ctx, buf, (int) n );
-
-    sha2_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha2_context ) );
-
-    if( ferror( f ) != 0 )
-    {
-        fclose( f );
-        return( 2 );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-
-/*
- * SHA-256 HMAC context setup
- */
-void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, int keylen,
-                       int is224 )
-{
-    int i;
-    unsigned char sum[32];
-
-    if( keylen > 64 )
-    {
-        sha2( key, keylen, sum, is224 );
-        keylen = ( is224 ) ? 28 : 32;
-        key = sum;
-    }
-
-    memset( ctx->ipad, 0x36, 64 );
-    memset( ctx->opad, 0x5C, 64 );
-
-    for( i = 0; i < keylen; i++ )
-    {
-        ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
-        ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
-    }
-
-    sha2_starts( ctx, is224 );
-    sha2_update( ctx, ctx->ipad, 64 );
-
-    memset( sum, 0, sizeof( sum ) );
-}
-
-/*
- * SHA-256 HMAC process buffer
- */
-void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, int ilen )
-{
-    sha2_update( ctx, input, ilen );
-}
-
-/*
- * SHA-256 HMAC final digest
- */
-void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
-{
-    int is224, hlen;
-    unsigned char tmpbuf[32];
-
-    is224 = ctx->is224;
-    hlen = ( is224 == 0 ) ? 32 : 28;
-
-    sha2_finish( ctx, tmpbuf );
-    sha2_starts( ctx, is224 );
-    sha2_update( ctx, ctx->opad, 64 );
-    sha2_update( ctx, tmpbuf, hlen );
-    sha2_finish( ctx, output );
-
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
-}
-
-/*
- * SHA-256 HMAC context reset
- */
-void sha2_hmac_reset( sha2_context *ctx )
-{
-    sha2_starts( ctx, ctx->is224 );
-    sha2_update( ctx, ctx->ipad, 64 );
-}
-
-/*
- * output = HMAC-SHA-256( hmac key, input buffer )
- */
-void sha2_hmac( const unsigned char *key, int keylen,
-                const unsigned char *input, int ilen,
-                unsigned char output[32], int is224 )
-{
-    sha2_context ctx;
-
-    sha2_hmac_starts( &ctx, key, keylen, is224 );
-    sha2_hmac_update( &ctx, input, ilen );
-    sha2_hmac_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha2_context ) );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-/*
- * FIPS-180-2 test vectors
- */
-static unsigned char sha2_test_buf[3][57] = 
-{
-    { "abc" },
-    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
-    { "" }
-};
-
-static const int sha2_test_buflen[3] =
-{
-    3, 56, 1000
-};
-
-static const unsigned char sha2_test_sum[6][32] =
-{
-    /*
-     * SHA-224 test vectors
-     */
-    { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
-      0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
-      0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
-      0xE3, 0x6C, 0x9D, 0xA7 },
-    { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
-      0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
-      0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
-      0x52, 0x52, 0x25, 0x25 },
-    { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
-      0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
-      0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
-      0x4E, 0xE7, 0xAD, 0x67 },
-
-    /*
-     * SHA-256 test vectors
-     */
-    { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
-      0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
-      0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
-      0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
-    { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
-      0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
-      0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
-      0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
-    { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
-      0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
-      0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
-      0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
-};
-
-/*
- * RFC 4231 test vectors
- */
-static unsigned char sha2_hmac_test_key[7][26] =
-{
-    { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
-      "\x0B\x0B\x0B\x0B" },
-    { "Jefe" },
-    { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-      "\xAA\xAA\xAA\xAA" },
-    { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
-      "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
-    { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
-      "\x0C\x0C\x0C\x0C" },
-    { "" }, /* 0xAA 131 times */
-    { "" }
-};
-
-static const int sha2_hmac_test_keylen[7] =
-{
-    20, 4, 20, 25, 20, 131, 131
-};
-
-static unsigned char sha2_hmac_test_buf[7][153] =
-{
-    { "Hi There" },
-    { "what do ya want for nothing?" },
-    { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
-    { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
-    { "Test With Truncation" },
-    { "Test Using Larger Than Block-Size Key - Hash Key First" },
-    { "This is a test using a larger than block-size key "
-      "and a larger than block-size data. The key needs to "
-      "be hashed before being used by the HMAC algorithm." }
-};
-
-static const int sha2_hmac_test_buflen[7] =
-{
-    8, 28, 50, 50, 20, 54, 152
-};
-
-static const unsigned char sha2_hmac_test_sum[14][32] =
-{
-    /*
-     * HMAC-SHA-224 test vectors
-     */
-    { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
-      0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
-      0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
-      0x53, 0x68, 0x4B, 0x22 },
-    { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
-      0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
-      0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
-      0x8F, 0xD0, 0x5E, 0x44 },
-    { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
-      0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
-      0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
-      0xEC, 0x83, 0x33, 0xEA },
-    { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
-      0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
-      0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
-      0xE7, 0xAF, 0xEC, 0x5A },
-    { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
-      0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
-    { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
-      0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
-      0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
-      0x3F, 0xA6, 0x87, 0x0E },
-    { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
-      0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
-      0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
-      0xF6, 0xF5, 0x65, 0xD1 },
-
-    /*
-     * HMAC-SHA-256 test vectors
-     */
-    { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
-      0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
-      0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
-      0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
-    { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
-      0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
-      0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
-      0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
-    { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
-      0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
-      0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
-      0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
-    { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
-      0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
-      0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
-      0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
-    { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
-      0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
-    { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
-      0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
-      0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
-      0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
-    { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
-      0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
-      0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
-      0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
-};
-
-/*
- * Checkup routine
- */
-int sha2_self_test( int verbose )
-{
-    int i, j, k, buflen;
-    unsigned char buf[1024];
-    unsigned char sha2sum[32];
-    sha2_context ctx;
-
-    for( i = 0; i < 6; i++ )
-    {
-        j = i % 3;
-        k = i < 3;
-
-        if( verbose != 0 )
-            printf( "  SHA-%d test #%d: ", 256 - k * 32, j + 1 );
-
-        sha2_starts( &ctx, k );
-
-        if( j == 2 )
-        {
-            memset( buf, 'a', buflen = 1000 );
-
-            for( j = 0; j < 1000; j++ )
-                sha2_update( &ctx, buf, buflen );
-        }
-        else
-            sha2_update( &ctx, sha2_test_buf[j],
-                               sha2_test_buflen[j] );
-
-        sha2_finish( &ctx, sha2sum );
-
-        if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    for( i = 0; i < 14; i++ )
-    {
-        j = i % 7;
-        k = i < 7;
-
-        if( verbose != 0 )
-            printf( "  HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
-
-        if( j == 5 || j == 6 )
-        {
-            memset( buf, '\xAA', buflen = 131 );
-            sha2_hmac_starts( &ctx, buf, buflen, k );
-        }
-        else
-            sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
-                                    sha2_hmac_test_keylen[j], k );
-
-        sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
-                                sha2_hmac_test_buflen[j] );
-
-        sha2_hmac_finish( &ctx, sha2sum );
-
-        buflen = ( j == 4 ) ? 16 : 32 - k * 4;
-
-        if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/ctrtool/polarssl/sha2.h b/ctrtool/polarssl/sha2.h
deleted file mode 100644
index be4ae56a..00000000
--- a/ctrtool/polarssl/sha2.h
+++ /dev/null
@@ -1,155 +0,0 @@
-/**
- * \file sha2.h
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_SHA2_H
-#define POLARSSL_SHA2_H
-
-/**
- * \brief          SHA-256 context structure
- */
-typedef struct
-{
-    unsigned long total[2];     /*!< number of bytes processed  */
-    unsigned long state[8];     /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
-
-    unsigned char ipad[64];     /*!< HMAC: inner padding        */
-    unsigned char opad[64];     /*!< HMAC: outer padding        */
-    int is224;                  /*!< 0 => SHA-256, else SHA-224 */
-}
-sha2_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          SHA-256 context setup
- *
- * \param ctx      context to be initialized
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2_starts( sha2_context *ctx, int is224 );
-
-/**
- * \brief          SHA-256 process buffer
- *
- * \param ctx      SHA-256 context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha2_update( sha2_context *ctx, const unsigned char *input, int ilen );
-
-/**
- * \brief          SHA-256 final digest
- *
- * \param ctx      SHA-256 context
- * \param output   SHA-224/256 checksum result
- */
-void sha2_finish( sha2_context *ctx, unsigned char output[32] );
-
-/**
- * \brief          Output = SHA-256( input buffer )
- *
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   SHA-224/256 checksum result
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2( const unsigned char *input, int ilen,
-           unsigned char output[32], int is224 );
-
-/**
- * \brief          Output = SHA-256( file contents )
- *
- * \param path     input file name
- * \param output   SHA-224/256 checksum result
- * \param is224    0 = use SHA256, 1 = use SHA224
- *
- * \return         0 if successful, 1 if fopen failed,
- *                 or 2 if fread failed
- */
-int sha2_file( const char *path, unsigned char output[32], int is224 );
-
-/**
- * \brief          SHA-256 HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, int keylen,
-                       int is224 );
-
-/**
- * \brief          SHA-256 HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, int ilen );
-
-/**
- * \brief          SHA-256 HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   SHA-224/256 HMAC checksum result
- */
-void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] );
-
-/**
- * \brief          SHA-256 HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- */
-void sha2_hmac_reset( sha2_context *ctx );
-
-/**
- * \brief          Output = HMAC-SHA-256( hmac key, input buffer )
- *
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   HMAC-SHA-224/256 result
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2_hmac( const unsigned char *key, int keylen,
-                const unsigned char *input, int ilen,
-                unsigned char output[32], int is224 );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int sha2_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* sha2.h */
diff --git a/ctrtool/romfs.c b/ctrtool/romfs.c
deleted file mode 100644
index 6f004674..00000000
--- a/ctrtool/romfs.c
+++ /dev/null
@@ -1,406 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include "types.h"
-#include "romfs.h"
-#include "utils.h"
-
-void romfs_init(romfs_context* ctx)
-{
-	memset(ctx, 0, sizeof(romfs_context));
-	ivfc_init(&ctx->ivfc);
-}
-
-void romfs_set_file(romfs_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void romfs_set_offset(romfs_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void romfs_set_size(romfs_context* ctx, u64 size)
-{
-	ctx->size = size;
-}
-
-void romfs_set_usersettings(romfs_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void romfs_set_encrypted(romfs_context* ctx, u32 encrypted)
-{
-	ctx->encrypted = encrypted;
-}
-
-void romfs_set_key(romfs_context* ctx, u8 key[16])
-{
-	memcpy(ctx->key, key, 16);
-	ctr_init_key(&ctx->aes, key);
-}
-
-void romfs_set_counter(romfs_context* ctx, u8 counter[16])
-{
-	memcpy(ctx->counter, counter, 16);
-}
-
-void romfs_fseek(romfs_context* ctx, u64 offset)
-{
-	u64 data_pos = offset - ctx->offset;
-	fseeko64(ctx->file, offset, SEEK_SET);
-
-	if (ctx->encrypted) {
-		ctr_init_counter(&ctx->aes, ctx->counter);
-		ctr_add_counter(&ctx->aes, (u32)(data_pos / 0x10));
-	}
-}
-
-size_t romfs_fread(romfs_context* ctx, void* buffer, size_t size, size_t count)
-{
-	size_t read;
-	if ((read = fread(buffer, size, count, ctx->file)) != count) {
-		//printf("romfs_fread() fail\n");
-		return read;
-	}
-	if (ctx->encrypted) {
-		ctr_crypt_counter(&ctx->aes, buffer, buffer, size*read);
-	}
-	return read;
-}
-
-void romfs_process(romfs_context* ctx, u32 actions)
-{
-	u32 dirblockoffset = 0;
-	u32 dirblocksize = 0;
-	u32 fileblockoffset = 0;
-	u32 fileblocksize = 0;
-
-	ivfc_set_offset(&ctx->ivfc, ctx->offset);
-	ivfc_set_size(&ctx->ivfc, ctx->size);
-	ivfc_set_file(&ctx->ivfc, ctx->file);
-	ivfc_set_usersettings(&ctx->ivfc, ctx->usersettings);
-	ivfc_set_counter(&ctx->ivfc, ctx->counter);
-	ivfc_set_key(&ctx->ivfc, ctx->key);
-	ivfc_set_encrypted(&ctx->ivfc, ctx->encrypted);
-	ivfc_process(&ctx->ivfc, actions);
-
-	romfs_fseek(ctx, ctx->offset);
-	romfs_fread(ctx, &ctx->header, 1, sizeof(romfs_header));
-
-	if (getle32(ctx->header.magic) != MAGIC_IVFC)
-	{
-		fprintf(stdout, "Error, RomFS corrupted\n");
-		return;
-	}
-
-	ctx->infoblockoffset = (u32) (ctx->offset + 0x1000);
-
-	romfs_fseek(ctx, ctx->infoblockoffset);
-	romfs_fread(ctx, &ctx->infoheader, 1, sizeof(romfs_infoheader));
-	
-	if (getle32(ctx->infoheader.headersize) != sizeof(romfs_infoheader))
-	{
-		fprintf(stderr, "Error, info header mismatch\n");
-		return;
-	}
-
-	dirblockoffset = ctx->infoblockoffset + getle32(ctx->infoheader.section[1].offset);
-	dirblocksize = getle32(ctx->infoheader.section[1].size);
-	fileblockoffset = ctx->infoblockoffset + getle32(ctx->infoheader.section[3].offset);
-	fileblocksize = getle32(ctx->infoheader.section[3].size);
-
-	u32 hdrsize = getle32(ctx->infoheader.dataoffset);
-	u8 *block = malloc(hdrsize);
-	romfs_fseek(ctx, ctx->infoblockoffset);
-	romfs_fread(ctx, block, hdrsize, 1);
-
-	ctx->dirblock = malloc(dirblocksize);
-	ctx->dirblocksize = dirblocksize;
-	if(ctx->dirblock)
-		memcpy(ctx->dirblock, block + getle32(ctx->infoheader.section[1].offset), dirblocksize);
-
-	ctx->fileblock = malloc(fileblocksize);
-	ctx->fileblocksize = fileblocksize;
-	if (ctx->fileblock)
-		memcpy(ctx->fileblock, block + getle32(ctx->infoheader.section[3].offset), fileblocksize);
-
-	free(block);
-
-	ctx->datablockoffset = ctx->infoblockoffset + getle32(ctx->infoheader.dataoffset);
-
-	if (actions & InfoFlag)
-		romfs_print(ctx);
-
-	if (settings_get_romfs_dir_path(ctx->usersettings)->valid)
-		ctx->extractdir = os_CopyConvertCharStr(settings_get_romfs_dir_path(ctx->usersettings)->pathname);
-	else
-		ctx->extractdir = NULL;
-
-	romfs_visit_dir(ctx, 0, 0, actions, ctx->extractdir);
-	free(ctx->extractdir);
-}
-
-int romfs_dirblock_read(romfs_context* ctx, u32 diroffset, u32 dirsize, void* buffer)
-{
-	if (!ctx->dirblock)
-		return 0;
-
-	if (diroffset+dirsize > ctx->dirblocksize)
-		return 0;
-
-	memcpy(buffer, ctx->dirblock + diroffset, dirsize);
-	return 1;
-}
-
-int romfs_dirblock_readentry(romfs_context* ctx, u32 diroffset, romfs_direntry* entry)
-{
-	u32 size_without_name = sizeof(romfs_direntry) - ROMFS_MAXNAMESIZE;
-	u32 namesize;
-
-
-	if (!ctx->dirblock)
-		return 0;
-
-	if (!romfs_dirblock_read(ctx, diroffset, size_without_name, entry))
-		return 0;
-	
-	namesize = getle32(entry->namesize);
-	if (namesize > (ROMFS_MAXNAMESIZE-2))
-		namesize = (ROMFS_MAXNAMESIZE-2);
-	memset(entry->name + namesize, 0, 2);
-	if (!romfs_dirblock_read(ctx, diroffset + size_without_name, namesize, entry->name))
-		return 0;
-
-	return 1;
-}
-
-
-int romfs_fileblock_read(romfs_context* ctx, u32 fileoffset, u32 filesize, void* buffer)
-{
-	if (!ctx->fileblock)
-		return 0;
-
-	if (fileoffset+filesize > ctx->fileblocksize)
-		return 0;
-
-	memcpy(buffer, ctx->fileblock + fileoffset, filesize);
-	return 1;
-}
-
-int romfs_fileblock_readentry(romfs_context* ctx, u32 fileoffset, romfs_fileentry* entry)
-{
-	u32 size_without_name = sizeof(romfs_fileentry) - ROMFS_MAXNAMESIZE;
-	u32 namesize;
-
-
-	if (!ctx->fileblock)
-		return 0;
-
-	if (!romfs_fileblock_read(ctx, fileoffset, size_without_name, entry))
-		return 0;
-	
-	namesize = getle32(entry->namesize);
-	if (namesize > (ROMFS_MAXNAMESIZE-2))
-		namesize = (ROMFS_MAXNAMESIZE-2);
-	memset(entry->name + namesize, 0, 2);
-	if (!romfs_fileblock_read(ctx, fileoffset + size_without_name, namesize, entry->name))
-		return 0;
-
-	return 1;
-}
-
-
-
-void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions, const oschar_t* rootpath)
-{
-	u32 siblingoffset;
-	u32 childoffset;
-	u32 fileoffset;
-	oschar_t* currentpath;
-	romfs_direntry* entry = &ctx->direntry;
-
-
-	if (!romfs_dirblock_readentry(ctx, diroffset, entry))
-		return;
-
-
-//	fprintf(stdout, "%08X %08X %08X %08X %08X ", 
-//			getle32(entry->parentoffset), getle32(entry->siblingoffset), getle32(entry->childoffset), 
-//			getle32(entry->fileoffset), getle32(entry->weirdoffset));
-//	fwprintf(stdout, L"%ls\n", entry->name);
-
-
-	if (rootpath && os_strlen(rootpath))
-	{
-		if (utf16_strlen((const utf16char_t*)entry->name) > 0)
-			currentpath = os_AppendUTF16StrToPath(rootpath, (const utf16char_t*)entry->name);
-		else // root dir, use the provided extract path instead of the empty root name.
-			currentpath = os_CopyStr(rootpath);
-
-		if (currentpath)
-		{
-			os_makedir(currentpath);
-		}
-		else
-		{
-			fputs("Error creating directory in root ", stderr);
-			os_fputs(rootpath, stderr);
-			fputs("\n", stderr);
-			return;
-		}
-	}
-	else
-	{
-		currentpath = os_CopyConvertUTF16Str((const utf16char_t*)entry->name);
-		if (settings_get_list_romfs_files(ctx->usersettings))
-		{
-			u32 i;
-
-			for(i=0; i<depth; i++)
-				printf(" ");
-			os_fputs(currentpath, stdout);
-			fputs("\n", stdout);
-		}
-		free(currentpath);
-		currentpath = NULL;
-	}
-	
-
-	siblingoffset = getle32(entry->siblingoffset);
-	childoffset = getle32(entry->childoffset);
-	fileoffset = getle32(entry->fileoffset);
-
-	if (fileoffset != (~0))
-		romfs_visit_file(ctx, fileoffset, depth+1, actions, currentpath);
-
-	if (childoffset != (~0))
-		romfs_visit_dir(ctx, childoffset, depth+1, actions, currentpath);
-
-	if (siblingoffset != (~0))
-		romfs_visit_dir(ctx, siblingoffset, depth, actions, rootpath);
-
-	free(currentpath);
-}
-
-
-void romfs_visit_file(romfs_context* ctx, u32 fileoffset, u32 depth, u32 actions, const oschar_t* rootpath)
-{
-	u32 siblingoffset = 0;
-	oschar_t* currentpath = NULL;
-	romfs_fileentry* entry = &ctx->fileentry;
-
-
-	if (!romfs_fileblock_readentry(ctx, fileoffset, entry))
-		return;
-
-
-//	fprintf(stdout, "%08X %08X %016llX %016llX %08X ", 
-//		getle32(entry->parentdiroffset), getle32(entry->siblingoffset), ctx->datablockoffset+getle64(entry->dataoffset),
-//			getle64(entry->datasize), getle32(entry->unknown));
-//	fwprintf(stdout, L"%ls\n", entry->name);
-
-	if (rootpath && os_strlen(rootpath))
-	{
-		currentpath = os_AppendUTF16StrToPath(rootpath, (const utf16char_t*)entry->name);
-		if (currentpath)
-		{
-			fputs("Saving ", stdout);
-			os_fputs(currentpath, stdout);
-			fputs("...\n", stdout);
-			romfs_extract_datafile(ctx, getle64(entry->dataoffset), getle64(entry->datasize), currentpath);
-		}
-		else
-		{
-			fputs("Error creating file in root ", stderr);
-			os_fputs(rootpath, stderr);
-			fputs("\n", stderr);
-			return;
-		}
-	}
-	else
-	{
-		currentpath = os_CopyConvertUTF16Str((const utf16char_t*)entry->name);
-		if (settings_get_list_romfs_files(ctx->usersettings))
-		{
-			u32 i;
-
-			for(i=0; i<depth; i++)
-				printf(" ");
-			os_fputs(currentpath, stdout);
-			fputs("\n", stdout);
-		}
-		free(currentpath);
-		currentpath = NULL;
-	}
-
-	siblingoffset = getle32(entry->siblingoffset);
-
-	if (siblingoffset != (~0))
-		romfs_visit_file(ctx, siblingoffset, depth, actions, rootpath);
-
-	free(currentpath);
-}
-
-void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, const oschar_t* path)
-{
-	FILE* outfile = 0;
-	u32 max;
-	u8 buffer[4096];
-
-
-	if (path == NULL || os_strlen(path) == 0)
-		goto clean;
-
-	offset += ctx->datablockoffset;
-
-	romfs_fseek(ctx, offset);
-	outfile = os_fopen(path, OS_MODE_WRITE);
-	if (outfile == NULL)
-	{
-		fprintf(stderr, "Error opening file for writing\n");
-		goto clean;
-	}
-
-	while(size)
-	{
-		max = sizeof(buffer);
-		if (max > size)
-			max = (u32) size;
-
-		if (max != romfs_fread(ctx, buffer, 1, max))
-		{
-			fprintf(stderr, "Error reading file\n");
-			goto clean;
-		}
-
-		if (max != fwrite(buffer, 1, max, outfile))
-		{
-			fprintf(stderr, "Error writing file\n");
-			goto clean;
-		}
-
-		size -= max;
-	}
-clean:
-	if (outfile)
-		fclose(outfile);
-}
-
-
-void romfs_print(romfs_context* ctx)
-{
-	u32 i;
-
-	fprintf(stdout, "\nRomFS:\n");
-
-	fprintf(stdout, "Header size:            0x%08X\n", getle32(ctx->infoheader.headersize));
-	for(i=0; i<4; i++)
-	{
-		fprintf(stdout, "Section %d offset:       0x%08"PRIX64"\n", i, ctx->offset + 0x1000 + getle32(ctx->infoheader.section[i].offset));
-		fprintf(stdout, "Section %d size:         0x%08X\n", i, getle32(ctx->infoheader.section[i].size));
-	}
-
-	fprintf(stdout, "Data offset:            0x%08"PRIX64"\n", ctx->offset + 0x1000 + getle32(ctx->infoheader.dataoffset));
-}
diff --git a/ctrtool/romfs.h b/ctrtool/romfs.h
deleted file mode 100644
index 7706be59..00000000
--- a/ctrtool/romfs.h
+++ /dev/null
@@ -1,99 +0,0 @@
-#ifndef __ROMFS_H__
-#define __ROMFS_H__
-
-#include "types.h"
-#include "info.h"
-#include "ctr.h"
-#include "oschar.h"
-#include "settings.h"
-#include "ivfc.h"
-
-#define ROMFS_MAXNAMESIZE	254		// limit set by ctrtool
-
-typedef struct
-{
-	u8 magic[4];
-} romfs_header;
-
-typedef struct
-{
-	u8 offset[4];
-	u8 size[4];
-} romfs_sectionheader;
-
-typedef struct
-{
-	u8 headersize[4];
-	romfs_sectionheader section[4];
-	u8 dataoffset[4];
-} romfs_infoheader;
-
-
-typedef struct
-{
-	u8 parentoffset[4];
-	u8 siblingoffset[4];
-	u8 childoffset[4];
-	u8 fileoffset[4];
-	u8 weirdoffset[4]; // this one is weird. it always points to a dir entry, but seems unrelated to the romfs structure.
-	u8 namesize[4];
-	u8 name[ROMFS_MAXNAMESIZE];
-} romfs_direntry;
-
-typedef struct
-{
-	u8 parentdiroffset[4];
-	u8 siblingoffset[4];
-	u8 dataoffset[8];
-	u8 datasize[8];
-	u8 weirdoffset[4]; // this one is also weird. it always points to a file entry, but seems unrelated to the romfs structure.
-	u8 namesize[4];
-	u8 name[ROMFS_MAXNAMESIZE];
-} romfs_fileentry;
-
-
-typedef struct
-{
-	FILE* file;
-	oschar_t* extractdir;
-	settings* usersettings;
-	u8 counter[16];
-	u8 key[16];
-	u64 offset;
-	u64 size;
-	romfs_header header;
-	romfs_infoheader infoheader;
-	u8* dirblock;
-	u32 dirblocksize;
-	u8* fileblock;
-	u32 fileblocksize;
-	u32 datablockoffset;
-	u32 infoblockoffset;
-	romfs_direntry direntry;
-	romfs_fileentry fileentry;
-	ivfc_context ivfc;
-	ctr_aes_context aes;
-	int encrypted;
-} romfs_context;
-
-void romfs_init(romfs_context* ctx);
-void romfs_set_file(romfs_context* ctx, FILE* file);
-void romfs_set_offset(romfs_context* ctx, u64 offset);
-void romfs_set_size(romfs_context* ctx, u64 size);
-void romfs_set_usersettings(romfs_context* ctx, settings* usersettings);
-void romfs_set_encrypted(romfs_context* ctx, u32 encrypted);
-void romfs_set_key(romfs_context* ctx, u8 key[16]);
-void romfs_set_counter(romfs_context* ctx, u8 counter[16]);
-void romfs_fseek(romfs_context* ctx, u64 offset);
-size_t romfs_fread(romfs_context* ctx, void* buffer, size_t size, size_t count);
-int  romfs_dirblock_read(romfs_context* ctx, u32 diroffset, u32 dirsize, void* buffer);
-int  romfs_dirblock_readentry(romfs_context* ctx, u32 diroffset, romfs_direntry* entry);
-int  romfs_fileblock_read(romfs_context* ctx, u32 fileoffset, u32 filesize, void* buffer);
-int  romfs_fileblock_readentry(romfs_context* ctx, u32 fileoffset, romfs_fileentry* entry);
-void romfs_visit_dir(romfs_context* ctx, u32 diroffset, u32 depth, u32 actions, const oschar_t* rootpath);
-void romfs_visit_file(romfs_context* ctx, u32 fileoffset, u32 depth, u32 actions, const oschar_t* rootpath);
-void romfs_extract_datafile(romfs_context* ctx, u64 offset, u64 size, const oschar_t* path);
-void romfs_process(romfs_context* ctx, u32 actions);
-void romfs_print(romfs_context* ctx);
-
-#endif // __ROMFS_H__
diff --git a/ctrtool/settings.c b/ctrtool/settings.c
deleted file mode 100644
index 9fbf0567..00000000
--- a/ctrtool/settings.c
+++ /dev/null
@@ -1,314 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include "settings.h"
-
-void settings_init(settings* usersettings)
-{
-	memset(usersettings, 0, sizeof(settings));
-}
-
-filepath* settings_get_wav_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->wavpath;
-	else
-		return 0;
-}
-
-filepath* settings_get_lzss_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->lzsspath;
-	else
-		return 0;
-}
-
-filepath* settings_get_exefs_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->exefspath;
-	else
-		return 0;
-}
-
-filepath* settings_get_romfs_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->romfspath;
-	else
-		return 0;
-}
-
-filepath* settings_get_exheader_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->exheaderpath;
-	else
-		return 0;
-}
-
-filepath* settings_get_logo_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->logopath;
-	else
-		return 0;
-}
-
-filepath* settings_get_exefs_dir_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->exefsdirpath;
-	else
-		return 0;
-}
-
-filepath* settings_get_romfs_dir_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->romfsdirpath;
-	else
-		return 0;
-}
-
-filepath* settings_get_firm_dir_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->firmdirpath;
-	else
-		return 0;
-}
-
-
-filepath* settings_get_certs_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->certspath;
-	else
-		return 0;
-}
-
-filepath* settings_get_tik_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->tikpath;
-	else
-		return 0;
-}
-
-filepath* settings_get_tmd_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->tmdpath;
-	else
-		return 0;
-}
-
-filepath* settings_get_content_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->contentpath;
-	else
-		return 0;
-}
-
-filepath* settings_get_meta_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->metapath;
-	else
-		return 0;
-}
-
-filepath* settings_get_plainrgn_path(settings* usersettings)
-{
-	if (usersettings)
-		return &usersettings->plainrgnpath;
-	else
-		return 0;
-}
-
-unsigned int settings_get_mediaunit_size(settings* usersettings)
-{
-	if (usersettings)
-		return usersettings->mediaunitsize;
-	else
-		return 0;
-}
-
-#define GETKEY(s, k)	do {\
-	if ((s) && (s)->keys.k.valid)\
-		return (s)->keys.k.data;\
-	else\
-		return NULL;\
-} while (0)
-
-unsigned char* settings_get_ncch_fixedsystemkey(settings* usersettings)
-{
-	GETKEY(usersettings, ncchfixedsystemkey);
-}
-
-unsigned char* settings_get_ncchkeyX_old(settings* usersettings)
-{
-	GETKEY(usersettings, ncchkeyX_old);
-}
-
-unsigned char* settings_get_ncchkeyX_seven(settings* usersettings)
-{
-	GETKEY(usersettings, ncchkeyX_seven);
-}
-
-unsigned char* settings_get_ncchkeyX_ninethree(settings* usersettings)
-{
-	GETKEY(usersettings, ncchkeyX_ninethree);
-}
-
-unsigned char* settings_get_ncchkeyX_ninesix(settings* usersettings)
-{
-	GETKEY(usersettings, ncchkeyX_ninesix);
-}
-
-unsigned char* settings_get_common_key(settings* usersettings, u8 index)
-{
-	if (index > (COMMONKEY_NUM - 1)) return NULL;
-	GETKEY(usersettings, commonkey[index]);
-}
-
-unsigned char* settings_get_seed(settings* usersettings, u64 title_id)
-{
-	for (u32 i = 0; i < usersettings->keys.seed_num; i++)
-	{
-		if (title_id == getle64(usersettings->keys.seed_db[i].title_id))
-		{
-			return usersettings->keys.seed_db[i].seed;
-		}
-	}
-	GETKEY(usersettings, seed_fallback);
-}
-
-unsigned char* settings_get_title_key(settings* usersettings)
-{
-	GETKEY(usersettings, titlekey);
-}
-
-#undef GETKEY
-
-int settings_get_ignore_programid(settings* usersettings)
-{
-	if (usersettings)
-		return usersettings->ignoreprogramid;
-	else
-		return 0;
-}
-
-int settings_get_list_romfs_files(settings* usersettings)
-{
-	if (usersettings)
-		return usersettings->listromfs;
-	else
-		return 0;
-}
-
-int settings_get_cwav_loopcount(settings* usersettings)
-{
-	if (usersettings)
-		return usersettings->cwavloopcount;
-	else
-		return 0;
-}
-
-void settings_set_wav_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->wavpath, path);
-}
-
-void settings_set_lzss_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->lzsspath, path);
-}
-
-void settings_set_exefs_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->exefspath, path);
-}
-
-void settings_set_romfs_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->romfspath, path);
-}
-
-void settings_set_firm_dir_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->firmdirpath, path);
-}
-
-
-void settings_set_exheader_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->exheaderpath, path);
-}
-
-void settings_set_logo_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->logopath, path);
-}
-
-void settings_set_certs_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->certspath, path);
-}
-
-void settings_set_tik_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->tikpath, path);
-}
-
-void settings_set_tmd_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->tmdpath, path);
-}
-
-void settings_set_content_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->contentpath, path);
-}
-
-void settings_set_meta_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->metapath, path);
-}
-
-void settings_set_exefs_dir_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->exefsdirpath, path);
-}
-
-void settings_set_romfs_dir_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->romfsdirpath, path);
-}
-
-void settings_set_plainrgn_path(settings* usersettings, const char* path)
-{
-	filepath_set(&usersettings->plainrgnpath, path);
-}
-
-void settings_set_mediaunit_size(settings* usersettings, unsigned int size)
-{
-	usersettings->mediaunitsize = size;
-}
-
-void settings_set_ignore_programid(settings* usersettings, int enable)
-{
-	usersettings->ignoreprogramid = enable;
-}
-
-void settings_set_list_romfs_files(settings* usersettings, int enable)
-{
-	usersettings->listromfs = enable;
-}
-
-void settings_set_cwav_loopcount(settings* usersettings, u32 loopcount)
-{
-	usersettings->cwavloopcount = loopcount;
-}
diff --git a/ctrtool/settings.h b/ctrtool/settings.h
deleted file mode 100644
index e634eaa3..00000000
--- a/ctrtool/settings.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef _SETTINGS_H_
-#define _SETTINGS_H_
-
-#include "types.h"
-#include "keyset.h"
-#include "filepath.h"
-
-typedef struct
-{
-	keyset keys;
-	filepath exefspath;
-	filepath exefsdirpath;
-	filepath firmdirpath;
-	filepath romfspath;
-	filepath romfsdirpath;
-	filepath exheaderpath;
-	filepath logopath;
-	filepath plainrgnpath;
-	filepath certspath;
-	filepath contentpath;
-	filepath tikpath;
-	filepath tmdpath;
-	filepath metapath;	
-	filepath lzsspath;
-	filepath wavpath;
-	unsigned int mediaunitsize;
-	int ignoreprogramid;
-	int listromfs;
-	u32 cwavloopcount;
-} settings;
-
-void settings_init(settings* usersettings);
-filepath* settings_get_lzss_path(settings* usersettings);
-filepath* settings_get_exefs_path(settings* usersettings);
-filepath* settings_get_romfs_path(settings* usersettings);
-filepath* settings_get_exheader_path(settings* usersettings);
-filepath* settings_get_logo_path(settings* usersettings);
-filepath* settings_get_certs_path(settings* usersettings);
-filepath* settings_get_tik_path(settings* usersettings);
-filepath* settings_get_tmd_path(settings* usersettings);
-filepath* settings_get_content_path(settings* usersettings);
-filepath* settings_get_meta_path(settings* usersettings);
-filepath* settings_get_exefs_dir_path(settings* usersettings);
-filepath* settings_get_romfs_dir_path(settings* usersettings);
-filepath* settings_get_firm_dir_path(settings* usersettings);
-filepath* settings_get_wav_path(settings* usersettings);
-filepath* settings_get_plainrgn_path(settings* usersettings);
-unsigned int settings_get_mediaunit_size(settings* usersettings);
-unsigned char* settings_get_ncch_fixedsystemkey(settings* usersettings);
-unsigned char* settings_get_ncchkeyX_old(settings* usersettings);
-unsigned char* settings_get_ncchkeyX_seven(settings* usersettings);
-unsigned char* settings_get_ncchkeyX_ninethree(settings* usersettings);
-unsigned char* settings_get_ncchkeyX_ninesix(settings* usersettings);
-unsigned char* settings_get_common_key(settings* usersettings, u8 index);
-unsigned char* settings_get_seed(settings* usersettings, u64 title_id);
-unsigned char* settings_get_title_key(settings* usersettings);
-int settings_get_ignore_programid(settings* usersettings);
-int settings_get_list_romfs_files(settings* usersettings);
-int settings_get_cwav_loopcount(settings* usersettings);
-
-void settings_set_lzss_path(settings* usersettings, const char* path);
-void settings_set_exefs_path(settings* usersettings, const char* path);
-void settings_set_romfs_path(settings* usersettings, const char* path);
-void settings_set_exheader_path(settings* usersettings, const char* path);
-void settings_set_logo_path(settings* usersettings, const char* path);
-void settings_set_certs_path(settings* usersettings, const char* path);
-void settings_set_tik_path(settings* usersettings, const char* path);
-void settings_set_tmd_path(settings* usersettings, const char* path);
-void settings_set_content_path(settings* usersettings, const char* path);
-void settings_set_meta_path(settings* usersettings, const char* path);
-void settings_set_exefs_dir_path(settings* usersettings, const char* path);
-void settings_set_romfs_dir_path(settings* usersettings, const char* path);
-void settings_set_firm_dir_path(settings* usersettings, const char* path);
-void settings_set_wav_path(settings* usersettings, const char* path);
-void settings_set_plainrgn_path(settings* usersettings, const char* path);
-void settings_set_mediaunit_size(settings* usersettings, unsigned int size);
-void settings_set_ignore_programid(settings* usersettings, int enable);
-void settings_set_list_romfs_files(settings* usersettings, int enable);
-void settings_set_cwav_loopcount(settings* usersettings, u32 loopcount);
-
-#endif // _SETTINGS_H_
diff --git a/ctrtool/stream.c b/ctrtool/stream.c
deleted file mode 100644
index dfb1ac6f..00000000
--- a/ctrtool/stream.c
+++ /dev/null
@@ -1,138 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-
-#include "types.h"
-#include "stream.h"
-
-
-void stream_in_init(stream_in_context* ctx)
-{
-	memset(ctx, 0, sizeof(stream_in_context));
-}
-
-void stream_out_init(stream_out_context* ctx)
-{
-	memset(ctx, 0, sizeof(stream_out_context));
-}
-
-void stream_in_allocate(stream_in_context* ctx, u32 buffersize, FILE* file)
-{
-	ctx->inbuffer = malloc(buffersize);
-	ctx->inbuffersize = buffersize;
-	ctx->infile = file;
-	ctx->infileposition = 0;
-}
-
-void stream_out_allocate(stream_out_context* ctx, u32 buffersize, FILE* file)
-{
-	ctx->outbuffer = malloc(buffersize);
-	ctx->outbuffersize = buffersize;
-	ctx->outfile = file;
-}
-
-void stream_in_destroy(stream_in_context* ctx)
-{
-	free(ctx->inbuffer);
-	ctx->inbuffer = 0;
-}
-
-void stream_out_destroy(stream_out_context* ctx)
-{
-	free(ctx->outbuffer);
-	ctx->outbuffer = 0;
-}
-
-int stream_in_byte(stream_in_context* ctx, u8* byte)
-{
-	if (ctx->inbufferpos >= ctx->inbufferavailable)
-	{
-		size_t readbytes = fread(ctx->inbuffer, 1, ctx->inbuffersize, ctx->infile);
-		if (readbytes <= 0)
-			return 0;
-
-		ctx->inbufferavailable = readbytes;
-		ctx->inbufferpos = 0;
-		ctx->infileposition += readbytes;
-	}
-
-	*byte = ctx->inbuffer[ctx->inbufferpos++];
-	return 1;
-}
-
-void stream_in_seek(stream_in_context* ctx, u32 position)
-{
-	fseek(ctx->infile, position, SEEK_SET);
-	ctx->infileposition = position;
-	ctx->inbufferpos = 0;
-	ctx->inbufferavailable = 0;
-}
-
-void stream_in_reseek(stream_in_context* ctx)
-{
-	fseek(ctx->infile, ctx->infileposition, SEEK_SET);
-}
-
-
-void stream_out_seek(stream_out_context* ctx, u32 position)
-{
-	stream_out_flush(ctx);
-
-	fseek(ctx->outfile, position, SEEK_SET);
-}
-
-void stream_out_skip(stream_out_context* ctx, u32 size)
-{
-	stream_out_flush(ctx);
-
-	fseek(ctx->outfile, size, SEEK_CUR);
-}
-
-int stream_out_byte(stream_out_context* ctx, u8 byte)
-{
-	if (ctx->outbufferpos >= ctx->outbuffersize)
-	{
-		if (stream_out_flush(ctx) == 0)
-			return 0;
-	}
-
-	ctx->outbuffer[ctx->outbufferpos++] = byte;
-	return 1;
-}
-
-int stream_out_buffer(stream_out_context* ctx, const void* buffer, u32 size)
-{
-	u32 i;
-
-	for(i=0; i<size; i++)
-	{
-		if (!stream_out_byte(ctx, ((u8*)buffer)[i]))
-			return 0;
-	}
-
-	return 1;
-}
-
-int stream_out_flush(stream_out_context* ctx)
-{
-	if (ctx->outbufferpos > 0)
-	{
-		size_t writtenbytes = fwrite(ctx->outbuffer, 1, ctx->outbufferpos, ctx->outfile);
-		if (writtenbytes == 0) // will be zero if nothing is written
-			return 0;
-
-
-		ctx->outbufferpos = 0;
-	}
-	return 1;
-}
-
-void stream_out_position(stream_out_context* ctx, u32* position)
-{
-	stream_out_flush(ctx);
-
-	*position = ftell(ctx->outfile);
-}
-
-
diff --git a/ctrtool/stream.h b/ctrtool/stream.h
deleted file mode 100644
index df5bcbc9..00000000
--- a/ctrtool/stream.h
+++ /dev/null
@@ -1,45 +0,0 @@
-#ifndef __STREAM_H__
-#define __STREAM_H__
-
-#include <stdio.h>
-#include "types.h"
-
-typedef struct
-{
-	FILE* infile;
-	u32 infileposition;
-	u8* inbuffer;
-	u32 inbuffersize;
-	u32 inbufferavailable;
-	u32 inbufferpos;
-} stream_in_context;
-
-typedef struct
-{
-	FILE* outfile;
-	u8* outbuffer;
-	u32 outbuffersize;
-	u32 outbufferpos;
-} stream_out_context;
-
-// create/destroy
-void stream_in_init(stream_in_context* ctx);
-void stream_in_allocate(stream_in_context* ctx, u32 buffersize, FILE* file);
-void stream_in_destroy(stream_in_context* ctx);
-void stream_out_init(stream_out_context* ctx);
-void stream_out_allocate(stream_out_context* ctx, u32 buffersize, FILE* file);
-void stream_out_destroy(stream_out_context* ctx);
-
-// read/write operations
-int  stream_in_byte(stream_in_context* ctx, u8* byte);
-void stream_in_seek(stream_in_context* ctx, u32 position);
-void stream_in_reseek(stream_in_context* ctx);
-
-int  stream_out_byte(stream_out_context* ctx, u8 byte);
-int  stream_out_buffer(stream_out_context* ctx, const void* buffer, u32 size);
-int  stream_out_flush(stream_out_context* ctx);
-void stream_out_seek(stream_out_context* ctx, u32 position);
-void stream_out_skip(stream_out_context* ctx, u32 size);
-void stream_out_position(stream_out_context* ctx, u32* position);
-
-#endif // __STREAM_H__
diff --git a/ctrtool/syscalls.c b/ctrtool/syscalls.c
deleted file mode 100644
index f4505357..00000000
--- a/ctrtool/syscalls.c
+++ /dev/null
@@ -1,171 +0,0 @@
-#include <stddef.h>
-#include <stdio.h>
-#include <string.h>
-#include "syscalls.h"
-
-// List of 3DS system calls.  NULL indicates unknown.
-static const char *const syscall_list[NUM_SYSCALLS] =
-{
-	NULL,                                // 00
-	"ControlMemory",                     // 01
-	"QueryMemory",                       // 02
-	"ExitProcess",                       // 03
-	"GetProcessAffinityMask",            // 04
-	"SetProcessAffinityMask",            // 05
-	"GetProcessIdealProcessor",          // 06
-	"SetProcessIdealProcessor",          // 07
-	"CreateThread",                      // 08
-	"ExitThread",                        // 09
-	"SleepThread",                       // 0A
-	"GetThreadPriority",                 // 0B
-	"SetThreadPriority",                 // 0C
-	"GetThreadAffinityMask",             // 0D
-	"SetThreadAffinityMask",             // 0E
-	"GetThreadIdealProcessor",           // 0F
-	"SetThreadIdealProcessor",           // 10
-	"GetCurrentProcessorNumber",         // 11
-	"Run",                               // 12
-	"CreateMutex",                       // 13
-	"ReleaseMutex",                      // 14
-	"CreateSemaphore",                   // 15
-	"ReleaseSemaphore",                  // 16
-	"CreateEvent",                       // 17
-	"SignalEvent",                       // 18
-	"ClearEvent",                        // 19
-	"CreateTimer",                       // 1A
-	"SetTimer",                          // 1B
-	"CancelTimer",                       // 1C
-	"ClearTimer",                        // 1D
-	"CreateMemoryBlock",                 // 1E
-	"MapMemoryBlock",                    // 1F
-	"UnmapMemoryBlock",                  // 20
-	"CreateAddressArbiter",              // 21
-	"ArbitrateAddress",                  // 22
-	"CloseHandle",                       // 23
-	"WaitSynchronization1",              // 24
-	"WaitSynchronizationN",              // 25
-	"SignalAndWait",                     // 26
-	"DuplicateHandle",                   // 27
-	"GetSystemTick",                     // 28
-	"GetHandleInfo",                     // 29
-	"GetSystemInfo",                     // 2A
-	"GetProcessInfo",                    // 2B
-	"GetThreadInfo",                     // 2C
-	"ConnectToPort",                     // 2D
-	"SendSyncRequest1",                  // 2E
-	"SendSyncRequest2",                  // 2F
-	"SendSyncRequest3",                  // 30
-	"SendSyncRequest4",                  // 31
-	"SendSyncRequest",                   // 32
-	"OpenProcess",                       // 33
-	"OpenThread",                        // 34
-	"GetProcessId",                      // 35
-	"GetProcessIdOfThread",              // 36
-	"GetThreadId",                       // 37
-	"GetResourceLimit",                  // 38
-	"GetResourceLimitLimitValues",       // 39
-	"GetResourceLimitCurrentValues",     // 3A
-	"GetThreadContext",                  // 3B
-	"Break",                             // 3C
-	"OutputDebugString",                 // 3D
-	"ControlPerformanceCounter",         // 3E
-	NULL,                                // 3F
-	NULL,                                // 40
-	NULL,                                // 41
-	NULL,                                // 42
-	NULL,                                // 43
-	NULL,                                // 44
-	NULL,                                // 45
-	NULL,                                // 46
-	"CreatePort",                        // 47
-	"CreateSessionToPort",               // 48
-	"CreateSession",                     // 49
-	"AcceptSession",                     // 4A
-	"ReplyAndReceive1",                  // 4B
-	"ReplyAndReceive2",                  // 4C
-	"ReplyAndReceive3",                  // 4D
-	"ReplyAndReceive4",                  // 4E
-	"ReplyAndReceive",                   // 4F
-	"BindInterrupt",                     // 50
-	"UnbindInterrupt",                   // 51
-	"InvalidateProcessDataCache",        // 52
-	"StoreProcessDataCache",             // 53
-	"FlushProcessDataCache",             // 54
-	"StartInterProcessDma",              // 55
-	"StopDma",                           // 56
-	"GetDmaState",                       // 57
-	"RestartDma",                        // 58
-	"SetGpuProt",                        // 59
-	"SetWifiEnabled",                    // 5A
-	NULL,                                // 5B
-	NULL,                                // 5C
-	NULL,                                // 5D
-	NULL,                                // 5E
-	NULL,                                // 5F
-	"DebugActiveProcess",                // 60
-	"BreakDebugProcess",                 // 61
-	"TerminateDebugProcess",             // 62
-	"GetProcessDebugEvent",              // 63
-	"ContinueDebugEvent",                // 64
-	"GetProcessList",                    // 65
-	"GetThreadList",                     // 66
-	"GetDebugThreadContext",             // 67
-	"SetDebugThreadContext",             // 68
-	"QueryDebugProcessMemory",           // 69
-	"ReadProcessMemory",                 // 6A
-	"WriteProcessMemory",                // 6B
-	"SetHardwareBreakPoint",             // 6C
-	"GetDebugThreadParam",               // 6D
-	NULL,                                // 6E
-	NULL,                                // 6F
-	"ControlProcessMemory",              // 70
-	"MapProcessMemory",                  // 71
-	"UnmapProcessMemory",                // 72
-	"CreateCodeSet",                     // 73
-	NULL,                                // 74
-	"CreateProcess",                     // 75
-	"TerminateProcess",                  // 76
-	"SetProcessResourceLimits",          // 77
-	"CreateResourceLimit",               // 78
-	"SetResourceLimitValues",            // 79
-	"AddCodeSegment",                    // 7A
-	"Backdoor",                          // 7B
-	"KernelSetState",                    // 7C
-	"QueryProcessMemory",                // 7D
-	NULL,                                // 7E
-	NULL,                                // 7F
-};
-
-
-void syscall_get_name(char *output, size_t size, unsigned int call_num)
-{
-#ifdef _MSC_VER
-	typedef char StaticAssert[sizeof(syscall_list) / sizeof(syscall_list[0]) == NUM_SYSCALLS ? 1 : -1];
-#else
-	_Static_assert(sizeof(syscall_list) / sizeof(syscall_list[0]) == NUM_SYSCALLS,
-		"syscall table length mismatch");
-#endif
-	
-
-	if (size == 0)
-	{
-		return;
-	}
-
-	const char *name = NULL;
-	if (call_num < (unsigned int) NUM_SYSCALLS)
-	{
-		name = syscall_list[call_num];
-	}
-
-	char name_buf[] = "UnknownXX";
-	sprintf(&name_buf[sizeof(name_buf) - 3], "%02X", call_num & 0xFFu);
-
-	name = name ? name : name_buf;
-
-	size_t length = strlen(name);
-	length = (length > (size - 1)) ? (size - 1) : length;
-
-	memcpy(output, name, length);
-	output[length] = '\0';
-}
diff --git a/ctrtool/syscalls.h b/ctrtool/syscalls.h
deleted file mode 100644
index 5afca898..00000000
--- a/ctrtool/syscalls.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _SYSCALLS_H_
-#define _SYSCALLS_H_
-
-#include <stddef.h>
-
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-
-enum { NUM_SYSCALLS = 0x80 };
-
-void syscall_get_name(char *output, size_t size, unsigned int call_num);
-
-#ifdef __cplusplus
-} // extern "C"
-#endif
-
-#endif
diff --git a/ctrtool/tik.c b/ctrtool/tik.c
deleted file mode 100644
index 285f403c..00000000
--- a/ctrtool/tik.c
+++ /dev/null
@@ -1,127 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "aes_keygen.h"
-#include "tik.h"
-#include "ctr.h"
-#include "utils.h"
-
-void tik_init(tik_context* ctx)
-{
-	memset(ctx, 0, sizeof(tik_context));
-}
-
-void tik_set_file(tik_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void tik_set_offset(tik_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void tik_set_size(tik_context* ctx, u32 size)
-{
-	ctx->size = size;
-}
-
-void tik_set_usersettings(tik_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-const unsigned char* tik_get_titlekey(tik_context* ctx)
-{
-	return ctx->titlekey.valid ? ctx->titlekey.data : NULL;
-}
-
-void tik_get_titleid(tik_context* ctx, u8 titleid[8])
-{
-	memcpy(titleid, ctx->tik.title_id, 8);
-}
-
-void tik_get_iv(tik_context* ctx, u8 iv[16])
-{
-	memset(iv, 0, 16);
-	memcpy(iv, ctx->tik.title_id, 8);
-}
-
-int tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]) 
-{
-	u8 iv[16];
-	u8* commonkey = settings_get_common_key(ctx->usersettings, ctx->tik.commonkey_idx);
-
-	memset(decryptedkey, 0, 0x10);
-	if (!commonkey)
-	{
-		fprintf(stdout, "Error, could not read common key.\n");
-		return 1;
-	}
-	
-	memset(iv, 0, 0x10);
-	memcpy(iv, ctx->tik.title_id, 8);
-
-	ctr_init_cbc_decrypt(&ctx->aes, commonkey, iv);
-	ctr_decrypt_cbc(&ctx->aes, ctx->tik.encrypted_title_key, decryptedkey, 0x10);
-	return 0;
-}
-
-void tik_process(tik_context* ctx, u32 actions)
-{
-	if (ctx->size < sizeof(eticket))
-	{
-		fprintf(stderr, "Error, ticket size too small\n");
-		goto clean;
-	}
-
-	fseeko64(ctx->file, ctx->offset, SEEK_SET);
-	fread((u8*)&ctx->tik, 1, sizeof(eticket), ctx->file);
-
-	ctx->titlekey.valid = tik_decrypt_titlekey(ctx, ctx->titlekey.data) == 0 ? 1 : 0;
-
-	if (actions & InfoFlag)
-	{
-		tik_print(ctx); 
-	}
-
-clean:
-	return;
-}
-
-void tik_print(tik_context* ctx)
-{
-	int i;
-	eticket* tik = &ctx->tik;
-
-	fprintf(stdout, "\nTicket content:\n");
-	fprintf(stdout,
-		"Signature Type:         %08x\n"
-		"Issuer:                 %s\n",
-		getle32(tik->sig_type), tik->issuer
-	);
-
-	fprintf(stdout, "Signature:\n");
-	hexdump(tik->signature, 0x100);
-	fprintf(stdout, "\n");
-
-	memdump(stdout, "Encrypted Titlekey:     ", tik->encrypted_title_key, 0x10);
-	
-	if (ctx->titlekey.valid)
-		memdump(stdout, "Decrypted Titlekey:     ", ctx->titlekey.data, 0x10);
-
-	memdump(stdout,	"Ticket ID:              ", tik->ticket_id, 0x08);
-	fprintf(stdout, "Ticket Version:         %d\n", getle16(tik->ticket_version));
-	memdump(stdout,	"Title ID:               ", tik->title_id, 0x08);
-	fprintf(stdout, "Common Key Index:       %d\n", tik->commonkey_idx);
-
-	fprintf(stdout, "Content permission map:\n");
-	for(i = 0; i < 0x40; i++) {
-		printf(" %02x", tik->content_permissions[i]);
-
-		if ((i+1) % 8 == 0)
-			printf("\n");
-	}
-	printf("\n");
-}
diff --git a/ctrtool/tik.h b/ctrtool/tik.h
deleted file mode 100644
index 4d85aaa2..00000000
--- a/ctrtool/tik.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef __TIK_H__
-#define __TIK_H__
-
-#include "types.h"
-#include "keyset.h"
-#include "ctr.h"
-#include "settings.h"
-
-typedef struct 
-{
-	u8 enable_timelimit[4];
-	u8 timelimit_seconds[4];
-} timelimit_entry;
-
-typedef struct 
-{
-	u8 sig_type[4];
-	u8 signature[0x100];
-	u8 padding1[0x3c];
-	u8 issuer[0x40];
-	u8 ecdsa[0x3c];
-	u8 padding2[0x03];
-	u8 encrypted_title_key[0x10];
-	u8 unknown;
-	u8 ticket_id[8];
-	u8 console_id[4];
-	u8 title_id[8];
-	u8 sys_access[2];
-	u8 ticket_version[2];
-	u8 time_mask[4];
-	u8 permit_mask[4];
-	u8 title_export;
-	u8 commonkey_idx;
-	u8 unknown_buf[0x30];
-	u8 content_permissions[0x40];
-	u8 padding0[2];
-
-	timelimit_entry timelimits[8];	
-} eticket;
-
-typedef struct
-{
-	FILE* file;
-	u64 offset;
-	u32 size;
-	key128 titlekey;
-	eticket tik;
-	ctr_aes_context aes;
-	settings* usersettings;
-} tik_context;
-
-void tik_init(tik_context* ctx);
-void tik_set_file(tik_context* ctx, FILE* file);
-void tik_set_offset(tik_context* ctx, u64 offset);
-void tik_set_size(tik_context* ctx, u32 size);
-void tik_set_usersettings(tik_context* ctx, settings* usersettings);
-const unsigned char* tik_get_titlekey(tik_context* ctx);
-void tik_get_titleid(tik_context* ctx, u8 titleid[8]);
-void tik_get_iv(tik_context* ctx, u8 iv[0x10]);
-int tik_decrypt_titlekey(tik_context* ctx, u8 decryptedkey[0x10]);
-void tik_print(tik_context* ctx);
-void tik_process(tik_context* ctx, u32 actions);
-
-#endif
diff --git a/ctrtool/tinyxml/tinystr.cpp b/ctrtool/tinyxml/tinystr.cpp
deleted file mode 100644
index 6ca4dc82..00000000
--- a/ctrtool/tinyxml/tinystr.cpp
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
-www.sourceforge.net/projects/tinyxml
-
-This software is provided 'as-is', without any express or implied
-warranty. In no event will the authors be held liable for any
-damages arising from the use of this software.
-
-Permission is granted to anyone to use this software for any
-purpose, including commercial applications, and to alter it and
-redistribute it freely, subject to the following restrictions:
-
-1. The origin of this software must not be misrepresented; you must
-not claim that you wrote the original software. If you use this
-software in a product, an acknowledgment in the product documentation
-would be appreciated but is not required.
-
-2. Altered source versions must be plainly marked as such, and
-must not be misrepresented as being the original software.
-
-3. This notice may not be removed or altered from any source
-distribution.
-*/
-
-
-#ifndef TIXML_USE_STL
-
-#include "tinyxml/tinystr.h"
-
-// Error value for find primitive
-const TiXmlString::size_type TiXmlString::npos = static_cast< TiXmlString::size_type >(-1);
-
-
-// Null rep.
-TiXmlString::Rep TiXmlString::nullrep_ = { 0, 0, { '\0' } };
-
-
-void TiXmlString::reserve (size_type cap)
-{
-	if (cap > capacity())
-	{
-		TiXmlString tmp;
-		tmp.init(length(), cap);
-		memcpy(tmp.start(), data(), length());
-		swap(tmp);
-	}
-}
-
-
-TiXmlString& TiXmlString::assign(const char* str, size_type len)
-{
-	size_type cap = capacity();
-	if (len > cap || cap > 3*(len + 8))
-	{
-		TiXmlString tmp;
-		tmp.init(len);
-		memcpy(tmp.start(), str, len);
-		swap(tmp);
-	}
-	else
-	{
-		memmove(start(), str, len);
-		set_size(len);
-	}
-	return *this;
-}
-
-
-TiXmlString& TiXmlString::append(const char* str, size_type len)
-{
-	size_type newsize = length() + len;
-	if (newsize > capacity())
-	{
-		reserve (newsize + capacity());
-	}
-	memmove(finish(), str, len);
-	set_size(newsize);
-	return *this;
-}
-
-
-TiXmlString operator + (const TiXmlString & a, const TiXmlString & b)
-{
-	TiXmlString tmp;
-	tmp.reserve(a.length() + b.length());
-	tmp += a;
-	tmp += b;
-	return tmp;
-}
-
-TiXmlString operator + (const TiXmlString & a, const char* b)
-{
-	TiXmlString tmp;
-	TiXmlString::size_type b_len = static_cast<TiXmlString::size_type>( strlen(b) );
-	tmp.reserve(a.length() + b_len);
-	tmp += a;
-	tmp.append(b, b_len);
-	return tmp;
-}
-
-TiXmlString operator + (const char* a, const TiXmlString & b)
-{
-	TiXmlString tmp;
-	TiXmlString::size_type a_len = static_cast<TiXmlString::size_type>( strlen(a) );
-	tmp.reserve(a_len + b.length());
-	tmp.append(a, a_len);
-	tmp += b;
-	return tmp;
-}
-
-
-#endif	// TIXML_USE_STL
diff --git a/ctrtool/tinyxml/tinystr.h b/ctrtool/tinyxml/tinystr.h
deleted file mode 100644
index 89cca334..00000000
--- a/ctrtool/tinyxml/tinystr.h
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
-www.sourceforge.net/projects/tinyxml
-
-This software is provided 'as-is', without any express or implied
-warranty. In no event will the authors be held liable for any
-damages arising from the use of this software.
-
-Permission is granted to anyone to use this software for any
-purpose, including commercial applications, and to alter it and
-redistribute it freely, subject to the following restrictions:
-
-1. The origin of this software must not be misrepresented; you must
-not claim that you wrote the original software. If you use this
-software in a product, an acknowledgment in the product documentation
-would be appreciated but is not required.
-
-2. Altered source versions must be plainly marked as such, and
-must not be misrepresented as being the original software.
-
-3. This notice may not be removed or altered from any source
-distribution.
-*/
-
-
-#ifndef TIXML_USE_STL
-
-#ifndef TIXML_STRING_INCLUDED
-#define TIXML_STRING_INCLUDED
-
-#include <assert.h>
-#include <string.h>
-
-/*	The support for explicit isn't that universal, and it isn't really
-	required - it is used to check that the TiXmlString class isn't incorrectly
-	used. Be nice to old compilers and macro it here:
-*/
-#if defined(_MSC_VER) && (_MSC_VER >= 1200 )
-	// Microsoft visual studio, version 6 and higher.
-	#define TIXML_EXPLICIT explicit
-#elif defined(__GNUC__) && (__GNUC__ >= 3 )
-	// GCC version 3 and higher.s
-	#define TIXML_EXPLICIT explicit
-#else
-	#define TIXML_EXPLICIT
-#endif
-
-
-/*
-   TiXmlString is an emulation of a subset of the std::string template.
-   Its purpose is to allow compiling TinyXML on compilers with no or poor STL support.
-   Only the member functions relevant to the TinyXML project have been implemented.
-   The buffer allocation is made by a simplistic power of 2 like mechanism : if we increase
-   a string and there's no more room, we allocate a buffer twice as big as we need.
-*/
-class TiXmlString
-{
-  public :
-	// The size type used
-  	typedef size_t size_type;
-
-	// Error value for find primitive
-	static const size_type npos; // = -1;
-
-
-	// TiXmlString empty constructor
-	TiXmlString () : rep_(&nullrep_)
-	{
-	}
-
-	// TiXmlString copy constructor
-	TiXmlString ( const TiXmlString & copy) : rep_(0)
-	{
-		init(copy.length());
-		memcpy(start(), copy.data(), length());
-	}
-
-	// TiXmlString constructor, based on a string
-	TIXML_EXPLICIT TiXmlString ( const char * copy) : rep_(0)
-	{
-		init( static_cast<size_type>( strlen(copy) ));
-		memcpy(start(), copy, length());
-	}
-
-	// TiXmlString constructor, based on a string
-	TIXML_EXPLICIT TiXmlString ( const char * str, size_type len) : rep_(0)
-	{
-		init(len);
-		memcpy(start(), str, len);
-	}
-
-	// TiXmlString destructor
-	~TiXmlString ()
-	{
-		quit();
-	}
-
-	TiXmlString& operator = (const char * copy)
-	{
-		return assign( copy, (size_type)strlen(copy));
-	}
-
-	TiXmlString& operator = (const TiXmlString & copy)
-	{
-		return assign(copy.start(), copy.length());
-	}
-
-
-	// += operator. Maps to append
-	TiXmlString& operator += (const char * suffix)
-	{
-		return append(suffix, static_cast<size_type>( strlen(suffix) ));
-	}
-
-	// += operator. Maps to append
-	TiXmlString& operator += (char single)
-	{
-		return append(&single, 1);
-	}
-
-	// += operator. Maps to append
-	TiXmlString& operator += (const TiXmlString & suffix)
-	{
-		return append(suffix.data(), suffix.length());
-	}
-
-
-	// Convert a TiXmlString into a null-terminated char *
-	const char * c_str () const { return rep_->str; }
-
-	// Convert a TiXmlString into a char * (need not be null terminated).
-	const char * data () const { return rep_->str; }
-
-	// Return the length of a TiXmlString
-	size_type length () const { return rep_->size; }
-
-	// Alias for length()
-	size_type size () const { return rep_->size; }
-
-	// Checks if a TiXmlString is empty
-	bool empty () const { return rep_->size == 0; }
-
-	// Return capacity of string
-	size_type capacity () const { return rep_->capacity; }
-
-
-	// single char extraction
-	const char& at (size_type index) const
-	{
-		assert( index < length() );
-		return rep_->str[ index ];
-	}
-
-	// [] operator
-	char& operator [] (size_type index) const
-	{
-		assert( index < length() );
-		return rep_->str[ index ];
-	}
-
-	// find a char in a string. Return TiXmlString::npos if not found
-	size_type find (char lookup) const
-	{
-		return find(lookup, 0);
-	}
-
-	// find a char in a string from an offset. Return TiXmlString::npos if not found
-	size_type find (char tofind, size_type offset) const
-	{
-		if (offset >= length()) return npos;
-
-		for (const char* p = c_str() + offset; *p != '\0'; ++p)
-		{
-		   if (*p == tofind) return static_cast< size_type >( p - c_str() );
-		}
-		return npos;
-	}
-
-	void clear ()
-	{
-		//Lee:
-		//The original was just too strange, though correct:
-		//	TiXmlString().swap(*this);
-		//Instead use the quit & re-init:
-		quit();
-		init(0,0);
-	}
-
-	/*	Function to reserve a big amount of data when we know we'll need it. Be aware that this
-		function DOES NOT clear the content of the TiXmlString if any exists.
-	*/
-	void reserve (size_type cap);
-
-	TiXmlString& assign (const char* str, size_type len);
-
-	TiXmlString& append (const char* str, size_type len);
-
-	void swap (TiXmlString& other)
-	{
-		Rep* r = rep_;
-		rep_ = other.rep_;
-		other.rep_ = r;
-	}
-
-  private:
-
-	void init(size_type sz) { init(sz, sz); }
-	void set_size(size_type sz) { rep_->str[ rep_->size = sz ] = '\0'; }
-	char* start() const { return rep_->str; }
-	char* finish() const { return rep_->str + rep_->size; }
-
-	struct Rep
-	{
-		size_type size, capacity;
-		char str[1];
-	};
-
-	void init(size_type sz, size_type cap)
-	{
-		if (cap)
-		{
-			// Lee: the original form:
-			//	rep_ = static_cast<Rep*>(operator new(sizeof(Rep) + cap));
-			// doesn't work in some cases of new being overloaded. Switching
-			// to the normal allocation, although use an 'int' for systems
-			// that are overly picky about structure alignment.
-			const size_type bytesNeeded = sizeof(Rep) + cap;
-			const size_type intsNeeded = ( bytesNeeded + sizeof(int) - 1 ) / sizeof( int ); 
-			rep_ = reinterpret_cast<Rep*>( new int[ intsNeeded ] );
-
-			rep_->str[ rep_->size = sz ] = '\0';
-			rep_->capacity = cap;
-		}
-		else
-		{
-			rep_ = &nullrep_;
-		}
-	}
-
-	void quit()
-	{
-		if (rep_ != &nullrep_)
-		{
-			// The rep_ is really an array of ints. (see the allocator, above).
-			// Cast it back before delete, so the compiler won't incorrectly call destructors.
-			delete [] ( reinterpret_cast<int*>( rep_ ) );
-		}
-	}
-
-	Rep * rep_;
-	static Rep nullrep_;
-
-} ;
-
-
-inline bool operator == (const TiXmlString & a, const TiXmlString & b)
-{
-	return    ( a.length() == b.length() )				// optimization on some platforms
-	       && ( strcmp(a.c_str(), b.c_str()) == 0 );	// actual compare
-}
-inline bool operator < (const TiXmlString & a, const TiXmlString & b)
-{
-	return strcmp(a.c_str(), b.c_str()) < 0;
-}
-
-inline bool operator != (const TiXmlString & a, const TiXmlString & b) { return !(a == b); }
-inline bool operator >  (const TiXmlString & a, const TiXmlString & b) { return b < a; }
-inline bool operator <= (const TiXmlString & a, const TiXmlString & b) { return !(b < a); }
-inline bool operator >= (const TiXmlString & a, const TiXmlString & b) { return !(a < b); }
-
-inline bool operator == (const TiXmlString & a, const char* b) { return strcmp(a.c_str(), b) == 0; }
-inline bool operator == (const char* a, const TiXmlString & b) { return b == a; }
-inline bool operator != (const TiXmlString & a, const char* b) { return !(a == b); }
-inline bool operator != (const char* a, const TiXmlString & b) { return !(b == a); }
-
-TiXmlString operator + (const TiXmlString & a, const TiXmlString & b);
-TiXmlString operator + (const TiXmlString & a, const char* b);
-TiXmlString operator + (const char* a, const TiXmlString & b);
-
-
-/*
-   TiXmlOutStream is an emulation of std::ostream. It is based on TiXmlString.
-   Only the operators that we need for TinyXML have been developped.
-*/
-class TiXmlOutStream : public TiXmlString
-{
-public :
-
-	// TiXmlOutStream << operator.
-	TiXmlOutStream & operator << (const TiXmlString & in)
-	{
-		*this += in;
-		return *this;
-	}
-
-	// TiXmlOutStream << operator.
-	TiXmlOutStream & operator << (const char * in)
-	{
-		*this += in;
-		return *this;
-	}
-
-} ;
-
-#endif	// TIXML_STRING_INCLUDED
-#endif	// TIXML_USE_STL
diff --git a/ctrtool/tinyxml/tinyxml.cpp b/ctrtool/tinyxml/tinyxml.cpp
deleted file mode 100644
index cec7b8cb..00000000
--- a/ctrtool/tinyxml/tinyxml.cpp
+++ /dev/null
@@ -1,1886 +0,0 @@
-/*
-www.sourceforge.net/projects/tinyxml
-Original code by Lee Thomason (www.grinninglizard.com)
-
-This software is provided 'as-is', without any express or implied
-warranty. In no event will the authors be held liable for any
-damages arising from the use of this software.
-
-Permission is granted to anyone to use this software for any
-purpose, including commercial applications, and to alter it and
-redistribute it freely, subject to the following restrictions:
-
-1. The origin of this software must not be misrepresented; you must
-not claim that you wrote the original software. If you use this
-software in a product, an acknowledgment in the product documentation
-would be appreciated but is not required.
-
-2. Altered source versions must be plainly marked as such, and
-must not be misrepresented as being the original software.
-
-3. This notice may not be removed or altered from any source
-distribution.
-*/
-
-#include <ctype.h>
-
-#ifdef TIXML_USE_STL
-#include <sstream>
-#include <iostream>
-#endif
-
-#include "tinyxml/tinyxml.h"
-
-FILE* TiXmlFOpen( const char* filename, const char* mode );
-
-bool TiXmlBase::condenseWhiteSpace = true;
-
-// Microsoft compiler security
-FILE* TiXmlFOpen( const char* filename, const char* mode )
-{
-	#if defined(_MSC_VER) && (_MSC_VER >= 1400 )
-		FILE* fp = 0;
-		errno_t err = fopen_s( &fp, filename, mode );
-		if ( !err && fp )
-			return fp;
-		return 0;
-	#else
-		return fopen( filename, mode );
-	#endif
-}
-
-void TiXmlBase::EncodeString( const TIXML_STRING& str, TIXML_STRING* outString )
-{
-	int i=0;
-
-	while( i<(int)str.length() )
-	{
-		unsigned char c = (unsigned char) str[i];
-
-		if (    c == '&' 
-		     && i < ( (int)str.length() - 2 )
-			 && str[i+1] == '#'
-			 && str[i+2] == 'x' )
-		{
-			// Hexadecimal character reference.
-			// Pass through unchanged.
-			// &#xA9;	-- copyright symbol, for example.
-			//
-			// The -1 is a bug fix from Rob Laveaux. It keeps
-			// an overflow from happening if there is no ';'.
-			// There are actually 2 ways to exit this loop -
-			// while fails (error case) and break (semicolon found).
-			// However, there is no mechanism (currently) for
-			// this function to return an error.
-			while ( i<(int)str.length()-1 )
-			{
-				outString->append( str.c_str() + i, 1 );
-				++i;
-				if ( str[i] == ';' )
-					break;
-			}
-		}
-		else if ( c == '&' )
-		{
-			outString->append( entity[0].str, entity[0].strLength );
-			++i;
-		}
-		else if ( c == '<' )
-		{
-			outString->append( entity[1].str, entity[1].strLength );
-			++i;
-		}
-		else if ( c == '>' )
-		{
-			outString->append( entity[2].str, entity[2].strLength );
-			++i;
-		}
-		else if ( c == '\"' )
-		{
-			outString->append( entity[3].str, entity[3].strLength );
-			++i;
-		}
-		else if ( c == '\'' )
-		{
-			outString->append( entity[4].str, entity[4].strLength );
-			++i;
-		}
-		else if ( c < 32 )
-		{
-			// Easy pass at non-alpha/numeric/symbol
-			// Below 32 is symbolic.
-			char buf[ 32 ];
-			
-			#if defined(TIXML_SNPRINTF)		
-				TIXML_SNPRINTF( buf, sizeof(buf), "&#x%02X;", (unsigned) ( c & 0xff ) );
-			#else
-				sprintf( buf, "&#x%02X;", (unsigned) ( c & 0xff ) );
-			#endif		
-
-			//*ME:	warning C4267: convert 'size_t' to 'int'
-			//*ME:	Int-Cast to make compiler happy ...
-			outString->append( buf, (int)strlen( buf ) );
-			++i;
-		}
-		else
-		{
-			//char realc = (char) c;
-			//outString->append( &realc, 1 );
-			*outString += (char) c;	// somewhat more efficient function call.
-			++i;
-		}
-	}
-}
-
-
-TiXmlNode::TiXmlNode( NodeType _type ) : TiXmlBase()
-{
-	parent = 0;
-	type = _type;
-	firstChild = 0;
-	lastChild = 0;
-	prev = 0;
-	next = 0;
-}
-
-
-TiXmlNode::~TiXmlNode()
-{
-	TiXmlNode* node = firstChild;
-	TiXmlNode* temp = 0;
-
-	while ( node )
-	{
-		temp = node;
-		node = node->next;
-		delete temp;
-	}	
-}
-
-
-void TiXmlNode::CopyTo( TiXmlNode* target ) const
-{
-	target->SetValue (value.c_str() );
-	target->userData = userData; 
-	target->location = location;
-}
-
-
-void TiXmlNode::Clear()
-{
-	TiXmlNode* node = firstChild;
-	TiXmlNode* temp = 0;
-
-	while ( node )
-	{
-		temp = node;
-		node = node->next;
-		delete temp;
-	}	
-
-	firstChild = 0;
-	lastChild = 0;
-}
-
-
-TiXmlNode* TiXmlNode::LinkEndChild( TiXmlNode* node )
-{
-	assert( node->parent == 0 || node->parent == this );
-	assert( node->GetDocument() == 0 || node->GetDocument() == this->GetDocument() );
-
-	if ( node->Type() == TiXmlNode::TINYXML_DOCUMENT )
-	{
-		delete node;
-		if ( GetDocument() ) 
-			GetDocument()->SetError( TIXML_ERROR_DOCUMENT_TOP_ONLY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return 0;
-	}
-
-	node->parent = this;
-
-	node->prev = lastChild;
-	node->next = 0;
-
-	if ( lastChild )
-		lastChild->next = node;
-	else
-		firstChild = node;			// it was an empty list.
-
-	lastChild = node;
-	return node;
-}
-
-
-TiXmlNode* TiXmlNode::InsertEndChild( const TiXmlNode& addThis )
-{
-	if ( addThis.Type() == TiXmlNode::TINYXML_DOCUMENT )
-	{
-		if ( GetDocument() ) 
-			GetDocument()->SetError( TIXML_ERROR_DOCUMENT_TOP_ONLY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return 0;
-	}
-	TiXmlNode* node = addThis.Clone();
-	if ( !node )
-		return 0;
-
-	return LinkEndChild( node );
-}
-
-
-TiXmlNode* TiXmlNode::InsertBeforeChild( TiXmlNode* beforeThis, const TiXmlNode& addThis )
-{	
-	if ( !beforeThis || beforeThis->parent != this ) {
-		return 0;
-	}
-	if ( addThis.Type() == TiXmlNode::TINYXML_DOCUMENT )
-	{
-		if ( GetDocument() ) 
-			GetDocument()->SetError( TIXML_ERROR_DOCUMENT_TOP_ONLY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return 0;
-	}
-
-	TiXmlNode* node = addThis.Clone();
-	if ( !node )
-		return 0;
-	node->parent = this;
-
-	node->next = beforeThis;
-	node->prev = beforeThis->prev;
-	if ( beforeThis->prev )
-	{
-		beforeThis->prev->next = node;
-	}
-	else
-	{
-		assert( firstChild == beforeThis );
-		firstChild = node;
-	}
-	beforeThis->prev = node;
-	return node;
-}
-
-
-TiXmlNode* TiXmlNode::InsertAfterChild( TiXmlNode* afterThis, const TiXmlNode& addThis )
-{
-	if ( !afterThis || afterThis->parent != this ) {
-		return 0;
-	}
-	if ( addThis.Type() == TiXmlNode::TINYXML_DOCUMENT )
-	{
-		if ( GetDocument() ) 
-			GetDocument()->SetError( TIXML_ERROR_DOCUMENT_TOP_ONLY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return 0;
-	}
-
-	TiXmlNode* node = addThis.Clone();
-	if ( !node )
-		return 0;
-	node->parent = this;
-
-	node->prev = afterThis;
-	node->next = afterThis->next;
-	if ( afterThis->next )
-	{
-		afterThis->next->prev = node;
-	}
-	else
-	{
-		assert( lastChild == afterThis );
-		lastChild = node;
-	}
-	afterThis->next = node;
-	return node;
-}
-
-
-TiXmlNode* TiXmlNode::ReplaceChild( TiXmlNode* replaceThis, const TiXmlNode& withThis )
-{
-	if ( !replaceThis )
-		return 0;
-
-	if ( replaceThis->parent != this )
-		return 0;
-
-	if ( withThis.ToDocument() ) {
-		// A document can never be a child.	Thanks to Noam.
-		TiXmlDocument* document = GetDocument();
-		if ( document ) 
-			document->SetError( TIXML_ERROR_DOCUMENT_TOP_ONLY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return 0;
-	}
-
-	TiXmlNode* node = withThis.Clone();
-	if ( !node )
-		return 0;
-
-	node->next = replaceThis->next;
-	node->prev = replaceThis->prev;
-
-	if ( replaceThis->next )
-		replaceThis->next->prev = node;
-	else
-		lastChild = node;
-
-	if ( replaceThis->prev )
-		replaceThis->prev->next = node;
-	else
-		firstChild = node;
-
-	delete replaceThis;
-	node->parent = this;
-	return node;
-}
-
-
-bool TiXmlNode::RemoveChild( TiXmlNode* removeThis )
-{
-	if ( !removeThis ) {
-		return false;
-	}
-
-	if ( removeThis->parent != this )
-	{	
-		assert( 0 );
-		return false;
-	}
-
-	if ( removeThis->next )
-		removeThis->next->prev = removeThis->prev;
-	else
-		lastChild = removeThis->prev;
-
-	if ( removeThis->prev )
-		removeThis->prev->next = removeThis->next;
-	else
-		firstChild = removeThis->next;
-
-	delete removeThis;
-	return true;
-}
-
-const TiXmlNode* TiXmlNode::FirstChild( const char * _value ) const
-{
-	const TiXmlNode* node;
-	for ( node = firstChild; node; node = node->next )
-	{
-		if ( strcmp( node->Value(), _value ) == 0 )
-			return node;
-	}
-	return 0;
-}
-
-
-const TiXmlNode* TiXmlNode::LastChild( const char * _value ) const
-{
-	const TiXmlNode* node;
-	for ( node = lastChild; node; node = node->prev )
-	{
-		if ( strcmp( node->Value(), _value ) == 0 )
-			return node;
-	}
-	return 0;
-}
-
-
-const TiXmlNode* TiXmlNode::IterateChildren( const TiXmlNode* previous ) const
-{
-	if ( !previous )
-	{
-		return FirstChild();
-	}
-	else
-	{
-		assert( previous->parent == this );
-		return previous->NextSibling();
-	}
-}
-
-
-const TiXmlNode* TiXmlNode::IterateChildren( const char * val, const TiXmlNode* previous ) const
-{
-	if ( !previous )
-	{
-		return FirstChild( val );
-	}
-	else
-	{
-		assert( previous->parent == this );
-		return previous->NextSibling( val );
-	}
-}
-
-
-const TiXmlNode* TiXmlNode::NextSibling( const char * _value ) const 
-{
-	const TiXmlNode* node;
-	for ( node = next; node; node = node->next )
-	{
-		if ( strcmp( node->Value(), _value ) == 0 )
-			return node;
-	}
-	return 0;
-}
-
-
-const TiXmlNode* TiXmlNode::PreviousSibling( const char * _value ) const
-{
-	const TiXmlNode* node;
-	for ( node = prev; node; node = node->prev )
-	{
-		if ( strcmp( node->Value(), _value ) == 0 )
-			return node;
-	}
-	return 0;
-}
-
-
-void TiXmlElement::RemoveAttribute( const char * name )
-{
-    #ifdef TIXML_USE_STL
-	TIXML_STRING str( name );
-	TiXmlAttribute* node = attributeSet.Find( str );
-	#else
-	TiXmlAttribute* node = attributeSet.Find( name );
-	#endif
-	if ( node )
-	{
-		attributeSet.Remove( node );
-		delete node;
-	}
-}
-
-const TiXmlElement* TiXmlNode::FirstChildElement() const
-{
-	const TiXmlNode* node;
-
-	for (	node = FirstChild();
-			node;
-			node = node->NextSibling() )
-	{
-		if ( node->ToElement() )
-			return node->ToElement();
-	}
-	return 0;
-}
-
-
-const TiXmlElement* TiXmlNode::FirstChildElement( const char * _value ) const
-{
-	const TiXmlNode* node;
-
-	for (	node = FirstChild( _value );
-			node;
-			node = node->NextSibling( _value ) )
-	{
-		if ( node->ToElement() )
-			return node->ToElement();
-	}
-	return 0;
-}
-
-
-const TiXmlElement* TiXmlNode::NextSiblingElement() const
-{
-	const TiXmlNode* node;
-
-	for (	node = NextSibling();
-			node;
-			node = node->NextSibling() )
-	{
-		if ( node->ToElement() )
-			return node->ToElement();
-	}
-	return 0;
-}
-
-
-const TiXmlElement* TiXmlNode::NextSiblingElement( const char * _value ) const
-{
-	const TiXmlNode* node;
-
-	for (	node = NextSibling( _value );
-			node;
-			node = node->NextSibling( _value ) )
-	{
-		if ( node->ToElement() )
-			return node->ToElement();
-	}
-	return 0;
-}
-
-
-const TiXmlDocument* TiXmlNode::GetDocument() const
-{
-	const TiXmlNode* node;
-
-	for( node = this; node; node = node->parent )
-	{
-		if ( node->ToDocument() )
-			return node->ToDocument();
-	}
-	return 0;
-}
-
-
-TiXmlElement::TiXmlElement (const char * _value)
-	: TiXmlNode( TiXmlNode::TINYXML_ELEMENT )
-{
-	firstChild = lastChild = 0;
-	value = _value;
-}
-
-
-#ifdef TIXML_USE_STL
-TiXmlElement::TiXmlElement( const std::string& _value ) 
-	: TiXmlNode( TiXmlNode::TINYXML_ELEMENT )
-{
-	firstChild = lastChild = 0;
-	value = _value;
-}
-#endif
-
-
-TiXmlElement::TiXmlElement( const TiXmlElement& copy)
-	: TiXmlNode( TiXmlNode::TINYXML_ELEMENT )
-{
-	firstChild = lastChild = 0;
-	copy.CopyTo( this );	
-}
-
-
-TiXmlElement& TiXmlElement::operator=( const TiXmlElement& base )
-{
-	ClearThis();
-	base.CopyTo( this );
-	return *this;
-}
-
-
-TiXmlElement::~TiXmlElement()
-{
-	ClearThis();
-}
-
-
-void TiXmlElement::ClearThis()
-{
-	Clear();
-	while( attributeSet.First() )
-	{
-		TiXmlAttribute* node = attributeSet.First();
-		attributeSet.Remove( node );
-		delete node;
-	}
-}
-
-
-const char* TiXmlElement::Attribute( const char* name ) const
-{
-	const TiXmlAttribute* node = attributeSet.Find( name );
-	if ( node )
-		return node->Value();
-	return 0;
-}
-
-
-#ifdef TIXML_USE_STL
-const std::string* TiXmlElement::Attribute( const std::string& name ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	if ( attrib )
-		return &attrib->ValueStr();
-	return 0;
-}
-#endif
-
-
-const char* TiXmlElement::Attribute( const char* name, int* i ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	const char* result = 0;
-
-	if ( attrib ) {
-		result = attrib->Value();
-		if ( i ) {
-			attrib->QueryIntValue( i );
-		}
-	}
-	return result;
-}
-
-
-#ifdef TIXML_USE_STL
-const std::string* TiXmlElement::Attribute( const std::string& name, int* i ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	const std::string* result = 0;
-
-	if ( attrib ) {
-		result = &attrib->ValueStr();
-		if ( i ) {
-			attrib->QueryIntValue( i );
-		}
-	}
-	return result;
-}
-#endif
-
-
-const char* TiXmlElement::Attribute( const char* name, double* d ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	const char* result = 0;
-
-	if ( attrib ) {
-		result = attrib->Value();
-		if ( d ) {
-			attrib->QueryDoubleValue( d );
-		}
-	}
-	return result;
-}
-
-
-#ifdef TIXML_USE_STL
-const std::string* TiXmlElement::Attribute( const std::string& name, double* d ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	const std::string* result = 0;
-
-	if ( attrib ) {
-		result = &attrib->ValueStr();
-		if ( d ) {
-			attrib->QueryDoubleValue( d );
-		}
-	}
-	return result;
-}
-#endif
-
-
-int TiXmlElement::QueryIntAttribute( const char* name, int* ival ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	if ( !attrib )
-		return TIXML_NO_ATTRIBUTE;
-	return attrib->QueryIntValue( ival );
-}
-
-
-int TiXmlElement::QueryUnsignedAttribute( const char* name, unsigned* value ) const
-{
-	const TiXmlAttribute* node = attributeSet.Find( name );
-	if ( !node )
-		return TIXML_NO_ATTRIBUTE;
-
-	int ival = 0;
-	int result = node->QueryIntValue( &ival );
-	*value = (unsigned)ival;
-	return result;
-}
-
-
-int TiXmlElement::QueryBoolAttribute( const char* name, bool* bval ) const
-{
-	const TiXmlAttribute* node = attributeSet.Find( name );
-	if ( !node )
-		return TIXML_NO_ATTRIBUTE;
-	
-	int result = TIXML_WRONG_TYPE;
-	if (    StringEqual( node->Value(), "true", true, TIXML_ENCODING_UNKNOWN ) 
-		 || StringEqual( node->Value(), "yes", true, TIXML_ENCODING_UNKNOWN ) 
-		 || StringEqual( node->Value(), "1", true, TIXML_ENCODING_UNKNOWN ) ) 
-	{
-		*bval = true;
-		result = TIXML_SUCCESS;
-	}
-	else if (    StringEqual( node->Value(), "false", true, TIXML_ENCODING_UNKNOWN ) 
-			  || StringEqual( node->Value(), "no", true, TIXML_ENCODING_UNKNOWN ) 
-			  || StringEqual( node->Value(), "0", true, TIXML_ENCODING_UNKNOWN ) ) 
-	{
-		*bval = false;
-		result = TIXML_SUCCESS;
-	}
-	return result;
-}
-
-
-
-#ifdef TIXML_USE_STL
-int TiXmlElement::QueryIntAttribute( const std::string& name, int* ival ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	if ( !attrib )
-		return TIXML_NO_ATTRIBUTE;
-	return attrib->QueryIntValue( ival );
-}
-#endif
-
-
-int TiXmlElement::QueryDoubleAttribute( const char* name, double* dval ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	if ( !attrib )
-		return TIXML_NO_ATTRIBUTE;
-	return attrib->QueryDoubleValue( dval );
-}
-
-
-#ifdef TIXML_USE_STL
-int TiXmlElement::QueryDoubleAttribute( const std::string& name, double* dval ) const
-{
-	const TiXmlAttribute* attrib = attributeSet.Find( name );
-	if ( !attrib )
-		return TIXML_NO_ATTRIBUTE;
-	return attrib->QueryDoubleValue( dval );
-}
-#endif
-
-
-void TiXmlElement::SetAttribute( const char * name, int val )
-{	
-	TiXmlAttribute* attrib = attributeSet.FindOrCreate( name );
-	if ( attrib ) {
-		attrib->SetIntValue( val );
-	}
-}
-
-
-#ifdef TIXML_USE_STL
-void TiXmlElement::SetAttribute( const std::string& name, int val )
-{	
-	TiXmlAttribute* attrib = attributeSet.FindOrCreate( name );
-	if ( attrib ) {
-		attrib->SetIntValue( val );
-	}
-}
-#endif
-
-
-void TiXmlElement::SetDoubleAttribute( const char * name, double val )
-{	
-	TiXmlAttribute* attrib = attributeSet.FindOrCreate( name );
-	if ( attrib ) {
-		attrib->SetDoubleValue( val );
-	}
-}
-
-
-#ifdef TIXML_USE_STL
-void TiXmlElement::SetDoubleAttribute( const std::string& name, double val )
-{	
-	TiXmlAttribute* attrib = attributeSet.FindOrCreate( name );
-	if ( attrib ) {
-		attrib->SetDoubleValue( val );
-	}
-}
-#endif 
-
-
-void TiXmlElement::SetAttribute( const char * cname, const char * cvalue )
-{
-	TiXmlAttribute* attrib = attributeSet.FindOrCreate( cname );
-	if ( attrib ) {
-		attrib->SetValue( cvalue );
-	}
-}
-
-
-#ifdef TIXML_USE_STL
-void TiXmlElement::SetAttribute( const std::string& _name, const std::string& _value )
-{
-	TiXmlAttribute* attrib = attributeSet.FindOrCreate( _name );
-	if ( attrib ) {
-		attrib->SetValue( _value );
-	}
-}
-#endif
-
-
-void TiXmlElement::Print( FILE* cfile, int depth ) const
-{
-	int i;
-	assert( cfile );
-	for ( i=0; i<depth; i++ ) {
-		fprintf( cfile, "    " );
-	}
-
-	fprintf( cfile, "<%s", value.c_str() );
-
-	const TiXmlAttribute* attrib;
-	for ( attrib = attributeSet.First(); attrib; attrib = attrib->Next() )
-	{
-		fprintf( cfile, " " );
-		attrib->Print( cfile, depth );
-	}
-
-	// There are 3 different formatting approaches:
-	// 1) An element without children is printed as a <foo /> node
-	// 2) An element with only a text child is printed as <foo> text </foo>
-	// 3) An element with children is printed on multiple lines.
-	TiXmlNode* node;
-	if ( !firstChild )
-	{
-		fprintf( cfile, " />" );
-	}
-	else if ( firstChild == lastChild && firstChild->ToText() )
-	{
-		fprintf( cfile, ">" );
-		firstChild->Print( cfile, depth + 1 );
-		fprintf( cfile, "</%s>", value.c_str() );
-	}
-	else
-	{
-		fprintf( cfile, ">" );
-
-		for ( node = firstChild; node; node=node->NextSibling() )
-		{
-			if ( !node->ToText() )
-			{
-				fprintf( cfile, "\n" );
-			}
-			node->Print( cfile, depth+1 );
-		}
-		fprintf( cfile, "\n" );
-		for( i=0; i<depth; ++i ) {
-			fprintf( cfile, "    " );
-		}
-		fprintf( cfile, "</%s>", value.c_str() );
-	}
-}
-
-
-void TiXmlElement::CopyTo( TiXmlElement* target ) const
-{
-	// superclass:
-	TiXmlNode::CopyTo( target );
-
-	// Element class: 
-	// Clone the attributes, then clone the children.
-	const TiXmlAttribute* attribute = 0;
-	for(	attribute = attributeSet.First();
-	attribute;
-	attribute = attribute->Next() )
-	{
-		target->SetAttribute( attribute->Name(), attribute->Value() );
-	}
-
-	TiXmlNode* node = 0;
-	for ( node = firstChild; node; node = node->NextSibling() )
-	{
-		target->LinkEndChild( node->Clone() );
-	}
-}
-
-bool TiXmlElement::Accept( TiXmlVisitor* visitor ) const
-{
-	if ( visitor->VisitEnter( *this, attributeSet.First() ) ) 
-	{
-		for ( const TiXmlNode* node=FirstChild(); node; node=node->NextSibling() )
-		{
-			if ( !node->Accept( visitor ) )
-				break;
-		}
-	}
-	return visitor->VisitExit( *this );
-}
-
-
-TiXmlNode* TiXmlElement::Clone() const
-{
-	TiXmlElement* clone = new TiXmlElement( Value() );
-	if ( !clone )
-		return 0;
-
-	CopyTo( clone );
-	return clone;
-}
-
-
-const char* TiXmlElement::GetText() const
-{
-	const TiXmlNode* child = this->FirstChild();
-	if ( child ) {
-		const TiXmlText* childText = child->ToText();
-		if ( childText ) {
-			return childText->Value();
-		}
-	}
-	return 0;
-}
-
-
-TiXmlDocument::TiXmlDocument() : TiXmlNode( TiXmlNode::TINYXML_DOCUMENT )
-{
-	tabsize = 4;
-	useMicrosoftBOM = false;
-	ClearError();
-}
-
-TiXmlDocument::TiXmlDocument( const char * documentName ) : TiXmlNode( TiXmlNode::TINYXML_DOCUMENT )
-{
-	tabsize = 4;
-	useMicrosoftBOM = false;
-	value = documentName;
-	ClearError();
-}
-
-
-#ifdef TIXML_USE_STL
-TiXmlDocument::TiXmlDocument( const std::string& documentName ) : TiXmlNode( TiXmlNode::TINYXML_DOCUMENT )
-{
-	tabsize = 4;
-	useMicrosoftBOM = false;
-    value = documentName;
-	ClearError();
-}
-#endif
-
-
-TiXmlDocument::TiXmlDocument( const TiXmlDocument& copy ) : TiXmlNode( TiXmlNode::TINYXML_DOCUMENT )
-{
-	copy.CopyTo( this );
-}
-
-
-TiXmlDocument& TiXmlDocument::operator=( const TiXmlDocument& copy )
-{
-	Clear();
-	copy.CopyTo( this );
-	return *this;
-}
-
-
-bool TiXmlDocument::LoadFile( TiXmlEncoding encoding )
-{
-	return LoadFile( Value(), encoding );
-}
-
-
-bool TiXmlDocument::SaveFile() const
-{
-	return SaveFile( Value() );
-}
-
-bool TiXmlDocument::LoadFile( const char* _filename, TiXmlEncoding encoding )
-{
-	TIXML_STRING filename( _filename );
-	value = filename;
-
-	// reading in binary mode so that tinyxml can normalize the EOL
-	FILE* file = TiXmlFOpen( value.c_str (), "rb" );	
-
-	if ( file )
-	{
-		bool result = LoadFile( file, encoding );
-		fclose( file );
-		return result;
-	}
-	else
-	{
-		SetError( TIXML_ERROR_OPENING_FILE, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return false;
-	}
-}
-
-bool TiXmlDocument::LoadFile( FILE* file, TiXmlEncoding encoding )
-{
-	if ( !file ) 
-	{
-		SetError( TIXML_ERROR_OPENING_FILE, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return false;
-	}
-
-	// Delete the existing data:
-	Clear();
-	location.Clear();
-
-	// Get the file size, so we can pre-allocate the string. HUGE speed impact.
-	long length = 0;
-	fseek( file, 0, SEEK_END );
-	length = ftell( file );
-	fseek( file, 0, SEEK_SET );
-
-	// Strange case, but good to handle up front.
-	if ( length <= 0 )
-	{
-		SetError( TIXML_ERROR_DOCUMENT_EMPTY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return false;
-	}
-
-	// Subtle bug here. TinyXml did use fgets. But from the XML spec:
-	// 2.11 End-of-Line Handling
-	// <snip>
-	// <quote>
-	// ...the XML processor MUST behave as if it normalized all line breaks in external 
-	// parsed entities (including the document entity) on input, before parsing, by translating 
-	// both the two-character sequence #xD #xA and any #xD that is not followed by #xA to 
-	// a single #xA character.
-	// </quote>
-	//
-	// It is not clear fgets does that, and certainly isn't clear it works cross platform. 
-	// Generally, you expect fgets to translate from the convention of the OS to the c/unix
-	// convention, and not work generally.
-
-	/*
-	while( fgets( buf, sizeof(buf), file ) )
-	{
-		data += buf;
-	}
-	*/
-
-	char* buf = new char[ length+1 ];
-	buf[0] = 0;
-
-	if ( fread( buf, length, 1, file ) != 1 ) {
-		delete [] buf;
-		SetError( TIXML_ERROR_OPENING_FILE, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return false;
-	}
-
-	// Process the buffer in place to normalize new lines. (See comment above.)
-	// Copies from the 'p' to 'q' pointer, where p can advance faster if
-	// a newline-carriage return is hit.
-	//
-	// Wikipedia:
-	// Systems based on ASCII or a compatible character set use either LF  (Line feed, '\n', 0x0A, 10 in decimal) or 
-	// CR (Carriage return, '\r', 0x0D, 13 in decimal) individually, or CR followed by LF (CR+LF, 0x0D 0x0A)...
-	//		* LF:    Multics, Unix and Unix-like systems (GNU/Linux, AIX, Xenix, Mac OS X, FreeBSD, etc.), BeOS, Amiga, RISC OS, and others
-    //		* CR+LF: DEC RT-11 and most other early non-Unix, non-IBM OSes, CP/M, MP/M, DOS, OS/2, Microsoft Windows, Symbian OS
-    //		* CR:    Commodore 8-bit machines, Apple II family, Mac OS up to version 9 and OS-9
-
-	const char* p = buf;	// the read head
-	char* q = buf;			// the write head
-	const char CR = 0x0d;
-	const char LF = 0x0a;
-
-	buf[length] = 0;
-	while( *p ) {
-		assert( p < (buf+length) );
-		assert( q <= (buf+length) );
-		assert( q <= p );
-
-		if ( *p == CR ) {
-			*q++ = LF;
-			p++;
-			if ( *p == LF ) {		// check for CR+LF (and skip LF)
-				p++;
-			}
-		}
-		else {
-			*q++ = *p++;
-		}
-	}
-	assert( q <= (buf+length) );
-	*q = 0;
-
-	Parse( buf, 0, encoding );
-
-	delete [] buf;
-	return !Error();
-}
-
-
-bool TiXmlDocument::SaveFile( const char * filename ) const
-{
-	// The old c stuff lives on...
-	FILE* fp = TiXmlFOpen( filename, "w" );
-	if ( fp )
-	{
-		bool result = SaveFile( fp );
-		fclose( fp );
-		return result;
-	}
-	return false;
-}
-
-
-bool TiXmlDocument::SaveFile( FILE* fp ) const
-{
-	if ( useMicrosoftBOM ) 
-	{
-		const unsigned char TIXML_UTF_LEAD_0 = 0xefU;
-		const unsigned char TIXML_UTF_LEAD_1 = 0xbbU;
-		const unsigned char TIXML_UTF_LEAD_2 = 0xbfU;
-
-		fputc( TIXML_UTF_LEAD_0, fp );
-		fputc( TIXML_UTF_LEAD_1, fp );
-		fputc( TIXML_UTF_LEAD_2, fp );
-	}
-	Print( fp, 0 );
-	return (ferror(fp) == 0);
-}
-
-
-void TiXmlDocument::CopyTo( TiXmlDocument* target ) const
-{
-	TiXmlNode::CopyTo( target );
-
-	target->error = error;
-	target->errorId = errorId;
-	target->errorDesc = errorDesc;
-	target->tabsize = tabsize;
-	target->errorLocation = errorLocation;
-	target->useMicrosoftBOM = useMicrosoftBOM;
-
-	TiXmlNode* node = 0;
-	for ( node = firstChild; node; node = node->NextSibling() )
-	{
-		target->LinkEndChild( node->Clone() );
-	}	
-}
-
-
-TiXmlNode* TiXmlDocument::Clone() const
-{
-	TiXmlDocument* clone = new TiXmlDocument();
-	if ( !clone )
-		return 0;
-
-	CopyTo( clone );
-	return clone;
-}
-
-
-void TiXmlDocument::Print( FILE* cfile, int depth ) const
-{
-	assert( cfile );
-	for ( const TiXmlNode* node=FirstChild(); node; node=node->NextSibling() )
-	{
-		node->Print( cfile, depth );
-		fprintf( cfile, "\n" );
-	}
-}
-
-
-bool TiXmlDocument::Accept( TiXmlVisitor* visitor ) const
-{
-	if ( visitor->VisitEnter( *this ) )
-	{
-		for ( const TiXmlNode* node=FirstChild(); node; node=node->NextSibling() )
-		{
-			if ( !node->Accept( visitor ) )
-				break;
-		}
-	}
-	return visitor->VisitExit( *this );
-}
-
-
-const TiXmlAttribute* TiXmlAttribute::Next() const
-{
-	// We are using knowledge of the sentinel. The sentinel
-	// have a value or name.
-	if ( next->value.empty() && next->name.empty() )
-		return 0;
-	return next;
-}
-
-/*
-TiXmlAttribute* TiXmlAttribute::Next()
-{
-	// We are using knowledge of the sentinel. The sentinel
-	// have a value or name.
-	if ( next->value.empty() && next->name.empty() )
-		return 0;
-	return next;
-}
-*/
-
-const TiXmlAttribute* TiXmlAttribute::Previous() const
-{
-	// We are using knowledge of the sentinel. The sentinel
-	// have a value or name.
-	if ( prev->value.empty() && prev->name.empty() )
-		return 0;
-	return prev;
-}
-
-/*
-TiXmlAttribute* TiXmlAttribute::Previous()
-{
-	// We are using knowledge of the sentinel. The sentinel
-	// have a value or name.
-	if ( prev->value.empty() && prev->name.empty() )
-		return 0;
-	return prev;
-}
-*/
-
-void TiXmlAttribute::Print( FILE* cfile, int /*depth*/, TIXML_STRING* str ) const
-{
-	TIXML_STRING n, v;
-
-	EncodeString( name, &n );
-	EncodeString( value, &v );
-
-	if (value.find ('\"') == TIXML_STRING::npos) {
-		if ( cfile ) {
-			fprintf (cfile, "%s=\"%s\"", n.c_str(), v.c_str() );
-		}
-		if ( str ) {
-			(*str) += n; (*str) += "=\""; (*str) += v; (*str) += "\"";
-		}
-	}
-	else {
-		if ( cfile ) {
-			fprintf (cfile, "%s='%s'", n.c_str(), v.c_str() );
-		}
-		if ( str ) {
-			(*str) += n; (*str) += "='"; (*str) += v; (*str) += "'";
-		}
-	}
-}
-
-
-int TiXmlAttribute::QueryIntValue( int* ival ) const
-{
-	if ( TIXML_SSCANF( value.c_str(), "%d", ival ) == 1 )
-		return TIXML_SUCCESS;
-	return TIXML_WRONG_TYPE;
-}
-
-int TiXmlAttribute::QueryDoubleValue( double* dval ) const
-{
-	if ( TIXML_SSCANF( value.c_str(), "%lf", dval ) == 1 )
-		return TIXML_SUCCESS;
-	return TIXML_WRONG_TYPE;
-}
-
-void TiXmlAttribute::SetIntValue( int _value )
-{
-	char buf [64];
-	#if defined(TIXML_SNPRINTF)		
-		TIXML_SNPRINTF(buf, sizeof(buf), "%d", _value);
-	#else
-		sprintf (buf, "%d", _value);
-	#endif
-	SetValue (buf);
-}
-
-void TiXmlAttribute::SetDoubleValue( double _value )
-{
-	char buf [256];
-	#if defined(TIXML_SNPRINTF)		
-		TIXML_SNPRINTF( buf, sizeof(buf), "%g", _value);
-	#else
-		sprintf (buf, "%g", _value);
-	#endif
-	SetValue (buf);
-}
-
-int TiXmlAttribute::IntValue() const
-{
-	return atoi (value.c_str ());
-}
-
-double  TiXmlAttribute::DoubleValue() const
-{
-	return atof (value.c_str ());
-}
-
-
-TiXmlComment::TiXmlComment( const TiXmlComment& copy ) : TiXmlNode( TiXmlNode::TINYXML_COMMENT )
-{
-	copy.CopyTo( this );
-}
-
-
-TiXmlComment& TiXmlComment::operator=( const TiXmlComment& base )
-{
-	Clear();
-	base.CopyTo( this );
-	return *this;
-}
-
-
-void TiXmlComment::Print( FILE* cfile, int depth ) const
-{
-	assert( cfile );
-	for ( int i=0; i<depth; i++ )
-	{
-		fprintf( cfile,  "    " );
-	}
-	fprintf( cfile, "<!--%s-->", value.c_str() );
-}
-
-
-void TiXmlComment::CopyTo( TiXmlComment* target ) const
-{
-	TiXmlNode::CopyTo( target );
-}
-
-
-bool TiXmlComment::Accept( TiXmlVisitor* visitor ) const
-{
-	return visitor->Visit( *this );
-}
-
-
-TiXmlNode* TiXmlComment::Clone() const
-{
-	TiXmlComment* clone = new TiXmlComment();
-
-	if ( !clone )
-		return 0;
-
-	CopyTo( clone );
-	return clone;
-}
-
-
-void TiXmlText::Print( FILE* cfile, int depth ) const
-{
-	assert( cfile );
-	if ( cdata )
-	{
-		int i;
-		fprintf( cfile, "\n" );
-		for ( i=0; i<depth; i++ ) {
-			fprintf( cfile, "    " );
-		}
-		fprintf( cfile, "<![CDATA[%s]]>\n", value.c_str() );	// unformatted output
-	}
-	else
-	{
-		TIXML_STRING buffer;
-		EncodeString( value, &buffer );
-		fprintf( cfile, "%s", buffer.c_str() );
-	}
-}
-
-
-void TiXmlText::CopyTo( TiXmlText* target ) const
-{
-	TiXmlNode::CopyTo( target );
-	target->cdata = cdata;
-}
-
-
-bool TiXmlText::Accept( TiXmlVisitor* visitor ) const
-{
-	return visitor->Visit( *this );
-}
-
-
-TiXmlNode* TiXmlText::Clone() const
-{	
-	TiXmlText* clone = 0;
-	clone = new TiXmlText( "" );
-
-	if ( !clone )
-		return 0;
-
-	CopyTo( clone );
-	return clone;
-}
-
-
-TiXmlDeclaration::TiXmlDeclaration( const char * _version,
-									const char * _encoding,
-									const char * _standalone )
-	: TiXmlNode( TiXmlNode::TINYXML_DECLARATION )
-{
-	version = _version;
-	encoding = _encoding;
-	standalone = _standalone;
-}
-
-
-#ifdef TIXML_USE_STL
-TiXmlDeclaration::TiXmlDeclaration(	const std::string& _version,
-									const std::string& _encoding,
-									const std::string& _standalone )
-	: TiXmlNode( TiXmlNode::TINYXML_DECLARATION )
-{
-	version = _version;
-	encoding = _encoding;
-	standalone = _standalone;
-}
-#endif
-
-
-TiXmlDeclaration::TiXmlDeclaration( const TiXmlDeclaration& copy )
-	: TiXmlNode( TiXmlNode::TINYXML_DECLARATION )
-{
-	copy.CopyTo( this );	
-}
-
-
-TiXmlDeclaration& TiXmlDeclaration::operator=( const TiXmlDeclaration& copy )
-{
-	Clear();
-	copy.CopyTo( this );
-	return *this;
-}
-
-
-void TiXmlDeclaration::Print( FILE* cfile, int /*depth*/, TIXML_STRING* str ) const
-{
-	if ( cfile ) fprintf( cfile, "<?xml " );
-	if ( str )	 (*str) += "<?xml ";
-
-	if ( !version.empty() ) {
-		if ( cfile ) fprintf (cfile, "version=\"%s\" ", version.c_str ());
-		if ( str ) { (*str) += "version=\""; (*str) += version; (*str) += "\" "; }
-	}
-	if ( !encoding.empty() ) {
-		if ( cfile ) fprintf (cfile, "encoding=\"%s\" ", encoding.c_str ());
-		if ( str ) { (*str) += "encoding=\""; (*str) += encoding; (*str) += "\" "; }
-	}
-	if ( !standalone.empty() ) {
-		if ( cfile ) fprintf (cfile, "standalone=\"%s\" ", standalone.c_str ());
-		if ( str ) { (*str) += "standalone=\""; (*str) += standalone; (*str) += "\" "; }
-	}
-	if ( cfile ) fprintf( cfile, "?>" );
-	if ( str )	 (*str) += "?>";
-}
-
-
-void TiXmlDeclaration::CopyTo( TiXmlDeclaration* target ) const
-{
-	TiXmlNode::CopyTo( target );
-
-	target->version = version;
-	target->encoding = encoding;
-	target->standalone = standalone;
-}
-
-
-bool TiXmlDeclaration::Accept( TiXmlVisitor* visitor ) const
-{
-	return visitor->Visit( *this );
-}
-
-
-TiXmlNode* TiXmlDeclaration::Clone() const
-{	
-	TiXmlDeclaration* clone = new TiXmlDeclaration();
-
-	if ( !clone )
-		return 0;
-
-	CopyTo( clone );
-	return clone;
-}
-
-
-void TiXmlUnknown::Print( FILE* cfile, int depth ) const
-{
-	for ( int i=0; i<depth; i++ )
-		fprintf( cfile, "    " );
-	fprintf( cfile, "<%s>", value.c_str() );
-}
-
-
-void TiXmlUnknown::CopyTo( TiXmlUnknown* target ) const
-{
-	TiXmlNode::CopyTo( target );
-}
-
-
-bool TiXmlUnknown::Accept( TiXmlVisitor* visitor ) const
-{
-	return visitor->Visit( *this );
-}
-
-
-TiXmlNode* TiXmlUnknown::Clone() const
-{
-	TiXmlUnknown* clone = new TiXmlUnknown();
-
-	if ( !clone )
-		return 0;
-
-	CopyTo( clone );
-	return clone;
-}
-
-
-TiXmlAttributeSet::TiXmlAttributeSet()
-{
-	sentinel.next = &sentinel;
-	sentinel.prev = &sentinel;
-}
-
-
-TiXmlAttributeSet::~TiXmlAttributeSet()
-{
-	assert( sentinel.next == &sentinel );
-	assert( sentinel.prev == &sentinel );
-}
-
-
-void TiXmlAttributeSet::Add( TiXmlAttribute* addMe )
-{
-    #ifdef TIXML_USE_STL
-	assert( !Find( TIXML_STRING( addMe->Name() ) ) );	// Shouldn't be multiply adding to the set.
-	#else
-	assert( !Find( addMe->Name() ) );	// Shouldn't be multiply adding to the set.
-	#endif
-
-	addMe->next = &sentinel;
-	addMe->prev = sentinel.prev;
-
-	sentinel.prev->next = addMe;
-	sentinel.prev      = addMe;
-}
-
-void TiXmlAttributeSet::Remove( TiXmlAttribute* removeMe )
-{
-	TiXmlAttribute* node;
-
-	for( node = sentinel.next; node != &sentinel; node = node->next )
-	{
-		if ( node == removeMe )
-		{
-			node->prev->next = node->next;
-			node->next->prev = node->prev;
-			node->next = 0;
-			node->prev = 0;
-			return;
-		}
-	}
-	assert( 0 );		// we tried to remove a non-linked attribute.
-}
-
-
-#ifdef TIXML_USE_STL
-TiXmlAttribute* TiXmlAttributeSet::Find( const std::string& name ) const
-{
-	for( TiXmlAttribute* node = sentinel.next; node != &sentinel; node = node->next )
-	{
-		if ( node->name == name )
-			return node;
-	}
-	return 0;
-}
-
-TiXmlAttribute* TiXmlAttributeSet::FindOrCreate( const std::string& _name )
-{
-	TiXmlAttribute* attrib = Find( _name );
-	if ( !attrib ) {
-		attrib = new TiXmlAttribute();
-		Add( attrib );
-		attrib->SetName( _name );
-	}
-	return attrib;
-}
-#endif
-
-
-TiXmlAttribute* TiXmlAttributeSet::Find( const char* name ) const
-{
-	for( TiXmlAttribute* node = sentinel.next; node != &sentinel; node = node->next )
-	{
-		if ( strcmp( node->name.c_str(), name ) == 0 )
-			return node;
-	}
-	return 0;
-}
-
-
-TiXmlAttribute* TiXmlAttributeSet::FindOrCreate( const char* _name )
-{
-	TiXmlAttribute* attrib = Find( _name );
-	if ( !attrib ) {
-		attrib = new TiXmlAttribute();
-		Add( attrib );
-		attrib->SetName( _name );
-	}
-	return attrib;
-}
-
-
-#ifdef TIXML_USE_STL	
-std::istream& operator>> (std::istream & in, TiXmlNode & base)
-{
-	TIXML_STRING tag;
-	tag.reserve( 8 * 1000 );
-	base.StreamIn( &in, &tag );
-
-	base.Parse( tag.c_str(), 0, TIXML_DEFAULT_ENCODING );
-	return in;
-}
-#endif
-
-
-#ifdef TIXML_USE_STL	
-std::ostream& operator<< (std::ostream & out, const TiXmlNode & base)
-{
-	TiXmlPrinter printer;
-	printer.SetStreamPrinting();
-	base.Accept( &printer );
-	out << printer.Str();
-
-	return out;
-}
-
-
-std::string& operator<< (std::string& out, const TiXmlNode& base )
-{
-	TiXmlPrinter printer;
-	printer.SetStreamPrinting();
-	base.Accept( &printer );
-	out.append( printer.Str() );
-
-	return out;
-}
-#endif
-
-
-TiXmlHandle TiXmlHandle::FirstChild() const
-{
-	if ( node )
-	{
-		TiXmlNode* child = node->FirstChild();
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-TiXmlHandle TiXmlHandle::FirstChild( const char * value ) const
-{
-	if ( node )
-	{
-		TiXmlNode* child = node->FirstChild( value );
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-TiXmlHandle TiXmlHandle::FirstChildElement() const
-{
-	if ( node )
-	{
-		TiXmlElement* child = node->FirstChildElement();
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-TiXmlHandle TiXmlHandle::FirstChildElement( const char * value ) const
-{
-	if ( node )
-	{
-		TiXmlElement* child = node->FirstChildElement( value );
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-TiXmlHandle TiXmlHandle::Child( int count ) const
-{
-	if ( node )
-	{
-		int i;
-		TiXmlNode* child = node->FirstChild();
-		for (	i=0;
-				child && i<count;
-				child = child->NextSibling(), ++i )
-		{
-			// nothing
-		}
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-TiXmlHandle TiXmlHandle::Child( const char* value, int count ) const
-{
-	if ( node )
-	{
-		int i;
-		TiXmlNode* child = node->FirstChild( value );
-		for (	i=0;
-				child && i<count;
-				child = child->NextSibling( value ), ++i )
-		{
-			// nothing
-		}
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-TiXmlHandle TiXmlHandle::ChildElement( int count ) const
-{
-	if ( node )
-	{
-		int i;
-		TiXmlElement* child = node->FirstChildElement();
-		for (	i=0;
-				child && i<count;
-				child = child->NextSiblingElement(), ++i )
-		{
-			// nothing
-		}
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-TiXmlHandle TiXmlHandle::ChildElement( const char* value, int count ) const
-{
-	if ( node )
-	{
-		int i;
-		TiXmlElement* child = node->FirstChildElement( value );
-		for (	i=0;
-				child && i<count;
-				child = child->NextSiblingElement( value ), ++i )
-		{
-			// nothing
-		}
-		if ( child )
-			return TiXmlHandle( child );
-	}
-	return TiXmlHandle( 0 );
-}
-
-
-bool TiXmlPrinter::VisitEnter( const TiXmlDocument& )
-{
-	return true;
-}
-
-bool TiXmlPrinter::VisitExit( const TiXmlDocument& )
-{
-	return true;
-}
-
-bool TiXmlPrinter::VisitEnter( const TiXmlElement& element, const TiXmlAttribute* firstAttribute )
-{
-	DoIndent();
-	buffer += "<";
-	buffer += element.Value();
-
-	for( const TiXmlAttribute* attrib = firstAttribute; attrib; attrib = attrib->Next() )
-	{
-		buffer += " ";
-		attrib->Print( 0, 0, &buffer );
-	}
-
-	if ( !element.FirstChild() ) 
-	{
-		buffer += " />";
-		DoLineBreak();
-	}
-	else 
-	{
-		buffer += ">";
-		if (    element.FirstChild()->ToText()
-			  && element.LastChild() == element.FirstChild()
-			  && element.FirstChild()->ToText()->CDATA() == false )
-		{
-			simpleTextPrint = true;
-			// no DoLineBreak()!
-		}
-		else
-		{
-			DoLineBreak();
-		}
-	}
-	++depth;	
-	return true;
-}
-
-
-bool TiXmlPrinter::VisitExit( const TiXmlElement& element )
-{
-	--depth;
-	if ( !element.FirstChild() ) 
-	{
-		// nothing.
-	}
-	else 
-	{
-		if ( simpleTextPrint )
-		{
-			simpleTextPrint = false;
-		}
-		else
-		{
-			DoIndent();
-		}
-		buffer += "</";
-		buffer += element.Value();
-		buffer += ">";
-		DoLineBreak();
-	}
-	return true;
-}
-
-
-bool TiXmlPrinter::Visit( const TiXmlText& text )
-{
-	if ( text.CDATA() )
-	{
-		DoIndent();
-		buffer += "<![CDATA[";
-		buffer += text.Value();
-		buffer += "]]>";
-		DoLineBreak();
-	}
-	else if ( simpleTextPrint )
-	{
-		TIXML_STRING str;
-		TiXmlBase::EncodeString( text.ValueTStr(), &str );
-		buffer += str;
-	}
-	else
-	{
-		DoIndent();
-		TIXML_STRING str;
-		TiXmlBase::EncodeString( text.ValueTStr(), &str );
-		buffer += str;
-		DoLineBreak();
-	}
-	return true;
-}
-
-
-bool TiXmlPrinter::Visit( const TiXmlDeclaration& declaration )
-{
-	DoIndent();
-	declaration.Print( 0, 0, &buffer );
-	DoLineBreak();
-	return true;
-}
-
-
-bool TiXmlPrinter::Visit( const TiXmlComment& comment )
-{
-	DoIndent();
-	buffer += "<!--";
-	buffer += comment.Value();
-	buffer += "-->";
-	DoLineBreak();
-	return true;
-}
-
-
-bool TiXmlPrinter::Visit( const TiXmlUnknown& unknown )
-{
-	DoIndent();
-	buffer += "<";
-	buffer += unknown.Value();
-	buffer += ">";
-	DoLineBreak();
-	return true;
-}
-
diff --git a/ctrtool/tinyxml/tinyxml.h b/ctrtool/tinyxml/tinyxml.h
deleted file mode 100644
index eea0f069..00000000
--- a/ctrtool/tinyxml/tinyxml.h
+++ /dev/null
@@ -1,1805 +0,0 @@
-/*
-www.sourceforge.net/projects/tinyxml
-Original code by Lee Thomason (www.grinninglizard.com)
-
-This software is provided 'as-is', without any express or implied
-warranty. In no event will the authors be held liable for any
-damages arising from the use of this software.
-
-Permission is granted to anyone to use this software for any
-purpose, including commercial applications, and to alter it and
-redistribute it freely, subject to the following restrictions:
-
-1. The origin of this software must not be misrepresented; you must
-not claim that you wrote the original software. If you use this
-software in a product, an acknowledgment in the product documentation
-would be appreciated but is not required.
-
-2. Altered source versions must be plainly marked as such, and
-must not be misrepresented as being the original software.
-
-3. This notice may not be removed or altered from any source
-distribution.
-*/
-
-
-#ifndef TINYXML_INCLUDED
-#define TINYXML_INCLUDED
-
-#ifdef _MSC_VER
-#pragma warning( push )
-#pragma warning( disable : 4530 )
-#pragma warning( disable : 4786 )
-#endif
-
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-
-// Help out windows:
-#if defined( _DEBUG ) && !defined( DEBUG )
-#define DEBUG
-#endif
-
-#ifdef TIXML_USE_STL
-	#include <string>
- 	#include <iostream>
-	#include <sstream>
-	#define TIXML_STRING		std::string
-#else
-	#include "tinyxml/tinystr.h"
-	#define TIXML_STRING		TiXmlString
-#endif
-
-// Deprecated library function hell. Compilers want to use the
-// new safe versions. This probably doesn't fully address the problem,
-// but it gets closer. There are too many compilers for me to fully
-// test. If you get compilation troubles, undefine TIXML_SAFE
-#define TIXML_SAFE
-
-#ifdef TIXML_SAFE
-	#if defined(_MSC_VER) && (_MSC_VER >= 1400 )
-		// Microsoft visual studio, version 2005 and higher.
-		#define TIXML_SNPRINTF _snprintf_s
-		#define TIXML_SSCANF   sscanf_s
-	#elif defined(_MSC_VER) && (_MSC_VER >= 1200 )
-		// Microsoft visual studio, version 6 and higher.
-		//#pragma message( "Using _sn* functions." )
-		#define TIXML_SNPRINTF _snprintf
-		#define TIXML_SSCANF   sscanf
-	#elif defined(__GNUC__) && (__GNUC__ >= 3 )
-		// GCC version 3 and higher.s
-		//#warning( "Using sn* functions." )
-		#define TIXML_SNPRINTF snprintf
-		#define TIXML_SSCANF   sscanf
-	#else
-		#define TIXML_SNPRINTF snprintf
-		#define TIXML_SSCANF   sscanf
-	#endif
-#endif	
-
-class TiXmlDocument;
-class TiXmlElement;
-class TiXmlComment;
-class TiXmlUnknown;
-class TiXmlAttribute;
-class TiXmlText;
-class TiXmlDeclaration;
-class TiXmlParsingData;
-
-const int TIXML_MAJOR_VERSION = 2;
-const int TIXML_MINOR_VERSION = 6;
-const int TIXML_PATCH_VERSION = 2;
-
-/*	Internal structure for tracking location of items 
-	in the XML file.
-*/
-struct TiXmlCursor
-{
-	TiXmlCursor()		{ Clear(); }
-	void Clear()		{ row = col = -1; }
-
-	int row;	// 0 based.
-	int col;	// 0 based.
-};
-
-
-/**
-	Implements the interface to the "Visitor pattern" (see the Accept() method.)
-	If you call the Accept() method, it requires being passed a TiXmlVisitor
-	class to handle callbacks. For nodes that contain other nodes (Document, Element)
-	you will get called with a VisitEnter/VisitExit pair. Nodes that are always leaves
-	are simply called with Visit().
-
-	If you return 'true' from a Visit method, recursive parsing will continue. If you return
-	false, <b>no children of this node or its sibilings</b> will be Visited.
-
-	All flavors of Visit methods have a default implementation that returns 'true' (continue 
-	visiting). You need to only override methods that are interesting to you.
-
-	Generally Accept() is called on the TiXmlDocument, although all nodes suppert Visiting.
-
-	You should never change the document from a callback.
-
-	@sa TiXmlNode::Accept()
-*/
-class TiXmlVisitor
-{
-public:
-	virtual ~TiXmlVisitor() {}
-
-	/// Visit a document.
-	virtual bool VisitEnter( const TiXmlDocument& /*doc*/ )			{ return true; }
-	/// Visit a document.
-	virtual bool VisitExit( const TiXmlDocument& /*doc*/ )			{ return true; }
-
-	/// Visit an element.
-	virtual bool VisitEnter( const TiXmlElement& /*element*/, const TiXmlAttribute* /*firstAttribute*/ )	{ return true; }
-	/// Visit an element.
-	virtual bool VisitExit( const TiXmlElement& /*element*/ )		{ return true; }
-
-	/// Visit a declaration
-	virtual bool Visit( const TiXmlDeclaration& /*declaration*/ )	{ return true; }
-	/// Visit a text node
-	virtual bool Visit( const TiXmlText& /*text*/ )					{ return true; }
-	/// Visit a comment node
-	virtual bool Visit( const TiXmlComment& /*comment*/ )			{ return true; }
-	/// Visit an unknown node
-	virtual bool Visit( const TiXmlUnknown& /*unknown*/ )			{ return true; }
-};
-
-// Only used by Attribute::Query functions
-enum 
-{ 
-	TIXML_SUCCESS,
-	TIXML_NO_ATTRIBUTE,
-	TIXML_WRONG_TYPE
-};
-
-
-// Used by the parsing routines.
-enum TiXmlEncoding
-{
-	TIXML_ENCODING_UNKNOWN,
-	TIXML_ENCODING_UTF8,
-	TIXML_ENCODING_LEGACY
-};
-
-const TiXmlEncoding TIXML_DEFAULT_ENCODING = TIXML_ENCODING_UNKNOWN;
-
-/** TiXmlBase is a base class for every class in TinyXml.
-	It does little except to establish that TinyXml classes
-	can be printed and provide some utility functions.
-
-	In XML, the document and elements can contain
-	other elements and other types of nodes.
-
-	@verbatim
-	A Document can contain:	Element	(container or leaf)
-							Comment (leaf)
-							Unknown (leaf)
-							Declaration( leaf )
-
-	An Element can contain:	Element (container or leaf)
-							Text	(leaf)
-							Attributes (not on tree)
-							Comment (leaf)
-							Unknown (leaf)
-
-	A Decleration contains: Attributes (not on tree)
-	@endverbatim
-*/
-class TiXmlBase
-{
-	friend class TiXmlNode;
-	friend class TiXmlElement;
-	friend class TiXmlDocument;
-
-public:
-	TiXmlBase()	:	userData(0)		{}
-	virtual ~TiXmlBase()			{}
-
-	/**	All TinyXml classes can print themselves to a filestream
-		or the string class (TiXmlString in non-STL mode, std::string
-		in STL mode.) Either or both cfile and str can be null.
-		
-		This is a formatted print, and will insert 
-		tabs and newlines.
-		
-		(For an unformatted stream, use the << operator.)
-	*/
-	virtual void Print( FILE* cfile, int depth ) const = 0;
-
-	/**	The world does not agree on whether white space should be kept or
-		not. In order to make everyone happy, these global, static functions
-		are provided to set whether or not TinyXml will condense all white space
-		into a single space or not. The default is to condense. Note changing this
-		value is not thread safe.
-	*/
-	static void SetCondenseWhiteSpace( bool condense )		{ condenseWhiteSpace = condense; }
-
-	/// Return the current white space setting.
-	static bool IsWhiteSpaceCondensed()						{ return condenseWhiteSpace; }
-
-	/** Return the position, in the original source file, of this node or attribute.
-		The row and column are 1-based. (That is the first row and first column is
-		1,1). If the returns values are 0 or less, then the parser does not have
-		a row and column value.
-
-		Generally, the row and column value will be set when the TiXmlDocument::Load(),
-		TiXmlDocument::LoadFile(), or any TiXmlNode::Parse() is called. It will NOT be set
-		when the DOM was created from operator>>.
-
-		The values reflect the initial load. Once the DOM is modified programmatically
-		(by adding or changing nodes and attributes) the new values will NOT update to
-		reflect changes in the document.
-
-		There is a minor performance cost to computing the row and column. Computation
-		can be disabled if TiXmlDocument::SetTabSize() is called with 0 as the value.
-
-		@sa TiXmlDocument::SetTabSize()
-	*/
-	int Row() const			{ return location.row + 1; }
-	int Column() const		{ return location.col + 1; }	///< See Row()
-
-	void  SetUserData( void* user )			{ userData = user; }	///< Set a pointer to arbitrary user data.
-	void* GetUserData()						{ return userData; }	///< Get a pointer to arbitrary user data.
-	const void* GetUserData() const 		{ return userData; }	///< Get a pointer to arbitrary user data.
-
-	// Table that returs, for a given lead byte, the total number of bytes
-	// in the UTF-8 sequence.
-	static const int utf8ByteTable[256];
-
-	virtual const char* Parse(	const char* p, 
-								TiXmlParsingData* data, 
-								TiXmlEncoding encoding /*= TIXML_ENCODING_UNKNOWN */ ) = 0;
-
-	/** Expands entities in a string. Note this should not contian the tag's '<', '>', etc, 
-		or they will be transformed into entities!
-	*/
-	static void EncodeString( const TIXML_STRING& str, TIXML_STRING* out );
-
-	enum
-	{
-		TIXML_NO_ERROR = 0,
-		TIXML_ERROR,
-		TIXML_ERROR_OPENING_FILE,
-		TIXML_ERROR_PARSING_ELEMENT,
-		TIXML_ERROR_FAILED_TO_READ_ELEMENT_NAME,
-		TIXML_ERROR_READING_ELEMENT_VALUE,
-		TIXML_ERROR_READING_ATTRIBUTES,
-		TIXML_ERROR_PARSING_EMPTY,
-		TIXML_ERROR_READING_END_TAG,
-		TIXML_ERROR_PARSING_UNKNOWN,
-		TIXML_ERROR_PARSING_COMMENT,
-		TIXML_ERROR_PARSING_DECLARATION,
-		TIXML_ERROR_DOCUMENT_EMPTY,
-		TIXML_ERROR_EMBEDDED_NULL,
-		TIXML_ERROR_PARSING_CDATA,
-		TIXML_ERROR_DOCUMENT_TOP_ONLY,
-
-		TIXML_ERROR_STRING_COUNT
-	};
-
-protected:
-
-	static const char* SkipWhiteSpace( const char*, TiXmlEncoding encoding );
-
-	inline static bool IsWhiteSpace( char c )		
-	{ 
-		return ( isspace( (unsigned char) c ) || c == '\n' || c == '\r' ); 
-	}
-	inline static bool IsWhiteSpace( int c )
-	{
-		if ( c < 256 )
-			return IsWhiteSpace( (char) c );
-		return false;	// Again, only truly correct for English/Latin...but usually works.
-	}
-
-	#ifdef TIXML_USE_STL
-	static bool	StreamWhiteSpace( std::istream * in, TIXML_STRING * tag );
-	static bool StreamTo( std::istream * in, int character, TIXML_STRING * tag );
-	#endif
-
-	/*	Reads an XML name into the string provided. Returns
-		a pointer just past the last character of the name,
-		or 0 if the function has an error.
-	*/
-	static const char* ReadName( const char* p, TIXML_STRING* name, TiXmlEncoding encoding );
-
-	/*	Reads text. Returns a pointer past the given end tag.
-		Wickedly complex options, but it keeps the (sensitive) code in one place.
-	*/
-	static const char* ReadText(	const char* in,				// where to start
-									TIXML_STRING* text,			// the string read
-									bool ignoreWhiteSpace,		// whether to keep the white space
-									const char* endTag,			// what ends this text
-									bool ignoreCase,			// whether to ignore case in the end tag
-									TiXmlEncoding encoding );	// the current encoding
-
-	// If an entity has been found, transform it into a character.
-	static const char* GetEntity( const char* in, char* value, int* length, TiXmlEncoding encoding );
-
-	// Get a character, while interpreting entities.
-	// The length can be from 0 to 4 bytes.
-	inline static const char* GetChar( const char* p, char* _value, int* length, TiXmlEncoding encoding )
-	{
-		assert( p );
-		if ( encoding == TIXML_ENCODING_UTF8 )
-		{
-			*length = utf8ByteTable[ *((const unsigned char*)p) ];
-			assert( *length >= 0 && *length < 5 );
-		}
-		else
-		{
-			*length = 1;
-		}
-
-		if ( *length == 1 )
-		{
-			if ( *p == '&' )
-				return GetEntity( p, _value, length, encoding );
-			*_value = *p;
-			return p+1;
-		}
-		else if ( *length )
-		{
-			//strncpy( _value, p, *length );	// lots of compilers don't like this function (unsafe),
-												// and the null terminator isn't needed
-			for( int i=0; p[i] && i<*length; ++i ) {
-				_value[i] = p[i];
-			}
-			return p + (*length);
-		}
-		else
-		{
-			// Not valid text.
-			return 0;
-		}
-	}
-
-	// Return true if the next characters in the stream are any of the endTag sequences.
-	// Ignore case only works for english, and should only be relied on when comparing
-	// to English words: StringEqual( p, "version", true ) is fine.
-	static bool StringEqual(	const char* p,
-								const char* endTag,
-								bool ignoreCase,
-								TiXmlEncoding encoding );
-
-	static const char* errorString[ TIXML_ERROR_STRING_COUNT ];
-
-	TiXmlCursor location;
-
-    /// Field containing a generic user pointer
-	void*			userData;
-	
-	// None of these methods are reliable for any language except English.
-	// Good for approximation, not great for accuracy.
-	static int IsAlpha( unsigned char anyByte, TiXmlEncoding encoding );
-	static int IsAlphaNum( unsigned char anyByte, TiXmlEncoding encoding );
-	inline static int ToLower( int v, TiXmlEncoding encoding )
-	{
-		if ( encoding == TIXML_ENCODING_UTF8 )
-		{
-			if ( v < 128 ) return tolower( v );
-			return v;
-		}
-		else
-		{
-			return tolower( v );
-		}
-	}
-	static void ConvertUTF32ToUTF8( unsigned long input, char* output, int* length );
-
-private:
-	TiXmlBase( const TiXmlBase& );				// not implemented.
-	void operator=( const TiXmlBase& base );	// not allowed.
-
-	struct Entity
-	{
-		const char*     str;
-		unsigned int	strLength;
-		char		    chr;
-	};
-	enum
-	{
-		NUM_ENTITY = 5,
-		MAX_ENTITY_LENGTH = 6
-
-	};
-	static Entity entity[ NUM_ENTITY ];
-	static bool condenseWhiteSpace;
-};
-
-
-/** The parent class for everything in the Document Object Model.
-	(Except for attributes).
-	Nodes have siblings, a parent, and children. A node can be
-	in a document, or stand on its own. The type of a TiXmlNode
-	can be queried, and it can be cast to its more defined type.
-*/
-class TiXmlNode : public TiXmlBase
-{
-	friend class TiXmlDocument;
-	friend class TiXmlElement;
-
-public:
-	#ifdef TIXML_USE_STL	
-
-	    /** An input stream operator, for every class. Tolerant of newlines and
-		    formatting, but doesn't expect them.
-	    */
-	    friend std::istream& operator >> (std::istream& in, TiXmlNode& base);
-
-	    /** An output stream operator, for every class. Note that this outputs
-		    without any newlines or formatting, as opposed to Print(), which
-		    includes tabs and new lines.
-
-		    The operator<< and operator>> are not completely symmetric. Writing
-		    a node to a stream is very well defined. You'll get a nice stream
-		    of output, without any extra whitespace or newlines.
-		    
-		    But reading is not as well defined. (As it always is.) If you create
-		    a TiXmlElement (for example) and read that from an input stream,
-		    the text needs to define an element or junk will result. This is
-		    true of all input streams, but it's worth keeping in mind.
-
-		    A TiXmlDocument will read nodes until it reads a root element, and
-			all the children of that root element.
-	    */	
-	    friend std::ostream& operator<< (std::ostream& out, const TiXmlNode& base);
-
-		/// Appends the XML node or attribute to a std::string.
-		friend std::string& operator<< (std::string& out, const TiXmlNode& base );
-
-	#endif
-
-	/** The types of XML nodes supported by TinyXml. (All the
-			unsupported types are picked up by UNKNOWN.)
-	*/
-	enum NodeType
-	{
-		TINYXML_DOCUMENT,
-		TINYXML_ELEMENT,
-		TINYXML_COMMENT,
-		TINYXML_UNKNOWN,
-		TINYXML_TEXT,
-		TINYXML_DECLARATION,
-		TINYXML_TYPECOUNT
-	};
-
-	virtual ~TiXmlNode();
-
-	/** The meaning of 'value' changes for the specific type of
-		TiXmlNode.
-		@verbatim
-		Document:	filename of the xml file
-		Element:	name of the element
-		Comment:	the comment text
-		Unknown:	the tag contents
-		Text:		the text string
-		@endverbatim
-
-		The subclasses will wrap this function.
-	*/
-	const char *Value() const { return value.c_str (); }
-
-    #ifdef TIXML_USE_STL
-	/** Return Value() as a std::string. If you only use STL,
-	    this is more efficient than calling Value().
-		Only available in STL mode.
-	*/
-	const std::string& ValueStr() const { return value; }
-	#endif
-
-	const TIXML_STRING& ValueTStr() const { return value; }
-
-	/** Changes the value of the node. Defined as:
-		@verbatim
-		Document:	filename of the xml file
-		Element:	name of the element
-		Comment:	the comment text
-		Unknown:	the tag contents
-		Text:		the text string
-		@endverbatim
-	*/
-	void SetValue(const char * _value) { value = _value;}
-
-    #ifdef TIXML_USE_STL
-	/// STL std::string form.
-	void SetValue( const std::string& _value )	{ value = _value; }
-	#endif
-
-	/// Delete all the children of this node. Does not affect 'this'.
-	void Clear();
-
-	/// One step up the DOM.
-	TiXmlNode* Parent()							{ return parent; }
-	const TiXmlNode* Parent() const				{ return parent; }
-
-	const TiXmlNode* FirstChild()	const		{ return firstChild; }	///< The first child of this node. Will be null if there are no children.
-	TiXmlNode* FirstChild()						{ return firstChild; }
-	const TiXmlNode* FirstChild( const char * value ) const;			///< The first child of this node with the matching 'value'. Will be null if none found.
-	/// The first child of this node with the matching 'value'. Will be null if none found.
-	TiXmlNode* FirstChild( const char * _value ) {
-		// Call through to the const version - safe since nothing is changed. Exiting syntax: cast this to a const (always safe)
-		// call the method, cast the return back to non-const.
-		return const_cast< TiXmlNode* > ((const_cast< const TiXmlNode* >(this))->FirstChild( _value ));
-	}
-	const TiXmlNode* LastChild() const	{ return lastChild; }		/// The last child of this node. Will be null if there are no children.
-	TiXmlNode* LastChild()	{ return lastChild; }
-	
-	const TiXmlNode* LastChild( const char * value ) const;			/// The last child of this node matching 'value'. Will be null if there are no children.
-	TiXmlNode* LastChild( const char * _value ) {
-		return const_cast< TiXmlNode* > ((const_cast< const TiXmlNode* >(this))->LastChild( _value ));
-	}
-
-    #ifdef TIXML_USE_STL
-	const TiXmlNode* FirstChild( const std::string& _value ) const	{	return FirstChild (_value.c_str ());	}	///< STL std::string form.
-	TiXmlNode* FirstChild( const std::string& _value )				{	return FirstChild (_value.c_str ());	}	///< STL std::string form.
-	const TiXmlNode* LastChild( const std::string& _value ) const	{	return LastChild (_value.c_str ());	}	///< STL std::string form.
-	TiXmlNode* LastChild( const std::string& _value )				{	return LastChild (_value.c_str ());	}	///< STL std::string form.
-	#endif
-
-	/** An alternate way to walk the children of a node.
-		One way to iterate over nodes is:
-		@verbatim
-			for( child = parent->FirstChild(); child; child = child->NextSibling() )
-		@endverbatim
-
-		IterateChildren does the same thing with the syntax:
-		@verbatim
-			child = 0;
-			while( child = parent->IterateChildren( child ) )
-		@endverbatim
-
-		IterateChildren takes the previous child as input and finds
-		the next one. If the previous child is null, it returns the
-		first. IterateChildren will return null when done.
-	*/
-	const TiXmlNode* IterateChildren( const TiXmlNode* previous ) const;
-	TiXmlNode* IterateChildren( const TiXmlNode* previous ) {
-		return const_cast< TiXmlNode* >( (const_cast< const TiXmlNode* >(this))->IterateChildren( previous ) );
-	}
-
-	/// This flavor of IterateChildren searches for children with a particular 'value'
-	const TiXmlNode* IterateChildren( const char * value, const TiXmlNode* previous ) const;
-	TiXmlNode* IterateChildren( const char * _value, const TiXmlNode* previous ) {
-		return const_cast< TiXmlNode* >( (const_cast< const TiXmlNode* >(this))->IterateChildren( _value, previous ) );
-	}
-
-    #ifdef TIXML_USE_STL
-	const TiXmlNode* IterateChildren( const std::string& _value, const TiXmlNode* previous ) const	{	return IterateChildren (_value.c_str (), previous);	}	///< STL std::string form.
-	TiXmlNode* IterateChildren( const std::string& _value, const TiXmlNode* previous ) {	return IterateChildren (_value.c_str (), previous);	}	///< STL std::string form.
-	#endif
-
-	/** Add a new node related to this. Adds a child past the LastChild.
-		Returns a pointer to the new object or NULL if an error occured.
-	*/
-	TiXmlNode* InsertEndChild( const TiXmlNode& addThis );
-
-
-	/** Add a new node related to this. Adds a child past the LastChild.
-
-		NOTE: the node to be added is passed by pointer, and will be
-		henceforth owned (and deleted) by tinyXml. This method is efficient
-		and avoids an extra copy, but should be used with care as it
-		uses a different memory model than the other insert functions.
-
-		@sa InsertEndChild
-	*/
-	TiXmlNode* LinkEndChild( TiXmlNode* addThis );
-
-	/** Add a new node related to this. Adds a child before the specified child.
-		Returns a pointer to the new object or NULL if an error occured.
-	*/
-	TiXmlNode* InsertBeforeChild( TiXmlNode* beforeThis, const TiXmlNode& addThis );
-
-	/** Add a new node related to this. Adds a child after the specified child.
-		Returns a pointer to the new object or NULL if an error occured.
-	*/
-	TiXmlNode* InsertAfterChild(  TiXmlNode* afterThis, const TiXmlNode& addThis );
-
-	/** Replace a child of this node.
-		Returns a pointer to the new object or NULL if an error occured.
-	*/
-	TiXmlNode* ReplaceChild( TiXmlNode* replaceThis, const TiXmlNode& withThis );
-
-	/// Delete a child of this node.
-	bool RemoveChild( TiXmlNode* removeThis );
-
-	/// Navigate to a sibling node.
-	const TiXmlNode* PreviousSibling() const			{ return prev; }
-	TiXmlNode* PreviousSibling()						{ return prev; }
-
-	/// Navigate to a sibling node.
-	const TiXmlNode* PreviousSibling( const char * ) const;
-	TiXmlNode* PreviousSibling( const char *_prev ) {
-		return const_cast< TiXmlNode* >( (const_cast< const TiXmlNode* >(this))->PreviousSibling( _prev ) );
-	}
-
-    #ifdef TIXML_USE_STL
-	const TiXmlNode* PreviousSibling( const std::string& _value ) const	{	return PreviousSibling (_value.c_str ());	}	///< STL std::string form.
-	TiXmlNode* PreviousSibling( const std::string& _value ) 			{	return PreviousSibling (_value.c_str ());	}	///< STL std::string form.
-	const TiXmlNode* NextSibling( const std::string& _value) const		{	return NextSibling (_value.c_str ());	}	///< STL std::string form.
-	TiXmlNode* NextSibling( const std::string& _value) 					{	return NextSibling (_value.c_str ());	}	///< STL std::string form.
-	#endif
-
-	/// Navigate to a sibling node.
-	const TiXmlNode* NextSibling() const				{ return next; }
-	TiXmlNode* NextSibling()							{ return next; }
-
-	/// Navigate to a sibling node with the given 'value'.
-	const TiXmlNode* NextSibling( const char * ) const;
-	TiXmlNode* NextSibling( const char* _next ) {
-		return const_cast< TiXmlNode* >( (const_cast< const TiXmlNode* >(this))->NextSibling( _next ) );
-	}
-
-	/** Convenience function to get through elements.
-		Calls NextSibling and ToElement. Will skip all non-Element
-		nodes. Returns 0 if there is not another element.
-	*/
-	const TiXmlElement* NextSiblingElement() const;
-	TiXmlElement* NextSiblingElement() {
-		return const_cast< TiXmlElement* >( (const_cast< const TiXmlNode* >(this))->NextSiblingElement() );
-	}
-
-	/** Convenience function to get through elements.
-		Calls NextSibling and ToElement. Will skip all non-Element
-		nodes. Returns 0 if there is not another element.
-	*/
-	const TiXmlElement* NextSiblingElement( const char * ) const;
-	TiXmlElement* NextSiblingElement( const char *_next ) {
-		return const_cast< TiXmlElement* >( (const_cast< const TiXmlNode* >(this))->NextSiblingElement( _next ) );
-	}
-
-    #ifdef TIXML_USE_STL
-	const TiXmlElement* NextSiblingElement( const std::string& _value) const	{	return NextSiblingElement (_value.c_str ());	}	///< STL std::string form.
-	TiXmlElement* NextSiblingElement( const std::string& _value)				{	return NextSiblingElement (_value.c_str ());	}	///< STL std::string form.
-	#endif
-
-	/// Convenience function to get through elements.
-	const TiXmlElement* FirstChildElement()	const;
-	TiXmlElement* FirstChildElement() {
-		return const_cast< TiXmlElement* >( (const_cast< const TiXmlNode* >(this))->FirstChildElement() );
-	}
-
-	/// Convenience function to get through elements.
-	const TiXmlElement* FirstChildElement( const char * _value ) const;
-	TiXmlElement* FirstChildElement( const char * _value ) {
-		return const_cast< TiXmlElement* >( (const_cast< const TiXmlNode* >(this))->FirstChildElement( _value ) );
-	}
-
-    #ifdef TIXML_USE_STL
-	const TiXmlElement* FirstChildElement( const std::string& _value ) const	{	return FirstChildElement (_value.c_str ());	}	///< STL std::string form.
-	TiXmlElement* FirstChildElement( const std::string& _value )				{	return FirstChildElement (_value.c_str ());	}	///< STL std::string form.
-	#endif
-
-	/** Query the type (as an enumerated value, above) of this node.
-		The possible types are: TINYXML_DOCUMENT, TINYXML_ELEMENT, TINYXML_COMMENT,
-								TINYXML_UNKNOWN, TINYXML_TEXT, and TINYXML_DECLARATION.
-	*/
-	int Type() const	{ return type; }
-
-	/** Return a pointer to the Document this node lives in.
-		Returns null if not in a document.
-	*/
-	const TiXmlDocument* GetDocument() const;
-	TiXmlDocument* GetDocument() {
-		return const_cast< TiXmlDocument* >( (const_cast< const TiXmlNode* >(this))->GetDocument() );
-	}
-
-	/// Returns true if this node has no children.
-	bool NoChildren() const						{ return !firstChild; }
-
-	virtual const TiXmlDocument*    ToDocument()    const { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual const TiXmlElement*     ToElement()     const { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual const TiXmlComment*     ToComment()     const { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual const TiXmlUnknown*     ToUnknown()     const { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual const TiXmlText*        ToText()        const { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual const TiXmlDeclaration* ToDeclaration() const { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-
-	virtual TiXmlDocument*          ToDocument()    { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual TiXmlElement*           ToElement()	    { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual TiXmlComment*           ToComment()     { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual TiXmlUnknown*           ToUnknown()	    { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual TiXmlText*	            ToText()        { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-	virtual TiXmlDeclaration*       ToDeclaration() { return 0; } ///< Cast to a more defined type. Will return null if not of the requested type.
-
-	/** Create an exact duplicate of this node and return it. The memory must be deleted
-		by the caller. 
-	*/
-	virtual TiXmlNode* Clone() const = 0;
-
-	/** Accept a hierchical visit the nodes in the TinyXML DOM. Every node in the 
-		XML tree will be conditionally visited and the host will be called back
-		via the TiXmlVisitor interface.
-
-		This is essentially a SAX interface for TinyXML. (Note however it doesn't re-parse
-		the XML for the callbacks, so the performance of TinyXML is unchanged by using this
-		interface versus any other.)
-
-		The interface has been based on ideas from:
-
-		- http://www.saxproject.org/
-		- http://c2.com/cgi/wiki?HierarchicalVisitorPattern 
-
-		Which are both good references for "visiting".
-
-		An example of using Accept():
-		@verbatim
-		TiXmlPrinter printer;
-		tinyxmlDoc.Accept( &printer );
-		const char* xmlcstr = printer.CStr();
-		@endverbatim
-	*/
-	virtual bool Accept( TiXmlVisitor* visitor ) const = 0;
-
-protected:
-	TiXmlNode( NodeType _type );
-
-	// Copy to the allocated object. Shared functionality between Clone, Copy constructor,
-	// and the assignment operator.
-	void CopyTo( TiXmlNode* target ) const;
-
-	#ifdef TIXML_USE_STL
-	    // The real work of the input operator.
-	virtual void StreamIn( std::istream* in, TIXML_STRING* tag ) = 0;
-	#endif
-
-	// Figure out what is at *p, and parse it. Returns null if it is not an xml node.
-	TiXmlNode* Identify( const char* start, TiXmlEncoding encoding );
-
-	TiXmlNode*		parent;
-	NodeType		type;
-
-	TiXmlNode*		firstChild;
-	TiXmlNode*		lastChild;
-
-	TIXML_STRING	value;
-
-	TiXmlNode*		prev;
-	TiXmlNode*		next;
-
-private:
-	TiXmlNode( const TiXmlNode& );				// not implemented.
-	void operator=( const TiXmlNode& base );	// not allowed.
-};
-
-
-/** An attribute is a name-value pair. Elements have an arbitrary
-	number of attributes, each with a unique name.
-
-	@note The attributes are not TiXmlNodes, since they are not
-		  part of the tinyXML document object model. There are other
-		  suggested ways to look at this problem.
-*/
-class TiXmlAttribute : public TiXmlBase
-{
-	friend class TiXmlAttributeSet;
-
-public:
-	/// Construct an empty attribute.
-	TiXmlAttribute() : TiXmlBase()
-	{
-		document = 0;
-		prev = next = 0;
-	}
-
-	#ifdef TIXML_USE_STL
-	/// std::string constructor.
-	TiXmlAttribute( const std::string& _name, const std::string& _value )
-	{
-		name = _name;
-		value = _value;
-		document = 0;
-		prev = next = 0;
-	}
-	#endif
-
-	/// Construct an attribute with a name and value.
-	TiXmlAttribute( const char * _name, const char * _value )
-	{
-		name = _name;
-		value = _value;
-		document = 0;
-		prev = next = 0;
-	}
-
-	const char*		Name()  const		{ return name.c_str(); }		///< Return the name of this attribute.
-	const char*		Value() const		{ return value.c_str(); }		///< Return the value of this attribute.
-	#ifdef TIXML_USE_STL
-	const std::string& ValueStr() const	{ return value; }				///< Return the value of this attribute.
-	#endif
-	int				IntValue() const;									///< Return the value of this attribute, converted to an integer.
-	double			DoubleValue() const;								///< Return the value of this attribute, converted to a double.
-
-	// Get the tinyxml string representation
-	const TIXML_STRING& NameTStr() const { return name; }
-
-	/** QueryIntValue examines the value string. It is an alternative to the
-		IntValue() method with richer error checking.
-		If the value is an integer, it is stored in 'value' and 
-		the call returns TIXML_SUCCESS. If it is not
-		an integer, it returns TIXML_WRONG_TYPE.
-
-		A specialized but useful call. Note that for success it returns 0,
-		which is the opposite of almost all other TinyXml calls.
-	*/
-	int QueryIntValue( int* _value ) const;
-	/// QueryDoubleValue examines the value string. See QueryIntValue().
-	int QueryDoubleValue( double* _value ) const;
-
-	void SetName( const char* _name )	{ name = _name; }				///< Set the name of this attribute.
-	void SetValue( const char* _value )	{ value = _value; }				///< Set the value.
-
-	void SetIntValue( int _value );										///< Set the value from an integer.
-	void SetDoubleValue( double _value );								///< Set the value from a double.
-
-    #ifdef TIXML_USE_STL
-	/// STL std::string form.
-	void SetName( const std::string& _name )	{ name = _name; }	
-	/// STL std::string form.	
-	void SetValue( const std::string& _value )	{ value = _value; }
-	#endif
-
-	/// Get the next sibling attribute in the DOM. Returns null at end.
-	const TiXmlAttribute* Next() const;
-	TiXmlAttribute* Next() {
-		return const_cast< TiXmlAttribute* >( (const_cast< const TiXmlAttribute* >(this))->Next() ); 
-	}
-
-	/// Get the previous sibling attribute in the DOM. Returns null at beginning.
-	const TiXmlAttribute* Previous() const;
-	TiXmlAttribute* Previous() {
-		return const_cast< TiXmlAttribute* >( (const_cast< const TiXmlAttribute* >(this))->Previous() ); 
-	}
-
-	bool operator==( const TiXmlAttribute& rhs ) const { return rhs.name == name; }
-	bool operator<( const TiXmlAttribute& rhs )	 const { return name < rhs.name; }
-	bool operator>( const TiXmlAttribute& rhs )  const { return name > rhs.name; }
-
-	/*	Attribute parsing starts: first letter of the name
-						 returns: the next char after the value end quote
-	*/
-	virtual const char* Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding );
-
-	// Prints this Attribute to a FILE stream.
-	virtual void Print( FILE* cfile, int depth ) const {
-		Print( cfile, depth, 0 );
-	}
-	void Print( FILE* cfile, int depth, TIXML_STRING* str ) const;
-
-	// [internal use]
-	// Set the document pointer so the attribute can report errors.
-	void SetDocument( TiXmlDocument* doc )	{ document = doc; }
-
-private:
-	TiXmlAttribute( const TiXmlAttribute& );				// not implemented.
-	void operator=( const TiXmlAttribute& base );	// not allowed.
-
-	TiXmlDocument*	document;	// A pointer back to a document, for error reporting.
-	TIXML_STRING name;
-	TIXML_STRING value;
-	TiXmlAttribute*	prev;
-	TiXmlAttribute*	next;
-};
-
-
-/*	A class used to manage a group of attributes.
-	It is only used internally, both by the ELEMENT and the DECLARATION.
-	
-	The set can be changed transparent to the Element and Declaration
-	classes that use it, but NOT transparent to the Attribute
-	which has to implement a next() and previous() method. Which makes
-	it a bit problematic and prevents the use of STL.
-
-	This version is implemented with circular lists because:
-		- I like circular lists
-		- it demonstrates some independence from the (typical) doubly linked list.
-*/
-class TiXmlAttributeSet
-{
-public:
-	TiXmlAttributeSet();
-	~TiXmlAttributeSet();
-
-	void Add( TiXmlAttribute* attribute );
-	void Remove( TiXmlAttribute* attribute );
-
-	const TiXmlAttribute* First()	const	{ return ( sentinel.next == &sentinel ) ? 0 : sentinel.next; }
-	TiXmlAttribute* First()					{ return ( sentinel.next == &sentinel ) ? 0 : sentinel.next; }
-	const TiXmlAttribute* Last() const		{ return ( sentinel.prev == &sentinel ) ? 0 : sentinel.prev; }
-	TiXmlAttribute* Last()					{ return ( sentinel.prev == &sentinel ) ? 0 : sentinel.prev; }
-
-	TiXmlAttribute*	Find( const char* _name ) const;
-	TiXmlAttribute* FindOrCreate( const char* _name );
-
-#	ifdef TIXML_USE_STL
-	TiXmlAttribute*	Find( const std::string& _name ) const;
-	TiXmlAttribute* FindOrCreate( const std::string& _name );
-#	endif
-
-
-private:
-	//*ME:	Because of hidden/disabled copy-construktor in TiXmlAttribute (sentinel-element),
-	//*ME:	this class must be also use a hidden/disabled copy-constructor !!!
-	TiXmlAttributeSet( const TiXmlAttributeSet& );	// not allowed
-	void operator=( const TiXmlAttributeSet& );	// not allowed (as TiXmlAttribute)
-
-	TiXmlAttribute sentinel;
-};
-
-
-/** The element is a container class. It has a value, the element name,
-	and can contain other elements, text, comments, and unknowns.
-	Elements also contain an arbitrary number of attributes.
-*/
-class TiXmlElement : public TiXmlNode
-{
-public:
-	/// Construct an element.
-	TiXmlElement (const char * in_value);
-
-	#ifdef TIXML_USE_STL
-	/// std::string constructor.
-	TiXmlElement( const std::string& _value );
-	#endif
-
-	TiXmlElement( const TiXmlElement& );
-
-	TiXmlElement& operator=( const TiXmlElement& base );
-
-	virtual ~TiXmlElement();
-
-	/** Given an attribute name, Attribute() returns the value
-		for the attribute of that name, or null if none exists.
-	*/
-	const char* Attribute( const char* name ) const;
-
-	/** Given an attribute name, Attribute() returns the value
-		for the attribute of that name, or null if none exists.
-		If the attribute exists and can be converted to an integer,
-		the integer value will be put in the return 'i', if 'i'
-		is non-null.
-	*/
-	const char* Attribute( const char* name, int* i ) const;
-
-	/** Given an attribute name, Attribute() returns the value
-		for the attribute of that name, or null if none exists.
-		If the attribute exists and can be converted to an double,
-		the double value will be put in the return 'd', if 'd'
-		is non-null.
-	*/
-	const char* Attribute( const char* name, double* d ) const;
-
-	/** QueryIntAttribute examines the attribute - it is an alternative to the
-		Attribute() method with richer error checking.
-		If the attribute is an integer, it is stored in 'value' and 
-		the call returns TIXML_SUCCESS. If it is not
-		an integer, it returns TIXML_WRONG_TYPE. If the attribute
-		does not exist, then TIXML_NO_ATTRIBUTE is returned.
-	*/	
-	int QueryIntAttribute( const char* name, int* _value ) const;
-	/// QueryUnsignedAttribute examines the attribute - see QueryIntAttribute().
-	int QueryUnsignedAttribute( const char* name, unsigned* _value ) const;
-	/** QueryBoolAttribute examines the attribute - see QueryIntAttribute(). 
-		Note that '1', 'true', or 'yes' are considered true, while '0', 'false'
-		and 'no' are considered false.
-	*/
-	int QueryBoolAttribute( const char* name, bool* _value ) const;
-	/// QueryDoubleAttribute examines the attribute - see QueryIntAttribute().
-	int QueryDoubleAttribute( const char* name, double* _value ) const;
-	/// QueryFloatAttribute examines the attribute - see QueryIntAttribute().
-	int QueryFloatAttribute( const char* name, float* _value ) const {
-		double d;
-		int result = QueryDoubleAttribute( name, &d );
-		if ( result == TIXML_SUCCESS ) {
-			*_value = (float)d;
-		}
-		return result;
-	}
-
-    #ifdef TIXML_USE_STL
-	/// QueryStringAttribute examines the attribute - see QueryIntAttribute().
-	int QueryStringAttribute( const char* name, std::string* _value ) const {
-		const char* cstr = Attribute( name );
-		if ( cstr ) {
-			*_value = std::string( cstr );
-			return TIXML_SUCCESS;
-		}
-		return TIXML_NO_ATTRIBUTE;
-	}
-
-	/** Template form of the attribute query which will try to read the
-		attribute into the specified type. Very easy, very powerful, but
-		be careful to make sure to call this with the correct type.
-		
-		NOTE: This method doesn't work correctly for 'string' types that contain spaces.
-
-		@return TIXML_SUCCESS, TIXML_WRONG_TYPE, or TIXML_NO_ATTRIBUTE
-	*/
-	template< typename T > int QueryValueAttribute( const std::string& name, T* outValue ) const
-	{
-		const TiXmlAttribute* node = attributeSet.Find( name );
-		if ( !node )
-			return TIXML_NO_ATTRIBUTE;
-
-		std::stringstream sstream( node->ValueStr() );
-		sstream >> *outValue;
-		if ( !sstream.fail() )
-			return TIXML_SUCCESS;
-		return TIXML_WRONG_TYPE;
-	}
-
-	int QueryValueAttribute( const std::string& name, std::string* outValue ) const
-	{
-		const TiXmlAttribute* node = attributeSet.Find( name );
-		if ( !node )
-			return TIXML_NO_ATTRIBUTE;
-		*outValue = node->ValueStr();
-		return TIXML_SUCCESS;
-	}
-	#endif
-
-	/** Sets an attribute of name to a given value. The attribute
-		will be created if it does not exist, or changed if it does.
-	*/
-	void SetAttribute( const char* name, const char * _value );
-
-    #ifdef TIXML_USE_STL
-	const std::string* Attribute( const std::string& name ) const;
-	const std::string* Attribute( const std::string& name, int* i ) const;
-	const std::string* Attribute( const std::string& name, double* d ) const;
-	int QueryIntAttribute( const std::string& name, int* _value ) const;
-	int QueryDoubleAttribute( const std::string& name, double* _value ) const;
-
-	/// STL std::string form.
-	void SetAttribute( const std::string& name, const std::string& _value );
-	///< STL std::string form.
-	void SetAttribute( const std::string& name, int _value );
-	///< STL std::string form.
-	void SetDoubleAttribute( const std::string& name, double value );
-	#endif
-
-	/** Sets an attribute of name to a given value. The attribute
-		will be created if it does not exist, or changed if it does.
-	*/
-	void SetAttribute( const char * name, int value );
-
-	/** Sets an attribute of name to a given value. The attribute
-		will be created if it does not exist, or changed if it does.
-	*/
-	void SetDoubleAttribute( const char * name, double value );
-
-	/** Deletes an attribute with the given name.
-	*/
-	void RemoveAttribute( const char * name );
-    #ifdef TIXML_USE_STL
-	void RemoveAttribute( const std::string& name )	{	RemoveAttribute (name.c_str ());	}	///< STL std::string form.
-	#endif
-
-	const TiXmlAttribute* FirstAttribute() const	{ return attributeSet.First(); }		///< Access the first attribute in this element.
-	TiXmlAttribute* FirstAttribute() 				{ return attributeSet.First(); }
-	const TiXmlAttribute* LastAttribute()	const 	{ return attributeSet.Last(); }		///< Access the last attribute in this element.
-	TiXmlAttribute* LastAttribute()					{ return attributeSet.Last(); }
-
-	/** Convenience function for easy access to the text inside an element. Although easy
-		and concise, GetText() is limited compared to getting the TiXmlText child
-		and accessing it directly.
-	
-		If the first child of 'this' is a TiXmlText, the GetText()
-		returns the character string of the Text node, else null is returned.
-
-		This is a convenient method for getting the text of simple contained text:
-		@verbatim
-		<foo>This is text</foo>
-		const char* str = fooElement->GetText();
-		@endverbatim
-
-		'str' will be a pointer to "This is text". 
-		
-		Note that this function can be misleading. If the element foo was created from
-		this XML:
-		@verbatim
-		<foo><b>This is text</b></foo> 
-		@endverbatim
-
-		then the value of str would be null. The first child node isn't a text node, it is
-		another element. From this XML:
-		@verbatim
-		<foo>This is <b>text</b></foo> 
-		@endverbatim
-		GetText() will return "This is ".
-
-		WARNING: GetText() accesses a child node - don't become confused with the 
-				 similarly named TiXmlHandle::Text() and TiXmlNode::ToText() which are 
-				 safe type casts on the referenced node.
-	*/
-	const char* GetText() const;
-
-	/// Creates a new Element and returns it - the returned element is a copy.
-	virtual TiXmlNode* Clone() const;
-	// Print the Element to a FILE stream.
-	virtual void Print( FILE* cfile, int depth ) const;
-
-	/*	Attribtue parsing starts: next char past '<'
-						 returns: next char past '>'
-	*/
-	virtual const char* Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding );
-
-	virtual const TiXmlElement*     ToElement()     const { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-	virtual TiXmlElement*           ToElement()	          { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-
-	/** Walk the XML tree visiting this node and all of its children. 
-	*/
-	virtual bool Accept( TiXmlVisitor* visitor ) const;
-
-protected:
-
-	void CopyTo( TiXmlElement* target ) const;
-	void ClearThis();	// like clear, but initializes 'this' object as well
-
-	// Used to be public [internal use]
-	#ifdef TIXML_USE_STL
-	virtual void StreamIn( std::istream * in, TIXML_STRING * tag );
-	#endif
-	/*	[internal use]
-		Reads the "value" of the element -- another element, or text.
-		This should terminate with the current end tag.
-	*/
-	const char* ReadValue( const char* in, TiXmlParsingData* prevData, TiXmlEncoding encoding );
-
-private:
-	TiXmlAttributeSet attributeSet;
-};
-
-
-/**	An XML comment.
-*/
-class TiXmlComment : public TiXmlNode
-{
-public:
-	/// Constructs an empty comment.
-	TiXmlComment() : TiXmlNode( TiXmlNode::TINYXML_COMMENT ) {}
-	/// Construct a comment from text.
-	TiXmlComment( const char* _value ) : TiXmlNode( TiXmlNode::TINYXML_COMMENT ) {
-		SetValue( _value );
-	}
-	TiXmlComment( const TiXmlComment& );
-	TiXmlComment& operator=( const TiXmlComment& base );
-
-	virtual ~TiXmlComment()	{}
-
-	/// Returns a copy of this Comment.
-	virtual TiXmlNode* Clone() const;
-	// Write this Comment to a FILE stream.
-	virtual void Print( FILE* cfile, int depth ) const;
-
-	/*	Attribtue parsing starts: at the ! of the !--
-						 returns: next char past '>'
-	*/
-	virtual const char* Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding );
-
-	virtual const TiXmlComment*  ToComment() const	{ return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-	virtual		  TiXmlComment*  ToComment()		{ return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-
-	/** Walk the XML tree visiting this node and all of its children. 
-	*/
-	virtual bool Accept( TiXmlVisitor* visitor ) const;
-
-protected:
-	void CopyTo( TiXmlComment* target ) const;
-
-	// used to be public
-	#ifdef TIXML_USE_STL
-	virtual void StreamIn( std::istream * in, TIXML_STRING * tag );
-	#endif
-//	virtual void StreamOut( TIXML_OSTREAM * out ) const;
-
-private:
-
-};
-
-
-/** XML text. A text node can have 2 ways to output the next. "normal" output 
-	and CDATA. It will default to the mode it was parsed from the XML file and
-	you generally want to leave it alone, but you can change the output mode with 
-	SetCDATA() and query it with CDATA().
-*/
-class TiXmlText : public TiXmlNode
-{
-	friend class TiXmlElement;
-public:
-	/** Constructor for text element. By default, it is treated as 
-		normal, encoded text. If you want it be output as a CDATA text
-		element, set the parameter _cdata to 'true'
-	*/
-	TiXmlText (const char * initValue ) : TiXmlNode (TiXmlNode::TINYXML_TEXT)
-	{
-		SetValue( initValue );
-		cdata = false;
-	}
-	virtual ~TiXmlText() {}
-
-	#ifdef TIXML_USE_STL
-	/// Constructor.
-	TiXmlText( const std::string& initValue ) : TiXmlNode (TiXmlNode::TINYXML_TEXT)
-	{
-		SetValue( initValue );
-		cdata = false;
-	}
-	#endif
-
-	TiXmlText( const TiXmlText& copy ) : TiXmlNode( TiXmlNode::TINYXML_TEXT )	{ copy.CopyTo( this ); }
-	TiXmlText& operator=( const TiXmlText& base )							 	{ base.CopyTo( this ); return *this; }
-
-	// Write this text object to a FILE stream.
-	virtual void Print( FILE* cfile, int depth ) const;
-
-	/// Queries whether this represents text using a CDATA section.
-	bool CDATA() const				{ return cdata; }
-	/// Turns on or off a CDATA representation of text.
-	void SetCDATA( bool _cdata )	{ cdata = _cdata; }
-
-	virtual const char* Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding );
-
-	virtual const TiXmlText* ToText() const { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-	virtual TiXmlText*       ToText()       { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-
-	/** Walk the XML tree visiting this node and all of its children. 
-	*/
-	virtual bool Accept( TiXmlVisitor* content ) const;
-
-protected :
-	///  [internal use] Creates a new Element and returns it.
-	virtual TiXmlNode* Clone() const;
-	void CopyTo( TiXmlText* target ) const;
-
-	bool Blank() const;	// returns true if all white space and new lines
-	// [internal use]
-	#ifdef TIXML_USE_STL
-	virtual void StreamIn( std::istream * in, TIXML_STRING * tag );
-	#endif
-
-private:
-	bool cdata;			// true if this should be input and output as a CDATA style text element
-};
-
-
-/** In correct XML the declaration is the first entry in the file.
-	@verbatim
-		<?xml version="1.0" standalone="yes"?>
-	@endverbatim
-
-	TinyXml will happily read or write files without a declaration,
-	however. There are 3 possible attributes to the declaration:
-	version, encoding, and standalone.
-
-	Note: In this version of the code, the attributes are
-	handled as special cases, not generic attributes, simply
-	because there can only be at most 3 and they are always the same.
-*/
-class TiXmlDeclaration : public TiXmlNode
-{
-public:
-	/// Construct an empty declaration.
-	TiXmlDeclaration()   : TiXmlNode( TiXmlNode::TINYXML_DECLARATION ) {}
-
-#ifdef TIXML_USE_STL
-	/// Constructor.
-	TiXmlDeclaration(	const std::string& _version,
-						const std::string& _encoding,
-						const std::string& _standalone );
-#endif
-
-	/// Construct.
-	TiXmlDeclaration(	const char* _version,
-						const char* _encoding,
-						const char* _standalone );
-
-	TiXmlDeclaration( const TiXmlDeclaration& copy );
-	TiXmlDeclaration& operator=( const TiXmlDeclaration& copy );
-
-	virtual ~TiXmlDeclaration()	{}
-
-	/// Version. Will return an empty string if none was found.
-	const char *Version() const			{ return version.c_str (); }
-	/// Encoding. Will return an empty string if none was found.
-	const char *Encoding() const		{ return encoding.c_str (); }
-	/// Is this a standalone document?
-	const char *Standalone() const		{ return standalone.c_str (); }
-
-	/// Creates a copy of this Declaration and returns it.
-	virtual TiXmlNode* Clone() const;
-	// Print this declaration to a FILE stream.
-	virtual void Print( FILE* cfile, int depth, TIXML_STRING* str ) const;
-	virtual void Print( FILE* cfile, int depth ) const {
-		Print( cfile, depth, 0 );
-	}
-
-	virtual const char* Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding );
-
-	virtual const TiXmlDeclaration* ToDeclaration() const { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-	virtual TiXmlDeclaration*       ToDeclaration()       { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-
-	/** Walk the XML tree visiting this node and all of its children. 
-	*/
-	virtual bool Accept( TiXmlVisitor* visitor ) const;
-
-protected:
-	void CopyTo( TiXmlDeclaration* target ) const;
-	// used to be public
-	#ifdef TIXML_USE_STL
-	virtual void StreamIn( std::istream * in, TIXML_STRING * tag );
-	#endif
-
-private:
-
-	TIXML_STRING version;
-	TIXML_STRING encoding;
-	TIXML_STRING standalone;
-};
-
-
-/** Any tag that tinyXml doesn't recognize is saved as an
-	unknown. It is a tag of text, but should not be modified.
-	It will be written back to the XML, unchanged, when the file
-	is saved.
-
-	DTD tags get thrown into TiXmlUnknowns.
-*/
-class TiXmlUnknown : public TiXmlNode
-{
-public:
-	TiXmlUnknown() : TiXmlNode( TiXmlNode::TINYXML_UNKNOWN )	{}
-	virtual ~TiXmlUnknown() {}
-
-	TiXmlUnknown( const TiXmlUnknown& copy ) : TiXmlNode( TiXmlNode::TINYXML_UNKNOWN )		{ copy.CopyTo( this ); }
-	TiXmlUnknown& operator=( const TiXmlUnknown& copy )										{ copy.CopyTo( this ); return *this; }
-
-	/// Creates a copy of this Unknown and returns it.
-	virtual TiXmlNode* Clone() const;
-	// Print this Unknown to a FILE stream.
-	virtual void Print( FILE* cfile, int depth ) const;
-
-	virtual const char* Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding );
-
-	virtual const TiXmlUnknown*     ToUnknown()     const	{ return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-	virtual TiXmlUnknown*           ToUnknown()				{ return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-
-	/** Walk the XML tree visiting this node and all of its children. 
-	*/
-	virtual bool Accept( TiXmlVisitor* content ) const;
-
-protected:
-	void CopyTo( TiXmlUnknown* target ) const;
-
-	#ifdef TIXML_USE_STL
-	virtual void StreamIn( std::istream * in, TIXML_STRING * tag );
-	#endif
-
-private:
-
-};
-
-
-/** Always the top level node. A document binds together all the
-	XML pieces. It can be saved, loaded, and printed to the screen.
-	The 'value' of a document node is the xml file name.
-*/
-class TiXmlDocument : public TiXmlNode
-{
-public:
-	/// Create an empty document, that has no name.
-	TiXmlDocument();
-	/// Create a document with a name. The name of the document is also the filename of the xml.
-	TiXmlDocument( const char * documentName );
-
-	#ifdef TIXML_USE_STL
-	/// Constructor.
-	TiXmlDocument( const std::string& documentName );
-	#endif
-
-	TiXmlDocument( const TiXmlDocument& copy );
-	TiXmlDocument& operator=( const TiXmlDocument& copy );
-
-	virtual ~TiXmlDocument() {}
-
-	/** Load a file using the current document value.
-		Returns true if successful. Will delete any existing
-		document data before loading.
-	*/
-	bool LoadFile( TiXmlEncoding encoding = TIXML_DEFAULT_ENCODING );
-	/// Save a file using the current document value. Returns true if successful.
-	bool SaveFile() const;
-	/// Load a file using the given filename. Returns true if successful.
-	bool LoadFile( const char * filename, TiXmlEncoding encoding = TIXML_DEFAULT_ENCODING );
-	/// Save a file using the given filename. Returns true if successful.
-	bool SaveFile( const char * filename ) const;
-	/** Load a file using the given FILE*. Returns true if successful. Note that this method
-		doesn't stream - the entire object pointed at by the FILE*
-		will be interpreted as an XML file. TinyXML doesn't stream in XML from the current
-		file location. Streaming may be added in the future.
-	*/
-	bool LoadFile( FILE*, TiXmlEncoding encoding = TIXML_DEFAULT_ENCODING );
-	/// Save a file using the given FILE*. Returns true if successful.
-	bool SaveFile( FILE* ) const;
-
-	#ifdef TIXML_USE_STL
-	bool LoadFile( const std::string& filename, TiXmlEncoding encoding = TIXML_DEFAULT_ENCODING )			///< STL std::string version.
-	{
-		return LoadFile( filename.c_str(), encoding );
-	}
-	bool SaveFile( const std::string& filename ) const		///< STL std::string version.
-	{
-		return SaveFile( filename.c_str() );
-	}
-	#endif
-
-	/** Parse the given null terminated block of xml data. Passing in an encoding to this
-		method (either TIXML_ENCODING_LEGACY or TIXML_ENCODING_UTF8 will force TinyXml
-		to use that encoding, regardless of what TinyXml might otherwise try to detect.
-	*/
-	virtual const char* Parse( const char* p, TiXmlParsingData* data = 0, TiXmlEncoding encoding = TIXML_DEFAULT_ENCODING );
-
-	/** Get the root element -- the only top level element -- of the document.
-		In well formed XML, there should only be one. TinyXml is tolerant of
-		multiple elements at the document level.
-	*/
-	const TiXmlElement* RootElement() const		{ return FirstChildElement(); }
-	TiXmlElement* RootElement()					{ return FirstChildElement(); }
-
-	/** If an error occurs, Error will be set to true. Also,
-		- The ErrorId() will contain the integer identifier of the error (not generally useful)
-		- The ErrorDesc() method will return the name of the error. (very useful)
-		- The ErrorRow() and ErrorCol() will return the location of the error (if known)
-	*/	
-	bool Error() const						{ return error; }
-
-	/// Contains a textual (english) description of the error if one occurs.
-	const char * ErrorDesc() const	{ return errorDesc.c_str (); }
-
-	/** Generally, you probably want the error string ( ErrorDesc() ). But if you
-		prefer the ErrorId, this function will fetch it.
-	*/
-	int ErrorId()	const				{ return errorId; }
-
-	/** Returns the location (if known) of the error. The first column is column 1, 
-		and the first row is row 1. A value of 0 means the row and column wasn't applicable
-		(memory errors, for example, have no row/column) or the parser lost the error. (An
-		error in the error reporting, in that case.)
-
-		@sa SetTabSize, Row, Column
-	*/
-	int ErrorRow() const	{ return errorLocation.row+1; }
-	int ErrorCol() const	{ return errorLocation.col+1; }	///< The column where the error occured. See ErrorRow()
-
-	/** SetTabSize() allows the error reporting functions (ErrorRow() and ErrorCol())
-		to report the correct values for row and column. It does not change the output
-		or input in any way.
-		
-		By calling this method, with a tab size
-		greater than 0, the row and column of each node and attribute is stored
-		when the file is loaded. Very useful for tracking the DOM back in to
-		the source file.
-
-		The tab size is required for calculating the location of nodes. If not
-		set, the default of 4 is used. The tabsize is set per document. Setting
-		the tabsize to 0 disables row/column tracking.
-
-		Note that row and column tracking is not supported when using operator>>.
-
-		The tab size needs to be enabled before the parse or load. Correct usage:
-		@verbatim
-		TiXmlDocument doc;
-		doc.SetTabSize( 8 );
-		doc.Load( "myfile.xml" );
-		@endverbatim
-
-		@sa Row, Column
-	*/
-	void SetTabSize( int _tabsize )		{ tabsize = _tabsize; }
-
-	int TabSize() const	{ return tabsize; }
-
-	/** If you have handled the error, it can be reset with this call. The error
-		state is automatically cleared if you Parse a new XML block.
-	*/
-	void ClearError()						{	error = false; 
-												errorId = 0; 
-												errorDesc = ""; 
-												errorLocation.row = errorLocation.col = 0; 
-												//errorLocation.last = 0; 
-											}
-
-	/** Write the document to standard out using formatted printing ("pretty print"). */
-	void Print() const						{ Print( stdout, 0 ); }
-
-	/* Write the document to a string using formatted printing ("pretty print"). This
-		will allocate a character array (new char[]) and return it as a pointer. The
-		calling code pust call delete[] on the return char* to avoid a memory leak.
-	*/
-	//char* PrintToMemory() const; 
-
-	/// Print this Document to a FILE stream.
-	virtual void Print( FILE* cfile, int depth = 0 ) const;
-	// [internal use]
-	void SetError( int err, const char* errorLocation, TiXmlParsingData* prevData, TiXmlEncoding encoding );
-
-	virtual const TiXmlDocument*    ToDocument()    const { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-	virtual TiXmlDocument*          ToDocument()          { return this; } ///< Cast to a more defined type. Will return null not of the requested type.
-
-	/** Walk the XML tree visiting this node and all of its children. 
-	*/
-	virtual bool Accept( TiXmlVisitor* content ) const;
-
-protected :
-	// [internal use]
-	virtual TiXmlNode* Clone() const;
-	#ifdef TIXML_USE_STL
-	virtual void StreamIn( std::istream * in, TIXML_STRING * tag );
-	#endif
-
-private:
-	void CopyTo( TiXmlDocument* target ) const;
-
-	bool error;
-	int  errorId;
-	TIXML_STRING errorDesc;
-	int tabsize;
-	TiXmlCursor errorLocation;
-	bool useMicrosoftBOM;		// the UTF-8 BOM were found when read. Note this, and try to write.
-};
-
-
-/**
-	A TiXmlHandle is a class that wraps a node pointer with null checks; this is
-	an incredibly useful thing. Note that TiXmlHandle is not part of the TinyXml
-	DOM structure. It is a separate utility class.
-
-	Take an example:
-	@verbatim
-	<Document>
-		<Element attributeA = "valueA">
-			<Child attributeB = "value1" />
-			<Child attributeB = "value2" />
-		</Element>
-	<Document>
-	@endverbatim
-
-	Assuming you want the value of "attributeB" in the 2nd "Child" element, it's very 
-	easy to write a *lot* of code that looks like:
-
-	@verbatim
-	TiXmlElement* root = document.FirstChildElement( "Document" );
-	if ( root )
-	{
-		TiXmlElement* element = root->FirstChildElement( "Element" );
-		if ( element )
-		{
-			TiXmlElement* child = element->FirstChildElement( "Child" );
-			if ( child )
-			{
-				TiXmlElement* child2 = child->NextSiblingElement( "Child" );
-				if ( child2 )
-				{
-					// Finally do something useful.
-	@endverbatim
-
-	And that doesn't even cover "else" cases. TiXmlHandle addresses the verbosity
-	of such code. A TiXmlHandle checks for null	pointers so it is perfectly safe 
-	and correct to use:
-
-	@verbatim
-	TiXmlHandle docHandle( &document );
-	TiXmlElement* child2 = docHandle.FirstChild( "Document" ).FirstChild( "Element" ).Child( "Child", 1 ).ToElement();
-	if ( child2 )
-	{
-		// do something useful
-	@endverbatim
-
-	Which is MUCH more concise and useful.
-
-	It is also safe to copy handles - internally they are nothing more than node pointers.
-	@verbatim
-	TiXmlHandle handleCopy = handle;
-	@endverbatim
-
-	What they should not be used for is iteration:
-
-	@verbatim
-	int i=0; 
-	while ( true )
-	{
-		TiXmlElement* child = docHandle.FirstChild( "Document" ).FirstChild( "Element" ).Child( "Child", i ).ToElement();
-		if ( !child )
-			break;
-		// do something
-		++i;
-	}
-	@endverbatim
-
-	It seems reasonable, but it is in fact two embedded while loops. The Child method is 
-	a linear walk to find the element, so this code would iterate much more than it needs 
-	to. Instead, prefer:
-
-	@verbatim
-	TiXmlElement* child = docHandle.FirstChild( "Document" ).FirstChild( "Element" ).FirstChild( "Child" ).ToElement();
-
-	for( child; child; child=child->NextSiblingElement() )
-	{
-		// do something
-	}
-	@endverbatim
-*/
-class TiXmlHandle
-{
-public:
-	/// Create a handle from any node (at any depth of the tree.) This can be a null pointer.
-	TiXmlHandle( TiXmlNode* _node )					{ this->node = _node; }
-	/// Copy constructor
-	TiXmlHandle( const TiXmlHandle& ref )			{ this->node = ref.node; }
-	TiXmlHandle operator=( const TiXmlHandle& ref ) { if ( &ref != this ) this->node = ref.node; return *this; }
-
-	/// Return a handle to the first child node.
-	TiXmlHandle FirstChild() const;
-	/// Return a handle to the first child node with the given name.
-	TiXmlHandle FirstChild( const char * value ) const;
-	/// Return a handle to the first child element.
-	TiXmlHandle FirstChildElement() const;
-	/// Return a handle to the first child element with the given name.
-	TiXmlHandle FirstChildElement( const char * value ) const;
-
-	/** Return a handle to the "index" child with the given name. 
-		The first child is 0, the second 1, etc.
-	*/
-	TiXmlHandle Child( const char* value, int index ) const;
-	/** Return a handle to the "index" child. 
-		The first child is 0, the second 1, etc.
-	*/
-	TiXmlHandle Child( int index ) const;
-	/** Return a handle to the "index" child element with the given name. 
-		The first child element is 0, the second 1, etc. Note that only TiXmlElements
-		are indexed: other types are not counted.
-	*/
-	TiXmlHandle ChildElement( const char* value, int index ) const;
-	/** Return a handle to the "index" child element. 
-		The first child element is 0, the second 1, etc. Note that only TiXmlElements
-		are indexed: other types are not counted.
-	*/
-	TiXmlHandle ChildElement( int index ) const;
-
-	#ifdef TIXML_USE_STL
-	TiXmlHandle FirstChild( const std::string& _value ) const				{ return FirstChild( _value.c_str() ); }
-	TiXmlHandle FirstChildElement( const std::string& _value ) const		{ return FirstChildElement( _value.c_str() ); }
-
-	TiXmlHandle Child( const std::string& _value, int index ) const			{ return Child( _value.c_str(), index ); }
-	TiXmlHandle ChildElement( const std::string& _value, int index ) const	{ return ChildElement( _value.c_str(), index ); }
-	#endif
-
-	/** Return the handle as a TiXmlNode. This may return null.
-	*/
-	TiXmlNode* ToNode() const			{ return node; } 
-	/** Return the handle as a TiXmlElement. This may return null.
-	*/
-	TiXmlElement* ToElement() const		{ return ( ( node && node->ToElement() ) ? node->ToElement() : 0 ); }
-	/**	Return the handle as a TiXmlText. This may return null.
-	*/
-	TiXmlText* ToText() const			{ return ( ( node && node->ToText() ) ? node->ToText() : 0 ); }
-	/** Return the handle as a TiXmlUnknown. This may return null.
-	*/
-	TiXmlUnknown* ToUnknown() const		{ return ( ( node && node->ToUnknown() ) ? node->ToUnknown() : 0 ); }
-
-	/** @deprecated use ToNode. 
-		Return the handle as a TiXmlNode. This may return null.
-	*/
-	TiXmlNode* Node() const			{ return ToNode(); } 
-	/** @deprecated use ToElement. 
-		Return the handle as a TiXmlElement. This may return null.
-	*/
-	TiXmlElement* Element() const	{ return ToElement(); }
-	/**	@deprecated use ToText()
-		Return the handle as a TiXmlText. This may return null.
-	*/
-	TiXmlText* Text() const			{ return ToText(); }
-	/** @deprecated use ToUnknown()
-		Return the handle as a TiXmlUnknown. This may return null.
-	*/
-	TiXmlUnknown* Unknown() const	{ return ToUnknown(); }
-
-private:
-	TiXmlNode* node;
-};
-
-
-/** Print to memory functionality. The TiXmlPrinter is useful when you need to:
-
-	-# Print to memory (especially in non-STL mode)
-	-# Control formatting (line endings, etc.)
-
-	When constructed, the TiXmlPrinter is in its default "pretty printing" mode.
-	Before calling Accept() you can call methods to control the printing
-	of the XML document. After TiXmlNode::Accept() is called, the printed document can
-	be accessed via the CStr(), Str(), and Size() methods.
-
-	TiXmlPrinter uses the Visitor API.
-	@verbatim
-	TiXmlPrinter printer;
-	printer.SetIndent( "\t" );
-
-	doc.Accept( &printer );
-	fprintf( stdout, "%s", printer.CStr() );
-	@endverbatim
-*/
-class TiXmlPrinter : public TiXmlVisitor
-{
-public:
-	TiXmlPrinter() : depth( 0 ), simpleTextPrint( false ),
-					 buffer(), indent( "    " ), lineBreak( "\n" ) {}
-
-	virtual bool VisitEnter( const TiXmlDocument& doc );
-	virtual bool VisitExit( const TiXmlDocument& doc );
-
-	virtual bool VisitEnter( const TiXmlElement& element, const TiXmlAttribute* firstAttribute );
-	virtual bool VisitExit( const TiXmlElement& element );
-
-	virtual bool Visit( const TiXmlDeclaration& declaration );
-	virtual bool Visit( const TiXmlText& text );
-	virtual bool Visit( const TiXmlComment& comment );
-	virtual bool Visit( const TiXmlUnknown& unknown );
-
-	/** Set the indent characters for printing. By default 4 spaces
-		but tab (\t) is also useful, or null/empty string for no indentation.
-	*/
-	void SetIndent( const char* _indent )			{ indent = _indent ? _indent : "" ; }
-	/// Query the indention string.
-	const char* Indent()							{ return indent.c_str(); }
-	/** Set the line breaking string. By default set to newline (\n). 
-		Some operating systems prefer other characters, or can be
-		set to the null/empty string for no indenation.
-	*/
-	void SetLineBreak( const char* _lineBreak )		{ lineBreak = _lineBreak ? _lineBreak : ""; }
-	/// Query the current line breaking string.
-	const char* LineBreak()							{ return lineBreak.c_str(); }
-
-	/** Switch over to "stream printing" which is the most dense formatting without 
-		linebreaks. Common when the XML is needed for network transmission.
-	*/
-	void SetStreamPrinting()						{ indent = "";
-													  lineBreak = "";
-													}	
-	/// Return the result.
-	const char* CStr()								{ return buffer.c_str(); }
-	/// Return the length of the result string.
-	size_t Size()									{ return buffer.size(); }
-
-	#ifdef TIXML_USE_STL
-	/// Return the result.
-	const std::string& Str()						{ return buffer; }
-	#endif
-
-private:
-	void DoIndent()	{
-		for( int i=0; i<depth; ++i )
-			buffer += indent;
-	}
-	void DoLineBreak() {
-		buffer += lineBreak;
-	}
-
-	int depth;
-	bool simpleTextPrint;
-	TIXML_STRING buffer;
-	TIXML_STRING indent;
-	TIXML_STRING lineBreak;
-};
-
-
-#ifdef _MSC_VER
-#pragma warning( pop )
-#endif
-
-#endif
diff --git a/ctrtool/tinyxml/tinyxmlerror.cpp b/ctrtool/tinyxml/tinyxmlerror.cpp
deleted file mode 100644
index a4c6989c..00000000
--- a/ctrtool/tinyxml/tinyxmlerror.cpp
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
-www.sourceforge.net/projects/tinyxml
-Original code (2.0 and earlier )copyright (c) 2000-2006 Lee Thomason (www.grinninglizard.com)
-
-This software is provided 'as-is', without any express or implied 
-warranty. In no event will the authors be held liable for any 
-damages arising from the use of this software.
-
-Permission is granted to anyone to use this software for any 
-purpose, including commercial applications, and to alter it and 
-redistribute it freely, subject to the following restrictions:
-
-1. The origin of this software must not be misrepresented; you must
-not claim that you wrote the original software. If you use this
-software in a product, an acknowledgment in the product documentation
-would be appreciated but is not required.
-
-2. Altered source versions must be plainly marked as such, and
-must not be misrepresented as being the original software.
-
-3. This notice may not be removed or altered from any source
-distribution.
-*/
-
-#include "tinyxml/tinyxml.h"
-
-// The goal of the seperate error file is to make the first
-// step towards localization. tinyxml (currently) only supports
-// english error messages, but the could now be translated.
-//
-// It also cleans up the code a bit.
-//
-
-const char* TiXmlBase::errorString[ TiXmlBase::TIXML_ERROR_STRING_COUNT ] =
-{
-	"No error",
-	"Error",
-	"Failed to open file",
-	"Error parsing Element.",
-	"Failed to read Element name",
-	"Error reading Element value.",
-	"Error reading Attributes.",
-	"Error: empty tag.",
-	"Error reading end tag.",
-	"Error parsing Unknown.",
-	"Error parsing Comment.",
-	"Error parsing Declaration.",
-	"Error document empty.",
-	"Error null (0) or unexpected EOF found in input stream.",
-	"Error parsing CDATA.",
-	"Error when TiXmlDocument added to document, because TiXmlDocument can only be at the root.",
-};
diff --git a/ctrtool/tinyxml/tinyxmlparser.cpp b/ctrtool/tinyxml/tinyxmlparser.cpp
deleted file mode 100644
index 64ea5597..00000000
--- a/ctrtool/tinyxml/tinyxmlparser.cpp
+++ /dev/null
@@ -1,1638 +0,0 @@
-/*
-www.sourceforge.net/projects/tinyxml
-Original code by Lee Thomason (www.grinninglizard.com)
-
-This software is provided 'as-is', without any express or implied 
-warranty. In no event will the authors be held liable for any 
-damages arising from the use of this software.
-
-Permission is granted to anyone to use this software for any 
-purpose, including commercial applications, and to alter it and 
-redistribute it freely, subject to the following restrictions:
-
-1. The origin of this software must not be misrepresented; you must 
-not claim that you wrote the original software. If you use this
-software in a product, an acknowledgment in the product documentation
-would be appreciated but is not required.
-
-2. Altered source versions must be plainly marked as such, and 
-must not be misrepresented as being the original software.
-
-3. This notice may not be removed or altered from any source 
-distribution.
-*/
-
-#include <ctype.h>
-#include <stddef.h>
-
-#include "tinyxml/tinyxml.h"
-
-//#define DEBUG_PARSER
-#if defined( DEBUG_PARSER )
-#	if defined( DEBUG ) && defined( _MSC_VER )
-#		include <windows.h>
-#		define TIXML_LOG OutputDebugString
-#	else
-#		define TIXML_LOG printf
-#	endif
-#endif
-
-// Note tha "PutString" hardcodes the same list. This
-// is less flexible than it appears. Changing the entries
-// or order will break putstring.	
-TiXmlBase::Entity TiXmlBase::entity[ TiXmlBase::NUM_ENTITY ] = 
-{
-	{ "&amp;",  5, '&' },
-	{ "&lt;",   4, '<' },
-	{ "&gt;",   4, '>' },
-	{ "&quot;", 6, '\"' },
-	{ "&apos;", 6, '\'' }
-};
-
-// Bunch of unicode info at:
-//		http://www.unicode.org/faq/utf_bom.html
-// Including the basic of this table, which determines the #bytes in the
-// sequence from the lead byte. 1 placed for invalid sequences --
-// although the result will be junk, pass it through as much as possible.
-// Beware of the non-characters in UTF-8:	
-//				ef bb bf (Microsoft "lead bytes")
-//				ef bf be
-//				ef bf bf 
-
-const unsigned char TIXML_UTF_LEAD_0 = 0xefU;
-const unsigned char TIXML_UTF_LEAD_1 = 0xbbU;
-const unsigned char TIXML_UTF_LEAD_2 = 0xbfU;
-
-const int TiXmlBase::utf8ByteTable[256] = 
-{
-	//	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x00
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x10
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x20
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x30
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x40
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x50
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x60
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x70	End of ASCII range
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x80 0x80 to 0xc1 invalid
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0x90 
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0xa0 
-		1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	// 0xb0 
-		1,	1,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	// 0xc0 0xc2 to 0xdf 2 byte
-		2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	2,	// 0xd0
-		3,	3,	3,	3,	3,	3,	3,	3,	3,	3,	3,	3,	3,	3,	3,	3,	// 0xe0 0xe0 to 0xef 3 byte
-		4,	4,	4,	4,	4,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1,	1	// 0xf0 0xf0 to 0xf4 4 byte, 0xf5 and higher invalid
-};
-
-
-void TiXmlBase::ConvertUTF32ToUTF8( unsigned long input, char* output, int* length )
-{
-	const unsigned long BYTE_MASK = 0xBF;
-	const unsigned long BYTE_MARK = 0x80;
-	const unsigned long FIRST_BYTE_MARK[7] = { 0x00, 0x00, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC };
-
-	if (input < 0x80) 
-		*length = 1;
-	else if ( input < 0x800 )
-		*length = 2;
-	else if ( input < 0x10000 )
-		*length = 3;
-	else if ( input < 0x200000 )
-		*length = 4;
-	else
-		{ *length = 0; return; }	// This code won't covert this correctly anyway.
-
-	output += *length;
-
-	// Scary scary fall throughs.
-	switch (*length) 
-	{
-		case 4:
-			--output; 
-			*output = (char)((input | BYTE_MARK) & BYTE_MASK); 
-			input >>= 6;
-		case 3:
-			--output; 
-			*output = (char)((input | BYTE_MARK) & BYTE_MASK); 
-			input >>= 6;
-		case 2:
-			--output; 
-			*output = (char)((input | BYTE_MARK) & BYTE_MASK); 
-			input >>= 6;
-		case 1:
-			--output; 
-			*output = (char)(input | FIRST_BYTE_MARK[*length]);
-	}
-}
-
-
-/*static*/ int TiXmlBase::IsAlpha( unsigned char anyByte, TiXmlEncoding /*encoding*/ )
-{
-	// This will only work for low-ascii, everything else is assumed to be a valid
-	// letter. I'm not sure this is the best approach, but it is quite tricky trying
-	// to figure out alhabetical vs. not across encoding. So take a very 
-	// conservative approach.
-
-//	if ( encoding == TIXML_ENCODING_UTF8 )
-//	{
-		if ( anyByte < 127 )
-			return isalpha( anyByte );
-		else
-			return 1;	// What else to do? The unicode set is huge...get the english ones right.
-//	}
-//	else
-//	{
-//		return isalpha( anyByte );
-//	}
-}
-
-
-/*static*/ int TiXmlBase::IsAlphaNum( unsigned char anyByte, TiXmlEncoding /*encoding*/ )
-{
-	// This will only work for low-ascii, everything else is assumed to be a valid
-	// letter. I'm not sure this is the best approach, but it is quite tricky trying
-	// to figure out alhabetical vs. not across encoding. So take a very 
-	// conservative approach.
-
-//	if ( encoding == TIXML_ENCODING_UTF8 )
-//	{
-		if ( anyByte < 127 )
-			return isalnum( anyByte );
-		else
-			return 1;	// What else to do? The unicode set is huge...get the english ones right.
-//	}
-//	else
-//	{
-//		return isalnum( anyByte );
-//	}
-}
-
-
-class TiXmlParsingData
-{
-	friend class TiXmlDocument;
-  public:
-	void Stamp( const char* now, TiXmlEncoding encoding );
-
-	const TiXmlCursor& Cursor() const	{ return cursor; }
-
-  private:
-	// Only used by the document!
-	TiXmlParsingData( const char* start, int _tabsize, int row, int col )
-	{
-		assert( start );
-		stamp = start;
-		tabsize = _tabsize;
-		cursor.row = row;
-		cursor.col = col;
-	}
-
-	TiXmlCursor		cursor;
-	const char*		stamp;
-	int				tabsize;
-};
-
-
-void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
-{
-	assert( now );
-
-	// Do nothing if the tabsize is 0.
-	if ( tabsize < 1 )
-	{
-		return;
-	}
-
-	// Get the current row, column.
-	int row = cursor.row;
-	int col = cursor.col;
-	const char* p = stamp;
-	assert( p );
-
-	while ( p < now )
-	{
-		// Treat p as unsigned, so we have a happy compiler.
-		const unsigned char* pU = (const unsigned char*)p;
-
-		// Code contributed by Fletcher Dunn: (modified by lee)
-		switch (*pU) {
-			case 0:
-				// We *should* never get here, but in case we do, don't
-				// advance past the terminating null character, ever
-				return;
-
-			case '\r':
-				// bump down to the next line
-				++row;
-				col = 0;				
-				// Eat the character
-				++p;
-
-				// Check for \r\n sequence, and treat this as a single character
-				if (*p == '\n') {
-					++p;
-				}
-				break;
-
-			case '\n':
-				// bump down to the next line
-				++row;
-				col = 0;
-
-				// Eat the character
-				++p;
-
-				// Check for \n\r sequence, and treat this as a single
-				// character.  (Yes, this bizarre thing does occur still
-				// on some arcane platforms...)
-				if (*p == '\r') {
-					++p;
-				}
-				break;
-
-			case '\t':
-				// Eat the character
-				++p;
-
-				// Skip to next tab stop
-				col = (col / tabsize + 1) * tabsize;
-				break;
-
-			case TIXML_UTF_LEAD_0:
-				if ( encoding == TIXML_ENCODING_UTF8 )
-				{
-					if ( *(p+1) && *(p+2) )
-					{
-						// In these cases, don't advance the column. These are
-						// 0-width spaces.
-						if ( *(pU+1)==TIXML_UTF_LEAD_1 && *(pU+2)==TIXML_UTF_LEAD_2 )
-							p += 3;	
-						else if ( *(pU+1)==0xbfU && *(pU+2)==0xbeU )
-							p += 3;	
-						else if ( *(pU+1)==0xbfU && *(pU+2)==0xbfU )
-							p += 3;	
-						else
-							{ p +=3; ++col; }	// A normal character.
-					}
-				}
-				else
-				{
-					++p;
-					++col;
-				}
-				break;
-
-			default:
-				if ( encoding == TIXML_ENCODING_UTF8 )
-				{
-					// Eat the 1 to 4 byte utf8 character.
-					int step = TiXmlBase::utf8ByteTable[*((const unsigned char*)p)];
-					if ( step == 0 )
-						step = 1;		// Error case from bad encoding, but handle gracefully.
-					p += step;
-
-					// Just advance one column, of course.
-					++col;
-				}
-				else
-				{
-					++p;
-					++col;
-				}
-				break;
-		}
-	}
-	cursor.row = row;
-	cursor.col = col;
-	assert( cursor.row >= -1 );
-	assert( cursor.col >= -1 );
-	stamp = p;
-	assert( stamp );
-}
-
-
-const char* TiXmlBase::SkipWhiteSpace( const char* p, TiXmlEncoding encoding )
-{
-	if ( !p || !*p )
-	{
-		return 0;
-	}
-	if ( encoding == TIXML_ENCODING_UTF8 )
-	{
-		while ( *p )
-		{
-			const unsigned char* pU = (const unsigned char*)p;
-			
-			// Skip the stupid Microsoft UTF-8 Byte order marks
-			if (	*(pU+0)==TIXML_UTF_LEAD_0
-				 && *(pU+1)==TIXML_UTF_LEAD_1 
-				 && *(pU+2)==TIXML_UTF_LEAD_2 )
-			{
-				p += 3;
-				continue;
-			}
-			else if(*(pU+0)==TIXML_UTF_LEAD_0
-				 && *(pU+1)==0xbfU
-				 && *(pU+2)==0xbeU )
-			{
-				p += 3;
-				continue;
-			}
-			else if(*(pU+0)==TIXML_UTF_LEAD_0
-				 && *(pU+1)==0xbfU
-				 && *(pU+2)==0xbfU )
-			{
-				p += 3;
-				continue;
-			}
-
-			if ( IsWhiteSpace( *p ) )		// Still using old rules for white space.
-				++p;
-			else
-				break;
-		}
-	}
-	else
-	{
-		while ( *p && IsWhiteSpace( *p ) )
-			++p;
-	}
-
-	return p;
-}
-
-#ifdef TIXML_USE_STL
-/*static*/ bool TiXmlBase::StreamWhiteSpace( std::istream * in, TIXML_STRING * tag )
-{
-	for( ;; )
-	{
-		if ( !in->good() ) return false;
-
-		int c = in->peek();
-		// At this scope, we can't get to a document. So fail silently.
-		if ( !IsWhiteSpace( c ) || c <= 0 )
-			return true;
-
-		*tag += (char) in->get();
-	}
-}
-
-/*static*/ bool TiXmlBase::StreamTo( std::istream * in, int character, TIXML_STRING * tag )
-{
-	//assert( character > 0 && character < 128 );	// else it won't work in utf-8
-	while ( in->good() )
-	{
-		int c = in->peek();
-		if ( c == character )
-			return true;
-		if ( c <= 0 )		// Silent failure: can't get document at this scope
-			return false;
-
-		in->get();
-		*tag += (char) c;
-	}
-	return false;
-}
-#endif
-
-// One of TinyXML's more performance demanding functions. Try to keep the memory overhead down. The
-// "assign" optimization removes over 10% of the execution time.
-//
-const char* TiXmlBase::ReadName( const char* p, TIXML_STRING * name, TiXmlEncoding encoding )
-{
-	// Oddly, not supported on some comilers,
-	//name->clear();
-	// So use this:
-	*name = "";
-	assert( p );
-
-	// Names start with letters or underscores.
-	// Of course, in unicode, tinyxml has no idea what a letter *is*. The
-	// algorithm is generous.
-	//
-	// After that, they can be letters, underscores, numbers,
-	// hyphens, or colons. (Colons are valid ony for namespaces,
-	// but tinyxml can't tell namespaces from names.)
-	if (    p && *p 
-		 && ( IsAlpha( (unsigned char) *p, encoding ) || *p == '_' ) )
-	{
-		const char* start = p;
-		while(		p && *p
-				&&	(		IsAlphaNum( (unsigned char ) *p, encoding ) 
-						 || *p == '_'
-						 || *p == '-'
-						 || *p == '.'
-						 || *p == ':' ) )
-		{
-			//(*name) += *p; // expensive
-			++p;
-		}
-		if ( p-start > 0 ) {
-			name->assign( start, p-start );
-		}
-		return p;
-	}
-	return 0;
-}
-
-const char* TiXmlBase::GetEntity( const char* p, char* value, int* length, TiXmlEncoding encoding )
-{
-	// Presume an entity, and pull it out.
-    TIXML_STRING ent;
-	int i;
-	*length = 0;
-
-	if ( *(p+1) && *(p+1) == '#' && *(p+2) )
-	{
-		unsigned long ucs = 0;
-		ptrdiff_t delta = 0;
-		unsigned mult = 1;
-
-		if ( *(p+2) == 'x' )
-		{
-			// Hexadecimal.
-			if ( !*(p+3) ) return 0;
-
-			const char* q = p+3;
-			q = strchr( q, ';' );
-
-			if ( !q || !*q ) return 0;
-
-			delta = q-p;
-			--q;
-
-			while ( *q != 'x' )
-			{
-				if ( *q >= '0' && *q <= '9' )
-					ucs += mult * (*q - '0');
-				else if ( *q >= 'a' && *q <= 'f' )
-					ucs += mult * (*q - 'a' + 10);
-				else if ( *q >= 'A' && *q <= 'F' )
-					ucs += mult * (*q - 'A' + 10 );
-				else 
-					return 0;
-				mult *= 16;
-				--q;
-			}
-		}
-		else
-		{
-			// Decimal.
-			if ( !*(p+2) ) return 0;
-
-			const char* q = p+2;
-			q = strchr( q, ';' );
-
-			if ( !q || !*q ) return 0;
-
-			delta = q-p;
-			--q;
-
-			while ( *q != '#' )
-			{
-				if ( *q >= '0' && *q <= '9' )
-					ucs += mult * (*q - '0');
-				else 
-					return 0;
-				mult *= 10;
-				--q;
-			}
-		}
-		if ( encoding == TIXML_ENCODING_UTF8 )
-		{
-			// convert the UCS to UTF-8
-			ConvertUTF32ToUTF8( ucs, value, length );
-		}
-		else
-		{
-			*value = (char)ucs;
-			*length = 1;
-		}
-		return p + delta + 1;
-	}
-
-	// Now try to match it.
-	for( i=0; i<NUM_ENTITY; ++i )
-	{
-		if ( strncmp( entity[i].str, p, entity[i].strLength ) == 0 )
-		{
-			assert( strlen( entity[i].str ) == entity[i].strLength );
-			*value = entity[i].chr;
-			*length = 1;
-			return ( p + entity[i].strLength );
-		}
-	}
-
-	// So it wasn't an entity, its unrecognized, or something like that.
-	*value = *p;	// Don't put back the last one, since we return it!
-	//*length = 1;	// Leave unrecognized entities - this doesn't really work.
-					// Just writes strange XML.
-	return p+1;
-}
-
-
-bool TiXmlBase::StringEqual( const char* p,
-							 const char* tag,
-							 bool ignoreCase,
-							 TiXmlEncoding encoding )
-{
-	assert( p );
-	assert( tag );
-	if ( !p || !*p )
-	{
-		assert( 0 );
-		return false;
-	}
-
-	const char* q = p;
-
-	if ( ignoreCase )
-	{
-		while ( *q && *tag && ToLower( *q, encoding ) == ToLower( *tag, encoding ) )
-		{
-			++q;
-			++tag;
-		}
-
-		if ( *tag == 0 )
-			return true;
-	}
-	else
-	{
-		while ( *q && *tag && *q == *tag )
-		{
-			++q;
-			++tag;
-		}
-
-		if ( *tag == 0 )		// Have we found the end of the tag, and everything equal?
-			return true;
-	}
-	return false;
-}
-
-const char* TiXmlBase::ReadText(	const char* p, 
-									TIXML_STRING * text, 
-									bool trimWhiteSpace, 
-									const char* endTag, 
-									bool caseInsensitive,
-									TiXmlEncoding encoding )
-{
-    *text = "";
-	if (    !trimWhiteSpace			// certain tags always keep whitespace
-		 || !condenseWhiteSpace )	// if true, whitespace is always kept
-	{
-		// Keep all the white space.
-		while (	   p && *p
-				&& !StringEqual( p, endTag, caseInsensitive, encoding )
-			  )
-		{
-			int len;
-			char cArr[4] = { 0, 0, 0, 0 };
-			p = GetChar( p, cArr, &len, encoding );
-			text->append( cArr, len );
-		}
-	}
-	else
-	{
-		bool whitespace = false;
-
-		// Remove leading white space:
-		p = SkipWhiteSpace( p, encoding );
-		while (	   p && *p
-				&& !StringEqual( p, endTag, caseInsensitive, encoding ) )
-		{
-			if ( *p == '\r' || *p == '\n' )
-			{
-				whitespace = true;
-				++p;
-			}
-			else if ( IsWhiteSpace( *p ) )
-			{
-				whitespace = true;
-				++p;
-			}
-			else
-			{
-				// If we've found whitespace, add it before the
-				// new character. Any whitespace just becomes a space.
-				if ( whitespace )
-				{
-					(*text) += ' ';
-					whitespace = false;
-				}
-				int len;
-				char cArr[4] = { 0, 0, 0, 0 };
-				p = GetChar( p, cArr, &len, encoding );
-				if ( len == 1 )
-					(*text) += cArr[0];	// more efficient
-				else
-					text->append( cArr, len );
-			}
-		}
-	}
-	if ( p && *p )
-		p += strlen( endTag );
-	return ( p && *p ) ? p : 0;
-}
-
-#ifdef TIXML_USE_STL
-
-void TiXmlDocument::StreamIn( std::istream * in, TIXML_STRING * tag )
-{
-	// The basic issue with a document is that we don't know what we're
-	// streaming. Read something presumed to be a tag (and hope), then
-	// identify it, and call the appropriate stream method on the tag.
-	//
-	// This "pre-streaming" will never read the closing ">" so the
-	// sub-tag can orient itself.
-
-	if ( !StreamTo( in, '<', tag ) ) 
-	{
-		SetError( TIXML_ERROR_PARSING_EMPTY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return;
-	}
-
-	while ( in->good() )
-	{
-		int tagIndex = (int) tag->length();
-		while ( in->good() && in->peek() != '>' )
-		{
-			int c = in->get();
-			if ( c <= 0 )
-			{
-				SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-				break;
-			}
-			(*tag) += (char) c;
-		}
-
-		if ( in->good() )
-		{
-			// We now have something we presume to be a node of 
-			// some sort. Identify it, and call the node to
-			// continue streaming.
-			TiXmlNode* node = Identify( tag->c_str() + tagIndex, TIXML_DEFAULT_ENCODING );
-
-			if ( node )
-			{
-				node->StreamIn( in, tag );
-				bool isElement = node->ToElement() != 0;
-				delete node;
-				node = 0;
-
-				// If this is the root element, we're done. Parsing will be
-				// done by the >> operator.
-				if ( isElement )
-				{
-					return;
-				}
-			}
-			else
-			{
-				SetError( TIXML_ERROR, 0, 0, TIXML_ENCODING_UNKNOWN );
-				return;
-			}
-		}
-	}
-	// We should have returned sooner.
-	SetError( TIXML_ERROR, 0, 0, TIXML_ENCODING_UNKNOWN );
-}
-
-#endif
-
-const char* TiXmlDocument::Parse( const char* p, TiXmlParsingData* prevData, TiXmlEncoding encoding )
-{
-	ClearError();
-
-	// Parse away, at the document level. Since a document
-	// contains nothing but other tags, most of what happens
-	// here is skipping white space.
-	if ( !p || !*p )
-	{
-		SetError( TIXML_ERROR_DOCUMENT_EMPTY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return 0;
-	}
-
-	// Note that, for a document, this needs to come
-	// before the while space skip, so that parsing
-	// starts from the pointer we are given.
-	location.Clear();
-	if ( prevData )
-	{
-		location.row = prevData->cursor.row;
-		location.col = prevData->cursor.col;
-	}
-	else
-	{
-		location.row = 0;
-		location.col = 0;
-	}
-	TiXmlParsingData data( p, TabSize(), location.row, location.col );
-	location = data.Cursor();
-
-	if ( encoding == TIXML_ENCODING_UNKNOWN )
-	{
-		// Check for the Microsoft UTF-8 lead bytes.
-		const unsigned char* pU = (const unsigned char*)p;
-		if (	*(pU+0) && *(pU+0) == TIXML_UTF_LEAD_0
-			 && *(pU+1) && *(pU+1) == TIXML_UTF_LEAD_1
-			 && *(pU+2) && *(pU+2) == TIXML_UTF_LEAD_2 )
-		{
-			encoding = TIXML_ENCODING_UTF8;
-			useMicrosoftBOM = true;
-		}
-	}
-
-    p = SkipWhiteSpace( p, encoding );
-	if ( !p )
-	{
-		SetError( TIXML_ERROR_DOCUMENT_EMPTY, 0, 0, TIXML_ENCODING_UNKNOWN );
-		return 0;
-	}
-
-	while ( p && *p )
-	{
-		TiXmlNode* node = Identify( p, encoding );
-		if ( node )
-		{
-			p = node->Parse( p, &data, encoding );
-			LinkEndChild( node );
-		}
-		else
-		{
-			break;
-		}
-
-		// Did we get encoding info?
-		if (    encoding == TIXML_ENCODING_UNKNOWN
-			 && node->ToDeclaration() )
-		{
-			TiXmlDeclaration* dec = node->ToDeclaration();
-			const char* enc = dec->Encoding();
-			assert( enc );
-
-			if ( *enc == 0 )
-				encoding = TIXML_ENCODING_UTF8;
-			else if ( StringEqual( enc, "UTF-8", true, TIXML_ENCODING_UNKNOWN ) )
-				encoding = TIXML_ENCODING_UTF8;
-			else if ( StringEqual( enc, "UTF8", true, TIXML_ENCODING_UNKNOWN ) )
-				encoding = TIXML_ENCODING_UTF8;	// incorrect, but be nice
-			else 
-				encoding = TIXML_ENCODING_LEGACY;
-		}
-
-		p = SkipWhiteSpace( p, encoding );
-	}
-
-	// Was this empty?
-	if ( !firstChild ) {
-		SetError( TIXML_ERROR_DOCUMENT_EMPTY, 0, 0, encoding );
-		return 0;
-	}
-
-	// All is well.
-	return p;
-}
-
-void TiXmlDocument::SetError( int err, const char* pError, TiXmlParsingData* data, TiXmlEncoding encoding )
-{	
-	// The first error in a chain is more accurate - don't set again!
-	if ( error )
-		return;
-
-	assert( err > 0 && err < TIXML_ERROR_STRING_COUNT );
-	error   = true;
-	errorId = err;
-	errorDesc = errorString[ errorId ];
-
-	errorLocation.Clear();
-	if ( pError && data )
-	{
-		data->Stamp( pError, encoding );
-		errorLocation = data->Cursor();
-	}
-}
-
-
-TiXmlNode* TiXmlNode::Identify( const char* p, TiXmlEncoding encoding )
-{
-	TiXmlNode* returnNode = 0;
-
-	p = SkipWhiteSpace( p, encoding );
-	if( !p || !*p || *p != '<' )
-	{
-		return 0;
-	}
-
-	p = SkipWhiteSpace( p, encoding );
-
-	if ( !p || !*p )
-	{
-		return 0;
-	}
-
-	// What is this thing? 
-	// - Elements start with a letter or underscore, but xml is reserved.
-	// - Comments: <!--
-	// - Decleration: <?xml
-	// - Everthing else is unknown to tinyxml.
-	//
-
-	const char* xmlHeader = { "<?xml" };
-	const char* commentHeader = { "<!--" };
-	const char* dtdHeader = { "<!" };
-	const char* cdataHeader = { "<![CDATA[" };
-
-	if ( StringEqual( p, xmlHeader, true, encoding ) )
-	{
-		#ifdef DEBUG_PARSER
-			TIXML_LOG( "XML parsing Declaration\n" );
-		#endif
-		returnNode = new TiXmlDeclaration();
-	}
-	else if ( StringEqual( p, commentHeader, false, encoding ) )
-	{
-		#ifdef DEBUG_PARSER
-			TIXML_LOG( "XML parsing Comment\n" );
-		#endif
-		returnNode = new TiXmlComment();
-	}
-	else if ( StringEqual( p, cdataHeader, false, encoding ) )
-	{
-		#ifdef DEBUG_PARSER
-			TIXML_LOG( "XML parsing CDATA\n" );
-		#endif
-		TiXmlText* text = new TiXmlText( "" );
-		text->SetCDATA( true );
-		returnNode = text;
-	}
-	else if ( StringEqual( p, dtdHeader, false, encoding ) )
-	{
-		#ifdef DEBUG_PARSER
-			TIXML_LOG( "XML parsing Unknown(1)\n" );
-		#endif
-		returnNode = new TiXmlUnknown();
-	}
-	else if (    IsAlpha( *(p+1), encoding )
-			  || *(p+1) == '_' )
-	{
-		#ifdef DEBUG_PARSER
-			TIXML_LOG( "XML parsing Element\n" );
-		#endif
-		returnNode = new TiXmlElement( "" );
-	}
-	else
-	{
-		#ifdef DEBUG_PARSER
-			TIXML_LOG( "XML parsing Unknown(2)\n" );
-		#endif
-		returnNode = new TiXmlUnknown();
-	}
-
-	if ( returnNode )
-	{
-		// Set the parent, so it can report errors
-		returnNode->parent = this;
-	}
-	return returnNode;
-}
-
-#ifdef TIXML_USE_STL
-
-void TiXmlElement::StreamIn (std::istream * in, TIXML_STRING * tag)
-{
-	// We're called with some amount of pre-parsing. That is, some of "this"
-	// element is in "tag". Go ahead and stream to the closing ">"
-	while( in->good() )
-	{
-		int c = in->get();
-		if ( c <= 0 )
-		{
-			TiXmlDocument* document = GetDocument();
-			if ( document )
-				document->SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-			return;
-		}
-		(*tag) += (char) c ;
-		
-		if ( c == '>' )
-			break;
-	}
-
-	if ( tag->length() < 3 ) return;
-
-	// Okay...if we are a "/>" tag, then we're done. We've read a complete tag.
-	// If not, identify and stream.
-
-	if (    tag->at( tag->length() - 1 ) == '>' 
-		 && tag->at( tag->length() - 2 ) == '/' )
-	{
-		// All good!
-		return;
-	}
-	else if ( tag->at( tag->length() - 1 ) == '>' )
-	{
-		// There is more. Could be:
-		//		text
-		//		cdata text (which looks like another node)
-		//		closing tag
-		//		another node.
-		for ( ;; )
-		{
-			StreamWhiteSpace( in, tag );
-
-			// Do we have text?
-			if ( in->good() && in->peek() != '<' ) 
-			{
-				// Yep, text.
-				TiXmlText text( "" );
-				text.StreamIn( in, tag );
-
-				// What follows text is a closing tag or another node.
-				// Go around again and figure it out.
-				continue;
-			}
-
-			// We now have either a closing tag...or another node.
-			// We should be at a "<", regardless.
-			if ( !in->good() ) return;
-			assert( in->peek() == '<' );
-			int tagIndex = (int) tag->length();
-
-			bool closingTag = false;
-			bool firstCharFound = false;
-
-			for( ;; )
-			{
-				if ( !in->good() )
-					return;
-
-				int c = in->peek();
-				if ( c <= 0 )
-				{
-					TiXmlDocument* document = GetDocument();
-					if ( document )
-						document->SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-					return;
-				}
-				
-				if ( c == '>' )
-					break;
-
-				*tag += (char) c;
-				in->get();
-
-				// Early out if we find the CDATA id.
-				if ( c == '[' && tag->size() >= 9 )
-				{
-					size_t len = tag->size();
-					const char* start = tag->c_str() + len - 9;
-					if ( strcmp( start, "<![CDATA[" ) == 0 ) {
-						assert( !closingTag );
-						break;
-					}
-				}
-
-				if ( !firstCharFound && c != '<' && !IsWhiteSpace( c ) )
-				{
-					firstCharFound = true;
-					if ( c == '/' )
-						closingTag = true;
-				}
-			}
-			// If it was a closing tag, then read in the closing '>' to clean up the input stream.
-			// If it was not, the streaming will be done by the tag.
-			if ( closingTag )
-			{
-				if ( !in->good() )
-					return;
-
-				int c = in->get();
-				if ( c <= 0 )
-				{
-					TiXmlDocument* document = GetDocument();
-					if ( document )
-						document->SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-					return;
-				}
-				assert( c == '>' );
-				*tag += (char) c;
-
-				// We are done, once we've found our closing tag.
-				return;
-			}
-			else
-			{
-				// If not a closing tag, id it, and stream.
-				const char* tagloc = tag->c_str() + tagIndex;
-				TiXmlNode* node = Identify( tagloc, TIXML_DEFAULT_ENCODING );
-				if ( !node )
-					return;
-				node->StreamIn( in, tag );
-				delete node;
-				node = 0;
-
-				// No return: go around from the beginning: text, closing tag, or node.
-			}
-		}
-	}
-}
-#endif
-
-const char* TiXmlElement::Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding )
-{
-	p = SkipWhiteSpace( p, encoding );
-	TiXmlDocument* document = GetDocument();
-
-	if ( !p || !*p )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_PARSING_ELEMENT, 0, 0, encoding );
-		return 0;
-	}
-
-	if ( data )
-	{
-		data->Stamp( p, encoding );
-		location = data->Cursor();
-	}
-
-	if ( *p != '<' )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_PARSING_ELEMENT, p, data, encoding );
-		return 0;
-	}
-
-	p = SkipWhiteSpace( p+1, encoding );
-
-	// Read the name.
-	const char* pErr = p;
-
-    p = ReadName( p, &value, encoding );
-	if ( !p || !*p )
-	{
-		if ( document )	document->SetError( TIXML_ERROR_FAILED_TO_READ_ELEMENT_NAME, pErr, data, encoding );
-		return 0;
-	}
-
-    TIXML_STRING endTag ("</");
-	endTag += value;
-
-	// Check for and read attributes. Also look for an empty
-	// tag or an end tag.
-	while ( p && *p )
-	{
-		pErr = p;
-		p = SkipWhiteSpace( p, encoding );
-		if ( !p || !*p )
-		{
-			if ( document ) document->SetError( TIXML_ERROR_READING_ATTRIBUTES, pErr, data, encoding );
-			return 0;
-		}
-		if ( *p == '/' )
-		{
-			++p;
-			// Empty tag.
-			if ( *p  != '>' )
-			{
-				if ( document ) document->SetError( TIXML_ERROR_PARSING_EMPTY, p, data, encoding );		
-				return 0;
-			}
-			return (p+1);
-		}
-		else if ( *p == '>' )
-		{
-			// Done with attributes (if there were any.)
-			// Read the value -- which can include other
-			// elements -- read the end tag, and return.
-			++p;
-			p = ReadValue( p, data, encoding );		// Note this is an Element method, and will set the error if one happens.
-			if ( !p || !*p ) {
-				// We were looking for the end tag, but found nothing.
-				// Fix for [ 1663758 ] Failure to report error on bad XML
-				if ( document ) document->SetError( TIXML_ERROR_READING_END_TAG, p, data, encoding );
-				return 0;
-			}
-
-			// We should find the end tag now
-			// note that:
-			// </foo > and
-			// </foo> 
-			// are both valid end tags.
-			if ( StringEqual( p, endTag.c_str(), false, encoding ) )
-			{
-				p += endTag.length();
-				p = SkipWhiteSpace( p, encoding );
-				if ( p && *p && *p == '>' ) {
-					++p;
-					return p;
-				}
-				if ( document ) document->SetError( TIXML_ERROR_READING_END_TAG, p, data, encoding );
-				return 0;
-			}
-			else
-			{
-				if ( document ) document->SetError( TIXML_ERROR_READING_END_TAG, p, data, encoding );
-				return 0;
-			}
-		}
-		else
-		{
-			// Try to read an attribute:
-			TiXmlAttribute* attrib = new TiXmlAttribute();
-			if ( !attrib )
-			{
-				return 0;
-			}
-
-			attrib->SetDocument( document );
-			pErr = p;
-			p = attrib->Parse( p, data, encoding );
-
-			if ( !p || !*p )
-			{
-				if ( document ) document->SetError( TIXML_ERROR_PARSING_ELEMENT, pErr, data, encoding );
-				delete attrib;
-				return 0;
-			}
-
-			// Handle the strange case of double attributes:
-			#ifdef TIXML_USE_STL
-			TiXmlAttribute* node = attributeSet.Find( attrib->NameTStr() );
-			#else
-			TiXmlAttribute* node = attributeSet.Find( attrib->Name() );
-			#endif
-			if ( node )
-			{
-				if ( document ) document->SetError( TIXML_ERROR_PARSING_ELEMENT, pErr, data, encoding );
-				delete attrib;
-				return 0;
-			}
-
-			attributeSet.Add( attrib );
-		}
-	}
-	return p;
-}
-
-
-const char* TiXmlElement::ReadValue( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding )
-{
-	TiXmlDocument* document = GetDocument();
-
-	// Read in text and elements in any order.
-	const char* pWithWhiteSpace = p;
-	p = SkipWhiteSpace( p, encoding );
-
-	while ( p && *p )
-	{
-		if ( *p != '<' )
-		{
-			// Take what we have, make a text element.
-			TiXmlText* textNode = new TiXmlText( "" );
-
-			if ( !textNode )
-			{
-			    return 0;
-			}
-
-			if ( TiXmlBase::IsWhiteSpaceCondensed() )
-			{
-				p = textNode->Parse( p, data, encoding );
-			}
-			else
-			{
-				// Special case: we want to keep the white space
-				// so that leading spaces aren't removed.
-				p = textNode->Parse( pWithWhiteSpace, data, encoding );
-			}
-
-			if ( !textNode->Blank() )
-				LinkEndChild( textNode );
-			else
-				delete textNode;
-		} 
-		else 
-		{
-			// We hit a '<'
-			// Have we hit a new element or an end tag? This could also be
-			// a TiXmlText in the "CDATA" style.
-			if ( StringEqual( p, "</", false, encoding ) )
-			{
-				return p;
-			}
-			else
-			{
-				TiXmlNode* node = Identify( p, encoding );
-				if ( node )
-				{
-					p = node->Parse( p, data, encoding );
-					LinkEndChild( node );
-				}				
-				else
-				{
-					return 0;
-				}
-			}
-		}
-		pWithWhiteSpace = p;
-		p = SkipWhiteSpace( p, encoding );
-	}
-
-	if ( !p )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_READING_ELEMENT_VALUE, 0, 0, encoding );
-	}	
-	return p;
-}
-
-
-#ifdef TIXML_USE_STL
-void TiXmlUnknown::StreamIn( std::istream * in, TIXML_STRING * tag )
-{
-	while ( in->good() )
-	{
-		int c = in->get();	
-		if ( c <= 0 )
-		{
-			TiXmlDocument* document = GetDocument();
-			if ( document )
-				document->SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-			return;
-		}
-		(*tag) += (char) c;
-
-		if ( c == '>' )
-		{
-			// All is well.
-			return;		
-		}
-	}
-}
-#endif
-
-
-const char* TiXmlUnknown::Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding )
-{
-	TiXmlDocument* document = GetDocument();
-	p = SkipWhiteSpace( p, encoding );
-
-	if ( data )
-	{
-		data->Stamp( p, encoding );
-		location = data->Cursor();
-	}
-	if ( !p || !*p || *p != '<' )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_PARSING_UNKNOWN, p, data, encoding );
-		return 0;
-	}
-	++p;
-    value = "";
-
-	while ( p && *p && *p != '>' )
-	{
-		value += *p;
-		++p;
-	}
-
-	if ( !p )
-	{
-		if ( document )	
-			document->SetError( TIXML_ERROR_PARSING_UNKNOWN, 0, 0, encoding );
-	}
-	if ( p && *p == '>' )
-		return p+1;
-	return p;
-}
-
-#ifdef TIXML_USE_STL
-void TiXmlComment::StreamIn( std::istream * in, TIXML_STRING * tag )
-{
-	while ( in->good() )
-	{
-		int c = in->get();	
-		if ( c <= 0 )
-		{
-			TiXmlDocument* document = GetDocument();
-			if ( document )
-				document->SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-			return;
-		}
-
-		(*tag) += (char) c;
-
-		if ( c == '>' 
-			 && tag->at( tag->length() - 2 ) == '-'
-			 && tag->at( tag->length() - 3 ) == '-' )
-		{
-			// All is well.
-			return;		
-		}
-	}
-}
-#endif
-
-
-const char* TiXmlComment::Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding )
-{
-	TiXmlDocument* document = GetDocument();
-	value = "";
-
-	p = SkipWhiteSpace( p, encoding );
-
-	if ( data )
-	{
-		data->Stamp( p, encoding );
-		location = data->Cursor();
-	}
-	const char* startTag = "<!--";
-	const char* endTag   = "-->";
-
-	if ( !StringEqual( p, startTag, false, encoding ) )
-	{
-		if ( document )
-			document->SetError( TIXML_ERROR_PARSING_COMMENT, p, data, encoding );
-		return 0;
-	}
-	p += strlen( startTag );
-
-	// [ 1475201 ] TinyXML parses entities in comments
-	// Oops - ReadText doesn't work, because we don't want to parse the entities.
-	// p = ReadText( p, &value, false, endTag, false, encoding );
-	//
-	// from the XML spec:
-	/*
-	 [Definition: Comments may appear anywhere in a document outside other markup; in addition, 
-	              they may appear within the document type declaration at places allowed by the grammar. 
-				  They are not part of the document's character data; an XML processor MAY, but need not, 
-				  make it possible for an application to retrieve the text of comments. For compatibility, 
-				  the string "--" (double-hyphen) MUST NOT occur within comments.] Parameter entity 
-				  references MUST NOT be recognized within comments.
-
-				  An example of a comment:
-
-				  <!-- declarations for <head> & <body> -->
-	*/
-
-    value = "";
-	// Keep all the white space.
-	while (	p && *p && !StringEqual( p, endTag, false, encoding ) )
-	{
-		value.append( p, 1 );
-		++p;
-	}
-	if ( p && *p ) 
-		p += strlen( endTag );
-
-	return p;
-}
-
-
-const char* TiXmlAttribute::Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding )
-{
-	p = SkipWhiteSpace( p, encoding );
-	if ( !p || !*p ) return 0;
-
-	if ( data )
-	{
-		data->Stamp( p, encoding );
-		location = data->Cursor();
-	}
-	// Read the name, the '=' and the value.
-	const char* pErr = p;
-	p = ReadName( p, &name, encoding );
-	if ( !p || !*p )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_READING_ATTRIBUTES, pErr, data, encoding );
-		return 0;
-	}
-	p = SkipWhiteSpace( p, encoding );
-	if ( !p || !*p || *p != '=' )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_READING_ATTRIBUTES, p, data, encoding );
-		return 0;
-	}
-
-	++p;	// skip '='
-	p = SkipWhiteSpace( p, encoding );
-	if ( !p || !*p )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_READING_ATTRIBUTES, p, data, encoding );
-		return 0;
-	}
-	
-	const char* end;
-	const char SINGLE_QUOTE = '\'';
-	const char DOUBLE_QUOTE = '\"';
-
-	if ( *p == SINGLE_QUOTE )
-	{
-		++p;
-		end = "\'";		// single quote in string
-		p = ReadText( p, &value, false, end, false, encoding );
-	}
-	else if ( *p == DOUBLE_QUOTE )
-	{
-		++p;
-		end = "\"";		// double quote in string
-		p = ReadText( p, &value, false, end, false, encoding );
-	}
-	else
-	{
-		// All attribute values should be in single or double quotes.
-		// But this is such a common error that the parser will try
-		// its best, even without them.
-		value = "";
-		while (    p && *p											// existence
-				&& !IsWhiteSpace( *p )								// whitespace
-				&& *p != '/' && *p != '>' )							// tag end
-		{
-			if ( *p == SINGLE_QUOTE || *p == DOUBLE_QUOTE ) {
-				// [ 1451649 ] Attribute values with trailing quotes not handled correctly
-				// We did not have an opening quote but seem to have a 
-				// closing one. Give up and throw an error.
-				if ( document ) document->SetError( TIXML_ERROR_READING_ATTRIBUTES, p, data, encoding );
-				return 0;
-			}
-			value += *p;
-			++p;
-		}
-	}
-	return p;
-}
-
-#ifdef TIXML_USE_STL
-void TiXmlText::StreamIn( std::istream * in, TIXML_STRING * tag )
-{
-	while ( in->good() )
-	{
-		int c = in->peek();	
-		if ( !cdata && (c == '<' ) ) 
-		{
-			return;
-		}
-		if ( c <= 0 )
-		{
-			TiXmlDocument* document = GetDocument();
-			if ( document )
-				document->SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-			return;
-		}
-
-		(*tag) += (char) c;
-		in->get();	// "commits" the peek made above
-
-		if ( cdata && c == '>' && tag->size() >= 3 ) {
-			size_t len = tag->size();
-			if ( (*tag)[len-2] == ']' && (*tag)[len-3] == ']' ) {
-				// terminator of cdata.
-				return;
-			}
-		}    
-	}
-}
-#endif
-
-const char* TiXmlText::Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding encoding )
-{
-	value = "";
-	TiXmlDocument* document = GetDocument();
-
-	if ( data )
-	{
-		data->Stamp( p, encoding );
-		location = data->Cursor();
-	}
-
-	const char* const startTag = "<![CDATA[";
-	const char* const endTag   = "]]>";
-
-	if ( cdata || StringEqual( p, startTag, false, encoding ) )
-	{
-		cdata = true;
-
-		if ( !StringEqual( p, startTag, false, encoding ) )
-		{
-			if ( document )
-				document->SetError( TIXML_ERROR_PARSING_CDATA, p, data, encoding );
-			return 0;
-		}
-		p += strlen( startTag );
-
-		// Keep all the white space, ignore the encoding, etc.
-		while (	   p && *p
-				&& !StringEqual( p, endTag, false, encoding )
-			  )
-		{
-			value += *p;
-			++p;
-		}
-
-		TIXML_STRING dummy; 
-		p = ReadText( p, &dummy, false, endTag, false, encoding );
-		return p;
-	}
-	else
-	{
-		bool ignoreWhite = true;
-
-		const char* end = "<";
-		p = ReadText( p, &value, ignoreWhite, end, false, encoding );
-		if ( p && *p )
-			return p-1;	// don't truncate the '<'
-		return 0;
-	}
-}
-
-#ifdef TIXML_USE_STL
-void TiXmlDeclaration::StreamIn( std::istream * in, TIXML_STRING * tag )
-{
-	while ( in->good() )
-	{
-		int c = in->get();
-		if ( c <= 0 )
-		{
-			TiXmlDocument* document = GetDocument();
-			if ( document )
-				document->SetError( TIXML_ERROR_EMBEDDED_NULL, 0, 0, TIXML_ENCODING_UNKNOWN );
-			return;
-		}
-		(*tag) += (char) c;
-
-		if ( c == '>' )
-		{
-			// All is well.
-			return;
-		}
-	}
-}
-#endif
-
-const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXmlEncoding _encoding )
-{
-	p = SkipWhiteSpace( p, _encoding );
-	// Find the beginning, find the end, and look for
-	// the stuff in-between.
-	TiXmlDocument* document = GetDocument();
-	if ( !p || !*p || !StringEqual( p, "<?xml", true, _encoding ) )
-	{
-		if ( document ) document->SetError( TIXML_ERROR_PARSING_DECLARATION, 0, 0, _encoding );
-		return 0;
-	}
-	if ( data )
-	{
-		data->Stamp( p, _encoding );
-		location = data->Cursor();
-	}
-	p += 5;
-
-	version = "";
-	encoding = "";
-	standalone = "";
-
-	while ( p && *p )
-	{
-		if ( *p == '>' )
-		{
-			++p;
-			return p;
-		}
-
-		p = SkipWhiteSpace( p, _encoding );
-		if ( StringEqual( p, "version", true, _encoding ) )
-		{
-			TiXmlAttribute attrib;
-			p = attrib.Parse( p, data, _encoding );		
-			version = attrib.Value();
-		}
-		else if ( StringEqual( p, "encoding", true, _encoding ) )
-		{
-			TiXmlAttribute attrib;
-			p = attrib.Parse( p, data, _encoding );		
-			encoding = attrib.Value();
-		}
-		else if ( StringEqual( p, "standalone", true, _encoding ) )
-		{
-			TiXmlAttribute attrib;
-			p = attrib.Parse( p, data, _encoding );		
-			standalone = attrib.Value();
-		}
-		else
-		{
-			// Read over whatever it is.
-			while( p && *p && *p != '>' && !IsWhiteSpace( *p ) )
-				++p;
-		}
-	}
-	return 0;
-}
-
-bool TiXmlText::Blank() const
-{
-	for ( unsigned i=0; i<value.length(); i++ )
-		if ( !IsWhiteSpace( value[i] ) )
-			return false;
-	return true;
-}
-
diff --git a/ctrtool/tmd.c b/ctrtool/tmd.c
deleted file mode 100644
index 95d23276..00000000
--- a/ctrtool/tmd.c
+++ /dev/null
@@ -1,180 +0,0 @@
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include "tmd.h"
-#include "utils.h"
-#include <inttypes.h>
-
-
-void tmd_init(tmd_context* ctx)
-{
-	memset(ctx, 0, sizeof(tmd_context));
-}
-
-void tmd_set_file(tmd_context* ctx, FILE* file)
-{
-	ctx->file = file;
-}
-
-void tmd_set_offset(tmd_context* ctx, u64 offset)
-{
-	ctx->offset = offset;
-}
-
-void tmd_set_size(tmd_context* ctx, u32 size)
-{
-	ctx->size = size;
-}
-
-void tmd_set_usersettings(tmd_context* ctx, settings* usersettings)
-{
-	ctx->usersettings = usersettings;
-}
-
-void tmd_process(tmd_context* ctx, u32 actions)
-{
-	if (ctx->buffer == 0)
-		ctx->buffer = malloc(ctx->size);
-
-	if (ctx->buffer)
-	{
-		fseeko64(ctx->file, ctx->offset, SEEK_SET);
-		fread(ctx->buffer, 1, ctx->size, ctx->file);
-
-		if (actions & InfoFlag)
-		{
-			tmd_print(ctx);
-		}
-	}
-}
-
-ctr_tmd_body *tmd_get_body(tmd_context *ctx) 
-{
-	unsigned int type = getbe32(ctx->buffer);
-	ctr_tmd_body *body = NULL;
-
-	if (type == TMD_RSA_2048_SHA256 || type == TMD_RSA_2048_SHA1)
-	{
-		body = (ctr_tmd_body*)(ctx->buffer + sizeof(ctr_tmd_header_2048));
-	}
-	else if (type == TMD_RSA_4096_SHA256 || type == TMD_RSA_4096_SHA1)
-	{
-		body = (ctr_tmd_body*)(ctx->buffer + sizeof(ctr_tmd_header_4096));
-	}
-
-	return body;
-}
-
-const char* tmd_get_type_string(unsigned int type)
-{
-	switch(type)
-	{
-	case TMD_RSA_2048_SHA256: return "RSA 2048 - SHA256";
-	case TMD_RSA_4096_SHA256: return "RSA 4096 - SHA256";
-	case TMD_RSA_2048_SHA1: return "RSA 2048 - SHA1";
-	case TMD_RSA_4096_SHA1: return "RSA 4096 - SHA1";
-	default:
-		return "unknown";
-	}
-}
-
-void tmd_print(tmd_context* ctx)
-{
-	unsigned int type = getbe32(ctx->buffer);
-	ctr_tmd_header_4096* header4096 = 0;
-	ctr_tmd_header_2048* header2048 = 0;
-	ctr_tmd_body* body = 0;
-	unsigned int contentcount = 0;
-	unsigned int savesize = 0;
-	unsigned int titlever = 0;
-	unsigned int i;
-
-	if (type == TMD_RSA_2048_SHA256 || type == TMD_RSA_2048_SHA1)
-	{
-		header2048 = (ctr_tmd_header_2048*)ctx->buffer;
-	}
-	else if (type == TMD_RSA_4096_SHA256 || type == TMD_RSA_4096_SHA1)
-	{
-		header4096 = (ctr_tmd_header_4096*)ctx->buffer;
-	}
-	else
-	{
-		return;
-	}
-
-	body = tmd_get_body(ctx);
-
-	contentcount = getbe16(body->contentcount);
-	savesize = getle32(body->savedatasize);
-	titlever = getbe16(body->titleversion);
-	
-	fprintf(stdout, "\nTMD header:\n");
-	fprintf(stdout, "Signature type:         %s\n", tmd_get_type_string(type));
-	fprintf(stdout, "Issuer:                 %s\n", body->issuer);
-	fprintf(stdout, "Version:                %d\n", body->version);
-	fprintf(stdout, "CA CRL version:         %d\n", body->ca_crl_version);
-	fprintf(stdout, "Signer CRL version:     %d\n", body->signer_crl_version);
-	memdump(stdout, "System version:         ", body->systemversion, 8);
-	memdump(stdout, "Title id:               ", body->titleid, 8);
-	fprintf(stdout, "Title type:             %08x\n", getbe32(body->titletype));
-	fprintf(stdout, "Group id:               %04x\n", getbe16(body->groupid));
-	if(savesize < sizeKB)
-		fprintf(stdout, "Save Size:              %08x\n", savesize);
-	else if(savesize < sizeMB)
-		fprintf(stdout, "Save Size:              %dKB (%08x)\n", savesize/sizeKB, savesize);
-	else
-		fprintf(stdout, "Save Size:              %dMB (%08x)\n", savesize/sizeMB, savesize);
-	fprintf(stdout, "Access rights:          %08x\n", getbe32(body->accessrights));
-	fprintf(stdout, "Title version:          %d.%d.%d (v%d)\n", (titlever >> 10) & 0x3F, (titlever >> 4) & 0x3F, titlever & 0xF, titlever);
-	fprintf(stdout, "Content count:          %04x\n", getbe16(body->contentcount));
-	fprintf(stdout, "Boot content:           %04x\n", getbe16(body->bootcontent));
-	memdump(stdout, "Hash:                   ", body->hash, 32);
-
-	fprintf(stdout, "\nTMD content info:\n");
-	for(i = 0; i < TMD_MAX_CONTENTS; i++)
-	{
-		ctr_tmd_contentinfo* info = (ctr_tmd_contentinfo*)(body->contentinfo + sizeof(ctr_tmd_contentinfo)*i);
-
-		if (getbe16(info->commandcount) == 0)
-			continue;
-
-		fprintf(stdout, "Content index:          %04x\n", getbe16(info->index));
-		fprintf(stdout, "Command count:          %04x\n", getbe16(info->commandcount));
-		memdump(stdout, "Unknown:                ", info->unk, 32);
-	}
-	fprintf(stdout, "\nTMD contents:\n");
-	for(i = 0; i < contentcount; i++)
-	{
-		ctr_tmd_contentchunk* chunk = (ctr_tmd_contentchunk*)(body->contentinfo + 36*64 + i*48);
-		unsigned short type = getbe16(chunk->type);
-
-		fprintf(stdout, "Content id:             %08x\n", getbe32(chunk->id));
-		fprintf(stdout, "Content index:          %04x\n", getbe16(chunk->index));
-		fprintf(stdout, "Content type:           %04x", getbe16(chunk->type));
-		if (type)
-		{
-			fprintf(stdout, " ");
-			if (type & 1)
-				fprintf(stdout, "[encrypted]");
-			if (type & 2)
-				fprintf(stdout, "[disc]");
-			if (type & 4)
-				fprintf(stdout, "[cfm]");
-			if (type & 0x4000)
-				fprintf(stdout, "[optional]");
-			if (type & 0x8000)
-				fprintf(stdout, "[shared]");
-		}
-		fprintf(stdout, "\n");
-		fprintf(stdout, "Content size:           %016"PRIx64"\n", getbe64(chunk->size));
-
-		switch(ctx->content_hash_stat[i]) {
-			case 1:  memdump(stdout, "Content hash [OK]:      ", chunk->hash, 32); break;
-			case 2:  memdump(stdout, "Content hash [FAIL]:    ", chunk->hash, 32); break;
-			default: memdump(stdout, "Content hash:           ", chunk->hash, 32); break; 
-		}
-
-		fprintf(stdout, "\n");
-	}
-}
diff --git a/ctrtool/tmd.h b/ctrtool/tmd.h
deleted file mode 100644
index d9701a7d..00000000
--- a/ctrtool/tmd.h
+++ /dev/null
@@ -1,103 +0,0 @@
-#ifndef _TMD_H_
-#define _TMD_H_
-
-#include "types.h"
-#include "settings.h"
-
-#define TMD_MAX_CONTENTS 64
-
-typedef enum
-{
-	TMD_RSA_2048_SHA256 = 0x00010004,
-	TMD_RSA_4096_SHA256 = 0x00010003,
-	TMD_RSA_2048_SHA1   = 0x00010001,
-	TMD_RSA_4096_SHA1   = 0x00010000
-} ctr_tmdtype;
-
-
-typedef struct
-{
-	unsigned char padding[60];
-	unsigned char issuer[64];
-	unsigned char version;
-	unsigned char ca_crl_version;
-	unsigned char signer_crl_version;
-	unsigned char padding2;
-	unsigned char systemversion[8];
-	unsigned char titleid[8];
-	unsigned char titletype[4];
-	unsigned char groupid[2];
-	unsigned char savedatasize[4];
-	unsigned char privsavedatasize[4];
-	unsigned char padding3[4];
-	unsigned char twlflag;
-	unsigned char padding4[0x31];
-	unsigned char accessrights[4];
-	unsigned char titleversion[2];
-	unsigned char contentcount[2];
-	unsigned char bootcontent[2];
-	unsigned char padding5[2];
-	unsigned char hash[32];
-	unsigned char contentinfo[36*64];
-} ctr_tmd_body;
-
-typedef struct
-{
-	unsigned char index[2];
-	unsigned char commandcount[2];
-	unsigned char unk[32];
-} ctr_tmd_contentinfo;
-
-
-typedef struct
-{
-	unsigned char id[4];
-	unsigned char index[2];
-	unsigned char type[2];
-	unsigned char size[8];
-	unsigned char hash[32];
-} ctr_tmd_contentchunk;
-
-
-typedef struct
-{
-	unsigned char signaturetype[4];
-	unsigned char signature[256];
-} ctr_tmd_header_2048;
-
-typedef struct
-{
-	unsigned char signaturetype[4];
-	unsigned char signature[512];
-} ctr_tmd_header_4096;
-
-typedef struct
-{
-	FILE* file;
-	u64 offset;
-	u32 size;
-	u8* buffer;
-	u8 content_hash_stat[64];
-	settings* usersettings;
-} tmd_context;
-
-
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void tmd_init(tmd_context* ctx);
-void tmd_set_file(tmd_context* ctx, FILE* file);
-void tmd_set_offset(tmd_context* ctx, u64 offset);
-void tmd_set_size(tmd_context* ctx, u32 size);
-void tmd_set_usersettings(tmd_context* ctx, settings* usersettings);
-void tmd_print(tmd_context* ctx);
-void tmd_process(tmd_context* ctx, u32 actions);
-ctr_tmd_body *tmd_get_body(tmd_context *ctx);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _TMD_H_
diff --git a/ctrtool/types.h b/ctrtool/types.h
deleted file mode 100644
index c35e2ba8..00000000
--- a/ctrtool/types.h
+++ /dev/null
@@ -1,44 +0,0 @@
-#ifndef __TYPES_H__
-#define __TYPES_H__
-
-#include <stdint.h>
-#include <inttypes.h>
-
-typedef uint8_t			u8;
-typedef uint16_t		u16;
-typedef uint32_t		u32;
-typedef uint64_t		u64;
-
-typedef int8_t			s8;
-typedef int16_t			s16;
-typedef int32_t			s32;
-typedef int64_t			s64;
-
-enum flags
-{
-	ExtractFlag = (1<<0),
-	InfoFlag = (1<<1),
-	PlainFlag = (1<<2),
-	VerboseFlag = (1<<3),
-	VerifyFlag = (1<<4),
-	RawFlag = (1<<5),
-	ShowKeysFlag = (1<<6),
-	DecompressCodeFlag = (1<<7),
-	ShowSyscallsFlag = (1<<8),
-	DevFlag = (1<<9),
-};
-
-enum validstate
-{
-	Unchecked = 0,
-	Good = 1,
-	Fail = 2,
-};
-
-enum sizeunits
-{
-	sizeKB = 0x400,
-	sizeMB = 0x100000,
-};
-
-#endif
diff --git a/ctrtool/utils.c b/ctrtool/utils.c
deleted file mode 100644
index 92125e5b..00000000
--- a/ctrtool/utils.c
+++ /dev/null
@@ -1,239 +0,0 @@
-#include <stdio.h>
-#include <string.h>
-#include <sys/stat.h>
-#ifdef _WIN32
-#include <direct.h>
-#endif
-#include "utils.h"
-
-
-
-u32 align(u32 offset, u32 alignment)
-{
-	u32 mask = ~(alignment-1);
-
-	return (offset + (alignment-1)) & mask;
-}
-
-u64 align64(u64 offset, u32 alignment)
-{
-	u64 mask = ~(u64)(alignment-1);
-
-	return (offset + (alignment-1)) & mask;
-}
-
-u64 getle64(const u8* p)
-{
-	u64 n = p[0];
-
-	n |= (u64)p[1]<<8;
-	n |= (u64)p[2]<<16;
-	n |= (u64)p[3]<<24;
-	n |= (u64)p[4]<<32;
-	n |= (u64)p[5]<<40;
-	n |= (u64)p[6]<<48;
-	n |= (u64)p[7]<<56;
-	return n;
-}
-
-u64 getbe64(const u8* p)
-{
-	u64 n = 0;
-
-	n |= (u64)p[0]<<56;
-	n |= (u64)p[1]<<48;
-	n |= (u64)p[2]<<40;
-	n |= (u64)p[3]<<32;
-	n |= (u64)p[4]<<24;
-	n |= (u64)p[5]<<16;
-	n |= (u64)p[6]<<8;
-	n |= (u64)p[7]<<0;
-	return n;
-}
-
-u32 getle32(const u8* p)
-{
-	return (p[0]<<0) | (p[1]<<8) | (p[2]<<16) | (p[3]<<24);
-}
-
-u32 getbe32(const u8* p)
-{
-	return (p[0]<<24) | (p[1]<<16) | (p[2]<<8) | (p[3]<<0);
-}
-
-u32 getle16(const u8* p)
-{
-	return (p[0]<<0) | (p[1]<<8);
-}
-
-u32 getbe16(const u8* p)
-{
-	return (p[0]<<8) | (p[1]<<0);
-}
-
-void putle16(u8* p, u16 n)
-{
-	p[0] = (u8) n;
-	p[1] = (u8) (n>>8);
-}
-
-void putle32(u8* p, u32 n)
-{
-	p[0] = (u8) n;
-	p[1] = (u8) (n>>8);
-	p[2] = (u8) (n>>16);
-	p[3] = (u8) (n>>24);
-}
-
-void putle64(u8* p, u64 n)
-{
-	p[0] = (u8) n;
-	p[1] = (u8) (n >> 8);
-	p[2] = (u8) (n >> 16);
-	p[3] = (u8) (n >> 24);
-	p[4] = (u8) (n >> 32);
-	p[5] = (u8) (n >> 40);
-	p[6] = (u8) (n >> 48);
-	p[7] = (u8) (n >> 56);
-}
-
-void putbe16(u8* p, u16 n)
-{
-	p[1] = (u8) n;
-	p[0] = (u8) (n >> 8);
-}
-
-void putbe32(u8* p, u32 n)
-{
-	p[3] = (u8) n;
-	p[2] = (u8) (n >> 8);
-	p[1] = (u8) (n >> 16);
-	p[0] = (u8) (n >> 24);
-}
-
-void putbe64(u8* p, u64 n)
-{
-	p[7] = (u8) n;
-	p[6] = (u8) (n >> 8);
-	p[5] = (u8) (n >> 16);
-	p[4] = (u8) (n >> 24);
-	p[3] = (u8) (n >> 32);
-	p[2] = (u8) (n >> 40);
-	p[1] = (u8) (n >> 48);
-	p[0] = (u8) (n >> 56);
-}
-
-void readkeyfile(u8* key, const char* keyfname)
-{
-	u64 keysize = _fsize(keyfname);
-	FILE* f = fopen(keyfname, "rb");
-	
-	if (0 == f)
-	{
-		fprintf(stdout, "Error opening key file\n");
-		goto clean;
-	}
-
-	if (keysize != 16)
-	{
-		fprintf(stdout, "Error key size mismatch, got %"PRIu64", expected %d\n", keysize, 16);
-		goto clean;
-	}
-
-	if (16 != fread(key, 1, 16, f))
-	{
-		fprintf(stdout, "Error reading key file\n");
-		goto clean;
-	}
-
-clean:
-	if (f)
-		fclose(f);
-}
-
-void hexdump(void *ptr, int buflen)
-{
-	u8 *buf = (u8*)ptr;
-	int i, j;
-
-	for (i=0; i<buflen; i+=16)
-	{
-		printf("%06x: ", i);
-		for (j=0; j<16; j++)
-		{ 
-			if (i+j < buflen)
-			{
-				printf("%02x ", buf[i+j]);
-			}
-			else
-			{
-				printf("   ");
-			}
-		}
-
-		printf(" ");
-
-		for (j=0; j<16; j++) 
-		{
-			if (i+j < buflen)
-			{
-				printf("%c", (buf[i+j] >= 0x20 && buf[i+j] <= 0x7e) ? buf[i+j] : '.');
-			}
-		}
-		printf("\n");
-	}
-}
-
-void memdump(FILE* fout, const char* prefix, const u8* data, u32 size)
-{
-	u32 i;
-	u32 prefixlen = strlen(prefix);
-	u32 offs = 0;
-	u32 line = 0;
-	while(size)
-	{
-		u32 max = 32;
-
-		if (max > size)
-			max = size;
-
-		if (line==0)
-			fprintf(fout, "%s", prefix);
-		else
-			fprintf(fout, "%*s", prefixlen, "");
-
-
-		for(i=0; i<max; i++)
-			fprintf(fout, "%02X", data[offs+i]);
-		fprintf(fout, "\n");
-		line++;
-		size -= max;
-		offs += max;
-	}
-}
-
-int makedir(const char* dir)
-{
-#ifdef _WIN32
-	return _mkdir(dir);
-#else
-	return mkdir(dir, 0777);
-#endif
-}
-
-u64 _fsize(const char *filename)
-{
-#ifdef _WIN32
-	struct _stat64 st;
-	if (_stat64(filename, &st) != 0)
-		return 0;
-	else
-		return st.st_size;
-#else
-	struct stat st;
-	if (stat(filename, &st) != 0)
-		return 0;
-	else
-		return st.st_size;
-#endif
-}
\ No newline at end of file
diff --git a/ctrtool/utils.h b/ctrtool/utils.h
deleted file mode 100644
index eb68fcbc..00000000
--- a/ctrtool/utils.h
+++ /dev/null
@@ -1,59 +0,0 @@
-#ifndef _UTILS_H_
-#define _UTILS_H_
-
-#include "types.h"
-
-#ifdef _WIN32
-#define PATH_SEPERATOR '\\'
-#else
-#define PATH_SEPERATOR '/'
-#endif
-
-#ifndef MAX_PATH
-	#define MAX_PATH 255
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-u32 align(u32 offset, u32 alignment);
-u64 align64(u64 offset, u32 alignment);
-u64 getle64(const u8* p);
-u32 getle32(const u8* p);
-u32 getle16(const u8* p);
-u64 getbe64(const u8* p);
-u32 getbe32(const u8* p);
-u32 getbe16(const u8* p);
-void putle16(u8* p, u16 n);
-void putle32(u8* p, u32 n);
-void putle64(u8* p, u64 n);
-void putbe16(u8* p, u16 n);
-void putbe32(u8* p, u32 n);
-void putbe64(u8* p, u64 n);
-
-void readkeyfile(u8* key, const char* keyfname);
-void memdump(FILE* fout, const char* prefix, const u8* data, u32 size);
-void hexdump(void *ptr, int buflen);
-int key_load(char *name, u8 *out_buf);
-
-int makedir(const char* dir);
-
-u64 _fsize(const char *filename);
-
-#ifdef _MSC_VER
-inline int fseeko64(FILE *__stream, long long __off, int __whence)
-{
-	return _fseeki64(__stream, __off, __whence);
-}
-#elif __APPLE__ || __CYGWIN__
-    #define fseeko64 fseek // OS X file I/O is 64bit
-#elif __linux__
-    extern int fseeko64 (FILE *__stream, __off64_t __off, int __whence);
-#endif
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // _UTILS_H_
diff --git a/ctrtool/windows/getopt.c b/ctrtool/windows/getopt.c
deleted file mode 100644
index ca5cb5ce..00000000
--- a/ctrtool/windows/getopt.c
+++ /dev/null
@@ -1,1047 +0,0 @@
-/* Getopt for GNU.
-   NOTE: getopt is now part of the C library, so if you don't know what
-   "Keep this file name-space clean" means, talk to drepper@gnu.org
-   before changing it!
-
-   Copyright (C) 1987, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99
-   	Free Software Foundation, Inc.
-
-   The GNU C Library is free software; you can redistribute it and/or
-   modify it under the terms of the GNU Library General Public License as
-   published by the Free Software Foundation; either version 2 of the
-   License, or (at your option) any later version.
-
-   The GNU C Library is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   Library General Public License for more details.
-
-   You should have received a copy of the GNU Library General Public
-   License along with the GNU C Library; see the file COPYING.LIB.  If not,
-   write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-   Boston, MA 02111-1307, USA.  */
-
-/* This tells Alpha OSF/1 not to define a getopt prototype in <stdio.h>.
-   Ditto for AIX 3.2 and <stdlib.h>.  */
-#ifndef _NO_PROTO
-# define _NO_PROTO
-#endif
-
-#ifdef HAVE_CONFIG_H
-# include "config.h"
-#endif
-
-#if !defined __STDC__ || !__STDC__
-/* This is a separate conditional since some stdc systems
-   reject `defined (const)'.  */
-# ifndef const
-#  define const
-# endif
-#endif
-
-#include <stdio.h>
-
-/* Comment out all this code if we are using the GNU C Library, and are not
-   actually compiling the library itself.  This code is part of the GNU C
-   Library, but also included in many other GNU distributions.  Compiling
-   and linking in this code is a waste when using the GNU C library
-   (especially if it is a shared library).  Rather than having every GNU
-   program understand `configure --with-gnu-libc' and omit the object files,
-   it is simpler to just do this in the source for each such file.  */
-
-#define GETOPT_INTERFACE_VERSION 2
-#if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2
-# include <gnu-versions.h>
-# if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION
-#  define ELIDE_CODE
-# endif
-#endif
-
-#ifndef ELIDE_CODE
-
-
-/* This needs to come after some library #include
-   to get __GNU_LIBRARY__ defined.  */
-#ifdef	__GNU_LIBRARY__
-/* Don't include stdlib.h for non-GNU C libraries because some of them
-   contain conflicting prototypes for getopt.  */
-# include <stdlib.h>
-# include <unistd.h>
-#endif	/* GNU C library.  */
-
-#ifdef VMS
-# include <unixlib.h>
-# if HAVE_STRING_H - 0
-#  include <string.h>
-# endif
-#endif
-
-#ifndef _
-/* This is for other GNU distributions with internationalized messages.
-   When compiling libc, the _ macro is predefined.  */
-# ifdef HAVE_LIBINTL_H
-#  include <libintl.h>
-#  define _(msgid)	gettext (msgid)
-# else
-#  define _(msgid)	(msgid)
-# endif
-#endif
-
-/* This version of `getopt' appears to the caller like standard Unix `getopt'
-   but it behaves differently for the user, since it allows the user
-   to intersperse the options with the other arguments.
-
-   As `getopt' works, it permutes the elements of ARGV so that,
-   when it is done, all the options precede everything else.  Thus
-   all application programs are extended to handle flexible argument order.
-
-   Setting the environment variable POSIXLY_CORRECT disables permutation.
-   Then the behavior is completely standard.
-
-   GNU application programs can use a third alternative mode in which
-   they can distinguish the relative order of options and other arguments.  */
-
-#include "getopt.h"
-
-/* For communication from `getopt' to the caller.
-   When `getopt' finds an option that takes an argument,
-   the argument value is returned here.
-   Also, when `ordering' is RETURN_IN_ORDER,
-   each non-option ARGV-element is returned here.  */
-
-char *optarg;
-
-/* Index in ARGV of the next element to be scanned.
-   This is used for communication to and from the caller
-   and for communication between successive calls to `getopt'.
-
-   On entry to `getopt', zero means this is the first call; initialize.
-
-   When `getopt' returns -1, this is the index of the first of the
-   non-option elements that the caller should itself scan.
-
-   Otherwise, `optind' communicates from one call to the next
-   how much of ARGV has been scanned so far.  */
-
-/* 1003.2 says this must be 1 before any call.  */
-int optind = 1;
-
-/* Formerly, initialization of getopt depended on optind==0, which
-   causes problems with re-calling getopt as programs generally don't
-   know that. */
-
-int __getopt_initialized;
-
-/* The next char to be scanned in the option-element
-   in which the last option character we returned was found.
-   This allows us to pick up the scan where we left off.
-
-   If this is zero, or a null string, it means resume the scan
-   by advancing to the next ARGV-element.  */
-
-static char *nextchar;
-
-/* Callers store zero here to inhibit the error message
-   for unrecognized options.  */
-
-int opterr = 1;
-
-/* Set to an option character which was unrecognized.
-   This must be initialized on some systems to avoid linking in the
-   system's own getopt implementation.  */
-
-int optopt = '?';
-
-/* Describe how to deal with options that follow non-option ARGV-elements.
-
-   If the caller did not specify anything,
-   the default is REQUIRE_ORDER if the environment variable
-   POSIXLY_CORRECT is defined, PERMUTE otherwise.
-
-   REQUIRE_ORDER means don't recognize them as options;
-   stop option processing when the first non-option is seen.
-   This is what Unix does.
-   This mode of operation is selected by either setting the environment
-   variable POSIXLY_CORRECT, or using `+' as the first character
-   of the list of option characters.
-
-   PERMUTE is the default.  We permute the contents of ARGV as we scan,
-   so that eventually all the non-options are at the end.  This allows options
-   to be given in any order, even with programs that were not written to
-   expect this.
-
-   RETURN_IN_ORDER is an option available to programs that were written
-   to expect options and other ARGV-elements in any order and that care about
-   the ordering of the two.  We describe each non-option ARGV-element
-   as if it were the argument of an option with character code 1.
-   Using `-' as the first character of the list of option characters
-   selects this mode of operation.
-
-   The special argument `--' forces an end of option-scanning regardless
-   of the value of `ordering'.  In the case of RETURN_IN_ORDER, only
-   `--' can cause `getopt' to return -1 with `optind' != ARGC.  */
-
-static enum
-{
-  REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER
-} ordering;
-
-/* Value of POSIXLY_CORRECT environment variable.  */
-static char *posixly_correct;
-
-#ifdef	__GNU_LIBRARY__
-/* We want to avoid inclusion of string.h with non-GNU libraries
-   because there are many ways it can cause trouble.
-   On some systems, it contains special magic macros that don't work
-   in GCC.  */
-# include <string.h>
-# define my_index	strchr
-#else
-
-#include <string.h>
-
-/* Avoid depending on library functions or files
-   whose names are inconsistent.  */
-
-#ifndef getenv
-extern char *getenv ();
-#endif
-
-static char *
-my_index (str, chr)
-     const char *str;
-     int chr;
-{
-  while (*str)
-    {
-      if (*str == chr)
-	return (char *) str;
-      str++;
-    }
-  return 0;
-}
-
-/* If using GCC, we can safely declare strlen this way.
-   If not using GCC, it is ok not to declare it.  */
-#ifdef __GNUC__
-/* Note that Motorola Delta 68k R3V7 comes with GCC but not stddef.h.
-   That was relevant to code that was here before.  */
-# if (!defined __STDC__ || !__STDC__) && !defined strlen
-/* gcc with -traditional declares the built-in strlen to return int,
-   and has done so at least since version 2.4.5. -- rms.  */
-extern int strlen (const char *);
-# endif /* not __STDC__ */
-#endif /* __GNUC__ */
-
-#endif /* not __GNU_LIBRARY__ */
-
-/* Handle permutation of arguments.  */
-
-/* Describe the part of ARGV that contains non-options that have
-   been skipped.  `first_nonopt' is the index in ARGV of the first of them;
-   `last_nonopt' is the index after the last of them.  */
-
-static int first_nonopt;
-static int last_nonopt;
-
-#ifdef _LIBC
-/* Bash 2.0 gives us an environment variable containing flags
-   indicating ARGV elements that should not be considered arguments.  */
-
-/* Defined in getopt_init.c  */
-extern char *__getopt_nonoption_flags;
-
-static int nonoption_flags_max_len;
-static int nonoption_flags_len;
-
-static int original_argc;
-static char *const *original_argv;
-
-/* Make sure the environment variable bash 2.0 puts in the environment
-   is valid for the getopt call we must make sure that the ARGV passed
-   to getopt is that one passed to the process.  */
-static void
-__attribute__ ((unused))
-store_args_and_env (int argc, char *const *argv)
-{
-  /* XXX This is no good solution.  We should rather copy the args so
-     that we can compare them later.  But we must not use malloc(3).  */
-  original_argc = argc;
-  original_argv = argv;
-}
-# ifdef text_set_element
-text_set_element (__libc_subinit, store_args_and_env);
-# endif /* text_set_element */
-
-# define SWAP_FLAGS(ch1, ch2) \
-  if (nonoption_flags_len > 0)						      \
-    {									      \
-      char __tmp = __getopt_nonoption_flags[ch1];			      \
-      __getopt_nonoption_flags[ch1] = __getopt_nonoption_flags[ch2];	      \
-      __getopt_nonoption_flags[ch2] = __tmp;				      \
-    }
-#else	/* !_LIBC */
-# define SWAP_FLAGS(ch1, ch2)
-#endif	/* _LIBC */
-
-/* Exchange two adjacent subsequences of ARGV.
-   One subsequence is elements [first_nonopt,last_nonopt)
-   which contains all the non-options that have been skipped so far.
-   The other is elements [last_nonopt,optind), which contains all
-   the options processed since those non-options were skipped.
-
-   `first_nonopt' and `last_nonopt' are relocated so that they describe
-   the new indices of the non-options in ARGV after they are moved.  */
-
-#if defined __STDC__ && __STDC__
-static void exchange (char **);
-#endif
-
-static void
-exchange (argv)
-     char **argv;
-{
-  int bottom = first_nonopt;
-  int middle = last_nonopt;
-  int top = optind;
-  char *tem;
-
-  /* Exchange the shorter segment with the far end of the longer segment.
-     That puts the shorter segment into the right place.
-     It leaves the longer segment in the right place overall,
-     but it consists of two parts that need to be swapped next.  */
-
-#ifdef _LIBC
-  /* First make sure the handling of the `__getopt_nonoption_flags'
-     string can work normally.  Our top argument must be in the range
-     of the string.  */
-  if (nonoption_flags_len > 0 && top >= nonoption_flags_max_len)
-    {
-      /* We must extend the array.  The user plays games with us and
-	 presents new arguments.  */
-      char *new_str = malloc (top + 1);
-      if (new_str == NULL)
-	nonoption_flags_len = nonoption_flags_max_len = 0;
-      else
-	{
-	  memset (__mempcpy (new_str, __getopt_nonoption_flags,
-			     nonoption_flags_max_len),
-		  '\0', top + 1 - nonoption_flags_max_len);
-	  nonoption_flags_max_len = top + 1;
-	  __getopt_nonoption_flags = new_str;
-	}
-    }
-#endif
-
-  while (top > middle && middle > bottom)
-    {
-      if (top - middle > middle - bottom)
-	{
-	  /* Bottom segment is the short one.  */
-	  int len = middle - bottom;
-	  register int i;
-
-	  /* Swap it with the top part of the top segment.  */
-	  for (i = 0; i < len; i++)
-	    {
-	      tem = argv[bottom + i];
-	      argv[bottom + i] = argv[top - (middle - bottom) + i];
-	      argv[top - (middle - bottom) + i] = tem;
-	      SWAP_FLAGS (bottom + i, top - (middle - bottom) + i);
-	    }
-	  /* Exclude the moved bottom segment from further swapping.  */
-	  top -= len;
-	}
-      else
-	{
-	  /* Top segment is the short one.  */
-	  int len = top - middle;
-	  register int i;
-
-	  /* Swap it with the bottom part of the bottom segment.  */
-	  for (i = 0; i < len; i++)
-	    {
-	      tem = argv[bottom + i];
-	      argv[bottom + i] = argv[middle + i];
-	      argv[middle + i] = tem;
-	      SWAP_FLAGS (bottom + i, middle + i);
-	    }
-	  /* Exclude the moved top segment from further swapping.  */
-	  bottom += len;
-	}
-    }
-
-  /* Update records for the slots the non-options now occupy.  */
-
-  first_nonopt += (optind - last_nonopt);
-  last_nonopt = optind;
-}
-
-/* Initialize the internal data when the first call is made.  */
-
-#if defined __STDC__ && __STDC__
-static const char *_getopt_initialize (int, char *const *, const char *);
-#endif
-static const char *
-_getopt_initialize (argc, argv, optstring)
-     int argc;
-     char *const *argv;
-     const char *optstring;
-{
-  /* Start processing options with ARGV-element 1 (since ARGV-element 0
-     is the program name); the sequence of previously skipped
-     non-option ARGV-elements is empty.  */
-
-  first_nonopt = last_nonopt = optind;
-
-  nextchar = NULL;
-
-  posixly_correct = getenv ("POSIXLY_CORRECT");
-
-  /* Determine how to handle the ordering of options and nonoptions.  */
-
-  if (optstring[0] == '-')
-    {
-      ordering = RETURN_IN_ORDER;
-      ++optstring;
-    }
-  else if (optstring[0] == '+')
-    {
-      ordering = REQUIRE_ORDER;
-      ++optstring;
-    }
-  else if (posixly_correct != NULL)
-    ordering = REQUIRE_ORDER;
-  else
-    ordering = PERMUTE;
-
-#ifdef _LIBC
-  if (posixly_correct == NULL
-      && argc == original_argc && argv == original_argv)
-    {
-      if (nonoption_flags_max_len == 0)
-	{
-	  if (__getopt_nonoption_flags == NULL
-	      || __getopt_nonoption_flags[0] == '\0')
-	    nonoption_flags_max_len = -1;
-	  else
-	    {
-	      const char *orig_str = __getopt_nonoption_flags;
-	      int len = nonoption_flags_max_len = strlen (orig_str);
-	      if (nonoption_flags_max_len < argc)
-		nonoption_flags_max_len = argc;
-	      __getopt_nonoption_flags =
-		(char *) malloc (nonoption_flags_max_len);
-	      if (__getopt_nonoption_flags == NULL)
-		nonoption_flags_max_len = -1;
-	      else
-		memset (__mempcpy (__getopt_nonoption_flags, orig_str, len),
-			'\0', nonoption_flags_max_len - len);
-	    }
-	}
-      nonoption_flags_len = nonoption_flags_max_len;
-    }
-  else
-    nonoption_flags_len = 0;
-#endif
-
-  return optstring;
-}
-
-/* Scan elements of ARGV (whose length is ARGC) for option characters
-   given in OPTSTRING.
-
-   If an element of ARGV starts with '-', and is not exactly "-" or "--",
-   then it is an option element.  The characters of this element
-   (aside from the initial '-') are option characters.  If `getopt'
-   is called repeatedly, it returns successively each of the option characters
-   from each of the option elements.
-
-   If `getopt' finds another option character, it returns that character,
-   updating `optind' and `nextchar' so that the next call to `getopt' can
-   resume the scan with the following option character or ARGV-element.
-
-   If there are no more option characters, `getopt' returns -1.
-   Then `optind' is the index in ARGV of the first ARGV-element
-   that is not an option.  (The ARGV-elements have been permuted
-   so that those that are not options now come last.)
-
-   OPTSTRING is a string containing the legitimate option characters.
-   If an option character is seen that is not listed in OPTSTRING,
-   return '?' after printing an error message.  If you set `opterr' to
-   zero, the error message is suppressed but we still return '?'.
-
-   If a char in OPTSTRING is followed by a colon, that means it wants an arg,
-   so the following text in the same ARGV-element, or the text of the following
-   ARGV-element, is returned in `optarg'.  Two colons mean an option that
-   wants an optional arg; if there is text in the current ARGV-element,
-   it is returned in `optarg', otherwise `optarg' is set to zero.
-
-   If OPTSTRING starts with `-' or `+', it requests different methods of
-   handling the non-option ARGV-elements.
-   See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above.
-
-   Long-named options begin with `--' instead of `-'.
-   Their names may be abbreviated as long as the abbreviation is unique
-   or is an exact match for some defined option.  If they have an
-   argument, it follows the option name in the same ARGV-element, separated
-   from the option name by a `=', or else the in next ARGV-element.
-   When `getopt' finds a long-named option, it returns 0 if that option's
-   `flag' field is nonzero, the value of the option's `val' field
-   if the `flag' field is zero.
-
-   The elements of ARGV aren't really const, because we permute them.
-   But we pretend they're const in the prototype to be compatible
-   with other systems.
-
-   LONGOPTS is a vector of `struct option' terminated by an
-   element containing a name which is zero.
-
-   LONGIND returns the index in LONGOPT of the long-named option found.
-   It is only valid when a long-named option has been found by the most
-   recent call.
-
-   If LONG_ONLY is nonzero, '-' as well as '--' can introduce
-   long-named options.  */
-
-int
-_getopt_internal (argc, argv, optstring, longopts, longind, long_only)
-     int argc;
-     char *const *argv;
-     const char *optstring;
-     const struct option *longopts;
-     int *longind;
-     int long_only;
-{
-  optarg = NULL;
-
-  if (optind == 0 || !__getopt_initialized)
-    {
-      if (optind == 0)
-	optind = 1;	/* Don't scan ARGV[0], the program name.  */
-      optstring = _getopt_initialize (argc, argv, optstring);
-      __getopt_initialized = 1;
-    }
-
-  /* Test whether ARGV[optind] points to a non-option argument.
-     Either it does not have option syntax, or there is an environment flag
-     from the shell indicating it is not an option.  The later information
-     is only used when the used in the GNU libc.  */
-#ifdef _LIBC
-# define NONOPTION_P (argv[optind][0] != '-' || argv[optind][1] == '\0'	      \
-		      || (optind < nonoption_flags_len			      \
-			  && __getopt_nonoption_flags[optind] == '1'))
-#else
-# define NONOPTION_P (argv[optind][0] != '-' || argv[optind][1] == '\0')
-#endif
-
-  if (nextchar == NULL || *nextchar == '\0')
-    {
-      /* Advance to the next ARGV-element.  */
-
-      /* Give FIRST_NONOPT & LAST_NONOPT rational values if OPTIND has been
-	 moved back by the user (who may also have changed the arguments).  */
-      if (last_nonopt > optind)
-	last_nonopt = optind;
-      if (first_nonopt > optind)
-	first_nonopt = optind;
-
-      if (ordering == PERMUTE)
-	{
-	  /* If we have just processed some options following some non-options,
-	     exchange them so that the options come first.  */
-
-	  if (first_nonopt != last_nonopt && last_nonopt != optind)
-	    exchange ((char **) argv);
-	  else if (last_nonopt != optind)
-	    first_nonopt = optind;
-
-	  /* Skip any additional non-options
-	     and extend the range of non-options previously skipped.  */
-
-	  while (optind < argc && NONOPTION_P)
-	    optind++;
-	  last_nonopt = optind;
-	}
-
-      /* The special ARGV-element `--' means premature end of options.
-	 Skip it like a null option,
-	 then exchange with previous non-options as if it were an option,
-	 then skip everything else like a non-option.  */
-
-      if (optind != argc && !strcmp (argv[optind], "--"))
-	{
-	  optind++;
-
-	  if (first_nonopt != last_nonopt && last_nonopt != optind)
-	    exchange ((char **) argv);
-	  else if (first_nonopt == last_nonopt)
-	    first_nonopt = optind;
-	  last_nonopt = argc;
-
-	  optind = argc;
-	}
-
-      /* If we have done all the ARGV-elements, stop the scan
-	 and back over any non-options that we skipped and permuted.  */
-
-      if (optind == argc)
-	{
-	  /* Set the next-arg-index to point at the non-options
-	     that we previously skipped, so the caller will digest them.  */
-	  if (first_nonopt != last_nonopt)
-	    optind = first_nonopt;
-	  return -1;
-	}
-
-      /* If we have come to a non-option and did not permute it,
-	 either stop the scan or describe it to the caller and pass it by.  */
-
-      if (NONOPTION_P)
-	{
-	  if (ordering == REQUIRE_ORDER)
-	    return -1;
-	  optarg = argv[optind++];
-	  return 1;
-	}
-
-      /* We have found another option-ARGV-element.
-	 Skip the initial punctuation.  */
-
-      nextchar = (argv[optind] + 1
-		  + (longopts != NULL && argv[optind][1] == '-'));
-    }
-
-  /* Decode the current option-ARGV-element.  */
-
-  /* Check whether the ARGV-element is a long option.
-
-     If long_only and the ARGV-element has the form "-f", where f is
-     a valid short option, don't consider it an abbreviated form of
-     a long option that starts with f.  Otherwise there would be no
-     way to give the -f short option.
-
-     On the other hand, if there's a long option "fubar" and
-     the ARGV-element is "-fu", do consider that an abbreviation of
-     the long option, just like "--fu", and not "-f" with arg "u".
-
-     This distinction seems to be the most useful approach.  */
-
-  if (longopts != NULL
-      && (argv[optind][1] == '-'
-	  || (long_only && (argv[optind][2] || !my_index (optstring, argv[optind][1])))))
-    {
-      char *nameend;
-      const struct option *p;
-      const struct option *pfound = NULL;
-      int exact = 0;
-      int ambig = 0;
-      int indfound = -1;
-      int option_index;
-
-      for (nameend = nextchar; *nameend && *nameend != '='; nameend++)
-	/* Do nothing.  */ ;
-
-      /* Test all long options for either exact match
-	 or abbreviated matches.  */
-      for (p = longopts, option_index = 0; p->name; p++, option_index++)
-	if (!strncmp (p->name, nextchar, nameend - nextchar))
-	  {
-	    if ((unsigned int) (nameend - nextchar)
-		== (unsigned int) strlen (p->name))
-	      {
-		/* Exact match found.  */
-		pfound = p;
-		indfound = option_index;
-		exact = 1;
-		break;
-	      }
-	    else if (pfound == NULL)
-	      {
-		/* First nonexact match found.  */
-		pfound = p;
-		indfound = option_index;
-	      }
-	    else
-	      /* Second or later nonexact match found.  */
-	      ambig = 1;
-	  }
-
-      if (ambig && !exact)
-	{
-	  if (opterr)
-	    fprintf (stderr, _("%s: option `%s' is ambiguous\n"),
-		     argv[0], argv[optind]);
-	  nextchar += strlen (nextchar);
-	  optind++;
-	  optopt = 0;
-	  return '?';
-	}
-
-      if (pfound != NULL)
-	{
-	  option_index = indfound;
-	  optind++;
-	  if (*nameend)
-	    {
-	      /* Don't test has_arg with >, because some C compilers don't
-		 allow it to be used on enums.  */
-	      if (pfound->has_arg)
-		optarg = nameend + 1;
-	      else
-		{
-		  if (opterr)
-		    {
-		      if (argv[optind - 1][1] == '-')
-			/* --option */
-			fprintf (stderr,
-				 _("%s: option `--%s' doesn't allow an argument\n"),
-				 argv[0], pfound->name);
-		      else
-			/* +option or -option */
-			fprintf (stderr,
-				 _("%s: option `%c%s' doesn't allow an argument\n"),
-				 argv[0], argv[optind - 1][0], pfound->name);
-		    }
-
-		  nextchar += strlen (nextchar);
-
-		  optopt = pfound->val;
-		  return '?';
-		}
-	    }
-	  else if (pfound->has_arg == 1)
-	    {
-	      if (optind < argc)
-		optarg = argv[optind++];
-	      else
-		{
-		  if (opterr)
-		    fprintf (stderr,
-			   _("%s: option `%s' requires an argument\n"),
-			   argv[0], argv[optind - 1]);
-		  nextchar += strlen (nextchar);
-		  optopt = pfound->val;
-		  return optstring[0] == ':' ? ':' : '?';
-		}
-	    }
-	  nextchar += strlen (nextchar);
-	  if (longind != NULL)
-	    *longind = option_index;
-	  if (pfound->flag)
-	    {
-	      *(pfound->flag) = pfound->val;
-	      return 0;
-	    }
-	  return pfound->val;
-	}
-
-      /* Can't find it as a long option.  If this is not getopt_long_only,
-	 or the option starts with '--' or is not a valid short
-	 option, then it's an error.
-	 Otherwise interpret it as a short option.  */
-      if (!long_only || argv[optind][1] == '-'
-	  || my_index (optstring, *nextchar) == NULL)
-	{
-	  if (opterr)
-	    {
-	      if (argv[optind][1] == '-')
-		/* --option */
-		fprintf (stderr, _("%s: unrecognized option `--%s'\n"),
-			 argv[0], nextchar);
-	      else
-		/* +option or -option */
-		fprintf (stderr, _("%s: unrecognized option `%c%s'\n"),
-			 argv[0], argv[optind][0], nextchar);
-	    }
-	  nextchar = (char *) "";
-	  optind++;
-	  optopt = 0;
-	  return '?';
-	}
-    }
-
-  /* Look at and handle the next short option-character.  */
-
-  {
-    char c = *nextchar++;
-    char *temp = my_index (optstring, c);
-
-    /* Increment `optind' when we start to process its last character.  */
-    if (*nextchar == '\0')
-      ++optind;
-
-    if (temp == NULL || c == ':')
-      {
-	if (opterr)
-	  {
-	    if (posixly_correct)
-	      /* 1003.2 specifies the format of this message.  */
-	      fprintf (stderr, _("%s: illegal option -- %c\n"),
-		       argv[0], c);
-	    else
-	      fprintf (stderr, _("%s: invalid option -- %c\n"),
-		       argv[0], c);
-	  }
-	optopt = c;
-	return '?';
-      }
-    /* Convenience. Treat POSIX -W foo same as long option --foo */
-    if (temp[0] == 'W' && temp[1] == ';')
-      {
-	char *nameend;
-	const struct option *p;
-	const struct option *pfound = NULL;
-	int exact = 0;
-	int ambig = 0;
-	int indfound = 0;
-	int option_index;
-
-	/* This is an option that requires an argument.  */
-	if (*nextchar != '\0')
-	  {
-	    optarg = nextchar;
-	    /* If we end this ARGV-element by taking the rest as an arg,
-	       we must advance to the next element now.  */
-	    optind++;
-	  }
-	else if (optind == argc)
-	  {
-	    if (opterr)
-	      {
-		/* 1003.2 specifies the format of this message.  */
-		fprintf (stderr, _("%s: option requires an argument -- %c\n"),
-			 argv[0], c);
-	      }
-	    optopt = c;
-	    if (optstring[0] == ':')
-	      c = ':';
-	    else
-	      c = '?';
-	    return c;
-	  }
-	else
-	  /* We already incremented `optind' once;
-	     increment it again when taking next ARGV-elt as argument.  */
-	  optarg = argv[optind++];
-
-	/* optarg is now the argument, see if it's in the
-	   table of longopts.  */
-
-	for (nextchar = nameend = optarg; *nameend && *nameend != '='; nameend++)
-	  /* Do nothing.  */ ;
-
-	/* Test all long options for either exact match
-	   or abbreviated matches.  */
-	for (p = longopts, option_index = 0; p->name; p++, option_index++)
-	  if (!strncmp (p->name, nextchar, nameend - nextchar))
-	    {
-	      if ((unsigned int) (nameend - nextchar) == strlen (p->name))
-		{
-		  /* Exact match found.  */
-		  pfound = p;
-		  indfound = option_index;
-		  exact = 1;
-		  break;
-		}
-	      else if (pfound == NULL)
-		{
-		  /* First nonexact match found.  */
-		  pfound = p;
-		  indfound = option_index;
-		}
-	      else
-		/* Second or later nonexact match found.  */
-		ambig = 1;
-	    }
-	if (ambig && !exact)
-	  {
-	    if (opterr)
-	      fprintf (stderr, _("%s: option `-W %s' is ambiguous\n"),
-		       argv[0], argv[optind]);
-	    nextchar += strlen (nextchar);
-	    optind++;
-	    return '?';
-	  }
-	if (pfound != NULL)
-	  {
-	    option_index = indfound;
-	    if (*nameend)
-	      {
-		/* Don't test has_arg with >, because some C compilers don't
-		   allow it to be used on enums.  */
-		if (pfound->has_arg)
-		  optarg = nameend + 1;
-		else
-		  {
-		    if (opterr)
-		      fprintf (stderr, _("\
-%s: option `-W %s' doesn't allow an argument\n"),
-			       argv[0], pfound->name);
-
-		    nextchar += strlen (nextchar);
-		    return '?';
-		  }
-	      }
-	    else if (pfound->has_arg == 1)
-	      {
-		if (optind < argc)
-		  optarg = argv[optind++];
-		else
-		  {
-		    if (opterr)
-		      fprintf (stderr,
-			       _("%s: option `%s' requires an argument\n"),
-			       argv[0], argv[optind - 1]);
-		    nextchar += strlen (nextchar);
-		    return optstring[0] == ':' ? ':' : '?';
-		  }
-	      }
-	    nextchar += strlen (nextchar);
-	    if (longind != NULL)
-	      *longind = option_index;
-	    if (pfound->flag)
-	      {
-		*(pfound->flag) = pfound->val;
-		return 0;
-	      }
-	    return pfound->val;
-	  }
-	  nextchar = NULL;
-	  return 'W';	/* Let the application handle it.   */
-      }
-    if (temp[1] == ':')
-      {
-	if (temp[2] == ':')
-	  {
-	    /* This is an option that accepts an argument optionally.  */
-	    if (*nextchar != '\0')
-	      {
-		optarg = nextchar;
-		optind++;
-	      }
-	    else
-	      optarg = NULL;
-	    nextchar = NULL;
-	  }
-	else
-	  {
-	    /* This is an option that requires an argument.  */
-	    if (*nextchar != '\0')
-	      {
-		optarg = nextchar;
-		/* If we end this ARGV-element by taking the rest as an arg,
-		   we must advance to the next element now.  */
-		optind++;
-	      }
-	    else if (optind == argc)
-	      {
-		if (opterr)
-		  {
-		    /* 1003.2 specifies the format of this message.  */
-		    fprintf (stderr,
-			   _("%s: option requires an argument -- %c\n"),
-			   argv[0], c);
-		  }
-		optopt = c;
-		if (optstring[0] == ':')
-		  c = ':';
-		else
-		  c = '?';
-	      }
-	    else
-	      /* We already incremented `optind' once;
-		 increment it again when taking next ARGV-elt as argument.  */
-	      optarg = argv[optind++];
-	    nextchar = NULL;
-	  }
-      }
-    return c;
-  }
-}
-
-int
-getopt (argc, argv, optstring)
-     int argc;
-     char *const *argv;
-     const char *optstring;
-{
-  return _getopt_internal (argc, argv, optstring,
-			   (const struct option *) 0,
-			   (int *) 0,
-			   0);
-}
-
-#endif	/* Not ELIDE_CODE.  */
-
-#ifdef TEST
-
-/* Compile with -DTEST to make an executable for use in testing
-   the above definition of `getopt'.  */
-
-int
-main (argc, argv)
-     int argc;
-     char **argv;
-{
-  int c;
-  int digit_optind = 0;
-
-  while (1)
-    {
-      int this_option_optind = optind ? optind : 1;
-
-      c = getopt (argc, argv, "abc:d:0123456789");
-      if (c == -1)
-	break;
-
-      switch (c)
-	{
-	case '0':
-	case '1':
-	case '2':
-	case '3':
-	case '4':
-	case '5':
-	case '6':
-	case '7':
-	case '8':
-	case '9':
-	  if (digit_optind != 0 && digit_optind != this_option_optind)
-	    printf ("digits occur in two different argv-elements.\n");
-	  digit_optind = this_option_optind;
-	  printf ("option %c\n", c);
-	  break;
-
-	case 'a':
-	  printf ("option a\n");
-	  break;
-
-	case 'b':
-	  printf ("option b\n");
-	  break;
-
-	case 'c':
-	  printf ("option c with value `%s'\n", optarg);
-	  break;
-
-	case '?':
-	  break;
-
-	default:
-	  printf ("?? getopt returned character code 0%o ??\n", c);
-	}
-    }
-
-  if (optind < argc)
-    {
-      printf ("non-option ARGV-elements: ");
-      while (optind < argc)
-	printf ("%s ", argv[optind++]);
-      printf ("\n");
-    }
-
-  exit (0);
-}
-
-#endif /* TEST */
diff --git a/ctrtool/windows/getopt.h b/ctrtool/windows/getopt.h
deleted file mode 100644
index b65740db..00000000
--- a/ctrtool/windows/getopt.h
+++ /dev/null
@@ -1,172 +0,0 @@
-/* Declarations for getopt.
-  Copyright (C) 1989,90,91,92,93,94,96,97,98 Free Software Foundation, Inc.
-  This file is part of the GNU C Library.
-
-  The GNU C Library is free software; you can redistribute it and/or
-  modify it under the terms of the GNU Library General Public License as
-  published by the Free Software Foundation; either version 2 of the
-  License, or (at your option) any later version.
-
-  The GNU C Library is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-  Library General Public License for more details.
-
-  You should have received a copy of the GNU Library General Public
-  License along with the GNU C Library; see the file COPYING.LIB.  If not,
-  write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-  Boston, MA 02111-1307, USA.  */
-
-#ifndef _GETOPT_H
-
-#ifndef __need_getopt
-# define _GETOPT_H 1
-#endif
-
-#ifdef	__cplusplus
-extern "C"
-{
-#endif
-
-    /* For communication from `getopt' to the caller.
-       When `getopt' finds an option that takes an argument,
-       the argument value is returned here.
-       Also, when `ordering' is RETURN_IN_ORDER,
-       each non-option ARGV-element is returned here.  */
-
-    extern char *optarg;
-
-    /* Index in ARGV of the next element to be scanned.
-       This is used for communication to and from the caller
-       and for communication between successive calls to `getopt'.
-     
-       On entry to `getopt', zero means this is the first call; initialize.
-     
-       When `getopt' returns -1, this is the index of the first of the
-       non-option elements that the caller should itself scan.
-     
-       Otherwise, `optind' communicates from one call to the next
-       how much of ARGV has been scanned so far.  */
-
-    extern int optind;
-
-    /* Callers store zero here to inhibit the error message `getopt' prints
-       for unrecognized options.  */
-
-    extern int opterr;
-
-    /* Set to an option character which was unrecognized.  */
-
-    extern int optopt;
-
-#ifndef __need_getopt
-    /* Describe the long-named options requested by the application.
-       The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector
-       of `struct option' terminated by an element containing a name which is
-       zero.
-     
-       The field `has_arg' is:
-       no_argument		(or 0) if the option does not take an argument,
-       required_argument	(or 1) if the option requires an argument,
-       optional_argument 	(or 2) if the option takes an optional argument.
-     
-       If the field `flag' is not NULL, it points to a variable that is set
-       to the value given in the field `val' when the option is found, but
-       left unchanged if the option is not found.
-     
-       To have a long-named option do something other than set an `int' to
-       a compiled-in constant, such as set a value from `optarg', set the
-       option's `flag' field to zero and its `val' field to a nonzero
-       value (the equivalent single-letter option character, if there is
-       one).  For long options that have a zero `flag' field, `getopt'
-       returns the contents of the `val' field.  */
-
-    struct option {
-# if defined __STDC__ && __STDC__
-        const char *name;
-# else
-
-        char *name;
-# endif
-        /* has_arg can't be an enum because some compilers complain about
-           type mismatches in all the code that assumes it is an int.  */
-        int has_arg;
-        int *flag;
-        int val;
-    };
-
-    /* Names for the values of the `has_arg' field of `struct option'.  */
-
-# define no_argument		0
-# define required_argument	1
-# define optional_argument	2
-#endif	/* need getopt */
-
-
-    /* Get definitions and prototypes for functions to process the
-       arguments in ARGV (ARGC of them, minus the program name) for
-       options given in OPTS.
-     
-       Return the option character from OPTS just read.  Return -1 when
-       there are no more options.  For unrecognized options, or options
-       missing arguments, `optopt' is set to the option letter, and '?' is
-       returned.
-     
-       The OPTS string is a list of characters which are recognized option
-       letters, optionally followed by colons, specifying that that letter
-       takes an argument, to be placed in `optarg'.
-     
-       If a letter in OPTS is followed by two colons, its argument is
-       optional.  This behavior is specific to the GNU `getopt'.
-     
-       The argument `--' causes premature termination of argument
-       scanning, explicitly telling `getopt' that there are no more
-       options.
-     
-       If OPTS begins with `--', then non-option arguments are treated as
-       arguments to the option '\0'.  This behavior is specific to the GNU
-       `getopt'.  */
-
-#if defined __STDC__ && __STDC__
-# ifdef __GNU_LIBRARY__
-    /* Many other libraries have conflicting prototypes for getopt, with
-       differences in the consts, in stdlib.h.  To avoid compilation
-       errors, only prototype getopt for the GNU C library.  */
-    extern int getopt (int __argc, char *const *__argv, const char *__shortopts);
-# else /* not __GNU_LIBRARY__ */
-    extern int getopt ();
-# endif /* __GNU_LIBRARY__ */
-
-# ifndef __need_getopt
-
-    extern int getopt_long (int argc, char ** argv, const char * shortopts,
-                                const struct option * longopts, int * longind);
-
-    extern int getopt_long_only (int __argc, char *const *__argv,
-                                     const char *__shortopts,
-                                     const struct option *__longopts, int *__longind);
-
-    /* Internal only.  Users should not call this directly.  */
-    extern int _getopt_internal (int __argc, char *const *__argv,
-                                     const char *__shortopts,
-                                     const struct option *__longopts, int *__longind,
-                                     int __long_only);
-# endif
-#else /* not __STDC__ */
-    extern int getopt ();
-# ifndef __need_getopt
-    extern int getopt_long ();
-    extern int getopt_long_only ();
-
-    extern int _getopt_internal ();
-# endif
-#endif /* __STDC__ */
-
-#ifdef	__cplusplus
-}
-#endif
-
-/* Make sure we later can get all the definitions and declarations.  */
-#undef __need_getopt
-
-#endif /* getopt.h */
diff --git a/ctrtool/windows/getopt1.c b/ctrtool/windows/getopt1.c
deleted file mode 100644
index 00c3071c..00000000
--- a/ctrtool/windows/getopt1.c
+++ /dev/null
@@ -1,188 +0,0 @@
-/* getopt_long and getopt_long_only entry points for GNU getopt.
-   Copyright (C) 1987,88,89,90,91,92,93,94,96,97,98
-     Free Software Foundation, Inc.
-   This file is part of the GNU C Library.
-
-   The GNU C Library is free software; you can redistribute it and/or
-   modify it under the terms of the GNU Library General Public License as
-   published by the Free Software Foundation; either version 2 of the
-   License, or (at your option) any later version.
-
-   The GNU C Library is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-   Library General Public License for more details.
-
-   You should have received a copy of the GNU Library General Public
-   License along with the GNU C Library; see the file COPYING.LIB.  If not,
-   write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-   Boston, MA 02111-1307, USA.  */
-
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-
-#include "getopt.h"
-
-#if !defined __STDC__ || !__STDC__
-/* This is a separate conditional since some stdc systems
-   reject `defined (const)'.  */
-#ifndef const
-#define const
-#endif
-#endif
-
-#include <stdio.h>
-
-/* Comment out all this code if we are using the GNU C Library, and are not
-   actually compiling the library itself.  This code is part of the GNU C
-   Library, but also included in many other GNU distributions.  Compiling
-   and linking in this code is a waste when using the GNU C library
-   (especially if it is a shared library).  Rather than having every GNU
-   program understand `configure --with-gnu-libc' and omit the object files,
-   it is simpler to just do this in the source for each such file.  */
-
-#define GETOPT_INTERFACE_VERSION 2
-#if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2
-#include <gnu-versions.h>
-#if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION
-#define ELIDE_CODE
-#endif
-#endif
-
-#ifndef ELIDE_CODE
-
-
-/* This needs to come after some library #include
-   to get __GNU_LIBRARY__ defined.  */
-#ifdef __GNU_LIBRARY__
-#include <stdlib.h>
-#endif
-
-#ifndef	NULL
-#define NULL 0
-#endif
-
-int
-getopt_long (argc, argv, options, long_options, opt_index)
-     int argc;
-     char **argv;
-     const char *options;
-     const struct option *long_options;
-     int *opt_index;
-{
-  return _getopt_internal (argc, argv, options, long_options, opt_index, 0);
-}
-
-/* Like getopt_long, but '-' as well as '--' can indicate a long option.
-   If an option that starts with '-' (not '--') doesn't match a long option,
-   but does match a short option, it is parsed as a short option
-   instead.  */
-
-int
-getopt_long_only (argc, argv, options, long_options, opt_index)
-     int argc;
-     char *const *argv;
-     const char *options;
-     const struct option *long_options;
-     int *opt_index;
-{
-  return _getopt_internal (argc, argv, options, long_options, opt_index, 1);
-}
-
-
-#endif	/* Not ELIDE_CODE.  */
-
-#ifdef TEST
-
-#include <stdio.h>
-
-int
-main (argc, argv)
-     int argc;
-     char **argv;
-{
-  int c;
-  int digit_optind = 0;
-
-  while (1)
-    {
-      int this_option_optind = optind ? optind : 1;
-      int option_index = 0;
-      static struct option long_options[] =
-      {
-	{"add", 1, 0, 0},
-	{"append", 0, 0, 0},
-	{"delete", 1, 0, 0},
-	{"verbose", 0, 0, 0},
-	{"create", 0, 0, 0},
-	{"file", 1, 0, 0},
-	{0, 0, 0, 0}
-      };
-
-      c = getopt_long (argc, argv, "abc:d:0123456789",
-		       long_options, &option_index);
-      if (c == -1)
-	break;
-
-      switch (c)
-	{
-	case 0:
-	  printf ("option %s", long_options[option_index].name);
-	  if (optarg)
-	    printf (" with arg %s", optarg);
-	  printf ("\n");
-	  break;
-
-	case '0':
-	case '1':
-	case '2':
-	case '3':
-	case '4':
-	case '5':
-	case '6':
-	case '7':
-	case '8':
-	case '9':
-	  if (digit_optind != 0 && digit_optind != this_option_optind)
-	    printf ("digits occur in two different argv-elements.\n");
-	  digit_optind = this_option_optind;
-	  printf ("option %c\n", c);
-	  break;
-
-	case 'a':
-	  printf ("option a\n");
-	  break;
-
-	case 'b':
-	  printf ("option b\n");
-	  break;
-
-	case 'c':
-	  printf ("option c with value `%s'\n", optarg);
-	  break;
-
-	case 'd':
-	  printf ("option d with value `%s'\n", optarg);
-	  break;
-
-	case '?':
-	  break;
-
-	default:
-	  printf ("?? getopt returned character code 0%o ??\n", c);
-	}
-    }
-
-  if (optind < argc)
-    {
-      printf ("non-option ARGV-elements: ");
-      while (optind < argc)
-	printf ("%s ", argv[optind++]);
-      printf ("\n");
-    }
-
-  exit (0);
-}
-
-#endif /* TEST */

From cf1ec3dda32194a3b886bc141686bd6d9a5667ca Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 12 Mar 2022 14:14:13 +0800
Subject: [PATCH 242/317] Separate build scripts for MakeROM and CTRTool

---
 .github/workflows/{build_master.yml => Build_MakeROM.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename .github/workflows/{build_master.yml => Build_MakeROM.yml} (97%)

diff --git a/.github/workflows/build_master.yml b/.github/workflows/Build_MakeROM.yml
similarity index 97%
rename from .github/workflows/build_master.yml
rename to .github/workflows/Build_MakeROM.yml
index 437e2b64..8e3fd3f4 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/Build_MakeROM.yml
@@ -16,7 +16,7 @@ jobs:
     strategy:
       matrix:
         dist: [ubuntu_x86_64, macos_x86_64, win_x86_64]
-        prog: [ctrtool, makerom]
+        prog: [makerom]
         include:
           - dist: win_x86_64
             os: windows-latest

From 74db0204f3ad47ffde37c1cd90293869f6a52511 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 12 Mar 2022 15:58:46 +0800
Subject: [PATCH 243/317] Update gitignore

---
 .gitignore | 317 +++++++++++++++++++++++++++++++++++------------------
 1 file changed, 212 insertions(+), 105 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7872f095..fbf0828c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,68 +1,81 @@
-#################
-## Eclipse
-#################
-
-*.pydevproject
-.project
-.metadata
-bin/
-tmp/
-*.tmp
-*.bak
-*.swp
-*~.nib
-local.properties
-.classpath
-.settings/
-.loadpath
-
-# External tool builders
-.externalToolBuilders/
-
-# Locally stored "Eclipse launch configurations"
-*.launch
-
-# CDT-specific
-.cproject
-
-# PDT-specific
-.buildpath
-
-
-#################
-## Visual Studio
-#################
+bin/*
+data/*
+*.o
+*.a
+*.so.*
+.DS_Store
+.vscode/*
 
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
-
-*.VC.opendb
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
 
 # User-specific files
 *.suo
 *.user
+*.userosscache
 *.sln.docstates
 
-# Build results
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
 
+# Build results
 [Dd]ebug/
+[Dd]ebugPublic/
 [Rr]elease/
+[Rr]eleases/
 x64/
-build/
+x86/
+bld/
 [Bb]in/
 [Oo]bj/
+[Ll]og/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
 
 # MSTest test Results
 [Tt]est[Rr]esult*/
 [Bb]uild[Ll]og.*
 
+# NUNIT
+*.VisualState.xml
+TestResult.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+**/Properties/launchSettings.json
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
 *_i.c
 *_p.c
+*_i.h
 *.ilk
 *.meta
 *.obj
+*.iobj
 *.pch
 *.pdb
+*.ipdb
 *.pgc
 *.pgd
 *.rsp
@@ -77,21 +90,34 @@ build/
 *.vssscc
 .builds
 *.pidb
-*.log
+*.svclog
 *.scc
 
+# Chutzpah Test files
+_Chutzpah*
+
 # Visual C++ cache files
 ipch/
 *.aps
 *.ncb
+*.opendb
 *.opensdf
 *.sdf
 *.cachefile
+*.VC.db
+*.VC.VC.opendb
 
 # Visual Studio profiler
 *.psess
 *.vsp
 *.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
 
 # Guidance Automation Toolkit
 *.gpState
@@ -99,6 +125,10 @@ ipch/
 # ReSharper is a .NET coding add-in
 _ReSharper*/
 *.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
 
 # TeamCity is a build add-in
 _TeamCity*
@@ -106,9 +136,25 @@ _TeamCity*
 # DotCover is a Code Coverage Tool
 *.dotCover
 
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
 # NCrunch
-*.ncrunch*
+_NCrunch_*
 .*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
 
 # Installshield output folder
 [Ee]xpress/
@@ -127,105 +173,166 @@ DocProject/Help/html
 publish/
 
 # Publish Web Output
-*.Publish.xml
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
 *.pubxml
-
-# NuGet Packages Directory
-## TODO: If you have NuGet Package Restore enabled, uncomment the next line
-#packages/
-
-# Windows Azure Build Output
-csx
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
 *.build.csdef
 
-# Windows Store app package directory
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
 AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!*.[Cc]ache/
 
 # Others
-sql/
-*.Cache
 ClientBin/
-[Ss]tyle[Cc]op.*
 ~$*
 *~
 *.dbmdl
-*.[Pp]ublish.xml
+*.dbproj.schemaview
+*.jfm
 *.pfx
 *.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk 
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
 
 # RIA/Silverlight projects
 Generated_Code/
 
-# Backup & report files from converting an old project file to a newer
-# Visual Studio version. Backup files are not needed, because we have git ;-)
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
 _UpgradeReport_Files/
 Backup*/
 UpgradeLog*.XML
 UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
 
 # SQL Server files
-App_Data/*.mdf
-App_Data/*.ldf
+*.mdf
+*.ldf
+*.ndf
 
-#############
-## Windows detritus
-#############
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
 
-# Windows image file caches
-Thumbs.db
-ehthumbs.db
+# Microsoft Fakes
+FakesAssemblies/
 
-# Folder config file
-Desktop.ini
+# GhostDoc plugin setting file
+*.GhostDoc.xml
 
-# Recycle Bin used on file shares
-$RECYCLE.BIN/
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
 
-# Mac crap
-.DS_Store
+# Visual Studio 6 build log
+*.plg
 
+# Visual Studio 6 workspace options file
+*.opt
 
-#############
-## Python
-#############
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
 
-*.py[co]
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
 
-# Packages
-*.egg
-*.egg-info
-dist/
-build/
-eggs/
-parts/
-var/
-sdist/
-develop-eggs/
-.installed.cfg
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
 
-# Installer logs
-pip-log.txt
+# FAKE - F# Make
+.fake/
 
-# Unit test / coverage reports
-.coverage
-.tox
+# JetBrains Rider
+.idea/
+*.sln.iml
 
-#Translations
-*.mo
+# CodeRush
+.cr/
 
-#Mr Developer
-.mr.developer.cfg
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
 
-*.o
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output 
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
 
-#CTR
-*.cxi
-*.cfa
-*.cci
-*.3ds
-*.cia
-
-#exec
-*.exe
-*.db
-/.vs/slnx.sqlite
+# MFractors (Xamarin productivity tool) working folder 
+.mfractor/
\ No newline at end of file

From 6ad2f13c50819a34d4fe106fcd371ca3a17b499d Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 12 Mar 2022 16:00:10 +0800
Subject: [PATCH 244/317] Change title for MakeROM workflow

---
 .github/workflows/Build_MakeROM.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/Build_MakeROM.yml b/.github/workflows/Build_MakeROM.yml
index 8e3fd3f4..f6db2083 100644
--- a/.github/workflows/Build_MakeROM.yml
+++ b/.github/workflows/Build_MakeROM.yml
@@ -1,4 +1,4 @@
-name: Compile Master Branch
+name: Compile MakeROM (on master branch)
 
 on:
   push:

From 800f5776bca9c509d7db691b39b471e57c1b0b9c Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 12 Mar 2022 16:00:33 +0800
Subject: [PATCH 245/317] Add source code for ctrtool

---
 ctrtool/build/visualstudio/CTRTool.sln        |   90 +
 .../visualstudio/CTRTool/CTRTool.vcxproj      |  192 +
 .../CTRTool/CTRTool.vcxproj.filters           |  111 +
 ctrtool/deps/libbroadon-es/LICENSE            |   21 +
 ctrtool/deps/libbroadon-es/README.md          |    2 +
 .../build/visualstudio/libbroadon-es.sln      |   62 +
 .../libbroadon-es/libbroadon-es.vcxproj       |  151 +
 .../libbroadon-es.vcxproj.filters             |   48 +
 ctrtool/deps/libbroadon-es/include/brd/es.h   |    7 +
 .../libbroadon-es/include/brd/es/es_cert.h    |  101 +
 .../libbroadon-es/include/brd/es/es_sign.h    |   73 +
 .../libbroadon-es/include/brd/es/es_ticket.h  |  232 +
 .../libbroadon-es/include/brd/es/es_tmd.h     |  129 +
 .../deps/libbroadon-es/include/brd/es/types.h |   73 +
 ctrtool/deps/libbroadon-es/makefile           |  193 +
 ctrtool/deps/libbroadon-es/src/Dummy.cpp      |  138 +
 ctrtool/deps/libfmt/LICENSE.rst               |   27 +
 ctrtool/deps/libfmt/README.md                 |    2 +
 .../deps/libfmt/build/visualstudio/libfmt.sln |   31 +
 .../build/visualstudio/libfmt/libfmt.vcxproj  |  171 +
 .../libfmt/libfmt.vcxproj.filters             |   66 +
 ctrtool/deps/libfmt/include/fmt/args.h        |  234 +
 ctrtool/deps/libfmt/include/fmt/chrono.h      | 2067 ++++
 ctrtool/deps/libfmt/include/fmt/color.h       |  638 ++
 ctrtool/deps/libfmt/include/fmt/compile.h     |  642 ++
 ctrtool/deps/libfmt/include/fmt/core.h        | 3236 ++++++
 ctrtool/deps/libfmt/include/fmt/format-inl.h  | 2643 +++++
 ctrtool/deps/libfmt/include/fmt/format.h      | 3104 ++++++
 ctrtool/deps/libfmt/include/fmt/locale.h      |    2 +
 ctrtool/deps/libfmt/include/fmt/os.h          |  527 +
 ctrtool/deps/libfmt/include/fmt/ostream.h     |  135 +
 ctrtool/deps/libfmt/include/fmt/printf.h      |  657 ++
 ctrtool/deps/libfmt/include/fmt/ranges.h      |  793 ++
 ctrtool/deps/libfmt/include/fmt/xchar.h       |  236 +
 ctrtool/deps/libfmt/makefile                  |  197 +
 ctrtool/deps/libfmt/src/format.cc             |  124 +
 ctrtool/deps/libfmt/src/os.cc                 |  361 +
 ctrtool/deps/libmbedtls/BUILDING.md           |   31 +
 ctrtool/deps/libmbedtls/LICENSE               |    2 +
 ctrtool/deps/libmbedtls/README.md             |    2 +
 ctrtool/deps/libmbedtls/apache-2.0.txt        |  202 +
 .../build/visualstudio/libmbedtls.sln         |   31 +
 .../libmbedtls/libmbedtls.vcxproj             |  289 +
 .../libmbedtls/libmbedtls.vcxproj.filters     |  492 +
 ctrtool/deps/libmbedtls/include/mbedtls/aes.h |  674 ++
 .../deps/libmbedtls/include/mbedtls/aesni.h   |  138 +
 .../deps/libmbedtls/include/mbedtls/arc4.h    |  146 +
 .../deps/libmbedtls/include/mbedtls/aria.h    |  370 +
 .../deps/libmbedtls/include/mbedtls/asn1.h    |  358 +
 .../libmbedtls/include/mbedtls/asn1write.h    |  329 +
 .../deps/libmbedtls/include/mbedtls/base64.h  |   98 +
 .../deps/libmbedtls/include/mbedtls/bignum.h  |  984 ++
 .../libmbedtls/include/mbedtls/blowfish.h     |  287 +
 .../deps/libmbedtls/include/mbedtls/bn_mul.h  |  916 ++
 .../libmbedtls/include/mbedtls/camellia.h     |  326 +
 ctrtool/deps/libmbedtls/include/mbedtls/ccm.h |  310 +
 .../deps/libmbedtls/include/mbedtls/certs.h   |  252 +
 .../libmbedtls/include/mbedtls/chacha20.h     |  226 +
 .../libmbedtls/include/mbedtls/chachapoly.h   |  358 +
 .../libmbedtls/include/mbedtls/check_config.h |  708 ++
 .../deps/libmbedtls/include/mbedtls/cipher.h  |  872 ++
 .../include/mbedtls/cipher_internal.h         |  125 +
 .../deps/libmbedtls/include/mbedtls/cmac.h    |  213 +
 .../libmbedtls/include/mbedtls/compat-1.3.h   | 2531 +++++
 .../deps/libmbedtls/include/mbedtls/config.h  | 3344 ++++++
 .../libmbedtls/include/mbedtls/ctr_drbg.h     |  512 +
 .../deps/libmbedtls/include/mbedtls/debug.h   |  265 +
 ctrtool/deps/libmbedtls/include/mbedtls/des.h |  356 +
 ctrtool/deps/libmbedtls/include/mbedtls/dhm.h | 1096 ++
 .../deps/libmbedtls/include/mbedtls/ecdh.h    |  440 +
 .../deps/libmbedtls/include/mbedtls/ecdsa.h   |  604 +
 .../deps/libmbedtls/include/mbedtls/ecjpake.h |  277 +
 ctrtool/deps/libmbedtls/include/mbedtls/ecp.h | 1132 ++
 .../libmbedtls/include/mbedtls/ecp_internal.h |  299 +
 .../deps/libmbedtls/include/mbedtls/entropy.h |  289 +
 .../libmbedtls/include/mbedtls/entropy_poll.h |  110 +
 .../deps/libmbedtls/include/mbedtls/error.h   |  129 +
 ctrtool/deps/libmbedtls/include/mbedtls/gcm.h |  326 +
 .../deps/libmbedtls/include/mbedtls/havege.h  |   81 +
 .../deps/libmbedtls/include/mbedtls/hkdf.h    |  141 +
 .../libmbedtls/include/mbedtls/hmac_drbg.h    |  415 +
 ctrtool/deps/libmbedtls/include/mbedtls/md.h  |  468 +
 ctrtool/deps/libmbedtls/include/mbedtls/md2.h |  306 +
 ctrtool/deps/libmbedtls/include/mbedtls/md4.h |  311 +
 ctrtool/deps/libmbedtls/include/mbedtls/md5.h |  311 +
 .../libmbedtls/include/mbedtls/md_internal.h  |  115 +
 .../include/mbedtls/memory_buffer_alloc.h     |  151 +
 ctrtool/deps/libmbedtls/include/mbedtls/net.h |   37 +
 .../libmbedtls/include/mbedtls/net_sockets.h  |  271 +
 .../deps/libmbedtls/include/mbedtls/nist_kw.h |  184 +
 ctrtool/deps/libmbedtls/include/mbedtls/oid.h |  605 +
 .../deps/libmbedtls/include/mbedtls/padlock.h |  126 +
 ctrtool/deps/libmbedtls/include/mbedtls/pem.h |  136 +
 ctrtool/deps/libmbedtls/include/mbedtls/pk.h  |  755 ++
 .../libmbedtls/include/mbedtls/pk_internal.h  |  138 +
 .../deps/libmbedtls/include/mbedtls/pkcs11.h  |  175 +
 .../deps/libmbedtls/include/mbedtls/pkcs12.h  |  130 +
 .../deps/libmbedtls/include/mbedtls/pkcs5.h   |  109 +
 .../libmbedtls/include/mbedtls/platform.h     |  367 +
 .../include/mbedtls/platform_time.h           |   82 +
 .../include/mbedtls/platform_util.h           |  196 +
 .../libmbedtls/include/mbedtls/poly1305.h     |  192 +
 .../libmbedtls/include/mbedtls/ripemd160.h    |  237 +
 ctrtool/deps/libmbedtls/include/mbedtls/rsa.h | 1274 +++
 .../libmbedtls/include/mbedtls/rsa_internal.h |  226 +
 .../deps/libmbedtls/include/mbedtls/sha1.h    |  352 +
 .../deps/libmbedtls/include/mbedtls/sha256.h  |  297 +
 .../deps/libmbedtls/include/mbedtls/sha512.h  |  300 +
 ctrtool/deps/libmbedtls/include/mbedtls/ssl.h | 3262 ++++++
 .../libmbedtls/include/mbedtls/ssl_cache.h    |  150 +
 .../include/mbedtls/ssl_ciphersuites.h        |  540 +
 .../libmbedtls/include/mbedtls/ssl_cookie.h   |  115 +
 .../libmbedtls/include/mbedtls/ssl_internal.h |  782 ++
 .../libmbedtls/include/mbedtls/ssl_ticket.h   |  142 +
 .../libmbedtls/include/mbedtls/threading.h    |  122 +
 .../deps/libmbedtls/include/mbedtls/timing.h  |  153 +
 .../deps/libmbedtls/include/mbedtls/version.h |  112 +
 .../deps/libmbedtls/include/mbedtls/x509.h    |  337 +
 .../libmbedtls/include/mbedtls/x509_crl.h     |  174 +
 .../libmbedtls/include/mbedtls/x509_crt.h     |  785 ++
 .../libmbedtls/include/mbedtls/x509_csr.h     |  307 +
 .../deps/libmbedtls/include/mbedtls/xtea.h    |  139 +
 ctrtool/deps/libmbedtls/makefile              |  197 +
 ctrtool/deps/libmbedtls/src/aes.c             | 2233 ++++
 ctrtool/deps/libmbedtls/src/aesni.c           |  470 +
 ctrtool/deps/libmbedtls/src/arc4.c            |  201 +
 ctrtool/deps/libmbedtls/src/aria.c            | 1079 ++
 ctrtool/deps/libmbedtls/src/asn1parse.c       |  389 +
 ctrtool/deps/libmbedtls/src/asn1write.c       |  421 +
 ctrtool/deps/libmbedtls/src/base64.c          |  293 +
 ctrtool/deps/libmbedtls/src/bignum.c          | 2866 +++++
 ctrtool/deps/libmbedtls/src/blowfish.c        |  696 ++
 ctrtool/deps/libmbedtls/src/camellia.c        | 1114 ++
 ctrtool/deps/libmbedtls/src/ccm.c             |  545 +
 ctrtool/deps/libmbedtls/src/certs.c           | 1753 +++
 ctrtool/deps/libmbedtls/src/chacha20.c        |  570 +
 ctrtool/deps/libmbedtls/src/chachapoly.c      |  540 +
 ctrtool/deps/libmbedtls/src/cipher.c          | 1158 ++
 ctrtool/deps/libmbedtls/src/cipher_wrap.c     | 2272 ++++
 ctrtool/deps/libmbedtls/src/cmac.c            | 1078 ++
 ctrtool/deps/libmbedtls/src/ctr_drbg.c        |  722 ++
 ctrtool/deps/libmbedtls/src/debug.c           |  450 +
 ctrtool/deps/libmbedtls/src/des.c             | 1064 ++
 ctrtool/deps/libmbedtls/src/dhm.c             |  712 ++
 ctrtool/deps/libmbedtls/src/ecdh.c            |  676 ++
 ctrtool/deps/libmbedtls/src/ecdsa.c           |  991 ++
 ctrtool/deps/libmbedtls/src/ecjpake.c         | 1140 ++
 ctrtool/deps/libmbedtls/src/ecp.c             | 2999 +++++
 ctrtool/deps/libmbedtls/src/ecp_curves.c      | 1470 +++
 ctrtool/deps/libmbedtls/src/entropy.c         |  721 ++
 ctrtool/deps/libmbedtls/src/entropy_poll.c    |  236 +
 ctrtool/deps/libmbedtls/src/error.c           |  916 ++
 ctrtool/deps/libmbedtls/src/gcm.c             |  994 ++
 ctrtool/deps/libmbedtls/src/havege.c          |  253 +
 ctrtool/deps/libmbedtls/src/hkdf.c            |  192 +
 ctrtool/deps/libmbedtls/src/hmac_drbg.c       |  625 ++
 ctrtool/deps/libmbedtls/src/md.c              |  475 +
 ctrtool/deps/libmbedtls/src/md2.c             |  363 +
 ctrtool/deps/libmbedtls/src/md4.c             |  484 +
 ctrtool/deps/libmbedtls/src/md5.c             |  498 +
 ctrtool/deps/libmbedtls/src/md_wrap.c         |  586 +
 .../deps/libmbedtls/src/memory_buffer_alloc.c |  750 ++
 ctrtool/deps/libmbedtls/src/net_sockets.c     |  668 ++
 ctrtool/deps/libmbedtls/src/nist_kw.c         |  755 ++
 ctrtool/deps/libmbedtls/src/oid.c             |  758 ++
 ctrtool/deps/libmbedtls/src/padlock.c         |  170 +
 ctrtool/deps/libmbedtls/src/pem.c             |  490 +
 ctrtool/deps/libmbedtls/src/pk.c              |  546 +
 ctrtool/deps/libmbedtls/src/pk_wrap.c         |  719 ++
 ctrtool/deps/libmbedtls/src/pkcs11.c          |  240 +
 ctrtool/deps/libmbedtls/src/pkcs12.c          |  365 +
 ctrtool/deps/libmbedtls/src/pkcs5.c           |  411 +
 ctrtool/deps/libmbedtls/src/pkparse.c         | 1538 +++
 ctrtool/deps/libmbedtls/src/pkwrite.c         |  566 +
 ctrtool/deps/libmbedtls/src/platform.c        |  348 +
 ctrtool/deps/libmbedtls/src/platform_util.c   |  139 +
 ctrtool/deps/libmbedtls/src/poly1305.c        |  559 +
 ctrtool/deps/libmbedtls/src/ripemd160.c       |  559 +
 ctrtool/deps/libmbedtls/src/rsa.c             | 2729 +++++
 ctrtool/deps/libmbedtls/src/rsa_internal.c    |  492 +
 ctrtool/deps/libmbedtls/src/sha1.c            |  573 +
 ctrtool/deps/libmbedtls/src/sha256.c          |  586 +
 ctrtool/deps/libmbedtls/src/sha512.c          |  636 ++
 ctrtool/deps/libmbedtls/src/ssl_cache.c       |  327 +
 .../deps/libmbedtls/src/ssl_ciphersuites.c    | 2373 ++++
 ctrtool/deps/libmbedtls/src/ssl_cli.c         | 3636 ++++++
 ctrtool/deps/libmbedtls/src/ssl_cookie.c      |  256 +
 ctrtool/deps/libmbedtls/src/ssl_srv.c         | 4379 ++++++++
 ctrtool/deps/libmbedtls/src/ssl_ticket.c      |  485 +
 ctrtool/deps/libmbedtls/src/ssl_tls.c         | 9791 +++++++++++++++++
 ctrtool/deps/libmbedtls/src/threading.c       |  187 +
 ctrtool/deps/libmbedtls/src/timing.c          |  536 +
 ctrtool/deps/libmbedtls/src/version.c         |   50 +
 .../deps/libmbedtls/src/version_features.c    |  785 ++
 ctrtool/deps/libmbedtls/src/x509.c            | 1072 ++
 ctrtool/deps/libmbedtls/src/x509_create.c     |  379 +
 ctrtool/deps/libmbedtls/src/x509_crl.c        |  773 ++
 ctrtool/deps/libmbedtls/src/x509_crt.c        | 2730 +++++
 ctrtool/deps/libmbedtls/src/x509_csr.c        |  419 +
 ctrtool/deps/libmbedtls/src/x509write_crt.c   |  522 +
 ctrtool/deps/libmbedtls/src/x509write_csr.c   |  302 +
 ctrtool/deps/libmbedtls/src/xtea.c            |  277 +
 ctrtool/deps/libnintendo-n3ds/LICENSE         |   21 +
 ctrtool/deps/libnintendo-n3ds/README.md       |    2 +
 .../build/visualstudio/libnintendo-n3ds.sln   |   71 +
 .../libnintendo-n3ds/libnintendo-n3ds.vcxproj |  185 +
 .../libnintendo-n3ds.vcxproj.filters          |  147 +
 .../deps/libnintendo-n3ds/include/ntd/n3ds.h  |   26 +
 .../include/ntd/n3ds/CciFsSnapshotGenerator.h |   19 +
 .../include/ntd/n3ds/CiaFsSnapshotGenerator.h |   19 +
 .../include/ntd/n3ds/CtrKeyGenerator.h        |   19 +
 .../include/ntd/n3ds/ExeFsSnapshotGenerator.h |   14 +
 .../include/ntd/n3ds/IvfcStream.h             |  141 +
 .../include/ntd/n3ds/RomFsSnapshotGenerator.h |   30 +
 .../libnintendo-n3ds/include/ntd/n3ds/bcwav.h |  212 +
 .../libnintendo-n3ds/include/ntd/n3ds/cci.h   |  258 +
 .../libnintendo-n3ds/include/ntd/n3ds/cia.h   |   61 +
 .../libnintendo-n3ds/include/ntd/n3ds/cro.h   |  160 +
 .../libnintendo-n3ds/include/ntd/n3ds/crr.h   |   48 +
 .../libnintendo-n3ds/include/ntd/n3ds/es.h    |    5 +
 .../include/ntd/n3ds/es/Certificate.h         |  117 +
 .../include/ntd/n3ds/es/ISigner.h             |   18 +
 .../include/ntd/n3ds/es/RsaSigner.h           |   30 +
 .../include/ntd/n3ds/es/Signature.h           |   50 +
 .../include/ntd/n3ds/es/Ticket.h              |   72 +
 .../include/ntd/n3ds/es/TitleMetaData.h       |  106 +
 .../libnintendo-n3ds/include/ntd/n3ds/exefs.h |   33 +
 .../include/ntd/n3ds/exheader.h               |  317 +
 .../libnintendo-n3ds/include/ntd/n3ds/firm.h  |   40 +
 .../libnintendo-n3ds/include/ntd/n3ds/ivfc.h  |   70 +
 .../libnintendo-n3ds/include/ntd/n3ds/ncch.h  |  158 +
 .../libnintendo-n3ds/include/ntd/n3ds/romfs.h |   62 +
 .../libnintendo-n3ds/include/ntd/n3ds/smdh.h  |  128 +
 .../include/ntd/n3ds/systemupdater.h          |  129 +
 ctrtool/deps/libnintendo-n3ds/makefile        |  193 +
 .../src/CciFsSnapshotGenerator.cpp            |  131 +
 .../src/CiaFsSnapshotGenerator.cpp            |  241 +
 .../libnintendo-n3ds/src/CtrKeyGenerator.cpp  |   99 +
 .../src/ExeFsSnapshotGenerator.cpp            |  122 +
 .../deps/libnintendo-n3ds/src/IvfcStream.cpp  |  467 +
 .../src/RomFsSnapshotGenerator.cpp            |  360 +
 .../libnintendo-n3ds/src/es/Certificate.cpp   |  200 +
 .../libnintendo-n3ds/src/es/RsaSigner.cpp     |   84 +
 .../libnintendo-n3ds/src/es/Signature.cpp     |  138 +
 .../deps/libnintendo-n3ds/src/es/Ticket.cpp   |  182 +
 .../libnintendo-n3ds/src/es/TitleMetaData.cpp |  135 +
 ctrtool/deps/libtoolchain/BUILDING.md         |   44 +
 ctrtool/deps/libtoolchain/Doxyfile            | 2565 +++++
 ctrtool/deps/libtoolchain/DoxygenMainpage.md  |    3 +
 ctrtool/deps/libtoolchain/LICENSE             |   20 +
 ctrtool/deps/libtoolchain/README.md           |   46 +
 .../libtoolchain-test.vcxproj                 |  325 +
 .../libtoolchain-test.vcxproj.filters         |  567 +
 .../build/visualstudio/libtoolchain.sln       |   64 +
 .../libtoolchain/libtoolchain.vcxproj         |  350 +
 .../libtoolchain/libtoolchain.vcxproj.filters |  690 ++
 ctrtool/deps/libtoolchain/include/tc.h        |   37 +
 .../include/tc/AccessViolationException.h     |   57 +
 .../include/tc/ArgumentException.h            |   57 +
 .../include/tc/ArgumentNullException.h        |   57 +
 .../include/tc/ArgumentOutOfRangeException.h  |   57 +
 .../include/tc/ArithmeticException.h          |   57 +
 .../deps/libtoolchain/include/tc/ByteData.h   |  102 +
 .../deps/libtoolchain/include/tc/Exception.h  |   71 +
 .../include/tc/InvalidOperationException.h    |   57 +
 .../include/tc/NotImplementedException.h      |   57 +
 .../include/tc/NotSupportedException.h        |   57 +
 .../include/tc/ObjectDisposedException.h      |   57 +
 .../deps/libtoolchain/include/tc/Optional.h   |  151 +
 .../include/tc/OutOfMemoryException.h         |   57 +
 .../include/tc/OverflowException.h            |   57 +
 .../include/tc/PlatformErrorHandlingUtil.h    |   46 +
 .../libtoolchain/include/tc/ResourceStatus.h  |   29 +
 .../include/tc/SecurityException.h            |   57 +
 .../include/tc/UnauthorisedAccessException.h  |   57 +
 ctrtool/deps/libtoolchain/include/tc/bn.h     |   17 +
 .../libtoolchain/include/tc/bn/binary_utils.h |   39 +
 .../libtoolchain/include/tc/bn/bitarray.h     |   69 +
 .../libtoolchain/include/tc/bn/endian_types.h |  233 +
 ctrtool/deps/libtoolchain/include/tc/bn/pad.h |   29 +
 .../deps/libtoolchain/include/tc/bn/string.h  |  141 +
 ctrtool/deps/libtoolchain/include/tc/cli.h    |   14 +
 .../libtoolchain/include/tc/cli/FormatUtil.h  |  105 +
 .../include/tc/cli/OptionParser.h             |  285 +
 ctrtool/deps/libtoolchain/include/tc/crypto.h |   85 +
 .../tc/crypto/Aes128CbcEncryptedStream.h      |  168 +
 .../include/tc/crypto/Aes128CbcEncryptor.h    |   94 +
 .../tc/crypto/Aes128CtrEncryptedStream.h      |  166 +
 .../include/tc/crypto/Aes128CtrEncryptor.h    |  115 +
 .../include/tc/crypto/Aes128EcbEncryptor.h    |   84 +
 .../include/tc/crypto/Aes128XtsEncryptor.h    |  104 +
 .../include/tc/crypto/Aes192CbcEncryptor.h    |   94 +
 .../include/tc/crypto/Aes192CtrEncryptor.h    |  115 +
 .../include/tc/crypto/Aes192EcbEncryptor.h    |   84 +
 .../include/tc/crypto/Aes256CbcEncryptor.h    |   94 +
 .../include/tc/crypto/Aes256CtrEncryptor.h    |  115 +
 .../include/tc/crypto/Aes256EcbEncryptor.h    |   84 +
 .../include/tc/crypto/Aes256XtsEncryptor.h    |  104 +
 .../include/tc/crypto/AesEncryptor.h          |  140 +
 .../include/tc/crypto/CbcEncryptor.h          |  177 +
 .../include/tc/crypto/CryptoException.h       |   57 +
 .../include/tc/crypto/CtrEncryptor.h          |  154 +
 .../include/tc/crypto/EcbEncryptor.h          |  146 +
 .../include/tc/crypto/HmacGenerator.h         |  219 +
 .../include/tc/crypto/HmacMd5Generator.h      |   45 +
 .../include/tc/crypto/HmacSha1Generator.h     |   45 +
 .../include/tc/crypto/HmacSha256Generator.h   |   45 +
 .../include/tc/crypto/HmacSha512Generator.h   |   45 +
 .../include/tc/crypto/Md5Generator.h          |  221 +
 .../include/tc/crypto/Pbkdf1KeyDeriver.h      |  116 +
 .../include/tc/crypto/Pbkdf1Md5KeyDeriver.h   |   47 +
 .../include/tc/crypto/Pbkdf1Sha1KeyDeriver.h  |   47 +
 .../include/tc/crypto/Pbkdf2KeyDeriver.h      |  118 +
 .../include/tc/crypto/Pbkdf2Sha1KeyDeriver.h  |   47 +
 .../tc/crypto/Pbkdf2Sha256KeyDeriver.h        |   47 +
 .../tc/crypto/Pbkdf2Sha512KeyDeriver.h        |   47 +
 .../tc/crypto/PseudoRandomByteGenerator.h     |   65 +
 .../libtoolchain/include/tc/crypto/RsaKey.h   |   75 +
 .../include/tc/crypto/RsaKeyGenerator.h       |   71 +
 .../include/tc/crypto/RsaOaepEncryptor.h      |  246 +
 .../tc/crypto/RsaOaepSha256Encryptor.h        |  201 +
 .../tc/crypto/RsaOaepSha512Encryptor.h        |  139 +
 .../include/tc/crypto/RsaPkcs1Md5Signer.h     |  144 +
 .../include/tc/crypto/RsaPkcs1Sha1Signer.h    |  144 +
 .../include/tc/crypto/RsaPkcs1Sha256Signer.h  |  144 +
 .../include/tc/crypto/RsaPkcs1Sha512Signer.h  |  144 +
 .../include/tc/crypto/RsaPkcs1Signer.h        |  172 +
 .../include/tc/crypto/RsaPssSha256Signer.h    |  144 +
 .../include/tc/crypto/RsaPssSha512Signer.h    |  144 +
 .../include/tc/crypto/RsaPssSigner.h          |  208 +
 .../include/tc/crypto/Sha1Generator.h         |  221 +
 .../include/tc/crypto/Sha256Generator.h       |  216 +
 .../include/tc/crypto/Sha512Generator.h       |  217 +
 .../include/tc/crypto/XtsEncryptor.h          |  167 +
 .../include/tc/crypto/detail/AesImpl.h        |  102 +
 .../include/tc/crypto/detail/BlockUtilImpl.h  |   69 +
 .../include/tc/crypto/detail/CbcModeImpl.h    |  130 +
 .../include/tc/crypto/detail/CtrModeImpl.h    |  113 +
 .../include/tc/crypto/detail/EcbModeImpl.h    |  147 +
 .../include/tc/crypto/detail/HmacImpl.h       |  107 +
 .../include/tc/crypto/detail/Md5Impl.h        |   44 +
 .../include/tc/crypto/detail/Pbkdf1Impl.h     |  159 +
 .../include/tc/crypto/detail/Pbkdf2Impl.h     |  179 +
 .../include/tc/crypto/detail/PrbgImpl.h       |   61 +
 .../include/tc/crypto/detail/RsaImpl.h        |  119 +
 .../tc/crypto/detail/RsaKeyGeneratorImpl.h    |   79 +
 .../include/tc/crypto/detail/RsaOaepPadding.h |  169 +
 .../tc/crypto/detail/RsaPkcs1Padding.h        |  117 +
 .../include/tc/crypto/detail/RsaPssPadding.h  |  260 +
 .../include/tc/crypto/detail/Sha1Impl.h       |   44 +
 .../include/tc/crypto/detail/Sha2Impl.h       |   57 +
 .../include/tc/crypto/detail/XtsModeImpl.h    |  330 +
 ctrtool/deps/libtoolchain/include/tc/io.h     |   48 +
 .../include/tc/io/BasicPathResolver.h         |  109 +
 .../include/tc/io/ConcatenatedStream.h        |  205 +
 .../tc/io/DirectoryNotEmptyException.h        |   57 +
 .../tc/io/DirectoryNotFoundException.h        |   57 +
 .../libtoolchain/include/tc/io/FileAccess.h   |   23 +
 .../include/tc/io/FileExistsException.h       |   57 +
 .../libtoolchain/include/tc/io/FileMode.h     |   26 +
 .../include/tc/io/FileNotFoundException.h     |   57 +
 .../libtoolchain/include/tc/io/FileStream.h   |  240 +
 .../libtoolchain/include/tc/io/IFileSystem.h  |  124 +
 .../libtoolchain/include/tc/io/IOException.h  |   57 +
 .../deps/libtoolchain/include/tc/io/IOUtil.h  |   63 +
 .../include/tc/io/IPathResolver.h             |   40 +
 .../include/tc/io/IPortablePathResolver.h     |   37 +
 .../include/tc/io/IReadableSink.h             |   28 +
 .../deps/libtoolchain/include/tc/io/ISink.h   |   46 +
 .../deps/libtoolchain/include/tc/io/ISource.h |   39 +
 .../deps/libtoolchain/include/tc/io/IStream.h |  117 +
 .../include/tc/io/LocalFileSystem.h           |  143 +
 .../libtoolchain/include/tc/io/MemorySource.h |   68 +
 .../libtoolchain/include/tc/io/MemoryStream.h |  155 +
 .../include/tc/io/OverlayedSource.h           |   96 +
 .../include/tc/io/PaddingSource.h             |   59 +
 .../deps/libtoolchain/include/tc/io/Path.h    |  253 +
 .../include/tc/io/PathTooLongException.h      |   57 +
 .../libtoolchain/include/tc/io/PathUtil.h     |   39 +
 .../libtoolchain/include/tc/io/SeekOrigin.h   |   23 +
 .../libtoolchain/include/tc/io/StreamSink.h   |   76 +
 .../libtoolchain/include/tc/io/StreamSource.h |   66 +
 .../libtoolchain/include/tc/io/StreamUtil.h   |   37 +
 .../include/tc/io/SubFileSystem.h             |  136 +
 .../deps/libtoolchain/include/tc/io/SubSink.h |   77 +
 .../libtoolchain/include/tc/io/SubSource.h    |   64 +
 .../libtoolchain/include/tc/io/SubStream.h    |  155 +
 .../include/tc/io/VirtualFileSystem.h         |  212 +
 ctrtool/deps/libtoolchain/include/tc/os.h     |   13 +
 .../libtoolchain/include/tc/os/Environment.h  |   28 +
 .../libtoolchain/include/tc/os/UnicodeMain.h  |   71 +
 ctrtool/deps/libtoolchain/include/tc/string.h |   12 +
 .../include/tc/string/TranscodeUtil.h         |   77 +
 .../include/tc/string/detail/utf16.h          |   22 +
 .../include/tc/string/detail/utf8.h           |   39 +
 ctrtool/deps/libtoolchain/include/tc/types.h  |   65 +
 ctrtool/deps/libtoolchain/makefile            |  197 +
 ctrtool/deps/libtoolchain/src/ByteData.cpp    |  110 +
 ctrtool/deps/libtoolchain/src/Exception.cpp   |   46 +
 .../src/PlatformErrorHandlingUtil.cpp         |   41 +
 .../deps/libtoolchain/src/cli/FormatUtil.cpp  |  222 +
 .../libtoolchain/src/cli/OptionParser.cpp     |  185 +
 .../src/crypto/Aes128CbcEncryptedStream.cpp   |  328 +
 .../src/crypto/Aes128CbcEncryptor.cpp         |   15 +
 .../src/crypto/Aes128CtrEncryptedStream.cpp   |  284 +
 .../src/crypto/Aes128CtrEncryptor.cpp         |   24 +
 .../src/crypto/Aes128EcbEncryptor.cpp         |   15 +
 .../src/crypto/Aes128XtsEncryptor.cpp         |   15 +
 .../src/crypto/Aes192CbcEncryptor.cpp         |   15 +
 .../src/crypto/Aes192CtrEncryptor.cpp         |   24 +
 .../src/crypto/Aes192EcbEncryptor.cpp         |   15 +
 .../src/crypto/Aes256CbcEncryptor.cpp         |   15 +
 .../src/crypto/Aes256CtrEncryptor.cpp         |   24 +
 .../src/crypto/Aes256EcbEncryptor.cpp         |   15 +
 .../src/crypto/Aes256XtsEncryptor.cpp         |   15 +
 .../src/crypto/HmacMd5Generator.cpp           |    9 +
 .../src/crypto/HmacSha1Generator.cpp          |    9 +
 .../src/crypto/HmacSha256Generator.cpp        |    9 +
 .../src/crypto/HmacSha512Generator.cpp        |    9 +
 .../libtoolchain/src/crypto/Md5Generator.cpp  |   11 +
 .../src/crypto/Pbkdf1Md5KeyDeriver.cpp        |    8 +
 .../src/crypto/Pbkdf1Sha1KeyDeriver.cpp       |    8 +
 .../src/crypto/Pbkdf2Sha1KeyDeriver.cpp       |    8 +
 .../src/crypto/Pbkdf2Sha256KeyDeriver.cpp     |    8 +
 .../src/crypto/Pbkdf2Sha512KeyDeriver.cpp     |    8 +
 .../src/crypto/PseudoRandomByteGenerator.cpp  |    7 +
 .../deps/libtoolchain/src/crypto/RsaKey.cpp   |   29 +
 .../src/crypto/RsaKeyGenerator.cpp            |    7 +
 .../src/crypto/RsaOaepSha256Encryptor.cpp     |   43 +
 .../src/crypto/RsaOaepSha512Encryptor.cpp     |   29 +
 .../src/crypto/RsaPkcs1Md5Signer.cpp          |   43 +
 .../src/crypto/RsaPkcs1Sha1Signer.cpp         |   43 +
 .../src/crypto/RsaPkcs1Sha256Signer.cpp       |   43 +
 .../src/crypto/RsaPkcs1Sha512Signer.cpp       |   43 +
 .../src/crypto/RsaPssSha256Signer.cpp         |   43 +
 .../src/crypto/RsaPssSha512Signer.cpp         |   43 +
 .../libtoolchain/src/crypto/Sha1Generator.cpp |   12 +
 .../src/crypto/Sha256Generator.cpp            |   11 +
 .../src/crypto/Sha512Generator.cpp            |   11 +
 .../src/crypto/detail/AesImpl.cpp             |   51 +
 .../src/crypto/detail/Md5Impl.cpp             |   44 +
 .../src/crypto/detail/PrbgImpl.cpp            |   50 +
 .../src/crypto/detail/RsaImpl.cpp             |  140 +
 .../src/crypto/detail/RsaKeyGeneratorImpl.cpp |   85 +
 .../src/crypto/detail/Sha1Impl.cpp            |   44 +
 .../src/crypto/detail/Sha2Impl.cpp            |   58 +
 .../libtoolchain/src/io/BasicPathResolver.cpp |   97 +
 .../src/io/ConcatenatedStream.cpp             |  370 +
 .../deps/libtoolchain/src/io/FileStream.cpp   |  752 ++
 ctrtool/deps/libtoolchain/src/io/IOUtil.cpp   |   40 +
 .../libtoolchain/src/io/LocalFileSystem.cpp   |  419 +
 .../deps/libtoolchain/src/io/MemorySource.cpp |   49 +
 .../deps/libtoolchain/src/io/MemoryStream.cpp |  155 +
 .../libtoolchain/src/io/OverlayedSource.cpp   |  143 +
 .../libtoolchain/src/io/PaddingSource.cpp     |   34 +
 ctrtool/deps/libtoolchain/src/io/Path.cpp     |  331 +
 ctrtool/deps/libtoolchain/src/io/PathUtil.cpp |   12 +
 .../deps/libtoolchain/src/io/StreamSink.cpp   |   54 +
 .../deps/libtoolchain/src/io/StreamSource.cpp |   55 +
 .../deps/libtoolchain/src/io/StreamUtil.cpp   |   22 +
 .../libtoolchain/src/io/SubFileSystem.cpp     |  216 +
 ctrtool/deps/libtoolchain/src/io/SubSink.cpp  |   73 +
 .../deps/libtoolchain/src/io/SubSource.cpp    |   66 +
 .../deps/libtoolchain/src/io/SubStream.cpp    |  183 +
 .../libtoolchain/src/io/VirtualFileSystem.cpp |  192 +
 .../deps/libtoolchain/src/os/Environment.cpp  |   40 +
 .../libtoolchain/src/string/TranscodeUtil.cpp |  165 +
 ctrtool/deps/libtoolchain/src/types.cpp       |   26 +
 .../libtoolchain/test/ByteData_TestClass.cpp  |  671 ++
 .../libtoolchain/test/ByteData_TestClass.h    |   23 +
 .../libtoolchain/test/FileSystemTestUtil.cpp  |    3 +
 .../libtoolchain/test/FileSystemTestUtil.h    |   79 +
 ctrtool/deps/libtoolchain/test/ITestClass.h   |    8 +
 .../libtoolchain/test/Optional_TestClass.cpp  |  300 +
 .../libtoolchain/test/Optional_TestClass.h    |   20 +
 ctrtool/deps/libtoolchain/test/PbkdfUtil.cpp  |  245 +
 ctrtool/deps/libtoolchain/test/PbkdfUtil.h    |   34 +
 .../deps/libtoolchain/test/RsaOaepUtil.cpp    |  172 +
 ctrtool/deps/libtoolchain/test/RsaOaepUtil.h  |   34 +
 .../deps/libtoolchain/test/RsaPkcs1Util.cpp   |  146 +
 ctrtool/deps/libtoolchain/test/RsaPkcs1Util.h |   31 +
 ctrtool/deps/libtoolchain/test/RsaPssUtil.cpp |  143 +
 ctrtool/deps/libtoolchain/test/RsaPssUtil.h   |   32 +
 .../deps/libtoolchain/test/SinkTestUtil.cpp   |   90 +
 ctrtool/deps/libtoolchain/test/SinkTestUtil.h |   42 +
 .../deps/libtoolchain/test/SourceTestUtil.cpp |   32 +
 .../deps/libtoolchain/test/SourceTestUtil.h   |    9 +
 .../deps/libtoolchain/test/StreamTestUtil.cpp |  125 +
 .../deps/libtoolchain/test/StreamTestUtil.h   |  154 +
 .../test/bn_binaryutils_TestClass.cpp         |  173 +
 .../test/bn_binaryutils_TestClass.h           |   25 +
 .../test/bn_bitarrayByteBEBitBE_TestClass.cpp |  238 +
 .../test/bn_bitarrayByteBEBitBE_TestClass.h   |   19 +
 .../test/bn_bitarrayByteBEBitLE_TestClass.cpp |  238 +
 .../test/bn_bitarrayByteBEBitLE_TestClass.h   |   19 +
 .../test/bn_bitarrayByteLEBitBE_TestClass.cpp |  238 +
 .../test/bn_bitarrayByteLEBitBE_TestClass.h   |   19 +
 .../test/bn_bitarrayByteLEBitLE_TestClass.cpp |  238 +
 .../test/bn_bitarrayByteLEBitLE_TestClass.h   |   19 +
 .../libtoolchain/test/bn_endian_TestClass.cpp |  778 ++
 .../libtoolchain/test/bn_endian_TestClass.h   |   32 +
 .../libtoolchain/test/bn_pad_TestClass.cpp    |   55 +
 .../deps/libtoolchain/test/bn_pad_TestClass.h |   14 +
 .../libtoolchain/test/bn_string_TestClass.cpp |  219 +
 .../libtoolchain/test/bn_string_TestClass.h   |   16 +
 .../test/cli_FormatUtil_TestClass.cpp         |  366 +
 .../test/cli_FormatUtil_TestClass.h           |   15 +
 .../test/cli_OptionParser_TestClass.cpp       |  770 ++
 .../test/cli_OptionParser_TestClass.h         |   20 +
 ...pto_Aes128CbcEncryptedStream_TestClass.cpp |  265 +
 ...rypto_Aes128CbcEncryptedStream_TestClass.h |   29 +
 .../crypto_Aes128CbcEncryptor_TestClass.cpp   |  570 +
 .../crypto_Aes128CbcEncryptor_TestClass.h     |   33 +
 ...pto_Aes128CtrEncryptedStream_TestClass.cpp |  265 +
 ...rypto_Aes128CtrEncryptedStream_TestClass.h |   29 +
 .../crypto_Aes128CtrEncryptor_TestClass.cpp   |  543 +
 .../crypto_Aes128CtrEncryptor_TestClass.h     |   34 +
 .../crypto_Aes128EcbEncryptor_TestClass.cpp   |  523 +
 .../crypto_Aes128EcbEncryptor_TestClass.h     |   32 +
 .../test/crypto_Aes128Encryptor_TestClass.cpp | 1016 ++
 .../test/crypto_Aes128Encryptor_TestClass.h   |   30 +
 .../crypto_Aes128XtsEncryptor_TestClass.cpp   |  691 ++
 .../crypto_Aes128XtsEncryptor_TestClass.h     |   35 +
 .../crypto_Aes192CbcEncryptor_TestClass.cpp   |  570 +
 .../crypto_Aes192CbcEncryptor_TestClass.h     |   33 +
 .../crypto_Aes192CtrEncryptor_TestClass.cpp   |  543 +
 .../crypto_Aes192CtrEncryptor_TestClass.h     |   34 +
 .../crypto_Aes192EcbEncryptor_TestClass.cpp   |  523 +
 .../crypto_Aes192EcbEncryptor_TestClass.h     |   32 +
 .../test/crypto_Aes192Encryptor_TestClass.cpp | 1336 +++
 .../test/crypto_Aes192Encryptor_TestClass.h   |   30 +
 .../crypto_Aes256CbcEncryptor_TestClass.cpp   |  570 +
 .../crypto_Aes256CbcEncryptor_TestClass.h     |   33 +
 .../crypto_Aes256CtrEncryptor_TestClass.cpp   |  543 +
 .../crypto_Aes256CtrEncryptor_TestClass.h     |   34 +
 .../crypto_Aes256EcbEncryptor_TestClass.cpp   |  523 +
 .../crypto_Aes256EcbEncryptor_TestClass.h     |   32 +
 .../test/crypto_Aes256Encryptor_TestClass.cpp | 1656 +++
 .../test/crypto_Aes256Encryptor_TestClass.h   |   30 +
 .../crypto_Aes256XtsEncryptor_TestClass.cpp   |  575 +
 .../crypto_Aes256XtsEncryptor_TestClass.h     |   35 +
 .../crypto_HmacMd5Generator_TestClass.cpp     |  547 +
 .../test/crypto_HmacMd5Generator_TestClass.h  |   34 +
 .../crypto_HmacSha1Generator_TestClass.cpp    |  547 +
 .../test/crypto_HmacSha1Generator_TestClass.h |   34 +
 .../crypto_HmacSha256Generator_TestClass.cpp  |  547 +
 .../crypto_HmacSha256Generator_TestClass.h    |   34 +
 .../crypto_HmacSha512Generator_TestClass.cpp  |  547 +
 .../crypto_HmacSha512Generator_TestClass.h    |   34 +
 .../test/crypto_Md5Generator_TestClass.cpp    |  490 +
 .../test/crypto_Md5Generator_TestClass.h      |   18 +
 .../crypto_Pbkdf1Md5KeyDeriver_TestClass.cpp  |  285 +
 .../crypto_Pbkdf1Md5KeyDeriver_TestClass.h    |   15 +
 .../crypto_Pbkdf1Sha1KeyDeriver_TestClass.cpp |  285 +
 .../crypto_Pbkdf1Sha1KeyDeriver_TestClass.h   |   15 +
 .../crypto_Pbkdf2Sha1KeyDeriver_TestClass.cpp |  286 +
 .../crypto_Pbkdf2Sha1KeyDeriver_TestClass.h   |   15 +
 ...rypto_Pbkdf2Sha256KeyDeriver_TestClass.cpp |  287 +
 .../crypto_Pbkdf2Sha256KeyDeriver_TestClass.h |   15 +
 ...rypto_Pbkdf2Sha512KeyDeriver_TestClass.cpp |  286 +
 .../crypto_Pbkdf2Sha512KeyDeriver_TestClass.h |   15 +
 ...to_PseudoRandomByteGenerator_TestClass.cpp |  226 +
 ...ypto_PseudoRandomByteGenerator_TestClass.h |   14 +
 ...o_Rsa1024OaepSha256Encryptor_TestClass.cpp |  673 ++
 ...pto_Rsa1024OaepSha256Encryptor_TestClass.h |   23 +
 ...crypto_Rsa1024Pkcs1Md5Signer_TestClass.cpp |  498 +
 .../crypto_Rsa1024Pkcs1Md5Signer_TestClass.h  |   22 +
 ...rypto_Rsa1024Pkcs1Sha1Signer_TestClass.cpp |  498 +
 .../crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h |   22 +
 ...pto_Rsa1024Pkcs1Sha256Signer_TestClass.cpp |  498 +
 ...rypto_Rsa1024Pkcs1Sha256Signer_TestClass.h |   22 +
 ...pto_Rsa1024Pkcs1Sha512Signer_TestClass.cpp |  498 +
 ...rypto_Rsa1024Pkcs1Sha512Signer_TestClass.h |   22 +
 ...rypto_Rsa1024PssSha256Signer_TestClass.cpp |  502 +
 .../crypto_Rsa1024PssSha256Signer_TestClass.h |   22 +
 ...rypto_Rsa1024PssSha512Signer_TestClass.cpp |  503 +
 .../crypto_Rsa1024PssSha512Signer_TestClass.h |   22 +
 ...o_Rsa2048OaepSha256Encryptor_TestClass.cpp |  673 ++
 ...pto_Rsa2048OaepSha256Encryptor_TestClass.h |   23 +
 ...o_Rsa2048OaepSha512Encryptor_TestClass.cpp |  673 ++
 ...pto_Rsa2048OaepSha512Encryptor_TestClass.h |   23 +
 ...crypto_Rsa2048Pkcs1Md5Signer_TestClass.cpp |  498 +
 .../crypto_Rsa2048Pkcs1Md5Signer_TestClass.h  |   22 +
 ...rypto_Rsa2048Pkcs1Sha1Signer_TestClass.cpp |  498 +
 .../crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h |   22 +
 ...pto_Rsa2048Pkcs1Sha256Signer_TestClass.cpp |  498 +
 ...rypto_Rsa2048Pkcs1Sha256Signer_TestClass.h |   22 +
 ...pto_Rsa2048Pkcs1Sha512Signer_TestClass.cpp |  498 +
 ...rypto_Rsa2048Pkcs1Sha512Signer_TestClass.h |   22 +
 ...rypto_Rsa2048PssSha256Signer_TestClass.cpp |  502 +
 .../crypto_Rsa2048PssSha256Signer_TestClass.h |   22 +
 ...rypto_Rsa2048PssSha512Signer_TestClass.cpp |  502 +
 .../crypto_Rsa2048PssSha512Signer_TestClass.h |   22 +
 ...o_Rsa4096OaepSha256Encryptor_TestClass.cpp |  673 ++
 ...pto_Rsa4096OaepSha256Encryptor_TestClass.h |   23 +
 ...o_Rsa4096OaepSha512Encryptor_TestClass.cpp |  673 ++
 ...pto_Rsa4096OaepSha512Encryptor_TestClass.h |   23 +
 ...crypto_Rsa4096Pkcs1Md5Signer_TestClass.cpp |  498 +
 .../crypto_Rsa4096Pkcs1Md5Signer_TestClass.h  |   22 +
 ...rypto_Rsa4096Pkcs1Sha1Signer_TestClass.cpp |  498 +
 .../crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h |   22 +
 ...pto_Rsa4096Pkcs1Sha256Signer_TestClass.cpp |  498 +
 ...rypto_Rsa4096Pkcs1Sha256Signer_TestClass.h |   22 +
 ...pto_Rsa4096Pkcs1Sha512Signer_TestClass.cpp |  498 +
 ...rypto_Rsa4096Pkcs1Sha512Signer_TestClass.h |   22 +
 ...rypto_Rsa4096PssSha256Signer_TestClass.cpp |  502 +
 .../crypto_Rsa4096PssSha256Signer_TestClass.h |   22 +
 ...rypto_Rsa4096PssSha512Signer_TestClass.cpp |  502 +
 .../crypto_Rsa4096PssSha512Signer_TestClass.h |   22 +
 .../test/crypto_Sha1Generator_TestClass.cpp   |  462 +
 .../test/crypto_Sha1Generator_TestClass.h     |   18 +
 .../test/crypto_Sha256Generator_TestClass.cpp |  462 +
 .../test/crypto_Sha256Generator_TestClass.h   |   18 +
 .../test/crypto_Sha512Generator_TestClass.cpp |  462 +
 .../test/crypto_Sha512Generator_TestClass.h   |   18 +
 .../test/io_BasicPathResolver_TestClass.cpp   |  292 +
 .../test/io_BasicPathResolver_TestClass.h     |   20 +
 .../test/io_ConcatenatedStream_TestClass.cpp  | 2645 +++++
 .../test/io_ConcatenatedStream_TestClass.h    |   50 +
 .../test/io_FileStream_TestClass.cpp          | 2070 ++++
 .../test/io_FileStream_TestClass.h            |   94 +
 .../test/io_LocalFileSystem_TestClass.cpp     |  535 +
 .../test/io_LocalFileSystem_TestClass.h       |   35 +
 .../test/io_MemorySource_TestClass.cpp        |  200 +
 .../test/io_MemorySource_TestClass.h          |   17 +
 .../test/io_MemoryStream_TestClass.cpp        | 1028 ++
 .../test/io_MemoryStream_TestClass.h          |   43 +
 .../test/io_OverlayedSource_TestClass.cpp     |  377 +
 .../test/io_OverlayedSource_TestClass.h       |   21 +
 .../test/io_PaddingSource_TestClass.cpp       |  134 +
 .../test/io_PaddingSource_TestClass.h         |   13 +
 .../libtoolchain/test/io_Path_TestClass.cpp   | 1197 ++
 .../libtoolchain/test/io_Path_TestClass.h     |   35 +
 .../test/io_StreamSink_TestClass.cpp          |  307 +
 .../test/io_StreamSink_TestClass.h            |   23 +
 .../test/io_StreamSource_TestClass.cpp        |  206 +
 .../test/io_StreamSource_TestClass.h          |   16 +
 .../test/io_SubFileSystem_TestClass.cpp       |  736 ++
 .../test/io_SubFileSystem_TestClass.h         |   19 +
 .../test/io_SubSink_TestClass.cpp             |  352 +
 .../libtoolchain/test/io_SubSink_TestClass.h  |   24 +
 .../test/io_SubSource_TestClass.cpp           |  141 +
 .../test/io_SubSource_TestClass.h             |   13 +
 .../test/io_SubStream_TestClass.cpp           |  344 +
 .../test/io_SubStream_TestClass.h             |   18 +
 .../test/io_VirtualFileSystem_TestClass.cpp   | 2543 +++++
 .../test/io_VirtualFileSystem_TestClass.h     |   21 +
 ctrtool/deps/libtoolchain/test/main.cpp       |  195 +
 .../test/string_TranscodeUtil_TestClass.cpp   |   69 +
 .../test/string_TranscodeUtil_TestClass.h     |   13 +
 ctrtool/makefile                              |  177 +
 ctrtool/src/CciProcess.cpp                    |  567 +
 ctrtool/src/CciProcess.h                      |   70 +
 ctrtool/src/CiaProcess.cpp                    |  913 ++
 ctrtool/src/CiaProcess.h                      |  128 +
 ctrtool/src/CrrProcess.cpp                    |  192 +
 ctrtool/src/CrrProcess.h                      |   46 +
 ctrtool/src/ExHeaderProcess.cpp               |  993 ++
 ctrtool/src/ExHeaderProcess.h                 |   92 +
 ctrtool/src/ExeFsProcess.cpp                  |  275 +
 ctrtool/src/ExeFsProcess.h                    |   49 +
 ctrtool/src/FirmProcess.cpp                   |  396 +
 ctrtool/src/FirmProcess.h                     |   71 +
 ctrtool/src/IvfcProcess.cpp                   |  199 +
 ctrtool/src/IvfcProcess.h                     |   50 +
 ctrtool/src/KeyBag.cpp                        |  945 ++
 ctrtool/src/KeyBag.h                          |  128 +
 ctrtool/src/LzssProcess.cpp                   |   54 +
 ctrtool/src/LzssProcess.h                     |   25 +
 ctrtool/src/NcchProcess.cpp                   |  968 ++
 ctrtool/src/NcchProcess.h                     |   92 +
 ctrtool/src/RomFsProcess.cpp                  |  231 +
 ctrtool/src/RomFsProcess.h                    |   48 +
 ctrtool/src/Settings.cpp                      |  704 ++
 ctrtool/src/Settings.h                        |  175 +
 ctrtool/src/cwav.h                            |  152 +
 ctrtool/src/lzss.c                            |  107 +
 ctrtool/src/lzss.h                            |   13 +
 ctrtool/src/main.cpp                          |  245 +
 ctrtool/src/types.h                           |   15 +
 ctrtool/src/version.h                         |    7 +
 681 files changed, 219734 insertions(+)
 create mode 100644 ctrtool/build/visualstudio/CTRTool.sln
 create mode 100644 ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
 create mode 100644 ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
 create mode 100644 ctrtool/deps/libbroadon-es/LICENSE
 create mode 100644 ctrtool/deps/libbroadon-es/README.md
 create mode 100644 ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es.sln
 create mode 100644 ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj
 create mode 100644 ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj.filters
 create mode 100644 ctrtool/deps/libbroadon-es/include/brd/es.h
 create mode 100644 ctrtool/deps/libbroadon-es/include/brd/es/es_cert.h
 create mode 100644 ctrtool/deps/libbroadon-es/include/brd/es/es_sign.h
 create mode 100644 ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h
 create mode 100644 ctrtool/deps/libbroadon-es/include/brd/es/es_tmd.h
 create mode 100644 ctrtool/deps/libbroadon-es/include/brd/es/types.h
 create mode 100644 ctrtool/deps/libbroadon-es/makefile
 create mode 100644 ctrtool/deps/libbroadon-es/src/Dummy.cpp
 create mode 100644 ctrtool/deps/libfmt/LICENSE.rst
 create mode 100644 ctrtool/deps/libfmt/README.md
 create mode 100644 ctrtool/deps/libfmt/build/visualstudio/libfmt.sln
 create mode 100644 ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj
 create mode 100644 ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj.filters
 create mode 100644 ctrtool/deps/libfmt/include/fmt/args.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/chrono.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/color.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/compile.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/core.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/format-inl.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/format.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/locale.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/os.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/ostream.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/printf.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/ranges.h
 create mode 100644 ctrtool/deps/libfmt/include/fmt/xchar.h
 create mode 100644 ctrtool/deps/libfmt/makefile
 create mode 100644 ctrtool/deps/libfmt/src/format.cc
 create mode 100644 ctrtool/deps/libfmt/src/os.cc
 create mode 100644 ctrtool/deps/libmbedtls/BUILDING.md
 create mode 100644 ctrtool/deps/libmbedtls/LICENSE
 create mode 100644 ctrtool/deps/libmbedtls/README.md
 create mode 100644 ctrtool/deps/libmbedtls/apache-2.0.txt
 create mode 100644 ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls.sln
 create mode 100644 ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj
 create mode 100644 ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/aes.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/aesni.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/arc4.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/aria.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/asn1.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/asn1write.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/base64.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/bignum.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/blowfish.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/bn_mul.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/camellia.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ccm.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/certs.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/chacha20.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/chachapoly.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/check_config.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/cipher.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/cipher_internal.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/cmac.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/compat-1.3.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/config.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ctr_drbg.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/debug.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/des.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/dhm.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ecdh.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ecdsa.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ecjpake.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ecp.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ecp_internal.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/entropy.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/entropy_poll.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/error.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/gcm.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/havege.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/hkdf.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/hmac_drbg.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/md.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/md2.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/md4.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/md5.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/md_internal.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/net.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/net_sockets.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/nist_kw.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/oid.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/padlock.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/pem.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/pk.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/pk_internal.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/pkcs11.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/pkcs12.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/pkcs5.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/platform.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/platform_time.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/platform_util.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/poly1305.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ripemd160.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/rsa.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/rsa_internal.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/sha1.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/sha256.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/sha512.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ssl.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ssl_cache.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ssl_cookie.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ssl_internal.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/ssl_ticket.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/threading.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/timing.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/version.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/x509.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/x509_crl.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/x509_crt.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/x509_csr.h
 create mode 100644 ctrtool/deps/libmbedtls/include/mbedtls/xtea.h
 create mode 100644 ctrtool/deps/libmbedtls/makefile
 create mode 100644 ctrtool/deps/libmbedtls/src/aes.c
 create mode 100644 ctrtool/deps/libmbedtls/src/aesni.c
 create mode 100644 ctrtool/deps/libmbedtls/src/arc4.c
 create mode 100644 ctrtool/deps/libmbedtls/src/aria.c
 create mode 100644 ctrtool/deps/libmbedtls/src/asn1parse.c
 create mode 100644 ctrtool/deps/libmbedtls/src/asn1write.c
 create mode 100644 ctrtool/deps/libmbedtls/src/base64.c
 create mode 100644 ctrtool/deps/libmbedtls/src/bignum.c
 create mode 100644 ctrtool/deps/libmbedtls/src/blowfish.c
 create mode 100644 ctrtool/deps/libmbedtls/src/camellia.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ccm.c
 create mode 100644 ctrtool/deps/libmbedtls/src/certs.c
 create mode 100644 ctrtool/deps/libmbedtls/src/chacha20.c
 create mode 100644 ctrtool/deps/libmbedtls/src/chachapoly.c
 create mode 100644 ctrtool/deps/libmbedtls/src/cipher.c
 create mode 100644 ctrtool/deps/libmbedtls/src/cipher_wrap.c
 create mode 100644 ctrtool/deps/libmbedtls/src/cmac.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ctr_drbg.c
 create mode 100644 ctrtool/deps/libmbedtls/src/debug.c
 create mode 100644 ctrtool/deps/libmbedtls/src/des.c
 create mode 100644 ctrtool/deps/libmbedtls/src/dhm.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ecdh.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ecdsa.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ecjpake.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ecp.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ecp_curves.c
 create mode 100644 ctrtool/deps/libmbedtls/src/entropy.c
 create mode 100644 ctrtool/deps/libmbedtls/src/entropy_poll.c
 create mode 100644 ctrtool/deps/libmbedtls/src/error.c
 create mode 100644 ctrtool/deps/libmbedtls/src/gcm.c
 create mode 100644 ctrtool/deps/libmbedtls/src/havege.c
 create mode 100644 ctrtool/deps/libmbedtls/src/hkdf.c
 create mode 100644 ctrtool/deps/libmbedtls/src/hmac_drbg.c
 create mode 100644 ctrtool/deps/libmbedtls/src/md.c
 create mode 100644 ctrtool/deps/libmbedtls/src/md2.c
 create mode 100644 ctrtool/deps/libmbedtls/src/md4.c
 create mode 100644 ctrtool/deps/libmbedtls/src/md5.c
 create mode 100644 ctrtool/deps/libmbedtls/src/md_wrap.c
 create mode 100644 ctrtool/deps/libmbedtls/src/memory_buffer_alloc.c
 create mode 100644 ctrtool/deps/libmbedtls/src/net_sockets.c
 create mode 100644 ctrtool/deps/libmbedtls/src/nist_kw.c
 create mode 100644 ctrtool/deps/libmbedtls/src/oid.c
 create mode 100644 ctrtool/deps/libmbedtls/src/padlock.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pem.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pk.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pk_wrap.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pkcs11.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pkcs12.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pkcs5.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pkparse.c
 create mode 100644 ctrtool/deps/libmbedtls/src/pkwrite.c
 create mode 100644 ctrtool/deps/libmbedtls/src/platform.c
 create mode 100644 ctrtool/deps/libmbedtls/src/platform_util.c
 create mode 100644 ctrtool/deps/libmbedtls/src/poly1305.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ripemd160.c
 create mode 100644 ctrtool/deps/libmbedtls/src/rsa.c
 create mode 100644 ctrtool/deps/libmbedtls/src/rsa_internal.c
 create mode 100644 ctrtool/deps/libmbedtls/src/sha1.c
 create mode 100644 ctrtool/deps/libmbedtls/src/sha256.c
 create mode 100644 ctrtool/deps/libmbedtls/src/sha512.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ssl_cache.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ssl_ciphersuites.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ssl_cli.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ssl_cookie.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ssl_srv.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ssl_ticket.c
 create mode 100644 ctrtool/deps/libmbedtls/src/ssl_tls.c
 create mode 100644 ctrtool/deps/libmbedtls/src/threading.c
 create mode 100644 ctrtool/deps/libmbedtls/src/timing.c
 create mode 100644 ctrtool/deps/libmbedtls/src/version.c
 create mode 100644 ctrtool/deps/libmbedtls/src/version_features.c
 create mode 100644 ctrtool/deps/libmbedtls/src/x509.c
 create mode 100644 ctrtool/deps/libmbedtls/src/x509_create.c
 create mode 100644 ctrtool/deps/libmbedtls/src/x509_crl.c
 create mode 100644 ctrtool/deps/libmbedtls/src/x509_crt.c
 create mode 100644 ctrtool/deps/libmbedtls/src/x509_csr.c
 create mode 100644 ctrtool/deps/libmbedtls/src/x509write_crt.c
 create mode 100644 ctrtool/deps/libmbedtls/src/x509write_csr.c
 create mode 100644 ctrtool/deps/libmbedtls/src/xtea.c
 create mode 100644 ctrtool/deps/libnintendo-n3ds/LICENSE
 create mode 100644 ctrtool/deps/libnintendo-n3ds/README.md
 create mode 100644 ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds.sln
 create mode 100644 ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj
 create mode 100644 ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj.filters
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CciFsSnapshotGenerator.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CiaFsSnapshotGenerator.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CtrKeyGenerator.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ExeFsSnapshotGenerator.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/IvfcStream.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/RomFsSnapshotGenerator.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/bcwav.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cia.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cro.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/crr.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Certificate.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/ISigner.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/RsaSigner.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Signature.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Ticket.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/TitleMetaData.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exefs.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exheader.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/firm.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ivfc.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ncch.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/romfs.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/smdh.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/systemupdater.h
 create mode 100644 ctrtool/deps/libnintendo-n3ds/makefile
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/CciFsSnapshotGenerator.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/CiaFsSnapshotGenerator.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/CtrKeyGenerator.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/IvfcStream.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/RomFsSnapshotGenerator.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/es/Certificate.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/es/RsaSigner.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/es/Signature.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp
 create mode 100644 ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
 create mode 100644 ctrtool/deps/libtoolchain/BUILDING.md
 create mode 100644 ctrtool/deps/libtoolchain/Doxyfile
 create mode 100644 ctrtool/deps/libtoolchain/DoxygenMainpage.md
 create mode 100644 ctrtool/deps/libtoolchain/LICENSE
 create mode 100644 ctrtool/deps/libtoolchain/README.md
 create mode 100644 ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj
 create mode 100644 ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj.filters
 create mode 100644 ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain.sln
 create mode 100644 ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj
 create mode 100644 ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj.filters
 create mode 100644 ctrtool/deps/libtoolchain/include/tc.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/AccessViolationException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/ArgumentException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/ArgumentNullException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/ArgumentOutOfRangeException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/ArithmeticException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/ByteData.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/Exception.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/InvalidOperationException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/NotImplementedException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/NotSupportedException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/ObjectDisposedException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/Optional.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/OutOfMemoryException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/OverflowException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/PlatformErrorHandlingUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/ResourceStatus.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/SecurityException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/UnauthorisedAccessException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/bn.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/bn/binary_utils.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/bn/bitarray.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/bn/endian_types.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/bn/pad.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/bn/string.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/cli.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/cli/FormatUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/cli/OptionParser.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptedStream.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptedStream.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes128EcbEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes128XtsEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CbcEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CtrEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes192EcbEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CbcEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CtrEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes256EcbEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Aes256XtsEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/AesEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/CbcEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/CryptoException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/CtrEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/EcbEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/HmacGenerator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/HmacMd5Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha1Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha256Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha512Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Md5Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1KeyDeriver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Md5KeyDeriver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Sha1KeyDeriver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2KeyDeriver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha1KeyDeriver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha256KeyDeriver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha512KeyDeriver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/PseudoRandomByteGenerator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaKey.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaKeyGenerator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha256Encryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha512Encryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Md5Signer.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha1Signer.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha256Signer.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha512Signer.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Signer.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha256Signer.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha512Signer.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSigner.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Sha1Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Sha256Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/Sha512Generator.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/XtsEncryptor.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/AesImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/BlockUtilImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/CbcModeImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/CtrModeImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/EcbModeImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/HmacImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/Md5Impl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf1Impl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf2Impl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/PrbgImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaKeyGeneratorImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaOaepPadding.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPkcs1Padding.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPssPadding.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha1Impl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha2Impl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/crypto/detail/XtsModeImpl.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/BasicPathResolver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/ConcatenatedStream.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotEmptyException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotFoundException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/FileAccess.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/FileExistsException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/FileMode.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/FileNotFoundException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/FileStream.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/IFileSystem.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/IOException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/IOUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/IPathResolver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/IPortablePathResolver.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/IReadableSink.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/ISink.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/ISource.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/IStream.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/LocalFileSystem.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/MemorySource.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/MemoryStream.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/OverlayedSource.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/PaddingSource.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/Path.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/PathTooLongException.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/PathUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/SeekOrigin.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/StreamSink.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/StreamSource.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/StreamUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/SubFileSystem.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/SubSink.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/SubSource.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/SubStream.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/io/VirtualFileSystem.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/os.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/os/Environment.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/os/UnicodeMain.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/string.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/string/TranscodeUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/string/detail/utf16.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/string/detail/utf8.h
 create mode 100644 ctrtool/deps/libtoolchain/include/tc/types.h
 create mode 100644 ctrtool/deps/libtoolchain/makefile
 create mode 100644 ctrtool/deps/libtoolchain/src/ByteData.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/Exception.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/PlatformErrorHandlingUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/cli/FormatUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/cli/OptionParser.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptedStream.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptedStream.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes128EcbEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes128XtsEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes192CbcEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes192CtrEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes192EcbEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes256CbcEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes256CtrEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes256EcbEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Aes256XtsEncryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/HmacMd5Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/HmacSha1Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/HmacSha256Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/HmacSha512Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Md5Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Md5KeyDeriver.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Sha1KeyDeriver.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha1KeyDeriver.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha256KeyDeriver.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha512KeyDeriver.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/PseudoRandomByteGenerator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaKey.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaKeyGenerator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha256Encryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha512Encryptor.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Md5Signer.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha1Signer.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha256Signer.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha512Signer.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaPssSha256Signer.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/RsaPssSha512Signer.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Sha1Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Sha256Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/Sha512Generator.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/detail/AesImpl.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/detail/Md5Impl.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/detail/PrbgImpl.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/detail/RsaImpl.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/detail/RsaKeyGeneratorImpl.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/detail/Sha1Impl.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/crypto/detail/Sha2Impl.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/BasicPathResolver.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/ConcatenatedStream.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/FileStream.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/IOUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/LocalFileSystem.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/MemorySource.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/MemoryStream.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/OverlayedSource.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/PaddingSource.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/Path.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/PathUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/StreamSink.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/StreamSource.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/StreamUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/SubFileSystem.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/SubSink.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/SubSource.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/SubStream.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/io/VirtualFileSystem.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/os/Environment.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/string/TranscodeUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/src/types.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/ByteData_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/ByteData_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/FileSystemTestUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/FileSystemTestUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/test/ITestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/Optional_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/Optional_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/PbkdfUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/PbkdfUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/test/RsaOaepUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/RsaOaepUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/test/RsaPkcs1Util.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/RsaPkcs1Util.h
 create mode 100644 ctrtool/deps/libtoolchain/test/RsaPssUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/RsaPssUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/test/SinkTestUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/SinkTestUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/test/SourceTestUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/SourceTestUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/test/StreamTestUtil.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/StreamTestUtil.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_endian_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_endian_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_pad_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_pad_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_string_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/bn_string_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_Path_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_Path_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.h
 create mode 100644 ctrtool/deps/libtoolchain/test/main.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.cpp
 create mode 100644 ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.h
 create mode 100644 ctrtool/makefile
 create mode 100644 ctrtool/src/CciProcess.cpp
 create mode 100644 ctrtool/src/CciProcess.h
 create mode 100644 ctrtool/src/CiaProcess.cpp
 create mode 100644 ctrtool/src/CiaProcess.h
 create mode 100644 ctrtool/src/CrrProcess.cpp
 create mode 100644 ctrtool/src/CrrProcess.h
 create mode 100644 ctrtool/src/ExHeaderProcess.cpp
 create mode 100644 ctrtool/src/ExHeaderProcess.h
 create mode 100644 ctrtool/src/ExeFsProcess.cpp
 create mode 100644 ctrtool/src/ExeFsProcess.h
 create mode 100644 ctrtool/src/FirmProcess.cpp
 create mode 100644 ctrtool/src/FirmProcess.h
 create mode 100644 ctrtool/src/IvfcProcess.cpp
 create mode 100644 ctrtool/src/IvfcProcess.h
 create mode 100644 ctrtool/src/KeyBag.cpp
 create mode 100644 ctrtool/src/KeyBag.h
 create mode 100644 ctrtool/src/LzssProcess.cpp
 create mode 100644 ctrtool/src/LzssProcess.h
 create mode 100644 ctrtool/src/NcchProcess.cpp
 create mode 100644 ctrtool/src/NcchProcess.h
 create mode 100644 ctrtool/src/RomFsProcess.cpp
 create mode 100644 ctrtool/src/RomFsProcess.h
 create mode 100644 ctrtool/src/Settings.cpp
 create mode 100644 ctrtool/src/Settings.h
 create mode 100644 ctrtool/src/cwav.h
 create mode 100644 ctrtool/src/lzss.c
 create mode 100644 ctrtool/src/lzss.h
 create mode 100644 ctrtool/src/main.cpp
 create mode 100644 ctrtool/src/types.h
 create mode 100644 ctrtool/src/version.h

diff --git a/ctrtool/build/visualstudio/CTRTool.sln b/ctrtool/build/visualstudio/CTRTool.sln
new file mode 100644
index 00000000..0612a167
--- /dev/null
+++ b/ctrtool/build/visualstudio/CTRTool.sln
@@ -0,0 +1,90 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31229.75
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CTRTool", "CTRTool\CTRTool.vcxproj", "{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfmt", "..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj", "{F4B0540E-0AAE-4006-944B-356944EF61FA}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libmbedtls", "..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj", "{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libtoolchain", "..\..\deps\libtoolchain\build\visualstudio\libtoolchain\libtoolchain.vcxproj", "{E194E4B8-1482-40A2-901B-75D4387822E9}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbroadon-es", "..\..\deps\libbroadon-es\build\visualstudio\libbroadon-es\libbroadon-es.vcxproj", "{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libnintendo-n3ds", "..\..\deps\libnintendo-n3ds\build\visualstudio\libnintendo-n3ds\libnintendo-n3ds.vcxproj", "{7789491C-5403-4613-B06B-DB0C58E19A01}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "deps", "deps", "{1AF77D36-45A2-412E-A540-F559B78A6471}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Debug|x64.ActiveCfg = Debug|x64
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Debug|x64.Build.0 = Debug|x64
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Debug|x86.ActiveCfg = Debug|Win32
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Debug|x86.Build.0 = Debug|Win32
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Release|x64.ActiveCfg = Release|x64
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Release|x64.Build.0 = Release|x64
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Release|x86.ActiveCfg = Release|Win32
+		{CADDA22C-5FED-4DAB-A87E-AFBD279DB367}.Release|x86.Build.0 = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.ActiveCfg = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.Build.0 = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.ActiveCfg = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.Build.0 = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.ActiveCfg = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.Build.0 = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.ActiveCfg = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.Build.0 = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.ActiveCfg = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.Build.0 = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.ActiveCfg = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.Build.0 = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.ActiveCfg = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.Build.0 = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.ActiveCfg = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.Build.0 = Release|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.ActiveCfg = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.Build.0 = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.ActiveCfg = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.Build.0 = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.ActiveCfg = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.Build.0 = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.ActiveCfg = Release|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.Build.0 = Release|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x64.ActiveCfg = Debug|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x64.Build.0 = Debug|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x86.ActiveCfg = Debug|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x86.Build.0 = Debug|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x64.ActiveCfg = Release|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x64.Build.0 = Release|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x86.ActiveCfg = Release|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x86.Build.0 = Release|Win32
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x64.ActiveCfg = Debug|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x64.Build.0 = Debug|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x86.ActiveCfg = Debug|Win32
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x86.Build.0 = Debug|Win32
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x64.ActiveCfg = Release|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x64.Build.0 = Release|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x86.ActiveCfg = Release|Win32
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{F4B0540E-0AAE-4006-944B-356944EF61FA} = {1AF77D36-45A2-412E-A540-F559B78A6471}
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C} = {1AF77D36-45A2-412E-A540-F559B78A6471}
+		{E194E4B8-1482-40A2-901B-75D4387822E9} = {1AF77D36-45A2-412E-A540-F559B78A6471}
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838} = {1AF77D36-45A2-412E-A540-F559B78A6471}
+		{7789491C-5403-4613-B06B-DB0C58E19A01} = {1AF77D36-45A2-412E-A540-F559B78A6471}
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {10D725B5-08F6-43F3-A28F-7B034F1ADEFC}
+	EndGlobalSection
+EndGlobal
diff --git a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
new file mode 100644
index 00000000..69ff2fe8
--- /dev/null
+++ b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
@@ -0,0 +1,192 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{cadda22c-5fed-4dab-a87e-afbd279db367}</ProjectGuid>
+    <RootNamespace>CTRTool</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(SolutionDir)..\..\deps\libnintendo-n3ds\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(SolutionDir)..\..\deps\libnintendo-n3ds\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(SolutionDir)..\..\deps\libnintendo-n3ds\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(SolutionDir)..\..\deps\libnintendo-n3ds\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\src\CciProcess.h" />
+    <ClInclude Include="..\..\..\src\CiaProcess.h" />
+    <ClInclude Include="..\..\..\src\CrrProcess.h" />
+    <ClInclude Include="..\..\..\src\cwav.h" />
+    <ClInclude Include="..\..\..\src\ExeFsProcess.h" />
+    <ClInclude Include="..\..\..\src\ExHeaderProcess.h" />
+    <ClInclude Include="..\..\..\src\FirmProcess.h" />
+    <ClInclude Include="..\..\..\src\IvfcProcess.h" />
+    <ClInclude Include="..\..\..\src\KeyBag.h" />
+    <ClInclude Include="..\..\..\src\lzss.h" />
+    <ClInclude Include="..\..\..\src\LzssProcess.h" />
+    <ClInclude Include="..\..\..\src\NcchProcess.h" />
+    <ClInclude Include="..\..\..\src\RomFsProcess.h" />
+    <ClInclude Include="..\..\..\src\Settings.h" />
+    <ClInclude Include="..\..\..\src\types.h" />
+    <ClInclude Include="..\..\..\src\version.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\CciProcess.cpp" />
+    <ClCompile Include="..\..\..\src\CiaProcess.cpp" />
+    <ClCompile Include="..\..\..\src\CrrProcess.cpp" />
+    <ClCompile Include="..\..\..\src\ExeFsProcess.cpp" />
+    <ClCompile Include="..\..\..\src\ExHeaderProcess.cpp" />
+    <ClCompile Include="..\..\..\src\FirmProcess.cpp" />
+    <ClCompile Include="..\..\..\src\IvfcProcess.cpp" />
+    <ClCompile Include="..\..\..\src\KeyBag.cpp" />
+    <ClCompile Include="..\..\..\src\lzss.c" />
+    <ClCompile Include="..\..\..\src\LzssProcess.cpp" />
+    <ClCompile Include="..\..\..\src\main.cpp" />
+    <ClCompile Include="..\..\..\src\NcchProcess.cpp" />
+    <ClCompile Include="..\..\..\src\RomFsProcess.cpp" />
+    <ClCompile Include="..\..\..\src\Settings.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj">
+      <Project>{f4b0540e-0aae-4006-944b-356944ef61fa}</Project>
+    </ProjectReference>
+    <ProjectReference Include="..\..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj">
+      <Project>{7a7c66f3-2b5b-4e23-85d8-2a74fedad92c}</Project>
+    </ProjectReference>
+    <ProjectReference Include="..\..\..\deps\libbroadon-es\build\visualstudio\libbroadon-es\libbroadon-es.vcxproj">
+      <Project>{8a35d7dc-293a-4669-9c1e-4f45abfe8838}</Project>
+    </ProjectReference>
+    <ProjectReference Include="..\..\..\deps\libnintendo-n3ds\build\visualstudio\libnintendo-n3ds\libnintendo-n3ds.vcxproj">
+      <Project>{7789491c-5403-4613-b06b-db0c58e19a01}</Project>
+    </ProjectReference>
+    <ProjectReference Include="..\..\..\deps\libtoolchain\build\visualstudio\libtoolchain\libtoolchain.vcxproj">
+      <Project>{e194e4b8-1482-40a2-901b-75d4387822e9}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
new file mode 100644
index 00000000..947c47c1
--- /dev/null
+++ b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\src\CciProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\CiaProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\CrrProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\cwav.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\ExeFsProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\ExHeaderProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\FirmProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\IvfcProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\KeyBag.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\lzss.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\LzssProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\NcchProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\RomFsProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\Settings.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\lzss.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\CciProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\CiaProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\CrrProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ExeFsProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ExHeaderProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\FirmProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\IvfcProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\KeyBag.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\LzssProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\NcchProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\RomFsProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\Settings.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/LICENSE b/ctrtool/deps/libbroadon-es/LICENSE
new file mode 100644
index 00000000..38e64e9d
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Jack
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/ctrtool/deps/libbroadon-es/README.md b/ctrtool/deps/libbroadon-es/README.md
new file mode 100644
index 00000000..80668971
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/README.md
@@ -0,0 +1,2 @@
+# libbroadon-es
+C++ Library for processing Nintendo's ES DRM formats.
diff --git a/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es.sln b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es.sln
new file mode 100644
index 00000000..d1cc8fce
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es.sln
@@ -0,0 +1,62 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31229.75
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbroadon-es", "libbroadon-es\libbroadon-es.vcxproj", "{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfmt", "..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj", "{F4B0540E-0AAE-4006-944B-356944EF61FA}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libmbedtls", "..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj", "{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libtoolchain", "..\..\deps\libtoolchain\build\visualstudio\libtoolchain\libtoolchain.vcxproj", "{E194E4B8-1482-40A2-901B-75D4387822E9}"
+EndProject
+
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x64.ActiveCfg = Debug|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x64.Build.0 = Debug|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x86.ActiveCfg = Debug|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x86.Build.0 = Debug|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x64.ActiveCfg = Release|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x64.Build.0 = Release|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x86.ActiveCfg = Release|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x86.Build.0 = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.ActiveCfg = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.Build.0 = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.ActiveCfg = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.Build.0 = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.ActiveCfg = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.Build.0 = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.ActiveCfg = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.Build.0 = Release|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.ActiveCfg = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.Build.0 = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.ActiveCfg = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.Build.0 = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.ActiveCfg = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.Build.0 = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.ActiveCfg = Release|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.Build.0 = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.ActiveCfg = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.Build.0 = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.ActiveCfg = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.Build.0 = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.ActiveCfg = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.Build.0 = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.ActiveCfg = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {76A6C1B6-F1C0-467F-B3A1-D7BDCBAA4FC0}
+	EndGlobalSection
+EndGlobal
diff --git a/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj
new file mode 100644
index 00000000..a83e05a9
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj
@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{8a35d7dc-293a-4669-9c1e-4f45abfe8838}</ProjectGuid>
+    <RootNamespace>libnintendoesdrm</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\Dummy.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\brd\es.h" />
+    <ClInclude Include="..\..\..\include\brd\es\es_cert.h" />
+    <ClInclude Include="..\..\..\include\brd\es\es_sign.h" />
+    <ClInclude Include="..\..\..\include\brd\es\es_ticket.h" />
+    <ClInclude Include="..\..\..\include\brd\es\es_tmd.h" />
+    <ClInclude Include="..\..\..\include\brd\es\types.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj">
+      <Project>{7a7c66f3-2b5b-4e23-85d8-2a74fedad92c}</Project>
+    </ProjectReference>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libtoolchain\build\visualstudio\libtoolchain\libtoolchain.vcxproj">
+      <Project>{e194e4b8-1482-40a2-901b-75d4387822e9}</Project>
+    </ProjectReference>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj">
+      <Project>{f4b0540e-0aae-4006-944b-356944ef61fa}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj.filters b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj.filters
new file mode 100644
index 00000000..ec5de4d7
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj.filters
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Header Files\brd">
+      <UniqueIdentifier>{ba10896d-aa46-41de-9331-2c89a9ddf64a}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\brd\es">
+      <UniqueIdentifier>{c67a3de1-eb64-4733-a6e6-cdcb7be43b60}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\Dummy.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\brd\es\es_cert.h">
+      <Filter>Header Files\brd\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\brd\es\es_sign.h">
+      <Filter>Header Files\brd\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\brd\es\es_ticket.h">
+      <Filter>Header Files\brd\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\brd\es\es_tmd.h">
+      <Filter>Header Files\brd\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\brd\es\types.h">
+      <Filter>Header Files\brd\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\brd\es.h">
+      <Filter>Header Files\brd</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/include/brd/es.h b/ctrtool/deps/libbroadon-es/include/brd/es.h
new file mode 100644
index 00000000..1ccf8f82
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/include/brd/es.h
@@ -0,0 +1,7 @@
+#pragma once
+
+// definitions
+#include <brd/es/es_sign.h>
+#include <brd/es/es_cert.h>
+#include <brd/es/es_ticket.h>
+#include <brd/es/es_tmd.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/include/brd/es/es_cert.h b/ctrtool/deps/libbroadon-es/include/brd/es/es_cert.h
new file mode 100644
index 00000000..f5a7a059
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/include/brd/es/es_cert.h
@@ -0,0 +1,101 @@
+#pragma once
+#include <brd/es/es_sign.h>
+
+namespace brd { namespace es {
+    /**
+     @enum ESCertPubKeyType
+     @brief ES Certificate public key type definition
+     */
+enum class ESCertPubKeyType : uint32_t
+{
+    RSA4096 = 0, /* RSA 4096 bit key */
+    RSA2048 = 1, /* RSA 2048 bit key */
+    ECC = 2, /* ECC pub key 512 bits */
+};
+
+static const size_t ES_CERT_NAME_SIZE = 64;
+using ESCertName = tc::bn::string<ES_CERT_NAME_SIZE>;
+using ESServerId = ESCertName;
+using ESDeviceId = ESCertName;
+
+template <size_t _size>
+using ESPubKeyPad = std::array<byte_t, _size>; 
+
+/* pack to 4 byte boundaries */
+#pragma pack(push,4)
+
+struct ESCertHeader
+{
+    tc::bn::be32<ESCertPubKeyType> pubKeyType; // ESCertPubKeyType
+    union {
+        ESServerId serverId;
+        ESDeviceId deviceId;
+    } name;
+    tc::bn::be32<uint32_t> date; // unix time-stamp
+};
+static_assert(sizeof(ESCertHeader) == 72, "ESCertHeader size");
+
+struct ESCertRsa2048PublicKey
+{
+	Rsa2048PublicKey      pubKey;
+    ESPubKeyPad<52>       pad;
+};
+static_assert(sizeof(ESCertRsa2048PublicKey) == 312, "ESCertRsa2048PublicKey size");
+
+struct ESCertRsa4096PublicKey
+{
+	Rsa4096PublicKey      pubKey;
+    ESPubKeyPad<52>       pad;
+};
+static_assert(sizeof(ESCertRsa4096PublicKey) == 568, "ESCertRsa4096PublicKey size");
+
+struct ESCertEcc233PublicKey
+{
+	Ecc233PublicKey       pubKey;
+    ESPubKeyPad<60>       pad;
+};
+static_assert(sizeof(ESCertEcc233PublicKey) == 120, "ESCertEcc233PublicKey size");
+
+struct ESRootCert
+{
+	ESSigRsa4096             sig;
+	ESCertHeader             head;
+	ESCertRsa4096PublicKey   body;
+};
+static_assert(sizeof(ESRootCert) == 1280, "ESRootCert size");
+
+struct ESCACert
+{
+	ESSigRsa4096             sig;
+	ESCertHeader             head;
+	ESCertRsa2048PublicKey   body;
+};
+static_assert(sizeof(ESCACert) == 1024, "ESCACert size");
+
+struct ESCASignedCert
+{
+	ESSigRsa2048             sig;
+	ESCertHeader             head;
+	ESCertRsa2048PublicKey   body;
+};
+static_assert(sizeof(ESCASignedCert) == 768, "ESCASignedCert size");
+
+struct ESDeviceCert
+{
+	ESSigRsa2048             sig;
+	ESCertHeader             head;
+	ESCertEcc233PublicKey    body;
+};
+static_assert(sizeof(ESDeviceCert) == 576, "ESDeviceCert size");
+
+struct ESDeviceSignedCert
+{
+	ESSigEcc233              sig;
+	ESCertHeader             head;
+	ESCertEcc233PublicKey    body;
+};
+static_assert(sizeof(ESDeviceSignedCert) == 384, "ESDeviceSignedCert size");
+
+#pragma pack(pop)
+
+}} // namespace brd::es
diff --git a/ctrtool/deps/libbroadon-es/include/brd/es/es_sign.h b/ctrtool/deps/libbroadon-es/include/brd/es/es_sign.h
new file mode 100644
index 00000000..4f313ea8
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/include/brd/es/es_sign.h
@@ -0,0 +1,73 @@
+#pragma once
+#include <brd/es/types.h>
+
+namespace brd { namespace es {
+	/**
+     @enum ESSigType
+     @brief ES Signature type definition
+     */
+enum class ESSigType : uint32_t
+{
+    RSA4096_SHA1 = 0x00010000, /* RSA 4096 bit signature */
+    RSA2048_SHA1 = 0x00010001, /* RSA 2048 bit signature */
+    ECC_SHA1 = 0x00010002, /* ECC signature 512 bits */
+    RSA4096_SHA256 = 0x00010003, /* RSA 4096 bit sig using SHA-256 */
+    RSA2048_SHA256 = 0x00010004, /* RSA 2048 bit sig using SHA-256 */ // note that Switch Ticket has this word swapped
+    ECC_SHA256 = 0x00010005, /* ECC sig 512 bits using SHA-256 */
+    HMAC_SHA1 = 0x00010006, /* HMAC-SHA1 160 bit signature */
+};
+
+static const size_t ES_ISSUER_SIZE = 64;
+
+	/**
+	 * @class ESIssuer
+	 * @brief The signature issuer ASCII encoded certificate hierarchy. Padded with nulls.
+	 * 
+	 * Examples: 
+	 * Root (issued by Root)
+	 * Root-CAxxxxxxxx (issued by Certifcate Authority server xxxxxxxx)
+	 * Root-CAxxxxxxxx-XSxxxxxxxx (issued by Ticket/Transaction server xxxxxxxx)
+	 * Root-CAxxxxxxxx-CPxxxxxxxx (issued by Content Publishing server xxxxxxxx)
+	 * Root-CAxxxxxxxx-MSxxxxxxxx (issued by Manufacturing server xxxxxxxx)
+	 * Root-CAxxxxxxxx-MSxxxxxxxx-YYxxxxxxxx (issued by Device with of type YY and serial number xxxxxxxx)
+	 * 
+	 * xxxxxxxx represents the server/device serial number encoded in hex. (e.g. XS0000000f is ticket server 15).
+	 */
+using ESIssuer = tc::bn::string<ES_ISSUER_SIZE>;  
+
+template <size_t _size>
+using ESSigPad = tc::bn::pad<_size>; 
+
+/* pack to 4 byte boundaries */
+#pragma pack(push,4)
+
+struct ESSigRsa2048
+{
+	tc::bn::be32<ESSigType>    sigType;
+	Rsa2048Sig     sig;
+	ESSigPad<60>   pad;
+	ESIssuer       issuer;
+};
+static_assert(sizeof(ESSigRsa2048) == 384, "ESSigRsa2048 size");
+
+struct ESSigRsa4096
+{
+	tc::bn::be32<ESSigType>    sigType;
+	Rsa4096Sig    sig;
+	ESSigPad<60>  pad;
+	ESIssuer      issuer;
+};
+static_assert(sizeof(ESSigRsa4096) == 640, "ESSigRsa4096 size");
+
+struct ESSigEcc233
+{
+	tc::bn::be32<ESSigType>    sigType;
+	Ecc233Sig     sig;
+	ESSigPad<64>  pad;
+	ESIssuer      issuer;
+};
+static_assert(sizeof(ESSigEcc233) == 192, "ESSigEcc233 size");
+
+#pragma pack(pop)
+
+}} // namespace brd::es
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h b/ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h
new file mode 100644
index 00000000..e9a38fe1
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h
@@ -0,0 +1,232 @@
+#pragma once
+#include <brd/es/es_sign.h>
+
+namespace brd { namespace es {
+
+// ES license types
+enum class ESLicenseType : uint8_t
+{
+    PERMANENT = 0,
+    DEMO = 1,
+    TRIAL = 2,
+    RENTAL = 3,
+    SUBSCRIPTION = 4,
+    SERVICE = 5,
+};
+static const uint8_t ES_LICENSE_MASK = 0xf;
+
+// ES title-level limit codes
+enum class ESLimitCode : uint32_t
+{
+    DURATION_TIME = 1,
+    ABSOLUTE_TIME = 2,
+    NUM_TITLES = 3,
+    NUM_LAUNCH = 4,
+    ELAPSED_TIME = 5,
+};
+static const uint32_t ES_MAX_LIMIT_TYPE = 8;
+
+// ES item-level rights
+enum class ESItemType : uint32_t
+{
+    PERMANENT = 1,
+    SUBSCRIPTION = 2,
+    CONTENT = 3,
+    CONTENT_CONSUMPTION = 4,
+    ACCESS_TITLE = 5,
+	LIMITED_RESOURCE = 6,
+};
+
+enum class ESPropertyMaskFlag : uint16_t
+{
+	PRE_INSTALL = 0x1, // bit0
+	SHARED_TITLE = 0x2, // bit1
+	ALLOW_ALL_CONTENT = 0x4, // bit2
+	DEVICE_LINK_INDEPENDENT = 0x8, // bit3
+	VOLATILE = 0x10, // bit4
+	ELICENSE_REQUIRED = 0x20, // bit5
+};
+
+enum class ESV1SectionHeaderFlag : uint16_t
+{
+	COMPRESSED = 0x1 // ironically this is defined but not supported, probably for future use
+};
+
+enum class ESV2TitleKekType : byte_t
+{
+	AES128_CBC,
+	RSA2048
+};
+
+#pragma pack(push, 4)
+
+#ifdef _WIN32
+#pragma warning(disable : 4200) // silence warnings for usage of empty arrays in stucts
+#endif
+
+struct ESLimitedPlayEntry
+{
+    tc::bn::be32<uint32_t> code; //ESLimitCode
+    tc::bn::be32<uint32_t> limit;
+};
+static_assert(sizeof(ESLimitedPlayEntry) == 8, "ESLimitedPlayEntry size");
+
+using ESSysAccessMask = std::array<byte_t, 2>;
+using ESTicketCustomData = std::array<byte_t, 20>;
+using ESTicketReserved = std::array<byte_t, 25>;
+using ESCidxMask = std::array<byte_t, 64>;
+using ESLimitedPlayArray = std::array<ESLimitedPlayEntry, 8>;
+
+using ESReferenceId = std::array<byte_t, 16>;
+
+using ESV1CidxMask = std::array<byte_t, 128>;
+
+using ESV2TitleKey = std::array<byte_t, kRsa2048Size>;
+using ESRightsId = std::array<byte_t, 16>;
+using ESV2TicketReserved = std::array<byte_t, 8>;
+
+struct ESTicket
+{
+    ESSigRsa2048              sig;               // RSA 2048-bit sign of the ticket
+    Ecc233PublicKey           serverPubKey;      // Ticketing server public key
+    uint8_t                   version;           // Ticket data structure version number
+    uint8_t                   caCrlVersion;      // CA CRL version number
+    uint8_t                   signerCrlVersion;  // Signer CRL version number
+    Aes128Key                 titleKey;          // Published title key
+    /* 1 byte alignment padding */
+    tc::bn::be64<uint64_t>    ticketId;          // Unique 64bit ticket ID
+    tc::bn::be32<uint32_t>    deviceId;          // Unique 32bit device ID
+    tc::bn::be64<uint64_t>    titleId;           // Unique 64bit title ID
+    ESSysAccessMask           sysAccessMask;     // 16-bit cidx mask to indicate which
+                                                 // of the first 16 pieces of contents
+                                                 // can be accessed by the system app
+    tc::bn::be16<uint16_t>    ticketVersion;     // 16-bit ticket version
+    tc::bn::be32<uint32_t>    accessTitleId;     // 32-bit title ID for access control
+    tc::bn::be32<uint32_t>    accessTitleMask;   // 32-bit title ID mask
+    uint8_t                   licenseType;       //
+    uint8_t                   keyId;             // Common key ID
+    tc::bn::be16<uint16_t>    propertyMask;      // 16-bit property mask
+    ESTicketCustomData        customData;        // 20-byte custom data
+    ESTicketReserved          reserved;          // 25-byte reserved info
+    uint8_t                   audit;             //
+    /* 2 bytes alignment padding */
+    ESCidxMask                cidxMask;          // Bit-mask of the content indices
+    ESLimitedPlayArray        limits;            // Limited play entries
+};
+static_assert(sizeof(ESTicket) == 676, "ESTicket size");
+
+struct ESV1TicketHeader
+{
+    tc::bn::be16<uint16_t>  hdrVersion;         // Version of the ticket header
+    tc::bn::be16<uint16_t>  hdrSize;            // Size of ticket header
+    tc::bn::be32<uint32_t>  ticketSize;         // Size of the v1 portion of the ticket
+    tc::bn::be32<uint32_t>  sectHdrOfst;        // Offset of the section header table
+    tc::bn::be16<uint16_t>  nSectHdrs;          // Number of section headers
+    tc::bn::be16<uint16_t>  sectHdrEntrySize;   // Size of each section header
+    tc::bn::be32<uint32_t>  flags;              // Miscellaneous attributes
+};
+static_assert(sizeof(ESV1TicketHeader) == 20, "ESV1TicketHeader size");
+
+struct ESV1SectionHeader
+{
+    tc::bn::be32<uint32_t>  sectOfst;       // Offset of this section
+    tc::bn::be32<uint32_t>  nRecords;       // Number of records in this section
+    tc::bn::be32<uint32_t>  recordSize;     // Size of each record
+    tc::bn::be32<uint32_t>  sectionSize;    // Total size of this section
+    tc::bn::be16<uint16_t>  sectionType;    // Type code of this section
+    tc::bn::be16<uint16_t>  flags;          // Miscellaneous attributes
+};
+static_assert(sizeof(ESV1SectionHeader) == 20, "ESV1SectionHeader size");
+
+struct ESV1Ticket
+{
+    ESTicket          head;
+    ESV1TicketHeader  v1Head;
+    ESV1SectionHeader sectHdrs[];
+};
+static_assert(sizeof(ESV1Ticket) == 696, "ESV1Ticket size");
+
+struct ESV1PermanentRecord
+{
+    ESReferenceId          referenceId;        // Reference ID
+    tc::bn::be32<uint32_t> referenceIdAttr;    // Reference ID attributes
+};
+static_assert(sizeof(ESV1PermanentRecord) == 20, "ESV1PermanentRecord size");
+
+struct ESV1SubscriptionRecord
+{
+    tc::bn::be32<uint32_t>  limit;              // Expiration time
+    ESReferenceId           referenceId;        // Reference ID
+    tc::bn::be32<uint32_t>  referenceIdAttr;    // Reference ID attributes
+};
+static_assert(sizeof(ESV1SubscriptionRecord) == 24, "ESV1SubscriptionRecord size");
+
+struct ESV1ContentRecord
+{
+    tc::bn::be32<uint32_t>  offset;             // Offset content index
+    ESV1CidxMask            accessMask;         // Access mask
+};
+static_assert(sizeof(ESV1ContentRecord) == 132, "ESV1ContentRecord size");
+
+struct ESV1ContentConsumptionRecord
+{
+    tc::bn::be16<uint16_t>  index;              // Content index
+    tc::bn::be16<uint16_t>  code;               // Limit code
+    tc::bn::be32<uint32_t>  limit;              // Limit value
+};
+static_assert(sizeof(ESV1ContentConsumptionRecord) == 8, "ESV1ContentConsumptionRecord size");
+
+struct ESV1AccessTitleRecord
+{
+    tc::bn::be64<uint64_t>  accessTitleId;      // Access title ID
+    tc::bn::be64<uint64_t>  accessTitleMask;    // Access title mask
+};
+static_assert(sizeof(ESV1AccessTitleRecord) == 16, "ESV1AccessTitleRecord size");
+
+struct ESV1LimitedResourceRecord
+{
+    tc::bn::be32<uint32_t>  limit;              // Expiration time
+    ESReferenceId           referenceId;        // Reference ID
+    tc::bn::be32<uint32_t>  referenceIdAttr;    // Reference ID attributes
+};
+static_assert(sizeof(ESV1LimitedResourceRecord) == 24, "ESV1LimitedResourceRecord size");
+
+struct ESV2Ticket
+{
+    ESSigRsa2048            sig;                // RSA 2048-bit sign of the ticket
+    ESV2TitleKey            titleKey;           // Published title key
+    uint8_t                 version;            // Ticket data structure version number
+	uint8_t                 keyType;            // Title key encryption key type
+	tc::bn::le16<uint16_t>  ticketVersion;      // 16-bit ticket version
+	uint8_t                 licenseType;
+    uint8_t                 keyId;              // Common key ID
+    tc::bn::le16<uint16_t>  propertyMask;       // 16-bit property mask
+	ESV2TicketReserved      reservedRegion;     // probably the accessTitleId & mask
+	tc::bn::le64<uint64_t>  ticketId;           // Unique 64bit ticket ID
+	tc::bn::le64<uint64_t>  deviceId;           // Unique 64bit device ID
+	ESRightsId              rightsId;           // Unique 128bit rights ID
+	tc::bn::le32<uint32_t>  accountId;          // Unique 32bit account ID
+	tc::bn::le32<uint32_t>  sectTotalSize;      // Total size of sections
+	tc::bn::le32<uint32_t>  sectHdrOffset;      // Offset of the section header table
+	tc::bn::le16<uint16_t>  nSectHdrs;          // Number of section headers
+	tc::bn::le16<uint16_t>  nSectHdrEntrySize;  // Size of each section header
+};
+static_assert(sizeof(ESV2Ticket) == 704, "ESV2Ticket size");
+
+struct ESV2SectionHeader
+{
+    tc::bn::le32<uint32_t>  sectOfst;       // Offset of this section
+    tc::bn::le32<uint32_t>  recordSize;     // Size of each record
+    tc::bn::le32<uint32_t>  sectionSize;    // Total size of this section
+	tc::bn::le16<uint16_t>  nRecords;       // Number of records in this section
+    tc::bn::le16<uint16_t>  sectionType;    // Type code of this section
+};
+static_assert(sizeof(ESV2SectionHeader) == 16, "ESV2SectionHeader size");
+
+#ifdef _WIN32
+#pragma warning(default : 4200)
+#endif
+
+#pragma pack(pop)
+
+}} // namespace brd::es
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/include/brd/es/es_tmd.h b/ctrtool/deps/libbroadon-es/include/brd/es/es_tmd.h
new file mode 100644
index 00000000..8bab8438
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/include/brd/es/es_tmd.h
@@ -0,0 +1,129 @@
+#pragma once
+#include <brd/es/es_sign.h>
+
+namespace brd { namespace es {
+
+// ES title type
+enum class ESTitleType : uint32_t
+{
+    NC_TITLE = 0x1, // bit0 NetCard - End-of-life
+    NG_TITLE = 0x2, // bit1 Wii/NDEV
+    DS_TITLE = 0x4, // bit2 TWL/DSi
+    DATA     = 0x8, // bit3 boring data title
+    CT_TITLE = 0x40, // bit6 CTR/3DS
+    GVM_TITLE = 0x80, // bit7 GVM = ? (from BroadOn libraries)
+    CAFE_TITLE = 0x100, // bit8 WiiU (from WiiU sdk)
+};
+
+// ES content type
+enum ESContentType : uint16_t
+{
+    ESContentType_ENCRYPTED = 0x1, // bit0 (from broadOn & b4)
+    ESContentType_DISC = 0x2, // bit1 (from broadOn & b4)
+    ESContentType_HASHED = 0x2, // bit1 (from b4)
+    ESContentType_CFM = 0x4, // bit3 (from broadOn & b4)
+    ESContentType_SHA1_HASH = 0x2000, // bit13 from b4 (wiiu sdk)
+    ESContentType_OPTIONAL = 0x4000, // bit14 (from broadOn & b4)
+    ESContentType_SHARED = 0x8000, // bit15 (from broadOn & b4)
+};
+
+//
+// Maximum possible content index value is 64K - 2, since
+// the maximum number of contents per title is 64K - 1
+//
+static const size_t ES_CONTENT_INDEX_MAX = 65534;
+
+
+// There are a maximum of 64 CMD groups, each with a maximum of 1K CMDs
+static const size_t ES_MAX_CMDS_IN_GROUP = 1024;
+static const size_t ES_MAX_CMD_GROUPS = 64;
+
+#pragma pack(push, 4)
+
+#ifdef _WIN32
+#pragma warning(disable : 4200) // silence warnings for usage of empty arrays in stucts
+#endif
+
+struct ESContentMeta
+{
+	tc::bn::be32<uint32_t> cid;    // 32-bit content ID
+    tc::bn::be16<uint16_t> index;  // Content index, unique per title
+    tc::bn::be16<uint16_t> type;   // Content type
+    tc::bn::be64<uint64_t> size;   // Unencrypted content size in bytes
+    Sha1Hash               hash;   // Hash of the content
+};
+static_assert(sizeof(ESContentMeta) == 36, "ESContentMeta size");
+
+struct ESV1ContentMeta
+{
+    tc::bn::be32<uint32_t> cid;    // 32-bit content ID
+    tc::bn::be16<uint16_t> index;  // Content index, unique per title
+    tc::bn::be16<uint16_t> type;   // Content type
+    tc::bn::be64<uint64_t> size;   // Unencrypted content size in bytes
+    Sha256Hash             hash;   // Hash of the content
+};
+static_assert(sizeof(ESV1ContentMeta) == 48, "ESV1ContentMeta size");
+
+struct ESTitleMetaHeader
+{
+    using ESTmdCustomData = std::array<uint8_t, 32>;
+    using ESTmdReserved = std::array<uint8_t, 30>;
+
+    uint8_t                   version;            // TMD version number
+    uint8_t                   caCrlVersion;       // CA CRL version number
+    uint8_t                   signerCrlVersion;   // Signer CRL version number
+    tc::bn::be64<uint64_t>    sysVersion;         // System software version number
+    tc::bn::be64<uint64_t>    titleId;            // 64-bit title id
+    tc::bn::be32<ESTitleType> type;               // 32-bit title type
+    tc::bn::be16<uint16_t>    groupId;
+    ESTmdCustomData           customData;         // 32-byte custom data
+    ESTmdReserved             reserved;           // 30-byte reserved info
+    tc::bn::be32<uint32_t>    accessRights;       // Rights to system resources
+    tc::bn::be16<uint16_t>    titleVersion;       // 16-bit title version
+    tc::bn::be16<uint16_t>    numContents;        // Number of contents
+    tc::bn::be16<uint16_t>    bootIndex;          // Boot content index
+    tc::bn::be16<uint16_t>    minorTitleVersion;  // 16-bit minor title version
+};
+static_assert(sizeof(ESTitleMetaHeader) == 100, "ESTitleMetaHeader size");
+
+struct ESV1ContentMetaGroup
+{
+    tc::bn::be16<uint16_t> offset;             // Offset content index
+    tc::bn::be16<uint16_t> nCmds;              // Number of CMDs in this group
+    Sha256Hash             groupHash;          // Hash for this group of CMDs
+};
+static_assert(sizeof(ESV1ContentMetaGroup) == 36, "ESV1ContentMetaGroup size");
+
+struct ESV1TitleMetaHeader
+{
+    using ESV1ContentMetaGroupArray = std::array<ESV1ContentMetaGroup, ES_MAX_CMD_GROUPS>;
+
+    Sha256Hash                hash;          // Hash for the CMD groups
+    ESV1ContentMetaGroupArray cmdGroups;
+};
+static_assert(sizeof(ESV1TitleMetaHeader) == 2336, "ESV1TitleMetaHeader size");
+
+struct ESTitleMeta
+{
+    ESSigRsa2048      sig;            // RSA 2048-bit sign of the TMD header
+    ESTitleMetaHeader head;
+    ESContentMeta     contents[];     // CMD array sorted by content index
+};
+static_assert(sizeof(ESTitleMeta) == 484, "ESTitleMeta size");
+
+struct ESV1TitleMeta
+{
+    ESSigRsa2048        sig;            // RSA 2048-bit sign of the TMD header
+    ESTitleMetaHeader   head;
+    ESV1TitleMetaHeader v1Head;         // Extension to the v0 TMD header
+    ESV1ContentMeta     contents[];     // CMD array sorted by content index
+};
+static_assert(sizeof(ESV1TitleMeta) == 2820, "ESV1TitleMeta size");
+
+#ifdef _WIN32
+#pragma warning(default : 4200)
+#endif
+
+#pragma pack(pop)
+
+}} // namespace brd::es
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/include/brd/es/types.h b/ctrtool/deps/libbroadon-es/include/brd/es/types.h
new file mode 100644
index 00000000..2a944074
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/include/brd/es/types.h
@@ -0,0 +1,73 @@
+#pragma once
+#include <tc/types.h>
+
+namespace brd { namespace es {
+
+#pragma pack(push,4)
+
+static const size_t kAes128KeySize = 16;
+using Aes128Key = std::array<uint8_t, kAes128KeySize>;
+
+static const size_t kAes192KeySize = 24;
+using Aes192Key = std::array<uint8_t, kAes192KeySize>;
+
+static const size_t kAes256KeySize = 32;
+using Aes256Key = std::array<uint8_t, kAes256KeySize>;
+
+static const size_t kSha1Size = 20;
+using Sha1Hash = std::array<uint8_t, kSha1Size>;
+using Sha1Hmac = std::array<uint8_t, kSha1Size>;
+
+static const size_t kSha256Size = 32;
+using Sha256Hash = std::array<uint8_t, kSha256Size>;
+using Sha256Hmac = std::array<uint8_t, kSha256Size>;
+
+static const size_t kRsaPublicExponentSize = 4;
+using RsaPublicExponent = std::array<uint8_t, kRsaPublicExponentSize>;
+
+static const size_t kRsa2048Size = 0x100;
+using Rsa2048Integer = std::array<uint8_t, kRsa2048Size>;
+struct Rsa2048PublicKey
+{
+	Rsa2048Integer m; // modulus
+	RsaPublicExponent e; // public_exponent
+};
+struct Rsa2048PrivateKey
+{
+	Rsa2048Integer m; // modulus
+	Rsa2048Integer d; // private_exponent
+};
+using Rsa2048Sig = Rsa2048Integer;
+
+static const size_t kRsa4096Size = 0x200;
+using Rsa4096Integer = std::array<uint8_t, kRsa4096Size>;
+struct Rsa4096PublicKey
+{
+	Rsa4096Integer m; // modulus
+	RsaPublicExponent e; // public_exponent
+};
+struct Rsa4096PrivateKey
+{
+	Rsa4096Integer m; // modulus
+	Rsa4096Integer d; // private_exponent
+};
+using Rsa4096Sig = Rsa4096Integer;
+
+static const size_t kEcc233Size = 60;
+using Ecc233Integer = std::array<uint8_t, kEcc233Size / 2>;
+struct Ecc233Point
+{
+	Ecc233Integer x;
+	Ecc233Integer y;
+};
+using Ecc233PrivateKey = Ecc233Integer;
+using Ecc233PublicKey = Ecc233Point;
+struct Ecc233Sig
+{
+	Ecc233Integer r;
+	Ecc233Integer s;
+};
+
+#pragma pack(pop)
+
+}} // namespace brd::es
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/makefile b/ctrtool/deps/libbroadon-es/makefile
new file mode 100644
index 00000000..87521a45
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/makefile
@@ -0,0 +1,193 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 5
+
+# Project Name
+PROJECT_NAME = libbroadon-es
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Shared Library Definitions
+PROJECT_SO_VER_MAJOR = 0
+PROJECT_SO_VER_MINOR = 1
+PROJECT_SO_VER_PATCH = 0
+PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
+PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
+
+# Project Dependencies
+PROJECT_DEPEND = mbedtls toolchain
+PROJECT_DEPEND_LOCAL_DIR = libmbedtls libtoolchain
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc	
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building static library
+#	- 'shared_lib' for building shared library
+#	- 'program' for building the program
+#	- 'test_program' for building the test program
+# These can typically be used together however *_lib and program should not be used together
+all: static_lib
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+shared_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)
+	@gcc -shared -Wl,-soname,$(PROJECT_SONAME) -o "$(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/ctrtool/deps/libbroadon-es/src/Dummy.cpp b/ctrtool/deps/libbroadon-es/src/Dummy.cpp
new file mode 100644
index 00000000..0e29ff25
--- /dev/null
+++ b/ctrtool/deps/libbroadon-es/src/Dummy.cpp
@@ -0,0 +1,138 @@
+#include <iostream>
+#include <brd/es.h>
+
+#ifdef _WIN32
+#pragma warning(disable : 4101) // silence warnings for unused local variables
+#endif
+
+namespace brd {
+	namespace es {
+
+		int dummy_method1a()
+		{
+			// types
+			brd::es::Aes128Key Aes128Key_var;
+			brd::es::Aes192Key Aes192Key_var;
+			brd::es::Aes256Key Aes256Key_var;
+			brd::es::Sha1Hash Sha1Hash_var;
+			brd::es::Sha1Hmac Sha1Hmac_var;
+			brd::es::Sha256Hash Sha256Hash_var;
+			brd::es::Sha256Hmac Sha256Hmac_var;
+			brd::es::RsaPublicExponent RsaPublicExponent_var;
+			brd::es::Rsa2048Integer Rsa2048Integer_var;
+			brd::es::Rsa2048PublicKey Rsa2048PublicKey_var;
+			brd::es::Rsa2048PrivateKey Rsa2048PrivateKey_var;
+			brd::es::Rsa2048Sig Rsa2048Sig_var;
+			return 11;
+		}
+
+		int dummy_method1b()
+		{
+			// types
+			brd::es::Rsa4096Integer Rsa4096Integer_var;
+			brd::es::Rsa4096PublicKey Rsa4096PublicKey_var;
+			brd::es::Rsa4096PrivateKey Rsa4096PrivateKey_var;
+			brd::es::Rsa4096Sig Rsa4096Sig_var;
+			brd::es::Ecc233Integer Ecc233Integer_var;
+			brd::es::Ecc233Point Ecc233Point_var;
+			brd::es::Ecc233PrivateKey Ecc233PrivateKey_var;
+			brd::es::Ecc233PublicKey Ecc233PublicKey_var;
+			brd::es::Ecc233Sig Ecc233Sig_var;
+
+			return 01323;
+		}
+
+		int dummy_method2()
+		{
+			// sign
+			brd::es::ESSigType ESSigType_var;
+			size_t ES_ISSUER_SIZE_var = brd::es::ES_ISSUER_SIZE;
+			brd::es::ESIssuer ESIssuer_var;
+			brd::es::ESSigRsa2048 ESSigRsa2048_struct;
+			brd::es::ESSigRsa4096 ESSigRsa4096_struct;
+			brd::es::ESSigEcc233 ESSigEcc233_struct;
+
+			return 1232;
+		}
+
+		int dummy_method3()
+		{
+			// cert
+			brd::es::ESCertPubKeyType ESCertPubKeyType_var;
+			size_t ES_CERT_NAME_SIZE_var = brd::es::ES_CERT_NAME_SIZE;
+			brd::es::ESCertName ESCertName_var;
+			brd::es::ESServerId ESServerId_var;
+			brd::es::ESDeviceId ESDeviceId_var;
+			brd::es::ESCertHeader ESCertHeader_struct;
+			brd::es::ESCertRsa2048PublicKey ESCertRsa2048PublicKey_struct;
+			brd::es::ESCertRsa4096PublicKey ESCertRsa4096PublicKey_struct;
+			brd::es::ESCertEcc233PublicKey ESCertEcc233PublicKey_struct;
+			brd::es::ESRootCert ESRootCert_struct;
+			brd::es::ESCACert ESCACert_struct;
+			brd::es::ESCASignedCert ESCASignedCert_struct;
+			brd::es::ESDeviceCert ESDeviceCert_struct;
+			brd::es::ESDeviceSignedCert ESDeviceSignedCert_struct;
+
+			return 55;
+		}
+
+		int dummy_method4()
+		{
+			// tik
+			brd::es::ESLicenseType ESLicenseType_var;
+			uint8_t ES_LICENSE_MASK_var = brd::es::ES_LICENSE_MASK;
+			brd::es::ESLimitCode ESLimitCode_var;
+			uint32_t ES_MAX_LIMIT_TYPE_var = brd::es::ES_MAX_LIMIT_TYPE;
+			brd::es::ESItemType ESItemType_var;
+			brd::es::ESPropertyMaskFlag ESPropertyMaskFlag_var;
+			brd::es::ESV1SectionHeaderFlag ESV1SectionHeaderFlag_var;
+			brd::es::ESV2TitleKekType ESV2TitleKekType_var;
+			brd::es::ESLimitedPlayEntry ESLimitedPlayEntry_struct;
+			brd::es::ESSysAccessMask ESSysAccessMask_var;
+			brd::es::ESTicketCustomData ESTicketCustomData_var;
+			brd::es::ESTicketReserved ESTicketReserved_var;
+			brd::es::ESCidxMask ESCidxMask_var;
+			brd::es::ESLimitedPlayArray ESLimitedPlayArray_var;
+			brd::es::ESReferenceId ESReferenceId_var;
+			brd::es::ESV1CidxMask ESV1CidxMask_var;
+			brd::es::ESV2TitleKey ESV2TitleKey_var;
+			brd::es::ESRightsId ESRightsId_var;
+			brd::es::ESV2TicketReserved ESV2TicketReserved_var;
+			brd::es::ESTicket ESTicket_struct;
+			brd::es::ESV1TicketHeader ESV1TicketHeader_struct;
+			brd::es::ESV1SectionHeader ESV1SectionHeader_struct;
+			brd::es::ESV1Ticket ESV1Ticket_struct;
+			brd::es::ESV1PermanentRecord ESV1PermanentRecord_struct;
+			brd::es::ESV1SubscriptionRecord ESV1SubscriptionRecord_struct;
+			brd::es::ESV1ContentRecord ESV1ContentRecord_struct;
+			brd::es::ESV1ContentConsumptionRecord ESV1ContentConsumptionRecord_struct;
+			brd::es::ESV1AccessTitleRecord ESV1AccessTitleRecord_struct;
+			brd::es::ESV1LimitedResourceRecord ESV1LimitedResourceRecord_struct;
+			brd::es::ESV2Ticket ESV2Ticket_struct;
+			brd::es::ESV2SectionHeader ESV2SectionHeader_struct;
+
+			return 0;
+		}
+
+		int dummy_method5()
+		{
+			// tmd
+			brd::es::ESTitleType ESTitleType_var;
+			brd::es::ESContentType ESContentType_var;
+			size_t ES_CONTENT_INDEX_MAX_var = brd::es::ES_CONTENT_INDEX_MAX;
+			size_t ES_MAX_CMDS_IN_GROUP_var = brd::es::ES_MAX_CMDS_IN_GROUP;
+			brd::es::ESContentMeta ESContentMeta_struct;
+			brd::es::ESV1ContentMeta ESV1ContentMeta_struct;
+			brd::es::ESTitleMetaHeader ESTitleMetaHeader_struct;
+			brd::es::ESV1ContentMetaGroup ESV1ContentMetaGroup_struct;
+			brd::es::ESV1TitleMetaHeader ESV1TitleMetaHeader_struct;
+			brd::es::ESTitleMeta ESTitleMeta_struct;
+			brd::es::ESV1TitleMeta ESV1TitleMeta_struct;
+			return 54;
+		}
+
+	}
+}
+#ifdef _WIN32
+#pragma warning(default : 4101)
+#endif
\ No newline at end of file
diff --git a/ctrtool/deps/libfmt/LICENSE.rst b/ctrtool/deps/libfmt/LICENSE.rst
new file mode 100644
index 00000000..8f921680
--- /dev/null
+++ b/ctrtool/deps/libfmt/LICENSE.rst
@@ -0,0 +1,27 @@
+Copyright (c) 2012 - present, Victor Zverovich
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+--- Optional exception to the license ---
+
+As an exception, if, as a result of your compiling your source code, portions
+of this Software are embedded into a machine-executable object form of such
+source code, you may redistribute such embedded portions in such object form
+without including the above copyright and permission notices.
\ No newline at end of file
diff --git a/ctrtool/deps/libfmt/README.md b/ctrtool/deps/libfmt/README.md
new file mode 100644
index 00000000..ce8069f7
--- /dev/null
+++ b/ctrtool/deps/libfmt/README.md
@@ -0,0 +1,2 @@
+# libfmt
+Clone of {fmt} (https://github.com/fmtlib/fmt)
diff --git a/ctrtool/deps/libfmt/build/visualstudio/libfmt.sln b/ctrtool/deps/libfmt/build/visualstudio/libfmt.sln
new file mode 100644
index 00000000..368aee4c
--- /dev/null
+++ b/ctrtool/deps/libfmt/build/visualstudio/libfmt.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31229.75
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfmt", "libfmt\libfmt.vcxproj", "{F4B0540E-0AAE-4006-944B-356944EF61FA}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.ActiveCfg = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.Build.0 = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.ActiveCfg = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.Build.0 = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.ActiveCfg = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.Build.0 = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.ActiveCfg = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {EA4E4F87-6367-4723-8641-6767757CD6DD}
+	EndGlobalSection
+EndGlobal
diff --git a/ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj b/ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj
new file mode 100644
index 00000000..61a5ca35
--- /dev/null
+++ b/ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{f4b0540e-0aae-4006-944b-356944ef61fa}</ProjectGuid>
+    <RootNamespace>libfmt</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\fmt\args.h" />
+    <ClInclude Include="..\..\..\include\fmt\chrono.h" />
+    <ClInclude Include="..\..\..\include\fmt\color.h" />
+    <ClInclude Include="..\..\..\include\fmt\compile.h" />
+    <ClInclude Include="..\..\..\include\fmt\core.h" />
+    <ClInclude Include="..\..\..\include\fmt\format-inl.h" />
+    <ClInclude Include="..\..\..\include\fmt\format.h" />
+    <ClInclude Include="..\..\..\include\fmt\locale.h" />
+    <ClInclude Include="..\..\..\include\fmt\os.h" />
+    <ClInclude Include="..\..\..\include\fmt\ostream.h" />
+    <ClInclude Include="..\..\..\include\fmt\printf.h" />
+    <ClInclude Include="..\..\..\include\fmt\ranges.h" />
+    <ClInclude Include="..\..\..\include\fmt\xchar.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\format.cc" />
+    <ClCompile Include="..\..\..\src\os.cc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj.filters b/ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj.filters
new file mode 100644
index 00000000..61b8ad12
--- /dev/null
+++ b/ctrtool/deps/libfmt/build/visualstudio/libfmt/libfmt.vcxproj.filters
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\fmt\args.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\chrono.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\color.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\compile.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\core.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\format.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\format-inl.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\locale.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\os.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\ostream.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\printf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\ranges.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\fmt\xchar.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\format.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\os.cc">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libfmt/include/fmt/args.h b/ctrtool/deps/libfmt/include/fmt/args.h
new file mode 100644
index 00000000..9a8e4ed2
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/args.h
@@ -0,0 +1,234 @@
+// Formatting library for C++ - dynamic format arguments
+//
+// Copyright (c) 2012 - present, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_ARGS_H_
+#define FMT_ARGS_H_
+
+#include <functional>  // std::reference_wrapper
+#include <memory>      // std::unique_ptr
+#include <vector>
+
+#include "core.h"
+
+FMT_BEGIN_NAMESPACE
+
+namespace detail {
+
+template <typename T> struct is_reference_wrapper : std::false_type {};
+template <typename T>
+struct is_reference_wrapper<std::reference_wrapper<T>> : std::true_type {};
+
+template <typename T> const T& unwrap(const T& v) { return v; }
+template <typename T> const T& unwrap(const std::reference_wrapper<T>& v) {
+  return static_cast<const T&>(v);
+}
+
+class dynamic_arg_list {
+  // Workaround for clang's -Wweak-vtables. Unlike for regular classes, for
+  // templates it doesn't complain about inability to deduce single translation
+  // unit for placing vtable. So storage_node_base is made a fake template.
+  template <typename = void> struct node {
+    virtual ~node() = default;
+    std::unique_ptr<node<>> next;
+  };
+
+  template <typename T> struct typed_node : node<> {
+    T value;
+
+    template <typename Arg>
+    FMT_CONSTEXPR typed_node(const Arg& arg) : value(arg) {}
+
+    template <typename Char>
+    FMT_CONSTEXPR typed_node(const basic_string_view<Char>& arg)
+        : value(arg.data(), arg.size()) {}
+  };
+
+  std::unique_ptr<node<>> head_;
+
+ public:
+  template <typename T, typename Arg> const T& push(const Arg& arg) {
+    auto new_node = std::unique_ptr<typed_node<T>>(new typed_node<T>(arg));
+    auto& value = new_node->value;
+    new_node->next = std::move(head_);
+    head_ = std::move(new_node);
+    return value;
+  }
+};
+}  // namespace detail
+
+/**
+  \rst
+  A dynamic version of `fmt::format_arg_store`.
+  It's equipped with a storage to potentially temporary objects which lifetimes
+  could be shorter than the format arguments object.
+
+  It can be implicitly converted into `~fmt::basic_format_args` for passing
+  into type-erased formatting functions such as `~fmt::vformat`.
+  \endrst
+ */
+template <typename Context>
+class dynamic_format_arg_store
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 409
+    // Workaround a GCC template argument substitution bug.
+    : public basic_format_args<Context>
+#endif
+{
+ private:
+  using char_type = typename Context::char_type;
+
+  template <typename T> struct need_copy {
+    static constexpr detail::type mapped_type =
+        detail::mapped_type_constant<T, Context>::value;
+
+    enum {
+      value = !(detail::is_reference_wrapper<T>::value ||
+                std::is_same<T, basic_string_view<char_type>>::value ||
+                std::is_same<T, detail::std_string_view<char_type>>::value ||
+                (mapped_type != detail::type::cstring_type &&
+                 mapped_type != detail::type::string_type &&
+                 mapped_type != detail::type::custom_type))
+    };
+  };
+
+  template <typename T>
+  using stored_type = conditional_t<detail::is_string<T>::value &&
+                                        !has_formatter<T, Context>::value &&
+                                        !detail::is_reference_wrapper<T>::value,
+                                    std::basic_string<char_type>, T>;
+
+  // Storage of basic_format_arg must be contiguous.
+  std::vector<basic_format_arg<Context>> data_;
+  std::vector<detail::named_arg_info<char_type>> named_info_;
+
+  // Storage of arguments not fitting into basic_format_arg must grow
+  // without relocation because items in data_ refer to it.
+  detail::dynamic_arg_list dynamic_args_;
+
+  friend class basic_format_args<Context>;
+
+  unsigned long long get_types() const {
+    return detail::is_unpacked_bit | data_.size() |
+           (named_info_.empty()
+                ? 0ULL
+                : static_cast<unsigned long long>(detail::has_named_args_bit));
+  }
+
+  const basic_format_arg<Context>* data() const {
+    return named_info_.empty() ? data_.data() : data_.data() + 1;
+  }
+
+  template <typename T> void emplace_arg(const T& arg) {
+    data_.emplace_back(detail::make_arg<Context>(arg));
+  }
+
+  template <typename T>
+  void emplace_arg(const detail::named_arg<char_type, T>& arg) {
+    if (named_info_.empty()) {
+      constexpr const detail::named_arg_info<char_type>* zero_ptr{nullptr};
+      data_.insert(data_.begin(), {zero_ptr, 0});
+    }
+    data_.emplace_back(detail::make_arg<Context>(detail::unwrap(arg.value)));
+    auto pop_one = [](std::vector<basic_format_arg<Context>>* data) {
+      data->pop_back();
+    };
+    std::unique_ptr<std::vector<basic_format_arg<Context>>, decltype(pop_one)>
+        guard{&data_, pop_one};
+    named_info_.push_back({arg.name, static_cast<int>(data_.size() - 2u)});
+    data_[0].value_.named_args = {named_info_.data(), named_info_.size()};
+    guard.release();
+  }
+
+ public:
+  constexpr dynamic_format_arg_store() = default;
+
+  /**
+    \rst
+    Adds an argument into the dynamic store for later passing to a formatting
+    function.
+
+    Note that custom types and string types (but not string views) are copied
+    into the store dynamically allocating memory if necessary.
+
+    **Example**::
+
+      fmt::dynamic_format_arg_store<fmt::format_context> store;
+      store.push_back(42);
+      store.push_back("abc");
+      store.push_back(1.5f);
+      std::string result = fmt::vformat("{} and {} and {}", store);
+    \endrst
+  */
+  template <typename T> void push_back(const T& arg) {
+    if (detail::const_check(need_copy<T>::value))
+      emplace_arg(dynamic_args_.push<stored_type<T>>(arg));
+    else
+      emplace_arg(detail::unwrap(arg));
+  }
+
+  /**
+    \rst
+    Adds a reference to the argument into the dynamic store for later passing to
+    a formatting function.
+
+    **Example**::
+
+      fmt::dynamic_format_arg_store<fmt::format_context> store;
+      char band[] = "Rolling Stones";
+      store.push_back(std::cref(band));
+      band[9] = 'c'; // Changing str affects the output.
+      std::string result = fmt::vformat("{}", store);
+      // result == "Rolling Scones"
+    \endrst
+  */
+  template <typename T> void push_back(std::reference_wrapper<T> arg) {
+    static_assert(
+        need_copy<T>::value,
+        "objects of built-in types and string views are always copied");
+    emplace_arg(arg.get());
+  }
+
+  /**
+    Adds named argument into the dynamic store for later passing to a formatting
+    function. ``std::reference_wrapper`` is supported to avoid copying of the
+    argument. The name is always copied into the store.
+  */
+  template <typename T>
+  void push_back(const detail::named_arg<char_type, T>& arg) {
+    const char_type* arg_name =
+        dynamic_args_.push<std::basic_string<char_type>>(arg.name).c_str();
+    if (detail::const_check(need_copy<T>::value)) {
+      emplace_arg(
+          fmt::arg(arg_name, dynamic_args_.push<stored_type<T>>(arg.value)));
+    } else {
+      emplace_arg(fmt::arg(arg_name, arg.value));
+    }
+  }
+
+  /** Erase all elements from the store */
+  void clear() {
+    data_.clear();
+    named_info_.clear();
+    dynamic_args_ = detail::dynamic_arg_list();
+  }
+
+  /**
+    \rst
+    Reserves space to store at least *new_cap* arguments including
+    *new_cap_named* named arguments.
+    \endrst
+  */
+  void reserve(size_t new_cap, size_t new_cap_named) {
+    FMT_ASSERT(new_cap >= new_cap_named,
+               "Set of arguments includes set of named arguments");
+    data_.reserve(new_cap);
+    named_info_.reserve(new_cap_named);
+  }
+};
+
+FMT_END_NAMESPACE
+
+#endif  // FMT_ARGS_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/chrono.h b/ctrtool/deps/libfmt/include/fmt/chrono.h
new file mode 100644
index 00000000..682efd8d
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/chrono.h
@@ -0,0 +1,2067 @@
+// Formatting library for C++ - chrono support
+//
+// Copyright (c) 2012 - present, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_CHRONO_H_
+#define FMT_CHRONO_H_
+
+#include <algorithm>
+#include <chrono>
+#include <ctime>
+#include <iterator>
+#include <locale>
+#include <ostream>
+#include <type_traits>
+
+#include "format.h"
+
+FMT_BEGIN_NAMESPACE
+
+// Enable tzset.
+#ifndef FMT_USE_TZSET
+// UWP doesn't provide _tzset.
+#  if FMT_HAS_INCLUDE("winapifamily.h")
+#    include <winapifamily.h>
+#  endif
+#  if defined(_WIN32) && (!defined(WINAPI_FAMILY) || \
+                          (WINAPI_FAMILY == WINAPI_FAMILY_DESKTOP_APP))
+#    define FMT_USE_TZSET 1
+#  else
+#    define FMT_USE_TZSET 0
+#  endif
+#endif
+
+// Enable safe chrono durations, unless explicitly disabled.
+#ifndef FMT_SAFE_DURATION_CAST
+#  define FMT_SAFE_DURATION_CAST 1
+#endif
+#if FMT_SAFE_DURATION_CAST
+
+// For conversion between std::chrono::durations without undefined
+// behaviour or erroneous results.
+// This is a stripped down version of duration_cast, for inclusion in fmt.
+// See https://github.com/pauldreik/safe_duration_cast
+//
+// Copyright Paul Dreik 2019
+namespace safe_duration_cast {
+
+template <typename To, typename From,
+          FMT_ENABLE_IF(!std::is_same<From, To>::value &&
+                        std::numeric_limits<From>::is_signed ==
+                            std::numeric_limits<To>::is_signed)>
+FMT_CONSTEXPR To lossless_integral_conversion(const From from, int& ec) {
+  ec = 0;
+  using F = std::numeric_limits<From>;
+  using T = std::numeric_limits<To>;
+  static_assert(F::is_integer, "From must be integral");
+  static_assert(T::is_integer, "To must be integral");
+
+  // A and B are both signed, or both unsigned.
+  if (detail::const_check(F::digits <= T::digits)) {
+    // From fits in To without any problem.
+  } else {
+    // From does not always fit in To, resort to a dynamic check.
+    if (from < (T::min)() || from > (T::max)()) {
+      // outside range.
+      ec = 1;
+      return {};
+    }
+  }
+  return static_cast<To>(from);
+}
+
+/**
+ * converts From to To, without loss. If the dynamic value of from
+ * can't be converted to To without loss, ec is set.
+ */
+template <typename To, typename From,
+          FMT_ENABLE_IF(!std::is_same<From, To>::value &&
+                        std::numeric_limits<From>::is_signed !=
+                            std::numeric_limits<To>::is_signed)>
+FMT_CONSTEXPR To lossless_integral_conversion(const From from, int& ec) {
+  ec = 0;
+  using F = std::numeric_limits<From>;
+  using T = std::numeric_limits<To>;
+  static_assert(F::is_integer, "From must be integral");
+  static_assert(T::is_integer, "To must be integral");
+
+  if (detail::const_check(F::is_signed && !T::is_signed)) {
+    // From may be negative, not allowed!
+    if (fmt::detail::is_negative(from)) {
+      ec = 1;
+      return {};
+    }
+    // From is positive. Can it always fit in To?
+    if (detail::const_check(F::digits > T::digits) &&
+        from > static_cast<From>(detail::max_value<To>())) {
+      ec = 1;
+      return {};
+    }
+  }
+
+  if (detail::const_check(!F::is_signed && T::is_signed &&
+                          F::digits >= T::digits) &&
+      from > static_cast<From>(detail::max_value<To>())) {
+    ec = 1;
+    return {};
+  }
+  return static_cast<To>(from);  // Lossless conversion.
+}
+
+template <typename To, typename From,
+          FMT_ENABLE_IF(std::is_same<From, To>::value)>
+FMT_CONSTEXPR To lossless_integral_conversion(const From from, int& ec) {
+  ec = 0;
+  return from;
+}  // function
+
+// clang-format off
+/**
+ * converts From to To if possible, otherwise ec is set.
+ *
+ * input                            |    output
+ * ---------------------------------|---------------
+ * NaN                              | NaN
+ * Inf                              | Inf
+ * normal, fits in output           | converted (possibly lossy)
+ * normal, does not fit in output   | ec is set
+ * subnormal                        | best effort
+ * -Inf                             | -Inf
+ */
+// clang-format on
+template <typename To, typename From,
+          FMT_ENABLE_IF(!std::is_same<From, To>::value)>
+FMT_CONSTEXPR To safe_float_conversion(const From from, int& ec) {
+  ec = 0;
+  using T = std::numeric_limits<To>;
+  static_assert(std::is_floating_point<From>::value, "From must be floating");
+  static_assert(std::is_floating_point<To>::value, "To must be floating");
+
+  // catch the only happy case
+  if (std::isfinite(from)) {
+    if (from >= T::lowest() && from <= (T::max)()) {
+      return static_cast<To>(from);
+    }
+    // not within range.
+    ec = 1;
+    return {};
+  }
+
+  // nan and inf will be preserved
+  return static_cast<To>(from);
+}  // function
+
+template <typename To, typename From,
+          FMT_ENABLE_IF(std::is_same<From, To>::value)>
+FMT_CONSTEXPR To safe_float_conversion(const From from, int& ec) {
+  ec = 0;
+  static_assert(std::is_floating_point<From>::value, "From must be floating");
+  return from;
+}
+
+/**
+ * safe duration cast between integral durations
+ */
+template <typename To, typename FromRep, typename FromPeriod,
+          FMT_ENABLE_IF(std::is_integral<FromRep>::value),
+          FMT_ENABLE_IF(std::is_integral<typename To::rep>::value)>
+To safe_duration_cast(std::chrono::duration<FromRep, FromPeriod> from,
+                      int& ec) {
+  using From = std::chrono::duration<FromRep, FromPeriod>;
+  ec = 0;
+  // the basic idea is that we need to convert from count() in the from type
+  // to count() in the To type, by multiplying it with this:
+  struct Factor
+      : std::ratio_divide<typename From::period, typename To::period> {};
+
+  static_assert(Factor::num > 0, "num must be positive");
+  static_assert(Factor::den > 0, "den must be positive");
+
+  // the conversion is like this: multiply from.count() with Factor::num
+  // /Factor::den and convert it to To::rep, all this without
+  // overflow/underflow. let's start by finding a suitable type that can hold
+  // both To, From and Factor::num
+  using IntermediateRep =
+      typename std::common_type<typename From::rep, typename To::rep,
+                                decltype(Factor::num)>::type;
+
+  // safe conversion to IntermediateRep
+  IntermediateRep count =
+      lossless_integral_conversion<IntermediateRep>(from.count(), ec);
+  if (ec) return {};
+  // multiply with Factor::num without overflow or underflow
+  if (detail::const_check(Factor::num != 1)) {
+    const auto max1 = detail::max_value<IntermediateRep>() / Factor::num;
+    if (count > max1) {
+      ec = 1;
+      return {};
+    }
+    const auto min1 =
+        (std::numeric_limits<IntermediateRep>::min)() / Factor::num;
+    if (count < min1) {
+      ec = 1;
+      return {};
+    }
+    count *= Factor::num;
+  }
+
+  if (detail::const_check(Factor::den != 1)) count /= Factor::den;
+  auto tocount = lossless_integral_conversion<typename To::rep>(count, ec);
+  return ec ? To() : To(tocount);
+}
+
+/**
+ * safe duration_cast between floating point durations
+ */
+template <typename To, typename FromRep, typename FromPeriod,
+          FMT_ENABLE_IF(std::is_floating_point<FromRep>::value),
+          FMT_ENABLE_IF(std::is_floating_point<typename To::rep>::value)>
+To safe_duration_cast(std::chrono::duration<FromRep, FromPeriod> from,
+                      int& ec) {
+  using From = std::chrono::duration<FromRep, FromPeriod>;
+  ec = 0;
+  if (std::isnan(from.count())) {
+    // nan in, gives nan out. easy.
+    return To{std::numeric_limits<typename To::rep>::quiet_NaN()};
+  }
+  // maybe we should also check if from is denormal, and decide what to do about
+  // it.
+
+  // +-inf should be preserved.
+  if (std::isinf(from.count())) {
+    return To{from.count()};
+  }
+
+  // the basic idea is that we need to convert from count() in the from type
+  // to count() in the To type, by multiplying it with this:
+  struct Factor
+      : std::ratio_divide<typename From::period, typename To::period> {};
+
+  static_assert(Factor::num > 0, "num must be positive");
+  static_assert(Factor::den > 0, "den must be positive");
+
+  // the conversion is like this: multiply from.count() with Factor::num
+  // /Factor::den and convert it to To::rep, all this without
+  // overflow/underflow. let's start by finding a suitable type that can hold
+  // both To, From and Factor::num
+  using IntermediateRep =
+      typename std::common_type<typename From::rep, typename To::rep,
+                                decltype(Factor::num)>::type;
+
+  // force conversion of From::rep -> IntermediateRep to be safe,
+  // even if it will never happen be narrowing in this context.
+  IntermediateRep count =
+      safe_float_conversion<IntermediateRep>(from.count(), ec);
+  if (ec) {
+    return {};
+  }
+
+  // multiply with Factor::num without overflow or underflow
+  if (detail::const_check(Factor::num != 1)) {
+    constexpr auto max1 = detail::max_value<IntermediateRep>() /
+                          static_cast<IntermediateRep>(Factor::num);
+    if (count > max1) {
+      ec = 1;
+      return {};
+    }
+    constexpr auto min1 = std::numeric_limits<IntermediateRep>::lowest() /
+                          static_cast<IntermediateRep>(Factor::num);
+    if (count < min1) {
+      ec = 1;
+      return {};
+    }
+    count *= static_cast<IntermediateRep>(Factor::num);
+  }
+
+  // this can't go wrong, right? den>0 is checked earlier.
+  if (detail::const_check(Factor::den != 1)) {
+    using common_t = typename std::common_type<IntermediateRep, intmax_t>::type;
+    count /= static_cast<common_t>(Factor::den);
+  }
+
+  // convert to the to type, safely
+  using ToRep = typename To::rep;
+
+  const ToRep tocount = safe_float_conversion<ToRep>(count, ec);
+  if (ec) {
+    return {};
+  }
+  return To{tocount};
+}
+}  // namespace safe_duration_cast
+#endif
+
+// Prevents expansion of a preceding token as a function-style macro.
+// Usage: f FMT_NOMACRO()
+#define FMT_NOMACRO
+
+namespace detail {
+template <typename T = void> struct null {};
+inline null<> localtime_r FMT_NOMACRO(...) { return null<>(); }
+inline null<> localtime_s(...) { return null<>(); }
+inline null<> gmtime_r(...) { return null<>(); }
+inline null<> gmtime_s(...) { return null<>(); }
+
+inline const std::locale& get_classic_locale() {
+  static const auto& locale = std::locale::classic();
+  return locale;
+}
+
+template <typename CodeUnit> struct codecvt_result {
+  static constexpr const size_t max_size = 32;
+  CodeUnit buf[max_size];
+  CodeUnit* end;
+};
+template <typename CodeUnit>
+constexpr const size_t codecvt_result<CodeUnit>::max_size;
+
+template <typename CodeUnit>
+void write_codecvt(codecvt_result<CodeUnit>& out, string_view in_buf,
+                   const std::locale& loc) {
+  using codecvt = std::codecvt<CodeUnit, char, std::mbstate_t>;
+#if FMT_CLANG_VERSION
+#  pragma clang diagnostic push
+#  pragma clang diagnostic ignored "-Wdeprecated"
+  auto& f = std::use_facet<codecvt>(loc);
+#  pragma clang diagnostic pop
+#else
+  auto& f = std::use_facet<codecvt>(loc);
+#endif
+  auto mb = std::mbstate_t();
+  const char* from_next = nullptr;
+  auto result = f.in(mb, in_buf.begin(), in_buf.end(), from_next,
+                     std::begin(out.buf), std::end(out.buf), out.end);
+  if (result != std::codecvt_base::ok)
+    FMT_THROW(format_error("failed to format time"));
+}
+
+template <typename OutputIt>
+auto write_encoded_tm_str(OutputIt out, string_view in, const std::locale& loc)
+    -> OutputIt {
+  if (detail::is_utf8() && loc != get_classic_locale()) {
+    // char16_t and char32_t codecvts are broken in MSVC (linkage errors) and
+    // gcc-4.
+#if FMT_MSC_VER != 0 || \
+    (defined(__GLIBCXX__) && !defined(_GLIBCXX_USE_DUAL_ABI))
+    // The _GLIBCXX_USE_DUAL_ABI macro is always defined in libstdc++ from gcc-5
+    // and newer.
+    using code_unit = wchar_t;
+#else
+    using code_unit = char32_t;
+#endif
+
+    using unit_t = codecvt_result<code_unit>;
+    unit_t unit;
+    write_codecvt(unit, in, loc);
+    // In UTF-8 is used one to four one-byte code units.
+    auto&& buf = basic_memory_buffer<char, unit_t::max_size * 4>();
+    for (code_unit* p = unit.buf; p != unit.end; ++p) {
+      uint32_t c = static_cast<uint32_t>(*p);
+      if (sizeof(code_unit) == 2 && c >= 0xd800 && c <= 0xdfff) {
+        // surrogate pair
+        ++p;
+        if (p == unit.end || (c & 0xfc00) != 0xd800 ||
+            (*p & 0xfc00) != 0xdc00) {
+          FMT_THROW(format_error("failed to format time"));
+        }
+        c = (c << 10) + static_cast<uint32_t>(*p) - 0x35fdc00;
+      }
+      if (c < 0x80) {
+        buf.push_back(static_cast<char>(c));
+      } else if (c < 0x800) {
+        buf.push_back(static_cast<char>(0xc0 | (c >> 6)));
+        buf.push_back(static_cast<char>(0x80 | (c & 0x3f)));
+      } else if ((c >= 0x800 && c <= 0xd7ff) || (c >= 0xe000 && c <= 0xffff)) {
+        buf.push_back(static_cast<char>(0xe0 | (c >> 12)));
+        buf.push_back(static_cast<char>(0x80 | ((c & 0xfff) >> 6)));
+        buf.push_back(static_cast<char>(0x80 | (c & 0x3f)));
+      } else if (c >= 0x10000 && c <= 0x10ffff) {
+        buf.push_back(static_cast<char>(0xf0 | (c >> 18)));
+        buf.push_back(static_cast<char>(0x80 | ((c & 0x3ffff) >> 12)));
+        buf.push_back(static_cast<char>(0x80 | ((c & 0xfff) >> 6)));
+        buf.push_back(static_cast<char>(0x80 | (c & 0x3f)));
+      } else {
+        FMT_THROW(format_error("failed to format time"));
+      }
+    }
+    return copy_str<char>(buf.data(), buf.data() + buf.size(), out);
+  }
+  return copy_str<char>(in.data(), in.data() + in.size(), out);
+}
+
+template <typename Char, typename OutputIt,
+          FMT_ENABLE_IF(!std::is_same<Char, char>::value)>
+auto write_tm_str(OutputIt out, string_view sv, const std::locale& loc)
+    -> OutputIt {
+  codecvt_result<Char> unit;
+  write_codecvt(unit, sv, loc);
+  return copy_str<Char>(unit.buf, unit.end, out);
+}
+
+template <typename Char, typename OutputIt,
+          FMT_ENABLE_IF(std::is_same<Char, char>::value)>
+auto write_tm_str(OutputIt out, string_view sv, const std::locale& loc)
+    -> OutputIt {
+  return write_encoded_tm_str(out, sv, loc);
+}
+
+template <typename Char>
+inline void do_write(buffer<Char>& buf, const std::tm& time,
+                     const std::locale& loc, char format, char modifier) {
+  auto&& format_buf = formatbuf<std::basic_streambuf<Char>>(buf);
+  auto&& os = std::basic_ostream<Char>(&format_buf);
+  os.imbue(loc);
+  using iterator = std::ostreambuf_iterator<Char>;
+  const auto& facet = std::use_facet<std::time_put<Char, iterator>>(loc);
+  auto end = facet.put(os, os, Char(' '), &time, format, modifier);
+  if (end.failed()) FMT_THROW(format_error("failed to format time"));
+}
+
+template <typename Char, typename OutputIt,
+          FMT_ENABLE_IF(!std::is_same<Char, char>::value)>
+auto write(OutputIt out, const std::tm& time, const std::locale& loc,
+           char format, char modifier = 0) -> OutputIt {
+  auto&& buf = get_buffer<Char>(out);
+  do_write<Char>(buf, time, loc, format, modifier);
+  return buf.out();
+}
+
+template <typename Char, typename OutputIt,
+          FMT_ENABLE_IF(std::is_same<Char, char>::value)>
+auto write(OutputIt out, const std::tm& time, const std::locale& loc,
+           char format, char modifier = 0) -> OutputIt {
+  auto&& buf = basic_memory_buffer<Char>();
+  do_write<char>(buf, time, loc, format, modifier);
+  return write_encoded_tm_str(out, string_view(buf.data(), buf.size()), loc);
+}
+
+}  // namespace detail
+
+FMT_MODULE_EXPORT_BEGIN
+
+/**
+  Converts given time since epoch as ``std::time_t`` value into calendar time,
+  expressed in local time. Unlike ``std::localtime``, this function is
+  thread-safe on most platforms.
+ */
+inline std::tm localtime(std::time_t time) {
+  struct dispatcher {
+    std::time_t time_;
+    std::tm tm_;
+
+    dispatcher(std::time_t t) : time_(t) {}
+
+    bool run() {
+      using namespace fmt::detail;
+      return handle(localtime_r(&time_, &tm_));
+    }
+
+    bool handle(std::tm* tm) { return tm != nullptr; }
+
+    bool handle(detail::null<>) {
+      using namespace fmt::detail;
+      return fallback(localtime_s(&tm_, &time_));
+    }
+
+    bool fallback(int res) { return res == 0; }
+
+#if !FMT_MSC_VER
+    bool fallback(detail::null<>) {
+      using namespace fmt::detail;
+      std::tm* tm = std::localtime(&time_);
+      if (tm) tm_ = *tm;
+      return tm != nullptr;
+    }
+#endif
+  };
+  dispatcher lt(time);
+  // Too big time values may be unsupported.
+  if (!lt.run()) FMT_THROW(format_error("time_t value out of range"));
+  return lt.tm_;
+}
+
+inline std::tm localtime(
+    std::chrono::time_point<std::chrono::system_clock> time_point) {
+  return localtime(std::chrono::system_clock::to_time_t(time_point));
+}
+
+/**
+  Converts given time since epoch as ``std::time_t`` value into calendar time,
+  expressed in Coordinated Universal Time (UTC). Unlike ``std::gmtime``, this
+  function is thread-safe on most platforms.
+ */
+inline std::tm gmtime(std::time_t time) {
+  struct dispatcher {
+    std::time_t time_;
+    std::tm tm_;
+
+    dispatcher(std::time_t t) : time_(t) {}
+
+    bool run() {
+      using namespace fmt::detail;
+      return handle(gmtime_r(&time_, &tm_));
+    }
+
+    bool handle(std::tm* tm) { return tm != nullptr; }
+
+    bool handle(detail::null<>) {
+      using namespace fmt::detail;
+      return fallback(gmtime_s(&tm_, &time_));
+    }
+
+    bool fallback(int res) { return res == 0; }
+
+#if !FMT_MSC_VER
+    bool fallback(detail::null<>) {
+      std::tm* tm = std::gmtime(&time_);
+      if (tm) tm_ = *tm;
+      return tm != nullptr;
+    }
+#endif
+  };
+  dispatcher gt(time);
+  // Too big time values may be unsupported.
+  if (!gt.run()) FMT_THROW(format_error("time_t value out of range"));
+  return gt.tm_;
+}
+
+inline std::tm gmtime(
+    std::chrono::time_point<std::chrono::system_clock> time_point) {
+  return gmtime(std::chrono::system_clock::to_time_t(time_point));
+}
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+// Writes two-digit numbers a, b and c separated by sep to buf.
+// The method by Pavel Novikov based on
+// https://johnnylee-sde.github.io/Fast-unsigned-integer-to-time-string/.
+inline void write_digit2_separated(char* buf, unsigned a, unsigned b,
+                                   unsigned c, char sep) {
+  unsigned long long digits =
+      a | (b << 24) | (static_cast<unsigned long long>(c) << 48);
+  // Convert each value to BCD.
+  // We have x = a * 10 + b and we want to convert it to BCD y = a * 16 + b.
+  // The difference is
+  //   y - x = a * 6
+  // a can be found from x:
+  //   a = floor(x / 10)
+  // then
+  //   y = x + a * 6 = x + floor(x / 10) * 6
+  // floor(x / 10) is (x * 205) >> 11 (needs 16 bits).
+  digits += (((digits * 205) >> 11) & 0x000f00000f00000f) * 6;
+  // Put low nibbles to high bytes and high nibbles to low bytes.
+  digits = ((digits & 0x00f00000f00000f0) >> 4) |
+           ((digits & 0x000f00000f00000f) << 8);
+  auto usep = static_cast<unsigned long long>(sep);
+  // Add ASCII '0' to each digit byte and insert separators.
+  digits |= 0x3030003030003030 | (usep << 16) | (usep << 40);
+
+  constexpr const size_t len = 8;
+  if (const_check(is_big_endian())) {
+    char tmp[len];
+    memcpy(tmp, &digits, len);
+    std::reverse_copy(tmp, tmp + len, buf);
+  } else {
+    memcpy(buf, &digits, len);
+  }
+}
+
+template <typename Period> FMT_CONSTEXPR inline const char* get_units() {
+  if (std::is_same<Period, std::atto>::value) return "as";
+  if (std::is_same<Period, std::femto>::value) return "fs";
+  if (std::is_same<Period, std::pico>::value) return "ps";
+  if (std::is_same<Period, std::nano>::value) return "ns";
+  if (std::is_same<Period, std::micro>::value) return "µs";
+  if (std::is_same<Period, std::milli>::value) return "ms";
+  if (std::is_same<Period, std::centi>::value) return "cs";
+  if (std::is_same<Period, std::deci>::value) return "ds";
+  if (std::is_same<Period, std::ratio<1>>::value) return "s";
+  if (std::is_same<Period, std::deca>::value) return "das";
+  if (std::is_same<Period, std::hecto>::value) return "hs";
+  if (std::is_same<Period, std::kilo>::value) return "ks";
+  if (std::is_same<Period, std::mega>::value) return "Ms";
+  if (std::is_same<Period, std::giga>::value) return "Gs";
+  if (std::is_same<Period, std::tera>::value) return "Ts";
+  if (std::is_same<Period, std::peta>::value) return "Ps";
+  if (std::is_same<Period, std::exa>::value) return "Es";
+  if (std::is_same<Period, std::ratio<60>>::value) return "m";
+  if (std::is_same<Period, std::ratio<3600>>::value) return "h";
+  return nullptr;
+}
+
+enum class numeric_system {
+  standard,
+  // Alternative numeric system, e.g. 十二 instead of 12 in ja_JP locale.
+  alternative
+};
+
+// Parses a put_time-like format string and invokes handler actions.
+template <typename Char, typename Handler>
+FMT_CONSTEXPR const Char* parse_chrono_format(const Char* begin,
+                                              const Char* end,
+                                              Handler&& handler) {
+  auto ptr = begin;
+  while (ptr != end) {
+    auto c = *ptr;
+    if (c == '}') break;
+    if (c != '%') {
+      ++ptr;
+      continue;
+    }
+    if (begin != ptr) handler.on_text(begin, ptr);
+    ++ptr;  // consume '%'
+    if (ptr == end) FMT_THROW(format_error("invalid format"));
+    c = *ptr++;
+    switch (c) {
+    case '%':
+      handler.on_text(ptr - 1, ptr);
+      break;
+    case 'n': {
+      const Char newline[] = {'\n'};
+      handler.on_text(newline, newline + 1);
+      break;
+    }
+    case 't': {
+      const Char tab[] = {'\t'};
+      handler.on_text(tab, tab + 1);
+      break;
+    }
+    // Year:
+    case 'Y':
+      handler.on_year(numeric_system::standard);
+      break;
+    case 'y':
+      handler.on_short_year(numeric_system::standard);
+      break;
+    case 'C':
+      handler.on_century(numeric_system::standard);
+      break;
+    case 'G':
+      handler.on_iso_week_based_year();
+      break;
+    case 'g':
+      handler.on_iso_week_based_short_year();
+      break;
+    // Day of the week:
+    case 'a':
+      handler.on_abbr_weekday();
+      break;
+    case 'A':
+      handler.on_full_weekday();
+      break;
+    case 'w':
+      handler.on_dec0_weekday(numeric_system::standard);
+      break;
+    case 'u':
+      handler.on_dec1_weekday(numeric_system::standard);
+      break;
+    // Month:
+    case 'b':
+    case 'h':
+      handler.on_abbr_month();
+      break;
+    case 'B':
+      handler.on_full_month();
+      break;
+    case 'm':
+      handler.on_dec_month(numeric_system::standard);
+      break;
+    // Day of the year/month:
+    case 'U':
+      handler.on_dec0_week_of_year(numeric_system::standard);
+      break;
+    case 'W':
+      handler.on_dec1_week_of_year(numeric_system::standard);
+      break;
+    case 'V':
+      handler.on_iso_week_of_year(numeric_system::standard);
+      break;
+    case 'j':
+      handler.on_day_of_year();
+      break;
+    case 'd':
+      handler.on_day_of_month(numeric_system::standard);
+      break;
+    case 'e':
+      handler.on_day_of_month_space(numeric_system::standard);
+      break;
+    // Hour, minute, second:
+    case 'H':
+      handler.on_24_hour(numeric_system::standard);
+      break;
+    case 'I':
+      handler.on_12_hour(numeric_system::standard);
+      break;
+    case 'M':
+      handler.on_minute(numeric_system::standard);
+      break;
+    case 'S':
+      handler.on_second(numeric_system::standard);
+      break;
+    // Other:
+    case 'c':
+      handler.on_datetime(numeric_system::standard);
+      break;
+    case 'x':
+      handler.on_loc_date(numeric_system::standard);
+      break;
+    case 'X':
+      handler.on_loc_time(numeric_system::standard);
+      break;
+    case 'D':
+      handler.on_us_date();
+      break;
+    case 'F':
+      handler.on_iso_date();
+      break;
+    case 'r':
+      handler.on_12_hour_time();
+      break;
+    case 'R':
+      handler.on_24_hour_time();
+      break;
+    case 'T':
+      handler.on_iso_time();
+      break;
+    case 'p':
+      handler.on_am_pm();
+      break;
+    case 'Q':
+      handler.on_duration_value();
+      break;
+    case 'q':
+      handler.on_duration_unit();
+      break;
+    case 'z':
+      handler.on_utc_offset();
+      break;
+    case 'Z':
+      handler.on_tz_name();
+      break;
+    // Alternative representation:
+    case 'E': {
+      if (ptr == end) FMT_THROW(format_error("invalid format"));
+      c = *ptr++;
+      switch (c) {
+      case 'Y':
+        handler.on_year(numeric_system::alternative);
+        break;
+      case 'y':
+        handler.on_offset_year();
+        break;
+      case 'C':
+        handler.on_century(numeric_system::alternative);
+        break;
+      case 'c':
+        handler.on_datetime(numeric_system::alternative);
+        break;
+      case 'x':
+        handler.on_loc_date(numeric_system::alternative);
+        break;
+      case 'X':
+        handler.on_loc_time(numeric_system::alternative);
+        break;
+      default:
+        FMT_THROW(format_error("invalid format"));
+      }
+      break;
+    }
+    case 'O':
+      if (ptr == end) FMT_THROW(format_error("invalid format"));
+      c = *ptr++;
+      switch (c) {
+      case 'y':
+        handler.on_short_year(numeric_system::alternative);
+        break;
+      case 'm':
+        handler.on_dec_month(numeric_system::alternative);
+        break;
+      case 'U':
+        handler.on_dec0_week_of_year(numeric_system::alternative);
+        break;
+      case 'W':
+        handler.on_dec1_week_of_year(numeric_system::alternative);
+        break;
+      case 'V':
+        handler.on_iso_week_of_year(numeric_system::alternative);
+        break;
+      case 'd':
+        handler.on_day_of_month(numeric_system::alternative);
+        break;
+      case 'e':
+        handler.on_day_of_month_space(numeric_system::alternative);
+        break;
+      case 'w':
+        handler.on_dec0_weekday(numeric_system::alternative);
+        break;
+      case 'u':
+        handler.on_dec1_weekday(numeric_system::alternative);
+        break;
+      case 'H':
+        handler.on_24_hour(numeric_system::alternative);
+        break;
+      case 'I':
+        handler.on_12_hour(numeric_system::alternative);
+        break;
+      case 'M':
+        handler.on_minute(numeric_system::alternative);
+        break;
+      case 'S':
+        handler.on_second(numeric_system::alternative);
+        break;
+      default:
+        FMT_THROW(format_error("invalid format"));
+      }
+      break;
+    default:
+      FMT_THROW(format_error("invalid format"));
+    }
+    begin = ptr;
+  }
+  if (begin != ptr) handler.on_text(begin, ptr);
+  return ptr;
+}
+
+template <typename Derived> struct null_chrono_spec_handler {
+  FMT_CONSTEXPR void unsupported() {
+    static_cast<Derived*>(this)->unsupported();
+  }
+  FMT_CONSTEXPR void on_year(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_short_year(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_offset_year() { unsupported(); }
+  FMT_CONSTEXPR void on_century(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_iso_week_based_year() { unsupported(); }
+  FMT_CONSTEXPR void on_iso_week_based_short_year() { unsupported(); }
+  FMT_CONSTEXPR void on_abbr_weekday() { unsupported(); }
+  FMT_CONSTEXPR void on_full_weekday() { unsupported(); }
+  FMT_CONSTEXPR void on_dec0_weekday(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_dec1_weekday(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_abbr_month() { unsupported(); }
+  FMT_CONSTEXPR void on_full_month() { unsupported(); }
+  FMT_CONSTEXPR void on_dec_month(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_dec0_week_of_year(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_dec1_week_of_year(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_iso_week_of_year(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_day_of_year() { unsupported(); }
+  FMT_CONSTEXPR void on_day_of_month(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_day_of_month_space(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_24_hour(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_12_hour(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_minute(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_second(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_datetime(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_loc_date(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_loc_time(numeric_system) { unsupported(); }
+  FMT_CONSTEXPR void on_us_date() { unsupported(); }
+  FMT_CONSTEXPR void on_iso_date() { unsupported(); }
+  FMT_CONSTEXPR void on_12_hour_time() { unsupported(); }
+  FMT_CONSTEXPR void on_24_hour_time() { unsupported(); }
+  FMT_CONSTEXPR void on_iso_time() { unsupported(); }
+  FMT_CONSTEXPR void on_am_pm() { unsupported(); }
+  FMT_CONSTEXPR void on_duration_value() { unsupported(); }
+  FMT_CONSTEXPR void on_duration_unit() { unsupported(); }
+  FMT_CONSTEXPR void on_utc_offset() { unsupported(); }
+  FMT_CONSTEXPR void on_tz_name() { unsupported(); }
+};
+
+struct tm_format_checker : null_chrono_spec_handler<tm_format_checker> {
+  FMT_NORETURN void unsupported() { FMT_THROW(format_error("no format")); }
+
+  template <typename Char>
+  FMT_CONSTEXPR void on_text(const Char*, const Char*) {}
+  FMT_CONSTEXPR void on_year(numeric_system) {}
+  FMT_CONSTEXPR void on_short_year(numeric_system) {}
+  FMT_CONSTEXPR void on_offset_year() {}
+  FMT_CONSTEXPR void on_century(numeric_system) {}
+  FMT_CONSTEXPR void on_iso_week_based_year() {}
+  FMT_CONSTEXPR void on_iso_week_based_short_year() {}
+  FMT_CONSTEXPR void on_abbr_weekday() {}
+  FMT_CONSTEXPR void on_full_weekday() {}
+  FMT_CONSTEXPR void on_dec0_weekday(numeric_system) {}
+  FMT_CONSTEXPR void on_dec1_weekday(numeric_system) {}
+  FMT_CONSTEXPR void on_abbr_month() {}
+  FMT_CONSTEXPR void on_full_month() {}
+  FMT_CONSTEXPR void on_dec_month(numeric_system) {}
+  FMT_CONSTEXPR void on_dec0_week_of_year(numeric_system) {}
+  FMT_CONSTEXPR void on_dec1_week_of_year(numeric_system) {}
+  FMT_CONSTEXPR void on_iso_week_of_year(numeric_system) {}
+  FMT_CONSTEXPR void on_day_of_year() {}
+  FMT_CONSTEXPR void on_day_of_month(numeric_system) {}
+  FMT_CONSTEXPR void on_day_of_month_space(numeric_system) {}
+  FMT_CONSTEXPR void on_24_hour(numeric_system) {}
+  FMT_CONSTEXPR void on_12_hour(numeric_system) {}
+  FMT_CONSTEXPR void on_minute(numeric_system) {}
+  FMT_CONSTEXPR void on_second(numeric_system) {}
+  FMT_CONSTEXPR void on_datetime(numeric_system) {}
+  FMT_CONSTEXPR void on_loc_date(numeric_system) {}
+  FMT_CONSTEXPR void on_loc_time(numeric_system) {}
+  FMT_CONSTEXPR void on_us_date() {}
+  FMT_CONSTEXPR void on_iso_date() {}
+  FMT_CONSTEXPR void on_12_hour_time() {}
+  FMT_CONSTEXPR void on_24_hour_time() {}
+  FMT_CONSTEXPR void on_iso_time() {}
+  FMT_CONSTEXPR void on_am_pm() {}
+  FMT_CONSTEXPR void on_utc_offset() {}
+  FMT_CONSTEXPR void on_tz_name() {}
+};
+
+inline const char* tm_wday_full_name(int wday) {
+  static constexpr const char* full_name_list[] = {
+      "Sunday",   "Monday", "Tuesday", "Wednesday",
+      "Thursday", "Friday", "Saturday"};
+  return wday >= 0 && wday <= 6 ? full_name_list[wday] : "?";
+}
+inline const char* tm_wday_short_name(int wday) {
+  static constexpr const char* short_name_list[] = {"Sun", "Mon", "Tue", "Wed",
+                                                    "Thu", "Fri", "Sat"};
+  return wday >= 0 && wday <= 6 ? short_name_list[wday] : "???";
+}
+
+inline const char* tm_mon_full_name(int mon) {
+  static constexpr const char* full_name_list[] = {
+      "January", "February", "March",     "April",   "May",      "June",
+      "July",    "August",   "September", "October", "November", "December"};
+  return mon >= 0 && mon <= 11 ? full_name_list[mon] : "?";
+}
+inline const char* tm_mon_short_name(int mon) {
+  static constexpr const char* short_name_list[] = {
+      "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+      "Jul", "Aug", "Sep", "Oct", "Nov", "Dec",
+  };
+  return mon >= 0 && mon <= 11 ? short_name_list[mon] : "???";
+}
+
+template <typename T, typename = void>
+struct has_member_data_tm_gmtoff : std::false_type {};
+template <typename T>
+struct has_member_data_tm_gmtoff<T, void_t<decltype(T::tm_gmtoff)>>
+    : std::true_type {};
+
+template <typename T, typename = void>
+struct has_member_data_tm_zone : std::false_type {};
+template <typename T>
+struct has_member_data_tm_zone<T, void_t<decltype(T::tm_zone)>>
+    : std::true_type {};
+
+#if FMT_USE_TZSET
+inline void tzset_once() {
+  static bool init = []() -> bool {
+    _tzset();
+    return true;
+  }();
+  ignore_unused(init);
+}
+#endif
+
+template <typename OutputIt, typename Char> class tm_writer {
+ private:
+  static constexpr int days_per_week = 7;
+
+  const std::locale& loc_;
+  const bool is_classic_;
+  OutputIt out_;
+  const std::tm& tm_;
+
+  auto tm_sec() const noexcept -> int {
+    FMT_ASSERT(tm_.tm_sec >= 0 && tm_.tm_sec <= 61, "");
+    return tm_.tm_sec;
+  }
+  auto tm_min() const noexcept -> int {
+    FMT_ASSERT(tm_.tm_min >= 0 && tm_.tm_min <= 59, "");
+    return tm_.tm_min;
+  }
+  auto tm_hour() const noexcept -> int {
+    FMT_ASSERT(tm_.tm_hour >= 0 && tm_.tm_hour <= 23, "");
+    return tm_.tm_hour;
+  }
+  auto tm_mday() const noexcept -> int {
+    FMT_ASSERT(tm_.tm_mday >= 1 && tm_.tm_mday <= 31, "");
+    return tm_.tm_mday;
+  }
+  auto tm_mon() const noexcept -> int {
+    FMT_ASSERT(tm_.tm_mon >= 0 && tm_.tm_mon <= 11, "");
+    return tm_.tm_mon;
+  }
+  auto tm_year() const noexcept -> long long { return 1900ll + tm_.tm_year; }
+  auto tm_wday() const noexcept -> int {
+    FMT_ASSERT(tm_.tm_wday >= 0 && tm_.tm_wday <= 6, "");
+    return tm_.tm_wday;
+  }
+  auto tm_yday() const noexcept -> int {
+    FMT_ASSERT(tm_.tm_yday >= 0 && tm_.tm_yday <= 365, "");
+    return tm_.tm_yday;
+  }
+
+  auto tm_hour12() const noexcept -> int {
+    const auto h = tm_hour();
+    const auto z = h < 12 ? h : h - 12;
+    return z == 0 ? 12 : z;
+  }
+
+  // POSIX and the C Standard are unclear or inconsistent about what %C and %y
+  // do if the year is negative or exceeds 9999. Use the convention that %C
+  // concatenated with %y yields the same output as %Y, and that %Y contains at
+  // least 4 characters, with more only if necessary.
+  auto split_year_lower(long long year) const noexcept -> int {
+    auto l = year % 100;
+    if (l < 0) l = -l;  // l in [0, 99]
+    return static_cast<int>(l);
+  }
+
+  // Algorithm:
+  // https://en.wikipedia.org/wiki/ISO_week_date#Calculating_the_week_number_from_a_month_and_day_of_the_month_or_ordinal_date
+  auto iso_year_weeks(long long curr_year) const noexcept -> int {
+    const auto prev_year = curr_year - 1;
+    const auto curr_p =
+        (curr_year + curr_year / 4 - curr_year / 100 + curr_year / 400) %
+        days_per_week;
+    const auto prev_p =
+        (prev_year + prev_year / 4 - prev_year / 100 + prev_year / 400) %
+        days_per_week;
+    return 52 + ((curr_p == 4 || prev_p == 3) ? 1 : 0);
+  }
+  auto iso_week_num(int tm_yday, int tm_wday) const noexcept -> int {
+    return (tm_yday + 11 - (tm_wday == 0 ? days_per_week : tm_wday)) /
+           days_per_week;
+  }
+  auto tm_iso_week_year() const noexcept -> long long {
+    const auto year = tm_year();
+    const auto w = iso_week_num(tm_yday(), tm_wday());
+    if (w < 1) return year - 1;
+    if (w > iso_year_weeks(year)) return year + 1;
+    return year;
+  }
+  auto tm_iso_week_of_year() const noexcept -> int {
+    const auto year = tm_year();
+    const auto w = iso_week_num(tm_yday(), tm_wday());
+    if (w < 1) return iso_year_weeks(year - 1);
+    if (w > iso_year_weeks(year)) return 1;
+    return w;
+  }
+
+  void write1(int value) {
+    *out_++ = static_cast<char>('0' + to_unsigned(value) % 10);
+  }
+  void write2(int value) {
+    const char* d = digits2(to_unsigned(value) % 100);
+    *out_++ = *d++;
+    *out_++ = *d;
+  }
+
+  void write_year_extended(long long year) {
+    // At least 4 characters.
+    int width = 4;
+    if (year < 0) {
+      *out_++ = '-';
+      year = 0 - year;
+      --width;
+    }
+    uint32_or_64_or_128_t<long long> n = to_unsigned(year);
+    const int num_digits = count_digits(n);
+    if (width > num_digits) out_ = std::fill_n(out_, width - num_digits, '0');
+    out_ = format_decimal<Char>(out_, n, num_digits).end;
+  }
+  void write_year(long long year) {
+    if (year >= 0 && year < 10000) {
+      write2(static_cast<int>(year / 100));
+      write2(static_cast<int>(year % 100));
+    } else {
+      write_year_extended(year);
+    }
+  }
+
+  void write_utc_offset(long offset) {
+    if (offset < 0) {
+      *out_++ = '-';
+      offset = -offset;
+    } else {
+      *out_++ = '+';
+    }
+    offset /= 60;
+    write2(static_cast<int>(offset / 60));
+    write2(static_cast<int>(offset % 60));
+  }
+  template <typename T, FMT_ENABLE_IF(has_member_data_tm_gmtoff<T>::value)>
+  void format_utc_offset_impl(const T& tm) {
+    write_utc_offset(tm.tm_gmtoff);
+  }
+  template <typename T, FMT_ENABLE_IF(!has_member_data_tm_gmtoff<T>::value)>
+  void format_utc_offset_impl(const T& tm) {
+#if defined(_WIN32) && defined(_UCRT)
+#  if FMT_USE_TZSET
+    tzset_once();
+#  endif
+    long offset = 0;
+    _get_timezone(&offset);
+    if (tm.tm_isdst) {
+      long dstbias = 0;
+      _get_dstbias(&dstbias);
+      offset += dstbias;
+    }
+    write_utc_offset(-offset);
+#else
+    ignore_unused(tm);
+    format_localized('z');
+#endif
+  }
+
+  template <typename T, FMT_ENABLE_IF(has_member_data_tm_zone<T>::value)>
+  void format_tz_name_impl(const T& tm) {
+    if (is_classic_)
+      out_ = write_tm_str<Char>(out_, tm.tm_zone, loc_);
+    else
+      format_localized('Z');
+  }
+  template <typename T, FMT_ENABLE_IF(!has_member_data_tm_zone<T>::value)>
+  void format_tz_name_impl(const T&) {
+    format_localized('Z');
+  }
+
+  void format_localized(char format, char modifier = 0) {
+    out_ = write<Char>(out_, tm_, loc_, format, modifier);
+  }
+
+ public:
+  tm_writer(const std::locale& loc, OutputIt out, const std::tm& tm)
+      : loc_(loc),
+        is_classic_(loc_ == get_classic_locale()),
+        out_(out),
+        tm_(tm) {}
+
+  OutputIt out() const { return out_; }
+
+  FMT_CONSTEXPR void on_text(const Char* begin, const Char* end) {
+    out_ = copy_str<Char>(begin, end, out_);
+  }
+
+  void on_abbr_weekday() {
+    if (is_classic_)
+      out_ = write(out_, tm_wday_short_name(tm_wday()));
+    else
+      format_localized('a');
+  }
+  void on_full_weekday() {
+    if (is_classic_)
+      out_ = write(out_, tm_wday_full_name(tm_wday()));
+    else
+      format_localized('A');
+  }
+  void on_dec0_weekday(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) return write1(tm_wday());
+    format_localized('w', 'O');
+  }
+  void on_dec1_weekday(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) {
+      auto wday = tm_wday();
+      write1(wday == 0 ? days_per_week : wday);
+    } else {
+      format_localized('u', 'O');
+    }
+  }
+
+  void on_abbr_month() {
+    if (is_classic_)
+      out_ = write(out_, tm_mon_short_name(tm_mon()));
+    else
+      format_localized('b');
+  }
+  void on_full_month() {
+    if (is_classic_)
+      out_ = write(out_, tm_mon_full_name(tm_mon()));
+    else
+      format_localized('B');
+  }
+
+  void on_datetime(numeric_system ns) {
+    if (is_classic_) {
+      on_abbr_weekday();
+      *out_++ = ' ';
+      on_abbr_month();
+      *out_++ = ' ';
+      on_day_of_month_space(numeric_system::standard);
+      *out_++ = ' ';
+      on_iso_time();
+      *out_++ = ' ';
+      on_year(numeric_system::standard);
+    } else {
+      format_localized('c', ns == numeric_system::standard ? '\0' : 'E');
+    }
+  }
+  void on_loc_date(numeric_system ns) {
+    if (is_classic_)
+      on_us_date();
+    else
+      format_localized('x', ns == numeric_system::standard ? '\0' : 'E');
+  }
+  void on_loc_time(numeric_system ns) {
+    if (is_classic_)
+      on_iso_time();
+    else
+      format_localized('X', ns == numeric_system::standard ? '\0' : 'E');
+  }
+  void on_us_date() {
+    char buf[8];
+    write_digit2_separated(buf, to_unsigned(tm_mon() + 1),
+                           to_unsigned(tm_mday()),
+                           to_unsigned(split_year_lower(tm_year())), '/');
+    out_ = copy_str<Char>(std::begin(buf), std::end(buf), out_);
+  }
+  void on_iso_date() {
+    auto year = tm_year();
+    char buf[10];
+    size_t offset = 0;
+    if (year >= 0 && year < 10000) {
+      copy2(buf, digits2(to_unsigned(year / 100)));
+    } else {
+      offset = 4;
+      write_year_extended(year);
+      year = 0;
+    }
+    write_digit2_separated(buf + 2, static_cast<unsigned>(year % 100),
+                           to_unsigned(tm_mon() + 1), to_unsigned(tm_mday()),
+                           '-');
+    out_ = copy_str<Char>(std::begin(buf) + offset, std::end(buf), out_);
+  }
+
+  void on_utc_offset() { format_utc_offset_impl(tm_); }
+  void on_tz_name() { format_tz_name_impl(tm_); }
+
+  void on_year(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard)
+      return write_year(tm_year());
+    format_localized('Y', 'E');
+  }
+  void on_short_year(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard)
+      return write2(split_year_lower(tm_year()));
+    format_localized('y', 'O');
+  }
+  void on_offset_year() {
+    if (is_classic_) return write2(split_year_lower(tm_year()));
+    format_localized('y', 'E');
+  }
+
+  void on_century(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) {
+      auto year = tm_year();
+      auto upper = year / 100;
+      if (year >= -99 && year < 0) {
+        // Zero upper on negative year.
+        *out_++ = '-';
+        *out_++ = '0';
+      } else if (upper >= 0 && upper < 100) {
+        write2(static_cast<int>(upper));
+      } else {
+        out_ = write<Char>(out_, upper);
+      }
+    } else {
+      format_localized('C', 'E');
+    }
+  }
+
+  void on_dec_month(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard)
+      return write2(tm_mon() + 1);
+    format_localized('m', 'O');
+  }
+
+  void on_dec0_week_of_year(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard)
+      return write2((tm_yday() + days_per_week - tm_wday()) / days_per_week);
+    format_localized('U', 'O');
+  }
+  void on_dec1_week_of_year(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) {
+      auto wday = tm_wday();
+      write2((tm_yday() + days_per_week -
+              (wday == 0 ? (days_per_week - 1) : (wday - 1))) /
+             days_per_week);
+    } else {
+      format_localized('W', 'O');
+    }
+  }
+  void on_iso_week_of_year(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard)
+      return write2(tm_iso_week_of_year());
+    format_localized('V', 'O');
+  }
+
+  void on_iso_week_based_year() { write_year(tm_iso_week_year()); }
+  void on_iso_week_based_short_year() {
+    write2(split_year_lower(tm_iso_week_year()));
+  }
+
+  void on_day_of_year() {
+    auto yday = tm_yday() + 1;
+    write1(yday / 100);
+    write2(yday % 100);
+  }
+  void on_day_of_month(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) return write2(tm_mday());
+    format_localized('d', 'O');
+  }
+  void on_day_of_month_space(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) {
+      auto mday = to_unsigned(tm_mday()) % 100;
+      const char* d2 = digits2(mday);
+      *out_++ = mday < 10 ? ' ' : d2[0];
+      *out_++ = d2[1];
+    } else {
+      format_localized('e', 'O');
+    }
+  }
+
+  void on_24_hour(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) return write2(tm_hour());
+    format_localized('H', 'O');
+  }
+  void on_12_hour(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard)
+      return write2(tm_hour12());
+    format_localized('I', 'O');
+  }
+  void on_minute(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) return write2(tm_min());
+    format_localized('M', 'O');
+  }
+  void on_second(numeric_system ns) {
+    if (is_classic_ || ns == numeric_system::standard) return write2(tm_sec());
+    format_localized('S', 'O');
+  }
+
+  void on_12_hour_time() {
+    if (is_classic_) {
+      char buf[8];
+      write_digit2_separated(buf, to_unsigned(tm_hour12()),
+                             to_unsigned(tm_min()), to_unsigned(tm_sec()), ':');
+      out_ = copy_str<Char>(std::begin(buf), std::end(buf), out_);
+      *out_++ = ' ';
+      on_am_pm();
+    } else {
+      format_localized('r');
+    }
+  }
+  void on_24_hour_time() {
+    write2(tm_hour());
+    *out_++ = ':';
+    write2(tm_min());
+  }
+  void on_iso_time() {
+    char buf[8];
+    write_digit2_separated(buf, to_unsigned(tm_hour()), to_unsigned(tm_min()),
+                           to_unsigned(tm_sec()), ':');
+    out_ = copy_str<Char>(std::begin(buf), std::end(buf), out_);
+  }
+
+  void on_am_pm() {
+    if (is_classic_) {
+      *out_++ = tm_hour() < 12 ? 'A' : 'P';
+      *out_++ = 'M';
+    } else {
+      format_localized('p');
+    }
+  }
+
+  // These apply to chrono durations but not tm.
+  void on_duration_value() {}
+  void on_duration_unit() {}
+};
+
+struct chrono_format_checker : null_chrono_spec_handler<chrono_format_checker> {
+  FMT_NORETURN void unsupported() { FMT_THROW(format_error("no date")); }
+
+  template <typename Char>
+  FMT_CONSTEXPR void on_text(const Char*, const Char*) {}
+  FMT_CONSTEXPR void on_24_hour(numeric_system) {}
+  FMT_CONSTEXPR void on_12_hour(numeric_system) {}
+  FMT_CONSTEXPR void on_minute(numeric_system) {}
+  FMT_CONSTEXPR void on_second(numeric_system) {}
+  FMT_CONSTEXPR void on_12_hour_time() {}
+  FMT_CONSTEXPR void on_24_hour_time() {}
+  FMT_CONSTEXPR void on_iso_time() {}
+  FMT_CONSTEXPR void on_am_pm() {}
+  FMT_CONSTEXPR void on_duration_value() {}
+  FMT_CONSTEXPR void on_duration_unit() {}
+};
+
+template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+inline bool isnan(T) {
+  return false;
+}
+template <typename T, FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+inline bool isnan(T value) {
+  return std::isnan(value);
+}
+
+template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+inline bool isfinite(T) {
+  return true;
+}
+
+// Converts value to Int and checks that it's in the range [0, upper).
+template <typename T, typename Int, FMT_ENABLE_IF(std::is_integral<T>::value)>
+inline Int to_nonnegative_int(T value, Int upper) {
+  FMT_ASSERT(value >= 0 && to_unsigned(value) <= to_unsigned(upper),
+             "invalid value");
+  (void)upper;
+  return static_cast<Int>(value);
+}
+template <typename T, typename Int, FMT_ENABLE_IF(!std::is_integral<T>::value)>
+inline Int to_nonnegative_int(T value, Int upper) {
+  if (value < 0 || value > static_cast<T>(upper))
+    FMT_THROW(format_error("invalid value"));
+  return static_cast<Int>(value);
+}
+
+template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+inline T mod(T x, int y) {
+  return x % static_cast<T>(y);
+}
+template <typename T, FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+inline T mod(T x, int y) {
+  return std::fmod(x, static_cast<T>(y));
+}
+
+// If T is an integral type, maps T to its unsigned counterpart, otherwise
+// leaves it unchanged (unlike std::make_unsigned).
+template <typename T, bool INTEGRAL = std::is_integral<T>::value>
+struct make_unsigned_or_unchanged {
+  using type = T;
+};
+
+template <typename T> struct make_unsigned_or_unchanged<T, true> {
+  using type = typename std::make_unsigned<T>::type;
+};
+
+#if FMT_SAFE_DURATION_CAST
+// throwing version of safe_duration_cast
+template <typename To, typename FromRep, typename FromPeriod>
+To fmt_safe_duration_cast(std::chrono::duration<FromRep, FromPeriod> from) {
+  int ec;
+  To to = safe_duration_cast::safe_duration_cast<To>(from, ec);
+  if (ec) FMT_THROW(format_error("cannot format duration"));
+  return to;
+}
+#endif
+
+template <typename Rep, typename Period,
+          FMT_ENABLE_IF(std::is_integral<Rep>::value)>
+inline std::chrono::duration<Rep, std::milli> get_milliseconds(
+    std::chrono::duration<Rep, Period> d) {
+  // this may overflow and/or the result may not fit in the
+  // target type.
+#if FMT_SAFE_DURATION_CAST
+  using CommonSecondsType =
+      typename std::common_type<decltype(d), std::chrono::seconds>::type;
+  const auto d_as_common = fmt_safe_duration_cast<CommonSecondsType>(d);
+  const auto d_as_whole_seconds =
+      fmt_safe_duration_cast<std::chrono::seconds>(d_as_common);
+  // this conversion should be nonproblematic
+  const auto diff = d_as_common - d_as_whole_seconds;
+  const auto ms =
+      fmt_safe_duration_cast<std::chrono::duration<Rep, std::milli>>(diff);
+  return ms;
+#else
+  auto s = std::chrono::duration_cast<std::chrono::seconds>(d);
+  return std::chrono::duration_cast<std::chrono::milliseconds>(d - s);
+#endif
+}
+
+// Returns the number of fractional digits in the range [0, 18] according to the
+// C++20 spec. If more than 18 fractional digits are required then returns 6 for
+// microseconds precision.
+constexpr int count_fractional_digits(long long num, long long den, int n = 0) {
+  return num % den == 0
+             ? n
+             : (n > 18 ? 6 : count_fractional_digits(num * 10, den, n + 1));
+}
+
+constexpr long long pow10(std::uint32_t n) {
+  return n == 0 ? 1 : 10 * pow10(n - 1);
+}
+
+template <class Rep, class Period,
+          FMT_ENABLE_IF(std::numeric_limits<Rep>::is_signed)>
+constexpr std::chrono::duration<Rep, Period> abs(
+    std::chrono::duration<Rep, Period> d) {
+  // We need to compare the duration using the count() method directly
+  // due to a compiler bug in clang-11 regarding the spaceship operator,
+  // when -Wzero-as-null-pointer-constant is enabled.
+  // In clang-12 the bug has been fixed. See
+  // https://bugs.llvm.org/show_bug.cgi?id=46235 and the reproducible example:
+  // https://www.godbolt.org/z/Knbb5joYx.
+  return d.count() >= d.zero().count() ? d : -d;
+}
+
+template <class Rep, class Period,
+          FMT_ENABLE_IF(!std::numeric_limits<Rep>::is_signed)>
+constexpr std::chrono::duration<Rep, Period> abs(
+    std::chrono::duration<Rep, Period> d) {
+  return d;
+}
+
+template <typename Char, typename Rep, typename OutputIt,
+          FMT_ENABLE_IF(std::is_integral<Rep>::value)>
+OutputIt format_duration_value(OutputIt out, Rep val, int) {
+  return write<Char>(out, val);
+}
+
+template <typename Char, typename Rep, typename OutputIt,
+          FMT_ENABLE_IF(std::is_floating_point<Rep>::value)>
+OutputIt format_duration_value(OutputIt out, Rep val, int precision) {
+  auto specs = basic_format_specs<Char>();
+  specs.precision = precision;
+  specs.type = precision >= 0 ? presentation_type::fixed_lower
+                              : presentation_type::general_lower;
+  return write<Char>(out, val, specs);
+}
+
+template <typename Char, typename OutputIt>
+OutputIt copy_unit(string_view unit, OutputIt out, Char) {
+  return std::copy(unit.begin(), unit.end(), out);
+}
+
+template <typename OutputIt>
+OutputIt copy_unit(string_view unit, OutputIt out, wchar_t) {
+  // This works when wchar_t is UTF-32 because units only contain characters
+  // that have the same representation in UTF-16 and UTF-32.
+  utf8_to_utf16 u(unit);
+  return std::copy(u.c_str(), u.c_str() + u.size(), out);
+}
+
+template <typename Char, typename Period, typename OutputIt>
+OutputIt format_duration_unit(OutputIt out) {
+  if (const char* unit = get_units<Period>())
+    return copy_unit(string_view(unit), out, Char());
+  *out++ = '[';
+  out = write<Char>(out, Period::num);
+  if (const_check(Period::den != 1)) {
+    *out++ = '/';
+    out = write<Char>(out, Period::den);
+  }
+  *out++ = ']';
+  *out++ = 's';
+  return out;
+}
+
+class get_locale {
+ private:
+  union {
+    std::locale locale_;
+  };
+  bool has_locale_ = false;
+
+ public:
+  get_locale(bool localized, locale_ref loc) : has_locale_(localized) {
+    if (localized)
+      ::new (&locale_) std::locale(loc.template get<std::locale>());
+  }
+  ~get_locale() {
+    if (has_locale_) locale_.~locale();
+  }
+  operator const std::locale&() const {
+    return has_locale_ ? locale_ : get_classic_locale();
+  }
+};
+
+template <typename FormatContext, typename OutputIt, typename Rep,
+          typename Period>
+struct chrono_formatter {
+  FormatContext& context;
+  OutputIt out;
+  int precision;
+  bool localized = false;
+  // rep is unsigned to avoid overflow.
+  using rep =
+      conditional_t<std::is_integral<Rep>::value && sizeof(Rep) < sizeof(int),
+                    unsigned, typename make_unsigned_or_unchanged<Rep>::type>;
+  rep val;
+  using seconds = std::chrono::duration<rep>;
+  seconds s;
+  using milliseconds = std::chrono::duration<rep, std::milli>;
+  bool negative;
+
+  using char_type = typename FormatContext::char_type;
+  using tm_writer_type = tm_writer<OutputIt, char_type>;
+
+  chrono_formatter(FormatContext& ctx, OutputIt o,
+                   std::chrono::duration<Rep, Period> d)
+      : context(ctx),
+        out(o),
+        val(static_cast<rep>(d.count())),
+        negative(false) {
+    if (d.count() < 0) {
+      val = 0 - val;
+      negative = true;
+    }
+
+    // this may overflow and/or the result may not fit in the
+    // target type.
+#if FMT_SAFE_DURATION_CAST
+    // might need checked conversion (rep!=Rep)
+    auto tmpval = std::chrono::duration<rep, Period>(val);
+    s = fmt_safe_duration_cast<seconds>(tmpval);
+#else
+    s = std::chrono::duration_cast<seconds>(
+        std::chrono::duration<rep, Period>(val));
+#endif
+  }
+
+  // returns true if nan or inf, writes to out.
+  bool handle_nan_inf() {
+    if (isfinite(val)) {
+      return false;
+    }
+    if (isnan(val)) {
+      write_nan();
+      return true;
+    }
+    // must be +-inf
+    if (val > 0) {
+      write_pinf();
+    } else {
+      write_ninf();
+    }
+    return true;
+  }
+
+  Rep hour() const { return static_cast<Rep>(mod((s.count() / 3600), 24)); }
+
+  Rep hour12() const {
+    Rep hour = static_cast<Rep>(mod((s.count() / 3600), 12));
+    return hour <= 0 ? 12 : hour;
+  }
+
+  Rep minute() const { return static_cast<Rep>(mod((s.count() / 60), 60)); }
+  Rep second() const { return static_cast<Rep>(mod(s.count(), 60)); }
+
+  std::tm time() const {
+    auto time = std::tm();
+    time.tm_hour = to_nonnegative_int(hour(), 24);
+    time.tm_min = to_nonnegative_int(minute(), 60);
+    time.tm_sec = to_nonnegative_int(second(), 60);
+    return time;
+  }
+
+  void write_sign() {
+    if (negative) {
+      *out++ = '-';
+      negative = false;
+    }
+  }
+
+  void write(Rep value, int width) {
+    write_sign();
+    if (isnan(value)) return write_nan();
+    uint32_or_64_or_128_t<int> n =
+        to_unsigned(to_nonnegative_int(value, max_value<int>()));
+    int num_digits = detail::count_digits(n);
+    if (width > num_digits) out = std::fill_n(out, width - num_digits, '0');
+    out = format_decimal<char_type>(out, n, num_digits).end;
+  }
+
+  template <class Duration> void write_fractional_seconds(Duration d) {
+    constexpr auto num_fractional_digits =
+        count_fractional_digits(Duration::period::num, Duration::period::den);
+
+    using subsecond_precision = std::chrono::duration<
+        typename std::common_type<typename Duration::rep,
+                                  std::chrono::seconds::rep>::type,
+        std::ratio<1, detail::pow10(num_fractional_digits)>>;
+    if (std::ratio_less<typename subsecond_precision::period,
+                        std::chrono::seconds::period>::value) {
+      *out++ = '.';
+      // Don't convert long double to integer seconds to avoid overflow.
+      using sec = conditional_t<
+          std::is_same<typename Duration::rep, long double>::value,
+          std::chrono::duration<long double>, std::chrono::seconds>;
+      auto fractional = detail::abs(d) - std::chrono::duration_cast<sec>(d);
+      const auto subseconds =
+          std::chrono::treat_as_floating_point<
+              typename subsecond_precision::rep>::value
+              ? fractional.count()
+              : std::chrono::duration_cast<subsecond_precision>(fractional)
+                    .count();
+      uint32_or_64_or_128_t<long long> n =
+          to_unsigned(to_nonnegative_int(subseconds, max_value<long long>()));
+      int num_digits = detail::count_digits(n);
+      if (num_fractional_digits > num_digits)
+        out = std::fill_n(out, num_fractional_digits - num_digits, '0');
+      out = format_decimal<char_type>(out, n, num_digits).end;
+    }
+  }
+
+  void write_nan() { std::copy_n("nan", 3, out); }
+  void write_pinf() { std::copy_n("inf", 3, out); }
+  void write_ninf() { std::copy_n("-inf", 4, out); }
+
+  template <typename Callback, typename... Args>
+  void format_tm(const tm& time, Callback cb, Args... args) {
+    if (isnan(val)) return write_nan();
+    get_locale loc(localized, context.locale());
+    auto w = tm_writer_type(loc, out, time);
+    (w.*cb)(args...);
+    out = w.out();
+  }
+
+  void on_text(const char_type* begin, const char_type* end) {
+    std::copy(begin, end, out);
+  }
+
+  // These are not implemented because durations don't have date information.
+  void on_abbr_weekday() {}
+  void on_full_weekday() {}
+  void on_dec0_weekday(numeric_system) {}
+  void on_dec1_weekday(numeric_system) {}
+  void on_abbr_month() {}
+  void on_full_month() {}
+  void on_datetime(numeric_system) {}
+  void on_loc_date(numeric_system) {}
+  void on_loc_time(numeric_system) {}
+  void on_us_date() {}
+  void on_iso_date() {}
+  void on_utc_offset() {}
+  void on_tz_name() {}
+  void on_year(numeric_system) {}
+  void on_short_year(numeric_system) {}
+  void on_offset_year() {}
+  void on_century(numeric_system) {}
+  void on_iso_week_based_year() {}
+  void on_iso_week_based_short_year() {}
+  void on_dec_month(numeric_system) {}
+  void on_dec0_week_of_year(numeric_system) {}
+  void on_dec1_week_of_year(numeric_system) {}
+  void on_iso_week_of_year(numeric_system) {}
+  void on_day_of_year() {}
+  void on_day_of_month(numeric_system) {}
+  void on_day_of_month_space(numeric_system) {}
+
+  void on_24_hour(numeric_system ns) {
+    if (handle_nan_inf()) return;
+
+    if (ns == numeric_system::standard) return write(hour(), 2);
+    auto time = tm();
+    time.tm_hour = to_nonnegative_int(hour(), 24);
+    format_tm(time, &tm_writer_type::on_24_hour, ns);
+  }
+
+  void on_12_hour(numeric_system ns) {
+    if (handle_nan_inf()) return;
+
+    if (ns == numeric_system::standard) return write(hour12(), 2);
+    auto time = tm();
+    time.tm_hour = to_nonnegative_int(hour12(), 12);
+    format_tm(time, &tm_writer_type::on_12_hour, ns);
+  }
+
+  void on_minute(numeric_system ns) {
+    if (handle_nan_inf()) return;
+
+    if (ns == numeric_system::standard) return write(minute(), 2);
+    auto time = tm();
+    time.tm_min = to_nonnegative_int(minute(), 60);
+    format_tm(time, &tm_writer_type::on_minute, ns);
+  }
+
+  void on_second(numeric_system ns) {
+    if (handle_nan_inf()) return;
+
+    if (ns == numeric_system::standard) {
+      write(second(), 2);
+      write_fractional_seconds(std::chrono::duration<rep, Period>{val});
+      return;
+    }
+    auto time = tm();
+    time.tm_sec = to_nonnegative_int(second(), 60);
+    format_tm(time, &tm_writer_type::on_second, ns);
+  }
+
+  void on_12_hour_time() {
+    if (handle_nan_inf()) return;
+    format_tm(time(), &tm_writer_type::on_12_hour_time);
+  }
+
+  void on_24_hour_time() {
+    if (handle_nan_inf()) {
+      *out++ = ':';
+      handle_nan_inf();
+      return;
+    }
+
+    write(hour(), 2);
+    *out++ = ':';
+    write(minute(), 2);
+  }
+
+  void on_iso_time() {
+    on_24_hour_time();
+    *out++ = ':';
+    if (handle_nan_inf()) return;
+    on_second(numeric_system::standard);
+  }
+
+  void on_am_pm() {
+    if (handle_nan_inf()) return;
+    format_tm(time(), &tm_writer_type::on_am_pm);
+  }
+
+  void on_duration_value() {
+    if (handle_nan_inf()) return;
+    write_sign();
+    out = format_duration_value<char_type>(out, val, precision);
+  }
+
+  void on_duration_unit() {
+    out = format_duration_unit<char_type, Period>(out);
+  }
+};
+
+FMT_END_DETAIL_NAMESPACE
+
+#if defined(__cpp_lib_chrono) && __cpp_lib_chrono >= 201907
+using weekday = std::chrono::weekday;
+#else
+// A fallback version of weekday.
+class weekday {
+ private:
+  unsigned char value;
+
+ public:
+  weekday() = default;
+  explicit constexpr weekday(unsigned wd) noexcept
+      : value(static_cast<unsigned char>(wd != 7 ? wd : 0)) {}
+  constexpr unsigned c_encoding() const noexcept { return value; }
+};
+
+class year_month_day {};
+#endif
+
+// A rudimentary weekday formatter.
+template <typename Char> struct formatter<weekday, Char> {
+ private:
+  bool localized = false;
+
+ public:
+  FMT_CONSTEXPR auto parse(basic_format_parse_context<Char>& ctx)
+      -> decltype(ctx.begin()) {
+    auto begin = ctx.begin(), end = ctx.end();
+    if (begin != end && *begin == 'L') {
+      ++begin;
+      localized = true;
+    }
+    return begin;
+  }
+
+  template <typename FormatContext>
+  auto format(weekday wd, FormatContext& ctx) const -> decltype(ctx.out()) {
+    auto time = std::tm();
+    time.tm_wday = static_cast<int>(wd.c_encoding());
+    detail::get_locale loc(localized, ctx.locale());
+    auto w = detail::tm_writer<decltype(ctx.out()), Char>(loc, ctx.out(), time);
+    w.on_abbr_weekday();
+    return w.out();
+  }
+};
+
+template <typename Rep, typename Period, typename Char>
+struct formatter<std::chrono::duration<Rep, Period>, Char> {
+ private:
+  basic_format_specs<Char> specs;
+  int precision = -1;
+  using arg_ref_type = detail::arg_ref<Char>;
+  arg_ref_type width_ref;
+  arg_ref_type precision_ref;
+  bool localized = false;
+  basic_string_view<Char> format_str;
+  using duration = std::chrono::duration<Rep, Period>;
+
+  struct spec_handler {
+    formatter& f;
+    basic_format_parse_context<Char>& context;
+    basic_string_view<Char> format_str;
+
+    template <typename Id> FMT_CONSTEXPR arg_ref_type make_arg_ref(Id arg_id) {
+      context.check_arg_id(arg_id);
+      return arg_ref_type(arg_id);
+    }
+
+    FMT_CONSTEXPR arg_ref_type make_arg_ref(basic_string_view<Char> arg_id) {
+      context.check_arg_id(arg_id);
+      return arg_ref_type(arg_id);
+    }
+
+    FMT_CONSTEXPR arg_ref_type make_arg_ref(detail::auto_id) {
+      return arg_ref_type(context.next_arg_id());
+    }
+
+    void on_error(const char* msg) { FMT_THROW(format_error(msg)); }
+    FMT_CONSTEXPR void on_fill(basic_string_view<Char> fill) {
+      f.specs.fill = fill;
+    }
+    FMT_CONSTEXPR void on_align(align_t align) { f.specs.align = align; }
+    FMT_CONSTEXPR void on_width(int width) { f.specs.width = width; }
+    FMT_CONSTEXPR void on_precision(int _precision) {
+      f.precision = _precision;
+    }
+    FMT_CONSTEXPR void end_precision() {}
+
+    template <typename Id> FMT_CONSTEXPR void on_dynamic_width(Id arg_id) {
+      f.width_ref = make_arg_ref(arg_id);
+    }
+
+    template <typename Id> FMT_CONSTEXPR void on_dynamic_precision(Id arg_id) {
+      f.precision_ref = make_arg_ref(arg_id);
+    }
+  };
+
+  using iterator = typename basic_format_parse_context<Char>::iterator;
+  struct parse_range {
+    iterator begin;
+    iterator end;
+  };
+
+  FMT_CONSTEXPR parse_range do_parse(basic_format_parse_context<Char>& ctx) {
+    auto begin = ctx.begin(), end = ctx.end();
+    if (begin == end || *begin == '}') return {begin, begin};
+    spec_handler handler{*this, ctx, format_str};
+    begin = detail::parse_align(begin, end, handler);
+    if (begin == end) return {begin, begin};
+    begin = detail::parse_width(begin, end, handler);
+    if (begin == end) return {begin, begin};
+    if (*begin == '.') {
+      if (std::is_floating_point<Rep>::value)
+        begin = detail::parse_precision(begin, end, handler);
+      else
+        handler.on_error("precision not allowed for this argument type");
+    }
+    if (begin != end && *begin == 'L') {
+      ++begin;
+      localized = true;
+    }
+    end = detail::parse_chrono_format(begin, end,
+                                      detail::chrono_format_checker());
+    return {begin, end};
+  }
+
+ public:
+  FMT_CONSTEXPR auto parse(basic_format_parse_context<Char>& ctx)
+      -> decltype(ctx.begin()) {
+    auto range = do_parse(ctx);
+    format_str = basic_string_view<Char>(
+        &*range.begin, detail::to_unsigned(range.end - range.begin));
+    return range.end;
+  }
+
+  template <typename FormatContext>
+  auto format(const duration& d, FormatContext& ctx) const
+      -> decltype(ctx.out()) {
+    auto specs_copy = specs;
+    auto precision_copy = precision;
+    auto begin = format_str.begin(), end = format_str.end();
+    // As a possible future optimization, we could avoid extra copying if width
+    // is not specified.
+    basic_memory_buffer<Char> buf;
+    auto out = std::back_inserter(buf);
+    detail::handle_dynamic_spec<detail::width_checker>(specs_copy.width,
+                                                       width_ref, ctx);
+    detail::handle_dynamic_spec<detail::precision_checker>(precision_copy,
+                                                           precision_ref, ctx);
+    if (begin == end || *begin == '}') {
+      out = detail::format_duration_value<Char>(out, d.count(), precision_copy);
+      detail::format_duration_unit<Char, Period>(out);
+    } else {
+      detail::chrono_formatter<FormatContext, decltype(out), Rep, Period> f(
+          ctx, out, d);
+      f.precision = precision_copy;
+      f.localized = localized;
+      detail::parse_chrono_format(begin, end, f);
+    }
+    return detail::write(
+        ctx.out(), basic_string_view<Char>(buf.data(), buf.size()), specs_copy);
+  }
+};
+
+template <typename Char, typename Duration>
+struct formatter<std::chrono::time_point<std::chrono::system_clock, Duration>,
+                 Char> : formatter<std::tm, Char> {
+  FMT_CONSTEXPR formatter() {
+    this->do_parse(default_specs,
+                   default_specs + sizeof(default_specs) / sizeof(Char));
+  }
+
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return this->do_parse(ctx.begin(), ctx.end(), true);
+  }
+
+  template <typename FormatContext>
+  auto format(std::chrono::time_point<std::chrono::system_clock> val,
+              FormatContext& ctx) const -> decltype(ctx.out()) {
+    return formatter<std::tm, Char>::format(localtime(val), ctx);
+  }
+
+  static constexpr const Char default_specs[] = {'%', 'F', ' ', '%', 'T'};
+};
+
+template <typename Char, typename Duration>
+constexpr const Char
+    formatter<std::chrono::time_point<std::chrono::system_clock, Duration>,
+              Char>::default_specs[];
+
+template <typename Char> struct formatter<std::tm, Char> {
+ private:
+  enum class spec {
+    unknown,
+    year_month_day,
+    hh_mm_ss,
+  };
+  spec spec_ = spec::unknown;
+  basic_string_view<Char> specs;
+
+ protected:
+  template <typename It>
+  FMT_CONSTEXPR auto do_parse(It begin, It end, bool with_default = false)
+      -> It {
+    if (begin != end && *begin == ':') ++begin;
+    end = detail::parse_chrono_format(begin, end, detail::tm_format_checker());
+    if (!with_default || end != begin)
+      specs = {begin, detail::to_unsigned(end - begin)};
+    // basic_string_view<>::compare isn't constexpr before C++17.
+    if (specs.size() == 2 && specs[0] == Char('%')) {
+      if (specs[1] == Char('F'))
+        spec_ = spec::year_month_day;
+      else if (specs[1] == Char('T'))
+        spec_ = spec::hh_mm_ss;
+    }
+    return end;
+  }
+
+ public:
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return this->do_parse(ctx.begin(), ctx.end());
+  }
+
+  template <typename FormatContext>
+  auto format(const std::tm& tm, FormatContext& ctx) const
+      -> decltype(ctx.out()) {
+    const auto loc_ref = ctx.locale();
+    detail::get_locale loc(static_cast<bool>(loc_ref), loc_ref);
+    auto w = detail::tm_writer<decltype(ctx.out()), Char>(loc, ctx.out(), tm);
+    if (spec_ == spec::year_month_day)
+      w.on_iso_date();
+    else if (spec_ == spec::hh_mm_ss)
+      w.on_iso_time();
+    else
+      detail::parse_chrono_format(specs.begin(), specs.end(), w);
+    return w.out();
+  }
+};
+
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#endif  // FMT_CHRONO_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/color.h b/ctrtool/deps/libfmt/include/fmt/color.h
new file mode 100644
index 00000000..dfbe4829
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/color.h
@@ -0,0 +1,638 @@
+// Formatting library for C++ - color support
+//
+// Copyright (c) 2018 - present, Victor Zverovich and fmt contributors
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_COLOR_H_
+#define FMT_COLOR_H_
+
+#include "format.h"
+
+// __declspec(deprecated) is broken in some MSVC versions.
+#if FMT_MSC_VER
+#  define FMT_DEPRECATED_NONMSVC
+#else
+#  define FMT_DEPRECATED_NONMSVC FMT_DEPRECATED
+#endif
+
+FMT_BEGIN_NAMESPACE
+FMT_MODULE_EXPORT_BEGIN
+
+enum class color : uint32_t {
+  alice_blue = 0xF0F8FF,               // rgb(240,248,255)
+  antique_white = 0xFAEBD7,            // rgb(250,235,215)
+  aqua = 0x00FFFF,                     // rgb(0,255,255)
+  aquamarine = 0x7FFFD4,               // rgb(127,255,212)
+  azure = 0xF0FFFF,                    // rgb(240,255,255)
+  beige = 0xF5F5DC,                    // rgb(245,245,220)
+  bisque = 0xFFE4C4,                   // rgb(255,228,196)
+  black = 0x000000,                    // rgb(0,0,0)
+  blanched_almond = 0xFFEBCD,          // rgb(255,235,205)
+  blue = 0x0000FF,                     // rgb(0,0,255)
+  blue_violet = 0x8A2BE2,              // rgb(138,43,226)
+  brown = 0xA52A2A,                    // rgb(165,42,42)
+  burly_wood = 0xDEB887,               // rgb(222,184,135)
+  cadet_blue = 0x5F9EA0,               // rgb(95,158,160)
+  chartreuse = 0x7FFF00,               // rgb(127,255,0)
+  chocolate = 0xD2691E,                // rgb(210,105,30)
+  coral = 0xFF7F50,                    // rgb(255,127,80)
+  cornflower_blue = 0x6495ED,          // rgb(100,149,237)
+  cornsilk = 0xFFF8DC,                 // rgb(255,248,220)
+  crimson = 0xDC143C,                  // rgb(220,20,60)
+  cyan = 0x00FFFF,                     // rgb(0,255,255)
+  dark_blue = 0x00008B,                // rgb(0,0,139)
+  dark_cyan = 0x008B8B,                // rgb(0,139,139)
+  dark_golden_rod = 0xB8860B,          // rgb(184,134,11)
+  dark_gray = 0xA9A9A9,                // rgb(169,169,169)
+  dark_green = 0x006400,               // rgb(0,100,0)
+  dark_khaki = 0xBDB76B,               // rgb(189,183,107)
+  dark_magenta = 0x8B008B,             // rgb(139,0,139)
+  dark_olive_green = 0x556B2F,         // rgb(85,107,47)
+  dark_orange = 0xFF8C00,              // rgb(255,140,0)
+  dark_orchid = 0x9932CC,              // rgb(153,50,204)
+  dark_red = 0x8B0000,                 // rgb(139,0,0)
+  dark_salmon = 0xE9967A,              // rgb(233,150,122)
+  dark_sea_green = 0x8FBC8F,           // rgb(143,188,143)
+  dark_slate_blue = 0x483D8B,          // rgb(72,61,139)
+  dark_slate_gray = 0x2F4F4F,          // rgb(47,79,79)
+  dark_turquoise = 0x00CED1,           // rgb(0,206,209)
+  dark_violet = 0x9400D3,              // rgb(148,0,211)
+  deep_pink = 0xFF1493,                // rgb(255,20,147)
+  deep_sky_blue = 0x00BFFF,            // rgb(0,191,255)
+  dim_gray = 0x696969,                 // rgb(105,105,105)
+  dodger_blue = 0x1E90FF,              // rgb(30,144,255)
+  fire_brick = 0xB22222,               // rgb(178,34,34)
+  floral_white = 0xFFFAF0,             // rgb(255,250,240)
+  forest_green = 0x228B22,             // rgb(34,139,34)
+  fuchsia = 0xFF00FF,                  // rgb(255,0,255)
+  gainsboro = 0xDCDCDC,                // rgb(220,220,220)
+  ghost_white = 0xF8F8FF,              // rgb(248,248,255)
+  gold = 0xFFD700,                     // rgb(255,215,0)
+  golden_rod = 0xDAA520,               // rgb(218,165,32)
+  gray = 0x808080,                     // rgb(128,128,128)
+  green = 0x008000,                    // rgb(0,128,0)
+  green_yellow = 0xADFF2F,             // rgb(173,255,47)
+  honey_dew = 0xF0FFF0,                // rgb(240,255,240)
+  hot_pink = 0xFF69B4,                 // rgb(255,105,180)
+  indian_red = 0xCD5C5C,               // rgb(205,92,92)
+  indigo = 0x4B0082,                   // rgb(75,0,130)
+  ivory = 0xFFFFF0,                    // rgb(255,255,240)
+  khaki = 0xF0E68C,                    // rgb(240,230,140)
+  lavender = 0xE6E6FA,                 // rgb(230,230,250)
+  lavender_blush = 0xFFF0F5,           // rgb(255,240,245)
+  lawn_green = 0x7CFC00,               // rgb(124,252,0)
+  lemon_chiffon = 0xFFFACD,            // rgb(255,250,205)
+  light_blue = 0xADD8E6,               // rgb(173,216,230)
+  light_coral = 0xF08080,              // rgb(240,128,128)
+  light_cyan = 0xE0FFFF,               // rgb(224,255,255)
+  light_golden_rod_yellow = 0xFAFAD2,  // rgb(250,250,210)
+  light_gray = 0xD3D3D3,               // rgb(211,211,211)
+  light_green = 0x90EE90,              // rgb(144,238,144)
+  light_pink = 0xFFB6C1,               // rgb(255,182,193)
+  light_salmon = 0xFFA07A,             // rgb(255,160,122)
+  light_sea_green = 0x20B2AA,          // rgb(32,178,170)
+  light_sky_blue = 0x87CEFA,           // rgb(135,206,250)
+  light_slate_gray = 0x778899,         // rgb(119,136,153)
+  light_steel_blue = 0xB0C4DE,         // rgb(176,196,222)
+  light_yellow = 0xFFFFE0,             // rgb(255,255,224)
+  lime = 0x00FF00,                     // rgb(0,255,0)
+  lime_green = 0x32CD32,               // rgb(50,205,50)
+  linen = 0xFAF0E6,                    // rgb(250,240,230)
+  magenta = 0xFF00FF,                  // rgb(255,0,255)
+  maroon = 0x800000,                   // rgb(128,0,0)
+  medium_aquamarine = 0x66CDAA,        // rgb(102,205,170)
+  medium_blue = 0x0000CD,              // rgb(0,0,205)
+  medium_orchid = 0xBA55D3,            // rgb(186,85,211)
+  medium_purple = 0x9370DB,            // rgb(147,112,219)
+  medium_sea_green = 0x3CB371,         // rgb(60,179,113)
+  medium_slate_blue = 0x7B68EE,        // rgb(123,104,238)
+  medium_spring_green = 0x00FA9A,      // rgb(0,250,154)
+  medium_turquoise = 0x48D1CC,         // rgb(72,209,204)
+  medium_violet_red = 0xC71585,        // rgb(199,21,133)
+  midnight_blue = 0x191970,            // rgb(25,25,112)
+  mint_cream = 0xF5FFFA,               // rgb(245,255,250)
+  misty_rose = 0xFFE4E1,               // rgb(255,228,225)
+  moccasin = 0xFFE4B5,                 // rgb(255,228,181)
+  navajo_white = 0xFFDEAD,             // rgb(255,222,173)
+  navy = 0x000080,                     // rgb(0,0,128)
+  old_lace = 0xFDF5E6,                 // rgb(253,245,230)
+  olive = 0x808000,                    // rgb(128,128,0)
+  olive_drab = 0x6B8E23,               // rgb(107,142,35)
+  orange = 0xFFA500,                   // rgb(255,165,0)
+  orange_red = 0xFF4500,               // rgb(255,69,0)
+  orchid = 0xDA70D6,                   // rgb(218,112,214)
+  pale_golden_rod = 0xEEE8AA,          // rgb(238,232,170)
+  pale_green = 0x98FB98,               // rgb(152,251,152)
+  pale_turquoise = 0xAFEEEE,           // rgb(175,238,238)
+  pale_violet_red = 0xDB7093,          // rgb(219,112,147)
+  papaya_whip = 0xFFEFD5,              // rgb(255,239,213)
+  peach_puff = 0xFFDAB9,               // rgb(255,218,185)
+  peru = 0xCD853F,                     // rgb(205,133,63)
+  pink = 0xFFC0CB,                     // rgb(255,192,203)
+  plum = 0xDDA0DD,                     // rgb(221,160,221)
+  powder_blue = 0xB0E0E6,              // rgb(176,224,230)
+  purple = 0x800080,                   // rgb(128,0,128)
+  rebecca_purple = 0x663399,           // rgb(102,51,153)
+  red = 0xFF0000,                      // rgb(255,0,0)
+  rosy_brown = 0xBC8F8F,               // rgb(188,143,143)
+  royal_blue = 0x4169E1,               // rgb(65,105,225)
+  saddle_brown = 0x8B4513,             // rgb(139,69,19)
+  salmon = 0xFA8072,                   // rgb(250,128,114)
+  sandy_brown = 0xF4A460,              // rgb(244,164,96)
+  sea_green = 0x2E8B57,                // rgb(46,139,87)
+  sea_shell = 0xFFF5EE,                // rgb(255,245,238)
+  sienna = 0xA0522D,                   // rgb(160,82,45)
+  silver = 0xC0C0C0,                   // rgb(192,192,192)
+  sky_blue = 0x87CEEB,                 // rgb(135,206,235)
+  slate_blue = 0x6A5ACD,               // rgb(106,90,205)
+  slate_gray = 0x708090,               // rgb(112,128,144)
+  snow = 0xFFFAFA,                     // rgb(255,250,250)
+  spring_green = 0x00FF7F,             // rgb(0,255,127)
+  steel_blue = 0x4682B4,               // rgb(70,130,180)
+  tan = 0xD2B48C,                      // rgb(210,180,140)
+  teal = 0x008080,                     // rgb(0,128,128)
+  thistle = 0xD8BFD8,                  // rgb(216,191,216)
+  tomato = 0xFF6347,                   // rgb(255,99,71)
+  turquoise = 0x40E0D0,                // rgb(64,224,208)
+  violet = 0xEE82EE,                   // rgb(238,130,238)
+  wheat = 0xF5DEB3,                    // rgb(245,222,179)
+  white = 0xFFFFFF,                    // rgb(255,255,255)
+  white_smoke = 0xF5F5F5,              // rgb(245,245,245)
+  yellow = 0xFFFF00,                   // rgb(255,255,0)
+  yellow_green = 0x9ACD32              // rgb(154,205,50)
+};                                     // enum class color
+
+enum class terminal_color : uint8_t {
+  black = 30,
+  red,
+  green,
+  yellow,
+  blue,
+  magenta,
+  cyan,
+  white,
+  bright_black = 90,
+  bright_red,
+  bright_green,
+  bright_yellow,
+  bright_blue,
+  bright_magenta,
+  bright_cyan,
+  bright_white
+};
+
+enum class emphasis : uint8_t {
+  bold = 1,
+  faint = 1 << 1,
+  italic = 1 << 2,
+  underline = 1 << 3,
+  blink = 1 << 4,
+  reverse = 1 << 5,
+  conceal = 1 << 6,
+  strikethrough = 1 << 7,
+};
+
+// rgb is a struct for red, green and blue colors.
+// Using the name "rgb" makes some editors show the color in a tooltip.
+struct rgb {
+  FMT_CONSTEXPR rgb() : r(0), g(0), b(0) {}
+  FMT_CONSTEXPR rgb(uint8_t r_, uint8_t g_, uint8_t b_) : r(r_), g(g_), b(b_) {}
+  FMT_CONSTEXPR rgb(uint32_t hex)
+      : r((hex >> 16) & 0xFF), g((hex >> 8) & 0xFF), b(hex & 0xFF) {}
+  FMT_CONSTEXPR rgb(color hex)
+      : r((uint32_t(hex) >> 16) & 0xFF),
+        g((uint32_t(hex) >> 8) & 0xFF),
+        b(uint32_t(hex) & 0xFF) {}
+  uint8_t r;
+  uint8_t g;
+  uint8_t b;
+};
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+// color is a struct of either a rgb color or a terminal color.
+struct color_type {
+  FMT_CONSTEXPR color_type() FMT_NOEXCEPT : is_rgb(), value{} {}
+  FMT_CONSTEXPR color_type(color rgb_color) FMT_NOEXCEPT : is_rgb(true),
+                                                           value{} {
+    value.rgb_color = static_cast<uint32_t>(rgb_color);
+  }
+  FMT_CONSTEXPR color_type(rgb rgb_color) FMT_NOEXCEPT : is_rgb(true), value{} {
+    value.rgb_color = (static_cast<uint32_t>(rgb_color.r) << 16) |
+                      (static_cast<uint32_t>(rgb_color.g) << 8) | rgb_color.b;
+  }
+  FMT_CONSTEXPR color_type(terminal_color term_color) FMT_NOEXCEPT : is_rgb(),
+                                                                     value{} {
+    value.term_color = static_cast<uint8_t>(term_color);
+  }
+  bool is_rgb;
+  union color_union {
+    uint8_t term_color;
+    uint32_t rgb_color;
+  } value;
+};
+
+FMT_END_DETAIL_NAMESPACE
+
+/** A text style consisting of foreground and background colors and emphasis. */
+class text_style {
+ public:
+  FMT_CONSTEXPR text_style(emphasis em = emphasis()) FMT_NOEXCEPT
+      : set_foreground_color(),
+        set_background_color(),
+        ems(em) {}
+
+  FMT_CONSTEXPR text_style& operator|=(const text_style& rhs) {
+    if (!set_foreground_color) {
+      set_foreground_color = rhs.set_foreground_color;
+      foreground_color = rhs.foreground_color;
+    } else if (rhs.set_foreground_color) {
+      if (!foreground_color.is_rgb || !rhs.foreground_color.is_rgb)
+        FMT_THROW(format_error("can't OR a terminal color"));
+      foreground_color.value.rgb_color |= rhs.foreground_color.value.rgb_color;
+    }
+
+    if (!set_background_color) {
+      set_background_color = rhs.set_background_color;
+      background_color = rhs.background_color;
+    } else if (rhs.set_background_color) {
+      if (!background_color.is_rgb || !rhs.background_color.is_rgb)
+        FMT_THROW(format_error("can't OR a terminal color"));
+      background_color.value.rgb_color |= rhs.background_color.value.rgb_color;
+    }
+
+    ems = static_cast<emphasis>(static_cast<uint8_t>(ems) |
+                                static_cast<uint8_t>(rhs.ems));
+    return *this;
+  }
+
+  friend FMT_CONSTEXPR text_style operator|(text_style lhs,
+                                            const text_style& rhs) {
+    return lhs |= rhs;
+  }
+
+  FMT_DEPRECATED_NONMSVC FMT_CONSTEXPR text_style& operator&=(
+      const text_style& rhs) {
+    return and_assign(rhs);
+  }
+
+  FMT_DEPRECATED_NONMSVC friend FMT_CONSTEXPR text_style
+  operator&(text_style lhs, const text_style& rhs) {
+    return lhs.and_assign(rhs);
+  }
+
+  FMT_CONSTEXPR bool has_foreground() const FMT_NOEXCEPT {
+    return set_foreground_color;
+  }
+  FMT_CONSTEXPR bool has_background() const FMT_NOEXCEPT {
+    return set_background_color;
+  }
+  FMT_CONSTEXPR bool has_emphasis() const FMT_NOEXCEPT {
+    return static_cast<uint8_t>(ems) != 0;
+  }
+  FMT_CONSTEXPR detail::color_type get_foreground() const FMT_NOEXCEPT {
+    FMT_ASSERT(has_foreground(), "no foreground specified for this style");
+    return foreground_color;
+  }
+  FMT_CONSTEXPR detail::color_type get_background() const FMT_NOEXCEPT {
+    FMT_ASSERT(has_background(), "no background specified for this style");
+    return background_color;
+  }
+  FMT_CONSTEXPR emphasis get_emphasis() const FMT_NOEXCEPT {
+    FMT_ASSERT(has_emphasis(), "no emphasis specified for this style");
+    return ems;
+  }
+
+ private:
+  FMT_CONSTEXPR text_style(bool is_foreground,
+                           detail::color_type text_color) FMT_NOEXCEPT
+      : set_foreground_color(),
+        set_background_color(),
+        ems() {
+    if (is_foreground) {
+      foreground_color = text_color;
+      set_foreground_color = true;
+    } else {
+      background_color = text_color;
+      set_background_color = true;
+    }
+  }
+
+  // DEPRECATED!
+  FMT_CONSTEXPR text_style& and_assign(const text_style& rhs) {
+    if (!set_foreground_color) {
+      set_foreground_color = rhs.set_foreground_color;
+      foreground_color = rhs.foreground_color;
+    } else if (rhs.set_foreground_color) {
+      if (!foreground_color.is_rgb || !rhs.foreground_color.is_rgb)
+        FMT_THROW(format_error("can't AND a terminal color"));
+      foreground_color.value.rgb_color &= rhs.foreground_color.value.rgb_color;
+    }
+
+    if (!set_background_color) {
+      set_background_color = rhs.set_background_color;
+      background_color = rhs.background_color;
+    } else if (rhs.set_background_color) {
+      if (!background_color.is_rgb || !rhs.background_color.is_rgb)
+        FMT_THROW(format_error("can't AND a terminal color"));
+      background_color.value.rgb_color &= rhs.background_color.value.rgb_color;
+    }
+
+    ems = static_cast<emphasis>(static_cast<uint8_t>(ems) &
+                                static_cast<uint8_t>(rhs.ems));
+    return *this;
+  }
+
+  friend FMT_CONSTEXPR_DECL text_style fg(detail::color_type foreground)
+      FMT_NOEXCEPT;
+
+  friend FMT_CONSTEXPR_DECL text_style bg(detail::color_type background)
+      FMT_NOEXCEPT;
+
+  detail::color_type foreground_color;
+  detail::color_type background_color;
+  bool set_foreground_color;
+  bool set_background_color;
+  emphasis ems;
+};
+
+/** Creates a text style from the foreground (text) color. */
+FMT_CONSTEXPR inline text_style fg(detail::color_type foreground) FMT_NOEXCEPT {
+  return text_style(true, foreground);
+}
+
+/** Creates a text style from the background color. */
+FMT_CONSTEXPR inline text_style bg(detail::color_type background) FMT_NOEXCEPT {
+  return text_style(false, background);
+}
+
+FMT_CONSTEXPR inline text_style operator|(emphasis lhs,
+                                          emphasis rhs) FMT_NOEXCEPT {
+  return text_style(lhs) | rhs;
+}
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+template <typename Char> struct ansi_color_escape {
+  FMT_CONSTEXPR ansi_color_escape(detail::color_type text_color,
+                                  const char* esc) FMT_NOEXCEPT {
+    // If we have a terminal color, we need to output another escape code
+    // sequence.
+    if (!text_color.is_rgb) {
+      bool is_background = esc == string_view("\x1b[48;2;");
+      uint32_t value = text_color.value.term_color;
+      // Background ASCII codes are the same as the foreground ones but with
+      // 10 more.
+      if (is_background) value += 10u;
+
+      size_t index = 0;
+      buffer[index++] = static_cast<Char>('\x1b');
+      buffer[index++] = static_cast<Char>('[');
+
+      if (value >= 100u) {
+        buffer[index++] = static_cast<Char>('1');
+        value %= 100u;
+      }
+      buffer[index++] = static_cast<Char>('0' + value / 10u);
+      buffer[index++] = static_cast<Char>('0' + value % 10u);
+
+      buffer[index++] = static_cast<Char>('m');
+      buffer[index++] = static_cast<Char>('\0');
+      return;
+    }
+
+    for (int i = 0; i < 7; i++) {
+      buffer[i] = static_cast<Char>(esc[i]);
+    }
+    rgb color(text_color.value.rgb_color);
+    to_esc(color.r, buffer + 7, ';');
+    to_esc(color.g, buffer + 11, ';');
+    to_esc(color.b, buffer + 15, 'm');
+    buffer[19] = static_cast<Char>(0);
+  }
+  FMT_CONSTEXPR ansi_color_escape(emphasis em) FMT_NOEXCEPT {
+    uint8_t em_codes[num_emphases] = {};
+    if (has_emphasis(em, emphasis::bold)) em_codes[0] = 1;
+    if (has_emphasis(em, emphasis::faint)) em_codes[1] = 2;
+    if (has_emphasis(em, emphasis::italic)) em_codes[2] = 3;
+    if (has_emphasis(em, emphasis::underline)) em_codes[3] = 4;
+    if (has_emphasis(em, emphasis::blink)) em_codes[4] = 5;
+    if (has_emphasis(em, emphasis::reverse)) em_codes[5] = 7;
+    if (has_emphasis(em, emphasis::conceal)) em_codes[6] = 8;
+    if (has_emphasis(em, emphasis::strikethrough)) em_codes[7] = 9;
+
+    size_t index = 0;
+    for (size_t i = 0; i < num_emphases; ++i) {
+      if (!em_codes[i]) continue;
+      buffer[index++] = static_cast<Char>('\x1b');
+      buffer[index++] = static_cast<Char>('[');
+      buffer[index++] = static_cast<Char>('0' + em_codes[i]);
+      buffer[index++] = static_cast<Char>('m');
+    }
+    buffer[index++] = static_cast<Char>(0);
+  }
+  FMT_CONSTEXPR operator const Char*() const FMT_NOEXCEPT { return buffer; }
+
+  FMT_CONSTEXPR const Char* begin() const FMT_NOEXCEPT { return buffer; }
+  FMT_CONSTEXPR_CHAR_TRAITS const Char* end() const FMT_NOEXCEPT {
+    return buffer + std::char_traits<Char>::length(buffer);
+  }
+
+ private:
+  static constexpr size_t num_emphases = 8;
+  Char buffer[7u + 3u * num_emphases + 1u];
+
+  static FMT_CONSTEXPR void to_esc(uint8_t c, Char* out,
+                                   char delimiter) FMT_NOEXCEPT {
+    out[0] = static_cast<Char>('0' + c / 100);
+    out[1] = static_cast<Char>('0' + c / 10 % 10);
+    out[2] = static_cast<Char>('0' + c % 10);
+    out[3] = static_cast<Char>(delimiter);
+  }
+  static FMT_CONSTEXPR bool has_emphasis(emphasis em,
+                                         emphasis mask) FMT_NOEXCEPT {
+    return static_cast<uint8_t>(em) & static_cast<uint8_t>(mask);
+  }
+};
+
+template <typename Char>
+FMT_CONSTEXPR ansi_color_escape<Char> make_foreground_color(
+    detail::color_type foreground) FMT_NOEXCEPT {
+  return ansi_color_escape<Char>(foreground, "\x1b[38;2;");
+}
+
+template <typename Char>
+FMT_CONSTEXPR ansi_color_escape<Char> make_background_color(
+    detail::color_type background) FMT_NOEXCEPT {
+  return ansi_color_escape<Char>(background, "\x1b[48;2;");
+}
+
+template <typename Char>
+FMT_CONSTEXPR ansi_color_escape<Char> make_emphasis(emphasis em) FMT_NOEXCEPT {
+  return ansi_color_escape<Char>(em);
+}
+
+template <typename Char>
+inline void fputs(const Char* chars, FILE* stream) FMT_NOEXCEPT {
+  std::fputs(chars, stream);
+}
+
+template <>
+inline void fputs<wchar_t>(const wchar_t* chars, FILE* stream) FMT_NOEXCEPT {
+  std::fputws(chars, stream);
+}
+
+template <typename Char> inline void reset_color(FILE* stream) FMT_NOEXCEPT {
+  fputs("\x1b[0m", stream);
+}
+
+template <> inline void reset_color<wchar_t>(FILE* stream) FMT_NOEXCEPT {
+  fputs(L"\x1b[0m", stream);
+}
+
+template <typename Char>
+inline void reset_color(buffer<Char>& buffer) FMT_NOEXCEPT {
+  auto reset_color = string_view("\x1b[0m");
+  buffer.append(reset_color.begin(), reset_color.end());
+}
+
+template <typename Char>
+void vformat_to(buffer<Char>& buf, const text_style& ts,
+                basic_string_view<Char> format_str,
+                basic_format_args<buffer_context<type_identity_t<Char>>> args) {
+  bool has_style = false;
+  if (ts.has_emphasis()) {
+    has_style = true;
+    auto emphasis = detail::make_emphasis<Char>(ts.get_emphasis());
+    buf.append(emphasis.begin(), emphasis.end());
+  }
+  if (ts.has_foreground()) {
+    has_style = true;
+    auto foreground = detail::make_foreground_color<Char>(ts.get_foreground());
+    buf.append(foreground.begin(), foreground.end());
+  }
+  if (ts.has_background()) {
+    has_style = true;
+    auto background = detail::make_background_color<Char>(ts.get_background());
+    buf.append(background.begin(), background.end());
+  }
+  detail::vformat_to(buf, format_str, args, {});
+  if (has_style) detail::reset_color<Char>(buf);
+}
+
+FMT_END_DETAIL_NAMESPACE
+
+template <typename S, typename Char = char_t<S>>
+void vprint(std::FILE* f, const text_style& ts, const S& format,
+            basic_format_args<buffer_context<type_identity_t<Char>>> args) {
+  basic_memory_buffer<Char> buf;
+  detail::vformat_to(buf, ts, to_string_view(format), args);
+  buf.push_back(Char(0));
+  detail::fputs(buf.data(), f);
+}
+
+/**
+  \rst
+  Formats a string and prints it to the specified file stream using ANSI
+  escape sequences to specify text formatting.
+
+  **Example**::
+
+    fmt::print(fmt::emphasis::bold | fg(fmt::color::red),
+               "Elapsed time: {0:.2f} seconds", 1.23);
+  \endrst
+ */
+template <typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_string<S>::value)>
+void print(std::FILE* f, const text_style& ts, const S& format_str,
+           const Args&... args) {
+  vprint(f, ts, format_str,
+         fmt::make_args_checked<Args...>(format_str, args...));
+}
+
+/**
+  \rst
+  Formats a string and prints it to stdout using ANSI escape sequences to
+  specify text formatting.
+
+  **Example**::
+
+    fmt::print(fmt::emphasis::bold | fg(fmt::color::red),
+               "Elapsed time: {0:.2f} seconds", 1.23);
+  \endrst
+ */
+template <typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_string<S>::value)>
+void print(const text_style& ts, const S& format_str, const Args&... args) {
+  return print(stdout, ts, format_str, args...);
+}
+
+template <typename S, typename Char = char_t<S>>
+inline std::basic_string<Char> vformat(
+    const text_style& ts, const S& format_str,
+    basic_format_args<buffer_context<type_identity_t<Char>>> args) {
+  basic_memory_buffer<Char> buf;
+  detail::vformat_to(buf, ts, to_string_view(format_str), args);
+  return fmt::to_string(buf);
+}
+
+/**
+  \rst
+  Formats arguments and returns the result as a string using ANSI
+  escape sequences to specify text formatting.
+
+  **Example**::
+
+    #include <fmt/color.h>
+    std::string message = fmt::format(fmt::emphasis::bold | fg(fmt::color::red),
+                                      "The answer is {}", 42);
+  \endrst
+*/
+template <typename S, typename... Args, typename Char = char_t<S>>
+inline std::basic_string<Char> format(const text_style& ts, const S& format_str,
+                                      const Args&... args) {
+  return fmt::vformat(ts, to_string_view(format_str),
+                      fmt::make_args_checked<Args...>(format_str, args...));
+}
+
+/**
+  Formats a string with the given text_style and writes the output to ``out``.
+ */
+template <typename OutputIt, typename Char,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, Char>::value)>
+OutputIt vformat_to(
+    OutputIt out, const text_style& ts, basic_string_view<Char> format_str,
+    basic_format_args<buffer_context<type_identity_t<Char>>> args) {
+  auto&& buf = detail::get_buffer<Char>(out);
+  detail::vformat_to(buf, ts, format_str, args);
+  return detail::get_iterator(buf);
+}
+
+/**
+  \rst
+  Formats arguments with the given text_style, writes the result to the output
+  iterator ``out`` and returns the iterator past the end of the output range.
+
+  **Example**::
+
+    std::vector<char> out;
+    fmt::format_to(std::back_inserter(out),
+                   fmt::emphasis::bold | fg(fmt::color::red), "{}", 42);
+  \endrst
+*/
+template <typename OutputIt, typename S, typename... Args,
+          bool enable = detail::is_output_iterator<OutputIt, char_t<S>>::value&&
+              detail::is_string<S>::value>
+inline auto format_to(OutputIt out, const text_style& ts, const S& format_str,
+                      Args&&... args) ->
+    typename std::enable_if<enable, OutputIt>::type {
+  return vformat_to(out, ts, to_string_view(format_str),
+                    fmt::make_args_checked<Args...>(format_str, args...));
+}
+
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#endif  // FMT_COLOR_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/compile.h b/ctrtool/deps/libfmt/include/fmt/compile.h
new file mode 100644
index 00000000..1dba3ddb
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/compile.h
@@ -0,0 +1,642 @@
+// Formatting library for C++ - experimental format string compilation
+//
+// Copyright (c) 2012 - present, Victor Zverovich and fmt contributors
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_COMPILE_H_
+#define FMT_COMPILE_H_
+
+#include "format.h"
+
+FMT_BEGIN_NAMESPACE
+namespace detail {
+
+// An output iterator that counts the number of objects written to it and
+// discards them.
+class counting_iterator {
+ private:
+  size_t count_;
+
+ public:
+  using iterator_category = std::output_iterator_tag;
+  using difference_type = std::ptrdiff_t;
+  using pointer = void;
+  using reference = void;
+  using _Unchecked_type = counting_iterator;  // Mark iterator as checked.
+
+  struct value_type {
+    template <typename T> void operator=(const T&) {}
+  };
+
+  counting_iterator() : count_(0) {}
+
+  size_t count() const { return count_; }
+
+  counting_iterator& operator++() {
+    ++count_;
+    return *this;
+  }
+  counting_iterator operator++(int) {
+    auto it = *this;
+    ++*this;
+    return it;
+  }
+
+  friend counting_iterator operator+(counting_iterator it, difference_type n) {
+    it.count_ += static_cast<size_t>(n);
+    return it;
+  }
+
+  value_type operator*() const { return {}; }
+};
+
+template <typename Char, typename InputIt>
+inline counting_iterator copy_str(InputIt begin, InputIt end,
+                                  counting_iterator it) {
+  return it + (end - begin);
+}
+
+template <typename OutputIt> class truncating_iterator_base {
+ protected:
+  OutputIt out_;
+  size_t limit_;
+  size_t count_ = 0;
+
+  truncating_iterator_base() : out_(), limit_(0) {}
+
+  truncating_iterator_base(OutputIt out, size_t limit)
+      : out_(out), limit_(limit) {}
+
+ public:
+  using iterator_category = std::output_iterator_tag;
+  using value_type = typename std::iterator_traits<OutputIt>::value_type;
+  using difference_type = std::ptrdiff_t;
+  using pointer = void;
+  using reference = void;
+  using _Unchecked_type =
+      truncating_iterator_base;  // Mark iterator as checked.
+
+  OutputIt base() const { return out_; }
+  size_t count() const { return count_; }
+};
+
+// An output iterator that truncates the output and counts the number of objects
+// written to it.
+template <typename OutputIt,
+          typename Enable = typename std::is_void<
+              typename std::iterator_traits<OutputIt>::value_type>::type>
+class truncating_iterator;
+
+template <typename OutputIt>
+class truncating_iterator<OutputIt, std::false_type>
+    : public truncating_iterator_base<OutputIt> {
+  mutable typename truncating_iterator_base<OutputIt>::value_type blackhole_;
+
+ public:
+  using value_type = typename truncating_iterator_base<OutputIt>::value_type;
+
+  truncating_iterator() = default;
+
+  truncating_iterator(OutputIt out, size_t limit)
+      : truncating_iterator_base<OutputIt>(out, limit) {}
+
+  truncating_iterator& operator++() {
+    if (this->count_++ < this->limit_) ++this->out_;
+    return *this;
+  }
+
+  truncating_iterator operator++(int) {
+    auto it = *this;
+    ++*this;
+    return it;
+  }
+
+  value_type& operator*() const {
+    return this->count_ < this->limit_ ? *this->out_ : blackhole_;
+  }
+};
+
+template <typename OutputIt>
+class truncating_iterator<OutputIt, std::true_type>
+    : public truncating_iterator_base<OutputIt> {
+ public:
+  truncating_iterator() = default;
+
+  truncating_iterator(OutputIt out, size_t limit)
+      : truncating_iterator_base<OutputIt>(out, limit) {}
+
+  template <typename T> truncating_iterator& operator=(T val) {
+    if (this->count_++ < this->limit_) *this->out_++ = val;
+    return *this;
+  }
+
+  truncating_iterator& operator++() { return *this; }
+  truncating_iterator& operator++(int) { return *this; }
+  truncating_iterator& operator*() { return *this; }
+};
+
+// A compile-time string which is compiled into fast formatting code.
+class compiled_string {};
+
+template <typename S>
+struct is_compiled_string : std::is_base_of<compiled_string, S> {};
+
+/**
+  \rst
+  Converts a string literal *s* into a format string that will be parsed at
+  compile time and converted into efficient formatting code. Requires C++17
+  ``constexpr if`` compiler support.
+
+  **Example**::
+
+    // Converts 42 into std::string using the most efficient method and no
+    // runtime format string processing.
+    std::string s = fmt::format(FMT_COMPILE("{}"), 42);
+  \endrst
+ */
+#if defined(__cpp_if_constexpr) && defined(__cpp_return_type_deduction)
+#  define FMT_COMPILE(s) \
+    FMT_STRING_IMPL(s, fmt::detail::compiled_string, explicit)
+#else
+#  define FMT_COMPILE(s) FMT_STRING(s)
+#endif
+
+#if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+template <typename Char, size_t N,
+          fmt::detail_exported::fixed_string<Char, N> Str>
+struct udl_compiled_string : compiled_string {
+  using char_type = Char;
+  constexpr operator basic_string_view<char_type>() const {
+    return {Str.data, N - 1};
+  }
+};
+#endif
+
+template <typename T, typename... Tail>
+const T& first(const T& value, const Tail&...) {
+  return value;
+}
+
+#if defined(__cpp_if_constexpr) && defined(__cpp_return_type_deduction)
+template <typename... Args> struct type_list {};
+
+// Returns a reference to the argument at index N from [first, rest...].
+template <int N, typename T, typename... Args>
+constexpr const auto& get([[maybe_unused]] const T& first,
+                          [[maybe_unused]] const Args&... rest) {
+  static_assert(N < 1 + sizeof...(Args), "index is out of bounds");
+  if constexpr (N == 0)
+    return first;
+  else
+    return detail::get<N - 1>(rest...);
+}
+
+template <typename Char, typename... Args>
+constexpr int get_arg_index_by_name(basic_string_view<Char> name,
+                                    type_list<Args...>) {
+  return get_arg_index_by_name<Args...>(name);
+}
+
+template <int N, typename> struct get_type_impl;
+
+template <int N, typename... Args> struct get_type_impl<N, type_list<Args...>> {
+  using type =
+      remove_cvref_t<decltype(detail::get<N>(std::declval<Args>()...))>;
+};
+
+template <int N, typename T>
+using get_type = typename get_type_impl<N, T>::type;
+
+template <typename T> struct is_compiled_format : std::false_type {};
+
+template <typename Char> struct text {
+  basic_string_view<Char> data;
+  using char_type = Char;
+
+  template <typename OutputIt, typename... Args>
+  constexpr OutputIt format(OutputIt out, const Args&...) const {
+    return write<Char>(out, data);
+  }
+};
+
+template <typename Char>
+struct is_compiled_format<text<Char>> : std::true_type {};
+
+template <typename Char>
+constexpr text<Char> make_text(basic_string_view<Char> s, size_t pos,
+                               size_t size) {
+  return {{&s[pos], size}};
+}
+
+template <typename Char> struct code_unit {
+  Char value;
+  using char_type = Char;
+
+  template <typename OutputIt, typename... Args>
+  constexpr OutputIt format(OutputIt out, const Args&...) const {
+    return write<Char>(out, value);
+  }
+};
+
+// This ensures that the argument type is convertible to `const T&`.
+template <typename T, int N, typename... Args>
+constexpr const T& get_arg_checked(const Args&... args) {
+  const auto& arg = detail::get<N>(args...);
+  if constexpr (detail::is_named_arg<remove_cvref_t<decltype(arg)>>()) {
+    return arg.value;
+  } else {
+    return arg;
+  }
+}
+
+template <typename Char>
+struct is_compiled_format<code_unit<Char>> : std::true_type {};
+
+// A replacement field that refers to argument N.
+template <typename Char, typename T, int N> struct field {
+  using char_type = Char;
+
+  template <typename OutputIt, typename... Args>
+  constexpr OutputIt format(OutputIt out, const Args&... args) const {
+    return write<Char>(out, get_arg_checked<T, N>(args...));
+  }
+};
+
+template <typename Char, typename T, int N>
+struct is_compiled_format<field<Char, T, N>> : std::true_type {};
+
+// A replacement field that refers to argument with name.
+template <typename Char> struct runtime_named_field {
+  using char_type = Char;
+  basic_string_view<Char> name;
+
+  template <typename OutputIt, typename T>
+  constexpr static bool try_format_argument(
+      OutputIt& out,
+      // [[maybe_unused]] due to unused-but-set-parameter warning in GCC 7,8,9
+      [[maybe_unused]] basic_string_view<Char> arg_name, const T& arg) {
+    if constexpr (is_named_arg<typename std::remove_cv<T>::type>::value) {
+      if (arg_name == arg.name) {
+        out = write<Char>(out, arg.value);
+        return true;
+      }
+    }
+    return false;
+  }
+
+  template <typename OutputIt, typename... Args>
+  constexpr OutputIt format(OutputIt out, const Args&... args) const {
+    bool found = (try_format_argument(out, name, args) || ...);
+    if (!found) {
+      FMT_THROW(format_error("argument with specified name is not found"));
+    }
+    return out;
+  }
+};
+
+template <typename Char>
+struct is_compiled_format<runtime_named_field<Char>> : std::true_type {};
+
+// A replacement field that refers to argument N and has format specifiers.
+template <typename Char, typename T, int N> struct spec_field {
+  using char_type = Char;
+  formatter<T, Char> fmt;
+
+  template <typename OutputIt, typename... Args>
+  constexpr FMT_INLINE OutputIt format(OutputIt out,
+                                       const Args&... args) const {
+    const auto& vargs =
+        fmt::make_format_args<basic_format_context<OutputIt, Char>>(args...);
+    basic_format_context<OutputIt, Char> ctx(out, vargs);
+    return fmt.format(get_arg_checked<T, N>(args...), ctx);
+  }
+};
+
+template <typename Char, typename T, int N>
+struct is_compiled_format<spec_field<Char, T, N>> : std::true_type {};
+
+template <typename L, typename R> struct concat {
+  L lhs;
+  R rhs;
+  using char_type = typename L::char_type;
+
+  template <typename OutputIt, typename... Args>
+  constexpr OutputIt format(OutputIt out, const Args&... args) const {
+    out = lhs.format(out, args...);
+    return rhs.format(out, args...);
+  }
+};
+
+template <typename L, typename R>
+struct is_compiled_format<concat<L, R>> : std::true_type {};
+
+template <typename L, typename R>
+constexpr concat<L, R> make_concat(L lhs, R rhs) {
+  return {lhs, rhs};
+}
+
+struct unknown_format {};
+
+template <typename Char>
+constexpr size_t parse_text(basic_string_view<Char> str, size_t pos) {
+  for (size_t size = str.size(); pos != size; ++pos) {
+    if (str[pos] == '{' || str[pos] == '}') break;
+  }
+  return pos;
+}
+
+template <typename Args, size_t POS, int ID, typename S>
+constexpr auto compile_format_string(S format_str);
+
+template <typename Args, size_t POS, int ID, typename T, typename S>
+constexpr auto parse_tail(T head, S format_str) {
+  if constexpr (POS !=
+                basic_string_view<typename S::char_type>(format_str).size()) {
+    constexpr auto tail = compile_format_string<Args, POS, ID>(format_str);
+    if constexpr (std::is_same<remove_cvref_t<decltype(tail)>,
+                               unknown_format>())
+      return tail;
+    else
+      return make_concat(head, tail);
+  } else {
+    return head;
+  }
+}
+
+template <typename T, typename Char> struct parse_specs_result {
+  formatter<T, Char> fmt;
+  size_t end;
+  int next_arg_id;
+};
+
+constexpr int manual_indexing_id = -1;
+
+template <typename T, typename Char>
+constexpr parse_specs_result<T, Char> parse_specs(basic_string_view<Char> str,
+                                                  size_t pos, int next_arg_id) {
+  str.remove_prefix(pos);
+  auto ctx = basic_format_parse_context<Char>(str, {}, next_arg_id);
+  auto f = formatter<T, Char>();
+  auto end = f.parse(ctx);
+  return {f, pos + fmt::detail::to_unsigned(end - str.data()) + 1,
+          next_arg_id == 0 ? manual_indexing_id : ctx.next_arg_id()};
+}
+
+template <typename Char> struct arg_id_handler {
+  arg_ref<Char> arg_id;
+
+  constexpr int operator()() {
+    FMT_ASSERT(false, "handler cannot be used with automatic indexing");
+    return 0;
+  }
+  constexpr int operator()(int id) {
+    arg_id = arg_ref<Char>(id);
+    return 0;
+  }
+  constexpr int operator()(basic_string_view<Char> id) {
+    arg_id = arg_ref<Char>(id);
+    return 0;
+  }
+
+  constexpr void on_error(const char* message) {
+    FMT_THROW(format_error(message));
+  }
+};
+
+template <typename Char> struct parse_arg_id_result {
+  arg_ref<Char> arg_id;
+  const Char* arg_id_end;
+};
+
+template <int ID, typename Char>
+constexpr auto parse_arg_id(const Char* begin, const Char* end) {
+  auto handler = arg_id_handler<Char>{arg_ref<Char>{}};
+  auto arg_id_end = parse_arg_id(begin, end, handler);
+  return parse_arg_id_result<Char>{handler.arg_id, arg_id_end};
+}
+
+template <typename T, typename Enable = void> struct field_type {
+  using type = remove_cvref_t<T>;
+};
+
+template <typename T>
+struct field_type<T, enable_if_t<detail::is_named_arg<T>::value>> {
+  using type = remove_cvref_t<decltype(T::value)>;
+};
+
+template <typename T, typename Args, size_t END_POS, int ARG_INDEX, int NEXT_ID,
+          typename S>
+constexpr auto parse_replacement_field_then_tail(S format_str) {
+  using char_type = typename S::char_type;
+  constexpr auto str = basic_string_view<char_type>(format_str);
+  constexpr char_type c = END_POS != str.size() ? str[END_POS] : char_type();
+  if constexpr (c == '}') {
+    return parse_tail<Args, END_POS + 1, NEXT_ID>(
+        field<char_type, typename field_type<T>::type, ARG_INDEX>(),
+        format_str);
+  } else if constexpr (c == ':') {
+    constexpr auto result = parse_specs<typename field_type<T>::type>(
+        str, END_POS + 1, NEXT_ID == manual_indexing_id ? 0 : NEXT_ID);
+    return parse_tail<Args, result.end, result.next_arg_id>(
+        spec_field<char_type, typename field_type<T>::type, ARG_INDEX>{
+            result.fmt},
+        format_str);
+  }
+}
+
+// Compiles a non-empty format string and returns the compiled representation
+// or unknown_format() on unrecognized input.
+template <typename Args, size_t POS, int ID, typename S>
+constexpr auto compile_format_string(S format_str) {
+  using char_type = typename S::char_type;
+  constexpr auto str = basic_string_view<char_type>(format_str);
+  if constexpr (str[POS] == '{') {
+    if constexpr (POS + 1 == str.size())
+      FMT_THROW(format_error("unmatched '{' in format string"));
+    if constexpr (str[POS + 1] == '{') {
+      return parse_tail<Args, POS + 2, ID>(make_text(str, POS, 1), format_str);
+    } else if constexpr (str[POS + 1] == '}' || str[POS + 1] == ':') {
+      static_assert(ID != manual_indexing_id,
+                    "cannot switch from manual to automatic argument indexing");
+      constexpr auto next_id =
+          ID != manual_indexing_id ? ID + 1 : manual_indexing_id;
+      return parse_replacement_field_then_tail<get_type<ID, Args>, Args,
+                                               POS + 1, ID, next_id>(
+          format_str);
+    } else {
+      constexpr auto arg_id_result =
+          parse_arg_id<ID>(str.data() + POS + 1, str.data() + str.size());
+      constexpr auto arg_id_end_pos = arg_id_result.arg_id_end - str.data();
+      constexpr char_type c =
+          arg_id_end_pos != str.size() ? str[arg_id_end_pos] : char_type();
+      static_assert(c == '}' || c == ':', "missing '}' in format string");
+      if constexpr (arg_id_result.arg_id.kind == arg_id_kind::index) {
+        static_assert(
+            ID == manual_indexing_id || ID == 0,
+            "cannot switch from automatic to manual argument indexing");
+        constexpr auto arg_index = arg_id_result.arg_id.val.index;
+        return parse_replacement_field_then_tail<get_type<arg_index, Args>,
+                                                 Args, arg_id_end_pos,
+                                                 arg_index, manual_indexing_id>(
+            format_str);
+      } else if constexpr (arg_id_result.arg_id.kind == arg_id_kind::name) {
+        constexpr auto arg_index =
+            get_arg_index_by_name(arg_id_result.arg_id.val.name, Args{});
+        if constexpr (arg_index != invalid_arg_index) {
+          constexpr auto next_id =
+              ID != manual_indexing_id ? ID + 1 : manual_indexing_id;
+          return parse_replacement_field_then_tail<
+              decltype(get_type<arg_index, Args>::value), Args, arg_id_end_pos,
+              arg_index, next_id>(format_str);
+        } else {
+          if constexpr (c == '}') {
+            return parse_tail<Args, arg_id_end_pos + 1, ID>(
+                runtime_named_field<char_type>{arg_id_result.arg_id.val.name},
+                format_str);
+          } else if constexpr (c == ':') {
+            return unknown_format();  // no type info for specs parsing
+          }
+        }
+      }
+    }
+  } else if constexpr (str[POS] == '}') {
+    if constexpr (POS + 1 == str.size())
+      FMT_THROW(format_error("unmatched '}' in format string"));
+    return parse_tail<Args, POS + 2, ID>(make_text(str, POS, 1), format_str);
+  } else {
+    constexpr auto end = parse_text(str, POS + 1);
+    if constexpr (end - POS > 1) {
+      return parse_tail<Args, end, ID>(make_text(str, POS, end - POS),
+                                       format_str);
+    } else {
+      return parse_tail<Args, end, ID>(code_unit<char_type>{str[POS]},
+                                       format_str);
+    }
+  }
+}
+
+template <typename... Args, typename S,
+          FMT_ENABLE_IF(detail::is_compiled_string<S>::value)>
+constexpr auto compile(S format_str) {
+  constexpr auto str = basic_string_view<typename S::char_type>(format_str);
+  if constexpr (str.size() == 0) {
+    return detail::make_text(str, 0, 0);
+  } else {
+    constexpr auto result =
+        detail::compile_format_string<detail::type_list<Args...>, 0, 0>(
+            format_str);
+    return result;
+  }
+}
+#endif  // defined(__cpp_if_constexpr) && defined(__cpp_return_type_deduction)
+}  // namespace detail
+
+FMT_MODULE_EXPORT_BEGIN
+
+#if defined(__cpp_if_constexpr) && defined(__cpp_return_type_deduction)
+
+template <typename CompiledFormat, typename... Args,
+          typename Char = typename CompiledFormat::char_type,
+          FMT_ENABLE_IF(detail::is_compiled_format<CompiledFormat>::value)>
+FMT_INLINE std::basic_string<Char> format(const CompiledFormat& cf,
+                                          const Args&... args) {
+  auto s = std::basic_string<Char>();
+  cf.format(std::back_inserter(s), args...);
+  return s;
+}
+
+template <typename OutputIt, typename CompiledFormat, typename... Args,
+          FMT_ENABLE_IF(detail::is_compiled_format<CompiledFormat>::value)>
+constexpr FMT_INLINE OutputIt format_to(OutputIt out, const CompiledFormat& cf,
+                                        const Args&... args) {
+  return cf.format(out, args...);
+}
+
+template <typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_compiled_string<S>::value)>
+FMT_INLINE std::basic_string<typename S::char_type> format(const S&,
+                                                           Args&&... args) {
+  if constexpr (std::is_same<typename S::char_type, char>::value) {
+    constexpr auto str = basic_string_view<typename S::char_type>(S());
+    if constexpr (str.size() == 2 && str[0] == '{' && str[1] == '}') {
+      const auto& first = detail::first(args...);
+      if constexpr (detail::is_named_arg<
+                        remove_cvref_t<decltype(first)>>::value) {
+        return fmt::to_string(first.value);
+      } else {
+        return fmt::to_string(first);
+      }
+    }
+  }
+  constexpr auto compiled = detail::compile<Args...>(S());
+  if constexpr (std::is_same<remove_cvref_t<decltype(compiled)>,
+                             detail::unknown_format>()) {
+    return format(static_cast<basic_string_view<typename S::char_type>>(S()),
+                  std::forward<Args>(args)...);
+  } else {
+    return format(compiled, std::forward<Args>(args)...);
+  }
+}
+
+template <typename OutputIt, typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_compiled_string<S>::value)>
+FMT_CONSTEXPR OutputIt format_to(OutputIt out, const S&, Args&&... args) {
+  constexpr auto compiled = detail::compile<Args...>(S());
+  if constexpr (std::is_same<remove_cvref_t<decltype(compiled)>,
+                             detail::unknown_format>()) {
+    return format_to(out,
+                     static_cast<basic_string_view<typename S::char_type>>(S()),
+                     std::forward<Args>(args)...);
+  } else {
+    return format_to(out, compiled, std::forward<Args>(args)...);
+  }
+}
+#endif
+
+template <typename OutputIt, typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_compiled_string<S>::value)>
+format_to_n_result<OutputIt> format_to_n(OutputIt out, size_t n,
+                                         const S& format_str, Args&&... args) {
+  auto it = format_to(detail::truncating_iterator<OutputIt>(out, n), format_str,
+                      std::forward<Args>(args)...);
+  return {it.base(), it.count()};
+}
+
+template <typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_compiled_string<S>::value)>
+size_t formatted_size(const S& format_str, const Args&... args) {
+  return format_to(detail::counting_iterator(), format_str, args...).count();
+}
+
+template <typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_compiled_string<S>::value)>
+void print(std::FILE* f, const S& format_str, const Args&... args) {
+  memory_buffer buffer;
+  format_to(std::back_inserter(buffer), format_str, args...);
+  detail::print(f, {buffer.data(), buffer.size()});
+}
+
+template <typename S, typename... Args,
+          FMT_ENABLE_IF(detail::is_compiled_string<S>::value)>
+void print(const S& format_str, const Args&... args) {
+  print(stdout, format_str, args...);
+}
+
+#if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+inline namespace literals {
+template <detail_exported::fixed_string Str>
+constexpr detail::udl_compiled_string<
+    remove_cvref_t<decltype(Str.data[0])>,
+    sizeof(Str.data) / sizeof(decltype(Str.data[0])), Str>
+operator""_cf() {
+  return {};
+}
+}  // namespace literals
+#endif
+
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#endif  // FMT_COMPILE_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/core.h b/ctrtool/deps/libfmt/include/fmt/core.h
new file mode 100644
index 00000000..92a7aa1d
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/core.h
@@ -0,0 +1,3236 @@
+// Formatting library for C++ - the core API for char/UTF-8
+//
+// Copyright (c) 2012 - present, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_CORE_H_
+#define FMT_CORE_H_
+
+#include <cstddef>  // std::byte
+#include <cstdio>   // std::FILE
+#include <cstring>
+#include <iterator>
+#include <limits>
+#include <string>
+#include <type_traits>
+
+// The fmt library version in the form major * 10000 + minor * 100 + patch.
+#define FMT_VERSION 80101
+
+#if defined(__clang__) && !defined(__ibmxl__)
+#  define FMT_CLANG_VERSION (__clang_major__ * 100 + __clang_minor__)
+#else
+#  define FMT_CLANG_VERSION 0
+#endif
+
+#if defined(__GNUC__) && !defined(__clang__) && !defined(__INTEL_COMPILER) && \
+    !defined(__NVCOMPILER)
+#  define FMT_GCC_VERSION (__GNUC__ * 100 + __GNUC_MINOR__)
+#else
+#  define FMT_GCC_VERSION 0
+#endif
+
+#ifndef FMT_GCC_PRAGMA
+// Workaround _Pragma bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=59884.
+#  if FMT_GCC_VERSION >= 504
+#    define FMT_GCC_PRAGMA(arg) _Pragma(arg)
+#  else
+#    define FMT_GCC_PRAGMA(arg)
+#  endif
+#endif
+
+#ifdef __ICL
+#  define FMT_ICC_VERSION __ICL
+#elif defined(__INTEL_COMPILER)
+#  define FMT_ICC_VERSION __INTEL_COMPILER
+#else
+#  define FMT_ICC_VERSION 0
+#endif
+
+#ifdef __NVCC__
+#  define FMT_NVCC __NVCC__
+#else
+#  define FMT_NVCC 0
+#endif
+
+#ifdef _MSC_VER
+#  define FMT_MSC_VER _MSC_VER
+#  define FMT_MSC_WARNING(...) __pragma(warning(__VA_ARGS__))
+#else
+#  define FMT_MSC_VER 0
+#  define FMT_MSC_WARNING(...)
+#endif
+
+#ifdef __has_feature
+#  define FMT_HAS_FEATURE(x) __has_feature(x)
+#else
+#  define FMT_HAS_FEATURE(x) 0
+#endif
+
+#if defined(__has_include) &&                             \
+    (!defined(__INTELLISENSE__) || FMT_MSC_VER > 1900) && \
+    (!FMT_ICC_VERSION || FMT_ICC_VERSION >= 1600)
+#  define FMT_HAS_INCLUDE(x) __has_include(x)
+#else
+#  define FMT_HAS_INCLUDE(x) 0
+#endif
+
+#ifdef __has_cpp_attribute
+#  define FMT_HAS_CPP_ATTRIBUTE(x) __has_cpp_attribute(x)
+#else
+#  define FMT_HAS_CPP_ATTRIBUTE(x) 0
+#endif
+
+#ifdef _MSVC_LANG
+#  define FMT_CPLUSPLUS _MSVC_LANG
+#else
+#  define FMT_CPLUSPLUS __cplusplus
+#endif
+
+#define FMT_HAS_CPP14_ATTRIBUTE(attribute) \
+  (FMT_CPLUSPLUS >= 201402L && FMT_HAS_CPP_ATTRIBUTE(attribute))
+
+#define FMT_HAS_CPP17_ATTRIBUTE(attribute) \
+  (FMT_CPLUSPLUS >= 201703L && FMT_HAS_CPP_ATTRIBUTE(attribute))
+
+// Check if relaxed C++14 constexpr is supported.
+// GCC doesn't allow throw in constexpr until version 6 (bug 67371).
+#ifndef FMT_USE_CONSTEXPR
+#  define FMT_USE_CONSTEXPR                                           \
+    (FMT_HAS_FEATURE(cxx_relaxed_constexpr) || FMT_MSC_VER >= 1912 || \
+     (FMT_GCC_VERSION >= 600 && __cplusplus >= 201402L)) &&           \
+        !FMT_NVCC && !FMT_ICC_VERSION
+#endif
+#if FMT_USE_CONSTEXPR
+#  define FMT_CONSTEXPR constexpr
+#  define FMT_CONSTEXPR_DECL constexpr
+#else
+#  define FMT_CONSTEXPR
+#  define FMT_CONSTEXPR_DECL
+#endif
+
+#if ((__cplusplus >= 202002L) &&                              \
+     (!defined(_GLIBCXX_RELEASE) || _GLIBCXX_RELEASE > 9)) || \
+    (__cplusplus >= 201709L && FMT_GCC_VERSION >= 1002)
+#  define FMT_CONSTEXPR20 constexpr
+#else
+#  define FMT_CONSTEXPR20
+#endif
+
+// Check if constexpr std::char_traits<>::compare,length is supported.
+#if defined(__GLIBCXX__)
+#  if __cplusplus >= 201703L && defined(_GLIBCXX_RELEASE) && \
+      _GLIBCXX_RELEASE >= 7  // GCC 7+ libstdc++ has _GLIBCXX_RELEASE.
+#    define FMT_CONSTEXPR_CHAR_TRAITS constexpr
+#  endif
+#elif defined(_LIBCPP_VERSION) && __cplusplus >= 201703L && \
+    _LIBCPP_VERSION >= 4000
+#  define FMT_CONSTEXPR_CHAR_TRAITS constexpr
+#elif FMT_MSC_VER >= 1914 && _MSVC_LANG >= 201703L
+#  define FMT_CONSTEXPR_CHAR_TRAITS constexpr
+#endif
+#ifndef FMT_CONSTEXPR_CHAR_TRAITS
+#  define FMT_CONSTEXPR_CHAR_TRAITS
+#endif
+
+// Check if exceptions are disabled.
+#ifndef FMT_EXCEPTIONS
+#  if (defined(__GNUC__) && !defined(__EXCEPTIONS)) || \
+      FMT_MSC_VER && !_HAS_EXCEPTIONS
+#    define FMT_EXCEPTIONS 0
+#  else
+#    define FMT_EXCEPTIONS 1
+#  endif
+#endif
+
+// Define FMT_USE_NOEXCEPT to make fmt use noexcept (C++11 feature).
+#ifndef FMT_USE_NOEXCEPT
+#  define FMT_USE_NOEXCEPT 0
+#endif
+
+#if FMT_USE_NOEXCEPT || FMT_HAS_FEATURE(cxx_noexcept) || \
+    FMT_GCC_VERSION >= 408 || FMT_MSC_VER >= 1900
+#  define FMT_DETECTED_NOEXCEPT noexcept
+#  define FMT_HAS_CXX11_NOEXCEPT 1
+#else
+#  define FMT_DETECTED_NOEXCEPT throw()
+#  define FMT_HAS_CXX11_NOEXCEPT 0
+#endif
+
+#ifndef FMT_NOEXCEPT
+#  if FMT_EXCEPTIONS || FMT_HAS_CXX11_NOEXCEPT
+#    define FMT_NOEXCEPT FMT_DETECTED_NOEXCEPT
+#  else
+#    define FMT_NOEXCEPT
+#  endif
+#endif
+
+// [[noreturn]] is disabled on MSVC and NVCC because of bogus unreachable code
+// warnings.
+#if FMT_EXCEPTIONS && FMT_HAS_CPP_ATTRIBUTE(noreturn) && !FMT_MSC_VER && \
+    !FMT_NVCC
+#  define FMT_NORETURN [[noreturn]]
+#else
+#  define FMT_NORETURN
+#endif
+
+#if __cplusplus == 201103L || __cplusplus == 201402L
+#  if defined(__INTEL_COMPILER) || defined(__PGI)
+#    define FMT_FALLTHROUGH
+#  elif defined(__clang__)
+#    define FMT_FALLTHROUGH [[clang::fallthrough]]
+#  elif FMT_GCC_VERSION >= 700 && \
+      (!defined(__EDG_VERSION__) || __EDG_VERSION__ >= 520)
+#    define FMT_FALLTHROUGH [[gnu::fallthrough]]
+#  else
+#    define FMT_FALLTHROUGH
+#  endif
+#elif FMT_HAS_CPP17_ATTRIBUTE(fallthrough)
+#  define FMT_FALLTHROUGH [[fallthrough]]
+#else
+#  define FMT_FALLTHROUGH
+#endif
+
+#ifndef FMT_NODISCARD
+#  if FMT_HAS_CPP17_ATTRIBUTE(nodiscard)
+#    define FMT_NODISCARD [[nodiscard]]
+#  else
+#    define FMT_NODISCARD
+#  endif
+#endif
+
+#ifndef FMT_USE_FLOAT
+#  define FMT_USE_FLOAT 1
+#endif
+#ifndef FMT_USE_DOUBLE
+#  define FMT_USE_DOUBLE 1
+#endif
+#ifndef FMT_USE_LONG_DOUBLE
+#  define FMT_USE_LONG_DOUBLE 1
+#endif
+
+#ifndef FMT_INLINE
+#  if FMT_GCC_VERSION || FMT_CLANG_VERSION
+#    define FMT_INLINE inline __attribute__((always_inline))
+#  else
+#    define FMT_INLINE inline
+#  endif
+#endif
+
+#ifndef FMT_DEPRECATED
+#  if FMT_HAS_CPP14_ATTRIBUTE(deprecated) || FMT_MSC_VER >= 1900
+#    define FMT_DEPRECATED [[deprecated]]
+#  else
+#    if (defined(__GNUC__) && !defined(__LCC__)) || defined(__clang__)
+#      define FMT_DEPRECATED __attribute__((deprecated))
+#    elif FMT_MSC_VER
+#      define FMT_DEPRECATED __declspec(deprecated)
+#    else
+#      define FMT_DEPRECATED /* deprecated */
+#    endif
+#  endif
+#endif
+
+#ifndef FMT_BEGIN_NAMESPACE
+#  define FMT_BEGIN_NAMESPACE \
+    namespace fmt {           \
+    inline namespace v8 {
+#  define FMT_END_NAMESPACE \
+    }                       \
+    }
+#endif
+
+#ifndef FMT_MODULE_EXPORT
+#  define FMT_MODULE_EXPORT
+#  define FMT_MODULE_EXPORT_BEGIN
+#  define FMT_MODULE_EXPORT_END
+#  define FMT_BEGIN_DETAIL_NAMESPACE namespace detail {
+#  define FMT_END_DETAIL_NAMESPACE }
+#endif
+
+#if !defined(FMT_HEADER_ONLY) && defined(_WIN32)
+#  define FMT_CLASS_API FMT_MSC_WARNING(suppress : 4275)
+#  ifdef FMT_EXPORT
+#    define FMT_API __declspec(dllexport)
+#  elif defined(FMT_SHARED)
+#    define FMT_API __declspec(dllimport)
+#  endif
+#else
+#  define FMT_CLASS_API
+#  if defined(FMT_EXPORT) || defined(FMT_SHARED)
+#    if defined(__GNUC__) || defined(__clang__)
+#      define FMT_API __attribute__((visibility("default")))
+#    endif
+#  endif
+#endif
+#ifndef FMT_API
+#  define FMT_API
+#endif
+
+// libc++ supports string_view in pre-c++17.
+#if (FMT_HAS_INCLUDE(<string_view>) &&                       \
+     (__cplusplus > 201402L || defined(_LIBCPP_VERSION))) || \
+    (defined(_MSVC_LANG) && _MSVC_LANG > 201402L && _MSC_VER >= 1910)
+#  include <string_view>
+#  define FMT_USE_STRING_VIEW
+#elif FMT_HAS_INCLUDE("experimental/string_view") && __cplusplus >= 201402L
+#  include <experimental/string_view>
+#  define FMT_USE_EXPERIMENTAL_STRING_VIEW
+#endif
+
+#ifndef FMT_UNICODE
+#  define FMT_UNICODE !FMT_MSC_VER
+#endif
+
+#ifndef FMT_CONSTEVAL
+#  if ((FMT_GCC_VERSION >= 1000 || FMT_CLANG_VERSION >= 1101) &&      \
+       __cplusplus > 201703L && !defined(__apple_build_version__)) || \
+      (defined(__cpp_consteval) &&                                    \
+       (!FMT_MSC_VER || _MSC_FULL_VER >= 193030704))
+// consteval is broken in MSVC before VS2022 and Apple clang 13.
+#    define FMT_CONSTEVAL consteval
+#    define FMT_HAS_CONSTEVAL
+#  else
+#    define FMT_CONSTEVAL
+#  endif
+#endif
+
+#ifndef FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+#  if defined(__cpp_nontype_template_args) &&                \
+      ((FMT_GCC_VERSION >= 903 && __cplusplus >= 201709L) || \
+       __cpp_nontype_template_args >= 201911L)
+#    define FMT_USE_NONTYPE_TEMPLATE_PARAMETERS 1
+#  else
+#    define FMT_USE_NONTYPE_TEMPLATE_PARAMETERS 0
+#  endif
+#endif
+
+// Enable minimal optimizations for more compact code in debug mode.
+FMT_GCC_PRAGMA("GCC push_options")
+#ifndef __OPTIMIZE__
+FMT_GCC_PRAGMA("GCC optimize(\"Og\")")
+#endif
+
+FMT_BEGIN_NAMESPACE
+FMT_MODULE_EXPORT_BEGIN
+
+// Implementations of enable_if_t and other metafunctions for older systems.
+template <bool B, typename T = void>
+using enable_if_t = typename std::enable_if<B, T>::type;
+template <bool B, typename T, typename F>
+using conditional_t = typename std::conditional<B, T, F>::type;
+template <bool B> using bool_constant = std::integral_constant<bool, B>;
+template <typename T>
+using remove_reference_t = typename std::remove_reference<T>::type;
+template <typename T>
+using remove_const_t = typename std::remove_const<T>::type;
+template <typename T>
+using remove_cvref_t = typename std::remove_cv<remove_reference_t<T>>::type;
+template <typename T> struct type_identity { using type = T; };
+template <typename T> using type_identity_t = typename type_identity<T>::type;
+
+struct monostate {
+  constexpr monostate() {}
+};
+
+// An enable_if helper to be used in template parameters which results in much
+// shorter symbols: https://godbolt.org/z/sWw4vP. Extra parentheses are needed
+// to workaround a bug in MSVC 2019 (see #1140 and #1186).
+#ifdef FMT_DOC
+#  define FMT_ENABLE_IF(...)
+#else
+#  define FMT_ENABLE_IF(...) enable_if_t<(__VA_ARGS__), int> = 0
+#endif
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+// Suppress "unused variable" warnings with the method described in
+// https://herbsutter.com/2009/10/18/mailbag-shutting-up-compiler-warnings/.
+// (void)var does not work on many Intel compilers.
+template <typename... T> FMT_CONSTEXPR void ignore_unused(const T&...) {}
+
+constexpr FMT_INLINE auto is_constant_evaluated(bool default_value = false)
+    FMT_NOEXCEPT -> bool {
+#ifdef __cpp_lib_is_constant_evaluated
+  ignore_unused(default_value);
+  return std::is_constant_evaluated();
+#else
+  return default_value;
+#endif
+}
+
+// A function to suppress "conditional expression is constant" warnings.
+template <typename T> constexpr FMT_INLINE auto const_check(T value) -> T {
+  return value;
+}
+
+FMT_NORETURN FMT_API void assert_fail(const char* file, int line,
+                                      const char* message);
+
+#ifndef FMT_ASSERT
+#  ifdef NDEBUG
+// FMT_ASSERT is not empty to avoid -Werror=empty-body.
+#    define FMT_ASSERT(condition, message) \
+      ::fmt::detail::ignore_unused((condition), (message))
+#  else
+#    define FMT_ASSERT(condition, message)                                    \
+      ((condition) /* void() fails with -Winvalid-constexpr on clang 4.0.1 */ \
+           ? (void)0                                                          \
+           : ::fmt::detail::assert_fail(__FILE__, __LINE__, (message)))
+#  endif
+#endif
+
+#ifdef __cpp_lib_byte
+using byte = std::byte;
+#else
+enum class byte : unsigned char {};
+#endif
+
+#if defined(FMT_USE_STRING_VIEW)
+template <typename Char> using std_string_view = std::basic_string_view<Char>;
+#elif defined(FMT_USE_EXPERIMENTAL_STRING_VIEW)
+template <typename Char>
+using std_string_view = std::experimental::basic_string_view<Char>;
+#else
+template <typename T> struct std_string_view {};
+#endif
+
+#ifdef FMT_USE_INT128
+// Do nothing.
+#elif defined(__SIZEOF_INT128__) && !FMT_NVCC && \
+    !(FMT_CLANG_VERSION && FMT_MSC_VER)
+#  define FMT_USE_INT128 1
+using int128_t = __int128_t;
+using uint128_t = __uint128_t;
+template <typename T> inline auto convert_for_visit(T value) -> T {
+  return value;
+}
+#else
+#  define FMT_USE_INT128 0
+#endif
+#if !FMT_USE_INT128
+enum class int128_t {};
+enum class uint128_t {};
+// Reduce template instantiations.
+template <typename T> inline auto convert_for_visit(T) -> monostate {
+  return {};
+}
+#endif
+
+// Casts a nonnegative integer to unsigned.
+template <typename Int>
+FMT_CONSTEXPR auto to_unsigned(Int value) ->
+    typename std::make_unsigned<Int>::type {
+  FMT_ASSERT(value >= 0, "negative value");
+  return static_cast<typename std::make_unsigned<Int>::type>(value);
+}
+
+FMT_MSC_WARNING(suppress : 4566) constexpr unsigned char micro[] = "\u00B5";
+
+constexpr auto is_utf8() -> bool {
+  // Avoid buggy sign extensions in MSVC's constant evaluation mode.
+  // https://developercommunity.visualstudio.com/t/C-difference-in-behavior-for-unsigned/1233612
+  using uchar = unsigned char;
+  return FMT_UNICODE || (sizeof(micro) == 3 && uchar(micro[0]) == 0xC2 &&
+                         uchar(micro[1]) == 0xB5);
+}
+FMT_END_DETAIL_NAMESPACE
+
+/**
+  An implementation of ``std::basic_string_view`` for pre-C++17. It provides a
+  subset of the API. ``fmt::basic_string_view`` is used for format strings even
+  if ``std::string_view`` is available to prevent issues when a library is
+  compiled with a different ``-std`` option than the client code (which is not
+  recommended).
+ */
+template <typename Char> class basic_string_view {
+ private:
+  const Char* data_;
+  size_t size_;
+
+ public:
+  using value_type = Char;
+  using iterator = const Char*;
+
+  constexpr basic_string_view() FMT_NOEXCEPT : data_(nullptr), size_(0) {}
+
+  /** Constructs a string reference object from a C string and a size. */
+  constexpr basic_string_view(const Char* s, size_t count) FMT_NOEXCEPT
+      : data_(s),
+        size_(count) {}
+
+  /**
+    \rst
+    Constructs a string reference object from a C string computing
+    the size with ``std::char_traits<Char>::length``.
+    \endrst
+   */
+  FMT_CONSTEXPR_CHAR_TRAITS
+  FMT_INLINE
+  basic_string_view(const Char* s)
+      : data_(s),
+        size_(detail::const_check(std::is_same<Char, char>::value &&
+                                  !detail::is_constant_evaluated(true))
+                  ? std::strlen(reinterpret_cast<const char*>(s))
+                  : std::char_traits<Char>::length(s)) {}
+
+  /** Constructs a string reference from a ``std::basic_string`` object. */
+  template <typename Traits, typename Alloc>
+  FMT_CONSTEXPR basic_string_view(
+      const std::basic_string<Char, Traits, Alloc>& s) FMT_NOEXCEPT
+      : data_(s.data()),
+        size_(s.size()) {}
+
+  template <typename S, FMT_ENABLE_IF(std::is_same<
+                                      S, detail::std_string_view<Char>>::value)>
+  FMT_CONSTEXPR basic_string_view(S s) FMT_NOEXCEPT : data_(s.data()),
+                                                      size_(s.size()) {}
+
+  /** Returns a pointer to the string data. */
+  constexpr auto data() const FMT_NOEXCEPT -> const Char* { return data_; }
+
+  /** Returns the string size. */
+  constexpr auto size() const FMT_NOEXCEPT -> size_t { return size_; }
+
+  constexpr auto begin() const FMT_NOEXCEPT -> iterator { return data_; }
+  constexpr auto end() const FMT_NOEXCEPT -> iterator { return data_ + size_; }
+
+  constexpr auto operator[](size_t pos) const FMT_NOEXCEPT -> const Char& {
+    return data_[pos];
+  }
+
+  FMT_CONSTEXPR void remove_prefix(size_t n) FMT_NOEXCEPT {
+    data_ += n;
+    size_ -= n;
+  }
+
+  // Lexicographically compare this string reference to other.
+  FMT_CONSTEXPR_CHAR_TRAITS auto compare(basic_string_view other) const -> int {
+    size_t str_size = size_ < other.size_ ? size_ : other.size_;
+    int result = std::char_traits<Char>::compare(data_, other.data_, str_size);
+    if (result == 0)
+      result = size_ == other.size_ ? 0 : (size_ < other.size_ ? -1 : 1);
+    return result;
+  }
+
+  FMT_CONSTEXPR_CHAR_TRAITS friend auto operator==(basic_string_view lhs,
+                                                   basic_string_view rhs)
+      -> bool {
+    return lhs.compare(rhs) == 0;
+  }
+  friend auto operator!=(basic_string_view lhs, basic_string_view rhs) -> bool {
+    return lhs.compare(rhs) != 0;
+  }
+  friend auto operator<(basic_string_view lhs, basic_string_view rhs) -> bool {
+    return lhs.compare(rhs) < 0;
+  }
+  friend auto operator<=(basic_string_view lhs, basic_string_view rhs) -> bool {
+    return lhs.compare(rhs) <= 0;
+  }
+  friend auto operator>(basic_string_view lhs, basic_string_view rhs) -> bool {
+    return lhs.compare(rhs) > 0;
+  }
+  friend auto operator>=(basic_string_view lhs, basic_string_view rhs) -> bool {
+    return lhs.compare(rhs) >= 0;
+  }
+};
+
+using string_view = basic_string_view<char>;
+
+/** Specifies if ``T`` is a character type. Can be specialized by users. */
+template <typename T> struct is_char : std::false_type {};
+template <> struct is_char<char> : std::true_type {};
+
+// Returns a string view of `s`.
+template <typename Char, FMT_ENABLE_IF(is_char<Char>::value)>
+FMT_INLINE auto to_string_view(const Char* s) -> basic_string_view<Char> {
+  return s;
+}
+template <typename Char, typename Traits, typename Alloc>
+inline auto to_string_view(const std::basic_string<Char, Traits, Alloc>& s)
+    -> basic_string_view<Char> {
+  return s;
+}
+template <typename Char>
+constexpr auto to_string_view(basic_string_view<Char> s)
+    -> basic_string_view<Char> {
+  return s;
+}
+template <typename Char,
+          FMT_ENABLE_IF(!std::is_empty<detail::std_string_view<Char>>::value)>
+inline auto to_string_view(detail::std_string_view<Char> s)
+    -> basic_string_view<Char> {
+  return s;
+}
+
+// A base class for compile-time strings. It is defined in the fmt namespace to
+// make formatting functions visible via ADL, e.g. format(FMT_STRING("{}"), 42).
+struct compile_string {};
+
+template <typename S>
+struct is_compile_string : std::is_base_of<compile_string, S> {};
+
+template <typename S, FMT_ENABLE_IF(is_compile_string<S>::value)>
+constexpr auto to_string_view(const S& s)
+    -> basic_string_view<typename S::char_type> {
+  return basic_string_view<typename S::char_type>(s);
+}
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+void to_string_view(...);
+using fmt::to_string_view;
+
+// Specifies whether S is a string type convertible to fmt::basic_string_view.
+// It should be a constexpr function but MSVC 2017 fails to compile it in
+// enable_if and MSVC 2015 fails to compile it as an alias template.
+template <typename S>
+struct is_string : std::is_class<decltype(to_string_view(std::declval<S>()))> {
+};
+
+template <typename S, typename = void> struct char_t_impl {};
+template <typename S> struct char_t_impl<S, enable_if_t<is_string<S>::value>> {
+  using result = decltype(to_string_view(std::declval<S>()));
+  using type = typename result::value_type;
+};
+
+// Reports a compile-time error if S is not a valid format string.
+template <typename..., typename S, FMT_ENABLE_IF(!is_compile_string<S>::value)>
+FMT_INLINE void check_format_string(const S&) {
+#ifdef FMT_ENFORCE_COMPILE_STRING
+  static_assert(is_compile_string<S>::value,
+                "FMT_ENFORCE_COMPILE_STRING requires all format strings to use "
+                "FMT_STRING.");
+#endif
+}
+template <typename..., typename S, FMT_ENABLE_IF(is_compile_string<S>::value)>
+void check_format_string(S);
+
+FMT_NORETURN FMT_API void throw_format_error(const char* message);
+
+struct error_handler {
+  constexpr error_handler() = default;
+  constexpr error_handler(const error_handler&) = default;
+
+  // This function is intentionally not constexpr to give a compile-time error.
+  FMT_NORETURN FMT_API void on_error(const char* message);
+};
+FMT_END_DETAIL_NAMESPACE
+
+/** String's character type. */
+template <typename S> using char_t = typename detail::char_t_impl<S>::type;
+
+/**
+  \rst
+  Parsing context consisting of a format string range being parsed and an
+  argument counter for automatic indexing.
+  You can use the ``format_parse_context`` type alias for ``char`` instead.
+  \endrst
+ */
+template <typename Char, typename ErrorHandler = detail::error_handler>
+class basic_format_parse_context : private ErrorHandler {
+ private:
+  basic_string_view<Char> format_str_;
+  int next_arg_id_;
+
+ public:
+  using char_type = Char;
+  using iterator = typename basic_string_view<Char>::iterator;
+
+  explicit constexpr basic_format_parse_context(
+      basic_string_view<Char> format_str, ErrorHandler eh = {},
+      int next_arg_id = 0)
+      : ErrorHandler(eh), format_str_(format_str), next_arg_id_(next_arg_id) {}
+
+  /**
+    Returns an iterator to the beginning of the format string range being
+    parsed.
+   */
+  constexpr auto begin() const FMT_NOEXCEPT -> iterator {
+    return format_str_.begin();
+  }
+
+  /**
+    Returns an iterator past the end of the format string range being parsed.
+   */
+  constexpr auto end() const FMT_NOEXCEPT -> iterator {
+    return format_str_.end();
+  }
+
+  /** Advances the begin iterator to ``it``. */
+  FMT_CONSTEXPR void advance_to(iterator it) {
+    format_str_.remove_prefix(detail::to_unsigned(it - begin()));
+  }
+
+  /**
+    Reports an error if using the manual argument indexing; otherwise returns
+    the next argument index and switches to the automatic indexing.
+   */
+  FMT_CONSTEXPR auto next_arg_id() -> int {
+    // Don't check if the argument id is valid to avoid overhead and because it
+    // will be checked during formatting anyway.
+    if (next_arg_id_ >= 0) return next_arg_id_++;
+    on_error("cannot switch from manual to automatic argument indexing");
+    return 0;
+  }
+
+  /**
+    Reports an error if using the automatic argument indexing; otherwise
+    switches to the manual indexing.
+   */
+  FMT_CONSTEXPR void check_arg_id(int) {
+    if (next_arg_id_ > 0)
+      on_error("cannot switch from automatic to manual argument indexing");
+    else
+      next_arg_id_ = -1;
+  }
+
+  FMT_CONSTEXPR void check_arg_id(basic_string_view<Char>) {}
+
+  FMT_CONSTEXPR void on_error(const char* message) {
+    ErrorHandler::on_error(message);
+  }
+
+  constexpr auto error_handler() const -> ErrorHandler { return *this; }
+};
+
+using format_parse_context = basic_format_parse_context<char>;
+
+template <typename Context> class basic_format_arg;
+template <typename Context> class basic_format_args;
+template <typename Context> class dynamic_format_arg_store;
+
+// A formatter for objects of type T.
+template <typename T, typename Char = char, typename Enable = void>
+struct formatter {
+  // A deleted default constructor indicates a disabled formatter.
+  formatter() = delete;
+};
+
+// Specifies if T has an enabled formatter specialization. A type can be
+// formattable even if it doesn't have a formatter e.g. via a conversion.
+template <typename T, typename Context>
+using has_formatter =
+    std::is_constructible<typename Context::template formatter_type<T>>;
+
+// Checks whether T is a container with contiguous storage.
+template <typename T> struct is_contiguous : std::false_type {};
+template <typename Char>
+struct is_contiguous<std::basic_string<Char>> : std::true_type {};
+
+class appender;
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+template <typename Context, typename T>
+constexpr auto has_const_formatter_impl(T*)
+    -> decltype(typename Context::template formatter_type<T>().format(
+                    std::declval<const T&>(), std::declval<Context&>()),
+                true) {
+  return true;
+}
+template <typename Context>
+constexpr auto has_const_formatter_impl(...) -> bool {
+  return false;
+}
+template <typename T, typename Context>
+constexpr auto has_const_formatter() -> bool {
+  return has_const_formatter_impl<Context>(static_cast<T*>(nullptr));
+}
+
+// Extracts a reference to the container from back_insert_iterator.
+template <typename Container>
+inline auto get_container(std::back_insert_iterator<Container> it)
+    -> Container& {
+  using bi_iterator = std::back_insert_iterator<Container>;
+  struct accessor : bi_iterator {
+    accessor(bi_iterator iter) : bi_iterator(iter) {}
+    using bi_iterator::container;
+  };
+  return *accessor(it).container;
+}
+
+template <typename Char, typename InputIt, typename OutputIt>
+FMT_CONSTEXPR auto copy_str(InputIt begin, InputIt end, OutputIt out)
+    -> OutputIt {
+  while (begin != end) *out++ = static_cast<Char>(*begin++);
+  return out;
+}
+
+template <typename Char, typename T, typename U,
+          FMT_ENABLE_IF(
+              std::is_same<remove_const_t<T>, U>::value&& is_char<U>::value)>
+FMT_CONSTEXPR auto copy_str(T* begin, T* end, U* out) -> U* {
+  if (is_constant_evaluated()) return copy_str<Char, T*, U*>(begin, end, out);
+  auto size = to_unsigned(end - begin);
+  memcpy(out, begin, size * sizeof(U));
+  return out + size;
+}
+
+/**
+  \rst
+  A contiguous memory buffer with an optional growing ability. It is an internal
+  class and shouldn't be used directly, only via `~fmt::basic_memory_buffer`.
+  \endrst
+ */
+template <typename T> class buffer {
+ private:
+  T* ptr_;
+  size_t size_;
+  size_t capacity_;
+
+ protected:
+  // Don't initialize ptr_ since it is not accessed to save a few cycles.
+  FMT_MSC_WARNING(suppress : 26495)
+  buffer(size_t sz) FMT_NOEXCEPT : size_(sz), capacity_(sz) {}
+
+  FMT_CONSTEXPR20 buffer(T* p = nullptr, size_t sz = 0,
+                         size_t cap = 0) FMT_NOEXCEPT : ptr_(p),
+                                                        size_(sz),
+                                                        capacity_(cap) {}
+
+  FMT_CONSTEXPR20 ~buffer() = default;
+  buffer(buffer&&) = default;
+
+  /** Sets the buffer data and capacity. */
+  FMT_CONSTEXPR void set(T* buf_data, size_t buf_capacity) FMT_NOEXCEPT {
+    ptr_ = buf_data;
+    capacity_ = buf_capacity;
+  }
+
+  /** Increases the buffer capacity to hold at least *capacity* elements. */
+  virtual FMT_CONSTEXPR20 void grow(size_t capacity) = 0;
+
+ public:
+  using value_type = T;
+  using const_reference = const T&;
+
+  buffer(const buffer&) = delete;
+  void operator=(const buffer&) = delete;
+
+  auto begin() FMT_NOEXCEPT -> T* { return ptr_; }
+  auto end() FMT_NOEXCEPT -> T* { return ptr_ + size_; }
+
+  auto begin() const FMT_NOEXCEPT -> const T* { return ptr_; }
+  auto end() const FMT_NOEXCEPT -> const T* { return ptr_ + size_; }
+
+  /** Returns the size of this buffer. */
+  constexpr auto size() const FMT_NOEXCEPT -> size_t { return size_; }
+
+  /** Returns the capacity of this buffer. */
+  constexpr auto capacity() const FMT_NOEXCEPT -> size_t { return capacity_; }
+
+  /** Returns a pointer to the buffer data. */
+  FMT_CONSTEXPR auto data() FMT_NOEXCEPT -> T* { return ptr_; }
+
+  /** Returns a pointer to the buffer data. */
+  FMT_CONSTEXPR auto data() const FMT_NOEXCEPT -> const T* { return ptr_; }
+
+  /** Clears this buffer. */
+  void clear() { size_ = 0; }
+
+  // Tries resizing the buffer to contain *count* elements. If T is a POD type
+  // the new elements may not be initialized.
+  FMT_CONSTEXPR20 void try_resize(size_t count) {
+    try_reserve(count);
+    size_ = count <= capacity_ ? count : capacity_;
+  }
+
+  // Tries increasing the buffer capacity to *new_capacity*. It can increase the
+  // capacity by a smaller amount than requested but guarantees there is space
+  // for at least one additional element either by increasing the capacity or by
+  // flushing the buffer if it is full.
+  FMT_CONSTEXPR20 void try_reserve(size_t new_capacity) {
+    if (new_capacity > capacity_) grow(new_capacity);
+  }
+
+  FMT_CONSTEXPR20 void push_back(const T& value) {
+    try_reserve(size_ + 1);
+    ptr_[size_++] = value;
+  }
+
+  /** Appends data to the end of the buffer. */
+  template <typename U> void append(const U* begin, const U* end);
+
+  template <typename I> FMT_CONSTEXPR auto operator[](I index) -> T& {
+    return ptr_[index];
+  }
+  template <typename I>
+  FMT_CONSTEXPR auto operator[](I index) const -> const T& {
+    return ptr_[index];
+  }
+};
+
+struct buffer_traits {
+  explicit buffer_traits(size_t) {}
+  auto count() const -> size_t { return 0; }
+  auto limit(size_t size) -> size_t { return size; }
+};
+
+class fixed_buffer_traits {
+ private:
+  size_t count_ = 0;
+  size_t limit_;
+
+ public:
+  explicit fixed_buffer_traits(size_t limit) : limit_(limit) {}
+  auto count() const -> size_t { return count_; }
+  auto limit(size_t size) -> size_t {
+    size_t n = limit_ > count_ ? limit_ - count_ : 0;
+    count_ += size;
+    return size < n ? size : n;
+  }
+};
+
+// A buffer that writes to an output iterator when flushed.
+template <typename OutputIt, typename T, typename Traits = buffer_traits>
+class iterator_buffer final : public Traits, public buffer<T> {
+ private:
+  OutputIt out_;
+  enum { buffer_size = 256 };
+  T data_[buffer_size];
+
+ protected:
+  FMT_CONSTEXPR20 void grow(size_t) override {
+    if (this->size() == buffer_size) flush();
+  }
+
+  void flush() {
+    auto size = this->size();
+    this->clear();
+    out_ = copy_str<T>(data_, data_ + this->limit(size), out_);
+  }
+
+ public:
+  explicit iterator_buffer(OutputIt out, size_t n = buffer_size)
+      : Traits(n), buffer<T>(data_, 0, buffer_size), out_(out) {}
+  iterator_buffer(iterator_buffer&& other)
+      : Traits(other), buffer<T>(data_, 0, buffer_size), out_(other.out_) {}
+  ~iterator_buffer() { flush(); }
+
+  auto out() -> OutputIt {
+    flush();
+    return out_;
+  }
+  auto count() const -> size_t { return Traits::count() + this->size(); }
+};
+
+template <typename T>
+class iterator_buffer<T*, T, fixed_buffer_traits> final
+    : public fixed_buffer_traits,
+      public buffer<T> {
+ private:
+  T* out_;
+  enum { buffer_size = 256 };
+  T data_[buffer_size];
+
+ protected:
+  FMT_CONSTEXPR20 void grow(size_t) override {
+    if (this->size() == this->capacity()) flush();
+  }
+
+  void flush() {
+    size_t n = this->limit(this->size());
+    if (this->data() == out_) {
+      out_ += n;
+      this->set(data_, buffer_size);
+    }
+    this->clear();
+  }
+
+ public:
+  explicit iterator_buffer(T* out, size_t n = buffer_size)
+      : fixed_buffer_traits(n), buffer<T>(out, 0, n), out_(out) {}
+  iterator_buffer(iterator_buffer&& other)
+      : fixed_buffer_traits(other),
+        buffer<T>(std::move(other)),
+        out_(other.out_) {
+    if (this->data() != out_) {
+      this->set(data_, buffer_size);
+      this->clear();
+    }
+  }
+  ~iterator_buffer() { flush(); }
+
+  auto out() -> T* {
+    flush();
+    return out_;
+  }
+  auto count() const -> size_t {
+    return fixed_buffer_traits::count() + this->size();
+  }
+};
+
+template <typename T> class iterator_buffer<T*, T> final : public buffer<T> {
+ protected:
+  FMT_CONSTEXPR20 void grow(size_t) override {}
+
+ public:
+  explicit iterator_buffer(T* out, size_t = 0) : buffer<T>(out, 0, ~size_t()) {}
+
+  auto out() -> T* { return &*this->end(); }
+};
+
+// A buffer that writes to a container with the contiguous storage.
+template <typename Container>
+class iterator_buffer<std::back_insert_iterator<Container>,
+                      enable_if_t<is_contiguous<Container>::value,
+                                  typename Container::value_type>>
+    final : public buffer<typename Container::value_type> {
+ private:
+  Container& container_;
+
+ protected:
+  FMT_CONSTEXPR20 void grow(size_t capacity) override {
+    container_.resize(capacity);
+    this->set(&container_[0], capacity);
+  }
+
+ public:
+  explicit iterator_buffer(Container& c)
+      : buffer<typename Container::value_type>(c.size()), container_(c) {}
+  explicit iterator_buffer(std::back_insert_iterator<Container> out, size_t = 0)
+      : iterator_buffer(get_container(out)) {}
+  auto out() -> std::back_insert_iterator<Container> {
+    return std::back_inserter(container_);
+  }
+};
+
+// A buffer that counts the number of code units written discarding the output.
+template <typename T = char> class counting_buffer final : public buffer<T> {
+ private:
+  enum { buffer_size = 256 };
+  T data_[buffer_size];
+  size_t count_ = 0;
+
+ protected:
+  FMT_CONSTEXPR20 void grow(size_t) override {
+    if (this->size() != buffer_size) return;
+    count_ += this->size();
+    this->clear();
+  }
+
+ public:
+  counting_buffer() : buffer<T>(data_, 0, buffer_size) {}
+
+  auto count() -> size_t { return count_ + this->size(); }
+};
+
+template <typename T>
+using buffer_appender = conditional_t<std::is_same<T, char>::value, appender,
+                                      std::back_insert_iterator<buffer<T>>>;
+
+// Maps an output iterator to a buffer.
+template <typename T, typename OutputIt>
+auto get_buffer(OutputIt out) -> iterator_buffer<OutputIt, T> {
+  return iterator_buffer<OutputIt, T>(out);
+}
+
+template <typename Buffer>
+auto get_iterator(Buffer& buf) -> decltype(buf.out()) {
+  return buf.out();
+}
+template <typename T> auto get_iterator(buffer<T>& buf) -> buffer_appender<T> {
+  return buffer_appender<T>(buf);
+}
+
+template <typename T, typename Char = char, typename Enable = void>
+struct fallback_formatter {
+  fallback_formatter() = delete;
+};
+
+// Specifies if T has an enabled fallback_formatter specialization.
+template <typename T, typename Char>
+using has_fallback_formatter =
+    std::is_constructible<fallback_formatter<T, Char>>;
+
+struct view {};
+
+template <typename Char, typename T> struct named_arg : view {
+  const Char* name;
+  const T& value;
+  named_arg(const Char* n, const T& v) : name(n), value(v) {}
+};
+
+template <typename Char> struct named_arg_info {
+  const Char* name;
+  int id;
+};
+
+template <typename T, typename Char, size_t NUM_ARGS, size_t NUM_NAMED_ARGS>
+struct arg_data {
+  // args_[0].named_args points to named_args_ to avoid bloating format_args.
+  // +1 to workaround a bug in gcc 7.5 that causes duplicated-branches warning.
+  T args_[1 + (NUM_ARGS != 0 ? NUM_ARGS : +1)];
+  named_arg_info<Char> named_args_[NUM_NAMED_ARGS];
+
+  template <typename... U>
+  arg_data(const U&... init) : args_{T(named_args_, NUM_NAMED_ARGS), init...} {}
+  arg_data(const arg_data& other) = delete;
+  auto args() const -> const T* { return args_ + 1; }
+  auto named_args() -> named_arg_info<Char>* { return named_args_; }
+};
+
+template <typename T, typename Char, size_t NUM_ARGS>
+struct arg_data<T, Char, NUM_ARGS, 0> {
+  // +1 to workaround a bug in gcc 7.5 that causes duplicated-branches warning.
+  T args_[NUM_ARGS != 0 ? NUM_ARGS : +1];
+
+  template <typename... U>
+  FMT_CONSTEXPR FMT_INLINE arg_data(const U&... init) : args_{init...} {}
+  FMT_CONSTEXPR FMT_INLINE auto args() const -> const T* { return args_; }
+  FMT_CONSTEXPR FMT_INLINE auto named_args() -> std::nullptr_t {
+    return nullptr;
+  }
+};
+
+template <typename Char>
+inline void init_named_args(named_arg_info<Char>*, int, int) {}
+
+template <typename T> struct is_named_arg : std::false_type {};
+template <typename T> struct is_statically_named_arg : std::false_type {};
+
+template <typename T, typename Char>
+struct is_named_arg<named_arg<Char, T>> : std::true_type {};
+
+template <typename Char, typename T, typename... Tail,
+          FMT_ENABLE_IF(!is_named_arg<T>::value)>
+void init_named_args(named_arg_info<Char>* named_args, int arg_count,
+                     int named_arg_count, const T&, const Tail&... args) {
+  init_named_args(named_args, arg_count + 1, named_arg_count, args...);
+}
+
+template <typename Char, typename T, typename... Tail,
+          FMT_ENABLE_IF(is_named_arg<T>::value)>
+void init_named_args(named_arg_info<Char>* named_args, int arg_count,
+                     int named_arg_count, const T& arg, const Tail&... args) {
+  named_args[named_arg_count++] = {arg.name, arg_count};
+  init_named_args(named_args, arg_count + 1, named_arg_count, args...);
+}
+
+template <typename... Args>
+FMT_CONSTEXPR FMT_INLINE void init_named_args(std::nullptr_t, int, int,
+                                              const Args&...) {}
+
+template <bool B = false> constexpr auto count() -> size_t { return B ? 1 : 0; }
+template <bool B1, bool B2, bool... Tail> constexpr auto count() -> size_t {
+  return (B1 ? 1 : 0) + count<B2, Tail...>();
+}
+
+template <typename... Args> constexpr auto count_named_args() -> size_t {
+  return count<is_named_arg<Args>::value...>();
+}
+
+template <typename... Args>
+constexpr auto count_statically_named_args() -> size_t {
+  return count<is_statically_named_arg<Args>::value...>();
+}
+
+enum class type {
+  none_type,
+  // Integer types should go first,
+  int_type,
+  uint_type,
+  long_long_type,
+  ulong_long_type,
+  int128_type,
+  uint128_type,
+  bool_type,
+  char_type,
+  last_integer_type = char_type,
+  // followed by floating-point types.
+  float_type,
+  double_type,
+  long_double_type,
+  last_numeric_type = long_double_type,
+  cstring_type,
+  string_type,
+  pointer_type,
+  custom_type
+};
+
+// Maps core type T to the corresponding type enum constant.
+template <typename T, typename Char>
+struct type_constant : std::integral_constant<type, type::custom_type> {};
+
+#define FMT_TYPE_CONSTANT(Type, constant) \
+  template <typename Char>                \
+  struct type_constant<Type, Char>        \
+      : std::integral_constant<type, type::constant> {}
+
+FMT_TYPE_CONSTANT(int, int_type);
+FMT_TYPE_CONSTANT(unsigned, uint_type);
+FMT_TYPE_CONSTANT(long long, long_long_type);
+FMT_TYPE_CONSTANT(unsigned long long, ulong_long_type);
+FMT_TYPE_CONSTANT(int128_t, int128_type);
+FMT_TYPE_CONSTANT(uint128_t, uint128_type);
+FMT_TYPE_CONSTANT(bool, bool_type);
+FMT_TYPE_CONSTANT(Char, char_type);
+FMT_TYPE_CONSTANT(float, float_type);
+FMT_TYPE_CONSTANT(double, double_type);
+FMT_TYPE_CONSTANT(long double, long_double_type);
+FMT_TYPE_CONSTANT(const Char*, cstring_type);
+FMT_TYPE_CONSTANT(basic_string_view<Char>, string_type);
+FMT_TYPE_CONSTANT(const void*, pointer_type);
+
+constexpr bool is_integral_type(type t) {
+  return t > type::none_type && t <= type::last_integer_type;
+}
+
+constexpr bool is_arithmetic_type(type t) {
+  return t > type::none_type && t <= type::last_numeric_type;
+}
+
+struct unformattable {};
+struct unformattable_char : unformattable {};
+struct unformattable_const : unformattable {};
+struct unformattable_pointer : unformattable {};
+
+template <typename Char> struct string_value {
+  const Char* data;
+  size_t size;
+};
+
+template <typename Char> struct named_arg_value {
+  const named_arg_info<Char>* data;
+  size_t size;
+};
+
+template <typename Context> struct custom_value {
+  using parse_context = typename Context::parse_context_type;
+  void* value;
+  void (*format)(void* arg, parse_context& parse_ctx, Context& ctx);
+};
+
+// A formatting argument value.
+template <typename Context> class value {
+ public:
+  using char_type = typename Context::char_type;
+
+  union {
+    monostate no_value;
+    int int_value;
+    unsigned uint_value;
+    long long long_long_value;
+    unsigned long long ulong_long_value;
+    int128_t int128_value;
+    uint128_t uint128_value;
+    bool bool_value;
+    char_type char_value;
+    float float_value;
+    double double_value;
+    long double long_double_value;
+    const void* pointer;
+    string_value<char_type> string;
+    custom_value<Context> custom;
+    named_arg_value<char_type> named_args;
+  };
+
+  constexpr FMT_INLINE value() : no_value() {}
+  constexpr FMT_INLINE value(int val) : int_value(val) {}
+  constexpr FMT_INLINE value(unsigned val) : uint_value(val) {}
+  constexpr FMT_INLINE value(long long val) : long_long_value(val) {}
+  constexpr FMT_INLINE value(unsigned long long val) : ulong_long_value(val) {}
+  FMT_INLINE value(int128_t val) : int128_value(val) {}
+  FMT_INLINE value(uint128_t val) : uint128_value(val) {}
+  constexpr FMT_INLINE value(float val) : float_value(val) {}
+  constexpr FMT_INLINE value(double val) : double_value(val) {}
+  FMT_INLINE value(long double val) : long_double_value(val) {}
+  constexpr FMT_INLINE value(bool val) : bool_value(val) {}
+  constexpr FMT_INLINE value(char_type val) : char_value(val) {}
+  FMT_CONSTEXPR FMT_INLINE value(const char_type* val) {
+    string.data = val;
+    if (is_constant_evaluated()) string.size = {};
+  }
+  FMT_CONSTEXPR FMT_INLINE value(basic_string_view<char_type> val) {
+    string.data = val.data();
+    string.size = val.size();
+  }
+  FMT_INLINE value(const void* val) : pointer(val) {}
+  FMT_INLINE value(const named_arg_info<char_type>* args, size_t size)
+      : named_args{args, size} {}
+
+  template <typename T> FMT_CONSTEXPR FMT_INLINE value(T& val) {
+    using value_type = remove_cvref_t<T>;
+    custom.value = const_cast<value_type*>(&val);
+    // Get the formatter type through the context to allow different contexts
+    // have different extension points, e.g. `formatter<T>` for `format` and
+    // `printf_formatter<T>` for `printf`.
+    custom.format = format_custom_arg<
+        value_type,
+        conditional_t<has_formatter<value_type, Context>::value,
+                      typename Context::template formatter_type<value_type>,
+                      fallback_formatter<value_type, char_type>>>;
+  }
+  value(unformattable);
+  value(unformattable_char);
+  value(unformattable_const);
+  value(unformattable_pointer);
+
+ private:
+  // Formats an argument of a custom type, such as a user-defined class.
+  template <typename T, typename Formatter>
+  static void format_custom_arg(void* arg,
+                                typename Context::parse_context_type& parse_ctx,
+                                Context& ctx) {
+    auto f = Formatter();
+    parse_ctx.advance_to(f.parse(parse_ctx));
+    using qualified_type =
+        conditional_t<has_const_formatter<T, Context>(), const T, T>;
+    ctx.advance_to(f.format(*static_cast<qualified_type*>(arg), ctx));
+  }
+};
+
+template <typename Context, typename T>
+FMT_CONSTEXPR auto make_arg(const T& value) -> basic_format_arg<Context>;
+
+// To minimize the number of types we need to deal with, long is translated
+// either to int or to long long depending on its size.
+enum { long_short = sizeof(long) == sizeof(int) };
+using long_type = conditional_t<long_short, int, long long>;
+using ulong_type = conditional_t<long_short, unsigned, unsigned long long>;
+
+// Maps formatting arguments to core types.
+// arg_mapper reports errors by returning unformattable instead of using
+// static_assert because it's used in the is_formattable trait.
+template <typename Context> struct arg_mapper {
+  using char_type = typename Context::char_type;
+
+  FMT_CONSTEXPR FMT_INLINE auto map(signed char val) -> int { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(unsigned char val) -> unsigned {
+    return val;
+  }
+  FMT_CONSTEXPR FMT_INLINE auto map(short val) -> int { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(unsigned short val) -> unsigned {
+    return val;
+  }
+  FMT_CONSTEXPR FMT_INLINE auto map(int val) -> int { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(unsigned val) -> unsigned { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(long val) -> long_type { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(unsigned long val) -> ulong_type {
+    return val;
+  }
+  FMT_CONSTEXPR FMT_INLINE auto map(long long val) -> long long { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(unsigned long long val)
+      -> unsigned long long {
+    return val;
+  }
+  FMT_CONSTEXPR FMT_INLINE auto map(int128_t val) -> int128_t { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(uint128_t val) -> uint128_t { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(bool val) -> bool { return val; }
+
+  template <typename T, FMT_ENABLE_IF(std::is_same<T, char>::value ||
+                                      std::is_same<T, char_type>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(T val) -> char_type {
+    return val;
+  }
+  template <typename T, enable_if_t<(std::is_same<T, wchar_t>::value ||
+#ifdef __cpp_char8_t
+                                     std::is_same<T, char8_t>::value ||
+#endif
+                                     std::is_same<T, char16_t>::value ||
+                                     std::is_same<T, char32_t>::value) &&
+                                        !std::is_same<T, char_type>::value,
+                                    int> = 0>
+  FMT_CONSTEXPR FMT_INLINE auto map(T) -> unformattable_char {
+    return {};
+  }
+
+  FMT_CONSTEXPR FMT_INLINE auto map(float val) -> float { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(double val) -> double { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(long double val) -> long double {
+    return val;
+  }
+
+  FMT_CONSTEXPR FMT_INLINE auto map(char_type* val) -> const char_type* {
+    return val;
+  }
+  FMT_CONSTEXPR FMT_INLINE auto map(const char_type* val) -> const char_type* {
+    return val;
+  }
+  template <typename T,
+            FMT_ENABLE_IF(is_string<T>::value && !std::is_pointer<T>::value &&
+                          std::is_same<char_type, char_t<T>>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(const T& val)
+      -> basic_string_view<char_type> {
+    return to_string_view(val);
+  }
+  template <typename T,
+            FMT_ENABLE_IF(is_string<T>::value && !std::is_pointer<T>::value &&
+                          !std::is_same<char_type, char_t<T>>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(const T&) -> unformattable_char {
+    return {};
+  }
+  template <typename T,
+            FMT_ENABLE_IF(
+                std::is_constructible<basic_string_view<char_type>, T>::value &&
+                !is_string<T>::value && !has_formatter<T, Context>::value &&
+                !has_fallback_formatter<T, char_type>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(const T& val)
+      -> basic_string_view<char_type> {
+    return basic_string_view<char_type>(val);
+  }
+  template <
+      typename T,
+      FMT_ENABLE_IF(
+          std::is_constructible<std_string_view<char_type>, T>::value &&
+          !std::is_constructible<basic_string_view<char_type>, T>::value &&
+          !is_string<T>::value && !has_formatter<T, Context>::value &&
+          !has_fallback_formatter<T, char_type>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(const T& val)
+      -> basic_string_view<char_type> {
+    return std_string_view<char_type>(val);
+  }
+
+  using cstring_result = conditional_t<std::is_same<char_type, char>::value,
+                                       const char*, unformattable_pointer>;
+
+  FMT_DEPRECATED FMT_CONSTEXPR FMT_INLINE auto map(const signed char* val)
+      -> cstring_result {
+    return map(reinterpret_cast<const char*>(val));
+  }
+  FMT_DEPRECATED FMT_CONSTEXPR FMT_INLINE auto map(const unsigned char* val)
+      -> cstring_result {
+    return map(reinterpret_cast<const char*>(val));
+  }
+  FMT_DEPRECATED FMT_CONSTEXPR FMT_INLINE auto map(signed char* val)
+      -> cstring_result {
+    return map(reinterpret_cast<const char*>(val));
+  }
+  FMT_DEPRECATED FMT_CONSTEXPR FMT_INLINE auto map(unsigned char* val)
+      -> cstring_result {
+    return map(reinterpret_cast<const char*>(val));
+  }
+
+  FMT_CONSTEXPR FMT_INLINE auto map(void* val) -> const void* { return val; }
+  FMT_CONSTEXPR FMT_INLINE auto map(const void* val) -> const void* {
+    return val;
+  }
+  FMT_CONSTEXPR FMT_INLINE auto map(std::nullptr_t val) -> const void* {
+    return val;
+  }
+
+  // We use SFINAE instead of a const T* parameter to avoid conflicting with
+  // the C array overload.
+  template <
+      typename T,
+      FMT_ENABLE_IF(
+          std::is_member_pointer<T>::value ||
+          std::is_function<typename std::remove_pointer<T>::type>::value ||
+          (std::is_convertible<const T&, const void*>::value &&
+           !std::is_convertible<const T&, const char_type*>::value))>
+  FMT_CONSTEXPR auto map(const T&) -> unformattable_pointer {
+    return {};
+  }
+
+  template <typename T, std::size_t N,
+            FMT_ENABLE_IF(!std::is_same<T, wchar_t>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(const T (&values)[N]) -> const T (&)[N] {
+    return values;
+  }
+
+  template <typename T,
+            FMT_ENABLE_IF(
+                std::is_enum<T>::value&& std::is_convertible<T, int>::value &&
+                !has_formatter<T, Context>::value &&
+                !has_fallback_formatter<T, char_type>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(const T& val)
+      -> decltype(std::declval<arg_mapper>().map(
+          static_cast<typename std::underlying_type<T>::type>(val))) {
+    return map(static_cast<typename std::underlying_type<T>::type>(val));
+  }
+
+  FMT_CONSTEXPR FMT_INLINE auto map(detail::byte val) -> unsigned {
+    return map(static_cast<unsigned char>(val));
+  }
+
+  template <typename T, typename U = remove_cvref_t<T>>
+  struct formattable
+      : bool_constant<has_const_formatter<U, Context>() ||
+                      !std::is_const<remove_reference_t<T>>::value ||
+                      has_fallback_formatter<U, char_type>::value> {};
+
+#if FMT_MSC_VER != 0 && FMT_MSC_VER < 1910
+  // Workaround a bug in MSVC.
+  template <typename T> FMT_CONSTEXPR FMT_INLINE auto do_map(T&& val) -> T& {
+    return val;
+  }
+#else
+  template <typename T, FMT_ENABLE_IF(formattable<T>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto do_map(T&& val) -> T& {
+    return val;
+  }
+  template <typename T, FMT_ENABLE_IF(!formattable<T>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto do_map(T&&) -> unformattable_const {
+    return {};
+  }
+#endif
+
+  template <typename T, typename U = remove_cvref_t<T>,
+            FMT_ENABLE_IF(!is_string<U>::value && !is_char<U>::value &&
+                          !std::is_array<U>::value &&
+                          (has_formatter<U, Context>::value ||
+                           has_fallback_formatter<U, char_type>::value))>
+  FMT_CONSTEXPR FMT_INLINE auto map(T&& val)
+      -> decltype(this->do_map(std::forward<T>(val))) {
+    return do_map(std::forward<T>(val));
+  }
+
+  template <typename T, FMT_ENABLE_IF(is_named_arg<T>::value)>
+  FMT_CONSTEXPR FMT_INLINE auto map(const T& named_arg)
+      -> decltype(std::declval<arg_mapper>().map(named_arg.value)) {
+    return map(named_arg.value);
+  }
+
+  auto map(...) -> unformattable { return {}; }
+};
+
+// A type constant after applying arg_mapper<Context>.
+template <typename T, typename Context>
+using mapped_type_constant =
+    type_constant<decltype(arg_mapper<Context>().map(std::declval<const T&>())),
+                  typename Context::char_type>;
+
+enum { packed_arg_bits = 4 };
+// Maximum number of arguments with packed types.
+enum { max_packed_args = 62 / packed_arg_bits };
+enum : unsigned long long { is_unpacked_bit = 1ULL << 63 };
+enum : unsigned long long { has_named_args_bit = 1ULL << 62 };
+
+FMT_END_DETAIL_NAMESPACE
+
+// An output iterator that appends to a buffer.
+// It is used to reduce symbol sizes for the common case.
+class appender : public std::back_insert_iterator<detail::buffer<char>> {
+  using base = std::back_insert_iterator<detail::buffer<char>>;
+
+  template <typename T>
+  friend auto get_buffer(appender out) -> detail::buffer<char>& {
+    return detail::get_container(out);
+  }
+
+ public:
+  using std::back_insert_iterator<detail::buffer<char>>::back_insert_iterator;
+  appender(base it) FMT_NOEXCEPT : base(it) {}
+  using _Unchecked_type = appender;  // Mark iterator as checked.
+
+  auto operator++() FMT_NOEXCEPT -> appender& { return *this; }
+
+  auto operator++(int) FMT_NOEXCEPT -> appender { return *this; }
+};
+
+// A formatting argument. It is a trivially copyable/constructible type to
+// allow storage in basic_memory_buffer.
+template <typename Context> class basic_format_arg {
+ private:
+  detail::value<Context> value_;
+  detail::type type_;
+
+  template <typename ContextType, typename T>
+  friend FMT_CONSTEXPR auto detail::make_arg(const T& value)
+      -> basic_format_arg<ContextType>;
+
+  template <typename Visitor, typename Ctx>
+  friend FMT_CONSTEXPR auto visit_format_arg(Visitor&& vis,
+                                             const basic_format_arg<Ctx>& arg)
+      -> decltype(vis(0));
+
+  friend class basic_format_args<Context>;
+  friend class dynamic_format_arg_store<Context>;
+
+  using char_type = typename Context::char_type;
+
+  template <typename T, typename Char, size_t NUM_ARGS, size_t NUM_NAMED_ARGS>
+  friend struct detail::arg_data;
+
+  basic_format_arg(const detail::named_arg_info<char_type>* args, size_t size)
+      : value_(args, size) {}
+
+ public:
+  class handle {
+   public:
+    explicit handle(detail::custom_value<Context> custom) : custom_(custom) {}
+
+    void format(typename Context::parse_context_type& parse_ctx,
+                Context& ctx) const {
+      custom_.format(custom_.value, parse_ctx, ctx);
+    }
+
+   private:
+    detail::custom_value<Context> custom_;
+  };
+
+  constexpr basic_format_arg() : type_(detail::type::none_type) {}
+
+  constexpr explicit operator bool() const FMT_NOEXCEPT {
+    return type_ != detail::type::none_type;
+  }
+
+  auto type() const -> detail::type { return type_; }
+
+  auto is_integral() const -> bool { return detail::is_integral_type(type_); }
+  auto is_arithmetic() const -> bool {
+    return detail::is_arithmetic_type(type_);
+  }
+};
+
+/**
+  \rst
+  Visits an argument dispatching to the appropriate visit method based on
+  the argument type. For example, if the argument type is ``double`` then
+  ``vis(value)`` will be called with the value of type ``double``.
+  \endrst
+ */
+template <typename Visitor, typename Context>
+FMT_CONSTEXPR FMT_INLINE auto visit_format_arg(
+    Visitor&& vis, const basic_format_arg<Context>& arg) -> decltype(vis(0)) {
+  switch (arg.type_) {
+  case detail::type::none_type:
+    break;
+  case detail::type::int_type:
+    return vis(arg.value_.int_value);
+  case detail::type::uint_type:
+    return vis(arg.value_.uint_value);
+  case detail::type::long_long_type:
+    return vis(arg.value_.long_long_value);
+  case detail::type::ulong_long_type:
+    return vis(arg.value_.ulong_long_value);
+  case detail::type::int128_type:
+    return vis(detail::convert_for_visit(arg.value_.int128_value));
+  case detail::type::uint128_type:
+    return vis(detail::convert_for_visit(arg.value_.uint128_value));
+  case detail::type::bool_type:
+    return vis(arg.value_.bool_value);
+  case detail::type::char_type:
+    return vis(arg.value_.char_value);
+  case detail::type::float_type:
+    return vis(arg.value_.float_value);
+  case detail::type::double_type:
+    return vis(arg.value_.double_value);
+  case detail::type::long_double_type:
+    return vis(arg.value_.long_double_value);
+  case detail::type::cstring_type:
+    return vis(arg.value_.string.data);
+  case detail::type::string_type:
+    using sv = basic_string_view<typename Context::char_type>;
+    return vis(sv(arg.value_.string.data, arg.value_.string.size));
+  case detail::type::pointer_type:
+    return vis(arg.value_.pointer);
+  case detail::type::custom_type:
+    return vis(typename basic_format_arg<Context>::handle(arg.value_.custom));
+  }
+  return vis(monostate());
+}
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+template <typename Char, typename InputIt>
+auto copy_str(InputIt begin, InputIt end, appender out) -> appender {
+  get_container(out).append(begin, end);
+  return out;
+}
+
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 500
+// A workaround for gcc 4.8 to make void_t work in a SFINAE context.
+template <typename... Ts> struct void_t_impl { using type = void; };
+template <typename... Ts>
+using void_t = typename detail::void_t_impl<Ts...>::type;
+#else
+template <typename...> using void_t = void;
+#endif
+
+template <typename It, typename T, typename Enable = void>
+struct is_output_iterator : std::false_type {};
+
+template <typename It, typename T>
+struct is_output_iterator<
+    It, T,
+    void_t<typename std::iterator_traits<It>::iterator_category,
+           decltype(*std::declval<It>() = std::declval<T>())>>
+    : std::true_type {};
+
+template <typename OutputIt>
+struct is_back_insert_iterator : std::false_type {};
+template <typename Container>
+struct is_back_insert_iterator<std::back_insert_iterator<Container>>
+    : std::true_type {};
+
+template <typename OutputIt>
+struct is_contiguous_back_insert_iterator : std::false_type {};
+template <typename Container>
+struct is_contiguous_back_insert_iterator<std::back_insert_iterator<Container>>
+    : is_contiguous<Container> {};
+template <>
+struct is_contiguous_back_insert_iterator<appender> : std::true_type {};
+
+// A type-erased reference to an std::locale to avoid heavy <locale> include.
+class locale_ref {
+ private:
+  const void* locale_;  // A type-erased pointer to std::locale.
+
+ public:
+  constexpr locale_ref() : locale_(nullptr) {}
+  template <typename Locale> explicit locale_ref(const Locale& loc);
+
+  explicit operator bool() const FMT_NOEXCEPT { return locale_ != nullptr; }
+
+  template <typename Locale> auto get() const -> Locale;
+};
+
+template <typename> constexpr auto encode_types() -> unsigned long long {
+  return 0;
+}
+
+template <typename Context, typename Arg, typename... Args>
+constexpr auto encode_types() -> unsigned long long {
+  return static_cast<unsigned>(mapped_type_constant<Arg, Context>::value) |
+         (encode_types<Context, Args...>() << packed_arg_bits);
+}
+
+template <typename Context, typename T>
+FMT_CONSTEXPR auto make_arg(const T& value) -> basic_format_arg<Context> {
+  basic_format_arg<Context> arg;
+  arg.type_ = mapped_type_constant<T, Context>::value;
+  arg.value_ = arg_mapper<Context>().map(value);
+  return arg;
+}
+
+// The type template parameter is there to avoid an ODR violation when using
+// a fallback formatter in one translation unit and an implicit conversion in
+// another (not recommended).
+template <bool IS_PACKED, typename Context, type, typename T,
+          FMT_ENABLE_IF(IS_PACKED)>
+FMT_CONSTEXPR FMT_INLINE auto make_arg(T&& val) -> value<Context> {
+  const auto& arg = arg_mapper<Context>().map(std::forward<T>(val));
+
+  constexpr bool formattable_char =
+      !std::is_same<decltype(arg), const unformattable_char&>::value;
+  static_assert(formattable_char, "Mixing character types is disallowed.");
+
+  constexpr bool formattable_const =
+      !std::is_same<decltype(arg), const unformattable_const&>::value;
+  static_assert(formattable_const, "Cannot format a const argument.");
+
+  // Formatting of arbitrary pointers is disallowed. If you want to output
+  // a pointer cast it to "void *" or "const void *". In particular, this
+  // forbids formatting of "[const] volatile char *" which is printed as bool
+  // by iostreams.
+  constexpr bool formattable_pointer =
+      !std::is_same<decltype(arg), const unformattable_pointer&>::value;
+  static_assert(formattable_pointer,
+                "Formatting of non-void pointers is disallowed.");
+
+  constexpr bool formattable =
+      !std::is_same<decltype(arg), const unformattable&>::value;
+  static_assert(
+      formattable,
+      "Cannot format an argument. To make type T formattable provide a "
+      "formatter<T> specialization: https://fmt.dev/latest/api.html#udt");
+  return {arg};
+}
+
+template <bool IS_PACKED, typename Context, type, typename T,
+          FMT_ENABLE_IF(!IS_PACKED)>
+inline auto make_arg(const T& value) -> basic_format_arg<Context> {
+  return make_arg<Context>(value);
+}
+FMT_END_DETAIL_NAMESPACE
+
+// Formatting context.
+template <typename OutputIt, typename Char> class basic_format_context {
+ public:
+  /** The character type for the output. */
+  using char_type = Char;
+
+ private:
+  OutputIt out_;
+  basic_format_args<basic_format_context> args_;
+  detail::locale_ref loc_;
+
+ public:
+  using iterator = OutputIt;
+  using format_arg = basic_format_arg<basic_format_context>;
+  using parse_context_type = basic_format_parse_context<Char>;
+  template <typename T> using formatter_type = formatter<T, char_type>;
+
+  basic_format_context(basic_format_context&&) = default;
+  basic_format_context(const basic_format_context&) = delete;
+  void operator=(const basic_format_context&) = delete;
+  /**
+   Constructs a ``basic_format_context`` object. References to the arguments are
+   stored in the object so make sure they have appropriate lifetimes.
+   */
+  constexpr basic_format_context(
+      OutputIt out, basic_format_args<basic_format_context> ctx_args,
+      detail::locale_ref loc = detail::locale_ref())
+      : out_(out), args_(ctx_args), loc_(loc) {}
+
+  constexpr auto arg(int id) const -> format_arg { return args_.get(id); }
+  FMT_CONSTEXPR auto arg(basic_string_view<char_type> name) -> format_arg {
+    return args_.get(name);
+  }
+  FMT_CONSTEXPR auto arg_id(basic_string_view<char_type> name) -> int {
+    return args_.get_id(name);
+  }
+  auto args() const -> const basic_format_args<basic_format_context>& {
+    return args_;
+  }
+
+  FMT_CONSTEXPR auto error_handler() -> detail::error_handler { return {}; }
+  void on_error(const char* message) { error_handler().on_error(message); }
+
+  // Returns an iterator to the beginning of the output range.
+  FMT_CONSTEXPR auto out() -> iterator { return out_; }
+
+  // Advances the begin iterator to ``it``.
+  void advance_to(iterator it) {
+    if (!detail::is_back_insert_iterator<iterator>()) out_ = it;
+  }
+
+  FMT_CONSTEXPR auto locale() -> detail::locale_ref { return loc_; }
+};
+
+template <typename Char>
+using buffer_context =
+    basic_format_context<detail::buffer_appender<Char>, Char>;
+using format_context = buffer_context<char>;
+
+// Workaround an alias issue: https://stackoverflow.com/q/62767544/471164.
+#define FMT_BUFFER_CONTEXT(Char) \
+  basic_format_context<detail::buffer_appender<Char>, Char>
+
+template <typename T, typename Char = char>
+using is_formattable = bool_constant<
+    !std::is_base_of<detail::unformattable,
+                     decltype(detail::arg_mapper<buffer_context<Char>>().map(
+                         std::declval<T>()))>::value &&
+    !detail::has_fallback_formatter<T, Char>::value>;
+
+/**
+  \rst
+  An array of references to arguments. It can be implicitly converted into
+  `~fmt::basic_format_args` for passing into type-erased formatting functions
+  such as `~fmt::vformat`.
+  \endrst
+ */
+template <typename Context, typename... Args>
+class format_arg_store
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 409
+    // Workaround a GCC template argument substitution bug.
+    : public basic_format_args<Context>
+#endif
+{
+ private:
+  static const size_t num_args = sizeof...(Args);
+  static const size_t num_named_args = detail::count_named_args<Args...>();
+  static const bool is_packed = num_args <= detail::max_packed_args;
+
+  using value_type = conditional_t<is_packed, detail::value<Context>,
+                                   basic_format_arg<Context>>;
+
+  detail::arg_data<value_type, typename Context::char_type, num_args,
+                   num_named_args>
+      data_;
+
+  friend class basic_format_args<Context>;
+
+  static constexpr unsigned long long desc =
+      (is_packed ? detail::encode_types<Context, Args...>()
+                 : detail::is_unpacked_bit | num_args) |
+      (num_named_args != 0
+           ? static_cast<unsigned long long>(detail::has_named_args_bit)
+           : 0);
+
+ public:
+  template <typename... T>
+  FMT_CONSTEXPR FMT_INLINE format_arg_store(T&&... args)
+      :
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 409
+        basic_format_args<Context>(*this),
+#endif
+        data_{detail::make_arg<
+            is_packed, Context,
+            detail::mapped_type_constant<remove_cvref_t<T>, Context>::value>(
+            std::forward<T>(args))...} {
+    detail::init_named_args(data_.named_args(), 0, 0, args...);
+  }
+};
+
+/**
+  \rst
+  Constructs a `~fmt::format_arg_store` object that contains references to
+  arguments and can be implicitly converted to `~fmt::format_args`. `Context`
+  can be omitted in which case it defaults to `~fmt::context`.
+  See `~fmt::arg` for lifetime considerations.
+  \endrst
+ */
+template <typename Context = format_context, typename... Args>
+constexpr auto make_format_args(Args&&... args)
+    -> format_arg_store<Context, remove_cvref_t<Args>...> {
+  return {std::forward<Args>(args)...};
+}
+
+/**
+  \rst
+  Returns a named argument to be used in a formatting function.
+  It should only be used in a call to a formatting function or
+  `dynamic_format_arg_store::push_back`.
+
+  **Example**::
+
+    fmt::print("Elapsed time: {s:.2f} seconds", fmt::arg("s", 1.23));
+  \endrst
+ */
+template <typename Char, typename T>
+inline auto arg(const Char* name, const T& arg) -> detail::named_arg<Char, T> {
+  static_assert(!detail::is_named_arg<T>(), "nested named arguments");
+  return {name, arg};
+}
+
+/**
+  \rst
+  A view of a collection of formatting arguments. To avoid lifetime issues it
+  should only be used as a parameter type in type-erased functions such as
+  ``vformat``::
+
+    void vlog(string_view format_str, format_args args);  // OK
+    format_args args = make_format_args(42);  // Error: dangling reference
+  \endrst
+ */
+template <typename Context> class basic_format_args {
+ public:
+  using size_type = int;
+  using format_arg = basic_format_arg<Context>;
+
+ private:
+  // A descriptor that contains information about formatting arguments.
+  // If the number of arguments is less or equal to max_packed_args then
+  // argument types are passed in the descriptor. This reduces binary code size
+  // per formatting function call.
+  unsigned long long desc_;
+  union {
+    // If is_packed() returns true then argument values are stored in values_;
+    // otherwise they are stored in args_. This is done to improve cache
+    // locality and reduce compiled code size since storing larger objects
+    // may require more code (at least on x86-64) even if the same amount of
+    // data is actually copied to stack. It saves ~10% on the bloat test.
+    const detail::value<Context>* values_;
+    const format_arg* args_;
+  };
+
+  constexpr auto is_packed() const -> bool {
+    return (desc_ & detail::is_unpacked_bit) == 0;
+  }
+  auto has_named_args() const -> bool {
+    return (desc_ & detail::has_named_args_bit) != 0;
+  }
+
+  FMT_CONSTEXPR auto type(int index) const -> detail::type {
+    int shift = index * detail::packed_arg_bits;
+    unsigned int mask = (1 << detail::packed_arg_bits) - 1;
+    return static_cast<detail::type>((desc_ >> shift) & mask);
+  }
+
+  constexpr FMT_INLINE basic_format_args(unsigned long long desc,
+                                         const detail::value<Context>* values)
+      : desc_(desc), values_(values) {}
+  constexpr basic_format_args(unsigned long long desc, const format_arg* args)
+      : desc_(desc), args_(args) {}
+
+ public:
+  constexpr basic_format_args() : desc_(0), args_(nullptr) {}
+
+  /**
+   \rst
+   Constructs a `basic_format_args` object from `~fmt::format_arg_store`.
+   \endrst
+   */
+  template <typename... Args>
+  constexpr FMT_INLINE basic_format_args(
+      const format_arg_store<Context, Args...>& store)
+      : basic_format_args(format_arg_store<Context, Args...>::desc,
+                          store.data_.args()) {}
+
+  /**
+   \rst
+   Constructs a `basic_format_args` object from
+   `~fmt::dynamic_format_arg_store`.
+   \endrst
+   */
+  constexpr FMT_INLINE basic_format_args(
+      const dynamic_format_arg_store<Context>& store)
+      : basic_format_args(store.get_types(), store.data()) {}
+
+  /**
+   \rst
+   Constructs a `basic_format_args` object from a dynamic set of arguments.
+   \endrst
+   */
+  constexpr basic_format_args(const format_arg* args, int count)
+      : basic_format_args(detail::is_unpacked_bit | detail::to_unsigned(count),
+                          args) {}
+
+  /** Returns the argument with the specified id. */
+  FMT_CONSTEXPR auto get(int id) const -> format_arg {
+    format_arg arg;
+    if (!is_packed()) {
+      if (id < max_size()) arg = args_[id];
+      return arg;
+    }
+    if (id >= detail::max_packed_args) return arg;
+    arg.type_ = type(id);
+    if (arg.type_ == detail::type::none_type) return arg;
+    arg.value_ = values_[id];
+    return arg;
+  }
+
+  template <typename Char>
+  auto get(basic_string_view<Char> name) const -> format_arg {
+    int id = get_id(name);
+    return id >= 0 ? get(id) : format_arg();
+  }
+
+  template <typename Char>
+  auto get_id(basic_string_view<Char> name) const -> int {
+    if (!has_named_args()) return -1;
+    const auto& named_args =
+        (is_packed() ? values_[-1] : args_[-1].value_).named_args;
+    for (size_t i = 0; i < named_args.size; ++i) {
+      if (named_args.data[i].name == name) return named_args.data[i].id;
+    }
+    return -1;
+  }
+
+  auto max_size() const -> int {
+    unsigned long long max_packed = detail::max_packed_args;
+    return static_cast<int>(is_packed() ? max_packed
+                                        : desc_ & ~detail::is_unpacked_bit);
+  }
+};
+
+/** An alias to ``basic_format_args<format_context>``. */
+// A separate type would result in shorter symbols but break ABI compatibility
+// between clang and gcc on ARM (#1919).
+using format_args = basic_format_args<format_context>;
+
+// We cannot use enum classes as bit fields because of a gcc bug
+// https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61414.
+namespace align {
+enum type { none, left, right, center, numeric };
+}
+using align_t = align::type;
+namespace sign {
+enum type { none, minus, plus, space };
+}
+using sign_t = sign::type;
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+// Workaround an array initialization issue in gcc 4.8.
+template <typename Char> struct fill_t {
+ private:
+  enum { max_size = 4 };
+  Char data_[max_size] = {Char(' '), Char(0), Char(0), Char(0)};
+  unsigned char size_ = 1;
+
+ public:
+  FMT_CONSTEXPR void operator=(basic_string_view<Char> s) {
+    auto size = s.size();
+    if (size > max_size) return throw_format_error("invalid fill");
+    for (size_t i = 0; i < size; ++i) data_[i] = s[i];
+    size_ = static_cast<unsigned char>(size);
+  }
+
+  constexpr auto size() const -> size_t { return size_; }
+  constexpr auto data() const -> const Char* { return data_; }
+
+  FMT_CONSTEXPR auto operator[](size_t index) -> Char& { return data_[index]; }
+  FMT_CONSTEXPR auto operator[](size_t index) const -> const Char& {
+    return data_[index];
+  }
+};
+FMT_END_DETAIL_NAMESPACE
+
+enum class presentation_type : unsigned char {
+  none,
+  // Integer types should go first,
+  dec,             // 'd'
+  oct,             // 'o'
+  hex_lower,       // 'x'
+  hex_upper,       // 'X'
+  bin_lower,       // 'b'
+  bin_upper,       // 'B'
+  hexfloat_lower,  // 'a'
+  hexfloat_upper,  // 'A'
+  exp_lower,       // 'e'
+  exp_upper,       // 'E'
+  fixed_lower,     // 'f'
+  fixed_upper,     // 'F'
+  general_lower,   // 'g'
+  general_upper,   // 'G'
+  chr,             // 'c'
+  string,          // 's'
+  pointer          // 'p'
+};
+
+// Format specifiers for built-in and string types.
+template <typename Char> struct basic_format_specs {
+  int width;
+  int precision;
+  presentation_type type;
+  align_t align : 4;
+  sign_t sign : 3;
+  bool alt : 1;  // Alternate form ('#').
+  bool localized : 1;
+  detail::fill_t<Char> fill;
+
+  constexpr basic_format_specs()
+      : width(0),
+        precision(-1),
+        type(presentation_type::none),
+        align(align::none),
+        sign(sign::none),
+        alt(false),
+        localized(false) {}
+};
+
+using format_specs = basic_format_specs<char>;
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+enum class arg_id_kind { none, index, name };
+
+// An argument reference.
+template <typename Char> struct arg_ref {
+  FMT_CONSTEXPR arg_ref() : kind(arg_id_kind::none), val() {}
+
+  FMT_CONSTEXPR explicit arg_ref(int index)
+      : kind(arg_id_kind::index), val(index) {}
+  FMT_CONSTEXPR explicit arg_ref(basic_string_view<Char> name)
+      : kind(arg_id_kind::name), val(name) {}
+
+  FMT_CONSTEXPR auto operator=(int idx) -> arg_ref& {
+    kind = arg_id_kind::index;
+    val.index = idx;
+    return *this;
+  }
+
+  arg_id_kind kind;
+  union value {
+    FMT_CONSTEXPR value(int id = 0) : index{id} {}
+    FMT_CONSTEXPR value(basic_string_view<Char> n) : name(n) {}
+
+    int index;
+    basic_string_view<Char> name;
+  } val;
+};
+
+// Format specifiers with width and precision resolved at formatting rather
+// than parsing time to allow re-using the same parsed specifiers with
+// different sets of arguments (precompilation of format strings).
+template <typename Char>
+struct dynamic_format_specs : basic_format_specs<Char> {
+  arg_ref<Char> width_ref;
+  arg_ref<Char> precision_ref;
+};
+
+struct auto_id {};
+
+// A format specifier handler that sets fields in basic_format_specs.
+template <typename Char> class specs_setter {
+ protected:
+  basic_format_specs<Char>& specs_;
+
+ public:
+  explicit FMT_CONSTEXPR specs_setter(basic_format_specs<Char>& specs)
+      : specs_(specs) {}
+
+  FMT_CONSTEXPR specs_setter(const specs_setter& other)
+      : specs_(other.specs_) {}
+
+  FMT_CONSTEXPR void on_align(align_t align) { specs_.align = align; }
+  FMT_CONSTEXPR void on_fill(basic_string_view<Char> fill) {
+    specs_.fill = fill;
+  }
+  FMT_CONSTEXPR void on_sign(sign_t s) { specs_.sign = s; }
+  FMT_CONSTEXPR void on_hash() { specs_.alt = true; }
+  FMT_CONSTEXPR void on_localized() { specs_.localized = true; }
+
+  FMT_CONSTEXPR void on_zero() {
+    if (specs_.align == align::none) specs_.align = align::numeric;
+    specs_.fill[0] = Char('0');
+  }
+
+  FMT_CONSTEXPR void on_width(int width) { specs_.width = width; }
+  FMT_CONSTEXPR void on_precision(int precision) {
+    specs_.precision = precision;
+  }
+  FMT_CONSTEXPR void end_precision() {}
+
+  FMT_CONSTEXPR void on_type(presentation_type type) { specs_.type = type; }
+};
+
+// Format spec handler that saves references to arguments representing dynamic
+// width and precision to be resolved at formatting time.
+template <typename ParseContext>
+class dynamic_specs_handler
+    : public specs_setter<typename ParseContext::char_type> {
+ public:
+  using char_type = typename ParseContext::char_type;
+
+  FMT_CONSTEXPR dynamic_specs_handler(dynamic_format_specs<char_type>& specs,
+                                      ParseContext& ctx)
+      : specs_setter<char_type>(specs), specs_(specs), context_(ctx) {}
+
+  FMT_CONSTEXPR dynamic_specs_handler(const dynamic_specs_handler& other)
+      : specs_setter<char_type>(other),
+        specs_(other.specs_),
+        context_(other.context_) {}
+
+  template <typename Id> FMT_CONSTEXPR void on_dynamic_width(Id arg_id) {
+    specs_.width_ref = make_arg_ref(arg_id);
+  }
+
+  template <typename Id> FMT_CONSTEXPR void on_dynamic_precision(Id arg_id) {
+    specs_.precision_ref = make_arg_ref(arg_id);
+  }
+
+  FMT_CONSTEXPR void on_error(const char* message) {
+    context_.on_error(message);
+  }
+
+ private:
+  dynamic_format_specs<char_type>& specs_;
+  ParseContext& context_;
+
+  using arg_ref_type = arg_ref<char_type>;
+
+  FMT_CONSTEXPR auto make_arg_ref(int arg_id) -> arg_ref_type {
+    context_.check_arg_id(arg_id);
+    return arg_ref_type(arg_id);
+  }
+
+  FMT_CONSTEXPR auto make_arg_ref(auto_id) -> arg_ref_type {
+    return arg_ref_type(context_.next_arg_id());
+  }
+
+  FMT_CONSTEXPR auto make_arg_ref(basic_string_view<char_type> arg_id)
+      -> arg_ref_type {
+    context_.check_arg_id(arg_id);
+    basic_string_view<char_type> format_str(
+        context_.begin(), to_unsigned(context_.end() - context_.begin()));
+    return arg_ref_type(arg_id);
+  }
+};
+
+template <typename Char> constexpr bool is_ascii_letter(Char c) {
+  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
+}
+
+// Converts a character to ASCII. Returns a number > 127 on conversion failure.
+template <typename Char, FMT_ENABLE_IF(std::is_integral<Char>::value)>
+constexpr auto to_ascii(Char value) -> Char {
+  return value;
+}
+template <typename Char, FMT_ENABLE_IF(std::is_enum<Char>::value)>
+constexpr auto to_ascii(Char value) ->
+    typename std::underlying_type<Char>::type {
+  return value;
+}
+
+template <typename Char>
+FMT_CONSTEXPR auto code_point_length(const Char* begin) -> int {
+  if (const_check(sizeof(Char) != 1)) return 1;
+  auto lengths =
+      "\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\1\0\0\0\0\0\0\0\0\2\2\2\2\3\3\4";
+  int len = lengths[static_cast<unsigned char>(*begin) >> 3];
+
+  // Compute the pointer to the next character early so that the next
+  // iteration can start working on the next character. Neither Clang
+  // nor GCC figure out this reordering on their own.
+  return len + !len;
+}
+
+// Return the result via the out param to workaround gcc bug 77539.
+template <bool IS_CONSTEXPR, typename T, typename Ptr = const T*>
+FMT_CONSTEXPR auto find(Ptr first, Ptr last, T value, Ptr& out) -> bool {
+  for (out = first; out != last; ++out) {
+    if (*out == value) return true;
+  }
+  return false;
+}
+
+template <>
+inline auto find<false, char>(const char* first, const char* last, char value,
+                              const char*& out) -> bool {
+  out = static_cast<const char*>(
+      std::memchr(first, value, to_unsigned(last - first)));
+  return out != nullptr;
+}
+
+// Parses the range [begin, end) as an unsigned integer. This function assumes
+// that the range is non-empty and the first character is a digit.
+template <typename Char>
+FMT_CONSTEXPR auto parse_nonnegative_int(const Char*& begin, const Char* end,
+                                         int error_value) noexcept -> int {
+  FMT_ASSERT(begin != end && '0' <= *begin && *begin <= '9', "");
+  unsigned value = 0, prev = 0;
+  auto p = begin;
+  do {
+    prev = value;
+    value = value * 10 + unsigned(*p - '0');
+    ++p;
+  } while (p != end && '0' <= *p && *p <= '9');
+  auto num_digits = p - begin;
+  begin = p;
+  if (num_digits <= std::numeric_limits<int>::digits10)
+    return static_cast<int>(value);
+  // Check for overflow.
+  const unsigned max = to_unsigned((std::numeric_limits<int>::max)());
+  return num_digits == std::numeric_limits<int>::digits10 + 1 &&
+                 prev * 10ull + unsigned(p[-1] - '0') <= max
+             ? static_cast<int>(value)
+             : error_value;
+}
+
+// Parses fill and alignment.
+template <typename Char, typename Handler>
+FMT_CONSTEXPR auto parse_align(const Char* begin, const Char* end,
+                               Handler&& handler) -> const Char* {
+  FMT_ASSERT(begin != end, "");
+  auto align = align::none;
+  auto p = begin + code_point_length(begin);
+  if (p >= end) p = begin;
+  for (;;) {
+    switch (to_ascii(*p)) {
+    case '<':
+      align = align::left;
+      break;
+    case '>':
+      align = align::right;
+      break;
+    case '^':
+      align = align::center;
+      break;
+    default:
+      break;
+    }
+    if (align != align::none) {
+      if (p != begin) {
+        auto c = *begin;
+        if (c == '{')
+          return handler.on_error("invalid fill character '{'"), begin;
+        handler.on_fill(basic_string_view<Char>(begin, to_unsigned(p - begin)));
+        begin = p + 1;
+      } else
+        ++begin;
+      handler.on_align(align);
+      break;
+    } else if (p == begin) {
+      break;
+    }
+    p = begin;
+  }
+  return begin;
+}
+
+template <typename Char> FMT_CONSTEXPR bool is_name_start(Char c) {
+  return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || '_' == c;
+}
+
+template <typename Char, typename IDHandler>
+FMT_CONSTEXPR auto do_parse_arg_id(const Char* begin, const Char* end,
+                                   IDHandler&& handler) -> const Char* {
+  FMT_ASSERT(begin != end, "");
+  Char c = *begin;
+  if (c >= '0' && c <= '9') {
+    int index = 0;
+    if (c != '0')
+      index =
+          parse_nonnegative_int(begin, end, (std::numeric_limits<int>::max)());
+    else
+      ++begin;
+    if (begin == end || (*begin != '}' && *begin != ':'))
+      handler.on_error("invalid format string");
+    else
+      handler(index);
+    return begin;
+  }
+  if (!is_name_start(c)) {
+    handler.on_error("invalid format string");
+    return begin;
+  }
+  auto it = begin;
+  do {
+    ++it;
+  } while (it != end && (is_name_start(c = *it) || ('0' <= c && c <= '9')));
+  handler(basic_string_view<Char>(begin, to_unsigned(it - begin)));
+  return it;
+}
+
+template <typename Char, typename IDHandler>
+FMT_CONSTEXPR FMT_INLINE auto parse_arg_id(const Char* begin, const Char* end,
+                                           IDHandler&& handler) -> const Char* {
+  Char c = *begin;
+  if (c != '}' && c != ':') return do_parse_arg_id(begin, end, handler);
+  handler();
+  return begin;
+}
+
+template <typename Char, typename Handler>
+FMT_CONSTEXPR auto parse_width(const Char* begin, const Char* end,
+                               Handler&& handler) -> const Char* {
+  using detail::auto_id;
+  struct width_adapter {
+    Handler& handler;
+
+    FMT_CONSTEXPR void operator()() { handler.on_dynamic_width(auto_id()); }
+    FMT_CONSTEXPR void operator()(int id) { handler.on_dynamic_width(id); }
+    FMT_CONSTEXPR void operator()(basic_string_view<Char> id) {
+      handler.on_dynamic_width(id);
+    }
+    FMT_CONSTEXPR void on_error(const char* message) {
+      if (message) handler.on_error(message);
+    }
+  };
+
+  FMT_ASSERT(begin != end, "");
+  if ('0' <= *begin && *begin <= '9') {
+    int width = parse_nonnegative_int(begin, end, -1);
+    if (width != -1)
+      handler.on_width(width);
+    else
+      handler.on_error("number is too big");
+  } else if (*begin == '{') {
+    ++begin;
+    if (begin != end) begin = parse_arg_id(begin, end, width_adapter{handler});
+    if (begin == end || *begin != '}')
+      return handler.on_error("invalid format string"), begin;
+    ++begin;
+  }
+  return begin;
+}
+
+template <typename Char, typename Handler>
+FMT_CONSTEXPR auto parse_precision(const Char* begin, const Char* end,
+                                   Handler&& handler) -> const Char* {
+  using detail::auto_id;
+  struct precision_adapter {
+    Handler& handler;
+
+    FMT_CONSTEXPR void operator()() { handler.on_dynamic_precision(auto_id()); }
+    FMT_CONSTEXPR void operator()(int id) { handler.on_dynamic_precision(id); }
+    FMT_CONSTEXPR void operator()(basic_string_view<Char> id) {
+      handler.on_dynamic_precision(id);
+    }
+    FMT_CONSTEXPR void on_error(const char* message) {
+      if (message) handler.on_error(message);
+    }
+  };
+
+  ++begin;
+  auto c = begin != end ? *begin : Char();
+  if ('0' <= c && c <= '9') {
+    auto precision = parse_nonnegative_int(begin, end, -1);
+    if (precision != -1)
+      handler.on_precision(precision);
+    else
+      handler.on_error("number is too big");
+  } else if (c == '{') {
+    ++begin;
+    if (begin != end)
+      begin = parse_arg_id(begin, end, precision_adapter{handler});
+    if (begin == end || *begin++ != '}')
+      return handler.on_error("invalid format string"), begin;
+  } else {
+    return handler.on_error("missing precision specifier"), begin;
+  }
+  handler.end_precision();
+  return begin;
+}
+
+template <typename Char>
+FMT_CONSTEXPR auto parse_presentation_type(Char type) -> presentation_type {
+  switch (to_ascii(type)) {
+  case 'd':
+    return presentation_type::dec;
+  case 'o':
+    return presentation_type::oct;
+  case 'x':
+    return presentation_type::hex_lower;
+  case 'X':
+    return presentation_type::hex_upper;
+  case 'b':
+    return presentation_type::bin_lower;
+  case 'B':
+    return presentation_type::bin_upper;
+  case 'a':
+    return presentation_type::hexfloat_lower;
+  case 'A':
+    return presentation_type::hexfloat_upper;
+  case 'e':
+    return presentation_type::exp_lower;
+  case 'E':
+    return presentation_type::exp_upper;
+  case 'f':
+    return presentation_type::fixed_lower;
+  case 'F':
+    return presentation_type::fixed_upper;
+  case 'g':
+    return presentation_type::general_lower;
+  case 'G':
+    return presentation_type::general_upper;
+  case 'c':
+    return presentation_type::chr;
+  case 's':
+    return presentation_type::string;
+  case 'p':
+    return presentation_type::pointer;
+  default:
+    return presentation_type::none;
+  }
+}
+
+// Parses standard format specifiers and sends notifications about parsed
+// components to handler.
+template <typename Char, typename SpecHandler>
+FMT_CONSTEXPR FMT_INLINE auto parse_format_specs(const Char* begin,
+                                                 const Char* end,
+                                                 SpecHandler&& handler)
+    -> const Char* {
+  if (1 < end - begin && begin[1] == '}' && is_ascii_letter(*begin) &&
+      *begin != 'L') {
+    presentation_type type = parse_presentation_type(*begin++);
+    if (type == presentation_type::none)
+      handler.on_error("invalid type specifier");
+    handler.on_type(type);
+    return begin;
+  }
+
+  if (begin == end) return begin;
+
+  begin = parse_align(begin, end, handler);
+  if (begin == end) return begin;
+
+  // Parse sign.
+  switch (to_ascii(*begin)) {
+  case '+':
+    handler.on_sign(sign::plus);
+    ++begin;
+    break;
+  case '-':
+    handler.on_sign(sign::minus);
+    ++begin;
+    break;
+  case ' ':
+    handler.on_sign(sign::space);
+    ++begin;
+    break;
+  default:
+    break;
+  }
+  if (begin == end) return begin;
+
+  if (*begin == '#') {
+    handler.on_hash();
+    if (++begin == end) return begin;
+  }
+
+  // Parse zero flag.
+  if (*begin == '0') {
+    handler.on_zero();
+    if (++begin == end) return begin;
+  }
+
+  begin = parse_width(begin, end, handler);
+  if (begin == end) return begin;
+
+  // Parse precision.
+  if (*begin == '.') {
+    begin = parse_precision(begin, end, handler);
+    if (begin == end) return begin;
+  }
+
+  if (*begin == 'L') {
+    handler.on_localized();
+    ++begin;
+  }
+
+  // Parse type.
+  if (begin != end && *begin != '}') {
+    presentation_type type = parse_presentation_type(*begin++);
+    if (type == presentation_type::none)
+      handler.on_error("invalid type specifier");
+    handler.on_type(type);
+  }
+  return begin;
+}
+
+template <typename Char, typename Handler>
+FMT_CONSTEXPR auto parse_replacement_field(const Char* begin, const Char* end,
+                                           Handler&& handler) -> const Char* {
+  struct id_adapter {
+    Handler& handler;
+    int arg_id;
+
+    FMT_CONSTEXPR void operator()() { arg_id = handler.on_arg_id(); }
+    FMT_CONSTEXPR void operator()(int id) { arg_id = handler.on_arg_id(id); }
+    FMT_CONSTEXPR void operator()(basic_string_view<Char> id) {
+      arg_id = handler.on_arg_id(id);
+    }
+    FMT_CONSTEXPR void on_error(const char* message) {
+      if (message) handler.on_error(message);
+    }
+  };
+
+  ++begin;
+  if (begin == end) return handler.on_error("invalid format string"), end;
+  if (*begin == '}') {
+    handler.on_replacement_field(handler.on_arg_id(), begin);
+  } else if (*begin == '{') {
+    handler.on_text(begin, begin + 1);
+  } else {
+    auto adapter = id_adapter{handler, 0};
+    begin = parse_arg_id(begin, end, adapter);
+    Char c = begin != end ? *begin : Char();
+    if (c == '}') {
+      handler.on_replacement_field(adapter.arg_id, begin);
+    } else if (c == ':') {
+      begin = handler.on_format_specs(adapter.arg_id, begin + 1, end);
+      if (begin == end || *begin != '}')
+        return handler.on_error("unknown format specifier"), end;
+    } else {
+      return handler.on_error("missing '}' in format string"), end;
+    }
+  }
+  return begin + 1;
+}
+
+template <bool IS_CONSTEXPR, typename Char, typename Handler>
+FMT_CONSTEXPR FMT_INLINE void parse_format_string(
+    basic_string_view<Char> format_str, Handler&& handler) {
+  // Workaround a name-lookup bug in MSVC's modules implementation.
+  using detail::find;
+
+  auto begin = format_str.data();
+  auto end = begin + format_str.size();
+  if (end - begin < 32) {
+    // Use a simple loop instead of memchr for small strings.
+    const Char* p = begin;
+    while (p != end) {
+      auto c = *p++;
+      if (c == '{') {
+        handler.on_text(begin, p - 1);
+        begin = p = parse_replacement_field(p - 1, end, handler);
+      } else if (c == '}') {
+        if (p == end || *p != '}')
+          return handler.on_error("unmatched '}' in format string");
+        handler.on_text(begin, p);
+        begin = ++p;
+      }
+    }
+    handler.on_text(begin, end);
+    return;
+  }
+  struct writer {
+    FMT_CONSTEXPR void operator()(const Char* pbegin, const Char* pend) {
+      if (pbegin == pend) return;
+      for (;;) {
+        const Char* p = nullptr;
+        if (!find<IS_CONSTEXPR>(pbegin, pend, Char('}'), p))
+          return handler_.on_text(pbegin, pend);
+        ++p;
+        if (p == pend || *p != '}')
+          return handler_.on_error("unmatched '}' in format string");
+        handler_.on_text(pbegin, p);
+        pbegin = p + 1;
+      }
+    }
+    Handler& handler_;
+  } write{handler};
+  while (begin != end) {
+    // Doing two passes with memchr (one for '{' and another for '}') is up to
+    // 2.5x faster than the naive one-pass implementation on big format strings.
+    const Char* p = begin;
+    if (*begin != '{' && !find<IS_CONSTEXPR>(begin + 1, end, Char('{'), p))
+      return write(begin, end);
+    write(begin, p);
+    begin = parse_replacement_field(p, end, handler);
+  }
+}
+
+template <typename T, typename ParseContext>
+FMT_CONSTEXPR auto parse_format_specs(ParseContext& ctx)
+    -> decltype(ctx.begin()) {
+  using char_type = typename ParseContext::char_type;
+  using context = buffer_context<char_type>;
+  using mapped_type = conditional_t<
+      mapped_type_constant<T, context>::value != type::custom_type,
+      decltype(arg_mapper<context>().map(std::declval<const T&>())), T>;
+  auto f = conditional_t<has_formatter<mapped_type, context>::value,
+                         formatter<mapped_type, char_type>,
+                         fallback_formatter<T, char_type>>();
+  return f.parse(ctx);
+}
+
+// A parse context with extra argument id checks. It is only used at compile
+// time because adding checks at runtime would introduce substantial overhead
+// and would be redundant since argument ids are checked when arguments are
+// retrieved anyway.
+template <typename Char, typename ErrorHandler = error_handler>
+class compile_parse_context
+    : public basic_format_parse_context<Char, ErrorHandler> {
+ private:
+  int num_args_;
+  using base = basic_format_parse_context<Char, ErrorHandler>;
+
+ public:
+  explicit FMT_CONSTEXPR compile_parse_context(
+      basic_string_view<Char> format_str,
+      int num_args = (std::numeric_limits<int>::max)(), ErrorHandler eh = {})
+      : base(format_str, eh), num_args_(num_args) {}
+
+  FMT_CONSTEXPR auto next_arg_id() -> int {
+    int id = base::next_arg_id();
+    if (id >= num_args_) this->on_error("argument not found");
+    return id;
+  }
+
+  FMT_CONSTEXPR void check_arg_id(int id) {
+    base::check_arg_id(id);
+    if (id >= num_args_) this->on_error("argument not found");
+  }
+  using base::check_arg_id;
+};
+
+template <typename ErrorHandler>
+FMT_CONSTEXPR void check_int_type_spec(presentation_type type,
+                                       ErrorHandler&& eh) {
+  if (type > presentation_type::bin_upper && type != presentation_type::chr)
+    eh.on_error("invalid type specifier");
+}
+
+// Checks char specs and returns true if the type spec is char (and not int).
+template <typename Char, typename ErrorHandler = error_handler>
+FMT_CONSTEXPR auto check_char_specs(const basic_format_specs<Char>& specs,
+                                    ErrorHandler&& eh = {}) -> bool {
+  if (specs.type != presentation_type::none &&
+      specs.type != presentation_type::chr) {
+    check_int_type_spec(specs.type, eh);
+    return false;
+  }
+  if (specs.align == align::numeric || specs.sign != sign::none || specs.alt)
+    eh.on_error("invalid format specifier for char");
+  return true;
+}
+
+// A floating-point presentation format.
+enum class float_format : unsigned char {
+  general,  // General: exponent notation or fixed point based on magnitude.
+  exp,      // Exponent notation with the default precision of 6, e.g. 1.2e-3.
+  fixed,    // Fixed point with the default precision of 6, e.g. 0.0012.
+  hex
+};
+
+struct float_specs {
+  int precision;
+  float_format format : 8;
+  sign_t sign : 8;
+  bool upper : 1;
+  bool locale : 1;
+  bool binary32 : 1;
+  bool fallback : 1;
+  bool showpoint : 1;
+};
+
+template <typename ErrorHandler = error_handler, typename Char>
+FMT_CONSTEXPR auto parse_float_type_spec(const basic_format_specs<Char>& specs,
+                                         ErrorHandler&& eh = {})
+    -> float_specs {
+  auto result = float_specs();
+  result.showpoint = specs.alt;
+  result.locale = specs.localized;
+  switch (specs.type) {
+  case presentation_type::none:
+    result.format = float_format::general;
+    break;
+  case presentation_type::general_upper:
+    result.upper = true;
+    FMT_FALLTHROUGH;
+  case presentation_type::general_lower:
+    result.format = float_format::general;
+    break;
+  case presentation_type::exp_upper:
+    result.upper = true;
+    FMT_FALLTHROUGH;
+  case presentation_type::exp_lower:
+    result.format = float_format::exp;
+    result.showpoint |= specs.precision != 0;
+    break;
+  case presentation_type::fixed_upper:
+    result.upper = true;
+    FMT_FALLTHROUGH;
+  case presentation_type::fixed_lower:
+    result.format = float_format::fixed;
+    result.showpoint |= specs.precision != 0;
+    break;
+  case presentation_type::hexfloat_upper:
+    result.upper = true;
+    FMT_FALLTHROUGH;
+  case presentation_type::hexfloat_lower:
+    result.format = float_format::hex;
+    break;
+  default:
+    eh.on_error("invalid type specifier");
+    break;
+  }
+  return result;
+}
+
+template <typename ErrorHandler = error_handler>
+FMT_CONSTEXPR auto check_cstring_type_spec(presentation_type type,
+                                           ErrorHandler&& eh = {}) -> bool {
+  if (type == presentation_type::none || type == presentation_type::string)
+    return true;
+  if (type != presentation_type::pointer) eh.on_error("invalid type specifier");
+  return false;
+}
+
+template <typename ErrorHandler = error_handler>
+FMT_CONSTEXPR void check_string_type_spec(presentation_type type,
+                                          ErrorHandler&& eh = {}) {
+  if (type != presentation_type::none && type != presentation_type::string)
+    eh.on_error("invalid type specifier");
+}
+
+template <typename ErrorHandler>
+FMT_CONSTEXPR void check_pointer_type_spec(presentation_type type,
+                                           ErrorHandler&& eh) {
+  if (type != presentation_type::none && type != presentation_type::pointer)
+    eh.on_error("invalid type specifier");
+}
+
+// A parse_format_specs handler that checks if specifiers are consistent with
+// the argument type.
+template <typename Handler> class specs_checker : public Handler {
+ private:
+  detail::type arg_type_;
+
+  FMT_CONSTEXPR void require_numeric_argument() {
+    if (!is_arithmetic_type(arg_type_))
+      this->on_error("format specifier requires numeric argument");
+  }
+
+ public:
+  FMT_CONSTEXPR specs_checker(const Handler& handler, detail::type arg_type)
+      : Handler(handler), arg_type_(arg_type) {}
+
+  FMT_CONSTEXPR void on_align(align_t align) {
+    if (align == align::numeric) require_numeric_argument();
+    Handler::on_align(align);
+  }
+
+  FMT_CONSTEXPR void on_sign(sign_t s) {
+    require_numeric_argument();
+    if (is_integral_type(arg_type_) && arg_type_ != type::int_type &&
+        arg_type_ != type::long_long_type && arg_type_ != type::char_type) {
+      this->on_error("format specifier requires signed argument");
+    }
+    Handler::on_sign(s);
+  }
+
+  FMT_CONSTEXPR void on_hash() {
+    require_numeric_argument();
+    Handler::on_hash();
+  }
+
+  FMT_CONSTEXPR void on_localized() {
+    require_numeric_argument();
+    Handler::on_localized();
+  }
+
+  FMT_CONSTEXPR void on_zero() {
+    require_numeric_argument();
+    Handler::on_zero();
+  }
+
+  FMT_CONSTEXPR void end_precision() {
+    if (is_integral_type(arg_type_) || arg_type_ == type::pointer_type)
+      this->on_error("precision not allowed for this argument type");
+  }
+};
+
+constexpr int invalid_arg_index = -1;
+
+#if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+template <int N, typename T, typename... Args, typename Char>
+constexpr auto get_arg_index_by_name(basic_string_view<Char> name) -> int {
+  if constexpr (detail::is_statically_named_arg<T>()) {
+    if (name == T::name) return N;
+  }
+  if constexpr (sizeof...(Args) > 0)
+    return get_arg_index_by_name<N + 1, Args...>(name);
+  (void)name;  // Workaround an MSVC bug about "unused" parameter.
+  return invalid_arg_index;
+}
+#endif
+
+template <typename... Args, typename Char>
+FMT_CONSTEXPR auto get_arg_index_by_name(basic_string_view<Char> name) -> int {
+#if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+  if constexpr (sizeof...(Args) > 0)
+    return get_arg_index_by_name<0, Args...>(name);
+#endif
+  (void)name;
+  return invalid_arg_index;
+}
+
+template <typename Char, typename ErrorHandler, typename... Args>
+class format_string_checker {
+ private:
+  using parse_context_type = compile_parse_context<Char, ErrorHandler>;
+  enum { num_args = sizeof...(Args) };
+
+  // Format specifier parsing function.
+  using parse_func = const Char* (*)(parse_context_type&);
+
+  parse_context_type context_;
+  parse_func parse_funcs_[num_args > 0 ? num_args : 1];
+
+ public:
+  explicit FMT_CONSTEXPR format_string_checker(
+      basic_string_view<Char> format_str, ErrorHandler eh)
+      : context_(format_str, num_args, eh),
+        parse_funcs_{&parse_format_specs<Args, parse_context_type>...} {}
+
+  FMT_CONSTEXPR void on_text(const Char*, const Char*) {}
+
+  FMT_CONSTEXPR auto on_arg_id() -> int { return context_.next_arg_id(); }
+  FMT_CONSTEXPR auto on_arg_id(int id) -> int {
+    return context_.check_arg_id(id), id;
+  }
+  FMT_CONSTEXPR auto on_arg_id(basic_string_view<Char> id) -> int {
+#if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+    auto index = get_arg_index_by_name<Args...>(id);
+    if (index == invalid_arg_index) on_error("named argument is not found");
+    return context_.check_arg_id(index), index;
+#else
+    (void)id;
+    on_error("compile-time checks for named arguments require C++20 support");
+    return 0;
+#endif
+  }
+
+  FMT_CONSTEXPR void on_replacement_field(int, const Char*) {}
+
+  FMT_CONSTEXPR auto on_format_specs(int id, const Char* begin, const Char*)
+      -> const Char* {
+    context_.advance_to(context_.begin() + (begin - &*context_.begin()));
+    // id >= 0 check is a workaround for gcc 10 bug (#2065).
+    return id >= 0 && id < num_args ? parse_funcs_[id](context_) : begin;
+  }
+
+  FMT_CONSTEXPR void on_error(const char* message) {
+    context_.on_error(message);
+  }
+};
+
+template <typename... Args, typename S,
+          enable_if_t<(is_compile_string<S>::value), int>>
+void check_format_string(S format_str) {
+  FMT_CONSTEXPR auto s = to_string_view(format_str);
+  using checker = format_string_checker<typename S::char_type, error_handler,
+                                        remove_cvref_t<Args>...>;
+  FMT_CONSTEXPR bool invalid_format =
+      (parse_format_string<true>(s, checker(s, {})), true);
+  ignore_unused(invalid_format);
+}
+
+template <typename Char>
+void vformat_to(
+    buffer<Char>& buf, basic_string_view<Char> fmt,
+    basic_format_args<FMT_BUFFER_CONTEXT(type_identity_t<Char>)> args,
+    locale_ref loc = {});
+
+FMT_API void vprint_mojibake(std::FILE*, string_view, format_args);
+#ifndef _WIN32
+inline void vprint_mojibake(std::FILE*, string_view, format_args) {}
+#endif
+FMT_END_DETAIL_NAMESPACE
+
+// A formatter specialization for the core types corresponding to detail::type
+// constants.
+template <typename T, typename Char>
+struct formatter<T, Char,
+                 enable_if_t<detail::type_constant<T, Char>::value !=
+                             detail::type::custom_type>> {
+ private:
+  detail::dynamic_format_specs<Char> specs_;
+
+ public:
+  // Parses format specifiers stopping either at the end of the range or at the
+  // terminating '}'.
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    auto begin = ctx.begin(), end = ctx.end();
+    if (begin == end) return begin;
+    using handler_type = detail::dynamic_specs_handler<ParseContext>;
+    auto type = detail::type_constant<T, Char>::value;
+    auto checker =
+        detail::specs_checker<handler_type>(handler_type(specs_, ctx), type);
+    auto it = detail::parse_format_specs(begin, end, checker);
+    auto eh = ctx.error_handler();
+    switch (type) {
+    case detail::type::none_type:
+      FMT_ASSERT(false, "invalid argument type");
+      break;
+    case detail::type::bool_type:
+      if (specs_.type == presentation_type::none ||
+          specs_.type == presentation_type::string) {
+        break;
+      }
+      FMT_FALLTHROUGH;
+    case detail::type::int_type:
+    case detail::type::uint_type:
+    case detail::type::long_long_type:
+    case detail::type::ulong_long_type:
+    case detail::type::int128_type:
+    case detail::type::uint128_type:
+      detail::check_int_type_spec(specs_.type, eh);
+      break;
+    case detail::type::char_type:
+      detail::check_char_specs(specs_, eh);
+      break;
+    case detail::type::float_type:
+      if (detail::const_check(FMT_USE_FLOAT))
+        detail::parse_float_type_spec(specs_, eh);
+      else
+        FMT_ASSERT(false, "float support disabled");
+      break;
+    case detail::type::double_type:
+      if (detail::const_check(FMT_USE_DOUBLE))
+        detail::parse_float_type_spec(specs_, eh);
+      else
+        FMT_ASSERT(false, "double support disabled");
+      break;
+    case detail::type::long_double_type:
+      if (detail::const_check(FMT_USE_LONG_DOUBLE))
+        detail::parse_float_type_spec(specs_, eh);
+      else
+        FMT_ASSERT(false, "long double support disabled");
+      break;
+    case detail::type::cstring_type:
+      detail::check_cstring_type_spec(specs_.type, eh);
+      break;
+    case detail::type::string_type:
+      detail::check_string_type_spec(specs_.type, eh);
+      break;
+    case detail::type::pointer_type:
+      detail::check_pointer_type_spec(specs_.type, eh);
+      break;
+    case detail::type::custom_type:
+      // Custom format specifiers are checked in parse functions of
+      // formatter specializations.
+      break;
+    }
+    return it;
+  }
+
+  template <typename FormatContext>
+  FMT_CONSTEXPR auto format(const T& val, FormatContext& ctx) const
+      -> decltype(ctx.out());
+};
+
+template <typename Char> struct basic_runtime { basic_string_view<Char> str; };
+
+/** A compile-time format string. */
+template <typename Char, typename... Args> class basic_format_string {
+ private:
+  basic_string_view<Char> str_;
+
+ public:
+  template <typename S,
+            FMT_ENABLE_IF(
+                std::is_convertible<const S&, basic_string_view<Char>>::value)>
+  FMT_CONSTEVAL FMT_INLINE basic_format_string(const S& s) : str_(s) {
+    static_assert(
+        detail::count<
+            (std::is_base_of<detail::view, remove_reference_t<Args>>::value &&
+             std::is_reference<Args>::value)...>() == 0,
+        "passing views as lvalues is disallowed");
+#ifdef FMT_HAS_CONSTEVAL
+    if constexpr (detail::count_named_args<Args...>() ==
+                  detail::count_statically_named_args<Args...>()) {
+      using checker = detail::format_string_checker<Char, detail::error_handler,
+                                                    remove_cvref_t<Args>...>;
+      detail::parse_format_string<true>(str_, checker(s, {}));
+    }
+#else
+    detail::check_format_string<Args...>(s);
+#endif
+  }
+  basic_format_string(basic_runtime<Char> r) : str_(r.str) {}
+
+  FMT_INLINE operator basic_string_view<Char>() const { return str_; }
+};
+
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 409
+// Workaround broken conversion on older gcc.
+template <typename... Args> using format_string = string_view;
+template <typename S> auto runtime(const S& s) -> basic_string_view<char_t<S>> {
+  return s;
+}
+#else
+template <typename... Args>
+using format_string = basic_format_string<char, type_identity_t<Args>...>;
+/**
+  \rst
+  Creates a runtime format string.
+
+  **Example**::
+
+    // Check format string at runtime instead of compile-time.
+    fmt::print(fmt::runtime("{:d}"), "I am not a number");
+  \endrst
+ */
+template <typename S> auto runtime(const S& s) -> basic_runtime<char_t<S>> {
+  return {{s}};
+}
+#endif
+
+FMT_API auto vformat(string_view fmt, format_args args) -> std::string;
+
+/**
+  \rst
+  Formats ``args`` according to specifications in ``fmt`` and returns the result
+  as a string.
+
+  **Example**::
+
+    #include <fmt/core.h>
+    std::string message = fmt::format("The answer is {}.", 42);
+  \endrst
+*/
+template <typename... T>
+FMT_NODISCARD FMT_INLINE auto format(format_string<T...> fmt, T&&... args)
+    -> std::string {
+  return vformat(fmt, fmt::make_format_args(args...));
+}
+
+/** Formats a string and writes the output to ``out``. */
+template <typename OutputIt,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, char>::value)>
+auto vformat_to(OutputIt out, string_view fmt, format_args args) -> OutputIt {
+  using detail::get_buffer;
+  auto&& buf = get_buffer<char>(out);
+  detail::vformat_to(buf, fmt, args, {});
+  return detail::get_iterator(buf);
+}
+
+/**
+ \rst
+ Formats ``args`` according to specifications in ``fmt``, writes the result to
+ the output iterator ``out`` and returns the iterator past the end of the output
+ range. `format_to` does not append a terminating null character.
+
+ **Example**::
+
+   auto out = std::vector<char>();
+   fmt::format_to(std::back_inserter(out), "{}", 42);
+ \endrst
+ */
+template <typename OutputIt, typename... T,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, char>::value)>
+FMT_INLINE auto format_to(OutputIt out, format_string<T...> fmt, T&&... args)
+    -> OutputIt {
+  return vformat_to(out, fmt, fmt::make_format_args(args...));
+}
+
+template <typename OutputIt> struct format_to_n_result {
+  /** Iterator past the end of the output range. */
+  OutputIt out;
+  /** Total (not truncated) output size. */
+  size_t size;
+};
+
+template <typename OutputIt, typename... T,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, char>::value)>
+auto vformat_to_n(OutputIt out, size_t n, string_view fmt, format_args args)
+    -> format_to_n_result<OutputIt> {
+  using traits = detail::fixed_buffer_traits;
+  auto buf = detail::iterator_buffer<OutputIt, char, traits>(out, n);
+  detail::vformat_to(buf, fmt, args, {});
+  return {buf.out(), buf.count()};
+}
+
+/**
+  \rst
+  Formats ``args`` according to specifications in ``fmt``, writes up to ``n``
+  characters of the result to the output iterator ``out`` and returns the total
+  (not truncated) output size and the iterator past the end of the output range.
+  `format_to_n` does not append a terminating null character.
+  \endrst
+ */
+template <typename OutputIt, typename... T,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, char>::value)>
+FMT_INLINE auto format_to_n(OutputIt out, size_t n, format_string<T...> fmt,
+                            T&&... args) -> format_to_n_result<OutputIt> {
+  return vformat_to_n(out, n, fmt, fmt::make_format_args(args...));
+}
+
+/** Returns the number of chars in the output of ``format(fmt, args...)``. */
+template <typename... T>
+FMT_NODISCARD FMT_INLINE auto formatted_size(format_string<T...> fmt,
+                                             T&&... args) -> size_t {
+  auto buf = detail::counting_buffer<>();
+  detail::vformat_to(buf, string_view(fmt), fmt::make_format_args(args...), {});
+  return buf.count();
+}
+
+FMT_API void vprint(string_view fmt, format_args args);
+FMT_API void vprint(std::FILE* f, string_view fmt, format_args args);
+
+/**
+  \rst
+  Formats ``args`` according to specifications in ``fmt`` and writes the output
+  to ``stdout``.
+
+  **Example**::
+
+    fmt::print("Elapsed time: {0:.2f} seconds", 1.23);
+  \endrst
+ */
+template <typename... T>
+FMT_INLINE void print(format_string<T...> fmt, T&&... args) {
+  const auto& vargs = fmt::make_format_args(args...);
+  return detail::is_utf8() ? vprint(fmt, vargs)
+                           : detail::vprint_mojibake(stdout, fmt, vargs);
+}
+
+/**
+  \rst
+  Formats ``args`` according to specifications in ``fmt`` and writes the
+  output to the file ``f``.
+
+  **Example**::
+
+    fmt::print(stderr, "Don't {}!", "panic");
+  \endrst
+ */
+template <typename... T>
+FMT_INLINE void print(std::FILE* f, format_string<T...> fmt, T&&... args) {
+  const auto& vargs = fmt::make_format_args(args...);
+  return detail::is_utf8() ? vprint(f, fmt, vargs)
+                           : detail::vprint_mojibake(f, fmt, vargs);
+}
+
+FMT_MODULE_EXPORT_END
+FMT_GCC_PRAGMA("GCC pop_options")
+FMT_END_NAMESPACE
+
+#ifdef FMT_HEADER_ONLY
+#  include "format.h"
+#endif
+#endif  // FMT_CORE_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/format-inl.h b/ctrtool/deps/libfmt/include/fmt/format-inl.h
new file mode 100644
index 00000000..2c51c50a
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/format-inl.h
@@ -0,0 +1,2643 @@
+// Formatting library for C++ - implementation
+//
+// Copyright (c) 2012 - 2016, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_FORMAT_INL_H_
+#define FMT_FORMAT_INL_H_
+
+#include <algorithm>
+#include <cctype>
+#include <cerrno>  // errno
+#include <climits>
+#include <cmath>
+#include <cstdarg>
+#include <cstring>  // std::memmove
+#include <cwchar>
+#include <exception>
+
+#ifndef FMT_STATIC_THOUSANDS_SEPARATOR
+#  include <locale>
+#endif
+
+#ifdef _WIN32
+#  include <io.h>  // _isatty
+#endif
+
+#include "format.h"
+
+FMT_BEGIN_NAMESPACE
+namespace detail {
+
+FMT_FUNC void assert_fail(const char* file, int line, const char* message) {
+  // Use unchecked std::fprintf to avoid triggering another assertion when
+  // writing to stderr fails
+  std::fprintf(stderr, "%s:%d: assertion failed: %s", file, line, message);
+  // Chosen instead of std::abort to satisfy Clang in CUDA mode during device
+  // code pass.
+  std::terminate();
+}
+
+FMT_FUNC void throw_format_error(const char* message) {
+  FMT_THROW(format_error(message));
+}
+
+#ifndef _MSC_VER
+#  define FMT_SNPRINTF snprintf
+#else  // _MSC_VER
+inline int fmt_snprintf(char* buffer, size_t size, const char* format, ...) {
+  va_list args;
+  va_start(args, format);
+  int result = vsnprintf_s(buffer, size, _TRUNCATE, format, args);
+  va_end(args);
+  return result;
+}
+#  define FMT_SNPRINTF fmt_snprintf
+#endif  // _MSC_VER
+
+FMT_FUNC void format_error_code(detail::buffer<char>& out, int error_code,
+                                string_view message) FMT_NOEXCEPT {
+  // Report error code making sure that the output fits into
+  // inline_buffer_size to avoid dynamic memory allocation and potential
+  // bad_alloc.
+  out.try_resize(0);
+  static const char SEP[] = ": ";
+  static const char ERROR_STR[] = "error ";
+  // Subtract 2 to account for terminating null characters in SEP and ERROR_STR.
+  size_t error_code_size = sizeof(SEP) + sizeof(ERROR_STR) - 2;
+  auto abs_value = static_cast<uint32_or_64_or_128_t<int>>(error_code);
+  if (detail::is_negative(error_code)) {
+    abs_value = 0 - abs_value;
+    ++error_code_size;
+  }
+  error_code_size += detail::to_unsigned(detail::count_digits(abs_value));
+  auto it = buffer_appender<char>(out);
+  if (message.size() <= inline_buffer_size - error_code_size)
+    format_to(it, FMT_STRING("{}{}"), message, SEP);
+  format_to(it, FMT_STRING("{}{}"), ERROR_STR, error_code);
+  FMT_ASSERT(out.size() <= inline_buffer_size, "");
+}
+
+FMT_FUNC void report_error(format_func func, int error_code,
+                           const char* message) FMT_NOEXCEPT {
+  memory_buffer full_message;
+  func(full_message, error_code, message);
+  // Don't use fwrite_fully because the latter may throw.
+  if (std::fwrite(full_message.data(), full_message.size(), 1, stderr) > 0)
+    std::fputc('\n', stderr);
+}
+
+// A wrapper around fwrite that throws on error.
+inline void fwrite_fully(const void* ptr, size_t size, size_t count,
+                         FILE* stream) {
+  size_t written = std::fwrite(ptr, size, count, stream);
+  if (written < count) FMT_THROW(system_error(errno, "cannot write to file"));
+}
+
+#ifndef FMT_STATIC_THOUSANDS_SEPARATOR
+template <typename Locale>
+locale_ref::locale_ref(const Locale& loc) : locale_(&loc) {
+  static_assert(std::is_same<Locale, std::locale>::value, "");
+}
+
+template <typename Locale> Locale locale_ref::get() const {
+  static_assert(std::is_same<Locale, std::locale>::value, "");
+  return locale_ ? *static_cast<const std::locale*>(locale_) : std::locale();
+}
+
+template <typename Char>
+FMT_FUNC auto thousands_sep_impl(locale_ref loc) -> thousands_sep_result<Char> {
+  auto& facet = std::use_facet<std::numpunct<Char>>(loc.get<std::locale>());
+  auto grouping = facet.grouping();
+  auto thousands_sep = grouping.empty() ? Char() : facet.thousands_sep();
+  return {std::move(grouping), thousands_sep};
+}
+template <typename Char> FMT_FUNC Char decimal_point_impl(locale_ref loc) {
+  return std::use_facet<std::numpunct<Char>>(loc.get<std::locale>())
+      .decimal_point();
+}
+#else
+template <typename Char>
+FMT_FUNC auto thousands_sep_impl(locale_ref) -> thousands_sep_result<Char> {
+  return {"\03", FMT_STATIC_THOUSANDS_SEPARATOR};
+}
+template <typename Char> FMT_FUNC Char decimal_point_impl(locale_ref) {
+  return '.';
+}
+#endif
+}  // namespace detail
+
+#if !FMT_MSC_VER
+FMT_API FMT_FUNC format_error::~format_error() FMT_NOEXCEPT = default;
+#endif
+
+FMT_FUNC std::system_error vsystem_error(int error_code, string_view format_str,
+                                         format_args args) {
+  auto ec = std::error_code(error_code, std::generic_category());
+  return std::system_error(ec, vformat(format_str, args));
+}
+
+namespace detail {
+
+template <> FMT_FUNC int count_digits<4>(detail::fallback_uintptr n) {
+  // fallback_uintptr is always stored in little endian.
+  int i = static_cast<int>(sizeof(void*)) - 1;
+  while (i > 0 && n.value[i] == 0) --i;
+  auto char_digits = std::numeric_limits<unsigned char>::digits / 4;
+  return i >= 0 ? i * char_digits + count_digits<4, unsigned>(n.value[i]) : 1;
+}
+
+// log10(2) = 0x0.4d104d427de7fbcc...
+static constexpr uint64_t log10_2_significand = 0x4d104d427de7fbcc;
+
+template <typename T = void> struct basic_impl_data {
+  // Normalized 64-bit significands of pow(10, k), for k = -348, -340, ..., 340.
+  // These are generated by support/compute-powers.py.
+  static constexpr uint64_t pow10_significands[87] = {
+      0xfa8fd5a0081c0288, 0xbaaee17fa23ebf76, 0x8b16fb203055ac76,
+      0xcf42894a5dce35ea, 0x9a6bb0aa55653b2d, 0xe61acf033d1a45df,
+      0xab70fe17c79ac6ca, 0xff77b1fcbebcdc4f, 0xbe5691ef416bd60c,
+      0x8dd01fad907ffc3c, 0xd3515c2831559a83, 0x9d71ac8fada6c9b5,
+      0xea9c227723ee8bcb, 0xaecc49914078536d, 0x823c12795db6ce57,
+      0xc21094364dfb5637, 0x9096ea6f3848984f, 0xd77485cb25823ac7,
+      0xa086cfcd97bf97f4, 0xef340a98172aace5, 0xb23867fb2a35b28e,
+      0x84c8d4dfd2c63f3b, 0xc5dd44271ad3cdba, 0x936b9fcebb25c996,
+      0xdbac6c247d62a584, 0xa3ab66580d5fdaf6, 0xf3e2f893dec3f126,
+      0xb5b5ada8aaff80b8, 0x87625f056c7c4a8b, 0xc9bcff6034c13053,
+      0x964e858c91ba2655, 0xdff9772470297ebd, 0xa6dfbd9fb8e5b88f,
+      0xf8a95fcf88747d94, 0xb94470938fa89bcf, 0x8a08f0f8bf0f156b,
+      0xcdb02555653131b6, 0x993fe2c6d07b7fac, 0xe45c10c42a2b3b06,
+      0xaa242499697392d3, 0xfd87b5f28300ca0e, 0xbce5086492111aeb,
+      0x8cbccc096f5088cc, 0xd1b71758e219652c, 0x9c40000000000000,
+      0xe8d4a51000000000, 0xad78ebc5ac620000, 0x813f3978f8940984,
+      0xc097ce7bc90715b3, 0x8f7e32ce7bea5c70, 0xd5d238a4abe98068,
+      0x9f4f2726179a2245, 0xed63a231d4c4fb27, 0xb0de65388cc8ada8,
+      0x83c7088e1aab65db, 0xc45d1df942711d9a, 0x924d692ca61be758,
+      0xda01ee641a708dea, 0xa26da3999aef774a, 0xf209787bb47d6b85,
+      0xb454e4a179dd1877, 0x865b86925b9bc5c2, 0xc83553c5c8965d3d,
+      0x952ab45cfa97a0b3, 0xde469fbd99a05fe3, 0xa59bc234db398c25,
+      0xf6c69a72a3989f5c, 0xb7dcbf5354e9bece, 0x88fcf317f22241e2,
+      0xcc20ce9bd35c78a5, 0x98165af37b2153df, 0xe2a0b5dc971f303a,
+      0xa8d9d1535ce3b396, 0xfb9b7cd9a4a7443c, 0xbb764c4ca7a44410,
+      0x8bab8eefb6409c1a, 0xd01fef10a657842c, 0x9b10a4e5e9913129,
+      0xe7109bfba19c0c9d, 0xac2820d9623bf429, 0x80444b5e7aa7cf85,
+      0xbf21e44003acdd2d, 0x8e679c2f5e44ff8f, 0xd433179d9c8cb841,
+      0x9e19db92b4e31ba9, 0xeb96bf6ebadf77d9, 0xaf87023b9bf0ee6b,
+  };
+
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 409
+#  pragma GCC diagnostic push
+#  pragma GCC diagnostic ignored "-Wnarrowing"
+#endif
+  // Binary exponents of pow(10, k), for k = -348, -340, ..., 340, corresponding
+  // to significands above.
+  static constexpr int16_t pow10_exponents[87] = {
+      -1220, -1193, -1166, -1140, -1113, -1087, -1060, -1034, -1007, -980, -954,
+      -927,  -901,  -874,  -847,  -821,  -794,  -768,  -741,  -715,  -688, -661,
+      -635,  -608,  -582,  -555,  -529,  -502,  -475,  -449,  -422,  -396, -369,
+      -343,  -316,  -289,  -263,  -236,  -210,  -183,  -157,  -130,  -103, -77,
+      -50,   -24,   3,     30,    56,    83,    109,   136,   162,   189,  216,
+      242,   269,   295,   322,   348,   375,   402,   428,   455,   481,  508,
+      534,   561,   588,   614,   641,   667,   694,   720,   747,   774,  800,
+      827,   853,   880,   907,   933,   960,   986,   1013,  1039,  1066};
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 409
+#  pragma GCC diagnostic pop
+#endif
+
+  static constexpr uint64_t power_of_10_64[20] = {
+      1, FMT_POWERS_OF_10(1ULL), FMT_POWERS_OF_10(1000000000ULL),
+      10000000000000000000ULL};
+};
+
+// This is a struct rather than an alias to avoid shadowing warnings in gcc.
+struct impl_data : basic_impl_data<> {};
+
+#if __cplusplus < 201703L
+template <typename T>
+constexpr uint64_t basic_impl_data<T>::pow10_significands[];
+template <typename T> constexpr int16_t basic_impl_data<T>::pow10_exponents[];
+template <typename T> constexpr uint64_t basic_impl_data<T>::power_of_10_64[];
+#endif
+
+template <typename T> struct bits {
+  static FMT_CONSTEXPR_DECL const int value =
+      static_cast<int>(sizeof(T) * std::numeric_limits<unsigned char>::digits);
+};
+
+// Returns the number of significand bits in Float excluding the implicit bit.
+template <typename Float> constexpr int num_significand_bits() {
+  // Subtract 1 to account for an implicit most significant bit in the
+  // normalized form.
+  return std::numeric_limits<Float>::digits - 1;
+}
+
+// A floating-point number f * pow(2, e).
+struct fp {
+  uint64_t f;
+  int e;
+
+  static constexpr const int num_significand_bits = bits<decltype(f)>::value;
+
+  constexpr fp() : f(0), e(0) {}
+  constexpr fp(uint64_t f_val, int e_val) : f(f_val), e(e_val) {}
+
+  // Constructs fp from an IEEE754 floating-point number. It is a template to
+  // prevent compile errors on systems where n is not IEEE754.
+  template <typename Float> explicit FMT_CONSTEXPR fp(Float n) { assign(n); }
+
+  template <typename Float>
+  using is_supported = bool_constant<sizeof(Float) == sizeof(uint64_t) ||
+                                     sizeof(Float) == sizeof(uint32_t)>;
+
+  // Assigns d to this and return true iff predecessor is closer than successor.
+  template <typename Float, FMT_ENABLE_IF(is_supported<Float>::value)>
+  FMT_CONSTEXPR bool assign(Float n) {
+    // Assume float is in the format [sign][exponent][significand].
+    const int num_float_significand_bits =
+        detail::num_significand_bits<Float>();
+    const uint64_t implicit_bit = 1ULL << num_float_significand_bits;
+    const uint64_t significand_mask = implicit_bit - 1;
+    constexpr bool is_double = sizeof(Float) == sizeof(uint64_t);
+    auto u = bit_cast<conditional_t<is_double, uint64_t, uint32_t>>(n);
+    f = u & significand_mask;
+    const uint64_t exponent_mask = (~0ULL >> 1) & ~significand_mask;
+    int biased_e =
+        static_cast<int>((u & exponent_mask) >> num_float_significand_bits);
+    // The predecessor is closer if n is a normalized power of 2 (f == 0) other
+    // than the smallest normalized number (biased_e > 1).
+    bool is_predecessor_closer = f == 0 && biased_e > 1;
+    if (biased_e != 0)
+      f += implicit_bit;
+    else
+      biased_e = 1;  // Subnormals use biased exponent 1 (min exponent).
+    const int exponent_bias = std::numeric_limits<Float>::max_exponent - 1;
+    e = biased_e - exponent_bias - num_float_significand_bits;
+    return is_predecessor_closer;
+  }
+
+  template <typename Float, FMT_ENABLE_IF(!is_supported<Float>::value)>
+  bool assign(Float) {
+    FMT_ASSERT(false, "");
+    return false;
+  }
+};
+
+// Normalizes the value converted from double and multiplied by (1 << SHIFT).
+template <int SHIFT = 0> FMT_CONSTEXPR fp normalize(fp value) {
+  // Handle subnormals.
+  const uint64_t implicit_bit = 1ULL << num_significand_bits<double>();
+  const auto shifted_implicit_bit = implicit_bit << SHIFT;
+  while ((value.f & shifted_implicit_bit) == 0) {
+    value.f <<= 1;
+    --value.e;
+  }
+  // Subtract 1 to account for hidden bit.
+  const auto offset =
+      fp::num_significand_bits - num_significand_bits<double>() - SHIFT - 1;
+  value.f <<= offset;
+  value.e -= offset;
+  return value;
+}
+
+inline bool operator==(fp x, fp y) { return x.f == y.f && x.e == y.e; }
+
+// Computes lhs * rhs / pow(2, 64) rounded to nearest with half-up tie breaking.
+FMT_CONSTEXPR inline uint64_t multiply(uint64_t lhs, uint64_t rhs) {
+#if FMT_USE_INT128
+  auto product = static_cast<__uint128_t>(lhs) * rhs;
+  auto f = static_cast<uint64_t>(product >> 64);
+  return (static_cast<uint64_t>(product) & (1ULL << 63)) != 0 ? f + 1 : f;
+#else
+  // Multiply 32-bit parts of significands.
+  uint64_t mask = (1ULL << 32) - 1;
+  uint64_t a = lhs >> 32, b = lhs & mask;
+  uint64_t c = rhs >> 32, d = rhs & mask;
+  uint64_t ac = a * c, bc = b * c, ad = a * d, bd = b * d;
+  // Compute mid 64-bit of result and round.
+  uint64_t mid = (bd >> 32) + (ad & mask) + (bc & mask) + (1U << 31);
+  return ac + (ad >> 32) + (bc >> 32) + (mid >> 32);
+#endif
+}
+
+FMT_CONSTEXPR inline fp operator*(fp x, fp y) {
+  return {multiply(x.f, y.f), x.e + y.e + 64};
+}
+
+// Returns a cached power of 10 `c_k = c_k.f * pow(2, c_k.e)` such that its
+// (binary) exponent satisfies `min_exponent <= c_k.e <= min_exponent + 28`.
+FMT_CONSTEXPR inline fp get_cached_power(int min_exponent,
+                                         int& pow10_exponent) {
+  const int shift = 32;
+  const auto significand = static_cast<int64_t>(log10_2_significand);
+  int index = static_cast<int>(
+      ((min_exponent + fp::num_significand_bits - 1) * (significand >> shift) +
+       ((int64_t(1) << shift) - 1))  // ceil
+      >> 32                          // arithmetic shift
+  );
+  // Decimal exponent of the first (smallest) cached power of 10.
+  const int first_dec_exp = -348;
+  // Difference between 2 consecutive decimal exponents in cached powers of 10.
+  const int dec_exp_step = 8;
+  index = (index - first_dec_exp - 1) / dec_exp_step + 1;
+  pow10_exponent = first_dec_exp + index * dec_exp_step;
+  return {impl_data::pow10_significands[index],
+          impl_data::pow10_exponents[index]};
+}
+
+// A simple accumulator to hold the sums of terms in bigint::square if uint128_t
+// is not available.
+struct accumulator {
+  uint64_t lower;
+  uint64_t upper;
+
+  constexpr accumulator() : lower(0), upper(0) {}
+  constexpr explicit operator uint32_t() const {
+    return static_cast<uint32_t>(lower);
+  }
+
+  FMT_CONSTEXPR void operator+=(uint64_t n) {
+    lower += n;
+    if (lower < n) ++upper;
+  }
+  FMT_CONSTEXPR void operator>>=(int shift) {
+    FMT_ASSERT(shift == 32, "");
+    (void)shift;
+    lower = (upper << 32) | (lower >> 32);
+    upper >>= 32;
+  }
+};
+
+class bigint {
+ private:
+  // A bigint is stored as an array of bigits (big digits), with bigit at index
+  // 0 being the least significant one.
+  using bigit = uint32_t;
+  using double_bigit = uint64_t;
+  enum { bigits_capacity = 32 };
+  basic_memory_buffer<bigit, bigits_capacity> bigits_;
+  int exp_;
+
+  FMT_CONSTEXPR20 bigit operator[](int index) const {
+    return bigits_[to_unsigned(index)];
+  }
+  FMT_CONSTEXPR20 bigit& operator[](int index) {
+    return bigits_[to_unsigned(index)];
+  }
+
+  static FMT_CONSTEXPR_DECL const int bigit_bits = bits<bigit>::value;
+
+  friend struct formatter<bigint>;
+
+  FMT_CONSTEXPR20 void subtract_bigits(int index, bigit other, bigit& borrow) {
+    auto result = static_cast<double_bigit>((*this)[index]) - other - borrow;
+    (*this)[index] = static_cast<bigit>(result);
+    borrow = static_cast<bigit>(result >> (bigit_bits * 2 - 1));
+  }
+
+  FMT_CONSTEXPR20 void remove_leading_zeros() {
+    int num_bigits = static_cast<int>(bigits_.size()) - 1;
+    while (num_bigits > 0 && (*this)[num_bigits] == 0) --num_bigits;
+    bigits_.resize(to_unsigned(num_bigits + 1));
+  }
+
+  // Computes *this -= other assuming aligned bigints and *this >= other.
+  FMT_CONSTEXPR20 void subtract_aligned(const bigint& other) {
+    FMT_ASSERT(other.exp_ >= exp_, "unaligned bigints");
+    FMT_ASSERT(compare(*this, other) >= 0, "");
+    bigit borrow = 0;
+    int i = other.exp_ - exp_;
+    for (size_t j = 0, n = other.bigits_.size(); j != n; ++i, ++j)
+      subtract_bigits(i, other.bigits_[j], borrow);
+    while (borrow > 0) subtract_bigits(i, 0, borrow);
+    remove_leading_zeros();
+  }
+
+  FMT_CONSTEXPR20 void multiply(uint32_t value) {
+    const double_bigit wide_value = value;
+    bigit carry = 0;
+    for (size_t i = 0, n = bigits_.size(); i < n; ++i) {
+      double_bigit result = bigits_[i] * wide_value + carry;
+      bigits_[i] = static_cast<bigit>(result);
+      carry = static_cast<bigit>(result >> bigit_bits);
+    }
+    if (carry != 0) bigits_.push_back(carry);
+  }
+
+  FMT_CONSTEXPR20 void multiply(uint64_t value) {
+    const bigit mask = ~bigit(0);
+    const double_bigit lower = value & mask;
+    const double_bigit upper = value >> bigit_bits;
+    double_bigit carry = 0;
+    for (size_t i = 0, n = bigits_.size(); i < n; ++i) {
+      double_bigit result = bigits_[i] * lower + (carry & mask);
+      carry =
+          bigits_[i] * upper + (result >> bigit_bits) + (carry >> bigit_bits);
+      bigits_[i] = static_cast<bigit>(result);
+    }
+    while (carry != 0) {
+      bigits_.push_back(carry & mask);
+      carry >>= bigit_bits;
+    }
+  }
+
+ public:
+  FMT_CONSTEXPR20 bigint() : exp_(0) {}
+  explicit bigint(uint64_t n) { assign(n); }
+  FMT_CONSTEXPR20 ~bigint() {
+    FMT_ASSERT(bigits_.capacity() <= bigits_capacity, "");
+  }
+
+  bigint(const bigint&) = delete;
+  void operator=(const bigint&) = delete;
+
+  FMT_CONSTEXPR20 void assign(const bigint& other) {
+    auto size = other.bigits_.size();
+    bigits_.resize(size);
+    auto data = other.bigits_.data();
+    std::copy(data, data + size, make_checked(bigits_.data(), size));
+    exp_ = other.exp_;
+  }
+
+  FMT_CONSTEXPR20 void assign(uint64_t n) {
+    size_t num_bigits = 0;
+    do {
+      bigits_[num_bigits++] = n & ~bigit(0);
+      n >>= bigit_bits;
+    } while (n != 0);
+    bigits_.resize(num_bigits);
+    exp_ = 0;
+  }
+
+  FMT_CONSTEXPR20 int num_bigits() const {
+    return static_cast<int>(bigits_.size()) + exp_;
+  }
+
+  FMT_NOINLINE FMT_CONSTEXPR20 bigint& operator<<=(int shift) {
+    FMT_ASSERT(shift >= 0, "");
+    exp_ += shift / bigit_bits;
+    shift %= bigit_bits;
+    if (shift == 0) return *this;
+    bigit carry = 0;
+    for (size_t i = 0, n = bigits_.size(); i < n; ++i) {
+      bigit c = bigits_[i] >> (bigit_bits - shift);
+      bigits_[i] = (bigits_[i] << shift) + carry;
+      carry = c;
+    }
+    if (carry != 0) bigits_.push_back(carry);
+    return *this;
+  }
+
+  template <typename Int> FMT_CONSTEXPR20 bigint& operator*=(Int value) {
+    FMT_ASSERT(value > 0, "");
+    multiply(uint32_or_64_or_128_t<Int>(value));
+    return *this;
+  }
+
+  friend FMT_CONSTEXPR20 int compare(const bigint& lhs, const bigint& rhs) {
+    int num_lhs_bigits = lhs.num_bigits(), num_rhs_bigits = rhs.num_bigits();
+    if (num_lhs_bigits != num_rhs_bigits)
+      return num_lhs_bigits > num_rhs_bigits ? 1 : -1;
+    int i = static_cast<int>(lhs.bigits_.size()) - 1;
+    int j = static_cast<int>(rhs.bigits_.size()) - 1;
+    int end = i - j;
+    if (end < 0) end = 0;
+    for (; i >= end; --i, --j) {
+      bigit lhs_bigit = lhs[i], rhs_bigit = rhs[j];
+      if (lhs_bigit != rhs_bigit) return lhs_bigit > rhs_bigit ? 1 : -1;
+    }
+    if (i != j) return i > j ? 1 : -1;
+    return 0;
+  }
+
+  // Returns compare(lhs1 + lhs2, rhs).
+  friend FMT_CONSTEXPR20 int add_compare(const bigint& lhs1, const bigint& lhs2,
+                                         const bigint& rhs) {
+    int max_lhs_bigits = (std::max)(lhs1.num_bigits(), lhs2.num_bigits());
+    int num_rhs_bigits = rhs.num_bigits();
+    if (max_lhs_bigits + 1 < num_rhs_bigits) return -1;
+    if (max_lhs_bigits > num_rhs_bigits) return 1;
+    auto get_bigit = [](const bigint& n, int i) -> bigit {
+      return i >= n.exp_ && i < n.num_bigits() ? n[i - n.exp_] : 0;
+    };
+    double_bigit borrow = 0;
+    int min_exp = (std::min)((std::min)(lhs1.exp_, lhs2.exp_), rhs.exp_);
+    for (int i = num_rhs_bigits - 1; i >= min_exp; --i) {
+      double_bigit sum =
+          static_cast<double_bigit>(get_bigit(lhs1, i)) + get_bigit(lhs2, i);
+      bigit rhs_bigit = get_bigit(rhs, i);
+      if (sum > rhs_bigit + borrow) return 1;
+      borrow = rhs_bigit + borrow - sum;
+      if (borrow > 1) return -1;
+      borrow <<= bigit_bits;
+    }
+    return borrow != 0 ? -1 : 0;
+  }
+
+  // Assigns pow(10, exp) to this bigint.
+  FMT_CONSTEXPR20 void assign_pow10(int exp) {
+    FMT_ASSERT(exp >= 0, "");
+    if (exp == 0) return assign(1);
+    // Find the top bit.
+    int bitmask = 1;
+    while (exp >= bitmask) bitmask <<= 1;
+    bitmask >>= 1;
+    // pow(10, exp) = pow(5, exp) * pow(2, exp). First compute pow(5, exp) by
+    // repeated squaring and multiplication.
+    assign(5);
+    bitmask >>= 1;
+    while (bitmask != 0) {
+      square();
+      if ((exp & bitmask) != 0) *this *= 5;
+      bitmask >>= 1;
+    }
+    *this <<= exp;  // Multiply by pow(2, exp) by shifting.
+  }
+
+  FMT_CONSTEXPR20 void square() {
+    int num_bigits = static_cast<int>(bigits_.size());
+    int num_result_bigits = 2 * num_bigits;
+    basic_memory_buffer<bigit, bigits_capacity> n(std::move(bigits_));
+    bigits_.resize(to_unsigned(num_result_bigits));
+    using accumulator_t = conditional_t<FMT_USE_INT128, uint128_t, accumulator>;
+    auto sum = accumulator_t();
+    for (int bigit_index = 0; bigit_index < num_bigits; ++bigit_index) {
+      // Compute bigit at position bigit_index of the result by adding
+      // cross-product terms n[i] * n[j] such that i + j == bigit_index.
+      for (int i = 0, j = bigit_index; j >= 0; ++i, --j) {
+        // Most terms are multiplied twice which can be optimized in the future.
+        sum += static_cast<double_bigit>(n[i]) * n[j];
+      }
+      (*this)[bigit_index] = static_cast<bigit>(sum);
+      sum >>= bits<bigit>::value;  // Compute the carry.
+    }
+    // Do the same for the top half.
+    for (int bigit_index = num_bigits; bigit_index < num_result_bigits;
+         ++bigit_index) {
+      for (int j = num_bigits - 1, i = bigit_index - j; i < num_bigits;)
+        sum += static_cast<double_bigit>(n[i++]) * n[j--];
+      (*this)[bigit_index] = static_cast<bigit>(sum);
+      sum >>= bits<bigit>::value;
+    }
+    remove_leading_zeros();
+    exp_ *= 2;
+  }
+
+  // If this bigint has a bigger exponent than other, adds trailing zero to make
+  // exponents equal. This simplifies some operations such as subtraction.
+  FMT_CONSTEXPR20 void align(const bigint& other) {
+    int exp_difference = exp_ - other.exp_;
+    if (exp_difference <= 0) return;
+    int num_bigits = static_cast<int>(bigits_.size());
+    bigits_.resize(to_unsigned(num_bigits + exp_difference));
+    for (int i = num_bigits - 1, j = i + exp_difference; i >= 0; --i, --j)
+      bigits_[j] = bigits_[i];
+    std::uninitialized_fill_n(bigits_.data(), exp_difference, 0);
+    exp_ -= exp_difference;
+  }
+
+  // Divides this bignum by divisor, assigning the remainder to this and
+  // returning the quotient.
+  FMT_CONSTEXPR20 int divmod_assign(const bigint& divisor) {
+    FMT_ASSERT(this != &divisor, "");
+    if (compare(*this, divisor) < 0) return 0;
+    FMT_ASSERT(divisor.bigits_[divisor.bigits_.size() - 1u] != 0, "");
+    align(divisor);
+    int quotient = 0;
+    do {
+      subtract_aligned(divisor);
+      ++quotient;
+    } while (compare(*this, divisor) >= 0);
+    return quotient;
+  }
+};
+
+enum class round_direction { unknown, up, down };
+
+// Given the divisor (normally a power of 10), the remainder = v % divisor for
+// some number v and the error, returns whether v should be rounded up, down, or
+// whether the rounding direction can't be determined due to error.
+// error should be less than divisor / 2.
+FMT_CONSTEXPR inline round_direction get_round_direction(uint64_t divisor,
+                                                         uint64_t remainder,
+                                                         uint64_t error) {
+  FMT_ASSERT(remainder < divisor, "");  // divisor - remainder won't overflow.
+  FMT_ASSERT(error < divisor, "");      // divisor - error won't overflow.
+  FMT_ASSERT(error < divisor - error, "");  // error * 2 won't overflow.
+  // Round down if (remainder + error) * 2 <= divisor.
+  if (remainder <= divisor - remainder && error * 2 <= divisor - remainder * 2)
+    return round_direction::down;
+  // Round up if (remainder - error) * 2 >= divisor.
+  if (remainder >= error &&
+      remainder - error >= divisor - (remainder - error)) {
+    return round_direction::up;
+  }
+  return round_direction::unknown;
+}
+
+namespace digits {
+enum result {
+  more,  // Generate more digits.
+  done,  // Done generating digits.
+  error  // Digit generation cancelled due to an error.
+};
+}
+
+struct gen_digits_handler {
+  char* buf;
+  int size;
+  int precision;
+  int exp10;
+  bool fixed;
+
+  FMT_CONSTEXPR digits::result on_digit(char digit, uint64_t divisor,
+                                        uint64_t remainder, uint64_t error,
+                                        bool integral) {
+    FMT_ASSERT(remainder < divisor, "");
+    buf[size++] = digit;
+    if (!integral && error >= remainder) return digits::error;
+    if (size < precision) return digits::more;
+    if (!integral) {
+      // Check if error * 2 < divisor with overflow prevention.
+      // The check is not needed for the integral part because error = 1
+      // and divisor > (1 << 32) there.
+      if (error >= divisor || error >= divisor - error) return digits::error;
+    } else {
+      FMT_ASSERT(error == 1 && divisor > 2, "");
+    }
+    auto dir = get_round_direction(divisor, remainder, error);
+    if (dir != round_direction::up)
+      return dir == round_direction::down ? digits::done : digits::error;
+    ++buf[size - 1];
+    for (int i = size - 1; i > 0 && buf[i] > '9'; --i) {
+      buf[i] = '0';
+      ++buf[i - 1];
+    }
+    if (buf[0] > '9') {
+      buf[0] = '1';
+      if (fixed)
+        buf[size++] = '0';
+      else
+        ++exp10;
+    }
+    return digits::done;
+  }
+};
+
+// Generates output using the Grisu digit-gen algorithm.
+// error: the size of the region (lower, upper) outside of which numbers
+// definitely do not round to value (Delta in Grisu3).
+FMT_INLINE FMT_CONSTEXPR20 digits::result grisu_gen_digits(
+    fp value, uint64_t error, int& exp, gen_digits_handler& handler) {
+  const fp one(1ULL << -value.e, value.e);
+  // The integral part of scaled value (p1 in Grisu) = value / one. It cannot be
+  // zero because it contains a product of two 64-bit numbers with MSB set (due
+  // to normalization) - 1, shifted right by at most 60 bits.
+  auto integral = static_cast<uint32_t>(value.f >> -one.e);
+  FMT_ASSERT(integral != 0, "");
+  FMT_ASSERT(integral == value.f >> -one.e, "");
+  // The fractional part of scaled value (p2 in Grisu) c = value % one.
+  uint64_t fractional = value.f & (one.f - 1);
+  exp = count_digits(integral);  // kappa in Grisu.
+  // Non-fixed formats require at least one digit and no precision adjustment.
+  if (handler.fixed) {
+    // Adjust fixed precision by exponent because it is relative to decimal
+    // point.
+    int precision_offset = exp + handler.exp10;
+    if (precision_offset > 0 &&
+        handler.precision > max_value<int>() - precision_offset) {
+      FMT_THROW(format_error("number is too big"));
+    }
+    handler.precision += precision_offset;
+    // Check if precision is satisfied just by leading zeros, e.g.
+    // format("{:.2f}", 0.001) gives "0.00" without generating any digits.
+    if (handler.precision <= 0) {
+      if (handler.precision < 0) return digits::done;
+      // Divide by 10 to prevent overflow.
+      uint64_t divisor = impl_data::power_of_10_64[exp - 1] << -one.e;
+      auto dir = get_round_direction(divisor, value.f / 10, error * 10);
+      if (dir == round_direction::unknown) return digits::error;
+      handler.buf[handler.size++] = dir == round_direction::up ? '1' : '0';
+      return digits::done;
+    }
+  }
+  // Generate digits for the integral part. This can produce up to 10 digits.
+  do {
+    uint32_t digit = 0;
+    auto divmod_integral = [&](uint32_t divisor) {
+      digit = integral / divisor;
+      integral %= divisor;
+    };
+    // This optimization by Milo Yip reduces the number of integer divisions by
+    // one per iteration.
+    switch (exp) {
+    case 10:
+      divmod_integral(1000000000);
+      break;
+    case 9:
+      divmod_integral(100000000);
+      break;
+    case 8:
+      divmod_integral(10000000);
+      break;
+    case 7:
+      divmod_integral(1000000);
+      break;
+    case 6:
+      divmod_integral(100000);
+      break;
+    case 5:
+      divmod_integral(10000);
+      break;
+    case 4:
+      divmod_integral(1000);
+      break;
+    case 3:
+      divmod_integral(100);
+      break;
+    case 2:
+      divmod_integral(10);
+      break;
+    case 1:
+      digit = integral;
+      integral = 0;
+      break;
+    default:
+      FMT_ASSERT(false, "invalid number of digits");
+    }
+    --exp;
+    auto remainder = (static_cast<uint64_t>(integral) << -one.e) + fractional;
+    auto result = handler.on_digit(static_cast<char>('0' + digit),
+                                   impl_data::power_of_10_64[exp] << -one.e,
+                                   remainder, error, true);
+    if (result != digits::more) return result;
+  } while (exp > 0);
+  // Generate digits for the fractional part.
+  for (;;) {
+    fractional *= 10;
+    error *= 10;
+    char digit = static_cast<char>('0' + (fractional >> -one.e));
+    fractional &= one.f - 1;
+    --exp;
+    auto result = handler.on_digit(digit, one.f, fractional, error, false);
+    if (result != digits::more) return result;
+  }
+}
+
+// A 128-bit integer type used internally,
+struct uint128_wrapper {
+  uint128_wrapper() = default;
+
+#if FMT_USE_INT128
+  uint128_t internal_;
+
+  constexpr uint128_wrapper(uint64_t high, uint64_t low) FMT_NOEXCEPT
+      : internal_{static_cast<uint128_t>(low) |
+                  (static_cast<uint128_t>(high) << 64)} {}
+
+  constexpr uint128_wrapper(uint128_t u) : internal_{u} {}
+
+  constexpr uint64_t high() const FMT_NOEXCEPT {
+    return uint64_t(internal_ >> 64);
+  }
+  constexpr uint64_t low() const FMT_NOEXCEPT { return uint64_t(internal_); }
+
+  uint128_wrapper& operator+=(uint64_t n) FMT_NOEXCEPT {
+    internal_ += n;
+    return *this;
+  }
+#else
+  uint64_t high_;
+  uint64_t low_;
+
+  constexpr uint128_wrapper(uint64_t high, uint64_t low) FMT_NOEXCEPT
+      : high_{high},
+        low_{low} {}
+
+  constexpr uint64_t high() const FMT_NOEXCEPT { return high_; }
+  constexpr uint64_t low() const FMT_NOEXCEPT { return low_; }
+
+  uint128_wrapper& operator+=(uint64_t n) FMT_NOEXCEPT {
+#  if defined(_MSC_VER) && defined(_M_X64)
+    unsigned char carry = _addcarry_u64(0, low_, n, &low_);
+    _addcarry_u64(carry, high_, 0, &high_);
+    return *this;
+#  else
+    uint64_t sum = low_ + n;
+    high_ += (sum < low_ ? 1 : 0);
+    low_ = sum;
+    return *this;
+#  endif
+  }
+#endif
+};
+
+// Implementation of Dragonbox algorithm: https://github.com/jk-jeon/dragonbox.
+namespace dragonbox {
+// Computes 128-bit result of multiplication of two 64-bit unsigned integers.
+inline uint128_wrapper umul128(uint64_t x, uint64_t y) FMT_NOEXCEPT {
+#if FMT_USE_INT128
+  return static_cast<uint128_t>(x) * static_cast<uint128_t>(y);
+#elif defined(_MSC_VER) && defined(_M_X64)
+  uint128_wrapper result;
+  result.low_ = _umul128(x, y, &result.high_);
+  return result;
+#else
+  const uint64_t mask = (uint64_t(1) << 32) - uint64_t(1);
+
+  uint64_t a = x >> 32;
+  uint64_t b = x & mask;
+  uint64_t c = y >> 32;
+  uint64_t d = y & mask;
+
+  uint64_t ac = a * c;
+  uint64_t bc = b * c;
+  uint64_t ad = a * d;
+  uint64_t bd = b * d;
+
+  uint64_t intermediate = (bd >> 32) + (ad & mask) + (bc & mask);
+
+  return {ac + (intermediate >> 32) + (ad >> 32) + (bc >> 32),
+          (intermediate << 32) + (bd & mask)};
+#endif
+}
+
+// Computes upper 64 bits of multiplication of two 64-bit unsigned integers.
+inline uint64_t umul128_upper64(uint64_t x, uint64_t y) FMT_NOEXCEPT {
+#if FMT_USE_INT128
+  auto p = static_cast<uint128_t>(x) * static_cast<uint128_t>(y);
+  return static_cast<uint64_t>(p >> 64);
+#elif defined(_MSC_VER) && defined(_M_X64)
+  return __umulh(x, y);
+#else
+  return umul128(x, y).high();
+#endif
+}
+
+// Computes upper 64 bits of multiplication of a 64-bit unsigned integer and a
+// 128-bit unsigned integer.
+inline uint64_t umul192_upper64(uint64_t x, uint128_wrapper y) FMT_NOEXCEPT {
+  uint128_wrapper g0 = umul128(x, y.high());
+  g0 += umul128_upper64(x, y.low());
+  return g0.high();
+}
+
+// Computes upper 32 bits of multiplication of a 32-bit unsigned integer and a
+// 64-bit unsigned integer.
+inline uint32_t umul96_upper32(uint32_t x, uint64_t y) FMT_NOEXCEPT {
+  return static_cast<uint32_t>(umul128_upper64(x, y));
+}
+
+// Computes middle 64 bits of multiplication of a 64-bit unsigned integer and a
+// 128-bit unsigned integer.
+inline uint64_t umul192_middle64(uint64_t x, uint128_wrapper y) FMT_NOEXCEPT {
+  uint64_t g01 = x * y.high();
+  uint64_t g10 = umul128_upper64(x, y.low());
+  return g01 + g10;
+}
+
+// Computes lower 64 bits of multiplication of a 32-bit unsigned integer and a
+// 64-bit unsigned integer.
+inline uint64_t umul96_lower64(uint32_t x, uint64_t y) FMT_NOEXCEPT {
+  return x * y;
+}
+
+// Computes floor(log10(pow(2, e))) for e in [-1700, 1700] using the method from
+// https://fmt.dev/papers/Grisu-Exact.pdf#page=5, section 3.4.
+inline int floor_log10_pow2(int e) FMT_NOEXCEPT {
+  FMT_ASSERT(e <= 1700 && e >= -1700, "too large exponent");
+  const int shift = 22;
+  return (e * static_cast<int>(log10_2_significand >> (64 - shift))) >> shift;
+}
+
+// Various fast log computations.
+inline int floor_log2_pow10(int e) FMT_NOEXCEPT {
+  FMT_ASSERT(e <= 1233 && e >= -1233, "too large exponent");
+  const uint64_t log2_10_integer_part = 3;
+  const uint64_t log2_10_fractional_digits = 0x5269e12f346e2bf9;
+  const int shift_amount = 19;
+  return (e * static_cast<int>(
+                  (log2_10_integer_part << shift_amount) |
+                  (log2_10_fractional_digits >> (64 - shift_amount)))) >>
+         shift_amount;
+}
+inline int floor_log10_pow2_minus_log10_4_over_3(int e) FMT_NOEXCEPT {
+  FMT_ASSERT(e <= 1700 && e >= -1700, "too large exponent");
+  const uint64_t log10_4_over_3_fractional_digits = 0x1ffbfc2bbc780375;
+  const int shift_amount = 22;
+  return (e * static_cast<int>(log10_2_significand >> (64 - shift_amount)) -
+          static_cast<int>(log10_4_over_3_fractional_digits >>
+                           (64 - shift_amount))) >>
+         shift_amount;
+}
+
+// Returns true iff x is divisible by pow(2, exp).
+inline bool divisible_by_power_of_2(uint32_t x, int exp) FMT_NOEXCEPT {
+  FMT_ASSERT(exp >= 1, "");
+  FMT_ASSERT(x != 0, "");
+#ifdef FMT_BUILTIN_CTZ
+  return FMT_BUILTIN_CTZ(x) >= exp;
+#else
+  return exp < num_bits<uint32_t>() && x == ((x >> exp) << exp);
+#endif
+}
+inline bool divisible_by_power_of_2(uint64_t x, int exp) FMT_NOEXCEPT {
+  FMT_ASSERT(exp >= 1, "");
+  FMT_ASSERT(x != 0, "");
+#ifdef FMT_BUILTIN_CTZLL
+  return FMT_BUILTIN_CTZLL(x) >= exp;
+#else
+  return exp < num_bits<uint64_t>() && x == ((x >> exp) << exp);
+#endif
+}
+
+// Table entry type for divisibility test.
+template <typename T> struct divtest_table_entry {
+  T mod_inv;
+  T max_quotient;
+};
+
+// Returns true iff x is divisible by pow(5, exp).
+inline bool divisible_by_power_of_5(uint32_t x, int exp) FMT_NOEXCEPT {
+  FMT_ASSERT(exp <= 10, "too large exponent");
+  static constexpr const divtest_table_entry<uint32_t> divtest_table[] = {
+      {0x00000001, 0xffffffff}, {0xcccccccd, 0x33333333},
+      {0xc28f5c29, 0x0a3d70a3}, {0x26e978d5, 0x020c49ba},
+      {0x3afb7e91, 0x0068db8b}, {0x0bcbe61d, 0x0014f8b5},
+      {0x68c26139, 0x000431bd}, {0xae8d46a5, 0x0000d6bf},
+      {0x22e90e21, 0x00002af3}, {0x3a2e9c6d, 0x00000897},
+      {0x3ed61f49, 0x000001b7}};
+  return x * divtest_table[exp].mod_inv <= divtest_table[exp].max_quotient;
+}
+inline bool divisible_by_power_of_5(uint64_t x, int exp) FMT_NOEXCEPT {
+  FMT_ASSERT(exp <= 23, "too large exponent");
+  static constexpr const divtest_table_entry<uint64_t> divtest_table[] = {
+      {0x0000000000000001, 0xffffffffffffffff},
+      {0xcccccccccccccccd, 0x3333333333333333},
+      {0x8f5c28f5c28f5c29, 0x0a3d70a3d70a3d70},
+      {0x1cac083126e978d5, 0x020c49ba5e353f7c},
+      {0xd288ce703afb7e91, 0x0068db8bac710cb2},
+      {0x5d4e8fb00bcbe61d, 0x0014f8b588e368f0},
+      {0x790fb65668c26139, 0x000431bde82d7b63},
+      {0xe5032477ae8d46a5, 0x0000d6bf94d5e57a},
+      {0xc767074b22e90e21, 0x00002af31dc46118},
+      {0x8e47ce423a2e9c6d, 0x0000089705f4136b},
+      {0x4fa7f60d3ed61f49, 0x000001b7cdfd9d7b},
+      {0x0fee64690c913975, 0x00000057f5ff85e5},
+      {0x3662e0e1cf503eb1, 0x000000119799812d},
+      {0xa47a2cf9f6433fbd, 0x0000000384b84d09},
+      {0x54186f653140a659, 0x00000000b424dc35},
+      {0x7738164770402145, 0x0000000024075f3d},
+      {0xe4a4d1417cd9a041, 0x000000000734aca5},
+      {0xc75429d9e5c5200d, 0x000000000170ef54},
+      {0xc1773b91fac10669, 0x000000000049c977},
+      {0x26b172506559ce15, 0x00000000000ec1e4},
+      {0xd489e3a9addec2d1, 0x000000000002f394},
+      {0x90e860bb892c8d5d, 0x000000000000971d},
+      {0x502e79bf1b6f4f79, 0x0000000000001e39},
+      {0xdcd618596be30fe5, 0x000000000000060b}};
+  return x * divtest_table[exp].mod_inv <= divtest_table[exp].max_quotient;
+}
+
+// Replaces n by floor(n / pow(5, N)) returning true if and only if n is
+// divisible by pow(5, N).
+// Precondition: n <= 2 * pow(5, N + 1).
+template <int N>
+bool check_divisibility_and_divide_by_pow5(uint32_t& n) FMT_NOEXCEPT {
+  static constexpr struct {
+    uint32_t magic_number;
+    int bits_for_comparison;
+    uint32_t threshold;
+    int shift_amount;
+  } infos[] = {{0xcccd, 16, 0x3333, 18}, {0xa429, 8, 0x0a, 20}};
+  constexpr auto info = infos[N - 1];
+  n *= info.magic_number;
+  const uint32_t comparison_mask = (1u << info.bits_for_comparison) - 1;
+  bool result = (n & comparison_mask) <= info.threshold;
+  n >>= info.shift_amount;
+  return result;
+}
+
+// Computes floor(n / pow(10, N)) for small n and N.
+// Precondition: n <= pow(10, N + 1).
+template <int N> uint32_t small_division_by_pow10(uint32_t n) FMT_NOEXCEPT {
+  static constexpr struct {
+    uint32_t magic_number;
+    int shift_amount;
+    uint32_t divisor_times_10;
+  } infos[] = {{0xcccd, 19, 100}, {0xa3d8, 22, 1000}};
+  constexpr auto info = infos[N - 1];
+  FMT_ASSERT(n <= info.divisor_times_10, "n is too large");
+  return n * info.magic_number >> info.shift_amount;
+}
+
+// Computes floor(n / 10^(kappa + 1)) (float)
+inline uint32_t divide_by_10_to_kappa_plus_1(uint32_t n) FMT_NOEXCEPT {
+  return n / float_info<float>::big_divisor;
+}
+// Computes floor(n / 10^(kappa + 1)) (double)
+inline uint64_t divide_by_10_to_kappa_plus_1(uint64_t n) FMT_NOEXCEPT {
+  return umul128_upper64(n, 0x83126e978d4fdf3c) >> 9;
+}
+
+// Various subroutines using pow10 cache
+template <class T> struct cache_accessor;
+
+template <> struct cache_accessor<float> {
+  using carrier_uint = float_info<float>::carrier_uint;
+  using cache_entry_type = uint64_t;
+
+  static uint64_t get_cached_power(int k) FMT_NOEXCEPT {
+    FMT_ASSERT(k >= float_info<float>::min_k && k <= float_info<float>::max_k,
+               "k is out of range");
+    static constexpr const uint64_t pow10_significands[] = {
+        0x81ceb32c4b43fcf5, 0xa2425ff75e14fc32, 0xcad2f7f5359a3b3f,
+        0xfd87b5f28300ca0e, 0x9e74d1b791e07e49, 0xc612062576589ddb,
+        0xf79687aed3eec552, 0x9abe14cd44753b53, 0xc16d9a0095928a28,
+        0xf1c90080baf72cb2, 0x971da05074da7bef, 0xbce5086492111aeb,
+        0xec1e4a7db69561a6, 0x9392ee8e921d5d08, 0xb877aa3236a4b44a,
+        0xe69594bec44de15c, 0x901d7cf73ab0acda, 0xb424dc35095cd810,
+        0xe12e13424bb40e14, 0x8cbccc096f5088cc, 0xafebff0bcb24aaff,
+        0xdbe6fecebdedd5bf, 0x89705f4136b4a598, 0xabcc77118461cefd,
+        0xd6bf94d5e57a42bd, 0x8637bd05af6c69b6, 0xa7c5ac471b478424,
+        0xd1b71758e219652c, 0x83126e978d4fdf3c, 0xa3d70a3d70a3d70b,
+        0xcccccccccccccccd, 0x8000000000000000, 0xa000000000000000,
+        0xc800000000000000, 0xfa00000000000000, 0x9c40000000000000,
+        0xc350000000000000, 0xf424000000000000, 0x9896800000000000,
+        0xbebc200000000000, 0xee6b280000000000, 0x9502f90000000000,
+        0xba43b74000000000, 0xe8d4a51000000000, 0x9184e72a00000000,
+        0xb5e620f480000000, 0xe35fa931a0000000, 0x8e1bc9bf04000000,
+        0xb1a2bc2ec5000000, 0xde0b6b3a76400000, 0x8ac7230489e80000,
+        0xad78ebc5ac620000, 0xd8d726b7177a8000, 0x878678326eac9000,
+        0xa968163f0a57b400, 0xd3c21bcecceda100, 0x84595161401484a0,
+        0xa56fa5b99019a5c8, 0xcecb8f27f4200f3a, 0x813f3978f8940984,
+        0xa18f07d736b90be5, 0xc9f2c9cd04674ede, 0xfc6f7c4045812296,
+        0x9dc5ada82b70b59d, 0xc5371912364ce305, 0xf684df56c3e01bc6,
+        0x9a130b963a6c115c, 0xc097ce7bc90715b3, 0xf0bdc21abb48db20,
+        0x96769950b50d88f4, 0xbc143fa4e250eb31, 0xeb194f8e1ae525fd,
+        0x92efd1b8d0cf37be, 0xb7abc627050305ad, 0xe596b7b0c643c719,
+        0x8f7e32ce7bea5c6f, 0xb35dbf821ae4f38b, 0xe0352f62a19e306e};
+    return pow10_significands[k - float_info<float>::min_k];
+  }
+
+  static carrier_uint compute_mul(carrier_uint u,
+                                  const cache_entry_type& cache) FMT_NOEXCEPT {
+    return umul96_upper32(u, cache);
+  }
+
+  static uint32_t compute_delta(const cache_entry_type& cache,
+                                int beta_minus_1) FMT_NOEXCEPT {
+    return static_cast<uint32_t>(cache >> (64 - 1 - beta_minus_1));
+  }
+
+  static bool compute_mul_parity(carrier_uint two_f,
+                                 const cache_entry_type& cache,
+                                 int beta_minus_1) FMT_NOEXCEPT {
+    FMT_ASSERT(beta_minus_1 >= 1, "");
+    FMT_ASSERT(beta_minus_1 < 64, "");
+
+    return ((umul96_lower64(two_f, cache) >> (64 - beta_minus_1)) & 1) != 0;
+  }
+
+  static carrier_uint compute_left_endpoint_for_shorter_interval_case(
+      const cache_entry_type& cache, int beta_minus_1) FMT_NOEXCEPT {
+    return static_cast<carrier_uint>(
+        (cache - (cache >> (float_info<float>::significand_bits + 2))) >>
+        (64 - float_info<float>::significand_bits - 1 - beta_minus_1));
+  }
+
+  static carrier_uint compute_right_endpoint_for_shorter_interval_case(
+      const cache_entry_type& cache, int beta_minus_1) FMT_NOEXCEPT {
+    return static_cast<carrier_uint>(
+        (cache + (cache >> (float_info<float>::significand_bits + 1))) >>
+        (64 - float_info<float>::significand_bits - 1 - beta_minus_1));
+  }
+
+  static carrier_uint compute_round_up_for_shorter_interval_case(
+      const cache_entry_type& cache, int beta_minus_1) FMT_NOEXCEPT {
+    return (static_cast<carrier_uint>(
+                cache >>
+                (64 - float_info<float>::significand_bits - 2 - beta_minus_1)) +
+            1) /
+           2;
+  }
+};
+
+template <> struct cache_accessor<double> {
+  using carrier_uint = float_info<double>::carrier_uint;
+  using cache_entry_type = uint128_wrapper;
+
+  static uint128_wrapper get_cached_power(int k) FMT_NOEXCEPT {
+    FMT_ASSERT(k >= float_info<double>::min_k && k <= float_info<double>::max_k,
+               "k is out of range");
+
+    static constexpr const uint128_wrapper pow10_significands[] = {
+#if FMT_USE_FULL_CACHE_DRAGONBOX
+      {0xff77b1fcbebcdc4f, 0x25e8e89c13bb0f7b},
+      {0x9faacf3df73609b1, 0x77b191618c54e9ad},
+      {0xc795830d75038c1d, 0xd59df5b9ef6a2418},
+      {0xf97ae3d0d2446f25, 0x4b0573286b44ad1e},
+      {0x9becce62836ac577, 0x4ee367f9430aec33},
+      {0xc2e801fb244576d5, 0x229c41f793cda740},
+      {0xf3a20279ed56d48a, 0x6b43527578c11110},
+      {0x9845418c345644d6, 0x830a13896b78aaaa},
+      {0xbe5691ef416bd60c, 0x23cc986bc656d554},
+      {0xedec366b11c6cb8f, 0x2cbfbe86b7ec8aa9},
+      {0x94b3a202eb1c3f39, 0x7bf7d71432f3d6aa},
+      {0xb9e08a83a5e34f07, 0xdaf5ccd93fb0cc54},
+      {0xe858ad248f5c22c9, 0xd1b3400f8f9cff69},
+      {0x91376c36d99995be, 0x23100809b9c21fa2},
+      {0xb58547448ffffb2d, 0xabd40a0c2832a78b},
+      {0xe2e69915b3fff9f9, 0x16c90c8f323f516d},
+      {0x8dd01fad907ffc3b, 0xae3da7d97f6792e4},
+      {0xb1442798f49ffb4a, 0x99cd11cfdf41779d},
+      {0xdd95317f31c7fa1d, 0x40405643d711d584},
+      {0x8a7d3eef7f1cfc52, 0x482835ea666b2573},
+      {0xad1c8eab5ee43b66, 0xda3243650005eed0},
+      {0xd863b256369d4a40, 0x90bed43e40076a83},
+      {0x873e4f75e2224e68, 0x5a7744a6e804a292},
+      {0xa90de3535aaae202, 0x711515d0a205cb37},
+      {0xd3515c2831559a83, 0x0d5a5b44ca873e04},
+      {0x8412d9991ed58091, 0xe858790afe9486c3},
+      {0xa5178fff668ae0b6, 0x626e974dbe39a873},
+      {0xce5d73ff402d98e3, 0xfb0a3d212dc81290},
+      {0x80fa687f881c7f8e, 0x7ce66634bc9d0b9a},
+      {0xa139029f6a239f72, 0x1c1fffc1ebc44e81},
+      {0xc987434744ac874e, 0xa327ffb266b56221},
+      {0xfbe9141915d7a922, 0x4bf1ff9f0062baa9},
+      {0x9d71ac8fada6c9b5, 0x6f773fc3603db4aa},
+      {0xc4ce17b399107c22, 0xcb550fb4384d21d4},
+      {0xf6019da07f549b2b, 0x7e2a53a146606a49},
+      {0x99c102844f94e0fb, 0x2eda7444cbfc426e},
+      {0xc0314325637a1939, 0xfa911155fefb5309},
+      {0xf03d93eebc589f88, 0x793555ab7eba27cb},
+      {0x96267c7535b763b5, 0x4bc1558b2f3458df},
+      {0xbbb01b9283253ca2, 0x9eb1aaedfb016f17},
+      {0xea9c227723ee8bcb, 0x465e15a979c1cadd},
+      {0x92a1958a7675175f, 0x0bfacd89ec191eca},
+      {0xb749faed14125d36, 0xcef980ec671f667c},
+      {0xe51c79a85916f484, 0x82b7e12780e7401b},
+      {0x8f31cc0937ae58d2, 0xd1b2ecb8b0908811},
+      {0xb2fe3f0b8599ef07, 0x861fa7e6dcb4aa16},
+      {0xdfbdcece67006ac9, 0x67a791e093e1d49b},
+      {0x8bd6a141006042bd, 0xe0c8bb2c5c6d24e1},
+      {0xaecc49914078536d, 0x58fae9f773886e19},
+      {0xda7f5bf590966848, 0xaf39a475506a899f},
+      {0x888f99797a5e012d, 0x6d8406c952429604},
+      {0xaab37fd7d8f58178, 0xc8e5087ba6d33b84},
+      {0xd5605fcdcf32e1d6, 0xfb1e4a9a90880a65},
+      {0x855c3be0a17fcd26, 0x5cf2eea09a550680},
+      {0xa6b34ad8c9dfc06f, 0xf42faa48c0ea481f},
+      {0xd0601d8efc57b08b, 0xf13b94daf124da27},
+      {0x823c12795db6ce57, 0x76c53d08d6b70859},
+      {0xa2cb1717b52481ed, 0x54768c4b0c64ca6f},
+      {0xcb7ddcdda26da268, 0xa9942f5dcf7dfd0a},
+      {0xfe5d54150b090b02, 0xd3f93b35435d7c4d},
+      {0x9efa548d26e5a6e1, 0xc47bc5014a1a6db0},
+      {0xc6b8e9b0709f109a, 0x359ab6419ca1091c},
+      {0xf867241c8cc6d4c0, 0xc30163d203c94b63},
+      {0x9b407691d7fc44f8, 0x79e0de63425dcf1e},
+      {0xc21094364dfb5636, 0x985915fc12f542e5},
+      {0xf294b943e17a2bc4, 0x3e6f5b7b17b2939e},
+      {0x979cf3ca6cec5b5a, 0xa705992ceecf9c43},
+      {0xbd8430bd08277231, 0x50c6ff782a838354},
+      {0xece53cec4a314ebd, 0xa4f8bf5635246429},
+      {0x940f4613ae5ed136, 0x871b7795e136be9a},
+      {0xb913179899f68584, 0x28e2557b59846e40},
+      {0xe757dd7ec07426e5, 0x331aeada2fe589d0},
+      {0x9096ea6f3848984f, 0x3ff0d2c85def7622},
+      {0xb4bca50b065abe63, 0x0fed077a756b53aa},
+      {0xe1ebce4dc7f16dfb, 0xd3e8495912c62895},
+      {0x8d3360f09cf6e4bd, 0x64712dd7abbbd95d},
+      {0xb080392cc4349dec, 0xbd8d794d96aacfb4},
+      {0xdca04777f541c567, 0xecf0d7a0fc5583a1},
+      {0x89e42caaf9491b60, 0xf41686c49db57245},
+      {0xac5d37d5b79b6239, 0x311c2875c522ced6},
+      {0xd77485cb25823ac7, 0x7d633293366b828c},
+      {0x86a8d39ef77164bc, 0xae5dff9c02033198},
+      {0xa8530886b54dbdeb, 0xd9f57f830283fdfd},
+      {0xd267caa862a12d66, 0xd072df63c324fd7c},
+      {0x8380dea93da4bc60, 0x4247cb9e59f71e6e},
+      {0xa46116538d0deb78, 0x52d9be85f074e609},
+      {0xcd795be870516656, 0x67902e276c921f8c},
+      {0x806bd9714632dff6, 0x00ba1cd8a3db53b7},
+      {0xa086cfcd97bf97f3, 0x80e8a40eccd228a5},
+      {0xc8a883c0fdaf7df0, 0x6122cd128006b2ce},
+      {0xfad2a4b13d1b5d6c, 0x796b805720085f82},
+      {0x9cc3a6eec6311a63, 0xcbe3303674053bb1},
+      {0xc3f490aa77bd60fc, 0xbedbfc4411068a9d},
+      {0xf4f1b4d515acb93b, 0xee92fb5515482d45},
+      {0x991711052d8bf3c5, 0x751bdd152d4d1c4b},
+      {0xbf5cd54678eef0b6, 0xd262d45a78a0635e},
+      {0xef340a98172aace4, 0x86fb897116c87c35},
+      {0x9580869f0e7aac0e, 0xd45d35e6ae3d4da1},
+      {0xbae0a846d2195712, 0x8974836059cca10a},
+      {0xe998d258869facd7, 0x2bd1a438703fc94c},
+      {0x91ff83775423cc06, 0x7b6306a34627ddd0},
+      {0xb67f6455292cbf08, 0x1a3bc84c17b1d543},
+      {0xe41f3d6a7377eeca, 0x20caba5f1d9e4a94},
+      {0x8e938662882af53e, 0x547eb47b7282ee9d},
+      {0xb23867fb2a35b28d, 0xe99e619a4f23aa44},
+      {0xdec681f9f4c31f31, 0x6405fa00e2ec94d5},
+      {0x8b3c113c38f9f37e, 0xde83bc408dd3dd05},
+      {0xae0b158b4738705e, 0x9624ab50b148d446},
+      {0xd98ddaee19068c76, 0x3badd624dd9b0958},
+      {0x87f8a8d4cfa417c9, 0xe54ca5d70a80e5d7},
+      {0xa9f6d30a038d1dbc, 0x5e9fcf4ccd211f4d},
+      {0xd47487cc8470652b, 0x7647c32000696720},
+      {0x84c8d4dfd2c63f3b, 0x29ecd9f40041e074},
+      {0xa5fb0a17c777cf09, 0xf468107100525891},
+      {0xcf79cc9db955c2cc, 0x7182148d4066eeb5},
+      {0x81ac1fe293d599bf, 0xc6f14cd848405531},
+      {0xa21727db38cb002f, 0xb8ada00e5a506a7d},
+      {0xca9cf1d206fdc03b, 0xa6d90811f0e4851d},
+      {0xfd442e4688bd304a, 0x908f4a166d1da664},
+      {0x9e4a9cec15763e2e, 0x9a598e4e043287ff},
+      {0xc5dd44271ad3cdba, 0x40eff1e1853f29fe},
+      {0xf7549530e188c128, 0xd12bee59e68ef47d},
+      {0x9a94dd3e8cf578b9, 0x82bb74f8301958cf},
+      {0xc13a148e3032d6e7, 0xe36a52363c1faf02},
+      {0xf18899b1bc3f8ca1, 0xdc44e6c3cb279ac2},
+      {0x96f5600f15a7b7e5, 0x29ab103a5ef8c0ba},
+      {0xbcb2b812db11a5de, 0x7415d448f6b6f0e8},
+      {0xebdf661791d60f56, 0x111b495b3464ad22},
+      {0x936b9fcebb25c995, 0xcab10dd900beec35},
+      {0xb84687c269ef3bfb, 0x3d5d514f40eea743},
+      {0xe65829b3046b0afa, 0x0cb4a5a3112a5113},
+      {0x8ff71a0fe2c2e6dc, 0x47f0e785eaba72ac},
+      {0xb3f4e093db73a093, 0x59ed216765690f57},
+      {0xe0f218b8d25088b8, 0x306869c13ec3532d},
+      {0x8c974f7383725573, 0x1e414218c73a13fc},
+      {0xafbd2350644eeacf, 0xe5d1929ef90898fb},
+      {0xdbac6c247d62a583, 0xdf45f746b74abf3a},
+      {0x894bc396ce5da772, 0x6b8bba8c328eb784},
+      {0xab9eb47c81f5114f, 0x066ea92f3f326565},
+      {0xd686619ba27255a2, 0xc80a537b0efefebe},
+      {0x8613fd0145877585, 0xbd06742ce95f5f37},
+      {0xa798fc4196e952e7, 0x2c48113823b73705},
+      {0xd17f3b51fca3a7a0, 0xf75a15862ca504c6},
+      {0x82ef85133de648c4, 0x9a984d73dbe722fc},
+      {0xa3ab66580d5fdaf5, 0xc13e60d0d2e0ebbb},
+      {0xcc963fee10b7d1b3, 0x318df905079926a9},
+      {0xffbbcfe994e5c61f, 0xfdf17746497f7053},
+      {0x9fd561f1fd0f9bd3, 0xfeb6ea8bedefa634},
+      {0xc7caba6e7c5382c8, 0xfe64a52ee96b8fc1},
+      {0xf9bd690a1b68637b, 0x3dfdce7aa3c673b1},
+      {0x9c1661a651213e2d, 0x06bea10ca65c084f},
+      {0xc31bfa0fe5698db8, 0x486e494fcff30a63},
+      {0xf3e2f893dec3f126, 0x5a89dba3c3efccfb},
+      {0x986ddb5c6b3a76b7, 0xf89629465a75e01d},
+      {0xbe89523386091465, 0xf6bbb397f1135824},
+      {0xee2ba6c0678b597f, 0x746aa07ded582e2d},
+      {0x94db483840b717ef, 0xa8c2a44eb4571cdd},
+      {0xba121a4650e4ddeb, 0x92f34d62616ce414},
+      {0xe896a0d7e51e1566, 0x77b020baf9c81d18},
+      {0x915e2486ef32cd60, 0x0ace1474dc1d122f},
+      {0xb5b5ada8aaff80b8, 0x0d819992132456bb},
+      {0xe3231912d5bf60e6, 0x10e1fff697ed6c6a},
+      {0x8df5efabc5979c8f, 0xca8d3ffa1ef463c2},
+      {0xb1736b96b6fd83b3, 0xbd308ff8a6b17cb3},
+      {0xddd0467c64bce4a0, 0xac7cb3f6d05ddbdf},
+      {0x8aa22c0dbef60ee4, 0x6bcdf07a423aa96c},
+      {0xad4ab7112eb3929d, 0x86c16c98d2c953c7},
+      {0xd89d64d57a607744, 0xe871c7bf077ba8b8},
+      {0x87625f056c7c4a8b, 0x11471cd764ad4973},
+      {0xa93af6c6c79b5d2d, 0xd598e40d3dd89bd0},
+      {0xd389b47879823479, 0x4aff1d108d4ec2c4},
+      {0x843610cb4bf160cb, 0xcedf722a585139bb},
+      {0xa54394fe1eedb8fe, 0xc2974eb4ee658829},
+      {0xce947a3da6a9273e, 0x733d226229feea33},
+      {0x811ccc668829b887, 0x0806357d5a3f5260},
+      {0xa163ff802a3426a8, 0xca07c2dcb0cf26f8},
+      {0xc9bcff6034c13052, 0xfc89b393dd02f0b6},
+      {0xfc2c3f3841f17c67, 0xbbac2078d443ace3},
+      {0x9d9ba7832936edc0, 0xd54b944b84aa4c0e},
+      {0xc5029163f384a931, 0x0a9e795e65d4df12},
+      {0xf64335bcf065d37d, 0x4d4617b5ff4a16d6},
+      {0x99ea0196163fa42e, 0x504bced1bf8e4e46},
+      {0xc06481fb9bcf8d39, 0xe45ec2862f71e1d7},
+      {0xf07da27a82c37088, 0x5d767327bb4e5a4d},
+      {0x964e858c91ba2655, 0x3a6a07f8d510f870},
+      {0xbbe226efb628afea, 0x890489f70a55368c},
+      {0xeadab0aba3b2dbe5, 0x2b45ac74ccea842f},
+      {0x92c8ae6b464fc96f, 0x3b0b8bc90012929e},
+      {0xb77ada0617e3bbcb, 0x09ce6ebb40173745},
+      {0xe55990879ddcaabd, 0xcc420a6a101d0516},
+      {0x8f57fa54c2a9eab6, 0x9fa946824a12232e},
+      {0xb32df8e9f3546564, 0x47939822dc96abfa},
+      {0xdff9772470297ebd, 0x59787e2b93bc56f8},
+      {0x8bfbea76c619ef36, 0x57eb4edb3c55b65b},
+      {0xaefae51477a06b03, 0xede622920b6b23f2},
+      {0xdab99e59958885c4, 0xe95fab368e45ecee},
+      {0x88b402f7fd75539b, 0x11dbcb0218ebb415},
+      {0xaae103b5fcd2a881, 0xd652bdc29f26a11a},
+      {0xd59944a37c0752a2, 0x4be76d3346f04960},
+      {0x857fcae62d8493a5, 0x6f70a4400c562ddc},
+      {0xa6dfbd9fb8e5b88e, 0xcb4ccd500f6bb953},
+      {0xd097ad07a71f26b2, 0x7e2000a41346a7a8},
+      {0x825ecc24c873782f, 0x8ed400668c0c28c9},
+      {0xa2f67f2dfa90563b, 0x728900802f0f32fb},
+      {0xcbb41ef979346bca, 0x4f2b40a03ad2ffba},
+      {0xfea126b7d78186bc, 0xe2f610c84987bfa9},
+      {0x9f24b832e6b0f436, 0x0dd9ca7d2df4d7ca},
+      {0xc6ede63fa05d3143, 0x91503d1c79720dbc},
+      {0xf8a95fcf88747d94, 0x75a44c6397ce912b},
+      {0x9b69dbe1b548ce7c, 0xc986afbe3ee11abb},
+      {0xc24452da229b021b, 0xfbe85badce996169},
+      {0xf2d56790ab41c2a2, 0xfae27299423fb9c4},
+      {0x97c560ba6b0919a5, 0xdccd879fc967d41b},
+      {0xbdb6b8e905cb600f, 0x5400e987bbc1c921},
+      {0xed246723473e3813, 0x290123e9aab23b69},
+      {0x9436c0760c86e30b, 0xf9a0b6720aaf6522},
+      {0xb94470938fa89bce, 0xf808e40e8d5b3e6a},
+      {0xe7958cb87392c2c2, 0xb60b1d1230b20e05},
+      {0x90bd77f3483bb9b9, 0xb1c6f22b5e6f48c3},
+      {0xb4ecd5f01a4aa828, 0x1e38aeb6360b1af4},
+      {0xe2280b6c20dd5232, 0x25c6da63c38de1b1},
+      {0x8d590723948a535f, 0x579c487e5a38ad0f},
+      {0xb0af48ec79ace837, 0x2d835a9df0c6d852},
+      {0xdcdb1b2798182244, 0xf8e431456cf88e66},
+      {0x8a08f0f8bf0f156b, 0x1b8e9ecb641b5900},
+      {0xac8b2d36eed2dac5, 0xe272467e3d222f40},
+      {0xd7adf884aa879177, 0x5b0ed81dcc6abb10},
+      {0x86ccbb52ea94baea, 0x98e947129fc2b4ea},
+      {0xa87fea27a539e9a5, 0x3f2398d747b36225},
+      {0xd29fe4b18e88640e, 0x8eec7f0d19a03aae},
+      {0x83a3eeeef9153e89, 0x1953cf68300424ad},
+      {0xa48ceaaab75a8e2b, 0x5fa8c3423c052dd8},
+      {0xcdb02555653131b6, 0x3792f412cb06794e},
+      {0x808e17555f3ebf11, 0xe2bbd88bbee40bd1},
+      {0xa0b19d2ab70e6ed6, 0x5b6aceaeae9d0ec5},
+      {0xc8de047564d20a8b, 0xf245825a5a445276},
+      {0xfb158592be068d2e, 0xeed6e2f0f0d56713},
+      {0x9ced737bb6c4183d, 0x55464dd69685606c},
+      {0xc428d05aa4751e4c, 0xaa97e14c3c26b887},
+      {0xf53304714d9265df, 0xd53dd99f4b3066a9},
+      {0x993fe2c6d07b7fab, 0xe546a8038efe402a},
+      {0xbf8fdb78849a5f96, 0xde98520472bdd034},
+      {0xef73d256a5c0f77c, 0x963e66858f6d4441},
+      {0x95a8637627989aad, 0xdde7001379a44aa9},
+      {0xbb127c53b17ec159, 0x5560c018580d5d53},
+      {0xe9d71b689dde71af, 0xaab8f01e6e10b4a7},
+      {0x9226712162ab070d, 0xcab3961304ca70e9},
+      {0xb6b00d69bb55c8d1, 0x3d607b97c5fd0d23},
+      {0xe45c10c42a2b3b05, 0x8cb89a7db77c506b},
+      {0x8eb98a7a9a5b04e3, 0x77f3608e92adb243},
+      {0xb267ed1940f1c61c, 0x55f038b237591ed4},
+      {0xdf01e85f912e37a3, 0x6b6c46dec52f6689},
+      {0x8b61313bbabce2c6, 0x2323ac4b3b3da016},
+      {0xae397d8aa96c1b77, 0xabec975e0a0d081b},
+      {0xd9c7dced53c72255, 0x96e7bd358c904a22},
+      {0x881cea14545c7575, 0x7e50d64177da2e55},
+      {0xaa242499697392d2, 0xdde50bd1d5d0b9ea},
+      {0xd4ad2dbfc3d07787, 0x955e4ec64b44e865},
+      {0x84ec3c97da624ab4, 0xbd5af13bef0b113f},
+      {0xa6274bbdd0fadd61, 0xecb1ad8aeacdd58f},
+      {0xcfb11ead453994ba, 0x67de18eda5814af3},
+      {0x81ceb32c4b43fcf4, 0x80eacf948770ced8},
+      {0xa2425ff75e14fc31, 0xa1258379a94d028e},
+      {0xcad2f7f5359a3b3e, 0x096ee45813a04331},
+      {0xfd87b5f28300ca0d, 0x8bca9d6e188853fd},
+      {0x9e74d1b791e07e48, 0x775ea264cf55347e},
+      {0xc612062576589dda, 0x95364afe032a819e},
+      {0xf79687aed3eec551, 0x3a83ddbd83f52205},
+      {0x9abe14cd44753b52, 0xc4926a9672793543},
+      {0xc16d9a0095928a27, 0x75b7053c0f178294},
+      {0xf1c90080baf72cb1, 0x5324c68b12dd6339},
+      {0x971da05074da7bee, 0xd3f6fc16ebca5e04},
+      {0xbce5086492111aea, 0x88f4bb1ca6bcf585},
+      {0xec1e4a7db69561a5, 0x2b31e9e3d06c32e6},
+      {0x9392ee8e921d5d07, 0x3aff322e62439fd0},
+      {0xb877aa3236a4b449, 0x09befeb9fad487c3},
+      {0xe69594bec44de15b, 0x4c2ebe687989a9b4},
+      {0x901d7cf73ab0acd9, 0x0f9d37014bf60a11},
+      {0xb424dc35095cd80f, 0x538484c19ef38c95},
+      {0xe12e13424bb40e13, 0x2865a5f206b06fba},
+      {0x8cbccc096f5088cb, 0xf93f87b7442e45d4},
+      {0xafebff0bcb24aafe, 0xf78f69a51539d749},
+      {0xdbe6fecebdedd5be, 0xb573440e5a884d1c},
+      {0x89705f4136b4a597, 0x31680a88f8953031},
+      {0xabcc77118461cefc, 0xfdc20d2b36ba7c3e},
+      {0xd6bf94d5e57a42bc, 0x3d32907604691b4d},
+      {0x8637bd05af6c69b5, 0xa63f9a49c2c1b110},
+      {0xa7c5ac471b478423, 0x0fcf80dc33721d54},
+      {0xd1b71758e219652b, 0xd3c36113404ea4a9},
+      {0x83126e978d4fdf3b, 0x645a1cac083126ea},
+      {0xa3d70a3d70a3d70a, 0x3d70a3d70a3d70a4},
+      {0xcccccccccccccccc, 0xcccccccccccccccd},
+      {0x8000000000000000, 0x0000000000000000},
+      {0xa000000000000000, 0x0000000000000000},
+      {0xc800000000000000, 0x0000000000000000},
+      {0xfa00000000000000, 0x0000000000000000},
+      {0x9c40000000000000, 0x0000000000000000},
+      {0xc350000000000000, 0x0000000000000000},
+      {0xf424000000000000, 0x0000000000000000},
+      {0x9896800000000000, 0x0000000000000000},
+      {0xbebc200000000000, 0x0000000000000000},
+      {0xee6b280000000000, 0x0000000000000000},
+      {0x9502f90000000000, 0x0000000000000000},
+      {0xba43b74000000000, 0x0000000000000000},
+      {0xe8d4a51000000000, 0x0000000000000000},
+      {0x9184e72a00000000, 0x0000000000000000},
+      {0xb5e620f480000000, 0x0000000000000000},
+      {0xe35fa931a0000000, 0x0000000000000000},
+      {0x8e1bc9bf04000000, 0x0000000000000000},
+      {0xb1a2bc2ec5000000, 0x0000000000000000},
+      {0xde0b6b3a76400000, 0x0000000000000000},
+      {0x8ac7230489e80000, 0x0000000000000000},
+      {0xad78ebc5ac620000, 0x0000000000000000},
+      {0xd8d726b7177a8000, 0x0000000000000000},
+      {0x878678326eac9000, 0x0000000000000000},
+      {0xa968163f0a57b400, 0x0000000000000000},
+      {0xd3c21bcecceda100, 0x0000000000000000},
+      {0x84595161401484a0, 0x0000000000000000},
+      {0xa56fa5b99019a5c8, 0x0000000000000000},
+      {0xcecb8f27f4200f3a, 0x0000000000000000},
+      {0x813f3978f8940984, 0x4000000000000000},
+      {0xa18f07d736b90be5, 0x5000000000000000},
+      {0xc9f2c9cd04674ede, 0xa400000000000000},
+      {0xfc6f7c4045812296, 0x4d00000000000000},
+      {0x9dc5ada82b70b59d, 0xf020000000000000},
+      {0xc5371912364ce305, 0x6c28000000000000},
+      {0xf684df56c3e01bc6, 0xc732000000000000},
+      {0x9a130b963a6c115c, 0x3c7f400000000000},
+      {0xc097ce7bc90715b3, 0x4b9f100000000000},
+      {0xf0bdc21abb48db20, 0x1e86d40000000000},
+      {0x96769950b50d88f4, 0x1314448000000000},
+      {0xbc143fa4e250eb31, 0x17d955a000000000},
+      {0xeb194f8e1ae525fd, 0x5dcfab0800000000},
+      {0x92efd1b8d0cf37be, 0x5aa1cae500000000},
+      {0xb7abc627050305ad, 0xf14a3d9e40000000},
+      {0xe596b7b0c643c719, 0x6d9ccd05d0000000},
+      {0x8f7e32ce7bea5c6f, 0xe4820023a2000000},
+      {0xb35dbf821ae4f38b, 0xdda2802c8a800000},
+      {0xe0352f62a19e306e, 0xd50b2037ad200000},
+      {0x8c213d9da502de45, 0x4526f422cc340000},
+      {0xaf298d050e4395d6, 0x9670b12b7f410000},
+      {0xdaf3f04651d47b4c, 0x3c0cdd765f114000},
+      {0x88d8762bf324cd0f, 0xa5880a69fb6ac800},
+      {0xab0e93b6efee0053, 0x8eea0d047a457a00},
+      {0xd5d238a4abe98068, 0x72a4904598d6d880},
+      {0x85a36366eb71f041, 0x47a6da2b7f864750},
+      {0xa70c3c40a64e6c51, 0x999090b65f67d924},
+      {0xd0cf4b50cfe20765, 0xfff4b4e3f741cf6d},
+      {0x82818f1281ed449f, 0xbff8f10e7a8921a4},
+      {0xa321f2d7226895c7, 0xaff72d52192b6a0d},
+      {0xcbea6f8ceb02bb39, 0x9bf4f8a69f764490},
+      {0xfee50b7025c36a08, 0x02f236d04753d5b4},
+      {0x9f4f2726179a2245, 0x01d762422c946590},
+      {0xc722f0ef9d80aad6, 0x424d3ad2b7b97ef5},
+      {0xf8ebad2b84e0d58b, 0xd2e0898765a7deb2},
+      {0x9b934c3b330c8577, 0x63cc55f49f88eb2f},
+      {0xc2781f49ffcfa6d5, 0x3cbf6b71c76b25fb},
+      {0xf316271c7fc3908a, 0x8bef464e3945ef7a},
+      {0x97edd871cfda3a56, 0x97758bf0e3cbb5ac},
+      {0xbde94e8e43d0c8ec, 0x3d52eeed1cbea317},
+      {0xed63a231d4c4fb27, 0x4ca7aaa863ee4bdd},
+      {0x945e455f24fb1cf8, 0x8fe8caa93e74ef6a},
+      {0xb975d6b6ee39e436, 0xb3e2fd538e122b44},
+      {0xe7d34c64a9c85d44, 0x60dbbca87196b616},
+      {0x90e40fbeea1d3a4a, 0xbc8955e946fe31cd},
+      {0xb51d13aea4a488dd, 0x6babab6398bdbe41},
+      {0xe264589a4dcdab14, 0xc696963c7eed2dd1},
+      {0x8d7eb76070a08aec, 0xfc1e1de5cf543ca2},
+      {0xb0de65388cc8ada8, 0x3b25a55f43294bcb},
+      {0xdd15fe86affad912, 0x49ef0eb713f39ebe},
+      {0x8a2dbf142dfcc7ab, 0x6e3569326c784337},
+      {0xacb92ed9397bf996, 0x49c2c37f07965404},
+      {0xd7e77a8f87daf7fb, 0xdc33745ec97be906},
+      {0x86f0ac99b4e8dafd, 0x69a028bb3ded71a3},
+      {0xa8acd7c0222311bc, 0xc40832ea0d68ce0c},
+      {0xd2d80db02aabd62b, 0xf50a3fa490c30190},
+      {0x83c7088e1aab65db, 0x792667c6da79e0fa},
+      {0xa4b8cab1a1563f52, 0x577001b891185938},
+      {0xcde6fd5e09abcf26, 0xed4c0226b55e6f86},
+      {0x80b05e5ac60b6178, 0x544f8158315b05b4},
+      {0xa0dc75f1778e39d6, 0x696361ae3db1c721},
+      {0xc913936dd571c84c, 0x03bc3a19cd1e38e9},
+      {0xfb5878494ace3a5f, 0x04ab48a04065c723},
+      {0x9d174b2dcec0e47b, 0x62eb0d64283f9c76},
+      {0xc45d1df942711d9a, 0x3ba5d0bd324f8394},
+      {0xf5746577930d6500, 0xca8f44ec7ee36479},
+      {0x9968bf6abbe85f20, 0x7e998b13cf4e1ecb},
+      {0xbfc2ef456ae276e8, 0x9e3fedd8c321a67e},
+      {0xefb3ab16c59b14a2, 0xc5cfe94ef3ea101e},
+      {0x95d04aee3b80ece5, 0xbba1f1d158724a12},
+      {0xbb445da9ca61281f, 0x2a8a6e45ae8edc97},
+      {0xea1575143cf97226, 0xf52d09d71a3293bd},
+      {0x924d692ca61be758, 0x593c2626705f9c56},
+      {0xb6e0c377cfa2e12e, 0x6f8b2fb00c77836c},
+      {0xe498f455c38b997a, 0x0b6dfb9c0f956447},
+      {0x8edf98b59a373fec, 0x4724bd4189bd5eac},
+      {0xb2977ee300c50fe7, 0x58edec91ec2cb657},
+      {0xdf3d5e9bc0f653e1, 0x2f2967b66737e3ed},
+      {0x8b865b215899f46c, 0xbd79e0d20082ee74},
+      {0xae67f1e9aec07187, 0xecd8590680a3aa11},
+      {0xda01ee641a708de9, 0xe80e6f4820cc9495},
+      {0x884134fe908658b2, 0x3109058d147fdcdd},
+      {0xaa51823e34a7eede, 0xbd4b46f0599fd415},
+      {0xd4e5e2cdc1d1ea96, 0x6c9e18ac7007c91a},
+      {0x850fadc09923329e, 0x03e2cf6bc604ddb0},
+      {0xa6539930bf6bff45, 0x84db8346b786151c},
+      {0xcfe87f7cef46ff16, 0xe612641865679a63},
+      {0x81f14fae158c5f6e, 0x4fcb7e8f3f60c07e},
+      {0xa26da3999aef7749, 0xe3be5e330f38f09d},
+      {0xcb090c8001ab551c, 0x5cadf5bfd3072cc5},
+      {0xfdcb4fa002162a63, 0x73d9732fc7c8f7f6},
+      {0x9e9f11c4014dda7e, 0x2867e7fddcdd9afa},
+      {0xc646d63501a1511d, 0xb281e1fd541501b8},
+      {0xf7d88bc24209a565, 0x1f225a7ca91a4226},
+      {0x9ae757596946075f, 0x3375788de9b06958},
+      {0xc1a12d2fc3978937, 0x0052d6b1641c83ae},
+      {0xf209787bb47d6b84, 0xc0678c5dbd23a49a},
+      {0x9745eb4d50ce6332, 0xf840b7ba963646e0},
+      {0xbd176620a501fbff, 0xb650e5a93bc3d898},
+      {0xec5d3fa8ce427aff, 0xa3e51f138ab4cebe},
+      {0x93ba47c980e98cdf, 0xc66f336c36b10137},
+      {0xb8a8d9bbe123f017, 0xb80b0047445d4184},
+      {0xe6d3102ad96cec1d, 0xa60dc059157491e5},
+      {0x9043ea1ac7e41392, 0x87c89837ad68db2f},
+      {0xb454e4a179dd1877, 0x29babe4598c311fb},
+      {0xe16a1dc9d8545e94, 0xf4296dd6fef3d67a},
+      {0x8ce2529e2734bb1d, 0x1899e4a65f58660c},
+      {0xb01ae745b101e9e4, 0x5ec05dcff72e7f8f},
+      {0xdc21a1171d42645d, 0x76707543f4fa1f73},
+      {0x899504ae72497eba, 0x6a06494a791c53a8},
+      {0xabfa45da0edbde69, 0x0487db9d17636892},
+      {0xd6f8d7509292d603, 0x45a9d2845d3c42b6},
+      {0x865b86925b9bc5c2, 0x0b8a2392ba45a9b2},
+      {0xa7f26836f282b732, 0x8e6cac7768d7141e},
+      {0xd1ef0244af2364ff, 0x3207d795430cd926},
+      {0x8335616aed761f1f, 0x7f44e6bd49e807b8},
+      {0xa402b9c5a8d3a6e7, 0x5f16206c9c6209a6},
+      {0xcd036837130890a1, 0x36dba887c37a8c0f},
+      {0x802221226be55a64, 0xc2494954da2c9789},
+      {0xa02aa96b06deb0fd, 0xf2db9baa10b7bd6c},
+      {0xc83553c5c8965d3d, 0x6f92829494e5acc7},
+      {0xfa42a8b73abbf48c, 0xcb772339ba1f17f9},
+      {0x9c69a97284b578d7, 0xff2a760414536efb},
+      {0xc38413cf25e2d70d, 0xfef5138519684aba},
+      {0xf46518c2ef5b8cd1, 0x7eb258665fc25d69},
+      {0x98bf2f79d5993802, 0xef2f773ffbd97a61},
+      {0xbeeefb584aff8603, 0xaafb550ffacfd8fa},
+      {0xeeaaba2e5dbf6784, 0x95ba2a53f983cf38},
+      {0x952ab45cfa97a0b2, 0xdd945a747bf26183},
+      {0xba756174393d88df, 0x94f971119aeef9e4},
+      {0xe912b9d1478ceb17, 0x7a37cd5601aab85d},
+      {0x91abb422ccb812ee, 0xac62e055c10ab33a},
+      {0xb616a12b7fe617aa, 0x577b986b314d6009},
+      {0xe39c49765fdf9d94, 0xed5a7e85fda0b80b},
+      {0x8e41ade9fbebc27d, 0x14588f13be847307},
+      {0xb1d219647ae6b31c, 0x596eb2d8ae258fc8},
+      {0xde469fbd99a05fe3, 0x6fca5f8ed9aef3bb},
+      {0x8aec23d680043bee, 0x25de7bb9480d5854},
+      {0xada72ccc20054ae9, 0xaf561aa79a10ae6a},
+      {0xd910f7ff28069da4, 0x1b2ba1518094da04},
+      {0x87aa9aff79042286, 0x90fb44d2f05d0842},
+      {0xa99541bf57452b28, 0x353a1607ac744a53},
+      {0xd3fa922f2d1675f2, 0x42889b8997915ce8},
+      {0x847c9b5d7c2e09b7, 0x69956135febada11},
+      {0xa59bc234db398c25, 0x43fab9837e699095},
+      {0xcf02b2c21207ef2e, 0x94f967e45e03f4bb},
+      {0x8161afb94b44f57d, 0x1d1be0eebac278f5},
+      {0xa1ba1ba79e1632dc, 0x6462d92a69731732},
+      {0xca28a291859bbf93, 0x7d7b8f7503cfdcfe},
+      {0xfcb2cb35e702af78, 0x5cda735244c3d43e},
+      {0x9defbf01b061adab, 0x3a0888136afa64a7},
+      {0xc56baec21c7a1916, 0x088aaa1845b8fdd0},
+      {0xf6c69a72a3989f5b, 0x8aad549e57273d45},
+      {0x9a3c2087a63f6399, 0x36ac54e2f678864b},
+      {0xc0cb28a98fcf3c7f, 0x84576a1bb416a7dd},
+      {0xf0fdf2d3f3c30b9f, 0x656d44a2a11c51d5},
+      {0x969eb7c47859e743, 0x9f644ae5a4b1b325},
+      {0xbc4665b596706114, 0x873d5d9f0dde1fee},
+      {0xeb57ff22fc0c7959, 0xa90cb506d155a7ea},
+      {0x9316ff75dd87cbd8, 0x09a7f12442d588f2},
+      {0xb7dcbf5354e9bece, 0x0c11ed6d538aeb2f},
+      {0xe5d3ef282a242e81, 0x8f1668c8a86da5fa},
+      {0x8fa475791a569d10, 0xf96e017d694487bc},
+      {0xb38d92d760ec4455, 0x37c981dcc395a9ac},
+      {0xe070f78d3927556a, 0x85bbe253f47b1417},
+      {0x8c469ab843b89562, 0x93956d7478ccec8e},
+      {0xaf58416654a6babb, 0x387ac8d1970027b2},
+      {0xdb2e51bfe9d0696a, 0x06997b05fcc0319e},
+      {0x88fcf317f22241e2, 0x441fece3bdf81f03},
+      {0xab3c2fddeeaad25a, 0xd527e81cad7626c3},
+      {0xd60b3bd56a5586f1, 0x8a71e223d8d3b074},
+      {0x85c7056562757456, 0xf6872d5667844e49},
+      {0xa738c6bebb12d16c, 0xb428f8ac016561db},
+      {0xd106f86e69d785c7, 0xe13336d701beba52},
+      {0x82a45b450226b39c, 0xecc0024661173473},
+      {0xa34d721642b06084, 0x27f002d7f95d0190},
+      {0xcc20ce9bd35c78a5, 0x31ec038df7b441f4},
+      {0xff290242c83396ce, 0x7e67047175a15271},
+      {0x9f79a169bd203e41, 0x0f0062c6e984d386},
+      {0xc75809c42c684dd1, 0x52c07b78a3e60868},
+      {0xf92e0c3537826145, 0xa7709a56ccdf8a82},
+      {0x9bbcc7a142b17ccb, 0x88a66076400bb691},
+      {0xc2abf989935ddbfe, 0x6acff893d00ea435},
+      {0xf356f7ebf83552fe, 0x0583f6b8c4124d43},
+      {0x98165af37b2153de, 0xc3727a337a8b704a},
+      {0xbe1bf1b059e9a8d6, 0x744f18c0592e4c5c},
+      {0xeda2ee1c7064130c, 0x1162def06f79df73},
+      {0x9485d4d1c63e8be7, 0x8addcb5645ac2ba8},
+      {0xb9a74a0637ce2ee1, 0x6d953e2bd7173692},
+      {0xe8111c87c5c1ba99, 0xc8fa8db6ccdd0437},
+      {0x910ab1d4db9914a0, 0x1d9c9892400a22a2},
+      {0xb54d5e4a127f59c8, 0x2503beb6d00cab4b},
+      {0xe2a0b5dc971f303a, 0x2e44ae64840fd61d},
+      {0x8da471a9de737e24, 0x5ceaecfed289e5d2},
+      {0xb10d8e1456105dad, 0x7425a83e872c5f47},
+      {0xdd50f1996b947518, 0xd12f124e28f77719},
+      {0x8a5296ffe33cc92f, 0x82bd6b70d99aaa6f},
+      {0xace73cbfdc0bfb7b, 0x636cc64d1001550b},
+      {0xd8210befd30efa5a, 0x3c47f7e05401aa4e},
+      {0x8714a775e3e95c78, 0x65acfaec34810a71},
+      {0xa8d9d1535ce3b396, 0x7f1839a741a14d0d},
+      {0xd31045a8341ca07c, 0x1ede48111209a050},
+      {0x83ea2b892091e44d, 0x934aed0aab460432},
+      {0xa4e4b66b68b65d60, 0xf81da84d5617853f},
+      {0xce1de40642e3f4b9, 0x36251260ab9d668e},
+      {0x80d2ae83e9ce78f3, 0xc1d72b7c6b426019},
+      {0xa1075a24e4421730, 0xb24cf65b8612f81f},
+      {0xc94930ae1d529cfc, 0xdee033f26797b627},
+      {0xfb9b7cd9a4a7443c, 0x169840ef017da3b1},
+      {0x9d412e0806e88aa5, 0x8e1f289560ee864e},
+      {0xc491798a08a2ad4e, 0xf1a6f2bab92a27e2},
+      {0xf5b5d7ec8acb58a2, 0xae10af696774b1db},
+      {0x9991a6f3d6bf1765, 0xacca6da1e0a8ef29},
+      {0xbff610b0cc6edd3f, 0x17fd090a58d32af3},
+      {0xeff394dcff8a948e, 0xddfc4b4cef07f5b0},
+      {0x95f83d0a1fb69cd9, 0x4abdaf101564f98e},
+      {0xbb764c4ca7a4440f, 0x9d6d1ad41abe37f1},
+      {0xea53df5fd18d5513, 0x84c86189216dc5ed},
+      {0x92746b9be2f8552c, 0x32fd3cf5b4e49bb4},
+      {0xb7118682dbb66a77, 0x3fbc8c33221dc2a1},
+      {0xe4d5e82392a40515, 0x0fabaf3feaa5334a},
+      {0x8f05b1163ba6832d, 0x29cb4d87f2a7400e},
+      {0xb2c71d5bca9023f8, 0x743e20e9ef511012},
+      {0xdf78e4b2bd342cf6, 0x914da9246b255416},
+      {0x8bab8eefb6409c1a, 0x1ad089b6c2f7548e},
+      {0xae9672aba3d0c320, 0xa184ac2473b529b1},
+      {0xda3c0f568cc4f3e8, 0xc9e5d72d90a2741e},
+      {0x8865899617fb1871, 0x7e2fa67c7a658892},
+      {0xaa7eebfb9df9de8d, 0xddbb901b98feeab7},
+      {0xd51ea6fa85785631, 0x552a74227f3ea565},
+      {0x8533285c936b35de, 0xd53a88958f87275f},
+      {0xa67ff273b8460356, 0x8a892abaf368f137},
+      {0xd01fef10a657842c, 0x2d2b7569b0432d85},
+      {0x8213f56a67f6b29b, 0x9c3b29620e29fc73},
+      {0xa298f2c501f45f42, 0x8349f3ba91b47b8f},
+      {0xcb3f2f7642717713, 0x241c70a936219a73},
+      {0xfe0efb53d30dd4d7, 0xed238cd383aa0110},
+      {0x9ec95d1463e8a506, 0xf4363804324a40aa},
+      {0xc67bb4597ce2ce48, 0xb143c6053edcd0d5},
+      {0xf81aa16fdc1b81da, 0xdd94b7868e94050a},
+      {0x9b10a4e5e9913128, 0xca7cf2b4191c8326},
+      {0xc1d4ce1f63f57d72, 0xfd1c2f611f63a3f0},
+      {0xf24a01a73cf2dccf, 0xbc633b39673c8cec},
+      {0x976e41088617ca01, 0xd5be0503e085d813},
+      {0xbd49d14aa79dbc82, 0x4b2d8644d8a74e18},
+      {0xec9c459d51852ba2, 0xddf8e7d60ed1219e},
+      {0x93e1ab8252f33b45, 0xcabb90e5c942b503},
+      {0xb8da1662e7b00a17, 0x3d6a751f3b936243},
+      {0xe7109bfba19c0c9d, 0x0cc512670a783ad4},
+      {0x906a617d450187e2, 0x27fb2b80668b24c5},
+      {0xb484f9dc9641e9da, 0xb1f9f660802dedf6},
+      {0xe1a63853bbd26451, 0x5e7873f8a0396973},
+      {0x8d07e33455637eb2, 0xdb0b487b6423e1e8},
+      {0xb049dc016abc5e5f, 0x91ce1a9a3d2cda62},
+      {0xdc5c5301c56b75f7, 0x7641a140cc7810fb},
+      {0x89b9b3e11b6329ba, 0xa9e904c87fcb0a9d},
+      {0xac2820d9623bf429, 0x546345fa9fbdcd44},
+      {0xd732290fbacaf133, 0xa97c177947ad4095},
+      {0x867f59a9d4bed6c0, 0x49ed8eabcccc485d},
+      {0xa81f301449ee8c70, 0x5c68f256bfff5a74},
+      {0xd226fc195c6a2f8c, 0x73832eec6fff3111},
+      {0x83585d8fd9c25db7, 0xc831fd53c5ff7eab},
+      {0xa42e74f3d032f525, 0xba3e7ca8b77f5e55},
+      {0xcd3a1230c43fb26f, 0x28ce1bd2e55f35eb},
+      {0x80444b5e7aa7cf85, 0x7980d163cf5b81b3},
+      {0xa0555e361951c366, 0xd7e105bcc332621f},
+      {0xc86ab5c39fa63440, 0x8dd9472bf3fefaa7},
+      {0xfa856334878fc150, 0xb14f98f6f0feb951},
+      {0x9c935e00d4b9d8d2, 0x6ed1bf9a569f33d3},
+      {0xc3b8358109e84f07, 0x0a862f80ec4700c8},
+      {0xf4a642e14c6262c8, 0xcd27bb612758c0fa},
+      {0x98e7e9cccfbd7dbd, 0x8038d51cb897789c},
+      {0xbf21e44003acdd2c, 0xe0470a63e6bd56c3},
+      {0xeeea5d5004981478, 0x1858ccfce06cac74},
+      {0x95527a5202df0ccb, 0x0f37801e0c43ebc8},
+      {0xbaa718e68396cffd, 0xd30560258f54e6ba},
+      {0xe950df20247c83fd, 0x47c6b82ef32a2069},
+      {0x91d28b7416cdd27e, 0x4cdc331d57fa5441},
+      {0xb6472e511c81471d, 0xe0133fe4adf8e952},
+      {0xe3d8f9e563a198e5, 0x58180fddd97723a6},
+      {0x8e679c2f5e44ff8f, 0x570f09eaa7ea7648},
+      {0xb201833b35d63f73, 0x2cd2cc6551e513da},
+      {0xde81e40a034bcf4f, 0xf8077f7ea65e58d1},
+      {0x8b112e86420f6191, 0xfb04afaf27faf782},
+      {0xadd57a27d29339f6, 0x79c5db9af1f9b563},
+      {0xd94ad8b1c7380874, 0x18375281ae7822bc},
+      {0x87cec76f1c830548, 0x8f2293910d0b15b5},
+      {0xa9c2794ae3a3c69a, 0xb2eb3875504ddb22},
+      {0xd433179d9c8cb841, 0x5fa60692a46151eb},
+      {0x849feec281d7f328, 0xdbc7c41ba6bcd333},
+      {0xa5c7ea73224deff3, 0x12b9b522906c0800},
+      {0xcf39e50feae16bef, 0xd768226b34870a00},
+      {0x81842f29f2cce375, 0xe6a1158300d46640},
+      {0xa1e53af46f801c53, 0x60495ae3c1097fd0},
+      {0xca5e89b18b602368, 0x385bb19cb14bdfc4},
+      {0xfcf62c1dee382c42, 0x46729e03dd9ed7b5},
+      {0x9e19db92b4e31ba9, 0x6c07a2c26a8346d1},
+      {0xc5a05277621be293, 0xc7098b7305241885},
+      { 0xf70867153aa2db38,
+        0xb8cbee4fc66d1ea7 }
+#else
+      {0xff77b1fcbebcdc4f, 0x25e8e89c13bb0f7b},
+      {0xce5d73ff402d98e3, 0xfb0a3d212dc81290},
+      {0xa6b34ad8c9dfc06f, 0xf42faa48c0ea481f},
+      {0x86a8d39ef77164bc, 0xae5dff9c02033198},
+      {0xd98ddaee19068c76, 0x3badd624dd9b0958},
+      {0xafbd2350644eeacf, 0xe5d1929ef90898fb},
+      {0x8df5efabc5979c8f, 0xca8d3ffa1ef463c2},
+      {0xe55990879ddcaabd, 0xcc420a6a101d0516},
+      {0xb94470938fa89bce, 0xf808e40e8d5b3e6a},
+      {0x95a8637627989aad, 0xdde7001379a44aa9},
+      {0xf1c90080baf72cb1, 0x5324c68b12dd6339},
+      {0xc350000000000000, 0x0000000000000000},
+      {0x9dc5ada82b70b59d, 0xf020000000000000},
+      {0xfee50b7025c36a08, 0x02f236d04753d5b4},
+      {0xcde6fd5e09abcf26, 0xed4c0226b55e6f86},
+      {0xa6539930bf6bff45, 0x84db8346b786151c},
+      {0x865b86925b9bc5c2, 0x0b8a2392ba45a9b2},
+      {0xd910f7ff28069da4, 0x1b2ba1518094da04},
+      {0xaf58416654a6babb, 0x387ac8d1970027b2},
+      {0x8da471a9de737e24, 0x5ceaecfed289e5d2},
+      {0xe4d5e82392a40515, 0x0fabaf3feaa5334a},
+      {0xb8da1662e7b00a17, 0x3d6a751f3b936243},
+      { 0x95527a5202df0ccb,
+        0x0f37801e0c43ebc8 }
+#endif
+    };
+
+#if FMT_USE_FULL_CACHE_DRAGONBOX
+    return pow10_significands[k - float_info<double>::min_k];
+#else
+    static constexpr const uint64_t powers_of_5_64[] = {
+        0x0000000000000001, 0x0000000000000005, 0x0000000000000019,
+        0x000000000000007d, 0x0000000000000271, 0x0000000000000c35,
+        0x0000000000003d09, 0x000000000001312d, 0x000000000005f5e1,
+        0x00000000001dcd65, 0x00000000009502f9, 0x0000000002e90edd,
+        0x000000000e8d4a51, 0x0000000048c27395, 0x000000016bcc41e9,
+        0x000000071afd498d, 0x0000002386f26fc1, 0x000000b1a2bc2ec5,
+        0x000003782dace9d9, 0x00001158e460913d, 0x000056bc75e2d631,
+        0x0001b1ae4d6e2ef5, 0x000878678326eac9, 0x002a5a058fc295ed,
+        0x00d3c21bcecceda1, 0x0422ca8b0a00a425, 0x14adf4b7320334b9};
+
+    static constexpr const uint32_t pow10_recovery_errors[] = {
+        0x50001400, 0x54044100, 0x54014555, 0x55954415, 0x54115555, 0x00000001,
+        0x50000000, 0x00104000, 0x54010004, 0x05004001, 0x55555544, 0x41545555,
+        0x54040551, 0x15445545, 0x51555514, 0x10000015, 0x00101100, 0x01100015,
+        0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x04450514, 0x45414110,
+        0x55555145, 0x50544050, 0x15040155, 0x11054140, 0x50111514, 0x11451454,
+        0x00400541, 0x00000000, 0x55555450, 0x10056551, 0x10054011, 0x55551014,
+        0x69514555, 0x05151109, 0x00155555};
+
+    static const int compression_ratio = 27;
+
+    // Compute base index.
+    int cache_index = (k - float_info<double>::min_k) / compression_ratio;
+    int kb = cache_index * compression_ratio + float_info<double>::min_k;
+    int offset = k - kb;
+
+    // Get base cache.
+    uint128_wrapper base_cache = pow10_significands[cache_index];
+    if (offset == 0) return base_cache;
+
+    // Compute the required amount of bit-shift.
+    int alpha = floor_log2_pow10(kb + offset) - floor_log2_pow10(kb) - offset;
+    FMT_ASSERT(alpha > 0 && alpha < 64, "shifting error detected");
+
+    // Try to recover the real cache.
+    uint64_t pow5 = powers_of_5_64[offset];
+    uint128_wrapper recovered_cache = umul128(base_cache.high(), pow5);
+    uint128_wrapper middle_low =
+        umul128(base_cache.low() - (kb < 0 ? 1u : 0u), pow5);
+
+    recovered_cache += middle_low.high();
+
+    uint64_t high_to_middle = recovered_cache.high() << (64 - alpha);
+    uint64_t middle_to_low = recovered_cache.low() << (64 - alpha);
+
+    recovered_cache =
+        uint128_wrapper{(recovered_cache.low() >> alpha) | high_to_middle,
+                        ((middle_low.low() >> alpha) | middle_to_low)};
+
+    if (kb < 0) recovered_cache += 1;
+
+    // Get error.
+    int error_idx = (k - float_info<double>::min_k) / 16;
+    uint32_t error = (pow10_recovery_errors[error_idx] >>
+                      ((k - float_info<double>::min_k) % 16) * 2) &
+                     0x3;
+
+    // Add the error back.
+    FMT_ASSERT(recovered_cache.low() + error >= recovered_cache.low(), "");
+    return {recovered_cache.high(), recovered_cache.low() + error};
+#endif
+  }
+
+  static carrier_uint compute_mul(carrier_uint u,
+                                  const cache_entry_type& cache) FMT_NOEXCEPT {
+    return umul192_upper64(u, cache);
+  }
+
+  static uint32_t compute_delta(cache_entry_type const& cache,
+                                int beta_minus_1) FMT_NOEXCEPT {
+    return static_cast<uint32_t>(cache.high() >> (64 - 1 - beta_minus_1));
+  }
+
+  static bool compute_mul_parity(carrier_uint two_f,
+                                 const cache_entry_type& cache,
+                                 int beta_minus_1) FMT_NOEXCEPT {
+    FMT_ASSERT(beta_minus_1 >= 1, "");
+    FMT_ASSERT(beta_minus_1 < 64, "");
+
+    return ((umul192_middle64(two_f, cache) >> (64 - beta_minus_1)) & 1) != 0;
+  }
+
+  static carrier_uint compute_left_endpoint_for_shorter_interval_case(
+      const cache_entry_type& cache, int beta_minus_1) FMT_NOEXCEPT {
+    return (cache.high() -
+            (cache.high() >> (float_info<double>::significand_bits + 2))) >>
+           (64 - float_info<double>::significand_bits - 1 - beta_minus_1);
+  }
+
+  static carrier_uint compute_right_endpoint_for_shorter_interval_case(
+      const cache_entry_type& cache, int beta_minus_1) FMT_NOEXCEPT {
+    return (cache.high() +
+            (cache.high() >> (float_info<double>::significand_bits + 1))) >>
+           (64 - float_info<double>::significand_bits - 1 - beta_minus_1);
+  }
+
+  static carrier_uint compute_round_up_for_shorter_interval_case(
+      const cache_entry_type& cache, int beta_minus_1) FMT_NOEXCEPT {
+    return ((cache.high() >>
+             (64 - float_info<double>::significand_bits - 2 - beta_minus_1)) +
+            1) /
+           2;
+  }
+};
+
+// Various integer checks
+template <class T>
+bool is_left_endpoint_integer_shorter_interval(int exponent) FMT_NOEXCEPT {
+  return exponent >=
+             float_info<
+                 T>::case_shorter_interval_left_endpoint_lower_threshold &&
+         exponent <=
+             float_info<T>::case_shorter_interval_left_endpoint_upper_threshold;
+}
+template <class T>
+bool is_endpoint_integer(typename float_info<T>::carrier_uint two_f,
+                         int exponent, int minus_k) FMT_NOEXCEPT {
+  if (exponent < float_info<T>::case_fc_pm_half_lower_threshold) return false;
+  // For k >= 0.
+  if (exponent <= float_info<T>::case_fc_pm_half_upper_threshold) return true;
+  // For k < 0.
+  if (exponent > float_info<T>::divisibility_check_by_5_threshold) return false;
+  return divisible_by_power_of_5(two_f, minus_k);
+}
+
+template <class T>
+bool is_center_integer(typename float_info<T>::carrier_uint two_f, int exponent,
+                       int minus_k) FMT_NOEXCEPT {
+  // Exponent for 5 is negative.
+  if (exponent > float_info<T>::divisibility_check_by_5_threshold) return false;
+  if (exponent > float_info<T>::case_fc_upper_threshold)
+    return divisible_by_power_of_5(two_f, minus_k);
+  // Both exponents are nonnegative.
+  if (exponent >= float_info<T>::case_fc_lower_threshold) return true;
+  // Exponent for 2 is negative.
+  return divisible_by_power_of_2(two_f, minus_k - exponent + 1);
+}
+
+// Remove trailing zeros from n and return the number of zeros removed (float)
+FMT_INLINE int remove_trailing_zeros(uint32_t& n) FMT_NOEXCEPT {
+#ifdef FMT_BUILTIN_CTZ
+  int t = FMT_BUILTIN_CTZ(n);
+#else
+  int t = ctz(n);
+#endif
+  if (t > float_info<float>::max_trailing_zeros)
+    t = float_info<float>::max_trailing_zeros;
+
+  const uint32_t mod_inv1 = 0xcccccccd;
+  const uint32_t max_quotient1 = 0x33333333;
+  const uint32_t mod_inv2 = 0xc28f5c29;
+  const uint32_t max_quotient2 = 0x0a3d70a3;
+
+  int s = 0;
+  for (; s < t - 1; s += 2) {
+    if (n * mod_inv2 > max_quotient2) break;
+    n *= mod_inv2;
+  }
+  if (s < t && n * mod_inv1 <= max_quotient1) {
+    n *= mod_inv1;
+    ++s;
+  }
+  n >>= s;
+  return s;
+}
+
+// Removes trailing zeros and returns the number of zeros removed (double)
+FMT_INLINE int remove_trailing_zeros(uint64_t& n) FMT_NOEXCEPT {
+#ifdef FMT_BUILTIN_CTZLL
+  int t = FMT_BUILTIN_CTZLL(n);
+#else
+  int t = ctzll(n);
+#endif
+  if (t > float_info<double>::max_trailing_zeros)
+    t = float_info<double>::max_trailing_zeros;
+  // Divide by 10^8 and reduce to 32-bits
+  // Since ret_value.significand <= (2^64 - 1) / 1000 < 10^17,
+  // both of the quotient and the r should fit in 32-bits
+
+  const uint32_t mod_inv1 = 0xcccccccd;
+  const uint32_t max_quotient1 = 0x33333333;
+  const uint64_t mod_inv8 = 0xc767074b22e90e21;
+  const uint64_t max_quotient8 = 0x00002af31dc46118;
+
+  // If the number is divisible by 1'0000'0000, work with the quotient
+  if (t >= 8) {
+    auto quotient_candidate = n * mod_inv8;
+
+    if (quotient_candidate <= max_quotient8) {
+      auto quotient = static_cast<uint32_t>(quotient_candidate >> 8);
+
+      int s = 8;
+      for (; s < t; ++s) {
+        if (quotient * mod_inv1 > max_quotient1) break;
+        quotient *= mod_inv1;
+      }
+      quotient >>= (s - 8);
+      n = quotient;
+      return s;
+    }
+  }
+
+  // Otherwise, work with the remainder
+  auto quotient = static_cast<uint32_t>(n / 100000000);
+  auto remainder = static_cast<uint32_t>(n - 100000000 * quotient);
+
+  if (t == 0 || remainder * mod_inv1 > max_quotient1) {
+    return 0;
+  }
+  remainder *= mod_inv1;
+
+  if (t == 1 || remainder * mod_inv1 > max_quotient1) {
+    n = (remainder >> 1) + quotient * 10000000ull;
+    return 1;
+  }
+  remainder *= mod_inv1;
+
+  if (t == 2 || remainder * mod_inv1 > max_quotient1) {
+    n = (remainder >> 2) + quotient * 1000000ull;
+    return 2;
+  }
+  remainder *= mod_inv1;
+
+  if (t == 3 || remainder * mod_inv1 > max_quotient1) {
+    n = (remainder >> 3) + quotient * 100000ull;
+    return 3;
+  }
+  remainder *= mod_inv1;
+
+  if (t == 4 || remainder * mod_inv1 > max_quotient1) {
+    n = (remainder >> 4) + quotient * 10000ull;
+    return 4;
+  }
+  remainder *= mod_inv1;
+
+  if (t == 5 || remainder * mod_inv1 > max_quotient1) {
+    n = (remainder >> 5) + quotient * 1000ull;
+    return 5;
+  }
+  remainder *= mod_inv1;
+
+  if (t == 6 || remainder * mod_inv1 > max_quotient1) {
+    n = (remainder >> 6) + quotient * 100ull;
+    return 6;
+  }
+  remainder *= mod_inv1;
+
+  n = (remainder >> 7) + quotient * 10ull;
+  return 7;
+}
+
+// The main algorithm for shorter interval case
+template <class T>
+FMT_INLINE decimal_fp<T> shorter_interval_case(int exponent) FMT_NOEXCEPT {
+  decimal_fp<T> ret_value;
+  // Compute k and beta
+  const int minus_k = floor_log10_pow2_minus_log10_4_over_3(exponent);
+  const int beta_minus_1 = exponent + floor_log2_pow10(-minus_k);
+
+  // Compute xi and zi
+  using cache_entry_type = typename cache_accessor<T>::cache_entry_type;
+  const cache_entry_type cache = cache_accessor<T>::get_cached_power(-minus_k);
+
+  auto xi = cache_accessor<T>::compute_left_endpoint_for_shorter_interval_case(
+      cache, beta_minus_1);
+  auto zi = cache_accessor<T>::compute_right_endpoint_for_shorter_interval_case(
+      cache, beta_minus_1);
+
+  // If the left endpoint is not an integer, increase it
+  if (!is_left_endpoint_integer_shorter_interval<T>(exponent)) ++xi;
+
+  // Try bigger divisor
+  ret_value.significand = zi / 10;
+
+  // If succeed, remove trailing zeros if necessary and return
+  if (ret_value.significand * 10 >= xi) {
+    ret_value.exponent = minus_k + 1;
+    ret_value.exponent += remove_trailing_zeros(ret_value.significand);
+    return ret_value;
+  }
+
+  // Otherwise, compute the round-up of y
+  ret_value.significand =
+      cache_accessor<T>::compute_round_up_for_shorter_interval_case(
+          cache, beta_minus_1);
+  ret_value.exponent = minus_k;
+
+  // When tie occurs, choose one of them according to the rule
+  if (exponent >= float_info<T>::shorter_interval_tie_lower_threshold &&
+      exponent <= float_info<T>::shorter_interval_tie_upper_threshold) {
+    ret_value.significand = ret_value.significand % 2 == 0
+                                ? ret_value.significand
+                                : ret_value.significand - 1;
+  } else if (ret_value.significand < xi) {
+    ++ret_value.significand;
+  }
+  return ret_value;
+}
+
+template <typename T> decimal_fp<T> to_decimal(T x) FMT_NOEXCEPT {
+  // Step 1: integer promotion & Schubfach multiplier calculation.
+
+  using carrier_uint = typename float_info<T>::carrier_uint;
+  using cache_entry_type = typename cache_accessor<T>::cache_entry_type;
+  auto br = bit_cast<carrier_uint>(x);
+
+  // Extract significand bits and exponent bits.
+  const carrier_uint significand_mask =
+      (static_cast<carrier_uint>(1) << float_info<T>::significand_bits) - 1;
+  carrier_uint significand = (br & significand_mask);
+  int exponent = static_cast<int>((br & exponent_mask<T>()) >>
+                                  float_info<T>::significand_bits);
+
+  if (exponent != 0) {  // Check if normal.
+    exponent += float_info<T>::exponent_bias - float_info<T>::significand_bits;
+
+    // Shorter interval case; proceed like Schubfach.
+    if (significand == 0) return shorter_interval_case<T>(exponent);
+
+    significand |=
+        (static_cast<carrier_uint>(1) << float_info<T>::significand_bits);
+  } else {
+    // Subnormal case; the interval is always regular.
+    if (significand == 0) return {0, 0};
+    exponent = float_info<T>::min_exponent - float_info<T>::significand_bits;
+  }
+
+  const bool include_left_endpoint = (significand % 2 == 0);
+  const bool include_right_endpoint = include_left_endpoint;
+
+  // Compute k and beta.
+  const int minus_k = floor_log10_pow2(exponent) - float_info<T>::kappa;
+  const cache_entry_type cache = cache_accessor<T>::get_cached_power(-minus_k);
+  const int beta_minus_1 = exponent + floor_log2_pow10(-minus_k);
+
+  // Compute zi and deltai
+  // 10^kappa <= deltai < 10^(kappa + 1)
+  const uint32_t deltai = cache_accessor<T>::compute_delta(cache, beta_minus_1);
+  const carrier_uint two_fc = significand << 1;
+  const carrier_uint two_fr = two_fc | 1;
+  const carrier_uint zi =
+      cache_accessor<T>::compute_mul(two_fr << beta_minus_1, cache);
+
+  // Step 2: Try larger divisor; remove trailing zeros if necessary
+
+  // Using an upper bound on zi, we might be able to optimize the division
+  // better than the compiler; we are computing zi / big_divisor here
+  decimal_fp<T> ret_value;
+  ret_value.significand = divide_by_10_to_kappa_plus_1(zi);
+  uint32_t r = static_cast<uint32_t>(zi - float_info<T>::big_divisor *
+                                              ret_value.significand);
+
+  if (r > deltai) {
+    goto small_divisor_case_label;
+  } else if (r < deltai) {
+    // Exclude the right endpoint if necessary
+    if (r == 0 && !include_right_endpoint &&
+        is_endpoint_integer<T>(two_fr, exponent, minus_k)) {
+      --ret_value.significand;
+      r = float_info<T>::big_divisor;
+      goto small_divisor_case_label;
+    }
+  } else {
+    // r == deltai; compare fractional parts
+    // Check conditions in the order different from the paper
+    // to take advantage of short-circuiting
+    const carrier_uint two_fl = two_fc - 1;
+    if ((!include_left_endpoint ||
+         !is_endpoint_integer<T>(two_fl, exponent, minus_k)) &&
+        !cache_accessor<T>::compute_mul_parity(two_fl, cache, beta_minus_1)) {
+      goto small_divisor_case_label;
+    }
+  }
+  ret_value.exponent = minus_k + float_info<T>::kappa + 1;
+
+  // We may need to remove trailing zeros
+  ret_value.exponent += remove_trailing_zeros(ret_value.significand);
+  return ret_value;
+
+  // Step 3: Find the significand with the smaller divisor
+
+small_divisor_case_label:
+  ret_value.significand *= 10;
+  ret_value.exponent = minus_k + float_info<T>::kappa;
+
+  const uint32_t mask = (1u << float_info<T>::kappa) - 1;
+  auto dist = r - (deltai / 2) + (float_info<T>::small_divisor / 2);
+
+  // Is dist divisible by 2^kappa?
+  if ((dist & mask) == 0) {
+    const bool approx_y_parity =
+        ((dist ^ (float_info<T>::small_divisor / 2)) & 1) != 0;
+    dist >>= float_info<T>::kappa;
+
+    // Is dist divisible by 5^kappa?
+    if (check_divisibility_and_divide_by_pow5<float_info<T>::kappa>(dist)) {
+      ret_value.significand += dist;
+
+      // Check z^(f) >= epsilon^(f)
+      // We have either yi == zi - epsiloni or yi == (zi - epsiloni) - 1,
+      // where yi == zi - epsiloni if and only if z^(f) >= epsilon^(f)
+      // Since there are only 2 possibilities, we only need to care about the
+      // parity. Also, zi and r should have the same parity since the divisor
+      // is an even number
+      if (cache_accessor<T>::compute_mul_parity(two_fc, cache, beta_minus_1) !=
+          approx_y_parity) {
+        --ret_value.significand;
+      } else {
+        // If z^(f) >= epsilon^(f), we might have a tie
+        // when z^(f) == epsilon^(f), or equivalently, when y is an integer
+        if (is_center_integer<T>(two_fc, exponent, minus_k)) {
+          ret_value.significand = ret_value.significand % 2 == 0
+                                      ? ret_value.significand
+                                      : ret_value.significand - 1;
+        }
+      }
+    }
+    // Is dist not divisible by 5^kappa?
+    else {
+      ret_value.significand += dist;
+    }
+  }
+  // Is dist not divisible by 2^kappa?
+  else {
+    // Since we know dist is small, we might be able to optimize the division
+    // better than the compiler; we are computing dist / small_divisor here
+    ret_value.significand +=
+        small_division_by_pow10<float_info<T>::kappa>(dist);
+  }
+  return ret_value;
+}
+}  // namespace dragonbox
+
+// Formats a floating-point number using a variation of the Fixed-Precision
+// Positive Floating-Point Printout ((FPP)^2) algorithm by Steele & White:
+// https://fmt.dev/papers/p372-steele.pdf.
+FMT_CONSTEXPR20 inline void format_dragon(fp value, bool is_predecessor_closer,
+                                          int num_digits, buffer<char>& buf,
+                                          int& exp10) {
+  bigint numerator;    // 2 * R in (FPP)^2.
+  bigint denominator;  // 2 * S in (FPP)^2.
+  // lower and upper are differences between value and corresponding boundaries.
+  bigint lower;             // (M^- in (FPP)^2).
+  bigint upper_store;       // upper's value if different from lower.
+  bigint* upper = nullptr;  // (M^+ in (FPP)^2).
+  // Shift numerator and denominator by an extra bit or two (if lower boundary
+  // is closer) to make lower and upper integers. This eliminates multiplication
+  // by 2 during later computations.
+  int shift = is_predecessor_closer ? 2 : 1;
+  uint64_t significand = value.f << shift;
+  if (value.e >= 0) {
+    numerator.assign(significand);
+    numerator <<= value.e;
+    lower.assign(1);
+    lower <<= value.e;
+    if (shift != 1) {
+      upper_store.assign(1);
+      upper_store <<= value.e + 1;
+      upper = &upper_store;
+    }
+    denominator.assign_pow10(exp10);
+    denominator <<= shift;
+  } else if (exp10 < 0) {
+    numerator.assign_pow10(-exp10);
+    lower.assign(numerator);
+    if (shift != 1) {
+      upper_store.assign(numerator);
+      upper_store <<= 1;
+      upper = &upper_store;
+    }
+    numerator *= significand;
+    denominator.assign(1);
+    denominator <<= shift - value.e;
+  } else {
+    numerator.assign(significand);
+    denominator.assign_pow10(exp10);
+    denominator <<= shift - value.e;
+    lower.assign(1);
+    if (shift != 1) {
+      upper_store.assign(1ULL << 1);
+      upper = &upper_store;
+    }
+  }
+  // Invariant: value == (numerator / denominator) * pow(10, exp10).
+  if (num_digits < 0) {
+    // Generate the shortest representation.
+    if (!upper) upper = &lower;
+    bool even = (value.f & 1) == 0;
+    num_digits = 0;
+    char* data = buf.data();
+    for (;;) {
+      int digit = numerator.divmod_assign(denominator);
+      bool low = compare(numerator, lower) - even < 0;  // numerator <[=] lower.
+      // numerator + upper >[=] pow10:
+      bool high = add_compare(numerator, *upper, denominator) + even > 0;
+      data[num_digits++] = static_cast<char>('0' + digit);
+      if (low || high) {
+        if (!low) {
+          ++data[num_digits - 1];
+        } else if (high) {
+          int result = add_compare(numerator, numerator, denominator);
+          // Round half to even.
+          if (result > 0 || (result == 0 && (digit % 2) != 0))
+            ++data[num_digits - 1];
+        }
+        buf.try_resize(to_unsigned(num_digits));
+        exp10 -= num_digits - 1;
+        return;
+      }
+      numerator *= 10;
+      lower *= 10;
+      if (upper != &lower) *upper *= 10;
+    }
+  }
+  // Generate the given number of digits.
+  exp10 -= num_digits - 1;
+  if (num_digits == 0) {
+    denominator *= 10;
+    auto digit = add_compare(numerator, numerator, denominator) > 0 ? '1' : '0';
+    buf.push_back(digit);
+    return;
+  }
+  buf.try_resize(to_unsigned(num_digits));
+  for (int i = 0; i < num_digits - 1; ++i) {
+    int digit = numerator.divmod_assign(denominator);
+    buf[i] = static_cast<char>('0' + digit);
+    numerator *= 10;
+  }
+  int digit = numerator.divmod_assign(denominator);
+  auto result = add_compare(numerator, numerator, denominator);
+  if (result > 0 || (result == 0 && (digit % 2) != 0)) {
+    if (digit == 9) {
+      const auto overflow = '0' + 10;
+      buf[num_digits - 1] = overflow;
+      // Propagate the carry.
+      for (int i = num_digits - 1; i > 0 && buf[i] == overflow; --i) {
+        buf[i] = '0';
+        ++buf[i - 1];
+      }
+      if (buf[0] == overflow) {
+        buf[0] = '1';
+        ++exp10;
+      }
+      return;
+    }
+    ++digit;
+  }
+  buf[num_digits - 1] = static_cast<char>('0' + digit);
+}
+
+template <typename Float>
+FMT_HEADER_ONLY_CONSTEXPR20 int format_float(Float value, int precision,
+                                             float_specs specs,
+                                             buffer<char>& buf) {
+  // float is passed as double to reduce the number of instantiations.
+  static_assert(!std::is_same<Float, float>::value, "");
+  FMT_ASSERT(value >= 0, "value is negative");
+
+  const bool fixed = specs.format == float_format::fixed;
+  if (value <= 0) {  // <= instead of == to silence a warning.
+    if (precision <= 0 || !fixed) {
+      buf.push_back('0');
+      return 0;
+    }
+    buf.try_resize(to_unsigned(precision));
+    fill_n(buf.data(), precision, '0');
+    return -precision;
+  }
+
+  if (specs.fallback) return snprintf_float(value, precision, specs, buf);
+
+  if (!is_constant_evaluated() && precision < 0) {
+    // Use Dragonbox for the shortest format.
+    if (specs.binary32) {
+      auto dec = dragonbox::to_decimal(static_cast<float>(value));
+      write<char>(buffer_appender<char>(buf), dec.significand);
+      return dec.exponent;
+    }
+    auto dec = dragonbox::to_decimal(static_cast<double>(value));
+    write<char>(buffer_appender<char>(buf), dec.significand);
+    return dec.exponent;
+  }
+
+  int exp = 0;
+  bool use_dragon = true;
+  if (is_fast_float<Float>()) {
+    // Use Grisu + Dragon4 for the given precision:
+    // https://www.cs.tufts.edu/~nr/cs257/archive/florian-loitsch/printf.pdf.
+    const int min_exp = -60;  // alpha in Grisu.
+    int cached_exp10 = 0;     // K in Grisu.
+    fp normalized = normalize(fp(value));
+    const auto cached_pow = get_cached_power(
+        min_exp - (normalized.e + fp::num_significand_bits), cached_exp10);
+    normalized = normalized * cached_pow;
+    gen_digits_handler handler{buf.data(), 0, precision, -cached_exp10, fixed};
+    if (grisu_gen_digits(normalized, 1, exp, handler) != digits::error &&
+        !is_constant_evaluated()) {
+      exp += handler.exp10;
+      buf.try_resize(to_unsigned(handler.size));
+      use_dragon = false;
+    } else {
+      exp += handler.size - cached_exp10 - 1;
+      precision = handler.precision;
+    }
+  }
+  if (use_dragon) {
+    auto f = fp();
+    bool is_predecessor_closer =
+        specs.binary32 ? f.assign(static_cast<float>(value)) : f.assign(value);
+    // Limit precision to the maximum possible number of significant digits in
+    // an IEEE754 double because we don't need to generate zeros.
+    const int max_double_digits = 767;
+    if (precision > max_double_digits) precision = max_double_digits;
+    format_dragon(f, is_predecessor_closer, precision, buf, exp);
+  }
+  if (!fixed && !specs.showpoint) {
+    // Remove trailing zeros.
+    auto num_digits = buf.size();
+    while (num_digits > 0 && buf[num_digits - 1] == '0') {
+      --num_digits;
+      ++exp;
+    }
+    buf.try_resize(num_digits);
+  }
+  return exp;
+}
+
+template <typename T>
+int snprintf_float(T value, int precision, float_specs specs,
+                   buffer<char>& buf) {
+  // Buffer capacity must be non-zero, otherwise MSVC's vsnprintf_s will fail.
+  FMT_ASSERT(buf.capacity() > buf.size(), "empty buffer");
+  static_assert(!std::is_same<T, float>::value, "");
+
+  // Subtract 1 to account for the difference in precision since we use %e for
+  // both general and exponent format.
+  if (specs.format == float_format::general ||
+      specs.format == float_format::exp)
+    precision = (precision >= 0 ? precision : 6) - 1;
+
+  // Build the format string.
+  enum { max_format_size = 7 };  // The longest format is "%#.*Le".
+  char format[max_format_size];
+  char* format_ptr = format;
+  *format_ptr++ = '%';
+  if (specs.showpoint && specs.format == float_format::hex) *format_ptr++ = '#';
+  if (precision >= 0) {
+    *format_ptr++ = '.';
+    *format_ptr++ = '*';
+  }
+  if (std::is_same<T, long double>()) *format_ptr++ = 'L';
+  *format_ptr++ = specs.format != float_format::hex
+                      ? (specs.format == float_format::fixed ? 'f' : 'e')
+                      : (specs.upper ? 'A' : 'a');
+  *format_ptr = '\0';
+
+  // Format using snprintf.
+  auto offset = buf.size();
+  for (;;) {
+    auto begin = buf.data() + offset;
+    auto capacity = buf.capacity() - offset;
+#ifdef FMT_FUZZ
+    if (precision > 100000)
+      throw std::runtime_error(
+          "fuzz mode - avoid large allocation inside snprintf");
+#endif
+    // Suppress the warning about a nonliteral format string.
+    // Cannot use auto because of a bug in MinGW (#1532).
+    int (*snprintf_ptr)(char*, size_t, const char*, ...) = FMT_SNPRINTF;
+    int result = precision >= 0
+                     ? snprintf_ptr(begin, capacity, format, precision, value)
+                     : snprintf_ptr(begin, capacity, format, value);
+    if (result < 0) {
+      // The buffer will grow exponentially.
+      buf.try_reserve(buf.capacity() + 1);
+      continue;
+    }
+    auto size = to_unsigned(result);
+    // Size equal to capacity means that the last character was truncated.
+    if (size >= capacity) {
+      buf.try_reserve(size + offset + 1);  // Add 1 for the terminating '\0'.
+      continue;
+    }
+    auto is_digit = [](char c) { return c >= '0' && c <= '9'; };
+    if (specs.format == float_format::fixed) {
+      if (precision == 0) {
+        buf.try_resize(size);
+        return 0;
+      }
+      // Find and remove the decimal point.
+      auto end = begin + size, p = end;
+      do {
+        --p;
+      } while (is_digit(*p));
+      int fraction_size = static_cast<int>(end - p - 1);
+      std::memmove(p, p + 1, to_unsigned(fraction_size));
+      buf.try_resize(size - 1);
+      return -fraction_size;
+    }
+    if (specs.format == float_format::hex) {
+      buf.try_resize(size + offset);
+      return 0;
+    }
+    // Find and parse the exponent.
+    auto end = begin + size, exp_pos = end;
+    do {
+      --exp_pos;
+    } while (*exp_pos != 'e');
+    char sign = exp_pos[1];
+    FMT_ASSERT(sign == '+' || sign == '-', "");
+    int exp = 0;
+    auto p = exp_pos + 2;  // Skip 'e' and sign.
+    do {
+      FMT_ASSERT(is_digit(*p), "");
+      exp = exp * 10 + (*p++ - '0');
+    } while (p != end);
+    if (sign == '-') exp = -exp;
+    int fraction_size = 0;
+    if (exp_pos != begin + 1) {
+      // Remove trailing zeros.
+      auto fraction_end = exp_pos - 1;
+      while (*fraction_end == '0') --fraction_end;
+      // Move the fractional part left to get rid of the decimal point.
+      fraction_size = static_cast<int>(fraction_end - begin - 1);
+      std::memmove(begin + 1, begin + 2, to_unsigned(fraction_size));
+    }
+    buf.try_resize(to_unsigned(fraction_size) + offset + 1);
+    return exp - fraction_size;
+  }
+}
+}  // namespace detail
+
+template <> struct formatter<detail::bigint> {
+  FMT_CONSTEXPR format_parse_context::iterator parse(
+      format_parse_context& ctx) {
+    return ctx.begin();
+  }
+
+  format_context::iterator format(const detail::bigint& n,
+                                  format_context& ctx) {
+    auto out = ctx.out();
+    bool first = true;
+    for (auto i = n.bigits_.size(); i > 0; --i) {
+      auto value = n.bigits_[i - 1u];
+      if (first) {
+        out = format_to(out, FMT_STRING("{:x}"), value);
+        first = false;
+        continue;
+      }
+      out = format_to(out, FMT_STRING("{:08x}"), value);
+    }
+    if (n.exp_ > 0)
+      out = format_to(out, FMT_STRING("p{}"),
+                      n.exp_ * detail::bigint::bigit_bits);
+    return out;
+  }
+};
+
+FMT_FUNC detail::utf8_to_utf16::utf8_to_utf16(string_view s) {
+  for_each_codepoint(s, [this](uint32_t cp, string_view) {
+    if (cp == invalid_code_point) FMT_THROW(std::runtime_error("invalid utf8"));
+    if (cp <= 0xFFFF) {
+      buffer_.push_back(static_cast<wchar_t>(cp));
+    } else {
+      cp -= 0x10000;
+      buffer_.push_back(static_cast<wchar_t>(0xD800 + (cp >> 10)));
+      buffer_.push_back(static_cast<wchar_t>(0xDC00 + (cp & 0x3FF)));
+    }
+    return true;
+  });
+  buffer_.push_back(0);
+}
+
+FMT_FUNC void format_system_error(detail::buffer<char>& out, int error_code,
+                                  const char* message) FMT_NOEXCEPT {
+  FMT_TRY {
+    auto ec = std::error_code(error_code, std::generic_category());
+    write(std::back_inserter(out), std::system_error(ec, message).what());
+    return;
+  }
+  FMT_CATCH(...) {}
+  format_error_code(out, error_code, message);
+}
+
+FMT_FUNC void report_system_error(int error_code,
+                                  const char* message) FMT_NOEXCEPT {
+  report_error(format_system_error, error_code, message);
+}
+
+// DEPRECATED!
+// This function is defined here and not inline for ABI compatiblity.
+FMT_FUNC void detail::error_handler::on_error(const char* message) {
+  throw_format_error(message);
+}
+
+FMT_FUNC std::string vformat(string_view fmt, format_args args) {
+  // Don't optimize the "{}" case to keep the binary size small and because it
+  // can be better optimized in fmt::format anyway.
+  auto buffer = memory_buffer();
+  detail::vformat_to(buffer, fmt, args);
+  return to_string(buffer);
+}
+
+#ifdef _WIN32
+namespace detail {
+using dword = conditional_t<sizeof(long) == 4, unsigned long, unsigned>;
+extern "C" __declspec(dllimport) int __stdcall WriteConsoleW(  //
+    void*, const void*, dword, dword*, void*);
+}  // namespace detail
+#endif
+
+namespace detail {
+FMT_FUNC void print(std::FILE* f, string_view text) {
+#ifdef _WIN32
+  auto fd = _fileno(f);
+  if (_isatty(fd)) {
+    detail::utf8_to_utf16 u16(string_view(text.data(), text.size()));
+    auto written = detail::dword();
+    if (detail::WriteConsoleW(reinterpret_cast<void*>(_get_osfhandle(fd)),
+                              u16.c_str(), static_cast<uint32_t>(u16.size()),
+                              &written, nullptr)) {
+      return;
+    }
+    // Fallback to fwrite on failure. It can happen if the output has been
+    // redirected to NUL.
+  }
+#endif
+  detail::fwrite_fully(text.data(), 1, text.size(), f);
+}
+}  // namespace detail
+
+FMT_FUNC void vprint(std::FILE* f, string_view format_str, format_args args) {
+  memory_buffer buffer;
+  detail::vformat_to(buffer, format_str, args);
+  detail::print(f, {buffer.data(), buffer.size()});
+}
+
+#ifdef _WIN32
+// Print assuming legacy (non-Unicode) encoding.
+FMT_FUNC void detail::vprint_mojibake(std::FILE* f, string_view format_str,
+                                      format_args args) {
+  memory_buffer buffer;
+  detail::vformat_to(buffer, format_str,
+                     basic_format_args<buffer_context<char>>(args));
+  fwrite_fully(buffer.data(), 1, buffer.size(), f);
+}
+#endif
+
+FMT_FUNC void vprint(string_view format_str, format_args args) {
+  vprint(stdout, format_str, args);
+}
+
+FMT_END_NAMESPACE
+
+#endif  // FMT_FORMAT_INL_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/format.h b/ctrtool/deps/libfmt/include/fmt/format.h
new file mode 100644
index 00000000..ee69651c
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/format.h
@@ -0,0 +1,3104 @@
+/*
+ Formatting library for C++
+
+ Copyright (c) 2012 - present, Victor Zverovich
+
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+ --- Optional exception to the license ---
+
+ As an exception, if, as a result of your compiling your source code, portions
+ of this Software are embedded into a machine-executable object form of such
+ source code, you may redistribute such embedded portions in such object form
+ without including the above copyright and permission notices.
+ */
+
+#ifndef FMT_FORMAT_H_
+#define FMT_FORMAT_H_
+
+#include <cmath>         // std::signbit
+#include <cstdint>       // uint32_t
+#include <limits>        // std::numeric_limits
+#include <memory>        // std::uninitialized_copy
+#include <stdexcept>     // std::runtime_error
+#include <system_error>  // std::system_error
+#include <utility>       // std::swap
+
+#ifdef __cpp_lib_bit_cast
+#  include <bit>  // std::bitcast
+#endif
+
+#include "core.h"
+
+#if FMT_GCC_VERSION
+#  define FMT_GCC_VISIBILITY_HIDDEN __attribute__((visibility("hidden")))
+#else
+#  define FMT_GCC_VISIBILITY_HIDDEN
+#endif
+
+#ifdef __NVCC__
+#  define FMT_CUDA_VERSION (__CUDACC_VER_MAJOR__ * 100 + __CUDACC_VER_MINOR__)
+#else
+#  define FMT_CUDA_VERSION 0
+#endif
+
+#ifdef __has_builtin
+#  define FMT_HAS_BUILTIN(x) __has_builtin(x)
+#else
+#  define FMT_HAS_BUILTIN(x) 0
+#endif
+
+#if FMT_GCC_VERSION || FMT_CLANG_VERSION
+#  define FMT_NOINLINE __attribute__((noinline))
+#else
+#  define FMT_NOINLINE
+#endif
+
+#if FMT_MSC_VER
+#  define FMT_MSC_DEFAULT = default
+#else
+#  define FMT_MSC_DEFAULT
+#endif
+
+#ifndef FMT_THROW
+#  if FMT_EXCEPTIONS
+#    if FMT_MSC_VER || FMT_NVCC
+FMT_BEGIN_NAMESPACE
+namespace detail {
+template <typename Exception> inline void do_throw(const Exception& x) {
+  // Silence unreachable code warnings in MSVC and NVCC because these
+  // are nearly impossible to fix in a generic code.
+  volatile bool b = true;
+  if (b) throw x;
+}
+}  // namespace detail
+FMT_END_NAMESPACE
+#      define FMT_THROW(x) detail::do_throw(x)
+#    else
+#      define FMT_THROW(x) throw x
+#    endif
+#  else
+#    define FMT_THROW(x)               \
+      do {                             \
+        FMT_ASSERT(false, (x).what()); \
+      } while (false)
+#  endif
+#endif
+
+#if FMT_EXCEPTIONS
+#  define FMT_TRY try
+#  define FMT_CATCH(x) catch (x)
+#else
+#  define FMT_TRY if (true)
+#  define FMT_CATCH(x) if (false)
+#endif
+
+#ifndef FMT_MAYBE_UNUSED
+#  if FMT_HAS_CPP17_ATTRIBUTE(maybe_unused)
+#    define FMT_MAYBE_UNUSED [[maybe_unused]]
+#  else
+#    define FMT_MAYBE_UNUSED
+#  endif
+#endif
+
+// Workaround broken [[deprecated]] in the Intel, PGI and NVCC compilers.
+#if FMT_ICC_VERSION || defined(__PGI) || FMT_NVCC
+#  define FMT_DEPRECATED_ALIAS
+#else
+#  define FMT_DEPRECATED_ALIAS FMT_DEPRECATED
+#endif
+
+#ifndef FMT_USE_USER_DEFINED_LITERALS
+// EDG based compilers (Intel, NVIDIA, Elbrus, etc), GCC and MSVC support UDLs.
+#  if (FMT_HAS_FEATURE(cxx_user_literals) || FMT_GCC_VERSION >= 407 || \
+       FMT_MSC_VER >= 1900) &&                                         \
+      (!defined(__EDG_VERSION__) || __EDG_VERSION__ >= /* UDL feature */ 480)
+#    define FMT_USE_USER_DEFINED_LITERALS 1
+#  else
+#    define FMT_USE_USER_DEFINED_LITERALS 0
+#  endif
+#endif
+
+// Defining FMT_REDUCE_INT_INSTANTIATIONS to 1, will reduce the number of
+// integer formatter template instantiations to just one by only using the
+// largest integer type. This results in a reduction in binary size but will
+// cause a decrease in integer formatting performance.
+#if !defined(FMT_REDUCE_INT_INSTANTIATIONS)
+#  define FMT_REDUCE_INT_INSTANTIATIONS 0
+#endif
+
+// __builtin_clz is broken in clang with Microsoft CodeGen:
+// https://github.com/fmtlib/fmt/issues/519.
+#if !FMT_MSC_VER
+#  if FMT_HAS_BUILTIN(__builtin_clz) || FMT_GCC_VERSION || FMT_ICC_VERSION
+#    define FMT_BUILTIN_CLZ(n) __builtin_clz(n)
+#  endif
+#  if FMT_HAS_BUILTIN(__builtin_clzll) || FMT_GCC_VERSION || FMT_ICC_VERSION
+#    define FMT_BUILTIN_CLZLL(n) __builtin_clzll(n)
+#  endif
+#endif
+
+// __builtin_ctz is broken in Intel Compiler Classic on Windows:
+// https://github.com/fmtlib/fmt/issues/2510.
+#ifndef __ICL
+#  if FMT_HAS_BUILTIN(__builtin_ctz) || FMT_GCC_VERSION || FMT_ICC_VERSION
+#    define FMT_BUILTIN_CTZ(n) __builtin_ctz(n)
+#  endif
+#  if FMT_HAS_BUILTIN(__builtin_ctzll) || FMT_GCC_VERSION || FMT_ICC_VERSION
+#    define FMT_BUILTIN_CTZLL(n) __builtin_ctzll(n)
+#  endif
+#endif
+
+#if FMT_MSC_VER
+#  include <intrin.h>  // _BitScanReverse[64], _BitScanForward[64], _umul128
+#endif
+
+// Some compilers masquerade as both MSVC and GCC-likes or otherwise support
+// __builtin_clz and __builtin_clzll, so only define FMT_BUILTIN_CLZ using the
+// MSVC intrinsics if the clz and clzll builtins are not available.
+#if FMT_MSC_VER && !defined(FMT_BUILTIN_CLZLL) && !defined(FMT_BUILTIN_CTZLL)
+FMT_BEGIN_NAMESPACE
+namespace detail {
+// Avoid Clang with Microsoft CodeGen's -Wunknown-pragmas warning.
+#  if !defined(__clang__)
+#    pragma intrinsic(_BitScanForward)
+#    pragma intrinsic(_BitScanReverse)
+#    if defined(_WIN64)
+#      pragma intrinsic(_BitScanForward64)
+#      pragma intrinsic(_BitScanReverse64)
+#    endif
+#  endif
+
+inline auto clz(uint32_t x) -> int {
+  unsigned long r = 0;
+  _BitScanReverse(&r, x);
+  FMT_ASSERT(x != 0, "");
+  // Static analysis complains about using uninitialized data
+  // "r", but the only way that can happen is if "x" is 0,
+  // which the callers guarantee to not happen.
+  FMT_MSC_WARNING(suppress : 6102)
+  return 31 ^ static_cast<int>(r);
+}
+#  define FMT_BUILTIN_CLZ(n) detail::clz(n)
+
+inline auto clzll(uint64_t x) -> int {
+  unsigned long r = 0;
+#  ifdef _WIN64
+  _BitScanReverse64(&r, x);
+#  else
+  // Scan the high 32 bits.
+  if (_BitScanReverse(&r, static_cast<uint32_t>(x >> 32))) return 63 ^ (r + 32);
+  // Scan the low 32 bits.
+  _BitScanReverse(&r, static_cast<uint32_t>(x));
+#  endif
+  FMT_ASSERT(x != 0, "");
+  FMT_MSC_WARNING(suppress : 6102)  // Suppress a bogus static analysis warning.
+  return 63 ^ static_cast<int>(r);
+}
+#  define FMT_BUILTIN_CLZLL(n) detail::clzll(n)
+
+inline auto ctz(uint32_t x) -> int {
+  unsigned long r = 0;
+  _BitScanForward(&r, x);
+  FMT_ASSERT(x != 0, "");
+  FMT_MSC_WARNING(suppress : 6102)  // Suppress a bogus static analysis warning.
+  return static_cast<int>(r);
+}
+#  define FMT_BUILTIN_CTZ(n) detail::ctz(n)
+
+inline auto ctzll(uint64_t x) -> int {
+  unsigned long r = 0;
+  FMT_ASSERT(x != 0, "");
+  FMT_MSC_WARNING(suppress : 6102)  // Suppress a bogus static analysis warning.
+#  ifdef _WIN64
+  _BitScanForward64(&r, x);
+#  else
+  // Scan the low 32 bits.
+  if (_BitScanForward(&r, static_cast<uint32_t>(x))) return static_cast<int>(r);
+  // Scan the high 32 bits.
+  _BitScanForward(&r, static_cast<uint32_t>(x >> 32));
+  r += 32;
+#  endif
+  return static_cast<int>(r);
+}
+#  define FMT_BUILTIN_CTZLL(n) detail::ctzll(n)
+}  // namespace detail
+FMT_END_NAMESPACE
+#endif
+
+#ifdef FMT_HEADER_ONLY
+#  define FMT_HEADER_ONLY_CONSTEXPR20 FMT_CONSTEXPR20
+#else
+#  define FMT_HEADER_ONLY_CONSTEXPR20
+#endif
+
+FMT_BEGIN_NAMESPACE
+namespace detail {
+
+template <typename Streambuf> class formatbuf : public Streambuf {
+ private:
+  using char_type = typename Streambuf::char_type;
+  using streamsize = decltype(std::declval<Streambuf>().sputn(nullptr, 0));
+  using int_type = typename Streambuf::int_type;
+  using traits_type = typename Streambuf::traits_type;
+
+  buffer<char_type>& buffer_;
+
+ public:
+  explicit formatbuf(buffer<char_type>& buf) : buffer_(buf) {}
+
+ protected:
+  // The put area is always empty. This makes the implementation simpler and has
+  // the advantage that the streambuf and the buffer are always in sync and
+  // sputc never writes into uninitialized memory. A disadvantage is that each
+  // call to sputc always results in a (virtual) call to overflow. There is no
+  // disadvantage here for sputn since this always results in a call to xsputn.
+
+  auto overflow(int_type ch) -> int_type override {
+    if (!traits_type::eq_int_type(ch, traits_type::eof()))
+      buffer_.push_back(static_cast<char_type>(ch));
+    return ch;
+  }
+
+  auto xsputn(const char_type* s, streamsize count) -> streamsize override {
+    buffer_.append(s, s + count);
+    return count;
+  }
+};
+
+// Implementation of std::bit_cast for pre-C++20.
+template <typename To, typename From>
+FMT_CONSTEXPR20 auto bit_cast(const From& from) -> To {
+  static_assert(sizeof(To) == sizeof(From), "size mismatch");
+#ifdef __cpp_lib_bit_cast
+  if (is_constant_evaluated()) return std::bit_cast<To>(from);
+#endif
+  auto to = To();
+  std::memcpy(&to, &from, sizeof(to));
+  return to;
+}
+
+inline auto is_big_endian() -> bool {
+#ifdef _WIN32
+  return false;
+#elif defined(__BIG_ENDIAN__)
+  return true;
+#elif defined(__BYTE_ORDER__) && defined(__ORDER_BIG_ENDIAN__)
+  return __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__;
+#else
+  struct bytes {
+    char data[sizeof(int)];
+  };
+  return bit_cast<bytes>(1).data[0] == 0;
+#endif
+}
+
+// A fallback implementation of uintptr_t for systems that lack it.
+struct fallback_uintptr {
+  unsigned char value[sizeof(void*)];
+
+  fallback_uintptr() = default;
+  explicit fallback_uintptr(const void* p) {
+    *this = bit_cast<fallback_uintptr>(p);
+    if (const_check(is_big_endian())) {
+      for (size_t i = 0, j = sizeof(void*) - 1; i < j; ++i, --j)
+        std::swap(value[i], value[j]);
+    }
+  }
+};
+#ifdef UINTPTR_MAX
+using uintptr_t = ::uintptr_t;
+inline auto to_uintptr(const void* p) -> uintptr_t {
+  return bit_cast<uintptr_t>(p);
+}
+#else
+using uintptr_t = fallback_uintptr;
+inline auto to_uintptr(const void* p) -> fallback_uintptr {
+  return fallback_uintptr(p);
+}
+#endif
+
+// Returns the largest possible value for type T. Same as
+// std::numeric_limits<T>::max() but shorter and not affected by the max macro.
+template <typename T> constexpr auto max_value() -> T {
+  return (std::numeric_limits<T>::max)();
+}
+template <typename T> constexpr auto num_bits() -> int {
+  return std::numeric_limits<T>::digits;
+}
+// std::numeric_limits<T>::digits may return 0 for 128-bit ints.
+template <> constexpr auto num_bits<int128_t>() -> int { return 128; }
+template <> constexpr auto num_bits<uint128_t>() -> int { return 128; }
+template <> constexpr auto num_bits<fallback_uintptr>() -> int {
+  return static_cast<int>(sizeof(void*) *
+                          std::numeric_limits<unsigned char>::digits);
+}
+
+FMT_INLINE void assume(bool condition) {
+  (void)condition;
+#if FMT_HAS_BUILTIN(__builtin_assume)
+  __builtin_assume(condition);
+#endif
+}
+
+// An approximation of iterator_t for pre-C++20 systems.
+template <typename T>
+using iterator_t = decltype(std::begin(std::declval<T&>()));
+template <typename T> using sentinel_t = decltype(std::end(std::declval<T&>()));
+
+// A workaround for std::string not having mutable data() until C++17.
+template <typename Char>
+inline auto get_data(std::basic_string<Char>& s) -> Char* {
+  return &s[0];
+}
+template <typename Container>
+inline auto get_data(Container& c) -> typename Container::value_type* {
+  return c.data();
+}
+
+#if defined(_SECURE_SCL) && _SECURE_SCL
+// Make a checked iterator to avoid MSVC warnings.
+template <typename T> using checked_ptr = stdext::checked_array_iterator<T*>;
+template <typename T>
+constexpr auto make_checked(T* p, size_t size) -> checked_ptr<T> {
+  return {p, size};
+}
+#else
+template <typename T> using checked_ptr = T*;
+template <typename T> constexpr auto make_checked(T* p, size_t) -> T* {
+  return p;
+}
+#endif
+
+// Attempts to reserve space for n extra characters in the output range.
+// Returns a pointer to the reserved range or a reference to it.
+template <typename Container, FMT_ENABLE_IF(is_contiguous<Container>::value)>
+#if FMT_CLANG_VERSION >= 307 && !FMT_ICC_VERSION
+__attribute__((no_sanitize("undefined")))
+#endif
+inline auto
+reserve(std::back_insert_iterator<Container> it, size_t n)
+    -> checked_ptr<typename Container::value_type> {
+  Container& c = get_container(it);
+  size_t size = c.size();
+  c.resize(size + n);
+  return make_checked(get_data(c) + size, n);
+}
+
+template <typename T>
+inline auto reserve(buffer_appender<T> it, size_t n) -> buffer_appender<T> {
+  buffer<T>& buf = get_container(it);
+  buf.try_reserve(buf.size() + n);
+  return it;
+}
+
+template <typename Iterator>
+constexpr auto reserve(Iterator& it, size_t) -> Iterator& {
+  return it;
+}
+
+template <typename OutputIt>
+using reserve_iterator =
+    remove_reference_t<decltype(reserve(std::declval<OutputIt&>(), 0))>;
+
+template <typename T, typename OutputIt>
+constexpr auto to_pointer(OutputIt, size_t) -> T* {
+  return nullptr;
+}
+template <typename T> auto to_pointer(buffer_appender<T> it, size_t n) -> T* {
+  buffer<T>& buf = get_container(it);
+  auto size = buf.size();
+  if (buf.capacity() < size + n) return nullptr;
+  buf.try_resize(size + n);
+  return buf.data() + size;
+}
+
+template <typename Container, FMT_ENABLE_IF(is_contiguous<Container>::value)>
+inline auto base_iterator(std::back_insert_iterator<Container>& it,
+                          checked_ptr<typename Container::value_type>)
+    -> std::back_insert_iterator<Container> {
+  return it;
+}
+
+template <typename Iterator>
+constexpr auto base_iterator(Iterator, Iterator it) -> Iterator {
+  return it;
+}
+
+// <algorithm> is spectacularly slow to compile in C++20 so use a simple fill_n
+// instead (#1998).
+template <typename OutputIt, typename Size, typename T>
+FMT_CONSTEXPR auto fill_n(OutputIt out, Size count, const T& value)
+    -> OutputIt {
+  for (Size i = 0; i < count; ++i) *out++ = value;
+  return out;
+}
+template <typename T, typename Size>
+FMT_CONSTEXPR20 auto fill_n(T* out, Size count, char value) -> T* {
+  if (is_constant_evaluated()) {
+    return fill_n<T*, Size, T>(out, count, value);
+  }
+  std::memset(out, value, to_unsigned(count));
+  return out + count;
+}
+
+#ifdef __cpp_char8_t
+using char8_type = char8_t;
+#else
+enum char8_type : unsigned char {};
+#endif
+
+template <typename OutChar, typename InputIt, typename OutputIt>
+FMT_CONSTEXPR FMT_NOINLINE auto copy_str_noinline(InputIt begin, InputIt end,
+                                                  OutputIt out) -> OutputIt {
+  return copy_str<OutChar>(begin, end, out);
+}
+
+// A public domain branchless UTF-8 decoder by Christopher Wellons:
+// https://github.com/skeeto/branchless-utf8
+/* Decode the next character, c, from s, reporting errors in e.
+ *
+ * Since this is a branchless decoder, four bytes will be read from the
+ * buffer regardless of the actual length of the next character. This
+ * means the buffer _must_ have at least three bytes of zero padding
+ * following the end of the data stream.
+ *
+ * Errors are reported in e, which will be non-zero if the parsed
+ * character was somehow invalid: invalid byte sequence, non-canonical
+ * encoding, or a surrogate half.
+ *
+ * The function returns a pointer to the next character. When an error
+ * occurs, this pointer will be a guess that depends on the particular
+ * error, but it will always advance at least one byte.
+ */
+FMT_CONSTEXPR inline auto utf8_decode(const char* s, uint32_t* c, int* e)
+    -> const char* {
+  constexpr const int masks[] = {0x00, 0x7f, 0x1f, 0x0f, 0x07};
+  constexpr const uint32_t mins[] = {4194304, 0, 128, 2048, 65536};
+  constexpr const int shiftc[] = {0, 18, 12, 6, 0};
+  constexpr const int shifte[] = {0, 6, 4, 2, 0};
+
+  int len = code_point_length(s);
+  const char* next = s + len;
+
+  // Assume a four-byte character and load four bytes. Unused bits are
+  // shifted out.
+  *c = uint32_t(s[0] & masks[len]) << 18;
+  *c |= uint32_t(s[1] & 0x3f) << 12;
+  *c |= uint32_t(s[2] & 0x3f) << 6;
+  *c |= uint32_t(s[3] & 0x3f) << 0;
+  *c >>= shiftc[len];
+
+  // Accumulate the various error conditions.
+  using uchar = unsigned char;
+  *e = (*c < mins[len]) << 6;       // non-canonical encoding
+  *e |= ((*c >> 11) == 0x1b) << 7;  // surrogate half?
+  *e |= (*c > 0x10FFFF) << 8;       // out of range?
+  *e |= (uchar(s[1]) & 0xc0) >> 2;
+  *e |= (uchar(s[2]) & 0xc0) >> 4;
+  *e |= uchar(s[3]) >> 6;
+  *e ^= 0x2a;  // top two bits of each tail byte correct?
+  *e >>= shifte[len];
+
+  return next;
+}
+
+constexpr uint32_t invalid_code_point = ~uint32_t();
+
+// Invokes f(cp, sv) for every code point cp in s with sv being the string view
+// corresponding to the code point. cp is invalid_code_point on error.
+template <typename F>
+FMT_CONSTEXPR void for_each_codepoint(string_view s, F f) {
+  auto decode = [f](const char* buf_ptr, const char* ptr) {
+    auto cp = uint32_t();
+    auto error = 0;
+    auto end = utf8_decode(buf_ptr, &cp, &error);
+    bool result = f(error ? invalid_code_point : cp,
+                    string_view(ptr, to_unsigned(end - buf_ptr)));
+    return result ? end : nullptr;
+  };
+  auto p = s.data();
+  const size_t block_size = 4;  // utf8_decode always reads blocks of 4 chars.
+  if (s.size() >= block_size) {
+    for (auto end = p + s.size() - block_size + 1; p < end;) {
+      p = decode(p, p);
+      if (!p) return;
+    }
+  }
+  if (auto num_chars_left = s.data() + s.size() - p) {
+    char buf[2 * block_size - 1] = {};
+    copy_str<char>(p, p + num_chars_left, buf);
+    const char* buf_ptr = buf;
+    do {
+      auto end = decode(buf_ptr, p);
+      if (!end) return;
+      p += end - buf_ptr;
+      buf_ptr = end;
+    } while (buf_ptr - buf < num_chars_left);
+  }
+}
+
+template <typename Char>
+inline auto compute_width(basic_string_view<Char> s) -> size_t {
+  return s.size();
+}
+
+// Computes approximate display width of a UTF-8 string.
+FMT_CONSTEXPR inline size_t compute_width(string_view s) {
+  size_t num_code_points = 0;
+  // It is not a lambda for compatibility with C++14.
+  struct count_code_points {
+    size_t* count;
+    FMT_CONSTEXPR auto operator()(uint32_t cp, string_view) const -> bool {
+      *count += detail::to_unsigned(
+          1 +
+          (cp >= 0x1100 &&
+           (cp <= 0x115f ||  // Hangul Jamo init. consonants
+            cp == 0x2329 ||  // LEFT-POINTING ANGLE BRACKET
+            cp == 0x232a ||  // RIGHT-POINTING ANGLE BRACKET
+            // CJK ... Yi except IDEOGRAPHIC HALF FILL SPACE:
+            (cp >= 0x2e80 && cp <= 0xa4cf && cp != 0x303f) ||
+            (cp >= 0xac00 && cp <= 0xd7a3) ||    // Hangul Syllables
+            (cp >= 0xf900 && cp <= 0xfaff) ||    // CJK Compatibility Ideographs
+            (cp >= 0xfe10 && cp <= 0xfe19) ||    // Vertical Forms
+            (cp >= 0xfe30 && cp <= 0xfe6f) ||    // CJK Compatibility Forms
+            (cp >= 0xff00 && cp <= 0xff60) ||    // Fullwidth Forms
+            (cp >= 0xffe0 && cp <= 0xffe6) ||    // Fullwidth Forms
+            (cp >= 0x20000 && cp <= 0x2fffd) ||  // CJK
+            (cp >= 0x30000 && cp <= 0x3fffd) ||
+            // Miscellaneous Symbols and Pictographs + Emoticons:
+            (cp >= 0x1f300 && cp <= 0x1f64f) ||
+            // Supplemental Symbols and Pictographs:
+            (cp >= 0x1f900 && cp <= 0x1f9ff))));
+      return true;
+    }
+  };
+  for_each_codepoint(s, count_code_points{&num_code_points});
+  return num_code_points;
+}
+
+inline auto compute_width(basic_string_view<char8_type> s) -> size_t {
+  return compute_width(basic_string_view<char>(
+      reinterpret_cast<const char*>(s.data()), s.size()));
+}
+
+template <typename Char>
+inline auto code_point_index(basic_string_view<Char> s, size_t n) -> size_t {
+  size_t size = s.size();
+  return n < size ? n : size;
+}
+
+// Calculates the index of the nth code point in a UTF-8 string.
+inline auto code_point_index(basic_string_view<char8_type> s, size_t n)
+    -> size_t {
+  const char8_type* data = s.data();
+  size_t num_code_points = 0;
+  for (size_t i = 0, size = s.size(); i != size; ++i) {
+    if ((data[i] & 0xc0) != 0x80 && ++num_code_points > n) return i;
+  }
+  return s.size();
+}
+
+template <typename T, bool = std::is_floating_point<T>::value>
+struct is_fast_float : bool_constant<std::numeric_limits<T>::is_iec559 &&
+                                     sizeof(T) <= sizeof(double)> {};
+template <typename T> struct is_fast_float<T, false> : std::false_type {};
+
+#ifndef FMT_USE_FULL_CACHE_DRAGONBOX
+#  define FMT_USE_FULL_CACHE_DRAGONBOX 0
+#endif
+
+template <typename T>
+template <typename U>
+void buffer<T>::append(const U* begin, const U* end) {
+  while (begin != end) {
+    auto count = to_unsigned(end - begin);
+    try_reserve(size_ + count);
+    auto free_cap = capacity_ - size_;
+    if (free_cap < count) count = free_cap;
+    std::uninitialized_copy_n(begin, count, make_checked(ptr_ + size_, count));
+    size_ += count;
+    begin += count;
+  }
+}
+
+template <typename T, typename Enable = void>
+struct is_locale : std::false_type {};
+template <typename T>
+struct is_locale<T, void_t<decltype(T::classic())>> : std::true_type {};
+}  // namespace detail
+
+FMT_MODULE_EXPORT_BEGIN
+
+// The number of characters to store in the basic_memory_buffer object itself
+// to avoid dynamic memory allocation.
+enum { inline_buffer_size = 500 };
+
+/**
+  \rst
+  A dynamically growing memory buffer for trivially copyable/constructible types
+  with the first ``SIZE`` elements stored in the object itself.
+
+  You can use the ``memory_buffer`` type alias for ``char`` instead.
+
+  **Example**::
+
+     auto out = fmt::memory_buffer();
+     format_to(std::back_inserter(out), "The answer is {}.", 42);
+
+  This will append the following output to the ``out`` object:
+
+  .. code-block:: none
+
+     The answer is 42.
+
+  The output can be converted to an ``std::string`` with ``to_string(out)``.
+  \endrst
+ */
+template <typename T, size_t SIZE = inline_buffer_size,
+          typename Allocator = std::allocator<T>>
+class basic_memory_buffer final : public detail::buffer<T> {
+ private:
+  T store_[SIZE];
+
+  // Don't inherit from Allocator avoid generating type_info for it.
+  Allocator alloc_;
+
+  // Deallocate memory allocated by the buffer.
+  FMT_CONSTEXPR20 void deallocate() {
+    T* data = this->data();
+    if (data != store_) alloc_.deallocate(data, this->capacity());
+  }
+
+ protected:
+  FMT_CONSTEXPR20 void grow(size_t size) override;
+
+ public:
+  using value_type = T;
+  using const_reference = const T&;
+
+  FMT_CONSTEXPR20 explicit basic_memory_buffer(
+      const Allocator& alloc = Allocator())
+      : alloc_(alloc) {
+    this->set(store_, SIZE);
+    if (detail::is_constant_evaluated()) {
+      detail::fill_n(store_, SIZE, T{});
+    }
+  }
+  FMT_CONSTEXPR20 ~basic_memory_buffer() { deallocate(); }
+
+ private:
+  // Move data from other to this buffer.
+  FMT_CONSTEXPR20 void move(basic_memory_buffer& other) {
+    alloc_ = std::move(other.alloc_);
+    T* data = other.data();
+    size_t size = other.size(), capacity = other.capacity();
+    if (data == other.store_) {
+      this->set(store_, capacity);
+      if (detail::is_constant_evaluated()) {
+        detail::copy_str<T>(other.store_, other.store_ + size,
+                            detail::make_checked(store_, capacity));
+      } else {
+        std::uninitialized_copy(other.store_, other.store_ + size,
+                                detail::make_checked(store_, capacity));
+      }
+    } else {
+      this->set(data, capacity);
+      // Set pointer to the inline array so that delete is not called
+      // when deallocating.
+      other.set(other.store_, 0);
+    }
+    this->resize(size);
+  }
+
+ public:
+  /**
+    \rst
+    Constructs a :class:`fmt::basic_memory_buffer` object moving the content
+    of the other object to it.
+    \endrst
+   */
+  FMT_CONSTEXPR20 basic_memory_buffer(basic_memory_buffer&& other)
+      FMT_NOEXCEPT {
+    move(other);
+  }
+
+  /**
+    \rst
+    Moves the content of the other ``basic_memory_buffer`` object to this one.
+    \endrst
+   */
+  auto operator=(basic_memory_buffer&& other) FMT_NOEXCEPT
+      -> basic_memory_buffer& {
+    FMT_ASSERT(this != &other, "");
+    deallocate();
+    move(other);
+    return *this;
+  }
+
+  // Returns a copy of the allocator associated with this buffer.
+  auto get_allocator() const -> Allocator { return alloc_; }
+
+  /**
+    Resizes the buffer to contain *count* elements. If T is a POD type new
+    elements may not be initialized.
+   */
+  FMT_CONSTEXPR20 void resize(size_t count) { this->try_resize(count); }
+
+  /** Increases the buffer capacity to *new_capacity*. */
+  void reserve(size_t new_capacity) { this->try_reserve(new_capacity); }
+
+  // Directly append data into the buffer
+  using detail::buffer<T>::append;
+  template <typename ContiguousRange>
+  void append(const ContiguousRange& range) {
+    append(range.data(), range.data() + range.size());
+  }
+};
+
+template <typename T, size_t SIZE, typename Allocator>
+FMT_CONSTEXPR20 void basic_memory_buffer<T, SIZE, Allocator>::grow(
+    size_t size) {
+#ifdef FMT_FUZZ
+  if (size > 5000) throw std::runtime_error("fuzz mode - won't grow that much");
+#endif
+  const size_t max_size = std::allocator_traits<Allocator>::max_size(alloc_);
+  size_t old_capacity = this->capacity();
+  size_t new_capacity = old_capacity + old_capacity / 2;
+  if (size > new_capacity)
+    new_capacity = size;
+  else if (new_capacity > max_size)
+    new_capacity = size > max_size ? size : max_size;
+  T* old_data = this->data();
+  T* new_data =
+      std::allocator_traits<Allocator>::allocate(alloc_, new_capacity);
+  // The following code doesn't throw, so the raw pointer above doesn't leak.
+  std::uninitialized_copy(old_data, old_data + this->size(),
+                          detail::make_checked(new_data, new_capacity));
+  this->set(new_data, new_capacity);
+  // deallocate must not throw according to the standard, but even if it does,
+  // the buffer already uses the new storage and will deallocate it in
+  // destructor.
+  if (old_data != store_) alloc_.deallocate(old_data, old_capacity);
+}
+
+using memory_buffer = basic_memory_buffer<char>;
+
+template <typename T, size_t SIZE, typename Allocator>
+struct is_contiguous<basic_memory_buffer<T, SIZE, Allocator>> : std::true_type {
+};
+
+namespace detail {
+FMT_API void print(std::FILE*, string_view);
+}
+
+/** A formatting error such as invalid format string. */
+FMT_CLASS_API
+class FMT_API format_error : public std::runtime_error {
+ public:
+  explicit format_error(const char* message) : std::runtime_error(message) {}
+  explicit format_error(const std::string& message)
+      : std::runtime_error(message) {}
+  format_error(const format_error&) = default;
+  format_error& operator=(const format_error&) = default;
+  format_error(format_error&&) = default;
+  format_error& operator=(format_error&&) = default;
+  ~format_error() FMT_NOEXCEPT override FMT_MSC_DEFAULT;
+};
+
+/**
+  \rst
+  Constructs a `~fmt::format_arg_store` object that contains references
+  to arguments and can be implicitly converted to `~fmt::format_args`.
+  If ``fmt`` is a compile-time string then `make_args_checked` checks
+  its validity at compile time.
+  \endrst
+ */
+template <typename... Args, typename S, typename Char = char_t<S>>
+FMT_INLINE auto make_args_checked(const S& fmt,
+                                  const remove_reference_t<Args>&... args)
+    -> format_arg_store<buffer_context<Char>, remove_reference_t<Args>...> {
+  static_assert(
+      detail::count<(
+              std::is_base_of<detail::view, remove_reference_t<Args>>::value &&
+              std::is_reference<Args>::value)...>() == 0,
+      "passing views as lvalues is disallowed");
+  detail::check_format_string<Args...>(fmt);
+  return {args...};
+}
+
+// compile-time support
+namespace detail_exported {
+#if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+template <typename Char, size_t N> struct fixed_string {
+  constexpr fixed_string(const Char (&str)[N]) {
+    detail::copy_str<Char, const Char*, Char*>(static_cast<const Char*>(str),
+                                               str + N, data);
+  }
+  Char data[N]{};
+};
+#endif
+
+// Converts a compile-time string to basic_string_view.
+template <typename Char, size_t N>
+constexpr auto compile_string_to_view(const Char (&s)[N])
+    -> basic_string_view<Char> {
+  // Remove trailing NUL character if needed. Won't be present if this is used
+  // with a raw character array (i.e. not defined as a string).
+  return {s, N - (std::char_traits<Char>::to_int_type(s[N - 1]) == 0 ? 1 : 0)};
+}
+template <typename Char>
+constexpr auto compile_string_to_view(detail::std_string_view<Char> s)
+    -> basic_string_view<Char> {
+  return {s.data(), s.size()};
+}
+}  // namespace detail_exported
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+template <typename T> struct is_integral : std::is_integral<T> {};
+template <> struct is_integral<int128_t> : std::true_type {};
+template <> struct is_integral<uint128_t> : std::true_type {};
+
+template <typename T>
+using is_signed =
+    std::integral_constant<bool, std::numeric_limits<T>::is_signed ||
+                                     std::is_same<T, int128_t>::value>;
+
+// Returns true if value is negative, false otherwise.
+// Same as `value < 0` but doesn't produce warnings if T is an unsigned type.
+template <typename T, FMT_ENABLE_IF(is_signed<T>::value)>
+FMT_CONSTEXPR auto is_negative(T value) -> bool {
+  return value < 0;
+}
+template <typename T, FMT_ENABLE_IF(!is_signed<T>::value)>
+FMT_CONSTEXPR auto is_negative(T) -> bool {
+  return false;
+}
+
+template <typename T, FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+FMT_CONSTEXPR auto is_supported_floating_point(T) -> uint16_t {
+  return (std::is_same<T, float>::value && FMT_USE_FLOAT) ||
+         (std::is_same<T, double>::value && FMT_USE_DOUBLE) ||
+         (std::is_same<T, long double>::value && FMT_USE_LONG_DOUBLE);
+}
+
+// Smallest of uint32_t, uint64_t, uint128_t that is large enough to
+// represent all values of an integral type T.
+template <typename T>
+using uint32_or_64_or_128_t =
+    conditional_t<num_bits<T>() <= 32 && !FMT_REDUCE_INT_INSTANTIATIONS,
+                  uint32_t,
+                  conditional_t<num_bits<T>() <= 64, uint64_t, uint128_t>>;
+template <typename T>
+using uint64_or_128_t = conditional_t<num_bits<T>() <= 64, uint64_t, uint128_t>;
+
+#define FMT_POWERS_OF_10(factor)                                             \
+  factor * 10, (factor)*100, (factor)*1000, (factor)*10000, (factor)*100000, \
+      (factor)*1000000, (factor)*10000000, (factor)*100000000,               \
+      (factor)*1000000000
+
+// Converts value in the range [0, 100) to a string.
+constexpr const char* digits2(size_t value) {
+  // GCC generates slightly better code when value is pointer-size.
+  return &"0001020304050607080910111213141516171819"
+         "2021222324252627282930313233343536373839"
+         "4041424344454647484950515253545556575859"
+         "6061626364656667686970717273747576777879"
+         "8081828384858687888990919293949596979899"[value * 2];
+}
+
+// Sign is a template parameter to workaround a bug in gcc 4.8.
+template <typename Char, typename Sign> constexpr Char sign(Sign s) {
+#if !FMT_GCC_VERSION || FMT_GCC_VERSION >= 604
+  static_assert(std::is_same<Sign, sign_t>::value, "");
+#endif
+  return static_cast<Char>("\0-+ "[s]);
+}
+
+template <typename T> FMT_CONSTEXPR auto count_digits_fallback(T n) -> int {
+  int count = 1;
+  for (;;) {
+    // Integer division is slow so do it for a group of four digits instead
+    // of for every digit. The idea comes from the talk by Alexandrescu
+    // "Three Optimization Tips for C++". See speed-test for a comparison.
+    if (n < 10) return count;
+    if (n < 100) return count + 1;
+    if (n < 1000) return count + 2;
+    if (n < 10000) return count + 3;
+    n /= 10000u;
+    count += 4;
+  }
+}
+#if FMT_USE_INT128
+FMT_CONSTEXPR inline auto count_digits(uint128_t n) -> int {
+  return count_digits_fallback(n);
+}
+#endif
+
+#ifdef FMT_BUILTIN_CLZLL
+// It is a separate function rather than a part of count_digits to workaround
+// the lack of static constexpr in constexpr functions.
+inline auto do_count_digits(uint64_t n) -> int {
+  // This has comparable performance to the version by Kendall Willets
+  // (https://github.com/fmtlib/format-benchmark/blob/master/digits10)
+  // but uses smaller tables.
+  // Maps bsr(n) to ceil(log10(pow(2, bsr(n) + 1) - 1)).
+  static constexpr uint8_t bsr2log10[] = {
+      1,  1,  1,  2,  2,  2,  3,  3,  3,  4,  4,  4,  4,  5,  5,  5,
+      6,  6,  6,  7,  7,  7,  7,  8,  8,  8,  9,  9,  9,  10, 10, 10,
+      10, 11, 11, 11, 12, 12, 12, 13, 13, 13, 13, 14, 14, 14, 15, 15,
+      15, 16, 16, 16, 16, 17, 17, 17, 18, 18, 18, 19, 19, 19, 19, 20};
+  auto t = bsr2log10[FMT_BUILTIN_CLZLL(n | 1) ^ 63];
+  static constexpr const uint64_t zero_or_powers_of_10[] = {
+      0, 0, FMT_POWERS_OF_10(1U), FMT_POWERS_OF_10(1000000000ULL),
+      10000000000000000000ULL};
+  return t - (n < zero_or_powers_of_10[t]);
+}
+#endif
+
+// Returns the number of decimal digits in n. Leading zeros are not counted
+// except for n == 0 in which case count_digits returns 1.
+FMT_CONSTEXPR20 inline auto count_digits(uint64_t n) -> int {
+#ifdef FMT_BUILTIN_CLZLL
+  if (!is_constant_evaluated()) {
+    return do_count_digits(n);
+  }
+#endif
+  return count_digits_fallback(n);
+}
+
+// Counts the number of digits in n. BITS = log2(radix).
+template <int BITS, typename UInt>
+FMT_CONSTEXPR auto count_digits(UInt n) -> int {
+#ifdef FMT_BUILTIN_CLZ
+  if (num_bits<UInt>() == 32)
+    return (FMT_BUILTIN_CLZ(static_cast<uint32_t>(n) | 1) ^ 31) / BITS + 1;
+#endif
+  // Lambda avoids unreachable code warnings from NVHPC.
+  return [](UInt m) {
+    int num_digits = 0;
+    do {
+      ++num_digits;
+    } while ((m >>= BITS) != 0);
+    return num_digits;
+  }(n);
+}
+
+template <> auto count_digits<4>(detail::fallback_uintptr n) -> int;
+
+#ifdef FMT_BUILTIN_CLZ
+// It is a separate function rather than a part of count_digits to workaround
+// the lack of static constexpr in constexpr functions.
+FMT_INLINE auto do_count_digits(uint32_t n) -> int {
+// An optimization by Kendall Willets from https://bit.ly/3uOIQrB.
+// This increments the upper 32 bits (log10(T) - 1) when >= T is added.
+#  define FMT_INC(T) (((sizeof(#  T) - 1ull) << 32) - T)
+  static constexpr uint64_t table[] = {
+      FMT_INC(0),          FMT_INC(0),          FMT_INC(0),           // 8
+      FMT_INC(10),         FMT_INC(10),         FMT_INC(10),          // 64
+      FMT_INC(100),        FMT_INC(100),        FMT_INC(100),         // 512
+      FMT_INC(1000),       FMT_INC(1000),       FMT_INC(1000),        // 4096
+      FMT_INC(10000),      FMT_INC(10000),      FMT_INC(10000),       // 32k
+      FMT_INC(100000),     FMT_INC(100000),     FMT_INC(100000),      // 256k
+      FMT_INC(1000000),    FMT_INC(1000000),    FMT_INC(1000000),     // 2048k
+      FMT_INC(10000000),   FMT_INC(10000000),   FMT_INC(10000000),    // 16M
+      FMT_INC(100000000),  FMT_INC(100000000),  FMT_INC(100000000),   // 128M
+      FMT_INC(1000000000), FMT_INC(1000000000), FMT_INC(1000000000),  // 1024M
+      FMT_INC(1000000000), FMT_INC(1000000000)                        // 4B
+  };
+  auto inc = table[FMT_BUILTIN_CLZ(n | 1) ^ 31];
+  return static_cast<int>((n + inc) >> 32);
+}
+#endif
+
+// Optional version of count_digits for better performance on 32-bit platforms.
+FMT_CONSTEXPR20 inline auto count_digits(uint32_t n) -> int {
+#ifdef FMT_BUILTIN_CLZ
+  if (!is_constant_evaluated()) {
+    return do_count_digits(n);
+  }
+#endif
+  return count_digits_fallback(n);
+}
+
+template <typename Int> constexpr auto digits10() FMT_NOEXCEPT -> int {
+  return std::numeric_limits<Int>::digits10;
+}
+template <> constexpr auto digits10<int128_t>() FMT_NOEXCEPT -> int {
+  return 38;
+}
+template <> constexpr auto digits10<uint128_t>() FMT_NOEXCEPT -> int {
+  return 38;
+}
+
+template <typename Char> struct thousands_sep_result {
+  std::string grouping;
+  Char thousands_sep;
+};
+
+template <typename Char>
+FMT_API auto thousands_sep_impl(locale_ref loc) -> thousands_sep_result<Char>;
+template <typename Char>
+inline auto thousands_sep(locale_ref loc) -> thousands_sep_result<Char> {
+  auto result = thousands_sep_impl<char>(loc);
+  return {result.grouping, Char(result.thousands_sep)};
+}
+template <>
+inline auto thousands_sep(locale_ref loc) -> thousands_sep_result<wchar_t> {
+  return thousands_sep_impl<wchar_t>(loc);
+}
+
+template <typename Char>
+FMT_API auto decimal_point_impl(locale_ref loc) -> Char;
+template <typename Char> inline auto decimal_point(locale_ref loc) -> Char {
+  return Char(decimal_point_impl<char>(loc));
+}
+template <> inline auto decimal_point(locale_ref loc) -> wchar_t {
+  return decimal_point_impl<wchar_t>(loc);
+}
+
+// Compares two characters for equality.
+template <typename Char> auto equal2(const Char* lhs, const char* rhs) -> bool {
+  return lhs[0] == Char(rhs[0]) && lhs[1] == Char(rhs[1]);
+}
+inline auto equal2(const char* lhs, const char* rhs) -> bool {
+  return memcmp(lhs, rhs, 2) == 0;
+}
+
+// Copies two characters from src to dst.
+template <typename Char>
+FMT_CONSTEXPR20 FMT_INLINE void copy2(Char* dst, const char* src) {
+  if (!is_constant_evaluated() && sizeof(Char) == sizeof(char)) {
+    memcpy(dst, src, 2);
+    return;
+  }
+  *dst++ = static_cast<Char>(*src++);
+  *dst = static_cast<Char>(*src);
+}
+
+template <typename Iterator> struct format_decimal_result {
+  Iterator begin;
+  Iterator end;
+};
+
+// Formats a decimal unsigned integer value writing into out pointing to a
+// buffer of specified size. The caller must ensure that the buffer is large
+// enough.
+template <typename Char, typename UInt>
+FMT_CONSTEXPR20 auto format_decimal(Char* out, UInt value, int size)
+    -> format_decimal_result<Char*> {
+  FMT_ASSERT(size >= count_digits(value), "invalid digit count");
+  out += size;
+  Char* end = out;
+  while (value >= 100) {
+    // Integer division is slow so do it for a group of two digits instead
+    // of for every digit. The idea comes from the talk by Alexandrescu
+    // "Three Optimization Tips for C++". See speed-test for a comparison.
+    out -= 2;
+    copy2(out, digits2(static_cast<size_t>(value % 100)));
+    value /= 100;
+  }
+  if (value < 10) {
+    *--out = static_cast<Char>('0' + value);
+    return {out, end};
+  }
+  out -= 2;
+  copy2(out, digits2(static_cast<size_t>(value)));
+  return {out, end};
+}
+
+template <typename Char, typename UInt, typename Iterator,
+          FMT_ENABLE_IF(!std::is_pointer<remove_cvref_t<Iterator>>::value)>
+inline auto format_decimal(Iterator out, UInt value, int size)
+    -> format_decimal_result<Iterator> {
+  // Buffer is large enough to hold all digits (digits10 + 1).
+  Char buffer[digits10<UInt>() + 1];
+  auto end = format_decimal(buffer, value, size).end;
+  return {out, detail::copy_str_noinline<Char>(buffer, end, out)};
+}
+
+template <unsigned BASE_BITS, typename Char, typename UInt>
+FMT_CONSTEXPR auto format_uint(Char* buffer, UInt value, int num_digits,
+                               bool upper = false) -> Char* {
+  buffer += num_digits;
+  Char* end = buffer;
+  do {
+    const char* digits = upper ? "0123456789ABCDEF" : "0123456789abcdef";
+    unsigned digit = (value & ((1 << BASE_BITS) - 1));
+    *--buffer = static_cast<Char>(BASE_BITS < 4 ? static_cast<char>('0' + digit)
+                                                : digits[digit]);
+  } while ((value >>= BASE_BITS) != 0);
+  return end;
+}
+
+template <unsigned BASE_BITS, typename Char>
+auto format_uint(Char* buffer, detail::fallback_uintptr n, int num_digits,
+                 bool = false) -> Char* {
+  auto char_digits = std::numeric_limits<unsigned char>::digits / 4;
+  int start = (num_digits + char_digits - 1) / char_digits - 1;
+  if (int start_digits = num_digits % char_digits) {
+    unsigned value = n.value[start--];
+    buffer = format_uint<BASE_BITS>(buffer, value, start_digits);
+  }
+  for (; start >= 0; --start) {
+    unsigned value = n.value[start];
+    buffer += char_digits;
+    auto p = buffer;
+    for (int i = 0; i < char_digits; ++i) {
+      unsigned digit = (value & ((1 << BASE_BITS) - 1));
+      *--p = static_cast<Char>("0123456789abcdef"[digit]);
+      value >>= BASE_BITS;
+    }
+  }
+  return buffer;
+}
+
+template <unsigned BASE_BITS, typename Char, typename It, typename UInt>
+inline auto format_uint(It out, UInt value, int num_digits, bool upper = false)
+    -> It {
+  if (auto ptr = to_pointer<Char>(out, to_unsigned(num_digits))) {
+    format_uint<BASE_BITS>(ptr, value, num_digits, upper);
+    return out;
+  }
+  // Buffer should be large enough to hold all digits (digits / BASE_BITS + 1).
+  char buffer[num_bits<UInt>() / BASE_BITS + 1];
+  format_uint<BASE_BITS>(buffer, value, num_digits, upper);
+  return detail::copy_str_noinline<Char>(buffer, buffer + num_digits, out);
+}
+
+// A converter from UTF-8 to UTF-16.
+class utf8_to_utf16 {
+ private:
+  basic_memory_buffer<wchar_t> buffer_;
+
+ public:
+  FMT_API explicit utf8_to_utf16(string_view s);
+  operator basic_string_view<wchar_t>() const { return {&buffer_[0], size()}; }
+  auto size() const -> size_t { return buffer_.size() - 1; }
+  auto c_str() const -> const wchar_t* { return &buffer_[0]; }
+  auto str() const -> std::wstring { return {&buffer_[0], size()}; }
+};
+
+namespace dragonbox {
+
+// Type-specific information that Dragonbox uses.
+template <class T> struct float_info;
+
+template <> struct float_info<float> {
+  using carrier_uint = uint32_t;
+  static const int significand_bits = 23;
+  static const int exponent_bits = 8;
+  static const int min_exponent = -126;
+  static const int max_exponent = 127;
+  static const int exponent_bias = -127;
+  static const int decimal_digits = 9;
+  static const int kappa = 1;
+  static const int big_divisor = 100;
+  static const int small_divisor = 10;
+  static const int min_k = -31;
+  static const int max_k = 46;
+  static const int cache_bits = 64;
+  static const int divisibility_check_by_5_threshold = 39;
+  static const int case_fc_pm_half_lower_threshold = -1;
+  static const int case_fc_pm_half_upper_threshold = 6;
+  static const int case_fc_lower_threshold = -2;
+  static const int case_fc_upper_threshold = 6;
+  static const int case_shorter_interval_left_endpoint_lower_threshold = 2;
+  static const int case_shorter_interval_left_endpoint_upper_threshold = 3;
+  static const int shorter_interval_tie_lower_threshold = -35;
+  static const int shorter_interval_tie_upper_threshold = -35;
+  static const int max_trailing_zeros = 7;
+};
+
+template <> struct float_info<double> {
+  using carrier_uint = uint64_t;
+  static const int significand_bits = 52;
+  static const int exponent_bits = 11;
+  static const int min_exponent = -1022;
+  static const int max_exponent = 1023;
+  static const int exponent_bias = -1023;
+  static const int decimal_digits = 17;
+  static const int kappa = 2;
+  static const int big_divisor = 1000;
+  static const int small_divisor = 100;
+  static const int min_k = -292;
+  static const int max_k = 326;
+  static const int cache_bits = 128;
+  static const int divisibility_check_by_5_threshold = 86;
+  static const int case_fc_pm_half_lower_threshold = -2;
+  static const int case_fc_pm_half_upper_threshold = 9;
+  static const int case_fc_lower_threshold = -4;
+  static const int case_fc_upper_threshold = 9;
+  static const int case_shorter_interval_left_endpoint_lower_threshold = 2;
+  static const int case_shorter_interval_left_endpoint_upper_threshold = 3;
+  static const int shorter_interval_tie_lower_threshold = -77;
+  static const int shorter_interval_tie_upper_threshold = -77;
+  static const int max_trailing_zeros = 16;
+};
+
+template <typename T> struct decimal_fp {
+  using significand_type = typename float_info<T>::carrier_uint;
+  significand_type significand;
+  int exponent;
+};
+
+template <typename T>
+FMT_API auto to_decimal(T x) FMT_NOEXCEPT -> decimal_fp<T>;
+}  // namespace dragonbox
+
+template <typename T>
+constexpr auto exponent_mask() ->
+    typename dragonbox::float_info<T>::carrier_uint {
+  using uint = typename dragonbox::float_info<T>::carrier_uint;
+  return ((uint(1) << dragonbox::float_info<T>::exponent_bits) - 1)
+         << dragonbox::float_info<T>::significand_bits;
+}
+
+// Writes the exponent exp in the form "[+-]d{2,3}" to buffer.
+template <typename Char, typename It>
+FMT_CONSTEXPR auto write_exponent(int exp, It it) -> It {
+  FMT_ASSERT(-10000 < exp && exp < 10000, "exponent out of range");
+  if (exp < 0) {
+    *it++ = static_cast<Char>('-');
+    exp = -exp;
+  } else {
+    *it++ = static_cast<Char>('+');
+  }
+  if (exp >= 100) {
+    const char* top = digits2(to_unsigned(exp / 100));
+    if (exp >= 1000) *it++ = static_cast<Char>(top[0]);
+    *it++ = static_cast<Char>(top[1]);
+    exp %= 100;
+  }
+  const char* d = digits2(to_unsigned(exp));
+  *it++ = static_cast<Char>(d[0]);
+  *it++ = static_cast<Char>(d[1]);
+  return it;
+}
+
+template <typename T>
+FMT_HEADER_ONLY_CONSTEXPR20 auto format_float(T value, int precision,
+                                              float_specs specs,
+                                              buffer<char>& buf) -> int;
+
+// Formats a floating-point number with snprintf.
+template <typename T>
+auto snprintf_float(T value, int precision, float_specs specs,
+                    buffer<char>& buf) -> int;
+
+template <typename T> constexpr auto promote_float(T value) -> T {
+  return value;
+}
+constexpr auto promote_float(float value) -> double {
+  return static_cast<double>(value);
+}
+
+template <typename OutputIt, typename Char>
+FMT_NOINLINE FMT_CONSTEXPR auto fill(OutputIt it, size_t n,
+                                     const fill_t<Char>& fill) -> OutputIt {
+  auto fill_size = fill.size();
+  if (fill_size == 1) return detail::fill_n(it, n, fill[0]);
+  auto data = fill.data();
+  for (size_t i = 0; i < n; ++i)
+    it = copy_str<Char>(data, data + fill_size, it);
+  return it;
+}
+
+// Writes the output of f, padded according to format specifications in specs.
+// size: output size in code units.
+// width: output display width in (terminal) column positions.
+template <align::type align = align::left, typename OutputIt, typename Char,
+          typename F>
+FMT_CONSTEXPR auto write_padded(OutputIt out,
+                                const basic_format_specs<Char>& specs,
+                                size_t size, size_t width, F&& f) -> OutputIt {
+  static_assert(align == align::left || align == align::right, "");
+  unsigned spec_width = to_unsigned(specs.width);
+  size_t padding = spec_width > width ? spec_width - width : 0;
+  // Shifts are encoded as string literals because static constexpr is not
+  // supported in constexpr functions.
+  auto* shifts = align == align::left ? "\x1f\x1f\x00\x01" : "\x00\x1f\x00\x01";
+  size_t left_padding = padding >> shifts[specs.align];
+  size_t right_padding = padding - left_padding;
+  auto it = reserve(out, size + padding * specs.fill.size());
+  if (left_padding != 0) it = fill(it, left_padding, specs.fill);
+  it = f(it);
+  if (right_padding != 0) it = fill(it, right_padding, specs.fill);
+  return base_iterator(out, it);
+}
+
+template <align::type align = align::left, typename OutputIt, typename Char,
+          typename F>
+constexpr auto write_padded(OutputIt out, const basic_format_specs<Char>& specs,
+                            size_t size, F&& f) -> OutputIt {
+  return write_padded<align>(out, specs, size, size, f);
+}
+
+template <align::type align = align::left, typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write_bytes(OutputIt out, string_view bytes,
+                               const basic_format_specs<Char>& specs)
+    -> OutputIt {
+  return write_padded<align>(
+      out, specs, bytes.size(), [bytes](reserve_iterator<OutputIt> it) {
+        const char* data = bytes.data();
+        return copy_str<Char>(data, data + bytes.size(), it);
+      });
+}
+
+template <typename Char, typename OutputIt, typename UIntPtr>
+auto write_ptr(OutputIt out, UIntPtr value,
+               const basic_format_specs<Char>* specs) -> OutputIt {
+  int num_digits = count_digits<4>(value);
+  auto size = to_unsigned(num_digits) + size_t(2);
+  auto write = [=](reserve_iterator<OutputIt> it) {
+    *it++ = static_cast<Char>('0');
+    *it++ = static_cast<Char>('x');
+    return format_uint<4, Char>(it, value, num_digits);
+  };
+  return specs ? write_padded<align::right>(out, *specs, size, write)
+               : base_iterator(out, write(reserve(out, size)));
+}
+
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write_char(OutputIt out, Char value,
+                              const basic_format_specs<Char>& specs)
+    -> OutputIt {
+  return write_padded(out, specs, 1, [=](reserve_iterator<OutputIt> it) {
+    *it++ = value;
+    return it;
+  });
+}
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write(OutputIt out, Char value,
+                         const basic_format_specs<Char>& specs,
+                         locale_ref loc = {}) -> OutputIt {
+  return check_char_specs(specs)
+             ? write_char(out, value, specs)
+             : write(out, static_cast<int>(value), specs, loc);
+}
+
+// Data for write_int that doesn't depend on output iterator type. It is used to
+// avoid template code bloat.
+template <typename Char> struct write_int_data {
+  size_t size;
+  size_t padding;
+
+  FMT_CONSTEXPR write_int_data(int num_digits, unsigned prefix,
+                               const basic_format_specs<Char>& specs)
+      : size((prefix >> 24) + to_unsigned(num_digits)), padding(0) {
+    if (specs.align == align::numeric) {
+      auto width = to_unsigned(specs.width);
+      if (width > size) {
+        padding = width - size;
+        size = width;
+      }
+    } else if (specs.precision > num_digits) {
+      size = (prefix >> 24) + to_unsigned(specs.precision);
+      padding = to_unsigned(specs.precision - num_digits);
+    }
+  }
+};
+
+// Writes an integer in the format
+//   <left-padding><prefix><numeric-padding><digits><right-padding>
+// where <digits> are written by write_digits(it).
+// prefix contains chars in three lower bytes and the size in the fourth byte.
+template <typename OutputIt, typename Char, typename W>
+FMT_CONSTEXPR FMT_INLINE auto write_int(OutputIt out, int num_digits,
+                                        unsigned prefix,
+                                        const basic_format_specs<Char>& specs,
+                                        W write_digits) -> OutputIt {
+  // Slightly faster check for specs.width == 0 && specs.precision == -1.
+  if ((specs.width | (specs.precision + 1)) == 0) {
+    auto it = reserve(out, to_unsigned(num_digits) + (prefix >> 24));
+    if (prefix != 0) {
+      for (unsigned p = prefix & 0xffffff; p != 0; p >>= 8)
+        *it++ = static_cast<Char>(p & 0xff);
+    }
+    return base_iterator(out, write_digits(it));
+  }
+  auto data = write_int_data<Char>(num_digits, prefix, specs);
+  return write_padded<align::right>(
+      out, specs, data.size, [=](reserve_iterator<OutputIt> it) {
+        for (unsigned p = prefix & 0xffffff; p != 0; p >>= 8)
+          *it++ = static_cast<Char>(p & 0xff);
+        it = detail::fill_n(it, data.padding, static_cast<Char>('0'));
+        return write_digits(it);
+      });
+}
+
+template <typename Char> class digit_grouping {
+ private:
+  thousands_sep_result<Char> sep_;
+
+  struct next_state {
+    std::string::const_iterator group;
+    int pos;
+  };
+  next_state initial_state() const { return {sep_.grouping.begin(), 0}; }
+
+  // Returns the next digit group separator position.
+  int next(next_state& state) const {
+    if (!sep_.thousands_sep) return max_value<int>();
+    if (state.group == sep_.grouping.end())
+      return state.pos += sep_.grouping.back();
+    if (*state.group <= 0 || *state.group == max_value<char>())
+      return max_value<int>();
+    state.pos += *state.group++;
+    return state.pos;
+  }
+
+ public:
+  explicit digit_grouping(locale_ref loc, bool localized = true) {
+    if (localized)
+      sep_ = thousands_sep<Char>(loc);
+    else
+      sep_.thousands_sep = Char();
+  }
+  explicit digit_grouping(thousands_sep_result<Char> sep) : sep_(sep) {}
+
+  Char separator() const { return sep_.thousands_sep; }
+
+  int count_separators(int num_digits) const {
+    int count = 0;
+    auto state = initial_state();
+    while (num_digits > next(state)) ++count;
+    return count;
+  }
+
+  // Applies grouping to digits and write the output to out.
+  template <typename Out, typename C>
+  Out apply(Out out, basic_string_view<C> digits) const {
+    auto num_digits = static_cast<int>(digits.size());
+    auto separators = basic_memory_buffer<int>();
+    separators.push_back(0);
+    auto state = initial_state();
+    while (int i = next(state)) {
+      if (i >= num_digits) break;
+      separators.push_back(i);
+    }
+    for (int i = 0, sep_index = static_cast<int>(separators.size() - 1);
+         i < num_digits; ++i) {
+      if (num_digits - i == separators[sep_index]) {
+        *out++ = separator();
+        --sep_index;
+      }
+      *out++ = static_cast<Char>(digits[to_unsigned(i)]);
+    }
+    return out;
+  }
+};
+
+template <typename OutputIt, typename UInt, typename Char>
+auto write_int_localized(OutputIt out, UInt value, unsigned prefix,
+                         const basic_format_specs<Char>& specs,
+                         const digit_grouping<Char>& grouping) -> OutputIt {
+  static_assert(std::is_same<uint64_or_128_t<UInt>, UInt>::value, "");
+  int num_digits = count_digits(value);
+  char digits[40];
+  format_decimal(digits, value, num_digits);
+  unsigned size = to_unsigned((prefix != 0 ? 1 : 0) + num_digits +
+                              grouping.count_separators(num_digits));
+  return write_padded<align::right>(
+      out, specs, size, size, [&](reserve_iterator<OutputIt> it) {
+        if (prefix != 0) *it++ = static_cast<Char>(prefix);
+        return grouping.apply(it, string_view(digits, to_unsigned(num_digits)));
+      });
+}
+
+template <typename OutputIt, typename UInt, typename Char>
+auto write_int_localized(OutputIt& out, UInt value, unsigned prefix,
+                         const basic_format_specs<Char>& specs, locale_ref loc)
+    -> bool {
+  auto grouping = digit_grouping<Char>(loc);
+  out = write_int_localized(out, value, prefix, specs, grouping);
+  return true;
+}
+
+FMT_CONSTEXPR inline void prefix_append(unsigned& prefix, unsigned value) {
+  prefix |= prefix != 0 ? value << 8 : value;
+  prefix += (1u + (value > 0xff ? 1 : 0)) << 24;
+}
+
+template <typename UInt> struct write_int_arg {
+  UInt abs_value;
+  unsigned prefix;
+};
+
+template <typename T>
+FMT_CONSTEXPR auto make_write_int_arg(T value, sign_t sign)
+    -> write_int_arg<uint32_or_64_or_128_t<T>> {
+  auto prefix = 0u;
+  auto abs_value = static_cast<uint32_or_64_or_128_t<T>>(value);
+  if (is_negative(value)) {
+    prefix = 0x01000000 | '-';
+    abs_value = 0 - abs_value;
+  } else {
+    constexpr const unsigned prefixes[4] = {0, 0, 0x1000000u | '+',
+                                            0x1000000u | ' '};
+    prefix = prefixes[sign];
+  }
+  return {abs_value, prefix};
+}
+
+template <typename Char, typename OutputIt, typename T>
+FMT_CONSTEXPR FMT_INLINE auto write_int(OutputIt out, write_int_arg<T> arg,
+                                        const basic_format_specs<Char>& specs,
+                                        locale_ref loc) -> OutputIt {
+  static_assert(std::is_same<T, uint32_or_64_or_128_t<T>>::value, "");
+  auto abs_value = arg.abs_value;
+  auto prefix = arg.prefix;
+  switch (specs.type) {
+  case presentation_type::none:
+  case presentation_type::dec: {
+    if (specs.localized &&
+        write_int_localized(out, static_cast<uint64_or_128_t<T>>(abs_value),
+                            prefix, specs, loc)) {
+      return out;
+    }
+    auto num_digits = count_digits(abs_value);
+    return write_int(
+        out, num_digits, prefix, specs, [=](reserve_iterator<OutputIt> it) {
+          return format_decimal<Char>(it, abs_value, num_digits).end;
+        });
+  }
+  case presentation_type::hex_lower:
+  case presentation_type::hex_upper: {
+    bool upper = specs.type == presentation_type::hex_upper;
+    if (specs.alt)
+      prefix_append(prefix, unsigned(upper ? 'X' : 'x') << 8 | '0');
+    int num_digits = count_digits<4>(abs_value);
+    return write_int(
+        out, num_digits, prefix, specs, [=](reserve_iterator<OutputIt> it) {
+          return format_uint<4, Char>(it, abs_value, num_digits, upper);
+        });
+  }
+  case presentation_type::bin_lower:
+  case presentation_type::bin_upper: {
+    bool upper = specs.type == presentation_type::bin_upper;
+    if (specs.alt)
+      prefix_append(prefix, unsigned(upper ? 'B' : 'b') << 8 | '0');
+    int num_digits = count_digits<1>(abs_value);
+    return write_int(out, num_digits, prefix, specs,
+                     [=](reserve_iterator<OutputIt> it) {
+                       return format_uint<1, Char>(it, abs_value, num_digits);
+                     });
+  }
+  case presentation_type::oct: {
+    int num_digits = count_digits<3>(abs_value);
+    // Octal prefix '0' is counted as a digit, so only add it if precision
+    // is not greater than the number of digits.
+    if (specs.alt && specs.precision <= num_digits && abs_value != 0)
+      prefix_append(prefix, '0');
+    return write_int(out, num_digits, prefix, specs,
+                     [=](reserve_iterator<OutputIt> it) {
+                       return format_uint<3, Char>(it, abs_value, num_digits);
+                     });
+  }
+  case presentation_type::chr:
+    return write_char(out, static_cast<Char>(abs_value), specs);
+  default:
+    throw_format_error("invalid type specifier");
+  }
+  return out;
+}
+template <typename Char, typename OutputIt, typename T>
+FMT_CONSTEXPR FMT_NOINLINE auto write_int_noinline(
+    OutputIt out, write_int_arg<T> arg, const basic_format_specs<Char>& specs,
+    locale_ref loc) -> OutputIt {
+  return write_int(out, arg, specs, loc);
+}
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(is_integral<T>::value &&
+                        !std::is_same<T, bool>::value &&
+                        std::is_same<OutputIt, buffer_appender<Char>>::value)>
+FMT_CONSTEXPR FMT_INLINE auto write(OutputIt out, T value,
+                                    const basic_format_specs<Char>& specs,
+                                    locale_ref loc) -> OutputIt {
+  return write_int_noinline(out, make_write_int_arg(value, specs.sign), specs,
+                            loc);
+}
+// An inlined version of write used in format string compilation.
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(is_integral<T>::value &&
+                        !std::is_same<T, bool>::value &&
+                        !std::is_same<OutputIt, buffer_appender<Char>>::value)>
+FMT_CONSTEXPR FMT_INLINE auto write(OutputIt out, T value,
+                                    const basic_format_specs<Char>& specs,
+                                    locale_ref loc) -> OutputIt {
+  return write_int(out, make_write_int_arg(value, specs.sign), specs, loc);
+}
+
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write(OutputIt out, basic_string_view<Char> s,
+                         const basic_format_specs<Char>& specs) -> OutputIt {
+  auto data = s.data();
+  auto size = s.size();
+  if (specs.precision >= 0 && to_unsigned(specs.precision) < size)
+    size = code_point_index(s, to_unsigned(specs.precision));
+  auto width =
+      specs.width != 0 ? compute_width(basic_string_view<Char>(data, size)) : 0;
+  return write_padded(out, specs, size, width,
+                      [=](reserve_iterator<OutputIt> it) {
+                        return copy_str<Char>(data, data + size, it);
+                      });
+}
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write(OutputIt out,
+                         basic_string_view<type_identity_t<Char>> s,
+                         const basic_format_specs<Char>& specs, locale_ref)
+    -> OutputIt {
+  check_string_type_spec(specs.type);
+  return write(out, s, specs);
+}
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write(OutputIt out, const Char* s,
+                         const basic_format_specs<Char>& specs, locale_ref)
+    -> OutputIt {
+  return check_cstring_type_spec(specs.type)
+             ? write(out, basic_string_view<Char>(s), specs, {})
+             : write_ptr<Char>(out, to_uintptr(s), &specs);
+}
+
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR20 auto write_nonfinite(OutputIt out, bool isinf,
+                                     basic_format_specs<Char> specs,
+                                     const float_specs& fspecs) -> OutputIt {
+  auto str =
+      isinf ? (fspecs.upper ? "INF" : "inf") : (fspecs.upper ? "NAN" : "nan");
+  constexpr size_t str_size = 3;
+  auto sign = fspecs.sign;
+  auto size = str_size + (sign ? 1 : 0);
+  // Replace '0'-padding with space for non-finite values.
+  const bool is_zero_fill =
+      specs.fill.size() == 1 && *specs.fill.data() == static_cast<Char>('0');
+  if (is_zero_fill) specs.fill[0] = static_cast<Char>(' ');
+  return write_padded(out, specs, size, [=](reserve_iterator<OutputIt> it) {
+    if (sign) *it++ = detail::sign<Char>(sign);
+    return copy_str<Char>(str, str + str_size, it);
+  });
+}
+
+// A decimal floating-point number significand * pow(10, exp).
+struct big_decimal_fp {
+  const char* significand;
+  int significand_size;
+  int exponent;
+};
+
+constexpr auto get_significand_size(const big_decimal_fp& fp) -> int {
+  return fp.significand_size;
+}
+template <typename T>
+inline auto get_significand_size(const dragonbox::decimal_fp<T>& fp) -> int {
+  return count_digits(fp.significand);
+}
+
+template <typename Char, typename OutputIt>
+constexpr auto write_significand(OutputIt out, const char* significand,
+                                 int significand_size) -> OutputIt {
+  return copy_str<Char>(significand, significand + significand_size, out);
+}
+template <typename Char, typename OutputIt, typename UInt>
+inline auto write_significand(OutputIt out, UInt significand,
+                              int significand_size) -> OutputIt {
+  return format_decimal<Char>(out, significand, significand_size).end;
+}
+template <typename Char, typename OutputIt, typename T, typename Grouping>
+FMT_CONSTEXPR20 auto write_significand(OutputIt out, T significand,
+                                       int significand_size, int exponent,
+                                       const Grouping& grouping) -> OutputIt {
+  if (!grouping.separator()) {
+    out = write_significand<Char>(out, significand, significand_size);
+    return detail::fill_n(out, exponent, static_cast<Char>('0'));
+  }
+  auto buffer = memory_buffer();
+  write_significand<char>(appender(buffer), significand, significand_size);
+  detail::fill_n(appender(buffer), exponent, '0');
+  return grouping.apply(out, string_view(buffer.data(), buffer.size()));
+}
+
+template <typename Char, typename UInt,
+          FMT_ENABLE_IF(std::is_integral<UInt>::value)>
+inline auto write_significand(Char* out, UInt significand, int significand_size,
+                              int integral_size, Char decimal_point) -> Char* {
+  if (!decimal_point)
+    return format_decimal(out, significand, significand_size).end;
+  out += significand_size + 1;
+  Char* end = out;
+  int floating_size = significand_size - integral_size;
+  for (int i = floating_size / 2; i > 0; --i) {
+    out -= 2;
+    copy2(out, digits2(significand % 100));
+    significand /= 100;
+  }
+  if (floating_size % 2 != 0) {
+    *--out = static_cast<Char>('0' + significand % 10);
+    significand /= 10;
+  }
+  *--out = decimal_point;
+  format_decimal(out - integral_size, significand, integral_size);
+  return end;
+}
+
+template <typename OutputIt, typename UInt, typename Char,
+          FMT_ENABLE_IF(!std::is_pointer<remove_cvref_t<OutputIt>>::value)>
+inline auto write_significand(OutputIt out, UInt significand,
+                              int significand_size, int integral_size,
+                              Char decimal_point) -> OutputIt {
+  // Buffer is large enough to hold digits (digits10 + 1) and a decimal point.
+  Char buffer[digits10<UInt>() + 2];
+  auto end = write_significand(buffer, significand, significand_size,
+                               integral_size, decimal_point);
+  return detail::copy_str_noinline<Char>(buffer, end, out);
+}
+
+template <typename OutputIt, typename Char>
+FMT_CONSTEXPR auto write_significand(OutputIt out, const char* significand,
+                                     int significand_size, int integral_size,
+                                     Char decimal_point) -> OutputIt {
+  out = detail::copy_str_noinline<Char>(significand,
+                                        significand + integral_size, out);
+  if (!decimal_point) return out;
+  *out++ = decimal_point;
+  return detail::copy_str_noinline<Char>(significand + integral_size,
+                                         significand + significand_size, out);
+}
+
+template <typename OutputIt, typename Char, typename T, typename Grouping>
+FMT_CONSTEXPR20 auto write_significand(OutputIt out, T significand,
+                                       int significand_size, int integral_size,
+                                       Char decimal_point,
+                                       const Grouping& grouping) -> OutputIt {
+  if (!grouping.separator()) {
+    return write_significand(out, significand, significand_size, integral_size,
+                             decimal_point);
+  }
+  auto buffer = basic_memory_buffer<Char>();
+  write_significand(buffer_appender<Char>(buffer), significand,
+                    significand_size, integral_size, decimal_point);
+  grouping.apply(
+      out, basic_string_view<Char>(buffer.data(), to_unsigned(integral_size)));
+  return detail::copy_str_noinline<Char>(buffer.data() + integral_size,
+                                         buffer.end(), out);
+}
+
+template <typename OutputIt, typename DecimalFP, typename Char,
+          typename Grouping = digit_grouping<Char>>
+FMT_CONSTEXPR20 auto do_write_float(OutputIt out, const DecimalFP& fp,
+                                    const basic_format_specs<Char>& specs,
+                                    float_specs fspecs, locale_ref loc)
+    -> OutputIt {
+  auto significand = fp.significand;
+  int significand_size = get_significand_size(fp);
+  constexpr Char zero = static_cast<Char>('0');
+  auto sign = fspecs.sign;
+  size_t size = to_unsigned(significand_size) + (sign ? 1 : 0);
+  using iterator = reserve_iterator<OutputIt>;
+
+  Char decimal_point =
+      fspecs.locale ? detail::decimal_point<Char>(loc) : static_cast<Char>('.');
+
+  int output_exp = fp.exponent + significand_size - 1;
+  auto use_exp_format = [=]() {
+    if (fspecs.format == float_format::exp) return true;
+    if (fspecs.format != float_format::general) return false;
+    // Use the fixed notation if the exponent is in [exp_lower, exp_upper),
+    // e.g. 0.0001 instead of 1e-04. Otherwise use the exponent notation.
+    const int exp_lower = -4, exp_upper = 16;
+    return output_exp < exp_lower ||
+           output_exp >= (fspecs.precision > 0 ? fspecs.precision : exp_upper);
+  };
+  if (use_exp_format()) {
+    int num_zeros = 0;
+    if (fspecs.showpoint) {
+      num_zeros = fspecs.precision - significand_size;
+      if (num_zeros < 0) num_zeros = 0;
+      size += to_unsigned(num_zeros);
+    } else if (significand_size == 1) {
+      decimal_point = Char();
+    }
+    auto abs_output_exp = output_exp >= 0 ? output_exp : -output_exp;
+    int exp_digits = 2;
+    if (abs_output_exp >= 100) exp_digits = abs_output_exp >= 1000 ? 4 : 3;
+
+    size += to_unsigned((decimal_point ? 1 : 0) + 2 + exp_digits);
+    char exp_char = fspecs.upper ? 'E' : 'e';
+    auto write = [=](iterator it) {
+      if (sign) *it++ = detail::sign<Char>(sign);
+      // Insert a decimal point after the first digit and add an exponent.
+      it = write_significand(it, significand, significand_size, 1,
+                             decimal_point);
+      if (num_zeros > 0) it = detail::fill_n(it, num_zeros, zero);
+      *it++ = static_cast<Char>(exp_char);
+      return write_exponent<Char>(output_exp, it);
+    };
+    return specs.width > 0 ? write_padded<align::right>(out, specs, size, write)
+                           : base_iterator(out, write(reserve(out, size)));
+  }
+
+  int exp = fp.exponent + significand_size;
+  if (fp.exponent >= 0) {
+    // 1234e5 -> 123400000[.0+]
+    size += to_unsigned(fp.exponent);
+    int num_zeros = fspecs.precision - exp;
+#ifdef FMT_FUZZ
+    if (num_zeros > 5000)
+      throw std::runtime_error("fuzz mode - avoiding excessive cpu use");
+#endif
+    if (fspecs.showpoint) {
+      if (num_zeros <= 0 && fspecs.format != float_format::fixed) num_zeros = 1;
+      if (num_zeros > 0) size += to_unsigned(num_zeros) + 1;
+    }
+    auto grouping = Grouping(loc, fspecs.locale);
+    size += to_unsigned(grouping.count_separators(significand_size));
+    return write_padded<align::right>(out, specs, size, [&](iterator it) {
+      if (sign) *it++ = detail::sign<Char>(sign);
+      it = write_significand<Char>(it, significand, significand_size,
+                                   fp.exponent, grouping);
+      if (!fspecs.showpoint) return it;
+      *it++ = decimal_point;
+      return num_zeros > 0 ? detail::fill_n(it, num_zeros, zero) : it;
+    });
+  } else if (exp > 0) {
+    // 1234e-2 -> 12.34[0+]
+    int num_zeros = fspecs.showpoint ? fspecs.precision - significand_size : 0;
+    size += 1 + to_unsigned(num_zeros > 0 ? num_zeros : 0);
+    auto grouping = Grouping(loc, fspecs.locale);
+    size += to_unsigned(grouping.count_separators(significand_size));
+    return write_padded<align::right>(out, specs, size, [&](iterator it) {
+      if (sign) *it++ = detail::sign<Char>(sign);
+      it = write_significand(it, significand, significand_size, exp,
+                             decimal_point, grouping);
+      return num_zeros > 0 ? detail::fill_n(it, num_zeros, zero) : it;
+    });
+  }
+  // 1234e-6 -> 0.001234
+  int num_zeros = -exp;
+  if (significand_size == 0 && fspecs.precision >= 0 &&
+      fspecs.precision < num_zeros) {
+    num_zeros = fspecs.precision;
+  }
+  bool pointy = num_zeros != 0 || significand_size != 0 || fspecs.showpoint;
+  size += 1 + (pointy ? 1 : 0) + to_unsigned(num_zeros);
+  return write_padded<align::right>(out, specs, size, [&](iterator it) {
+    if (sign) *it++ = detail::sign<Char>(sign);
+    *it++ = zero;
+    if (!pointy) return it;
+    *it++ = decimal_point;
+    it = detail::fill_n(it, num_zeros, zero);
+    return write_significand<Char>(it, significand, significand_size);
+  });
+}
+
+template <typename Char> class fallback_digit_grouping {
+ public:
+  constexpr fallback_digit_grouping(locale_ref, bool) {}
+
+  constexpr Char separator() const { return Char(); }
+
+  constexpr int count_separators(int) const { return 0; }
+
+  template <typename Out, typename C>
+  constexpr Out apply(Out out, basic_string_view<C>) const {
+    return out;
+  }
+};
+
+template <typename OutputIt, typename DecimalFP, typename Char>
+FMT_CONSTEXPR20 auto write_float(OutputIt out, const DecimalFP& fp,
+                                 const basic_format_specs<Char>& specs,
+                                 float_specs fspecs, locale_ref loc)
+    -> OutputIt {
+  if (is_constant_evaluated()) {
+    return do_write_float<OutputIt, DecimalFP, Char,
+                          fallback_digit_grouping<Char>>(out, fp, specs, fspecs,
+                                                         loc);
+  } else {
+    return do_write_float(out, fp, specs, fspecs, loc);
+  }
+}
+
+template <typename T, FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+FMT_CONSTEXPR20 bool isinf(T value) {
+  if (is_constant_evaluated()) {
+#if defined(__cpp_if_constexpr)
+    if constexpr (std::numeric_limits<double>::is_iec559) {
+      auto bits = detail::bit_cast<uint64_t>(static_cast<double>(value));
+      constexpr auto significand_bits =
+          dragonbox::float_info<double>::significand_bits;
+      return (bits & exponent_mask<double>()) &&
+             !(bits & ((uint64_t(1) << significand_bits) - 1));
+    }
+#endif
+  }
+  return std::isinf(value);
+}
+
+template <typename T, FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+FMT_CONSTEXPR20 bool isfinite(T value) {
+  if (is_constant_evaluated()) {
+#if defined(__cpp_if_constexpr)
+    if constexpr (std::numeric_limits<double>::is_iec559) {
+      auto bits = detail::bit_cast<uint64_t>(static_cast<double>(value));
+      return (bits & exponent_mask<double>()) != exponent_mask<double>();
+    }
+#endif
+  }
+  return std::isfinite(value);
+}
+
+template <typename T, FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+FMT_INLINE FMT_CONSTEXPR bool signbit(T value) {
+  if (is_constant_evaluated()) {
+#ifdef __cpp_if_constexpr
+    if constexpr (std::numeric_limits<double>::is_iec559) {
+      auto bits = detail::bit_cast<uint64_t>(static_cast<double>(value));
+      return (bits & (uint64_t(1) << (num_bits<uint64_t>() - 1))) != 0;
+    }
+#endif
+  }
+  return std::signbit(value);
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+FMT_CONSTEXPR20 auto write(OutputIt out, T value,
+                           basic_format_specs<Char> specs, locale_ref loc = {})
+    -> OutputIt {
+  if (const_check(!is_supported_floating_point(value))) return out;
+  float_specs fspecs = parse_float_type_spec(specs);
+  fspecs.sign = specs.sign;
+  if (detail::signbit(value)) {  // value < 0 is false for NaN so use signbit.
+    fspecs.sign = sign::minus;
+    value = -value;
+  } else if (fspecs.sign == sign::minus) {
+    fspecs.sign = sign::none;
+  }
+
+  if (!detail::isfinite(value))
+    return write_nonfinite(out, detail::isinf(value), specs, fspecs);
+
+  if (specs.align == align::numeric && fspecs.sign) {
+    auto it = reserve(out, 1);
+    *it++ = detail::sign<Char>(fspecs.sign);
+    out = base_iterator(out, it);
+    fspecs.sign = sign::none;
+    if (specs.width != 0) --specs.width;
+  }
+
+  memory_buffer buffer;
+  if (fspecs.format == float_format::hex) {
+    if (fspecs.sign) buffer.push_back(detail::sign<char>(fspecs.sign));
+    snprintf_float(promote_float(value), specs.precision, fspecs, buffer);
+    return write_bytes<align::right>(out, {buffer.data(), buffer.size()},
+                                     specs);
+  }
+  int precision = specs.precision >= 0 || specs.type == presentation_type::none
+                      ? specs.precision
+                      : 6;
+  if (fspecs.format == float_format::exp) {
+    if (precision == max_value<int>())
+      throw_format_error("number is too big");
+    else
+      ++precision;
+  }
+  if (const_check(std::is_same<T, float>())) fspecs.binary32 = true;
+  if (!is_fast_float<T>()) fspecs.fallback = true;
+  int exp = format_float(promote_float(value), precision, fspecs, buffer);
+  fspecs.precision = precision;
+  auto fp = big_decimal_fp{buffer.data(), static_cast<int>(buffer.size()), exp};
+  return write_float(out, fp, specs, fspecs, loc);
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(is_fast_float<T>::value)>
+FMT_CONSTEXPR20 auto write(OutputIt out, T value) -> OutputIt {
+  if (is_constant_evaluated()) {
+    return write(out, value, basic_format_specs<Char>());
+  }
+
+  if (const_check(!is_supported_floating_point(value))) return out;
+
+  using floaty = conditional_t<std::is_same<T, long double>::value, double, T>;
+  using uint = typename dragonbox::float_info<floaty>::carrier_uint;
+  auto bits = bit_cast<uint>(value);
+
+  auto fspecs = float_specs();
+  if (detail::signbit(value)) {
+    fspecs.sign = sign::minus;
+    value = -value;
+  }
+
+  constexpr auto specs = basic_format_specs<Char>();
+  uint mask = exponent_mask<floaty>();
+  if ((bits & mask) == mask)
+    return write_nonfinite(out, std::isinf(value), specs, fspecs);
+
+  auto dec = dragonbox::to_decimal(static_cast<floaty>(value));
+  return write_float(out, dec, specs, fspecs, {});
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(std::is_floating_point<T>::value &&
+                        !is_fast_float<T>::value)>
+inline auto write(OutputIt out, T value) -> OutputIt {
+  return write(out, value, basic_format_specs<Char>());
+}
+
+template <typename Char, typename OutputIt>
+auto write(OutputIt out, monostate, basic_format_specs<Char> = {},
+           locale_ref = {}) -> OutputIt {
+  FMT_ASSERT(false, "");
+  return out;
+}
+
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write(OutputIt out, basic_string_view<Char> value)
+    -> OutputIt {
+  auto it = reserve(out, value.size());
+  it = copy_str_noinline<Char>(value.begin(), value.end(), it);
+  return base_iterator(out, it);
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(is_string<T>::value)>
+constexpr auto write(OutputIt out, const T& value) -> OutputIt {
+  return write<Char>(out, to_string_view(value));
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(is_integral<T>::value &&
+                        !std::is_same<T, bool>::value &&
+                        !std::is_same<T, Char>::value)>
+FMT_CONSTEXPR auto write(OutputIt out, T value) -> OutputIt {
+  auto abs_value = static_cast<uint32_or_64_or_128_t<T>>(value);
+  bool negative = is_negative(value);
+  // Don't do -abs_value since it trips unsigned-integer-overflow sanitizer.
+  if (negative) abs_value = ~abs_value + 1;
+  int num_digits = count_digits(abs_value);
+  auto size = (negative ? 1 : 0) + static_cast<size_t>(num_digits);
+  auto it = reserve(out, size);
+  if (auto ptr = to_pointer<Char>(it, size)) {
+    if (negative) *ptr++ = static_cast<Char>('-');
+    format_decimal<Char>(ptr, abs_value, num_digits);
+    return out;
+  }
+  if (negative) *it++ = static_cast<Char>('-');
+  it = format_decimal<Char>(it, abs_value, num_digits).end;
+  return base_iterator(out, it);
+}
+
+// FMT_ENABLE_IF() condition separated to workaround an MSVC bug.
+template <
+    typename Char, typename OutputIt, typename T,
+    bool check =
+        std::is_enum<T>::value && !std::is_same<T, Char>::value &&
+        mapped_type_constant<T, basic_format_context<OutputIt, Char>>::value !=
+            type::custom_type,
+    FMT_ENABLE_IF(check)>
+FMT_CONSTEXPR auto write(OutputIt out, T value) -> OutputIt {
+  return write<Char>(
+      out, static_cast<typename std::underlying_type<T>::type>(value));
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(std::is_same<T, bool>::value)>
+FMT_CONSTEXPR auto write(OutputIt out, T value,
+                         const basic_format_specs<Char>& specs = {},
+                         locale_ref = {}) -> OutputIt {
+  return specs.type != presentation_type::none &&
+                 specs.type != presentation_type::string
+             ? write(out, value ? 1 : 0, specs, {})
+             : write_bytes(out, value ? "true" : "false", specs);
+}
+
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR auto write(OutputIt out, Char value) -> OutputIt {
+  auto it = reserve(out, 1);
+  *it++ = value;
+  return base_iterator(out, it);
+}
+
+template <typename Char, typename OutputIt>
+FMT_CONSTEXPR_CHAR_TRAITS auto write(OutputIt out, const Char* value)
+    -> OutputIt {
+  if (!value) {
+    throw_format_error("string pointer is null");
+  } else {
+    out = write(out, basic_string_view<Char>(value));
+  }
+  return out;
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(std::is_same<T, void>::value)>
+auto write(OutputIt out, const T* value,
+           const basic_format_specs<Char>& specs = {}, locale_ref = {})
+    -> OutputIt {
+  check_pointer_type_spec(specs.type, error_handler());
+  return write_ptr<Char>(out, to_uintptr(value), &specs);
+}
+
+// A write overload that handles implicit conversions.
+template <typename Char, typename OutputIt, typename T,
+          typename Context = basic_format_context<OutputIt, Char>>
+FMT_CONSTEXPR auto write(OutputIt out, const T& value) -> enable_if_t<
+    std::is_class<T>::value && !is_string<T>::value &&
+        !std::is_same<T, Char>::value &&
+        !std::is_same<const T&,
+                      decltype(arg_mapper<Context>().map(value))>::value,
+    OutputIt> {
+  return write<Char>(out, arg_mapper<Context>().map(value));
+}
+
+template <typename Char, typename OutputIt, typename T,
+          typename Context = basic_format_context<OutputIt, Char>>
+FMT_CONSTEXPR auto write(OutputIt out, const T& value)
+    -> enable_if_t<mapped_type_constant<T, Context>::value == type::custom_type,
+                   OutputIt> {
+  using formatter_type =
+      conditional_t<has_formatter<T, Context>::value,
+                    typename Context::template formatter_type<T>,
+                    fallback_formatter<T, Char>>;
+  auto ctx = Context(out, {}, {});
+  return formatter_type().format(value, ctx);
+}
+
+// An argument visitor that formats the argument and writes it via the output
+// iterator. It's a class and not a generic lambda for compatibility with C++11.
+template <typename Char> struct default_arg_formatter {
+  using iterator = buffer_appender<Char>;
+  using context = buffer_context<Char>;
+
+  iterator out;
+  basic_format_args<context> args;
+  locale_ref loc;
+
+  template <typename T> auto operator()(T value) -> iterator {
+    return write<Char>(out, value);
+  }
+  auto operator()(typename basic_format_arg<context>::handle h) -> iterator {
+    basic_format_parse_context<Char> parse_ctx({});
+    context format_ctx(out, args, loc);
+    h.format(parse_ctx, format_ctx);
+    return format_ctx.out();
+  }
+};
+
+template <typename Char> struct arg_formatter {
+  using iterator = buffer_appender<Char>;
+  using context = buffer_context<Char>;
+
+  iterator out;
+  const basic_format_specs<Char>& specs;
+  locale_ref locale;
+
+  template <typename T>
+  FMT_CONSTEXPR FMT_INLINE auto operator()(T value) -> iterator {
+    return detail::write(out, value, specs, locale);
+  }
+  auto operator()(typename basic_format_arg<context>::handle) -> iterator {
+    // User-defined types are handled separately because they require access
+    // to the parse context.
+    return out;
+  }
+};
+
+template <typename Char> struct custom_formatter {
+  basic_format_parse_context<Char>& parse_ctx;
+  buffer_context<Char>& ctx;
+
+  void operator()(
+      typename basic_format_arg<buffer_context<Char>>::handle h) const {
+    h.format(parse_ctx, ctx);
+  }
+  template <typename T> void operator()(T) const {}
+};
+
+template <typename T>
+using is_integer =
+    bool_constant<is_integral<T>::value && !std::is_same<T, bool>::value &&
+                  !std::is_same<T, char>::value &&
+                  !std::is_same<T, wchar_t>::value>;
+
+template <typename ErrorHandler> class width_checker {
+ public:
+  explicit FMT_CONSTEXPR width_checker(ErrorHandler& eh) : handler_(eh) {}
+
+  template <typename T, FMT_ENABLE_IF(is_integer<T>::value)>
+  FMT_CONSTEXPR auto operator()(T value) -> unsigned long long {
+    if (is_negative(value)) handler_.on_error("negative width");
+    return static_cast<unsigned long long>(value);
+  }
+
+  template <typename T, FMT_ENABLE_IF(!is_integer<T>::value)>
+  FMT_CONSTEXPR auto operator()(T) -> unsigned long long {
+    handler_.on_error("width is not integer");
+    return 0;
+  }
+
+ private:
+  ErrorHandler& handler_;
+};
+
+template <typename ErrorHandler> class precision_checker {
+ public:
+  explicit FMT_CONSTEXPR precision_checker(ErrorHandler& eh) : handler_(eh) {}
+
+  template <typename T, FMT_ENABLE_IF(is_integer<T>::value)>
+  FMT_CONSTEXPR auto operator()(T value) -> unsigned long long {
+    if (is_negative(value)) handler_.on_error("negative precision");
+    return static_cast<unsigned long long>(value);
+  }
+
+  template <typename T, FMT_ENABLE_IF(!is_integer<T>::value)>
+  FMT_CONSTEXPR auto operator()(T) -> unsigned long long {
+    handler_.on_error("precision is not integer");
+    return 0;
+  }
+
+ private:
+  ErrorHandler& handler_;
+};
+
+template <template <typename> class Handler, typename FormatArg,
+          typename ErrorHandler>
+FMT_CONSTEXPR auto get_dynamic_spec(FormatArg arg, ErrorHandler eh) -> int {
+  unsigned long long value = visit_format_arg(Handler<ErrorHandler>(eh), arg);
+  if (value > to_unsigned(max_value<int>())) eh.on_error("number is too big");
+  return static_cast<int>(value);
+}
+
+template <typename Context, typename ID>
+FMT_CONSTEXPR auto get_arg(Context& ctx, ID id) ->
+    typename Context::format_arg {
+  auto arg = ctx.arg(id);
+  if (!arg) ctx.on_error("argument not found");
+  return arg;
+}
+
+// The standard format specifier handler with checking.
+template <typename Char> class specs_handler : public specs_setter<Char> {
+ private:
+  basic_format_parse_context<Char>& parse_context_;
+  buffer_context<Char>& context_;
+
+  // This is only needed for compatibility with gcc 4.4.
+  using format_arg = basic_format_arg<buffer_context<Char>>;
+
+  FMT_CONSTEXPR auto get_arg(auto_id) -> format_arg {
+    return detail::get_arg(context_, parse_context_.next_arg_id());
+  }
+
+  FMT_CONSTEXPR auto get_arg(int arg_id) -> format_arg {
+    parse_context_.check_arg_id(arg_id);
+    return detail::get_arg(context_, arg_id);
+  }
+
+  FMT_CONSTEXPR auto get_arg(basic_string_view<Char> arg_id) -> format_arg {
+    parse_context_.check_arg_id(arg_id);
+    return detail::get_arg(context_, arg_id);
+  }
+
+ public:
+  FMT_CONSTEXPR specs_handler(basic_format_specs<Char>& specs,
+                              basic_format_parse_context<Char>& parse_ctx,
+                              buffer_context<Char>& ctx)
+      : specs_setter<Char>(specs), parse_context_(parse_ctx), context_(ctx) {}
+
+  template <typename Id> FMT_CONSTEXPR void on_dynamic_width(Id arg_id) {
+    this->specs_.width = get_dynamic_spec<width_checker>(
+        get_arg(arg_id), context_.error_handler());
+  }
+
+  template <typename Id> FMT_CONSTEXPR void on_dynamic_precision(Id arg_id) {
+    this->specs_.precision = get_dynamic_spec<precision_checker>(
+        get_arg(arg_id), context_.error_handler());
+  }
+
+  void on_error(const char* message) { context_.on_error(message); }
+};
+
+template <template <typename> class Handler, typename Context>
+FMT_CONSTEXPR void handle_dynamic_spec(int& value,
+                                       arg_ref<typename Context::char_type> ref,
+                                       Context& ctx) {
+  switch (ref.kind) {
+  case arg_id_kind::none:
+    break;
+  case arg_id_kind::index:
+    value = detail::get_dynamic_spec<Handler>(ctx.arg(ref.val.index),
+                                              ctx.error_handler());
+    break;
+  case arg_id_kind::name:
+    value = detail::get_dynamic_spec<Handler>(ctx.arg(ref.val.name),
+                                              ctx.error_handler());
+    break;
+  }
+}
+
+#define FMT_STRING_IMPL(s, base, explicit)                                 \
+  [] {                                                                     \
+    /* Use the hidden visibility as a workaround for a GCC bug (#1973). */ \
+    /* Use a macro-like name to avoid shadowing warnings. */               \
+    struct FMT_GCC_VISIBILITY_HIDDEN FMT_COMPILE_STRING : base {           \
+      using char_type = fmt::remove_cvref_t<decltype(s[0])>;               \
+      FMT_MAYBE_UNUSED FMT_CONSTEXPR explicit                              \
+      operator fmt::basic_string_view<char_type>() const {                 \
+        return fmt::detail_exported::compile_string_to_view<char_type>(s); \
+      }                                                                    \
+    };                                                                     \
+    return FMT_COMPILE_STRING();                                           \
+  }()
+
+/**
+  \rst
+  Constructs a compile-time format string from a string literal *s*.
+
+  **Example**::
+
+    // A compile-time error because 'd' is an invalid specifier for strings.
+    std::string s = fmt::format(FMT_STRING("{:d}"), "foo");
+  \endrst
+ */
+#define FMT_STRING(s) FMT_STRING_IMPL(s, fmt::compile_string, )
+
+#if FMT_USE_USER_DEFINED_LITERALS
+template <typename Char> struct udl_formatter {
+  basic_string_view<Char> str;
+
+  template <typename... T>
+  auto operator()(T&&... args) const -> std::basic_string<Char> {
+    return vformat(str, fmt::make_args_checked<T...>(str, args...));
+  }
+};
+
+#  if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+template <typename T, typename Char, size_t N,
+          fmt::detail_exported::fixed_string<Char, N> Str>
+struct statically_named_arg : view {
+  static constexpr auto name = Str.data;
+
+  const T& value;
+  statically_named_arg(const T& v) : value(v) {}
+};
+
+template <typename T, typename Char, size_t N,
+          fmt::detail_exported::fixed_string<Char, N> Str>
+struct is_named_arg<statically_named_arg<T, Char, N, Str>> : std::true_type {};
+
+template <typename T, typename Char, size_t N,
+          fmt::detail_exported::fixed_string<Char, N> Str>
+struct is_statically_named_arg<statically_named_arg<T, Char, N, Str>>
+    : std::true_type {};
+
+template <typename Char, size_t N,
+          fmt::detail_exported::fixed_string<Char, N> Str>
+struct udl_arg {
+  template <typename T> auto operator=(T&& value) const {
+    return statically_named_arg<T, Char, N, Str>(std::forward<T>(value));
+  }
+};
+#  else
+template <typename Char> struct udl_arg {
+  const Char* str;
+
+  template <typename T> auto operator=(T&& value) const -> named_arg<Char, T> {
+    return {str, std::forward<T>(value)};
+  }
+};
+#  endif
+#endif  // FMT_USE_USER_DEFINED_LITERALS
+
+template <typename Locale, typename Char>
+auto vformat(const Locale& loc, basic_string_view<Char> format_str,
+             basic_format_args<buffer_context<type_identity_t<Char>>> args)
+    -> std::basic_string<Char> {
+  basic_memory_buffer<Char> buffer;
+  detail::vformat_to(buffer, format_str, args, detail::locale_ref(loc));
+  return {buffer.data(), buffer.size()};
+}
+
+using format_func = void (*)(detail::buffer<char>&, int, const char*);
+
+FMT_API void format_error_code(buffer<char>& out, int error_code,
+                               string_view message) FMT_NOEXCEPT;
+
+FMT_API void report_error(format_func func, int error_code,
+                          const char* message) FMT_NOEXCEPT;
+FMT_END_DETAIL_NAMESPACE
+
+FMT_API auto vsystem_error(int error_code, string_view format_str,
+                           format_args args) -> std::system_error;
+
+/**
+ \rst
+ Constructs :class:`std::system_error` with a message formatted with
+ ``fmt::format(fmt, args...)``.
+  *error_code* is a system error code as given by ``errno``.
+
+ **Example**::
+
+   // This throws std::system_error with the description
+   //   cannot open file 'madeup': No such file or directory
+   // or similar (system message may vary).
+   const char* filename = "madeup";
+   std::FILE* file = std::fopen(filename, "r");
+   if (!file)
+     throw fmt::system_error(errno, "cannot open file '{}'", filename);
+ \endrst
+*/
+template <typename... T>
+auto system_error(int error_code, format_string<T...> fmt, T&&... args)
+    -> std::system_error {
+  return vsystem_error(error_code, fmt, fmt::make_format_args(args...));
+}
+
+/**
+  \rst
+  Formats an error message for an error returned by an operating system or a
+  language runtime, for example a file opening error, and writes it to *out*.
+  The format is the same as the one used by ``std::system_error(ec, message)``
+  where ``ec`` is ``std::error_code(error_code, std::generic_category()})``.
+  It is implementation-defined but normally looks like:
+
+  .. parsed-literal::
+     *<message>*: *<system-message>*
+
+  where *<message>* is the passed message and *<system-message>* is the system
+  message corresponding to the error code.
+  *error_code* is a system error code as given by ``errno``.
+  \endrst
+ */
+FMT_API void format_system_error(detail::buffer<char>& out, int error_code,
+                                 const char* message) FMT_NOEXCEPT;
+
+// Reports a system error without throwing an exception.
+// Can be used to report errors from destructors.
+FMT_API void report_system_error(int error_code,
+                                 const char* message) FMT_NOEXCEPT;
+
+/** Fast integer formatter. */
+class format_int {
+ private:
+  // Buffer should be large enough to hold all digits (digits10 + 1),
+  // a sign and a null character.
+  enum { buffer_size = std::numeric_limits<unsigned long long>::digits10 + 3 };
+  mutable char buffer_[buffer_size];
+  char* str_;
+
+  template <typename UInt> auto format_unsigned(UInt value) -> char* {
+    auto n = static_cast<detail::uint32_or_64_or_128_t<UInt>>(value);
+    return detail::format_decimal(buffer_, n, buffer_size - 1).begin;
+  }
+
+  template <typename Int> auto format_signed(Int value) -> char* {
+    auto abs_value = static_cast<detail::uint32_or_64_or_128_t<Int>>(value);
+    bool negative = value < 0;
+    if (negative) abs_value = 0 - abs_value;
+    auto begin = format_unsigned(abs_value);
+    if (negative) *--begin = '-';
+    return begin;
+  }
+
+ public:
+  explicit format_int(int value) : str_(format_signed(value)) {}
+  explicit format_int(long value) : str_(format_signed(value)) {}
+  explicit format_int(long long value) : str_(format_signed(value)) {}
+  explicit format_int(unsigned value) : str_(format_unsigned(value)) {}
+  explicit format_int(unsigned long value) : str_(format_unsigned(value)) {}
+  explicit format_int(unsigned long long value)
+      : str_(format_unsigned(value)) {}
+
+  /** Returns the number of characters written to the output buffer. */
+  auto size() const -> size_t {
+    return detail::to_unsigned(buffer_ - str_ + buffer_size - 1);
+  }
+
+  /**
+    Returns a pointer to the output buffer content. No terminating null
+    character is appended.
+   */
+  auto data() const -> const char* { return str_; }
+
+  /**
+    Returns a pointer to the output buffer content with terminating null
+    character appended.
+   */
+  auto c_str() const -> const char* {
+    buffer_[buffer_size - 1] = '\0';
+    return str_;
+  }
+
+  /**
+    \rst
+    Returns the content of the output buffer as an ``std::string``.
+    \endrst
+   */
+  auto str() const -> std::string { return std::string(str_, size()); }
+};
+
+template <typename T, typename Char>
+template <typename FormatContext>
+FMT_CONSTEXPR FMT_INLINE auto
+formatter<T, Char,
+          enable_if_t<detail::type_constant<T, Char>::value !=
+                      detail::type::custom_type>>::format(const T& val,
+                                                          FormatContext& ctx)
+    const -> decltype(ctx.out()) {
+  if (specs_.width_ref.kind != detail::arg_id_kind::none ||
+      specs_.precision_ref.kind != detail::arg_id_kind::none) {
+    auto specs = specs_;
+    detail::handle_dynamic_spec<detail::width_checker>(specs.width,
+                                                       specs.width_ref, ctx);
+    detail::handle_dynamic_spec<detail::precision_checker>(
+        specs.precision, specs.precision_ref, ctx);
+    return detail::write<Char>(ctx.out(), val, specs, ctx.locale());
+  }
+  return detail::write<Char>(ctx.out(), val, specs_, ctx.locale());
+}
+
+#define FMT_FORMAT_AS(Type, Base)                                        \
+  template <typename Char>                                               \
+  struct formatter<Type, Char> : formatter<Base, Char> {                 \
+    template <typename FormatContext>                                    \
+    auto format(Type const& val, FormatContext& ctx) const               \
+        -> decltype(ctx.out()) {                                         \
+      return formatter<Base, Char>::format(static_cast<Base>(val), ctx); \
+    }                                                                    \
+  }
+
+FMT_FORMAT_AS(signed char, int);
+FMT_FORMAT_AS(unsigned char, unsigned);
+FMT_FORMAT_AS(short, int);
+FMT_FORMAT_AS(unsigned short, unsigned);
+FMT_FORMAT_AS(long, long long);
+FMT_FORMAT_AS(unsigned long, unsigned long long);
+FMT_FORMAT_AS(Char*, const Char*);
+FMT_FORMAT_AS(std::basic_string<Char>, basic_string_view<Char>);
+FMT_FORMAT_AS(std::nullptr_t, const void*);
+FMT_FORMAT_AS(detail::byte, unsigned char);
+FMT_FORMAT_AS(detail::std_string_view<Char>, basic_string_view<Char>);
+
+template <typename Char>
+struct formatter<void*, Char> : formatter<const void*, Char> {
+  template <typename FormatContext>
+  auto format(void* val, FormatContext& ctx) const -> decltype(ctx.out()) {
+    return formatter<const void*, Char>::format(val, ctx);
+  }
+};
+
+template <typename Char, size_t N>
+struct formatter<Char[N], Char> : formatter<basic_string_view<Char>, Char> {
+  template <typename FormatContext>
+  FMT_CONSTEXPR auto format(const Char* val, FormatContext& ctx) const
+      -> decltype(ctx.out()) {
+    return formatter<basic_string_view<Char>, Char>::format(val, ctx);
+  }
+};
+
+// A formatter for types known only at run time such as variant alternatives.
+//
+// Usage:
+//   using variant = std::variant<int, std::string>;
+//   template <>
+//   struct formatter<variant>: dynamic_formatter<> {
+//     auto format(const variant& v, format_context& ctx) {
+//       return visit([&](const auto& val) {
+//           return dynamic_formatter<>::format(val, ctx);
+//       }, v);
+//     }
+//   };
+template <typename Char = char> class dynamic_formatter {
+ private:
+  detail::dynamic_format_specs<Char> specs_;
+  const Char* format_str_;
+
+  struct null_handler : detail::error_handler {
+    void on_align(align_t) {}
+    void on_sign(sign_t) {}
+    void on_hash() {}
+  };
+
+  template <typename Context> void handle_specs(Context& ctx) {
+    detail::handle_dynamic_spec<detail::width_checker>(specs_.width,
+                                                       specs_.width_ref, ctx);
+    detail::handle_dynamic_spec<detail::precision_checker>(
+        specs_.precision, specs_.precision_ref, ctx);
+  }
+
+ public:
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    format_str_ = ctx.begin();
+    // Checks are deferred to formatting time when the argument type is known.
+    detail::dynamic_specs_handler<ParseContext> handler(specs_, ctx);
+    return detail::parse_format_specs(ctx.begin(), ctx.end(), handler);
+  }
+
+  template <typename T, typename FormatContext>
+  auto format(const T& val, FormatContext& ctx) -> decltype(ctx.out()) {
+    handle_specs(ctx);
+    detail::specs_checker<null_handler> checker(
+        null_handler(), detail::mapped_type_constant<T, FormatContext>::value);
+    checker.on_align(specs_.align);
+    if (specs_.sign != sign::none) checker.on_sign(specs_.sign);
+    if (specs_.alt) checker.on_hash();
+    if (specs_.precision >= 0) checker.end_precision();
+    return detail::write<Char>(ctx.out(), val, specs_, ctx.locale());
+  }
+};
+
+/**
+  \rst
+  Converts ``p`` to ``const void*`` for pointer formatting.
+
+  **Example**::
+
+    auto s = fmt::format("{}", fmt::ptr(p));
+  \endrst
+ */
+template <typename T> auto ptr(T p) -> const void* {
+  static_assert(std::is_pointer<T>::value, "");
+  return detail::bit_cast<const void*>(p);
+}
+template <typename T> auto ptr(const std::unique_ptr<T>& p) -> const void* {
+  return p.get();
+}
+template <typename T> auto ptr(const std::shared_ptr<T>& p) -> const void* {
+  return p.get();
+}
+
+class bytes {
+ private:
+  string_view data_;
+  friend struct formatter<bytes>;
+
+ public:
+  explicit bytes(string_view data) : data_(data) {}
+};
+
+template <> struct formatter<bytes> {
+ private:
+  detail::dynamic_format_specs<char> specs_;
+
+ public:
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    using handler_type = detail::dynamic_specs_handler<ParseContext>;
+    detail::specs_checker<handler_type> handler(handler_type(specs_, ctx),
+                                                detail::type::string_type);
+    auto it = parse_format_specs(ctx.begin(), ctx.end(), handler);
+    detail::check_string_type_spec(specs_.type, ctx.error_handler());
+    return it;
+  }
+
+  template <typename FormatContext>
+  auto format(bytes b, FormatContext& ctx) -> decltype(ctx.out()) {
+    detail::handle_dynamic_spec<detail::width_checker>(specs_.width,
+                                                       specs_.width_ref, ctx);
+    detail::handle_dynamic_spec<detail::precision_checker>(
+        specs_.precision, specs_.precision_ref, ctx);
+    return detail::write_bytes(ctx.out(), b.data_, specs_);
+  }
+};
+
+// group_digits_view is not derived from view because it copies the argument.
+template <typename T> struct group_digits_view { T value; };
+
+/**
+  \rst
+  Returns a view that formats an integer value using ',' as a locale-independent
+  thousands separator.
+
+  **Example**::
+
+    fmt::print("{}", fmt::group_digits(12345));
+    // Output: "12,345"
+  \endrst
+ */
+template <typename T> auto group_digits(T value) -> group_digits_view<T> {
+  return {value};
+}
+
+template <typename T> struct formatter<group_digits_view<T>> : formatter<T> {
+ private:
+  detail::dynamic_format_specs<char> specs_;
+
+ public:
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    using handler_type = detail::dynamic_specs_handler<ParseContext>;
+    detail::specs_checker<handler_type> handler(handler_type(specs_, ctx),
+                                                detail::type::int_type);
+    auto it = parse_format_specs(ctx.begin(), ctx.end(), handler);
+    detail::check_string_type_spec(specs_.type, ctx.error_handler());
+    return it;
+  }
+
+  template <typename FormatContext>
+  auto format(group_digits_view<T> t, FormatContext& ctx)
+      -> decltype(ctx.out()) {
+    detail::handle_dynamic_spec<detail::width_checker>(specs_.width,
+                                                       specs_.width_ref, ctx);
+    detail::handle_dynamic_spec<detail::precision_checker>(
+        specs_.precision, specs_.precision_ref, ctx);
+    return detail::write_int_localized(
+        ctx.out(), static_cast<detail::uint64_or_128_t<T>>(t.value), 0, specs_,
+        detail::digit_grouping<char>({"\3", ','}));
+  }
+};
+
+template <typename It, typename Sentinel, typename Char = char>
+struct join_view : detail::view {
+  It begin;
+  Sentinel end;
+  basic_string_view<Char> sep;
+
+  join_view(It b, Sentinel e, basic_string_view<Char> s)
+      : begin(b), end(e), sep(s) {}
+};
+
+template <typename It, typename Sentinel, typename Char>
+using arg_join FMT_DEPRECATED_ALIAS = join_view<It, Sentinel, Char>;
+
+template <typename It, typename Sentinel, typename Char>
+struct formatter<join_view<It, Sentinel, Char>, Char> {
+ private:
+  using value_type =
+#ifdef __cpp_lib_ranges
+      std::iter_value_t<It>;
+#else
+      typename std::iterator_traits<It>::value_type;
+#endif
+  using context = buffer_context<Char>;
+  using mapper = detail::arg_mapper<context>;
+
+  template <typename T, FMT_ENABLE_IF(has_formatter<T, context>::value)>
+  static auto map(const T& value) -> const T& {
+    return value;
+  }
+  template <typename T, FMT_ENABLE_IF(!has_formatter<T, context>::value)>
+  static auto map(const T& value) -> decltype(mapper().map(value)) {
+    return mapper().map(value);
+  }
+
+  using formatter_type =
+      conditional_t<is_formattable<value_type, Char>::value,
+                    formatter<remove_cvref_t<decltype(map(
+                                  std::declval<const value_type&>()))>,
+                              Char>,
+                    detail::fallback_formatter<value_type, Char>>;
+
+  formatter_type value_formatter_;
+
+ public:
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return value_formatter_.parse(ctx);
+  }
+
+  template <typename FormatContext>
+  auto format(const join_view<It, Sentinel, Char>& value, FormatContext& ctx)
+      -> decltype(ctx.out()) {
+    auto it = value.begin;
+    auto out = ctx.out();
+    if (it != value.end) {
+      out = value_formatter_.format(map(*it), ctx);
+      ++it;
+      while (it != value.end) {
+        out = detail::copy_str<Char>(value.sep.begin(), value.sep.end(), out);
+        ctx.advance_to(out);
+        out = value_formatter_.format(map(*it), ctx);
+        ++it;
+      }
+    }
+    return out;
+  }
+};
+
+/**
+  Returns a view that formats the iterator range `[begin, end)` with elements
+  separated by `sep`.
+ */
+template <typename It, typename Sentinel>
+auto join(It begin, Sentinel end, string_view sep) -> join_view<It, Sentinel> {
+  return {begin, end, sep};
+}
+
+/**
+  \rst
+  Returns a view that formats `range` with elements separated by `sep`.
+
+  **Example**::
+
+    std::vector<int> v = {1, 2, 3};
+    fmt::print("{}", fmt::join(v, ", "));
+    // Output: "1, 2, 3"
+
+  ``fmt::join`` applies passed format specifiers to the range elements::
+
+    fmt::print("{:02}", fmt::join(v, ", "));
+    // Output: "01, 02, 03"
+  \endrst
+ */
+template <typename Range>
+auto join(Range&& range, string_view sep)
+    -> join_view<detail::iterator_t<Range>, detail::sentinel_t<Range>> {
+  return join(std::begin(range), std::end(range), sep);
+}
+
+/**
+  \rst
+  Converts *value* to ``std::string`` using the default format for type *T*.
+
+  **Example**::
+
+    #include <fmt/format.h>
+
+    std::string answer = fmt::to_string(42);
+  \endrst
+ */
+template <typename T, FMT_ENABLE_IF(!std::is_integral<T>::value)>
+inline auto to_string(const T& value) -> std::string {
+  auto result = std::string();
+  detail::write<char>(std::back_inserter(result), value);
+  return result;
+}
+
+template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+FMT_NODISCARD inline auto to_string(T value) -> std::string {
+  // The buffer should be large enough to store the number including the sign
+  // or "false" for bool.
+  constexpr int max_size = detail::digits10<T>() + 2;
+  char buffer[max_size > 5 ? static_cast<unsigned>(max_size) : 5];
+  char* begin = buffer;
+  return std::string(begin, detail::write<char>(begin, value));
+}
+
+template <typename Char, size_t SIZE>
+FMT_NODISCARD auto to_string(const basic_memory_buffer<Char, SIZE>& buf)
+    -> std::basic_string<Char> {
+  auto size = buf.size();
+  detail::assume(size < std::basic_string<Char>().max_size());
+  return std::basic_string<Char>(buf.data(), size);
+}
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+template <typename Char>
+void vformat_to(
+    buffer<Char>& buf, basic_string_view<Char> fmt,
+    basic_format_args<FMT_BUFFER_CONTEXT(type_identity_t<Char>)> args,
+    locale_ref loc) {
+  // workaround for msvc bug regarding name-lookup in module
+  // link names into function scope
+  using detail::arg_formatter;
+  using detail::buffer_appender;
+  using detail::custom_formatter;
+  using detail::default_arg_formatter;
+  using detail::get_arg;
+  using detail::locale_ref;
+  using detail::parse_format_specs;
+  using detail::specs_checker;
+  using detail::specs_handler;
+  using detail::to_unsigned;
+  using detail::type;
+  using detail::write;
+  auto out = buffer_appender<Char>(buf);
+  if (fmt.size() == 2 && equal2(fmt.data(), "{}")) {
+    auto arg = args.get(0);
+    if (!arg) error_handler().on_error("argument not found");
+    visit_format_arg(default_arg_formatter<Char>{out, args, loc}, arg);
+    return;
+  }
+
+  struct format_handler : error_handler {
+    basic_format_parse_context<Char> parse_context;
+    buffer_context<Char> context;
+
+    format_handler(buffer_appender<Char> out, basic_string_view<Char> str,
+                   basic_format_args<buffer_context<Char>> args, locale_ref loc)
+        : parse_context(str), context(out, args, loc) {}
+
+    void on_text(const Char* begin, const Char* end) {
+      auto text = basic_string_view<Char>(begin, to_unsigned(end - begin));
+      context.advance_to(write<Char>(context.out(), text));
+    }
+
+    FMT_CONSTEXPR auto on_arg_id() -> int {
+      return parse_context.next_arg_id();
+    }
+    FMT_CONSTEXPR auto on_arg_id(int id) -> int {
+      return parse_context.check_arg_id(id), id;
+    }
+    FMT_CONSTEXPR auto on_arg_id(basic_string_view<Char> id) -> int {
+      int arg_id = context.arg_id(id);
+      if (arg_id < 0) on_error("argument not found");
+      return arg_id;
+    }
+
+    FMT_INLINE void on_replacement_field(int id, const Char*) {
+      auto arg = get_arg(context, id);
+      context.advance_to(visit_format_arg(
+          default_arg_formatter<Char>{context.out(), context.args(),
+                                      context.locale()},
+          arg));
+    }
+
+    auto on_format_specs(int id, const Char* begin, const Char* end)
+        -> const Char* {
+      auto arg = get_arg(context, id);
+      if (arg.type() == type::custom_type) {
+        parse_context.advance_to(parse_context.begin() +
+                                 (begin - &*parse_context.begin()));
+        visit_format_arg(custom_formatter<Char>{parse_context, context}, arg);
+        return parse_context.begin();
+      }
+      auto specs = basic_format_specs<Char>();
+      specs_checker<specs_handler<Char>> handler(
+          specs_handler<Char>(specs, parse_context, context), arg.type());
+      begin = parse_format_specs(begin, end, handler);
+      if (begin == end || *begin != '}')
+        on_error("missing '}' in format string");
+      auto f = arg_formatter<Char>{context.out(), specs, context.locale()};
+      context.advance_to(visit_format_arg(f, arg));
+      return begin;
+    }
+  };
+  detail::parse_format_string<false>(fmt, format_handler(out, fmt, args, loc));
+}
+
+#ifndef FMT_HEADER_ONLY
+extern template FMT_API auto thousands_sep_impl<char>(locale_ref)
+    -> thousands_sep_result<char>;
+extern template FMT_API auto thousands_sep_impl<wchar_t>(locale_ref)
+    -> thousands_sep_result<wchar_t>;
+extern template FMT_API auto decimal_point_impl(locale_ref) -> char;
+extern template FMT_API auto decimal_point_impl(locale_ref) -> wchar_t;
+extern template auto format_float<double>(double value, int precision,
+                                          float_specs specs, buffer<char>& buf)
+    -> int;
+extern template auto format_float<long double>(long double value, int precision,
+                                               float_specs specs,
+                                               buffer<char>& buf) -> int;
+void snprintf_float(float, int, float_specs, buffer<char>&) = delete;
+extern template auto snprintf_float<double>(double value, int precision,
+                                            float_specs specs,
+                                            buffer<char>& buf) -> int;
+extern template auto snprintf_float<long double>(long double value,
+                                                 int precision,
+                                                 float_specs specs,
+                                                 buffer<char>& buf) -> int;
+#endif  // FMT_HEADER_ONLY
+
+FMT_END_DETAIL_NAMESPACE
+
+#if FMT_USE_USER_DEFINED_LITERALS
+inline namespace literals {
+/**
+  \rst
+  User-defined literal equivalent of :func:`fmt::arg`.
+
+  **Example**::
+
+    using namespace fmt::literals;
+    fmt::print("Elapsed time: {s:.2f} seconds", "s"_a=1.23);
+  \endrst
+ */
+#  if FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+template <detail_exported::fixed_string Str>
+constexpr auto operator""_a()
+    -> detail::udl_arg<remove_cvref_t<decltype(Str.data[0])>,
+                       sizeof(Str.data) / sizeof(decltype(Str.data[0])), Str> {
+  return {};
+}
+#  else
+constexpr auto operator"" _a(const char* s, size_t) -> detail::udl_arg<char> {
+  return {s};
+}
+#  endif
+
+// DEPRECATED!
+// User-defined literal equivalent of fmt::format.
+FMT_DEPRECATED constexpr auto operator"" _format(const char* s, size_t n)
+    -> detail::udl_formatter<char> {
+  return {{s, n}};
+}
+}  // namespace literals
+#endif  // FMT_USE_USER_DEFINED_LITERALS
+
+template <typename Locale, FMT_ENABLE_IF(detail::is_locale<Locale>::value)>
+inline auto vformat(const Locale& loc, string_view fmt, format_args args)
+    -> std::string {
+  return detail::vformat(loc, fmt, args);
+}
+
+template <typename Locale, typename... T,
+          FMT_ENABLE_IF(detail::is_locale<Locale>::value)>
+inline auto format(const Locale& loc, format_string<T...> fmt, T&&... args)
+    -> std::string {
+  return vformat(loc, string_view(fmt), fmt::make_format_args(args...));
+}
+
+template <typename... T, size_t SIZE, typename Allocator>
+FMT_DEPRECATED auto format_to(basic_memory_buffer<char, SIZE, Allocator>& buf,
+                              format_string<T...> fmt, T&&... args)
+    -> appender {
+  detail::vformat_to(buf, string_view(fmt), fmt::make_format_args(args...));
+  return appender(buf);
+}
+
+template <typename OutputIt, typename Locale,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, char>::value&&
+                            detail::is_locale<Locale>::value)>
+auto vformat_to(OutputIt out, const Locale& loc, string_view fmt,
+                format_args args) -> OutputIt {
+  using detail::get_buffer;
+  auto&& buf = get_buffer<char>(out);
+  detail::vformat_to(buf, fmt, args, detail::locale_ref(loc));
+  return detail::get_iterator(buf);
+}
+
+template <typename OutputIt, typename Locale, typename... T,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, char>::value&&
+                            detail::is_locale<Locale>::value)>
+FMT_INLINE auto format_to(OutputIt out, const Locale& loc,
+                          format_string<T...> fmt, T&&... args) -> OutputIt {
+  return vformat_to(out, loc, fmt, fmt::make_format_args(args...));
+}
+
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#ifdef FMT_DEPRECATED_INCLUDE_XCHAR
+#  include "xchar.h"
+#endif
+
+#ifdef FMT_HEADER_ONLY
+#  define FMT_FUNC inline
+#  include "format-inl.h"
+#else
+#  define FMT_FUNC
+#endif
+
+#endif  // FMT_FORMAT_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/locale.h b/ctrtool/deps/libfmt/include/fmt/locale.h
new file mode 100644
index 00000000..7571b526
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/locale.h
@@ -0,0 +1,2 @@
+#include "xchar.h"
+#warning fmt/locale.h is deprecated, include fmt/format.h or fmt/xchar.h instead
diff --git a/ctrtool/deps/libfmt/include/fmt/os.h b/ctrtool/deps/libfmt/include/fmt/os.h
new file mode 100644
index 00000000..b64f8bbf
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/os.h
@@ -0,0 +1,527 @@
+// Formatting library for C++ - optional OS-specific functionality
+//
+// Copyright (c) 2012 - present, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_OS_H_
+#define FMT_OS_H_
+
+#include <cerrno>
+#include <clocale>  // locale_t
+#include <cstddef>
+#include <cstdio>
+#include <cstdlib>       // strtod_l
+#include <system_error>  // std::system_error
+
+#if defined __APPLE__ || defined(__FreeBSD__)
+#  include <xlocale.h>  // for LC_NUMERIC_MASK on OS X
+#endif
+
+#include "format.h"
+
+#ifndef FMT_USE_FCNTL
+// UWP doesn't provide _pipe.
+#  if FMT_HAS_INCLUDE("winapifamily.h")
+#    include <winapifamily.h>
+#  endif
+#  if (FMT_HAS_INCLUDE(<fcntl.h>) || defined(__APPLE__) || \
+       defined(__linux__)) &&                              \
+      (!defined(WINAPI_FAMILY) ||                          \
+       (WINAPI_FAMILY == WINAPI_FAMILY_DESKTOP_APP))
+#    include <fcntl.h>  // for O_RDONLY
+#    define FMT_USE_FCNTL 1
+#  else
+#    define FMT_USE_FCNTL 0
+#  endif
+#endif
+
+#ifndef FMT_POSIX
+#  if defined(_WIN32) && !defined(__MINGW32__)
+// Fix warnings about deprecated symbols.
+#    define FMT_POSIX(call) _##call
+#  else
+#    define FMT_POSIX(call) call
+#  endif
+#endif
+
+// Calls to system functions are wrapped in FMT_SYSTEM for testability.
+#ifdef FMT_SYSTEM
+#  define FMT_POSIX_CALL(call) FMT_SYSTEM(call)
+#else
+#  define FMT_SYSTEM(call) ::call
+#  ifdef _WIN32
+// Fix warnings about deprecated symbols.
+#    define FMT_POSIX_CALL(call) ::_##call
+#  else
+#    define FMT_POSIX_CALL(call) ::call
+#  endif
+#endif
+
+// Retries the expression while it evaluates to error_result and errno
+// equals to EINTR.
+#ifndef _WIN32
+#  define FMT_RETRY_VAL(result, expression, error_result) \
+    do {                                                  \
+      (result) = (expression);                            \
+    } while ((result) == (error_result) && errno == EINTR)
+#else
+#  define FMT_RETRY_VAL(result, expression, error_result) result = (expression)
+#endif
+
+#define FMT_RETRY(result, expression) FMT_RETRY_VAL(result, expression, -1)
+
+FMT_BEGIN_NAMESPACE
+FMT_MODULE_EXPORT_BEGIN
+
+/**
+  \rst
+  A reference to a null-terminated string. It can be constructed from a C
+  string or ``std::string``.
+
+  You can use one of the following type aliases for common character types:
+
+  +---------------+-----------------------------+
+  | Type          | Definition                  |
+  +===============+=============================+
+  | cstring_view  | basic_cstring_view<char>    |
+  +---------------+-----------------------------+
+  | wcstring_view | basic_cstring_view<wchar_t> |
+  +---------------+-----------------------------+
+
+  This class is most useful as a parameter type to allow passing
+  different types of strings to a function, for example::
+
+    template <typename... Args>
+    std::string format(cstring_view format_str, const Args & ... args);
+
+    format("{}", 42);
+    format(std::string("{}"), 42);
+  \endrst
+ */
+template <typename Char> class basic_cstring_view {
+ private:
+  const Char* data_;
+
+ public:
+  /** Constructs a string reference object from a C string. */
+  basic_cstring_view(const Char* s) : data_(s) {}
+
+  /**
+    \rst
+    Constructs a string reference from an ``std::string`` object.
+    \endrst
+   */
+  basic_cstring_view(const std::basic_string<Char>& s) : data_(s.c_str()) {}
+
+  /** Returns the pointer to a C string. */
+  const Char* c_str() const { return data_; }
+};
+
+using cstring_view = basic_cstring_view<char>;
+using wcstring_view = basic_cstring_view<wchar_t>;
+
+template <typename Char> struct formatter<std::error_code, Char> {
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return ctx.begin();
+  }
+
+  template <typename FormatContext>
+  FMT_CONSTEXPR auto format(const std::error_code& ec, FormatContext& ctx) const
+      -> decltype(ctx.out()) {
+    auto out = ctx.out();
+    out = detail::write_bytes(out, ec.category().name(),
+                              basic_format_specs<Char>());
+    out = detail::write<Char>(out, Char(':'));
+    out = detail::write<Char>(out, ec.value());
+    return out;
+  }
+};
+
+#ifdef _WIN32
+FMT_API const std::error_category& system_category() FMT_NOEXCEPT;
+
+FMT_BEGIN_DETAIL_NAMESPACE
+// A converter from UTF-16 to UTF-8.
+// It is only provided for Windows since other systems support UTF-8 natively.
+class utf16_to_utf8 {
+ private:
+  memory_buffer buffer_;
+
+ public:
+  utf16_to_utf8() {}
+  FMT_API explicit utf16_to_utf8(basic_string_view<wchar_t> s);
+  operator string_view() const { return string_view(&buffer_[0], size()); }
+  size_t size() const { return buffer_.size() - 1; }
+  const char* c_str() const { return &buffer_[0]; }
+  std::string str() const { return std::string(&buffer_[0], size()); }
+
+  // Performs conversion returning a system error code instead of
+  // throwing exception on conversion error. This method may still throw
+  // in case of memory allocation error.
+  FMT_API int convert(basic_string_view<wchar_t> s);
+};
+
+FMT_API void format_windows_error(buffer<char>& out, int error_code,
+                                  const char* message) FMT_NOEXCEPT;
+FMT_END_DETAIL_NAMESPACE
+
+FMT_API std::system_error vwindows_error(int error_code, string_view format_str,
+                                         format_args args);
+
+/**
+ \rst
+ Constructs a :class:`std::system_error` object with the description
+ of the form
+
+ .. parsed-literal::
+   *<message>*: *<system-message>*
+
+ where *<message>* is the formatted message and *<system-message>* is the
+ system message corresponding to the error code.
+ *error_code* is a Windows error code as given by ``GetLastError``.
+ If *error_code* is not a valid error code such as -1, the system message
+ will look like "error -1".
+
+ **Example**::
+
+   // This throws a system_error with the description
+   //   cannot open file 'madeup': The system cannot find the file specified.
+   // or similar (system message may vary).
+   const char *filename = "madeup";
+   LPOFSTRUCT of = LPOFSTRUCT();
+   HFILE file = OpenFile(filename, &of, OF_READ);
+   if (file == HFILE_ERROR) {
+     throw fmt::windows_error(GetLastError(),
+                              "cannot open file '{}'", filename);
+   }
+ \endrst
+*/
+template <typename... Args>
+std::system_error windows_error(int error_code, string_view message,
+                                const Args&... args) {
+  return vwindows_error(error_code, message, fmt::make_format_args(args...));
+}
+
+// Reports a Windows error without throwing an exception.
+// Can be used to report errors from destructors.
+FMT_API void report_windows_error(int error_code,
+                                  const char* message) FMT_NOEXCEPT;
+#else
+inline const std::error_category& system_category() FMT_NOEXCEPT {
+  return std::system_category();
+}
+#endif  // _WIN32
+
+// std::system is not available on some platforms such as iOS (#2248).
+#ifdef __OSX__
+template <typename S, typename... Args, typename Char = char_t<S>>
+void say(const S& format_str, Args&&... args) {
+  std::system(format("say \"{}\"", format(format_str, args...)).c_str());
+}
+#endif
+
+// A buffered file.
+class buffered_file {
+ private:
+  FILE* file_;
+
+  friend class file;
+
+  explicit buffered_file(FILE* f) : file_(f) {}
+
+ public:
+  buffered_file(const buffered_file&) = delete;
+  void operator=(const buffered_file&) = delete;
+
+  // Constructs a buffered_file object which doesn't represent any file.
+  buffered_file() FMT_NOEXCEPT : file_(nullptr) {}
+
+  // Destroys the object closing the file it represents if any.
+  FMT_API ~buffered_file() FMT_NOEXCEPT;
+
+ public:
+  buffered_file(buffered_file&& other) FMT_NOEXCEPT : file_(other.file_) {
+    other.file_ = nullptr;
+  }
+
+  buffered_file& operator=(buffered_file&& other) {
+    close();
+    file_ = other.file_;
+    other.file_ = nullptr;
+    return *this;
+  }
+
+  // Opens a file.
+  FMT_API buffered_file(cstring_view filename, cstring_view mode);
+
+  // Closes the file.
+  FMT_API void close();
+
+  // Returns the pointer to a FILE object representing this file.
+  FILE* get() const FMT_NOEXCEPT { return file_; }
+
+  // We place parentheses around fileno to workaround a bug in some versions
+  // of MinGW that define fileno as a macro.
+  FMT_API int(fileno)() const;
+
+  void vprint(string_view format_str, format_args args) {
+    fmt::vprint(file_, format_str, args);
+  }
+
+  template <typename... Args>
+  inline void print(string_view format_str, const Args&... args) {
+    vprint(format_str, fmt::make_format_args(args...));
+  }
+};
+
+#if FMT_USE_FCNTL
+// A file. Closed file is represented by a file object with descriptor -1.
+// Methods that are not declared with FMT_NOEXCEPT may throw
+// fmt::system_error in case of failure. Note that some errors such as
+// closing the file multiple times will cause a crash on Windows rather
+// than an exception. You can get standard behavior by overriding the
+// invalid parameter handler with _set_invalid_parameter_handler.
+class file {
+ private:
+  int fd_;  // File descriptor.
+
+  // Constructs a file object with a given descriptor.
+  explicit file(int fd) : fd_(fd) {}
+
+ public:
+  // Possible values for the oflag argument to the constructor.
+  enum {
+    RDONLY = FMT_POSIX(O_RDONLY),  // Open for reading only.
+    WRONLY = FMT_POSIX(O_WRONLY),  // Open for writing only.
+    RDWR = FMT_POSIX(O_RDWR),      // Open for reading and writing.
+    CREATE = FMT_POSIX(O_CREAT),   // Create if the file doesn't exist.
+    APPEND = FMT_POSIX(O_APPEND),  // Open in append mode.
+    TRUNC = FMT_POSIX(O_TRUNC)     // Truncate the content of the file.
+  };
+
+  // Constructs a file object which doesn't represent any file.
+  file() FMT_NOEXCEPT : fd_(-1) {}
+
+  // Opens a file and constructs a file object representing this file.
+  FMT_API file(cstring_view path, int oflag);
+
+ public:
+  file(const file&) = delete;
+  void operator=(const file&) = delete;
+
+  file(file&& other) FMT_NOEXCEPT : fd_(other.fd_) { other.fd_ = -1; }
+
+  // Move assignment is not noexcept because close may throw.
+  file& operator=(file&& other) {
+    close();
+    fd_ = other.fd_;
+    other.fd_ = -1;
+    return *this;
+  }
+
+  // Destroys the object closing the file it represents if any.
+  FMT_API ~file() FMT_NOEXCEPT;
+
+  // Returns the file descriptor.
+  int descriptor() const FMT_NOEXCEPT { return fd_; }
+
+  // Closes the file.
+  FMT_API void close();
+
+  // Returns the file size. The size has signed type for consistency with
+  // stat::st_size.
+  FMT_API long long size() const;
+
+  // Attempts to read count bytes from the file into the specified buffer.
+  FMT_API size_t read(void* buffer, size_t count);
+
+  // Attempts to write count bytes from the specified buffer to the file.
+  FMT_API size_t write(const void* buffer, size_t count);
+
+  // Duplicates a file descriptor with the dup function and returns
+  // the duplicate as a file object.
+  FMT_API static file dup(int fd);
+
+  // Makes fd be the copy of this file descriptor, closing fd first if
+  // necessary.
+  FMT_API void dup2(int fd);
+
+  // Makes fd be the copy of this file descriptor, closing fd first if
+  // necessary.
+  FMT_API void dup2(int fd, std::error_code& ec) FMT_NOEXCEPT;
+
+  // Creates a pipe setting up read_end and write_end file objects for reading
+  // and writing respectively.
+  FMT_API static void pipe(file& read_end, file& write_end);
+
+  // Creates a buffered_file object associated with this file and detaches
+  // this file object from the file.
+  FMT_API buffered_file fdopen(const char* mode);
+};
+
+// Returns the memory page size.
+long getpagesize();
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+struct buffer_size {
+  buffer_size() = default;
+  size_t value = 0;
+  buffer_size operator=(size_t val) const {
+    auto bs = buffer_size();
+    bs.value = val;
+    return bs;
+  }
+};
+
+struct ostream_params {
+  int oflag = file::WRONLY | file::CREATE | file::TRUNC;
+  size_t buffer_size = BUFSIZ > 32768 ? BUFSIZ : 32768;
+
+  ostream_params() {}
+
+  template <typename... T>
+  ostream_params(T... params, int new_oflag) : ostream_params(params...) {
+    oflag = new_oflag;
+  }
+
+  template <typename... T>
+  ostream_params(T... params, detail::buffer_size bs)
+      : ostream_params(params...) {
+    this->buffer_size = bs.value;
+  }
+
+// Intel has a bug that results in failure to deduce a constructor
+// for empty parameter packs.
+#  if defined(__INTEL_COMPILER) && __INTEL_COMPILER < 2000
+  ostream_params(int new_oflag) : oflag(new_oflag) {}
+  ostream_params(detail::buffer_size bs) : buffer_size(bs.value) {}
+#  endif
+};
+
+FMT_END_DETAIL_NAMESPACE
+
+// Added {} below to work around default constructor error known to
+// occur in Xcode versions 7.2.1 and 8.2.1.
+constexpr detail::buffer_size buffer_size{};
+
+/** A fast output stream which is not thread-safe. */
+class FMT_API ostream final : private detail::buffer<char> {
+ private:
+  file file_;
+
+  void grow(size_t) override;
+
+  ostream(cstring_view path, const detail::ostream_params& params)
+      : file_(path, params.oflag) {
+    set(new char[params.buffer_size], params.buffer_size);
+  }
+
+ public:
+  ostream(ostream&& other)
+      : detail::buffer<char>(other.data(), other.size(), other.capacity()),
+        file_(std::move(other.file_)) {
+    other.clear();
+    other.set(nullptr, 0);
+  }
+  ~ostream() {
+    flush();
+    delete[] data();
+  }
+
+  void flush() {
+    if (size() == 0) return;
+    file_.write(data(), size());
+    clear();
+  }
+
+  template <typename... T>
+  friend ostream output_file(cstring_view path, T... params);
+
+  void close() {
+    flush();
+    file_.close();
+  }
+
+  /**
+    Formats ``args`` according to specifications in ``fmt`` and writes the
+    output to the file.
+   */
+  template <typename... T> void print(format_string<T...> fmt, T&&... args) {
+    vformat_to(detail::buffer_appender<char>(*this), fmt,
+               fmt::make_format_args(args...));
+  }
+};
+
+/**
+  \rst
+  Opens a file for writing. Supported parameters passed in *params*:
+
+  * ``<integer>``: Flags passed to `open
+    <https://pubs.opengroup.org/onlinepubs/007904875/functions/open.html>`_
+    (``file::WRONLY | file::CREATE`` by default)
+  * ``buffer_size=<integer>``: Output buffer size
+
+  **Example**::
+
+    auto out = fmt::output_file("guide.txt");
+    out.print("Don't {}", "Panic");
+  \endrst
+ */
+template <typename... T>
+inline ostream output_file(cstring_view path, T... params) {
+  return {path, detail::ostream_params(params...)};
+}
+#endif  // FMT_USE_FCNTL
+
+#ifdef FMT_LOCALE
+// A "C" numeric locale.
+class locale {
+ private:
+#  ifdef _WIN32
+  using locale_t = _locale_t;
+
+  static void freelocale(locale_t loc) { _free_locale(loc); }
+
+  static double strtod_l(const char* nptr, char** endptr, _locale_t loc) {
+    return _strtod_l(nptr, endptr, loc);
+  }
+#  endif
+
+  locale_t locale_;
+
+ public:
+  using type = locale_t;
+  locale(const locale&) = delete;
+  void operator=(const locale&) = delete;
+
+  locale() {
+#  ifndef _WIN32
+    locale_ = FMT_SYSTEM(newlocale(LC_NUMERIC_MASK, "C", nullptr));
+#  else
+    locale_ = _create_locale(LC_NUMERIC, "C");
+#  endif
+    if (!locale_) FMT_THROW(system_error(errno, "cannot create locale"));
+  }
+  ~locale() { freelocale(locale_); }
+
+  type get() const { return locale_; }
+
+  // Converts string to floating-point number and advances str past the end
+  // of the parsed input.
+  FMT_DEPRECATED double strtod(const char*& str) const {
+    char* end = nullptr;
+    double result = strtod_l(str, &end, locale_);
+    str = end;
+    return result;
+  }
+};
+using Locale FMT_DEPRECATED_ALIAS = locale;
+#endif  // FMT_LOCALE
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#endif  // FMT_OS_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/ostream.h b/ctrtool/deps/libfmt/include/fmt/ostream.h
new file mode 100644
index 00000000..3d716ece
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/ostream.h
@@ -0,0 +1,135 @@
+// Formatting library for C++ - std::ostream support
+//
+// Copyright (c) 2012 - present, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_OSTREAM_H_
+#define FMT_OSTREAM_H_
+
+#include <ostream>
+
+#include "format.h"
+
+FMT_BEGIN_NAMESPACE
+
+template <typename OutputIt, typename Char> class basic_printf_context;
+
+namespace detail {
+
+// Checks if T has a user-defined operator<<.
+template <typename T, typename Char, typename Enable = void>
+class is_streamable {
+ private:
+  template <typename U>
+  static auto test(int)
+      -> bool_constant<sizeof(std::declval<std::basic_ostream<Char>&>()
+                              << std::declval<U>()) != 0>;
+
+  template <typename> static auto test(...) -> std::false_type;
+
+  using result = decltype(test<T>(0));
+
+ public:
+  is_streamable() = default;
+
+  static const bool value = result::value;
+};
+
+// Formatting of built-in types and arrays is intentionally disabled because
+// it's handled by standard (non-ostream) formatters.
+template <typename T, typename Char>
+struct is_streamable<
+    T, Char,
+    enable_if_t<
+        std::is_arithmetic<T>::value || std::is_array<T>::value ||
+        std::is_pointer<T>::value || std::is_same<T, char8_type>::value ||
+        std::is_same<T, std::basic_string<Char>>::value ||
+        std::is_same<T, std_string_view<Char>>::value ||
+        (std::is_convertible<T, int>::value && !std::is_enum<T>::value)>>
+    : std::false_type {};
+
+// Write the content of buf to os.
+// It is a separate function rather than a part of vprint to simplify testing.
+template <typename Char>
+void write_buffer(std::basic_ostream<Char>& os, buffer<Char>& buf) {
+  const Char* buf_data = buf.data();
+  using unsigned_streamsize = std::make_unsigned<std::streamsize>::type;
+  unsigned_streamsize size = buf.size();
+  unsigned_streamsize max_size = to_unsigned(max_value<std::streamsize>());
+  do {
+    unsigned_streamsize n = size <= max_size ? size : max_size;
+    os.write(buf_data, static_cast<std::streamsize>(n));
+    buf_data += n;
+    size -= n;
+  } while (size != 0);
+}
+
+template <typename Char, typename T>
+void format_value(buffer<Char>& buf, const T& value,
+                  locale_ref loc = locale_ref()) {
+  auto&& format_buf = formatbuf<std::basic_streambuf<Char>>(buf);
+  auto&& output = std::basic_ostream<Char>(&format_buf);
+#if !defined(FMT_STATIC_THOUSANDS_SEPARATOR)
+  if (loc) output.imbue(loc.get<std::locale>());
+#endif
+  output << value;
+  output.exceptions(std::ios_base::failbit | std::ios_base::badbit);
+  buf.try_resize(buf.size());
+}
+
+// Formats an object of type T that has an overloaded ostream operator<<.
+template <typename T, typename Char>
+struct fallback_formatter<T, Char, enable_if_t<is_streamable<T, Char>::value>>
+    : private formatter<basic_string_view<Char>, Char> {
+  using formatter<basic_string_view<Char>, Char>::parse;
+
+  template <typename OutputIt>
+  auto format(const T& value, basic_format_context<OutputIt, Char>& ctx)
+      -> OutputIt {
+    auto buffer = basic_memory_buffer<Char>();
+    format_value(buffer, value, ctx.locale());
+    return formatter<basic_string_view<Char>, Char>::format(
+        {buffer.data(), buffer.size()}, ctx);
+  }
+
+  // DEPRECATED!
+  template <typename OutputIt>
+  auto format(const T& value, basic_printf_context<OutputIt, Char>& ctx)
+      -> OutputIt {
+    auto buffer = basic_memory_buffer<Char>();
+    format_value(buffer, value, ctx.locale());
+    return std::copy(buffer.begin(), buffer.end(), ctx.out());
+  }
+};
+}  // namespace detail
+
+FMT_MODULE_EXPORT
+template <typename Char>
+void vprint(std::basic_ostream<Char>& os, basic_string_view<Char> format_str,
+            basic_format_args<buffer_context<type_identity_t<Char>>> args) {
+  auto buffer = basic_memory_buffer<Char>();
+  detail::vformat_to(buffer, format_str, args);
+  detail::write_buffer(os, buffer);
+}
+
+/**
+  \rst
+  Prints formatted data to the stream *os*.
+
+  **Example**::
+
+    fmt::print(cerr, "Don't {}!", "panic");
+  \endrst
+ */
+FMT_MODULE_EXPORT
+template <typename S, typename... Args,
+          typename Char = enable_if_t<detail::is_string<S>::value, char_t<S>>>
+void print(std::basic_ostream<Char>& os, const S& format_str, Args&&... args) {
+  vprint(os, to_string_view(format_str),
+         fmt::make_args_checked<Args...>(format_str, args...));
+}
+FMT_END_NAMESPACE
+
+#endif  // FMT_OSTREAM_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/printf.h b/ctrtool/deps/libfmt/include/fmt/printf.h
new file mode 100644
index 00000000..19d550f6
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/printf.h
@@ -0,0 +1,657 @@
+// Formatting library for C++ - legacy printf implementation
+//
+// Copyright (c) 2012 - 2016, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_PRINTF_H_
+#define FMT_PRINTF_H_
+
+#include <algorithm>  // std::max
+#include <limits>     // std::numeric_limits
+#include <ostream>
+
+#include "format.h"
+
+FMT_BEGIN_NAMESPACE
+FMT_MODULE_EXPORT_BEGIN
+
+template <typename T> struct printf_formatter { printf_formatter() = delete; };
+
+template <typename Char>
+class basic_printf_parse_context : public basic_format_parse_context<Char> {
+  using basic_format_parse_context<Char>::basic_format_parse_context;
+};
+
+template <typename OutputIt, typename Char> class basic_printf_context {
+ private:
+  OutputIt out_;
+  basic_format_args<basic_printf_context> args_;
+
+ public:
+  using char_type = Char;
+  using format_arg = basic_format_arg<basic_printf_context>;
+  using parse_context_type = basic_printf_parse_context<Char>;
+  template <typename T> using formatter_type = printf_formatter<T>;
+
+  /**
+    \rst
+    Constructs a ``printf_context`` object. References to the arguments are
+    stored in the context object so make sure they have appropriate lifetimes.
+    \endrst
+   */
+  basic_printf_context(OutputIt out,
+                       basic_format_args<basic_printf_context> args)
+      : out_(out), args_(args) {}
+
+  OutputIt out() { return out_; }
+  void advance_to(OutputIt it) { out_ = it; }
+
+  detail::locale_ref locale() { return {}; }
+
+  format_arg arg(int id) const { return args_.get(id); }
+
+  FMT_CONSTEXPR void on_error(const char* message) {
+    detail::error_handler().on_error(message);
+  }
+};
+
+FMT_BEGIN_DETAIL_NAMESPACE
+
+// Checks if a value fits in int - used to avoid warnings about comparing
+// signed and unsigned integers.
+template <bool IsSigned> struct int_checker {
+  template <typename T> static bool fits_in_int(T value) {
+    unsigned max = max_value<int>();
+    return value <= max;
+  }
+  static bool fits_in_int(bool) { return true; }
+};
+
+template <> struct int_checker<true> {
+  template <typename T> static bool fits_in_int(T value) {
+    return value >= (std::numeric_limits<int>::min)() &&
+           value <= max_value<int>();
+  }
+  static bool fits_in_int(int) { return true; }
+};
+
+class printf_precision_handler {
+ public:
+  template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+  int operator()(T value) {
+    if (!int_checker<std::numeric_limits<T>::is_signed>::fits_in_int(value))
+      FMT_THROW(format_error("number is too big"));
+    return (std::max)(static_cast<int>(value), 0);
+  }
+
+  template <typename T, FMT_ENABLE_IF(!std::is_integral<T>::value)>
+  int operator()(T) {
+    FMT_THROW(format_error("precision is not integer"));
+    return 0;
+  }
+};
+
+// An argument visitor that returns true iff arg is a zero integer.
+class is_zero_int {
+ public:
+  template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+  bool operator()(T value) {
+    return value == 0;
+  }
+
+  template <typename T, FMT_ENABLE_IF(!std::is_integral<T>::value)>
+  bool operator()(T) {
+    return false;
+  }
+};
+
+template <typename T> struct make_unsigned_or_bool : std::make_unsigned<T> {};
+
+template <> struct make_unsigned_or_bool<bool> { using type = bool; };
+
+template <typename T, typename Context> class arg_converter {
+ private:
+  using char_type = typename Context::char_type;
+
+  basic_format_arg<Context>& arg_;
+  char_type type_;
+
+ public:
+  arg_converter(basic_format_arg<Context>& arg, char_type type)
+      : arg_(arg), type_(type) {}
+
+  void operator()(bool value) {
+    if (type_ != 's') operator()<bool>(value);
+  }
+
+  template <typename U, FMT_ENABLE_IF(std::is_integral<U>::value)>
+  void operator()(U value) {
+    bool is_signed = type_ == 'd' || type_ == 'i';
+    using target_type = conditional_t<std::is_same<T, void>::value, U, T>;
+    if (const_check(sizeof(target_type) <= sizeof(int))) {
+      // Extra casts are used to silence warnings.
+      if (is_signed) {
+        arg_ = detail::make_arg<Context>(
+            static_cast<int>(static_cast<target_type>(value)));
+      } else {
+        using unsigned_type = typename make_unsigned_or_bool<target_type>::type;
+        arg_ = detail::make_arg<Context>(
+            static_cast<unsigned>(static_cast<unsigned_type>(value)));
+      }
+    } else {
+      if (is_signed) {
+        // glibc's printf doesn't sign extend arguments of smaller types:
+        //   std::printf("%lld", -42);  // prints "4294967254"
+        // but we don't have to do the same because it's a UB.
+        arg_ = detail::make_arg<Context>(static_cast<long long>(value));
+      } else {
+        arg_ = detail::make_arg<Context>(
+            static_cast<typename make_unsigned_or_bool<U>::type>(value));
+      }
+    }
+  }
+
+  template <typename U, FMT_ENABLE_IF(!std::is_integral<U>::value)>
+  void operator()(U) {}  // No conversion needed for non-integral types.
+};
+
+// Converts an integer argument to T for printf, if T is an integral type.
+// If T is void, the argument is converted to corresponding signed or unsigned
+// type depending on the type specifier: 'd' and 'i' - signed, other -
+// unsigned).
+template <typename T, typename Context, typename Char>
+void convert_arg(basic_format_arg<Context>& arg, Char type) {
+  visit_format_arg(arg_converter<T, Context>(arg, type), arg);
+}
+
+// Converts an integer argument to char for printf.
+template <typename Context> class char_converter {
+ private:
+  basic_format_arg<Context>& arg_;
+
+ public:
+  explicit char_converter(basic_format_arg<Context>& arg) : arg_(arg) {}
+
+  template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+  void operator()(T value) {
+    arg_ = detail::make_arg<Context>(
+        static_cast<typename Context::char_type>(value));
+  }
+
+  template <typename T, FMT_ENABLE_IF(!std::is_integral<T>::value)>
+  void operator()(T) {}  // No conversion needed for non-integral types.
+};
+
+// An argument visitor that return a pointer to a C string if argument is a
+// string or null otherwise.
+template <typename Char> struct get_cstring {
+  template <typename T> const Char* operator()(T) { return nullptr; }
+  const Char* operator()(const Char* s) { return s; }
+};
+
+// Checks if an argument is a valid printf width specifier and sets
+// left alignment if it is negative.
+template <typename Char> class printf_width_handler {
+ private:
+  using format_specs = basic_format_specs<Char>;
+
+  format_specs& specs_;
+
+ public:
+  explicit printf_width_handler(format_specs& specs) : specs_(specs) {}
+
+  template <typename T, FMT_ENABLE_IF(std::is_integral<T>::value)>
+  unsigned operator()(T value) {
+    auto width = static_cast<uint32_or_64_or_128_t<T>>(value);
+    if (detail::is_negative(value)) {
+      specs_.align = align::left;
+      width = 0 - width;
+    }
+    unsigned int_max = max_value<int>();
+    if (width > int_max) FMT_THROW(format_error("number is too big"));
+    return static_cast<unsigned>(width);
+  }
+
+  template <typename T, FMT_ENABLE_IF(!std::is_integral<T>::value)>
+  unsigned operator()(T) {
+    FMT_THROW(format_error("width is not integer"));
+    return 0;
+  }
+};
+
+// The ``printf`` argument formatter.
+template <typename OutputIt, typename Char>
+class printf_arg_formatter : public arg_formatter<Char> {
+ private:
+  using base = arg_formatter<Char>;
+  using context_type = basic_printf_context<OutputIt, Char>;
+  using format_specs = basic_format_specs<Char>;
+
+  context_type& context_;
+
+  OutputIt write_null_pointer(bool is_string = false) {
+    auto s = this->specs;
+    s.type = presentation_type::none;
+    return write_bytes(this->out, is_string ? "(null)" : "(nil)", s);
+  }
+
+ public:
+  printf_arg_formatter(OutputIt iter, format_specs& s, context_type& ctx)
+      : base{iter, s, locale_ref()}, context_(ctx) {}
+
+  OutputIt operator()(monostate value) { return base::operator()(value); }
+
+  template <typename T, FMT_ENABLE_IF(detail::is_integral<T>::value)>
+  OutputIt operator()(T value) {
+    // MSVC2013 fails to compile separate overloads for bool and Char so use
+    // std::is_same instead.
+    if (std::is_same<T, Char>::value) {
+      format_specs fmt_specs = this->specs;
+      if (fmt_specs.type != presentation_type::none &&
+          fmt_specs.type != presentation_type::chr) {
+        return (*this)(static_cast<int>(value));
+      }
+      fmt_specs.sign = sign::none;
+      fmt_specs.alt = false;
+      fmt_specs.fill[0] = ' ';  // Ignore '0' flag for char types.
+      // align::numeric needs to be overwritten here since the '0' flag is
+      // ignored for non-numeric types
+      if (fmt_specs.align == align::none || fmt_specs.align == align::numeric)
+        fmt_specs.align = align::right;
+      return write<Char>(this->out, static_cast<Char>(value), fmt_specs);
+    }
+    return base::operator()(value);
+  }
+
+  template <typename T, FMT_ENABLE_IF(std::is_floating_point<T>::value)>
+  OutputIt operator()(T value) {
+    return base::operator()(value);
+  }
+
+  /** Formats a null-terminated C string. */
+  OutputIt operator()(const char* value) {
+    if (value) return base::operator()(value);
+    return write_null_pointer(this->specs.type != presentation_type::pointer);
+  }
+
+  /** Formats a null-terminated wide C string. */
+  OutputIt operator()(const wchar_t* value) {
+    if (value) return base::operator()(value);
+    return write_null_pointer(this->specs.type != presentation_type::pointer);
+  }
+
+  OutputIt operator()(basic_string_view<Char> value) {
+    return base::operator()(value);
+  }
+
+  /** Formats a pointer. */
+  OutputIt operator()(const void* value) {
+    return value ? base::operator()(value) : write_null_pointer();
+  }
+
+  /** Formats an argument of a custom (user-defined) type. */
+  OutputIt operator()(typename basic_format_arg<context_type>::handle handle) {
+    auto parse_ctx =
+        basic_printf_parse_context<Char>(basic_string_view<Char>());
+    handle.format(parse_ctx, context_);
+    return this->out;
+  }
+};
+
+template <typename Char>
+void parse_flags(basic_format_specs<Char>& specs, const Char*& it,
+                 const Char* end) {
+  for (; it != end; ++it) {
+    switch (*it) {
+    case '-':
+      specs.align = align::left;
+      break;
+    case '+':
+      specs.sign = sign::plus;
+      break;
+    case '0':
+      specs.fill[0] = '0';
+      break;
+    case ' ':
+      if (specs.sign != sign::plus) {
+        specs.sign = sign::space;
+      }
+      break;
+    case '#':
+      specs.alt = true;
+      break;
+    default:
+      return;
+    }
+  }
+}
+
+template <typename Char, typename GetArg>
+int parse_header(const Char*& it, const Char* end,
+                 basic_format_specs<Char>& specs, GetArg get_arg) {
+  int arg_index = -1;
+  Char c = *it;
+  if (c >= '0' && c <= '9') {
+    // Parse an argument index (if followed by '$') or a width possibly
+    // preceded with '0' flag(s).
+    int value = parse_nonnegative_int(it, end, -1);
+    if (it != end && *it == '$') {  // value is an argument index
+      ++it;
+      arg_index = value != -1 ? value : max_value<int>();
+    } else {
+      if (c == '0') specs.fill[0] = '0';
+      if (value != 0) {
+        // Nonzero value means that we parsed width and don't need to
+        // parse it or flags again, so return now.
+        if (value == -1) FMT_THROW(format_error("number is too big"));
+        specs.width = value;
+        return arg_index;
+      }
+    }
+  }
+  parse_flags(specs, it, end);
+  // Parse width.
+  if (it != end) {
+    if (*it >= '0' && *it <= '9') {
+      specs.width = parse_nonnegative_int(it, end, -1);
+      if (specs.width == -1) FMT_THROW(format_error("number is too big"));
+    } else if (*it == '*') {
+      ++it;
+      specs.width = static_cast<int>(visit_format_arg(
+          detail::printf_width_handler<Char>(specs), get_arg(-1)));
+    }
+  }
+  return arg_index;
+}
+
+template <typename Char, typename Context>
+void vprintf(buffer<Char>& buf, basic_string_view<Char> format,
+             basic_format_args<Context> args) {
+  using OutputIt = buffer_appender<Char>;
+  auto out = OutputIt(buf);
+  auto context = basic_printf_context<OutputIt, Char>(out, args);
+  auto parse_ctx = basic_printf_parse_context<Char>(format);
+
+  // Returns the argument with specified index or, if arg_index is -1, the next
+  // argument.
+  auto get_arg = [&](int arg_index) {
+    if (arg_index < 0)
+      arg_index = parse_ctx.next_arg_id();
+    else
+      parse_ctx.check_arg_id(--arg_index);
+    return detail::get_arg(context, arg_index);
+  };
+
+  const Char* start = parse_ctx.begin();
+  const Char* end = parse_ctx.end();
+  auto it = start;
+  while (it != end) {
+    if (!detail::find<false, Char>(it, end, '%', it)) {
+      it = end;  // detail::find leaves it == nullptr if it doesn't find '%'
+      break;
+    }
+    Char c = *it++;
+    if (it != end && *it == c) {
+      out = detail::write(
+          out, basic_string_view<Char>(start, detail::to_unsigned(it - start)));
+      start = ++it;
+      continue;
+    }
+    out = detail::write(out, basic_string_view<Char>(
+                                 start, detail::to_unsigned(it - 1 - start)));
+
+    basic_format_specs<Char> specs;
+    specs.align = align::right;
+
+    // Parse argument index, flags and width.
+    int arg_index = parse_header(it, end, specs, get_arg);
+    if (arg_index == 0) parse_ctx.on_error("argument not found");
+
+    // Parse precision.
+    if (it != end && *it == '.') {
+      ++it;
+      c = it != end ? *it : 0;
+      if ('0' <= c && c <= '9') {
+        specs.precision = parse_nonnegative_int(it, end, 0);
+      } else if (c == '*') {
+        ++it;
+        specs.precision = static_cast<int>(
+            visit_format_arg(detail::printf_precision_handler(), get_arg(-1)));
+      } else {
+        specs.precision = 0;
+      }
+    }
+
+    auto arg = get_arg(arg_index);
+    // For d, i, o, u, x, and X conversion specifiers, if a precision is
+    // specified, the '0' flag is ignored
+    if (specs.precision >= 0 && arg.is_integral())
+      specs.fill[0] =
+          ' ';  // Ignore '0' flag for non-numeric types or if '-' present.
+    if (specs.precision >= 0 && arg.type() == detail::type::cstring_type) {
+      auto str = visit_format_arg(detail::get_cstring<Char>(), arg);
+      auto str_end = str + specs.precision;
+      auto nul = std::find(str, str_end, Char());
+      arg = detail::make_arg<basic_printf_context<OutputIt, Char>>(
+          basic_string_view<Char>(
+              str, detail::to_unsigned(nul != str_end ? nul - str
+                                                      : specs.precision)));
+    }
+    if (specs.alt && visit_format_arg(detail::is_zero_int(), arg))
+      specs.alt = false;
+    if (specs.fill[0] == '0') {
+      if (arg.is_arithmetic() && specs.align != align::left)
+        specs.align = align::numeric;
+      else
+        specs.fill[0] = ' ';  // Ignore '0' flag for non-numeric types or if '-'
+                              // flag is also present.
+    }
+
+    // Parse length and convert the argument to the required type.
+    c = it != end ? *it++ : 0;
+    Char t = it != end ? *it : 0;
+    using detail::convert_arg;
+    switch (c) {
+    case 'h':
+      if (t == 'h') {
+        ++it;
+        t = it != end ? *it : 0;
+        convert_arg<signed char>(arg, t);
+      } else {
+        convert_arg<short>(arg, t);
+      }
+      break;
+    case 'l':
+      if (t == 'l') {
+        ++it;
+        t = it != end ? *it : 0;
+        convert_arg<long long>(arg, t);
+      } else {
+        convert_arg<long>(arg, t);
+      }
+      break;
+    case 'j':
+      convert_arg<intmax_t>(arg, t);
+      break;
+    case 'z':
+      convert_arg<size_t>(arg, t);
+      break;
+    case 't':
+      convert_arg<std::ptrdiff_t>(arg, t);
+      break;
+    case 'L':
+      // printf produces garbage when 'L' is omitted for long double, no
+      // need to do the same.
+      break;
+    default:
+      --it;
+      convert_arg<void>(arg, c);
+    }
+
+    // Parse type.
+    if (it == end) FMT_THROW(format_error("invalid format string"));
+    char type = static_cast<char>(*it++);
+    if (arg.is_integral()) {
+      // Normalize type.
+      switch (type) {
+      case 'i':
+      case 'u':
+        type = 'd';
+        break;
+      case 'c':
+        visit_format_arg(
+            detail::char_converter<basic_printf_context<OutputIt, Char>>(arg),
+            arg);
+        break;
+      }
+    }
+    specs.type = parse_presentation_type(type);
+    if (specs.type == presentation_type::none)
+      parse_ctx.on_error("invalid type specifier");
+
+    start = it;
+
+    // Format argument.
+    out = visit_format_arg(
+        detail::printf_arg_formatter<OutputIt, Char>(out, specs, context), arg);
+  }
+  detail::write(out, basic_string_view<Char>(start, to_unsigned(it - start)));
+}
+FMT_END_DETAIL_NAMESPACE
+
+template <typename Char>
+using basic_printf_context_t =
+    basic_printf_context<detail::buffer_appender<Char>, Char>;
+
+using printf_context = basic_printf_context_t<char>;
+using wprintf_context = basic_printf_context_t<wchar_t>;
+
+using printf_args = basic_format_args<printf_context>;
+using wprintf_args = basic_format_args<wprintf_context>;
+
+/**
+  \rst
+  Constructs an `~fmt::format_arg_store` object that contains references to
+  arguments and can be implicitly converted to `~fmt::printf_args`.
+  \endrst
+ */
+template <typename... T>
+inline auto make_printf_args(const T&... args)
+    -> format_arg_store<printf_context, T...> {
+  return {args...};
+}
+
+/**
+  \rst
+  Constructs an `~fmt::format_arg_store` object that contains references to
+  arguments and can be implicitly converted to `~fmt::wprintf_args`.
+  \endrst
+ */
+template <typename... T>
+inline auto make_wprintf_args(const T&... args)
+    -> format_arg_store<wprintf_context, T...> {
+  return {args...};
+}
+
+template <typename S, typename Char = char_t<S>>
+inline auto vsprintf(
+    const S& fmt,
+    basic_format_args<basic_printf_context_t<type_identity_t<Char>>> args)
+    -> std::basic_string<Char> {
+  basic_memory_buffer<Char> buffer;
+  vprintf(buffer, to_string_view(fmt), args);
+  return to_string(buffer);
+}
+
+/**
+  \rst
+  Formats arguments and returns the result as a string.
+
+  **Example**::
+
+    std::string message = fmt::sprintf("The answer is %d", 42);
+  \endrst
+*/
+template <typename S, typename... T,
+          typename Char = enable_if_t<detail::is_string<S>::value, char_t<S>>>
+inline auto sprintf(const S& fmt, const T&... args) -> std::basic_string<Char> {
+  using context = basic_printf_context_t<Char>;
+  return vsprintf(to_string_view(fmt), fmt::make_format_args<context>(args...));
+}
+
+template <typename S, typename Char = char_t<S>>
+inline auto vfprintf(
+    std::FILE* f, const S& fmt,
+    basic_format_args<basic_printf_context_t<type_identity_t<Char>>> args)
+    -> int {
+  basic_memory_buffer<Char> buffer;
+  vprintf(buffer, to_string_view(fmt), args);
+  size_t size = buffer.size();
+  return std::fwrite(buffer.data(), sizeof(Char), size, f) < size
+             ? -1
+             : static_cast<int>(size);
+}
+
+/**
+  \rst
+  Prints formatted data to the file *f*.
+
+  **Example**::
+
+    fmt::fprintf(stderr, "Don't %s!", "panic");
+  \endrst
+ */
+template <typename S, typename... T, typename Char = char_t<S>>
+inline auto fprintf(std::FILE* f, const S& fmt, const T&... args) -> int {
+  using context = basic_printf_context_t<Char>;
+  return vfprintf(f, to_string_view(fmt),
+                  fmt::make_format_args<context>(args...));
+}
+
+template <typename S, typename Char = char_t<S>>
+inline auto vprintf(
+    const S& fmt,
+    basic_format_args<basic_printf_context_t<type_identity_t<Char>>> args)
+    -> int {
+  return vfprintf(stdout, to_string_view(fmt), args);
+}
+
+/**
+  \rst
+  Prints formatted data to ``stdout``.
+
+  **Example**::
+
+    fmt::printf("Elapsed time: %.2f seconds", 1.23);
+  \endrst
+ */
+template <typename S, typename... T, FMT_ENABLE_IF(detail::is_string<S>::value)>
+inline auto printf(const S& fmt, const T&... args) -> int {
+  return vprintf(
+      to_string_view(fmt),
+      fmt::make_format_args<basic_printf_context_t<char_t<S>>>(args...));
+}
+
+template <typename S, typename Char = char_t<S>>
+FMT_DEPRECATED auto vfprintf(
+    std::basic_ostream<Char>& os, const S& fmt,
+    basic_format_args<basic_printf_context_t<type_identity_t<Char>>> args)
+    -> int {
+  basic_memory_buffer<Char> buffer;
+  vprintf(buffer, to_string_view(fmt), args);
+  os.write(buffer.data(), static_cast<std::streamsize>(buffer.size()));
+  return static_cast<int>(buffer.size());
+}
+template <typename S, typename... T, typename Char = char_t<S>>
+FMT_DEPRECATED auto fprintf(std::basic_ostream<Char>& os, const S& fmt,
+                            const T&... args) -> int {
+  return vfprintf(os, to_string_view(fmt),
+                  fmt::make_format_args<basic_printf_context_t<Char>>(args...));
+}
+
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#endif  // FMT_PRINTF_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/ranges.h b/ctrtool/deps/libfmt/include/fmt/ranges.h
new file mode 100644
index 00000000..eb9fb8a9
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/ranges.h
@@ -0,0 +1,793 @@
+// Formatting library for C++ - experimental range support
+//
+// Copyright (c) 2012 - present, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+//
+// Copyright (c) 2018 - present, Remotion (Igor Schulz)
+// All Rights Reserved
+// {fmt} support for ranges, containers and types tuple interface.
+
+#ifndef FMT_RANGES_H_
+#define FMT_RANGES_H_
+
+#include <initializer_list>
+#include <tuple>
+#include <type_traits>
+
+#include "format.h"
+
+FMT_BEGIN_NAMESPACE
+
+namespace detail {
+
+template <typename RangeT, typename OutputIterator>
+OutputIterator copy(const RangeT& range, OutputIterator out) {
+  for (auto it = range.begin(), end = range.end(); it != end; ++it)
+    *out++ = *it;
+  return out;
+}
+
+template <typename OutputIterator>
+OutputIterator copy(const char* str, OutputIterator out) {
+  while (*str) *out++ = *str++;
+  return out;
+}
+
+template <typename OutputIterator>
+OutputIterator copy(char ch, OutputIterator out) {
+  *out++ = ch;
+  return out;
+}
+
+template <typename OutputIterator>
+OutputIterator copy(wchar_t ch, OutputIterator out) {
+  *out++ = ch;
+  return out;
+}
+
+// Returns true if T has a std::string-like interface, like std::string_view.
+template <typename T> class is_std_string_like {
+  template <typename U>
+  static auto check(U* p)
+      -> decltype((void)p->find('a'), p->length(), (void)p->data(), int());
+  template <typename> static void check(...);
+
+ public:
+  static FMT_CONSTEXPR_DECL const bool value =
+      is_string<T>::value ||
+      std::is_convertible<T, std_string_view<char>>::value ||
+      !std::is_void<decltype(check<T>(nullptr))>::value;
+};
+
+template <typename Char>
+struct is_std_string_like<fmt::basic_string_view<Char>> : std::true_type {};
+
+template <typename T> class is_map {
+  template <typename U> static auto check(U*) -> typename U::mapped_type;
+  template <typename> static void check(...);
+
+ public:
+#ifdef FMT_FORMAT_MAP_AS_LIST
+  static FMT_CONSTEXPR_DECL const bool value = false;
+#else
+  static FMT_CONSTEXPR_DECL const bool value =
+      !std::is_void<decltype(check<T>(nullptr))>::value;
+#endif
+};
+
+template <typename T> class is_set {
+  template <typename U> static auto check(U*) -> typename U::key_type;
+  template <typename> static void check(...);
+
+ public:
+#ifdef FMT_FORMAT_SET_AS_LIST
+  static FMT_CONSTEXPR_DECL const bool value = false;
+#else
+  static FMT_CONSTEXPR_DECL const bool value =
+      !std::is_void<decltype(check<T>(nullptr))>::value && !is_map<T>::value;
+#endif
+};
+
+template <typename... Ts> struct conditional_helper {};
+
+template <typename T, typename _ = void> struct is_range_ : std::false_type {};
+
+#if !FMT_MSC_VER || FMT_MSC_VER > 1800
+
+#  define FMT_DECLTYPE_RETURN(val)  \
+    ->decltype(val) { return val; } \
+    static_assert(                  \
+        true, "")  // This makes it so that a semicolon is required after the
+                   // macro, which helps clang-format handle the formatting.
+
+// C array overload
+template <typename T, std::size_t N>
+auto range_begin(const T (&arr)[N]) -> const T* {
+  return arr;
+}
+template <typename T, std::size_t N>
+auto range_end(const T (&arr)[N]) -> const T* {
+  return arr + N;
+}
+
+template <typename T, typename Enable = void>
+struct has_member_fn_begin_end_t : std::false_type {};
+
+template <typename T>
+struct has_member_fn_begin_end_t<T, void_t<decltype(std::declval<T>().begin()),
+                                           decltype(std::declval<T>().end())>>
+    : std::true_type {};
+
+// Member function overload
+template <typename T>
+auto range_begin(T&& rng) FMT_DECLTYPE_RETURN(static_cast<T&&>(rng).begin());
+template <typename T>
+auto range_end(T&& rng) FMT_DECLTYPE_RETURN(static_cast<T&&>(rng).end());
+
+// ADL overload. Only participates in overload resolution if member functions
+// are not found.
+template <typename T>
+auto range_begin(T&& rng)
+    -> enable_if_t<!has_member_fn_begin_end_t<T&&>::value,
+                   decltype(begin(static_cast<T&&>(rng)))> {
+  return begin(static_cast<T&&>(rng));
+}
+template <typename T>
+auto range_end(T&& rng) -> enable_if_t<!has_member_fn_begin_end_t<T&&>::value,
+                                       decltype(end(static_cast<T&&>(rng)))> {
+  return end(static_cast<T&&>(rng));
+}
+
+template <typename T, typename Enable = void>
+struct has_const_begin_end : std::false_type {};
+template <typename T, typename Enable = void>
+struct has_mutable_begin_end : std::false_type {};
+
+template <typename T>
+struct has_const_begin_end<
+    T,
+    void_t<
+        decltype(detail::range_begin(std::declval<const remove_cvref_t<T>&>())),
+        decltype(detail::range_end(std::declval<const remove_cvref_t<T>&>()))>>
+    : std::true_type {};
+
+template <typename T>
+struct has_mutable_begin_end<
+    T, void_t<decltype(detail::range_begin(std::declval<T>())),
+              decltype(detail::range_end(std::declval<T>())),
+              enable_if_t<std::is_copy_constructible<T>::value>>>
+    : std::true_type {};
+
+template <typename T>
+struct is_range_<T, void>
+    : std::integral_constant<bool, (has_const_begin_end<T>::value ||
+                                    has_mutable_begin_end<T>::value)> {};
+#  undef FMT_DECLTYPE_RETURN
+#endif
+
+// tuple_size and tuple_element check.
+template <typename T> class is_tuple_like_ {
+  template <typename U>
+  static auto check(U* p) -> decltype(std::tuple_size<U>::value, int());
+  template <typename> static void check(...);
+
+ public:
+  static FMT_CONSTEXPR_DECL const bool value =
+      !std::is_void<decltype(check<T>(nullptr))>::value;
+};
+
+// Check for integer_sequence
+#if defined(__cpp_lib_integer_sequence) || FMT_MSC_VER >= 1900
+template <typename T, T... N>
+using integer_sequence = std::integer_sequence<T, N...>;
+template <size_t... N> using index_sequence = std::index_sequence<N...>;
+template <size_t N> using make_index_sequence = std::make_index_sequence<N>;
+#else
+template <typename T, T... N> struct integer_sequence {
+  using value_type = T;
+
+  static FMT_CONSTEXPR size_t size() { return sizeof...(N); }
+};
+
+template <size_t... N> using index_sequence = integer_sequence<size_t, N...>;
+
+template <typename T, size_t N, T... Ns>
+struct make_integer_sequence : make_integer_sequence<T, N - 1, N - 1, Ns...> {};
+template <typename T, T... Ns>
+struct make_integer_sequence<T, 0, Ns...> : integer_sequence<T, Ns...> {};
+
+template <size_t N>
+using make_index_sequence = make_integer_sequence<size_t, N>;
+#endif
+
+template <class Tuple, class F, size_t... Is>
+void for_each(index_sequence<Is...>, Tuple&& tup, F&& f) FMT_NOEXCEPT {
+  using std::get;
+  // using free function get<I>(T) now.
+  const int _[] = {0, ((void)f(get<Is>(tup)), 0)...};
+  (void)_;  // blocks warnings
+}
+
+template <class T>
+FMT_CONSTEXPR make_index_sequence<std::tuple_size<T>::value> get_indexes(
+    T const&) {
+  return {};
+}
+
+template <class Tuple, class F> void for_each(Tuple&& tup, F&& f) {
+  const auto indexes = get_indexes(tup);
+  for_each(indexes, std::forward<Tuple>(tup), std::forward<F>(f));
+}
+
+template <typename Range>
+using value_type =
+    remove_cvref_t<decltype(*detail::range_begin(std::declval<Range>()))>;
+
+template <typename OutputIt> OutputIt write_delimiter(OutputIt out) {
+  *out++ = ',';
+  *out++ = ' ';
+  return out;
+}
+
+struct singleton {
+  unsigned char upper;
+  unsigned char lower_count;
+};
+
+inline auto is_printable(uint16_t x, const singleton* singletons,
+                         size_t singletons_size,
+                         const unsigned char* singleton_lowers,
+                         const unsigned char* normal, size_t normal_size)
+    -> bool {
+  auto upper = x >> 8;
+  auto lower_start = 0;
+  for (size_t i = 0; i < singletons_size; ++i) {
+    auto s = singletons[i];
+    auto lower_end = lower_start + s.lower_count;
+    if (upper < s.upper) break;
+    if (upper == s.upper) {
+      for (auto j = lower_start; j < lower_end; ++j) {
+        if (singleton_lowers[j] == (x & 0xff)) return false;
+      }
+    }
+    lower_start = lower_end;
+  }
+
+  auto xsigned = static_cast<int>(x);
+  auto current = true;
+  for (size_t i = 0; i < normal_size; ++i) {
+    auto v = static_cast<int>(normal[i]);
+    auto len = (v & 0x80) != 0 ? (v & 0x7f) << 8 | normal[++i] : v;
+    xsigned -= len;
+    if (xsigned < 0) break;
+    current = !current;
+  }
+  return current;
+}
+
+// Returns true iff the code point cp is printable.
+// This code is generated by support/printable.py.
+inline auto is_printable(uint32_t cp) -> bool {
+  static constexpr singleton singletons0[] = {
+      {0x00, 1},  {0x03, 5},  {0x05, 6},  {0x06, 3},  {0x07, 6},  {0x08, 8},
+      {0x09, 17}, {0x0a, 28}, {0x0b, 25}, {0x0c, 20}, {0x0d, 16}, {0x0e, 13},
+      {0x0f, 4},  {0x10, 3},  {0x12, 18}, {0x13, 9},  {0x16, 1},  {0x17, 5},
+      {0x18, 2},  {0x19, 3},  {0x1a, 7},  {0x1c, 2},  {0x1d, 1},  {0x1f, 22},
+      {0x20, 3},  {0x2b, 3},  {0x2c, 2},  {0x2d, 11}, {0x2e, 1},  {0x30, 3},
+      {0x31, 2},  {0x32, 1},  {0xa7, 2},  {0xa9, 2},  {0xaa, 4},  {0xab, 8},
+      {0xfa, 2},  {0xfb, 5},  {0xfd, 4},  {0xfe, 3},  {0xff, 9},
+  };
+  static constexpr unsigned char singletons0_lower[] = {
+      0xad, 0x78, 0x79, 0x8b, 0x8d, 0xa2, 0x30, 0x57, 0x58, 0x8b, 0x8c, 0x90,
+      0x1c, 0x1d, 0xdd, 0x0e, 0x0f, 0x4b, 0x4c, 0xfb, 0xfc, 0x2e, 0x2f, 0x3f,
+      0x5c, 0x5d, 0x5f, 0xb5, 0xe2, 0x84, 0x8d, 0x8e, 0x91, 0x92, 0xa9, 0xb1,
+      0xba, 0xbb, 0xc5, 0xc6, 0xc9, 0xca, 0xde, 0xe4, 0xe5, 0xff, 0x00, 0x04,
+      0x11, 0x12, 0x29, 0x31, 0x34, 0x37, 0x3a, 0x3b, 0x3d, 0x49, 0x4a, 0x5d,
+      0x84, 0x8e, 0x92, 0xa9, 0xb1, 0xb4, 0xba, 0xbb, 0xc6, 0xca, 0xce, 0xcf,
+      0xe4, 0xe5, 0x00, 0x04, 0x0d, 0x0e, 0x11, 0x12, 0x29, 0x31, 0x34, 0x3a,
+      0x3b, 0x45, 0x46, 0x49, 0x4a, 0x5e, 0x64, 0x65, 0x84, 0x91, 0x9b, 0x9d,
+      0xc9, 0xce, 0xcf, 0x0d, 0x11, 0x29, 0x45, 0x49, 0x57, 0x64, 0x65, 0x8d,
+      0x91, 0xa9, 0xb4, 0xba, 0xbb, 0xc5, 0xc9, 0xdf, 0xe4, 0xe5, 0xf0, 0x0d,
+      0x11, 0x45, 0x49, 0x64, 0x65, 0x80, 0x84, 0xb2, 0xbc, 0xbe, 0xbf, 0xd5,
+      0xd7, 0xf0, 0xf1, 0x83, 0x85, 0x8b, 0xa4, 0xa6, 0xbe, 0xbf, 0xc5, 0xc7,
+      0xce, 0xcf, 0xda, 0xdb, 0x48, 0x98, 0xbd, 0xcd, 0xc6, 0xce, 0xcf, 0x49,
+      0x4e, 0x4f, 0x57, 0x59, 0x5e, 0x5f, 0x89, 0x8e, 0x8f, 0xb1, 0xb6, 0xb7,
+      0xbf, 0xc1, 0xc6, 0xc7, 0xd7, 0x11, 0x16, 0x17, 0x5b, 0x5c, 0xf6, 0xf7,
+      0xfe, 0xff, 0x80, 0x0d, 0x6d, 0x71, 0xde, 0xdf, 0x0e, 0x0f, 0x1f, 0x6e,
+      0x6f, 0x1c, 0x1d, 0x5f, 0x7d, 0x7e, 0xae, 0xaf, 0xbb, 0xbc, 0xfa, 0x16,
+      0x17, 0x1e, 0x1f, 0x46, 0x47, 0x4e, 0x4f, 0x58, 0x5a, 0x5c, 0x5e, 0x7e,
+      0x7f, 0xb5, 0xc5, 0xd4, 0xd5, 0xdc, 0xf0, 0xf1, 0xf5, 0x72, 0x73, 0x8f,
+      0x74, 0x75, 0x96, 0x2f, 0x5f, 0x26, 0x2e, 0x2f, 0xa7, 0xaf, 0xb7, 0xbf,
+      0xc7, 0xcf, 0xd7, 0xdf, 0x9a, 0x40, 0x97, 0x98, 0x30, 0x8f, 0x1f, 0xc0,
+      0xc1, 0xce, 0xff, 0x4e, 0x4f, 0x5a, 0x5b, 0x07, 0x08, 0x0f, 0x10, 0x27,
+      0x2f, 0xee, 0xef, 0x6e, 0x6f, 0x37, 0x3d, 0x3f, 0x42, 0x45, 0x90, 0x91,
+      0xfe, 0xff, 0x53, 0x67, 0x75, 0xc8, 0xc9, 0xd0, 0xd1, 0xd8, 0xd9, 0xe7,
+      0xfe, 0xff,
+  };
+  static constexpr singleton singletons1[] = {
+      {0x00, 6},  {0x01, 1}, {0x03, 1},  {0x04, 2}, {0x08, 8},  {0x09, 2},
+      {0x0a, 5},  {0x0b, 2}, {0x0e, 4},  {0x10, 1}, {0x11, 2},  {0x12, 5},
+      {0x13, 17}, {0x14, 1}, {0x15, 2},  {0x17, 2}, {0x19, 13}, {0x1c, 5},
+      {0x1d, 8},  {0x24, 1}, {0x6a, 3},  {0x6b, 2}, {0xbc, 2},  {0xd1, 2},
+      {0xd4, 12}, {0xd5, 9}, {0xd6, 2},  {0xd7, 2}, {0xda, 1},  {0xe0, 5},
+      {0xe1, 2},  {0xe8, 2}, {0xee, 32}, {0xf0, 4}, {0xf8, 2},  {0xf9, 2},
+      {0xfa, 2},  {0xfb, 1},
+  };
+  static constexpr unsigned char singletons1_lower[] = {
+      0x0c, 0x27, 0x3b, 0x3e, 0x4e, 0x4f, 0x8f, 0x9e, 0x9e, 0x9f, 0x06, 0x07,
+      0x09, 0x36, 0x3d, 0x3e, 0x56, 0xf3, 0xd0, 0xd1, 0x04, 0x14, 0x18, 0x36,
+      0x37, 0x56, 0x57, 0x7f, 0xaa, 0xae, 0xaf, 0xbd, 0x35, 0xe0, 0x12, 0x87,
+      0x89, 0x8e, 0x9e, 0x04, 0x0d, 0x0e, 0x11, 0x12, 0x29, 0x31, 0x34, 0x3a,
+      0x45, 0x46, 0x49, 0x4a, 0x4e, 0x4f, 0x64, 0x65, 0x5c, 0xb6, 0xb7, 0x1b,
+      0x1c, 0x07, 0x08, 0x0a, 0x0b, 0x14, 0x17, 0x36, 0x39, 0x3a, 0xa8, 0xa9,
+      0xd8, 0xd9, 0x09, 0x37, 0x90, 0x91, 0xa8, 0x07, 0x0a, 0x3b, 0x3e, 0x66,
+      0x69, 0x8f, 0x92, 0x6f, 0x5f, 0xee, 0xef, 0x5a, 0x62, 0x9a, 0x9b, 0x27,
+      0x28, 0x55, 0x9d, 0xa0, 0xa1, 0xa3, 0xa4, 0xa7, 0xa8, 0xad, 0xba, 0xbc,
+      0xc4, 0x06, 0x0b, 0x0c, 0x15, 0x1d, 0x3a, 0x3f, 0x45, 0x51, 0xa6, 0xa7,
+      0xcc, 0xcd, 0xa0, 0x07, 0x19, 0x1a, 0x22, 0x25, 0x3e, 0x3f, 0xc5, 0xc6,
+      0x04, 0x20, 0x23, 0x25, 0x26, 0x28, 0x33, 0x38, 0x3a, 0x48, 0x4a, 0x4c,
+      0x50, 0x53, 0x55, 0x56, 0x58, 0x5a, 0x5c, 0x5e, 0x60, 0x63, 0x65, 0x66,
+      0x6b, 0x73, 0x78, 0x7d, 0x7f, 0x8a, 0xa4, 0xaa, 0xaf, 0xb0, 0xc0, 0xd0,
+      0xae, 0xaf, 0x79, 0xcc, 0x6e, 0x6f, 0x93,
+  };
+  static constexpr unsigned char normal0[] = {
+      0x00, 0x20, 0x5f, 0x22, 0x82, 0xdf, 0x04, 0x82, 0x44, 0x08, 0x1b, 0x04,
+      0x06, 0x11, 0x81, 0xac, 0x0e, 0x80, 0xab, 0x35, 0x28, 0x0b, 0x80, 0xe0,
+      0x03, 0x19, 0x08, 0x01, 0x04, 0x2f, 0x04, 0x34, 0x04, 0x07, 0x03, 0x01,
+      0x07, 0x06, 0x07, 0x11, 0x0a, 0x50, 0x0f, 0x12, 0x07, 0x55, 0x07, 0x03,
+      0x04, 0x1c, 0x0a, 0x09, 0x03, 0x08, 0x03, 0x07, 0x03, 0x02, 0x03, 0x03,
+      0x03, 0x0c, 0x04, 0x05, 0x03, 0x0b, 0x06, 0x01, 0x0e, 0x15, 0x05, 0x3a,
+      0x03, 0x11, 0x07, 0x06, 0x05, 0x10, 0x07, 0x57, 0x07, 0x02, 0x07, 0x15,
+      0x0d, 0x50, 0x04, 0x43, 0x03, 0x2d, 0x03, 0x01, 0x04, 0x11, 0x06, 0x0f,
+      0x0c, 0x3a, 0x04, 0x1d, 0x25, 0x5f, 0x20, 0x6d, 0x04, 0x6a, 0x25, 0x80,
+      0xc8, 0x05, 0x82, 0xb0, 0x03, 0x1a, 0x06, 0x82, 0xfd, 0x03, 0x59, 0x07,
+      0x15, 0x0b, 0x17, 0x09, 0x14, 0x0c, 0x14, 0x0c, 0x6a, 0x06, 0x0a, 0x06,
+      0x1a, 0x06, 0x59, 0x07, 0x2b, 0x05, 0x46, 0x0a, 0x2c, 0x04, 0x0c, 0x04,
+      0x01, 0x03, 0x31, 0x0b, 0x2c, 0x04, 0x1a, 0x06, 0x0b, 0x03, 0x80, 0xac,
+      0x06, 0x0a, 0x06, 0x21, 0x3f, 0x4c, 0x04, 0x2d, 0x03, 0x74, 0x08, 0x3c,
+      0x03, 0x0f, 0x03, 0x3c, 0x07, 0x38, 0x08, 0x2b, 0x05, 0x82, 0xff, 0x11,
+      0x18, 0x08, 0x2f, 0x11, 0x2d, 0x03, 0x20, 0x10, 0x21, 0x0f, 0x80, 0x8c,
+      0x04, 0x82, 0x97, 0x19, 0x0b, 0x15, 0x88, 0x94, 0x05, 0x2f, 0x05, 0x3b,
+      0x07, 0x02, 0x0e, 0x18, 0x09, 0x80, 0xb3, 0x2d, 0x74, 0x0c, 0x80, 0xd6,
+      0x1a, 0x0c, 0x05, 0x80, 0xff, 0x05, 0x80, 0xdf, 0x0c, 0xee, 0x0d, 0x03,
+      0x84, 0x8d, 0x03, 0x37, 0x09, 0x81, 0x5c, 0x14, 0x80, 0xb8, 0x08, 0x80,
+      0xcb, 0x2a, 0x38, 0x03, 0x0a, 0x06, 0x38, 0x08, 0x46, 0x08, 0x0c, 0x06,
+      0x74, 0x0b, 0x1e, 0x03, 0x5a, 0x04, 0x59, 0x09, 0x80, 0x83, 0x18, 0x1c,
+      0x0a, 0x16, 0x09, 0x4c, 0x04, 0x80, 0x8a, 0x06, 0xab, 0xa4, 0x0c, 0x17,
+      0x04, 0x31, 0xa1, 0x04, 0x81, 0xda, 0x26, 0x07, 0x0c, 0x05, 0x05, 0x80,
+      0xa5, 0x11, 0x81, 0x6d, 0x10, 0x78, 0x28, 0x2a, 0x06, 0x4c, 0x04, 0x80,
+      0x8d, 0x04, 0x80, 0xbe, 0x03, 0x1b, 0x03, 0x0f, 0x0d,
+  };
+  static constexpr unsigned char normal1[] = {
+      0x5e, 0x22, 0x7b, 0x05, 0x03, 0x04, 0x2d, 0x03, 0x66, 0x03, 0x01, 0x2f,
+      0x2e, 0x80, 0x82, 0x1d, 0x03, 0x31, 0x0f, 0x1c, 0x04, 0x24, 0x09, 0x1e,
+      0x05, 0x2b, 0x05, 0x44, 0x04, 0x0e, 0x2a, 0x80, 0xaa, 0x06, 0x24, 0x04,
+      0x24, 0x04, 0x28, 0x08, 0x34, 0x0b, 0x01, 0x80, 0x90, 0x81, 0x37, 0x09,
+      0x16, 0x0a, 0x08, 0x80, 0x98, 0x39, 0x03, 0x63, 0x08, 0x09, 0x30, 0x16,
+      0x05, 0x21, 0x03, 0x1b, 0x05, 0x01, 0x40, 0x38, 0x04, 0x4b, 0x05, 0x2f,
+      0x04, 0x0a, 0x07, 0x09, 0x07, 0x40, 0x20, 0x27, 0x04, 0x0c, 0x09, 0x36,
+      0x03, 0x3a, 0x05, 0x1a, 0x07, 0x04, 0x0c, 0x07, 0x50, 0x49, 0x37, 0x33,
+      0x0d, 0x33, 0x07, 0x2e, 0x08, 0x0a, 0x81, 0x26, 0x52, 0x4e, 0x28, 0x08,
+      0x2a, 0x56, 0x1c, 0x14, 0x17, 0x09, 0x4e, 0x04, 0x1e, 0x0f, 0x43, 0x0e,
+      0x19, 0x07, 0x0a, 0x06, 0x48, 0x08, 0x27, 0x09, 0x75, 0x0b, 0x3f, 0x41,
+      0x2a, 0x06, 0x3b, 0x05, 0x0a, 0x06, 0x51, 0x06, 0x01, 0x05, 0x10, 0x03,
+      0x05, 0x80, 0x8b, 0x62, 0x1e, 0x48, 0x08, 0x0a, 0x80, 0xa6, 0x5e, 0x22,
+      0x45, 0x0b, 0x0a, 0x06, 0x0d, 0x13, 0x39, 0x07, 0x0a, 0x36, 0x2c, 0x04,
+      0x10, 0x80, 0xc0, 0x3c, 0x64, 0x53, 0x0c, 0x48, 0x09, 0x0a, 0x46, 0x45,
+      0x1b, 0x48, 0x08, 0x53, 0x1d, 0x39, 0x81, 0x07, 0x46, 0x0a, 0x1d, 0x03,
+      0x47, 0x49, 0x37, 0x03, 0x0e, 0x08, 0x0a, 0x06, 0x39, 0x07, 0x0a, 0x81,
+      0x36, 0x19, 0x80, 0xb7, 0x01, 0x0f, 0x32, 0x0d, 0x83, 0x9b, 0x66, 0x75,
+      0x0b, 0x80, 0xc4, 0x8a, 0xbc, 0x84, 0x2f, 0x8f, 0xd1, 0x82, 0x47, 0xa1,
+      0xb9, 0x82, 0x39, 0x07, 0x2a, 0x04, 0x02, 0x60, 0x26, 0x0a, 0x46, 0x0a,
+      0x28, 0x05, 0x13, 0x82, 0xb0, 0x5b, 0x65, 0x4b, 0x04, 0x39, 0x07, 0x11,
+      0x40, 0x05, 0x0b, 0x02, 0x0e, 0x97, 0xf8, 0x08, 0x84, 0xd6, 0x2a, 0x09,
+      0xa2, 0xf7, 0x81, 0x1f, 0x31, 0x03, 0x11, 0x04, 0x08, 0x81, 0x8c, 0x89,
+      0x04, 0x6b, 0x05, 0x0d, 0x03, 0x09, 0x07, 0x10, 0x93, 0x60, 0x80, 0xf6,
+      0x0a, 0x73, 0x08, 0x6e, 0x17, 0x46, 0x80, 0x9a, 0x14, 0x0c, 0x57, 0x09,
+      0x19, 0x80, 0x87, 0x81, 0x47, 0x03, 0x85, 0x42, 0x0f, 0x15, 0x85, 0x50,
+      0x2b, 0x80, 0xd5, 0x2d, 0x03, 0x1a, 0x04, 0x02, 0x81, 0x70, 0x3a, 0x05,
+      0x01, 0x85, 0x00, 0x80, 0xd7, 0x29, 0x4c, 0x04, 0x0a, 0x04, 0x02, 0x83,
+      0x11, 0x44, 0x4c, 0x3d, 0x80, 0xc2, 0x3c, 0x06, 0x01, 0x04, 0x55, 0x05,
+      0x1b, 0x34, 0x02, 0x81, 0x0e, 0x2c, 0x04, 0x64, 0x0c, 0x56, 0x0a, 0x80,
+      0xae, 0x38, 0x1d, 0x0d, 0x2c, 0x04, 0x09, 0x07, 0x02, 0x0e, 0x06, 0x80,
+      0x9a, 0x83, 0xd8, 0x08, 0x0d, 0x03, 0x0d, 0x03, 0x74, 0x0c, 0x59, 0x07,
+      0x0c, 0x14, 0x0c, 0x04, 0x38, 0x08, 0x0a, 0x06, 0x28, 0x08, 0x22, 0x4e,
+      0x81, 0x54, 0x0c, 0x15, 0x03, 0x03, 0x05, 0x07, 0x09, 0x19, 0x07, 0x07,
+      0x09, 0x03, 0x0d, 0x07, 0x29, 0x80, 0xcb, 0x25, 0x0a, 0x84, 0x06,
+  };
+  auto lower = static_cast<uint16_t>(cp);
+  if (cp < 0x10000) {
+    return is_printable(lower, singletons0,
+                        sizeof(singletons0) / sizeof(*singletons0),
+                        singletons0_lower, normal0, sizeof(normal0));
+  }
+  if (cp < 0x20000) {
+    return is_printable(lower, singletons1,
+                        sizeof(singletons1) / sizeof(*singletons1),
+                        singletons1_lower, normal1, sizeof(normal1));
+  }
+  if (0x2a6de <= cp && cp < 0x2a700) return false;
+  if (0x2b735 <= cp && cp < 0x2b740) return false;
+  if (0x2b81e <= cp && cp < 0x2b820) return false;
+  if (0x2cea2 <= cp && cp < 0x2ceb0) return false;
+  if (0x2ebe1 <= cp && cp < 0x2f800) return false;
+  if (0x2fa1e <= cp && cp < 0x30000) return false;
+  if (0x3134b <= cp && cp < 0xe0100) return false;
+  if (0xe01f0 <= cp && cp < 0x110000) return false;
+  return cp < 0x110000;
+}
+
+inline auto needs_escape(uint32_t cp) -> bool {
+  return cp < 0x20 || cp == 0x7f || cp == '"' || cp == '\\' ||
+         !is_printable(cp);
+}
+
+template <typename Char> struct find_escape_result {
+  const Char* begin;
+  const Char* end;
+  uint32_t cp;
+};
+
+template <typename Char>
+auto find_escape(const Char* begin, const Char* end)
+    -> find_escape_result<Char> {
+  for (; begin != end; ++begin) {
+    auto cp = static_cast<typename std::make_unsigned<Char>::type>(*begin);
+    if (sizeof(Char) == 1 && cp >= 0x80) continue;
+    if (needs_escape(cp)) return {begin, begin + 1, cp};
+  }
+  return {begin, nullptr, 0};
+}
+
+inline auto find_escape(const char* begin, const char* end)
+    -> find_escape_result<char> {
+  if (!is_utf8()) return find_escape<char>(begin, end);
+  auto result = find_escape_result<char>{end, nullptr, 0};
+  for_each_codepoint(string_view(begin, to_unsigned(end - begin)),
+                     [&](uint32_t cp, string_view sv) {
+                       if (needs_escape(cp)) {
+                         result = {sv.begin(), sv.end(), cp};
+                         return false;
+                       }
+                       return true;
+                     });
+  return result;
+}
+
+template <typename Char, typename OutputIt>
+auto write_range_entry(OutputIt out, basic_string_view<Char> str) -> OutputIt {
+  *out++ = '"';
+  auto begin = str.begin(), end = str.end();
+  do {
+    auto escape = find_escape(begin, end);
+    out = copy_str<Char>(begin, escape.begin, out);
+    begin = escape.end;
+    if (!begin) break;
+    auto c = static_cast<Char>(escape.cp);
+    switch (escape.cp) {
+    case '\n':
+      *out++ = '\\';
+      c = 'n';
+      break;
+    case '\r':
+      *out++ = '\\';
+      c = 'r';
+      break;
+    case '\t':
+      *out++ = '\\';
+      c = 't';
+      break;
+    case '"':
+      FMT_FALLTHROUGH;
+    case '\\':
+      *out++ = '\\';
+      break;
+    default:
+      if (is_utf8()) {
+        if (escape.cp < 0x100) {
+          out = format_to(out, "\\x{:02x}", escape.cp);
+          continue;
+        }
+        if (escape.cp < 0x10000) {
+          out = format_to(out, "\\u{:04x}", escape.cp);
+          continue;
+        }
+        if (escape.cp < 0x110000) {
+          out = format_to(out, "\\U{:08x}", escape.cp);
+          continue;
+        }
+      }
+      for (Char escape_char : basic_string_view<Char>(
+               escape.begin, to_unsigned(escape.end - escape.begin))) {
+        out = format_to(
+            out, "\\x{:02x}",
+            static_cast<typename std::make_unsigned<Char>::type>(escape_char));
+      }
+      continue;
+    }
+    *out++ = c;
+  } while (begin != end);
+  *out++ = '"';
+  return out;
+}
+
+template <typename Char, typename OutputIt, typename T,
+          FMT_ENABLE_IF(std::is_convertible<T, std_string_view<char>>::value)>
+inline auto write_range_entry(OutputIt out, const T& str) -> OutputIt {
+  auto sv = std_string_view<Char>(str);
+  return write_range_entry<Char>(out, basic_string_view<Char>(sv));
+}
+
+template <typename Char, typename OutputIt, typename Arg,
+          FMT_ENABLE_IF(std::is_same<Arg, Char>::value)>
+OutputIt write_range_entry(OutputIt out, const Arg v) {
+  *out++ = '\'';
+  *out++ = v;
+  *out++ = '\'';
+  return out;
+}
+
+template <
+    typename Char, typename OutputIt, typename Arg,
+    FMT_ENABLE_IF(!is_std_string_like<typename std::decay<Arg>::type>::value &&
+                  !std::is_same<Arg, Char>::value)>
+OutputIt write_range_entry(OutputIt out, const Arg& v) {
+  return write<Char>(out, v);
+}
+
+}  // namespace detail
+
+template <typename T> struct is_tuple_like {
+  static FMT_CONSTEXPR_DECL const bool value =
+      detail::is_tuple_like_<T>::value && !detail::is_range_<T>::value;
+};
+
+template <typename TupleT, typename Char>
+struct formatter<TupleT, Char, enable_if_t<fmt::is_tuple_like<TupleT>::value>> {
+ private:
+  // C++11 generic lambda for format().
+  template <typename FormatContext> struct format_each {
+    template <typename T> void operator()(const T& v) {
+      if (i > 0) out = detail::write_delimiter(out);
+      out = detail::write_range_entry<Char>(out, v);
+      ++i;
+    }
+    int i;
+    typename FormatContext::iterator& out;
+  };
+
+ public:
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return ctx.begin();
+  }
+
+  template <typename FormatContext = format_context>
+  auto format(const TupleT& values, FormatContext& ctx) -> decltype(ctx.out()) {
+    auto out = ctx.out();
+    *out++ = '(';
+    detail::for_each(values, format_each<FormatContext>{0, out});
+    *out++ = ')';
+    return out;
+  }
+};
+
+template <typename T, typename Char> struct is_range {
+  static FMT_CONSTEXPR_DECL const bool value =
+      detail::is_range_<T>::value && !detail::is_std_string_like<T>::value &&
+      !detail::is_map<T>::value &&
+      !std::is_convertible<T, std::basic_string<Char>>::value &&
+      !std::is_constructible<detail::std_string_view<Char>, T>::value;
+};
+
+template <typename T, typename Char>
+struct formatter<
+    T, Char,
+    enable_if_t<
+        fmt::is_range<T, Char>::value
+// Workaround a bug in MSVC 2019 and earlier.
+#if !FMT_MSC_VER
+        && (is_formattable<detail::value_type<T>, Char>::value ||
+            detail::has_fallback_formatter<detail::value_type<T>, Char>::value)
+#endif
+        >> {
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return ctx.begin();
+  }
+
+  template <
+      typename FormatContext, typename U,
+      FMT_ENABLE_IF(
+          std::is_same<U, conditional_t<detail::has_const_begin_end<T>::value,
+                                        const T, T>>::value)>
+  auto format(U& range, FormatContext& ctx) -> decltype(ctx.out()) {
+#ifdef FMT_DEPRECATED_BRACED_RANGES
+    Char prefix = '{';
+    Char postfix = '}';
+#else
+    Char prefix = detail::is_set<T>::value ? '{' : '[';
+    Char postfix = detail::is_set<T>::value ? '}' : ']';
+#endif
+    auto out = ctx.out();
+    *out++ = prefix;
+    int i = 0;
+    auto it = std::begin(range);
+    auto end = std::end(range);
+    for (; it != end; ++it) {
+      if (i > 0) out = detail::write_delimiter(out);
+      out = detail::write_range_entry<Char>(out, *it);
+      ++i;
+    }
+    *out++ = postfix;
+    return out;
+  }
+};
+
+template <typename T, typename Char>
+struct formatter<
+    T, Char,
+    enable_if_t<
+        detail::is_map<T>::value
+// Workaround a bug in MSVC 2019 and earlier.
+#if !FMT_MSC_VER
+        && (is_formattable<detail::value_type<T>, Char>::value ||
+            detail::has_fallback_formatter<detail::value_type<T>, Char>::value)
+#endif
+        >> {
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return ctx.begin();
+  }
+
+  template <
+      typename FormatContext, typename U,
+      FMT_ENABLE_IF(
+          std::is_same<U, conditional_t<detail::has_const_begin_end<T>::value,
+                                        const T, T>>::value)>
+  auto format(U& map, FormatContext& ctx) -> decltype(ctx.out()) {
+    auto out = ctx.out();
+    *out++ = '{';
+    int i = 0;
+    for (const auto& item : map) {
+      if (i > 0) out = detail::write_delimiter(out);
+      out = detail::write_range_entry<Char>(out, item.first);
+      *out++ = ':';
+      *out++ = ' ';
+      out = detail::write_range_entry<Char>(out, item.second);
+      ++i;
+    }
+    *out++ = '}';
+    return out;
+  }
+};
+
+template <typename Char, typename... T> struct tuple_join_view : detail::view {
+  const std::tuple<T...>& tuple;
+  basic_string_view<Char> sep;
+
+  tuple_join_view(const std::tuple<T...>& t, basic_string_view<Char> s)
+      : tuple(t), sep{s} {}
+};
+
+template <typename Char, typename... T>
+using tuple_arg_join = tuple_join_view<Char, T...>;
+
+// Define FMT_TUPLE_JOIN_SPECIFIERS to enable experimental format specifiers
+// support in tuple_join. It is disabled by default because of issues with
+// the dynamic width and precision.
+#ifndef FMT_TUPLE_JOIN_SPECIFIERS
+#  define FMT_TUPLE_JOIN_SPECIFIERS 0
+#endif
+
+template <typename Char, typename... T>
+struct formatter<tuple_join_view<Char, T...>, Char> {
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto parse(ParseContext& ctx) -> decltype(ctx.begin()) {
+    return do_parse(ctx, std::integral_constant<size_t, sizeof...(T)>());
+  }
+
+  template <typename FormatContext>
+  auto format(const tuple_join_view<Char, T...>& value,
+              FormatContext& ctx) const -> typename FormatContext::iterator {
+    return do_format(value, ctx,
+                     std::integral_constant<size_t, sizeof...(T)>());
+  }
+
+ private:
+  std::tuple<formatter<typename std::decay<T>::type, Char>...> formatters_;
+
+  template <typename ParseContext>
+  FMT_CONSTEXPR auto do_parse(ParseContext& ctx,
+                              std::integral_constant<size_t, 0>)
+      -> decltype(ctx.begin()) {
+    return ctx.begin();
+  }
+
+  template <typename ParseContext, size_t N>
+  FMT_CONSTEXPR auto do_parse(ParseContext& ctx,
+                              std::integral_constant<size_t, N>)
+      -> decltype(ctx.begin()) {
+    auto end = ctx.begin();
+#if FMT_TUPLE_JOIN_SPECIFIERS
+    end = std::get<sizeof...(T) - N>(formatters_).parse(ctx);
+    if (N > 1) {
+      auto end1 = do_parse(ctx, std::integral_constant<size_t, N - 1>());
+      if (end != end1)
+        FMT_THROW(format_error("incompatible format specs for tuple elements"));
+    }
+#endif
+    return end;
+  }
+
+  template <typename FormatContext>
+  auto do_format(const tuple_join_view<Char, T...>&, FormatContext& ctx,
+                 std::integral_constant<size_t, 0>) const ->
+      typename FormatContext::iterator {
+    return ctx.out();
+  }
+
+  template <typename FormatContext, size_t N>
+  auto do_format(const tuple_join_view<Char, T...>& value, FormatContext& ctx,
+                 std::integral_constant<size_t, N>) const ->
+      typename FormatContext::iterator {
+    auto out = std::get<sizeof...(T) - N>(formatters_)
+                   .format(std::get<sizeof...(T) - N>(value.tuple), ctx);
+    if (N > 1) {
+      out = std::copy(value.sep.begin(), value.sep.end(), out);
+      ctx.advance_to(out);
+      return do_format(value, ctx, std::integral_constant<size_t, N - 1>());
+    }
+    return out;
+  }
+};
+
+FMT_MODULE_EXPORT_BEGIN
+
+/**
+  \rst
+  Returns an object that formats `tuple` with elements separated by `sep`.
+
+  **Example**::
+
+    std::tuple<int, char> t = {1, 'a'};
+    fmt::print("{}", fmt::join(t, ", "));
+    // Output: "1, a"
+  \endrst
+ */
+template <typename... T>
+FMT_CONSTEXPR auto join(const std::tuple<T...>& tuple, string_view sep)
+    -> tuple_join_view<char, T...> {
+  return {tuple, sep};
+}
+
+template <typename... T>
+FMT_CONSTEXPR auto join(const std::tuple<T...>& tuple,
+                        basic_string_view<wchar_t> sep)
+    -> tuple_join_view<wchar_t, T...> {
+  return {tuple, sep};
+}
+
+/**
+  \rst
+  Returns an object that formats `initializer_list` with elements separated by
+  `sep`.
+
+  **Example**::
+
+    fmt::print("{}", fmt::join({1, 2, 3}, ", "));
+    // Output: "1, 2, 3"
+  \endrst
+ */
+template <typename T>
+auto join(std::initializer_list<T> list, string_view sep)
+    -> join_view<const T*, const T*> {
+  return join(std::begin(list), std::end(list), sep);
+}
+
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#endif  // FMT_RANGES_H_
diff --git a/ctrtool/deps/libfmt/include/fmt/xchar.h b/ctrtool/deps/libfmt/include/fmt/xchar.h
new file mode 100644
index 00000000..55825077
--- /dev/null
+++ b/ctrtool/deps/libfmt/include/fmt/xchar.h
@@ -0,0 +1,236 @@
+// Formatting library for C++ - optional wchar_t and exotic character support
+//
+// Copyright (c) 2012 - present, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#ifndef FMT_XCHAR_H_
+#define FMT_XCHAR_H_
+
+#include <cwchar>
+#include <tuple>
+
+#include "format.h"
+
+FMT_BEGIN_NAMESPACE
+namespace detail {
+template <typename T>
+using is_exotic_char = bool_constant<!std::is_same<T, char>::value>;
+}
+
+FMT_MODULE_EXPORT_BEGIN
+
+using wstring_view = basic_string_view<wchar_t>;
+using wformat_parse_context = basic_format_parse_context<wchar_t>;
+using wformat_context = buffer_context<wchar_t>;
+using wformat_args = basic_format_args<wformat_context>;
+using wmemory_buffer = basic_memory_buffer<wchar_t>;
+
+#if FMT_GCC_VERSION && FMT_GCC_VERSION < 409
+// Workaround broken conversion on older gcc.
+template <typename... Args> using wformat_string = wstring_view;
+#else
+template <typename... Args>
+using wformat_string = basic_format_string<wchar_t, type_identity_t<Args>...>;
+#endif
+
+template <> struct is_char<wchar_t> : std::true_type {};
+template <> struct is_char<detail::char8_type> : std::true_type {};
+template <> struct is_char<char16_t> : std::true_type {};
+template <> struct is_char<char32_t> : std::true_type {};
+
+template <typename... Args>
+constexpr format_arg_store<wformat_context, Args...> make_wformat_args(
+    const Args&... args) {
+  return {args...};
+}
+
+inline namespace literals {
+constexpr auto operator"" _format(const wchar_t* s, size_t n)
+    -> detail::udl_formatter<wchar_t> {
+  return {{s, n}};
+}
+
+#if FMT_USE_USER_DEFINED_LITERALS && !FMT_USE_NONTYPE_TEMPLATE_PARAMETERS
+constexpr detail::udl_arg<wchar_t> operator"" _a(const wchar_t* s, size_t) {
+  return {s};
+}
+#endif
+}  // namespace literals
+
+template <typename It, typename Sentinel>
+auto join(It begin, Sentinel end, wstring_view sep)
+    -> join_view<It, Sentinel, wchar_t> {
+  return {begin, end, sep};
+}
+
+template <typename Range>
+auto join(Range&& range, wstring_view sep)
+    -> join_view<detail::iterator_t<Range>, detail::sentinel_t<Range>,
+                 wchar_t> {
+  return join(std::begin(range), std::end(range), sep);
+}
+
+template <typename T>
+auto join(std::initializer_list<T> list, wstring_view sep)
+    -> join_view<const T*, const T*, wchar_t> {
+  return join(std::begin(list), std::end(list), sep);
+}
+
+template <typename Char, FMT_ENABLE_IF(!std::is_same<Char, char>::value)>
+auto vformat(basic_string_view<Char> format_str,
+             basic_format_args<buffer_context<type_identity_t<Char>>> args)
+    -> std::basic_string<Char> {
+  basic_memory_buffer<Char> buffer;
+  detail::vformat_to(buffer, format_str, args);
+  return to_string(buffer);
+}
+
+// Pass char_t as a default template parameter instead of using
+// std::basic_string<char_t<S>> to reduce the symbol size.
+template <typename S, typename... Args, typename Char = char_t<S>,
+          FMT_ENABLE_IF(!std::is_same<Char, char>::value)>
+auto format(const S& format_str, Args&&... args) -> std::basic_string<Char> {
+  const auto& vargs = fmt::make_args_checked<Args...>(format_str, args...);
+  return vformat(to_string_view(format_str), vargs);
+}
+
+template <typename Locale, typename S, typename Char = char_t<S>,
+          FMT_ENABLE_IF(detail::is_locale<Locale>::value&&
+                            detail::is_exotic_char<Char>::value)>
+inline auto vformat(
+    const Locale& loc, const S& format_str,
+    basic_format_args<buffer_context<type_identity_t<Char>>> args)
+    -> std::basic_string<Char> {
+  return detail::vformat(loc, to_string_view(format_str), args);
+}
+
+template <typename Locale, typename S, typename... Args,
+          typename Char = char_t<S>,
+          FMT_ENABLE_IF(detail::is_locale<Locale>::value&&
+                            detail::is_exotic_char<Char>::value)>
+inline auto format(const Locale& loc, const S& format_str, Args&&... args)
+    -> std::basic_string<Char> {
+  return detail::vformat(loc, to_string_view(format_str),
+                         fmt::make_args_checked<Args...>(format_str, args...));
+}
+
+template <typename OutputIt, typename S, typename Char = char_t<S>,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, Char>::value&&
+                            detail::is_exotic_char<Char>::value)>
+auto vformat_to(OutputIt out, const S& format_str,
+                basic_format_args<buffer_context<type_identity_t<Char>>> args)
+    -> OutputIt {
+  auto&& buf = detail::get_buffer<Char>(out);
+  detail::vformat_to(buf, to_string_view(format_str), args);
+  return detail::get_iterator(buf);
+}
+
+template <typename OutputIt, typename S, typename... Args,
+          typename Char = char_t<S>,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, Char>::value&&
+                            detail::is_exotic_char<Char>::value)>
+inline auto format_to(OutputIt out, const S& fmt, Args&&... args) -> OutputIt {
+  const auto& vargs = fmt::make_args_checked<Args...>(fmt, args...);
+  return vformat_to(out, to_string_view(fmt), vargs);
+}
+
+template <typename S, typename... Args, typename Char, size_t SIZE,
+          typename Allocator, FMT_ENABLE_IF(detail::is_string<S>::value)>
+FMT_DEPRECATED auto format_to(basic_memory_buffer<Char, SIZE, Allocator>& buf,
+                              const S& format_str, Args&&... args) ->
+    typename buffer_context<Char>::iterator {
+  const auto& vargs = fmt::make_args_checked<Args...>(format_str, args...);
+  detail::vformat_to(buf, to_string_view(format_str), vargs, {});
+  return detail::buffer_appender<Char>(buf);
+}
+
+template <typename Locale, typename S, typename OutputIt, typename... Args,
+          typename Char = char_t<S>,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, Char>::value&&
+                            detail::is_locale<Locale>::value&&
+                                detail::is_exotic_char<Char>::value)>
+inline auto vformat_to(
+    OutputIt out, const Locale& loc, const S& format_str,
+    basic_format_args<buffer_context<type_identity_t<Char>>> args) -> OutputIt {
+  auto&& buf = detail::get_buffer<Char>(out);
+  vformat_to(buf, to_string_view(format_str), args, detail::locale_ref(loc));
+  return detail::get_iterator(buf);
+}
+
+template <
+    typename OutputIt, typename Locale, typename S, typename... Args,
+    typename Char = char_t<S>,
+    bool enable = detail::is_output_iterator<OutputIt, Char>::value&&
+        detail::is_locale<Locale>::value&& detail::is_exotic_char<Char>::value>
+inline auto format_to(OutputIt out, const Locale& loc, const S& format_str,
+                      Args&&... args) ->
+    typename std::enable_if<enable, OutputIt>::type {
+  const auto& vargs = fmt::make_args_checked<Args...>(format_str, args...);
+  return vformat_to(out, loc, to_string_view(format_str), vargs);
+}
+
+template <typename OutputIt, typename Char, typename... Args,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, Char>::value&&
+                            detail::is_exotic_char<Char>::value)>
+inline auto vformat_to_n(
+    OutputIt out, size_t n, basic_string_view<Char> format_str,
+    basic_format_args<buffer_context<type_identity_t<Char>>> args)
+    -> format_to_n_result<OutputIt> {
+  detail::iterator_buffer<OutputIt, Char, detail::fixed_buffer_traits> buf(out,
+                                                                           n);
+  detail::vformat_to(buf, format_str, args);
+  return {buf.out(), buf.count()};
+}
+
+template <typename OutputIt, typename S, typename... Args,
+          typename Char = char_t<S>,
+          FMT_ENABLE_IF(detail::is_output_iterator<OutputIt, Char>::value&&
+                            detail::is_exotic_char<Char>::value)>
+inline auto format_to_n(OutputIt out, size_t n, const S& fmt,
+                        const Args&... args) -> format_to_n_result<OutputIt> {
+  const auto& vargs = fmt::make_args_checked<Args...>(fmt, args...);
+  return vformat_to_n(out, n, to_string_view(fmt), vargs);
+}
+
+template <typename S, typename... Args, typename Char = char_t<S>,
+          FMT_ENABLE_IF(detail::is_exotic_char<Char>::value)>
+inline auto formatted_size(const S& fmt, Args&&... args) -> size_t {
+  detail::counting_buffer<Char> buf;
+  const auto& vargs = fmt::make_args_checked<Args...>(fmt, args...);
+  detail::vformat_to(buf, to_string_view(fmt), vargs);
+  return buf.count();
+}
+
+inline void vprint(std::FILE* f, wstring_view fmt, wformat_args args) {
+  wmemory_buffer buffer;
+  detail::vformat_to(buffer, fmt, args);
+  buffer.push_back(L'\0');
+  if (std::fputws(buffer.data(), f) == -1)
+    FMT_THROW(system_error(errno, FMT_STRING("cannot write to file")));
+}
+
+inline void vprint(wstring_view fmt, wformat_args args) {
+  vprint(stdout, fmt, args);
+}
+
+template <typename... T>
+void print(std::FILE* f, wformat_string<T...> fmt, T&&... args) {
+  return vprint(f, wstring_view(fmt), fmt::make_wformat_args(args...));
+}
+
+template <typename... T> void print(wformat_string<T...> fmt, T&&... args) {
+  return vprint(wstring_view(fmt), fmt::make_wformat_args(args...));
+}
+
+/**
+  Converts *value* to ``std::wstring`` using the default format for type *T*.
+ */
+template <typename T> inline auto to_wstring(const T& value) -> std::wstring {
+  return format(FMT_STRING(L"{}"), value);
+}
+FMT_MODULE_EXPORT_END
+FMT_END_NAMESPACE
+
+#endif  // FMT_XCHAR_H_
diff --git a/ctrtool/deps/libfmt/makefile b/ctrtool/deps/libfmt/makefile
new file mode 100644
index 00000000..8740695b
--- /dev/null
+++ b/ctrtool/deps/libfmt/makefile
@@ -0,0 +1,197 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 6 (20211110)
+
+# Project Name
+PROJECT_NAME = libfmt
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Shared Library Definitions
+PROJECT_SO_VER_MAJOR = 0
+PROJECT_SO_VER_MINOR = 1
+PROJECT_SO_VER_PATCH = 0
+PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
+PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
+
+# Project Dependencies
+PROJECT_DEPEND = 
+PROJECT_DEPEND_LOCAL_DIR = 
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc	
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building static library
+#	- 'shared_lib' for building shared library
+#	- 'program' for building the program
+#	- 'test_program' for building the test program
+# These can typically be used together however *_lib and program should not be used together
+all: static_lib
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+shared_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)
+	@gcc -shared -Wl,-soname,$(PROJECT_SONAME) -o "$(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/ctrtool/deps/libfmt/src/format.cc b/ctrtool/deps/libfmt/src/format.cc
new file mode 100644
index 00000000..ecb8cc79
--- /dev/null
+++ b/ctrtool/deps/libfmt/src/format.cc
@@ -0,0 +1,124 @@
+// Formatting library for C++
+//
+// Copyright (c) 2012 - 2016, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+#include "fmt/format-inl.h"
+
+FMT_BEGIN_NAMESPACE
+namespace detail {
+
+// DEPRECATED!
+template <typename T = void> struct basic_data {
+  FMT_API static constexpr const char digits[100][2] = {
+      {'0', '0'}, {'0', '1'}, {'0', '2'}, {'0', '3'}, {'0', '4'}, {'0', '5'},
+      {'0', '6'}, {'0', '7'}, {'0', '8'}, {'0', '9'}, {'1', '0'}, {'1', '1'},
+      {'1', '2'}, {'1', '3'}, {'1', '4'}, {'1', '5'}, {'1', '6'}, {'1', '7'},
+      {'1', '8'}, {'1', '9'}, {'2', '0'}, {'2', '1'}, {'2', '2'}, {'2', '3'},
+      {'2', '4'}, {'2', '5'}, {'2', '6'}, {'2', '7'}, {'2', '8'}, {'2', '9'},
+      {'3', '0'}, {'3', '1'}, {'3', '2'}, {'3', '3'}, {'3', '4'}, {'3', '5'},
+      {'3', '6'}, {'3', '7'}, {'3', '8'}, {'3', '9'}, {'4', '0'}, {'4', '1'},
+      {'4', '2'}, {'4', '3'}, {'4', '4'}, {'4', '5'}, {'4', '6'}, {'4', '7'},
+      {'4', '8'}, {'4', '9'}, {'5', '0'}, {'5', '1'}, {'5', '2'}, {'5', '3'},
+      {'5', '4'}, {'5', '5'}, {'5', '6'}, {'5', '7'}, {'5', '8'}, {'5', '9'},
+      {'6', '0'}, {'6', '1'}, {'6', '2'}, {'6', '3'}, {'6', '4'}, {'6', '5'},
+      {'6', '6'}, {'6', '7'}, {'6', '8'}, {'6', '9'}, {'7', '0'}, {'7', '1'},
+      {'7', '2'}, {'7', '3'}, {'7', '4'}, {'7', '5'}, {'7', '6'}, {'7', '7'},
+      {'7', '8'}, {'7', '9'}, {'8', '0'}, {'8', '1'}, {'8', '2'}, {'8', '3'},
+      {'8', '4'}, {'8', '5'}, {'8', '6'}, {'8', '7'}, {'8', '8'}, {'8', '9'},
+      {'9', '0'}, {'9', '1'}, {'9', '2'}, {'9', '3'}, {'9', '4'}, {'9', '5'},
+      {'9', '6'}, {'9', '7'}, {'9', '8'}, {'9', '9'}};
+  FMT_API static constexpr const char hex_digits[] = "0123456789abcdef";
+  FMT_API static constexpr const char signs[4] = {0, '-', '+', ' '};
+  FMT_API static constexpr const char left_padding_shifts[5] = {31, 31, 0, 1,
+                                                                0};
+  FMT_API static constexpr const char right_padding_shifts[5] = {0, 31, 0, 1,
+                                                                 0};
+  FMT_API static constexpr const unsigned prefixes[4] = {0, 0, 0x1000000u | '+',
+                                                         0x1000000u | ' '};
+};
+
+#ifdef FMT_SHARED
+// Required for -flto, -fivisibility=hidden and -shared to work
+extern template struct basic_data<void>;
+#endif
+
+#if __cplusplus < 201703L
+// DEPRECATED! These are here only for ABI compatiblity.
+template <typename T> constexpr const char basic_data<T>::digits[][2];
+template <typename T> constexpr const char basic_data<T>::hex_digits[];
+template <typename T> constexpr const char basic_data<T>::signs[];
+template <typename T> constexpr const char basic_data<T>::left_padding_shifts[];
+template <typename T>
+constexpr const char basic_data<T>::right_padding_shifts[];
+template <typename T> constexpr const unsigned basic_data<T>::prefixes[];
+#endif
+
+template <typename T>
+int format_float(char* buf, std::size_t size, const char* format, int precision,
+                 T value) {
+#ifdef FMT_FUZZ
+  if (precision > 100000)
+    throw std::runtime_error(
+        "fuzz mode - avoid large allocation inside snprintf");
+#endif
+  // Suppress the warning about nonliteral format string.
+  int (*snprintf_ptr)(char*, size_t, const char*, ...) = FMT_SNPRINTF;
+  return precision < 0 ? snprintf_ptr(buf, size, format, value)
+                       : snprintf_ptr(buf, size, format, precision, value);
+}
+
+template FMT_API dragonbox::decimal_fp<float> dragonbox::to_decimal(float x)
+    FMT_NOEXCEPT;
+template FMT_API dragonbox::decimal_fp<double> dragonbox::to_decimal(double x)
+    FMT_NOEXCEPT;
+}  // namespace detail
+
+// Workaround a bug in MSVC2013 that prevents instantiation of format_float.
+int (*instantiate_format_float)(double, int, detail::float_specs,
+                                detail::buffer<char>&) = detail::format_float;
+
+#ifndef FMT_STATIC_THOUSANDS_SEPARATOR
+template FMT_API detail::locale_ref::locale_ref(const std::locale& loc);
+template FMT_API std::locale detail::locale_ref::get<std::locale>() const;
+#endif
+
+// Explicit instantiations for char.
+
+template FMT_API auto detail::thousands_sep_impl(locale_ref)
+    -> thousands_sep_result<char>;
+template FMT_API char detail::decimal_point_impl(locale_ref);
+
+template FMT_API void detail::buffer<char>::append(const char*, const char*);
+
+// DEPRECATED!
+// There is no correspondent extern template in format.h because of
+// incompatibility between clang and gcc (#2377).
+template FMT_API void detail::vformat_to(
+    detail::buffer<char>&, string_view,
+    basic_format_args<FMT_BUFFER_CONTEXT(char)>, detail::locale_ref);
+
+template FMT_API int detail::snprintf_float(double, int, detail::float_specs,
+                                            detail::buffer<char>&);
+template FMT_API int detail::snprintf_float(long double, int,
+                                            detail::float_specs,
+                                            detail::buffer<char>&);
+template FMT_API int detail::format_float(double, int, detail::float_specs,
+                                          detail::buffer<char>&);
+template FMT_API int detail::format_float(long double, int, detail::float_specs,
+                                          detail::buffer<char>&);
+
+// Explicit instantiations for wchar_t.
+
+template FMT_API auto detail::thousands_sep_impl(locale_ref)
+    -> thousands_sep_result<wchar_t>;
+template FMT_API wchar_t detail::decimal_point_impl(locale_ref);
+
+template FMT_API void detail::buffer<wchar_t>::append(const wchar_t*,
+                                                      const wchar_t*);
+
+template struct detail::basic_data<void>;
+
+FMT_END_NAMESPACE
diff --git a/ctrtool/deps/libfmt/src/os.cc b/ctrtool/deps/libfmt/src/os.cc
new file mode 100644
index 00000000..04b4dc50
--- /dev/null
+++ b/ctrtool/deps/libfmt/src/os.cc
@@ -0,0 +1,361 @@
+// Formatting library for C++ - optional OS-specific functionality
+//
+// Copyright (c) 2012 - 2016, Victor Zverovich
+// All rights reserved.
+//
+// For the license information refer to format.h.
+
+// Disable bogus MSVC warnings.
+#if !defined(_CRT_SECURE_NO_WARNINGS) && defined(_MSC_VER)
+#  define _CRT_SECURE_NO_WARNINGS
+#endif
+
+#include "fmt/os.h"
+
+#include <climits>
+
+#if FMT_USE_FCNTL
+#  include <sys/stat.h>
+#  include <sys/types.h>
+
+#  ifndef _WIN32
+#    include <unistd.h>
+#  else
+#    ifndef WIN32_LEAN_AND_MEAN
+#      define WIN32_LEAN_AND_MEAN
+#    endif
+#    include <io.h>
+
+#    ifndef S_IRUSR
+#      define S_IRUSR _S_IREAD
+#    endif
+#    ifndef S_IWUSR
+#      define S_IWUSR _S_IWRITE
+#    endif
+#    ifndef S_IRGRP
+#      define S_IRGRP 0
+#    endif
+#    ifndef S_IROTH
+#      define S_IROTH 0
+#    endif
+#  endif  // _WIN32
+#endif    // FMT_USE_FCNTL
+
+#ifdef _WIN32
+#  include <windows.h>
+#endif
+
+#ifdef fileno
+#  undef fileno
+#endif
+
+namespace {
+#ifdef _WIN32
+// Return type of read and write functions.
+using rwresult = int;
+
+// On Windows the count argument to read and write is unsigned, so convert
+// it from size_t preventing integer overflow.
+inline unsigned convert_rwcount(std::size_t count) {
+  return count <= UINT_MAX ? static_cast<unsigned>(count) : UINT_MAX;
+}
+#elif FMT_USE_FCNTL
+// Return type of read and write functions.
+using rwresult = ssize_t;
+
+inline std::size_t convert_rwcount(std::size_t count) { return count; }
+#endif
+}  // namespace
+
+FMT_BEGIN_NAMESPACE
+
+#ifdef _WIN32
+detail::utf16_to_utf8::utf16_to_utf8(basic_string_view<wchar_t> s) {
+  if (int error_code = convert(s)) {
+    FMT_THROW(windows_error(error_code,
+                            "cannot convert string from UTF-16 to UTF-8"));
+  }
+}
+
+int detail::utf16_to_utf8::convert(basic_string_view<wchar_t> s) {
+  if (s.size() > INT_MAX) return ERROR_INVALID_PARAMETER;
+  int s_size = static_cast<int>(s.size());
+  if (s_size == 0) {
+    // WideCharToMultiByte does not support zero length, handle separately.
+    buffer_.resize(1);
+    buffer_[0] = 0;
+    return 0;
+  }
+
+  int length = WideCharToMultiByte(CP_UTF8, 0, s.data(), s_size, nullptr, 0,
+                                   nullptr, nullptr);
+  if (length == 0) return GetLastError();
+  buffer_.resize(length + 1);
+  length = WideCharToMultiByte(CP_UTF8, 0, s.data(), s_size, &buffer_[0],
+                               length, nullptr, nullptr);
+  if (length == 0) return GetLastError();
+  buffer_[length] = 0;
+  return 0;
+}
+
+namespace detail {
+
+class system_message {
+  system_message(const system_message&) = delete;
+  void operator=(const system_message&) = delete;
+
+  unsigned long result_;
+  wchar_t* message_;
+
+  static bool is_whitespace(wchar_t c) FMT_NOEXCEPT {
+    return c == L' ' || c == L'\n' || c == L'\r' || c == L'\t' || c == L'\0';
+  }
+
+ public:
+  explicit system_message(unsigned long error_code)
+      : result_(0), message_(nullptr) {
+    result_ = FormatMessageW(
+        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
+            FORMAT_MESSAGE_IGNORE_INSERTS,
+        nullptr, error_code, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+        reinterpret_cast<wchar_t*>(&message_), 0, nullptr);
+    if (result_ != 0) {
+      while (result_ != 0 && is_whitespace(message_[result_ - 1])) {
+        --result_;
+      }
+    }
+  }
+  ~system_message() { LocalFree(message_); }
+  explicit operator bool() const FMT_NOEXCEPT { return result_ != 0; }
+  operator basic_string_view<wchar_t>() const FMT_NOEXCEPT {
+    return basic_string_view<wchar_t>(message_, result_);
+  }
+};
+
+class utf8_system_category final : public std::error_category {
+ public:
+  const char* name() const FMT_NOEXCEPT override { return "system"; }
+  std::string message(int error_code) const override {
+    system_message msg(error_code);
+    if (msg) {
+      utf16_to_utf8 utf8_message;
+      if (utf8_message.convert(msg) == ERROR_SUCCESS) {
+        return utf8_message.str();
+      }
+    }
+    return "unknown error";
+  }
+};
+
+}  // namespace detail
+
+FMT_API const std::error_category& system_category() FMT_NOEXCEPT {
+  static const detail::utf8_system_category category;
+  return category;
+}
+
+std::system_error vwindows_error(int err_code, string_view format_str,
+                                 format_args args) {
+  auto ec = std::error_code(err_code, system_category());
+  return std::system_error(ec, vformat(format_str, args));
+}
+
+void detail::format_windows_error(detail::buffer<char>& out, int error_code,
+                                  const char* message) FMT_NOEXCEPT {
+  FMT_TRY {
+    system_message msg(error_code);
+    if (msg) {
+      utf16_to_utf8 utf8_message;
+      if (utf8_message.convert(msg) == ERROR_SUCCESS) {
+        format_to(buffer_appender<char>(out), "{}: {}", message, utf8_message);
+        return;
+      }
+    }
+  }
+  FMT_CATCH(...) {}
+  format_error_code(out, error_code, message);
+}
+
+void report_windows_error(int error_code, const char* message) FMT_NOEXCEPT {
+  report_error(detail::format_windows_error, error_code, message);
+}
+#endif  // _WIN32
+
+buffered_file::~buffered_file() FMT_NOEXCEPT {
+  if (file_ && FMT_SYSTEM(fclose(file_)) != 0)
+    report_system_error(errno, "cannot close file");
+}
+
+buffered_file::buffered_file(cstring_view filename, cstring_view mode) {
+  FMT_RETRY_VAL(file_, FMT_SYSTEM(fopen(filename.c_str(), mode.c_str())),
+                nullptr);
+  if (!file_)
+    FMT_THROW(system_error(errno, "cannot open file {}", filename.c_str()));
+}
+
+void buffered_file::close() {
+  if (!file_) return;
+  int result = FMT_SYSTEM(fclose(file_));
+  file_ = nullptr;
+  if (result != 0) FMT_THROW(system_error(errno, "cannot close file"));
+}
+
+// A macro used to prevent expansion of fileno on broken versions of MinGW.
+#define FMT_ARGS
+
+int buffered_file::fileno() const {
+  int fd = FMT_POSIX_CALL(fileno FMT_ARGS(file_));
+  if (fd == -1) FMT_THROW(system_error(errno, "cannot get file descriptor"));
+  return fd;
+}
+
+#if FMT_USE_FCNTL
+file::file(cstring_view path, int oflag) {
+#  ifdef _WIN32
+  using mode_t = int;
+#  endif
+  mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
+#  if defined(_WIN32) && !defined(__MINGW32__)
+  fd_ = -1;
+  FMT_POSIX_CALL(sopen_s(&fd_, path.c_str(), oflag, _SH_DENYNO, mode));
+#  else
+  FMT_RETRY(fd_, FMT_POSIX_CALL(open(path.c_str(), oflag, mode)));
+#  endif
+  if (fd_ == -1)
+    FMT_THROW(system_error(errno, "cannot open file {}", path.c_str()));
+}
+
+file::~file() FMT_NOEXCEPT {
+  // Don't retry close in case of EINTR!
+  // See http://linux.derkeiler.com/Mailing-Lists/Kernel/2005-09/3000.html
+  if (fd_ != -1 && FMT_POSIX_CALL(close(fd_)) != 0)
+    report_system_error(errno, "cannot close file");
+}
+
+void file::close() {
+  if (fd_ == -1) return;
+  // Don't retry close in case of EINTR!
+  // See http://linux.derkeiler.com/Mailing-Lists/Kernel/2005-09/3000.html
+  int result = FMT_POSIX_CALL(close(fd_));
+  fd_ = -1;
+  if (result != 0) FMT_THROW(system_error(errno, "cannot close file"));
+}
+
+long long file::size() const {
+#  ifdef _WIN32
+  // Use GetFileSize instead of GetFileSizeEx for the case when _WIN32_WINNT
+  // is less than 0x0500 as is the case with some default MinGW builds.
+  // Both functions support large file sizes.
+  DWORD size_upper = 0;
+  HANDLE handle = reinterpret_cast<HANDLE>(_get_osfhandle(fd_));
+  DWORD size_lower = FMT_SYSTEM(GetFileSize(handle, &size_upper));
+  if (size_lower == INVALID_FILE_SIZE) {
+    DWORD error = GetLastError();
+    if (error != NO_ERROR)
+      FMT_THROW(windows_error(GetLastError(), "cannot get file size"));
+  }
+  unsigned long long long_size = size_upper;
+  return (long_size << sizeof(DWORD) * CHAR_BIT) | size_lower;
+#  else
+  using Stat = struct stat;
+  Stat file_stat = Stat();
+  if (FMT_POSIX_CALL(fstat(fd_, &file_stat)) == -1)
+    FMT_THROW(system_error(errno, "cannot get file attributes"));
+  static_assert(sizeof(long long) >= sizeof(file_stat.st_size),
+                "return type of file::size is not large enough");
+  return file_stat.st_size;
+#  endif
+}
+
+std::size_t file::read(void* buffer, std::size_t count) {
+  rwresult result = 0;
+  FMT_RETRY(result, FMT_POSIX_CALL(read(fd_, buffer, convert_rwcount(count))));
+  if (result < 0) FMT_THROW(system_error(errno, "cannot read from file"));
+  return detail::to_unsigned(result);
+}
+
+std::size_t file::write(const void* buffer, std::size_t count) {
+  rwresult result = 0;
+  FMT_RETRY(result, FMT_POSIX_CALL(write(fd_, buffer, convert_rwcount(count))));
+  if (result < 0) FMT_THROW(system_error(errno, "cannot write to file"));
+  return detail::to_unsigned(result);
+}
+
+file file::dup(int fd) {
+  // Don't retry as dup doesn't return EINTR.
+  // http://pubs.opengroup.org/onlinepubs/009695399/functions/dup.html
+  int new_fd = FMT_POSIX_CALL(dup(fd));
+  if (new_fd == -1)
+    FMT_THROW(system_error(errno, "cannot duplicate file descriptor {}", fd));
+  return file(new_fd);
+}
+
+void file::dup2(int fd) {
+  int result = 0;
+  FMT_RETRY(result, FMT_POSIX_CALL(dup2(fd_, fd)));
+  if (result == -1) {
+    FMT_THROW(system_error(errno, "cannot duplicate file descriptor {} to {}",
+                           fd_, fd));
+  }
+}
+
+void file::dup2(int fd, std::error_code& ec) FMT_NOEXCEPT {
+  int result = 0;
+  FMT_RETRY(result, FMT_POSIX_CALL(dup2(fd_, fd)));
+  if (result == -1) ec = std::error_code(errno, std::generic_category());
+}
+
+void file::pipe(file& read_end, file& write_end) {
+  // Close the descriptors first to make sure that assignments don't throw
+  // and there are no leaks.
+  read_end.close();
+  write_end.close();
+  int fds[2] = {};
+#  ifdef _WIN32
+  // Make the default pipe capacity same as on Linux 2.6.11+.
+  enum { DEFAULT_CAPACITY = 65536 };
+  int result = FMT_POSIX_CALL(pipe(fds, DEFAULT_CAPACITY, _O_BINARY));
+#  else
+  // Don't retry as the pipe function doesn't return EINTR.
+  // http://pubs.opengroup.org/onlinepubs/009696799/functions/pipe.html
+  int result = FMT_POSIX_CALL(pipe(fds));
+#  endif
+  if (result != 0) FMT_THROW(system_error(errno, "cannot create pipe"));
+  // The following assignments don't throw because read_fd and write_fd
+  // are closed.
+  read_end = file(fds[0]);
+  write_end = file(fds[1]);
+}
+
+buffered_file file::fdopen(const char* mode) {
+// Don't retry as fdopen doesn't return EINTR.
+#  if defined(__MINGW32__) && defined(_POSIX_)
+  FILE* f = ::fdopen(fd_, mode);
+#  else
+  FILE* f = FMT_POSIX_CALL(fdopen(fd_, mode));
+#  endif
+  if (!f)
+    FMT_THROW(
+        system_error(errno, "cannot associate stream with file descriptor"));
+  buffered_file bf(f);
+  fd_ = -1;
+  return bf;
+}
+
+long getpagesize() {
+#  ifdef _WIN32
+  SYSTEM_INFO si;
+  GetSystemInfo(&si);
+  return si.dwPageSize;
+#  else
+  long size = FMT_POSIX_CALL(sysconf(_SC_PAGESIZE));
+  if (size < 0) FMT_THROW(system_error(errno, "cannot get memory page size"));
+  return size;
+#  endif
+}
+
+FMT_API void ostream::grow(size_t) {
+  if (this->size() == this->capacity()) flush();
+}
+#endif  // FMT_USE_FCNTL
+FMT_END_NAMESPACE
diff --git a/ctrtool/deps/libmbedtls/BUILDING.md b/ctrtool/deps/libmbedtls/BUILDING.md
new file mode 100644
index 00000000..b5979c32
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/BUILDING.md
@@ -0,0 +1,31 @@
+# Building
+## Linux (incl. Windows Subsystem for Linux) & MacOS - Makefile
+### Requirements
+* `make`
+* Terminal access
+* Typical GNU compatible development tools (e.g. `clang`, `g++`, `c++`, `ar` etc) with __C++11__ support
+
+### Using Makefile
+* `make` (default) - Compile library
+* `make static_lib` - Compile library
+* `make clean` - Remove all object files
+
+## Native Win32 - Visual Studio
+### Requirements
+* [Visual Studio Community](https://visualstudio.microsoft.com/vs/community/) 2015 or 2017
+
+### Compiling Library
+* Open `build/visualstudio/libmbedtls.sln` in Visual Studio
+* Select Target (e.g `Debug`|`Release` & `x86`|`x64`)
+* Navigate to `Build`->`Build Solution`
+
+### Including libmbedtls in another VS Solution for static linking
+* Clone `libmbedtls` as a submodule into your project
+* Navigate to the `Solution Explorer` window
+* Right-click on the Solution Item and select `Add`->`Existing Project...`
+* In the filesystem popup window open `<libmbedtls location>\build\visualstudio\libmbedtls\libmbedtls.vcxproj`
+* Update each dependant project's `References` to include libmbedtls
+* Update each dependant project's `Property Pages` so that for `All Configurations` and `All Platforms` the `Addition Include Directories` has the relative path to `<libmbedtls location>\include`
+	* If `libmbedtls` is being included as a dependency in a similarly structured project the relative path is `$(SolutionDir)..\..\deps\libmbedtls\include`
+* Update the `Project Build Order` so libmbedtls is built before any of its dependants
+* Update the `Project Dependencies` so that each dependant has the box checked for libmbedtls
diff --git a/ctrtool/deps/libmbedtls/LICENSE b/ctrtool/deps/libmbedtls/LICENSE
new file mode 100644
index 00000000..546a8e63
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/LICENSE
@@ -0,0 +1,2 @@
+Unless specifically indicated otherwise in a file, files are licensed
+under the Apache 2.0 license, as can be found in: apache-2.0.txt
diff --git a/ctrtool/deps/libmbedtls/README.md b/ctrtool/deps/libmbedtls/README.md
new file mode 100644
index 00000000..4cbd026c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/README.md
@@ -0,0 +1,2 @@
+# libmbedtls
+Cryptographic functions. Clone of [mbedtls 2.16.5](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16).
diff --git a/ctrtool/deps/libmbedtls/apache-2.0.txt b/ctrtool/deps/libmbedtls/apache-2.0.txt
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/apache-2.0.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls.sln b/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls.sln
new file mode 100644
index 00000000..52d81942
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28010.2036
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libmbedtls", "libmbedtls\libmbedtls.vcxproj", "{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.ActiveCfg = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.Build.0 = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.ActiveCfg = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.Build.0 = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.ActiveCfg = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.Build.0 = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.ActiveCfg = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {339FDA10-37B3-49E3-B5F4-44515FFBBC6A}
+	EndGlobalSection
+EndGlobal
diff --git a/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj b/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj
new file mode 100644
index 00000000..c7dda398
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj
@@ -0,0 +1,289 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>15.0</VCProjectVersion>
+    <ProjectGuid>{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}</ProjectGuid>
+    <RootNamespace>libmbedtls</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\mbedtls\aes.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\aesni.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\arc4.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\aria.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\asn1.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\asn1write.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\base64.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\bignum.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\blowfish.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\bn_mul.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\camellia.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ccm.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\certs.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\chacha20.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\chachapoly.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\check_config.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\cipher.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\cipher_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\cmac.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\compat-1.3.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\config.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ctr_drbg.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\debug.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\des.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\dhm.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecdh.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecdsa.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecjpake.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecp.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecp_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\entropy.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\entropy_poll.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\error.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\gcm.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\havege.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\hkdf.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\hmac_drbg.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md2.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md4.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md5.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\memory_buffer_alloc.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\net.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\net_sockets.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\nist_kw.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\oid.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\padlock.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pem.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pk.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs11.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs12.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs5.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pk_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\platform.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\platform_time.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\platform_util.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\poly1305.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ripemd160.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\rsa.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\rsa_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\sha1.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\sha256.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\sha512.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cache.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ciphersuites.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cookie.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ticket.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\threading.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\timing.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\version.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crl.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crt.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509_csr.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\xtea.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\aes.c" />
+    <ClCompile Include="..\..\..\src\aesni.c" />
+    <ClCompile Include="..\..\..\src\arc4.c" />
+    <ClCompile Include="..\..\..\src\aria.c" />
+    <ClCompile Include="..\..\..\src\asn1parse.c" />
+    <ClCompile Include="..\..\..\src\asn1write.c" />
+    <ClCompile Include="..\..\..\src\base64.c" />
+    <ClCompile Include="..\..\..\src\bignum.c" />
+    <ClCompile Include="..\..\..\src\blowfish.c" />
+    <ClCompile Include="..\..\..\src\camellia.c" />
+    <ClCompile Include="..\..\..\src\ccm.c" />
+    <ClCompile Include="..\..\..\src\certs.c" />
+    <ClCompile Include="..\..\..\src\chacha20.c" />
+    <ClCompile Include="..\..\..\src\chachapoly.c" />
+    <ClCompile Include="..\..\..\src\cipher.c" />
+    <ClCompile Include="..\..\..\src\cipher_wrap.c" />
+    <ClCompile Include="..\..\..\src\cmac.c" />
+    <ClCompile Include="..\..\..\src\ctr_drbg.c" />
+    <ClCompile Include="..\..\..\src\debug.c" />
+    <ClCompile Include="..\..\..\src\des.c" />
+    <ClCompile Include="..\..\..\src\dhm.c" />
+    <ClCompile Include="..\..\..\src\ecdh.c" />
+    <ClCompile Include="..\..\..\src\ecdsa.c" />
+    <ClCompile Include="..\..\..\src\ecjpake.c" />
+    <ClCompile Include="..\..\..\src\ecp.c" />
+    <ClCompile Include="..\..\..\src\ecp_curves.c" />
+    <ClCompile Include="..\..\..\src\entropy.c" />
+    <ClCompile Include="..\..\..\src\entropy_poll.c" />
+    <ClCompile Include="..\..\..\src\error.c" />
+    <ClCompile Include="..\..\..\src\gcm.c" />
+    <ClCompile Include="..\..\..\src\havege.c" />
+    <ClCompile Include="..\..\..\src\hkdf.c" />
+    <ClCompile Include="..\..\..\src\hmac_drbg.c" />
+    <ClCompile Include="..\..\..\src\md.c" />
+    <ClCompile Include="..\..\..\src\md2.c" />
+    <ClCompile Include="..\..\..\src\md4.c" />
+    <ClCompile Include="..\..\..\src\md5.c" />
+    <ClCompile Include="..\..\..\src\md_wrap.c" />
+    <ClCompile Include="..\..\..\src\memory_buffer_alloc.c" />
+    <ClCompile Include="..\..\..\src\net_sockets.c" />
+    <ClCompile Include="..\..\..\src\nist_kw.c" />
+    <ClCompile Include="..\..\..\src\oid.c" />
+    <ClCompile Include="..\..\..\src\padlock.c" />
+    <ClCompile Include="..\..\..\src\pem.c" />
+    <ClCompile Include="..\..\..\src\pk.c" />
+    <ClCompile Include="..\..\..\src\pk_wrap.c" />
+    <ClCompile Include="..\..\..\src\pkcs11.c" />
+    <ClCompile Include="..\..\..\src\pkcs12.c" />
+    <ClCompile Include="..\..\..\src\pkcs5.c" />
+    <ClCompile Include="..\..\..\src\pkparse.c" />
+    <ClCompile Include="..\..\..\src\pkwrite.c" />
+    <ClCompile Include="..\..\..\src\platform.c" />
+    <ClCompile Include="..\..\..\src\platform_util.c" />
+    <ClCompile Include="..\..\..\src\poly1305.c" />
+    <ClCompile Include="..\..\..\src\ripemd160.c" />
+    <ClCompile Include="..\..\..\src\rsa.c" />
+    <ClCompile Include="..\..\..\src\rsa_internal.c" />
+    <ClCompile Include="..\..\..\src\sha1.c" />
+    <ClCompile Include="..\..\..\src\sha256.c" />
+    <ClCompile Include="..\..\..\src\sha512.c" />
+    <ClCompile Include="..\..\..\src\ssl_cache.c" />
+    <ClCompile Include="..\..\..\src\ssl_ciphersuites.c" />
+    <ClCompile Include="..\..\..\src\ssl_cli.c" />
+    <ClCompile Include="..\..\..\src\ssl_cookie.c" />
+    <ClCompile Include="..\..\..\src\ssl_srv.c" />
+    <ClCompile Include="..\..\..\src\ssl_ticket.c" />
+    <ClCompile Include="..\..\..\src\ssl_tls.c" />
+    <ClCompile Include="..\..\..\src\threading.c" />
+    <ClCompile Include="..\..\..\src\timing.c" />
+    <ClCompile Include="..\..\..\src\version.c" />
+    <ClCompile Include="..\..\..\src\version_features.c" />
+    <ClCompile Include="..\..\..\src\x509.c" />
+    <ClCompile Include="..\..\..\src\x509_create.c" />
+    <ClCompile Include="..\..\..\src\x509_crl.c" />
+    <ClCompile Include="..\..\..\src\x509_crt.c" />
+    <ClCompile Include="..\..\..\src\x509_csr.c" />
+    <ClCompile Include="..\..\..\src\x509write_crt.c" />
+    <ClCompile Include="..\..\..\src\x509write_csr.c" />
+    <ClCompile Include="..\..\..\src\xtea.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters b/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters
new file mode 100644
index 00000000..27a1966d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters
@@ -0,0 +1,492 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\mbedtls\aes.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\aesni.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\arc4.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\aria.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\asn1.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\asn1write.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\base64.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\bignum.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\blowfish.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\bn_mul.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\camellia.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ccm.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\certs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\chacha20.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\chachapoly.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\check_config.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\cipher.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\cipher_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\cmac.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\compat-1.3.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\config.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ctr_drbg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\debug.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\des.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\dhm.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecdh.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecdsa.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecjpake.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecp.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecp_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\entropy.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\entropy_poll.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\error.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\gcm.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\havege.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\hkdf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\hmac_drbg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md2.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md4.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md5.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\memory_buffer_alloc.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\net.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\net_sockets.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\nist_kw.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\oid.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\padlock.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pem.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pk.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pk_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs5.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs11.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs12.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\platform.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\platform_time.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\platform_util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\poly1305.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ripemd160.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\rsa.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\rsa_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\sha1.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\sha256.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\sha512.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cache.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ciphersuites.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cookie.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ticket.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\threading.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\timing.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crl.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crt.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509_csr.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\xtea.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\aes.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\aesni.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\arc4.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\aria.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\asn1parse.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\asn1write.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\base64.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\bignum.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\blowfish.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\camellia.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ccm.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\certs.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\chacha20.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\chachapoly.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cipher.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cipher_wrap.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cmac.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ctr_drbg.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\debug.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\des.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\dhm.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecdh.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecdsa.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecjpake.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecp.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecp_curves.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\entropy.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\entropy_poll.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\error.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\gcm.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\havege.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\hkdf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\hmac_drbg.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md2.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md4.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md5.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md_wrap.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\memory_buffer_alloc.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\net_sockets.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\nist_kw.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\oid.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\padlock.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pem.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pk.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pk_wrap.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkcs11.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkcs12.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkcs5.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkparse.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkwrite.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\platform.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\platform_util.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\poly1305.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ripemd160.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\rsa.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\rsa_internal.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\sha1.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\sha256.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\sha512.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_cache.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_ciphersuites.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_cli.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_cookie.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_srv.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_ticket.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_tls.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\threading.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\timing.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\version_features.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_create.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_crl.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_crt.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_csr.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509write_crt.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509write_csr.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\xtea.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/aes.h b/ctrtool/deps/libmbedtls/include/mbedtls/aes.h
new file mode 100644
index 00000000..94e7282d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/aes.h
@@ -0,0 +1,674 @@
+/**
+ * \file aes.h
+ *
+ * \brief   This file contains AES definitions and functions.
+ *
+ *          The Advanced Encryption Standard (AES) specifies a FIPS-approved
+ *          cryptographic algorithm that can be used to protect electronic
+ *          data.
+ *
+ *          The AES algorithm is a symmetric block cipher that can
+ *          encrypt and decrypt information. For more information, see
+ *          <em>FIPS Publication 197: Advanced Encryption Standard</em> and
+ *          <em>ISO/IEC 18033-2:2006: Information technology -- Security
+ *          techniques -- Encryption algorithms -- Part 2: Asymmetric
+ *          ciphers</em>.
+ *
+ *          The AES-XTS block mode is standardized by NIST SP 800-38E
+ *          <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
+ *          and described in detail by IEEE P1619
+ *          <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_AES_H
+#define MBEDTLS_AES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* padlock.c and aesni.c rely on these values! */
+#define MBEDTLS_AES_ENCRYPT     1 /**< AES encryption. */
+#define MBEDTLS_AES_DECRYPT     0 /**< AES decryption. */
+
+/* Error codes in range 0x0020-0x0022 */
+#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
+#define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
+
+/* Error codes in range 0x0021-0x0025 */
+#define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021  /**< Invalid input data. */
+
+/* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
+#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
+
+/* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025  /**< AES hardware accelerator failed. */
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_AES_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The AES context-type definition.
+ */
+typedef struct mbedtls_aes_context
+{
+    int nr;                     /*!< The number of rounds. */
+    uint32_t *rk;               /*!< AES round keys. */
+    uint32_t buf[68];           /*!< Unaligned data buffer. This buffer can
+                                     hold 32 extra Bytes, which can be used for
+                                     one of the following purposes:
+                                     <ul><li>Alignment if VIA padlock is
+                                             used.</li>
+                                     <li>Simplifying key expansion in the 256-bit
+                                         case by generating an extra round key.
+                                         </li></ul> */
+}
+mbedtls_aes_context;
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief The AES XTS context-type definition.
+ */
+typedef struct mbedtls_aes_xts_context
+{
+    mbedtls_aes_context crypt; /*!< The AES context to use for AES block
+                                        encryption or decryption. */
+    mbedtls_aes_context tweak; /*!< The AES context used for tweak
+                                        computation. */
+} mbedtls_aes_xts_context;
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#else  /* MBEDTLS_AES_ALT */
+#include "aes_alt.h"
+#endif /* MBEDTLS_AES_ALT */
+
+/**
+ * \brief          This function initializes the specified AES context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The AES context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aes_init( mbedtls_aes_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified AES context.
+ *
+ * \param ctx      The AES context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
+ */
+void mbedtls_aes_free( mbedtls_aes_context *ctx );
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief          This function initializes the specified AES XTS context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The AES XTS context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified AES XTS context.
+ *
+ * \param ctx      The AES XTS context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
+ */
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/**
+ * \brief          This function sets the encryption key.
+ *
+ * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The encryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of data passed in bits. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits );
+
+/**
+ * \brief          This function sets the decryption key.
+ *
+ * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The decryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of data passed. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits );
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief          This function prepares an XTS context for encryption and
+ *                 sets the encryption key.
+ *
+ * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The encryption key. This is comprised of the XTS key1
+ *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of \p key passed in bits. Valid options are:
+ *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits );
+
+/**
+ * \brief          This function prepares an XTS context for decryption and
+ *                 sets the decryption key.
+ *
+ * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The decryption key. This is comprised of the XTS key1
+ *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of \p key passed in bits. Valid options are:
+ *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/**
+ * \brief          This function performs an AES single-block encryption or
+ *                 decryption operation.
+ *
+ *                 It performs the operation defined in the \p mode parameter
+ *                 (encrypt or decrypt), on the input data buffer defined in
+ *                 the \p input parameter.
+ *
+ *                 mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
+ *                 mbedtls_aes_setkey_dec() must be called before the first
+ *                 call to this API with the same context.
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and at least \c 16 Bytes long.
+ * \param output   The buffer where the output data will be written.
+ *                 It must be writeable and at least \c 16 Bytes long.
+
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief  This function performs an AES-CBC encryption or decryption operation
+ *         on full blocks.
+ *
+ *         It performs the operation defined in the \p mode
+ *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *         the \p input parameter.
+ *
+ *         It can be called as many times as needed, until all the input
+ *         data is processed. mbedtls_aes_init(), and either
+ *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
+ *         before the first call to this API with the same context.
+ *
+ * \note   This function operates on full blocks, that is, the input size
+ *         must be a multiple of the AES block size of \c 16 Bytes.
+ *
+ * \note   Upon exit, the content of the IV is updated so that you can
+ *         call the same function again on the next
+ *         block(s) of data and get the same result as if it was
+ *         encrypted in one call. This allows a "streaming" usage.
+ *         If you need to retain the contents of the IV, you should
+ *         either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param length   The length of the input data in Bytes. This must be a
+ *                 multiple of the block size (\c 16 Bytes).
+ * \param iv       Initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+ *                 on failure.
+ */
+int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief      This function performs an AES-XTS encryption or decryption
+ *             operation for an entire XTS data unit.
+ *
+ *             AES-XTS encrypts or decrypts blocks based on their location as
+ *             defined by a data unit number. The data unit number must be
+ *             provided by \p data_unit.
+ *
+ *             NIST SP 800-38E limits the maximum size of a data unit to 2^20
+ *             AES blocks. If the data unit is larger than this, this function
+ *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
+ *
+ * \param ctx          The AES XTS context to use for AES XTS operations.
+ *                     It must be initialized and bound to a key.
+ * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                     #MBEDTLS_AES_DECRYPT.
+ * \param length       The length of a data unit in Bytes. This can be any
+ *                     length between 16 bytes and 2^24 bytes inclusive
+ *                     (between 1 and 2^20 block cipher blocks).
+ * \param data_unit    The address of the data unit encoded as an array of 16
+ *                     bytes in little-endian format. For disk encryption, this
+ *                     is typically the index of the block device sector that
+ *                     contains the data.
+ * \param input        The buffer holding the input data (which is an entire
+ *                     data unit). This function reads \p length Bytes from \p
+ *                     input.
+ * \param output       The buffer holding the output data (which is an entire
+ *                     data unit). This function writes \p length Bytes to \p
+ *                     output.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
+ *                     smaller than an AES block in size (16 Bytes) or if \p
+ *                     length is larger than 2^20 blocks (16 MiB).
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+                           int mode,
+                           size_t length,
+                           const unsigned char data_unit[16],
+                           const unsigned char *input,
+                           unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an AES-CFB128 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt or decrypt), on the input data buffer
+ *        defined in the \p input parameter.
+ *
+ *        For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
+ *        regardless of whether you are performing an encryption or decryption
+ *        operation, that is, regardless of the \p mode parameter. This is
+ *        because CFB mode uses the same key schedule for encryption and
+ *        decryption.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you must either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param length   The length of the input data in Bytes.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
+ * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+/**
+ * \brief This function performs an AES-CFB8 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt/decrypt), on the input data buffer defined
+ *        in the \p input parameter.
+ *
+ *        Due to the nature of CFB, you must use the same key schedule for
+ *        both encryption and decryption operations. Therefore, you must
+ *        use the context initialized with mbedtls_aes_setkey_enc() for
+ *        both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you should either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT
+ * \param length   The length of the input data.
+ * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/**
+ * \brief       This function performs an AES-OFB (Output Feedback Mode)
+ *              encryption or decryption operation.
+ *
+ *              For OFB, you must set up the context with
+ *              mbedtls_aes_setkey_enc(), regardless of whether you are
+ *              performing an encryption or decryption operation. This is
+ *              because OFB mode uses the same key schedule for encryption and
+ *              decryption.
+ *
+ *              The OFB operation is identical for encryption or decryption,
+ *              therefore no operation mode needs to be specified.
+ *
+ * \note        Upon exit, the content of iv, the Initialisation Vector, is
+ *              updated so that you can call the same function again on the next
+ *              block(s) of data and get the same result as if it was encrypted
+ *              in one call. This allows a "streaming" usage, by initialising
+ *              iv_off to 0 before the first call, and preserving its value
+ *              between calls.
+ *
+ *              For non-streaming use, the iv should be initialised on each call
+ *              to a unique value, and iv_off set to 0 on each call.
+ *
+ *              If you need to retain the contents of the initialisation vector,
+ *              you must either save it manually or use the cipher module
+ *              instead.
+ *
+ * \warning     For the OFB mode, the initialisation vector must be unique
+ *              every encryption operation. Reuse of an initialisation vector
+ *              will compromise security.
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param length   The length of the input data.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
+ * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      This function performs an AES-CTR encryption or decryption
+ *             operation.
+ *
+ *             This function performs the operation defined in the \p mode
+ *             parameter (encrypt/decrypt), on the input data buffer
+ *             defined in the \p input parameter.
+ *
+ *             Due to the nature of CTR, you must use the same key schedule
+ *             for both encryption and decryption operations. Therefore, you
+ *             must use the context initialized with mbedtls_aes_setkey_enc()
+ *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 12 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 12 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter. An alternative is to generate random nonces, but this
+ *             limits the number of messages that can be securely encrypted:
+ *             for example, with 96-bit random nonces, you should not encrypt
+ *             more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that an AES block is 16 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx              The AES context to use for encryption or decryption.
+ *                         It must be initialized and bound to a key.
+ * \param length           The length of the input data.
+ * \param nc_off           The offset in the current \p stream_block, for
+ *                         resuming within the current cipher stream. The
+ *                         offset pointer should be 0 at the start of a stream.
+ *                         It must point to a valid \c size_t.
+ * \param nonce_counter    The 128-bit nonce and counter.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
+ * \param stream_block     The saved stream block for resuming. This is
+ *                         overwritten by the function.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
+ * \param input            The buffer holding the input data.
+ *                         It must be readable and of size \p length Bytes.
+ * \param output           The buffer holding the output data.
+ *                         It must be writeable and of size \p length Bytes.
+ *
+ * \return                 \c 0 on success.
+ */
+int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/**
+ * \brief           Internal AES block encryption function. This is only
+ *                  exposed to allow overriding it using
+ *                  \c MBEDTLS_AES_ENCRYPT_ALT.
+ *
+ * \param ctx       The AES context to use for encryption.
+ * \param input     The plaintext block.
+ * \param output    The output (ciphertext) block.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] );
+
+/**
+ * \brief           Internal AES block decryption function. This is only
+ *                  exposed to allow overriding it using see
+ *                  \c MBEDTLS_AES_DECRYPT_ALT.
+ *
+ * \param ctx       The AES context to use for decryption.
+ * \param input     The ciphertext block.
+ * \param output    The output (plaintext) block.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           Deprecated internal AES block encryption function
+ *                  without return value.
+ *
+ * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
+ *
+ * \param ctx       The AES context to use for encryption.
+ * \param input     Plaintext block.
+ * \param output    Output (ciphertext) block.
+ */
+MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
+                                             const unsigned char input[16],
+                                             unsigned char output[16] );
+
+/**
+ * \brief           Deprecated internal AES block decryption function
+ *                  without return value.
+ *
+ * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
+ *
+ * \param ctx       The AES context to use for decryption.
+ * \param input     Ciphertext block.
+ * \param output    Output (plaintext) block.
+ */
+MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
+                                             const unsigned char input[16],
+                                             unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_aes_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aes.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/aesni.h b/ctrtool/deps/libmbedtls/include/mbedtls/aesni.h
new file mode 100644
index 00000000..a4ca012f
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/aesni.h
@@ -0,0 +1,138 @@
+/**
+ * \file aesni.h
+ *
+ * \brief AES-NI for hardware AES acceleration on some Intel processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_AESNI_H
+#define MBEDTLS_AESNI_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#define MBEDTLS_AESNI_AES      0x02000000u
+#define MBEDTLS_AESNI_CLMUL    0x00000002u
+
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) &&  \
+    ( defined(__amd64__) || defined(__x86_64__) )   &&  \
+    ! defined(MBEDTLS_HAVE_X86_64)
+#define MBEDTLS_HAVE_X86_64
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Internal function to detect the AES-NI feature in CPUs.
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param what     The feature to detect
+ *                 (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_aesni_has_support( unsigned int what );
+
+/**
+ * \brief          Internal AES-NI AES-ECB block encryption and decryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 on success (cannot fail)
+ */
+int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
+                             int mode,
+                             const unsigned char input[16],
+                             unsigned char output[16] );
+
+/**
+ * \brief          Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param c        Result
+ * \param a        First operand
+ * \param b        Second operand
+ *
+ * \note           Both operands and result are bit strings interpreted as
+ *                 elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesni_gcm_mult( unsigned char c[16],
+                             const unsigned char a[16],
+                             const unsigned char b[16] );
+
+/**
+ * \brief           Internal round key inversion. This function computes
+ *                  decryption round keys from the encryption round keys.
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
+ *
+ * \param invkey    Round keys for the equivalent inverse cipher
+ * \param fwdkey    Original round keys (for encryption)
+ * \param nr        Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesni_inverse_key( unsigned char *invkey,
+                                const unsigned char *fwdkey,
+                                int nr );
+
+/**
+ * \brief           Internal key expansion for encryption
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
+ *
+ * \param rk        Destination buffer where the round keys are written
+ * \param key       Encryption key
+ * \param bits      Key size in bits (must be 128, 192 or 256)
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesni_setkey_enc( unsigned char *rk,
+                              const unsigned char *key,
+                              size_t bits );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/arc4.h b/ctrtool/deps/libmbedtls/include/mbedtls/arc4.h
new file mode 100644
index 00000000..fb044d5b
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/arc4.h
@@ -0,0 +1,146 @@
+/**
+ * \file arc4.h
+ *
+ * \brief The ARCFOUR stream cipher
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_ARC4_H
+#define MBEDTLS_ARC4_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_ARC4_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief     ARC4 context structure
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ *
+ */
+typedef struct mbedtls_arc4_context
+{
+    int x;                      /*!< permutation index */
+    int y;                      /*!< permutation index */
+    unsigned char m[256];       /*!< permutation table */
+}
+mbedtls_arc4_context;
+
+#else  /* MBEDTLS_ARC4_ALT */
+#include "arc4_alt.h"
+#endif /* MBEDTLS_ARC4_ALT */
+
+/**
+ * \brief          Initialize ARC4 context
+ *
+ * \param ctx      ARC4 context to be initialized
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_init( mbedtls_arc4_context *ctx );
+
+/**
+ * \brief          Clear ARC4 context
+ *
+ * \param ctx      ARC4 context to be cleared
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_free( mbedtls_arc4_context *ctx );
+
+/**
+ * \brief          ARC4 key schedule
+ *
+ * \param ctx      ARC4 context to be setup
+ * \param key      the secret key
+ * \param keylen   length of the key, in bytes
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
+                 unsigned int keylen );
+
+/**
+ * \brief          ARC4 cipher function
+ *
+ * \param ctx      ARC4 context
+ * \param length   length of the input data
+ * \param input    buffer holding the input data
+ * \param output   buffer for the output data
+ *
+ * \return         0 if successful
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
+                unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+int mbedtls_arc4_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* arc4.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/aria.h b/ctrtool/deps/libmbedtls/include/mbedtls/aria.h
new file mode 100644
index 00000000..1e8956ed
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/aria.h
@@ -0,0 +1,370 @@
+/**
+ * \file aria.h
+ *
+ * \brief ARIA block cipher
+ *
+ *        The ARIA algorithm is a symmetric block cipher that can encrypt and
+ *        decrypt information. It is defined by the Korean Agency for
+ *        Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
+ *        Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
+ *        and also described by the IETF in <em>RFC 5794</em>.
+ */
+/*  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ARIA_H
+#define MBEDTLS_ARIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "platform_util.h"
+
+#define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
+#define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */
+
+#define MBEDTLS_ARIA_BLOCKSIZE   16 /**< ARIA block size in bytes. */
+#define MBEDTLS_ARIA_MAX_ROUNDS  16 /**< Maxiumum number of rounds in ARIA. */
+#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
+
+#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE  -0x005A  /**< Feature not available. For example, an unsupported ARIA key size. */
+
+/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED      -0x0058  /**< ARIA hardware accelerator failed. */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The ARIA context-type definition.
+ */
+typedef struct mbedtls_aria_context
+{
+    unsigned char nr;           /*!< The number of rounds (12, 14 or 16) */
+    /*! The ARIA round keys. */
+    uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
+}
+mbedtls_aria_context;
+
+#else  /* MBEDTLS_ARIA_ALT */
+#include "aria_alt.h"
+#endif /* MBEDTLS_ARIA_ALT */
+
+/**
+ * \brief          This function initializes the specified ARIA context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The ARIA context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aria_init( mbedtls_aria_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified ARIA context.
+ *
+ * \param ctx      The ARIA context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized ARIA context.
+ */
+void mbedtls_aria_free( mbedtls_aria_context *ctx );
+
+/**
+ * \brief          This function sets the encryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The encryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of \p key in Bits. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits );
+
+/**
+ * \brief          This function sets the decryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of data passed. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits );
+
+/**
+ * \brief          This function performs an ARIA single-block encryption or
+ *                 decryption operation.
+ *
+ *                 It performs encryption or decryption (depending on whether
+ *                 the key was set for encryption on decryption) on the input
+ *                 data buffer defined in the \p input parameter.
+ *
+ *                 mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
+ *                 mbedtls_aria_setkey_dec() must be called before the first
+ *                 call to this API with the same context.
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param input    The 16-Byte buffer holding the input data.
+ * \param output   The 16-Byte buffer holding the output data.
+
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief  This function performs an ARIA-CBC encryption or decryption operation
+ *         on full blocks.
+ *
+ *         It performs the operation defined in the \p mode
+ *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *         the \p input parameter.
+ *
+ *         It can be called as many times as needed, until all the input
+ *         data is processed. mbedtls_aria_init(), and either
+ *         mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
+ *         before the first call to this API with the same context.
+ *
+ * \note   This function operates on aligned blocks, that is, the input size
+ *         must be a multiple of the ARIA block size of 16 Bytes.
+ *
+ * \note   Upon exit, the content of the IV is updated so that you can
+ *         call the same function again on the next
+ *         block(s) of data and get the same result as if it was
+ *         encrypted in one call. This allows a "streaming" usage.
+ *         If you need to retain the contents of the IV, you should
+ *         either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be a
+ *                 multiple of the block size (16 Bytes).
+ * \param iv       Initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an ARIA-CFB128 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt or decrypt), on the input data buffer
+ *        defined in the \p input parameter.
+ *
+ *        For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
+ *        regardless of whether you are performing an encryption or decryption
+ *        operation, that is, regardless of the \p mode parameter. This is
+ *        because CFB mode uses the same key schedule for encryption and
+ *        decryption.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you must either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data \p input in Bytes.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 This must not be larger than 15.
+ * \param iv       The initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+                               int mode,
+                               size_t length,
+                               size_t *iv_off,
+                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                               const unsigned char *input,
+                               unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      This function performs an ARIA-CTR encryption or decryption
+ *             operation.
+ *
+ *             This function performs the operation defined in the \p mode
+ *             parameter (encrypt/decrypt), on the input data buffer
+ *             defined in the \p input parameter.
+ *
+ *             Due to the nature of CTR, you must use the same key schedule
+ *             for both encryption and decryption operations. Therefore, you
+ *             must use the context initialized with mbedtls_aria_setkey_enc()
+ *             for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 12 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 12 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter. An alternative is to generate random nonces, but this
+ *             limits the number of messages that can be securely encrypted:
+ *             for example, with 96-bit random nonces, you should not encrypt
+ *             more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that an ARIA block is 16 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx              The ARIA context to use for encryption or decryption.
+ *                         This must be initialized and bound to a key.
+ * \param length           The length of the input data \p input in Bytes.
+ * \param nc_off           The offset in Bytes in the current \p stream_block,
+ *                         for resuming within the current cipher stream. The
+ *                         offset pointer should be \c 0 at the start of a
+ *                         stream. This must not be larger than \c 15 Bytes.
+ * \param nonce_counter    The 128-bit nonce and counter. This must point to
+ *                         a read/write buffer of length \c 16 bytes.
+ * \param stream_block     The saved stream block for resuming. This must
+ *                         point to a read/write buffer of length \c 16 bytes.
+ *                         This is overwritten by the function.
+ * \param input            The buffer holding the input data. This must
+ *                         be a readable buffer of length \p length Bytes.
+ * \param output           The buffer holding the output data. This must
+ *                         be a writable buffer of length \p length Bytes.
+ *
+ * \return                 \c 0 on success.
+ * \return                 A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+                            size_t length,
+                            size_t *nc_off,
+                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_aria_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aria.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/asn1.h b/ctrtool/deps/libmbedtls/include/mbedtls/asn1.h
new file mode 100644
index 00000000..96c1c9a8
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/asn1.h
@@ -0,0 +1,358 @@
+/**
+ * \file asn1.h
+ *
+ * \brief Generic ASN.1 parsing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ASN1_H
+#define MBEDTLS_ASN1_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "bignum.h"
+#endif
+
+/**
+ * \addtogroup asn1_module
+ * \{
+ */
+
+/**
+ * \name ASN1 Error codes
+ * These error codes are OR'ed to X509 error codes for
+ * higher error granularity.
+ * ASN1 is a standard to specify data structures.
+ * \{
+ */
+#define MBEDTLS_ERR_ASN1_OUT_OF_DATA                      -0x0060  /**< Out of data when parsing an ASN1 data structure. */
+#define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG                   -0x0062  /**< ASN1 tag was of an unexpected value. */
+#define MBEDTLS_ERR_ASN1_INVALID_LENGTH                   -0x0064  /**< Error when trying to determine the length or invalid length. */
+#define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH                  -0x0066  /**< Actual length differs from expected length. */
+#define MBEDTLS_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. (not used) */
+#define MBEDTLS_ERR_ASN1_ALLOC_FAILED                     -0x006A  /**< Memory allocation failed */
+#define MBEDTLS_ERR_ASN1_BUF_TOO_SMALL                    -0x006C  /**< Buffer too small when writing ASN.1 data structure. */
+
+/* \} name */
+
+/**
+ * \name DER constants
+ * These constants comply with the DER encoded ASN.1 type tags.
+ * DER encoding uses hexadecimal representation.
+ * An example DER sequence is:\n
+ * - 0x02 -- tag indicating INTEGER
+ * - 0x01 -- length in octets
+ * - 0x05 -- value
+ * Such sequences are typically read into \c ::mbedtls_x509_buf.
+ * \{
+ */
+#define MBEDTLS_ASN1_BOOLEAN                 0x01
+#define MBEDTLS_ASN1_INTEGER                 0x02
+#define MBEDTLS_ASN1_BIT_STRING              0x03
+#define MBEDTLS_ASN1_OCTET_STRING            0x04
+#define MBEDTLS_ASN1_NULL                    0x05
+#define MBEDTLS_ASN1_OID                     0x06
+#define MBEDTLS_ASN1_UTF8_STRING             0x0C
+#define MBEDTLS_ASN1_SEQUENCE                0x10
+#define MBEDTLS_ASN1_SET                     0x11
+#define MBEDTLS_ASN1_PRINTABLE_STRING        0x13
+#define MBEDTLS_ASN1_T61_STRING              0x14
+#define MBEDTLS_ASN1_IA5_STRING              0x16
+#define MBEDTLS_ASN1_UTC_TIME                0x17
+#define MBEDTLS_ASN1_GENERALIZED_TIME        0x18
+#define MBEDTLS_ASN1_UNIVERSAL_STRING        0x1C
+#define MBEDTLS_ASN1_BMP_STRING              0x1E
+#define MBEDTLS_ASN1_PRIMITIVE               0x00
+#define MBEDTLS_ASN1_CONSTRUCTED             0x20
+#define MBEDTLS_ASN1_CONTEXT_SPECIFIC        0x80
+
+/*
+ * Bit masks for each of the components of an ASN.1 tag as specified in
+ * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
+ * paragraph 8.1.2.2:
+ *
+ * Bit  8     7   6   5          1
+ *     +-------+-----+------------+
+ *     | Class | P/C | Tag number |
+ *     +-------+-----+------------+
+ */
+#define MBEDTLS_ASN1_TAG_CLASS_MASK          0xC0
+#define MBEDTLS_ASN1_TAG_PC_MASK             0x20
+#define MBEDTLS_ASN1_TAG_VALUE_MASK          0x1F
+
+/* \} name */
+/* \} addtogroup asn1_module */
+
+/** Returns the size of the binary string, without the trailing \\0 */
+#define MBEDTLS_OID_SIZE(x) (sizeof(x) - 1)
+
+/**
+ * Compares an mbedtls_asn1_buf structure to a reference OID.
+ *
+ * Only works for 'defined' oid_str values (MBEDTLS_OID_HMAC_SHA1), you cannot use a
+ * 'unsigned char *oid' here!
+ */
+#define MBEDTLS_OID_CMP(oid_str, oid_buf)                                   \
+        ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len ) ||                \
+          memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name Functions to parse ASN.1 data structures
+ * \{
+ */
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef struct mbedtls_asn1_buf
+{
+    int tag;                /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */
+    size_t len;             /**< ASN1 length, in octets. */
+    unsigned char *p;       /**< ASN1 data, e.g. in ASCII. */
+}
+mbedtls_asn1_buf;
+
+/**
+ * Container for ASN1 bit strings.
+ */
+typedef struct mbedtls_asn1_bitstring
+{
+    size_t len;                 /**< ASN1 length, in octets. */
+    unsigned char unused_bits;  /**< Number of unused bits at the end of the string */
+    unsigned char *p;           /**< Raw ASN1 data for the bit string */
+}
+mbedtls_asn1_bitstring;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef struct mbedtls_asn1_sequence
+{
+    mbedtls_asn1_buf buf;                   /**< Buffer containing the given ASN.1 item. */
+    struct mbedtls_asn1_sequence *next;    /**< The next entry in the sequence. */
+}
+mbedtls_asn1_sequence;
+
+/**
+ * Container for a sequence or list of 'named' ASN.1 data items
+ */
+typedef struct mbedtls_asn1_named_data
+{
+    mbedtls_asn1_buf oid;                   /**< The object identifier. */
+    mbedtls_asn1_buf val;                   /**< The named value. */
+    struct mbedtls_asn1_named_data *next;  /**< The next entry in the sequence. */
+    unsigned char next_merged;      /**< Merge next item into the current one? */
+}
+mbedtls_asn1_named_data;
+
+/**
+ * \brief       Get the length of an ASN.1 element.
+ *              Updates the pointer to immediately behind the length.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the value
+ *
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_OUT_OF_DATA on reaching
+ *              end of data, MBEDTLS_ERR_ASN1_INVALID_LENGTH if length is
+ *              unparseable.
+ */
+int mbedtls_asn1_get_len( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len );
+
+/**
+ * \brief       Get the tag and length of the tag. Check for the requested tag.
+ *              Updates the pointer to immediately behind the tag and length.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the length
+ * \param tag   The expected tag
+ *
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if tag did
+ *              not match requested tag, or another specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_tag( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len, int tag );
+
+/**
+ * \brief       Retrieve a boolean ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bool( unsigned char **p,
+                   const unsigned char *end,
+                   int *val );
+
+/**
+ * \brief       Retrieve an integer ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_int( unsigned char **p,
+                  const unsigned char *end,
+                  int *val );
+
+/**
+ * \brief       Retrieve a bitstring ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param bs    The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bitstring( unsigned char **p, const unsigned char *end,
+                        mbedtls_asn1_bitstring *bs);
+
+/**
+ * \brief       Retrieve a bitstring ASN.1 tag without unused bits and its
+ *              value.
+ *              Updates the pointer to the beginning of the bit/octet string.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   Length of the actual bit/octect string in bytes
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bitstring_null( unsigned char **p, const unsigned char *end,
+                             size_t *len );
+
+/**
+ * \brief       Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ *              Updated the pointer to immediately behind the full sequence tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param cur   First variable in the chain to fill
+ * \param tag   Type of sequence
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_sequence_of( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_asn1_sequence *cur,
+                          int tag);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief       Retrieve a MPI value from an integer ASN.1 tag.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param X     The MPI that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_mpi( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_mpi *X );
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief       Retrieve an AlgorithmIdentifier ASN.1 sequence.
+ *              Updates the pointer to immediately behind the full
+ *              AlgorithmIdentifier.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
+ * \param params The buffer to receive the params (if any)
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params );
+
+/**
+ * \brief       Retrieve an AlgorithmIdentifier ASN.1 sequence with NULL or no
+ *              params.
+ *              Updates the pointer to immediately behind the full
+ *              AlgorithmIdentifier.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg_null( unsigned char **p,
+                       const unsigned char *end,
+                       mbedtls_asn1_buf *alg );
+
+/**
+ * \brief       Find a specific named_data entry in a sequence or list based on
+ *              the OID.
+ *
+ * \param list  The list to seek through
+ * \param oid   The OID to look for
+ * \param len   Size of the OID
+ *
+ * \return      NULL if not found, or a pointer to the existing entry.
+ */
+mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( mbedtls_asn1_named_data *list,
+                                       const char *oid, size_t len );
+
+/**
+ * \brief       Free a mbedtls_asn1_named_data entry
+ *
+ * \param entry The named data entry to free
+ */
+void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry );
+
+/**
+ * \brief       Free all entries in a mbedtls_asn1_named_data list
+ *              Head will be set to NULL
+ *
+ * \param head  Pointer to the head of the list of named data entries to free
+ */
+void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* asn1.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/asn1write.h b/ctrtool/deps/libmbedtls/include/mbedtls/asn1write.h
new file mode 100644
index 00000000..a1942436
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/asn1write.h
@@ -0,0 +1,329 @@
+/**
+ * \file asn1write.h
+ *
+ * \brief ASN.1 buffer writing functionality
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ASN1_WRITE_H
+#define MBEDTLS_ASN1_WRITE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+
+#define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
+    do                                                  \
+    {                                                   \
+        if( ( ret = (f) ) < 0 )                         \
+            return( ret );                              \
+        else                                            \
+            (g) += ret;                                 \
+    } while( 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           Write a length field in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param len       The length value to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start,
+                            size_t len );
+/**
+ * \brief           Write an ASN.1 tag in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The tag to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start,
+                            unsigned char tag );
+
+/**
+ * \brief           Write raw buffer data.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The data buffer to write.
+ * \param size      The length of the data buffer.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
+                                   const unsigned char *buf, size_t size );
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief           Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param X         The MPI to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start,
+                            const mbedtls_mpi *X );
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief           Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start );
+
+/**
+ * \brief           Write an OID tag (#MBEDTLS_ASN1_OID) and data
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID to write.
+ * \param oid_len   The length of the OID.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
+                            const char *oid, size_t oid_len );
+
+/**
+ * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID of the algorithm to write.
+ * \param oid_len   The length of the algorithm's OID.
+ * \param par_len   The length of the parameters, which must be already written.
+ *                  If 0, NULL parameters are added
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p,
+                                             unsigned char *start,
+                                             const char *oid, size_t oid_len,
+                                             size_t par_len );
+
+/**
+ * \brief           Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param boolean   The boolean value to write, either \c 0 or \c 1.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start,
+                             int boolean );
+
+/**
+ * \brief           Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param val       The integer value to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val );
+
+/**
+ * \brief           Write a string in ASN.1 format using a specific
+ *                  string encoding tag.
+
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The string encoding tag to write, e.g.
+ *                  #MBEDTLS_ASN1_UTF8_STRING.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start,
+                                      int tag, const char *text,
+                                      size_t text_len );
+
+/**
+ * \brief           Write a string in ASN.1 format using the PrintableString
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_printable_string( unsigned char **p,
+                                         unsigned char *start,
+                                         const char *text, size_t text_len );
+
+/**
+ * \brief           Write a UTF8 string in ASN.1 format using the UTF8String
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
+                                    const char *text, size_t text_len );
+
+/**
+ * \brief           Write a string in ASN.1 format using the IA5String
+ *                  string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
+                                   const char *text, size_t text_len );
+
+/**
+ * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ *                  value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
+                                  const unsigned char *buf, size_t bits );
+
+/**
+ * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ *                  and value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The buffer holding the data to write.
+ * \param size      The length of the data buffer \p buf.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
+                                     const unsigned char *buf, size_t size );
+
+/**
+ * \brief           Create or find a specific named_data entry for writing in a
+ *                  sequence or list based on the OID. If not already in there,
+ *                  a new entry is added to the head of the list.
+ *                  Warning: Destructive behaviour for the val data!
+ *
+ * \param list      The pointer to the location of the head of the list to seek
+ *                  through (will be updated in case of a new entry).
+ * \param oid       The OID to look for.
+ * \param oid_len   The size of the OID.
+ * \param val       The data to store (can be \c NULL if you want to fill
+ *                  it by hand).
+ * \param val_len   The minimum length of the data buffer needed.
+ *
+ * \return          A pointer to the new / existing entry on success.
+ * \return          \c NULL if if there was a memory allocation error.
+ */
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **list,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val,
+                                        size_t val_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_ASN1_WRITE_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/base64.h b/ctrtool/deps/libmbedtls/include/mbedtls/base64.h
new file mode 100644
index 00000000..0d024164
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/base64.h
@@ -0,0 +1,98 @@
+/**
+ * \file base64.h
+ *
+ * \brief RFC 1521 base64 encoding/decoding
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_BASE64_H
+#define MBEDTLS_BASE64_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
+#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER              -0x002C  /**< Invalid character in input. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Encode a buffer into base64 format
+ *
+ * \param dst      destination buffer
+ * \param dlen     size of the destination buffer
+ * \param olen     number of bytes written
+ * \param src      source buffer
+ * \param slen     amount of data to be encoded
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
+ *                 *olen is always updated to reflect the amount
+ *                 of data that has (or would have) been written.
+ *                 If that length cannot be represented, then no data is
+ *                 written to the buffer and *olen is set to the maximum
+ *                 length representable as a size_t.
+ *
+ * \note           Call this function with dlen = 0 to obtain the
+ *                 required buffer size in *olen
+ */
+int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen );
+
+/**
+ * \brief          Decode a base64-formatted buffer
+ *
+ * \param dst      destination buffer (can be NULL for checking size)
+ * \param dlen     size of the destination buffer
+ * \param olen     number of bytes written
+ * \param src      source buffer
+ * \param slen     amount of data to be decoded
+ *
+ * \return         0 if successful, MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, or
+ *                 MBEDTLS_ERR_BASE64_INVALID_CHARACTER if the input data is
+ *                 not correct. *olen is always updated to reflect the amount
+ *                 of data that has (or would have) been written.
+ *
+ * \note           Call this function with *dst = NULL or dlen = 0 to obtain
+ *                 the required buffer size in *olen
+ */
+int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_base64_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* base64.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/bignum.h b/ctrtool/deps/libmbedtls/include/mbedtls/bignum.h
new file mode 100644
index 00000000..22b37311
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/bignum.h
@@ -0,0 +1,984 @@
+/**
+ * \file bignum.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_BIGNUM_H
+#define MBEDTLS_BIGNUM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#define MBEDTLS_ERR_MPI_FILE_IO_ERROR                     -0x0002  /**< An error occurred while reading from or writing to a file. */
+#define MBEDTLS_ERR_MPI_BAD_INPUT_DATA                    -0x0004  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_MPI_INVALID_CHARACTER                 -0x0006  /**< There is an invalid character in the digit string. */
+#define MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL                  -0x0008  /**< The buffer is too small to write to. */
+#define MBEDTLS_ERR_MPI_NEGATIVE_VALUE                    -0x000A  /**< The input arguments are negative or result in illegal output. */
+#define MBEDTLS_ERR_MPI_DIVISION_BY_ZERO                  -0x000C  /**< The input argument for division is zero, which is not allowed. */
+#define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
+#define MBEDTLS_ERR_MPI_ALLOC_FAILED                      -0x0010  /**< Memory allocation failed. */
+
+#define MBEDTLS_MPI_CHK(f)       \
+    do                           \
+    {                            \
+        if( ( ret = (f) ) != 0 ) \
+            goto cleanup;        \
+    } while( 0 )
+
+/*
+ * Maximum size MPIs are allowed to grow to in number of limbs.
+ */
+#define MBEDTLS_MPI_MAX_LIMBS                             10000
+
+#if !defined(MBEDTLS_MPI_WINDOW_SIZE)
+/*
+ * Maximum window size used for modular exponentiation. Default: 6
+ * Minimum value: 1. Maximum value: 6.
+ *
+ * Result is an array of ( 2 << MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
+ * for the sliding window calculation. (So 64 by default)
+ *
+ * Reduction in size, reduces speed.
+ */
+#define MBEDTLS_MPI_WINDOW_SIZE                           6        /**< Maximum windows size used. */
+#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_MPI_MAX_SIZE)
+/*
+ * Maximum size of MPIs allowed in bits and bytes for user-MPIs.
+ * ( Default: 512 bytes => 4096 bits, Maximum tested: 2048 bytes => 16384 bits )
+ *
+ * Note: Calculations can temporarily result in larger MPIs. So the number
+ * of limbs required (MBEDTLS_MPI_MAX_LIMBS) is higher.
+ */
+#define MBEDTLS_MPI_MAX_SIZE                              1024     /**< Maximum number of bytes for usable MPIs. */
+#endif /* !MBEDTLS_MPI_MAX_SIZE */
+
+#define MBEDTLS_MPI_MAX_BITS                              ( 8 * MBEDTLS_MPI_MAX_SIZE )    /**< Maximum number of bits for usable MPIs. */
+
+/*
+ * When reading from files with mbedtls_mpi_read_file() and writing to files with
+ * mbedtls_mpi_write_file() the buffer should have space
+ * for a (short) label, the MPI (in the provided radix), the newline
+ * characters and the '\0'.
+ *
+ * By default we assume at least a 10 char label, a minimum radix of 10
+ * (decimal) and a maximum of 4096 bit numbers (1234 decimal chars).
+ * Autosized at compile time for at least a 10 char label, a minimum radix
+ * of 10 (decimal) for a number of MBEDTLS_MPI_MAX_BITS size.
+ *
+ * This used to be statically sized to 1250 for a maximum of 4096 bit
+ * numbers (1234 decimal chars).
+ *
+ * Calculate using the formula:
+ *  MBEDTLS_MPI_RW_BUFFER_SIZE = ceil(MBEDTLS_MPI_MAX_BITS / ln(10) * ln(2)) +
+ *                                LabelSize + 6
+ */
+#define MBEDTLS_MPI_MAX_BITS_SCALE100          ( 100 * MBEDTLS_MPI_MAX_BITS )
+#define MBEDTLS_LN_2_DIV_LN_10_SCALE100                 332
+#define MBEDTLS_MPI_RW_BUFFER_SIZE             ( ((MBEDTLS_MPI_MAX_BITS_SCALE100 + MBEDTLS_LN_2_DIV_LN_10_SCALE100 - 1) / MBEDTLS_LN_2_DIV_LN_10_SCALE100) + 10 + 6 )
+
+/*
+ * Define the base integer type, architecture-wise.
+ *
+ * 32 or 64-bit integer types can be forced regardless of the underlying
+ * architecture by defining MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64
+ * respectively and undefining MBEDTLS_HAVE_ASM.
+ *
+ * Double-width integers (e.g. 128-bit in 64-bit architectures) can be
+ * disabled by defining MBEDTLS_NO_UDBL_DIVISION.
+ */
+#if !defined(MBEDTLS_HAVE_INT32)
+    #if defined(_MSC_VER) && defined(_M_AMD64)
+        /* Always choose 64-bit when using MSC */
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* !MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+    #elif defined(__GNUC__) && (                         \
+        defined(__amd64__) || defined(__x86_64__)     || \
+        defined(__ppc64__) || defined(__powerpc64__)  || \
+        defined(__ia64__)  || defined(__alpha__)      || \
+        ( defined(__sparc__) && defined(__arch64__) ) || \
+        defined(__s390x__) || defined(__mips64) )
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+        #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+            /* mbedtls_t_udbl defined as 128-bit unsigned int */
+            typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
+            #define MBEDTLS_HAVE_UDBL
+        #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+    #elif defined(__ARMCC_VERSION) && defined(__aarch64__)
+        /*
+         * __ARMCC_VERSION is defined for both armcc and armclang and
+         * __aarch64__ is only defined by armclang when compiling 64-bit code
+         */
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* !MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+        #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+            /* mbedtls_t_udbl defined as 128-bit unsigned int */
+            typedef __uint128_t mbedtls_t_udbl;
+            #define MBEDTLS_HAVE_UDBL
+        #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+    #elif defined(MBEDTLS_HAVE_INT64)
+        /* Force 64-bit integers with unknown compiler */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+    #endif
+#endif /* !MBEDTLS_HAVE_INT32 */
+
+#if !defined(MBEDTLS_HAVE_INT64)
+    /* Default to 32-bit compilation */
+    #if !defined(MBEDTLS_HAVE_INT32)
+        #define MBEDTLS_HAVE_INT32
+    #endif /* !MBEDTLS_HAVE_INT32 */
+    typedef  int32_t mbedtls_mpi_sint;
+    typedef uint32_t mbedtls_mpi_uint;
+    #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+        typedef uint64_t mbedtls_t_udbl;
+        #define MBEDTLS_HAVE_UDBL
+    #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+#endif /* !MBEDTLS_HAVE_INT64 */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          MPI structure
+ */
+typedef struct mbedtls_mpi
+{
+    int s;              /*!<  Sign: -1 if the mpi is negative, 1 otherwise */
+    size_t n;           /*!<  total # of limbs  */
+    mbedtls_mpi_uint *p;          /*!<  pointer to limbs  */
+}
+mbedtls_mpi;
+
+/**
+ * \brief           Initialize an MPI context.
+ *
+ *                  This makes the MPI ready to be set or freed,
+ *                  but does not define a value for the MPI.
+ *
+ * \param X         The MPI context to initialize. This must not be \c NULL.
+ */
+void mbedtls_mpi_init( mbedtls_mpi *X );
+
+/**
+ * \brief          This function frees the components of an MPI context.
+ *
+ * \param X        The MPI context to be cleared. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is
+ *                 not \c NULL, it must point to an initialized MPI.
+ */
+void mbedtls_mpi_free( mbedtls_mpi *X );
+
+/**
+ * \brief          Enlarge an MPI to the specified number of limbs.
+ *
+ * \note           This function does nothing if the MPI is
+ *                 already large enough.
+ *
+ * \param X        The MPI to grow. It must be initialized.
+ * \param nblimbs  The target number of limbs.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs );
+
+/**
+ * \brief          This function resizes an MPI downwards, keeping at least the
+ *                 specified number of limbs.
+ *
+ *                 If \c X is smaller than \c nblimbs, it is resized up
+ *                 instead.
+ *
+ * \param X        The MPI to shrink. This must point to an initialized MPI.
+ * \param nblimbs  The minimum number of limbs to keep.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ *                 (this can only happen when resizing up).
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs );
+
+/**
+ * \brief          Make a copy of an MPI.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param Y        The source MPI. This must point to an initialized MPI.
+ *
+ * \note           The limb-buffer in the destination MPI is enlarged
+ *                 if necessary to hold the value in the source MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Swap the contents of two MPIs.
+ *
+ * \param X        The first MPI. It must be initialized.
+ * \param Y        The second MPI. It must be initialized.
+ */
+void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y );
+
+/**
+ * \brief          Perform a safe conditional copy of MPI which doesn't
+ *                 reveal whether the condition was true or not.
+ *
+ * \param X        The MPI to conditionally assign to. This must point
+ *                 to an initialized MPI.
+ * \param Y        The MPI to be assigned from. This must point to an
+ *                 initialized MPI.
+ * \param assign   The condition deciding whether to perform the
+ *                 assignment or not. Possible values:
+ *                 * \c 1: Perform the assignment `X = Y`.
+ *                 * \c 0: Keep the original value of \p X.
+ *
+ * \note           This function is equivalent to
+ *                      `if( assign ) mbedtls_mpi_copy( X, Y );`
+ *                 except that it avoids leaking any information about whether
+ *                 the assignment was done or not (the above code may leak
+ *                 information through branch prediction and/or memory access
+ *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign );
+
+/**
+ * \brief          Perform a safe conditional swap which doesn't
+ *                 reveal whether the condition was true or not.
+ *
+ * \param X        The first MPI. This must be initialized.
+ * \param Y        The second MPI. This must be initialized.
+ * \param assign   The condition deciding whether to perform
+ *                 the swap or not. Possible values:
+ *                 * \c 1: Swap the values of \p X and \p Y.
+ *                 * \c 0: Keep the original values of \p X and \p Y.
+ *
+ * \note           This function is equivalent to
+ *                      if( assign ) mbedtls_mpi_swap( X, Y );
+ *                 except that it avoids leaking any information about whether
+ *                 the assignment was done or not (the above code may leak
+ *                 information through branch prediction and/or memory access
+ *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ *
+ */
+int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign );
+
+/**
+ * \brief          Store integer value in MPI.
+ *
+ * \param X        The MPI to set. This must be initialized.
+ * \param z        The value to use.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z );
+
+/**
+ * \brief          Get a specific bit from an MPI.
+ *
+ * \param X        The MPI to query. This must be initialized.
+ * \param pos      Zero-based index of the bit to query.
+ *
+ * \return         \c 0 or \c 1 on success, depending on whether bit \c pos
+ *                 of \c X is unset or set.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos );
+
+/**
+ * \brief          Modify a specific bit in an MPI.
+ *
+ * \note           This function will grow the target MPI if necessary to set a
+ *                 bit to \c 1 in a not yet existing limb. It will not grow if
+ *                 the bit should be set to \c 0.
+ *
+ * \param X        The MPI to modify. This must be initialized.
+ * \param pos      Zero-based index of the bit to modify.
+ * \param val      The desired value of bit \c pos: \c 0 or \c 1.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val );
+
+/**
+ * \brief          Return the number of bits of value \c 0 before the
+ *                 least significant bit of value \c 1.
+ *
+ * \note           This is the same as the zero-based index of
+ *                 the least significant bit of value \c 1.
+ *
+ * \param X        The MPI to query.
+ *
+ * \return         The number of bits of value \c 0 before the least significant
+ *                 bit of value \c 1 in \p X.
+ */
+size_t mbedtls_mpi_lsb( const mbedtls_mpi *X );
+
+/**
+ * \brief          Return the number of bits up to and including the most
+ *                 significant bit of value \c 1.
+ *
+ * * \note         This is same as the one-based index of the most
+ *                 significant bit of value \c 1.
+ *
+ * \param X        The MPI to query. This must point to an initialized MPI.
+ *
+ * \return         The number of bits up to and including the most
+ *                 significant bit of value \c 1.
+ */
+size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X );
+
+/**
+ * \brief          Return the total size of an MPI value in bytes.
+ *
+ * \param X        The MPI to use. This must point to an initialized MPI.
+ *
+ * \note           The value returned by this function may be less than
+ *                 the number of bytes used to store \p X internally.
+ *                 This happens if and only if there are trailing bytes
+ *                 of value zero.
+ *
+ * \return         The least number of bytes capable of storing
+ *                 the absolute value of \p X.
+ */
+size_t mbedtls_mpi_size( const mbedtls_mpi *X );
+
+/**
+ * \brief          Import an MPI from an ASCII string.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the input string.
+ * \param s        Null-terminated string buffer.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s );
+
+/**
+ * \brief          Export an MPI to an ASCII string.
+ *
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the output string.
+ * \param buf      The buffer to write the string to. This must be writable
+ *                 buffer of length \p buflen Bytes.
+ * \param buflen   The available size in Bytes of \p buf.
+ * \param olen     The address at which to store the length of the string
+ *                 written, including the  final \c NULL byte. This must
+ *                 not be \c NULL.
+ *
+ * \note           You can call this function with `buflen == 0` to obtain the
+ *                 minimum required buffer size in `*olen`.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf
+ *                 is too small to hold the value of \p X in the desired base.
+ *                 In this case, `*olen` is nonetheless updated to contain the
+ *                 size of \p buf required for a successful call.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
+                              char *buf, size_t buflen, size_t *olen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Read an MPI from a line in an opened file.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the string representation used
+ *                 in the source line.
+ * \param fin      The input file handle to use. This must not be \c NULL.
+ *
+ * \note           On success, this function advances the file stream
+ *                 to the end of the current line or to EOF.
+ *
+ *                 The function returns \c 0 on an empty line.
+ *
+ *                 Leading whitespaces are ignored, as is a
+ *                 '0x' prefix for radix \c 16.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer
+ *                 is too small.
+ * \return         Another negative error code on failure.
+ */
+int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin );
+
+/**
+ * \brief          Export an MPI into an opened file.
+ *
+ * \param p        A string prefix to emit prior to the MPI data.
+ *                 For example, this might be a label, or "0x" when
+ *                 printing in base \c 16. This may be \c NULL if no prefix
+ *                 is needed.
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base to be used in the emitted string.
+ * \param fout     The output file handle. This may be \c NULL, in which case
+ *                 the output is written to \c stdout.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X,
+                            int radix, FILE *fout );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Import an MPI from unsigned big endian binary data.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param buf      The input buffer. This must be a readable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The length of the input buffer \p p in Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf,
+                             size_t buflen );
+
+/**
+ * \brief          Export an MPI into unsigned big endian binary data
+ *                 of fixed size.
+ *
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param buf      The output buffer. This must be a writable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The size of the output buffer \p buf in Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ *                 large enough to hold the value of \p X.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf,
+                              size_t buflen );
+
+/**
+ * \brief          Perform a left-shift on an MPI: X <<= count
+ *
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count );
+
+/**
+ * \brief          Perform a right-shift on an MPI: X >>= count
+ *
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count );
+
+/**
+ * \brief          Compare the absolute values of two MPIs.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
+ *
+ * \return         \c 1 if `|X|` is greater than `|Y|`.
+ * \return         \c -1 if `|X|` is lesser than `|Y|`.
+ * \return         \c 0 if `|X|` is equal to `|Y|`.
+ */
+int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Compare two MPIs.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
+ *
+ * \return         \c 1 if \p X is greater than \p Y.
+ * \return         \c -1 if \p X is lesser than \p Y.
+ * \return         \c 0 if \p X is equal to \p Y.
+ */
+int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Check if an MPI is less than the other in constant time.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as Y.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as X.
+ * \param ret      The result of the comparison:
+ *                 \c 1 if \p X is less than \p Y.
+ *                 \c 0 if \p X is greater than or equal to \p Y.
+ *
+ * \return         0 on success.
+ * \return         MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the allocated length of
+ *                 the two input MPIs is not the same.
+ */
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
+        unsigned *ret );
+
+/**
+ * \brief          Compare an MPI with an integer.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param z        The integer value to compare \p X to.
+ *
+ * \return         \c 1 if \p X is greater than \p z.
+ * \return         \c -1 if \p X is lesser than \p z.
+ * \return         \c 0 if \p X is equal to \p z.
+ */
+int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z );
+
+/**
+ * \brief          Perform an unsigned addition of MPIs: X = |A| + |B|
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform an unsigned subtraction of MPIs: X = |A| - |B|
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a signed addition of MPIs: X = A + B
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a signed subtraction of MPIs: X = A - B
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a signed addition of an MPI and an integer: X = A + b
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param b        The second summand.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a signed subtraction of an MPI and an integer:
+ *                 X = A - b
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param b        The subtrahend.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a multiplication of two MPIs: X = A * B
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param B        The second factor. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a multiplication of an MPI with an unsigned integer:
+ *                 X = A * b
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param b        The second factor.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_uint b );
+
+/**
+ * \brief          Perform a division with remainder of two MPIs:
+ *                 A = Q * B + R
+ *
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param B        The divisor. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a division with remainder of an MPI by an integer:
+ *                 A = Q * b + R
+ *
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param b        The divisor.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a modular reduction. R = A mod B
+ *
+ * \param R        The destination MPI for the residue value.
+ *                 This must point to an initialized MPI.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPI.
+ * \param B        The base of the modular reduction.
+ *                 This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a modular reduction with respect to an integer.
+ *                 r = A mod b
+ *
+ * \param r        The address at which to store the residue.
+ *                 This must not be \c NULL.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPi.
+ * \param b        The integer base of the modular reduction.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a sliding-window exponentiation: X = A^E mod N
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The base of the exponentiation.
+ *                 This must point to an initialized MPI.
+ * \param E        The exponent MPI. This must point to an initialized MPI.
+ * \param N        The base for the modular reduction. This must point to an
+ *                 initialized MPI.
+ * \param _RR      A helper MPI depending solely on \p N which can be used to
+ *                 speed-up multiple modular exponentiations for the same value
+ *                 of \p N. This may be \c NULL. If it is not \c NULL, it must
+ *                 point to an initialized MPI. If it hasn't been used after
+ *                 the call to mbedtls_mpi_init(), this function will compute
+ *                 the helper value and store it in \p _RR for reuse on
+ *                 subsequent calls to this function. Otherwise, the function
+ *                 will assume that \p _RR holds the helper value set by a
+ *                 previous call to mbedtls_mpi_exp_mod(), and reuse it.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ *                 even, or if \c E is negative.
+ * \return         Another negative error code on different kinds of failures.
+ *
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR );
+
+/**
+ * \brief          Fill an MPI with a number of random bytes.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param size     The number of random bytes to generate.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on failure.
+ *
+ * \note           The bytes obtained from the RNG are interpreted
+ *                 as a big-endian representation of an MPI; this can
+ *                 be relevant in applications like deterministic ECDSA.
+ */
+int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          Compute the greatest common divisor: G = gcd(A, B)
+ *
+ * \param G        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first operand. This must point to an initialized MPI.
+ * \param B        The second operand. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A,
+                     const mbedtls_mpi *B );
+
+/**
+ * \brief          Compute the modular inverse: X = A^-1 mod N
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The MPI to calculate the modular inverse of. This must point
+ *                 to an initialized MPI.
+ * \param N        The base of the modular inversion. This must point to an
+ *                 initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than
+ *                 or equal to one.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse
+ *                 with respect to \p N.
+ */
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *N );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Perform a Miller-Rabin primality test with error
+ *                 probability of 2<sup>-80</sup>.
+ *
+ * \deprecated     Superseded by mbedtls_mpi_is_prime_ext() which allows
+ *                 specifying the number of Miller-Rabin rounds.
+ *
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use a
+ *                 context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
+ */
+MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                          int (*f_rng)(void *, unsigned char *, size_t),
+                          void *p_rng );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Miller-Rabin primality test.
+ *
+ * \warning        If \p X is potentially generated by an adversary, for example
+ *                 when validating cryptographic parameters that you didn't
+ *                 generate yourself and that are supposed to be prime, then
+ *                 \p rounds should be at least the half of the security
+ *                 strength of the cryptographic algorithm. On the other hand,
+ *                 if \p X is chosen uniformly or non-adversially (as is the
+ *                 case when mbedtls_mpi_gen_prime calls this function), then
+ *                 \p rounds can be much lower.
+ *
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param rounds   The number of bases to perform the Miller-Rabin primality
+ *                 test for. The probability of returning 0 on a composite is
+ *                 at most 2<sup>-2*\p rounds</sup>.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng );
+/**
+ * \brief Flags for mbedtls_mpi_gen_prime()
+ *
+ * Each of these flags is a constraint on the result X returned by
+ * mbedtls_mpi_gen_prime().
+ */
+typedef enum {
+    MBEDTLS_MPI_GEN_PRIME_FLAG_DH =      0x0001, /**< (X-1)/2 is prime too */
+    MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
+} mbedtls_mpi_gen_prime_flag_t;
+
+/**
+ * \brief          Generate a prime number.
+ *
+ * \param X        The destination MPI to store the generated prime in.
+ *                 This must point to an initialized MPi.
+ * \param nbits    The required size of the destination MPI in bits.
+ *                 This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ * \param flags    A mask of flags of type #mbedtls_mpi_gen_prime_flag_t.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
+ *
+ * \return         \c 0 if successful, in which case \p X holds a
+ *                 probably prime number.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between
+ *                 \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
+                   int (*f_rng)(void *, unsigned char *, size_t),
+                   void *p_rng );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_mpi_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* bignum.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/blowfish.h b/ctrtool/deps/libmbedtls/include/mbedtls/blowfish.h
new file mode 100644
index 00000000..f01573dc
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/blowfish.h
@@ -0,0 +1,287 @@
+/**
+ * \file blowfish.h
+ *
+ * \brief Blowfish block cipher
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_BLOWFISH_H
+#define MBEDTLS_BLOWFISH_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "platform_util.h"
+
+#define MBEDTLS_BLOWFISH_ENCRYPT     1
+#define MBEDTLS_BLOWFISH_DECRYPT     0
+#define MBEDTLS_BLOWFISH_MAX_KEY_BITS     448
+#define MBEDTLS_BLOWFISH_MIN_KEY_BITS     32
+#define MBEDTLS_BLOWFISH_ROUNDS      16         /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
+#define MBEDTLS_BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0016 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016 /**< Bad input data. */
+
+#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017  /**< Blowfish hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_BLOWFISH_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          Blowfish context structure
+ */
+typedef struct mbedtls_blowfish_context
+{
+    uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2];    /*!<  Blowfish round keys    */
+    uint32_t S[4][256];                 /*!<  key dependent S-boxes  */
+}
+mbedtls_blowfish_context;
+
+#else  /* MBEDTLS_BLOWFISH_ALT */
+#include "blowfish_alt.h"
+#endif /* MBEDTLS_BLOWFISH_ALT */
+
+/**
+ * \brief          Initialize a Blowfish context.
+ *
+ * \param ctx      The Blowfish context to be initialized.
+ *                 This must not be \c NULL.
+ */
+void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx );
+
+/**
+ * \brief          Clear a Blowfish context.
+ *
+ * \param ctx      The Blowfish context to be cleared.
+ *                 This may be \c NULL, in which case this function
+ *                 returns immediately. If it is not \c NULL, it must
+ *                 point to an initialized Blowfish context.
+ */
+void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx );
+
+/**
+ * \brief          Perform a Blowfish key schedule operation.
+ *
+ * \param ctx      The Blowfish context to perform the key schedule on.
+ * \param key      The encryption key. This must be a readable buffer of
+ *                 length \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be between
+ *                 \c 32 and \c 448 and a multiple of \c 8.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
+                     unsigned int keybits );
+
+/**
+ * \brief          Perform a Blowfish-ECB block encryption/decryption operation.
+ *
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 8 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 8 Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
+                        int mode,
+                        const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          Perform a Blowfish-CBC buffer encryption/decryption operation.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be
+ *                 multiple of \c 8.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 8 Bytes. It is updated by this function.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
+                        int mode,
+                        size_t length,
+                        unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        const unsigned char *input,
+                        unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief          Perform a Blowfish CFB buffer encryption/decryption operation.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes.
+ * \param iv_off   The offset in the initialiation vector.
+ *                 The value pointed to must be smaller than \c 8 Bytes.
+ *                 It is updated by this function to support the aforementioned
+ *                 streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of size \c 8 Bytes. It is updated after use.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
+                          int mode,
+                          size_t length,
+                          size_t *iv_off,
+                          unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                          const unsigned char *input,
+                          unsigned char *output );
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      Perform a Blowfish-CTR buffer encryption/decryption operation.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**64
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 4 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 4 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**32 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that a Blowfish block is 8 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx           The Blowfish context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data in Bytes.
+ * \param nc_off        The offset in the current stream_block (for resuming
+ *                      within current cipher stream). The offset pointer
+ *                      should be \c 0 at the start of a stream and must be
+ *                      smaller than \c 8. It is updated by this function.
+ * \param nonce_counter The 64-bit nonce and counter. This must point to a
+ *                      read/write buffer of length \c 8 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must point to
+ *                      a read/write buffer of length \c 8 Bytes.
+ * \param input         The input data. This must be a readable buffer of
+ *                      length \p length Bytes.
+ * \param output        The output data. This must be a writable buffer of
+ *                      length \p length Bytes.
+ *
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
+                        size_t length,
+                        size_t *nc_off,
+                        unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        const unsigned char *input,
+                        unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* blowfish.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/bn_mul.h b/ctrtool/deps/libmbedtls/include/mbedtls/bn_mul.h
new file mode 100644
index 00000000..748975ea
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/bn_mul.h
@@ -0,0 +1,916 @@
+/**
+ * \file bn_mul.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *      Multiply source vector [s] with b, add result
+ *       to destination vector [d] and set carry c.
+ *
+ *      Currently supports:
+ *
+ *         . IA-32 (386+)         . AMD64 / EM64T
+ *         . IA-32 (SSE2)         . Motorola 68000
+ *         . PowerPC, 32-bit      . MicroBlaze
+ *         . PowerPC, 64-bit      . TriCore
+ *         . SPARC v8             . ARM v3+
+ *         . Alpha                . MIPS32
+ *         . C, longlong          . C, generic
+ */
+#ifndef MBEDTLS_BN_MUL_H
+#define MBEDTLS_BN_MUL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+#if defined(MBEDTLS_HAVE_ASM)
+
+#ifndef asm
+#define asm __asm
+#endif
+
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
+
+/*
+ * Disable use of the i386 assembly code below if option -O0, to disable all
+ * compiler optimisations, is passed, detected with __OPTIMIZE__
+ * This is done as the number of registers used in the assembly code doesn't
+ * work with the -O0 option.
+ */
+#if defined(__i386__) && defined(__OPTIMIZE__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "movl   %%ebx, %0           \n\t"   \
+        "movl   %5, %%esi           \n\t"   \
+        "movl   %6, %%edi           \n\t"   \
+        "movl   %7, %%ecx           \n\t"   \
+        "movl   %8, %%ebx           \n\t"
+
+#define MULADDC_CORE                        \
+        "lodsl                      \n\t"   \
+        "mull   %%ebx               \n\t"   \
+        "addl   %%ecx,   %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "addl   (%%edi), %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "movl   %%edx,   %%ecx      \n\t"   \
+        "stosl                      \n\t"
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define MULADDC_HUIT                            \
+        "movd     %%ecx,     %%mm1      \n\t"   \
+        "movd     %%ebx,     %%mm0      \n\t"   \
+        "movd     (%%edi),   %%mm3      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     (%%esi),   %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "movd     4(%%esi),  %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "movd     8(%%esi),  %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     12(%%esi), %%mm7      \n\t"   \
+        "pmuludq  %%mm0,     %%mm7      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     4(%%edi),  %%mm3      \n\t"   \
+        "paddq    %%mm4,     %%mm3      \n\t"   \
+        "movd     8(%%edi),  %%mm5      \n\t"   \
+        "paddq    %%mm6,     %%mm5      \n\t"   \
+        "movd     12(%%edi), %%mm4      \n\t"   \
+        "paddq    %%mm4,     %%mm7      \n\t"   \
+        "movd     %%mm1,     (%%edi)    \n\t"   \
+        "movd     16(%%esi), %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     20(%%esi), %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     24(%%esi), %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     %%mm1,     4(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     28(%%esi), %%mm3      \n\t"   \
+        "pmuludq  %%mm0,     %%mm3      \n\t"   \
+        "paddq    %%mm5,     %%mm1      \n\t"   \
+        "movd     16(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm2      \n\t"   \
+        "movd     %%mm1,     8(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm7,     %%mm1      \n\t"   \
+        "movd     20(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm4      \n\t"   \
+        "movd     %%mm1,     12(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     24(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm6      \n\t"   \
+        "movd     %%mm1,     16(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm4,     %%mm1      \n\t"   \
+        "movd     28(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm3      \n\t"   \
+        "movd     %%mm1,     20(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm6,     %%mm1      \n\t"   \
+        "movd     %%mm1,     24(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     %%mm1,     28(%%edi)  \n\t"   \
+        "addl     $32,       %%edi      \n\t"   \
+        "addl     $32,       %%esi      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     %%mm1,     %%ecx      \n\t"
+
+#define MULADDC_STOP                    \
+        "emms                   \n\t"   \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
+
+#else
+
+#define MULADDC_STOP                    \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
+#endif /* SSE2 */
+#endif /* i386 */
+
+#if defined(__amd64__) || defined (__x86_64__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "xorq   %%r8, %%r8\n"
+
+#define MULADDC_CORE                        \
+        "movq   (%%rsi), %%rax\n"           \
+        "mulq   %%rbx\n"                    \
+        "addq   $8, %%rsi\n"                \
+        "addq   %%rcx, %%rax\n"             \
+        "movq   %%r8, %%rcx\n"              \
+        "adcq   $0, %%rdx\n"                \
+        "nop    \n"                         \
+        "addq   %%rax, (%%rdi)\n"           \
+        "adcq   %%rdx, %%rcx\n"             \
+        "addq   $8, %%rdi\n"
+
+#define MULADDC_STOP                        \
+        : "+c" (c), "+D" (d), "+S" (s)      \
+        : "b" (b)                           \
+        : "rax", "rdx", "r8"                \
+    );
+
+#endif /* AMD64 */
+
+#if defined(__mc68020__) || defined(__mcpu32__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "movl   %3, %%a2        \n\t"   \
+        "movl   %4, %%a3        \n\t"   \
+        "movl   %5, %%d3        \n\t"   \
+        "movl   %6, %%d2        \n\t"   \
+        "moveq  #0, %%d0        \n\t"
+
+#define MULADDC_CORE                    \
+        "movel  %%a2@+, %%d1    \n\t"   \
+        "mulul  %%d2, %%d4:%%d1 \n\t"   \
+        "addl   %%d3, %%d1      \n\t"   \
+        "addxl  %%d0, %%d4      \n\t"   \
+        "moveq  #0,   %%d3      \n\t"   \
+        "addl   %%d1, %%a3@+    \n\t"   \
+        "addxl  %%d4, %%d3      \n\t"
+
+#define MULADDC_STOP                    \
+        "movl   %%d3, %0        \n\t"   \
+        "movl   %%a3, %1        \n\t"   \
+        "movl   %%a2, %2        \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "d0", "d1", "d2", "d3", "d4", "a2", "a3"  \
+    );
+
+#define MULADDC_HUIT                        \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"
+
+#endif /* MC68000 */
+
+#if defined(__powerpc64__) || defined(__ppc64__)
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "ld     r3, %3              \n\t"   \
+        "ld     r4, %4              \n\t"   \
+        "ld     r5, %5              \n\t"   \
+        "ld     r6, %6              \n\t"   \
+        "addi   r3, r3, -8          \n\t"   \
+        "addi   r4, r4, -8          \n\t"   \
+        "addic  r5, r5,  0          \n\t"
+
+#define MULADDC_CORE                        \
+        "ldu    r7, 8(r3)           \n\t"   \
+        "mulld  r8, r7, r6          \n\t"   \
+        "mulhdu r9, r7, r6          \n\t"   \
+        "adde   r8, r8, r5          \n\t"   \
+        "ld     r7, 8(r4)           \n\t"   \
+        "addze  r5, r9              \n\t"   \
+        "addc   r8, r8, r7          \n\t"   \
+        "stdu   r8, 8(r4)           \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  r5, r5              \n\t"   \
+        "addi   r4, r4, 8           \n\t"   \
+        "addi   r3, r3, 8           \n\t"   \
+        "std    r5, %0              \n\t"   \
+        "std    r4, %1              \n\t"   \
+        "std    r3, %2              \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "ld     %%r3, %3            \n\t"   \
+        "ld     %%r4, %4            \n\t"   \
+        "ld     %%r5, %5            \n\t"   \
+        "ld     %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -8      \n\t"   \
+        "addi   %%r4, %%r4, -8      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
+
+#define MULADDC_CORE                        \
+        "ldu    %%r7, 8(%%r3)       \n\t"   \
+        "mulld  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhdu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "ld     %%r7, 8(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stdu   %%r8, 8(%%r4)       \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 8       \n\t"   \
+        "addi   %%r3, %%r3, 8       \n\t"   \
+        "std    %%r5, %0            \n\t"   \
+        "std    %%r4, %1            \n\t"   \
+        "std    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#elif defined(__powerpc__) || defined(__ppc__) /* end PPC64/begin PPC32  */
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lwz    r3, %3          \n\t"   \
+        "lwz    r4, %4          \n\t"   \
+        "lwz    r5, %5          \n\t"   \
+        "lwz    r6, %6          \n\t"   \
+        "addi   r3, r3, -4      \n\t"   \
+        "addi   r4, r4, -4      \n\t"   \
+        "addic  r5, r5,  0      \n\t"
+
+#define MULADDC_CORE                    \
+        "lwzu   r7, 4(r3)       \n\t"   \
+        "mullw  r8, r7, r6      \n\t"   \
+        "mulhwu r9, r7, r6      \n\t"   \
+        "adde   r8, r8, r5      \n\t"   \
+        "lwz    r7, 4(r4)       \n\t"   \
+        "addze  r5, r9          \n\t"   \
+        "addc   r8, r8, r7      \n\t"   \
+        "stwu   r8, 4(r4)       \n\t"
+
+#define MULADDC_STOP                    \
+        "addze  r5, r5          \n\t"   \
+        "addi   r4, r4, 4       \n\t"   \
+        "addi   r3, r3, 4       \n\t"   \
+        "stw    r5, %0          \n\t"   \
+        "stw    r4, %1          \n\t"   \
+        "stw    r3, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "lwz    %%r3, %3            \n\t"   \
+        "lwz    %%r4, %4            \n\t"   \
+        "lwz    %%r5, %5            \n\t"   \
+        "lwz    %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -4      \n\t"   \
+        "addi   %%r4, %%r4, -4      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
+
+#define MULADDC_CORE                        \
+        "lwzu   %%r7, 4(%%r3)       \n\t"   \
+        "mullw  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhwu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "lwz    %%r7, 4(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stwu   %%r8, 4(%%r4)       \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 4       \n\t"   \
+        "addi   %%r3, %%r3, 4       \n\t"   \
+        "stw    %%r5, %0            \n\t"   \
+        "stw    %%r4, %1            \n\t"   \
+        "stw    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#endif /* PPC32 */
+
+/*
+ * The Sparc(64) assembly is reported to be broken.
+ * Disable it for now, until we're able to fix it.
+ */
+#if 0 && defined(__sparc__)
+#if defined(__sparc64__)
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+                "ldx     %3, %%o0               \n\t"   \
+                "ldx     %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
+
+#define MULADDC_CORE                                    \
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
+
+        #define MULADDC_STOP                            \
+                "st      %%o2, %0               \n\t"   \
+                "stx     %%o1, %1               \n\t"   \
+                "stx     %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
+
+#else /* __sparc64__ */
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+                "ld      %3, %%o0               \n\t"   \
+                "ld      %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
+
+#define MULADDC_CORE                                    \
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
+
+#define MULADDC_STOP                                    \
+                "st      %%o2, %0               \n\t"   \
+                "st      %%o1, %1               \n\t"   \
+                "st      %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
+
+#endif /* __sparc64__ */
+#endif /* __sparc__ */
+
+#if defined(__microblaze__) || defined(microblaze)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lwi   r3,   %3         \n\t"   \
+        "lwi   r4,   %4         \n\t"   \
+        "lwi   r5,   %5         \n\t"   \
+        "lwi   r6,   %6         \n\t"   \
+        "andi  r7,   r6, 0xffff \n\t"   \
+        "bsrli r6,   r6, 16     \n\t"
+
+#define MULADDC_CORE                    \
+        "lhui  r8,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "lhui  r9,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "mul   r10,  r9,  r6    \n\t"   \
+        "mul   r11,  r8,  r7    \n\t"   \
+        "mul   r12,  r9,  r7    \n\t"   \
+        "mul   r13,  r8,  r6    \n\t"   \
+        "bsrli  r8, r10,  16    \n\t"   \
+        "bsrli  r9, r11,  16    \n\t"   \
+        "add   r13, r13,  r8    \n\t"   \
+        "add   r13, r13,  r9    \n\t"   \
+        "bslli r10, r10,  16    \n\t"   \
+        "bslli r11, r11,  16    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12, r11    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "lwi   r10,  r4,   0    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12,  r5    \n\t"   \
+        "addc   r5, r13,  r0    \n\t"   \
+        "swi   r12,  r4,   0    \n\t"   \
+        "addi   r4,  r4,   4    \n\t"
+
+#define MULADDC_STOP                    \
+        "swi   r5,   %0         \n\t"   \
+        "swi   r4,   %1         \n\t"   \
+        "swi   r3,   %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8",       \
+          "r9", "r10", "r11", "r12", "r13"          \
+    );
+
+#endif /* MicroBlaze */
+
+#if defined(__tricore__)
+
+#define MULADDC_INIT                            \
+    asm(                                        \
+        "ld.a   %%a2, %3                \n\t"   \
+        "ld.a   %%a3, %4                \n\t"   \
+        "ld.w   %%d4, %5                \n\t"   \
+        "ld.w   %%d1, %6                \n\t"   \
+        "xor    %%d5, %%d5              \n\t"
+
+#define MULADDC_CORE                            \
+        "ld.w   %%d0,   [%%a2+]         \n\t"   \
+        "madd.u %%e2, %%e4, %%d0, %%d1  \n\t"   \
+        "ld.w   %%d0,   [%%a3]          \n\t"   \
+        "addx   %%d2,    %%d2,  %%d0    \n\t"   \
+        "addc   %%d3,    %%d3,    0     \n\t"   \
+        "mov    %%d4,    %%d3           \n\t"   \
+        "st.w  [%%a3+],  %%d2           \n\t"
+
+#define MULADDC_STOP                            \
+        "st.w   %0, %%d4                \n\t"   \
+        "st.a   %1, %%a3                \n\t"   \
+        "st.a   %2, %%a2                \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "d0", "d1", "e2", "d4", "a2", "a3"    \
+    );
+
+#endif /* TriCore */
+
+/*
+ * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * our use of r7 below, unless -fomit-frame-pointer is passed.
+ *
+ * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
+ * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
+ * clang and armcc5 under the same conditions).
+ *
+ * So, only use the optimized assembly below for optimized build, which avoids
+ * the build error and is pretty reasonable anyway.
+ */
+#if defined(__GNUC__) && !defined(__OPTIMIZE__)
+#define MULADDC_CANNOT_USE_R7
+#endif
+
+#if defined(__arm__) && !defined(MULADDC_CANNOT_USE_R7)
+
+#if defined(__thumb__) && !defined(__thumb2__)
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"   \
+            "lsr    r7, r3, #16                 \n\t"   \
+            "mov    r9, r7                      \n\t"   \
+            "lsl    r7, r3, #16                 \n\t"   \
+            "lsr    r7, r7, #16                 \n\t"   \
+            "mov    r8, r7                      \n\t"
+
+#define MULADDC_CORE                                    \
+            "ldmia  r0!, {r6}                   \n\t"   \
+            "lsr    r7, r6, #16                 \n\t"   \
+            "lsl    r6, r6, #16                 \n\t"   \
+            "lsr    r6, r6, #16                 \n\t"   \
+            "mov    r4, r8                      \n\t"   \
+            "mul    r4, r6                      \n\t"   \
+            "mov    r3, r9                      \n\t"   \
+            "mul    r6, r3                      \n\t"   \
+            "mov    r5, r9                      \n\t"   \
+            "mul    r5, r7                      \n\t"   \
+            "mov    r3, r8                      \n\t"   \
+            "mul    r7, r3                      \n\t"   \
+            "lsr    r3, r6, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "lsr    r3, r7, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "add    r4, r4, r2                  \n\t"   \
+            "mov    r2, #0                      \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r6, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r7, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "ldr    r3, [r1]                    \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r2, r5                      \n\t"   \
+            "stmia  r1!, {r4}                   \n\t"
+
+#define MULADDC_STOP                                    \
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "r8", "r9", "cc"         \
+         );
+
+#elif (__ARM_ARCH >= 6) && \
+    defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+
+#define MULADDC_INIT                            \
+    asm(
+
+#define MULADDC_CORE                            \
+            "ldr    r0, [%0], #4        \n\t"   \
+            "ldr    r1, [%1]            \n\t"   \
+            "umaal  r1, %2, %3, r0      \n\t"   \
+            "str    r1, [%1], #4        \n\t"
+
+#define MULADDC_STOP                            \
+         : "=r" (s),  "=r" (d), "=r" (c)        \
+         : "r" (b), "0" (s), "1" (d), "2" (c)   \
+         : "r0", "r1", "memory"                 \
+         );
+
+#else
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"
+
+#define MULADDC_CORE                                    \
+            "ldr    r4, [r0], #4                \n\t"   \
+            "mov    r5, #0                      \n\t"   \
+            "ldr    r6, [r1]                    \n\t"   \
+            "umlal  r2, r5, r3, r4              \n\t"   \
+            "adds   r7, r6, r2                  \n\t"   \
+            "adc    r2, r5, #0                  \n\t"   \
+            "str    r7, [r1], #4                \n\t"
+
+#define MULADDC_STOP                                    \
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "cc"                     \
+         );
+
+#endif /* Thumb */
+
+#endif /* ARMv3 */
+
+#if defined(__alpha__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "ldq    $1, %3          \n\t"   \
+        "ldq    $2, %4          \n\t"   \
+        "ldq    $3, %5          \n\t"   \
+        "ldq    $4, %6          \n\t"
+
+#define MULADDC_CORE                    \
+        "ldq    $6,  0($1)      \n\t"   \
+        "addq   $1,  8, $1      \n\t"   \
+        "mulq   $6, $4, $7      \n\t"   \
+        "umulh  $6, $4, $6      \n\t"   \
+        "addq   $7, $3, $7      \n\t"   \
+        "cmpult $7, $3, $3      \n\t"   \
+        "ldq    $5,  0($2)      \n\t"   \
+        "addq   $7, $5, $7      \n\t"   \
+        "cmpult $7, $5, $5      \n\t"   \
+        "stq    $7,  0($2)      \n\t"   \
+        "addq   $2,  8, $2      \n\t"   \
+        "addq   $6, $3, $3      \n\t"   \
+        "addq   $5, $3, $3      \n\t"
+
+#define MULADDC_STOP                                    \
+        "stq    $3, %0          \n\t"   \
+        "stq    $2, %1          \n\t"   \
+        "stq    $1, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "$1", "$2", "$3", "$4", "$5", "$6", "$7"  \
+    );
+#endif /* Alpha */
+
+#if defined(__mips__) && !defined(__mips64)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lw     $10, %3         \n\t"   \
+        "lw     $11, %4         \n\t"   \
+        "lw     $12, %5         \n\t"   \
+        "lw     $13, %6         \n\t"
+
+#define MULADDC_CORE                    \
+        "lw     $14, 0($10)     \n\t"   \
+        "multu  $13, $14        \n\t"   \
+        "addi   $10, $10, 4     \n\t"   \
+        "mflo   $14             \n\t"   \
+        "mfhi   $9              \n\t"   \
+        "addu   $14, $12, $14   \n\t"   \
+        "lw     $15, 0($11)     \n\t"   \
+        "sltu   $12, $14, $12   \n\t"   \
+        "addu   $15, $14, $15   \n\t"   \
+        "sltu   $14, $15, $14   \n\t"   \
+        "addu   $12, $12, $9    \n\t"   \
+        "sw     $15, 0($11)     \n\t"   \
+        "addu   $12, $12, $14   \n\t"   \
+        "addi   $11, $11, 4     \n\t"
+
+#define MULADDC_STOP                    \
+        "sw     $12, %0         \n\t"   \
+        "sw     $11, %1         \n\t"   \
+        "sw     $10, %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)                      \
+        : "m" (s), "m" (d), "m" (c), "m" (b)                \
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
+    );
+
+#endif /* MIPS */
+#endif /* GNUC */
+
+#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
+
+#define MULADDC_INIT                            \
+    __asm   mov     esi, s                      \
+    __asm   mov     edi, d                      \
+    __asm   mov     ecx, c                      \
+    __asm   mov     ebx, b
+
+#define MULADDC_CORE                            \
+    __asm   lodsd                               \
+    __asm   mul     ebx                         \
+    __asm   add     eax, ecx                    \
+    __asm   adc     edx, 0                      \
+    __asm   add     eax, [edi]                  \
+    __asm   adc     edx, 0                      \
+    __asm   mov     ecx, edx                    \
+    __asm   stosd
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define EMIT __asm _emit
+
+#define MULADDC_HUIT                            \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0xC9             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0xC3             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x1F             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x16             \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x7E  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF8             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x5F  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xDC             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xEE             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x67  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xFC             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x0F             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x56  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x5E  EMIT 0x1C  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD8             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCD             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xD5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCF             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xE5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xF5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCC             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x1C  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xDD             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCE             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x1C  \
+    EMIT 0x83  EMIT 0xC7  EMIT 0x20             \
+    EMIT 0x83  EMIT 0xC6  EMIT 0x20             \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0xC9
+
+#define MULADDC_STOP                            \
+    EMIT 0x0F  EMIT 0x77                        \
+    __asm   mov     c, ecx                      \
+    __asm   mov     d, edi                      \
+    __asm   mov     s, esi                      \
+
+#else
+
+#define MULADDC_STOP                            \
+    __asm   mov     c, ecx                      \
+    __asm   mov     d, edi                      \
+    __asm   mov     s, esi                      \
+
+#endif /* SSE2 */
+#endif /* MSVC */
+
+#endif /* MBEDTLS_HAVE_ASM */
+
+#if !defined(MULADDC_CORE)
+#if defined(MBEDTLS_HAVE_UDBL)
+
+#define MULADDC_INIT                    \
+{                                       \
+    mbedtls_t_udbl r;                           \
+    mbedtls_mpi_uint r0, r1;
+
+#define MULADDC_CORE                    \
+    r   = *(s++) * (mbedtls_t_udbl) b;          \
+    r0  = (mbedtls_mpi_uint) r;                   \
+    r1  = (mbedtls_mpi_uint)( r >> biL );         \
+    r0 += c;  r1 += (r0 <  c);          \
+    r0 += *d; r1 += (r0 < *d);          \
+    c = r1; *(d++) = r0;
+
+#define MULADDC_STOP                    \
+}
+
+#else
+#define MULADDC_INIT                    \
+{                                       \
+    mbedtls_mpi_uint s0, s1, b0, b1;              \
+    mbedtls_mpi_uint r0, r1, rx, ry;              \
+    b0 = ( b << biH ) >> biH;           \
+    b1 = ( b >> biH );
+
+#define MULADDC_CORE                    \
+    s0 = ( *s << biH ) >> biH;          \
+    s1 = ( *s >> biH ); s++;            \
+    rx = s0 * b1; r0 = s0 * b0;         \
+    ry = s1 * b0; r1 = s1 * b1;         \
+    r1 += ( rx >> biH );                \
+    r1 += ( ry >> biH );                \
+    rx <<= biH; ry <<= biH;             \
+    r0 += rx; r1 += (r0 < rx);          \
+    r0 += ry; r1 += (r0 < ry);          \
+    r0 +=  c; r1 += (r0 <  c);          \
+    r0 += *d; r1 += (r0 < *d);          \
+    c = r1; *(d++) = r0;
+
+#define MULADDC_STOP                    \
+}
+
+#endif /* C (generic)  */
+#endif /* C (longlong) */
+
+#endif /* bn_mul.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/camellia.h b/ctrtool/deps/libmbedtls/include/mbedtls/camellia.h
new file mode 100644
index 00000000..3eeb6636
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/camellia.h
@@ -0,0 +1,326 @@
+/**
+ * \file camellia.h
+ *
+ * \brief Camellia block cipher
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CAMELLIA_H
+#define MBEDTLS_CAMELLIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "platform_util.h"
+
+#define MBEDTLS_CAMELLIA_ENCRYPT     1
+#define MBEDTLS_CAMELLIA_DECRYPT     0
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0024 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024 /**< Bad input data. */
+
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027  /**< Camellia hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          CAMELLIA context structure
+ */
+typedef struct mbedtls_camellia_context
+{
+    int nr;                     /*!<  number of rounds  */
+    uint32_t rk[68];            /*!<  CAMELLIA round keys    */
+}
+mbedtls_camellia_context;
+
+#else  /* MBEDTLS_CAMELLIA_ALT */
+#include "camellia_alt.h"
+#endif /* MBEDTLS_CAMELLIA_ALT */
+
+/**
+ * \brief          Initialize a CAMELLIA context.
+ *
+ * \param ctx      The CAMELLIA context to be initialized.
+ *                 This must not be \c NULL.
+ */
+void mbedtls_camellia_init( mbedtls_camellia_context *ctx );
+
+/**
+ * \brief          Clear a CAMELLIA context.
+ *
+ * \param ctx      The CAMELLIA context to be cleared. This may be \c NULL,
+ *                 in which case this function returns immediately. If it is not
+ *                 \c NULL, it must be initialized.
+ */
+void mbedtls_camellia_free( mbedtls_camellia_context *ctx );
+
+/**
+ * \brief          Perform a CAMELLIA key schedule operation for encryption.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The encryption key to use. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits );
+
+/**
+ * \brief          Perform a CAMELLIA key schedule operation for decryption.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits );
+
+/**
+ * \brief          Perform a CAMELLIA-ECB block encryption/decryption operation.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 16 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 16 Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          Perform a CAMELLIA-CBC buffer encryption/decryption operation.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length in Bytes of the input data \p input.
+ *                 This must be a multiple of \c 16 Bytes.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated to allow streaming
+ *                 use as explained above.
+ * \param input    The buffer holding the input data. This must point to a
+ *                 readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must point to a
+ *                 writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief          Perform a CAMELLIA-CFB128 buffer encryption/decryption
+ *                 operation.
+ *
+ * \note           Due to the nature of CFB mode, you should use the same
+ *                 key for both encryption and decryption. In particular, calls
+ *                 to this function should be preceded by a key-schedule via
+ *                 mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *                 is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length of the input data \p input. Any value is allowed.
+ * \param iv_off   The current offset in the IV. This must be smaller
+ *                 than \c 16 Bytes. It is updated after this call to allow
+ *                 the aforementioned streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated after this call to
+ *                 allow the aforementioned streaming usage.
+ * \param input    The buffer holding the input data. This must be a readable
+ *                 buffer of size \p length Bytes.
+ * \param output   The buffer to hold the output data. This must be a writable
+ *                 buffer of length \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      Perform a CAMELLIA-CTR buffer encryption/decryption operation.
+ *
+ * *note       Due to the nature of CTR mode, you should use the same
+ *             key for both encryption and decryption. In particular, calls
+ *             to this function should be preceded by a key-schedule via
+ *             mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *             is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first \c 12 Bytes for the
+ *             per-message nonce, and the last \c 4 Bytes for internal use.
+ *             In that case, before calling this function on a new message you
+ *             need to set the first \c 12 Bytes of \p nonce_counter to your
+ *             chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
+ *             (which will cause \p stream_block to be ignored). That way, you
+ *             can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
+ *             each  with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be
+ *             unique. The recommended way to ensure uniqueness is to use a
+ *             message counter. An alternative is to generate random nonces,
+ *             but this limits the number of messages that can be securely
+ *             encrypted: for example, with 96-bit random nonces, you should
+ *             not encrypt more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that a CAMELLIA block is \c 16 Bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx           The CAMELLIA context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data \p input in Bytes.
+ *                      Any value is allowed.
+ * \param nc_off        The offset in the current \p stream_block (for resuming
+ *                      within current cipher stream). The offset pointer to
+ *                      should be \c 0 at the start of a stream. It is updated
+ *                      at the end of this call.
+ * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
+ *                      buffer of length \c 16 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must be a
+ *                      read/write buffer of length \c 16 Bytes.
+ * \param input         The input data stream. This must be a readable buffer of
+ *                      size \p length Bytes.
+ * \param output        The output data stream. This must be a writable buffer
+ *                      of size \p length Bytes.
+ *
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_camellia_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* camellia.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ccm.h b/ctrtool/deps/libmbedtls/include/mbedtls/ccm.h
new file mode 100644
index 00000000..f03e3b58
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ccm.h
@@ -0,0 +1,310 @@
+/**
+ * \file ccm.h
+ *
+ * \brief This file provides an API for the CCM authenticated encryption
+ *        mode for block ciphers.
+ *
+ * CCM combines Counter mode encryption with CBC-MAC authentication
+ * for 128-bit block ciphers.
+ *
+ * Input to CCM includes the following elements:
+ * <ul><li>Payload - data that is both authenticated and encrypted.</li>
+ * <li>Associated data (Adata) - data that is authenticated but not
+ * encrypted, For example, a header.</li>
+ * <li>Nonce - A unique value that is assigned to the payload and the
+ * associated data.</li></ul>
+ *
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ *
+ * Definition of CCM*:
+ * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
+ * Integer representation is fixed most-significant-octet-first order and
+ * the representation of octets is most-significant-bit-first order. This is
+ * consistent with RFC 3610.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CCM_H
+#define MBEDTLS_CCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
+#define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CCM_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief    The CCM context-type definition. The CCM context is passed
+ *           to the APIs called.
+ */
+typedef struct mbedtls_ccm_context
+{
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+}
+mbedtls_ccm_context;
+
+#else  /* MBEDTLS_CCM_ALT */
+#include "ccm_alt.h"
+#endif /* MBEDTLS_CCM_ALT */
+
+/**
+ * \brief           This function initializes the specified CCM context,
+ *                  to make references valid, and prepare the context
+ *                  for mbedtls_ccm_setkey() or mbedtls_ccm_free().
+ *
+ * \param ctx       The CCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
+
+/**
+ * \brief           This function initializes the CCM context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The CCM context to initialize. This must be an initialized
+ *                  context.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key. This must not be \c NULL.
+ * \param keybits   The key size in bits. This must be acceptable by the cipher.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits );
+
+/**
+ * \brief   This function releases and clears the specified CCM context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The CCM context to clear. If this is \c NULL, the function
+ *                  has no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
+
+/**
+ * \brief           This function encrypts a buffer using CCM.
+ *
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. If \p add_len is greater than
+ *                  zero, \p add must be a readable buffer of at least that
+ *                  length.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than `2^16 - 2^8`.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function encrypts a buffer using CCM*.
+ *
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be encoded into the \p iv passed to
+ *                  this function.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is no
+ *                  longer authenticated.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function performs a CCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer
+ *                  of at least that \p add_len Bytes..
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return          \c 0 on success. This indicates that the message is authentic.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function performs a CCM* authenticated decryption of a
+ *                  buffer.
+ *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be decoded from \p iv and passed to
+ *                  this function as \p tag_len. (\p tag needs to be adjusted
+ *                  accordingly.)
+ *
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least that \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field in Bytes.
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is nos
+ *                  longer authenticated.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len );
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The CCM checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_ccm_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CCM_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/certs.h b/ctrtool/deps/libmbedtls/include/mbedtls/certs.h
new file mode 100644
index 00000000..179ebbba
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/certs.h
@@ -0,0 +1,252 @@
+/**
+ * \file certs.h
+ *
+ * \brief Sample certificates and DHM parameters for testing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CERTS_H
+#define MBEDTLS_CERTS_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* List of all PEM-encoded CA certificates, terminated by NULL;
+ * PEM encoded if MBEDTLS_PEM_PARSE_C is enabled, DER encoded
+ * otherwise. */
+extern const char * mbedtls_test_cas[];
+extern const size_t mbedtls_test_cas_len[];
+
+/* List of all DER-encoded CA certificates, terminated by NULL */
+extern const unsigned char * mbedtls_test_cas_der[];
+extern const size_t mbedtls_test_cas_der_len[];
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/* Concatenation of all CA certificates in PEM format if available */
+extern const char   mbedtls_test_cas_pem[];
+extern const size_t mbedtls_test_cas_pem_len;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+/*
+ * CA test certificates
+ */
+
+extern const char mbedtls_test_ca_crt_ec_pem[];
+extern const char mbedtls_test_ca_key_ec_pem[];
+extern const char mbedtls_test_ca_pwd_ec_pem[];
+extern const char mbedtls_test_ca_key_rsa_pem[];
+extern const char mbedtls_test_ca_pwd_rsa_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_ca_crt_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_rsa_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_ca_crt_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_ec_pem_len;
+extern const size_t mbedtls_test_ca_pwd_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_rsa_pem_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_ca_crt_ec_der_len;
+extern const size_t mbedtls_test_ca_key_ec_der_len;
+extern const size_t mbedtls_test_ca_pwd_ec_der_len;
+extern const size_t mbedtls_test_ca_key_rsa_der_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_ca_crt_ec[];
+extern const char mbedtls_test_ca_key_ec[];
+extern const char mbedtls_test_ca_pwd_ec[];
+extern const char mbedtls_test_ca_key_rsa[];
+extern const char mbedtls_test_ca_pwd_rsa[];
+extern const char mbedtls_test_ca_crt_rsa_sha1[];
+extern const char mbedtls_test_ca_crt_rsa_sha256[];
+
+extern const size_t mbedtls_test_ca_crt_ec_len;
+extern const size_t mbedtls_test_ca_key_ec_len;
+extern const size_t mbedtls_test_ca_pwd_ec_len;
+extern const size_t mbedtls_test_ca_key_rsa_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_ca_crt_rsa[];
+extern const size_t mbedtls_test_ca_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char * mbedtls_test_ca_crt;
+extern const char * mbedtls_test_ca_key;
+extern const char * mbedtls_test_ca_pwd;
+extern const size_t mbedtls_test_ca_crt_len;
+extern const size_t mbedtls_test_ca_key_len;
+extern const size_t mbedtls_test_ca_pwd_len;
+
+/*
+ * Server test certificates
+ */
+
+extern const char mbedtls_test_srv_crt_ec_pem[];
+extern const char mbedtls_test_srv_key_ec_pem[];
+extern const char mbedtls_test_srv_pwd_ec_pem[];
+extern const char mbedtls_test_srv_key_rsa_pem[];
+extern const char mbedtls_test_srv_pwd_rsa_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_srv_crt_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_rsa_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_srv_crt_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_ec_pem_len;
+extern const size_t mbedtls_test_srv_pwd_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_rsa_pem_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_srv_crt_ec_der_len;
+extern const size_t mbedtls_test_srv_key_ec_der_len;
+extern const size_t mbedtls_test_srv_pwd_ec_der_len;
+extern const size_t mbedtls_test_srv_key_rsa_der_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_srv_crt_ec[];
+extern const char mbedtls_test_srv_key_ec[];
+extern const char mbedtls_test_srv_pwd_ec[];
+extern const char mbedtls_test_srv_key_rsa[];
+extern const char mbedtls_test_srv_pwd_rsa[];
+extern const char mbedtls_test_srv_crt_rsa_sha1[];
+extern const char mbedtls_test_srv_crt_rsa_sha256[];
+
+extern const size_t mbedtls_test_srv_crt_ec_len;
+extern const size_t mbedtls_test_srv_key_ec_len;
+extern const size_t mbedtls_test_srv_pwd_ec_len;
+extern const size_t mbedtls_test_srv_key_rsa_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_srv_crt_rsa[];
+extern const size_t mbedtls_test_srv_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char * mbedtls_test_srv_crt;
+extern const char * mbedtls_test_srv_key;
+extern const char * mbedtls_test_srv_pwd;
+extern const size_t mbedtls_test_srv_crt_len;
+extern const size_t mbedtls_test_srv_key_len;
+extern const size_t mbedtls_test_srv_pwd_len;
+
+/*
+ * Client test certificates
+ */
+
+extern const char mbedtls_test_cli_crt_ec_pem[];
+extern const char mbedtls_test_cli_key_ec_pem[];
+extern const char mbedtls_test_cli_pwd_ec_pem[];
+extern const char mbedtls_test_cli_key_rsa_pem[];
+extern const char mbedtls_test_cli_pwd_rsa_pem[];
+extern const char mbedtls_test_cli_crt_rsa_pem[];
+
+extern const unsigned char mbedtls_test_cli_crt_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_rsa_der[];
+extern const unsigned char mbedtls_test_cli_crt_rsa_der[];
+
+extern const size_t mbedtls_test_cli_crt_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_ec_pem_len;
+extern const size_t mbedtls_test_cli_pwd_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_rsa_pem_len;
+extern const size_t mbedtls_test_cli_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_cli_crt_rsa_pem_len;
+
+extern const size_t mbedtls_test_cli_crt_ec_der_len;
+extern const size_t mbedtls_test_cli_key_ec_der_len;
+extern const size_t mbedtls_test_cli_key_rsa_der_len;
+extern const size_t mbedtls_test_cli_crt_rsa_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_cli_crt_ec[];
+extern const char mbedtls_test_cli_key_ec[];
+extern const char mbedtls_test_cli_pwd_ec[];
+extern const char mbedtls_test_cli_key_rsa[];
+extern const char mbedtls_test_cli_pwd_rsa[];
+extern const char mbedtls_test_cli_crt_rsa[];
+
+extern const size_t mbedtls_test_cli_crt_ec_len;
+extern const size_t mbedtls_test_cli_key_ec_len;
+extern const size_t mbedtls_test_cli_pwd_ec_len;
+extern const size_t mbedtls_test_cli_key_rsa_len;
+extern const size_t mbedtls_test_cli_pwd_rsa_len;
+extern const size_t mbedtls_test_cli_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char * mbedtls_test_cli_crt;
+extern const char * mbedtls_test_cli_key;
+extern const char * mbedtls_test_cli_pwd;
+extern const size_t mbedtls_test_cli_crt_len;
+extern const size_t mbedtls_test_cli_key_len;
+extern const size_t mbedtls_test_cli_pwd_len;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* certs.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/chacha20.h b/ctrtool/deps/libmbedtls/include/mbedtls/chacha20.h
new file mode 100644
index 00000000..2ae5e6e5
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/chacha20.h
@@ -0,0 +1,226 @@
+/**
+ * \file chacha20.h
+ *
+ * \brief   This file contains ChaCha20 definitions and functions.
+ *
+ *          ChaCha20 is a stream cipher that can encrypt and decrypt
+ *          information. ChaCha was created by Daniel Bernstein as a variant of
+ *          its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
+ *          ChaCha20 is the variant with 20 rounds, that was also standardized
+ *          in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHA20_H
+#define MBEDTLS_CHACHA20_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA         -0x0051 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE    -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED        -0x0055  /**< Chacha20 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+typedef struct mbedtls_chacha20_context
+{
+    uint32_t state[16];          /*! The state (before round operations). */
+    uint8_t  keystream8[64];     /*! Leftover keystream bytes. */
+    size_t keystream_bytes_used; /*! Number of keystream bytes already used. */
+}
+mbedtls_chacha20_context;
+
+#else  /* MBEDTLS_CHACHA20_ALT */
+#include "chacha20_alt.h"
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by calls to
+ *                  \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts(), then one or more calls to
+ *                  to \c mbedtls_chacha20_update(), and finally to
+ *                  \c mbedtls_chacha20_free().
+ *
+ * \param ctx       The ChaCha20 context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20 context.
+ *
+ * \param ctx       The ChaCha20 context to clear. This may be \c NULL,
+ *                  in which case this function is a no-op. If it is not
+ *                  \c NULL, it must point to an initialized context.
+ *
+ */
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief           This function sets the encryption/decryption key.
+ *
+ * \note            After using this function, you must also call
+ *                  \c mbedtls_chacha20_starts() to set a nonce before you
+ *                  start encrypting/decrypting data with
+ *                  \c mbedtls_chacha_update().
+ *
+ * \param ctx       The ChaCha20 context to which the key should be bound.
+ *                  It must be initialized.
+ * \param key       The encryption/decryption key. This must be \c 32 Bytes
+ *                  in length.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
+ */
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+                             const unsigned char key[32] );
+
+/**
+ * \brief           This function sets the nonce and initial counter value.
+ *
+ * \note            A ChaCha20 context can be re-used with the same key by
+ *                  calling this function to change the nonce.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality guarantees for the
+ *                  messages encrypted with the same nonce and key.
+ *
+ * \param ctx       The ChaCha20 context to which the nonce should be bound.
+ *                  It must be initialized and bound to a key.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
+ *                  NULL.
+ */
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+                             const unsigned char nonce[12],
+                             uint32_t counter );
+
+/**
+ * \brief           This function encrypts or decrypts data.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \note            \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts() must be called at least once
+ *                  to setup the context before this function can be called.
+ *
+ * \note            This function can be called multiple times in a row in
+ *                  order to encrypt of decrypt data piecewise with the same
+ *                  key and nonce.
+ *
+ * \param ctx       The ChaCha20 context to use for encryption or decryption.
+ *                  It must be initialized and bound to a key and nonce.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+                             size_t size,
+                             const unsigned char *input,
+                             unsigned char *output );
+
+/**
+ * \brief           This function encrypts or decrypts data with ChaCha20 and
+ *                  the given key and nonce.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \warning         You must never use the same (key, nonce) pair more than
+ *                  once. This would void any confidentiality guarantees for
+ *                  the messages encrypted with the same nonce and key.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \param key       The encryption/decryption key.
+ *                  This must be \c 32 Bytes in length.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+                            const unsigned char nonce[12],
+                            uint32_t counter,
+                            size_t size,
+                            const unsigned char* input,
+                            unsigned char* output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chacha20_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHA20_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/chachapoly.h b/ctrtool/deps/libmbedtls/include/mbedtls/chachapoly.h
new file mode 100644
index 00000000..49e615d2
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/chachapoly.h
@@ -0,0 +1,358 @@
+/**
+ * \file chachapoly.h
+ *
+ * \brief   This file contains the AEAD-ChaCha20-Poly1305 definitions and
+ *          functions.
+ *
+ *          ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
+ *          with Associated Data (AEAD) that can be used to encrypt and
+ *          authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
+ *          Bernstein and was standardized in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHAPOLY_H
+#define MBEDTLS_CHACHAPOLY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/* for shared error codes */
+#include "poly1305.h"
+
+#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */
+#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+    MBEDTLS_CHACHAPOLY_ENCRYPT,     /**< The mode value for performing encryption. */
+    MBEDTLS_CHACHAPOLY_DECRYPT      /**< The mode value for performing decryption. */
+}
+mbedtls_chachapoly_mode_t;
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#include "chacha20.h"
+
+typedef struct mbedtls_chachapoly_context
+{
+    mbedtls_chacha20_context chacha20_ctx;  /**< The ChaCha20 context. */
+    mbedtls_poly1305_context poly1305_ctx;  /**< The Poly1305 context. */
+    uint64_t aad_len;                       /**< The length (bytes) of the Additional Authenticated Data. */
+    uint64_t ciphertext_len;                /**< The length (bytes) of the ciphertext. */
+    int state;                              /**< The current state of the context. */
+    mbedtls_chachapoly_mode_t mode;         /**< Cipher mode (encrypt or decrypt). */
+}
+mbedtls_chachapoly_context;
+
+#else /* !MBEDTLS_CHACHAPOLY_ALT */
+#include "chachapoly_alt.h"
+#endif /* !MBEDTLS_CHACHAPOLY_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20-Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context. It must be followed by a call to
+ *                  \c mbedtls_chachapoly_setkey() before any operation can be
+ *                  done, and to \c mbedtls_chachapoly_free() once all
+ *                  operations with that context have been finished.
+ *
+ *                  In order to encrypt or decrypt full messages at once, for
+ *                  each message you should make a single call to
+ *                  \c mbedtls_chachapoly_crypt_and_tag() or
+ *                  \c mbedtls_chachapoly_auth_decrypt().
+ *
+ *                  In order to encrypt messages piecewise, for each
+ *                  message you should make a call to
+ *                  \c mbedtls_chachapoly_starts(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update(), then one call to
+ *                  \c mbedtls_chachapoly_finish().
+ *
+ * \warning         Decryption with the piecewise API is discouraged! Always
+ *                  use \c mbedtls_chachapoly_auth_decrypt() when possible!
+ *
+ *                  If however this is not possible because the data is too
+ *                  large to fit in memory, you need to:
+ *
+ *                  - call \c mbedtls_chachapoly_starts() and (if needed)
+ *                  \c mbedtls_chachapoly_update_aad() as above,
+ *                  - call \c mbedtls_chachapoly_update() multiple times and
+ *                  ensure its output (the plaintext) is NOT used in any other
+ *                  way than placing it in temporary storage at this point,
+ *                  - call \c mbedtls_chachapoly_finish() to compute the
+ *                  authentication tag and compared it in constant time to the
+ *                  tag received with the ciphertext.
+ *
+ *                  If the tags are not equal, you must immediately discard
+ *                  all previous outputs of \c mbedtls_chachapoly_update(),
+ *                  otherwise you can now safely use the plaintext.
+ *
+ * \param ctx       The ChachaPoly context to initialize. Must not be \c NULL.
+ */
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20-Poly1305 context.
+ *
+ * \param ctx       The ChachaPoly context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op.
+ */
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief           This function sets the ChaCha20-Poly1305
+ *                  symmetric encryption key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to which the key should be
+ *                  bound. This must be initialized.
+ * \param key       The \c 256 Bit (\c 32 Bytes) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+                               const unsigned char key[32] );
+
+/**
+ * \brief           This function starts a ChaCha20-Poly1305 encryption or
+ *                  decryption operation.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \note            If the context is being used for AAD only (no data to
+ *                  encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param nonce     The nonce/IV to use for the message.
+ *                  This must be a redable buffer of length \c 12 Bytes.
+ * \param mode      The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
+ *                  #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+                               const unsigned char nonce[12],
+                               mbedtls_chachapoly_mode_t mode );
+
+/**
+ * \brief           This function feeds additional data to be authenticated
+ *                  into an ongoing ChaCha20-Poly1305 operation.
+ *
+ *                  The Additional Authenticated Data (AAD), also called
+ *                  Associated Data (AD) is only authenticated but not
+ *                  encrypted nor included in the encrypted output. It is
+ *                  usually transmitted separately from the ciphertext or
+ *                  computed locally by each party.
+ *
+ * \note            This function is called before data is encrypted/decrypted.
+ *                  I.e. call this function to process the AAD before calling
+ *                  \c mbedtls_chachapoly_update().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of AAD. It is permitted to call
+ *                  this function 0 times, if no AAD is used.
+ *
+ *                  This function cannot be called any more if data has
+ *                  been processed by \c mbedtls_chachapoly_update(),
+ *                  or if the context has been finished.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param aad_len   The length in Bytes of the AAD. The length has no
+ *                  restrictions.
+ * \param aad       Buffer containing the AAD.
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ *                  if \p ctx or \p aad are NULL.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operations has not been started or has been
+ *                  finished, or if the AAD has been finished.
+ */
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+                                   const unsigned char *aad,
+                                   size_t aad_len );
+
+/**
+ * \brief           Thus function feeds data to be encrypted or decrypted
+ *                  into an on-going ChaCha20-Poly1305
+ *                  operation.
+ *
+ *                  The direction (encryption or decryption) depends on the
+ *                  mode that was given when calling
+ *                  \c mbedtls_chachapoly_starts().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of data. It is permitted to call
+ *                  this function 0 times, if no data is to be encrypted
+ *                  or decrypted.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param len       The length (in bytes) of the data to encrypt or decrypt.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `len == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data is
+ *                  written. This must be able to hold \p len bytes.
+ *                  This pointer can be \c NULL if `len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+                               size_t len,
+                               const unsigned char *input,
+                               unsigned char *output );
+
+/**
+ * \brief           This function finished the ChaCha20-Poly1305 operation and
+ *                  generates the MAC (authentication tag).
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param mac       The buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+                               unsigned char mac[16] );
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated encryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ *                  This must be initialized.
+ * \param length    The length (in bytes) of the data to encrypt or decrypt.
+ * \param nonce     The 96-bit (12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated
+ *                  data (AAD). This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data
+ *                  is written. This pointer can be \c NULL if `ilen == 0`.
+ * \param tag       The buffer to where the computed 128-bit (16 bytes) MAC
+ *                  is written. This must not be \c NULL.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                        size_t length,
+                                        const unsigned char nonce[12],
+                                        const unsigned char *aad,
+                                        size_t aad_len,
+                                        const unsigned char *input,
+                                        unsigned char *output,
+                                        unsigned char tag[16] );
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated decryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ * \param length    The length (in Bytes) of the data to decrypt.
+ * \param nonce     The \c 96 Bit (\c 12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated data (AAD).
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param tag       The buffer holding the authentication tag.
+ *                  This must be a readable buffer of length \c 16 Bytes.
+ * \param input     The buffer containing the data to decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the decrypted data is written.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+ *                  if the data was not authentic.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char tag[16],
+                                     const unsigned char *input,
+                                     unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20-Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chachapoly_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHAPOLY_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/check_config.h b/ctrtool/deps/libmbedtls/include/mbedtls/check_config.h
new file mode 100644
index 00000000..d076c235
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/check_config.h
@@ -0,0 +1,708 @@
+/**
+ * \file check_config.h
+ *
+ * \brief Consistency checks for configuration options
+ */
+/*
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * It is recommended to include this file from your config.h
+ * in order to catch dependency issues early.
+ */
+
+#ifndef MBEDTLS_CHECK_CONFIG_H
+#define MBEDTLS_CHECK_CONFIG_H
+
+/*
+ * We assume CHAR_BIT is 8 in many places. In practice, this is true on our
+ * target platforms, so not an issue, but let's just be extra sure.
+ */
+#include <limits.h>
+#if CHAR_BIT != 8
+#error "mbed TLS requires a platform with 8-bit chars"
+#endif
+
+#if defined(_WIN32)
+#if !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_C is required on Windows"
+#endif
+
+/* Fix the config here. Not convenient to put an #ifdef _WIN32 in config.h as
+ * it would confuse config.pl. */
+#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
+    !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#endif /* _WIN32 */
+
+#if defined(TARGET_LIKE_MBED) && \
+    ( defined(MBEDTLS_NET_C) || defined(MBEDTLS_TIMING_C) )
+#error "The NET and TIMING modules are not available for mbed OS - please use the network and timing functions provided by mbed OS"
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_WARNING) && \
+    !defined(__GNUC__) && !defined(__clang__)
+#error "MBEDTLS_DEPRECATED_WARNING only works with GCC and Clang"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_HAVE_TIME)
+#error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
+#endif
+
+#if defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_AESNI_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
+#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_DHM_C) && !defined(MBEDTLS_BIGNUM_C)
+#error "MBEDTLS_DHM_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_CMAC_C) && \
+    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
+#error "MBEDTLS_CMAC_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C) && \
+    ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) )
+#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
+#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C) &&            \
+    ( !defined(MBEDTLS_ECP_C) ||           \
+      !defined(MBEDTLS_ASN1_PARSE_C) ||    \
+      !defined(MBEDTLS_ASN1_WRITE_C) )
+#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECJPAKE_C) &&           \
+    ( !defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C) )
+#error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
+    ( defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
+      defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)     || \
+      defined(MBEDTLS_ECDSA_SIGN_ALT)          || \
+      defined(MBEDTLS_ECDSA_VERIFY_ALT)        || \
+      defined(MBEDTLS_ECDSA_GENKEY_ALT)        || \
+      defined(MBEDTLS_ECP_INTERNAL_ALT)        || \
+      defined(MBEDTLS_ECP_ALT) )
+#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
+#endif
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
+#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (    \
+    !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) &&                 \
+    !defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
+#error "MBEDTLS_ECP_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) &&      \
+                                    !defined(MBEDTLS_SHA256_C))
+#error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_SHA512_C) &&         \
+    defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 64)
+#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) &&                                            \
+    ( !defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_ENTROPY_FORCE_SHA256) ) \
+    && defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32)
+#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) && \
+    defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_SHA256_C)
+#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
+    ( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
+#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
+#endif
+#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
+     ( defined(MBEDTLS_ENTROPY_NV_SEED) || defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
+    defined(MBEDTLS_HAVEGE_C) )
+#error "MBEDTLS_TEST_NULL_ENTROPY defined, but entropy sources too"
+#endif
+
+#if defined(MBEDTLS_GCM_C) && (                                        \
+        !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) )
+#error "MBEDTLS_GCM_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C)
+#error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_HKDF_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) && !defined(MBEDTLS_DHM_C)
+#error "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) &&                     \
+    !defined(MBEDTLS_ECDH_C)
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) &&                   \
+    ( !defined(MBEDTLS_DHM_C) || !defined(MBEDTLS_RSA_C) ||           \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) &&                   \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
+      !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) &&                       \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
+      !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
+    ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) ||      \
+      !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
+#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) &&                          \
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_BACKTRACE defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_DEBUG) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_DEBUG defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) && !defined(MBEDTLS_BASE64_C)
+#error "MBEDTLS_PEM_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PEM_WRITE_C) && !defined(MBEDTLS_BASE64_C)
+#error "MBEDTLS_PEM_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_C) && \
+    ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) )
+#error "MBEDTLS_PK_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_WRITE_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_EXIT_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_EXIT) ||\
+        defined(MBEDTLS_PLATFORM_EXIT_ALT) )
+#error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_FPRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_FPRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_FPRINTF) ||\
+        defined(MBEDTLS_PLATFORM_FPRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_FPRINTF_MACRO and MBEDTLS_PLATFORM_STD_FPRINTF/MBEDTLS_PLATFORM_FPRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_PLATFORM_FREE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
+    defined(MBEDTLS_PLATFORM_STD_FREE)
+#error "MBEDTLS_PLATFORM_FREE_MACRO and MBEDTLS_PLATFORM_STD_FREE cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && !defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO must be defined if MBEDTLS_PLATFORM_FREE_MACRO is"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
+    defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) && !defined(MBEDTLS_PLATFORM_FREE_MACRO)
+#error "MBEDTLS_PLATFORM_FREE_MACRO must be defined if MBEDTLS_PLATFORM_CALLOC_MACRO is"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_MEMORY) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_MEMORY defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_PRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_PRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_PRINTF) ||\
+        defined(MBEDTLS_PLATFORM_PRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_PRINTF_MACRO and MBEDTLS_PLATFORM_STD_PRINTF/MBEDTLS_PLATFORM_PRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SNPRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_SNPRINTF) ||\
+        defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_SNPRINTF/MBEDTLS_PLATFORM_SNPRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR) &&\
+    !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+#error "MBEDTLS_PLATFORM_STD_MEM_HDR defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_FREE) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_FREE defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_EXIT) &&\
+    !defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#error "MBEDTLS_PLATFORM_STD_EXIT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_TIME) &&\
+    ( !defined(MBEDTLS_PLATFORM_TIME_ALT) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_STD_TIME defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_FPRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_FPRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_PRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_PRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_SNPRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_SNPRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_ENTROPY_C) )
+#error "MBEDTLS_ENTROPY_NV_SEED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT) &&\
+    !defined(MBEDTLS_ENTROPY_NV_SEED)
+#error "MBEDTLS_PLATFORM_NV_SEED_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ) &&\
+    !defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#error "MBEDTLS_PLATFORM_STD_NV_SEED_READ defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE) &&\
+    !defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#error "MBEDTLS_PLATFORM_STD_NV_SEED_WRITE defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ) ||\
+      defined(MBEDTLS_PLATFORM_NV_SEED_ALT) )
+#error "MBEDTLS_PLATFORM_NV_SEED_READ_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_READ cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE) ||\
+      defined(MBEDTLS_PLATFORM_NV_SEED_ALT) )
+#error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
+    !defined(MBEDTLS_OID_C) )
+#error "MBEDTLS_RSA_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_PKCS1_V21) &&         \
+    !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled"
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) &&                        \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) )
+#error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_SSL3 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_1 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) &&     \
+    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)     && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1)  && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_CLI_C) && !defined(MBEDTLS_SSL_TLS_C)
+#error "MBEDTLS_SSL_CLI_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && ( !defined(MBEDTLS_CIPHER_C) ||     \
+    !defined(MBEDTLS_MD_C) )
+#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_TLS_C)
+#error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2))
+#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_TLS1) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && (!defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1)))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && !defined(MBEDTLS_SSL_PROTO_DTLS)
+#error "MBEDTLS_SSL_DTLS_HELLO_VERIFY  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && \
+    !defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+#error "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) &&                              \
+    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_ANTI_REPLAY  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
+    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) &&   \
+    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&      \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&      \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&          \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&          \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
+#endif
+
+#if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C)
+#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && \
+    !defined(MBEDTLS_SSL_PROTO_SSL3) && !defined(MBEDTLS_SSL_PROTO_TLS1)
+#error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+        !defined(MBEDTLS_X509_CRT_PARSE_C)
+#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
+#endif
+#define MBEDTLS_THREADING_IMPL
+#endif
+
+#if defined(MBEDTLS_THREADING_ALT)
+#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
+#endif
+#define MBEDTLS_THREADING_IMPL
+#endif
+
+#if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_C defined, single threading implementation required"
+#endif
+#undef MBEDTLS_THREADING_IMPL
+
+#if defined(MBEDTLS_VERSION_FEATURES) && !defined(MBEDTLS_VERSION_C)
+#error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
+    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) ||      \
+    !defined(MBEDTLS_PK_PARSE_C) )
+#error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
+    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) ||       \
+    !defined(MBEDTLS_PK_WRITE_C) )
+#error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CRL_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CSR_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
+#error "MBEDTLS_X509_CRT_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
+#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
+#error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
+#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */
+
+#if ( defined(MBEDTLS_HAVE_INT32) || defined(MBEDTLS_HAVE_INT64) ) && \
+    defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
+#endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
+
+/*
+ * Avoid warning from -pedantic. This is a convenient place for this
+ * workaround since this is included by every single file before the
+ * #if defined(MBEDTLS_xxx_C) that results in empty translation units.
+ */
+typedef int mbedtls_iso_c_forbids_empty_translation_units;
+
+#endif /* MBEDTLS_CHECK_CONFIG_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/cipher.h b/ctrtool/deps/libmbedtls/include/mbedtls/cipher.h
new file mode 100644
index 00000000..082a6917
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/cipher.h
@@ -0,0 +1,872 @@
+/**
+ * \file cipher.h
+ *
+ * \brief This file contains an abstraction interface for use with the cipher
+ * primitives provided by the library. It provides a common interface to all of
+ * the available cipher operations.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CIPHER_H
+#define MBEDTLS_CIPHER_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include "platform_util.h"
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+#define MBEDTLS_CIPHER_MODE_AEAD
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_CIPHER_MODE_WITH_PADDING
+#endif
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
+    defined(MBEDTLS_CHACHA20_C)
+#define MBEDTLS_CIPHER_MODE_STREAM
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE  -0x6080  /**< The selected feature is not available. */
+#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA       -0x6100  /**< Bad input parameters. */
+#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED         -0x6180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_CIPHER_INVALID_PADDING      -0x6200  /**< Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED  -0x6280  /**< Decryption of block requires a full block. */
+#define MBEDTLS_ERR_CIPHER_AUTH_FAILED          -0x6300  /**< Authentication failed (for AEAD modes). */
+#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380  /**< The context is invalid. For example, because it was freed. */
+
+/* MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED      -0x6400  /**< Cipher hardware accelerator failed. */
+
+#define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
+#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN    0x02    /**< Cipher accepts keys of variable length. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief     Supported cipher types.
+ *
+ * \warning   RC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. Arm recommends considering stronger
+ *            ciphers instead.
+ */
+typedef enum {
+    MBEDTLS_CIPHER_ID_NONE = 0,  /**< Placeholder to mark the end of cipher ID lists. */
+    MBEDTLS_CIPHER_ID_NULL,      /**< The identity cipher, treated as a stream cipher. */
+    MBEDTLS_CIPHER_ID_AES,       /**< The AES cipher. */
+    MBEDTLS_CIPHER_ID_DES,       /**< The DES cipher. */
+    MBEDTLS_CIPHER_ID_3DES,      /**< The Triple DES cipher. */
+    MBEDTLS_CIPHER_ID_CAMELLIA,  /**< The Camellia cipher. */
+    MBEDTLS_CIPHER_ID_BLOWFISH,  /**< The Blowfish cipher. */
+    MBEDTLS_CIPHER_ID_ARC4,      /**< The RC4 cipher. */
+    MBEDTLS_CIPHER_ID_ARIA,      /**< The Aria cipher. */
+    MBEDTLS_CIPHER_ID_CHACHA20,  /**< The ChaCha20 cipher. */
+} mbedtls_cipher_id_t;
+
+/**
+ * \brief     Supported {cipher type, cipher mode} pairs.
+ *
+ * \warning   RC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. Arm recommends considering stronger
+ *            ciphers instead.
+ */
+typedef enum {
+    MBEDTLS_CIPHER_NONE = 0,             /**< Placeholder to mark the end of cipher-pair lists. */
+    MBEDTLS_CIPHER_NULL,                 /**< The identity stream cipher. */
+    MBEDTLS_CIPHER_AES_128_ECB,          /**< AES cipher with 128-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_192_ECB,          /**< AES cipher with 192-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_256_ECB,          /**< AES cipher with 256-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_128_CBC,          /**< AES cipher with 128-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_192_CBC,          /**< AES cipher with 192-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_256_CBC,          /**< AES cipher with 256-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_128_CFB128,       /**< AES cipher with 128-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_192_CFB128,       /**< AES cipher with 192-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_256_CFB128,       /**< AES cipher with 256-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_128_CTR,          /**< AES cipher with 128-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_192_CTR,          /**< AES cipher with 192-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_256_CTR,          /**< AES cipher with 256-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_128_GCM,          /**< AES cipher with 128-bit GCM mode. */
+    MBEDTLS_CIPHER_AES_192_GCM,          /**< AES cipher with 192-bit GCM mode. */
+    MBEDTLS_CIPHER_AES_256_GCM,          /**< AES cipher with 256-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_ECB,     /**< Camellia cipher with 128-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_ECB,     /**< Camellia cipher with 192-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_ECB,     /**< Camellia cipher with 256-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CBC,     /**< Camellia cipher with 128-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CBC,     /**< Camellia cipher with 192-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CBC,     /**< Camellia cipher with 256-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  /**< Camellia cipher with 128-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  /**< Camellia cipher with 192-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  /**< Camellia cipher with 256-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CTR,     /**< Camellia cipher with 128-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CTR,     /**< Camellia cipher with 192-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CTR,     /**< Camellia cipher with 256-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_GCM,     /**< Camellia cipher with 128-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_GCM,     /**< Camellia cipher with 192-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_GCM,     /**< Camellia cipher with 256-bit GCM mode. */
+    MBEDTLS_CIPHER_DES_ECB,              /**< DES cipher with ECB mode. */
+    MBEDTLS_CIPHER_DES_CBC,              /**< DES cipher with CBC mode. */
+    MBEDTLS_CIPHER_DES_EDE_ECB,          /**< DES cipher with EDE ECB mode. */
+    MBEDTLS_CIPHER_DES_EDE_CBC,          /**< DES cipher with EDE CBC mode. */
+    MBEDTLS_CIPHER_DES_EDE3_ECB,         /**< DES cipher with EDE3 ECB mode. */
+    MBEDTLS_CIPHER_DES_EDE3_CBC,         /**< DES cipher with EDE3 CBC mode. */
+    MBEDTLS_CIPHER_BLOWFISH_ECB,         /**< Blowfish cipher with ECB mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CBC,         /**< Blowfish cipher with CBC mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CFB64,       /**< Blowfish cipher with CFB64 mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CTR,         /**< Blowfish cipher with CTR mode. */
+    MBEDTLS_CIPHER_ARC4_128,             /**< RC4 cipher with 128-bit mode. */
+    MBEDTLS_CIPHER_AES_128_CCM,          /**< AES cipher with 128-bit CCM mode. */
+    MBEDTLS_CIPHER_AES_192_CCM,          /**< AES cipher with 192-bit CCM mode. */
+    MBEDTLS_CIPHER_AES_256_CCM,          /**< AES cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM,     /**< Camellia cipher with 128-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM,     /**< Camellia cipher with 192-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM,     /**< Camellia cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_ARIA_128_ECB,         /**< Aria cipher with 128-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_192_ECB,         /**< Aria cipher with 192-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_256_ECB,         /**< Aria cipher with 256-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_128_CBC,         /**< Aria cipher with 128-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_192_CBC,         /**< Aria cipher with 192-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_256_CBC,         /**< Aria cipher with 256-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_128_CFB128,      /**< Aria cipher with 128-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_192_CFB128,      /**< Aria cipher with 192-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_256_CFB128,      /**< Aria cipher with 256-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_128_CTR,         /**< Aria cipher with 128-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_192_CTR,         /**< Aria cipher with 192-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_256_CTR,         /**< Aria cipher with 256-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_128_GCM,         /**< Aria cipher with 128-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_192_GCM,         /**< Aria cipher with 192-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_256_GCM,         /**< Aria cipher with 256-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_128_CCM,         /**< Aria cipher with 128-bit key and CCM mode. */
+    MBEDTLS_CIPHER_ARIA_192_CCM,         /**< Aria cipher with 192-bit key and CCM mode. */
+    MBEDTLS_CIPHER_ARIA_256_CCM,         /**< Aria cipher with 256-bit key and CCM mode. */
+    MBEDTLS_CIPHER_AES_128_OFB,          /**< AES 128-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_192_OFB,          /**< AES 192-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_256_OFB,          /**< AES 256-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_128_XTS,          /**< AES 128-bit cipher in XTS block mode. */
+    MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
+    MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
+    MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
+} mbedtls_cipher_type_t;
+
+/** Supported cipher modes. */
+typedef enum {
+    MBEDTLS_MODE_NONE = 0,               /**< None. */
+    MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode. */
+    MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode. */
+    MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode. */
+    MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode. */
+    MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode. */
+    MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode. */
+    MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode. */
+    MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode. */
+    MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode. */
+    MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
+} mbedtls_cipher_mode_t;
+
+/** Supported cipher padding types. */
+typedef enum {
+    MBEDTLS_PADDING_PKCS7 = 0,     /**< PKCS7 padding (default).        */
+    MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding.         */
+    MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding.             */
+    MBEDTLS_PADDING_ZEROS,         /**< Zero padding (not reversible). */
+    MBEDTLS_PADDING_NONE,          /**< Never pad (full blocks only).   */
+} mbedtls_cipher_padding_t;
+
+/** Type of operation. */
+typedef enum {
+    MBEDTLS_OPERATION_NONE = -1,
+    MBEDTLS_DECRYPT = 0,
+    MBEDTLS_ENCRYPT,
+} mbedtls_operation_t;
+
+enum {
+    /** Undefined key length. */
+    MBEDTLS_KEY_LENGTH_NONE = 0,
+    /** Key length, in bits (including parity), for DES keys. */
+    MBEDTLS_KEY_LENGTH_DES  = 64,
+    /** Key length in bits, including parity, for DES in two-key EDE. */
+    MBEDTLS_KEY_LENGTH_DES_EDE = 128,
+    /** Key length in bits, including parity, for DES in three-key EDE. */
+    MBEDTLS_KEY_LENGTH_DES_EDE3 = 192,
+};
+
+/** Maximum length of any IV, in Bytes. */
+#define MBEDTLS_MAX_IV_LENGTH      16
+/** Maximum block size of any cipher, in Bytes. */
+#define MBEDTLS_MAX_BLOCK_LENGTH   16
+
+/**
+ * Base cipher information (opaque struct).
+ */
+typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
+
+/**
+ * CMAC context (opaque struct).
+ */
+typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
+
+/**
+ * Cipher information. Allows calling cipher functions
+ * in a generic way.
+ */
+typedef struct mbedtls_cipher_info_t
+{
+    /** Full cipher identifier. For example,
+     * MBEDTLS_CIPHER_AES_256_CBC.
+     */
+    mbedtls_cipher_type_t type;
+
+    /** The cipher mode. For example, MBEDTLS_MODE_CBC. */
+    mbedtls_cipher_mode_t mode;
+
+    /** The cipher key length, in bits. This is the
+     * default length for variable sized ciphers.
+     * Includes parity bits for ciphers like DES.
+     */
+    unsigned int key_bitlen;
+
+    /** Name of the cipher. */
+    const char * name;
+
+    /** IV or nonce size, in Bytes.
+     * For ciphers that accept variable IV sizes,
+     * this is the recommended size.
+     */
+    unsigned int iv_size;
+
+    /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
+     *  MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
+     *  cipher supports variable IV or variable key sizes, respectively.
+     */
+    int flags;
+
+    /** The block size, in Bytes. */
+    unsigned int block_size;
+
+    /** Struct for base cipher information and functions. */
+    const mbedtls_cipher_base_t *base;
+
+} mbedtls_cipher_info_t;
+
+/**
+ * Generic cipher context.
+ */
+typedef struct mbedtls_cipher_context_t
+{
+    /** Information about the associated cipher. */
+    const mbedtls_cipher_info_t *cipher_info;
+
+    /** Key length to use. */
+    int key_bitlen;
+
+    /** Operation that the key of the context has been
+     * initialized for.
+     */
+    mbedtls_operation_t operation;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /** Padding functions to use, if relevant for
+     * the specific cipher mode.
+     */
+    void (*add_padding)( unsigned char *output, size_t olen, size_t data_len );
+    int (*get_padding)( unsigned char *input, size_t ilen, size_t *data_len );
+#endif
+
+    /** Buffer for input that has not been processed yet. */
+    unsigned char unprocessed_data[MBEDTLS_MAX_BLOCK_LENGTH];
+
+    /** Number of Bytes that have not been processed yet. */
+    size_t unprocessed_len;
+
+    /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
+     * for XTS-mode. */
+    unsigned char iv[MBEDTLS_MAX_IV_LENGTH];
+
+    /** IV size in Bytes, for ciphers with variable-length IVs. */
+    size_t iv_size;
+
+    /** The cipher-specific context. */
+    void *cipher_ctx;
+
+#if defined(MBEDTLS_CMAC_C)
+    /** CMAC-specific context. */
+    mbedtls_cmac_context_t *cmac_ctx;
+#endif
+} mbedtls_cipher_context_t;
+
+/**
+ * \brief This function retrieves the list of ciphers supported by the generic
+ * cipher module.
+ *
+ * \return      A statically-allocated array of ciphers. The last entry
+ *              is zero.
+ */
+const int *mbedtls_cipher_list( void );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher name.
+ *
+ * \param cipher_name   Name of the cipher to search for. This must not be
+ *                      \c NULL.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_name.
+ * \return              \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher type.
+ *
+ * \param cipher_type   Type of the cipher to search for.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_type.
+ * \return              \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher ID,
+ *                      key size and mode.
+ *
+ * \param cipher_id     The ID of the cipher to search for. For example,
+ *                      #MBEDTLS_CIPHER_ID_AES.
+ * \param key_bitlen    The length of the key in bits.
+ * \param mode          The cipher mode. For example, #MBEDTLS_MODE_CBC.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_id.
+ * \return              \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
+                                              int key_bitlen,
+                                              const mbedtls_cipher_mode_t mode );
+
+/**
+ * \brief               This function initializes a \p cipher_context as NONE.
+ *
+ * \param ctx           The context to be initialized. This must not be \c NULL.
+ */
+void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
+
+/**
+ * \brief               This function frees and clears the cipher-specific
+ *                      context of \p ctx. Freeing \p ctx itself remains the
+ *                      responsibility of the caller.
+ *
+ * \param ctx           The context to be freed. If this is \c NULL, the
+ *                      function has no effect, otherwise this must point to an
+ *                      initialized context.
+ */
+void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
+
+
+/**
+ * \brief               This function initializes and fills the cipher-context
+ *                      structure with the appropriate values. It also clears
+ *                      the structure.
+ *
+ * \param ctx           The context to initialize. This must be initialized.
+ * \param cipher_info   The cipher to use.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
+ *                      cipher-specific context fails.
+ *
+ * \internal Currently, the function also clears the structure.
+ * In future versions, the caller will be required to call
+ * mbedtls_cipher_init() on the structure first.
+ */
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
+                          const mbedtls_cipher_info_t *cipher_info );
+
+/**
+ * \brief        This function returns the block size of the given cipher.
+ *
+ * \param ctx    The context of the cipher. This must be initialized.
+ *
+ * \return       The block size of the underlying cipher.
+ * \return       \c 0 if \p ctx has not been initialized.
+ */
+static inline unsigned int mbedtls_cipher_get_block_size(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
+        return 0;
+
+    return ctx->cipher_info->block_size;
+}
+
+/**
+ * \brief        This function returns the mode of operation for
+ *               the cipher. For example, MBEDTLS_MODE_CBC.
+ *
+ * \param ctx    The context of the cipher. This must be initialized.
+ *
+ * \return       The mode of operation.
+ * \return       #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_MODE_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_MODE_NONE;
+
+    return ctx->cipher_info->mode;
+}
+
+/**
+ * \brief       This function returns the size of the IV or nonce
+ *              of the cipher, in Bytes.
+ *
+ * \param ctx   The context of the cipher. This must be initialized.
+ *
+ * \return      The recommended IV size if no IV has been set.
+ * \return      \c 0 for ciphers not using an IV or a nonce.
+ * \return      The actual size if an IV has been set.
+ */
+static inline int mbedtls_cipher_get_iv_size(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
+        return 0;
+
+    if( ctx->iv_size != 0 )
+        return (int) ctx->iv_size;
+
+    return (int) ctx->cipher_info->iv_size;
+}
+
+/**
+ * \brief               This function returns the type of the given cipher.
+ *
+ * \param ctx           The context of the cipher. This must be initialized.
+ *
+ * \return              The type of the cipher.
+ * \return              #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_CIPHER_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_CIPHER_NONE;
+
+    return ctx->cipher_info->type;
+}
+
+/**
+ * \brief               This function returns the name of the given cipher
+ *                      as a string.
+ *
+ * \param ctx           The context of the cipher. This must be initialized.
+ *
+ * \return              The name of the cipher.
+ * \return              NULL if \p ctx has not been not initialized.
+ */
+static inline const char *mbedtls_cipher_get_name(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
+        return 0;
+
+    return ctx->cipher_info->name;
+}
+
+/**
+ * \brief               This function returns the key length of the cipher.
+ *
+ * \param ctx           The context of the cipher. This must be initialized.
+ *
+ * \return              The key length of the cipher in bits.
+ * \return              #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
+ *                      initialized.
+ */
+static inline int mbedtls_cipher_get_key_bitlen(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_KEY_LENGTH_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_KEY_LENGTH_NONE;
+
+    return (int) ctx->cipher_info->key_bitlen;
+}
+
+/**
+ * \brief          This function returns the operation of the given cipher.
+ *
+ * \param ctx      The context of the cipher. This must be initialized.
+ *
+ * \return         The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ * \return         #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_operation_t mbedtls_cipher_get_operation(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_OPERATION_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_OPERATION_NONE;
+
+    return ctx->operation;
+}
+
+/**
+ * \brief               This function sets the key to use with the given context.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
+ * \param key           The key to use. This must be a readable buffer of at
+ *                      least \p key_bitlen Bits.
+ * \param key_bitlen    The key length to use, in Bits.
+ * \param operation     The operation that the key will be used for:
+ *                      #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *key,
+                           int key_bitlen,
+                           const mbedtls_operation_t operation );
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+/**
+ * \brief               This function sets the padding mode, for cipher modes
+ *                      that use padding.
+ *
+ *                      The default passing mode is PKCS7 padding.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
+ * \param mode          The padding mode.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+ *                      if the selected padding mode is not supported.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
+ *                      does not support padding.
+ */
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
+                                     mbedtls_cipher_padding_t mode );
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+/**
+ * \brief           This function sets the initialization vector (IV)
+ *                  or nonce.
+ *
+ * \note            Some ciphers do not use IVs nor nonce. For these
+ *                  ciphers, this function has no effect.
+ *
+ * \param ctx       The generic cipher context. This must be initialized and
+ *                  bound to a cipher information structure.
+ * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
+ *                  must be a readable buffer of at least \p iv_len Bytes.
+ * \param iv_len    The IV length for ciphers with variable-size IV.
+ *                  This parameter is discarded by ciphers with fixed-size IV.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                  parameter-verification failure.
+ */
+int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *iv,
+                           size_t iv_len );
+
+/**
+ * \brief         This function resets the cipher state.
+ *
+ * \param ctx     The generic cipher context. This must be initialized.
+ *
+ * \return        \c 0 on success.
+ * \return        #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                parameter-verification failure.
+ */
+int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/**
+ * \brief               This function adds additional data for AEAD ciphers.
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called exactly once, after
+ *                      mbedtls_cipher_reset().
+ *
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param ad            The additional data to use. This must be a readable
+ *                      buffer of at least \p ad_len Bytes.
+ * \param ad_len        the Length of \p ad Bytes.
+ *
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
+ */
+int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *ad, size_t ad_len );
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/**
+ * \brief               The generic cipher update function. It encrypts or
+ *                      decrypts using the given cipher context. Writes as
+ *                      many block-sized blocks of data as possible to output.
+ *                      Any data that cannot be written immediately is either
+ *                      added to the next block, or flushed when
+ *                      mbedtls_cipher_finish() is called.
+ *                      Exception: For MBEDTLS_MODE_ECB, expects a single block
+ *                      in size. For example, 16 Bytes for AES.
+ *
+ * \note                If the underlying cipher is used in GCM mode, all calls
+ *                      to this function, except for the last one before
+ *                      mbedtls_cipher_finish(), must have \p ilen as a
+ *                      multiple of the block size of the cipher.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
+ *                      unsupported mode for a cipher.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
+                   size_t ilen, unsigned char *output, size_t *olen );
+
+/**
+ * \brief               The generic cipher finalization function. If data still
+ *                      needs to be flushed from an incomplete block, the data
+ *                      contained in it is padded to the size of
+ *                      the last block, and written to the \p output buffer.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param output        The buffer to write data to. This needs to be a writable
+ *                      buffer of at least \p block_size Bytes.
+ * \param olen          The length of the data written to the \p output buffer.
+ *                      This may not be \c NULL.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ *                      expecting a full block but not receiving one.
+ * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
+                   unsigned char *output, size_t *olen );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/**
+ * \brief               This function writes a tag for AEAD ciphers.
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx           The generic cipher context. This must be initialized,
+ *                      bound to a key, and have just completed a cipher
+ *                      operation through mbedtls_cipher_finish() the tag for
+ *                      which should be written.
+ * \param tag           The buffer to write the tag to. This must be a writable
+ *                      buffer of at least \p tag_len Bytes.
+ * \param tag_len       The length of the tag to write.
+ *
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
+ */
+int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
+                      unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief               This function checks the tag for AEAD ciphers.
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param tag           The buffer holding the tag. This must be a readable
+ *                      buffer of at least \p tag_len Bytes.
+ * \param tag_len       The length of the tag to check.
+ *
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
+ */
+int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *tag, size_t tag_len );
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/**
+ * \brief               The generic all-in-one encryption/decryption function,
+ *                      for all ciphers except AEAD constructs.
+ *
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size
+ *                      IV.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data in Bytes.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ *
+ * \note                Some ciphers do not use IVs nor nonce. For these
+ *                      ciphers, use \p iv = NULL and \p iv_len = 0.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ *                      expecting a full block but not receiving one.
+ * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
+                  const unsigned char *iv, size_t iv_len,
+                  const unsigned char *input, size_t ilen,
+                  unsigned char *output, size_t *olen );
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/**
+ * \brief               The generic autenticated encryption (AEAD) function.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad            The additional data to authenticate. This must be a
+ *                      readable buffer of at least \p ad_len Bytes.
+ * \param ad_len        The length of \p ad.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least \p ilen Bytes.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ * \param tag           The buffer for the authentication tag. This must be a
+ *                      writable buffer of at least \p tag_len Bytes.
+ * \param tag_len       The desired length of the authentication tag.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief               The generic autenticated decryption (AEAD) function.
+ *
+ * \note                If the data is not authentic, then the output buffer
+ *                      is zeroed out to prevent the unauthentic plaintext being
+ *                      used, making this interface safer.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      and bound to a key.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad            The additional data to be authenticated. This must be a
+ *                      readable buffer of at least \p ad_len Bytes.
+ * \param ad_len        The length of \p ad.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data.
+ *                      This must be able to hold at least \p ilen Bytes.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ * \param tag           The buffer holding the authentication tag. This must be
+ *                      a readable buffer of at least \p tag_len Bytes.
+ * \param tag_len       The length of the authentication tag.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         const unsigned char *tag, size_t tag_len );
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/cipher_internal.h b/ctrtool/deps/libmbedtls/include/mbedtls/cipher_internal.h
new file mode 100644
index 00000000..c6def0be
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/cipher_internal.h
@@ -0,0 +1,125 @@
+/**
+ * \file cipher_internal.h
+ *
+ * \brief Cipher wrappers.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CIPHER_WRAP_H
+#define MBEDTLS_CIPHER_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Base cipher information. The non-mode specific functions and values.
+ */
+struct mbedtls_cipher_base_t
+{
+    /** Base Cipher type (e.g. MBEDTLS_CIPHER_ID_AES) */
+    mbedtls_cipher_id_t cipher;
+
+    /** Encrypt using ECB */
+    int (*ecb_func)( void *ctx, mbedtls_operation_t mode,
+                     const unsigned char *input, unsigned char *output );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /** Encrypt using CBC */
+    int (*cbc_func)( void *ctx, mbedtls_operation_t mode, size_t length,
+                     unsigned char *iv, const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    /** Encrypt using CFB (Full length) */
+    int (*cfb_func)( void *ctx, mbedtls_operation_t mode, size_t length, size_t *iv_off,
+                     unsigned char *iv, const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    /** Encrypt using OFB (Full length) */
+    int (*ofb_func)( void *ctx, size_t length, size_t *iv_off,
+                     unsigned char *iv,
+                     const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /** Encrypt using CTR */
+    int (*ctr_func)( void *ctx, size_t length, size_t *nc_off,
+                     unsigned char *nonce_counter, unsigned char *stream_block,
+                     const unsigned char *input, unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    /** Encrypt or decrypt using XTS. */
+    int (*xts_func)( void *ctx, mbedtls_operation_t mode, size_t length,
+                     const unsigned char data_unit[16],
+                     const unsigned char *input, unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    /** Encrypt using STREAM */
+    int (*stream_func)( void *ctx, size_t length,
+                        const unsigned char *input, unsigned char *output );
+#endif
+
+    /** Set key for encryption purposes */
+    int (*setkey_enc_func)( void *ctx, const unsigned char *key,
+                            unsigned int key_bitlen );
+
+    /** Set key for decryption purposes */
+    int (*setkey_dec_func)( void *ctx, const unsigned char *key,
+                            unsigned int key_bitlen);
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+};
+
+typedef struct
+{
+    mbedtls_cipher_type_t type;
+    const mbedtls_cipher_info_t *info;
+} mbedtls_cipher_definition_t;
+
+extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
+
+extern int mbedtls_cipher_supported[];
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_WRAP_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/cmac.h b/ctrtool/deps/libmbedtls/include/mbedtls/cmac.h
new file mode 100644
index 00000000..9d42b3f2
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/cmac.h
@@ -0,0 +1,213 @@
+/**
+ * \file cmac.h
+ *
+ * \brief This file contains CMAC definitions and functions.
+ *
+ * The Cipher-based Message Authentication Code (CMAC) Mode for
+ * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
+ */
+/*
+ *  Copyright (C) 2015-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CMAC_H
+#define MBEDTLS_CMAC_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A  /**< CMAC hardware accelerator failed. */
+
+#define MBEDTLS_AES_BLOCK_SIZE          16
+#define MBEDTLS_DES3_BLOCK_SIZE         8
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /**< The longest block used by CMAC is that of AES. */
+#else
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /**< The longest block used by CMAC is that of 3DES. */
+#endif
+
+#if !defined(MBEDTLS_CMAC_ALT)
+
+/**
+ * The CMAC context structure.
+ */
+struct mbedtls_cmac_context_t
+{
+    /** The internal state of the CMAC algorithm.  */
+    unsigned char       state[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** Unprocessed data - either data that was not block aligned and is still
+     *  pending processing, or the final block. */
+    unsigned char       unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** The length of data pending processing. */
+    size_t              unprocessed_len;
+};
+
+#else  /* !MBEDTLS_CMAC_ALT */
+#include "cmac_alt.h"
+#endif /* !MBEDTLS_CMAC_ALT */
+
+/**
+ * \brief               This function sets the CMAC key, and prepares to authenticate
+ *                      the input data.
+ *                      Must be called with an initialized cipher context.
+ *
+ * \param ctx           The cipher context used for the CMAC operation, initialized
+ *                      as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
+ *                      MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
+ *                      or MBEDTLS_CIPHER_DES_EDE3_ECB.
+ * \param key           The CMAC key.
+ * \param keybits       The length of the CMAC key in bits.
+ *                      Must be supported by the cipher.
+ *
+ * \return              \c 0 on success.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *key, size_t keybits );
+
+/**
+ * \brief               This function feeds an input buffer into an ongoing CMAC
+ *                      computation.
+ *
+ *                      It is called between mbedtls_cipher_cmac_starts() or
+ *                      mbedtls_cipher_cmac_reset(), and mbedtls_cipher_cmac_finish().
+ *                      Can be called repeatedly.
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                     if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *input, size_t ilen );
+
+/**
+ * \brief               This function finishes the CMAC operation, and writes
+ *                      the result to the output buffer.
+ *
+ *                      It is called after mbedtls_cipher_cmac_update().
+ *                      It can be followed by mbedtls_cipher_cmac_reset() and
+ *                      mbedtls_cipher_cmac_update(), or mbedtls_cipher_free().
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ * \param output        The output buffer for the CMAC checksum result.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
+                                unsigned char *output );
+
+/**
+ * \brief               This function prepares the authentication of another
+ *                      message with the same key as the previous CMAC
+ *                      operation.
+ *
+ *                      It is called after mbedtls_cipher_cmac_finish()
+ *                      and before mbedtls_cipher_cmac_update().
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
+
+/**
+ * \brief               This function calculates the full generic CMAC
+ *                      on the input buffer with the provided key.
+ *
+ *                      The function allocates the context, performs the
+ *                      calculation, and frees the context.
+ *
+ *                      The CMAC result is calculated as
+ *                      output = generic CMAC(cmac key, input buffer).
+ *
+ *
+ * \param cipher_info   The cipher information.
+ * \param key           The CMAC key.
+ * \param keylen        The length of the CMAC key in bits.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the generic CMAC result.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output );
+
+#if defined(MBEDTLS_AES_C)
+/**
+ * \brief           This function implements the AES-CMAC-PRF-128 pseudorandom
+ *                  function, as defined in
+ *                  <em>RFC-4615: The Advanced Encryption Standard-Cipher-based
+ *                  Message Authentication Code-Pseudo-Random Function-128
+ *                  (AES-CMAC-PRF-128) Algorithm for the Internet Key
+ *                  Exchange Protocol (IKE).</em>
+ *
+ * \param key       The key to use.
+ * \param key_len   The key length in Bytes.
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ * \param output    The buffer holding the generated 16 Bytes of
+ *                  pseudorandom output.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
+                              const unsigned char *input, size_t in_len,
+                              unsigned char output[16] );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
+/**
+ * \brief          The CMAC checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_cmac_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CMAC_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/compat-1.3.h b/ctrtool/deps/libmbedtls/include/mbedtls/compat-1.3.h
new file mode 100644
index 00000000..a58b4724
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/compat-1.3.h
@@ -0,0 +1,2531 @@
+/**
+ * \file compat-1.3.h
+ *
+ * \brief Compatibility definitions for using mbed TLS with client code written
+ *  for the PolarSSL naming conventions.
+ *
+ * \deprecated Use the new names directly instead
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Including compat-1.3.h is deprecated"
+#endif
+
+#ifndef MBEDTLS_COMPAT13_H
+#define MBEDTLS_COMPAT13_H
+
+/*
+ * config.h options
+ */
+#if defined MBEDTLS_AESNI_C
+#define POLARSSL_AESNI_C MBEDTLS_AESNI_C
+#endif
+#if defined MBEDTLS_AES_ALT
+#define POLARSSL_AES_ALT MBEDTLS_AES_ALT
+#endif
+#if defined MBEDTLS_AES_C
+#define POLARSSL_AES_C MBEDTLS_AES_C
+#endif
+#if defined MBEDTLS_AES_ROM_TABLES
+#define POLARSSL_AES_ROM_TABLES MBEDTLS_AES_ROM_TABLES
+#endif
+#if defined MBEDTLS_ARC4_ALT
+#define POLARSSL_ARC4_ALT MBEDTLS_ARC4_ALT
+#endif
+#if defined MBEDTLS_ARC4_C
+#define POLARSSL_ARC4_C MBEDTLS_ARC4_C
+#endif
+#if defined MBEDTLS_ASN1_PARSE_C
+#define POLARSSL_ASN1_PARSE_C MBEDTLS_ASN1_PARSE_C
+#endif
+#if defined MBEDTLS_ASN1_WRITE_C
+#define POLARSSL_ASN1_WRITE_C MBEDTLS_ASN1_WRITE_C
+#endif
+#if defined MBEDTLS_BASE64_C
+#define POLARSSL_BASE64_C MBEDTLS_BASE64_C
+#endif
+#if defined MBEDTLS_BIGNUM_C
+#define POLARSSL_BIGNUM_C MBEDTLS_BIGNUM_C
+#endif
+#if defined MBEDTLS_BLOWFISH_ALT
+#define POLARSSL_BLOWFISH_ALT MBEDTLS_BLOWFISH_ALT
+#endif
+#if defined MBEDTLS_BLOWFISH_C
+#define POLARSSL_BLOWFISH_C MBEDTLS_BLOWFISH_C
+#endif
+#if defined MBEDTLS_CAMELLIA_ALT
+#define POLARSSL_CAMELLIA_ALT MBEDTLS_CAMELLIA_ALT
+#endif
+#if defined MBEDTLS_CAMELLIA_C
+#define POLARSSL_CAMELLIA_C MBEDTLS_CAMELLIA_C
+#endif
+#if defined MBEDTLS_CAMELLIA_SMALL_MEMORY
+#define POLARSSL_CAMELLIA_SMALL_MEMORY MBEDTLS_CAMELLIA_SMALL_MEMORY
+#endif
+#if defined MBEDTLS_CCM_C
+#define POLARSSL_CCM_C MBEDTLS_CCM_C
+#endif
+#if defined MBEDTLS_CERTS_C
+#define POLARSSL_CERTS_C MBEDTLS_CERTS_C
+#endif
+#if defined MBEDTLS_CIPHER_C
+#define POLARSSL_CIPHER_C MBEDTLS_CIPHER_C
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CBC
+#define POLARSSL_CIPHER_MODE_CBC MBEDTLS_CIPHER_MODE_CBC
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CFB
+#define POLARSSL_CIPHER_MODE_CFB MBEDTLS_CIPHER_MODE_CFB
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CTR
+#define POLARSSL_CIPHER_MODE_CTR MBEDTLS_CIPHER_MODE_CTR
+#endif
+#if defined MBEDTLS_CIPHER_NULL_CIPHER
+#define POLARSSL_CIPHER_NULL_CIPHER MBEDTLS_CIPHER_NULL_CIPHER
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_PKCS7
+#define POLARSSL_CIPHER_PADDING_PKCS7 MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS
+#define POLARSSL_CIPHER_PADDING_ZEROS MBEDTLS_CIPHER_PADDING_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#endif
+#if defined MBEDTLS_CTR_DRBG_C
+#define POLARSSL_CTR_DRBG_C MBEDTLS_CTR_DRBG_C
+#endif
+#if defined MBEDTLS_DEBUG_C
+#define POLARSSL_DEBUG_C MBEDTLS_DEBUG_C
+#endif
+#if defined MBEDTLS_DEPRECATED_REMOVED
+#define POLARSSL_DEPRECATED_REMOVED MBEDTLS_DEPRECATED_REMOVED
+#endif
+#if defined MBEDTLS_DEPRECATED_WARNING
+#define POLARSSL_DEPRECATED_WARNING MBEDTLS_DEPRECATED_WARNING
+#endif
+#if defined MBEDTLS_DES_ALT
+#define POLARSSL_DES_ALT MBEDTLS_DES_ALT
+#endif
+#if defined MBEDTLS_DES_C
+#define POLARSSL_DES_C MBEDTLS_DES_C
+#endif
+#if defined MBEDTLS_DHM_C
+#define POLARSSL_DHM_C MBEDTLS_DHM_C
+#endif
+#if defined MBEDTLS_ECDH_C
+#define POLARSSL_ECDH_C MBEDTLS_ECDH_C
+#endif
+#if defined MBEDTLS_ECDSA_C
+#define POLARSSL_ECDSA_C MBEDTLS_ECDSA_C
+#endif
+#if defined MBEDTLS_ECDSA_DETERMINISTIC
+#define POLARSSL_ECDSA_DETERMINISTIC MBEDTLS_ECDSA_DETERMINISTIC
+#endif
+#if defined MBEDTLS_ECP_C
+#define POLARSSL_ECP_C MBEDTLS_ECP_C
+#endif
+#if defined MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define POLARSSL_ECP_DP_BP256R1_ENABLED MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define POLARSSL_ECP_DP_BP384R1_ENABLED MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define POLARSSL_ECP_DP_BP512R1_ENABLED MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define POLARSSL_ECP_DP_M255_ENABLED MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define POLARSSL_ECP_DP_SECP192K1_ENABLED MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define POLARSSL_ECP_DP_SECP192R1_ENABLED MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define POLARSSL_ECP_DP_SECP224K1_ENABLED MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define POLARSSL_ECP_DP_SECP224R1_ENABLED MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define POLARSSL_ECP_DP_SECP256K1_ENABLED MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define POLARSSL_ECP_DP_SECP256R1_ENABLED MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define POLARSSL_ECP_DP_SECP384R1_ENABLED MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define POLARSSL_ECP_DP_SECP521R1_ENABLED MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_FIXED_POINT_OPTIM
+#define POLARSSL_ECP_FIXED_POINT_OPTIM MBEDTLS_ECP_FIXED_POINT_OPTIM
+#endif
+#if defined MBEDTLS_ECP_MAX_BITS
+#define POLARSSL_ECP_MAX_BITS MBEDTLS_ECP_MAX_BITS
+#endif
+#if defined MBEDTLS_ECP_NIST_OPTIM
+#define POLARSSL_ECP_NIST_OPTIM MBEDTLS_ECP_NIST_OPTIM
+#endif
+#if defined MBEDTLS_ECP_WINDOW_SIZE
+#define POLARSSL_ECP_WINDOW_SIZE MBEDTLS_ECP_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#define POLARSSL_ENABLE_WEAK_CIPHERSUITES MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#endif
+#if defined MBEDTLS_ENTROPY_C
+#define POLARSSL_ENTROPY_C MBEDTLS_ENTROPY_C
+#endif
+#if defined MBEDTLS_ENTROPY_FORCE_SHA256
+#define POLARSSL_ENTROPY_FORCE_SHA256 MBEDTLS_ENTROPY_FORCE_SHA256
+#endif
+#if defined MBEDTLS_ERROR_C
+#define POLARSSL_ERROR_C MBEDTLS_ERROR_C
+#endif
+#if defined MBEDTLS_ERROR_STRERROR_DUMMY
+#define POLARSSL_ERROR_STRERROR_DUMMY MBEDTLS_ERROR_STRERROR_DUMMY
+#endif
+#if defined MBEDTLS_FS_IO
+#define POLARSSL_FS_IO MBEDTLS_FS_IO
+#endif
+#if defined MBEDTLS_GCM_C
+#define POLARSSL_GCM_C MBEDTLS_GCM_C
+#endif
+#if defined MBEDTLS_GENPRIME
+#define POLARSSL_GENPRIME MBEDTLS_GENPRIME
+#endif
+#if defined MBEDTLS_HAVEGE_C
+#define POLARSSL_HAVEGE_C MBEDTLS_HAVEGE_C
+#endif
+#if defined MBEDTLS_HAVE_ASM
+#define POLARSSL_HAVE_ASM MBEDTLS_HAVE_ASM
+#endif
+#if defined MBEDTLS_HAVE_SSE2
+#define POLARSSL_HAVE_SSE2 MBEDTLS_HAVE_SSE2
+#endif
+#if defined MBEDTLS_HAVE_TIME
+#define POLARSSL_HAVE_TIME MBEDTLS_HAVE_TIME
+#endif
+#if defined MBEDTLS_HMAC_DRBG_C
+#define POLARSSL_HMAC_DRBG_C MBEDTLS_HMAC_DRBG_C
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_INPUT MBEDTLS_HMAC_DRBG_MAX_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#define POLARSSL_HMAC_DRBG_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_SEED_INPUT MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#define POLARSSL_HMAC_DRBG_RESEED_INTERVAL MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
+#if defined MBEDTLS_MD2_ALT
+#define POLARSSL_MD2_ALT MBEDTLS_MD2_ALT
+#endif
+#if defined MBEDTLS_MD2_C
+#define POLARSSL_MD2_C MBEDTLS_MD2_C
+#endif
+#if defined MBEDTLS_MD2_PROCESS_ALT
+#define POLARSSL_MD2_PROCESS_ALT MBEDTLS_MD2_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD4_ALT
+#define POLARSSL_MD4_ALT MBEDTLS_MD4_ALT
+#endif
+#if defined MBEDTLS_MD4_C
+#define POLARSSL_MD4_C MBEDTLS_MD4_C
+#endif
+#if defined MBEDTLS_MD4_PROCESS_ALT
+#define POLARSSL_MD4_PROCESS_ALT MBEDTLS_MD4_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD5_ALT
+#define POLARSSL_MD5_ALT MBEDTLS_MD5_ALT
+#endif
+#if defined MBEDTLS_MD5_C
+#define POLARSSL_MD5_C MBEDTLS_MD5_C
+#endif
+#if defined MBEDTLS_MD5_PROCESS_ALT
+#define POLARSSL_MD5_PROCESS_ALT MBEDTLS_MD5_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD_C
+#define POLARSSL_MD_C MBEDTLS_MD_C
+#endif
+#if defined MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#define POLARSSL_MEMORY_ALIGN_MULTIPLE MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#endif
+#if defined MBEDTLS_MEMORY_BACKTRACE
+#define POLARSSL_MEMORY_BACKTRACE MBEDTLS_MEMORY_BACKTRACE
+#endif
+#if defined MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define POLARSSL_MEMORY_BUFFER_ALLOC_C MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#endif
+#if defined MBEDTLS_MEMORY_DEBUG
+#define POLARSSL_MEMORY_DEBUG MBEDTLS_MEMORY_DEBUG
+#endif
+#if defined MBEDTLS_MPI_MAX_SIZE
+#define POLARSSL_MPI_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+#if defined MBEDTLS_MPI_WINDOW_SIZE
+#define POLARSSL_MPI_WINDOW_SIZE MBEDTLS_MPI_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_NET_C
+#define POLARSSL_NET_C MBEDTLS_NET_C
+#endif
+#if defined MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define POLARSSL_NO_DEFAULT_ENTROPY_SOURCES MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#endif
+#if defined MBEDTLS_NO_PLATFORM_ENTROPY
+#define POLARSSL_NO_PLATFORM_ENTROPY MBEDTLS_NO_PLATFORM_ENTROPY
+#endif
+#if defined MBEDTLS_OID_C
+#define POLARSSL_OID_C MBEDTLS_OID_C
+#endif
+#if defined MBEDTLS_PADLOCK_C
+#define POLARSSL_PADLOCK_C MBEDTLS_PADLOCK_C
+#endif
+#if defined MBEDTLS_PEM_PARSE_C
+#define POLARSSL_PEM_PARSE_C MBEDTLS_PEM_PARSE_C
+#endif
+#if defined MBEDTLS_PEM_WRITE_C
+#define POLARSSL_PEM_WRITE_C MBEDTLS_PEM_WRITE_C
+#endif
+#if defined MBEDTLS_PKCS11_C
+#define POLARSSL_PKCS11_C MBEDTLS_PKCS11_C
+#endif
+#if defined MBEDTLS_PKCS12_C
+#define POLARSSL_PKCS12_C MBEDTLS_PKCS12_C
+#endif
+#if defined MBEDTLS_PKCS1_V15
+#define POLARSSL_PKCS1_V15 MBEDTLS_PKCS1_V15
+#endif
+#if defined MBEDTLS_PKCS1_V21
+#define POLARSSL_PKCS1_V21 MBEDTLS_PKCS1_V21
+#endif
+#if defined MBEDTLS_PKCS5_C
+#define POLARSSL_PKCS5_C MBEDTLS_PKCS5_C
+#endif
+#if defined MBEDTLS_PK_C
+#define POLARSSL_PK_C MBEDTLS_PK_C
+#endif
+#if defined MBEDTLS_PK_PARSE_C
+#define POLARSSL_PK_PARSE_C MBEDTLS_PK_PARSE_C
+#endif
+#if defined MBEDTLS_PK_PARSE_EC_EXTENDED
+#define POLARSSL_PK_PARSE_EC_EXTENDED MBEDTLS_PK_PARSE_EC_EXTENDED
+#endif
+#if defined MBEDTLS_PK_RSA_ALT_SUPPORT
+#define POLARSSL_PK_RSA_ALT_SUPPORT MBEDTLS_PK_RSA_ALT_SUPPORT
+#endif
+#if defined MBEDTLS_PK_WRITE_C
+#define POLARSSL_PK_WRITE_C MBEDTLS_PK_WRITE_C
+#endif
+#if defined MBEDTLS_PLATFORM_C
+#define POLARSSL_PLATFORM_C MBEDTLS_PLATFORM_C
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_ALT
+#define POLARSSL_PLATFORM_EXIT_ALT MBEDTLS_PLATFORM_EXIT_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_MACRO
+#define POLARSSL_PLATFORM_EXIT_MACRO MBEDTLS_PLATFORM_EXIT_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_ALT
+#define POLARSSL_PLATFORM_FPRINTF_ALT MBEDTLS_PLATFORM_FPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_MACRO
+#define POLARSSL_PLATFORM_FPRINTF_MACRO MBEDTLS_PLATFORM_FPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FREE_MACRO
+#define POLARSSL_PLATFORM_FREE_MACRO MBEDTLS_PLATFORM_FREE_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_MEMORY
+#define POLARSSL_PLATFORM_MEMORY MBEDTLS_PLATFORM_MEMORY
+#endif
+#if defined MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define POLARSSL_PLATFORM_NO_STD_FUNCTIONS MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_ALT
+#define POLARSSL_PLATFORM_PRINTF_ALT MBEDTLS_PLATFORM_PRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_MACRO
+#define POLARSSL_PLATFORM_PRINTF_MACRO MBEDTLS_PLATFORM_PRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_ALT
+#define POLARSSL_PLATFORM_SNPRINTF_ALT MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#define POLARSSL_PLATFORM_SNPRINTF_MACRO MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_STD_EXIT
+#define POLARSSL_PLATFORM_STD_EXIT MBEDTLS_PLATFORM_STD_EXIT
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FPRINTF
+#define POLARSSL_PLATFORM_STD_FPRINTF MBEDTLS_PLATFORM_STD_FPRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FREE
+#define POLARSSL_PLATFORM_STD_FREE MBEDTLS_PLATFORM_STD_FREE
+#endif
+#if defined MBEDTLS_PLATFORM_STD_MEM_HDR
+#define POLARSSL_PLATFORM_STD_MEM_HDR MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#if defined MBEDTLS_PLATFORM_STD_PRINTF
+#define POLARSSL_PLATFORM_STD_PRINTF MBEDTLS_PLATFORM_STD_PRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_SNPRINTF
+#define POLARSSL_PLATFORM_STD_SNPRINTF MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif
+#if defined MBEDTLS_PSK_MAX_LEN
+#define POLARSSL_PSK_MAX_LEN MBEDTLS_PSK_MAX_LEN
+#endif
+#if defined MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#define POLARSSL_REMOVE_ARC4_CIPHERSUITES MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#endif
+#if defined MBEDTLS_RIPEMD160_ALT
+#define POLARSSL_RIPEMD160_ALT MBEDTLS_RIPEMD160_ALT
+#endif
+#if defined MBEDTLS_RIPEMD160_C
+#define POLARSSL_RIPEMD160_C MBEDTLS_RIPEMD160_C
+#endif
+#if defined MBEDTLS_RIPEMD160_PROCESS_ALT
+#define POLARSSL_RIPEMD160_PROCESS_ALT MBEDTLS_RIPEMD160_PROCESS_ALT
+#endif
+#if defined MBEDTLS_RSA_C
+#define POLARSSL_RSA_C MBEDTLS_RSA_C
+#endif
+#if defined MBEDTLS_RSA_NO_CRT
+#define POLARSSL_RSA_NO_CRT MBEDTLS_RSA_NO_CRT
+#endif
+#if defined MBEDTLS_SELF_TEST
+#define POLARSSL_SELF_TEST MBEDTLS_SELF_TEST
+#endif
+#if defined MBEDTLS_SHA1_ALT
+#define POLARSSL_SHA1_ALT MBEDTLS_SHA1_ALT
+#endif
+#if defined MBEDTLS_SHA1_C
+#define POLARSSL_SHA1_C MBEDTLS_SHA1_C
+#endif
+#if defined MBEDTLS_SHA1_PROCESS_ALT
+#define POLARSSL_SHA1_PROCESS_ALT MBEDTLS_SHA1_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA256_ALT
+#define POLARSSL_SHA256_ALT MBEDTLS_SHA256_ALT
+#endif
+#if defined MBEDTLS_SHA256_C
+#define POLARSSL_SHA256_C MBEDTLS_SHA256_C
+#endif
+#if defined MBEDTLS_SHA256_PROCESS_ALT
+#define POLARSSL_SHA256_PROCESS_ALT MBEDTLS_SHA256_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA512_ALT
+#define POLARSSL_SHA512_ALT MBEDTLS_SHA512_ALT
+#endif
+#if defined MBEDTLS_SHA512_C
+#define POLARSSL_SHA512_C MBEDTLS_SHA512_C
+#endif
+#if defined MBEDTLS_SHA512_PROCESS_ALT
+#define POLARSSL_SHA512_PROCESS_ALT MBEDTLS_SHA512_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#define POLARSSL_SSL_ALL_ALERT_MESSAGES MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#endif
+#if defined MBEDTLS_SSL_ALPN
+#define POLARSSL_SSL_ALPN MBEDTLS_SSL_ALPN
+#endif
+#if defined MBEDTLS_SSL_CACHE_C
+#define POLARSSL_SSL_CACHE_C MBEDTLS_SSL_CACHE_C
+#endif
+#if defined MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#define POLARSSL_SSL_CBC_RECORD_SPLITTING MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#endif
+#if defined MBEDTLS_SSL_CLI_C
+#define POLARSSL_SSL_CLI_C MBEDTLS_SSL_CLI_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_C
+#define POLARSSL_SSL_COOKIE_C MBEDTLS_SSL_COOKIE_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_TIMEOUT
+#define POLARSSL_SSL_COOKIE_TIMEOUT MBEDTLS_SSL_COOKIE_TIMEOUT
+#endif
+#if defined MBEDTLS_SSL_DEBUG_ALL
+#define POLARSSL_SSL_DEBUG_ALL MBEDTLS_SSL_DEBUG_ALL
+#endif
+#if defined MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#define POLARSSL_SSL_DTLS_ANTI_REPLAY MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#endif
+#if defined MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#define POLARSSL_SSL_DTLS_BADMAC_LIMIT MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#endif
+#if defined MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#define POLARSSL_SSL_DTLS_HELLO_VERIFY MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#endif
+#if defined MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#define POLARSSL_SSL_ENCRYPT_THEN_MAC MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#endif
+#if defined MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#define POLARSSL_SSL_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#endif
+#if defined MBEDTLS_SSL_FALLBACK_SCSV
+#define POLARSSL_SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#endif
+#if defined MBEDTLS_SSL_HW_RECORD_ACCEL
+#define POLARSSL_SSL_HW_RECORD_ACCEL MBEDTLS_SSL_HW_RECORD_ACCEL
+#endif
+#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#define POLARSSL_SSL_MAX_FRAGMENT_LENGTH MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#endif
+#if defined MBEDTLS_SSL_PROTO_DTLS
+#define POLARSSL_SSL_PROTO_DTLS MBEDTLS_SSL_PROTO_DTLS
+#endif
+#if defined MBEDTLS_SSL_PROTO_SSL3
+#define POLARSSL_SSL_PROTO_SSL3 MBEDTLS_SSL_PROTO_SSL3
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1
+#define POLARSSL_SSL_PROTO_TLS1 MBEDTLS_SSL_PROTO_TLS1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_1
+#define POLARSSL_SSL_PROTO_TLS1_1 MBEDTLS_SSL_PROTO_TLS1_1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_2
+#define POLARSSL_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_2
+#endif
+#if defined MBEDTLS_SSL_RENEGOTIATION
+#define POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#endif
+#if defined MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
+#endif
+#if defined MBEDTLS_SSL_SESSION_TICKETS
+#define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
+#endif
+#if defined MBEDTLS_SSL_SRV_C
+#define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
+#endif
+#if defined MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#define POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#endif
+#if defined MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#endif
+#if defined MBEDTLS_SSL_TLS_C
+#define POLARSSL_SSL_TLS_C MBEDTLS_SSL_TLS_C
+#endif
+#if defined MBEDTLS_SSL_TRUNCATED_HMAC
+#define POLARSSL_SSL_TRUNCATED_HMAC MBEDTLS_SSL_TRUNCATED_HMAC
+#endif
+#if defined MBEDTLS_THREADING_ALT
+#define POLARSSL_THREADING_ALT MBEDTLS_THREADING_ALT
+#endif
+#if defined MBEDTLS_THREADING_C
+#define POLARSSL_THREADING_C MBEDTLS_THREADING_C
+#endif
+#if defined MBEDTLS_THREADING_PTHREAD
+#define POLARSSL_THREADING_PTHREAD MBEDTLS_THREADING_PTHREAD
+#endif
+#if defined MBEDTLS_TIMING_ALT
+#define POLARSSL_TIMING_ALT MBEDTLS_TIMING_ALT
+#endif
+#if defined MBEDTLS_TIMING_C
+#define POLARSSL_TIMING_C MBEDTLS_TIMING_C
+#endif
+#if defined MBEDTLS_VERSION_C
+#define POLARSSL_VERSION_C MBEDTLS_VERSION_C
+#endif
+#if defined MBEDTLS_VERSION_FEATURES
+#define POLARSSL_VERSION_FEATURES MBEDTLS_VERSION_FEATURES
+#endif
+#if defined MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#define POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#endif
+#if defined MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#endif
+#if defined MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CHECK_KEY_USAGE
+#define POLARSSL_X509_CHECK_KEY_USAGE MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CREATE_C
+#define POLARSSL_X509_CREATE_C MBEDTLS_X509_CREATE_C
+#endif
+#if defined MBEDTLS_X509_CRL_PARSE_C
+#define POLARSSL_X509_CRL_PARSE_C MBEDTLS_X509_CRL_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_PARSE_C
+#define POLARSSL_X509_CRT_PARSE_C MBEDTLS_X509_CRT_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_WRITE_C
+#define POLARSSL_X509_CRT_WRITE_C MBEDTLS_X509_CRT_WRITE_C
+#endif
+#if defined MBEDTLS_X509_CSR_PARSE_C
+#define POLARSSL_X509_CSR_PARSE_C MBEDTLS_X509_CSR_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CSR_WRITE_C
+#define POLARSSL_X509_CSR_WRITE_C MBEDTLS_X509_CSR_WRITE_C
+#endif
+#if defined MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#endif
+#if defined MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#define POLARSSL_X509_RSASSA_PSS_SUPPORT MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#endif
+#if defined MBEDTLS_X509_USE_C
+#define POLARSSL_X509_USE_C MBEDTLS_X509_USE_C
+#endif
+#if defined MBEDTLS_XTEA_ALT
+#define POLARSSL_XTEA_ALT MBEDTLS_XTEA_ALT
+#endif
+#if defined MBEDTLS_XTEA_C
+#define POLARSSL_XTEA_C MBEDTLS_XTEA_C
+#endif
+#if defined MBEDTLS_ZLIB_SUPPORT
+#define POLARSSL_ZLIB_SUPPORT MBEDTLS_ZLIB_SUPPORT
+#endif
+
+/*
+ * Misc names (macros, types, functions, enum constants...)
+ */
+#define AES_DECRYPT MBEDTLS_AES_DECRYPT
+#define AES_ENCRYPT MBEDTLS_AES_ENCRYPT
+#define ASN1_BIT_STRING MBEDTLS_ASN1_BIT_STRING
+#define ASN1_BMP_STRING MBEDTLS_ASN1_BMP_STRING
+#define ASN1_BOOLEAN MBEDTLS_ASN1_BOOLEAN
+#define ASN1_CHK_ADD MBEDTLS_ASN1_CHK_ADD
+#define ASN1_CONSTRUCTED MBEDTLS_ASN1_CONSTRUCTED
+#define ASN1_CONTEXT_SPECIFIC MBEDTLS_ASN1_CONTEXT_SPECIFIC
+#define ASN1_GENERALIZED_TIME MBEDTLS_ASN1_GENERALIZED_TIME
+#define ASN1_IA5_STRING MBEDTLS_ASN1_IA5_STRING
+#define ASN1_INTEGER MBEDTLS_ASN1_INTEGER
+#define ASN1_NULL MBEDTLS_ASN1_NULL
+#define ASN1_OCTET_STRING MBEDTLS_ASN1_OCTET_STRING
+#define ASN1_OID MBEDTLS_ASN1_OID
+#define ASN1_PRIMITIVE MBEDTLS_ASN1_PRIMITIVE
+#define ASN1_PRINTABLE_STRING MBEDTLS_ASN1_PRINTABLE_STRING
+#define ASN1_SEQUENCE MBEDTLS_ASN1_SEQUENCE
+#define ASN1_SET MBEDTLS_ASN1_SET
+#define ASN1_T61_STRING MBEDTLS_ASN1_T61_STRING
+#define ASN1_UNIVERSAL_STRING MBEDTLS_ASN1_UNIVERSAL_STRING
+#define ASN1_UTC_TIME MBEDTLS_ASN1_UTC_TIME
+#define ASN1_UTF8_STRING MBEDTLS_ASN1_UTF8_STRING
+#define BADCERT_CN_MISMATCH MBEDTLS_X509_BADCERT_CN_MISMATCH
+#define BADCERT_EXPIRED MBEDTLS_X509_BADCERT_EXPIRED
+#define BADCERT_FUTURE MBEDTLS_X509_BADCERT_FUTURE
+#define BADCERT_MISSING MBEDTLS_X509_BADCERT_MISSING
+#define BADCERT_NOT_TRUSTED MBEDTLS_X509_BADCERT_NOT_TRUSTED
+#define BADCERT_OTHER MBEDTLS_X509_BADCERT_OTHER
+#define BADCERT_REVOKED MBEDTLS_X509_BADCERT_REVOKED
+#define BADCERT_SKIP_VERIFY MBEDTLS_X509_BADCERT_SKIP_VERIFY
+#define BADCRL_EXPIRED MBEDTLS_X509_BADCRL_EXPIRED
+#define BADCRL_FUTURE MBEDTLS_X509_BADCRL_FUTURE
+#define BADCRL_NOT_TRUSTED MBEDTLS_X509_BADCRL_NOT_TRUSTED
+#define BLOWFISH_BLOCKSIZE MBEDTLS_BLOWFISH_BLOCKSIZE
+#define BLOWFISH_DECRYPT MBEDTLS_BLOWFISH_DECRYPT
+#define BLOWFISH_ENCRYPT MBEDTLS_BLOWFISH_ENCRYPT
+#define BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
+#define BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
+#define BLOWFISH_ROUNDS MBEDTLS_BLOWFISH_ROUNDS
+#define CAMELLIA_DECRYPT MBEDTLS_CAMELLIA_DECRYPT
+#define CAMELLIA_ENCRYPT MBEDTLS_CAMELLIA_ENCRYPT
+#define COLLECT_SIZE MBEDTLS_HAVEGE_COLLECT_SIZE
+#define CTR_DRBG_BLOCKSIZE MBEDTLS_CTR_DRBG_BLOCKSIZE
+#define CTR_DRBG_ENTROPY_LEN MBEDTLS_CTR_DRBG_ENTROPY_LEN
+#define CTR_DRBG_KEYBITS MBEDTLS_CTR_DRBG_KEYBITS
+#define CTR_DRBG_KEYSIZE MBEDTLS_CTR_DRBG_KEYSIZE
+#define CTR_DRBG_MAX_INPUT MBEDTLS_CTR_DRBG_MAX_INPUT
+#define CTR_DRBG_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#define CTR_DRBG_MAX_SEED_INPUT MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+#define CTR_DRBG_PR_OFF MBEDTLS_CTR_DRBG_PR_OFF
+#define CTR_DRBG_PR_ON MBEDTLS_CTR_DRBG_PR_ON
+#define CTR_DRBG_RESEED_INTERVAL MBEDTLS_CTR_DRBG_RESEED_INTERVAL
+#define CTR_DRBG_SEEDLEN MBEDTLS_CTR_DRBG_SEEDLEN
+#define DEPRECATED MBEDTLS_DEPRECATED
+#define DES_DECRYPT MBEDTLS_DES_DECRYPT
+#define DES_ENCRYPT MBEDTLS_DES_ENCRYPT
+#define DES_KEY_SIZE MBEDTLS_DES_KEY_SIZE
+#define ENTROPY_BLOCK_SIZE MBEDTLS_ENTROPY_BLOCK_SIZE
+#define ENTROPY_MAX_GATHER MBEDTLS_ENTROPY_MAX_GATHER
+#define ENTROPY_MAX_SEED_SIZE MBEDTLS_ENTROPY_MAX_SEED_SIZE
+#define ENTROPY_MAX_SOURCES MBEDTLS_ENTROPY_MAX_SOURCES
+#define ENTROPY_MIN_HARDCLOCK MBEDTLS_ENTROPY_MIN_HARDCLOCK
+#define ENTROPY_MIN_HAVEGE MBEDTLS_ENTROPY_MIN_HAVEGE
+#define ENTROPY_MIN_PLATFORM MBEDTLS_ENTROPY_MIN_PLATFORM
+#define ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_SOURCE_MANUAL
+#define EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER
+#define EXT_BASIC_CONSTRAINTS MBEDTLS_X509_EXT_BASIC_CONSTRAINTS
+#define EXT_CERTIFICATE_POLICIES MBEDTLS_X509_EXT_CERTIFICATE_POLICIES
+#define EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS
+#define EXT_EXTENDED_KEY_USAGE MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE
+#define EXT_FRESHEST_CRL MBEDTLS_X509_EXT_FRESHEST_CRL
+#define EXT_INIHIBIT_ANYPOLICY MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY
+#define EXT_ISSUER_ALT_NAME MBEDTLS_X509_EXT_ISSUER_ALT_NAME
+#define EXT_KEY_USAGE MBEDTLS_X509_EXT_KEY_USAGE
+#define EXT_NAME_CONSTRAINTS MBEDTLS_X509_EXT_NAME_CONSTRAINTS
+#define EXT_NS_CERT_TYPE MBEDTLS_X509_EXT_NS_CERT_TYPE
+#define EXT_POLICY_CONSTRAINTS MBEDTLS_X509_EXT_POLICY_CONSTRAINTS
+#define EXT_POLICY_MAPPINGS MBEDTLS_X509_EXT_POLICY_MAPPINGS
+#define EXT_SUBJECT_ALT_NAME MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
+#define EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS
+#define EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER
+#define GCM_DECRYPT MBEDTLS_GCM_DECRYPT
+#define GCM_ENCRYPT MBEDTLS_GCM_ENCRYPT
+#define KU_CRL_SIGN MBEDTLS_X509_KU_CRL_SIGN
+#define KU_DATA_ENCIPHERMENT MBEDTLS_X509_KU_DATA_ENCIPHERMENT
+#define KU_DIGITAL_SIGNATURE MBEDTLS_X509_KU_DIGITAL_SIGNATURE
+#define KU_KEY_AGREEMENT MBEDTLS_X509_KU_KEY_AGREEMENT
+#define KU_KEY_CERT_SIGN MBEDTLS_X509_KU_KEY_CERT_SIGN
+#define KU_KEY_ENCIPHERMENT MBEDTLS_X509_KU_KEY_ENCIPHERMENT
+#define KU_NON_REPUDIATION MBEDTLS_X509_KU_NON_REPUDIATION
+#define LN_2_DIV_LN_10_SCALE100 MBEDTLS_LN_2_DIV_LN_10_SCALE100
+#define MEMORY_VERIFY_ALLOC MBEDTLS_MEMORY_VERIFY_ALLOC
+#define MEMORY_VERIFY_ALWAYS MBEDTLS_MEMORY_VERIFY_ALWAYS
+#define MEMORY_VERIFY_FREE MBEDTLS_MEMORY_VERIFY_FREE
+#define MEMORY_VERIFY_NONE MBEDTLS_MEMORY_VERIFY_NONE
+#define MPI_CHK MBEDTLS_MPI_CHK
+#define NET_PROTO_TCP MBEDTLS_NET_PROTO_TCP
+#define NET_PROTO_UDP MBEDTLS_NET_PROTO_UDP
+#define NS_CERT_TYPE_EMAIL MBEDTLS_X509_NS_CERT_TYPE_EMAIL
+#define NS_CERT_TYPE_EMAIL_CA MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA
+#define NS_CERT_TYPE_OBJECT_SIGNING MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA
+#define NS_CERT_TYPE_RESERVED MBEDTLS_X509_NS_CERT_TYPE_RESERVED
+#define NS_CERT_TYPE_SSL_CA MBEDTLS_X509_NS_CERT_TYPE_SSL_CA
+#define NS_CERT_TYPE_SSL_CLIENT MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT
+#define NS_CERT_TYPE_SSL_SERVER MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+#define OID_ANSI_X9_62 MBEDTLS_OID_ANSI_X9_62
+#define OID_ANSI_X9_62_FIELD_TYPE MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE
+#define OID_ANSI_X9_62_PRIME_FIELD MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD
+#define OID_ANSI_X9_62_SIG MBEDTLS_OID_ANSI_X9_62_SIG
+#define OID_ANSI_X9_62_SIG_SHA2 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2
+#define OID_ANY_EXTENDED_KEY_USAGE MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE
+#define OID_AT MBEDTLS_OID_AT
+#define OID_AT_CN MBEDTLS_OID_AT_CN
+#define OID_AT_COUNTRY MBEDTLS_OID_AT_COUNTRY
+#define OID_AT_DN_QUALIFIER MBEDTLS_OID_AT_DN_QUALIFIER
+#define OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT_GENERATION_QUALIFIER
+#define OID_AT_GIVEN_NAME MBEDTLS_OID_AT_GIVEN_NAME
+#define OID_AT_INITIALS MBEDTLS_OID_AT_INITIALS
+#define OID_AT_LOCALITY MBEDTLS_OID_AT_LOCALITY
+#define OID_AT_ORGANIZATION MBEDTLS_OID_AT_ORGANIZATION
+#define OID_AT_ORG_UNIT MBEDTLS_OID_AT_ORG_UNIT
+#define OID_AT_POSTAL_ADDRESS MBEDTLS_OID_AT_POSTAL_ADDRESS
+#define OID_AT_POSTAL_CODE MBEDTLS_OID_AT_POSTAL_CODE
+#define OID_AT_PSEUDONYM MBEDTLS_OID_AT_PSEUDONYM
+#define OID_AT_SERIAL_NUMBER MBEDTLS_OID_AT_SERIAL_NUMBER
+#define OID_AT_STATE MBEDTLS_OID_AT_STATE
+#define OID_AT_SUR_NAME MBEDTLS_OID_AT_SUR_NAME
+#define OID_AT_TITLE MBEDTLS_OID_AT_TITLE
+#define OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT_UNIQUE_IDENTIFIER
+#define OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER
+#define OID_BASIC_CONSTRAINTS MBEDTLS_OID_BASIC_CONSTRAINTS
+#define OID_CERTICOM MBEDTLS_OID_CERTICOM
+#define OID_CERTIFICATE_POLICIES MBEDTLS_OID_CERTIFICATE_POLICIES
+#define OID_CLIENT_AUTH MBEDTLS_OID_CLIENT_AUTH
+#define OID_CMP MBEDTLS_OID_CMP
+#define OID_CODE_SIGNING MBEDTLS_OID_CODE_SIGNING
+#define OID_COUNTRY_US MBEDTLS_OID_COUNTRY_US
+#define OID_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_CRL_DISTRIBUTION_POINTS
+#define OID_CRL_NUMBER MBEDTLS_OID_CRL_NUMBER
+#define OID_DES_CBC MBEDTLS_OID_DES_CBC
+#define OID_DES_EDE3_CBC MBEDTLS_OID_DES_EDE3_CBC
+#define OID_DIGEST_ALG_MD2 MBEDTLS_OID_DIGEST_ALG_MD2
+#define OID_DIGEST_ALG_MD4 MBEDTLS_OID_DIGEST_ALG_MD4
+#define OID_DIGEST_ALG_MD5 MBEDTLS_OID_DIGEST_ALG_MD5
+#define OID_DIGEST_ALG_SHA1 MBEDTLS_OID_DIGEST_ALG_SHA1
+#define OID_DIGEST_ALG_SHA224 MBEDTLS_OID_DIGEST_ALG_SHA224
+#define OID_DIGEST_ALG_SHA256 MBEDTLS_OID_DIGEST_ALG_SHA256
+#define OID_DIGEST_ALG_SHA384 MBEDTLS_OID_DIGEST_ALG_SHA384
+#define OID_DIGEST_ALG_SHA512 MBEDTLS_OID_DIGEST_ALG_SHA512
+#define OID_DOMAIN_COMPONENT MBEDTLS_OID_DOMAIN_COMPONENT
+#define OID_ECDSA_SHA1 MBEDTLS_OID_ECDSA_SHA1
+#define OID_ECDSA_SHA224 MBEDTLS_OID_ECDSA_SHA224
+#define OID_ECDSA_SHA256 MBEDTLS_OID_ECDSA_SHA256
+#define OID_ECDSA_SHA384 MBEDTLS_OID_ECDSA_SHA384
+#define OID_ECDSA_SHA512 MBEDTLS_OID_ECDSA_SHA512
+#define OID_EC_ALG_ECDH MBEDTLS_OID_EC_ALG_ECDH
+#define OID_EC_ALG_UNRESTRICTED MBEDTLS_OID_EC_ALG_UNRESTRICTED
+#define OID_EC_BRAINPOOL_V1 MBEDTLS_OID_EC_BRAINPOOL_V1
+#define OID_EC_GRP_BP256R1 MBEDTLS_OID_EC_GRP_BP256R1
+#define OID_EC_GRP_BP384R1 MBEDTLS_OID_EC_GRP_BP384R1
+#define OID_EC_GRP_BP512R1 MBEDTLS_OID_EC_GRP_BP512R1
+#define OID_EC_GRP_SECP192K1 MBEDTLS_OID_EC_GRP_SECP192K1
+#define OID_EC_GRP_SECP192R1 MBEDTLS_OID_EC_GRP_SECP192R1
+#define OID_EC_GRP_SECP224K1 MBEDTLS_OID_EC_GRP_SECP224K1
+#define OID_EC_GRP_SECP224R1 MBEDTLS_OID_EC_GRP_SECP224R1
+#define OID_EC_GRP_SECP256K1 MBEDTLS_OID_EC_GRP_SECP256K1
+#define OID_EC_GRP_SECP256R1 MBEDTLS_OID_EC_GRP_SECP256R1
+#define OID_EC_GRP_SECP384R1 MBEDTLS_OID_EC_GRP_SECP384R1
+#define OID_EC_GRP_SECP521R1 MBEDTLS_OID_EC_GRP_SECP521R1
+#define OID_EMAIL_PROTECTION MBEDTLS_OID_EMAIL_PROTECTION
+#define OID_EXTENDED_KEY_USAGE MBEDTLS_OID_EXTENDED_KEY_USAGE
+#define OID_FRESHEST_CRL MBEDTLS_OID_FRESHEST_CRL
+#define OID_GOV MBEDTLS_OID_GOV
+#define OID_HMAC_SHA1 MBEDTLS_OID_HMAC_SHA1
+#define OID_ID_CE MBEDTLS_OID_ID_CE
+#define OID_INIHIBIT_ANYPOLICY MBEDTLS_OID_INIHIBIT_ANYPOLICY
+#define OID_ISO_CCITT_DS MBEDTLS_OID_ISO_CCITT_DS
+#define OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ISO_IDENTIFIED_ORG
+#define OID_ISO_ITU_COUNTRY MBEDTLS_OID_ISO_ITU_COUNTRY
+#define OID_ISO_ITU_US_ORG MBEDTLS_OID_ISO_ITU_US_ORG
+#define OID_ISO_MEMBER_BODIES MBEDTLS_OID_ISO_MEMBER_BODIES
+#define OID_ISSUER_ALT_NAME MBEDTLS_OID_ISSUER_ALT_NAME
+#define OID_KEY_USAGE MBEDTLS_OID_KEY_USAGE
+#define OID_KP MBEDTLS_OID_KP
+#define OID_MGF1 MBEDTLS_OID_MGF1
+#define OID_NAME_CONSTRAINTS MBEDTLS_OID_NAME_CONSTRAINTS
+#define OID_NETSCAPE MBEDTLS_OID_NETSCAPE
+#define OID_NS_BASE_URL MBEDTLS_OID_NS_BASE_URL
+#define OID_NS_CA_POLICY_URL MBEDTLS_OID_NS_CA_POLICY_URL
+#define OID_NS_CA_REVOCATION_URL MBEDTLS_OID_NS_CA_REVOCATION_URL
+#define OID_NS_CERT MBEDTLS_OID_NS_CERT
+#define OID_NS_CERT_SEQUENCE MBEDTLS_OID_NS_CERT_SEQUENCE
+#define OID_NS_CERT_TYPE MBEDTLS_OID_NS_CERT_TYPE
+#define OID_NS_COMMENT MBEDTLS_OID_NS_COMMENT
+#define OID_NS_DATA_TYPE MBEDTLS_OID_NS_DATA_TYPE
+#define OID_NS_RENEWAL_URL MBEDTLS_OID_NS_RENEWAL_URL
+#define OID_NS_REVOCATION_URL MBEDTLS_OID_NS_REVOCATION_URL
+#define OID_NS_SSL_SERVER_NAME MBEDTLS_OID_NS_SSL_SERVER_NAME
+#define OID_OCSP_SIGNING MBEDTLS_OID_OCSP_SIGNING
+#define OID_OIW_SECSIG MBEDTLS_OID_OIW_SECSIG
+#define OID_OIW_SECSIG_ALG MBEDTLS_OID_OIW_SECSIG_ALG
+#define OID_OIW_SECSIG_SHA1 MBEDTLS_OID_OIW_SECSIG_SHA1
+#define OID_ORGANIZATION MBEDTLS_OID_ORGANIZATION
+#define OID_ORG_ANSI_X9_62 MBEDTLS_OID_ORG_ANSI_X9_62
+#define OID_ORG_CERTICOM MBEDTLS_OID_ORG_CERTICOM
+#define OID_ORG_DOD MBEDTLS_OID_ORG_DOD
+#define OID_ORG_GOV MBEDTLS_OID_ORG_GOV
+#define OID_ORG_NETSCAPE MBEDTLS_OID_ORG_NETSCAPE
+#define OID_ORG_OIW MBEDTLS_OID_ORG_OIW
+#define OID_ORG_RSA_DATA_SECURITY MBEDTLS_OID_ORG_RSA_DATA_SECURITY
+#define OID_ORG_TELETRUST MBEDTLS_OID_ORG_TELETRUST
+#define OID_PKCS MBEDTLS_OID_PKCS
+#define OID_PKCS1 MBEDTLS_OID_PKCS1
+#define OID_PKCS12 MBEDTLS_OID_PKCS12
+#define OID_PKCS12_PBE MBEDTLS_OID_PKCS12_PBE
+#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC
+#define OID_PKCS12_PBE_SHA1_RC4_128 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128
+#define OID_PKCS12_PBE_SHA1_RC4_40 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40
+#define OID_PKCS1_MD2 MBEDTLS_OID_PKCS1_MD2
+#define OID_PKCS1_MD4 MBEDTLS_OID_PKCS1_MD4
+#define OID_PKCS1_MD5 MBEDTLS_OID_PKCS1_MD5
+#define OID_PKCS1_RSA MBEDTLS_OID_PKCS1_RSA
+#define OID_PKCS1_SHA1 MBEDTLS_OID_PKCS1_SHA1
+#define OID_PKCS1_SHA224 MBEDTLS_OID_PKCS1_SHA224
+#define OID_PKCS1_SHA256 MBEDTLS_OID_PKCS1_SHA256
+#define OID_PKCS1_SHA384 MBEDTLS_OID_PKCS1_SHA384
+#define OID_PKCS1_SHA512 MBEDTLS_OID_PKCS1_SHA512
+#define OID_PKCS5 MBEDTLS_OID_PKCS5
+#define OID_PKCS5_PBES2 MBEDTLS_OID_PKCS5_PBES2
+#define OID_PKCS5_PBE_MD2_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC
+#define OID_PKCS5_PBE_MD2_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC
+#define OID_PKCS5_PBE_MD5_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC
+#define OID_PKCS5_PBE_MD5_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC
+#define OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC
+#define OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC
+#define OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5_PBKDF2
+#define OID_PKCS5_PBMAC1 MBEDTLS_OID_PKCS5_PBMAC1
+#define OID_PKCS9 MBEDTLS_OID_PKCS9
+#define OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9_CSR_EXT_REQ
+#define OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9_EMAIL
+#define OID_PKIX MBEDTLS_OID_PKIX
+#define OID_POLICY_CONSTRAINTS MBEDTLS_OID_POLICY_CONSTRAINTS
+#define OID_POLICY_MAPPINGS MBEDTLS_OID_POLICY_MAPPINGS
+#define OID_PRIVATE_KEY_USAGE_PERIOD MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD
+#define OID_RSASSA_PSS MBEDTLS_OID_RSASSA_PSS
+#define OID_RSA_COMPANY MBEDTLS_OID_RSA_COMPANY
+#define OID_RSA_SHA_OBS MBEDTLS_OID_RSA_SHA_OBS
+#define OID_SERVER_AUTH MBEDTLS_OID_SERVER_AUTH
+#define OID_SIZE MBEDTLS_OID_SIZE
+#define OID_SUBJECT_ALT_NAME MBEDTLS_OID_SUBJECT_ALT_NAME
+#define OID_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS
+#define OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER
+#define OID_TELETRUST MBEDTLS_OID_TELETRUST
+#define OID_TIME_STAMPING MBEDTLS_OID_TIME_STAMPING
+#define PADLOCK_ACE MBEDTLS_PADLOCK_ACE
+#define PADLOCK_ALIGN16 MBEDTLS_PADLOCK_ALIGN16
+#define PADLOCK_PHE MBEDTLS_PADLOCK_PHE
+#define PADLOCK_PMM MBEDTLS_PADLOCK_PMM
+#define PADLOCK_RNG MBEDTLS_PADLOCK_RNG
+#define PKCS12_DERIVE_IV MBEDTLS_PKCS12_DERIVE_IV
+#define PKCS12_DERIVE_KEY MBEDTLS_PKCS12_DERIVE_KEY
+#define PKCS12_DERIVE_MAC_KEY MBEDTLS_PKCS12_DERIVE_MAC_KEY
+#define PKCS12_PBE_DECRYPT MBEDTLS_PKCS12_PBE_DECRYPT
+#define PKCS12_PBE_ENCRYPT MBEDTLS_PKCS12_PBE_ENCRYPT
+#define PKCS5_DECRYPT MBEDTLS_PKCS5_DECRYPT
+#define PKCS5_ENCRYPT MBEDTLS_PKCS5_ENCRYPT
+#define POLARSSL_AESNI_AES MBEDTLS_AESNI_AES
+#define POLARSSL_AESNI_CLMUL MBEDTLS_AESNI_CLMUL
+#define POLARSSL_AESNI_H MBEDTLS_AESNI_H
+#define POLARSSL_AES_H MBEDTLS_AES_H
+#define POLARSSL_ARC4_H MBEDTLS_ARC4_H
+#define POLARSSL_ASN1_H MBEDTLS_ASN1_H
+#define POLARSSL_ASN1_WRITE_H MBEDTLS_ASN1_WRITE_H
+#define POLARSSL_BASE64_H MBEDTLS_BASE64_H
+#define POLARSSL_BIGNUM_H MBEDTLS_BIGNUM_H
+#define POLARSSL_BLOWFISH_H MBEDTLS_BLOWFISH_H
+#define POLARSSL_BN_MUL_H MBEDTLS_BN_MUL_H
+#define POLARSSL_CAMELLIA_H MBEDTLS_CAMELLIA_H
+#define POLARSSL_CCM_H MBEDTLS_CCM_H
+#define POLARSSL_CERTS_H MBEDTLS_CERTS_H
+#define POLARSSL_CHECK_CONFIG_H MBEDTLS_CHECK_CONFIG_H
+#define POLARSSL_CIPHERSUITE_NODTLS MBEDTLS_CIPHERSUITE_NODTLS
+#define POLARSSL_CIPHERSUITE_SHORT_TAG MBEDTLS_CIPHERSUITE_SHORT_TAG
+#define POLARSSL_CIPHERSUITE_WEAK MBEDTLS_CIPHERSUITE_WEAK
+#define POLARSSL_CIPHER_AES_128_CBC MBEDTLS_CIPHER_AES_128_CBC
+#define POLARSSL_CIPHER_AES_128_CCM MBEDTLS_CIPHER_AES_128_CCM
+#define POLARSSL_CIPHER_AES_128_CFB128 MBEDTLS_CIPHER_AES_128_CFB128
+#define POLARSSL_CIPHER_AES_128_CTR MBEDTLS_CIPHER_AES_128_CTR
+#define POLARSSL_CIPHER_AES_128_ECB MBEDTLS_CIPHER_AES_128_ECB
+#define POLARSSL_CIPHER_AES_128_GCM MBEDTLS_CIPHER_AES_128_GCM
+#define POLARSSL_CIPHER_AES_192_CBC MBEDTLS_CIPHER_AES_192_CBC
+#define POLARSSL_CIPHER_AES_192_CCM MBEDTLS_CIPHER_AES_192_CCM
+#define POLARSSL_CIPHER_AES_192_CFB128 MBEDTLS_CIPHER_AES_192_CFB128
+#define POLARSSL_CIPHER_AES_192_CTR MBEDTLS_CIPHER_AES_192_CTR
+#define POLARSSL_CIPHER_AES_192_ECB MBEDTLS_CIPHER_AES_192_ECB
+#define POLARSSL_CIPHER_AES_192_GCM MBEDTLS_CIPHER_AES_192_GCM
+#define POLARSSL_CIPHER_AES_256_CBC MBEDTLS_CIPHER_AES_256_CBC
+#define POLARSSL_CIPHER_AES_256_CCM MBEDTLS_CIPHER_AES_256_CCM
+#define POLARSSL_CIPHER_AES_256_CFB128 MBEDTLS_CIPHER_AES_256_CFB128
+#define POLARSSL_CIPHER_AES_256_CTR MBEDTLS_CIPHER_AES_256_CTR
+#define POLARSSL_CIPHER_AES_256_ECB MBEDTLS_CIPHER_AES_256_ECB
+#define POLARSSL_CIPHER_AES_256_GCM MBEDTLS_CIPHER_AES_256_GCM
+#define POLARSSL_CIPHER_ARC4_128 MBEDTLS_CIPHER_ARC4_128
+#define POLARSSL_CIPHER_BLOWFISH_CBC MBEDTLS_CIPHER_BLOWFISH_CBC
+#define POLARSSL_CIPHER_BLOWFISH_CFB64 MBEDTLS_CIPHER_BLOWFISH_CFB64
+#define POLARSSL_CIPHER_BLOWFISH_CTR MBEDTLS_CIPHER_BLOWFISH_CTR
+#define POLARSSL_CIPHER_BLOWFISH_ECB MBEDTLS_CIPHER_BLOWFISH_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_CBC MBEDTLS_CIPHER_CAMELLIA_128_CBC
+#define POLARSSL_CIPHER_CAMELLIA_128_CCM MBEDTLS_CIPHER_CAMELLIA_128_CCM
+#define POLARSSL_CIPHER_CAMELLIA_128_CFB128 MBEDTLS_CIPHER_CAMELLIA_128_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_128_CTR MBEDTLS_CIPHER_CAMELLIA_128_CTR
+#define POLARSSL_CIPHER_CAMELLIA_128_ECB MBEDTLS_CIPHER_CAMELLIA_128_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_GCM MBEDTLS_CIPHER_CAMELLIA_128_GCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CBC MBEDTLS_CIPHER_CAMELLIA_192_CBC
+#define POLARSSL_CIPHER_CAMELLIA_192_CCM MBEDTLS_CIPHER_CAMELLIA_192_CCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CFB128 MBEDTLS_CIPHER_CAMELLIA_192_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_192_CTR MBEDTLS_CIPHER_CAMELLIA_192_CTR
+#define POLARSSL_CIPHER_CAMELLIA_192_ECB MBEDTLS_CIPHER_CAMELLIA_192_ECB
+#define POLARSSL_CIPHER_CAMELLIA_192_GCM MBEDTLS_CIPHER_CAMELLIA_192_GCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CBC MBEDTLS_CIPHER_CAMELLIA_256_CBC
+#define POLARSSL_CIPHER_CAMELLIA_256_CCM MBEDTLS_CIPHER_CAMELLIA_256_CCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CFB128 MBEDTLS_CIPHER_CAMELLIA_256_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_256_CTR MBEDTLS_CIPHER_CAMELLIA_256_CTR
+#define POLARSSL_CIPHER_CAMELLIA_256_ECB MBEDTLS_CIPHER_CAMELLIA_256_ECB
+#define POLARSSL_CIPHER_CAMELLIA_256_GCM MBEDTLS_CIPHER_CAMELLIA_256_GCM
+#define POLARSSL_CIPHER_DES_CBC MBEDTLS_CIPHER_DES_CBC
+#define POLARSSL_CIPHER_DES_ECB MBEDTLS_CIPHER_DES_ECB
+#define POLARSSL_CIPHER_DES_EDE3_CBC MBEDTLS_CIPHER_DES_EDE3_CBC
+#define POLARSSL_CIPHER_DES_EDE3_ECB MBEDTLS_CIPHER_DES_EDE3_ECB
+#define POLARSSL_CIPHER_DES_EDE_CBC MBEDTLS_CIPHER_DES_EDE_CBC
+#define POLARSSL_CIPHER_DES_EDE_ECB MBEDTLS_CIPHER_DES_EDE_ECB
+#define POLARSSL_CIPHER_H MBEDTLS_CIPHER_H
+#define POLARSSL_CIPHER_ID_3DES MBEDTLS_CIPHER_ID_3DES
+#define POLARSSL_CIPHER_ID_AES MBEDTLS_CIPHER_ID_AES
+#define POLARSSL_CIPHER_ID_ARC4 MBEDTLS_CIPHER_ID_ARC4
+#define POLARSSL_CIPHER_ID_BLOWFISH MBEDTLS_CIPHER_ID_BLOWFISH
+#define POLARSSL_CIPHER_ID_CAMELLIA MBEDTLS_CIPHER_ID_CAMELLIA
+#define POLARSSL_CIPHER_ID_DES MBEDTLS_CIPHER_ID_DES
+#define POLARSSL_CIPHER_ID_NONE MBEDTLS_CIPHER_ID_NONE
+#define POLARSSL_CIPHER_ID_NULL MBEDTLS_CIPHER_ID_NULL
+#define POLARSSL_CIPHER_MODE_AEAD MBEDTLS_CIPHER_MODE_AEAD
+#define POLARSSL_CIPHER_MODE_STREAM MBEDTLS_CIPHER_MODE_STREAM
+#define POLARSSL_CIPHER_MODE_WITH_PADDING MBEDTLS_CIPHER_MODE_WITH_PADDING
+#define POLARSSL_CIPHER_NONE MBEDTLS_CIPHER_NONE
+#define POLARSSL_CIPHER_NULL MBEDTLS_CIPHER_NULL
+#define POLARSSL_CIPHER_VARIABLE_IV_LEN MBEDTLS_CIPHER_VARIABLE_IV_LEN
+#define POLARSSL_CIPHER_VARIABLE_KEY_LEN MBEDTLS_CIPHER_VARIABLE_KEY_LEN
+#define POLARSSL_CIPHER_WRAP_H MBEDTLS_CIPHER_WRAP_H
+#define POLARSSL_CONFIG_H MBEDTLS_CONFIG_H
+#define POLARSSL_CTR_DRBG_H MBEDTLS_CTR_DRBG_H
+#define POLARSSL_DEBUG_H MBEDTLS_DEBUG_H
+#define POLARSSL_DECRYPT MBEDTLS_DECRYPT
+#define POLARSSL_DES_H MBEDTLS_DES_H
+#define POLARSSL_DHM_H MBEDTLS_DHM_H
+#define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
+#define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
+#define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
+#define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
+#define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
+#define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
+#define POLARSSL_ECDH_H MBEDTLS_ECDH_H
+#define POLARSSL_ECDH_OURS MBEDTLS_ECDH_OURS
+#define POLARSSL_ECDH_THEIRS MBEDTLS_ECDH_THEIRS
+#define POLARSSL_ECDSA_H MBEDTLS_ECDSA_H
+#define POLARSSL_ECP_DP_BP256R1 MBEDTLS_ECP_DP_BP256R1
+#define POLARSSL_ECP_DP_BP384R1 MBEDTLS_ECP_DP_BP384R1
+#define POLARSSL_ECP_DP_BP512R1 MBEDTLS_ECP_DP_BP512R1
+#define POLARSSL_ECP_DP_M255 MBEDTLS_ECP_DP_CURVE25519
+#define POLARSSL_ECP_DP_MAX MBEDTLS_ECP_DP_MAX
+#define POLARSSL_ECP_DP_NONE MBEDTLS_ECP_DP_NONE
+#define POLARSSL_ECP_DP_SECP192K1 MBEDTLS_ECP_DP_SECP192K1
+#define POLARSSL_ECP_DP_SECP192R1 MBEDTLS_ECP_DP_SECP192R1
+#define POLARSSL_ECP_DP_SECP224K1 MBEDTLS_ECP_DP_SECP224K1
+#define POLARSSL_ECP_DP_SECP224R1 MBEDTLS_ECP_DP_SECP224R1
+#define POLARSSL_ECP_DP_SECP256K1 MBEDTLS_ECP_DP_SECP256K1
+#define POLARSSL_ECP_DP_SECP256R1 MBEDTLS_ECP_DP_SECP256R1
+#define POLARSSL_ECP_DP_SECP384R1 MBEDTLS_ECP_DP_SECP384R1
+#define POLARSSL_ECP_DP_SECP521R1 MBEDTLS_ECP_DP_SECP521R1
+#define POLARSSL_ECP_H MBEDTLS_ECP_H
+#define POLARSSL_ECP_MAX_BYTES MBEDTLS_ECP_MAX_BYTES
+#define POLARSSL_ECP_MAX_PT_LEN MBEDTLS_ECP_MAX_PT_LEN
+#define POLARSSL_ECP_PF_COMPRESSED MBEDTLS_ECP_PF_COMPRESSED
+#define POLARSSL_ECP_PF_UNCOMPRESSED MBEDTLS_ECP_PF_UNCOMPRESSED
+#define POLARSSL_ECP_TLS_NAMED_CURVE MBEDTLS_ECP_TLS_NAMED_CURVE
+#define POLARSSL_ENCRYPT MBEDTLS_ENCRYPT
+#define POLARSSL_ENTROPY_H MBEDTLS_ENTROPY_H
+#define POLARSSL_ENTROPY_POLL_H MBEDTLS_ENTROPY_POLL_H
+#define POLARSSL_ENTROPY_SHA256_ACCUMULATOR MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#define POLARSSL_ENTROPY_SHA512_ACCUMULATOR MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#define POLARSSL_ERROR_H MBEDTLS_ERROR_H
+#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_ASN1_BUF_TOO_SMALL MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+#define POLARSSL_ERR_ASN1_INVALID_DATA MBEDTLS_ERR_ASN1_INVALID_DATA
+#define POLARSSL_ERR_ASN1_INVALID_LENGTH MBEDTLS_ERR_ASN1_INVALID_LENGTH
+#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+#define POLARSSL_ERR_ASN1_MALLOC_FAILED MBEDTLS_ERR_ASN1_ALLOC_FAILED
+#define POLARSSL_ERR_ASN1_OUT_OF_DATA MBEDTLS_ERR_ASN1_OUT_OF_DATA
+#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_BASE64_INVALID_CHARACTER MBEDTLS_ERR_BASE64_INVALID_CHARACTER
+#define POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CCM_AUTH_FAILED MBEDTLS_ERR_CCM_AUTH_FAILED
+#define POLARSSL_ERR_CCM_BAD_INPUT MBEDTLS_ERR_CCM_BAD_INPUT
+#define POLARSSL_ERR_CIPHER_ALLOC_FAILED MBEDTLS_ERR_CIPHER_ALLOC_FAILED
+#define POLARSSL_ERR_CIPHER_AUTH_FAILED MBEDTLS_ERR_CIPHER_AUTH_FAILED
+#define POLARSSL_ERR_CIPHER_BAD_INPUT_DATA MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+#define POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
+#define POLARSSL_ERR_CIPHER_INVALID_PADDING MBEDTLS_ERR_CIPHER_INVALID_PADDING
+#define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_DES_INVALID_INPUT_LENGTH MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_DHM_BAD_INPUT_DATA MBEDTLS_ERR_DHM_BAD_INPUT_DATA
+#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED MBEDTLS_ERR_DHM_CALC_SECRET_FAILED
+#define POLARSSL_ERR_DHM_FILE_IO_ERROR MBEDTLS_ERR_DHM_FILE_IO_ERROR
+#define POLARSSL_ERR_DHM_INVALID_FORMAT MBEDTLS_ERR_DHM_INVALID_FORMAT
+#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED
+#define POLARSSL_ERR_DHM_MALLOC_FAILED MBEDTLS_ERR_DHM_ALLOC_FAILED
+#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED MBEDTLS_ERR_DHM_READ_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED
+#define POLARSSL_ERR_ECP_BAD_INPUT_DATA MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_ECP_INVALID_KEY MBEDTLS_ERR_ECP_INVALID_KEY
+#define POLARSSL_ERR_ECP_MALLOC_FAILED MBEDTLS_ERR_ECP_ALLOC_FAILED
+#define POLARSSL_ERR_ECP_RANDOM_FAILED MBEDTLS_ERR_ECP_RANDOM_FAILED
+#define POLARSSL_ERR_ECP_SIG_LEN_MISMATCH MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_ECP_VERIFY_FAILED MBEDTLS_ERR_ECP_VERIFY_FAILED
+#define POLARSSL_ERR_ENTROPY_FILE_IO_ERROR MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR
+#define POLARSSL_ERR_ENTROPY_MAX_SOURCES MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+#define POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED
+#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_GCM_AUTH_FAILED MBEDTLS_ERR_GCM_AUTH_FAILED
+#define POLARSSL_ERR_GCM_BAD_INPUT MBEDTLS_ERR_GCM_BAD_INPUT
+#define POLARSSL_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_HMAC_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_MD_ALLOC_FAILED MBEDTLS_ERR_MD_ALLOC_FAILED
+#define POLARSSL_ERR_MD_BAD_INPUT_DATA MBEDTLS_ERR_MD_BAD_INPUT_DATA
+#define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_MD_FILE_IO_ERROR MBEDTLS_ERR_MD_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_BAD_INPUT_DATA MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_MPI_DIVISION_BY_ZERO MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
+#define POLARSSL_ERR_MPI_FILE_IO_ERROR MBEDTLS_ERR_MPI_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_INVALID_CHARACTER MBEDTLS_ERR_MPI_INVALID_CHARACTER
+#define POLARSSL_ERR_MPI_MALLOC_FAILED MBEDTLS_ERR_MPI_ALLOC_FAILED
+#define POLARSSL_ERR_MPI_NEGATIVE_VALUE MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
+#define POLARSSL_ERR_NET_ACCEPT_FAILED MBEDTLS_ERR_NET_ACCEPT_FAILED
+#define POLARSSL_ERR_NET_BIND_FAILED MBEDTLS_ERR_NET_BIND_FAILED
+#define POLARSSL_ERR_NET_CONNECT_FAILED MBEDTLS_ERR_NET_CONNECT_FAILED
+#define POLARSSL_ERR_NET_CONN_RESET MBEDTLS_ERR_NET_CONN_RESET
+#define POLARSSL_ERR_NET_LISTEN_FAILED MBEDTLS_ERR_NET_LISTEN_FAILED
+#define POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED
+#define POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED
+#define POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED
+#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT
+#define POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST
+#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ
+#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
+#define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
+#define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
+#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
+#define POLARSSL_ERR_PEM_BAD_INPUT_DATA MBEDTLS_ERR_PEM_BAD_INPUT_DATA
+#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PEM_INVALID_DATA MBEDTLS_ERR_PEM_INVALID_DATA
+#define POLARSSL_ERR_PEM_INVALID_ENC_IV MBEDTLS_ERR_PEM_INVALID_ENC_IV
+#define POLARSSL_ERR_PEM_MALLOC_FAILED MBEDTLS_ERR_PEM_ALLOC_FAILED
+#define POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
+#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH MBEDTLS_ERR_PEM_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED MBEDTLS_ERR_PEM_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
+#define POLARSSL_ERR_PKCS12_BAD_INPUT_DATA MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS5_INVALID_FORMAT MBEDTLS_ERR_PKCS5_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_BAD_INPUT_DATA MBEDTLS_ERR_PK_BAD_INPUT_DATA
+#define POLARSSL_ERR_PK_FEATURE_UNAVAILABLE MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PK_FILE_IO_ERROR MBEDTLS_ERR_PK_FILE_IO_ERROR
+#define POLARSSL_ERR_PK_INVALID_ALG MBEDTLS_ERR_PK_INVALID_ALG
+#define POLARSSL_ERR_PK_INVALID_PUBKEY MBEDTLS_ERR_PK_INVALID_PUBKEY
+#define POLARSSL_ERR_PK_KEY_INVALID_FORMAT MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+#define POLARSSL_ERR_PK_KEY_INVALID_VERSION MBEDTLS_ERR_PK_KEY_INVALID_VERSION
+#define POLARSSL_ERR_PK_MALLOC_FAILED MBEDTLS_ERR_PK_ALLOC_FAILED
+#define POLARSSL_ERR_PK_PASSWORD_MISMATCH MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_PASSWORD_REQUIRED MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PK_SIG_LEN_MISMATCH MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_PK_TYPE_MISMATCH MBEDTLS_ERR_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE
+#define POLARSSL_ERR_PK_UNKNOWN_PK_ALG MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
+#define POLARSSL_ERR_RSA_BAD_INPUT_DATA MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+#define POLARSSL_ERR_RSA_INVALID_PADDING MBEDTLS_ERR_RSA_INVALID_PADDING
+#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+#define POLARSSL_ERR_RSA_KEY_GEN_FAILED MBEDTLS_ERR_RSA_KEY_GEN_FAILED
+#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
+#define POLARSSL_ERR_RSA_PRIVATE_FAILED MBEDTLS_ERR_RSA_PRIVATE_FAILED
+#define POLARSSL_ERR_RSA_PUBLIC_FAILED MBEDTLS_ERR_RSA_PUBLIC_FAILED
+#define POLARSSL_ERR_RSA_RNG_FAILED MBEDTLS_ERR_RSA_RNG_FAILED
+#define POLARSSL_ERR_RSA_VERIFY_FAILED MBEDTLS_ERR_RSA_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
+#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
+#define POLARSSL_ERR_SSL_BAD_HS_FINISHED MBEDTLS_ERR_SSL_BAD_HS_FINISHED
+#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
+#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_INPUT_DATA MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+#define POLARSSL_ERR_SSL_BUFFER_TOO_SMALL MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
+#define POLARSSL_ERR_SSL_COMPRESSION_FAILED MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+#define POLARSSL_ERR_SSL_CONN_EOF MBEDTLS_ERR_SSL_CONN_EOF
+#define POLARSSL_ERR_SSL_COUNTER_WRAPPING MBEDTLS_ERR_SSL_COUNTER_WRAPPING
+#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
+#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
+#define POLARSSL_ERR_SSL_INTERNAL_ERROR MBEDTLS_ERR_SSL_INTERNAL_ERROR
+#define POLARSSL_ERR_SSL_INVALID_MAC MBEDTLS_ERR_SSL_INVALID_MAC
+#define POLARSSL_ERR_SSL_INVALID_RECORD MBEDTLS_ERR_SSL_INVALID_RECORD
+#define POLARSSL_ERR_SSL_MALLOC_FAILED MBEDTLS_ERR_SSL_ALLOC_FAILED
+#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
+#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
+#define POLARSSL_ERR_SSL_NO_RNG MBEDTLS_ERR_SSL_NO_RNG
+#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
+#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
+#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
+#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
+#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER MBEDTLS_ERR_SSL_UNKNOWN_CIPHER
+#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
+#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
+#define POLARSSL_ERR_THREADING_BAD_INPUT_DATA MBEDTLS_ERR_THREADING_BAD_INPUT_DATA
+#define POLARSSL_ERR_THREADING_FEATURE_UNAVAILABLE MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_THREADING_MUTEX_ERROR MBEDTLS_ERR_THREADING_MUTEX_ERROR
+#define POLARSSL_ERR_X509_BAD_INPUT_DATA MBEDTLS_ERR_X509_BAD_INPUT_DATA
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT
+#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_X509_FILE_IO_ERROR MBEDTLS_ERR_X509_FILE_IO_ERROR
+#define POLARSSL_ERR_X509_INVALID_ALG MBEDTLS_ERR_X509_INVALID_ALG
+#define POLARSSL_ERR_X509_INVALID_DATE MBEDTLS_ERR_X509_INVALID_DATE
+#define POLARSSL_ERR_X509_INVALID_EXTENSIONS MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+#define POLARSSL_ERR_X509_INVALID_FORMAT MBEDTLS_ERR_X509_INVALID_FORMAT
+#define POLARSSL_ERR_X509_INVALID_NAME MBEDTLS_ERR_X509_INVALID_NAME
+#define POLARSSL_ERR_X509_INVALID_SERIAL MBEDTLS_ERR_X509_INVALID_SERIAL
+#define POLARSSL_ERR_X509_INVALID_SIGNATURE MBEDTLS_ERR_X509_INVALID_SIGNATURE
+#define POLARSSL_ERR_X509_INVALID_VERSION MBEDTLS_ERR_X509_INVALID_VERSION
+#define POLARSSL_ERR_X509_MALLOC_FAILED MBEDTLS_ERR_X509_ALLOC_FAILED
+#define POLARSSL_ERR_X509_SIG_MISMATCH MBEDTLS_ERR_X509_SIG_MISMATCH
+#define POLARSSL_ERR_X509_UNKNOWN_OID MBEDTLS_ERR_X509_UNKNOWN_OID
+#define POLARSSL_ERR_X509_UNKNOWN_SIG_ALG MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
+#define POLARSSL_ERR_X509_UNKNOWN_VERSION MBEDTLS_ERR_X509_UNKNOWN_VERSION
+#define POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH
+#define POLARSSL_GCM_H MBEDTLS_GCM_H
+#define POLARSSL_HAVEGE_H MBEDTLS_HAVEGE_H
+#define POLARSSL_HAVE_INT32 MBEDTLS_HAVE_INT32
+#define POLARSSL_HAVE_INT64 MBEDTLS_HAVE_INT64
+#define POLARSSL_HAVE_UDBL MBEDTLS_HAVE_UDBL
+#define POLARSSL_HAVE_X86 MBEDTLS_HAVE_X86
+#define POLARSSL_HAVE_X86_64 MBEDTLS_HAVE_X86_64
+#define POLARSSL_HMAC_DRBG_H MBEDTLS_HMAC_DRBG_H
+#define POLARSSL_HMAC_DRBG_PR_OFF MBEDTLS_HMAC_DRBG_PR_OFF
+#define POLARSSL_HMAC_DRBG_PR_ON MBEDTLS_HMAC_DRBG_PR_ON
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK MBEDTLS_KEY_EXCHANGE_DHE_PSK
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA MBEDTLS_KEY_EXCHANGE_DHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA MBEDTLS_KEY_EXCHANGE_ECDH_RSA
+#define POLARSSL_KEY_EXCHANGE_NONE MBEDTLS_KEY_EXCHANGE_NONE
+#define POLARSSL_KEY_EXCHANGE_PSK MBEDTLS_KEY_EXCHANGE_PSK
+#define POLARSSL_KEY_EXCHANGE_RSA MBEDTLS_KEY_EXCHANGE_RSA
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK MBEDTLS_KEY_EXCHANGE_RSA_PSK
+#define POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
+#define POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
+#define POLARSSL_KEY_LENGTH_DES MBEDTLS_KEY_LENGTH_DES
+#define POLARSSL_KEY_LENGTH_DES_EDE MBEDTLS_KEY_LENGTH_DES_EDE
+#define POLARSSL_KEY_LENGTH_DES_EDE3 MBEDTLS_KEY_LENGTH_DES_EDE3
+#define POLARSSL_KEY_LENGTH_NONE MBEDTLS_KEY_LENGTH_NONE
+#define POLARSSL_MAX_BLOCK_LENGTH MBEDTLS_MAX_BLOCK_LENGTH
+#define POLARSSL_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
+#define POLARSSL_MD2_H MBEDTLS_MD2_H
+#define POLARSSL_MD4_H MBEDTLS_MD4_H
+#define POLARSSL_MD5_H MBEDTLS_MD5_H
+#define POLARSSL_MD_H MBEDTLS_MD_H
+#define POLARSSL_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
+#define POLARSSL_MD_MD2 MBEDTLS_MD_MD2
+#define POLARSSL_MD_MD4 MBEDTLS_MD_MD4
+#define POLARSSL_MD_MD5 MBEDTLS_MD_MD5
+#define POLARSSL_MD_NONE MBEDTLS_MD_NONE
+#define POLARSSL_MD_RIPEMD160 MBEDTLS_MD_RIPEMD160
+#define POLARSSL_MD_SHA1 MBEDTLS_MD_SHA1
+#define POLARSSL_MD_SHA224 MBEDTLS_MD_SHA224
+#define POLARSSL_MD_SHA256 MBEDTLS_MD_SHA256
+#define POLARSSL_MD_SHA384 MBEDTLS_MD_SHA384
+#define POLARSSL_MD_SHA512 MBEDTLS_MD_SHA512
+#define POLARSSL_MD_WRAP_H MBEDTLS_MD_WRAP_H
+#define POLARSSL_MEMORY_BUFFER_ALLOC_H MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define POLARSSL_MODE_CBC MBEDTLS_MODE_CBC
+#define POLARSSL_MODE_CCM MBEDTLS_MODE_CCM
+#define POLARSSL_MODE_CFB MBEDTLS_MODE_CFB
+#define POLARSSL_MODE_CTR MBEDTLS_MODE_CTR
+#define POLARSSL_MODE_ECB MBEDTLS_MODE_ECB
+#define POLARSSL_MODE_GCM MBEDTLS_MODE_GCM
+#define POLARSSL_MODE_NONE MBEDTLS_MODE_NONE
+#define POLARSSL_MODE_OFB MBEDTLS_MODE_OFB
+#define POLARSSL_MODE_STREAM MBEDTLS_MODE_STREAM
+#define POLARSSL_MPI_MAX_BITS MBEDTLS_MPI_MAX_BITS
+#define POLARSSL_MPI_MAX_BITS_SCALE100 MBEDTLS_MPI_MAX_BITS_SCALE100
+#define POLARSSL_MPI_MAX_LIMBS MBEDTLS_MPI_MAX_LIMBS
+#define POLARSSL_MPI_RW_BUFFER_SIZE MBEDTLS_MPI_RW_BUFFER_SIZE
+#define POLARSSL_NET_H MBEDTLS_NET_SOCKETS_H
+#define POLARSSL_NET_LISTEN_BACKLOG MBEDTLS_NET_LISTEN_BACKLOG
+#define POLARSSL_OID_H MBEDTLS_OID_H
+#define POLARSSL_OPERATION_NONE MBEDTLS_OPERATION_NONE
+#define POLARSSL_PADDING_NONE MBEDTLS_PADDING_NONE
+#define POLARSSL_PADDING_ONE_AND_ZEROS MBEDTLS_PADDING_ONE_AND_ZEROS
+#define POLARSSL_PADDING_PKCS7 MBEDTLS_PADDING_PKCS7
+#define POLARSSL_PADDING_ZEROS MBEDTLS_PADDING_ZEROS
+#define POLARSSL_PADDING_ZEROS_AND_LEN MBEDTLS_PADDING_ZEROS_AND_LEN
+#define POLARSSL_PADLOCK_H MBEDTLS_PADLOCK_H
+#define POLARSSL_PEM_H MBEDTLS_PEM_H
+#define POLARSSL_PKCS11_H MBEDTLS_PKCS11_H
+#define POLARSSL_PKCS12_H MBEDTLS_PKCS12_H
+#define POLARSSL_PKCS5_H MBEDTLS_PKCS5_H
+#define POLARSSL_PK_DEBUG_ECP MBEDTLS_PK_DEBUG_ECP
+#define POLARSSL_PK_DEBUG_MAX_ITEMS MBEDTLS_PK_DEBUG_MAX_ITEMS
+#define POLARSSL_PK_DEBUG_MPI MBEDTLS_PK_DEBUG_MPI
+#define POLARSSL_PK_DEBUG_NONE MBEDTLS_PK_DEBUG_NONE
+#define POLARSSL_PK_ECDSA MBEDTLS_PK_ECDSA
+#define POLARSSL_PK_ECKEY MBEDTLS_PK_ECKEY
+#define POLARSSL_PK_ECKEY_DH MBEDTLS_PK_ECKEY_DH
+#define POLARSSL_PK_H MBEDTLS_PK_H
+#define POLARSSL_PK_NONE MBEDTLS_PK_NONE
+#define POLARSSL_PK_RSA MBEDTLS_PK_RSA
+#define POLARSSL_PK_RSASSA_PSS MBEDTLS_PK_RSASSA_PSS
+#define POLARSSL_PK_RSA_ALT MBEDTLS_PK_RSA_ALT
+#define POLARSSL_PK_WRAP_H MBEDTLS_PK_WRAP_H
+#define POLARSSL_PLATFORM_H MBEDTLS_PLATFORM_H
+#define POLARSSL_PREMASTER_SIZE MBEDTLS_PREMASTER_SIZE
+#define POLARSSL_RIPEMD160_H MBEDTLS_RIPEMD160_H
+#define POLARSSL_RSA_H MBEDTLS_RSA_H
+#define POLARSSL_SHA1_H MBEDTLS_SHA1_H
+#define POLARSSL_SHA256_H MBEDTLS_SHA256_H
+#define POLARSSL_SHA512_H MBEDTLS_SHA512_H
+#define POLARSSL_SSL_CACHE_H MBEDTLS_SSL_CACHE_H
+#define POLARSSL_SSL_CIPHERSUITES_H MBEDTLS_SSL_CIPHERSUITES_H
+#define POLARSSL_SSL_COOKIE_H MBEDTLS_SSL_COOKIE_H
+#define POLARSSL_SSL_H MBEDTLS_SSL_H
+#define POLARSSL_THREADING_H MBEDTLS_THREADING_H
+#define POLARSSL_THREADING_IMPL MBEDTLS_THREADING_IMPL
+#define POLARSSL_TIMING_H MBEDTLS_TIMING_H
+#define POLARSSL_VERSION_H MBEDTLS_VERSION_H
+#define POLARSSL_VERSION_MAJOR MBEDTLS_VERSION_MAJOR
+#define POLARSSL_VERSION_MINOR MBEDTLS_VERSION_MINOR
+#define POLARSSL_VERSION_NUMBER MBEDTLS_VERSION_NUMBER
+#define POLARSSL_VERSION_PATCH MBEDTLS_VERSION_PATCH
+#define POLARSSL_VERSION_STRING MBEDTLS_VERSION_STRING
+#define POLARSSL_VERSION_STRING_FULL MBEDTLS_VERSION_STRING_FULL
+#define POLARSSL_X509_CRL_H MBEDTLS_X509_CRL_H
+#define POLARSSL_X509_CRT_H MBEDTLS_X509_CRT_H
+#define POLARSSL_X509_CSR_H MBEDTLS_X509_CSR_H
+#define POLARSSL_X509_H MBEDTLS_X509_H
+#define POLARSSL_XTEA_H MBEDTLS_XTEA_H
+#define RSA_CRYPT MBEDTLS_RSA_CRYPT
+#define RSA_PKCS_V15 MBEDTLS_RSA_PKCS_V15
+#define RSA_PKCS_V21 MBEDTLS_RSA_PKCS_V21
+#define RSA_PRIVATE MBEDTLS_RSA_PRIVATE
+#define RSA_PUBLIC MBEDTLS_RSA_PUBLIC
+#define RSA_SALT_LEN_ANY MBEDTLS_RSA_SALT_LEN_ANY
+#define RSA_SIGN MBEDTLS_RSA_SIGN
+#define SSL_ALERT_LEVEL_FATAL MBEDTLS_SSL_ALERT_LEVEL_FATAL
+#define SSL_ALERT_LEVEL_WARNING MBEDTLS_SSL_ALERT_LEVEL_WARNING
+#define SSL_ALERT_MSG_ACCESS_DENIED MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED
+#define SSL_ALERT_MSG_BAD_CERT MBEDTLS_SSL_ALERT_MSG_BAD_CERT
+#define SSL_ALERT_MSG_BAD_RECORD_MAC MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
+#define SSL_ALERT_MSG_CERT_EXPIRED MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED
+#define SSL_ALERT_MSG_CERT_REVOKED MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
+#define SSL_ALERT_MSG_CERT_UNKNOWN MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN
+#define SSL_ALERT_MSG_CLOSE_NOTIFY MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
+#define SSL_ALERT_MSG_DECODE_ERROR MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
+#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE
+#define SSL_ALERT_MSG_DECRYPTION_FAILED MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED
+#define SSL_ALERT_MSG_DECRYPT_ERROR MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
+#define SSL_ALERT_MSG_EXPORT_RESTRICTION MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION
+#define SSL_ALERT_MSG_HANDSHAKE_FAILURE MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
+#define SSL_ALERT_MSG_ILLEGAL_PARAMETER MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
+#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
+#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY
+#define SSL_ALERT_MSG_INTERNAL_ERROR MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
+#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
+#define SSL_ALERT_MSG_NO_CERT MBEDTLS_SSL_ALERT_MSG_NO_CERT
+#define SSL_ALERT_MSG_NO_RENEGOTIATION MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
+#define SSL_ALERT_MSG_PROTOCOL_VERSION MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
+#define SSL_ALERT_MSG_RECORD_OVERFLOW MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW
+#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
+#define SSL_ALERT_MSG_UNKNOWN_CA MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
+#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
+#define SSL_ALERT_MSG_UNRECOGNIZED_NAME MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
+#define SSL_ALERT_MSG_UNSUPPORTED_CERT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+#define SSL_ALERT_MSG_UNSUPPORTED_EXT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT
+#define SSL_ALERT_MSG_USER_CANCELED MBEDTLS_SSL_ALERT_MSG_USER_CANCELED
+#define SSL_ANTI_REPLAY_DISABLED MBEDTLS_SSL_ANTI_REPLAY_DISABLED
+#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
+#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
+#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
+#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
+                         ? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
+#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
+#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
+#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+#define SSL_CBC_RECORD_SPLITTING_ENABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
+#define SSL_CERTIFICATE_REQUEST MBEDTLS_SSL_CERTIFICATE_REQUEST
+#define SSL_CERTIFICATE_VERIFY MBEDTLS_SSL_CERTIFICATE_VERIFY
+#define SSL_CERT_TYPE_ECDSA_SIGN MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
+#define SSL_CERT_TYPE_RSA_SIGN MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
+#define SSL_CHANNEL_INBOUND MBEDTLS_SSL_CHANNEL_INBOUND
+#define SSL_CHANNEL_OUTBOUND MBEDTLS_SSL_CHANNEL_OUTBOUND
+#define SSL_CIPHERSUITES MBEDTLS_SSL_CIPHERSUITES
+#define SSL_CLIENT_CERTIFICATE MBEDTLS_SSL_CLIENT_CERTIFICATE
+#define SSL_CLIENT_CHANGE_CIPHER_SPEC MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
+#define SSL_CLIENT_FINISHED MBEDTLS_SSL_CLIENT_FINISHED
+#define SSL_CLIENT_HELLO MBEDTLS_SSL_CLIENT_HELLO
+#define SSL_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
+#define SSL_COMPRESSION_ADD MBEDTLS_SSL_COMPRESSION_ADD
+#define SSL_COMPRESS_DEFLATE MBEDTLS_SSL_COMPRESS_DEFLATE
+#define SSL_COMPRESS_NULL MBEDTLS_SSL_COMPRESS_NULL
+#define SSL_DEBUG_BUF MBEDTLS_SSL_DEBUG_BUF
+#define SSL_DEBUG_CRT MBEDTLS_SSL_DEBUG_CRT
+#define SSL_DEBUG_ECP MBEDTLS_SSL_DEBUG_ECP
+#define SSL_DEBUG_MPI MBEDTLS_SSL_DEBUG_MPI
+#define SSL_DEBUG_MSG MBEDTLS_SSL_DEBUG_MSG
+#define SSL_DEBUG_RET MBEDTLS_SSL_DEBUG_RET
+#define SSL_DEFAULT_TICKET_LIFETIME MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME
+#define SSL_DTLS_TIMEOUT_DFL_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
+#define SSL_DTLS_TIMEOUT_DFL_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
+#define SSL_EMPTY_RENEGOTIATION_INFO MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
+#define SSL_ETM_DISABLED MBEDTLS_SSL_ETM_DISABLED
+#define SSL_ETM_ENABLED MBEDTLS_SSL_ETM_ENABLED
+#define SSL_EXTENDED_MS_DISABLED MBEDTLS_SSL_EXTENDED_MS_DISABLED
+#define SSL_EXTENDED_MS_ENABLED MBEDTLS_SSL_EXTENDED_MS_ENABLED
+#define SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#define SSL_FLUSH_BUFFERS MBEDTLS_SSL_FLUSH_BUFFERS
+#define SSL_HANDSHAKE_OVER MBEDTLS_SSL_HANDSHAKE_OVER
+#define SSL_HANDSHAKE_WRAPUP MBEDTLS_SSL_HANDSHAKE_WRAPUP
+#define SSL_HASH_MD5 MBEDTLS_SSL_HASH_MD5
+#define SSL_HASH_NONE MBEDTLS_SSL_HASH_NONE
+#define SSL_HASH_SHA1 MBEDTLS_SSL_HASH_SHA1
+#define SSL_HASH_SHA224 MBEDTLS_SSL_HASH_SHA224
+#define SSL_HASH_SHA256 MBEDTLS_SSL_HASH_SHA256
+#define SSL_HASH_SHA384 MBEDTLS_SSL_HASH_SHA384
+#define SSL_HASH_SHA512 MBEDTLS_SSL_HASH_SHA512
+#define SSL_HELLO_REQUEST MBEDTLS_SSL_HELLO_REQUEST
+#define SSL_HS_CERTIFICATE MBEDTLS_SSL_HS_CERTIFICATE
+#define SSL_HS_CERTIFICATE_REQUEST MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
+#define SSL_HS_CERTIFICATE_VERIFY MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
+#define SSL_HS_CLIENT_HELLO MBEDTLS_SSL_HS_CLIENT_HELLO
+#define SSL_HS_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
+#define SSL_HS_FINISHED MBEDTLS_SSL_HS_FINISHED
+#define SSL_HS_HELLO_REQUEST MBEDTLS_SSL_HS_HELLO_REQUEST
+#define SSL_HS_HELLO_VERIFY_REQUEST MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
+#define SSL_HS_NEW_SESSION_TICKET MBEDTLS_SSL_HS_NEW_SESSION_TICKET
+#define SSL_HS_SERVER_HELLO MBEDTLS_SSL_HS_SERVER_HELLO
+#define SSL_HS_SERVER_HELLO_DONE MBEDTLS_SSL_HS_SERVER_HELLO_DONE
+#define SSL_HS_SERVER_KEY_EXCHANGE MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
+#define SSL_INITIAL_HANDSHAKE MBEDTLS_SSL_INITIAL_HANDSHAKE
+#define SSL_IS_CLIENT MBEDTLS_SSL_IS_CLIENT
+#define SSL_IS_FALLBACK MBEDTLS_SSL_IS_FALLBACK
+#define SSL_IS_NOT_FALLBACK MBEDTLS_SSL_IS_NOT_FALLBACK
+#define SSL_IS_SERVER MBEDTLS_SSL_IS_SERVER
+#define SSL_LEGACY_ALLOW_RENEGOTIATION MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
+#define SSL_LEGACY_BREAK_HANDSHAKE MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
+#define SSL_LEGACY_NO_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
+#define SSL_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_RENEGOTIATION
+#define SSL_MAC_ADD MBEDTLS_SSL_MAC_ADD
+#define SSL_MAJOR_VERSION_3 MBEDTLS_SSL_MAJOR_VERSION_3
+#define SSL_MAX_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#define SSL_MAX_FRAG_LEN_1024 MBEDTLS_SSL_MAX_FRAG_LEN_1024
+#define SSL_MAX_FRAG_LEN_2048 MBEDTLS_SSL_MAX_FRAG_LEN_2048
+#define SSL_MAX_FRAG_LEN_4096 MBEDTLS_SSL_MAX_FRAG_LEN_4096
+#define SSL_MAX_FRAG_LEN_512 MBEDTLS_SSL_MAX_FRAG_LEN_512
+#define SSL_MAX_FRAG_LEN_INVALID MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
+#define SSL_MAX_FRAG_LEN_NONE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
+#define SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAX_MAJOR_VERSION
+#define SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MAX_MINOR_VERSION
+#define SSL_MINOR_VERSION_0 MBEDTLS_SSL_MINOR_VERSION_0
+#define SSL_MINOR_VERSION_1 MBEDTLS_SSL_MINOR_VERSION_1
+#define SSL_MINOR_VERSION_2 MBEDTLS_SSL_MINOR_VERSION_2
+#define SSL_MINOR_VERSION_3 MBEDTLS_SSL_MINOR_VERSION_3
+#define SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MIN_MAJOR_VERSION
+#define SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MIN_MINOR_VERSION
+#define SSL_MSG_ALERT MBEDTLS_SSL_MSG_ALERT
+#define SSL_MSG_APPLICATION_DATA MBEDTLS_SSL_MSG_APPLICATION_DATA
+#define SSL_MSG_CHANGE_CIPHER_SPEC MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
+#define SSL_MSG_HANDSHAKE MBEDTLS_SSL_MSG_HANDSHAKE
+#define SSL_PADDING_ADD MBEDTLS_SSL_PADDING_ADD
+#define SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#define SSL_RENEGOTIATION_DISABLED MBEDTLS_SSL_RENEGOTIATION_DISABLED
+#define SSL_RENEGOTIATION_DONE MBEDTLS_SSL_RENEGOTIATION_DONE
+#define SSL_RENEGOTIATION_ENABLED MBEDTLS_SSL_RENEGOTIATION_ENABLED
+#define SSL_RENEGOTIATION_NOT_ENFORCED MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED
+#define SSL_RENEGOTIATION_PENDING MBEDTLS_SSL_RENEGOTIATION_PENDING
+#define SSL_RENEGO_MAX_RECORDS_DEFAULT MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
+#define SSL_RETRANS_FINISHED MBEDTLS_SSL_RETRANS_FINISHED
+#define SSL_RETRANS_PREPARING MBEDTLS_SSL_RETRANS_PREPARING
+#define SSL_RETRANS_SENDING MBEDTLS_SSL_RETRANS_SENDING
+#define SSL_RETRANS_WAITING MBEDTLS_SSL_RETRANS_WAITING
+#define SSL_SECURE_RENEGOTIATION MBEDTLS_SSL_SECURE_RENEGOTIATION
+#define SSL_SERVER_CERTIFICATE MBEDTLS_SSL_SERVER_CERTIFICATE
+#define SSL_SERVER_CHANGE_CIPHER_SPEC MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
+#define SSL_SERVER_FINISHED MBEDTLS_SSL_SERVER_FINISHED
+#define SSL_SERVER_HELLO MBEDTLS_SSL_SERVER_HELLO
+#define SSL_SERVER_HELLO_DONE MBEDTLS_SSL_SERVER_HELLO_DONE
+#define SSL_SERVER_HELLO_VERIFY_REQUEST_SENT MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
+#define SSL_SERVER_KEY_EXCHANGE MBEDTLS_SSL_SERVER_KEY_EXCHANGE
+#define SSL_SERVER_NEW_SESSION_TICKET MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
+#define SSL_SESSION_TICKETS_DISABLED MBEDTLS_SSL_SESSION_TICKETS_DISABLED
+#define SSL_SESSION_TICKETS_ENABLED MBEDTLS_SSL_SESSION_TICKETS_ENABLED
+#define SSL_SIG_ANON MBEDTLS_SSL_SIG_ANON
+#define SSL_SIG_ECDSA MBEDTLS_SSL_SIG_ECDSA
+#define SSL_SIG_RSA MBEDTLS_SSL_SIG_RSA
+#define SSL_TRANSPORT_DATAGRAM MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#define SSL_TRANSPORT_STREAM MBEDTLS_SSL_TRANSPORT_STREAM
+#define SSL_TRUNCATED_HMAC_LEN MBEDTLS_SSL_TRUNCATED_HMAC_LEN
+#define SSL_TRUNC_HMAC_DISABLED MBEDTLS_SSL_TRUNC_HMAC_DISABLED
+#define SSL_TRUNC_HMAC_ENABLED MBEDTLS_SSL_TRUNC_HMAC_ENABLED
+#define SSL_VERIFY_DATA_MAX_LEN MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
+#define SSL_VERIFY_NONE MBEDTLS_SSL_VERIFY_NONE
+#define SSL_VERIFY_OPTIONAL MBEDTLS_SSL_VERIFY_OPTIONAL
+#define SSL_VERIFY_REQUIRED MBEDTLS_SSL_VERIFY_REQUIRED
+#define TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_AES_128_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM
+#define TLS_DHE_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8
+#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_AES_256_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM
+#define TLS_DHE_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8
+#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+#define TLS_DHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+#define TLS_DHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+#define TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_128_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM
+#define TLS_DHE_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8
+#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM
+#define TLS_DHE_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8
+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+#define TLS_ECDHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+#define TLS_ECDHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+#define TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+#define TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+#define TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+#define TLS_EXT_ALPN MBEDTLS_TLS_EXT_ALPN
+#define TLS_EXT_ENCRYPT_THEN_MAC MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
+#define TLS_EXT_EXTENDED_MASTER_SECRET MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
+#define TLS_EXT_MAX_FRAGMENT_LENGTH MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
+#define TLS_EXT_RENEGOTIATION_INFO MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
+#define TLS_EXT_SERVERNAME MBEDTLS_TLS_EXT_SERVERNAME
+#define TLS_EXT_SERVERNAME_HOSTNAME MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
+#define TLS_EXT_SESSION_TICKET MBEDTLS_TLS_EXT_SESSION_TICKET
+#define TLS_EXT_SIG_ALG MBEDTLS_TLS_EXT_SIG_ALG
+#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
+#define TLS_EXT_SUPPORTED_POINT_FORMATS MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
+#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
+#define TLS_EXT_TRUNCATED_HMAC MBEDTLS_TLS_EXT_TRUNCATED_HMAC
+#define TLS_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_PSK_WITH_AES_128_CCM MBEDTLS_TLS_PSK_WITH_AES_128_CCM
+#define TLS_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8
+#define TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+#define TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_PSK_WITH_AES_256_CCM MBEDTLS_TLS_PSK_WITH_AES_256_CCM
+#define TLS_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8
+#define TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_PSK_WITH_NULL_SHA MBEDTLS_TLS_PSK_WITH_NULL_SHA
+#define TLS_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+#define TLS_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+#define TLS_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_NULL_SHA MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
+#define TLS_RSA_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
+#define TLS_RSA_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
+#define TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_WITH_AES_128_CCM MBEDTLS_TLS_RSA_WITH_AES_128_CCM
+#define TLS_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8
+#define TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+#define TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_RSA_WITH_AES_256_CCM MBEDTLS_TLS_RSA_WITH_AES_256_CCM
+#define TLS_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8
+#define TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
+#define TLS_RSA_WITH_NULL_MD5 MBEDTLS_TLS_RSA_WITH_NULL_MD5
+#define TLS_RSA_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_SHA
+#define TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+#define TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+#define TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+#define X509_CRT_VERSION_1 MBEDTLS_X509_CRT_VERSION_1
+#define X509_CRT_VERSION_2 MBEDTLS_X509_CRT_VERSION_2
+#define X509_CRT_VERSION_3 MBEDTLS_X509_CRT_VERSION_3
+#define X509_FORMAT_DER MBEDTLS_X509_FORMAT_DER
+#define X509_FORMAT_PEM MBEDTLS_X509_FORMAT_PEM
+#define X509_MAX_DN_NAME_SIZE MBEDTLS_X509_MAX_DN_NAME_SIZE
+#define X509_RFC5280_MAX_SERIAL_LEN MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
+#define X509_RFC5280_UTC_TIME_LEN MBEDTLS_X509_RFC5280_UTC_TIME_LEN
+#define XTEA_DECRYPT MBEDTLS_XTEA_DECRYPT
+#define XTEA_ENCRYPT MBEDTLS_XTEA_ENCRYPT
+#define _asn1_bitstring mbedtls_asn1_bitstring
+#define _asn1_buf mbedtls_asn1_buf
+#define _asn1_named_data mbedtls_asn1_named_data
+#define _asn1_sequence mbedtls_asn1_sequence
+#define _ssl_cache_context mbedtls_ssl_cache_context
+#define _ssl_cache_entry mbedtls_ssl_cache_entry
+#define _ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define _ssl_context mbedtls_ssl_context
+#define _ssl_flight_item mbedtls_ssl_flight_item
+#define _ssl_handshake_params mbedtls_ssl_handshake_params
+#define _ssl_key_cert mbedtls_ssl_key_cert
+#define _ssl_premaster_secret mbedtls_ssl_premaster_secret
+#define _ssl_session mbedtls_ssl_session
+#define _ssl_transform mbedtls_ssl_transform
+#define _x509_crl mbedtls_x509_crl
+#define _x509_crl_entry mbedtls_x509_crl_entry
+#define _x509_crt mbedtls_x509_crt
+#define _x509_csr mbedtls_x509_csr
+#define _x509_time mbedtls_x509_time
+#define _x509write_cert mbedtls_x509write_cert
+#define _x509write_csr mbedtls_x509write_csr
+#define aes_context mbedtls_aes_context
+#define aes_crypt_cbc mbedtls_aes_crypt_cbc
+#define aes_crypt_cfb128 mbedtls_aes_crypt_cfb128
+#define aes_crypt_cfb8 mbedtls_aes_crypt_cfb8
+#define aes_crypt_ctr mbedtls_aes_crypt_ctr
+#define aes_crypt_ecb mbedtls_aes_crypt_ecb
+#define aes_free mbedtls_aes_free
+#define aes_init mbedtls_aes_init
+#define aes_self_test mbedtls_aes_self_test
+#define aes_setkey_dec mbedtls_aes_setkey_dec
+#define aes_setkey_enc mbedtls_aes_setkey_enc
+#define aesni_crypt_ecb mbedtls_aesni_crypt_ecb
+#define aesni_gcm_mult mbedtls_aesni_gcm_mult
+#define aesni_inverse_key mbedtls_aesni_inverse_key
+#define aesni_setkey_enc mbedtls_aesni_setkey_enc
+#define aesni_supports mbedtls_aesni_has_support
+#define alarmed mbedtls_timing_alarmed
+#define arc4_context mbedtls_arc4_context
+#define arc4_crypt mbedtls_arc4_crypt
+#define arc4_free mbedtls_arc4_free
+#define arc4_init mbedtls_arc4_init
+#define arc4_self_test mbedtls_arc4_self_test
+#define arc4_setup mbedtls_arc4_setup
+#define asn1_bitstring mbedtls_asn1_bitstring
+#define asn1_buf mbedtls_asn1_buf
+#define asn1_find_named_data mbedtls_asn1_find_named_data
+#define asn1_free_named_data mbedtls_asn1_free_named_data
+#define asn1_free_named_data_list mbedtls_asn1_free_named_data_list
+#define asn1_get_alg mbedtls_asn1_get_alg
+#define asn1_get_alg_null mbedtls_asn1_get_alg_null
+#define asn1_get_bitstring mbedtls_asn1_get_bitstring
+#define asn1_get_bitstring_null mbedtls_asn1_get_bitstring_null
+#define asn1_get_bool mbedtls_asn1_get_bool
+#define asn1_get_int mbedtls_asn1_get_int
+#define asn1_get_len mbedtls_asn1_get_len
+#define asn1_get_mpi mbedtls_asn1_get_mpi
+#define asn1_get_sequence_of mbedtls_asn1_get_sequence_of
+#define asn1_get_tag mbedtls_asn1_get_tag
+#define asn1_named_data mbedtls_asn1_named_data
+#define asn1_sequence mbedtls_asn1_sequence
+#define asn1_store_named_data mbedtls_asn1_store_named_data
+#define asn1_write_algorithm_identifier mbedtls_asn1_write_algorithm_identifier
+#define asn1_write_bitstring mbedtls_asn1_write_bitstring
+#define asn1_write_bool mbedtls_asn1_write_bool
+#define asn1_write_ia5_string mbedtls_asn1_write_ia5_string
+#define asn1_write_int mbedtls_asn1_write_int
+#define asn1_write_len mbedtls_asn1_write_len
+#define asn1_write_mpi mbedtls_asn1_write_mpi
+#define asn1_write_null mbedtls_asn1_write_null
+#define asn1_write_octet_string mbedtls_asn1_write_octet_string
+#define asn1_write_oid mbedtls_asn1_write_oid
+#define asn1_write_printable_string mbedtls_asn1_write_printable_string
+#define asn1_write_raw_buffer mbedtls_asn1_write_raw_buffer
+#define asn1_write_tag mbedtls_asn1_write_tag
+#define base64_decode mbedtls_base64_decode
+#define base64_encode mbedtls_base64_encode
+#define base64_self_test mbedtls_base64_self_test
+#define blowfish_context mbedtls_blowfish_context
+#define blowfish_crypt_cbc mbedtls_blowfish_crypt_cbc
+#define blowfish_crypt_cfb64 mbedtls_blowfish_crypt_cfb64
+#define blowfish_crypt_ctr mbedtls_blowfish_crypt_ctr
+#define blowfish_crypt_ecb mbedtls_blowfish_crypt_ecb
+#define blowfish_free mbedtls_blowfish_free
+#define blowfish_init mbedtls_blowfish_init
+#define blowfish_setkey mbedtls_blowfish_setkey
+#define camellia_context mbedtls_camellia_context
+#define camellia_crypt_cbc mbedtls_camellia_crypt_cbc
+#define camellia_crypt_cfb128 mbedtls_camellia_crypt_cfb128
+#define camellia_crypt_ctr mbedtls_camellia_crypt_ctr
+#define camellia_crypt_ecb mbedtls_camellia_crypt_ecb
+#define camellia_free mbedtls_camellia_free
+#define camellia_init mbedtls_camellia_init
+#define camellia_self_test mbedtls_camellia_self_test
+#define camellia_setkey_dec mbedtls_camellia_setkey_dec
+#define camellia_setkey_enc mbedtls_camellia_setkey_enc
+#define ccm_auth_decrypt mbedtls_ccm_auth_decrypt
+#define ccm_context mbedtls_ccm_context
+#define ccm_encrypt_and_tag mbedtls_ccm_encrypt_and_tag
+#define ccm_free mbedtls_ccm_free
+#define ccm_init mbedtls_ccm_init
+#define ccm_self_test mbedtls_ccm_self_test
+#define cipher_auth_decrypt mbedtls_cipher_auth_decrypt
+#define cipher_auth_encrypt mbedtls_cipher_auth_encrypt
+#define cipher_base_t mbedtls_cipher_base_t
+#define cipher_check_tag mbedtls_cipher_check_tag
+#define cipher_context_t mbedtls_cipher_context_t
+#define cipher_crypt mbedtls_cipher_crypt
+#define cipher_definition_t mbedtls_cipher_definition_t
+#define cipher_definitions mbedtls_cipher_definitions
+#define cipher_finish mbedtls_cipher_finish
+#define cipher_free mbedtls_cipher_free
+#define cipher_get_block_size mbedtls_cipher_get_block_size
+#define cipher_get_cipher_mode mbedtls_cipher_get_cipher_mode
+#define cipher_get_iv_size mbedtls_cipher_get_iv_size
+#define cipher_get_key_size mbedtls_cipher_get_key_bitlen
+#define cipher_get_name mbedtls_cipher_get_name
+#define cipher_get_operation mbedtls_cipher_get_operation
+#define cipher_get_type mbedtls_cipher_get_type
+#define cipher_id_t mbedtls_cipher_id_t
+#define cipher_info_from_string mbedtls_cipher_info_from_string
+#define cipher_info_from_type mbedtls_cipher_info_from_type
+#define cipher_info_from_values mbedtls_cipher_info_from_values
+#define cipher_info_t mbedtls_cipher_info_t
+#define cipher_init mbedtls_cipher_init
+#define cipher_init_ctx mbedtls_cipher_setup
+#define cipher_list mbedtls_cipher_list
+#define cipher_mode_t mbedtls_cipher_mode_t
+#define cipher_padding_t mbedtls_cipher_padding_t
+#define cipher_reset mbedtls_cipher_reset
+#define cipher_set_iv mbedtls_cipher_set_iv
+#define cipher_set_padding_mode mbedtls_cipher_set_padding_mode
+#define cipher_setkey mbedtls_cipher_setkey
+#define cipher_type_t mbedtls_cipher_type_t
+#define cipher_update mbedtls_cipher_update
+#define cipher_update_ad mbedtls_cipher_update_ad
+#define cipher_write_tag mbedtls_cipher_write_tag
+#define ctr_drbg_context mbedtls_ctr_drbg_context
+#define ctr_drbg_free mbedtls_ctr_drbg_free
+#define ctr_drbg_init mbedtls_ctr_drbg_init
+#define ctr_drbg_random mbedtls_ctr_drbg_random
+#define ctr_drbg_random_with_add mbedtls_ctr_drbg_random_with_add
+#define ctr_drbg_reseed mbedtls_ctr_drbg_reseed
+#define ctr_drbg_self_test mbedtls_ctr_drbg_self_test
+#define ctr_drbg_set_entropy_len mbedtls_ctr_drbg_set_entropy_len
+#define ctr_drbg_set_prediction_resistance mbedtls_ctr_drbg_set_prediction_resistance
+#define ctr_drbg_set_reseed_interval mbedtls_ctr_drbg_set_reseed_interval
+#define ctr_drbg_update mbedtls_ctr_drbg_update
+#define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
+#define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
+#define debug_print_buf mbedtls_debug_print_buf
+#define debug_print_crt mbedtls_debug_print_crt
+#define debug_print_ecp mbedtls_debug_print_ecp
+#define debug_print_mpi mbedtls_debug_print_mpi
+#define debug_print_msg mbedtls_debug_print_msg
+#define debug_print_ret mbedtls_debug_print_ret
+#define debug_set_threshold mbedtls_debug_set_threshold
+#define des3_context mbedtls_des3_context
+#define des3_crypt_cbc mbedtls_des3_crypt_cbc
+#define des3_crypt_ecb mbedtls_des3_crypt_ecb
+#define des3_free mbedtls_des3_free
+#define des3_init mbedtls_des3_init
+#define des3_set2key_dec mbedtls_des3_set2key_dec
+#define des3_set2key_enc mbedtls_des3_set2key_enc
+#define des3_set3key_dec mbedtls_des3_set3key_dec
+#define des3_set3key_enc mbedtls_des3_set3key_enc
+#define des_context mbedtls_des_context
+#define des_crypt_cbc mbedtls_des_crypt_cbc
+#define des_crypt_ecb mbedtls_des_crypt_ecb
+#define des_free mbedtls_des_free
+#define des_init mbedtls_des_init
+#define des_key_check_key_parity mbedtls_des_key_check_key_parity
+#define des_key_check_weak mbedtls_des_key_check_weak
+#define des_key_set_parity mbedtls_des_key_set_parity
+#define des_self_test mbedtls_des_self_test
+#define des_setkey_dec mbedtls_des_setkey_dec
+#define des_setkey_enc mbedtls_des_setkey_enc
+#define dhm_calc_secret mbedtls_dhm_calc_secret
+#define dhm_context mbedtls_dhm_context
+#define dhm_free mbedtls_dhm_free
+#define dhm_init mbedtls_dhm_init
+#define dhm_make_params mbedtls_dhm_make_params
+#define dhm_make_public mbedtls_dhm_make_public
+#define dhm_parse_dhm mbedtls_dhm_parse_dhm
+#define dhm_parse_dhmfile mbedtls_dhm_parse_dhmfile
+#define dhm_read_params mbedtls_dhm_read_params
+#define dhm_read_public mbedtls_dhm_read_public
+#define dhm_self_test mbedtls_dhm_self_test
+#define ecdh_calc_secret mbedtls_ecdh_calc_secret
+#define ecdh_compute_shared mbedtls_ecdh_compute_shared
+#define ecdh_context mbedtls_ecdh_context
+#define ecdh_free mbedtls_ecdh_free
+#define ecdh_gen_public mbedtls_ecdh_gen_public
+#define ecdh_get_params mbedtls_ecdh_get_params
+#define ecdh_init mbedtls_ecdh_init
+#define ecdh_make_params mbedtls_ecdh_make_params
+#define ecdh_make_public mbedtls_ecdh_make_public
+#define ecdh_read_params mbedtls_ecdh_read_params
+#define ecdh_read_public mbedtls_ecdh_read_public
+#define ecdh_side mbedtls_ecdh_side
+#define ecdsa_context mbedtls_ecdsa_context
+#define ecdsa_free mbedtls_ecdsa_free
+#define ecdsa_from_keypair mbedtls_ecdsa_from_keypair
+#define ecdsa_genkey mbedtls_ecdsa_genkey
+#define ecdsa_info mbedtls_ecdsa_info
+#define ecdsa_init mbedtls_ecdsa_init
+#define ecdsa_read_signature mbedtls_ecdsa_read_signature
+#define ecdsa_sign mbedtls_ecdsa_sign
+#define ecdsa_sign_det mbedtls_ecdsa_sign_det
+#define ecdsa_verify mbedtls_ecdsa_verify
+#define ecdsa_write_signature mbedtls_ecdsa_write_signature
+#define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
+#define eckey_info mbedtls_eckey_info
+#define eckeydh_info mbedtls_eckeydh_info
+#define ecp_check_privkey mbedtls_ecp_check_privkey
+#define ecp_check_pub_priv mbedtls_ecp_check_pub_priv
+#define ecp_check_pubkey mbedtls_ecp_check_pubkey
+#define ecp_copy mbedtls_ecp_copy
+#define ecp_curve_info mbedtls_ecp_curve_info
+#define ecp_curve_info_from_grp_id mbedtls_ecp_curve_info_from_grp_id
+#define ecp_curve_info_from_name mbedtls_ecp_curve_info_from_name
+#define ecp_curve_info_from_tls_id mbedtls_ecp_curve_info_from_tls_id
+#define ecp_curve_list mbedtls_ecp_curve_list
+#define ecp_gen_key mbedtls_ecp_gen_key
+#define ecp_gen_keypair mbedtls_ecp_gen_keypair
+#define ecp_group mbedtls_ecp_group
+#define ecp_group_copy mbedtls_ecp_group_copy
+#define ecp_group_free mbedtls_ecp_group_free
+#define ecp_group_id mbedtls_ecp_group_id
+#define ecp_group_init mbedtls_ecp_group_init
+#define ecp_grp_id_list mbedtls_ecp_grp_id_list
+#define ecp_is_zero mbedtls_ecp_is_zero
+#define ecp_keypair mbedtls_ecp_keypair
+#define ecp_keypair_free mbedtls_ecp_keypair_free
+#define ecp_keypair_init mbedtls_ecp_keypair_init
+#define ecp_mul mbedtls_ecp_mul
+#define ecp_point mbedtls_ecp_point
+#define ecp_point_free mbedtls_ecp_point_free
+#define ecp_point_init mbedtls_ecp_point_init
+#define ecp_point_read_binary mbedtls_ecp_point_read_binary
+#define ecp_point_read_string mbedtls_ecp_point_read_string
+#define ecp_point_write_binary mbedtls_ecp_point_write_binary
+#define ecp_self_test mbedtls_ecp_self_test
+#define ecp_set_zero mbedtls_ecp_set_zero
+#define ecp_tls_read_group mbedtls_ecp_tls_read_group
+#define ecp_tls_read_point mbedtls_ecp_tls_read_point
+#define ecp_tls_write_group mbedtls_ecp_tls_write_group
+#define ecp_tls_write_point mbedtls_ecp_tls_write_point
+#define ecp_use_known_dp mbedtls_ecp_group_load
+#define entropy_add_source mbedtls_entropy_add_source
+#define entropy_context mbedtls_entropy_context
+#define entropy_free mbedtls_entropy_free
+#define entropy_func mbedtls_entropy_func
+#define entropy_gather mbedtls_entropy_gather
+#define entropy_init mbedtls_entropy_init
+#define entropy_self_test mbedtls_entropy_self_test
+#define entropy_update_manual mbedtls_entropy_update_manual
+#define entropy_update_seed_file mbedtls_entropy_update_seed_file
+#define entropy_write_seed_file mbedtls_entropy_write_seed_file
+#define error_strerror mbedtls_strerror
+#define f_source_ptr mbedtls_entropy_f_source_ptr
+#define gcm_auth_decrypt mbedtls_gcm_auth_decrypt
+#define gcm_context mbedtls_gcm_context
+#define gcm_crypt_and_tag mbedtls_gcm_crypt_and_tag
+#define gcm_finish mbedtls_gcm_finish
+#define gcm_free mbedtls_gcm_free
+#define gcm_init mbedtls_gcm_init
+#define gcm_self_test mbedtls_gcm_self_test
+#define gcm_starts mbedtls_gcm_starts
+#define gcm_update mbedtls_gcm_update
+#define get_timer mbedtls_timing_get_timer
+#define hardclock mbedtls_timing_hardclock
+#define hardclock_poll mbedtls_hardclock_poll
+#define havege_free mbedtls_havege_free
+#define havege_init mbedtls_havege_init
+#define havege_poll mbedtls_havege_poll
+#define havege_random mbedtls_havege_random
+#define havege_state mbedtls_havege_state
+#define hmac_drbg_context mbedtls_hmac_drbg_context
+#define hmac_drbg_free mbedtls_hmac_drbg_free
+#define hmac_drbg_init mbedtls_hmac_drbg_init
+#define hmac_drbg_random mbedtls_hmac_drbg_random
+#define hmac_drbg_random_with_add mbedtls_hmac_drbg_random_with_add
+#define hmac_drbg_reseed mbedtls_hmac_drbg_reseed
+#define hmac_drbg_self_test mbedtls_hmac_drbg_self_test
+#define hmac_drbg_set_entropy_len mbedtls_hmac_drbg_set_entropy_len
+#define hmac_drbg_set_prediction_resistance mbedtls_hmac_drbg_set_prediction_resistance
+#define hmac_drbg_set_reseed_interval mbedtls_hmac_drbg_set_reseed_interval
+#define hmac_drbg_update mbedtls_hmac_drbg_update
+#define hmac_drbg_update_seed_file mbedtls_hmac_drbg_update_seed_file
+#define hmac_drbg_write_seed_file mbedtls_hmac_drbg_write_seed_file
+#define hr_time mbedtls_timing_hr_time
+#define key_exchange_type_t mbedtls_key_exchange_type_t
+#define md mbedtls_md
+#define md2 mbedtls_md2
+#define md2_context mbedtls_md2_context
+#define md2_finish mbedtls_md2_finish
+#define md2_free mbedtls_md2_free
+#define md2_info mbedtls_md2_info
+#define md2_init mbedtls_md2_init
+#define md2_process mbedtls_md2_process
+#define md2_self_test mbedtls_md2_self_test
+#define md2_starts mbedtls_md2_starts
+#define md2_update mbedtls_md2_update
+#define md4 mbedtls_md4
+#define md4_context mbedtls_md4_context
+#define md4_finish mbedtls_md4_finish
+#define md4_free mbedtls_md4_free
+#define md4_info mbedtls_md4_info
+#define md4_init mbedtls_md4_init
+#define md4_process mbedtls_md4_process
+#define md4_self_test mbedtls_md4_self_test
+#define md4_starts mbedtls_md4_starts
+#define md4_update mbedtls_md4_update
+#define md5 mbedtls_md5
+#define md5_context mbedtls_md5_context
+#define md5_finish mbedtls_md5_finish
+#define md5_free mbedtls_md5_free
+#define md5_info mbedtls_md5_info
+#define md5_init mbedtls_md5_init
+#define md5_process mbedtls_md5_process
+#define md5_self_test mbedtls_md5_self_test
+#define md5_starts mbedtls_md5_starts
+#define md5_update mbedtls_md5_update
+#define md_context_t mbedtls_md_context_t
+#define md_file mbedtls_md_file
+#define md_finish mbedtls_md_finish
+#define md_free mbedtls_md_free
+#define md_get_name mbedtls_md_get_name
+#define md_get_size mbedtls_md_get_size
+#define md_get_type mbedtls_md_get_type
+#define md_hmac mbedtls_md_hmac
+#define md_hmac_finish mbedtls_md_hmac_finish
+#define md_hmac_reset mbedtls_md_hmac_reset
+#define md_hmac_starts mbedtls_md_hmac_starts
+#define md_hmac_update mbedtls_md_hmac_update
+#define md_info_from_string mbedtls_md_info_from_string
+#define md_info_from_type mbedtls_md_info_from_type
+#define md_info_t mbedtls_md_info_t
+#define md_init mbedtls_md_init
+#define md_init_ctx mbedtls_md_init_ctx
+#define md_list mbedtls_md_list
+#define md_process mbedtls_md_process
+#define md_starts mbedtls_md_starts
+#define md_type_t mbedtls_md_type_t
+#define md_update mbedtls_md_update
+#define memory_buffer_alloc_cur_get mbedtls_memory_buffer_alloc_cur_get
+#define memory_buffer_alloc_free mbedtls_memory_buffer_alloc_free
+#define memory_buffer_alloc_init mbedtls_memory_buffer_alloc_init
+#define memory_buffer_alloc_max_get mbedtls_memory_buffer_alloc_max_get
+#define memory_buffer_alloc_max_reset mbedtls_memory_buffer_alloc_max_reset
+#define memory_buffer_alloc_self_test mbedtls_memory_buffer_alloc_self_test
+#define memory_buffer_alloc_status mbedtls_memory_buffer_alloc_status
+#define memory_buffer_alloc_verify mbedtls_memory_buffer_alloc_verify
+#define memory_buffer_set_verify mbedtls_memory_buffer_set_verify
+#define mpi mbedtls_mpi
+#define mpi_add_abs mbedtls_mpi_add_abs
+#define mpi_add_int mbedtls_mpi_add_int
+#define mpi_add_mpi mbedtls_mpi_add_mpi
+#define mpi_cmp_abs mbedtls_mpi_cmp_abs
+#define mpi_cmp_int mbedtls_mpi_cmp_int
+#define mpi_cmp_mpi mbedtls_mpi_cmp_mpi
+#define mpi_copy mbedtls_mpi_copy
+#define mpi_div_int mbedtls_mpi_div_int
+#define mpi_div_mpi mbedtls_mpi_div_mpi
+#define mpi_exp_mod mbedtls_mpi_exp_mod
+#define mpi_fill_random mbedtls_mpi_fill_random
+#define mpi_free mbedtls_mpi_free
+#define mpi_gcd mbedtls_mpi_gcd
+#define mpi_gen_prime mbedtls_mpi_gen_prime
+#define mpi_get_bit mbedtls_mpi_get_bit
+#define mpi_grow mbedtls_mpi_grow
+#define mpi_init mbedtls_mpi_init
+#define mpi_inv_mod mbedtls_mpi_inv_mod
+#define mpi_is_prime mbedtls_mpi_is_prime
+#define mpi_lsb mbedtls_mpi_lsb
+#define mpi_lset mbedtls_mpi_lset
+#define mpi_mod_int mbedtls_mpi_mod_int
+#define mpi_mod_mpi mbedtls_mpi_mod_mpi
+#define mpi_msb mbedtls_mpi_bitlen
+#define mpi_mul_int mbedtls_mpi_mul_int
+#define mpi_mul_mpi mbedtls_mpi_mul_mpi
+#define mpi_read_binary mbedtls_mpi_read_binary
+#define mpi_read_file mbedtls_mpi_read_file
+#define mpi_read_string mbedtls_mpi_read_string
+#define mpi_safe_cond_assign mbedtls_mpi_safe_cond_assign
+#define mpi_safe_cond_swap mbedtls_mpi_safe_cond_swap
+#define mpi_self_test mbedtls_mpi_self_test
+#define mpi_set_bit mbedtls_mpi_set_bit
+#define mpi_shift_l mbedtls_mpi_shift_l
+#define mpi_shift_r mbedtls_mpi_shift_r
+#define mpi_shrink mbedtls_mpi_shrink
+#define mpi_size mbedtls_mpi_size
+#define mpi_sub_abs mbedtls_mpi_sub_abs
+#define mpi_sub_int mbedtls_mpi_sub_int
+#define mpi_sub_mpi mbedtls_mpi_sub_mpi
+#define mpi_swap mbedtls_mpi_swap
+#define mpi_write_binary mbedtls_mpi_write_binary
+#define mpi_write_file mbedtls_mpi_write_file
+#define mpi_write_string mbedtls_mpi_write_string
+#define net_accept mbedtls_net_accept
+#define net_bind mbedtls_net_bind
+#define net_close mbedtls_net_free
+#define net_connect mbedtls_net_connect
+#define net_recv mbedtls_net_recv
+#define net_recv_timeout mbedtls_net_recv_timeout
+#define net_send mbedtls_net_send
+#define net_set_block mbedtls_net_set_block
+#define net_set_nonblock mbedtls_net_set_nonblock
+#define net_usleep mbedtls_net_usleep
+#define oid_descriptor_t mbedtls_oid_descriptor_t
+#define oid_get_attr_short_name mbedtls_oid_get_attr_short_name
+#define oid_get_cipher_alg mbedtls_oid_get_cipher_alg
+#define oid_get_ec_grp mbedtls_oid_get_ec_grp
+#define oid_get_extended_key_usage mbedtls_oid_get_extended_key_usage
+#define oid_get_md_alg mbedtls_oid_get_md_alg
+#define oid_get_numeric_string mbedtls_oid_get_numeric_string
+#define oid_get_oid_by_ec_grp mbedtls_oid_get_oid_by_ec_grp
+#define oid_get_oid_by_md mbedtls_oid_get_oid_by_md
+#define oid_get_oid_by_pk_alg mbedtls_oid_get_oid_by_pk_alg
+#define oid_get_oid_by_sig_alg mbedtls_oid_get_oid_by_sig_alg
+#define oid_get_pk_alg mbedtls_oid_get_pk_alg
+#define oid_get_pkcs12_pbe_alg mbedtls_oid_get_pkcs12_pbe_alg
+#define oid_get_sig_alg mbedtls_oid_get_sig_alg
+#define oid_get_sig_alg_desc mbedtls_oid_get_sig_alg_desc
+#define oid_get_x509_ext_type mbedtls_oid_get_x509_ext_type
+#define operation_t mbedtls_operation_t
+#define padlock_supports mbedtls_padlock_has_support
+#define padlock_xcryptcbc mbedtls_padlock_xcryptcbc
+#define padlock_xcryptecb mbedtls_padlock_xcryptecb
+#define pem_context mbedtls_pem_context
+#define pem_free mbedtls_pem_free
+#define pem_init mbedtls_pem_init
+#define pem_read_buffer mbedtls_pem_read_buffer
+#define pem_write_buffer mbedtls_pem_write_buffer
+#define pk_can_do mbedtls_pk_can_do
+#define pk_check_pair mbedtls_pk_check_pair
+#define pk_context mbedtls_pk_context
+#define pk_debug mbedtls_pk_debug
+#define pk_debug_item mbedtls_pk_debug_item
+#define pk_debug_type mbedtls_pk_debug_type
+#define pk_decrypt mbedtls_pk_decrypt
+#define pk_ec mbedtls_pk_ec
+#define pk_encrypt mbedtls_pk_encrypt
+#define pk_free mbedtls_pk_free
+#define pk_get_len mbedtls_pk_get_len
+#define pk_get_name mbedtls_pk_get_name
+#define pk_get_size mbedtls_pk_get_bitlen
+#define pk_get_type mbedtls_pk_get_type
+#define pk_info_from_type mbedtls_pk_info_from_type
+#define pk_info_t mbedtls_pk_info_t
+#define pk_init mbedtls_pk_init
+#define pk_init_ctx mbedtls_pk_setup
+#define pk_init_ctx_rsa_alt mbedtls_pk_setup_rsa_alt
+#define pk_load_file mbedtls_pk_load_file
+#define pk_parse_key mbedtls_pk_parse_key
+#define pk_parse_keyfile mbedtls_pk_parse_keyfile
+#define pk_parse_public_key mbedtls_pk_parse_public_key
+#define pk_parse_public_keyfile mbedtls_pk_parse_public_keyfile
+#define pk_parse_subpubkey mbedtls_pk_parse_subpubkey
+#define pk_rsa mbedtls_pk_rsa
+#define pk_rsa_alt_decrypt_func mbedtls_pk_rsa_alt_decrypt_func
+#define pk_rsa_alt_key_len_func mbedtls_pk_rsa_alt_key_len_func
+#define pk_rsa_alt_sign_func mbedtls_pk_rsa_alt_sign_func
+#define pk_rsassa_pss_options mbedtls_pk_rsassa_pss_options
+#define pk_sign mbedtls_pk_sign
+#define pk_type_t mbedtls_pk_type_t
+#define pk_verify mbedtls_pk_verify
+#define pk_verify_ext mbedtls_pk_verify_ext
+#define pk_write_key_der mbedtls_pk_write_key_der
+#define pk_write_key_pem mbedtls_pk_write_key_pem
+#define pk_write_pubkey mbedtls_pk_write_pubkey
+#define pk_write_pubkey_der mbedtls_pk_write_pubkey_der
+#define pk_write_pubkey_pem mbedtls_pk_write_pubkey_pem
+#define pkcs11_context mbedtls_pkcs11_context
+#define pkcs11_decrypt mbedtls_pkcs11_decrypt
+#define pkcs11_priv_key_free mbedtls_pkcs11_priv_key_free
+#define pkcs11_priv_key_init mbedtls_pkcs11_priv_key_bind
+#define pkcs11_sign mbedtls_pkcs11_sign
+#define pkcs11_x509_cert_init mbedtls_pkcs11_x509_cert_bind
+#define pkcs12_derivation mbedtls_pkcs12_derivation
+#define pkcs12_pbe mbedtls_pkcs12_pbe
+#define pkcs12_pbe_sha1_rc4_128 mbedtls_pkcs12_pbe_sha1_rc4_128
+#define pkcs5_pbes2 mbedtls_pkcs5_pbes2
+#define pkcs5_pbkdf2_hmac mbedtls_pkcs5_pbkdf2_hmac
+#define pkcs5_self_test mbedtls_pkcs5_self_test
+#define platform_entropy_poll mbedtls_platform_entropy_poll
+#define platform_set_exit mbedtls_platform_set_exit
+#define platform_set_fprintf mbedtls_platform_set_fprintf
+#define platform_set_printf mbedtls_platform_set_printf
+#define platform_set_snprintf mbedtls_platform_set_snprintf
+#define polarssl_exit mbedtls_exit
+#define polarssl_fprintf mbedtls_fprintf
+#define polarssl_free mbedtls_free
+#define polarssl_mutex_free mbedtls_mutex_free
+#define polarssl_mutex_init mbedtls_mutex_init
+#define polarssl_mutex_lock mbedtls_mutex_lock
+#define polarssl_mutex_unlock mbedtls_mutex_unlock
+#define polarssl_printf mbedtls_printf
+#define polarssl_snprintf mbedtls_snprintf
+#define polarssl_strerror mbedtls_strerror
+#define ripemd160 mbedtls_ripemd160
+#define ripemd160_context mbedtls_ripemd160_context
+#define ripemd160_finish mbedtls_ripemd160_finish
+#define ripemd160_free mbedtls_ripemd160_free
+#define ripemd160_info mbedtls_ripemd160_info
+#define ripemd160_init mbedtls_ripemd160_init
+#define ripemd160_process mbedtls_ripemd160_process
+#define ripemd160_self_test mbedtls_ripemd160_self_test
+#define ripemd160_starts mbedtls_ripemd160_starts
+#define ripemd160_update mbedtls_ripemd160_update
+#define rsa_alt_context mbedtls_rsa_alt_context
+#define rsa_alt_info mbedtls_rsa_alt_info
+#define rsa_check_privkey mbedtls_rsa_check_privkey
+#define rsa_check_pub_priv mbedtls_rsa_check_pub_priv
+#define rsa_check_pubkey mbedtls_rsa_check_pubkey
+#define rsa_context mbedtls_rsa_context
+#define rsa_copy mbedtls_rsa_copy
+#define rsa_free mbedtls_rsa_free
+#define rsa_gen_key mbedtls_rsa_gen_key
+#define rsa_info mbedtls_rsa_info
+#define rsa_init mbedtls_rsa_init
+#define rsa_pkcs1_decrypt mbedtls_rsa_pkcs1_decrypt
+#define rsa_pkcs1_encrypt mbedtls_rsa_pkcs1_encrypt
+#define rsa_pkcs1_sign mbedtls_rsa_pkcs1_sign
+#define rsa_pkcs1_verify mbedtls_rsa_pkcs1_verify
+#define rsa_private mbedtls_rsa_private
+#define rsa_public mbedtls_rsa_public
+#define rsa_rsaes_oaep_decrypt mbedtls_rsa_rsaes_oaep_decrypt
+#define rsa_rsaes_oaep_encrypt mbedtls_rsa_rsaes_oaep_encrypt
+#define rsa_rsaes_pkcs1_v15_decrypt mbedtls_rsa_rsaes_pkcs1_v15_decrypt
+#define rsa_rsaes_pkcs1_v15_encrypt mbedtls_rsa_rsaes_pkcs1_v15_encrypt
+#define rsa_rsassa_pkcs1_v15_sign mbedtls_rsa_rsassa_pkcs1_v15_sign
+#define rsa_rsassa_pkcs1_v15_verify mbedtls_rsa_rsassa_pkcs1_v15_verify
+#define rsa_rsassa_pss_sign mbedtls_rsa_rsassa_pss_sign
+#define rsa_rsassa_pss_verify mbedtls_rsa_rsassa_pss_verify
+#define rsa_rsassa_pss_verify_ext mbedtls_rsa_rsassa_pss_verify_ext
+#define rsa_self_test mbedtls_rsa_self_test
+#define rsa_set_padding mbedtls_rsa_set_padding
+#define safer_memcmp mbedtls_ssl_safer_memcmp
+#define set_alarm mbedtls_set_alarm
+#define sha1 mbedtls_sha1
+#define sha1_context mbedtls_sha1_context
+#define sha1_finish mbedtls_sha1_finish
+#define sha1_free mbedtls_sha1_free
+#define sha1_info mbedtls_sha1_info
+#define sha1_init mbedtls_sha1_init
+#define sha1_process mbedtls_sha1_process
+#define sha1_self_test mbedtls_sha1_self_test
+#define sha1_starts mbedtls_sha1_starts
+#define sha1_update mbedtls_sha1_update
+#define sha224_info mbedtls_sha224_info
+#define sha256 mbedtls_sha256
+#define sha256_context mbedtls_sha256_context
+#define sha256_finish mbedtls_sha256_finish
+#define sha256_free mbedtls_sha256_free
+#define sha256_info mbedtls_sha256_info
+#define sha256_init mbedtls_sha256_init
+#define sha256_process mbedtls_sha256_process
+#define sha256_self_test mbedtls_sha256_self_test
+#define sha256_starts mbedtls_sha256_starts
+#define sha256_update mbedtls_sha256_update
+#define sha384_info mbedtls_sha384_info
+#define sha512 mbedtls_sha512
+#define sha512_context mbedtls_sha512_context
+#define sha512_finish mbedtls_sha512_finish
+#define sha512_free mbedtls_sha512_free
+#define sha512_info mbedtls_sha512_info
+#define sha512_init mbedtls_sha512_init
+#define sha512_process mbedtls_sha512_process
+#define sha512_self_test mbedtls_sha512_self_test
+#define sha512_starts mbedtls_sha512_starts
+#define sha512_update mbedtls_sha512_update
+#define source_state mbedtls_entropy_source_state
+#define ssl_cache_context mbedtls_ssl_cache_context
+#define ssl_cache_entry mbedtls_ssl_cache_entry
+#define ssl_cache_free mbedtls_ssl_cache_free
+#define ssl_cache_get mbedtls_ssl_cache_get
+#define ssl_cache_init mbedtls_ssl_cache_init
+#define ssl_cache_set mbedtls_ssl_cache_set
+#define ssl_cache_set_max_entries mbedtls_ssl_cache_set_max_entries
+#define ssl_cache_set_timeout mbedtls_ssl_cache_set_timeout
+#define ssl_check_cert_usage mbedtls_ssl_check_cert_usage
+#define ssl_ciphersuite_from_id mbedtls_ssl_ciphersuite_from_id
+#define ssl_ciphersuite_from_string mbedtls_ssl_ciphersuite_from_string
+#define ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define ssl_ciphersuite_uses_ec mbedtls_ssl_ciphersuite_uses_ec
+#define ssl_ciphersuite_uses_psk mbedtls_ssl_ciphersuite_uses_psk
+#define ssl_close_notify mbedtls_ssl_close_notify
+#define ssl_context mbedtls_ssl_context
+#define ssl_cookie_check mbedtls_ssl_cookie_check
+#define ssl_cookie_check_t mbedtls_ssl_cookie_check_t
+#define ssl_cookie_ctx mbedtls_ssl_cookie_ctx
+#define ssl_cookie_free mbedtls_ssl_cookie_free
+#define ssl_cookie_init mbedtls_ssl_cookie_init
+#define ssl_cookie_set_timeout mbedtls_ssl_cookie_set_timeout
+#define ssl_cookie_setup mbedtls_ssl_cookie_setup
+#define ssl_cookie_write mbedtls_ssl_cookie_write
+#define ssl_cookie_write_t mbedtls_ssl_cookie_write_t
+#define ssl_derive_keys mbedtls_ssl_derive_keys
+#define ssl_dtls_replay_check mbedtls_ssl_dtls_replay_check
+#define ssl_dtls_replay_update mbedtls_ssl_dtls_replay_update
+#define ssl_fetch_input mbedtls_ssl_fetch_input
+#define ssl_flight_item mbedtls_ssl_flight_item
+#define ssl_flush_output mbedtls_ssl_flush_output
+#define ssl_free mbedtls_ssl_free
+#define ssl_get_alpn_protocol mbedtls_ssl_get_alpn_protocol
+#define ssl_get_bytes_avail mbedtls_ssl_get_bytes_avail
+#define ssl_get_ciphersuite mbedtls_ssl_get_ciphersuite
+#define ssl_get_ciphersuite_id mbedtls_ssl_get_ciphersuite_id
+#define ssl_get_ciphersuite_name mbedtls_ssl_get_ciphersuite_name
+#define ssl_get_ciphersuite_sig_pk_alg mbedtls_ssl_get_ciphersuite_sig_pk_alg
+#define ssl_get_peer_cert mbedtls_ssl_get_peer_cert
+#define ssl_get_record_expansion mbedtls_ssl_get_record_expansion
+#define ssl_get_session mbedtls_ssl_get_session
+#define ssl_get_verify_result mbedtls_ssl_get_verify_result
+#define ssl_get_version mbedtls_ssl_get_version
+#define ssl_handshake mbedtls_ssl_handshake
+#define ssl_handshake_client_step mbedtls_ssl_handshake_client_step
+#define ssl_handshake_free mbedtls_ssl_handshake_free
+#define ssl_handshake_params mbedtls_ssl_handshake_params
+#define ssl_handshake_server_step mbedtls_ssl_handshake_server_step
+#define ssl_handshake_step mbedtls_ssl_handshake_step
+#define ssl_handshake_wrapup mbedtls_ssl_handshake_wrapup
+#define ssl_hdr_len mbedtls_ssl_hdr_len
+#define ssl_hs_hdr_len mbedtls_ssl_hs_hdr_len
+#define ssl_hw_record_activate mbedtls_ssl_hw_record_activate
+#define ssl_hw_record_finish mbedtls_ssl_hw_record_finish
+#define ssl_hw_record_init mbedtls_ssl_hw_record_init
+#define ssl_hw_record_read mbedtls_ssl_hw_record_read
+#define ssl_hw_record_reset mbedtls_ssl_hw_record_reset
+#define ssl_hw_record_write mbedtls_ssl_hw_record_write
+#define ssl_init mbedtls_ssl_init
+#define ssl_key_cert mbedtls_ssl_key_cert
+#define ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation
+#define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites
+#define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash
+#define ssl_optimize_checksum mbedtls_ssl_optimize_checksum
+#define ssl_own_cert mbedtls_ssl_own_cert
+#define ssl_own_key mbedtls_ssl_own_key
+#define ssl_parse_certificate mbedtls_ssl_parse_certificate
+#define ssl_parse_change_cipher_spec mbedtls_ssl_parse_change_cipher_spec
+#define ssl_parse_finished mbedtls_ssl_parse_finished
+#define ssl_pk_alg_from_sig mbedtls_ssl_pk_alg_from_sig
+#define ssl_pkcs11_decrypt mbedtls_ssl_pkcs11_decrypt
+#define ssl_pkcs11_key_len mbedtls_ssl_pkcs11_key_len
+#define ssl_pkcs11_sign mbedtls_ssl_pkcs11_sign
+#define ssl_psk_derive_premaster mbedtls_ssl_psk_derive_premaster
+#define ssl_read mbedtls_ssl_read
+#define ssl_read_record mbedtls_ssl_read_record
+#define ssl_read_version mbedtls_ssl_read_version
+#define ssl_recv_flight_completed mbedtls_ssl_recv_flight_completed
+#define ssl_renegotiate mbedtls_ssl_renegotiate
+#define ssl_resend mbedtls_ssl_resend
+#define ssl_reset_checksum mbedtls_ssl_reset_checksum
+#define ssl_send_alert_message mbedtls_ssl_send_alert_message
+#define ssl_send_fatal_handshake_failure mbedtls_ssl_send_fatal_handshake_failure
+#define ssl_send_flight_completed mbedtls_ssl_send_flight_completed
+#define ssl_session mbedtls_ssl_session
+#define ssl_session_free mbedtls_ssl_session_free
+#define ssl_session_init mbedtls_ssl_session_init
+#define ssl_session_reset mbedtls_ssl_session_reset
+#define ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols
+#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
+#define ssl_set_authmode mbedtls_ssl_conf_authmode
+#define ssl_set_bio mbedtls_ssl_set_bio
+#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
+#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
+#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
+#define ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version
+#define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
+#define ssl_set_curves mbedtls_ssl_conf_curves
+#define ssl_set_dbg mbedtls_ssl_conf_dbg
+#define ssl_set_dh_param mbedtls_ssl_conf_dh_param
+#define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
+#define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
+#define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
+#define ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies
+#define ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac
+#define ssl_set_endpoint mbedtls_ssl_conf_endpoint
+#define ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret
+#define ssl_set_fallback mbedtls_ssl_conf_fallback
+#define ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout
+#define ssl_set_hostname mbedtls_ssl_set_hostname
+#define ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len
+#define ssl_set_max_version mbedtls_ssl_conf_max_version
+#define ssl_set_min_version mbedtls_ssl_conf_min_version
+#define ssl_set_own_cert mbedtls_ssl_conf_own_cert
+#define ssl_set_psk mbedtls_ssl_conf_psk
+#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
+#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
+#define ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced
+#define ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period
+#define ssl_set_rng mbedtls_ssl_conf_rng
+#define ssl_set_session mbedtls_ssl_set_session
+#define ssl_set_session_cache mbedtls_ssl_conf_session_cache
+#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
+#define ssl_set_sni mbedtls_ssl_conf_sni
+#define ssl_set_transport mbedtls_ssl_conf_transport
+#define ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac
+#define ssl_set_verify mbedtls_ssl_conf_verify
+#define ssl_sig_from_pk mbedtls_ssl_sig_from_pk
+#define ssl_states mbedtls_ssl_states
+#define ssl_transform mbedtls_ssl_transform
+#define ssl_transform_free mbedtls_ssl_transform_free
+#define ssl_write mbedtls_ssl_write
+#define ssl_write_certificate mbedtls_ssl_write_certificate
+#define ssl_write_change_cipher_spec mbedtls_ssl_write_change_cipher_spec
+#define ssl_write_finished mbedtls_ssl_write_finished
+#define ssl_write_record mbedtls_ssl_write_record
+#define ssl_write_version mbedtls_ssl_write_version
+#define supported_ciphers mbedtls_cipher_supported
+#define t_sint mbedtls_mpi_sint
+#define t_udbl mbedtls_t_udbl
+#define t_uint mbedtls_mpi_uint
+#define test_ca_crt mbedtls_test_ca_crt
+#define test_ca_crt_ec mbedtls_test_ca_crt_ec
+#define test_ca_crt_rsa mbedtls_test_ca_crt_rsa
+#define test_ca_key mbedtls_test_ca_key
+#define test_ca_key_ec mbedtls_test_ca_key_ec
+#define test_ca_key_rsa mbedtls_test_ca_key_rsa
+#define test_ca_list mbedtls_test_cas_pem
+#define test_ca_pwd mbedtls_test_ca_pwd
+#define test_ca_pwd_ec mbedtls_test_ca_pwd_ec
+#define test_ca_pwd_rsa mbedtls_test_ca_pwd_rsa
+#define test_cli_crt mbedtls_test_cli_crt
+#define test_cli_crt_ec mbedtls_test_cli_crt_ec
+#define test_cli_crt_rsa mbedtls_test_cli_crt_rsa
+#define test_cli_key mbedtls_test_cli_key
+#define test_cli_key_ec mbedtls_test_cli_key_ec
+#define test_cli_key_rsa mbedtls_test_cli_key_rsa
+#define test_srv_crt mbedtls_test_srv_crt
+#define test_srv_crt_ec mbedtls_test_srv_crt_ec
+#define test_srv_crt_rsa mbedtls_test_srv_crt_rsa
+#define test_srv_key mbedtls_test_srv_key
+#define test_srv_key_ec mbedtls_test_srv_key_ec
+#define test_srv_key_rsa mbedtls_test_srv_key_rsa
+#define threading_mutex_t mbedtls_threading_mutex_t
+#define threading_set_alt mbedtls_threading_set_alt
+#define timing_self_test mbedtls_timing_self_test
+#define version_check_feature mbedtls_version_check_feature
+#define version_get_number mbedtls_version_get_number
+#define version_get_string mbedtls_version_get_string
+#define version_get_string_full mbedtls_version_get_string_full
+#define x509_bitstring mbedtls_x509_bitstring
+#define x509_buf mbedtls_x509_buf
+#define x509_crl mbedtls_x509_crl
+#define x509_crl_entry mbedtls_x509_crl_entry
+#define x509_crl_free mbedtls_x509_crl_free
+#define x509_crl_info mbedtls_x509_crl_info
+#define x509_crl_init mbedtls_x509_crl_init
+#define x509_crl_parse mbedtls_x509_crl_parse
+#define x509_crl_parse_der mbedtls_x509_crl_parse_der
+#define x509_crl_parse_file mbedtls_x509_crl_parse_file
+#define x509_crt mbedtls_x509_crt
+#define x509_crt_check_extended_key_usage mbedtls_x509_crt_check_extended_key_usage
+#define x509_crt_check_key_usage mbedtls_x509_crt_check_key_usage
+#define x509_crt_free mbedtls_x509_crt_free
+#define x509_crt_info mbedtls_x509_crt_info
+#define x509_crt_init mbedtls_x509_crt_init
+#define x509_crt_parse mbedtls_x509_crt_parse
+#define x509_crt_parse_der mbedtls_x509_crt_parse_der
+#define x509_crt_parse_file mbedtls_x509_crt_parse_file
+#define x509_crt_parse_path mbedtls_x509_crt_parse_path
+#define x509_crt_revoked mbedtls_x509_crt_is_revoked
+#define x509_crt_verify mbedtls_x509_crt_verify
+#define x509_csr mbedtls_x509_csr
+#define x509_csr_free mbedtls_x509_csr_free
+#define x509_csr_info mbedtls_x509_csr_info
+#define x509_csr_init mbedtls_x509_csr_init
+#define x509_csr_parse mbedtls_x509_csr_parse
+#define x509_csr_parse_der mbedtls_x509_csr_parse_der
+#define x509_csr_parse_file mbedtls_x509_csr_parse_file
+#define x509_dn_gets mbedtls_x509_dn_gets
+#define x509_get_alg mbedtls_x509_get_alg
+#define x509_get_alg_null mbedtls_x509_get_alg_null
+#define x509_get_ext mbedtls_x509_get_ext
+#define x509_get_name mbedtls_x509_get_name
+#define x509_get_rsassa_pss_params mbedtls_x509_get_rsassa_pss_params
+#define x509_get_serial mbedtls_x509_get_serial
+#define x509_get_sig mbedtls_x509_get_sig
+#define x509_get_sig_alg mbedtls_x509_get_sig_alg
+#define x509_get_time mbedtls_x509_get_time
+#define x509_key_size_helper mbedtls_x509_key_size_helper
+#define x509_name mbedtls_x509_name
+#define x509_self_test mbedtls_x509_self_test
+#define x509_sequence mbedtls_x509_sequence
+#define x509_serial_gets mbedtls_x509_serial_gets
+#define x509_set_extension mbedtls_x509_set_extension
+#define x509_sig_alg_gets mbedtls_x509_sig_alg_gets
+#define x509_string_to_names mbedtls_x509_string_to_names
+#define x509_time mbedtls_x509_time
+#define x509_time_expired mbedtls_x509_time_is_past
+#define x509_time_future mbedtls_x509_time_is_future
+#define x509_write_extensions mbedtls_x509_write_extensions
+#define x509_write_names mbedtls_x509_write_names
+#define x509_write_sig mbedtls_x509_write_sig
+#define x509write_cert mbedtls_x509write_cert
+#define x509write_crt_der mbedtls_x509write_crt_der
+#define x509write_crt_free mbedtls_x509write_crt_free
+#define x509write_crt_init mbedtls_x509write_crt_init
+#define x509write_crt_pem mbedtls_x509write_crt_pem
+#define x509write_crt_set_authority_key_identifier mbedtls_x509write_crt_set_authority_key_identifier
+#define x509write_crt_set_basic_constraints mbedtls_x509write_crt_set_basic_constraints
+#define x509write_crt_set_extension mbedtls_x509write_crt_set_extension
+#define x509write_crt_set_issuer_key mbedtls_x509write_crt_set_issuer_key
+#define x509write_crt_set_issuer_name mbedtls_x509write_crt_set_issuer_name
+#define x509write_crt_set_key_usage mbedtls_x509write_crt_set_key_usage
+#define x509write_crt_set_md_alg mbedtls_x509write_crt_set_md_alg
+#define x509write_crt_set_ns_cert_type mbedtls_x509write_crt_set_ns_cert_type
+#define x509write_crt_set_serial mbedtls_x509write_crt_set_serial
+#define x509write_crt_set_subject_key mbedtls_x509write_crt_set_subject_key
+#define x509write_crt_set_subject_key_identifier mbedtls_x509write_crt_set_subject_key_identifier
+#define x509write_crt_set_subject_name mbedtls_x509write_crt_set_subject_name
+#define x509write_crt_set_validity mbedtls_x509write_crt_set_validity
+#define x509write_crt_set_version mbedtls_x509write_crt_set_version
+#define x509write_csr mbedtls_x509write_csr
+#define x509write_csr_der mbedtls_x509write_csr_der
+#define x509write_csr_free mbedtls_x509write_csr_free
+#define x509write_csr_init mbedtls_x509write_csr_init
+#define x509write_csr_pem mbedtls_x509write_csr_pem
+#define x509write_csr_set_extension mbedtls_x509write_csr_set_extension
+#define x509write_csr_set_key mbedtls_x509write_csr_set_key
+#define x509write_csr_set_key_usage mbedtls_x509write_csr_set_key_usage
+#define x509write_csr_set_md_alg mbedtls_x509write_csr_set_md_alg
+#define x509write_csr_set_ns_cert_type mbedtls_x509write_csr_set_ns_cert_type
+#define x509write_csr_set_subject_name mbedtls_x509write_csr_set_subject_name
+#define xtea_context mbedtls_xtea_context
+#define xtea_crypt_cbc mbedtls_xtea_crypt_cbc
+#define xtea_crypt_ecb mbedtls_xtea_crypt_ecb
+#define xtea_free mbedtls_xtea_free
+#define xtea_init mbedtls_xtea_init
+#define xtea_self_test mbedtls_xtea_self_test
+#define xtea_setup mbedtls_xtea_setup
+
+#endif /* compat-1.3.h */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/config.h b/ctrtool/deps/libmbedtls/include/mbedtls/config.h
new file mode 100644
index 00000000..159163f9
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/config.h
@@ -0,0 +1,3344 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ *  This set of compile-time options may be used to enable
+ *  or disable features selectively, and reduce the global
+ *  memory footprint.
+ */
+/*
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ *      library/aria.c
+ *      library/timing.c
+ *      include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ *      MBEDTLS_AESNI_C
+ *      MBEDTLS_PADLOCK_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_NO_UDBL_DIVISION
+ *
+ * The platform lacks support for double-width integer division (64-bit
+ * division on a 32-bit platform, 128-bit division on a 64-bit platform).
+ *
+ * Used in:
+ *      include/mbedtls/bignum.h
+ *      library/bignum.c
+ *
+ * The bignum code uses double-width division to speed up some operations.
+ * Double-width division is often implemented in software that needs to
+ * be linked with the program. The presence of a double-width integer
+ * type is usually detected automatically through preprocessor macros,
+ * but the automatic detection cannot know whether the code needs to
+ * and can be linked with an implementation of division for that type.
+ * By default division is assumed to be usable if the type is present.
+ * Uncomment this option to prevent the use of double-width division.
+ *
+ * Note that division for the native integer type is always required.
+ * Furthermore, a 64-bit type is always required even on a 32-bit
+ * platform, but it need not support multiplication or division. In some
+ * cases it is also desirable to disable some double-width operations. For
+ * example, if double-width division is implemented in software, disabling
+ * it can reduce code size in some embedded targets.
+ */
+//#define MBEDTLS_NO_UDBL_DIVISION
+
+/**
+ * \def MBEDTLS_NO_64BIT_MULTIPLICATION
+ *
+ * The platform lacks support for 32x32 -> 64-bit multiplication.
+ *
+ * Used in:
+ *      library/poly1305.c
+ *
+ * Some parts of the library may use multiplication of two unsigned 32-bit
+ * operands with a 64-bit result in order to speed up computations. On some
+ * platforms, this is not available in hardware and has to be implemented in
+ * software, usually in a library provided by the toolchain.
+ *
+ * Sometimes it is not desirable to have to link to that library. This option
+ * removes the dependency of that library on platforms that lack a hardware
+ * 64-bit multiplier by embedding a software implementation in Mbed TLS.
+ *
+ * Note that depending on the compiler, this may decrease performance compared
+ * to using the library function provided by the toolchain.
+ */
+//#define MBEDTLS_NO_64BIT_MULTIPLICATION
+
+/**
+ * \def MBEDTLS_HAVE_SSE2
+ *
+ * CPU supports SSE2 instruction set.
+ *
+ * Uncomment if the CPU supports SSE2 (IA-32 specific).
+ */
+//#define MBEDTLS_HAVE_SSE2
+
+/**
+ * \def MBEDTLS_HAVE_TIME
+ *
+ * System has time.h and time().
+ * The time does not need to be correct, only time differences are used,
+ * by contrast with MBEDTLS_HAVE_TIME_DATE
+ *
+ * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
+ * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
+ * MBEDTLS_PLATFORM_STD_TIME.
+ *
+ * Comment if your system does not support time functions
+ */
+#define MBEDTLS_HAVE_TIME
+
+/**
+ * \def MBEDTLS_HAVE_TIME_DATE
+ *
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
+ * The time needs to be correct (not necessarily very accurate, but at least
+ * the date should be correct). This is used to verify the validity period of
+ * X.509 certificates.
+ *
+ * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
+ */
+#define MBEDTLS_HAVE_TIME_DATE
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+//#define MBEDTLS_PLATFORM_MEMORY
+
+/**
+ * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+ *
+ * Do not assign standard functions in the platform layer (e.g. calloc() to
+ * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
+ *
+ * This makes sure there are no linking errors on platforms that do not support
+ * these functions. You will HAVE to provide alternatives, either at runtime
+ * via the platform_set_xxx() functions or at compile time by setting
+ * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
+ * MBEDTLS_PLATFORM_XXX_MACRO.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Uncomment to prevent default assignment of standard functions in the
+ * platform layer.
+ */
+//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+/**
+ * \def MBEDTLS_PLATFORM_EXIT_ALT
+ *
+ * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
+ * function in the platform abstraction layer.
+ *
+ * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
+ * provide a function "mbedtls_platform_set_printf()" that allows you to set an
+ * alternative printf function pointer.
+ *
+ * All these define require MBEDTLS_PLATFORM_C to be defined!
+ *
+ * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
+ * it will be enabled automatically by check_config.h
+ *
+ * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
+ * MBEDTLS_PLATFORM_XXX_MACRO!
+ *
+ * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
+ *
+ * Uncomment a macro to enable alternate implementation of specific base
+ * platform function
+ */
+//#define MBEDTLS_PLATFORM_EXIT_ALT
+//#define MBEDTLS_PLATFORM_TIME_ALT
+//#define MBEDTLS_PLATFORM_FPRINTF_ALT
+//#define MBEDTLS_PLATFORM_PRINTF_ALT
+//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+//#define MBEDTLS_PLATFORM_NV_SEED_ALT
+//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
+
+/**
+ * \def MBEDTLS_DEPRECATED_WARNING
+ *
+ * Mark deprecated functions so that they generate a warning if used.
+ * Functions deprecated in one version will usually be removed in the next
+ * version. You can enable this to help you prepare the transition to a new
+ * major version by making sure your code is not using these functions.
+ *
+ * This only works with GCC and Clang. With other compilers, you may want to
+ * use MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Uncomment to get warnings on using deprecated functions.
+ */
+//#define MBEDTLS_DEPRECATED_WARNING
+
+/**
+ * \def MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Remove deprecated functions so that they generate an error if used.
+ * Functions deprecated in one version will usually be removed in the next
+ * version. You can enable this to help you prepare the transition to a new
+ * major version by making sure your code is not using these functions.
+ *
+ * Uncomment to get errors on using deprecated functions.
+ */
+//#define MBEDTLS_DEPRECATED_REMOVED
+
+/**
+ * \def MBEDTLS_CHECK_PARAMS
+ *
+ * This configuration option controls whether the library validates more of
+ * the parameters passed to it.
+ *
+ * When this flag is not defined, the library only attempts to validate an
+ * input parameter if: (1) they may come from the outside world (such as the
+ * network, the filesystem, etc.) or (2) not validating them could result in
+ * internal memory errors such as overflowing a buffer controlled by the
+ * library. On the other hand, it doesn't attempt to validate parameters whose
+ * values are fully controlled by the application (such as pointers).
+ *
+ * When this flag is defined, the library additionally attempts to validate
+ * parameters that are fully controlled by the application, and should always
+ * be valid if the application code is fully correct and trusted.
+ *
+ * For example, when a function accepts as input a pointer to a buffer that may
+ * contain untrusted data, and its documentation mentions that this pointer
+ * must not be NULL:
+ * - The pointer is checked to be non-NULL only if this option is enabled.
+ * - The content of the buffer is always validated.
+ *
+ * When this flag is defined, if a library function receives a parameter that
+ * is invalid:
+ * 1. The function will invoke the macro MBEDTLS_PARAM_FAILED().
+ * 2. If MBEDTLS_PARAM_FAILED() did not terminate the program, the function
+ *   will immediately return. If the function returns an Mbed TLS error code,
+ *   the error code in this case is MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
+ *
+ * When defining this flag, you also need to arrange a definition for
+ * MBEDTLS_PARAM_FAILED(). You can do this by any of the following methods:
+ * - By default, the library defines MBEDTLS_PARAM_FAILED() to call a
+ *   function mbedtls_param_failed(), but the library does not define this
+ *   function. If you do not make any other arrangements, you must provide
+ *   the function mbedtls_param_failed() in your application.
+ *   See `platform_util.h` for its prototype.
+ * - If you enable the macro #MBEDTLS_CHECK_PARAMS_ASSERT, then the
+ *   library defines #MBEDTLS_PARAM_FAILED(\c cond) to be `assert(cond)`.
+ *   You can still supply an alternative definition of
+ *   MBEDTLS_PARAM_FAILED(), which may call `assert`.
+ * - If you define a macro MBEDTLS_PARAM_FAILED() before including `config.h`
+ *   or you uncomment the definition of MBEDTLS_PARAM_FAILED() in `config.h`,
+ *   the library will call the macro that you defined and will not supply
+ *   its own version. Note that if MBEDTLS_PARAM_FAILED() calls `assert`,
+ *   you need to enable #MBEDTLS_CHECK_PARAMS_ASSERT so that library source
+ *   files include `<assert.h>`.
+ *
+ * Uncomment to enable validation of application-controlled parameters.
+ */
+//#define MBEDTLS_CHECK_PARAMS
+
+/**
+ * \def MBEDTLS_CHECK_PARAMS_ASSERT
+ *
+ * Allow MBEDTLS_PARAM_FAILED() to call `assert`, and make it default to
+ * `assert`. This macro is only used if #MBEDTLS_CHECK_PARAMS is defined.
+ *
+ * If this macro is not defined, then MBEDTLS_PARAM_FAILED() defaults to
+ * calling a function mbedtls_param_failed(). See the documentation of
+ * #MBEDTLS_CHECK_PARAMS for details.
+ *
+ * Uncomment to allow MBEDTLS_PARAM_FAILED() to call `assert`.
+ */
+//#define MBEDTLS_CHECK_PARAMS_ASSERT
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_TIMING_ALT
+ *
+ * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
+ * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
+ *
+ * Only works if you have MBEDTLS_TIMING_C enabled.
+ *
+ * You will need to provide a header "timing_alt.h" and an implementation at
+ * compile time.
+ */
+//#define MBEDTLS_TIMING_ALT
+
+/**
+ * \def MBEDTLS_AES_ALT
+ *
+ * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
+ * alternate core implementation of a symmetric crypto, an arithmetic or hash
+ * module (e.g. platform specific assembly optimized implementations). Keep
+ * in mind that the function prototypes should remain the same.
+ *
+ * This replaces the whole module. If you only want to replace one of the
+ * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
+ *
+ * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
+ * provide the "struct mbedtls_aes_context" definition and omit the base
+ * function declarations and implementations. "aes_alt.h" will be included from
+ * "aes.h" to include the new function definitions.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * module.
+ *
+ * \warning   MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
+ *            use constitutes a security risk. If possible, we recommend
+ *            avoiding dependencies on them, and considering stronger message
+ *            digests and ciphers instead.
+ *
+ */
+//#define MBEDTLS_AES_ALT
+//#define MBEDTLS_ARC4_ALT
+//#define MBEDTLS_ARIA_ALT
+//#define MBEDTLS_BLOWFISH_ALT
+//#define MBEDTLS_CAMELLIA_ALT
+//#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CHACHA20_ALT
+//#define MBEDTLS_CHACHAPOLY_ALT
+//#define MBEDTLS_CMAC_ALT
+//#define MBEDTLS_DES_ALT
+//#define MBEDTLS_DHM_ALT
+//#define MBEDTLS_ECJPAKE_ALT
+//#define MBEDTLS_GCM_ALT
+//#define MBEDTLS_NIST_KW_ALT
+//#define MBEDTLS_MD2_ALT
+//#define MBEDTLS_MD4_ALT
+//#define MBEDTLS_MD5_ALT
+//#define MBEDTLS_POLY1305_ALT
+//#define MBEDTLS_RIPEMD160_ALT
+//#define MBEDTLS_RSA_ALT
+//#define MBEDTLS_SHA1_ALT
+//#define MBEDTLS_SHA256_ALT
+//#define MBEDTLS_SHA512_ALT
+//#define MBEDTLS_XTEA_ALT
+
+/*
+ * When replacing the elliptic curve module, pleace consider, that it is
+ * implemented with two .c files:
+ *      - ecp.c
+ *      - ecp_curves.c
+ * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
+ * macros as described above. The only difference is that you have to make sure
+ * that you provide functionality for both .c files.
+ */
+//#define MBEDTLS_ECP_ALT
+
+/**
+ * \def MBEDTLS_MD2_PROCESS_ALT
+ *
+ * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
+ * alternate core implementation of symmetric crypto or hash function. Keep in
+ * mind that function prototypes should remain the same.
+ *
+ * This replaces only one function. The header file from mbed TLS is still
+ * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
+ *
+ * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
+ * no longer provide the mbedtls_sha1_process() function, but it will still provide
+ * the other function (using your mbedtls_sha1_process() function) and the definition
+ * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
+ * with this definition.
+ *
+ * \note Because of a signature change, the core AES encryption and decryption routines are
+ *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
+ *       respectively. When setting up alternative implementations, these functions should
+ *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
+ *       must stay untouched.
+ *
+ * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
+ *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
+ *       tables.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * function.
+ *
+ * \warning   MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
+ *            constitutes a security risk. If possible, we recommend avoiding
+ *            dependencies on them, and considering stronger message digests
+ *            and ciphers instead.
+ *
+ * \warning   If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
+ *            enabled, then the deterministic ECDH signature functions pass the
+ *            the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
+ *            alternative implementations should use the RNG only for generating
+ *            the ephemeral key and nothing else. If this is not possible, then
+ *            MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
+ *            implementation should be provided for mbedtls_ecdsa_sign_det_ext()
+ *            (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
+ *            desirable).
+ *
+ */
+//#define MBEDTLS_MD2_PROCESS_ALT
+//#define MBEDTLS_MD4_PROCESS_ALT
+//#define MBEDTLS_MD5_PROCESS_ALT
+//#define MBEDTLS_RIPEMD160_PROCESS_ALT
+//#define MBEDTLS_SHA1_PROCESS_ALT
+//#define MBEDTLS_SHA256_PROCESS_ALT
+//#define MBEDTLS_SHA512_PROCESS_ALT
+//#define MBEDTLS_DES_SETKEY_ALT
+//#define MBEDTLS_DES_CRYPT_ECB_ALT
+//#define MBEDTLS_DES3_CRYPT_ECB_ALT
+//#define MBEDTLS_AES_SETKEY_ENC_ALT
+//#define MBEDTLS_AES_SETKEY_DEC_ALT
+//#define MBEDTLS_AES_ENCRYPT_ALT
+//#define MBEDTLS_AES_DECRYPT_ALT
+//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
+//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
+//#define MBEDTLS_ECDSA_VERIFY_ALT
+//#define MBEDTLS_ECDSA_SIGN_ALT
+//#define MBEDTLS_ECDSA_GENKEY_ALT
+
+/**
+ * \def MBEDTLS_ECP_INTERNAL_ALT
+ *
+ * Expose a part of the internal interface of the Elliptic Curve Point module.
+ *
+ * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
+ * alternative core implementation of elliptic curve arithmetic. Keep in mind
+ * that function prototypes should remain the same.
+ *
+ * This partially replaces one function. The header file from mbed TLS is still
+ * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
+ * is still present and it is used for group structures not supported by the
+ * alternative.
+ *
+ * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
+ * and implementing the following functions:
+ *      unsigned char mbedtls_internal_ecp_grp_capable(
+ *          const mbedtls_ecp_group *grp )
+ *      int  mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
+ *      void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
+ * The mbedtls_internal_ecp_grp_capable function should return 1 if the
+ * replacement functions implement arithmetic for the given group and 0
+ * otherwise.
+ * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
+ * called before and after each point operation and provide an opportunity to
+ * implement optimized set up and tear down instructions.
+ *
+ * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
+ * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
+ * function, but will use your mbedtls_internal_ecp_double_jac if the group is
+ * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
+ * receives it as an argument). If the group is not supported then the original
+ * implementation is used. The other functions and the definition of
+ * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
+ * implementation of mbedtls_internal_ecp_double_jac and
+ * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * function.
+ */
+/* Required for all the functions in this section */
+//#define MBEDTLS_ECP_INTERNAL_ALT
+/* Support for Weierstrass curves with Jacobi representation */
+//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
+//#define MBEDTLS_ECP_ADD_MIXED_ALT
+//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
+//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
+//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
+/* Support for curves with Montgomery arithmetic */
+//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
+//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
+//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
+
+/**
+ * \def MBEDTLS_TEST_NULL_ENTROPY
+ *
+ * Enables testing and use of mbed TLS without any configured entropy sources.
+ * This permits use of the library on platforms before an entropy source has
+ * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
+ * MBEDTLS_ENTROPY_NV_SEED switches).
+ *
+ * WARNING! This switch MUST be disabled in production builds, and is suitable
+ * only for development.
+ * Enabling the switch negates any security provided by the library.
+ *
+ * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ *
+ */
+//#define MBEDTLS_TEST_NULL_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_HARDWARE_ALT
+ *
+ * Uncomment this macro to let mbed TLS use your own implementation of a
+ * hardware entropy collector.
+ *
+ * Your function must be called \c mbedtls_hardware_poll(), have the same
+ * prototype as declared in entropy_poll.h, and accept NULL as first argument.
+ *
+ * Uncomment to use your own hardware entropy collector.
+ */
+//#define MBEDTLS_ENTROPY_HARDWARE_ALT
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ *
+ */
+//#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+//#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
+ *
+ * Use less ROM for the Camellia implementation (saves about 768 bytes).
+ *
+ * Uncomment this macro to use less memory for Camellia.
+ */
+//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CBC
+ *
+ * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CBC
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CFB
+ *
+ * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CTR
+ *
+ * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CTR
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_OFB
+ *
+ * Enable Output Feedback mode (OFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_OFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
+/**
+ * \def MBEDTLS_CIPHER_NULL_CIPHER
+ *
+ * Enable NULL cipher.
+ * Warning: Only do so when you know what you are doing. This allows for
+ * encryption or channels without any security!
+ *
+ * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
+ * the following ciphersuites:
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_RSA_WITH_NULL_MD5
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA
+ *
+ * Uncomment this macro to enable the NULL cipher and ciphersuites
+ */
+//#define MBEDTLS_CIPHER_NULL_CIPHER
+
+/**
+ * \def MBEDTLS_CIPHER_PADDING_PKCS7
+ *
+ * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
+ * specific padding modes in the cipher layer with cipher modes that support
+ * padding (e.g. CBC)
+ *
+ * If you disable all padding modes, only full blocks can be used with CBC.
+ *
+ * Enable padding modes in the cipher layer.
+ */
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define MBEDTLS_CIPHER_PADDING_ZEROS
+
+/** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ *
+ * Uncomment this macro to use a 128-bit key in the CTR_DRBG module.
+ * By default, CTR_DRBG uses a 256-bit key.
+ */
+//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+
+/**
+ * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+ *
+ * Enable weak ciphersuites in SSL / TLS.
+ * Warning: Only do so when you know what you are doing. This allows for
+ * channels with virtually no security at all!
+ *
+ * This enables the following ciphersuites:
+ *      MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
+ *
+ * Uncomment this macro to enable weak ciphersuites
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on RC4 from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
+ * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
+ * explicitly.
+ *
+ * Uncomment this macro to remove RC4 ciphersuites by default.
+ */
+#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ *
+ * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
+ * module.  By default all supported curves are enabled.
+ *
+ * Comment macros to disable the curve and functions for it
+ */
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_ECP_RESTARTABLE
+ *
+ * Enable "non-blocking" ECC operations that can return early and be resumed.
+ *
+ * This allows various functions to pause by returning
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
+ * order to further progress and eventually complete their operation. This is
+ * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
+ * number of ECC operations a function may perform before pausing; see
+ * mbedtls_ecp_set_max_ops() for more information.
+ *
+ * This is useful in non-threaded environments if you want to avoid blocking
+ * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
+ *
+ * Uncomment this macro to enable restartable ECC computations.
+ *
+ * \note  This option only works with the default software implementation of
+ *        elliptic curve functionality. It is incompatible with
+ *        MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
+ */
+//#define MBEDTLS_ECP_RESTARTABLE
+
+/**
+ * \def MBEDTLS_ECDSA_DETERMINISTIC
+ *
+ * Enable deterministic ECDSA (RFC 6979).
+ * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
+ * may result in a compromise of the long-term signing key. This is avoided by
+ * the deterministic variant.
+ *
+ * Requires: MBEDTLS_HMAC_DRBG_C
+ *
+ * Comment this macro to disable deterministic ECDSA.
+ */
+#define MBEDTLS_ECDSA_DETERMINISTIC
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+ *
+ * Enable the PSK based ciphersuite modes in SSL / TLS.
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ *
+ * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_DHM_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ *
+ * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ *
+ * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+ *
+ * Enable the RSA-only based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+ */
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ *
+ * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ *
+ * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ *
+ * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ *
+ * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ *
+ * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+ *
+ * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
+ *
+ * \warning This is currently experimental. EC J-PAKE support is based on the
+ * Thread v1.0.0 specification; incompatible changes to the specification
+ * might still happen. For this reason, this is disabled by default.
+ *
+ * Requires: MBEDTLS_ECJPAKE_C
+ *           MBEDTLS_SHA256_C
+ *           MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+ */
+//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#define MBEDTLS_PK_PARSE_EC_EXTENDED
+
+/**
+ * \def MBEDTLS_ERROR_STRERROR_DUMMY
+ *
+ * Enable a dummy error function to make use of mbedtls_strerror() in
+ * third party libraries easier when MBEDTLS_ERROR_C is disabled
+ * (no effect when MBEDTLS_ERROR_C is enabled).
+ *
+ * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
+ * not using mbedtls_strerror() or error_strerror() in your application.
+ *
+ * Disable if you run into name conflicts and want to really remove the
+ * mbedtls_strerror()
+ */
+#define MBEDTLS_ERROR_STRERROR_DUMMY
+
+/**
+ * \def MBEDTLS_GENPRIME
+ *
+ * Enable the prime-number generation code.
+ *
+ * Requires: MBEDTLS_BIGNUM_C
+ */
+#define MBEDTLS_GENPRIME
+
+/**
+ * \def MBEDTLS_FS_IO
+ *
+ * Enable functions that use the filesystem.
+ */
+#define MBEDTLS_FS_IO
+
+/**
+ * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ *
+ * Do not add default entropy sources. These are the platform specific,
+ * mbedtls_timing_hardclock and HAVEGE based poll functions.
+ *
+ * This is useful to have more control over the added entropy sources in an
+ * application.
+ *
+ * Uncomment this macro to prevent loading of default entropy functions.
+ */
+//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+//#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_FORCE_SHA256
+ *
+ * Force the entropy accumulator to use a SHA-256 accumulator instead of the
+ * default SHA-512 based one (if both are available).
+ *
+ * Requires: MBEDTLS_SHA256_C
+ *
+ * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
+ * if you have performance concerns.
+ *
+ * This option is only useful if both MBEDTLS_SHA256_C and
+ * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
+ */
+//#define MBEDTLS_ENTROPY_FORCE_SHA256
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ *       determined in the platform layer, and can be modified at runtime and/or
+ *       compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ *       with regular fopen(), please make sure you make a seedfile with the
+ *       proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ *       least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ *       and written to or you will get an entropy source error! The default
+ *       implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ *       bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ *       given to an external source, to update it.
+ */
+//#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_MEMORY_DEBUG
+ *
+ * Enable debugging of buffer allocator memory issues. Automatically prints
+ * (to stderr) all (fatal) messages on memory allocation issues. Enables
+ * function for 'debug output' of allocated memory.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Uncomment this macro to let the buffer allocator print out error messages.
+ */
+//#define MBEDTLS_MEMORY_DEBUG
+
+/**
+ * \def MBEDTLS_MEMORY_BACKTRACE
+ *
+ * Include backtrace information with each allocated block.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *           GLIBC-compatible backtrace() an backtrace_symbols() support
+ *
+ * Uncomment this macro to include backtrace information
+ */
+//#define MBEDTLS_MEMORY_BACKTRACE
+
+/**
+ * \def MBEDTLS_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+
+/**
+ * \def MBEDTLS_PKCS1_V15
+ *
+ * Enable support for PKCS#1 v1.5 encoding.
+ *
+ * Requires: MBEDTLS_RSA_C
+ *
+ * This enables support for PKCS#1 v1.5 operations.
+ */
+#define MBEDTLS_PKCS1_V15
+
+/**
+ * \def MBEDTLS_PKCS1_V21
+ *
+ * Enable support for PKCS#1 v2.1 encoding.
+ *
+ * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
+ *
+ * This enables support for RSAES-OAEP and RSASSA-PSS operations.
+ */
+#define MBEDTLS_PKCS1_V21
+
+/**
+ * \def MBEDTLS_RSA_NO_CRT
+ *
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
+ *
+ * Uncomment this macro to disable the use of CRT in RSA.
+ *
+ */
+#define MBEDTLS_RSA_NO_CRT
+
+/**
+ * \def MBEDTLS_SELF_TEST
+ *
+ * Enable the checkup functions (*_self_test).
+ */
+#define MBEDTLS_SELF_TEST
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonnable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+//#define MBEDTLS_SHA256_SMALLER
+
+/**
+ * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
+ *
+ * Enable sending of alert messages in case of encountered errors as per RFC.
+ * If you choose not to send the alert messages, mbed TLS can still communicate
+ * with other servers, only debugging of failures is harder.
+ *
+ * The advantage of not sending alert messages, is that no information is given
+ * about reasons for failures thus preventing adversaries of gaining intel.
+ *
+ * Enable sending of all alert messages
+ */
+#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
+
+/**
+ * \def MBEDTLS_SSL_ASYNC_PRIVATE
+ *
+ * Enable asynchronous external private key operations in SSL. This allows
+ * you to configure an SSL connection to call an external cryptographic
+ * module to perform private key operations instead of performing the
+ * operation inside the library.
+ *
+ */
+//#define MBEDTLS_SSL_ASYNC_PRIVATE
+
+/**
+ * \def MBEDTLS_SSL_DEBUG_ALL
+ *
+ * Enable the debug messages in SSL module for all issues.
+ * Debug messages have been disabled in some places to prevent timing
+ * attacks due to (unbalanced) debugging function calls.
+ *
+ * If you need all error reporting you should enable this during debugging,
+ * but remove this for production servers that should log as well.
+ *
+ * Uncomment this macro to report all debug messages on errors introducing
+ * a timing side-channel.
+ *
+ */
+//#define MBEDTLS_SSL_DEBUG_ALL
+
+/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ *
+ * Enable support for Encrypt-then-MAC, RFC 7366.
+ *
+ * This allows peers that both support it to use a more robust protection for
+ * ciphersuites using CBC, providing deep resistance against timing attacks
+ * on the padding or underlying cipher.
+ *
+ * This only affects CBC ciphersuites, and is useless if none is defined.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1    or
+ *           MBEDTLS_SSL_PROTO_TLS1_1  or
+ *           MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Encrypt-then-MAC
+ */
+#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
+
+/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+ *
+ * Enable support for Extended Master Secret, aka Session Hash
+ * (draft-ietf-tls-session-hash-02).
+ *
+ * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * attacks, but it is recommended to always use it (even if you disable
+ * renegotiation), since it actually fixes a more fundamental issue in the
+ * original SSL/TLS design, and has implications beyond Triple Handshake.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1    or
+ *           MBEDTLS_SSL_PROTO_TLS1_1  or
+ *           MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Extended Master Secret.
+ */
+#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+
+/**
+ * \def MBEDTLS_SSL_FALLBACK_SCSV
+ *
+ * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ *
+ * For servers, it is recommended to always enable this, unless you support
+ * only one version of TLS, or know for sure that none of your clients
+ * implements a fallback strategy.
+ *
+ * For clients, you only need this if you're using a fallback strategy, which
+ * is not recommended in the first place, unless you absolutely need it to
+ * interoperate with buggy (version-intolerant) servers.
+ *
+ * Comment this macro to disable support for FALLBACK_SCSV
+ */
+#define MBEDTLS_SSL_FALLBACK_SCSV
+
+/**
+ * \def MBEDTLS_SSL_HW_RECORD_ACCEL
+ *
+ * Enable hooking functions in SSL module for hardware acceleration of
+ * individual records.
+ *
+ * Uncomment this macro to enable hooking functions.
+ */
+//#define MBEDTLS_SSL_HW_RECORD_ACCEL
+
+/**
+ * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
+ *
+ * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
+ *
+ * This is a countermeasure to the BEAST attack, which also minimizes the risk
+ * of interoperability issues compared to sending 0-length records.
+ *
+ * Comment this macro to disable 1/n-1 record splitting.
+ */
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
+
+/**
+ * \def MBEDTLS_SSL_RENEGOTIATION
+ *
+ * Enable support for TLS renegotiation.
+ *
+ * The two main uses of renegotiation are (1) refresh keys on long-lived
+ * connections and (2) client authentication after the initial handshake.
+ * If you don't need renegotiation, it's probably better to disable it, since
+ * it has been associated with security issues in the past and is easy to
+ * misuse/misunderstand.
+ *
+ * Comment this to disable support for renegotiation.
+ *
+ * \note   Even if this option is disabled, both client and server are aware
+ *         of the Renegotiation Indication Extension (RFC 5746) used to
+ *         prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
+ *         (See \c mbedtls_ssl_conf_legacy_renegotiation for the
+ *          configuration of this extension).
+ *
+ */
+#define MBEDTLS_SSL_RENEGOTIATION
+
+/**
+ * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+ *
+ * Enable support for receiving and parsing SSLv2 Client Hello messages for the
+ * SSL Server module (MBEDTLS_SSL_SRV_C).
+ *
+ * Uncomment this macro to enable support for SSLv2 Client Hello messages.
+ */
+//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+
+/**
+ * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+ *
+ * Pick the ciphersuite according to the client's preferences rather than ours
+ * in the SSL Server module (MBEDTLS_SSL_SRV_C).
+ *
+ * Uncomment this macro to respect client's ciphersuite order
+ */
+//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+
+/**
+ * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+ *
+ * Enable support for RFC 6066 max_fragment_length extension in SSL.
+ *
+ * Comment this macro to disable support for the max_fragment_length extension
+ */
+#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+
+/**
+ * \def MBEDTLS_SSL_PROTO_SSL3
+ *
+ * Enable support for SSL 3.0.
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for SSL 3.0
+ */
+//#define MBEDTLS_SSL_PROTO_SSL3
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1
+ *
+ * Enable support for TLS 1.0.
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.0
+ */
+#define MBEDTLS_SSL_PROTO_TLS1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_1
+ *
+ * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
+ */
+#define MBEDTLS_SSL_PROTO_TLS1_1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
+ *
+ * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
+ *           (Depends on ciphersuites)
+ *
+ * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
+ */
+#define MBEDTLS_SSL_PROTO_TLS1_2
+
+/**
+ * \def MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Enable support for DTLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ *        or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for DTLS
+ */
+#define MBEDTLS_SSL_PROTO_DTLS
+
+/**
+ * \def MBEDTLS_SSL_ALPN
+ *
+ * Enable support for RFC 7301 Application Layer Protocol Negotiation.
+ *
+ * Comment this macro to disable support for ALPN.
+ */
+#define MBEDTLS_SSL_ALPN
+
+/**
+ * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
+ *
+ * Enable support for the anti-replay mechanism in DTLS.
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *           MBEDTLS_SSL_PROTO_DTLS
+ *
+ * \warning Disabling this is often a security risk!
+ * See mbedtls_ssl_conf_dtls_anti_replay() for details.
+ *
+ * Comment this to disable anti-replay in DTLS.
+ */
+#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * \warning Disabling this can ba a security risk! (see above)
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+ *
+ * Enable server-side support for clients that reconnect from the same port.
+ *
+ * Some clients unexpectedly close the connection and try to reconnect using the
+ * same source port. This needs special support from the server to handle the
+ * new connection securely, as described in section 4.2.8 of RFC 6347. This
+ * flag enables that support.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Comment this to disable support for clients reusing the source port.
+ */
+#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+
+/**
+ * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+ *
+ * Enable support for a limit of records with bad MAC.
+ *
+ * See mbedtls_ssl_conf_dtls_badmac_limit().
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ */
+#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+
+/**
+ * \def MBEDTLS_SSL_SESSION_TICKETS
+ *
+ * Enable support for RFC 5077 session tickets in SSL.
+ * Client-side, provides full support for session tickets (maintenance of a
+ * session store remains the responsibility of the application, though).
+ * Server-side, you also need to provide callbacks for writing and parsing
+ * tickets, including authenticated encryption and key management. Example
+ * callbacks are provided by MBEDTLS_SSL_TICKET_C.
+ *
+ * Comment this macro to disable support for SSL session tickets
+ */
+#define MBEDTLS_SSL_SESSION_TICKETS
+
+/**
+ * \def MBEDTLS_SSL_EXPORT_KEYS
+ *
+ * Enable support for exporting key block and master secret.
+ * This is required for certain users of TLS, e.g. EAP-TLS.
+ *
+ * Comment this macro to disable support for key export
+ */
+#define MBEDTLS_SSL_EXPORT_KEYS
+
+/**
+ * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
+ *
+ * Enable support for RFC 6066 server name indication (SNI) in SSL.
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Comment this macro to disable support for server name indication in SSL
+ */
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC
+ *
+ * Enable support for RFC 6066 truncated HMAC in SSL.
+ *
+ * Comment this macro to disable support for truncated HMAC in SSL
+ */
+#define MBEDTLS_SSL_TRUNCATED_HMAC
+
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+ *
+ * Fallback to old (pre-2.7), non-conforming implementation of the truncated
+ * HMAC extension which also truncates the HMAC key. Note that this option is
+ * only meant for a transitory upgrade period and is likely to be removed in
+ * a future version of the library.
+ *
+ * \warning The old implementation is non-compliant and has a security weakness
+ *          (2^80 brute force attack on the HMAC key used for a single,
+ *          uninterrupted connection). This should only be enabled temporarily
+ *          when (1) the use of truncated HMAC is essential in order to save
+ *          bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
+ *          the fixed implementation yet (pre-2.7).
+ *
+ * \deprecated This option is deprecated and will likely be removed in a
+ *             future version of Mbed TLS.
+ *
+ * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
+ *
+ * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
+ */
+//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+
+/**
+ * \def MBEDTLS_THREADING_ALT
+ *
+ * Provide your own alternate threading implementation.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to allow your own alternate threading implementation.
+ */
+//#define MBEDTLS_THREADING_ALT
+
+/**
+ * \def MBEDTLS_THREADING_PTHREAD
+ *
+ * Enable the pthread wrapper layer for the threading layer.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to enable pthread mutexes.
+ */
+//#define MBEDTLS_THREADING_PTHREAD
+
+/**
+ * \def MBEDTLS_VERSION_FEATURES
+ *
+ * Allow run-time checking of compile-time enabled features. Thus allowing users
+ * to check at run-time if the library is for instance compiled with threading
+ * support via mbedtls_version_check_feature().
+ *
+ * Requires: MBEDTLS_VERSION_C
+ *
+ * Comment this to disable run-time checking and save ROM space
+ */
+#define MBEDTLS_VERSION_FEATURES
+
+/**
+ * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an extension in a v1 or v2 certificate.
+ *
+ * Uncomment to prevent an error.
+ */
+//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+
+/**
+ * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an unknown critical extension.
+ *
+ * \warning Depending on your PKI use, enabling this can be a security risk!
+ *
+ * Uncomment to prevent an error.
+ */
+//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+
+/**
+ * \def MBEDTLS_X509_CHECK_KEY_USAGE
+ *
+ * Enable verification of the keyUsage extension (CA and leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused
+ * (intermediate) CA and leaf certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip keyUsage checking for both CA and leaf certificates.
+ */
+#define MBEDTLS_X509_CHECK_KEY_USAGE
+
+/**
+ * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+ *
+ * Enable verification of the extendedKeyUsage extension (leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip extendedKeyUsage checking for certificates.
+ */
+#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+
+/**
+ * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ *
+ * Enable parsing and verification of X.509 certificates, CRLs and CSRS
+ * signed with RSASSA-PSS (aka PKCS#1 v2.1).
+ *
+ * Comment this macro to disallow using RSASSA-PSS in certificates.
+ */
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+
+/**
+ * \def MBEDTLS_ZLIB_SUPPORT
+ *
+ * If set, the SSL/TLS module uses ZLIB to support compression and
+ * decompression of packet data.
+ *
+ * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
+ * CRIME attack. Before enabling this option, you should examine with care if
+ * CRIME or similar exploits may be applicable to your use case.
+ *
+ * \note Currently compression can't be used with DTLS.
+ *
+ * \deprecated This feature is deprecated and will be removed
+ *             in the next major revision of the library.
+ *
+ * Used in: library/ssl_tls.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This feature requires zlib library and headers to be present.
+ *
+ * Uncomment to enable use of ZLIB
+ */
+//#define MBEDTLS_ZLIB_SUPPORT
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AESNI_C
+ *
+ * Enable AES-NI support on x86-64.
+ *
+ * Module:  library/aesni.c
+ * Caller:  library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the AES-NI instructions on x86-64
+ */
+#define MBEDTLS_AESNI_C
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module:  library/aes.c
+ * Caller:  library/cipher.c
+ *          library/pem.c
+ *          library/ctr_drbg.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_ARC4_C
+ *
+ * Enable the ARCFOUR stream cipher.
+ *
+ * Module:  library/arc4.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+ *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. If possible, we recommend avoidng dependencies on
+ *            it, and considering stronger ciphers instead.
+ *
+ */
+#define MBEDTLS_ARC4_C
+
+/**
+ * \def MBEDTLS_ASN1_PARSE_C
+ *
+ * Enable the generic ASN1 parser.
+ *
+ * Module:  library/asn1.c
+ * Caller:  library/x509.c
+ *          library/dhm.c
+ *          library/pkcs12.c
+ *          library/pkcs5.c
+ *          library/pkparse.c
+ */
+#define MBEDTLS_ASN1_PARSE_C
+
+/**
+ * \def MBEDTLS_ASN1_WRITE_C
+ *
+ * Enable the generic ASN1 writer.
+ *
+ * Module:  library/asn1write.c
+ * Caller:  library/ecdsa.c
+ *          library/pkwrite.c
+ *          library/x509_create.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ */
+#define MBEDTLS_ASN1_WRITE_C
+
+/**
+ * \def MBEDTLS_BASE64_C
+ *
+ * Enable the Base64 module.
+ *
+ * Module:  library/base64.c
+ * Caller:  library/pem.c
+ *
+ * This module is required for PEM support (required by X.509).
+ */
+#define MBEDTLS_BASE64_C
+
+/**
+ * \def MBEDTLS_BIGNUM_C
+ *
+ * Enable the multi-precision integer library.
+ *
+ * Module:  library/bignum.c
+ * Caller:  library/dhm.c
+ *          library/ecp.c
+ *          library/ecdsa.c
+ *          library/rsa.c
+ *          library/rsa_internal.c
+ *          library/ssl_tls.c
+ *
+ * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
+ */
+#define MBEDTLS_BIGNUM_C
+
+/**
+ * \def MBEDTLS_BLOWFISH_C
+ *
+ * Enable the Blowfish block cipher.
+ *
+ * Module:  library/blowfish.c
+ */
+#define MBEDTLS_BLOWFISH_C
+
+/**
+ * \def MBEDTLS_CAMELLIA_C
+ *
+ * Enable the Camellia block cipher.
+ *
+ * Module:  library/camellia.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ */
+#define MBEDTLS_CAMELLIA_C
+
+/**
+ * \def MBEDTLS_ARIA_C
+ *
+ * Enable the ARIA block cipher.
+ *
+ * Module:  library/aria.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+ */
+//#define MBEDTLS_ARIA_C
+
+/**
+ * \def MBEDTLS_CCM_C
+ *
+ * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
+ *
+ * Module:  library/ccm.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ *
+ * This module enables the AES-CCM ciphersuites, if other requisites are
+ * enabled as well.
+ */
+#define MBEDTLS_CCM_C
+
+/**
+ * \def MBEDTLS_CERTS_C
+ *
+ * Enable the test certificates.
+ *
+ * Module:  library/certs.c
+ * Caller:
+ *
+ * This module is used for testing (ssl_client/server).
+ */
+#define MBEDTLS_CERTS_C
+
+/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module:  library/chacha20.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
+ * \def MBEDTLS_CHACHAPOLY_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module:  library/chachapoly.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_CHACHAPOLY_C
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module:  library/cipher.c
+ * Caller:  library/ssl_tls.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CMAC_C
+ *
+ * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
+ * ciphers.
+ *
+ * Module:  library/cmac.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
+ *
+ */
+//#define MBEDTLS_CMAC_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
+ *
+ * \note To achieve a 256-bit security strength with CTR_DRBG,
+ *       you must use AES-256 *and* use sufficient entropy.
+ *       See ctr_drbg.h for more details.
+ *
+ * Module:  library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_DEBUG_C
+ *
+ * Enable the debug functions.
+ *
+ * Module:  library/debug.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * This module provides debugging functions.
+ */
+#define MBEDTLS_DEBUG_C
+
+/**
+ * \def MBEDTLS_DES_C
+ *
+ * Enable the DES block cipher.
+ *
+ * Module:  library/des.c
+ * Caller:  library/pem.c
+ *          library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+ *
+ * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+#define MBEDTLS_DES_C
+
+/**
+ * \def MBEDTLS_DHM_C
+ *
+ * Enable the Diffie-Hellman-Merkle module.
+ *
+ * Module:  library/dhm.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module is used by the following key exchanges:
+ *      DHE-RSA, DHE-PSK
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_DHM_C
+
+/**
+ * \def MBEDTLS_ECDH_C
+ *
+ * Enable the elliptic curve Diffie-Hellman library.
+ *
+ * Module:  library/ecdh.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module is used by the following key exchanges:
+ *      ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
+ *
+ * Requires: MBEDTLS_ECP_C
+ */
+#define MBEDTLS_ECDH_C
+
+/**
+ * \def MBEDTLS_ECDSA_C
+ *
+ * Enable the elliptic curve DSA library.
+ *
+ * Module:  library/ecdsa.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ *      ECDHE-ECDSA
+ *
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
+ */
+#define MBEDTLS_ECDSA_C
+
+/**
+ * \def MBEDTLS_ECJPAKE_C
+ *
+ * Enable the elliptic curve J-PAKE library.
+ *
+ * \warning This is currently experimental. EC J-PAKE support is based on the
+ * Thread v1.0.0 specification; incompatible changes to the specification
+ * might still happen. For this reason, this is disabled by default.
+ *
+ * Module:  library/ecjpake.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ *      ECJPAKE
+ *
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
+ */
+//#define MBEDTLS_ECJPAKE_C
+
+/**
+ * \def MBEDTLS_ECP_C
+ *
+ * Enable the elliptic curve over GF(p) library.
+ *
+ * Module:  library/ecp.c
+ * Caller:  library/ecdh.c
+ *          library/ecdsa.c
+ *          library/ecjpake.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
+ */
+#define MBEDTLS_ECP_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module:  library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_ERROR_C
+ *
+ * Enable error code to error string conversion.
+ *
+ * Module:  library/error.c
+ * Caller:
+ *
+ * This module enables mbedtls_strerror().
+ */
+#define MBEDTLS_ERROR_C
+
+/**
+ * \def MBEDTLS_GCM_C
+ *
+ * Enable the Galois/Counter Mode (GCM) for AES.
+ *
+ * Module:  library/gcm.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ *
+ * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
+ * requisites are enabled as well.
+ */
+#define MBEDTLS_GCM_C
+
+/**
+ * \def MBEDTLS_HAVEGE_C
+ *
+ * Enable the HAVEGE random generator.
+ *
+ * Warning: the HAVEGE random generator is not suitable for virtualized
+ *          environments
+ *
+ * Warning: the HAVEGE random generator is dependent on timing and specific
+ *          processor traits. It is therefore not advised to use HAVEGE as
+ *          your applications primary random generator or primary entropy pool
+ *          input. As a secondary input to your entropy pool, it IS able add
+ *          the (limited) extra entropy it provides.
+ *
+ * Module:  library/havege.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_TIMING_C
+ *
+ * Uncomment to enable the HAVEGE random generator.
+ */
+//#define MBEDTLS_HAVEGE_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module:  library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C
+
+/**
+ * \def MBEDTLS_HMAC_DRBG_C
+ *
+ * Enable the HMAC_DRBG random generator.
+ *
+ * Module:  library/hmac_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * Uncomment to enable the HMAC_DRBG random number geerator.
+ */
+#define MBEDTLS_HMAC_DRBG_C
+
+/**
+ * \def MBEDTLS_NIST_KW_C
+ *
+ * Enable the Key Wrapping mode for 128-bit block ciphers,
+ * as defined in NIST SP 800-38F. Only KW and KWP modes
+ * are supported. At the moment, only AES is approved by NIST.
+ *
+ * Module:  library/nist_kw.c
+ *
+ * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
+ */
+//#define MBEDTLS_NIST_KW_C
+
+/**
+ * \def MBEDTLS_MD_C
+ *
+ * Enable the generic message digest layer.
+ *
+ * Module:  library/md.c
+ * Caller:
+ *
+ * Uncomment to enable generic message digest wrappers.
+ */
+#define MBEDTLS_MD_C
+
+/**
+ * \def MBEDTLS_MD2_C
+ *
+ * Enable the MD2 hash algorithm.
+ *
+ * Module:  library/md2.c
+ * Caller:
+ *
+ * Uncomment to enable support for (rare) MD2-signed X.509 certs.
+ *
+ * \warning   MD2 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+//#define MBEDTLS_MD2_C
+
+/**
+ * \def MBEDTLS_MD4_C
+ *
+ * Enable the MD4 hash algorithm.
+ *
+ * Module:  library/md4.c
+ * Caller:
+ *
+ * Uncomment to enable support for (rare) MD4-signed X.509 certs.
+ *
+ * \warning   MD4 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+//#define MBEDTLS_MD4_C
+
+/**
+ * \def MBEDTLS_MD5_C
+ *
+ * Enable the MD5 hash algorithm.
+ *
+ * Module:  library/md5.c
+ * Caller:  library/md.c
+ *          library/pem.c
+ *          library/ssl_tls.c
+ *
+ * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
+ * depending on the handshake parameters. Further, it is used for checking
+ * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
+ * encrypted keys.
+ *
+ * \warning   MD5 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_MD5_C
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module:  library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *           MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_NET_C
+ *
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
+ *
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module:  library/net_sockets.c
+ *
+ * This module provides networking routines.
+ */
+#define MBEDTLS_NET_C
+
+/**
+ * \def MBEDTLS_OID_C
+ *
+ * Enable the OID database.
+ *
+ * Module:  library/oid.c
+ * Caller:  library/asn1write.c
+ *          library/pkcs5.c
+ *          library/pkparse.c
+ *          library/pkwrite.c
+ *          library/rsa.c
+ *          library/x509.c
+ *          library/x509_create.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ *
+ * This modules translates between OIDs and internal values.
+ */
+#define MBEDTLS_OID_C
+
+/**
+ * \def MBEDTLS_PADLOCK_C
+ *
+ * Enable VIA Padlock support on x86.
+ *
+ * Module:  library/padlock.c
+ * Caller:  library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the VIA PadLock on x86.
+ */
+#define MBEDTLS_PADLOCK_C
+
+/**
+ * \def MBEDTLS_PEM_PARSE_C
+ *
+ * Enable PEM decoding / parsing.
+ *
+ * Module:  library/pem.c
+ * Caller:  library/dhm.c
+ *          library/pkparse.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ *
+ * This modules adds support for decoding / parsing PEM files.
+ */
+#define MBEDTLS_PEM_PARSE_C
+
+/**
+ * \def MBEDTLS_PEM_WRITE_C
+ *
+ * Enable PEM encoding / writing.
+ *
+ * Module:  library/pem.c
+ * Caller:  library/pkwrite.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ *
+ * This modules adds support for encoding / writing PEM files.
+ */
+#define MBEDTLS_PEM_WRITE_C
+
+/**
+ * \def MBEDTLS_PK_C
+ *
+ * Enable the generic public (asymetric) key layer.
+ *
+ * Module:  library/pk.c
+ * Caller:  library/ssl_tls.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
+ *
+ * Uncomment to enable generic public key wrappers.
+ */
+#define MBEDTLS_PK_C
+
+/**
+ * \def MBEDTLS_PK_PARSE_C
+ *
+ * Enable the generic public (asymetric) key parser.
+ *
+ * Module:  library/pkparse.c
+ * Caller:  library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key parse functions.
+ */
+#define MBEDTLS_PK_PARSE_C
+
+/**
+ * \def MBEDTLS_PK_WRITE_C
+ *
+ * Enable the generic public (asymetric) key writer.
+ *
+ * Module:  library/pkwrite.c
+ * Caller:  library/x509write.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key write functions.
+ */
+#define MBEDTLS_PK_WRITE_C
+
+/**
+ * \def MBEDTLS_PKCS5_C
+ *
+ * Enable PKCS#5 functions.
+ *
+ * Module:  library/pkcs5.c
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the PKCS#5 functions.
+ */
+#define MBEDTLS_PKCS5_C
+
+/**
+ * \def MBEDTLS_PKCS11_C
+ *
+ * Enable wrapper for PKCS#11 smartcard support.
+ *
+ * Module:  library/pkcs11.c
+ * Caller:  library/pk.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * This module enables SSL/TLS PKCS #11 smartcard support.
+ * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
+ */
+//#define MBEDTLS_PKCS11_C
+
+/**
+ * \def MBEDTLS_PKCS12_C
+ *
+ * Enable PKCS#12 PBE functions.
+ * Adds algorithms for parsing PKCS#8 encrypted private keys
+ *
+ * Module:  library/pkcs12.c
+ * Caller:  library/pkparse.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ * Can use:  MBEDTLS_ARC4_C
+ *
+ * This module enables PKCS#12 functions.
+ */
+#define MBEDTLS_PKCS12_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module:  library/platform.c
+ * Caller:  Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+/**
+ * \def MBEDTLS_POLY1305_C
+ *
+ * Enable the Poly1305 MAC algorithm.
+ *
+ * Module:  library/poly1305.c
+ * Caller:  library/chachapoly.c
+ */
+#define MBEDTLS_POLY1305_C
+
+/**
+ * \def MBEDTLS_RIPEMD160_C
+ *
+ * Enable the RIPEMD-160 hash algorithm.
+ *
+ * Module:  library/ripemd160.c
+ * Caller:  library/md.c
+ *
+ */
+#define MBEDTLS_RIPEMD160_C
+
+/**
+ * \def MBEDTLS_RSA_C
+ *
+ * Enable the RSA public-key cryptosystem.
+ *
+ * Module:  library/rsa.c
+ *          library/rsa_internal.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *          library/x509.c
+ *
+ * This module is used by the following key exchanges:
+ *      RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
+ */
+#define MBEDTLS_RSA_C
+
+/**
+ * \def MBEDTLS_SHA1_C
+ *
+ * Enable the SHA1 cryptographic hash algorithm.
+ *
+ * Module:  library/sha1.c
+ * Caller:  library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *          library/x509write_crt.c
+ *
+ * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
+ * depending on the handshake parameters, and for SHA1-signed certificates.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_SHA1_C
+
+/**
+ * \def MBEDTLS_SHA256_C
+ *
+ * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
+ *
+ * Module:  library/sha256.c
+ * Caller:  library/entropy.c
+ *          library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * This module adds support for SHA-224 and SHA-256.
+ * This module is required for the SSL/TLS 1.2 PRF function.
+ */
+#define MBEDTLS_SHA256_C
+
+/**
+ * \def MBEDTLS_SHA512_C
+ *
+ * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
+ *
+ * Module:  library/sha512.c
+ * Caller:  library/entropy.c
+ *          library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module adds support for SHA-384 and SHA-512.
+ */
+#define MBEDTLS_SHA512_C
+
+/**
+ * \def MBEDTLS_SSL_CACHE_C
+ *
+ * Enable simple SSL cache implementation.
+ *
+ * Module:  library/ssl_cache.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_CACHE_C
+ */
+#define MBEDTLS_SSL_CACHE_C
+
+/**
+ * \def MBEDTLS_SSL_COOKIE_C
+ *
+ * Enable basic implementation of DTLS cookies for hello verification.
+ *
+ * Module:  library/ssl_cookie.c
+ * Caller:
+ */
+#define MBEDTLS_SSL_COOKIE_C
+
+/**
+ * \def MBEDTLS_SSL_TICKET_C
+ *
+ * Enable an implementation of TLS server-side callbacks for session tickets.
+ *
+ * Module:  library/ssl_ticket.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_CIPHER_C
+ */
+#define MBEDTLS_SSL_TICKET_C
+
+/**
+ * \def MBEDTLS_SSL_CLI_C
+ *
+ * Enable the SSL/TLS client code.
+ *
+ * Module:  library/ssl_cli.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * This module is required for SSL/TLS client support.
+ */
+#define MBEDTLS_SSL_CLI_C
+
+/**
+ * \def MBEDTLS_SSL_SRV_C
+ *
+ * Enable the SSL/TLS server code.
+ *
+ * Module:  library/ssl_srv.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * This module is required for SSL/TLS server support.
+ */
+#define MBEDTLS_SSL_SRV_C
+
+/**
+ * \def MBEDTLS_SSL_TLS_C
+ *
+ * Enable the generic SSL/TLS code.
+ *
+ * Module:  library/ssl_tls.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ *           and at least one of the MBEDTLS_SSL_PROTO_XXX defines
+ *
+ * This module is required for SSL/TLS.
+ */
+#define MBEDTLS_SSL_TLS_C
+
+/**
+ * \def MBEDTLS_THREADING_C
+ *
+ * Enable the threading abstraction layer.
+ * By default mbed TLS assumes it is used in a non-threaded environment or that
+ * contexts are not shared between threads. If you do intend to use contexts
+ * between threads, you will need to enable this layer to prevent race
+ * conditions. See also our Knowledge Base article about threading:
+ * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
+ *
+ * Module:  library/threading.c
+ *
+ * This allows different threading implementations (self-implemented or
+ * provided).
+ *
+ * You will have to enable either MBEDTLS_THREADING_ALT or
+ * MBEDTLS_THREADING_PTHREAD.
+ *
+ * Enable this layer to allow use of mutexes within mbed TLS
+ */
+//#define MBEDTLS_THREADING_C
+
+/**
+ * \def MBEDTLS_TIMING_C
+ *
+ * Enable the semi-portable timing interface.
+ *
+ * \note The provided implementation only works on POSIX/Unix (including Linux,
+ * BSD and OS X) and Windows. On other platforms, you can either disable that
+ * module and provide your own implementations of the callbacks needed by
+ * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
+ * your own implementation of the whole module by setting
+ * \c MBEDTLS_TIMING_ALT in the current file.
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module:  library/timing.c
+ * Caller:  library/havege.c
+ *
+ * This module is used by the HAVEGE random number generator.
+ */
+#define MBEDTLS_TIMING_C
+
+/**
+ * \def MBEDTLS_VERSION_C
+ *
+ * Enable run-time version information.
+ *
+ * Module:  library/version.c
+ *
+ * This module provides run-time version information.
+ */
+#define MBEDTLS_VERSION_C
+
+/**
+ * \def MBEDTLS_X509_USE_C
+ *
+ * Enable X.509 core for using certificates.
+ *
+ * Module:  library/x509.c
+ * Caller:  library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
+ *           MBEDTLS_PK_PARSE_C
+ *
+ * This module is required for the X.509 parsing modules.
+ */
+#define MBEDTLS_X509_USE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Enable X.509 certificate parsing.
+ *
+ * Module:  library/x509_crt.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 certificate parsing.
+ */
+#define MBEDTLS_X509_CRT_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CRL_PARSE_C
+ *
+ * Enable X.509 CRL parsing.
+ *
+ * Module:  library/x509_crl.c
+ * Caller:  library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 CRL parsing.
+ */
+#define MBEDTLS_X509_CRL_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_PARSE_C
+ *
+ * Enable X.509 Certificate Signing Request (CSR) parsing.
+ *
+ * Module:  library/x509_csr.c
+ * Caller:  library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is used for reading X.509 certificate request.
+ */
+#define MBEDTLS_X509_CSR_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CREATE_C
+ *
+ * Enable X.509 core for creating certificates.
+ *
+ * Module:  library/x509_create.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
+ *
+ * This module is the basis for creating X.509 certificates and CSRs.
+ */
+#define MBEDTLS_X509_CREATE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_WRITE_C
+ *
+ * Enable creating X.509 certificates.
+ *
+ * Module:  library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate creation.
+ */
+#define MBEDTLS_X509_CRT_WRITE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_WRITE_C
+ *
+ * Enable creating X.509 Certificate Signing Requests (CSR).
+ *
+ * Module:  library/x509_csr_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate request writing.
+ */
+#define MBEDTLS_X509_CSR_WRITE_C
+
+/**
+ * \def MBEDTLS_XTEA_C
+ *
+ * Enable the XTEA block cipher.
+ *
+ * Module:  library/xtea.c
+ * Caller:
+ */
+#define MBEDTLS_XTEA_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* MPI / BIGNUM options */
+//#define MBEDTLS_MPI_WINDOW_SIZE            6 /**< Maximum windows size used. */
+//#define MBEDTLS_MPI_MAX_SIZE            1024 /**< Maximum number of bytes for usable MPIs. */
+
+/* CTR_DRBG options */
+//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN               48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
+//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL        10000 /**< Interval before reseed is performed by default */
+//#define MBEDTLS_CTR_DRBG_MAX_INPUT                256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_CTR_DRBG_MAX_REQUEST             1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT           384 /**< Maximum size of (re)seed buffer */
+
+/* HMAC_DRBG options */
+//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000 /**< Interval before reseed is performed by default */
+//#define MBEDTLS_HMAC_DRBG_MAX_INPUT           256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST        1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT      384 /**< Maximum size of (re)seed buffer */
+
+/* ECP options */
+//#define MBEDTLS_ECP_MAX_BITS             521 /**< Maximum bit size of groups */
+//#define MBEDTLS_ECP_WINDOW_SIZE            6 /**< Maximum window size used */
+//#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1 /**< Enable fixed-point speed-up */
+
+/* Entropy options */
+//#define MBEDTLS_ENTROPY_MAX_SOURCES                20 /**< Maximum number of sources supported */
+//#define MBEDTLS_ENTROPY_MAX_GATHER                128 /**< Maximum amount requested from entropy sources */
+//#define MBEDTLS_ENTROPY_MIN_HARDWARE               32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
+
+/* Memory buffer allocator options */
+//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE      4 /**< Align on multiples of this value */
+
+/* Platform options */
+//#define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
+//#define MBEDTLS_PLATFORM_STD_CALLOC        calloc /**< Default allocator to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_FREE            free /**< Default free to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT            exit /**< Default exit to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_TIME            time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf /**< Default fprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_PRINTF        printf /**< Default printf to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_STD_SNPRINTF    snprintf /**< Default snprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS       0 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE       1 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE  "seedfile" /**< Seed file to read/write with default implementation */
+
+/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
+/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
+//#define MBEDTLS_PLATFORM_CALLOC_MACRO        calloc /**< Default allocator macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_FREE_MACRO            free /**< Default free macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_EXIT_MACRO            exit /**< Default exit macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_TIME_MACRO            time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf /**< Default fprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_PRINTF_MACRO        printf /**< Default printf macro to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO    snprintf /**< Default snprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+
+/**
+ * \brief       This macro is invoked by the library when an invalid parameter
+ *              is detected that is only checked with #MBEDTLS_CHECK_PARAMS
+ *              (see the documentation of that option for context).
+ *
+ *              When you leave this undefined here, the library provides
+ *              a default definition. If the macro #MBEDTLS_CHECK_PARAMS_ASSERT
+ *              is defined, the default definition is `assert(cond)`,
+ *              otherwise the default definition calls a function
+ *              mbedtls_param_failed(). This function is declared in
+ *              `platform_util.h` for the benefit of the library, but
+ *              you need to define in your application.
+ *
+ *              When you define this here, this replaces the default
+ *              definition in platform_util.h (which no longer declares the
+ *              function mbedtls_param_failed()) and it is your responsibility
+ *              to make sure this macro expands to something suitable (in
+ *              particular, that all the necessary declarations are visible
+ *              from within the library - you can ensure that by providing
+ *              them in this file next to the macro definition).
+ *              If you define this macro to call `assert`, also define
+ *              #MBEDTLS_CHECK_PARAMS_ASSERT so that library source files
+ *              include `<assert.h>`.
+ *
+ *              Note that you may define this macro to expand to nothing, in
+ *              which case you don't have to worry about declarations or
+ *              definitions. However, you will then be notified about invalid
+ *              parameters only in non-void functions, and void function will
+ *              just silently return early on invalid parameters, which
+ *              partially negates the benefits of enabling
+ *              #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
+ *
+ * \param cond  The expression that should evaluate to true, but doesn't.
+ */
+//#define MBEDTLS_PARAM_FAILED( cond )               assert( cond )
+
+/* SSL Cache options */
+//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
+//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
+
+/* SSL options */
+
+/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming and outgoing plaintext fragments.
+ *
+ * This determines the size of both the incoming and outgoing TLS I/O buffers
+ * in such a way that both are capable of holding the specified amount of
+ * plaintext data, regardless of the protection mechanism used.
+ *
+ * To configure incoming and outgoing I/O buffers separately, use
+ * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
+ * which overwrite the value set by this option.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of both
+ * incoming and outgoing I/O buffers.
+ */
+//#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_IN_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming plaintext fragments.
+ *
+ * This determines the size of the incoming TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option is undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of the incoming I/O buffer
+ * independently of the outgoing I/O buffer.
+ */
+//#define MBEDTLS_SSL_IN_CONTENT_LEN              16384
+
+/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of outgoing plaintext fragments.
+ *
+ * This determines the size of the outgoing TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * It is possible to save RAM by setting a smaller outward buffer, while keeping
+ * the default inward 16384 byte buffer to conform to the TLS specification.
+ *
+ * The minimum required outward buffer size is determined by the handshake
+ * protocol's usage. Handshaking will fail if the outward buffer is too small.
+ * The specific size requirement depends on the configured ciphers and any
+ * certificate data which is sent during the handshake.
+ *
+ * Uncomment to set the maximum plaintext size of the outgoing I/O buffer
+ * independently of the incoming I/O buffer.
+ */
+//#define MBEDTLS_SSL_OUT_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
+ *
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ *
+ * This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN
+ * to account for a reassembled handshake message of maximum size,
+ * together with its reassembly bitmap.
+ *
+ * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)
+ * should be sufficient for all practical situations as it allows
+ * to reassembly a large handshake message (such as a certificate)
+ * while buffering multiple smaller handshake messages.
+ *
+ */
+//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING             32768
+
+//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+//#define MBEDTLS_PSK_MAX_LEN               32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
+//#define MBEDTLS_SSL_COOKIE_TIMEOUT        60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+
+/**
+ * Complete list of ciphersuites to use, in order of preference.
+ *
+ * \warning No dependency checking is done on that field! This option can only
+ * be used to restrict the set of available ciphersuites. It is your
+ * responsibility to make sure the needed modules are active.
+ *
+ * Use this to save a few hundred bytes of ROM (default ordering of all
+ * available ciphersuites) and a few to a few hundred bytes of RAM.
+ *
+ * The value below is only an example, not the default.
+ */
+//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+
+/* X509 options */
+//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
+//#define MBEDTLS_X509_MAX_FILE_PATH_LEN     512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
+
+/**
+ * Allow SHA-1 in the default TLS configuration for certificate signing.
+ * Without this build-time option, SHA-1 support must be activated explicitly
+ * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
+ * recommended because of it is possible to generate SHA-1 collisions, however
+ * this may be safe for legacy infrastructure where additional controls apply.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+
+/**
+ * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
+ * signature and ciphersuite selection. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
+ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
+ * default. At the time of writing, there is no practical attack on the use
+ * of SHA-1 in handshake signatures, hence this option is turned on by default
+ * to preserve compatibility with existing peers, but the general
+ * warning applies nonetheless:
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+
+/**
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_platform_zeroize(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * mbedtls_platform_zeroize() is a widely used function across the library to
+ * zero a block of memory. The implementation is expected to be secure in the
+ * sense that it has been written to prevent the compiler from removing calls
+ * to mbedtls_platform_zeroize() as part of redundant code elimination
+ * optimizations. However, it is difficult to guarantee that calls to
+ * mbedtls_platform_zeroize() will not be optimized by the compiler as older
+ * versions of the C language standards do not provide a secure implementation
+ * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to
+ * configure their own implementation of mbedtls_platform_zeroize(), for
+ * example by using directives specific to their compiler, features from newer
+ * C standards (e.g using memset_s() in C11) or calling a secure memset() from
+ * their system (e.g explicit_bzero() in BSD).
+ */
+//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
+
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_gmtime_r(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * gmtime() is not a thread-safe function as defined in the C standard. The
+ * library will try to use safer implementations of this function, such as
+ * gmtime_r() when available. However, if Mbed TLS cannot identify the target
+ * system, the implementation of mbedtls_platform_gmtime_r() will default to
+ * using the standard gmtime(). In this case, calls from the library to
+ * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
+ * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
+ * library are also guarded with this mutex to avoid race conditions. However,
+ * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
+ * unconditionally use the implementation for mbedtls_platform_gmtime_r()
+ * supplied at compile time.
+ */
+//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
+
+/* \} name SECTION: Customisation configuration options */
+
+/* Target and application specific configurations
+ *
+ * Allow user to override any previous default.
+ *
+ */
+#if defined(MBEDTLS_USER_CONFIG_FILE)
+#include MBEDTLS_USER_CONFIG_FILE
+#endif
+
+#include "check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ctr_drbg.h b/ctrtool/deps/libmbedtls/include/mbedtls/ctr_drbg.h
new file mode 100644
index 00000000..e0b5ed9c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ctr_drbg.h
@@ -0,0 +1,512 @@
+/**
+ * \file ctr_drbg.h
+ *
+ * \brief    This file contains definitions and functions for the
+ *           CTR_DRBG pseudorandom generator.
+ *
+ * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
+ * in counter mode operation, as defined in <em>NIST SP 800-90A:
+ * Recommendation for Random Number Generation Using Deterministic Random
+ * Bit Generators</em>.
+ *
+ * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
+ * (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
+ * as the underlying block cipher, with a derivation function.
+ * The initial seeding grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more details.
+ *
+ * Based on NIST SP 800-90A §10.2.1 table 3 and NIST SP 800-57 part 1 table 2,
+ * here are the security strengths achieved in typical configuration:
+ * - 256 bits under the default configuration of the library, with AES-256
+ *   and with #MBEDTLS_CTR_DRBG_ENTROPY_LEN set to 48 or more.
+ * - 256 bits if AES-256 is used, #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set
+ *   to 32 or more, and the DRBG is initialized with an explicit
+ *   nonce in the \c custom parameter to mbedtls_ctr_drbg_seed().
+ * - 128 bits if AES-256 is used but #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
+ *   between 24 and 47 and the DRBG is not initialized with an explicit
+ *   nonce (see mbedtls_ctr_drbg_seed()).
+ * - 128 bits if AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
+ *   and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is
+ *   always the case unless it is explicitly set to a different value
+ *   in config.h).
+ *
+ * Note that the value of #MBEDTLS_CTR_DRBG_ENTROPY_LEN defaults to:
+ * - \c 48 if the module \c MBEDTLS_SHA512_C is enabled and the symbol
+ *   \c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled at compile time.
+ *   This is the default configuration of the library.
+ * - \c 32 if the module \c MBEDTLS_SHA512_C is disabled at compile time.
+ * - \c 32 if \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time.
+ */
+/*
+ *  Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CTR_DRBG_H
+#define MBEDTLS_CTR_DRBG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED        -0x0034  /**< The entropy source failed. */
+#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG              -0x0036  /**< The requested random buffer length is too big. */
+#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG                -0x0038  /**< The input (entropy + additional data) is too large. */
+#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read or write error in file. */
+
+#define MBEDTLS_CTR_DRBG_BLOCKSIZE          16 /**< The block size used by the cipher. */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#define MBEDTLS_CTR_DRBG_KEYSIZE            16
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 16 bytes (128 bits)
+ * because #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.
+ */
+#else
+#define MBEDTLS_CTR_DRBG_KEYSIZE            32
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 32 bytes (256 bits)
+ * because \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled.
+ */
+#endif
+
+#define MBEDTLS_CTR_DRBG_KEYBITS            ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
+#define MBEDTLS_CTR_DRBG_SEEDLEN            ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them using the compiler command
+ * line.
+ * \{
+ */
+
+/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
+ *
+ * \brief The amount of entropy used per seed by default, in bytes.
+ */
+#if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+/** This is 48 bytes because the entropy module uses SHA-512
+ * (\c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled).
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        48
+
+#else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+
+/** This is 32 bytes because the entropy module uses SHA-256
+ * (the SHA512 module is disabled or
+ * \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
+ */
+#if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+/** \warning To achieve a 256-bit security strength, you must pass a nonce
+ *           to mbedtls_ctr_drbg_seed().
+ */
+#endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        32
+#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
+
+#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL    10000
+/**< The interval before reseed is performed by default. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_INPUT          256
+/**< The maximum number of additional input Bytes. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_REQUEST)
+#define MBEDTLS_CTR_DRBG_MAX_REQUEST        1024
+/**< The maximum number of requested Bytes per call. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT     384
+/**< The maximum size of seed or reseed buffer in bytes. */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_CTR_DRBG_PR_OFF             0
+/**< Prediction resistance is disabled. */
+#define MBEDTLS_CTR_DRBG_PR_ON              1
+/**< Prediction resistance is enabled. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The CTR_DRBG context structure.
+ */
+typedef struct mbedtls_ctr_drbg_context
+{
+    unsigned char counter[16];  /*!< The counter (V). */
+    int reseed_counter;         /*!< The reseed counter. */
+    int prediction_resistance;  /*!< This determines whether prediction
+                                     resistance is enabled, that is
+                                     whether to systematically reseed before
+                                     each random generation. */
+    size_t entropy_len;         /*!< The amount of entropy grabbed on each
+                                     seed or reseed operation. */
+    int reseed_interval;        /*!< The reseed interval. */
+
+    mbedtls_aes_context aes_ctx;        /*!< The AES context. */
+
+    /*
+     * Callbacks (Entropy)
+     */
+    int (*f_entropy)(void *, unsigned char *, size_t);
+                                /*!< The entropy callback function. */
+
+    void *p_entropy;            /*!< The context for the entropy function. */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+}
+mbedtls_ctr_drbg_context;
+
+/**
+ * \brief               This function initializes the CTR_DRBG context,
+ *                      and prepares it for mbedtls_ctr_drbg_seed()
+ *                      or mbedtls_ctr_drbg_free().
+ *
+ * \param ctx           The CTR_DRBG context to initialize.
+ */
+void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
+
+/**
+ * \brief               This function seeds and sets up the CTR_DRBG
+ *                      entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
+ * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note                The _seed_material_ value passed to the derivation
+ *                      function in the CTR_DRBG Instantiate Process
+ *                      described in NIST SP 800-90A §10.2.1.3.2
+ *                      is the concatenation of the string obtained from
+ *                      calling \p f_entropy and the \p custom string.
+ *                      The origin of the nonce depends on the value of
+ *                      the entropy length relative to the security strength.
+ *                      - If the entropy length is at least 1.5 times the
+ *                        security strength then the nonce is taken from the
+ *                        string obtained with \p f_entropy.
+ *                      - If the entropy length is less than the security
+ *                        strength, then the nonce is taken from \p custom.
+ *                        In this case, for compliance with SP 800-90A,
+ *                        you must pass a unique value of \p custom at
+ *                        each invocation. See SP 800-90A §8.6.7 for more
+ *                        details.
+ */
+#if MBEDTLS_CTR_DRBG_ENTROPY_LEN < MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
+/** \warning            When #MBEDTLS_CTR_DRBG_ENTROPY_LEN is less than
+ *                      #MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2, to achieve the
+ *                      maximum security strength permitted by CTR_DRBG,
+ *                      you must pass a value of \p custom that is a nonce:
+ *                      this value must never be repeated in subsequent
+ *                      runs of the same application or on a different
+ *                      device.
+ */
+#endif
+/**
+ * \param ctx           The CTR_DRBG context to seed.
+ *                      It must have been initialized with
+ *                      mbedtls_ctr_drbg_init().
+ *                      After a successful call to mbedtls_ctr_drbg_seed(),
+ *                      you may not call mbedtls_ctr_drbg_seed() again on
+ *                      the same context unless you call
+ *                      mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
+ *                      again first.
+ * \param f_entropy     The entropy callback, taking as arguments the
+ *                      \p p_entropy context, the buffer to fill, and the
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a buffer size
+ *                      equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ *                      - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
+                   int (*f_entropy)(void *, unsigned char *, size_t),
+                   void *p_entropy,
+                   const unsigned char *custom,
+                   size_t len );
+
+/**
+ * \brief               This function clears CTR_CRBG context data.
+ *
+ * \param ctx           The CTR_DRBG context to clear.
+ */
+void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx );
+
+/**
+ * \brief               This function turns prediction resistance on or off.
+ *                      The default value is off.
+ *
+ * \note                If enabled, entropy is gathered at the beginning of
+ *                      every call to mbedtls_ctr_drbg_random_with_add()
+ *                      or mbedtls_ctr_drbg_random().
+ *                      Only use this if your entropy source has sufficient
+ *                      throughput.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param resistance    #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF.
+ */
+void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
+                                         int resistance );
+
+/**
+ * \brief               This function sets the amount of entropy grabbed on each
+ *                      seed or reseed.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \note                The security strength of CTR_DRBG is bounded by the
+ *                      entropy length. Thus:
+ *                      - When using AES-256
+ *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
+ *                        which is the default),
+ *                        \p len must be at least 32 (in bytes)
+ *                        to achieve a 256-bit strength.
+ *                      - When using AES-128
+ *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
+ *                        \p len must be at least 16 (in bytes)
+ *                        to achieve a 128-bit strength.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param len           The amount of entropy to grab, in bytes.
+ *                      This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ */
+void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
+                               size_t len );
+
+/**
+ * \brief               This function sets the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
+ * or mbedtls_ctr_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param interval      The reseed interval.
+ */
+void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
+                                   int interval );
+
+/**
+ * \brief               This function reseeds the CTR_DRBG context, that is
+ *                      extracts data from the entropy source.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param additional    Additional data to add to the state. Can be \c NULL.
+ * \param len           The length of the additional data.
+ *                      This must be less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
+                     const unsigned char *additional, size_t len );
+
+/**
+ * \brief              This function updates the state of the CTR_DRBG context.
+ *
+ * \param ctx          The CTR_DRBG context.
+ * \param additional   The data to update the state with. This must not be
+ *                     \c NULL unless \p add_len is \c 0.
+ * \param add_len      Length of \p additional in bytes. This must be at
+ *                     most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ *                     \p add_len is more than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return             An error from the underlying AES cipher on failure.
+ */
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len );
+
+/**
+ * \brief   This function updates a CTR_DRBG instance with additional
+ *          data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \param p_rng         The CTR_DRBG context. This must be a pointer to a
+ *                      #mbedtls_ctr_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ * \param additional    Additional data to update. Can be \c NULL, in which
+ *                      case the additional data is empty regardless of
+ *                      the value of \p add_len.
+ * \param add_len       The length of the additional data
+ *                      if \p additional is not \c NULL.
+ *                      This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
+ *                      and less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
+ *
+ * \return    \c 0 on success.
+ * \return    #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ *            #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random_with_add( void *p_rng,
+                              unsigned char *output, size_t output_len,
+                              const unsigned char *additional, size_t add_len );
+
+/**
+ * \brief   This function uses CTR_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ *
+ * \param p_rng         The CTR_DRBG context. This must be a pointer to a
+ *                      #mbedtls_ctr_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ *                      #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random( void *p_rng,
+                     unsigned char *output, size_t output_len );
+
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief              This function updates the state of the CTR_DRBG context.
+ *
+ * \deprecated         Superseded by mbedtls_ctr_drbg_update_ret()
+ *                     in 2.16.0.
+ *
+ * \note               If \p add_len is greater than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
+ *                     The remaining Bytes are silently discarded.
+ *
+ * \param ctx          The CTR_DRBG context.
+ * \param additional   The data to update the state with.
+ * \param add_len      Length of \p additional data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
+    mbedtls_ctr_drbg_context *ctx,
+    const unsigned char *additional,
+    size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               This function writes a seed file.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      failure.
+ */
+int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
+
+/**
+ * \brief               This function reads and updates a seed file. The seed
+ *                      is added to this instance.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
+ */
+int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief               The CTR_DRBG checkup routine.
+ *
+ * \return              \c 0 on success.
+ * \return              \c 1 on failure.
+ */
+int mbedtls_ctr_drbg_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+/* Internal functions (do not call directly) */
+int mbedtls_ctr_drbg_seed_entropy_len( mbedtls_ctr_drbg_context *,
+                               int (*)(void *, unsigned char *, size_t), void *,
+                               const unsigned char *, size_t, size_t );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ctr_drbg.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/debug.h b/ctrtool/deps/libmbedtls/include/mbedtls/debug.h
new file mode 100644
index 00000000..736444bb
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/debug.h
@@ -0,0 +1,265 @@
+/**
+ * \file debug.h
+ *
+ * \brief Functions for controlling and providing debug output from the library.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_DEBUG_H
+#define MBEDTLS_DEBUG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_ECP_C)
+#include "ecp.h"
+#endif
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#define MBEDTLS_DEBUG_STRIP_PARENS( ... )   __VA_ARGS__
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )                    \
+    mbedtls_debug_print_msg( ssl, level, __FILE__, __LINE__,    \
+                             MBEDTLS_DEBUG_STRIP_PARENS args )
+
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )                \
+    mbedtls_debug_print_ret( ssl, level, __FILE__, __LINE__, text, ret )
+
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )           \
+    mbedtls_debug_print_buf( ssl, level, __FILE__, __LINE__, text, buf, len )
+
+#if defined(MBEDTLS_BIGNUM_C)
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )                  \
+    mbedtls_debug_print_mpi( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )                  \
+    mbedtls_debug_print_ecp( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )                \
+    mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )               \
+    mbedtls_debug_printf_ecdh( ssl, level, __FILE__, __LINE__, ecdh, attr )
+#endif
+
+#else /* MBEDTLS_DEBUG_C */
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )            do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )  do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )     do { } while( 0 )
+
+#endif /* MBEDTLS_DEBUG_C */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Set the threshold error level to handle globally all debug output.
+ *          Debug messages that have a level over the threshold value are
+ *          discarded.
+ *          (Default value: 0 = No debug )
+ *
+ * \param threshold     theshold level of messages to filter on. Messages at a
+ *                      higher level will be discarded.
+ *                          - Debug levels
+ *                              - 0 No debug
+ *                              - 1 Error
+ *                              - 2 State change
+ *                              - 3 Informational
+ *                              - 4 Verbose
+ */
+void mbedtls_debug_set_threshold( int threshold );
+
+/**
+ * \brief    Print a message to the debug output. This function is always used
+ *          through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ *          context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the message has occurred in
+ * \param line      line number the message has occurred at
+ * \param format    format specifier, in printf format
+ * \param ...       variables used by the format specifier
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
+                              const char *file, int line,
+                              const char *format, ... );
+
+/**
+ * \brief   Print the return value of a function to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      the name of the function that returned the error
+ * \param ret       the return code value
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, int ret );
+
+/**
+ * \brief   Output a buffer of size len bytes to the debug output. This function
+ *          is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the buffer being dumped. Normally the
+ *                  variable or buffer name
+ * \param buf       the buffer to be outputted
+ * \param len       length of the buffer
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line, const char *text,
+                      const unsigned char *buf, size_t len );
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief   Print a MPI variable to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the MPI being output. Normally the
+ *                  variable name
+ * \param X         the MPI variable
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_mpi *X );
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief   Print an ECP point to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the ECP point being output. Normally the
+ *                  variable name
+ * \param X         the ECP point
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_ecp_point *X );
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief   Print a X.509 certificate structure to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the certificate being output
+ * \param crt       X.509 certificate structure
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_x509_crt *crt );
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+typedef enum
+{
+    MBEDTLS_DEBUG_ECDH_Q,
+    MBEDTLS_DEBUG_ECDH_QP,
+    MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief   Print a field of the ECDH structure in the SSL context to the debug
+ *          output. This function is always used through the
+ *          MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ *          and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param ecdh      the ECDH context
+ * \param attr      the identifier of the attribute being output
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
+                                const char *file, int line,
+                                const mbedtls_ecdh_context *ecdh,
+                                mbedtls_debug_ecdh_attr attr );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* debug.h */
+
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/des.h b/ctrtool/deps/libmbedtls/include/mbedtls/des.h
new file mode 100644
index 00000000..54e6b789
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/des.h
@@ -0,0 +1,356 @@
+/**
+ * \file des.h
+ *
+ * \brief DES block cipher
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers
+ *            instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_DES_H
+#define MBEDTLS_DES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_DES_ENCRYPT     1
+#define MBEDTLS_DES_DECRYPT     0
+
+#define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH              -0x0032  /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_DES_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_DES_HW_ACCEL_FAILED                   -0x0033  /**< DES hardware accelerator failed. */
+
+#define MBEDTLS_DES_KEY_SIZE    8
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_DES_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          DES context structure
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+typedef struct mbedtls_des_context
+{
+    uint32_t sk[32];            /*!<  DES subkeys       */
+}
+mbedtls_des_context;
+
+/**
+ * \brief          Triple-DES context structure
+ */
+typedef struct mbedtls_des3_context
+{
+    uint32_t sk[96];            /*!<  3DES subkeys      */
+}
+mbedtls_des3_context;
+
+#else  /* MBEDTLS_DES_ALT */
+#include "des_alt.h"
+#endif /* MBEDTLS_DES_ALT */
+
+/**
+ * \brief          Initialize DES context
+ *
+ * \param ctx      DES context to be initialized
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_init( mbedtls_des_context *ctx );
+
+/**
+ * \brief          Clear DES context
+ *
+ * \param ctx      DES context to be cleared
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_free( mbedtls_des_context *ctx );
+
+/**
+ * \brief          Initialize Triple-DES context
+ *
+ * \param ctx      DES3 context to be initialized
+ */
+void mbedtls_des3_init( mbedtls_des3_context *ctx );
+
+/**
+ * \brief          Clear Triple-DES context
+ *
+ * \param ctx      DES3 context to be cleared
+ */
+void mbedtls_des3_free( mbedtls_des3_context *ctx );
+
+/**
+ * \brief          Set key parity on the given key to odd.
+ *
+ *                 DES keys are 56 bits long, but each byte is padded with
+ *                 a parity bit to allow verification.
+ *
+ * \param key      8-byte secret key
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Check that key parity on the given key is odd.
+ *
+ *                 DES keys are 56 bits long, but each byte is padded with
+ *                 a parity bit to allow verification.
+ *
+ * \param key      8-byte secret key
+ *
+ * \return         0 is parity was ok, 1 if parity was not correct.
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Check that key is not a weak or semi-weak DES key
+ *
+ * \param key      8-byte secret key
+ *
+ * \return         0 if no weak key was found, 1 if a weak key was identified.
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          DES key schedule (56-bit, encryption)
+ *
+ * \param ctx      DES context to be initialized
+ * \param key      8-byte secret key
+ *
+ * \return         0
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          DES key schedule (56-bit, decryption)
+ *
+ * \param ctx      DES context to be initialized
+ * \param key      8-byte secret key
+ *
+ * \return         0
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Triple-DES key schedule (112-bit, encryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      16-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
+
+/**
+ * \brief          Triple-DES key schedule (112-bit, decryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      16-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
+
+/**
+ * \brief          Triple-DES key schedule (168-bit, encryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      24-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
+
+/**
+ * \brief          Triple-DES key schedule (168-bit, decryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      24-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
+
+/**
+ * \brief          DES-ECB block encryption/decryption
+ *
+ * \param ctx      DES context
+ * \param input    64-bit input block
+ * \param output   64-bit output block
+ *
+ * \return         0 if successful
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
+                    const unsigned char input[8],
+                    unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          DES-CBC buffer encryption/decryption
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      DES context
+ * \param mode     MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief          3DES-ECB block encryption/decryption
+ *
+ * \param ctx      3DES context
+ * \param input    64-bit input block
+ * \param output   64-bit output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
+                     const unsigned char input[8],
+                     unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          3DES-CBC buffer encryption/decryption
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      3DES context
+ * \param mode     MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+ */
+int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
+                     int mode,
+                     size_t length,
+                     unsigned char iv[8],
+                     const unsigned char *input,
+                     unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief          Internal function for key expansion.
+ *                 (Only exposed to allow overriding it,
+ *                 see MBEDTLS_DES_SETKEY_ALT)
+ *
+ * \param SK       Round keys
+ * \param key      Base key
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_setkey( uint32_t SK[32],
+                         const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_des_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* des.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/dhm.h b/ctrtool/deps/libmbedtls/include/mbedtls/dhm.h
new file mode 100644
index 00000000..2909f5fb
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/dhm.h
@@ -0,0 +1,1096 @@
+/**
+ * \file dhm.h
+ *
+ * \brief   This file contains Diffie-Hellman-Merkle (DHM) key exchange
+ *          definitions and functions.
+ *
+ * Diffie-Hellman-Merkle (DHM) key exchange is defined in
+ * <em>RFC-2631: Diffie-Hellman Key Agreement Method</em> and
+ * <em>Public-Key Cryptography Standards (PKCS) #3: Diffie
+ * Hellman Key Agreement Standard</em>.
+ *
+ * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
+ * Internet Key Exchange (IKE)</em> defines a number of standardized
+ * Diffie-Hellman groups for IKE.
+ *
+ * <em>RFC-5114: Additional Diffie-Hellman Groups for Use with IETF
+ * Standards</em> defines a number of standardized Diffie-Hellman
+ * groups that can be used.
+ *
+ * \warning  The security of the DHM key exchange relies on the proper choice
+ *           of prime modulus - optimally, it should be a safe prime. The usage
+ *           of non-safe primes both decreases the difficulty of the underlying
+ *           discrete logarithm problem and can lead to small subgroup attacks
+ *           leaking private exponent bits when invalid public keys are used
+ *           and not detected. This is especially relevant if the same DHM
+ *           parameters are reused for multiple key exchanges as in static DHM,
+ *           while the criticality of small-subgroup attacks is lower for
+ *           ephemeral DHM.
+ *
+ * \warning  For performance reasons, the code does neither perform primality
+ *           nor safe primality tests, nor the expensive checks for invalid
+ *           subgroups. Moreover, even if these were performed, non-standardized
+ *           primes cannot be trusted because of the possibility of backdoors
+ *           that can't be effectively checked for.
+ *
+ * \warning  Diffie-Hellman-Merkle is therefore a security risk when not using
+ *           standardized primes generated using a trustworthy ("nothing up
+ *           my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
+ *           protocol, DH parameters need to be negotiated, so using the default
+ *           primes systematically is not always an option. If possible, use
+ *           Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
+ *           and for which the TLS protocol mandates the use of standard
+ *           parameters.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_DHM_H
+#define MBEDTLS_DHM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+#include "bignum.h"
+
+/*
+ * DHM Error codes
+ */
+#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA                    -0x3080  /**< Bad input parameters. */
+#define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED                -0x3100  /**< Reading of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED                -0x3180  /**< Making of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED                -0x3200  /**< Reading of the public values failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED                -0x3280  /**< Making of the public value failed. */
+#define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED                -0x3300  /**< Calculation of the DHM secret failed. */
+#define MBEDTLS_ERR_DHM_INVALID_FORMAT                    -0x3380  /**< The ASN.1 data is not formatted correctly. */
+#define MBEDTLS_ERR_DHM_ALLOC_FAILED                      -0x3400  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_DHM_FILE_IO_ERROR                     -0x3480  /**< Read or write of file failed. */
+
+/* MBEDTLS_ERR_DHM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED                   -0x3500  /**< DHM hardware accelerator failed. */
+
+#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED                  -0x3580  /**< Setting the modulus and generator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_DHM_ALT)
+
+/**
+ * \brief          The DHM context structure.
+ */
+typedef struct mbedtls_dhm_context
+{
+    size_t len;         /*!<  The size of \p P in Bytes. */
+    mbedtls_mpi P;      /*!<  The prime modulus. */
+    mbedtls_mpi G;      /*!<  The generator. */
+    mbedtls_mpi X;      /*!<  Our secret value. */
+    mbedtls_mpi GX;     /*!<  Our public key = \c G^X mod \c P. */
+    mbedtls_mpi GY;     /*!<  The public key of the peer = \c G^Y mod \c P. */
+    mbedtls_mpi K;      /*!<  The shared secret = \c G^(XY) mod \c P. */
+    mbedtls_mpi RP;     /*!<  The cached value = \c R^2 mod \c P. */
+    mbedtls_mpi Vi;     /*!<  The blinding value. */
+    mbedtls_mpi Vf;     /*!<  The unblinding value. */
+    mbedtls_mpi pX;     /*!<  The previous \c X. */
+}
+mbedtls_dhm_context;
+
+#else /* MBEDTLS_DHM_ALT */
+#include "dhm_alt.h"
+#endif /* MBEDTLS_DHM_ALT */
+
+/**
+ * \brief          This function initializes the DHM context.
+ *
+ * \param ctx      The DHM context to initialize.
+ */
+void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
+
+/**
+ * \brief          This function parses the DHM parameters in a
+ *                 TLS ServerKeyExchange handshake message
+ *                 (DHM modulus, generator, and public key).
+ *
+ * \note           In a TLS handshake, this is the how the client
+ *                 sets up its DHM context from the server's public
+ *                 DHM key material.
+ *
+ * \param ctx      The DHM context to use. This must be initialized.
+ * \param p        On input, *p must be the start of the input buffer.
+ *                 On output, *p is updated to point to the end of the data
+ *                 that has been read. On success, this is the first byte
+ *                 past the end of the ServerKeyExchange parameters.
+ *                 On error, this is the point at which an error has been
+ *                 detected, which is usually not useful except to debug
+ *                 failures.
+ * \param end      The end of the input buffer.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
+                             unsigned char **p,
+                             const unsigned char *end );
+
+/**
+ * \brief          This function generates a DHM key pair and exports its
+ *                 public part together with the DHM parameters in the format
+ *                 used in a TLS ServerKeyExchange handshake message.
+ *
+ * \note           This function assumes that the DHM parameters \c ctx->P
+ *                 and \c ctx->G have already been properly set. For that, use
+ *                 mbedtls_dhm_set_group() below in conjunction with
+ *                 mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
+ *
+ * \note           In a TLS handshake, this is the how the server generates
+ *                 and exports its DHM key material.
+ *
+ * \param ctx      The DHM context to use. This must be initialized
+ *                 and have the DHM parameters set. It may or may not
+ *                 already have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param olen     The address at which to store the number of Bytes
+ *                 written on success. This must not be \c NULL.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 sufficient size to hold the reduced binary presentation of
+ *                 the modulus, the generator and the public key, each wrapped
+ *                 with a 2-byte length field. It is the responsibility of the
+ *                 caller to ensure that enough space is available. Refer to
+ *                 mbedtls_mpi_size() to computing the byte-size of an MPI.
+ * \param f_rng    The RNG function. Must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          This function sets the prime modulus and generator.
+ *
+ * \note           This function can be used to set \c ctx->P, \c ctx->G
+ *                 in preparation for mbedtls_dhm_make_params().
+ *
+ * \param ctx      The DHM context to configure. This must be initialized.
+ * \param P        The MPI holding the DHM prime modulus. This must be
+ *                 an initialized MPI.
+ * \param G        The MPI holding the DHM generator. This must be an
+ *                 initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
+                           const mbedtls_mpi *P,
+                           const mbedtls_mpi *G );
+
+/**
+ * \brief          This function imports the raw public value of the peer.
+ *
+ * \note           In a TLS handshake, this is the how the server imports
+ *                 the Client's public DHM key.
+ *
+ * \param ctx      The DHM context to use. This must be initialized and have
+ *                 its DHM parameters set, e.g. via mbedtls_dhm_set_group().
+ *                 It may or may not already have generated its own private key.
+ * \param input    The input buffer containing the \c G^Y value of the peer.
+ *                 This must be a readable buffer of size \p ilen Bytes.
+ * \param ilen     The size of the input buffer \p input in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
+                     const unsigned char *input, size_t ilen );
+
+/**
+ * \brief          This function creates a DHM key pair and exports
+ *                 the raw public key in big-endian format.
+ *
+ * \note           The destination buffer is always fully written
+ *                 so as to contain a big-endian representation of G^X mod P.
+ *                 If it is larger than \c ctx->len, it is padded accordingly
+ *                 with zero-bytes at the beginning.
+ *
+ * \param ctx      The DHM context to use. This must be initialized and
+ *                 have the DHM parameters set. It may or may not already
+ *                 have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 size \p olen Bytes.
+ * \param olen     The length of the destination buffer. This must be at least
+ *                 equal to `ctx->len` (the size of \c P).
+ * \param f_rng    The RNG function. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          This function derives and exports the shared secret
+ *                 \c (G^Y)^X mod \c P.
+ *
+ * \note           If \p f_rng is not \c NULL, it is used to blind the input as
+ *                 a countermeasure against timing attacks. Blinding is used
+ *                 only if our private key \c X is re-used, and not used
+ *                 otherwise. We recommend always passing a non-NULL
+ *                 \p f_rng argument.
+ *
+ * \param ctx           The DHM context to use. This must be initialized
+ *                      and have its own private key generated and the peer's
+ *                      public key imported.
+ * \param output        The buffer to write the generated shared key to. This
+ *                      must be a writable buffer of size \p output_size Bytes.
+ * \param output_size   The size of the destination buffer. This must be at
+ *                      least the size of \c ctx->len (the size of \c P).
+ * \param olen          On exit, holds the actual number of Bytes written.
+ * \param f_rng         The RNG function, for blinding purposes. This may
+ *                      b \c NULL if blinding isn't needed.
+ * \param p_rng         The RNG context. This may be \c NULL if \p f_rng
+ *                      doesn't need a context argument.
+ *
+ * \return              \c 0 on success.
+ * \return              An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
+                     unsigned char *output, size_t output_size, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          This function frees and clears the components
+ *                 of a DHM context.
+ *
+ * \param ctx      The DHM context to free and clear. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is not \c NULL,
+ *                 it must point to an initialized DHM context.
+ */
+void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/** \ingroup x509_module */
+/**
+ * \brief             This function parses DHM parameters in PEM or DER format.
+ *
+ * \param dhm         The DHM context to import the DHM parameters into.
+ *                    This must be initialized.
+ * \param dhmin       The input buffer. This must be a readable buffer of
+ *                    length \p dhminlen Bytes.
+ * \param dhminlen    The size of the input buffer \p dhmin, including the
+ *                    terminating \c NULL Byte for PEM data.
+ *
+ * \return            \c 0 on success.
+ * \return            An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error
+ *                    code on failure.
+ */
+int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                           size_t dhminlen );
+
+#if defined(MBEDTLS_FS_IO)
+/** \ingroup x509_module */
+/**
+ * \brief          This function loads and parses DHM parameters from a file.
+ *
+ * \param dhm      The DHM context to load the parameters to.
+ *                 This must be initialized.
+ * \param path     The filename to read the DHM parameters from.
+ *                 This must not be \c NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX
+ *                 error code on failure.
+ */
+int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The DMH checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_dhm_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+#ifdef __cplusplus
+}
+#endif
+
+/**
+ * RFC 3526, RFC 5114 and RFC 7919 standardize a number of
+ * Diffie-Hellman groups, some of which are included here
+ * for use within the SSL/TLS module and the user's convenience
+ * when configuring the Diffie-Hellman parameters by hand
+ * through \c mbedtls_ssl_conf_dh_param.
+ *
+ * The following lists the source of the above groups in the standards:
+ * - RFC 5114 section 2.2:  2048-bit MODP Group with 224-bit Prime Order Subgroup
+ * - RFC 3526 section 3:    2048-bit MODP Group
+ * - RFC 3526 section 4:    3072-bit MODP Group
+ * - RFC 3526 section 5:    4096-bit MODP Group
+ * - RFC 7919 section A.1:  ffdhe2048
+ * - RFC 7919 section A.2:  ffdhe3072
+ * - RFC 7919 section A.3:  ffdhe4096
+ * - RFC 7919 section A.4:  ffdhe6144
+ * - RFC 7919 section A.5:  ffdhe8192
+ *
+ * The constants with suffix "_p" denote the chosen prime moduli, while
+ * the constants with suffix "_g" denote the chosen generator
+ * of the associated prime field.
+ *
+ * The constants further suffixed with "_bin" are provided in binary format,
+ * while all other constants represent null-terminated strings holding the
+ * hexadecimal presentation of the respective numbers.
+ *
+ * The primes from RFC 3526 and RFC 7919 have been generating by the following
+ * trust-worthy procedure:
+ * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
+ *   the first and last 64 bits are all 1, and the remaining N - 128 bits of
+ *   which are 0x7ff...ff.
+ * - Add the smallest multiple of the first N - 129 bits of the binary expansion
+ *   of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
+ *   such that the resulting integer is a safe-prime.
+ * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
+ *   generator is always chosen to be 2 (which is a square for these prime,
+ *   hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
+ *   bit in the private exponent).
+ *
+ */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+/**
+ * \warning The origin of the primes in RFC 5114 is not documented and
+ *          their use therefore constitutes a security risk!
+ *
+ * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are
+ *             likely to be removed in a future version of the library without
+ *             replacement.
+ */
+
+/**
+ * The hexadecimal presentation of the prime underlying the
+ * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
+ * in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
+ * IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"      \
+        "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"      \
+        "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"      \
+        "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207"      \
+        "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708"      \
+        "B3BF8A317091883681286130BC8985DB1602E714415D9330"      \
+        "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D"      \
+        "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8"      \
+        "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"      \
+        "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"      \
+        "CF9DE5384E71B81C0AC4DFFE0C10E64F" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
+ * Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"      \
+        "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"      \
+        "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"      \
+        "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"      \
+        "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"      \
+        "F180EB34118E98D119529A45D6F834566E3025E316A330EF"      \
+        "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"      \
+        "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"      \
+        "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"      \
+        "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"      \
+        "81BC087F2A7065B384B890D3191F2BFA" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ *
+ * \deprecated The hex-encoded primes from RFC 3625 are deprecated and
+ *             superseded by the corresponding macros providing them as
+ *             binary constants. Their hex-encoded constants are likely
+ *             to be removed in a future version of the library.
+ *
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AACAA68FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 3072-bit MODP
+ * Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"      \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"      \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"      \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"      \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"      \
+        "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 3072-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                      \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"   \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"   \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"   \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"   \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"   \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"   \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"   \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"   \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"   \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"   \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"   \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"   \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"   \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"   \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"   \
+        "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"   \
+        "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"   \
+        "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"   \
+        "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"   \
+        "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"   \
+        "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"   \
+        "FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * Trustworthy DHM parameters in binary form
+ */
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+     0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+     0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+     0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+     0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+     0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+     0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+     0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+     0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+     0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+     0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+     0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+     0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+     0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+     0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+     0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+     0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+     0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+     0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+     0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+     0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+     0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+     0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+     0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+     0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+     0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+     0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+     0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+     0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+     0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN  {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,  \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,  \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,  \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,  \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,  \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,  \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,  \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,  \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,  \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,  \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,  \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,  \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,  \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,  \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,  \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,  \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,  \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,  \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,  \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,  \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,  \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,  \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,  \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,  \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,  \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,  \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,  \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,  \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,  \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,  \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,  \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,  \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,  \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,  \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,  \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,  \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,  \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,  \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,  \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,  \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,  \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,  \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,  \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,  \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,  \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,  \
+    0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,  \
+    0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,  \
+    0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,  \
+    0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,  \
+    0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,  \
+    0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,  \
+    0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,  \
+    0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,  \
+    0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,  \
+    0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,  \
+    0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,  \
+    0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,  \
+    0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,  \
+    0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,  \
+    0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,  \
+    0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,  \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \
+     0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \
+     0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \
+     0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \
+     0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \
+     0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \
+     0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \
+     0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \
+     0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \
+     0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \
+     0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \
+     0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \
+     0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, \
+     0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \
+     0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \
+     0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \
+     0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \
+     0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \
+     0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \
+     0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \
+     0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \
+     0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \
+     0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \
+     0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \
+     0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \
+     0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \
+     0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \
+     0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \
+     0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \
+     0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \
+     0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \
+     0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \
+     0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 }
+
+#endif /* dhm.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ecdh.h b/ctrtool/deps/libmbedtls/include/mbedtls/ecdh.h
new file mode 100644
index 00000000..4479a1d4
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ecdh.h
@@ -0,0 +1,440 @@
+/**
+ * \file ecdh.h
+ *
+ * \brief This file contains ECDH definitions and functions.
+ *
+ * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
+ * key agreement protocol allowing two parties to establish a shared
+ * secret over an insecure channel. Each party must have an
+ * elliptic-curve public–private key pair.
+ *
+ * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
+ * Pair-Wise Key Establishment Schemes Using Discrete Logarithm
+ * Cryptography</em>.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ECDH_H
+#define MBEDTLS_ECDH_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+
+/*
+ * Use a backward compatible ECDH context.
+ *
+ * This flag is always enabled for now and future versions might add a
+ * configuration option that conditionally undefines this flag.
+ * The configuration option in question may have a different name.
+ *
+ * Features undefining this flag, must have a warning in their description in
+ * config.h stating that the feature breaks backward compatibility.
+ */
+#define MBEDTLS_ECDH_LEGACY_CONTEXT
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines the source of the imported EC key.
+ */
+typedef enum
+{
+    MBEDTLS_ECDH_OURS,   /**< Our key. */
+    MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
+} mbedtls_ecdh_side;
+
+#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+/**
+ * Defines the ECDH implementation used.
+ *
+ * Later versions of the library may add new variants, therefore users should
+ * not make any assumptions about them.
+ */
+typedef enum
+{
+    MBEDTLS_ECDH_VARIANT_NONE = 0,   /*!< Implementation not defined. */
+    MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
+} mbedtls_ecdh_variant;
+
+/**
+ * The context used by the default ECDH implementation.
+ *
+ * Later versions might change the structure of this context, therefore users
+ * should not make any assumptions about the structure of
+ * mbedtls_ecdh_context_mbed.
+ */
+typedef struct mbedtls_ecdh_context_mbed
+{
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif
+} mbedtls_ecdh_context_mbed;
+#endif
+
+/**
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
+ * \brief           The ECDH context structure.
+ */
+typedef struct mbedtls_ecdh_context
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+    int point_format;        /*!< The format of point export in TLS messages. */
+    mbedtls_ecp_point Vi;    /*!< The blinding value. */
+    mbedtls_ecp_point Vf;    /*!< The unblinding value. */
+    mbedtls_mpi _d;          /*!< The previous \p d. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    int restart_enabled;        /*!< The flag for restartable mode. */
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#else
+    uint8_t point_format;       /*!< The format of point export in TLS messages
+                                  as defined in RFC 4492. */
+    mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
+    mbedtls_ecdh_variant var;   /*!< The ECDH implementation/structure used. */
+    union
+    {
+        mbedtls_ecdh_context_mbed   mbed_ecdh;
+    } ctx;                      /*!< Implementation-specific context. The
+                                  context in use is specified by the \c var
+                                  field. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    uint8_t restart_enabled;    /*!< The flag for restartable mode. Functions of
+                                  an alternative implementation not supporting
+                                  restartable mode must return
+                                  MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
+                                  if this flag is set. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
+}
+mbedtls_ecdh_context;
+
+/**
+ * \brief           This function generates an ECDH keypair on an elliptic
+ *                  curve.
+ *
+ *                  This function performs the first of two core computations
+ *                  implemented during the ECDH key exchange. The second core
+ *                  computation is performed by mbedtls_ecdh_compute_shared().
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param d         The destination MPI (private key).
+ *                  This must be initialized.
+ * \param Q         The destination point (public key).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           This function computes the shared secret.
+ *
+ *                  This function performs the second of two core computations
+ *                  implemented during the ECDH key exchange. The first core
+ *                  computation is performed by mbedtls_ecdh_gen_public().
+ *
+ * \see             ecp.h
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param z         The destination MPI (shared secret).
+ *                  This must be initialized.
+ * \param Q         The public key from another party.
+ *                  This must be initialized.
+ * \param d         Our secret exponent (private key).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results during the ECP computations is
+ *                  not needed (discouraged). See the documentation of
+ *                  mbedtls_ecp_mul() for more.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't need a
+ *                  context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+/**
+ * \brief           This function initializes an ECDH context.
+ *
+ * \param ctx       The ECDH context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
+
+/**
+ * \brief           This function sets up the ECDH context with the information
+ *                  given.
+ *
+ *                  This function should be called after mbedtls_ecdh_init() but
+ *                  before mbedtls_ecdh_make_params(). There is no need to call
+ *                  this function before mbedtls_ecdh_read_params().
+ *
+ *                  This is the first function used by a TLS server for ECDHE
+ *                  ciphersuites.
+ *
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param grp_id    The group id of the group to set up the context for.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx,
+                        mbedtls_ecp_group_id grp_id );
+
+/**
+ * \brief           This function frees a context.
+ *
+ * \param ctx       The context to free. This may be \c NULL, in which
+ *                  case this function does nothing. If it is not \c NULL,
+ *                  it must point to an initialized ECDH context.
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
+
+/**
+ * \brief           This function generates an EC key pair and exports its
+ *                  in the format used in a TLS ServerKeyExchange handshake
+ *                  message.
+ *
+ *                  This is the second function used by a TLS server for ECDHE
+ *                  ciphersuites. (It is called after mbedtls_ecdh_setup().)
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param olen      The address at which to store the number of Bytes written.
+ * \param buf       The destination buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief           This function parses the ECDHE parameters in a
+ *                  TLS ServerKeyExchange handshake message.
+ *
+ * \note            In a TLS handshake, this is the how the client
+ *                  sets up its ECDHE context from the server's public
+ *                  ECDHE key material.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDHE context to use. This must be initialized.
+ * \param buf       On input, \c *buf must be the start of the input buffer.
+ *                  On output, \c *buf is updated to point to the end of the
+ *                  data that has been read. On success, this is the first byte
+ *                  past the end of the ServerKeyExchange parameters.
+ *                  On error, this is the point at which an error has been
+ *                  detected, which is usually not useful except to debug
+ *                  failures.
+ * \param end       The end of the input buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
+                              const unsigned char **buf,
+                              const unsigned char *end );
+
+/**
+ * \brief           This function sets up an ECDH context from an EC key.
+ *
+ *                  It is used by clients and servers in place of the
+ *                  ServerKeyEchange for static ECDH, and imports ECDH
+ *                  parameters from the EC key information of a certificate.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param key       The EC key to use. This must be initialized.
+ * \param side      Defines the source of the key. Possible values are:
+ *                  - #MBEDTLS_ECDH_OURS: The key is ours.
+ *                  - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+                             const mbedtls_ecp_keypair *key,
+                             mbedtls_ecdh_side side );
+
+/**
+ * \brief           This function generates a public key and exports it
+ *                  as a TLS ClientKeyExchange payload.
+ *
+ *                  This is the second function used by a TLS client for ECDH(E)
+ *                  ciphersuites.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, the latter usually by
+ *                  mbedtls_ecdh_read_params().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The destination buffer. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The size of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief       This function parses and processes the ECDHE payload of a
+ *              TLS ClientKeyExchange message.
+ *
+ *              This is the third function used by a TLS server for ECDH(E)
+ *              ciphersuites. (It is called after mbedtls_ecdh_setup() and
+ *              mbedtls_ecdh_make_params().)
+ *
+ * \see         ecp.h
+ *
+ * \param ctx   The ECDH context to use. This must be initialized
+ *              and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param buf   The pointer to the ClientKeyExchange payload. This must
+ *              be a readable buffer of length \p blen Bytes.
+ * \param blen  The length of the input buffer \p buf in Bytes.
+ *
+ * \return      \c 0 on success.
+ * \return      An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
+                              const unsigned char *buf, size_t blen );
+
+/**
+ * \brief           This function derives and exports the shared secret.
+ *
+ *                  This is the last function used by both TLS client
+ *                  and servers.
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
+ *
+ * \see             ecp.h
+
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and have its own private key generated and the peer's
+ *                  public key imported.
+ * \param olen      The address at which to store the total number of
+ *                  Bytes written on success. This must not be \c NULL.
+ * \param buf       The buffer to write the generated shared key to. This
+ *                  must be a writable buffer of size \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function, for blinding purposes. This may
+ *                  b \c NULL if blinding isn't needed.
+ * \param p_rng     The RNG context. This may be \c NULL if \p f_rng
+ *                  doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           This function enables restartable EC computations for this
+ *                  context.  (Default: disabled.)
+ *
+ * \see             \c mbedtls_ecp_set_max_ops()
+ *
+ * \note            It is not possible to safely disable restartable
+ *                  computations once enabled, except by free-ing the context,
+ *                  which cancels possible in-progress operations.
+ *
+ * \param ctx       The ECDH context to use. This must be initialized.
+ */
+void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdh.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ecdsa.h b/ctrtool/deps/libmbedtls/include/mbedtls/ecdsa.h
new file mode 100644
index 00000000..932acc6d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ecdsa.h
@@ -0,0 +1,604 @@
+/**
+ * \file ecdsa.h
+ *
+ * \brief This file contains ECDSA definitions and functions.
+ *
+ * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG):
+ * SEC1 Elliptic Curve Cryptography</em>.
+ * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
+ * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ECDSA_H
+#define MBEDTLS_ECDSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+#include "md.h"
+
+/*
+ * RFC-4492 page 20:
+ *
+ *     Ecdsa-Sig-Value ::= SEQUENCE {
+ *         r       INTEGER,
+ *         s       INTEGER
+ *     }
+ *
+ * Size is at most
+ *    1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s,
+ *    twice that + 1 (tag) + 2 (len) for the sequence
+ * (assuming ECP_MAX_BYTES is less than 126 for r and s,
+ * and less than 124 (total len <= 255) for the sequence)
+ */
+#if MBEDTLS_ECP_MAX_BYTES > 124
+#error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
+#endif
+/** The maximal size of an ECDSA signature in Bytes. */
+#define MBEDTLS_ECDSA_MAX_LEN  ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           The ECDSA context structure.
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
+ */
+typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for ecdsa_verify()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
+
+/**
+ * \brief           Internal restart context for ecdsa_sign()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief           Internal restart context for ecdsa_sign_det()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
+#endif
+
+/**
+ * \brief           General context for resuming ECDSA operations
+ */
+typedef struct
+{
+    mbedtls_ecp_restart_ctx ecp;        /*!<  base context for ECP restart and
+                                              shared administrative info    */
+    mbedtls_ecdsa_restart_ver_ctx *ver; /*!<  ecdsa_verify() sub-context    */
+    mbedtls_ecdsa_restart_sig_ctx *sig; /*!<  ecdsa_sign() sub-context      */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    mbedtls_ecdsa_restart_det_ctx *det; /*!<  ecdsa_sign_det() sub-context  */
+#endif
+} mbedtls_ecdsa_restart_ctx;
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_ecdsa_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message.
+ *
+ * \note            The deterministic version implemented in
+ *                  mbedtls_ecdsa_sign_det() is usually preferred.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated
+ *                  as defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized.
+ * \param buf       The content to be signed. This is usually the hash of
+ *                  the original data to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX
+ *                  or \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \warning         Since the output of the internal RNG is always the same for
+ *                  the same key and message, this limits the efficiency of
+ *                  blinding and leaks information through side channels. For
+ *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
+ *
+ *                  (Optimally the blinding is a random value that is different
+ *                  on every execution. In this case the blinding is still
+ *                  random from the attackers perspective, but is the same on
+ *                  each execution. This means that this blinding does not
+ *                  prevent attackers from recovering secrets by combining
+ *                  several measurement traces, but may prevent some attacks
+ *                  that exploit relationships between secret data.)
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized
+ *                  and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf       The hashed content to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param md_alg    The hash algorithm used to hash the original data.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
+                            mbedtls_md_type_t md_alg );
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param md_alg        The hash algorithm used to hash the original data.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                mbedtls_md_type_t md_alg,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind );
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+/**
+ * \brief           This function verifies the ECDSA signature of a
+ *                  previously-hashed message.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param buf       The hashed content that was signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param Q         The public key to use for verification. This must be
+ *                  initialized and setup.
+ * \param r         The first integer of the signature.
+ *                  This must be initialized.
+ * \param s         The second integer of the signature.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
+ *                  is invalid.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                          const unsigned char *buf, size_t blen,
+                          const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
+                          const mbedtls_mpi *s);
+
+/**
+ * \brief           This function computes the ECDSA signature and writes it
+ *                  to a buffer, serialized as defined in <em>RFC-4492:
+ *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  Transport Layer Security (TLS)</em>.
+ *
+ * \warning         It is not thread-safe to use the same context in
+ *                  multiple threads.
+ *
+ * \note            The deterministic version is used if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
+ *                  information, see <em>RFC-6979: Deterministic Usage
+ *                  of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is unused and may be set to \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+                                   mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng );
+
+/**
+ * \brief           This function computes the ECDSA signature and writes it
+ *                  to a buffer, in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_write_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_write_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is unused and may be set to \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
+                           mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           mbedtls_ecdsa_restart_ctx *rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           This function computes an ECDSA signature and writes
+ *                  it to a buffer, serialized as defined in <em>RFC-4492:
+ *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  Transport Layer Security (TLS)</em>.
+ *
+ *                  The deterministic version is defined in <em>RFC-6979:
+ *                  Deterministic Usage of the Digital Signature Algorithm (DSA)
+ *                  and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \warning         It is not thread-safe to use the same context in
+ *                  multiple threads.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in
+ *                  Mbed TLS version 2.0 and later.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param md_alg    The message digest that was used to hash the message.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
+                               const unsigned char *hash, size_t hlen,
+                               unsigned char *sig, size_t *slen,
+                               mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+/**
+ * \brief           This function reads and verifies an ECDSA signature.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in \p sig, but its length is less than \p siglen.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen );
+
+/**
+ * \brief           This function reads and verifies an ECDSA signature,
+ *                  in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_read_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_read_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in \p sig, but its length is less than \p siglen.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen,
+                          mbedtls_ecdsa_restart_ctx *rs_ctx );
+
+/**
+ * \brief          This function generates an ECDSA keypair on the given curve.
+ *
+ * \see            ecp.h
+ *
+ * \param ctx      The ECDSA context to store the keypair in.
+ *                 This must be initialized.
+ * \param gid      The elliptic curve to use. One of the various
+ *                 \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_ECP_XXX code on failure.
+ */
+int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           This function sets up an ECDSA context from an EC key pair.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to setup. This must be initialized.
+ * \param key       The EC key to use. This must be initialized and hold
+ *                  a private-public key pair or a public key. In the former
+ *                  case, the ECDSA context may be used for signature creation
+ *                  and verification after this call. In the latter case, it
+ *                  may be used for signature verification.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX code on failure.
+ */
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx,
+                                const mbedtls_ecp_keypair *key );
+
+/**
+ * \brief           This function initializes an ECDSA context.
+ *
+ * \param ctx       The ECDSA context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
+
+/**
+ * \brief           This function frees an ECDSA context.
+ *
+ * \param ctx       The ECDSA context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context.
+ *
+ * \param ctx       The restart context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context.
+ *
+ * \param ctx       The restart context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdsa.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ecjpake.h b/ctrtool/deps/libmbedtls/include/mbedtls/ecjpake.h
new file mode 100644
index 00000000..3d8d02ae
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ecjpake.h
@@ -0,0 +1,277 @@
+/**
+ * \file ecjpake.h
+ *
+ * \brief Elliptic curve J-PAKE
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ECJPAKE_H
+#define MBEDTLS_ECJPAKE_H
+
+/*
+ * J-PAKE is a password-authenticated key exchange that allows deriving a
+ * strong shared secret from a (potentially low entropy) pre-shared
+ * passphrase, with forward secrecy and mutual authentication.
+ * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
+ *
+ * This file implements the Elliptic Curve variant of J-PAKE,
+ * as defined in Chapter 7.4 of the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ *
+ * As the J-PAKE algorithm is inherently symmetric, so is our API.
+ * Each party needs to send its first round message, in any order, to the
+ * other party, then each sends its second round message, in any order.
+ * The payloads are serialized in a way suitable for use in TLS, but could
+ * also be use outside TLS.
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Roles in the EC J-PAKE exchange
+ */
+typedef enum {
+    MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
+    MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
+} mbedtls_ecjpake_role;
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+/**
+ * EC J-PAKE context structure.
+ *
+ * J-PAKE is a symmetric protocol, except for the identifiers used in
+ * Zero-Knowledge Proofs, and the serialization of the second message
+ * (KeyExchange) as defined by the Thread spec.
+ *
+ * In order to benefit from this symmetry, we choose a different naming
+ * convetion from the Thread v1.0 spec. Correspondance is indicated in the
+ * description as a pair C: client name, S: server name
+ */
+typedef struct mbedtls_ecjpake_context
+{
+    const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
+    mbedtls_ecp_group grp;              /**< Elliptic curve                 */
+    mbedtls_ecjpake_role role;          /**< Are we client or server?       */
+    int point_format;                   /**< Format for point export        */
+
+    mbedtls_ecp_point Xm1;              /**< My public key 1   C: X1, S: X3 */
+    mbedtls_ecp_point Xm2;              /**< My public key 2   C: X2, S: X4 */
+    mbedtls_ecp_point Xp1;              /**< Peer public key 1 C: X3, S: X1 */
+    mbedtls_ecp_point Xp2;              /**< Peer public key 2 C: X4, S: X2 */
+    mbedtls_ecp_point Xp;               /**< Peer public key   C: Xs, S: Xc */
+
+    mbedtls_mpi xm1;                    /**< My private key 1  C: x1, S: x3 */
+    mbedtls_mpi xm2;                    /**< My private key 2  C: x2, S: x4 */
+
+    mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
+} mbedtls_ecjpake_context;
+
+#else  /* MBEDTLS_ECJPAKE_ALT */
+#include "ecjpake_alt.h"
+#endif /* MBEDTLS_ECJPAKE_ALT */
+
+/**
+ * \brief           Initialize an ECJPAKE context.
+ *
+ * \param ctx       The ECJPAKE context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
+
+/**
+ * \brief           Set up an ECJPAKE context for use.
+ *
+ * \note            Currently the only values for hash/curve allowed by the
+ *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
+ *
+ * \param ctx       The ECJPAKE context to set up. This must be initialized.
+ * \param role      The role of the caller. This must be either
+ *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
+ * \param hash      The identifier of the hash function to use,
+ *                  for example #MBEDTLS_MD_SHA256.
+ * \param curve     The identifier of the elliptic curve to use,
+ *                  for example #MBEDTLS_ECP_DP_SECP256R1.
+ * \param secret    The pre-shared secret (passphrase). This must be
+ *                  a readable buffer of length \p len Bytes. It need
+ *                  only be valid for the duration of this call.
+ * \param len       The length of the pre-shared secret \p secret.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
+                           mbedtls_ecjpake_role role,
+                           mbedtls_md_type_t hash,
+                           mbedtls_ecp_group_id curve,
+                           const unsigned char *secret,
+                           size_t len );
+
+/**
+ * \brief           Check if an ECJPAKE context is ready for use.
+ *
+ * \param ctx       The ECJPAKE context to check. This must be
+ *                  initialized.
+ *
+ * \return          \c 0 if the context is ready for use.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
+ */
+int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
+
+/**
+ * \brief           Generate and write the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be
+ *                  initialized and set up.
+ * \param buf       The buffer to write the contents to. This must be a
+ *                  writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number
+ *                  of Bytes written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           Read and process the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up.
+ * \param buf       The buffer holding the first round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len );
+
+/**
+ * \brief           Generate and write the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up, and already have performed round one.
+ * \param buf       The buffer to write the round two contents to.
+ *                  This must be a writable buffer of length \p len Bytes.
+ * \param len       The size of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           Read and process the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up and already have performed round one.
+ * \param buf       The buffer holding the second round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len );
+
+/**
+ * \brief           Derive the shared secret
+ *                  (TLS: Pre-Master Secret).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up and have performed both round one and two.
+ * \param buf       The buffer to write the derived secret to. This must
+ *                  be a writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           This clears an ECJPAKE context and frees any
+ *                  embedded data structure.
+ *
+ * \param ctx       The ECJPAKE context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it is not
+ *                  \c NULL, it must point to an initialized ECJPAKE context.
+ */
+void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_ecjpake_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* ecjpake.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ecp.h b/ctrtool/deps/libmbedtls/include/mbedtls/ecp.h
new file mode 100644
index 00000000..065a4cc0
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ecp.h
@@ -0,0 +1,1132 @@
+/**
+ * \file ecp.h
+ *
+ * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
+ *
+ * The use of ECP in cryptography and TLS is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG): SEC1
+ * Elliptic Curve Cryptography</em> and
+ * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
+ * for Transport Layer Security (TLS)</em>.
+ *
+ * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
+ * group types.
+ *
+ */
+
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ECP_H
+#define MBEDTLS_ECP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+/*
+ * ECP error codes
+ */
+#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA                    -0x4F80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL                  -0x4F00  /**< The buffer is too small to write to. */
+#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE               -0x4E80  /**< The requested feature is not available, for example, the requested curve is not supported. */
+#define MBEDTLS_ERR_ECP_VERIFY_FAILED                     -0x4E00  /**< The signature is not valid. */
+#define MBEDTLS_ERR_ECP_ALLOC_FAILED                      -0x4D80  /**< Memory allocation failed. */
+#define MBEDTLS_ERR_ECP_RANDOM_FAILED                     -0x4D00  /**< Generation of random value, such as ephemeral key, failed. */
+#define MBEDTLS_ERR_ECP_INVALID_KEY                       -0x4C80  /**< Invalid private or public key. */
+#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH                  -0x4C00  /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80  /**< The ECP hardware accelerator failed. */
+
+#define MBEDTLS_ERR_ECP_IN_PROGRESS                       -0x4B00  /**< Operation in progress, call again with the same parameters to continue. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Domain-parameter identifiers: curve, subgroup, and generator.
+ *
+ * \note Only curves over prime fields are supported.
+ *
+ * \warning This library does not support validation of arbitrary domain
+ * parameters. Therefore, only standardized domain parameters from trusted
+ * sources should be used. See mbedtls_ecp_group_load().
+ */
+typedef enum
+{
+    MBEDTLS_ECP_DP_NONE = 0,       /*!< Curve not defined. */
+    MBEDTLS_ECP_DP_SECP192R1,      /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP224R1,      /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP256R1,      /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP384R1,      /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP521R1,      /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_BP256R1,        /*!< Domain parameters for 256-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_BP384R1,        /*!< Domain parameters for 384-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_BP512R1,        /*!< Domain parameters for 512-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_CURVE25519,     /*!< Domain parameters for Curve25519. */
+    MBEDTLS_ECP_DP_SECP192K1,      /*!< Domain parameters for 192-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_SECP224K1,      /*!< Domain parameters for 224-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_SECP256K1,      /*!< Domain parameters for 256-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_CURVE448,       /*!< Domain parameters for Curve448. */
+} mbedtls_ecp_group_id;
+
+/**
+ * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
+ *
+ * \note Montgomery curves are currently excluded.
+ */
+#define MBEDTLS_ECP_DP_MAX     12
+
+/**
+ * Curve information, for use by other modules.
+ */
+typedef struct mbedtls_ecp_curve_info
+{
+    mbedtls_ecp_group_id grp_id;    /*!< An internal identifier. */
+    uint16_t tls_id;                /*!< The TLS NamedCurve identifier. */
+    uint16_t bit_size;              /*!< The curve size in bits. */
+    const char *name;               /*!< A human-friendly name. */
+} mbedtls_ecp_curve_info;
+
+/**
+ * \brief           The ECP point structure, in Jacobian coordinates.
+ *
+ * \note            All functions expect and return points satisfying
+ *                  the following condition: <code>Z == 0</code> or
+ *                  <code>Z == 1</code>. Other values of \p Z are
+ *                  used only by internal functions.
+ *                  The point is zero, or "at infinity", if <code>Z == 0</code>.
+ *                  Otherwise, \p X and \p Y are its standard (affine)
+ *                  coordinates.
+ */
+typedef struct mbedtls_ecp_point
+{
+    mbedtls_mpi X;          /*!< The X coordinate of the ECP point. */
+    mbedtls_mpi Y;          /*!< The Y coordinate of the ECP point. */
+    mbedtls_mpi Z;          /*!< The Z coordinate of the ECP point. */
+}
+mbedtls_ecp_point;
+
+#if !defined(MBEDTLS_ECP_ALT)
+/*
+ * default mbed TLS elliptic curve arithmetic implementation
+ *
+ * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
+ * alternative implementation for the whole module and it will replace this
+ * one.)
+ */
+
+/**
+ * \brief           The ECP group structure.
+ *
+ * We consider two types of curve equations:
+ * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
+ * (SEC1 + RFC-4492)</li>
+ * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
+ * Curve448)</li></ul>
+ * In both cases, the generator (\p G) for a prime-order subgroup is fixed.
+ *
+ * For Short Weierstrass, this subgroup is the whole curve, and its
+ * cardinality is denoted by \p N. Our code requires that \p N is an
+ * odd prime as mbedtls_ecp_mul() requires an odd number, and
+ * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
+ *
+ * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
+ * which is the quantity used in the formulas. Additionally, \p nbits is
+ * not the size of \p N but the required size for private keys.
+ *
+ * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
+ * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
+ * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
+ * which is congruent mod \p P to the given MPI, and is close enough to \p pbits
+ * in size, so that it may be efficiently brought in the 0..P-1 range by a few
+ * additions or subtractions. Therefore, it is only an approximative modular
+ * reduction. It must return 0 on success and non-zero on failure.
+ *
+ * \note        Alternative implementations must keep the group IDs distinct. If
+ *              two group structures have the same ID, then they must be
+ *              identical.
+ *
+ */
+typedef struct mbedtls_ecp_group
+{
+    mbedtls_ecp_group_id id;    /*!< An internal group identifier. */
+    mbedtls_mpi P;              /*!< The prime modulus of the base field. */
+    mbedtls_mpi A;              /*!< For Short Weierstrass: \p A in the equation. For
+                                     Montgomery curves: <code>(A + 2) / 4</code>. */
+    mbedtls_mpi B;              /*!< For Short Weierstrass: \p B in the equation.
+                                     For Montgomery curves: unused. */
+    mbedtls_ecp_point G;        /*!< The generator of the subgroup used. */
+    mbedtls_mpi N;              /*!< The order of \p G. */
+    size_t pbits;               /*!< The number of bits in \p P.*/
+    size_t nbits;               /*!< For Short Weierstrass: The number of bits in \p P.
+                                     For Montgomery curves: the number of bits in the
+                                     private keys. */
+    unsigned int h;             /*!< \internal 1 if the constants are static. */
+    int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
+                                     mod \p P (see above).*/
+    int (*t_pre)(mbedtls_ecp_point *, void *);  /*!< Unused. */
+    int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */
+    void *t_data;               /*!< Unused. */
+    mbedtls_ecp_point *T;       /*!< Pre-computed points for ecp_mul_comb(). */
+    size_t T_size;              /*!< The number of pre-computed points. */
+}
+mbedtls_ecp_group;
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h, or define them using the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ECP_MAX_BITS)
+/**
+ * The maximum size of the groups, that is, of \c N and \c P.
+ */
+#define MBEDTLS_ECP_MAX_BITS     521   /**< The maximum size of groups, in bits. */
+#endif
+
+#define MBEDTLS_ECP_MAX_BYTES    ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )
+#define MBEDTLS_ECP_MAX_PT_LEN   ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 )
+
+#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
+/*
+ * Maximum "window" size used for point multiplication.
+ * Default: 6.
+ * Minimum value: 2. Maximum value: 7.
+ *
+ * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
+ * points used for point multiplication. This value is directly tied to EC
+ * peak memory usage, so decreasing it by one should roughly cut memory usage
+ * by two (if large curves are in use).
+ *
+ * Reduction in size may reduce speed, but larger curves are impacted first.
+ * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
+ *      w-size:     6       5       4       3       2
+ *      521       145     141     135     120      97
+ *      384       214     209     198     177     146
+ *      256       320     320     303     262     226
+ *      224       475     475     453     398     342
+ *      192       640     640     633     587     476
+ */
+#define MBEDTLS_ECP_WINDOW_SIZE    6   /**< The maximum window size used. */
+#endif /* MBEDTLS_ECP_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
+/*
+ * Trade memory for speed on fixed-point multiplication.
+ *
+ * This speeds up repeated multiplication of the generator (that is, the
+ * multiplication in ECDSA signatures, and half of the multiplications in
+ * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
+ *
+ * The cost is increasing EC peak memory usage by a factor roughly 2.
+ *
+ * Change this value to 0 to reduce peak memory usage.
+ */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up. */
+#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
+
+/* \} name SECTION: Module settings */
+
+#else  /* MBEDTLS_ECP_ALT */
+#include "ecp_alt.h"
+#endif /* MBEDTLS_ECP_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for multiplication
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
+
+/**
+ * \brief           Internal restart context for ecp_muladd()
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
+
+/**
+ * \brief           General context for resuming ECC operations
+ */
+typedef struct
+{
+    unsigned ops_done;                  /*!<  current ops count             */
+    unsigned depth;                     /*!<  call depth (0 = top-level)    */
+    mbedtls_ecp_restart_mul_ctx *rsm;   /*!<  ecp_mul_comb() sub-context    */
+    mbedtls_ecp_restart_muladd_ctx *ma; /*!<  ecp_muladd() sub-context      */
+} mbedtls_ecp_restart_ctx;
+
+/*
+ * Operation counts for restartable functions
+ */
+#define MBEDTLS_ECP_OPS_CHK   3 /*!< basic ops count for ecp_check_pubkey()  */
+#define MBEDTLS_ECP_OPS_DBL   8 /*!< basic ops count for ecp_double_jac()    */
+#define MBEDTLS_ECP_OPS_ADD  11 /*!< basic ops count for see ecp_add_mixed() */
+#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv()  */
+
+/**
+ * \brief           Internal; for restartable functions in other modules.
+ *                  Check and update basic ops budget.
+ *
+ * \param grp       Group structure
+ * \param rs_ctx    Restart context
+ * \param ops       Number of basic ops to do
+ *
+ * \return          \c 0 if doing \p ops basic ops is still allowed,
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
+ */
+int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
+                              mbedtls_ecp_restart_ctx *rs_ctx,
+                              unsigned ops );
+
+/* Utility macro for checking and updating ops budget */
+#define MBEDTLS_ECP_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \
+                                               (unsigned) (ops) ) );
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define MBEDTLS_ECP_BUDGET( ops )   /* no-op; for compatibility */
+
+/* We want to declare restartable versions of existing functions anyway */
+typedef void mbedtls_ecp_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief    The ECP key-pair structure.
+ *
+ * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
+ *
+ * \note    Members are deliberately in the same order as in the
+ *          ::mbedtls_ecdsa_context structure.
+ */
+typedef struct mbedtls_ecp_keypair
+{
+    mbedtls_ecp_group grp;      /*!<  Elliptic curve and base point     */
+    mbedtls_mpi d;              /*!<  our secret value                  */
+    mbedtls_ecp_point Q;        /*!<  our public value                  */
+}
+mbedtls_ecp_keypair;
+
+/*
+ * Point formats, from RFC 4492's enum ECPointFormat
+ */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED    0   /**< Uncompressed point format. */
+#define MBEDTLS_ECP_PF_COMPRESSED      1   /**< Compressed point format. */
+
+/*
+ * Some other constants from RFC 4492
+ */
+#define MBEDTLS_ECP_TLS_NAMED_CURVE    3   /**< The named_curve of ECCurveType. */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Set the maximum number of basic operations done in a row.
+ *
+ *                  If more operations are needed to complete a computation,
+ *                  #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
+ *                  function performing the computation. It is then the
+ *                  caller's responsibility to either call again with the same
+ *                  parameters until it returns 0 or an error code; or to free
+ *                  the restart context if the operation is to be aborted.
+ *
+ *                  It is strictly required that all input parameters and the
+ *                  restart context be the same on successive calls for the
+ *                  same operation, but output parameters need not be the
+ *                  same; they must not be used until the function finally
+ *                  returns 0.
+ *
+ *                  This only applies to functions whose documentation
+ *                  mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
+ *                  #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
+ *                  SSL module). For functions that accept a "restart context"
+ *                  argument, passing NULL disables restart and makes the
+ *                  function equivalent to the function with the same name
+ *                  with \c _restartable removed. For functions in the ECDH
+ *                  module, restart is disabled unless the function accepts
+ *                  an "ECDH context" argument and
+ *                  mbedtls_ecdh_enable_restart() was previously called on
+ *                  that context. For function in the SSL module, restart is
+ *                  only enabled for specific sides and key exchanges
+ *                  (currently only for clients and ECDHE-ECDSA).
+ *
+ * \param max_ops   Maximum number of basic operations done in a row.
+ *                  Default: 0 (unlimited).
+ *                  Lower (non-zero) values mean ECC functions will block for
+ *                  a lesser maximum amount of time.
+ *
+ * \note            A "basic operation" is defined as a rough equivalent of a
+ *                  multiplication in GF(p) for the NIST P-256 curve.
+ *                  As an indication, with default settings, a scalar
+ *                  multiplication (full run of \c mbedtls_ecp_mul()) is:
+ *                  - about 3300 basic operations for P-256
+ *                  - about 9400 basic operations for P-384
+ *
+ * \note            Very low values are not always respected: sometimes
+ *                  functions need to block for a minimum number of
+ *                  operations, and will do so even if max_ops is set to a
+ *                  lower value.  That minimum depends on the curve size, and
+ *                  can be made lower by decreasing the value of
+ *                  \c MBEDTLS_ECP_WINDOW_SIZE.  As an indication, here is the
+ *                  lowest effective value for various curves and values of
+ *                  that parameter (w for short):
+ *                          w=6     w=5     w=4     w=3     w=2
+ *                  P-256   208     208     160     136     124
+ *                  P-384   682     416     320     272     248
+ *                  P-521  1364     832     640     544     496
+ *
+ * \note            This setting is currently ignored by Curve25519.
+ */
+void mbedtls_ecp_set_max_ops( unsigned max_ops );
+
+/**
+ * \brief           Check if restart is enabled (max_ops != 0)
+ *
+ * \return          \c 0 if \c max_ops == 0 (restart disabled)
+ * \return          \c 1 otherwise (restart enabled)
+ */
+int mbedtls_ecp_restart_is_enabled( void );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function retrieves the information defined in
+ *                  mbedtls_ecp_curve_info() for all supported curves in order
+ *                  of preference.
+ *
+ * \return          A statically allocated array. The last entry is 0.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
+
+/**
+ * \brief           This function retrieves the list of internal group
+ *                  identifiers of all supported curves in the order of
+ *                  preference.
+ *
+ * \return          A statically allocated array,
+ *                  terminated with MBEDTLS_ECP_DP_NONE.
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void );
+
+/**
+ * \brief           This function retrieves curve information from an internal
+ *                  group identifier.
+ *
+ * \param grp_id    An \c MBEDTLS_ECP_DP_XXX value.
+ *
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id );
+
+/**
+ * \brief           This function retrieves curve information from a TLS
+ *                  NamedCurve value.
+ *
+ * \param tls_id    An \c MBEDTLS_ECP_DP_XXX value.
+ *
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id );
+
+/**
+ * \brief           This function retrieves curve information from a
+ *                  human-readable name.
+ *
+ * \param name      The human-readable name.
+ *
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name );
+
+/**
+ * \brief           This function initializes a point as zero.
+ *
+ * \param pt        The point to initialize.
+ */
+void mbedtls_ecp_point_init( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function initializes an ECP group context
+ *                  without loading any domain parameters.
+ *
+ * \note            After this function is called, domain parameters
+ *                  for various ECP groups can be loaded through the
+ *                  mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
+ *                  functions.
+ */
+void mbedtls_ecp_group_init( mbedtls_ecp_group *grp );
+
+/**
+ * \brief           This function initializes a key pair as an invalid one.
+ *
+ * \param key       The key pair to initialize.
+ */
+void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key );
+
+/**
+ * \brief           This function frees the components of a point.
+ *
+ * \param pt        The point to free.
+ */
+void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function frees the components of an ECP group.
+ *
+ * \param grp       The group to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP group.
+ */
+void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );
+
+/**
+ * \brief           This function frees the components of a key pair.
+ *
+ * \param key       The key pair to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP key pair.
+ */
+void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context.
+ *
+ * \param ctx       The restart context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context.
+ *
+ * \param ctx       The restart context to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized restart context.
+ */
+void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function copies the contents of point \p Q into
+ *                  point \p P.
+ *
+ * \param P         The destination point. This must be initialized.
+ * \param Q         The source point. This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code for other kinds of failure.
+ */
+int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           This function copies the contents of group \p src into
+ *                  group \p dst.
+ *
+ * \param dst       The destination group. This must be initialized.
+ * \param src       The source group. This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst,
+                            const mbedtls_ecp_group *src );
+
+/**
+ * \brief           This function sets a point to the point at infinity.
+ *
+ * \param pt        The point to set. This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function checks if a point is the point at infinity.
+ *
+ * \param pt        The point to test. This must be initialized.
+ *
+ * \return          \c 1 if the point is zero.
+ * \return          \c 0 if the point is non-zero.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function compares two points.
+ *
+ * \note            This assumes that the points are normalized. Otherwise,
+ *                  they may compare as "not equal" even if they are.
+ *
+ * \param P         The first point to compare. This must be initialized.
+ * \param Q         The second point to compare. This must be initialized.
+ *
+ * \return          \c 0 if the points are equal.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
+ */
+int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
+                           const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           This function imports a non-zero point from two ASCII
+ *                  strings.
+ *
+ * \param P         The destination point. This must be initialized.
+ * \param radix     The numeric base of the input.
+ * \param x         The first affine coordinate, as a null-terminated string.
+ * \param y         The second affine coordinate, as a null-terminated string.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_MPI_XXX error code on failure.
+ */
+int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
+                           const char *x, const char *y );
+
+/**
+ * \brief           This function exports a point into unsigned binary data.
+ *
+ * \param grp       The group to which the point should belong.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The point to export. This must be initialized.
+ * \param format    The point format. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen      The address at which to store the length of
+ *                  the output in Bytes. This must not be \c NULL.
+ * \param buf       The output buffer. This must be a writable buffer
+ *                  of length \p buflen Bytes.
+ * \param buflen    The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ *                  is too small to hold the point.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
+                            int format, size_t *olen,
+                            unsigned char *buf, size_t buflen );
+
+/**
+ * \brief           This function imports a point from unsigned binary data.
+ *
+ * \note            This function does not check that the point actually
+ *                  belongs to the given group, see mbedtls_ecp_check_pubkey()
+ *                  for that.
+ *
+ * \param grp       The group to which the point should belong.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The destination context to import the point to.
+ *                  This must be initialized.
+ * \param buf       The input buffer. This must be a readable buffer
+ *                  of length \p ilen Bytes.
+ * \param ilen      The length of the input buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ *                  is not implemented.
+ */
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *P,
+                                   const unsigned char *buf, size_t ilen );
+
+/**
+ * \brief           This function imports a point from a TLS ECPoint record.
+ *
+ * \note            On function return, \p *buf is updated to point immediately
+ *                  after the ECPoint record.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The destination point.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization
+ *                  failure.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ */
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *pt,
+                                const unsigned char **buf, size_t len );
+
+/**
+ * \brief           This function exports a point as a TLS ECPoint record
+ *                  defined in RFC 4492, Section 5.4.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to be exported. This must be initialized.
+ * \param format    The point format to use. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen      The address at which to store the length in Bytes
+ *                  of the data written.
+ * \param buf       The target buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the target buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
+ *                  is too small to hold the exported point.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp,
+                                 const mbedtls_ecp_point *pt,
+                                 int format, size_t *olen,
+                                 unsigned char *buf, size_t blen );
+
+/**
+ * \brief           This function sets up an ECP group context
+ *                  from a standardized set of domain parameters.
+ *
+ * \note            The index should be a value of the NamedCurve enum,
+ *                  as defined in <em>RFC-4492: Elliptic Curve Cryptography
+ *                  (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
+ *                  usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
+ *
+ * \param grp       The group context to setup. This must be initialized.
+ * \param id        The identifier of the domain parameter set to load.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
+ *                  correspond to a known group.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
+
+/**
+ * \brief           This function sets up an ECP group context from a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
+ *
+ * \param grp       The group context to setup. This must be initialized.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
+                                const unsigned char **buf, size_t len );
+
+/**
+ * \brief           This function extracts an elliptic curve group ID from a
+ *                  TLS ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
+ *
+ * \param grp       The address at which to store the group id.
+ *                  This must not be \c NULL.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
+                                   const unsigned char **buf,
+                                   size_t len );
+/**
+ * \brief           This function exports an elliptic curve as a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \param grp       The ECP group to be exported.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The buffer to write to. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
+ *                  buffer is too small to hold the exported group.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
+                                 size_t *olen,
+                                 unsigned char *buf, size_t blen );
+
+/**
+ * \brief           This function performs a scalar multiplication of a point
+ *                  by an integer: \p R = \p m * \p P.
+ *
+ *                  It is not thread-safe to use same group in multiple threads.
+ *
+ * \note            To prevent timing attacks, this function
+ *                  executes the exact same sequence of base-field
+ *                  operations for any valid \p m. It avoids any if-branch or
+ *                  array index depending on the value of \p m.
+ *
+ * \note            If \p f_rng is not NULL, it is used to randomize
+ *                  intermediate results to prevent potential timing attacks
+ *                  targeting these results. We recommend always providing
+ *                  a non-NULL \p f_rng. The overhead is negligible.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ *                  key, or \p P is not a valid public key.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           This function performs multiplication of a point by
+ *                  an integer: \p R = \p m * \p P in a restartable way.
+ *
+ * \see             mbedtls_ecp_mul()
+ *
+ * \note            This function does the same as \c mbedtls_ecp_mul(), but
+ *                  it can return early and restart according to the limit set
+ *                  with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ *                  key, or \p P is not a valid public key.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_ecp_restart_ctx *rs_ctx );
+
+/**
+ * \brief           This function performs multiplication and addition of two
+ *                  points by integers: \p R = \p m * \p P + \p n * \p Q
+ *
+ *                  It is not thread-safe to use same group in multiple threads.
+ *
+ * \note            In contrast to mbedtls_ecp_mul(), this function does not
+ *                  guarantee a constant execution flow and timing.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply \p P.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
+ * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
+ * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ *                  valid private keys, or \p P or \p Q are not valid public
+ *                  keys.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           This function performs multiplication and addition of two
+ *                  points by integers: \p R = \p m * \p P + \p n * \p Q in a
+ *                  restartable way.
+ *
+ * \see             \c mbedtls_ecp_muladd()
+ *
+ * \note            This function works the same as \c mbedtls_ecp_muladd(),
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply \p P.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
+ * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
+ * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ *                  valid private keys, or \p P or \p Q are not valid public
+ *                  keys.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd_restartable(
+             mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+             mbedtls_ecp_restart_ctx *rs_ctx );
+
+/**
+ * \brief           This function checks that a point is a valid public key
+ *                  on this curve.
+ *
+ *                  It only checks that the point is non-zero, has
+ *                  valid coordinates and lies on the curve. It does not verify
+ *                  that it is indeed a multiple of \p G. This additional
+ *                  check is computationally more expensive, is not required
+ *                  by standards, and should not be necessary if the group
+ *                  used has a small cofactor. In particular, it is useless for
+ *                  the NIST groups which all have a cofactor of 1.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure, to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group the point should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to check. This must be initialized.
+ *
+ * \return          \c 0 if the point is a valid public key.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
+ *                  a valid public key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
+                              const mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function checks that an \p mbedtls_mpi is a
+ *                  valid private key for this curve.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group the private key should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The integer to check. This must be initialized.
+ *
+ * \return          \c 0 if the point is a valid private key.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
+ *                  private key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
+                               const mbedtls_mpi *d );
+
+/**
+ * \brief           This function generates a private key.
+ *
+ * \param grp       The ECP group to generate a private key for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The destination MPI (secret part). This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           This function generates a keypair with a configurable base
+ *                  point.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param G         The base point to use. This must be initialized
+ *                  and belong to \p grp. It replaces the default base
+ *                  point \c grp->G used by mbedtls_ecp_gen_keypair().
+ * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
+ * \param Q         The destination point (public part).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                                  const mbedtls_ecp_point *G,
+                                  mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  void *p_rng );
+
+/**
+ * \brief           This function generates an ECP keypair.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
+ * \param Q         The destination point (public part).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d,
+                             mbedtls_ecp_point *Q,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng );
+
+/**
+ * \brief           This function generates an ECP key.
+ *
+ * \param grp_id    The ECP group identifier.
+ * \param key       The destination key. This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+/**
+ * \brief           This function checks that the keypair objects
+ *                  \p pub and \p prv have the same group and the
+ *                  same public point, and that the private key in
+ *                  \p prv is consistent with the public key.
+ *
+ * \param pub       The keypair structure holding the public key. This
+ *                  must be initialized. If it contains a private key, that
+ *                  part is ignored.
+ * \param prv       The keypair structure holding the full keypair.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success, meaning that the keys are valid and match.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on calculation failure.
+ */
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub,
+                                const mbedtls_ecp_keypair *prv );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The ECP checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_ecp_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecp.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ecp_internal.h b/ctrtool/deps/libmbedtls/include/mbedtls/ecp_internal.h
new file mode 100644
index 00000000..7625ed48
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ecp_internal.h
@@ -0,0 +1,299 @@
+/**
+ * \file ecp_internal.h
+ *
+ * \brief Function declarations for alternative implementation of elliptic curve
+ * point arithmetic.
+ */
+/*
+ *  Copyright (C) 2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
+ *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ *     render ECC resistant against Side Channel Attacks. IACR Cryptology
+ *     ePrint Archive, 2004, vol. 2004, p. 342.
+ *     <http://eprint.iacr.org/2004/342.pdf>
+ *
+ * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
+ *     <http://www.secg.org/sec2-v2.pdf>
+ *
+ * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
+ *     Curve Cryptography.
+ *
+ * [6] Digital Signature Standard (DSS), FIPS 186-4.
+ *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
+ *
+ * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
+ *     Security (TLS), RFC 4492.
+ *     <https://tools.ietf.org/search/rfc4492>
+ *
+ * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
+ *
+ * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
+ *     Springer Science & Business Media, 1 Aug 2000
+ */
+
+#ifndef MBEDTLS_ECP_INTERNAL_H
+#define MBEDTLS_ECP_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+
+/**
+ * \brief           Indicate if the Elliptic Curve Point module extension can
+ *                  handle the group.
+ *
+ * \param grp       The pointer to the elliptic curve group that will be the
+ *                  basis of the cryptographic computations.
+ *
+ * \return          Non-zero if successful.
+ */
+unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Initialise the Elliptic Curve Point module extension.
+ *
+ *                  If mbedtls_internal_ecp_grp_capable returns true for a
+ *                  group, this function has to be able to initialise the
+ *                  module for it.
+ *
+ *                  This module can be a driver to a crypto hardware
+ *                  accelerator, for which this could be an initialise function.
+ *
+ * \param grp       The pointer to the group the module needs to be
+ *                  initialised for.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Frees and deallocates the Elliptic Curve Point module
+ *                  extension.
+ *
+ * \param grp       The pointer to the group the module was initialised for.
+ */
+void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp );
+
+#if defined(ECP_SHORTWEIERSTRASS)
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+/**
+ * \brief           Randomize jacobian coordinates:
+ *                  (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param pt        The point on the curve to be randomised, given with Jacobian
+ *                  coordinates.
+ *
+ * \param f_rng     A function pointer to the random number generator.
+ *
+ * \param p_rng     A pointer to the random number generator state.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_randomize_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t),
+        void *p_rng );
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+/**
+ * \brief           Addition: R = P + Q, mixed affine-Jacobian coordinates.
+ *
+ *                  The coordinates of Q must be normalized (= affine),
+ *                  but those of P don't need to. R is not normalized.
+ *
+ *                  This function is used only as a subrutine of
+ *                  ecp_mul_comb().
+ *
+ *                  Special cases: (1) P or Q is zero, (2) R is zero,
+ *                      (3) P == Q.
+ *                  None of these cases can happen as intermediate step in
+ *                  ecp_mul_comb():
+ *                      - at each step, P, Q and R are multiples of the base
+ *                      point, the factor being less than its order, so none of
+ *                      them is zero;
+ *                      - Q is an odd multiple of the base point, P an even
+ *                      multiple, due to the choice of precomputed points in the
+ *                      modified comb method.
+ *                  So branches for these cases do not leak secret information.
+ *
+ *                  We accept Q->Z being unset (saving memory in tables) as
+ *                  meaning 1.
+ *
+ *                  Cost in field operations if done by [5] 3.22:
+ *                      1A := 8M + 3S
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param R         Pointer to a point structure to hold the result.
+ *
+ * \param P         Pointer to the first summand, given with Jacobian
+ *                  coordinates
+ *
+ * \param Q         Pointer to the second summand, given with affine
+ *                  coordinates.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_add_mixed( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
+        const mbedtls_ecp_point *Q );
+#endif
+
+/**
+ * \brief           Point doubling R = 2 P, Jacobian coordinates.
+ *
+ *                  Cost:   1D := 3M + 4S    (A ==  0)
+ *                          4M + 4S          (A == -3)
+ *                          3M + 6S + 1a     otherwise
+ *                  when the implementation is based on the "dbl-1998-cmo-2"
+ *                  doubling formulas in [8] and standard optimizations are
+ *                  applied when curve parameter A is one of { 0, -3 }.
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param R         Pointer to a point structure to hold the result.
+ *
+ * \param P         Pointer to the point that has to be doubled, given with
+ *                  Jacobian coordinates.
+ *
+ * \return          0 if successful.
+ */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+int mbedtls_internal_ecp_double_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, const mbedtls_ecp_point *P );
+#endif
+
+/**
+ * \brief           Normalize jacobian coordinates of an array of (pointers to)
+ *                  points.
+ *
+ *                  Using Montgomery's trick to perform only one inversion mod P
+ *                  the cost is:
+ *                      1N(t) := 1I + (6t - 3)M + 1S
+ *                  (See for example Algorithm 10.3.4. in [9])
+ *
+ *                  This function is used only as a subrutine of
+ *                  ecp_mul_comb().
+ *
+ *                  Warning: fails (returning an error) if one of the points is
+ *                  zero!
+ *                  This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param T         Array of pointers to the points to normalise.
+ *
+ * \param t_len     Number of elements in the array.
+ *
+ * \return          0 if successful,
+ *                      an error if one of the points is zero.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+int mbedtls_internal_ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *T[], size_t t_len );
+#endif
+
+/**
+ * \brief           Normalize jacobian coordinates so that Z == 0 || Z == 1.
+ *
+ *                  Cost in field operations if done by [5] 3.2.1:
+ *                      1N := 1I + 3M + 1S
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param pt        pointer to the point to be normalised. This is an
+ *                  input/output parameter.
+ *
+ * \return          0 if successful.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+int mbedtls_internal_ecp_normalize_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *pt );
+#endif
+
+#endif /* ECP_SHORTWEIERSTRASS */
+
+#if defined(ECP_MONTGOMERY)
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, mbedtls_ecp_point *S, const mbedtls_ecp_point *P,
+        const mbedtls_ecp_point *Q, const mbedtls_mpi *d );
+#endif
+
+/**
+ * \brief           Randomize projective x/z coordinates:
+ *                      (X, Z) -> (l X, l Z) for random l
+ *
+ * \param grp       pointer to the group representing the curve
+ *
+ * \param P         the point on the curve to be randomised given with
+ *                  projective coordinates. This is an input/output parameter.
+ *
+ * \param f_rng     a function pointer to the random number generator
+ *
+ * \param p_rng     a pointer to the random number generator state
+ *
+ * \return          0 if successful
+ */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+int mbedtls_internal_ecp_randomize_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t),
+        void *p_rng );
+#endif
+
+/**
+ * \brief           Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
+ *
+ * \param grp       pointer to the group representing the curve
+ *
+ * \param P         pointer to the point to be normalised. This is an
+ *                  input/output parameter.
+ *
+ * \return          0 if successful
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+int mbedtls_internal_ecp_normalize_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *P );
+#endif
+
+#endif /* ECP_MONTGOMERY */
+
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#endif /* ecp_internal.h */
+
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/entropy.h b/ctrtool/deps/libmbedtls/include/mbedtls/entropy.h
new file mode 100644
index 00000000..ca06dc3c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/entropy.h
@@ -0,0 +1,289 @@
+/**
+ * \file entropy.h
+ *
+ * \brief Entropy accumulator implementation
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ENTROPY_H
+#define MBEDTLS_ENTROPY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+#include "sha512.h"
+#define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#else
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#include "sha256.h"
+#endif
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+#include "havege.h"
+#endif
+
+#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED                 -0x003C  /**< Critical entropy source failure. */
+#define MBEDTLS_ERR_ENTROPY_MAX_SOURCES                   -0x003E  /**< No more sources can be added. */
+#define MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED            -0x0040  /**< No sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE              -0x003D  /**< No strong sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR                 -0x003F  /**< Read/write error in file. */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ENTROPY_MAX_SOURCES)
+#define MBEDTLS_ENTROPY_MAX_SOURCES     20      /**< Maximum number of sources supported */
+#endif
+
+#if !defined(MBEDTLS_ENTROPY_MAX_GATHER)
+#define MBEDTLS_ENTROPY_MAX_GATHER      128     /**< Maximum amount requested from entropy sources */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      64      /**< Block size of entropy accumulator (SHA-512) */
+#else
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      32      /**< Block size of entropy accumulator (SHA-256) */
+#endif
+
+#define MBEDTLS_ENTROPY_MAX_SEED_SIZE   1024    /**< Maximum size of seed we read from seed file */
+#define MBEDTLS_ENTROPY_SOURCE_MANUAL   MBEDTLS_ENTROPY_MAX_SOURCES
+
+#define MBEDTLS_ENTROPY_SOURCE_STRONG   1       /**< Entropy source is strong   */
+#define MBEDTLS_ENTROPY_SOURCE_WEAK     0       /**< Entropy source is weak     */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           Entropy poll callback pointer
+ *
+ * \param data      Callback-specific data pointer
+ * \param output    Data to fill
+ * \param len       Maximum size to provide
+ * \param olen      The actual amount of bytes put into the buffer (Can be 0)
+ *
+ * \return          0 if no critical failures occurred,
+ *                  MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise
+ */
+typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, size_t len,
+                            size_t *olen);
+
+/**
+ * \brief           Entropy source state
+ */
+typedef struct mbedtls_entropy_source_state
+{
+    mbedtls_entropy_f_source_ptr    f_source;   /**< The entropy source callback */
+    void *          p_source;   /**< The callback data pointer */
+    size_t          size;       /**< Amount received in bytes */
+    size_t          threshold;  /**< Minimum bytes required before release */
+    int             strong;     /**< Is the source strong? */
+}
+mbedtls_entropy_source_state;
+
+/**
+ * \brief           Entropy context structure
+ */
+typedef struct mbedtls_entropy_context
+{
+    int accumulator_started;
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_context  accumulator;
+#else
+    mbedtls_sha256_context  accumulator;
+#endif
+    int             source_count;
+    mbedtls_entropy_source_state    source[MBEDTLS_ENTROPY_MAX_SOURCES];
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_state    havege_data;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    int initial_entropy_run;
+#endif
+}
+mbedtls_entropy_context;
+
+/**
+ * \brief           Initialize the context
+ *
+ * \param ctx       Entropy context to initialize
+ */
+void mbedtls_entropy_init( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Free the data in the context
+ *
+ * \param ctx       Entropy context to free
+ */
+void mbedtls_entropy_free( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Adds an entropy source to poll
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ * \param f_source  Entropy function
+ * \param p_source  Function data
+ * \param threshold Minimum required from source before entropy is released
+ *                  ( with mbedtls_entropy_func() ) (in bytes)
+ * \param strong    MBEDTLS_ENTROPY_SOURCE_STRONG or
+ *                  MBEDTLS_ENTROPY_SOURCE_WEAK.
+ *                  At least one strong source needs to be added.
+ *                  Weaker sources (such as the cycle counter) can be used as
+ *                  a complement.
+ *
+ * \return          0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+ */
+int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
+                        mbedtls_entropy_f_source_ptr f_source, void *p_source,
+                        size_t threshold, int strong );
+
+/**
+ * \brief           Trigger an extra gather poll for the accumulator
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_gather( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Retrieve entropy from the accumulator
+ *                  (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE)
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data      Entropy context
+ * \param output    Buffer to fill
+ * \param len       Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_func( void *data, unsigned char *output, size_t len );
+
+/**
+ * \brief           Add data to the accumulator manually
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ * \param data      Data to add
+ * \param len       Length of data
+ *
+ * \return          0 if successful
+ */
+int mbedtls_entropy_update_manual( mbedtls_entropy_context *ctx,
+                           const unsigned char *data, size_t len );
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief           Trigger an update of the seed file in NV by using the
+ *                  current entropy pool.
+ *
+ * \param ctx       Entropy context
+ *
+ * \return          0 if successful
+ */
+int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx );
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               Write a seed file
+ *
+ * \param ctx           Entropy context
+ * \param path          Name of the file
+ *
+ * \return              0 if successful,
+ *                      MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error, or
+ *                      MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *path );
+
+/**
+ * \brief               Read and update a seed file. Seed is added to this
+ *                      instance. No more than MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes are
+ *                      read from the seed file. The rest is ignored.
+ *
+ * \param ctx           Entropy context
+ * \param path          Name of the file
+ *
+ * \return              0 if successful,
+ *                      MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error,
+ *                      MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ *                 This module self-test also calls the entropy self-test,
+ *                 mbedtls_entropy_source_self_test();
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_self_test( int verbose );
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief          Checkup routine
+ *
+ *                 Verifies the integrity of the hardware entropy source
+ *                 provided by the function 'mbedtls_hardware_poll()'.
+ *
+ *                 Note this is the only hardware entropy source that is known
+ *                 at link time, and other entropy sources configured
+ *                 dynamically at runtime by the function
+ *                 mbedtls_entropy_add_source() will not be tested.
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_source_self_test( int verbose );
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/entropy_poll.h b/ctrtool/deps/libmbedtls/include/mbedtls/entropy_poll.h
new file mode 100644
index 00000000..94dd657e
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/entropy_poll.h
@@ -0,0 +1,110 @@
+/**
+ * \file entropy_poll.h
+ *
+ * \brief Platform-specific and custom entropy polling functions
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ENTROPY_POLL_H
+#define MBEDTLS_ENTROPY_POLL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Default thresholds for built-in sources, in bytes
+ */
+#define MBEDTLS_ENTROPY_MIN_PLATFORM     32     /**< Minimum for platform source    */
+#define MBEDTLS_ENTROPY_MIN_HAVEGE       32     /**< Minimum for HAVEGE             */
+#define MBEDTLS_ENTROPY_MIN_HARDCLOCK     4     /**< Minimum for mbedtls_timing_hardclock()        */
+#if !defined(MBEDTLS_ENTROPY_MIN_HARDWARE)
+#define MBEDTLS_ENTROPY_MIN_HARDWARE     32     /**< Minimum for the hardware source */
+#endif
+
+/**
+ * \brief           Entropy poll callback that provides 0 entropy.
+ */
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    int mbedtls_null_entropy_poll( void *data,
+                                unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+/**
+ * \brief           Platform-specific entropy poll callback
+ */
+int mbedtls_platform_entropy_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+/**
+ * \brief           HAVEGE based entropy poll callback
+ *
+ * Requires an HAVEGE state as its data pointer.
+ */
+int mbedtls_havege_poll( void *data,
+                 unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+/**
+ * \brief           mbedtls_timing_hardclock-based entropy poll callback
+ */
+int mbedtls_hardclock_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief           Entropy poll callback for a hardware source
+ *
+ * \warning         This is not provided by mbed TLS!
+ *                  See \c MBEDTLS_ENTROPY_HARDWARE_ALT in config.h.
+ *
+ * \note            This must accept NULL as its first argument.
+ */
+int mbedtls_hardware_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief           Entropy poll callback for a non-volatile seed file
+ *
+ * \note            This must accept NULL as its first argument.
+ */
+int mbedtls_nv_seed_poll( void *data,
+                          unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy_poll.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/error.h b/ctrtool/deps/libmbedtls/include/mbedtls/error.h
new file mode 100644
index 00000000..bee0fe48
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/error.h
@@ -0,0 +1,129 @@
+/**
+ * \file error.h
+ *
+ * \brief Error to string translation
+ */
+/*
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ERROR_H
+#define MBEDTLS_ERROR_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * Error code layout.
+ *
+ * Currently we try to keep all error codes within the negative space of 16
+ * bits signed integers to support all platforms (-0x0001 - -0x7FFF). In
+ * addition we'd like to give two layers of information on the error if
+ * possible.
+ *
+ * For that purpose the error codes are segmented in the following manner:
+ *
+ * 16 bit error code bit-segmentation
+ *
+ * 1 bit  - Unused (sign bit)
+ * 3 bits - High level module ID
+ * 5 bits - Module-dependent error code
+ * 7 bits - Low level module errors
+ *
+ * For historical reasons, low-level error codes are divided in even and odd,
+ * even codes were assigned first, and -1 is reserved for other errors.
+ *
+ * Low-level module errors (0x0002-0x007E, 0x0003-0x007F)
+ *
+ * Module   Nr  Codes assigned
+ * MPI       7  0x0002-0x0010
+ * GCM       3  0x0012-0x0014   0x0013-0x0013
+ * BLOWFISH  3  0x0016-0x0018   0x0017-0x0017
+ * THREADING 3  0x001A-0x001E
+ * AES       5  0x0020-0x0022   0x0021-0x0025
+ * CAMELLIA  3  0x0024-0x0026   0x0027-0x0027
+ * XTEA      2  0x0028-0x0028   0x0029-0x0029
+ * BASE64    2  0x002A-0x002C
+ * OID       1  0x002E-0x002E   0x000B-0x000B
+ * PADLOCK   1  0x0030-0x0030
+ * DES       2  0x0032-0x0032   0x0033-0x0033
+ * CTR_DBRG  4  0x0034-0x003A
+ * ENTROPY   3  0x003C-0x0040   0x003D-0x003F
+ * NET      13  0x0042-0x0052   0x0043-0x0049
+ * ARIA      4  0x0058-0x005E
+ * ASN1      7  0x0060-0x006C
+ * CMAC      1  0x007A-0x007A
+ * PBKDF2    1  0x007C-0x007C
+ * HMAC_DRBG 4                  0x0003-0x0009
+ * CCM       3                  0x000D-0x0011
+ * ARC4      1                  0x0019-0x0019
+ * MD2       1                  0x002B-0x002B
+ * MD4       1                  0x002D-0x002D
+ * MD5       1                  0x002F-0x002F
+ * RIPEMD160 1                  0x0031-0x0031
+ * SHA1      1                  0x0035-0x0035 0x0073-0x0073
+ * SHA256    1                  0x0037-0x0037 0x0074-0x0074
+ * SHA512    1                  0x0039-0x0039 0x0075-0x0075
+ * CHACHA20  3                  0x0051-0x0055
+ * POLY1305  3                  0x0057-0x005B
+ * CHACHAPOLY 2 0x0054-0x0056
+ * PLATFORM  1  0x0070-0x0072
+ *
+ * High-level module nr (3 bits - 0x0...-0x7...)
+ * Name      ID  Nr of Errors
+ * PEM       1   9
+ * PKCS#12   1   4 (Started from top)
+ * X509      2   20
+ * PKCS5     2   4 (Started from top)
+ * DHM       3   11
+ * PK        3   15 (Started from top)
+ * RSA       4   11
+ * ECP       4   10 (Started from top)
+ * MD        5   5
+ * HKDF      5   1 (Started from top)
+ * CIPHER    6   8
+ * SSL       6   23 (Started from top)
+ * SSL       7   32
+ *
+ * Module dependent error code (5 bits 0x.00.-0x.F8.)
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Translate a mbed TLS error code into a string representation,
+ *        Result is truncated if necessary and always includes a terminating
+ *        null byte.
+ *
+ * \param errnum    error code
+ * \param buffer    buffer to place representation in
+ * \param buflen    length of the buffer
+ */
+void mbedtls_strerror( int errnum, char *buffer, size_t buflen );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* error.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/gcm.h b/ctrtool/deps/libmbedtls/include/mbedtls/gcm.h
new file mode 100644
index 00000000..fd130abd
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/gcm.h
@@ -0,0 +1,326 @@
+/**
+ * \file gcm.h
+ *
+ * \brief This file contains GCM definitions and functions.
+ *
+ * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
+ * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
+ * (GCM), Natl. Inst. Stand. Technol.</em>
+ *
+ * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
+ * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_GCM_H
+#define MBEDTLS_GCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#include <stdint.h>
+
+#define MBEDTLS_GCM_ENCRYPT     1
+#define MBEDTLS_GCM_DECRYPT     0
+
+#define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012  /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013  /**< GCM hardware accelerator failed. */
+
+#define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/**
+ * \brief          The GCM context structure.
+ */
+typedef struct mbedtls_gcm_context
+{
+    mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
+    uint64_t HL[16];                      /*!< Precalculated HTable low. */
+    uint64_t HH[16];                      /*!< Precalculated HTable high. */
+    uint64_t len;                         /*!< The total length of the encrypted data. */
+    uint64_t add_len;                     /*!< The total length of the additional data. */
+    unsigned char base_ectr[16];          /*!< The first ECTR for tag. */
+    unsigned char y[16];                  /*!< The Y working value. */
+    unsigned char buf[16];                /*!< The buf working value. */
+    int mode;                             /*!< The operation to perform:
+                                               #MBEDTLS_GCM_ENCRYPT or
+                                               #MBEDTLS_GCM_DECRYPT. */
+}
+mbedtls_gcm_context;
+
+#else  /* !MBEDTLS_GCM_ALT */
+#include "gcm_alt.h"
+#endif /* !MBEDTLS_GCM_ALT */
+
+/**
+ * \brief           This function initializes the specified GCM context,
+ *                  to make references valid, and prepares the context
+ *                  for mbedtls_gcm_setkey() or mbedtls_gcm_free().
+ *
+ *                  The function does not bind the GCM context to a particular
+ *                  cipher, nor set the key. For this purpose, use
+ *                  mbedtls_gcm_setkey().
+ *
+ * \param ctx       The GCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
+
+/**
+ * \brief           This function associates a GCM context with a
+ *                  cipher algorithm and a key.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key. This must be a readable buffer of at
+ *                  least \p keybits bits.
+ * \param keybits   The key size in bits. Valid options are:
+ *                  <ul><li>128 bits</li>
+ *                  <li>192 bits</li>
+ *                  <li>256 bits</li></ul>
+ *
+ * \return          \c 0 on success.
+ * \return          A cipher-specific error code on failure.
+ */
+int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits );
+
+/**
+ * \brief           This function performs GCM encryption or decryption of a buffer.
+ *
+ * \note            For encryption, the output buffer can be the same as the
+ *                  input buffer. For decryption, the output buffer cannot be
+ *                  the same as input buffer. If the buffers overlap, the output
+ *                  buffer must trail at least 8 Bytes behind the input buffer.
+ *
+ * \warning         When this function performs a decryption, it outputs the
+ *                  authentication tag and does not verify that the data is
+ *                  authentic. You should use this function to perform encryption
+ *                  only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
+ *
+ * \param ctx       The GCM context to use for encryption or decryption. This
+ *                  must be initialized.
+ * \param mode      The operation to perform:
+ *                  - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
+ *                    The ciphertext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                  - #MBEDTLS_GCM_DECRYPT to perform decryption.
+ *                    The plaintext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                    Note that this mode is not recommended, because it does
+ *                    not verify the authenticity of the data. For this reason,
+ *                    you should use mbedtls_gcm_auth_decrypt() instead of
+ *                    calling this function in decryption mode.
+ * \param length    The length of the input data, which is equal to the length
+ *                  of the output data.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
+ * \param add_len   The length of the additional data.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is greater
+ *                  than zero, this must be a writable buffer of at least that
+ *                  size in Bytes.
+ * \param tag_len   The length of the tag to generate.
+ * \param tag       The buffer for holding the tag. This must be a readable
+ *                  buffer of at least \p tag_len Bytes.
+ *
+ * \return          \c 0 if the encryption or decryption was performed
+ *                  successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
+ *                  this does not indicate that the data is authentic.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the encryption
+ *                  or decryption failed.
+ */
+int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
+                       int mode,
+                       size_t length,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t tag_len,
+                       unsigned char *tag );
+
+/**
+ * \brief           This function performs a GCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param length    The length of the ciphertext to decrypt, which is also
+ *                  the length of the decrypted plaintext.
+ * \param iv        The initialization vector. This must be a readable buffer
+ *                  of at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
+ * \param add_len   The length of the additional data.
+ * \param tag       The buffer holding the tag to verify. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the tag to verify.
+ * \param input     The buffer holding the ciphertext. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size.
+ * \param output    The buffer for holding the decrypted plaintext. If \p length
+ *                  is greater than zero, this must be a writable buffer of at
+ *                  least that size.
+ *
+ * \return          \c 0 if successful and authenticated.
+ * \return          #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the decryption
+ *                  failed.
+ */
+int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
+                      size_t length,
+                      const unsigned char *iv,
+                      size_t iv_len,
+                      const unsigned char *add,
+                      size_t add_len,
+                      const unsigned char *tag,
+                      size_t tag_len,
+                      const unsigned char *input,
+                      unsigned char *output );
+
+/**
+ * \brief           This function starts a GCM encryption or decryption
+ *                  operation.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param mode      The operation to perform: #MBEDTLS_GCM_ENCRYPT or
+ *                  #MBEDTLS_GCM_DECRYPT.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data, or \c NULL
+ *                  if \p add_len is \c 0.
+ * \param add_len   The length of the additional data. If \c 0,
+ *                  \p add may be \c NULL.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
+                int mode,
+                const unsigned char *iv,
+                size_t iv_len,
+                const unsigned char *add,
+                size_t add_len );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing GCM
+ *                  encryption or decryption operation.
+ *
+ *    `             The function expects input to be a multiple of 16
+ *                  Bytes. Only the last call before calling
+ *                  mbedtls_gcm_finish() can be less than 16 Bytes.
+ *
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param length    The length of the input data. This must be a multiple of
+ *                  16 except in the last call before mbedtls_gcm_finish().
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is
+ *                  greater than zero, this must be a writable buffer of at
+ *                  least that size in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
+                size_t length,
+                const unsigned char *input,
+                unsigned char *output );
+
+/**
+ * \brief           This function finishes the GCM operation and generates
+ *                  the authentication tag.
+ *
+ *                  It wraps up the GCM stream, and generates the
+ *                  tag. The tag can have a maximum length of 16 Bytes.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param tag       The buffer for holding the tag. This must be a readable
+ *                  buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the tag to generate. This must be at least
+ *                  four.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
+                unsigned char *tag,
+                size_t tag_len );
+
+/**
+ * \brief           This function clears a GCM context and the underlying
+ *                  cipher sub-context.
+ *
+ * \param ctx       The GCM context to clear. If this is \c NULL, the call has
+ *                  no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The GCM checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_gcm_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* gcm.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/havege.h b/ctrtool/deps/libmbedtls/include/mbedtls/havege.h
new file mode 100644
index 00000000..4c1c8608
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/havege.h
@@ -0,0 +1,81 @@
+/**
+ * \file havege.h
+ *
+ * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HAVEGE_H
+#define MBEDTLS_HAVEGE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          HAVEGE state structure
+ */
+typedef struct mbedtls_havege_state
+{
+    int PT1, PT2, offset[2];
+    int pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
+    int WALK[8192];
+}
+mbedtls_havege_state;
+
+/**
+ * \brief          HAVEGE initialization
+ *
+ * \param hs       HAVEGE state to be initialized
+ */
+void mbedtls_havege_init( mbedtls_havege_state *hs );
+
+/**
+ * \brief          Clear HAVEGE state
+ *
+ * \param hs       HAVEGE state to be cleared
+ */
+void mbedtls_havege_free( mbedtls_havege_state *hs );
+
+/**
+ * \brief          HAVEGE rand function
+ *
+ * \param p_rng    A HAVEGE state
+ * \param output   Buffer to fill
+ * \param len      Length of buffer
+ *
+ * \return         0
+ */
+int mbedtls_havege_random( void *p_rng, unsigned char *output, size_t len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* havege.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/hkdf.h b/ctrtool/deps/libmbedtls/include/mbedtls/hkdf.h
new file mode 100644
index 00000000..bcafe425
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/hkdf.h
@@ -0,0 +1,141 @@
+/**
+ * \file hkdf.h
+ *
+ * \brief   This file contains the HKDF interface.
+ *
+ *          The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
+ *          specified by RFC 5869.
+ */
+/*
+ *  Copyright (C) 2016-2019, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HKDF_H
+#define MBEDTLS_HKDF_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+/**
+ *  \name HKDF Error codes
+ *  \{
+ */
+#define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA  -0x5F80  /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ *  \brief  This is the HMAC-based Extract-and-Expand Key Derivation Function
+ *          (HKDF).
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  salt      An optional salt value (a non-secret random value);
+ *                    if the salt is not provided, a string of all zeros of
+ *                    md.size length is used as the salt.
+ *  \param  salt_len  The length in bytes of the optional \p salt.
+ *  \param  ikm       The input keying material.
+ *  \param  ikm_len   The length in bytes of \p ikm.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                  const unsigned char *info, size_t info_len,
+                  unsigned char *okm, size_t okm_len );
+
+/**
+ *  \brief  Take the input keying material \p ikm and extract from it a
+ *          fixed-length pseudorandom key \p prk.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param       md        A hash function; md.size denotes the length of the
+ *                         hash function output in bytes.
+ *  \param       salt      An optional salt value (a non-secret random value);
+ *                         if the salt is not provided, a string of all zeros
+ *                         of md.size length is used as the salt.
+ *  \param       salt_len  The length in bytes of the optional \p salt.
+ *  \param       ikm       The input keying material.
+ *  \param       ikm_len   The length in bytes of \p ikm.
+ *  \param[out]  prk       A pseudorandom key of at least md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+                          const unsigned char *salt, size_t salt_len,
+                          const unsigned char *ikm, size_t ikm_len,
+                          unsigned char *prk );
+
+/**
+ *  \brief  Expand the supplied \p prk into several additional pseudorandom
+ *          keys, which is the output of the HKDF.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  prk       A pseudorandom key of at least md.size bytes. \p prk is
+ *                    usually the output from the HKDF extract step.
+ *  \param  prk_len   The length in bytes of \p prk.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+                         size_t prk_len, const unsigned char *info,
+                         size_t info_len, unsigned char *okm, size_t okm_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hkdf.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/hmac_drbg.h b/ctrtool/deps/libmbedtls/include/mbedtls/hmac_drbg.h
new file mode 100644
index 00000000..7931c228
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/hmac_drbg.h
@@ -0,0 +1,415 @@
+/**
+ * \file hmac_drbg.h
+ *
+ * \brief The HMAC_DRBG pseudorandom generator.
+ *
+ * This module implements the HMAC_DRBG pseudorandom generator described
+ * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
+ * Deterministic Random Bit Generators</em>.
+ */
+/*
+ *  Copyright (C) 2006-2019, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HMAC_DRBG_H
+#define MBEDTLS_HMAC_DRBG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/*
+ * Error codes
+ */
+#define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG              -0x0003  /**< Too many random requested in single call. */
+#define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG                -0x0005  /**< Input too large (Entropy + additional). */
+#define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR                -0x0007  /**< Read/write error in file. */
+#define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED        -0x0009  /**< The entropy source failed. */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000   /**< Interval before reseed is performed by default */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_INPUT         256     /**< Maximum number of additional input bytes */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
+#define MBEDTLS_HMAC_DRBG_MAX_REQUEST       1024    /**< Maximum number of requested bytes per call */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT    384     /**< Maximum size of (re)seed buffer */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_HMAC_DRBG_PR_OFF   0   /**< No prediction resistance       */
+#define MBEDTLS_HMAC_DRBG_PR_ON    1   /**< Prediction resistance enabled  */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * HMAC_DRBG context.
+ */
+typedef struct mbedtls_hmac_drbg_context
+{
+    /* Working state: the key K is not stored explicitly,
+     * but is implied by the HMAC context */
+    mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
+    unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
+    int reseed_counter;                     /*!< reseed counter         */
+
+    /* Administrative state */
+    size_t entropy_len;         /*!< entropy bytes grabbed on each (re)seed */
+    int prediction_resistance;  /*!< enable prediction resistance (Automatic
+                                     reseed before every random generation) */
+    int reseed_interval;        /*!< reseed interval   */
+
+    /* Callbacks */
+    int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
+    void *p_entropy;            /*!< context for the entropy function        */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_hmac_drbg_context;
+
+/**
+ * \brief               HMAC_DRBG context initialization.
+ *
+ * This function makes the context ready for mbedtls_hmac_drbg_seed(),
+ * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
+ *
+ * \param ctx           HMAC_DRBG context to be initialized.
+ */
+void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
+
+/**
+ * \brief               HMAC_DRBG initial seeding.
+ *
+ * Set the initial seed and set up the entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note                By default, the security strength as defined by NIST is:
+ *                      - 128 bits if \p md_info is SHA-1;
+ *                      - 192 bits if \p md_info is SHA-224;
+ *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
+ *                      Note that SHA-256 is just as efficient as SHA-224.
+ *                      The security strength can be reduced if a smaller
+ *                      entropy length is set with
+ *                      mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                The default entropy length is the security strength
+ *                      (converted from bits to bytes). You can override
+ *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                During the initial seeding, this function calls
+ *                      the entropy source to obtain a nonce
+ *                      whose length is half the entropy length.
+ *
+ * \param ctx           HMAC_DRBG context to be seeded.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param f_entropy     The entropy callback, taking as arguments the
+ *                      \p p_entropy context, the buffer to fill, and the
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a length that is
+ *                      less than or equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
+ *                      where \p entropy_len is the entropy length
+ *                      described above.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if the call to \p f_entropy failed.
+ */
+int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
+                    const mbedtls_md_info_t * md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len );
+
+/**
+ * \brief               Initilisation of simpified HMAC_DRBG (never reseeds).
+ *
+ * This function is meant for use in algorithms that need a pseudorandom
+ * input such as deterministic ECDSA.
+ *
+ * \param ctx           HMAC_DRBG context to be initialised.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param data          Concatenation of the initial entropy string and
+ *                      the additional data.
+ * \param data_len      Length of \p data in bytes.
+ *
+ * \return              \c 0 if successful. or
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ */
+int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
+                        const mbedtls_md_info_t * md_info,
+                        const unsigned char *data, size_t data_len );
+
+/**
+ * \brief               This function turns prediction resistance on or off.
+ *                      The default value is off.
+ *
+ * \note                If enabled, entropy is gathered at the beginning of
+ *                      every call to mbedtls_hmac_drbg_random_with_add()
+ *                      or mbedtls_hmac_drbg_random().
+ *                      Only use this if your entropy source has sufficient
+ *                      throughput.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
+                                          int resistance );
+
+/**
+ * \brief               This function sets the amount of entropy grabbed on each
+ *                      seed or reseed.
+ *
+ * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param len           The amount of entropy to grab, in bytes.
+ */
+void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
+                                size_t len );
+
+/**
+ * \brief               Set the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
+ * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param interval      The reseed interval.
+ */
+void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
+                                    int interval );
+
+/**
+ * \brief               This function updates the state of the HMAC_DRBG context.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    The data to update the state with.
+ *                      If this is \c NULL, there is no additional data.
+ * \param add_len       Length of \p additional in bytes.
+ *                      Unused if \p additional is \c NULL.
+ *
+ * \return              \c 0 on success, or an error from the underlying
+ *                      hash calculation.
+ */
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+                       const unsigned char *additional, size_t add_len );
+
+/**
+ * \brief               This function reseeds the HMAC_DRBG context, that is
+ *                      extracts data from the entropy source.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    Additional data to add to the state.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p len should be \c 0.
+ * \param len           The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
+ *                      where \p entropy_len is the entropy length
+ *                      (see mbedtls_hmac_drbg_set_entropy_len()).
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy function failed.
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+                      const unsigned char *additional, size_t len );
+
+/**
+ * \brief   This function updates an HMAC_DRBG instance with additional
+ *          data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \param additional    Additional data to update with.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p add_len should be \c 0.
+ * \param add_len       The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
+ *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ */
+int mbedtls_hmac_drbg_random_with_add( void *p_rng,
+                               unsigned char *output, size_t output_len,
+                               const unsigned char *additional,
+                               size_t add_len );
+
+/**
+ * \brief   This function uses HMAC_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param out_len       The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ */
+int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
+
+/**
+ * \brief               Free an HMAC_DRBG context
+ *
+ * \param ctx           The HMAC_DRBG context to free.
+ */
+void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief               This function updates the state of the HMAC_DRBG context.
+ *
+ * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
+ *                      in 2.16.0.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    The data to update the state with.
+ *                      If this is \c NULL, there is no additional data.
+ * \param add_len       Length of \p additional in bytes.
+ *                      Unused if \p additional is \c NULL.
+ */
+MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
+    mbedtls_hmac_drbg_context *ctx,
+    const unsigned char *additional, size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               This function writes a seed file.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      failure.
+ */
+int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
+
+/**
+ * \brief               This function reads and updates a seed file. The seed
+ *                      is added to this instance.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
+ */
+int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief               The HMAC_DRBG Checkup routine.
+ *
+ * \return              \c 0 if successful.
+ * \return              \c 1 if the test failed.
+ */
+int mbedtls_hmac_drbg_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hmac_drbg.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/md.h b/ctrtool/deps/libmbedtls/include/mbedtls/md.h
new file mode 100644
index 00000000..8bcf766a
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/md.h
@@ -0,0 +1,468 @@
+ /**
+ * \file md.h
+ *
+ * \brief This file contains the generic message-digest wrapper.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_MD_H
+#define MBEDTLS_MD_H
+
+#include <stddef.h>
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE                -0x5080  /**< The selected feature is not available. */
+#define MBEDTLS_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
+
+/* MBEDTLS_ERR_MD_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280  /**< MD hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief     Supported message digests.
+ *
+ * \warning   MD2, MD4, MD5 and SHA-1 are considered weak message digests and
+ *            their use constitutes a security risk. We recommend considering
+ *            stronger message digests instead.
+ *
+ */
+typedef enum {
+    MBEDTLS_MD_NONE=0,    /**< None. */
+    MBEDTLS_MD_MD2,       /**< The MD2 message digest. */
+    MBEDTLS_MD_MD4,       /**< The MD4 message digest. */
+    MBEDTLS_MD_MD5,       /**< The MD5 message digest. */
+    MBEDTLS_MD_SHA1,      /**< The SHA-1 message digest. */
+    MBEDTLS_MD_SHA224,    /**< The SHA-224 message digest. */
+    MBEDTLS_MD_SHA256,    /**< The SHA-256 message digest. */
+    MBEDTLS_MD_SHA384,    /**< The SHA-384 message digest. */
+    MBEDTLS_MD_SHA512,    /**< The SHA-512 message digest. */
+    MBEDTLS_MD_RIPEMD160, /**< The RIPEMD-160 message digest. */
+} mbedtls_md_type_t;
+
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_MD_MAX_SIZE         64  /* longest known is SHA512 */
+#else
+#define MBEDTLS_MD_MAX_SIZE         32  /* longest known is SHA256 or less */
+#endif
+
+/**
+ * Opaque struct defined in md_internal.h.
+ */
+typedef struct mbedtls_md_info_t mbedtls_md_info_t;
+
+/**
+ * The generic message-digest context.
+ */
+typedef struct mbedtls_md_context_t
+{
+    /** Information about the associated message digest. */
+    const mbedtls_md_info_t *md_info;
+
+    /** The digest-specific context. */
+    void *md_ctx;
+
+    /** The HMAC part of the context. */
+    void *hmac_ctx;
+} mbedtls_md_context_t;
+
+/**
+ * \brief           This function returns the list of digests supported by the
+ *                  generic digest module.
+ *
+ * \return          A statically allocated array of digests. Each element
+ *                  in the returned list is an integer belonging to the
+ *                  message-digest enumeration #mbedtls_md_type_t.
+ *                  The last entry is 0.
+ */
+const int *mbedtls_md_list( void );
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  associated with the given digest name.
+ *
+ * \param md_name   The name of the digest to search for.
+ *
+ * \return          The message-digest information associated with \p md_name.
+ * \return          NULL if the associated message-digest information is not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name );
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  associated with the given digest type.
+ *
+ * \param md_type   The type of digest to search for.
+ *
+ * \return          The message-digest information associated with \p md_type.
+ * \return          NULL if the associated message-digest information is not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type );
+
+/**
+ * \brief           This function initializes a message-digest context without
+ *                  binding it to a particular message-digest algorithm.
+ *
+ *                  This function should always be called first. It prepares the
+ *                  context for mbedtls_md_setup() for binding it to a
+ *                  message-digest algorithm.
+ */
+void mbedtls_md_init( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief           This function clears the internal structure of \p ctx and
+ *                  frees any embedded internal structure, but does not free
+ *                  \p ctx itself.
+ *
+ *                  If you have called mbedtls_md_setup() on \p ctx, you must
+ *                  call mbedtls_md_free() when you are no longer using the
+ *                  context.
+ *                  Calling this function if you have previously
+ *                  called mbedtls_md_init() and nothing else is optional.
+ *                  You must not call this function if you have not called
+ *                  mbedtls_md_init().
+ */
+void mbedtls_md_free( mbedtls_md_context_t *ctx );
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           This function selects the message digest algorithm to use,
+ *                  and allocates internal structures.
+ *
+ *                  It should be called after mbedtls_md_init() or mbedtls_md_free().
+ *                  Makes it necessary to call mbedtls_md_free() later.
+ *
+ * \deprecated      Superseded by mbedtls_md_setup() in 2.0.0
+ *
+ * \param ctx       The context to set up.
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
+ */
+int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info ) MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief           This function selects the message digest algorithm to use,
+ *                  and allocates internal structures.
+ *
+ *                  It should be called after mbedtls_md_init() or
+ *                  mbedtls_md_free(). Makes it necessary to call
+ *                  mbedtls_md_free() later.
+ *
+ * \param ctx       The context to set up.
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ * \param hmac      Defines if HMAC is used. 0: HMAC is not used (saves some memory),
+ *                  or non-zero: HMAC is used with this context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
+ */
+int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac );
+
+/**
+ * \brief           This function clones the state of an message-digest
+ *                  context.
+ *
+ * \note            You must call mbedtls_md_setup() on \c dst before calling
+ *                  this function.
+ *
+ * \note            The two contexts must have the same type,
+ *                  for example, both are SHA-256.
+ *
+ * \warning         This function clones the message-digest state, not the
+ *                  HMAC state.
+ *
+ * \param dst       The destination context.
+ * \param src       The context to be cloned.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure.
+ */
+int mbedtls_md_clone( mbedtls_md_context_t *dst,
+                      const mbedtls_md_context_t *src );
+
+/**
+ * \brief           This function extracts the message-digest size from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The size of the message-digest output in Bytes.
+ */
+unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function extracts the message-digest type from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The type of the message digest.
+ */
+mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function extracts the message-digest name from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The name of the message digest.
+ */
+const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function starts a message-digest computation.
+ *
+ *                  You must call this function after setting up the context
+ *                  with mbedtls_md_setup(), and before passing data with
+ *                  mbedtls_md_update().
+ *
+ * \param ctx       The generic message-digest context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_starts( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing
+ *                  message-digest computation.
+ *
+ *                  You must call mbedtls_md_starts() before calling this
+ *                  function. You may call this function multiple times.
+ *                  Afterwards, call mbedtls_md_finish().
+ *
+ * \param ctx       The generic message-digest context.
+ * \param input     The buffer holding the input data.
+ * \param ilen      The length of the input data.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen );
+
+/**
+ * \brief           This function finishes the digest operation,
+ *                  and writes the result to the output buffer.
+ *
+ *                  Call this function after a call to mbedtls_md_starts(),
+ *                  followed by any number of calls to mbedtls_md_update().
+ *                  Afterwards, you may either clear the context with
+ *                  mbedtls_md_free(), or call mbedtls_md_starts() to reuse
+ *                  the context for another digest operation with the same
+ *                  algorithm.
+ *
+ * \param ctx       The generic message-digest context.
+ * \param output    The buffer for the generic message-digest checksum result.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output );
+
+/**
+ * \brief          This function calculates the message-digest of a buffer,
+ *                 with respect to a configurable message-digest algorithm
+ *                 in a single call.
+ *
+ *                 The result is calculated as
+ *                 Output = message_digest(input buffer).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param input    The buffer holding the data.
+ * \param ilen     The length of the input data.
+ * \param output   The generic message-digest checksum result.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                 failure.
+ */
+int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+        unsigned char *output );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          This function calculates the message-digest checksum
+ *                 result of the contents of the provided file.
+ *
+ *                 The result is calculated as
+ *                 Output = message_digest(file contents).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param path     The input file name.
+ * \param output   The generic message-digest checksum result.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_FILE_IO_ERROR on an I/O error accessing
+ *                 the file pointed by \p path.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
+ */
+int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path,
+                     unsigned char *output );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief           This function sets the HMAC key and prepares to
+ *                  authenticate a new message.
+ *
+ *                  Call this function after mbedtls_md_setup(), to use
+ *                  the MD context for an HMAC calculation, then call
+ *                  mbedtls_md_hmac_update() to provide the input data, and
+ *                  mbedtls_md_hmac_finish() to get the HMAC value.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param key       The HMAC secret key.
+ * \param keylen    The length of the HMAC key in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
+                    size_t keylen );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing HMAC
+ *                  computation.
+ *
+ *                  Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset()
+ *                  before calling this function.
+ *                  You may call this function multiple times to pass the
+ *                  input piecewise.
+ *                  Afterwards, call mbedtls_md_hmac_finish().
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param input     The buffer holding the input data.
+ * \param ilen      The length of the input data.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input,
+                    size_t ilen );
+
+/**
+ * \brief           This function finishes the HMAC operation, and writes
+ *                  the result to the output buffer.
+ *
+ *                  Call this function after mbedtls_md_hmac_starts() and
+ *                  mbedtls_md_hmac_update() to get the HMAC value. Afterwards
+ *                  you may either call mbedtls_md_free() to clear the context,
+ *                  or call mbedtls_md_hmac_reset() to reuse the context with
+ *                  the same HMAC key.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param output    The generic HMAC checksum result.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output);
+
+/**
+ * \brief           This function prepares to authenticate a new message with
+ *                  the same key as the previous HMAC operation.
+ *
+ *                  You may call this function after mbedtls_md_hmac_finish().
+ *                  Afterwards call mbedtls_md_hmac_update() to pass the new
+ *                  input.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief          This function calculates the full generic HMAC
+ *                 on the input buffer with the provided key.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The HMAC result is calculated as
+ *                 output = generic HMAC(hmac key, input buffer).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param key      The HMAC secret key.
+ * \param keylen   The length of the HMAC secret key in Bytes.
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ * \param output   The generic HMAC result.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                 failure.
+ */
+int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output );
+
+/* Internal use */
+int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/md2.h b/ctrtool/deps/libmbedtls/include/mbedtls/md2.h
new file mode 100644
index 00000000..fe97cf08
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/md2.h
@@ -0,0 +1,306 @@
+/**
+ * \file md2.h
+ *
+ * \brief MD2 message digest algorithm (hash function)
+ *
+ * \warning MD2 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_MD2_H
+#define MBEDTLS_MD2_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B  /**< MD2 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD2_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD2 context structure
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md2_context
+{
+    unsigned char cksum[16];    /*!< checksum of the data block */
+    unsigned char state[48];    /*!< intermediate digest state  */
+    unsigned char buffer[16];   /*!< data block being processed */
+    size_t left;                /*!< amount of data in buffer   */
+}
+mbedtls_md2_context;
+
+#else  /* MBEDTLS_MD2_ALT */
+#include "md2_alt.h"
+#endif /* MBEDTLS_MD2_ALT */
+
+/**
+ * \brief          Initialize MD2 context
+ *
+ * \param ctx      MD2 context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_init( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          Clear MD2 context
+ *
+ * \param ctx      MD2 context to be cleared
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_free( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD2 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_clone( mbedtls_md2_context *dst,
+                        const mbedtls_md2_context *src );
+
+/**
+ * \brief          MD2 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \param ctx      MD2 context
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md2_process( mbedtls_md2_context *ctx );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD2 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md2_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_starts( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md2_update_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_update( mbedtls_md2_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md2_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_finish( mbedtls_md2_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md2_process() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_process( mbedtls_md2_context *ctx );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md2_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md2.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/md4.h b/ctrtool/deps/libmbedtls/include/mbedtls/md4.h
new file mode 100644
index 00000000..ce703c0b
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/md4.h
@@ -0,0 +1,311 @@
+/**
+ * \file md4.h
+ *
+ * \brief MD4 message digest algorithm (hash function)
+ *
+ * \warning MD4 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_MD4_H
+#define MBEDTLS_MD4_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D  /**< MD4 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD4_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD4 context structure
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md4_context
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[4];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_md4_context;
+
+#else  /* MBEDTLS_MD4_ALT */
+#include "md4_alt.h"
+#endif /* MBEDTLS_MD4_ALT */
+
+/**
+ * \brief          Initialize MD4 context
+ *
+ * \param ctx      MD4 context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_init( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          Clear MD4 context
+ *
+ * \param ctx      MD4 context to be cleared
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_free( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD4 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_clone( mbedtls_md4_context *dst,
+                        const mbedtls_md4_context *src );
+
+/**
+ * \brief          MD4 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ */
+int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_update_ret( mbedtls_md4_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
+                                  const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD4 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md4_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_starts( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md4_update_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_update( mbedtls_md4_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md4_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_finish( mbedtls_md4_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md4_process() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_process( mbedtls_md4_context *ctx,
+                                             const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md4_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md4.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/md5.h b/ctrtool/deps/libmbedtls/include/mbedtls/md5.h
new file mode 100644
index 00000000..6eed6cc8
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/md5.h
@@ -0,0 +1,311 @@
+/**
+ * \file md5.h
+ *
+ * \brief MD5 message digest algorithm (hash function)
+ *
+ * \warning   MD5 is considered a weak message digest and its use constitutes a
+ *            security risk. We recommend considering stronger message
+ *            digests instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_MD5_H
+#define MBEDTLS_MD5_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F  /**< MD5 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD5_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD5 context structure
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md5_context
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[4];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_md5_context;
+
+#else  /* MBEDTLS_MD5_ALT */
+#include "md5_alt.h"
+#endif /* MBEDTLS_MD5_ALT */
+
+/**
+ * \brief          Initialize MD5 context
+ *
+ * \param ctx      MD5 context to be initialized
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_init( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          Clear MD5 context
+ *
+ * \param ctx      MD5 context to be cleared
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_free( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD5 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_clone( mbedtls_md5_context *dst,
+                        const mbedtls_md5_context *src );
+
+/**
+ * \brief          MD5 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          MD5 process buffer
+ *
+ * \param ctx      MD5 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_update_ret( mbedtls_md5_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD5 final digest
+ *
+ * \param ctx      MD5 context
+ * \param output   MD5 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD5 process data block (internal use only)
+ *
+ * \param ctx      MD5 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
+                                  const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD5 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md5_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_starts( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          MD5 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md5_update_ret() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_update( mbedtls_md5_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD5 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md5_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param output   MD5 checksum result
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_finish( mbedtls_md5_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD5 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md5_process() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param data     buffer holding one block of data
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_process( mbedtls_md5_context *ctx,
+                                             const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD5( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD5 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD5( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md5_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD5 checksum result
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md5.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/md_internal.h b/ctrtool/deps/libmbedtls/include/mbedtls/md_internal.h
new file mode 100644
index 00000000..04de4829
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/md_internal.h
@@ -0,0 +1,115 @@
+/**
+ * \file md_internal.h
+ *
+ * \brief Message digest wrappers.
+ *
+ * \warning This in an internal header. Do not include directly.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_MD_WRAP_H
+#define MBEDTLS_MD_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Message digest information.
+ * Allows message digest functions to be called in a generic way.
+ */
+struct mbedtls_md_info_t
+{
+    /** Digest identifier */
+    mbedtls_md_type_t type;
+
+    /** Name of the message digest */
+    const char * name;
+
+    /** Output length of the digest function in bytes */
+    int size;
+
+    /** Block length of the digest function in bytes */
+    int block_size;
+
+    /** Digest initialisation function */
+    int (*starts_func)( void *ctx );
+
+    /** Digest update function */
+    int (*update_func)( void *ctx, const unsigned char *input, size_t ilen );
+
+    /** Digest finalisation function */
+    int (*finish_func)( void *ctx, unsigned char *output );
+
+    /** Generic digest function */
+    int (*digest_func)( const unsigned char *input, size_t ilen,
+                        unsigned char *output );
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+    /** Clone state from a context */
+    void (*clone_func)( void *dst, const void *src );
+
+    /** Internal use only */
+    int (*process_func)( void *ctx, const unsigned char *input );
+};
+
+#if defined(MBEDTLS_MD2_C)
+extern const mbedtls_md_info_t mbedtls_md2_info;
+#endif
+#if defined(MBEDTLS_MD4_C)
+extern const mbedtls_md_info_t mbedtls_md4_info;
+#endif
+#if defined(MBEDTLS_MD5_C)
+extern const mbedtls_md_info_t mbedtls_md5_info;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+extern const mbedtls_md_info_t mbedtls_ripemd160_info;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+extern const mbedtls_md_info_t mbedtls_sha1_info;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+extern const mbedtls_md_info_t mbedtls_sha224_info;
+extern const mbedtls_md_info_t mbedtls_sha256_info;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+extern const mbedtls_md_info_t mbedtls_sha384_info;
+extern const mbedtls_md_info_t mbedtls_sha512_info;
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_WRAP_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h b/ctrtool/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h
new file mode 100644
index 00000000..705f9a63
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h
@@ -0,0 +1,151 @@
+/**
+ * \file memory_buffer_alloc.h
+ *
+ * \brief Buffer-based memory allocator
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE       4 /**< Align on multiples of this value */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_MEMORY_VERIFY_NONE         0
+#define MBEDTLS_MEMORY_VERIFY_ALLOC        (1 << 0)
+#define MBEDTLS_MEMORY_VERIFY_FREE         (1 << 1)
+#define MBEDTLS_MEMORY_VERIFY_ALWAYS       (MBEDTLS_MEMORY_VERIFY_ALLOC | MBEDTLS_MEMORY_VERIFY_FREE)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Initialize use of stack-based memory allocator.
+ *          The stack-based allocator does memory management inside the
+ *          presented buffer and does not call calloc() and free().
+ *          It sets the global mbedtls_calloc() and mbedtls_free() pointers
+ *          to its own functions.
+ *          (Provided mbedtls_calloc() and mbedtls_free() are thread-safe if
+ *           MBEDTLS_THREADING_C is defined)
+ *
+ * \note    This code is not optimized and provides a straight-forward
+ *          implementation of a stack-based memory allocator.
+ *
+ * \param buf   buffer to use as heap
+ * \param len   size of the buffer
+ */
+void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len );
+
+/**
+ * \brief   Free the mutex for thread-safety and clear remaining memory
+ */
+void mbedtls_memory_buffer_alloc_free( void );
+
+/**
+ * \brief   Determine when the allocator should automatically verify the state
+ *          of the entire chain of headers / meta-data.
+ *          (Default: MBEDTLS_MEMORY_VERIFY_NONE)
+ *
+ * \param verify    One of MBEDTLS_MEMORY_VERIFY_NONE, MBEDTLS_MEMORY_VERIFY_ALLOC,
+ *                  MBEDTLS_MEMORY_VERIFY_FREE or MBEDTLS_MEMORY_VERIFY_ALWAYS
+ */
+void mbedtls_memory_buffer_set_verify( int verify );
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+/**
+ * \brief   Print out the status of the allocated memory (primarily for use
+ *          after a program should have de-allocated all memory)
+ *          Prints out a list of 'still allocated' blocks and their stack
+ *          trace if MBEDTLS_MEMORY_BACKTRACE is defined.
+ */
+void mbedtls_memory_buffer_alloc_status( void );
+
+/**
+ * \brief   Get the peak heap usage so far
+ *
+ * \param max_used      Peak number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param max_blocks    Peak number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_max_get( size_t *max_used, size_t *max_blocks );
+
+/**
+ * \brief   Reset peak statistics
+ */
+void mbedtls_memory_buffer_alloc_max_reset( void );
+
+/**
+ * \brief   Get the current heap usage
+ *
+ * \param cur_used      Current number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param cur_blocks    Current number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_cur_get( size_t *cur_used, size_t *cur_blocks );
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+/**
+ * \brief   Verifies that all headers in the memory buffer are correct
+ *          and contain sane values. Helps debug buffer-overflow errors.
+ *
+ *          Prints out first failure if MBEDTLS_MEMORY_DEBUG is defined.
+ *          Prints out full header information if MBEDTLS_MEMORY_DEBUG
+ *          is defined. (Includes stack trace information for each block if
+ *          MBEDTLS_MEMORY_BACKTRACE is defined as well).
+ *
+ * \return             0 if verified, 1 otherwise
+ */
+int mbedtls_memory_buffer_alloc_verify( void );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_memory_buffer_alloc_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* memory_buffer_alloc.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/net.h b/ctrtool/deps/libmbedtls/include/mbedtls/net.h
new file mode 100644
index 00000000..8cead58e
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/net.h
@@ -0,0 +1,37 @@
+/**
+ * \file net.h
+ *
+ * \brief Deprecated header file that includes net_sockets.h
+ *
+ * \deprecated Superseded by mbedtls/net_sockets.h
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#include "net_sockets.h"
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/net_sockets.h b/ctrtool/deps/libmbedtls/include/mbedtls/net_sockets.h
new file mode 100644
index 00000000..4c7ef00f
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/net_sockets.h
@@ -0,0 +1,271 @@
+/**
+ * \file net_sockets.h
+ *
+ * \brief   Network sockets abstraction layer to integrate Mbed TLS into a
+ *          BSD-style sockets API.
+ *
+ *          The network sockets module provides an example integration of the
+ *          Mbed TLS library into a BSD sockets implementation. The module is
+ *          intended to be an example of how Mbed TLS can be integrated into a
+ *          networking stack, as well as to be Mbed TLS's network integration
+ *          for its supported platforms.
+ *
+ *          The module is intended only to be used with the Mbed TLS library and
+ *          is not intended to be used by third party application software
+ *          directly.
+ *
+ *          The supported platforms are as follows:
+ *              * Microsoft Windows and Windows CE
+ *              * POSIX/Unix platforms including Linux, OS X
+ *
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_NET_SOCKETS_H
+#define MBEDTLS_NET_SOCKETS_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_NET_SOCKET_FAILED                     -0x0042  /**< Failed to open a socket. */
+#define MBEDTLS_ERR_NET_CONNECT_FAILED                    -0x0044  /**< The connection to the given server / port failed. */
+#define MBEDTLS_ERR_NET_BIND_FAILED                       -0x0046  /**< Binding of the socket failed. */
+#define MBEDTLS_ERR_NET_LISTEN_FAILED                     -0x0048  /**< Could not listen on the socket. */
+#define MBEDTLS_ERR_NET_ACCEPT_FAILED                     -0x004A  /**< Could not accept the incoming connection. */
+#define MBEDTLS_ERR_NET_RECV_FAILED                       -0x004C  /**< Reading information from the socket failed. */
+#define MBEDTLS_ERR_NET_SEND_FAILED                       -0x004E  /**< Sending information through the socket failed. */
+#define MBEDTLS_ERR_NET_CONN_RESET                        -0x0050  /**< Connection was reset by peer. */
+#define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052  /**< Failed to get an IP address for the given hostname. */
+#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043  /**< Buffer is too small to hold the data. */
+#define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045  /**< The context is invalid, eg because it was free()ed. */
+#define MBEDTLS_ERR_NET_POLL_FAILED                       -0x0047  /**< Polling the net context failed. */
+#define MBEDTLS_ERR_NET_BAD_INPUT_DATA                    -0x0049  /**< Input invalid. */
+
+#define MBEDTLS_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
+
+#define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
+#define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
+
+#define MBEDTLS_NET_POLL_READ  1 /**< Used in \c mbedtls_net_poll to check for pending data  */
+#define MBEDTLS_NET_POLL_WRITE 2 /**< Used in \c mbedtls_net_poll to check if write possible */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Wrapper type for sockets.
+ *
+ * Currently backed by just a file descriptor, but might be more in the future
+ * (eg two file descriptors for combined IPv4 + IPv6 support, or additional
+ * structures for hand-made UDP demultiplexing).
+ */
+typedef struct mbedtls_net_context
+{
+    int fd;             /**< The underlying file descriptor                 */
+}
+mbedtls_net_context;
+
+/**
+ * \brief          Initialize a context
+ *                 Just makes the context ready to be used or freed safely.
+ *
+ * \param ctx      Context to initialize
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Initiate a connection with host:port in the given protocol
+ *
+ * \param ctx      Socket to use
+ * \param host     Host to connect to
+ * \param port     Port to connect to
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
+ *                      MBEDTLS_ERR_NET_CONNECT_FAILED
+ *
+ * \note           Sets the socket in connected mode even with UDP.
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char *port, int proto );
+
+/**
+ * \brief          Create a receiving socket on bind_ip:port in the chosen
+ *                 protocol. If bind_ip == NULL, all interfaces are bound.
+ *
+ * \param ctx      Socket to use
+ * \param bind_ip  IP to bind to, can be NULL
+ * \param port     Port number to use
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_BIND_FAILED,
+ *                      MBEDTLS_ERR_NET_LISTEN_FAILED
+ *
+ * \note           Regardless of the protocol, opens the sockets and binds it.
+ *                 In addition, make the socket listening if protocol is TCP.
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto );
+
+/**
+ * \brief           Accept a connection from a remote client
+ *
+ * \param bind_ctx  Relevant socket
+ * \param client_ctx Will contain the connected client socket
+ * \param client_ip Will contain the client IP address, can be NULL
+ * \param buf_size  Size of the client_ip buffer
+ * \param ip_len    Will receive the size of the client IP written,
+ *                  can be NULL if client_ip is null
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_NET_ACCEPT_FAILED, or
+ *                  MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
+ *                  MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
+ *                  non-blocking and accept() would block.
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len );
+
+/**
+ * \brief          Check and wait for the context to be ready for read/write
+ *
+ * \param ctx      Socket to check
+ * \param rw       Bitflag composed of MBEDTLS_NET_POLL_READ and
+ *                 MBEDTLS_NET_POLL_WRITE specifying the events
+ *                 to wait for:
+ *                 - If MBEDTLS_NET_POLL_READ is set, the function
+ *                   will return as soon as the net context is available
+ *                   for reading.
+ *                 - If MBEDTLS_NET_POLL_WRITE is set, the function
+ *                   will return as soon as the net context is available
+ *                   for writing.
+ * \param timeout  Maximal amount of time to wait before returning,
+ *                 in milliseconds. If \c timeout is zero, the
+ *                 function returns immediately. If \c timeout is
+ *                 -1u, the function blocks potentially indefinitely.
+ *
+ * \return         Bitmask composed of MBEDTLS_NET_POLL_READ/WRITE
+ *                 on success or timeout, or a negative return code otherwise.
+ */
+int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout );
+
+/**
+ * \brief          Set the socket blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_block( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Set the socket non-blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_nonblock( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Portable usleep helper
+ *
+ * \param usec     Amount of microseconds to sleep
+ *
+ * \note           Real amount of time slept will not be less than
+ *                 select()'s timeout granularity (typically, 10ms).
+ */
+void mbedtls_net_usleep( unsigned long usec );
+
+/**
+ * \brief          Read at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_READ indicates read() would block.
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len );
+
+/**
+ * \brief          Write at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to read from
+ * \param len      The length of the buffer
+ *
+ * \return         the number of bytes sent,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would block.
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
+
+/**
+ * \brief          Read at most 'len' characters, blocking for at most
+ *                 'timeout' seconds. If no error occurs, the actual amount
+ *                 read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ * \param timeout  Maximum number of milliseconds to wait for data
+ *                 0 means no timeout (wait forever)
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code:
+ *                 MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ *                 MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note           This function will block (until data becomes available or
+ *                 timeout is reached) even if the socket is set to
+ *                 non-blocking. Handling timeouts with non-blocking reads
+ *                 requires a different strategy.
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+                      uint32_t timeout );
+
+/**
+ * \brief          Gracefully shutdown the connection and free associated data
+ *
+ * \param ctx      The context to free
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* net_sockets.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/nist_kw.h b/ctrtool/deps/libmbedtls/include/mbedtls/nist_kw.h
new file mode 100644
index 00000000..3b67b59c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/nist_kw.h
@@ -0,0 +1,184 @@
+/**
+ * \file nist_kw.h
+ *
+ * \brief This file provides an API for key wrapping (KW) and key wrapping with
+ *        padding (KWP) as defined in NIST SP 800-38F.
+ *        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *
+ *        Key wrapping specifies a deterministic authenticated-encryption mode
+ *        of operation, according to <em>NIST SP 800-38F: Recommendation for
+ *        Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
+ *        purpose is to protect cryptographic keys.
+ *
+ *        Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
+ *        https://tools.ietf.org/html/rfc3394
+ *        https://tools.ietf.org/html/rfc5649
+ *
+ */
+/*
+ *  Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_NIST_KW_H
+#define MBEDTLS_NIST_KW_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+    MBEDTLS_KW_MODE_KW = 0,
+    MBEDTLS_KW_MODE_KWP = 1
+} mbedtls_nist_kw_mode_t;
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief    The key wrapping context-type definition. The key wrapping context is passed
+ *           to the APIs called.
+ *
+ * \note     The definition of this type may change in future library versions.
+ *           Don't make any assumptions on this context!
+ */
+typedef struct {
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+} mbedtls_nist_kw_context;
+
+#else  /* MBEDTLS_NIST_key wrapping_ALT */
+#include "nist_kw_alt.h"
+#endif /* MBEDTLS_NIST_KW_ALT */
+
+/**
+ * \brief           This function initializes the specified key wrapping context
+ *                  to make references valid and prepare the context
+ *                  for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
+ *
+ * \param ctx       The key wrapping context to initialize.
+ *
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief           This function initializes the key wrapping context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The key wrapping context.
+ * \param cipher    The 128-bit block cipher to use. Only AES is supported.
+ * \param key       The Key Encryption Key (KEK).
+ * \param keybits   The KEK size in bits. This must be acceptable by the cipher.
+ * \param is_wrap   Specify whether the operation within the context is wrapping or unwrapping
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
+ * \return          \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
+ *                  which are not supported.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+                            mbedtls_cipher_id_t cipher,
+                            const unsigned char *key,
+                            unsigned int keybits,
+                            const int is_wrap );
+
+/**
+ * \brief   This function releases and clears the specified key wrapping context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The key wrapping context to clear.
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief           This function encrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for encryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
+ *                  <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
+ *                  <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
+ *                  8 bytes for KWP (15 bytes at most).</li></ul>
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                          const unsigned char *input, size_t in_len,
+                          unsigned char *output, size_t* out_len, size_t out_size );
+
+/**
+ * \brief           This function decrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for decryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  The input must be a multiple of semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
+ *                  <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  The output buffer's minimal length is 8 bytes shorter than \p in_len.
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ *                  For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
+ *                  depending on how much padding was added to the data.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                            const unsigned char *input, size_t in_len,
+                            unsigned char *output, size_t* out_len, size_t out_size);
+
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The key wrapping checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_nist_kw_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_NIST_KW_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/oid.h b/ctrtool/deps/libmbedtls/include/mbedtls/oid.h
new file mode 100644
index 00000000..6fbd018a
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/oid.h
@@ -0,0 +1,605 @@
+/**
+ * \file oid.h
+ *
+ * \brief Object Identifier (OID) database
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_OID_H
+#define MBEDTLS_OID_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "pk.h"
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "cipher.h"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#include "md.h"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "x509.h"
+#endif
+
+#define MBEDTLS_ERR_OID_NOT_FOUND                         -0x002E  /**< OID is not found. */
+#define MBEDTLS_ERR_OID_BUF_TOO_SMALL                     -0x000B  /**< output buffer is too small */
+
+/*
+ * Top level OID tuples
+ */
+#define MBEDTLS_OID_ISO_MEMBER_BODIES           "\x2a"          /* {iso(1) member-body(2)} */
+#define MBEDTLS_OID_ISO_IDENTIFIED_ORG          "\x2b"          /* {iso(1) identified-organization(3)} */
+#define MBEDTLS_OID_ISO_CCITT_DS                "\x55"          /* {joint-iso-ccitt(2) ds(5)} */
+#define MBEDTLS_OID_ISO_ITU_COUNTRY             "\x60"          /* {joint-iso-itu-t(2) country(16)} */
+
+/*
+ * ISO Member bodies OID parts
+ */
+#define MBEDTLS_OID_COUNTRY_US                  "\x86\x48"      /* {us(840)} */
+#define MBEDTLS_OID_ORG_RSA_DATA_SECURITY       "\x86\xf7\x0d"  /* {rsadsi(113549)} */
+#define MBEDTLS_OID_RSA_COMPANY                 MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+                                        MBEDTLS_OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
+#define MBEDTLS_OID_ORG_ANSI_X9_62              "\xce\x3d" /* ansi-X9-62(10045) */
+#define MBEDTLS_OID_ANSI_X9_62                  MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+                                        MBEDTLS_OID_ORG_ANSI_X9_62
+
+/*
+ * ISO Identified organization OID parts
+ */
+#define MBEDTLS_OID_ORG_DOD                     "\x06"          /* {dod(6)} */
+#define MBEDTLS_OID_ORG_OIW                     "\x0e"
+#define MBEDTLS_OID_OIW_SECSIG                  MBEDTLS_OID_ORG_OIW "\x03"
+#define MBEDTLS_OID_OIW_SECSIG_ALG              MBEDTLS_OID_OIW_SECSIG "\x02"
+#define MBEDTLS_OID_OIW_SECSIG_SHA1             MBEDTLS_OID_OIW_SECSIG_ALG "\x1a"
+#define MBEDTLS_OID_ORG_CERTICOM                "\x81\x04"  /* certicom(132) */
+#define MBEDTLS_OID_CERTICOM                    MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_CERTICOM
+#define MBEDTLS_OID_ORG_TELETRUST               "\x24" /* teletrust(36) */
+#define MBEDTLS_OID_TELETRUST                   MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_TELETRUST
+
+/*
+ * ISO ITU OID parts
+ */
+#define MBEDTLS_OID_ORGANIZATION                "\x01"          /* {organization(1)} */
+#define MBEDTLS_OID_ISO_ITU_US_ORG              MBEDTLS_OID_ISO_ITU_COUNTRY MBEDTLS_OID_COUNTRY_US MBEDTLS_OID_ORGANIZATION /* {joint-iso-itu-t(2) country(16) us(840) organization(1)} */
+
+#define MBEDTLS_OID_ORG_GOV                     "\x65"          /* {gov(101)} */
+#define MBEDTLS_OID_GOV                         MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_GOV /* {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)} */
+
+#define MBEDTLS_OID_ORG_NETSCAPE                "\x86\xF8\x42"  /* {netscape(113730)} */
+#define MBEDTLS_OID_NETSCAPE                    MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_NETSCAPE /* Netscape OID {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730)} */
+
+/* ISO arc for standard certificate and CRL extensions */
+#define MBEDTLS_OID_ID_CE                       MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29} */
+
+#define MBEDTLS_OID_NIST_ALG                    MBEDTLS_OID_GOV "\x03\x04" /** { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) */
+
+/**
+ * Private Internet Extensions
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ *                      security(5) mechanisms(5) pkix(7) }
+ */
+#define MBEDTLS_OID_PKIX                        MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD "\x01\x05\x05\x07"
+
+/*
+ * Arc for standard naming attributes
+ */
+#define MBEDTLS_OID_AT                          MBEDTLS_OID_ISO_CCITT_DS "\x04" /**< id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} */
+#define MBEDTLS_OID_AT_CN                       MBEDTLS_OID_AT "\x03" /**< id-at-commonName AttributeType:= {id-at 3} */
+#define MBEDTLS_OID_AT_SUR_NAME                 MBEDTLS_OID_AT "\x04" /**< id-at-surName AttributeType:= {id-at 4} */
+#define MBEDTLS_OID_AT_SERIAL_NUMBER            MBEDTLS_OID_AT "\x05" /**< id-at-serialNumber AttributeType:= {id-at 5} */
+#define MBEDTLS_OID_AT_COUNTRY                  MBEDTLS_OID_AT "\x06" /**< id-at-countryName AttributeType:= {id-at 6} */
+#define MBEDTLS_OID_AT_LOCALITY                 MBEDTLS_OID_AT "\x07" /**< id-at-locality AttributeType:= {id-at 7} */
+#define MBEDTLS_OID_AT_STATE                    MBEDTLS_OID_AT "\x08" /**< id-at-state AttributeType:= {id-at 8} */
+#define MBEDTLS_OID_AT_ORGANIZATION             MBEDTLS_OID_AT "\x0A" /**< id-at-organizationName AttributeType:= {id-at 10} */
+#define MBEDTLS_OID_AT_ORG_UNIT                 MBEDTLS_OID_AT "\x0B" /**< id-at-organizationalUnitName AttributeType:= {id-at 11} */
+#define MBEDTLS_OID_AT_TITLE                    MBEDTLS_OID_AT "\x0C" /**< id-at-title AttributeType:= {id-at 12} */
+#define MBEDTLS_OID_AT_POSTAL_ADDRESS           MBEDTLS_OID_AT "\x10" /**< id-at-postalAddress AttributeType:= {id-at 16} */
+#define MBEDTLS_OID_AT_POSTAL_CODE              MBEDTLS_OID_AT "\x11" /**< id-at-postalCode AttributeType:= {id-at 17} */
+#define MBEDTLS_OID_AT_GIVEN_NAME               MBEDTLS_OID_AT "\x2A" /**< id-at-givenName AttributeType:= {id-at 42} */
+#define MBEDTLS_OID_AT_INITIALS                 MBEDTLS_OID_AT "\x2B" /**< id-at-initials AttributeType:= {id-at 43} */
+#define MBEDTLS_OID_AT_GENERATION_QUALIFIER     MBEDTLS_OID_AT "\x2C" /**< id-at-generationQualifier AttributeType:= {id-at 44} */
+#define MBEDTLS_OID_AT_UNIQUE_IDENTIFIER        MBEDTLS_OID_AT "\x2D" /**< id-at-uniqueIdentifier AttributType:= {id-at 45} */
+#define MBEDTLS_OID_AT_DN_QUALIFIER             MBEDTLS_OID_AT "\x2E" /**< id-at-dnQualifier AttributeType:= {id-at 46} */
+#define MBEDTLS_OID_AT_PSEUDONYM                MBEDTLS_OID_AT "\x41" /**< id-at-pseudonym AttributeType:= {id-at 65} */
+
+#define MBEDTLS_OID_DOMAIN_COMPONENT            "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) domainComponent(25)} */
+
+/*
+ * OIDs for standard certificate extensions
+ */
+#define MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER    MBEDTLS_OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 } */
+#define MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER      MBEDTLS_OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 } */
+#define MBEDTLS_OID_KEY_USAGE                   MBEDTLS_OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 } */
+#define MBEDTLS_OID_CERTIFICATE_POLICIES        MBEDTLS_OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 } */
+#define MBEDTLS_OID_POLICY_MAPPINGS             MBEDTLS_OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 } */
+#define MBEDTLS_OID_SUBJECT_ALT_NAME            MBEDTLS_OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 } */
+#define MBEDTLS_OID_ISSUER_ALT_NAME             MBEDTLS_OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 } */
+#define MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS     MBEDTLS_OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 } */
+#define MBEDTLS_OID_BASIC_CONSTRAINTS           MBEDTLS_OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 } */
+#define MBEDTLS_OID_NAME_CONSTRAINTS            MBEDTLS_OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 } */
+#define MBEDTLS_OID_POLICY_CONSTRAINTS          MBEDTLS_OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 } */
+#define MBEDTLS_OID_EXTENDED_KEY_USAGE          MBEDTLS_OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
+#define MBEDTLS_OID_CRL_DISTRIBUTION_POINTS     MBEDTLS_OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 } */
+#define MBEDTLS_OID_INIHIBIT_ANYPOLICY          MBEDTLS_OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 } */
+#define MBEDTLS_OID_FRESHEST_CRL                MBEDTLS_OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 } */
+
+/*
+ * Netscape certificate extensions
+ */
+#define MBEDTLS_OID_NS_CERT                 MBEDTLS_OID_NETSCAPE "\x01"
+#define MBEDTLS_OID_NS_CERT_TYPE            MBEDTLS_OID_NS_CERT  "\x01"
+#define MBEDTLS_OID_NS_BASE_URL             MBEDTLS_OID_NS_CERT  "\x02"
+#define MBEDTLS_OID_NS_REVOCATION_URL       MBEDTLS_OID_NS_CERT  "\x03"
+#define MBEDTLS_OID_NS_CA_REVOCATION_URL    MBEDTLS_OID_NS_CERT  "\x04"
+#define MBEDTLS_OID_NS_RENEWAL_URL          MBEDTLS_OID_NS_CERT  "\x07"
+#define MBEDTLS_OID_NS_CA_POLICY_URL        MBEDTLS_OID_NS_CERT  "\x08"
+#define MBEDTLS_OID_NS_SSL_SERVER_NAME      MBEDTLS_OID_NS_CERT  "\x0C"
+#define MBEDTLS_OID_NS_COMMENT              MBEDTLS_OID_NS_CERT  "\x0D"
+#define MBEDTLS_OID_NS_DATA_TYPE            MBEDTLS_OID_NETSCAPE "\x02"
+#define MBEDTLS_OID_NS_CERT_SEQUENCE        MBEDTLS_OID_NS_DATA_TYPE "\x05"
+
+/*
+ * OIDs for CRL extensions
+ */
+#define MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD    MBEDTLS_OID_ID_CE "\x10"
+#define MBEDTLS_OID_CRL_NUMBER                  MBEDTLS_OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
+
+/*
+ * X.509 v3 Extended key usage OIDs
+ */
+#define MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE      MBEDTLS_OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
+
+#define MBEDTLS_OID_KP                          MBEDTLS_OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
+#define MBEDTLS_OID_SERVER_AUTH                 MBEDTLS_OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
+#define MBEDTLS_OID_CLIENT_AUTH                 MBEDTLS_OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
+#define MBEDTLS_OID_CODE_SIGNING                MBEDTLS_OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
+#define MBEDTLS_OID_EMAIL_PROTECTION            MBEDTLS_OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
+#define MBEDTLS_OID_TIME_STAMPING               MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
+#define MBEDTLS_OID_OCSP_SIGNING                MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
+
+/*
+ * PKCS definition OIDs
+ */
+
+#define MBEDTLS_OID_PKCS                MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
+#define MBEDTLS_OID_PKCS1               MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
+#define MBEDTLS_OID_PKCS5               MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
+#define MBEDTLS_OID_PKCS9               MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+#define MBEDTLS_OID_PKCS12              MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
+
+/*
+ * PKCS#1 OIDs
+ */
+#define MBEDTLS_OID_PKCS1_RSA           MBEDTLS_OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
+#define MBEDTLS_OID_PKCS1_MD2           MBEDTLS_OID_PKCS1 "\x02" /**< md2WithRSAEncryption ::= { pkcs-1 2 } */
+#define MBEDTLS_OID_PKCS1_MD4           MBEDTLS_OID_PKCS1 "\x03" /**< md4WithRSAEncryption ::= { pkcs-1 3 } */
+#define MBEDTLS_OID_PKCS1_MD5           MBEDTLS_OID_PKCS1 "\x04" /**< md5WithRSAEncryption ::= { pkcs-1 4 } */
+#define MBEDTLS_OID_PKCS1_SHA1          MBEDTLS_OID_PKCS1 "\x05" /**< sha1WithRSAEncryption ::= { pkcs-1 5 } */
+#define MBEDTLS_OID_PKCS1_SHA224        MBEDTLS_OID_PKCS1 "\x0e" /**< sha224WithRSAEncryption ::= { pkcs-1 14 } */
+#define MBEDTLS_OID_PKCS1_SHA256        MBEDTLS_OID_PKCS1 "\x0b" /**< sha256WithRSAEncryption ::= { pkcs-1 11 } */
+#define MBEDTLS_OID_PKCS1_SHA384        MBEDTLS_OID_PKCS1 "\x0c" /**< sha384WithRSAEncryption ::= { pkcs-1 12 } */
+#define MBEDTLS_OID_PKCS1_SHA512        MBEDTLS_OID_PKCS1 "\x0d" /**< sha512WithRSAEncryption ::= { pkcs-1 13 } */
+
+#define MBEDTLS_OID_RSA_SHA_OBS         "\x2B\x0E\x03\x02\x1D"
+
+#define MBEDTLS_OID_PKCS9_EMAIL         MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
+
+/* RFC 4055 */
+#define MBEDTLS_OID_RSASSA_PSS          MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */
+#define MBEDTLS_OID_MGF1                MBEDTLS_OID_PKCS1 "\x08" /**< id-mgf1 ::= { pkcs-1 8 } */
+
+/*
+ * Digest algorithms
+ */
+#define MBEDTLS_OID_DIGEST_ALG_MD2              MBEDTLS_OID_RSA_COMPANY "\x02\x02" /**< id-mbedtls_md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 } */
+#define MBEDTLS_OID_DIGEST_ALG_MD4              MBEDTLS_OID_RSA_COMPANY "\x02\x04" /**< id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_MD5              MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA1             MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA224           MBEDTLS_OID_NIST_ALG "\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA256           MBEDTLS_OID_NIST_ALG "\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA384           MBEDTLS_OID_NIST_ALG "\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+
+#define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
+
+#define MBEDTLS_OID_HMAC_SHA224                 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
+
+#define MBEDTLS_OID_HMAC_SHA256                 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */
+
+#define MBEDTLS_OID_HMAC_SHA384                 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */
+
+#define MBEDTLS_OID_HMAC_SHA512                 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
+
+/*
+ * Encryption algorithms
+ */
+#define MBEDTLS_OID_DES_CBC                     MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
+#define MBEDTLS_OID_DES_EDE3_CBC                MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
+#define MBEDTLS_OID_AES                         MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
+
+/*
+ * Key Wrapping algorithms
+ */
+/*
+ * RFC 5649
+ */
+#define MBEDTLS_OID_AES128_KW                   MBEDTLS_OID_AES "\x05" /** id-aes128-wrap     OBJECT IDENTIFIER ::= { aes 5 } */
+#define MBEDTLS_OID_AES128_KWP                  MBEDTLS_OID_AES "\x08" /** id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } */
+#define MBEDTLS_OID_AES192_KW                   MBEDTLS_OID_AES "\x19" /** id-aes192-wrap     OBJECT IDENTIFIER ::= { aes 25 } */
+#define MBEDTLS_OID_AES192_KWP                  MBEDTLS_OID_AES "\x1c" /** id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } */
+#define MBEDTLS_OID_AES256_KW                   MBEDTLS_OID_AES "\x2d" /** id-aes256-wrap     OBJECT IDENTIFIER ::= { aes 45 } */
+#define MBEDTLS_OID_AES256_KWP                  MBEDTLS_OID_AES "\x30" /** id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } */
+/*
+ * PKCS#5 OIDs
+ */
+#define MBEDTLS_OID_PKCS5_PBKDF2                MBEDTLS_OID_PKCS5 "\x0c" /**< id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12} */
+#define MBEDTLS_OID_PKCS5_PBES2                 MBEDTLS_OID_PKCS5 "\x0d" /**< id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} */
+#define MBEDTLS_OID_PKCS5_PBMAC1                MBEDTLS_OID_PKCS5 "\x0e" /**< id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14} */
+
+/*
+ * PKCS#5 PBES1 algorithms
+ */
+#define MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC       MBEDTLS_OID_PKCS5 "\x01" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */
+#define MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC       MBEDTLS_OID_PKCS5 "\x04" /**< pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC       MBEDTLS_OID_PKCS5 "\x03" /**< pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC       MBEDTLS_OID_PKCS5 "\x06" /**< pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC      MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC      MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
+
+/*
+ * PKCS#8 OIDs
+ */
+#define MBEDTLS_OID_PKCS9_CSR_EXT_REQ           MBEDTLS_OID_PKCS9 "\x0e" /**< extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14} */
+
+/*
+ * PKCS#12 PBE OIDs
+ */
+#define MBEDTLS_OID_PKCS12_PBE                      MBEDTLS_OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
+
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128         MBEDTLS_OID_PKCS12_PBE "\x01" /**< pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40          MBEDTLS_OID_PKCS12_PBE "\x02" /**< pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC     MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC      MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+
+/*
+ * EC key algorithms from RFC 5480
+ */
+
+/* id-ecPublicKey OBJECT IDENTIFIER ::= {
+ *       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } */
+#define MBEDTLS_OID_EC_ALG_UNRESTRICTED         MBEDTLS_OID_ANSI_X9_62 "\x02\01"
+
+/*   id-ecDH OBJECT IDENTIFIER ::= {
+ *     iso(1) identified-organization(3) certicom(132)
+ *     schemes(1) ecdh(12) } */
+#define MBEDTLS_OID_EC_ALG_ECDH                 MBEDTLS_OID_CERTICOM "\x01\x0c"
+
+/*
+ * ECParameters namedCurve identifiers, from RFC 5480, RFC 5639, and SEC2
+ */
+
+/* secp192r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 1 } */
+#define MBEDTLS_OID_EC_GRP_SECP192R1        MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x01"
+
+/* secp224r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 33 } */
+#define MBEDTLS_OID_EC_GRP_SECP224R1        MBEDTLS_OID_CERTICOM "\x00\x21"
+
+/* secp256r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } */
+#define MBEDTLS_OID_EC_GRP_SECP256R1        MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x07"
+
+/* secp384r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 34 } */
+#define MBEDTLS_OID_EC_GRP_SECP384R1        MBEDTLS_OID_CERTICOM "\x00\x22"
+
+/* secp521r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 35 } */
+#define MBEDTLS_OID_EC_GRP_SECP521R1        MBEDTLS_OID_CERTICOM "\x00\x23"
+
+/* secp192k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 31 } */
+#define MBEDTLS_OID_EC_GRP_SECP192K1        MBEDTLS_OID_CERTICOM "\x00\x1f"
+
+/* secp224k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 32 } */
+#define MBEDTLS_OID_EC_GRP_SECP224K1        MBEDTLS_OID_CERTICOM "\x00\x20"
+
+/* secp256k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 10 } */
+#define MBEDTLS_OID_EC_GRP_SECP256K1        MBEDTLS_OID_CERTICOM "\x00\x0a"
+
+/* RFC 5639 4.1
+ * ecStdCurvesAndGeneration OBJECT IDENTIFIER::= {iso(1)
+ * identified-organization(3) teletrust(36) algorithm(3) signature-
+ * algorithm(3) ecSign(2) 8}
+ * ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1}
+ * versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1} */
+#define MBEDTLS_OID_EC_BRAINPOOL_V1         MBEDTLS_OID_TELETRUST "\x03\x03\x02\x08\x01\x01"
+
+/* brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7} */
+#define MBEDTLS_OID_EC_GRP_BP256R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x07"
+
+/* brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11} */
+#define MBEDTLS_OID_EC_GRP_BP384R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0B"
+
+/* brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13} */
+#define MBEDTLS_OID_EC_GRP_BP512R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0D"
+
+/*
+ * SEC1 C.1
+ *
+ * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+ * id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1)}
+ */
+#define MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE   MBEDTLS_OID_ANSI_X9_62 "\x01"
+#define MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD  MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE "\x01"
+
+/*
+ * ECDSA signature identifiers, from RFC 5480
+ */
+#define MBEDTLS_OID_ANSI_X9_62_SIG          MBEDTLS_OID_ANSI_X9_62 "\x04" /* signatures(4) */
+#define MBEDTLS_OID_ANSI_X9_62_SIG_SHA2     MBEDTLS_OID_ANSI_X9_62_SIG "\x03" /* ecdsa-with-SHA2(3) */
+
+/* ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA1              MBEDTLS_OID_ANSI_X9_62_SIG "\x01"
+
+/* ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA224            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x01"
+
+/* ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 2 } */
+#define MBEDTLS_OID_ECDSA_SHA256            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x02"
+
+/* ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 3 } */
+#define MBEDTLS_OID_ECDSA_SHA384            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x03"
+
+/* ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 4 } */
+#define MBEDTLS_OID_ECDSA_SHA512            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x04"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Base OID descriptor structure
+ */
+typedef struct mbedtls_oid_descriptor_t
+{
+    const char *asn1;               /*!< OID ASN.1 representation       */
+    size_t asn1_len;                /*!< length of asn1                 */
+    const char *name;               /*!< official name (e.g. from RFC)  */
+    const char *description;        /*!< human friendly description     */
+} mbedtls_oid_descriptor_t;
+
+/**
+ * \brief           Translate an ASN.1 OID into its numeric representation
+ *                  (e.g. "\x2A\x86\x48\x86\xF7\x0D" into "1.2.840.113549")
+ *
+ * \param buf       buffer to put representation in
+ * \param size      size of the buffer
+ * \param oid       OID to translate
+ *
+ * \return          Length of the string written (excluding final NULL) or
+ *                  MBEDTLS_ERR_OID_BUF_TOO_SMALL in case of error
+ */
+int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_buf *oid );
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+/**
+ * \brief          Translate an X.509 extension OID into local values
+ *
+ * \param oid      OID to use
+ * \param ext_type place to store the extension type
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_x509_ext_type( const mbedtls_asn1_buf *oid, int *ext_type );
+#endif
+
+/**
+ * \brief          Translate an X.509 attribute type OID into the short name
+ *                 (e.g. the OID for an X520 Common Name into "CN")
+ *
+ * \param oid      OID to use
+ * \param short_name    place to store the string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_attr_short_name( const mbedtls_asn1_buf *oid, const char **short_name );
+
+/**
+ * \brief          Translate PublicKeyAlgorithm OID into pk_type
+ *
+ * \param oid      OID to use
+ * \param pk_alg   place to store public key algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pk_alg( const mbedtls_asn1_buf *oid, mbedtls_pk_type_t *pk_alg );
+
+/**
+ * \brief          Translate pk_type into PublicKeyAlgorithm OID
+ *
+ * \param pk_alg   Public key type to look for
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_type_t pk_alg,
+                           const char **oid, size_t *olen );
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief          Translate NamedCurve OID into an EC group identifier
+ *
+ * \param oid      OID to use
+ * \param grp_id   place to store group id
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_ec_grp( const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id );
+
+/**
+ * \brief          Translate EC group identifier into NamedCurve OID
+ *
+ * \param grp_id   EC group identifier
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_ec_grp( mbedtls_ecp_group_id grp_id,
+                           const char **oid, size_t *olen );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+/**
+ * \brief          Translate SignatureAlgorithm OID into md_type and pk_type
+ *
+ * \param oid      OID to use
+ * \param md_alg   place to store message digest algorithm
+ * \param pk_alg   place to store public key algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg( const mbedtls_asn1_buf *oid,
+                     mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg );
+
+/**
+ * \brief          Translate SignatureAlgorithm OID into description
+ *
+ * \param oid      OID to use
+ * \param desc     place to store string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg_desc( const mbedtls_asn1_buf *oid, const char **desc );
+
+/**
+ * \brief          Translate md_type and pk_type into SignatureAlgorithm OID
+ *
+ * \param md_alg   message digest algorithm
+ * \param pk_alg   public key algorithm
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                            const char **oid, size_t *olen );
+
+/**
+ * \brief          Translate hash algorithm OID into md_type
+ *
+ * \param oid      OID to use
+ * \param md_alg   place to store message digest algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg );
+
+/**
+ * \brief          Translate hmac algorithm OID into md_type
+ *
+ * \param oid      OID to use
+ * \param md_hmac  place to store message hmac algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac );
+#endif /* MBEDTLS_MD_C */
+
+/**
+ * \brief          Translate Extended Key Usage OID into description
+ *
+ * \param oid      OID to use
+ * \param desc     place to store string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_extended_key_usage( const mbedtls_asn1_buf *oid, const char **desc );
+
+/**
+ * \brief          Translate md_type into hash algorithm OID
+ *
+ * \param md_alg   message digest algorithm
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_md( mbedtls_md_type_t md_alg, const char **oid, size_t *olen );
+
+#if defined(MBEDTLS_CIPHER_C)
+/**
+ * \brief          Translate encryption algorithm OID into cipher_type
+ *
+ * \param oid           OID to use
+ * \param cipher_alg    place to store cipher algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_cipher_alg( const mbedtls_asn1_buf *oid, mbedtls_cipher_type_t *cipher_alg );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+/**
+ * \brief          Translate PKCS#12 PBE algorithm OID into md_type and
+ *                 cipher_type
+ *
+ * \param oid           OID to use
+ * \param md_alg        place to store message digest algorithm
+ * \param cipher_alg    place to store cipher algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pkcs12_pbe_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg,
+                            mbedtls_cipher_type_t *cipher_alg );
+#endif /* MBEDTLS_PKCS12_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* oid.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/padlock.h b/ctrtool/deps/libmbedtls/include/mbedtls/padlock.h
new file mode 100644
index 00000000..721a5d49
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/padlock.h
@@ -0,0 +1,126 @@
+/**
+ * \file padlock.h
+ *
+ * \brief VIA PadLock ACE for HW encryption/decryption supported by some
+ *        processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PADLOCK_H
+#define MBEDTLS_PADLOCK_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define MBEDTLS_HAVE_ASAN
+#endif
+#endif
+
+/* Some versions of ASan result in errors about not enough registers */
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \
+    !defined(MBEDTLS_HAVE_ASAN)
+
+#ifndef MBEDTLS_HAVE_X86
+#define MBEDTLS_HAVE_X86
+#endif
+
+#include <stdint.h>
+
+#define MBEDTLS_PADLOCK_RNG 0x000C
+#define MBEDTLS_PADLOCK_ACE 0x00C0
+#define MBEDTLS_PADLOCK_PHE 0x0C00
+#define MBEDTLS_PADLOCK_PMM 0x3000
+
+#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Internal PadLock detection routine
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param feature  The feature to detect
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_padlock_has_support( int feature );
+
+/**
+ * \brief          Internal PadLock AES-ECB block en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
+                               int mode,
+                               const unsigned char input[16],
+                               unsigned char output[16] );
+
+/**
+ * \brief          Internal PadLock AES-CBC buffer en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
+                               int mode,
+                               size_t length,
+                               unsigned char iv[16],
+                               const unsigned char *input,
+                               unsigned char *output );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HAVE_X86  */
+
+#endif /* padlock.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/pem.h b/ctrtool/deps/libmbedtls/include/mbedtls/pem.h
new file mode 100644
index 00000000..a29e9ce3
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/pem.h
@@ -0,0 +1,136 @@
+/**
+ * \file pem.h
+ *
+ * \brief Privacy Enhanced Mail (PEM) decoding
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PEM_H
+#define MBEDTLS_PEM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * \name PEM Error codes
+ * These error codes are returned in case of errors reading the
+ * PEM data.
+ * \{
+ */
+#define MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT          -0x1080  /**< No PEM header or footer found. */
+#define MBEDTLS_ERR_PEM_INVALID_DATA                      -0x1100  /**< PEM string is not as expected. */
+#define MBEDTLS_ERR_PEM_ALLOC_FAILED                      -0x1180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_PEM_INVALID_ENC_IV                    -0x1200  /**< RSA IV is not in hex-format. */
+#define MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG                   -0x1280  /**< Unsupported key encryption algorithm. */
+#define MBEDTLS_ERR_PEM_PASSWORD_REQUIRED                 -0x1300  /**< Private key password can't be empty. */
+#define MBEDTLS_ERR_PEM_PASSWORD_MISMATCH                 -0x1380  /**< Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE               -0x1400  /**< Unavailable feature, e.g. hashing/encryption combination. */
+#define MBEDTLS_ERR_PEM_BAD_INPUT_DATA                    -0x1480  /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/**
+ * \brief       PEM context structure
+ */
+typedef struct mbedtls_pem_context
+{
+    unsigned char *buf;     /*!< buffer for decoded data             */
+    size_t buflen;          /*!< length of the buffer                */
+    unsigned char *info;    /*!< buffer for extra header information */
+}
+mbedtls_pem_context;
+
+/**
+ * \brief       PEM context setup
+ *
+ * \param ctx   context to be initialized
+ */
+void mbedtls_pem_init( mbedtls_pem_context *ctx );
+
+/**
+ * \brief       Read a buffer for PEM information and store the resulting
+ *              data into the specified context buffers.
+ *
+ * \param ctx       context to use
+ * \param header    header string to seek and expect
+ * \param footer    footer string to seek and expect
+ * \param data      source data to look in (must be nul-terminated)
+ * \param pwd       password for decryption (can be NULL)
+ * \param pwdlen    length of password
+ * \param use_len   destination for total length used (set after header is
+ *                  correctly read, so unless you get
+ *                  MBEDTLS_ERR_PEM_BAD_INPUT_DATA or
+ *                  MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
+ *                  the length to skip)
+ *
+ * \note            Attempts to check password correctness by verifying if
+ *                  the decrypted text starts with an ASN.1 sequence of
+ *                  appropriate length
+ *
+ * \return          0 on success, or a specific PEM error code
+ */
+int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer,
+                     const unsigned char *data,
+                     const unsigned char *pwd,
+                     size_t pwdlen, size_t *use_len );
+
+/**
+ * \brief       PEM context memory freeing
+ *
+ * \param ctx   context to be freed
+ */
+void mbedtls_pem_free( mbedtls_pem_context *ctx );
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a buffer of PEM information from a DER encoded
+ *                  buffer.
+ *
+ * \param header    header string to write
+ * \param footer    footer string to write
+ * \param der_data  DER data to write
+ * \param der_len   length of the DER data
+ * \param buf       buffer to write to
+ * \param buf_len   length of output buffer
+ * \param olen      total length written / required (if buf_len is not enough)
+ *
+ * \return          0 on success, or a specific PEM or BASE64 error code. On
+ *                  MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL olen is the required
+ *                  size.
+ */
+int mbedtls_pem_write_buffer( const char *header, const char *footer,
+                      const unsigned char *der_data, size_t der_len,
+                      unsigned char *buf, size_t buf_len, size_t *olen );
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pem.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/pk.h b/ctrtool/deps/libmbedtls/include/mbedtls/pk.h
new file mode 100644
index 00000000..13642750
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/pk.h
@@ -0,0 +1,755 @@
+/**
+ * \file pk.h
+ *
+ * \brief Public Key abstraction layer
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_PK_H
+#define MBEDTLS_PK_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "rsa.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "ecdsa.h"
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define MBEDTLS_ERR_PK_ALLOC_FAILED        -0x3F80  /**< Memory allocation failed. */
+#define MBEDTLS_ERR_PK_TYPE_MISMATCH       -0x3F00  /**< Type mismatch, eg attempt to encrypt with an ECDSA key */
+#define MBEDTLS_ERR_PK_BAD_INPUT_DATA      -0x3E80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PK_FILE_IO_ERROR       -0x3E00  /**< Read/write of file failed. */
+#define MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80  /**< Unsupported key version */
+#define MBEDTLS_ERR_PK_KEY_INVALID_FORMAT  -0x3D00  /**< Invalid key tag or value. */
+#define MBEDTLS_ERR_PK_UNKNOWN_PK_ALG      -0x3C80  /**< Key algorithm is unsupported (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_PASSWORD_REQUIRED   -0x3C00  /**< Private key password can't be empty. */
+#define MBEDTLS_ERR_PK_PASSWORD_MISMATCH   -0x3B80  /**< Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PK_INVALID_PUBKEY      -0x3B00  /**< The pubkey tag or value is invalid (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_INVALID_ALG         -0x3A80  /**< The algorithm tag or value is invalid. */
+#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00  /**< Elliptic curve is unsupported (only NIST curves are supported). */
+#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980  /**< Unavailable feature, e.g. RSA disabled for RSA key. */
+#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900  /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_PK_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_PK_HW_ACCEL_FAILED     -0x3880  /**< PK hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Public key types
+ */
+typedef enum {
+    MBEDTLS_PK_NONE=0,
+    MBEDTLS_PK_RSA,
+    MBEDTLS_PK_ECKEY,
+    MBEDTLS_PK_ECKEY_DH,
+    MBEDTLS_PK_ECDSA,
+    MBEDTLS_PK_RSA_ALT,
+    MBEDTLS_PK_RSASSA_PSS,
+} mbedtls_pk_type_t;
+
+/**
+ * \brief           Options for RSASSA-PSS signature verification.
+ *                  See \c mbedtls_rsa_rsassa_pss_verify_ext()
+ */
+typedef struct mbedtls_pk_rsassa_pss_options
+{
+    mbedtls_md_type_t mgf1_hash_id;
+    int expected_salt_len;
+
+} mbedtls_pk_rsassa_pss_options;
+
+/**
+ * \brief           Types for interfacing with the debug module
+ */
+typedef enum
+{
+    MBEDTLS_PK_DEBUG_NONE = 0,
+    MBEDTLS_PK_DEBUG_MPI,
+    MBEDTLS_PK_DEBUG_ECP,
+} mbedtls_pk_debug_type;
+
+/**
+ * \brief           Item to send to the debug module
+ */
+typedef struct mbedtls_pk_debug_item
+{
+    mbedtls_pk_debug_type type;
+    const char *name;
+    void *value;
+} mbedtls_pk_debug_item;
+
+/** Maximum number of item send for debugging, plus 1 */
+#define MBEDTLS_PK_DEBUG_MAX_ITEMS 3
+
+/**
+ * \brief           Public key information and operations
+ */
+typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
+
+/**
+ * \brief           Public key container
+ */
+typedef struct mbedtls_pk_context
+{
+    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
+    void *                      pk_ctx;  /**< Underlying public key context  */
+} mbedtls_pk_context;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Context for resuming operations
+ */
+typedef struct
+{
+    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
+    void *                      rs_ctx;  /**< Underlying restart context     */
+} mbedtls_pk_restart_ctx;
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_pk_restart_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_RSA_C)
+/**
+ * Quick access to an RSA context inside a PK context.
+ *
+ * \warning You must make sure the PK context actually holds an RSA context
+ * before using this function!
+ */
+static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
+{
+    return( (mbedtls_rsa_context *) (pk).pk_ctx );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * Quick access to an EC context inside a PK context.
+ *
+ * \warning You must make sure the PK context actually holds an EC context
+ * before using this function!
+ */
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk )
+{
+    return( (mbedtls_ecp_keypair *) (pk).pk_ctx );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief           Types for RSA-alt abstraction
+ */
+typedef int (*mbedtls_pk_rsa_alt_decrypt_func)( void *ctx, int mode, size_t *olen,
+                    const unsigned char *input, unsigned char *output,
+                    size_t output_max_len );
+typedef int (*mbedtls_pk_rsa_alt_sign_func)( void *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                    int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                    const unsigned char *hash, unsigned char *sig );
+typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief           Return information associated with the given PK type
+ *
+ * \param pk_type   PK type to search for.
+ *
+ * \return          The PK info associated with the type or NULL if not found.
+ */
+const mbedtls_pk_info_t *mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
+
+/**
+ * \brief           Initialize a #mbedtls_pk_context (as NONE).
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_pk_init( mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Free the components of a #mbedtls_pk_context.
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_free( mbedtls_pk_context *ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           Initialize a PK context with the information given
+ *                  and allocates the type-specific PK subcontext.
+ *
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
+ * \param info      Information to use
+ *
+ * \return          0 on success,
+ *                  MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input,
+ *                  MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
+ *
+ * \note            For contexts holding an RSA-alt key, use
+ *                  \c mbedtls_pk_setup_rsa_alt() instead.
+ */
+int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief           Initialize an RSA-alt context
+ *
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
+ * \param key       RSA key pointer
+ * \param decrypt_func  Decryption function
+ * \param sign_func     Signing function
+ * \param key_len_func  Function returning key length in bytes
+ *
+ * \return          0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the
+ *                  context wasn't already initialized as RSA_ALT.
+ *
+ * \note            This function replaces \c mbedtls_pk_setup() for RSA-alt.
+ */
+int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
+                         mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+                         mbedtls_pk_rsa_alt_sign_func sign_func,
+                         mbedtls_pk_rsa_alt_key_len_func key_len_func );
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief           Get the size in bits of the underlying key
+ *
+ * \param ctx       The context to query. It must have been initialized.
+ *
+ * \return          Key size in bits, or 0 on error
+ */
+size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Get the length in bytes of the underlying key
+ *
+ * \param ctx       The context to query. It must have been initialized.
+ *
+ * \return          Key length in bytes, or 0 on error
+ */
+static inline size_t mbedtls_pk_get_len( const mbedtls_pk_context *ctx )
+{
+    return( ( mbedtls_pk_get_bitlen( ctx ) + 7 ) / 8 );
+}
+
+/**
+ * \brief           Tell if a context can do the operation given by type
+ *
+ * \param ctx       The context to query. It must have been initialized.
+ * \param type      The desired type.
+ *
+ * \return          1 if the context can do operations on the given type.
+ * \return          0 if the context cannot do the operations on the given
+ *                  type. This is always the case for a context that has
+ *                  been initialized but not set up, or that has been
+ *                  cleared with mbedtls_pk_free().
+ */
+int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
+
+/**
+ * \brief           Verify signature (including padding if relevant).
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ *
+ * \return          0 on success (signature is valid),
+ *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in sig but its length is less than \p siglen,
+ *                  or a specific error code.
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *                  Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
+ *                  to verify RSASSA_PSS signatures.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
+ */
+int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len );
+
+/**
+ * \brief           Restartable version of \c mbedtls_pk_verify()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_verify(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_verify().
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_verify(), or
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
+               mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len,
+               mbedtls_pk_restart_ctx *rs_ctx );
+
+/**
+ * \brief           Verify signature, with options.
+ *                  (Includes verification of the padding depending on type.)
+ *
+ * \param type      Signature type (inc. possible padding type) to verify
+ * \param options   Pointer to type-specific options, or NULL
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ *
+ * \return          0 on success (signature is valid),
+ *                  #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
+ *                  used for this type of signatures,
+ *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in sig but its length is less than \p siglen,
+ *                  or a specific error code.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
+ *
+ * \note            If type is MBEDTLS_PK_RSASSA_PSS, then options must point
+ *                  to a mbedtls_pk_rsassa_pss_options structure,
+ *                  otherwise it must be NULL.
+ */
+int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
+                   mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len );
+
+/**
+ * \brief           Make signature, including padding if relevant.
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Place to write the signature
+ * \param sig_len   Number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 on success, or a specific error code.
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *                  There is no interface in the PK module to make RSASSA-PSS
+ *                  signatures yet.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
+ *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
+ *
+ * \note            In order to ensure enough space for the signature, the
+ *                  \p sig buffer size must be of at least
+ *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
+ */
+int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Restartable version of \c mbedtls_pk_sign()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_sign(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_sign().
+ *
+ * \note            In order to ensure enough space for the signature, the
+ *                  \p sig buffer size must be of at least
+ *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Place to write the signature
+ * \param sig_len   Number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_sign(), or
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
+             mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_pk_restart_ctx *rs_ctx );
+
+/**
+ * \brief           Decrypt message (including padding if relevant).
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param input     Input to decrypt
+ * \param ilen      Input size
+ * \param output    Decrypted output
+ * \param olen      Decrypted message length
+ * \param osize     Size of the output buffer
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *
+ * \return          0 on success, or a specific error code.
+ */
+int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Encrypt message (including padding if relevant).
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param input     Message to encrypt
+ * \param ilen      Message size
+ * \param output    Encrypted output
+ * \param olen      Encrypted output length
+ * \param osize     Size of the output buffer
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *
+ * \return          0 on success, or a specific error code.
+ */
+int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Check if a public-private pair of keys matches.
+ *
+ * \param pub       Context holding a public key.
+ * \param prv       Context holding a private (and public) key.
+ *
+ * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ */
+int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv );
+
+/**
+ * \brief           Export debug information
+ *
+ * \param ctx       The PK context to use. It must have been initialized.
+ * \param items     Place to write debug items
+ *
+ * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ */
+int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items );
+
+/**
+ * \brief           Access the type name
+ *
+ * \param ctx       The PK context to use. It must have been initialized.
+ *
+ * \return          Type name on success, or "invalid PK"
+ */
+const char * mbedtls_pk_get_name( const mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Get the key type
+ *
+ * \param ctx       The PK context to use. It must have been initialized.
+ *
+ * \return          Type on success.
+ * \return          #MBEDTLS_PK_NONE for a context that has not been set up.
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/** \ingroup pk_module */
+/**
+ * \brief           Parse a private key in PEM or DER format
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
+ * \param pwd       Optional password for decryption.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a string of \p pwdlen bytes if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
+ * \param pwdlen    Size of the password in bytes.
+ *                  Ignored if \p pwd is \c NULL.
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_key( mbedtls_pk_context *ctx,
+                  const unsigned char *key, size_t keylen,
+                  const unsigned char *pwd, size_t pwdlen );
+
+/** \ingroup pk_module */
+/**
+ * \brief           Parse a public key in PEM or DER format
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
+                         const unsigned char *key, size_t keylen );
+
+#if defined(MBEDTLS_FS_IO)
+/** \ingroup pk_module */
+/**
+ * \brief           Load and parse a private key
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param path      filename to read the private key from
+ * \param password  Optional password to decrypt the file.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a null-terminated string if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
+                      const char *path, const char *password );
+
+/** \ingroup pk_module */
+/**
+ * \brief           Load and parse a public key
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param path      filename to read the public key from
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If
+ *                  you need a specific key type, check the result with
+ *                  mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief           Write a private key to a PKCS#1 or SEC1 DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       PK context which must contain a valid private key.
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ */
+int mbedtls_pk_write_key_der( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+/**
+ * \brief           Write a public key to a SubjectPublicKeyInfo DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       PK context which must contain a valid public or private key.
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ */
+int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a public key to a PEM string
+ *
+ * \param ctx       PK context which must contain a valid public or private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
+ *
+ * \return          0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+/**
+ * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
+ *
+ * \param ctx       PK context which must contain a valid private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
+ *
+ * \return          0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_key_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PK_WRITE_C */
+
+/*
+ * WARNING: Low-level functions. You probably do not want to use these unless
+ *          you are certain you do ;)
+ */
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/**
+ * \brief           Parse a SubjectPublicKeyInfo DER structure
+ *
+ * \param p         the position in the ASN.1 data
+ * \param end       end of the buffer
+ * \param pk        The PK context to fill. It must have been initialized
+ *                  but not set up.
+ *
+ * \return          0 if successful, or a specific PK error code
+ */
+int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
+                        mbedtls_pk_context *pk );
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief           Write a subjectPublicKey to ASN.1 data
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param key       PK context which must contain a valid public or private key.
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
+                     const mbedtls_pk_context *key );
+#endif /* MBEDTLS_PK_WRITE_C */
+
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PK_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/pk_internal.h b/ctrtool/deps/libmbedtls/include/mbedtls/pk_internal.h
new file mode 100644
index 00000000..48b7a5f7
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/pk_internal.h
@@ -0,0 +1,138 @@
+/**
+ * \file pk_internal.h
+ *
+ * \brief Public Key abstraction layer: wrapper functions
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_PK_WRAP_H
+#define MBEDTLS_PK_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "pk.h"
+
+struct mbedtls_pk_info_t
+{
+    /** Public key type */
+    mbedtls_pk_type_t type;
+
+    /** Type name */
+    const char *name;
+
+    /** Get key size in bits */
+    size_t (*get_bitlen)( const void * );
+
+    /** Tell if the context implements this type (e.g. ECKEY can do ECDSA) */
+    int (*can_do)( mbedtls_pk_type_t type );
+
+    /** Verify signature */
+    int (*verify_func)( void *ctx, mbedtls_md_type_t md_alg,
+                        const unsigned char *hash, size_t hash_len,
+                        const unsigned char *sig, size_t sig_len );
+
+    /** Make signature */
+    int (*sign_func)( void *ctx, mbedtls_md_type_t md_alg,
+                      const unsigned char *hash, size_t hash_len,
+                      unsigned char *sig, size_t *sig_len,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Verify signature (restartable) */
+    int (*verify_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hash_len,
+                           const unsigned char *sig, size_t sig_len,
+                           void *rs_ctx );
+
+    /** Make signature (restartable) */
+    int (*sign_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+                         const unsigned char *hash, size_t hash_len,
+                         unsigned char *sig, size_t *sig_len,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng, void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    /** Decrypt message */
+    int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen, size_t osize,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+    /** Encrypt message */
+    int (*encrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen, size_t osize,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+    /** Check public-private key pair */
+    int (*check_pair_func)( const void *pub, const void *prv );
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Allocate the restart context */
+    void * (*rs_alloc_func)( void );
+
+    /** Free the restart context */
+    void (*rs_free_func)( void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    /** Interface with the debug module */
+    void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items );
+
+};
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/* Container for RSA-alt */
+typedef struct
+{
+    void *key;
+    mbedtls_pk_rsa_alt_decrypt_func decrypt_func;
+    mbedtls_pk_rsa_alt_sign_func sign_func;
+    mbedtls_pk_rsa_alt_key_len_func key_len_func;
+} mbedtls_rsa_alt_context;
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+extern const mbedtls_pk_info_t mbedtls_rsa_info;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+extern const mbedtls_pk_info_t mbedtls_eckey_info;
+extern const mbedtls_pk_info_t mbedtls_eckeydh_info;
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
+#endif
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
+#endif
+
+#endif /* MBEDTLS_PK_WRAP_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/pkcs11.h b/ctrtool/deps/libmbedtls/include/mbedtls/pkcs11.h
new file mode 100644
index 00000000..02427ddc
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/pkcs11.h
@@ -0,0 +1,175 @@
+/**
+ * \file pkcs11.h
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PKCS11_H
+#define MBEDTLS_PKCS11_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "x509_crt.h"
+
+#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Context for PKCS #11 private keys.
+ */
+typedef struct mbedtls_pkcs11_context
+{
+        pkcs11h_certificate_t pkcs11h_cert;
+        int len;
+} mbedtls_pkcs11_context;
+
+/**
+ * Initialize a mbedtls_pkcs11_context.
+ * (Just making memory references valid.)
+ */
+void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
+
+/**
+ * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
+ *
+ * \param cert          X.509 certificate to fill
+ * \param pkcs11h_cert  PKCS #11 helper certificate
+ *
+ * \return              0 on success.
+ */
+int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
+
+/**
+ * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
+ * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
+ * done.
+ *
+ * \param priv_key      Private key structure to fill.
+ * \param pkcs11_cert   PKCS #11 helper certificate
+ *
+ * \return              0 on success
+ */
+int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
+        pkcs11h_certificate_t pkcs11_cert );
+
+/**
+ * Free the contents of the given private key context. Note that the structure
+ * itself is not freed.
+ *
+ * \param priv_key      Private key structure to cleanup
+ */
+void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
+
+/**
+ * \brief          Do an RSA private key decrypt, then remove the message
+ *                 padding
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param input    buffer holding the encrypted data
+ * \param output   buffer that will hold the plaintext
+ * \param olen     will contain the plaintext length
+ * \param output_max_len    maximum length of the output buffer
+ *
+ * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The output buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
+ *                 an error is thrown.
+ */
+int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len );
+
+/**
+ * \brief          Do a private RSA to sign a message digest
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
+ * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
+ * \param hash     buffer holding the message digest
+ * \param sig      buffer that will hold the ciphertext
+ *
+ * \return         0 if the signing operation was successful,
+ *                 or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The "sig" buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ */
+int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig );
+
+/**
+ * SSL/TLS wrappers for PKCS#11 functions
+ */
+static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
+                        const unsigned char *input, unsigned char *output,
+                        size_t output_max_len )
+{
+    return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
+                           output_max_len );
+}
+
+static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
+                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                     const unsigned char *hash, unsigned char *sig )
+{
+    ((void) f_rng);
+    ((void) p_rng);
+    return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
+                        hashlen, hash, sig );
+}
+
+static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
+{
+    return ( (mbedtls_pkcs11_context *) ctx )->len;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PKCS11_C */
+
+#endif /* MBEDTLS_PKCS11_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/pkcs12.h b/ctrtool/deps/libmbedtls/include/mbedtls/pkcs12.h
new file mode 100644
index 00000000..d441357b
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/pkcs12.h
@@ -0,0 +1,130 @@
+/**
+ * \file pkcs12.h
+ *
+ * \brief PKCS#12 Personal Information Exchange Syntax
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PKCS12_H
+#define MBEDTLS_PKCS12_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+#include "cipher.h"
+#include "asn1.h"
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA                 -0x1F80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE            -0x1F00  /**< Feature not available, e.g. unsupported encryption scheme. */
+#define MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT             -0x1E80  /**< PBE ASN.1 data not as expected. */
+#define MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH              -0x1E00  /**< Given private key password does not allow for correct decryption. */
+
+#define MBEDTLS_PKCS12_DERIVE_KEY       1   /**< encryption/decryption key */
+#define MBEDTLS_PKCS12_DERIVE_IV        2   /**< initialization vector     */
+#define MBEDTLS_PKCS12_DERIVE_MAC_KEY   3   /**< integrity / MAC key       */
+
+#define MBEDTLS_PKCS12_PBE_DECRYPT      0
+#define MBEDTLS_PKCS12_PBE_ENCRYPT      1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+/**
+ * \brief            PKCS12 Password Based function (encryption / decryption)
+ *                   for pbeWithSHAAnd128BitRC4
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
+ * \param mode       either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param pwd        the password used (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param input      the input data
+ * \param len        data length
+ * \param output     the output buffer
+ *
+ * \return           0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
+                             const unsigned char *pwd,  size_t pwdlen,
+                             const unsigned char *input, size_t len,
+                             unsigned char *output );
+
+/**
+ * \brief            PKCS12 Password Based function (encryption / decryption)
+ *                   for cipher-based and mbedtls_md-based PBE's
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
+ * \param mode       either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param cipher_type the cipher used
+ * \param md_type     the mbedtls_md used
+ * \param pwd        the password used (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param input      the input data
+ * \param len        data length
+ * \param output     the output buffer
+ *
+ * \return           0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
+                mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+                const unsigned char *pwd,  size_t pwdlen,
+                const unsigned char *input, size_t len,
+                unsigned char *output );
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+/**
+ * \brief            The PKCS#12 derivation function uses a password and a salt
+ *                   to produce pseudo-random bits for a particular "purpose".
+ *
+ *                   Depending on the given id, this function can produce an
+ *                   encryption/decryption key, an nitialization vector or an
+ *                   integrity key.
+ *
+ * \param data       buffer to store the derived data in
+ * \param datalen    length to fill
+ * \param pwd        password to use (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param salt       salt buffer to use
+ * \param saltlen    length of the salt
+ * \param mbedtls_md         mbedtls_md type to use during the derivation
+ * \param id         id that describes the purpose (can be MBEDTLS_PKCS12_DERIVE_KEY,
+ *                   MBEDTLS_PKCS12_DERIVE_IV or MBEDTLS_PKCS12_DERIVE_MAC_KEY)
+ * \param iterations number of iterations
+ *
+ * \return          0 if successful, or a MD, BIGNUM type error.
+ */
+int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
+                       const unsigned char *pwd, size_t pwdlen,
+                       const unsigned char *salt, size_t saltlen,
+                       mbedtls_md_type_t mbedtls_md, int id, int iterations );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs12.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/pkcs5.h b/ctrtool/deps/libmbedtls/include/mbedtls/pkcs5.h
new file mode 100644
index 00000000..c92185f7
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/pkcs5.h
@@ -0,0 +1,109 @@
+/**
+ * \file pkcs5.h
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PKCS5_H
+#define MBEDTLS_PKCS5_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "md.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA                  -0x2f80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS5_INVALID_FORMAT                  -0x2f00  /**< Unexpected ASN.1 data. */
+#define MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE             -0x2e80  /**< Requested encryption or digest alg not available. */
+#define MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH               -0x2e00  /**< Given private key password does not allow for correct decryption. */
+
+#define MBEDTLS_PKCS5_DECRYPT      0
+#define MBEDTLS_PKCS5_ENCRYPT      1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+/**
+ * \brief          PKCS#5 PBES2 function
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode       either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
+ * \param pwd        password to use when generating key
+ * \param pwdlen     length of password
+ * \param data       data to process
+ * \param datalen    length of data
+ * \param output     output buffer
+ *
+ * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
+                 const unsigned char *pwd,  size_t pwdlen,
+                 const unsigned char *data, size_t datalen,
+                 unsigned char *output );
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+/**
+ * \brief          PKCS#5 PBKDF2 using HMAC
+ *
+ * \param ctx      Generic HMAC context
+ * \param password Password to use when generating key
+ * \param plen     Length of password
+ * \param salt     Salt to use when generating key
+ * \param slen     Length of salt
+ * \param iteration_count       Iteration count
+ * \param key_length            Length of generated key in bytes
+ * \param output   Generated key. Must be at least as big as key_length
+ *
+ * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password,
+                       size_t plen, const unsigned char *salt, size_t slen,
+                       unsigned int iteration_count,
+                       uint32_t key_length, unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_pkcs5_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs5.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/platform.h b/ctrtool/deps/libmbedtls/include/mbedtls/platform.h
new file mode 100644
index 00000000..89fe8a7b
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/platform.h
@@ -0,0 +1,367 @@
+/**
+ * \file platform.h
+ *
+ * \brief This file contains the definitions and functions of the
+ *        Mbed TLS platform abstraction layer.
+ *
+ *        The platform abstraction layer removes the need for the library
+ *        to directly link to standard C library functions or operating
+ *        system services, making the library easier to port and embed.
+ *        Application developers and users of the library can provide their own
+ *        implementations of these functions, or implementations specific to
+ *        their platform, which can be statically linked to the library or
+ *        dynamically configured at runtime.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PLATFORM_H
+#define MBEDTLS_PLATFORM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "platform_time.h"
+#endif
+
+#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070 /**< Hardware accelerator failed */
+#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072 /**< The requested feature is not supported by the platform */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+#if defined(_WIN32)
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use.  */
+#else
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   snprintf /**< The default \c snprintf function to use.  */
+#endif
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+#define MBEDTLS_PLATFORM_STD_PRINTF   printf /**< The default \c printf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< The default \c fprintf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#define MBEDTLS_PLATFORM_STD_CALLOC   calloc /**< The default \c calloc function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+#define MBEDTLS_PLATFORM_STD_FREE       free /**< The default \c free function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+#define MBEDTLS_PLATFORM_STD_EXIT      exit /**< The default \c exit function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+#define MBEDTLS_PLATFORM_STD_TIME       time    /**< The default \c time function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS /**< The default exit value to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE /**< The default exit value to use. */
+#endif
+#if defined(MBEDTLS_FS_IO)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   mbedtls_platform_std_nv_seed_read
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE  mbedtls_platform_std_nv_seed_write
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_FILE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE   "seedfile"
+#endif
+#endif /* MBEDTLS_FS_IO */
+#else /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
+#include MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+
+/* \} name SECTION: Module settings */
+
+/*
+ * The function pointers for calloc and free.
+ */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
+    defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#define mbedtls_free       MBEDTLS_PLATFORM_FREE_MACRO
+#define mbedtls_calloc     MBEDTLS_PLATFORM_CALLOC_MACRO
+#else
+/* For size_t */
+#include <stddef.h>
+extern void *mbedtls_calloc( size_t n, size_t size );
+extern void mbedtls_free( void *ptr );
+
+/**
+ * \brief               This function dynamically sets the memory-management
+ *                      functions used by the library, during runtime.
+ *
+ * \param calloc_func   The \c calloc function implementation.
+ * \param free_func     The \c free function implementation.
+ *
+ * \return              \c 0.
+ */
+int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
+                              void (*free_func)( void * ) );
+#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
+#else /* !MBEDTLS_PLATFORM_MEMORY */
+#define mbedtls_free       free
+#define mbedtls_calloc     calloc
+#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
+
+/*
+ * The function pointers for fprintf
+ */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+/* We need FILE * */
+#include <stdio.h>
+extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... );
+
+/**
+ * \brief                This function dynamically configures the fprintf
+ *                       function that is called when the
+ *                       mbedtls_fprintf() function is invoked by the library.
+ *
+ * \param fprintf_func   The \c fprintf function implementation.
+ *
+ * \return               \c 0.
+ */
+int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char *,
+                                               ... ) );
+#else
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
+#define mbedtls_fprintf    MBEDTLS_PLATFORM_FPRINTF_MACRO
+#else
+#define mbedtls_fprintf    fprintf
+#endif /* MBEDTLS_PLATFORM_FPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+/*
+ * The function pointers for printf
+ */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+extern int (*mbedtls_printf)( const char *format, ... );
+
+/**
+ * \brief               This function dynamically configures the snprintf
+ *                      function that is called when the mbedtls_snprintf()
+ *                      function is invoked by the library.
+ *
+ * \param printf_func   The \c printf function implementation.
+ *
+ * \return              \c 0 on success.
+ */
+int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) );
+#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
+#define mbedtls_printf     MBEDTLS_PLATFORM_PRINTF_MACRO
+#else
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_PLATFORM_PRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+/*
+ * The function pointers for snprintf
+ *
+ * The snprintf implementation should conform to C99:
+ * - it *must* always correctly zero-terminate the buffer
+ *   (except when n == 0, then it must leave the buffer untouched)
+ * - however it is acceptable to return -1 instead of the required length when
+ *   the destination buffer is too short.
+ */
+#if defined(_WIN32)
+/* For Windows (inc. MSYS2), we provide our own fixed implementation */
+int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... );
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+extern int (*mbedtls_snprintf)( char * s, size_t n, const char * format, ... );
+
+/**
+ * \brief                 This function allows configuring a custom
+ *                        \c snprintf function pointer.
+ *
+ * \param snprintf_func   The \c snprintf function implementation.
+ *
+ * \return                \c 0 on success.
+ */
+int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
+                                                 const char * format, ... ) );
+#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define mbedtls_snprintf   MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#else
+#define mbedtls_snprintf   MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+/*
+ * The function pointers for exit
+ */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+extern void (*mbedtls_exit)( int status );
+
+/**
+ * \brief             This function dynamically configures the exit
+ *                    function that is called when the mbedtls_exit()
+ *                    function is invoked by the library.
+ *
+ * \param exit_func   The \c exit function implementation.
+ *
+ * \return            \c 0 on success.
+ */
+int mbedtls_platform_set_exit( void (*exit_func)( int status ) );
+#else
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
+#define mbedtls_exit   MBEDTLS_PLATFORM_EXIT_MACRO
+#else
+#define mbedtls_exit   exit
+#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+/*
+ * The default exit values
+ */
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_EXIT_SUCCESS MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
+#else
+#define MBEDTLS_EXIT_SUCCESS 0
+#endif
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_EXIT_FAILURE MBEDTLS_PLATFORM_STD_EXIT_FAILURE
+#else
+#define MBEDTLS_EXIT_FAILURE 1
+#endif
+
+/*
+ * The function pointers for reading from and writing a seed file to
+ * Non-Volatile storage (NV) in a platform-independent way
+ *
+ * Only enabled when the NV seed entropy source is enabled
+ */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Internal standard platform definitions */
+int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len );
+int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len );
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+extern int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len );
+extern int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len );
+
+/**
+ * \brief   This function allows configuring custom seed file writing and
+ *          reading functions.
+ *
+ * \param   nv_seed_read_func   The seed reading function implementation.
+ * \param   nv_seed_write_func  The seed writing function implementation.
+ *
+ * \return  \c 0 on success.
+ */
+int mbedtls_platform_set_nv_seed(
+            int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ),
+            int (*nv_seed_write_func)( unsigned char *buf, size_t buf_len )
+            );
+#else
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) && \
+    defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
+#define mbedtls_nv_seed_read    MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
+#define mbedtls_nv_seed_write   MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO
+#else
+#define mbedtls_nv_seed_read    mbedtls_platform_std_nv_seed_read
+#define mbedtls_nv_seed_write   mbedtls_platform_std_nv_seed_write
+#endif
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+
+/**
+ * \brief   The platform context structure.
+ *
+ * \note    This structure may be used to assist platform-specific
+ *          setup or teardown operations.
+ */
+typedef struct mbedtls_platform_context
+{
+    char dummy; /**< A placeholder member, as empty structs are not portable. */
+}
+mbedtls_platform_context;
+
+#else
+#include "platform_alt.h"
+#endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+/**
+ * \brief   This function performs any platform-specific initialization
+ *          operations.
+ *
+ * \note    This function should be called before any other library functions.
+ *
+ *          Its implementation is platform-specific, and unless
+ *          platform-specific code is provided, it does nothing.
+ *
+ * \note    The usage and necessity of this function is dependent on the platform.
+ *
+ * \param   ctx     The platform context.
+ *
+ * \return  \c 0 on success.
+ */
+int mbedtls_platform_setup( mbedtls_platform_context *ctx );
+/**
+ * \brief   This function performs any platform teardown operations.
+ *
+ * \note    This function should be called after every other Mbed TLS module
+ *          has been correctly freed using the appropriate free function.
+ *
+ *          Its implementation is platform-specific, and unless
+ *          platform-specific code is provided, it does nothing.
+ *
+ * \note    The usage and necessity of this function is dependent on the platform.
+ *
+ * \param   ctx     The platform context.
+ *
+ */
+void mbedtls_platform_teardown( mbedtls_platform_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/platform_time.h b/ctrtool/deps/libmbedtls/include/mbedtls/platform_time.h
new file mode 100644
index 00000000..2ed36f56
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/platform_time.h
@@ -0,0 +1,82 @@
+/**
+ * \file platform_time.h
+ *
+ * \brief mbed TLS Platform time abstraction
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PLATFORM_TIME_H
+#define MBEDTLS_PLATFORM_TIME_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+/*
+ * The time_t datatype
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
+#else
+/* For time_t */
+#include <time.h>
+typedef time_t mbedtls_time_t;
+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
+
+/*
+ * The function pointers for time
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+extern mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* time );
+
+/**
+ * \brief   Set your own time function pointer
+ *
+ * \param   time_func   the time function implementation
+ *
+ * \return              0
+ */
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* time ) );
+#else
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
+#define mbedtls_time    MBEDTLS_PLATFORM_TIME_MACRO
+#else
+#define mbedtls_time   time
+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform_time.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/platform_util.h b/ctrtool/deps/libmbedtls/include/mbedtls/platform_util.h
new file mode 100644
index 00000000..09d09651
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/platform_util.h
@@ -0,0 +1,196 @@
+/**
+ * \file platform_util.h
+ *
+ * \brief Common and shared functions used by multiple modules in the Mbed TLS
+ *        library.
+ */
+/*
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PLATFORM_UTIL_H
+#define MBEDTLS_PLATFORM_UTIL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "platform_time.h"
+#include <time.h>
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+
+#if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+/* Allow the user to define MBEDTLS_PARAM_FAILED to something like assert
+ * (which is what our config.h suggests). */
+#include <assert.h>
+#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
+
+#if defined(MBEDTLS_PARAM_FAILED)
+/** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h.
+ *
+ * This flag can be used to check whether it is safe to assume that
+ * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed().
+ */
+#define MBEDTLS_PARAM_FAILED_ALT
+
+#elif defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+#define MBEDTLS_PARAM_FAILED( cond ) assert( cond )
+#define MBEDTLS_PARAM_FAILED_ALT
+
+#else /* MBEDTLS_PARAM_FAILED */
+#define MBEDTLS_PARAM_FAILED( cond ) \
+    mbedtls_param_failed( #cond, __FILE__, __LINE__ )
+
+/**
+ * \brief       User supplied callback function for parameter validation failure.
+ *              See #MBEDTLS_CHECK_PARAMS for context.
+ *
+ *              This function will be called unless an alternative treatement
+ *              is defined through the #MBEDTLS_PARAM_FAILED macro.
+ *
+ *              This function can return, and the operation will be aborted, or
+ *              alternatively, through use of setjmp()/longjmp() can resume
+ *              execution in the application code.
+ *
+ * \param failure_condition The assertion that didn't hold.
+ * \param file  The file where the assertion failed.
+ * \param line  The line in the file where the assertion failed.
+ */
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line );
+#endif /* MBEDTLS_PARAM_FAILED */
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return( ret );                          \
+        }                                           \
+    } while( 0 )
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return;                                 \
+        }                                           \
+    } while( 0 )
+
+#else /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal macros meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  do { } while( 0 )
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           do { } while( 0 )
+
+#endif /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal helper macros for deprecating API constants. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
+ * to avoid conflict with other headers which define and use
+ * it, too. We might want to move all these definitions here at
+ * some point for uniformity. */
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t;
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_string_constant_t) ( VAL ) )
+MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_numeric_constant_t) ( VAL ) )
+#undef MBEDTLS_DEPRECATED
+#else /* MBEDTLS_DEPRECATED_WARNING */
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief       Securely zeroize a buffer
+ *
+ *              The function is meant to wipe the data contained in a buffer so
+ *              that it can no longer be recovered even if the program memory
+ *              is later compromised. Call this function on sensitive data
+ *              stored on the stack before returning from a function, and on
+ *              sensitive data stored on the heap before freeing the heap
+ *              object.
+ *
+ *              It is extremely difficult to guarantee that calls to
+ *              mbedtls_platform_zeroize() are not removed by aggressive
+ *              compiler optimizations in a portable way. For this reason, Mbed
+ *              TLS provides the configuration option
+ *              MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ *              mbedtls_platform_zeroize() to use a suitable implementation for
+ *              their platform and needs
+ *
+ * \param buf   Buffer to be zeroized
+ * \param len   Length of the buffer in bytes
+ *
+ */
+void mbedtls_platform_zeroize( void *buf, size_t len );
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief      Platform-specific implementation of gmtime_r()
+ *
+ *             The function is a thread-safe abstraction that behaves
+ *             similarly to the gmtime_r() function from Unix/POSIX.
+ *
+ *             Mbed TLS will try to identify the underlying platform and
+ *             make use of an appropriate underlying implementation (e.g.
+ *             gmtime_r() for POSIX and gmtime_s() for Windows). If this is
+ *             not possible, then gmtime() will be used. In this case, calls
+ *             from the library to gmtime() will be guarded by the mutex
+ *             mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
+ *             enabled. It is recommended that calls from outside the library
+ *             are also guarded by this mutex.
+ *
+ *             If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
+ *             unconditionally use the alternative implementation for
+ *             mbedtls_platform_gmtime_r() supplied by the user at compile time.
+ *
+ * \param tt     Pointer to an object containing time (in seconds) since the
+ *               epoch to be converted
+ * \param tm_buf Pointer to an object where the results will be stored
+ *
+ * \return      Pointer to an object of type struct tm on success, otherwise
+ *              NULL
+ */
+struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
+                                      struct tm *tm_buf );
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PLATFORM_UTIL_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/poly1305.h b/ctrtool/deps/libmbedtls/include/mbedtls/poly1305.h
new file mode 100644
index 00000000..f0ec44c9
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/poly1305.h
@@ -0,0 +1,192 @@
+/**
+ * \file poly1305.h
+ *
+ * \brief   This file contains Poly1305 definitions and functions.
+ *
+ *          Poly1305 is a one-time message authenticator that can be used to
+ *          authenticate messages. Poly1305-AES was created by Daniel
+ *          Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
+ *          Poly1305 algorithm (not tied to AES) was also standardized in RFC
+ *          7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_POLY1305_H
+#define MBEDTLS_POLY1305_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA         -0x0057 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE    -0x0059 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED        -0x005B  /**< Poly1305 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+typedef struct mbedtls_poly1305_context
+{
+    uint32_t r[4];      /** The value for 'r' (low 128 bits of the key). */
+    uint32_t s[4];      /** The value for 's' (high 128 bits of the key). */
+    uint32_t acc[5];    /** The accumulator number. */
+    uint8_t queue[16];  /** The current partial block of data. */
+    size_t queue_len;   /** The number of bytes stored in 'queue'. */
+}
+mbedtls_poly1305_context;
+
+#else  /* MBEDTLS_POLY1305_ALT */
+#include "poly1305_alt.h"
+#endif /* MBEDTLS_POLY1305_ALT */
+
+/**
+ * \brief           This function initializes the specified Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by a call to
+ *                  \c mbedtls_poly1305_starts(), then one or more calls to
+ *                  \c mbedtls_poly1305_update(), then one call to
+ *                  \c mbedtls_poly1305_finish(), then finally
+ *                  \c mbedtls_poly1305_free().
+ *
+ * \param ctx       The Poly1305 context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  Poly1305 context.
+ *
+ * \param ctx       The Poly1305 context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op. If it is not \c NULL, it must
+ *                  point to an initialized Poly1305 context.
+ */
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief           This function sets the one-time authentication key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param ctx       The Poly1305 context to which the key should be bound.
+ *                  This must be initialized.
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+                             const unsigned char key[32] );
+
+/**
+ * \brief           This functions feeds an input buffer into an ongoing
+ *                  Poly1305 computation.
+ *
+ *                  It is called between \c mbedtls_cipher_poly1305_starts() and
+ *                  \c mbedtls_cipher_poly1305_finish().
+ *                  It can be called repeatedly to process a stream of data.
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen );
+
+/**
+ * \brief           This function generates the Poly1305 Message
+ *                  Authentication Code (MAC).
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param mac       The buffer to where the MAC is written. This must
+ *                  be a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+                             unsigned char mac[16] );
+
+/**
+ * \brief           This function calculates the Poly1305 MAC of the input
+ *                  buffer with the provided key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param mac       The buffer to where the MAC is written. This must be
+ *                  a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_mac( const unsigned char key[32],
+                          const unsigned char *input,
+                          size_t ilen,
+                          unsigned char mac[16] );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_poly1305_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_POLY1305_H */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ripemd160.h b/ctrtool/deps/libmbedtls/include/mbedtls/ripemd160.h
new file mode 100644
index 00000000..b42f6d2a
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ripemd160.h
@@ -0,0 +1,237 @@
+/**
+ * \file ripemd160.h
+ *
+ * \brief RIPE MD-160 message digest
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_RIPEMD160_H
+#define MBEDTLS_RIPEMD160_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED             -0x0031  /**< RIPEMD160 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          RIPEMD-160 context structure
+ */
+typedef struct mbedtls_ripemd160_context
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[5];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_ripemd160_context;
+
+#else  /* MBEDTLS_RIPEMD160_ALT */
+#include "ripemd160.h"
+#endif /* MBEDTLS_RIPEMD160_ALT */
+
+/**
+ * \brief          Initialize RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be initialized
+ */
+void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          Clear RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be cleared
+ */
+void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an RIPEMD-160 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ */
+void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
+                        const mbedtls_ripemd160_context *src );
+
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx,
+                                  const unsigned char *input,
+                                  size_t ilen );
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx,
+                                  unsigned char output[20] );
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                        const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_starts(
+                                            mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_update_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_update(
+                                                mbedtls_ripemd160_context *ctx,
+                                                const unsigned char *input,
+                                                size_t ilen );
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_finish_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_finish(
+                                                mbedtls_ripemd160_context *ctx,
+                                                unsigned char output[20] );
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_ripemd160_process() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
+                                            mbedtls_ripemd160_context *ctx,
+                                            const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_ret( const unsigned char *input,
+                           size_t ilen,
+                           unsigned char output[20] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input,
+                                           size_t ilen,
+                                           unsigned char output[20] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_ripemd160_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_ripemd160.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/rsa.h b/ctrtool/deps/libmbedtls/include/mbedtls/rsa.h
new file mode 100644
index 00000000..35bacd87
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/rsa.h
@@ -0,0 +1,1274 @@
+/**
+ * \file rsa.h
+ *
+ * \brief This file provides an API for the RSA public-key cryptosystem.
+ *
+ * The RSA public-key cryptosystem is defined in <em>Public-Key
+ * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
+ * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
+ * RSA Cryptography Specifications</em>.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_RSA_H
+#define MBEDTLS_RSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+#include "md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/*
+ * RSA Error codes
+ */
+#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA                    -0x4080  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_RSA_INVALID_PADDING                   -0x4100  /**< Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED                    -0x4180  /**< Something failed during generation of a key. */
+#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED                  -0x4200  /**< Key failed to pass the validity check of the library. */
+#define MBEDTLS_ERR_RSA_PUBLIC_FAILED                     -0x4280  /**< The public key operation failed. */
+#define MBEDTLS_ERR_RSA_PRIVATE_FAILED                    -0x4300  /**< The private key operation failed. */
+#define MBEDTLS_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
+#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
+#define MBEDTLS_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */
+
+/* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION             -0x4500  /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
+
+/* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED                   -0x4580  /**< RSA hardware accelerator failed. */
+
+/*
+ * RSA constants
+ */
+#define MBEDTLS_RSA_PUBLIC      0 /**< Request private key operation. */
+#define MBEDTLS_RSA_PRIVATE     1 /**< Request public key operation. */
+
+#define MBEDTLS_RSA_PKCS_V15    0 /**< Use PKCS#1 v1.5 encoding. */
+#define MBEDTLS_RSA_PKCS_V21    1 /**< Use PKCS#1 v2.1 encoding. */
+
+#define MBEDTLS_RSA_SIGN        1 /**< Identifier for RSA signature operations. */
+#define MBEDTLS_RSA_CRYPT       2 /**< Identifier for RSA encryption and decryption operations. */
+
+#define MBEDTLS_RSA_SALT_LEN_ANY    -1
+
+/*
+ * The above constants may be used even if the RSA module is compile out,
+ * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_RSA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief   The RSA context structure.
+ *
+ * \note    Direct manipulation of the members of this structure
+ *          is deprecated. All manipulation should instead be done through
+ *          the public interface functions.
+ */
+typedef struct mbedtls_rsa_context
+{
+    int ver;                    /*!<  Always 0.*/
+    size_t len;                 /*!<  The size of \p N in Bytes. */
+
+    mbedtls_mpi N;              /*!<  The public modulus. */
+    mbedtls_mpi E;              /*!<  The public exponent. */
+
+    mbedtls_mpi D;              /*!<  The private exponent. */
+    mbedtls_mpi P;              /*!<  The first prime factor. */
+    mbedtls_mpi Q;              /*!<  The second prime factor. */
+
+    mbedtls_mpi DP;             /*!<  <code>D % (P - 1)</code>. */
+    mbedtls_mpi DQ;             /*!<  <code>D % (Q - 1)</code>. */
+    mbedtls_mpi QP;             /*!<  <code>1 / (Q % P)</code>. */
+
+    mbedtls_mpi RN;             /*!<  cached <code>R^2 mod N</code>. */
+
+    mbedtls_mpi RP;             /*!<  cached <code>R^2 mod P</code>. */
+    mbedtls_mpi RQ;             /*!<  cached <code>R^2 mod Q</code>. */
+
+    mbedtls_mpi Vi;             /*!<  The cached blinding value. */
+    mbedtls_mpi Vf;             /*!<  The cached un-blinding value. */
+
+    int padding;                /*!< Selects padding mode:
+                                     #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
+                                     #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
+    int hash_id;                /*!< Hash identifier of mbedtls_md_type_t type,
+                                     as specified in md.h for use in the MGF
+                                     mask generating function used in the
+                                     EME-OAEP and EMSA-PSS encodings. */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!<  Thread-safety mutex. */
+#endif
+}
+mbedtls_rsa_context;
+
+#else  /* MBEDTLS_RSA_ALT */
+#include "rsa_alt.h"
+#endif /* MBEDTLS_RSA_ALT */
+
+/**
+ * \brief          This function initializes an RSA context.
+ *
+ * \note           Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
+ *                 encryption scheme and the RSASSA-PSS signature scheme.
+ *
+ * \note           The \p hash_id parameter is ignored when using
+ *                 #MBEDTLS_RSA_PKCS_V15 padding.
+ *
+ * \note           The choice of padding mode is strictly enforced for private key
+ *                 operations, since there might be security concerns in
+ *                 mixing padding modes. For public key operations it is
+ *                 a default value, which can be overridden by calling specific
+ *                 \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
+ *
+ * \note           The hash selected in \p hash_id is always used for OEAP
+ *                 encryption. For PSS signatures, it is always used for
+ *                 making signatures, but can be overridden for verifying them.
+ *                 If set to #MBEDTLS_MD_NONE, it is always overridden.
+ *
+ * \param ctx      The RSA context to initialize. This must not be \c NULL.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The hash identifier of ::mbedtls_md_type_t type, if
+ *                 \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused
+ *                 otherwise.
+ */
+void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
+                       int padding,
+                       int hash_id );
+
+/**
+ * \brief          This function imports a set of core parameters into an
+ *                 RSA context.
+ *
+ * \note           This function can be called multiple times for successive
+ *                 imports, if the parameters are not simultaneously present.
+ *
+ *                 Any sequence of calls to this function should be followed
+ *                 by a call to mbedtls_rsa_complete(), which checks and
+ *                 completes the provided information to a ready-for-use
+ *                 public or private RSA key.
+ *
+ * \note           See mbedtls_rsa_complete() for more information on which
+ *                 parameters are necessary to set up a private or public
+ *                 RSA key.
+ *
+ * \note           The imported parameters are copied and need not be preserved
+ *                 for the lifetime of the RSA context being set up.
+ *
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param E        The public exponent. This may be \c NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
+                        const mbedtls_mpi *N,
+                        const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                        const mbedtls_mpi *D, const mbedtls_mpi *E );
+
+/**
+ * \brief          This function imports core RSA parameters, in raw big-endian
+ *                 binary format, into an RSA context.
+ *
+ * \note           This function can be called multiple times for successive
+ *                 imports, if the parameters are not simultaneously present.
+ *
+ *                 Any sequence of calls to this function should be followed
+ *                 by a call to mbedtls_rsa_complete(), which checks and
+ *                 completes the provided information to a ready-for-use
+ *                 public or private RSA key.
+ *
+ * \note           See mbedtls_rsa_complete() for more information on which
+ *                 parameters are necessary to set up a private or public
+ *                 RSA key.
+ *
+ * \note           The imported parameters are copied and need not be preserved
+ *                 for the lifetime of the RSA context being set up.
+ *
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param N_len    The Byte length of \p N; it is ignored if \p N == NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param P_len    The Byte length of \p P; it ns ignored if \p P == NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param Q_len    The Byte length of \p Q; it is ignored if \p Q == NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param D_len    The Byte length of \p D; it is ignored if \p D == NULL.
+ * \param E        The public exponent. This may be \c NULL.
+ * \param E_len    The Byte length of \p E; it is ignored if \p E == NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
+                            unsigned char const *N, size_t N_len,
+                            unsigned char const *P, size_t P_len,
+                            unsigned char const *Q, size_t Q_len,
+                            unsigned char const *D, size_t D_len,
+                            unsigned char const *E, size_t E_len );
+
+/**
+ * \brief          This function completes an RSA context from
+ *                 a set of imported core parameters.
+ *
+ *                 To setup an RSA public key, precisely \p N and \p E
+ *                 must have been imported.
+ *
+ *                 To setup an RSA private key, sufficient information must
+ *                 be present for the other parameters to be derivable.
+ *
+ *                 The default implementation supports the following:
+ *                 <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li>
+ *                 <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul>
+ *                 Alternative implementations need not support these.
+ *
+ *                 If this function runs successfully, it guarantees that
+ *                 the RSA context can be used for RSA operations without
+ *                 the risk of failure or crash.
+ *
+ * \warning        This function need not perform consistency checks
+ *                 for the imported parameters. In particular, parameters that
+ *                 are not needed by the implementation might be silently
+ *                 discarded and left unchecked. To check the consistency
+ *                 of the key material, see mbedtls_rsa_check_privkey().
+ *
+ * \param ctx      The initialized RSA context holding imported parameters.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
+ *                 failed.
+ *
+ */
+int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function exports the core parameters of an RSA key.
+ *
+ *                 If this function runs successfully, the non-NULL buffers
+ *                 pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ *                 written, with additional unused space filled leading by
+ *                 zero Bytes.
+ *
+ *                 Possible reasons for returning
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
+ *                 <li>An alternative RSA implementation is in use, which
+ *                 stores the key externally, and either cannot or should
+ *                 not export it into RAM.</li>
+ *                 <li>A SW or HW implementation might not support a certain
+ *                 deduction. For example, \p P, \p Q from \p N, \p D,
+ *                 and \p E if the former are not part of the
+ *                 implementation.</li></ul>
+ *
+ *                 If the function fails due to an unsupported operation,
+ *                 the RSA context stays intact and remains usable.
+ *
+ * \param ctx      The initialized RSA context.
+ * \param N        The MPI to hold the RSA modulus.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param P        The MPI to hold the first prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param Q        The MPI to hold the second prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param D        The MPI to hold the private exponent.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param E        The MPI to hold the public exponent.
+ *                 This may be \c NULL if this field need not be exported.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
+ *                 requested parameters cannot be done due to missing
+ *                 functionality or because of security policies.
+ * \return         A non-zero return code on any other failure.
+ *
+ */
+int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
+                        mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+                        mbedtls_mpi *D, mbedtls_mpi *E );
+
+/**
+ * \brief          This function exports core parameters of an RSA key
+ *                 in raw big-endian binary format.
+ *
+ *                 If this function runs successfully, the non-NULL buffers
+ *                 pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ *                 written, with additional unused space filled leading by
+ *                 zero Bytes.
+ *
+ *                 Possible reasons for returning
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
+ *                 <li>An alternative RSA implementation is in use, which
+ *                 stores the key externally, and either cannot or should
+ *                 not export it into RAM.</li>
+ *                 <li>A SW or HW implementation might not support a certain
+ *                 deduction. For example, \p P, \p Q from \p N, \p D,
+ *                 and \p E if the former are not part of the
+ *                 implementation.</li></ul>
+ *                 If the function fails due to an unsupported operation,
+ *                 the RSA context stays intact and remains usable.
+ *
+ * \note           The length parameters are ignored if the corresponding
+ *                 buffer pointers are NULL.
+ *
+ * \param ctx      The initialized RSA context.
+ * \param N        The Byte array to store the RSA modulus,
+ *                 or \c NULL if this field need not be exported.
+ * \param N_len    The size of the buffer for the modulus.
+ * \param P        The Byte array to hold the first prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
+ * \param P_len    The size of the buffer for the first prime factor.
+ * \param Q        The Byte array to hold the second prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
+ * \param Q_len    The size of the buffer for the second prime factor.
+ * \param D        The Byte array to hold the private exponent,
+ *                 or \c NULL if this field need not be exported.
+ * \param D_len    The size of the buffer for the private exponent.
+ * \param E        The Byte array to hold the public exponent,
+ *                 or \c NULL if this field need not be exported.
+ * \param E_len    The size of the buffer for the public exponent.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
+ *                 requested parameters cannot be done due to missing
+ *                 functionality or because of security policies.
+ * \return         A non-zero return code on any other failure.
+ */
+int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
+                            unsigned char *N, size_t N_len,
+                            unsigned char *P, size_t P_len,
+                            unsigned char *Q, size_t Q_len,
+                            unsigned char *D, size_t D_len,
+                            unsigned char *E, size_t E_len );
+
+/**
+ * \brief          This function exports CRT parameters of a private RSA key.
+ *
+ * \note           Alternative RSA implementations not using CRT-parameters
+ *                 internally can implement this function based on
+ *                 mbedtls_rsa_deduce_opt().
+ *
+ * \param ctx      The initialized RSA context.
+ * \param DP       The MPI to hold \c D modulo `P-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param DQ       The MPI to hold \c D modulo `Q-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param QP       The MPI to hold modular inverse of \c Q modulo \c P,
+ *                 or \c NULL if it need not be exported.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ *
+ */
+int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
+                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP );
+
+/**
+ * \brief          This function sets padding for an already initialized RSA
+ *                 context. See mbedtls_rsa_init() for details.
+ *
+ * \param ctx      The initialized RSA context to be configured.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The #MBEDTLS_RSA_PKCS_V21 hash identifier.
+ */
+void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
+                              int hash_id );
+
+/**
+ * \brief          This function retrieves the length of RSA modulus in Bytes.
+ *
+ * \param ctx      The initialized RSA context.
+ *
+ * \return         The length of the RSA modulus in Bytes.
+ *
+ */
+size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function generates an RSA keypair.
+ *
+ * \note           mbedtls_rsa_init() must be called before this function,
+ *                 to set up the RSA context.
+ *
+ * \param ctx      The initialized RSA context used to hold the key.
+ * \param f_rng    The RNG function to be used for key generation.
+ *                 This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't need a context.
+ * \param nbits    The size of the public key in bits.
+ * \param exponent The public exponent to use. For example, \c 65537.
+ *                 This must be odd and greater than \c 1.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         unsigned int nbits, int exponent );
+
+/**
+ * \brief          This function checks if a context contains at least an RSA
+ *                 public key.
+ *
+ *                 If the function runs successfully, it is guaranteed that
+ *                 enough information is present to perform an RSA public key
+ *                 operation using mbedtls_rsa_public().
+ *
+ * \param ctx      The initialized RSA context to check.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief      This function checks if a context contains an RSA private key
+ *             and perform basic consistency checks.
+ *
+ * \note       The consistency checks performed by this function not only
+ *             ensure that mbedtls_rsa_private() can be called successfully
+ *             on the given context, but that the various parameters are
+ *             mutually consistent with high probability, in the sense that
+ *             mbedtls_rsa_public() and mbedtls_rsa_private() are inverses.
+ *
+ * \warning    This function should catch accidental misconfigurations
+ *             like swapping of parameters, but it cannot establish full
+ *             trust in neither the quality nor the consistency of the key
+ *             material that was used to setup the given RSA context:
+ *             <ul><li>Consistency: Imported parameters that are irrelevant
+ *             for the implementation might be silently dropped. If dropped,
+ *             the current function does not have access to them,
+ *             and therefore cannot check them. See mbedtls_rsa_complete().
+ *             If you want to check the consistency of the entire
+ *             content of an PKCS1-encoded RSA private key, for example, you
+ *             should use mbedtls_rsa_validate_params() before setting
+ *             up the RSA context.
+ *             Additionally, if the implementation performs empirical checks,
+ *             these checks substantiate but do not guarantee consistency.</li>
+ *             <li>Quality: This function is not expected to perform
+ *             extended quality assessments like checking that the prime
+ *             factors are safe. Additionally, it is the responsibility of the
+ *             user to ensure the trustworthiness of the source of his RSA
+ *             parameters, which goes beyond what is effectively checkable
+ *             by the library.</li></ul>
+ *
+ * \param ctx  The initialized RSA context to check.
+ *
+ * \return     \c 0 on success.
+ * \return     An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function checks a public-private RSA key pair.
+ *
+ *                 It checks each of the contexts, and makes sure they match.
+ *
+ * \param pub      The initialized RSA context holding the public key.
+ * \param prv      The initialized RSA context holding the private key.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
+                                const mbedtls_rsa_context *prv );
+
+/**
+ * \brief          This function performs an RSA public key operation.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \note           This function does not handle message padding.
+ *
+ * \note           Make sure to set \p input[0] = 0 or ensure that
+ *                 input is smaller than \p N.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
+                const unsigned char *input,
+                unsigned char *output );
+
+/**
+ * \brief          This function performs an RSA private key operation.
+ *
+ * \note           Blinding is used if and only if a PRNG is provided.
+ *
+ * \note           If blinding is used, both the base of exponentation
+ *                 and the exponent are blinded, providing protection
+ *                 against some side-channel attacks.
+ *
+ * \warning        It is deprecated and a security risk to not provide
+ *                 a PRNG here and thereby prevent the use of blinding.
+ *                 Future versions of the library may enforce the presence
+ *                 of a PRNG.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function, used for blinding. It is discouraged
+ *                 and deprecated to pass \c NULL here, in which case
+ *                 blinding will be omitted.
+ * \param p_rng    The RNG context to pass to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or if \p f_rng doesn't need a context.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 const unsigned char *input,
+                 unsigned char *output );
+
+/**
+ * \brief          This function adds the message padding, then performs an RSA
+ *                 operation.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1 encryption
+ *                 operation using the \p mode from the context.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG to use. It is mandatory for PKCS#1 v2.1 padding
+ *                 encoding, and for PKCS#1 v1.5 padding encoding when used
+ *                 with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5
+ *                 padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE,
+ *                 it is used for blinding and should be provided in this
+ *                 case; see mbedtls_rsa_private() for more.
+ * \param p_rng    The RNG context to be passed to \p f_rng. May be
+ *                 \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't
+ *                 need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t ilen,
+                       const unsigned char *input,
+                       unsigned char *output );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 encryption operation
+ *                 (RSAES-PKCS1-v1_5-ENCRYPT).
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. It is needed for padding generation
+ *                 if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is
+ *                 #MBEDTLS_RSA_PRIVATE (discouraged), it is used for
+ *                 blinding and should be provided; see mbedtls_rsa_private().
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may
+ *                 be \c NULL if \p f_rng is \c NULL or if \p f_rng
+ *                 doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t ilen,
+                                 const unsigned char *input,
+                                 unsigned char *output );
+
+/**
+ * \brief            This function performs a PKCS#1 v2.1 OAEP encryption
+ *                   operation (RSAES-OAEP-ENCRYPT).
+ *
+ * \note             The output buffer must be as large as the size
+ *                   of ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \deprecated       It is deprecated and discouraged to call this function
+ *                   in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                   are likely to remove the \p mode argument and have it
+ *                   implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note             Alternative implementations of RSA need not support
+ *                   mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx        The initnialized RSA context to use.
+ * \param f_rng      The RNG function to use. This is needed for padding
+ *                   generation and must be provided.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may
+ *                   be \c NULL if \p f_rng doesn't need a context argument.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param label      The buffer holding the custom label to use.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param ilen       The length of the plaintext buffer \p input in Bytes.
+ * \param input      The input data to encrypt. This must be a readable
+ *                   buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output     The output buffer. This must be a writable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
+ *
+ * \return           \c 0 on success.
+ * \return           An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t ilen,
+                            const unsigned char *input,
+                            unsigned char *output );
+
+/**
+ * \brief          This function performs an RSA operation, then removes the
+ *                 message padding.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1 decryption
+ *                 operation using the \p mode from the context.
+ *
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N (for example,
+ *                 128 Bytes if RSA-1024 is used) to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 decryption
+ *                 operation (RSAES-PKCS1-v1_5-DECRYPT).
+ *
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N, for example,
+ *                 128 Bytes if RSA-1024 is used, to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t *olen,
+                                 const unsigned char *input,
+                                 unsigned char *output,
+                                 size_t output_max_len );
+
+/**
+ * \brief            This function performs a PKCS#1 v2.1 OAEP decryption
+ *                   operation (RSAES-OAEP-DECRYPT).
+ *
+ * \note             The output buffer length \c output_max_len should be
+ *                   as large as the size \p ctx->len of \p ctx->N, for
+ *                   example, 128 Bytes if RSA-1024 is used, to be able to
+ *                   hold an arbitrary decrypted message. If it is not
+ *                   large enough to hold the decryption of the particular
+ *                   ciphertext provided, the function returns
+ *                   #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \deprecated       It is deprecated and discouraged to call this function
+ *                   in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                   are likely to remove the \p mode argument and have it
+ *                   implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note             Alternative implementations of RSA need not support
+ *                   mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx        The initialized RSA context to use.
+ * \param f_rng      The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                   this is used for blinding and should be provided; see
+ *                   mbedtls_rsa_private() for more. If \p mode is
+ *                   #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may be
+ *                   \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param label      The buffer holding the custom label to use.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param olen       The address at which to store the length of
+ *                   the plaintext. This must not be \c NULL.
+ * \param input      The ciphertext buffer. This must be a readable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
+ * \param output     The buffer used to hold the plaintext. This must
+ *                   be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t *olen,
+                            const unsigned char *input,
+                            unsigned char *output,
+                            size_t output_max_len );
+
+/**
+ * \brief          This function performs a private RSA operation to sign
+ *                 a message digest using PKCS#1.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1
+ *                 signature using the \p mode from the context.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_sign() for details on
+ *                 \p md_alg and \p hash_id.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. If the padding mode is PKCS#1 v2.1,
+ *                 this must be provided. If the padding mode is PKCS#1 v1.5 and
+ *                 \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding
+ *                 and should be provided; see mbedtls_rsa_private() for more
+ *                 more. It is ignored otherwise.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 signature
+ *                 operation (RSASSA-PKCS1-v1_5-SIGN).
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS signature
+ *                 operation (RSASSA-PSS-SIGN).
+ *
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 encoding. \p md_alg in the function call is the type of hash
+ *                 that is encoded. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same.
+ *
+ * \note           This function always uses the maximum possible salt size,
+ *                 up to the length of the payload hash. This choice of salt
+ *                 size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
+ *                 v2.2) §9.1.1 step 3. Furthermore this function enforces a
+ *                 minimum salt size which is the hash size minus 2 bytes. If
+ *                 this minimum size is too large given the key size (the salt
+ *                 size, plus the hash size, plus 2 bytes must be no more than
+ *                 the key size in bytes), this function returns
+ *                 #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. It must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         int mode,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         unsigned char *sig );
+
+/**
+ * \brief          This function performs a public RSA operation and checks
+ *                 the message digest.
+ *
+ *                 This is the generic wrapper for performing a PKCS#1
+ *                 verification using the mode from the context.
+ *
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
+ *                 \p hash_id.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng,
+                      int mode,
+                      mbedtls_md_type_t md_alg,
+                      unsigned int hashlen,
+                      const unsigned char *hash,
+                      const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 verification
+ *                 operation (RSASSA-PKCS1-v1_5-VERIFY).
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode,
+                                 mbedtls_md_type_t md_alg,
+                                 unsigned int hashlen,
+                                 const unsigned char *hash,
+                                 const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS verification
+ *                 operation (RSASSA-PSS-VERIFY).
+ *
+ *                 The hash function for the MGF mask generating function
+ *                 is that specified in the RSA context.
+ *
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 verification. \p md_alg in the function call is the type of
+ *                 hash that is verified. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same. If \p hash_id in the RSA context is unset,
+ *                 the \p md_alg from the function call is used.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           int mode,
+                           mbedtls_md_type_t md_alg,
+                           unsigned int hashlen,
+                           const unsigned char *hash,
+                           const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS verification
+ *                 operation (RSASSA-PSS-VERIFY).
+ *
+ *                 The hash function for the MGF mask generating function
+ *                 is that specified in \p mgf1_hash_id.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           The \p hash_id in the RSA context is ignored.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param mgf1_hash_id      The message digest used for mask generation.
+ * \param expected_salt_len The length of the salt used in padding. Use
+ *                          #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               mbedtls_md_type_t mgf1_hash_id,
+                               int expected_salt_len,
+                               const unsigned char *sig );
+
+/**
+ * \brief          This function copies the components of an RSA context.
+ *
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The source context. This must be initialized.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
+ */
+int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
+
+/**
+ * \brief          This function frees the components of an RSA key.
+ *
+ * \param ctx      The RSA context to free. May be \c NULL, in which case
+ *                 this function is a no-op. If it is not \c NULL, it must
+ *                 point to an initialized RSA context.
+ */
+void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The RSA checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_rsa_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/rsa_internal.h b/ctrtool/deps/libmbedtls/include/mbedtls/rsa_internal.h
new file mode 100644
index 00000000..53abd3c5
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/rsa_internal.h
@@ -0,0 +1,226 @@
+/**
+ * \file rsa_internal.h
+ *
+ * \brief Context-independent RSA helper functions
+ *
+ *  This module declares some RSA-related helper functions useful when
+ *  implementing the RSA interface. These functions are provided in a separate
+ *  compilation unit in order to make it easy for designers of alternative RSA
+ *  implementations to use them in their own code, as it is conceived that the
+ *  functionality they provide will be necessary for most complete
+ *  implementations.
+ *
+ *  End-users of Mbed TLS who are not providing their own alternative RSA
+ *  implementations should not use these functions directly, and should instead
+ *  use only the functions declared in rsa.h.
+ *
+ *  The interface provided by this module will be maintained through LTS (Long
+ *  Term Support) branches of Mbed TLS, but may otherwise be subject to change,
+ *  and must be considered an internal interface of the library.
+ *
+ *  There are two classes of helper functions:
+ *
+ *  (1) Parameter-generating helpers. These are:
+ *      - mbedtls_rsa_deduce_primes
+ *      - mbedtls_rsa_deduce_private_exponent
+ *      - mbedtls_rsa_deduce_crt
+ *       Each of these functions takes a set of core RSA parameters and
+ *       generates some other, or CRT related parameters.
+ *
+ *  (2) Parameter-checking helpers. These are:
+ *      - mbedtls_rsa_validate_params
+ *      - mbedtls_rsa_validate_crt
+ *      They take a set of core or CRT related RSA parameters and check their
+ *      validity.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+
+#ifndef MBEDTLS_RSA_INTERNAL_H
+#define MBEDTLS_RSA_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * \brief          Compute RSA prime moduli P, Q from public modulus N=PQ
+ *                 and a pair of private and public key.
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param N        RSA modulus N = PQ, with P, Q to be found
+ * \param E        RSA public exponent
+ * \param D        RSA private exponent
+ * \param P        Pointer to MPI holding first prime factor of N on success
+ * \param Q        Pointer to MPI holding second prime factor of N on success
+ *
+ * \return
+ *                 - 0 if successful. In this case, P and Q constitute a
+ *                   factorization of N.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           It is neither checked that P, Q are prime nor that
+ *                 D, E are modular inverses wrt. P-1 and Q-1. For that,
+ *                 use the helper function \c mbedtls_rsa_validate_params.
+ *
+ */
+int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N, mbedtls_mpi const *E,
+                               mbedtls_mpi const *D,
+                               mbedtls_mpi *P, mbedtls_mpi *Q );
+
+/**
+ * \brief          Compute RSA private exponent from
+ *                 prime moduli and public key.
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of RSA modulus
+ * \param Q        Second prime factor of RSA modulus
+ * \param E        RSA public exponent
+ * \param D        Pointer to MPI holding the private exponent on success.
+ *
+ * \return
+ *                 - 0 if successful. In this case, D is set to a simultaneous
+ *                   modular inverse of E modulo both P-1 and Q-1.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           This function does not check whether P and Q are primes.
+ *
+ */
+int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
+                                         mbedtls_mpi const *Q,
+                                         mbedtls_mpi const *E,
+                                         mbedtls_mpi *D );
+
+
+/**
+ * \brief          Generate RSA-CRT parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of N
+ * \param Q        Second prime factor of N
+ * \param D        RSA private exponent
+ * \param DP       Output variable for D modulo P-1
+ * \param DQ       Output variable for D modulo Q-1
+ * \param QP       Output variable for the modular inverse of Q modulo P.
+ *
+ * \return         0 on success, non-zero error code otherwise.
+ *
+ * \note           This function does not check whether P, Q are
+ *                 prime and whether D is a valid private exponent.
+ *
+ */
+int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                            const mbedtls_mpi *D, mbedtls_mpi *DP,
+                            mbedtls_mpi *DQ, mbedtls_mpi *QP );
+
+
+/**
+ * \brief          Check validity of core RSA parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param N        RSA modulus N = PQ
+ * \param P        First prime factor of N
+ * \param Q        Second prime factor of N
+ * \param D        RSA private exponent
+ * \param E        RSA public exponent
+ * \param f_rng    PRNG to be used for primality check, or NULL
+ * \param p_rng    PRNG context for f_rng, or NULL
+ *
+ * \return
+ *                 - 0 if the following conditions are satisfied
+ *                   if all relevant parameters are provided:
+ *                    - P prime if f_rng != NULL (%)
+ *                    - Q prime if f_rng != NULL (%)
+ *                    - 1 < N = P * Q
+ *                    - 1 < D, E < N
+ *                    - D and E are modular inverses modulo P-1 and Q-1
+ *                   (%) This is only done if MBEDTLS_GENPRIME is defined.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           The function can be used with a restricted set of arguments
+ *                 to perform specific checks only. E.g., calling it with
+ *                 (-,P,-,-,-) and a PRNG amounts to a primality check for P.
+ */
+int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
+                                 const mbedtls_mpi *Q, const mbedtls_mpi *D,
+                                 const mbedtls_mpi *E,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng );
+
+/**
+ * \brief          Check validity of RSA CRT parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of RSA modulus
+ * \param Q        Second prime factor of RSA modulus
+ * \param D        RSA private exponent
+ * \param DP       MPI to check for D modulo P-1
+ * \param DQ       MPI to check for D modulo P-1
+ * \param QP       MPI to check for the modular inverse of Q modulo P.
+ *
+ * \return
+ *                 - 0 if the following conditions are satisfied:
+ *                    - D = DP mod P-1 if P, D, DP != NULL
+ *                    - Q = DQ mod P-1 if P, D, DQ != NULL
+ *                    - QP = Q^-1 mod P if P, Q, QP != NULL
+ *                 - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
+ *                   potentially including \c MBEDTLS_ERR_MPI_XXX if some
+ *                   MPI calculations failed.
+ *                 - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
+ *                   data was provided to check DP, DQ or QP.
+ *
+ * \note           The function can be used with a restricted set of arguments
+ *                 to perform specific checks only. E.g., calling it with the
+ *                 parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
+ */
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa_internal.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/sha1.h b/ctrtool/deps/libmbedtls/include/mbedtls/sha1.h
new file mode 100644
index 00000000..bb6ecf05
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/sha1.h
@@ -0,0 +1,352 @@
+/**
+ * \file sha1.h
+ *
+ * \brief This file contains SHA-1 definitions and functions.
+ *
+ * The Secure Hash Algorithm 1 (SHA-1) cryptographic hash function is defined in
+ * <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. We recommend considering stronger message
+ *            digests instead.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA1_H
+#define MBEDTLS_SHA1_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED                  -0x0035  /**< SHA-1 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA                   -0x0073  /**< SHA-1 input data was malformed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          The SHA-1 context structure.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_sha1_context
+{
+    uint32_t total[2];          /*!< The number of Bytes processed.  */
+    uint32_t state[5];          /*!< The intermediate digest state.  */
+    unsigned char buffer[64];   /*!< The data block being processed. */
+}
+mbedtls_sha1_context;
+
+#else  /* MBEDTLS_SHA1_ALT */
+#include "sha1_alt.h"
+#endif /* MBEDTLS_SHA1_ALT */
+
+/**
+ * \brief          This function initializes a SHA-1 context.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to initialize.
+ *                 This must not be \c NULL.
+ *
+ */
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-1 context.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it is
+ *                 not \c NULL, it must point to an initialized
+ *                 SHA-1 context.
+ *
+ */
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-1 context.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param dst      The SHA-1 context to clone to. This must be initialized.
+ * \param src      The SHA-1 context to clone from. This must be initialized.
+ *
+ */
+void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
+                         const mbedtls_sha1_context *src );
+
+/**
+ * \brief          This function starts a SHA-1 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
+ */
+int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing SHA-1
+ *                 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-1 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to use. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of length \c 20 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
+                             unsigned char output[20] );
+
+/**
+ * \brief          SHA-1 process data block (internal use only).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to use. This must be initialized.
+ * \param data     The data block being processed. This must be a
+ *                 readable buffer of length \c 64 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
+ */
+int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
+                                   const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-1 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_starts_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing SHA-1
+ *                 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
+                                             const unsigned char *input,
+                                             size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-1 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-1 checksum result.
+ *                 This must be a writable buffer of length \c 20 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
+                                             unsigned char output[20] );
+
+/**
+ * \brief          SHA-1 process data block (internal use only).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha1_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized.
+ * \param data     The data block being processed.
+ *                 This must be a readable buffer of length \c 64 bytes.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
+                                              const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          This function calculates the SHA-1 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-1 result is calculated as
+ *                 output = SHA-1(input buffer).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ * \param output   The SHA-1 checksum result.
+ *                 This must be a writable buffer of length \c 20 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
+ */
+int mbedtls_sha1_ret( const unsigned char *input,
+                      size_t ilen,
+                      unsigned char output[20] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function calculates the SHA-1 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-1 result is calculated as
+ *                 output = SHA-1(input buffer).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_ret() in 2.7.0
+ *
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of size \c 20 Bytes.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input,
+                                      size_t ilen,
+                                      unsigned char output[20] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The SHA-1 checkup routine.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ *
+ */
+int mbedtls_sha1_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha1.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/sha256.h b/ctrtool/deps/libmbedtls/include/mbedtls/sha256.h
new file mode 100644
index 00000000..d6473982
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/sha256.h
@@ -0,0 +1,297 @@
+/**
+ * \file sha256.h
+ *
+ * \brief This file contains SHA-224 and SHA-256 definitions and functions.
+ *
+ * The Secure Hash Algorithms 224 and 256 (SHA-224 and SHA-256) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA256_H
+#define MBEDTLS_SHA256_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037  /**< SHA-256 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA                 -0x0074  /**< SHA-256 input data was malformed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA256_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          The SHA-256 context structure.
+ *
+ *                 The structure is used both for SHA-256 and for SHA-224
+ *                 checksum calculations. The choice between these two is
+ *                 made in the call to mbedtls_sha256_starts_ret().
+ */
+typedef struct mbedtls_sha256_context
+{
+    uint32_t total[2];          /*!< The number of Bytes processed.  */
+    uint32_t state[8];          /*!< The intermediate digest state.  */
+    unsigned char buffer[64];   /*!< The data block being processed. */
+    int is224;                  /*!< Determines which function to use:
+                                     0: Use SHA-256, or 1: Use SHA-224. */
+}
+mbedtls_sha256_context;
+
+#else  /* MBEDTLS_SHA256_ALT */
+#include "sha256_alt.h"
+#endif /* MBEDTLS_SHA256_ALT */
+
+/**
+ * \brief          This function initializes a SHA-256 context.
+ *
+ * \param ctx      The SHA-256 context to initialize. This must not be \c NULL.
+ */
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-256 context.
+ *
+ * \param ctx      The SHA-256 context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized SHA-256 context.
+ */
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-256 context.
+ *
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
+ */
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+                           const mbedtls_sha256_context *src );
+
+/**
+ * \brief          This function starts a SHA-224 or SHA-256 checksum
+ *                 calculation.
+ *
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    This determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-256 checksum calculation.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-256 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-224 or SHA-256 checksum result.
+ *                 This must be a writable buffer of length \c 32 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
+                               unsigned char output[32] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-256 computation. This function is for
+ *                 internal use only.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must
+ *                 be a readable buffer of length \c 64 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
+                                     const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-224 or SHA-256 checksum
+ *                 calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_starts_ret() in 2.7.0.
+ *
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
+                                               int is224 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-256 checksum calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context to use. This must be
+ *                 initialized and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
+                                               const unsigned char *input,
+                                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-256 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
+                                               unsigned char output[32] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-256 computation. This function is for
+ *                 internal use only.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha256_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of size \c 64 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
+                                                const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          This function calculates the SHA-224 or SHA-256
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-256 result is calculated as
+ *                 output = SHA-256(input buffer).
+ *
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must
+ *                 be a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
+ */
+int mbedtls_sha256_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[32],
+                        int is224 );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          This function calculates the SHA-224 or SHA-256 checksum
+ *                 of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-256 result is calculated as
+ *                 output = SHA-256(input buffer).
+ *
+ * \deprecated     Superseded by mbedtls_sha256_ret() in 2.7.0.
+ *
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be either
+ *                 \c 0 for SHA-256, or \c 1 for SHA-224.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input,
+                                        size_t ilen,
+                                        unsigned char output[32],
+                                        int is224 );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The SHA-224 and SHA-256 checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_sha256_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha256.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/sha512.h b/ctrtool/deps/libmbedtls/include/mbedtls/sha512.h
new file mode 100644
index 00000000..c06ceed1
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/sha512.h
@@ -0,0 +1,300 @@
+/**
+ * \file sha512.h
+ * \brief This file contains SHA-384 and SHA-512 definitions and functions.
+ *
+ * The Secure Hash Algorithms 384 and 512 (SHA-384 and SHA-512) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA512_H
+#define MBEDTLS_SHA512_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED                -0x0039  /**< SHA-512 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA                 -0x0075  /**< SHA-512 input data was malformed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA512_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          The SHA-512 context structure.
+ *
+ *                 The structure is used both for SHA-384 and for SHA-512
+ *                 checksum calculations. The choice between these two is
+ *                 made in the call to mbedtls_sha512_starts_ret().
+ */
+typedef struct mbedtls_sha512_context
+{
+    uint64_t total[2];          /*!< The number of Bytes processed. */
+    uint64_t state[8];          /*!< The intermediate digest state. */
+    unsigned char buffer[128];  /*!< The data block being processed. */
+    int is384;                  /*!< Determines which function to use:
+                                     0: Use SHA-512, or 1: Use SHA-384. */
+}
+mbedtls_sha512_context;
+
+#else  /* MBEDTLS_SHA512_ALT */
+#include "sha512_alt.h"
+#endif /* MBEDTLS_SHA512_ALT */
+
+/**
+ * \brief          This function initializes a SHA-512 context.
+ *
+ * \param ctx      The SHA-512 context to initialize. This must
+ *                 not be \c NULL.
+ */
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-512 context.
+ *
+ * \param ctx      The SHA-512 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it
+ *                 is not \c NULL, it must point to an initialized
+ *                 SHA-512 context.
+ */
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-512 context.
+ *
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
+ */
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+                           const mbedtls_sha512_context *src );
+
+/**
+ * \brief          This function starts a SHA-384 or SHA-512 checksum
+ *                 calculation.
+ *
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be
+ *                 either \c for SHA-512, or \c 1 for SHA-384.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-512 checksum calculation.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
+                    const unsigned char *input,
+                    size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-512 operation, and writes
+ *                 the result to the output buffer. This function is for
+ *                 internal use only.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ *                 This must be a writable buffer of length \c 64 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
+                               unsigned char output[64] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-512 computation.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This
+ *                 must be a readable buffer of length \c 128 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
+                                     const unsigned char data[128] );
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-384 or SHA-512 checksum
+ *                 calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_starts_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512 or \c 1 for SHA-384.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
+                                               int is384 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-512 checksum calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
+                                               const unsigned char *input,
+                                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-512 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of size \c 64 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
+                                               unsigned char output[64] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-512 computation. This function is for
+ *                 internal use only.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha512_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of length \c 128 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_process(
+                                            mbedtls_sha512_context *ctx,
+                                            const unsigned char data[128] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          This function calculates the SHA-512 or SHA-384
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-512 result is calculated as
+ *                 output = SHA-512(input buffer).
+ *
+ * \param input    The buffer holding the input data. This must be
+ *                 a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ *                 This must be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[64],
+                        int is384 );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          This function calculates the SHA-512 or SHA-384
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-512 result is calculated as
+ *                 output = SHA-512(input buffer).
+ *
+ * \deprecated     Superseded by mbedtls_sha512_ret() in 2.7.0
+ *
+ * \param input    The buffer holding the data. This must be a
+ *                 readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input,
+                                        size_t ilen,
+                                        unsigned char output[64],
+                                        int is384 );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+ /**
+ * \brief          The SHA-384 or SHA-512 checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_sha512_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha512.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ssl.h b/ctrtool/deps/libmbedtls/include/mbedtls/ssl.h
new file mode 100644
index 00000000..1adf9608
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ssl.h
@@ -0,0 +1,3262 @@
+/**
+ * \file ssl.h
+ *
+ * \brief SSL/TLS functions.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_H
+#define MBEDTLS_SSL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+#include "ecp.h"
+
+#include "ssl_ciphersuites.h"
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "x509_crt.h"
+#include "x509_crl.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "dhm.h"
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+#include "ecdh.h"
+#endif
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and will be removed in the next major revision of the library"
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and cannot be used if MBEDTLS_DEPRECATED_REMOVED is set"
+#endif
+
+#include "zlib.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "platform_time.h"
+#endif
+
+/*
+ * SSL Error codes
+ */
+#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
+#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
+#define MBEDTLS_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
+#define MBEDTLS_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
+#define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
+#define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
+#define MBEDTLS_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
+#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
+#define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key or pre-shared key is not set, but needed. */
+#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED                 -0x7680  /**< No CA Chain is set, but required to operate. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE                -0x7700  /**< An unexpected message was received from our peer. */
+#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE               -0x7780  /**< A fatal alert message was received from our peer. */
+#define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED                -0x7800  /**< Verification of our peer failed. */
+#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY                 -0x7880  /**< The peer notified us that the connection is going to be closed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO               -0x7900  /**< Processing of the ClientHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO               -0x7980  /**< Processing of the ServerHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE                -0x7A00  /**< Processing of the Certificate handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST        -0x7A80  /**< Processing of the CertificateRequest handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE        -0x7B00  /**< Processing of the ServerKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE          -0x7B80  /**< Processing of the ServerHelloDone handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE        -0x7C00  /**< Processing of the ClientKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP     -0x7C80  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS     -0x7D00  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY         -0x7D80  /**< Processing of the CertificateVerify handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC         -0x7E00  /**< Processing of the ChangeCipherSpec handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED                   -0x7E80  /**< Processing of the Finished handshake message failed. */
+#define MBEDTLS_ERR_SSL_ALLOC_FAILED                      -0x7F00  /**< Memory allocation failed */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED                   -0x7F80  /**< Hardware acceleration function returned with error */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH              -0x6F80  /**< Hardware acceleration function skipped / left alone data */
+#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
+#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
+#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET         -0x6E00  /**< Processing of the NewSessionTicket handshake message failed. */
+#define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED            -0x6D80  /**< Session ticket has expired. */
+#define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH                  -0x6D00  /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
+#define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY                  -0x6C80  /**< Unknown identity received (eg, PSK identity) */
+#define MBEDTLS_ERR_SSL_INTERNAL_ERROR                    -0x6C00  /**< Internal error (eg, unexpected failure in lower-level module) */
+#define MBEDTLS_ERR_SSL_COUNTER_WRAPPING                  -0x6B80  /**< A counter would wrap (eg, too many messages exchanged). */
+#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO       -0x6B00  /**< Unexpected message at ServerHello in renegotiation. */
+#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
+#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
+#define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
+#define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900  /**< No data of requested type currently available on underlying transport. */
+#define MBEDTLS_ERR_SSL_WANT_WRITE                        -0x6880  /**< Connection requires a write call. */
+#define MBEDTLS_ERR_SSL_TIMEOUT                           -0x6800  /**< The operation timed out. */
+#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT                  -0x6780  /**< The client initiated a reconnect from the same port. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD                 -0x6700  /**< Record header looks valid but is not expected. */
+#define MBEDTLS_ERR_SSL_NON_FATAL                         -0x6680  /**< The alert message received indicates a non-fatal error. */
+#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH               -0x6600  /**< Couldn't set the hash for verifying CertificateVerify */
+#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING               -0x6580  /**< Internal-only message signaling that further message-processing should be done */
+#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS                 -0x6500  /**< The asynchronous operation is not completed yet. */
+#define MBEDTLS_ERR_SSL_EARLY_MESSAGE                     -0x6480  /**< Internal-only message signaling that a message arrived early. */
+#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS                -0x7000  /**< A cryptographic operation is in progress. Try again later. */
+
+/*
+ * Various constants
+ */
+#define MBEDTLS_SSL_MAJOR_VERSION_3             3
+#define MBEDTLS_SSL_MINOR_VERSION_0             0   /*!< SSL v3.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_1             1   /*!< TLS v1.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
+#define MBEDTLS_SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
+
+#define MBEDTLS_SSL_TRANSPORT_STREAM            0   /*!< TLS      */
+#define MBEDTLS_SSL_TRANSPORT_DATAGRAM          1   /*!< DTLS     */
+
+#define MBEDTLS_SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
+
+/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
+ * NONE must be zero so that memset()ing structure to zero works */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE           0   /*!< don't use this extension   */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_512            1   /*!< MaxFragmentLength 2^9      */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_1024           2   /*!< MaxFragmentLength 2^10     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_2048           3   /*!< MaxFragmentLength 2^11     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_4096           4   /*!< MaxFragmentLength 2^12     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID        5   /*!< first invalid value        */
+
+#define MBEDTLS_SSL_IS_CLIENT                   0
+#define MBEDTLS_SSL_IS_SERVER                   1
+
+#define MBEDTLS_SSL_IS_NOT_FALLBACK             0
+#define MBEDTLS_SSL_IS_FALLBACK                 1
+
+#define MBEDTLS_SSL_EXTENDED_MS_DISABLED        0
+#define MBEDTLS_SSL_EXTENDED_MS_ENABLED         1
+
+#define MBEDTLS_SSL_ETM_DISABLED                0
+#define MBEDTLS_SSL_ETM_ENABLED                 1
+
+#define MBEDTLS_SSL_COMPRESS_NULL               0
+#define MBEDTLS_SSL_COMPRESS_DEFLATE            1
+
+#define MBEDTLS_SSL_VERIFY_NONE                 0
+#define MBEDTLS_SSL_VERIFY_OPTIONAL             1
+#define MBEDTLS_SSL_VERIFY_REQUIRED             2
+#define MBEDTLS_SSL_VERIFY_UNSET                3 /* Used only for sni_authmode */
+
+#define MBEDTLS_SSL_LEGACY_RENEGOTIATION        0
+#define MBEDTLS_SSL_SECURE_RENEGOTIATION        1
+
+#define MBEDTLS_SSL_RENEGOTIATION_DISABLED      0
+#define MBEDTLS_SSL_RENEGOTIATION_ENABLED       1
+
+#define MBEDTLS_SSL_ANTI_REPLAY_DISABLED        0
+#define MBEDTLS_SSL_ANTI_REPLAY_ENABLED         1
+
+#define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED  -1
+#define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT  16
+
+#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION     0
+#define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION  1
+#define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE      2
+
+#define MBEDTLS_SSL_TRUNC_HMAC_DISABLED         0
+#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED          1
+#define MBEDTLS_SSL_TRUNCATED_HMAC_LEN          10  /* 80 bits, rfc 6066 section 7 */
+
+#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
+#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1
+
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED    0
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED     1
+
+#define MBEDTLS_SSL_ARC4_ENABLED                0
+#define MBEDTLS_SSL_ARC4_DISABLED               1
+
+#define MBEDTLS_SSL_PRESET_DEFAULT              0
+#define MBEDTLS_SSL_PRESET_SUITEB               2
+
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED       1
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED      0
+
+/*
+ * Default range for DTLS retransmission timer value, in milliseconds.
+ * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
+ */
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN    1000
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX   60000
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME)
+#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+#endif
+
+/*
+ * Maximum fragment length in bytes,
+ * determines the size of each of the two internal I/O buffers.
+ *
+ * Note: the RFC defines the default size of SSL / TLS messages. If you
+ * change the value here, other clients / servers may not be able to
+ * communicate with you anymore. Only change this value if you control
+ * both sides of the connection and have it reduced at both sides, or
+ * if you're using the Max Fragment Length extension and you know all your
+ * peers are using it too!
+ */
+#if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
+#define MBEDTLS_SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
+#endif
+
+#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
+#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
+#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+/*
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ */
+#if !defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING)
+#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
+#endif
+
+/* \} name SECTION: Module settings */
+
+/*
+ * Length of the verify data for secure renegotiation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 36
+#else
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12
+#endif
+
+/*
+ * Signaling ciphersuite values (SCSV)
+ */
+#define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
+#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE         0x5600 /**< RFC 7507 section 2 */
+
+/*
+ * Supported Signature and Hash algorithms (For TLS 1.2)
+ * RFC 5246 section 7.4.1.4.1
+ */
+#define MBEDTLS_SSL_HASH_NONE                0
+#define MBEDTLS_SSL_HASH_MD5                 1
+#define MBEDTLS_SSL_HASH_SHA1                2
+#define MBEDTLS_SSL_HASH_SHA224              3
+#define MBEDTLS_SSL_HASH_SHA256              4
+#define MBEDTLS_SSL_HASH_SHA384              5
+#define MBEDTLS_SSL_HASH_SHA512              6
+
+#define MBEDTLS_SSL_SIG_ANON                 0
+#define MBEDTLS_SSL_SIG_RSA                  1
+#define MBEDTLS_SSL_SIG_ECDSA                3
+
+/*
+ * Client Certificate Types
+ * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
+ */
+#define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN       1
+#define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN    64
+
+/*
+ * Message, alert and handshake types
+ */
+#define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC     20
+#define MBEDTLS_SSL_MSG_ALERT                  21
+#define MBEDTLS_SSL_MSG_HANDSHAKE              22
+#define MBEDTLS_SSL_MSG_APPLICATION_DATA       23
+
+#define MBEDTLS_SSL_ALERT_LEVEL_WARNING         1
+#define MBEDTLS_SSL_ALERT_LEVEL_FATAL           2
+
+#define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY           0  /* 0x00 */
+#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE    10  /* 0x0A */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC        20  /* 0x14 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED     21  /* 0x15 */
+#define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW       22  /* 0x16 */
+#define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30  /* 0x1E */
+#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE     40  /* 0x28 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_CERT               41  /* 0x29 */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_CERT              42  /* 0x2A */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT      43  /* 0x2B */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED          44  /* 0x2C */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED          45  /* 0x2D */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN          46  /* 0x2E */
+#define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER     47  /* 0x2F */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA            48  /* 0x30 */
+#define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED         49  /* 0x31 */
+#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR          50  /* 0x32 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR         51  /* 0x33 */
+#define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION    60  /* 0x3C */
+#define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION      70  /* 0x46 */
+#define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71  /* 0x47 */
+#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR        80  /* 0x50 */
+#define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86  /* 0x56 */
+#define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED         90  /* 0x5A */
+#define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION     100  /* 0x64 */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT      110  /* 0x6E */
+#define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME    112  /* 0x70 */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115  /* 0x73 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
+
+#define MBEDTLS_SSL_HS_HELLO_REQUEST            0
+#define MBEDTLS_SSL_HS_CLIENT_HELLO             1
+#define MBEDTLS_SSL_HS_SERVER_HELLO             2
+#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST     3
+#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET       4
+#define MBEDTLS_SSL_HS_CERTIFICATE             11
+#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE     12
+#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST     13
+#define MBEDTLS_SSL_HS_SERVER_HELLO_DONE       14
+#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY      15
+#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE     16
+#define MBEDTLS_SSL_HS_FINISHED                20
+
+/*
+ * TLS extensions
+ */
+#define MBEDTLS_TLS_EXT_SERVERNAME                   0
+#define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME          0
+
+#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH          1
+
+#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC               4
+
+#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS     11
+
+#define MBEDTLS_TLS_EXT_SIG_ALG                     13
+
+#define MBEDTLS_TLS_EXT_ALPN                        16
+
+#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC            22 /* 0x16 */
+#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET  0x0017 /* 23 */
+
+#define MBEDTLS_TLS_EXT_SESSION_TICKET              35
+
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP               256 /* experimental */
+
+#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      0xFF01
+
+/*
+ * Size defines
+ */
+#if !defined(MBEDTLS_PSK_MAX_LEN)
+#define MBEDTLS_PSK_MAX_LEN            32 /* 256 bits */
+#endif
+
+/* Dummy type used only for its size */
+union mbedtls_ssl_premaster_secret
+{
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    unsigned char _pms_rsa[48];                         /* RFC 5246 8.1.1 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE];      /* RFC 5246 8.1.2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)    || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)  || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES];    /* RFC 4492 5.10 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
+                                 + MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 3 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN];      /* RFC 4279 4 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
+                                   + MBEDTLS_PSK_MAX_LEN];     /* RFC 5489 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    unsigned char _pms_ecjpake[32];     /* Thread spec: SHA-256 output */
+#endif
+};
+
+#define MBEDTLS_PREMASTER_SIZE     sizeof( union mbedtls_ssl_premaster_secret )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * SSL state machine
+ */
+typedef enum
+{
+    MBEDTLS_SSL_HELLO_REQUEST,
+    MBEDTLS_SSL_CLIENT_HELLO,
+    MBEDTLS_SSL_SERVER_HELLO,
+    MBEDTLS_SSL_SERVER_CERTIFICATE,
+    MBEDTLS_SSL_SERVER_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_REQUEST,
+    MBEDTLS_SSL_SERVER_HELLO_DONE,
+    MBEDTLS_SSL_CLIENT_CERTIFICATE,
+    MBEDTLS_SSL_CLIENT_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_VERIFY,
+    MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_CLIENT_FINISHED,
+    MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_SERVER_FINISHED,
+    MBEDTLS_SSL_FLUSH_BUFFERS,
+    MBEDTLS_SSL_HANDSHAKE_WRAPUP,
+    MBEDTLS_SSL_HANDSHAKE_OVER,
+    MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
+    MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
+}
+mbedtls_ssl_states;
+
+/**
+ * \brief          Callback type: send data on the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the send callback (typically a file descriptor)
+ * \param buf      Buffer holding the data to send
+ * \param len      Length of the data to send
+ *
+ * \return         The callback must return the number of bytes sent if any,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback is allowed to send fewer bytes than requested.
+ *                 It must always return the number of bytes actually sent.
+ */
+typedef int mbedtls_ssl_send_t( void *ctx,
+                                const unsigned char *buf,
+                                size_t len );
+
+/**
+ * \brief          Callback type: receive data from the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the receive callback (typically a file
+ *                 descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_t( void *ctx,
+                                unsigned char *buf,
+                                size_t len );
+
+/**
+ * \brief          Callback type: receive data from the network, with timeout
+ *
+ * \note           That callback must block until data is received, or the
+ *                 timeout delay expires, or the operation is interrupted by a
+ *                 signal.
+ *
+ * \param ctx      Context for the receive callback (typically a file descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ * \param timeout  Maximum nomber of millisecondes to wait for data
+ *                 0 means no timeout (potentially waiting forever)
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code:
+ *                 \c MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ *                 \c MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_timeout_t( void *ctx,
+                                        unsigned char *buf,
+                                        size_t len,
+                                        uint32_t timeout );
+/**
+ * \brief          Callback type: set a pair of timers/delays to watch
+ *
+ * \param ctx      Context pointer
+ * \param int_ms   Intermediate delay in milliseconds
+ * \param fin_ms   Final delay in milliseconds
+ *                 0 cancels the current timer.
+ *
+ * \note           This callback must at least store the necessary information
+ *                 for the associated \c mbedtls_ssl_get_timer_t callback to
+ *                 return correct information.
+ *
+ * \note           If using a event-driven style of programming, an event must
+ *                 be generated when the final delay is passed. The event must
+ *                 cause a call to \c mbedtls_ssl_handshake() with the proper
+ *                 SSL context to be scheduled. Care must be taken to ensure
+ *                 that at most one such call happens at a time.
+ *
+ * \note           Only one timer at a time must be running. Calling this
+ *                 function while a timer is running must cancel it. Cancelled
+ *                 timers must not generate any event.
+ */
+typedef void mbedtls_ssl_set_timer_t( void * ctx,
+                                      uint32_t int_ms,
+                                      uint32_t fin_ms );
+
+/**
+ * \brief          Callback type: get status of timers/delays
+ *
+ * \param ctx      Context pointer
+ *
+ * \return         This callback must return:
+ *                 -1 if cancelled (fin_ms == 0),
+ *                  0 if none of the delays have passed,
+ *                  1 if only the intermediate delay has passed,
+ *                  2 if the final delay has passed.
+ */
+typedef int mbedtls_ssl_get_timer_t( void * ctx );
+
+/* Defined below */
+typedef struct mbedtls_ssl_session mbedtls_ssl_session;
+typedef struct mbedtls_ssl_context mbedtls_ssl_context;
+typedef struct mbedtls_ssl_config  mbedtls_ssl_config;
+
+/* Defined in ssl_internal.h */
+typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
+typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
+typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief           Callback type: start external signature operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  a signature decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p hash if the value
+ *                  is needed for later processing, because the \p hash buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \note            For RSA signatures, this function must produce output
+ *                  that is consistent with PKCS#1 v1.5 in the same way as
+ *                  mbedtls_rsa_pkcs1_sign(). Before the private key operation,
+ *                  apply the padding steps described in RFC 8017, section 9.2
+ *                  "EMSA-PKCS1-v1_5" as follows.
+ *                  - If \p md_alg is #MBEDTLS_MD_NONE, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the DigestInfo to be
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 3, with `T = hash` and `tLen = hash_len`.
+ *                  - If `md_alg != MBEDTLS_MD_NONE`, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the hash to be encoded and
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 2, with `digestAlgorithm` obtained by calling
+ *                    mbedtls_oid_get_oid_by_md() on \p md_alg.
+ *
+ * \note            For ECDSA signatures, the output format is the DER encoding
+ *                  `Ecdsa-Sig-Value` defined in
+ *                  [RFC 4492 section 5.4](https://tools.ietf.org/html/rfc4492#section-5.4).
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param md_alg          Hash algorithm.
+ * \param hash            Buffer containing the hash. This buffer is
+ *                        no longer valid when the function returns.
+ * \param hash_len        Size of the \c hash buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_sign_t( mbedtls_ssl_context *ssl,
+                                      mbedtls_x509_crt *cert,
+                                      mbedtls_md_type_t md_alg,
+                                      const unsigned char *hash,
+                                      size_t hash_len );
+
+/**
+ * \brief           Callback type: start external decryption operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  an RSA decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p input if the value
+ *                  is needed for later processing, because the \p input buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \warning         RSA decryption as used in TLS is subject to a potential
+ *                  timing side channel attack first discovered by Bleichenbacher
+ *                  in 1998. This attack can be remotely exploitable
+ *                  in practice. To avoid this attack, you must ensure that
+ *                  if the callback performs an RSA decryption, the time it
+ *                  takes to execute and return the result does not depend
+ *                  on whether the RSA decryption succeeded or reported
+ *                  invalid padding.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param input           Buffer containing the input ciphertext. This buffer
+ *                        is no longer valid when the function returns.
+ * \param input_len       Size of the \p input buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_decrypt_t( mbedtls_ssl_context *ssl,
+                                         mbedtls_x509_crt *cert,
+                                         const unsigned char *input,
+                                         size_t input_len );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief           Callback type: resume external operation.
+ *
+ *                  This callback is called during an SSL handshake to resume
+ *                  an external operation started by the
+ *                  ::mbedtls_ssl_async_sign_t or
+ *                  ::mbedtls_ssl_async_decrypt_t callback.
+ *
+ *                  This function typically checks the status of a pending
+ *                  request or causes the request queue to make progress, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *                  It may call mbedtls_ssl_set_async_operation_data() to modify
+ *                  this context.
+ *
+ *                  Note that when this function returns a status other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it must free any
+ *                  resources associated with the operation.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param output          Buffer containing the output (signature or decrypted
+ *                        data) on success.
+ * \param output_len      On success, number of bytes written to \p output.
+ * \param output_size     Size of the \p output buffer in bytes.
+ *
+ * \return          0 if output of the operation is available in the
+ *                  \p output buffer.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  is still in progress. Subsequent requests for progress
+ *                  on the SSL connection will call the resume callback
+ *                  again.
+ * \return          Any other error means that the operation is aborted.
+ *                  The SSL handshake is aborted. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        size_t *output_len,
+                                        size_t output_size );
+
+/**
+ * \brief           Callback type: cancel external operation.
+ *
+ *                  This callback is called if an SSL connection is closed
+ *                  while an asynchronous operation is in progress. Note that
+ *                  this callback is not called if the
+ *                  ::mbedtls_ssl_async_resume_t callback has run and has
+ *                  returned a value other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, since in that case
+ *                  the asynchronous operation has already completed.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified.
+ */
+typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/*
+ * This structure is used for storing current session data.
+ */
+struct mbedtls_ssl_session
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t start;       /*!< starting time      */
+#endif
+    int ciphersuite;            /*!< chosen ciphersuite */
+    int compression;            /*!< chosen compression */
+    size_t id_len;              /*!< session id length  */
+    unsigned char id[32];       /*!< session identifier */
+    unsigned char master[48];   /*!< the master secret  */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_crt *peer_cert;        /*!< peer X.509 cert chain */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    uint32_t verify_result;          /*!<  verification result     */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ticket;      /*!< RFC 5077 session ticket */
+    size_t ticket_len;          /*!< session ticket length   */
+    uint32_t ticket_lifetime;   /*!< ticket lifetime hint    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    int trunc_hmac;             /*!< flag for truncated hmac activation   */
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    int encrypt_then_mac;       /*!< flag for EtM activation                */
+#endif
+};
+
+/**
+ * SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
+ */
+struct mbedtls_ssl_config
+{
+    /* Group items by size (largest first) to minimize padding overhead */
+
+    /*
+     * Pointers
+     */
+
+    const int *ciphersuite_list[4]; /*!< allowed ciphersuites per version   */
+
+    /** Callback for printing debug output                                  */
+    void (*f_dbg)(void *, int, const char *, int, const char *);
+    void *p_dbg;                    /*!< context for the debug function     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int  (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+    /** Callback to retrieve a session from the cache                       */
+    int (*f_get_cache)(void *, mbedtls_ssl_session *);
+    /** Callback to store a session into the cache                          */
+    int (*f_set_cache)(void *, const mbedtls_ssl_session *);
+    void *p_cache;                  /*!< context for cache callbacks        */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /** Callback for setting cert according to SNI extension                */
+    int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_sni;                    /*!< context for SNI callback           */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /** Callback to customize X.509 certificate chain verification          */
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;                   /*!< context for X.509 verify calllback */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    /** Callback to retrieve PSK key from identity                          */
+    int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_psk;                    /*!< context for PSK callback           */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a cookie for ClientHello veirifcation    */
+    int (*f_cookie_write)( void *, unsigned char **, unsigned char *,
+                           const unsigned char *, size_t );
+    /** Callback to verify validity of a ClientHello cookie                 */
+    int (*f_cookie_check)( void *, const unsigned char *, size_t,
+                           const unsigned char *, size_t );
+    void *p_cookie;                 /*!< context for the cookie callbacks   */
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a session ticket                         */
+    int (*f_ticket_write)( void *, const mbedtls_ssl_session *,
+            unsigned char *, const unsigned char *, size_t *, uint32_t * );
+    /** Callback to parse a session ticket into a session structure         */
+    int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t);
+    void *p_ticket;                 /*!< context for the ticket callbacks   */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    /** Callback to export key block and master secret                      */
+    int (*f_export_keys)( void *, const unsigned char *,
+            const unsigned char *, size_t, size_t, size_t );
+    void *p_export_keys;            /*!< context for key export callback    */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
+    mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s)        */
+    mbedtls_x509_crt *ca_chain;     /*!< trusted CAs                        */
+    mbedtls_x509_crl *ca_crl;       /*!< trusted CAs CRLs                   */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_async_sign_t *f_async_sign_start; /*!< start asynchronous signature operation */
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt_start; /*!< start asynchronous decryption operation */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */
+    mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */
+    void *p_async_config_data; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    const int *sig_hashes;          /*!< allowed signature hashes           */
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+    const mbedtls_ecp_group_id *curve_list; /*!< allowed curves             */
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi dhm_P;              /*!< prime modulus for DHM              */
+    mbedtls_mpi dhm_G;              /*!< generator for DHM                  */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    unsigned char *psk;             /*!< pre-shared key. This field should
+                                         only be set via
+                                         mbedtls_ssl_conf_psk() */
+    size_t         psk_len;         /*!< length of the pre-shared key. This
+                                         field should only be set via
+                                         mbedtls_ssl_conf_psk() */
+    unsigned char *psk_identity;    /*!< identity for PSK negotiation. This
+                                         field should only be set via
+                                         mbedtls_ssl_conf_psk() */
+    size_t         psk_identity_len;/*!< length of identity. This field should
+                                         only be set via
+                                         mbedtls_ssl_conf_psk() */
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char **alpn_list;         /*!< ordered list of protocols          */
+#endif
+
+    /*
+     * Numerical settings (int then char)
+     */
+
+    uint32_t read_timeout;          /*!< timeout for mbedtls_ssl_read (ms)  */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint32_t hs_timeout_min;        /*!< initial value of the handshake
+                                         retransmission timeout (ms)        */
+    uint32_t hs_timeout_max;        /*!< maximum value of the handshake
+                                         retransmission timeout (ms)        */
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_max_records;         /*!< grace period for renegotiation     */
+    unsigned char renego_period[8]; /*!< value of the record counters
+                                         that triggers renegotiation        */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned int badmac_limit;      /*!< limit of records with a bad MAC    */
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int dhm_min_bitlen;    /*!< min. bit length of the DHM prime   */
+#endif
+
+    unsigned char max_major_ver;    /*!< max. major version used            */
+    unsigned char max_minor_ver;    /*!< max. minor version used            */
+    unsigned char min_major_ver;    /*!< min. major version used            */
+    unsigned char min_minor_ver;    /*!< min. minor version used            */
+
+    /*
+     * Flags (bitfields)
+     */
+
+    unsigned int endpoint : 1;      /*!< 0: client, 1: server               */
+    unsigned int transport : 1;     /*!< stream (TLS) or datagram (DTLS)    */
+    unsigned int authmode : 2;      /*!< MBEDTLS_SSL_VERIFY_XXX             */
+    /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE          */
+    unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX   */
+#if defined(MBEDTLS_ARC4_C)
+    unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites?        */
+#endif
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned int mfl_code : 3;      /*!< desired fragment length            */
+#endif
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac?    */
+#endif
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    unsigned int extended_ms : 1;   /*!< negotiate extended master secret?  */
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    unsigned int anti_replay : 1;   /*!< detect and prevent replay?         */
+#endif
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    unsigned int cbc_record_splitting : 1;  /*!< do cbc record splitting    */
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    unsigned int disable_renegotiation : 1; /*!< disable renegotiation?     */
+#endif
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    unsigned int trunc_hmac : 1;    /*!< negotiate truncated hmac?          */
+#endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    unsigned int session_tickets : 1;   /*!< use session tickets?           */
+#endif
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int fallback : 1;      /*!< is this a fallback?                */
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    unsigned int cert_req_ca_list : 1;  /*!< enable sending CA list in
+                                          Certificate Request messages?     */
+#endif
+};
+
+
+struct mbedtls_ssl_context
+{
+    const mbedtls_ssl_config *conf; /*!< configuration information          */
+
+    /*
+     * Miscellaneous
+     */
+    int state;                  /*!< SSL handshake: current state     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_status;          /*!< Initial, in progress, pending?   */
+    int renego_records_seen;    /*!< Records since renego request, or with DTLS,
+                                  number of retransmissions of request if
+                                  renego_max_records is < 0           */
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
+    int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0)    */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned badmac_seen;       /*!< records with a bad MAC received    */
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+    mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
+    mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
+    mbedtls_ssl_recv_timeout_t *f_recv_timeout;
+                                /*!< Callback for network receive with timeout */
+
+    void *p_bio;                /*!< context for I/O operations   */
+
+    /*
+     * Session layer
+     */
+    mbedtls_ssl_session *session_in;            /*!<  current session data (in)   */
+    mbedtls_ssl_session *session_out;           /*!<  current session data (out)  */
+    mbedtls_ssl_session *session;               /*!<  negotiated session data     */
+    mbedtls_ssl_session *session_negotiate;     /*!<  session data in negotiation */
+
+    mbedtls_ssl_handshake_params *handshake;    /*!<  params required only during
+                                              the handshake process        */
+
+    /*
+     * Record layer transformations
+     */
+    mbedtls_ssl_transform *transform_in;        /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform_out;       /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform;           /*!<  negotiated transform params     */
+    mbedtls_ssl_transform *transform_negotiate; /*!<  transform params in negotiation */
+
+    /*
+     * Timers
+     */
+    void *p_timer;              /*!< context for the timer callbacks */
+
+    mbedtls_ssl_set_timer_t *f_set_timer;       /*!< set timer callback */
+    mbedtls_ssl_get_timer_t *f_get_timer;       /*!< get timer callback */
+
+    /*
+     * Record layer (incoming data)
+     */
+    unsigned char *in_buf;      /*!< input buffer                     */
+    unsigned char *in_ctr;      /*!< 64-bit incoming message counter
+                                     TLS: maintained by us
+                                     DTLS: read from peer             */
+    unsigned char *in_hdr;      /*!< start of record header           */
+    unsigned char *in_len;      /*!< two-bytes message length field   */
+    unsigned char *in_iv;       /*!< ivlen-byte IV                    */
+    unsigned char *in_msg;      /*!< message contents (in_iv+ivlen)   */
+    unsigned char *in_offt;     /*!< read offset in application data  */
+
+    int in_msgtype;             /*!< record header: message type      */
+    size_t in_msglen;           /*!< record header: message length    */
+    size_t in_left;             /*!< amount of data read so far       */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t in_epoch;          /*!< DTLS epoch for incoming records  */
+    size_t next_record_offset;  /*!< offset of the next record in datagram
+                                     (equal to in_left if none)       */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    uint64_t in_window_top;     /*!< last validated record seq_num    */
+    uint64_t in_window;         /*!< bitmask for replay detection     */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+    size_t in_hslen;            /*!< current handshake message length,
+                                     including the handshake header   */
+    int nb_zero;                /*!< # of 0-length encrypted messages */
+
+    int keep_current_message;   /*!< drop or reuse current message
+                                     on next call to record layer? */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint8_t disable_datagram_packing;  /*!< Disable packing multiple records
+                                        *   within a single datagram.  */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Record layer (outgoing data)
+     */
+    unsigned char *out_buf;     /*!< output buffer                    */
+    unsigned char *out_ctr;     /*!< 64-bit outgoing message counter  */
+    unsigned char *out_hdr;     /*!< start of record header           */
+    unsigned char *out_len;     /*!< two-bytes message length field   */
+    unsigned char *out_iv;      /*!< ivlen-byte IV                    */
+    unsigned char *out_msg;     /*!< message contents (out_iv+ivlen)  */
+
+    int out_msgtype;            /*!< record header: message type      */
+    size_t out_msglen;          /*!< record header: message length    */
+    size_t out_left;            /*!< amount of data not yet written   */
+
+    unsigned char cur_out_ctr[8]; /*!<  Outgoing record sequence  number. */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t mtu;               /*!< path mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    unsigned char *compress_buf;        /*!<  zlib data buffer        */
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    signed char split_done;     /*!< current record already splitted? */
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+    /*
+     * PKI layer
+     */
+    int client_auth;                    /*!<  flag for client auth.   */
+
+    /*
+     * User settings
+     */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    char *hostname;             /*!< expected peer CN for verification
+                                     (and SNI if available)                 */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char *alpn_chosen;    /*!<  negotiated protocol                   */
+#endif /* MBEDTLS_SSL_ALPN */
+
+    /*
+     * Information for DTLS hello verify
+     */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
+    size_t          cli_id_len;     /*!<  length of cli_id                  */
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+    /*
+     * Secure renegotiation
+     */
+    /* needed to know when to send extension on server */
+    int secure_renegotiation;           /*!<  does peer support legacy or
+                                              secure renegotiation           */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    size_t verify_data_len;             /*!<  length of verify data stored   */
+    char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+    char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+};
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+
+#define MBEDTLS_SSL_CHANNEL_OUTBOUND    0
+#define MBEDTLS_SSL_CHANNEL_INBOUND     1
+
+extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
+                const unsigned char *key_enc, const unsigned char *key_dec,
+                size_t keylen,
+                const unsigned char *iv_enc,  const unsigned char *iv_dec,
+                size_t ivlen,
+                const unsigned char *mac_enc, const unsigned char *mac_dec,
+                size_t maclen);
+extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
+extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/**
+ * \brief               Return the name of the ciphersuite associated with the
+ *                      given ID
+ *
+ * \param ciphersuite_id SSL ciphersuite ID
+ *
+ * \return              a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id );
+
+/**
+ * \brief               Return the ID of the ciphersuite associated with the
+ *                      given name
+ *
+ * \param ciphersuite_name SSL ciphersuite name
+ *
+ * \return              the ID with the ciphersuite or 0 if not found
+ */
+int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name );
+
+/**
+ * \brief          Initialize an SSL context
+ *                 Just makes the context ready for mbedtls_ssl_setup() or
+ *                 mbedtls_ssl_free()
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_init( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Set up an SSL context for use
+ *
+ * \note           No copy of the configuration context is made, it can be
+ *                 shared by many mbedtls_ssl_context structures.
+ *
+ * \warning        The conf structure will be accessed during the session.
+ *                 It must not be modified or freed as long as the session
+ *                 is active.
+ *
+ * \warning        This function must be called exactly once per context.
+ *                 Calling mbedtls_ssl_setup again is not supported, even
+ *                 if no session is active.
+ *
+ * \param ssl      SSL context
+ * \param conf     SSL configuration to use
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if
+ *                 memory allocation failed
+ */
+int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
+                       const mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Reset an already initialized SSL context for re-use
+ *                 while retaining application-set variables, function
+ *                 pointers and data.
+ *
+ * \param ssl      SSL context
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED,
+                   MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or
+ *                 MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+ */
+int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Set the current endpoint type
+ *
+ * \param conf     SSL configuration
+ * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ */
+void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
+
+/**
+ * \brief           Set the transport type (TLS or DTLS).
+ *                  Default: TLS
+ *
+ * \note            For DTLS, you must either provide a recv callback that
+ *                  doesn't block, or one that handles timeouts, see
+ *                  \c mbedtls_ssl_set_bio(). You also need to provide timer
+ *                  callbacks with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \param conf      SSL configuration
+ * \param transport transport type:
+ *                  MBEDTLS_SSL_TRANSPORT_STREAM for TLS,
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS.
+ */
+void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
+
+/**
+ * \brief          Set the certificate verification mode
+ *                 Default: NONE on server, REQUIRED on client
+ *
+ * \param conf     SSL configuration
+ * \param authmode can be:
+ *
+ *  MBEDTLS_SSL_VERIFY_NONE:      peer certificate is not checked
+ *                        (default on server)
+ *                        (insecure on client)
+ *
+ *  MBEDTLS_SSL_VERIFY_OPTIONAL:  peer certificate is checked, however the
+ *                        handshake continues even if verification failed;
+ *                        mbedtls_ssl_get_verify_result() can be called after the
+ *                        handshake is complete.
+ *
+ *  MBEDTLS_SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
+ *                        handshake is aborted if verification failed.
+ *                        (default on client)
+ *
+ * \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode.
+ * With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at
+ * the right time(s), which may not be obvious, while REQUIRED always perform
+ * the verification as soon as possible. For example, REQUIRED was protecting
+ * against the "triple handshake" attack even before it was found.
+ */
+void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the verification callback (Optional).
+ *
+ *                 If set, the verify callback is called for each
+ *                 certificate in the chain. For implementation
+ *                 information, please see \c mbedtls_x509_crt_verify()
+ *
+ * \param conf     SSL configuration
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ */
+void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief          Set the random number generator callback
+ *
+ * \param conf     SSL configuration
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ */
+void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng );
+
+/**
+ * \brief          Set the debug callback
+ *
+ *                 The callback has the following argument:
+ *                 void *           opaque context for the callback
+ *                 int              debug level
+ *                 const char *     file name
+ *                 int              line number
+ *                 const char *     message
+ *
+ * \param conf     SSL configuration
+ * \param f_dbg    debug function
+ * \param p_dbg    debug parameter
+ */
+void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
+                  void (*f_dbg)(void *, int, const char *, int, const char *),
+                  void  *p_dbg );
+
+/**
+ * \brief          Set the underlying BIO callbacks for write, read and
+ *                 read-with-timeout.
+ *
+ * \param ssl      SSL context
+ * \param p_bio    parameter (context) shared by BIO callbacks
+ * \param f_send   write callback
+ * \param f_recv   read callback
+ * \param f_recv_timeout blocking read callback with timeout.
+ *
+ * \note           One of f_recv or f_recv_timeout can be NULL, in which case
+ *                 the other is used. If both are non-NULL, f_recv_timeout is
+ *                 used and f_recv is ignored (as if it were NULL).
+ *
+ * \note           The two most common use cases are:
+ *                 - non-blocking I/O, f_recv != NULL, f_recv_timeout == NULL
+ *                 - blocking I/O, f_recv == NULL, f_recv_timout != NULL
+ *
+ * \note           For DTLS, you need to provide either a non-NULL
+ *                 f_recv_timeout callback, or a f_recv that doesn't block.
+ *
+ * \note           See the documentations of \c mbedtls_ssl_sent_t,
+ *                 \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
+ *                 the conventions those callbacks must follow.
+ *
+ * \note           On some platforms, net_sockets.c provides
+ *                 \c mbedtls_net_send(), \c mbedtls_net_recv() and
+ *                 \c mbedtls_net_recv_timeout() that are suitable to be used
+ *                 here.
+ */
+void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
+                          void *p_bio,
+                          mbedtls_ssl_send_t *f_send,
+                          mbedtls_ssl_recv_t *f_recv,
+                          mbedtls_ssl_recv_timeout_t *f_recv_timeout );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/**
+ * \brief          Set the Maximum Tranport Unit (MTU).
+ *                 Special value: 0 means unset (no limit).
+ *                 This represents the maximum size of a datagram payload
+ *                 handled by the transport layer (usually UDP) as determined
+ *                 by the network link and stack. In practice, this controls
+ *                 the maximum size datagram the DTLS layer will pass to the
+ *                 \c f_send() callback set using \c mbedtls_ssl_set_bio().
+ *
+ * \note           The limit on datagram size is converted to a limit on
+ *                 record payload by subtracting the current overhead of
+ *                 encapsulation and encryption/authentication if any.
+ *
+ * \note           This can be called at any point during the connection, for
+ *                 example when a Path Maximum Transfer Unit (PMTU)
+ *                 estimate becomes available from other sources,
+ *                 such as lower (or higher) protocol layers.
+ *
+ * \note           This setting only controls the size of the packets we send,
+ *                 and does not restrict the size of the datagrams we're
+ *                 willing to receive. Client-side, you can request the
+ *                 server to use smaller records with \c
+ *                 mbedtls_ssl_conf_max_frag_len().
+ *
+ * \note           If both a MTU and a maximum fragment length have been
+ *                 configured (or negotiated with the peer), the resulting
+ *                 lower limit on record payload (see first note) is used.
+ *
+ * \note           This can only be used to decrease the maximum size
+ *                 of datagrams (hence records, see first note) sent. It
+ *                 cannot be used to increase the maximum size of records over
+ *                 the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN.
+ *
+ * \note           Values lower than the current record layer expansion will
+ *                 result in an error when trying to send data.
+ *
+ * \note           Using record compression together with a non-zero MTU value
+ *                 will result in an error when trying to send data.
+ *
+ * \param ssl      SSL context
+ * \param mtu      Value of the path MTU in bytes
+ */
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/**
+ * \brief          Set the timeout period for mbedtls_ssl_read()
+ *                 (Default: no timeout.)
+ *
+ * \param conf     SSL configuration context
+ * \param timeout  Timeout value in milliseconds.
+ *                 Use 0 for no timeout (default).
+ *
+ * \note           With blocking I/O, this will only work if a non-NULL
+ *                 \c f_recv_timeout was set with \c mbedtls_ssl_set_bio().
+ *                 With non-blocking I/O, this will only work if timer
+ *                 callbacks were set with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \note           With non-blocking I/O, you may also skip this function
+ *                 altogether and handle timeouts at the application layer.
+ */
+void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
+
+/**
+ * \brief          Set the timer callbacks (Mandatory for DTLS.)
+ *
+ * \param ssl      SSL context
+ * \param p_timer  parameter (context) shared by timer callbacks
+ * \param f_set_timer   set timer callback
+ * \param f_get_timer   get timer callback. Must return:
+ *
+ * \note           See the documentation of \c mbedtls_ssl_set_timer_t and
+ *                 \c mbedtls_ssl_get_timer_t for the conventions this pair of
+ *                 callbacks must follow.
+ *
+ * \note           On some platforms, timing.c provides
+ *                 \c mbedtls_timing_set_delay() and
+ *                 \c mbedtls_timing_get_delay() that are suitable for using
+ *                 here, except if using an event-driven style.
+ *
+ * \note           See also the "DTLS tutorial" article in our knowledge base.
+ *                 https://tls.mbed.org/kb/how-to/dtls-tutorial
+ */
+void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
+                               void *p_timer,
+                               mbedtls_ssl_set_timer_t *f_set_timer,
+                               mbedtls_ssl_get_timer_t *f_get_timer );
+
+/**
+ * \brief           Callback type: generate and write session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should generate an encrypted and
+ *                  authenticated ticket for the session and write it to the
+ *                  output buffer. Here, ticket means the opaque ticket part
+ *                  of the NewSessionTicket structure of RFC 5077.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be written in the ticket
+ * \param start     Start of the output buffer
+ * \param end       End of the output buffer
+ * \param tlen      On exit, holds the length written
+ * \param lifetime  On exit, holds the lifetime of the ticket in seconds
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_ticket_write_t( void *p_ticket,
+                                        const mbedtls_ssl_session *session,
+                                        unsigned char *start,
+                                        const unsigned char *end,
+                                        size_t *tlen,
+                                        uint32_t *lifetime );
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Callback type: Export key block and master secret
+ *
+ * \note            This is required for certain uses of TLS, e.g. EAP-TLS
+ *                  (RFC 5216) and Thread. The key pointers are ephemeral and
+ *                  therefore must not be stored. The master secret and keys
+ *                  should not be used directly except as an input to a key
+ *                  derivation function.
+ *
+ * \param p_expkey  Context for the callback
+ * \param ms        Pointer to master secret (fixed length: 48 bytes)
+ * \param kb        Pointer to key block, see RFC 5246 section 6.3
+ *                  (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
+ * \param maclen    MAC length
+ * \param keylen    Key length
+ * \param ivlen     IV length
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_export_keys_t( void *p_expkey,
+                                const unsigned char *ms,
+                                const unsigned char *kb,
+                                size_t maclen,
+                                size_t keylen,
+                                size_t ivlen );
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+/**
+ * \brief           Callback type: parse and load session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should parse a session ticket as generated
+ *                  by the corresponding mbedtls_ssl_ticket_write_t function,
+ *                  and, if the ticket is authentic and valid, load the
+ *                  session.
+ *
+ * \note            The implementation is allowed to modify the first len
+ *                  bytes of the input buffer, eg to use it as a temporary
+ *                  area for the decrypted ticket contents.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be loaded
+ * \param buf       Start of the buffer containing the ticket
+ * \param len       Length of the ticket.
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or
+ *                  MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or
+ *                  any other non-zero code for other failures.
+ */
+typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket,
+                                        mbedtls_ssl_session *session,
+                                        unsigned char *buf,
+                                        size_t len );
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Configure SSL session ticket callbacks (server only).
+ *                  (Default: none.)
+ *
+ * \note            On server, session tickets are enabled by providing
+ *                  non-NULL callbacks.
+ *
+ * \note            On client, use \c mbedtls_ssl_conf_session_tickets().
+ *
+ * \param conf      SSL configuration context
+ * \param f_ticket_write    Callback for writing a ticket
+ * \param f_ticket_parse    Callback for parsing a ticket
+ * \param p_ticket          Context shared by the two callbacks
+ */
+void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_ticket_write_t *f_ticket_write,
+        mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+        void *p_ticket );
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Configure key export callback.
+ *                  (Default: none.)
+ *
+ * \note            See \c mbedtls_ssl_export_keys_t.
+ *
+ * \param conf      SSL configuration context
+ * \param f_export_keys     Callback for exporting keys
+ * \param p_export_keys     Context for the callback
+ */
+void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_export_keys_t *f_export_keys,
+        void *p_export_keys );
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+/**
+ * \brief           Configure asynchronous private key operation callbacks.
+ *
+ * \param conf              SSL configuration context
+ * \param f_async_sign      Callback to start a signature operation. See
+ *                          the description of ::mbedtls_ssl_async_sign_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any signature
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_decrypt   Callback to start a decryption operation. See
+ *                          the description of ::mbedtls_ssl_async_decrypt_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any decryption
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_resume    Callback to resume an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_resume_t
+ *                          for more information. This may not be \c NULL unless
+ *                          \p f_async_sign and \p f_async_decrypt are both
+ *                          \c NULL.
+ * \param f_async_cancel    Callback to cancel an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_cancel_t
+ *                          for more information. This may be \c NULL if
+ *                          no cleanup is needed.
+ * \param config_data       A pointer to configuration data which can be
+ *                          retrieved with
+ *                          mbedtls_ssl_conf_get_async_config_data(). The
+ *                          library stores this value without dereferencing it.
+ */
+void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_config *conf,
+                                        mbedtls_ssl_async_sign_t *f_async_sign,
+                                        mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+                                        mbedtls_ssl_async_resume_t *f_async_resume,
+                                        mbedtls_ssl_async_cancel_t *f_async_cancel,
+                                        void *config_data );
+
+/**
+ * \brief           Retrieve the configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ *
+ * \param conf      SSL configuration context
+ * \return          The configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ */
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf );
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ *
+ * \return          The asynchronous operation user context that was last
+ *                  set during the current handshake. If
+ *                  mbedtls_ssl_set_async_operation_data() has not yet been
+ *                  called during the current handshake, this function returns
+ *                  \c NULL.
+ */
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ * \param ctx       The new value of the asynchronous operation user context.
+ *                  Call mbedtls_ssl_get_async_operation_data() later during the
+ *                  same handshake to retrieve this value.
+ */
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+                                 void *ctx );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/**
+ * \brief          Callback type: generate a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param p        Buffer to write to,
+ *                 must be updated to point right after the cookie
+ * \param end      Pointer to one past the end of the output buffer
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 on success,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_write_t( void *ctx,
+                                unsigned char **p, unsigned char *end,
+                                const unsigned char *info, size_t ilen );
+
+/**
+ * \brief          Callback type: verify a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param cookie   Cookie to verify
+ * \param clen     Length of cookie
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 if cookie is valid,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_check_t( void *ctx,
+                                const unsigned char *cookie, size_t clen,
+                                const unsigned char *info, size_t ilen );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Register callbacks for DTLS cookies
+ *                  (Server only. DTLS only.)
+ *
+ *                  Default: dummy callbacks that fail, in order to force you to
+ *                  register working callbacks (and initialize their context).
+ *
+ *                  To disable HelloVerifyRequest, register NULL callbacks.
+ *
+ * \warning         Disabling hello verification allows your server to be used
+ *                  for amplification in DoS attacks against other hosts.
+ *                  Only disable if you known this can't happen in your
+ *                  particular environment.
+ *
+ * \note            See comments on \c mbedtls_ssl_handshake() about handling
+ *                  the MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED that is expected
+ *                  on the first handshake attempt when this is enabled.
+ *
+ * \note            This is also necessary to handle client reconnection from
+ *                  the same port as described in RFC 6347 section 4.2.8 (only
+ *                  the variant with cookies is supported currently). See
+ *                  comments on \c mbedtls_ssl_read() for details.
+ *
+ * \param conf              SSL configuration
+ * \param f_cookie_write    Cookie write callback
+ * \param f_cookie_check    Cookie check callback
+ * \param p_cookie          Context for both callbacks
+ */
+void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie );
+
+/**
+ * \brief          Set client's transport-level identification info.
+ *                 (Server only. DTLS only.)
+ *
+ *                 This is usually the IP address (and port), but could be
+ *                 anything identify the client depending on the underlying
+ *                 network stack. Used for HelloVerifyRequest with DTLS.
+ *                 This is *not* used to route the actual packets.
+ *
+ * \param ssl      SSL context
+ * \param info     Transport-level info identifying the client (eg IP + port)
+ * \param ilen     Length of info in bytes
+ *
+ * \note           An internal copy is made, so the info buffer can be reused.
+ *
+ * \return         0 on success,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory.
+ */
+int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
+                                 const unsigned char *info,
+                                 size_t ilen );
+
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+/**
+ * \brief          Enable or disable anti-replay protection for DTLS.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: enabled.
+ *
+ * \param conf     SSL configuration
+ * \param mode     MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
+ *
+ * \warning        Disabling this is a security risk unless the application
+ *                 protocol handles duplicated packets in a safe way. You
+ *                 should not disable this without careful consideration.
+ *                 However, if your application already detects duplicated
+ *                 packets and needs information about them to adjust its
+ *                 transmission strategy, then you'll want to disable this.
+ */
+void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+/**
+ * \brief          Set a limit on the number of records with a bad MAC
+ *                 before terminating the connection.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: 0 (disabled).
+ *
+ * \param conf     SSL configuration
+ * \param limit    Limit, or 0 to disable.
+ *
+ * \note           If the limit is N, then the connection is terminated when
+ *                 the Nth non-authentic record is seen.
+ *
+ * \note           Records with an invalid header are not counted, only the
+ *                 ones going through the authentication-decryption phase.
+ *
+ * \note           This is a security trade-off related to the fact that it's
+ *                 often relatively easy for an active attacker ot inject UDP
+ *                 datagrams. On one hand, setting a low limit here makes it
+ *                 easier for such an attacker to forcibly terminated a
+ *                 connection. On the other hand, a high limit or no limit
+ *                 might make us waste resources checking authentication on
+ *                 many bogus packets.
+ */
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/**
+ * \brief          Allow or disallow packing of multiple handshake records
+ *                 within a single datagram.
+ *
+ * \param ssl           The SSL context to configure.
+ * \param allow_packing This determines whether datagram packing may
+ *                      be used or not. A value of \c 0 means that every
+ *                      record will be sent in a separate datagram; a
+ *                      value of \c 1 means that, if space permits,
+ *                      multiple handshake messages (including CCS) belonging to
+ *                      a single flight may be packed within a single datagram.
+ *
+ * \note           This is enabled by default and should only be disabled
+ *                 for test purposes, or if datagram packing causes
+ *                 interoperability issues with peers that don't support it.
+ *
+ * \note           Allowing datagram packing reduces the network load since
+ *                 there's less overhead if multiple messages share the same
+ *                 datagram. Also, it increases the handshake efficiency
+ *                 since messages belonging to a single datagram will not
+ *                 be reordered in transit, and so future message buffering
+ *                 or flight retransmission (if no buffering is used) as
+ *                 means to deal with reordering are needed less frequently.
+ *
+ * \note           Application records are not affected by this option and
+ *                 are currently always sent in separate datagrams.
+ *
+ */
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
+                                       unsigned allow_packing );
+
+/**
+ * \brief          Set retransmit timeout values for the DTLS handshake.
+ *                 (DTLS only, no effect on TLS.)
+ *
+ * \param conf     SSL configuration
+ * \param min      Initial timeout value in milliseconds.
+ *                 Default: 1000 (1 second).
+ * \param max      Maximum timeout value in milliseconds.
+ *                 Default: 60000 (60 seconds).
+ *
+ * \note           Default values are from RFC 6347 section 4.2.4.1.
+ *
+ * \note           The 'min' value should typically be slightly above the
+ *                 expected round-trip time to your peer, plus whatever time
+ *                 it takes for the peer to process the message. For example,
+ *                 if your RTT is about 600ms and you peer needs up to 1s to
+ *                 do the cryptographic operations in the handshake, then you
+ *                 should set 'min' slightly above 1600. Lower values of 'min'
+ *                 might cause spurious resends which waste network resources,
+ *                 while larger value of 'min' will increase overall latency
+ *                 on unreliable network links.
+ *
+ * \note           The more unreliable your network connection is, the larger
+ *                 your max / min ratio needs to be in order to achieve
+ *                 reliable handshakes.
+ *
+ * \note           Messages are retransmitted up to log2(ceil(max/min)) times.
+ *                 For example, if min = 1s and max = 5s, the retransmit plan
+ *                 goes: send ... 1s -> resend ... 2s -> resend ... 4s ->
+ *                 resend ... 5s -> give up and return a timeout error.
+ */
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Set the session cache callbacks (server-side only)
+ *                 If not set, no session resuming is done (except if session
+ *                 tickets are enabled too).
+ *
+ *                 The session cache has the responsibility to check for stale
+ *                 entries based on timeout. See RFC 5246 for recommendations.
+ *
+ *                 Warning: session.peer_cert is cleared by the SSL/TLS layer on
+ *                 connection shutdown, so do not cache the pointer! Either set
+ *                 it to NULL or make a full copy of the certificate.
+ *
+ *                 The get callback is called once during the initial handshake
+ *                 to enable session resuming. The get function has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_session *session)
+ *                 If a valid entry is found, it should fill the master of
+ *                 the session object with the cached values and return 0,
+ *                 return 1 otherwise. Optionally peer_cert can be set as well
+ *                 if it is properly present in cache entry.
+ *
+ *                 The set callback is called once during the initial handshake
+ *                 to enable session resuming after the entire handshake has
+ *                 been finished. The set function has the following parameters:
+ *                 (void *parameter, const mbedtls_ssl_session *session). The function
+ *                 should create a cache entry for future retrieval based on
+ *                 the data in the session structure and should keep in mind
+ *                 that the mbedtls_ssl_session object presented (and all its referenced
+ *                 data) is cleared by the SSL/TLS layer when the connection is
+ *                 terminated. It is recommended to add metadata to determine if
+ *                 an entry is still valid in the future. Return 0 if
+ *                 successfully cached, return 1 otherwise.
+ *
+ * \param conf           SSL configuration
+ * \param p_cache        parmater (context) for both callbacks
+ * \param f_get_cache    session get callback
+ * \param f_set_cache    session set callback
+ */
+void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
+        void *p_cache,
+        int (*f_get_cache)(void *, mbedtls_ssl_session *),
+        int (*f_set_cache)(void *, const mbedtls_ssl_session *) );
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Request resumption of session (client-side only)
+ *                 Session data is copied from presented session structure.
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid
+ *
+ * \sa             mbedtls_ssl_get_session()
+ */
+int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the preference
+ *                      order. First in the list has the highest preference.
+ *                      (Overrides all version-specific lists)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ *                      Note: The server uses its own preferences
+ *                      over the preference of the client unless
+ *                      MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ */
+void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
+                                   const int *ciphersuites );
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the
+ *                      preference order for a specific version of the protocol.
+ *                      (Only useful on the server side)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ * \param major         Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
+ *                      supported)
+ * \param minor         Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                      MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                      MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ *
+ * \note                With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
+ *                      and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ */
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
+                                       const int *ciphersuites,
+                                       int major, int minor );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the X.509 security profile used for verification
+ *
+ * \note           The restrictions are enforced for all certificates in the
+ *                 chain. However, signatures in the handshake are not covered
+ *                 by this setting but by \b mbedtls_ssl_conf_sig_hashes().
+ *
+ * \param conf     SSL configuration
+ * \param profile  Profile to use
+ */
+void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
+                                    const mbedtls_x509_crt_profile *profile );
+
+/**
+ * \brief          Set the data required to verify peer certificate
+ *
+ * \note           See \c mbedtls_x509_crt_verify() for notes regarding the
+ *                 parameters ca_chain (maps to trust_ca for that function)
+ *                 and ca_crl.
+ *
+ * \param conf     SSL configuration
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl );
+
+/**
+ * \brief          Set own certificate chain and private key
+ *
+ * \note           own_cert should contain in order from the bottom up your
+ *                 certificate chain. The top certificate (self-signed)
+ *                 can be omitted.
+ *
+ * \note           On server, this function can be called multiple times to
+ *                 provision more than one cert/key pair (eg one ECDSA, one
+ *                 RSA with SHA-256, one RSA with SHA-1). An adequate
+ *                 certificate will be selected according to the client's
+ *                 advertised capabilities. In case multiple certificates are
+ *                 adequate, preference is given to the one set by the first
+ *                 call to this function, then second, etc.
+ *
+ * \note           On client, only the first call has any effect. That is,
+ *                 only one client certificate can be provisioned. The
+ *                 server's preferences in its CertficateRequest message will
+ *                 be ignored and our only cert will be sent regardless of
+ *                 whether it matches those preferences - the server can then
+ *                 decide what it wants to do with it.
+ *
+ * \note           The provided \p pk_key needs to match the public key in the
+ *                 first certificate in \p own_cert, or all handshakes using
+ *                 that certificate will fail. It is your responsibility
+ *                 to ensure that; this function will not perform any check.
+ *                 You may use mbedtls_pk_check_pair() in order to perform
+ *                 this check yourself, but be aware that this function can
+ *                 be computationally expensive on some key types.
+ *
+ * \param conf     SSL configuration
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+/**
+ * \brief          Set the Pre Shared Key (PSK) and the expected identity name
+ *
+ * \note           This is mainly useful for clients. Servers will usually
+ *                 want to use \c mbedtls_ssl_conf_psk_cb() instead.
+ *
+ * \note           Currently clients can only register one pre-shared key.
+ *                 In other words, the servers' identity hint is ignored.
+ *                 Support for setting multiple PSKs on clients and selecting
+ *                 one based on the identity hint is not a planned feature but
+ *                 feedback is welcomed.
+ *
+ * \param conf     SSL configuration
+ * \param psk      pointer to the pre-shared key
+ * \param psk_len  pre-shared key length
+ * \param psk_identity      pointer to the pre-shared key identity
+ * \param psk_identity_len  identity key length
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
+                const unsigned char *psk, size_t psk_len,
+                const unsigned char *psk_identity, size_t psk_identity_len );
+
+
+/**
+ * \brief          Set the Pre Shared Key (PSK) for the current handshake
+ *
+ * \note           This should only be called inside the PSK callback,
+ *                 ie the function passed to \c mbedtls_ssl_conf_psk_cb().
+ *
+ * \param ssl      SSL context
+ * \param psk      pointer to the pre-shared key
+ * \param psk_len  pre-shared key length
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
+                            const unsigned char *psk, size_t psk_len );
+
+/**
+ * \brief          Set the PSK callback (server-side only).
+ *
+ *                 If set, the PSK callback is called for each
+ *                 handshake where a PSK ciphersuite was negotiated.
+ *                 The caller provides the identity received and wants to
+ *                 receive the actual PSK data and length.
+ *
+ *                 The callback has the following parameters: (void *parameter,
+ *                 mbedtls_ssl_context *ssl, const unsigned char *psk_identity,
+ *                 size_t identity_len)
+ *                 If a valid PSK identity is found, the callback should use
+ *                 \c mbedtls_ssl_set_hs_psk() on the ssl context to set the
+ *                 correct PSK and return 0.
+ *                 Any other return value will result in a denied PSK identity.
+ *
+ * \note           If you set a PSK callback using this function, then you
+ *                 don't need to set a PSK key and identity using
+ *                 \c mbedtls_ssl_conf_psk().
+ *
+ * \param conf     SSL configuration
+ * \param f_psk    PSK identity function
+ * \param p_psk    PSK identity parameter
+ */
+void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
+                     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                                  size_t),
+                     void *p_psk );
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read as hexadecimal strings (server-side only)
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG])
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator
+ *
+ * \deprecated     Superseded by \c mbedtls_ssl_conf_dh_param_bin.
+ *
+ * \return         0 if successful
+ */
+MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf,
+                                                  const char *dhm_P,
+                                                  const char *dhm_G );
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values
+ *                 from big-endian binary presentations.
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus in big-endian binary form
+ * \param P_len    Length of DHM modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator in big-endian binary form
+ * \param G_len    Length of DHM generator
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
+                                   const unsigned char *dhm_P, size_t P_len,
+                                   const unsigned char *dhm_G,  size_t G_len );
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read from existing context (server-side only)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_ctx  Diffie-Hellman-Merkle context
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx );
+#endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the minimum length for Diffie-Hellman parameters.
+ *                 (Client-side only.)
+ *                 (Default: 1024 bits.)
+ *
+ * \param conf     SSL configuration
+ * \param bitlen   Minimum bit length of the DHM prime
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
+                                      unsigned int bitlen );
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief          Set the allowed curves in order of preference.
+ *                 (Default: all defined curves.)
+ *
+ *                 On server: this only affects selection of the ECDHE curve;
+ *                 the curves used for ECDH and ECDSA are determined by the
+ *                 list of available certificates instead.
+ *
+ *                 On client: this affects the list of curves offered for any
+ *                 use. The server can override our preference order.
+ *
+ *                 Both sides: limits the set of curves accepted for use in
+ *                 ECDHE and in the peer's end-entity certificate.
+ *
+ * \note           This has no influence on which curves are allowed inside the
+ *                 certificate chains, see \c mbedtls_ssl_conf_cert_profile()
+ *                 for that. For the end-entity certificate however, the key
+ *                 will be accepted only if it is allowed both by this list
+ *                 and by the cert profile.
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred curve first).
+ *
+ * \param conf     SSL configuration
+ * \param curves   Ordered list of allowed curves,
+ *                 terminated by MBEDTLS_ECP_DP_NONE.
+ */
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
+                              const mbedtls_ecp_group_id *curves );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/**
+ * \brief          Set the allowed hashes for signatures during the handshake.
+ *                 (Default: all available hashes except MD5.)
+ *
+ * \note           This only affects which hashes are offered and can be used
+ *                 for signatures during the handshake. Hashes for message
+ *                 authentication and the TLS PRF are controlled by the
+ *                 ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes
+ *                 used for certificate signature are controlled by the
+ *                 verification profile, see \c mbedtls_ssl_conf_cert_profile().
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred hash first).
+ *
+ * \param conf     SSL configuration
+ * \param hashes   Ordered list of allowed signature hashes,
+ *                 terminated by \c MBEDTLS_MD_NONE.
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+                                  const int *hashes );
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set or reset the hostname to check against the received
+ *                 server certificate. It sets the ServerName TLS extension,
+ *                 too, if that extension is enabled. (client-side only)
+ *
+ * \param ssl      SSL context
+ * \param hostname the server hostname, may be NULL to clear hostname
+
+ * \note           Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
+ *
+ * \return         0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
+ *                 allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
+ *                 too long input hostname.
+ *
+ *                 Hostname set to the one provided on success (cleared
+ *                 when NULL). On allocation failure hostname is cleared.
+ *                 On too long input failure, old hostname is unchanged.
+ */
+int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+/**
+ * \brief          Set own certificate and key for the current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_own_cert() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *own_cert,
+                                 mbedtls_pk_context *pk_key );
+
+/**
+ * \brief          Set the data required to verify peer certificate for the
+ *                 current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_ca_chain() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
+                                  mbedtls_x509_crt *ca_chain,
+                                  mbedtls_x509_crl *ca_crl );
+
+/**
+ * \brief          Set authmode for the current handshake.
+ *
+ * \note           Same as \c mbedtls_ssl_conf_authmode() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
+ *                 MBEDTLS_SSL_VERIFY_REQUIRED
+ */
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+                                  int authmode );
+
+/**
+ * \brief          Set server side ServerName TLS extension callback
+ *                 (optional, server-side only).
+ *
+ *                 If set, the ServerName callback is called whenever the
+ *                 server receives a ServerName TLS extension from the client
+ *                 during a handshake. The ServerName callback has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_context *ssl,
+ *                 const unsigned char *hostname, size_t len). If a suitable
+ *                 certificate is found, the callback must set the
+ *                 certificate(s) and key(s) to use with \c
+ *                 mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
+ *                 and may optionally adjust the CA and associated CRL with \c
+ *                 mbedtls_ssl_set_hs_ca_chain() as well as the client
+ *                 authentication mode with \c mbedtls_ssl_set_hs_authmode(),
+ *                 then must return 0. If no matching name is found, the
+ *                 callback must either set a default cert, or
+ *                 return non-zero to abort the handshake at this point.
+ *
+ * \param conf     SSL configuration
+ * \param f_sni    verification function
+ * \param p_sni    verification parameter
+ */
+void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
+                  int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *,
+                               size_t),
+                  void *p_sni );
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/**
+ * \brief          Set the EC J-PAKE password for current handshake.
+ *
+ * \note           An internal copy is made, and destroyed as soon as the
+ *                 handshake is completed, or when the SSL context is reset or
+ *                 freed.
+ *
+ * \note           The SSL context needs to be already set up. The right place
+ *                 to call this function is between \c mbedtls_ssl_setup() or
+ *                 \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake().
+ *
+ * \param ssl      SSL context
+ * \param pw       EC J-PAKE password (pre-shared secret)
+ * \param pw_len   length of pw in bytes
+ *
+ * \return         0 on success, or a negative error code.
+ */
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
+                                         const unsigned char *pw,
+                                         size_t pw_len );
+#endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+/**
+ * \brief          Set the supported Application Layer Protocols.
+ *
+ * \param conf     SSL configuration
+ * \param protos   Pointer to a NULL-terminated list of supported protocols,
+ *                 in decreasing preference order. The pointer to the list is
+ *                 recorded by the library for later reference as required, so
+ *                 the lifetime of the table must be atleast as long as the
+ *                 lifetime of the SSL configuration structure.
+ *
+ * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
+ */
+int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos );
+
+/**
+ * \brief          Get the name of the negotiated Application Layer Protocol.
+ *                 This function should be called after the handshake is
+ *                 completed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Protcol name, or NULL if no protocol was negotiated.
+ */
+const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_ALPN */
+
+/**
+ * \brief          Set the maximum supported version sent from the client side
+ *                 and/or accepted at the server side
+ *                 (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)
+ *
+ * \note           This ignores ciphersuites from higher versions.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
+
+/**
+ * \brief          Set the minimum accepted SSL/TLS protocol version
+ *                 (Default: TLS 1.0)
+ *
+ * \note           Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                 SSL_MIN_XXXXX_VERSION range is ignored.
+ *
+ * \note           MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the fallback flag (client-side only).
+ *                 (Default: MBEDTLS_SSL_IS_NOT_FALLBACK).
+ *
+ * \note           Set to MBEDTLS_SSL_IS_FALLBACK when preparing a fallback
+ *                 connection, that is a connection with max_version set to a
+ *                 lower value than the value you're willing to use. Such
+ *                 fallback connections are not recommended but are sometimes
+ *                 necessary to interoperate with buggy (version-intolerant)
+ *                 servers.
+ *
+ * \warning        You should NOT set this to MBEDTLS_SSL_IS_FALLBACK for
+ *                 non-fallback connections! This would appear to work for a
+ *                 while, then cause failures when the server is upgraded to
+ *                 support a newer TLS version.
+ *
+ * \param conf     SSL configuration
+ * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK
+ */
+void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback );
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+/**
+ * \brief           Enable or disable Encrypt-then-MAC
+ *                  (Default: MBEDTLS_SSL_ETM_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security
+ *                  improvement, and should not cause any interoperability
+ *                  issue (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param etm       MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED
+ */
+void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+/**
+ * \brief           Enable or disable Extended Master Secret negotiation.
+ *                  (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security fix to the
+ *                  protocol, and should not cause any interoperability issue
+ *                  (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param ems       MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
+ */
+void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_ARC4_C)
+/**
+ * \brief          Disable or enable support for RC4
+ *                 (Default: MBEDTLS_SSL_ARC4_DISABLED)
+ *
+ * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
+ *                 for security reasons. Use at your own risk.
+ *
+ * \note           This function is deprecated and will likely be removed in
+ *                 a future version of the library.
+ *                 RC4 is disabled by default at compile time and needs to be
+ *                 actively enabled for use with legacy systems.
+ *
+ * \param conf     SSL configuration
+ * \param arc4     MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
+ */
+void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Whether to send a list of acceptable CAs in
+ *                 CertificateRequest messages.
+ *                 (Default: do send)
+ *
+ * \param conf     SSL configuration
+ * \param cert_req_ca_list   MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
+ *                          MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
+ */
+void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
+                                          char cert_req_ca_list );
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Set the maximum fragment length to emit and/or negotiate.
+ *                 (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and
+ *                 #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes)
+ *                 (Server: set maximum fragment length to emit,
+ *                 usually negotiated by the client during handshake)
+ *                 (Client: set maximum fragment length to emit *and*
+ *                 negotiate with the server during handshake)
+ *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+ *
+ * \note           On the client side, the maximum fragment length extension
+ *                 *will not* be used, unless the maximum fragment length has
+ *                 been set via this function to a value different than
+ *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
+ *
+ * \note           This sets the maximum length for a record's payload,
+ *                 excluding record overhead that will be added to it, see
+ *                 \c mbedtls_ssl_get_record_expansion().
+ *
+ * \note           With TLS, this currently only affects ApplicationData (sent
+ *                 with \c mbedtls_ssl_read()), not handshake messages.
+ *                 With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note           For DTLS, it is also possible to set a limit for the total
+ *                 size of daragrams passed to the transport layer, including
+ *                 record overhead, see \c mbedtls_ssl_set_mtu().
+ *
+ * \param conf     SSL configuration
+ * \param mfl_code Code for maximum fragment length (allowed values:
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_512,  MBEDTLS_SSL_MAX_FRAG_LEN_1024,
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ */
+int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+/**
+ * \brief          Activate negotiation of truncated HMAC
+ *                 (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ *
+ * \param conf     SSL configuration
+ * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
+ *                                    MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ */
+void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+/**
+ * \brief          Enable / Disable 1/n-1 record splitting
+ *                 (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED)
+ *
+ * \note           Only affects SSLv3 and TLS 1.0, not higher versions.
+ *                 Does not affect non-CBC ciphersuites in any version.
+ *
+ * \param conf     SSL configuration
+ * \param split    MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or
+ *                 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+ */
+void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split );
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Enable / Disable session tickets (client only).
+ *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ *
+ * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
+ *
+ * \param conf     SSL configuration
+ * \param use_tickets   Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ *                                         MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enable / Disable renegotiation support for connection when
+ *                 initiated by peer
+ *                 (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ *
+ * \warning        It is recommended to always disable renegotation unless you
+ *                 know you need it and you know what you're doing. In the
+ *                 past, there have been several issues associated with
+ *                 renegotiation or a poor understanding of its properties.
+ *
+ * \note           Server-side, enabling renegotiation also makes the server
+ *                 susceptible to a resource DoS by a malicious client.
+ *
+ * \param conf    SSL configuration
+ * \param renegotiation     Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or
+ *                                             MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ */
+void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Prevent or allow legacy renegotiation.
+ *                 (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
+ *
+ *                 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to
+ *                 be established even if the peer does not support
+ *                 secure renegotiation, but does not allow renegotiation
+ *                 to take place if not secure.
+ *                 (Interoperable and secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
+ *                 with non-upgraded peers. Allowing legacy renegotiation
+ *                 makes the connection vulnerable to specific man in the
+ *                 middle attacks. (See RFC 5746)
+ *                 (Most interoperable and least secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
+ *                 if peer does not support secure renegotiation. Results
+ *                 in interoperability issues with non-upgraded peers
+ *                 that do not support renegotiation altogether.
+ *                 (Most secure option, interoperability issues)
+ *
+ * \param conf     SSL configuration
+ * \param allow_legacy  Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
+ *                                        SSL_ALLOW_LEGACY_RENEGOTIATION or
+ *                                        MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
+ */
+void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enforce renegotiation requests.
+ *                 (Default: enforced, max_records = 16)
+ *
+ *                 When we request a renegotiation, the peer can comply or
+ *                 ignore the request. This function allows us to decide
+ *                 whether to enforce our renegotiation requests by closing
+ *                 the connection if the peer doesn't comply.
+ *
+ *                 However, records could already be in transit from the peer
+ *                 when the request is emitted. In order to increase
+ *                 reliability, we can accept a number of records before the
+ *                 expected handshake records.
+ *
+ *                 The optimal value is highly dependent on the specific usage
+ *                 scenario.
+ *
+ * \note           With DTLS and server-initiated renegotiation, the
+ *                 HelloRequest is retransmited every time mbedtls_ssl_read() times
+ *                 out or receives Application Data, until:
+ *                 - max_records records have beens seen, if it is >= 0, or
+ *                 - the number of retransmits that would happen during an
+ *                 actual handshake has been reached.
+ *                 Please remember the request might be lost a few times
+ *                 if you consider setting max_records to a really low value.
+ *
+ * \warning        On client, the grace period can only happen during
+ *                 mbedtls_ssl_read(), as opposed to mbedtls_ssl_write() and mbedtls_ssl_renegotiate()
+ *                 which always behave as if max_record was 0. The reason is,
+ *                 if we receive application data from the server, we need a
+ *                 place to write it, which only happens during mbedtls_ssl_read().
+ *
+ * \param conf     SSL configuration
+ * \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
+ *                 enforce renegotiation, or a non-negative value to enforce
+ *                 it but allow for a grace period of max_records records.
+ */
+void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records );
+
+/**
+ * \brief          Set record counter threshold for periodic renegotiation.
+ *                 (Default: 2^48 - 1)
+ *
+ *                 Renegotiation is automatically triggered when a record
+ *                 counter (outgoing or ingoing) crosses the defined
+ *                 threshold. The default value is meant to prevent the
+ *                 connection from being closed when the counter is about to
+ *                 reached its maximal value (it is not allowed to wrap).
+ *
+ *                 Lower values can be used to enforce policies such as "keys
+ *                 must be refreshed every N packets with cipher X".
+ *
+ *                 The renegotiation period can be disabled by setting
+ *                 conf->disable_renegotiation to
+ *                 MBEDTLS_SSL_RENEGOTIATION_DISABLED.
+ *
+ * \note           When the configured transport is
+ *                 MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation
+ *                 period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM,
+ *                 the maximum renegotiation period is 2^64 - 1.
+ *
+ * \param conf     SSL configuration
+ * \param period   The threshold value: a big-endian 64-bit number.
+ */
+void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+                                   const unsigned char period[8] );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Check if there is data already read from the
+ *                 underlying transport but not yet processed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if nothing's pending, 1 otherwise.
+ *
+ * \note           This is different in purpose and behaviour from
+ *                 \c mbedtls_ssl_get_bytes_avail in that it considers
+ *                 any kind of unprocessed data, not only unread
+ *                 application data. If \c mbedtls_ssl_get_bytes
+ *                 returns a non-zero value, this function will
+ *                 also signal pending data, but the converse does
+ *                 not hold. For example, in DTLS there might be
+ *                 further records waiting to be processed from
+ *                 the current underlying transport's datagram.
+ *
+ * \note           If this function returns 1 (data pending), this
+ *                 does not imply that a subsequent call to
+ *                 \c mbedtls_ssl_read will provide any data;
+ *                 e.g., the unprocessed data might turn out
+ *                 to be an alert or a handshake message.
+ *
+ * \note           This function is useful in the following situation:
+ *                 If the SSL/TLS module successfully returns from an
+ *                 operation - e.g. a handshake or an application record
+ *                 read - and you're awaiting incoming data next, you
+ *                 must not immediately idle on the underlying transport
+ *                 to have data ready, but you need to check the value
+ *                 of this function first. The reason is that the desired
+ *                 data might already be read but not yet processed.
+ *                 If, in contrast, a previous call to the SSL/TLS module
+ *                 returned MBEDTLS_ERR_SSL_WANT_READ, it is not necessary
+ *                 to call this function, as the latter error code entails
+ *                 that all internal data has been processed.
+ *
+ */
+int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the number of application data bytes
+ *                 remaining to be read from the current record.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         How many bytes are available in the application
+ *                 data record read buffer.
+ *
+ * \note           When working over a datagram transport, this is
+ *                 useful to detect the current datagram's boundary
+ *                 in case \c mbedtls_ssl_read has written the maximal
+ *                 amount of data fitting into the input buffer.
+ *
+ */
+size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the result of the certificate verification
+ *
+ * \param ssl      The SSL context to use.
+ *
+ * \return         \c 0 if the certificate verification was successful.
+ * \return         \c -1u if the result is not available. This may happen
+ *                 e.g. if the handshake aborts early, or a verification
+ *                 callback returned a fatal error.
+ * \return         A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX
+ *                 and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.
+ */
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the name of the current ciphersuite
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the current SSL version (SSLv3/TLSv1/etc)
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the SSL version
+ */
+const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the (maximum) number of bytes added by the record
+ *                 layer: header + encryption/MAC overhead (inc. padding)
+ *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum record expansion in bytes, or
+ *                 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if compression is
+ *                 enabled, which makes expansion much less predictable
+ */
+int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Return the maximum fragment length (payload, in bytes).
+ *                 This is the value negotiated with peer if any,
+ *                 or the locally configured value.
+ *
+ * \sa             mbedtls_ssl_conf_max_frag_len()
+ * \sa             mbedtls_ssl_get_max_record_payload()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum fragment length.
+ */
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+/**
+ * \brief          Return the current maximum outgoing record payload in bytes.
+ *                 This takes into account the config.h setting \c
+ *                 MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated
+ *                 max fragment length extension if used, and for DTLS the
+ *                 path MTU as configured and current record expansion.
+ *
+ * \note           With DTLS, \c mbedtls_ssl_write() will return an error if
+ *                 called with a larger length value.
+ *                 With TLS, \c mbedtls_ssl_write() will fragment the input if
+ *                 necessary and return the number of bytes written; it is up
+ *                 to the caller to call \c mbedtls_ssl_write() again in
+ *                 order to send the remaining bytes if any.
+ *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
+ * \sa             mbedtls_ssl_set_mtu()
+ * \sa             mbedtls_ssl_get_max_frag_len()
+ * \sa             mbedtls_ssl_get_record_expansion()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum payload for an outgoing record,
+ *                 or a negative error code.
+ */
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Return the peer certificate from the current connection
+ *
+ *                 Note: Can be NULL in case no certificate was sent during
+ *                 the handshake. Different calls for the same connection can
+ *                 return the same or different pointers for the same
+ *                 certificate and even a different certificate altogether.
+ *                 The peer cert CAN change in a single connection if
+ *                 renegotiation is performed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         the current peer certificate
+ */
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Save session in order to resume it later (client-side only)
+ *                 Session data is copied to presented session structure.
+ *
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid.
+ *
+ * \note           Only the server certificate is copied, and not the full chain,
+ *                 so you should not attempt to validate the certificate again
+ *                 by calling \c mbedtls_x509_crt_verify() on it.
+ *                 Instead, you should use the results from the verification
+ *                 in the original handshake by calling \c mbedtls_ssl_get_verify_result()
+ *                 after loading the session again into a new SSL context
+ *                 using \c mbedtls_ssl_set_session().
+ *
+ * \note           Once the session object is not needed anymore, you should
+ *                 free it by calling \c mbedtls_ssl_session_free().
+ *
+ * \sa             mbedtls_ssl_set_session()
+ */
+int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief          Perform the SSL handshake
+ *
+ * \param ssl      SSL context
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
+ *                 and the client did not demonstrate reachability yet - in
+ *                 this case you must stop using the context (see below).
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           If DTLS is in use, then you may choose to handle
+ *                 #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
+ *                 purposes, as it is an expected return value rather than an
+ *                 actual error, but you still need to reset/free the context.
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                 from the underlying transport layer is currently being processed,
+ *                 and it is safe to idle until the timer or the underlying transport
+ *                 signal a new event. This is not true for a successful handshake,
+ *                 in which case the datagram of the underlying transport that is
+ *                 currently being processed might or might not contain further
+ *                 DTLS records.
+ */
+int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Perform a single step of the SSL handshake
+ *
+ * \note           The state of the context (ssl->state) will be at
+ *                 the next state after this function returns \c 0. Do not
+ *                 call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         See mbedtls_ssl_handshake().
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
+ */
+int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Initiate an SSL renegotiation on the running connection.
+ *                 Client: perform the renegotiation right now.
+ *                 Server: request renegotiation, which will be performed
+ *                 during the next call to mbedtls_ssl_read() if honored by
+ *                 client.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if successful, or any mbedtls_ssl_handshake() return
+ *                 value except #MBEDTLS_ERR_SSL_CLIENT_RECONNECT that can't
+ *                 happen during a renegotiation.
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
+ *
+ */
+int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Read at most 'len' application data bytes
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer that will hold the data
+ * \param len      maximum number of bytes to read
+ *
+ * \return         The (positive) number of bytes read if successful.
+ * \return         \c 0 if the read end of the underlying transport was closed
+ *                 - in this case you must stop using the context (see below).
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
+ *                 side of a DTLS connection and the client is initiating a
+ *                 new connection using the same source port. See below.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a positive value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ *                 (which can only happen server-side), it means that a client
+ *                 is initiating a new connection using the same source port.
+ *                 You can either treat that as a connection close and wait
+ *                 for the client to resend a ClientHello, or directly
+ *                 continue with \c mbedtls_ssl_handshake() with the same
+ *                 context (as it has been reset internally). Either way, you
+ *                 must make sure this is seen by the application as a new
+ *                 connection: application state, if any, should be reset, and
+ *                 most importantly the identity of the client must be checked
+ *                 again. WARNING: not validating the identity of the client
+ *                 again, or not transmitting the new identity to the
+ *                 application layer, would allow authentication bypass!
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 - If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                   from the underlying transport layer is currently being processed,
+ *                   and it is safe to idle until the timer or the underlying transport
+ *                   signal a new event.
+ *                 - This function may return MBEDTLS_ERR_SSL_WANT_READ even if data was
+ *                   initially available on the underlying transport, as this data may have
+ *                   been only e.g. duplicated messages or a renegotiation request.
+ *                   Therefore, you must be prepared to receive MBEDTLS_ERR_SSL_WANT_READ even
+ *                   when reacting to an incoming-data event from the underlying transport.
+ *                 - On success, the datagram of the underlying transport that is currently
+ *                   being processed may contain further DTLS records. You should call
+ *                   \c mbedtls_ssl_check_pending to check for remaining records.
+ *
+ */
+int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len );
+
+/**
+ * \brief          Try to write exactly 'len' application data bytes
+ *
+ * \warning        This function will do partial writes in some cases. If the
+ *                 return value is non-negative but less than length, the
+ *                 function must be called again with updated arguments:
+ *                 buf + ret, len - ret (if ret is the return value) until
+ *                 it returns a value equal to the last 'len' argument.
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer holding the data
+ * \param len      how many bytes must be written
+ *
+ * \return         The (non-negative) number of bytes actually written if
+ *                 successful (may be less than \p len).
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a non-negative value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ,
+ *                 it must be called later with the *same* arguments,
+ *                 until it returns a value greater that or equal to 0. When
+ *                 the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be
+ *                 some partial data in the output buffer, however this is not
+ *                 yet sent.
+ *
+ * \note           If the requested length is greater than the maximum
+ *                 fragment length (either the built-in limit or the one set
+ *                 or negotiated with the peer), then:
+ *                 - with TLS, less bytes than requested are written.
+ *                 - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
+ *                 \c mbedtls_ssl_get_max_frag_len() may be used to query the
+ *                 active maximum fragment length.
+ *
+ * \note           Attempting to write 0 bytes will result in an empty TLS
+ *                 application record being sent.
+ */
+int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len );
+
+/**
+ * \brief           Send an alert message
+ *
+ * \param ssl       SSL context
+ * \param level     The alert level of the message
+ *                  (MBEDTLS_SSL_ALERT_LEVEL_WARNING or MBEDTLS_SSL_ALERT_LEVEL_FATAL)
+ * \param message   The alert message (SSL_ALERT_MSG_*)
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
+                            unsigned char level,
+                            unsigned char message );
+/**
+ * \brief          Notify the peer that the connection is being closed
+ *
+ * \param ssl      SSL context
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Free referenced items in an SSL context and clear memory
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_free( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Initialize an SSL configuration context
+ *                 Just makes the context ready for
+ *                 mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
+ *
+ * \note           You need to call mbedtls_ssl_config_defaults() unless you
+ *                 manually set all of the relevant fields yourself.
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Load reasonnable default SSL configuration values.
+ *                 (You need to call mbedtls_ssl_config_init() first.)
+ *
+ * \param conf     SSL configuration context
+ * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
+ * \param preset   a MBEDTLS_SSL_PRESET_XXX value
+ *
+ * \note           See \c mbedtls_ssl_conf_transport() for notes on DTLS.
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.
+ */
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
+                                 int endpoint, int transport, int preset );
+
+/**
+ * \brief          Free an SSL configuration context
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_free( mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Initialize SSL session structure
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_init( mbedtls_ssl_session *session );
+
+/**
+ * \brief          Free referenced items in an SSL session including the
+ *                 peer certificate and clear memory
+ *
+ * \note           A session object can be freed even if the SSL context
+ *                 that was used to retrieve the session is still in use.
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_free( mbedtls_ssl_session *session );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ssl_cache.h b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_cache.h
new file mode 100644
index 00000000..52ba0948
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_cache.h
@@ -0,0 +1,150 @@
+/**
+ * \file ssl_cache.h
+ *
+ * \brief SSL session cache implementation
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_CACHE_H
+#define MBEDTLS_SSL_CACHE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT)
+#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400   /*!< 1 day  */
+#endif
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES)
+#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50   /*!< Maximum entries in cache */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct mbedtls_ssl_cache_context mbedtls_ssl_cache_context;
+typedef struct mbedtls_ssl_cache_entry mbedtls_ssl_cache_entry;
+
+/**
+ * \brief   This structure is used for storing cache entries
+ */
+struct mbedtls_ssl_cache_entry
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t timestamp;           /*!< entry timestamp    */
+#endif
+    mbedtls_ssl_session session;        /*!< entry session      */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_buf peer_cert;         /*!< entry peer_cert    */
+#endif
+    mbedtls_ssl_cache_entry *next;      /*!< chain pointer      */
+};
+
+/**
+ * \brief Cache context
+ */
+struct mbedtls_ssl_cache_context
+{
+    mbedtls_ssl_cache_entry *chain;     /*!< start of the chain     */
+    int timeout;                /*!< cache entry timeout    */
+    int max_entries;            /*!< maximum entries        */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+#endif
+};
+
+/**
+ * \brief          Initialize an SSL cache context
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache );
+
+/**
+ * \brief          Cache get callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to retrieve entry for
+ */
+int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session );
+
+/**
+ * \brief          Cache set callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to store entry for
+ */
+int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session );
+
+#if defined(MBEDTLS_HAVE_TIME)
+/**
+ * \brief          Set the cache timeout
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT (1 day))
+ *
+ *                 A timeout of 0 indicates no timeout.
+ *
+ * \param cache    SSL cache context
+ * \param timeout  cache entry timeout in seconds
+ */
+void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout );
+#endif /* MBEDTLS_HAVE_TIME */
+
+/**
+ * \brief          Set the maximum number of cache entries
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES (50))
+ *
+ * \param cache    SSL cache context
+ * \param max      cache entry maximum
+ */
+void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max );
+
+/**
+ * \brief          Free referenced items in a cache context and clear memory
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cache.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h
new file mode 100644
index 00000000..71053e5b
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h
@@ -0,0 +1,540 @@
+/**
+ * \file ssl_ciphersuites.h
+ *
+ * \brief SSL Ciphersuites for mbed TLS
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_CIPHERSUITES_H
+#define MBEDTLS_SSL_CIPHERSUITES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "pk.h"
+#include "cipher.h"
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Supported ciphersuites (Official IANA names)
+ */
+#define MBEDTLS_TLS_RSA_WITH_NULL_MD5                    0x01   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA                    0x02   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_MD5                 0x04
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_SHA                 0x05
+#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA                 0x09   /**< Weak! Not in TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA            0x0A
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA             0x15   /**< Weak! Not in TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        0x16
+
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA                    0x2C   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA                0x2D   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA                0x2E   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA             0x2F
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA         0x33
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA             0x35
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA         0x39
+
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA256                 0x3B   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256          0x3C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        0x41
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    0x45
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      0x67   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      0x6B   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        0x84
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    0x88
+
+#define MBEDTLS_TLS_PSK_WITH_RC4_128_SHA                 0x8A
+#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA            0x8B
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA             0x8C
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA             0x8D
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA             0x8E
+#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        0x8F
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA         0x90
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA         0x91
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA             0x92
+#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        0x93
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA         0x94
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA         0x95
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256          0x9C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384          0x9D   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      0x9E   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      0x9F   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256          0xA8   /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384          0xA9   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      0xAA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      0xAB   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      0xAC   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      0xAD   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256          0xAE
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384          0xAF
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA256                 0xB0   /**< Weak! */
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA384                 0xB1   /**< Weak! */
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      0xB2
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      0xB3
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256             0xB4   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384             0xB5   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      0xB6
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      0xB7
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256             0xB8   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384             0xB9   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     0xBA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     0xC0   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA             0xC001 /**< Weak! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA          0xC002 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA     0xC003 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      0xC004 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      0xC005 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA            0xC006 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         0xC007 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    0xC008 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     0xC009 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     0xC00A /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA               0xC00B /**< Weak! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA            0xC00C /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA       0xC00D /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        0xC00E /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        0xC00F /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA              0xC010 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA           0xC011 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      0xC012 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       0xC013 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       0xC014 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   0xC025 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   0xC026 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    0xC027 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    0xC028 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     0xC029 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     0xC02A /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   0xC02D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   0xC02E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    0xC02F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    0xC030 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     0xC031 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     0xC032 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA           0xC033 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      0xC034 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       0xC036 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    0xC038 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA              0xC039 /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256           0xC03A /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384           0xC03B /**< Weak! No SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256         0xC03C /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384         0xC03D /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256     0xC044 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384     0xC045 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256  0xC04A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384  0xC04B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256   0xC04C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384   0xC04D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256    0xC04E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384    0xC04F /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256         0xC050 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384         0xC051 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256     0xC052 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384     0xC053 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256  0xC05E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384  0xC05F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256   0xC060 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384   0xC061 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256    0xC062 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384    0xC063 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256         0xC064 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384         0xC065 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256     0xC066 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384     0xC067 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256     0xC068 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384     0xC069 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256         0xC06A /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384         0xC06B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256     0xC06C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384     0xC06D /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256     0xC06E /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384     0xC06F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256   0xC070 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384   0xC071 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0xC074 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  0xC075 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   0xC076 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   0xC077 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    0xC078 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    0xC079 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256         0xC07A /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384         0xC07B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256     0xC07C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384     0xC07D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  0xC088 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  0xC089 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256   0xC08A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384   0xC08B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256    0xC08C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384    0xC08D /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256       0xC08E /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384       0xC08F /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC090 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC091 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC092 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC093 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256       0xC094
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384       0xC095
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC096
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC097
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC098
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC099
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM                0xC09C  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM                0xC09D  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM            0xC09E  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM            0xC09F  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8              0xC0A0  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8              0xC0A1  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8          0xC0A2  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8          0xC0A3  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM                0xC0A4  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM                0xC0A5  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM            0xC0A6  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM            0xC0A7  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8              0xC0A8  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8              0xC0A9  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8          0xC0AA  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8          0xC0AB  /**< TLS 1.2 */
+/* The last two are named with PSK_DHE in the RFC, which looks like a typo */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM        0xC0AC  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM        0xC0AD  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8      0xC0AE  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8      0xC0AF  /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8          0xC0FF  /**< experimental */
+
+/* RFC 7905 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xCCA8 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCCAA /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256         0xCCAB /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256   0xCCAC /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAD /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAE /**< TLS 1.2 */
+
+/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
+ * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
+ */
+typedef enum {
+    MBEDTLS_KEY_EXCHANGE_NONE = 0,
+    MBEDTLS_KEY_EXCHANGE_RSA,
+    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_PSK,
+    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+} mbedtls_key_exchange_type_t;
+
+/* Key exchanges using a certificate */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
+#endif
+
+/* Key exchanges allowing client certificate requests */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)    ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED
+#endif
+
+/* Key exchanges involving server signature in ServerKeyExchange */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED
+#endif
+
+/* Key exchanges using ECDH */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED
+#endif
+
+/* Key exchanges that don't involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED
+#endif
+
+/* Key exchanges that involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED
+#endif
+
+/* Key exchanges using a PSK */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
+#endif
+
+/* Key exchanges using DHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED
+#endif
+
+/* Key exchanges using ECDHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
+#endif
+
+typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
+
+#define MBEDTLS_CIPHERSUITE_WEAK       0x01    /**< Weak ciphersuite flag  */
+#define MBEDTLS_CIPHERSUITE_SHORT_TAG  0x02    /**< Short authentication tag,
+                                                     eg for CCM_8 */
+#define MBEDTLS_CIPHERSUITE_NODTLS     0x04    /**< Can't be used with DTLS */
+
+/**
+ * \brief   This structure is used for storing ciphersuite information
+ */
+struct mbedtls_ssl_ciphersuite_t
+{
+    int id;
+    const char * name;
+
+    mbedtls_cipher_type_t cipher;
+    mbedtls_md_type_t mac;
+    mbedtls_key_exchange_type_t key_exchange;
+
+    int min_major_ver;
+    int min_minor_ver;
+    int max_major_ver;
+    int max_minor_ver;
+
+    unsigned char flags;
+};
+
+const int *mbedtls_ssl_list_ciphersuites( void );
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id );
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
+#endif
+
+int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
+int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ciphersuites.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ssl_cookie.h b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_cookie.h
new file mode 100644
index 00000000..e34760ae
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_cookie.h
@@ -0,0 +1,115 @@
+/**
+ * \file ssl_cookie.h
+ *
+ * \brief DTLS cookie callbacks implementation
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_COOKIE_H
+#define MBEDTLS_SSL_COOKIE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+#ifndef MBEDTLS_SSL_COOKIE_TIMEOUT
+#define MBEDTLS_SSL_COOKIE_TIMEOUT     60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Context for the default cookie functions.
+ */
+typedef struct mbedtls_ssl_cookie_ctx
+{
+    mbedtls_md_context_t    hmac_ctx;   /*!< context for the HMAC portion   */
+#if !defined(MBEDTLS_HAVE_TIME)
+    unsigned long   serial;     /*!< serial number for expiration   */
+#endif
+    unsigned long   timeout;    /*!< timeout delay, in seconds if HAVE_TIME,
+                                     or in number of tickets issued */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_ssl_cookie_ctx;
+
+/**
+ * \brief          Initialize cookie context
+ */
+void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx );
+
+/**
+ * \brief          Setup cookie context (generate keys)
+ */
+int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief          Set expiration delay for cookies
+ *                 (Default MBEDTLS_SSL_COOKIE_TIMEOUT)
+ *
+ * \param ctx      Cookie contex
+ * \param delay    Delay, in seconds if HAVE_TIME, or in number of cookies
+ *                 issued in the meantime.
+ *                 0 to disable expiration (NOT recommended)
+ */
+void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay );
+
+/**
+ * \brief          Free cookie context
+ */
+void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx );
+
+/**
+ * \brief          Generate cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_write_t mbedtls_ssl_cookie_write;
+
+/**
+ * \brief          Verify cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_check_t mbedtls_ssl_cookie_check;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cookie.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ssl_internal.h b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_internal.h
new file mode 100644
index 00000000..bd5ad94d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_internal.h
@@ -0,0 +1,782 @@
+/**
+ * \file ssl_internal.h
+ *
+ * \brief Internal functions shared by the SSL modules
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_INTERNAL_H
+#define MBEDTLS_SSL_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+#include "cipher.h"
+
+#if defined(MBEDTLS_MD5_C)
+#include "md5.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "sha512.h"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#include "ecjpake.h"
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Determine minimum supported version */
+#define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+
+#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
+#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
+
+/* Determine maximum supported version */
+#define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+/* Shorthand for restartable ECC */
+#if defined(MBEDTLS_ECP_RESTARTABLE) && \
+    defined(MBEDTLS_SSL_CLI_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_SSL__ECP_RESTARTABLE
+#endif
+
+#define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
+#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
+#define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
+#define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
+
+/*
+ * DTLS retransmission states, see RFC 6347 4.2.4
+ *
+ * The SENDING state is merged in PREPARING for initial sends,
+ * but is distinct for resends.
+ *
+ * Note: initial state is wrong for server, but is not used anyway.
+ */
+#define MBEDTLS_SSL_RETRANS_PREPARING       0
+#define MBEDTLS_SSL_RETRANS_SENDING         1
+#define MBEDTLS_SSL_RETRANS_WAITING         2
+#define MBEDTLS_SSL_RETRANS_FINISHED        3
+
+/*
+ * Allow extra bytes for record, authentication and encryption overhead:
+ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
+ * and allow for a maximum of 1024 of compression expansion if
+ * enabled.
+ */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+#define MBEDTLS_SSL_COMPRESSION_ADD          1024
+#else
+#define MBEDTLS_SSL_COMPRESSION_ADD             0
+#endif
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
+/* Ciphersuites using HMAC */
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
+#elif defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
+#else
+#define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
+#endif
+#else
+/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
+#define MBEDTLS_SSL_MAC_ADD                 16
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_SSL_PADDING_ADD            256
+#else
+#define MBEDTLS_SSL_PADDING_ADD              0
+#endif
+
+#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
+                                       MBEDTLS_MAX_IV_LENGTH +          \
+                                       MBEDTLS_SSL_MAC_ADD +            \
+                                       MBEDTLS_SSL_PADDING_ADD          \
+                                       )
+
+#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                     ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
+
+#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                      ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
+
+/* The maximum number of buffered handshake messages. */
+#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
+
+/* Maximum length we can advertise as our max content length for
+   RFC 6066 max_fragment_length extension negotiation purposes
+   (the lesser of both sizes, if they are unequal.)
+ */
+#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
+        (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
+        ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
+        : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
+        )
+
+/*
+ * Check that we obey the standard's message size bounds
+ */
+
+#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
+#error "Bad configuration - record content too large."
+#endif
+
+#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - incoming protected record payload too large."
+#endif
+
+#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - outgoing protected record payload too large."
+#endif
+
+/* Calculate buffer sizes */
+
+/* Note: Even though the TLS record header is only 5 bytes
+   long, we're internally using 8 bytes to store the
+   implicit sequence number. */
+#define MBEDTLS_SSL_HEADER_LEN 13
+
+#define MBEDTLS_SSL_IN_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
+
+#define MBEDTLS_SSL_OUT_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
+
+#ifdef MBEDTLS_ZLIB_SUPPORT
+/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
+#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
+        ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN )      \
+        ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
+        : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
+        )
+#endif
+
+/*
+ * TLS extension flags (for extensions with outgoing ServerHello content
+ * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
+ * of state of the renegotiation flag, so no indicator is required)
+ */
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Abstraction for a grid of allowed signature-hash-algorithm pairs.
+ */
+struct mbedtls_ssl_sig_hash_set_t
+{
+    /* At the moment, we only need to remember a single suitable
+     * hash algorithm per signature algorithm. As long as that's
+     * the case - and we don't need a general lookup function -
+     * we can implement the sig-hash-set as a map from signatures
+     * to hash algorithms. */
+    mbedtls_md_type_t rsa;
+    mbedtls_md_type_t ecdsa;
+};
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/*
+ * This structure contains the parameters only needed during handshake.
+ */
+struct mbedtls_ssl_handshake_params
+{
+    /*
+     * Handshake specific crypto variables
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
+#endif
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
+#if defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
+    size_t ecjpake_cache_len;                   /*!< Length of cached data */
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    unsigned char *psk;                 /*!<  PSK from the callback         */
+    size_t psk_len;                     /*!<  Length of PSK from callback   */
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    int sni_authmode;                   /*!< authmode from SNI callback     */
+    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
+    mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
+    mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    int ecrs_enabled;                   /*!< Handshake supports EC restart? */
+    mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
+    enum { /* this complements ssl->state with info on intra-state operations */
+        ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
+        ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
+        ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
+        ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
+        ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
+    } ecrs_state;                       /*!< current (or last) operation    */
+    size_t ecrs_n;                      /*!< place for saving a length      */
+#endif
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
+    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
+
+    unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
+                                              Srv: unused                    */
+    unsigned char verify_cookie_len;    /*!<  Cli: cookie length
+                                              Srv: flag for sending a cookie */
+
+    uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
+    unsigned char retransmit_state;     /*!<  Retransmission state           */
+    mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
+    mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
+    unsigned char *cur_msg_p;           /*!<  Position in current message    */
+    unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
+                                              flight being received          */
+    mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
+                                              resending messages             */
+    unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
+                                              for resending messages         */
+
+    struct
+    {
+        size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
+                                      *   buffers used for message buffering. */
+
+        uint8_t seen_ccs;               /*!< Indicates if a CCS message has
+                                         *   been seen in the current flight. */
+
+        struct mbedtls_ssl_hs_buffer
+        {
+            unsigned is_valid      : 1;
+            unsigned is_fragmented : 1;
+            unsigned is_complete   : 1;
+            unsigned char *data;
+            size_t data_len;
+        } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
+
+        struct
+        {
+            unsigned char *data;
+            size_t len;
+            unsigned epoch;
+        } future_record;
+
+    } buffering;
+
+    uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Checksum contexts
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+       mbedtls_md5_context fin_md5;
+      mbedtls_sha1_context fin_sha1;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_context fin_sha256;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_context fin_sha512;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
+    void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
+    void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
+    int  (*tls_prf)(const unsigned char *, size_t, const char *,
+                    const unsigned char *, size_t,
+                    unsigned char *, size_t);
+
+    size_t pmslen;                      /*!<  premaster length        */
+
+    unsigned char randbytes[64];        /*!<  random bytes            */
+    unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
+                                        /*!<  premaster secret        */
+
+    int resume;                         /*!<  session resume indicator*/
+    int max_major_ver;                  /*!< max. major version client*/
+    int max_minor_ver;                  /*!< max. minor version client*/
+    int cli_exts;                       /*!< client extension presence*/
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    int new_session_ticket;             /*!< use NewSessionTicket?    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    int extended_ms;                    /*!< use Extended Master Secret? */
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /** Asynchronous operation context. This field is meant for use by the
+     * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
+     * mbedtls_ssl_config::f_async_decrypt_start,
+     * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
+     * The library does not use it internally. */
+    void *user_async_ctx;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+};
+
+typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
+
+/*
+ * This structure contains a full set of runtime transform parameters
+ * either in negotiation or active.
+ */
+struct mbedtls_ssl_transform
+{
+    /*
+     * Session specific crypto layer
+     */
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+                                        /*!<  Chosen cipersuite_info  */
+    unsigned int keylen;                /*!<  symmetric key length (bytes)  */
+    size_t minlen;                      /*!<  min. ciphertext length  */
+    size_t ivlen;                       /*!<  IV length               */
+    size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
+    size_t maclen;                      /*!<  MAC length              */
+
+    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
+    unsigned char iv_dec[16];           /*!<  IV (decryption)         */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /* Needed only for SSL v3.0 secret */
+    unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
+    unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+    mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
+    mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
+
+    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
+    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
+
+    /*
+     * Session specific compression layer
+     */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    z_stream ctx_deflate;               /*!<  compression context     */
+    z_stream ctx_inflate;               /*!<  decompression context   */
+#endif
+};
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * List of certificate + private key pairs
+ */
+struct mbedtls_ssl_key_cert
+{
+    mbedtls_x509_crt *cert;                 /*!< cert                       */
+    mbedtls_pk_context *key;                /*!< private key                */
+    mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
+};
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * List of handshake messages kept around for resending
+ */
+struct mbedtls_ssl_flight_item
+{
+    unsigned char *p;       /*!< message, including handshake headers   */
+    size_t len;             /*!< length of p                            */
+    unsigned char type;     /*!< type of the message: handshake or CCS  */
+    mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
+};
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+                                                 mbedtls_pk_type_t sig_alg );
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+                                   mbedtls_pk_type_t sig_alg,
+                                   mbedtls_md_type_t md_alg );
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+                                          mbedtls_md_type_t md_alg );
+
+/* Setup an empty signature-hash set */
+static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
+{
+    mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/**
+ * \brief           Free referenced items in an SSL transform context and clear
+ *                  memory
+ *
+ * \param transform SSL transform context
+ */
+void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
+
+/**
+ * \brief           Free referenced items in an SSL handshake context and clear
+ *                  memory
+ *
+ * \param ssl       SSL context
+ */
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
+
+void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief       Update record layer
+ *
+ *              This function roughly separates the implementation
+ *              of the logic of (D)TLS from the implementation
+ *              of the secure transport.
+ *
+ * \param  ssl              The SSL context to use.
+ * \param  update_hs_digest This indicates if the handshake digest
+ *                          should be automatically updated in case
+ *                          a handshake message is found.
+ *
+ * \return      0 or non-zero error code.
+ *
+ * \note        A clarification on what is called 'record layer' here
+ *              is in order, as many sensible definitions are possible:
+ *
+ *              The record layer takes as input an untrusted underlying
+ *              transport (stream or datagram) and transforms it into
+ *              a serially multiplexed, secure transport, which
+ *              conceptually provides the following:
+ *
+ *              (1) Three datagram based, content-agnostic transports
+ *                  for handshake, alert and CCS messages.
+ *              (2) One stream- or datagram-based transport
+ *                  for application data.
+ *              (3) Functionality for changing the underlying transform
+ *                  securing the contents.
+ *
+ *              The interface to this functionality is given as follows:
+ *
+ *              a Updating
+ *                [Currently implemented by mbedtls_ssl_read_record]
+ *
+ *                Check if and on which of the four 'ports' data is pending:
+ *                Nothing, a controlling datagram of type (1), or application
+ *                data (2). In any case data is present, internal buffers
+ *                provide access to the data for the user to process it.
+ *                Consumption of type (1) datagrams is done automatically
+ *                on the next update, invalidating that the internal buffers
+ *                for previous datagrams, while consumption of application
+ *                data (2) is user-controlled.
+ *
+ *              b Reading of application data
+ *                [Currently manual adaption of ssl->in_offt pointer]
+ *
+ *                As mentioned in the last paragraph, consumption of data
+ *                is different from the automatic consumption of control
+ *                datagrams (1) because application data is treated as a stream.
+ *
+ *              c Tracking availability of application data
+ *                [Currently manually through decreasing ssl->in_msglen]
+ *
+ *                For efficiency and to retain datagram semantics for
+ *                application data in case of DTLS, the record layer
+ *                provides functionality for checking how much application
+ *                data is still available in the internal buffer.
+ *
+ *              d Changing the transformation securing the communication.
+ *
+ *              Given an opaque implementation of the record layer in the
+ *              above sense, it should be possible to implement the logic
+ *              of (D)TLS on top of it without the need to know anything
+ *              about the record layer's internals. This is done e.g.
+ *              in all the handshake handling functions, and in the
+ *              application data reading function mbedtls_ssl_read.
+ *
+ * \note        The above tries to give a conceptual picture of the
+ *              record layer, but the current implementation deviates
+ *              from it in some places. For example, our implementation of
+ *              the update functionality through mbedtls_ssl_read_record
+ *              discards datagrams depending on the current state, which
+ *              wouldn't fall under the record layer's responsibility
+ *              following the above definition.
+ *
+ */
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
+                             unsigned update_hs_digest );
+int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
+
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
+int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
+
+void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
+                            const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
+#endif
+
+#if defined(MBEDTLS_PK_C)
+unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
+#endif
+
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
+unsigned char mbedtls_ssl_hash_from_md_alg( int md );
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
+
+#if defined(MBEDTLS_ECP_C)
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
+                                mbedtls_md_type_t md );
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->key );
+}
+
+static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->cert );
+}
+
+/*
+ * Check usage of a certificate wrt extensions:
+ * keyUsage, extendedKeyUsage (later), and nSCertType (later).
+ *
+ * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
+ * check a cert we received from them)!
+ *
+ * Return 0 if everything is OK, -1 if not.
+ */
+int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                          int cert_endpoint,
+                          uint32_t *flags );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_write_version( int major, int minor, int transport,
+                        unsigned char ver[2] );
+void mbedtls_ssl_read_version( int *major, int *minor, int transport,
+                       const unsigned char ver[2] );
+
+static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 13 );
+#else
+    ((void) ssl);
+#endif
+    return( 5 );
+}
+
+static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 12 );
+#else
+    ((void) ssl);
+#endif
+    return( 4 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
+#endif
+
+/* Visible for testing purposes only */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
+#endif
+
+/* constant-time buffer comparison */
+static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+    {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return( diff );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        unsigned char *data, size_t data_len );
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
+                                            unsigned char *hash, size_t *hashlen,
+                                            unsigned char *data, size_t data_len,
+                                            mbedtls_md_type_t md_alg );
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_internal.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/ssl_ticket.h b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_ticket.h
new file mode 100644
index 00000000..774a007a
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/ssl_ticket.h
@@ -0,0 +1,142 @@
+/**
+ * \file ssl_ticket.h
+ *
+ * \brief TLS server ticket callbacks implementation
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_TICKET_H
+#define MBEDTLS_SSL_TICKET_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/*
+ * This implementation of the session ticket callbacks includes key
+ * management, rotating the keys periodically in order to preserve forward
+ * secrecy, when MBEDTLS_HAVE_TIME is defined.
+ */
+
+#include "ssl.h"
+#include "cipher.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Information for session ticket protection
+ */
+typedef struct mbedtls_ssl_ticket_key
+{
+    unsigned char name[4];          /*!< random key identifier              */
+    uint32_t generation_time;       /*!< key generation timestamp (seconds) */
+    mbedtls_cipher_context_t ctx;   /*!< context for auth enc/decryption    */
+}
+mbedtls_ssl_ticket_key;
+
+/**
+ * \brief   Context for session ticket handling functions
+ */
+typedef struct mbedtls_ssl_ticket_context
+{
+    mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys             */
+    unsigned char active;           /*!< index of the currently active key  */
+
+    uint32_t ticket_lifetime;       /*!< lifetime of tickets in seconds     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int  (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+}
+mbedtls_ssl_ticket_context;
+
+/**
+ * \brief           Initialize a ticket context.
+ *                  (Just make it ready for mbedtls_ssl_ticket_setup()
+ *                  or mbedtls_ssl_ticket_free().)
+ *
+ * \param ctx       Context to be initialized
+ */
+void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
+
+/**
+ * \brief           Prepare context to be actually used
+ *
+ * \param ctx       Context to be set up
+ * \param f_rng     RNG callback function
+ * \param p_rng     RNG callback context
+ * \param cipher    AEAD cipher to use for ticket protection.
+ *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
+ * \param lifetime  Tickets lifetime in seconds
+ *                  Recommended value: 86400 (one day).
+ *
+ * \note            It is highly recommended to select a cipher that is at
+ *                  least as strong as the the strongest ciphersuite
+ *                  supported. Usually that means a 256-bit key.
+ *
+ * \note            The lifetime of the keys is twice the lifetime of tickets.
+ *                  It is recommended to pick a reasonnable lifetime so as not
+ *                  to negate the benefits of forward secrecy.
+ *
+ * \return          0 if successful,
+ *                  or a specific MBEDTLS_ERR_XXX error code
+ */
+int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
+    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+    mbedtls_cipher_type_t cipher,
+    uint32_t lifetime );
+
+/**
+ * \brief           Implementation of the ticket write callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_write_t for description
+ */
+mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
+
+/**
+ * \brief           Implementation of the ticket parse callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_parse_t for description
+ */
+mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
+
+/**
+ * \brief           Free a context's content and zeroize it.
+ *
+ * \param ctx       Context to be cleaned up
+ */
+void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ticket.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/threading.h b/ctrtool/deps/libmbedtls/include/mbedtls/threading.h
new file mode 100644
index 00000000..92e6e6b9
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/threading.h
@@ -0,0 +1,122 @@
+/**
+ * \file threading.h
+ *
+ * \brief Threading abstraction layer
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_THREADING_H
+#define MBEDTLS_THREADING_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE         -0x001A  /**< The selected feature is not available. */
+
+#define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA              -0x001C  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_THREADING_MUTEX_ERROR                 -0x001E  /**< Locking / unlocking / free failed with error code. */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#include <pthread.h>
+typedef struct mbedtls_threading_mutex_t
+{
+    pthread_mutex_t mutex;
+    char is_valid;
+} mbedtls_threading_mutex_t;
+#endif
+
+#if defined(MBEDTLS_THREADING_ALT)
+/* You should define the mbedtls_threading_mutex_t type in your header */
+#include "threading_alt.h"
+
+/**
+ * \brief           Set your alternate threading implementation function
+ *                  pointers and initialize global mutexes. If used, this
+ *                  function must be called once in the main thread before any
+ *                  other mbed TLS function is called, and
+ *                  mbedtls_threading_free_alt() must be called once in the main
+ *                  thread after all other mbed TLS functions.
+ *
+ * \note            mutex_init() and mutex_free() don't return a status code.
+ *                  If mutex_init() fails, it should leave its argument (the
+ *                  mutex) in a state such that mutex_lock() will fail when
+ *                  called with this argument.
+ *
+ * \param mutex_init    the init function implementation
+ * \param mutex_free    the free function implementation
+ * \param mutex_lock    the lock function implementation
+ * \param mutex_unlock  the unlock function implementation
+ */
+void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t * ),
+                       void (*mutex_free)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_lock)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_unlock)( mbedtls_threading_mutex_t * ) );
+
+/**
+ * \brief               Free global mutexes.
+ */
+void mbedtls_threading_free_alt( void );
+#endif /* MBEDTLS_THREADING_ALT */
+
+#if defined(MBEDTLS_THREADING_C)
+/*
+ * The function pointers for mutex_init, mutex_free, mutex_ and mutex_unlock
+ *
+ * All these functions are expected to work or the result will be undefined.
+ */
+extern void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t *mutex );
+extern void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t *mutex );
+extern int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t *mutex );
+extern int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t *mutex );
+
+/*
+ * Global mutexes
+ */
+#if defined(MBEDTLS_FS_IO)
+extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+/* This mutex may or may not be used in the default definition of
+ * mbedtls_platform_gmtime_r(), but in order to determine that,
+ * we need to check POSIX features, hence modify _POSIX_C_SOURCE.
+ * With the current approach, this declaration is orphaned, lacking
+ * an accompanying definition, in case mbedtls_platform_gmtime_r()
+ * doesn't need it, but that's not a problem. */
+extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#endif /* MBEDTLS_THREADING_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* threading.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/timing.h b/ctrtool/deps/libmbedtls/include/mbedtls/timing.h
new file mode 100644
index 00000000..a965fe0d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/timing.h
@@ -0,0 +1,153 @@
+/**
+ * \file timing.h
+ *
+ * \brief Portable interface to timeouts and to the CPU cycle counter
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_TIMING_H
+#define MBEDTLS_TIMING_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_TIMING_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          timer structure
+ */
+struct mbedtls_timing_hr_time
+{
+    unsigned char opaque[32];
+};
+
+/**
+ * \brief          Context for mbedtls_timing_set/get_delay()
+ */
+typedef struct mbedtls_timing_delay_context
+{
+    struct mbedtls_timing_hr_time   timer;
+    uint32_t                        int_ms;
+    uint32_t                        fin_ms;
+} mbedtls_timing_delay_context;
+
+#else  /* MBEDTLS_TIMING_ALT */
+#include "timing_alt.h"
+#endif /* MBEDTLS_TIMING_ALT */
+
+extern volatile int mbedtls_timing_alarmed;
+
+/**
+ * \brief          Return the CPU cycle counter value
+ *
+ * \warning        This is only a best effort! Do not rely on this!
+ *                 In particular, it is known to be unreliable on virtual
+ *                 machines.
+ *
+ * \note           This value starts at an unspecified origin and
+ *                 may wrap around.
+ */
+unsigned long mbedtls_timing_hardclock( void );
+
+/**
+ * \brief          Return the elapsed time in milliseconds
+ *
+ * \param val      points to a timer structure
+ * \param reset    If 0, query the elapsed time. Otherwise (re)start the timer.
+ *
+ * \return         Elapsed time since the previous reset in ms. When
+ *                 restarting, this is always 0.
+ *
+ * \note           To initialize a timer, call this function with reset=1.
+ *
+ *                 Determining the elapsed time and resetting the timer is not
+ *                 atomic on all platforms, so after the sequence
+ *                 `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 =
+ *                 get_timer(0) }` the value time1+time2 is only approximately
+ *                 the delay since the first reset.
+ */
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset );
+
+/**
+ * \brief          Setup an alarm clock
+ *
+ * \param seconds  delay before the "mbedtls_timing_alarmed" flag is set
+ *                 (must be >=0)
+ *
+ * \warning        Only one alarm at a time  is supported. In a threaded
+ *                 context, this means one for the whole process, not one per
+ *                 thread.
+ */
+void mbedtls_set_alarm( int seconds );
+
+/**
+ * \brief          Set a pair of delays to watch
+ *                 (See \c mbedtls_timing_get_delay().)
+ *
+ * \param data     Pointer to timing data.
+ *                 Must point to a valid \c mbedtls_timing_delay_context struct.
+ * \param int_ms   First (intermediate) delay in milliseconds.
+ *                 The effect if int_ms > fin_ms is unspecified.
+ * \param fin_ms   Second (final) delay in milliseconds.
+ *                 Pass 0 to cancel the current delay.
+ *
+ * \note           To set a single delay, either use \c mbedtls_timing_set_timer
+ *                 directly or use this function with int_ms == fin_ms.
+ */
+void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms );
+
+/**
+ * \brief          Get the status of delays
+ *                 (Memory helper: number of delays passed.)
+ *
+ * \param data     Pointer to timing data
+ *                 Must point to a valid \c mbedtls_timing_delay_context struct.
+ *
+ * \return         -1 if cancelled (fin_ms = 0),
+ *                  0 if none of the delays are passed,
+ *                  1 if only the intermediate delay is passed,
+ *                  2 if the final delay is passed.
+ */
+int mbedtls_timing_get_delay( void *data );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_timing_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* timing.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/version.h b/ctrtool/deps/libmbedtls/include/mbedtls/version.h
new file mode 100644
index 00000000..8e2ce03c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/version.h
@@ -0,0 +1,112 @@
+/**
+ * \file version.h
+ *
+ * \brief Run-time version information
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * This set of compile-time defines and run-time variables can be used to
+ * determine the version number of the mbed TLS library used.
+ */
+#ifndef MBEDTLS_VERSION_H
+#define MBEDTLS_VERSION_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/**
+ * The version number x.y.z is split into three parts.
+ * Major, Minor, Patchlevel
+ */
+#define MBEDTLS_VERSION_MAJOR  2
+#define MBEDTLS_VERSION_MINOR  16
+#define MBEDTLS_VERSION_PATCH  5
+
+/**
+ * The single version number has the following structure:
+ *    MMNNPP00
+ *    Major version | Minor version | Patch version
+ */
+#define MBEDTLS_VERSION_NUMBER         0x02100500
+#define MBEDTLS_VERSION_STRING         "2.16.5"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.5"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Get the version number.
+ *
+ * \return          The constructed version number in the format
+ *                  MMNNPP00 (Major, Minor, Patch).
+ */
+unsigned int mbedtls_version_get_number( void );
+
+/**
+ * Get the version string ("x.y.z").
+ *
+ * \param string    The string that will receive the value.
+ *                  (Should be at least 9 bytes in size)
+ */
+void mbedtls_version_get_string( char *string );
+
+/**
+ * Get the full version string ("mbed TLS x.y.z").
+ *
+ * \param string    The string that will receive the value. The mbed TLS version
+ *                  string will use 18 bytes AT MOST including a terminating
+ *                  null byte.
+ *                  (So the buffer should be at least 18 bytes to receive this
+ *                  version string).
+ */
+void mbedtls_version_get_string_full( char *string );
+
+/**
+ * \brief           Check if support for a feature was compiled into this
+ *                  mbed TLS binary. This allows you to see at runtime if the
+ *                  library was for instance compiled with or without
+ *                  Multi-threading support.
+ *
+ * \note            only checks against defines in the sections "System
+ *                  support", "mbed TLS modules" and "mbed TLS feature
+ *                  support" in config.h
+ *
+ * \param feature   The string for the define to check (e.g. "MBEDTLS_AES_C")
+ *
+ * \return          0 if the feature is present,
+ *                  -1 if the feature is not present and
+ *                  -2 if support for feature checking as a whole was not
+ *                  compiled in.
+ */
+int mbedtls_version_check_feature( const char *feature );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_VERSION_C */
+
+#endif /* version.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/x509.h b/ctrtool/deps/libmbedtls/include/mbedtls/x509.h
new file mode 100644
index 00000000..63aae32d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/x509.h
@@ -0,0 +1,337 @@
+/**
+ * \file x509.h
+ *
+ * \brief X.509 generic defines and structures
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_H
+#define MBEDTLS_X509_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "pk.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "rsa.h"
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{
+ */
+
+#if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
+#endif
+
+/**
+ * \name X509 Error codes
+ * \{
+ */
+#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE              -0x2080  /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
+#define MBEDTLS_ERR_X509_UNKNOWN_OID                      -0x2100  /**< Requested OID is unknown. */
+#define MBEDTLS_ERR_X509_INVALID_FORMAT                   -0x2180  /**< The CRT/CRL/CSR format is invalid, e.g. different type expected. */
+#define MBEDTLS_ERR_X509_INVALID_VERSION                  -0x2200  /**< The CRT/CRL/CSR version element is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_SERIAL                   -0x2280  /**< The serial tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_ALG                      -0x2300  /**< The algorithm tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_NAME                     -0x2380  /**< The name tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_DATE                     -0x2400  /**< The date tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_SIGNATURE                -0x2480  /**< The signature tag or value invalid. */
+#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS               -0x2500  /**< The extension tag or value is invalid. */
+#define MBEDTLS_ERR_X509_UNKNOWN_VERSION                  -0x2580  /**< CRT/CRL/CSR has an unsupported version number. */
+#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG                  -0x2600  /**< Signature algorithm (oid) is unsupported. */
+#define MBEDTLS_ERR_X509_SIG_MISMATCH                     -0x2680  /**< Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
+#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
+#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2780  /**< Format not recognized as DER or PEM. */
+#define MBEDTLS_ERR_X509_BAD_INPUT_DATA                   -0x2800  /**< Input invalid. */
+#define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900  /**< Read/write of file failed. */
+#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980  /**< Destination buffer is too small. */
+#define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000  /**< A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
+/* \} name */
+
+/**
+ * \name X509 Verify codes
+ * \{
+ */
+/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
+#define MBEDTLS_X509_BADCERT_EXPIRED             0x01  /**< The certificate validity has expired. */
+#define MBEDTLS_X509_BADCERT_REVOKED             0x02  /**< The certificate has been revoked (is on a CRL). */
+#define MBEDTLS_X509_BADCERT_CN_MISMATCH         0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
+#define MBEDTLS_X509_BADCERT_NOT_TRUSTED         0x08  /**< The certificate is not correctly signed by the trusted CA. */
+#define MBEDTLS_X509_BADCRL_NOT_TRUSTED          0x10  /**< The CRL is not correctly signed by the trusted CA. */
+#define MBEDTLS_X509_BADCRL_EXPIRED              0x20  /**< The CRL is expired. */
+#define MBEDTLS_X509_BADCERT_MISSING             0x40  /**< Certificate was missing. */
+#define MBEDTLS_X509_BADCERT_SKIP_VERIFY         0x80  /**< Certificate verification was skipped. */
+#define MBEDTLS_X509_BADCERT_OTHER             0x0100  /**< Other reason (can be used by verify callback) */
+#define MBEDTLS_X509_BADCERT_FUTURE            0x0200  /**< The certificate validity starts in the future. */
+#define MBEDTLS_X509_BADCRL_FUTURE             0x0400  /**< The CRL is from the future */
+#define MBEDTLS_X509_BADCERT_KEY_USAGE         0x0800  /**< Usage does not match the keyUsage extension. */
+#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE     0x1000  /**< Usage does not match the extendedKeyUsage extension. */
+#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE      0x2000  /**< Usage does not match the nsCertType extension. */
+#define MBEDTLS_X509_BADCERT_BAD_MD            0x4000  /**< The certificate is signed with an unacceptable hash. */
+#define MBEDTLS_X509_BADCERT_BAD_PK            0x8000  /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define MBEDTLS_X509_BADCERT_BAD_KEY         0x010000  /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
+#define MBEDTLS_X509_BADCRL_BAD_MD           0x020000  /**< The CRL is signed with an unacceptable hash. */
+#define MBEDTLS_X509_BADCRL_BAD_PK           0x040000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define MBEDTLS_X509_BADCRL_BAD_KEY          0x080000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+/*
+ * X.509 v3 Key Usage Extension flags
+ * Reminder: update x509_info_key_usage() when adding new flags.
+ */
+#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
+#define MBEDTLS_X509_KU_NON_REPUDIATION              (0x40)  /* bit 1 */
+#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
+#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
+#define MBEDTLS_X509_KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
+#define MBEDTLS_X509_KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
+#define MBEDTLS_X509_KU_CRL_SIGN                     (0x02)  /* bit 6 */
+#define MBEDTLS_X509_KU_ENCIPHER_ONLY                (0x01)  /* bit 7 */
+#define MBEDTLS_X509_KU_DECIPHER_ONLY              (0x8000)  /* bit 8 */
+
+/*
+ * Netscape certificate types
+ * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
+ */
+
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
+#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
+#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
+#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
+#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
+#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */
+
+/*
+ * X.509 extension types
+ *
+ * Comments refer to the status for using certificates. Status can be
+ * different for writing certificates or reading CRLs or CSRs.
+ */
+#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
+#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
+#define MBEDTLS_X509_EXT_KEY_USAGE                   (1 << 2)
+#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES        (1 << 3)
+#define MBEDTLS_X509_EXT_POLICY_MAPPINGS             (1 << 4)
+#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME            (1 << 5)    /* Supported (DNS) */
+#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME             (1 << 6)
+#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
+#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS           (1 << 8)    /* Supported */
+#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS            (1 << 9)
+#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS          (1 << 10)
+#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE          (1 << 11)
+#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
+#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY          (1 << 13)
+#define MBEDTLS_X509_EXT_FRESHEST_CRL                (1 << 14)
+
+#define MBEDTLS_X509_EXT_NS_CERT_TYPE                (1 << 16)
+
+/*
+ * Storage format identifiers
+ * Recognized formats: PEM and DER
+ */
+#define MBEDTLS_X509_FORMAT_DER                 1
+#define MBEDTLS_X509_FORMAT_PEM                 2
+
+#define MBEDTLS_X509_MAX_DN_NAME_SIZE         256 /**< Maximum value size of a DN entry */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures for parsing X.509 certificates, CRLs and CSRs
+ * \{
+ */
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef mbedtls_asn1_buf mbedtls_x509_buf;
+
+/**
+ * Container for ASN1 bit strings.
+ */
+typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring;
+
+/**
+ * Container for ASN1 named information objects.
+ * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
+ */
+typedef mbedtls_asn1_named_data mbedtls_x509_name;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
+
+/** Container for date and time (precision in seconds). */
+typedef struct mbedtls_x509_time
+{
+    int year, mon, day;         /**< Date. */
+    int hour, min, sec;         /**< Time. */
+}
+mbedtls_x509_time;
+
+/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
+/** \} addtogroup x509_module */
+
+/**
+ * \brief          Store the certificate DN in printable form into buf;
+ *                 no more than size characters will be written.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param dn       The X509 name to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn );
+
+/**
+ * \brief          Store the certificate serial in printable form into buf;
+ *                 no more than size characters will be written.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param serial   The X509 serial to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial );
+
+/**
+ * \brief          Check a given mbedtls_x509_time against the system time
+ *                 and tell if it's in the past.
+ *
+ * \note           Intended usage is "if( is_past( valid_to ) ) ERROR".
+ *                 Hence the return value of 1 if on internal errors.
+ *
+ * \param to       mbedtls_x509_time to check
+ *
+ * \return         1 if the given time is in the past or an error occurred,
+ *                 0 otherwise.
+ */
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
+
+/**
+ * \brief          Check a given mbedtls_x509_time against the system time
+ *                 and tell if it's in the future.
+ *
+ * \note           Intended usage is "if( is_future( valid_from ) ) ERROR".
+ *                 Hence the return value of 1 if on internal errors.
+ *
+ * \param from     mbedtls_x509_time to check
+ *
+ * \return         1 if the given time is in the future or an error occurred,
+ *                 0 otherwise.
+ */
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_x509_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_name *cur );
+int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
+                       mbedtls_x509_buf *alg );
+int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *alg, mbedtls_x509_buf *params );
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
+                                mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+                                int *salt_len );
+#endif
+int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig );
+int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+                      mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+                      void **sig_opts );
+int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_time *t );
+int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
+                     mbedtls_x509_buf *serial );
+int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *ext, int tag );
+int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+                       mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                       const void *sig_opts );
+int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name );
+int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name );
+int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+                        int critical, const unsigned char *val,
+                        size_t val_len );
+int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
+                           mbedtls_asn1_named_data *first );
+int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
+                      mbedtls_asn1_named_data *first );
+int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len,
+                    unsigned char *sig, size_t size );
+
+#define MBEDTLS_X509_SAFE_SNPRINTF                          \
+    do {                                                    \
+        if( ret < 0 || (size_t) ret >= n )                  \
+            return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );    \
+                                                            \
+        n -= (size_t) ret;                                  \
+        p += (size_t) ret;                                  \
+    } while( 0 )
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* x509.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/x509_crl.h b/ctrtool/deps/libmbedtls/include/mbedtls/x509_crl.h
new file mode 100644
index 00000000..fa838d68
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/x509_crl.h
@@ -0,0 +1,174 @@
+/**
+ * \file x509_crl.h
+ *
+ * \brief X.509 certificate revocation list parsing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_CRL_H
+#define MBEDTLS_X509_CRL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures and functions for parsing CRLs
+ * \{
+ */
+
+/**
+ * Certificate revocation list entry.
+ * Contains the CA-specific serial numbers and revocation dates.
+ */
+typedef struct mbedtls_x509_crl_entry
+{
+    mbedtls_x509_buf raw;
+
+    mbedtls_x509_buf serial;
+
+    mbedtls_x509_time revocation_date;
+
+    mbedtls_x509_buf entry_ext;
+
+    struct mbedtls_x509_crl_entry *next;
+}
+mbedtls_x509_crl_entry;
+
+/**
+ * Certificate revocation list structure.
+ * Every CRL may have multiple entries.
+ */
+typedef struct mbedtls_x509_crl
+{
+    mbedtls_x509_buf raw;           /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;           /**< The raw certificate body (DER). The part that is To Be Signed. */
+
+    int version;            /**< CRL version (1=v1, 2=v2) */
+    mbedtls_x509_buf sig_oid;       /**< CRL signature type identifier */
+
+    mbedtls_x509_buf issuer_raw;    /**< The raw issuer data (DER). */
+
+    mbedtls_x509_name issuer;       /**< The parsed issuer data (named information object). */
+
+    mbedtls_x509_time this_update;
+    mbedtls_x509_time next_update;
+
+    mbedtls_x509_crl_entry entry;   /**< The CRL entries containing the certificate revocation times for this CA. */
+
+    mbedtls_x509_buf crl_ext;
+
+    mbedtls_x509_buf sig_oid2;
+    mbedtls_x509_buf sig;
+    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+
+    struct mbedtls_x509_crl *next;
+}
+mbedtls_x509_crl;
+
+/**
+ * \brief          Parse a DER-encoded CRL and append it to the chained list
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the CRL data in DER format
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
+                        const unsigned char *buf, size_t buflen );
+/**
+ * \brief          Parse one or more CRLs and append them to the chained list
+ *
+ * \note           Multiple CRLs are accepted only if using PEM format
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the CRL data in PEM or DER format
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load one or more CRLs and append them to the chained list
+ *
+ * \note           Multiple CRLs are accepted only if using PEM format
+ *
+ * \param chain    points to the start of the chain
+ * \param path     filename to read the CRLs from (in PEM or DER encoding)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the CRL.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param crl      The X509 CRL to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crl *crl );
+
+/**
+ * \brief          Initialize a CRL (chain)
+ *
+ * \param crl      CRL chain to initialize
+ */
+void mbedtls_x509_crl_init( mbedtls_x509_crl *crl );
+
+/**
+ * \brief          Unallocate all CRL data
+ *
+ * \param crl      CRL chain to free
+ */
+void mbedtls_x509_crl_free( mbedtls_x509_crl *crl );
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_crl.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/x509_crt.h b/ctrtool/deps/libmbedtls/include/mbedtls/x509_crt.h
new file mode 100644
index 00000000..670bd10d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/x509_crt.h
@@ -0,0 +1,785 @@
+/**
+ * \file x509_crt.h
+ *
+ * \brief X.509 certificate parsing and writing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_CRT_H
+#define MBEDTLS_X509_CRT_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+#include "x509_crl.h"
+
+/**
+ * \addtogroup x509_module
+ * \{
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name Structures and functions for parsing and writing X.509 certificates
+ * \{
+ */
+
+/**
+ * Container for an X.509 certificate. The certificate may be chained.
+ */
+typedef struct mbedtls_x509_crt
+{
+    mbedtls_x509_buf raw;               /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
+
+    int version;                /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
+    mbedtls_x509_buf serial;            /**< Unique id for certificate issued by a specific CA. */
+    mbedtls_x509_buf sig_oid;           /**< Signature algorithm, e.g. sha1RSA */
+
+    mbedtls_x509_buf issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison. */
+    mbedtls_x509_buf subject_raw;       /**< The raw subject data (DER). Used for quick comparison. */
+
+    mbedtls_x509_name issuer;           /**< The parsed issuer data (named information object). */
+    mbedtls_x509_name subject;          /**< The parsed subject data (named information object). */
+
+    mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
+    mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
+
+    mbedtls_pk_context pk;              /**< Container for the public key context. */
+
+    mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
+    mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
+    mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
+    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+
+    int ext_types;              /**< Bit string containing detected and parsed extensions */
+    int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
+    int max_pathlen;            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
+
+    unsigned int key_usage;     /**< Optional key usage extension value: See the values in x509.h */
+
+    mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
+
+    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
+
+    mbedtls_x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
+    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+
+    struct mbedtls_x509_crt *next;     /**< Next certificate in the CA-chain. */
+}
+mbedtls_x509_crt;
+
+/**
+ * Build flag from an algorithm/curve identifier (pk, md, ecp)
+ * Since 0 is always XXX_NONE, ignore it.
+ */
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( (id) - 1 ) )
+
+/**
+ * Security profile for certificate verification.
+ *
+ * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
+ */
+typedef struct mbedtls_x509_crt_profile
+{
+    uint32_t allowed_mds;       /**< MDs for signatures         */
+    uint32_t allowed_pks;       /**< PK algs for signatures     */
+    uint32_t allowed_curves;    /**< Elliptic curves for ECDSA  */
+    uint32_t rsa_min_bitlen;    /**< Minimum size for RSA keys  */
+}
+mbedtls_x509_crt_profile;
+
+#define MBEDTLS_X509_CRT_VERSION_1              0
+#define MBEDTLS_X509_CRT_VERSION_2              1
+#define MBEDTLS_X509_CRT_VERSION_3              2
+
+#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
+#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15
+
+#if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
+#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
+#endif
+
+/**
+ * Container for writing a certificate (CRT)
+ */
+typedef struct mbedtls_x509write_cert
+{
+    int version;
+    mbedtls_mpi serial;
+    mbedtls_pk_context *subject_key;
+    mbedtls_pk_context *issuer_key;
+    mbedtls_asn1_named_data *subject;
+    mbedtls_asn1_named_data *issuer;
+    mbedtls_md_type_t md_alg;
+    char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    mbedtls_asn1_named_data *extensions;
+}
+mbedtls_x509write_cert;
+
+/**
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+    mbedtls_x509_crt *crt;
+    uint32_t flags;
+} mbedtls_x509_crt_verify_chain_item;
+
+/**
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE  ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
+
+/**
+ * Verification chain as built by \c mbedtls_crt_verify_chain()
+ */
+typedef struct
+{
+    mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
+    unsigned len;
+} mbedtls_x509_crt_verify_chain;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief       Context for resuming X.509 verify operations
+ */
+typedef struct
+{
+    /* for check_signature() */
+    mbedtls_pk_restart_ctx pk;
+
+    /* for find_parent_in() */
+    mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
+    mbedtls_x509_crt *fallback_parent;
+    int fallback_signature_is_good;
+
+    /* for find_parent() */
+    int parent_is_trusted; /* -1 if find_parent is not in progress */
+
+    /* for verify_chain() */
+    enum {
+        x509_crt_rs_none,
+        x509_crt_rs_find_parent,
+    } in_progress;  /* none if no operation is in progress */
+    int self_cnt;
+    mbedtls_x509_crt_verify_chain ver_chain;
+
+} mbedtls_x509_crt_restart_ctx;
+
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_x509_crt_restart_ctx;
+
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * Default security profile. Should provide a good balance between security
+ * and compatibility with current deployments.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
+
+/**
+ * Expected next default profile. Recommended for new deployments.
+ * Currently targets a 128-bit security level, except for RSA-2048.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
+
+/**
+ * NSA Suite B profile.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
+
+/**
+ * \brief          Parse a single DER formatted certificate and add it
+ *                 to the chained list.
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the certificate DER data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
+                        size_t buflen );
+
+/**
+ * \brief          Parse one DER-encoded or one or more concatenated PEM-encoded
+ *                 certificates and add them to the chained list.
+ *
+ *                 For CRTs in PEM encoding, the function parses permissively:
+ *                 if at least one certificate can be parsed, the function
+ *                 returns the number of certificates for which parsing failed
+ *                 (hence \c 0 if all certificates were parsed successfully).
+ *                 If no certificate could be parsed, the function returns
+ *                 the first (negative) error encountered during parsing.
+ *
+ *                 PEM encoded certificates may be interleaved by other data
+ *                 such as human readable descriptions of their content, as
+ *                 long as the certificates are enclosed in the PEM specific
+ *                 '-----{BEGIN/END} CERTIFICATE-----' delimiters.
+ *
+ * \param chain    The chain to which to add the parsed certificates.
+ * \param buf      The buffer holding the certificate data in PEM or DER format.
+ *                 For certificates in PEM encoding, this may be a concatenation
+ *                 of multiple certificates; for DER encoding, the buffer must
+ *                 comprise exactly one certificate.
+ * \param buflen   The size of \p buf, including the terminating \c NULL byte
+ *                 in case of PEM encoded data.
+ *
+ * \return         \c 0 if all certificates were parsed successfully.
+ * \return         The (positive) number of certificates that couldn't
+ *                 be parsed if parsing was partly successful (see above).
+ * \return         A negative X509 or PEM error code otherwise.
+ *
+ */
+int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load one or more certificates and add them
+ *                 to the chained list. Parses permissively. If some
+ *                 certificates can be parsed, the result is the number
+ *                 of failed certificates it encountered. If none complete
+ *                 correctly, the first error is returned.
+ *
+ * \param chain    points to the start of the chain
+ * \param path     filename to read the certificates from
+ *
+ * \return         0 if all certificates parsed successfully, a positive number
+ *                 if partly successful or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
+
+/**
+ * \brief          Load one or more certificate files from a path and add them
+ *                 to the chained list. Parses permissively. If some
+ *                 certificates can be parsed, the result is the number
+ *                 of failed certificates it encountered. If none complete
+ *                 correctly, the first error is returned.
+ *
+ * \param chain    points to the start of the chain
+ * \param path     directory / folder to read the certificate files from
+ *
+ * \return         0 if all certificates parsed successfully, a positive number
+ *                 if partly successful or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the
+ *                 certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param crt      The X509 certificate to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crt *crt );
+
+/**
+ * \brief          Returns an informational string about the
+ *                 verification status of a certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param flags    Verification flags created by mbedtls_x509_crt_verify()
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags );
+
+/**
+ * \brief          Verify the certificate signature
+ *
+ *                 The verify callback is a user-supplied callback that
+ *                 can clear / modify / add flags for a certificate. If set,
+ *                 the verification callback is called for each
+ *                 certificate in the chain (from the trust-ca down to the
+ *                 presented crt). The parameters for the callback are:
+ *                 (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
+ *                 int *flags). With the flags representing current flags for
+ *                 that specific certificate and the certificate depth from
+ *                 the bottom (Peer cert depth = 0).
+ *
+ *                 All flags left after returning from the callback
+ *                 are also returned to the application. The function should
+ *                 return 0 for anything (including invalid certificates)
+ *                 other than fatal error, as a non-zero return code
+ *                 immediately aborts the verification process. For fatal
+ *                 errors, a specific error code should be used (different
+ *                 from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
+ *                 be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
+ *                 can be used if no better code is available.
+ *
+ * \note           In case verification failed, the results can be displayed
+ *                 using \c mbedtls_x509_crt_verify_info()
+ *
+ * \note           Same as \c mbedtls_x509_crt_verify_with_profile() with the
+ *                 default security profile.
+ *
+ * \note           It is your responsibility to provide up-to-date CRLs for
+ *                 all trusted CAs. If no CRL is provided for the CA that was
+ *                 used to sign the certificate, CRL verification is skipped
+ *                 silently, that is *without* setting any flag.
+ *
+ * \note           The \c trust_ca list can contain two types of certificates:
+ *                 (1) those of trusted root CAs, so that certificates
+ *                 chaining up to those CAs will be trusted, and (2)
+ *                 self-signed end-entity certificates to be trusted (for
+ *                 specific peers you know) - in that case, the self-signed
+ *                 certificate doesn't need to have the CA bit set.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs (see note above)
+ * \param ca_crl   the list of CRLs for trusted CAs (see note above)
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ *
+ * \return         0 (and flags set to 0) if the chain was verified and valid,
+ *                 MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified
+ *                 but found to be invalid, in which case *flags will have one
+ *                 or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX
+ *                 flags set, or another error (and flags set to 0xffffffff)
+ *                 in case of a fatal error encountered during the
+ *                 verification process.
+ */
+int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+
+/**
+ * \brief          Verify the certificate signature according to profile
+ *
+ * \note           Same as \c mbedtls_x509_crt_verify(), but with explicit
+ *                 security profile.
+ *
+ * \note           The restrictions on keys (RSA minimum size, allowed curves
+ *                 for ECDSA) apply to all certificates: trusted root,
+ *                 intermediate CAs if any, and end entity certificate.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs
+ * \param profile  security profile for verification
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ *
+ * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+ *                 in which case *flags will have one or more
+ *                 MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
+ *                 set,
+ *                 or another error in case of a fatal error encountered
+ *                 during the verification process.
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+
+/**
+ * \brief          Restartable version of \c mbedtls_crt_verify_with_profile()
+ *
+ * \note           Performs the same job as \c mbedtls_crt_verify_with_profile()
+ *                 but can return early and restart according to the limit
+ *                 set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs
+ * \param profile  security profile for verification
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ * \param rs_ctx   restart context (NULL to disable restart)
+ *
+ * \return         See \c mbedtls_crt_verify_with_profile(), or
+ * \return         #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                 operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy,
+                     mbedtls_x509_crt_restart_ctx *rs_ctx );
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+/**
+ * \brief          Check usage of certificate against keyUsage extension.
+ *
+ * \param crt      Leaf certificate used.
+ * \param usage    Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
+ *                 before using the certificate to perform an RSA key
+ *                 exchange).
+ *
+ * \note           Except for decipherOnly and encipherOnly, a bit set in the
+ *                 usage argument means this bit MUST be set in the
+ *                 certificate. For decipherOnly and encipherOnly, it means
+ *                 that bit MAY be set.
+ *
+ * \return         0 is these uses of the certificate are allowed,
+ *                 MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
+ *                 is present but does not match the usage argument.
+ *
+ * \note           You should only call this function on leaf certificates, on
+ *                 (intermediate) CAs the keyUsage extension is automatically
+ *                 checked by \c mbedtls_x509_crt_verify().
+ */
+int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
+                                      unsigned int usage );
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+/**
+ * \brief           Check usage of certificate against extendedKeyUsage.
+ *
+ * \param crt       Leaf certificate used.
+ * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
+ *                  MBEDTLS_OID_CLIENT_AUTH).
+ * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
+ *
+ * \return          0 if this use of the certificate is allowed,
+ *                  MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
+ *
+ * \note            Usually only makes sense on leaf certificates.
+ */
+int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
+                                               const char *usage_oid,
+                                               size_t usage_len );
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/**
+ * \brief          Verify the certificate revocation status
+ *
+ * \param crt      a certificate to be verified
+ * \param crl      the CRL to verify against
+ *
+ * \return         1 if the certificate is revoked, 0 otherwise
+ *
+ */
+int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/**
+ * \brief          Initialize a certificate (chain)
+ *
+ * \param crt      Certificate chain to initialize
+ */
+void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
+
+/**
+ * \brief          Unallocate all certificate data
+ *
+ * \param crt      Certificate chain to free
+ */
+void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+/**
+ * \brief           Initialize a CRT writing context
+ *
+ * \param ctx       CRT context to initialize
+ */
+void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Set the verion for a Certificate
+ *                  Default: MBEDTLS_X509_CRT_VERSION_3
+ *
+ * \param ctx       CRT context to use
+ * \param version   version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or
+ *                                  MBEDTLS_X509_CRT_VERSION_3)
+ */
+void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
+
+/**
+ * \brief           Set the serial number for a Certificate.
+ *
+ * \param ctx       CRT context to use
+ * \param serial    serial number to set
+ *
+ * \return          0 if successful
+ */
+int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
+
+/**
+ * \brief           Set the validity period for a Certificate
+ *                  Timestamps should be in string format for UTC timezone
+ *                  i.e. "YYYYMMDDhhmmss"
+ *                  e.g. "20131231235959" for December 31st 2013
+ *                       at 23:59:59
+ *
+ * \param ctx       CRT context to use
+ * \param not_before    not_before timestamp
+ * \param not_after     not_after timestamp
+ *
+ * \return          0 if timestamp was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
+                                const char *not_after );
+
+/**
+ * \brief           Set the issuer name for a Certificate
+ *                  Issuer names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS CA"
+ *
+ * \param ctx           CRT context to use
+ * \param issuer_name   issuer name to set
+ *
+ * \return          0 if issuer name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
+                                   const char *issuer_name );
+
+/**
+ * \brief           Set the subject name for a Certificate
+ *                  Subject names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
+ *
+ * \param ctx           CRT context to use
+ * \param subject_name  subject name to set
+ *
+ * \return          0 if subject name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
+                                    const char *subject_name );
+
+/**
+ * \brief           Set the subject public key for the certificate
+ *
+ * \param ctx       CRT context to use
+ * \param key       public key to include
+ */
+void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the issuer key used for signing the certificate
+ *
+ * \param ctx       CRT context to use
+ * \param key       private key to sign with
+ */
+void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the MD algorithm to use for the signature
+ *                  (e.g. MBEDTLS_MD_SHA1)
+ *
+ * \param ctx       CRT context to use
+ * \param md_alg    MD algorithm to use
+ */
+void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
+
+/**
+ * \brief           Generic function to add to or replace an extension in the
+ *                  CRT
+ *
+ * \param ctx       CRT context to use
+ * \param oid       OID of the extension
+ * \param oid_len   length of the OID
+ * \param critical  if the extension is critical (per the RFC's definition)
+ * \param val       value of the extension OCTET STRING
+ * \param val_len   length of the value data
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
+                                 const char *oid, size_t oid_len,
+                                 int critical,
+                                 const unsigned char *val, size_t val_len );
+
+/**
+ * \brief           Set the basicConstraints extension for a CRT
+ *
+ * \param ctx       CRT context to use
+ * \param is_ca     is this a CA certificate
+ * \param max_pathlen   maximum length of certificate chains below this
+ *                      certificate (only for CA certificates, -1 is
+ *                      inlimited)
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
+                                         int is_ca, int max_pathlen );
+
+#if defined(MBEDTLS_SHA1_C)
+/**
+ * \brief           Set the subjectKeyIdentifier extension for a CRT
+ *                  Requires that mbedtls_x509write_crt_set_subject_key() has been
+ *                  called before
+ *
+ * \param ctx       CRT context to use
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Set the authorityKeyIdentifier extension for a CRT
+ *                  Requires that mbedtls_x509write_crt_set_issuer_key() has been
+ *                  called before
+ *
+ * \param ctx       CRT context to use
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
+#endif /* MBEDTLS_SHA1_C */
+
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CRT context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage );
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CRT context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
+                                    unsigned char ns_cert_type );
+
+/**
+ * \brief           Free the contents of a CRT write context
+ *
+ * \param ctx       CRT context to free
+ */
+void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Write a built up certificate to a X509 DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       certificate to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a built up certificate to a X509 PEM string
+ *
+ * \param ctx       certificate to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_crt.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/x509_csr.h b/ctrtool/deps/libmbedtls/include/mbedtls/x509_csr.h
new file mode 100644
index 00000000..a3c28048
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/x509_csr.h
@@ -0,0 +1,307 @@
+/**
+ * \file x509_csr.h
+ *
+ * \brief X.509 certificate signing request parsing and writing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_CSR_H
+#define MBEDTLS_X509_CSR_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures and functions for X.509 Certificate Signing Requests (CSR)
+ * \{
+ */
+
+/**
+ * Certificate Signing Request (CSR) structure.
+ */
+typedef struct mbedtls_x509_csr
+{
+    mbedtls_x509_buf raw;           /**< The raw CSR data (DER). */
+    mbedtls_x509_buf cri;           /**< The raw CertificateRequestInfo body (DER). */
+
+    int version;            /**< CSR version (1=v1). */
+
+    mbedtls_x509_buf  subject_raw;  /**< The raw subject data (DER). */
+    mbedtls_x509_name subject;      /**< The parsed subject data (named information object). */
+
+    mbedtls_pk_context pk;          /**< Container for the public key context. */
+
+    mbedtls_x509_buf sig_oid;
+    mbedtls_x509_buf sig;
+    mbedtls_md_type_t sig_md;       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;         /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+}
+mbedtls_x509_csr;
+
+/**
+ * Container for writing a CSR
+ */
+typedef struct mbedtls_x509write_csr
+{
+    mbedtls_pk_context *key;
+    mbedtls_asn1_named_data *subject;
+    mbedtls_md_type_t md_alg;
+    mbedtls_asn1_named_data *extensions;
+}
+mbedtls_x509write_csr;
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+/**
+ * \brief          Load a Certificate Signing Request (CSR) in DER format
+ *
+ * \note           CSR attributes (if any) are currently silently ignored.
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 error code
+ */
+int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
+                        const unsigned char *buf, size_t buflen );
+
+/**
+ * \brief          Load a Certificate Signing Request (CSR), DER or PEM format
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse_der()
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load a Certificate Signing Request (CSR)
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse()
+ *
+ * \param csr      CSR context to fill
+ * \param path     filename to read the CSR from
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the
+ *                 CSR.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param csr      The X509 CSR to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_csr *csr );
+
+/**
+ * \brief          Initialize a CSR
+ *
+ * \param csr      CSR to initialize
+ */
+void mbedtls_x509_csr_init( mbedtls_x509_csr *csr );
+
+/**
+ * \brief          Unallocate all CSR data
+ *
+ * \param csr      CSR to free
+ */
+void mbedtls_x509_csr_free( mbedtls_x509_csr *csr );
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+/**
+ * \brief           Initialize a CSR context
+ *
+ * \param ctx       CSR context to initialize
+ */
+void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx );
+
+/**
+ * \brief           Set the subject name for a CSR
+ *                  Subject names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
+ *
+ * \param ctx           CSR context to use
+ * \param subject_name  subject name to set
+ *
+ * \return          0 if subject name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
+                                    const char *subject_name );
+
+/**
+ * \brief           Set the key for a CSR (public key will be included,
+ *                  private key used to sign the CSR when writing it)
+ *
+ * \param ctx       CSR context to use
+ * \param key       Asymetric key to include
+ */
+void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the MD algorithm to use for the signature
+ *                  (e.g. MBEDTLS_MD_SHA1)
+ *
+ * \param ctx       CSR context to use
+ * \param md_alg    MD algorithm to use
+ */
+void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg );
+
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CSR context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            The <code>decipherOnly</code> flag from the Key Usage
+ *                  extension is represented by bit 8 (i.e.
+ *                  <code>0x8000</code>), which cannot typically be represented
+ *                  in an unsigned char. Therefore, the flag
+ *                  <code>decipherOnly</code> (i.e.
+ *                  #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ *                  function.
+ */
+int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CSR context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
+                                    unsigned char ns_cert_type );
+
+/**
+ * \brief           Generic function to add to or replace an extension in the
+ *                  CSR
+ *
+ * \param ctx       CSR context to use
+ * \param oid       OID of the extension
+ * \param oid_len   length of the OID
+ * \param val       value of the extension OCTET STRING
+ * \param val_len   length of the value data
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
+                                 const char *oid, size_t oid_len,
+                                 const unsigned char *val, size_t val_len );
+
+/**
+ * \brief           Free the contents of a CSR context
+ *
+ * \param ctx       CSR context to free
+ */
+void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx );
+
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  PEM string
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_csr.h */
diff --git a/ctrtool/deps/libmbedtls/include/mbedtls/xtea.h b/ctrtool/deps/libmbedtls/include/mbedtls/xtea.h
new file mode 100644
index 00000000..b47f5535
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/include/mbedtls/xtea.h
@@ -0,0 +1,139 @@
+/**
+ * \file xtea.h
+ *
+ * \brief XTEA block cipher (32-bit)
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_XTEA_H
+#define MBEDTLS_XTEA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_XTEA_ENCRYPT     1
+#define MBEDTLS_XTEA_DECRYPT     0
+
+#define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH             -0x0028  /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED                  -0x0029  /**< XTEA hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_XTEA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          XTEA context structure
+ */
+typedef struct mbedtls_xtea_context
+{
+    uint32_t k[4];       /*!< key */
+}
+mbedtls_xtea_context;
+
+#else  /* MBEDTLS_XTEA_ALT */
+#include "xtea_alt.h"
+#endif /* MBEDTLS_XTEA_ALT */
+
+/**
+ * \brief          Initialize XTEA context
+ *
+ * \param ctx      XTEA context to be initialized
+ */
+void mbedtls_xtea_init( mbedtls_xtea_context *ctx );
+
+/**
+ * \brief          Clear XTEA context
+ *
+ * \param ctx      XTEA context to be cleared
+ */
+void mbedtls_xtea_free( mbedtls_xtea_context *ctx );
+
+/**
+ * \brief          XTEA key schedule
+ *
+ * \param ctx      XTEA context to be initialized
+ * \param key      the secret key
+ */
+void mbedtls_xtea_setup( mbedtls_xtea_context *ctx, const unsigned char key[16] );
+
+/**
+ * \brief          XTEA cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param input    8-byte input block
+ * \param output   8-byte output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_xtea_crypt_ecb( mbedtls_xtea_context *ctx,
+                    int mode,
+                    const unsigned char input[8],
+                    unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          XTEA CBC cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param length   the length of input, multiple of 8
+ * \param iv       initialization vector for CBC mode
+ * \param input    input block
+ * \param output   output block
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH if the length % 8 != 0
+ */
+int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_xtea_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* xtea.h */
diff --git a/ctrtool/deps/libmbedtls/makefile b/ctrtool/deps/libmbedtls/makefile
new file mode 100644
index 00000000..3f2d0ca7
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/makefile
@@ -0,0 +1,197 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 6 (20211110)
+
+# Project Name
+PROJECT_NAME = libmbedtls
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Shared Library Definitions
+PROJECT_SO_VER_MAJOR = 0
+PROJECT_SO_VER_MINOR = 2
+PROJECT_SO_VER_PATCH = 0
+PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
+PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
+
+# Project Dependencies
+PROJECT_DEPEND =
+PROJECT_DEPEND_LOCAL_DIR =
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc	
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building static library
+#	- 'shared_lib' for building shared library
+#	- 'program' for building the program
+#	- 'test_program' for building the test program
+# These can typically be used together however *_lib and program should not be used together
+all: static_lib
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+shared_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)
+	@gcc -shared -Wl,-soname,$(PROJECT_SONAME) -o "$(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/ctrtool/deps/libmbedtls/src/aes.c b/ctrtool/deps/libmbedtls/src/aes.c
new file mode 100644
index 00000000..02a7986b
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/aes.c
@@ -0,0 +1,2233 @@
+/*
+ *  FIPS-197 compliant AES implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
+ *
+ *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
+ *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AES_C)
+
+#include <string.h>
+
+#include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#if defined(MBEDTLS_PADLOCK_C)
+#include "mbedtls/padlock.h"
+#endif
+#if defined(MBEDTLS_AESNI_C)
+#include "mbedtls/aesni.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_AES_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define AES_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
+#define AES_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) &&                      \
+    ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
+static int aes_padlock_ace = -1;
+#endif
+
+#if defined(MBEDTLS_AES_ROM_TABLES)
+/*
+ * Forward S-box
+ */
+static const unsigned char FSb[256] =
+{
+    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
+    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
+    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
+    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
+    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
+    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
+    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
+    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
+    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
+    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
+    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
+    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
+    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
+    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
+    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
+    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
+    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
+    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
+    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
+    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
+    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
+    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
+};
+
+/*
+ * Forward tables
+ */
+#define FT \
+\
+    V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
+    V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
+    V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
+    V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
+    V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
+    V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
+    V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
+    V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
+    V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
+    V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
+    V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
+    V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
+    V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
+    V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
+    V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
+    V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
+    V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
+    V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
+    V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
+    V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
+    V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
+    V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
+    V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
+    V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
+    V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
+    V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
+    V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
+    V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
+    V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
+    V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
+    V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
+    V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
+    V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
+    V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
+    V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
+    V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
+    V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
+    V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
+    V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
+    V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
+    V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
+    V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
+    V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
+    V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
+    V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
+    V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
+    V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
+    V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
+    V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
+    V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
+    V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
+    V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
+    V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
+    V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
+    V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
+    V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
+    V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
+    V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
+    V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
+    V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
+    V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
+    V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
+    V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
+    V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
+
+#define V(a,b,c,d) 0x##a##b##c##d
+static const uint32_t FT0[256] = { FT };
+#undef V
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define V(a,b,c,d) 0x##b##c##d##a
+static const uint32_t FT1[256] = { FT };
+#undef V
+
+#define V(a,b,c,d) 0x##c##d##a##b
+static const uint32_t FT2[256] = { FT };
+#undef V
+
+#define V(a,b,c,d) 0x##d##a##b##c
+static const uint32_t FT3[256] = { FT };
+#undef V
+
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+#undef FT
+
+/*
+ * Reverse S-box
+ */
+static const unsigned char RSb[256] =
+{
+    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
+    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
+    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
+    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
+    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
+    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
+    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
+    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
+    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
+    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
+    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
+    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
+    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
+    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
+    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
+    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
+    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
+    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
+    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
+    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
+    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
+    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
+};
+
+/*
+ * Reverse tables
+ */
+#define RT \
+\
+    V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
+    V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
+    V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
+    V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
+    V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
+    V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
+    V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
+    V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
+    V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
+    V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
+    V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
+    V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
+    V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
+    V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
+    V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
+    V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
+    V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
+    V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
+    V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
+    V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
+    V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
+    V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
+    V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
+    V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
+    V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
+    V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
+    V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
+    V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
+    V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
+    V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
+    V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
+    V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
+    V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
+    V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
+    V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
+    V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
+    V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
+    V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
+    V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
+    V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
+    V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
+    V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
+    V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
+    V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
+    V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
+    V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
+    V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
+    V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
+    V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
+    V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
+    V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
+    V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
+    V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
+    V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
+    V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
+    V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
+    V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
+    V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
+    V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
+    V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
+    V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
+    V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
+    V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
+    V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
+
+#define V(a,b,c,d) 0x##a##b##c##d
+static const uint32_t RT0[256] = { RT };
+#undef V
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define V(a,b,c,d) 0x##b##c##d##a
+static const uint32_t RT1[256] = { RT };
+#undef V
+
+#define V(a,b,c,d) 0x##c##d##a##b
+static const uint32_t RT2[256] = { RT };
+#undef V
+
+#define V(a,b,c,d) 0x##d##a##b##c
+static const uint32_t RT3[256] = { RT };
+#undef V
+
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+#undef RT
+
+/*
+ * Round constants
+ */
+static const uint32_t RCON[10] =
+{
+    0x00000001, 0x00000002, 0x00000004, 0x00000008,
+    0x00000010, 0x00000020, 0x00000040, 0x00000080,
+    0x0000001B, 0x00000036
+};
+
+#else /* MBEDTLS_AES_ROM_TABLES */
+
+/*
+ * Forward S-box & tables
+ */
+static unsigned char FSb[256];
+static uint32_t FT0[256];
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+static uint32_t FT1[256];
+static uint32_t FT2[256];
+static uint32_t FT3[256];
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+/*
+ * Reverse S-box & tables
+ */
+static unsigned char RSb[256];
+static uint32_t RT0[256];
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+static uint32_t RT1[256];
+static uint32_t RT2[256];
+static uint32_t RT3[256];
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+/*
+ * Round constants
+ */
+static uint32_t RCON[10];
+
+/*
+ * Tables generation code
+ */
+#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
+#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
+#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
+
+static int aes_init_done = 0;
+
+static void aes_gen_tables( void )
+{
+    int i, x, y, z;
+    int pow[256];
+    int log[256];
+
+    /*
+     * compute pow and log tables over GF(2^8)
+     */
+    for( i = 0, x = 1; i < 256; i++ )
+    {
+        pow[i] = x;
+        log[x] = i;
+        x = ( x ^ XTIME( x ) ) & 0xFF;
+    }
+
+    /*
+     * calculate the round constants
+     */
+    for( i = 0, x = 1; i < 10; i++ )
+    {
+        RCON[i] = (uint32_t) x;
+        x = XTIME( x ) & 0xFF;
+    }
+
+    /*
+     * generate the forward and reverse S-boxes
+     */
+    FSb[0x00] = 0x63;
+    RSb[0x63] = 0x00;
+
+    for( i = 1; i < 256; i++ )
+    {
+        x = pow[255 - log[i]];
+
+        y  = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y ^ 0x63;
+
+        FSb[i] = (unsigned char) x;
+        RSb[x] = (unsigned char) i;
+    }
+
+    /*
+     * generate the forward and reverse tables
+     */
+    for( i = 0; i < 256; i++ )
+    {
+        x = FSb[i];
+        y = XTIME( x ) & 0xFF;
+        z =  ( y ^ x ) & 0xFF;
+
+        FT0[i] = ( (uint32_t) y       ) ^
+                 ( (uint32_t) x <<  8 ) ^
+                 ( (uint32_t) x << 16 ) ^
+                 ( (uint32_t) z << 24 );
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+        FT1[i] = ROTL8( FT0[i] );
+        FT2[i] = ROTL8( FT1[i] );
+        FT3[i] = ROTL8( FT2[i] );
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+        x = RSb[i];
+
+        RT0[i] = ( (uint32_t) MUL( 0x0E, x )       ) ^
+                 ( (uint32_t) MUL( 0x09, x ) <<  8 ) ^
+                 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
+                 ( (uint32_t) MUL( 0x0B, x ) << 24 );
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+        RT1[i] = ROTL8( RT0[i] );
+        RT2[i] = ROTL8( RT1[i] );
+        RT3[i] = ROTL8( RT2[i] );
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+    }
+}
+
+#undef ROTL8
+
+#endif /* MBEDTLS_AES_ROM_TABLES */
+
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define ROTL8(x)  ( (uint32_t)( ( x ) <<  8 ) + (uint32_t)( ( x ) >> 24 ) )
+#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
+#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >>  8 ) )
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) ROTL8(  RT0[idx] )
+#define AES_RT2(idx) ROTL16( RT0[idx] )
+#define AES_RT3(idx) ROTL24( RT0[idx] )
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) ROTL8(  FT0[idx] )
+#define AES_FT2(idx) ROTL16( FT0[idx] )
+#define AES_FT3(idx) ROTL24( FT0[idx] )
+
+#else /* MBEDTLS_AES_FEWER_TABLES */
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) RT1[idx]
+#define AES_RT2(idx) RT2[idx]
+#define AES_RT3(idx) RT3[idx]
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) FT1[idx]
+#define AES_FT2(idx) FT2[idx]
+#define AES_FT3(idx) FT3[idx]
+
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+
+void mbedtls_aes_init( mbedtls_aes_context *ctx )
+{
+    AES_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_aes_context ) );
+}
+
+void mbedtls_aes_free( mbedtls_aes_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
+{
+    AES_VALIDATE( ctx != NULL );
+
+    mbedtls_aes_init( &ctx->crypt );
+    mbedtls_aes_init( &ctx->tweak );
+}
+
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_aes_free( &ctx->crypt );
+    mbedtls_aes_free( &ctx->tweak );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/*
+ * AES key schedule (encryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits )
+{
+    unsigned int i;
+    uint32_t *RK;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    switch( keybits )
+    {
+        case 128: ctx->nr = 10; break;
+        case 192: ctx->nr = 12; break;
+        case 256: ctx->nr = 14; break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+#if !defined(MBEDTLS_AES_ROM_TABLES)
+    if( aes_init_done == 0 )
+    {
+        aes_gen_tables();
+        aes_init_done = 1;
+    }
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
+    if( aes_padlock_ace == -1 )
+        aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
+
+    if( aes_padlock_ace )
+        ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
+    else
+#endif
+    ctx->rk = RK = ctx->buf;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+        return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
+#endif
+
+    for( i = 0; i < ( keybits >> 5 ); i++ )
+    {
+        GET_UINT32_LE( RK[i], key, i << 2 );
+    }
+
+    switch( ctx->nr )
+    {
+        case 10:
+
+            for( i = 0; i < 10; i++, RK += 4 )
+            {
+                RK[4]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
+
+                RK[5]  = RK[1] ^ RK[4];
+                RK[6]  = RK[2] ^ RK[5];
+                RK[7]  = RK[3] ^ RK[6];
+            }
+            break;
+
+        case 12:
+
+            for( i = 0; i < 8; i++, RK += 6 )
+            {
+                RK[6]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
+
+                RK[7]  = RK[1] ^ RK[6];
+                RK[8]  = RK[2] ^ RK[7];
+                RK[9]  = RK[3] ^ RK[8];
+                RK[10] = RK[4] ^ RK[9];
+                RK[11] = RK[5] ^ RK[10];
+            }
+            break;
+
+        case 14:
+
+            for( i = 0; i < 7; i++, RK += 8 )
+            {
+                RK[8]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
+
+                RK[9]  = RK[1] ^ RK[8];
+                RK[10] = RK[2] ^ RK[9];
+                RK[11] = RK[3] ^ RK[10];
+
+                RK[12] = RK[4] ^
+                ( (uint32_t) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
+
+                RK[13] = RK[5] ^ RK[12];
+                RK[14] = RK[6] ^ RK[13];
+                RK[15] = RK[7] ^ RK[14];
+            }
+            break;
+    }
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
+
+/*
+ * AES key schedule (decryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits )
+{
+    int i, j, ret;
+    mbedtls_aes_context cty;
+    uint32_t *RK;
+    uint32_t *SK;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    mbedtls_aes_init( &cty );
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
+    if( aes_padlock_ace == -1 )
+        aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
+
+    if( aes_padlock_ace )
+        ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
+    else
+#endif
+    ctx->rk = RK = ctx->buf;
+
+    /* Also checks keybits */
+    if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
+        goto exit;
+
+    ctx->nr = cty.nr;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    {
+        mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
+                           (const unsigned char *) cty.rk, ctx->nr );
+        goto exit;
+    }
+#endif
+
+    SK = cty.rk + cty.nr * 4;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+    for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
+    {
+        for( j = 0; j < 4; j++, SK++ )
+        {
+            *RK++ = AES_RT0( FSb[ ( *SK       ) & 0xFF ] ) ^
+                    AES_RT1( FSb[ ( *SK >>  8 ) & 0xFF ] ) ^
+                    AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
+                    AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
+        }
+    }
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+exit:
+    mbedtls_aes_free( &cty );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
+                                        unsigned int keybits,
+                                        const unsigned char **key1,
+                                        unsigned int *key1bits,
+                                        const unsigned char **key2,
+                                        unsigned int *key2bits )
+{
+    const unsigned int half_keybits = keybits / 2;
+    const unsigned int half_keybytes = half_keybits / 8;
+
+    switch( keybits )
+    {
+        case 256: break;
+        case 512: break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+    *key1bits = half_keybits;
+    *key2bits = half_keybits;
+    *key1 = &key[0];
+    *key2 = &key[half_keybytes];
+
+    return 0;
+}
+
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits)
+{
+    int ret;
+    const unsigned char *key1, *key2;
+    unsigned int key1bits, key2bits;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+                                       &key2, &key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set the tweak key. Always set tweak key for the encryption mode. */
+    ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set crypt key for encryption. */
+    return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
+}
+
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits)
+{
+    int ret;
+    const unsigned char *key1, *key2;
+    unsigned int key1bits, key2bits;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+                                       &key2, &key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set the tweak key. Always set tweak key for encryption. */
+    ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set crypt key for decryption. */
+    return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
+
+#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                     \
+    do                                                          \
+    {                                                           \
+        (X0) = *RK++ ^ AES_FT0( ( (Y0)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y1) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y3) >> 24 ) & 0xFF );        \
+                                                                \
+        (X1) = *RK++ ^ AES_FT0( ( (Y1)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y2) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y0) >> 24 ) & 0xFF );        \
+                                                                \
+        (X2) = *RK++ ^ AES_FT0( ( (Y2)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y3) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y1) >> 24 ) & 0xFF );        \
+                                                                \
+        (X3) = *RK++ ^ AES_FT0( ( (Y3)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y0) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y2) >> 24 ) & 0xFF );        \
+    } while( 0 )
+
+#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                 \
+    do                                                      \
+    {                                                       \
+        (X0) = *RK++ ^ AES_RT0( ( (Y0)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y3) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y1) >> 24 ) & 0xFF );    \
+                                                            \
+        (X1) = *RK++ ^ AES_RT0( ( (Y1)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y0) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y2) >> 24 ) & 0xFF );    \
+                                                            \
+        (X2) = *RK++ ^ AES_RT0( ( (Y2)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y1) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y3) >> 24 ) & 0xFF );    \
+                                                            \
+        (X3) = *RK++ ^ AES_RT0( ( (Y3)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y2) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y0) >> 24 ) & 0xFF );    \
+    } while( 0 )
+
+/*
+ * AES-ECB block encryption
+ */
+#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
+int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] )
+{
+    int i;
+    uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+
+    RK = ctx->rk;
+
+    GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
+    GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
+    GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
+    GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
+
+    for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
+    {
+        AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+        AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
+    }
+
+    AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+
+    X0 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y0       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
+
+    X1 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y1       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
+
+    X2 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y2       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
+
+    X3 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y3       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
+
+    PUT_UINT32_LE( X0, output,  0 );
+    PUT_UINT32_LE( X1, output,  4 );
+    PUT_UINT32_LE( X2, output,  8 );
+    PUT_UINT32_LE( X3, output, 12 );
+
+    mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
+                          const unsigned char input[16],
+                          unsigned char output[16] )
+{
+    mbedtls_internal_aes_encrypt( ctx, input, output );
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * AES-ECB block decryption
+ */
+#if !defined(MBEDTLS_AES_DECRYPT_ALT)
+int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] )
+{
+    int i;
+    uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+
+    RK = ctx->rk;
+
+    GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
+    GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
+    GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
+    GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
+
+    for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
+    {
+        AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+        AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
+    }
+
+    AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+
+    X0 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y0       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
+
+    X1 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y1       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
+
+    X2 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y2       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
+
+    X3 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y3       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
+
+    PUT_UINT32_LE( X0, output,  0 );
+    PUT_UINT32_LE( X1, output,  4 );
+    PUT_UINT32_LE( X2, output,  8 );
+    PUT_UINT32_LE( X3, output, 12 );
+
+    mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_DECRYPT_ALT */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
+                          const unsigned char input[16],
+                          unsigned char output[16] )
+{
+    mbedtls_internal_aes_decrypt( ctx, input, output );
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * AES-ECB block encryption/decryption
+ */
+int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
+                           int mode,
+                           const unsigned char input[16],
+                           unsigned char output[16] )
+{
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+        return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+    if( aes_padlock_ace )
+    {
+        if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
+            return( 0 );
+
+        // If padlock data misaligned, we just fall back to
+        // unaccelerated mode
+        //
+    }
+#endif
+
+    if( mode == MBEDTLS_AES_ENCRYPT )
+        return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
+    else
+        return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * AES-CBC buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[16];
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    if( length % 16 )
+        return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+    if( aes_padlock_ace )
+    {
+        if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
+            return( 0 );
+
+        // If padlock data misaligned, we just fall back to
+        // unaccelerated mode
+        //
+    }
+#endif
+
+    if( mode == MBEDTLS_AES_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 16 );
+            mbedtls_aes_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_aes_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+
+/* Endianess with 64 bits values */
+#ifndef GET_UINT64_LE
+#define GET_UINT64_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i) + 7] << 56 )             \
+        | ( (uint64_t) (b)[(i) + 6] << 48 )             \
+        | ( (uint64_t) (b)[(i) + 5] << 40 )             \
+        | ( (uint64_t) (b)[(i) + 4] << 32 )             \
+        | ( (uint64_t) (b)[(i) + 3] << 24 )             \
+        | ( (uint64_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint64_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint64_t) (b)[(i)    ]       );            \
+}
+#endif
+
+#ifndef PUT_UINT64_LE
+#define PUT_UINT64_LE(n,b,i)                            \
+{                                                       \
+    (b)[(i) + 7] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i)    ] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+typedef unsigned char mbedtls_be128[16];
+
+/*
+ * GF(2^128) multiplication function
+ *
+ * This function multiplies a field element by x in the polynomial field
+ * representation. It uses 64-bit word operations to gain speed but compensates
+ * for machine endianess and hence works correctly on both big and little
+ * endian machines.
+ */
+static void mbedtls_gf128mul_x_ble( unsigned char r[16],
+                                    const unsigned char x[16] )
+{
+    uint64_t a, b, ra, rb;
+
+    GET_UINT64_LE( a, x, 0 );
+    GET_UINT64_LE( b, x, 8 );
+
+    ra = ( a << 1 )  ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
+    rb = ( a >> 63 ) | ( b << 1 );
+
+    PUT_UINT64_LE( ra, r, 0 );
+    PUT_UINT64_LE( rb, r, 8 );
+}
+
+/*
+ * AES-XTS buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+                           int mode,
+                           size_t length,
+                           const unsigned char data_unit[16],
+                           const unsigned char *input,
+                           unsigned char *output )
+{
+    int ret;
+    size_t blocks = length / 16;
+    size_t leftover = length % 16;
+    unsigned char tweak[16];
+    unsigned char prev_tweak[16];
+    unsigned char tmp[16];
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( data_unit != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    /* Data units must be at least 16 bytes long. */
+    if( length < 16 )
+        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+    /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
+    if( length > ( 1 << 20 ) * 16 )
+        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+    /* Compute the tweak. */
+    ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
+                                 data_unit, tweak );
+    if( ret != 0 )
+        return( ret );
+
+    while( blocks-- )
+    {
+        size_t i;
+
+        if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
+        {
+            /* We are on the last block in a decrypt operation that has
+             * leftover bytes, so we need to use the next tweak for this block,
+             * and this tweak for the lefover bytes. Save the current tweak for
+             * the leftovers and then update the current tweak for use on this,
+             * the last full block. */
+            memcpy( prev_tweak, tweak, sizeof( tweak ) );
+            mbedtls_gf128mul_x_ble( tweak, tweak );
+        }
+
+        for( i = 0; i < 16; i++ )
+            tmp[i] = input[i] ^ tweak[i];
+
+        ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+        if( ret != 0 )
+            return( ret );
+
+        for( i = 0; i < 16; i++ )
+            output[i] = tmp[i] ^ tweak[i];
+
+        /* Update the tweak for the next block. */
+        mbedtls_gf128mul_x_ble( tweak, tweak );
+
+        output += 16;
+        input += 16;
+    }
+
+    if( leftover )
+    {
+        /* If we are on the leftover bytes in a decrypt operation, we need to
+         * use the previous tweak for these bytes (as saved in prev_tweak). */
+        unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
+
+        /* We are now on the final part of the data unit, which doesn't divide
+         * evenly by 16. It's time for ciphertext stealing. */
+        size_t i;
+        unsigned char *prev_output = output - 16;
+
+        /* Copy ciphertext bytes from the previous block to our output for each
+         * byte of cyphertext we won't steal. At the same time, copy the
+         * remainder of the input for this final round (since the loop bounds
+         * are the same). */
+        for( i = 0; i < leftover; i++ )
+        {
+            output[i] = prev_output[i];
+            tmp[i] = input[i] ^ t[i];
+        }
+
+        /* Copy ciphertext bytes from the previous block for input in this
+         * round. */
+        for( ; i < 16; i++ )
+            tmp[i] = prev_output[i] ^ t[i];
+
+        ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+        if( ret != 0 )
+            return ret;
+
+        /* Write the result back to the previous block, overriding the previous
+         * output we copied. */
+        for( i = 0; i < 16; i++ )
+            prev_output[i] = tmp[i] ^ t[i];
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv_off != NULL );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *iv_off;
+
+    if( n > 15 )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_AES_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+
+/*
+ * AES-CFB8 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[16],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    unsigned char c;
+    unsigned char ov[17];
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+    while( length-- )
+    {
+        memcpy( ov, iv, 16 );
+        mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+            ov[16] = *input;
+
+        c = *output++ = (unsigned char)( iv[0] ^ *input++ );
+
+        if( mode == MBEDTLS_AES_ENCRYPT )
+            ov[16] = c;
+
+        memcpy( iv, ov + 1, 16 );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB (Output Feedback Mode) buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+                           size_t length,
+                           size_t *iv_off,
+                           unsigned char iv[16],
+                           const unsigned char *input,
+                           unsigned char *output )
+{
+    int ret = 0;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( iv_off != NULL );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *iv_off;
+
+    if( n > 15 )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 )
+        {
+            ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+            if( ret != 0 )
+                goto exit;
+        }
+        *output++ =  *input++ ^ iv[n];
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *iv_off = n;
+
+exit:
+    return( ret );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( nc_off != NULL );
+    AES_VALIDATE_RET( nonce_counter != NULL );
+    AES_VALIDATE_RET( stream_block != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *nc_off;
+
+    if ( n > 0x0F )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
+
+            for( i = 16; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#endif /* !MBEDTLS_AES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * AES test vectors from:
+ *
+ * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+ */
+static const unsigned char aes_test_ecb_dec[3][16] =
+{
+    { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
+      0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
+    { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
+      0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
+    { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
+      0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
+};
+
+static const unsigned char aes_test_ecb_enc[3][16] =
+{
+    { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
+      0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
+    { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
+      0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
+    { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
+      0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char aes_test_cbc_dec[3][16] =
+{
+    { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
+      0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
+    { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
+      0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
+    { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
+      0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
+};
+
+static const unsigned char aes_test_cbc_enc[3][16] =
+{
+    { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
+      0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
+    { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
+      0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
+    { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
+      0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 test vectors from:
+ *
+ * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
+ */
+static const unsigned char aes_test_cfb128_key[3][32] =
+{
+    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char aes_test_cfb128_iv[16] =
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_cfb128_pt[64] =
+{
+    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_cfb128_ct[3][64] =
+{
+    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+      0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
+      0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
+      0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
+      0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
+      0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
+      0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
+    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+      0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
+      0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
+      0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
+      0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
+      0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
+      0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
+    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+      0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
+      0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
+      0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
+      0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
+      0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
+      0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB test vectors from:
+ *
+ * https://csrc.nist.gov/publications/detail/sp/800-38a/final
+ */
+static const unsigned char aes_test_ofb_key[3][32] =
+{
+    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char aes_test_ofb_iv[16] =
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_ofb_pt[64] =
+{
+    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_ofb_ct[3][64] =
+{
+    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+      0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
+      0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
+      0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
+      0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
+      0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
+      0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
+    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+      0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
+      0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
+      0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
+      0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
+      0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
+      0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
+    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+      0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
+      0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
+      0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
+      0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
+      0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
+      0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc3686.html
+ */
+
+static const unsigned char aes_test_ctr_key[3][16] =
+{
+    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char aes_test_ctr_nonce_counter[3][16] =
+{
+    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char aes_test_ctr_pt[3][48] =
+{
+    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+      0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char aes_test_ctr_ct[3][48] =
+{
+    { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
+      0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
+    { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
+      0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
+      0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
+      0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
+    { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
+      0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
+      0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
+      0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
+      0x25, 0xB2, 0x07, 0x2F }
+};
+
+static const int aes_test_ctr_len[3] =
+    { 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/*
+ * AES-XTS test vectors from:
+ *
+ * IEEE P1619/D16 Annex B
+ * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+ * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
+ */
+static const unsigned char aes_test_xts_key[][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+      0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+    { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
+      0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+};
+
+static const unsigned char aes_test_xts_pt32[][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+};
+
+static const unsigned char aes_test_xts_ct32[][32] =
+{
+    { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
+      0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
+      0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
+      0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
+    { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
+      0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
+      0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
+      0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
+    { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
+      0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
+      0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
+      0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
+};
+
+static const unsigned char aes_test_xts_data_unit[][16] =
+{
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+   { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+   { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+};
+
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aes_self_test( int verbose )
+{
+    int ret = 0, i, j, u, mode;
+    unsigned int keybits;
+    unsigned char key[32];
+    unsigned char buf[64];
+    const unsigned char *aes_tests;
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
+    unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char prv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_OFB)
+    size_t offset;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
+    int len;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    unsigned char nonce_counter[16];
+    unsigned char stream_block[16];
+#endif
+    mbedtls_aes_context ctx;
+
+    memset( key, 0, 32 );
+    mbedtls_aes_init( &ctx );
+
+    /*
+     * ECB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-ECB-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( buf, 0, 16 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
+            aes_tests = aes_test_ecb_dec[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+            aes_tests = aes_test_ecb_enc[u];
+        }
+
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
+            if( ret != 0 )
+                goto exit;
+        }
+
+        if( memcmp( buf, aes_tests, 16 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CBC-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( iv , 0, 16 );
+        memset( prv, 0, 16 );
+        memset( buf, 0, 16 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
+            aes_tests = aes_test_cbc_dec[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+            aes_tests = aes_test_cbc_enc[u];
+        }
+
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            if( mode == MBEDTLS_AES_ENCRYPT )
+            {
+                unsigned char tmp[16];
+
+                memcpy( tmp, prv, 16 );
+                memcpy( prv, buf, 16 );
+                memcpy( buf, tmp, 16 );
+            }
+
+            ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
+            if( ret != 0 )
+                goto exit;
+
+        }
+
+        if( memcmp( buf, aes_tests, 16 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    /*
+     * CFB128 mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CFB128-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  aes_test_cfb128_iv, 16 );
+        memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
+
+        offset = 0;
+        ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_cfb128_ct[u], 64 );
+            aes_tests = aes_test_cfb128_pt;
+        }
+        else
+        {
+            memcpy( buf, aes_test_cfb128_pt, 64 );
+            aes_tests = aes_test_cfb128_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, 64 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    /*
+     * OFB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-OFB-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  aes_test_ofb_iv, 16 );
+        memcpy( key, aes_test_ofb_key[u], keybits / 8 );
+
+        offset = 0;
+        ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_ofb_ct[u], 64 );
+            aes_tests = aes_test_ofb_pt;
+        }
+        else
+        {
+            memcpy( buf, aes_test_ofb_pt, 64 );
+            aes_tests = aes_test_ofb_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, 64 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /*
+     * CTR mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CTR-128 (%s): ",
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
+        memcpy( key, aes_test_ctr_key[u], 16 );
+
+        offset = 0;
+        if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
+            goto exit;
+
+        len = aes_test_ctr_len[u];
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_ctr_ct[u], len );
+            aes_tests = aes_test_ctr_pt[u];
+        }
+        else
+        {
+            memcpy( buf, aes_test_ctr_pt[u], len );
+            aes_tests = aes_test_ctr_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
+                                     stream_block, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, len ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    {
+    static const int num_tests =
+        sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
+    mbedtls_aes_xts_context ctx_xts;
+
+    /*
+     * XTS mode
+     */
+    mbedtls_aes_xts_init( &ctx_xts );
+
+    for( i = 0; i < num_tests << 1; i++ )
+    {
+        const unsigned char *data_unit;
+        u = i >> 1;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-XTS-128 (%s): ",
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( key, 0, sizeof( key ) );
+        memcpy( key, aes_test_xts_key[u], 32 );
+        data_unit = aes_test_xts_data_unit[u];
+
+        len = sizeof( *aes_test_xts_ct32 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
+            if( ret != 0)
+                goto exit;
+            memcpy( buf, aes_test_xts_ct32[u], len );
+            aes_tests = aes_test_xts_pt32[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
+            if( ret != 0)
+                goto exit;
+            memcpy( buf, aes_test_xts_pt32[u], len );
+            aes_tests = aes_test_xts_ct32[u];
+        }
+
+
+        ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
+                                     buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, len ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    mbedtls_aes_xts_free( &ctx_xts );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+    ret = 0;
+
+exit:
+    if( ret != 0 && verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    mbedtls_aes_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_AES_C */
diff --git a/ctrtool/deps/libmbedtls/src/aesni.c b/ctrtool/deps/libmbedtls/src/aesni.c
new file mode 100644
index 00000000..062708b0
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/aesni.c
@@ -0,0 +1,470 @@
+/*
+ *  AES-NI support functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * [AES-WP] http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set
+ * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AESNI_C)
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#warning "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
+#endif
+#endif
+
+#include "mbedtls/aesni.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+/*
+ * AES-NI support detection routine
+ */
+int mbedtls_aesni_has_support( unsigned int what )
+{
+    static int done = 0;
+    static unsigned int c = 0;
+
+    if( ! done )
+    {
+        asm( "movl  $1, %%eax   \n\t"
+             "cpuid             \n\t"
+             : "=c" (c)
+             :
+             : "eax", "ebx", "edx" );
+        done = 1;
+    }
+
+    return( ( c & what ) != 0 );
+}
+
+/*
+ * Binutils needs to be at least 2.19 to support AES-NI instructions.
+ * Unfortunately, a lot of users have a lower version now (2014-04).
+ * Emit bytecode directly in order to support "old" version of gas.
+ *
+ * Opcodes from the Intel architecture reference manual, vol. 3.
+ * We always use registers, so we don't need prefixes for memory operands.
+ * Operand macros are in gas order (src, dst) as opposed to Intel order
+ * (dst, src) in order to blend better into the surrounding assembly code.
+ */
+#define AESDEC      ".byte 0x66,0x0F,0x38,0xDE,"
+#define AESDECLAST  ".byte 0x66,0x0F,0x38,0xDF,"
+#define AESENC      ".byte 0x66,0x0F,0x38,0xDC,"
+#define AESENCLAST  ".byte 0x66,0x0F,0x38,0xDD,"
+#define AESIMC      ".byte 0x66,0x0F,0x38,0xDB,"
+#define AESKEYGENA  ".byte 0x66,0x0F,0x3A,0xDF,"
+#define PCLMULQDQ   ".byte 0x66,0x0F,0x3A,0x44,"
+
+#define xmm0_xmm0   "0xC0"
+#define xmm0_xmm1   "0xC8"
+#define xmm0_xmm2   "0xD0"
+#define xmm0_xmm3   "0xD8"
+#define xmm0_xmm4   "0xE0"
+#define xmm1_xmm0   "0xC1"
+#define xmm1_xmm2   "0xD1"
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
+                     int mode,
+                     const unsigned char input[16],
+                     unsigned char output[16] )
+{
+    asm( "movdqu    (%3), %%xmm0    \n\t" // load input
+         "movdqu    (%1), %%xmm1    \n\t" // load round key 0
+         "pxor      %%xmm1, %%xmm0  \n\t" // round 0
+         "add       $16, %1         \n\t" // point to next round key
+         "subl      $1, %0          \n\t" // normal rounds = nr - 1
+         "test      %2, %2          \n\t" // mode?
+         "jz        2f              \n\t" // 0 = decrypt
+
+         "1:                        \n\t" // encryption loop
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESENC     xmm1_xmm0      "\n\t" // do round
+         "add       $16, %1         \n\t" // point to next round key
+         "subl      $1, %0          \n\t" // loop
+         "jnz       1b              \n\t"
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESENCLAST xmm1_xmm0      "\n\t" // last round
+         "jmp       3f              \n\t"
+
+         "2:                        \n\t" // decryption loop
+         "movdqu    (%1), %%xmm1    \n\t"
+         AESDEC     xmm1_xmm0      "\n\t" // do round
+         "add       $16, %1         \n\t"
+         "subl      $1, %0          \n\t"
+         "jnz       2b              \n\t"
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESDECLAST xmm1_xmm0      "\n\t" // last round
+
+         "3:                        \n\t"
+         "movdqu    %%xmm0, (%4)    \n\t" // export output
+         :
+         : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
+         : "memory", "cc", "xmm0", "xmm1" );
+
+
+    return( 0 );
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+void mbedtls_aesni_gcm_mult( unsigned char c[16],
+                     const unsigned char a[16],
+                     const unsigned char b[16] )
+{
+    unsigned char aa[16], bb[16], cc[16];
+    size_t i;
+
+    /* The inputs are in big-endian order, so byte-reverse them */
+    for( i = 0; i < 16; i++ )
+    {
+        aa[i] = a[15 - i];
+        bb[i] = b[15 - i];
+    }
+
+    asm( "movdqu (%0), %%xmm0               \n\t" // a1:a0
+         "movdqu (%1), %%xmm1               \n\t" // b1:b0
+
+         /*
+          * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
+          * using [CLMUL-WP] algorithm 1 (p. 13).
+          */
+         "movdqa %%xmm1, %%xmm2             \n\t" // copy of b1:b0
+         "movdqa %%xmm1, %%xmm3             \n\t" // same
+         "movdqa %%xmm1, %%xmm4             \n\t" // same
+         PCLMULQDQ xmm0_xmm1 ",0x00         \n\t" // a0*b0 = c1:c0
+         PCLMULQDQ xmm0_xmm2 ",0x11         \n\t" // a1*b1 = d1:d0
+         PCLMULQDQ xmm0_xmm3 ",0x10         \n\t" // a0*b1 = e1:e0
+         PCLMULQDQ xmm0_xmm4 ",0x01         \n\t" // a1*b0 = f1:f0
+         "pxor %%xmm3, %%xmm4               \n\t" // e1+f1:e0+f0
+         "movdqa %%xmm4, %%xmm3             \n\t" // same
+         "psrldq $8, %%xmm4                 \n\t" // 0:e1+f1
+         "pslldq $8, %%xmm3                 \n\t" // e0+f0:0
+         "pxor %%xmm4, %%xmm2               \n\t" // d1:d0+e1+f1
+         "pxor %%xmm3, %%xmm1               \n\t" // c1+e0+f1:c0
+
+         /*
+          * Now shift the result one bit to the left,
+          * taking advantage of [CLMUL-WP] eq 27 (p. 20)
+          */
+         "movdqa %%xmm1, %%xmm3             \n\t" // r1:r0
+         "movdqa %%xmm2, %%xmm4             \n\t" // r3:r2
+         "psllq $1, %%xmm1                  \n\t" // r1<<1:r0<<1
+         "psllq $1, %%xmm2                  \n\t" // r3<<1:r2<<1
+         "psrlq $63, %%xmm3                 \n\t" // r1>>63:r0>>63
+         "psrlq $63, %%xmm4                 \n\t" // r3>>63:r2>>63
+         "movdqa %%xmm3, %%xmm5             \n\t" // r1>>63:r0>>63
+         "pslldq $8, %%xmm3                 \n\t" // r0>>63:0
+         "pslldq $8, %%xmm4                 \n\t" // r2>>63:0
+         "psrldq $8, %%xmm5                 \n\t" // 0:r1>>63
+         "por %%xmm3, %%xmm1                \n\t" // r1<<1|r0>>63:r0<<1
+         "por %%xmm4, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1
+         "por %%xmm5, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
+
+         /*
+          * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+          * using [CLMUL-WP] algorithm 5 (p. 20).
+          * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
+          */
+         /* Step 2 (1) */
+         "movdqa %%xmm1, %%xmm3             \n\t" // x1:x0
+         "movdqa %%xmm1, %%xmm4             \n\t" // same
+         "movdqa %%xmm1, %%xmm5             \n\t" // same
+         "psllq $63, %%xmm3                 \n\t" // x1<<63:x0<<63 = stuff:a
+         "psllq $62, %%xmm4                 \n\t" // x1<<62:x0<<62 = stuff:b
+         "psllq $57, %%xmm5                 \n\t" // x1<<57:x0<<57 = stuff:c
+
+         /* Step 2 (2) */
+         "pxor %%xmm4, %%xmm3               \n\t" // stuff:a+b
+         "pxor %%xmm5, %%xmm3               \n\t" // stuff:a+b+c
+         "pslldq $8, %%xmm3                 \n\t" // a+b+c:0
+         "pxor %%xmm3, %%xmm1               \n\t" // x1+a+b+c:x0 = d:x0
+
+         /* Steps 3 and 4 */
+         "movdqa %%xmm1,%%xmm0              \n\t" // d:x0
+         "movdqa %%xmm1,%%xmm4              \n\t" // same
+         "movdqa %%xmm1,%%xmm5              \n\t" // same
+         "psrlq $1, %%xmm0                  \n\t" // e1:x0>>1 = e1:e0'
+         "psrlq $2, %%xmm4                  \n\t" // f1:x0>>2 = f1:f0'
+         "psrlq $7, %%xmm5                  \n\t" // g1:x0>>7 = g1:g0'
+         "pxor %%xmm4, %%xmm0               \n\t" // e1+f1:e0'+f0'
+         "pxor %%xmm5, %%xmm0               \n\t" // e1+f1+g1:e0'+f0'+g0'
+         // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
+         // bits carried from d. Now get those\t bits back in.
+         "movdqa %%xmm1,%%xmm3              \n\t" // d:x0
+         "movdqa %%xmm1,%%xmm4              \n\t" // same
+         "movdqa %%xmm1,%%xmm5              \n\t" // same
+         "psllq $63, %%xmm3                 \n\t" // d<<63:stuff
+         "psllq $62, %%xmm4                 \n\t" // d<<62:stuff
+         "psllq $57, %%xmm5                 \n\t" // d<<57:stuff
+         "pxor %%xmm4, %%xmm3               \n\t" // d<<63+d<<62:stuff
+         "pxor %%xmm5, %%xmm3               \n\t" // missing bits of d:stuff
+         "psrldq $8, %%xmm3                 \n\t" // 0:missing bits of d
+         "pxor %%xmm3, %%xmm0               \n\t" // e1+f1+g1:e0+f0+g0
+         "pxor %%xmm1, %%xmm0               \n\t" // h1:h0
+         "pxor %%xmm2, %%xmm0               \n\t" // x3+h1:x2+h0
+
+         "movdqu %%xmm0, (%2)               \n\t" // done
+         :
+         : "r" (aa), "r" (bb), "r" (cc)
+         : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5" );
+
+    /* Now byte-reverse the outputs */
+    for( i = 0; i < 16; i++ )
+        c[i] = cc[15 - i];
+
+    return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+void mbedtls_aesni_inverse_key( unsigned char *invkey,
+                        const unsigned char *fwdkey, int nr )
+{
+    unsigned char *ik = invkey;
+    const unsigned char *fk = fwdkey + 16 * nr;
+
+    memcpy( ik, fk, 16 );
+
+    for( fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16 )
+        asm( "movdqu (%0), %%xmm0       \n\t"
+             AESIMC  xmm0_xmm0         "\n\t"
+             "movdqu %%xmm0, (%1)       \n\t"
+             :
+             : "r" (fk), "r" (ik)
+             : "memory", "xmm0" );
+
+    memcpy( ik, fk, 16 );
+}
+
+/*
+ * Key expansion, 128-bit case
+ */
+static void aesni_setkey_enc_128( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0               \n\t" // copy the original key
+         "movdqu %%xmm0, (%0)               \n\t" // as round key 0
+         "jmp 2f                            \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next round key.
+          *
+          * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
+          * with X = rot( sub( r3 ) ) ^ RCON.
+          *
+          * On exit, xmm0 is r7:r6:r5:r4
+          * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+          * and those are written to the round key buffer.
+          */
+         "1:                                \n\t"
+         "pshufd $0xff, %%xmm1, %%xmm1      \n\t" // X:X:X:X
+         "pxor %%xmm0, %%xmm1               \n\t" // X+r3:X+r2:X+r1:r4
+         "pslldq $4, %%xmm0                 \n\t" // r2:r1:r0:0
+         "pxor %%xmm0, %%xmm1               \n\t" // X+r3+r2:X+r2+r1:r5:r4
+         "pslldq $4, %%xmm0                 \n\t" // etc
+         "pxor %%xmm0, %%xmm1               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm1, %%xmm0               \n\t" // update xmm0 for next time!
+         "add $16, %0                       \n\t" // point to next round key
+         "movdqu %%xmm0, (%0)               \n\t" // write it
+         "ret                               \n\t"
+
+         /* Main "loop" */
+         "2:                                \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x01        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x02        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x04        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x08        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x10        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x20        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x40        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x80        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x1B        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x36        \n\tcall 1b \n\t"
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+static void aesni_setkey_enc_192( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0   \n\t" // copy original round key
+         "movdqu %%xmm0, (%0)   \n\t"
+         "add $16, %0           \n\t"
+         "movq 16(%1), %%xmm1   \n\t"
+         "movq %%xmm1, (%0)     \n\t"
+         "add $8, %0            \n\t"
+         "jmp 2f                \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next 6 quarter-keys.
+          *
+          * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
+          * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
+          *
+          * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
+          * and those are written to the round key buffer.
+          */
+         "1:                            \n\t"
+         "pshufd $0x55, %%xmm2, %%xmm2  \n\t" // X:X:X:X
+         "pxor %%xmm0, %%xmm2           \n\t" // X+r3:X+r2:X+r1:r4
+         "pslldq $4, %%xmm0             \n\t" // etc
+         "pxor %%xmm0, %%xmm2           \n\t"
+         "pslldq $4, %%xmm0             \n\t"
+         "pxor %%xmm0, %%xmm2           \n\t"
+         "pslldq $4, %%xmm0             \n\t"
+         "pxor %%xmm2, %%xmm0           \n\t" // update xmm0 = r9:r8:r7:r6
+         "movdqu %%xmm0, (%0)           \n\t"
+         "add $16, %0                   \n\t"
+         "pshufd $0xff, %%xmm0, %%xmm2  \n\t" // r9:r9:r9:r9
+         "pxor %%xmm1, %%xmm2           \n\t" // stuff:stuff:r9+r5:r10
+         "pslldq $4, %%xmm1             \n\t" // r2:r1:r0:0
+         "pxor %%xmm2, %%xmm1           \n\t" // xmm1 = stuff:stuff:r11:r10
+         "movq %%xmm1, (%0)             \n\t"
+         "add $8, %0                    \n\t"
+         "ret                           \n\t"
+
+         "2:                            \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x01    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x02    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x04    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x08    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x10    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x20    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x40    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x80    \n\tcall 1b \n\t"
+
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, 256-bit case
+ */
+static void aesni_setkey_enc_256( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0           \n\t"
+         "movdqu %%xmm0, (%0)           \n\t"
+         "add $16, %0                   \n\t"
+         "movdqu 16(%1), %%xmm1         \n\t"
+         "movdqu %%xmm1, (%0)           \n\t"
+         "jmp 2f                        \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next two round keys.
+          *
+          * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
+          * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+          *
+          * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
+          * and those have been written to the output buffer.
+          */
+         "1:                                \n\t"
+         "pshufd $0xff, %%xmm2, %%xmm2      \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm2, %%xmm0               \n\t"
+         "add $16, %0                       \n\t"
+         "movdqu %%xmm0, (%0)               \n\t"
+
+         /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
+          * and proceed to generate next round key from there */
+         AESKEYGENA xmm0_xmm2 ",0x00        \n\t"
+         "pshufd $0xaa, %%xmm2, %%xmm2      \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm2, %%xmm1               \n\t"
+         "add $16, %0                       \n\t"
+         "movdqu %%xmm1, (%0)               \n\t"
+         "ret                               \n\t"
+
+         /*
+          * Main "loop" - Generating one more key than necessary,
+          * see definition of mbedtls_aes_context.buf
+          */
+         "2:                                \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x01        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x02        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x04        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x08        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x10        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x20        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x40        \n\tcall 1b \n\t"
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesni_setkey_enc( unsigned char *rk,
+                      const unsigned char *key,
+                      size_t bits )
+{
+    switch( bits )
+    {
+        case 128: aesni_setkey_enc_128( rk, key ); break;
+        case 192: aesni_setkey_enc_192( rk, key ); break;
+        case 256: aesni_setkey_enc_256( rk, key ); break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_C */
diff --git a/ctrtool/deps/libmbedtls/src/arc4.c b/ctrtool/deps/libmbedtls/src/arc4.c
new file mode 100644
index 00000000..b8998ac6
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/arc4.c
@@ -0,0 +1,201 @@
+/*
+ *  An implementation of the ARCFOUR algorithm
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ARCFOUR algorithm was publicly disclosed on 94/09.
+ *
+ *  http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+
+#include "mbedtls/arc4.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARC4_ALT)
+
+void mbedtls_arc4_init( mbedtls_arc4_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_arc4_context ) );
+}
+
+void mbedtls_arc4_free( mbedtls_arc4_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_arc4_context ) );
+}
+
+/*
+ * ARC4 key schedule
+ */
+void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
+                 unsigned int keylen )
+{
+    int i, j, a;
+    unsigned int k;
+    unsigned char *m;
+
+    ctx->x = 0;
+    ctx->y = 0;
+    m = ctx->m;
+
+    for( i = 0; i < 256; i++ )
+        m[i] = (unsigned char) i;
+
+    j = k = 0;
+
+    for( i = 0; i < 256; i++, k++ )
+    {
+        if( k >= keylen ) k = 0;
+
+        a = m[i];
+        j = ( j + a + key[k] ) & 0xFF;
+        m[i] = m[j];
+        m[j] = (unsigned char) a;
+    }
+}
+
+/*
+ * ARC4 cipher function
+ */
+int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
+                unsigned char *output )
+{
+    int x, y, a, b;
+    size_t i;
+    unsigned char *m;
+
+    x = ctx->x;
+    y = ctx->y;
+    m = ctx->m;
+
+    for( i = 0; i < length; i++ )
+    {
+        x = ( x + 1 ) & 0xFF; a = m[x];
+        y = ( y + a ) & 0xFF; b = m[y];
+
+        m[x] = (unsigned char) b;
+        m[y] = (unsigned char) a;
+
+        output[i] = (unsigned char)
+            ( input[i] ^ m[(unsigned char)( a + b )] );
+    }
+
+    ctx->x = x;
+    ctx->y = y;
+
+    return( 0 );
+}
+
+#endif /* !MBEDTLS_ARC4_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * ARC4 tests vectors as posted by Eric Rescorla in sep. 1994:
+ *
+ * http://groups.google.com/group/comp.security.misc/msg/10a300c9d21afca0
+ */
+static const unsigned char arc4_test_key[3][8] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char arc4_test_pt[3][8] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char arc4_test_ct[3][8] =
+{
+    { 0x75, 0xB7, 0x87, 0x80, 0x99, 0xE0, 0xC5, 0x96 },
+    { 0x74, 0x94, 0xC2, 0xE7, 0x10, 0x4B, 0x08, 0x79 },
+    { 0xDE, 0x18, 0x89, 0x41, 0xA3, 0x37, 0x5D, 0x3A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_arc4_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char ibuf[8];
+    unsigned char obuf[8];
+    mbedtls_arc4_context ctx;
+
+    mbedtls_arc4_init( &ctx );
+
+    for( i = 0; i < 3; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ARC4 test #%d: ", i + 1 );
+
+        memcpy( ibuf, arc4_test_pt[i], 8 );
+
+        mbedtls_arc4_setup( &ctx, arc4_test_key[i], 8 );
+        mbedtls_arc4_crypt( &ctx, 8, ibuf, obuf );
+
+        if( memcmp( obuf, arc4_test_ct[i], 8 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_arc4_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARC4_C */
diff --git a/ctrtool/deps/libmbedtls/src/aria.c b/ctrtool/deps/libmbedtls/src/aria.c
new file mode 100644
index 00000000..aff66d66
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/aria.c
@@ -0,0 +1,1079 @@
+/*
+ *  ARIA implementation
+ *
+ *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * This implementation is based on the following standards:
+ * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
+ * [2] https://tools.ietf.org/html/rfc5794
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+
+#include "mbedtls/aria.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+
+#include "mbedtls/platform_util.h"
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define ARIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
+#define ARIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE( n, b, i )                \
+{                                               \
+    (n) = ( (uint32_t) (b)[(i)    ]       )     \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )     \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )     \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );    \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE( n, b, i )                                \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
+ *
+ * This is submatrix P1 in [1] Appendix B.1
+ *
+ * Common compilers fail to translate this to minimal number of instructions,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev16 available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p1( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
+    return( r );
+}
+#define ARIA_P1 aria_p1
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p1( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev16 r, x" );
+    return( r );
+}
+#define ARIA_P1 aria_p1
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+/* I couldn't find an Intel equivalent of rev16, so two instructions */
+#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P1)
+#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
+ *
+ * This is submatrix P2 in [1] Appendix B.1
+ *
+ * Common compilers will translate this to a single instruction.
+ */
+#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
+
+/*
+ * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
+ *
+ * This is submatrix P3 in [1] Appendix B.1
+ *
+ * Some compilers fail to translate this to a single instruction,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p3( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
+    return( r );
+}
+#define ARIA_P3 aria_p3
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p3( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev r, x" );
+    return( r );
+}
+#define ARIA_P3 aria_p3
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+static inline uint32_t aria_p3( uint32_t x )
+{
+    __asm( "bswap %0" : "=r" (x) : "0" (x) );
+    return( x );
+}
+#define ARIA_P3 aria_p3
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P3)
+#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
+#endif
+
+/*
+ * ARIA Affine Transform
+ * (a, b, c, d) = state in/out
+ *
+ * If we denote the first byte of input by 0, ..., the last byte by f,
+ * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
+ *
+ * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
+ * rearrangements on adjacent pairs, output is:
+ *
+ * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
+ *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
+ * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
+ *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
+ * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
+ *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
+ * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
+ *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
+ *
+ * Note: another presentation of the A transform can be found as the first
+ * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
+ * The implementation below uses only P1 and P2 as they are sufficient.
+ */
+static inline void aria_a( uint32_t *a, uint32_t *b,
+                           uint32_t *c, uint32_t *d )
+{
+    uint32_t ta, tb, tc;
+    ta  =  *b;                      // 4567
+    *b  =  *a;                      // 0123
+    *a  =  ARIA_P2( ta );           // 6745
+    tb  =  ARIA_P2( *d );           // efcd
+    *d  =  ARIA_P1( *c );           // 98ba
+    *c  =  ARIA_P1( tb );           // fedc
+    ta  ^= *d;                      // 4567+98ba
+    tc  =  ARIA_P2( *b );           // 2301
+    ta  =  ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
+    tb  ^= ARIA_P2( *d );           // ba98+efcd
+    tc  ^= ARIA_P1( *a );           // 2301+7654
+    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
+    tb  =  ARIA_P2( tb ) ^ ta;      // 2301+5476+89ab+98ba+cdef+fedc
+    *a  ^= ARIA_P1( tb );           // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
+    ta  =  ARIA_P2( ta );           // 0123+7654+ab89+dcfe
+    *d  ^= ARIA_P1( ta ) ^ tc;      // 1032+2301+6745+7654+98ba+ba98+cdef OUT
+    tc  =  ARIA_P2( tc );           // 0123+5476
+    *c  ^= ARIA_P1( tc ) ^ ta;      // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
+}
+
+/*
+ * ARIA Substitution Layer SL1 / SL2
+ * (a, b, c, d) = state in/out
+ * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
+ *
+ * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
+ * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
+ */
+static inline void aria_sl( uint32_t *a, uint32_t *b,
+                            uint32_t *c, uint32_t *d,
+                            const uint8_t sa[256], const uint8_t sb[256],
+                            const uint8_t sc[256], const uint8_t sd[256] )
+{
+    *a = ( (uint32_t) sa[ *a        & 0xFF]       ) ^
+         (((uint32_t) sb[(*a >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *a >> 24        ]) << 24);
+    *b = ( (uint32_t) sa[ *b        & 0xFF]       ) ^
+         (((uint32_t) sb[(*b >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *b >> 24        ]) << 24);
+    *c = ( (uint32_t) sa[ *c        & 0xFF]       ) ^
+         (((uint32_t) sb[(*c >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *c >> 24        ]) << 24);
+    *d = ( (uint32_t) sa[ *d        & 0xFF]       ) ^
+         (((uint32_t) sb[(*d >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *d >> 24        ]) << 24);
+}
+
+/*
+ * S-Boxes
+ */
+static const uint8_t aria_sb1[256] =
+{
+    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
+    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
+    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
+    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
+    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
+    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
+    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
+    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
+    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
+    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
+    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
+    0xB0, 0x54, 0xBB, 0x16
+};
+
+static const uint8_t aria_sb2[256] =
+{
+    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
+    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
+    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
+    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
+    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
+    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
+    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
+    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
+    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
+    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
+    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
+    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
+    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
+    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
+    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
+    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
+    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
+    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
+    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
+    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
+    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
+    0xAF, 0xBA, 0xB5, 0x81
+};
+
+static const uint8_t aria_is1[256] =
+{
+    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
+    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
+    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
+    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
+    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
+    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
+    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
+    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
+    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
+    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
+    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
+    0x55, 0x21, 0x0C, 0x7D
+};
+
+static const uint8_t aria_is2[256] =
+{
+    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
+    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
+    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
+    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
+    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
+    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
+    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
+    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
+    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
+    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
+    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
+    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
+    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
+    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
+    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
+    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
+    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
+    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
+    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
+    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
+    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
+    0x03, 0xA2, 0xAC, 0x60
+};
+
+/*
+ * Helper for key schedule: r = FO( p, k ) ^ x
+ */
+static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
+                         const uint32_t k[4], const uint32_t x[4] )
+{
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+    aria_a( &a, &b, &c, &d );
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Helper for key schedule: r = FE( p, k ) ^ x
+ */
+static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
+                         const uint32_t k[4], const uint32_t x[4] )
+{
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+    aria_a( &a, &b, &c, &d );
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
+ *
+ * We chose to store bytes into 32-bit words in little-endian format (see
+ * GET/PUT_UINT32_LE) so we need to reverse bytes here.
+ */
+static void aria_rot128( uint32_t r[4], const uint32_t a[4],
+                         const uint32_t b[4], uint8_t n )
+{
+    uint8_t i, j;
+    uint32_t t, u;
+
+    const uint8_t n1 = n % 32;              // bit offset
+    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
+
+    j = ( n / 32 ) % 4;                     // initial word offset
+    t = ARIA_P3( b[j] );                    // big endian
+    for( i = 0; i < 4; i++ )
+    {
+        j = ( j + 1 ) % 4;                  // get next word, big endian
+        u = ARIA_P3( b[j] );
+        t <<= n1;                           // rotate
+        t |= u >> n2;
+        t = ARIA_P3( t );                   // back to little endian
+        r[i] = a[i] ^ t;                    // store
+        t = u;                              // move to next word
+    }
+}
+
+/*
+ * Set encryption key
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+                             const unsigned char *key, unsigned int keybits )
+{
+    /* round constant masks */
+    const uint32_t rc[3][4] =
+    {
+        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
+        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
+        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
+    };
+
+    int i;
+    uint32_t w[4][4], *w2;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( key != NULL );
+
+    if( keybits != 128 && keybits != 192 && keybits != 256 )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    /* Copy key to W0 (and potential remainder to W1) */
+    GET_UINT32_LE( w[0][0], key,  0 );
+    GET_UINT32_LE( w[0][1], key,  4 );
+    GET_UINT32_LE( w[0][2], key,  8 );
+    GET_UINT32_LE( w[0][3], key, 12 );
+
+    memset( w[1], 0, 16 );
+    if( keybits >= 192 )
+    {
+        GET_UINT32_LE( w[1][0], key, 16 );  // 192 bit key
+        GET_UINT32_LE( w[1][1], key, 20 );
+    }
+    if( keybits == 256 )
+    {
+        GET_UINT32_LE( w[1][2], key, 24 );  // 256 bit key
+        GET_UINT32_LE( w[1][3], key, 28 );
+    }
+
+    i = ( keybits - 128 ) >> 6;             // index: 0, 1, 2
+    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
+
+    aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
+    i = i < 2 ? i + 1 : 0;
+    aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
+    i = i < 2 ? i + 1 : 0;
+    aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
+
+    for( i = 0; i < 4; i++ )                // create round keys
+    {
+        w2 = w[(i + 1) & 3];
+        aria_rot128( ctx->rk[i     ], w[i], w2, 128 - 19 );
+        aria_rot128( ctx->rk[i +  4], w[i], w2, 128 - 31 );
+        aria_rot128( ctx->rk[i +  8], w[i], w2,       61 );
+        aria_rot128( ctx->rk[i + 12], w[i], w2,       31 );
+    }
+    aria_rot128( ctx->rk[16], w[0], w[1], 19 );
+
+    /* w holds enough info to reconstruct the round keys */
+    mbedtls_platform_zeroize( w, sizeof( w ) );
+
+    return( 0 );
+}
+
+/*
+ * Set decryption key
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+                             const unsigned char *key, unsigned int keybits )
+{
+    int i, j, k, ret;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
+    if( ret != 0 )
+        return( ret );
+
+    /* flip the order of round keys */
+    for( i = 0, j = ctx->nr; i < j; i++, j-- )
+    {
+        for( k = 0; k < 4; k++ )
+        {
+            uint32_t t = ctx->rk[i][k];
+            ctx->rk[i][k] = ctx->rk[j][k];
+            ctx->rk[j][k] = t;
+        }
+    }
+
+    /* apply affine transform to middle keys */
+    for( i = 1; i < ctx->nr; i++ )
+    {
+        aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
+                &ctx->rk[i][2], &ctx->rk[i][3] );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Encrypt a block
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
+{
+    int i;
+
+    uint32_t a, b, c, d;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( input != NULL );
+    ARIA_VALIDATE_RET( output != NULL );
+
+    GET_UINT32_LE( a, input,  0 );
+    GET_UINT32_LE( b, input,  4 );
+    GET_UINT32_LE( c, input,  8 );
+    GET_UINT32_LE( d, input, 12 );
+
+    i = 0;
+    while( 1 )
+    {
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+        aria_a( &a, &b, &c, &d );
+
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+        if( i >= ctx->nr )
+            break;
+        aria_a( &a, &b, &c, &d );
+    }
+
+    /* final key mixing */
+    a ^= ctx->rk[i][0];
+    b ^= ctx->rk[i][1];
+    c ^= ctx->rk[i][2];
+    d ^= ctx->rk[i][3];
+
+    PUT_UINT32_LE( a, output,  0 );
+    PUT_UINT32_LE( b, output,  4 );
+    PUT_UINT32_LE( c, output,  8 );
+    PUT_UINT32_LE( d, output, 12 );
+
+    return( 0 );
+}
+
+/* Initialize context */
+void mbedtls_aria_init( mbedtls_aria_context *ctx )
+{
+    ARIA_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_aria_context ) );
+}
+
+/* Clear context */
+void mbedtls_aria_free( mbedtls_aria_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * ARIA-CBC buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    int i;
+    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
+                       mode == MBEDTLS_ARIA_DECRYPT );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( iv != NULL );
+
+    if( length % MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_ARIA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
+            mbedtls_aria_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_aria_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * ARIA-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+                               int mode,
+                               size_t length,
+                               size_t *iv_off,
+                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    unsigned char c;
+    size_t n;
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
+                       mode == MBEDTLS_ARIA_DECRYPT );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( iv != NULL );
+    ARIA_VALIDATE_RET( iv_off != NULL );
+
+    n = *iv_off;
+
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_ARIA_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+            c = *input++;
+            *output++ = c ^ iv[n];
+            iv[n] = c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * ARIA-CTR buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+                            size_t length,
+                            size_t *nc_off,
+                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    int c, i;
+    size_t n;
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( nonce_counter != NULL );
+    ARIA_VALIDATE_RET( stream_block  != NULL );
+    ARIA_VALIDATE_RET( nc_off != NULL );
+
+    n = *nc_off;
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_aria_crypt_ecb( ctx, nonce_counter,
+                                stream_block );
+
+            for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Basic ARIA ECB test vectors from RFC 5794
+ */
+static const uint8_t aria_test1_ecb_key[32] =           // test key
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
+    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
+};
+
+static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
+{
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
+    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
+};
+
+static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
+{
+    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
+      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
+    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
+      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
+    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
+      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
+};
+
+/*
+ * Mode tests from "Test Vectors for ARIA"  Version 1.0
+ * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
+ */
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_CTR))
+static const uint8_t aria_test2_key[32] =
+{
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
+};
+
+static const uint8_t aria_test2_pt[48] =
+{
+    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
+    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
+    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
+    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
+    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
+    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
+};
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
+static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
+{
+    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
+    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
+{
+    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
+      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
+      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
+      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
+      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
+      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
+    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
+      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
+      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
+      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
+      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
+      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
+    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
+      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
+      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
+      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
+      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
+      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
+{
+    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
+      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
+      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
+      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
+      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
+      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
+    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
+      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
+      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
+      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
+      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
+      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
+    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
+      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
+      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
+      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
+      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
+      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
+{
+    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
+      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
+      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
+      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
+      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
+      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
+    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
+      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
+      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
+      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
+      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
+      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
+    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
+      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
+      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
+      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
+      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
+      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#define ARIA_SELF_TEST_IF_FAIL              \
+        {                                   \
+            if( verbose )                   \
+                mbedtls_printf( "failed\n" );       \
+            return( 1 );                    \
+        } else {                            \
+            if( verbose )                   \
+                mbedtls_printf( "passed\n" );       \
+        }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aria_self_test( int verbose )
+{
+    int i;
+    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
+    mbedtls_aria_context ctx;
+
+#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
+    size_t j;
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+     defined(MBEDTLS_CIPHER_MODE_CFB) || \
+     defined(MBEDTLS_CIPHER_MODE_CTR))
+    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
+#endif
+
+    /*
+     * Test set 1
+     */
+    for( i = 0; i < 3; i++ )
+    {
+        /* test ECB encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-ECB-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
+        if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* test ECB decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-ECB-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
+        if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+
+    /*
+     * Test set 2
+     */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CBC encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CBC-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0x55, sizeof( buf ) );
+        mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CBC decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CBC-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0xAA, sizeof( buf ) );
+        mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
+            aria_test2_cbc_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CFB encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CFB-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0x55, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CFB decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CFB-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0xAA, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
+            iv, aria_test2_cfb_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CTR encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CTR-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
+        memset( buf, 0x55, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CTR decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CTR-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
+        memset( buf, 0xAA, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+            aria_test2_ctr_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARIA_C */
diff --git a/ctrtool/deps/libmbedtls/src/asn1parse.c b/ctrtool/deps/libmbedtls/src/asn1parse.c
new file mode 100644
index 00000000..171c340b
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/asn1parse.c
@@ -0,0 +1,389 @@
+/*
+ *  Generic ASN.1 parsing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/*
+ * ASN.1 DER decoding routines
+ */
+int mbedtls_asn1_get_len( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len )
+{
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( ( **p & 0x80 ) == 0 )
+        *len = *(*p)++;
+    else
+    {
+        switch( **p & 0x7F )
+        {
+        case 1:
+            if( ( end - *p ) < 2 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = (*p)[1];
+            (*p) += 2;
+            break;
+
+        case 2:
+            if( ( end - *p ) < 3 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 8 ) | (*p)[2];
+            (*p) += 3;
+            break;
+
+        case 3:
+            if( ( end - *p ) < 4 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 16 ) |
+                   ( (size_t)(*p)[2] << 8  ) | (*p)[3];
+            (*p) += 4;
+            break;
+
+        case 4:
+            if( ( end - *p ) < 5 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 24 ) | ( (size_t)(*p)[2] << 16 ) |
+                   ( (size_t)(*p)[3] << 8  ) |           (*p)[4];
+            (*p) += 5;
+            break;
+
+        default:
+            return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+        }
+    }
+
+    if( *len > (size_t) ( end - *p ) )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_tag( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len, int tag )
+{
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != tag )
+        return( MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    (*p)++;
+
+    return( mbedtls_asn1_get_len( p, end, len ) );
+}
+
+int mbedtls_asn1_get_bool( unsigned char **p,
+                   const unsigned char *end,
+                   int *val )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_BOOLEAN ) ) != 0 )
+        return( ret );
+
+    if( len != 1 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    *val = ( **p != 0 ) ? 1 : 0;
+    (*p)++;
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_int( unsigned char **p,
+                  const unsigned char *end,
+                  int *val )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( ret );
+
+    if( len == 0 || len > sizeof( int ) || ( **p & 0x80 ) != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    *val = 0;
+
+    while( len-- > 0 )
+    {
+        *val = ( *val << 8 ) | **p;
+        (*p)++;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_get_mpi( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_mpi *X )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_mpi_read_binary( X, *p, len );
+
+    *p += len;
+
+    return( ret );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_get_bitstring( unsigned char **p, const unsigned char *end,
+                        mbedtls_asn1_bitstring *bs)
+{
+    int ret;
+
+    /* Certificate type is a single byte bitstring */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &bs->len, MBEDTLS_ASN1_BIT_STRING ) ) != 0 )
+        return( ret );
+
+    /* Check length, subtract one for actual bit string length */
+    if( bs->len < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+    bs->len -= 1;
+
+    /* Get number of unused bits, ensure unused bits <= 7 */
+    bs->unused_bits = **p;
+    if( bs->unused_bits > 7 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+    (*p)++;
+
+    /* Get actual bitstring */
+    bs->p = *p;
+    *p += bs->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Get a bit string without unused bits
+ */
+int mbedtls_asn1_get_bitstring_null( unsigned char **p, const unsigned char *end,
+                             size_t *len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_BIT_STRING ) ) != 0 )
+        return( ret );
+
+    if( (*len)-- < 2 || *(*p)++ != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_DATA );
+
+    return( 0 );
+}
+
+
+
+/*
+ *  Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ */
+int mbedtls_asn1_get_sequence_of( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_asn1_sequence *cur,
+                          int tag)
+{
+    int ret;
+    size_t len;
+    mbedtls_asn1_buf *buf;
+
+    /* Get main sequence tag */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        buf = &(cur->buf);
+        buf->tag = **p;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &buf->len, tag ) ) != 0 )
+            return( ret );
+
+        buf->p = *p;
+        *p += buf->len;
+
+        /* Allocate and assign next pointer */
+        if( *p < end )
+        {
+            cur->next = (mbedtls_asn1_sequence*)mbedtls_calloc( 1,
+                                            sizeof( mbedtls_asn1_sequence ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_alg( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    alg->tag = **p;
+    end = *p + len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &alg->len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( ret );
+
+    alg->p = *p;
+    *p += alg->len;
+
+    if( *p == end )
+    {
+        mbedtls_platform_zeroize( params, sizeof(mbedtls_asn1_buf) );
+        return( 0 );
+    }
+
+    params->tag = **p;
+    (*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &params->len ) ) != 0 )
+        return( ret );
+
+    params->p = *p;
+    *p += params->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_alg_null( unsigned char **p,
+                       const unsigned char *end,
+                       mbedtls_asn1_buf *alg )
+{
+    int ret;
+    mbedtls_asn1_buf params;
+
+    memset( &params, 0, sizeof(mbedtls_asn1_buf) );
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, alg, &params ) ) != 0 )
+        return( ret );
+
+    if( ( params.tag != MBEDTLS_ASN1_NULL && params.tag != 0 ) || params.len != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_DATA );
+
+    return( 0 );
+}
+
+void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur )
+{
+    if( cur == NULL )
+        return;
+
+    mbedtls_free( cur->oid.p );
+    mbedtls_free( cur->val.p );
+
+    mbedtls_platform_zeroize( cur, sizeof( mbedtls_asn1_named_data ) );
+}
+
+void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head )
+{
+    mbedtls_asn1_named_data *cur;
+
+    while( ( cur = *head ) != NULL )
+    {
+        *head = cur->next;
+        mbedtls_asn1_free_named_data( cur );
+        mbedtls_free( cur );
+    }
+}
+
+mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( mbedtls_asn1_named_data *list,
+                                       const char *oid, size_t len )
+{
+    while( list != NULL )
+    {
+        if( list->oid.len == len &&
+            memcmp( list->oid.p, oid, len ) == 0 )
+        {
+            break;
+        }
+
+        list = list->next;
+    }
+
+    return( list );
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
diff --git a/ctrtool/deps/libmbedtls/src/asn1write.c b/ctrtool/deps/libmbedtls/src/asn1write.c
new file mode 100644
index 00000000..c0b4622d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/asn1write.c
@@ -0,0 +1,421 @@
+/*
+ * ASN.1 buffer writing functionality
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len )
+{
+    if( len < 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = (unsigned char) len;
+        return( 1 );
+    }
+
+    if( len <= 0xFF )
+    {
+        if( *p - start < 2 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = (unsigned char) len;
+        *--(*p) = 0x81;
+        return( 2 );
+    }
+
+    if( len <= 0xFFFF )
+    {
+        if( *p - start < 3 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = 0x82;
+        return( 3 );
+    }
+
+    if( len <= 0xFFFFFF )
+    {
+        if( *p - start < 4 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = ( len >> 16 ) & 0xFF;
+        *--(*p) = 0x83;
+        return( 4 );
+    }
+
+#if SIZE_MAX > 0xFFFFFFFF
+    if( len <= 0xFFFFFFFF )
+#endif
+    {
+        if( *p - start < 5 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = ( len >> 16 ) & 0xFF;
+        *--(*p) = ( len >> 24 ) & 0xFF;
+        *--(*p) = 0x84;
+        return( 5 );
+    }
+
+#if SIZE_MAX > 0xFFFFFFFF
+    return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+#endif
+}
+
+int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start, unsigned char tag )
+{
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = tag;
+
+    return( 1 );
+}
+
+int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
+                           const unsigned char *buf, size_t size )
+{
+    size_t len = 0;
+
+    if( *p < start || (size_t)( *p - start ) < size )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = size;
+    (*p) -= len;
+    memcpy( *p, buf, len );
+
+    return( (int) len );
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedtls_mpi *X )
+{
+    int ret;
+    size_t len = 0;
+
+    // Write the MPI
+    //
+    len = mbedtls_mpi_size( X );
+
+    if( *p < start || (size_t)( *p - start ) < len )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    (*p) -= len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, *p, len ) );
+
+    // DER format assumes 2s complement for numbers, so the leftmost bit
+    // should be 0 for positive numbers and 1 for negative numbers.
+    //
+    if( X->s ==1 && **p & 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = 0x00;
+        len += 1;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_INTEGER ) );
+
+    ret = (int) len;
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start )
+{
+    int ret;
+    size_t len = 0;
+
+    // Write NULL
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, 0) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_NULL ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                  (const unsigned char *) oid, oid_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len , mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len , mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
+                                     const char *oid, size_t oid_len,
+                                     size_t par_len )
+{
+    int ret;
+    size_t len = 0;
+
+    if( par_len == 0 )
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_null( p, start ) );
+    else
+        len += par_len;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                       MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start, int boolean )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = (boolean) ? 255 : 0;
+    len++;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BOOLEAN ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len += 1;
+    *--(*p) = val;
+
+    if( val > 0 && **p & 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = 0x00;
+        len += 1;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_INTEGER ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start, int tag,
+    const char *text, size_t text_len )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+        (const unsigned char *) text, text_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, tag ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
+    const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_UTF8_STRING, text, text_len) );
+}
+
+int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
+                                 const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_PRINTABLE_STRING, text, text_len) );
+}
+
+int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
+                           const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len) );
+}
+
+int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
+                          const unsigned char *buf, size_t bits )
+{
+    int ret;
+    size_t len = 0;
+    size_t unused_bits, byte_len;
+
+    byte_len = ( bits + 7 ) / 8;
+    unused_bits = ( byte_len * 8 ) - bits;
+
+    if( *p < start || (size_t)( *p - start ) < byte_len + 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = byte_len + 1;
+
+    /* Write the bitstring. Ensure the unused bits are zeroed */
+    if( byte_len > 0 )
+    {
+        byte_len--;
+        *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 );
+        ( *p ) -= byte_len;
+        memcpy( *p, buf, byte_len );
+    }
+
+    /* Write unused bits */
+    *--( *p ) = (unsigned char)unused_bits;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
+                             const unsigned char *buf, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, buf, size ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    return( (int) len );
+}
+
+
+/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(),
+ * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */
+static mbedtls_asn1_named_data *asn1_find_named_data(
+                                               mbedtls_asn1_named_data *list,
+                                               const char *oid, size_t len )
+{
+    while( list != NULL )
+    {
+        if( list->oid.len == len &&
+            memcmp( list->oid.p, oid, len ) == 0 )
+        {
+            break;
+        }
+
+        list = list->next;
+    }
+
+    return( list );
+}
+
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
+                                        mbedtls_asn1_named_data **head,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val,
+                                        size_t val_len )
+{
+    mbedtls_asn1_named_data *cur;
+
+    if( ( cur = asn1_find_named_data( *head, oid, oid_len ) ) == NULL )
+    {
+        // Add new entry if not present yet based on OID
+        //
+        cur = (mbedtls_asn1_named_data*)mbedtls_calloc( 1,
+                                            sizeof(mbedtls_asn1_named_data) );
+        if( cur == NULL )
+            return( NULL );
+
+        cur->oid.len = oid_len;
+        cur->oid.p = mbedtls_calloc( 1, oid_len );
+        if( cur->oid.p == NULL )
+        {
+            mbedtls_free( cur );
+            return( NULL );
+        }
+
+        memcpy( cur->oid.p, oid, oid_len );
+
+        cur->val.len = val_len;
+        cur->val.p = mbedtls_calloc( 1, val_len );
+        if( cur->val.p == NULL )
+        {
+            mbedtls_free( cur->oid.p );
+            mbedtls_free( cur );
+            return( NULL );
+        }
+
+        cur->next = *head;
+        *head = cur;
+    }
+    else if( cur->val.len < val_len )
+    {
+        /*
+         * Enlarge existing value buffer if needed
+         * Preserve old data until the allocation succeeded, to leave list in
+         * a consistent state in case allocation fails.
+         */
+        void *p = mbedtls_calloc( 1, val_len );
+        if( p == NULL )
+            return( NULL );
+
+        mbedtls_free( cur->val.p );
+        cur->val.p = p;
+        cur->val.len = val_len;
+    }
+
+    if( val != NULL )
+        memcpy( cur->val.p, val, val_len );
+
+    return( cur );
+}
+#endif /* MBEDTLS_ASN1_WRITE_C */
diff --git a/ctrtool/deps/libmbedtls/src/base64.c b/ctrtool/deps/libmbedtls/src/base64.c
new file mode 100644
index 00000000..f06b57b3
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/base64.c
@@ -0,0 +1,293 @@
+/*
+ *  RFC 1521 base64 encoding/decoding
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BASE64_C)
+
+#include "mbedtls/base64.h"
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#include <string.h>
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+static const unsigned char base64_enc_map[64] =
+{
+    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
+    'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
+    'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd',
+    'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
+    'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x',
+    'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',
+    '8', '9', '+', '/'
+};
+
+static const unsigned char base64_dec_map[128] =
+{
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
+    127, 127, 127,  62, 127, 127, 127,  63,  52,  53,
+     54,  55,  56,  57,  58,  59,  60,  61, 127, 127,
+    127,  64, 127, 127, 127,   0,   1,   2,   3,   4,
+      5,   6,   7,   8,   9,  10,  11,  12,  13,  14,
+     15,  16,  17,  18,  19,  20,  21,  22,  23,  24,
+     25, 127, 127, 127, 127, 127, 127,  26,  27,  28,
+     29,  30,  31,  32,  33,  34,  35,  36,  37,  38,
+     39,  40,  41,  42,  43,  44,  45,  46,  47,  48,
+     49,  50,  51, 127, 127, 127, 127, 127
+};
+
+#define BASE64_SIZE_T_MAX   ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
+
+/*
+ * Encode a buffer into base64 format
+ */
+int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen )
+{
+    size_t i, n;
+    int C1, C2, C3;
+    unsigned char *p;
+
+    if( slen == 0 )
+    {
+        *olen = 0;
+        return( 0 );
+    }
+
+    n = slen / 3 + ( slen % 3 != 0 );
+
+    if( n > ( BASE64_SIZE_T_MAX - 1 ) / 4 )
+    {
+        *olen = BASE64_SIZE_T_MAX;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+    n *= 4;
+
+    if( ( dlen < n + 1 ) || ( NULL == dst ) )
+    {
+        *olen = n + 1;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+    n = ( slen / 3 ) * 3;
+
+    for( i = 0, p = dst; i < n; i += 3 )
+    {
+        C1 = *src++;
+        C2 = *src++;
+        C3 = *src++;
+
+        *p++ = base64_enc_map[(C1 >> 2) & 0x3F];
+        *p++ = base64_enc_map[(((C1 &  3) << 4) + (C2 >> 4)) & 0x3F];
+        *p++ = base64_enc_map[(((C2 & 15) << 2) + (C3 >> 6)) & 0x3F];
+        *p++ = base64_enc_map[C3 & 0x3F];
+    }
+
+    if( i < slen )
+    {
+        C1 = *src++;
+        C2 = ( ( i + 1 ) < slen ) ? *src++ : 0;
+
+        *p++ = base64_enc_map[(C1 >> 2) & 0x3F];
+        *p++ = base64_enc_map[(((C1 & 3) << 4) + (C2 >> 4)) & 0x3F];
+
+        if( ( i + 1 ) < slen )
+             *p++ = base64_enc_map[((C2 & 15) << 2) & 0x3F];
+        else *p++ = '=';
+
+        *p++ = '=';
+    }
+
+    *olen = p - dst;
+    *p = 0;
+
+    return( 0 );
+}
+
+/*
+ * Decode a base64-formatted buffer
+ */
+int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen )
+{
+    size_t i, n;
+    uint32_t j, x;
+    unsigned char *p;
+
+    /* First pass: check for validity and get output length */
+    for( i = n = j = 0; i < slen; i++ )
+    {
+        /* Skip spaces before checking for EOL */
+        x = 0;
+        while( i < slen && src[i] == ' ' )
+        {
+            ++i;
+            ++x;
+        }
+
+        /* Spaces at end of buffer are OK */
+        if( i == slen )
+            break;
+
+        if( ( slen - i ) >= 2 &&
+            src[i] == '\r' && src[i + 1] == '\n' )
+            continue;
+
+        if( src[i] == '\n' )
+            continue;
+
+        /* Space inside a line is an error */
+        if( x != 0 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        if( src[i] == '=' && ++j > 2 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        if( src[i] > 127 || base64_dec_map[src[i]] == 127 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        if( base64_dec_map[src[i]] < 64 && j != 0 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        n++;
+    }
+
+    if( n == 0 )
+    {
+        *olen = 0;
+        return( 0 );
+    }
+
+    /* The following expression is to calculate the following formula without
+     * risk of integer overflow in n:
+     *     n = ( ( n * 6 ) + 7 ) >> 3;
+     */
+    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
+    n -= j;
+
+    if( dst == NULL || dlen < n )
+    {
+        *olen = n;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+   for( j = 3, n = x = 0, p = dst; i > 0; i--, src++ )
+   {
+        if( *src == '\r' || *src == '\n' || *src == ' ' )
+            continue;
+
+        j -= ( base64_dec_map[*src] == 64 );
+        x  = ( x << 6 ) | ( base64_dec_map[*src] & 0x3F );
+
+        if( ++n == 4 )
+        {
+            n = 0;
+            if( j > 0 ) *p++ = (unsigned char)( x >> 16 );
+            if( j > 1 ) *p++ = (unsigned char)( x >>  8 );
+            if( j > 2 ) *p++ = (unsigned char)( x       );
+        }
+    }
+
+    *olen = p - dst;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char base64_test_dec[64] =
+{
+    0x24, 0x48, 0x6E, 0x56, 0x87, 0x62, 0x5A, 0xBD,
+    0xBF, 0x17, 0xD9, 0xA2, 0xC4, 0x17, 0x1A, 0x01,
+    0x94, 0xED, 0x8F, 0x1E, 0x11, 0xB3, 0xD7, 0x09,
+    0x0C, 0xB6, 0xE9, 0x10, 0x6F, 0x22, 0xEE, 0x13,
+    0xCA, 0xB3, 0x07, 0x05, 0x76, 0xC9, 0xFA, 0x31,
+    0x6C, 0x08, 0x34, 0xFF, 0x8D, 0xC2, 0x6C, 0x38,
+    0x00, 0x43, 0xE9, 0x54, 0x97, 0xAF, 0x50, 0x4B,
+    0xD1, 0x41, 0xBA, 0x95, 0x31, 0x5A, 0x0B, 0x97
+};
+
+static const unsigned char base64_test_enc[] =
+    "JEhuVodiWr2/F9mixBcaAZTtjx4Rs9cJDLbpEG8i7hPK"
+    "swcFdsn6MWwINP+Nwmw4AEPpVJevUEvRQbqVMVoLlw==";
+
+/*
+ * Checkup routine
+ */
+int mbedtls_base64_self_test( int verbose )
+{
+    size_t len;
+    const unsigned char *src;
+    unsigned char buffer[128];
+
+    if( verbose != 0 )
+        mbedtls_printf( "  Base64 encoding test: " );
+
+    src = base64_test_dec;
+
+    if( mbedtls_base64_encode( buffer, sizeof( buffer ), &len, src, 64 ) != 0 ||
+         memcmp( base64_test_enc, buffer, 88 ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        return( 1 );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  Base64 decoding test: " );
+
+    src = base64_test_enc;
+
+    if( mbedtls_base64_decode( buffer, sizeof( buffer ), &len, src, 88 ) != 0 ||
+         memcmp( base64_test_dec, buffer, 64 ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        return( 1 );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BASE64_C */
diff --git a/ctrtool/deps/libmbedtls/src/bignum.c b/ctrtool/deps/libmbedtls/src/bignum.c
new file mode 100644
index 00000000..87ccf42f
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/bignum.c
@@ -0,0 +1,2866 @@
+/*
+ *  Multi-precision integer library
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The following sources were referenced in the design of this Multi-precision
+ *  Integer library:
+ *
+ *  [1] Handbook of Applied Cryptography - 1997
+ *      Menezes, van Oorschot and Vanstone
+ *
+ *  [2] Multi-Precision Math
+ *      Tom St Denis
+ *      https://github.com/libtom/libtommath/blob/develop/tommath.pdf
+ *
+ *  [3] GNU Multi-Precision Arithmetic Library
+ *      https://gmplib.org/manual/index.html
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+#include "mbedtls/bignum.h"
+#include "mbedtls/bn_mul.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#define MPI_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
+#define MPI_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define ciL    (sizeof(mbedtls_mpi_uint))         /* chars in limb  */
+#define biL    (ciL << 3)               /* bits  in limb  */
+#define biH    (ciL << 2)               /* half limb size */
+
+#define MPI_SIZE_T_MAX  ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
+
+/*
+ * Convert between bits/chars and number of limbs
+ * Divide first in order to avoid potential overflows
+ */
+#define BITS_TO_LIMBS(i)  ( (i) / biL + ( (i) % biL != 0 ) )
+#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n )
+{
+    mbedtls_platform_zeroize( v, ciL * n );
+}
+
+/*
+ * Initialize one MPI
+ */
+void mbedtls_mpi_init( mbedtls_mpi *X )
+{
+    MPI_VALIDATE( X != NULL );
+
+    X->s = 1;
+    X->n = 0;
+    X->p = NULL;
+}
+
+/*
+ * Unallocate one MPI
+ */
+void mbedtls_mpi_free( mbedtls_mpi *X )
+{
+    if( X == NULL )
+        return;
+
+    if( X->p != NULL )
+    {
+        mbedtls_mpi_zeroize( X->p, X->n );
+        mbedtls_free( X->p );
+    }
+
+    X->s = 1;
+    X->n = 0;
+    X->p = NULL;
+}
+
+/*
+ * Enlarge to the specified number of limbs
+ */
+int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
+{
+    mbedtls_mpi_uint *p;
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    if( X->n < nblimbs )
+    {
+        if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
+            return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+        if( X->p != NULL )
+        {
+            memcpy( p, X->p, X->n * ciL );
+            mbedtls_mpi_zeroize( X->p, X->n );
+            mbedtls_free( X->p );
+        }
+
+        X->n = nblimbs;
+        X->p = p;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Resize down as much as possible,
+ * while keeping at least the specified number of limbs
+ */
+int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
+{
+    mbedtls_mpi_uint *p;
+    size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    /* Actually resize up if there are currently fewer than nblimbs limbs. */
+    if( X->n <= nblimbs )
+        return( mbedtls_mpi_grow( X, nblimbs ) );
+    /* After this point, then X->n > nblimbs and in particular X->n > 0. */
+
+    for( i = X->n - 1; i > 0; i-- )
+        if( X->p[i] != 0 )
+            break;
+    i++;
+
+    if( i < nblimbs )
+        i = nblimbs;
+
+    if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    if( X->p != NULL )
+    {
+        memcpy( p, X->p, i * ciL );
+        mbedtls_mpi_zeroize( X->p, X->n );
+        mbedtls_free( X->p );
+    }
+
+    X->n = i;
+    X->p = p;
+
+    return( 0 );
+}
+
+/*
+ * Copy the contents of Y into X
+ */
+int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    int ret = 0;
+    size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    if( X == Y )
+        return( 0 );
+
+    if( Y->n == 0 )
+    {
+        mbedtls_mpi_free( X );
+        return( 0 );
+    }
+
+    for( i = Y->n - 1; i > 0; i-- )
+        if( Y->p[i] != 0 )
+            break;
+    i++;
+
+    X->s = Y->s;
+
+    if( X->n < i )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
+    }
+    else
+    {
+        memset( X->p + i, 0, ( X->n - i ) * ciL );
+    }
+
+    memcpy( X->p, Y->p, i * ciL );
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Swap the contents of X and Y
+ */
+void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
+{
+    mbedtls_mpi T;
+    MPI_VALIDATE( X != NULL );
+    MPI_VALIDATE( Y != NULL );
+
+    memcpy( &T,  X, sizeof( mbedtls_mpi ) );
+    memcpy(  X,  Y, sizeof( mbedtls_mpi ) );
+    memcpy(  Y, &T, sizeof( mbedtls_mpi ) );
+}
+
+/*
+ * Conditionally assign X = Y, without leaking information
+ * about whether the assignment was made or not.
+ * (Leaking information about the respective sizes of X and Y is ok however.)
+ */
+int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign )
+{
+    int ret = 0;
+    size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    /* make sure assign is 0 or 1 in a time-constant manner */
+    assign = (assign | (unsigned char)-assign) >> 7;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
+
+    X->s = X->s * ( 1 - assign ) + Y->s * assign;
+
+    for( i = 0; i < Y->n; i++ )
+        X->p[i] = X->p[i] * ( 1 - assign ) + Y->p[i] * assign;
+
+    for( ; i < X->n; i++ )
+        X->p[i] *= ( 1 - assign );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Conditionally swap X and Y, without leaking information
+ * about whether the swap was made or not.
+ * Here it is not ok to simply swap the pointers, which whould lead to
+ * different memory access patterns when X and Y are used afterwards.
+ */
+int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
+{
+    int ret, s;
+    size_t i;
+    mbedtls_mpi_uint tmp;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    if( X == Y )
+        return( 0 );
+
+    /* make sure swap is 0 or 1 in a time-constant manner */
+    swap = (swap | (unsigned char)-swap) >> 7;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
+
+    s = X->s;
+    X->s = X->s * ( 1 - swap ) + Y->s * swap;
+    Y->s = Y->s * ( 1 - swap ) +    s * swap;
+
+
+    for( i = 0; i < X->n; i++ )
+    {
+        tmp = X->p[i];
+        X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
+        Y->p[i] = Y->p[i] * ( 1 - swap ) +     tmp * swap;
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Set value from integer
+ */
+int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
+{
+    int ret;
+    MPI_VALIDATE_RET( X != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
+    memset( X->p, 0, X->n * ciL );
+
+    X->p[0] = ( z < 0 ) ? -z : z;
+    X->s    = ( z < 0 ) ? -1 : 1;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Get a specific bit
+ */
+int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
+{
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( X->n * biL <= pos )
+        return( 0 );
+
+    return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
+}
+
+/* Get a specific byte, without range checks. */
+#define GET_BYTE( X, i )                                \
+    ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
+
+/*
+ * Set a bit to a specific value of 0 or 1
+ */
+int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
+{
+    int ret = 0;
+    size_t off = pos / biL;
+    size_t idx = pos % biL;
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( val != 0 && val != 1 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( X->n * biL <= pos )
+    {
+        if( val == 0 )
+            return( 0 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, off + 1 ) );
+    }
+
+    X->p[off] &= ~( (mbedtls_mpi_uint) 0x01 << idx );
+    X->p[off] |= (mbedtls_mpi_uint) val << idx;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Return the number of less significant zero-bits
+ */
+size_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
+{
+    size_t i, j, count = 0;
+    MBEDTLS_INTERNAL_VALIDATE_RET( X != NULL, 0 );
+
+    for( i = 0; i < X->n; i++ )
+        for( j = 0; j < biL; j++, count++ )
+            if( ( ( X->p[i] >> j ) & 1 ) != 0 )
+                return( count );
+
+    return( 0 );
+}
+
+/*
+ * Count leading zero bits in a given integer
+ */
+static size_t mbedtls_clz( const mbedtls_mpi_uint x )
+{
+    size_t j;
+    mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
+
+    for( j = 0; j < biL; j++ )
+    {
+        if( x & mask ) break;
+
+        mask >>= 1;
+    }
+
+    return j;
+}
+
+/*
+ * Return the number of bits
+ */
+size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X )
+{
+    size_t i, j;
+
+    if( X->n == 0 )
+        return( 0 );
+
+    for( i = X->n - 1; i > 0; i-- )
+        if( X->p[i] != 0 )
+            break;
+
+    j = biL - mbedtls_clz( X->p[i] );
+
+    return( ( i * biL ) + j );
+}
+
+/*
+ * Return the total size in bytes
+ */
+size_t mbedtls_mpi_size( const mbedtls_mpi *X )
+{
+    return( ( mbedtls_mpi_bitlen( X ) + 7 ) >> 3 );
+}
+
+/*
+ * Convert an ASCII character to digit value
+ */
+static int mpi_get_digit( mbedtls_mpi_uint *d, int radix, char c )
+{
+    *d = 255;
+
+    if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
+    if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
+    if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
+
+    if( *d >= (mbedtls_mpi_uint) radix )
+        return( MBEDTLS_ERR_MPI_INVALID_CHARACTER );
+
+    return( 0 );
+}
+
+/*
+ * Import from an ASCII string
+ */
+int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
+{
+    int ret;
+    size_t i, j, slen, n;
+    mbedtls_mpi_uint d;
+    mbedtls_mpi T;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( s != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T );
+
+    slen = strlen( s );
+
+    if( radix == 16 )
+    {
+        if( slen > MPI_SIZE_T_MAX >> 2 )
+            return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+        n = BITS_TO_LIMBS( slen << 2 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+        for( i = slen, j = 0; i > 0; i--, j++ )
+        {
+            if( i == 1 && s[i - 1] == '-' )
+            {
+                X->s = -1;
+                break;
+            }
+
+            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
+            X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+        for( i = 0; i < slen; i++ )
+        {
+            if( i == 0 && s[i] == '-' )
+            {
+                X->s = -1;
+                continue;
+            }
+
+            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
+
+            if( X->s == 1 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
+            }
+            else
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( X, &T, d ) );
+            }
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    return( ret );
+}
+
+/*
+ * Helper to write the digits high-order first.
+ */
+static int mpi_write_hlp( mbedtls_mpi *X, int radix,
+                          char **p, const size_t buflen )
+{
+    int ret;
+    mbedtls_mpi_uint r;
+    size_t length = 0;
+    char *p_end = *p + buflen;
+
+    do
+    {
+        if( length >= buflen )
+        {
+            return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+        /*
+         * Write the residue in the current position, as an ASCII character.
+         */
+        if( r < 0xA )
+            *(--p_end) = (char)( '0' + r );
+        else
+            *(--p_end) = (char)( 'A' + ( r - 0xA ) );
+
+        length++;
+    } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
+
+    memmove( *p, p_end, length );
+    *p += length;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Export into an ASCII string
+ */
+int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
+                              char *buf, size_t buflen, size_t *olen )
+{
+    int ret = 0;
+    size_t n;
+    char *p;
+    mbedtls_mpi T;
+    MPI_VALIDATE_RET( X    != NULL );
+    MPI_VALIDATE_RET( olen != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
+    if( radix >=  4 ) n >>= 1;   /* Number of 4-adic digits necessary to present
+                                  * `n`. If radix > 4, this might be a strict
+                                  * overapproximation of the number of
+                                  * radix-adic digits needed to present `n`. */
+    if( radix >= 16 ) n >>= 1;   /* Number of hexadecimal digits necessary to
+                                  * present `n`. */
+
+    n += 1; /* Terminating null byte */
+    n += 1; /* Compensate for the divisions above, which round down `n`
+             * in case it's not even. */
+    n += 1; /* Potential '-'-sign. */
+    n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
+                     * which always uses an even number of hex-digits. */
+
+    if( buflen < n )
+    {
+        *olen = n;
+        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+    }
+
+    p = buf;
+    mbedtls_mpi_init( &T );
+
+    if( X->s == -1 )
+    {
+        *p++ = '-';
+        buflen--;
+    }
+
+    if( radix == 16 )
+    {
+        int c;
+        size_t i, j, k;
+
+        for( i = X->n, k = 0; i > 0; i-- )
+        {
+            for( j = ciL; j > 0; j-- )
+            {
+                c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
+
+                if( c == 0 && k == 0 && ( i + j ) != 2 )
+                    continue;
+
+                *(p++) = "0123456789ABCDEF" [c / 16];
+                *(p++) = "0123456789ABCDEF" [c % 16];
+                k = 1;
+            }
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T, X ) );
+
+        if( T.s == -1 )
+            T.s = 1;
+
+        MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
+    }
+
+    *p++ = '\0';
+    *olen = p - buf;
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Read X from an opened file
+ */
+int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
+{
+    mbedtls_mpi_uint d;
+    size_t slen;
+    char *p;
+    /*
+     * Buffer should have space for (short) label and decimal formatted MPI,
+     * newline characters and '\0'
+     */
+    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+
+    MPI_VALIDATE_RET( X   != NULL );
+    MPI_VALIDATE_RET( fin != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    memset( s, 0, sizeof( s ) );
+    if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
+        return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
+
+    slen = strlen( s );
+    if( slen == sizeof( s ) - 2 )
+        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+
+    if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
+    if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
+
+    p = s + slen;
+    while( p-- > s )
+        if( mpi_get_digit( &d, radix, *p ) != 0 )
+            break;
+
+    return( mbedtls_mpi_read_string( X, radix, p + 1 ) );
+}
+
+/*
+ * Write X into an opened file (or stdout if fout == NULL)
+ */
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout )
+{
+    int ret;
+    size_t n, slen, plen;
+    /*
+     * Buffer should have space for (short) label and decimal formatted MPI,
+     * newline characters and '\0'
+     */
+    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    memset( s, 0, sizeof( s ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_string( X, radix, s, sizeof( s ) - 2, &n ) );
+
+    if( p == NULL ) p = "";
+
+    plen = strlen( p );
+    slen = strlen( s );
+    s[slen++] = '\r';
+    s[slen++] = '\n';
+
+    if( fout != NULL )
+    {
+        if( fwrite( p, 1, plen, fout ) != plen ||
+            fwrite( s, 1, slen, fout ) != slen )
+            return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
+    }
+    else
+        mbedtls_printf( "%s%s", p, s );
+
+cleanup:
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
+ * into the storage form used by mbedtls_mpi. */
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x )
+{
+    uint8_t i;
+    unsigned char *x_ptr;
+    mbedtls_mpi_uint tmp = 0;
+
+    for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ )
+    {
+        tmp <<= CHAR_BIT;
+        tmp |= (mbedtls_mpi_uint) *x_ptr;
+    }
+
+    return( tmp );
+}
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host( mbedtls_mpi_uint x )
+{
+#if defined(__BYTE_ORDER__)
+
+/* Nothing to do on bigendian systems. */
+#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
+    return( x );
+#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
+
+#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
+
+/* For GCC and Clang, have builtins for byte swapping. */
+#if defined(__GNUC__) && defined(__GNUC_PREREQ)
+#if __GNUC_PREREQ(4,3)
+#define have_bswap
+#endif
+#endif
+
+#if defined(__clang__) && defined(__has_builtin)
+#if __has_builtin(__builtin_bswap32)  &&                 \
+    __has_builtin(__builtin_bswap64)
+#define have_bswap
+#endif
+#endif
+
+#if defined(have_bswap)
+    /* The compiler is hopefully able to statically evaluate this! */
+    switch( sizeof(mbedtls_mpi_uint) )
+    {
+        case 4:
+            return( __builtin_bswap32(x) );
+        case 8:
+            return( __builtin_bswap64(x) );
+    }
+#endif
+#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
+#endif /* __BYTE_ORDER__ */
+
+    /* Fall back to C-based reordering if we don't know the byte order
+     * or we couldn't use a compiler-specific builtin. */
+    return( mpi_uint_bigendian_to_host_c( x ) );
+}
+
+static void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs )
+{
+    mbedtls_mpi_uint *cur_limb_left;
+    mbedtls_mpi_uint *cur_limb_right;
+    if( limbs == 0 )
+        return;
+
+    /*
+     * Traverse limbs and
+     * - adapt byte-order in each limb
+     * - swap the limbs themselves.
+     * For that, simultaneously traverse the limbs from left to right
+     * and from right to left, as long as the left index is not bigger
+     * than the right index (it's not a problem if limbs is odd and the
+     * indices coincide in the last iteration).
+     */
+    for( cur_limb_left = p, cur_limb_right = p + ( limbs - 1 );
+         cur_limb_left <= cur_limb_right;
+         cur_limb_left++, cur_limb_right-- )
+    {
+        mbedtls_mpi_uint tmp;
+        /* Note that if cur_limb_left == cur_limb_right,
+         * this code effectively swaps the bytes only once. */
+        tmp             = mpi_uint_bigendian_to_host( *cur_limb_left  );
+        *cur_limb_left  = mpi_uint_bigendian_to_host( *cur_limb_right );
+        *cur_limb_right = tmp;
+    }
+}
+
+/*
+ * Import X from unsigned binary data, big endian
+ */
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t const limbs    = CHARS_TO_LIMBS( buflen );
+    size_t const overhead = ( limbs * ciL ) - buflen;
+    unsigned char *Xp;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
+
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if( X->n != limbs )
+    {
+        mbedtls_mpi_free( X );
+        mbedtls_mpi_init( X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    /* Avoid calling `memcpy` with NULL source argument,
+     * even if buflen is 0. */
+    if( buf != NULL )
+    {
+        Xp = (unsigned char*) X->p;
+        memcpy( Xp + overhead, buf, buflen );
+
+        mpi_bigendian_to_host( X->p, limbs );
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Export X into unsigned binary data, big endian
+ */
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X,
+                              unsigned char *buf, size_t buflen )
+{
+    size_t stored_bytes;
+    size_t bytes_to_copy;
+    unsigned char *p;
+    size_t i;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
+
+    stored_bytes = X->n * ciL;
+
+    if( stored_bytes < buflen )
+    {
+        /* There is enough space in the output buffer. Write initial
+         * null bytes and record the position at which to start
+         * writing the significant bytes. In this case, the execution
+         * trace of this function does not depend on the value of the
+         * number. */
+        bytes_to_copy = stored_bytes;
+        p = buf + buflen - stored_bytes;
+        memset( buf, 0, buflen - stored_bytes );
+    }
+    else
+    {
+        /* The output buffer is smaller than the allocated size of X.
+         * However X may fit if its leading bytes are zero. */
+        bytes_to_copy = buflen;
+        p = buf;
+        for( i = bytes_to_copy; i < stored_bytes; i++ )
+        {
+            if( GET_BYTE( X, i ) != 0 )
+                return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+        }
+    }
+
+    for( i = 0; i < bytes_to_copy; i++ )
+        p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
+
+    return( 0 );
+}
+
+/*
+ * Left-shift: X <<= count
+ */
+int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
+{
+    int ret;
+    size_t i, v0, t1;
+    mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET( X != NULL );
+
+    v0 = count / (biL    );
+    t1 = count & (biL - 1);
+
+    i = mbedtls_mpi_bitlen( X ) + count;
+
+    if( X->n * biL < i )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, BITS_TO_LIMBS( i ) ) );
+
+    ret = 0;
+
+    /*
+     * shift by count / limb_size
+     */
+    if( v0 > 0 )
+    {
+        for( i = X->n; i > v0; i-- )
+            X->p[i - 1] = X->p[i - v0 - 1];
+
+        for( ; i > 0; i-- )
+            X->p[i - 1] = 0;
+    }
+
+    /*
+     * shift by count % limb_size
+     */
+    if( t1 > 0 )
+    {
+        for( i = v0; i < X->n; i++ )
+        {
+            r1 = X->p[i] >> (biL - t1);
+            X->p[i] <<= t1;
+            X->p[i] |= r0;
+            r0 = r1;
+        }
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Right-shift: X >>= count
+ */
+int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
+{
+    size_t i, v0, v1;
+    mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET( X != NULL );
+
+    v0 = count /  biL;
+    v1 = count & (biL - 1);
+
+    if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
+        return mbedtls_mpi_lset( X, 0 );
+
+    /*
+     * shift by count / limb_size
+     */
+    if( v0 > 0 )
+    {
+        for( i = 0; i < X->n - v0; i++ )
+            X->p[i] = X->p[i + v0];
+
+        for( ; i < X->n; i++ )
+            X->p[i] = 0;
+    }
+
+    /*
+     * shift by count % limb_size
+     */
+    if( v1 > 0 )
+    {
+        for( i = X->n; i > 0; i-- )
+        {
+            r1 = X->p[i - 1] << (biL - v1);
+            X->p[i - 1] >>= v1;
+            X->p[i - 1] |= r0;
+            r0 = r1;
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare unsigned values
+ */
+int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    size_t i, j;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    for( i = X->n; i > 0; i-- )
+        if( X->p[i - 1] != 0 )
+            break;
+
+    for( j = Y->n; j > 0; j-- )
+        if( Y->p[j - 1] != 0 )
+            break;
+
+    if( i == 0 && j == 0 )
+        return( 0 );
+
+    if( i > j ) return(  1 );
+    if( j > i ) return( -1 );
+
+    for( ; i > 0; i-- )
+    {
+        if( X->p[i - 1] > Y->p[i - 1] ) return(  1 );
+        if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    size_t i, j;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    for( i = X->n; i > 0; i-- )
+        if( X->p[i - 1] != 0 )
+            break;
+
+    for( j = Y->n; j > 0; j-- )
+        if( Y->p[j - 1] != 0 )
+            break;
+
+    if( i == 0 && j == 0 )
+        return( 0 );
+
+    if( i > j ) return(  X->s );
+    if( j > i ) return( -Y->s );
+
+    if( X->s > 0 && Y->s < 0 ) return(  1 );
+    if( Y->s > 0 && X->s < 0 ) return( -1 );
+
+    for( ; i > 0; i-- )
+    {
+        if( X->p[i - 1] > Y->p[i - 1] ) return(  X->s );
+        if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
+    }
+
+    return( 0 );
+}
+
+/** Decide if an integer is less than the other, without branches.
+ *
+ * \param x         First integer.
+ * \param y         Second integer.
+ *
+ * \return          1 if \p x is less than \p y, 0 otherwise
+ */
+static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x,
+        const mbedtls_mpi_uint y )
+{
+    mbedtls_mpi_uint ret;
+    mbedtls_mpi_uint cond;
+
+    /*
+     * Check if the most significant bits (MSB) of the operands are different.
+     */
+    cond = ( x ^ y );
+    /*
+     * If the MSB are the same then the difference x-y will be negative (and
+     * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
+     */
+    ret = ( x - y ) & ~cond;
+    /*
+     * If the MSB are different, then the operand with the MSB of 1 is the
+     * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
+     * the MSB of y is 0.)
+     */
+    ret |= y & cond;
+
+
+    ret = ret >> ( biL - 1 );
+
+    return (unsigned) ret;
+}
+
+/*
+ * Compare signed values in constant time
+ */
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
+        unsigned *ret )
+{
+    size_t i;
+    /* The value of any of these variables is either 0 or 1 at all times. */
+    unsigned cond, done, X_is_negative, Y_is_negative;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+    MPI_VALIDATE_RET( ret != NULL );
+
+    if( X->n != Y->n )
+        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+    /*
+     * Set sign_N to 1 if N >= 0, 0 if N < 0.
+     * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
+     */
+    X_is_negative = ( X->s & 2 ) >> 1;
+    Y_is_negative = ( Y->s & 2 ) >> 1;
+
+    /*
+     * If the signs are different, then the positive operand is the bigger.
+     * That is if X is negative (X_is_negative == 1), then X < Y is true and it
+     * is false if X is positive (X_is_negative == 0).
+     */
+    cond = ( X_is_negative ^ Y_is_negative );
+    *ret = cond & X_is_negative;
+
+    /*
+     * This is a constant-time function. We might have the result, but we still
+     * need to go through the loop. Record if we have the result already.
+     */
+    done = cond;
+
+    for( i = X->n; i > 0; i-- )
+    {
+        /*
+         * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
+         * X and Y are negative.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & X_is_negative;
+        done |= cond;
+
+        /*
+         * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
+         * X and Y are positive.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
+        done |= cond;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
+{
+    mbedtls_mpi Y;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+
+    *p  = ( z < 0 ) ? -z : z;
+    Y.s = ( z < 0 ) ? -1 : 1;
+    Y.n = 1;
+    Y.p = p;
+
+    return( mbedtls_mpi_cmp_mpi( X, &Y ) );
+}
+
+/*
+ * Unsigned addition: X = |A| + |B|  (HAC 14.7)
+ */
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, j;
+    mbedtls_mpi_uint *o, *p, c, tmp;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( X == B )
+    {
+        const mbedtls_mpi *T = A; A = X; B = T;
+    }
+
+    if( X != A )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
+
+    /*
+     * X should always be positive as a result of unsigned additions.
+     */
+    X->s = 1;
+
+    for( j = B->n; j > 0; j-- )
+        if( B->p[j - 1] != 0 )
+            break;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
+
+    o = B->p; p = X->p; c = 0;
+
+    /*
+     * tmp is used because it might happen that p == o
+     */
+    for( i = 0; i < j; i++, o++, p++ )
+    {
+        tmp= *o;
+        *p +=  c; c  = ( *p <  c );
+        *p += tmp; c += ( *p < tmp );
+    }
+
+    while( c != 0 )
+    {
+        if( i >= X->n )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
+            p = X->p + i;
+        }
+
+        *p += c; c = ( *p < c ); i++; p++;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Helper for mbedtls_mpi subtraction
+ */
+static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
+{
+    size_t i;
+    mbedtls_mpi_uint c, z;
+
+    for( i = c = 0; i < n; i++, s++, d++ )
+    {
+        z = ( *d <  c );     *d -=  c;
+        c = ( *d < *s ) + z; *d -= *s;
+    }
+
+    while( c != 0 )
+    {
+        z = ( *d < c ); *d -= c;
+        c = z; d++;
+    }
+}
+
+/*
+ * Unsigned subtraction: X = |A| - |B|  (HAC 14.9)
+ */
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    mbedtls_mpi TB;
+    int ret;
+    size_t n;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    mbedtls_mpi_init( &TB );
+
+    if( X == B )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
+        B = &TB;
+    }
+
+    if( X != A )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
+
+    /*
+     * X should always be positive as a result of unsigned subtractions.
+     */
+    X->s = 1;
+
+    ret = 0;
+
+    for( n = B->n; n > 0; n-- )
+        if( B->p[n - 1] != 0 )
+            break;
+
+    mpi_sub_hlp( n, B->p, X->p );
+
+cleanup:
+
+    mbedtls_mpi_free( &TB );
+
+    return( ret );
+}
+
+/*
+ * Signed addition: X = A + B
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret, s;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    s = A->s;
+    if( A->s * B->s < 0 )
+    {
+        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
+            X->s =  s;
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+            X->s = -s;
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
+        X->s = s;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Signed subtraction: X = A - B
+ */
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret, s;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    s = A->s;
+    if( A->s * B->s > 0 )
+    {
+        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
+            X->s =  s;
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+            X->s = -s;
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
+        X->s = s;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Signed addition: X = A + b
+ */
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_add_mpi( X, A, &_B ) );
+}
+
+/*
+ * Signed subtraction: X = A - b
+ */
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_sub_mpi( X, A, &_B ) );
+}
+
+/*
+ * Helper for mbedtls_mpi multiplication
+ */
+static
+#if defined(__APPLE__) && defined(__arm__)
+/*
+ * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
+ * appears to need this to prevent bad ARM code generation at -O3.
+ */
+__attribute__ ((noinline))
+#endif
+void mpi_mul_hlp( size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi_uint b )
+{
+    mbedtls_mpi_uint c = 0, t = 0;
+
+#if defined(MULADDC_HUIT)
+    for( ; i >= 8; i -= 8 )
+    {
+        MULADDC_INIT
+        MULADDC_HUIT
+        MULADDC_STOP
+    }
+
+    for( ; i > 0; i-- )
+    {
+        MULADDC_INIT
+        MULADDC_CORE
+        MULADDC_STOP
+    }
+#else /* MULADDC_HUIT */
+    for( ; i >= 16; i -= 16 )
+    {
+        MULADDC_INIT
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_STOP
+    }
+
+    for( ; i >= 8; i -= 8 )
+    {
+        MULADDC_INIT
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_STOP
+    }
+
+    for( ; i > 0; i-- )
+    {
+        MULADDC_INIT
+        MULADDC_CORE
+        MULADDC_STOP
+    }
+#endif /* MULADDC_HUIT */
+
+    t++;
+
+    do {
+        *d += c; c = ( *d < c ); d++;
+    }
+    while( c != 0 );
+}
+
+/*
+ * Baseline multiplication: X = A * B  (HAC 14.12)
+ */
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, j;
+    mbedtls_mpi TA, TB;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
+
+    if( X == A ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) ); A = &TA; }
+    if( X == B ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) ); B = &TB; }
+
+    for( i = A->n; i > 0; i-- )
+        if( A->p[i - 1] != 0 )
+            break;
+
+    for( j = B->n; j > 0; j-- )
+        if( B->p[j - 1] != 0 )
+            break;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    for( ; j > 0; j-- )
+        mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
+
+    X->s = A->s * B->s;
+
+cleanup:
+
+    mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TA );
+
+    return( ret );
+}
+
+/*
+ * Baseline multiplication: X = A * b
+ */
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    _B.s = 1;
+    _B.n = 1;
+    _B.p = p;
+    p[0] = b;
+
+    return( mbedtls_mpi_mul_mpi( X, A, &_B ) );
+}
+
+/*
+ * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
+ * mbedtls_mpi_uint divisor, d
+ */
+static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
+            mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
+{
+#if defined(MBEDTLS_HAVE_UDBL)
+    mbedtls_t_udbl dividend, quotient;
+#else
+    const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
+    const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
+    mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
+    mbedtls_mpi_uint u0_msw, u0_lsw;
+    size_t s;
+#endif
+
+    /*
+     * Check for overflow
+     */
+    if( 0 == d || u1 >= d )
+    {
+        if (r != NULL) *r = ~0;
+
+        return ( ~0 );
+    }
+
+#if defined(MBEDTLS_HAVE_UDBL)
+    dividend  = (mbedtls_t_udbl) u1 << biL;
+    dividend |= (mbedtls_t_udbl) u0;
+    quotient = dividend / d;
+    if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 )
+        quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
+
+    if( r != NULL )
+        *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
+
+    return (mbedtls_mpi_uint) quotient;
+#else
+
+    /*
+     * Algorithm D, Section 4.3.1 - The Art of Computer Programming
+     *   Vol. 2 - Seminumerical Algorithms, Knuth
+     */
+
+    /*
+     * Normalize the divisor, d, and dividend, u0, u1
+     */
+    s = mbedtls_clz( d );
+    d = d << s;
+
+    u1 = u1 << s;
+    u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
+    u0 =  u0 << s;
+
+    d1 = d >> biH;
+    d0 = d & uint_halfword_mask;
+
+    u0_msw = u0 >> biH;
+    u0_lsw = u0 & uint_halfword_mask;
+
+    /*
+     * Find the first quotient and remainder
+     */
+    q1 = u1 / d1;
+    r0 = u1 - d1 * q1;
+
+    while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
+    {
+        q1 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
+    q0 = rAX / d1;
+    r0 = rAX - q0 * d1;
+
+    while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
+    {
+        q0 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    if (r != NULL)
+        *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
+
+    quotient = q1 * radix + q0;
+
+    return quotient;
+#endif
+}
+
+/*
+ * Division by mbedtls_mpi: A = Q * B + R  (HAC 14.20)
+ */
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, n, t, k;
+    mbedtls_mpi X, Y, Z, T1, T2;
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
+        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
+
+    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
+    mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
+
+    if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
+    {
+        if( Q != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_lset( Q, 0 ) );
+        if( R != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, A ) );
+        return( 0 );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &X, A ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, B ) );
+    X.s = Y.s = 1;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z,  0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T2, 3 ) );
+
+    k = mbedtls_mpi_bitlen( &Y ) % biL;
+    if( k < biL - 1 )
+    {
+        k = biL - 1 - k;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &X, k ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, k ) );
+    }
+    else k = 0;
+
+    n = X.n - 1;
+    t = Y.n - 1;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, biL * ( n - t ) ) );
+
+    while( mbedtls_mpi_cmp_mpi( &X, &Y ) >= 0 )
+    {
+        Z.p[n - t]++;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &Y ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, biL * ( n - t ) ) );
+
+    for( i = n; i > t ; i-- )
+    {
+        if( X.p[i] >= Y.p[t] )
+            Z.p[i - t - 1] = ~0;
+        else
+        {
+            Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
+                                                            Y.p[t], NULL);
+        }
+
+        Z.p[i - t - 1]++;
+        do
+        {
+            Z.p[i - t - 1]--;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T1, 0 ) );
+            T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
+            T1.p[1] = Y.p[t];
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T2, 0 ) );
+            T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
+            T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
+            T2.p[2] = X.p[i];
+        }
+        while( mbedtls_mpi_cmp_mpi( &T1, &T2 ) > 0 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1,  biL * ( i - t - 1 ) ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );
+
+        if( mbedtls_mpi_cmp_int( &X, 0 ) < 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &Y ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &X, &X, &T1 ) );
+            Z.p[i - t - 1]--;
+        }
+    }
+
+    if( Q != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Q, &Z ) );
+        Q->s = A->s * B->s;
+    }
+
+    if( R != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &X, k ) );
+        X.s = A->s;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, &X ) );
+
+        if( mbedtls_mpi_cmp_int( R, 0 ) == 0 )
+            R->s = 1;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
+    mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
+
+    return( ret );
+}
+
+/*
+ * Division by int: A = Q * b + R
+ */
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
+                         const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( A != NULL );
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_div_mpi( Q, R, A, &_B ) );
+}
+
+/*
+ * Modulo: R = A mod B
+ */
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    MPI_VALIDATE_RET( R != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( NULL, R, A, B ) );
+
+    while( mbedtls_mpi_cmp_int( R, 0 ) < 0 )
+      MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( R, R, B ) );
+
+    while( mbedtls_mpi_cmp_mpi( R, B ) >= 0 )
+      MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( R, R, B ) );
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Modulo: r = A mod b
+ */
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    size_t i;
+    mbedtls_mpi_uint x, y, z;
+    MPI_VALIDATE_RET( r != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    if( b == 0 )
+        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
+
+    if( b < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    /*
+     * handle trivial cases
+     */
+    if( b == 1 )
+    {
+        *r = 0;
+        return( 0 );
+    }
+
+    if( b == 2 )
+    {
+        *r = A->p[0] & 1;
+        return( 0 );
+    }
+
+    /*
+     * general case
+     */
+    for( i = A->n, y = 0; i > 0; i-- )
+    {
+        x  = A->p[i - 1];
+        y  = ( y << biH ) | ( x >> biH );
+        z  = y / b;
+        y -= z * b;
+
+        x <<= biH;
+        y  = ( y << biH ) | ( x >> biH );
+        z  = y / b;
+        y -= z * b;
+    }
+
+    /*
+     * If A is negative, then the current y represents a negative value.
+     * Flipping it to the positive side.
+     */
+    if( A->s < 0 && y != 0 )
+        y = b - y;
+
+    *r = y;
+
+    return( 0 );
+}
+
+/*
+ * Fast Montgomery initialization (thanks to Tom St Denis)
+ */
+static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
+{
+    mbedtls_mpi_uint x, m0 = N->p[0];
+    unsigned int i;
+
+    x  = m0;
+    x += ( ( m0 + 2 ) & 4 ) << 1;
+
+    for( i = biL; i >= 8; i /= 2 )
+        x *= ( 2 - ( m0 * x ) );
+
+    *mm = ~x + 1;
+}
+
+/*
+ * Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
+ */
+static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+                         const mbedtls_mpi *T )
+{
+    size_t i, n, m;
+    mbedtls_mpi_uint u0, u1, *d;
+
+    if( T->n < N->n + 1 || T->p == NULL )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    memset( T->p, 0, T->n * ciL );
+
+    d = T->p;
+    n = N->n;
+    m = ( B->n < n ) ? B->n : n;
+
+    for( i = 0; i < n; i++ )
+    {
+        /*
+         * T = (T + u0*B + u1*N) / 2^biL
+         */
+        u0 = A->p[i];
+        u1 = ( d[0] + u0 * B->p[0] ) * mm;
+
+        mpi_mul_hlp( m, B->p, d, u0 );
+        mpi_mul_hlp( n, N->p, d, u1 );
+
+        *d++ = u0; d[n + 1] = 0;
+    }
+
+    memcpy( A->p, d, ( n + 1 ) * ciL );
+
+    if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
+        mpi_sub_hlp( n, N->p, A->p );
+    else
+        /* prevent timing attacks */
+        mpi_sub_hlp( n, A->p, T->p );
+
+    return( 0 );
+}
+
+/*
+ * Montgomery reduction: A = A * R^-1 mod N
+ */
+static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
+                        mbedtls_mpi_uint mm, const mbedtls_mpi *T )
+{
+    mbedtls_mpi_uint z = 1;
+    mbedtls_mpi U;
+
+    U.n = U.s = (int) z;
+    U.p = &z;
+
+    return( mpi_montmul( A, &U, N, mm, T ) );
+}
+
+/*
+ * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR )
+{
+    int ret;
+    size_t wbits, wsize, one = 1;
+    size_t i, j, nblimbs;
+    size_t bufsize, nbits;
+    mbedtls_mpi_uint ei, mm, state;
+    mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
+    int neg;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( E != NULL );
+    MPI_VALIDATE_RET( N != NULL );
+
+    if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    /*
+     * Init temps and window size
+     */
+    mpi_montg_init( &mm, N );
+    mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
+    mbedtls_mpi_init( &Apos );
+    memset( W, 0, sizeof( W ) );
+
+    i = mbedtls_mpi_bitlen( E );
+
+    wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
+            ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
+
+#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
+    if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
+        wsize = MBEDTLS_MPI_WINDOW_SIZE;
+#endif
+
+    j = N->n + 1;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1],  j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
+
+    /*
+     * Compensate for negative A (and correct at the end)
+     */
+    neg = ( A->s == -1 );
+    if( neg )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Apos, A ) );
+        Apos.s = 1;
+        A = &Apos;
+    }
+
+    /*
+     * If 1st call, pre-compute R^2 mod N
+     */
+    if( _RR == NULL || _RR->p == NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &RR, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &RR, N->n * 2 * biL ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &RR, &RR, N ) );
+
+        if( _RR != NULL )
+            memcpy( _RR, &RR, sizeof( mbedtls_mpi ) );
+    }
+    else
+        memcpy( &RR, _RR, sizeof( mbedtls_mpi ) );
+
+    /*
+     * W[1] = A * R^2 * R^-1 mod N = A * R mod N
+     */
+    if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
+    else
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
+
+    MBEDTLS_MPI_CHK( mpi_montmul( &W[1], &RR, N, mm, &T ) );
+
+    /*
+     * X = R^2 * R^-1 mod N = R mod N
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
+    MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
+
+    if( wsize > 1 )
+    {
+        /*
+         * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
+         */
+        j =  one << ( wsize - 1 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1]    ) );
+
+        for( i = 0; i < wsize - 1; i++ )
+            MBEDTLS_MPI_CHK( mpi_montmul( &W[j], &W[j], N, mm, &T ) );
+
+        /*
+         * W[i] = W[i - 1] * W[1]
+         */
+        for( i = j + 1; i < ( one << wsize ); i++ )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
+
+            MBEDTLS_MPI_CHK( mpi_montmul( &W[i], &W[1], N, mm, &T ) );
+        }
+    }
+
+    nblimbs = E->n;
+    bufsize = 0;
+    nbits   = 0;
+    wbits   = 0;
+    state   = 0;
+
+    while( 1 )
+    {
+        if( bufsize == 0 )
+        {
+            if( nblimbs == 0 )
+                break;
+
+            nblimbs--;
+
+            bufsize = sizeof( mbedtls_mpi_uint ) << 3;
+        }
+
+        bufsize--;
+
+        ei = (E->p[nblimbs] >> bufsize) & 1;
+
+        /*
+         * skip leading 0s
+         */
+        if( ei == 0 && state == 0 )
+            continue;
+
+        if( ei == 0 && state == 1 )
+        {
+            /*
+             * out of window, square X
+             */
+            MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
+            continue;
+        }
+
+        /*
+         * add ei to current window
+         */
+        state = 2;
+
+        nbits++;
+        wbits |= ( ei << ( wsize - nbits ) );
+
+        if( nbits == wsize )
+        {
+            /*
+             * X = X^wsize R^-1 mod N
+             */
+            for( i = 0; i < wsize; i++ )
+                MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
+
+            /*
+             * X = X * W[wbits] R^-1 mod N
+             */
+            MBEDTLS_MPI_CHK( mpi_montmul( X, &W[wbits], N, mm, &T ) );
+
+            state--;
+            nbits = 0;
+            wbits = 0;
+        }
+    }
+
+    /*
+     * process the remaining bits
+     */
+    for( i = 0; i < nbits; i++ )
+    {
+        MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
+
+        wbits <<= 1;
+
+        if( ( wbits & ( one << wsize ) ) != 0 )
+            MBEDTLS_MPI_CHK( mpi_montmul( X, &W[1], N, mm, &T ) );
+    }
+
+    /*
+     * X = A^E * R * R^-1 mod N = A^E mod N
+     */
+    MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
+
+    if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
+    {
+        X->s = -1;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
+    }
+
+cleanup:
+
+    for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
+        mbedtls_mpi_free( &W[i] );
+
+    mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
+
+    if( _RR == NULL || _RR->p == NULL )
+        mbedtls_mpi_free( &RR );
+
+    return( ret );
+}
+
+/*
+ * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
+ */
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t lz, lzt;
+    mbedtls_mpi TG, TA, TB;
+
+    MPI_VALIDATE_RET( G != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    mbedtls_mpi_init( &TG ); mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
+
+    lz = mbedtls_mpi_lsb( &TA );
+    lzt = mbedtls_mpi_lsb( &TB );
+
+    if( lzt < lz )
+        lz = lzt;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, lz ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, lz ) );
+
+    TA.s = TB.s = 1;
+
+    while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
+
+        if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, 1 ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
+        }
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &TG ); mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
+
+    return( ret );
+}
+
+/*
+ * Fill X with size bytes of random.
+ *
+ * Use a temporary bytes representation to make sure the result is the same
+ * regardless of the platform endianness (useful when f_rng is actually
+ * deterministic, eg for tests).
+ */
+int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    size_t const limbs = CHARS_TO_LIMBS( size );
+    size_t const overhead = ( limbs * ciL ) - size;
+    unsigned char *Xp;
+
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if( X->n != limbs )
+    {
+        mbedtls_mpi_free( X );
+        mbedtls_mpi_init( X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    Xp = (unsigned char*) X->p;
+    f_rng( p_rng, Xp + overhead, size );
+
+    mpi_bigendian_to_host( X->p, limbs );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Modular inverse: X = A^-1 mod N  (HAC 14.61 / 14.64)
+ */
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N )
+{
+    int ret;
+    mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( N != NULL );
+
+    if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
+    mbedtls_mpi_init( &G ); mbedtls_mpi_init( &TB ); mbedtls_mpi_init( &TV );
+    mbedtls_mpi_init( &V1 ); mbedtls_mpi_init( &V2 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, A, N ) );
+
+    if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &TA, A, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TU, &TA ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TV, N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U1, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U2, 0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V1, 0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V2, 1 ) );
+
+    do
+    {
+        while( ( TU.p[0] & 1 ) == 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TU, 1 ) );
+
+            if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &U1, &U1, &TB ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &TA ) );
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U1, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U2, 1 ) );
+        }
+
+        while( ( TV.p[0] & 1 ) == 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TV, 1 ) );
+
+            if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, &TB ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &TA ) );
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V1, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V2, 1 ) );
+        }
+
+        if( mbedtls_mpi_cmp_mpi( &TU, &TV ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TU, &TU, &TV ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U1, &U1, &V1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &V2 ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TV, &TV, &TU ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, &U1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &U2 ) );
+        }
+    }
+    while( mbedtls_mpi_cmp_int( &TU, 0 ) != 0 );
+
+    while( mbedtls_mpi_cmp_int( &V1, 0 ) < 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, N ) );
+
+    while( mbedtls_mpi_cmp_mpi( &V1, N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &V1 ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TU ); mbedtls_mpi_free( &U1 ); mbedtls_mpi_free( &U2 );
+    mbedtls_mpi_free( &G ); mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TV );
+    mbedtls_mpi_free( &V1 ); mbedtls_mpi_free( &V2 );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_GENPRIME)
+
+static const int small_prime[] =
+{
+        3,    5,    7,   11,   13,   17,   19,   23,
+       29,   31,   37,   41,   43,   47,   53,   59,
+       61,   67,   71,   73,   79,   83,   89,   97,
+      101,  103,  107,  109,  113,  127,  131,  137,
+      139,  149,  151,  157,  163,  167,  173,  179,
+      181,  191,  193,  197,  199,  211,  223,  227,
+      229,  233,  239,  241,  251,  257,  263,  269,
+      271,  277,  281,  283,  293,  307,  311,  313,
+      317,  331,  337,  347,  349,  353,  359,  367,
+      373,  379,  383,  389,  397,  401,  409,  419,
+      421,  431,  433,  439,  443,  449,  457,  461,
+      463,  467,  479,  487,  491,  499,  503,  509,
+      521,  523,  541,  547,  557,  563,  569,  571,
+      577,  587,  593,  599,  601,  607,  613,  617,
+      619,  631,  641,  643,  647,  653,  659,  661,
+      673,  677,  683,  691,  701,  709,  719,  727,
+      733,  739,  743,  751,  757,  761,  769,  773,
+      787,  797,  809,  811,  821,  823,  827,  829,
+      839,  853,  857,  859,  863,  877,  881,  883,
+      887,  907,  911,  919,  929,  937,  941,  947,
+      953,  967,  971,  977,  983,  991,  997, -103
+};
+
+/*
+ * Small divisors test (X must be positive)
+ *
+ * Return values:
+ * 0: no small factor (possible prime, more tests needed)
+ * 1: certain prime
+ * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
+ * other negative: error
+ */
+static int mpi_check_small_factors( const mbedtls_mpi *X )
+{
+    int ret = 0;
+    size_t i;
+    mbedtls_mpi_uint r;
+
+    if( ( X->p[0] & 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+    for( i = 0; small_prime[i] > 0; i++ )
+    {
+        if( mbedtls_mpi_cmp_int( X, small_prime[i] ) <= 0 )
+            return( 1 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, small_prime[i] ) );
+
+        if( r == 0 )
+            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Miller-Rabin pseudo-primality test  (HAC 4.24)
+ */
+static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng )
+{
+    int ret, count;
+    size_t i, j, k, s;
+    mbedtls_mpi W, R, T, A, RR;
+
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R );
+    mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
+    mbedtls_mpi_init( &RR );
+
+    /*
+     * W = |X| - 1
+     * R = W >> lsb( W )
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &W, X, 1 ) );
+    s = mbedtls_mpi_lsb( &W );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
+
+    for( i = 0; i < rounds; i++ )
+    {
+        /*
+         * pick a random A, 1 < A < |X| - 1
+         */
+        count = 0;
+        do {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
+
+            j = mbedtls_mpi_bitlen( &A );
+            k = mbedtls_mpi_bitlen( &W );
+            if (j > k) {
+                A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
+            }
+
+            if (count++ > 30) {
+                ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+                goto cleanup;
+            }
+
+        } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
+                  mbedtls_mpi_cmp_int( &A, 1 )  <= 0    );
+
+        /*
+         * A = A^R mod |X|
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &A, &A, &R, X, &RR ) );
+
+        if( mbedtls_mpi_cmp_mpi( &A, &W ) == 0 ||
+            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
+            continue;
+
+        j = 1;
+        while( j < s && mbedtls_mpi_cmp_mpi( &A, &W ) != 0 )
+        {
+            /*
+             * A = A * A mod |X|
+             */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &A, &A ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &A, &T, X  ) );
+
+            if( mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
+                break;
+
+            j++;
+        }
+
+        /*
+         * not prime if A != |X| - 1 or A == 1
+         */
+        if( mbedtls_mpi_cmp_mpi( &A, &W ) != 0 ||
+            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
+        {
+            ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+            break;
+        }
+    }
+
+cleanup:
+    mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R );
+    mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
+    mbedtls_mpi_free( &RR );
+
+    return( ret );
+}
+
+/*
+ * Pseudo-primality test: small factors, then Miller-Rabin
+ */
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    mbedtls_mpi XX;
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    XX.s = 1;
+    XX.n = X->n;
+    XX.p = X->p;
+
+    if( mbedtls_mpi_cmp_int( &XX, 0 ) == 0 ||
+        mbedtls_mpi_cmp_int( &XX, 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+    if( mbedtls_mpi_cmp_int( &XX, 2 ) == 0 )
+        return( 0 );
+
+    if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
+    {
+        if( ret == 1 )
+            return( 0 );
+
+        return( ret );
+    }
+
+    return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/*
+ * Pseudo-primality test, error probability 2^-80
+ */
+int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    /*
+     * In the past our key generation aimed for an error rate of at most
+     * 2^-80. Since this function is deprecated, aim for the same certainty
+     * here as well.
+     */
+    return( mbedtls_mpi_is_prime_ext( X, 40, f_rng, p_rng ) );
+}
+#endif
+
+/*
+ * Prime number generation
+ *
+ * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
+ * be either 1024 bits or 1536 bits long, and flags must contain
+ * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
+                   int (*f_rng)(void *, unsigned char *, size_t),
+                   void *p_rng )
+{
+#ifdef MBEDTLS_HAVE_INT64
+// ceil(2^63.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
+#else
+// ceil(2^31.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
+#endif
+    int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+    size_t k, n;
+    int rounds;
+    mbedtls_mpi_uint r;
+    mbedtls_mpi Y;
+
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &Y );
+
+    n = BITS_TO_LIMBS( nbits );
+
+    if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR ) == 0 )
+    {
+        /*
+         * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
+         */
+        rounds = ( ( nbits >= 1300 ) ?  2 : ( nbits >=  850 ) ?  3 :
+                   ( nbits >=  650 ) ?  4 : ( nbits >=  350 ) ?  8 :
+                   ( nbits >=  250 ) ? 12 : ( nbits >=  150 ) ? 18 : 27 );
+    }
+    else
+    {
+        /*
+         * 2^-100 error probability, number of rounds computed based on HAC,
+         * fact 4.48
+         */
+        rounds = ( ( nbits >= 1450 ) ?  4 : ( nbits >=  1150 ) ?  5 :
+                   ( nbits >= 1000 ) ?  6 : ( nbits >=   850 ) ?  7 :
+                   ( nbits >=  750 ) ?  8 : ( nbits >=   500 ) ? 13 :
+                   ( nbits >=  250 ) ? 28 : ( nbits >=   150 ) ? 40 : 51 );
+    }
+
+    while( 1 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
+        /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
+        if( X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2 ) continue;
+
+        k = n * biL;
+        if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits ) );
+        X->p[0] |= 1;
+
+        if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH ) == 0 )
+        {
+            ret = mbedtls_mpi_is_prime_ext( X, rounds, f_rng, p_rng );
+
+            if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+                goto cleanup;
+        }
+        else
+        {
+            /*
+             * An necessary condition for Y and X = 2Y + 1 to be prime
+             * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
+             * Make sure it is satisfied, while keeping X = 3 mod 4
+             */
+
+            X->p[0] |= 2;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
+            if( r == 0 )
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
+            else if( r == 1 )
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
+
+            /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
+
+            while( 1 )
+            {
+                /*
+                 * First, check small factors for X and Y
+                 * before doing Miller-Rabin on any of them
+                 */
+                if( ( ret = mpi_check_small_factors(  X         ) ) == 0 &&
+                    ( ret = mpi_check_small_factors( &Y         ) ) == 0 &&
+                    ( ret = mpi_miller_rabin(  X, rounds, f_rng, p_rng  ) )
+                                                                    == 0 &&
+                    ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng  ) )
+                                                                    == 0 )
+                    goto cleanup;
+
+                if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+                    goto cleanup;
+
+                /*
+                 * Next candidates. We want to preserve Y = (X-1) / 2 and
+                 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
+                 * so up Y by 6 and X by 12.
+                 */
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int(  X,  X, 12 ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6  ) );
+            }
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &Y );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#define GCD_PAIR_COUNT  3
+
+static const int gcd_pairs[GCD_PAIR_COUNT][3] =
+{
+    { 693, 609, 21 },
+    { 1764, 868, 28 },
+    { 768454923, 542167814, 1 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_mpi_self_test( int verbose )
+{
+    int ret, i;
+    mbedtls_mpi A, E, N, X, Y, U, V;
+
+    mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &X );
+    mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &U ); mbedtls_mpi_init( &V );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &A, 16,
+        "EFE021C2645FD1DC586E69184AF4A31E" \
+        "D5F53E93B5F123FA41680867BA110131" \
+        "944FE7952E2517337780CB0DB80E61AA" \
+        "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &E, 16,
+        "B2E7EFD37075B9F03FF989C7C5051C20" \
+        "34D2A323810251127E7BF8625A4F49A5" \
+        "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
+        "5B5C25763222FEFCCFC38B832366C29E" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &N, 16,
+        "0066A198186C18C10B2F5ED9B522752A" \
+        "9830B69916E535C8F047518A889A43A5" \
+        "94B6BED27A168D31D4A52F88925AA8F5" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "602AB7ECA597A3D6B56FF9829A5E8B85" \
+        "9E857EA95A03512E2BAE7391688D264A" \
+        "A5663B0341DB9CCFD2C4C5F421FEC814" \
+        "8001B72E848A38CAE1C65F78E56ABDEF" \
+        "E12D3C039B8A02D6BE593F0BBBDA56F1" \
+        "ECF677152EF804370C1A305CAF3B5BF1" \
+        "30879B56C61DE584A0F53A2447A51E" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #1 (mul_mpi): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &X, &Y, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "256567336059E52CAE22925474705F39A94" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &V, 16,
+        "6613F26162223DF488E9CD48CC132C7A" \
+        "0AC93C701B001B092E4E5B9F73BCD27B" \
+        "9EE50D0657C77F374E903CDFA4C642" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #2 (div_mpi): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 ||
+        mbedtls_mpi_cmp_mpi( &Y, &V ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &X, &A, &E, &N, NULL ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "36E139AEA55215609D2816998ED020BB" \
+        "BD96C37890F65171D948E9BC7CBAA4D9" \
+        "325D24D6A3C12710F10A09FA08AB87" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #3 (exp_mod): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &X, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
+        "C3DBA76456363A10869622EAC2DD84EC" \
+        "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #4 (inv_mod): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #5 (simple gcd): " );
+
+    for( i = 0; i < GCD_PAIR_COUNT; i++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &X, gcd_pairs[i][0] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Y, gcd_pairs[i][1] ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &A, &X, &Y ) );
+
+        if( mbedtls_mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed at %d\n", i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+
+    if( ret != 0 && verbose != 0 )
+        mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+
+    mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
+    mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BIGNUM_C */
diff --git a/ctrtool/deps/libmbedtls/src/blowfish.c b/ctrtool/deps/libmbedtls/src/blowfish.c
new file mode 100644
index 00000000..cbf92382
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/blowfish.c
@@ -0,0 +1,696 @@
+/*
+ *  Blowfish implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The Blowfish block cipher was designed by Bruce Schneier in 1993.
+ *  http://www.schneier.com/blowfish.html
+ *  http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+
+#include "mbedtls/blowfish.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_BLOWFISH_ALT)
+
+/* Parameter validation macros */
+#define BLOWFISH_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA )
+#define BLOWFISH_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+static const uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2] = {
+        0x243F6A88L, 0x85A308D3L, 0x13198A2EL, 0x03707344L,
+        0xA4093822L, 0x299F31D0L, 0x082EFA98L, 0xEC4E6C89L,
+        0x452821E6L, 0x38D01377L, 0xBE5466CFL, 0x34E90C6CL,
+        0xC0AC29B7L, 0xC97C50DDL, 0x3F84D5B5L, 0xB5470917L,
+        0x9216D5D9L, 0x8979FB1BL
+};
+
+/* declarations of data at the end of this file */
+static const uint32_t S[4][256];
+
+static uint32_t F( mbedtls_blowfish_context *ctx, uint32_t x )
+{
+   unsigned short a, b, c, d;
+   uint32_t  y;
+
+   d = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   c = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   b = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   a = (unsigned short)(x & 0xFF);
+   y = ctx->S[0][a] + ctx->S[1][b];
+   y = y ^ ctx->S[2][c];
+   y = y + ctx->S[3][d];
+
+   return( y );
+}
+
+static void blowfish_enc( mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t *xr )
+{
+    uint32_t  Xl, Xr, temp;
+    short i;
+
+    Xl = *xl;
+    Xr = *xr;
+
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS; ++i )
+    {
+        Xl = Xl ^ ctx->P[i];
+        Xr = F( ctx, Xl ) ^ Xr;
+
+        temp = Xl;
+        Xl = Xr;
+        Xr = temp;
+    }
+
+    temp = Xl;
+    Xl = Xr;
+    Xr = temp;
+
+    Xr = Xr ^ ctx->P[MBEDTLS_BLOWFISH_ROUNDS];
+    Xl = Xl ^ ctx->P[MBEDTLS_BLOWFISH_ROUNDS + 1];
+
+    *xl = Xl;
+    *xr = Xr;
+}
+
+static void blowfish_dec( mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t *xr )
+{
+    uint32_t  Xl, Xr, temp;
+    short i;
+
+    Xl = *xl;
+    Xr = *xr;
+
+    for( i = MBEDTLS_BLOWFISH_ROUNDS + 1; i > 1; --i )
+    {
+        Xl = Xl ^ ctx->P[i];
+        Xr = F( ctx, Xl ) ^ Xr;
+
+        temp = Xl;
+        Xl = Xr;
+        Xr = temp;
+    }
+
+    temp = Xl;
+    Xl = Xr;
+    Xr = temp;
+
+    Xr = Xr ^ ctx->P[1];
+    Xl = Xl ^ ctx->P[0];
+
+    *xl = Xl;
+    *xr = Xr;
+}
+
+void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx )
+{
+    BLOWFISH_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_blowfish_context ) );
+}
+
+void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_blowfish_context ) );
+}
+
+/*
+ * Blowfish key schedule
+ */
+int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits )
+{
+    unsigned int i, j, k;
+    uint32_t data, datal, datar;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( key != NULL );
+
+    if( keybits < MBEDTLS_BLOWFISH_MIN_KEY_BITS    ||
+        keybits > MBEDTLS_BLOWFISH_MAX_KEY_BITS    ||
+        keybits % 8 != 0 )
+    {
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
+    }
+
+    keybits >>= 3;
+
+    for( i = 0; i < 4; i++ )
+    {
+        for( j = 0; j < 256; j++ )
+            ctx->S[i][j] = S[i][j];
+    }
+
+    j = 0;
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS + 2; ++i )
+    {
+        data = 0x00000000;
+        for( k = 0; k < 4; ++k )
+        {
+            data = ( data << 8 ) | key[j++];
+            if( j >= keybits )
+                j = 0;
+        }
+        ctx->P[i] = P[i] ^ data;
+    }
+
+    datal = 0x00000000;
+    datar = 0x00000000;
+
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS + 2; i += 2 )
+    {
+        blowfish_enc( ctx, &datal, &datar );
+        ctx->P[i] = datal;
+        ctx->P[i + 1] = datar;
+    }
+
+    for( i = 0; i < 4; i++ )
+    {
+       for( j = 0; j < 256; j += 2 )
+       {
+            blowfish_enc( ctx, &datal, &datar );
+            ctx->S[i][j] = datal;
+            ctx->S[i][j + 1] = datar;
+        }
+    }
+    return( 0 );
+}
+
+/*
+ * Blowfish-ECB block encryption/decryption
+ */
+int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
+                    int mode,
+                    const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                    unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE] )
+{
+    uint32_t X0, X1;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( input  != NULL );
+    BLOWFISH_VALIDATE_RET( output != NULL );
+
+    GET_UINT32_BE( X0, input,  0 );
+    GET_UINT32_BE( X1, input,  4 );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        blowfish_dec( ctx, &X0, &X1 );
+    }
+    else /* MBEDTLS_BLOWFISH_ENCRYPT */
+    {
+        blowfish_enc( ctx, &X0, &X1 );
+    }
+
+    PUT_UINT32_BE( X0, output,  0 );
+    PUT_UINT32_BE( X1, output,  4 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Blowfish-CBC buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[MBEDTLS_BLOWFISH_BLOCKSIZE];
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( iv != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( length % MBEDTLS_BLOWFISH_BLOCKSIZE )
+        return( MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, MBEDTLS_BLOWFISH_BLOCKSIZE );
+            mbedtls_blowfish_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < MBEDTLS_BLOWFISH_BLOCKSIZE;i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, MBEDTLS_BLOWFISH_BLOCKSIZE );
+
+            input  += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            output += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            length -= MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < MBEDTLS_BLOWFISH_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_blowfish_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, MBEDTLS_BLOWFISH_BLOCKSIZE );
+
+            input  += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            output += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            length -= MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Blowfish CFB buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n;
+
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( iv     != NULL );
+    BLOWFISH_VALIDATE_RET( iv_off != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *iv_off;
+    if( n >= 8 )
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Blowfish CTR buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( nonce_counter != NULL );
+    BLOWFISH_VALIDATE_RET( stream_block  != NULL );
+    BLOWFISH_VALIDATE_RET( nc_off != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *nc_off;
+    if( n >= 8 )
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, nonce_counter,
+                                stream_block );
+
+            for( i = MBEDTLS_BLOWFISH_BLOCKSIZE; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static const uint32_t S[4][256] = {
+    {   0xD1310BA6L, 0x98DFB5ACL, 0x2FFD72DBL, 0xD01ADFB7L,
+        0xB8E1AFEDL, 0x6A267E96L, 0xBA7C9045L, 0xF12C7F99L,
+        0x24A19947L, 0xB3916CF7L, 0x0801F2E2L, 0x858EFC16L,
+        0x636920D8L, 0x71574E69L, 0xA458FEA3L, 0xF4933D7EL,
+        0x0D95748FL, 0x728EB658L, 0x718BCD58L, 0x82154AEEL,
+        0x7B54A41DL, 0xC25A59B5L, 0x9C30D539L, 0x2AF26013L,
+        0xC5D1B023L, 0x286085F0L, 0xCA417918L, 0xB8DB38EFL,
+        0x8E79DCB0L, 0x603A180EL, 0x6C9E0E8BL, 0xB01E8A3EL,
+        0xD71577C1L, 0xBD314B27L, 0x78AF2FDAL, 0x55605C60L,
+        0xE65525F3L, 0xAA55AB94L, 0x57489862L, 0x63E81440L,
+        0x55CA396AL, 0x2AAB10B6L, 0xB4CC5C34L, 0x1141E8CEL,
+        0xA15486AFL, 0x7C72E993L, 0xB3EE1411L, 0x636FBC2AL,
+        0x2BA9C55DL, 0x741831F6L, 0xCE5C3E16L, 0x9B87931EL,
+        0xAFD6BA33L, 0x6C24CF5CL, 0x7A325381L, 0x28958677L,
+        0x3B8F4898L, 0x6B4BB9AFL, 0xC4BFE81BL, 0x66282193L,
+        0x61D809CCL, 0xFB21A991L, 0x487CAC60L, 0x5DEC8032L,
+        0xEF845D5DL, 0xE98575B1L, 0xDC262302L, 0xEB651B88L,
+        0x23893E81L, 0xD396ACC5L, 0x0F6D6FF3L, 0x83F44239L,
+        0x2E0B4482L, 0xA4842004L, 0x69C8F04AL, 0x9E1F9B5EL,
+        0x21C66842L, 0xF6E96C9AL, 0x670C9C61L, 0xABD388F0L,
+        0x6A51A0D2L, 0xD8542F68L, 0x960FA728L, 0xAB5133A3L,
+        0x6EEF0B6CL, 0x137A3BE4L, 0xBA3BF050L, 0x7EFB2A98L,
+        0xA1F1651DL, 0x39AF0176L, 0x66CA593EL, 0x82430E88L,
+        0x8CEE8619L, 0x456F9FB4L, 0x7D84A5C3L, 0x3B8B5EBEL,
+        0xE06F75D8L, 0x85C12073L, 0x401A449FL, 0x56C16AA6L,
+        0x4ED3AA62L, 0x363F7706L, 0x1BFEDF72L, 0x429B023DL,
+        0x37D0D724L, 0xD00A1248L, 0xDB0FEAD3L, 0x49F1C09BL,
+        0x075372C9L, 0x80991B7BL, 0x25D479D8L, 0xF6E8DEF7L,
+        0xE3FE501AL, 0xB6794C3BL, 0x976CE0BDL, 0x04C006BAL,
+        0xC1A94FB6L, 0x409F60C4L, 0x5E5C9EC2L, 0x196A2463L,
+        0x68FB6FAFL, 0x3E6C53B5L, 0x1339B2EBL, 0x3B52EC6FL,
+        0x6DFC511FL, 0x9B30952CL, 0xCC814544L, 0xAF5EBD09L,
+        0xBEE3D004L, 0xDE334AFDL, 0x660F2807L, 0x192E4BB3L,
+        0xC0CBA857L, 0x45C8740FL, 0xD20B5F39L, 0xB9D3FBDBL,
+        0x5579C0BDL, 0x1A60320AL, 0xD6A100C6L, 0x402C7279L,
+        0x679F25FEL, 0xFB1FA3CCL, 0x8EA5E9F8L, 0xDB3222F8L,
+        0x3C7516DFL, 0xFD616B15L, 0x2F501EC8L, 0xAD0552ABL,
+        0x323DB5FAL, 0xFD238760L, 0x53317B48L, 0x3E00DF82L,
+        0x9E5C57BBL, 0xCA6F8CA0L, 0x1A87562EL, 0xDF1769DBL,
+        0xD542A8F6L, 0x287EFFC3L, 0xAC6732C6L, 0x8C4F5573L,
+        0x695B27B0L, 0xBBCA58C8L, 0xE1FFA35DL, 0xB8F011A0L,
+        0x10FA3D98L, 0xFD2183B8L, 0x4AFCB56CL, 0x2DD1D35BL,
+        0x9A53E479L, 0xB6F84565L, 0xD28E49BCL, 0x4BFB9790L,
+        0xE1DDF2DAL, 0xA4CB7E33L, 0x62FB1341L, 0xCEE4C6E8L,
+        0xEF20CADAL, 0x36774C01L, 0xD07E9EFEL, 0x2BF11FB4L,
+        0x95DBDA4DL, 0xAE909198L, 0xEAAD8E71L, 0x6B93D5A0L,
+        0xD08ED1D0L, 0xAFC725E0L, 0x8E3C5B2FL, 0x8E7594B7L,
+        0x8FF6E2FBL, 0xF2122B64L, 0x8888B812L, 0x900DF01CL,
+        0x4FAD5EA0L, 0x688FC31CL, 0xD1CFF191L, 0xB3A8C1ADL,
+        0x2F2F2218L, 0xBE0E1777L, 0xEA752DFEL, 0x8B021FA1L,
+        0xE5A0CC0FL, 0xB56F74E8L, 0x18ACF3D6L, 0xCE89E299L,
+        0xB4A84FE0L, 0xFD13E0B7L, 0x7CC43B81L, 0xD2ADA8D9L,
+        0x165FA266L, 0x80957705L, 0x93CC7314L, 0x211A1477L,
+        0xE6AD2065L, 0x77B5FA86L, 0xC75442F5L, 0xFB9D35CFL,
+        0xEBCDAF0CL, 0x7B3E89A0L, 0xD6411BD3L, 0xAE1E7E49L,
+        0x00250E2DL, 0x2071B35EL, 0x226800BBL, 0x57B8E0AFL,
+        0x2464369BL, 0xF009B91EL, 0x5563911DL, 0x59DFA6AAL,
+        0x78C14389L, 0xD95A537FL, 0x207D5BA2L, 0x02E5B9C5L,
+        0x83260376L, 0x6295CFA9L, 0x11C81968L, 0x4E734A41L,
+        0xB3472DCAL, 0x7B14A94AL, 0x1B510052L, 0x9A532915L,
+        0xD60F573FL, 0xBC9BC6E4L, 0x2B60A476L, 0x81E67400L,
+        0x08BA6FB5L, 0x571BE91FL, 0xF296EC6BL, 0x2A0DD915L,
+        0xB6636521L, 0xE7B9F9B6L, 0xFF34052EL, 0xC5855664L,
+        0x53B02D5DL, 0xA99F8FA1L, 0x08BA4799L, 0x6E85076AL   },
+    {   0x4B7A70E9L, 0xB5B32944L, 0xDB75092EL, 0xC4192623L,
+        0xAD6EA6B0L, 0x49A7DF7DL, 0x9CEE60B8L, 0x8FEDB266L,
+        0xECAA8C71L, 0x699A17FFL, 0x5664526CL, 0xC2B19EE1L,
+        0x193602A5L, 0x75094C29L, 0xA0591340L, 0xE4183A3EL,
+        0x3F54989AL, 0x5B429D65L, 0x6B8FE4D6L, 0x99F73FD6L,
+        0xA1D29C07L, 0xEFE830F5L, 0x4D2D38E6L, 0xF0255DC1L,
+        0x4CDD2086L, 0x8470EB26L, 0x6382E9C6L, 0x021ECC5EL,
+        0x09686B3FL, 0x3EBAEFC9L, 0x3C971814L, 0x6B6A70A1L,
+        0x687F3584L, 0x52A0E286L, 0xB79C5305L, 0xAA500737L,
+        0x3E07841CL, 0x7FDEAE5CL, 0x8E7D44ECL, 0x5716F2B8L,
+        0xB03ADA37L, 0xF0500C0DL, 0xF01C1F04L, 0x0200B3FFL,
+        0xAE0CF51AL, 0x3CB574B2L, 0x25837A58L, 0xDC0921BDL,
+        0xD19113F9L, 0x7CA92FF6L, 0x94324773L, 0x22F54701L,
+        0x3AE5E581L, 0x37C2DADCL, 0xC8B57634L, 0x9AF3DDA7L,
+        0xA9446146L, 0x0FD0030EL, 0xECC8C73EL, 0xA4751E41L,
+        0xE238CD99L, 0x3BEA0E2FL, 0x3280BBA1L, 0x183EB331L,
+        0x4E548B38L, 0x4F6DB908L, 0x6F420D03L, 0xF60A04BFL,
+        0x2CB81290L, 0x24977C79L, 0x5679B072L, 0xBCAF89AFL,
+        0xDE9A771FL, 0xD9930810L, 0xB38BAE12L, 0xDCCF3F2EL,
+        0x5512721FL, 0x2E6B7124L, 0x501ADDE6L, 0x9F84CD87L,
+        0x7A584718L, 0x7408DA17L, 0xBC9F9ABCL, 0xE94B7D8CL,
+        0xEC7AEC3AL, 0xDB851DFAL, 0x63094366L, 0xC464C3D2L,
+        0xEF1C1847L, 0x3215D908L, 0xDD433B37L, 0x24C2BA16L,
+        0x12A14D43L, 0x2A65C451L, 0x50940002L, 0x133AE4DDL,
+        0x71DFF89EL, 0x10314E55L, 0x81AC77D6L, 0x5F11199BL,
+        0x043556F1L, 0xD7A3C76BL, 0x3C11183BL, 0x5924A509L,
+        0xF28FE6EDL, 0x97F1FBFAL, 0x9EBABF2CL, 0x1E153C6EL,
+        0x86E34570L, 0xEAE96FB1L, 0x860E5E0AL, 0x5A3E2AB3L,
+        0x771FE71CL, 0x4E3D06FAL, 0x2965DCB9L, 0x99E71D0FL,
+        0x803E89D6L, 0x5266C825L, 0x2E4CC978L, 0x9C10B36AL,
+        0xC6150EBAL, 0x94E2EA78L, 0xA5FC3C53L, 0x1E0A2DF4L,
+        0xF2F74EA7L, 0x361D2B3DL, 0x1939260FL, 0x19C27960L,
+        0x5223A708L, 0xF71312B6L, 0xEBADFE6EL, 0xEAC31F66L,
+        0xE3BC4595L, 0xA67BC883L, 0xB17F37D1L, 0x018CFF28L,
+        0xC332DDEFL, 0xBE6C5AA5L, 0x65582185L, 0x68AB9802L,
+        0xEECEA50FL, 0xDB2F953BL, 0x2AEF7DADL, 0x5B6E2F84L,
+        0x1521B628L, 0x29076170L, 0xECDD4775L, 0x619F1510L,
+        0x13CCA830L, 0xEB61BD96L, 0x0334FE1EL, 0xAA0363CFL,
+        0xB5735C90L, 0x4C70A239L, 0xD59E9E0BL, 0xCBAADE14L,
+        0xEECC86BCL, 0x60622CA7L, 0x9CAB5CABL, 0xB2F3846EL,
+        0x648B1EAFL, 0x19BDF0CAL, 0xA02369B9L, 0x655ABB50L,
+        0x40685A32L, 0x3C2AB4B3L, 0x319EE9D5L, 0xC021B8F7L,
+        0x9B540B19L, 0x875FA099L, 0x95F7997EL, 0x623D7DA8L,
+        0xF837889AL, 0x97E32D77L, 0x11ED935FL, 0x16681281L,
+        0x0E358829L, 0xC7E61FD6L, 0x96DEDFA1L, 0x7858BA99L,
+        0x57F584A5L, 0x1B227263L, 0x9B83C3FFL, 0x1AC24696L,
+        0xCDB30AEBL, 0x532E3054L, 0x8FD948E4L, 0x6DBC3128L,
+        0x58EBF2EFL, 0x34C6FFEAL, 0xFE28ED61L, 0xEE7C3C73L,
+        0x5D4A14D9L, 0xE864B7E3L, 0x42105D14L, 0x203E13E0L,
+        0x45EEE2B6L, 0xA3AAABEAL, 0xDB6C4F15L, 0xFACB4FD0L,
+        0xC742F442L, 0xEF6ABBB5L, 0x654F3B1DL, 0x41CD2105L,
+        0xD81E799EL, 0x86854DC7L, 0xE44B476AL, 0x3D816250L,
+        0xCF62A1F2L, 0x5B8D2646L, 0xFC8883A0L, 0xC1C7B6A3L,
+        0x7F1524C3L, 0x69CB7492L, 0x47848A0BL, 0x5692B285L,
+        0x095BBF00L, 0xAD19489DL, 0x1462B174L, 0x23820E00L,
+        0x58428D2AL, 0x0C55F5EAL, 0x1DADF43EL, 0x233F7061L,
+        0x3372F092L, 0x8D937E41L, 0xD65FECF1L, 0x6C223BDBL,
+        0x7CDE3759L, 0xCBEE7460L, 0x4085F2A7L, 0xCE77326EL,
+        0xA6078084L, 0x19F8509EL, 0xE8EFD855L, 0x61D99735L,
+        0xA969A7AAL, 0xC50C06C2L, 0x5A04ABFCL, 0x800BCADCL,
+        0x9E447A2EL, 0xC3453484L, 0xFDD56705L, 0x0E1E9EC9L,
+        0xDB73DBD3L, 0x105588CDL, 0x675FDA79L, 0xE3674340L,
+        0xC5C43465L, 0x713E38D8L, 0x3D28F89EL, 0xF16DFF20L,
+        0x153E21E7L, 0x8FB03D4AL, 0xE6E39F2BL, 0xDB83ADF7L   },
+    {   0xE93D5A68L, 0x948140F7L, 0xF64C261CL, 0x94692934L,
+        0x411520F7L, 0x7602D4F7L, 0xBCF46B2EL, 0xD4A20068L,
+        0xD4082471L, 0x3320F46AL, 0x43B7D4B7L, 0x500061AFL,
+        0x1E39F62EL, 0x97244546L, 0x14214F74L, 0xBF8B8840L,
+        0x4D95FC1DL, 0x96B591AFL, 0x70F4DDD3L, 0x66A02F45L,
+        0xBFBC09ECL, 0x03BD9785L, 0x7FAC6DD0L, 0x31CB8504L,
+        0x96EB27B3L, 0x55FD3941L, 0xDA2547E6L, 0xABCA0A9AL,
+        0x28507825L, 0x530429F4L, 0x0A2C86DAL, 0xE9B66DFBL,
+        0x68DC1462L, 0xD7486900L, 0x680EC0A4L, 0x27A18DEEL,
+        0x4F3FFEA2L, 0xE887AD8CL, 0xB58CE006L, 0x7AF4D6B6L,
+        0xAACE1E7CL, 0xD3375FECL, 0xCE78A399L, 0x406B2A42L,
+        0x20FE9E35L, 0xD9F385B9L, 0xEE39D7ABL, 0x3B124E8BL,
+        0x1DC9FAF7L, 0x4B6D1856L, 0x26A36631L, 0xEAE397B2L,
+        0x3A6EFA74L, 0xDD5B4332L, 0x6841E7F7L, 0xCA7820FBL,
+        0xFB0AF54EL, 0xD8FEB397L, 0x454056ACL, 0xBA489527L,
+        0x55533A3AL, 0x20838D87L, 0xFE6BA9B7L, 0xD096954BL,
+        0x55A867BCL, 0xA1159A58L, 0xCCA92963L, 0x99E1DB33L,
+        0xA62A4A56L, 0x3F3125F9L, 0x5EF47E1CL, 0x9029317CL,
+        0xFDF8E802L, 0x04272F70L, 0x80BB155CL, 0x05282CE3L,
+        0x95C11548L, 0xE4C66D22L, 0x48C1133FL, 0xC70F86DCL,
+        0x07F9C9EEL, 0x41041F0FL, 0x404779A4L, 0x5D886E17L,
+        0x325F51EBL, 0xD59BC0D1L, 0xF2BCC18FL, 0x41113564L,
+        0x257B7834L, 0x602A9C60L, 0xDFF8E8A3L, 0x1F636C1BL,
+        0x0E12B4C2L, 0x02E1329EL, 0xAF664FD1L, 0xCAD18115L,
+        0x6B2395E0L, 0x333E92E1L, 0x3B240B62L, 0xEEBEB922L,
+        0x85B2A20EL, 0xE6BA0D99L, 0xDE720C8CL, 0x2DA2F728L,
+        0xD0127845L, 0x95B794FDL, 0x647D0862L, 0xE7CCF5F0L,
+        0x5449A36FL, 0x877D48FAL, 0xC39DFD27L, 0xF33E8D1EL,
+        0x0A476341L, 0x992EFF74L, 0x3A6F6EABL, 0xF4F8FD37L,
+        0xA812DC60L, 0xA1EBDDF8L, 0x991BE14CL, 0xDB6E6B0DL,
+        0xC67B5510L, 0x6D672C37L, 0x2765D43BL, 0xDCD0E804L,
+        0xF1290DC7L, 0xCC00FFA3L, 0xB5390F92L, 0x690FED0BL,
+        0x667B9FFBL, 0xCEDB7D9CL, 0xA091CF0BL, 0xD9155EA3L,
+        0xBB132F88L, 0x515BAD24L, 0x7B9479BFL, 0x763BD6EBL,
+        0x37392EB3L, 0xCC115979L, 0x8026E297L, 0xF42E312DL,
+        0x6842ADA7L, 0xC66A2B3BL, 0x12754CCCL, 0x782EF11CL,
+        0x6A124237L, 0xB79251E7L, 0x06A1BBE6L, 0x4BFB6350L,
+        0x1A6B1018L, 0x11CAEDFAL, 0x3D25BDD8L, 0xE2E1C3C9L,
+        0x44421659L, 0x0A121386L, 0xD90CEC6EL, 0xD5ABEA2AL,
+        0x64AF674EL, 0xDA86A85FL, 0xBEBFE988L, 0x64E4C3FEL,
+        0x9DBC8057L, 0xF0F7C086L, 0x60787BF8L, 0x6003604DL,
+        0xD1FD8346L, 0xF6381FB0L, 0x7745AE04L, 0xD736FCCCL,
+        0x83426B33L, 0xF01EAB71L, 0xB0804187L, 0x3C005E5FL,
+        0x77A057BEL, 0xBDE8AE24L, 0x55464299L, 0xBF582E61L,
+        0x4E58F48FL, 0xF2DDFDA2L, 0xF474EF38L, 0x8789BDC2L,
+        0x5366F9C3L, 0xC8B38E74L, 0xB475F255L, 0x46FCD9B9L,
+        0x7AEB2661L, 0x8B1DDF84L, 0x846A0E79L, 0x915F95E2L,
+        0x466E598EL, 0x20B45770L, 0x8CD55591L, 0xC902DE4CL,
+        0xB90BACE1L, 0xBB8205D0L, 0x11A86248L, 0x7574A99EL,
+        0xB77F19B6L, 0xE0A9DC09L, 0x662D09A1L, 0xC4324633L,
+        0xE85A1F02L, 0x09F0BE8CL, 0x4A99A025L, 0x1D6EFE10L,
+        0x1AB93D1DL, 0x0BA5A4DFL, 0xA186F20FL, 0x2868F169L,
+        0xDCB7DA83L, 0x573906FEL, 0xA1E2CE9BL, 0x4FCD7F52L,
+        0x50115E01L, 0xA70683FAL, 0xA002B5C4L, 0x0DE6D027L,
+        0x9AF88C27L, 0x773F8641L, 0xC3604C06L, 0x61A806B5L,
+        0xF0177A28L, 0xC0F586E0L, 0x006058AAL, 0x30DC7D62L,
+        0x11E69ED7L, 0x2338EA63L, 0x53C2DD94L, 0xC2C21634L,
+        0xBBCBEE56L, 0x90BCB6DEL, 0xEBFC7DA1L, 0xCE591D76L,
+        0x6F05E409L, 0x4B7C0188L, 0x39720A3DL, 0x7C927C24L,
+        0x86E3725FL, 0x724D9DB9L, 0x1AC15BB4L, 0xD39EB8FCL,
+        0xED545578L, 0x08FCA5B5L, 0xD83D7CD3L, 0x4DAD0FC4L,
+        0x1E50EF5EL, 0xB161E6F8L, 0xA28514D9L, 0x6C51133CL,
+        0x6FD5C7E7L, 0x56E14EC4L, 0x362ABFCEL, 0xDDC6C837L,
+        0xD79A3234L, 0x92638212L, 0x670EFA8EL, 0x406000E0L  },
+    {   0x3A39CE37L, 0xD3FAF5CFL, 0xABC27737L, 0x5AC52D1BL,
+        0x5CB0679EL, 0x4FA33742L, 0xD3822740L, 0x99BC9BBEL,
+        0xD5118E9DL, 0xBF0F7315L, 0xD62D1C7EL, 0xC700C47BL,
+        0xB78C1B6BL, 0x21A19045L, 0xB26EB1BEL, 0x6A366EB4L,
+        0x5748AB2FL, 0xBC946E79L, 0xC6A376D2L, 0x6549C2C8L,
+        0x530FF8EEL, 0x468DDE7DL, 0xD5730A1DL, 0x4CD04DC6L,
+        0x2939BBDBL, 0xA9BA4650L, 0xAC9526E8L, 0xBE5EE304L,
+        0xA1FAD5F0L, 0x6A2D519AL, 0x63EF8CE2L, 0x9A86EE22L,
+        0xC089C2B8L, 0x43242EF6L, 0xA51E03AAL, 0x9CF2D0A4L,
+        0x83C061BAL, 0x9BE96A4DL, 0x8FE51550L, 0xBA645BD6L,
+        0x2826A2F9L, 0xA73A3AE1L, 0x4BA99586L, 0xEF5562E9L,
+        0xC72FEFD3L, 0xF752F7DAL, 0x3F046F69L, 0x77FA0A59L,
+        0x80E4A915L, 0x87B08601L, 0x9B09E6ADL, 0x3B3EE593L,
+        0xE990FD5AL, 0x9E34D797L, 0x2CF0B7D9L, 0x022B8B51L,
+        0x96D5AC3AL, 0x017DA67DL, 0xD1CF3ED6L, 0x7C7D2D28L,
+        0x1F9F25CFL, 0xADF2B89BL, 0x5AD6B472L, 0x5A88F54CL,
+        0xE029AC71L, 0xE019A5E6L, 0x47B0ACFDL, 0xED93FA9BL,
+        0xE8D3C48DL, 0x283B57CCL, 0xF8D56629L, 0x79132E28L,
+        0x785F0191L, 0xED756055L, 0xF7960E44L, 0xE3D35E8CL,
+        0x15056DD4L, 0x88F46DBAL, 0x03A16125L, 0x0564F0BDL,
+        0xC3EB9E15L, 0x3C9057A2L, 0x97271AECL, 0xA93A072AL,
+        0x1B3F6D9BL, 0x1E6321F5L, 0xF59C66FBL, 0x26DCF319L,
+        0x7533D928L, 0xB155FDF5L, 0x03563482L, 0x8ABA3CBBL,
+        0x28517711L, 0xC20AD9F8L, 0xABCC5167L, 0xCCAD925FL,
+        0x4DE81751L, 0x3830DC8EL, 0x379D5862L, 0x9320F991L,
+        0xEA7A90C2L, 0xFB3E7BCEL, 0x5121CE64L, 0x774FBE32L,
+        0xA8B6E37EL, 0xC3293D46L, 0x48DE5369L, 0x6413E680L,
+        0xA2AE0810L, 0xDD6DB224L, 0x69852DFDL, 0x09072166L,
+        0xB39A460AL, 0x6445C0DDL, 0x586CDECFL, 0x1C20C8AEL,
+        0x5BBEF7DDL, 0x1B588D40L, 0xCCD2017FL, 0x6BB4E3BBL,
+        0xDDA26A7EL, 0x3A59FF45L, 0x3E350A44L, 0xBCB4CDD5L,
+        0x72EACEA8L, 0xFA6484BBL, 0x8D6612AEL, 0xBF3C6F47L,
+        0xD29BE463L, 0x542F5D9EL, 0xAEC2771BL, 0xF64E6370L,
+        0x740E0D8DL, 0xE75B1357L, 0xF8721671L, 0xAF537D5DL,
+        0x4040CB08L, 0x4EB4E2CCL, 0x34D2466AL, 0x0115AF84L,
+        0xE1B00428L, 0x95983A1DL, 0x06B89FB4L, 0xCE6EA048L,
+        0x6F3F3B82L, 0x3520AB82L, 0x011A1D4BL, 0x277227F8L,
+        0x611560B1L, 0xE7933FDCL, 0xBB3A792BL, 0x344525BDL,
+        0xA08839E1L, 0x51CE794BL, 0x2F32C9B7L, 0xA01FBAC9L,
+        0xE01CC87EL, 0xBCC7D1F6L, 0xCF0111C3L, 0xA1E8AAC7L,
+        0x1A908749L, 0xD44FBD9AL, 0xD0DADECBL, 0xD50ADA38L,
+        0x0339C32AL, 0xC6913667L, 0x8DF9317CL, 0xE0B12B4FL,
+        0xF79E59B7L, 0x43F5BB3AL, 0xF2D519FFL, 0x27D9459CL,
+        0xBF97222CL, 0x15E6FC2AL, 0x0F91FC71L, 0x9B941525L,
+        0xFAE59361L, 0xCEB69CEBL, 0xC2A86459L, 0x12BAA8D1L,
+        0xB6C1075EL, 0xE3056A0CL, 0x10D25065L, 0xCB03A442L,
+        0xE0EC6E0EL, 0x1698DB3BL, 0x4C98A0BEL, 0x3278E964L,
+        0x9F1F9532L, 0xE0D392DFL, 0xD3A0342BL, 0x8971F21EL,
+        0x1B0A7441L, 0x4BA3348CL, 0xC5BE7120L, 0xC37632D8L,
+        0xDF359F8DL, 0x9B992F2EL, 0xE60B6F47L, 0x0FE3F11DL,
+        0xE54CDA54L, 0x1EDAD891L, 0xCE6279CFL, 0xCD3E7E6FL,
+        0x1618B166L, 0xFD2C1D05L, 0x848FD2C5L, 0xF6FB2299L,
+        0xF523F357L, 0xA6327623L, 0x93A83531L, 0x56CCCD02L,
+        0xACF08162L, 0x5A75EBB5L, 0x6E163697L, 0x88D273CCL,
+        0xDE966292L, 0x81B949D0L, 0x4C50901BL, 0x71C65614L,
+        0xE6C6C7BDL, 0x327A140AL, 0x45E1D006L, 0xC3F27B9AL,
+        0xC9AA53FDL, 0x62A80F00L, 0xBB25BFE2L, 0x35BDD2F6L,
+        0x71126905L, 0xB2040222L, 0xB6CBCF7CL, 0xCD769C2BL,
+        0x53113EC0L, 0x1640E3D3L, 0x38ABBD60L, 0x2547ADF0L,
+        0xBA38209CL, 0xF746CE76L, 0x77AFA1C5L, 0x20756060L,
+        0x85CBFE4EL, 0x8AE88DD8L, 0x7AAAF9B0L, 0x4CF9AA7EL,
+        0x1948C25CL, 0x02FB8A8CL, 0x01C36AE4L, 0xD6EBE1F9L,
+        0x90D4F869L, 0xA65CDEA0L, 0x3F09252DL, 0xC208E69FL,
+        0xB74E6132L, 0xCE77E25BL, 0x578FDFE3L, 0x3AC372E6L  }
+};
+
+#endif /* !MBEDTLS_BLOWFISH_ALT */
+#endif /* MBEDTLS_BLOWFISH_C */
diff --git a/ctrtool/deps/libmbedtls/src/camellia.c b/ctrtool/deps/libmbedtls/src/camellia.c
new file mode 100644
index 00000000..22262b89
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/camellia.c
@@ -0,0 +1,1114 @@
+/*
+ *  Camellia implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
+ *  Corporation.
+ *
+ *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+#include "mbedtls/camellia.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+
+/* Parameter validation macros */
+#define CAMELLIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
+#define CAMELLIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+static const unsigned char SIGMA_CHARS[6][8] =
+{
+    { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
+    { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
+    { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
+    { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
+    { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
+    { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
+};
+
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+
+static const unsigned char FSb[256] =
+{
+    112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
+     35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
+    134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
+    166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
+    139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
+    223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
+     20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
+    254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
+    170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
+     16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
+    135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
+     82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
+    233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
+    120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
+    114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
+     64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
+#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
+#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
+
+#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char FSb[256] =
+{
+ 112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
+  35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
+ 134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
+ 166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
+ 139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
+ 223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
+  20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
+ 254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
+ 170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
+  16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
+ 135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
+  82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
+ 233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
+ 120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
+ 114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
+ 64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
+};
+
+static const unsigned char FSb2[256] =
+{
+ 224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
+  70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
+  13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
+  77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
+  23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
+ 191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
+  40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
+ 253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
+  85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
+  32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
+  15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
+ 164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
+ 211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
+ 240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
+ 228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
+ 128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
+};
+
+static const unsigned char FSb3[256] =
+{
+  56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
+ 145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
+  67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
+  83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
+ 197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
+ 239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
+  10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
+ 127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
+  85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
+   8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
+ 195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
+  41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
+ 244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
+  60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
+  57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
+  32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
+};
+
+static const unsigned char FSb4[256] =
+{
+ 112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
+ 134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
+ 139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
+  20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
+ 170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
+ 135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
+ 233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
+ 114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
+ 130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
+ 184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
+  13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
+  88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
+ 208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
+  92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
+ 121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
+  7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) FSb2[(n)]
+#define SBOX3(n) FSb3[(n)]
+#define SBOX4(n) FSb4[(n)]
+
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char shifts[2][4][4] =
+{
+    {
+        { 1, 1, 1, 1 }, /* KL */
+        { 0, 0, 0, 0 }, /* KR */
+        { 1, 1, 1, 1 }, /* KA */
+        { 0, 0, 0, 0 }  /* KB */
+    },
+    {
+        { 1, 0, 1, 1 }, /* KL */
+        { 1, 1, 0, 1 }, /* KR */
+        { 1, 1, 1, 0 }, /* KA */
+        { 1, 1, 0, 1 }  /* KB */
+    }
+};
+
+static const signed char indexes[2][4][20] =
+{
+    {
+        {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
+          36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
+        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
+        {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
+          18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
+        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
+    },
+    {
+        {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
+          -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
+        { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
+          18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
+        { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
+          56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
+        {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
+          22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
+    }
+};
+
+static const signed char transposes[2][20] =
+{
+    {
+        21, 22, 23, 20,
+        -1, -1, -1, -1,
+        18, 19, 16, 17,
+        11,  8,  9, 10,
+        15, 12, 13, 14
+    },
+    {
+        25, 26, 27, 24,
+        29, 30, 31, 28,
+        18, 19, 16, 17,
+        -1, -1, -1, -1,
+        -1, -1, -1, -1
+    }
+};
+
+/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
+#define ROTL(DEST, SRC, SHIFT)                                      \
+{                                                                   \
+    (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
+    (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
+    (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
+    (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
+}
+
+#define FL(XL, XR, KL, KR)                                          \
+{                                                                   \
+    (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
+    (XL) = ((XR) | (KR)) ^ (XL);                                    \
+}
+
+#define FLInv(YL, YR, KL, KR)                                       \
+{                                                                   \
+    (YL) = ((YR) | (KR)) ^ (YL);                                    \
+    (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
+}
+
+#define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
+{                                                           \
+    TK[0] = KC[(OFFSET) * 4 + 0];                           \
+    TK[1] = KC[(OFFSET) * 4 + 1];                           \
+    TK[2] = KC[(OFFSET) * 4 + 2];                           \
+    TK[3] = KC[(OFFSET) * 4 + 3];                           \
+                                                            \
+    for( i = 1; i <= 4; i++ )                               \
+        if( shifts[(INDEX)][(OFFSET)][i -1] )               \
+            ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
+                                                            \
+    for( i = 0; i < 20; i++ )                               \
+        if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
+            RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
+        }                                                   \
+}
+
+static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
+                              uint32_t z[2])
+{
+    uint32_t I0, I1;
+    I0 = x[0] ^ k[0];
+    I1 = x[1] ^ k[1];
+
+    I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
+         ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
+         ((uint32_t) SBOX3((I0 >>  8) & 0xFF) <<  8) |
+         ((uint32_t) SBOX4((I0      ) & 0xFF)      );
+    I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
+         ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
+         ((uint32_t) SBOX4((I1 >>  8) & 0xFF) <<  8) |
+         ((uint32_t) SBOX1((I1      ) & 0xFF)      );
+
+    I0 ^= (I1 << 8) | (I1 >> 24);
+    I1 ^= (I0 << 16) | (I0 >> 16);
+    I0 ^= (I1 >> 8) | (I1 << 24);
+    I1 ^= (I0 >> 8) | (I0 << 24);
+
+    z[0] ^= I1;
+    z[1] ^= I0;
+}
+
+void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
+{
+    CAMELLIA_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
+}
+
+void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
+}
+
+/*
+ * Camellia key schedule (encryption)
+ */
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits )
+{
+    int idx;
+    size_t i;
+    uint32_t *RK;
+    unsigned char t[64];
+    uint32_t SIGMA[6][2];
+    uint32_t KC[16];
+    uint32_t TK[20];
+
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( key != NULL );
+
+    RK = ctx->rk;
+
+    memset( t, 0, 64 );
+    memset( RK, 0, sizeof(ctx->rk) );
+
+    switch( keybits )
+    {
+        case 128: ctx->nr = 3; idx = 0; break;
+        case 192:
+        case 256: ctx->nr = 4; idx = 1; break;
+        default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
+    }
+
+    for( i = 0; i < keybits / 8; ++i )
+        t[i] = key[i];
+
+    if( keybits == 192 ) {
+        for( i = 0; i < 8; i++ )
+            t[24 + i] = ~t[16 + i];
+    }
+
+    /*
+     * Prepare SIGMA values
+     */
+    for( i = 0; i < 6; i++ ) {
+        GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
+        GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
+    }
+
+    /*
+     * Key storage in KC
+     * Order: KL, KR, KA, KB
+     */
+    memset( KC, 0, sizeof(KC) );
+
+    /* Store KL, KR */
+    for( i = 0; i < 8; i++ )
+        GET_UINT32_BE( KC[i], t, i * 4 );
+
+    /* Generate KA */
+    for( i = 0; i < 4; ++i )
+        KC[8 + i] = KC[i] ^ KC[4 + i];
+
+    camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
+    camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
+
+    for( i = 0; i < 4; ++i )
+        KC[8 + i] ^= KC[i];
+
+    camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
+    camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
+
+    if( keybits > 128 ) {
+        /* Generate KB */
+        for( i = 0; i < 4; ++i )
+            KC[12 + i] = KC[4 + i] ^ KC[8 + i];
+
+        camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
+        camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
+    }
+
+    /*
+     * Generating subkeys
+     */
+
+    /* Manipulating KL */
+    SHIFT_AND_PLACE( idx, 0 );
+
+    /* Manipulating KR */
+    if( keybits > 128 ) {
+        SHIFT_AND_PLACE( idx, 1 );
+    }
+
+    /* Manipulating KA */
+    SHIFT_AND_PLACE( idx, 2 );
+
+    /* Manipulating KB */
+    if( keybits > 128 ) {
+        SHIFT_AND_PLACE( idx, 3 );
+    }
+
+    /* Do transpositions */
+    for( i = 0; i < 20; i++ ) {
+        if( transposes[idx][i] != -1 ) {
+            RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Camellia key schedule (decryption)
+ */
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits )
+{
+    int idx, ret;
+    size_t i;
+    mbedtls_camellia_context cty;
+    uint32_t *RK;
+    uint32_t *SK;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( key != NULL );
+
+    mbedtls_camellia_init( &cty );
+
+    /* Also checks keybits */
+    if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
+        goto exit;
+
+    ctx->nr = cty.nr;
+    idx = ( ctx->nr == 4 );
+
+    RK = ctx->rk;
+    SK = cty.rk + 24 * 2 + 8 * idx * 2;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+    for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
+    {
+        *RK++ = *SK++;
+        *RK++ = *SK++;
+    }
+
+    SK -= 2;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+exit:
+    mbedtls_camellia_free( &cty );
+
+    return( ret );
+}
+
+/*
+ * Camellia-ECB block encryption/decryption
+ */
+int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] )
+{
+    int NR;
+    uint32_t *RK, X[4];
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( input  != NULL );
+    CAMELLIA_VALIDATE_RET( output != NULL );
+
+    ( (void) mode );
+
+    NR = ctx->nr;
+    RK = ctx->rk;
+
+    GET_UINT32_BE( X[0], input,  0 );
+    GET_UINT32_BE( X[1], input,  4 );
+    GET_UINT32_BE( X[2], input,  8 );
+    GET_UINT32_BE( X[3], input, 12 );
+
+    X[0] ^= *RK++;
+    X[1] ^= *RK++;
+    X[2] ^= *RK++;
+    X[3] ^= *RK++;
+
+    while( NR ) {
+        --NR;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+
+        if( NR ) {
+            FL(X[0], X[1], RK[0], RK[1]);
+            RK += 2;
+            FLInv(X[2], X[3], RK[0], RK[1]);
+            RK += 2;
+        }
+    }
+
+    X[2] ^= *RK++;
+    X[3] ^= *RK++;
+    X[0] ^= *RK++;
+    X[1] ^= *RK++;
+
+    PUT_UINT32_BE( X[2], output,  0 );
+    PUT_UINT32_BE( X[3], output,  4 );
+    PUT_UINT32_BE( X[0], output,  8 );
+    PUT_UINT32_BE( X[1], output, 12 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Camellia-CBC buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
+                                int mode,
+                                size_t length,
+                                unsigned char iv[16],
+                                const unsigned char *input,
+                                unsigned char *output )
+{
+    int i;
+    unsigned char temp[16];
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( iv != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( length % 16 )
+        return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 16 );
+            mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Camellia-CFB128 buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( iv     != NULL );
+    CAMELLIA_VALIDATE_RET( iv_off != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *iv_off;
+    if( n >= 16 )
+        return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
+    CAMELLIA_VALIDATE_RET( stream_block  != NULL );
+    CAMELLIA_VALIDATE_RET( nc_off != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *nc_off;
+    if( n >= 16 )
+        return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
+                                stream_block );
+
+            for( i = 16; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_CAMELLIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Camellia test vectors from:
+ *
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
+ *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
+ *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
+ *                      (For each bitlength: Key 0, Nr 39)
+ */
+#define CAMELLIA_TESTS_ECB  2
+
+static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
+{
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+};
+
+static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+      0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+    { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
+{
+    {
+        { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
+          0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
+        { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
+          0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
+    },
+    {
+        { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
+          0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
+        { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
+          0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
+    },
+    {
+        { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
+          0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
+        { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
+          0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
+    }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define CAMELLIA_TESTS_CBC  3
+
+static const unsigned char camellia_test_cbc_key[3][32] =
+{
+        { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+          0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
+    ,
+        { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+          0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+          0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
+    ,
+        { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+          0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+          0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+          0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char camellia_test_cbc_iv[16] =
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
+;
+
+static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
+{
+    { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+      0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
+    { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+      0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
+    { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+      0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
+
+};
+
+static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
+{
+    {
+        { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
+          0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
+        { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
+          0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
+        { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
+          0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
+    },
+    {
+        { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
+          0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
+        { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
+          0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
+        { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
+          0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
+    },
+    {
+        { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
+          0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
+        { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
+          0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
+        { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
+          0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
+    }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc5528.html
+ */
+
+static const unsigned char camellia_test_ctr_key[3][16] =
+{
+    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
+{
+    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char camellia_test_ctr_pt[3][48] =
+{
+    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+      0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char camellia_test_ctr_ct[3][48] =
+{
+    { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
+      0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
+    { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
+      0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
+      0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
+      0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
+    { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
+      0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
+      0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
+      0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
+      0xDF, 0x50, 0x86, 0x96 }
+};
+
+static const int camellia_test_ctr_len[3] =
+    { 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_camellia_self_test( int verbose )
+{
+    int i, j, u, v;
+    unsigned char key[32];
+    unsigned char buf[64];
+    unsigned char src[16];
+    unsigned char dst[16];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    size_t offset, len;
+    unsigned char nonce_counter[16];
+    unsigned char stream_block[16];
+#endif
+
+    mbedtls_camellia_context ctx;
+
+    memset( key, 0, 32 );
+
+    for( j = 0; j < 6; j++ ) {
+        u = j >> 1;
+    v = j & 1;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
+                         (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+
+    for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
+        memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+            mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
+            memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
+            memcpy( dst, camellia_test_ecb_plain[i], 16 );
+        } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+            mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
+            memcpy( src, camellia_test_ecb_plain[i], 16 );
+            memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
+        }
+
+        mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
+
+        if( memcmp( buf, dst, 16 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( j = 0; j < 6; j++ )
+    {
+        u = j >> 1;
+        v = j  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
+                             ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( src, camellia_test_cbc_iv, 16 );
+        memcpy( dst, camellia_test_cbc_iv, 16 );
+        memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+            mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
+        } else {
+            mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
+        }
+
+        for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
+
+            if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+                memcpy( iv , src, 16 );
+                memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
+                memcpy( dst, camellia_test_cbc_plain[i], 16 );
+            } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+                memcpy( iv , dst, 16 );
+                memcpy( src, camellia_test_cbc_plain[i], 16 );
+                memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
+            }
+
+            mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
+
+            if( memcmp( buf, dst, 16 ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /*
+     * CTR mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  CAMELLIA-CTR-128 (%s): ",
+                             ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
+        memcpy( key, camellia_test_ctr_key[u], 16 );
+
+        offset = 0;
+        mbedtls_camellia_setkey_enc( &ctx, key, 128 );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT )
+        {
+            len = camellia_test_ctr_len[u];
+            memcpy( buf, camellia_test_ctr_ct[u], len );
+
+            mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
+                                buf, buf );
+
+            if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+        else
+        {
+            len = camellia_test_ctr_len[u];
+            memcpy( buf, camellia_test_ctr_pt[u], len );
+
+            mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
+                                buf, buf );
+
+            if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CAMELLIA_C */
diff --git a/ctrtool/deps/libmbedtls/src/ccm.c b/ctrtool/deps/libmbedtls/src/ccm.c
new file mode 100644
index 00000000..c6211ee7
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ccm.c
@@ -0,0 +1,545 @@
+/*
+ *  NIST SP800-38C compliant CCM implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+
+#include "mbedtls/ccm.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_CCM_ALT)
+
+#define CCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT )
+#define CCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define CCM_ENCRYPT 0
+#define CCM_DECRYPT 1
+
+/*
+ * Initialize context
+ */
+void mbedtls_ccm_init( mbedtls_ccm_context *ctx )
+{
+    CCM_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
+}
+
+int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( key != NULL );
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
+}
+
+/*
+ * Macros for common operations.
+ * Results in smaller compiled code than static inline functions.
+ */
+
+/*
+ * Update the CBC-MAC state in y using a block in b
+ * (Always using b as the source helps the compiler optimise a bit better.)
+ */
+#define UPDATE_CBC_MAC                                                      \
+    for( i = 0; i < 16; i++ )                                               \
+        y[i] ^= b[i];                                                       \
+                                                                            \
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
+        return( ret );
+
+/*
+ * Encrypt or decrypt a partial block with CTR
+ * Warning: using b for temporary storage! src and dst must not be b!
+ * This avoids allocating one more 16 bytes buffer while allowing src == dst.
+ */
+#define CTR_CRYPT( dst, src, len  )                                            \
+    do                                                                  \
+    {                                                                   \
+        if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr,       \
+                                           16, b, &olen ) ) != 0 )      \
+        {                                                               \
+            return( ret );                                              \
+        }                                                               \
+                                                                        \
+        for( i = 0; i < (len); i++ )                                    \
+            (dst)[i] = (src)[i] ^ b[i];                                 \
+    } while( 0 )
+
+/*
+ * Authenticated encryption or decryption
+ */
+static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
+                           const unsigned char *iv, size_t iv_len,
+                           const unsigned char *add, size_t add_len,
+                           const unsigned char *input, unsigned char *output,
+                           unsigned char *tag, size_t tag_len )
+{
+    int ret;
+    unsigned char i;
+    unsigned char q;
+    size_t len_left, olen;
+    unsigned char b[16];
+    unsigned char y[16];
+    unsigned char ctr[16];
+    const unsigned char *src;
+    unsigned char *dst;
+
+    /*
+     * Check length requirements: SP800-38C A.1
+     * Additional requirement: a < 2^16 - 2^8 to simplify the code.
+     * 'length' checked later (when writing it to the first block)
+     *
+     * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
+     */
+    if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    /* Also implies q is within bounds */
+    if( iv_len < 7 || iv_len > 13 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    if( add_len > 0xFF00 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    q = 16 - 1 - (unsigned char) iv_len;
+
+    /*
+     * First block B_0:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       length
+     *
+     * With flags as (bits):
+     * 7        0
+     * 6        add present?
+     * 5 .. 3   (t - 2) / 2
+     * 2 .. 0   q - 1
+     */
+    b[0] = 0;
+    b[0] |= ( add_len > 0 ) << 6;
+    b[0] |= ( ( tag_len - 2 ) / 2 ) << 3;
+    b[0] |= q - 1;
+
+    memcpy( b + 1, iv, iv_len );
+
+    for( i = 0, len_left = length; i < q; i++, len_left >>= 8 )
+        b[15-i] = (unsigned char)( len_left & 0xFF );
+
+    if( len_left > 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+
+    /* Start CBC-MAC with first block */
+    memset( y, 0, 16 );
+    UPDATE_CBC_MAC;
+
+    /*
+     * If there is additional data, update CBC-MAC with
+     * add_len, add, 0 (padding to a block boundary)
+     */
+    if( add_len > 0 )
+    {
+        size_t use_len;
+        len_left = add_len;
+        src = add;
+
+        memset( b, 0, 16 );
+        b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF );
+        b[1] = (unsigned char)( ( add_len      ) & 0xFF );
+
+        use_len = len_left < 16 - 2 ? len_left : 16 - 2;
+        memcpy( b + 2, src, use_len );
+        len_left -= use_len;
+        src += use_len;
+
+        UPDATE_CBC_MAC;
+
+        while( len_left > 0 )
+        {
+            use_len = len_left > 16 ? 16 : len_left;
+
+            memset( b, 0, 16 );
+            memcpy( b, src, use_len );
+            UPDATE_CBC_MAC;
+
+            len_left -= use_len;
+            src += use_len;
+        }
+    }
+
+    /*
+     * Prepare counter block for encryption:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       counter (initially 1)
+     *
+     * With flags as (bits):
+     * 7 .. 3   0
+     * 2 .. 0   q - 1
+     */
+    ctr[0] = q - 1;
+    memcpy( ctr + 1, iv, iv_len );
+    memset( ctr + 1 + iv_len, 0, q );
+    ctr[15] = 1;
+
+    /*
+     * Authenticate and {en,de}crypt the message.
+     *
+     * The only difference between encryption and decryption is
+     * the respective order of authentication and {en,de}cryption.
+     */
+    len_left = length;
+    src = input;
+    dst = output;
+
+    while( len_left > 0 )
+    {
+        size_t use_len = len_left > 16 ? 16 : len_left;
+
+        if( mode == CCM_ENCRYPT )
+        {
+            memset( b, 0, 16 );
+            memcpy( b, src, use_len );
+            UPDATE_CBC_MAC;
+        }
+
+        CTR_CRYPT( dst, src, use_len );
+
+        if( mode == CCM_DECRYPT )
+        {
+            memset( b, 0, 16 );
+            memcpy( b, dst, use_len );
+            UPDATE_CBC_MAC;
+        }
+
+        dst += use_len;
+        src += use_len;
+        len_left -= use_len;
+
+        /*
+         * Increment counter.
+         * No need to check for overflow thanks to the length check above.
+         */
+        for( i = 0; i < q; i++ )
+            if( ++ctr[15-i] != 0 )
+                break;
+    }
+
+    /*
+     * Authentication: reset counter and crypt/mask internal tag
+     */
+    for( i = 0; i < q; i++ )
+        ctr[15-i] = 0;
+
+    CTR_CRYPT( y, y, 16 );
+    memcpy( tag, y, tag_len );
+
+    return( 0 );
+}
+
+/*
+ * Authenticated encryption
+ */
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
+                            add, add_len, input, output, tag, tag_len ) );
+}
+
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( tag_len == 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add,
+                add_len, input, output, tag, tag_len ) );
+}
+
+/*
+ * Authenticated decryption
+ */
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len )
+{
+    int ret;
+    unsigned char check_tag[16];
+    unsigned char i;
+    int diff;
+
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+    if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
+                                iv, iv_len, add, add_len,
+                                input, output, check_tag, tag_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_platform_zeroize( output, length );
+        return( MBEDTLS_ERR_CCM_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+    if( tag_len == 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add,
+                add_len, input, output, tag, tag_len ) );
+}
+#endif /* !MBEDTLS_CCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * Examples 1 to 3 from SP800-38C Appendix C
+ */
+
+#define NB_TESTS 3
+#define CCM_SELFTEST_PT_MAX_LEN 24
+#define CCM_SELFTEST_CT_MAX_LEN 32
+/*
+ * The data is the same for all tests, only the used length changes
+ */
+static const unsigned char key[] = {
+    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+};
+
+static const unsigned char iv[] = {
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+    0x18, 0x19, 0x1a, 0x1b
+};
+
+static const unsigned char ad[] = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char msg[CCM_SELFTEST_PT_MAX_LEN] = {
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+};
+
+static const size_t iv_len [NB_TESTS] = { 7, 8,  12 };
+static const size_t add_len[NB_TESTS] = { 8, 16, 20 };
+static const size_t msg_len[NB_TESTS] = { 4, 16, 24 };
+static const size_t tag_len[NB_TESTS] = { 4, 6,  8  };
+
+static const unsigned char res[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
+    {   0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
+    {   0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
+        0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
+        0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
+    {   0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
+        0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
+        0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
+        0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
+};
+
+int mbedtls_ccm_self_test( int verbose )
+{
+    mbedtls_ccm_context ctx;
+    /*
+     * Some hardware accelerators require the input and output buffers
+     * would be in RAM, because the flash is not accessible.
+     * Use buffers on the stack to hold the test vectors data.
+     */
+    unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
+    unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
+    size_t i;
+    int ret;
+
+    mbedtls_ccm_init( &ctx );
+
+    if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  CCM: setup failed" );
+
+        return( 1 );
+    }
+
+    for( i = 0; i < NB_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  CCM-AES #%u: ", (unsigned int) i + 1 );
+
+        memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
+        memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN );
+        memcpy( plaintext, msg, msg_len[i] );
+
+        ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len[i],
+                                           iv, iv_len[i], ad, add_len[i],
+                                           plaintext, ciphertext,
+                                           ciphertext + msg_len[i], tag_len[i] );
+
+        if( ret != 0 ||
+            memcmp( ciphertext, res[i], msg_len[i] + tag_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+        memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
+
+        ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len[i],
+                                        iv, iv_len[i], ad, add_len[i],
+                                        ciphertext, plaintext,
+                                        ciphertext + msg_len[i], tag_len[i] );
+
+        if( ret != 0 ||
+            memcmp( plaintext, msg, msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    mbedtls_ccm_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_CCM_C */
diff --git a/ctrtool/deps/libmbedtls/src/certs.c b/ctrtool/deps/libmbedtls/src/certs.c
new file mode 100644
index 00000000..80ab0b9d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/certs.c
@@ -0,0 +1,1753 @@
+/*
+ *  X.509 test certificates
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/certs.h"
+
+#if defined(MBEDTLS_CERTS_C)
+
+/*
+ * Test CA Certificates
+ *
+ * We define test CA certificates for each choice of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ *
+ */
+
+/* This is taken from tests/data_files/test-ca2.crt */
+/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */
+#define TEST_CA_CRT_EC_PEM                                                 \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICBDCCAYigAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE\r\n" \
+    "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+    "IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE\r\n" \
+    "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+    "IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO\r\n" \
+    "4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK\r\n" \
+    "6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1AwTjAMBgNVHRMEBTADAQH/\r\n" \
+    "MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSdbSAk\r\n" \
+    "SQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMFHKrjAPpHB0BN1a\r\n" \
+    "LH8TwcJ3vh0AxeKZj30mRdOKBmg/jLS3rU3g8VQBHpn8sOTTBwIxANxPO5AerimZ\r\n" \
+    "hCjMe0d4CTHf1gFZMF70+IqEP+o5VHsIp2Cqvflb0VGWFC5l9a4cQg==\r\n"         \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/test-ca2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca2.crt.der */
+#define TEST_CA_CRT_EC_DER {                                                 \
+  0x30, 0x82, 0x02, 0x04, 0x30, 0x82, 0x01, 0x88, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,    \
+  0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,    \
+  0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,    \
+  0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,    \
+  0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50,    \
+  0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74,    \
+  0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39,    \
+  0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x17,    \
+  0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30,    \
+  0x30, 0x5a, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,    \
+  0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,    \
+  0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50,    \
+  0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74,    \
+  0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07,    \
+  0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04,    \
+  0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37,    \
+  0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e,    \
+  0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4,    \
+  0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc,    \
+  0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf,    \
+  0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca,    \
+  0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75,    \
+  0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20,    \
+  0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x0c,    \
+  0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,    \
+  0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d,    \
+  0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc,    \
+  0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x1f, 0x06, 0x03, 0x55,    \
+  0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24,    \
+  0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9,    \
+  0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,    \
+  0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02,    \
+  0x30, 0x51, 0xca, 0xae, 0x30, 0x0f, 0xa4, 0x70, 0x74, 0x04, 0xdd, 0x5a,    \
+  0x2c, 0x7f, 0x13, 0xc1, 0xc2, 0x77, 0xbe, 0x1d, 0x00, 0xc5, 0xe2, 0x99,    \
+  0x8f, 0x7d, 0x26, 0x45, 0xd3, 0x8a, 0x06, 0x68, 0x3f, 0x8c, 0xb4, 0xb7,    \
+  0xad, 0x4d, 0xe0, 0xf1, 0x54, 0x01, 0x1e, 0x99, 0xfc, 0xb0, 0xe4, 0xd3,    \
+  0x07, 0x02, 0x31, 0x00, 0xdc, 0x4f, 0x3b, 0x90, 0x1e, 0xae, 0x29, 0x99,    \
+  0x84, 0x28, 0xcc, 0x7b, 0x47, 0x78, 0x09, 0x31, 0xdf, 0xd6, 0x01, 0x59,    \
+  0x30, 0x5e, 0xf4, 0xf8, 0x8a, 0x84, 0x3f, 0xea, 0x39, 0x54, 0x7b, 0x08,    \
+  0xa7, 0x60, 0xaa, 0xbd, 0xf9, 0x5b, 0xd1, 0x51, 0x96, 0x14, 0x2e, 0x65,    \
+  0xf5, 0xae, 0x1c, 0x42                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca2.key.enc */
+/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM tests/data_files/test-ca2.key.enc */
+#define TEST_CA_KEY_EC_PEM                                                 \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"                          \
+    "\r\n"                                                                 \
+    "IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n" \
+    "ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n" \
+    "UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n" \
+    "a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"                                 \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+#define TEST_CA_PWD_EC_PEM "PolarSSLTest"
+
+/* This is generated from tests/data_files/test-ca2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER tests/data_files/test-ca2.key.der */
+#define TEST_CA_KEY_EC_DER {                                                 \
+    0x30, 0x81, 0xa4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x83, 0xd9, 0x15, 0x0e,  \
+    0xa0, 0x71, 0xf0, 0x57, 0x10, 0x33, 0xa3, 0x38, 0xb8, 0x86, 0xc1, 0xa6,  \
+    0x11, 0x5d, 0x6d, 0xb4, 0x03, 0xe1, 0x29, 0x76, 0x45, 0xd7, 0x87, 0x6f,  \
+    0x23, 0xab, 0x44, 0x20, 0xea, 0x64, 0x7b, 0x85, 0xb1, 0x76, 0xe7, 0x85,  \
+    0x95, 0xaa, 0x74, 0xd6, 0xd1, 0xa4, 0x5e, 0xea, 0xa0, 0x07, 0x06, 0x05,  \
+    0x2b, 0x81, 0x04, 0x00, 0x22, 0xa1, 0x64, 0x03, 0x62, 0x00, 0x04, 0xc3,  \
+    0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89,  \
+    0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33,  \
+    0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f,  \
+    0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87,  \
+    0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3,  \
+    0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad,  \
+    0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55,  \
+    0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e         \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha256.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM tests/data_files/test-ca-sha256.crt */
+#define TEST_CA_CRT_RSA_SHA256_PEM                                         \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA\r\n" \
+    "A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl\r\n" \
+    "oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW\r\n" \
+    "5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb\r\n" \
+    "+EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL\r\n" \
+    "yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4\r\n" \
+    "/anT1dVxr/BtwJfiESoK3/4CeXR1\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/test-ca-sha256.crt.der
+ * using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA256_DER tests/data_files/test-ca-sha256.crt.der */
+#define TEST_CA_CRT_RSA_SHA256_DER {                                         \
+  0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,    \
+  0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,    \
+  0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,    \
+  0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,    \
+  0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,    \
+  0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,    \
+  0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,    \
+  0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,    \
+  0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,    \
+  0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,    \
+  0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,    \
+  0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,    \
+  0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,    \
+  0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,    \
+  0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,    \
+  0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,    \
+  0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,    \
+  0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,    \
+  0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,    \
+  0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,    \
+  0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,    \
+  0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,    \
+  0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,    \
+  0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,    \
+  0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,    \
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,    \
+  0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,    \
+  0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,    \
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,    \
+  0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,    \
+  0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x01, 0x00, 0x38, 0xa8, 0x54, 0x82, 0xb6, 0x1d, 0xaa,    \
+  0xdb, 0x6b, 0x89, 0x21, 0xd1, 0x38, 0x28, 0x61, 0xc9, 0xb0, 0x98, 0xd5,    \
+  0x11, 0xfc, 0x36, 0xff, 0x19, 0xfe, 0x32, 0x44, 0xef, 0x08, 0xc7, 0xf1,    \
+  0x56, 0xbb, 0xe6, 0x46, 0xfa, 0x82, 0xb6, 0x31, 0x38, 0xb4, 0xa0, 0xe5,    \
+  0xa0, 0xae, 0x0c, 0xc4, 0x53, 0x9e, 0x93, 0x4e, 0xe8, 0x0d, 0x9c, 0x2f,    \
+  0xb4, 0x04, 0xfd, 0x8a, 0x39, 0xf5, 0x84, 0x77, 0xed, 0x4c, 0xd4, 0xbb,    \
+  0x44, 0x7f, 0x73, 0x77, 0xf7, 0xf1, 0x36, 0x97, 0xdc, 0x1e, 0x73, 0x19,    \
+  0x5d, 0x50, 0xb8, 0xc3, 0x80, 0xcd, 0x03, 0x57, 0xd2, 0x00, 0xdb, 0x56,    \
+  0xe6, 0xc6, 0x35, 0x24, 0x1e, 0x49, 0x7b, 0xd8, 0xd2, 0x72, 0xbb, 0x0b,    \
+  0x49, 0x2f, 0xa6, 0x02, 0x3c, 0xaf, 0xd0, 0xec, 0x37, 0x1d, 0xbd, 0x81,    \
+  0x8b, 0x1f, 0x30, 0xbb, 0xbc, 0x4d, 0x36, 0xb5, 0x79, 0x7c, 0x87, 0xfb,    \
+  0x51, 0xb9, 0xbe, 0xc2, 0xde, 0x92, 0xa8, 0x40, 0x71, 0xbb, 0x72, 0x9b,    \
+  0xf8, 0x47, 0xce, 0x6c, 0x04, 0xf8, 0x86, 0xe7, 0xf7, 0x73, 0x3c, 0xe7,    \
+  0x84, 0x7d, 0xc2, 0xd7, 0xb7, 0x9d, 0xe8, 0xd4, 0x9b, 0x5f, 0x0a, 0x17,    \
+  0x7d, 0xbc, 0xbb, 0xb2, 0xd5, 0x94, 0x0d, 0xe4, 0x49, 0xbf, 0x4f, 0x11,    \
+  0x68, 0x53, 0xb2, 0x91, 0xff, 0xc0, 0x69, 0xee, 0xdb, 0x63, 0x93, 0xcb,    \
+  0xc9, 0x35, 0x6b, 0x90, 0x09, 0xe2, 0x90, 0xc9, 0xed, 0x27, 0xd6, 0x08,    \
+  0xfa, 0x13, 0x4d, 0x62, 0xdd, 0xe2, 0x9e, 0xaa, 0xb5, 0xd4, 0x0e, 0x5c,    \
+  0x37, 0x4f, 0xab, 0x55, 0x3b, 0x2d, 0xf1, 0x42, 0x82, 0xc7, 0x34, 0x38,    \
+  0x1a, 0x9b, 0xeb, 0xa1, 0x2c, 0x0f, 0x29, 0x31, 0x64, 0x6c, 0xcc, 0x38,    \
+  0xfd, 0xa9, 0xd3, 0xd5, 0xd5, 0x71, 0xaf, 0xf0, 0x6d, 0xc0, 0x97, 0xe2,    \
+  0x11, 0x2a, 0x0a, 0xdf, 0xfe, 0x02, 0x79, 0x74, 0x75                       \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA1_PEM tests/data_files/test-ca-sha1.crt */
+#define TEST_CA_CRT_RSA_SHA1_PEM                                           \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA\r\n" \
+    "A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL\r\n" \
+    "hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm\r\n" \
+    "8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD\r\n" \
+    "zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ\r\n" \
+    "0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/\r\n" \
+    "mtxyUALj2pQxRitopORFQdn7AOY5\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt.der. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA1_DER tests/data_files/test-ca-sha1.crt.der */
+#define TEST_CA_CRT_RSA_SHA1_DER {                                           \
+  0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,    \
+  0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,    \
+  0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,    \
+  0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,    \
+  0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,    \
+  0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,    \
+  0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,    \
+  0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,    \
+  0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,    \
+  0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,    \
+  0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,    \
+  0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,    \
+  0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,    \
+  0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,    \
+  0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,    \
+  0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,    \
+  0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,    \
+  0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,    \
+  0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,    \
+  0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,    \
+  0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,    \
+  0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,    \
+  0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,    \
+  0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,    \
+  0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,    \
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,    \
+  0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,    \
+  0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,    \
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,    \
+  0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,    \
+  0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x01, 0x00, 0x74, 0x66, 0x23, 0x51, 0x15, 0xd8, 0x9a,    \
+  0xea, 0x4b, 0x24, 0x68, 0xf9, 0xe1, 0xae, 0xa7, 0xa3, 0x21, 0x1a, 0xbc,    \
+  0x60, 0xc1, 0x06, 0x01, 0xfd, 0xa8, 0x20, 0xf9, 0xf2, 0x67, 0xbf, 0x31,    \
+  0xa3, 0x21, 0x11, 0x81, 0xcd, 0xf9, 0x94, 0x71, 0xb2, 0x32, 0xdb, 0x0b,    \
+  0x85, 0x68, 0x9c, 0x36, 0x33, 0xf8, 0x77, 0xf8, 0x52, 0xf4, 0x0b, 0x38,    \
+  0x8f, 0x92, 0x80, 0xda, 0x07, 0x4d, 0x1a, 0x2e, 0x44, 0x4c, 0x0d, 0x57,    \
+  0xed, 0x2a, 0x30, 0x58, 0xe1, 0xac, 0xaf, 0x28, 0xaf, 0x4a, 0x93, 0x12,    \
+  0x1d, 0x5c, 0xb5, 0xf8, 0x77, 0x5f, 0x5a, 0x5b, 0x18, 0x40, 0xec, 0xe6,    \
+  0xf2, 0x8f, 0x9f, 0x69, 0x03, 0x54, 0x9b, 0xc5, 0xf3, 0x3d, 0x59, 0xad,    \
+  0xb5, 0xf0, 0x15, 0xb2, 0x9c, 0x5e, 0x1d, 0x2c, 0x49, 0x67, 0x7e, 0x8e,    \
+  0xa3, 0xe4, 0x16, 0x67, 0x9c, 0x19, 0x94, 0x22, 0x04, 0xca, 0x31, 0x1d,    \
+  0x2d, 0x42, 0x1d, 0xf9, 0x39, 0xb8, 0x07, 0x3d, 0xc1, 0xe6, 0x34, 0x43,    \
+  0xcd, 0x96, 0xbf, 0x49, 0xaa, 0x83, 0xa2, 0x4a, 0xba, 0xe8, 0xdd, 0xb3,    \
+  0xa5, 0xb8, 0x0a, 0x28, 0x09, 0x77, 0x19, 0x4d, 0x8e, 0xfb, 0xe7, 0xc1,    \
+  0xa8, 0xfd, 0x9d, 0x4a, 0x47, 0x50, 0xca, 0x49, 0x93, 0xc6, 0x12, 0xcb,    \
+  0x59, 0x13, 0x7c, 0x14, 0x9a, 0xa1, 0x60, 0x04, 0xf2, 0x42, 0x7b, 0x59,    \
+  0xd1, 0x04, 0xa2, 0xdd, 0x6f, 0x47, 0x7d, 0x26, 0x4f, 0x9c, 0x54, 0xdc,    \
+  0x3c, 0x85, 0xde, 0xa2, 0x23, 0xdd, 0xda, 0x92, 0xe5, 0xc6, 0xdd, 0x61,    \
+  0x66, 0xef, 0x1d, 0xc2, 0xcd, 0x8b, 0x4d, 0x71, 0x3a, 0xde, 0xe3, 0xfa,    \
+  0x30, 0xce, 0x0b, 0x1e, 0xf5, 0xb1, 0x8a, 0xe2, 0x5a, 0x5a, 0x43, 0xff,    \
+  0x9a, 0xdc, 0x72, 0x50, 0x02, 0xe3, 0xda, 0x94, 0x31, 0x46, 0x2b, 0x68,    \
+  0xa4, 0xe4, 0x45, 0x41, 0xd9, 0xfb, 0x00, 0xe6, 0x39                       \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca.key */
+/* BEGIN FILE string macro TEST_CA_KEY_RSA_PEM tests/data_files/test-ca.key */
+#define TEST_CA_KEY_RSA_PEM                                                \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"                          \
+    "\r\n"                                                                 \
+    "9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n" \
+    "7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n" \
+    "Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n" \
+    "PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n" \
+    "GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n" \
+    "gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n" \
+    "QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n" \
+    "PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n" \
+    "vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n" \
+    "WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n" \
+    "JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n" \
+    "KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n" \
+    "Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n" \
+    "9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n" \
+    "iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n" \
+    "tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n" \
+    "P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n" \
+    "1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n" \
+    "nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n" \
+    "X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n" \
+    "rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n" \
+    "L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n" \
+    "I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n" \
+    "wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n" \
+    "P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n" \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+#define TEST_CA_PWD_RSA_PEM "PolarSSLTest"
+
+/* This was generated from test-ca.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_RSA_DER tests/data_files/test-ca.key.der */
+#define TEST_CA_KEY_RSA_DER {                                                \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, 0x86, 0xde,  \
+    0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1, 0x99, 0xd4,  \
+    0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec, 0x9b, 0xc5,  \
+    0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b, 0xc0, 0x8d,  \
+    0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9, 0x93, 0xe8,  \
+    0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2, 0xe7, 0x40,  \
+    0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40, 0xf9, 0x3e,  \
+    0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8, 0x29, 0x00,  \
+    0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1, 0xbd, 0x83,  \
+    0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27, 0x60, 0xc3,  \
+    0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84, 0x32, 0xbe,  \
+    0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5, 0xfb, 0xf5,  \
+    0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e, 0xee, 0xe2,  \
+    0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb, 0x47, 0xb1,  \
+    0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab, 0xf1, 0x79,  \
+    0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62, 0x6f, 0x27,  \
+    0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37, 0xa1, 0x30,  \
+    0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e, 0x28, 0xd1,  \
+    0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64, 0x09, 0xea,  \
+    0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b, 0xc9, 0xab,  \
+    0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32, 0x9e, 0x99,  \
+    0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x3f, 0xf7, 0x07, 0xd3, 0x34, 0x6f, 0xdb, 0xc9, 0x37, 0xb7, 0x84,  \
+    0xdc, 0x37, 0x45, 0xe1, 0x63, 0xad, 0xb8, 0xb6, 0x75, 0xb1, 0xc7, 0x35,  \
+    0xb4, 0x77, 0x2a, 0x5b, 0x77, 0xf9, 0x7e, 0xe0, 0xc1, 0xa3, 0xd1, 0xb7,  \
+    0xcb, 0xa9, 0x5a, 0xc1, 0x87, 0xda, 0x5a, 0xfa, 0x17, 0xe4, 0xd5, 0x38,  \
+    0x03, 0xde, 0x68, 0x98, 0x81, 0xec, 0xb5, 0xf2, 0x2a, 0x8d, 0xe9, 0x2c,  \
+    0xf3, 0xa6, 0xe5, 0x32, 0x17, 0x7f, 0x33, 0x81, 0xe8, 0x38, 0x72, 0xd5,  \
+    0x9c, 0xfa, 0x4e, 0xfb, 0x26, 0xf5, 0x15, 0x0b, 0xaf, 0x84, 0x66, 0xab,  \
+    0x02, 0xe0, 0x18, 0xd5, 0x91, 0x7c, 0xd6, 0x8f, 0xc9, 0x4b, 0x76, 0x08,  \
+    0x2b, 0x1d, 0x81, 0x68, 0x30, 0xe1, 0xfa, 0x70, 0x6c, 0x13, 0x4e, 0x10,  \
+    0x03, 0x35, 0x3e, 0xc5, 0xca, 0x58, 0x20, 0x8a, 0x21, 0x18, 0x38, 0xa0,  \
+    0x0f, 0xed, 0xc4, 0xbb, 0x45, 0x6f, 0xf5, 0x84, 0x5b, 0xb0, 0xcf, 0x4e,  \
+    0x9d, 0x58, 0x13, 0x6b, 0x35, 0x35, 0x69, 0xa1, 0xd2, 0xc4, 0xf2, 0xc1,  \
+    0x48, 0x04, 0x20, 0x51, 0xb9, 0x6b, 0xa4, 0x5d, 0xa5, 0x4b, 0x84, 0x88,  \
+    0x43, 0x48, 0x99, 0x2c, 0xbb, 0xa4, 0x97, 0xd6, 0xd6, 0x18, 0xf6, 0xec,  \
+    0x5c, 0xd1, 0x31, 0x49, 0xc9, 0xf2, 0x8f, 0x0b, 0x4d, 0xef, 0x09, 0x02,  \
+    0xfe, 0x7d, 0xfd, 0xbb, 0xaf, 0x2b, 0x83, 0x94, 0x22, 0xc4, 0xa7, 0x3e,  \
+    0x66, 0xf5, 0xe0, 0x57, 0xdc, 0xf2, 0xed, 0x2c, 0x3e, 0x81, 0x74, 0x76,  \
+    0x1e, 0x96, 0x6f, 0x74, 0x1e, 0x32, 0x0e, 0x14, 0x31, 0xd0, 0x74, 0xf0,  \
+    0xf4, 0x07, 0xbd, 0xc3, 0xd1, 0x22, 0xc2, 0xa8, 0x95, 0x92, 0x06, 0x7f,  \
+    0x43, 0x02, 0x91, 0xbc, 0xdd, 0x23, 0x01, 0x89, 0x94, 0x20, 0x44, 0x64,  \
+    0xf5, 0x1d, 0x67, 0xd2, 0x8f, 0xe8, 0x69, 0xa5, 0x29, 0x25, 0xe6, 0x50,  \
+    0x9c, 0xe3, 0xe9, 0xcb, 0x75, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x29, 0x3e,  \
+    0xaa, 0x6b, 0xd5, 0x59, 0x1e, 0x9c, 0xe6, 0x47, 0xd5, 0xb6, 0xd7, 0xe3,  \
+    0xf1, 0x8e, 0x9e, 0xe9, 0x83, 0x5f, 0x10, 0x9f, 0x63, 0xec, 0x04, 0x44,  \
+    0xcc, 0x3f, 0xf8, 0xd9, 0x3a, 0x17, 0xe0, 0x4f, 0xfe, 0xd8, 0x4d, 0xcd,  \
+    0x46, 0x54, 0x74, 0xbf, 0x0a, 0xc4, 0x67, 0x9c, 0xa7, 0xd8, 0x89, 0x65,  \
+    0x4c, 0xfd, 0x58, 0x2a, 0x47, 0x0f, 0xf4, 0x37, 0xb6, 0x55, 0xb0, 0x1d,  \
+    0xed, 0xa7, 0x39, 0xfc, 0x4f, 0xa3, 0xc4, 0x75, 0x3a, 0xa3, 0x98, 0xa7,  \
+    0x45, 0xf5, 0x66, 0xcb, 0x7c, 0x65, 0xfb, 0x80, 0x23, 0xe6, 0xff, 0xfd,  \
+    0x99, 0x1f, 0x8e, 0x6b, 0xff, 0x5e, 0x93, 0x66, 0xdf, 0x6c, 0x6f, 0xc3,  \
+    0xf6, 0x38, 0x2e, 0xff, 0x69, 0xb5, 0xac, 0xae, 0xbb, 0xc6, 0x71, 0x16,  \
+    0x6b, 0xd0, 0xf8, 0x22, 0xd9, 0xf8, 0xa2, 0x72, 0x20, 0xd2, 0xe2, 0x3a,  \
+    0x70, 0x4b, 0xde, 0xab, 0x2f, 0x02, 0x81, 0x81, 0x00, 0xda, 0x51, 0x9b,  \
+    0xb8, 0xb2, 0x2a, 0x14, 0x75, 0x58, 0x40, 0x8d, 0x27, 0x70, 0xfa, 0x31,  \
+    0x48, 0xb0, 0x20, 0x21, 0x34, 0xfa, 0x4c, 0x57, 0xa8, 0x11, 0x88, 0xf3,  \
+    0xa7, 0xae, 0x21, 0xe9, 0xb6, 0x2b, 0xd1, 0xcd, 0xa7, 0xf8, 0xd8, 0x0c,  \
+    0x8a, 0x76, 0x22, 0x35, 0x44, 0xce, 0x3f, 0x25, 0x29, 0x83, 0x7d, 0x79,  \
+    0xa7, 0x31, 0xd6, 0xec, 0xb2, 0xbf, 0xda, 0x34, 0xb6, 0xf6, 0xb2, 0x3b,  \
+    0xf3, 0x78, 0x5a, 0x04, 0x83, 0x33, 0x3e, 0xa2, 0xe2, 0x81, 0x82, 0x13,  \
+    0xd4, 0x35, 0x17, 0x63, 0x9b, 0x9e, 0xc4, 0x8d, 0x91, 0x4c, 0x03, 0x77,  \
+    0xc7, 0x71, 0x5b, 0xee, 0x83, 0x6d, 0xd5, 0x78, 0x88, 0xf6, 0x2c, 0x79,  \
+    0xc2, 0x4a, 0xb4, 0x79, 0x90, 0x70, 0xbf, 0xdf, 0x34, 0x56, 0x96, 0x71,  \
+    0xe3, 0x0e, 0x68, 0x91, 0xbc, 0xea, 0xcb, 0x33, 0xc0, 0xbe, 0x45, 0xd7,  \
+    0xfc, 0x30, 0xfd, 0x01, 0x3b, 0x02, 0x81, 0x81, 0x00, 0xd2, 0x9f, 0x2a,  \
+    0xb7, 0x38, 0x19, 0xc7, 0x17, 0x95, 0x73, 0x78, 0xae, 0xf5, 0xcb, 0x75,  \
+    0x83, 0x7f, 0x19, 0x4b, 0xcb, 0x86, 0xfb, 0x4a, 0x15, 0x9a, 0xb6, 0x17,  \
+    0x04, 0x49, 0x07, 0x8d, 0xf6, 0x66, 0x4a, 0x06, 0xf6, 0x05, 0xa7, 0xdf,  \
+    0x66, 0x82, 0x3c, 0xff, 0xb6, 0x1d, 0x57, 0x89, 0x33, 0x5f, 0x9c, 0x05,  \
+    0x75, 0x7f, 0xf3, 0x5d, 0xdc, 0x34, 0x65, 0x72, 0x85, 0x22, 0xa4, 0x14,  \
+    0x1b, 0x41, 0xc3, 0xe4, 0xd0, 0x9e, 0x69, 0xd5, 0xeb, 0x38, 0x74, 0x70,  \
+    0x43, 0xdc, 0xd9, 0x50, 0xe4, 0x97, 0x6d, 0x73, 0xd6, 0xfb, 0xc8, 0xa7,  \
+    0xfa, 0xb4, 0xc2, 0xc4, 0x9d, 0x5d, 0x0c, 0xd5, 0x9f, 0x79, 0xb3, 0x54,  \
+    0xc2, 0xb7, 0x6c, 0x3d, 0x7d, 0xcb, 0x2d, 0xf8, 0xc4, 0xf3, 0x78, 0x5a,  \
+    0x33, 0x2a, 0xb8, 0x0c, 0x6d, 0x06, 0xfa, 0xf2, 0x62, 0xd3, 0x42, 0xd0,  \
+    0xbd, 0xc8, 0x4a, 0xa5, 0x0d, 0x02, 0x81, 0x81, 0x00, 0xd4, 0xa9, 0x90,  \
+    0x15, 0xde, 0xbf, 0x2c, 0xc4, 0x8d, 0x9d, 0xfb, 0xa1, 0xc2, 0xe4, 0x83,  \
+    0xe3, 0x79, 0x65, 0x22, 0xd3, 0xb7, 0x49, 0x6c, 0x4d, 0x94, 0x1f, 0x22,  \
+    0xb1, 0x60, 0xe7, 0x3a, 0x00, 0xb1, 0x38, 0xa2, 0xab, 0x0f, 0xb4, 0x6c,  \
+    0xaa, 0xe7, 0x9e, 0x34, 0xe3, 0x7c, 0x40, 0x78, 0x53, 0xb2, 0xf9, 0x23,  \
+    0xea, 0xa0, 0x9a, 0xea, 0x60, 0xc8, 0x8f, 0xa6, 0xaf, 0xdf, 0x29, 0x09,  \
+    0x4b, 0x06, 0x1e, 0x31, 0xad, 0x17, 0xda, 0xd8, 0xd1, 0xe9, 0x33, 0xab,  \
+    0x5b, 0x18, 0x08, 0x5b, 0x87, 0xf8, 0xa5, 0x1f, 0xfd, 0xbb, 0xdc, 0xd8,  \
+    0xed, 0x97, 0x57, 0xe4, 0xc3, 0x73, 0xd6, 0xf0, 0x9e, 0x01, 0xa6, 0x9b,  \
+    0x48, 0x8e, 0x7a, 0xb4, 0xbb, 0xe5, 0x88, 0x91, 0xc5, 0x2a, 0xdf, 0x4b,  \
+    0xba, 0xd0, 0x8b, 0x3e, 0x03, 0x97, 0x77, 0x2f, 0x47, 0x7e, 0x51, 0x0c,  \
+    0xae, 0x65, 0x8d, 0xde, 0x87, 0x02, 0x81, 0x80, 0x20, 0x24, 0x0f, 0xd2,  \
+    0xaf, 0xc2, 0x28, 0x3b, 0x97, 0x20, 0xb2, 0x92, 0x49, 0xeb, 0x09, 0x68,  \
+    0x40, 0xb2, 0xbe, 0xd1, 0xc3, 0x83, 0x94, 0x34, 0x38, 0xd6, 0xc9, 0xec,  \
+    0x34, 0x09, 0xf9, 0x41, 0x6d, 0x5c, 0x42, 0x94, 0xf7, 0x04, 0xfc, 0x32,  \
+    0x39, 0x69, 0xbc, 0x1c, 0xfb, 0x3e, 0x61, 0x98, 0xc0, 0x80, 0xd8, 0x36,  \
+    0x47, 0xc3, 0x6d, 0xc2, 0x2e, 0xe7, 0x81, 0x2a, 0x17, 0x34, 0x64, 0x30,  \
+    0x4e, 0x96, 0xbb, 0x26, 0x16, 0xb9, 0x41, 0x36, 0xfe, 0x8a, 0xd6, 0x53,  \
+    0x7c, 0xaa, 0xec, 0x39, 0x42, 0x50, 0xef, 0xe3, 0xb3, 0x01, 0x28, 0x32,  \
+    0xca, 0x6d, 0xf5, 0x9a, 0x1e, 0x9f, 0x37, 0xbe, 0xfe, 0x38, 0x20, 0x22,  \
+    0x91, 0x8c, 0xcd, 0x95, 0x02, 0xf2, 0x4d, 0x6f, 0x1a, 0xb4, 0x43, 0xf0,  \
+    0x19, 0xdf, 0x65, 0xc0, 0x92, 0xe7, 0x9d, 0x2f, 0x09, 0xe7, 0xec, 0x69,  \
+    0xa8, 0xc2, 0x8f, 0x0d                                                   \
+}
+/* END FILE */
+
+/*
+ * Test server Certificates
+ *
+ * Test server certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/server5.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */
+#define TEST_SRV_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
+    "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" \
+    "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" \
+    "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" \
+    "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" \
+    "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n" \
+    "clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" \
+    "CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n" \
+    "C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n" \
+    "fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server5.crt.der */
+#define TEST_SRV_CRT_EC_DER {                                                \
+    0x30, 0x82, 0x02, 0x1f, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,  \
+    0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x33, 0x30, 0x39, 0x32, 0x34, 0x31, 0x35, 0x35, 0x32, 0x30, 0x34,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x35,  \
+    0x32, 0x30, 0x34, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x59,  \
+    0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,  \
+    0x04, 0x37, 0xcc, 0x56, 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7,  \
+    0x59, 0x2d, 0xff, 0x20, 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0,  \
+    0xad, 0x14, 0xb5, 0xf7, 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00,  \
+    0xd8, 0x23, 0x11, 0xff, 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd,  \
+    0x8a, 0x88, 0xc2, 0x6b, 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa,  \
+    0x01, 0xc8, 0xb4, 0xed, 0xff, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d,  \
+    0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x61, 0xa5,  \
+    0x8f, 0xd4, 0x07, 0xd9, 0xd7, 0x82, 0x01, 0x0c, 0xe5, 0x65, 0x7f, 0x8c,  \
+    0x63, 0x46, 0xa7, 0x13, 0xbe, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23,  \
+    0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01,  \
+    0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb,  \
+    0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,  \
+    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,  \
+    0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61,  \
+    0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,  \
+    0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20,  \
+    0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09,  \
+    0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x68, 0x00,  \
+    0x30, 0x65, 0x02, 0x31, 0x00, 0x9a, 0x2c, 0x5c, 0xd7, 0xa6, 0xdb, 0xa2,  \
+    0xe5, 0x64, 0x0d, 0xf0, 0xb9, 0x4e, 0xdd, 0xd7, 0x61, 0xd6, 0x13, 0x31,  \
+    0xc7, 0xab, 0x73, 0x80, 0xbb, 0xd3, 0xd3, 0x73, 0x13, 0x54, 0xad, 0x92,  \
+    0x0b, 0x5d, 0xab, 0xd0, 0xbc, 0xf7, 0xae, 0x2f, 0xe6, 0xa1, 0x21, 0x29,  \
+    0x35, 0x95, 0xaa, 0x3e, 0x39, 0x02, 0x30, 0x21, 0x36, 0x7f, 0x9d, 0xc6,  \
+    0x5d, 0xc6, 0x0b, 0xab, 0x27, 0xf2, 0x25, 0x1d, 0x3b, 0xf1, 0xcf, 0xf1,  \
+    0x35, 0x25, 0x14, 0xe7, 0xe5, 0xf1, 0x97, 0xb5, 0x59, 0xe3, 0x5e, 0x15,  \
+    0x7c, 0x66, 0xb9, 0x90, 0x7b, 0xc7, 0x01, 0x10, 0x4f, 0x73, 0xc6, 0x00,  \
+    0x21, 0x52, 0x2a, 0x0e, 0xf1, 0xc7, 0xd5                                 \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server5.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM tests/data_files/server5.key */
+#define TEST_SRV_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n" \
+    "6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER tests/data_files/server5.key.der */
+#define TEST_SRV_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf1, 0x2a, 0x13, 0x20, 0x76,  \
+    0x02, 0x70, 0xa8, 0x3c, 0xbf, 0xfd, 0x53, 0xf6, 0x03, 0x1e, 0xf7, 0x6a,  \
+    0x5d, 0x86, 0xc8, 0xa2, 0x04, 0xf2, 0xc3, 0x0c, 0xa9, 0xeb, 0xf5, 0x1f,  \
+    0x0f, 0x0e, 0xa7, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x37, 0xcc, 0x56,  \
+    0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, 0x59, 0x2d, 0xff, 0x20,  \
+    0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, 0xad, 0x14, 0xb5, 0xf7,  \
+    0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, 0xd8, 0x23, 0x11, 0xff,  \
+    0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, 0x8a, 0x88, 0xc2, 0x6b,  \
+    0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, 0x01, 0xc8, 0xb4, 0xed,  \
+    0xff                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM tests/data_files/server2-sha256.crt */
+#define TEST_SRV_CRT_RSA_SHA256_PEM                                        \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJh\r\n" \
+    "Pqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6U\r\n" \
+    "HoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq9\r\n" \
+    "1C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sv\r\n" \
+    "a1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0\r\n" \
+    "e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbo\r\n" \
+    "pMZqLmbBm/7WPLc=\r\n"                                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA256_DER tests/data_files/server2-sha256.crt.der */
+#define TEST_SRV_CRT_RSA_SHA256_DER {                                        \
+  0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,    \
+  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,    \
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,    \
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,    \
+  0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,    \
+  0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,    \
+  0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,    \
+  0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,    \
+  0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,    \
+  0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,    \
+  0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,    \
+  0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,    \
+  0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,    \
+  0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,    \
+  0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,    \
+  0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,    \
+  0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,    \
+  0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,    \
+  0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,    \
+  0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,    \
+  0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,    \
+  0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,    \
+  0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,    \
+  0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,    \
+  0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,    \
+  0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,    \
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,    \
+  0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,    \
+  0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,    \
+  0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,    \
+  0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,    \
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,    \
+  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x2e, 0x3a, 0xe4, 0x52, 0x61,    \
+  0x3e, 0xa7, 0xa5, 0xef, 0x32, 0x67, 0x80, 0x72, 0x07, 0x26, 0xba, 0xa3,    \
+  0xff, 0x05, 0x40, 0xc4, 0x60, 0x05, 0x39, 0x31, 0x77, 0xf7, 0xa5, 0xca,    \
+  0x01, 0x31, 0x80, 0xa7, 0xe1, 0xd1, 0x0a, 0xa2, 0x7c, 0xd5, 0x1c, 0xba,    \
+  0xd0, 0x23, 0x4a, 0xd6, 0x30, 0xf3, 0x93, 0xc7, 0x6f, 0xe8, 0xce, 0x94,    \
+  0x1e, 0x84, 0xbb, 0x44, 0x81, 0x62, 0x33, 0xff, 0x6b, 0x5d, 0x00, 0x9b,    \
+  0x25, 0xf8, 0x8f, 0x0f, 0x9c, 0x4c, 0x4d, 0xe8, 0xd9, 0xa7, 0x99, 0xf9,    \
+  0x51, 0x81, 0xc0, 0x9b, 0x1b, 0x31, 0x0d, 0xa6, 0xb3, 0x7c, 0x0e, 0x45,    \
+  0xb8, 0x18, 0x64, 0x7e, 0x89, 0x0a, 0x2b, 0xa8, 0xc3, 0xe0, 0x4a, 0xbd,    \
+  0xd4, 0x2f, 0x78, 0xc4, 0x62, 0x9b, 0xe9, 0x7e, 0x3f, 0x56, 0x46, 0x8f,    \
+  0x17, 0xb7, 0x2a, 0xa0, 0x10, 0x70, 0xfd, 0xb1, 0xf1, 0x6b, 0x05, 0xdc,    \
+  0xd1, 0x41, 0x0f, 0x8e, 0xa6, 0xb2, 0x88, 0x1a, 0x42, 0x61, 0x4f, 0xeb,    \
+  0x26, 0x85, 0x59, 0x80, 0xba, 0x85, 0x54, 0xfe, 0xcf, 0xc7, 0x7b, 0x2f,    \
+  0x6b, 0x59, 0xce, 0xac, 0xdc, 0x7c, 0xac, 0xf3, 0xc8, 0xd6, 0x12, 0x7e,    \
+  0x64, 0xe8, 0x3c, 0x99, 0xa8, 0x8f, 0x4f, 0x11, 0xd9, 0x9c, 0x15, 0x4b,    \
+  0x6a, 0x44, 0x92, 0x2d, 0x0c, 0xbf, 0xb1, 0x67, 0x96, 0xc9, 0xac, 0xce,    \
+  0xd5, 0x19, 0xeb, 0x6f, 0x18, 0xeb, 0x6e, 0x04, 0x2d, 0x60, 0xac, 0xf4,    \
+  0x7b, 0x79, 0xf0, 0x1a, 0x9b, 0xb5, 0xc3, 0x5d, 0xef, 0x7d, 0xc9, 0x05,    \
+  0x99, 0x44, 0x81, 0x84, 0x75, 0xc7, 0xec, 0x00, 0x12, 0xfc, 0x7a, 0x4a,    \
+  0x0b, 0x82, 0x07, 0xec, 0x6d, 0x86, 0x02, 0x4d, 0xfe, 0x9f, 0xc8, 0x92,    \
+  0x48, 0xde, 0xf5, 0xb1, 0x9c, 0xe9, 0xc6, 0x89, 0xd0, 0xc1, 0x56, 0xe8,    \
+  0xa4, 0xc6, 0x6a, 0x2e, 0x66, 0xc1, 0x9b, 0xfe, 0xd6, 0x3c, 0xb7           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA1_PEM tests/data_files/server2.crt */
+#define TEST_SRV_CRT_RSA_SHA1_PEM                                          \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3Q4\r\n" \
+    "cB7v7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A\r\n" \
+    "O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc\r\n" \
+    "KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE\r\n" \
+    "iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp\r\n" \
+    "HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap\r\n" \
+    "Awgk0+4m0T25cNs=\r\n"                                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA1_DER tests/data_files/server2.crt.der */
+#define TEST_SRV_CRT_RSA_SHA1_DER {                                          \
+  0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,    \
+  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,    \
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,    \
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,    \
+  0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,    \
+  0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,    \
+  0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,    \
+  0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,    \
+  0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,    \
+  0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,    \
+  0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,    \
+  0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,    \
+  0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,    \
+  0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,    \
+  0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,    \
+  0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,    \
+  0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,    \
+  0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,    \
+  0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,    \
+  0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,    \
+  0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,    \
+  0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,    \
+  0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,    \
+  0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,    \
+  0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,    \
+  0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,    \
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,    \
+  0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,    \
+  0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,    \
+  0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,    \
+  0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,    \
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,    \
+  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x99, 0x25, 0x83, 0x74, 0x38,    \
+  0x70, 0x1e, 0xef, 0xec, 0x1c, 0xec, 0xc4, 0xcf, 0xef, 0x2f, 0x22, 0x9c,    \
+  0x70, 0xee, 0xa8, 0xa7, 0x4f, 0xe0, 0x67, 0x33, 0x38, 0x82, 0x1b, 0x8b,    \
+  0xab, 0x66, 0x37, 0xda, 0x49, 0x74, 0xb0, 0xce, 0xa4, 0x48, 0xd5, 0x14,    \
+  0x99, 0xdb, 0xae, 0xab, 0x7b, 0xbf, 0xf8, 0x69, 0x94, 0x64, 0xdd, 0x80,    \
+  0x3b, 0xfe, 0xdc, 0xf8, 0x7c, 0x3b, 0x84, 0x31, 0x44, 0x22, 0xf6, 0x64,    \
+  0xf7, 0xc6, 0x81, 0x1a, 0x30, 0x8b, 0xaa, 0x7d, 0xc3, 0x9a, 0x01, 0xc8,    \
+  0xbf, 0xc4, 0xe8, 0x43, 0xae, 0xe7, 0x7a, 0x59, 0x50, 0xc7, 0x1d, 0x94,    \
+  0x8f, 0x7d, 0x3d, 0x3d, 0xd8, 0x23, 0x36, 0x2f, 0xeb, 0xf4, 0x73, 0x9c,    \
+  0x28, 0xd0, 0x18, 0x3d, 0xb0, 0x5c, 0x83, 0xa3, 0x09, 0x19, 0x65, 0xa3,    \
+  0xd9, 0x32, 0x3a, 0xbc, 0xd6, 0x9c, 0x7a, 0x2a, 0x2c, 0xfc, 0x38, 0x4e,    \
+  0x63, 0x1e, 0x55, 0xd2, 0x3e, 0x67, 0x7e, 0xa4, 0x89, 0xfe, 0x99, 0xd4,    \
+  0xd2, 0x0f, 0x48, 0x82, 0x7d, 0x8b, 0x02, 0x18, 0x18, 0xa4, 0x62, 0x44,    \
+  0x88, 0x43, 0x3d, 0xc1, 0x6e, 0xe1, 0x10, 0xc9, 0x30, 0x9a, 0x4d, 0x21,    \
+  0xfe, 0xca, 0x99, 0xb2, 0xb2, 0x6c, 0x18, 0x7e, 0x58, 0xb0, 0x5f, 0xd5,    \
+  0x4e, 0x14, 0xaa, 0xfc, 0x95, 0x4e, 0xd5, 0xed, 0xa6, 0x64, 0x7d, 0xaf,    \
+  0xae, 0xec, 0x99, 0x28, 0x95, 0x41, 0xab, 0xef, 0x2d, 0x0c, 0xd6, 0x29,    \
+  0x1e, 0x42, 0xba, 0xb5, 0x2c, 0x95, 0x61, 0x08, 0x73, 0x22, 0xdd, 0xd2,    \
+  0xb4, 0xc2, 0x56, 0x28, 0xc9, 0x7f, 0xa3, 0x99, 0x36, 0x01, 0x8c, 0xfa,    \
+  0xb5, 0x20, 0xb5, 0xeb, 0x8f, 0xb5, 0xa0, 0x6f, 0x8c, 0x2f, 0x72, 0xd6,    \
+  0x83, 0xc5, 0xeb, 0x18, 0xa6, 0xbd, 0xd4, 0x7e, 0x14, 0x38, 0xa6, 0xa9,    \
+  0x03, 0x08, 0x24, 0xd3, 0xee, 0x26, 0xd1, 0x3d, 0xb9, 0x70, 0xdb           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_RSA_PEM tests/data_files/server2.key */
+#define TEST_SRV_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" \
+    "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" \
+    "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" \
+    "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" \
+    "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" \
+    "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" \
+    "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" \
+    "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" \
+    "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" \
+    "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" \
+    "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" \
+    "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" \
+    "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" \
+    "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" \
+    "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" \
+    "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" \
+    "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" \
+    "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" \
+    "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" \
+    "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" \
+    "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" \
+    "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" \
+    "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" \
+    "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" \
+    "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/server2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_RSA_DER tests/data_files/server2.key.der */
+#define TEST_SRV_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc1, 0x4d, 0xa3, 0xdd, 0xe7, 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72,  \
+    0xb8, 0x99, 0xac, 0x0e, 0x78, 0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13,  \
+    0x16, 0xd0, 0x5a, 0xe4, 0xcd, 0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b,  \
+    0x96, 0xa7, 0x52, 0xb4, 0x90, 0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a,  \
+    0xfc, 0xb6, 0x34, 0xac, 0x24, 0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c,  \
+    0xb0, 0x28, 0x7d, 0xa1, 0xda, 0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc,  \
+    0xfe, 0xc1, 0x04, 0x52, 0xb3, 0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76,  \
+    0xd8, 0x90, 0xc1, 0x61, 0xb4, 0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa,  \
+    0xab, 0x74, 0x5e, 0x07, 0x7d, 0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0,  \
+    0xd9, 0x0d, 0x1c, 0x2d, 0x49, 0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8,  \
+    0x0b, 0x8a, 0x4f, 0x69, 0x0c, 0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10,  \
+    0x66, 0x7d, 0xae, 0x54, 0x2b, 0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61,  \
+    0xc3, 0xcd, 0x40, 0x49, 0x08, 0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2,  \
+    0x46, 0xbf, 0xd0, 0xb8, 0xaa, 0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a,  \
+    0x1e, 0x44, 0x18, 0x0f, 0x0f, 0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2,  \
+    0x18, 0xc6, 0x62, 0x2f, 0xc7, 0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3,  \
+    0x27, 0x89, 0x29, 0x01, 0xc5, 0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8,  \
+    0x4a, 0x0e, 0xef, 0xd6, 0xde, 0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d,  \
+    0x7a, 0xc4, 0x02, 0x3c, 0x9a, 0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b,  \
+    0xcb, 0x73, 0x4b, 0x52, 0x96, 0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69,  \
+    0x39, 0x5a, 0xd3, 0x0f, 0xb0, 0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea,  \
+    0x12, 0x01, 0x30, 0x97, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x01, 0x00, 0x97, 0x47, 0x44, 0xbc, 0x10, 0x81, 0xc5, 0x18, 0xe4, 0x59,  \
+    0xfb, 0xe0, 0x2d, 0x3a, 0x0e, 0x9e, 0x10, 0xdc, 0x43, 0xfb, 0x15, 0x6c,  \
+    0xd1, 0xfd, 0x48, 0x78, 0x6c, 0xf9, 0xed, 0x38, 0xe8, 0xdd, 0x09, 0xd7,  \
+    0x5f, 0xb5, 0x41, 0x64, 0xd7, 0x63, 0xfa, 0x9d, 0x44, 0x0a, 0xf8, 0x42,  \
+    0x13, 0xf1, 0xbb, 0x5e, 0x79, 0x20, 0x53, 0x98, 0x4b, 0x65, 0x7f, 0x86,  \
+    0x67, 0x48, 0xe4, 0xcf, 0xfb, 0x6a, 0x24, 0xe2, 0x34, 0xbd, 0x14, 0x9d,  \
+    0x2c, 0x16, 0xe2, 0xa4, 0x79, 0xd6, 0xa2, 0xec, 0x81, 0x43, 0x87, 0xbf,  \
+    0x03, 0x5c, 0x88, 0x25, 0xd9, 0x41, 0xb6, 0xa5, 0xf1, 0x27, 0x52, 0x84,  \
+    0xfe, 0x2b, 0x6e, 0x1d, 0x16, 0xcd, 0x73, 0x88, 0xf8, 0x90, 0xbf, 0x19,  \
+    0xfe, 0xbe, 0xa9, 0xbf, 0x09, 0xd3, 0x23, 0x43, 0xd2, 0xc7, 0x61, 0x2a,  \
+    0xb3, 0x4e, 0x3c, 0x61, 0xd4, 0xbd, 0xd8, 0xb4, 0xfa, 0xa8, 0x0b, 0xf8,  \
+    0x7e, 0x56, 0xcd, 0x0f, 0x13, 0x27, 0xda, 0xe6, 0x3b, 0xb3, 0x8c, 0x9c,  \
+    0x4b, 0x84, 0x3c, 0xc3, 0x52, 0x57, 0x9c, 0x27, 0x9a, 0x02, 0x76, 0x26,  \
+    0x59, 0x82, 0x39, 0xc3, 0x13, 0xbe, 0x6e, 0xf4, 0x44, 0x2d, 0x1d, 0x8c,  \
+    0x73, 0x3e, 0x43, 0x99, 0x59, 0xcb, 0xf2, 0x34, 0x72, 0x9a, 0x5e, 0xa5,  \
+    0xeb, 0x9f, 0x36, 0x6d, 0x2b, 0xf9, 0xa2, 0xe7, 0xd1, 0x78, 0x52, 0x1b,  \
+    0xc8, 0xf6, 0x5b, 0x41, 0x69, 0x57, 0x81, 0x89, 0xe9, 0xbb, 0xa1, 0xde,  \
+    0x19, 0x37, 0x3b, 0x13, 0x5c, 0xca, 0x61, 0x01, 0x86, 0xff, 0xdf, 0x83,  \
+    0x41, 0x49, 0x7f, 0xd6, 0xf4, 0x2e, 0x08, 0xfa, 0x90, 0xc2, 0x7c, 0xb4,  \
+    0xb5, 0x0a, 0x17, 0xdb, 0x0e, 0x6d, 0x75, 0x8a, 0x5d, 0x31, 0xd5, 0x66,  \
+    0xfb, 0x39, 0x0b, 0xb5, 0xb6, 0xa3, 0xcd, 0xd4, 0xef, 0x88, 0x92, 0x5a,  \
+    0x4d, 0x6c, 0xcb, 0xea, 0x5b, 0x79, 0x02, 0x81, 0x81, 0x00, 0xdf, 0x3a,  \
+    0xf9, 0x25, 0x5e, 0x24, 0x37, 0x26, 0x40, 0x97, 0x2f, 0xe0, 0x4a, 0xba,  \
+    0x52, 0x1b, 0x51, 0xaf, 0x84, 0x06, 0x32, 0x24, 0x0c, 0xcf, 0x44, 0xa8,  \
+    0x77, 0xa7, 0xad, 0xb5, 0x8c, 0x58, 0xcc, 0xc8, 0x31, 0xb7, 0x0d, 0xbc,  \
+    0x08, 0x8a, 0xe0, 0xa6, 0x8c, 0xc2, 0x73, 0xe5, 0x1a, 0x64, 0x92, 0xe8,  \
+    0xed, 0x4c, 0x6f, 0x0b, 0xa6, 0xa7, 0xf3, 0x9a, 0xf5, 0x6f, 0x69, 0xca,  \
+    0x3c, 0x22, 0xd0, 0x15, 0xa8, 0x20, 0x27, 0x41, 0xf8, 0x43, 0x42, 0x7f,  \
+    0xb1, 0x93, 0xa1, 0x04, 0x85, 0xda, 0xa0, 0x1c, 0xd6, 0xc6, 0xf7, 0x8a,  \
+    0x9e, 0xea, 0x5c, 0x78, 0xa7, 0x55, 0xc4, 0x6b, 0x05, 0x8b, 0xc0, 0x83,  \
+    0xcb, 0xce, 0x83, 0x05, 0xf8, 0xb2, 0x16, 0x2b, 0xdf, 0x06, 0x3f, 0xb8,  \
+    0xec, 0x16, 0xda, 0x43, 0x33, 0xc1, 0x8f, 0xb0, 0xb8, 0xac, 0xae, 0xd4,  \
+    0x94, 0xb8, 0xda, 0x6f, 0x6a, 0xc3, 0x02, 0x81, 0x81, 0x00, 0xdd, 0xae,  \
+    0x00, 0xcd, 0xa0, 0x72, 0x1a, 0x05, 0x8a, 0xee, 0x2f, 0xd4, 0x71, 0x4b,  \
+    0xf0, 0x3e, 0xe5, 0xc1, 0xe1, 0x29, 0x8b, 0xa6, 0x67, 0x30, 0x98, 0xe7,  \
+    0x12, 0xef, 0xdd, 0x12, 0x01, 0x90, 0x24, 0x58, 0xf0, 0x76, 0x92, 0xe7,  \
+    0x3d, 0xbb, 0x23, 0xe1, 0xce, 0xf9, 0xa1, 0xd4, 0x38, 0x1b, 0x3f, 0x20,  \
+    0xb3, 0x0f, 0x65, 0x6a, 0x8f, 0x55, 0x57, 0x36, 0xee, 0xb2, 0x84, 0x44,  \
+    0xfc, 0x91, 0x88, 0xe1, 0xa4, 0xdd, 0x3b, 0x4a, 0x40, 0x4d, 0x7c, 0x86,  \
+    0xed, 0xe1, 0xb5, 0x42, 0xef, 0xb9, 0x61, 0xcd, 0x58, 0x19, 0x77, 0x02,  \
+    0xae, 0x58, 0x80, 0xdb, 0x13, 0x3d, 0xc7, 0x1f, 0x9d, 0xed, 0xff, 0xac,  \
+    0x98, 0xfc, 0xcd, 0xf9, 0x62, 0x04, 0x83, 0x91, 0x89, 0x0d, 0x86, 0x43,  \
+    0x8c, 0x0c, 0xc7, 0x1b, 0x90, 0x4d, 0xbe, 0x2f, 0xc5, 0x7c, 0xcd, 0x42,  \
+    0xf5, 0xd3, 0xad, 0x8e, 0xfd, 0x9d, 0x02, 0x81, 0x80, 0x17, 0x4b, 0x79,  \
+    0x2a, 0x6c, 0x1b, 0x8d, 0x61, 0xc1, 0x85, 0xc5, 0x6a, 0x3b, 0x82, 0x1c,  \
+    0x05, 0x5b, 0xcd, 0xdc, 0x12, 0x25, 0x73, 0x5b, 0x9e, 0xd9, 0x84, 0x57,  \
+    0x10, 0x39, 0x71, 0x63, 0x96, 0xf4, 0xaf, 0xc3, 0x78, 0x5d, 0xc7, 0x8c,  \
+    0x80, 0xa9, 0x96, 0xd7, 0xc3, 0x87, 0x02, 0x96, 0x71, 0x7e, 0x5f, 0x2e,  \
+    0x3c, 0x36, 0xae, 0x59, 0x92, 0xd7, 0x3a, 0x09, 0x78, 0xb9, 0xea, 0x6f,  \
+    0xc2, 0x16, 0x42, 0xdc, 0x4b, 0x96, 0xad, 0x2c, 0xb2, 0x20, 0x23, 0x61,  \
+    0x2d, 0x8d, 0xb5, 0x02, 0x1e, 0xe1, 0x6c, 0x81, 0x01, 0x3c, 0x5d, 0xcb,  \
+    0xdd, 0x9b, 0x0e, 0xc0, 0x2f, 0x94, 0x12, 0xb2, 0xfe, 0x75, 0x75, 0x8b,  \
+    0x74, 0x1e, 0x7a, 0x26, 0x0c, 0xb7, 0x81, 0x96, 0x81, 0x79, 0x6e, 0xdb,  \
+    0xbc, 0x3a, 0xc4, 0x9e, 0x87, 0x09, 0x6e, 0xa0, 0xa6, 0xec, 0x8b, 0xa4,  \
+    0x85, 0x71, 0xce, 0x04, 0xaf, 0x02, 0x81, 0x81, 0x00, 0xc2, 0xa7, 0x47,  \
+    0x07, 0x48, 0x6a, 0xc8, 0xd4, 0xb3, 0x20, 0xe1, 0x98, 0xee, 0xff, 0x5a,  \
+    0x6f, 0x30, 0x7a, 0xa5, 0x47, 0x40, 0xdc, 0x16, 0x62, 0x42, 0xf1, 0x2c,  \
+    0xdc, 0xb8, 0xc7, 0x55, 0xde, 0x07, 0x3c, 0x9d, 0xb1, 0xd0, 0xdf, 0x02,  \
+    0x82, 0xb0, 0x48, 0x58, 0xe1, 0x34, 0xab, 0xcf, 0xb4, 0x85, 0x23, 0x26,  \
+    0x78, 0x4f, 0x7a, 0x59, 0x6f, 0xfb, 0x8c, 0x3d, 0xdf, 0x3d, 0x6c, 0x02,  \
+    0x47, 0x9c, 0xe5, 0x5e, 0x49, 0xf1, 0x05, 0x0b, 0x1f, 0xbf, 0x48, 0x0f,  \
+    0xdc, 0x10, 0xb9, 0x3d, 0x1d, 0x10, 0x77, 0x2a, 0x73, 0xf9, 0xdf, 0xbd,  \
+    0xcd, 0xf3, 0x1f, 0xeb, 0x6e, 0x64, 0xca, 0x2b, 0x78, 0x4f, 0xf8, 0x73,  \
+    0xc2, 0x10, 0xef, 0x79, 0x95, 0x33, 0x1e, 0x79, 0x35, 0x09, 0xff, 0x88,  \
+    0x1b, 0xb4, 0x3e, 0x4c, 0xe1, 0x27, 0x2e, 0x75, 0x80, 0x58, 0x11, 0x03,  \
+    0x21, 0x23, 0x96, 0x9a, 0xb5, 0x02, 0x81, 0x80, 0x05, 0x12, 0x64, 0x71,  \
+    0x83, 0x00, 0x1c, 0xfe, 0xef, 0x83, 0xea, 0xdd, 0x2c, 0xc8, 0x2c, 0x00,  \
+    0x62, 0x1e, 0x8f, 0x3a, 0xdb, 0x1c, 0xab, 0xd6, 0x34, 0x8b, 0xd1, 0xb2,  \
+    0x5a, 0x4f, 0x3d, 0x37, 0x38, 0x02, 0xe0, 0xd7, 0x70, 0xc1, 0xb0, 0x47,  \
+    0xe0, 0x08, 0x1a, 0x84, 0xec, 0x48, 0xc5, 0x7c, 0x76, 0x83, 0x12, 0x67,  \
+    0xab, 0x7c, 0x9f, 0x90, 0x97, 0xc8, 0x8f, 0x07, 0xf4, 0xb3, 0x60, 0xf2,  \
+    0x3f, 0x49, 0x18, 0xdb, 0x2e, 0x94, 0x6b, 0x53, 0x9e, 0xa2, 0x63, 0xde,  \
+    0x63, 0xd9, 0xab, 0x21, 0x2e, 0x2d, 0x0a, 0xe0, 0xd0, 0xe8, 0xba, 0xc4,  \
+    0x4c, 0x1e, 0xa5, 0xf5, 0x51, 0xa8, 0xc4, 0x92, 0xf8, 0x7f, 0x21, 0xe7,  \
+    0x65, 0xbf, 0x0b, 0xe6, 0x01, 0xaf, 0x9c, 0x1d, 0x5b, 0x6c, 0x3f, 0x1c,  \
+    0x2f, 0xa6, 0x0f, 0x68, 0x38, 0x8e, 0x85, 0xc4, 0x6c, 0x78, 0x2f, 0x6f,  \
+    0x06, 0x21, 0x2e, 0x56                                                   \
+}
+/* END FILE */
+
+/*
+ * Test client Certificates
+ *
+ * Test client certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - hash type
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/cli2.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli2.crt */
+#define TEST_CLI_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIB3zCCAWOgAwIBAgIBDTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw\r\n" \
+    "DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJTU0wgVGVzdCBFQyBDQTAe\r\n" \
+    "Fw0xOTAyMTAxNDQ0MDBaFw0yOTAyMTAxNDQ0MDBaMEExCzAJBgNVBAYTAk5MMREw\r\n" \
+    "DwYDVQQKDAhQb2xhclNTTDEfMB0GA1UEAwwWUG9sYXJTU0wgVGVzdCBDbGllbnQg\r\n" \
+    "MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFflrrFz39Osu5O4gf8Sru7mU6zO\r\n" \
+    "VVP2NA7MLuNjJQvfmOLzXGA2lsDVGBRw5X+f1UtFGOWwbNVc+JaPh3Cj5MejTTBL\r\n" \
+    "MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMB8GA1Ud\r\n" \
+    "IwQYMBaAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAwGCCqGSM49BAMCBQADaAAwZQIx\r\n" \
+    "AMqme4DKMldUlplDET9Q6Eptre7uUWKhsLOF+zPkKDlfzpIkJYEFgcloDHGYw80u\r\n" \
+    "IgIwNftyPXsabTqMM7iEHgVpX/GRozKklY9yQI/5eoA6gGW7Y+imuGR/oao5ySOb\r\n" \
+    "a9Vk\r\n"                                                             \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER tests/data_files/cli2.crt.der */
+#define TEST_CLI_CRT_EC_DER {                                                \
+  0x30, 0x82, 0x01, 0xdf, 0x30, 0x82, 0x01, 0x63, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x0d, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,    \
+  0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,    \
+  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,    \
+  0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61,    \
+  0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,    \
+  0x03, 0x0c, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20,    \
+  0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e,    \
+  0x17, 0x0d, 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34,    \
+  0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31,    \
+  0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x30, 0x41, 0x31, 0x0b, 0x30, 0x09,    \
+  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,    \
+  0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61,    \
+  0x72, 0x53, 0x53, 0x4c, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,    \
+  0x03, 0x0c, 0x16, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20,    \
+  0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,    \
+  0x32, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,    \
+  0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,    \
+  0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae, 0xb1, 0x73, 0xdf, 0xd3, 0xac,    \
+  0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae, 0xee, 0xe6, 0x53, 0xac, 0xce,    \
+  0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e, 0xe3, 0x63, 0x25, 0x0b, 0xdf,    \
+  0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96, 0xc0, 0xd5, 0x18, 0x14, 0x70,    \
+  0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18, 0xe5, 0xb0, 0x6c, 0xd5, 0x5c,    \
+  0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4, 0xc7, 0xa3, 0x4d, 0x30, 0x4b,    \
+  0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30,    \
+  0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x7a, 0x00,    \
+  0x5f, 0x86, 0x64, 0xfc, 0xe0, 0x5d, 0xe5, 0x11, 0x10, 0x3b, 0xb2, 0xe6,    \
+  0x3b, 0xc4, 0x26, 0x3f, 0xcf, 0xe2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,    \
+  0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49,    \
+  0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb,    \
+  0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,    \
+  0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02, 0x31,    \
+  0x00, 0xca, 0xa6, 0x7b, 0x80, 0xca, 0x32, 0x57, 0x54, 0x96, 0x99, 0x43,    \
+  0x11, 0x3f, 0x50, 0xe8, 0x4a, 0x6d, 0xad, 0xee, 0xee, 0x51, 0x62, 0xa1,    \
+  0xb0, 0xb3, 0x85, 0xfb, 0x33, 0xe4, 0x28, 0x39, 0x5f, 0xce, 0x92, 0x24,    \
+  0x25, 0x81, 0x05, 0x81, 0xc9, 0x68, 0x0c, 0x71, 0x98, 0xc3, 0xcd, 0x2e,    \
+  0x22, 0x02, 0x30, 0x35, 0xfb, 0x72, 0x3d, 0x7b, 0x1a, 0x6d, 0x3a, 0x8c,    \
+  0x33, 0xb8, 0x84, 0x1e, 0x05, 0x69, 0x5f, 0xf1, 0x91, 0xa3, 0x32, 0xa4,    \
+  0x95, 0x8f, 0x72, 0x40, 0x8f, 0xf9, 0x7a, 0x80, 0x3a, 0x80, 0x65, 0xbb,    \
+  0x63, 0xe8, 0xa6, 0xb8, 0x64, 0x7f, 0xa1, 0xaa, 0x39, 0xc9, 0x23, 0x9b,    \
+  0x6b, 0xd5, 0x64                                                           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli2.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM tests/data_files/cli2.key */
+#define TEST_CLI_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" \
+    "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER tests/data_files/cli2.key.der */
+#define TEST_CLI_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf6, 0xf7, 0x86, 0x64, 0xf1,  \
+    0x67, 0x7f, 0xe6, 0x64, 0x8d, 0xef, 0xca, 0x4e, 0xe9, 0xdd, 0x4d, 0xf0,  \
+    0x05, 0xff, 0x96, 0x22, 0x8a, 0x7a, 0x84, 0x38, 0x64, 0x17, 0x32, 0x61,  \
+    0x98, 0xb7, 0x2a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae,  \
+    0xb1, 0x73, 0xdf, 0xd3, 0xac, 0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae,  \
+    0xee, 0xe6, 0x53, 0xac, 0xce, 0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e,  \
+    0xe3, 0x63, 0x25, 0x0b, 0xdf, 0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96,  \
+    0xc0, 0xd5, 0x18, 0x14, 0x70, 0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18,  \
+    0xe5, 0xb0, 0x6c, 0xd5, 0x5c, 0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4,  \
+    0xc7                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa-sha256.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM tests/data_files/cli-rsa-sha256.crt */
+#define TEST_CLI_CRT_RSA_PEM                                               \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n" \
+    "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n" \
+    "M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n" \
+    "1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n" \
+    "MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n" \
+    "4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n" \
+    "/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n" \
+    "o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n" \
+    "BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
+    "AQEAXidv1d4pLlBiKWED95rMycBdgDcgyNqJxakFkRfRyA2y1mlyTn7uBXRkNLY5\r\n" \
+    "ZFzK82GCjk2Q2OD4RZSCPAJJqLpHHU34t71ciffvy2KK81YvrxczRhMAE64i+qna\r\n" \
+    "yP3Td2XuWJR05PVPoSemsNELs9gWttdnYy3ce+EY2Y0n7Rsi7982EeLIAA7H6ca4\r\n" \
+    "2Es/NUH//JZJT32OP0doMxeDRA+vplkKqTLLWf7dX26LIriBkBaRCgR5Yv9LBPFc\r\n" \
+    "NOtpzu/LbrY7QFXKJMI+JXDudCsOn8KCmiA4d6Emisqfh3V3485l7HEQNcvLTxlD\r\n" \
+    "6zDQyi0/ykYUYZkwQTK1N2Nvlw==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa-sha256.crt.der
+   using `xxd -i.` */
+/* BEGIN FILE binary macro TEST_CLI_CRT_RSA_DER tests/data_files/cli-rsa-sha256.crt.der */
+#define TEST_CLI_CRT_RSA_DER {                                               \
+  0x30, 0x82, 0x03, 0x3f, 0x30, 0x82, 0x02, 0x27, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x3c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x11, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x43, 0x6c,    \
+  0x69, 0x65, 0x6e, 0x74, 0x20, 0x32, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,    \
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,    \
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,    \
+  0x01, 0x01, 0x00, 0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9,    \
+  0x45, 0xd9, 0x14, 0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f,    \
+  0x33, 0xad, 0x0d, 0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9,    \
+  0xcc, 0x66, 0x85, 0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63,    \
+  0x9e, 0x0a, 0x6e, 0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10,    \
+  0x93, 0x86, 0x49, 0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e,    \
+  0xd4, 0x2f, 0x77, 0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95,    \
+  0x48, 0x70, 0xf5, 0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed,    \
+  0xe6, 0x43, 0xea, 0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4,    \
+  0x57, 0x4e, 0xa9, 0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30,    \
+  0x32, 0x30, 0xd5, 0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2,    \
+  0x5f, 0xf9, 0x3d, 0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d,    \
+  0xfb, 0xe5, 0x0c, 0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2,    \
+  0x7f, 0xca, 0xad, 0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f,    \
+  0xe0, 0x9b, 0xf8, 0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34,    \
+  0x04, 0x66, 0xc7, 0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a,    \
+  0x06, 0x67, 0xf4, 0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe,    \
+  0x3c, 0x8b, 0x35, 0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f,    \
+  0xfc, 0x36, 0x6b, 0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d,    \
+  0x00, 0xcf, 0xaf, 0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4,    \
+  0xe7, 0x50, 0x71, 0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8,    \
+  0xe4, 0xc4, 0xfd, 0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01,    \
+  0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,    \
+  0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,    \
+  0x04, 0x14, 0x71, 0xa1, 0x00, 0x73, 0x72, 0x40, 0x2f, 0x54, 0x76, 0x5e,    \
+  0x33, 0xfc, 0x52, 0x8f, 0xbc, 0xf1, 0xdd, 0x6b, 0x46, 0x21, 0x30, 0x1f,    \
+  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xb4,    \
+  0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5, 0xa6, 0x95,    \
+  0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a,    \
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,    \
+  0x01, 0x01, 0x00, 0x5e, 0x27, 0x6f, 0xd5, 0xde, 0x29, 0x2e, 0x50, 0x62,    \
+  0x29, 0x61, 0x03, 0xf7, 0x9a, 0xcc, 0xc9, 0xc0, 0x5d, 0x80, 0x37, 0x20,    \
+  0xc8, 0xda, 0x89, 0xc5, 0xa9, 0x05, 0x91, 0x17, 0xd1, 0xc8, 0x0d, 0xb2,    \
+  0xd6, 0x69, 0x72, 0x4e, 0x7e, 0xee, 0x05, 0x74, 0x64, 0x34, 0xb6, 0x39,    \
+  0x64, 0x5c, 0xca, 0xf3, 0x61, 0x82, 0x8e, 0x4d, 0x90, 0xd8, 0xe0, 0xf8,    \
+  0x45, 0x94, 0x82, 0x3c, 0x02, 0x49, 0xa8, 0xba, 0x47, 0x1d, 0x4d, 0xf8,    \
+  0xb7, 0xbd, 0x5c, 0x89, 0xf7, 0xef, 0xcb, 0x62, 0x8a, 0xf3, 0x56, 0x2f,    \
+  0xaf, 0x17, 0x33, 0x46, 0x13, 0x00, 0x13, 0xae, 0x22, 0xfa, 0xa9, 0xda,    \
+  0xc8, 0xfd, 0xd3, 0x77, 0x65, 0xee, 0x58, 0x94, 0x74, 0xe4, 0xf5, 0x4f,    \
+  0xa1, 0x27, 0xa6, 0xb0, 0xd1, 0x0b, 0xb3, 0xd8, 0x16, 0xb6, 0xd7, 0x67,    \
+  0x63, 0x2d, 0xdc, 0x7b, 0xe1, 0x18, 0xd9, 0x8d, 0x27, 0xed, 0x1b, 0x22,    \
+  0xef, 0xdf, 0x36, 0x11, 0xe2, 0xc8, 0x00, 0x0e, 0xc7, 0xe9, 0xc6, 0xb8,    \
+  0xd8, 0x4b, 0x3f, 0x35, 0x41, 0xff, 0xfc, 0x96, 0x49, 0x4f, 0x7d, 0x8e,    \
+  0x3f, 0x47, 0x68, 0x33, 0x17, 0x83, 0x44, 0x0f, 0xaf, 0xa6, 0x59, 0x0a,    \
+  0xa9, 0x32, 0xcb, 0x59, 0xfe, 0xdd, 0x5f, 0x6e, 0x8b, 0x22, 0xb8, 0x81,    \
+  0x90, 0x16, 0x91, 0x0a, 0x04, 0x79, 0x62, 0xff, 0x4b, 0x04, 0xf1, 0x5c,    \
+  0x34, 0xeb, 0x69, 0xce, 0xef, 0xcb, 0x6e, 0xb6, 0x3b, 0x40, 0x55, 0xca,    \
+  0x24, 0xc2, 0x3e, 0x25, 0x70, 0xee, 0x74, 0x2b, 0x0e, 0x9f, 0xc2, 0x82,    \
+  0x9a, 0x20, 0x38, 0x77, 0xa1, 0x26, 0x8a, 0xca, 0x9f, 0x87, 0x75, 0x77,    \
+  0xe3, 0xce, 0x65, 0xec, 0x71, 0x10, 0x35, 0xcb, 0xcb, 0x4f, 0x19, 0x43,    \
+  0xeb, 0x30, 0xd0, 0xca, 0x2d, 0x3f, 0xca, 0x46, 0x14, 0x61, 0x99, 0x30,    \
+  0x41, 0x32, 0xb5, 0x37, 0x63, 0x6f, 0x97                                   \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_RSA_PEM tests/data_files/cli-rsa.key */
+#define TEST_CLI_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n" \
+    "B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n" \
+    "bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n" \
+    "Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n" \
+    "7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n" \
+    "dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n" \
+    "yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n" \
+    "4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n" \
+    "ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n" \
+    "zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n" \
+    "l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n" \
+    "DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n" \
+    "VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n" \
+    "Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n" \
+    "wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n" \
+    "c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n" \
+    "33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n" \
+    "ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n" \
+    "BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n" \
+    "KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n" \
+    "UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n" \
+    "7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n" \
+    "gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n" \
+    "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" \
+    "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_RSA_DER tests/data_files/cli-rsa.key.der */
+#define TEST_CLI_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9, 0x45, 0xd9, 0x14,  \
+    0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f, 0x33, 0xad, 0x0d,  \
+    0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9, 0xcc, 0x66, 0x85,  \
+    0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63, 0x9e, 0x0a, 0x6e,  \
+    0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10, 0x93, 0x86, 0x49,  \
+    0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e, 0xd4, 0x2f, 0x77,  \
+    0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95, 0x48, 0x70, 0xf5,  \
+    0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed, 0xe6, 0x43, 0xea,  \
+    0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4, 0x57, 0x4e, 0xa9,  \
+    0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30, 0x32, 0x30, 0xd5,  \
+    0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2, 0x5f, 0xf9, 0x3d,  \
+    0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d, 0xfb, 0xe5, 0x0c,  \
+    0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2, 0x7f, 0xca, 0xad,  \
+    0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f, 0xe0, 0x9b, 0xf8,  \
+    0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34, 0x04, 0x66, 0xc7,  \
+    0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a, 0x06, 0x67, 0xf4,  \
+    0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe, 0x3c, 0x8b, 0x35,  \
+    0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f, 0xfc, 0x36, 0x6b,  \
+    0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d, 0x00, 0xcf, 0xaf,  \
+    0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4, 0xe7, 0x50, 0x71,  \
+    0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8, 0xe4, 0xc4, 0xfd,  \
+    0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x67, 0x4d, 0xb5, 0xf6, 0x03, 0x89, 0xaa, 0x7a, 0x6f, 0x3b, 0x2d,  \
+    0xca, 0x10, 0xa2, 0x23, 0xc9, 0xbd, 0x4e, 0xda, 0xe1, 0x67, 0x0e, 0x0c,  \
+    0x8a, 0xc6, 0x84, 0x68, 0xdf, 0xe5, 0x97, 0x75, 0xd2, 0x8d, 0xa3, 0x86,  \
+    0xd9, 0xdb, 0xd5, 0xeb, 0x13, 0x19, 0x08, 0xc5, 0x7e, 0xe5, 0x37, 0x97,  \
+    0x0c, 0x73, 0x80, 0x66, 0x76, 0x35, 0xf1, 0x88, 0xb5, 0xf2, 0xfc, 0xf3,  \
+    0xe1, 0x4b, 0x76, 0x4e, 0x73, 0x45, 0xce, 0x2c, 0xc2, 0x10, 0x26, 0x0d,  \
+    0x68, 0x0d, 0x9f, 0x49, 0x3d, 0xd6, 0x80, 0x89, 0xe7, 0xc5, 0x49, 0x15,  \
+    0xdd, 0x85, 0xc0, 0xc8, 0xfe, 0x82, 0x37, 0x12, 0x5a, 0x0a, 0x6b, 0xf6,  \
+    0x68, 0x0d, 0x32, 0x16, 0xbd, 0xa4, 0x15, 0x54, 0x9e, 0x68, 0xa1, 0xad,  \
+    0xca, 0x6b, 0xe5, 0x8c, 0xda, 0x76, 0x35, 0x59, 0x2f, 0x9b, 0xb4, 0xe1,  \
+    0xf1, 0xf0, 0x50, 0x04, 0xee, 0xc8, 0xec, 0x05, 0xe1, 0xcf, 0x8d, 0xe4,  \
+    0xd2, 0x64, 0x7b, 0x5e, 0x63, 0xe0, 0x7b, 0x07, 0xbc, 0x02, 0x96, 0x4e,  \
+    0x1b, 0x78, 0x6c, 0xb6, 0x43, 0x9a, 0x32, 0xf6, 0xd6, 0x02, 0xf5, 0x80,  \
+    0xcc, 0x26, 0x6e, 0xa5, 0xd0, 0xe3, 0x65, 0x88, 0xce, 0x26, 0xa9, 0x40,  \
+    0xe1, 0xe1, 0x00, 0xe0, 0x7f, 0x3f, 0xc3, 0xb1, 0x7c, 0xde, 0xbe, 0x42,  \
+    0xba, 0x07, 0x81, 0x13, 0xc2, 0xe0, 0x11, 0x11, 0x23, 0x2c, 0xf8, 0xb2,  \
+    0x7a, 0x3a, 0xd4, 0xe4, 0x7d, 0x5f, 0xb9, 0xb1, 0x18, 0xfa, 0x1d, 0x1d,  \
+    0x97, 0x91, 0xd9, 0x04, 0x9e, 0xbc, 0xc9, 0xb4, 0xd7, 0x7d, 0x0e, 0x54,  \
+    0xf6, 0x8f, 0xd0, 0x28, 0x0d, 0xdd, 0x77, 0x4b, 0x68, 0x04, 0x48, 0x61,  \
+    0x75, 0x15, 0x03, 0x1b, 0x35, 0xad, 0x8e, 0xfc, 0x24, 0x11, 0x07, 0xea,  \
+    0x17, 0x5a, 0xde, 0x19, 0x68, 0xff, 0xb6, 0x87, 0x7f, 0x80, 0x2a, 0x5f,  \
+    0x0c, 0x58, 0xba, 0x5f, 0x41, 0x02, 0x81, 0x81, 0x00, 0xe3, 0x03, 0xaf,  \
+    0xfe, 0x98, 0xd2, 0x0b, 0x7b, 0x72, 0xe9, 0x3b, 0x8e, 0xbc, 0xa5, 0xf6,  \
+    0xac, 0xe5, 0x22, 0x06, 0xb2, 0xd7, 0x5e, 0xfd, 0x89, 0x4b, 0x16, 0x67,  \
+    0x32, 0x83, 0x22, 0x58, 0x8e, 0x62, 0xa4, 0xb4, 0x2d, 0xf9, 0x16, 0x13,  \
+    0x54, 0xf6, 0x9f, 0x2f, 0xf9, 0xbb, 0x0e, 0x7e, 0x8c, 0x6f, 0x08, 0xda,  \
+    0xc8, 0xe9, 0x1c, 0x66, 0x10, 0x70, 0x93, 0x90, 0x8d, 0xcf, 0x90, 0x3a,  \
+    0x43, 0x89, 0x49, 0xeb, 0x83, 0x2a, 0xfe, 0x5a, 0x87, 0xce, 0x74, 0x42,  \
+    0x41, 0x0d, 0x8c, 0x73, 0x51, 0xbc, 0x7b, 0x20, 0xc5, 0xfd, 0xf6, 0x0b,  \
+    0x65, 0xed, 0xa9, 0x2e, 0xfc, 0x0f, 0xf5, 0x50, 0xf9, 0x8d, 0x37, 0x36,  \
+    0x9a, 0x20, 0xdf, 0xc3, 0xe3, 0x27, 0xbc, 0x98, 0x72, 0xc1, 0x14, 0x4b,  \
+    0x71, 0xe9, 0x83, 0x14, 0xff, 0x24, 0xe2, 0x14, 0x15, 0xb6, 0x6f, 0x0f,  \
+    0x32, 0x9d, 0xd9, 0x98, 0xd1, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x0c, 0xfb,  \
+    0xc3, 0x33, 0x9b, 0x47, 0x88, 0x27, 0xf2, 0x26, 0xde, 0xeb, 0x5e, 0xee,  \
+    0x40, 0xf6, 0x63, 0x5b, 0x35, 0x23, 0xf5, 0xd5, 0x07, 0x61, 0xdf, 0xa2,  \
+    0x9f, 0x58, 0x30, 0x04, 0x22, 0x2b, 0xb4, 0xd9, 0xda, 0x46, 0x7f, 0x48,  \
+    0xf5, 0x4f, 0xd0, 0xea, 0xd7, 0xa0, 0x45, 0x8a, 0x62, 0x8b, 0x8c, 0xac,  \
+    0x73, 0x5e, 0xfa, 0x36, 0x65, 0x3e, 0xba, 0x6c, 0xba, 0x5e, 0x6b, 0x92,  \
+    0x29, 0x5e, 0x6a, 0x0f, 0xd6, 0xd2, 0xa5, 0x95, 0x86, 0xda, 0x72, 0xc5,  \
+    0x9e, 0xc9, 0x6b, 0x37, 0x5e, 0x4b, 0x9b, 0x77, 0xe1, 0x67, 0x1a, 0x1e,  \
+    0x30, 0xd8, 0x41, 0x68, 0x40, 0xd3, 0x9c, 0xb4, 0xf6, 0xeb, 0x2a, 0x22,  \
+    0xdf, 0x78, 0x29, 0xd2, 0x64, 0x92, 0x5b, 0x2f, 0x78, 0x64, 0x4a, 0xa2,  \
+    0xa6, 0x6b, 0x3e, 0x50, 0xb1, 0x7a, 0xb1, 0x8d, 0x59, 0xb4, 0x55, 0xba,  \
+    0xb6, 0x91, 0x85, 0xa3, 0x2f, 0x02, 0x81, 0x80, 0x10, 0x1e, 0x19, 0xe7,  \
+    0xbc, 0x97, 0xe5, 0x22, 0xcd, 0xa4, 0xcb, 0x8a, 0xb5, 0xd0, 0x1e, 0xb4,  \
+    0x65, 0xcc, 0x45, 0xa7, 0x7a, 0xed, 0x0e, 0x99, 0x29, 0xd0, 0x9c, 0x61,  \
+    0x14, 0xb8, 0x62, 0x8b, 0x31, 0x6b, 0xba, 0x33, 0x2d, 0x65, 0x28, 0xd8,  \
+    0x36, 0x6e, 0x54, 0xec, 0xa9, 0x20, 0x3d, 0x51, 0xe1, 0x2c, 0x42, 0xc4,  \
+    0x52, 0xf0, 0xa6, 0x3a, 0x72, 0x93, 0xb7, 0x86, 0xa9, 0xfe, 0xf6, 0x74,  \
+    0x07, 0x12, 0x4d, 0x7b, 0x51, 0x99, 0x1f, 0x7a, 0x56, 0xe9, 0x20, 0x2f,  \
+    0x18, 0x34, 0x29, 0x97, 0xdb, 0x06, 0xee, 0xeb, 0xbf, 0xbd, 0x31, 0x4f,  \
+    0xfa, 0x50, 0xb1, 0xba, 0x49, 0xb3, 0xc4, 0x1d, 0x03, 0xae, 0xb0, 0xdc,  \
+    0xbe, 0x8a, 0xc4, 0x90, 0xa3, 0x28, 0x9b, 0xb6, 0x42, 0x09, 0x1b, 0xd6,  \
+    0x29, 0x9b, 0x19, 0xe9, 0x87, 0x87, 0xd9, 0x9f, 0x35, 0x05, 0xab, 0x91,  \
+    0x8f, 0x6d, 0x7c, 0x91, 0x02, 0x81, 0x81, 0x00, 0x94, 0x57, 0xf0, 0xe0,  \
+    0x28, 0xfd, 0xbd, 0xf3, 0x9c, 0x43, 0x4d, 0x3e, 0xfd, 0x37, 0x4f, 0x23,  \
+    0x52, 0x8d, 0xe1, 0x4c, 0xfe, 0x4c, 0x55, 0x80, 0x82, 0xba, 0x3f, 0xfe,  \
+    0x51, 0xe1, 0x30, 0xd5, 0x3b, 0xd9, 0x73, 0x1d, 0xcb, 0x25, 0xbc, 0xbb,  \
+    0x3f, 0xa5, 0xda, 0x77, 0xa6, 0xb5, 0xfc, 0x1a, 0xaf, 0x79, 0xa1, 0xb2,  \
+    0x14, 0xa2, 0x1f, 0x10, 0x52, 0x1a, 0x05, 0x40, 0x48, 0xb6, 0x4f, 0x34,  \
+    0xd6, 0xc0, 0xc3, 0xa4, 0x36, 0x98, 0x73, 0x88, 0x0b, 0xd3, 0x45, 0xdc,  \
+    0xee, 0x51, 0x6e, 0x04, 0x73, 0x99, 0x93, 0x12, 0x58, 0x96, 0xcb, 0x39,  \
+    0x42, 0xb1, 0xa9, 0xb8, 0xe1, 0x25, 0xf5, 0x9c, 0x14, 0xb7, 0x92, 0x2b,  \
+    0x14, 0xb0, 0x5d, 0x61, 0xa2, 0xaa, 0x34, 0x7c, 0xcd, 0x54, 0x2d, 0x69,  \
+    0x08, 0xf7, 0xdb, 0xfc, 0x9c, 0x87, 0xe8, 0x3a, 0xf6, 0x1d, 0x4c, 0x6a,  \
+    0x83, 0x15, 0x30, 0x01, 0x02, 0x81, 0x81, 0x00, 0x9c, 0x53, 0xa1, 0xb6,  \
+    0x2f, 0xc0, 0x06, 0xf5, 0xdf, 0x5c, 0xd1, 0x4a, 0x4e, 0xc8, 0xbd, 0x6d,  \
+    0x32, 0xf1, 0x5e, 0xe5, 0x3b, 0x70, 0xd0, 0xa8, 0xe5, 0x41, 0x57, 0x6c,  \
+    0x87, 0x53, 0x0f, 0xeb, 0x28, 0xa0, 0x62, 0x8f, 0x43, 0x62, 0xec, 0x2e,  \
+    0x6c, 0x71, 0x55, 0x5b, 0x6a, 0xf4, 0x74, 0x14, 0xea, 0x7a, 0x03, 0xf6,  \
+    0xfc, 0xa4, 0xce, 0xc4, 0xac, 0xda, 0x1d, 0xf0, 0xb5, 0xa9, 0xfd, 0x11,  \
+    0x18, 0x3b, 0x14, 0xa0, 0x90, 0x8d, 0x26, 0xb7, 0x75, 0x73, 0x0a, 0x02,  \
+    0x2c, 0x6f, 0x0f, 0xd8, 0x41, 0x78, 0xc3, 0x73, 0x81, 0xac, 0xaa, 0xaf,  \
+    0xf2, 0xee, 0x32, 0xb5, 0x8d, 0x05, 0xf9, 0x59, 0x5a, 0x9e, 0x3e, 0x65,  \
+    0x9b, 0x74, 0xda, 0xa0, 0x74, 0x95, 0x17, 0x5f, 0x8d, 0x58, 0xfc, 0x8e,  \
+    0x4e, 0x2c, 0x1e, 0xbc, 0x81, 0x02, 0x18, 0xac, 0x12, 0xc6, 0xf9, 0x64,  \
+    0x8b, 0x87, 0xc3, 0x00                                                   \
+}
+/* END FILE */
+
+/*
+ *
+ * Test certificates and keys as C variables
+ *
+ */
+
+/*
+ * CA
+ */
+
+const char mbedtls_test_ca_crt_ec_pem[]           = TEST_CA_CRT_EC_PEM;
+const char mbedtls_test_ca_key_ec_pem[]           = TEST_CA_KEY_EC_PEM;
+const char mbedtls_test_ca_pwd_ec_pem[]           = TEST_CA_PWD_EC_PEM;
+const char mbedtls_test_ca_key_rsa_pem[]          = TEST_CA_KEY_RSA_PEM;
+const char mbedtls_test_ca_pwd_rsa_pem[]          = TEST_CA_PWD_RSA_PEM;
+const char mbedtls_test_ca_crt_rsa_sha1_pem[]     = TEST_CA_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_ca_crt_rsa_sha256_pem[]   = TEST_CA_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_ca_crt_ec_der[]   = TEST_CA_CRT_EC_DER;
+const unsigned char mbedtls_test_ca_key_ec_der[]   = TEST_CA_KEY_EC_DER;
+const unsigned char mbedtls_test_ca_key_rsa_der[]  = TEST_CA_KEY_RSA_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[]   =
+    TEST_CA_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[] =
+    TEST_CA_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_ca_crt_ec_pem_len =
+    sizeof( mbedtls_test_ca_crt_ec_pem );
+const size_t mbedtls_test_ca_key_ec_pem_len =
+    sizeof( mbedtls_test_ca_key_ec_pem );
+const size_t mbedtls_test_ca_pwd_ec_pem_len =
+    sizeof( mbedtls_test_ca_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_ca_key_rsa_pem_len =
+    sizeof( mbedtls_test_ca_key_rsa_pem );
+const size_t mbedtls_test_ca_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_ca_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_pem );
+const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_pem );
+
+const size_t mbedtls_test_ca_crt_ec_der_len =
+    sizeof( mbedtls_test_ca_crt_ec_der );
+const size_t mbedtls_test_ca_key_ec_der_len =
+    sizeof( mbedtls_test_ca_key_ec_der );
+const size_t mbedtls_test_ca_pwd_ec_der_len = 0;
+const size_t mbedtls_test_ca_key_rsa_der_len =
+    sizeof( mbedtls_test_ca_key_rsa_der );
+const size_t mbedtls_test_ca_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_ca_crt_rsa_sha1_der_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_der );
+const size_t mbedtls_test_ca_crt_rsa_sha256_der_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_der );
+
+/*
+ * Server
+ */
+
+const char mbedtls_test_srv_crt_ec_pem[]           = TEST_SRV_CRT_EC_PEM;
+const char mbedtls_test_srv_key_ec_pem[]           = TEST_SRV_KEY_EC_PEM;
+const char mbedtls_test_srv_pwd_ec_pem[]           = "";
+const char mbedtls_test_srv_key_rsa_pem[]          = TEST_SRV_KEY_RSA_PEM;
+const char mbedtls_test_srv_pwd_rsa_pem[]          = "";
+const char mbedtls_test_srv_crt_rsa_sha1_pem[]     = TEST_SRV_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_srv_crt_rsa_sha256_pem[]   = TEST_SRV_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_srv_crt_ec_der[]   = TEST_SRV_CRT_EC_DER;
+const unsigned char mbedtls_test_srv_key_ec_der[]   = TEST_SRV_KEY_EC_DER;
+const unsigned char mbedtls_test_srv_key_rsa_der[]  = TEST_SRV_KEY_RSA_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[]   =
+    TEST_SRV_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[] =
+    TEST_SRV_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_srv_crt_ec_pem_len =
+    sizeof( mbedtls_test_srv_crt_ec_pem );
+const size_t mbedtls_test_srv_key_ec_pem_len =
+    sizeof( mbedtls_test_srv_key_ec_pem );
+const size_t mbedtls_test_srv_pwd_ec_pem_len =
+    sizeof( mbedtls_test_srv_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_srv_key_rsa_pem_len =
+    sizeof( mbedtls_test_srv_key_rsa_pem );
+const size_t mbedtls_test_srv_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_srv_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1_pem );
+const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256_pem );
+
+const size_t mbedtls_test_srv_crt_ec_der_len =
+    sizeof( mbedtls_test_srv_crt_ec_der );
+const size_t mbedtls_test_srv_key_ec_der_len =
+    sizeof( mbedtls_test_srv_key_ec_der );
+const size_t mbedtls_test_srv_pwd_ec_der_len = 0;
+const size_t mbedtls_test_srv_key_rsa_der_len =
+    sizeof( mbedtls_test_srv_key_rsa_der );
+const size_t mbedtls_test_srv_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_srv_crt_rsa_sha1_der_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1_der );
+const size_t mbedtls_test_srv_crt_rsa_sha256_der_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256_der );
+
+/*
+ * Client
+ */
+
+const char mbedtls_test_cli_crt_ec_pem[]   = TEST_CLI_CRT_EC_PEM;
+const char mbedtls_test_cli_key_ec_pem[]   = TEST_CLI_KEY_EC_PEM;
+const char mbedtls_test_cli_pwd_ec_pem[]   = "";
+const char mbedtls_test_cli_key_rsa_pem[]  = TEST_CLI_KEY_RSA_PEM;
+const char mbedtls_test_cli_pwd_rsa_pem[]  = "";
+const char mbedtls_test_cli_crt_rsa_pem[]  = TEST_CLI_CRT_RSA_PEM;
+
+const unsigned char mbedtls_test_cli_crt_ec_der[]   = TEST_CLI_CRT_EC_DER;
+const unsigned char mbedtls_test_cli_key_ec_der[]   = TEST_CLI_KEY_EC_DER;
+const unsigned char mbedtls_test_cli_key_rsa_der[]  = TEST_CLI_KEY_RSA_DER;
+const unsigned char mbedtls_test_cli_crt_rsa_der[]  = TEST_CLI_CRT_RSA_DER;
+
+const size_t mbedtls_test_cli_crt_ec_pem_len =
+    sizeof( mbedtls_test_cli_crt_ec_pem );
+const size_t mbedtls_test_cli_key_ec_pem_len =
+    sizeof( mbedtls_test_cli_key_ec_pem );
+const size_t mbedtls_test_cli_pwd_ec_pem_len =
+    sizeof( mbedtls_test_cli_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_cli_key_rsa_pem_len =
+    sizeof( mbedtls_test_cli_key_rsa_pem );
+const size_t mbedtls_test_cli_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_cli_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_cli_crt_rsa_pem_len =
+    sizeof( mbedtls_test_cli_crt_rsa_pem );
+
+const size_t mbedtls_test_cli_crt_ec_der_len =
+    sizeof( mbedtls_test_cli_crt_ec_der );
+const size_t mbedtls_test_cli_key_ec_der_len =
+    sizeof( mbedtls_test_cli_key_ec_der );
+const size_t mbedtls_test_cli_key_rsa_der_len =
+    sizeof( mbedtls_test_cli_key_rsa_der );
+const size_t mbedtls_test_cli_crt_rsa_der_len =
+    sizeof( mbedtls_test_cli_crt_rsa_der );
+
+/*
+ *
+ * Definitions of test CRTs without specification of all parameters, choosing
+ * them automatically according to the config. For example, mbedtls_test_ca_crt
+ * is one of mbedtls_test_ca_crt_{rsa|ec}_{sha1|sha256}_{pem|der}.
+ *
+ */
+
+/*
+ * Dispatch between PEM and DER according to config
+ */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+
+/* PEM encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_PEM
+#define TEST_CA_PWD_RSA        TEST_CA_PWD_RSA_PEM
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_PEM
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_PEM
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_PEM
+#define TEST_CA_PWD_EC         TEST_CA_PWD_EC_PEM
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_PEM
+
+/* PEM encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_PEM
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_PEM
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_PEM
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_PEM
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_PEM
+
+/* PEM encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_PEM
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_PEM
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_PEM
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_PEM
+
+#else /* MBEDTLS_PEM_PARSE_C */
+
+/* DER encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_DER
+#define TEST_CA_PWD_RSA        ""
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_DER
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_DER
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_DER
+#define TEST_CA_PWD_EC         ""
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_DER
+
+/* DER encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_DER
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_DER
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_DER
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_DER
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_DER
+
+/* DER encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_DER
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_DER
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_DER
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_DER
+
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+const char mbedtls_test_ca_key_rsa[]         = TEST_CA_KEY_RSA;
+const char mbedtls_test_ca_pwd_rsa[]         = TEST_CA_PWD_RSA;
+const char mbedtls_test_ca_crt_rsa_sha256[]  = TEST_CA_CRT_RSA_SHA256;
+const char mbedtls_test_ca_crt_rsa_sha1[]    = TEST_CA_CRT_RSA_SHA1;
+const char mbedtls_test_ca_key_ec[]          = TEST_CA_KEY_EC;
+const char mbedtls_test_ca_pwd_ec[]          = TEST_CA_PWD_EC;
+const char mbedtls_test_ca_crt_ec[]          = TEST_CA_CRT_EC;
+
+const char mbedtls_test_srv_key_rsa[]        = TEST_SRV_KEY_RSA;
+const char mbedtls_test_srv_pwd_rsa[]        = TEST_SRV_PWD_RSA;
+const char mbedtls_test_srv_crt_rsa_sha256[] = TEST_SRV_CRT_RSA_SHA256;
+const char mbedtls_test_srv_crt_rsa_sha1[]   = TEST_SRV_CRT_RSA_SHA1;
+const char mbedtls_test_srv_key_ec[]         = TEST_SRV_KEY_EC;
+const char mbedtls_test_srv_pwd_ec[]         = TEST_SRV_PWD_EC;
+const char mbedtls_test_srv_crt_ec[]         = TEST_SRV_CRT_EC;
+
+const char mbedtls_test_cli_key_rsa[]        = TEST_CLI_KEY_RSA;
+const char mbedtls_test_cli_pwd_rsa[]        = TEST_CLI_PWD_RSA;
+const char mbedtls_test_cli_crt_rsa[]        = TEST_CLI_CRT_RSA;
+const char mbedtls_test_cli_key_ec[]         = TEST_CLI_KEY_EC;
+const char mbedtls_test_cli_pwd_ec[]         = TEST_CLI_PWD_EC;
+const char mbedtls_test_cli_crt_ec[]         = TEST_CLI_CRT_EC;
+
+const size_t mbedtls_test_ca_key_rsa_len =
+    sizeof( mbedtls_test_ca_key_rsa );
+const size_t mbedtls_test_ca_pwd_rsa_len =
+    sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha256_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256 );
+const size_t mbedtls_test_ca_crt_rsa_sha1_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1 );
+const size_t mbedtls_test_ca_key_ec_len =
+    sizeof( mbedtls_test_ca_key_ec );
+const size_t mbedtls_test_ca_pwd_ec_len =
+    sizeof( mbedtls_test_ca_pwd_ec ) - 1;
+const size_t mbedtls_test_ca_crt_ec_len =
+    sizeof( mbedtls_test_ca_crt_ec );
+
+const size_t mbedtls_test_srv_key_rsa_len =
+    sizeof( mbedtls_test_srv_key_rsa );
+const size_t mbedtls_test_srv_pwd_rsa_len =
+    sizeof( mbedtls_test_srv_pwd_rsa ) -1;
+const size_t mbedtls_test_srv_crt_rsa_sha256_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256 );
+const size_t mbedtls_test_srv_crt_rsa_sha1_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1 );
+const size_t mbedtls_test_srv_key_ec_len =
+    sizeof( mbedtls_test_srv_key_ec );
+const size_t mbedtls_test_srv_pwd_ec_len =
+    sizeof( mbedtls_test_srv_pwd_ec ) - 1;
+const size_t mbedtls_test_srv_crt_ec_len =
+    sizeof( mbedtls_test_srv_crt_ec );
+
+const size_t mbedtls_test_cli_key_rsa_len =
+    sizeof( mbedtls_test_cli_key_rsa );
+const size_t mbedtls_test_cli_pwd_rsa_len =
+    sizeof( mbedtls_test_cli_pwd_rsa ) - 1;
+const size_t mbedtls_test_cli_crt_rsa_len =
+    sizeof( mbedtls_test_cli_crt_rsa );
+const size_t mbedtls_test_cli_key_ec_len =
+    sizeof( mbedtls_test_cli_key_ec );
+const size_t mbedtls_test_cli_pwd_ec_len =
+    sizeof( mbedtls_test_cli_pwd_ec ) - 1;
+const size_t mbedtls_test_cli_crt_ec_len =
+    sizeof( mbedtls_test_cli_crt_ec );
+
+/*
+ * Dispatch between SHA-1 and SHA-256
+ */
+
+#if defined(MBEDTLS_SHA256_C)
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA256
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA256
+#else
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA1
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA1
+#endif /* MBEDTLS_SHA256_C */
+
+const char mbedtls_test_ca_crt_rsa[]  = TEST_CA_CRT_RSA;
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA;
+
+const size_t mbedtls_test_ca_crt_rsa_len =
+    sizeof( mbedtls_test_ca_crt_rsa );
+const size_t mbedtls_test_srv_crt_rsa_len =
+    sizeof( mbedtls_test_srv_crt_rsa );
+
+/*
+ * Dispatch between RSA and EC
+ */
+
+#if defined(MBEDTLS_RSA_C)
+
+#define TEST_CA_KEY TEST_CA_KEY_RSA
+#define TEST_CA_PWD TEST_CA_PWD_RSA
+#define TEST_CA_CRT TEST_CA_CRT_RSA
+
+#define TEST_SRV_KEY TEST_SRV_KEY_RSA
+#define TEST_SRV_PWD TEST_SRV_PWD_RSA
+#define TEST_SRV_CRT TEST_SRV_CRT_RSA
+
+#define TEST_CLI_KEY TEST_CLI_KEY_RSA
+#define TEST_CLI_PWD TEST_CLI_PWD_RSA
+#define TEST_CLI_CRT TEST_CLI_CRT_RSA
+
+#else /* no RSA, so assume ECDSA */
+
+#define TEST_CA_KEY TEST_CA_KEY_EC
+#define TEST_CA_PWD TEST_CA_PWD_EC
+#define TEST_CA_CRT TEST_CA_CRT_EC
+
+#define TEST_SRV_KEY TEST_SRV_KEY_EC
+#define TEST_SRV_PWD TEST_SRV_PWD_EC
+#define TEST_SRV_CRT TEST_SRV_CRT_EC
+
+#define TEST_CLI_KEY TEST_CLI_KEY_EC
+#define TEST_CLI_PWD TEST_CLI_PWD_EC
+#define TEST_CLI_CRT TEST_CLI_CRT_EC
+
+#endif /* MBEDTLS_RSA_C */
+
+/* API stability forces us to declare
+ *   mbedtls_test_{ca|srv|cli}_{key|pwd|crt}
+ * as pointers. */
+static const char test_ca_key[] = TEST_CA_KEY;
+static const char test_ca_pwd[] = TEST_CA_PWD;
+static const char test_ca_crt[] = TEST_CA_CRT;
+
+static const char test_srv_key[] = TEST_SRV_KEY;
+static const char test_srv_pwd[] = TEST_SRV_PWD;
+static const char test_srv_crt[] = TEST_SRV_CRT;
+
+static const char test_cli_key[] = TEST_CLI_KEY;
+static const char test_cli_pwd[] = TEST_CLI_PWD;
+static const char test_cli_crt[] = TEST_CLI_CRT;
+
+const char *mbedtls_test_ca_key = test_ca_key;
+const char *mbedtls_test_ca_pwd = test_ca_pwd;
+const char *mbedtls_test_ca_crt = test_ca_crt;
+
+const char *mbedtls_test_srv_key = test_srv_key;
+const char *mbedtls_test_srv_pwd = test_srv_pwd;
+const char *mbedtls_test_srv_crt = test_srv_crt;
+
+const char *mbedtls_test_cli_key = test_cli_key;
+const char *mbedtls_test_cli_pwd = test_cli_pwd;
+const char *mbedtls_test_cli_crt = test_cli_crt;
+
+const size_t mbedtls_test_ca_key_len =
+    sizeof( test_ca_key );
+const size_t mbedtls_test_ca_pwd_len =
+    sizeof( test_ca_pwd ) - 1;
+const size_t mbedtls_test_ca_crt_len =
+    sizeof( test_ca_crt );
+
+const size_t mbedtls_test_srv_key_len =
+    sizeof( test_srv_key );
+const size_t mbedtls_test_srv_pwd_len =
+    sizeof( test_srv_pwd ) - 1;
+const size_t mbedtls_test_srv_crt_len =
+    sizeof( test_srv_crt );
+
+const size_t mbedtls_test_cli_key_len =
+    sizeof( test_cli_key );
+const size_t mbedtls_test_cli_pwd_len =
+    sizeof( test_cli_pwd ) - 1;
+const size_t mbedtls_test_cli_crt_len =
+    sizeof( test_cli_crt );
+
+/*
+ *
+ * Lists of certificates
+ *
+ */
+
+/* List of CAs in PEM or DER, depending on config */
+const char * mbedtls_test_cas[] = {
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
+    mbedtls_test_ca_crt_rsa_sha1,
+#endif
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
+    mbedtls_test_ca_crt_rsa_sha256,
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    mbedtls_test_ca_crt_ec,
+#endif
+    NULL
+};
+const size_t mbedtls_test_cas_len[] = {
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
+#endif
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    sizeof( mbedtls_test_ca_crt_ec ),
+#endif
+    0
+};
+
+/* List of all available CA certificates in DER format */
+const unsigned char * mbedtls_test_cas_der[] = {
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_test_ca_crt_rsa_sha256_der,
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    mbedtls_test_ca_crt_rsa_sha1_der,
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    mbedtls_test_ca_crt_ec_der,
+#endif /* MBEDTLS_ECDSA_C */
+    NULL
+};
+
+const size_t mbedtls_test_cas_der_len[] = {
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_der ),
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_der ),
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    sizeof( mbedtls_test_ca_crt_ec_der ),
+#endif /* MBEDTLS_ECDSA_C */
+    0
+};
+
+/* Concatenation of all available CA certificates in PEM format */
+#if defined(MBEDTLS_PEM_PARSE_C)
+const char mbedtls_test_cas_pem[] =
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    TEST_CA_CRT_RSA_SHA256_PEM
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    TEST_CA_CRT_RSA_SHA1_PEM
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    TEST_CA_CRT_EC_PEM
+#endif /* MBEDTLS_ECDSA_C */
+    "";
+const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#endif /* MBEDTLS_CERTS_C */
diff --git a/ctrtool/deps/libmbedtls/src/chacha20.c b/ctrtool/deps/libmbedtls/src/chacha20.c
new file mode 100644
index 00000000..8a3610f0
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/chacha20.c
@@ -0,0 +1,570 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#include "mbedtls/chacha20.h"
+#include "mbedtls/platform_util.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define CHACHA20_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+#define CHACHA20_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                   \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )     \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )    \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )    \
+    )
+
+#define ROTL32( value, amount ) \
+    ( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) )
+
+#define CHACHA20_CTR_INDEX ( 12U )
+
+#define CHACHA20_BLOCK_SIZE_BYTES ( 4U * 16U )
+
+/**
+ * \brief           ChaCha20 quarter round operation.
+ *
+ *                  The quarter round is defined as follows (from RFC 7539):
+ *                      1.  a += b; d ^= a; d <<<= 16;
+ *                      2.  c += d; b ^= c; b <<<= 12;
+ *                      3.  a += b; d ^= a; d <<<= 8;
+ *                      4.  c += d; b ^= c; b <<<= 7;
+ *
+ * \param state     ChaCha20 state to modify.
+ * \param a         The index of 'a' in the state.
+ * \param b         The index of 'b' in the state.
+ * \param c         The index of 'c' in the state.
+ * \param d         The index of 'd' in the state.
+ */
+static inline void chacha20_quarter_round( uint32_t state[16],
+                                           size_t a,
+                                           size_t b,
+                                           size_t c,
+                                           size_t d )
+{
+    /* a += b; d ^= a; d <<<= 16; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32( state[d], 16 );
+
+    /* c += d; b ^= c; b <<<= 12 */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32( state[b], 12 );
+
+    /* a += b; d ^= a; d <<<= 8; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32( state[d], 8 );
+
+    /* c += d; b ^= c; b <<<= 7; */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32( state[b], 7 );
+}
+
+/**
+ * \brief           Perform the ChaCha20 inner block operation.
+ *
+ *                  This function performs two rounds: the column round and the
+ *                  diagonal round.
+ *
+ * \param state     The ChaCha20 state to update.
+ */
+static void chacha20_inner_block( uint32_t state[16] )
+{
+    chacha20_quarter_round( state, 0, 4, 8,  12 );
+    chacha20_quarter_round( state, 1, 5, 9,  13 );
+    chacha20_quarter_round( state, 2, 6, 10, 14 );
+    chacha20_quarter_round( state, 3, 7, 11, 15 );
+
+    chacha20_quarter_round( state, 0, 5, 10, 15 );
+    chacha20_quarter_round( state, 1, 6, 11, 12 );
+    chacha20_quarter_round( state, 2, 7, 8,  13 );
+    chacha20_quarter_round( state, 3, 4, 9,  14 );
+}
+
+/**
+ * \brief               Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (key, nonce, counter).
+ * \param keystream     Generated keystream bytes are written to this buffer.
+ */
+static void chacha20_block( const uint32_t initial_state[16],
+                            unsigned char keystream[64] )
+{
+    uint32_t working_state[16];
+    size_t i;
+
+    memcpy( working_state,
+            initial_state,
+            CHACHA20_BLOCK_SIZE_BYTES );
+
+    for( i = 0U; i < 10U; i++ )
+        chacha20_inner_block( working_state );
+
+    working_state[ 0] += initial_state[ 0];
+    working_state[ 1] += initial_state[ 1];
+    working_state[ 2] += initial_state[ 2];
+    working_state[ 3] += initial_state[ 3];
+    working_state[ 4] += initial_state[ 4];
+    working_state[ 5] += initial_state[ 5];
+    working_state[ 6] += initial_state[ 6];
+    working_state[ 7] += initial_state[ 7];
+    working_state[ 8] += initial_state[ 8];
+    working_state[ 9] += initial_state[ 9];
+    working_state[10] += initial_state[10];
+    working_state[11] += initial_state[11];
+    working_state[12] += initial_state[12];
+    working_state[13] += initial_state[13];
+    working_state[14] += initial_state[14];
+    working_state[15] += initial_state[15];
+
+    for( i = 0U; i < 16; i++ )
+    {
+        size_t offset = i * 4U;
+
+        keystream[offset     ] = (unsigned char)( working_state[i]       );
+        keystream[offset + 1U] = (unsigned char)( working_state[i] >>  8 );
+        keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
+        keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
+    }
+
+    mbedtls_platform_zeroize( working_state, sizeof( working_state ) );
+}
+
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx )
+{
+    CHACHA20_VALIDATE( ctx != NULL );
+
+    mbedtls_platform_zeroize( ctx->state, sizeof( ctx->state ) );
+    mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+}
+
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx )
+{
+    if( ctx != NULL )
+    {
+        mbedtls_platform_zeroize( ctx, sizeof( mbedtls_chacha20_context ) );
+    }
+}
+
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+                            const unsigned char key[32] )
+{
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( key != NULL );
+
+    /* ChaCha20 constants - the string "expand 32-byte k" */
+    ctx->state[0] = 0x61707865;
+    ctx->state[1] = 0x3320646e;
+    ctx->state[2] = 0x79622d32;
+    ctx->state[3] = 0x6b206574;
+
+    /* Set key */
+    ctx->state[4]  = BYTES_TO_U32_LE( key, 0 );
+    ctx->state[5]  = BYTES_TO_U32_LE( key, 4 );
+    ctx->state[6]  = BYTES_TO_U32_LE( key, 8 );
+    ctx->state[7]  = BYTES_TO_U32_LE( key, 12 );
+    ctx->state[8]  = BYTES_TO_U32_LE( key, 16 );
+    ctx->state[9]  = BYTES_TO_U32_LE( key, 20 );
+    ctx->state[10] = BYTES_TO_U32_LE( key, 24 );
+    ctx->state[11] = BYTES_TO_U32_LE( key, 28 );
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+                             const unsigned char nonce[12],
+                             uint32_t counter )
+{
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( nonce != NULL );
+
+    /* Counter */
+    ctx->state[12] = counter;
+
+    /* Nonce */
+    ctx->state[13] = BYTES_TO_U32_LE( nonce, 0 );
+    ctx->state[14] = BYTES_TO_U32_LE( nonce, 4 );
+    ctx->state[15] = BYTES_TO_U32_LE( nonce, 8 );
+
+    mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+                              size_t size,
+                              const unsigned char *input,
+                              unsigned char *output )
+{
+    size_t offset = 0U;
+    size_t i;
+
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( size == 0 || input  != NULL );
+    CHACHA20_VALIDATE_RET( size == 0 || output != NULL );
+
+    /* Use leftover keystream bytes, if available */
+    while( size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES )
+    {
+        output[offset] = input[offset]
+                       ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+        ctx->keystream_bytes_used++;
+        offset++;
+        size--;
+    }
+
+    /* Process full blocks */
+    while( size >= CHACHA20_BLOCK_SIZE_BYTES )
+    {
+        /* Generate new keystream block and increment counter */
+        chacha20_block( ctx->state, ctx->keystream8 );
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for( i = 0U; i < 64U; i += 8U )
+        {
+            output[offset + i  ] = input[offset + i  ] ^ ctx->keystream8[i  ];
+            output[offset + i+1] = input[offset + i+1] ^ ctx->keystream8[i+1];
+            output[offset + i+2] = input[offset + i+2] ^ ctx->keystream8[i+2];
+            output[offset + i+3] = input[offset + i+3] ^ ctx->keystream8[i+3];
+            output[offset + i+4] = input[offset + i+4] ^ ctx->keystream8[i+4];
+            output[offset + i+5] = input[offset + i+5] ^ ctx->keystream8[i+5];
+            output[offset + i+6] = input[offset + i+6] ^ ctx->keystream8[i+6];
+            output[offset + i+7] = input[offset + i+7] ^ ctx->keystream8[i+7];
+        }
+
+        offset += CHACHA20_BLOCK_SIZE_BYTES;
+        size   -= CHACHA20_BLOCK_SIZE_BYTES;
+    }
+
+    /* Last (partial) block */
+    if( size > 0U )
+    {
+        /* Generate new keystream block and increment counter */
+        chacha20_block( ctx->state, ctx->keystream8 );
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for( i = 0U; i < size; i++)
+        {
+            output[offset + i] = input[offset + i] ^ ctx->keystream8[i];
+        }
+
+        ctx->keystream_bytes_used = size;
+
+    }
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+                            const unsigned char nonce[12],
+                            uint32_t counter,
+                            size_t data_len,
+                            const unsigned char* input,
+                            unsigned char* output )
+{
+    mbedtls_chacha20_context ctx;
+    int ret;
+
+    CHACHA20_VALIDATE_RET( key != NULL );
+    CHACHA20_VALIDATE_RET( nonce != NULL );
+    CHACHA20_VALIDATE_RET( data_len == 0 || input  != NULL );
+    CHACHA20_VALIDATE_RET( data_len == 0 || output != NULL );
+
+    mbedtls_chacha20_init( &ctx );
+
+    ret = mbedtls_chacha20_setkey( &ctx, key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chacha20_starts( &ctx, nonce, counter );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chacha20_update( &ctx, data_len, input, output );
+
+cleanup:
+    mbedtls_chacha20_free( &ctx );
+    return( ret );
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+    }
+};
+
+static const unsigned char test_nonces[2][12] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x02
+    }
+};
+
+static const uint32_t test_counters[2] =
+{
+    0U,
+    1U
+};
+
+static const unsigned char test_input[2][375] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+        0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+        0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+        0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+        0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+        0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+        0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+        0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+        0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+        0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+        0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+        0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+        0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+        0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+        0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+        0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+        0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+        0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+        0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+        0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+        0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+        0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+        0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+        0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+        0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+        0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+        0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+        0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+        0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+        0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+        0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+        0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+        0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+        0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+        0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+    }
+};
+
+static const unsigned char test_output[2][375] =
+{
+    {
+        0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+        0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+        0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+        0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+        0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+        0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+        0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+        0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+    },
+    {
+        0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+        0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+        0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+        0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+        0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+        0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+        0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+        0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+        0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+        0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+        0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+        0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+        0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+        0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+        0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+        0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+        0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+        0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+        0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+        0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+        0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+        0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+        0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+        0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+        0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+        0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+        0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+        0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+        0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+        0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+        0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+        0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+        0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+        0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+        0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+        0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+        0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+        0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+        0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+        0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+        0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+        0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+        0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+        0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+        0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+        0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+        0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+    }
+};
+
+static const size_t test_lengths[2] =
+{
+    64U,
+    375U
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chacha20_self_test( int verbose )
+{
+    unsigned char output[381];
+    unsigned i;
+    int ret;
+
+    for( i = 0U; i < 2U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ChaCha20 test %u ", i );
+
+        ret = mbedtls_chacha20_crypt( test_keys[i],
+                                      test_nonces[i],
+                                      test_counters[i],
+                                      test_lengths[i],
+                                      test_input[i],
+                                      output );
+
+        ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( output, test_output[i], test_lengths[i] ),
+                ( "failed (output)\n" ) );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/ctrtool/deps/libmbedtls/src/chachapoly.c b/ctrtool/deps/libmbedtls/src/chachapoly.c
new file mode 100644
index 00000000..dc643dd6
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/chachapoly.c
@@ -0,0 +1,540 @@
+/**
+ * \file chachapoly.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+/* Parameter validation macros */
+#define CHACHAPOLY_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define CHACHAPOLY_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define CHACHAPOLY_STATE_INIT       ( 0 )
+#define CHACHAPOLY_STATE_AAD        ( 1 )
+#define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
+#define CHACHAPOLY_STATE_FINISHED   ( 3 )
+
+/**
+ * \brief           Adds nul bytes to pad the AAD for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_aad( mbedtls_chachapoly_context *ctx )
+{
+    uint32_t partial_block_len = (uint32_t) ( ctx->aad_len % 16U );
+    unsigned char zeroes[15];
+
+    if( partial_block_len == 0U )
+        return( 0 );
+
+    memset( zeroes, 0, sizeof( zeroes ) );
+
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+                                     zeroes,
+                                     16U - partial_block_len ) );
+}
+
+/**
+ * \brief           Adds nul bytes to pad the ciphertext for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx )
+{
+    uint32_t partial_block_len = (uint32_t) ( ctx->ciphertext_len % 16U );
+    unsigned char zeroes[15];
+
+    if( partial_block_len == 0U )
+        return( 0 );
+
+    memset( zeroes, 0, sizeof( zeroes ) );
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+                                     zeroes,
+                                     16U - partial_block_len ) );
+}
+
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
+{
+    CHACHAPOLY_VALIDATE( ctx != NULL );
+
+    mbedtls_chacha20_init( &ctx->chacha20_ctx );
+    mbedtls_poly1305_init( &ctx->poly1305_ctx );
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_chacha20_free( &ctx->chacha20_ctx );
+    mbedtls_poly1305_free( &ctx->poly1305_ctx );
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+                               const unsigned char key[32] )
+{
+    int ret;
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
+
+    return( ret );
+}
+
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+                               const unsigned char nonce[12],
+                               mbedtls_chachapoly_mode_t mode  )
+{
+    int ret;
+    unsigned char poly1305_key[64];
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+
+    /* Set counter = 0, will be update to 1 when generating Poly1305 key */
+    ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
+    if( ret != 0 )
+        goto cleanup;
+
+    /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
+     * counter = 0.  This is the same as encrypting a buffer of zeroes.
+     * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+     * The other 256 bits are discarded.
+     */
+    memset( poly1305_key, 0, sizeof( poly1305_key ) );
+    ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ),
+                                      poly1305_key, poly1305_key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key );
+
+    if( ret == 0 )
+    {
+        ctx->aad_len        = 0U;
+        ctx->ciphertext_len = 0U;
+        ctx->state          = CHACHAPOLY_STATE_AAD;
+        ctx->mode           = mode;
+    }
+
+cleanup:
+    mbedtls_platform_zeroize( poly1305_key, 64U );
+    return( ret );
+}
+
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+                                   const unsigned char *aad,
+                                   size_t aad_len )
+{
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
+
+    if( ctx->state != CHACHAPOLY_STATE_AAD )
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+    ctx->aad_len += aad_len;
+
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad, aad_len ) );
+}
+
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+                               size_t len,
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    int ret;
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( len == 0 || input != NULL );
+    CHACHAPOLY_VALIDATE_RET( len == 0 || output != NULL );
+
+    if( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
+        ( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) )
+    {
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    }
+
+    if( ctx->state == CHACHAPOLY_STATE_AAD )
+    {
+        ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
+
+        ret = chachapoly_pad_aad( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    ctx->ciphertext_len += len;
+
+    if( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT )
+    {
+        ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+        if( ret != 0 )
+            return( ret );
+
+        ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, output, len );
+        if( ret != 0 )
+            return( ret );
+    }
+    else /* DECRYPT */
+    {
+        ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, input, len );
+        if( ret != 0 )
+            return( ret );
+
+        ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+                               unsigned char mac[16] )
+{
+    int ret;
+    unsigned char len_block[16];
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( mac != NULL );
+
+    if( ctx->state == CHACHAPOLY_STATE_INIT )
+    {
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    }
+
+    if( ctx->state == CHACHAPOLY_STATE_AAD )
+    {
+        ret = chachapoly_pad_aad( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+    else if( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT )
+    {
+        ret = chachapoly_pad_ciphertext( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    ctx->state = CHACHAPOLY_STATE_FINISHED;
+
+    /* The lengths of the AAD and ciphertext are processed by
+     * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+     */
+    len_block[ 0] = (unsigned char)( ctx->aad_len       );
+    len_block[ 1] = (unsigned char)( ctx->aad_len >>  8 );
+    len_block[ 2] = (unsigned char)( ctx->aad_len >> 16 );
+    len_block[ 3] = (unsigned char)( ctx->aad_len >> 24 );
+    len_block[ 4] = (unsigned char)( ctx->aad_len >> 32 );
+    len_block[ 5] = (unsigned char)( ctx->aad_len >> 40 );
+    len_block[ 6] = (unsigned char)( ctx->aad_len >> 48 );
+    len_block[ 7] = (unsigned char)( ctx->aad_len >> 56 );
+    len_block[ 8] = (unsigned char)( ctx->ciphertext_len       );
+    len_block[ 9] = (unsigned char)( ctx->ciphertext_len >>  8 );
+    len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
+    len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
+    len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
+    len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
+    len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
+    len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
+
+    ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
+
+    return( ret );
+}
+
+static int chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                     mbedtls_chachapoly_mode_t mode,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char *input,
+                                     unsigned char *output,
+                                     unsigned char tag[16] )
+{
+    int ret;
+
+    ret = mbedtls_chachapoly_starts( ctx, nonce, mode );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update_aad( ctx, aad, aad_len );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update( ctx, length, input, output );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_finish( ctx, tag );
+
+cleanup:
+    return( ret );
+}
+
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                        size_t length,
+                                        const unsigned char nonce[12],
+                                        const unsigned char *aad,
+                                        size_t aad_len,
+                                        const unsigned char *input,
+                                        unsigned char *output,
+                                        unsigned char tag[16] )
+{
+    CHACHAPOLY_VALIDATE_RET( ctx   != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+    CHACHAPOLY_VALIDATE_RET( tag   != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad    != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || input  != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || output != NULL );
+
+    return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+                                      length, nonce, aad, aad_len,
+                                      input, output, tag ) );
+}
+
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char tag[16],
+                                     const unsigned char *input,
+                                     unsigned char *output )
+{
+    int ret;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+    CHACHAPOLY_VALIDATE_RET( ctx   != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+    CHACHAPOLY_VALIDATE_RET( tag   != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad    != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || input  != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || output != NULL );
+
+    if( ( ret = chachapoly_crypt_and_tag( ctx,
+                        MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
+                        aad, aad_len, input, output, check_tag ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < sizeof( check_tag ); i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_platform_zeroize( output, length );
+        return( MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] =
+{
+    {
+        0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+        0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+        0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+        0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+    }
+};
+
+static const unsigned char test_nonce[1][12] =
+{
+    {
+        0x07, 0x00, 0x00, 0x00,                         /* 32-bit common part */
+        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47  /* 64-bit IV */
+    }
+};
+
+static const unsigned char test_aad[1][12] =
+{
+    {
+        0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+        0xc4, 0xc5, 0xc6, 0xc7
+    }
+};
+
+static const size_t test_aad_len[1] =
+{
+    12U
+};
+
+static const unsigned char test_input[1][114] =
+{
+    {
+        0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+        0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+        0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+        0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+        0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+        0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+        0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+        0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+        0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+        0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+        0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+        0x74, 0x2e
+    }
+};
+
+static const unsigned char test_output[1][114] =
+{
+    {
+        0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+        0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+        0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+        0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+        0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+        0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+        0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+        0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+        0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+        0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+        0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+        0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+        0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+        0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+        0x61, 0x16
+    }
+};
+
+static const size_t test_input_len[1] =
+{
+    114U
+};
+
+static const unsigned char test_mac[1][16] =
+{
+    {
+        0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+        0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+    }
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chachapoly_self_test( int verbose )
+{
+    mbedtls_chachapoly_context ctx;
+    unsigned i;
+    int ret;
+    unsigned char output[200];
+    unsigned char mac[16];
+
+    for( i = 0U; i < 1U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ChaCha20-Poly1305 test %u ", i );
+
+        mbedtls_chachapoly_init( &ctx );
+
+        ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
+        ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
+
+        ret = mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                                  test_input_len[i],
+                                                  test_nonce[i],
+                                                  test_aad[i],
+                                                  test_aad_len[i],
+                                                  test_input[i],
+                                                  output,
+                                                  mac );
+
+        ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ),
+                ( "failure (wrong output)\n" ) );
+
+        ASSERT( 0 == memcmp( mac, test_mac[i], 16U ),
+                ( "failure (wrong MAC)\n" ) );
+
+        mbedtls_chachapoly_free( &ctx );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CHACHAPOLY_C */
diff --git a/ctrtool/deps/libmbedtls/src/cipher.c b/ctrtool/deps/libmbedtls/src/cipher.c
new file mode 100644
index 00000000..8d010b59
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/cipher.c
@@ -0,0 +1,1158 @@
+/**
+ * \file cipher.c
+ *
+ * \brief Generic cipher wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher.h"
+#include "mbedtls/cipher_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#define CIPHER_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
+#define CIPHER_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/* Compare the contents of two buffers in constant time.
+ * Returns 0 if the contents are bitwise identical, otherwise returns
+ * a non-zero value.
+ * This is currently only used by GCM and ChaCha20+Poly1305.
+ */
+static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
+{
+    const unsigned char *p1 = (const unsigned char*) v1;
+    const unsigned char *p2 = (const unsigned char*) v2;
+    size_t i;
+    unsigned char diff;
+
+    for( diff = 0, i = 0; i < len; i++ )
+        diff |= p1[i] ^ p2[i];
+
+    return( (int)diff );
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+static int supported_init = 0;
+
+const int *mbedtls_cipher_list( void )
+{
+    const mbedtls_cipher_definition_t *def;
+    int *type;
+
+    if( ! supported_init )
+    {
+        def = mbedtls_cipher_definitions;
+        type = mbedtls_cipher_supported;
+
+        while( def->type != 0 )
+            *type++ = (*def++).type;
+
+        *type = 0;
+
+        supported_init = 1;
+    }
+
+    return( mbedtls_cipher_supported );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( def->type == cipher_type )
+            return( def->info );
+
+    return( NULL );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    if( NULL == cipher_name )
+        return( NULL );
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( !  strcmp( def->info->name, cipher_name ) )
+            return( def->info );
+
+    return( NULL );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
+                                              int key_bitlen,
+                                              const mbedtls_cipher_mode_t mode )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( def->info->base->cipher == cipher_id &&
+            def->info->key_bitlen == (unsigned) key_bitlen &&
+            def->info->mode == mode )
+            return( def->info );
+
+    return( NULL );
+}
+
+void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
+{
+    CIPHER_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
+}
+
+void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_CMAC_C)
+    if( ctx->cmac_ctx )
+    {
+       mbedtls_platform_zeroize( ctx->cmac_ctx,
+                                 sizeof( mbedtls_cmac_context_t ) );
+       mbedtls_free( ctx->cmac_ctx );
+    }
+#endif
+
+    if( ctx->cipher_ctx )
+        ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
+
+    mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
+}
+
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
+
+    if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
+        return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
+
+    ctx->cipher_info = cipher_info;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /*
+     * Ignore possible errors caused by a cipher mode that doesn't use padding
+     */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
+#else
+    (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+    return( 0 );
+}
+
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *key,
+                           int key_bitlen,
+                           const mbedtls_operation_t operation )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( key != NULL );
+    CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
+                         operation == MBEDTLS_DECRYPT );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
+        (int) ctx->cipher_info->key_bitlen != key_bitlen )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    ctx->key_bitlen = key_bitlen;
+    ctx->operation = operation;
+
+    /*
+     * For OFB, CFB and CTR mode always use the encryption key schedule
+     */
+    if( MBEDTLS_ENCRYPT == operation ||
+        MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
+    {
+        return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
+                                                         ctx->key_bitlen ) );
+    }
+
+    if( MBEDTLS_DECRYPT == operation )
+        return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
+                                                         ctx->key_bitlen ) );
+
+    return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+}
+
+int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *iv,
+                           size_t iv_len )
+{
+    size_t actual_iv_size;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* avoid buffer overflow in ctx->iv */
+    if( iv_len > MBEDTLS_MAX_IV_LENGTH )
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+    if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
+        actual_iv_size = iv_len;
+    else
+    {
+        actual_iv_size = ctx->cipher_info->iv_size;
+
+        /* avoid reading past the end of input buffer */
+        if( actual_iv_size > iv_len )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_CHACHA20_C)
+    if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
+    {
+        if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
+                                           iv,
+                                           0U ) ) /* Initial counter value */
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+    }
+#endif
+
+    if ( actual_iv_size != 0 )
+    {
+        memcpy( ctx->iv, iv, actual_iv_size );
+        ctx->iv_size = actual_iv_size;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    ctx->unprocessed_len = 0;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *ad, size_t ad_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
+                                    ctx->iv, ctx->iv_size, ad, ad_len ) );
+    }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        int result;
+        mbedtls_chachapoly_mode_t mode;
+
+        mode = ( ctx->operation == MBEDTLS_ENCRYPT )
+                ? MBEDTLS_CHACHAPOLY_ENCRYPT
+                : MBEDTLS_CHACHAPOLY_DECRYPT;
+
+        result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                                        ctx->iv,
+                                                        mode );
+        if ( result != 0 )
+            return( result );
+
+        return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                               ad, ad_len ) );
+    }
+#endif
+
+    return( 0 );
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
+                   size_t ilen, unsigned char *output, size_t *olen )
+{
+    int ret;
+    size_t block_size;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *olen = 0;
+    block_size = mbedtls_cipher_get_block_size( ctx );
+    if ( 0 == block_size )
+    {
+        return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
+    }
+
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
+    {
+        if( ilen != block_size )
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+        *olen = ilen;
+
+        if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
+                    ctx->operation, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_GCM_C)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
+    {
+        *olen = ilen;
+        return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
+                                    output ) );
+    }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
+    {
+        *olen = ilen;
+        return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                           ilen, input, output ) );
+    }
+#endif
+
+    if( input == output &&
+       ( ctx->unprocessed_len != 0 || ilen % block_size ) )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
+    {
+        size_t copy_len = 0;
+
+        /*
+         * If there is not enough data for a full block, cache it.
+         */
+        if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
+                ilen <= block_size - ctx->unprocessed_len ) ||
+            ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
+                ilen < block_size - ctx->unprocessed_len ) ||
+             ( ctx->operation == MBEDTLS_ENCRYPT &&
+                ilen < block_size - ctx->unprocessed_len ) )
+        {
+            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
+                    ilen );
+
+            ctx->unprocessed_len += ilen;
+            return( 0 );
+        }
+
+        /*
+         * Process cached data first
+         */
+        if( 0 != ctx->unprocessed_len )
+        {
+            copy_len = block_size - ctx->unprocessed_len;
+
+            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
+                    copy_len );
+
+            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                    ctx->operation, block_size, ctx->iv,
+                    ctx->unprocessed_data, output ) ) )
+            {
+                return( ret );
+            }
+
+            *olen += block_size;
+            output += block_size;
+            ctx->unprocessed_len = 0;
+
+            input += copy_len;
+            ilen -= copy_len;
+        }
+
+        /*
+         * Cache final, incomplete block
+         */
+        if( 0 != ilen )
+        {
+            /* Encryption: only cache partial blocks
+             * Decryption w/ padding: always keep at least one whole block
+             * Decryption w/o padding: only cache partial blocks
+             */
+            copy_len = ilen % block_size;
+            if( copy_len == 0 &&
+                ctx->operation == MBEDTLS_DECRYPT &&
+                NULL != ctx->add_padding)
+            {
+                copy_len = block_size;
+            }
+
+            memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
+                    copy_len );
+
+            ctx->unprocessed_len += copy_len;
+            ilen -= copy_len;
+        }
+
+        /*
+         * Process remaining full blocks
+         */
+        if( ilen )
+        {
+            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                    ctx->operation, ilen, ctx->iv, input, output ) ) )
+            {
+                return( ret );
+            }
+
+            *olen += ilen;
+        }
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
+                ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
+                input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
+                ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
+                ilen, &ctx->unprocessed_len, ctx->iv,
+                ctx->unprocessed_data, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
+    {
+        if( ctx->unprocessed_len > 0 ) {
+            /* We can only process an entire data unit at a time. */
+            return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+        }
+
+        ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
+                ctx->operation, ilen, ctx->iv, input, output );
+        if( ret != 0 )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
+                                                    ilen, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_STREAM */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+/*
+ * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
+ */
+static void add_pkcs_padding( unsigned char *output, size_t output_len,
+        size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i;
+
+    for( i = 0; i < padding_len; i++ )
+        output[data_len + i] = (unsigned char) padding_len;
+}
+
+static int get_pkcs_padding( unsigned char *input, size_t input_len,
+        size_t *data_len )
+{
+    size_t i, pad_idx;
+    unsigned char padding_len, bad = 0;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    padding_len = input[input_len - 1];
+    *data_len = input_len - padding_len;
+
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len,
+     * so pick input_len, which is usually 8 or 16 (one block) */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len; i++ )
+        bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+/*
+ * One and zeros padding: fill with 80 00 ... 00
+ */
+static void add_one_and_zeros_padding( unsigned char *output,
+                                       size_t output_len, size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i = 0;
+
+    output[data_len] = 0x80;
+    for( i = 1; i < padding_len; i++ )
+        output[data_len + i] = 0x00;
+}
+
+static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
+                                      size_t *data_len )
+{
+    size_t i;
+    unsigned char done = 0, prev_done, bad;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    bad = 0x80;
+    *data_len = 0;
+    for( i = input_len; i > 0; i-- )
+    {
+        prev_done = done;
+        done |= ( input[i - 1] != 0 );
+        *data_len |= ( i - 1 ) * ( done != prev_done );
+        bad ^= input[i - 1] * ( done != prev_done );
+    }
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+/*
+ * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
+ */
+static void add_zeros_and_len_padding( unsigned char *output,
+                                       size_t output_len, size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i = 0;
+
+    for( i = 1; i < padding_len; i++ )
+        output[data_len + i - 1] = 0x00;
+    output[output_len - 1] = (unsigned char) padding_len;
+}
+
+static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
+                                      size_t *data_len )
+{
+    size_t i, pad_idx;
+    unsigned char padding_len, bad = 0;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    padding_len = input[input_len - 1];
+    *data_len = input_len - padding_len;
+
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len - 1; i++ )
+        bad |= input[i] * ( i >= pad_idx );
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+/*
+ * Zero padding: fill with 00 ... 00
+ */
+static void add_zeros_padding( unsigned char *output,
+                               size_t output_len, size_t data_len )
+{
+    size_t i;
+
+    for( i = data_len; i < output_len; i++ )
+        output[i] = 0x00;
+}
+
+static int get_zeros_padding( unsigned char *input, size_t input_len,
+                              size_t *data_len )
+{
+    size_t i;
+    unsigned char done = 0, prev_done;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *data_len = 0;
+    for( i = input_len; i > 0; i-- )
+    {
+        prev_done = done;
+        done |= ( input[i-1] != 0 );
+        *data_len |= i * ( done != prev_done );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+
+/*
+ * No padding: don't pad :)
+ *
+ * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
+ * but a trivial get_padding function
+ */
+static int get_no_padding( unsigned char *input, size_t input_len,
+                              size_t *data_len )
+{
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *data_len = input_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
+                   unsigned char *output, size_t *olen )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *olen = 0;
+
+    if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
+    {
+        return( 0 );
+    }
+
+    if ( ( MBEDTLS_CIPHER_CHACHA20          == ctx->cipher_info->type ) ||
+         ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
+    {
+        return( 0 );
+    }
+
+    if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
+    {
+        if( ctx->unprocessed_len != 0 )
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
+    {
+        int ret = 0;
+
+        if( MBEDTLS_ENCRYPT == ctx->operation )
+        {
+            /* check for 'no padding' mode */
+            if( NULL == ctx->add_padding )
+            {
+                if( 0 != ctx->unprocessed_len )
+                    return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+                return( 0 );
+            }
+
+            ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
+                    ctx->unprocessed_len );
+        }
+        else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
+        {
+            /*
+             * For decrypt operations, expect a full block,
+             * or an empty block if no padding
+             */
+            if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
+                return( 0 );
+
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+        }
+
+        /* cipher block */
+        if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
+                ctx->unprocessed_data, output ) ) )
+        {
+            return( ret );
+        }
+
+        /* Set output size for decryption */
+        if( MBEDTLS_DECRYPT == ctx->operation )
+            return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
+                                      olen ) );
+
+        /* Set output size for encryption */
+        *olen = mbedtls_cipher_get_block_size( ctx );
+        return( 0 );
+    }
+#else
+    ((void) output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
+                                     mbedtls_cipher_padding_t mode )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+
+    if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    switch( mode )
+    {
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    case MBEDTLS_PADDING_PKCS7:
+        ctx->add_padding = add_pkcs_padding;
+        ctx->get_padding = get_pkcs_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    case MBEDTLS_PADDING_ONE_AND_ZEROS:
+        ctx->add_padding = add_one_and_zeros_padding;
+        ctx->get_padding = get_one_and_zeros_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    case MBEDTLS_PADDING_ZEROS_AND_LEN:
+        ctx->add_padding = add_zeros_and_len_padding;
+        ctx->get_padding = get_zeros_and_len_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    case MBEDTLS_PADDING_ZEROS:
+        ctx->add_padding = add_zeros_padding;
+        ctx->get_padding = get_zeros_padding;
+        break;
+#endif
+    case MBEDTLS_PADDING_NONE:
+        ctx->add_padding = NULL;
+        ctx->get_padding = get_no_padding;
+        break;
+
+    default:
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
+                      unsigned char *tag, size_t tag_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_ENCRYPT != ctx->operation )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+        return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
+                                    tag, tag_len ) );
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* Don't allow truncated MAC for Poly1305 */
+        if ( tag_len != 16U )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                           tag ) );
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *tag, size_t tag_len )
+{
+    unsigned char check_tag[16];
+    int ret;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_DECRYPT != ctx->operation )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        if( tag_len > sizeof( check_tag ) )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
+                                     check_tag, tag_len ) ) )
+        {
+            return( ret );
+        }
+
+        /* Check the tag in "constant-time" */
+        if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* Don't allow truncated MAC for Poly1305 */
+        if ( tag_len != sizeof( check_tag ) )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                                     check_tag );
+        if ( ret != 0 )
+        {
+            return( ret );
+        }
+
+        /* Check the tag in "constant-time" */
+        if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/*
+ * Packet-oriented wrapper for non-AEAD modes
+ */
+int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
+                  const unsigned char *iv, size_t iv_len,
+                  const unsigned char *input, size_t ilen,
+                  unsigned char *output, size_t *olen )
+{
+    int ret;
+    size_t finish_olen;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+
+    if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
+        return( ret );
+
+    *olen += finish_olen;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/*
+ * Packet-oriented encryption for AEAD modes
+ */
+int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         unsigned char *tag, size_t tag_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        *olen = ilen;
+        return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
+                                   iv, iv_len, ad, ad_len, input, output,
+                                   tag_len, tag ) );
+    }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+    if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
+    {
+        *olen = ilen;
+        return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
+                                     iv, iv_len, ad, ad_len, input, output,
+                                     tag, tag_len ) );
+    }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* ChachaPoly has fixed length nonce and MAC (tag) */
+        if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+             ( tag_len != 16U ) )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        *olen = ilen;
+        return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
+                                ilen, iv, ad, ad_len, input, output, tag ) );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+/*
+ * Packet-oriented decryption for AEAD modes
+ */
+int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         const unsigned char *tag, size_t tag_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        int ret;
+
+        *olen = ilen;
+        ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, iv_len, ad, ad_len,
+                                tag, tag_len, input, output );
+
+        if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+    if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
+    {
+        int ret;
+
+        *olen = ilen;
+        ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, iv_len, ad, ad_len,
+                                input, output, tag, tag_len );
+
+        if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        int ret;
+
+        /* ChachaPoly has fixed length nonce and MAC (tag) */
+        if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+             ( tag_len != 16U ) )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        *olen = ilen;
+        ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, ad, ad_len, tag, input, output );
+
+        if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/ctrtool/deps/libmbedtls/src/cipher_wrap.c b/ctrtool/deps/libmbedtls/src/cipher_wrap.c
new file mode 100644
index 00000000..6dd8c5d3
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/cipher_wrap.c
@@ -0,0 +1,2272 @@
+/**
+ * \file cipher_wrap.c
+ *
+ * \brief Generic cipher wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher_internal.h"
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+#include "mbedtls/blowfish.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#include <string.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+/* shared by all GCM ciphers */
+static void *gcm_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_gcm_context ) );
+
+    if( ctx != NULL )
+        mbedtls_gcm_init( (mbedtls_gcm_context *) ctx );
+
+    return( ctx );
+}
+
+static void gcm_ctx_free( void *ctx )
+{
+    mbedtls_gcm_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+/* shared by all CCM ciphers */
+static void *ccm_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ccm_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ccm_init( (mbedtls_ccm_context *) ctx );
+
+    return( ctx );
+}
+
+static void ccm_ctx_free( void *ctx )
+{
+    mbedtls_ccm_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_AES_C)
+
+static int aes_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ecb( (mbedtls_aes_context *) ctx, operation, input, output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aes_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_cbc( (mbedtls_aes_context *) ctx, operation, length, iv, input,
+                          output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aes_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_cfb128( (mbedtls_aes_context *) ctx, operation, length, iv_off, iv,
+                             input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static int aes_crypt_ofb_wrap( void *ctx, size_t length, size_t *iv_off,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ofb( (mbedtls_aes_context *) ctx, length, iv_off,
+                                    iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aes_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ctr( (mbedtls_aes_context *) ctx, length, nc_off, nonce_counter,
+                          stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int aes_crypt_xts_wrap( void *ctx, mbedtls_operation_t operation,
+                               size_t length,
+                               const unsigned char data_unit[16],
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    int mode;
+
+    switch( operation )
+    {
+        case MBEDTLS_ENCRYPT:
+            mode = MBEDTLS_AES_ENCRYPT;
+            break;
+        case MBEDTLS_DECRYPT:
+            mode = MBEDTLS_AES_DECRYPT;
+            break;
+        default:
+            return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+    }
+
+    return mbedtls_aes_crypt_xts( xts_ctx, mode, length,
+                                  data_unit, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+static int aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_aes_setkey_dec( (mbedtls_aes_context *) ctx, key, key_bitlen );
+}
+
+static int aes_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_aes_setkey_enc( (mbedtls_aes_context *) ctx, key, key_bitlen );
+}
+
+static void * aes_ctx_alloc( void )
+{
+    mbedtls_aes_context *aes = mbedtls_calloc( 1, sizeof( mbedtls_aes_context ) );
+
+    if( aes == NULL )
+        return( NULL );
+
+    mbedtls_aes_init( aes );
+
+    return( aes );
+}
+
+static void aes_ctx_free( void *ctx )
+{
+    mbedtls_aes_free( (mbedtls_aes_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    aes_crypt_ofb_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    aes_setkey_enc_wrap,
+    aes_setkey_dec_wrap,
+    aes_ctx_alloc,
+    aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_ecb_info = {
+    MBEDTLS_CIPHER_AES_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "AES-128-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ecb_info = {
+    MBEDTLS_CIPHER_AES_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "AES-192-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ecb_info = {
+    MBEDTLS_CIPHER_AES_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "AES-256-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aes_128_cbc_info = {
+    MBEDTLS_CIPHER_AES_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "AES-128-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_cbc_info = {
+    MBEDTLS_CIPHER_AES_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "AES-192-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_cbc_info = {
+    MBEDTLS_CIPHER_AES_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "AES-256-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aes_128_cfb128_info = {
+    MBEDTLS_CIPHER_AES_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "AES-128-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_cfb128_info = {
+    MBEDTLS_CIPHER_AES_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "AES-192-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_cfb128_info = {
+    MBEDTLS_CIPHER_AES_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "AES-256-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static const mbedtls_cipher_info_t aes_128_ofb_info = {
+    MBEDTLS_CIPHER_AES_128_OFB,
+    MBEDTLS_MODE_OFB,
+    128,
+    "AES-128-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ofb_info = {
+    MBEDTLS_CIPHER_AES_192_OFB,
+    MBEDTLS_MODE_OFB,
+    192,
+    "AES-192-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ofb_info = {
+    MBEDTLS_CIPHER_AES_256_OFB,
+    MBEDTLS_MODE_OFB,
+    256,
+    "AES-256-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aes_128_ctr_info = {
+    MBEDTLS_CIPHER_AES_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "AES-128-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ctr_info = {
+    MBEDTLS_CIPHER_AES_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "AES-192-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ctr_info = {
+    MBEDTLS_CIPHER_AES_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "AES-256-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int xts_aes_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                    unsigned int key_bitlen )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    return( mbedtls_aes_xts_setkey_enc( xts_ctx, key, key_bitlen ) );
+}
+
+static int xts_aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                    unsigned int key_bitlen )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    return( mbedtls_aes_xts_setkey_dec( xts_ctx, key, key_bitlen ) );
+}
+
+static void *xts_aes_ctx_alloc( void )
+{
+    mbedtls_aes_xts_context *xts_ctx = mbedtls_calloc( 1, sizeof( *xts_ctx ) );
+
+    if( xts_ctx != NULL )
+        mbedtls_aes_xts_init( xts_ctx );
+
+    return( xts_ctx );
+}
+
+static void xts_aes_ctx_free( void *ctx )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+
+    if( xts_ctx == NULL )
+        return;
+
+    mbedtls_aes_xts_free( xts_ctx );
+    mbedtls_free( xts_ctx );
+}
+
+static const mbedtls_cipher_base_t xts_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    aes_crypt_xts_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    xts_aes_setkey_enc_wrap,
+    xts_aes_setkey_dec_wrap,
+    xts_aes_ctx_alloc,
+    xts_aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_xts_info = {
+    MBEDTLS_CIPHER_AES_128_XTS,
+    MBEDTLS_MODE_XTS,
+    256,
+    "AES-128-XTS",
+    16,
+    0,
+    16,
+    &xts_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_xts_info = {
+    MBEDTLS_CIPHER_AES_256_XTS,
+    MBEDTLS_MODE_XTS,
+    512,
+    "AES-256-XTS",
+    16,
+    0,
+    16,
+    &xts_aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aes_setkey_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_aes_setkey_wrap,
+    gcm_aes_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_gcm_info = {
+    MBEDTLS_CIPHER_AES_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "AES-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_gcm_info = {
+    MBEDTLS_CIPHER_AES_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "AES-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_gcm_info = {
+    MBEDTLS_CIPHER_AES_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "AES-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aes_setkey_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_aes_setkey_wrap,
+    ccm_aes_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_ccm_info = {
+    MBEDTLS_CIPHER_AES_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "AES-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ccm_info = {
+    MBEDTLS_CIPHER_AES_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "AES-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ccm_info = {
+    MBEDTLS_CIPHER_AES_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "AES-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+static int camellia_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_ecb( (mbedtls_camellia_context *) ctx, operation, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int camellia_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_cbc( (mbedtls_camellia_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int camellia_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_cfb128( (mbedtls_camellia_context *) ctx, operation, length,
+                                  iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int camellia_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_ctr( (mbedtls_camellia_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int camellia_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_camellia_setkey_dec( (mbedtls_camellia_context *) ctx, key, key_bitlen );
+}
+
+static int camellia_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_camellia_setkey_enc( (mbedtls_camellia_context *) ctx, key, key_bitlen );
+}
+
+static void * camellia_ctx_alloc( void )
+{
+    mbedtls_camellia_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_camellia_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_camellia_init( ctx );
+
+    return( ctx );
+}
+
+static void camellia_ctx_free( void *ctx )
+{
+    mbedtls_camellia_free( (mbedtls_camellia_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    camellia_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    camellia_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    camellia_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    camellia_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    camellia_setkey_enc_wrap,
+    camellia_setkey_dec_wrap,
+    camellia_ctx_alloc,
+    camellia_ctx_free
+};
+
+static const mbedtls_cipher_info_t camellia_128_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "CAMELLIA-128-ECB",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "CAMELLIA-192-ECB",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "CAMELLIA-256-ECB",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t camellia_128_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "CAMELLIA-128-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "CAMELLIA-192-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "CAMELLIA-256-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t camellia_128_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "CAMELLIA-128-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "CAMELLIA-192-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "CAMELLIA-256-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t camellia_128_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "CAMELLIA-128-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "CAMELLIA-192-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "CAMELLIA-256-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_camellia_setkey_wrap,
+    gcm_camellia_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "CAMELLIA-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "CAMELLIA-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "CAMELLIA-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_camellia_setkey_wrap,
+    ccm_camellia_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "CAMELLIA-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "CAMELLIA-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "CAMELLIA-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+
+static int aria_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    (void) operation;
+    return mbedtls_aria_crypt_ecb( (mbedtls_aria_context *) ctx, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aria_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aria_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_cfb128( (mbedtls_aria_context *) ctx, operation, length,
+                                  iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aria_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_ctr( (mbedtls_aria_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int aria_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_aria_setkey_dec( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static int aria_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_aria_setkey_enc( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static void * aria_ctx_alloc( void )
+{
+    mbedtls_aria_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_aria_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_aria_init( ctx );
+
+    return( ctx );
+}
+
+static void aria_ctx_free( void *ctx )
+{
+    mbedtls_aria_free( (mbedtls_aria_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    aria_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    aria_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    aria_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    aria_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    aria_setkey_enc_wrap,
+    aria_setkey_dec_wrap,
+    aria_ctx_alloc,
+    aria_ctx_free
+};
+
+static const mbedtls_cipher_info_t aria_128_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "ARIA-128-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "ARIA-192-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "ARIA-256-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aria_128_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "ARIA-128-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "ARIA-192-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "ARIA-256-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aria_128_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "ARIA-128-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "ARIA-192-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "ARIA-256-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aria_128_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "ARIA-128-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "ARIA-192-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "ARIA-256-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_aria_setkey_wrap,
+    gcm_aria_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "ARIA-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "ARIA-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "ARIA-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_aria_setkey_wrap,
+    ccm_aria_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "ARIA-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "ARIA-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "ARIA-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+
+static int des_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    ((void) operation);
+    return mbedtls_des_crypt_ecb( (mbedtls_des_context *) ctx, input, output );
+}
+
+static int des3_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    ((void) operation);
+    return mbedtls_des3_crypt_ecb( (mbedtls_des3_context *) ctx, input, output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_des_crypt_cbc( (mbedtls_des_context *) ctx, operation, length, iv, input,
+                          output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des3_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_des3_crypt_cbc( (mbedtls_des3_context *) ctx, operation, length, iv, input,
+                           output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static int des_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des_setkey_dec( (mbedtls_des_context *) ctx, key );
+}
+
+static int des_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des_setkey_enc( (mbedtls_des_context *) ctx, key );
+}
+
+static int des3_set2key_dec_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set2key_dec( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set2key_enc_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set2key_enc( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set3key_dec_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set3key_dec( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set3key_enc_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set3key_enc( (mbedtls_des3_context *) ctx, key );
+}
+
+static void * des_ctx_alloc( void )
+{
+    mbedtls_des_context *des = mbedtls_calloc( 1, sizeof( mbedtls_des_context ) );
+
+    if( des == NULL )
+        return( NULL );
+
+    mbedtls_des_init( des );
+
+    return( des );
+}
+
+static void des_ctx_free( void *ctx )
+{
+    mbedtls_des_free( (mbedtls_des_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void * des3_ctx_alloc( void )
+{
+    mbedtls_des3_context *des3;
+    des3 = mbedtls_calloc( 1, sizeof( mbedtls_des3_context ) );
+
+    if( des3 == NULL )
+        return( NULL );
+
+    mbedtls_des3_init( des3 );
+
+    return( des3 );
+}
+
+static void des3_ctx_free( void *ctx )
+{
+    mbedtls_des3_free( (mbedtls_des3_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t des_info = {
+    MBEDTLS_CIPHER_ID_DES,
+    des_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des_setkey_enc_wrap,
+    des_setkey_dec_wrap,
+    des_ctx_alloc,
+    des_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ecb_info = {
+    MBEDTLS_CIPHER_DES_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES,
+    "DES-ECB",
+    8,
+    0,
+    8,
+    &des_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_cbc_info = {
+    MBEDTLS_CIPHER_DES_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES,
+    "DES-CBC",
+    8,
+    0,
+    8,
+    &des_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede_info = {
+    MBEDTLS_CIPHER_ID_DES,
+    des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des3_set2key_enc_wrap,
+    des3_set2key_dec_wrap,
+    des3_ctx_alloc,
+    des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede_ecb_info = {
+    MBEDTLS_CIPHER_DES_EDE_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES_EDE,
+    "DES-EDE-ECB",
+    8,
+    0,
+    8,
+    &des_ede_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede_cbc_info = {
+    MBEDTLS_CIPHER_DES_EDE_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES_EDE,
+    "DES-EDE-CBC",
+    8,
+    0,
+    8,
+    &des_ede_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede3_info = {
+    MBEDTLS_CIPHER_ID_3DES,
+    des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des3_set3key_enc_wrap,
+    des3_set3key_dec_wrap,
+    des3_ctx_alloc,
+    des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede3_ecb_info = {
+    MBEDTLS_CIPHER_DES_EDE3_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES_EDE3,
+    "DES-EDE3-ECB",
+    8,
+    0,
+    8,
+    &des_ede3_info
+};
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede3_cbc_info = {
+    MBEDTLS_CIPHER_DES_EDE3_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES_EDE3,
+    "DES-EDE3-CBC",
+    8,
+    0,
+    8,
+    &des_ede3_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+
+static int blowfish_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_ecb( (mbedtls_blowfish_context *) ctx, operation, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int blowfish_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv, const unsigned char *input,
+        unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_cbc( (mbedtls_blowfish_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int blowfish_crypt_cfb64_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_cfb64( (mbedtls_blowfish_context *) ctx, operation, length,
+                                 iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int blowfish_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_ctr( (mbedtls_blowfish_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int blowfish_setkey_wrap( void *ctx, const unsigned char *key,
+                                 unsigned int key_bitlen )
+{
+    return mbedtls_blowfish_setkey( (mbedtls_blowfish_context *) ctx, key, key_bitlen );
+}
+
+static void * blowfish_ctx_alloc( void )
+{
+    mbedtls_blowfish_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_blowfish_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_blowfish_init( ctx );
+
+    return( ctx );
+}
+
+static void blowfish_ctx_free( void *ctx )
+{
+    mbedtls_blowfish_free( (mbedtls_blowfish_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t blowfish_info = {
+    MBEDTLS_CIPHER_ID_BLOWFISH,
+    blowfish_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    blowfish_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    blowfish_crypt_cfb64_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    blowfish_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    blowfish_setkey_wrap,
+    blowfish_setkey_wrap,
+    blowfish_ctx_alloc,
+    blowfish_ctx_free
+};
+
+static const mbedtls_cipher_info_t blowfish_ecb_info = {
+    MBEDTLS_CIPHER_BLOWFISH_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "BLOWFISH-ECB",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t blowfish_cbc_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "BLOWFISH-CBC",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t blowfish_cfb64_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CFB64,
+    MBEDTLS_MODE_CFB,
+    128,
+    "BLOWFISH-CFB64",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t blowfish_ctr_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "BLOWFISH-CTR",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_ARC4_C)
+static int arc4_crypt_stream_wrap( void *ctx, size_t length,
+                                   const unsigned char *input,
+                                   unsigned char *output )
+{
+    return( mbedtls_arc4_crypt( (mbedtls_arc4_context *) ctx, length, input, output ) );
+}
+
+static int arc4_setkey_wrap( void *ctx, const unsigned char *key,
+                             unsigned int key_bitlen )
+{
+    /* we get key_bitlen in bits, arc4 expects it in bytes */
+    if( key_bitlen % 8 != 0 )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    mbedtls_arc4_setup( (mbedtls_arc4_context *) ctx, key, key_bitlen / 8 );
+    return( 0 );
+}
+
+static void * arc4_ctx_alloc( void )
+{
+    mbedtls_arc4_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_arc4_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_arc4_init( ctx );
+
+    return( ctx );
+}
+
+static void arc4_ctx_free( void *ctx )
+{
+    mbedtls_arc4_free( (mbedtls_arc4_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t arc4_base_info = {
+    MBEDTLS_CIPHER_ID_ARC4,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    arc4_crypt_stream_wrap,
+#endif
+    arc4_setkey_wrap,
+    arc4_setkey_wrap,
+    arc4_ctx_alloc,
+    arc4_ctx_free
+};
+
+static const mbedtls_cipher_info_t arc4_128_info = {
+    MBEDTLS_CIPHER_ARC4_128,
+    MBEDTLS_MODE_STREAM,
+    128,
+    "ARC4-128",
+    0,
+    0,
+    1,
+    &arc4_base_info
+};
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+static int chacha20_setkey_wrap( void *ctx, const unsigned char *key,
+                                 unsigned int key_bitlen )
+{
+    if( key_bitlen != 256U )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if ( 0 != mbedtls_chacha20_setkey( (mbedtls_chacha20_context*)ctx, key ) )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+static int chacha20_stream_wrap( void *ctx,  size_t length,
+                                 const unsigned char *input,
+                                 unsigned char *output )
+{
+    int ret;
+
+    ret = mbedtls_chacha20_update( ctx, length, input, output );
+    if( ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( ret );
+}
+
+static void * chacha20_ctx_alloc( void )
+{
+    mbedtls_chacha20_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_chacha20_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_chacha20_init( ctx );
+
+    return( ctx );
+}
+
+static void chacha20_ctx_free( void *ctx )
+{
+    mbedtls_chacha20_free( (mbedtls_chacha20_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chacha20_base_info = {
+    MBEDTLS_CIPHER_ID_CHACHA20,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    chacha20_stream_wrap,
+#endif
+    chacha20_setkey_wrap,
+    chacha20_setkey_wrap,
+    chacha20_ctx_alloc,
+    chacha20_ctx_free
+};
+static const mbedtls_cipher_info_t chacha20_info = {
+    MBEDTLS_CIPHER_CHACHA20,
+    MBEDTLS_MODE_STREAM,
+    256,
+    "CHACHA20",
+    12,
+    0,
+    1,
+    &chacha20_base_info
+};
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+static int chachapoly_setkey_wrap( void *ctx,
+                                   const unsigned char *key,
+                                   unsigned int key_bitlen )
+{
+    if( key_bitlen != 256U )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if ( 0 != mbedtls_chachapoly_setkey( (mbedtls_chachapoly_context*)ctx, key ) )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+static void * chachapoly_ctx_alloc( void )
+{
+    mbedtls_chachapoly_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_chachapoly_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_chachapoly_init( ctx );
+
+    return( ctx );
+}
+
+static void chachapoly_ctx_free( void *ctx )
+{
+    mbedtls_chachapoly_free( (mbedtls_chachapoly_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chachapoly_base_info = {
+    MBEDTLS_CIPHER_ID_CHACHA20,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    chachapoly_setkey_wrap,
+    chachapoly_setkey_wrap,
+    chachapoly_ctx_alloc,
+    chachapoly_ctx_free
+};
+static const mbedtls_cipher_info_t chachapoly_info = {
+    MBEDTLS_CIPHER_CHACHA20_POLY1305,
+    MBEDTLS_MODE_CHACHAPOLY,
+    256,
+    "CHACHA20-POLY1305",
+    12,
+    0,
+    1,
+    &chachapoly_base_info
+};
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+static int null_crypt_stream( void *ctx, size_t length,
+                              const unsigned char *input,
+                              unsigned char *output )
+{
+    ((void) ctx);
+    memmove( output, input, length );
+    return( 0 );
+}
+
+static int null_setkey( void *ctx, const unsigned char *key,
+                        unsigned int key_bitlen )
+{
+    ((void) ctx);
+    ((void) key);
+    ((void) key_bitlen);
+
+    return( 0 );
+}
+
+static void * null_ctx_alloc( void )
+{
+    return( (void *) 1 );
+}
+
+static void null_ctx_free( void *ctx )
+{
+    ((void) ctx);
+}
+
+static const mbedtls_cipher_base_t null_base_info = {
+    MBEDTLS_CIPHER_ID_NULL,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    null_crypt_stream,
+#endif
+    null_setkey,
+    null_setkey,
+    null_ctx_alloc,
+    null_ctx_free
+};
+
+static const mbedtls_cipher_info_t null_cipher_info = {
+    MBEDTLS_CIPHER_NULL,
+    MBEDTLS_MODE_STREAM,
+    0,
+    "NULL",
+    0,
+    0,
+    1,
+    &null_base_info
+};
+#endif /* defined(MBEDTLS_CIPHER_NULL_CIPHER) */
+
+const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
+{
+#if defined(MBEDTLS_AES_C)
+    { MBEDTLS_CIPHER_AES_128_ECB,          &aes_128_ecb_info },
+    { MBEDTLS_CIPHER_AES_192_ECB,          &aes_192_ecb_info },
+    { MBEDTLS_CIPHER_AES_256_ECB,          &aes_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_AES_128_CBC,          &aes_128_cbc_info },
+    { MBEDTLS_CIPHER_AES_192_CBC,          &aes_192_cbc_info },
+    { MBEDTLS_CIPHER_AES_256_CBC,          &aes_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_AES_128_CFB128,       &aes_128_cfb128_info },
+    { MBEDTLS_CIPHER_AES_192_CFB128,       &aes_192_cfb128_info },
+    { MBEDTLS_CIPHER_AES_256_CFB128,       &aes_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    { MBEDTLS_CIPHER_AES_128_OFB,          &aes_128_ofb_info },
+    { MBEDTLS_CIPHER_AES_192_OFB,          &aes_192_ofb_info },
+    { MBEDTLS_CIPHER_AES_256_OFB,          &aes_256_ofb_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_AES_128_CTR,          &aes_128_ctr_info },
+    { MBEDTLS_CIPHER_AES_192_CTR,          &aes_192_ctr_info },
+    { MBEDTLS_CIPHER_AES_256_CTR,          &aes_256_ctr_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    { MBEDTLS_CIPHER_AES_128_XTS,          &aes_128_xts_info },
+    { MBEDTLS_CIPHER_AES_256_XTS,          &aes_256_xts_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_AES_128_GCM,          &aes_128_gcm_info },
+    { MBEDTLS_CIPHER_AES_192_GCM,          &aes_192_gcm_info },
+    { MBEDTLS_CIPHER_AES_256_GCM,          &aes_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_AES_128_CCM,          &aes_128_ccm_info },
+    { MBEDTLS_CIPHER_AES_192_CCM,          &aes_192_ccm_info },
+    { MBEDTLS_CIPHER_AES_256_CCM,          &aes_256_ccm_info },
+#endif
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+    { MBEDTLS_CIPHER_ARC4_128,             &arc4_128_info },
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+    { MBEDTLS_CIPHER_BLOWFISH_ECB,         &blowfish_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_BLOWFISH_CBC,         &blowfish_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_BLOWFISH_CFB64,       &blowfish_cfb64_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_BLOWFISH_CTR,         &blowfish_ctr_info },
+#endif
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_ECB,     &camellia_128_ecb_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_ECB,     &camellia_192_ecb_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_ECB,     &camellia_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CBC,     &camellia_128_cbc_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CBC,     &camellia_192_cbc_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CBC,     &camellia_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  &camellia_128_cfb128_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  &camellia_192_cfb128_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  &camellia_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CTR,     &camellia_128_ctr_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CTR,     &camellia_192_ctr_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CTR,     &camellia_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_GCM,     &camellia_128_gcm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_GCM,     &camellia_192_gcm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_GCM,     &camellia_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CCM,     &camellia_128_ccm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CCM,     &camellia_192_ccm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CCM,     &camellia_256_ccm_info },
+#endif
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+    { MBEDTLS_CIPHER_ARIA_128_ECB,     &aria_128_ecb_info },
+    { MBEDTLS_CIPHER_ARIA_192_ECB,     &aria_192_ecb_info },
+    { MBEDTLS_CIPHER_ARIA_256_ECB,     &aria_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_ARIA_128_CBC,     &aria_128_cbc_info },
+    { MBEDTLS_CIPHER_ARIA_192_CBC,     &aria_192_cbc_info },
+    { MBEDTLS_CIPHER_ARIA_256_CBC,     &aria_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_ARIA_128_CFB128,  &aria_128_cfb128_info },
+    { MBEDTLS_CIPHER_ARIA_192_CFB128,  &aria_192_cfb128_info },
+    { MBEDTLS_CIPHER_ARIA_256_CFB128,  &aria_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_ARIA_128_CTR,     &aria_128_ctr_info },
+    { MBEDTLS_CIPHER_ARIA_192_CTR,     &aria_192_ctr_info },
+    { MBEDTLS_CIPHER_ARIA_256_CTR,     &aria_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_ARIA_128_GCM,     &aria_128_gcm_info },
+    { MBEDTLS_CIPHER_ARIA_192_GCM,     &aria_192_gcm_info },
+    { MBEDTLS_CIPHER_ARIA_256_GCM,     &aria_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_ARIA_128_CCM,     &aria_128_ccm_info },
+    { MBEDTLS_CIPHER_ARIA_192_CCM,     &aria_192_ccm_info },
+    { MBEDTLS_CIPHER_ARIA_256_CCM,     &aria_256_ccm_info },
+#endif
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+    { MBEDTLS_CIPHER_DES_ECB,              &des_ecb_info },
+    { MBEDTLS_CIPHER_DES_EDE_ECB,          &des_ede_ecb_info },
+    { MBEDTLS_CIPHER_DES_EDE3_ECB,         &des_ede3_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_DES_CBC,              &des_cbc_info },
+    { MBEDTLS_CIPHER_DES_EDE_CBC,          &des_ede_cbc_info },
+    { MBEDTLS_CIPHER_DES_EDE3_CBC,         &des_ede3_cbc_info },
+#endif
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+    { MBEDTLS_CIPHER_CHACHA20,             &chacha20_info },
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    { MBEDTLS_CIPHER_CHACHA20_POLY1305,    &chachapoly_info },
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    { MBEDTLS_CIPHER_NULL,                 &null_cipher_info },
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+    { MBEDTLS_CIPHER_NONE, NULL }
+};
+
+#define NUM_CIPHERS sizeof mbedtls_cipher_definitions / sizeof mbedtls_cipher_definitions[0]
+int mbedtls_cipher_supported[NUM_CIPHERS];
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/ctrtool/deps/libmbedtls/src/cmac.c b/ctrtool/deps/libmbedtls/src/cmac.c
new file mode 100644
index 00000000..5d101e1c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/cmac.c
@@ -0,0 +1,1078 @@
+/**
+ * \file cmac.c
+ *
+ * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
+ *      CMAC Mode for Authentication
+ *   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
+ *
+ * - RFC 4493 - The AES-CMAC Algorithm
+ *   https://tools.ietf.org/html/rfc4493
+ *
+ * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
+ *      Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
+ *      Algorithm for the Internet Key Exchange Protocol (IKE)
+ *   https://tools.ietf.org/html/rfc4615
+ *
+ *   Additional test vectors: ISO/IEC 9797-1
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+
+#include "mbedtls/cmac.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc     calloc
+#define mbedtls_free       free
+#if defined(MBEDTLS_SELF_TEST)
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_SELF_TEST */
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Multiplication by u in the Galois field of GF(2^n)
+ *
+ * As explained in NIST SP 800-38B, this can be computed:
+ *
+ *   If MSB(p) = 0, then p = (p << 1)
+ *   If MSB(p) = 1, then p = (p << 1) ^ R_n
+ *   with R_64 = 0x1B and  R_128 = 0x87
+ *
+ * Input and output MUST NOT point to the same buffer
+ * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
+ */
+static int cmac_multiply_by_u( unsigned char *output,
+                               const unsigned char *input,
+                               size_t blocksize )
+{
+    const unsigned char R_128 = 0x87;
+    const unsigned char R_64 = 0x1B;
+    unsigned char R_n, mask;
+    unsigned char overflow = 0x00;
+    int i;
+
+    if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
+    {
+        R_n = R_128;
+    }
+    else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
+    {
+        R_n = R_64;
+    }
+    else
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    for( i = (int)blocksize - 1; i >= 0; i-- )
+    {
+        output[i] = input[i] << 1 | overflow;
+        overflow = input[i] >> 7;
+    }
+
+    /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
+     * using bit operations to avoid branches */
+
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( input[0] >> 7 );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    output[ blocksize - 1 ] ^= R_n & mask;
+
+    return( 0 );
+}
+
+/*
+ * Generate subkeys
+ *
+ * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
+ */
+static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
+                                  unsigned char* K1, unsigned char* K2 )
+{
+    int ret;
+    unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    size_t olen, block_size;
+
+    mbedtls_platform_zeroize( L, sizeof( L ) );
+
+    block_size = ctx->cipher_info->block_size;
+
+    /* Calculate Ek(0) */
+    if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
+        goto exit;
+
+    /*
+     * Generate K1 and K2
+     */
+    if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
+        goto exit;
+
+    if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_platform_zeroize( L, sizeof( L ) );
+
+    return( ret );
+}
+#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
+
+#if !defined(MBEDTLS_CMAC_ALT)
+static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
+                            const unsigned char *input2,
+                            const size_t block_size )
+{
+    size_t idx;
+
+    for( idx = 0; idx < block_size; idx++ )
+        output[ idx ] = input1[ idx ] ^ input2[ idx ];
+}
+
+/*
+ * Create padded last block from (partial) last block.
+ *
+ * We can't use the padding option from the cipher layer, as it only works for
+ * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
+ */
+static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
+                      size_t padded_block_len,
+                      const unsigned char *last_block,
+                      size_t last_block_len )
+{
+    size_t j;
+
+    for( j = 0; j < padded_block_len; j++ )
+    {
+        if( j < last_block_len )
+            padded_block[j] = last_block[j];
+        else if( j == last_block_len )
+            padded_block[j] = 0x80;
+        else
+            padded_block[j] = 0x00;
+    }
+}
+
+int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *key, size_t keybits )
+{
+    mbedtls_cipher_type_t type;
+    mbedtls_cmac_context_t *cmac_ctx;
+    int retval;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
+                                          MBEDTLS_ENCRYPT ) ) != 0 )
+        return( retval );
+
+    type = ctx->cipher_info->type;
+
+    switch( type )
+    {
+        case MBEDTLS_CIPHER_AES_128_ECB:
+        case MBEDTLS_CIPHER_AES_192_ECB:
+        case MBEDTLS_CIPHER_AES_256_ECB:
+        case MBEDTLS_CIPHER_DES_EDE3_ECB:
+            break;
+        default:
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    /* Allocated and initialise in the cipher context memory for the CMAC
+     * context */
+    cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
+    if( cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
+
+    ctx->cmac_ctx = cmac_ctx;
+
+    mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
+
+    return 0;
+}
+
+int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *input, size_t ilen )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+    unsigned char *state;
+    int ret = 0;
+    size_t n, j, olen, block_size;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
+        ctx->cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+    block_size = ctx->cipher_info->block_size;
+    state = ctx->cmac_ctx->state;
+
+    /* Is there data still to process from the last call, that's greater in
+     * size than a block? */
+    if( cmac_ctx->unprocessed_len > 0 &&
+        ilen > block_size - cmac_ctx->unprocessed_len )
+    {
+        memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+                input,
+                block_size - cmac_ctx->unprocessed_len );
+
+        cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
+
+        if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                           &olen ) ) != 0 )
+        {
+           goto exit;
+        }
+
+        input += block_size - cmac_ctx->unprocessed_len;
+        ilen -= block_size - cmac_ctx->unprocessed_len;
+        cmac_ctx->unprocessed_len = 0;
+    }
+
+    /* n is the number of blocks including any final partial block */
+    n = ( ilen + block_size - 1 ) / block_size;
+
+    /* Iterate across the input data in block sized chunks, excluding any
+     * final partial or complete block */
+    for( j = 1; j < n; j++ )
+    {
+        cmac_xor_block( state, input, state, block_size );
+
+        if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                           &olen ) ) != 0 )
+           goto exit;
+
+        ilen -= block_size;
+        input += block_size;
+    }
+
+    /* If there is data left over that wasn't aligned to a block */
+    if( ilen > 0 )
+    {
+        memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+                input,
+                ilen );
+        cmac_ctx->unprocessed_len += ilen;
+    }
+
+exit:
+    return( ret );
+}
+
+int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
+                                unsigned char *output )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+    unsigned char *state, *last_block;
+    unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    int ret;
+    size_t olen, block_size;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
+        output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+    block_size = ctx->cipher_info->block_size;
+    state = cmac_ctx->state;
+
+    mbedtls_platform_zeroize( K1, sizeof( K1 ) );
+    mbedtls_platform_zeroize( K2, sizeof( K2 ) );
+    cmac_generate_subkeys( ctx, K1, K2 );
+
+    last_block = cmac_ctx->unprocessed_block;
+
+    /* Calculate last block */
+    if( cmac_ctx->unprocessed_len < block_size )
+    {
+        cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
+        cmac_xor_block( M_last, M_last, K2, block_size );
+    }
+    else
+    {
+        /* Last block is complete block */
+        cmac_xor_block( M_last, last_block, K1, block_size );
+    }
+
+
+    cmac_xor_block( state, M_last, state, block_size );
+    if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                       &olen ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    memcpy( output, state, block_size );
+
+exit:
+    /* Wipe the generated keys on the stack, and any other transients to avoid
+     * side channel leakage */
+    mbedtls_platform_zeroize( K1, sizeof( K1 ) );
+    mbedtls_platform_zeroize( K2, sizeof( K2 ) );
+
+    cmac_ctx->unprocessed_len = 0;
+    mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
+                              sizeof( cmac_ctx->unprocessed_block ) );
+
+    mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
+    return( ret );
+}
+
+int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+
+    /* Reset the internal state */
+    cmac_ctx->unprocessed_len = 0;
+    mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
+                              sizeof( cmac_ctx->unprocessed_block ) );
+    mbedtls_platform_zeroize( cmac_ctx->state,
+                              sizeof( cmac_ctx->state ) );
+
+    return( 0 );
+}
+
+int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output )
+{
+    mbedtls_cipher_context_t ctx;
+    int ret;
+
+    if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    mbedtls_cipher_init( &ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
+    if( ret != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
+    if( ret != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_finish( &ctx, output );
+
+exit:
+    mbedtls_cipher_free( &ctx );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
+ */
+int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
+                              const unsigned char *input, size_t in_len,
+                              unsigned char *output )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+    unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
+    unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
+
+    if( key == NULL || input == NULL || output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto exit;
+    }
+
+    if( key_length == MBEDTLS_AES_BLOCK_SIZE )
+    {
+        /* Use key as is */
+        memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
+    }
+    else
+    {
+        memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
+
+        ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
+                                   key_length, int_key );
+        if( ret != 0 )
+            goto exit;
+    }
+
+    ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
+                               output );
+
+exit:
+    mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* !MBEDTLS_CMAC_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * CMAC test data for SP800-38B
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
+ *
+ * AES-CMAC-PRF-128 test data from RFC 4615
+ * https://tools.ietf.org/html/rfc4615#page-4
+ */
+
+#define NB_CMAC_TESTS_PER_KEY 4
+#define NB_PRF_TESTS 3
+
+#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
+/* All CMAC test inputs are truncated from the same 64 byte buffer. */
+static const unsigned char test_message[] = {
+    /* PT */
+    0x6b, 0xc1, 0xbe, 0xe2,     0x2e, 0x40, 0x9f, 0x96,
+    0xe9, 0x3d, 0x7e, 0x11,     0x73, 0x93, 0x17, 0x2a,
+    0xae, 0x2d, 0x8a, 0x57,     0x1e, 0x03, 0xac, 0x9c,
+    0x9e, 0xb7, 0x6f, 0xac,     0x45, 0xaf, 0x8e, 0x51,
+    0x30, 0xc8, 0x1c, 0x46,     0xa3, 0x5c, 0xe4, 0x11,
+    0xe5, 0xfb, 0xc1, 0x19,     0x1a, 0x0a, 0x52, 0xef,
+    0xf6, 0x9f, 0x24, 0x45,     0xdf, 0x4f, 0x9b, 0x17,
+    0xad, 0x2b, 0x41, 0x7b,     0xe6, 0x6c, 0x37, 0x10
+};
+#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* Truncation point of message for AES CMAC tests  */
+static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+    /* Mlen */
+    0,
+    16,
+    20,
+    64
+};
+
+/* CMAC-AES128 Test Data */
+static const unsigned char aes_128_key[16] = {
+    0x2b, 0x7e, 0x15, 0x16,     0x28, 0xae, 0xd2, 0xa6,
+    0xab, 0xf7, 0x15, 0x88,     0x09, 0xcf, 0x4f, 0x3c
+};
+static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0xfb, 0xee, 0xd6, 0x18,     0x35, 0x71, 0x33, 0x66,
+        0x7c, 0x85, 0xe0, 0x8f,     0x72, 0x36, 0xa8, 0xde
+    },
+    {
+        /* K2 */
+        0xf7, 0xdd, 0xac, 0x30,     0x6a, 0xe2, 0x66, 0xcc,
+        0xf9, 0x0b, 0xc1, 0x1e,     0xe4, 0x6d, 0x51, 0x3b
+    }
+};
+static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0xbb, 0x1d, 0x69, 0x29,     0xe9, 0x59, 0x37, 0x28,
+        0x7f, 0xa3, 0x7d, 0x12,     0x9b, 0x75, 0x67, 0x46
+    },
+    {
+        /* Example #2 */
+        0x07, 0x0a, 0x16, 0xb4,     0x6b, 0x4d, 0x41, 0x44,
+        0xf7, 0x9b, 0xdd, 0x9d,     0xd0, 0x4a, 0x28, 0x7c
+    },
+    {
+        /* Example #3 */
+        0x7d, 0x85, 0x44, 0x9e,     0xa6, 0xea, 0x19, 0xc8,
+        0x23, 0xa7, 0xbf, 0x78,     0x83, 0x7d, 0xfa, 0xde
+    },
+    {
+        /* Example #4 */
+        0x51, 0xf0, 0xbe, 0xbf,     0x7e, 0x3b, 0x9d, 0x92,
+        0xfc, 0x49, 0x74, 0x17,     0x79, 0x36, 0x3c, 0xfe
+    }
+};
+
+/* CMAC-AES192 Test Data */
+static const unsigned char aes_192_key[24] = {
+    0x8e, 0x73, 0xb0, 0xf7,     0xda, 0x0e, 0x64, 0x52,
+    0xc8, 0x10, 0xf3, 0x2b,     0x80, 0x90, 0x79, 0xe5,
+    0x62, 0xf8, 0xea, 0xd2,     0x52, 0x2c, 0x6b, 0x7b
+};
+static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0x44, 0x8a, 0x5b, 0x1c,     0x93, 0x51, 0x4b, 0x27,
+        0x3e, 0xe6, 0x43, 0x9d,     0xd4, 0xda, 0xa2, 0x96
+    },
+    {
+        /* K2 */
+        0x89, 0x14, 0xb6, 0x39,     0x26, 0xa2, 0x96, 0x4e,
+        0x7d, 0xcc, 0x87, 0x3b,     0xa9, 0xb5, 0x45, 0x2c
+    }
+};
+static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0xd1, 0x7d, 0xdf, 0x46,     0xad, 0xaa, 0xcd, 0xe5,
+        0x31, 0xca, 0xc4, 0x83,     0xde, 0x7a, 0x93, 0x67
+    },
+    {
+        /* Example #2 */
+        0x9e, 0x99, 0xa7, 0xbf,     0x31, 0xe7, 0x10, 0x90,
+        0x06, 0x62, 0xf6, 0x5e,     0x61, 0x7c, 0x51, 0x84
+    },
+    {
+        /* Example #3 */
+        0x3d, 0x75, 0xc1, 0x94,     0xed, 0x96, 0x07, 0x04,
+        0x44, 0xa9, 0xfa, 0x7e,     0xc7, 0x40, 0xec, 0xf8
+    },
+    {
+        /* Example #4 */
+        0xa1, 0xd5, 0xdf, 0x0e,     0xed, 0x79, 0x0f, 0x79,
+        0x4d, 0x77, 0x58, 0x96,     0x59, 0xf3, 0x9a, 0x11
+    }
+};
+
+/* CMAC-AES256 Test Data */
+static const unsigned char aes_256_key[32] = {
+    0x60, 0x3d, 0xeb, 0x10,     0x15, 0xca, 0x71, 0xbe,
+    0x2b, 0x73, 0xae, 0xf0,     0x85, 0x7d, 0x77, 0x81,
+    0x1f, 0x35, 0x2c, 0x07,     0x3b, 0x61, 0x08, 0xd7,
+    0x2d, 0x98, 0x10, 0xa3,     0x09, 0x14, 0xdf, 0xf4
+};
+static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0xca, 0xd1, 0xed, 0x03,     0x29, 0x9e, 0xed, 0xac,
+        0x2e, 0x9a, 0x99, 0x80,     0x86, 0x21, 0x50, 0x2f
+    },
+    {
+        /* K2 */
+        0x95, 0xa3, 0xda, 0x06,     0x53, 0x3d, 0xdb, 0x58,
+        0x5d, 0x35, 0x33, 0x01,     0x0c, 0x42, 0xa0, 0xd9
+    }
+};
+static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0x02, 0x89, 0x62, 0xf6,     0x1b, 0x7b, 0xf8, 0x9e,
+        0xfc, 0x6b, 0x55, 0x1f,     0x46, 0x67, 0xd9, 0x83
+    },
+    {
+        /* Example #2 */
+        0x28, 0xa7, 0x02, 0x3f,     0x45, 0x2e, 0x8f, 0x82,
+        0xbd, 0x4b, 0xf2, 0x8d,     0x8c, 0x37, 0xc3, 0x5c
+    },
+    {
+        /* Example #3 */
+        0x15, 0x67, 0x27, 0xdc,     0x08, 0x78, 0x94, 0x4a,
+        0x02, 0x3c, 0x1f, 0xe0,     0x3b, 0xad, 0x6d, 0x93
+    },
+    {
+        /* Example #4 */
+        0xe1, 0x99, 0x21, 0x90,     0x54, 0x9f, 0x6e, 0xd5,
+        0x69, 0x6a, 0x2c, 0x05,     0x6c, 0x31, 0x54, 0x10
+    }
+};
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+/* Truncation point of message for 3DES CMAC tests  */
+static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+    0,
+    16,
+    20,
+    32
+};
+
+/* CMAC-TDES (Generation) - 2 Key Test Data */
+static const unsigned char des3_2key_key[24] = {
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xEF, 0x01,
+    /* Key3 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef
+};
+static const unsigned char des3_2key_subkeys[2][8] = {
+    {
+        /* K1 */
+        0x0d, 0xd2, 0xcb, 0x7a,     0x3d, 0x88, 0x88, 0xd9
+    },
+    {
+        /* K2 */
+        0x1b, 0xa5, 0x96, 0xf4,     0x7b, 0x11, 0x11, 0xb2
+    }
+};
+static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
+    {
+        /* Sample #1 */
+        0x79, 0xce, 0x52, 0xa7,     0xf7, 0x86, 0xa9, 0x60
+    },
+    {
+        /* Sample #2 */
+        0xcc, 0x18, 0xa0, 0xb7,     0x9a, 0xf2, 0x41, 0x3b
+    },
+    {
+        /* Sample #3 */
+        0xc0, 0x6d, 0x37, 0x7e,     0xcd, 0x10, 0x19, 0x69
+    },
+    {
+        /* Sample #4 */
+        0x9c, 0xd3, 0x35, 0x80,     0xf9, 0xb6, 0x4d, 0xfb
+    }
+};
+
+/* CMAC-TDES (Generation) - 3 Key Test Data */
+static const unsigned char des3_3key_key[24] = {
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xaa, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xef, 0x01,
+    /* Key3 */
+    0x45, 0x67, 0x89, 0xab,     0xcd, 0xef, 0x01, 0x23
+};
+static const unsigned char des3_3key_subkeys[2][8] = {
+    {
+        /* K1 */
+        0x9d, 0x74, 0xe7, 0x39,     0x33, 0x17, 0x96, 0xc0
+    },
+    {
+        /* K2 */
+        0x3a, 0xe9, 0xce, 0x72,     0x66, 0x2f, 0x2d, 0x9b
+    }
+};
+static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
+    {
+        /* Sample #1 */
+        0x7d, 0xb0, 0xd3, 0x7d,     0xf9, 0x36, 0xc5, 0x50
+    },
+    {
+        /* Sample #2 */
+        0x30, 0x23, 0x9c, 0xf1,     0xf5, 0x2e, 0x66, 0x09
+    },
+    {
+        /* Sample #3 */
+        0x6c, 0x9f, 0x3e, 0xe4,     0x92, 0x3f, 0x6b, 0xe2
+    },
+    {
+        /* Sample #4 */
+        0x99, 0x42, 0x9b, 0xd0,     0xbF, 0x79, 0x04, 0xe5
+    }
+};
+
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* AES AES-CMAC-PRF-128 Test Data */
+static const unsigned char PRFK[] = {
+    /* Key */
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
+    0xed, 0xcb
+};
+
+/* Sizes in bytes */
+static const size_t PRFKlen[NB_PRF_TESTS] = {
+    18,
+    16,
+    10
+};
+
+/* Message */
+static const unsigned char PRFM[] = {
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char PRFT[NB_PRF_TESTS][16] = {
+    {
+        0x84, 0xa3, 0x48, 0xa4,     0xa4, 0x5d, 0x23, 0x5b,
+        0xab, 0xff, 0xfc, 0x0d,     0x2b, 0x4d, 0xa0, 0x9a
+    },
+    {
+        0x98, 0x0a, 0xe8, 0x7b,     0x5f, 0x4c, 0x9c, 0x52,
+        0x14, 0xf5, 0xb6, 0xa8,     0x45, 0x5e, 0x4c, 0x2d
+    },
+    {
+        0x29, 0x0d, 0x9e, 0x11,     0x2e, 0xdb, 0x09, 0xee,
+        0x14, 0x1f, 0xcf, 0x64,     0xc0, 0xb7, 0x2f, 0x3d
+    }
+};
+#endif /* MBEDTLS_AES_C */
+
+static int cmac_test_subkeys( int verbose,
+                              const char* testname,
+                              const unsigned char* key,
+                              int keybits,
+                              const unsigned char* subkeys,
+                              mbedtls_cipher_type_t cipher_type,
+                              int block_size,
+                              int num_tests )
+{
+    int i, ret = 0;
+    mbedtls_cipher_context_t ctx;
+    const mbedtls_cipher_info_t *cipher_info;
+    unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+    }
+
+    for( i = 0; i < num_tests; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  %s CMAC subkey #%u: ", testname, i + 1 );
+
+        mbedtls_cipher_init( &ctx );
+
+        if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "test execution failed\n" );
+
+            goto cleanup;
+        }
+
+        if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
+                                       MBEDTLS_ENCRYPT ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "test execution failed\n" );
+
+            goto cleanup;
+        }
+
+        ret = cmac_generate_subkeys( &ctx, K1, K2 );
+        if( ret != 0 )
+        {
+           if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            goto cleanup;
+        }
+
+        if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0  ||
+            ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            goto cleanup;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_cipher_free( &ctx );
+    }
+
+    ret = 0;
+    goto exit;
+
+cleanup:
+    mbedtls_cipher_free( &ctx );
+
+exit:
+    return( ret );
+}
+
+static int cmac_test_wth_cipher( int verbose,
+                                 const char* testname,
+                                 const unsigned char* key,
+                                 int keybits,
+                                 const unsigned char* messages,
+                                 const unsigned int message_lengths[4],
+                                 const unsigned char* expected_result,
+                                 mbedtls_cipher_type_t cipher_type,
+                                 int block_size,
+                                 int num_tests )
+{
+    const mbedtls_cipher_info_t *cipher_info;
+    int i, ret = 0;
+    unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto exit;
+    }
+
+    for( i = 0; i < num_tests; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  %s CMAC #%u: ", testname, i + 1 );
+
+        if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
+                                         message_lengths[i], output ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+            goto exit;
+        }
+
+        if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+    ret = 0;
+
+exit:
+    return( ret );
+}
+
+#if defined(MBEDTLS_AES_C)
+static int test_aes128_cmac_prf( int verbose )
+{
+    int i;
+    int ret;
+    unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
+
+    for( i = 0; i < NB_PRF_TESTS; i++ )
+    {
+        mbedtls_printf( "  AES CMAC 128 PRF #%u: ", i );
+        ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
+        if( ret != 0 ||
+            memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
+        {
+
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( ret );
+        }
+        else if( verbose != 0 )
+        {
+            mbedtls_printf( "passed\n" );
+        }
+    }
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+int mbedtls_cmac_self_test( int verbose )
+{
+    int ret;
+
+#if defined(MBEDTLS_AES_C)
+    /* AES-128 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 128",
+                                   aes_128_key,
+                                   128,
+                                   (const unsigned char*)aes_128_subkeys,
+                                   MBEDTLS_CIPHER_AES_128_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "AES 128",
+                                      aes_128_key,
+                                      128,
+                                      test_message,
+                                      aes_message_lengths,
+                                      (const unsigned char*)aes_128_expected_result,
+                                      MBEDTLS_CIPHER_AES_128_ECB,
+                                      MBEDTLS_AES_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* AES-192 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 192",
+                                   aes_192_key,
+                                   192,
+                                   (const unsigned char*)aes_192_subkeys,
+                                   MBEDTLS_CIPHER_AES_192_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "AES 192",
+                                      aes_192_key,
+                                      192,
+                                      test_message,
+                                      aes_message_lengths,
+                                      (const unsigned char*)aes_192_expected_result,
+                                      MBEDTLS_CIPHER_AES_192_ECB,
+                                      MBEDTLS_AES_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* AES-256 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 256",
+                                   aes_256_key,
+                                   256,
+                                   (const unsigned char*)aes_256_subkeys,
+                                   MBEDTLS_CIPHER_AES_256_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher ( verbose,
+                                       "AES 256",
+                                       aes_256_key,
+                                       256,
+                                       test_message,
+                                       aes_message_lengths,
+                                       (const unsigned char*)aes_256_expected_result,
+                                       MBEDTLS_CIPHER_AES_256_ECB,
+                                       MBEDTLS_AES_BLOCK_SIZE,
+                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+    /* 3DES 2 key */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "3DES 2 key",
+                                   des3_2key_key,
+                                   192,
+                                   (const unsigned char*)des3_2key_subkeys,
+                                   MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                   MBEDTLS_DES3_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "3DES 2 key",
+                                      des3_2key_key,
+                                      192,
+                                      test_message,
+                                      des3_message_lengths,
+                                      (const unsigned char*)des3_2key_expected_result,
+                                      MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                      MBEDTLS_DES3_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* 3DES 3 key */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "3DES 3 key",
+                                   des3_3key_key,
+                                   192,
+                                   (const unsigned char*)des3_3key_subkeys,
+                                   MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                   MBEDTLS_DES3_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "3DES 3 key",
+                                      des3_3key_key,
+                                      192,
+                                      test_message,
+                                      des3_message_lengths,
+                                      (const unsigned char*)des3_3key_expected_result,
+                                      MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                      MBEDTLS_DES3_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+    if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_AES_C */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CMAC_C */
diff --git a/ctrtool/deps/libmbedtls/src/ctr_drbg.c b/ctrtool/deps/libmbedtls/src/ctr_drbg.c
new file mode 100644
index 00000000..ad0a1936
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ctr_drbg.c
@@ -0,0 +1,722 @@
+/*
+ *  CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The NIST SP 800-90 DRBGs are described in the following publication.
+ *
+ *  http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+/*
+ * CTR_DRBG context initialization
+ */
+void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+    mbedtls_aes_free( &ctx->aes_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
+}
+
+void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
+{
+    ctx->prediction_resistance = resistance;
+}
+
+void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
+{
+    ctx->entropy_len = len;
+}
+
+void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
+{
+    ctx->reseed_interval = interval;
+}
+
+static int block_cipher_df( unsigned char *output,
+                            const unsigned char *data, size_t data_len )
+{
+    unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
+    unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+    unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+    unsigned char *p, *iv;
+    mbedtls_aes_context aes_ctx;
+    int ret = 0;
+
+    int i, j;
+    size_t buf_len, use_len;
+
+    if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
+    mbedtls_aes_init( &aes_ctx );
+
+    /*
+     * Construct IV (16 bytes) and S in buffer
+     * IV = Counter (in 32-bits) padded to 16 with zeroes
+     * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
+     *     data || 0x80
+     *     (Total is padded to a multiple of 16-bytes with zeroes)
+     */
+    p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    *p++ = ( data_len >> 24 ) & 0xff;
+    *p++ = ( data_len >> 16 ) & 0xff;
+    *p++ = ( data_len >> 8  ) & 0xff;
+    *p++ = ( data_len       ) & 0xff;
+    p += 3;
+    *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
+    memcpy( p, data, data_len );
+    p[data_len] = 0x80;
+
+    buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
+
+    for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
+        key[i] = i;
+
+    if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    /*
+     * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
+     */
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        p = buf;
+        memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+        use_len = buf_len;
+
+        while( use_len > 0 )
+        {
+            for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
+                chain[i] ^= p[i];
+            p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+            use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
+                       MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
+
+            if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain ) ) != 0 )
+            {
+                goto exit;
+            }
+        }
+
+        memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+
+        /*
+         * Update IV
+         */
+        buf[3]++;
+    }
+
+    /*
+     * Do final encryption with reduced data
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        goto exit;
+    }
+    iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
+    p = output;
+
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 )
+        {
+            goto exit;
+        }
+        memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+        p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    }
+exit:
+    mbedtls_aes_free( &aes_ctx );
+    /*
+    * tidy up the stack
+    */
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( chain, sizeof( chain ) );
+    if( 0 != ret )
+    {
+        /*
+        * wipe partial seed from memory
+        */
+        mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
+    }
+
+    return( ret );
+}
+
+/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
+ * ctr_drbg_update_internal(ctx, provided_data)
+ * implements
+ * CTR_DRBG_Update(provided_data, Key, V)
+ * with inputs and outputs
+ *   ctx->aes_ctx = Key
+ *   ctx->counter = V
+ */
+static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
+                              const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
+{
+    unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char *p = tmp;
+    int i, j;
+    int ret = 0;
+
+    memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
+
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        /*
+         * Increase counter
+         */
+        for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
+            if( ++ctx->counter[i - 1] != 0 )
+                break;
+
+        /*
+         * Crypt counter block
+         */
+        if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 )
+            goto exit;
+
+        p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    }
+
+    for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
+        tmp[i] ^= data[i];
+
+    /*
+     * Update key and counter
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+        goto exit;
+    memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+
+exit:
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    return( ret );
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_update(ctx, additional, add_len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   ctx->counter = all-bits-0
+ *   ctx->aes_ctx = context from all-bits-0 key
+ *   additional[:add_len] = entropy_input || nonce || personalization_string
+ * and with outputs
+ *   ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len )
+{
+    unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+    int ret;
+
+    if( add_len == 0 )
+        return( 0 );
+
+    if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
+        goto exit;
+    if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
+                              const unsigned char *additional,
+                              size_t add_len )
+{
+    /* MAX_INPUT would be more logical here, but we have to match
+     * block_cipher_df()'s limits since we can't propagate errors */
+    if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+        add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
+    (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
+ * mbedtls_ctr_drbg_reseed(ctx, additional, len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
+ *                -> new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   additional[:len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with output
+ *   ctx contains new_working_state
+ */
+int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
+                     const unsigned char *additional, size_t len )
+{
+    unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
+    size_t seedlen = 0;
+    int ret;
+
+    if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
+        len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
+
+    /*
+     * Gather entropy_len bytes of entropy to seed state
+     */
+    if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
+                             ctx->entropy_len ) )
+    {
+        return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+
+    seedlen += ctx->entropy_len;
+
+    /*
+     * Add additional data
+     */
+    if( additional && len )
+    {
+        memcpy( seed + seedlen, additional, len );
+        seedlen += len;
+    }
+
+    /*
+     * Reduce to 384 bits
+     */
+    if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
+        goto exit;
+
+    /*
+     * Update state
+     */
+    if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
+        goto exit;
+    ctx->reseed_counter = 1;
+
+exit:
+    mbedtls_platform_zeroize( seed, sizeof( seed ) );
+    return( ret );
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   custom[:len] = nonce || personalization_string
+ * where entropy_input comes from f_entropy for ctx->entropy_len bytes
+ * and with outputs
+ *   ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
+                           int (*f_entropy)(void *, unsigned char *, size_t),
+                           void *p_entropy,
+                           const unsigned char *custom,
+                           size_t len )
+{
+    int ret;
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+
+    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
+
+    mbedtls_aes_init( &ctx->aes_ctx );
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    if( ctx->entropy_len == 0 )
+        ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
+    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+
+    /*
+     * Initialize with an empty key
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
+    {
+        return( ret );
+    }
+    return( 0 );
+}
+
+/* Backward compatibility wrapper */
+int mbedtls_ctr_drbg_seed_entropy_len(
+    mbedtls_ctr_drbg_context *ctx,
+    int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy,
+    const unsigned char *custom, size_t len,
+    size_t entropy_len )
+{
+    mbedtls_ctr_drbg_set_entropy_len( ctx, entropy_len );
+    return( mbedtls_ctr_drbg_seed( ctx, f_entropy, p_entropy, custom, len ) );
+}
+
+/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
+ * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
+ *                -> working_state_after_reseed
+ *                if required, then
+ * CTR_DRBG_Generate(working_state_after_reseed,
+ *                   requested_number_of_bits, additional_input)
+ *                -> status, returned_bits, new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   requested_number_of_bits = 8 * output_len
+ *   additional[:add_len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with outputs
+ *   status = SUCCESS (this function does the reseed internally)
+ *   returned_bits = output[:output_len]
+ *   ctx contains new_working_state
+ */
+int mbedtls_ctr_drbg_random_with_add( void *p_rng,
+                              unsigned char *output, size_t output_len,
+                              const unsigned char *additional, size_t add_len )
+{
+    int ret = 0;
+    mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+    unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char *p = output;
+    unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+    int i;
+    size_t use_len;
+
+    if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
+        return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
+
+    if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
+
+    if( ctx->reseed_counter > ctx->reseed_interval ||
+        ctx->prediction_resistance )
+    {
+        if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
+        {
+            return( ret );
+        }
+        add_len = 0;
+    }
+
+    if( add_len > 0 )
+    {
+        if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
+            goto exit;
+        if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+            goto exit;
+    }
+
+    while( output_len > 0 )
+    {
+        /*
+         * Increase counter
+         */
+        for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
+            if( ++ctx->counter[i - 1] != 0 )
+                break;
+
+        /*
+         * Crypt counter block
+         */
+        if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 )
+            goto exit;
+
+        use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
+                                                       output_len;
+        /*
+         * Copy random block to destination
+         */
+        memcpy( p, tmp, use_len );
+        p += use_len;
+        output_len -= use_len;
+    }
+
+    if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+        goto exit;
+
+    ctx->reseed_counter++;
+
+exit:
+    mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
+{
+    int ret;
+    mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
+{
+    int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+    FILE *f;
+    unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
+        ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+    else
+        ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    fclose( f );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f = NULL;
+    size_t n;
+    unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+    unsigned char c;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+
+    n = fread( buf, 1, sizeof( buf ), f );
+    if( fread( &c, 1, 1, f ) != 0 )
+    {
+        ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+        goto exit;
+    }
+    if( n == 0 || ferror( f ) )
+    {
+        ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+    fclose( f );
+    f = NULL;
+
+    ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    if( f != NULL )
+        fclose( f );
+    if( ret != 0 )
+        return( ret );
+    return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char entropy_source_pr[96] =
+    { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
+      0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
+      0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
+      0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
+      0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
+      0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
+      0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
+      0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
+      0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
+      0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
+      0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
+      0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
+
+static const unsigned char entropy_source_nopr[64] =
+    { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
+      0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
+      0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
+      0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
+      0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
+      0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
+      0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
+      0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
+
+static const unsigned char nonce_pers_pr[16] =
+    { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
+      0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
+
+static const unsigned char nonce_pers_nopr[16] =
+    { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
+      0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
+
+static const unsigned char result_pr[16] =
+    { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
+      0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
+
+static const unsigned char result_nopr[16] =
+    { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
+      0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
+
+static size_t test_offset;
+static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
+                                       size_t len )
+{
+    const unsigned char *p = data;
+    memcpy( buf, p + test_offset, len );
+    test_offset += len;
+    return( 0 );
+}
+
+#define CHK( c )    if( (c) != 0 )                          \
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ctr_drbg_self_test( int verbose )
+{
+    mbedtls_ctr_drbg_context ctx;
+    unsigned char buf[16];
+
+    mbedtls_ctr_drbg_init( &ctx );
+
+    /*
+     * Based on a NIST CTR_DRBG test vector (PR = True)
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  CTR_DRBG (PR = TRUE) : " );
+
+    test_offset = 0;
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_pr,
+                                nonce_pers_pr, 16 ) );
+    mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+    CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+
+    mbedtls_ctr_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    /*
+     * Based on a NIST CTR_DRBG test vector (PR = FALSE)
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  CTR_DRBG (PR = FALSE): " );
+
+    mbedtls_ctr_drbg_init( &ctx );
+
+    test_offset = 0;
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_nopr,
+                                nonce_pers_nopr, 16 ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
+    CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
+    CHK( memcmp( buf, result_nopr, 16 ) );
+
+    mbedtls_ctr_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+            mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CTR_DRBG_C */
diff --git a/ctrtool/deps/libmbedtls/src/debug.c b/ctrtool/deps/libmbedtls/src/debug.c
new file mode 100644
index 00000000..36510cdd
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/debug.c
@@ -0,0 +1,450 @@
+/*
+ *  Debugging routines
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc      calloc
+#define mbedtls_free        free
+#define mbedtls_time_t      time_t
+#define mbedtls_snprintf    snprintf
+#endif
+
+#include "mbedtls/debug.h"
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define DEBUG_BUF_SIZE      512
+
+static int debug_threshold = 0;
+
+void mbedtls_debug_set_threshold( int threshold )
+{
+    debug_threshold = threshold;
+}
+
+/*
+ * All calls to f_dbg must be made via this function
+ */
+static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level,
+                                    const char *file, int line,
+                                    const char *str )
+{
+    /*
+     * If in a threaded environment, we need a thread identifier.
+     * Since there is no portable way to get one, use the address of the ssl
+     * context instead, as it shouldn't be shared between threads.
+     */
+#if defined(MBEDTLS_THREADING_C)
+    char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
+    mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", (void*)ssl, str );
+    ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr );
+#else
+    ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str );
+#endif
+}
+
+void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
+                              const char *file, int line,
+                              const char *format, ... )
+{
+    va_list argp;
+    char str[DEBUG_BUF_SIZE];
+    int ret;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    va_start( argp, format );
+#if defined(_WIN32)
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
+    ret = _vsnprintf_s( str, DEBUG_BUF_SIZE, _TRUNCATE, format, argp );
+#else
+    ret = _vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
+    if( ret < 0 || (size_t) ret == DEBUG_BUF_SIZE )
+    {
+        str[DEBUG_BUF_SIZE-1] = '\0';
+        ret = -1;
+    }
+#endif
+#else
+    ret = vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
+#endif
+    va_end( argp );
+
+    if( ret >= 0 && ret < DEBUG_BUF_SIZE - 1 )
+    {
+        str[ret]     = '\n';
+        str[ret + 1] = '\0';
+    }
+
+    debug_send_line( ssl, level, file, line, str );
+}
+
+void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, int ret )
+{
+    char str[DEBUG_BUF_SIZE];
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    /*
+     * With non-blocking I/O and examples that just retry immediately,
+     * the logs would be quickly flooded with WANT_READ, so ignore that.
+     * Don't ignore WANT_WRITE however, since is is usually rare.
+     */
+    if( ret == MBEDTLS_ERR_SSL_WANT_READ )
+        return;
+
+    mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n",
+              text, ret, -ret );
+
+    debug_send_line( ssl, level, file, line, str );
+}
+
+void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line, const char *text,
+                      const unsigned char *buf, size_t len )
+{
+    char str[DEBUG_BUF_SIZE];
+    char txt[17];
+    size_t i, idx = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n",
+              text, (unsigned int) len );
+
+    debug_send_line( ssl, level, file, line, str );
+
+    idx = 0;
+    memset( txt, 0, sizeof( txt ) );
+    for( i = 0; i < len; i++ )
+    {
+        if( i >= 4096 )
+            break;
+
+        if( i % 16 == 0 )
+        {
+            if( i > 0 )
+            {
+                mbedtls_snprintf( str + idx, sizeof( str ) - idx, "  %s\n", txt );
+                debug_send_line( ssl, level, file, line, str );
+
+                idx = 0;
+                memset( txt, 0, sizeof( txt ) );
+            }
+
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "%04x: ",
+                             (unsigned int) i );
+
+        }
+
+        idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x",
+                         (unsigned int) buf[i] );
+        txt[i % 16] = ( buf[i] > 31 && buf[i] < 127 ) ? buf[i] : '.' ;
+    }
+
+    if( len > 0 )
+    {
+        for( /* i = i */; i % 16 != 0; i++ )
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "   " );
+
+        mbedtls_snprintf( str + idx, sizeof( str ) - idx, "  %s\n", txt );
+        debug_send_line( ssl, level, file, line, str );
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_ecp_point *X )
+{
+    char str[DEBUG_BUF_SIZE];
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    mbedtls_snprintf( str, sizeof( str ), "%s(X)", text );
+    mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X );
+
+    mbedtls_snprintf( str, sizeof( str ), "%s(Y)", text );
+    mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->Y );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_mpi *X )
+{
+    char str[DEBUG_BUF_SIZE];
+    int j, k, zeros = 1;
+    size_t i, n, idx = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == X                ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    for( n = X->n - 1; n > 0; n-- )
+        if( X->p[n] != 0 )
+            break;
+
+    for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
+        if( ( ( X->p[n] >> j ) & 1 ) != 0 )
+            break;
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
+              text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
+
+    debug_send_line( ssl, level, file, line, str );
+
+    idx = 0;
+    for( i = n + 1, j = 0; i > 0; i-- )
+    {
+        if( zeros && X->p[i - 1] == 0 )
+            continue;
+
+        for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
+        {
+            if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
+                continue;
+            else
+                zeros = 0;
+
+            if( j % 16 == 0 )
+            {
+                if( j > 0 )
+                {
+                    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+                    debug_send_line( ssl, level, file, line, str );
+                    idx = 0;
+                }
+            }
+
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
+                             ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
+
+            j++;
+        }
+
+    }
+
+    if( zeros == 1 )
+        idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+    debug_send_line( ssl, level, file, line, str );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void debug_print_pk( const mbedtls_ssl_context *ssl, int level,
+                            const char *file, int line,
+                            const char *text, const mbedtls_pk_context *pk )
+{
+    size_t i;
+    mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS];
+    char name[16];
+
+    memset( items, 0, sizeof( items ) );
+
+    if( mbedtls_pk_debug( pk, items ) != 0 )
+    {
+        debug_send_line( ssl, level, file, line,
+                          "invalid PK context\n" );
+        return;
+    }
+
+    for( i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++ )
+    {
+        if( items[i].type == MBEDTLS_PK_DEBUG_NONE )
+            return;
+
+        mbedtls_snprintf( name, sizeof( name ), "%s%s", text, items[i].name );
+        name[sizeof( name ) - 1] = '\0';
+
+        if( items[i].type == MBEDTLS_PK_DEBUG_MPI )
+            mbedtls_debug_print_mpi( ssl, level, file, line, name, items[i].value );
+        else
+#if defined(MBEDTLS_ECP_C)
+        if( items[i].type == MBEDTLS_PK_DEBUG_ECP )
+            mbedtls_debug_print_ecp( ssl, level, file, line, name, items[i].value );
+        else
+#endif
+            debug_send_line( ssl, level, file, line,
+                              "should not happen\n" );
+    }
+}
+
+static void debug_print_line_by_line( const mbedtls_ssl_context *ssl, int level,
+                                      const char *file, int line, const char *text )
+{
+    char str[DEBUG_BUF_SIZE];
+    const char *start, *cur;
+
+    start = text;
+    for( cur = text; *cur != '\0'; cur++ )
+    {
+        if( *cur == '\n' )
+        {
+            size_t len = cur - start + 1;
+            if( len > DEBUG_BUF_SIZE - 1 )
+                len = DEBUG_BUF_SIZE - 1;
+
+            memcpy( str, start, len );
+            str[len] = '\0';
+
+            debug_send_line( ssl, level, file, line, str );
+
+            start = cur + 1;
+        }
+    }
+}
+
+void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_x509_crt *crt )
+{
+    char str[DEBUG_BUF_SIZE];
+    int i = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == crt              ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    while( crt != NULL )
+    {
+        char buf[1024];
+
+        mbedtls_snprintf( str, sizeof( str ), "%s #%d:\n", text, ++i );
+        debug_send_line( ssl, level, file, line, str );
+
+        mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
+        debug_print_line_by_line( ssl, level, file, line, buf );
+
+        debug_print_pk( ssl, level, file, line, "crt->", &crt->pk );
+
+        crt = crt->next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_ECDH_C)
+static void mbedtls_debug_printf_ecdh_internal( const mbedtls_ssl_context *ssl,
+                                                int level, const char *file,
+                                                int line,
+                                                const mbedtls_ecdh_context *ecdh,
+                                                mbedtls_debug_ecdh_attr attr )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    const mbedtls_ecdh_context* ctx = ecdh;
+#else
+    const mbedtls_ecdh_context_mbed* ctx = &ecdh->ctx.mbed_ecdh;
+#endif
+
+    switch( attr )
+    {
+        case MBEDTLS_DEBUG_ECDH_Q:
+            mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Q",
+                                     &ctx->Q );
+            break;
+        case MBEDTLS_DEBUG_ECDH_QP:
+            mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Qp",
+                                     &ctx->Qp );
+            break;
+        case MBEDTLS_DEBUG_ECDH_Z:
+            mbedtls_debug_print_mpi( ssl, level, file, line, "ECDH: z",
+                                     &ctx->z );
+            break;
+        default:
+            break;
+    }
+}
+
+void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
+                                const char *file, int line,
+                                const mbedtls_ecdh_context *ecdh,
+                                mbedtls_debug_ecdh_attr attr )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh, attr );
+#else
+    switch( ecdh->var )
+    {
+        default:
+            mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh,
+                                                attr );
+    }
+#endif
+}
+#endif /* MBEDTLS_ECDH_C */
+
+#endif /* MBEDTLS_DEBUG_C */
diff --git a/ctrtool/deps/libmbedtls/src/des.c b/ctrtool/deps/libmbedtls/src/des.c
new file mode 100644
index 00000000..8a33d82e
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/des.c
@@ -0,0 +1,1064 @@
+/*
+ *  FIPS-46-3 compliant Triple-DES implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  DES, on which TDES is based, was originally designed by Horst Feistel
+ *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
+ *
+ *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DES_C)
+
+#include "mbedtls/des.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_DES_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+/*
+ * Expanded DES S-boxes
+ */
+static const uint32_t SB1[64] =
+{
+    0x01010400, 0x00000000, 0x00010000, 0x01010404,
+    0x01010004, 0x00010404, 0x00000004, 0x00010000,
+    0x00000400, 0x01010400, 0x01010404, 0x00000400,
+    0x01000404, 0x01010004, 0x01000000, 0x00000004,
+    0x00000404, 0x01000400, 0x01000400, 0x00010400,
+    0x00010400, 0x01010000, 0x01010000, 0x01000404,
+    0x00010004, 0x01000004, 0x01000004, 0x00010004,
+    0x00000000, 0x00000404, 0x00010404, 0x01000000,
+    0x00010000, 0x01010404, 0x00000004, 0x01010000,
+    0x01010400, 0x01000000, 0x01000000, 0x00000400,
+    0x01010004, 0x00010000, 0x00010400, 0x01000004,
+    0x00000400, 0x00000004, 0x01000404, 0x00010404,
+    0x01010404, 0x00010004, 0x01010000, 0x01000404,
+    0x01000004, 0x00000404, 0x00010404, 0x01010400,
+    0x00000404, 0x01000400, 0x01000400, 0x00000000,
+    0x00010004, 0x00010400, 0x00000000, 0x01010004
+};
+
+static const uint32_t SB2[64] =
+{
+    0x80108020, 0x80008000, 0x00008000, 0x00108020,
+    0x00100000, 0x00000020, 0x80100020, 0x80008020,
+    0x80000020, 0x80108020, 0x80108000, 0x80000000,
+    0x80008000, 0x00100000, 0x00000020, 0x80100020,
+    0x00108000, 0x00100020, 0x80008020, 0x00000000,
+    0x80000000, 0x00008000, 0x00108020, 0x80100000,
+    0x00100020, 0x80000020, 0x00000000, 0x00108000,
+    0x00008020, 0x80108000, 0x80100000, 0x00008020,
+    0x00000000, 0x00108020, 0x80100020, 0x00100000,
+    0x80008020, 0x80100000, 0x80108000, 0x00008000,
+    0x80100000, 0x80008000, 0x00000020, 0x80108020,
+    0x00108020, 0x00000020, 0x00008000, 0x80000000,
+    0x00008020, 0x80108000, 0x00100000, 0x80000020,
+    0x00100020, 0x80008020, 0x80000020, 0x00100020,
+    0x00108000, 0x00000000, 0x80008000, 0x00008020,
+    0x80000000, 0x80100020, 0x80108020, 0x00108000
+};
+
+static const uint32_t SB3[64] =
+{
+    0x00000208, 0x08020200, 0x00000000, 0x08020008,
+    0x08000200, 0x00000000, 0x00020208, 0x08000200,
+    0x00020008, 0x08000008, 0x08000008, 0x00020000,
+    0x08020208, 0x00020008, 0x08020000, 0x00000208,
+    0x08000000, 0x00000008, 0x08020200, 0x00000200,
+    0x00020200, 0x08020000, 0x08020008, 0x00020208,
+    0x08000208, 0x00020200, 0x00020000, 0x08000208,
+    0x00000008, 0x08020208, 0x00000200, 0x08000000,
+    0x08020200, 0x08000000, 0x00020008, 0x00000208,
+    0x00020000, 0x08020200, 0x08000200, 0x00000000,
+    0x00000200, 0x00020008, 0x08020208, 0x08000200,
+    0x08000008, 0x00000200, 0x00000000, 0x08020008,
+    0x08000208, 0x00020000, 0x08000000, 0x08020208,
+    0x00000008, 0x00020208, 0x00020200, 0x08000008,
+    0x08020000, 0x08000208, 0x00000208, 0x08020000,
+    0x00020208, 0x00000008, 0x08020008, 0x00020200
+};
+
+static const uint32_t SB4[64] =
+{
+    0x00802001, 0x00002081, 0x00002081, 0x00000080,
+    0x00802080, 0x00800081, 0x00800001, 0x00002001,
+    0x00000000, 0x00802000, 0x00802000, 0x00802081,
+    0x00000081, 0x00000000, 0x00800080, 0x00800001,
+    0x00000001, 0x00002000, 0x00800000, 0x00802001,
+    0x00000080, 0x00800000, 0x00002001, 0x00002080,
+    0x00800081, 0x00000001, 0x00002080, 0x00800080,
+    0x00002000, 0x00802080, 0x00802081, 0x00000081,
+    0x00800080, 0x00800001, 0x00802000, 0x00802081,
+    0x00000081, 0x00000000, 0x00000000, 0x00802000,
+    0x00002080, 0x00800080, 0x00800081, 0x00000001,
+    0x00802001, 0x00002081, 0x00002081, 0x00000080,
+    0x00802081, 0x00000081, 0x00000001, 0x00002000,
+    0x00800001, 0x00002001, 0x00802080, 0x00800081,
+    0x00002001, 0x00002080, 0x00800000, 0x00802001,
+    0x00000080, 0x00800000, 0x00002000, 0x00802080
+};
+
+static const uint32_t SB5[64] =
+{
+    0x00000100, 0x02080100, 0x02080000, 0x42000100,
+    0x00080000, 0x00000100, 0x40000000, 0x02080000,
+    0x40080100, 0x00080000, 0x02000100, 0x40080100,
+    0x42000100, 0x42080000, 0x00080100, 0x40000000,
+    0x02000000, 0x40080000, 0x40080000, 0x00000000,
+    0x40000100, 0x42080100, 0x42080100, 0x02000100,
+    0x42080000, 0x40000100, 0x00000000, 0x42000000,
+    0x02080100, 0x02000000, 0x42000000, 0x00080100,
+    0x00080000, 0x42000100, 0x00000100, 0x02000000,
+    0x40000000, 0x02080000, 0x42000100, 0x40080100,
+    0x02000100, 0x40000000, 0x42080000, 0x02080100,
+    0x40080100, 0x00000100, 0x02000000, 0x42080000,
+    0x42080100, 0x00080100, 0x42000000, 0x42080100,
+    0x02080000, 0x00000000, 0x40080000, 0x42000000,
+    0x00080100, 0x02000100, 0x40000100, 0x00080000,
+    0x00000000, 0x40080000, 0x02080100, 0x40000100
+};
+
+static const uint32_t SB6[64] =
+{
+    0x20000010, 0x20400000, 0x00004000, 0x20404010,
+    0x20400000, 0x00000010, 0x20404010, 0x00400000,
+    0x20004000, 0x00404010, 0x00400000, 0x20000010,
+    0x00400010, 0x20004000, 0x20000000, 0x00004010,
+    0x00000000, 0x00400010, 0x20004010, 0x00004000,
+    0x00404000, 0x20004010, 0x00000010, 0x20400010,
+    0x20400010, 0x00000000, 0x00404010, 0x20404000,
+    0x00004010, 0x00404000, 0x20404000, 0x20000000,
+    0x20004000, 0x00000010, 0x20400010, 0x00404000,
+    0x20404010, 0x00400000, 0x00004010, 0x20000010,
+    0x00400000, 0x20004000, 0x20000000, 0x00004010,
+    0x20000010, 0x20404010, 0x00404000, 0x20400000,
+    0x00404010, 0x20404000, 0x00000000, 0x20400010,
+    0x00000010, 0x00004000, 0x20400000, 0x00404010,
+    0x00004000, 0x00400010, 0x20004010, 0x00000000,
+    0x20404000, 0x20000000, 0x00400010, 0x20004010
+};
+
+static const uint32_t SB7[64] =
+{
+    0x00200000, 0x04200002, 0x04000802, 0x00000000,
+    0x00000800, 0x04000802, 0x00200802, 0x04200800,
+    0x04200802, 0x00200000, 0x00000000, 0x04000002,
+    0x00000002, 0x04000000, 0x04200002, 0x00000802,
+    0x04000800, 0x00200802, 0x00200002, 0x04000800,
+    0x04000002, 0x04200000, 0x04200800, 0x00200002,
+    0x04200000, 0x00000800, 0x00000802, 0x04200802,
+    0x00200800, 0x00000002, 0x04000000, 0x00200800,
+    0x04000000, 0x00200800, 0x00200000, 0x04000802,
+    0x04000802, 0x04200002, 0x04200002, 0x00000002,
+    0x00200002, 0x04000000, 0x04000800, 0x00200000,
+    0x04200800, 0x00000802, 0x00200802, 0x04200800,
+    0x00000802, 0x04000002, 0x04200802, 0x04200000,
+    0x00200800, 0x00000000, 0x00000002, 0x04200802,
+    0x00000000, 0x00200802, 0x04200000, 0x00000800,
+    0x04000002, 0x04000800, 0x00000800, 0x00200002
+};
+
+static const uint32_t SB8[64] =
+{
+    0x10001040, 0x00001000, 0x00040000, 0x10041040,
+    0x10000000, 0x10001040, 0x00000040, 0x10000000,
+    0x00040040, 0x10040000, 0x10041040, 0x00041000,
+    0x10041000, 0x00041040, 0x00001000, 0x00000040,
+    0x10040000, 0x10000040, 0x10001000, 0x00001040,
+    0x00041000, 0x00040040, 0x10040040, 0x10041000,
+    0x00001040, 0x00000000, 0x00000000, 0x10040040,
+    0x10000040, 0x10001000, 0x00041040, 0x00040000,
+    0x00041040, 0x00040000, 0x10041000, 0x00001000,
+    0x00000040, 0x10040040, 0x00001000, 0x00041040,
+    0x10001000, 0x00000040, 0x10000040, 0x10040000,
+    0x10040040, 0x10000000, 0x00040000, 0x10001040,
+    0x00000000, 0x10041040, 0x00040040, 0x10000040,
+    0x10040000, 0x10001000, 0x10001040, 0x00000000,
+    0x10041040, 0x00041000, 0x00041000, 0x00001040,
+    0x00001040, 0x00040040, 0x10000000, 0x10041000
+};
+
+/*
+ * PC1: left and right halves bit-swap
+ */
+static const uint32_t LHs[16] =
+{
+    0x00000000, 0x00000001, 0x00000100, 0x00000101,
+    0x00010000, 0x00010001, 0x00010100, 0x00010101,
+    0x01000000, 0x01000001, 0x01000100, 0x01000101,
+    0x01010000, 0x01010001, 0x01010100, 0x01010101
+};
+
+static const uint32_t RHs[16] =
+{
+    0x00000000, 0x01000000, 0x00010000, 0x01010000,
+    0x00000100, 0x01000100, 0x00010100, 0x01010100,
+    0x00000001, 0x01000001, 0x00010001, 0x01010001,
+    0x00000101, 0x01000101, 0x00010101, 0x01010101,
+};
+
+/*
+ * Initial Permutation macro
+ */
+#define DES_IP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
+        (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
+    } while( 0 )
+
+/*
+ * Final Permutation macro
+ */
+#define DES_FP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
+        (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+    } while( 0 )
+
+/*
+ * DES round macro
+ */
+#define DES_ROUND(X,Y)                              \
+    do                                              \
+    {                                               \
+        T = *SK++ ^ (X);                            \
+        (Y) ^= SB8[ (T      ) & 0x3F ] ^            \
+               SB6[ (T >>  8) & 0x3F ] ^            \
+               SB4[ (T >> 16) & 0x3F ] ^            \
+               SB2[ (T >> 24) & 0x3F ];             \
+                                                    \
+        T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
+        (Y) ^= SB7[ (T      ) & 0x3F ] ^            \
+               SB5[ (T >>  8) & 0x3F ] ^            \
+               SB3[ (T >> 16) & 0x3F ] ^            \
+               SB1[ (T >> 24) & 0x3F ];             \
+    } while( 0 )
+
+#define SWAP(a,b)                                       \
+    do                                                  \
+    {                                                   \
+        uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
+    } while( 0 )
+
+void mbedtls_des_init( mbedtls_des_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_des_context ) );
+}
+
+void mbedtls_des_free( mbedtls_des_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
+}
+
+void mbedtls_des3_init( mbedtls_des3_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_des3_context ) );
+}
+
+void mbedtls_des3_free( mbedtls_des3_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
+}
+
+static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
+        11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
+        47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
+        82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
+        115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
+        143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
+        171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
+        199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
+        227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
+        254 };
+
+void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
+        key[i] = odd_parity_table[key[i] / 2];
+}
+
+/*
+ * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
+ */
+int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
+        if( key[i] != odd_parity_table[key[i] / 2] )
+            return( 1 );
+
+    return( 0 );
+}
+
+/*
+ * Table of weak and semi-weak keys
+ *
+ * Source: http://en.wikipedia.org/wiki/Weak_key
+ *
+ * Weak:
+ * Alternating ones + zeros (0x0101010101010101)
+ * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
+ * '0xE0E0E0E0F1F1F1F1'
+ * '0x1F1F1F1F0E0E0E0E'
+ *
+ * Semi-weak:
+ * 0x011F011F010E010E and 0x1F011F010E010E01
+ * 0x01E001E001F101F1 and 0xE001E001F101F101
+ * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
+ * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
+ * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
+ * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
+ *
+ */
+
+#define WEAK_KEY_COUNT 16
+
+static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
+{
+    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+    { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
+    { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
+    { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
+
+    { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
+    { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
+    { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
+    { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
+    { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
+    { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
+    { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
+    { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
+    { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
+    { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
+    { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
+    { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
+};
+
+int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < WEAK_KEY_COUNT; i++ )
+        if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
+            return( 1 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DES_SETKEY_ALT)
+void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+    uint32_t X, Y, T;
+
+    GET_UINT32_BE( X, key, 0 );
+    GET_UINT32_BE( Y, key, 4 );
+
+    /*
+     * Permuted Choice 1
+     */
+    T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
+    T =  ((Y      ) ^ X) & 0x10101010;  X ^= T; Y ^= (T      );
+
+    X =   (LHs[ (X      ) & 0xF] << 3) | (LHs[ (X >>  8) & 0xF ] << 2)
+        | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ]     )
+        | (LHs[ (X >>  5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
+        | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
+
+    Y =   (RHs[ (Y >>  1) & 0xF] << 3) | (RHs[ (Y >>  9) & 0xF ] << 2)
+        | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ]     )
+        | (RHs[ (Y >>  4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
+        | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
+
+    X &= 0x0FFFFFFF;
+    Y &= 0x0FFFFFFF;
+
+    /*
+     * calculate subkeys
+     */
+    for( i = 0; i < 16; i++ )
+    {
+        if( i < 2 || i == 8 || i == 15 )
+        {
+            X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
+            Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
+        }
+        else
+        {
+            X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
+            Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
+        }
+
+        *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
+                | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
+                | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
+                | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
+                | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
+                | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
+                | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
+                | ((Y >> 14) & 0x00000200) | ((Y      ) & 0x00000100)
+                | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
+                | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
+                | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
+
+        *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
+                | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
+                | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
+                | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
+                | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
+                | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
+                | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
+                | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
+                | ((Y      ) & 0x00000200) | ((Y <<  7) & 0x00000100)
+                | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
+                | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
+    }
+}
+#endif /* !MBEDTLS_DES_SETKEY_ALT */
+
+/*
+ * DES key schedule (56-bit, encryption)
+ */
+int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    mbedtls_des_setkey( ctx->sk, key );
+
+    return( 0 );
+}
+
+/*
+ * DES key schedule (56-bit, decryption)
+ */
+int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    mbedtls_des_setkey( ctx->sk, key );
+
+    for( i = 0; i < 16; i += 2 )
+    {
+        SWAP( ctx->sk[i    ], ctx->sk[30 - i] );
+        SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
+    }
+
+    return( 0 );
+}
+
+static void des3_set2key( uint32_t esk[96],
+                          uint32_t dsk[96],
+                          const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
+{
+    int i;
+
+    mbedtls_des_setkey( esk, key );
+    mbedtls_des_setkey( dsk + 32, key + 8 );
+
+    for( i = 0; i < 32; i += 2 )
+    {
+        dsk[i     ] = esk[30 - i];
+        dsk[i +  1] = esk[31 - i];
+
+        esk[i + 32] = dsk[62 - i];
+        esk[i + 33] = dsk[63 - i];
+
+        esk[i + 64] = esk[i    ];
+        esk[i + 65] = esk[i + 1];
+
+        dsk[i + 64] = dsk[i    ];
+        dsk[i + 65] = dsk[i + 1];
+    }
+}
+
+/*
+ * Triple-DES key schedule (112-bit, encryption)
+ */
+int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
+{
+    uint32_t sk[96];
+
+    des3_set2key( ctx->sk, sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * Triple-DES key schedule (112-bit, decryption)
+ */
+int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
+{
+    uint32_t sk[96];
+
+    des3_set2key( sk, ctx->sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+static void des3_set3key( uint32_t esk[96],
+                          uint32_t dsk[96],
+                          const unsigned char key[24] )
+{
+    int i;
+
+    mbedtls_des_setkey( esk, key );
+    mbedtls_des_setkey( dsk + 32, key +  8 );
+    mbedtls_des_setkey( esk + 64, key + 16 );
+
+    for( i = 0; i < 32; i += 2 )
+    {
+        dsk[i     ] = esk[94 - i];
+        dsk[i +  1] = esk[95 - i];
+
+        esk[i + 32] = dsk[62 - i];
+        esk[i + 33] = dsk[63 - i];
+
+        dsk[i + 64] = esk[30 - i];
+        dsk[i + 65] = esk[31 - i];
+    }
+}
+
+/*
+ * Triple-DES key schedule (168-bit, encryption)
+ */
+int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
+{
+    uint32_t sk[96];
+
+    des3_set3key( ctx->sk, sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * Triple-DES key schedule (168-bit, decryption)
+ */
+int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
+{
+    uint32_t sk[96];
+
+    des3_set3key( sk, ctx->sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
+                    const unsigned char input[8],
+                    unsigned char output[8] )
+{
+    int i;
+    uint32_t X, Y, T, *SK;
+
+    SK = ctx->sk;
+
+    GET_UINT32_BE( X, input, 0 );
+    GET_UINT32_BE( Y, input, 4 );
+
+    DES_IP( X, Y );
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    DES_FP( Y, X );
+
+    PUT_UINT32_BE( Y, output, 0 );
+    PUT_UINT32_BE( X, output, 4 );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_DES_ENCRYPT )
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_des_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else /* MBEDTLS_DES_DECRYPT */
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_des_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * 3DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
+                     const unsigned char input[8],
+                     unsigned char output[8] )
+{
+    int i;
+    uint32_t X, Y, T, *SK;
+
+    SK = ctx->sk;
+
+    GET_UINT32_BE( X, input, 0 );
+    GET_UINT32_BE( Y, input, 4 );
+
+    DES_IP( X, Y );
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( X, Y );
+        DES_ROUND( Y, X );
+    }
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    DES_FP( Y, X );
+
+    PUT_UINT32_BE( Y, output, 0 );
+    PUT_UINT32_BE( X, output, 4 );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * 3DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
+                     int mode,
+                     size_t length,
+                     unsigned char iv[8],
+                     const unsigned char *input,
+                     unsigned char *output )
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_DES_ENCRYPT )
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_des3_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else /* MBEDTLS_DES_DECRYPT */
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_des3_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#endif /* !MBEDTLS_DES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * DES and 3DES test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
+ */
+static const unsigned char des3_test_keys[24] =
+{
+    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
+    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
+    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
+};
+
+static const unsigned char des3_test_buf[8] =
+{
+    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
+};
+
+static const unsigned char des3_test_ecb_dec[3][8] =
+{
+    { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
+    { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
+    { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
+};
+
+static const unsigned char des3_test_ecb_enc[3][8] =
+{
+    { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
+    { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
+    { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char des3_test_iv[8] =
+{
+    0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
+};
+
+static const unsigned char des3_test_cbc_dec[3][8] =
+{
+    { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
+    { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
+    { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
+};
+
+static const unsigned char des3_test_cbc_enc[3][8] =
+{
+    { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
+    { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
+    { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_des_self_test( int verbose )
+{
+    int i, j, u, v, ret = 0;
+    mbedtls_des_context ctx;
+    mbedtls_des3_context ctx3;
+    unsigned char buf[8];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char prv[8];
+    unsigned char iv[8];
+#endif
+
+    mbedtls_des_init( &ctx );
+    mbedtls_des3_init( &ctx3 );
+    /*
+     * ECB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  DES%c-ECB-%3d (%s): ",
+                             ( u == 0 ) ? ' ' : '3', 56 + u * 56,
+                             ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( buf, des3_test_buf, 8 );
+
+        switch( i )
+        {
+        case 0:
+            mbedtls_des_setkey_dec( &ctx, des3_test_keys );
+            break;
+
+        case 1:
+            mbedtls_des_setkey_enc( &ctx, des3_test_keys );
+            break;
+
+        case 2:
+            mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 3:
+            mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
+            break;
+
+        case 4:
+            mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 5:
+            mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
+            break;
+
+        default:
+            return( 1 );
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            if( u == 0 )
+                mbedtls_des_crypt_ecb( &ctx, buf, buf );
+            else
+                mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
+        }
+
+        if( ( v == MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
+            ( v != MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  DES%c-CBC-%3d (%s): ",
+                             ( u == 0 ) ? ' ' : '3', 56 + u * 56,
+                             ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  des3_test_iv,  8 );
+        memcpy( prv, des3_test_iv,  8 );
+        memcpy( buf, des3_test_buf, 8 );
+
+        switch( i )
+        {
+        case 0:
+            mbedtls_des_setkey_dec( &ctx, des3_test_keys );
+            break;
+
+        case 1:
+            mbedtls_des_setkey_enc( &ctx, des3_test_keys );
+            break;
+
+        case 2:
+            mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 3:
+            mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
+            break;
+
+        case 4:
+            mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 5:
+            mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
+            break;
+
+        default:
+            return( 1 );
+        }
+
+        if( v == MBEDTLS_DES_DECRYPT )
+        {
+            for( j = 0; j < 10000; j++ )
+            {
+                if( u == 0 )
+                    mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
+                else
+                    mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
+            }
+        }
+        else
+        {
+            for( j = 0; j < 10000; j++ )
+            {
+                unsigned char tmp[8];
+
+                if( u == 0 )
+                    mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
+                else
+                    mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
+
+                memcpy( tmp, prv, 8 );
+                memcpy( prv, buf, 8 );
+                memcpy( buf, tmp, 8 );
+            }
+
+            memcpy( buf, prv, 8 );
+        }
+
+        if( ( v == MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
+            ( v != MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_des_free( &ctx );
+    mbedtls_des3_free( &ctx3 );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DES_C */
diff --git a/ctrtool/deps/libmbedtls/src/dhm.c b/ctrtool/deps/libmbedtls/src/dhm.c
new file mode 100644
index 00000000..8255632a
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/dhm.c
@@ -0,0 +1,712 @@
+/*
+ *  Diffie-Hellman-Merkle key exchange
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The following sources were referenced in the design of this implementation
+ *  of the Diffie-Hellman-Merkle algorithm:
+ *
+ *  [1] Handbook of Applied Cryptography - 1997, Chapter 12
+ *      Menezes, van Oorschot and Vanstone
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+
+#include "mbedtls/dhm.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if !defined(MBEDTLS_DHM_ALT)
+
+#define DHM_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA )
+#define DHM_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * helper to validate the mbedtls_mpi size and import it
+ */
+static int dhm_read_bignum( mbedtls_mpi *X,
+                            unsigned char **p,
+                            const unsigned char *end )
+{
+    int ret, n;
+
+    if( end - *p < 2 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    (*p) += 2;
+
+    if( (int)( end - *p ) < n )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_mpi_read_binary( X, *p, n ) ) != 0 )
+        return( MBEDTLS_ERR_DHM_READ_PARAMS_FAILED + ret );
+
+    (*p) += n;
+
+    return( 0 );
+}
+
+/*
+ * Verify sanity of parameter with regards to P
+ *
+ * Parameter should be: 2 <= public_param <= P - 2
+ *
+ * This means that we need to return an error if
+ *              public_param < 2 or public_param > P-2
+ *
+ * For more information on the attack, see:
+ *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
+ *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
+ */
+static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P )
+{
+    mbedtls_mpi L, U;
+    int ret = 0;
+
+    mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) );
+
+    if( mbedtls_mpi_cmp_mpi( param, &L ) < 0 ||
+        mbedtls_mpi_cmp_mpi( param, &U ) > 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+    }
+
+cleanup:
+    mbedtls_mpi_free( &L ); mbedtls_mpi_free( &U );
+    return( ret );
+}
+
+void mbedtls_dhm_init( mbedtls_dhm_context *ctx )
+{
+    DHM_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_dhm_context ) );
+}
+
+/*
+ * Parse the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
+                     unsigned char **p,
+                     const unsigned char *end )
+{
+    int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( p != NULL && *p != NULL );
+    DHM_VALIDATE_RET( end != NULL );
+
+    if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
+        ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
+        ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
+        return( ret );
+
+    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+        return( ret );
+
+    ctx->len = mbedtls_mpi_size( &ctx->P );
+
+    return( 0 );
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret, count = 0;
+    size_t n1, n2, n3;
+    unsigned char *p;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( olen != NULL );
+    DHM_VALIDATE_RET( f_rng != NULL );
+
+    if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    /*
+     * Generate X as large as possible ( < P )
+     */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED );
+    }
+    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
+
+    /*
+     * Calculate GX = G^X mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
+                          &ctx->P , &ctx->RP ) );
+
+    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+        return( ret );
+
+    /*
+     * export P, G, GX
+     */
+#define DHM_MPI_EXPORT( X, n )                                          \
+    do {                                                                \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ),               \
+                                                   p + 2,               \
+                                                   ( n ) ) );           \
+        *p++ = (unsigned char)( ( n ) >> 8 );                           \
+        *p++ = (unsigned char)( ( n )      );                           \
+        p += ( n );                                                     \
+    } while( 0 )
+
+    n1 = mbedtls_mpi_size( &ctx->P  );
+    n2 = mbedtls_mpi_size( &ctx->G  );
+    n3 = mbedtls_mpi_size( &ctx->GX );
+
+    p = output;
+    DHM_MPI_EXPORT( &ctx->P , n1 );
+    DHM_MPI_EXPORT( &ctx->G , n2 );
+    DHM_MPI_EXPORT( &ctx->GX, n3 );
+
+    *olen = p - output;
+
+    ctx->len = n1;
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Set prime modulus and generator
+ */
+int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
+                           const mbedtls_mpi *P,
+                           const mbedtls_mpi *G )
+{
+    int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( P != NULL );
+    DHM_VALIDATE_RET( G != NULL );
+
+    if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret );
+    }
+
+    ctx->len = mbedtls_mpi_size( &ctx->P );
+    return( 0 );
+}
+
+/*
+ * Import the peer's public value G^Y
+ */
+int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
+                     const unsigned char *input, size_t ilen )
+{
+    int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( input != NULL );
+
+    if( ilen < 1 || ilen > ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
+        return( MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Create own private value X and export G^X
+ */
+int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret, count = 0;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( f_rng != NULL );
+
+    if( olen < 1 || olen > ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    /*
+     * generate X and calculate GX = G^X mod P
+     */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED );
+    }
+    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
+                          &ctx->P , &ctx->RP ) );
+
+    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+        return( ret );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->GX, output, olen ) );
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Use the blinding method and optimisation suggested in section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int dhm_update_blinding( mbedtls_dhm_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret, count;
+
+    /*
+     * Don't use any blinding the first time a particular X is used,
+     * but remember it to use blinding next time.
+     */
+    if( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &ctx->pX, &ctx->X ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vi, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vf, 1 ) );
+
+        return( 0 );
+    }
+
+    /*
+     * Ok, we need blinding. Can we re-use existing values?
+     * If yes, just update them by squaring them.
+     */
+    if( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+
+        return( 0 );
+    }
+
+    /*
+     * We need to generate blinding values from scratch
+     */
+
+    /* Vi = random( 2, P-1 ) */
+    count = 0;
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+    }
+    while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
+
+    /* Vf = Vi^-X mod P */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Derive and export the shared secret (G^Y)^X mod P
+ */
+int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
+                     unsigned char *output, size_t output_size, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    mbedtls_mpi GYb;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( olen != NULL );
+
+    if( output_size < ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+        return( ret );
+
+    mbedtls_mpi_init( &GYb );
+
+    /* Blind peer's value */
+    if( f_rng != NULL )
+    {
+        MBEDTLS_MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
+    }
+    else
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &GYb, &ctx->GY ) );
+
+    /* Do modular exponentiation */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
+                          &ctx->P, &ctx->RP ) );
+
+    /* Unblind secret value */
+    if( f_rng != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
+    }
+
+    *olen = mbedtls_mpi_size( &ctx->K );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
+
+cleanup:
+    mbedtls_mpi_free( &GYb );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_CALC_SECRET_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Free the components of a DHM key
+ */
+void mbedtls_dhm_free( mbedtls_dhm_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->pX );
+    mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->Vi );
+    mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->K  );
+    mbedtls_mpi_free( &ctx->GY );
+    mbedtls_mpi_free( &ctx->GX );
+    mbedtls_mpi_free( &ctx->X  );
+    mbedtls_mpi_free( &ctx->G  );
+    mbedtls_mpi_free( &ctx->P  );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_dhm_context ) );
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/*
+ * Parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                   size_t dhminlen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end;
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_context pem;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+    DHM_VALIDATE_RET( dhm != NULL );
+    DHM_VALIDATE_RET( dhmin != NULL );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_init( &pem );
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( dhminlen == 0 || dhmin[dhminlen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN DH PARAMETERS-----",
+                               "-----END DH PARAMETERS-----",
+                               dhmin, NULL, 0, &dhminlen );
+
+    if( ret == 0 )
+    {
+        /*
+         * Was PEM encoded
+         */
+        dhminlen = pem.buflen;
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        goto exit;
+
+    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
+#else
+    p = (unsigned char *) dhmin;
+#endif /* MBEDTLS_PEM_PARSE_C */
+    end = p + dhminlen;
+
+    /*
+     *  DHParams ::= SEQUENCE {
+     *      prime              INTEGER,  -- P
+     *      generator          INTEGER,  -- g
+     *      privateValueLength INTEGER OPTIONAL
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
+        ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    if( p != end )
+    {
+        /* This might be the optional privateValueLength.
+         * If so, we can cleanly discard it */
+        mbedtls_mpi rec;
+        mbedtls_mpi_init( &rec );
+        ret = mbedtls_asn1_get_mpi( &p, end, &rec );
+        mbedtls_mpi_free( &rec );
+        if ( ret != 0 )
+        {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+            goto exit;
+        }
+        if ( p != end )
+        {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+            goto exit;
+        }
+    }
+
+    ret = 0;
+
+    dhm->len = mbedtls_mpi_size( &dhm->P );
+
+exit:
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_free( &pem );
+#endif
+    if( ret != 0 )
+        mbedtls_dhm_free( dhm );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+static int load_file( const char *path, unsigned char **buf, size_t *n )
+{
+    FILE *f;
+    long size;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    if( ( size = ftell( f ) ) == -1 )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+    }
+    fseek( f, 0, SEEK_SET );
+
+    *n = (size_t) size;
+
+    if( *n + 1 == 0 ||
+        ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_DHM_ALLOC_FAILED );
+    }
+
+    if( fread( *buf, 1, *n, f ) != *n )
+    {
+        fclose( f );
+
+        mbedtls_platform_zeroize( *buf, *n + 1 );
+        mbedtls_free( *buf );
+
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+    }
+
+    fclose( f );
+
+    (*buf)[*n] = '\0';
+
+    if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
+        ++*n;
+
+    return( 0 );
+}
+
+/*
+ * Load and parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+    DHM_VALIDATE_RET( dhm != NULL );
+    DHM_VALIDATE_RET( path != NULL );
+
+    if( ( ret = load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_dhm_parse_dhm( dhm, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_DHM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+static const char mbedtls_test_dhm_params[] =
+"-----BEGIN DH PARAMETERS-----\r\n"
+"MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
+"1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
+"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
+"-----END DH PARAMETERS-----\r\n";
+#else /* MBEDTLS_PEM_PARSE_C */
+static const char mbedtls_test_dhm_params[] = {
+  0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
+  0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
+  0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
+  0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
+  0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
+  0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
+  0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
+  0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
+  0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
+  0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
+  0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
+  0x49, 0x75, 0xb3, 0x02, 0x01, 0x02 };
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+static const size_t mbedtls_test_dhm_params_len = sizeof( mbedtls_test_dhm_params );
+
+/*
+ * Checkup routine
+ */
+int mbedtls_dhm_self_test( int verbose )
+{
+    int ret;
+    mbedtls_dhm_context dhm;
+
+    mbedtls_dhm_init( &dhm );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  DHM parameter load: " );
+
+    if( ( ret = mbedtls_dhm_parse_dhm( &dhm,
+                    (const unsigned char *) mbedtls_test_dhm_params,
+                    mbedtls_test_dhm_params_len ) ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto exit;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n" );
+
+exit:
+    mbedtls_dhm_free( &dhm );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DHM_C */
diff --git a/ctrtool/deps/libmbedtls/src/ecdh.c b/ctrtool/deps/libmbedtls/src/ecdh.c
new file mode 100644
index 00000000..c5726877
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ecdh.c
@@ -0,0 +1,676 @@
+/*
+ *  Elliptic curve Diffie-Hellman
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * RFC 4492
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+
+#include "mbedtls/ecdh.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/* Parameter validation macros based on platform_util.h */
+#define ECDH_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDH_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
+#endif
+
+static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
+    const mbedtls_ecdh_context *ctx )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ctx->grp.id );
+#else
+    return( ctx->grp_id );
+#endif
+}
+
+#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+/*
+ * Generate public key (restartable version)
+ *
+ * Note: this internal function relies on its caller preserving the value of
+ * the output parameter 'd' across continuation calls. This would not be
+ * acceptable for a public function but is OK here as we control call sites.
+ */
+static int ecdh_gen_public_restartable( mbedtls_ecp_group *grp,
+                    mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+
+    /* If multiplication is in progress, we already generated a privkey */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx == NULL || rs_ctx->rsm == NULL )
+#endif
+        MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, Q, d, &grp->G,
+                                                  f_rng, p_rng, rs_ctx ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate public key
+ */
+int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    ECDH_VALIDATE_RET( grp != NULL );
+    ECDH_VALIDATE_RET( d != NULL );
+    ECDH_VALIDATE_RET( Q != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+    return( ecdh_gen_public_restartable( grp, d, Q, f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+
+#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+static int ecdh_compute_shared_restartable( mbedtls_ecp_group *grp,
+                         mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_ecp_point P;
+
+    mbedtls_ecp_point_init( &P );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &P, d, Q,
+                                                  f_rng, p_rng, rs_ctx ) );
+
+    if( mbedtls_ecp_is_zero( &P ) )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( z, &P.X ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &P );
+
+    return( ret );
+}
+
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng )
+{
+    ECDH_VALIDATE_RET( grp != NULL );
+    ECDH_VALIDATE_RET( Q != NULL );
+    ECDH_VALIDATE_RET( d != NULL );
+    ECDH_VALIDATE_RET( z != NULL );
+    return( ecdh_compute_shared_restartable( grp, z, Q, d,
+                                             f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+static void ecdh_init_internal( mbedtls_ecdh_context_mbed *ctx )
+{
+    mbedtls_ecp_group_init( &ctx->grp );
+    mbedtls_mpi_init( &ctx->d  );
+    mbedtls_ecp_point_init( &ctx->Q   );
+    mbedtls_ecp_point_init( &ctx->Qp  );
+    mbedtls_mpi_init( &ctx->z  );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_init( &ctx->rs );
+#endif
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx )
+{
+    ECDH_VALIDATE( ctx != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    ecdh_init_internal( ctx );
+    mbedtls_ecp_point_init( &ctx->Vi  );
+    mbedtls_ecp_point_init( &ctx->Vf  );
+    mbedtls_mpi_init( &ctx->_d );
+#else
+    memset( ctx, 0, sizeof( mbedtls_ecdh_context ) );
+
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+#endif
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ctx->restart_enabled = 0;
+#endif
+}
+
+static int ecdh_setup_internal( mbedtls_ecdh_context_mbed *ctx,
+                                mbedtls_ecp_group_id grp_id )
+{
+    int ret;
+
+    ret = mbedtls_ecp_group_load( &ctx->grp, grp_id );
+    if( ret != 0 )
+    {
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id )
+{
+    ECDH_VALIDATE_RET( ctx != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_setup_internal( ctx, grp_id ) );
+#else
+    switch( grp_id )
+    {
+        default:
+            ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+            ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+            ctx->grp_id = grp_id;
+            ecdh_init_internal( &ctx->ctx.mbed_ecdh );
+            return( ecdh_setup_internal( &ctx->ctx.mbed_ecdh, grp_id ) );
+    }
+#endif
+}
+
+static void ecdh_free_internal( mbedtls_ecdh_context_mbed *ctx )
+{
+    mbedtls_ecp_group_free( &ctx->grp );
+    mbedtls_mpi_free( &ctx->d  );
+    mbedtls_ecp_point_free( &ctx->Q   );
+    mbedtls_ecp_point_free( &ctx->Qp  );
+    mbedtls_mpi_free( &ctx->z  );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_free( &ctx->rs );
+#endif
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Enable restartable operations for context
+ */
+void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx )
+{
+    ECDH_VALIDATE( ctx != NULL );
+
+    ctx->restart_enabled = 1;
+}
+#endif
+
+/*
+ * Free context
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_ecp_point_free( &ctx->Vi );
+    mbedtls_ecp_point_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->_d );
+    ecdh_free_internal( ctx );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            ecdh_free_internal( &ctx->ctx.mbed_ecdh );
+            break;
+        default:
+            break;
+    }
+
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+    ctx->grp_id = MBEDTLS_ECP_DP_NONE;
+#endif
+}
+
+static int ecdh_make_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, int point_format,
+                                      unsigned char *buf, size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
+{
+    int ret;
+    size_t grp_len, pt_len;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if( ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_gen_public_restartable( &ctx->grp, &ctx->d, &ctx->Q,
+                                             f_rng, p_rng, rs_ctx ) ) != 0 )
+        return( ret );
+#else
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q,
+                                         f_rng, p_rng ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    if( ( ret = mbedtls_ecp_tls_write_group( &ctx->grp, &grp_len, buf,
+                                             blen ) ) != 0 )
+        return( ret );
+
+    buf += grp_len;
+    blen -= grp_len;
+
+    if( ( ret = mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, point_format,
+                                             &pt_len, buf, blen ) ) != 0 )
+        return( ret );
+
+    *olen = grp_len + pt_len;
+    return( 0 );
+}
+
+/*
+ * Setup and write the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_make_params_internal( ctx, olen, ctx->point_format, buf, blen,
+                                       f_rng, p_rng, restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_make_params_internal( &ctx->ctx.mbed_ecdh, olen,
+                                               ctx->point_format, buf, blen,
+                                               f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_read_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      const unsigned char **buf,
+                                      const unsigned char *end )
+{
+    return( mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, buf,
+                                        end - *buf ) );
+}
+
+/*
+ * Read the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
+                              const unsigned char **buf,
+                              const unsigned char *end )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( *buf != NULL );
+    ECDH_VALIDATE_RET( end != NULL );
+
+    if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, end - *buf ) )
+            != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_ecdh_setup( ctx, grp_id ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_read_params_internal( ctx, buf, end ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_read_params_internal( &ctx->ctx.mbed_ecdh,
+                                               buf, end ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_get_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                     const mbedtls_ecp_keypair *key,
+                                     mbedtls_ecdh_side side )
+{
+    int ret;
+
+    /* If it's not our key, just import the public part as Qp */
+    if( side == MBEDTLS_ECDH_THEIRS )
+        return( mbedtls_ecp_copy( &ctx->Qp, &key->Q ) );
+
+    /* Our key: import public (as Q) and private parts */
+    if( side != MBEDTLS_ECDH_OURS )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Get parameters from a keypair
+ */
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+                             const mbedtls_ecp_keypair *key,
+                             mbedtls_ecdh_side side )
+{
+    int ret;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( key != NULL );
+    ECDH_VALIDATE_RET( side == MBEDTLS_ECDH_OURS ||
+                       side == MBEDTLS_ECDH_THEIRS );
+
+    if( mbedtls_ecdh_grp_id( ctx ) == MBEDTLS_ECP_DP_NONE )
+    {
+        /* This is the first call to get_params(). Set up the context
+         * for use with the group. */
+        if( ( ret = mbedtls_ecdh_setup( ctx, key->grp.id ) ) != 0 )
+            return( ret );
+    }
+    else
+    {
+        /* This is not the first call to get_params(). Check that the
+         * current key's group is the same as the context's, which was set
+         * from the first key's group. */
+        if( mbedtls_ecdh_grp_id( ctx ) != key->grp.id )
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_get_params_internal( ctx, key, side ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_get_params_internal( &ctx->ctx.mbed_ecdh,
+                                              key, side ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_make_public_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, int point_format,
+                                      unsigned char *buf, size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
+{
+    int ret;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if( ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_gen_public_restartable( &ctx->grp, &ctx->d, &ctx->Q,
+                                             f_rng, p_rng, rs_ctx ) ) != 0 )
+        return( ret );
+#else
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q,
+                                         f_rng, p_rng ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    return mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, point_format, olen,
+                                        buf, blen );
+}
+
+/*
+ * Setup and export the client public value
+ */
+int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_make_public_internal( ctx, olen, ctx->point_format, buf, blen,
+                                       f_rng, p_rng, restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_make_public_internal( &ctx->ctx.mbed_ecdh, olen,
+                                               ctx->point_format, buf, blen,
+                                               f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_read_public_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      const unsigned char *buf, size_t blen )
+{
+    int ret;
+    const unsigned char *p = buf;
+
+    if( ( ret = mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, &p,
+                                            blen ) ) != 0 )
+        return( ret );
+
+    if( (size_t)( p - buf ) != blen )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+/*
+ * Parse and import the client's public value
+ */
+int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
+                              const unsigned char *buf, size_t blen )
+{
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_read_public_internal( ctx, buf, blen ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_read_public_internal( &ctx->ctx.mbed_ecdh,
+                                                       buf, blen ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_calc_secret_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, unsigned char *buf,
+                                      size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
+{
+    int ret;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if( ctx == NULL || ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_compute_shared_restartable( &ctx->grp, &ctx->z, &ctx->Qp,
+                                                 &ctx->d, f_rng, p_rng,
+                                                 rs_ctx ) ) != 0 )
+    {
+        return( ret );
+    }
+#else
+    if( ( ret = mbedtls_ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp,
+                                             &ctx->d, f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    if( mbedtls_mpi_size( &ctx->z ) > blen )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    *olen = ctx->grp.pbits / 8 + ( ( ctx->grp.pbits % 8 ) != 0 );
+    return mbedtls_mpi_write_binary( &ctx->z, buf, *olen );
+}
+
+/*
+ * Derive and export the shared secret
+ */
+int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_calc_secret_internal( ctx, olen, buf, blen, f_rng, p_rng,
+                                       restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_calc_secret_internal( &ctx->ctx.mbed_ecdh, olen, buf,
+                                               blen, f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+#endif
+}
+
+#endif /* MBEDTLS_ECDH_C */
diff --git a/ctrtool/deps/libmbedtls/src/ecdsa.c b/ctrtool/deps/libmbedtls/src/ecdsa.c
new file mode 100644
index 00000000..6b72e0d9
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ecdsa.c
@@ -0,0 +1,991 @@
+/*
+ *  Elliptic curve DSA
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include "mbedtls/platform_util.h"
+
+/* Parameter validation macros based on platform_util.h */
+#define ECDSA_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDSA_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/*
+ * Sub-context for ecdsa_verify()
+ */
+struct mbedtls_ecdsa_restart_ver
+{
+    mbedtls_mpi u1, u2;     /* intermediate values  */
+    enum {                  /* what to do next?     */
+        ecdsa_ver_init = 0, /* getting started      */
+        ecdsa_ver_muladd,   /* muladd step          */
+    } state;
+};
+
+/*
+ * Init verify restart sub-context
+ */
+static void ecdsa_restart_ver_init( mbedtls_ecdsa_restart_ver_ctx *ctx )
+{
+    mbedtls_mpi_init( &ctx->u1 );
+    mbedtls_mpi_init( &ctx->u2 );
+    ctx->state = ecdsa_ver_init;
+}
+
+/*
+ * Free the components of a verify restart sub-context
+ */
+static void ecdsa_restart_ver_free( mbedtls_ecdsa_restart_ver_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->u1 );
+    mbedtls_mpi_free( &ctx->u2 );
+
+    ecdsa_restart_ver_init( ctx );
+}
+
+/*
+ * Sub-context for ecdsa_sign()
+ */
+struct mbedtls_ecdsa_restart_sig
+{
+    int sign_tries;
+    int key_tries;
+    mbedtls_mpi k;          /* per-signature random */
+    mbedtls_mpi r;          /* r value              */
+    enum {                  /* what to do next?     */
+        ecdsa_sig_init = 0, /* getting started      */
+        ecdsa_sig_mul,      /* doing ecp_mul()      */
+        ecdsa_sig_modn,     /* mod N computations   */
+    } state;
+};
+
+/*
+ * Init verify sign sub-context
+ */
+static void ecdsa_restart_sig_init( mbedtls_ecdsa_restart_sig_ctx *ctx )
+{
+    ctx->sign_tries = 0;
+    ctx->key_tries = 0;
+    mbedtls_mpi_init( &ctx->k );
+    mbedtls_mpi_init( &ctx->r );
+    ctx->state = ecdsa_sig_init;
+}
+
+/*
+ * Free the components of a sign restart sub-context
+ */
+static void ecdsa_restart_sig_free( mbedtls_ecdsa_restart_sig_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->k );
+    mbedtls_mpi_free( &ctx->r );
+}
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Sub-context for ecdsa_sign_det()
+ */
+struct mbedtls_ecdsa_restart_det
+{
+    mbedtls_hmac_drbg_context rng_ctx;  /* DRBG state   */
+    enum {                      /* what to do next?     */
+        ecdsa_det_init = 0,     /* getting started      */
+        ecdsa_det_sign,         /* make signature       */
+    } state;
+};
+
+/*
+ * Init verify sign_det sub-context
+ */
+static void ecdsa_restart_det_init( mbedtls_ecdsa_restart_det_ctx *ctx )
+{
+    mbedtls_hmac_drbg_init( &ctx->rng_ctx );
+    ctx->state = ecdsa_det_init;
+}
+
+/*
+ * Free the components of a sign_det restart sub-context
+ */
+static void ecdsa_restart_det_free( mbedtls_ecdsa_restart_det_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_hmac_drbg_free( &ctx->rng_ctx );
+
+    ecdsa_restart_det_init( ctx );
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#define ECDSA_RS_ECP    ( rs_ctx == NULL ? NULL : &rs_ctx->ecp )
+
+/* Utility macro for checking and updating ops budget */
+#define ECDSA_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, ECDSA_RS_ECP, ops ) );
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECDSA_RS_ENTER( SUB )   do {                                 \
+    /* reset ops count for this call if top-level */                 \
+    if( rs_ctx != NULL && rs_ctx->ecp.depth++ == 0 )                 \
+        rs_ctx->ecp.ops_done = 0;                                    \
+                                                                     \
+    /* set up our own sub-context if needed */                       \
+    if( mbedtls_ecp_restart_is_enabled() &&                          \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                      \
+    {                                                                \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );   \
+        if( rs_ctx->SUB == NULL )                                    \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                  \
+                                                                     \
+        ecdsa_restart_## SUB ##_init( rs_ctx->SUB );                 \
+    }                                                                \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECDSA_RS_LEAVE( SUB )   do {                                 \
+    /* clear our sub-context when not in progress (done or error) */ \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                     \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                         \
+    {                                                                \
+        ecdsa_restart_## SUB ##_free( rs_ctx->SUB );                 \
+        mbedtls_free( rs_ctx->SUB );                                 \
+        rs_ctx->SUB = NULL;                                          \
+    }                                                                \
+                                                                     \
+    if( rs_ctx != NULL )                                             \
+        rs_ctx->ecp.depth--;                                         \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECDSA_RS_ECP    NULL
+
+#define ECDSA_BUDGET( ops )   /* no-op; for compatibility */
+
+#define ECDSA_RS_ENTER( SUB )   (void) rs_ctx
+#define ECDSA_RS_LEAVE( SUB )   (void) rs_ctx
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Derive a suitable integer for group grp from a buffer of length len
+ * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
+ */
+static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x,
+                       const unsigned char *buf, size_t blen )
+{
+    int ret;
+    size_t n_size = ( grp->nbits + 7 ) / 8;
+    size_t use_size = blen > n_size ? n_size : blen;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( x, buf, use_size ) );
+    if( use_size * 8 > grp->nbits )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( x, use_size * 8 - grp->nbits ) );
+
+    /* While at it, reduce modulo N */
+    if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( x, x, &grp->N ) );
+
+cleanup:
+    return( ret );
+}
+
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/*
+ * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
+ * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
+ */
+static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
+                mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                int (*f_rng_blind)(void *, unsigned char *, size_t),
+                void *p_rng_blind,
+                mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret, key_tries, sign_tries;
+    int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
+    mbedtls_ecp_point R;
+    mbedtls_mpi k, e, t;
+    mbedtls_mpi *pk = &k, *pr = r;
+
+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /* Make sure d is in range 1..n-1 */
+    if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    mbedtls_ecp_point_init( &R );
+    mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );
+
+    ECDSA_RS_ENTER( sig );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->sig != NULL )
+    {
+        /* redirect to our context */
+        p_sign_tries = &rs_ctx->sig->sign_tries;
+        p_key_tries = &rs_ctx->sig->key_tries;
+        pk = &rs_ctx->sig->k;
+        pr = &rs_ctx->sig->r;
+
+        /* jump to current step */
+        if( rs_ctx->sig->state == ecdsa_sig_mul )
+            goto mul;
+        if( rs_ctx->sig->state == ecdsa_sig_modn )
+            goto modn;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    *p_sign_tries = 0;
+    do
+    {
+        if( (*p_sign_tries)++ > 10 )
+        {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
+
+        /*
+         * Steps 1-3: generate a suitable ephemeral keypair
+         * and set r = xR mod n
+         */
+        *p_key_tries = 0;
+        do
+        {
+            if( (*p_key_tries)++ > 10 )
+            {
+                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+                goto cleanup;
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if( rs_ctx != NULL && rs_ctx->sig != NULL )
+                rs_ctx->sig->state = ecdsa_sig_mul;
+
+mul:
+#endif
+            MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
+                                                          f_rng_blind,
+                                                          p_rng_blind,
+                                                          ECDSA_RS_ECP ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
+        }
+        while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && rs_ctx->sig != NULL )
+            rs_ctx->sig->state = ecdsa_sig_modn;
+
+modn:
+#endif
+        /*
+         * Accounting for everything up to the end of the loop
+         * (step 6, but checking now avoids saving e and t)
+         */
+        ECDSA_BUDGET( MBEDTLS_ECP_OPS_INV + 4 );
+
+        /*
+         * Step 5: derive MPI from hashed message
+         */
+        MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
+
+        /*
+         * Generate a random value to blind inv_mod in next step,
+         * avoiding a potential timing leak.
+         */
+        MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng_blind,
+                                                  p_rng_blind ) );
+
+        /*
+         * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, pr, d ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
+    }
+    while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->sig != NULL )
+        mbedtls_mpi_copy( r, pr );
+#endif
+
+cleanup:
+    mbedtls_ecp_point_free( &R );
+    mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );
+
+    ECDSA_RS_LEAVE( sig );
+
+    return( ret );
+}
+
+/*
+ * Compute ECDSA signature of a hashed message
+ */
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( f_rng != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+
+    /* Use the same RNG for both blinding and ephemeral key generation */
+    return( ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                                    f_rng, p_rng, f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Deterministic signature wrapper
+ */
+static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp,
+                    mbedtls_mpi *r, mbedtls_mpi *s,
+                    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                    mbedtls_md_type_t md_alg,
+                    int (*f_rng_blind)(void *, unsigned char *, size_t),
+                    void *p_rng_blind,
+                    mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_hmac_drbg_context rng_ctx;
+    mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
+    unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
+    size_t grp_len = ( grp->nbits + 7 ) / 8;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_mpi h;
+
+    if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &h );
+    mbedtls_hmac_drbg_init( &rng_ctx );
+
+    ECDSA_RS_ENTER( det );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->det != NULL )
+    {
+        /* redirect to our context */
+        p_rng = &rs_ctx->det->rng_ctx;
+
+        /* jump to current step */
+        if( rs_ctx->det->state == ecdsa_det_sign )
+            goto sign;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) );
+    MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) );
+    mbedtls_hmac_drbg_seed_buf( p_rng, md_info, data, 2 * grp_len );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->det != NULL )
+        rs_ctx->det->state = ecdsa_det_sign;
+
+sign:
+#endif
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
+                              mbedtls_hmac_drbg_random, p_rng );
+#else
+    if( f_rng_blind != NULL )
+        ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                                      mbedtls_hmac_drbg_random, p_rng,
+                                      f_rng_blind, p_rng_blind, rs_ctx );
+    else
+    {
+        mbedtls_hmac_drbg_context *p_rng_blind_det;
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+        /*
+         * To avoid reusing rng_ctx and risking incorrect behavior we seed a
+         * second HMAC-DRBG with the same seed. We also apply a label to avoid
+         * reusing the bits of the ephemeral key for blinding and eliminate the
+         * risk that they leak this way.
+         */
+        const char* blind_label = "BLINDING CONTEXT";
+        mbedtls_hmac_drbg_context rng_ctx_blind;
+
+        mbedtls_hmac_drbg_init( &rng_ctx_blind );
+        p_rng_blind_det = &rng_ctx_blind;
+
+        mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info,
+                                    data, 2 * grp_len );
+        ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det,
+                                            (const unsigned char*) blind_label,
+                                            strlen( blind_label ) );
+        if( ret != 0 )
+        {
+            mbedtls_hmac_drbg_free( &rng_ctx_blind );
+            goto cleanup;
+        }
+#else
+        /*
+         * In the case of restartable computations we would either need to store
+         * the second RNG in the restart context too or set it up at every
+         * restart. The first option would penalize the correct application of
+         * the function and the second would defeat the purpose of the
+         * restartable feature.
+         *
+         * Therefore in this case we reuse the original RNG. This comes with the
+         * price that the resulting signature might not be a valid deterministic
+         * ECDSA signature with a very low probability (same magnitude as
+         * successfully guessing the private key). However even then it is still
+         * a valid ECDSA signature.
+         */
+        p_rng_blind_det = p_rng;
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+        /*
+         * Since the output of the RNGs is always the same for the same key and
+         * message, this limits the efficiency of blinding and leaks information
+         * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL
+         * won't be a valid value for f_rng_blind anymore. Therefore it should
+         * be checked by the caller and this branch and check can be removed.
+         */
+        ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                                      mbedtls_hmac_drbg_random, p_rng,
+                                      mbedtls_hmac_drbg_random, p_rng_blind_det,
+                                      rs_ctx );
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+        mbedtls_hmac_drbg_free( &rng_ctx_blind );
+#endif
+    }
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+cleanup:
+    mbedtls_hmac_drbg_free( &rng_ctx );
+    mbedtls_mpi_free( &h );
+
+    ECDSA_RS_LEAVE( det );
+
+    return( ret );
+}
+
+/*
+ * Deterministic signature wrappers
+ */
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
+                            mbedtls_md_type_t md_alg )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+
+    return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
+                                        NULL, NULL, NULL ) );
+}
+
+int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                mbedtls_md_type_t md_alg,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+    ECDSA_VALIDATE_RET( f_rng_blind != NULL );
+
+    return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
+                                        f_rng_blind, p_rng_blind, NULL ) );
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/*
+ * Verify ECDSA signature of hashed message (SEC1 4.1.4)
+ * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
+ */
+static int ecdsa_verify_restartable( mbedtls_ecp_group *grp,
+                                     const unsigned char *buf, size_t blen,
+                                     const mbedtls_ecp_point *Q,
+                                     const mbedtls_mpi *r, const mbedtls_mpi *s,
+                                     mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_mpi e, s_inv, u1, u2;
+    mbedtls_ecp_point R;
+    mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
+
+    mbedtls_ecp_point_init( &R );
+    mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv );
+    mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
+
+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    ECDSA_RS_ENTER( ver );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ver != NULL )
+    {
+        /* redirect to our context */
+        pu1 = &rs_ctx->ver->u1;
+        pu2 = &rs_ctx->ver->u2;
+
+        /* jump to current step */
+        if( rs_ctx->ver->state == ecdsa_ver_muladd )
+            goto muladd;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    /*
+     * Step 1: make sure r and s are in range 1..n-1
+     */
+    if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 ||
+        mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    /*
+     * Step 3: derive MPI from hashed message
+     */
+    MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
+
+    /*
+     * Step 4: u1 = e / s mod n, u2 = r / s mod n
+     */
+    ECDSA_BUDGET( MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu1, &e, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu1, pu1, &grp->N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu2, r, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu2, pu2, &grp->N ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ver != NULL )
+        rs_ctx->ver->state = ecdsa_ver_muladd;
+
+muladd:
+#endif
+    /*
+     * Step 5: R = u1 G + u2 Q
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd_restartable( grp,
+                     &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP ) );
+
+    if( mbedtls_ecp_is_zero( &R ) )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    /*
+     * Step 6: convert xR to an integer (no-op)
+     * Step 7: reduce xR mod n (gives v)
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
+
+    /*
+     * Step 8: check if v (that is, R.X) is equal to r
+     */
+    if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &R );
+    mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv );
+    mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
+
+    ECDSA_RS_LEAVE( ver );
+
+    return( ret );
+}
+
+/*
+ * Verify ECDSA signature of hashed message
+ */
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                          const unsigned char *buf, size_t blen,
+                          const mbedtls_ecp_point *Q,
+                          const mbedtls_mpi *r,
+                          const mbedtls_mpi *s)
+{
+    ECDSA_VALIDATE_RET( grp != NULL );
+    ECDSA_VALIDATE_RET( Q   != NULL );
+    ECDSA_VALIDATE_RET( r   != NULL );
+    ECDSA_VALIDATE_RET( s   != NULL );
+    ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
+
+    return( ecdsa_verify_restartable( grp, buf, blen, Q, r, s, NULL ) );
+}
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
+/*
+ * Convert a signature (given by context) to ASN.1
+ */
+static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
+                                    unsigned char *sig, size_t *slen )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_ECDSA_MAX_LEN];
+    unsigned char *p = buf + sizeof( buf );
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, s ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, r ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf,
+                                       MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+    memcpy( sig, p, len );
+    *slen = len;
+
+    return( 0 );
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
+                           mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
+
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &s );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d,
+                                                 hash, hlen, md_alg, f_rng,
+                                                 p_rng, rs_ctx ) );
+#else
+    (void) md_alg;
+
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
+                         hash, hlen, f_rng, p_rng ) );
+#else
+    /* Use the same RNG for both blinding and ephemeral key generation */
+    MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d,
+                                             hash, hlen, f_rng, p_rng, f_rng,
+                                             p_rng, rs_ctx ) );
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+    MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) );
+
+cleanup:
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &s );
+
+    return( ret );
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+                                 mbedtls_md_type_t md_alg,
+                                 const unsigned char *hash, size_t hlen,
+                                 unsigned char *sig, size_t *slen,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
+    return( mbedtls_ecdsa_write_signature_restartable(
+                ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL ) );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED) && \
+    defined(MBEDTLS_ECDSA_DETERMINISTIC)
+int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
+                               const unsigned char *hash, size_t hlen,
+                               unsigned char *sig, size_t *slen,
+                               mbedtls_md_type_t md_alg )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
+    return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
+                                   NULL, NULL ) );
+}
+#endif
+
+/*
+ * Read and check signature
+ */
+int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    return( mbedtls_ecdsa_read_signature_restartable(
+                ctx, hash, hlen, sig, slen, NULL ) );
+}
+
+/*
+ * Restartable read and check signature
+ */
+int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen,
+                          mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char *p = (unsigned char *) sig;
+    const unsigned char *end = sig + slen;
+    size_t len;
+    mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &s );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    if( p + len != end )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+        goto cleanup;
+    }
+
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
+        ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
+    {
+        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen,
+                                      &ctx->Q, &r, &s ) ) != 0 )
+        goto cleanup;
+#else
+    if( ( ret = ecdsa_verify_restartable( &ctx->grp, hash, hlen,
+                              &ctx->Q, &r, &s, rs_ctx ) ) != 0 )
+        goto cleanup;
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+    /* At this point we know that the buffer starts with a valid signature.
+     * Return 0 if the buffer just contains the signature, and a specific
+     * error code if the valid signature is followed by more data. */
+    if( p != end )
+        ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
+
+cleanup:
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &s );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
+/*
+ * Generate key pair
+ */
+int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret = 0;
+    ECDSA_VALIDATE_RET( ctx   != NULL );
+    ECDSA_VALIDATE_RET( f_rng != NULL );
+
+    ret = mbedtls_ecp_group_load( &ctx->grp, gid );
+    if( ret != 0 )
+        return( ret );
+
+   return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d,
+                                    &ctx->Q, f_rng, p_rng ) );
+}
+#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
+
+/*
+ * Set context from an mbedtls_ecp_keypair
+ */
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
+{
+    int ret;
+    ECDSA_VALIDATE_RET( ctx != NULL );
+    ECDSA_VALIDATE_RET( key != NULL );
+
+    if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
+        ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
+    {
+        mbedtls_ecdsa_free( ctx );
+    }
+
+    return( ret );
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
+{
+    ECDSA_VALIDATE( ctx != NULL );
+
+    mbedtls_ecp_keypair_init( ctx );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_keypair_free( ctx );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx )
+{
+    ECDSA_VALIDATE( ctx != NULL );
+
+    mbedtls_ecp_restart_init( &ctx->ecp );
+
+    ctx->ver = NULL;
+    ctx->sig = NULL;
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ctx->det = NULL;
+#endif
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_restart_free( &ctx->ecp );
+
+    ecdsa_restart_ver_free( ctx->ver );
+    mbedtls_free( ctx->ver );
+    ctx->ver = NULL;
+
+    ecdsa_restart_sig_free( ctx->sig );
+    mbedtls_free( ctx->sig );
+    ctx->sig = NULL;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ecdsa_restart_det_free( ctx->det );
+    mbedtls_free( ctx->det );
+    ctx->det = NULL;
+#endif
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#endif /* MBEDTLS_ECDSA_C */
diff --git a/ctrtool/deps/libmbedtls/src/ecjpake.c b/ctrtool/deps/libmbedtls/src/ecjpake.c
new file mode 100644
index 00000000..1845c936
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ecjpake.c
@@ -0,0 +1,1140 @@
+/*
+ *  Elliptic curve J-PAKE
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References in the code are to the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECJPAKE_C)
+
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define ECJPAKE_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECJPAKE_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * Convert a mbedtls_ecjpake_role to identifier string
+ */
+static const char * const ecjpake_id[] = {
+    "client",
+    "server"
+};
+
+#define ID_MINE     ( ecjpake_id[ ctx->role ] )
+#define ID_PEER     ( ecjpake_id[ 1 - ctx->role ] )
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx )
+{
+    ECJPAKE_VALIDATE( ctx != NULL );
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_init( &ctx->grp );
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    mbedtls_ecp_point_init( &ctx->Xm1 );
+    mbedtls_ecp_point_init( &ctx->Xm2 );
+    mbedtls_ecp_point_init( &ctx->Xp1 );
+    mbedtls_ecp_point_init( &ctx->Xp2 );
+    mbedtls_ecp_point_init( &ctx->Xp  );
+
+    mbedtls_mpi_init( &ctx->xm1 );
+    mbedtls_mpi_init( &ctx->xm2 );
+    mbedtls_mpi_init( &ctx->s   );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_free( &ctx->grp );
+
+    mbedtls_ecp_point_free( &ctx->Xm1 );
+    mbedtls_ecp_point_free( &ctx->Xm2 );
+    mbedtls_ecp_point_free( &ctx->Xp1 );
+    mbedtls_ecp_point_free( &ctx->Xp2 );
+    mbedtls_ecp_point_free( &ctx->Xp  );
+
+    mbedtls_mpi_free( &ctx->xm1 );
+    mbedtls_mpi_free( &ctx->xm2 );
+    mbedtls_mpi_free( &ctx->s   );
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
+                           mbedtls_ecjpake_role role,
+                           mbedtls_md_type_t hash,
+                           mbedtls_ecp_group_id curve,
+                           const unsigned char *secret,
+                           size_t len )
+{
+    int ret;
+
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( role == MBEDTLS_ECJPAKE_CLIENT ||
+                          role == MBEDTLS_ECJPAKE_SERVER );
+    ECJPAKE_VALIDATE_RET( secret != NULL || len == 0 );
+
+    ctx->role = role;
+
+    if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL )
+        return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ctx->grp, curve ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->s, secret, len ) );
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_ecjpake_free( ctx );
+
+    return( ret );
+}
+
+/*
+ * Check if context is ready for use
+ */
+int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx )
+{
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+
+    if( ctx->md_info == NULL ||
+        ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
+        ctx->s.p == NULL )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Write a point plus its length to a buffer
+ */
+static int ecjpake_write_len_point( unsigned char **p,
+                                    const unsigned char *end,
+                                    const mbedtls_ecp_group *grp,
+                                    const int pf,
+                                    const mbedtls_ecp_point *P )
+{
+    int ret;
+    size_t len;
+
+    /* Need at least 4 for length plus 1 for point */
+    if( end < *p || end - *p < 5 )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    ret = mbedtls_ecp_point_write_binary( grp, P, pf,
+                                          &len, *p + 4, end - ( *p + 4 ) );
+    if( ret != 0 )
+        return( ret );
+
+    (*p)[0] = (unsigned char)( ( len >> 24 ) & 0xFF );
+    (*p)[1] = (unsigned char)( ( len >> 16 ) & 0xFF );
+    (*p)[2] = (unsigned char)( ( len >>  8 ) & 0xFF );
+    (*p)[3] = (unsigned char)( ( len       ) & 0xFF );
+
+    *p += 4 + len;
+
+    return( 0 );
+}
+
+/*
+ * Size of the temporary buffer for ecjpake_hash:
+ * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
+ */
+#define ECJPAKE_HASH_BUF_LEN    ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 4 + 6 )
+
+/*
+ * Compute hash for ZKP (7.4.2.2.2.1)
+ */
+static int ecjpake_hash( const mbedtls_md_info_t *md_info,
+                         const mbedtls_ecp_group *grp,
+                         const int pf,
+                         const mbedtls_ecp_point *G,
+                         const mbedtls_ecp_point *V,
+                         const mbedtls_ecp_point *X,
+                         const char *id,
+                         mbedtls_mpi *h )
+{
+    int ret;
+    unsigned char buf[ECJPAKE_HASH_BUF_LEN];
+    unsigned char *p = buf;
+    const unsigned char *end = buf + sizeof( buf );
+    const size_t id_len = strlen( id );
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    /* Write things to temporary buffer */
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, G ) );
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, V ) );
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, X ) );
+
+    if( end - p < 4 )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    *p++ = (unsigned char)( ( id_len >> 24 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len >> 16 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len >>  8 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len       ) & 0xFF );
+
+    if( end < p || (size_t)( end - p ) < id_len )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    memcpy( p, id, id_len );
+    p += id_len;
+
+    /* Compute hash */
+    MBEDTLS_MPI_CHK( mbedtls_md( md_info, buf, p - buf, hash ) );
+
+    /* Turn it into an integer mod n */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash,
+                                        mbedtls_md_get_size( md_info ) ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( h, h, &grp->N ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
+ */
+static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             const mbedtls_ecp_point *X,
+                             const char *id,
+                             const unsigned char **p,
+                             const unsigned char *end )
+{
+    int ret;
+    mbedtls_ecp_point V, VV;
+    mbedtls_mpi r, h;
+    size_t r_len;
+
+    mbedtls_ecp_point_init( &V );
+    mbedtls_ecp_point_init( &VV );
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &h );
+
+    /*
+     * struct {
+     *     ECPoint V;
+     *     opaque r<1..2^8-1>;
+     * } ECSchnorrZKP;
+     */
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, &V, p, end - *p ) );
+
+    if( end < *p || (size_t)( end - *p ) < 1 )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    r_len = *(*p)++;
+
+    if( end < *p || (size_t)( end - *p ) < r_len )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r, *p, r_len ) );
+    *p += r_len;
+
+    /*
+     * Verification
+     */
+    MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp,
+                     &VV, &h, X, &r, G ) );
+
+    if( mbedtls_ecp_point_cmp( &VV, &V ) != 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &V );
+    mbedtls_ecp_point_free( &VV );
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &h );
+
+    return( ret );
+}
+
+/*
+ * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
+ */
+static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              const mbedtls_mpi *x,
+                              const mbedtls_ecp_point *X,
+                              const char *id,
+                              unsigned char **p,
+                              const unsigned char *end,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point V;
+    mbedtls_mpi v;
+    mbedtls_mpi h; /* later recycled to hold r */
+    size_t len;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    mbedtls_ecp_point_init( &V );
+    mbedtls_mpi_init( &v );
+    mbedtls_mpi_init( &h );
+
+    /* Compute signature */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp,
+                                                   G, &v, &V, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */
+
+    /* Write it out */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, &V,
+                pf, &len, *p, end - *p ) );
+    *p += len;
+
+    len = mbedtls_mpi_size( &h ); /* actually r */
+    if( end < *p || (size_t)( end - *p ) < 1 + len || len > 255 )
+    {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+
+    *(*p)++ = (unsigned char)( len & 0xFF );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */
+    *p += len;
+
+cleanup:
+    mbedtls_ecp_point_free( &V );
+    mbedtls_mpi_free( &v );
+    mbedtls_mpi_free( &h );
+
+    return( ret );
+}
+
+/*
+ * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
+ * Output: verified public key X
+ */
+static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             mbedtls_ecp_point *X,
+                             const char *id,
+                             const unsigned char **p,
+                             const unsigned char *end )
+{
+    int ret;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * struct {
+     *     ECPoint X;
+     *     ECSchnorrZKP zkp;
+     * } ECJPAKEKeyKP;
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, X, p, end - *p ) );
+    if( mbedtls_ecp_is_zero( X ) )
+    {
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, pf, G, X, id, p, end ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate an ECJPAKEKeyKP
+ * Output: the serialized structure, plus private/public key pair
+ */
+static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              mbedtls_mpi *x,
+                              mbedtls_ecp_point *X,
+                              const char *id,
+                              unsigned char **p,
+                              const unsigned char *end,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    size_t len;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    /* Generate key (7.4.2.3.1) and write it out */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, G, x, X,
+                                                   f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, X,
+                pf, &len, *p, end - *p ) );
+    *p += len;
+
+    /* Generate and write proof */
+    MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, grp, pf, G, x, X, id,
+                                        p, end, f_rng, p_rng ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
+ * Ouputs: verified peer public keys Xa, Xb
+ */
+static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              mbedtls_ecp_point *Xa,
+                              mbedtls_ecp_point *Xb,
+                              const char *id,
+                              const unsigned char *buf,
+                              size_t len )
+{
+    int ret;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    /*
+     * struct {
+     *     ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
+     * } ECJPAKEKeyKPPairList;
+     */
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xa, id, &p, end ) );
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xb, id, &p, end ) );
+
+    if( p != end )
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate a ECJPAKEKeyKPPairList
+ * Outputs: the serialized structure, plus two private/public key pairs
+ */
+static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info,
+                               const mbedtls_ecp_group *grp,
+                               const int pf,
+                               const mbedtls_ecp_point *G,
+                               mbedtls_mpi *xm1,
+                               mbedtls_ecp_point *Xa,
+                               mbedtls_mpi *xm2,
+                               mbedtls_ecp_point *Xb,
+                               const char *id,
+                               unsigned char *buf,
+                               size_t len,
+                               size_t *olen,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm1, Xa, id,
+                &p, end, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm2, Xb, id,
+                &p, end, f_rng, p_rng ) );
+
+    *olen = p - buf;
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Read and process the first round message
+ */
+int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len )
+{
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( buf != NULL );
+
+    return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, ctx->point_format,
+                               &ctx->grp.G,
+                               &ctx->Xp1, &ctx->Xp2, ID_PEER,
+                               buf, len ) );
+}
+
+/*
+ * Generate and write the first round message
+ */
+int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
+    return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, ctx->point_format,
+                                &ctx->grp.G,
+                                &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
+                                ID_MINE, buf, len, olen, f_rng, p_rng ) );
+}
+
+/*
+ * Compute the sum of three points R = A + B + C
+ */
+static int ecjpake_ecp_add3( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                             const mbedtls_ecp_point *A,
+                             const mbedtls_ecp_point *B,
+                             const mbedtls_ecp_point *C )
+{
+    int ret;
+    mbedtls_mpi one;
+
+    mbedtls_mpi_init( &one );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, A, &one, B ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, R, &one, C ) );
+
+cleanup:
+    mbedtls_mpi_free( &one );
+
+    return( ret );
+}
+
+/*
+ * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
+ */
+int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
+                                            const unsigned char *buf,
+                                            size_t len )
+{
+    int ret;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point G;    /* C: GB, S: GA */
+
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( buf != NULL );
+
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &G );
+
+    /*
+     * Server: GA = X3  + X4  + X1      (7.4.2.6.1)
+     * Client: GB = X1  + X2  + X3      (7.4.2.5.1)
+     * Unified: G = Xm1 + Xm2 + Xp1
+     * We need that before parsing in order to check Xp as we read it
+     */
+    MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G,
+                                       &ctx->Xm1, &ctx->Xm2, &ctx->Xp1 ) );
+
+    /*
+     * struct {
+     *     ECParameters curve_params;   // only client reading server msg
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if( ctx->role == MBEDTLS_ECJPAKE_CLIENT )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) );
+        if( grp.id != ctx->grp.id )
+        {
+            ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+            goto cleanup;
+        }
+    }
+
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp,
+                            ctx->point_format,
+                            &G, &ctx->Xp, ID_PEER, &p, end ) );
+
+    if( p != end )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &G );
+
+    return( ret );
+}
+
+/*
+ * Compute R = +/- X * S mod N, taking care not to leak S
+ */
+static int ecjpake_mul_secret( mbedtls_mpi *R, int sign,
+                               const mbedtls_mpi *X,
+                               const mbedtls_mpi *S,
+                               const mbedtls_mpi *N,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
+{
+    int ret;
+    mbedtls_mpi b; /* Blinding value, then s + N * blinding */
+
+    mbedtls_mpi_init( &b );
+
+    /* b = s + rnd-128-bit * N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &b, 16, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &b, &b, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &b, &b, S ) );
+
+    /* R = sign * X * b mod N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( R, X, &b ) );
+    R->s *= sign;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( R, R, N ) );
+
+cleanup:
+    mbedtls_mpi_free( &b );
+
+    return( ret );
+}
+
+/*
+ * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
+ */
+int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point G;    /* C: GA, S: GB */
+    mbedtls_ecp_point Xm;   /* C: Xc, S: Xs */
+    mbedtls_mpi xm;         /* C: xc, S: xs */
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    size_t ec_len;
+
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
+    mbedtls_ecp_point_init( &G );
+    mbedtls_ecp_point_init( &Xm );
+    mbedtls_mpi_init( &xm );
+
+    /*
+     * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
+     *
+     * Client:  GA = X1  + X3  + X4  | xs = x2  * s | Xc = xc * GA
+     * Server:  GB = X3  + X1  + X2  | xs = x4  * s | Xs = xs * GB
+     * Unified: G  = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
+     */
+    MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G,
+                                       &ctx->Xp1, &ctx->Xp2, &ctx->Xm1 ) );
+    MBEDTLS_MPI_CHK( ecjpake_mul_secret( &xm, 1, &ctx->xm2, &ctx->s,
+                                         &ctx->grp.N, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xm, &xm, &G, f_rng, p_rng ) );
+
+    /*
+     * Now write things out
+     *
+     * struct {
+     *     ECParameters curve_params;   // only server writing its message
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if( ctx->role == MBEDTLS_ECJPAKE_SERVER )
+    {
+        if( end < p )
+        {
+            ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+            goto cleanup;
+        }
+        MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_group( &ctx->grp, &ec_len,
+                                                      p, end - p ) );
+        p += ec_len;
+    }
+
+    if( end < p )
+    {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xm,
+                     ctx->point_format, &ec_len, p, end - p ) );
+    p += ec_len;
+
+    MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp,
+                                        ctx->point_format,
+                                        &G, &xm, &Xm, ID_MINE,
+                                        &p, end, f_rng, p_rng ) );
+
+    *olen = p - buf;
+
+cleanup:
+    mbedtls_ecp_point_free( &G );
+    mbedtls_ecp_point_free( &Xm );
+    mbedtls_mpi_free( &xm );
+
+    return( ret );
+}
+
+/*
+ * Derive PMS (7.4.2.7 / 7.4.2.8)
+ */
+int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point K;
+    mbedtls_mpi m_xm2_s, one;
+    unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
+    size_t x_bytes;
+
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
+    *olen = mbedtls_md_get_size( ctx->md_info );
+    if( len < *olen )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    mbedtls_ecp_point_init( &K );
+    mbedtls_mpi_init( &m_xm2_s );
+    mbedtls_mpi_init( &one );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) );
+
+    /*
+     * Client:  K = ( Xs - X4  * x2  * s ) * x2
+     * Server:  K = ( Xc - X2  * x4  * s ) * x4
+     * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
+     */
+    MBEDTLS_MPI_CHK( ecjpake_mul_secret( &m_xm2_s, -1, &ctx->xm2, &ctx->s,
+                                         &ctx->grp.N, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K,
+                                         &one, &ctx->Xp,
+                                         &m_xm2_s, &ctx->Xp2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xm2, &K,
+                                      f_rng, p_rng ) );
+
+    /* PMS = SHA-256( K.X ) */
+    x_bytes = ( ctx->grp.pbits + 7 ) / 8;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &K.X, kx, x_bytes ) );
+    MBEDTLS_MPI_CHK( mbedtls_md( ctx->md_info, kx, x_bytes, buf ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &K );
+    mbedtls_mpi_free( &m_xm2_s );
+    mbedtls_mpi_free( &one );
+
+    return( ret );
+}
+
+#undef ID_MINE
+#undef ID_PEER
+
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif
+
+#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+    !defined(MBEDTLS_SHA256_C)
+int mbedtls_ecjpake_self_test( int verbose )
+{
+    (void) verbose;
+    return( 0 );
+}
+#else
+
+static const unsigned char ecjpake_test_password[] = {
+    0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
+    0x65, 0x73, 0x74
+};
+
+static const unsigned char ecjpake_test_x1[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
+    0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+    0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
+};
+
+static const unsigned char ecjpake_test_x2[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x3[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x4[] = {
+    0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
+    0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
+    0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
+};
+
+static const unsigned char ecjpake_test_cli_one[] = {
+    0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
+    0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
+    0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
+    0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
+    0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
+    0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
+    0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
+    0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
+    0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
+    0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
+    0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
+    0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
+    0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
+    0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
+    0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
+    0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
+    0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
+    0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
+    0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
+    0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
+    0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
+    0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
+    0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
+    0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
+    0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
+    0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
+    0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
+    0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
+};
+
+static const unsigned char ecjpake_test_srv_one[] = {
+    0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
+    0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
+    0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
+    0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
+    0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
+    0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
+    0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
+    0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
+    0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
+    0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
+    0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
+    0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
+    0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
+    0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
+    0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
+    0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
+    0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
+    0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
+    0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
+    0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
+    0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
+    0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
+    0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
+    0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
+    0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
+    0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
+    0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
+    0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
+};
+
+static const unsigned char ecjpake_test_srv_two[] = {
+    0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
+    0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
+    0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
+    0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
+    0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
+    0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
+    0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
+    0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
+    0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
+    0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
+    0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
+    0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
+    0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
+    0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
+};
+
+static const unsigned char ecjpake_test_cli_two[] = {
+    0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
+    0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
+    0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
+    0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
+    0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
+    0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
+    0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
+    0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
+    0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
+    0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
+    0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
+    0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
+    0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
+    0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
+};
+
+static const unsigned char ecjpake_test_pms[] = {
+    0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
+    0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
+    0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
+};
+
+/* Load my private keys and generate the corresponding public keys */
+static int ecjpake_test_load( mbedtls_ecjpake_context *ctx,
+                              const unsigned char *xm1, size_t len1,
+                              const unsigned char *xm2, size_t len2 )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm1, xm1, len1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm2, xm2, len2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm1, &ctx->xm1,
+                                      &ctx->grp.G, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm2, &ctx->xm2,
+                                      &ctx->grp.G, NULL, NULL ) );
+
+cleanup:
+    return( ret );
+}
+
+/* For tests we don't need a secure RNG;
+ * use the LGC from Numerical Recipes for simplicity */
+static int ecjpake_lgc( void *p, unsigned char *out, size_t len )
+{
+    static uint32_t x = 42;
+    (void) p;
+
+    while( len > 0 )
+    {
+        size_t use_len = len > 4 ? 4 : len;
+        x = 1664525 * x + 1013904223;
+        memcpy( out, &x, use_len );
+        out += use_len;
+        len -= use_len;
+    }
+
+    return( 0 );
+}
+
+#define TEST_ASSERT( x )    \
+    do {                    \
+        if( x )             \
+            ret = 0;        \
+        else                \
+        {                   \
+            ret = 1;        \
+            goto cleanup;   \
+        }                   \
+    } while( 0 )
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecjpake_self_test( int verbose )
+{
+    int ret;
+    mbedtls_ecjpake_context cli;
+    mbedtls_ecjpake_context srv;
+    unsigned char buf[512], pms[32];
+    size_t len, pmslen;
+
+    mbedtls_ecjpake_init( &cli );
+    mbedtls_ecjpake_init( &srv );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #0 (setup): " );
+
+    TEST_ASSERT( mbedtls_ecjpake_setup( &cli, MBEDTLS_ECJPAKE_CLIENT,
+                    MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                    ecjpake_test_password,
+            sizeof( ecjpake_test_password ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_setup( &srv, MBEDTLS_ECJPAKE_SERVER,
+                    MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                    ecjpake_test_password,
+            sizeof( ecjpake_test_password ) ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #1 (random handshake): " );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_one( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_one( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_two( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli,
+                 pms, sizeof( pms ), &pmslen, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_two( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == pmslen );
+    TEST_ASSERT( memcmp( buf, pms, len ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #2 (reference handshake): " );
+
+    /* Simulate generation of round one */
+    MBEDTLS_MPI_CHK( ecjpake_test_load( &cli,
+                ecjpake_test_x1, sizeof( ecjpake_test_x1 ),
+                ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) );
+
+    MBEDTLS_MPI_CHK( ecjpake_test_load( &srv,
+                ecjpake_test_x3, sizeof( ecjpake_test_x3 ),
+                ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) );
+
+    /* Read round one */
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv,
+                                    ecjpake_test_cli_one,
+                            sizeof( ecjpake_test_cli_one ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli,
+                                    ecjpake_test_srv_one,
+                            sizeof( ecjpake_test_srv_one ) ) == 0 );
+
+    /* Skip generation of round two, read round two */
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli,
+                                    ecjpake_test_srv_two,
+                            sizeof( ecjpake_test_srv_two ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv,
+                                    ecjpake_test_cli_two,
+                            sizeof( ecjpake_test_cli_two ) ) == 0 );
+
+    /* Server derives PMS */
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
+    TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
+
+    memset( buf, 0, len ); /* Avoid interferences with next step */
+
+    /* Client derives PMS */
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
+    TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+    mbedtls_ecjpake_free( &cli );
+    mbedtls_ecjpake_free( &srv );
+
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#undef TEST_ASSERT
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ECJPAKE_C */
diff --git a/ctrtool/deps/libmbedtls/src/ecp.c b/ctrtool/deps/libmbedtls/src/ecp.c
new file mode 100644
index 00000000..040c20bd
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ecp.c
@@ -0,0 +1,2999 @@
+/*
+ *  Elliptic curves over GF(p): generic functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
+ * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
+ * RFC 4492 for the related TLS structures and constants
+ * RFC 7748 for the Curve448 and Curve25519 curve definitions
+ *
+ * [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ *     render ECC resistant against Side Channel Attacks. IACR Cryptology
+ *     ePrint Archive, 2004, vol. 2004, p. 342.
+ *     <http://eprint.iacr.org/2004/342.pdf>
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/**
+ * \brief Function level alternative implementation.
+ *
+ * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
+ * replace certain functions in this module. The alternative implementations are
+ * typically hardware accelerators and need to activate the hardware before the
+ * computation starts and deactivate it after it finishes. The
+ * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
+ * this purpose.
+ *
+ * To preserve the correct functionality the following conditions must hold:
+ *
+ * - The alternative implementation must be activated by
+ *   mbedtls_internal_ecp_init() before any of the replaceable functions is
+ *   called.
+ * - mbedtls_internal_ecp_free() must \b only be called when the alternative
+ *   implementation is activated.
+ * - mbedtls_internal_ecp_init() must \b not be called when the alternative
+ *   implementation is activated.
+ * - Public functions must not return while the alternative implementation is
+ *   activated.
+ * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
+ *   before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
+ *   \endcode ensures that the alternative implementation supports the current
+ *   group.
+ */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include "mbedtls/ecp_internal.h"
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Counts of point addition and doubling, and field multiplications.
+ * Used to test resistance of point multiplication to simple timing attacks.
+ */
+static unsigned long add_count, dbl_count, mul_count;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Maximum number of "basic operations" to be done in a row.
+ *
+ * Default value 0 means that ECC operations will not yield.
+ * Note that regardless of the value of ecp_max_ops, always at
+ * least one step is performed before yielding.
+ *
+ * Setting ecp_max_ops=1 can be suitable for testing purposes
+ * as it will interrupt computation at all possible points.
+ */
+static unsigned ecp_max_ops = 0;
+
+/*
+ * Set ecp_max_ops
+ */
+void mbedtls_ecp_set_max_ops( unsigned max_ops )
+{
+    ecp_max_ops = max_ops;
+}
+
+/*
+ * Check if restart is enabled
+ */
+int mbedtls_ecp_restart_is_enabled( void )
+{
+    return( ecp_max_ops != 0 );
+}
+
+/*
+ * Restart sub-context for ecp_mul_comb()
+ */
+struct mbedtls_ecp_restart_mul
+{
+    mbedtls_ecp_point R;    /* current intermediate result                  */
+    size_t i;               /* current index in various loops, 0 outside    */
+    mbedtls_ecp_point *T;   /* table for precomputed points                 */
+    unsigned char T_size;   /* number of points in table T                  */
+    enum {                  /* what were we doing last time we returned?    */
+        ecp_rsm_init = 0,       /* nothing so far, dummy initial state      */
+        ecp_rsm_pre_dbl,        /* precompute 2^n multiples                 */
+        ecp_rsm_pre_norm_dbl,   /* normalize precomputed 2^n multiples      */
+        ecp_rsm_pre_add,        /* precompute remaining points by adding    */
+        ecp_rsm_pre_norm_add,   /* normalize all precomputed points         */
+        ecp_rsm_comb_core,      /* ecp_mul_comb_core()                      */
+        ecp_rsm_final_norm,     /* do the final normalization               */
+    } state;
+};
+
+/*
+ * Init restart_mul sub-context
+ */
+static void ecp_restart_rsm_init( mbedtls_ecp_restart_mul_ctx *ctx )
+{
+    mbedtls_ecp_point_init( &ctx->R );
+    ctx->i = 0;
+    ctx->T = NULL;
+    ctx->T_size = 0;
+    ctx->state = ecp_rsm_init;
+}
+
+/*
+ * Free the components of a restart_mul sub-context
+ */
+static void ecp_restart_rsm_free( mbedtls_ecp_restart_mul_ctx *ctx )
+{
+    unsigned char i;
+
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_point_free( &ctx->R );
+
+    if( ctx->T != NULL )
+    {
+        for( i = 0; i < ctx->T_size; i++ )
+            mbedtls_ecp_point_free( ctx->T + i );
+        mbedtls_free( ctx->T );
+    }
+
+    ecp_restart_rsm_init( ctx );
+}
+
+/*
+ * Restart context for ecp_muladd()
+ */
+struct mbedtls_ecp_restart_muladd
+{
+    mbedtls_ecp_point mP;       /* mP value                             */
+    mbedtls_ecp_point R;        /* R intermediate result                */
+    enum {                      /* what should we do next?              */
+        ecp_rsma_mul1 = 0,      /* first multiplication                 */
+        ecp_rsma_mul2,          /* second multiplication                */
+        ecp_rsma_add,           /* addition                             */
+        ecp_rsma_norm,          /* normalization                        */
+    } state;
+};
+
+/*
+ * Init restart_muladd sub-context
+ */
+static void ecp_restart_ma_init( mbedtls_ecp_restart_muladd_ctx *ctx )
+{
+    mbedtls_ecp_point_init( &ctx->mP );
+    mbedtls_ecp_point_init( &ctx->R );
+    ctx->state = ecp_rsma_mul1;
+}
+
+/*
+ * Free the components of a restart_muladd sub-context
+ */
+static void ecp_restart_ma_free( mbedtls_ecp_restart_muladd_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_point_free( &ctx->mP );
+    mbedtls_ecp_point_free( &ctx->R );
+
+    ecp_restart_ma_init( ctx );
+}
+
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx )
+{
+    ECP_VALIDATE( ctx != NULL );
+    ctx->ops_done = 0;
+    ctx->depth = 0;
+    ctx->rsm = NULL;
+    ctx->ma = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ecp_restart_rsm_free( ctx->rsm );
+    mbedtls_free( ctx->rsm );
+
+    ecp_restart_ma_free( ctx->ma );
+    mbedtls_free( ctx->ma );
+
+    mbedtls_ecp_restart_init( ctx );
+}
+
+/*
+ * Check if we can do the next step
+ */
+int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
+                              mbedtls_ecp_restart_ctx *rs_ctx,
+                              unsigned ops )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+
+    if( rs_ctx != NULL && ecp_max_ops != 0 )
+    {
+        /* scale depending on curve size: the chosen reference is 256-bit,
+         * and multiplication is quadratic. Round to the closest integer. */
+        if( grp->pbits >= 512 )
+            ops *= 4;
+        else if( grp->pbits >= 384 )
+            ops *= 2;
+
+        /* Avoid infinite loops: always allow first step.
+         * Because of that, however, it's not generally true
+         * that ops_done <= ecp_max_ops, so the check
+         * ops_done > ecp_max_ops below is mandatory. */
+        if( ( rs_ctx->ops_done != 0 ) &&
+            ( rs_ctx->ops_done > ecp_max_ops ||
+              ops > ecp_max_ops - rs_ctx->ops_done ) )
+        {
+            return( MBEDTLS_ERR_ECP_IN_PROGRESS );
+        }
+
+        /* update running count */
+        rs_ctx->ops_done += ops;
+    }
+
+    return( 0 );
+}
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECP_RS_ENTER( SUB )   do {                                      \
+    /* reset ops count for this call if top-level */                    \
+    if( rs_ctx != NULL && rs_ctx->depth++ == 0 )                        \
+        rs_ctx->ops_done = 0;                                           \
+                                                                        \
+    /* set up our own sub-context if needed */                          \
+    if( mbedtls_ecp_restart_is_enabled() &&                             \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                         \
+    {                                                                   \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );      \
+        if( rs_ctx->SUB == NULL )                                       \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                     \
+                                                                        \
+        ecp_restart_## SUB ##_init( rs_ctx->SUB );                      \
+    }                                                                   \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECP_RS_LEAVE( SUB )   do {                                      \
+    /* clear our sub-context when not in progress (done or error) */    \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                        \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                            \
+    {                                                                   \
+        ecp_restart_## SUB ##_free( rs_ctx->SUB );                      \
+        mbedtls_free( rs_ctx->SUB );                                    \
+        rs_ctx->SUB = NULL;                                             \
+    }                                                                   \
+                                                                        \
+    if( rs_ctx != NULL )                                                \
+        rs_ctx->depth--;                                                \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECP_RS_ENTER( sub )     (void) rs_ctx;
+#define ECP_RS_LEAVE( sub )     (void) rs_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define ECP_SHORTWEIERSTRASS
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define ECP_MONTGOMERY
+#endif
+
+/*
+ * Curve types: internal for now, might be exposed later
+ */
+typedef enum
+{
+    ECP_TYPE_NONE = 0,
+    ECP_TYPE_SHORT_WEIERSTRASS,    /* y^2 = x^3 + a x + b      */
+    ECP_TYPE_MONTGOMERY,           /* y^2 = x^3 + a x^2 + x    */
+} ecp_curve_type;
+
+/*
+ * List of supported curves:
+ *  - internal ID
+ *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
+ *  - size in bits
+ *  - readable name
+ *
+ * Curves are listed in order: largest curves first, and for a given size,
+ * fastest curves first. This provides the default order for the SSL module.
+ *
+ * Reminder: update profiles in x509_crt.c when adding a new curves!
+ */
+static const mbedtls_ecp_curve_info ecp_supported_curves[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP521R1,    25,     521,    "secp521r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP512R1,      28,     512,    "brainpoolP512r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP384R1,    24,     384,    "secp384r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP384R1,      27,     384,    "brainpoolP384r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP256R1,    23,     256,    "secp256r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP256K1,    22,     256,    "secp256k1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP256R1,      26,     256,    "brainpoolP256r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP224R1,    21,     224,    "secp224r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP224K1,    20,     224,    "secp224k1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP192R1,    19,     192,    "secp192r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP192K1,    18,     192,    "secp192k1"         },
+#endif
+    { MBEDTLS_ECP_DP_NONE,          0,     0,      NULL                },
+};
+
+#define ECP_NB_CURVES   sizeof( ecp_supported_curves ) /    \
+                        sizeof( ecp_supported_curves[0] )
+
+static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
+
+/*
+ * List of supported curves and associated info
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void )
+{
+    return( ecp_supported_curves );
+}
+
+/*
+ * List of supported curves, group ID only
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void )
+{
+    static int init_done = 0;
+
+    if( ! init_done )
+    {
+        size_t i = 0;
+        const mbedtls_ecp_curve_info *curve_info;
+
+        for( curve_info = mbedtls_ecp_curve_list();
+             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+             curve_info++ )
+        {
+            ecp_supported_grp_id[i++] = curve_info->grp_id;
+        }
+        ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
+
+        init_done = 1;
+    }
+
+    return( ecp_supported_grp_id );
+}
+
+/*
+ * Get the curve info for the internal identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( curve_info->grp_id == grp_id )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the curve info from the TLS identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( curve_info->tls_id == tls_id )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the curve info from the name
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    if( name == NULL )
+        return( NULL );
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( strcmp( curve_info->name, name ) == 0 )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the type of a curve
+ */
+static inline ecp_curve_type ecp_get_type( const mbedtls_ecp_group *grp )
+{
+    if( grp->G.X.p == NULL )
+        return( ECP_TYPE_NONE );
+
+    if( grp->G.Y.p == NULL )
+        return( ECP_TYPE_MONTGOMERY );
+    else
+        return( ECP_TYPE_SHORT_WEIERSTRASS );
+}
+
+/*
+ * Initialize (the components of) a point
+ */
+void mbedtls_ecp_point_init( mbedtls_ecp_point *pt )
+{
+    ECP_VALIDATE( pt != NULL );
+
+    mbedtls_mpi_init( &pt->X );
+    mbedtls_mpi_init( &pt->Y );
+    mbedtls_mpi_init( &pt->Z );
+}
+
+/*
+ * Initialize (the components of) a group
+ */
+void mbedtls_ecp_group_init( mbedtls_ecp_group *grp )
+{
+    ECP_VALIDATE( grp != NULL );
+
+    grp->id = MBEDTLS_ECP_DP_NONE;
+    mbedtls_mpi_init( &grp->P );
+    mbedtls_mpi_init( &grp->A );
+    mbedtls_mpi_init( &grp->B );
+    mbedtls_ecp_point_init( &grp->G );
+    mbedtls_mpi_init( &grp->N );
+    grp->pbits = 0;
+    grp->nbits = 0;
+    grp->h = 0;
+    grp->modp = NULL;
+    grp->t_pre = NULL;
+    grp->t_post = NULL;
+    grp->t_data = NULL;
+    grp->T = NULL;
+    grp->T_size = 0;
+}
+
+/*
+ * Initialize (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key )
+{
+    ECP_VALIDATE( key != NULL );
+
+    mbedtls_ecp_group_init( &key->grp );
+    mbedtls_mpi_init( &key->d );
+    mbedtls_ecp_point_init( &key->Q );
+}
+
+/*
+ * Unallocate (the components of) a point
+ */
+void mbedtls_ecp_point_free( mbedtls_ecp_point *pt )
+{
+    if( pt == NULL )
+        return;
+
+    mbedtls_mpi_free( &( pt->X ) );
+    mbedtls_mpi_free( &( pt->Y ) );
+    mbedtls_mpi_free( &( pt->Z ) );
+}
+
+/*
+ * Unallocate (the components of) a group
+ */
+void mbedtls_ecp_group_free( mbedtls_ecp_group *grp )
+{
+    size_t i;
+
+    if( grp == NULL )
+        return;
+
+    if( grp->h != 1 )
+    {
+        mbedtls_mpi_free( &grp->P );
+        mbedtls_mpi_free( &grp->A );
+        mbedtls_mpi_free( &grp->B );
+        mbedtls_ecp_point_free( &grp->G );
+        mbedtls_mpi_free( &grp->N );
+    }
+
+    if( grp->T != NULL )
+    {
+        for( i = 0; i < grp->T_size; i++ )
+            mbedtls_ecp_point_free( &grp->T[i] );
+        mbedtls_free( grp->T );
+    }
+
+    mbedtls_platform_zeroize( grp, sizeof( mbedtls_ecp_group ) );
+}
+
+/*
+ * Unallocate (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key )
+{
+    if( key == NULL )
+        return;
+
+    mbedtls_ecp_group_free( &key->grp );
+    mbedtls_mpi_free( &key->d );
+    mbedtls_ecp_point_free( &key->Q );
+}
+
+/*
+ * Copy the contents of a point
+ */
+int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
+{
+    int ret;
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( Q != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->X, &Q->X ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Y, &Q->Y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Z, &Q->Z ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Copy the contents of a group object
+ */
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src )
+{
+    ECP_VALIDATE_RET( dst != NULL );
+    ECP_VALIDATE_RET( src != NULL );
+
+    return( mbedtls_ecp_group_load( dst, src->id ) );
+}
+
+/*
+ * Set point to zero
+ */
+int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt )
+{
+    int ret;
+    ECP_VALIDATE_RET( pt != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->X , 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Y , 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z , 0 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Tell if a point is zero
+ */
+int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt )
+{
+    ECP_VALIDATE_RET( pt != NULL );
+
+    return( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 );
+}
+
+/*
+ * Compare two points lazily
+ */
+int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
+                           const mbedtls_ecp_point *Q )
+{
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( Q != NULL );
+
+    if( mbedtls_mpi_cmp_mpi( &P->X, &Q->X ) == 0 &&
+        mbedtls_mpi_cmp_mpi( &P->Y, &Q->Y ) == 0 &&
+        mbedtls_mpi_cmp_mpi( &P->Z, &Q->Z ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Import a non-zero point from ASCII strings
+ */
+int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
+                           const char *x, const char *y )
+{
+    int ret;
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( x != NULL );
+    ECP_VALIDATE_RET( y != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->X, radix, x ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->Y, radix, y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Export a point into unsigned binary data (SEC1 2.3.3)
+ */
+int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp,
+                                    const mbedtls_ecp_point *P,
+                                    int format, size_t *olen,
+                                    unsigned char *buf, size_t buflen )
+{
+    int ret = 0;
+    size_t plen;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( P    != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                      format == MBEDTLS_ECP_PF_COMPRESSED );
+
+    /*
+     * Common case: P == 0
+     */
+    if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
+    {
+        if( buflen < 1 )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x00;
+        *olen = 1;
+
+        return( 0 );
+    }
+
+    plen = mbedtls_mpi_size( &grp->P );
+
+    if( format == MBEDTLS_ECP_PF_UNCOMPRESSED )
+    {
+        *olen = 2 * plen + 1;
+
+        if( buflen < *olen )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x04;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->Y, buf + 1 + plen, plen ) );
+    }
+    else if( format == MBEDTLS_ECP_PF_COMPRESSED )
+    {
+        *olen = plen + 1;
+
+        if( buflen < *olen )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x02 + mbedtls_mpi_get_bit( &P->Y, 0 );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Import a point from unsigned binary data (SEC1 2.3.4)
+ */
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *pt,
+                                   const unsigned char *buf, size_t ilen )
+{
+    int ret;
+    size_t plen;
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+    ECP_VALIDATE_RET( buf != NULL );
+
+    if( ilen < 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( buf[0] == 0x00 )
+    {
+        if( ilen == 1 )
+            return( mbedtls_ecp_set_zero( pt ) );
+        else
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    plen = mbedtls_mpi_size( &grp->P );
+
+    if( buf[0] != 0x04 )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    if( ilen != 2 * plen + 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->X, buf + 1, plen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->Y, buf + 1 + plen, plen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Import a point from a TLS ECPoint record (RFC 4492)
+ *      struct {
+ *          opaque point <1..2^8-1>;
+ *      } ECPoint;
+ */
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *pt,
+                                const unsigned char **buf, size_t buf_len )
+{
+    unsigned char data_len;
+    const unsigned char *buf_start;
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+    ECP_VALIDATE_RET( buf != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
+
+    /*
+     * We must have at least two bytes (1 for length, at least one for data)
+     */
+    if( buf_len < 2 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    data_len = *(*buf)++;
+    if( data_len < 1 || data_len > buf_len - 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Save buffer start for read_binary and update buf
+     */
+    buf_start = *buf;
+    *buf += data_len;
+
+    return( mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len ) );
+}
+
+/*
+ * Export a point as a TLS ECPoint record (RFC 4492)
+ *      struct {
+ *          opaque point <1..2^8-1>;
+ *      } ECPoint;
+ */
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
+                         int format, size_t *olen,
+                         unsigned char *buf, size_t blen )
+{
+    int ret;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( pt   != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                      format == MBEDTLS_ECP_PF_COMPRESSED );
+
+    /*
+     * buffer length must be at least one, for our length byte
+     */
+    if( blen < 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_point_write_binary( grp, pt, format,
+                    olen, buf + 1, blen - 1) ) != 0 )
+        return( ret );
+
+    /*
+     * write length to the first byte and update total length
+     */
+    buf[0] = (unsigned char) *olen;
+    ++*olen;
+
+    return( 0 );
+}
+
+/*
+ * Set a group from an ECParameters record (RFC 4492)
+ */
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
+                                const unsigned char **buf, size_t len )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
+
+    if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, len ) ) != 0 )
+        return( ret );
+
+    return( mbedtls_ecp_group_load( grp, grp_id ) );
+}
+
+/*
+ * Read a group id from an ECParameters record (RFC 4492) and convert it to
+ * mbedtls_ecp_group_id.
+ */
+int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
+                                   const unsigned char **buf, size_t len )
+{
+    uint16_t tls_id;
+    const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
+
+    /*
+     * We expect at least three bytes (see below)
+     */
+    if( len < 3 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * First byte is curve_type; only named_curve is handled
+     */
+    if( *(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Next two bytes are the namedcurve value
+     */
+    tls_id = *(*buf)++;
+    tls_id <<= 8;
+    tls_id |= *(*buf)++;
+
+    if( ( curve_info = mbedtls_ecp_curve_info_from_tls_id( tls_id ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    *grp = curve_info->grp_id;
+
+    return( 0 );
+}
+
+/*
+ * Write the ECParameters record corresponding to a group (RFC 4492)
+ */
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
+                         unsigned char *buf, size_t blen )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+
+    if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( grp->id ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * We are going to write 3 bytes (see below)
+     */
+    *olen = 3;
+    if( blen < *olen )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    /*
+     * First byte is curve_type, always named_curve
+     */
+    *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
+
+    /*
+     * Next two bytes are the namedcurve value
+     */
+    buf[0] = curve_info->tls_id >> 8;
+    buf[1] = curve_info->tls_id & 0xFF;
+
+    return( 0 );
+}
+
+/*
+ * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
+ * See the documentation of struct mbedtls_ecp_group.
+ *
+ * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
+ */
+static int ecp_modp( mbedtls_mpi *N, const mbedtls_ecp_group *grp )
+{
+    int ret;
+
+    if( grp->modp == NULL )
+        return( mbedtls_mpi_mod_mpi( N, N, &grp->P ) );
+
+    /* N->s < 0 is a much faster test, which fails only if N is 0 */
+    if( ( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 ) ||
+        mbedtls_mpi_bitlen( N ) > 2 * grp->pbits )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    MBEDTLS_MPI_CHK( grp->modp( N ) );
+
+    /* N->s < 0 is a much faster test, which fails only if N is 0 */
+    while( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &grp->P ) );
+
+    while( mbedtls_mpi_cmp_mpi( N, &grp->P ) >= 0 )
+        /* we known P, N and the result are positive */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, N, &grp->P ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Fast mod-p functions expect their argument to be in the 0..p^2 range.
+ *
+ * In order to guarantee that, we need to ensure that operands of
+ * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
+ * bring the result back to this range.
+ *
+ * The following macros are shortcuts for doing that.
+ */
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
+ */
+#if defined(MBEDTLS_SELF_TEST)
+#define INC_MUL_COUNT   mul_count++;
+#else
+#define INC_MUL_COUNT
+#endif
+
+#define MOD_MUL( N )                                                    \
+    do                                                                  \
+    {                                                                   \
+        MBEDTLS_MPI_CHK( ecp_modp( &(N), grp ) );                       \
+        INC_MUL_COUNT                                                   \
+    } while( 0 )
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
+ * N->s < 0 is a very fast test, which fails only if N is 0
+ */
+#define MOD_SUB( N )                                                    \
+    while( (N).s < 0 && mbedtls_mpi_cmp_int( &(N), 0 ) != 0 )           \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &(N), &(N), &grp->P ) )
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
+ * We known P, N and the result are positive, so sub_abs is correct, and
+ * a bit faster.
+ */
+#define MOD_ADD( N )                                                    \
+    while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
+
+#if defined(ECP_SHORTWEIERSTRASS)
+/*
+ * For curves in short Weierstrass form, we do all the internal operations in
+ * Jacobian coordinates.
+ *
+ * For multiplication, we'll use a comb method with coutermeasueres against
+ * SPA, hence timing attacks.
+ */
+
+/*
+ * Normalize jacobian coordinates so that Z == 0 || Z == 1  (GECC 3.2.1)
+ * Cost: 1N := 1I + 3M + 1S
+ */
+static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt )
+{
+    int ret;
+    mbedtls_mpi Zi, ZZi;
+
+    if( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 )
+        return( 0 );
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_jac( grp, pt ) );
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+
+    mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
+
+    /*
+     * X = X / Z^2  mod p
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &Zi,      &pt->Z,     &grp->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,        &Zi     ) ); MOD_MUL( ZZi );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ZZi    ) ); MOD_MUL( pt->X );
+
+    /*
+     * Y = Y / Z^3  mod p
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ZZi    ) ); MOD_MUL( pt->Y );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &Zi     ) ); MOD_MUL( pt->Y );
+
+    /*
+     * Z = 1
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
+
+    return( ret );
+}
+
+/*
+ * Normalize jacobian coordinates of an array of (pointers to) points,
+ * using Montgomery's trick to perform only one inversion mod P.
+ * (See for example Cohen's "A Course in Computational Algebraic Number
+ * Theory", Algorithm 10.3.4.)
+ *
+ * Warning: fails (returning an error) if one of the points is zero!
+ * This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * Cost: 1N(t) := 1I + (6t - 3)M + 1S
+ */
+static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *T[], size_t T_size )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi *c, u, Zi, ZZi;
+
+    if( T_size < 2 )
+        return( ecp_normalize_jac( grp, *T ) );
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_jac_many( grp, T, T_size ) );
+#endif
+
+    if( ( c = mbedtls_calloc( T_size, sizeof( mbedtls_mpi ) ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_ALLOC_FAILED );
+
+    for( i = 0; i < T_size; i++ )
+        mbedtls_mpi_init( &c[i] );
+
+    mbedtls_mpi_init( &u ); mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
+
+    /*
+     * c[i] = Z_0 * ... * Z_i
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &c[0], &T[0]->Z ) );
+    for( i = 1; i < T_size; i++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &c[i], &c[i-1], &T[i]->Z ) );
+        MOD_MUL( c[i] );
+    }
+
+    /*
+     * u = 1 / (Z_0 * ... * Z_n) mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &u, &c[T_size-1], &grp->P ) );
+
+    for( i = T_size - 1; ; i-- )
+    {
+        /*
+         * Zi = 1 / Z_i mod p
+         * u = 1 / (Z_0 * ... * Z_i) mod P
+         */
+        if( i == 0 ) {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Zi, &u ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Zi, &u, &c[i-1]  ) ); MOD_MUL( Zi );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u,  &u, &T[i]->Z ) ); MOD_MUL( u );
+        }
+
+        /*
+         * proceed as in normalize()
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,      &Zi  ) ); MOD_MUL( ZZi );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->X, &T[i]->X, &ZZi ) ); MOD_MUL( T[i]->X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &ZZi ) ); MOD_MUL( T[i]->Y );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &Zi  ) ); MOD_MUL( T[i]->Y );
+
+        /*
+         * Post-precessing: reclaim some memory by shrinking coordinates
+         * - not storing Z (always 1)
+         * - shrinking other coordinates, but still keeping the same number of
+         *   limbs as P, as otherwise it will too likely be regrown too fast.
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->X, grp->P.n ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->Y, grp->P.n ) );
+        mbedtls_mpi_free( &T[i]->Z );
+
+        if( i == 0 )
+            break;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &u ); mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
+    for( i = 0; i < T_size; i++ )
+        mbedtls_mpi_free( &c[i] );
+    mbedtls_free( c );
+
+    return( ret );
+}
+
+/*
+ * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
+ * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
+ */
+static int ecp_safe_invert_jac( const mbedtls_ecp_group *grp,
+                            mbedtls_ecp_point *Q,
+                            unsigned char inv )
+{
+    int ret;
+    unsigned char nonzero;
+    mbedtls_mpi mQY;
+
+    mbedtls_mpi_init( &mQY );
+
+    /* Use the fact that -Q.Y mod P = P - Q.Y unless Q.Y == 0 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mQY, &grp->P, &Q->Y ) );
+    nonzero = mbedtls_mpi_cmp_int( &Q->Y, 0 ) != 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &Q->Y, &mQY, inv & nonzero ) );
+
+cleanup:
+    mbedtls_mpi_free( &mQY );
+
+    return( ret );
+}
+
+/*
+ * Point doubling R = 2 P, Jacobian coordinates
+ *
+ * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
+ *
+ * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
+ * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
+ *
+ * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
+ *
+ * Cost: 1D := 3M + 4S          (A ==  0)
+ *             4M + 4S          (A == -3)
+ *             3M + 6S + 1a     otherwise
+ */
+static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                           const mbedtls_ecp_point *P )
+{
+    int ret;
+    mbedtls_mpi M, S, T, U;
+
+#if defined(MBEDTLS_SELF_TEST)
+    dbl_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_double_jac( grp, R, P ) );
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+
+    mbedtls_mpi_init( &M ); mbedtls_mpi_init( &S ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &U );
+
+    /* Special case for A = -3 */
+    if( grp->A.p == NULL )
+    {
+        /* M = 3(X + Z^2)(X - Z^2) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T,  &P->X,  &S      ) ); MOD_ADD( T );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U,  &P->X,  &S      ) ); MOD_SUB( U );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &U      ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
+    }
+    else
+    {
+        /* M = 3.X^2 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &P->X   ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
+
+        /* Optimize away for "koblitz" curves with A = 0 */
+        if( mbedtls_mpi_cmp_int( &grp->A, 0 ) != 0 )
+        {
+            /* M += A.Z^4 */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &S,     &S      ) ); MOD_MUL( T );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &grp->A ) ); MOD_MUL( S );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M,  &M,     &S      ) ); MOD_ADD( M );
+        }
+    }
+
+    /* S = 4.X.Y^2 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &P->Y,  &P->Y   ) ); MOD_MUL( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T,  1               ) ); MOD_ADD( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &T      ) ); MOD_MUL( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &S,  1               ) ); MOD_ADD( S );
+
+    /* U = 8.Y^4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &T,     &T      ) ); MOD_MUL( U );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
+
+    /* T = M^2 - 2.S */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &M,     &M      ) ); MOD_MUL( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
+
+    /* S = M(S - T) - U */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &T      ) ); MOD_SUB( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &S,     &M      ) ); MOD_MUL( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &U      ) ); MOD_SUB( S );
+
+    /* U = 2.Y.Z */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &P->Y,  &P->Z   ) ); MOD_MUL( U );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &T ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &S ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &U ) );
+
+cleanup:
+    mbedtls_mpi_free( &M ); mbedtls_mpi_free( &S ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &U );
+
+    return( ret );
+}
+
+/*
+ * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
+ *
+ * The coordinates of Q must be normalized (= affine),
+ * but those of P don't need to. R is not normalized.
+ *
+ * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
+ * None of these cases can happen as intermediate step in ecp_mul_comb():
+ * - at each step, P, Q and R are multiples of the base point, the factor
+ *   being less than its order, so none of them is zero;
+ * - Q is an odd multiple of the base point, P an even multiple,
+ *   due to the choice of precomputed points in the modified comb method.
+ * So branches for these cases do not leak secret information.
+ *
+ * We accept Q->Z being unset (saving memory in tables) as meaning 1.
+ *
+ * Cost: 1A := 8M + 3S
+ */
+static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                          const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
+{
+    int ret;
+    mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
+
+#if defined(MBEDTLS_SELF_TEST)
+    add_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_add_mixed( grp, R, P, Q ) );
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+
+    /*
+     * Trivial cases: P == 0 or Q == 0 (case 1)
+     */
+    if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
+        return( mbedtls_ecp_copy( R, Q ) );
+
+    if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 0 ) == 0 )
+        return( mbedtls_ecp_copy( R, P ) );
+
+    /*
+     * Make sure Q coordinates are normalized
+     */
+    if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 1 ) != 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); mbedtls_mpi_init( &T3 ); mbedtls_mpi_init( &T4 );
+    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &P->Z,  &P->Z ) );  MOD_MUL( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T1,    &P->Z ) );  MOD_MUL( T2 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &T1,    &Q->X ) );  MOD_MUL( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T2,    &Q->Y ) );  MOD_MUL( T2 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T1,  &T1,    &P->X ) );  MOD_SUB( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T2,  &T2,    &P->Y ) );  MOD_SUB( T2 );
+
+    /* Special cases (2) and (3) */
+    if( mbedtls_mpi_cmp_int( &T1, 0 ) == 0 )
+    {
+        if( mbedtls_mpi_cmp_int( &T2, 0 ) == 0 )
+        {
+            ret = ecp_double_jac( grp, R, P );
+            goto cleanup;
+        }
+        else
+        {
+            ret = mbedtls_ecp_set_zero( R );
+            goto cleanup;
+        }
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Z,   &P->Z,  &T1   ) );  MOD_MUL( Z  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T1,    &T1   ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T3,    &T1   ) );  MOD_MUL( T4 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &P->X ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1,  &T3,    2     ) );  MOD_ADD( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X,   &T2,    &T2   ) );  MOD_MUL( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T1   ) );  MOD_SUB( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T4   ) );  MOD_SUB( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T3,  &T3,    &X    ) );  MOD_SUB( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &T2   ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T4,    &P->Y ) );  MOD_MUL( T4 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &Y,   &T3,    &T4   ) );  MOD_SUB( Y  );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &X ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &Y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &Z ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); mbedtls_mpi_free( &T3 ); mbedtls_mpi_free( &T4 );
+    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
+
+    return( ret );
+}
+
+/*
+ * Randomize jacobian coordinates:
+ * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_jac().
+ *
+ * This countermeasure was first suggested in [2].
+ */
+static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_mpi l, ll;
+    size_t p_size;
+    int count = 0;
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng ) );
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+
+    p_size = ( grp->pbits + 7 ) / 8;
+    mbedtls_mpi_init( &l ); mbedtls_mpi_init( &ll );
+
+    /* Generate l such that 1 < l < p */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+    }
+    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+
+    /* Z = l * Z */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Z,   &pt->Z,     &l  ) ); MOD_MUL( pt->Z );
+
+    /* X = l^2 * X */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &l,         &l  ) ); MOD_MUL( ll );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ll ) ); MOD_MUL( pt->X );
+
+    /* Y = l^3 * Y */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &ll,        &l  ) ); MOD_MUL( ll );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ll ) ); MOD_MUL( pt->Y );
+
+cleanup:
+    mbedtls_mpi_free( &l ); mbedtls_mpi_free( &ll );
+
+    return( ret );
+}
+
+/*
+ * Check and define parameters used by the comb method (see below for details)
+ */
+#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
+#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
+#endif
+
+/* d = ceil( n / w ) */
+#define COMB_MAX_D      ( MBEDTLS_ECP_MAX_BITS + 1 ) / 2
+
+/* number of precomputed points */
+#define COMB_MAX_PRE    ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
+
+/*
+ * Compute the representation of m that will be used with our comb method.
+ *
+ * The basic comb method is described in GECC 3.44 for example. We use a
+ * modified version that provides resistance to SPA by avoiding zero
+ * digits in the representation as in [3]. We modify the method further by
+ * requiring that all K_i be odd, which has the small cost that our
+ * representation uses one more K_i, due to carries, but saves on the size of
+ * the precomputed table.
+ *
+ * Summary of the comb method and its modifications:
+ *
+ * - The goal is to compute m*P for some w*d-bit integer m.
+ *
+ * - The basic comb method splits m into the w-bit integers
+ *   x[0] .. x[d-1] where x[i] consists of the bits in m whose
+ *   index has residue i modulo d, and computes m * P as
+ *   S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
+ *   S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
+ *
+ * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
+ *    .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
+ *   thereby successively converting it into a form where all summands
+ *   are nonzero, at the cost of negative summands. This is the basic idea of [3].
+ *
+ * - More generally, even if x[i+1] != 0, we can first transform the sum as
+ *   .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
+ *   and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
+ *   Performing and iterating this procedure for those x[i] that are even
+ *   (keeping track of carry), we can transform the original sum into one of the form
+ *   S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
+ *   with all x'[i] odd. It is therefore only necessary to know S at odd indices,
+ *   which is why we are only computing half of it in the first place in
+ *   ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
+ *
+ * - For the sake of compactness, only the seven low-order bits of x[i]
+ *   are used to represent its absolute value (K_i in the paper), and the msb
+ *   of x[i] encodes the sign (s_i in the paper): it is set if and only if
+ *   if s_i == -1;
+ *
+ * Calling conventions:
+ * - x is an array of size d + 1
+ * - w is the size, ie number of teeth, of the comb, and must be between
+ *   2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
+ * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
+ *   (the result will be incorrect if these assumptions are not satisfied)
+ */
+static void ecp_comb_recode_core( unsigned char x[], size_t d,
+                                  unsigned char w, const mbedtls_mpi *m )
+{
+    size_t i, j;
+    unsigned char c, cc, adjust;
+
+    memset( x, 0, d+1 );
+
+    /* First get the classical comb values (except for x_d = 0) */
+    for( i = 0; i < d; i++ )
+        for( j = 0; j < w; j++ )
+            x[i] |= mbedtls_mpi_get_bit( m, i + d * j ) << j;
+
+    /* Now make sure x_1 .. x_d are odd */
+    c = 0;
+    for( i = 1; i <= d; i++ )
+    {
+        /* Add carry and update it */
+        cc   = x[i] & c;
+        x[i] = x[i] ^ c;
+        c = cc;
+
+        /* Adjust if needed, avoiding branches */
+        adjust = 1 - ( x[i] & 0x01 );
+        c   |= x[i] & ( x[i-1] * adjust );
+        x[i] = x[i] ^ ( x[i-1] * adjust );
+        x[i-1] |= adjust << 7;
+    }
+}
+
+/*
+ * Precompute points for the adapted comb method
+ *
+ * Assumption: T must be able to hold 2^{w - 1} elements.
+ *
+ * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
+ *            sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
+ *
+ * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
+ *
+ * Note: Even comb values (those where P would be omitted from the
+ *       sum defining T[i] above) are not needed in our adaption
+ *       the comb method. See ecp_comb_recode_core().
+ *
+ * This function currently works in four steps:
+ * (1) [dbl]      Computation of intermediate T[i] for 2-power values of i
+ * (2) [norm_dbl] Normalization of coordinates of these T[i]
+ * (3) [add]      Computation of all T[i]
+ * (4) [norm_add] Normalization of all T[i]
+ *
+ * Step 1 can be interrupted but not the others; together with the final
+ * coordinate normalization they are the largest steps done at once, depending
+ * on the window size. Here are operation counts for P-256:
+ *
+ * step     (2)     (3)     (4)
+ * w = 5    142     165     208
+ * w = 4    136      77     160
+ * w = 3    130      33     136
+ * w = 2    124      11     124
+ *
+ * So if ECC operations are blocking for too long even with a low max_ops
+ * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
+ * to minimize maximum blocking time.
+ */
+static int ecp_precompute_comb( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
+                                unsigned char w, size_t d,
+                                mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char i;
+    size_t j = 0;
+    const unsigned char T_size = 1U << ( w - 1 );
+    mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1];
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
+            goto dbl;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl )
+            goto norm_dbl;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_add )
+            goto add;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_norm_add )
+            goto norm_add;
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        rs_ctx->rsm->state = ecp_rsm_pre_dbl;
+
+        /* initial state for the loop */
+        rs_ctx->rsm->i = 0;
+    }
+
+dbl:
+#endif
+    /*
+     * Set T[0] = P and
+     * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &T[0], P ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
+        j = rs_ctx->rsm->i;
+    else
+#endif
+        j = 0;
+
+    for( ; j < d * ( w - 1 ); j++ )
+    {
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL );
+
+        i = 1U << ( j / d );
+        cur = T + i;
+
+        if( j % d == 0 )
+            MBEDTLS_MPI_CHK( mbedtls_ecp_copy( cur, T + ( i >> 1 ) ) );
+
+        MBEDTLS_MPI_CHK( ecp_double_jac( grp, cur, cur ) );
+    }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
+
+norm_dbl:
+#endif
+    /*
+     * Normalize current elements in T. As T has holes,
+     * use an auxiliary array of pointers to elements in T.
+     */
+    j = 0;
+    for( i = 1; i < T_size; i <<= 1 )
+        TT[j++] = T + i;
+
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_add;
+
+add:
+#endif
+    /*
+     * Compute the remaining ones using the minimal number of additions
+     * Be careful to update T[2^l] only after using it!
+     */
+    MBEDTLS_ECP_BUDGET( ( T_size - 1 ) * MBEDTLS_ECP_OPS_ADD );
+
+    for( i = 1; i < T_size; i <<= 1 )
+    {
+        j = i;
+        while( j-- )
+            MBEDTLS_MPI_CHK( ecp_add_mixed( grp, &T[i + j], &T[j], &T[i] ) );
+    }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
+
+norm_add:
+#endif
+    /*
+     * Normalize final elements in T. Even though there are no holes now, we
+     * still need the auxiliary array for homogeneity with the previous
+     * call. Also, skip T[0] which is already normalised, being a copy of P.
+     */
+    for( j = 0; j + 1 < T_size; j++ )
+        TT[j] = T + j + 1;
+
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
+
+cleanup:
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+    {
+        if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
+            rs_ctx->rsm->i = j;
+    }
+#endif
+
+    return( ret );
+}
+
+/*
+ * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
+ *
+ * See ecp_comb_recode_core() for background
+ */
+static int ecp_select_comb( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                            const mbedtls_ecp_point T[], unsigned char T_size,
+                            unsigned char i )
+{
+    int ret;
+    unsigned char ii, j;
+
+    /* Ignore the "sign" bit and scale down */
+    ii =  ( i & 0x7Fu ) >> 1;
+
+    /* Read the whole table to thwart cache-based timing attacks */
+    for( j = 0; j < T_size; j++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->X, &T[j].X, j == ii ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->Y, &T[j].Y, j == ii ) );
+    }
+
+    /* Safely invert result if i is "negative" */
+    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, i >> 7 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Core multiplication algorithm for the (modified) comb method.
+ * This part is actually common with the basic comb method (GECC 3.44)
+ *
+ * Cost: d A + d D + 1 R
+ */
+static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                              const mbedtls_ecp_point T[], unsigned char T_size,
+                              const unsigned char x[], size_t d,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng,
+                              mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_ecp_point Txi;
+    size_t i;
+
+    mbedtls_ecp_point_init( &Txi );
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        rs_ctx->rsm->state != ecp_rsm_comb_core )
+    {
+        rs_ctx->rsm->i = 0;
+        rs_ctx->rsm->state = ecp_rsm_comb_core;
+    }
+
+    /* new 'if' instead of nested for the sake of the 'else' branch */
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
+    {
+        /* restore current index (R already pointing to rs_ctx->rsm->R) */
+        i = rs_ctx->rsm->i;
+    }
+    else
+#endif
+    {
+        /* Start with a non-zero point and randomize its coordinates */
+        i = d;
+        MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
+        if( f_rng != 0 )
+            MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
+    }
+
+    while( i != 0 )
+    {
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD );
+        --i;
+
+        MBEDTLS_MPI_CHK( ecp_double_jac( grp, R, R ) );
+        MBEDTLS_MPI_CHK( ecp_select_comb( grp, &Txi, T, T_size, x[i] ) );
+        MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, R, &Txi ) );
+    }
+
+cleanup:
+
+    mbedtls_ecp_point_free( &Txi );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+    {
+        rs_ctx->rsm->i = i;
+        /* no need to save R, already pointing to rs_ctx->rsm->R */
+    }
+#endif
+
+    return( ret );
+}
+
+/*
+ * Recode the scalar to get constant-time comb multiplication
+ *
+ * As the actual scalar recoding needs an odd scalar as a starting point,
+ * this wrapper ensures that by replacing m by N - m if necessary, and
+ * informs the caller that the result of multiplication will be negated.
+ *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
+ * See ecp_comb_recode_core() for background.
+ */
+static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
+                                   const mbedtls_mpi *m,
+                                   unsigned char k[COMB_MAX_D + 1],
+                                   size_t d,
+                                   unsigned char w,
+                                   unsigned char *parity_trick )
+{
+    int ret;
+    mbedtls_mpi M, mm;
+
+    mbedtls_mpi_init( &M );
+    mbedtls_mpi_init( &mm );
+
+    /* N is always odd (see above), just make extra sure */
+    if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /* do we need the parity trick? */
+    *parity_trick = ( mbedtls_mpi_get_bit( m, 0 ) == 0 );
+
+    /* execute parity fix in constant time */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &M, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mm, &grp->N, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &M, &mm, *parity_trick ) );
+
+    /* actual scalar recoding */
+    ecp_comb_recode_core( k, d, w, &M );
+
+cleanup:
+    mbedtls_mpi_free( &mm );
+    mbedtls_mpi_free( &M );
+
+    return( ret );
+}
+
+/*
+ * Perform comb multiplication (for short Weierstrass curves)
+ * once the auxiliary table has been pre-computed.
+ *
+ * Scalar recoding may use a parity trick that makes us compute -m * P,
+ * if that is the case we'll need to recover m * P at the end.
+ */
+static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *R,
+                                const mbedtls_mpi *m,
+                                const mbedtls_ecp_point *T,
+                                unsigned char T_size,
+                                unsigned char w,
+                                size_t d,
+                                int (*f_rng)(void *, unsigned char *, size_t),
+                                void *p_rng,
+                                mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char parity_trick;
+    unsigned char k[COMB_MAX_D + 1];
+    mbedtls_ecp_point *RR = R;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        RR = &rs_ctx->rsm->R;
+
+        if( rs_ctx->rsm->state == ecp_rsm_final_norm )
+            goto final_norm;
+    }
+#endif
+
+    MBEDTLS_MPI_CHK( ecp_comb_recode_scalar( grp, m, k, d, w,
+                                            &parity_trick ) );
+    MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, RR, T, T_size, k, d,
+                                        f_rng, p_rng, rs_ctx ) );
+    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, RR, parity_trick ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_final_norm;
+
+final_norm:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, RR ) );
+#endif
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Pick window size based on curve size and whether we optimize for base point
+ */
+static unsigned char ecp_pick_window_size( const mbedtls_ecp_group *grp,
+                                           unsigned char p_eq_g )
+{
+    unsigned char w;
+
+    /*
+     * Minimize the number of multiplications, that is minimize
+     * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
+     * (see costs of the various parts, with 1S = 1M)
+     */
+    w = grp->nbits >= 384 ? 5 : 4;
+
+    /*
+     * If P == G, pre-compute a bit more, since this may be re-used later.
+     * Just adding one avoids upping the cost of the first mul too much,
+     * and the memory cost too.
+     */
+    if( p_eq_g )
+        w++;
+
+    /*
+     * Make sure w is within bounds.
+     * (The last test is useful only for very small curves in the test suite.)
+     */
+    if( w > MBEDTLS_ECP_WINDOW_SIZE )
+        w = MBEDTLS_ECP_WINDOW_SIZE;
+    if( w >= grp->nbits )
+        w = 2;
+
+    return( w );
+}
+
+/*
+ * Multiplication using the comb method - for curves in short Weierstrass form
+ *
+ * This function is mainly responsible for administrative work:
+ * - managing the restart context if enabled
+ * - managing the table of precomputed points (passed between the below two
+ *   functions): allocation, computation, ownership tranfer, freeing.
+ *
+ * It delegates the actual arithmetic work to:
+ *      ecp_precompute_comb() and ecp_mul_comb_with_precomp()
+ *
+ * See comments on ecp_comb_recode_core() regarding the computation strategy.
+ */
+static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                         const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char w, p_eq_g, i;
+    size_t d;
+    unsigned char T_size, T_ok;
+    mbedtls_ecp_point *T;
+
+    ECP_RS_ENTER( rsm );
+
+    /* Is P the base point ? */
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+    p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
+               mbedtls_mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
+#else
+    p_eq_g = 0;
+#endif
+
+    /* Pick window size and deduce related sizes */
+    w = ecp_pick_window_size( grp, p_eq_g );
+    T_size = 1U << ( w - 1 );
+    d = ( grp->nbits + w - 1 ) / w;
+
+    /* Pre-computed table: do we have it already for the base point? */
+    if( p_eq_g && grp->T != NULL )
+    {
+        /* second pointer to the same table, will be deleted on exit */
+        T = grp->T;
+        T_ok = 1;
+    }
+    else
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* Pre-computed table: do we have one in progress? complete? */
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL )
+    {
+        /* transfer ownership of T from rsm to local function */
+        T = rs_ctx->rsm->T;
+        rs_ctx->rsm->T = NULL;
+        rs_ctx->rsm->T_size = 0;
+
+        /* This effectively jumps to the call to mul_comb_after_precomp() */
+        T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
+    }
+    else
+#endif
+    /* Allocate table if we didn't have any */
+    {
+        T = mbedtls_calloc( T_size, sizeof( mbedtls_ecp_point ) );
+        if( T == NULL )
+        {
+            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+            goto cleanup;
+        }
+
+        for( i = 0; i < T_size; i++ )
+            mbedtls_ecp_point_init( &T[i] );
+
+        T_ok = 0;
+    }
+
+    /* Compute table (or finish computing it) if not done already */
+    if( !T_ok )
+    {
+        MBEDTLS_MPI_CHK( ecp_precompute_comb( grp, T, P, w, d, rs_ctx ) );
+
+        if( p_eq_g )
+        {
+            /* almost transfer ownership of T to the group, but keep a copy of
+             * the pointer to use for calling the next function more easily */
+            grp->T = T;
+            grp->T_size = T_size;
+        }
+    }
+
+    /* Actual comb multiplication using precomputed points */
+    MBEDTLS_MPI_CHK( ecp_mul_comb_after_precomp( grp, R, m,
+                                                 T, T_size, w, d,
+                                                 f_rng, p_rng, rs_ctx ) );
+
+cleanup:
+
+    /* does T belong to the group? */
+    if( T == grp->T )
+        T = NULL;
+
+    /* does T belong to the restart context? */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL )
+    {
+        /* transfer ownership of T from local function to rsm */
+        rs_ctx->rsm->T_size = T_size;
+        rs_ctx->rsm->T = T;
+        T = NULL;
+    }
+#endif
+
+    /* did T belong to us? then let's destroy it! */
+    if( T != NULL )
+    {
+        for( i = 0; i < T_size; i++ )
+            mbedtls_ecp_point_free( &T[i] );
+        mbedtls_free( T );
+    }
+
+    /* don't free R while in progress in case R == P */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+    /* prevent caller from using invalid value */
+    if( ret != 0 )
+        mbedtls_ecp_point_free( R );
+
+    ECP_RS_LEAVE( rsm );
+
+    return( ret );
+}
+
+#endif /* ECP_SHORTWEIERSTRASS */
+
+#if defined(ECP_MONTGOMERY)
+/*
+ * For Montgomery curves, we do all the internal arithmetic in projective
+ * coordinates. Import/export of points uses only the x coordinates, which is
+ * internaly represented as X / Z.
+ *
+ * For scalar multiplication, we'll use a Montgomery ladder.
+ */
+
+/*
+ * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
+ * Cost: 1M + 1I
+ */
+static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P )
+{
+    int ret;
+
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_mxz( grp, P ) );
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &P->Z ) ); MOD_MUL( P->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Randomize projective x/z coordinates:
+ * (X, Z) -> (l X, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_mxz().
+ *
+ * This countermeasure was first suggested in [2].
+ * Cost: 2M
+ */
+static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_mpi l;
+    size_t p_size;
+    int count = 0;
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng );
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+
+    p_size = ( grp->pbits + 7 ) / 8;
+    mbedtls_mpi_init( &l );
+
+    /* Generate l such that 1 < l < p */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+    }
+    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &l ) ); MOD_MUL( P->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->Z, &P->Z, &l ) ); MOD_MUL( P->Z );
+
+cleanup:
+    mbedtls_mpi_free( &l );
+
+    return( ret );
+}
+
+/*
+ * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
+ * for Montgomery curves in x/z coordinates.
+ *
+ * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
+ * with
+ * d =  X1
+ * P = (X2, Z2)
+ * Q = (X3, Z3)
+ * R = (X4, Z4)
+ * S = (X5, Z5)
+ * and eliminating temporary variables tO, ..., t4.
+ *
+ * Cost: 5M + 4S
+ */
+static int ecp_double_add_mxz( const mbedtls_ecp_group *grp,
+                               mbedtls_ecp_point *R, mbedtls_ecp_point *S,
+                               const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+                               const mbedtls_mpi *d )
+{
+    int ret;
+    mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d ) );
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+
+    mbedtls_mpi_init( &A ); mbedtls_mpi_init( &AA ); mbedtls_mpi_init( &B );
+    mbedtls_mpi_init( &BB ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &C );
+    mbedtls_mpi_init( &D ); mbedtls_mpi_init( &DA ); mbedtls_mpi_init( &CB );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &A,    &P->X,   &P->Z ) ); MOD_ADD( A    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &AA,   &A,      &A    ) ); MOD_MUL( AA   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &B,    &P->X,   &P->Z ) ); MOD_SUB( B    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &BB,   &B,      &B    ) ); MOD_MUL( BB   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &E,    &AA,     &BB   ) ); MOD_SUB( E    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &C,    &Q->X,   &Q->Z ) ); MOD_ADD( C    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &D,    &Q->X,   &Q->Z ) ); MOD_SUB( D    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DA,   &D,      &A    ) ); MOD_MUL( DA   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &CB,   &C,      &B    ) ); MOD_MUL( CB   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &S->X, &DA,     &CB   ) ); MOD_MUL( S->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->X, &S->X,   &S->X ) ); MOD_MUL( S->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S->Z, &DA,     &CB   ) ); MOD_SUB( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, &S->Z,   &S->Z ) ); MOD_MUL( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, d,       &S->Z ) ); MOD_MUL( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->X, &AA,     &BB   ) ); MOD_MUL( R->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &grp->A, &E    ) ); MOD_MUL( R->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &R->Z, &BB,     &R->Z ) ); MOD_ADD( R->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &E,      &R->Z ) ); MOD_MUL( R->Z );
+
+cleanup:
+    mbedtls_mpi_free( &A ); mbedtls_mpi_free( &AA ); mbedtls_mpi_free( &B );
+    mbedtls_mpi_free( &BB ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &C );
+    mbedtls_mpi_free( &D ); mbedtls_mpi_free( &DA ); mbedtls_mpi_free( &CB );
+
+    return( ret );
+}
+
+/*
+ * Multiplication with Montgomery ladder in x/z coordinates,
+ * for curves in Montgomery form
+ */
+static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                        int (*f_rng)(void *, unsigned char *, size_t),
+                        void *p_rng )
+{
+    int ret;
+    size_t i;
+    unsigned char b;
+    mbedtls_ecp_point RP;
+    mbedtls_mpi PX;
+
+    mbedtls_ecp_point_init( &RP ); mbedtls_mpi_init( &PX );
+
+    /* Save PX and read from P before writing to R, in case P == R */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &PX, &P->X ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &RP, P ) );
+
+    /* Set R to zero in modified x/z coordinates */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->X, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 0 ) );
+    mbedtls_mpi_free( &R->Y );
+
+    /* RP.X might be sligtly larger than P, so reduce it */
+    MOD_ADD( RP.X );
+
+    /* Randomize coordinates of the starting point */
+    if( f_rng != NULL )
+        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
+
+    /* Loop invariant: R = result so far, RP = R + P */
+    i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */
+    while( i-- > 0 )
+    {
+        b = mbedtls_mpi_get_bit( m, i );
+        /*
+         *  if (b) R = 2R + P else R = 2R,
+         * which is:
+         *  if (b) double_add( RP, R, RP, R )
+         *  else   double_add( R, RP, R, RP )
+         * but using safe conditional swaps to avoid leaks
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
+        MBEDTLS_MPI_CHK( ecp_double_add_mxz( grp, R, &RP, R, &RP, &PX ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
+    }
+
+    MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &RP ); mbedtls_mpi_free( &PX );
+
+    return( ret );
+}
+
+#endif /* ECP_MONTGOMERY */
+
+/*
+ * Restartable multiplication R = m * P
+ */
+int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* reset ops count for this call if top-level */
+    if( rs_ctx != NULL && rs_ctx->depth++ == 0 )
+        rs_ctx->ops_done = 0;
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
+        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* skip argument check when restarting */
+    if( rs_ctx == NULL || rs_ctx->rsm == NULL )
+#endif
+    {
+        /* check_privkey is free */
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_CHK );
+
+        /* Common sanity checks */
+        MBEDTLS_MPI_CHK( mbedtls_ecp_check_privkey( grp, m ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, P ) );
+    }
+
+    ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+        MBEDTLS_MPI_CHK( ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ) );
+#endif
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+        MBEDTLS_MPI_CHK( ecp_mul_comb( grp, R, m, P, f_rng, p_rng, rs_ctx ) );
+#endif
+
+cleanup:
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( is_grp_capable )
+        mbedtls_internal_ecp_free( grp );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL )
+        rs_ctx->depth--;
+#endif
+
+    return( ret );
+}
+
+/*
+ * Multiplication R = m * P
+ */
+int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    return( mbedtls_ecp_mul_restartable( grp, R, m, P, f_rng, p_rng, NULL ) );
+}
+
+#if defined(ECP_SHORTWEIERSTRASS)
+/*
+ * Check that an affine point is valid as a public key,
+ * short weierstrass curves (SEC1 3.2.3.1)
+ */
+static int ecp_check_pubkey_sw( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+{
+    int ret;
+    mbedtls_mpi YY, RHS;
+
+    /* pt coordinates must be normalized for our checks */
+    if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 ||
+        mbedtls_mpi_cmp_int( &pt->Y, 0 ) < 0 ||
+        mbedtls_mpi_cmp_mpi( &pt->X, &grp->P ) >= 0 ||
+        mbedtls_mpi_cmp_mpi( &pt->Y, &grp->P ) >= 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    mbedtls_mpi_init( &YY ); mbedtls_mpi_init( &RHS );
+
+    /*
+     * YY = Y^2
+     * RHS = X (X^2 + A) + B = X^3 + A X + B
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &YY,  &pt->Y,   &pt->Y  ) );  MOD_MUL( YY  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &pt->X,   &pt->X  ) );  MOD_MUL( RHS );
+
+    /* Special case for A = -3 */
+    if( grp->A.p == NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &RHS, &RHS, 3       ) );  MOD_SUB( RHS );
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS, &grp->A ) );  MOD_ADD( RHS );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &RHS,     &pt->X  ) );  MOD_MUL( RHS );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS,     &grp->B ) );  MOD_ADD( RHS );
+
+    if( mbedtls_mpi_cmp_mpi( &YY, &RHS ) != 0 )
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+
+cleanup:
+
+    mbedtls_mpi_free( &YY ); mbedtls_mpi_free( &RHS );
+
+    return( ret );
+}
+#endif /* ECP_SHORTWEIERSTRASS */
+
+/*
+ * R = m * P with shortcuts for m == 1 and m == -1
+ * NOT constant-time - ONLY for short Weierstrass!
+ */
+static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
+                                      mbedtls_ecp_point *R,
+                                      const mbedtls_mpi *m,
+                                      const mbedtls_ecp_point *P,
+                                      mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+
+    if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
+    }
+    else if( mbedtls_mpi_cmp_int( m, -1 ) == 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
+        if( mbedtls_mpi_cmp_int( &R->Y, 0 ) != 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &R->Y, &grp->P, &R->Y ) );
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, R, m, P,
+                                                      NULL, NULL, rs_ctx ) );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Restartable linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd_restartable(
+             mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+             mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_ecp_point mP;
+    mbedtls_ecp_point *pmP = &mP;
+    mbedtls_ecp_point *pR = R;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    ECP_VALIDATE_RET( n   != NULL );
+    ECP_VALIDATE_RET( Q   != NULL );
+
+    if( ecp_get_type( grp ) != ECP_TYPE_SHORT_WEIERSTRASS )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    mbedtls_ecp_point_init( &mP );
+
+    ECP_RS_ENTER( ma );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+    {
+        /* redirect intermediate results to restart context */
+        pmP = &rs_ctx->ma->mP;
+        pR  = &rs_ctx->ma->R;
+
+        /* jump to next operation */
+        if( rs_ctx->ma->state == ecp_rsma_mul2 )
+            goto mul2;
+        if( rs_ctx->ma->state == ecp_rsma_add )
+            goto add;
+        if( rs_ctx->ma->state == ecp_rsma_norm )
+            goto norm;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pmP, m, P, rs_ctx ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_mul2;
+
+mul2:
+#endif
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pR,  n, Q, rs_ctx ) );
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
+        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_add;
+
+add:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_ADD );
+    MBEDTLS_MPI_CHK( ecp_add_mixed( grp, pR, pmP, pR ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_norm;
+
+norm:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, pR ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, pR ) );
+#endif
+
+cleanup:
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( is_grp_capable )
+        mbedtls_internal_ecp_free( grp );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+    mbedtls_ecp_point_free( &mP );
+
+    ECP_RS_LEAVE( ma );
+
+    return( ret );
+}
+
+/*
+ * Linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    ECP_VALIDATE_RET( n   != NULL );
+    ECP_VALIDATE_RET( Q   != NULL );
+    return( mbedtls_ecp_muladd_restartable( grp, R, m, P, n, Q, NULL ) );
+}
+
+#if defined(ECP_MONTGOMERY)
+/*
+ * Check validity of a public key for Montgomery curves with x-only schemes
+ */
+static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+{
+    /* [Curve25519 p. 5] Just check X is the correct number of bytes */
+    /* Allow any public value, if it's too big then we'll just reduce it mod p
+     * (RFC 7748 sec. 5 para. 3). */
+    if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    return( 0 );
+}
+#endif /* ECP_MONTGOMERY */
+
+/*
+ * Check that a point is valid as a public key
+ */
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
+                              const mbedtls_ecp_point *pt )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+
+    /* Must use affine coordinates */
+    if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+        return( ecp_check_pubkey_mx( grp, pt ) );
+#endif
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+        return( ecp_check_pubkey_sw( grp, pt ) );
+#endif
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Check that an mbedtls_mpi is valid as a private key
+ */
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
+                               const mbedtls_mpi *d )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( d   != NULL );
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+    {
+        /* see RFC 7748 sec. 5 para. 5 */
+        if( mbedtls_mpi_get_bit( d, 0 ) != 0 ||
+            mbedtls_mpi_get_bit( d, 1 ) != 0 ||
+            mbedtls_mpi_bitlen( d ) - 1 != grp->nbits ) /* mbedtls_mpi_bitlen is one-based! */
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+        /* see [Curve25519] page 5 */
+        if( grp->nbits == 254 && mbedtls_mpi_get_bit( d, 2 ) != 0 )
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+        return( 0 );
+    }
+#endif /* ECP_MONTGOMERY */
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+    {
+        /* see SEC1 3.2 */
+        if( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
+            mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+        else
+            return( 0 );
+    }
+#endif /* ECP_SHORTWEIERSTRASS */
+
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Generate a private key
+ */
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    size_t n_size;
+
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    n_size = ( grp->nbits + 7 ) / 8;
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+    {
+        /* [M225] page 5 */
+        size_t b;
+
+        do {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
+        } while( mbedtls_mpi_bitlen( d ) == 0);
+
+        /* Make sure the most significant bit is nbits */
+        b = mbedtls_mpi_bitlen( d ) - 1; /* mbedtls_mpi_bitlen is one-based */
+        if( b > grp->nbits )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - grp->nbits ) );
+        else
+            MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, grp->nbits, 1 ) );
+
+        /* Make sure the last two bits are unset for Curve448, three bits for
+           Curve25519 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) );
+        if( grp->nbits == 254 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
+        }
+    }
+#endif /* ECP_MONTGOMERY */
+
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+    {
+        /* SEC1 3.2.1: Generate d such that 1 <= n < N */
+        int count = 0;
+        unsigned cmp = 0;
+
+        /*
+         * Match the procedure given in RFC 6979 (deterministic ECDSA):
+         * - use the same byte ordering;
+         * - keep the leftmost nbits bits of the generated octet string;
+         * - try until result is in the desired range.
+         * This also avoids any biais, which is especially important for ECDSA.
+         */
+        do
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
+
+            /*
+             * Each try has at worst a probability 1/2 of failing (the msb has
+             * a probability 1/2 of being 0, and then the result will be < N),
+             * so after 30 tries failure probability is a most 2**(-30).
+             *
+             * For most curves, 1 try is enough with overwhelming probability,
+             * since N starts with a lot of 1s in binary, but some curves
+             * such as secp224k1 are actually very close to the worst case.
+             */
+            if( ++count > 30 )
+                return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+            ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
+            if( ret != 0 )
+            {
+                goto cleanup;
+            }
+        }
+        while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp != 1 );
+    }
+#endif /* ECP_SHORTWEIERSTRASS */
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate a keypair with configurable base point
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                     const mbedtls_ecp_point *G,
+                     mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( G     != NULL );
+    ECP_VALIDATE_RET( Q     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate key pair, wrapper for conventional base point
+ */
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp,
+                             mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng )
+{
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( Q     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    return( mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) );
+}
+
+/*
+ * Generate a keypair, prettier wrapper
+ */
+int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    ECP_VALIDATE_RET( key   != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 )
+        return( ret );
+
+    return( mbedtls_ecp_gen_keypair( &key->grp, &key->d, &key->Q, f_rng, p_rng ) );
+}
+
+/*
+ * Check a public-private key pair
+ */
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv )
+{
+    int ret;
+    mbedtls_ecp_point Q;
+    mbedtls_ecp_group grp;
+    ECP_VALIDATE_RET( pub != NULL );
+    ECP_VALIDATE_RET( prv != NULL );
+
+    if( pub->grp.id == MBEDTLS_ECP_DP_NONE ||
+        pub->grp.id != prv->grp.id ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.X, &prv->Q.X ) ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.Y, &prv->Q.Y ) ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.Z, &prv->Q.Z ) )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    mbedtls_ecp_point_init( &Q );
+    mbedtls_ecp_group_init( &grp );
+
+    /* mbedtls_ecp_mul() needs a non-const group... */
+    mbedtls_ecp_group_copy( &grp, &prv->grp );
+
+    /* Also checks d is valid */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &Q, &prv->d, &prv->grp.G, NULL, NULL ) );
+
+    if( mbedtls_mpi_cmp_mpi( &Q.X, &prv->Q.X ) ||
+        mbedtls_mpi_cmp_mpi( &Q.Y, &prv->Q.Y ) ||
+        mbedtls_mpi_cmp_mpi( &Q.Z, &prv->Q.Z ) )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &Q );
+    mbedtls_ecp_group_free( &grp );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecp_self_test( int verbose )
+{
+    int ret;
+    size_t i;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point R, P;
+    mbedtls_mpi m;
+    unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
+    /* exponents especially adapted for secp192r1 */
+    const char *exponents[] =
+    {
+        "000000000000000000000000000000000000000000000001", /* one */
+        "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", /* N - 1 */
+        "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
+        "400000000000000000000000000000000000000000000000", /* one and zeros */
+        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
+        "555555555555555555555555555555555555555555555555", /* 101010... */
+    };
+
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &R );
+    mbedtls_ecp_point_init( &P );
+    mbedtls_mpi_init( &m );
+
+    /* Use secp192r1 if available, or any available curve */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP192R1 ) );
+#else
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, mbedtls_ecp_curve_list()->grp_id ) );
+#endif
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECP test #1 (constant op_count, base point G): " );
+
+    /* Do a dummy multiplication first to trigger precomputation */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &m, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &P, &m, &grp.G, NULL, NULL ) );
+
+    add_count = 0;
+    dbl_count = 0;
+    mul_count = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
+
+    for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
+    {
+        add_c_prev = add_count;
+        dbl_c_prev = dbl_count;
+        mul_c_prev = mul_count;
+        add_count = 0;
+        dbl_count = 0;
+        mul_count = 0;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
+
+        if( add_count != add_c_prev ||
+            dbl_count != dbl_c_prev ||
+            mul_count != mul_c_prev )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed (%u)\n", (unsigned int) i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECP test #2 (constant op_count, other point): " );
+    /* We computed P = 2G last time, use it */
+
+    add_count = 0;
+    dbl_count = 0;
+    mul_count = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
+
+    for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
+    {
+        add_c_prev = add_count;
+        dbl_c_prev = dbl_count;
+        mul_c_prev = mul_count;
+        add_count = 0;
+        dbl_count = 0;
+        mul_count = 0;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
+
+        if( add_count != add_c_prev ||
+            dbl_count != dbl_c_prev ||
+            mul_count != mul_c_prev )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed (%u)\n", (unsigned int) i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+
+    if( ret < 0 && verbose != 0 )
+        mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &R );
+    mbedtls_ecp_point_free( &P );
+    mbedtls_mpi_free( &m );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_C */
diff --git a/ctrtool/deps/libmbedtls/src/ecp_curves.c b/ctrtool/deps/libmbedtls/src/ecp_curves.c
new file mode 100644
index 00000000..282481d0
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ecp_curves.c
@@ -0,0 +1,1470 @@
+/*
+ *  Elliptic curves over GF(p): curve-specific data and functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/*
+ * Conversion macros for embedded constants:
+ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
+ */
+#if defined(MBEDTLS_HAVE_INT32)
+
+#define BYTES_TO_T_UINT_4( a, b, c, d )                       \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 )
+
+#define BYTES_TO_T_UINT_2( a, b )                   \
+    BYTES_TO_T_UINT_4( a, b, 0, 0 )
+
+#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+    BYTES_TO_T_UINT_4( a, b, c, d ),                \
+    BYTES_TO_T_UINT_4( e, f, g, h )
+
+#else /* 64-bits */
+
+#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 ) |                        \
+    ( (mbedtls_mpi_uint) (e) << 32 ) |                        \
+    ( (mbedtls_mpi_uint) (f) << 40 ) |                        \
+    ( (mbedtls_mpi_uint) (g) << 48 ) |                        \
+    ( (mbedtls_mpi_uint) (h) << 56 )
+
+#define BYTES_TO_T_UINT_4( a, b, c, d )             \
+    BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
+
+#define BYTES_TO_T_UINT_2( a, b )                   \
+    BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
+
+#endif /* bits in mbedtls_mpi_uint */
+
+/*
+ * Note: the constants are in little-endian order
+ * to be directly usable in MPIs
+ */
+
+/*
+ * Domain parameters for secp192r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static const mbedtls_mpi_uint secp192r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp192r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
+    BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
+    BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
+};
+static const mbedtls_mpi_uint secp192r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
+    BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
+};
+static const mbedtls_mpi_uint secp192r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
+    BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
+    BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
+};
+static const mbedtls_mpi_uint secp192r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
+    BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+/*
+ * Domain parameters for secp224r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static const mbedtls_mpi_uint secp224r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
+    BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
+    BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
+    BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
+};
+static const mbedtls_mpi_uint secp224r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
+    BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
+    BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
+    BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
+};
+static const mbedtls_mpi_uint secp224r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
+    BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
+    BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
+    BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
+};
+static const mbedtls_mpi_uint secp224r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
+    BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+/*
+ * Domain parameters for secp256r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static const mbedtls_mpi_uint secp256r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp256r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
+    BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
+    BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
+    BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
+};
+static const mbedtls_mpi_uint secp256r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
+    BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
+    BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
+};
+static const mbedtls_mpi_uint secp256r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
+    BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
+    BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
+    BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
+};
+static const mbedtls_mpi_uint secp256r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
+    BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+/*
+ * Domain parameters for secp384r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static const mbedtls_mpi_uint secp384r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp384r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
+    BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
+    BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
+    BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
+    BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
+    BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
+};
+static const mbedtls_mpi_uint secp384r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
+    BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
+    BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
+    BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
+    BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
+    BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
+};
+static const mbedtls_mpi_uint secp384r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
+    BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
+    BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
+    BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
+    BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
+};
+static const mbedtls_mpi_uint secp384r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
+    BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+/*
+ * Domain parameters for secp521r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static const mbedtls_mpi_uint secp521r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+};
+static const mbedtls_mpi_uint secp521r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
+    BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
+    BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
+    BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
+    BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
+    BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
+    BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
+    BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
+    BYTES_TO_T_UINT_2( 0x51, 0x00 ),
+};
+static const mbedtls_mpi_uint secp521r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
+    BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
+    BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
+    BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
+    BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
+    BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
+    BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
+    BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
+};
+static const mbedtls_mpi_uint secp521r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
+    BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
+    BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
+    BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
+    BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
+    BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
+    BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
+    BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
+    BYTES_TO_T_UINT_2( 0x18, 0x01 ),
+};
+static const mbedtls_mpi_uint secp521r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
+    BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
+    BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
+    BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
+    BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static const mbedtls_mpi_uint secp192k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp192k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp192k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x03, 0x00 ),
+};
+static const mbedtls_mpi_uint secp192k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
+    BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
+    BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
+};
+static const mbedtls_mpi_uint secp192k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
+    BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
+};
+static const mbedtls_mpi_uint secp192k1_n[] = {
+    BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static const mbedtls_mpi_uint secp224k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp224k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x05, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
+    BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
+    BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
+    BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
+};
+static const mbedtls_mpi_uint secp224k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
+    BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
+    BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
+    BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
+};
+static const mbedtls_mpi_uint secp224k1_n[] = {
+    BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
+    BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static const mbedtls_mpi_uint secp256k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp256k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp256k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x07, 0x00 ),
+};
+static const mbedtls_mpi_uint secp256k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
+    BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
+    BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
+    BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
+};
+static const mbedtls_mpi_uint secp256k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
+    BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
+    BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
+    BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
+};
+static const mbedtls_mpi_uint secp256k1_n[] = {
+    BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
+    BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
+ */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
+    BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
+    BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
+    BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
+    BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
+    BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
+    BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
+    BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
+    BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
+    BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
+    BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
+    BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
+    BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
+    BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
+    BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
+    BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
+    BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
+    BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
+    BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+};
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
+ */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
+    BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
+    BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
+    BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
+    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+    BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
+    BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
+    BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
+    BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
+    BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
+    BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
+    BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
+    BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
+    BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
+    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
+    BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
+    BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
+    BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
+    BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
+    BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
+    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
+    BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
+    BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
+    BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
+    BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
+    BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
+    BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+};
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
+ */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
+    BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
+    BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
+    BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
+    BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
+    BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
+    BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
+    BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
+    BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
+    BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
+    BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
+    BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
+    BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
+    BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
+    BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
+    BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
+    BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
+    BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
+    BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
+    BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
+    BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
+    BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
+    BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
+    BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
+    BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
+    BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
+    BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
+    BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
+    BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
+    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
+    BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
+    BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
+    BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
+    BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
+    BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
+    BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
+    BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+};
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+/*
+ * Create an MPI from embedded constants
+ * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
+ */
+static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
+{
+    X->s = 1;
+    X->n = len / sizeof( mbedtls_mpi_uint );
+    X->p = (mbedtls_mpi_uint *) p;
+}
+
+/*
+ * Set an MPI to static value 1
+ */
+static inline void ecp_mpi_set1( mbedtls_mpi *X )
+{
+    static mbedtls_mpi_uint one[] = { 1 };
+    X->s = 1;
+    X->n = 1;
+    X->p = one;
+}
+
+/*
+ * Make group available from embedded constants
+ */
+static int ecp_group_load( mbedtls_ecp_group *grp,
+                           const mbedtls_mpi_uint *p,  size_t plen,
+                           const mbedtls_mpi_uint *a,  size_t alen,
+                           const mbedtls_mpi_uint *b,  size_t blen,
+                           const mbedtls_mpi_uint *gx, size_t gxlen,
+                           const mbedtls_mpi_uint *gy, size_t gylen,
+                           const mbedtls_mpi_uint *n,  size_t nlen)
+{
+    ecp_mpi_load( &grp->P, p, plen );
+    if( a != NULL )
+        ecp_mpi_load( &grp->A, a, alen );
+    ecp_mpi_load( &grp->B, b, blen );
+    ecp_mpi_load( &grp->N, n, nlen );
+
+    ecp_mpi_load( &grp->G.X, gx, gxlen );
+    ecp_mpi_load( &grp->G.Y, gy, gylen );
+    ecp_mpi_set1( &grp->G.Z );
+
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+    grp->nbits = mbedtls_mpi_bitlen( &grp->N );
+
+    grp->h = 1;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/* Forward declarations */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static int ecp_mod_p192( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static int ecp_mod_p224( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static int ecp_mod_p256( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static int ecp_mod_p384( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static int ecp_mod_p521( mbedtls_mpi * );
+#endif
+
+#define NIST_MODP( P )      grp->modp = ecp_mod_ ## P;
+#else
+#define NIST_MODP( P )
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+/* Additional forward declarations */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+static int ecp_mod_p255( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+static int ecp_mod_p448( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static int ecp_mod_p192k1( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static int ecp_mod_p224k1( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static int ecp_mod_p256k1( mbedtls_mpi * );
+#endif
+
+#define LOAD_GROUP_A( G )   ecp_group_load( grp,            \
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            G ## _a,  sizeof( G ## _a  ),   \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
+
+#define LOAD_GROUP( G )     ecp_group_load( grp,            \
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            NULL,     0,                    \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519( mbedtls_ecp_group *grp )
+{
+    int ret;
+
+    /* Actually ( A + 2 ) / 4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) );
+
+    /* P = 2^255 - 19 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    /* N = 2^252 + 27742317777372353535851937790883648493 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N, 16,
+                                              "14DEF9DEA2F79CD65812631A5CF5D3ED" ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
+
+    /* Y intentionally not set, since we use x/z coordinates.
+     * This is used as a marker to identify Montgomery curves! */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
+    mbedtls_mpi_free( &grp->G.Y );
+
+    /* Actually, the required msb for private keys */
+    grp->nbits = 254;
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_ecp_group_free( grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/*
+ * Specialized function for creating the Curve448 group
+ */
+static int ecp_use_curve448( mbedtls_ecp_group *grp )
+{
+    mbedtls_mpi Ns;
+    int ret;
+
+    mbedtls_mpi_init( &Ns );
+
+    /* Actually ( A + 2 ) / 4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "98AA" ) );
+
+    /* P = 2^448 - 2^224 - 1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    /* Y intentionally not set, since we use x/z coordinates.
+     * This is used as a marker to identify Montgomery curves! */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
+    mbedtls_mpi_free( &grp->G.Y );
+
+    /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16,
+                                              "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
+
+    /* Actually, the required msb for private keys */
+    grp->nbits = 447;
+
+cleanup:
+    mbedtls_mpi_free( &Ns );
+    if( ret != 0 )
+        mbedtls_ecp_group_free( grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/*
+ * Set a group using well-known domain parameters
+ */
+int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    mbedtls_ecp_group_free( grp );
+
+    grp->id = id;
+
+    switch( id )
+    {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP192R1:
+            NIST_MODP( p192 );
+            return( LOAD_GROUP( secp192r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP224R1:
+            NIST_MODP( p224 );
+            return( LOAD_GROUP( secp224r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP256R1:
+            NIST_MODP( p256 );
+            return( LOAD_GROUP( secp256r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP384R1:
+            NIST_MODP( p384 );
+            return( LOAD_GROUP( secp384r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP521R1:
+            NIST_MODP( p521 );
+            return( LOAD_GROUP( secp521r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP192K1:
+            grp->modp = ecp_mod_p192k1;
+            return( LOAD_GROUP_A( secp192k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP224K1:
+            grp->modp = ecp_mod_p224k1;
+            return( LOAD_GROUP_A( secp224k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP256K1:
+            grp->modp = ecp_mod_p256k1;
+            return( LOAD_GROUP_A( secp256k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP256R1:
+            return( LOAD_GROUP_A( brainpoolP256r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP384R1:
+            return( LOAD_GROUP_A( brainpoolP384r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP512R1:
+            return( LOAD_GROUP_A( brainpoolP512r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE25519:
+            grp->modp = ecp_mod_p255;
+            return( ecp_use_curve25519( grp ) );
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE448:
+            grp->modp = ecp_mod_p448;
+            return( ecp_use_curve448( grp ) );
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+        default:
+            mbedtls_ecp_group_free( grp );
+            return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+    }
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/*
+ * Fast reduction modulo the primes used by the NIST curves.
+ *
+ * These functions are critical for speed, but not needed for correct
+ * operations. So, we make the choice to heavily rely on the internals of our
+ * bignum library, which creates a tight coupling between these functions and
+ * our MPI implementation.  However, the coupling between the ECP module and
+ * MPI remains loose, since these functions can be deactivated at will.
+ */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+/*
+ * Compared to the way things are presented in FIPS 186-3 D.2,
+ * we proceed in columns, from right (least significant chunk) to left,
+ * adding chunks to N in place, and keeping a carry for the next chunk.
+ * This avoids moving things around in memory, and uselessly adding zeros,
+ * compared to the more straightforward, line-oriented approach.
+ *
+ * For this prime we need to handle data in chunks of 64 bits.
+ * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
+ * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
+ */
+
+/* Add 64-bit chunks (dst += src) and update carry */
+static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
+{
+    unsigned char i;
+    mbedtls_mpi_uint c = 0;
+    for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
+    {
+        *dst += c;      c  = ( *dst < c );
+        *dst += *src;   c += ( *dst < *src );
+    }
+    *carry += c;
+}
+
+/* Add carry to a 64-bit chunk and update carry */
+static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
+{
+    unsigned char i;
+    for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
+    {
+        *dst += *carry;
+        *carry  = ( *dst < *carry );
+    }
+}
+
+#define WIDTH       8 / sizeof( mbedtls_mpi_uint )
+#define A( i )      N->p + (i) * WIDTH
+#define ADD( i )    add64( p, A( i ), &c )
+#define NEXT        p += WIDTH; carry64( p, &c )
+#define LAST        p += WIDTH; *p = c; while( ++p < end ) *p = 0
+
+/*
+ * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ */
+static int ecp_mod_p192( mbedtls_mpi *N )
+{
+    int ret;
+    mbedtls_mpi_uint c = 0;
+    mbedtls_mpi_uint *p, *end;
+
+    /* Make sure we have enough blocks so that A(5) is legal */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
+
+    p = N->p;
+    end = p + N->n;
+
+    ADD( 3 ); ADD( 5 );             NEXT; // A0 += A3 + A5
+    ADD( 3 ); ADD( 4 ); ADD( 5 );   NEXT; // A1 += A3 + A4 + A5
+    ADD( 4 ); ADD( 5 );             LAST; // A2 += A4 + A5
+
+cleanup:
+    return( ret );
+}
+
+#undef WIDTH
+#undef A
+#undef ADD
+#undef NEXT
+#undef LAST
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * The reader is advised to first understand ecp_mod_p192() since the same
+ * general structure is used here, but with additional complications:
+ * (1) chunks of 32 bits, and (2) subtractions.
+ */
+
+/*
+ * For these primes, we need to handle data in chunks of 32 bits.
+ * This makes it more complicated if we use 64 bits limbs in MPI,
+ * which prevents us from using a uniform access method as for p192.
+ *
+ * So, we define a mini abstraction layer to access 32 bit chunks,
+ * load them in 'cur' for work, and store them back from 'cur' when done.
+ *
+ * While at it, also define the size of N in terms of 32-bit chunks.
+ */
+#define LOAD32      cur = A( i );
+
+#if defined(MBEDTLS_HAVE_INT32)  /* 32 bit */
+
+#define MAX32       N->n
+#define A( j )      N->p[j]
+#define STORE32     N->p[i] = cur;
+
+#else                               /* 64-bit */
+
+#define MAX32       N->n * 2
+#define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
+                         (uint32_t)( N->p[(j)/2] )
+#define STORE32                                   \
+    if( i % 2 ) {                                 \
+        N->p[i/2] &= 0x00000000FFFFFFFF;          \
+        N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32;        \
+    } else {                                      \
+        N->p[i/2] &= 0xFFFFFFFF00000000;          \
+        N->p[i/2] |= (mbedtls_mpi_uint) cur;                \
+    }
+
+#endif /* sizeof( mbedtls_mpi_uint ) */
+
+/*
+ * Helpers for addition and subtraction of chunks, with signed carry.
+ */
+static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
+{
+    *dst += src;
+    *carry += ( *dst < src );
+}
+
+static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
+{
+    *carry -= ( *dst < src );
+    *dst -= src;
+}
+
+#define ADD( j )    add32( &cur, A( j ), &c );
+#define SUB( j )    sub32( &cur, A( j ), &c );
+
+/*
+ * Helpers for the main 'loop'
+ * (see fix_negative for the motivation of C)
+ */
+#define INIT( b )                                                       \
+    int ret;                                                            \
+    signed char c = 0, cc;                                              \
+    uint32_t cur;                                                       \
+    size_t i = 0, bits = (b);                                           \
+    mbedtls_mpi C;                                                      \
+    mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ];     \
+                                                                        \
+    C.s = 1;                                                            \
+    C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1;                      \
+    C.p = Cp;                                                           \
+    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) );                  \
+                                                                        \
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 /                 \
+                                       sizeof( mbedtls_mpi_uint ) ) );  \
+    LOAD32;
+
+#define NEXT                    \
+    STORE32; i++; LOAD32;       \
+    cc = c; c = 0;              \
+    if( cc < 0 )                \
+        sub32( &cur, -cc, &c ); \
+    else                        \
+        add32( &cur, cc, &c );  \
+
+#define LAST                                    \
+    STORE32; i++;                               \
+    cur = c > 0 ? c : 0; STORE32;               \
+    cur = 0; while( ++i < MAX32 ) { STORE32; }  \
+    if( c < 0 ) fix_negative( N, c, &C, bits );
+
+/*
+ * If the result is negative, we get it in the form
+ * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
+ */
+static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
+{
+    int ret;
+
+    /* C = - c * 2^(bits + 32) */
+#if !defined(MBEDTLS_HAVE_INT64)
+    ((void) bits);
+#else
+    if( bits == 224 )
+        C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
+    else
+#endif
+        C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
+
+    /* N = - ( C - N ) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
+    N->s = -1;
+
+cleanup:
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ */
+static int ecp_mod_p224( mbedtls_mpi *N )
+{
+    INIT( 224 );
+
+    SUB(  7 ); SUB( 11 );               NEXT; // A0 += -A7 - A11
+    SUB(  8 ); SUB( 12 );               NEXT; // A1 += -A8 - A12
+    SUB(  9 ); SUB( 13 );               NEXT; // A2 += -A9 - A13
+    SUB( 10 ); ADD(  7 ); ADD( 11 );    NEXT; // A3 += -A10 + A7 + A11
+    SUB( 11 ); ADD(  8 ); ADD( 12 );    NEXT; // A4 += -A11 + A8 + A12
+    SUB( 12 ); ADD(  9 ); ADD( 13 );    NEXT; // A5 += -A12 + A9 + A13
+    SUB( 13 ); ADD( 10 );               LAST; // A6 += -A13 + A10
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ */
+static int ecp_mod_p256( mbedtls_mpi *N )
+{
+    INIT( 256 );
+
+    ADD(  8 ); ADD(  9 );
+    SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 );             NEXT; // A0
+
+    ADD(  9 ); ADD( 10 );
+    SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 );             NEXT; // A1
+
+    ADD( 10 ); ADD( 11 );
+    SUB( 13 ); SUB( 14 ); SUB( 15 );                        NEXT; // A2
+
+    ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
+    SUB( 15 ); SUB(  8 ); SUB(  9 );                        NEXT; // A3
+
+    ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
+    SUB(  9 ); SUB( 10 );                                   NEXT; // A4
+
+    ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
+    SUB( 10 ); SUB( 11 );                                   NEXT; // A5
+
+    ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
+    SUB(  8 ); SUB(  9 );                                   NEXT; // A6
+
+    ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
+    SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 );             LAST; // A7
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ */
+static int ecp_mod_p384( mbedtls_mpi *N )
+{
+    INIT( 384 );
+
+    ADD( 12 ); ADD( 21 ); ADD( 20 );
+    SUB( 23 );                                              NEXT; // A0
+
+    ADD( 13 ); ADD( 22 ); ADD( 23 );
+    SUB( 12 ); SUB( 20 );                                   NEXT; // A2
+
+    ADD( 14 ); ADD( 23 );
+    SUB( 13 ); SUB( 21 );                                   NEXT; // A2
+
+    ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
+    SUB( 14 ); SUB( 22 ); SUB( 23 );                        NEXT; // A3
+
+    ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
+    SUB( 15 ); SUB( 23 ); SUB( 23 );                        NEXT; // A4
+
+    ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
+    SUB( 16 );                                              NEXT; // A5
+
+    ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
+    SUB( 17 );                                              NEXT; // A6
+
+    ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
+    SUB( 18 );                                              NEXT; // A7
+
+    ADD( 20 ); ADD( 17 ); ADD( 16 );
+    SUB( 19 );                                              NEXT; // A8
+
+    ADD( 21 ); ADD( 18 ); ADD( 17 );
+    SUB( 20 );                                              NEXT; // A9
+
+    ADD( 22 ); ADD( 19 ); ADD( 18 );
+    SUB( 21 );                                              NEXT; // A10
+
+    ADD( 23 ); ADD( 20 ); ADD( 19 );
+    SUB( 22 );                                              LAST; // A11
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#undef A
+#undef LOAD32
+#undef STORE32
+#undef MAX32
+#undef INIT
+#undef NEXT
+#undef LAST
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
+          MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
+          MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+/*
+ * Here we have an actual Mersenne prime, so things are more straightforward.
+ * However, chunks are aligned on a 'weird' boundary (521 bits).
+ */
+
+/* Size of p521 in terms of mbedtls_mpi_uint */
+#define P521_WIDTH      ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
+
+/* Bits to keep in the most significant mbedtls_mpi_uint */
+#define P521_MASK       0x01FF
+
+/*
+ * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
+ * Write N as A1 + 2^521 A0, return A0 + A1
+ */
+static int ecp_mod_p521( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M;
+    mbedtls_mpi_uint Mp[P521_WIDTH + 1];
+    /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
+     * we need to hold bits 513 to 1056, which is 34 limbs, that is
+     * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
+
+    if( N->n < P521_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P521_WIDTH - 1 );
+    if( M.n > P521_WIDTH + 1 )
+        M.n = P521_WIDTH + 1;
+    M.p = Mp;
+    memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
+
+    /* N = A0 */
+    N->p[P521_WIDTH - 1] &= P521_MASK;
+    for( i = P521_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+
+#undef P521_WIDTH
+#undef P521_MASK
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/* Size of p255 in terms of mbedtls_mpi_uint */
+#define P255_WIDTH      ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A0 + 2^255 A1, return A0 + 19 * A1
+ */
+static int ecp_mod_p255( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M;
+    mbedtls_mpi_uint Mp[P255_WIDTH + 2];
+
+    if( N->n < P255_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P255_WIDTH - 1 );
+    if( M.n > P255_WIDTH + 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    M.p = Mp;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
+    M.n++; /* Make room for multiplication by 19 */
+
+    /* N = A0 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
+    for( i = P255_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + 19 * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/* Size of p448 in terms of mbedtls_mpi_uint */
+#define P448_WIDTH      ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
+
+/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
+#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
+#define P224_WIDTH_MIN   ( 28 / sizeof( mbedtls_mpi_uint ) )
+#define P224_WIDTH_MAX   DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
+#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
+
+/*
+ * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
+ * A0 + A1 + B1 + (B0 + B1) * 2^224.  This is different to the reference
+ * implementation of Curve448, which uses its own special 56-bit limbs rather
+ * than a generic bignum library.  We could squeeze some extra speed out on
+ * 32-bit machines by splitting N up into 32-bit limbs and doing the
+ * arithmetic using the limbs directly as we do for the NIST primes above,
+ * but for 64-bit targets it should use half the number of operations if we do
+ * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
+ */
+static int ecp_mod_p448( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M, Q;
+    mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
+
+    if( N->n <= P448_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P448_WIDTH );
+    if( M.n > P448_WIDTH )
+        /* Shouldn't be called with N larger than 2^896! */
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    M.p = Mp;
+    memset( Mp, 0, sizeof( Mp ) );
+    memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
+
+    /* N = A0 */
+    for( i = P448_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N += A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
+
+    /* Q = B1, N += B1 */
+    Q = M;
+    Q.p = Qp;
+    memcpy( Qp, Mp, sizeof( Qp ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
+
+    /* M = (B0 + B1) * 2^224, N += M */
+    if( sizeof( mbedtls_mpi_uint ) > 4 )
+        Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
+    for( i = P224_WIDTH_MAX; i < M.n; ++i )
+        Mp[i] = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
+    M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo P = 2^s - R,
+ * with R about 33 bits, used by the Koblitz curves.
+ *
+ * Write N as A0 + 2^224 A1, return A0 + R * A1.
+ * Actually do two passes, since R is big.
+ */
+#define P_KOBLITZ_MAX   ( 256 / 8 / sizeof( mbedtls_mpi_uint ) )  // Max limbs in P
+#define P_KOBLITZ_R     ( 8 / sizeof( mbedtls_mpi_uint ) )        // Limbs in R
+static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
+                                   size_t adjust, size_t shift, mbedtls_mpi_uint mask )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M, R;
+    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
+
+    if( N->n < p_limbs )
+        return( 0 );
+
+    /* Init R */
+    R.s = 1;
+    R.p = Rp;
+    R.n = P_KOBLITZ_R;
+
+    /* Common setup for M */
+    M.s = 1;
+    M.p = Mp;
+
+    /* M = A1 */
+    M.n = N->n - ( p_limbs - adjust );
+    if( M.n > p_limbs + adjust )
+        M.n = p_limbs + adjust;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
+    if( shift != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
+    M.n += R.n; /* Make room for multiplication by R */
+
+    /* N = A0 */
+    if( mask != 0 )
+        N->p[p_limbs - 1] &= mask;
+    for( i = p_limbs; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + R * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+    /* Second pass */
+
+    /* M = A1 */
+    M.n = N->n - ( p_limbs - adjust );
+    if( M.n > p_limbs + adjust )
+        M.n = p_limbs + adjust;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
+    if( shift != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
+    M.n += R.n; /* Make room for multiplication by R */
+
+    /* N = A0 */
+    if( mask != 0 )
+        N->p[p_limbs - 1] &= mask;
+    for( i = p_limbs; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + R * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
+          MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
+          MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
+ */
+static int ecp_mod_p192k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+
+    return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ */
+static int ecp_mod_p224k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+
+#if defined(MBEDTLS_HAVE_INT64)
+    return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
+#else
+    return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+#endif
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ */
+static int ecp_mod_p256k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+    return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+}
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_C */
diff --git a/ctrtool/deps/libmbedtls/src/entropy.c b/ctrtool/deps/libmbedtls/src/entropy.c
new file mode 100644
index 00000000..f8db1a55
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/entropy.c
@@ -0,0 +1,721 @@
+/*
+ *  Entropy accumulator implementation
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+#warning "**** WARNING!  MBEDTLS_TEST_NULL_ENTROPY defined! "
+#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES "
+#warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
+#endif
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if defined(MBEDTLS_HAVEGE_C)
+#include "mbedtls/havege.h"
+#endif
+
+#define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
+
+void mbedtls_entropy_init( mbedtls_entropy_context *ctx )
+{
+    ctx->source_count = 0;
+    memset( ctx->source, 0, sizeof( ctx->source ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+
+    ctx->accumulator_started = 0;
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_init( &ctx->accumulator );
+#else
+    mbedtls_sha256_init( &ctx->accumulator );
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_init( &ctx->havege_data );
+#endif
+
+    /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
+     *           when adding more strong entropy sources here. */
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL,
+                                1, MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+
+#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    mbedtls_entropy_add_source( ctx, mbedtls_platform_entropy_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_PLATFORM,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_TIMING_C)
+    mbedtls_entropy_add_source( ctx, mbedtls_hardclock_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_HARDCLOCK,
+                                MBEDTLS_ENTROPY_SOURCE_WEAK );
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_entropy_add_source( ctx, mbedtls_havege_poll, &ctx->havege_data,
+                                MBEDTLS_ENTROPY_MIN_HAVEGE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    mbedtls_entropy_add_source( ctx, mbedtls_hardware_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_HARDWARE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    mbedtls_entropy_add_source( ctx, mbedtls_nv_seed_poll, NULL,
+                                MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+    ctx->initial_entropy_run = 0;
+#endif
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+}
+
+void mbedtls_entropy_free( mbedtls_entropy_context *ctx )
+{
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_free( &ctx->havege_data );
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_free( &ctx->accumulator );
+#else
+    mbedtls_sha256_free( &ctx->accumulator );
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    ctx->initial_entropy_run = 0;
+#endif
+    ctx->source_count = 0;
+    mbedtls_platform_zeroize( ctx->source, sizeof( ctx->source ) );
+    ctx->accumulator_started = 0;
+}
+
+int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
+                        mbedtls_entropy_f_source_ptr f_source, void *p_source,
+                        size_t threshold, int strong )
+{
+    int idx, ret = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    idx = ctx->source_count;
+    if( idx >= MBEDTLS_ENTROPY_MAX_SOURCES )
+    {
+        ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES;
+        goto exit;
+    }
+
+    ctx->source[idx].f_source  = f_source;
+    ctx->source[idx].p_source  = p_source;
+    ctx->source[idx].threshold = threshold;
+    ctx->source[idx].strong    = strong;
+
+    ctx->source_count++;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Entropy accumulator update
+ */
+static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id,
+                           const unsigned char *data, size_t len )
+{
+    unsigned char header[2];
+    unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE];
+    size_t use_len = len;
+    const unsigned char *p = data;
+    int ret = 0;
+
+    if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE )
+    {
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+        if( ( ret = mbedtls_sha512_ret( data, len, tmp, 0 ) ) != 0 )
+            goto cleanup;
+#else
+        if( ( ret = mbedtls_sha256_ret( data, len, tmp, 0 ) ) != 0 )
+            goto cleanup;
+#endif
+        p = tmp;
+        use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+    }
+
+    header[0] = source_id;
+    header[1] = use_len & 0xFF;
+
+    /*
+     * Start the accumulator if this has not already happened. Note that
+     * it is sufficient to start the accumulator here only because all calls to
+     * gather entropy eventually execute this code.
+     */
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    if( ctx->accumulator_started == 0 &&
+        ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto cleanup;
+    else
+        ctx->accumulator_started = 1;
+    if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, header, 2 ) ) != 0 )
+        goto cleanup;
+    ret = mbedtls_sha512_update_ret( &ctx->accumulator, p, use_len );
+#else
+    if( ctx->accumulator_started == 0 &&
+        ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto cleanup;
+    else
+        ctx->accumulator_started = 1;
+    if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, header, 2 ) ) != 0 )
+        goto cleanup;
+    ret = mbedtls_sha256_update_ret( &ctx->accumulator, p, use_len );
+#endif
+
+cleanup:
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+
+    return( ret );
+}
+
+int mbedtls_entropy_update_manual( mbedtls_entropy_context *ctx,
+                           const unsigned char *data, size_t len )
+{
+    int ret;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = entropy_update( ctx, MBEDTLS_ENTROPY_SOURCE_MANUAL, data, len );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Run through the different sources to add entropy to our accumulator
+ */
+static int entropy_gather_internal( mbedtls_entropy_context *ctx )
+{
+    int ret, i, have_one_strong = 0;
+    unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
+    size_t olen;
+
+    if( ctx->source_count == 0 )
+        return( MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED );
+
+    /*
+     * Run through our entropy sources
+     */
+    for( i = 0; i < ctx->source_count; i++ )
+    {
+        if( ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG )
+            have_one_strong = 1;
+
+        olen = 0;
+        if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
+                        buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen ) ) != 0 )
+        {
+            goto cleanup;
+        }
+
+        /*
+         * Add if we actually gathered something
+         */
+        if( olen > 0 )
+        {
+            if( ( ret = entropy_update( ctx, (unsigned char) i,
+                                        buf, olen ) ) != 0 )
+                return( ret );
+            ctx->source[i].size += olen;
+        }
+    }
+
+    if( have_one_strong == 0 )
+        ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+/*
+ * Thread-safe wrapper for entropy_gather_internal()
+ */
+int mbedtls_entropy_gather( mbedtls_entropy_context *ctx )
+{
+    int ret;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = entropy_gather_internal( ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+int mbedtls_entropy_func( void *data, unsigned char *output, size_t len )
+{
+    int ret, count = 0, i, done;
+    mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    if( len > MBEDTLS_ENTROPY_BLOCK_SIZE )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    /* Update the NV entropy seed before generating any entropy for outside
+     * use.
+     */
+    if( ctx->initial_entropy_run == 0 )
+    {
+        ctx->initial_entropy_run = 1;
+        if( ( ret = mbedtls_entropy_update_nv_seed( ctx ) ) != 0 )
+            return( ret );
+    }
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    /*
+     * Always gather extra entropy before a call
+     */
+    do
+    {
+        if( count++ > ENTROPY_MAX_LOOP )
+        {
+            ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+            goto exit;
+        }
+
+        if( ( ret = entropy_gather_internal( ctx ) ) != 0 )
+            goto exit;
+
+        done = 1;
+        for( i = 0; i < ctx->source_count; i++ )
+            if( ctx->source[i].size < ctx->source[i].threshold )
+                done = 0;
+    }
+    while( ! done );
+
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    /*
+     * Note that at this stage it is assumed that the accumulator was started
+     * in a previous call to entropy_update(). If this is not guaranteed, the
+     * code below will fail.
+     */
+    if( ( ret = mbedtls_sha512_finish_ret( &ctx->accumulator, buf ) ) != 0 )
+        goto exit;
+
+    /*
+     * Reset accumulator and counters and recycle existing entropy
+     */
+    mbedtls_sha512_free( &ctx->accumulator );
+    mbedtls_sha512_init( &ctx->accumulator );
+    if( ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, buf,
+                                           MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    /*
+     * Perform second SHA-512 on entropy
+     */
+    if( ( ret = mbedtls_sha512_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                    buf, 0 ) ) != 0 )
+        goto exit;
+#else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+    if( ( ret = mbedtls_sha256_finish_ret( &ctx->accumulator, buf ) ) != 0 )
+        goto exit;
+
+    /*
+     * Reset accumulator and counters and recycle existing entropy
+     */
+    mbedtls_sha256_free( &ctx->accumulator );
+    mbedtls_sha256_init( &ctx->accumulator );
+    if( ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, buf,
+                                           MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    /*
+     * Perform second SHA-256 on entropy
+     */
+    if( ( ret = mbedtls_sha256_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                    buf, 0 ) ) != 0 )
+        goto exit;
+#endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+
+    for( i = 0; i < ctx->source_count; i++ )
+        ctx->source[i].size = 0;
+
+    memcpy( output, buf, len );
+
+    ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx )
+{
+    int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    /* Read new seed  and write it to NV */
+    if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        return( ret );
+
+    if( mbedtls_nv_seed_write( buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) < 0 )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    /* Manually update the remaining stream with a separator value to diverge */
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+    ret = mbedtls_entropy_update_manual( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *path )
+{
+    int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    FILE *f;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f ) != MBEDTLS_ENTROPY_BLOCK_SIZE )
+    {
+        ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    fclose( f );
+    return( ret );
+}
+
+int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f;
+    size_t n;
+    unsigned char buf[ MBEDTLS_ENTROPY_MAX_SEED_SIZE ];
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    n = (size_t) ftell( f );
+    fseek( f, 0, SEEK_SET );
+
+    if( n > MBEDTLS_ENTROPY_MAX_SEED_SIZE )
+        n = MBEDTLS_ENTROPY_MAX_SEED_SIZE;
+
+    if( fread( buf, 1, n, f ) != n )
+        ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    else
+        ret = mbedtls_entropy_update_manual( ctx, buf, n );
+
+    fclose( f );
+
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( mbedtls_entropy_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+/*
+ * Dummy source function
+ */
+static int entropy_dummy_source( void *data, unsigned char *output,
+                                 size_t len, size_t *olen )
+{
+    ((void) data);
+
+    memset( output, 0x2a, len );
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+
+static int mbedtls_entropy_source_self_test_gather( unsigned char *buf, size_t buf_len )
+{
+    int ret = 0;
+    size_t entropy_len = 0;
+    size_t olen = 0;
+    size_t attempts = buf_len;
+
+    while( attempts > 0 && entropy_len < buf_len )
+    {
+        if( ( ret = mbedtls_hardware_poll( NULL, buf + entropy_len,
+            buf_len - entropy_len, &olen ) ) != 0 )
+            return( ret );
+
+        entropy_len += olen;
+        attempts--;
+    }
+
+    if( entropy_len < buf_len )
+    {
+        ret = 1;
+    }
+
+    return( ret );
+}
+
+
+static int mbedtls_entropy_source_self_test_check_bits( const unsigned char *buf,
+                                                        size_t buf_len )
+{
+    unsigned char set= 0xFF;
+    unsigned char unset = 0x00;
+    size_t i;
+
+    for( i = 0; i < buf_len; i++ )
+    {
+        set &= buf[i];
+        unset |= buf[i];
+    }
+
+    return( set == 0xFF || unset == 0x00 );
+}
+
+/*
+ * A test to ensure hat the entropy sources are functioning correctly
+ * and there is no obvious failure. The test performs the following checks:
+ *  - The entropy source is not providing only 0s (all bits unset) or 1s (all
+ *    bits set).
+ *  - The entropy source is not providing values in a pattern. Because the
+ *    hardware could be providing data in an arbitrary length, this check polls
+ *    the hardware entropy source twice and compares the result to ensure they
+ *    are not equal.
+ *  - The error code returned by the entropy source is not an error.
+ */
+int mbedtls_entropy_source_self_test( int verbose )
+{
+    int ret = 0;
+    unsigned char buf0[2 * sizeof( unsigned long long int )];
+    unsigned char buf1[2 * sizeof( unsigned long long int )];
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ENTROPY_BIAS test: " );
+
+    memset( buf0, 0x00, sizeof( buf0 ) );
+    memset( buf1, 0x00, sizeof( buf1 ) );
+
+    if( ( ret = mbedtls_entropy_source_self_test_gather( buf0, sizeof( buf0 ) ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_entropy_source_self_test_gather( buf1, sizeof( buf1 ) ) ) != 0 )
+        goto cleanup;
+
+    /* Make sure that the returned values are not all 0 or 1 */
+    if( ( ret = mbedtls_entropy_source_self_test_check_bits( buf0, sizeof( buf0 ) ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_entropy_source_self_test_check_bits( buf1, sizeof( buf1 ) ) ) != 0 )
+        goto cleanup;
+
+    /* Make sure that the entropy source is not returning values in a
+     * pattern */
+    ret = memcmp( buf0, buf1, sizeof( buf0 ) ) == 0;
+
+cleanup:
+    if( verbose != 0 )
+    {
+        if( ret != 0 )
+            mbedtls_printf( "failed\n" );
+        else
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_printf( "\n" );
+    }
+
+    return( ret != 0 );
+}
+
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+
+/*
+ * The actual entropy quality is hard to test, but we can at least
+ * test that the functions don't cause errors and write the correct
+ * amount of data to buffers.
+ */
+int mbedtls_entropy_self_test( int verbose )
+{
+    int ret = 1;
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_context ctx;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+    unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+    size_t i, j;
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ENTROPY test: " );
+
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_init( &ctx );
+
+    /* First do a gather to make sure we have default sources */
+    if( ( ret = mbedtls_entropy_gather( &ctx ) ) != 0 )
+        goto cleanup;
+
+    ret = mbedtls_entropy_add_source( &ctx, entropy_dummy_source, NULL, 16,
+                                      MBEDTLS_ENTROPY_SOURCE_WEAK );
+    if( ret != 0 )
+        goto cleanup;
+
+    if( ( ret = mbedtls_entropy_update_manual( &ctx, buf, sizeof buf ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * To test that mbedtls_entropy_func writes correct number of bytes:
+     * - use the whole buffer and rely on ASan to detect overruns
+     * - collect entropy 8 times and OR the result in an accumulator:
+     *   any byte should then be 0 with probably 2^(-64), so requiring
+     *   each of the 32 or 64 bytes to be non-zero has a false failure rate
+     *   of at most 2^(-58) which is acceptable.
+     */
+    for( i = 0; i < 8; i++ )
+    {
+        if( ( ret = mbedtls_entropy_func( &ctx, buf, sizeof( buf ) ) ) != 0 )
+            goto cleanup;
+
+        for( j = 0; j < sizeof( buf ); j++ )
+            acc[j] |= buf[j];
+    }
+
+    for( j = 0; j < sizeof( buf ); j++ )
+    {
+        if( acc[j] == 0 )
+        {
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    if( ( ret = mbedtls_entropy_source_self_test( 0 ) ) != 0 )
+        goto cleanup;
+#endif
+
+cleanup:
+    mbedtls_entropy_free( &ctx );
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+    if( verbose != 0 )
+    {
+        if( ret != 0 )
+            mbedtls_printf( "failed\n" );
+        else
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_printf( "\n" );
+    }
+
+    return( ret != 0 );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/ctrtool/deps/libmbedtls/src/entropy_poll.c b/ctrtool/deps/libmbedtls/src/entropy_poll.c
new file mode 100644
index 00000000..4556f88a
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/entropy_poll.c
@@ -0,0 +1,236 @@
+/*
+ *  Platform-specific and custom entropy polling functions
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(__linux__)
+/* Ensure that syscall() is available even when compiling with -std=c99 */
+#define _GNU_SOURCE
+#endif
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+
+#if defined(MBEDTLS_TIMING_C)
+#include "mbedtls/timing.h"
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+#include "mbedtls/havege.h"
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls/platform.h"
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
+#error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#if !defined(_WIN32_WINNT)
+#define _WIN32_WINNT 0x0400
+#endif
+#include <windows.h>
+#include <wincrypt.h>
+
+int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len,
+                           size_t *olen )
+{
+    HCRYPTPROV provider;
+    ((void) data);
+    *olen = 0;
+
+    if( CryptAcquireContext( &provider, NULL, NULL,
+                              PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) == FALSE )
+    {
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
+    {
+        CryptReleaseContext( provider, 0 );
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    CryptReleaseContext( provider, 0 );
+    *olen = len;
+
+    return( 0 );
+}
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Test for Linux getrandom() support.
+ * Since there is no wrapper in the libc yet, use the generic syscall wrapper
+ * available in GNU libc and compatible libc's (eg uClibc).
+ */
+#if defined(__linux__) && defined(__GLIBC__)
+#include <unistd.h>
+#include <sys/syscall.h>
+#if defined(SYS_getrandom)
+#define HAVE_GETRANDOM
+#include <errno.h>
+
+static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
+{
+    /* MemSan cannot understand that the syscall writes to the buffer */
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+    memset( buf, 0, buflen );
+#endif
+#endif
+    return( syscall( SYS_getrandom, buf, buflen, flags ) );
+}
+#endif /* SYS_getrandom */
+#endif /* __linux__ */
+
+#include <stdio.h>
+
+int mbedtls_platform_entropy_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen )
+{
+    FILE *file;
+    size_t read_len;
+    int ret;
+    ((void) data);
+
+#if defined(HAVE_GETRANDOM)
+    ret = getrandom_wrapper( output, len, 0 );
+    if( ret >= 0 )
+    {
+        *olen = ret;
+        return( 0 );
+    }
+    else if( errno != ENOSYS )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    /* Fall through if the system call isn't known. */
+#else
+    ((void) ret);
+#endif /* HAVE_GETRANDOM */
+
+    *olen = 0;
+
+    file = fopen( "/dev/urandom", "rb" );
+    if( file == NULL )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    read_len = fread( output, 1, len, file );
+    if( read_len != len )
+    {
+        fclose( file );
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    fclose( file );
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+int mbedtls_null_entropy_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen )
+{
+    ((void) data);
+    ((void) output);
+    *olen = 0;
+
+    if( len < sizeof(unsigned char) )
+        return( 0 );
+
+    *olen = sizeof(unsigned char);
+
+    return( 0 );
+}
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+int mbedtls_hardclock_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen )
+{
+    unsigned long timer = mbedtls_timing_hardclock();
+    ((void) data);
+    *olen = 0;
+
+    if( len < sizeof(unsigned long) )
+        return( 0 );
+
+    memcpy( output, &timer, sizeof(unsigned long) );
+    *olen = sizeof(unsigned long);
+
+    return( 0 );
+}
+#endif /* MBEDTLS_TIMING_C */
+
+#if defined(MBEDTLS_HAVEGE_C)
+int mbedtls_havege_poll( void *data,
+                 unsigned char *output, size_t len, size_t *olen )
+{
+    mbedtls_havege_state *hs = (mbedtls_havege_state *) data;
+    *olen = 0;
+
+    if( mbedtls_havege_random( hs, output, len ) != 0 )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_HAVEGE_C */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_nv_seed_poll( void *data,
+                          unsigned char *output, size_t len, size_t *olen )
+{
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+    size_t use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+    ((void) data);
+
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+    if( mbedtls_nv_seed_read( buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) < 0 )
+      return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    if( len < use_len )
+      use_len = len;
+
+    memcpy( output, buf, use_len );
+    *olen = use_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/ctrtool/deps/libmbedtls/src/error.c b/ctrtool/deps/libmbedtls/src/error.c
new file mode 100644
index 00000000..c596f0bc
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/error.c
@@ -0,0 +1,916 @@
+/*
+ *  Error message information
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+#include "mbedtls/error.h"
+#include <string.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#define mbedtls_time_t   time_t
+#endif
+
+#if defined(MBEDTLS_ERROR_C)
+
+#include <stdio.h>
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
+#if defined(MBEDTLS_BASE64_C)
+#include "mbedtls/base64.h"
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+#include "mbedtls/blowfish.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "mbedtls/dhm.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+#include "mbedtls/entropy.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_HKDF_C)
+#include "mbedtls/hkdf.h"
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#include "mbedtls/md.h"
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+#include "mbedtls/md2.h"
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+#include "mbedtls/md4.h"
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_NET_C)
+#include "mbedtls/net_sockets.h"
+#endif
+
+#if defined(MBEDTLS_OID_C)
+#include "mbedtls/oid.h"
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C)
+#include "mbedtls/padlock.h"
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#endif
+
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+#include "mbedtls/poly1305.h"
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#include "mbedtls/ripemd160.h"
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+#include "mbedtls/ssl.h"
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "mbedtls/x509.h"
+#endif
+
+#if defined(MBEDTLS_XTEA_C)
+#include "mbedtls/xtea.h"
+#endif
+
+
+void mbedtls_strerror( int ret, char *buf, size_t buflen )
+{
+    size_t len;
+    int use_ret;
+
+    if( buflen == 0 )
+        return;
+
+    memset( buf, 0x00, buflen );
+
+    if( ret < 0 )
+        ret = -ret;
+
+    if( ret & 0xFF80 )
+    {
+        use_ret = ret & 0xFF80;
+
+        // High level error codes
+        //
+        // BEGIN generated code
+#if defined(MBEDTLS_CIPHER_C)
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - The selected feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Bad input parameters" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_PADDING) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Input data contains invalid padding and is rejected" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Decryption of block requires a full block" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_AUTH_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Authentication failed (for AEAD modes)" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - The context is invalid. For example, because it was freed" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Cipher hardware accelerator failed" );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_DHM_C)
+        if( use_ret == -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "DHM - Bad input parameters" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Reading of the DHM parameters failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Making of the DHM parameters failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Reading of the public values failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Making of the public value failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Calculation of the DHM secret failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "DHM - The ASN.1 data is not formatted correctly" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "DHM - Read or write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - DHM hardware accelerator failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Setting the modulus and generator failed" );
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_ECP_C)
+        if( use_ret == -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "ECP - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "ECP - The buffer is too small to write to" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "ECP - The requested feature is not available, for example, the requested curve is not supported" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - The signature is not valid" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as ephemeral key, failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY) )
+            mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "ECP - The buffer contains a valid signature followed by more data" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - The ECP hardware accelerator failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "ECP - Operation in progress, call again with the same parameters to continue" );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+        if( use_ret == -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "MD - The selected feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_MD_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "MD - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_MD_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "MD - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_MD_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "MD - Opening or reading of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "MD - MD hardware accelerator failed" );
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+        if( use_ret == -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) )
+            mbedtls_snprintf( buf, buflen, "PEM - No PEM header or footer found" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_DATA) )
+            mbedtls_snprintf( buf, buflen, "PEM - PEM string is not as expected" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PEM - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_ENC_IV) )
+            mbedtls_snprintf( buf, buflen, "PEM - RSA IV is not in hex-format" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG) )
+            mbedtls_snprintf( buf, buflen, "PEM - Unsupported key encryption algorithm" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "PEM - Private key password can't be empty" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PEM - Given private key password does not allow for correct decryption" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PEM - Unavailable feature, e.g. hashing/encryption combination" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PEM - Bad input parameters to function" );
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_PK_C)
+        if( use_ret == -(MBEDTLS_ERR_PK_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PK - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_PK_TYPE_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
+        if( use_ret == -(MBEDTLS_ERR_PK_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PK - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PK_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "PK - Read/write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION) )
+            mbedtls_snprintf( buf, buflen, "PK - Unsupported key version" );
+        if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PK - Invalid key tag or value" );
+        if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG) )
+            mbedtls_snprintf( buf, buflen, "PK - Key algorithm is unsupported (only RSA and EC are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "PK - Private key password can't be empty" );
+        if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - Given private key password does not allow for correct decryption" );
+        if( use_ret == -(MBEDTLS_ERR_PK_INVALID_PUBKEY) )
+            mbedtls_snprintf( buf, buflen, "PK - The pubkey tag or value is invalid (only RSA and EC are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_INVALID_ALG) )
+            mbedtls_snprintf( buf, buflen, "PK - The algorithm tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE) )
+            mbedtls_snprintf( buf, buflen, "PK - Elliptic curve is unsupported (only NIST curves are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
+        if( use_ret == -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - The buffer contains a valid signature followed by more data" );
+        if( use_ret == -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PK - PK hardware accelerator failed" );
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - PBE ASN.1 data not as expected" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS12_C */
+
+#if defined(MBEDTLS_PKCS5_C)
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Unexpected ASN.1 data" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Requested encryption or digest alg not available" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS5_C */
+
+#if defined(MBEDTLS_RSA_C)
+        if( use_ret == -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "RSA - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_INVALID_PADDING) )
+            mbedtls_snprintf( buf, buflen, "RSA - Input data contains invalid padding and is rejected" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - Something failed during generation of a key" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - Key failed to pass the validity check of the library" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The public key operation failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_PRIVATE_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The private key operation failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The PKCS#1 verification failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE) )
+            mbedtls_snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) )
+            mbedtls_snprintf( buf, buflen, "RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SSL_TLS_C)
+        if( use_ret == -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "SSL - The requested feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "SSL - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_MAC) )
+            mbedtls_snprintf( buf, buflen, "SSL - Verification of the message MAC failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_RECORD) )
+            mbedtls_snprintf( buf, buflen, "SSL - An invalid SSL record was received" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CONN_EOF) )
+            mbedtls_snprintf( buf, buflen, "SSL - The connection indicated an EOF" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER) )
+            mbedtls_snprintf( buf, buflen, "SSL - An unknown cipher was received" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN) )
+            mbedtls_snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_RNG) )
+            mbedtls_snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) )
+            mbedtls_snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - The own private key or pre-shared key is not set, but needed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - No CA Chain is set, but required to operate" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - An unexpected message was received from our peer" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE) )
+        {
+            mbedtls_snprintf( buf, buflen, "SSL - A fatal alert message was received from our peer" );
+            return;
+        }
+        if( use_ret == -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Verification of our peer failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) )
+            mbedtls_snprintf( buf, buflen, "SSL - The peer notified us that the connection is going to be closed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientHello handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHello handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the Certificate handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function returned with error" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
+            mbedtls_snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Session ticket has expired" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) )
+            mbedtls_snprintf( buf, buflen, "SSL - Unknown identity received (eg, PSK identity)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INTERNAL_ERROR) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING) )
+            mbedtls_snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - DTLS client must retry for hello verification" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
+            mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
+            mbedtls_snprintf( buf, buflen, "SSL - No data of requested type currently available on underlying transport" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
+            mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT) )
+            mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
+            mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
+            mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+        if( use_ret == -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_OID) )
+            mbedtls_snprintf( buf, buflen, "X509 - Requested OID is unknown" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_VERSION) )
+            mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR version element is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SERIAL) )
+            mbedtls_snprintf( buf, buflen, "X509 - The serial tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_ALG) )
+            mbedtls_snprintf( buf, buflen, "X509 - The algorithm tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_NAME) )
+            mbedtls_snprintf( buf, buflen, "X509 - The name tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_DATE) )
+            mbedtls_snprintf( buf, buflen, "X509 - The date tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SIGNATURE) )
+            mbedtls_snprintf( buf, buflen, "X509 - The signature tag or value invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS) )
+            mbedtls_snprintf( buf, buflen, "X509 - The extension tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_VERSION) )
+            mbedtls_snprintf( buf, buflen, "X509 - CRT/CRL/CSR has an unsupported version number" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG) )
+            mbedtls_snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
+        if( use_ret == -(MBEDTLS_ERR_X509_SIG_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
+        if( use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
+        if( use_ret == -(MBEDTLS_ERR_X509_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "X509 - Input invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "X509 - Allocation of memory failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too small" );
+        if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
+            mbedtls_snprintf( buf, buflen, "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+        // END generated code
+
+        if( strlen( buf ) == 0 )
+            mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
+    }
+
+    use_ret = ret & ~0xFF80;
+
+    if( use_ret == 0 )
+        return;
+
+    // If high level code is present, make a concatenation between both
+    // error strings.
+    //
+    len = strlen( buf );
+
+    if( len > 0 )
+    {
+        if( buflen - len < 5 )
+            return;
+
+        mbedtls_snprintf( buf + len, buflen - len, " : " );
+
+        buf += len + 3;
+        buflen -= len + 3;
+    }
+
+    // Low level error codes
+    //
+    // BEGIN generated code
+#if defined(MBEDTLS_AES_C)
+    if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid key length" );
+    if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_AES_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid input data" );
+    if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" );
+    if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "AES - AES hardware accelerator failed" );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+    if( use_ret == -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" );
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_ARIA_C)
+    if( use_ret == -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Bad input data" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Feature not available. For example, an unsupported ARIA key size" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ARIA - ARIA hardware accelerator failed" );
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - ASN1 tag was of an unexpected value" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Error when trying to determine the length or invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Actual length differs from expected length" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_DATA) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Data is invalid. (not used)" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_ALLOC_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Memory allocation failed" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Buffer too small when writing ASN.1 data structure" );
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_BASE64_C)
+    if( use_ret == -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "BASE64 - Output buffer too small" );
+    if( use_ret == -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER) )
+        mbedtls_snprintf( buf, buflen, "BASE64 - Invalid character in input" );
+#endif /* MBEDTLS_BASE64_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+    if( use_ret == -(MBEDTLS_ERR_MPI_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - An error occurred while reading from or writing to a file" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - Bad input parameters to function" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_INVALID_CHARACTER) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - There is an invalid character in the digit string" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The buffer is too small to write to" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are negative or result in illegal output" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input argument for division is zero, which is not allowed" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are not acceptable" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_ALLOC_FAILED) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - Memory allocation failed" );
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Bad input data" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed" );
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Bad input data" );
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Camellia hardware accelerator failed" );
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_CCM_C)
+    if( use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT) )
+        mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to the function" );
+    if( use_ret == -(MBEDTLS_ERR_CCM_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CCM - Authenticated decryption failed" );
+    if( use_ret == -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Invalid input parameter(s)" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Feature not available. For example, s part of the API is not implemented" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Chacha20 hardware accelerator failed" );
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE) )
+        mbedtls_snprintf( buf, buflen, "CHACHAPOLY - The requested operation is not permitted in the current state" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CMAC_C)
+    if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The requested random buffer length is too big" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The input (entropy + additional data) is too large" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - Read or write error in file" );
+#endif /* MBEDTLS_CTR_DRBG_C */
+
+#if defined(MBEDTLS_DES_C)
+    if( use_ret == -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "DES - The data input has an invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "DES - DES hardware accelerator failed" );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ENTROPY_C)
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - Critical entropy source failure" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No more sources can be added" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No sources have been added to poll" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No strong sources have been added to poll" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - Read/write error in file" );
+#endif /* MBEDTLS_ENTROPY_C */
+
+#if defined(MBEDTLS_GCM_C)
+    if( use_ret == -(MBEDTLS_ERR_GCM_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "GCM - Authenticated decryption failed" );
+    if( use_ret == -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "GCM - GCM hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_GCM_BAD_INPUT) )
+        mbedtls_snprintf( buf, buflen, "GCM - Bad input parameters to function" );
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_HKDF_C)
+    if( use_ret == -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "HKDF - Bad input parameters to function" );
+#endif /* MBEDTLS_HKDF_C */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Too many random requested in single call" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Input too large (Entropy + additional)" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Read/write error in file" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - The entropy source failed" );
+#endif /* MBEDTLS_HMAC_DRBG_C */
+
+#if defined(MBEDTLS_MD2_C)
+    if( use_ret == -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD2 - MD2 hardware accelerator failed" );
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+    if( use_ret == -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD4 - MD4 hardware accelerator failed" );
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+    if( use_ret == -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" );
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_NET_C)
+    if( use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Failed to open a socket" );
+    if( use_ret == -(MBEDTLS_ERR_NET_CONNECT_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - The connection to the given server / port failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BIND_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Binding of the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_LISTEN_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Could not listen on the socket" );
+    if( use_ret == -(MBEDTLS_ERR_NET_ACCEPT_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Could not accept the incoming connection" );
+    if( use_ret == -(MBEDTLS_ERR_NET_RECV_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Reading information from the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_SEND_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) )
+        mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" );
+    if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) )
+        mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "NET - Buffer is too small to hold the data" );
+    if( use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT) )
+        mbedtls_snprintf( buf, buflen, "NET - The context is invalid, eg because it was free()ed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_POLL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Polling the net context failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "NET - Input invalid" );
+#endif /* MBEDTLS_NET_C */
+
+#if defined(MBEDTLS_OID_C)
+    if( use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND) )
+        mbedtls_snprintf( buf, buflen, "OID - OID is not found" );
+    if( use_ret == -(MBEDTLS_ERR_OID_BUF_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "OID - output buffer is too small" );
+#endif /* MBEDTLS_OID_C */
+
+#if defined(MBEDTLS_PADLOCK_C)
+    if( use_ret == -(MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED) )
+        mbedtls_snprintf( buf, buflen, "PADLOCK - Input data should be aligned" );
+#endif /* MBEDTLS_PADLOCK_C */
+
+#if defined(MBEDTLS_PLATFORM_C)
+    if( use_ret == -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "PLATFORM - Hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED) )
+        mbedtls_snprintf( buf, buflen, "PLATFORM - The requested feature is not supported by the platform" );
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if defined(MBEDTLS_POLY1305_C)
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Invalid input parameter(s)" );
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Feature not available. For example, s part of the API is not implemented" );
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Poly1305 hardware accelerator failed" );
+#endif /* MBEDTLS_POLY1305_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+    if( use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed" );
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 input data was malformed" );
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 input data was malformed" );
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 input data was malformed" );
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_THREADING_C)
+    if( use_ret == -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "THREADING - The selected feature is not available" );
+    if( use_ret == -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "THREADING - Bad input parameters to function" );
+    if( use_ret == -(MBEDTLS_ERR_THREADING_MUTEX_ERROR) )
+        mbedtls_snprintf( buf, buflen, "THREADING - Locking / unlocking / free failed with error code" );
+#endif /* MBEDTLS_THREADING_C */
+
+#if defined(MBEDTLS_XTEA_C)
+    if( use_ret == -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "XTEA - The data input has an invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "XTEA - XTEA hardware accelerator failed" );
+#endif /* MBEDTLS_XTEA_C */
+    // END generated code
+
+    if( strlen( buf ) != 0 )
+        return;
+
+    mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
+}
+
+#else /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+
+/*
+ * Provide an non-function in case MBEDTLS_ERROR_C is not defined
+ */
+void mbedtls_strerror( int ret, char *buf, size_t buflen )
+{
+    ((void) ret);
+
+    if( buflen > 0 )
+        buf[0] = '\0';
+}
+
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+
+#endif /* MBEDTLS_ERROR_C */
diff --git a/ctrtool/deps/libmbedtls/src/gcm.c b/ctrtool/deps/libmbedtls/src/gcm.c
new file mode 100644
index 00000000..675926a5
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/gcm.c
@@ -0,0 +1,994 @@
+/*
+ *  NIST SP800-38D compliant GCM implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+ *
+ * See also:
+ * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ *
+ * We use the algorithm described as Shoup's method with 4-bit tables in
+ * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+
+#include "mbedtls/gcm.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_C)
+#include "mbedtls/aesni.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/* Parameter validation macros */
+#define GCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT )
+#define GCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+/*
+ * Initialize a context
+ */
+void mbedtls_gcm_init( mbedtls_gcm_context *ctx )
+{
+    GCM_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_gcm_context ) );
+}
+
+/*
+ * Precompute small multiples of H, that is set
+ *      HH[i] || HL[i] = H times i,
+ * where i is seen as a field element as in [MGV], ie high-order bits
+ * correspond to low powers of P. The result is stored in the same way, that
+ * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
+ * corresponds to P^127.
+ */
+static int gcm_gen_table( mbedtls_gcm_context *ctx )
+{
+    int ret, i, j;
+    uint64_t hi, lo;
+    uint64_t vl, vh;
+    unsigned char h[16];
+    size_t olen = 0;
+
+    memset( h, 0, 16 );
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 )
+        return( ret );
+
+    /* pack h as two 64-bits ints, big-endian */
+    GET_UINT32_BE( hi, h,  0  );
+    GET_UINT32_BE( lo, h,  4  );
+    vh = (uint64_t) hi << 32 | lo;
+
+    GET_UINT32_BE( hi, h,  8  );
+    GET_UINT32_BE( lo, h,  12 );
+    vl = (uint64_t) hi << 32 | lo;
+
+    /* 8 = 1000 corresponds to 1 in GF(2^128) */
+    ctx->HL[8] = vl;
+    ctx->HH[8] = vh;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    /* With CLMUL support, we need only h, not the rest of the table */
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) )
+        return( 0 );
+#endif
+
+    /* 0 corresponds to 0 in GF(2^128) */
+    ctx->HH[0] = 0;
+    ctx->HL[0] = 0;
+
+    for( i = 4; i > 0; i >>= 1 )
+    {
+        uint32_t T = ( vl & 1 ) * 0xe1000000U;
+        vl  = ( vh << 63 ) | ( vl >> 1 );
+        vh  = ( vh >> 1 ) ^ ( (uint64_t) T << 32);
+
+        ctx->HL[i] = vl;
+        ctx->HH[i] = vh;
+    }
+
+    for( i = 2; i <= 8; i *= 2 )
+    {
+        uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
+        vh = *HiH;
+        vl = *HiL;
+        for( j = 1; j < i; j++ )
+        {
+            HiH[j] = vh ^ ctx->HH[j];
+            HiL[j] = vl ^ ctx->HL[j];
+        }
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( key != NULL );
+    GCM_VALIDATE_RET( keybits == 128 || keybits == 192 || keybits == 256 );
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = gcm_gen_table( ctx ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Shoup's method for multiplication use this table with
+ *      last4[x] = x times P^128
+ * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
+ */
+static const uint64_t last4[16] =
+{
+    0x0000, 0x1c20, 0x3840, 0x2460,
+    0x7080, 0x6ca0, 0x48c0, 0x54e0,
+    0xe100, 0xfd20, 0xd940, 0xc560,
+    0x9180, 0x8da0, 0xa9c0, 0xb5e0
+};
+
+/*
+ * Sets output to x times H using the precomputed tables.
+ * x and output are seen as elements of GF(2^128) as in [MGV].
+ */
+static void gcm_mult( mbedtls_gcm_context *ctx, const unsigned char x[16],
+                      unsigned char output[16] )
+{
+    int i = 0;
+    unsigned char lo, hi, rem;
+    uint64_t zh, zl;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) {
+        unsigned char h[16];
+
+        PUT_UINT32_BE( ctx->HH[8] >> 32, h,  0 );
+        PUT_UINT32_BE( ctx->HH[8],       h,  4 );
+        PUT_UINT32_BE( ctx->HL[8] >> 32, h,  8 );
+        PUT_UINT32_BE( ctx->HL[8],       h, 12 );
+
+        mbedtls_aesni_gcm_mult( output, x, h );
+        return;
+    }
+#endif /* MBEDTLS_AESNI_C && MBEDTLS_HAVE_X86_64 */
+
+    lo = x[15] & 0xf;
+
+    zh = ctx->HH[lo];
+    zl = ctx->HL[lo];
+
+    for( i = 15; i >= 0; i-- )
+    {
+        lo = x[i] & 0xf;
+        hi = x[i] >> 4;
+
+        if( i != 15 )
+        {
+            rem = (unsigned char) zl & 0xf;
+            zl = ( zh << 60 ) | ( zl >> 4 );
+            zh = ( zh >> 4 );
+            zh ^= (uint64_t) last4[rem] << 48;
+            zh ^= ctx->HH[lo];
+            zl ^= ctx->HL[lo];
+
+        }
+
+        rem = (unsigned char) zl & 0xf;
+        zl = ( zh << 60 ) | ( zl >> 4 );
+        zh = ( zh >> 4 );
+        zh ^= (uint64_t) last4[rem] << 48;
+        zh ^= ctx->HH[hi];
+        zl ^= ctx->HL[hi];
+    }
+
+    PUT_UINT32_BE( zh >> 32, output, 0 );
+    PUT_UINT32_BE( zh, output, 4 );
+    PUT_UINT32_BE( zl >> 32, output, 8 );
+    PUT_UINT32_BE( zl, output, 12 );
+}
+
+int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
+                int mode,
+                const unsigned char *iv,
+                size_t iv_len,
+                const unsigned char *add,
+                size_t add_len )
+{
+    int ret;
+    unsigned char work_buf[16];
+    size_t i;
+    const unsigned char *p;
+    size_t use_len, olen = 0;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+
+    /* IV and AD are limited to 2^64 bits, so 2^61 bytes */
+    /* IV is not allowed to be zero length */
+    if( iv_len == 0 ||
+      ( (uint64_t) iv_len  ) >> 61 != 0 ||
+      ( (uint64_t) add_len ) >> 61 != 0 )
+    {
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+    }
+
+    memset( ctx->y, 0x00, sizeof(ctx->y) );
+    memset( ctx->buf, 0x00, sizeof(ctx->buf) );
+
+    ctx->mode = mode;
+    ctx->len = 0;
+    ctx->add_len = 0;
+
+    if( iv_len == 12 )
+    {
+        memcpy( ctx->y, iv, iv_len );
+        ctx->y[15] = 1;
+    }
+    else
+    {
+        memset( work_buf, 0x00, 16 );
+        PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
+
+        p = iv;
+        while( iv_len > 0 )
+        {
+            use_len = ( iv_len < 16 ) ? iv_len : 16;
+
+            for( i = 0; i < use_len; i++ )
+                ctx->y[i] ^= p[i];
+
+            gcm_mult( ctx, ctx->y, ctx->y );
+
+            iv_len -= use_len;
+            p += use_len;
+        }
+
+        for( i = 0; i < 16; i++ )
+            ctx->y[i] ^= work_buf[i];
+
+        gcm_mult( ctx, ctx->y, ctx->y );
+    }
+
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->base_ectr,
+                             &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ctx->add_len = add_len;
+    p = add;
+    while( add_len > 0 )
+    {
+        use_len = ( add_len < 16 ) ? add_len : 16;
+
+        for( i = 0; i < use_len; i++ )
+            ctx->buf[i] ^= p[i];
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        add_len -= use_len;
+        p += use_len;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
+                size_t length,
+                const unsigned char *input,
+                unsigned char *output )
+{
+    int ret;
+    unsigned char ectr[16];
+    size_t i;
+    const unsigned char *p;
+    unsigned char *out_p = output;
+    size_t use_len, olen = 0;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( output > input && (size_t) ( output - input ) < length )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+     * Also check for possible overflow */
+    if( ctx->len + length < ctx->len ||
+        (uint64_t) ctx->len + length > 0xFFFFFFFE0ull )
+    {
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+    }
+
+    ctx->len += length;
+
+    p = input;
+    while( length > 0 )
+    {
+        use_len = ( length < 16 ) ? length : 16;
+
+        for( i = 16; i > 12; i-- )
+            if( ++ctx->y[i - 1] != 0 )
+                break;
+
+        if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ectr,
+                                   &olen ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        for( i = 0; i < use_len; i++ )
+        {
+            if( ctx->mode == MBEDTLS_GCM_DECRYPT )
+                ctx->buf[i] ^= p[i];
+            out_p[i] = ectr[i] ^ p[i];
+            if( ctx->mode == MBEDTLS_GCM_ENCRYPT )
+                ctx->buf[i] ^= out_p[i];
+        }
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        length -= use_len;
+        p += use_len;
+        out_p += use_len;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
+                unsigned char *tag,
+                size_t tag_len )
+{
+    unsigned char work_buf[16];
+    size_t i;
+    uint64_t orig_len;
+    uint64_t orig_add_len;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+
+    orig_len = ctx->len * 8;
+    orig_add_len = ctx->add_len * 8;
+
+    if( tag_len > 16 || tag_len < 4 )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    memcpy( tag, ctx->base_ectr, tag_len );
+
+    if( orig_len || orig_add_len )
+    {
+        memset( work_buf, 0x00, 16 );
+
+        PUT_UINT32_BE( ( orig_add_len >> 32 ), work_buf, 0  );
+        PUT_UINT32_BE( ( orig_add_len       ), work_buf, 4  );
+        PUT_UINT32_BE( ( orig_len     >> 32 ), work_buf, 8  );
+        PUT_UINT32_BE( ( orig_len           ), work_buf, 12 );
+
+        for( i = 0; i < 16; i++ )
+            ctx->buf[i] ^= work_buf[i];
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        for( i = 0; i < tag_len; i++ )
+            tag[i] ^= ctx->buf[i];
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
+                       int mode,
+                       size_t length,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t tag_len,
+                       unsigned char *tag )
+{
+    int ret;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+
+    if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len, add, add_len ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_gcm_update( ctx, length, input, output ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_gcm_finish( ctx, tag, tag_len ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
+                      size_t length,
+                      const unsigned char *iv,
+                      size_t iv_len,
+                      const unsigned char *add,
+                      size_t add_len,
+                      const unsigned char *tag,
+                      size_t tag_len,
+                      const unsigned char *input,
+                      unsigned char *output )
+{
+    int ret;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( ( ret = mbedtls_gcm_crypt_and_tag( ctx, MBEDTLS_GCM_DECRYPT, length,
+                                   iv, iv_len, add, add_len,
+                                   input, output, tag_len, check_tag ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_platform_zeroize( output, length );
+        return( MBEDTLS_ERR_GCM_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+void mbedtls_gcm_free( mbedtls_gcm_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_gcm_context ) );
+}
+
+#endif /* !MBEDTLS_GCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * AES-GCM test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
+ */
+#define MAX_TESTS   6
+
+static const int key_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char key[MAX_TESTS][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+      0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
+};
+
+static const size_t iv_len[MAX_TESTS] =
+    { 12, 12, 12, 12, 8, 60 };
+
+static const int iv_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 2 };
+
+static const unsigned char iv[MAX_TESTS][64] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00 },
+    { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+      0xde, 0xca, 0xf8, 0x88 },
+    { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+      0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+      0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+      0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+      0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+      0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+      0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+      0xa6, 0x37, 0xb3, 0x9b },
+};
+
+static const size_t add_len[MAX_TESTS] =
+    { 0, 0, 0, 20, 20, 20 };
+
+static const int add_index[MAX_TESTS] =
+    { 0, 0, 0, 1, 1, 1 };
+
+static const unsigned char additional[MAX_TESTS][64] =
+{
+    { 0x00 },
+    { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+      0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+      0xab, 0xad, 0xda, 0xd2 },
+};
+
+static const size_t pt_len[MAX_TESTS] =
+    { 0, 16, 64, 60, 60, 60 };
+
+static const int pt_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char pt[MAX_TESTS][64] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+      0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+      0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+      0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+      0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+      0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+      0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+      0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
+};
+
+static const unsigned char ct[MAX_TESTS * 3][64] =
+{
+    { 0x00 },
+    { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
+      0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
+    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+      0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
+    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+      0x3d, 0x58, 0xe0, 0x91 },
+    { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
+      0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
+      0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
+      0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
+      0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
+      0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
+      0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
+      0xc2, 0x3f, 0x45, 0x98 },
+    { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
+      0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
+      0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
+      0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
+      0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
+      0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
+      0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
+      0x4c, 0x34, 0xae, 0xe5 },
+    { 0x00 },
+    { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
+      0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
+    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+      0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
+    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+      0xcc, 0xda, 0x27, 0x10 },
+    { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
+      0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
+      0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
+      0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
+      0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
+      0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
+      0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
+      0xa0, 0xf0, 0x62, 0xf7 },
+    { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+      0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+      0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+      0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+      0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+      0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+      0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+      0xe9, 0xb7, 0x37, 0x3b },
+    { 0x00 },
+    { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+      0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
+    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+      0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
+    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+      0xbc, 0xc9, 0xf6, 0x62 },
+    { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
+      0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
+      0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
+      0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
+      0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
+      0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
+      0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
+      0xf4, 0x7c, 0x9b, 0x1f },
+    { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
+      0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
+      0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
+      0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
+      0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
+      0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
+      0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
+      0x44, 0xae, 0x7e, 0x3f },
+};
+
+static const unsigned char tag[MAX_TESTS * 3][16] =
+{
+    { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
+      0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
+    { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
+      0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
+    { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+      0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
+    { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+      0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
+    { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
+      0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
+    { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
+      0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
+    { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
+      0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
+    { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
+      0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
+    { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
+      0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
+    { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
+      0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
+    { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
+      0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
+    { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+      0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
+    { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
+      0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
+    { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
+      0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
+    { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
+      0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
+    { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
+      0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
+    { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
+      0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
+    { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
+      0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
+};
+
+int mbedtls_gcm_self_test( int verbose )
+{
+    mbedtls_gcm_context ctx;
+    unsigned char buf[64];
+    unsigned char tag_buf[16];
+    int i, j, ret;
+    mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
+
+    for( j = 0; j < 3; j++ )
+    {
+        int key_len = 128 + 64 * j;
+
+        for( i = 0; i < MAX_TESTS; i++ )
+        {
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d (%s): ",
+                                key_len, i, "enc" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            /*
+             * AES-192 is an optional feature that may be unavailable when
+             * there is an alternative underlying implementation i.e. when
+             * MBEDTLS_AES_ALT is defined.
+             */
+            if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && key_len == 192 )
+            {
+                mbedtls_printf( "skipped\n" );
+                break;
+            }
+            else if( ret != 0 )
+            {
+                goto exit;
+            }
+
+            ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT,
+                                        pt_len[i],
+                                        iv[iv_index[i]], iv_len[i],
+                                        additional[add_index[i]], add_len[i],
+                                        pt[pt_index[i]], buf, 16, tag_buf );
+            if( ret != 0 )
+                goto exit;
+
+            if ( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
+                 memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d (%s): ",
+                                key_len, i, "dec" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT,
+                                        pt_len[i],
+                                        iv[iv_index[i]], iv_len[i],
+                                        additional[add_index[i]], add_len[i],
+                                        ct[j * 6 + i], buf, 16, tag_buf );
+
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d split (%s): ",
+                                key_len, i, "enc" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT,
+                                      iv[iv_index[i]], iv_len[i],
+                                      additional[add_index[i]], add_len[i] );
+            if( ret != 0 )
+                goto exit;
+
+            if( pt_len[i] > 32 )
+            {
+                size_t rest_len = pt_len[i] - 32;
+                ret = mbedtls_gcm_update( &ctx, 32, pt[pt_index[i]], buf );
+                if( ret != 0 )
+                    goto exit;
+
+                ret = mbedtls_gcm_update( &ctx, rest_len, pt[pt_index[i]] + 32,
+                                  buf + 32 );
+                if( ret != 0 )
+                    goto exit;
+            }
+            else
+            {
+                ret = mbedtls_gcm_update( &ctx, pt_len[i], pt[pt_index[i]], buf );
+                if( ret != 0 )
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d split (%s): ",
+                                key_len, i, "dec" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_DECRYPT,
+                              iv[iv_index[i]], iv_len[i],
+                              additional[add_index[i]], add_len[i] );
+            if( ret != 0 )
+                goto exit;
+
+            if( pt_len[i] > 32 )
+            {
+                size_t rest_len = pt_len[i] - 32;
+                ret = mbedtls_gcm_update( &ctx, 32, ct[j * 6 + i], buf );
+                if( ret != 0 )
+                    goto exit;
+
+                ret = mbedtls_gcm_update( &ctx, rest_len, ct[j * 6 + i] + 32,
+                                          buf + 32 );
+                if( ret != 0 )
+                    goto exit;
+            }
+            else
+            {
+                ret = mbedtls_gcm_update( &ctx, pt_len[i], ct[j * 6 + i],
+                                          buf );
+                if( ret != 0 )
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    ret = 0;
+
+exit:
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+        mbedtls_gcm_free( &ctx );
+    }
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_GCM_C */
diff --git a/ctrtool/deps/libmbedtls/src/havege.c b/ctrtool/deps/libmbedtls/src/havege.c
new file mode 100644
index 00000000..c139e1db
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/havege.c
@@ -0,0 +1,253 @@
+/**
+ *  \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The HAVEGE RNG was designed by Andre Seznec in 2002.
+ *
+ *  http://www.irisa.fr/caps/projects/hipsor/publi.php
+ *
+ *  Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+
+#include "mbedtls/havege.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/platform_util.h"
+
+#include <limits.h>
+#include <string.h>
+
+/* If int isn't capable of storing 2^32 distinct values, the code of this
+ * module may cause a processor trap or a miscalculation. If int is more
+ * than 32 bits, the code may not calculate the intended values. */
+#if INT_MIN + 1 != -0x7fffffff
+#error "The HAVEGE module requires int to be exactly 32 bits, with INT_MIN = -2^31."
+#endif
+#if UINT_MAX != 0xffffffff
+#error "The HAVEGE module requires unsigned to be exactly 32 bits."
+#endif
+
+/* ------------------------------------------------------------------------
+ * On average, one iteration accesses two 8-word blocks in the havege WALK
+ * table, and generates 16 words in the RES array.
+ *
+ * The data read in the WALK table is updated and permuted after each use.
+ * The result of the hardware clock counter read is used  for this update.
+ *
+ * 25 conditional tests are present.  The conditional tests are grouped in
+ * two nested  groups of 12 conditional tests and 1 test that controls the
+ * permutation; on average, there should be 6 tests executed and 3 of them
+ * should be mispredicted.
+ * ------------------------------------------------------------------------
+ */
+
+#define SWAP(X,Y) { unsigned *T = (X); (X) = (Y); (Y) = T; }
+
+#define TST1_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+#define TST2_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+
+#define TST1_LEAVE U1++; }
+#define TST2_LEAVE U2++; }
+
+#define ONE_ITERATION                                   \
+                                                        \
+    PTEST = PT1 >> 20;                                  \
+                                                        \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+                                                        \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+                                                        \
+    PTX = (PT1 >> 18) & 7;                              \
+    PT1 &= 0x1FFF;                                      \
+    PT2 &= 0x1FFF;                                      \
+    CLK = (unsigned) mbedtls_timing_hardclock();        \
+                                                        \
+    i = 0;                                              \
+    A = &WALK[PT1    ]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2    ]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 1]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 4]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (1)) ^ (*A << (31)) ^ CLK;              \
+    *A = (*B >> (2)) ^ (*B << (30)) ^ CLK;              \
+    *B = IN ^ U1;                                       \
+    *C = (*C >> (3)) ^ (*C << (29)) ^ CLK;              \
+    *D = (*D >> (4)) ^ (*D << (28)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 2]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 2]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 3]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 6]; RES[i++] ^= *D;                 \
+                                                        \
+    if( PTEST & 1 ) SWAP( A, C );                       \
+                                                        \
+    IN = (*A >> (5)) ^ (*A << (27)) ^ CLK;              \
+    *A = (*B >> (6)) ^ (*B << (26)) ^ CLK;              \
+    *B = IN; CLK = (unsigned) mbedtls_timing_hardclock(); \
+    *C = (*C >> (7)) ^ (*C << (25)) ^ CLK;              \
+    *D = (*D >> (8)) ^ (*D << (24)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 4];                                 \
+    B = &WALK[PT2 ^ 1];                                 \
+                                                        \
+    PTEST = PT2 >> 1;                                   \
+                                                        \
+    PT2 = (RES[(i - 8) ^ PTY] ^ WALK[PT2 ^ PTY ^ 7]);   \
+    PT2 = ((PT2 & 0x1FFF) & (~8)) ^ ((PT1 ^ 8) & 0x8);  \
+    PTY = (PT2 >> 10) & 7;                              \
+                                                        \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+                                                        \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+                                                        \
+    C = &WALK[PT1 ^ 5];                                 \
+    D = &WALK[PT2 ^ 5];                                 \
+                                                        \
+    RES[i++] ^= *A;                                     \
+    RES[i++] ^= *B;                                     \
+    RES[i++] ^= *C;                                     \
+    RES[i++] ^= *D;                                     \
+                                                        \
+    IN = (*A >> ( 9)) ^ (*A << (23)) ^ CLK;             \
+    *A = (*B >> (10)) ^ (*B << (22)) ^ CLK;             \
+    *B = IN ^ U2;                                       \
+    *C = (*C >> (11)) ^ (*C << (21)) ^ CLK;             \
+    *D = (*D >> (12)) ^ (*D << (20)) ^ CLK;             \
+                                                        \
+    A = &WALK[PT1 ^ 6]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 3]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 7]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 7]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (13)) ^ (*A << (19)) ^ CLK;             \
+    *A = (*B >> (14)) ^ (*B << (18)) ^ CLK;             \
+    *B = IN;                                            \
+    *C = (*C >> (15)) ^ (*C << (17)) ^ CLK;             \
+    *D = (*D >> (16)) ^ (*D << (16)) ^ CLK;             \
+                                                        \
+    PT1 = ( RES[( i - 8 ) ^ PTX] ^                      \
+            WALK[PT1 ^ PTX ^ 7] ) & (~1);               \
+    PT1 ^= (PT2 ^ 0x10) & 0x10;                         \
+                                                        \
+    for( n++, i = 0; i < 16; i++ )                      \
+        POOL[n % MBEDTLS_HAVEGE_COLLECT_SIZE] ^= RES[i];
+
+/*
+ * Entropy gathering function
+ */
+static void havege_fill( mbedtls_havege_state *hs )
+{
+    unsigned i, n = 0;
+    unsigned  U1,  U2, *A, *B, *C, *D;
+    unsigned PT1, PT2, *WALK, *POOL, RES[16];
+    unsigned PTX, PTY, CLK, PTEST, IN;
+
+    WALK = (unsigned *) hs->WALK;
+    POOL = (unsigned *) hs->pool;
+    PT1  = hs->PT1;
+    PT2  = hs->PT2;
+
+    PTX  = U1 = 0;
+    PTY  = U2 = 0;
+
+    (void)PTX;
+
+    memset( RES, 0, sizeof( RES ) );
+
+    while( n < MBEDTLS_HAVEGE_COLLECT_SIZE * 4 )
+    {
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+    }
+
+    hs->PT1 = PT1;
+    hs->PT2 = PT2;
+
+    hs->offset[0] = 0;
+    hs->offset[1] = MBEDTLS_HAVEGE_COLLECT_SIZE / 2;
+}
+
+/*
+ * HAVEGE initialization
+ */
+void mbedtls_havege_init( mbedtls_havege_state *hs )
+{
+    memset( hs, 0, sizeof( mbedtls_havege_state ) );
+
+    havege_fill( hs );
+}
+
+void mbedtls_havege_free( mbedtls_havege_state *hs )
+{
+    if( hs == NULL )
+        return;
+
+    mbedtls_platform_zeroize( hs, sizeof( mbedtls_havege_state ) );
+}
+
+/*
+ * HAVEGE rand function
+ */
+int mbedtls_havege_random( void *p_rng, unsigned char *buf, size_t len )
+{
+    int val;
+    size_t use_len;
+    mbedtls_havege_state *hs = (mbedtls_havege_state *) p_rng;
+    unsigned char *p = buf;
+
+    while( len > 0 )
+    {
+        use_len = len;
+        if( use_len > sizeof(int) )
+            use_len = sizeof(int);
+
+        if( hs->offset[1] >= MBEDTLS_HAVEGE_COLLECT_SIZE )
+            havege_fill( hs );
+
+        val  = hs->pool[hs->offset[0]++];
+        val ^= hs->pool[hs->offset[1]++];
+
+        memcpy( p, &val, use_len );
+
+        len -= use_len;
+        p += use_len;
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVEGE_C */
diff --git a/ctrtool/deps/libmbedtls/src/hkdf.c b/ctrtool/deps/libmbedtls/src/hkdf.c
new file mode 100644
index 00000000..82d8a429
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/hkdf.c
@@ -0,0 +1,192 @@
+/*
+ *  HKDF implementation -- RFC 5869
+ *
+ *  Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HKDF_C)
+
+#include <string.h>
+#include "mbedtls/hkdf.h"
+#include "mbedtls/platform_util.h"
+
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                  const unsigned char *info, size_t info_len,
+                  unsigned char *okm, size_t okm_len )
+{
+    int ret;
+    unsigned char prk[MBEDTLS_MD_MAX_SIZE];
+
+    ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, prk );
+
+    if( ret == 0 )
+    {
+        ret = mbedtls_hkdf_expand( md, prk, mbedtls_md_get_size( md ),
+                                   info, info_len, okm, okm_len );
+    }
+
+    mbedtls_platform_zeroize( prk, sizeof( prk ) );
+
+    return( ret );
+}
+
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+                          const unsigned char *salt, size_t salt_len,
+                          const unsigned char *ikm, size_t ikm_len,
+                          unsigned char *prk )
+{
+    unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
+
+    if( salt == NULL )
+    {
+        size_t hash_len;
+
+        if( salt_len != 0 )
+        {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        hash_len = mbedtls_md_get_size( md );
+
+        if( hash_len == 0 )
+        {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        salt = null_salt;
+        salt_len = hash_len;
+    }
+
+    return( mbedtls_md_hmac( md, salt, salt_len, ikm, ikm_len, prk ) );
+}
+
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+                         size_t prk_len, const unsigned char *info,
+                         size_t info_len, unsigned char *okm, size_t okm_len )
+{
+    size_t hash_len;
+    size_t where = 0;
+    size_t n;
+    size_t t_len = 0;
+    size_t i;
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    unsigned char t[MBEDTLS_MD_MAX_SIZE];
+
+    if( okm == NULL )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    hash_len = mbedtls_md_get_size( md );
+
+    if( prk_len < hash_len || hash_len == 0 )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    if( info == NULL )
+    {
+        info = (const unsigned char *) "";
+        info_len = 0;
+    }
+
+    n = okm_len / hash_len;
+
+    if( (okm_len % hash_len) != 0 )
+    {
+        n++;
+    }
+
+    /*
+     * Per RFC 5869 Section 2.3, okm_len must not exceed
+     * 255 times the hash length
+     */
+    if( n > 255 )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    mbedtls_md_init( &ctx );
+
+    if( (ret = mbedtls_md_setup( &ctx, md, 1) ) != 0 )
+    {
+        goto exit;
+    }
+
+    /*
+     * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+     * Where T(N) is defined in RFC 5869 Section 2.3
+     */
+    for( i = 1; i <= n; i++ )
+    {
+        size_t num_to_copy;
+        unsigned char c = i & 0xff;
+
+        ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update( &ctx, t, t_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update( &ctx, info, info_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        /* The constant concatenated to the end of each T(n) is a single octet.
+         * */
+        ret = mbedtls_md_hmac_update( &ctx, &c, 1 );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_finish( &ctx, t );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        num_to_copy = i != n ? hash_len : okm_len - where;
+        memcpy( okm + where, t, num_to_copy );
+        where += hash_len;
+        t_len = hash_len;
+    }
+
+exit:
+    mbedtls_md_free( &ctx );
+    mbedtls_platform_zeroize( t, sizeof( t ) );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_HKDF_C */
diff --git a/ctrtool/deps/libmbedtls/src/hmac_drbg.c b/ctrtool/deps/libmbedtls/src/hmac_drbg.c
new file mode 100644
index 00000000..284c9b4e
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/hmac_drbg.c
@@ -0,0 +1,625 @@
+/*
+ *  HMAC_DRBG implementation (NIST SP 800-90)
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The NIST SP 800-90A DRBGs are described in the following publication.
+ *  http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
+ *  References below are based on rev. 1 (January 2012).
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_SELF_TEST */
+#endif /* MBEDTLS_PLATFORM_C */
+
+/*
+ * HMAC_DRBG context initialization
+ */
+void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+/*
+ * HMAC_DRBG update, using optional additional data (10.1.2.2)
+ */
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+                                  const unsigned char *additional,
+                                  size_t add_len )
+{
+    size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
+    unsigned char rounds = ( additional != NULL && add_len != 0 ) ? 2 : 1;
+    unsigned char sep[1];
+    unsigned char K[MBEDTLS_MD_MAX_SIZE];
+    int ret;
+
+    for( sep[0] = 0; sep[0] < rounds; sep[0]++ )
+    {
+        /* Step 1 or 4 */
+        if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            sep, 1 ) ) != 0 )
+            goto exit;
+        if( rounds == 2 )
+        {
+            if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                                additional, add_len ) ) != 0 )
+            goto exit;
+        }
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, K ) ) != 0 )
+            goto exit;
+
+        /* Step 2 or 5 */
+        if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, K, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 )
+            goto exit;
+    }
+
+exit:
+    mbedtls_platform_zeroize( K, sizeof( K ) );
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
+                               const unsigned char *additional,
+                               size_t add_len )
+{
+    (void) mbedtls_hmac_drbg_update_ret( ctx, additional, add_len );
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
+ */
+int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
+                        const mbedtls_md_info_t * md_info,
+                        const unsigned char *data, size_t data_len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V,
+                                        mbedtls_md_get_size( md_info ) ) ) != 0 )
+        return( ret );
+    memset( ctx->V, 0x01, mbedtls_md_get_size( md_info ) );
+
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
+ */
+static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
+                                  const unsigned char *additional, size_t len,
+                                  int use_nonce )
+{
+    unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
+    size_t seedlen = 0;
+    int ret;
+
+    {
+        size_t total_entropy_len;
+
+        if( use_nonce == 0 )
+            total_entropy_len = ctx->entropy_len;
+        else
+            total_entropy_len = ctx->entropy_len * 3 / 2;
+
+        /* III. Check input length */
+        if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+            total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+        }
+    }
+
+    memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
+
+    /* IV. Gather entropy_len bytes of entropy for the seed */
+    if( ( ret = ctx->f_entropy( ctx->p_entropy,
+                                seed, ctx->entropy_len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+    seedlen += ctx->entropy_len;
+
+    /* For initial seeding, allow adding of nonce generated
+     * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+    if( use_nonce )
+    {
+        /* Note: We don't merge the two calls to f_entropy() in order
+         *       to avoid requesting too much entropy from f_entropy()
+         *       at once. Specifically, if the underlying digest is not
+         *       SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+         *       is larger than the maximum of 32 Bytes that our own
+         *       entropy source implementation can emit in a single
+         *       call in configurations disabling SHA-512. */
+        if( ( ret = ctx->f_entropy( ctx->p_entropy,
+                                    seed + seedlen,
+                                    ctx->entropy_len / 2 ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+        }
+
+        seedlen += ctx->entropy_len / 2;
+    }
+
+
+    /* 1. Concatenate entropy and additional data if any */
+    if( additional != NULL && len != 0 )
+    {
+        memcpy( seed + seedlen, additional, len );
+        seedlen += len;
+    }
+
+    /* 2. Update state */
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, seed, seedlen ) ) != 0 )
+        goto exit;
+
+    /* 3. Reset reseed_counter */
+    ctx->reseed_counter = 1;
+
+exit:
+    /* 4. Done */
+    mbedtls_platform_zeroize( seed, seedlen );
+    return( ret );
+}
+
+/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+                      const unsigned char *additional, size_t len )
+{
+    return( hmac_drbg_reseed_core( ctx, additional, len, 0 ) );
+}
+
+/*
+ * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
+ */
+int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
+                    const mbedtls_md_info_t * md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len )
+{
+    int ret;
+    size_t md_size;
+
+    if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    md_size = mbedtls_md_get_size( md_info );
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V, md_size ) ) != 0 )
+        return( ret );
+    memset( ctx->V, 0x01, md_size );
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+
+    if( ctx->entropy_len == 0 )
+    {
+        /*
+         * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+         * each hash function, then according to SP800-90A rev1 10.1 table 2,
+         * min_entropy_len (in bits) is security_strength.
+         *
+         * (This also matches the sizes used in the NIST test vectors.)
+         */
+        ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+                           md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+                           32;  /* better (256+) -> 256 bits */
+    }
+
+    if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
+                                       1 /* add nonce */ ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Set prediction resistance
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
+                                          int resistance )
+{
+    ctx->prediction_resistance = resistance;
+}
+
+/*
+ * Set entropy length grabbed for seeding
+ */
+void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
+{
+    ctx->entropy_len = len;
+}
+
+/*
+ * Set reseed interval
+ */
+void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, int interval )
+{
+    ctx->reseed_interval = interval;
+}
+
+/*
+ * HMAC_DRBG random function with optional additional data:
+ * 10.1.2.5 (arabic) + 9.3 (Roman)
+ */
+int mbedtls_hmac_drbg_random_with_add( void *p_rng,
+                               unsigned char *output, size_t out_len,
+                               const unsigned char *additional, size_t add_len )
+{
+    int ret;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+    size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
+    size_t left = out_len;
+    unsigned char *out = output;
+
+    /* II. Check request length */
+    if( out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST )
+        return( MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG );
+
+    /* III. Check input length */
+    if( add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT )
+        return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+
+    /* 1. (aka VII and IX) Check reseed counter and PR */
+    if( ctx->f_entropy != NULL && /* For no-reseeding instances */
+        ( ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
+          ctx->reseed_counter > ctx->reseed_interval ) )
+    {
+        if( ( ret = mbedtls_hmac_drbg_reseed( ctx, additional, add_len ) ) != 0 )
+            return( ret );
+
+        add_len = 0; /* VII.4 */
+    }
+
+    /* 2. Use additional data if any */
+    if( additional != NULL && add_len != 0 )
+    {
+        if( ( ret = mbedtls_hmac_drbg_update_ret( ctx,
+                                                  additional, add_len ) ) != 0 )
+            goto exit;
+    }
+
+    /* 3, 4, 5. Generate bytes */
+    while( left != 0 )
+    {
+        size_t use_len = left > md_len ? md_len : left;
+
+        if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 )
+            goto exit;
+
+        memcpy( out, ctx->V, use_len );
+        out += use_len;
+        left -= use_len;
+    }
+
+    /* 6. Update */
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx,
+                                              additional, add_len ) ) != 0 )
+        goto exit;
+
+    /* 7. Update reseed counter */
+    ctx->reseed_counter++;
+
+exit:
+    /* 8. Done */
+    return( ret );
+}
+
+/*
+ * HMAC_DRBG random function
+ */
+int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len )
+{
+    int ret;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = mbedtls_hmac_drbg_random_with_add( ctx, output, out_len, NULL, 0 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Free an HMAC_DRBG context
+ */
+void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+    mbedtls_md_free( &ctx->md_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
+{
+    int ret;
+    FILE *f;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_hmac_drbg_random( ctx, buf, sizeof( buf ) ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, sizeof( buf ), f ) != sizeof( buf ) )
+    {
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    fclose( f );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f = NULL;
+    size_t n;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+    unsigned char c;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+
+    n = fread( buf, 1, sizeof( buf ), f );
+    if( fread( &c, 1, 1, f ) != 0 )
+    {
+        ret = MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+        goto exit;
+    }
+    if( n == 0 || ferror( f ) )
+    {
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+    fclose( f );
+    f = NULL;
+
+    ret = mbedtls_hmac_drbg_update_ret( ctx, buf, n );
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    if( f != NULL )
+        fclose( f );
+    if( ret != 0 )
+        return( ret );
+    return( mbedtls_hmac_drbg_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_SHA1_C)
+/* Dummy checkup routine */
+int mbedtls_hmac_drbg_self_test( int verbose )
+{
+    (void) verbose;
+    return( 0 );
+}
+#else
+
+#define OUTPUT_LEN  80
+
+/* From a NIST PR=true test vector */
+static const unsigned char entropy_pr[] = {
+    0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
+    0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
+    0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
+    0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
+    0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4 };
+static const unsigned char result_pr[OUTPUT_LEN] = {
+    0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
+    0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
+    0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
+    0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
+    0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
+    0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
+    0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44 };
+
+/* From a NIST PR=false test vector */
+static const unsigned char entropy_nopr[] = {
+    0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
+    0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
+    0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
+    0xe9, 0x9d, 0xfe, 0xdf };
+static const unsigned char result_nopr[OUTPUT_LEN] = {
+    0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
+    0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
+    0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
+    0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
+    0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
+    0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
+    0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7 };
+
+/* "Entropy" from buffer */
+static size_t test_offset;
+static int hmac_drbg_self_test_entropy( void *data,
+                                        unsigned char *buf, size_t len )
+{
+    const unsigned char *p = data;
+    memcpy( buf, p + test_offset, len );
+    test_offset += len;
+    return( 0 );
+}
+
+#define CHK( c )    if( (c) != 0 )                          \
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+/*
+ * Checkup routine for HMAC_DRBG with SHA-1
+ */
+int mbedtls_hmac_drbg_self_test( int verbose )
+{
+    mbedtls_hmac_drbg_context ctx;
+    unsigned char buf[OUTPUT_LEN];
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+
+    mbedtls_hmac_drbg_init( &ctx );
+
+    /*
+     * PR = True
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  HMAC_DRBG (PR = True) : " );
+
+    test_offset = 0;
+    CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
+                         hmac_drbg_self_test_entropy, (void *) entropy_pr,
+                         NULL, 0 ) );
+    mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( memcmp( buf, result_pr, OUTPUT_LEN ) );
+    mbedtls_hmac_drbg_free( &ctx );
+
+    mbedtls_hmac_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    /*
+     * PR = False
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  HMAC_DRBG (PR = False) : " );
+
+    mbedtls_hmac_drbg_init( &ctx );
+
+    test_offset = 0;
+    CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
+                         hmac_drbg_self_test_entropy, (void *) entropy_nopr,
+                         NULL, 0 ) );
+    CHK( mbedtls_hmac_drbg_reseed( &ctx, NULL, 0 ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) );
+    mbedtls_hmac_drbg_free( &ctx );
+
+    mbedtls_hmac_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_HMAC_DRBG_C */
diff --git a/ctrtool/deps/libmbedtls/src/md.c b/ctrtool/deps/libmbedtls/src/md.c
new file mode 100644
index 00000000..303cdcbe
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/md.c
@@ -0,0 +1,475 @@
+/**
+ * \file mbedtls_md.c
+ *
+ * \brief Generic message digest wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD_C)
+
+#include "mbedtls/md.h"
+#include "mbedtls/md_internal.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/*
+ * Reminder: update profiles in x509_crt.c when adding a new hash!
+ */
+static const int supported_digests[] = {
+
+#if defined(MBEDTLS_SHA512_C)
+        MBEDTLS_MD_SHA512,
+        MBEDTLS_MD_SHA384,
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+        MBEDTLS_MD_SHA256,
+        MBEDTLS_MD_SHA224,
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+        MBEDTLS_MD_SHA1,
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+        MBEDTLS_MD_RIPEMD160,
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+        MBEDTLS_MD_MD5,
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+        MBEDTLS_MD_MD4,
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+        MBEDTLS_MD_MD2,
+#endif
+
+        MBEDTLS_MD_NONE
+};
+
+const int *mbedtls_md_list( void )
+{
+    return( supported_digests );
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name )
+{
+    if( NULL == md_name )
+        return( NULL );
+
+    /* Get the appropriate digest information */
+#if defined(MBEDTLS_MD2_C)
+    if( !strcmp( "MD2", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD2 );
+#endif
+#if defined(MBEDTLS_MD4_C)
+    if( !strcmp( "MD4", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD4 );
+#endif
+#if defined(MBEDTLS_MD5_C)
+    if( !strcmp( "MD5", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD5 );
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+    if( !strcmp( "RIPEMD160", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_RIPEMD160 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+    if( !strcmp( "SHA1", md_name ) || !strcmp( "SHA", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( !strcmp( "SHA224", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA224 );
+    if( !strcmp( "SHA256", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    if( !strcmp( "SHA384", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA384 );
+    if( !strcmp( "SHA512", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA512 );
+#endif
+    return( NULL );
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type )
+{
+    switch( md_type )
+    {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return( &mbedtls_md2_info );
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return( &mbedtls_md4_info );
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return( &mbedtls_md5_info );
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return( &mbedtls_ripemd160_info );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return( &mbedtls_sha1_info );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return( &mbedtls_sha224_info );
+        case MBEDTLS_MD_SHA256:
+            return( &mbedtls_sha256_info );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return( &mbedtls_sha384_info );
+        case MBEDTLS_MD_SHA512:
+            return( &mbedtls_sha512_info );
+#endif
+        default:
+            return( NULL );
+    }
+}
+
+void mbedtls_md_init( mbedtls_md_context_t *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md_context_t ) );
+}
+
+void mbedtls_md_free( mbedtls_md_context_t *ctx )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return;
+
+    if( ctx->md_ctx != NULL )
+        ctx->md_info->ctx_free_func( ctx->md_ctx );
+
+    if( ctx->hmac_ctx != NULL )
+    {
+        mbedtls_platform_zeroize( ctx->hmac_ctx,
+                                  2 * ctx->md_info->block_size );
+        mbedtls_free( ctx->hmac_ctx );
+    }
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md_context_t ) );
+}
+
+int mbedtls_md_clone( mbedtls_md_context_t *dst,
+                      const mbedtls_md_context_t *src )
+{
+    if( dst == NULL || dst->md_info == NULL ||
+        src == NULL || src->md_info == NULL ||
+        dst->md_info != src->md_info )
+    {
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+    }
+
+    dst->md_info->clone_func( dst->md_ctx, src->md_ctx );
+
+    return( 0 );
+}
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info )
+{
+    return mbedtls_md_setup( ctx, md_info, 1 );
+}
+#endif
+
+int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac )
+{
+    if( md_info == NULL || ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( ( ctx->md_ctx = md_info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_MD_ALLOC_FAILED );
+
+    if( hmac != 0 )
+    {
+        ctx->hmac_ctx = mbedtls_calloc( 2, md_info->block_size );
+        if( ctx->hmac_ctx == NULL )
+        {
+            md_info->ctx_free_func( ctx->md_ctx );
+            return( MBEDTLS_ERR_MD_ALLOC_FAILED );
+        }
+    }
+
+    ctx->md_info = md_info;
+
+    return( 0 );
+}
+
+int mbedtls_md_starts( mbedtls_md_context_t *ctx )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->starts_func( ctx->md_ctx ) );
+}
+
+int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) );
+}
+
+int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->finish_func( ctx->md_ctx, output ) );
+}
+
+int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+            unsigned char *output )
+{
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( md_info->digest_func( input, ilen, output ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigned char *output )
+{
+    int ret;
+    FILE *f;
+    size_t n;
+    mbedtls_md_context_t ctx;
+    unsigned char buf[1024];
+
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_MD_FILE_IO_ERROR );
+
+    mbedtls_md_init( &ctx );
+
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
+        goto cleanup;
+
+    if( ( ret = md_info->starts_func( ctx.md_ctx ) ) != 0 )
+        goto cleanup;
+
+    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
+        if( ( ret = md_info->update_func( ctx.md_ctx, buf, n ) ) != 0 )
+            goto cleanup;
+
+    if( ferror( f ) != 0 )
+        ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
+    else
+        ret = md_info->finish_func( ctx.md_ctx, output );
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    fclose( f );
+    mbedtls_md_free( &ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen )
+{
+    int ret;
+    unsigned char sum[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *ipad, *opad;
+    size_t i;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( keylen > (size_t) ctx->md_info->block_size )
+    {
+        if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+            goto cleanup;
+        if( ( ret = ctx->md_info->update_func( ctx->md_ctx, key, keylen ) ) != 0 )
+            goto cleanup;
+        if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, sum ) ) != 0 )
+            goto cleanup;
+
+        keylen = ctx->md_info->size;
+        key = sum;
+    }
+
+    ipad = (unsigned char *) ctx->hmac_ctx;
+    opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+    memset( ipad, 0x36, ctx->md_info->block_size );
+    memset( opad, 0x5C, ctx->md_info->block_size );
+
+    for( i = 0; i < keylen; i++ )
+    {
+        ipad[i] = (unsigned char)( ipad[i] ^ key[i] );
+        opad[i] = (unsigned char)( opad[i] ^ key[i] );
+    }
+
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        goto cleanup;
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, ipad,
+                                           ctx->md_info->block_size ) ) != 0 )
+        goto cleanup;
+
+cleanup:
+    mbedtls_platform_zeroize( sum, sizeof( sum ) );
+
+    return( ret );
+}
+
+int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
+{
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) );
+}
+
+int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output )
+{
+    int ret;
+    unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *opad;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+    if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, tmp ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, opad,
+                                           ctx->md_info->block_size ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, tmp,
+                                           ctx->md_info->size ) ) != 0 )
+        return( ret );
+    return( ctx->md_info->finish_func( ctx->md_ctx, output ) );
+}
+
+int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx )
+{
+    int ret;
+    unsigned char *ipad;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    ipad = (unsigned char *) ctx->hmac_ctx;
+
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        return( ret );
+    return( ctx->md_info->update_func( ctx->md_ctx, ipad,
+                                       ctx->md_info->block_size ) );
+}
+
+int mbedtls_md_hmac( const mbedtls_md_info_t *md_info,
+                     const unsigned char *key, size_t keylen,
+                     const unsigned char *input, size_t ilen,
+                     unsigned char *output )
+{
+    mbedtls_md_context_t ctx;
+    int ret;
+
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    mbedtls_md_init( &ctx );
+
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 1 ) ) != 0 )
+        goto cleanup;
+
+    if( ( ret = mbedtls_md_hmac_starts( &ctx, key, keylen ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_md_hmac_update( &ctx, input, ilen ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_md_hmac_finish( &ctx, output ) ) != 0 )
+        goto cleanup;
+
+cleanup:
+    mbedtls_md_free( &ctx );
+
+    return( ret );
+}
+
+int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->process_func( ctx->md_ctx, data ) );
+}
+
+unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( 0 );
+
+    return md_info->size;
+}
+
+mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( MBEDTLS_MD_NONE );
+
+    return md_info->type;
+}
+
+const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( NULL );
+
+    return md_info->name;
+}
+
+#endif /* MBEDTLS_MD_C */
diff --git a/ctrtool/deps/libmbedtls/src/md2.c b/ctrtool/deps/libmbedtls/src/md2.c
new file mode 100644
index 00000000..1c0b3df5
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/md2.c
@@ -0,0 +1,363 @@
+/*
+ *  RFC 1115/1319 compliant MD2 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The MD2 algorithm was designed by Ron Rivest in 1989.
+ *
+ *  http://www.ietf.org/rfc/rfc1115.txt
+ *  http://www.ietf.org/rfc/rfc1319.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+
+#include "mbedtls/md2.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD2_ALT)
+
+static const unsigned char PI_SUBST[256] =
+{
+    0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36,
+    0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13, 0x62, 0xA7, 0x05, 0xF3,
+    0xC0, 0xC7, 0x73, 0x8C, 0x98, 0x93, 0x2B, 0xD9, 0xBC, 0x4C,
+    0x82, 0xCA, 0x1E, 0x9B, 0x57, 0x3C, 0xFD, 0xD4, 0xE0, 0x16,
+    0x67, 0x42, 0x6F, 0x18, 0x8A, 0x17, 0xE5, 0x12, 0xBE, 0x4E,
+    0xC4, 0xD6, 0xDA, 0x9E, 0xDE, 0x49, 0xA0, 0xFB, 0xF5, 0x8E,
+    0xBB, 0x2F, 0xEE, 0x7A, 0xA9, 0x68, 0x79, 0x91, 0x15, 0xB2,
+    0x07, 0x3F, 0x94, 0xC2, 0x10, 0x89, 0x0B, 0x22, 0x5F, 0x21,
+    0x80, 0x7F, 0x5D, 0x9A, 0x5A, 0x90, 0x32, 0x27, 0x35, 0x3E,
+    0xCC, 0xE7, 0xBF, 0xF7, 0x97, 0x03, 0xFF, 0x19, 0x30, 0xB3,
+    0x48, 0xA5, 0xB5, 0xD1, 0xD7, 0x5E, 0x92, 0x2A, 0xAC, 0x56,
+    0xAA, 0xC6, 0x4F, 0xB8, 0x38, 0xD2, 0x96, 0xA4, 0x7D, 0xB6,
+    0x76, 0xFC, 0x6B, 0xE2, 0x9C, 0x74, 0x04, 0xF1, 0x45, 0x9D,
+    0x70, 0x59, 0x64, 0x71, 0x87, 0x20, 0x86, 0x5B, 0xCF, 0x65,
+    0xE6, 0x2D, 0xA8, 0x02, 0x1B, 0x60, 0x25, 0xAD, 0xAE, 0xB0,
+    0xB9, 0xF6, 0x1C, 0x46, 0x61, 0x69, 0x34, 0x40, 0x7E, 0x0F,
+    0x55, 0x47, 0xA3, 0x23, 0xDD, 0x51, 0xAF, 0x3A, 0xC3, 0x5C,
+    0xF9, 0xCE, 0xBA, 0xC5, 0xEA, 0x26, 0x2C, 0x53, 0x0D, 0x6E,
+    0x85, 0x28, 0x84, 0x09, 0xD3, 0xDF, 0xCD, 0xF4, 0x41, 0x81,
+    0x4D, 0x52, 0x6A, 0xDC, 0x37, 0xC8, 0x6C, 0xC1, 0xAB, 0xFA,
+    0x24, 0xE1, 0x7B, 0x08, 0x0C, 0xBD, 0xB1, 0x4A, 0x78, 0x88,
+    0x95, 0x8B, 0xE3, 0x63, 0xE8, 0x6D, 0xE9, 0xCB, 0xD5, 0xFE,
+    0x3B, 0x00, 0x1D, 0x39, 0xF2, 0xEF, 0xB7, 0x0E, 0x66, 0x58,
+    0xD0, 0xE4, 0xA6, 0x77, 0x72, 0xF8, 0xEB, 0x75, 0x4B, 0x0A,
+    0x31, 0x44, 0x50, 0xB4, 0x8F, 0xED, 0x1F, 0x1A, 0xDB, 0x99,
+    0x8D, 0x33, 0x9F, 0x11, 0x83, 0x14
+};
+
+void mbedtls_md2_init( mbedtls_md2_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md2_context ) );
+}
+
+void mbedtls_md2_free( mbedtls_md2_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md2_context ) );
+}
+
+void mbedtls_md2_clone( mbedtls_md2_context *dst,
+                        const mbedtls_md2_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD2 context setup
+ */
+int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx )
+{
+    memset( ctx->cksum, 0, 16 );
+    memset( ctx->state, 0, 46 );
+    memset( ctx->buffer, 0, 16 );
+    ctx->left = 0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_starts( mbedtls_md2_context *ctx )
+{
+    mbedtls_md2_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD2_PROCESS_ALT)
+int mbedtls_internal_md2_process( mbedtls_md2_context *ctx )
+{
+    int i, j;
+    unsigned char t = 0;
+
+    for( i = 0; i < 16; i++ )
+    {
+        ctx->state[i + 16] = ctx->buffer[i];
+        ctx->state[i + 32] =
+            (unsigned char)( ctx->buffer[i] ^ ctx->state[i]);
+    }
+
+    for( i = 0; i < 18; i++ )
+    {
+        for( j = 0; j < 48; j++ )
+        {
+            ctx->state[j] = (unsigned char)
+               ( ctx->state[j] ^ PI_SUBST[t] );
+            t  = ctx->state[j];
+        }
+
+        t = (unsigned char)( t + i );
+    }
+
+    t = ctx->cksum[15];
+
+    for( i = 0; i < 16; i++ )
+    {
+        ctx->cksum[i] = (unsigned char)
+           ( ctx->cksum[i] ^ PI_SUBST[ctx->buffer[i] ^ t] );
+        t  = ctx->cksum[i];
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_process( mbedtls_md2_context *ctx )
+{
+    mbedtls_internal_md2_process( ctx );
+}
+#endif
+#endif /* !MBEDTLS_MD2_PROCESS_ALT */
+
+/*
+ * MD2 process buffer
+ */
+int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+
+    while( ilen > 0 )
+    {
+        if( ilen > 16 - ctx->left )
+            fill = 16 - ctx->left;
+        else
+            fill = ilen;
+
+        memcpy( ctx->buffer + ctx->left, input, fill );
+
+        ctx->left += fill;
+        input += fill;
+        ilen  -= fill;
+
+        if( ctx->left == 16 )
+        {
+            ctx->left = 0;
+            if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+                return( ret );
+        }
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_update( mbedtls_md2_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md2_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * MD2 final digest
+ */
+int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    size_t i;
+    unsigned char x;
+
+    x = (unsigned char)( 16 - ctx->left );
+
+    for( i = ctx->left; i < 16; i++ )
+        ctx->buffer[i] = x;
+
+    if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+        return( ret );
+
+    memcpy( ctx->buffer, ctx->cksum, 16 );
+    if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+        return( ret );
+
+    memcpy( output, ctx->state, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_finish( mbedtls_md2_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md2_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD2_ALT */
+
+/*
+ * output = MD2( input buffer )
+ */
+int mbedtls_md2_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md2_context ctx;
+
+    mbedtls_md2_init( &ctx );
+
+    if( ( ret = mbedtls_md2_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md2_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md2_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md2_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md2_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1319 test vectors
+ */
+static const unsigned char md2_test_str[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md2_test_strlen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md2_test_sum[7][16] =
+{
+    { 0x83, 0x50, 0xE5, 0xA3, 0xE2, 0x4C, 0x15, 0x3D,
+      0xF2, 0x27, 0x5C, 0x9F, 0x80, 0x69, 0x27, 0x73 },
+    { 0x32, 0xEC, 0x01, 0xEC, 0x4A, 0x6D, 0xAC, 0x72,
+      0xC0, 0xAB, 0x96, 0xFB, 0x34, 0xC0, 0xB5, 0xD1 },
+    { 0xDA, 0x85, 0x3B, 0x0D, 0x3F, 0x88, 0xD9, 0x9B,
+      0x30, 0x28, 0x3A, 0x69, 0xE6, 0xDE, 0xD6, 0xBB },
+    { 0xAB, 0x4F, 0x49, 0x6B, 0xFB, 0x2A, 0x53, 0x0B,
+      0x21, 0x9F, 0xF3, 0x30, 0x31, 0xFE, 0x06, 0xB0 },
+    { 0x4E, 0x8D, 0xDF, 0xF3, 0x65, 0x02, 0x92, 0xAB,
+      0x5A, 0x41, 0x08, 0xC3, 0xAA, 0x47, 0x94, 0x0B },
+    { 0xDA, 0x33, 0xDE, 0xF2, 0xA4, 0x2D, 0xF1, 0x39,
+      0x75, 0x35, 0x28, 0x46, 0xC3, 0x03, 0x38, 0xCD },
+    { 0xD5, 0x97, 0x6F, 0x79, 0xD8, 0x3D, 0x3A, 0x0D,
+      0xC9, 0x80, 0x6C, 0x3C, 0x66, 0xF3, 0xEF, 0xD8 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md2_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md2sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD2 test #%d: ", i + 1 );
+
+        ret = mbedtls_md2_ret( md2_test_str[i], md2_test_strlen[i], md2sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md2sum, md2_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD2_C */
diff --git a/ctrtool/deps/libmbedtls/src/md4.c b/ctrtool/deps/libmbedtls/src/md4.c
new file mode 100644
index 00000000..828fd429
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/md4.c
@@ -0,0 +1,484 @@
+/*
+ *  RFC 1186/1320 compliant MD4 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The MD4 algorithm was designed by Ron Rivest in 1990.
+ *
+ *  http://www.ietf.org/rfc/rfc1186.txt
+ *  http://www.ietf.org/rfc/rfc1320.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+
+#include "mbedtls/md4.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD4_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_md4_init( mbedtls_md4_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md4_context ) );
+}
+
+void mbedtls_md4_free( mbedtls_md4_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md4_context ) );
+}
+
+void mbedtls_md4_clone( mbedtls_md4_context *dst,
+                        const mbedtls_md4_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD4 context setup
+ */
+int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_starts( mbedtls_md4_context *ctx )
+{
+    mbedtls_md4_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD4_PROCESS_ALT)
+int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
+                                  const unsigned char data[64] )
+{
+    uint32_t X[16], A, B, C, D;
+
+    GET_UINT32_LE( X[ 0], data,  0 );
+    GET_UINT32_LE( X[ 1], data,  4 );
+    GET_UINT32_LE( X[ 2], data,  8 );
+    GET_UINT32_LE( X[ 3], data, 12 );
+    GET_UINT32_LE( X[ 4], data, 16 );
+    GET_UINT32_LE( X[ 5], data, 20 );
+    GET_UINT32_LE( X[ 6], data, 24 );
+    GET_UINT32_LE( X[ 7], data, 28 );
+    GET_UINT32_LE( X[ 8], data, 32 );
+    GET_UINT32_LE( X[ 9], data, 36 );
+    GET_UINT32_LE( X[10], data, 40 );
+    GET_UINT32_LE( X[11], data, 44 );
+    GET_UINT32_LE( X[12], data, 48 );
+    GET_UINT32_LE( X[13], data, 52 );
+    GET_UINT32_LE( X[14], data, 56 );
+    GET_UINT32_LE( X[15], data, 60 );
+
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+
+#define F(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
+#define P(a,b,c,d,x,s)                           \
+    do                                           \
+    {                                            \
+        (a) += F((b),(c),(d)) + (x);             \
+        (a) = S((a),(s));                        \
+    } while( 0 )
+
+
+    P( A, B, C, D, X[ 0],  3 );
+    P( D, A, B, C, X[ 1],  7 );
+    P( C, D, A, B, X[ 2], 11 );
+    P( B, C, D, A, X[ 3], 19 );
+    P( A, B, C, D, X[ 4],  3 );
+    P( D, A, B, C, X[ 5],  7 );
+    P( C, D, A, B, X[ 6], 11 );
+    P( B, C, D, A, X[ 7], 19 );
+    P( A, B, C, D, X[ 8],  3 );
+    P( D, A, B, C, X[ 9],  7 );
+    P( C, D, A, B, X[10], 11 );
+    P( B, C, D, A, X[11], 19 );
+    P( A, B, C, D, X[12],  3 );
+    P( D, A, B, C, X[13],  7 );
+    P( C, D, A, B, X[14], 11 );
+    P( B, C, D, A, X[15], 19 );
+
+#undef P
+#undef F
+
+#define F(x,y,z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+#define P(a,b,c,d,x,s)                          \
+    do                                          \
+    {                                           \
+        (a) += F((b),(c),(d)) + (x) + 0x5A827999;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
+
+    P( A, B, C, D, X[ 0],  3 );
+    P( D, A, B, C, X[ 4],  5 );
+    P( C, D, A, B, X[ 8],  9 );
+    P( B, C, D, A, X[12], 13 );
+    P( A, B, C, D, X[ 1],  3 );
+    P( D, A, B, C, X[ 5],  5 );
+    P( C, D, A, B, X[ 9],  9 );
+    P( B, C, D, A, X[13], 13 );
+    P( A, B, C, D, X[ 2],  3 );
+    P( D, A, B, C, X[ 6],  5 );
+    P( C, D, A, B, X[10],  9 );
+    P( B, C, D, A, X[14], 13 );
+    P( A, B, C, D, X[ 3],  3 );
+    P( D, A, B, C, X[ 7],  5 );
+    P( C, D, A, B, X[11],  9 );
+    P( B, C, D, A, X[15], 13 );
+
+#undef P
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define P(a,b,c,d,x,s)                                  \
+    do                                                  \
+    {                                                   \
+        (a) += F((b),(c),(d)) + (x) + 0x6ED9EBA1;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
+
+    P( A, B, C, D, X[ 0],  3 );
+    P( D, A, B, C, X[ 8],  9 );
+    P( C, D, A, B, X[ 4], 11 );
+    P( B, C, D, A, X[12], 15 );
+    P( A, B, C, D, X[ 2],  3 );
+    P( D, A, B, C, X[10],  9 );
+    P( C, D, A, B, X[ 6], 11 );
+    P( B, C, D, A, X[14], 15 );
+    P( A, B, C, D, X[ 1],  3 );
+    P( D, A, B, C, X[ 9],  9 );
+    P( C, D, A, B, X[ 5], 11 );
+    P( B, C, D, A, X[13], 15 );
+    P( A, B, C, D, X[ 3],  3 );
+    P( D, A, B, C, X[11],  9 );
+    P( C, D, A, B, X[ 7], 11 );
+    P( B, C, D, A, X[15], 15 );
+
+#undef F
+#undef P
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_process( mbedtls_md4_context *ctx,
+                          const unsigned char data[64] )
+{
+    mbedtls_internal_md4_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_MD4_PROCESS_ALT */
+
+/*
+ * MD4 process buffer
+ */
+int mbedtls_md4_update_ret( mbedtls_md4_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left),
+                (void *) input, fill );
+
+        if( ( ret = mbedtls_internal_md4_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_md4_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left),
+                (void *) input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_update( mbedtls_md4_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md4_update_ret( ctx, input, ilen );
+}
+#endif
+
+static const unsigned char md4_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * MD4 final digest
+ */
+int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  msglen, 0 );
+    PUT_UINT32_LE( high, msglen, 4 );
+
+    last = ctx->total[0] & 0x3F;
+    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+    ret = mbedtls_md4_update_ret( ctx, (unsigned char *)md4_padding, padn );
+    if( ret != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_md4_update_ret( ctx, msglen, 8 ) ) != 0 )
+        return( ret );
+
+
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_finish( mbedtls_md4_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md4_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD4_ALT */
+
+/*
+ * output = MD4( input buffer )
+ */
+int mbedtls_md4_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md4_context ctx;
+
+    mbedtls_md4_init( &ctx );
+
+    if( ( ret = mbedtls_md4_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md4_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md4_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md4_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md4_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1320 test vectors
+ */
+static const unsigned char md4_test_str[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md4_test_strlen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md4_test_sum[7][16] =
+{
+    { 0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31,
+      0xB7, 0x3C, 0x59, 0xD7, 0xE0, 0xC0, 0x89, 0xC0 },
+    { 0xBD, 0xE5, 0x2C, 0xB3, 0x1D, 0xE3, 0x3E, 0x46,
+      0x24, 0x5E, 0x05, 0xFB, 0xDB, 0xD6, 0xFB, 0x24 },
+    { 0xA4, 0x48, 0x01, 0x7A, 0xAF, 0x21, 0xD8, 0x52,
+      0x5F, 0xC1, 0x0A, 0xE8, 0x7A, 0xA6, 0x72, 0x9D },
+    { 0xD9, 0x13, 0x0A, 0x81, 0x64, 0x54, 0x9F, 0xE8,
+      0x18, 0x87, 0x48, 0x06, 0xE1, 0xC7, 0x01, 0x4B },
+    { 0xD7, 0x9E, 0x1C, 0x30, 0x8A, 0xA5, 0xBB, 0xCD,
+      0xEE, 0xA8, 0xED, 0x63, 0xDF, 0x41, 0x2D, 0xA9 },
+    { 0x04, 0x3F, 0x85, 0x82, 0xF2, 0x41, 0xDB, 0x35,
+      0x1C, 0xE6, 0x27, 0xE1, 0x53, 0xE7, 0xF0, 0xE4 },
+    { 0xE3, 0x3B, 0x4D, 0xDC, 0x9C, 0x38, 0xF2, 0x19,
+      0x9C, 0x3E, 0x7B, 0x16, 0x4F, 0xCC, 0x05, 0x36 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md4_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md4sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD4 test #%d: ", i + 1 );
+
+        ret = mbedtls_md4_ret( md4_test_str[i], md4_test_strlen[i], md4sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md4sum, md4_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD4_C */
diff --git a/ctrtool/deps/libmbedtls/src/md5.c b/ctrtool/deps/libmbedtls/src/md5.c
new file mode 100644
index 00000000..a93da8a0
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/md5.c
@@ -0,0 +1,498 @@
+/*
+ *  RFC 1321 compliant MD5 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The MD5 algorithm was designed by Ron Rivest in 1991.
+ *
+ *  http://www.ietf.org/rfc/rfc1321.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+
+#include "mbedtls/md5.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD5_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_md5_init( mbedtls_md5_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md5_context ) );
+}
+
+void mbedtls_md5_free( mbedtls_md5_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md5_context ) );
+}
+
+void mbedtls_md5_clone( mbedtls_md5_context *dst,
+                        const mbedtls_md5_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD5 context setup
+ */
+int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_starts( mbedtls_md5_context *ctx )
+{
+    mbedtls_md5_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD5_PROCESS_ALT)
+int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
+                                  const unsigned char data[64] )
+{
+    uint32_t X[16], A, B, C, D;
+
+    GET_UINT32_LE( X[ 0], data,  0 );
+    GET_UINT32_LE( X[ 1], data,  4 );
+    GET_UINT32_LE( X[ 2], data,  8 );
+    GET_UINT32_LE( X[ 3], data, 12 );
+    GET_UINT32_LE( X[ 4], data, 16 );
+    GET_UINT32_LE( X[ 5], data, 20 );
+    GET_UINT32_LE( X[ 6], data, 24 );
+    GET_UINT32_LE( X[ 7], data, 28 );
+    GET_UINT32_LE( X[ 8], data, 32 );
+    GET_UINT32_LE( X[ 9], data, 36 );
+    GET_UINT32_LE( X[10], data, 40 );
+    GET_UINT32_LE( X[11], data, 44 );
+    GET_UINT32_LE( X[12], data, 48 );
+    GET_UINT32_LE( X[13], data, 52 );
+    GET_UINT32_LE( X[14], data, 56 );
+    GET_UINT32_LE( X[15], data, 60 );
+
+#define S(x,n)                                                          \
+    ( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) )
+
+#define P(a,b,c,d,k,s,t)                                        \
+    do                                                          \
+    {                                                           \
+        (a) += F((b),(c),(d)) + X[(k)] + (t);                   \
+        (a) = S((a),(s)) + (b);                                 \
+    } while( 0 )
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+
+    P( A, B, C, D,  0,  7, 0xD76AA478 );
+    P( D, A, B, C,  1, 12, 0xE8C7B756 );
+    P( C, D, A, B,  2, 17, 0x242070DB );
+    P( B, C, D, A,  3, 22, 0xC1BDCEEE );
+    P( A, B, C, D,  4,  7, 0xF57C0FAF );
+    P( D, A, B, C,  5, 12, 0x4787C62A );
+    P( C, D, A, B,  6, 17, 0xA8304613 );
+    P( B, C, D, A,  7, 22, 0xFD469501 );
+    P( A, B, C, D,  8,  7, 0x698098D8 );
+    P( D, A, B, C,  9, 12, 0x8B44F7AF );
+    P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
+    P( B, C, D, A, 11, 22, 0x895CD7BE );
+    P( A, B, C, D, 12,  7, 0x6B901122 );
+    P( D, A, B, C, 13, 12, 0xFD987193 );
+    P( C, D, A, B, 14, 17, 0xA679438E );
+    P( B, C, D, A, 15, 22, 0x49B40821 );
+
+#undef F
+
+#define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y))))
+
+    P( A, B, C, D,  1,  5, 0xF61E2562 );
+    P( D, A, B, C,  6,  9, 0xC040B340 );
+    P( C, D, A, B, 11, 14, 0x265E5A51 );
+    P( B, C, D, A,  0, 20, 0xE9B6C7AA );
+    P( A, B, C, D,  5,  5, 0xD62F105D );
+    P( D, A, B, C, 10,  9, 0x02441453 );
+    P( C, D, A, B, 15, 14, 0xD8A1E681 );
+    P( B, C, D, A,  4, 20, 0xE7D3FBC8 );
+    P( A, B, C, D,  9,  5, 0x21E1CDE6 );
+    P( D, A, B, C, 14,  9, 0xC33707D6 );
+    P( C, D, A, B,  3, 14, 0xF4D50D87 );
+    P( B, C, D, A,  8, 20, 0x455A14ED );
+    P( A, B, C, D, 13,  5, 0xA9E3E905 );
+    P( D, A, B, C,  2,  9, 0xFCEFA3F8 );
+    P( C, D, A, B,  7, 14, 0x676F02D9 );
+    P( B, C, D, A, 12, 20, 0x8D2A4C8A );
+
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+
+    P( A, B, C, D,  5,  4, 0xFFFA3942 );
+    P( D, A, B, C,  8, 11, 0x8771F681 );
+    P( C, D, A, B, 11, 16, 0x6D9D6122 );
+    P( B, C, D, A, 14, 23, 0xFDE5380C );
+    P( A, B, C, D,  1,  4, 0xA4BEEA44 );
+    P( D, A, B, C,  4, 11, 0x4BDECFA9 );
+    P( C, D, A, B,  7, 16, 0xF6BB4B60 );
+    P( B, C, D, A, 10, 23, 0xBEBFBC70 );
+    P( A, B, C, D, 13,  4, 0x289B7EC6 );
+    P( D, A, B, C,  0, 11, 0xEAA127FA );
+    P( C, D, A, B,  3, 16, 0xD4EF3085 );
+    P( B, C, D, A,  6, 23, 0x04881D05 );
+    P( A, B, C, D,  9,  4, 0xD9D4D039 );
+    P( D, A, B, C, 12, 11, 0xE6DB99E5 );
+    P( C, D, A, B, 15, 16, 0x1FA27CF8 );
+    P( B, C, D, A,  2, 23, 0xC4AC5665 );
+
+#undef F
+
+#define F(x,y,z) ((y) ^ ((x) | ~(z)))
+
+    P( A, B, C, D,  0,  6, 0xF4292244 );
+    P( D, A, B, C,  7, 10, 0x432AFF97 );
+    P( C, D, A, B, 14, 15, 0xAB9423A7 );
+    P( B, C, D, A,  5, 21, 0xFC93A039 );
+    P( A, B, C, D, 12,  6, 0x655B59C3 );
+    P( D, A, B, C,  3, 10, 0x8F0CCC92 );
+    P( C, D, A, B, 10, 15, 0xFFEFF47D );
+    P( B, C, D, A,  1, 21, 0x85845DD1 );
+    P( A, B, C, D,  8,  6, 0x6FA87E4F );
+    P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
+    P( C, D, A, B,  6, 15, 0xA3014314 );
+    P( B, C, D, A, 13, 21, 0x4E0811A1 );
+    P( A, B, C, D,  4,  6, 0xF7537E82 );
+    P( D, A, B, C, 11, 10, 0xBD3AF235 );
+    P( C, D, A, B,  2, 15, 0x2AD7D2BB );
+    P( B, C, D, A,  9, 21, 0xEB86D391 );
+
+#undef F
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_process( mbedtls_md5_context *ctx,
+                          const unsigned char data[64] )
+{
+    mbedtls_internal_md5_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_MD5_PROCESS_ALT */
+
+/*
+ * MD5 process buffer
+ */
+int mbedtls_md5_update_ret( mbedtls_md5_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+        if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_md5_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_update( mbedtls_md5_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md5_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * MD5 final digest
+ */
+int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  ctx->buffer, 56 );
+    PUT_UINT32_LE( high, ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_finish( mbedtls_md5_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md5_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD5_ALT */
+
+/*
+ * output = MD5( input buffer )
+ */
+int mbedtls_md5_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md5_context ctx;
+
+    mbedtls_md5_init( &ctx );
+
+    if( ( ret = mbedtls_md5_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md5_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md5_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md5_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md5_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * RFC 1321 test vectors
+ */
+static const unsigned char md5_test_buf[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md5_test_buflen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md5_test_sum[7][16] =
+{
+    { 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
+      0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
+    { 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
+      0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
+    { 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
+      0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
+    { 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
+      0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
+    { 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
+      0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
+    { 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
+      0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
+    { 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
+      0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md5_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md5sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD5 test #%d: ", i + 1 );
+
+        ret = mbedtls_md5_ret( md5_test_buf[i], md5_test_buflen[i], md5sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD5_C */
diff --git a/ctrtool/deps/libmbedtls/src/md_wrap.c b/ctrtool/deps/libmbedtls/src/md_wrap.c
new file mode 100644
index 00000000..32f08719
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/md_wrap.c
@@ -0,0 +1,586 @@
+/**
+ * \file md_wrap.c
+ *
+ * \brief Generic message digest wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD_C)
+
+#include "mbedtls/md_internal.h"
+
+#if defined(MBEDTLS_MD2_C)
+#include "mbedtls/md2.h"
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+#include "mbedtls/md4.h"
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#include "mbedtls/ripemd160.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+
+static int md2_starts_wrap( void *ctx )
+{
+    return( mbedtls_md2_starts_ret( (mbedtls_md2_context *) ctx ) );
+}
+
+static int md2_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md2_update_ret( (mbedtls_md2_context *) ctx, input, ilen ) );
+}
+
+static int md2_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md2_finish_ret( (mbedtls_md2_context *) ctx, output ) );
+}
+
+static void *md2_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md2_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md2_init( (mbedtls_md2_context *) ctx );
+
+    return( ctx );
+}
+
+static void md2_ctx_free( void *ctx )
+{
+    mbedtls_md2_free( (mbedtls_md2_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md2_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md2_clone( (mbedtls_md2_context *) dst,
+                 (const mbedtls_md2_context *) src );
+}
+
+static int md2_process_wrap( void *ctx, const unsigned char *data )
+{
+    ((void) data);
+
+    return( mbedtls_internal_md2_process( (mbedtls_md2_context *) ctx ) );
+}
+
+const mbedtls_md_info_t mbedtls_md2_info = {
+    MBEDTLS_MD_MD2,
+    "MD2",
+    16,
+    16,
+    md2_starts_wrap,
+    md2_update_wrap,
+    md2_finish_wrap,
+    mbedtls_md2_ret,
+    md2_ctx_alloc,
+    md2_ctx_free,
+    md2_clone_wrap,
+    md2_process_wrap,
+};
+
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+
+static int md4_starts_wrap( void *ctx )
+{
+    return( mbedtls_md4_starts_ret( (mbedtls_md4_context *) ctx ) );
+}
+
+static int md4_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md4_update_ret( (mbedtls_md4_context *) ctx, input, ilen ) );
+}
+
+static int md4_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md4_finish_ret( (mbedtls_md4_context *) ctx, output ) );
+}
+
+static void *md4_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md4_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md4_init( (mbedtls_md4_context *) ctx );
+
+    return( ctx );
+}
+
+static void md4_ctx_free( void *ctx )
+{
+    mbedtls_md4_free( (mbedtls_md4_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md4_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md4_clone( (mbedtls_md4_context *) dst,
+                       (const mbedtls_md4_context *) src );
+}
+
+static int md4_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_md4_process( (mbedtls_md4_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_md4_info = {
+    MBEDTLS_MD_MD4,
+    "MD4",
+    16,
+    64,
+    md4_starts_wrap,
+    md4_update_wrap,
+    md4_finish_wrap,
+    mbedtls_md4_ret,
+    md4_ctx_alloc,
+    md4_ctx_free,
+    md4_clone_wrap,
+    md4_process_wrap,
+};
+
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+
+static int md5_starts_wrap( void *ctx )
+{
+    return( mbedtls_md5_starts_ret( (mbedtls_md5_context *) ctx ) );
+}
+
+static int md5_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md5_update_ret( (mbedtls_md5_context *) ctx, input, ilen ) );
+}
+
+static int md5_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md5_finish_ret( (mbedtls_md5_context *) ctx, output ) );
+}
+
+static void *md5_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md5_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md5_init( (mbedtls_md5_context *) ctx );
+
+    return( ctx );
+}
+
+static void md5_ctx_free( void *ctx )
+{
+    mbedtls_md5_free( (mbedtls_md5_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md5_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md5_clone( (mbedtls_md5_context *) dst,
+                       (const mbedtls_md5_context *) src );
+}
+
+static int md5_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_md5_process( (mbedtls_md5_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_md5_info = {
+    MBEDTLS_MD_MD5,
+    "MD5",
+    16,
+    64,
+    md5_starts_wrap,
+    md5_update_wrap,
+    md5_finish_wrap,
+    mbedtls_md5_ret,
+    md5_ctx_alloc,
+    md5_ctx_free,
+    md5_clone_wrap,
+    md5_process_wrap,
+};
+
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+static int ripemd160_starts_wrap( void *ctx )
+{
+    return( mbedtls_ripemd160_starts_ret( (mbedtls_ripemd160_context *) ctx ) );
+}
+
+static int ripemd160_update_wrap( void *ctx, const unsigned char *input,
+                                   size_t ilen )
+{
+    return( mbedtls_ripemd160_update_ret( (mbedtls_ripemd160_context *) ctx,
+                                          input, ilen ) );
+}
+
+static int ripemd160_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_ripemd160_finish_ret( (mbedtls_ripemd160_context *) ctx,
+                                          output ) );
+}
+
+static void *ripemd160_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ripemd160_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ripemd160_init( (mbedtls_ripemd160_context *) ctx );
+
+    return( ctx );
+}
+
+static void ripemd160_ctx_free( void *ctx )
+{
+    mbedtls_ripemd160_free( (mbedtls_ripemd160_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void ripemd160_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_ripemd160_clone( (mbedtls_ripemd160_context *) dst,
+                       (const mbedtls_ripemd160_context *) src );
+}
+
+static int ripemd160_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_ripemd160_process(
+                                (mbedtls_ripemd160_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_ripemd160_info = {
+    MBEDTLS_MD_RIPEMD160,
+    "RIPEMD160",
+    20,
+    64,
+    ripemd160_starts_wrap,
+    ripemd160_update_wrap,
+    ripemd160_finish_wrap,
+    mbedtls_ripemd160_ret,
+    ripemd160_ctx_alloc,
+    ripemd160_ctx_free,
+    ripemd160_clone_wrap,
+    ripemd160_process_wrap,
+};
+
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+
+static int sha1_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha1_starts_ret( (mbedtls_sha1_context *) ctx ) );
+}
+
+static int sha1_update_wrap( void *ctx, const unsigned char *input,
+                              size_t ilen )
+{
+    return( mbedtls_sha1_update_ret( (mbedtls_sha1_context *) ctx,
+                                     input, ilen ) );
+}
+
+static int sha1_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha1_finish_ret( (mbedtls_sha1_context *) ctx, output ) );
+}
+
+static void *sha1_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha1_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha1_init( (mbedtls_sha1_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha1_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha1_clone( (mbedtls_sha1_context *) dst,
+                  (const mbedtls_sha1_context *) src );
+}
+
+static void sha1_ctx_free( void *ctx )
+{
+    mbedtls_sha1_free( (mbedtls_sha1_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static int sha1_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha1_process( (mbedtls_sha1_context *) ctx,
+                                           data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha1_info = {
+    MBEDTLS_MD_SHA1,
+    "SHA1",
+    20,
+    64,
+    sha1_starts_wrap,
+    sha1_update_wrap,
+    sha1_finish_wrap,
+    mbedtls_sha1_ret,
+    sha1_ctx_alloc,
+    sha1_ctx_free,
+    sha1_clone_wrap,
+    sha1_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA1_C */
+
+/*
+ * Wrappers for generic message digests
+ */
+#if defined(MBEDTLS_SHA256_C)
+
+static int sha224_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 1 ) );
+}
+
+static int sha224_update_wrap( void *ctx, const unsigned char *input,
+                                size_t ilen )
+{
+    return( mbedtls_sha256_update_ret( (mbedtls_sha256_context *) ctx,
+                                       input, ilen ) );
+}
+
+static int sha224_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha256_finish_ret( (mbedtls_sha256_context *) ctx,
+                                       output ) );
+}
+
+static int sha224_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha256_ret( input, ilen, output, 1 ) );
+}
+
+static void *sha224_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha256_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha256_init( (mbedtls_sha256_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha224_ctx_free( void *ctx )
+{
+    mbedtls_sha256_free( (mbedtls_sha256_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void sha224_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha256_clone( (mbedtls_sha256_context *) dst,
+                    (const mbedtls_sha256_context *) src );
+}
+
+static int sha224_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha256_process( (mbedtls_sha256_context *) ctx,
+                                             data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha224_info = {
+    MBEDTLS_MD_SHA224,
+    "SHA224",
+    28,
+    64,
+    sha224_starts_wrap,
+    sha224_update_wrap,
+    sha224_finish_wrap,
+    sha224_wrap,
+    sha224_ctx_alloc,
+    sha224_ctx_free,
+    sha224_clone_wrap,
+    sha224_process_wrap,
+};
+
+static int sha256_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 0 ) );
+}
+
+static int sha256_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha256_ret( input, ilen, output, 0 ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha256_info = {
+    MBEDTLS_MD_SHA256,
+    "SHA256",
+    32,
+    64,
+    sha256_starts_wrap,
+    sha224_update_wrap,
+    sha224_finish_wrap,
+    sha256_wrap,
+    sha224_ctx_alloc,
+    sha224_ctx_free,
+    sha224_clone_wrap,
+    sha224_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+
+static int sha384_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 1 ) );
+}
+
+static int sha384_update_wrap( void *ctx, const unsigned char *input,
+                               size_t ilen )
+{
+    return( mbedtls_sha512_update_ret( (mbedtls_sha512_context *) ctx,
+                                       input, ilen ) );
+}
+
+static int sha384_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha512_finish_ret( (mbedtls_sha512_context *) ctx,
+                                       output ) );
+}
+
+static int sha384_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha512_ret( input, ilen, output, 1 ) );
+}
+
+static void *sha384_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha512_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha512_init( (mbedtls_sha512_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha384_ctx_free( void *ctx )
+{
+    mbedtls_sha512_free( (mbedtls_sha512_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void sha384_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha512_clone( (mbedtls_sha512_context *) dst,
+                    (const mbedtls_sha512_context *) src );
+}
+
+static int sha384_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha512_process( (mbedtls_sha512_context *) ctx,
+                                             data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha384_info = {
+    MBEDTLS_MD_SHA384,
+    "SHA384",
+    48,
+    128,
+    sha384_starts_wrap,
+    sha384_update_wrap,
+    sha384_finish_wrap,
+    sha384_wrap,
+    sha384_ctx_alloc,
+    sha384_ctx_free,
+    sha384_clone_wrap,
+    sha384_process_wrap,
+};
+
+static int sha512_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 0 ) );
+}
+
+static int sha512_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha512_ret( input, ilen, output, 0 ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha512_info = {
+    MBEDTLS_MD_SHA512,
+    "SHA512",
+    64,
+    128,
+    sha512_starts_wrap,
+    sha384_update_wrap,
+    sha384_finish_wrap,
+    sha512_wrap,
+    sha384_ctx_alloc,
+    sha384_ctx_free,
+    sha384_clone_wrap,
+    sha384_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA512_C */
+
+#endif /* MBEDTLS_MD_C */
diff --git a/ctrtool/deps/libmbedtls/src/memory_buffer_alloc.c b/ctrtool/deps/libmbedtls/src/memory_buffer_alloc.c
new file mode 100644
index 00000000..51ea7c41
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/memory_buffer_alloc.c
@@ -0,0 +1,750 @@
+/*
+ *  Buffer-based memory allocator
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+
+/* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
+   is dependent upon MBEDTLS_PLATFORM_C */
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+#include <execinfo.h>
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#define MAGIC1       0xFF00AA55
+#define MAGIC2       0xEE119966
+#define MAX_BT 20
+
+typedef struct _memory_header memory_header;
+struct _memory_header
+{
+    size_t          magic1;
+    size_t          size;
+    size_t          alloc;
+    memory_header   *prev;
+    memory_header   *next;
+    memory_header   *prev_free;
+    memory_header   *next_free;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    char            **trace;
+    size_t          trace_count;
+#endif
+    size_t          magic2;
+};
+
+typedef struct
+{
+    unsigned char   *buf;
+    size_t          len;
+    memory_header   *first;
+    memory_header   *first_free;
+    int             verify;
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    size_t          alloc_count;
+    size_t          free_count;
+    size_t          total_used;
+    size_t          maximum_used;
+    size_t          header_count;
+    size_t          maximum_header_count;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t   mutex;
+#endif
+}
+buffer_alloc_ctx;
+
+static buffer_alloc_ctx heap;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+static void debug_header( memory_header *hdr )
+{
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    size_t i;
+#endif
+
+    mbedtls_fprintf( stderr, "HDR:  PTR(%10zu), PREV(%10zu), NEXT(%10zu), "
+                              "ALLOC(%zu), SIZE(%10zu)\n",
+                      (size_t) hdr, (size_t) hdr->prev, (size_t) hdr->next,
+                      hdr->alloc, hdr->size );
+    mbedtls_fprintf( stderr, "      FPREV(%10zu), FNEXT(%10zu)\n",
+                      (size_t) hdr->prev_free, (size_t) hdr->next_free );
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    mbedtls_fprintf( stderr, "TRACE: \n" );
+    for( i = 0; i < hdr->trace_count; i++ )
+        mbedtls_fprintf( stderr, "%s\n", hdr->trace[i] );
+    mbedtls_fprintf( stderr, "\n" );
+#endif
+}
+
+static void debug_chain( void )
+{
+    memory_header *cur = heap.first;
+
+    mbedtls_fprintf( stderr, "\nBlock list\n" );
+    while( cur != NULL )
+    {
+        debug_header( cur );
+        cur = cur->next;
+    }
+
+    mbedtls_fprintf( stderr, "Free list\n" );
+    cur = heap.first_free;
+
+    while( cur != NULL )
+    {
+        debug_header( cur );
+        cur = cur->next_free;
+    }
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+static int verify_header( memory_header *hdr )
+{
+    if( hdr->magic1 != MAGIC1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: MAGIC1 mismatch\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->magic2 != MAGIC2 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: MAGIC2 mismatch\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->alloc > 1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: alloc has illegal value\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->prev != NULL && hdr->prev == hdr->next )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: prev == next\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->prev_free != NULL && hdr->prev_free == hdr->next_free )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: prev_free == next_free\n" );
+#endif
+        return( 1 );
+    }
+
+    return( 0 );
+}
+
+static int verify_chain( void )
+{
+    memory_header *prv = heap.first, *cur;
+
+    if( prv == NULL || verify_header( prv ) != 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: verification of first header "
+                                  "failed\n" );
+#endif
+        return( 1 );
+    }
+
+    if( heap.first->prev != NULL )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: verification failed: "
+                                  "first->prev != NULL\n" );
+#endif
+        return( 1 );
+    }
+
+    cur = heap.first->next;
+
+    while( cur != NULL )
+    {
+        if( verify_header( cur ) != 0 )
+        {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf( stderr, "FATAL: verification of header "
+                                      "failed\n" );
+#endif
+            return( 1 );
+        }
+
+        if( cur->prev != prv )
+        {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf( stderr, "FATAL: verification failed: "
+                                      "cur->prev != prv\n" );
+#endif
+            return( 1 );
+        }
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    return( 0 );
+}
+
+static void *buffer_alloc_calloc( size_t n, size_t size )
+{
+    memory_header *new, *cur = heap.first_free;
+    unsigned char *p;
+    void *ret;
+    size_t original_len, len;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    void *trace_buffer[MAX_BT];
+    size_t trace_cnt;
+#endif
+
+    if( heap.buf == NULL || heap.first == NULL )
+        return( NULL );
+
+    original_len = len = n * size;
+
+    if( n == 0 || size == 0 || len / n != size )
+        return( NULL );
+    else if( len > (size_t)-MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+        return( NULL );
+
+    if( len % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        len -= len % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        len += MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    // Find block that fits
+    //
+    while( cur != NULL )
+    {
+        if( cur->size >= len )
+            break;
+
+        cur = cur->next_free;
+    }
+
+    if( cur == NULL )
+        return( NULL );
+
+    if( cur->alloc != 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: block in free_list but allocated "
+                                  "data\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.alloc_count++;
+#endif
+
+    // Found location, split block if > memory_header + 4 room left
+    //
+    if( cur->size - len < sizeof(memory_header) +
+                          MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        cur->alloc = 1;
+
+        // Remove from free_list
+        //
+        if( cur->prev_free != NULL )
+            cur->prev_free->next_free = cur->next_free;
+        else
+            heap.first_free = cur->next_free;
+
+        if( cur->next_free != NULL )
+            cur->next_free->prev_free = cur->prev_free;
+
+        cur->prev_free = NULL;
+        cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used += cur->size;
+        if( heap.total_used > heap.maximum_used )
+            heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+        trace_cnt = backtrace( trace_buffer, MAX_BT );
+        cur->trace = backtrace_symbols( trace_buffer, trace_cnt );
+        cur->trace_count = trace_cnt;
+#endif
+
+        if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC ) && verify_chain() != 0 )
+            mbedtls_exit( 1 );
+
+        ret = (unsigned char *) cur + sizeof( memory_header );
+        memset( ret, 0, original_len );
+
+        return( ret );
+    }
+
+    p = ( (unsigned char *) cur ) + sizeof(memory_header) + len;
+    new = (memory_header *) p;
+
+    new->size = cur->size - len - sizeof(memory_header);
+    new->alloc = 0;
+    new->prev = cur;
+    new->next = cur->next;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    new->trace = NULL;
+    new->trace_count = 0;
+#endif
+    new->magic1 = MAGIC1;
+    new->magic2 = MAGIC2;
+
+    if( new->next != NULL )
+        new->next->prev = new;
+
+    // Replace cur with new in free_list
+    //
+    new->prev_free = cur->prev_free;
+    new->next_free = cur->next_free;
+    if( new->prev_free != NULL )
+        new->prev_free->next_free = new;
+    else
+        heap.first_free = new;
+
+    if( new->next_free != NULL )
+        new->next_free->prev_free = new;
+
+    cur->alloc = 1;
+    cur->size = len;
+    cur->next = new;
+    cur->prev_free = NULL;
+    cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.header_count++;
+    if( heap.header_count > heap.maximum_header_count )
+        heap.maximum_header_count = heap.header_count;
+    heap.total_used += cur->size;
+    if( heap.total_used > heap.maximum_used )
+        heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    trace_cnt = backtrace( trace_buffer, MAX_BT );
+    cur->trace = backtrace_symbols( trace_buffer, trace_cnt );
+    cur->trace_count = trace_cnt;
+#endif
+
+    if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC ) && verify_chain() != 0 )
+        mbedtls_exit( 1 );
+
+    ret = (unsigned char *) cur + sizeof( memory_header );
+    memset( ret, 0, original_len );
+
+    return( ret );
+}
+
+static void buffer_alloc_free( void *ptr )
+{
+    memory_header *hdr, *old = NULL;
+    unsigned char *p = (unsigned char *) ptr;
+
+    if( ptr == NULL || heap.buf == NULL || heap.first == NULL )
+        return;
+
+    if( p < heap.buf || p >= heap.buf + heap.len )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: mbedtls_free() outside of managed "
+                                  "space\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+    p -= sizeof(memory_header);
+    hdr = (memory_header *) p;
+
+    if( verify_header( hdr ) != 0 )
+        mbedtls_exit( 1 );
+
+    if( hdr->alloc != 1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: mbedtls_free() on unallocated "
+                                  "data\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+    hdr->alloc = 0;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.free_count++;
+    heap.total_used -= hdr->size;
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    free( hdr->trace );
+    hdr->trace = NULL;
+    hdr->trace_count = 0;
+#endif
+
+    // Regroup with block before
+    //
+    if( hdr->prev != NULL && hdr->prev->alloc == 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->prev->size += sizeof(memory_header) + hdr->size;
+        hdr->prev->next = hdr->next;
+        old = hdr;
+        hdr = hdr->prev;
+
+        if( hdr->next != NULL )
+            hdr->next->prev = hdr;
+
+        memset( old, 0, sizeof(memory_header) );
+    }
+
+    // Regroup with block after
+    //
+    if( hdr->next != NULL && hdr->next->alloc == 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->size += sizeof(memory_header) + hdr->next->size;
+        old = hdr->next;
+        hdr->next = hdr->next->next;
+
+        if( hdr->prev_free != NULL || hdr->next_free != NULL )
+        {
+            if( hdr->prev_free != NULL )
+                hdr->prev_free->next_free = hdr->next_free;
+            else
+                heap.first_free = hdr->next_free;
+
+            if( hdr->next_free != NULL )
+                hdr->next_free->prev_free = hdr->prev_free;
+        }
+
+        hdr->prev_free = old->prev_free;
+        hdr->next_free = old->next_free;
+
+        if( hdr->prev_free != NULL )
+            hdr->prev_free->next_free = hdr;
+        else
+            heap.first_free = hdr;
+
+        if( hdr->next_free != NULL )
+            hdr->next_free->prev_free = hdr;
+
+        if( hdr->next != NULL )
+            hdr->next->prev = hdr;
+
+        memset( old, 0, sizeof(memory_header) );
+    }
+
+    // Prepend to free_list if we have not merged
+    // (Does not have to stay in same order as prev / next list)
+    //
+    if( old == NULL )
+    {
+        hdr->next_free = heap.first_free;
+        if( heap.first_free != NULL )
+            heap.first_free->prev_free = hdr;
+        heap.first_free = hdr;
+    }
+
+    if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_FREE ) && verify_chain() != 0 )
+        mbedtls_exit( 1 );
+}
+
+void mbedtls_memory_buffer_set_verify( int verify )
+{
+    heap.verify = verify;
+}
+
+int mbedtls_memory_buffer_alloc_verify( void )
+{
+    return verify_chain();
+}
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+void mbedtls_memory_buffer_alloc_status( void )
+{
+    mbedtls_fprintf( stderr,
+                      "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
+                      "%zu bytes (total %zu bytes), alloc / free: %zu / %zu\n",
+                      heap.header_count, heap.total_used,
+                      heap.maximum_header_count, heap.maximum_used,
+                      heap.maximum_header_count * sizeof( memory_header )
+                      + heap.maximum_used,
+                      heap.alloc_count, heap.free_count );
+
+    if( heap.first->next == NULL )
+    {
+        mbedtls_fprintf( stderr, "All memory de-allocated in stack buffer\n" );
+    }
+    else
+    {
+        mbedtls_fprintf( stderr, "Memory currently allocated:\n" );
+        debug_chain();
+    }
+}
+
+void mbedtls_memory_buffer_alloc_max_get( size_t *max_used, size_t *max_blocks )
+{
+    *max_used   = heap.maximum_used;
+    *max_blocks = heap.maximum_header_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_reset( void )
+{
+    heap.maximum_used = 0;
+    heap.maximum_header_count = 0;
+}
+
+void mbedtls_memory_buffer_alloc_cur_get( size_t *cur_used, size_t *cur_blocks )
+{
+    *cur_used   = heap.total_used;
+    *cur_blocks = heap.header_count;
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+#if defined(MBEDTLS_THREADING_C)
+static void *buffer_alloc_calloc_mutexed( size_t n, size_t size )
+{
+    void *buf;
+    if( mbedtls_mutex_lock( &heap.mutex ) != 0 )
+        return( NULL );
+    buf = buffer_alloc_calloc( n, size );
+    if( mbedtls_mutex_unlock( &heap.mutex ) )
+        return( NULL );
+    return( buf );
+}
+
+static void buffer_alloc_free_mutexed( void *ptr )
+{
+    /* We have to good option here, but corrupting the heap seems
+     * worse than loosing memory. */
+    if( mbedtls_mutex_lock( &heap.mutex ) )
+        return;
+    buffer_alloc_free( ptr );
+    (void) mbedtls_mutex_unlock( &heap.mutex );
+}
+#endif /* MBEDTLS_THREADING_C */
+
+void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len )
+{
+    memset( &heap, 0, sizeof( buffer_alloc_ctx ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &heap.mutex );
+    mbedtls_platform_set_calloc_free( buffer_alloc_calloc_mutexed,
+                              buffer_alloc_free_mutexed );
+#else
+    mbedtls_platform_set_calloc_free( buffer_alloc_calloc, buffer_alloc_free );
+#endif
+
+    if( len < sizeof( memory_header ) + MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+        return;
+    else if( (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        /* Adjust len first since buf is used in the computation */
+        len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
+             - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
+             - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    memset( buf, 0, len );
+
+    heap.buf = buf;
+    heap.len = len;
+
+    heap.first = (memory_header *)buf;
+    heap.first->size = len - sizeof( memory_header );
+    heap.first->magic1 = MAGIC1;
+    heap.first->magic2 = MAGIC2;
+    heap.first_free = heap.first;
+}
+
+void mbedtls_memory_buffer_alloc_free( void )
+{
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &heap.mutex );
+#endif
+    mbedtls_platform_zeroize( &heap, sizeof(buffer_alloc_ctx) );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+static int check_pointer( void *p )
+{
+    if( p == NULL )
+        return( -1 );
+
+    if( (size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0 )
+        return( -1 );
+
+    return( 0 );
+}
+
+static int check_all_free( void )
+{
+    if(
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used != 0 ||
+#endif
+        heap.first != heap.first_free ||
+        (void *) heap.first != (void *) heap.buf )
+    {
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+#define TEST_ASSERT( condition )            \
+    if( ! (condition) )                     \
+    {                                       \
+        if( verbose != 0 )                  \
+            mbedtls_printf( "failed\n" );  \
+                                            \
+        ret = 1;                            \
+        goto cleanup;                       \
+    }
+
+int mbedtls_memory_buffer_alloc_self_test( int verbose )
+{
+    unsigned char buf[1024];
+    unsigned char *p, *q, *r, *end;
+    int ret = 0;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #1 (basic alloc-free cycle): " );
+
+    mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = mbedtls_calloc( 1, 1 );
+    q = mbedtls_calloc( 1, 128 );
+    r = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    mbedtls_free( r );
+    mbedtls_free( q );
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    /* Memorize end to compare with the next test */
+    end = heap.buf + heap.len;
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #2 (buf not aligned): " );
+
+    mbedtls_memory_buffer_alloc_init( buf + 1, sizeof( buf ) - 1 );
+
+    TEST_ASSERT( heap.buf + heap.len == end );
+
+    p = mbedtls_calloc( 1, 1 );
+    q = mbedtls_calloc( 1, 128 );
+    r = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    mbedtls_free( r );
+    mbedtls_free( q );
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #3 (full): " );
+
+    mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = mbedtls_calloc( 1, sizeof( buf ) - sizeof( memory_header ) );
+
+    TEST_ASSERT( check_pointer( p ) == 0 );
+    TEST_ASSERT( mbedtls_calloc( 1, 1 ) == NULL );
+
+    mbedtls_free( p );
+
+    p = mbedtls_calloc( 1, sizeof( buf ) - 2 * sizeof( memory_header ) - 16 );
+    q = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 && check_pointer( q ) == 0 );
+    TEST_ASSERT( mbedtls_calloc( 1, 1 ) == NULL );
+
+    mbedtls_free( q );
+
+    TEST_ASSERT( mbedtls_calloc( 1, 17 ) == NULL );
+
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+    mbedtls_memory_buffer_alloc_free( );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
diff --git a/ctrtool/deps/libmbedtls/src/net_sockets.c b/ctrtool/deps/libmbedtls/src/net_sockets.c
new file mode 100644
index 00000000..5d538bfd
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/net_sockets.c
@@ -0,0 +1,668 @@
+/*
+ *  TCP/IP or UDP/IP networking functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
+ * be set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_NET_C)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
+#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/net_sockets.h"
+
+#include <string.h>
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+    !defined(EFI32)
+
+#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
+
+#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
+#undef _WIN32_WINNT
+/* Enables getaddrinfo() & Co */
+#define _WIN32_WINNT 0x0501
+#endif
+
+#include <ws2tcpip.h>
+
+#include <winsock2.h>
+#include <windows.h>
+
+#if defined(_MSC_VER)
+#if defined(_WIN32_WCE)
+#pragma comment( lib, "ws2.lib" )
+#else
+#pragma comment( lib, "ws2_32.lib" )
+#endif
+#endif /* _MSC_VER */
+
+#define read(fd,buf,len)        recv( fd, (char*)( buf ), (int)( len ), 0 )
+#define write(fd,buf,len)       send( fd, (char*)( buf ), (int)( len ), 0 )
+#define close(fd)               closesocket(fd)
+
+static int wsa_init_done = 0;
+
+#else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <errno.h>
+
+#define IS_EINTR( ret ) ( ( ret ) == EINTR )
+
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/* Some MS functions want int and MSVC warns if we pass size_t,
+ * but the standard functions use socklen_t, so cast only for MSVC */
+#if defined(_MSC_VER)
+#define MSVC_INT_CAST   (int)
+#else
+#define MSVC_INT_CAST
+#endif
+
+#include <stdio.h>
+
+#include <time.h>
+
+#include <stdint.h>
+
+/*
+ * Prepare for using the sockets interface
+ */
+static int net_prepare( void )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    WSADATA wsaData;
+
+    if( wsa_init_done == 0 )
+    {
+        if( WSAStartup( MAKEWORD(2,0), &wsaData ) != 0 )
+            return( MBEDTLS_ERR_NET_SOCKET_FAILED );
+
+        wsa_init_done = 1;
+    }
+#else
+#if !defined(EFIX64) && !defined(EFI32)
+    signal( SIGPIPE, SIG_IGN );
+#endif
+#endif
+    return( 0 );
+}
+
+/*
+ * Initialize a context
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx )
+{
+    ctx->fd = -1;
+}
+
+/*
+ * Initiate a TCP connection with host:port and the given protocol
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
+                         const char *port, int proto )
+{
+    int ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Do name resolution with both IPv6 and IPv4 */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+
+    if( getaddrinfo( host, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a connection succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( connect( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) == 0 )
+        {
+            ret = 0;
+            break;
+        }
+
+        close( ctx->fd );
+        ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+}
+
+/*
+ * Create a listening socket on bind_ip:port
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
+{
+    int n, ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Bind to IPv6 and/or IPv4, but only in the desired protocol */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+    if( bind_ip == NULL )
+        hints.ai_flags = AI_PASSIVE;
+
+    if( getaddrinfo( bind_ip, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a binding succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        n = 1;
+        if( setsockopt( ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &n, sizeof( n ) ) != 0 )
+        {
+            close( ctx->fd );
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( bind( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) != 0 )
+        {
+            close( ctx->fd );
+            ret = MBEDTLS_ERR_NET_BIND_FAILED;
+            continue;
+        }
+
+        /* Listen only makes sense for TCP */
+        if( proto == MBEDTLS_NET_PROTO_TCP )
+        {
+            if( listen( ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG ) != 0 )
+            {
+                close( ctx->fd );
+                ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
+                continue;
+            }
+        }
+
+        /* Bind was successful */
+        ret = 0;
+        break;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+
+}
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    ((void) ctx);
+    return( WSAGetLastError() == WSAEWOULDBLOCK );
+}
+#else
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ *
+ * Note: on a blocking socket this function always returns 0!
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    int err = errno;
+
+    /*
+     * Never return 'WOULD BLOCK' on a blocking socket
+     */
+    if( ( fcntl( ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK )
+    {
+        errno = err;
+        return( 0 );
+    }
+
+    switch( errno = err )
+    {
+#if defined EAGAIN
+        case EAGAIN:
+#endif
+#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
+        case EWOULDBLOCK:
+#endif
+            return( 1 );
+    }
+    return( 0 );
+}
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/*
+ * Accept a connection from a remote client
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len )
+{
+    int ret;
+    int type;
+
+    struct sockaddr_storage client_addr;
+
+#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) ||  \
+    defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
+    socklen_t n = (socklen_t) sizeof( client_addr );
+    socklen_t type_len = (socklen_t) sizeof( type );
+#else
+    int n = (int) sizeof( client_addr );
+    int type_len = (int) sizeof( type );
+#endif
+
+    /* Is this a TCP or UDP socket? */
+    if( getsockopt( bind_ctx->fd, SOL_SOCKET, SO_TYPE,
+                    (void *) &type, &type_len ) != 0 ||
+        ( type != SOCK_STREAM && type != SOCK_DGRAM ) )
+    {
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    if( type == SOCK_STREAM )
+    {
+        /* TCP: actual accept() */
+        ret = client_ctx->fd = (int) accept( bind_ctx->fd,
+                                             (struct sockaddr *) &client_addr, &n );
+    }
+    else
+    {
+        /* UDP: wait for a message, but keep it in the queue */
+        char buf[1] = { 0 };
+
+        ret = (int) recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
+                        (struct sockaddr *) &client_addr, &n );
+
+#if defined(_WIN32)
+        if( ret == SOCKET_ERROR &&
+            WSAGetLastError() == WSAEMSGSIZE )
+        {
+            /* We know buf is too small, thanks, just peeking here */
+            ret = 0;
+        }
+#endif
+    }
+
+    if( ret < 0 )
+    {
+        if( net_would_block( bind_ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    /* UDP: hijack the listening socket to communicate with the client,
+     * then bind a new socket to accept new connections */
+    if( type != SOCK_STREAM )
+    {
+        struct sockaddr_storage local_addr;
+        int one = 1;
+
+        if( connect( bind_ctx->fd, (struct sockaddr *) &client_addr, n ) != 0 )
+            return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+
+        client_ctx->fd = bind_ctx->fd;
+        bind_ctx->fd   = -1; /* In case we exit early */
+
+        n = sizeof( struct sockaddr_storage );
+        if( getsockname( client_ctx->fd,
+                         (struct sockaddr *) &local_addr, &n ) != 0 ||
+            ( bind_ctx->fd = (int) socket( local_addr.ss_family,
+                                           SOCK_DGRAM, IPPROTO_UDP ) ) < 0 ||
+            setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &one, sizeof( one ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_SOCKET_FAILED );
+        }
+
+        if( bind( bind_ctx->fd, (struct sockaddr *) &local_addr, n ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_BIND_FAILED );
+        }
+    }
+
+    if( client_ip != NULL )
+    {
+        if( client_addr.ss_family == AF_INET )
+        {
+            struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
+            *ip_len = sizeof( addr4->sin_addr.s_addr );
+
+            if( buf_size < *ip_len )
+                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
+
+            memcpy( client_ip, &addr4->sin_addr.s_addr, *ip_len );
+        }
+        else
+        {
+            struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
+            *ip_len = sizeof( addr6->sin6_addr.s6_addr );
+
+            if( buf_size < *ip_len )
+                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
+
+            memcpy( client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Set the socket blocking or non-blocking
+ */
+int mbedtls_net_set_block( mbedtls_net_context *ctx )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 0;
+    return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+#else
+    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) & ~O_NONBLOCK ) );
+#endif
+}
+
+int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 1;
+    return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+#else
+    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) | O_NONBLOCK ) );
+#endif
+}
+
+/*
+ * Check if data is available on the socket
+ */
+
+int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout )
+{
+    int ret;
+    struct timeval tv;
+
+    fd_set read_fds;
+    fd_set write_fds;
+
+    int fd = ctx->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+    /* Ensure that memory sanitizers consider read_fds and write_fds as
+     * initialized even on platforms such as Glibc/x86_64 where FD_ZERO
+     * is implemented in assembly. */
+    memset( &read_fds, 0, sizeof( read_fds ) );
+    memset( &write_fds, 0, sizeof( write_fds ) );
+#endif
+#endif
+
+    FD_ZERO( &read_fds );
+    if( rw & MBEDTLS_NET_POLL_READ )
+    {
+        rw &= ~MBEDTLS_NET_POLL_READ;
+        FD_SET( fd, &read_fds );
+    }
+
+    FD_ZERO( &write_fds );
+    if( rw & MBEDTLS_NET_POLL_WRITE )
+    {
+        rw &= ~MBEDTLS_NET_POLL_WRITE;
+        FD_SET( fd, &write_fds );
+    }
+
+    if( rw != 0 )
+        return( MBEDTLS_ERR_NET_BAD_INPUT_DATA );
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = ( timeout % 1000 ) * 1000;
+
+    do
+    {
+        ret = select( fd + 1, &read_fds, &write_fds, NULL,
+                      timeout == (uint32_t) -1 ? NULL : &tv );
+    }
+    while( IS_EINTR( ret ) );
+
+    if( ret < 0 )
+        return( MBEDTLS_ERR_NET_POLL_FAILED );
+
+    ret = 0;
+    if( FD_ISSET( fd, &read_fds ) )
+        ret |= MBEDTLS_NET_POLL_READ;
+    if( FD_ISSET( fd, &write_fds ) )
+        ret |= MBEDTLS_NET_POLL_WRITE;
+
+    return( ret );
+}
+
+/*
+ * Portable usleep helper
+ */
+void mbedtls_net_usleep( unsigned long usec )
+{
+#if defined(_WIN32)
+    Sleep( ( usec + 999 ) / 1000 );
+#else
+    struct timeval tv;
+    tv.tv_sec  = usec / 1000000;
+#if defined(__unix__) || defined(__unix) || \
+    ( defined(__APPLE__) && defined(__MACH__) )
+    tv.tv_usec = (suseconds_t) usec % 1000000;
+#else
+    tv.tv_usec = usec % 1000000;
+#endif
+    select( 0, NULL, NULL, NULL, &tv );
+#endif
+}
+
+/*
+ * Read at most 'len' characters
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) read( fd, buf, len );
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Read at most 'len' characters, blocking for at most 'timeout' ms
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf,
+                              size_t len, uint32_t timeout )
+{
+    int ret;
+    struct timeval tv;
+    fd_set read_fds;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    FD_ZERO( &read_fds );
+    FD_SET( fd, &read_fds );
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = ( timeout % 1000 ) * 1000;
+
+    ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
+
+    /* Zero fds ready means we timed out */
+    if( ret == 0 )
+        return( MBEDTLS_ERR_SSL_TIMEOUT );
+
+    if( ret < 0 )
+    {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAEINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#else
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    /* This call will not block */
+    return( mbedtls_net_recv( ctx, buf, len ) );
+}
+
+/*
+ * Write at most 'len' characters
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) write( fd, buf, len );
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+#endif
+
+        return( MBEDTLS_ERR_NET_SEND_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Gracefully close the connection
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx )
+{
+    if( ctx->fd == -1 )
+        return;
+
+    shutdown( ctx->fd, 2 );
+    close( ctx->fd );
+
+    ctx->fd = -1;
+}
+
+#endif /* MBEDTLS_NET_C */
diff --git a/ctrtool/deps/libmbedtls/src/nist_kw.c b/ctrtool/deps/libmbedtls/src/nist_kw.c
new file mode 100644
index 00000000..317a2426
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/nist_kw.c
@@ -0,0 +1,755 @@
+/*
+ *  Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
+ *  only
+ *
+ *  Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * Definition of Key Wrapping:
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
+ * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
+ *
+ * Note: RFC 3394 defines different methodology for intermediate operations for
+ * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/platform_util.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+
+#define KW_SEMIBLOCK_LENGTH    8
+#define MIN_SEMIBLOCKS_COUNT   3
+
+/* constant-time buffer comparison */
+static inline unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+    {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return( diff );
+}
+
+/*! The 64-bit default integrity check value (ICV) for KW mode. */
+static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
+/*! The 32-bit default integrity check value (ICV) for KWP mode. */
+static const  unsigned char NIST_KW_ICV2[] = {0xA6, 0x59, 0x59, 0xA6};
+
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
+#endif
+
+/*
+ * Initialize context
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_nist_kw_context ) );
+}
+
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+                            mbedtls_cipher_id_t cipher,
+                            const unsigned char *key,
+                            unsigned int keybits,
+                            const int is_wrap )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher,
+                                                   keybits,
+                                                   MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /*
+     * SP 800-38F currently defines AES cipher as the only block cipher allowed:
+     * "For KW and KWP, the underlying block cipher shall be approved, and the
+     *  block size shall be 128 bits. Currently, the AES block cipher, with key
+     *  lengths of 128, 192, or 256 bits, is the only block cipher that fits
+     *  this profile."
+     *  Currently we don't support other 128 bit block ciphers for key wrapping,
+     *  such as Camellia and Aria.
+     */
+    if( cipher != MBEDTLS_CIPHER_ID_AES )
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                                       is_wrap ? MBEDTLS_ENCRYPT :
+                                                 MBEDTLS_DECRYPT )
+                                                                   ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_nist_kw_context ) );
+}
+
+/*
+ * Helper function for Xoring the uint64_t "t" with the encrypted A.
+ * Defined in NIST SP 800-38F section 6.1
+ */
+static void calc_a_xor_t( unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t )
+{
+    size_t i = 0;
+    for( i = 0; i < sizeof( t ); i++ )
+    {
+        A[i] ^= ( t >> ( ( sizeof( t ) - 1 - i ) * 8 ) ) & 0xff;
+    }
+}
+
+/*
+ * KW-AE as defined in SP 800-38F section 6.2
+ * KWP-AE as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx,
+                          mbedtls_nist_kw_mode_t mode,
+                          const unsigned char *input, size_t in_len,
+                          unsigned char *output, size_t *out_len, size_t out_size )
+{
+    int ret = 0;
+    size_t semiblocks = 0;
+    size_t s;
+    size_t olen, padlen = 0;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+    unsigned char *A = output;
+
+    *out_len = 0;
+    /*
+     * Generate the String to work on
+     */
+    if( mode == MBEDTLS_KW_MODE_KW )
+    {
+        if( out_size < in_len + KW_SEMIBLOCK_LENGTH )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KW
+         * must be between 2 to 2^54-1 semiblocks inclusive.
+         */
+        if( in_len < 16 ||
+#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
+            in_len > 0x1FFFFFFFFFFFFF8 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        memcpy( output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH );
+        memmove( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+    }
+    else
+    {
+        if( in_len % 8 != 0 )
+        {
+            padlen = ( 8 - ( in_len % 8 ) );
+        }
+
+        if( out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KWP
+         * must be between 1 and 2^32-1 octets inclusive.
+         */
+        if( in_len < 1
+#if SIZE_MAX > 0xFFFFFFFF
+            || in_len > 0xFFFFFFFF
+#endif
+          )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        memcpy( output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2 );
+        PUT_UINT32_BE( ( in_len & 0xffffffff ), output,
+                       KW_SEMIBLOCK_LENGTH / 2 );
+
+        memcpy( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+        memset( output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen );
+    }
+    semiblocks = ( ( in_len + padlen ) / KW_SEMIBLOCK_LENGTH ) + 1;
+
+    s = 6 * ( semiblocks - 1 );
+
+    if( mode == MBEDTLS_KW_MODE_KWP
+        && in_len <= KW_SEMIBLOCK_LENGTH )
+    {
+        memcpy( inbuff, output, 16 );
+        ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                     inbuff, 16, output, &olen );
+        if( ret != 0 )
+            goto cleanup;
+    }
+    else
+    {
+        /*
+         * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
+         */
+        if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+        {
+            ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        /* Calculate intermediate values */
+        for( t = 1; t <= s; t++ )
+        {
+            memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+            memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH );
+
+            ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                         inbuff, 16, outbuff, &olen );
+            if( ret != 0 )
+                goto cleanup;
+
+            memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+            calc_a_xor_t( A, t );
+
+            memcpy( R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+            R2 += KW_SEMIBLOCK_LENGTH;
+            if( R2 >= output + ( semiblocks * KW_SEMIBLOCK_LENGTH ) )
+                R2 = output + KW_SEMIBLOCK_LENGTH;
+        }
+    }
+
+    *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+
+    if( ret != 0)
+    {
+        memset( output, 0, semiblocks * KW_SEMIBLOCK_LENGTH );
+    }
+    mbedtls_platform_zeroize( inbuff, KW_SEMIBLOCK_LENGTH * 2 );
+    mbedtls_platform_zeroize( outbuff, KW_SEMIBLOCK_LENGTH * 2 );
+
+    return( ret );
+}
+
+/*
+ * W-1 function as defined in RFC 3394 section 2.2.2
+ * This function assumes the following:
+ * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
+ * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
+ * 3. Minimal number of semiblocks is 3.
+ * 4. A is a buffer to hold the first semiblock of the input buffer.
+ */
+static int unwrap( mbedtls_nist_kw_context *ctx,
+                   const unsigned char *input, size_t semiblocks,
+                   unsigned char A[KW_SEMIBLOCK_LENGTH],
+                   unsigned char *output, size_t* out_len )
+{
+    int ret = 0;
+    const size_t s = 6 * ( semiblocks - 1 );
+    size_t olen;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+    *out_len = 0;
+
+    if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    memcpy( A, input, KW_SEMIBLOCK_LENGTH );
+    memmove( output, input + KW_SEMIBLOCK_LENGTH, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+
+    /* Calculate intermediate values */
+    for( t = s; t >= 1; t-- )
+    {
+        calc_a_xor_t( A, t );
+
+        memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+        memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH );
+
+        ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                     inbuff, 16, outbuff, &olen );
+        if( ret != 0 )
+            goto cleanup;
+
+        memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+
+        /* Set R as LSB64 of outbuff */
+        memcpy( R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+
+        if( R == output )
+            R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+        else
+            R -= KW_SEMIBLOCK_LENGTH;
+    }
+
+    *out_len = ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+    if( ret != 0)
+        memset( output, 0, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+    mbedtls_platform_zeroize( inbuff, sizeof( inbuff )  );
+    mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+
+    return( ret );
+}
+
+/*
+ * KW-AD as defined in SP 800-38F section 6.2
+ * KWP-AD as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
+                            mbedtls_nist_kw_mode_t mode,
+                            const unsigned char *input, size_t in_len,
+                            unsigned char *output, size_t *out_len, size_t out_size )
+{
+    int ret = 0;
+    size_t i, olen;
+    unsigned char A[KW_SEMIBLOCK_LENGTH];
+    unsigned char diff, bad_padding = 0;
+
+    *out_len = 0;
+    if( out_size < in_len - KW_SEMIBLOCK_LENGTH )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    if( mode == MBEDTLS_KW_MODE_KW )
+    {
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KW
+         * must be between 3 to 2^54 semiblocks inclusive.
+         */
+        if( in_len < 24 ||
+#if SIZE_MAX > 0x200000000000000
+            in_len > 0x200000000000000 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                      A, output, out_len );
+        if( ret != 0 )
+            goto cleanup;
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+            goto cleanup;
+        }
+
+    }
+    else if( mode == MBEDTLS_KW_MODE_KWP )
+    {
+        size_t padlen = 0;
+        uint32_t Plen;
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KWP
+         * must be between 2 to 2^29 semiblocks inclusive.
+         */
+        if( in_len < KW_SEMIBLOCK_LENGTH * 2 ||
+#if SIZE_MAX > 0x100000000
+            in_len > 0x100000000 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return(  MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        if( in_len == KW_SEMIBLOCK_LENGTH * 2 )
+        {
+            unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+            ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                         input, 16, outbuff, &olen );
+            if( ret != 0 )
+                goto cleanup;
+
+            memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+            memcpy( output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+            mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+            *out_len = KW_SEMIBLOCK_LENGTH;
+        }
+        else
+        {
+            /* in_len >=  KW_SEMIBLOCK_LENGTH * 3 */
+            ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                          A, output, out_len );
+            if( ret != 0 )
+                goto cleanup;
+        }
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        GET_UINT32_BE( Plen, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+        /*
+         * Plen is the length of the plaintext, when the input is valid.
+         * If Plen is larger than the plaintext and padding, padlen will be
+         * larger than 8, because of the type wrap around.
+         */
+        padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
+        if ( padlen > 7 )
+        {
+            padlen &= 7;
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        /* Check padding in "constant-time" */
+        for( diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++ )
+        {
+             if( i >= KW_SEMIBLOCK_LENGTH - padlen )
+                 diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+             else
+                 bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+        }
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        if( ret != 0 )
+        {
+            goto cleanup;
+        }
+        memset( output + Plen, 0, padlen );
+        *out_len = Plen;
+    }
+    else
+    {
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto cleanup;
+    }
+
+cleanup:
+    if( ret != 0 )
+    {
+        memset( output, 0, *out_len );
+        *out_len = 0;
+    }
+
+    mbedtls_platform_zeroize( &bad_padding, sizeof( bad_padding) );
+    mbedtls_platform_zeroize( &diff, sizeof( diff ) );
+    mbedtls_platform_zeroize( A, sizeof( A ) );
+
+    return( ret );
+}
+
+#endif /* !MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+
+#define KW_TESTS 3
+
+/*
+ * Test vectors taken from NIST
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
+ */
+static const unsigned int key_len[KW_TESTS] = { 16, 24, 32 };
+
+static const unsigned char kw_key[KW_TESTS][32] = {
+    { 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
+      0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
+    { 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
+      0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
+      0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
+    { 0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
+      0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
+      0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
+      0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
+};
+
+static const unsigned char kw_msg[KW_TESTS][40] = {
+    { 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
+      0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
+    { 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
+      0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
+      0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
+      0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
+      0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c },
+    { 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
+      0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
+      0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
+};
+
+static const size_t kw_msg_len[KW_TESTS] = { 16, 40, 24 };
+static const size_t kw_out_len[KW_TESTS] = { 24, 48, 32 };
+static const unsigned char kw_res[KW_TESTS][48] = {
+    { 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
+      0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
+      0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
+    { 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
+      0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
+      0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
+      0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
+      0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
+      0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d },
+    { 0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
+      0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
+      0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
+      0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
+};
+
+static const unsigned char kwp_key[KW_TESTS][32] = {
+    { 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
+      0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
+    { 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
+      0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
+      0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
+    { 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
+      0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
+      0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
+      0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
+};
+
+static const unsigned char kwp_msg[KW_TESTS][31] = {
+    { 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
+      0x96 },
+    { 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
+      0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
+      0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
+      0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
+    { 0xd1 }
+};
+static const size_t kwp_msg_len[KW_TESTS] = { 9, 31, 1 };
+
+static const unsigned char kwp_res[KW_TESTS][48] = {
+    { 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
+      0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
+      0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
+    { 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
+      0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
+      0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
+      0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
+      0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
+    { 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
+      0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4  }
+};
+static const size_t kwp_out_len[KW_TESTS] = { 24, 40, 16 };
+
+int mbedtls_nist_kw_self_test( int verbose )
+{
+    mbedtls_nist_kw_context ctx;
+    unsigned char out[48];
+    size_t olen;
+    int i;
+    int ret = 0;
+    mbedtls_nist_kw_init( &ctx );
+
+    for( i = 0; i < KW_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  KW-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+        ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                      kw_key[i], key_len[i] * 8, 1 );
+        if( ret != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KW: setup failed " );
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
+                                    kw_msg_len[i], out, &olen, sizeof( out ) );
+        if( ret != 0 || kw_out_len[i] != olen ||
+            memcmp( out, kw_res[i], kw_out_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                            kw_key[i], key_len[i] * 8, 0 ) )
+              != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KW: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap( &ctx, MBEDTLS_KW_MODE_KW,
+                                      out, olen, out, &olen, sizeof( out ) );
+
+        if( ret != 0 || olen != kw_msg_len[i] ||
+            memcmp( out, kw_msg[i], kw_msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto end;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( " passed\n" );
+    }
+
+    for( i = 0; i < KW_TESTS; i++ )
+    {
+        olen = sizeof( out );
+        if( verbose != 0 )
+            mbedtls_printf( "  KWP-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+        ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
+                                      key_len[i] * 8, 1 );
+        if( ret  != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KWP: setup failed " );
+
+            goto end;
+        }
+        ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
+                                    kwp_msg_len[i], out, &olen, sizeof( out ) );
+
+        if( ret != 0 || kwp_out_len[i] != olen ||
+            memcmp( out, kwp_res[i], kwp_out_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                            kwp_key[i], key_len[i] * 8, 0 ) )
+              != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KWP: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap(  &ctx, MBEDTLS_KW_MODE_KWP, out,
+                                       olen, out, &olen, sizeof( out ) );
+
+        if( ret != 0 || olen != kwp_msg_len[i] ||
+            memcmp( out, kwp_msg[i], kwp_msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( " passed\n" );
+    }
+end:
+    mbedtls_nist_kw_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_NIST_KW_C */
diff --git a/ctrtool/deps/libmbedtls/src/oid.c b/ctrtool/deps/libmbedtls/src/oid.c
new file mode 100644
index 00000000..33f437cb
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/oid.c
@@ -0,0 +1,758 @@
+/**
+ * \file oid.c
+ *
+ * \brief Object Identifier (OID) database
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_OID_C)
+
+#include "mbedtls/oid.h"
+#include "mbedtls/rsa.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "mbedtls/x509.h"
+#endif
+
+/*
+ * Macro to automatically add the size of #define'd OIDs
+ */
+#define ADD_LEN(s)      s, MBEDTLS_OID_SIZE(s)
+
+/*
+ * Macro to generate an internal function for oid_XXX_from_asn1() (used by
+ * the other functions)
+ */
+#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST )                    \
+    static const TYPE_T * oid_ ## NAME ## _from_asn1(                   \
+                                      const mbedtls_asn1_buf *oid )     \
+    {                                                                   \
+        const TYPE_T *p = (LIST);                                       \
+        const mbedtls_oid_descriptor_t *cur =                           \
+            (const mbedtls_oid_descriptor_t *) p;                       \
+        if( p == NULL || oid == NULL ) return( NULL );                  \
+        while( cur->asn1 != NULL ) {                                    \
+            if( cur->asn1_len == oid->len &&                            \
+                memcmp( cur->asn1, oid->p, oid->len ) == 0 ) {          \
+                return( p );                                            \
+            }                                                           \
+            p++;                                                        \
+            cur = (const mbedtls_oid_descriptor_t *) p;                 \
+        }                                                               \
+        return( NULL );                                                 \
+    }
+
+/*
+ * Macro to generate a function for retrieving a single attribute from the
+ * descriptor of an mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->descriptor.ATTR1;                                    \
+    return( 0 );                                                        \
+}
+
+/*
+ * Macro to generate a function for retrieving a single attribute from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->ATTR1;                                               \
+    return( 0 );                                                        \
+}
+
+/*
+ * Macro to generate a function for retrieving two attributes from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1,     \
+                         ATTR2_TYPE, ATTR2)                                 \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1,               \
+                                          ATTR2_TYPE * ATTR2 )              \
+{                                                                           \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );            \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );                 \
+    *(ATTR1) = data->ATTR1;                                                 \
+    *(ATTR2) = data->ATTR2;                                                 \
+    return( 0 );                                                            \
+}
+
+/*
+ * Macro to generate a function for retrieving the OID based on a single
+ * attribute from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1)   \
+int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen )             \
+{                                                                           \
+    const TYPE_T *cur = (LIST);                                             \
+    while( cur->descriptor.asn1 != NULL ) {                                 \
+        if( cur->ATTR1 == (ATTR1) ) {                                       \
+            *oid = cur->descriptor.asn1;                                    \
+            *olen = cur->descriptor.asn1_len;                               \
+            return( 0 );                                                    \
+        }                                                                   \
+        cur++;                                                              \
+    }                                                                       \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                    \
+}
+
+/*
+ * Macro to generate a function for retrieving the OID based on two
+ * attributes from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR2(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1,   \
+                                ATTR2_TYPE, ATTR2)                          \
+int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid ,         \
+             size_t *olen )                                                 \
+{                                                                           \
+    const TYPE_T *cur = (LIST);                                             \
+    while( cur->descriptor.asn1 != NULL ) {                                 \
+        if( cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2) ) {              \
+            *oid = cur->descriptor.asn1;                                    \
+            *olen = cur->descriptor.asn1_len;                               \
+            return( 0 );                                                    \
+        }                                                                   \
+        cur++;                                                              \
+    }                                                                       \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                   \
+}
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+/*
+ * For X520 attribute types
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    const char          *short_name;
+} oid_x520_attr_t;
+
+static const oid_x520_attr_t oid_x520_attr_type[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_CN ),          "id-at-commonName",               "Common Name" },
+        "CN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_COUNTRY ),     "id-at-countryName",              "Country" },
+        "C",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_LOCALITY ),    "id-at-locality",                 "Locality" },
+        "L",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_STATE ),       "id-at-state",                    "State" },
+        "ST",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_ORGANIZATION ),"id-at-organizationName",         "Organization" },
+        "O",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_ORG_UNIT ),    "id-at-organizationalUnitName",   "Org Unit" },
+        "OU",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS9_EMAIL ),    "emailAddress",                   "E-mail address" },
+        "emailAddress",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_SERIAL_NUMBER ),"id-at-serialNumber",            "Serial number" },
+        "serialNumber",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_POSTAL_ADDRESS ),"id-at-postalAddress",          "Postal address" },
+        "postalAddress",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_POSTAL_CODE ), "id-at-postalCode",               "Postal code" },
+        "postalCode",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_SUR_NAME ),    "id-at-surName",                  "Surname" },
+        "SN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_GIVEN_NAME ),  "id-at-givenName",                "Given name" },
+        "GN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_INITIALS ),    "id-at-initials",                 "Initials" },
+        "initials",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_GENERATION_QUALIFIER ), "id-at-generationQualifier", "Generation qualifier" },
+        "generationQualifier",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_TITLE ),       "id-at-title",                    "Title" },
+        "title",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_DN_QUALIFIER ),"id-at-dnQualifier",              "Distinguished Name qualifier" },
+        "dnQualifier",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_PSEUDONYM ),   "id-at-pseudonym",                "Pseudonym" },
+        "pseudonym",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DOMAIN_COMPONENT ), "id-domainComponent",           "Domain component" },
+        "DC",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_UNIQUE_IDENTIFIER ), "id-at-uniqueIdentifier",    "Unique Identifier" },
+        "uniqueIdentifier",
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        NULL,
+    }
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x520_attr_t, x520_attr, oid_x520_attr_type)
+FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name, oid_x520_attr_t, x520_attr, const char *, short_name)
+
+/*
+ * For X509 extensions
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    int                 ext_type;
+} oid_x509_ext_t;
+
+static const oid_x509_ext_t oid_x509_ext[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ),    "id-ce-basicConstraints",   "Basic Constraints" },
+        MBEDTLS_X509_EXT_BASIC_CONSTRAINTS,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_KEY_USAGE ),            "id-ce-keyUsage",           "Key Usage" },
+        MBEDTLS_X509_EXT_KEY_USAGE,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ),   "id-ce-extKeyUsage",        "Extended Key Usage" },
+        MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ),     "id-ce-subjectAltName",     "Subject Alt Name" },
+        MBEDTLS_X509_EXT_SUBJECT_ALT_NAME,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ),         "id-netscape-certtype",     "Netscape Certificate Type" },
+        MBEDTLS_X509_EXT_NS_CERT_TYPE,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        0,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
+FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
+
+static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
+{
+    { ADD_LEN( MBEDTLS_OID_SERVER_AUTH ),      "id-kp-serverAuth",      "TLS Web Server Authentication" },
+    { ADD_LEN( MBEDTLS_OID_CLIENT_AUTH ),      "id-kp-clientAuth",      "TLS Web Client Authentication" },
+    { ADD_LEN( MBEDTLS_OID_CODE_SIGNING ),     "id-kp-codeSigning",     "Code Signing" },
+    { ADD_LEN( MBEDTLS_OID_EMAIL_PROTECTION ), "id-kp-emailProtection", "E-mail Protection" },
+    { ADD_LEN( MBEDTLS_OID_TIME_STAMPING ),    "id-kp-timeStamping",    "Time Stamping" },
+    { ADD_LEN( MBEDTLS_OID_OCSP_SIGNING ),     "id-kp-OCSPSigning",     "OCSP Signing" },
+    { NULL, 0, NULL, NULL },
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
+FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage, mbedtls_oid_descriptor_t, ext_key_usage, const char *, description)
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+
+#if defined(MBEDTLS_MD_C)
+/*
+ * For SignatureAlgorithmIdentifier
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+    mbedtls_pk_type_t           pk_alg;
+} oid_sig_alg_t;
+
+static const oid_sig_alg_t oid_sig_alg[] =
+{
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_MD2_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD2 ),        "md2WithRSAEncryption",     "RSA with MD2" },
+        MBEDTLS_MD_MD2,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD4 ),        "md4WithRSAEncryption",     "RSA with MD4" },
+        MBEDTLS_MD_MD4,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD5 ),        "md5WithRSAEncryption",     "RSA with MD5" },
+        MBEDTLS_MD_MD5,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA1 ),       "sha-1WithRSAEncryption",   "RSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA224 ),     "sha224WithRSAEncryption",  "RSA with SHA-224" },
+        MBEDTLS_MD_SHA224,   MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA256 ),     "sha256WithRSAEncryption",  "RSA with SHA-256" },
+        MBEDTLS_MD_SHA256,   MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA384 ),     "sha384WithRSAEncryption",  "RSA with SHA-384" },
+        MBEDTLS_MD_SHA384,   MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA512 ),     "sha512WithRSAEncryption",  "RSA with SHA-512" },
+        MBEDTLS_MD_SHA512,   MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_RSA_SHA_OBS ),      "sha-1WithRSAEncryption",   "RSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA1 ),       "ecdsa-with-SHA1",      "ECDSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA224 ),     "ecdsa-with-SHA224",    "ECDSA with SHA224" },
+        MBEDTLS_MD_SHA224,   MBEDTLS_PK_ECDSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA256 ),     "ecdsa-with-SHA256",    "ECDSA with SHA256" },
+        MBEDTLS_MD_SHA256,   MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA384 ),     "ecdsa-with-SHA384",    "ECDSA with SHA384" },
+        MBEDTLS_MD_SHA384,   MBEDTLS_PK_ECDSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA512 ),     "ecdsa-with-SHA512",    "ECDSA with SHA512" },
+        MBEDTLS_MD_SHA512,   MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_RSA_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_RSASSA_PSS ),        "RSASSA-PSS",           "RSASSA-PSS" },
+        MBEDTLS_MD_NONE,     MBEDTLS_PK_RSASSA_PSS,
+    },
+#endif /* MBEDTLS_RSA_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE, MBEDTLS_PK_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
+FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc, oid_sig_alg_t, sig_alg, const char *, description)
+FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg, oid_sig_alg_t, sig_alg, mbedtls_md_type_t, md_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg, oid_sig_alg_t, oid_sig_alg, mbedtls_pk_type_t, pk_alg, mbedtls_md_type_t, md_alg)
+#endif /* MBEDTLS_MD_C */
+
+/*
+ * For PublicKeyInfo (PKCS1, RFC 5480)
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_pk_type_t           pk_alg;
+} oid_pk_alg_t;
+
+static const oid_pk_alg_t oid_pk_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_RSA ),      "rsaEncryption",   "RSA" },
+        MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_ALG_UNRESTRICTED ),  "id-ecPublicKey",   "Generic EC key" },
+        MBEDTLS_PK_ECKEY,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_ALG_ECDH ),          "id-ecDH",          "EC key for ECDH" },
+        MBEDTLS_PK_ECKEY_DH,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_PK_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pk_alg_t, pk_alg, oid_pk_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_pk_alg, oid_pk_alg_t, pk_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg, oid_pk_alg_t, oid_pk_alg, mbedtls_pk_type_t, pk_alg)
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * For namedCurve (RFC 5480)
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_ecp_group_id        grp_id;
+} oid_ecp_grp_t;
+
+static const oid_ecp_grp_t oid_ecp_grp[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP192R1 ), "secp192r1",    "secp192r1" },
+        MBEDTLS_ECP_DP_SECP192R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP224R1 ), "secp224r1",    "secp224r1" },
+        MBEDTLS_ECP_DP_SECP224R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP256R1 ), "secp256r1",    "secp256r1" },
+        MBEDTLS_ECP_DP_SECP256R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP384R1 ), "secp384r1",    "secp384r1" },
+        MBEDTLS_ECP_DP_SECP384R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP521R1 ), "secp521r1",    "secp521r1" },
+        MBEDTLS_ECP_DP_SECP521R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP192K1 ), "secp192k1",    "secp192k1" },
+        MBEDTLS_ECP_DP_SECP192K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP224K1 ), "secp224k1",    "secp224k1" },
+        MBEDTLS_ECP_DP_SECP224K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP256K1 ), "secp256k1",    "secp256k1" },
+        MBEDTLS_ECP_DP_SECP256K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP256R1 ),   "brainpoolP256r1","brainpool256r1" },
+        MBEDTLS_ECP_DP_BP256R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP384R1 ),   "brainpoolP384r1","brainpool384r1" },
+        MBEDTLS_ECP_DP_BP384R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP512R1 ),   "brainpoolP512r1","brainpool512r1" },
+        MBEDTLS_ECP_DP_BP512R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_ECP_DP_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_t, grp_id, oid_ecp_grp)
+FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp, oid_ecp_grp_t, grp_id, mbedtls_ecp_group_id, grp_id)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp, oid_ecp_grp_t, oid_ecp_grp, mbedtls_ecp_group_id, grp_id)
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_CIPHER_C)
+/*
+ * For PKCS#5 PBES2 encryption algorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_cipher_type_t       cipher_alg;
+} oid_cipher_alg_t;
+
+static const oid_cipher_alg_t oid_cipher_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_DES_CBC ),              "desCBC",       "DES-CBC" },
+        MBEDTLS_CIPHER_DES_CBC,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DES_EDE3_CBC ),         "des-ede3-cbc", "DES-EDE3-CBC" },
+        MBEDTLS_CIPHER_DES_EDE3_CBC,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_CIPHER_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg, oid_cipher_alg_t, cipher_alg, mbedtls_cipher_type_t, cipher_alg)
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_MD_C)
+/*
+ * For digestAlgorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+} oid_md_alg_t;
+
+static const oid_md_alg_t oid_md_alg[] =
+{
+#if defined(MBEDTLS_MD2_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD2 ),       "id-md2",       "MD2" },
+        MBEDTLS_MD_MD2,
+    },
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD4 ),       "id-md4",       "MD4" },
+        MBEDTLS_MD_MD4,
+    },
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD5 ),       "id-md5",       "MD5" },
+        MBEDTLS_MD_MD5,
+    },
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA1 ),      "id-sha1",      "SHA-1" },
+        MBEDTLS_MD_SHA1,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA224 ),    "id-sha224",    "SHA-224" },
+        MBEDTLS_MD_SHA224,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA256 ),    "id-sha256",    "SHA-256" },
+        MBEDTLS_MD_SHA256,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA384 ),    "id-sha384",    "SHA-384" },
+        MBEDTLS_MD_SHA384,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA512 ),    "id-sha512",    "SHA-512" },
+        MBEDTLS_MD_SHA512,
+    },
+#endif /* MBEDTLS_SHA512_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md, oid_md_alg_t, oid_md_alg, mbedtls_md_type_t, md_alg)
+
+/*
+ * For HMAC digestAlgorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_hmac;
+} oid_md_hmac_t;
+
+static const oid_md_hmac_t oid_md_hmac[] =
+{
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA1 ),      "hmacSHA1",      "HMAC-SHA-1" },
+        MBEDTLS_MD_SHA1,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA224 ),    "hmacSHA224",    "HMAC-SHA-224" },
+        MBEDTLS_MD_SHA224,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA256 ),    "hmacSHA256",    "HMAC-SHA-256" },
+        MBEDTLS_MD_SHA256,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA384 ),    "hmacSHA384",    "HMAC-SHA-384" },
+        MBEDTLS_MD_SHA384,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA512 ),    "hmacSHA512",    "HMAC-SHA-512" },
+        MBEDTLS_MD_SHA512,
+    },
+#endif /* MBEDTLS_SHA512_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+/*
+ * For PKCS#12 PBEs
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+    mbedtls_cipher_type_t       cipher_alg;
+} oid_pkcs12_pbe_alg_t;
+
+static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC ), "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" },
+        MBEDTLS_MD_SHA1,      MBEDTLS_CIPHER_DES_EDE3_CBC,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC ), "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" },
+        MBEDTLS_MD_SHA1,      MBEDTLS_CIPHER_DES_EDE_CBC,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE, MBEDTLS_CIPHER_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg)
+FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, mbedtls_md_type_t, md_alg, mbedtls_cipher_type_t, cipher_alg)
+#endif /* MBEDTLS_PKCS12_C */
+
+#define OID_SAFE_SNPRINTF                               \
+    do {                                                \
+        if( ret < 0 || (size_t) ret >= n )              \
+            return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );    \
+                                                        \
+        n -= (size_t) ret;                              \
+        p += (size_t) ret;                              \
+    } while( 0 )
+
+/* Return the x.y.z.... style numeric string for the given OID */
+int mbedtls_oid_get_numeric_string( char *buf, size_t size,
+                            const mbedtls_asn1_buf *oid )
+{
+    int ret;
+    size_t i, n;
+    unsigned int value;
+    char *p;
+
+    p = buf;
+    n = size;
+
+    /* First byte contains first two dots */
+    if( oid->len > 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%d.%d", oid->p[0] / 40, oid->p[0] % 40 );
+        OID_SAFE_SNPRINTF;
+    }
+
+    value = 0;
+    for( i = 1; i < oid->len; i++ )
+    {
+        /* Prevent overflow in value. */
+        if( ( ( value << 7 ) >> 7 ) != value )
+            return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );
+
+        value <<= 7;
+        value += oid->p[i] & 0x7F;
+
+        if( !( oid->p[i] & 0x80 ) )
+        {
+            /* Last byte */
+            ret = mbedtls_snprintf( p, n, ".%d", value );
+            OID_SAFE_SNPRINTF;
+            value = 0;
+        }
+    }
+
+    return( (int) ( size - n ) );
+}
+
+#endif /* MBEDTLS_OID_C */
diff --git a/ctrtool/deps/libmbedtls/src/padlock.c b/ctrtool/deps/libmbedtls/src/padlock.c
new file mode 100644
index 00000000..b85ff9cd
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/padlock.c
@@ -0,0 +1,170 @@
+/*
+ *  VIA PadLock support functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  This implementation is based on the VIA PadLock Programming Guide:
+ *
+ *  http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
+ *  programming_guide.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C)
+
+#include "mbedtls/padlock.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86)
+
+/*
+ * PadLock detection routine
+ */
+int mbedtls_padlock_has_support( int feature )
+{
+    static int flags = -1;
+    int ebx = 0, edx = 0;
+
+    if( flags == -1 )
+    {
+        asm( "movl  %%ebx, %0           \n\t"
+             "movl  $0xC0000000, %%eax  \n\t"
+             "cpuid                     \n\t"
+             "cmpl  $0xC0000001, %%eax  \n\t"
+             "movl  $0, %%edx           \n\t"
+             "jb    unsupported         \n\t"
+             "movl  $0xC0000001, %%eax  \n\t"
+             "cpuid                     \n\t"
+             "unsupported:              \n\t"
+             "movl  %%edx, %1           \n\t"
+             "movl  %2, %%ebx           \n\t"
+             : "=m" (ebx), "=m" (edx)
+             :  "m" (ebx)
+             : "eax", "ecx", "edx" );
+
+        flags = edx;
+    }
+
+    return( flags & feature );
+}
+
+/*
+ * PadLock AES-ECB block en(de)cryption
+ */
+int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
+                       int mode,
+                       const unsigned char input[16],
+                       unsigned char output[16] )
+{
+    int ebx = 0;
+    uint32_t *rk;
+    uint32_t *blk;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    rk  = ctx->rk;
+    blk = MBEDTLS_PADLOCK_ALIGN16( buf );
+    memcpy( blk, input, 16 );
+
+     ctrl = blk + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode^1 ) - 10 ) << 9 );
+
+    asm( "pushfl                        \n\t"
+         "popfl                         \n\t"
+         "movl    %%ebx, %0             \n\t"
+         "movl    $1, %%ecx             \n\t"
+         "movl    %2, %%edx             \n\t"
+         "movl    %3, %%ebx             \n\t"
+         "movl    %4, %%esi             \n\t"
+         "movl    %4, %%edi             \n\t"
+         ".byte  0xf3,0x0f,0xa7,0xc8    \n\t"
+         "movl    %1, %%ebx             \n\t"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
+         : "memory", "ecx", "edx", "esi", "edi" );
+
+    memcpy( output, blk, 16 );
+
+    return( 0 );
+}
+
+/*
+ * PadLock AES-CBC buffer en(de)cryption
+ */
+int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int ebx = 0;
+    size_t count;
+    uint32_t *rk;
+    uint32_t *iw;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    if( ( (long) input  & 15 ) != 0 ||
+        ( (long) output & 15 ) != 0 )
+        return( MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED );
+
+    rk = ctx->rk;
+    iw = MBEDTLS_PADLOCK_ALIGN16( buf );
+    memcpy( iw, iv, 16 );
+
+     ctrl = iw + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode ^ 1 ) - 10 ) << 9 );
+
+    count = ( length + 15 ) >> 4;
+
+    asm( "pushfl                        \n\t"
+         "popfl                         \n\t"
+         "movl    %%ebx, %0             \n\t"
+         "movl    %2, %%ecx             \n\t"
+         "movl    %3, %%edx             \n\t"
+         "movl    %4, %%ebx             \n\t"
+         "movl    %5, %%esi             \n\t"
+         "movl    %6, %%edi             \n\t"
+         "movl    %7, %%eax             \n\t"
+         ".byte  0xf3,0x0f,0xa7,0xd0    \n\t"
+         "movl    %1, %%ebx             \n\t"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (count), "m" (ctrl),
+            "m"  (rk), "m" (input), "m" (output), "m" (iw)
+         : "memory", "eax", "ecx", "edx", "esi", "edi" );
+
+    memcpy( iv, iw, 16 );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVE_X86 */
+
+#endif /* MBEDTLS_PADLOCK_C */
diff --git a/ctrtool/deps/libmbedtls/src/pem.c b/ctrtool/deps/libmbedtls/src/pem.c
new file mode 100644
index 00000000..897c8a0d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pem.c
@@ -0,0 +1,490 @@
+/*
+ *  Privacy Enhanced Mail (PEM) decoding
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+
+#include "mbedtls/pem.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/des.h"
+#include "mbedtls/aes.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+void mbedtls_pem_init( mbedtls_pem_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_pem_context ) );
+}
+
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+/*
+ * Read a 16-byte hex string and convert it to binary
+ */
+static int pem_get_iv( const unsigned char *s, unsigned char *iv,
+                       size_t iv_len )
+{
+    size_t i, j, k;
+
+    memset( iv, 0, iv_len );
+
+    for( i = 0; i < iv_len * 2; i++, s++ )
+    {
+        if( *s >= '0' && *s <= '9' ) j = *s - '0'; else
+        if( *s >= 'A' && *s <= 'F' ) j = *s - '7'; else
+        if( *s >= 'a' && *s <= 'f' ) j = *s - 'W'; else
+            return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+        k = ( ( i & 1 ) != 0 ) ? j : j << 4;
+
+        iv[i >> 1] = (unsigned char)( iv[i >> 1] | k );
+    }
+
+    return( 0 );
+}
+
+static int pem_pbkdf1( unsigned char *key, size_t keylen,
+                       unsigned char *iv,
+                       const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_md5_context md5_ctx;
+    unsigned char md5sum[16];
+    size_t use_len;
+    int ret;
+
+    mbedtls_md5_init( &md5_ctx );
+
+    /*
+     * key[ 0..15] = MD5(pwd || IV)
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv,  8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 )
+        goto exit;
+
+    if( keylen <= 16 )
+    {
+        memcpy( key, md5sum, keylen );
+        goto exit;
+    }
+
+    memcpy( key, md5sum, 16 );
+
+    /*
+     * key[16..23] = MD5(key[ 0..15] || pwd || IV])
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, md5sum, 16 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv, 8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 )
+        goto exit;
+
+    use_len = 16;
+    if( keylen < 32 )
+        use_len = keylen - 16;
+
+    memcpy( key + 16, md5sum, use_len );
+
+exit:
+    mbedtls_md5_free( &md5_ctx );
+    mbedtls_platform_zeroize( md5sum, 16 );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_DES_C)
+/*
+ * Decrypt with DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des_decrypt( unsigned char des_iv[8],
+                            unsigned char *buf, size_t buflen,
+                            const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_des_context des_ctx;
+    unsigned char des_key[8];
+    int ret;
+
+    mbedtls_des_init( &des_ctx );
+
+    if( ( ret = pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 )
+        goto exit;
+    ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
+                     des_iv, buf, buf );
+
+exit:
+    mbedtls_des_free( &des_ctx );
+    mbedtls_platform_zeroize( des_key, 8 );
+
+    return( ret );
+}
+
+/*
+ * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des3_decrypt( unsigned char des3_iv[8],
+                             unsigned char *buf, size_t buflen,
+                             const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_des3_context des3_ctx;
+    unsigned char des3_key[24];
+    int ret;
+
+    mbedtls_des3_init( &des3_ctx );
+
+    if( ( ret = pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_des3_set3key_dec( &des3_ctx, des3_key ) ) != 0 )
+        goto exit;
+    ret = mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
+                     des3_iv, buf, buf );
+
+exit:
+    mbedtls_des3_free( &des3_ctx );
+    mbedtls_platform_zeroize( des3_key, 24 );
+
+    return( ret );
+}
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
+ */
+static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
+                            unsigned char *buf, size_t buflen,
+                            const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_aes_context aes_ctx;
+    unsigned char aes_key[32];
+    int ret;
+
+    mbedtls_aes_init( &aes_ctx );
+
+    if( ( ret = pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ) ) != 0 )
+        goto exit;
+    ret = mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
+                     aes_iv, buf, buf );
+
+exit:
+    mbedtls_aes_free( &aes_ctx );
+    mbedtls_platform_zeroize( aes_key, keylen );
+
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer,
+                     const unsigned char *data, const unsigned char *pwd,
+                     size_t pwdlen, size_t *use_len )
+{
+    int ret, enc;
+    size_t len;
+    unsigned char *buf;
+    const unsigned char *s1, *s2, *end;
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+    unsigned char pem_iv[16];
+    mbedtls_cipher_type_t enc_alg = MBEDTLS_CIPHER_NONE;
+#else
+    ((void) pwd);
+    ((void) pwdlen);
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+    if( ctx == NULL )
+        return( MBEDTLS_ERR_PEM_BAD_INPUT_DATA );
+
+    s1 = (unsigned char *) strstr( (const char *) data, header );
+
+    if( s1 == NULL )
+        return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    s2 = (unsigned char *) strstr( (const char *) data, footer );
+
+    if( s2 == NULL || s2 <= s1 )
+        return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    s1 += strlen( header );
+    if( *s1 == ' '  ) s1++;
+    if( *s1 == '\r' ) s1++;
+    if( *s1 == '\n' ) s1++;
+    else return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    end = s2;
+    end += strlen( footer );
+    if( *end == ' '  ) end++;
+    if( *end == '\r' ) end++;
+    if( *end == '\n' ) end++;
+    *use_len = end - data;
+
+    enc = 0;
+
+    if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+    {
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+        enc++;
+
+        s1 += 22;
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( MBEDTLS_ERR_PEM_INVALID_DATA );
+
+
+#if defined(MBEDTLS_DES_C)
+        if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+        {
+            enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
+
+            s1 += 23;
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+        else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+        {
+            enc_alg = MBEDTLS_CIPHER_DES_CBC;
+
+            s1 += 18;
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+        if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+        {
+            if( s2 - s1 < 22 )
+                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+            else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-256-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_256_CBC;
+            else
+                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+
+            s1 += 22;
+            if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 32;
+        }
+#endif /* MBEDTLS_AES_C */
+
+        if( enc_alg == MBEDTLS_CIPHER_NONE )
+            return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( MBEDTLS_ERR_PEM_INVALID_DATA );
+#else
+        return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+    }
+
+    if( s1 >= s2 )
+        return( MBEDTLS_ERR_PEM_INVALID_DATA );
+
+    ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 );
+
+    if( ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER )
+        return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+
+    if( ( buf = mbedtls_calloc( 1, len ) ) == NULL )
+        return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
+
+    if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 )
+    {
+        mbedtls_platform_zeroize( buf, len );
+        mbedtls_free( buf );
+        return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+    }
+
+    if( enc != 0 )
+    {
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+        if( pwd == NULL )
+        {
+            mbedtls_platform_zeroize( buf, len );
+            mbedtls_free( buf );
+            return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED );
+        }
+
+        ret = 0;
+
+#if defined(MBEDTLS_DES_C)
+        if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC )
+            ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_DES_CBC )
+            ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+        if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC )
+            ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC )
+            ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC )
+            ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
+#endif /* MBEDTLS_AES_C */
+
+        if( ret != 0 )
+        {
+            mbedtls_free( buf );
+            return( ret );
+        }
+
+        /*
+         * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
+         * length bytes (allow 4 to be sure) in all known use cases.
+         *
+         * Use that as a heuristic to try to detect password mismatches.
+         */
+        if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 )
+        {
+            mbedtls_platform_zeroize( buf, len );
+            mbedtls_free( buf );
+            return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH );
+        }
+#else
+        mbedtls_platform_zeroize( buf, len );
+        mbedtls_free( buf );
+        return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+    }
+
+    ctx->buf = buf;
+    ctx->buflen = len;
+
+    return( 0 );
+}
+
+void mbedtls_pem_free( mbedtls_pem_context *ctx )
+{
+    if ( ctx->buf != NULL )
+    {
+        mbedtls_platform_zeroize( ctx->buf, ctx->buflen );
+        mbedtls_free( ctx->buf );
+    }
+    mbedtls_free( ctx->info );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pem_context ) );
+}
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_pem_write_buffer( const char *header, const char *footer,
+                      const unsigned char *der_data, size_t der_len,
+                      unsigned char *buf, size_t buf_len, size_t *olen )
+{
+    int ret;
+    unsigned char *encode_buf = NULL, *c, *p = buf;
+    size_t len = 0, use_len, add_len = 0;
+
+    mbedtls_base64_encode( NULL, 0, &use_len, der_data, der_len );
+    add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
+
+    if( use_len + add_len > buf_len )
+    {
+        *olen = use_len + add_len;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+    if( use_len != 0 &&
+        ( ( encode_buf = mbedtls_calloc( 1, use_len ) ) == NULL ) )
+        return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
+
+    if( ( ret = mbedtls_base64_encode( encode_buf, use_len, &use_len, der_data,
+                               der_len ) ) != 0 )
+    {
+        mbedtls_free( encode_buf );
+        return( ret );
+    }
+
+    memcpy( p, header, strlen( header ) );
+    p += strlen( header );
+    c = encode_buf;
+
+    while( use_len )
+    {
+        len = ( use_len > 64 ) ? 64 : use_len;
+        memcpy( p, c, len );
+        use_len -= len;
+        p += len;
+        c += len;
+        *p++ = '\n';
+    }
+
+    memcpy( p, footer, strlen( footer ) );
+    p += strlen( footer );
+
+    *p++ = '\0';
+    *olen = p - buf;
+
+    mbedtls_free( encode_buf );
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
diff --git a/ctrtool/deps/libmbedtls/src/pk.c b/ctrtool/deps/libmbedtls/src/pk.c
new file mode 100644
index 00000000..bac685dc
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pk.c
@@ -0,0 +1,546 @@
+/*
+ *  Public Key abstraction layer
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#include "mbedtls/pk_internal.h"
+
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * Initialise a mbedtls_pk_context
+ */
+void mbedtls_pk_init( mbedtls_pk_context *ctx )
+{
+    PK_VALIDATE( ctx != NULL );
+
+    ctx->pk_info = NULL;
+    ctx->pk_ctx = NULL;
+}
+
+/*
+ * Free (the components of) a mbedtls_pk_context
+ */
+void mbedtls_pk_free( mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    if ( ctx->pk_info != NULL )
+        ctx->pk_info->ctx_free_func( ctx->pk_ctx );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pk_context ) );
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx )
+{
+    PK_VALIDATE( ctx != NULL );
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL ||
+        ctx->pk_info->rs_free_func == NULL )
+    {
+        return;
+    }
+
+    ctx->pk_info->rs_free_func( ctx->rs_ctx );
+
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Get pk_info structure from type
+ */
+const mbedtls_pk_info_t * mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type )
+{
+    switch( pk_type ) {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_PK_RSA:
+            return( &mbedtls_rsa_info );
+#endif
+#if defined(MBEDTLS_ECP_C)
+        case MBEDTLS_PK_ECKEY:
+            return( &mbedtls_eckey_info );
+        case MBEDTLS_PK_ECKEY_DH:
+            return( &mbedtls_eckeydh_info );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_PK_ECDSA:
+            return( &mbedtls_ecdsa_info );
+#endif
+        /* MBEDTLS_PK_RSA_ALT omitted on purpose */
+        default:
+            return( NULL );
+    }
+}
+
+/*
+ * Initialise context
+ */
+int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    if( info == NULL || ctx->pk_info != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Initialize an RSA-alt context
+ */
+int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
+                         mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+                         mbedtls_pk_rsa_alt_sign_func sign_func,
+                         mbedtls_pk_rsa_alt_key_len_func key_len_func )
+{
+    mbedtls_rsa_alt_context *rsa_alt;
+    const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
+
+    PK_VALIDATE_RET( ctx != NULL );
+    if( ctx->pk_info != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
+
+    rsa_alt->key = key;
+    rsa_alt->decrypt_func = decrypt_func;
+    rsa_alt->sign_func = sign_func;
+    rsa_alt->key_len_func = key_len_func;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/*
+ * Tell if a PK can do the operations of the given type
+ */
+int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type )
+{
+    /* A context with null pk_info is not set up yet and can't do anything.
+     * For backward compatibility, also accept NULL instead of a context
+     * pointer. */
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( 0 );
+
+    return( ctx->pk_info->can_do( type ) );
+}
+
+/*
+ * Helper for mbedtls_pk_sign and mbedtls_pk_verify
+ */
+static inline int pk_hashlen_helper( mbedtls_md_type_t md_alg, size_t *hash_len )
+{
+    const mbedtls_md_info_t *md_info;
+
+    if( *hash_len != 0 )
+        return( 0 );
+
+    if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+        return( -1 );
+
+    *hash_len = mbedtls_md_get_size( md_info );
+    return( 0 );
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Helper to set up a restart context if needed
+ */
+static int pk_restart_setup( mbedtls_pk_restart_ctx *ctx,
+                             const mbedtls_pk_info_t *info )
+{
+    /* Don't do anything if already set up or invalid */
+    if( ctx == NULL || ctx->pk_info != NULL )
+        return( 0 );
+
+    /* Should never happen when we're called */
+    if( info->rs_alloc_func == NULL || info->rs_free_func == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->rs_ctx = info->rs_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Verify a signature (restartable)
+ */
+int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
+               mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len,
+               mbedtls_pk_restart_ctx *rs_ctx )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL ||
+        pk_hashlen_helper( md_alg, &hash_len ) != 0 )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if( rs_ctx != NULL &&
+        mbedtls_ecp_restart_is_enabled() &&
+        ctx->pk_info->verify_rs_func != NULL )
+    {
+        int ret;
+
+        if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
+            return( ret );
+
+        ret = ctx->pk_info->verify_rs_func( ctx->pk_ctx,
+                   md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx );
+
+        if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+            mbedtls_pk_restart_free( rs_ctx );
+
+        return( ret );
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    if( ctx->pk_info->verify_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg, hash, hash_len,
+                                       sig, sig_len ) );
+}
+
+/*
+ * Verify a signature
+ */
+int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len )
+{
+    return( mbedtls_pk_verify_restartable( ctx, md_alg, hash, hash_len,
+                                           sig, sig_len, NULL ) );
+}
+
+/*
+ * Verify a signature with options
+ */
+int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
+                   mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ! mbedtls_pk_can_do( ctx, type ) )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    if( type == MBEDTLS_PK_RSASSA_PSS )
+    {
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
+        int ret;
+        const mbedtls_pk_rsassa_pss_options *pss_opts;
+
+#if SIZE_MAX > UINT_MAX
+        if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+        if( options == NULL )
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+        pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
+
+        if( sig_len < mbedtls_pk_get_len( ctx ) )
+            return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+
+        ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ),
+                NULL, NULL, MBEDTLS_RSA_PUBLIC,
+                md_alg, (unsigned int) hash_len, hash,
+                pss_opts->mgf1_hash_id,
+                pss_opts->expected_salt_len,
+                sig );
+        if( ret != 0 )
+            return( ret );
+
+        if( sig_len > mbedtls_pk_get_len( ctx ) )
+            return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+        return( 0 );
+#else
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
+    }
+
+    /* General case: no options */
+    if( options != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    return( mbedtls_pk_verify( ctx, md_alg, hash, hash_len, sig, sig_len ) );
+}
+
+/*
+ * Make a signature (restartable)
+ */
+int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
+             mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_pk_restart_ctx *rs_ctx )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL ||
+        pk_hashlen_helper( md_alg, &hash_len ) != 0 )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if( rs_ctx != NULL &&
+        mbedtls_ecp_restart_is_enabled() &&
+        ctx->pk_info->sign_rs_func != NULL )
+    {
+        int ret;
+
+        if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
+            return( ret );
+
+        ret = ctx->pk_info->sign_rs_func( ctx->pk_ctx, md_alg,
+                hash, hash_len, sig, sig_len, f_rng, p_rng, rs_ctx->rs_ctx );
+
+        if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+            mbedtls_pk_restart_free( rs_ctx );
+
+        return( ret );
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    if( ctx->pk_info->sign_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->sign_func( ctx->pk_ctx, md_alg, hash, hash_len,
+                                     sig, sig_len, f_rng, p_rng ) );
+}
+
+/*
+ * Make a signature
+ */
+int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    return( mbedtls_pk_sign_restartable( ctx, md_alg, hash, hash_len,
+                                         sig, sig_len, f_rng, p_rng, NULL ) );
+}
+
+/*
+ * Decrypt message
+ */
+int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( input != NULL || ilen == 0 );
+    PK_VALIDATE_RET( output != NULL || osize == 0 );
+    PK_VALIDATE_RET( olen != NULL );
+
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->decrypt_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->decrypt_func( ctx->pk_ctx, input, ilen,
+                output, olen, osize, f_rng, p_rng ) );
+}
+
+/*
+ * Encrypt message
+ */
+int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( input != NULL || ilen == 0 );
+    PK_VALIDATE_RET( output != NULL || osize == 0 );
+    PK_VALIDATE_RET( olen != NULL );
+
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->encrypt_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->encrypt_func( ctx->pk_ctx, input, ilen,
+                output, olen, osize, f_rng, p_rng ) );
+}
+
+/*
+ * Check public-private key pair
+ */
+int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv )
+{
+    PK_VALIDATE_RET( pub != NULL );
+    PK_VALIDATE_RET( prv != NULL );
+
+    if( pub->pk_info == NULL ||
+        prv->pk_info == NULL ||
+        prv->pk_info->check_pair_func == NULL )
+    {
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+    }
+
+    if( prv->pk_info->type == MBEDTLS_PK_RSA_ALT )
+    {
+        if( pub->pk_info->type != MBEDTLS_PK_RSA )
+            return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+    }
+    else
+    {
+        if( pub->pk_info != prv->pk_info )
+            return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+    }
+
+    return( prv->pk_info->check_pair_func( pub->pk_ctx, prv->pk_ctx ) );
+}
+
+/*
+ * Get key size in bits
+ */
+size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx )
+{
+    /* For backward compatibility, accept NULL or a context that
+     * isn't set up yet, and return a fake value that should be safe. */
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( 0 );
+
+    return( ctx->pk_info->get_bitlen( ctx->pk_ctx ) );
+}
+
+/*
+ * Export debug information
+ */
+int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->debug_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    ctx->pk_info->debug_func( ctx->pk_ctx, items );
+    return( 0 );
+}
+
+/*
+ * Access the PK type name
+ */
+const char *mbedtls_pk_get_name( const mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( "invalid PK" );
+
+    return( ctx->pk_info->name );
+}
+
+/*
+ * Access the PK type
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( MBEDTLS_PK_NONE );
+
+    return( ctx->pk_info->type );
+}
+
+#endif /* MBEDTLS_PK_C */
diff --git a/ctrtool/deps/libmbedtls/src/pk_wrap.c b/ctrtool/deps/libmbedtls/src/pk_wrap.c
new file mode 100644
index 00000000..87806be3
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pk_wrap.c
@@ -0,0 +1,719 @@
+/*
+ *  Public Key abstraction layer: wrapper functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk_internal.h"
+
+/* Even if RSA not activated, for the sake of RSA-alt */
+#include "mbedtls/rsa.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+#include "mbedtls/platform_util.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_RSA ||
+            type == MBEDTLS_PK_RSASSA_PSS );
+}
+
+static size_t rsa_get_bitlen( const void *ctx )
+{
+    const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
+    return( 8 * mbedtls_rsa_get_len( rsa ) );
+}
+
+static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+    size_t rsa_len = mbedtls_rsa_get_len( rsa );
+
+#if SIZE_MAX > UINT_MAX
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    if( sig_len < rsa_len )
+        return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+
+    if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
+                                  MBEDTLS_RSA_PUBLIC, md_alg,
+                                  (unsigned int) hash_len, hash, sig ) ) != 0 )
+        return( ret );
+
+    /* The buffer contains a valid signature followed by extra data.
+     * We have a special error code for that so that so that callers can
+     * use mbedtls_pk_verify() to check "Does the buffer start with a
+     * valid signature?" and not just "Does the buffer contain a valid
+     * signature?". */
+    if( sig_len > rsa_len )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( 0 );
+}
+
+static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+
+#if SIZE_MAX > UINT_MAX
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    *sig_len = mbedtls_rsa_get_len( rsa );
+
+    return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
+                md_alg, (unsigned int) hash_len, hash, sig ) );
+}
+
+static int rsa_decrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+
+    if( ilen != mbedtls_rsa_get_len( rsa ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
+                MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
+}
+
+static int rsa_encrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+    *olen = mbedtls_rsa_get_len( rsa );
+
+    if( *olen > osize )
+        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+
+    return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
+                                       ilen, input, output ) );
+}
+
+static int rsa_check_pair_wrap( const void *pub, const void *prv )
+{
+    return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
+                                (const mbedtls_rsa_context *) prv ) );
+}
+
+static void *rsa_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
+
+    if( ctx != NULL )
+        mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 );
+
+    return( ctx );
+}
+
+static void rsa_free_wrap( void *ctx )
+{
+    mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
+{
+    items->type = MBEDTLS_PK_DEBUG_MPI;
+    items->name = "rsa.N";
+    items->value = &( ((mbedtls_rsa_context *) ctx)->N );
+
+    items++;
+
+    items->type = MBEDTLS_PK_DEBUG_MPI;
+    items->name = "rsa.E";
+    items->value = &( ((mbedtls_rsa_context *) ctx)->E );
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_info = {
+    MBEDTLS_PK_RSA,
+    "RSA",
+    rsa_get_bitlen,
+    rsa_can_do,
+    rsa_verify_wrap,
+    rsa_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    rsa_decrypt_wrap,
+    rsa_encrypt_wrap,
+    rsa_check_pair_wrap,
+    rsa_alloc_wrap,
+    rsa_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    rsa_debug,
+};
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Generic EC key
+ */
+static int eckey_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECKEY ||
+            type == MBEDTLS_PK_ECKEY_DH ||
+            type == MBEDTLS_PK_ECDSA );
+}
+
+static size_t eckey_get_bitlen( const void *ctx )
+{
+    return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
+}
+
+#if defined(MBEDTLS_ECDSA_C)
+/* Forward declarations */
+static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len );
+
+static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    mbedtls_ecdsa_context ecdsa;
+
+    mbedtls_ecdsa_init( &ecdsa );
+
+    if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
+        ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
+
+    mbedtls_ecdsa_free( &ecdsa );
+
+    return( ret );
+}
+
+static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_ecdsa_context ecdsa;
+
+    mbedtls_ecdsa_init( &ecdsa );
+
+    if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
+        ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
+                               f_rng, p_rng );
+
+    mbedtls_ecdsa_free( &ecdsa );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/* Forward declarations */
+static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx );
+
+static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                   void *rs_ctx );
+
+/*
+ * Restart context for ECDSA operations with ECKEY context
+ *
+ * We need to store an actual ECDSA context, as we need to pass the same to
+ * the underlying ecdsa function, so we can't create it on the fly every time.
+ */
+typedef struct
+{
+    mbedtls_ecdsa_restart_ctx ecdsa_rs;
+    mbedtls_ecdsa_context ecdsa_ctx;
+} eckey_restart_ctx;
+
+static void *eckey_rs_alloc( void )
+{
+    eckey_restart_ctx *rs_ctx;
+
+    void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) );
+
+    if( ctx != NULL )
+    {
+        rs_ctx = ctx;
+        mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs );
+        mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx );
+    }
+
+    return( ctx );
+}
+
+static void eckey_rs_free( void *ctx )
+{
+    eckey_restart_ctx *rs_ctx;
+
+    if( ctx == NULL)
+        return;
+
+    rs_ctx = ctx;
+    mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs );
+    mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx );
+
+    mbedtls_free( ctx );
+}
+
+static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx )
+{
+    int ret;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if( rs == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if( rs->ecdsa_ctx.grp.pbits == 0 )
+        MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
+
+    MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx,
+                                           md_alg, hash, hash_len,
+                                           sig, sig_len, &rs->ecdsa_rs ) );
+
+cleanup:
+    return( ret );
+}
+
+static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                       void *rs_ctx )
+{
+    int ret;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if( rs == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if( rs->ecdsa_ctx.grp.pbits == 0 )
+        MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
+
+    MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg,
+                                         hash, hash_len, sig, sig_len,
+                                         f_rng, p_rng, &rs->ecdsa_rs ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDSA_C */
+
+static int eckey_check_pair( const void *pub, const void *prv )
+{
+    return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
+                                (const mbedtls_ecp_keypair *) prv ) );
+}
+
+static void *eckey_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
+
+    if( ctx != NULL )
+        mbedtls_ecp_keypair_init( ctx );
+
+    return( ctx );
+}
+
+static void eckey_free_wrap( void *ctx )
+{
+    mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
+{
+    items->type = MBEDTLS_PK_DEBUG_ECP;
+    items->name = "eckey.Q";
+    items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
+}
+
+const mbedtls_pk_info_t mbedtls_eckey_info = {
+    MBEDTLS_PK_ECKEY,
+    "EC",
+    eckey_get_bitlen,
+    eckey_can_do,
+#if defined(MBEDTLS_ECDSA_C)
+    eckey_verify_wrap,
+    eckey_sign_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_verify_rs_wrap,
+    eckey_sign_rs_wrap,
+#endif
+#else /* MBEDTLS_ECDSA_C */
+    NULL,
+    NULL,
+#endif /* MBEDTLS_ECDSA_C */
+    NULL,
+    NULL,
+    eckey_check_pair,
+    eckey_alloc_wrap,
+    eckey_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_rs_alloc,
+    eckey_rs_free,
+#endif
+    eckey_debug,
+};
+
+/*
+ * EC key restricted to ECDH
+ */
+static int eckeydh_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECKEY ||
+            type == MBEDTLS_PK_ECKEY_DH );
+}
+
+const mbedtls_pk_info_t mbedtls_eckeydh_info = {
+    MBEDTLS_PK_ECKEY_DH,
+    "EC_DH",
+    eckey_get_bitlen,         /* Same underlying key structure */
+    eckeydh_can_do,
+    NULL,
+    NULL,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    NULL,
+    NULL,
+    eckey_check_pair,
+    eckey_alloc_wrap,       /* Same underlying key structure */
+    eckey_free_wrap,        /* Same underlying key structure */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    eckey_debug,            /* Same underlying key structure */
+};
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ECDSA_C)
+static int ecdsa_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECDSA );
+}
+
+static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    ((void) md_alg);
+
+    ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
+                                hash, hash_len, sig, sig_len );
+
+    if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( ret );
+}
+
+static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
+                md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx )
+{
+    int ret;
+    ((void) md_alg);
+
+    ret = mbedtls_ecdsa_read_signature_restartable(
+            (mbedtls_ecdsa_context *) ctx,
+            hash, hash_len, sig, sig_len,
+            (mbedtls_ecdsa_restart_ctx *) rs_ctx );
+
+    if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( ret );
+}
+
+static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                   void *rs_ctx )
+{
+    return( mbedtls_ecdsa_write_signature_restartable(
+                (mbedtls_ecdsa_context *) ctx,
+                md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
+                (mbedtls_ecdsa_restart_ctx *) rs_ctx ) );
+
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+static void *ecdsa_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
+
+    return( ctx );
+}
+
+static void ecdsa_free_wrap( void *ctx )
+{
+    mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static void *ecdsa_rs_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) );
+
+    if( ctx != NULL )
+        mbedtls_ecdsa_restart_init( ctx );
+
+    return( ctx );
+}
+
+static void ecdsa_rs_free( void *ctx )
+{
+    mbedtls_ecdsa_restart_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+const mbedtls_pk_info_t mbedtls_ecdsa_info = {
+    MBEDTLS_PK_ECDSA,
+    "ECDSA",
+    eckey_get_bitlen,     /* Compatible key structures */
+    ecdsa_can_do,
+    ecdsa_verify_wrap,
+    ecdsa_sign_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_verify_rs_wrap,
+    ecdsa_sign_rs_wrap,
+#endif
+    NULL,
+    NULL,
+    eckey_check_pair,   /* Compatible key structures */
+    ecdsa_alloc_wrap,
+    ecdsa_free_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_rs_alloc,
+    ecdsa_rs_free,
+#endif
+    eckey_debug,        /* Compatible key structures */
+};
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Support for alternative RSA-private implementations
+ */
+
+static int rsa_alt_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_RSA );
+}
+
+static size_t rsa_alt_get_bitlen( const void *ctx )
+{
+    const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
+
+    return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
+}
+
+static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
+
+#if SIZE_MAX > UINT_MAX
+    if( UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    *sig_len = rsa_alt->key_len_func( rsa_alt->key );
+
+    return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
+                md_alg, (unsigned int) hash_len, hash, sig ) );
+}
+
+static int rsa_alt_decrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
+
+    ((void) f_rng);
+    ((void) p_rng);
+
+    if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    return( rsa_alt->decrypt_func( rsa_alt->key,
+                MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
+}
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_alt_check_pair( const void *pub, const void *prv )
+{
+    unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char hash[32];
+    size_t sig_len = 0;
+    int ret;
+
+    if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+
+    memset( hash, 0x2a, sizeof( hash ) );
+
+    if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
+                                   hash, sizeof( hash ),
+                                   sig, &sig_len, NULL, NULL ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
+                         hash, sizeof( hash ), sig, sig_len ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_RSA_C */
+
+static void *rsa_alt_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
+
+    if( ctx != NULL )
+        memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
+
+    return( ctx );
+}
+
+static void rsa_alt_free_wrap( void *ctx )
+{
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
+    mbedtls_free( ctx );
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
+    MBEDTLS_PK_RSA_ALT,
+    "RSA-alt",
+    rsa_alt_get_bitlen,
+    rsa_alt_can_do,
+    NULL,
+    rsa_alt_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    rsa_alt_decrypt_wrap,
+    NULL,
+#if defined(MBEDTLS_RSA_C)
+    rsa_alt_check_pair,
+#else
+    NULL,
+#endif
+    rsa_alt_alloc_wrap,
+    rsa_alt_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    NULL,
+};
+
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#endif /* MBEDTLS_PK_C */
diff --git a/ctrtool/deps/libmbedtls/src/pkcs11.c b/ctrtool/deps/libmbedtls/src/pkcs11.c
new file mode 100644
index 00000000..0ea64252
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pkcs11.c
@@ -0,0 +1,240 @@
+/**
+ * \file pkcs11.c
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#include "mbedtls/pkcs11.h"
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "mbedtls/md.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/x509_crt.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <string.h>
+
+void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) );
+}
+
+int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
+{
+    int ret = 1;
+    unsigned char *cert_blob = NULL;
+    size_t cert_blob_size = 0;
+
+    if( cert == NULL )
+    {
+        ret = 2;
+        goto cleanup;
+    }
+
+    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
+                                                &cert_blob_size ) != CKR_OK )
+    {
+        ret = 3;
+        goto cleanup;
+    }
+
+    cert_blob = mbedtls_calloc( 1, cert_blob_size );
+    if( NULL == cert_blob )
+    {
+        ret = 4;
+        goto cleanup;
+    }
+
+    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
+                                                &cert_blob_size ) != CKR_OK )
+    {
+        ret = 5;
+        goto cleanup;
+    }
+
+    if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) )
+    {
+        ret = 6;
+        goto cleanup;
+    }
+
+    ret = 0;
+
+cleanup:
+    if( NULL != cert_blob )
+        mbedtls_free( cert_blob );
+
+    return( ret );
+}
+
+
+int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
+        pkcs11h_certificate_t pkcs11_cert )
+{
+    int ret = 1;
+    mbedtls_x509_crt cert;
+
+    mbedtls_x509_crt_init( &cert );
+
+    if( priv_key == NULL )
+        goto cleanup;
+
+    if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) )
+        goto cleanup;
+
+    priv_key->len = mbedtls_pk_get_len( &cert.pk );
+    priv_key->pkcs11h_cert = pkcs11_cert;
+
+    ret = 0;
+
+cleanup:
+    mbedtls_x509_crt_free( &cert );
+
+    return( ret );
+}
+
+void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key )
+{
+    if( NULL != priv_key )
+        pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
+}
+
+int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len )
+{
+    size_t input_len, output_len;
+
+    if( NULL == ctx )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( MBEDTLS_RSA_PRIVATE != mode )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    output_len = input_len = ctx->len;
+
+    if( input_len < 16 || input_len > output_max_len )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /* Determine size of output buffer */
+    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+            input_len, NULL, &output_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    if( output_len > output_max_len )
+        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+
+    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+            input_len, output, &output_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+    *olen = output_len;
+    return( 0 );
+}
+
+int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig )
+{
+    size_t sig_len = 0, asn_len = 0, oid_size = 0;
+    unsigned char *p = sig;
+    const char *oid;
+
+    if( NULL == ctx )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( MBEDTLS_RSA_PRIVATE != mode )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+        asn_len = 10 + oid_size;
+    }
+
+    sig_len = ctx->len;
+    if( hashlen > sig_len || asn_len > sig_len ||
+        hashlen + asn_len > sig_len )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /*
+         * DigestInfo ::= SEQUENCE {
+         *   digestAlgorithm DigestAlgorithmIdentifier,
+         *   digest Digest }
+         *
+         * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+         *
+         * Digest ::= OCTET STRING
+         */
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x04 + oid_size );
+        *p++ = MBEDTLS_ASN1_OID;
+        *p++ = oid_size & 0xFF;
+        memcpy( p, oid, oid_size );
+        p += oid_size;
+        *p++ = MBEDTLS_ASN1_NULL;
+        *p++ = 0x00;
+        *p++ = MBEDTLS_ASN1_OCTET_STRING;
+        *p++ = hashlen;
+    }
+
+    memcpy( p, hash, hashlen );
+
+    if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
+            asn_len + hashlen, sig, &sig_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+#endif /* defined(MBEDTLS_PKCS11_C) */
diff --git a/ctrtool/deps/libmbedtls/src/pkcs12.c b/ctrtool/deps/libmbedtls/src/pkcs12.c
new file mode 100644
index 00000000..7edf064c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pkcs12.c
@@ -0,0 +1,365 @@
+/*
+ *  PKCS#12 Personal Information Exchange Syntax
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The PKCS #12 Personal Information Exchange Syntax Standard v1.1
+ *
+ *  http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
+ *  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS12_C)
+
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params,
+                                    mbedtls_asn1_buf *salt, int *iterations )
+{
+    int ret;
+    unsigned char **p = &params->p;
+    const unsigned char *end = params->p + params->len;
+
+    /*
+     *  pkcs-12PbeParams ::= SEQUENCE {
+     *    salt          OCTET STRING,
+     *    iterations    INTEGER
+     *  }
+     *
+     */
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+
+    salt->p = *p;
+    *p += salt->len;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+#define PKCS12_MAX_PWDLEN 128
+
+static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
+                                     const unsigned char *pwd,  size_t pwdlen,
+                                     unsigned char *key, size_t keylen,
+                                     unsigned char *iv,  size_t ivlen )
+{
+    int ret, iterations = 0;
+    mbedtls_asn1_buf salt;
+    size_t i;
+    unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+    if( pwdlen > PKCS12_MAX_PWDLEN )
+        return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
+
+    memset( &salt, 0, sizeof(mbedtls_asn1_buf) );
+    memset( &unipwd, 0, sizeof(unipwd) );
+
+    if( ( ret = pkcs12_parse_pbe_params( pbe_params, &salt,
+                                         &iterations ) ) != 0 )
+        return( ret );
+
+    for( i = 0; i < pwdlen; i++ )
+        unipwd[i * 2 + 1] = pwd[i];
+
+    if( ( ret = mbedtls_pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2,
+                                   salt.p, salt.len, md_type,
+                                   MBEDTLS_PKCS12_DERIVE_KEY, iterations ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( iv == NULL || ivlen == 0 )
+        return( 0 );
+
+    if( ( ret = mbedtls_pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2,
+                                   salt.p, salt.len, md_type,
+                                   MBEDTLS_PKCS12_DERIVE_IV, iterations ) ) != 0 )
+    {
+        return( ret );
+    }
+    return( 0 );
+}
+
+#undef PKCS12_MAX_PWDLEN
+
+int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
+                             const unsigned char *pwd,  size_t pwdlen,
+                             const unsigned char *data, size_t len,
+                             unsigned char *output )
+{
+#if !defined(MBEDTLS_ARC4_C)
+    ((void) pbe_params);
+    ((void) mode);
+    ((void) pwd);
+    ((void) pwdlen);
+    ((void) data);
+    ((void) len);
+    ((void) output);
+    return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+#else
+    int ret;
+    unsigned char key[16];
+    mbedtls_arc4_context ctx;
+    ((void) mode);
+
+    mbedtls_arc4_init( &ctx );
+
+    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, MBEDTLS_MD_SHA1,
+                                          pwd, pwdlen,
+                                          key, 16, NULL, 0 ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    mbedtls_arc4_setup( &ctx, key, 16 );
+    if( ( ret = mbedtls_arc4_crypt( &ctx, len, data, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_arc4_free( &ctx );
+
+    return( ret );
+#endif /* MBEDTLS_ARC4_C */
+}
+
+int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
+                mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+                const unsigned char *pwd,  size_t pwdlen,
+                const unsigned char *data, size_t len,
+                unsigned char *output )
+{
+    int ret, keylen = 0;
+    unsigned char key[32];
+    unsigned char iv[16];
+    const mbedtls_cipher_info_t *cipher_info;
+    mbedtls_cipher_context_t cipher_ctx;
+    size_t olen = 0;
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+
+    keylen = cipher_info->key_bitlen / 8;
+
+    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen,
+                                          key, keylen,
+                                          iv, cipher_info->iv_size ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    mbedtls_cipher_init( &cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_set_iv( &cipher_ctx, iv, cipher_info->iv_size ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_reset( &cipher_ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_update( &cipher_ctx, data, len,
+                                output, &olen ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 )
+        ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
+
+exit:
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( iv,  sizeof( iv  ) );
+    mbedtls_cipher_free( &cipher_ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+static void pkcs12_fill_buffer( unsigned char *data, size_t data_len,
+                                const unsigned char *filler, size_t fill_len )
+{
+    unsigned char *p = data;
+    size_t use_len;
+
+    while( data_len > 0 )
+    {
+        use_len = ( data_len > fill_len ) ? fill_len : data_len;
+        memcpy( p, filler, use_len );
+        p += use_len;
+        data_len -= use_len;
+    }
+}
+
+int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
+                       const unsigned char *pwd, size_t pwdlen,
+                       const unsigned char *salt, size_t saltlen,
+                       mbedtls_md_type_t md_type, int id, int iterations )
+{
+    int ret;
+    unsigned int j;
+
+    unsigned char diversifier[128];
+    unsigned char salt_block[128], pwd_block[128], hash_block[128];
+    unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *p;
+    unsigned char c;
+
+    size_t hlen, use_len, v, i;
+
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    // This version only allows max of 64 bytes of password or salt
+    if( datalen > 128 || pwdlen > 64 || saltlen > 64 )
+        return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( md_type );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+
+    mbedtls_md_init( &md_ctx );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        return( ret );
+    hlen = mbedtls_md_get_size( md_info );
+
+    if( hlen <= 32 )
+        v = 64;
+    else
+        v = 128;
+
+    memset( diversifier, (unsigned char) id, v );
+
+    pkcs12_fill_buffer( salt_block, v, salt, saltlen );
+    pkcs12_fill_buffer( pwd_block,  v, pwd,  pwdlen  );
+
+    p = data;
+    while( datalen > 0 )
+    {
+        // Calculate hash( diversifier || salt_block || pwd_block )
+        if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 )
+            goto exit;
+
+        // Perform remaining ( iterations - 1 ) recursive hash calculations
+        for( i = 1; i < (size_t) iterations; i++ )
+        {
+            if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 )
+                goto exit;
+        }
+
+        use_len = ( datalen > hlen ) ? hlen : datalen;
+        memcpy( p, hash_output, use_len );
+        datalen -= use_len;
+        p += use_len;
+
+        if( datalen == 0 )
+            break;
+
+        // Concatenating copies of hash_output into hash_block (B)
+        pkcs12_fill_buffer( hash_block, v, hash_output, hlen );
+
+        // B += 1
+        for( i = v; i > 0; i-- )
+            if( ++hash_block[i - 1] != 0 )
+                break;
+
+        // salt_block += B
+        c = 0;
+        for( i = v; i > 0; i-- )
+        {
+            j = salt_block[i - 1] + hash_block[i - 1] + c;
+            c = (unsigned char) (j >> 8);
+            salt_block[i - 1] = j & 0xFF;
+        }
+
+        // pwd_block  += B
+        c = 0;
+        for( i = v; i > 0; i-- )
+        {
+            j = pwd_block[i - 1] + hash_block[i - 1] + c;
+            c = (unsigned char) (j >> 8);
+            pwd_block[i - 1] = j & 0xFF;
+        }
+    }
+
+    ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( salt_block, sizeof( salt_block ) );
+    mbedtls_platform_zeroize( pwd_block, sizeof( pwd_block ) );
+    mbedtls_platform_zeroize( hash_block, sizeof( hash_block ) );
+    mbedtls_platform_zeroize( hash_output, sizeof( hash_output ) );
+
+    mbedtls_md_free( &md_ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_PKCS12_C */
diff --git a/ctrtool/deps/libmbedtls/src/pkcs5.c b/ctrtool/deps/libmbedtls/src/pkcs5.c
new file mode 100644
index 00000000..50133435
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pkcs5.c
@@ -0,0 +1,411 @@
+/**
+ * \file pkcs5.c
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * PKCS#5 includes PBKDF2 and more
+ *
+ * http://tools.ietf.org/html/rfc2898 (Specification)
+ * http://tools.ietf.org/html/rfc6070 (Test vectors)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS5_C)
+
+#include "mbedtls/pkcs5.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/oid.h"
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params,
+                                      mbedtls_asn1_buf *salt, int *iterations,
+                                      int *keylen, mbedtls_md_type_t *md_type )
+{
+    int ret;
+    mbedtls_asn1_buf prf_alg_oid;
+    unsigned char *p = params->p;
+    const unsigned char *end = params->p + params->len;
+
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    /*
+     *  PBKDF2-params ::= SEQUENCE {
+     *    salt              OCTET STRING,
+     *    iterationCount    INTEGER,
+     *    keyLength         INTEGER OPTIONAL
+     *    prf               AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
+     *  }
+     *
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    salt->p = p;
+    p += salt->len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, iterations ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, keylen ) ) != 0 )
+    {
+        if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+    }
+
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    if( mbedtls_oid_get_md_hmac( &prf_alg_oid, md_type ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( p != end )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
+                 const unsigned char *pwd,  size_t pwdlen,
+                 const unsigned char *data, size_t datalen,
+                 unsigned char *output )
+{
+    int ret, iterations = 0, keylen = 0;
+    unsigned char *p, *end;
+    mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
+    mbedtls_asn1_buf salt;
+    mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
+    unsigned char key[32], iv[32];
+    size_t olen = 0;
+    const mbedtls_md_info_t *md_info;
+    const mbedtls_cipher_info_t *cipher_info;
+    mbedtls_md_context_t md_ctx;
+    mbedtls_cipher_type_t cipher_alg;
+    mbedtls_cipher_context_t cipher_ctx;
+
+    p = pbe_params->p;
+    end = p + pbe_params->len;
+
+    /*
+     *  PBES2-params ::= SEQUENCE {
+     *    keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
+     *    encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
+     *  }
+     */
+    if( pbe_params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    // Only PBKDF2 supported at the moment
+    //
+    if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params,
+                                           &salt, &iterations, &keylen,
+                                           &md_type ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    md_info = mbedtls_md_info_from_type( md_type );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid,
+                              &enc_scheme_params ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+    }
+
+    if( mbedtls_oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_alg );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    /*
+     * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
+     * since it is optional and we don't know if it was set or not
+     */
+    keylen = cipher_info->key_bitlen / 8;
+
+    if( enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
+        enc_scheme_params.len != cipher_info->iv_size )
+    {
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT );
+    }
+
+    mbedtls_md_init( &md_ctx );
+    mbedtls_cipher_init( &cipher_ctx );
+
+    memcpy( iv, enc_scheme_params.p, enc_scheme_params.len );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
+                                   iterations, keylen, key ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len,
+                              data, datalen, output, &olen ) ) != 0 )
+        ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
+
+exit:
+    mbedtls_md_free( &md_ctx );
+    mbedtls_cipher_free( &cipher_ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password,
+                       size_t plen, const unsigned char *salt, size_t slen,
+                       unsigned int iteration_count,
+                       uint32_t key_length, unsigned char *output )
+{
+    int ret, j;
+    unsigned int i;
+    unsigned char md1[MBEDTLS_MD_MAX_SIZE];
+    unsigned char work[MBEDTLS_MD_MAX_SIZE];
+    unsigned char md_size = mbedtls_md_get_size( ctx->md_info );
+    size_t use_len;
+    unsigned char *out_p = output;
+    unsigned char counter[4];
+
+    memset( counter, 0, 4 );
+    counter[3] = 1;
+
+#if UINT_MAX > 0xFFFFFFFF
+    if( iteration_count > 0xFFFFFFFF )
+        return( MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA );
+#endif
+
+    while( key_length )
+    {
+        // U1 ends up in work
+        //
+        if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 )
+            return( ret );
+
+        memcpy( md1, work, md_size );
+
+        for( i = 1; i < iteration_count; i++ )
+        {
+            // U2 ends up in md1
+            //
+            if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 )
+                return( ret );
+
+            if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 )
+                return( ret );
+
+            if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 )
+                return( ret );
+
+            // U1 xor U2
+            //
+            for( j = 0; j < md_size; j++ )
+                work[j] ^= md1[j];
+        }
+
+        use_len = ( key_length < md_size ) ? key_length : md_size;
+        memcpy( out_p, work, use_len );
+
+        key_length -= (uint32_t) use_len;
+        out_p += use_len;
+
+        for( i = 4; i > 0; i-- )
+            if( ++counter[i - 1] != 0 )
+                break;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_SHA1_C)
+int mbedtls_pkcs5_self_test( int verbose )
+{
+    if( verbose != 0 )
+        mbedtls_printf( "  PBKDF2 (SHA1): skipped\n\n" );
+
+    return( 0 );
+}
+#else
+
+#define MAX_TESTS   6
+
+static const size_t plen[MAX_TESTS] =
+    { 8, 8, 8, 24, 9 };
+
+static const unsigned char password[MAX_TESTS][32] =
+{
+    "password",
+    "password",
+    "password",
+    "passwordPASSWORDpassword",
+    "pass\0word",
+};
+
+static const size_t slen[MAX_TESTS] =
+    { 4, 4, 4, 36, 5 };
+
+static const unsigned char salt[MAX_TESTS][40] =
+{
+    "salt",
+    "salt",
+    "salt",
+    "saltSALTsaltSALTsaltSALTsaltSALTsalt",
+    "sa\0lt",
+};
+
+static const uint32_t it_cnt[MAX_TESTS] =
+    { 1, 2, 4096, 4096, 4096 };
+
+static const uint32_t key_len[MAX_TESTS] =
+    { 20, 20, 20, 25, 16 };
+
+static const unsigned char result_key[MAX_TESTS][32] =
+{
+    { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
+      0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
+      0x2f, 0xe0, 0x37, 0xa6 },
+    { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
+      0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
+      0xd8, 0xde, 0x89, 0x57 },
+    { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
+      0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
+      0x65, 0xa4, 0x29, 0xc1 },
+    { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
+      0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
+      0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
+      0x38 },
+    { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
+      0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
+};
+
+int mbedtls_pkcs5_self_test( int verbose )
+{
+    mbedtls_md_context_t sha1_ctx;
+    const mbedtls_md_info_t *info_sha1;
+    int ret, i;
+    unsigned char key[64];
+
+    mbedtls_md_init( &sha1_ctx );
+
+    info_sha1 = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+    if( info_sha1 == NULL )
+    {
+        ret = 1;
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_md_setup( &sha1_ctx, info_sha1, 1 ) ) != 0 )
+    {
+        ret = 1;
+        goto exit;
+    }
+
+    for( i = 0; i < MAX_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  PBKDF2 (SHA1) #%d: ", i );
+
+        ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i],
+                                  slen[i], it_cnt[i], key_len[i], key );
+        if( ret != 0 ||
+            memcmp( result_key[i], key, key_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_md_free( &sha1_ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SHA1_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_PKCS5_C */
diff --git a/ctrtool/deps/libmbedtls/src/pkparse.c b/ctrtool/deps/libmbedtls/src/pkparse.c
new file mode 100644
index 00000000..d5004577
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pkparse.c
@@ -0,0 +1,1538 @@
+/*
+ *  Public Key layer for parsing key files and structures
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
+{
+    FILE *f;
+    long size;
+
+    PK_VALIDATE_RET( path != NULL );
+    PK_VALIDATE_RET( buf != NULL );
+    PK_VALIDATE_RET( n != NULL );
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    if( ( size = ftell( f ) ) == -1 )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+    }
+    fseek( f, 0, SEEK_SET );
+
+    *n = (size_t) size;
+
+    if( *n + 1 == 0 ||
+        ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+    }
+
+    if( fread( *buf, 1, *n, f ) != *n )
+    {
+        fclose( f );
+
+        mbedtls_platform_zeroize( *buf, *n );
+        mbedtls_free( *buf );
+
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+    }
+
+    fclose( f );
+
+    (*buf)[*n] = '\0';
+
+    if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
+        ++*n;
+
+    return( 0 );
+}
+
+/*
+ * Load and parse a private key
+ */
+int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
+                      const char *path, const char *pwd )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( path != NULL );
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    if( pwd == NULL )
+        ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
+    else
+        ret = mbedtls_pk_parse_key( ctx, buf, n,
+                (const unsigned char *) pwd, strlen( pwd ) );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+/*
+ * Load and parse a public key
+ */
+int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( path != NULL );
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_pk_parse_public_key( ctx, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_ECP_C)
+/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
+ *
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
+ *   -- implicitCurve   NULL
+ * }
+ */
+static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
+                            mbedtls_asn1_buf *params )
+{
+    int ret;
+
+    if ( end - *p < 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    /* Tag may be either OID or SEQUENCE */
+    params->tag = **p;
+    if( params->tag != MBEDTLS_ASN1_OID
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+            && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE )
+#endif
+            )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    }
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &params->len, params->tag ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    params->p = *p;
+    *p += params->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
+ * WARNING: the resulting group should only be used with
+ * pk_group_id_from_specified(), since its base point may not be set correctly
+ * if it was encoded compressed.
+ *
+ *  SpecifiedECDomain ::= SEQUENCE {
+ *      version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
+ *      fieldID FieldID {{FieldTypes}},
+ *      curve Curve,
+ *      base ECPoint,
+ *      order INTEGER,
+ *      cofactor INTEGER OPTIONAL,
+ *      hash HashAlgorithm OPTIONAL,
+ *      ...
+ *  }
+ *
+ * We only support prime-field as field type, and ignore hash and cofactor.
+ */
+static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
+{
+    int ret;
+    unsigned char *p = params->p;
+    const unsigned char * const end = params->p + params->len;
+    const unsigned char *end_field, *end_curve;
+    size_t len;
+    int ver;
+
+    /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ver < 1 || ver > 3 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    /*
+     * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
+     *       fieldType FIELD-ID.&id({IOSet}),
+     *       parameters FIELD-ID.&Type({IOSet}{@fieldType})
+     * }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    end_field = p + len;
+
+    /*
+     * FIELD-ID ::= TYPE-IDENTIFIER
+     * FieldTypes FIELD-ID ::= {
+     *       { Prime-p IDENTIFIED BY prime-field } |
+     *       { Characteristic-two IDENTIFIED BY characteristic-two-field }
+     * }
+     * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( ret );
+
+    if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
+        memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+    }
+
+    p += len;
+
+    /* Prime-p ::= INTEGER -- Field of size p. */
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    if( p != end_field )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /*
+     * Curve ::= SEQUENCE {
+     *       a FieldElement,
+     *       b FieldElement,
+     *       seed BIT STRING OPTIONAL
+     *       -- Shall be present if used in SpecifiedECDomain
+     *       -- with version equal to ecdpVer2 or ecdpVer3
+     * }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    end_curve = p + len;
+
+    /*
+     * FieldElement ::= OCTET STRING
+     * containing an integer in the case of a prime field
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    /* Ignore seed BIT STRING OPTIONAL */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
+        p += len;
+
+    if( p != end_curve )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /*
+     * ECPoint ::= OCTET STRING
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
+                                      ( const unsigned char *) p, len ) ) != 0 )
+    {
+        /*
+         * If we can't read the point because it's compressed, cheat by
+         * reading only the X coordinate and the parity bit of Y.
+         */
+        if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
+            ( p[0] != 0x02 && p[0] != 0x03 ) ||
+            len != mbedtls_mpi_size( &grp->P ) + 1 ||
+            mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
+            mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
+            mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
+        {
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+        }
+    }
+
+    p += len;
+
+    /*
+     * order INTEGER
+     */
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    grp->nbits = mbedtls_mpi_bitlen( &grp->N );
+
+    /*
+     * Allow optional elements by purposefully not enforcing p == end here.
+     */
+
+    return( 0 );
+}
+
+/*
+ * Find the group id associated with an (almost filled) group as generated by
+ * pk_group_from_specified(), or return an error if unknown.
+ */
+static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id )
+{
+    int ret = 0;
+    mbedtls_ecp_group ref;
+    const mbedtls_ecp_group_id *id;
+
+    mbedtls_ecp_group_init( &ref );
+
+    for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
+    {
+        /* Load the group associated to that id */
+        mbedtls_ecp_group_free( &ref );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
+
+        /* Compare to the group we were given, starting with easy tests */
+        if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
+            mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
+            /* For Y we may only know the parity bit, so compare only that */
+            mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
+        {
+            break;
+        }
+
+    }
+
+cleanup:
+    mbedtls_ecp_group_free( &ref );
+
+    *grp_id = *id;
+
+    if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
+        ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+    return( ret );
+}
+
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
+ */
+static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
+                                       mbedtls_ecp_group_id *grp_id )
+{
+    int ret;
+    mbedtls_ecp_group grp;
+
+    mbedtls_ecp_group_init( &grp );
+
+    if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
+        goto cleanup;
+
+    ret = pk_group_id_from_group( &grp, grp_id );
+
+cleanup:
+    mbedtls_ecp_group_free( &grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+
+/*
+ * Use EC parameters to initialise an EC group
+ *
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
+ *   -- implicitCurve   NULL
+ */
+static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+
+    if( params->tag == MBEDTLS_ASN1_OID )
+    {
+        if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
+            return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
+    }
+    else
+    {
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+        if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
+            return( ret );
+#else
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+#endif
+    }
+
+    /*
+     * grp may already be initilialized; if so, make sure IDs match
+     */
+    if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * EC public key is an EC point
+ *
+ * The caller is responsible for clearing the structure upon failure if
+ * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
+ * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
+ */
+static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
+                            mbedtls_ecp_keypair *key )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
+                    (const unsigned char *) *p, end - *p ) ) == 0 )
+    {
+        ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
+    }
+
+    /*
+     * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
+     */
+    *p = (unsigned char *) end;
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ *  RSAPublicKey ::= SEQUENCE {
+ *      modulus           INTEGER,  -- n
+ *      publicExponent    INTEGER   -- e
+ *  }
+ */
+static int pk_get_rsapubkey( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_rsa_context *rsa )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /* Import N */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
+                                        NULL, 0, NULL, 0 ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+
+    *p += len;
+
+    /* Import E */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
+                                        NULL, 0, *p, len ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+
+    *p += len;
+
+    if( mbedtls_rsa_complete( rsa ) != 0 ||
+        mbedtls_rsa_check_pubkey( rsa ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_RSA_C */
+
+/* Get a PK algorithm identifier
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ */
+static int pk_get_pk_alg( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params )
+{
+    int ret;
+    mbedtls_asn1_buf alg_oid;
+
+    memset( params, 0, sizeof(mbedtls_asn1_buf) );
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_ALG + ret );
+
+    if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    /*
+     * No parameters with RSA (only for EC)
+     */
+    if( *pk_alg == MBEDTLS_PK_RSA &&
+            ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) ||
+                params->len != 0 ) )
+    {
+        return( MBEDTLS_ERR_PK_INVALID_ALG );
+    }
+
+    return( 0 );
+}
+
+/*
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING }
+ */
+int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
+                        mbedtls_pk_context *pk )
+{
+    int ret;
+    size_t len;
+    mbedtls_asn1_buf alg_params;
+    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+    const mbedtls_pk_info_t *pk_info;
+
+    PK_VALIDATE_RET( p != NULL );
+    PK_VALIDATE_RET( *p != NULL );
+    PK_VALIDATE_RET( end != NULL );
+    PK_VALIDATE_RET( pk != NULL );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA )
+    {
+        ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
+    } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY )
+    {
+        ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
+        if( ret == 0 )
+            ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
+    } else
+#endif /* MBEDTLS_ECP_C */
+        ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+
+    if( ret == 0 && *p != end )
+        ret = MBEDTLS_ERR_PK_INVALID_PUBKEY
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+
+    if( ret != 0 )
+        mbedtls_pk_free( pk );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
+ *
+ * The value zero is:
+ * - never a valid value for an RSA parameter
+ * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
+ *
+ * Since values can't be omitted in PKCS#1, passing a zero value to
+ * rsa_complete() would be incorrect, so reject zero values early.
+ */
+static int asn1_get_nonzero_mpi( unsigned char **p,
+                                 const unsigned char *end,
+                                 mbedtls_mpi *X )
+{
+    int ret;
+
+    ret = mbedtls_asn1_get_mpi( p, end, X );
+    if( ret != 0 )
+        return( ret );
+
+    if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    return( 0 );
+}
+
+/*
+ * Parse a PKCS#1 encoded private RSA key
+ */
+static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
+                                   const unsigned char *key,
+                                   size_t keylen )
+{
+    int ret, version;
+    size_t len;
+    unsigned char *p, *end;
+
+    mbedtls_mpi T;
+    mbedtls_mpi_init( &T );
+
+    p = (unsigned char *) key;
+    end = p + keylen;
+
+    /*
+     * This function parses the RSAPrivateKey (PKCS#1)
+     *
+     *  RSAPrivateKey ::= SEQUENCE {
+     *      version           Version,
+     *      modulus           INTEGER,  -- n
+     *      publicExponent    INTEGER,  -- e
+     *      privateExponent   INTEGER,  -- d
+     *      prime1            INTEGER,  -- p
+     *      prime2            INTEGER,  -- q
+     *      exponent1         INTEGER,  -- d mod (p-1)
+     *      exponent2         INTEGER,  -- d mod (q-1)
+     *      coefficient       INTEGER,  -- (inverse of q) mod p
+     *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    if( version != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
+    }
+
+    /* Import N */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import E */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
+                                        NULL, &T ) ) != 0 )
+        goto cleanup;
+
+    /* Import D */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
+                                        &T, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import P */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import Q */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
+    /*
+    * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+    * that they can be easily recomputed from D, P and Q. However by
+    * parsing them from the PKCS1 structure it is possible to avoid
+    * recalculating them which both reduces the overhead of loading
+    * RSA private keys into memory and also avoids side channels which
+    * can arise when computing those values, since all of D, P, and Q
+    * are secret. See https://eprint.iacr.org/2020/055 for a
+    * description of one such attack.
+    */
+
+    /* Import DP */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
+       goto cleanup;
+
+    /* Import DQ */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
+       goto cleanup;
+
+    /* Import QP */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
+       goto cleanup;
+
+#else
+    /* Verify existance of the CRT params */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
+       goto cleanup;
+#endif
+
+    /* rsa_complete() doesn't complete anything with the default
+     * implementation but is still called:
+     * - for the benefit of alternative implementation that may want to
+     *   pre-compute stuff beyond what's provided (eg Montgomery factors)
+     * - as is also sanity-checks the key
+     *
+     * Furthermore, we also check the public part for consistency with
+     * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
+     */
+    if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
+        ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
+    {
+        goto cleanup;
+    }
+
+    if( p != end )
+    {
+        ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    if( ret != 0 )
+    {
+        /* Wrap error code if it's coming from a lower level */
+        if( ( ret & 0xff80 ) == 0 )
+            ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret;
+        else
+            ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+
+        mbedtls_rsa_free( rsa );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Parse a SEC1 encoded private EC key
+ */
+static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
+                                  const unsigned char *key,
+                                  size_t keylen )
+{
+    int ret;
+    int version, pubkey_done;
+    size_t len;
+    mbedtls_asn1_buf params;
+    unsigned char *p = (unsigned char *) key;
+    unsigned char *end = p + keylen;
+    unsigned char *end2;
+
+    /*
+     * RFC 5915, or SEC1 Appendix C.4
+     *
+     * ECPrivateKey ::= SEQUENCE {
+     *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+     *      privateKey     OCTET STRING,
+     *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+     *      publicKey  [1] BIT STRING OPTIONAL
+     *    }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( version != 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    pubkey_done = 0;
+    if( p != end )
+    {
+        /*
+         * Is 'parameters' present?
+         */
+        if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
+        {
+            if( ( ret = pk_get_ecparams( &p, p + len, &params) ) != 0 ||
+                ( ret = pk_use_ecparams( &params, &eck->grp )  ) != 0 )
+            {
+                mbedtls_ecp_keypair_free( eck );
+                return( ret );
+            }
+        }
+        else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            mbedtls_ecp_keypair_free( eck );
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+        }
+    }
+
+    if( p != end )
+    {
+        /*
+         * Is 'publickey' present? If not, or if we can't read it (eg because it
+         * is compressed), create it from the private key.
+         */
+        if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
+        {
+            end2 = p + len;
+
+            if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
+                return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+            if( p + len != end2 )
+                return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                        MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+            if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
+                pubkey_done = 1;
+            else
+            {
+                /*
+                 * The only acceptable failure mode of pk_get_ecpubkey() above
+                 * is if the point format is not recognized.
+                 */
+                if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
+                    return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+            }
+        }
+        else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            mbedtls_ecp_keypair_free( eck );
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+        }
+    }
+
+    if( ! pubkey_done &&
+        ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
+                                                      NULL, NULL ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * Parse an unencrypted PKCS#8 encoded private key
+ *
+ * Notes:
+ *
+ * - This function does not own the key buffer. It is the
+ *   responsibility of the caller to take care of zeroizing
+ *   and freeing it after use.
+ *
+ * - The function is responsible for freeing the provided
+ *   PK context on failure.
+ *
+ */
+static int pk_parse_key_pkcs8_unencrypted_der(
+                                    mbedtls_pk_context *pk,
+                                    const unsigned char* key,
+                                    size_t keylen )
+{
+    int ret, version;
+    size_t len;
+    mbedtls_asn1_buf params;
+    unsigned char *p = (unsigned char *) key;
+    unsigned char *end = p + keylen;
+    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+    const mbedtls_pk_info_t *pk_info;
+
+    /*
+     * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
+     *
+     *    PrivateKeyInfo ::= SEQUENCE {
+     *      version                   Version,
+     *      privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
+     *      privateKey                PrivateKey,
+     *      attributes           [0]  IMPLICIT Attributes OPTIONAL }
+     *
+     *    Version ::= INTEGER
+     *    PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+     *    PrivateKey ::= OCTET STRING
+     *
+     *  The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
+     */
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( version != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret );
+
+    if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( len < 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA )
+    {
+        if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+            return( ret );
+        }
+    } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
+    {
+        if( ( ret = pk_use_ecparams( &params, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
+            ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len )  ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+            return( ret );
+        }
+    } else
+#endif /* MBEDTLS_ECP_C */
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    return( 0 );
+}
+
+/*
+ * Parse an encrypted PKCS#8 encoded private key
+ *
+ * To save space, the decryption happens in-place on the given key buffer.
+ * Also, while this function may modify the keybuffer, it doesn't own it,
+ * and instead it is the responsibility of the caller to zeroize and properly
+ * free it after use.
+ *
+ */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+static int pk_parse_key_pkcs8_encrypted_der(
+                                    mbedtls_pk_context *pk,
+                                    unsigned char *key, size_t keylen,
+                                    const unsigned char *pwd, size_t pwdlen )
+{
+    int ret, decrypted = 0;
+    size_t len;
+    unsigned char *buf;
+    unsigned char *p, *end;
+    mbedtls_asn1_buf pbe_alg_oid, pbe_params;
+#if defined(MBEDTLS_PKCS12_C)
+    mbedtls_cipher_type_t cipher_alg;
+    mbedtls_md_type_t md_alg;
+#endif
+
+    p = key;
+    end = p + keylen;
+
+    if( pwdlen == 0 )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+
+    /*
+     * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
+     *
+     *  EncryptedPrivateKeyInfo ::= SEQUENCE {
+     *    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
+     *    encryptedData        EncryptedData
+     *  }
+     *
+     *  EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+     *
+     *  EncryptedData ::= OCTET STRING
+     *
+     *  The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
+     *
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    buf = p;
+
+    /*
+     * Decrypt EncryptedData with appropriate PBE
+     */
+#if defined(MBEDTLS_PKCS12_C)
+    if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
+                                cipher_alg, md_alg,
+                                pwd, pwdlen, p, len, buf ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
+                return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+            return( ret );
+        }
+
+        decrypted = 1;
+    }
+    else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
+                                             MBEDTLS_PKCS12_PBE_DECRYPT,
+                                             pwd, pwdlen,
+                                             p, len, buf ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        // Best guess for password mismatch when using RC4. If first tag is
+        // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
+        //
+        if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+            return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+        decrypted = 1;
+    }
+    else
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PKCS5_C)
+    if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
+                                  p, len, buf ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
+                return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+            return( ret );
+        }
+
+        decrypted = 1;
+    }
+    else
+#endif /* MBEDTLS_PKCS5_C */
+    {
+        ((void) pwd);
+    }
+
+    if( decrypted == 0 )
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
+}
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+/*
+ * Parse a private key
+ */
+int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
+                  const unsigned char *key, size_t keylen,
+                  const unsigned char *pwd, size_t pwdlen )
+{
+    int ret;
+    const mbedtls_pk_info_t *pk_info;
+#if defined(MBEDTLS_PEM_PARSE_C)
+    size_t len;
+    mbedtls_pem_context pem;
+#endif
+
+    PK_VALIDATE_RET( pk != NULL );
+    if( keylen == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+    PK_VALIDATE_RET( key != NULL );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+   mbedtls_pem_init( &pem );
+
+#if defined(MBEDTLS_RSA_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN RSA PRIVATE KEY-----",
+                               "-----END RSA PRIVATE KEY-----",
+                               key, pwd, pwdlen, &len );
+
+    if( ret == 0 )
+    {
+        pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+        if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+            ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
+                                            pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
+        return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN EC PRIVATE KEY-----",
+                               "-----END EC PRIVATE KEY-----",
+                               key, pwd, pwdlen, &len );
+    if( ret == 0 )
+    {
+        pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
+
+        if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+            ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
+                                           pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
+        return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_ECP_C */
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN PRIVATE KEY-----",
+                               "-----END PRIVATE KEY-----",
+                               key, NULL, 0, &len );
+    if( ret == 0 )
+    {
+        if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
+                                                pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN ENCRYPTED PRIVATE KEY-----",
+                               "-----END ENCRYPTED PRIVATE KEY-----",
+                               key, NULL, 0, &len );
+    if( ret == 0 )
+    {
+        if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
+                                                      pem.buf, pem.buflen,
+                                                      pwd, pwdlen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+#else
+    ((void) pwd);
+    ((void) pwdlen);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+    /*
+     * At this point we only know it's not a PEM formatted key. Could be any
+     * of the known DER encoded private key formats
+     *
+     * We try the different DER format parsers to see if one passes without
+     * error
+     */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+    {
+        unsigned char *key_copy;
+
+        if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
+            return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+        memcpy( key_copy, key, keylen );
+
+        ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
+                                                pwd, pwdlen );
+
+        mbedtls_platform_zeroize( key_copy, keylen );
+        mbedtls_free( key_copy );
+    }
+
+    if( ret == 0 )
+        return( 0 );
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+
+    if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+    if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
+        return( 0 );
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+
+#if defined(MBEDTLS_RSA_C)
+
+    pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+    if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
+        pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
+    {
+        return( 0 );
+    }
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+    pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
+    if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
+        pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
+                               key, keylen ) == 0 )
+    {
+        return( 0 );
+    }
+    mbedtls_pk_free( pk );
+#endif /* MBEDTLS_ECP_C */
+
+    /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
+     * it is ok to leave the PK context initialized but not
+     * freed: It is the caller's responsibility to call pk_init()
+     * before calling this function, and to call pk_free()
+     * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
+     * isn't, this leads to mbedtls_pk_free() being called
+     * twice, once here and once by the caller, but this is
+     * also ok and in line with the mbedtls_pk_free() calls
+     * on failed PEM parsing attempts. */
+
+    return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+}
+
+/*
+ * Parse a public key
+ */
+int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
+                         const unsigned char *key, size_t keylen )
+{
+    int ret;
+    unsigned char *p;
+#if defined(MBEDTLS_RSA_C)
+    const mbedtls_pk_info_t *pk_info;
+#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
+    size_t len;
+    mbedtls_pem_context pem;
+#endif
+
+    PK_VALIDATE_RET( ctx != NULL );
+    if( keylen == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+    PK_VALIDATE_RET( key != NULL || keylen == 0 );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_init( &pem );
+#if defined(MBEDTLS_RSA_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN RSA PUBLIC KEY-----",
+                               "-----END RSA PUBLIC KEY-----",
+                               key, NULL, 0, &len );
+
+    if( ret == 0 )
+    {
+        p = pem.buf;
+        if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
+            return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+        if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
+            return( ret );
+
+        if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
+            mbedtls_pk_free( ctx );
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+    {
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+#endif /* MBEDTLS_RSA_C */
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                "-----BEGIN PUBLIC KEY-----",
+                "-----END PUBLIC KEY-----",
+                key, NULL, 0, &len );
+
+    if( ret == 0 )
+    {
+        /*
+         * Was PEM encoded
+         */
+        p = pem.buf;
+
+        ret = mbedtls_pk_parse_subpubkey( &p,  p + pem.buflen, ctx );
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+    {
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    mbedtls_pem_free( &pem );
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_RSA_C)
+    if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
+        return( ret );
+
+    p = (unsigned char *)key;
+    ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
+    if( ret == 0 )
+    {
+        return( ret );
+    }
+    mbedtls_pk_free( ctx );
+    if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_RSA_C */
+    p = (unsigned char *) key;
+
+    ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_PK_PARSE_C */
diff --git a/ctrtool/deps/libmbedtls/src/pkwrite.c b/ctrtool/deps/libmbedtls/src/pkwrite.c
new file mode 100644
index 00000000..03d14f2f
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/pkwrite.c
@@ -0,0 +1,566 @@
+/*
+ *  Public Key layer for writing key files and structures
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_WRITE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/bignum.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ *  RSAPublicKey ::= SEQUENCE {
+ *      modulus           INTEGER,  -- n
+ *      publicExponent    INTEGER   -- e
+ *  }
+ */
+static int pk_write_rsa_pubkey( unsigned char **p, unsigned char *start,
+                                mbedtls_rsa_context *rsa )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_mpi T;
+
+    mbedtls_mpi_init( &T );
+
+    /* Export E */
+    if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL, NULL, NULL, &T ) ) != 0 ||
+         ( ret = mbedtls_asn1_write_mpi( p, start, &T ) ) < 0 )
+        goto end_of_export;
+    len += ret;
+
+    /* Export N */
+    if ( ( ret = mbedtls_rsa_export( rsa, &T, NULL, NULL, NULL, NULL ) ) != 0 ||
+         ( ret = mbedtls_asn1_write_mpi( p, start, &T ) ) < 0 )
+        goto end_of_export;
+    len += ret;
+
+end_of_export:
+
+    mbedtls_mpi_free( &T );
+    if( ret < 0 )
+        return( ret );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * EC public key is an EC point
+ */
+static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
+                               mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t len = 0;
+    unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
+
+    if( ( ret = mbedtls_ecp_point_write_binary( &ec->grp, &ec->Q,
+                                        MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                        &len, buf, sizeof( buf ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( *p < start || (size_t)( *p - start ) < len )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *p -= len;
+    memcpy( *p, buf, len );
+
+    return( (int) len );
+}
+
+/*
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ * }
+ */
+static int pk_write_ec_param( unsigned char **p, unsigned char *start,
+                              mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t len = 0;
+    const char *oid;
+    size_t oid_len;
+
+    if( ( ret = mbedtls_oid_get_oid_by_ec_grp( ec->grp.id, &oid, &oid_len ) ) != 0 )
+        return( ret );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+
+    return( (int) len );
+}
+
+/*
+ * privateKey  OCTET STRING -- always of length ceil(log2(n)/8)
+ */
+static int pk_write_ec_private( unsigned char **p, unsigned char *start,
+                                mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t byte_length = ( ec->grp.pbits + 7 ) / 8;
+    unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
+
+    ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length );
+    if( ret != 0 )
+        goto exit;
+    ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length );
+
+exit:
+    mbedtls_platform_zeroize( tmp, byte_length );
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_C */
+
+int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
+                             const mbedtls_pk_context *key )
+{
+    int ret;
+    size_t len = 0;
+
+    PK_VALIDATE_RET( p != NULL );
+    PK_VALIDATE_RET( *p != NULL );
+    PK_VALIDATE_RET( start != NULL );
+    PK_VALIDATE_RET( key != NULL );
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_rsa_pubkey( p, start, mbedtls_pk_rsa( *key ) ) );
+    else
+#endif
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_pubkey( p, start, mbedtls_pk_ec( *key ) ) );
+    else
+#endif
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( (int) len );
+}
+
+int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char *c;
+    size_t len = 0, par_len = 0, oid_len;
+    const char *oid;
+
+    PK_VALIDATE_RET( key != NULL );
+    if( size == 0 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    PK_VALIDATE_RET( buf != NULL );
+
+    c = buf + size;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, key ) );
+
+    if( c - buf < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    /*
+     *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+     *       algorithm            AlgorithmIdentifier,
+     *       subjectPublicKey     BIT STRING }
+     */
+    *--c = 0;
+    len += 1;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) );
+
+    if( ( ret = mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_get_type( key ),
+                                       &oid, &oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, mbedtls_pk_ec( *key ) ) );
+    }
+#endif
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, buf, oid, oid_len,
+                                                        par_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char *c;
+    size_t len = 0;
+
+    PK_VALIDATE_RET( key != NULL );
+    if( size == 0 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    PK_VALIDATE_RET( buf != NULL );
+
+    c = buf + size;
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+    {
+        mbedtls_mpi T; /* Temporary holding the exported parameters */
+        mbedtls_rsa_context *rsa = mbedtls_pk_rsa( *key );
+
+        /*
+         * Export the parameters one after another to avoid simultaneous copies.
+         */
+
+        mbedtls_mpi_init( &T );
+
+        /* Export QP */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, NULL, NULL, &T ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export DQ */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, NULL, &T, NULL ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export DP */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, &T, NULL, NULL ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export Q */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         &T, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export P */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, &T,
+                                         NULL, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export D */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         NULL, &T, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export E */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         NULL, NULL, &T ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export N */
+        if ( ( ret = mbedtls_rsa_export( rsa, &T, NULL,
+                                         NULL, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+    end_of_export:
+
+        mbedtls_mpi_free( &T );
+        if( ret < 0 )
+            return( ret );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 0 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c,
+                                               buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                               MBEDTLS_ASN1_SEQUENCE ) );
+    }
+    else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        mbedtls_ecp_keypair *ec = mbedtls_pk_ec( *key );
+        size_t pub_len = 0, par_len = 0;
+
+        /*
+         * RFC 5915, or SEC1 Appendix C.4
+         *
+         * ECPrivateKey ::= SEQUENCE {
+         *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+         *      privateKey     OCTET STRING,
+         *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+         *      publicKey  [1] BIT STRING OPTIONAL
+         *    }
+         */
+
+        /* publicKey */
+        MBEDTLS_ASN1_CHK_ADD( pub_len, pk_write_ec_pubkey( &c, buf, ec ) );
+
+        if( c - buf < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+        *--c = 0;
+        pub_len += 1;
+
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_len( &c, buf, pub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) );
+
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_len( &c, buf, pub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_tag( &c, buf,
+                            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) );
+        len += pub_len;
+
+        /* parameters */
+        MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, ec ) );
+
+        MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_len( &c, buf, par_len ) );
+        MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_tag( &c, buf,
+                            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+        len += par_len;
+
+        /* privateKey */
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_private( &c, buf, ec ) );
+
+        /* version */
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 1 ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+    }
+    else
+#endif /* MBEDTLS_ECP_C */
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( (int) len );
+}
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+
+#define PEM_BEGIN_PUBLIC_KEY    "-----BEGIN PUBLIC KEY-----\n"
+#define PEM_END_PUBLIC_KEY      "-----END PUBLIC KEY-----\n"
+
+#define PEM_BEGIN_PRIVATE_KEY_RSA   "-----BEGIN RSA PRIVATE KEY-----\n"
+#define PEM_END_PRIVATE_KEY_RSA     "-----END RSA PRIVATE KEY-----\n"
+#define PEM_BEGIN_PRIVATE_KEY_EC    "-----BEGIN EC PRIVATE KEY-----\n"
+#define PEM_END_PRIVATE_KEY_EC      "-----END EC PRIVATE KEY-----\n"
+
+/*
+ * Max sizes of key per types. Shown as tag + len (+ content).
+ */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * RSA public keys:
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {          1 + 3
+ *       algorithm            AlgorithmIdentifier,  1 + 1 (sequence)
+ *                                                + 1 + 1 + 9 (rsa oid)
+ *                                                + 1 + 1 (params null)
+ *       subjectPublicKey     BIT STRING }          1 + 3 + (1 + below)
+ *  RSAPublicKey ::= SEQUENCE {                     1 + 3
+ *      modulus           INTEGER,  -- n            1 + 3 + MPI_MAX + 1
+ *      publicExponent    INTEGER   -- e            1 + 3 + MPI_MAX + 1
+ *  }
+ */
+#define RSA_PUB_DER_MAX_BYTES   38 + 2 * MBEDTLS_MPI_MAX_SIZE
+
+/*
+ * RSA private keys:
+ *  RSAPrivateKey ::= SEQUENCE {                    1 + 3
+ *      version           Version,                  1 + 1 + 1
+ *      modulus           INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      publicExponent    INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      privateExponent   INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      prime1            INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      prime2            INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      exponent1         INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      exponent2         INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      coefficient       INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      otherPrimeInfos   OtherPrimeInfos OPTIONAL  0 (not supported)
+ *  }
+ */
+#define MPI_MAX_SIZE_2          MBEDTLS_MPI_MAX_SIZE / 2 + \
+                                MBEDTLS_MPI_MAX_SIZE % 2
+#define RSA_PRV_DER_MAX_BYTES   47 + 3 * MBEDTLS_MPI_MAX_SIZE \
+                                   + 5 * MPI_MAX_SIZE_2
+
+#else /* MBEDTLS_RSA_C */
+
+#define RSA_PUB_DER_MAX_BYTES   0
+#define RSA_PRV_DER_MAX_BYTES   0
+
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * EC public keys:
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {      1 + 2
+ *    algorithm         AlgorithmIdentifier,    1 + 1 (sequence)
+ *                                            + 1 + 1 + 7 (ec oid)
+ *                                            + 1 + 1 + 9 (namedCurve oid)
+ *    subjectPublicKey  BIT STRING              1 + 2 + 1               [1]
+ *                                            + 1 (point format)        [1]
+ *                                            + 2 * ECP_MAX (coords)    [1]
+ *  }
+ */
+#define ECP_PUB_DER_MAX_BYTES   30 + 2 * MBEDTLS_ECP_MAX_BYTES
+
+/*
+ * EC private keys:
+ * ECPrivateKey ::= SEQUENCE {                  1 + 2
+ *      version        INTEGER ,                1 + 1 + 1
+ *      privateKey     OCTET STRING,            1 + 1 + ECP_MAX
+ *      parameters [0] ECParameters OPTIONAL,   1 + 1 + (1 + 1 + 9)
+ *      publicKey  [1] BIT STRING OPTIONAL      1 + 2 + [1] above
+ *    }
+ */
+#define ECP_PRV_DER_MAX_BYTES   29 + 3 * MBEDTLS_ECP_MAX_BYTES
+
+#else /* MBEDTLS_ECP_C */
+
+#define ECP_PUB_DER_MAX_BYTES   0
+#define ECP_PRV_DER_MAX_BYTES   0
+
+#endif /* MBEDTLS_ECP_C */
+
+#define PUB_DER_MAX_BYTES   RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
+                            RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES
+#define PRV_DER_MAX_BYTES   RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \
+                            RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES
+
+int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char output_buf[PUB_DER_MAX_BYTES];
+    size_t olen = 0;
+
+    PK_VALIDATE_RET( key != NULL );
+    PK_VALIDATE_RET( buf != NULL || size == 0 );
+
+    if( ( ret = mbedtls_pk_write_pubkey_der( key, output_buf,
+                                     sizeof(output_buf) ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_pk_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char output_buf[PRV_DER_MAX_BYTES];
+    const char *begin, *end;
+    size_t olen = 0;
+
+    PK_VALIDATE_RET( key != NULL );
+    PK_VALIDATE_RET( buf != NULL || size == 0 );
+
+    if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+    {
+        begin = PEM_BEGIN_PRIVATE_KEY_RSA;
+        end = PEM_END_PRIVATE_KEY_RSA;
+    }
+    else
+#endif
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        begin = PEM_BEGIN_PRIVATE_KEY_EC;
+        end = PEM_END_PRIVATE_KEY_EC;
+    }
+    else
+#endif
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    if( ( ret = mbedtls_pem_write_buffer( begin, end,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_PK_WRITE_C */
diff --git a/ctrtool/deps/libmbedtls/src/platform.c b/ctrtool/deps/libmbedtls/src/platform.c
new file mode 100644
index 00000000..73a6db9e
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/platform.c
@@ -0,0 +1,348 @@
+/*
+ *  Platform abstraction layer
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+/* The compile time configuration of memory allocation via the macros
+ * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
+ * configuration via mbedtls_platform_set_calloc_free(). So, omit everything
+ * related to the latter if MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO are defined. */
+#if defined(MBEDTLS_PLATFORM_MEMORY) &&                 \
+    !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&        \
+       defined(MBEDTLS_PLATFORM_FREE_MACRO) )
+
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+static void *platform_calloc_uninit( size_t n, size_t size )
+{
+    ((void) n);
+    ((void) size);
+    return( NULL );
+}
+
+#define MBEDTLS_PLATFORM_STD_CALLOC   platform_calloc_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_CALLOC */
+
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+static void platform_free_uninit( void *ptr )
+{
+    ((void) ptr);
+}
+
+#define MBEDTLS_PLATFORM_STD_FREE     platform_free_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FREE */
+
+static void * (*mbedtls_calloc_func)( size_t, size_t ) = MBEDTLS_PLATFORM_STD_CALLOC;
+static void (*mbedtls_free_func)( void * ) = MBEDTLS_PLATFORM_STD_FREE;
+
+void * mbedtls_calloc( size_t nmemb, size_t size )
+{
+    return (*mbedtls_calloc_func)( nmemb, size );
+}
+
+void mbedtls_free( void * ptr )
+{
+    (*mbedtls_free_func)( ptr );
+}
+
+int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
+                              void (*free_func)( void * ) )
+{
+    mbedtls_calloc_func = calloc_func;
+    mbedtls_free_func = free_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_MEMORY &&
+          !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&
+             defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */
+
+#if defined(_WIN32)
+#include <stdarg.h>
+int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... )
+{
+    int ret;
+    va_list argp;
+
+    /* Avoid calling the invalid parameter handler by checking ourselves */
+    if( s == NULL || n == 0 || fmt == NULL )
+        return( -1 );
+
+    va_start( argp, fmt );
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
+    ret = _vsnprintf_s( s, n, _TRUNCATE, fmt, argp );
+#else
+    ret = _vsnprintf( s, n, fmt, argp );
+    if( ret < 0 || (size_t) ret == n )
+    {
+        s[n-1] = '\0';
+        ret = -1;
+    }
+#endif
+    va_end( argp );
+
+    return( ret );
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_snprintf_uninit( char * s, size_t n,
+                                     const char * format, ... )
+{
+    ((void) s);
+    ((void) n);
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_SNPRINTF    platform_snprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SNPRINTF */
+
+int (*mbedtls_snprintf)( char * s, size_t n,
+                          const char * format,
+                          ... ) = MBEDTLS_PLATFORM_STD_SNPRINTF;
+
+int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
+                                                 const char * format,
+                                                 ... ) )
+{
+    mbedtls_snprintf = snprintf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_printf_uninit( const char *format, ... )
+{
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_PRINTF    platform_printf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_PRINTF */
+
+int (*mbedtls_printf)( const char *, ... ) = MBEDTLS_PLATFORM_STD_PRINTF;
+
+int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) )
+{
+    mbedtls_printf = printf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_fprintf_uninit( FILE *stream, const char *format, ... )
+{
+    ((void) stream);
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_FPRINTF   platform_fprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FPRINTF */
+
+int (*mbedtls_fprintf)( FILE *, const char *, ... ) =
+                                        MBEDTLS_PLATFORM_STD_FPRINTF;
+
+int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *, const char *, ... ) )
+{
+    mbedtls_fprintf = fprintf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_exit_uninit( int status )
+{
+    ((void) status);
+}
+
+#define MBEDTLS_PLATFORM_STD_EXIT   platform_exit_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_EXIT */
+
+void (*mbedtls_exit)( int status ) = MBEDTLS_PLATFORM_STD_EXIT;
+
+int mbedtls_platform_set_exit( void (*exit_func)( int status ) )
+{
+    mbedtls_exit = exit_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME)
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static mbedtls_time_t platform_time_uninit( mbedtls_time_t* timer )
+{
+    ((void) timer);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_TIME   platform_time_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_TIME */
+
+mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* timer ) = MBEDTLS_PLATFORM_STD_TIME;
+
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* timer ) )
+{
+    mbedtls_time = time_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Default implementations for the platform independent seed functions use
+ * standard libc file functions to read from and write to a pre-defined filename
+ */
+int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len )
+{
+    FILE *file;
+    size_t n;
+
+    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb" ) ) == NULL )
+        return( -1 );
+
+    if( ( n = fread( buf, 1, buf_len, file ) ) != buf_len )
+    {
+        fclose( file );
+        mbedtls_platform_zeroize( buf, buf_len );
+        return( -1 );
+    }
+
+    fclose( file );
+    return( (int)n );
+}
+
+int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len )
+{
+    FILE *file;
+    size_t n;
+
+    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w" ) ) == NULL )
+        return -1;
+
+    if( ( n = fwrite( buf, 1, buf_len, file ) ) != buf_len )
+    {
+        fclose( file );
+        return -1;
+    }
+
+    fclose( file );
+    return( (int)n );
+}
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_read_uninit( unsigned char *buf, size_t buf_len )
+{
+    ((void) buf);
+    ((void) buf_len);
+    return( -1 );
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   platform_nv_seed_read_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_READ */
+
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_write_uninit( unsigned char *buf, size_t buf_len )
+{
+    ((void) buf);
+    ((void) buf_len);
+    return( -1 );
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE   platform_nv_seed_write_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_WRITE */
+
+int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len ) =
+            MBEDTLS_PLATFORM_STD_NV_SEED_READ;
+int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len ) =
+            MBEDTLS_PLATFORM_STD_NV_SEED_WRITE;
+
+int mbedtls_platform_set_nv_seed(
+        int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ),
+        int (*nv_seed_write_func)( unsigned char *buf, size_t buf_len ) )
+{
+    mbedtls_nv_seed_read = nv_seed_read_func;
+    mbedtls_nv_seed_write = nv_seed_write_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+/*
+ * Placeholder platform setup that does nothing by default
+ */
+int mbedtls_platform_setup( mbedtls_platform_context *ctx )
+{
+    (void)ctx;
+
+    return( 0 );
+}
+
+/*
+ * Placeholder platform teardown that does nothing by default
+ */
+void mbedtls_platform_teardown( mbedtls_platform_context *ctx )
+{
+    (void)ctx;
+}
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+#endif /* MBEDTLS_PLATFORM_C */
diff --git a/ctrtool/deps/libmbedtls/src/platform_util.c b/ctrtool/deps/libmbedtls/src/platform_util.c
new file mode 100644
index 00000000..b1f74509
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/platform_util.c
@@ -0,0 +1,139 @@
+/*
+ * Common and shared functions used by multiple modules in the Mbed TLS
+ * library.
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/threading.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
+/*
+ * This implementation should never be optimized out by the compiler
+ *
+ * This implementation for mbedtls_platform_zeroize() was inspired from Colin
+ * Percival's blog article at:
+ *
+ * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
+ *
+ * It uses a volatile function pointer to the standard memset(). Because the
+ * pointer is volatile the compiler expects it to change at
+ * any time and will not optimize out the call that could potentially perform
+ * other operations on the input buffer instead of just setting it to 0.
+ * Nevertheless, as pointed out by davidtgoldblatt on Hacker News
+ * (refer to http://www.daemonology.net/blog/2014-09-05-erratum.html for
+ * details), optimizations of the following form are still possible:
+ *
+ * if( memset_func != memset )
+ *     memset_func( buf, 0, len );
+ *
+ * Note that it is extremely difficult to guarantee that
+ * mbedtls_platform_zeroize() will not be optimized out by aggressive compilers
+ * in a portable way. For this reason, Mbed TLS also provides the configuration
+ * option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ * mbedtls_platform_zeroize() to use a suitable implementation for their
+ * platform and needs.
+ */
+static void * (* const volatile memset_func)( void *, int, size_t ) = memset;
+
+void mbedtls_platform_zeroize( void *buf, size_t len )
+{
+    MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL );
+
+    if( len > 0 )
+        memset_func( buf, 0, len );
+}
+#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+#include <time.h>
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define PLATFORM_UTIL_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+
+struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
+                                      struct tm *tm_buf )
+{
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    return( ( gmtime_s( tm_buf, tt ) == 0 ) ? tm_buf : NULL );
+#elif !defined(PLATFORM_UTIL_USE_GMTIME)
+    return( gmtime_r( tt, tm_buf ) );
+#else
+    struct tm *lt;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( NULL );
+#endif /* MBEDTLS_THREADING_C */
+
+    lt = gmtime( tt );
+
+    if( lt != NULL )
+    {
+        memcpy( tm_buf, lt, sizeof( struct tm ) );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( NULL );
+#endif /* MBEDTLS_THREADING_C */
+
+    return( ( lt == NULL ) ? NULL : tm_buf );
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
diff --git a/ctrtool/deps/libmbedtls/src/poly1305.c b/ctrtool/deps/libmbedtls/src/poly1305.c
new file mode 100644
index 00000000..2b56c5f7
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/poly1305.c
@@ -0,0 +1,559 @@
+/**
+ * \file poly1305.c
+ *
+ * \brief Poly1305 authentication algorithm.
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+
+#include "mbedtls/poly1305.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define POLY1305_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define POLY1305_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                     \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )   \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )  \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )  \
+    )
+
+/*
+ * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
+ * However we provided an alternative for platforms without such a multiplier.
+ */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+static uint64_t mul64( uint32_t a, uint32_t b )
+{
+    /* a = al + 2**16 ah, b = bl + 2**16 bh */
+    const uint16_t al = (uint16_t) a;
+    const uint16_t bl = (uint16_t) b;
+    const uint16_t ah = a >> 16;
+    const uint16_t bh = b >> 16;
+
+    /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
+    const uint32_t lo = (uint32_t) al * bl;
+    const uint64_t me = (uint64_t)( (uint32_t) ah * bl ) + (uint32_t) al * bh;
+    const uint32_t hi = (uint32_t) ah * bh;
+
+    return( lo + ( me << 16 ) + ( (uint64_t) hi << 32 ) );
+}
+#else
+static inline uint64_t mul64( uint32_t a, uint32_t b )
+{
+    return( (uint64_t) a * b );
+}
+#endif
+
+
+/**
+ * \brief                   Process blocks with Poly1305.
+ *
+ * \param ctx               The Poly1305 context.
+ * \param nblocks           Number of blocks to process. Note that this
+ *                          function only processes full blocks.
+ * \param input             Buffer containing the input block(s).
+ * \param needs_padding     Set to 0 if the padding bit has already been
+ *                          applied to the input data before calling this
+ *                          function.  Otherwise, set this parameter to 1.
+ */
+static void poly1305_process( mbedtls_poly1305_context *ctx,
+                              size_t nblocks,
+                              const unsigned char *input,
+                              uint32_t needs_padding )
+{
+    uint64_t d0, d1, d2, d3;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t r0, r1, r2, r3;
+    uint32_t rs1, rs2, rs3;
+    size_t offset  = 0U;
+    size_t i;
+
+    r0 = ctx->r[0];
+    r1 = ctx->r[1];
+    r2 = ctx->r[2];
+    r3 = ctx->r[3];
+
+    rs1 = r1 + ( r1 >> 2U );
+    rs2 = r2 + ( r2 >> 2U );
+    rs3 = r3 + ( r3 >> 2U );
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Process full blocks */
+    for( i = 0U; i < nblocks; i++ )
+    {
+        /* The input block is treated as a 128-bit little-endian integer */
+        d0   = BYTES_TO_U32_LE( input, offset + 0  );
+        d1   = BYTES_TO_U32_LE( input, offset + 4  );
+        d2   = BYTES_TO_U32_LE( input, offset + 8  );
+        d3   = BYTES_TO_U32_LE( input, offset + 12 );
+
+        /* Compute: acc += (padded) block as a 130-bit integer */
+        d0  += (uint64_t) acc0;
+        d1  += (uint64_t) acc1 + ( d0 >> 32U );
+        d2  += (uint64_t) acc2 + ( d1 >> 32U );
+        d3  += (uint64_t) acc3 + ( d2 >> 32U );
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding;
+
+        /* Compute: acc *= r */
+        d0 = mul64( acc0, r0  ) +
+             mul64( acc1, rs3 ) +
+             mul64( acc2, rs2 ) +
+             mul64( acc3, rs1 );
+        d1 = mul64( acc0, r1  ) +
+             mul64( acc1, r0  ) +
+             mul64( acc2, rs3 ) +
+             mul64( acc3, rs2 ) +
+             mul64( acc4, rs1 );
+        d2 = mul64( acc0, r2  ) +
+             mul64( acc1, r1  ) +
+             mul64( acc2, r0  ) +
+             mul64( acc3, rs3 ) +
+             mul64( acc4, rs2 );
+        d3 = mul64( acc0, r3  ) +
+             mul64( acc1, r2  ) +
+             mul64( acc2, r1  ) +
+             mul64( acc3, r0  ) +
+             mul64( acc4, rs3 );
+        acc4 *= r0;
+
+        /* Compute: acc %= (2^130 - 5) (partial remainder) */
+        d1 += ( d0 >> 32 );
+        d2 += ( d1 >> 32 );
+        d3 += ( d2 >> 32 );
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 = (uint32_t) ( d3 >> 32 ) + acc4;
+
+        d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU );
+        acc4 &= 3U;
+        acc0 = (uint32_t) d0;
+        d0 = (uint64_t) acc1 + ( d0 >> 32U );
+        acc1 = (uint32_t) d0;
+        d0 = (uint64_t) acc2 + ( d0 >> 32U );
+        acc2 = (uint32_t) d0;
+        d0 = (uint64_t) acc3 + ( d0 >> 32U );
+        acc3 = (uint32_t) d0;
+        d0 = (uint64_t) acc4 + ( d0 >> 32U );
+        acc4 = (uint32_t) d0;
+
+        offset    += POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    ctx->acc[0] = acc0;
+    ctx->acc[1] = acc1;
+    ctx->acc[2] = acc2;
+    ctx->acc[3] = acc3;
+    ctx->acc[4] = acc4;
+}
+
+/**
+ * \brief                   Compute the Poly1305 MAC
+ *
+ * \param ctx               The Poly1305 context.
+ * \param mac               The buffer to where the MAC is written. Must be
+ *                          big enough to contain the 16-byte MAC.
+ */
+static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
+                                  unsigned char mac[16] )
+{
+    uint64_t d;
+    uint32_t g0, g1, g2, g3, g4;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t mask;
+    uint32_t mask_inv;
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
+     * We do this by calculating acc - (2^130 - 5), then checking if
+     * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
+     */
+
+    /* Calculate acc + -(2^130 - 5) */
+    d  = ( (uint64_t) acc0 + 5U );
+    g0 = (uint32_t) d;
+    d  = ( (uint64_t) acc1 + ( d >> 32 ) );
+    g1 = (uint32_t) d;
+    d  = ( (uint64_t) acc2 + ( d >> 32 ) );
+    g2 = (uint32_t) d;
+    d  = ( (uint64_t) acc3 + ( d >> 32 ) );
+    g3 = (uint32_t) d;
+    g4 = acc4 + (uint32_t) ( d >> 32U );
+
+    /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
+    mask = (uint32_t) 0U - ( g4 >> 2U );
+    mask_inv = ~mask;
+
+    /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
+    acc0 = ( acc0 & mask_inv ) | ( g0 & mask );
+    acc1 = ( acc1 & mask_inv ) | ( g1 & mask );
+    acc2 = ( acc2 & mask_inv ) | ( g2 & mask );
+    acc3 = ( acc3 & mask_inv ) | ( g3 & mask );
+
+    /* Add 's' */
+    d = (uint64_t) acc0 + ctx->s[0];
+    acc0 = (uint32_t) d;
+    d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U );
+    acc1 = (uint32_t) d;
+    d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U );
+    acc2 = (uint32_t) d;
+    acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
+
+    /* Compute MAC (128 least significant bits of the accumulator) */
+    mac[ 0] = (unsigned char)( acc0       );
+    mac[ 1] = (unsigned char)( acc0 >>  8 );
+    mac[ 2] = (unsigned char)( acc0 >> 16 );
+    mac[ 3] = (unsigned char)( acc0 >> 24 );
+    mac[ 4] = (unsigned char)( acc1       );
+    mac[ 5] = (unsigned char)( acc1 >>  8 );
+    mac[ 6] = (unsigned char)( acc1 >> 16 );
+    mac[ 7] = (unsigned char)( acc1 >> 24 );
+    mac[ 8] = (unsigned char)( acc2       );
+    mac[ 9] = (unsigned char)( acc2 >>  8 );
+    mac[10] = (unsigned char)( acc2 >> 16 );
+    mac[11] = (unsigned char)( acc2 >> 24 );
+    mac[12] = (unsigned char)( acc3       );
+    mac[13] = (unsigned char)( acc3 >>  8 );
+    mac[14] = (unsigned char)( acc3 >> 16 );
+    mac[15] = (unsigned char)( acc3 >> 24 );
+}
+
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
+{
+    POLY1305_VALIDATE( ctx != NULL );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+}
+
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+}
+
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+                             const unsigned char key[32] )
+{
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( key != NULL );
+
+    /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
+    ctx->r[0] = BYTES_TO_U32_LE( key, 0 )  & 0x0FFFFFFFU;
+    ctx->r[1] = BYTES_TO_U32_LE( key, 4 )  & 0x0FFFFFFCU;
+    ctx->r[2] = BYTES_TO_U32_LE( key, 8 )  & 0x0FFFFFFCU;
+    ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU;
+
+    ctx->s[0] = BYTES_TO_U32_LE( key, 16 );
+    ctx->s[1] = BYTES_TO_U32_LE( key, 20 );
+    ctx->s[2] = BYTES_TO_U32_LE( key, 24 );
+    ctx->s[3] = BYTES_TO_U32_LE( key, 28 );
+
+    /* Initial accumulator state */
+    ctx->acc[0] = 0U;
+    ctx->acc[1] = 0U;
+    ctx->acc[2] = 0U;
+    ctx->acc[3] = 0U;
+    ctx->acc[4] = 0U;
+
+    /* Queue initially empty */
+    mbedtls_platform_zeroize( ctx->queue, sizeof( ctx->queue ) );
+    ctx->queue_len = 0U;
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen )
+{
+    size_t offset    = 0U;
+    size_t remaining = ilen;
+    size_t queue_free_len;
+    size_t nblocks;
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
+    {
+        queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+        if( ilen < queue_free_len )
+        {
+            /* Not enough data to complete the block.
+             * Store this data with the other leftovers.
+             */
+            memcpy( &ctx->queue[ctx->queue_len],
+                    input,
+                    ilen );
+
+            ctx->queue_len += ilen;
+
+            remaining = 0U;
+        }
+        else
+        {
+            /* Enough data to produce a complete block */
+            memcpy( &ctx->queue[ctx->queue_len],
+                    input,
+                    queue_free_len );
+
+            ctx->queue_len = 0U;
+
+            poly1305_process( ctx, 1U, ctx->queue, 1U ); /* add padding bit */
+
+            offset    += queue_free_len;
+            remaining -= queue_free_len;
+        }
+    }
+
+    if( remaining >= POLY1305_BLOCK_SIZE_BYTES )
+    {
+        nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
+
+        poly1305_process( ctx, nblocks, &input[offset], 1U );
+
+        offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
+        remaining %= POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    if( remaining > 0U )
+    {
+        /* Store partial block */
+        ctx->queue_len = remaining;
+        memcpy( ctx->queue, &input[offset], remaining );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+                             unsigned char mac[16] )
+{
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( mac != NULL );
+
+    /* Process any leftover data */
+    if( ctx->queue_len > 0U )
+    {
+        /* Add padding bit */
+        ctx->queue[ctx->queue_len] = 1U;
+        ctx->queue_len++;
+
+        /* Pad with zeroes */
+        memset( &ctx->queue[ctx->queue_len],
+                0,
+                POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+        poly1305_process( ctx, 1U,          /* Process 1 block */
+                          ctx->queue, 0U ); /* Already padded above */
+    }
+
+    poly1305_compute_mac( ctx, mac );
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_mac( const unsigned char key[32],
+                          const unsigned char *input,
+                          size_t ilen,
+                          unsigned char mac[16] )
+{
+    mbedtls_poly1305_context ctx;
+    int ret;
+    POLY1305_VALIDATE_RET( key != NULL );
+    POLY1305_VALIDATE_RET( mac != NULL );
+    POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    mbedtls_poly1305_init( &ctx );
+
+    ret = mbedtls_poly1305_starts( &ctx, key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_update( &ctx, input, ilen );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_finish( &ctx, mac );
+
+cleanup:
+    mbedtls_poly1305_free( &ctx );
+    return( ret );
+}
+
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+    {
+        0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+        0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+        0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+        0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
+    },
+    {
+        0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
+        0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
+        0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
+        0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+    }
+};
+
+static const unsigned char test_data[2][127] =
+{
+    {
+        0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+        0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+        0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+        0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+        0x75, 0x70
+    },
+    {
+        0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
+        0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+        0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
+        0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
+        0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
+        0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
+        0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
+        0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
+        0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
+        0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
+        0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
+        0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
+        0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
+        0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
+    }
+};
+
+static const size_t test_data_len[2] =
+{
+    34U,
+    127U
+};
+
+static const unsigned char test_mac[2][16] =
+{
+    {
+        0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+        0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
+    },
+    {
+        0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
+        0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
+    }
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_poly1305_self_test( int verbose )
+{
+    unsigned char mac[16];
+    unsigned i;
+    int ret;
+
+    for( i = 0U; i < 2U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  Poly1305 test %u ", i );
+
+        ret = mbedtls_poly1305_mac( test_keys[i],
+                                    test_data[i],
+                                    test_data_len[i],
+                                    mac );
+        ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_POLY1305_C */
diff --git a/ctrtool/deps/libmbedtls/src/ripemd160.c b/ctrtool/deps/libmbedtls/src/ripemd160.c
new file mode 100644
index 00000000..0791ae4c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ripemd160.c
@@ -0,0 +1,559 @@
+/*
+ *  RIPE MD-160 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The RIPEMD-160 algorithm was designed by RIPE in 1996
+ *  http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html
+ *  http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ripemd160_context ) );
+}
+
+void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ripemd160_context ) );
+}
+
+void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
+                        const mbedtls_ripemd160_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * RIPEMD-160 context setup
+ */
+int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx )
+{
+    mbedtls_ripemd160_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+/*
+ * Process one block
+ */
+int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                        const unsigned char data[64] )
+{
+    uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+
+    GET_UINT32_LE( X[ 0], data,  0 );
+    GET_UINT32_LE( X[ 1], data,  4 );
+    GET_UINT32_LE( X[ 2], data,  8 );
+    GET_UINT32_LE( X[ 3], data, 12 );
+    GET_UINT32_LE( X[ 4], data, 16 );
+    GET_UINT32_LE( X[ 5], data, 20 );
+    GET_UINT32_LE( X[ 6], data, 24 );
+    GET_UINT32_LE( X[ 7], data, 28 );
+    GET_UINT32_LE( X[ 8], data, 32 );
+    GET_UINT32_LE( X[ 9], data, 36 );
+    GET_UINT32_LE( X[10], data, 40 );
+    GET_UINT32_LE( X[11], data, 44 );
+    GET_UINT32_LE( X[12], data, 48 );
+    GET_UINT32_LE( X[13], data, 52 );
+    GET_UINT32_LE( X[14], data, 56 );
+    GET_UINT32_LE( X[15], data, 60 );
+
+    A = Ap = ctx->state[0];
+    B = Bp = ctx->state[1];
+    C = Cp = ctx->state[2];
+    D = Dp = ctx->state[3];
+    E = Ep = ctx->state[4];
+
+#define F1( x, y, z )   ( (x) ^ (y) ^ (z) )
+#define F2( x, y, z )   ( ( (x) & (y) ) | ( ~(x) & (z) ) )
+#define F3( x, y, z )   ( ( (x) | ~(y) ) ^ (z) )
+#define F4( x, y, z )   ( ( (x) & (z) ) | ( (y) & ~(z) ) )
+#define F5( x, y, z )   ( (x) ^ ( (y) | ~(z) ) )
+
+#define S( x, n ) ( ( (x) << (n) ) | ( (x) >> (32 - (n)) ) )
+
+#define P( a, b, c, d, e, r, s, f, k )                \
+    do                                                \
+    {                                                 \
+        (a) += f( (b), (c), (d) ) + X[r] + (k);       \
+        (a) = S( (a), (s) ) + (e);                    \
+        (c) = S( (c), 10 );                           \
+    } while( 0 )
+
+#define P2( a, b, c, d, e, r, s, rp, sp )                               \
+    do                                                                  \
+    {                                                                   \
+        P( (a), (b), (c), (d), (e), (r), (s), F, K );                   \
+        P( a ## p, b ## p, c ## p, d ## p, e ## p,                      \
+           (rp), (sp), Fp, Kp );                                        \
+    } while( 0 )
+
+#define F   F1
+#define K   0x00000000
+#define Fp  F5
+#define Kp  0x50A28BE6
+    P2( A, B, C, D, E,  0, 11,  5,  8 );
+    P2( E, A, B, C, D,  1, 14, 14,  9 );
+    P2( D, E, A, B, C,  2, 15,  7,  9 );
+    P2( C, D, E, A, B,  3, 12,  0, 11 );
+    P2( B, C, D, E, A,  4,  5,  9, 13 );
+    P2( A, B, C, D, E,  5,  8,  2, 15 );
+    P2( E, A, B, C, D,  6,  7, 11, 15 );
+    P2( D, E, A, B, C,  7,  9,  4,  5 );
+    P2( C, D, E, A, B,  8, 11, 13,  7 );
+    P2( B, C, D, E, A,  9, 13,  6,  7 );
+    P2( A, B, C, D, E, 10, 14, 15,  8 );
+    P2( E, A, B, C, D, 11, 15,  8, 11 );
+    P2( D, E, A, B, C, 12,  6,  1, 14 );
+    P2( C, D, E, A, B, 13,  7, 10, 14 );
+    P2( B, C, D, E, A, 14,  9,  3, 12 );
+    P2( A, B, C, D, E, 15,  8, 12,  6 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F2
+#define K   0x5A827999
+#define Fp  F4
+#define Kp  0x5C4DD124
+    P2( E, A, B, C, D,  7,  7,  6,  9 );
+    P2( D, E, A, B, C,  4,  6, 11, 13 );
+    P2( C, D, E, A, B, 13,  8,  3, 15 );
+    P2( B, C, D, E, A,  1, 13,  7,  7 );
+    P2( A, B, C, D, E, 10, 11,  0, 12 );
+    P2( E, A, B, C, D,  6,  9, 13,  8 );
+    P2( D, E, A, B, C, 15,  7,  5,  9 );
+    P2( C, D, E, A, B,  3, 15, 10, 11 );
+    P2( B, C, D, E, A, 12,  7, 14,  7 );
+    P2( A, B, C, D, E,  0, 12, 15,  7 );
+    P2( E, A, B, C, D,  9, 15,  8, 12 );
+    P2( D, E, A, B, C,  5,  9, 12,  7 );
+    P2( C, D, E, A, B,  2, 11,  4,  6 );
+    P2( B, C, D, E, A, 14,  7,  9, 15 );
+    P2( A, B, C, D, E, 11, 13,  1, 13 );
+    P2( E, A, B, C, D,  8, 12,  2, 11 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F3
+#define K   0x6ED9EBA1
+#define Fp  F3
+#define Kp  0x6D703EF3
+    P2( D, E, A, B, C,  3, 11, 15,  9 );
+    P2( C, D, E, A, B, 10, 13,  5,  7 );
+    P2( B, C, D, E, A, 14,  6,  1, 15 );
+    P2( A, B, C, D, E,  4,  7,  3, 11 );
+    P2( E, A, B, C, D,  9, 14,  7,  8 );
+    P2( D, E, A, B, C, 15,  9, 14,  6 );
+    P2( C, D, E, A, B,  8, 13,  6,  6 );
+    P2( B, C, D, E, A,  1, 15,  9, 14 );
+    P2( A, B, C, D, E,  2, 14, 11, 12 );
+    P2( E, A, B, C, D,  7,  8,  8, 13 );
+    P2( D, E, A, B, C,  0, 13, 12,  5 );
+    P2( C, D, E, A, B,  6,  6,  2, 14 );
+    P2( B, C, D, E, A, 13,  5, 10, 13 );
+    P2( A, B, C, D, E, 11, 12,  0, 13 );
+    P2( E, A, B, C, D,  5,  7,  4,  7 );
+    P2( D, E, A, B, C, 12,  5, 13,  5 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F4
+#define K   0x8F1BBCDC
+#define Fp  F2
+#define Kp  0x7A6D76E9
+    P2( C, D, E, A, B,  1, 11,  8, 15 );
+    P2( B, C, D, E, A,  9, 12,  6,  5 );
+    P2( A, B, C, D, E, 11, 14,  4,  8 );
+    P2( E, A, B, C, D, 10, 15,  1, 11 );
+    P2( D, E, A, B, C,  0, 14,  3, 14 );
+    P2( C, D, E, A, B,  8, 15, 11, 14 );
+    P2( B, C, D, E, A, 12,  9, 15,  6 );
+    P2( A, B, C, D, E,  4,  8,  0, 14 );
+    P2( E, A, B, C, D, 13,  9,  5,  6 );
+    P2( D, E, A, B, C,  3, 14, 12,  9 );
+    P2( C, D, E, A, B,  7,  5,  2, 12 );
+    P2( B, C, D, E, A, 15,  6, 13,  9 );
+    P2( A, B, C, D, E, 14,  8,  9, 12 );
+    P2( E, A, B, C, D,  5,  6,  7,  5 );
+    P2( D, E, A, B, C,  6,  5, 10, 15 );
+    P2( C, D, E, A, B,  2, 12, 14,  8 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F5
+#define K   0xA953FD4E
+#define Fp  F1
+#define Kp  0x00000000
+    P2( B, C, D, E, A,  4,  9, 12,  8 );
+    P2( A, B, C, D, E,  0, 15, 15,  5 );
+    P2( E, A, B, C, D,  5,  5, 10, 12 );
+    P2( D, E, A, B, C,  9, 11,  4,  9 );
+    P2( C, D, E, A, B,  7,  6,  1, 12 );
+    P2( B, C, D, E, A, 12,  8,  5,  5 );
+    P2( A, B, C, D, E,  2, 13,  8, 14 );
+    P2( E, A, B, C, D, 10, 12,  7,  6 );
+    P2( D, E, A, B, C, 14,  5,  6,  8 );
+    P2( C, D, E, A, B,  1, 12,  2, 13 );
+    P2( B, C, D, E, A,  3, 13, 13,  6 );
+    P2( A, B, C, D, E,  8, 14, 14,  5 );
+    P2( E, A, B, C, D, 11, 11,  0, 15 );
+    P2( D, E, A, B, C,  6,  8,  3, 13 );
+    P2( C, D, E, A, B, 15,  5,  9, 11 );
+    P2( B, C, D, E, A, 13,  6, 11, 11 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+    C             = ctx->state[1] + C + Dp;
+    ctx->state[1] = ctx->state[2] + D + Ep;
+    ctx->state[2] = ctx->state[3] + E + Ap;
+    ctx->state[3] = ctx->state[4] + A + Bp;
+    ctx->state[4] = ctx->state[0] + B + Cp;
+    ctx->state[0] = C;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                const unsigned char data[64] )
+{
+    mbedtls_internal_ripemd160_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */
+
+/*
+ * RIPEMD-160 process buffer
+ */
+int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx,
+                                  const unsigned char *input,
+                                  size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_ripemd160_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_ripemd160_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    mbedtls_ripemd160_update_ret( ctx, input, ilen );
+}
+#endif
+
+static const unsigned char ripemd160_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * RIPEMD-160 final digest
+ */
+int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx,
+                                  unsigned char output[20] )
+{
+    int ret;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  msglen, 0 );
+    PUT_UINT32_LE( high, msglen, 4 );
+
+    last = ctx->total[0] & 0x3F;
+    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+    ret = mbedtls_ripemd160_update_ret( ctx, ripemd160_padding, padn );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_ripemd160_update_ret( ctx, msglen, 8 );
+    if( ret != 0 )
+        return( ret );
+
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+    PUT_UINT32_LE( ctx->state[4], output, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx,
+                               unsigned char output[20] )
+{
+    mbedtls_ripemd160_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* ! MBEDTLS_RIPEMD160_ALT */
+
+/*
+ * output = RIPEMD-160( input buffer )
+ */
+int mbedtls_ripemd160_ret( const unsigned char *input,
+                           size_t ilen,
+                           unsigned char output[20] )
+{
+    int ret;
+    mbedtls_ripemd160_context ctx;
+
+    mbedtls_ripemd160_init( &ctx );
+
+    if( ( ret = mbedtls_ripemd160_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_ripemd160_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_ripemd160_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_ripemd160_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[20] )
+{
+    mbedtls_ripemd160_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Test vectors from the RIPEMD-160 paper and
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC
+ */
+#define TESTS   8
+static const unsigned char ripemd160_test_str[TESTS][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" },
+};
+
+static const size_t ripemd160_test_strlen[TESTS] =
+{
+    0, 1, 3, 14, 26, 56, 62, 80
+};
+
+static const unsigned char ripemd160_test_md[TESTS][20] =
+{
+    { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
+      0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 },
+    { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
+      0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe },
+    { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
+      0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc },
+    { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
+      0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 },
+    { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
+      0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc },
+    { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
+      0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b },
+    { 0xb0, 0xe2, 0x0b, 0x6e, 0x31, 0x16, 0x64, 0x02, 0x86, 0xed,
+      0x3a, 0x87, 0xa5, 0x71, 0x30, 0x79, 0xb2, 0x1f, 0x51, 0x89 },
+    { 0x9b, 0x75, 0x2e, 0x45, 0x57, 0x3d, 0x4b, 0x39, 0xf4, 0xdb,
+      0xd3, 0x32, 0x3c, 0xab, 0x82, 0xbf, 0x63, 0x32, 0x6b, 0xfb },
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ripemd160_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char output[20];
+
+    memset( output, 0, sizeof output );
+
+    for( i = 0; i < TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  RIPEMD-160 test #%d: ", i + 1 );
+
+        ret = mbedtls_ripemd160_ret( ripemd160_test_str[i],
+                                     ripemd160_test_strlen[i], output );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( output, ripemd160_test_md[i], 20 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/ctrtool/deps/libmbedtls/src/rsa.c b/ctrtool/deps/libmbedtls/src/rsa.c
new file mode 100644
index 00000000..09fd379f
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/rsa.c
@@ -0,0 +1,2729 @@
+/*
+ *  The RSA public-key cryptosystem
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The following sources were referenced in the design of this implementation
+ *  of the RSA algorithm:
+ *
+ *  [1] A method for obtaining digital signatures and public-key cryptosystems
+ *      R Rivest, A Shamir, and L Adleman
+ *      http://people.csail.mit.edu/rivest/pubs.html#RSA78
+ *
+ *  [2] Handbook of Applied Cryptography - 1997, Chapter 8
+ *      Menezes, van Oorschot and Vanstone
+ *
+ *  [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ *      Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ *      Stefan Mangard
+ *      https://arxiv.org/abs/1702.08719v2
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/rsa_internal.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PKCS1_V21)
+#include "mbedtls/md.h"
+#endif
+
+#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
+#include <stdlib.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#if !defined(MBEDTLS_RSA_ALT)
+
+/* Parameter validation macros */
+#define RSA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+#define RSA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_PKCS1_V15)
+/* constant-time buffer comparison */
+static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    const unsigned char *A = (const unsigned char *) a;
+    const unsigned char *B = (const unsigned char *) b;
+    unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+        diff |= A[i] ^ B[i];
+
+    return( diff );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
+                        const mbedtls_mpi *N,
+                        const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                        const mbedtls_mpi *D, const mbedtls_mpi *E )
+{
+    int ret;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
+        ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
+        ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
+        ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
+        ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+
+    if( N != NULL )
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+
+    return( 0 );
+}
+
+int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
+                            unsigned char const *N, size_t N_len,
+                            unsigned char const *P, size_t P_len,
+                            unsigned char const *Q, size_t Q_len,
+                            unsigned char const *D, size_t D_len,
+                            unsigned char const *E, size_t E_len )
+{
+    int ret = 0;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( N != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+    }
+
+    if( P != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
+
+    if( Q != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
+
+    if( D != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
+
+    if( E != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+
+    return( 0 );
+}
+
+/*
+ * Checks whether the context fields are set in such a way
+ * that the RSA primitives will be able to execute without error.
+ * It does *not* make guarantees for consistency of the parameters.
+ */
+static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
+                              int blinding_needed )
+{
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* blinding_needed is only used for NO_CRT to decide whether
+     * P,Q need to be present or not. */
+    ((void) blinding_needed);
+#endif
+
+    if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
+        ctx->len > MBEDTLS_MPI_MAX_SIZE )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    /*
+     * 1. Modular exponentiation needs positive, odd moduli.
+     */
+
+    /* Modular exponentiation wrt. N is always used for
+     * RSA public key operations. */
+    if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
+        mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0  )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Modular exponentiation for P and Q is only
+     * used for private key operations and if CRT
+     * is used. */
+    if( is_priv &&
+        ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
+          mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
+          mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
+          mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0  ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif /* !MBEDTLS_RSA_NO_CRT */
+
+    /*
+     * 2. Exponents must be positive
+     */
+
+    /* Always need E for public key operations */
+    if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+    /* For private key operations, use D or DP & DQ
+     * as (unblinded) exponents. */
+    if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+#else
+    if( is_priv &&
+        ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
+          mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0  ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Blinding shouldn't make exponents negative either,
+     * so check that P, Q >= 1 if that hasn't yet been
+     * done as part of 1. */
+#if defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv && blinding_needed &&
+        ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
+          mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif
+
+    /* It wouldn't lead to an error if it wasn't satisfied,
+     * but check for QP >= 1 nonetheless. */
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv &&
+        mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
+{
+    int ret = 0;
+    int have_N, have_P, have_Q, have_D, have_E;
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    int have_DP, have_DQ, have_QP;
+#endif
+    int n_missing, pq_missing, d_missing, is_pub, is_priv;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
+    have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
+    have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
+    have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
+    have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
+    have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
+    have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
+#endif
+
+    /*
+     * Check whether provided parameters are enough
+     * to deduce all others. The following incomplete
+     * parameter sets for private keys are supported:
+     *
+     * (1) P, Q missing.
+     * (2) D and potentially N missing.
+     *
+     */
+
+    n_missing  =              have_P &&  have_Q &&  have_D && have_E;
+    pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
+    d_missing  =              have_P &&  have_Q && !have_D && have_E;
+    is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
+
+    /* These three alternatives are mutually exclusive */
+    is_priv = n_missing || pq_missing || d_missing;
+
+    if( !is_priv && !is_pub )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Step 1: Deduce N if P, Q are provided.
+     */
+
+    if( !have_N && have_P && have_Q )
+    {
+        if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
+                                         &ctx->Q ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+        }
+
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+    }
+
+    /*
+     * Step 2: Deduce and verify all remaining core parameters.
+     */
+
+    if( pq_missing )
+    {
+        ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
+                                         &ctx->P, &ctx->Q );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+
+    }
+    else if( d_missing )
+    {
+        if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
+                                                         &ctx->Q,
+                                                         &ctx->E,
+                                                         &ctx->D ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+        }
+    }
+
+    /*
+     * Step 3: Deduce all additional parameters specific
+     *         to our current RSA implementation.
+     */
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
+    {
+        ret = mbedtls_rsa_deduce_crt( &ctx->P,  &ctx->Q,  &ctx->D,
+                                      &ctx->DP, &ctx->DQ, &ctx->QP );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /*
+     * Step 3: Basic sanity checks
+     */
+
+    return( rsa_check_context( ctx, is_priv, 1 ) );
+}
+
+int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
+                            unsigned char *N, size_t N_len,
+                            unsigned char *P, size_t P_len,
+                            unsigned char *Q, size_t Q_len,
+                            unsigned char *D, size_t D_len,
+                            unsigned char *E, size_t E_len )
+{
+    int ret = 0;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    /* Check if key is private or public */
+    is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+    {
+        /* If we're trying to export private parameters for a public key,
+         * something must be wrong. */
+        if( P != NULL || Q != NULL || D != NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    }
+
+    if( N != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
+
+    if( P != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
+
+    if( Q != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
+
+    if( D != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
+
+    if( E != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
+
+cleanup:
+
+    return( ret );
+}
+
+int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
+                        mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+                        mbedtls_mpi *D, mbedtls_mpi *E )
+{
+    int ret;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    /* Check if key is private or public */
+    is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+    {
+        /* If we're trying to export private parameters for a public key,
+         * something must be wrong. */
+        if( P != NULL || Q != NULL || D != NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    }
+
+    /* Export all requested core parameters. */
+
+    if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
+        ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
+        ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
+        ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
+        ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Export CRT parameters
+ * This must also be implemented if CRT is not used, for being able to
+ * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
+ * can be used in this case.
+ */
+int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
+                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
+{
+    int ret;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    /* Check if key is private or public */
+    is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Export all requested blinding parameters. */
+    if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
+        ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
+        ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#else
+    if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                        DP, DQ, QP ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Initialize an RSA context
+ */
+void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
+               int padding,
+               int hash_id )
+{
+    RSA_VALIDATE( ctx != NULL );
+    RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
+                  padding == MBEDTLS_RSA_PKCS_V21 );
+
+    memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
+
+    mbedtls_rsa_set_padding( ctx, padding, hash_id );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+/*
+ * Set padding for an existing RSA context
+ */
+void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
+                              int hash_id )
+{
+    RSA_VALIDATE( ctx != NULL );
+    RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
+                  padding == MBEDTLS_RSA_PKCS_V21 );
+
+    ctx->padding = padding;
+    ctx->hash_id = hash_id;
+}
+
+/*
+ * Get length in bytes of RSA modulus
+ */
+
+size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
+{
+    return( ctx->len );
+}
+
+
+#if defined(MBEDTLS_GENPRIME)
+
+/*
+ * Generate an RSA keypair
+ *
+ * This generation method follows the RSA key pair generation procedure of
+ * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
+ */
+int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 unsigned int nbits, int exponent )
+{
+    int ret;
+    mbedtls_mpi H, G, L;
+    int prime_quality = 0;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( f_rng != NULL );
+
+    if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * If the modulus is 1024 bit long or shorter, then the security strength of
+     * the RSA algorithm is less than or equal to 80 bits and therefore an error
+     * rate of 2^-80 is sufficient.
+     */
+    if( nbits > 1024 )
+        prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
+
+    mbedtls_mpi_init( &H );
+    mbedtls_mpi_init( &G );
+    mbedtls_mpi_init( &L );
+
+    /*
+     * find primes P and Q with Q < P so that:
+     * 1.  |P-Q| > 2^( nbits / 2 - 100 )
+     * 2.  GCD( E, (P-1)*(Q-1) ) == 1
+     * 3.  E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
+
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
+                                                prime_quality, f_rng, p_rng ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
+                                                prime_quality, f_rng, p_rng ) );
+
+        /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
+        if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
+            continue;
+
+        /* not required by any standards, but some users rely on the fact that P > Q */
+        if( H.s < 0 )
+            mbedtls_mpi_swap( &ctx->P, &ctx->Q );
+
+        /* Temporarily replace P,Q by P-1, Q-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
+
+        /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H  ) );
+        if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
+            continue;
+
+        /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
+
+        if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
+            continue;
+
+        break;
+    }
+    while( 1 );
+
+    /* Restore P,Q */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P,  &ctx->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q,  &ctx->Q, 1 ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
+
+    ctx->len = mbedtls_mpi_size( &ctx->N );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /*
+     * DP = D mod (P - 1)
+     * DQ = D mod (Q - 1)
+     * QP = Q^-1 mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                             &ctx->DP, &ctx->DQ, &ctx->QP ) );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Double-check */
+    MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &H );
+    mbedtls_mpi_free( &G );
+    mbedtls_mpi_free( &L );
+
+    if( ret != 0 )
+    {
+        mbedtls_rsa_free( ctx );
+        return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+/*
+ * Check a public RSA key
+ */
+int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+
+    if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
+        mbedtls_mpi_bitlen( &ctx->E )     < 2  ||
+        mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check for the consistency of all fields in an RSA private key context
+ */
+int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
+        rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
+                                     &ctx->D, &ctx->E, NULL, NULL ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                       &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Check if contexts holding a public and private key match
+ */
+int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
+                                const mbedtls_rsa_context *prv )
+{
+    RSA_VALIDATE_RET( pub != NULL );
+    RSA_VALIDATE_RET( prv != NULL );
+
+    if( mbedtls_rsa_check_pubkey( pub )  != 0 ||
+        mbedtls_rsa_check_privkey( prv ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
+        mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Do an RSA public key operation
+ */
+int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
+                const unsigned char *input,
+                unsigned char *output )
+{
+    int ret;
+    size_t olen;
+    mbedtls_mpi T;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( output != NULL );
+
+    if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
+
+    if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    olen = ctx->len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    mbedtls_mpi_free( &T );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Generate or update blinding values, see section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret, count = 0;
+
+    if( ctx->Vf.p != NULL )
+    {
+        /* We already have blinding values, just update them by squaring */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
+
+        goto cleanup;
+    }
+
+    /* Unblinding value: Vf = random number, invertible mod N */
+    do {
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_RSA_RNG_FAILED );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+    } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
+
+    /* Blinding value: Vi =  Vf^(-e) mod N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
+
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Exponent blinding supposed to prevent side-channel attacks using multiple
+ * traces of measurements to recover the RSA key. The more collisions are there,
+ * the more bits of the key can be recovered. See [3].
+ *
+ * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
+ * observations on avarage.
+ *
+ * For example with 28 byte blinding to achieve 2 collisions the adversary has
+ * to make 2^112 observations on avarage.
+ *
+ * (With the currently (as of 2017 April) known best algorithms breaking 2048
+ * bit RSA requires approximately as much time as trying out 2^112 random keys.
+ * Thus in this sense with 28 byte blinding the security is not reduced by
+ * side-channel attacks like the one in [3])
+ *
+ * This countermeasure does not help if the key recovery is possible with a
+ * single trace.
+ */
+#define RSA_EXPONENT_BLINDING 28
+
+/*
+ * Do an RSA private key operation
+ */
+int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 const unsigned char *input,
+                 unsigned char *output )
+{
+    int ret;
+    size_t olen;
+
+    /* Temporary holding the result */
+    mbedtls_mpi T;
+
+    /* Temporaries holding P-1, Q-1 and the
+     * exponent blinding factor, respectively. */
+    mbedtls_mpi P1, Q1, R;
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Temporaries holding the results mod p resp. mod q. */
+    mbedtls_mpi TP, TQ;
+
+    /* Temporaries holding the blinded exponents for
+     * the mod p resp. mod q computation (if used). */
+    mbedtls_mpi DP_blind, DQ_blind;
+
+    /* Pointers to actual exponents to be used - either the unblinded
+     * or the blinded ones, depending on the presence of a PRNG. */
+    mbedtls_mpi *DP = &ctx->DP;
+    mbedtls_mpi *DQ = &ctx->DQ;
+#else
+    /* Temporary holding the blinded exponent (if used). */
+    mbedtls_mpi D_blind;
+
+    /* Pointer to actual exponent to be used - either the unblinded
+     * or the blinded one, depending on the presence of a PRNG. */
+    mbedtls_mpi *D = &ctx->D;
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Temporaries holding the initial input and the double
+     * checked result; should be the same in the end. */
+    mbedtls_mpi I, C;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( input  != NULL );
+    RSA_VALIDATE_RET( output != NULL );
+
+    if( rsa_check_context( ctx, 1             /* private key checks */,
+                                f_rng != NULL /* blinding y/n       */ ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    /* MPI Initialization */
+    mbedtls_mpi_init( &T );
+
+    mbedtls_mpi_init( &P1 );
+    mbedtls_mpi_init( &Q1 );
+    mbedtls_mpi_init( &R );
+
+    if( f_rng != NULL )
+    {
+#if defined(MBEDTLS_RSA_NO_CRT)
+        mbedtls_mpi_init( &D_blind );
+#else
+        mbedtls_mpi_init( &DP_blind );
+        mbedtls_mpi_init( &DQ_blind );
+#endif
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
+#endif
+
+    mbedtls_mpi_init( &I );
+    mbedtls_mpi_init( &C );
+
+    /* End of MPI initialization */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
+    if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
+
+    if( f_rng != NULL )
+    {
+        /*
+         * Blinding
+         * T = T * Vi mod N
+         */
+        MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
+
+        /*
+         * Exponent blinding
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+        /*
+         * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
+
+        D = &D_blind;
+#else
+        /*
+         * DP_blind = ( P - 1 ) * R + DP
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
+                    &ctx->DP ) );
+
+        DP = &DP_blind;
+
+        /*
+         * DQ_blind = ( Q - 1 ) * R + DQ
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
+                    &ctx->DQ ) );
+
+        DQ = &DQ_blind;
+#endif /* MBEDTLS_RSA_NO_CRT */
+    }
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
+#else
+    /*
+     * Faster decryption using the CRT
+     *
+     * TP = input ^ dP mod P
+     * TQ = input ^ dQ mod Q
+     */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
+
+    /*
+     * T = (TP - TQ) * (Q^-1 mod P) mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
+
+    /*
+     * T = TQ + T * Q
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    if( f_rng != NULL )
+    {
+        /*
+         * Unblind
+         * T = T * Vf mod N
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
+    }
+
+    /* Verify the result to prevent glitching attacks. */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
+                                          &ctx->N, &ctx->RN ) );
+    if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    olen = ctx->len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    mbedtls_mpi_free( &P1 );
+    mbedtls_mpi_free( &Q1 );
+    mbedtls_mpi_free( &R );
+
+    if( f_rng != NULL )
+    {
+#if defined(MBEDTLS_RSA_NO_CRT)
+        mbedtls_mpi_free( &D_blind );
+#else
+        mbedtls_mpi_free( &DP_blind );
+        mbedtls_mpi_free( &DQ_blind );
+#endif
+    }
+
+    mbedtls_mpi_free( &T );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
+#endif
+
+    mbedtls_mpi_free( &C );
+    mbedtls_mpi_free( &I );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
+ *
+ * \param dst       buffer to mask
+ * \param dlen      length of destination buffer
+ * \param src       source of the mask generation
+ * \param slen      length of the source buffer
+ * \param md_ctx    message digest context to use
+ */
+static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
+                      size_t slen, mbedtls_md_context_t *md_ctx )
+{
+    unsigned char mask[MBEDTLS_MD_MAX_SIZE];
+    unsigned char counter[4];
+    unsigned char *p;
+    unsigned int hlen;
+    size_t i, use_len;
+    int ret = 0;
+
+    memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
+    memset( counter, 0, 4 );
+
+    hlen = mbedtls_md_get_size( md_ctx->md_info );
+
+    /* Generate and apply dbMask */
+    p = dst;
+
+    while( dlen > 0 )
+    {
+        use_len = hlen;
+        if( dlen < hlen )
+            use_len = dlen;
+
+        if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
+            goto exit;
+
+        for( i = 0; i < use_len; ++i )
+            *p++ ^= mask[i];
+
+        counter[3]++;
+
+        dlen -= use_len;
+    }
+
+exit:
+    mbedtls_platform_zeroize( mask, sizeof( mask ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t ilen,
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    size_t olen;
+    int ret;
+    unsigned char *p = output;
+    unsigned int hlen;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( label_len == 0 || label != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( f_rng == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+    hlen = mbedtls_md_get_size( md_info );
+
+    /* first comparison checks for overflow */
+    if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    memset( output, 0, olen );
+
+    *p++ = 0;
+
+    /* Generate a random octet string seed */
+    if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
+        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+    p += hlen;
+
+    /* Construct DB */
+    if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
+        return( ret );
+    p += hlen;
+    p += olen - 2 * hlen - 2 - ilen;
+    *p++ = 1;
+    memcpy( p, input, ilen );
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    /* maskedDB: Apply dbMask to DB */
+    if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+    /* maskedSeed: Apply seedMask to seed */
+    if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, output, output )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t ilen,
+                                 const unsigned char *input,
+                                 unsigned char *output )
+{
+    size_t nb_pad, olen;
+    int ret;
+    unsigned char *p = output;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+
+    /* first comparison checks for overflow */
+    if( ilen + 11 < ilen || olen < ilen + 11 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    nb_pad = olen - 3 - ilen;
+
+    *p++ = 0;
+    if( mode == MBEDTLS_RSA_PUBLIC )
+    {
+        if( f_rng == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        *p++ = MBEDTLS_RSA_CRYPT;
+
+        while( nb_pad-- > 0 )
+        {
+            int rng_dl = 100;
+
+            do {
+                ret = f_rng( p_rng, p, 1 );
+            } while( *p == 0 && --rng_dl && ret == 0 );
+
+            /* Check if RNG failed to generate data */
+            if( rng_dl == 0 || ret != 0 )
+                return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+            p++;
+        }
+    }
+    else
+    {
+        *p++ = MBEDTLS_RSA_SIGN;
+
+        while( nb_pad-- > 0 )
+            *p++ = 0xFF;
+    }
+
+    *p++ = 0;
+    memcpy( p, input, ilen );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, output, output )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Add the message padding, then do an RSA operation
+ */
+int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t ilen,
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
+                                                input, output );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
+                                           ilen, input, output );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t *olen,
+                            const unsigned char *input,
+                            unsigned char *output,
+                            size_t output_max_len )
+{
+    int ret;
+    size_t ilen, i, pad_len;
+    unsigned char *p, bad, pad_done;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
+    unsigned int hlen;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( label_len == 0 || label != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
+    /*
+     * Parameters sanity checks
+     */
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ilen = ctx->len;
+
+    if( ilen < 16 || ilen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    // checking for integer underflow
+    if( 2 * hlen + 2 > ilen )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * RSA operation
+     */
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, input, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
+
+    if( ret != 0 )
+        goto cleanup;
+
+    /*
+     * Unmask data and generate lHash
+     */
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+    {
+        mbedtls_md_free( &md_ctx );
+        goto cleanup;
+    }
+
+    /* seed: Apply seedMask to maskedSeed */
+    if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
+                          &md_ctx ) ) != 0 ||
+    /* DB: Apply dbMask to maskedDB */
+        ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
+                          &md_ctx ) ) != 0 )
+    {
+        mbedtls_md_free( &md_ctx );
+        goto cleanup;
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    /* Generate lHash */
+    if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * Check contents, in "constant-time"
+     */
+    p = buf;
+    bad = 0;
+
+    bad |= *p++; /* First byte must be 0 */
+
+    p += hlen; /* Skip seed */
+
+    /* Check lHash */
+    for( i = 0; i < hlen; i++ )
+        bad |= lhash[i] ^ *p++;
+
+    /* Get zero-padding len, but always read till end of buffer
+     * (minus one, for the 01 byte) */
+    pad_len = 0;
+    pad_done = 0;
+    for( i = 0; i < ilen - 2 * hlen - 2; i++ )
+    {
+        pad_done |= p[i];
+        pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
+    }
+
+    p += pad_len;
+    bad |= *p++ ^ 0x01;
+
+    /*
+     * The only information "leaked" is whether the padding was correct or not
+     * (eg, no data is copied if it was not correct). This meets the
+     * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
+     * the different error conditions.
+     */
+    if( bad != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto cleanup;
+    }
+
+    if( ilen - ( p - buf ) > output_max_len )
+    {
+        ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+        goto cleanup;
+    }
+
+    *olen = ilen - (p - buf);
+    memcpy( output, p, *olen );
+    ret = 0;
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.
+ *
+ * \param value     The value to analyze.
+ * \return          Zero if \p value is zero, otherwise all-bits-one.
+ */
+static unsigned all_or_nothing_int( unsigned value )
+{
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+}
+
+/** Check whether a size is out of bounds, without branches.
+ *
+ * This is equivalent to `size > max`, but is likely to be compiled to
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param size      Size to check.
+ * \param max       Maximum desired value for \p size.
+ * \return          \c 0 if `size <= max`.
+ * \return          \c 1 if `size > max`.
+ */
+static unsigned size_greater_than( size_t size, size_t max )
+{
+    /* Return the sign bit (1 for negative) of (max - size). */
+    return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
+}
+
+/** Choose between two integer values, without branches.
+ *
+ * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param cond      Condition to test.
+ * \param if1       Value to use if \p cond is nonzero.
+ * \param if0       Value to use if \p cond is zero.
+ * \return          \c if1 if \p cond is nonzero, otherwise \c if0.
+ */
+static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
+{
+    unsigned mask = all_or_nothing_int( cond );
+    return( ( mask & if1 ) | (~mask & if0 ) );
+}
+
+/** Shift some data towards the left inside a buffer without leaking
+ * the length of the data through side channels.
+ *
+ * `mem_move_to_left(start, total, offset)` is functionally equivalent to
+ * ```
+ * memmove(start, start + offset, total - offset);
+ * memset(start + offset, 0, total - offset);
+ * ```
+ * but it strives to use a memory access pattern (and thus total timing)
+ * that does not depend on \p offset. This timing independence comes at
+ * the expense of performance.
+ *
+ * \param start     Pointer to the start of the buffer.
+ * \param total     Total size of the buffer.
+ * \param offset    Offset from which to copy \p total - \p offset bytes.
+ */
+static void mem_move_to_left( void *start,
+                              size_t total,
+                              size_t offset )
+{
+    volatile unsigned char *buf = start;
+    size_t i, n;
+    if( total == 0 )
+        return;
+    for( i = 0; i < total; i++ )
+    {
+        unsigned no_op = size_greater_than( total - offset, i );
+        /* The first `total - offset` passes are a no-op. The last
+         * `offset` passes shift the data one byte to the left and
+         * zero out the last byte. */
+        for( n = 0; n < total - 1; n++ )
+        {
+            unsigned char current = buf[n];
+            unsigned char next = buf[n+1];
+            buf[n] = if_int( no_op, current, next );
+        }
+        buf[total-1] = if_int( no_op, buf[total-1], 0 );
+    }
+}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t *olen,
+                                 const unsigned char *input,
+                                 unsigned char *output,
+                                 size_t output_max_len )
+{
+    int ret;
+    size_t ilen, i, plaintext_max_size;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    /* The following variables take sensitive values: their value must
+     * not leak into the observable behavior of the function other than
+     * the designated outputs (output, olen, return value). Otherwise
+     * this would open the execution of the function to
+     * side-channel-based variants of the Bleichenbacher padding oracle
+     * attack. Potential side channels include overall timing, memory
+     * access patterns (especially visible to an adversary who has access
+     * to a shared memory cache), and branches (especially visible to
+     * an adversary who has access to a shared code cache or to a shared
+     * branch predictor). */
+    size_t pad_count = 0;
+    unsigned bad = 0;
+    unsigned char pad_done = 0;
+    size_t plaintext_size = 0;
+    unsigned output_too_large;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
+    ilen = ctx->len;
+    plaintext_max_size = ( output_max_len > ilen - 11 ?
+                           ilen - 11 :
+                           output_max_len );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( ilen < 16 || ilen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, input, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
+
+    if( ret != 0 )
+        goto cleanup;
+
+    /* Check and get padding length in constant time and constant
+     * memory trace. The first byte must be 0. */
+    bad |= buf[0];
+
+    if( mode == MBEDTLS_RSA_PRIVATE )
+    {
+        /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
+         * where PS must be at least 8 nonzero bytes. */
+        bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
+
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count. */
+        for( i = 2; i < ilen; i++ )
+        {
+            pad_done  |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
+            pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
+        }
+    }
+    else
+    {
+        /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
+         * where PS must be at least 8 bytes with the value 0xFF. */
+        bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
+
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count.
+         * If there's a non-0xff byte in the padding, the padding is bad. */
+        for( i = 2; i < ilen; i++ )
+        {
+            pad_done |= if_int( buf[i], 0, 1 );
+            pad_count += if_int( pad_done, 0, 1 );
+            bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
+        }
+    }
+
+    /* If pad_done is still zero, there's no data, only unfinished padding. */
+    bad |= if_int( pad_done, 0, 1 );
+
+    /* There must be at least 8 bytes of padding. */
+    bad |= size_greater_than( 8, pad_count );
+
+    /* If the padding is valid, set plaintext_size to the number of
+     * remaining bytes after stripping the padding. If the padding
+     * is invalid, avoid leaking this fact through the size of the
+     * output: use the maximum message size that fits in the output
+     * buffer. Do it without branches to avoid leaking the padding
+     * validity through timing. RSA keys are small enough that all the
+     * size_t values involved fit in unsigned int. */
+    plaintext_size = if_int( bad,
+                             (unsigned) plaintext_max_size,
+                             (unsigned) ( ilen - pad_count - 3 ) );
+
+    /* Set output_too_large to 0 if the plaintext fits in the output
+     * buffer and to 1 otherwise. */
+    output_too_large = size_greater_than( plaintext_size,
+                                          plaintext_max_size );
+
+    /* Set ret without branches to avoid timing attacks. Return:
+     * - INVALID_PADDING if the padding is bad (bad != 0).
+     * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
+     *   plaintext does not fit in the output buffer.
+     * - 0 if the padding is correct. */
+    ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
+                  if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
+                          0 ) );
+
+    /* If the padding is bad or the plaintext is too large, zero the
+     * data that we're about to copy to the output buffer.
+     * We need to copy the same amount of data
+     * from the same buffer whether the padding is good or not to
+     * avoid leaking the padding validity through overall timing or
+     * through memory or cache access patterns. */
+    bad = all_or_nothing_int( bad | output_too_large );
+    for( i = 11; i < ilen; i++ )
+        buf[i] &= ~bad;
+
+    /* If the plaintext is too large, truncate it to the buffer size.
+     * Copy anyway to avoid revealing the length through timing, because
+     * revealing the length is as bad as revealing the padding validity
+     * for a Bleichenbacher attack. */
+    plaintext_size = if_int( output_too_large,
+                             (unsigned) plaintext_max_size,
+                             (unsigned) plaintext_size );
+
+    /* Move the plaintext to the leftmost position where it can start in
+     * the working buffer, i.e. make it start plaintext_max_size from
+     * the end of the buffer. Do this with a memory access trace that
+     * does not depend on the plaintext size. After this move, the
+     * starting location of the plaintext is no longer sensitive
+     * information. */
+    mem_move_to_left( buf + ilen - plaintext_max_size,
+                      plaintext_max_size,
+                      plaintext_max_size - plaintext_size );
+
+    /* Finally copy the decrypted plaintext plus trailing zeros
+     * into the output buffer. */
+    memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
+
+    /* Report the amount of data we copied to the output buffer. In case
+     * of errors (bad padding or output too large), the value of *olen
+     * when this function returns is not specified. Making it equivalent
+     * to the good case limits the risks of leaking the padding validity. */
+    *olen = plaintext_size;
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation, then remove the message padding
+ */
+int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len)
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
+                                                input, output, output_max_len );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
+                                           olen, input, output,
+                                           output_max_len );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         int mode,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         unsigned char *sig )
+{
+    size_t olen;
+    unsigned char *p = sig;
+    unsigned char salt[MBEDTLS_MD_MAX_SIZE];
+    size_t slen, min_slen, hlen, offset = 0;
+    int ret;
+    size_t msb;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( f_rng == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /* Gather length of hash to sign */
+        md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+    }
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    /* Calculate the largest possible salt length. Normally this is the hash
+     * length, which is the maximum length the salt can have. If there is not
+     * enough room, use the maximum salt length that fits. The constraint is
+     * that the hash length plus the salt length plus 2 bytes must be at most
+     * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+     * (PKCS#1 v2.2) §9.1.1 step 3. */
+    min_slen = hlen - 2;
+    if( olen < hlen + min_slen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    else if( olen >= hlen + hlen + 2 )
+        slen = hlen;
+    else
+        slen = olen - hlen - 2;
+
+    memset( sig, 0, olen );
+
+    /* Generate salt of length slen */
+    if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
+        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+    /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+    p += olen - hlen - slen - 2;
+    *p++ = 0x01;
+    memcpy( p, salt, slen );
+    p += slen;
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    /* Generate H = Hash( M' ) */
+    if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
+        goto exit;
+
+    /* Compensate for boundary condition when applying mask */
+    if( msb % 8 == 0 )
+        offset = 1;
+
+    /* maskedDB: Apply dbMask to DB */
+    if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+    sig[0] &= 0xFF >> ( olen * 8 - msb );
+
+    p += hlen;
+    *p++ = 0xBC;
+
+    mbedtls_platform_zeroize( salt, sizeof( salt ) );
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, sig, sig )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
+ */
+
+/* Construct a PKCS v1.5 encoding of a hashed message
+ *
+ * This is used both for signature generation and verification.
+ *
+ * Parameters:
+ * - md_alg:  Identifies the hash algorithm used to generate the given hash;
+ *            MBEDTLS_MD_NONE if raw data is signed.
+ * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
+ * - hash:    Buffer containing the hashed message or the raw data.
+ * - dst_len: Length of the encoded message.
+ * - dst:     Buffer to hold the encoded message.
+ *
+ * Assumptions:
+ * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
+ * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
+ * - dst points to a buffer of size at least dst_len.
+ *
+ */
+static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
+                                        unsigned int hashlen,
+                                        const unsigned char *hash,
+                                        size_t dst_len,
+                                        unsigned char *dst )
+{
+    size_t oid_size  = 0;
+    size_t nb_pad    = dst_len;
+    unsigned char *p = dst;
+    const char *oid  = NULL;
+
+    /* Are we signing hashed or raw data? */
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+
+        /* Double-check that 8 + hashlen + oid_size can be used as a
+         * 1-byte ASN.1 length encoding and that there's no overflow. */
+        if( 8 + hashlen + oid_size  >= 0x80         ||
+            10 + hashlen            <  hashlen      ||
+            10 + hashlen + oid_size <  10 + hashlen )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        /*
+         * Static bounds check:
+         * - Need 10 bytes for five tag-length pairs.
+         *   (Insist on 1-byte length encodings to protect against variants of
+         *    Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
+         * - Need hashlen bytes for hash
+         * - Need oid_size bytes for hash alg OID.
+         */
+        if( nb_pad < 10 + hashlen + oid_size )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        nb_pad -= 10 + hashlen + oid_size;
+    }
+    else
+    {
+        if( nb_pad < hashlen )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        nb_pad -= hashlen;
+    }
+
+    /* Need space for signature header and padding delimiter (3 bytes),
+     * and 8 bytes for the minimal padding */
+    if( nb_pad < 3 + 8 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    nb_pad -= 3;
+
+    /* Now nb_pad is the amount of memory to be filled
+     * with padding, and at least 8 bytes long. */
+
+    /* Write signature header and padding */
+    *p++ = 0;
+    *p++ = MBEDTLS_RSA_SIGN;
+    memset( p, 0xFF, nb_pad );
+    p += nb_pad;
+    *p++ = 0;
+
+    /* Are we signing raw data? */
+    if( md_alg == MBEDTLS_MD_NONE )
+    {
+        memcpy( p, hash, hashlen );
+        return( 0 );
+    }
+
+    /* Signing hashed data, add corresponding ASN.1 structure
+     *
+     * DigestInfo ::= SEQUENCE {
+     *   digestAlgorithm DigestAlgorithmIdentifier,
+     *   digest Digest }
+     * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+     * Digest ::= OCTET STRING
+     *
+     * Schematic:
+     * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID  + LEN [ OID  ]
+     *                                 TAG-NULL + LEN [ NULL ] ]
+     *                 TAG-OCTET + LEN [ HASH ] ]
+     */
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x04 + oid_size );
+    *p++ = MBEDTLS_ASN1_OID;
+    *p++ = (unsigned char) oid_size;
+    memcpy( p, oid, oid_size );
+    p += oid_size;
+    *p++ = MBEDTLS_ASN1_NULL;
+    *p++ = 0x00;
+    *p++ = MBEDTLS_ASN1_OCTET_STRING;
+    *p++ = (unsigned char) hashlen;
+    memcpy( p, hash, hashlen );
+    p += hashlen;
+
+    /* Just a sanity-check, should be automatic
+     * after the initial bounds check. */
+    if( p != dst + dst_len )
+    {
+        mbedtls_platform_zeroize( dst, dst_len );
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               unsigned char *sig )
+{
+    int ret;
+    unsigned char *sig_try = NULL, *verif = NULL;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
+     */
+
+    if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
+                                             ctx->len, sig ) ) != 0 )
+        return( ret );
+
+    /*
+     * Call respective RSA primitive
+     */
+
+    if( mode == MBEDTLS_RSA_PUBLIC )
+    {
+        /* Skip verification on a public key operation */
+        return( mbedtls_rsa_public( ctx, sig, sig ) );
+    }
+
+    /* Private key operation
+     *
+     * In order to prevent Lenstra's attack, make the signature in a
+     * temporary buffer and check it before returning it.
+     */
+
+    sig_try = mbedtls_calloc( 1, ctx->len );
+    if( sig_try == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    verif = mbedtls_calloc( 1, ctx->len );
+    if( verif == NULL )
+    {
+        mbedtls_free( sig_try );
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
+
+    if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
+        goto cleanup;
+    }
+
+    memcpy( sig, sig_try, ctx->len );
+
+cleanup:
+    mbedtls_free( sig_try );
+    mbedtls_free( verif );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
+                                              hashlen, hash, sig );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
+                                        hashlen, hash, sig );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               mbedtls_md_type_t mgf1_hash_id,
+                               int expected_salt_len,
+                               const unsigned char *sig )
+{
+    int ret;
+    size_t siglen;
+    unsigned char *p;
+    unsigned char *hash_start;
+    unsigned char result[MBEDTLS_MD_MAX_SIZE];
+    unsigned char zeros[8];
+    unsigned int hlen;
+    size_t observed_salt_len, msb;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    siglen = ctx->len;
+
+    if( siglen < 16 || siglen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, sig, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
+
+    if( ret != 0 )
+        return( ret );
+
+    p = buf;
+
+    if( buf[siglen - 1] != 0xBC )
+        return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /* Gather length of hash to sign */
+        md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+    }
+
+    md_info = mbedtls_md_info_from_type( mgf1_hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    memset( zeros, 0, 8 );
+
+    /*
+     * Note: EMSA-PSS verification is over the length of N - 1 bits
+     */
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+
+    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /* Compensate for boundary condition when applying mask */
+    if( msb % 8 == 0 )
+    {
+        p++;
+        siglen -= 1;
+    }
+
+    if( siglen < hlen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    hash_start = p + siglen - hlen - 1;
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
+    if( ret != 0 )
+        goto exit;
+
+    buf[0] &= 0xFF >> ( siglen * 8 - msb );
+
+    while( p < hash_start - 1 && *p == 0 )
+        p++;
+
+    if( *p++ != 0x01 )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto exit;
+    }
+
+    observed_salt_len = hash_start - p;
+
+    if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
+        observed_salt_len != (size_t) expected_salt_len )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto exit;
+    }
+
+    /*
+     * Generate H = Hash( M' )
+     */
+    ret = mbedtls_md_starts( &md_ctx );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, zeros, 8 );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, hash, hashlen );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_finish( &md_ctx, result );
+    if ( ret != 0 )
+        goto exit;
+
+    if( memcmp( hash_start, result, hlen ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto exit;
+    }
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    return( ret );
+}
+
+/*
+ * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           int mode,
+                           mbedtls_md_type_t md_alg,
+                           unsigned int hashlen,
+                           const unsigned char *hash,
+                           const unsigned char *sig )
+{
+    mbedtls_md_type_t mgf1_hash_id;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
+                             ? (mbedtls_md_type_t) ctx->hash_id
+                             : md_alg;
+
+    return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
+                                       md_alg, hashlen, hash,
+                                       mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
+                                       sig ) );
+
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode,
+                                 mbedtls_md_type_t md_alg,
+                                 unsigned int hashlen,
+                                 const unsigned char *hash,
+                                 const unsigned char *sig )
+{
+    int ret = 0;
+    size_t sig_len;
+    unsigned char *encoded = NULL, *encoded_expected = NULL;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    sig_len = ctx->len;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Prepare expected PKCS1 v1.5 encoding of hash.
+     */
+
+    if( ( encoded          = mbedtls_calloc( 1, sig_len ) ) == NULL ||
+        ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
+    {
+        ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+        goto cleanup;
+    }
+
+    if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
+                                             encoded_expected ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * Apply RSA primitive to get what should be PKCS1 encoded hash.
+     */
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, sig, encoded )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
+    if( ret != 0 )
+        goto cleanup;
+
+    /*
+     * Compare
+     */
+
+    if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
+                                      sig_len ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+
+    if( encoded != NULL )
+    {
+        mbedtls_platform_zeroize( encoded, sig_len );
+        mbedtls_free( encoded );
+    }
+
+    if( encoded_expected != NULL )
+    {
+        mbedtls_platform_zeroize( encoded_expected, sig_len );
+        mbedtls_free( encoded_expected );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation and check the message digest
+ */
+int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng,
+                      int mode,
+                      mbedtls_md_type_t md_alg,
+                      unsigned int hashlen,
+                      const unsigned char *hash,
+                      const unsigned char *sig )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
+                                                hashlen, hash, sig );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
+                                          hashlen, hash, sig );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+/*
+ * Copy the components of an RSA key
+ */
+int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
+{
+    int ret;
+    RSA_VALIDATE_RET( dst != NULL );
+    RSA_VALIDATE_RET( src != NULL );
+
+    dst->ver = src->ver;
+    dst->len = src->len;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
+#endif
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
+
+    dst->padding = src->padding;
+    dst->hash_id = src->hash_id;
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_rsa_free( dst );
+
+    return( ret );
+}
+
+/*
+ * Free the components of an RSA key
+ */
+void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->Vi );
+    mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->RN );
+    mbedtls_mpi_free( &ctx->D  );
+    mbedtls_mpi_free( &ctx->Q  );
+    mbedtls_mpi_free( &ctx->P  );
+    mbedtls_mpi_free( &ctx->E  );
+    mbedtls_mpi_free( &ctx->N  );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_free( &ctx->RQ );
+    mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->QP );
+    mbedtls_mpi_free( &ctx->DQ );
+    mbedtls_mpi_free( &ctx->DP );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+}
+
+#endif /* !MBEDTLS_RSA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/sha1.h"
+
+/*
+ * Example RSA-1024 keypair, for test purposes
+ */
+#define KEY_LEN 128
+
+#define RSA_N   "9292758453063D803DD603D5E777D788" \
+                "8ED1D5BF35786190FA2F23EBC0848AEA" \
+                "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
+                "7130B9CED7ACDF54CFC7555AC14EEBAB" \
+                "93A89813FBF3C4F8066D2D800F7C38A8" \
+                "1AE31942917403FF4946B0A83D3D3E05" \
+                "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
+                "5E94BB77B07507233A0BC7BAC8F90F79"
+
+#define RSA_E   "10001"
+
+#define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
+                "66CA472BC44D253102F8B4A9D3BFA750" \
+                "91386C0077937FE33FA3252D28855837" \
+                "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
+                "DF79C5CE07EE72C7F123142198164234" \
+                "CABB724CF78B8173B9F880FC86322407" \
+                "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
+                "071513A1E85B5DFA031F21ECAE91A34D"
+
+#define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
+                "2C01CAD19EA484A87EA4377637E75500" \
+                "FCB2005C5C7DD6EC4AC023CDA285D796" \
+                "C3D9E75E1EFC42488BB4F1D13AC30A57"
+
+#define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
+                "E211C2B9E5DB1ED0BF61D0D9899620F4" \
+                "910E4168387E3C30AA1E00C339A79508" \
+                "8452DD96A9A5EA5D9DCA68DA636032AF"
+
+#define PT_LEN  24
+#define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
+                "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
+
+#if defined(MBEDTLS_PKCS1_V15)
+static int myrand( void *rng_state, unsigned char *output, size_t len )
+{
+#if !defined(__OpenBSD__)
+    size_t i;
+
+    if( rng_state != NULL )
+        rng_state  = NULL;
+
+    for( i = 0; i < len; ++i )
+        output[i] = rand();
+#else
+    if( rng_state != NULL )
+        rng_state = NULL;
+
+    arc4random_buf( output, len );
+#endif /* !OpenBSD */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_rsa_self_test( int verbose )
+{
+    int ret = 0;
+#if defined(MBEDTLS_PKCS1_V15)
+    size_t len;
+    mbedtls_rsa_context rsa;
+    unsigned char rsa_plaintext[PT_LEN];
+    unsigned char rsa_decrypted[PT_LEN];
+    unsigned char rsa_ciphertext[KEY_LEN];
+#if defined(MBEDTLS_SHA1_C)
+    unsigned char sha1sum[20];
+#endif
+
+    mbedtls_mpi K;
+
+    mbedtls_mpi_init( &K );
+    mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  RSA key validation: " );
+
+    if( mbedtls_rsa_check_pubkey(  &rsa ) != 0 ||
+        mbedtls_rsa_check_privkey( &rsa ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 encryption : " );
+
+    memcpy( rsa_plaintext, RSA_PT, PT_LEN );
+
+    if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
+                                   PT_LEN, rsa_plaintext,
+                                   rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 decryption : " );
+
+    if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
+                                   &len, rsa_ciphertext, rsa_decrypted,
+                                   sizeof(rsa_decrypted) ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+#if defined(MBEDTLS_SHA1_C)
+    if( verbose != 0 )
+        mbedtls_printf( "  PKCS#1 data sign  : " );
+
+    if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        return( 1 );
+    }
+
+    if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
+                                MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
+                                sha1sum, rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 sig. verify: " );
+
+    if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
+                                  MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
+                                  sha1sum, rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+#endif /* MBEDTLS_SHA1_C */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+cleanup:
+    mbedtls_mpi_free( &K );
+    mbedtls_rsa_free( &rsa );
+#else /* MBEDTLS_PKCS1_V15 */
+    ((void) verbose);
+#endif /* MBEDTLS_PKCS1_V15 */
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/ctrtool/deps/libmbedtls/src/rsa_internal.c b/ctrtool/deps/libmbedtls/src/rsa_internal.c
new file mode 100644
index 00000000..9a42d47c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/rsa_internal.c
@@ -0,0 +1,492 @@
+/*
+ *  Helper functions for the RSA module
+ *
+ *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/rsa_internal.h"
+
+/*
+ * Compute RSA prime factors from public and private exponents
+ *
+ * Summary of algorithm:
+ * Setting F := lcm(P-1,Q-1), the idea is as follows:
+ *
+ * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
+ *     is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
+ *     square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
+ *     possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
+ *     or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
+ *     factors of N.
+ *
+ * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
+ *     construction still applies since (-)^K is the identity on the set of
+ *     roots of 1 in Z/NZ.
+ *
+ * The public and private key primitives (-)^E and (-)^D are mutually inverse
+ * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
+ * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
+ * Splitting L = 2^t * K with K odd, we have
+ *
+ *   DE - 1 = FL = (F/2) * (2^(t+1)) * K,
+ *
+ * so (F / 2) * K is among the numbers
+ *
+ *   (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
+ *
+ * where ord is the order of 2 in (DE - 1).
+ * We can therefore iterate through these numbers apply the construction
+ * of (a) and (b) above to attempt to factor N.
+ *
+ */
+int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,
+                     mbedtls_mpi const *E, mbedtls_mpi const *D,
+                     mbedtls_mpi *P, mbedtls_mpi *Q )
+{
+    int ret = 0;
+
+    uint16_t attempt;  /* Number of current attempt  */
+    uint16_t iter;     /* Number of squares computed in the current attempt */
+
+    uint16_t order;    /* Order of 2 in DE - 1 */
+
+    mbedtls_mpi T;  /* Holds largest odd divisor of DE - 1     */
+    mbedtls_mpi K;  /* Temporary holding the current candidate */
+
+    const unsigned char primes[] = { 2,
+           3,    5,    7,   11,   13,   17,   19,   23,
+          29,   31,   37,   41,   43,   47,   53,   59,
+          61,   67,   71,   73,   79,   83,   89,   97,
+         101,  103,  107,  109,  113,  127,  131,  137,
+         139,  149,  151,  157,  163,  167,  173,  179,
+         181,  191,  193,  197,  199,  211,  223,  227,
+         229,  233,  239,  241,  251
+    };
+
+    const size_t num_primes = sizeof( primes ) / sizeof( *primes );
+
+    if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||
+        mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
+        mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
+    {
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    }
+
+    /*
+     * Initializations and temporary changes
+     */
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &T );
+
+    /* T := DE - 1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D,  E ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );
+
+    if( ( order = (uint16_t) mbedtls_mpi_lsb( &T ) ) == 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /* After this operation, T holds the largest odd divisor of DE - 1. */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );
+
+    /*
+     * Actual work
+     */
+
+    /* Skip trying 2 if N == 1 mod 8 */
+    attempt = 0;
+    if( N->p[0] % 8 == 1 )
+        attempt = 1;
+
+    for( ; attempt < num_primes; ++attempt )
+    {
+        mbedtls_mpi_lset( &K, primes[attempt] );
+
+        /* Check if gcd(K,N) = 1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
+        if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )
+            continue;
+
+        /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
+         * and check whether they have nontrivial GCD with N. */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,
+                             Q /* temporarily use Q for storing Montgomery
+                                * multiplication helper values */ ) );
+
+        for( iter = 1; iter <= order; ++iter )
+        {
+            /* If we reach 1 prematurely, there's no point
+             * in continuing to square K */
+            if( mbedtls_mpi_cmp_int( &K, 1 ) == 0 )
+                break;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
+
+            if( mbedtls_mpi_cmp_int( P, 1 ) ==  1 &&
+                mbedtls_mpi_cmp_mpi( P, N ) == -1 )
+            {
+                /*
+                 * Have found a nontrivial divisor P of N.
+                 * Set Q := N / P.
+                 */
+
+                MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );
+                goto cleanup;
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );
+        }
+
+        /*
+         * If we get here, then either we prematurely aborted the loop because
+         * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
+         * be 1 if D,E,N were consistent.
+         * Check if that's the case and abort if not, to avoid very long,
+         * yet eventually failing, computations if N,D,E were not sane.
+         */
+        if( mbedtls_mpi_cmp_int( &K, 1 ) != 0 )
+        {
+            break;
+        }
+    }
+
+    ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &T );
+    return( ret );
+}
+
+/*
+ * Given P, Q and the public exponent E, deduce D.
+ * This is essentially a modular inversion.
+ */
+int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
+                                         mbedtls_mpi const *Q,
+                                         mbedtls_mpi const *E,
+                                         mbedtls_mpi *D )
+{
+    int ret = 0;
+    mbedtls_mpi K, L;
+
+    if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_int( E, 0 ) == 0 )
+    {
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    }
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /* Temporarily put K := P-1 and L := Q-1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
+
+    /* Temporarily put D := gcd(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );
+
+    /* K := LCM(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );
+
+    /* Compute modular inverse of E in LCM(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    return( ret );
+}
+
+/*
+ * Check that RSA CRT parameters are in accordance with core parameters.
+ */
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP )
+{
+    int ret = 0;
+
+    mbedtls_mpi K, L;
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /* Check that DP - D == 0 mod P - 1 */
+    if( DP != NULL )
+    {
+        if( P == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /* Check that DQ - D == 0 mod Q - 1 */
+    if( DQ != NULL )
+    {
+        if( Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /* Check that QP * Q - 1 == 0 mod P */
+    if( QP != NULL )
+    {
+        if( P == NULL || Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    /* Wrap MPI error codes by RSA check failure error code */
+    if( ret != 0 &&
+        ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
+        ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+    {
+        ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+    }
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    return( ret );
+}
+
+/*
+ * Check that core RSA parameters are sane.
+ */
+int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
+                                 const mbedtls_mpi *Q, const mbedtls_mpi *D,
+                                 const mbedtls_mpi *E,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng )
+{
+    int ret = 0;
+    mbedtls_mpi K, L;
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /*
+     * Step 1: If PRNG provided, check that P and Q are prime
+     */
+
+#if defined(MBEDTLS_GENPRIME)
+    /*
+     * When generating keys, the strongest security we support aims for an error
+     * rate of at most 2^-100 and we are aiming for the same certainty here as
+     * well.
+     */
+    if( f_rng != NULL && P != NULL &&
+        ( ret = mbedtls_mpi_is_prime_ext( P, 50, f_rng, p_rng ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+        goto cleanup;
+    }
+
+    if( f_rng != NULL && Q != NULL &&
+        ( ret = mbedtls_mpi_is_prime_ext( Q, 50, f_rng, p_rng ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+        goto cleanup;
+    }
+#else
+    ((void) f_rng);
+    ((void) p_rng);
+#endif /* MBEDTLS_GENPRIME */
+
+    /*
+     * Step 2: Check that 1 < N = P * Q
+     */
+
+    if( P != NULL && Q != NULL && N != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );
+        if( mbedtls_mpi_cmp_int( N, 1 )  <= 0 ||
+            mbedtls_mpi_cmp_mpi( &K, N ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /*
+     * Step 3: Check and 1 < D, E < N if present.
+     */
+
+    if( N != NULL && D != NULL && E != NULL )
+    {
+        if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
+             mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
+             mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
+             mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /*
+     * Step 4: Check that D, E are inverse modulo P-1 and Q-1
+     */
+
+    if( P != NULL && Q != NULL && D != NULL && E != NULL )
+    {
+        if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
+            mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+
+        /* Compute DE-1 mod P-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+
+        /* Compute DE-1 mod Q-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    /* Wrap MPI error codes by RSA check failure error code */
+    if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
+    {
+        ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+    }
+
+    return( ret );
+}
+
+int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                            const mbedtls_mpi *D, mbedtls_mpi *DP,
+                            mbedtls_mpi *DQ, mbedtls_mpi *QP )
+{
+    int ret = 0;
+    mbedtls_mpi K;
+    mbedtls_mpi_init( &K );
+
+    /* DP = D mod P-1 */
+    if( DP != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1  ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );
+    }
+
+    /* DQ = D mod Q-1 */
+    if( DQ != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1  ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );
+    }
+
+    /* QP = Q^{-1} mod P */
+    if( QP != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );
+    }
+
+cleanup:
+    mbedtls_mpi_free( &K );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/ctrtool/deps/libmbedtls/src/sha1.c b/ctrtool/deps/libmbedtls/src/sha1.c
new file mode 100644
index 00000000..355c83d2
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/sha1.c
@@ -0,0 +1,573 @@
+/*
+ *  FIPS-180-1 compliant SHA-1 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SHA-1 standard was published by NIST in 1993.
+ *
+ *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+
+#include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#define SHA1_VALIDATE_RET(cond)                             \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA1_BAD_INPUT_DATA )
+
+#define SHA1_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if !defined(MBEDTLS_SHA1_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
+{
+    SHA1_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
+}
+
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
+}
+
+void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
+                         const mbedtls_sha1_context *src )
+{
+    SHA1_VALIDATE( dst != NULL );
+    SHA1_VALIDATE( src != NULL );
+
+    *dst = *src;
+}
+
+/*
+ * SHA-1 context setup
+ */
+int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx )
+{
+    SHA1_VALIDATE_RET( ctx != NULL );
+
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
+{
+    mbedtls_sha1_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA1_PROCESS_ALT)
+int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
+                                   const unsigned char data[64] )
+{
+    uint32_t temp, W[16], A, B, C, D, E;
+
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
+
+    GET_UINT32_BE( W[ 0], data,  0 );
+    GET_UINT32_BE( W[ 1], data,  4 );
+    GET_UINT32_BE( W[ 2], data,  8 );
+    GET_UINT32_BE( W[ 3], data, 12 );
+    GET_UINT32_BE( W[ 4], data, 16 );
+    GET_UINT32_BE( W[ 5], data, 20 );
+    GET_UINT32_BE( W[ 6], data, 24 );
+    GET_UINT32_BE( W[ 7], data, 28 );
+    GET_UINT32_BE( W[ 8], data, 32 );
+    GET_UINT32_BE( W[ 9], data, 36 );
+    GET_UINT32_BE( W[10], data, 40 );
+    GET_UINT32_BE( W[11], data, 44 );
+    GET_UINT32_BE( W[12], data, 48 );
+    GET_UINT32_BE( W[13], data, 52 );
+    GET_UINT32_BE( W[14], data, 56 );
+    GET_UINT32_BE( W[15], data, 60 );
+
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+#define R(t)                                                    \
+    (                                                           \
+        temp = W[( (t) -  3 ) & 0x0F] ^ W[( (t) - 8 ) & 0x0F] ^ \
+               W[( (t) - 14 ) & 0x0F] ^ W[  (t)       & 0x0F],  \
+        ( W[(t) & 0x0F] = S(temp,1) )                           \
+    )
+
+#define P(a,b,c,d,e,x)                                          \
+    do                                                          \
+    {                                                           \
+        (e) += S((a),5) + F((b),(c),(d)) + K + (x);             \
+        (b) = S((b),30);                                        \
+    } while( 0 )
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+    E = ctx->state[4];
+
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+#define K 0x5A827999
+
+    P( A, B, C, D, E, W[0]  );
+    P( E, A, B, C, D, W[1]  );
+    P( D, E, A, B, C, W[2]  );
+    P( C, D, E, A, B, W[3]  );
+    P( B, C, D, E, A, W[4]  );
+    P( A, B, C, D, E, W[5]  );
+    P( E, A, B, C, D, W[6]  );
+    P( D, E, A, B, C, W[7]  );
+    P( C, D, E, A, B, W[8]  );
+    P( B, C, D, E, A, W[9]  );
+    P( A, B, C, D, E, W[10] );
+    P( E, A, B, C, D, W[11] );
+    P( D, E, A, B, C, W[12] );
+    P( C, D, E, A, B, W[13] );
+    P( B, C, D, E, A, W[14] );
+    P( A, B, C, D, E, W[15] );
+    P( E, A, B, C, D, R(16) );
+    P( D, E, A, B, C, R(17) );
+    P( C, D, E, A, B, R(18) );
+    P( B, C, D, E, A, R(19) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define K 0x6ED9EBA1
+
+    P( A, B, C, D, E, R(20) );
+    P( E, A, B, C, D, R(21) );
+    P( D, E, A, B, C, R(22) );
+    P( C, D, E, A, B, R(23) );
+    P( B, C, D, E, A, R(24) );
+    P( A, B, C, D, E, R(25) );
+    P( E, A, B, C, D, R(26) );
+    P( D, E, A, B, C, R(27) );
+    P( C, D, E, A, B, R(28) );
+    P( B, C, D, E, A, R(29) );
+    P( A, B, C, D, E, R(30) );
+    P( E, A, B, C, D, R(31) );
+    P( D, E, A, B, C, R(32) );
+    P( C, D, E, A, B, R(33) );
+    P( B, C, D, E, A, R(34) );
+    P( A, B, C, D, E, R(35) );
+    P( E, A, B, C, D, R(36) );
+    P( D, E, A, B, C, R(37) );
+    P( C, D, E, A, B, R(38) );
+    P( B, C, D, E, A, R(39) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define K 0x8F1BBCDC
+
+    P( A, B, C, D, E, R(40) );
+    P( E, A, B, C, D, R(41) );
+    P( D, E, A, B, C, R(42) );
+    P( C, D, E, A, B, R(43) );
+    P( B, C, D, E, A, R(44) );
+    P( A, B, C, D, E, R(45) );
+    P( E, A, B, C, D, R(46) );
+    P( D, E, A, B, C, R(47) );
+    P( C, D, E, A, B, R(48) );
+    P( B, C, D, E, A, R(49) );
+    P( A, B, C, D, E, R(50) );
+    P( E, A, B, C, D, R(51) );
+    P( D, E, A, B, C, R(52) );
+    P( C, D, E, A, B, R(53) );
+    P( B, C, D, E, A, R(54) );
+    P( A, B, C, D, E, R(55) );
+    P( E, A, B, C, D, R(56) );
+    P( D, E, A, B, C, R(57) );
+    P( C, D, E, A, B, R(58) );
+    P( B, C, D, E, A, R(59) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define K 0xCA62C1D6
+
+    P( A, B, C, D, E, R(60) );
+    P( E, A, B, C, D, R(61) );
+    P( D, E, A, B, C, R(62) );
+    P( C, D, E, A, B, R(63) );
+    P( B, C, D, E, A, R(64) );
+    P( A, B, C, D, E, R(65) );
+    P( E, A, B, C, D, R(66) );
+    P( D, E, A, B, C, R(67) );
+    P( C, D, E, A, B, R(68) );
+    P( B, C, D, E, A, R(69) );
+    P( A, B, C, D, E, R(70) );
+    P( E, A, B, C, D, R(71) );
+    P( D, E, A, B, C, R(72) );
+    P( C, D, E, A, B, R(73) );
+    P( B, C, D, E, A, R(74) );
+    P( A, B, C, D, E, R(75) );
+    P( E, A, B, C, D, R(76) );
+    P( D, E, A, B, C, R(77) );
+    P( C, D, E, A, B, R(78) );
+    P( B, C, D, E, A, R(79) );
+
+#undef K
+#undef F
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+    ctx->state[4] += E;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
+                           const unsigned char data[64] )
+{
+    mbedtls_internal_sha1_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA1_PROCESS_ALT */
+
+/*
+ * SHA-1 process buffer
+ */
+int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_sha1_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
+                          const unsigned char *input,
+                          size_t ilen )
+{
+    mbedtls_sha1_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-1 final digest
+ */
+int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
+                             unsigned char output[20] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_BE( high, ctx->buffer, 56 );
+    PUT_UINT32_BE( low,  ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_BE( ctx->state[0], output,  0 );
+    PUT_UINT32_BE( ctx->state[1], output,  4 );
+    PUT_UINT32_BE( ctx->state[2], output,  8 );
+    PUT_UINT32_BE( ctx->state[3], output, 12 );
+    PUT_UINT32_BE( ctx->state[4], output, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
+                          unsigned char output[20] )
+{
+    mbedtls_sha1_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA1_ALT */
+
+/*
+ * output = SHA-1( input buffer )
+ */
+int mbedtls_sha1_ret( const unsigned char *input,
+                      size_t ilen,
+                      unsigned char output[20] )
+{
+    int ret;
+    mbedtls_sha1_context ctx;
+
+    SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    mbedtls_sha1_init( &ctx );
+
+    if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha1_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha1_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha1_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1( const unsigned char *input,
+                   size_t ilen,
+                   unsigned char output[20] )
+{
+    mbedtls_sha1_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-1 test vectors
+ */
+static const unsigned char sha1_test_buf[3][57] =
+{
+    { "abc" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "" }
+};
+
+static const size_t sha1_test_buflen[3] =
+{
+    3, 56, 1000
+};
+
+static const unsigned char sha1_test_sum[3][20] =
+{
+    { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
+      0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
+    { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
+      0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
+    { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
+      0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha1_self_test( int verbose )
+{
+    int i, j, buflen, ret = 0;
+    unsigned char buf[1024];
+    unsigned char sha1sum[20];
+    mbedtls_sha1_context ctx;
+
+    mbedtls_sha1_init( &ctx );
+
+    /*
+     * SHA-1
+     */
+    for( i = 0; i < 3; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-1 test #%d: ", i + 1 );
+
+        if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
+            goto fail;
+
+        if( i == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha1_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+        }
+        else
+        {
+            ret = mbedtls_sha1_update_ret( &ctx, sha1_test_buf[i],
+                                           sha1_test_buflen[i] );
+            if( ret != 0 )
+                goto fail;
+        }
+
+        if( ( ret = mbedtls_sha1_finish_ret( &ctx, sha1sum ) ) != 0 )
+            goto fail;
+
+        if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha1_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA1_C */
diff --git a/ctrtool/deps/libmbedtls/src/sha256.c b/ctrtool/deps/libmbedtls/src/sha256.c
new file mode 100644
index 00000000..2dc0e1a2
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/sha256.c
@@ -0,0 +1,586 @@
+/*
+ *  FIPS-180-2 compliant SHA-256 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
+ *
+ *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+
+#include "mbedtls/sha256.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#define SHA256_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
+#define SHA256_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if !defined(MBEDTLS_SHA256_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
+#endif
+
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
+{
+    SHA256_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+                           const mbedtls_sha256_context *src )
+{
+    SHA256_VALIDATE( dst != NULL );
+    SHA256_VALIDATE( src != NULL );
+
+    *dst = *src;
+}
+
+/*
+ * SHA-256 context setup
+ */
+int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
+{
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
+
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    if( is224 == 0 )
+    {
+        /* SHA-256 */
+        ctx->state[0] = 0x6A09E667;
+        ctx->state[1] = 0xBB67AE85;
+        ctx->state[2] = 0x3C6EF372;
+        ctx->state[3] = 0xA54FF53A;
+        ctx->state[4] = 0x510E527F;
+        ctx->state[5] = 0x9B05688C;
+        ctx->state[6] = 0x1F83D9AB;
+        ctx->state[7] = 0x5BE0CD19;
+    }
+    else
+    {
+        /* SHA-224 */
+        ctx->state[0] = 0xC1059ED8;
+        ctx->state[1] = 0x367CD507;
+        ctx->state[2] = 0x3070DD17;
+        ctx->state[3] = 0xF70E5939;
+        ctx->state[4] = 0xFFC00B31;
+        ctx->state[5] = 0x68581511;
+        ctx->state[6] = 0x64F98FA7;
+        ctx->state[7] = 0xBEFA4FA4;
+    }
+
+    ctx->is224 = is224;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
+                            int is224 )
+{
+    mbedtls_sha256_starts_ret( ctx, is224 );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
+static const uint32_t K[] =
+{
+    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
+    0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
+    0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
+    0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
+    0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
+    0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
+    0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
+    0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
+    0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
+    0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
+    0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
+    0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
+    0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
+    0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
+    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
+    0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
+};
+
+#define  SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
+#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
+
+#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
+#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
+
+#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
+#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
+
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define R(t)                                    \
+    (                                           \
+        W[t] = S1(W[(t) -  2]) + W[(t) -  7] +  \
+               S0(W[(t) - 15]) + W[(t) - 16]    \
+    )
+
+#define P(a,b,c,d,e,f,g,h,x,K)                          \
+    do                                                  \
+    {                                                   \
+        temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);      \
+        temp2 = S2(a) + F0((a),(b),(c));                        \
+        (d) += temp1; (h) = temp1 + temp2;              \
+    } while( 0 )
+
+int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
+                                const unsigned char data[64] )
+{
+    uint32_t temp1, temp2, W[64];
+    uint32_t A[8];
+    unsigned int i;
+
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
+
+    for( i = 0; i < 8; i++ )
+        A[i] = ctx->state[i];
+
+#if defined(MBEDTLS_SHA256_SMALLER)
+    for( i = 0; i < 64; i++ )
+    {
+        if( i < 16 )
+            GET_UINT32_BE( W[i], data, 4 * i );
+        else
+            R( i );
+
+        P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
+
+        temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
+        A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
+    }
+#else /* MBEDTLS_SHA256_SMALLER */
+    for( i = 0; i < 16; i++ )
+        GET_UINT32_BE( W[i], data, 4 * i );
+
+    for( i = 0; i < 16; i += 8 )
+    {
+        P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
+        P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
+        P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
+        P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
+        P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
+        P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
+        P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
+        P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
+    }
+
+    for( i = 16; i < 64; i += 8 )
+    {
+        P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
+        P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
+        P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
+        P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
+        P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
+        P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
+        P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
+        P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
+    }
+#endif /* MBEDTLS_SHA256_SMALLER */
+
+    for( i = 0; i < 8; i++ )
+        ctx->state[i] += A[i];
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
+                             const unsigned char data[64] )
+{
+    mbedtls_internal_sha256_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA256_PROCESS_ALT */
+
+/*
+ * SHA-256 process buffer
+ */
+int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    mbedtls_sha256_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-256 final digest
+ */
+int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
+                               unsigned char output[32] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_BE( high, ctx->buffer, 56 );
+    PUT_UINT32_BE( low,  ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_BE( ctx->state[0], output,  0 );
+    PUT_UINT32_BE( ctx->state[1], output,  4 );
+    PUT_UINT32_BE( ctx->state[2], output,  8 );
+    PUT_UINT32_BE( ctx->state[3], output, 12 );
+    PUT_UINT32_BE( ctx->state[4], output, 16 );
+    PUT_UINT32_BE( ctx->state[5], output, 20 );
+    PUT_UINT32_BE( ctx->state[6], output, 24 );
+
+    if( ctx->is224 == 0 )
+        PUT_UINT32_BE( ctx->state[7], output, 28 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
+                            unsigned char output[32] )
+{
+    mbedtls_sha256_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA256_ALT */
+
+/*
+ * output = SHA-256( input buffer )
+ */
+int mbedtls_sha256_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[32],
+                        int is224 )
+{
+    int ret;
+    mbedtls_sha256_context ctx;
+
+    SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
+    SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    mbedtls_sha256_init( &ctx );
+
+    if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha256_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[32],
+                     int is224 )
+{
+    mbedtls_sha256_ret( input, ilen, output, is224 );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha256_test_buf[3][57] =
+{
+    { "abc" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "" }
+};
+
+static const size_t sha256_test_buflen[3] =
+{
+    3, 56, 1000
+};
+
+static const unsigned char sha256_test_sum[6][32] =
+{
+    /*
+     * SHA-224 test vectors
+     */
+    { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
+      0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
+      0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
+      0xE3, 0x6C, 0x9D, 0xA7 },
+    { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
+      0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
+      0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
+      0x52, 0x52, 0x25, 0x25 },
+    { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
+      0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
+      0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
+      0x4E, 0xE7, 0xAD, 0x67 },
+
+    /*
+     * SHA-256 test vectors
+     */
+    { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
+      0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
+      0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
+      0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
+    { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
+      0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
+      0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
+      0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
+    { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
+      0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
+      0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
+      0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha256_self_test( int verbose )
+{
+    int i, j, k, buflen, ret = 0;
+    unsigned char *buf;
+    unsigned char sha256sum[32];
+    mbedtls_sha256_context ctx;
+
+    buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+    if( NULL == buf )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "Buffer allocation failed\n" );
+
+        return( 1 );
+    }
+
+    mbedtls_sha256_init( &ctx );
+
+    for( i = 0; i < 6; i++ )
+    {
+        j = i % 3;
+        k = i < 3;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-%d test #%d: ", 256 - k * 32, j + 1 );
+
+        if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
+            goto fail;
+
+        if( j == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+
+        }
+        else
+        {
+            ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
+                                             sha256_test_buflen[j] );
+            if( ret != 0 )
+                 goto fail;
+        }
+
+        if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
+            goto fail;
+
+
+        if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha256_free( &ctx );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA256_C */
diff --git a/ctrtool/deps/libmbedtls/src/sha512.c b/ctrtool/deps/libmbedtls/src/sha512.c
new file mode 100644
index 00000000..bdd20b28
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/sha512.c
@@ -0,0 +1,636 @@
+/*
+ *  FIPS-180-2 compliant SHA-384/512 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SHA-512 Secure Hash Standard was published by NIST in 2002.
+ *
+ *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+
+#include "mbedtls/sha512.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(_MSC_VER) || defined(__WATCOMC__)
+  #define UL64(x) x##ui64
+#else
+  #define UL64(x) x##ULL
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#define SHA512_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA )
+#define SHA512_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if !defined(MBEDTLS_SHA512_ALT)
+
+/*
+ * 64-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT64_BE
+#define GET_UINT64_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i)    ] << 56 )       \
+        | ( (uint64_t) (b)[(i) + 1] << 48 )       \
+        | ( (uint64_t) (b)[(i) + 2] << 40 )       \
+        | ( (uint64_t) (b)[(i) + 3] << 32 )       \
+        | ( (uint64_t) (b)[(i) + 4] << 24 )       \
+        | ( (uint64_t) (b)[(i) + 5] << 16 )       \
+        | ( (uint64_t) (b)[(i) + 6] <<  8 )       \
+        | ( (uint64_t) (b)[(i) + 7]       );      \
+}
+#endif /* GET_UINT64_BE */
+
+#ifndef PUT_UINT64_BE
+#define PUT_UINT64_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 7] = (unsigned char) ( (n)       );       \
+}
+#endif /* PUT_UINT64_BE */
+
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
+{
+    SHA512_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+                           const mbedtls_sha512_context *src )
+{
+    SHA512_VALIDATE( dst != NULL );
+    SHA512_VALIDATE( src != NULL );
+
+    *dst = *src;
+}
+
+/*
+ * SHA-512 context setup
+ */
+int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 )
+{
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
+
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    if( is384 == 0 )
+    {
+        /* SHA-512 */
+        ctx->state[0] = UL64(0x6A09E667F3BCC908);
+        ctx->state[1] = UL64(0xBB67AE8584CAA73B);
+        ctx->state[2] = UL64(0x3C6EF372FE94F82B);
+        ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
+        ctx->state[4] = UL64(0x510E527FADE682D1);
+        ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
+        ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
+        ctx->state[7] = UL64(0x5BE0CD19137E2179);
+    }
+    else
+    {
+        /* SHA-384 */
+        ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
+        ctx->state[1] = UL64(0x629A292A367CD507);
+        ctx->state[2] = UL64(0x9159015A3070DD17);
+        ctx->state[3] = UL64(0x152FECD8F70E5939);
+        ctx->state[4] = UL64(0x67332667FFC00B31);
+        ctx->state[5] = UL64(0x8EB44A8768581511);
+        ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
+        ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
+    }
+
+    ctx->is384 = is384;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
+                            int is384 )
+{
+    mbedtls_sha512_starts_ret( ctx, is384 );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
+
+/*
+ * Round constants
+ */
+static const uint64_t K[80] =
+{
+    UL64(0x428A2F98D728AE22),  UL64(0x7137449123EF65CD),
+    UL64(0xB5C0FBCFEC4D3B2F),  UL64(0xE9B5DBA58189DBBC),
+    UL64(0x3956C25BF348B538),  UL64(0x59F111F1B605D019),
+    UL64(0x923F82A4AF194F9B),  UL64(0xAB1C5ED5DA6D8118),
+    UL64(0xD807AA98A3030242),  UL64(0x12835B0145706FBE),
+    UL64(0x243185BE4EE4B28C),  UL64(0x550C7DC3D5FFB4E2),
+    UL64(0x72BE5D74F27B896F),  UL64(0x80DEB1FE3B1696B1),
+    UL64(0x9BDC06A725C71235),  UL64(0xC19BF174CF692694),
+    UL64(0xE49B69C19EF14AD2),  UL64(0xEFBE4786384F25E3),
+    UL64(0x0FC19DC68B8CD5B5),  UL64(0x240CA1CC77AC9C65),
+    UL64(0x2DE92C6F592B0275),  UL64(0x4A7484AA6EA6E483),
+    UL64(0x5CB0A9DCBD41FBD4),  UL64(0x76F988DA831153B5),
+    UL64(0x983E5152EE66DFAB),  UL64(0xA831C66D2DB43210),
+    UL64(0xB00327C898FB213F),  UL64(0xBF597FC7BEEF0EE4),
+    UL64(0xC6E00BF33DA88FC2),  UL64(0xD5A79147930AA725),
+    UL64(0x06CA6351E003826F),  UL64(0x142929670A0E6E70),
+    UL64(0x27B70A8546D22FFC),  UL64(0x2E1B21385C26C926),
+    UL64(0x4D2C6DFC5AC42AED),  UL64(0x53380D139D95B3DF),
+    UL64(0x650A73548BAF63DE),  UL64(0x766A0ABB3C77B2A8),
+    UL64(0x81C2C92E47EDAEE6),  UL64(0x92722C851482353B),
+    UL64(0xA2BFE8A14CF10364),  UL64(0xA81A664BBC423001),
+    UL64(0xC24B8B70D0F89791),  UL64(0xC76C51A30654BE30),
+    UL64(0xD192E819D6EF5218),  UL64(0xD69906245565A910),
+    UL64(0xF40E35855771202A),  UL64(0x106AA07032BBD1B8),
+    UL64(0x19A4C116B8D2D0C8),  UL64(0x1E376C085141AB53),
+    UL64(0x2748774CDF8EEB99),  UL64(0x34B0BCB5E19B48A8),
+    UL64(0x391C0CB3C5C95A63),  UL64(0x4ED8AA4AE3418ACB),
+    UL64(0x5B9CCA4F7763E373),  UL64(0x682E6FF3D6B2B8A3),
+    UL64(0x748F82EE5DEFB2FC),  UL64(0x78A5636F43172F60),
+    UL64(0x84C87814A1F0AB72),  UL64(0x8CC702081A6439EC),
+    UL64(0x90BEFFFA23631E28),  UL64(0xA4506CEBDE82BDE9),
+    UL64(0xBEF9A3F7B2C67915),  UL64(0xC67178F2E372532B),
+    UL64(0xCA273ECEEA26619C),  UL64(0xD186B8C721C0C207),
+    UL64(0xEADA7DD6CDE0EB1E),  UL64(0xF57D4F7FEE6ED178),
+    UL64(0x06F067AA72176FBA),  UL64(0x0A637DC5A2C898A6),
+    UL64(0x113F9804BEF90DAE),  UL64(0x1B710B35131C471B),
+    UL64(0x28DB77F523047D84),  UL64(0x32CAAB7B40C72493),
+    UL64(0x3C9EBE0A15C9BEBC),  UL64(0x431D67C49C100D4C),
+    UL64(0x4CC5D4BECB3E42B6),  UL64(0x597F299CFC657E2A),
+    UL64(0x5FCB6FAB3AD6FAEC),  UL64(0x6C44198C4A475817)
+};
+
+int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
+                                     const unsigned char data[128] )
+{
+    int i;
+    uint64_t temp1, temp2, W[80];
+    uint64_t A, B, C, D, E, F, G, H;
+
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( (const unsigned char *)data != NULL );
+
+#define  SHR(x,n) ((x) >> (n))
+#define ROTR(x,n) (SHR((x),(n)) | ((x) << (64 - (n))))
+
+#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^  SHR(x, 7))
+#define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^  SHR(x, 6))
+
+#define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
+#define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
+
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define P(a,b,c,d,e,f,g,h,x,K)                                  \
+    do                                                          \
+    {                                                           \
+        temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);      \
+        temp2 = S2(a) + F0((a),(b),(c));                        \
+        (d) += temp1; (h) = temp1 + temp2;                      \
+    } while( 0 )
+
+    for( i = 0; i < 16; i++ )
+    {
+        GET_UINT64_BE( W[i], data, i << 3 );
+    }
+
+    for( ; i < 80; i++ )
+    {
+        W[i] = S1(W[i -  2]) + W[i -  7] +
+               S0(W[i - 15]) + W[i - 16];
+    }
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+    E = ctx->state[4];
+    F = ctx->state[5];
+    G = ctx->state[6];
+    H = ctx->state[7];
+    i = 0;
+
+    do
+    {
+        P( A, B, C, D, E, F, G, H, W[i], K[i] ); i++;
+        P( H, A, B, C, D, E, F, G, W[i], K[i] ); i++;
+        P( G, H, A, B, C, D, E, F, W[i], K[i] ); i++;
+        P( F, G, H, A, B, C, D, E, W[i], K[i] ); i++;
+        P( E, F, G, H, A, B, C, D, W[i], K[i] ); i++;
+        P( D, E, F, G, H, A, B, C, W[i], K[i] ); i++;
+        P( C, D, E, F, G, H, A, B, W[i], K[i] ); i++;
+        P( B, C, D, E, F, G, H, A, W[i], K[i] ); i++;
+    }
+    while( i < 80 );
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+    ctx->state[4] += E;
+    ctx->state[5] += F;
+    ctx->state[6] += G;
+    ctx->state[7] += H;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_process( mbedtls_sha512_context *ctx,
+                             const unsigned char data[128] )
+{
+    mbedtls_internal_sha512_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA512_PROCESS_ALT */
+
+/*
+ * SHA-512 process buffer
+ */
+int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    int ret;
+    size_t fill;
+    unsigned int left;
+
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = (unsigned int) (ctx->total[0] & 0x7F);
+    fill = 128 - left;
+
+    ctx->total[0] += (uint64_t) ilen;
+
+    if( ctx->total[0] < (uint64_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 128 )
+    {
+        if( ( ret = mbedtls_internal_sha512_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 128;
+        ilen  -= 128;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    mbedtls_sha512_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-512 final digest
+ */
+int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
+                               unsigned char output[64] )
+{
+    int ret;
+    unsigned used;
+    uint64_t high, low;
+
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    /*
+     * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x7F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 112 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 112 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 128 - used );
+
+        if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 112 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 61 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT64_BE( high, ctx->buffer, 112 );
+    PUT_UINT64_BE( low,  ctx->buffer, 120 );
+
+    if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT64_BE( ctx->state[0], output,  0 );
+    PUT_UINT64_BE( ctx->state[1], output,  8 );
+    PUT_UINT64_BE( ctx->state[2], output, 16 );
+    PUT_UINT64_BE( ctx->state[3], output, 24 );
+    PUT_UINT64_BE( ctx->state[4], output, 32 );
+    PUT_UINT64_BE( ctx->state[5], output, 40 );
+
+    if( ctx->is384 == 0 )
+    {
+        PUT_UINT64_BE( ctx->state[6], output, 48 );
+        PUT_UINT64_BE( ctx->state[7], output, 56 );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
+                            unsigned char output[64] )
+{
+    mbedtls_sha512_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA512_ALT */
+
+/*
+ * output = SHA-512( input buffer )
+ */
+int mbedtls_sha512_ret( const unsigned char *input,
+                    size_t ilen,
+                    unsigned char output[64],
+                    int is384 )
+{
+    int ret;
+    mbedtls_sha512_context ctx;
+
+    SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
+    SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    mbedtls_sha512_init( &ctx );
+
+    if( ( ret = mbedtls_sha512_starts_ret( &ctx, is384 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha512_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha512_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha512_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[64],
+                     int is384 )
+{
+    mbedtls_sha512_ret( input, ilen, output, is384 );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha512_test_buf[3][113] =
+{
+    { "abc" },
+    { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+      "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
+    { "" }
+};
+
+static const size_t sha512_test_buflen[3] =
+{
+    3, 112, 1000
+};
+
+static const unsigned char sha512_test_sum[6][64] =
+{
+    /*
+     * SHA-384 test vectors
+     */
+    { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
+      0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
+      0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
+      0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
+      0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
+      0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
+    { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
+      0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
+      0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
+      0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
+      0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
+      0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
+    { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
+      0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
+      0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
+      0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
+      0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
+      0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
+
+    /*
+     * SHA-512 test vectors
+     */
+    { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
+      0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
+      0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
+      0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
+      0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
+      0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
+      0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
+      0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
+    { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
+      0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
+      0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
+      0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
+      0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
+      0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
+      0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
+      0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
+    { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
+      0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
+      0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
+      0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
+      0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
+      0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
+      0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
+      0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha512_self_test( int verbose )
+{
+    int i, j, k, buflen, ret = 0;
+    unsigned char *buf;
+    unsigned char sha512sum[64];
+    mbedtls_sha512_context ctx;
+
+    buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+    if( NULL == buf )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "Buffer allocation failed\n" );
+
+        return( 1 );
+    }
+
+    mbedtls_sha512_init( &ctx );
+
+    for( i = 0; i < 6; i++ )
+    {
+        j = i % 3;
+        k = i < 3;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-%d test #%d: ", 512 - k * 128, j + 1 );
+
+        if( ( ret = mbedtls_sha512_starts_ret( &ctx, k ) ) != 0 )
+            goto fail;
+
+        if( j == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha512_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+        }
+        else
+        {
+            ret = mbedtls_sha512_update_ret( &ctx, sha512_test_buf[j],
+                                             sha512_test_buflen[j] );
+            if( ret != 0 )
+                goto fail;
+        }
+
+        if( ( ret = mbedtls_sha512_finish_ret( &ctx, sha512sum ) ) != 0 )
+            goto fail;
+
+        if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha512_free( &ctx );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA512_C */
diff --git a/ctrtool/deps/libmbedtls/src/ssl_cache.c b/ctrtool/deps/libmbedtls/src/ssl_cache.c
new file mode 100644
index 00000000..47867f13
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ssl_cache.c
@@ -0,0 +1,327 @@
+/*
+ *  SSL session cache implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cache.h"
+
+#include <string.h>
+
+void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
+{
+    memset( cache, 0, sizeof( mbedtls_ssl_cache_context ) );
+
+    cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
+    cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &cache->mutex );
+#endif
+}
+
+int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
+{
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time( NULL );
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *entry;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_lock( &cache->mutex ) != 0 )
+        return( 1 );
+#endif
+
+    cur = cache->chain;
+    entry = NULL;
+
+    while( cur != NULL )
+    {
+        entry = cur;
+        cur = cur->next;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( cache->timeout != 0 &&
+            (int) ( t - entry->timestamp ) > cache->timeout )
+            continue;
+#endif
+
+        if( session->ciphersuite != entry->session.ciphersuite ||
+            session->compression != entry->session.compression ||
+            session->id_len != entry->session.id_len )
+            continue;
+
+        if( memcmp( session->id, entry->session.id,
+                    entry->session.id_len ) != 0 )
+            continue;
+
+        memcpy( session->master, entry->session.master, 48 );
+
+        session->verify_result = entry->session.verify_result;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+        /*
+         * Restore peer certificate (without rest of the original chain)
+         */
+        if( entry->peer_cert.p != NULL )
+        {
+            if( ( session->peer_cert = mbedtls_calloc( 1,
+                                 sizeof(mbedtls_x509_crt) ) ) == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_x509_crt_init( session->peer_cert );
+            if( mbedtls_x509_crt_parse( session->peer_cert, entry->peer_cert.p,
+                                entry->peer_cert.len ) != 0 )
+            {
+                mbedtls_free( session->peer_cert );
+                session->peer_cert = NULL;
+                ret = 1;
+                goto exit;
+            }
+        }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+        ret = 0;
+        goto exit;
+    }
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
+        ret = 1;
+#endif
+
+    return( ret );
+}
+
+int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
+{
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time( NULL ), oldest = 0;
+    mbedtls_ssl_cache_entry *old = NULL;
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *prv;
+    int count = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &cache->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    cur = cache->chain;
+    prv = NULL;
+
+    while( cur != NULL )
+    {
+        count++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( cache->timeout != 0 &&
+            (int) ( t - cur->timestamp ) > cache->timeout )
+        {
+            cur->timestamp = t;
+            break; /* expired, reuse this slot, update timestamp */
+        }
+#endif
+
+        if( memcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
+            break; /* client reconnected, keep timestamp for session id */
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( oldest == 0 || cur->timestamp < oldest )
+        {
+            oldest = cur->timestamp;
+            old = cur;
+        }
+#endif
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    if( cur == NULL )
+    {
+#if defined(MBEDTLS_HAVE_TIME)
+        /*
+         * Reuse oldest entry if max_entries reached
+         */
+        if( count >= cache->max_entries )
+        {
+            if( old == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = old;
+        }
+#else /* MBEDTLS_HAVE_TIME */
+        /*
+         * Reuse first entry in chain if max_entries reached,
+         * but move to last place
+         */
+        if( count >= cache->max_entries )
+        {
+            if( cache->chain == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = cache->chain;
+            cache->chain = cur->next;
+            cur->next = NULL;
+            prv->next = cur;
+        }
+#endif /* MBEDTLS_HAVE_TIME */
+        else
+        {
+            /*
+             * max_entries not reached, create new entry
+             */
+            cur = mbedtls_calloc( 1, sizeof(mbedtls_ssl_cache_entry) );
+            if( cur == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            if( prv == NULL )
+                cache->chain = cur;
+            else
+                prv->next = cur;
+        }
+
+#if defined(MBEDTLS_HAVE_TIME)
+        cur->timestamp = t;
+#endif
+    }
+
+    memcpy( &cur->session, session, sizeof( mbedtls_ssl_session ) );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /*
+     * If we're reusing an entry, free its certificate first
+     */
+    if( cur->peer_cert.p != NULL )
+    {
+        mbedtls_free( cur->peer_cert.p );
+        memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
+    }
+
+    /*
+     * Store peer certificate
+     */
+    if( session->peer_cert != NULL )
+    {
+        cur->peer_cert.p = mbedtls_calloc( 1, session->peer_cert->raw.len );
+        if( cur->peer_cert.p == NULL )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
+                session->peer_cert->raw.len );
+        cur->peer_cert.len = session->peer_cert->raw.len;
+
+        cur->session.peer_cert = NULL;
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    ret = 0;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
+        ret = 1;
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_HAVE_TIME)
+void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout )
+{
+    if( timeout < 0 ) timeout = 0;
+
+    cache->timeout = timeout;
+}
+#endif /* MBEDTLS_HAVE_TIME */
+
+void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max )
+{
+    if( max < 0 ) max = 0;
+
+    cache->max_entries = max;
+}
+
+void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
+{
+    mbedtls_ssl_cache_entry *cur, *prv;
+
+    cur = cache->chain;
+
+    while( cur != NULL )
+    {
+        prv = cur;
+        cur = cur->next;
+
+        mbedtls_ssl_session_free( &prv->session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+        mbedtls_free( prv->peer_cert.p );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+        mbedtls_free( prv );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &cache->mutex );
+#endif
+    cache->chain = NULL;
+}
+
+#endif /* MBEDTLS_SSL_CACHE_C */
diff --git a/ctrtool/deps/libmbedtls/src/ssl_ciphersuites.c b/ctrtool/deps/libmbedtls/src/ssl_ciphersuites.c
new file mode 100644
index 00000000..518f7dde
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ssl_ciphersuites.c
@@ -0,0 +1,2373 @@
+/**
+ * \file ssl_ciphersuites.c
+ *
+ * \brief SSL ciphersuites for mbed TLS
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl.h"
+
+#include <string.h>
+
+/*
+ * Ordered from most preferred to least preferred in terms of security.
+ *
+ * Current rule (except RC4 and 3DES, weak and null which come last):
+ * 1. By key exchange:
+ *    Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
+ * 2. By key length and cipher:
+ *    ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128
+ * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
+ * 4. By hash function used when relevant
+ * 5. By key exchange/auth again: EC > non-EC
+ */
+static const int ciphersuite_preference[] =
+{
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+    MBEDTLS_SSL_CIPHERSUITES,
+#else
+    /* Chacha-Poly ephemeral suites */
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+
+    /* All AES-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+
+    /* All ARIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+
+    /* All AES-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+    /* All ARIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+
+    /* The PSK ephemeral suites */
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* The ECJPAKE suite */
+    MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
+
+    /* All AES-256 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+
+    /* All ARIA-256 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+
+    /* All AES-128 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+
+    /* All ARIA-128 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+
+    /* The RSA PSK suites */
+    MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* The PSK suites */
+    MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* 3DES suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+
+    /* RC4 suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_PSK_WITH_RC4_128_SHA,
+
+    /* Weak suites */
+    MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA,
+
+    /* NULL suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
+
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_WITH_NULL_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA,
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+    0
+};
+
+static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
+{
+#if defined(MBEDTLS_CHACHAPOLY_C) && \
+    defined(MBEDTLS_SHA256_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    { MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#endif /* MBEDTLS_CHACHAPOLY_C &&
+          MBEDTLS_SHA256_C &&
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS-ECDHE-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_MD5_C)
+    { MBEDTLS_TLS_RSA_WITH_RC4_128_MD5, "TLS-RSA-WITH-RC4-128-MD5",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_RC4_128_SHA, "TLS-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA, "TLS-ECDH-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "TLS-ECDH-ECDSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA, "TLS-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_RC4_128_SHA, "TLS-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA, "TLS-DHE-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA, "TLS-ECDHE-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_MD5_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, "TLS-ECDHE-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA, "TLS-DHE-RSA-WITH-DES-CBC-SHA",
+      MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA, "TLS-RSA-WITH-DES-CBC-SHA",
+      MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+
+#if defined(MBEDTLS_ARIA_C)
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384,MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#endif /* MBEDTLS_ARIA_C */
+
+
+    { 0, "",
+      MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
+      0, 0, 0, 0, 0 }
+};
+
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+const int *mbedtls_ssl_list_ciphersuites( void )
+{
+    return( ciphersuite_preference );
+}
+#else
+#define MAX_CIPHERSUITES    sizeof( ciphersuite_definitions     ) /         \
+                            sizeof( ciphersuite_definitions[0]  )
+static int supported_ciphersuites[MAX_CIPHERSUITES];
+static int supported_init = 0;
+
+static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
+{
+    (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+        return( 1 );
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+        cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
+    {
+        return( 1 );
+    }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+    return( 0 );
+}
+
+const int *mbedtls_ssl_list_ciphersuites( void )
+{
+    /*
+     * On initial call filter out all ciphersuites not supported by current
+     * build based on presence in the ciphersuite_definitions.
+     */
+    if( supported_init == 0 )
+    {
+        const int *p;
+        int *q;
+
+        for( p = ciphersuite_preference, q = supported_ciphersuites;
+             *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
+             p++ )
+        {
+            const mbedtls_ssl_ciphersuite_t *cs_info;
+            if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
+                !ciphersuite_is_removed( cs_info ) )
+            {
+                *(q++) = *p;
+            }
+        }
+        *q = 0;
+
+        supported_init = 1;
+    }
+
+    return( supported_ciphersuites );
+}
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
+                                                const char *ciphersuite_name )
+{
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    if( NULL == ciphersuite_name )
+        return( NULL );
+
+    while( cur->id != 0 )
+    {
+        if( 0 == strcmp( cur->name, ciphersuite_name ) )
+            return( cur );
+
+        cur++;
+    }
+
+    return( NULL );
+}
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite )
+{
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    while( cur->id != 0 )
+    {
+        if( cur->id == ciphersuite )
+            return( cur );
+
+        cur++;
+    }
+
+    return( NULL );
+}
+
+const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id )
+{
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
+
+    if( cur == NULL )
+        return( "unknown" );
+
+    return( cur->name );
+}
+
+int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
+{
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_string( ciphersuite_name );
+
+    if( cur == NULL )
+        return( 0 );
+
+    return( cur->id );
+}
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return( MBEDTLS_PK_RSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return( MBEDTLS_PK_ECKEY );
+
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            return( MBEDTLS_PK_RSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/ctrtool/deps/libmbedtls/src/ssl_cli.c b/ctrtool/deps/libmbedtls/src/ssl_cli.c
new file mode 100644
index 00000000..afced7a9
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ssl_cli.c
@@ -0,0 +1,3636 @@
+/*
+ *  SSLv3/TLSv1 client-side functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_CLI_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#include "mbedtls/platform_util.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
+                                    unsigned char *buf,
+                                    size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t hostname_len;
+
+    *olen = 0;
+
+    if( ssl->hostname == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
+                   ssl->hostname ) );
+
+    hostname_len = strlen( ssl->hostname );
+
+    if( end < p || (size_t)( end - p ) < hostname_len + 9 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    /*
+     * Sect. 3, RFC 6066 (TLS Extensions Definitions)
+     *
+     * In order to provide any of the server names, clients MAY include an
+     * extension of type "server_name" in the (extended) client hello. The
+     * "extension_data" field of this extension SHALL contain
+     * "ServerNameList" where:
+     *
+     * struct {
+     *     NameType name_type;
+     *     select (name_type) {
+     *         case host_name: HostName;
+     *     } name;
+     * } ServerName;
+     *
+     * enum {
+     *     host_name(0), (255)
+     * } NameType;
+     *
+     * opaque HostName<1..2^16-1>;
+     *
+     * struct {
+     *     ServerName server_name_list<1..2^16-1>
+     * } ServerNameList;
+     *
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( (hostname_len + 5)      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( (hostname_len + 3)      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
+    *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( hostname_len      ) & 0xFF );
+
+    memcpy( p, ssl->hostname, hostname_len );
+
+    *olen = hostname_len + 9;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
+     * initial ClientHello, in which case also adding the renegotiation
+     * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
+    if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    /*
+     * Secure renegotiation
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
+    *p++ = ssl->verify_data_len & 0xFF;
+
+    memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+
+    *olen = 5 + ssl->verify_data_len;
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Only if we handle at least one key exchange that needs signatures.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
+                                                unsigned char *buf,
+                                                size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t sig_alg_len = 0;
+    const int *md;
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
+    unsigned char *sig_alg_list = buf + 6;
+#endif
+
+    *olen = 0;
+
+    if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
+
+    for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
+    {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_len += 2;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_len += 2;
+#endif
+    }
+
+    if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    /*
+     * Prepare signature_algorithms extension (TLS 1.2)
+     */
+    sig_alg_len = 0;
+
+    for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
+    {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+    }
+
+    /*
+     * enum {
+     *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
+     *     sha512(6), (255)
+     * } HashAlgorithm;
+     *
+     * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
+     *   SignatureAlgorithm;
+     *
+     * struct {
+     *     HashAlgorithm hash;
+     *     SignatureAlgorithm signature;
+     * } SignatureAndHashAlgorithm;
+     *
+     * SignatureAndHashAlgorithm
+     *   supported_signature_algorithms<2..2^16-2>;
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( sig_alg_len + 2 )      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( sig_alg_len      ) & 0xFF );
+
+    *olen = 6 + sig_alg_len;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
+                                                     unsigned char *buf,
+                                                     size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    unsigned char *elliptic_curve_list = p + 6;
+    size_t elliptic_curve_len = 0;
+    const mbedtls_ecp_curve_info *info;
+#if defined(MBEDTLS_ECP_C)
+    const mbedtls_ecp_group_id *grp_id;
+#else
+    ((void) ssl);
+#endif
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
+
+#if defined(MBEDTLS_ECP_C)
+    for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
+#else
+    for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
+#endif
+    {
+#if defined(MBEDTLS_ECP_C)
+        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
+#endif
+        if( info == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
+            return;
+        }
+
+        elliptic_curve_len += 2;
+    }
+
+    if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    elliptic_curve_len = 0;
+
+#if defined(MBEDTLS_ECP_C)
+    for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
+#else
+    for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
+#endif
+    {
+#if defined(MBEDTLS_ECP_C)
+        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
+#endif
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
+    }
+
+    if( elliptic_curve_len == 0 )
+        return;
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 )      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( elliptic_curve_len     ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( elliptic_curve_len     )      ) & 0xFF );
+
+    *olen = 6 + elliptic_curve_len;
+}
+
+static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                   unsigned char *buf,
+                                                   size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 6 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        size_t *olen )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly extension if we can't use EC J-PAKE anyway */
+    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
+
+    if( end - p < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
+
+    /*
+     * We may need to send ClientHello multiple times for Hello verification.
+     * We don't want to compute fresh values every time (both for performance
+     * and consistency reasons), so cache the extension content.
+     */
+    if( ssl->handshake->ecjpake_cache == NULL ||
+        ssl->handshake->ecjpake_cache_len == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
+
+        ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
+                                        p + 2, end - p - 2, &kkpp_len,
+                                        ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
+            return;
+        }
+
+        ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
+        if( ssl->handshake->ecjpake_cache == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
+            return;
+        }
+
+        memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
+        ssl->handshake->ecjpake_cache_len = kkpp_len;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
+
+        kkpp_len = ssl->handshake->ecjpake_cache_len;
+
+        if( (size_t)( end - p - 2 ) < kkpp_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+            return;
+        }
+
+        memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
+    }
+
+    *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
+
+    *olen = kkpp_len + 4;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                               unsigned char *buf,
+                                               size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 5 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->conf->mfl_code;
+
+    *olen = 5;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
+                        "extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
+                        "extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t tlen = ssl->session_negotiate->ticket_len;
+
+    *olen = 0;
+
+    if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 + tlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( tlen      ) & 0xFF );
+
+    *olen = 4;
+
+    if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
+
+    memcpy( p, ssl->session_negotiate->ticket, tlen );
+
+    *olen += tlen;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+                                unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t alpnlen = 0;
+    const char **cur;
+
+    *olen = 0;
+
+    if( ssl->conf->alpn_list == NULL )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
+
+    for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
+        alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
+
+    if( end < p || (size_t)( end - p ) < 6 + alpnlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Skip writing extension and list length for now */
+    p += 4;
+
+    for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
+    {
+        *p = (unsigned char)( strlen( *cur ) & 0xFF );
+        memcpy( p + 1, *cur, *p );
+        p += 1 + *p;
+    }
+
+    *olen = p - buf;
+
+    /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
+    buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
+    buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
+
+    /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
+    buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
+    buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Generate random bytes for ClientHello
+ */
+static int ssl_generate_random( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *p = ssl->handshake->randbytes;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+
+    /*
+     * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->verify_cookie != NULL )
+    {
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time( NULL );
+    *p++ = (unsigned char)( t >> 24 );
+    *p++ = (unsigned char)( t >> 16 );
+    *p++ = (unsigned char)( t >>  8 );
+    *p++ = (unsigned char)( t       );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
+#else
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
+        return( ret );
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/**
+ * \brief           Validate cipher suite against config in SSL context.
+ *
+ * \param suite_info    cipher suite to validate
+ * \param ssl           SSL context
+ * \param min_minor_ver Minimal minor version to accept a cipher suite
+ * \param max_minor_ver Maximal minor version to accept a cipher suite
+ *
+ * \return          0 if valid, else 1
+ */
+static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
+                                     const mbedtls_ssl_context * ssl,
+                                     int min_minor_ver, int max_minor_ver )
+{
+    (void) ssl;
+    if( suite_info == NULL )
+        return( 1 );
+
+    if( suite_info->min_minor_ver > max_minor_ver ||
+            suite_info->max_minor_ver < min_minor_ver )
+        return( 1 );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
+        return( 1 );
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+        return( 1 );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+            mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+        return( 1 );
+#endif
+
+    return( 0 );
+}
+
+static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n, olen, ext_len = 0;
+    unsigned char *buf;
+    unsigned char *p, *q;
+    unsigned char offer_compress;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    int uses_ec = 0;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
+
+    if( ssl->conf->f_rng == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( MBEDTLS_ERR_SSL_NO_RNG );
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        ssl->major_ver = ssl->conf->min_major_ver;
+        ssl->minor_ver = ssl->conf->min_minor_ver;
+    }
+
+    if( ssl->conf->max_major_ver == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
+                            "consider using mbedtls_ssl_config_defaults()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   highest version supported
+     *     6  .   9   current UNIX time
+     *    10  .  37   random bytes
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
+                       ssl->conf->transport, p );
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
+                   buf[4], buf[5] ) );
+
+    if( ( ret = ssl_generate_random( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
+        return( ret );
+    }
+
+    memcpy( p, ssl->handshake->randbytes, 32 );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
+    p += 32;
+
+    /*
+     *    38  .  38   session id length
+     *    39  . 39+n  session id
+     *   39+n . 39+n  DTLS only: cookie length (1 byte)
+     *   40+n .  ..   DTSL only: cookie
+     *   ..   . ..    ciphersuitelist length (2 bytes)
+     *   ..   . ..    ciphersuitelist
+     *   ..   . ..    compression methods length (1 byte)
+     *   ..   . ..    compression methods
+     *   ..   . ..    extensions length (2 bytes)
+     *   ..   . ..    extensions
+     */
+    n = ssl->session_negotiate->id_len;
+
+    if( n < 16 || n > 32 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+        ssl->handshake->resume == 0 )
+    {
+        n = 0;
+    }
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    /*
+     * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
+     * generate and include a Session ID in the TLS ClientHello."
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        if( ssl->session_negotiate->ticket != NULL &&
+                ssl->session_negotiate->ticket_len != 0 )
+        {
+            ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
+
+            if( ret != 0 )
+                return( ret );
+
+            ssl->session_negotiate->id_len = n = 32;
+        }
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+    *p++ = (unsigned char) n;
+
+    for( i = 0; i < n; i++ )
+        *p++ = ssl->session_negotiate->id[i];
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );
+
+    /*
+     * DTLS cookie
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( ssl->handshake->verify_cookie == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
+            *p++ = 0;
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
+                              ssl->handshake->verify_cookie,
+                              ssl->handshake->verify_cookie_len );
+
+            *p++ = ssl->handshake->verify_cookie_len;
+            memcpy( p, ssl->handshake->verify_cookie,
+                       ssl->handshake->verify_cookie_len );
+            p += ssl->handshake->verify_cookie_len;
+        }
+    }
+#endif
+
+    /*
+     * Ciphersuite list
+     */
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+
+    /* Skip writing ciphersuite length for now */
+    n = 0;
+    q = p;
+    p += 2;
+
+    for( i = 0; ciphersuites[i] != 0; i++ )
+    {
+        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
+
+        if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
+                                      ssl->conf->min_minor_ver,
+                                      ssl->conf->max_minor_ver ) != 0 )
+            continue;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
+                                    ciphersuites[i] ) );
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
+#endif
+
+        n++;
+        *p++ = (unsigned char)( ciphersuites[i] >> 8 );
+        *p++ = (unsigned char)( ciphersuites[i]      );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
+
+    /*
+     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
+        *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO      );
+        n++;
+    }
+
+    /* Some versions of OpenSSL don't handle it correctly if not at end */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
+        *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      );
+        n++;
+    }
+#endif
+
+    *q++ = (unsigned char)( n >> 7 );
+    *q++ = (unsigned char)( n << 1 );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    offer_compress = 1;
+#else
+    offer_compress = 0;
+#endif
+
+    /*
+     * We don't support compression with DTLS right now: if many records come
+     * in the same datagram, uncompressing one could overwrite the next one.
+     * We don't want to add complexity for handling that case unless there is
+     * an actual need for it.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        offer_compress = 0;
+#endif
+
+    if( offer_compress )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
+                            MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
+
+        *p++ = 2;
+        *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
+                            MBEDTLS_SSL_COMPRESS_NULL ) );
+
+        *p++ = 1;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    }
+
+    // First write extensions, then the total length
+    //
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+    /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
+     * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( uses_ec )
+    {
+        ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
+        ext_len += olen;
+
+        ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
+        ext_len += olen;
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+    /* olen unused if all extensions are disabled */
+    ((void) olen);
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
+                   ext_len ) );
+
+    if( ext_len > 0 )
+    {
+        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
+        p += ext_len;
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_HELLO;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
+
+    return( 0 );
+}
+
+static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if( len    != 1 + ssl->verify_data_len * 2 ||
+            buf[0] !=     ssl->verify_data_len * 2 ||
+            mbedtls_ssl_safer_memcmp( buf + 1,
+                          ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
+            mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
+                          ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if( len != 1 || buf[0] != 0x00 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    /*
+     * server should use the extension only if we did,
+     * and if so the server's value should match ours (and len is always 1)
+     */
+    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
+        len != 1 ||
+        buf[0] != ssl->conf->mfl_code )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->handshake->new_session_ticket = 1;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                  const unsigned char *buf,
+                                                  size_t len )
+{
+    size_t list_size;
+    const unsigned char *p;
+
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while( list_size > 0 )
+    {
+        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
+        {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
+            return( 0 );
+        }
+
+        list_size--;
+        p++;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
+                                   const unsigned char *buf,
+                                   size_t len )
+{
+    int ret;
+
+    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
+        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
+        return( 0 );
+    }
+
+    /* If we got here, we no longer need our cached extension */
+    mbedtls_free( ssl->handshake->ecjpake_cache );
+    ssl->handshake->ecjpake_cache = NULL;
+    ssl->handshake->ecjpake_cache_len = 0;
+
+    if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
+                                                buf, len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+                               const unsigned char *buf, size_t len )
+{
+    size_t list_len, name_len;
+    const char **p;
+
+    /* If we didn't send it, the server shouldn't send it */
+    if( ssl->conf->alpn_list == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     *
+     * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if( len < 4 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    list_len = ( buf[0] << 8 ) | buf[1];
+    if( list_len != len - 2 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    name_len = buf[2];
+    if( name_len != list_len - 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /* Check that the server chosen protocol was in our list and save it */
+    for( p = ssl->conf->alpn_list; *p != NULL; p++ )
+    {
+        if( name_len == strlen( *p ) &&
+            memcmp( buf + 3, *p, name_len ) == 0 )
+        {
+            ssl->alpn_chosen = *p;
+            return( 0 );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Parse HelloVerifyRequest.  Only called after verifying the HS type.
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
+{
+    const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    int major_ver, minor_ver;
+    unsigned char cookie_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
+    mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
+    p += 2;
+
+    /*
+     * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
+     * even is lower than our min version.
+     */
+    if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
+        minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
+        major_ver > ssl->conf->max_major_ver  ||
+        minor_ver > ssl->conf->max_minor_ver  )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    cookie_len = *p++;
+    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
+
+    if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "cookie length does not match incoming message size" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    mbedtls_free( ssl->handshake->verify_cookie );
+
+    ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
+    if( ssl->handshake->verify_cookie  == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    memcpy( ssl->handshake->verify_cookie, p, cookie_len );
+    ssl->handshake->verify_cookie_len = cookie_len;
+
+    /* Start over at ClientHello */
+    ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+    mbedtls_ssl_reset_checksum( ssl );
+
+    mbedtls_ssl_recv_flight_completed( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
+{
+    int ret, i;
+    size_t n;
+    size_t ext_len;
+    unsigned char *buf, *ext;
+    unsigned char comp;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    int accept_comp;
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
+
+    buf = ssl->in_msg;
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        /* No alert on a read error. */
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        {
+            ssl->renego_records_seen++;
+
+            if( ssl->conf->renego_max_records >= 0 &&
+                ssl->renego_records_seen > ssl->conf->renego_max_records )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+                                    "but not honored by server" ) );
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
+
+            ssl->keep_current_message = 1;
+            return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
+            return( ssl_parse_hello_verify_request( ssl ) );
+        }
+        else
+        {
+            /* We made it through the verification process */
+            mbedtls_free( ssl->handshake->verify_cookie );
+            ssl->handshake->verify_cookie = NULL;
+            ssl->handshake->verify_cookie_len = 0;
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
+        buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /*
+     *  0   .  1    server_version
+     *  2   . 33    random (maybe including 4 bytes of Unix time)
+     * 34   . 34    session_id length = n
+     * 35   . 34+n  session_id
+     * 35+n . 36+n  cipher_suite
+     * 37+n . 37+n  compression_method
+     *
+     * 38+n . 39+n  extensions length (optional)
+     * 40+n .  ..   extensions
+     */
+    buf += mbedtls_ssl_hs_hdr_len( ssl );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
+    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
+                      ssl->conf->transport, buf + 0 );
+
+    if( ssl->major_ver < ssl->conf->min_major_ver ||
+        ssl->minor_ver < ssl->conf->min_minor_ver ||
+        ssl->major_ver > ssl->conf->max_major_ver ||
+        ssl->minor_ver > ssl->conf->max_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
+                            " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
+                           ( (uint32_t) buf[2] << 24 ) |
+                           ( (uint32_t) buf[3] << 16 ) |
+                           ( (uint32_t) buf[4] <<  8 ) |
+                           ( (uint32_t) buf[5]       ) ) );
+
+    memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
+
+    n = buf[34];
+
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 2, 32 );
+
+    if( n > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
+    {
+        ext_len = ( ( buf[38 + n] <<  8 )
+                  | ( buf[39 + n]       ) );
+
+        if( ( ext_len > 0 && ext_len < 4 ) ||
+            ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+    else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
+    {
+        ext_len = 0;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /* ciphersuite (used later) */
+    i = ( buf[35 + n] << 8 ) | buf[36 + n];
+
+    /*
+     * Read and check compression
+     */
+    comp = buf[37 + n];
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        accept_comp = 0;
+    else
+#endif
+        accept_comp = 1;
+
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
+        ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
+#else /* MBEDTLS_ZLIB_SUPPORT */
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL )
+#endif/* MBEDTLS_ZLIB_SUPPORT */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    /*
+     * Initialize update checksum functions
+     */
+    ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
+
+    if( ssl->transform_negotiate->ciphersuite_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 35, n );
+
+    /*
+     * Check if the session can be resumed
+     */
+    if( ssl->handshake->resume == 0 || n == 0 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+        ssl->session_negotiate->ciphersuite != i ||
+        ssl->session_negotiate->compression != comp ||
+        ssl->session_negotiate->id_len != n ||
+        memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
+    {
+        ssl->state++;
+        ssl->handshake->resume = 0;
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time( NULL );
+#endif
+        ssl->session_negotiate->ciphersuite = i;
+        ssl->session_negotiate->compression = comp;
+        ssl->session_negotiate->id_len = n;
+        memcpy( ssl->session_negotiate->id, buf + 35, n );
+    }
+    else
+    {
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
+                   ssl->handshake->resume ? "a" : "no" ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
+
+    /*
+     * Perform cipher suite validation in same way as in ssl_write_client_hello.
+     */
+    i = 0;
+    while( 1 )
+    {
+        if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
+            ssl->session_negotiate->ciphersuite )
+        {
+            break;
+        }
+    }
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
+    if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        ssl->handshake->ecrs_enabled = 1;
+    }
+#endif
+
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+        && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
+#endif
+      )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+    ssl->session_negotiate->compression = comp;
+
+    ext = buf + 40 + n;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
+
+    while( ext_len )
+    {
+        unsigned int ext_id   = ( ( ext[0] <<  8 )
+                                | ( ext[1]       ) );
+        unsigned int ext_size = ( ( ext[2] <<  8 )
+                                | ( ext[3]       ) );
+
+        if( ext_size + 4 > ext_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        switch( ext_id )
+        {
+        case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            renegotiation_info_seen = 1;
+#endif
+
+            if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
+                                                      ext_size ) ) != 0 )
+                return( ret );
+
+            break;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
+
+            if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+        case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
+
+            if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
+
+            if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+        case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
+
+            if( ( ret = ssl_parse_extended_ms_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        case MBEDTLS_TLS_EXT_SESSION_TICKET:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
+
+            if( ( ret = ssl_parse_session_ticket_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
+
+            if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
+
+            if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+        case MBEDTLS_TLS_EXT_ALPN:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+
+            if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
+                return( ret );
+
+            break;
+#endif /* MBEDTLS_SSL_ALPN */
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
+                           ext_id ) );
+        }
+
+        ext_len -= 4 + ext_size;
+        ext += 4 + ext_size;
+
+        if( ext_len > 0 && ext_len < 4 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             renegotiation_info_seen == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if( handshake_failure == 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
+                                       unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral DH parameters:
+     *
+     * struct {
+     *     opaque dh_p<1..2^16-1>;
+     *     opaque dh_g<1..2^16-1>;
+     *     opaque dh_Ys<1..2^16-1>;
+     * } ServerDHParams;
+     */
+    if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
+        return( ret );
+    }
+
+    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
+                                    ssl->handshake->dhm_ctx.len * 8,
+                                    ssl->conf->dhm_min_bitlen ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+    mbedtls_ecp_group_id grp_id;
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    grp_id = ssl->handshake->ecdh_ctx.grp.id;
+#else
+    grp_id = ssl->handshake->ecdh_ctx.grp_id;
+#endif
+
+    curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
+    if( curve_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
+
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
+#else
+    if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
+        ssl->handshake->ecdh_ctx.grp.nbits > 521 )
+#endif
+        return( -1 );
+
+    MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                            MBEDTLS_DEBUG_ECDH_QP );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
+                                         unsigned char **p,
+                                         unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral ECDH parameters:
+     *
+     * struct {
+     *     ECParameters curve_params;
+     *     ECPoint      public;
+     * } ServerECDHParams;
+     */
+    if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
+                                  (const unsigned char **) p, end ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+        return( ret );
+    }
+
+    if( ssl_check_server_ecdh_params( ssl ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
+                                      unsigned char **p,
+                                      unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t  len;
+    ((void) ssl);
+
+    /*
+     * PSK parameters:
+     *
+     * opaque psk_identity_hint<0..2^16-1>;
+     */
+    if( end - (*p) < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
+                                    "(psk_identity_hint length)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+    len = (*p)[0] << 8 | (*p)[1];
+    *p += 2;
+
+    if( end - (*p) < (int) len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
+                                    "(psk_identity_hint length)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Note: we currently ignore the PKS identity hint, as we only allow one
+     * PSK to be provisionned on the client. This could be changed later if
+     * someone needs that feature.
+     */
+    *p += len;
+    ret = 0;
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+/*
+ * Generate a pre-master secret and encrypt it with the server's RSA key
+ */
+static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
+                                    size_t offset, size_t *olen,
+                                    size_t pms_offset )
+{
+    int ret;
+    size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
+    unsigned char *p = ssl->handshake->premaster + pms_offset;
+
+    if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+    }
+
+    /*
+     * Generate (part of) the pre-master as
+     *  struct {
+     *      ProtocolVersion client_version;
+     *      opaque random[46];
+     *  } PreMasterSecret;
+     */
+    mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
+                       ssl->conf->transport, p );
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
+        return( ret );
+    }
+
+    ssl->handshake->pmslen = 48;
+
+    if( ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * Now write it out, encrypted
+     */
+    if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                MBEDTLS_PK_RSA ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
+                            p, ssl->handshake->pmslen,
+                            ssl->out_msg + offset + len_bytes, olen,
+                            MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
+                            ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( len_bytes == 2 )
+    {
+        ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
+        ssl->out_msg[offset+1] = (unsigned char)( *olen      );
+        *olen += 2;
+    }
+#endif
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
+                                          unsigned char **p,
+                                          unsigned char *end,
+                                          mbedtls_md_type_t *md_alg,
+                                          mbedtls_pk_type_t *pk_alg )
+{
+    ((void) ssl);
+    *md_alg = MBEDTLS_MD_NONE;
+    *pk_alg = MBEDTLS_PK_NONE;
+
+    /* Only in TLS 1.2 */
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        return( 0 );
+    }
+
+    if( (*p) + 2 > end )
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+
+    /*
+     * Get hash algorithm
+     */
+    if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
+                            "HashAlgorithm %d", *(p)[0] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Get signature algorithm
+     */
+    if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
+                            "SignatureAlgorithm %d", (*p)[1] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Check if the hash is acceptable
+     */
+    if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
+                                    *(p)[0] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
+    *p += 2;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ecp_keypair *peer_key;
+
+    if( ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                     MBEDTLS_PK_ECKEY ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
+
+    if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
+                                 MBEDTLS_ECDH_THEIRS ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
+        return( ret );
+    }
+
+    if( ssl_check_server_ecdh_params( ssl ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    unsigned char *p = NULL, *end = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+    ((void) p);
+    ((void) end);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+    ((void) p);
+    ((void) end);
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
+    {
+        goto start_processing;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
+     * doesn't use a psk_identity_hint
+     */
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
+    {
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        {
+            /* Current message is probably either
+             * CertificateRequest or ServerHelloDone */
+            ssl->keep_current_message = 1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
+                                    "not be skipped" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
+
+start_processing:
+#endif
+    p   = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    end = ssl->in_msg + ssl->in_hslen;
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server key exchange", p, end - p );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    } /* FALLTROUGH */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        ; /* nothing more to do */
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+    {
+        if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
+                                              p, end - p );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
+    {
+        size_t sig_len, hashlen;
+        unsigned char hash[64];
+        mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+        mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+        unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+        size_t params_len = p - params;
+        void *rs_ctx = NULL;
+
+        /*
+         * Handle the digitally-signed structure
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            if( ssl_parse_signature_algorithm( ssl, &p, end,
+                                               &md_alg, &pk_alg ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+            }
+
+            if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+
+            /* Default hash for ECDSA is SHA-1 */
+            if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
+                md_alg = MBEDTLS_MD_SHA1;
+        }
+        else
+#endif
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Read signature
+         */
+
+        if( p > end - 2 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+        sig_len = ( p[0] << 8 ) | p[1];
+        p += 2;
+
+        if( p != end - sig_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
+
+        /*
+         * Compute the hash that has been signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( md_alg == MBEDTLS_MD_NONE )
+        {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
+                                                           params_len );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( md_alg != MBEDTLS_MD_NONE )
+        {
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
+                                                          params, params_len,
+                                                          md_alg );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
+
+        if( ssl->session_negotiate->peer_cert == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+
+        /*
+         * Verify signature
+         */
+        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+        }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+            rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+        if( ( ret = mbedtls_pk_verify_restartable(
+                        &ssl->session_negotiate->peer_cert->pk,
+                        md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
+        {
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+exit:
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
+
+    return( 0 );
+}
+
+#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
+static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
+
+    if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
+static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *buf;
+    size_t n = 0;
+    size_t cert_type_len = 0, dn_len = 0;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
+
+    if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    ssl->state++;
+    ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
+                        ssl->client_auth ? "a" : "no" ) );
+
+    if( ssl->client_auth == 0 )
+    {
+        /* Current message is probably the ServerHelloDone */
+        ssl->keep_current_message = 1;
+        goto exit;
+    }
+
+    /*
+     *  struct {
+     *      ClientCertificateType certificate_types<1..2^8-1>;
+     *      SignatureAndHashAlgorithm
+     *        supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
+     *      DistinguishedName certificate_authorities<0..2^16-1>;
+     *  } CertificateRequest;
+     *
+     *  Since we only support a single certificate on clients, let's just
+     *  ignore all the information that's supposed to help us pick a
+     *  certificate.
+     *
+     *  We could check that our certificate matches the request, and bail out
+     *  if it doesn't, but it's simpler to just send the certificate anyway,
+     *  and give the server the opportunity to decide if it should terminate
+     *  the connection when it doesn't like our certificate.
+     *
+     *  Same goes for the hash in TLS 1.2's signature_algorithms: at this
+     *  point we only have one hash available (see comments in
+     *  write_certificate_verify), so let's just use what we have.
+     *
+     *  However, we still minimally parse the message to check it is at least
+     *  superficially sane.
+     */
+    buf = ssl->in_msg;
+
+    /* certificate_types */
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+    cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
+    n = cert_type_len;
+
+    /*
+     * In the subsequent code there are two paths that read from buf:
+     *     * the length of the signature algorithms field (if minor version of
+     *       SSL is 3),
+     *     * distinguished name length otherwise.
+     * Both reach at most the index:
+     *    ...hdr_len + 2 + n,
+     * therefore the buffer length at this point must be greater than that
+     * regardless of the actual code path.
+     */
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+
+    /* supported_signature_algorithms */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] <<  8 )
+                             | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n]       ) );
+#if defined(MBEDTLS_DEBUG_C)
+        unsigned char* sig_alg;
+        size_t i;
+#endif
+
+        /*
+         * The furthest access in buf is in the loop few lines below:
+         *     sig_alg[i + 1],
+         * where:
+         *     sig_alg = buf + ...hdr_len + 3 + n,
+         *     max(i) = sig_alg_len - 1.
+         * Therefore the furthest access is:
+         *     buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
+         * which reduces to:
+         *     buf[...hdr_len + 3 + n + sig_alg_len],
+         * which is one less than we need the buf to be.
+         */
+        if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+        }
+
+#if defined(MBEDTLS_DEBUG_C)
+        sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
+        for( i = 0; i < sig_alg_len; i += 2 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
+                                        ",%d", sig_alg[i], sig_alg[i + 1]  ) );
+        }
+#endif
+
+        n += 2 + sig_alg_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /* certificate_authorities */
+    dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] <<  8 )
+             | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n]       ) );
+
+    n += dn_len;
+    if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
+
+static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ||
+        ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
+    }
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
+
+    return( 0 );
+}
+
+static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
+    {
+        /*
+         * DHM key exchange -- send G^X mod P
+         */
+        n = ssl->handshake->dhm_ctx.len;
+
+        ssl->out_msg[4] = (unsigned char)( n >> 8 );
+        ssl->out_msg[5] = (unsigned char)( n      );
+        i = 6;
+
+        ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
+                                (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                               &ssl->out_msg[i], n,
+                                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
+
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      ssl->handshake->premaster,
+                                      MBEDTLS_PREMASTER_SIZE,
+                                     &ssl->handshake->pmslen,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        /*
+         * ECDH key exchange -- send client public value
+         */
+        i = 4;
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+        {
+            if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
+                goto ecdh_calc_secret;
+
+            mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
+        }
+#endif
+
+        ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
+                                &n,
+                                &ssl->out_msg[i], 1000,
+                                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Q );
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+        {
+            ssl->handshake->ecrs_n = n;
+            ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
+        }
+
+ecdh_calc_secret:
+        if( ssl->handshake->ecrs_enabled )
+            n = ssl->handshake->ecrs_n;
+#endif
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
+                                      &ssl->handshake->pmslen,
+                                       ssl->handshake->premaster,
+                                       MBEDTLS_MPI_MAX_SIZE,
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
+    {
+        /*
+         * opaque psk_identity<0..2^16-1>;
+         */
+        if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
+            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        }
+
+        i = 4;
+        n = ssl->conf->psk_identity_len;
+
+        if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
+                                        "SSL buffer too short" ) );
+            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+        }
+
+        ssl->out_msg[i++] = (unsigned char)( n >> 8 );
+        ssl->out_msg[i++] = (unsigned char)( n      );
+
+        memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
+        i += ssl->conf->psk_identity_len;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
+        {
+            n = 0;
+        }
+        else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        {
+            if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
+                return( ret );
+        }
+        else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+        {
+            /*
+             * ClientDiffieHellmanPublic public (DHM send G^X mod P)
+             */
+            n = ssl->handshake->dhm_ctx.len;
+
+            if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
+                                            " or SSL buffer too short" ) );
+                return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+            }
+
+            ssl->out_msg[i++] = (unsigned char)( n >> 8 );
+            ssl->out_msg[i++] = (unsigned char)( n      );
+
+            ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
+                    (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                    &ssl->out_msg[i], n,
+                    ssl->conf->f_rng, ssl->conf->p_rng );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
+                return( ret );
+            }
+        }
+        else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+        {
+            /*
+             * ClientECDiffieHellmanPublic public;
+             */
+            ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
+                    &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
+                    ssl->conf->f_rng, ssl->conf->p_rng );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+                return( ret );
+            }
+
+            MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                    MBEDTLS_DEBUG_ECDH_Q );
+        }
+        else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        i = 4;
+        if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
+            return( ret );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        i = 4;
+
+        ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
+                ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
+            return( ret );
+        }
+
+        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
+                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+    {
+        ((void) ciphersuite_info);
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    ssl->out_msglen  = i + n;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    size_t n = 0, offset = 0;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+    unsigned int hashlen;
+    void *rs_ctx = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
+    {
+        goto sign;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( mbedtls_ssl_own_key( ssl ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    /*
+     * Make a signature of the handshake digests
+     */
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
+
+sign:
+#endif
+
+    ssl->handshake->calc_verify( ssl, hash );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        /*
+         * digitally-signed struct {
+         *     opaque md5_hash[16];
+         *     opaque sha_hash[20];
+         * };
+         *
+         * md5_hash
+         *     MD5(handshake_messages);
+         *
+         * sha_hash
+         *     SHA(handshake_messages);
+         */
+        hashlen = 36;
+        md_alg = MBEDTLS_MD_NONE;
+
+        /*
+         * For ECDSA, default hash is SHA-1 only
+         */
+        if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
+        {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        /*
+         * digitally-signed struct {
+         *     opaque handshake_messages[handshake_messages_length];
+         * };
+         *
+         * Taking shortcut here. We assume that the server always allows the
+         * PRF Hash function and has sent it in the allowed signature
+         * algorithms list received in the Certificate Request message.
+         *
+         * Until we encounter a server that does not, we will take this
+         * shortcut.
+         *
+         * Reason: Otherwise we should have running hashes for SHA512 and SHA224
+         *         in order to satisfy 'weird' needs from the server side.
+         */
+        if( ssl->transform_negotiate->ciphersuite_info->mac ==
+            MBEDTLS_MD_SHA384 )
+        {
+            md_alg = MBEDTLS_MD_SHA384;
+            ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
+        }
+        else
+        {
+            md_alg = MBEDTLS_MD_SHA256;
+            ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
+        }
+        ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
+
+        /* Info from md_alg will be used instead */
+        hashlen = 0;
+        offset = 2;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+    if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
+                         md_alg, hash_start, hashlen,
+                         ssl->out_msg + 6 + offset, &n,
+                         ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+        return( ret );
+    }
+
+    ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
+    ssl->out_msg[5 + offset] = (unsigned char)( n      );
+
+    ssl->out_msglen  = 6 + n + offset;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    uint32_t lifetime;
+    size_t ticket_len;
+    unsigned char *ticket;
+    const unsigned char *msg;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 0  .  3   ticket_lifetime_hint
+     * 4  .  5   ticket_len (n)
+     * 6  .  5+n ticket content
+     */
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
+        ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
+    }
+
+    msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+
+    lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
+               ( msg[2] << 8 ) | ( msg[3] );
+
+    ticket_len = ( msg[4] << 8 ) | ( msg[5] );
+
+    if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
+
+    /* We're not waiting for a NewSessionTicket message any more */
+    ssl->handshake->new_session_ticket = 0;
+    ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+    /*
+     * Zero-length ticket means the server changed his mind and doesn't want
+     * to send a ticket after all, so just forget it
+     */
+    if( ticket_len == 0 )
+        return( 0 );
+
+    mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
+                              ssl->session_negotiate->ticket_len );
+    mbedtls_free( ssl->session_negotiate->ticket );
+    ssl->session_negotiate->ticket = NULL;
+    ssl->session_negotiate->ticket_len = 0;
+
+    if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    memcpy( ticket, msg + 6, ticket_len );
+
+    ssl->session_negotiate->ticket = ticket;
+    ssl->session_negotiate->ticket_len = ticket_len;
+    ssl->session_negotiate->ticket_lifetime = lifetime;
+
+    /*
+     * RFC 5077 section 3.4:
+     * "If the client receives a session ticket from the server, then it
+     * discards any Session ID that was sent in the ServerHello."
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
+    ssl->session_negotiate->id_len = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- client side -- single step
+ */
+int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+            return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
+     * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
+        ssl->handshake->new_session_ticket != 0 )
+    {
+        ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
+    }
+#endif
+
+    switch( ssl->state )
+    {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+       /*
+        *  ==>   ClientHello
+        */
+       case MBEDTLS_SSL_CLIENT_HELLO:
+           ret = ssl_write_client_hello( ssl );
+           break;
+
+       /*
+        *  <==   ServerHello
+        *        Certificate
+        *      ( ServerKeyExchange  )
+        *      ( CertificateRequest )
+        *        ServerHelloDone
+        */
+       case MBEDTLS_SSL_SERVER_HELLO:
+           ret = ssl_parse_server_hello( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_CERTIFICATE:
+           ret = mbedtls_ssl_parse_certificate( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+           ret = ssl_parse_server_key_exchange( ssl );
+           break;
+
+       case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+           ret = ssl_parse_certificate_request( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_HELLO_DONE:
+           ret = ssl_parse_server_hello_done( ssl );
+           break;
+
+       /*
+        *  ==> ( Certificate/Alert  )
+        *        ClientKeyExchange
+        *      ( CertificateVerify  )
+        *        ChangeCipherSpec
+        *        Finished
+        */
+       case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+           ret = mbedtls_ssl_write_certificate( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+           ret = ssl_write_client_key_exchange( ssl );
+           break;
+
+       case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+           ret = ssl_write_certificate_verify( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+           ret = mbedtls_ssl_write_change_cipher_spec( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_FINISHED:
+           ret = mbedtls_ssl_write_finished( ssl );
+           break;
+
+       /*
+        *  <==   ( NewSessionTicket )
+        *        ChangeCipherSpec
+        *        Finished
+        */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+       case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
+           ret = ssl_parse_new_session_ticket( ssl );
+           break;
+#endif
+
+       case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+           ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_FINISHED:
+           ret = mbedtls_ssl_parse_finished( ssl );
+           break;
+
+       case MBEDTLS_SSL_FLUSH_BUFFERS:
+           MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
+           ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+           break;
+
+       case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+           mbedtls_ssl_handshake_wrapup( ssl );
+           break;
+
+       default:
+           MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
+           return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+   }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
diff --git a/ctrtool/deps/libmbedtls/src/ssl_cookie.c b/ctrtool/deps/libmbedtls/src/ssl_cookie.c
new file mode 100644
index 00000000..56e9bdd2
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ssl_cookie.c
@@ -0,0 +1,256 @@
+/*
+ *  DTLS cookie callbacks implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_COOKIE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/*
+ * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
+ * available. Try SHA-256 first, 512 wastes resources since we need to stay
+ * with max 32 bytes of cookie for DTLS 1.0
+ */
+#if defined(MBEDTLS_SHA256_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA224
+#define COOKIE_MD_OUTLEN    32
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA512_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA384
+#define COOKIE_MD_OUTLEN    48
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA1_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA1
+#define COOKIE_MD_OUTLEN    20
+#define COOKIE_HMAC_LEN     20
+#else
+#error "DTLS hello verify needs SHA-1 or SHA-2"
+#endif
+
+/*
+ * Cookies are formed of a 4-bytes timestamp (or serial number) and
+ * an HMAC of timestemp and client ID.
+ */
+#define COOKIE_LEN      ( 4 + COOKIE_HMAC_LEN )
+
+void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx )
+{
+    mbedtls_md_init( &ctx->hmac_ctx );
+#if !defined(MBEDTLS_HAVE_TIME)
+    ctx->serial = 0;
+#endif
+    ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay )
+{
+    ctx->timeout = delay;
+}
+
+void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx )
+{
+    mbedtls_md_free( &ctx->hmac_ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );
+}
+
+int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng )
+{
+    int ret;
+    unsigned char key[COOKIE_MD_OUTLEN];
+
+    if( ( ret = f_rng( p_rng, key, sizeof( key ) ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_md_setup( &ctx->hmac_ctx, mbedtls_md_info_from_type( COOKIE_MD ), 1 );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_md_hmac_starts( &ctx->hmac_ctx, key, sizeof( key ) );
+    if( ret != 0 )
+        return( ret );
+
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+
+    return( 0 );
+}
+
+/*
+ * Generate the HMAC part of a cookie
+ */
+static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
+                            const unsigned char time[4],
+                            unsigned char **p, unsigned char *end,
+                            const unsigned char *cli_id, size_t cli_id_len )
+{
+    unsigned char hmac_out[COOKIE_MD_OUTLEN];
+
+    if( (size_t)( end - *p ) < COOKIE_HMAC_LEN )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    if( mbedtls_md_hmac_reset(  hmac_ctx ) != 0 ||
+        mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 ||
+        mbedtls_md_hmac_update( hmac_ctx, cli_id, cli_id_len ) != 0 ||
+        mbedtls_md_hmac_finish( hmac_ctx, hmac_out ) != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    memcpy( *p, hmac_out, COOKIE_HMAC_LEN );
+    *p += COOKIE_HMAC_LEN;
+
+    return( 0 );
+}
+
+/*
+ * Generate cookie for DTLS ClientHello verification
+ */
+int mbedtls_ssl_cookie_write( void *p_ctx,
+                      unsigned char **p, unsigned char *end,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    int ret;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long t;
+
+    if( ctx == NULL || cli_id == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( (size_t)( end - *p ) < COOKIE_LEN )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = (unsigned long) mbedtls_time( NULL );
+#else
+    t = ctx->serial++;
+#endif
+
+    (*p)[0] = (unsigned char)( t >> 24 );
+    (*p)[1] = (unsigned char)( t >> 16 );
+    (*p)[2] = (unsigned char)( t >>  8 );
+    (*p)[3] = (unsigned char)( t       );
+    *p += 4;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+#endif
+
+    ret = ssl_cookie_hmac( &ctx->hmac_ctx, *p - 4,
+                           p, end, cli_id, cli_id_len );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Check a cookie
+ */
+int mbedtls_ssl_cookie_check( void *p_ctx,
+                      const unsigned char *cookie, size_t cookie_len,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    unsigned char ref_hmac[COOKIE_HMAC_LEN];
+    int ret = 0;
+    unsigned char *p = ref_hmac;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long cur_time, cookie_time;
+
+    if( ctx == NULL || cli_id == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( cookie_len != COOKIE_LEN )
+        return( -1 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+#endif
+
+    if( ssl_cookie_hmac( &ctx->hmac_ctx, cookie,
+                         &p, p + sizeof( ref_hmac ),
+                         cli_id, cli_id_len ) != 0 )
+        ret = -1;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    if( ret != 0 )
+        return( ret );
+
+    if( mbedtls_ssl_safer_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
+        return( -1 );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    cur_time = (unsigned long) mbedtls_time( NULL );
+#else
+    cur_time = ctx->serial;
+#endif
+
+    cookie_time = ( (unsigned long) cookie[0] << 24 ) |
+                  ( (unsigned long) cookie[1] << 16 ) |
+                  ( (unsigned long) cookie[2] <<  8 ) |
+                  ( (unsigned long) cookie[3]       );
+
+    if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
+        return( -1 );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_COOKIE_C */
diff --git a/ctrtool/deps/libmbedtls/src/ssl_srv.c b/ctrtool/deps/libmbedtls/src/ssl_srv.c
new file mode 100644
index 00000000..5825970c
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ssl_srv.c
@@ -0,0 +1,4379 @@
+/*
+ *  SSLv3/TLSv1 server-side functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
+                                 const unsigned char *info,
+                                 size_t ilen )
+{
+    if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    mbedtls_free( ssl->cli_id );
+
+    if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    memcpy( ssl->cli_id, info, ilen );
+    ssl->cli_id_len = ilen;
+
+    return( 0 );
+}
+
+void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie )
+{
+    conf->f_cookie_write = f_cookie_write;
+    conf->f_cookie_check = f_cookie_check;
+    conf->p_cookie       = p_cookie;
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
+                                     const unsigned char *buf,
+                                     size_t len )
+{
+    int ret;
+    size_t servername_list_size, hostname_len;
+    const unsigned char *p;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
+
+    if( len < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( servername_list_size + 2 != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    p = buf + 2;
+    while( servername_list_size > 2 )
+    {
+        hostname_len = ( ( p[1] << 8 ) | p[2] );
+        if( hostname_len + 3 > servername_list_size )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
+        {
+            ret = ssl->conf->f_sni( ssl->conf->p_sni,
+                                    ssl, p + 3, hostname_len );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                        MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            return( 0 );
+        }
+
+        servername_list_size -= hostname_len + 3;
+        p += hostname_len + 3;
+    }
+
+    if( servername_list_size != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if( len    != 1 + ssl->verify_data_len ||
+            buf[0] !=     ssl->verify_data_len ||
+            mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
+                          ssl->verify_data_len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if( len != 1 || buf[0] != 0x0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/*
+ * Status of the implementation of signature-algorithms extension:
+ *
+ * Currently, we are only considering the signature-algorithm extension
+ * to pick a ciphersuite which allows us to send the ServerKeyExchange
+ * message with a signature-hash combination that the user allows.
+ *
+ * We do *not* check whether all certificates in our certificate
+ * chain are signed with an allowed signature-hash pair.
+ * This needs to be done at a later stage.
+ *
+ */
+static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
+                                               const unsigned char *buf,
+                                               size_t len )
+{
+    size_t sig_alg_list_size;
+
+    const unsigned char *p;
+    const unsigned char *end = buf + len;
+
+    mbedtls_md_type_t md_cur;
+    mbedtls_pk_type_t sig_cur;
+
+    if ( len < 2 ) {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( sig_alg_list_size + 2 != len ||
+        sig_alg_list_size % 2 != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Currently we only guarantee signing the ServerKeyExchange message according
+     * to the constraints specified in this extension (see above), so it suffices
+     * to remember only one suitable hash for each possible signature algorithm.
+     *
+     * This will change when we also consider certificate signatures,
+     * in which case we will need to remember the whole signature-hash
+     * pair list from the extension.
+     */
+
+    for( p = buf + 2; p < end; p += 2 )
+    {
+        /* Silently ignore unknown signature or hash algorithms. */
+
+        if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
+                                        " unknown sig alg encoding %d", p[1] ) );
+            continue;
+        }
+
+        /* Check if we support the hash the user proposes */
+        md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
+        if( md_cur == MBEDTLS_MD_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+                                        " unknown hash alg encoding %d", p[0] ) );
+            continue;
+        }
+
+        if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+        {
+            mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+                                        " match sig %d and hash %d",
+                                        sig_cur, md_cur ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
+                                        "hash alg %d not supported", md_cur ) );
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
+                                                const unsigned char *buf,
+                                                size_t len )
+{
+    size_t list_size, our_size;
+    const unsigned char *p;
+    const mbedtls_ecp_curve_info *curve_info, **curves;
+
+    if ( len < 2 ) {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( list_size + 2 != len ||
+        list_size % 2 != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Should never happen unless client duplicates the extension */
+    if( ssl->handshake->curves != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Don't allow our peer to make us allocate too much memory,
+     * and leave room for a final 0 */
+    our_size = list_size / 2 + 1;
+    if( our_size > MBEDTLS_ECP_DP_MAX )
+        our_size = MBEDTLS_ECP_DP_MAX;
+
+    if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    ssl->handshake->curves = curves;
+
+    p = buf + 2;
+    while( list_size > 0 && our_size > 1 )
+    {
+        curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
+
+        if( curve_info != NULL )
+        {
+            *curves++ = curve_info;
+            our_size--;
+        }
+
+        list_size -= 2;
+        p += 2;
+    }
+
+    return( 0 );
+}
+
+static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    size_t list_size;
+    const unsigned char *p;
+
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while( list_size > 0 )
+    {
+        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
+        {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
+            return( 0 );
+        }
+
+        list_size--;
+        p++;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
+                                   const unsigned char *buf,
+                                   size_t len )
+{
+    int ret;
+
+    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
+        return( 0 );
+    }
+
+    if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
+                                                buf, len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( ret );
+    }
+
+    /* Only mark the extension as OK when we're sure it is */
+    ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->session_negotiate->mfl_code = buf[0];
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
+        ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t len )
+{
+    int ret;
+    mbedtls_ssl_session session;
+
+    mbedtls_ssl_session_init( &session );
+
+    if( ssl->conf->f_ticket_parse == NULL ||
+        ssl->conf->f_ticket_write == NULL )
+    {
+        return( 0 );
+    }
+
+    /* Remember the client asked us to send a new ticket */
+    ssl->handshake->new_session_ticket = 1;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
+
+    if( len == 0 )
+        return( 0 );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    /*
+     * Failures are ok: just ignore the ticket and proceed.
+     */
+    if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
+                                           buf, len ) ) != 0 )
+    {
+        mbedtls_ssl_session_free( &session );
+
+        if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
+        else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
+        else
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
+
+        return( 0 );
+    }
+
+    /*
+     * Keep the session ID sent by the client, since we MUST send it back to
+     * inform them we're accepting the ticket  (RFC 5077 section 3.4)
+     */
+    session.id_len = ssl->session_negotiate->id_len;
+    memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
+
+    mbedtls_ssl_session_free( ssl->session_negotiate );
+    memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
+
+    /* Zeroize instead of free as we copied the content */
+    mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
+
+    ssl->handshake->resume = 1;
+
+    /* Don't send a new ticket after all, this one is OK */
+    ssl->handshake->new_session_ticket = 0;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+                               const unsigned char *buf, size_t len )
+{
+    size_t list_len, cur_len, ours_len;
+    const unsigned char *theirs, *start, *end;
+    const char **ours;
+
+    /* If ALPN not configured, just ignore the extension */
+    if( ssl->conf->alpn_list == NULL )
+        return( 0 );
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if( len < 4 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    list_len = ( buf[0] << 8 ) | buf[1];
+    if( list_len != len - 2 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Validate peer's list (lengths)
+     */
+    start = buf + 2;
+    end = buf + len;
+    for( theirs = start; theirs != end; theirs += cur_len )
+    {
+        cur_len = *theirs++;
+
+        /* Current identifier must fit in list */
+        if( cur_len > (size_t)( end - theirs ) )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        /* Empty strings MUST NOT be included */
+        if( cur_len == 0 )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+    }
+
+    /*
+     * Use our order of preference
+     */
+    for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
+    {
+        ours_len = strlen( *ours );
+        for( theirs = start; theirs != end; theirs += cur_len )
+        {
+            cur_len = *theirs++;
+
+            if( cur_len == ours_len &&
+                memcmp( theirs, *ours, cur_len ) == 0 )
+            {
+                ssl->alpn_chosen = *ours;
+                return( 0 );
+            }
+        }
+    }
+
+    /* If we get there, no match was found */
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                            MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
+    return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Auxiliary functions for ServerHello parsing and related actions
+ */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
+ */
+#if defined(MBEDTLS_ECDSA_C)
+static int ssl_check_key_curve( mbedtls_pk_context *pk,
+                                const mbedtls_ecp_curve_info **curves )
+{
+    const mbedtls_ecp_curve_info **crv = curves;
+    mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
+
+    while( *crv != NULL )
+    {
+        if( (*crv)->grp_id == grp_id )
+            return( 0 );
+        crv++;
+    }
+
+    return( -1 );
+}
+#endif /* MBEDTLS_ECDSA_C */
+
+/*
+ * Try picking a certificate for this ciphersuite,
+ * return 0 on success and -1 on failure.
+ */
+static int ssl_pick_cert( mbedtls_ssl_context *ssl,
+                          const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
+{
+    mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
+    mbedtls_pk_type_t pk_alg =
+        mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+    uint32_t flags;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ssl->handshake->sni_key_cert != NULL )
+        list = ssl->handshake->sni_key_cert;
+    else
+#endif
+        list = ssl->conf->key_cert;
+
+    if( pk_alg == MBEDTLS_PK_NONE )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
+
+    if( list == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
+        return( -1 );
+    }
+
+    for( cur = list; cur != NULL; cur = cur->next )
+    {
+        MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
+                          cur->cert );
+
+        if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
+            continue;
+        }
+
+        /*
+         * This avoids sending the client a cert it'll reject based on
+         * keyUsage or other extensions.
+         *
+         * It also allows the user to provision different certificates for
+         * different uses based on keyUsage, eg if they want to avoid signing
+         * and decrypting with the same RSA key.
+         */
+        if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
+                                  MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
+                                "(extended) key usage extension" ) );
+            continue;
+        }
+
+#if defined(MBEDTLS_ECDSA_C)
+        if( pk_alg == MBEDTLS_PK_ECDSA &&
+            ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
+            continue;
+        }
+#endif
+
+        /*
+         * Try to select a SHA-1 certificate for pre-1.2 clients, but still
+         * present them a SHA-higher cert rather than failing if it's the only
+         * one we got that satisfies the other conditions.
+         */
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
+            cur->cert->sig_md != MBEDTLS_MD_SHA1 )
+        {
+            if( fallback == NULL )
+                fallback = cur;
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
+                                    "sha-2 with pre-TLS 1.2 client" ) );
+            continue;
+            }
+        }
+
+        /* If we get there, we got a winner */
+        break;
+    }
+
+    if( cur == NULL )
+        cur = fallback;
+
+    /* Do not update ssl->handshake->key_cert unless there is a match */
+    if( cur != NULL )
+    {
+        ssl->handshake->key_cert = cur;
+        MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
+                          ssl->handshake->key_cert->cert );
+        return( 0 );
+    }
+
+    return( -1 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Check if a given ciphersuite is suitable for use with our config/keys/etc
+ * Sets ciphersuite_info only if the suite matches.
+ */
+static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
+                                  const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
+{
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_pk_type_t sig_type;
+#endif
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
+    if( suite_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
+
+    if( suite_info->min_minor_ver > ssl->minor_ver ||
+        suite_info->max_minor_ver < ssl->minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
+        return( 0 );
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+        ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
+                                    "not configured or ext missing" ) );
+        return( 0 );
+    }
+#endif
+
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+    if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
+        ( ssl->handshake->curves == NULL ||
+          ssl->handshake->curves[0] == NULL ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+                            "no common elliptic curve" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    /* If the ciphersuite requires a pre-shared key and we don't
+     * have one, skip it now rather than failing later */
+    if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
+        ssl->conf->f_psk == NULL &&
+        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
+          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    /* If the ciphersuite requires signing, check whether
+     * a suitable hash algorithm is present. */
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
+        if( sig_type != MBEDTLS_PK_NONE &&
+            mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
+                                        "for signature algorithm %d", sig_type ) );
+            return( 0 );
+        }
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /*
+     * Final check: if ciphersuite requires us to have a
+     * certificate/key of a particular type:
+     * - select the appropriate certificate if we have one, or
+     * - try the next ciphersuite if we don't
+     * This must be done last since we modify the key_cert list.
+     */
+    if( ssl_pick_cert( ssl, suite_info ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+                            "no suitable certificate" ) );
+        return( 0 );
+    }
+#endif
+
+    *ciphersuite_info = suite_info;
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
+{
+    int ret, got_common_suite;
+    unsigned int i, j;
+    size_t n;
+    unsigned int ciph_len, sess_len, chal_len;
+    unsigned char *buf, *p;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    buf = ssl->in_hdr;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
+                   buf[2] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
+                   ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
+                   buf[3], buf[4] ) );
+
+    /*
+     * SSLv2 Client Hello
+     *
+     * Record layer:
+     *     0  .   1   message length
+     *
+     * SSL layer:
+     *     2  .   2   message type
+     *     3  .   4   protocol version
+     */
+    if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
+        buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
+
+    if( n < 17 || n > 512 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+    ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
+                     ? buf[4]  : ssl->conf->max_minor_ver;
+
+    if( ssl->minor_ver < ssl->conf->min_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]",
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    ssl->handshake->max_major_ver = buf[3];
+    ssl->handshake->max_minor_ver = buf[4];
+
+    if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    ssl->handshake->update_checksum( ssl, buf + 2, n );
+
+    buf = ssl->in_msg;
+    n = ssl->in_left - 5;
+
+    /*
+     *    0  .   1   ciphersuitelist length
+     *    2  .   3   session id length
+     *    4  .   5   challenge length
+     *    6  .  ..   ciphersuitelist
+     *   ..  .  ..   session id
+     *   ..  .  ..   challenge
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
+
+    ciph_len = ( buf[0] << 8 ) | buf[1];
+    sess_len = ( buf[2] << 8 ) | buf[3];
+    chal_len = ( buf[4] << 8 ) | buf[5];
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
+                   ciph_len, sess_len, chal_len ) );
+
+    /*
+     * Make sure each parameter length is valid
+     */
+    if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( sess_len > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( chal_len < 8 || chal_len > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( n != 6 + ciph_len + sess_len + chal_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
+                   buf + 6, ciph_len );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
+                   buf + 6 + ciph_len, sess_len );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
+                   buf + 6 + ciph_len + sess_len, chal_len );
+
+    p = buf + 6 + ciph_len;
+    ssl->session_negotiate->id_len = sess_len;
+    memset( ssl->session_negotiate->id, 0,
+            sizeof( ssl->session_negotiate->id ) );
+    memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
+
+    p += sess_len;
+    memset( ssl->handshake->randbytes, 0, 64 );
+    memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
+    {
+        if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
+                                    "during renegotiation" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
+    {
+        if( p[0] == 0 &&
+            p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
+            p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+        for( i = 0; ciphersuites[i] != 0; i++ )
+#else
+    for( i = 0; ciphersuites[i] != 0; i++ )
+        for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+#endif
+        {
+            if( p[0] != 0 ||
+                p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
+                p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
+                continue;
+
+            got_common_suite = 1;
+
+            if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
+                                               &ciphersuite_info ) ) != 0 )
+                return( ret );
+
+            if( ciphersuite_info != NULL )
+                goto have_ciphersuite_v2;
+        }
+
+    if( got_common_suite )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
+
+have_ciphersuite_v2:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
+
+    /*
+     * SSLv2 Client Hello relevant renegotiation security checks
+     */
+    if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->in_left = 0;
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+
+/* This function doesn't alert on errors that happen early during
+   ClientHello parsing because they might indicate that the client is
+   not talking SSL/TLS at all and would not understand our alert. */
+static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
+{
+    int ret, got_common_suite;
+    size_t i, j;
+    size_t ciph_offset, comp_offset, ext_offset;
+    size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    size_t cookie_offset, cookie_len;
+#endif
+    unsigned char *buf, *p, *ext;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    int major, minor;
+
+    /* If there is no signature-algorithm extension present,
+     * we need to fall back to the default values for allowed
+     * signature-hash pairs. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    int sig_hash_alg_ext_present = 0;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+read_record_header:
+#endif
+    /*
+     * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
+     * otherwise read it ourselves manually in order to support SSLv2
+     * ClientHello, which doesn't use the same record layer format.
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
+        {
+            /* No alert on a read error. */
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+            return( ret );
+        }
+    }
+
+    buf = ssl->in_hdr;
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
+#endif
+        if( ( buf[0] & 0x80 ) != 0 )
+            return( ssl_parse_client_hello_v2( ssl ) );
+#endif
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
+
+    /*
+     * SSLv3/TLS Client Hello
+     *
+     * Record layer:
+     *     0  .   0   message type
+     *     1  .   2   protocol version
+     *     3  .   11  DTLS: epoch + record sequence number
+     *     3  .   4   message length
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
+                   buf[0] ) );
+
+    if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
+                   ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
+                   buf[1], buf[2] ) );
+
+    mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
+
+    /* According to RFC 5246 Appendix E.1, the version here is typically
+     * "{03,00}, the lowest version number supported by the client, [or] the
+     * value of ClientHello.client_version", so the only meaningful check here
+     * is the major version shouldn't be less than 3 */
+    if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* For DTLS if this is the initial handshake, remember the client sequence
+     * number to use it in our next message (RFC 6347 4.2.1) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+        )
+    {
+        /* Epoch should be 0 for initial handshakes */
+        if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
+            ssl->next_record_offset = 0;
+            ssl->in_left = 0;
+            goto read_record_header;
+        }
+
+        /* No MAC to check yet, so we can update right now */
+        mbedtls_ssl_dtls_replay_update( ssl );
+#endif
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Set by mbedtls_ssl_read_record() */
+        msg_len = ssl->in_hslen;
+    }
+    else
+#endif
+    {
+        if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        if( ( ret = mbedtls_ssl_fetch_input( ssl,
+                       mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+            return( ret );
+        }
+
+    /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+            ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
+        else
+#endif
+            ssl->in_left = 0;
+    }
+
+    buf = ssl->in_msg;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
+
+    ssl->handshake->update_checksum( ssl, buf, msg_len );
+
+    /*
+     * Handshake layer:
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   DTLS only: message seqence number
+     *     6  .   8   DTLS only: fragment offset
+     *     9  .  11   DTLS only: fragment length
+     */
+    if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
+
+    if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
+                   ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
+
+    /* We don't support fragmentation of ClientHello (yet?) */
+    if( buf[1] != 0 ||
+        msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        /*
+         * Copy the client's handshake message_seq on initial handshakes,
+         * check sequence number on renego.
+         */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        {
+            /* This couldn't be done in ssl_prepare_handshake_record() */
+            unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
+                                         ssl->in_msg[5];
+
+            if( cli_msg_seq != ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
+                                    "%d (expected %d)", cli_msg_seq,
+                                    ssl->handshake->in_msg_seq ) );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            ssl->handshake->in_msg_seq++;
+        }
+        else
+#endif
+        {
+            unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
+                                         ssl->in_msg[5];
+            ssl->handshake->out_msg_seq = cli_msg_seq;
+            ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
+        }
+
+        /*
+         * For now we don't support fragmentation, so make sure
+         * fragment_offset == 0 and fragment_length == length
+         */
+        if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
+            memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    buf += mbedtls_ssl_hs_hdr_len( ssl );
+    msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     * ClientHello layer:
+     *     0  .   1   protocol version
+     *     2  .  33   random bytes (starting with 4 bytes of Unix time)
+     *    34  .  35   session id length (1 byte)
+     *    35  . 34+x  session id
+     *   35+x . 35+x  DTLS only: cookie length (1 byte)
+     *   36+x .  ..   DTLS only: cookie
+     *    ..  .  ..   ciphersuite list length (2 bytes)
+     *    ..  .  ..   ciphersuite list
+     *    ..  .  ..   compression alg. list length (1 byte)
+     *    ..  .  ..   compression alg. list
+     *    ..  .  ..   extensions length (2 bytes, optional)
+     *    ..  .  ..   extensions (optional)
+     */
+
+    /*
+     * Minimal length (with everything empty and extensions omitted) is
+     * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
+     * read at least up to session id length without worrying.
+     */
+    if( msg_len < 38 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Check and save the protocol version
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
+
+    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
+                      ssl->conf->transport, buf );
+
+    ssl->handshake->max_major_ver = ssl->major_ver;
+    ssl->handshake->max_minor_ver = ssl->minor_ver;
+
+    if( ssl->major_ver < ssl->conf->min_major_ver ||
+        ssl->minor_ver < ssl->conf->min_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]",
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    if( ssl->major_ver > ssl->conf->max_major_ver )
+    {
+        ssl->major_ver = ssl->conf->max_major_ver;
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+    }
+    else if( ssl->minor_ver > ssl->conf->max_minor_ver )
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+
+    /*
+     * Save client random (inc. Unix time)
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
+
+    memcpy( ssl->handshake->randbytes, buf + 2, 32 );
+
+    /*
+     * Check the session ID length and save session ID
+     */
+    sess_len = buf[34];
+
+    if( sess_len > sizeof( ssl->session_negotiate->id ) ||
+        sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
+
+    ssl->session_negotiate->id_len = sess_len;
+    memset( ssl->session_negotiate->id, 0,
+            sizeof( ssl->session_negotiate->id ) );
+    memcpy( ssl->session_negotiate->id, buf + 35,
+            ssl->session_negotiate->id_len );
+
+    /*
+     * Check the cookie length and content
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        cookie_offset = 35 + sess_len;
+        cookie_len = buf[cookie_offset];
+
+        if( cookie_offset + 1 + cookie_len + 2 > msg_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
+                       buf + cookie_offset + 1, cookie_len );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+        if( ssl->conf->f_cookie_check != NULL
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+            )
+        {
+            if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
+                                     buf + cookie_offset + 1, cookie_len,
+                                     ssl->cli_id, ssl->cli_id_len ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
+                ssl->handshake->verify_cookie_len = 1;
+            }
+            else
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
+                ssl->handshake->verify_cookie_len = 0;
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+        {
+            /* We know we didn't send a cookie, so it should be empty */
+            if( cookie_len != 0 )
+            {
+                /* This may be an attacker's probe, so don't send an alert */
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
+        }
+
+    /*
+     * Check the ciphersuitelist length (will be parsed later)
+     */
+        ciph_offset = cookie_offset + 1 + cookie_len;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+        ciph_offset = 35 + sess_len;
+
+    ciph_len = ( buf[ciph_offset + 0] << 8 )
+             | ( buf[ciph_offset + 1]      );
+
+    if( ciph_len < 2 ||
+        ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
+        ( ciph_len % 2 ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
+                   buf + ciph_offset + 2,  ciph_len );
+
+    /*
+     * Check the compression algorithms length and pick one
+     */
+    comp_offset = ciph_offset + 2 + ciph_len;
+
+    comp_len = buf[comp_offset];
+
+    if( comp_len < 1 ||
+        comp_len > 16 ||
+        comp_len + comp_offset + 1 > msg_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
+                      buf + comp_offset + 1, comp_len );
+
+    ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    for( i = 0; i < comp_len; ++i )
+    {
+        if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
+        {
+            ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
+            break;
+        }
+    }
+#endif
+
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#endif
+
+    /* Do not parse the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+        /*
+         * Check the extension length
+         */
+        ext_offset = comp_offset + 1 + comp_len;
+        if( msg_len > ext_offset )
+        {
+            if( msg_len < ext_offset + 2 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            ext_len = ( buf[ext_offset + 0] << 8 )
+                    | ( buf[ext_offset + 1]      );
+
+            if( ( ext_len > 0 && ext_len < 4 ) ||
+                msg_len != ext_offset + 2 + ext_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+        }
+        else
+            ext_len = 0;
+
+        ext = buf + ext_offset + 2;
+        MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
+
+        while( ext_len != 0 )
+        {
+            unsigned int ext_id;
+            unsigned int ext_size;
+            if ( ext_len < 4 ) {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            ext_id   = ( ( ext[0] <<  8 ) | ( ext[1] ) );
+            ext_size = ( ( ext[2] <<  8 ) | ( ext[3] ) );
+
+            if( ext_size + 4 > ext_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            switch( ext_id )
+            {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+            case MBEDTLS_TLS_EXT_SERVERNAME:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
+                if( ssl->conf->f_sni == NULL )
+                    break;
+
+                ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+            case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                renegotiation_info_seen = 1;
+#endif
+
+                ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            case MBEDTLS_TLS_EXT_SIG_ALG:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
+
+                ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+
+                sig_hash_alg_ext_present = 1;
+                break;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
+
+                ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+
+            case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
+                ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
+
+                ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
+
+                ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+            case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
+
+                ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+            case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
+
+                ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+            case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
+
+                ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+            case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
+
+                ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            case MBEDTLS_TLS_EXT_SESSION_TICKET:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
+
+                ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+            case MBEDTLS_TLS_EXT_ALPN:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+
+                ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+            default:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
+                               ext_id ) );
+            }
+
+            ext_len -= 4 + ext_size;
+            ext += 4 + ext_size;
+
+            if( ext_len > 0 && ext_len < 4 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+        }
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
+    {
+        if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
+            p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+    /*
+     * Try to fall back to default hash SHA1 if the client
+     * hasn't provided any preferred signature-hash combinations.
+     */
+    if( sig_hash_alg_ext_present == 0 )
+    {
+        mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
+
+        if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
+            md_default = MBEDTLS_MD_NONE;
+
+        mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
+    {
+        if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
+                                            "during renegotiation" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+#endif
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             renegotiation_info_seen == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if( handshake_failure == 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Search for a matching ciphersuite
+     * (At the end because we need information from the EC-based extensions
+     * and certificate from the SNI callback triggered by the SNI extension.)
+     */
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
+        for( i = 0; ciphersuites[i] != 0; i++ )
+#else
+    for( i = 0; ciphersuites[i] != 0; i++ )
+        for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
+#endif
+        {
+            if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
+                p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
+                continue;
+
+            got_common_suite = 1;
+
+            if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
+                                               &ciphersuite_info ) ) != 0 )
+                return( ret );
+
+            if( ciphersuite_info != NULL )
+                goto have_ciphersuite;
+        }
+
+    if( got_common_suite )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
+
+have_ciphersuite:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    /* Debugging-only output for testsuite */
+#if defined(MBEDTLS_DEBUG_C)                         && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)                && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
+        if( sig_alg != MBEDTLS_PK_NONE )
+        {
+            mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+                                                                  sig_alg );
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
+                                        mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
+                                        "%d - should not happen", sig_alg ) );
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf,
+                                          size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                            unsigned char *buf,
+                                            size_t *olen )
+{
+    unsigned char *p = buf;
+    const mbedtls_ssl_ciphersuite_t *suite = NULL;
+    const mbedtls_cipher_info_t *cipher = NULL;
+
+    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    /*
+     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
+     * from a client and then selects a stream or Authenticated Encryption
+     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
+     * encrypt-then-MAC response extension back to the client."
+     */
+    if( ( suite = mbedtls_ssl_ciphersuite_from_id(
+                    ssl->session_negotiate->ciphersuite ) ) == NULL ||
+        ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
+        cipher->mode != MBEDTLS_MODE_CBC )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf,
+                                       size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
+                        "extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf,
+                                          size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->handshake->new_session_ticket == 0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        *p++ = 0x00;
+        *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
+        *p++ = ssl->verify_data_len * 2 & 0xFF;
+
+        memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+        memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        *p++ = 0x00;
+        *p++ = 0x01;
+        *p++ = 0x00;
+    }
+
+    *olen = p - buf;
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                               unsigned char *buf,
+                                               size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->session_negotiate->mfl_code;
+
+    *olen = 5;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                   unsigned char *buf,
+                                                   size_t *olen )
+{
+    unsigned char *p = buf;
+    ((void) ssl);
+
+    if( ( ssl->handshake->cli_exts &
+          MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        size_t *olen )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly computation if not needed */
+    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
+        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
+
+    if( end - p < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
+
+    ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
+                                        p + 2, end - p - 2, &kkpp_len,
+                                        ssl->conf->f_rng, ssl->conf->p_rng );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
+
+    *olen = kkpp_len + 4;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN )
+static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+                                unsigned char *buf, size_t *olen )
+{
+    if( ssl->alpn_chosen == NULL )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
+
+    /*
+     * 0 . 1    ext identifier
+     * 2 . 3    ext length
+     * 4 . 5    protocol list length
+     * 6 . 6    protocol name length
+     * 7 . 7+n  protocol name
+     */
+    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
+    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
+
+    *olen = 7 + strlen( ssl->alpn_chosen );
+
+    buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
+    buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
+
+    buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
+    buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
+
+    buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
+
+    memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *p = ssl->out_msg + 4;
+    unsigned char *cookie_len_byte;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+
+    /* The RFC is not clear on this point, but sending the actual negotiated
+     * version looks like the most interoperable thing to do. */
+    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                       ssl->conf->transport, p );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
+    p += 2;
+
+    /* If we get here, f_cookie_check is not null */
+    if( ssl->conf->f_cookie_write == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* Skip length byte until we know the length */
+    cookie_len_byte = p++;
+
+    if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
+                                     &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
+                                     ssl->cli_id, ssl->cli_id_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
+        return( ret );
+    }
+
+    *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
+
+    ssl->out_msglen  = p - ssl->out_msg;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+
+    ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+    int ret;
+    size_t olen, ext_len = 0, n;
+    unsigned char *buf, *p;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->verify_cookie_len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
+
+        return( ssl_write_hello_verify_request( ssl ) );
+    }
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+    if( ssl->conf->f_rng == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( MBEDTLS_ERR_SSL_NO_RNG );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   protocol version
+     *     6  .   9   UNIX time()
+     *    10  .  37   random bytes
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                       ssl->conf->transport, p );
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
+                        buf[4], buf[5] ) );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time( NULL );
+    *p++ = (unsigned char)( t >> 24 );
+    *p++ = (unsigned char)( t >> 16 );
+    *p++ = (unsigned char)( t >>  8 );
+    *p++ = (unsigned char)( t       );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
+#else
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
+        return( ret );
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
+        return( ret );
+
+    p += 28;
+
+    memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
+
+    /*
+     * Resume is 0  by default, see ssl_handshake_init().
+     * It may be already set to 1 by ssl_parse_session_ticket_ext().
+     * If not, try looking up session ID in our cache.
+     */
+    if( ssl->handshake->resume == 0 &&
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
+#endif
+        ssl->session_negotiate->id_len != 0 &&
+        ssl->conf->f_get_cache != NULL &&
+        ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
+        ssl->handshake->resume = 1;
+    }
+
+    if( ssl->handshake->resume == 0 )
+    {
+        /*
+         * New session, create a new session id,
+         * unless we're about to issue a session ticket
+         */
+        ssl->state++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time( NULL );
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        if( ssl->handshake->new_session_ticket != 0 )
+        {
+            ssl->session_negotiate->id_len = n = 0;
+            memset( ssl->session_negotiate->id, 0, 32 );
+        }
+        else
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+        {
+            ssl->session_negotiate->id_len = n = 32;
+            if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
+                                    n ) ) != 0 )
+                return( ret );
+        }
+    }
+    else
+    {
+        /*
+         * Resuming a session
+         */
+        n = ssl->session_negotiate->id_len;
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+            return( ret );
+        }
+    }
+
+    /*
+     *    38  .  38     session id length
+     *    39  . 38+n    session id
+     *   39+n . 40+n    chosen ciphersuite
+     *   41+n . 41+n    chosen compression alg.
+     *   42+n . 43+n    extensions length
+     *   44+n . 43+n+m  extensions
+     */
+    *p++ = (unsigned char) ssl->session_negotiate->id_len;
+    memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
+    p += ssl->session_negotiate->id_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
+                   ssl->handshake->resume ? "a" : "no" ) );
+
+    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
+    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
+    *p++ = (unsigned char)( ssl->session_negotiate->compression      );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
+           mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
+                   ssl->session_negotiate->compression ) );
+
+    /* Do not write the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+
+    /*
+     *  First write extensions, then the total length
+     */
+    ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if ( mbedtls_ssl_ciphersuite_uses_ec(
+         mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
+    {
+        ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
+        ext_len += olen;
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
+
+    if( ext_len > 0 )
+    {
+        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
+        p += ext_len;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
+
+    ret = mbedtls_ssl_write_handshake_msg( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    size_t dn_size, total_dn_size; /* excluding length bytes */
+    size_t ct_len, sa_len; /* including length bytes */
+    unsigned char *buf, *p;
+    const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    const mbedtls_x509_crt *crt;
+    int authmode;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+        authmode = ssl->handshake->sni_authmode;
+    else
+#endif
+        authmode = ssl->conf->authmode;
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
+        authmode == MBEDTLS_SSL_VERIFY_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+        return( 0 );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   4   cert type count
+     *     5  .. m-1  cert types
+     *     m  .. m+1  sig alg length (TLS 1.2 only)
+     *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
+     *     n  .. n+1  length of all DNs
+     *    n+2 .. n+3  length of DN 1
+     *    n+4 .. ...  Distinguished Name #1
+     *    ... .. ...  length of DN 2, etc.
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    /*
+     * Supported certificate types
+     *
+     *     ClientCertificateType certificate_types<1..2^8-1>;
+     *     enum { (255) } ClientCertificateType;
+     */
+    ct_len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
+#endif
+
+    p[0] = (unsigned char) ct_len++;
+    p += ct_len;
+
+    sa_len = 0;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    /*
+     * Add signature_algorithms for verify (TLS 1.2)
+     *
+     *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
+     *
+     *     struct {
+     *           HashAlgorithm hash;
+     *           SignatureAlgorithm signature;
+     *     } SignatureAndHashAlgorithm;
+     *
+     *     enum { (255) } HashAlgorithm;
+     *     enum { (255) } SignatureAlgorithm;
+     */
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        const int *cur;
+
+        /*
+         * Supported signature algorithms
+         */
+        for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+        {
+            unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
+
+            if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
+                continue;
+
+#if defined(MBEDTLS_RSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+        }
+
+        p[0] = (unsigned char)( sa_len >> 8 );
+        p[1] = (unsigned char)( sa_len      );
+        sa_len += 2;
+        p += sa_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /*
+     * DistinguishedName certificate_authorities<0..2^16-1>;
+     * opaque DistinguishedName<1..2^16-1>;
+     */
+    p += 2;
+
+    total_dn_size = 0;
+
+    if( ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
+    {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if( ssl->handshake->sni_ca_chain != NULL )
+            crt = ssl->handshake->sni_ca_chain;
+        else
+#endif
+            crt = ssl->conf->ca_chain;
+
+        while( crt != NULL && crt->version != 0 )
+        {
+            dn_size = crt->subject_raw.len;
+
+            if( end < p ||
+                (size_t)( end - p ) < dn_size ||
+                (size_t)( end - p ) < 2 + dn_size )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
+                break;
+            }
+
+            *p++ = (unsigned char)( dn_size >> 8 );
+            *p++ = (unsigned char)( dn_size      );
+            memcpy( p, crt->subject_raw.p, dn_size );
+            p += dn_size;
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
+
+            total_dn_size += 2 + dn_size;
+            crt = crt->next;
+        }
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
+    ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
+    ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
+
+    ret = mbedtls_ssl_write_handshake_msg( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
+                                 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
+                                 MBEDTLS_ECDH_OURS ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
+                                           size_t *signature_len )
+{
+    /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+     * signature length which will be added in ssl_write_server_key_exchange
+     * after the call to ssl_prepare_server_key_exchange.
+     * ssl_write_server_key_exchange also takes care of incrementing
+     * ssl->out_msglen. */
+    unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
+    size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
+                           - sig_start );
+    int ret = ssl->conf->f_async_resume( ssl,
+                                         sig_start, signature_len, sig_max_len );
+    if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+    {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data( ssl, NULL );
+    }
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
+    return( ret );
+}
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+
+/* Prepare the ServerKeyExchange message, up to and including
+ * calculating the signature if any, but excluding formatting the
+ * signature and sending the message. */
+static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
+                                            size_t *signature_len )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+                            ssl->transform_negotiate->ciphersuite_info;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    unsigned char *dig_signed = NULL;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
+
+    (void) ciphersuite_info; /* unused in some configurations */
+#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    (void) signature_len;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
+
+    /*
+     *
+     * Part 1: Provide key exchange parameters for chosen ciphersuite.
+     *
+     */
+
+    /*
+     * - ECJPAKE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        int ret;
+        size_t len = 0;
+
+        ret = mbedtls_ecjpake_write_round_two(
+            &ssl->handshake->ecjpake_ctx,
+            ssl->out_msg + ssl->out_msglen,
+            MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
+            ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
+            return( ret );
+        }
+
+        ssl->out_msglen += len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+    /*
+     * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
+     * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
+     * we use empty support identity hints here.
+     **/
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+    /*
+     * - DHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
+    {
+        int ret;
+        size_t len = 0;
+
+        if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+
+        /*
+         * Ephemeral DH parameters:
+         *
+         * struct {
+         *     opaque dh_p<1..2^16-1>;
+         *     opaque dh_g<1..2^16-1>;
+         *     opaque dh_Ys<1..2^16-1>;
+         * } ServerDHParams;
+         */
+        if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
+                                           &ssl->conf->dhm_P,
+                                           &ssl->conf->dhm_G ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_dhm_make_params(
+                  &ssl->handshake->dhm_ctx,
+                  (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                  ssl->out_msg + ssl->out_msglen, &len,
+                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
+            return( ret );
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+        dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+        ssl->out_msglen += len;
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
+
+    /*
+     * - ECDHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
+    {
+        /*
+         * Ephemeral ECDH parameters:
+         *
+         * struct {
+         *     ECParameters curve_params;
+         *     ECPoint      public;
+         * } ServerECDHParams;
+         */
+        const mbedtls_ecp_curve_info **curve = NULL;
+        const mbedtls_ecp_group_id *gid;
+        int ret;
+        size_t len = 0;
+
+        /* Match our preference list against the offered curves */
+        for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
+            for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
+                if( (*curve)->grp_id == *gid )
+                    goto curve_matching_done;
+
+curve_matching_done:
+        if( curve == NULL || *curve == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
+            return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
+
+        if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
+                                        (*curve)->grp_id ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ecdh_make_params(
+                  &ssl->handshake->ecdh_ctx, &len,
+                  ssl->out_msg + ssl->out_msglen,
+                  MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
+                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
+            return( ret );
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+        dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+        ssl->out_msglen += len;
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Q );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
+
+    /*
+     *
+     * Part 2: For key exchanges involving the server signing the
+     *         exchange parameters, compute and add the signature here.
+     *
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
+    {
+        size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
+        size_t hashlen = 0;
+        unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+        int ret;
+
+        /*
+         * 2.1: Choose hash algorithm:
+         * A: For TLS 1.2, obey signature-hash-algorithm extension
+         *    to choose appropriate hash.
+         * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
+         *    (RFC 4492, Sec. 5.4)
+         * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
+         */
+
+        mbedtls_md_type_t md_alg;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        mbedtls_pk_type_t sig_alg =
+            mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            /* A: For TLS 1.2, obey signature-hash-algorithm extension
+             *    (RFC 5246, Sec. 7.4.1.4.1). */
+            if( sig_alg == MBEDTLS_PK_NONE ||
+                ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+                                                          sig_alg ) ) == MBEDTLS_MD_NONE )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                /* (... because we choose a cipher suite
+                 *      only if there is a matching hash.) */
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+        {
+            /* B: Default hash SHA1 */
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+        {
+            /* C: MD5 + SHA1 */
+            md_alg = MBEDTLS_MD_NONE;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
+
+        /*
+         * 2.2: Compute the hash to be signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( md_alg == MBEDTLS_MD_NONE )
+        {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
+                                                           dig_signed,
+                                                           dig_signed_len );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( md_alg != MBEDTLS_MD_NONE )
+        {
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
+                                                          dig_signed,
+                                                          dig_signed_len,
+                                                          md_alg );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
+
+        /*
+         * 2.3: Compute and add the signature
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            /*
+             * For TLS 1.2, we need to specify signature and hash algorithm
+             * explicitly through a prefix to the signature.
+             *
+             * struct {
+             *    HashAlgorithm hash;
+             *    SignatureAlgorithm signature;
+             * } SignatureAndHashAlgorithm;
+             *
+             * struct {
+             *    SignatureAndHashAlgorithm algorithm;
+             *    opaque signature<0..2^16-1>;
+             * } DigitallySigned;
+             *
+             */
+
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_hash_from_md_alg( md_alg );
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_sig_from_pk_alg( sig_alg );
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( ssl->conf->f_async_sign_start != NULL )
+        {
+            ret = ssl->conf->f_async_sign_start( ssl,
+                                                 mbedtls_ssl_own_cert( ssl ),
+                                                 md_alg, hash, hashlen );
+            switch( ret )
+            {
+            case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+                /* act as if f_async_sign was null */
+                break;
+            case 0:
+                ssl->handshake->async_in_progress = 1;
+                return( ssl_resume_server_key_exchange( ssl, signature_len ) );
+            case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+                ssl->handshake->async_in_progress = 1;
+                return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+            default:
+                MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
+                return( ret );
+            }
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+        if( mbedtls_ssl_own_key( ssl ) == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        }
+
+        /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+         * signature length which will be added in ssl_write_server_key_exchange
+         * after the call to ssl_prepare_server_key_exchange.
+         * ssl_write_server_key_exchange also takes care of incrementing
+         * ssl->out_msglen. */
+        if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
+                                     md_alg, hash, hashlen,
+                                     ssl->out_msg + ssl->out_msglen + 2,
+                                     signature_len,
+                                     ssl->conf->f_rng,
+                                     ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    return( 0 );
+}
+
+/* Prepare the ServerKeyExchange message and send it. For ciphersuites
+ * that do not include a ServerKeyExchange message, do nothing. Either
+ * way, if successful, move on to the next step in the SSL state
+ * machine. */
+static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t signature_len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+                            ssl->transform_negotiate->ciphersuite_info;
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+    /* Extract static ECDH parameters and abort if ServerKeyExchange
+     * is not needed. */
+    if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
+    {
+        /* For suites involving ECDH, extract DH parameters
+         * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+        if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
+        {
+            ssl_get_ecdh_params_from_cert( ssl );
+        }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+        /* Key exchanges not involving ephemeral keys don't use
+         * ServerKeyExchange, so end here. */
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already prepared the message and there is an ongoing
+     * signature operation, resume signing. */
+    if( ssl->handshake->async_in_progress != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
+        ret = ssl_resume_server_key_exchange( ssl, &signature_len );
+    }
+    else
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+    {
+        /* ServerKeyExchange is needed. Prepare the message. */
+        ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
+    }
+
+    if( ret != 0 )
+    {
+        /* If we're starting to write a new message, set ssl->out_msglen
+         * to 0. But if we're resuming after an asynchronous message,
+         * out_msglen is the amount of data written so far and mst be
+         * preserved. */
+        if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
+        else
+            ssl->out_msglen = 0;
+        return( ret );
+    }
+
+    /* If there is a signature, write its length.
+     * ssl_prepare_server_key_exchange already wrote the signature
+     * itself at its proper place in the output buffer. */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( signature_len != 0 )
+    {
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len      );
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
+                               ssl->out_msg + ssl->out_msglen,
+                               signature_len );
+
+        /* Skip over the already-written signature */
+        ssl->out_msglen += signature_len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    /* Add header and send. */
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
+    return( 0 );
+}
+
+static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
+                                       const unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t n;
+
+    /*
+     * Receive G^Y mod P, premaster = (G^Y)^X mod P
+     */
+    if( *p + 2 > end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    *p += 2;
+
+    if( *p + n > end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+    }
+
+    *p += n;
+
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
+                                   unsigned char *peer_pms,
+                                   size_t *peer_pmslen,
+                                   size_t peer_pmssize )
+{
+    int ret = ssl->conf->f_async_resume( ssl,
+                                         peer_pms, peer_pmslen, peer_pmssize );
+    if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+    {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data( ssl, NULL );
+    }
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
+                                      const unsigned char *p,
+                                      const unsigned char *end,
+                                      unsigned char *peer_pms,
+                                      size_t *peer_pmslen,
+                                      size_t peer_pmssize )
+{
+    int ret;
+    mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
+    mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
+    size_t len = mbedtls_pk_get_len( public_key );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already started decoding the message and there is an ongoing
+     * decryption operation, resume signing. */
+    if( ssl->handshake->async_in_progress != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
+        return( ssl_resume_decrypt_pms( ssl,
+                                        peer_pms, peer_pmslen, peer_pmssize ) );
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    /*
+     * Prepare to decrypt the premaster using own private RSA key
+     */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if ( p + 2 > end ) {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+        if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
+            *p++ != ( ( len      ) & 0xFF ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+    }
+#endif
+
+    if( p + len != end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    /*
+     * Decrypt the premaster secret
+     */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( ssl->conf->f_async_decrypt_start != NULL )
+    {
+        ret = ssl->conf->f_async_decrypt_start( ssl,
+                                                mbedtls_ssl_own_cert( ssl ),
+                                                p, len );
+        switch( ret )
+        {
+        case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+            /* act as if f_async_decrypt_start was null */
+            break;
+        case 0:
+            ssl->handshake->async_in_progress = 1;
+            return( ssl_resume_decrypt_pms( ssl,
+                                            peer_pms,
+                                            peer_pmslen,
+                                            peer_pmssize ) );
+        case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+            ssl->handshake->async_in_progress = 1;
+            return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+        default:
+            MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    ret = mbedtls_pk_decrypt( private_key, p, len,
+                              peer_pms, peer_pmslen, peer_pmssize,
+                              ssl->conf->f_rng, ssl->conf->p_rng );
+    return( ret );
+}
+
+static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
+                                    const unsigned char *p,
+                                    const unsigned char *end,
+                                    size_t pms_offset )
+{
+    int ret;
+    unsigned char *pms = ssl->handshake->premaster + pms_offset;
+    unsigned char ver[2];
+    unsigned char fake_pms[48], peer_pms[48];
+    unsigned char mask;
+    size_t i, peer_pmslen;
+    unsigned int diff;
+
+    /* In case of a failure in decryption, the decryption may write less than
+     * 2 bytes of output, but we always read the first two bytes. It doesn't
+     * matter in the end because diff will be nonzero in that case due to
+     * peer_pmslen being less than 48, and we only care whether diff is 0.
+     * But do initialize peer_pms for robustness anyway. This also makes
+     * memory analyzers happy (don't access uninitialized memory, even
+     * if it's an unsigned char). */
+    peer_pms[0] = peer_pms[1] = ~0;
+
+    ret = ssl_decrypt_encrypted_pms( ssl, p, end,
+                                     peer_pms,
+                                     &peer_pmslen,
+                                     sizeof( peer_pms ) );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+        return( ret );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
+                               ssl->handshake->max_minor_ver,
+                               ssl->conf->transport, ver );
+
+    /* Avoid data-dependent branches while checking for invalid
+     * padding, to protect against timing-based Bleichenbacher-type
+     * attacks. */
+    diff  = (unsigned int) ret;
+    diff |= peer_pmslen ^ 48;
+    diff |= peer_pms[0] ^ ver[0];
+    diff |= peer_pms[1] ^ ver[1];
+
+    /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /*
+     * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
+     * must not cause the connection to end immediately; instead, send a
+     * bad_record_mac later in the handshake.
+     * To protect against timing-based variants of the attack, we must
+     * not have any branch that depends on whether the decryption was
+     * successful. In particular, always generate the fake premaster secret,
+     * regardless of whether it will ultimately influence the output or not.
+     */
+    ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
+    if( ret != 0 )
+    {
+        /* It's ok to abort on an RNG failure, since this does not reveal
+         * anything about the RSA decryption. */
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    if( diff != 0 )
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+#endif
+
+    if( sizeof( ssl->handshake->premaster ) < pms_offset ||
+        sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+    ssl->handshake->pmslen = 48;
+
+    /* Set pms to either the true or the fake PMS, without
+     * data-dependent branches. */
+    for( i = 0; i < ssl->handshake->pmslen; i++ )
+        pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
+                                          const unsigned char *end )
+{
+    int ret = 0;
+    size_t n;
+
+    if( ssl->conf->f_psk == NULL &&
+        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
+          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    /*
+     * Receive client pre-shared key identity name
+     */
+    if( end - *p < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    *p += 2;
+
+    if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ssl->conf->f_psk != NULL )
+    {
+        if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+    }
+    else
+    {
+        /* Identity is not a big secret since clients send it in the clear,
+         * but treat it carefully anyway, just in case */
+        if( n != ssl->conf->psk_identity_len ||
+            mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
+        {
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+        }
+    }
+
+    if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
+    {
+        MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
+        return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
+    }
+
+    *p += n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    unsigned char *p, *end;
+
+    ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
+    ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+      defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
+    if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
+        ( ssl->handshake->async_in_progress != 0 ) )
+    {
+        /* We've already read a record and there is an asynchronous
+         * operation in progress to decrypt it. So skip reading the
+         * record. */
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
+    }
+    else
+#endif
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    end = ssl->in_msg + ssl->in_hslen;
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
+    {
+        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      ssl->handshake->premaster,
+                                      MBEDTLS_PREMASTER_SIZE,
+                                     &ssl->handshake->pmslen,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
+                                      p, end - p) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_QP );
+
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
+                                      &ssl->handshake->pmslen,
+                                       ssl->handshake->premaster,
+                                       MBEDTLS_MPI_MAX_SIZE,
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if ( ssl->handshake->async_in_progress != 0 )
+        {
+            /* There is an asynchronous operation in progress to
+             * decrypt the encrypted premaster secret, so skip
+             * directly to resuming this operation. */
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
+            /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
+             * won't actually use it, but maintain p anyway for robustness. */
+            p += ssl->conf->psk_identity_len + 2;
+        }
+        else
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
+                                       p, end - p ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_QP );
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
+                                              p, end - p );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+
+        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
+                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, sig_len;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    size_t hashlen;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    mbedtls_pk_type_t pk_alg;
+#endif
+    mbedtls_md_type_t md_alg;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
+        ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    /* Read the message without adding it to the checksum */
+    ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
+    if( 0 != ret )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
+        return( ret );
+    }
+
+    ssl->state++;
+
+    /* Process the message contents */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
+        ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    i = mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     *  struct {
+     *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
+     *     opaque signature<0..2^16-1>;
+     *  } DigitallySigned;
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        md_alg = MBEDTLS_MD_NONE;
+        hashlen = 36;
+
+        /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
+        if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                        MBEDTLS_PK_ECDSA ) )
+        {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        if( i + 2 > ssl->in_hslen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        /*
+         * Hash
+         */
+        md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
+
+        if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
+                                " for verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+#if !defined(MBEDTLS_MD_SHA1)
+        if( MBEDTLS_MD_SHA1 == md_alg )
+            hash_start += 16;
+#endif
+
+        /* Info from md_alg will be used instead */
+        hashlen = 0;
+
+        i++;
+
+        /*
+         * Signature
+         */
+        if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
+                        == MBEDTLS_PK_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
+                                " for verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        /*
+         * Check the certificate's key type matches the signature alg
+         */
+        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        i++;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( i + 2 > ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
+    i += 2;
+
+    if( i + sig_len != ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    /* Calculate hash and verify signature */
+    ssl->handshake->calc_verify( ssl, hash );
+
+    if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
+                           md_alg, hash_start, hashlen,
+                           ssl->in_msg + i, sig_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+        return( ret );
+    }
+
+    mbedtls_ssl_update_handshake_status( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t tlen;
+    uint32_t lifetime;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 4  .  7   ticket_lifetime_hint (0 = unspecified)
+     * 8  .  9   ticket_len (n)
+     * 10 .  9+n ticket content
+     */
+
+    if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
+                                ssl->session_negotiate,
+                                ssl->out_msg + 10,
+                                ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
+                                &tlen, &lifetime ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
+        tlen = 0;
+    }
+
+    ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
+    ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
+    ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
+    ssl->out_msg[7] = ( lifetime       ) & 0xFF;
+
+    ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
+    ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
+
+    ssl->out_msglen = 10 + tlen;
+
+    /*
+     * Morally equivalent to updating ssl->state, but NewSessionTicket and
+     * ChangeCipherSpec share the same state.
+     */
+    ssl->handshake->new_session_ticket = 0;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- server side -- single step
+ */
+int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+            return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    switch( ssl->state )
+    {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+        /*
+         *  <==   ClientHello
+         */
+        case MBEDTLS_SSL_CLIENT_HELLO:
+            ret = ssl_parse_client_hello( ssl );
+            break;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
+            return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+#endif
+
+        /*
+         *  ==>   ServerHello
+         *        Certificate
+         *      ( ServerKeyExchange  )
+         *      ( CertificateRequest )
+         *        ServerHelloDone
+         */
+        case MBEDTLS_SSL_SERVER_HELLO:
+            ret = ssl_write_server_hello( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_CERTIFICATE:
+            ret = mbedtls_ssl_write_certificate( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+            ret = ssl_write_server_key_exchange( ssl );
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+            ret = ssl_write_certificate_request( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_HELLO_DONE:
+            ret = ssl_write_server_hello_done( ssl );
+            break;
+
+        /*
+         *  <== ( Certificate/Alert  )
+         *        ClientKeyExchange
+         *      ( CertificateVerify  )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+            ret = mbedtls_ssl_parse_certificate( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+            ret = ssl_parse_client_key_exchange( ssl );
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+            ret = ssl_parse_certificate_verify( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+            ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_FINISHED:
+            ret = mbedtls_ssl_parse_finished( ssl );
+            break;
+
+        /*
+         *  ==> ( NewSessionTicket )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            if( ssl->handshake->new_session_ticket != 0 )
+                ret = ssl_write_new_session_ticket( ssl );
+            else
+#endif
+                ret = mbedtls_ssl_write_change_cipher_spec( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_FINISHED:
+            ret = mbedtls_ssl_write_finished( ssl );
+            break;
+
+        case MBEDTLS_SSL_FLUSH_BUFFERS:
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+            break;
+
+        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+            mbedtls_ssl_handshake_wrapup( ssl );
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_SRV_C */
diff --git a/ctrtool/deps/libmbedtls/src/ssl_ticket.c b/ctrtool/deps/libmbedtls/src/ssl_ticket.c
new file mode 100644
index 00000000..8492c19a
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ssl_ticket.c
@@ -0,0 +1,485 @@
+/*
+ *  TLS server tickets callbacks implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TICKET_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/*
+ * Initialze context
+ */
+void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+#define MAX_KEY_BYTES 32    /* 256 bits */
+
+/*
+ * Generate/update a key
+ */
+static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
+                               unsigned char index )
+{
+    int ret;
+    unsigned char buf[MAX_KEY_BYTES];
+    mbedtls_ssl_ticket_key *key = ctx->keys + index;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    key->generation_time = (uint32_t) mbedtls_time( NULL );
+#endif
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
+        return( ret );
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
+        return( ret );
+
+    /* With GCM and CCM, same context can encrypt & decrypt */
+    ret = mbedtls_cipher_setkey( &key->ctx, buf,
+                                 mbedtls_cipher_get_key_bitlen( &key->ctx ),
+                                 MBEDTLS_ENCRYPT );
+
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+/*
+ * Rotate/generate keys if necessary
+ */
+static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
+{
+#if !defined(MBEDTLS_HAVE_TIME)
+    ((void) ctx);
+#else
+    if( ctx->ticket_lifetime != 0 )
+    {
+        uint32_t current_time = (uint32_t) mbedtls_time( NULL );
+        uint32_t key_time = ctx->keys[ctx->active].generation_time;
+
+        if( current_time >= key_time &&
+            current_time - key_time < ctx->ticket_lifetime )
+        {
+            return( 0 );
+        }
+
+        ctx->active = 1 - ctx->active;
+
+        return( ssl_ticket_gen_key( ctx, ctx->active ) );
+    }
+    else
+#endif /* MBEDTLS_HAVE_TIME */
+        return( 0 );
+}
+
+/*
+ * Setup context for actual use
+ */
+int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
+    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+    mbedtls_cipher_type_t cipher,
+    uint32_t lifetime )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    ctx->f_rng = f_rng;
+    ctx->p_rng = p_rng;
+
+    ctx->ticket_lifetime = lifetime;
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher);
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( cipher_info->mode != MBEDTLS_MODE_GCM &&
+        cipher_info->mode != MBEDTLS_MODE_CCM )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
+        ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
+        ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Serialize a session in the following format:
+ *  0   .   n-1     session structure, n = sizeof(mbedtls_ssl_session)
+ *  n   .   n+2     peer_cert length = m (0 if no certificate)
+ *  n+3 .   n+2+m   peer cert ASN.1
+ */
+static int ssl_save_session( const mbedtls_ssl_session *session,
+                             unsigned char *buf, size_t buf_len,
+                             size_t *olen )
+{
+    unsigned char *p = buf;
+    size_t left = buf_len;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    size_t cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( left < sizeof( mbedtls_ssl_session ) )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    memcpy( p, session, sizeof( mbedtls_ssl_session ) );
+    p += sizeof( mbedtls_ssl_session );
+    left -= sizeof( mbedtls_ssl_session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( session->peer_cert == NULL )
+        cert_len = 0;
+    else
+        cert_len = session->peer_cert->raw.len;
+
+    if( left < 3 + cert_len )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    *p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
+    *p++ = (unsigned char)( ( cert_len >>  8 ) & 0xFF );
+    *p++ = (unsigned char)( ( cert_len       ) & 0xFF );
+
+    if( session->peer_cert != NULL )
+        memcpy( p, session->peer_cert->raw.p, cert_len );
+
+    p += cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    *olen = p - buf;
+
+    return( 0 );
+}
+
+/*
+ * Unserialise session, see ssl_save_session()
+ */
+static int ssl_load_session( mbedtls_ssl_session *session,
+                             const unsigned char *buf, size_t len )
+{
+    const unsigned char *p = buf;
+    const unsigned char * const end = buf + len;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    size_t cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    memcpy( session, p, sizeof( mbedtls_ssl_session ) );
+    p += sizeof( mbedtls_ssl_session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( 3 > (size_t)( end - p ) )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
+    p += 3;
+
+    if( cert_len == 0 )
+    {
+        session->peer_cert = NULL;
+    }
+    else
+    {
+        int ret;
+
+        if( cert_len > (size_t)( end - p ) )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
+
+        if( session->peer_cert == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        mbedtls_x509_crt_init( session->peer_cert );
+
+        if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
+                                                p, cert_len ) ) != 0 )
+        {
+            mbedtls_x509_crt_free( session->peer_cert );
+            mbedtls_free( session->peer_cert );
+            session->peer_cert = NULL;
+            return( ret );
+        }
+
+        p += cert_len;
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( p != end )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+/*
+ * Create session ticket, with the following structure:
+ *
+ *    struct {
+ *        opaque key_name[4];
+ *        opaque iv[12];
+ *        opaque encrypted_state<0..2^16-1>;
+ *        opaque tag[16];
+ *    } ticket;
+ *
+ * The key_name, iv, and length of encrypted_state are the additional
+ * authenticated data.
+ */
+int mbedtls_ssl_ticket_write( void *p_ticket,
+                              const mbedtls_ssl_session *session,
+                              unsigned char *start,
+                              const unsigned char *end,
+                              size_t *tlen,
+                              uint32_t *ticket_lifetime )
+{
+    int ret;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = start;
+    unsigned char *iv = start + 4;
+    unsigned char *state_len_bytes = iv + 12;
+    unsigned char *state = state_len_bytes + 2;
+    unsigned char *tag;
+    size_t clear_len, ciph_len;
+
+    *tlen = 0;
+
+    if( ctx == NULL || ctx->f_rng == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
+     * in addition to session itself, that will be checked when writing it. */
+    if( end - start < 4 + 12 + 2 + 16 )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
+        goto cleanup;
+
+    key = &ctx->keys[ctx->active];
+
+    *ticket_lifetime = ctx->ticket_lifetime;
+
+    memcpy( key_name, key->name, 4 );
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 )
+        goto cleanup;
+
+    /* Dump session state */
+    if( ( ret = ssl_save_session( session,
+                                  state, end - state, &clear_len ) ) != 0 ||
+        (unsigned long) clear_len > 65535 )
+    {
+         goto cleanup;
+    }
+    state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
+    state_len_bytes[1] = ( clear_len      ) & 0xff;
+
+    /* Encrypt and authenticate */
+    tag = state + clear_len;
+    if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
+                    iv, 12, key_name, 4 + 12 + 2,
+                    state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 )
+    {
+        goto cleanup;
+    }
+    if( ciph_len != clear_len )
+    {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    *tlen = 4 + 12 + 2 + 16 + ciph_len;
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Select key based on name
+ */
+static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
+        mbedtls_ssl_ticket_context *ctx,
+        const unsigned char name[4] )
+{
+    unsigned char i;
+
+    for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
+        if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
+            return( &ctx->keys[i] );
+
+    return( NULL );
+}
+
+/*
+ * Load session ticket (see mbedtls_ssl_ticket_write for structure)
+ */
+int mbedtls_ssl_ticket_parse( void *p_ticket,
+                              mbedtls_ssl_session *session,
+                              unsigned char *buf,
+                              size_t len )
+{
+    int ret;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = buf;
+    unsigned char *iv = buf + 4;
+    unsigned char *enc_len_p = iv + 12;
+    unsigned char *ticket = enc_len_p + 2;
+    unsigned char *tag;
+    size_t enc_len, clear_len;
+
+    if( ctx == NULL || ctx->f_rng == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* See mbedtls_ssl_ticket_write() */
+    if( len < 4 + 12 + 2 + 16 )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
+        goto cleanup;
+
+    enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
+    tag = ticket + enc_len;
+
+    if( len != 4 + 12 + 2 + enc_len + 16 )
+    {
+        ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /* Select key */
+    if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
+    {
+        /* We can't know for sure but this is a likely option unless we're
+         * under attack - this is only informative anyway */
+        ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+        goto cleanup;
+    }
+
+    /* Decrypt and authenticate */
+    if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, iv, 12,
+                    key_name, 4 + 12 + 2, ticket, enc_len,
+                    ticket, &clear_len, tag, 16 ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
+            ret = MBEDTLS_ERR_SSL_INVALID_MAC;
+
+        goto cleanup;
+    }
+    if( clear_len != enc_len )
+    {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    /* Actually load session */
+    if( ( ret = ssl_load_session( session, ticket, clear_len ) ) != 0 )
+        goto cleanup;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    {
+        /* Check for expiration */
+        mbedtls_time_t current_time = mbedtls_time( NULL );
+
+        if( current_time < session->start ||
+            (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
+        {
+            ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+            goto cleanup;
+        }
+    }
+#endif
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->keys[0].ctx );
+    mbedtls_cipher_free( &ctx->keys[1].ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
+}
+
+#endif /* MBEDTLS_SSL_TICKET_C */
diff --git a/ctrtool/deps/libmbedtls/src/ssl_tls.c b/ctrtool/deps/libmbedtls/src/ssl_tls.c
new file mode 100644
index 00000000..b8f35fec
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/ssl_tls.c
@@ -0,0 +1,9791 @@
+/*
+ *  SSLv3/TLSv1 shared functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SSL 3.0 specification was drafted by Netscape in 1996,
+ *  and became an IETF standard in 1999.
+ *
+ *  http://wp.netscape.com/eng/ssl3/
+ *  http://www.ietf.org/rfc/rfc2246.txt
+ *  http://www.ietf.org/rfc/rfc4346.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/oid.h"
+#endif
+
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
+
+/* Length of the "epoch" field in the record header */
+static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 2 );
+#else
+    ((void) ssl);
+#endif
+    return( 0 );
+}
+
+/*
+ * Start a timer.
+ * Passing millisecs = 0 cancels a running timer.
+ */
+static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
+{
+    if( ssl->f_set_timer == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
+    ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
+}
+
+/*
+ * Return -1 is timer is expired, 0 if it isn't.
+ */
+static int ssl_check_timer( mbedtls_ssl_context *ssl )
+{
+    if( ssl->f_get_timer == NULL )
+        return( 0 );
+
+    if( ssl->f_get_timer( ssl->p_timer ) == 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform );
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
+                                    mbedtls_ssl_transform *transform );
+
+#define SSL_DONT_FORCE_FLUSH 0
+#define SSL_FORCE_FLUSH      1
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/* Forward declarations for functions related to message buffering. */
+static void ssl_buffering_free( mbedtls_ssl_context *ssl );
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
+                                     uint8_t slot );
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
+static int ssl_buffer_message( mbedtls_ssl_context *ssl );
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
+
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
+static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
+{
+    size_t mtu = ssl_get_current_mtu( ssl );
+
+    if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
+        return( mtu );
+
+    return( MBEDTLS_SSL_OUT_BUFFER_LEN );
+}
+
+static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
+{
+    size_t const bytes_written = ssl->out_left;
+    size_t const mtu           = ssl_get_maximum_datagram_size( ssl );
+
+    /* Double-check that the write-index hasn't gone
+     * past what we can transmit in a single datagram. */
+    if( bytes_written > mtu )
+    {
+        /* Should never happen... */
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    return( (int) ( mtu - bytes_written ) );
+}
+
+static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
+{
+    int ret;
+    size_t remaining, expansion;
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
+
+    if( max_len > mfl )
+        max_len = mfl;
+
+    /* By the standard (RFC 6066 Sect. 4), the MFL extension
+     * only limits the maximum record payload size, so in theory
+     * we would be allowed to pack multiple records of payload size
+     * MFL into a single datagram. However, this would mean that there's
+     * no way to explicitly communicate MTU restrictions to the peer.
+     *
+     * The following reduction of max_len makes sure that we never
+     * write datagrams larger than MFL + Record Expansion Overhead.
+     */
+    if( max_len <= ssl->out_left )
+        return( 0 );
+
+    max_len -= ssl->out_left;
+#endif
+
+    ret = ssl_get_remaining_space_in_datagram( ssl );
+    if( ret < 0 )
+        return( ret );
+    remaining = (size_t) ret;
+
+    ret = mbedtls_ssl_get_record_expansion( ssl );
+    if( ret < 0 )
+        return( ret );
+    expansion = (size_t) ret;
+
+    if( remaining <= expansion )
+        return( 0 );
+
+    remaining -= expansion;
+    if( remaining >= max_len )
+        remaining = max_len;
+
+    return( (int) remaining );
+}
+
+/*
+ * Double the retransmit timeout value, within the allowed range,
+ * returning -1 if the maximum value has already been reached.
+ */
+static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
+{
+    uint32_t new_timeout;
+
+    if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
+        return( -1 );
+
+    /* Implement the final paragraph of RFC 6347 section 4.1.1.1
+     * in the following way: after the initial transmission and a first
+     * retransmission, back off to a temporary estimated MTU of 508 bytes.
+     * This value is guaranteed to be deliverable (if not guaranteed to be
+     * delivered) of any compliant IPv4 (and IPv6) network, and should work
+     * on most non-IP stacks too. */
+    if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
+    {
+        ssl->handshake->mtu = 508;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
+    }
+
+    new_timeout = 2 * ssl->handshake->retransmit_timeout;
+
+    /* Avoid arithmetic overflow and range overflow */
+    if( new_timeout < ssl->handshake->retransmit_timeout ||
+        new_timeout > ssl->conf->hs_timeout_max )
+    {
+        new_timeout = ssl->conf->hs_timeout_max;
+    }
+
+    ssl->handshake->retransmit_timeout = new_timeout;
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
+                        ssl->handshake->retransmit_timeout ) );
+
+    return( 0 );
+}
+
+static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
+{
+    ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
+                        ssl->handshake->retransmit_timeout ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/*
+ * Convert max_fragment_length codes to length.
+ * RFC 6066 says:
+ *    enum{
+ *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
+ *    } MaxFragmentLength;
+ * and we add 0 -> extension unused
+ */
+static unsigned int ssl_mfl_code_to_length( int mfl )
+{
+    switch( mfl )
+    {
+    case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
+        return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+    case MBEDTLS_SSL_MAX_FRAG_LEN_512:
+        return 512;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
+        return 1024;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
+        return 2048;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
+        return 4096;
+    default:
+        return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+    }
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
+{
+    mbedtls_ssl_session_free( dst );
+    memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( src->peer_cert != NULL )
+    {
+        int ret;
+
+        dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
+        if( dst->peer_cert == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        mbedtls_x509_crt_init( dst->peer_cert );
+
+        if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
+                                        src->peer_cert->raw.len ) ) != 0 )
+        {
+            mbedtls_free( dst->peer_cert );
+            dst->peer_cert = NULL;
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    if( src->ticket != NULL )
+    {
+        dst->ticket = mbedtls_calloc( 1, src->ticket_len );
+        if( dst->ticket == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        memcpy( dst->ticket, src->ticket, src->ticket_len );
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
+                     const unsigned char *key_enc, const unsigned char *key_dec,
+                     size_t keylen,
+                     const unsigned char *iv_enc,  const unsigned char *iv_dec,
+                     size_t ivlen,
+                     const unsigned char *mac_enc, const unsigned char *mac_dec,
+                     size_t maclen ) = NULL;
+int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
+int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/*
+ * Key material generation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static int ssl3_prf( const unsigned char *secret, size_t slen,
+                     const char *label,
+                     const unsigned char *random, size_t rlen,
+                     unsigned char *dstbuf, size_t dlen )
+{
+    int ret = 0;
+    size_t i;
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padding[16];
+    unsigned char sha1sum[20];
+    ((void)label);
+
+    mbedtls_md5_init(  &md5  );
+    mbedtls_sha1_init( &sha1 );
+
+    /*
+     *  SSLv3:
+     *    block =
+     *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
+     *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
+     *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
+     *      ...
+     */
+    for( i = 0; i < dlen / 16; i++ )
+    {
+        memset( padding, (unsigned char) ('A' + i), 1 + i );
+
+        if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
+            goto exit;
+    }
+
+exit:
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_platform_zeroize( padding, sizeof( padding ) );
+    mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static int tls1_prf( const unsigned char *secret, size_t slen,
+                     const char *label,
+                     const unsigned char *random, size_t rlen,
+                     unsigned char *dstbuf, size_t dlen )
+{
+    size_t nb, hs;
+    size_t i, j, k;
+    const unsigned char *S1, *S2;
+    unsigned char tmp[128];
+    unsigned char h_i[20];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret;
+
+    mbedtls_md_init( &md_ctx );
+
+    if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    hs = ( slen + 1 ) / 2;
+    S1 = secret;
+    S2 = secret + slen - hs;
+
+    nb = strlen( label );
+    memcpy( tmp + 20, label, nb );
+    memcpy( tmp + 20 + nb, random, rlen );
+    nb += rlen;
+
+    /*
+     * First compute P_md5(secret,label+random)[0..dlen]
+     */
+    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, S1, hs );
+    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+    mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+
+    for( i = 0; i < dlen; i += 16 )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
+        mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+
+        k = ( i + 16 > dlen ) ? dlen % 16 : 16;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j]  = h_i[j];
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    /*
+     * XOR out with P_sha1(secret,label+random)[0..dlen]
+     */
+    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, S2, hs );
+    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+    mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+    for( i = 0; i < dlen; i += 20 )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
+        mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+        k = ( i + 20 > dlen ) ? dlen % 20 : 20;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static int tls_prf_generic( mbedtls_md_type_t md_type,
+                            const unsigned char *secret, size_t slen,
+                            const char *label,
+                            const unsigned char *random, size_t rlen,
+                            unsigned char *dstbuf, size_t dlen )
+{
+    size_t nb;
+    size_t i, j, k, md_len;
+    unsigned char tmp[128];
+    unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret;
+
+    mbedtls_md_init( &md_ctx );
+
+    if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    md_len = mbedtls_md_get_size( md_info );
+
+    if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    nb = strlen( label );
+    memcpy( tmp + md_len, label, nb );
+    memcpy( tmp + md_len + nb, random, rlen );
+    nb += rlen;
+
+    /*
+     * Compute P_<hash>(secret, label + random)[0..dlen]
+     */
+    if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, secret, slen );
+    mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
+    mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+    for( i = 0; i < dlen; i += md_len )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
+        mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+        k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j]  = h_i[j];
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SHA256_C)
+static int tls_prf_sha256( const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen )
+{
+    return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
+                             label, random, rlen, dstbuf, dlen ) );
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+static int tls_prf_sha384( const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen )
+{
+    return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
+                             label, random, rlen, dstbuf, dlen ) );
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
+static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
+static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
+static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+    unsigned char tmp[64];
+    unsigned char keyblk[256];
+    unsigned char *key1;
+    unsigned char *key2;
+    unsigned char *mac_enc;
+    unsigned char *mac_dec;
+    size_t mac_key_len;
+    size_t iv_copy_len;
+    const mbedtls_cipher_info_t *cipher_info;
+    const mbedtls_md_info_t *md_info;
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    mbedtls_ssl_transform *transform = ssl->transform_negotiate;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
+
+    cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
+    if( cipher_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
+                            transform->ciphersuite_info->cipher ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
+    if( md_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
+                            transform->ciphersuite_info->mac ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /*
+     * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        handshake->tls_prf = ssl3_prf;
+        handshake->calc_verify = ssl_calc_verify_ssl;
+        handshake->calc_finished = ssl_calc_finished_ssl;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        handshake->tls_prf = tls1_prf;
+        handshake->calc_verify = ssl_calc_verify_tls;
+        handshake->calc_finished = ssl_calc_finished_tls;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
+        transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+    {
+        handshake->tls_prf = tls_prf_sha384;
+        handshake->calc_verify = ssl_calc_verify_tls_sha384;
+        handshake->calc_finished = ssl_calc_finished_tls_sha384;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        handshake->tls_prf = tls_prf_sha256;
+        handshake->calc_verify = ssl_calc_verify_tls_sha256;
+        handshake->calc_finished = ssl_calc_finished_tls_sha256;
+    }
+    else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /*
+     * SSLv3:
+     *   master =
+     *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
+     *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
+     *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
+     *
+     * TLSv1+:
+     *   master = PRF( premaster, "master secret", randbytes )[0..47]
+     */
+    if( handshake->resume == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
+                       handshake->pmslen );
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+        if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
+        {
+            unsigned char session_hash[48];
+            size_t hash_len;
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
+
+            ssl->handshake->calc_verify( ssl, session_hash );
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+            {
+#if defined(MBEDTLS_SHA512_C)
+                if( ssl->transform_negotiate->ciphersuite_info->mac ==
+                    MBEDTLS_MD_SHA384 )
+                {
+                    hash_len = 48;
+                }
+                else
+#endif
+                    hash_len = 32;
+            }
+            else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+                hash_len = 36;
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
+
+            ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                      "extended master secret",
+                                      session_hash, hash_len,
+                                      session->master, 48 );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+                return( ret );
+            }
+
+        }
+        else
+#endif
+        ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                  "master secret",
+                                  handshake->randbytes, 64,
+                                  session->master, 48 );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+            return( ret );
+        }
+
+        mbedtls_platform_zeroize( handshake->premaster,
+                                  sizeof(handshake->premaster) );
+    }
+    else
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
+
+    /*
+     * Swap the client and server random values.
+     */
+    memcpy( tmp, handshake->randbytes, 64 );
+    memcpy( handshake->randbytes, tmp + 32, 32 );
+    memcpy( handshake->randbytes + 32, tmp, 32 );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+
+    /*
+     *  SSLv3:
+     *    key block =
+     *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
+     *      ...
+     *
+     *  TLSv1:
+     *    key block = PRF( master, "key expansion", randbytes )
+     */
+    ret = handshake->tls_prf( session->master, 48, "key expansion",
+                              handshake->randbytes, 64, keyblk, 256 );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
+                   mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
+
+    mbedtls_platform_zeroize( handshake->randbytes,
+                              sizeof( handshake->randbytes ) );
+
+    /*
+     * Determine the appropriate key, IV and MAC length.
+     */
+
+    transform->keylen = cipher_info->key_bitlen / 8;
+
+    if( cipher_info->mode == MBEDTLS_MODE_GCM ||
+        cipher_info->mode == MBEDTLS_MODE_CCM ||
+        cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+    {
+        size_t taglen, explicit_ivlen;
+
+        transform->maclen = 0;
+        mac_key_len = 0;
+
+        /* All modes haves 96-bit IVs;
+         * GCM and CCM has 4 implicit and 8 explicit bytes
+         * ChachaPoly has all 12 bytes implicit
+         */
+        transform->ivlen = 12;
+        if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+            transform->fixed_ivlen = 12;
+        else
+            transform->fixed_ivlen = 4;
+
+        /* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
+        taglen = transform->ciphersuite_info->flags &
+                  MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+
+
+        /* Minimum length of encrypted record */
+        explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+        transform->minlen = explicit_ivlen + taglen;
+    }
+    else
+    {
+        /* Initialize HMAC contexts */
+        if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
+            ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
+            return( ret );
+        }
+
+        /* Get MAC length */
+        mac_key_len = mbedtls_md_get_size( md_info );
+        transform->maclen = mac_key_len;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+        /*
+         * If HMAC is to be truncated, we shall keep the leftmost bytes,
+         * (rfc 6066 page 13 or rfc 2104 section 4),
+         * so we only need to adjust the length here.
+         */
+        if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
+        {
+            transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+            /* Fall back to old, non-compliant version of the truncated
+             * HMAC implementation which also truncates the key
+             * (Mbed TLS versions from 1.3 to 2.6.0) */
+            mac_key_len = transform->maclen;
+#endif
+        }
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+        /* IV length */
+        transform->ivlen = cipher_info->iv_size;
+
+        /* Minimum length */
+        if( cipher_info->mode == MBEDTLS_MODE_STREAM )
+            transform->minlen = transform->maclen;
+        else
+        {
+            /*
+             * GenericBlockCipher:
+             * 1. if EtM is in use: one block plus MAC
+             *    otherwise: * first multiple of blocklen greater than maclen
+             * 2. IV except for SSL3 and TLS 1.0
+             */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+            if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size;
+            }
+            else
+#endif
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size
+                                  - transform->maclen % cipher_info->block_size;
+            }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
+                ; /* No need to adjust minlen */
+            else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
+                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+            {
+                transform->minlen += transform->ivlen;
+            }
+            else
+#endif
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
+                   transform->keylen, transform->minlen, transform->ivlen,
+                   transform->maclen ) );
+
+    /*
+     * Finally setup the cipher contexts, IVs and MAC secrets.
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        key1 = keyblk + mac_key_len * 2;
+        key2 = keyblk + mac_key_len * 2 + transform->keylen;
+
+        mac_enc = keyblk;
+        mac_dec = keyblk + mac_key_len;
+
+        /*
+         * This is not used in TLS v1.1.
+         */
+        iv_copy_len = ( transform->fixed_ivlen ) ?
+                            transform->fixed_ivlen : transform->ivlen;
+        memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
+        memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
+                iv_copy_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        key1 = keyblk + mac_key_len * 2 + transform->keylen;
+        key2 = keyblk + mac_key_len * 2;
+
+        mac_enc = keyblk + mac_key_len;
+        mac_dec = keyblk;
+
+        /*
+         * This is not used in TLS v1.1.
+         */
+        iv_copy_len = ( transform->fixed_ivlen ) ?
+                            transform->fixed_ivlen : transform->ivlen;
+        memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
+        memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
+                iv_copy_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_SRV_C */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( mac_key_len > sizeof transform->mac_enc )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        memcpy( transform->mac_enc, mac_enc, mac_key_len );
+        memcpy( transform->mac_dec, mac_dec, mac_key_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+    {
+        /* For HMAC-based ciphersuites, initialize the HMAC transforms.
+           For AEAD-based ciphersuites, there is nothing to do here. */
+        if( mac_key_len != 0 )
+        {
+            mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
+            mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+        }
+    }
+    else
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_init != NULL )
+    {
+        int ret = 0;
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
+
+        if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
+                                        transform->iv_enc, transform->iv_dec,
+                                        iv_copy_len,
+                                        mac_enc, mac_dec,
+                                        mac_key_len ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    if( ssl->conf->f_export_keys != NULL )
+    {
+        ssl->conf->f_export_keys( ssl->conf->p_export_keys,
+                                  session->master, keyblk,
+                                  mac_key_len, transform->keylen,
+                                  iv_copy_len );
+    }
+#endif
+
+    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
+                                 cipher_info ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
+                                 cipher_info ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
+                               cipher_info->key_bitlen,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
+                               cipher_info->key_bitlen,
+                               MBEDTLS_DECRYPT ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( cipher_info->mode == MBEDTLS_MODE_CBC )
+    {
+        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
+                                             MBEDTLS_PADDING_NONE ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
+                                             MBEDTLS_PADDING_NONE ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    // Initialize compression
+    //
+    if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ssl->compress_buf == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
+            ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
+            if( ssl->compress_buf == NULL )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
+                                    MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
+                return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+            }
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
+
+        memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
+        memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
+
+        if( deflateInit( &transform->ctx_deflate,
+                         Z_DEFAULT_COMPRESSION )   != Z_OK ||
+            inflateInit( &transform->ctx_inflate ) != Z_OK )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
+            return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
+{
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char pad_1[48];
+    unsigned char pad_2[48];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    memset( pad_1, 0x36, 48 );
+    memset( pad_2, 0x5C, 48 );
+
+    mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+    mbedtls_md5_update_ret( &md5, pad_1, 48 );
+    mbedtls_md5_finish_ret( &md5, hash );
+
+    mbedtls_md5_starts_ret( &md5 );
+    mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+    mbedtls_md5_update_ret( &md5, pad_2, 48 );
+    mbedtls_md5_update_ret( &md5, hash,  16 );
+    mbedtls_md5_finish_ret( &md5, hash );
+
+    mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    mbedtls_sha1_starts_ret( &sha1 );
+    mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
+    mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
+{
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+     mbedtls_md5_finish_ret( &md5,  hash );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
+{
+    mbedtls_sha256_context sha256;
+
+    mbedtls_sha256_init( &sha256 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
+
+    mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
+    mbedtls_sha256_finish_ret( &sha256, hash );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_sha256_free( &sha256 );
+
+    return;
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
+{
+    mbedtls_sha512_context sha512;
+
+    mbedtls_sha512_init( &sha512 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
+
+    mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
+    mbedtls_sha512_finish_ret( &sha512, hash );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_sha512_free( &sha512 );
+
+    return;
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
+{
+    unsigned char *p = ssl->handshake->premaster;
+    unsigned char *end = p + sizeof( ssl->handshake->premaster );
+    const unsigned char *psk = ssl->conf->psk;
+    size_t psk_len = ssl->conf->psk_len;
+
+    /* If the psk callback was called, use its result */
+    if( ssl->handshake->psk != NULL )
+    {
+        psk = ssl->handshake->psk;
+        psk_len = ssl->handshake->psk_len;
+    }
+
+    /*
+     * PMS = struct {
+     *     opaque other_secret<0..2^16-1>;
+     *     opaque psk<0..2^16-1>;
+     * };
+     * with "other_secret" depending on the particular key exchange
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
+    {
+        if( end - p < 2 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        *(p++) = (unsigned char)( psk_len >> 8 );
+        *(p++) = (unsigned char)( psk_len      );
+
+        if( end < p || (size_t)( end - p ) < psk_len )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        memset( p, 0, psk_len );
+        p += psk_len;
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        /*
+         * other_secret already set by the ClientKeyExchange message,
+         * and is 48 bytes long
+         */
+        if( end - p < 2 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        *p++ = 0;
+        *p++ = 48;
+        p += 48;
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        int ret;
+        size_t len;
+
+        /* Write length only when we know the actual value */
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      p + 2, end - ( p + 2 ), &len,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( ret );
+        }
+        *(p++) = (unsigned char)( len >> 8 );
+        *(p++) = (unsigned char)( len );
+        p += len;
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        int ret;
+        size_t zlen;
+
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
+                                       p + 2, end - ( p + 2 ),
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+            return( ret );
+        }
+
+        *(p++) = (unsigned char)( zlen >> 8 );
+        *(p++) = (unsigned char)( zlen      );
+        p += zlen;
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* opaque psk<0..2^16-1>; */
+    if( end - p < 2 )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    *(p++) = (unsigned char)( psk_len >> 8 );
+    *(p++) = (unsigned char)( psk_len      );
+
+    if( end < p || (size_t)( end - p ) < psk_len )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    memcpy( p, psk, psk_len );
+    p += psk_len;
+
+    ssl->handshake->pmslen = p - ssl->handshake->premaster;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+/*
+ * SSLv3.0 MAC functions
+ */
+#define SSL_MAC_MAX_BYTES   20  /* MD-5 or SHA-1 */
+static void ssl_mac( mbedtls_md_context_t *md_ctx,
+                     const unsigned char *secret,
+                     const unsigned char *buf, size_t len,
+                     const unsigned char *ctr, int type,
+                     unsigned char out[SSL_MAC_MAX_BYTES] )
+{
+    unsigned char header[11];
+    unsigned char padding[48];
+    int padlen;
+    int md_size = mbedtls_md_get_size( md_ctx->md_info );
+    int md_type = mbedtls_md_get_type( md_ctx->md_info );
+
+    /* Only MD5 and SHA-1 supported */
+    if( md_type == MBEDTLS_MD_MD5 )
+        padlen = 48;
+    else
+        padlen = 40;
+
+    memcpy( header, ctr, 8 );
+    header[ 8] = (unsigned char)  type;
+    header[ 9] = (unsigned char)( len >> 8 );
+    header[10] = (unsigned char)( len      );
+
+    memset( padding, 0x36, padlen );
+    mbedtls_md_starts( md_ctx );
+    mbedtls_md_update( md_ctx, secret,  md_size );
+    mbedtls_md_update( md_ctx, padding, padlen  );
+    mbedtls_md_update( md_ctx, header,  11      );
+    mbedtls_md_update( md_ctx, buf,     len     );
+    mbedtls_md_finish( md_ctx, out              );
+
+    memset( padding, 0x5C, padlen );
+    mbedtls_md_starts( md_ctx );
+    mbedtls_md_update( md_ctx, secret,    md_size );
+    mbedtls_md_update( md_ctx, padding,   padlen  );
+    mbedtls_md_update( md_ctx, out,       md_size );
+    mbedtls_md_finish( md_ctx, out                );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||     \
+    ( defined(MBEDTLS_CIPHER_MODE_CBC) &&                                  \
+      ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
+#define SSL_SOME_MODES_USE_MAC
+#endif
+
+/* The function below is only used in the Lucky 13 counter-measure in
+ * ssl_decrypt_buf(). These are the defines that guard the call site. */
+#if defined(SSL_SOME_MODES_USE_MAC) && \
+    ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
+      defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+      defined(MBEDTLS_SSL_PROTO_TLS1_2) )
+/* This function makes sure every byte in the memory region is accessed
+ * (in ascending addresses order) */
+static void ssl_read_memory( unsigned char *p, size_t len )
+{
+    unsigned char acc = 0;
+    volatile unsigned char force;
+
+    for( ; len != 0; p++, len-- )
+        acc ^= *p;
+
+    force = acc;
+    (void) force;
+}
+#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
+
+/*
+ * Encryption/decryption functions
+ */
+static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
+{
+    mbedtls_cipher_mode_t mode;
+    int auth_done = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
+
+    if( ssl->session_out == NULL || ssl->transform_out == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
+                      ssl->out_msg, ssl->out_msglen );
+
+    /*
+     * Add MAC before if needed
+     */
+#if defined(SSL_SOME_MODES_USE_MAC)
+    if( mode == MBEDTLS_MODE_STREAM ||
+        ( mode == MBEDTLS_MODE_CBC
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+          && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
+#endif
+        ) )
+    {
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            unsigned char mac[SSL_MAC_MAX_BYTES];
+
+            ssl_mac( &ssl->transform_out->md_ctx_enc,
+                      ssl->transform_out->mac_enc,
+                      ssl->out_msg, ssl->out_msglen,
+                      ssl->out_ctr, ssl->out_msgtype,
+                      mac );
+
+            memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
+        }
+        else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+        {
+            unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_msg, ssl->out_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
+            mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+            memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
+        }
+        else
+#endif
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
+                       ssl->out_msg + ssl->out_msglen,
+                       ssl->transform_out->maclen );
+
+        ssl->out_msglen += ssl->transform_out->maclen;
+        auth_done++;
+    }
+#endif /* AEAD not the only option */
+
+    /*
+     * Encrypt
+     */
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if( mode == MBEDTLS_MODE_STREAM )
+    {
+        int ret;
+        size_t olen = 0;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                            "including %d bytes of padding",
+                       ssl->out_msglen, 0 ) );
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
+                                   ssl->transform_out->iv_enc,
+                                   ssl->transform_out->ivlen,
+                                   ssl->out_msg, ssl->out_msglen,
+                                   ssl->out_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( ssl->out_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
+    if( mode == MBEDTLS_MODE_GCM ||
+        mode == MBEDTLS_MODE_CCM ||
+        mode == MBEDTLS_MODE_CHACHAPOLY )
+    {
+        int ret;
+        size_t enc_msglen, olen;
+        unsigned char *enc_msg;
+        unsigned char add_data[13];
+        unsigned char iv[12];
+        mbedtls_ssl_transform *transform = ssl->transform_out;
+        unsigned char taglen = transform->ciphersuite_info->flags &
+                               MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+        size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+
+        /*
+         * Prepare additional authenticated data
+         */
+        memcpy( add_data, ssl->out_ctr, 8 );
+        add_data[8]  = ssl->out_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, add_data + 9 );
+        add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
+        add_data[12] = ssl->out_msglen & 0xFF;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
+
+        /*
+         * Generate IV
+         */
+        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+        {
+            /* GCM and CCM: fixed || explicit (=seqnum) */
+            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+            memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
+            memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+
+        }
+        else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+        {
+            /* ChachaPoly: fixed XOR sequence number */
+            unsigned char i;
+
+            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+
+            for( i = 0; i < 8; i++ )
+                iv[i+4] ^= ssl->out_ctr[i];
+        }
+        else
+        {
+            /* Reminder if we ever add an AEAD mode with a different size */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
+                                  iv, transform->ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
+                                  ssl->out_iv, explicit_ivlen );
+
+        /*
+         * Fix message length with added IV
+         */
+        enc_msg = ssl->out_msg;
+        enc_msglen = ssl->out_msglen;
+        ssl->out_msglen += explicit_ivlen;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                                    "including 0 bytes of padding",
+                                    ssl->out_msglen ) );
+
+        /*
+         * Encrypt and authenticate
+         */
+        if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
+                                         iv, transform->ivlen,
+                                         add_data, 13,
+                                         enc_msg, enc_msglen,
+                                         enc_msg, &olen,
+                                         enc_msg + enc_msglen, taglen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
+            return( ret );
+        }
+
+        if( olen != enc_msglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->out_msglen += taglen;
+        auth_done++;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
+    }
+    else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
+    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+    if( mode == MBEDTLS_MODE_CBC )
+    {
+        int ret;
+        unsigned char *enc_msg;
+        size_t enc_msglen, padlen, olen = 0, i;
+
+        padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
+                 ssl->transform_out->ivlen;
+        if( padlen == ssl->transform_out->ivlen )
+            padlen = 0;
+
+        for( i = 0; i <= padlen; i++ )
+            ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
+
+        ssl->out_msglen += padlen + 1;
+
+        enc_msglen = ssl->out_msglen;
+        enc_msg = ssl->out_msg;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * Prepend per-record IV for block cipher in TLS v1.1 and up as per
+         * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Generate IV
+             */
+            ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
+                                  ssl->transform_out->ivlen );
+            if( ret != 0 )
+                return( ret );
+
+            memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
+                    ssl->transform_out->ivlen );
+
+            /*
+             * Fix pointer positions and message length with added IV
+             */
+            enc_msg = ssl->out_msg;
+            enc_msglen = ssl->out_msglen;
+            ssl->out_msglen += ssl->transform_out->ivlen;
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                            "including %d bytes of IV and %d bytes of padding",
+                            ssl->out_msglen, ssl->transform_out->ivlen,
+                            padlen + 1 ) );
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
+                                   ssl->transform_out->iv_enc,
+                                   ssl->transform_out->ivlen,
+                                   enc_msg, enc_msglen,
+                                   enc_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( enc_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Save IV in SSL3 and TLS1
+             */
+            memcpy( ssl->transform_out->iv_enc,
+                    ssl->transform_out->cipher_ctx_enc.iv,
+                    ssl->transform_out->ivlen );
+        }
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        if( auth_done == 0 )
+        {
+            unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+            /*
+             * MAC(MAC_write_key, seq_num +
+             *     TLSCipherText.type +
+             *     TLSCipherText.version +
+             *     length_of( (IV +) ENC(...) ) +
+             *     IV + // except for TLS 1.0
+             *     ENC(content + padding + padding_length));
+             */
+            unsigned char pseudo_hdr[13];
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            memcpy( pseudo_hdr +  0, ssl->out_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->out_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen      ) & 0xFF );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_iv, ssl->out_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
+            mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+            memcpy( ssl->out_iv + ssl->out_msglen, mac,
+                    ssl->transform_out->maclen );
+
+            ssl->out_msglen += ssl->transform_out->maclen;
+            auth_done++;
+        }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+    }
+    else
+#endif /* MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
+
+    return( 0 );
+}
+
+static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
+{
+    mbedtls_cipher_mode_t mode;
+    int auth_done = 0;
+#if defined(SSL_SOME_MODES_USE_MAC)
+    size_t padlen = 0, correct = 1;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
+
+    if( ssl->session_in == NULL || ssl->transform_in == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
+
+    if( ssl->in_msglen < ssl->transform_in->minlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
+                       ssl->in_msglen, ssl->transform_in->minlen ) );
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
+    }
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if( mode == MBEDTLS_MODE_STREAM )
+    {
+        int ret;
+        size_t olen = 0;
+
+        padlen = 0;
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
+                                   ssl->transform_in->iv_dec,
+                                   ssl->transform_in->ivlen,
+                                   ssl->in_msg, ssl->in_msglen,
+                                   ssl->in_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( ssl->in_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
+    if( mode == MBEDTLS_MODE_GCM ||
+        mode == MBEDTLS_MODE_CCM ||
+        mode == MBEDTLS_MODE_CHACHAPOLY )
+    {
+        int ret;
+        size_t dec_msglen, olen;
+        unsigned char *dec_msg;
+        unsigned char *dec_msg_result;
+        unsigned char add_data[13];
+        unsigned char iv[12];
+        mbedtls_ssl_transform *transform = ssl->transform_in;
+        unsigned char taglen = transform->ciphersuite_info->flags &
+                               MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+        size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
+
+        /*
+         * Compute and update sizes
+         */
+        if( ssl->in_msglen < explicit_iv_len + taglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
+                                "+ taglen (%d)", ssl->in_msglen,
+                                explicit_iv_len, taglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+        dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
+
+        dec_msg = ssl->in_msg;
+        dec_msg_result = ssl->in_msg;
+        ssl->in_msglen = dec_msglen;
+
+        /*
+         * Prepare additional authenticated data
+         */
+        memcpy( add_data, ssl->in_ctr, 8 );
+        add_data[8]  = ssl->in_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, add_data + 9 );
+        add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
+        add_data[12] = ssl->in_msglen & 0xFF;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
+
+        /*
+         * Prepare IV
+         */
+        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+        {
+            /* GCM and CCM: fixed || explicit (transmitted) */
+            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
+            memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
+
+        }
+        else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+        {
+            /* ChachaPoly: fixed XOR sequence number */
+            unsigned char i;
+
+            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
+
+            for( i = 0; i < 8; i++ )
+                iv[i+4] ^= ssl->in_ctr[i];
+        }
+        else
+        {
+            /* Reminder if we ever add an AEAD mode with a different size */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
+
+        /*
+         * Decrypt and authenticate
+         */
+        if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
+                                         iv, transform->ivlen,
+                                         add_data, 13,
+                                         dec_msg, dec_msglen,
+                                         dec_msg_result, &olen,
+                                         dec_msg + dec_msglen, taglen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
+
+            if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
+                return( MBEDTLS_ERR_SSL_INVALID_MAC );
+
+            return( ret );
+        }
+        auth_done++;
+
+        if( olen != dec_msglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
+    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+    if( mode == MBEDTLS_MODE_CBC )
+    {
+        /*
+         * Decrypt and check the padding
+         */
+        int ret;
+        unsigned char *dec_msg;
+        unsigned char *dec_msg_result;
+        size_t dec_msglen;
+        size_t minlen = 0;
+        size_t olen = 0;
+
+        /*
+         * Check immediate ciphertext sanity
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+            minlen += ssl->transform_in->ivlen;
+#endif
+
+        if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
+            ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
+                                "+ 1 ) ( + expl IV )", ssl->in_msglen,
+                                ssl->transform_in->ivlen,
+                                ssl->transform_in->maclen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+
+        dec_msglen = ssl->in_msglen;
+        dec_msg = ssl->in_msg;
+        dec_msg_result = ssl->in_msg;
+
+        /*
+         * Authenticate before decrypt if enabled
+         */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+        {
+            unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+            unsigned char pseudo_hdr[13];
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            dec_msglen -= ssl->transform_in->maclen;
+            ssl->in_msglen -= ssl->transform_in->maclen;
+
+            memcpy( pseudo_hdr +  0, ssl->in_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->in_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen      ) & 0xFF );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
+                             ssl->in_iv, ssl->in_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
+            mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_iv + ssl->in_msglen,
+                                              ssl->transform_in->maclen );
+            MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
+                                              ssl->transform_in->maclen );
+
+            if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
+                                          ssl->transform_in->maclen ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
+
+                return( MBEDTLS_ERR_SSL_INVALID_MAC );
+            }
+            auth_done++;
+        }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+        /*
+         * Check length sanity
+         */
+        if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
+                           ssl->in_msglen, ssl->transform_in->ivlen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * Initialize for prepended IV for block cipher in TLS v1.1 and up
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            unsigned char i;
+            dec_msglen -= ssl->transform_in->ivlen;
+            ssl->in_msglen -= ssl->transform_in->ivlen;
+
+            for( i = 0; i < ssl->transform_in->ivlen; i++ )
+                ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
+                                   ssl->transform_in->iv_dec,
+                                   ssl->transform_in->ivlen,
+                                   dec_msg, dec_msglen,
+                                   dec_msg_result, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( dec_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Save IV in SSL3 and TLS1
+             */
+            memcpy( ssl->transform_in->iv_dec,
+                    ssl->transform_in->cipher_ctx_dec.iv,
+                    ssl->transform_in->ivlen );
+        }
+#endif
+
+        padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
+
+        if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
+            auth_done == 0 )
+        {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+                        ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
+#endif
+            padlen = 0;
+            correct = 0;
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            if( padlen > ssl->transform_in->ivlen )
+            {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
+                                    "should be no more than %d",
+                               padlen, ssl->transform_in->ivlen ) );
+#endif
+                correct = 0;
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            /*
+             * TLSv1+: always check the padding up to the first failure
+             * and fake check up to 256 bytes of padding
+             */
+            size_t pad_count = 0, real_count = 1;
+            size_t padding_idx = ssl->in_msglen - padlen;
+            size_t i;
+
+            /*
+             * Padding is guaranteed to be incorrect if:
+             *   1. padlen > ssl->in_msglen
+             *
+             *   2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
+             *                     ssl->transform_in->maclen
+             *
+             * In both cases we reset padding_idx to a safe value (0) to
+             * prevent out-of-buffer reads.
+             */
+            correct &= ( padlen <= ssl->in_msglen );
+            correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
+                                       ssl->transform_in->maclen );
+
+            padding_idx *= correct;
+
+            for( i = 0; i < 256; i++ )
+            {
+                real_count &= ( i < padlen );
+                pad_count += real_count *
+                             ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+            }
+
+            correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            if( padlen > 0 && correct == 0 )
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
+#endif
+            padlen &= correct * 0x1FF;
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->in_msglen -= padlen;
+    }
+    else
+#endif /* MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
+                   ssl->in_msg, ssl->in_msglen );
+#endif
+
+    /*
+     * Authenticate if not done yet.
+     * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
+     */
+#if defined(SSL_SOME_MODES_USE_MAC)
+    if( auth_done == 0 )
+    {
+        unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+
+        ssl->in_msglen -= ssl->transform_in->maclen;
+
+        ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
+        ssl->in_len[1] = (unsigned char)( ssl->in_msglen      );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            ssl_mac( &ssl->transform_in->md_ctx_dec,
+                      ssl->transform_in->mac_dec,
+                      ssl->in_msg, ssl->in_msglen,
+                      ssl->in_ctr, ssl->in_msgtype,
+                      mac_expect );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            /*
+             * Process MAC and always update for padlen afterwards to make
+             * total time independent of padlen.
+             *
+             * Known timing attacks:
+             *  - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
+             *
+             * To compensate for different timings for the MAC calculation
+             * depending on how much padding was removed (which is determined
+             * by padlen), process extra_run more blocks through the hash
+             * function.
+             *
+             * The formula in the paper is
+             *   extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
+             * where L1 is the size of the header plus the decrypted message
+             * plus CBC padding and L2 is the size of the header plus the
+             * decrypted message. This is for an underlying hash function
+             * with 64-byte blocks.
+             * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
+             * correctly. We round down instead of up, so -56 is the correct
+             * value for our calculations instead of -55.
+             *
+             * Repeat the formula rather than defining a block_size variable.
+             * This avoids requiring division by a variable at runtime
+             * (which would be marginally less efficient and would require
+             * linking an extra division function in some builds).
+             */
+            size_t j, extra_run = 0;
+
+            /*
+             * The next two sizes are the minimum and maximum values of
+             * in_msglen over all padlen values.
+             *
+             * They're independent of padlen, since we previously did
+             * in_msglen -= padlen.
+             *
+             * Note that max_len + maclen is never more than the buffer
+             * length, as we previously did in_msglen -= maclen too.
+             */
+            const size_t max_len = ssl->in_msglen + padlen;
+            const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
+
+            switch( ssl->transform_in->ciphersuite_info->mac )
+            {
+#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
+    defined(MBEDTLS_SHA256_C)
+                case MBEDTLS_MD_MD5:
+                case MBEDTLS_MD_SHA1:
+                case MBEDTLS_MD_SHA256:
+                    /* 8 bytes of message size, 64-byte compression blocks */
+                    extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
+                                ( 13 + ssl->in_msglen          + 8 ) / 64;
+                    break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+                case MBEDTLS_MD_SHA384:
+                    /* 16 bytes of message size, 128-byte compression blocks */
+                    extra_run = ( 13 + ssl->in_msglen + padlen + 16 ) / 128 -
+                                ( 13 + ssl->in_msglen          + 16 ) / 128;
+                    break;
+#endif
+                default:
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            extra_run &= correct * 0xFF;
+
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
+                             ssl->in_msglen );
+            /* Make sure we access everything even when padlen > 0. This
+             * makes the synchronisation requirements for just-in-time
+             * Prime+Probe attacks much tighter and hopefully impractical. */
+            ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
+            mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
+
+            /* Call mbedtls_md_process at least once due to cache attacks
+             * that observe whether md_process() was called of not */
+            for( j = 0; j < extra_run + 1; j++ )
+                mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
+
+            mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
+
+            /* Make sure we access all the memory that could contain the MAC,
+             * before we check it in the next code block. This makes the
+             * synchronisation requirements for just-in-time Prime+Probe
+             * attacks much tighter and hopefully impractical. */
+            ssl_read_memory( ssl->in_msg + min_len,
+                                 max_len - min_len + ssl->transform_in->maclen );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+              MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+        MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_msg + ssl->in_msglen,
+                               ssl->transform_in->maclen );
+#endif
+
+        if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
+                                      ssl->transform_in->maclen ) != 0 )
+        {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
+#endif
+            correct = 0;
+        }
+        auth_done++;
+    }
+
+    /*
+     * Finally check the correct flag
+     */
+    if( correct == 0 )
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
+#endif /* SSL_SOME_MODES_USE_MAC */
+
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( ssl->in_msglen == 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
+            && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        ssl->nb_zero++;
+
+        /*
+         * Three or more empty messages may be a DoS attack
+         * (excessive CPU consumption).
+         */
+        if( ssl->nb_zero > 3 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
+                                "messages, possible DoS attack" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+    }
+    else
+        ssl->nb_zero = 0;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ; /* in_ctr read from peer, not maintained internally */
+    }
+    else
+#endif
+    {
+        unsigned char i;
+        for( i = 8; i > ssl_ep_len( ssl ); i-- )
+            if( ++ssl->in_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == ssl_ep_len( ssl ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
+
+    return( 0 );
+}
+
+#undef MAC_NONE
+#undef MAC_PLAINTEXT
+#undef MAC_CIPHERTEXT
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+/*
+ * Compression/decompression functions
+ */
+static int ssl_compress_buf( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *msg_post = ssl->out_msg;
+    ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
+    size_t len_pre = ssl->out_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
+
+    if( len_pre == 0 )
+        return( 0 );
+
+    memcpy( msg_pre, ssl->out_msg, len_pre );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
+                   ssl->out_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
+                   ssl->out_msg, ssl->out_msglen );
+
+    ssl->transform_out->ctx_deflate.next_in = msg_pre;
+    ssl->transform_out->ctx_deflate.avail_in = len_pre;
+    ssl->transform_out->ctx_deflate.next_out = msg_post;
+    ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
+
+    ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
+    if( ret != Z_OK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
+        return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+    }
+
+    ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
+                      ssl->transform_out->ctx_deflate.avail_out - bytes_written;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
+                   ssl->out_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
+                   ssl->out_msg, ssl->out_msglen );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
+
+    return( 0 );
+}
+
+static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *msg_post = ssl->in_msg;
+    ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
+    size_t len_pre = ssl->in_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
+
+    if( len_pre == 0 )
+        return( 0 );
+
+    memcpy( msg_pre, ssl->in_msg, len_pre );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
+                   ssl->in_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
+                   ssl->in_msg, ssl->in_msglen );
+
+    ssl->transform_in->ctx_inflate.next_in = msg_pre;
+    ssl->transform_in->ctx_inflate.avail_in = len_pre;
+    ssl->transform_in->ctx_inflate.next_out = msg_post;
+    ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
+                                               header_bytes;
+
+    ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
+    if( ret != Z_OK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
+        return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+    }
+
+    ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
+                     ssl->transform_in->ctx_inflate.avail_out - header_bytes;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
+                   ssl->in_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
+                   ssl->in_msg, ssl->in_msglen );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
+{
+    /* If renegotiation is not enforced, retransmit until we would reach max
+     * timeout if we were using the usual handshake doubling scheme */
+    if( ssl->conf->renego_max_records < 0 )
+    {
+        uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
+        unsigned char doublings = 1;
+
+        while( ratio != 0 )
+        {
+            ++doublings;
+            ratio >>= 1;
+        }
+
+        if( ++ssl->renego_records_seen > doublings )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
+            return( 0 );
+        }
+    }
+
+    return( ssl_write_hello_request( ssl ) );
+}
+#endif
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Fill the input message buffer by appending data to it.
+ * The amount of data already fetched is in ssl->in_left.
+ *
+ * If we return 0, is it guaranteed that (at least) nb_want bytes are
+ * available (from this read and/or a previous one). Otherwise, an error code
+ * is returned (possibly EOF or WANT_READ).
+ *
+ * With stream transport (TLS) on success ssl->in_left == nb_want, but
+ * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
+ * since we always read a whole datagram at once.
+ *
+ * For DTLS, it is up to the caller to set ssl->next_record_offset when
+ * they're done reading a record.
+ */
+int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
+{
+    int ret;
+    size_t len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
+
+    if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
+                            "or mbedtls_ssl_set_bio()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        uint32_t timeout;
+
+        /* Just to be sure */
+        if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
+                        "mbedtls_ssl_set_timer_cb() for DTLS" ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+
+        /*
+         * The point is, we need to always read a full datagram at once, so we
+         * sometimes read more then requested, and handle the additional data.
+         * It could be the rest of the current record (while fetching the
+         * header) and/or some other records in the same datagram.
+         */
+
+        /*
+         * Move to the next record in the already read datagram if applicable
+         */
+        if( ssl->next_record_offset != 0 )
+        {
+            if( ssl->in_left < ssl->next_record_offset )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            ssl->in_left -= ssl->next_record_offset;
+
+            if( ssl->in_left != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
+                                    ssl->next_record_offset ) );
+                memmove( ssl->in_hdr,
+                         ssl->in_hdr + ssl->next_record_offset,
+                         ssl->in_left );
+            }
+
+            ssl->next_record_offset = 0;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                       ssl->in_left, nb_want ) );
+
+        /*
+         * Done if we already have enough data.
+         */
+        if( nb_want <= ssl->in_left)
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
+            return( 0 );
+        }
+
+        /*
+         * A record can't be split across datagrams. If we need to read but
+         * are not at the beginning of a new record, the caller did something
+         * wrong.
+         */
+        if( ssl->in_left != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Don't even try to read if time's out already.
+         * This avoids by-passing the timer when repeatedly receiving messages
+         * that will end up being dropped.
+         */
+        if( ssl_check_timer( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
+            ret = MBEDTLS_ERR_SSL_TIMEOUT;
+        }
+        else
+        {
+            len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
+
+            if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+                timeout = ssl->handshake->retransmit_timeout;
+            else
+                timeout = ssl->conf->read_timeout;
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
+
+            if( ssl->f_recv_timeout != NULL )
+                ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
+                                                                    timeout );
+            else
+                ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
+
+            MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
+
+            if( ret == 0 )
+                return( MBEDTLS_ERR_SSL_CONN_EOF );
+        }
+
+        if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
+            ssl_set_timer( ssl, 0 );
+
+            if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            {
+                if( ssl_double_retransmit_timeout( ssl ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
+                    return( MBEDTLS_ERR_SSL_TIMEOUT );
+                }
+
+                if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
+                    return( ret );
+                }
+
+                return( MBEDTLS_ERR_SSL_WANT_READ );
+            }
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+            else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                     ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+            {
+                if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                    return( ret );
+                }
+
+                return( MBEDTLS_ERR_SSL_WANT_READ );
+            }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+        }
+
+        if( ret < 0 )
+            return( ret );
+
+        ssl->in_left = ret;
+    }
+    else
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                       ssl->in_left, nb_want ) );
+
+        while( ssl->in_left < nb_want )
+        {
+            len = nb_want - ssl->in_left;
+
+            if( ssl_check_timer( ssl ) != 0 )
+                ret = MBEDTLS_ERR_SSL_TIMEOUT;
+            else
+            {
+                if( ssl->f_recv_timeout != NULL )
+                {
+                    ret = ssl->f_recv_timeout( ssl->p_bio,
+                                               ssl->in_hdr + ssl->in_left, len,
+                                               ssl->conf->read_timeout );
+                }
+                else
+                {
+                    ret = ssl->f_recv( ssl->p_bio,
+                                       ssl->in_hdr + ssl->in_left, len );
+                }
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                                        ssl->in_left, nb_want ) );
+            MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
+
+            if( ret == 0 )
+                return( MBEDTLS_ERR_SSL_CONN_EOF );
+
+            if( ret < 0 )
+                return( ret );
+
+            if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "f_recv returned %d bytes but only %lu were requested",
+                    ret, (unsigned long)len ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            ssl->in_left += ret;
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
+
+    return( 0 );
+}
+
+/*
+ * Flush any data not yet written
+ */
+int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
+
+    if( ssl->f_send == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
+                            "or mbedtls_ssl_set_bio()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /* Avoid incrementing counter if data is flushed */
+    if( ssl->out_left == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
+        return( 0 );
+    }
+
+    while( ssl->out_left > 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
+                       mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
+
+        buf = ssl->out_hdr - ssl->out_left;
+        ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
+
+        MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
+
+        if( ret <= 0 )
+            return( ret );
+
+        if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "f_send returned %d bytes but only %lu bytes were sent",
+                ret, (unsigned long)ssl->out_left ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->out_left -= ret;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_hdr = ssl->out_buf;
+    }
+    else
+#endif
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
+    }
+    ssl_update_out_pointers( ssl, ssl->transform_out );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
+
+    return( 0 );
+}
+
+/*
+ * Functions to handle the DTLS retransmission state machine
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * Append current handshake message to current outgoing flight
+ */
+static int ssl_flight_append( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_flight_item *msg;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
+                           ssl->out_msg, ssl->out_msglen );
+
+    /* Allocate space for current message */
+    if( ( msg = mbedtls_calloc( 1, sizeof(  mbedtls_ssl_flight_item ) ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
+                            sizeof( mbedtls_ssl_flight_item ) ) );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
+        mbedtls_free( msg );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    /* Copy current handshake message with headers */
+    memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
+    msg->len = ssl->out_msglen;
+    msg->type = ssl->out_msgtype;
+    msg->next = NULL;
+
+    /* Append to the current flight */
+    if( ssl->handshake->flight == NULL )
+        ssl->handshake->flight = msg;
+    else
+    {
+        mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = msg;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
+    return( 0 );
+}
+
+/*
+ * Free the current flight of handshake messages
+ */
+static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
+{
+    mbedtls_ssl_flight_item *cur = flight;
+    mbedtls_ssl_flight_item *next;
+
+    while( cur != NULL )
+    {
+        next = cur->next;
+
+        mbedtls_free( cur->p );
+        mbedtls_free( cur );
+
+        cur = next;
+    }
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
+#endif
+
+/*
+ * Swap transform_out and out_ctr with the alternative ones
+ */
+static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_transform *tmp_transform;
+    unsigned char tmp_out_ctr[8];
+
+    if( ssl->transform_out == ssl->handshake->alt_transform_out )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
+
+    /* Swap transforms */
+    tmp_transform                     = ssl->transform_out;
+    ssl->transform_out                = ssl->handshake->alt_transform_out;
+    ssl->handshake->alt_transform_out = tmp_transform;
+
+    /* Swap epoch + sequence_number */
+    memcpy( tmp_out_ctr,                 ssl->cur_out_ctr,            8 );
+    memcpy( ssl->cur_out_ctr,            ssl->handshake->alt_out_ctr, 8 );
+    memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8 );
+
+    /* Adjust to the newly activated transform */
+    ssl_update_out_pointers( ssl, ssl->transform_out );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+}
+
+/*
+ * Retransmit the current flight of messages.
+ */
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
+
+    ret = mbedtls_ssl_flight_transmit( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
+
+    return( ret );
+}
+
+/*
+ * Transmit or retransmit the current flight of messages.
+ *
+ * Need to remember the current message in case flush_output returns
+ * WANT_WRITE, causing us to exit this function and come back later.
+ * This function must be called until state is no longer SENDING.
+ */
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
+
+    if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
+
+        ssl->handshake->cur_msg = ssl->handshake->flight;
+        ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
+        ssl_swap_epochs( ssl );
+
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
+    }
+
+    while( ssl->handshake->cur_msg != NULL )
+    {
+        size_t max_frag_len;
+        const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
+
+        int const is_finished =
+            ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
+              cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
+
+        uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
+            SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
+
+        /* Swap epochs before sending Finished: we can't do it after
+         * sending ChangeCipherSpec, in case write returns WANT_READ.
+         * Must be done before copying, may change out_msg pointer */
+        if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
+            ssl_swap_epochs( ssl );
+        }
+
+        ret = ssl_get_remaining_payload_in_datagram( ssl );
+        if( ret < 0 )
+            return( ret );
+        max_frag_len = (size_t) ret;
+
+        /* CCS is copied as is, while HS messages may need fragmentation */
+        if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+        {
+            if( max_frag_len == 0 )
+            {
+                if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+                    return( ret );
+
+                continue;
+            }
+
+            memcpy( ssl->out_msg, cur->p, cur->len );
+            ssl->out_msglen  = cur->len;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur->len;
+        }
+        else
+        {
+            const unsigned char * const p = ssl->handshake->cur_msg_p;
+            const size_t hs_len = cur->len - 12;
+            const size_t frag_off = p - ( cur->p + 12 );
+            const size_t rem_len = hs_len - frag_off;
+            size_t cur_hs_frag_len, max_hs_frag_len;
+
+            if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
+            {
+                if( is_finished )
+                    ssl_swap_epochs( ssl );
+
+                if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+                    return( ret );
+
+                continue;
+            }
+            max_hs_frag_len = max_frag_len - 12;
+
+            cur_hs_frag_len = rem_len > max_hs_frag_len ?
+                max_hs_frag_len : rem_len;
+
+            if( frag_off == 0 && cur_hs_frag_len != hs_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
+                                            (unsigned) cur_hs_frag_len,
+                                            (unsigned) max_hs_frag_len ) );
+            }
+
+            /* Messages are stored with handshake headers as if not fragmented,
+             * copy beginning of headers then fill fragmentation fields.
+             * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
+            memcpy( ssl->out_msg, cur->p, 6 );
+
+            ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
+            ssl->out_msg[7] = ( ( frag_off >>  8 ) & 0xff );
+            ssl->out_msg[8] = ( ( frag_off       ) & 0xff );
+
+            ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
+            ssl->out_msg[10] = ( ( cur_hs_frag_len >>  8 ) & 0xff );
+            ssl->out_msg[11] = ( ( cur_hs_frag_len       ) & 0xff );
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
+
+            /* Copy the handshake message content and set records fields */
+            memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
+            ssl->out_msglen = cur_hs_frag_len + 12;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur_hs_frag_len;
+        }
+
+        /* If done with the current message move to the next one if any */
+        if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
+        {
+            if( cur->next != NULL )
+            {
+                ssl->handshake->cur_msg = cur->next;
+                ssl->handshake->cur_msg_p = cur->next->p + 12;
+            }
+            else
+            {
+                ssl->handshake->cur_msg = NULL;
+                ssl->handshake->cur_msg_p = NULL;
+            }
+        }
+
+        /* Actually send the message out */
+        if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+    /* Update state and set timer */
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    else
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+        ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
+
+    return( 0 );
+}
+
+/*
+ * To be called when the last message of an incoming flight is received.
+ */
+void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
+{
+    /* We won't need to resend that one any more */
+    ssl_flight_free( ssl->handshake->flight );
+    ssl->handshake->flight = NULL;
+    ssl->handshake->cur_msg = NULL;
+
+    /* The next incoming flight will start with this msg_seq */
+    ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
+
+    /* We don't want to remember CCS's across flight boundaries. */
+    ssl->handshake->buffering.seen_ccs = 0;
+
+    /* Clear future message buffering structure. */
+    ssl_buffering_free( ssl );
+
+    /* Cancel timer */
+    ssl_set_timer( ssl, 0 );
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    }
+    else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+}
+
+/*
+ * To be called when the last message of an outgoing flight is send.
+ */
+void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
+{
+    ssl_reset_retransmit_timeout( ssl );
+    ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    }
+    else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Handshake layer functions
+ */
+
+/*
+ * Write (DTLS: or queue) current handshake (including CCS) message.
+ *
+ *  - fill in handshake headers
+ *  - update handshake checksum
+ *  - DTLS: save message for resending
+ *  - then pass to the record layer
+ *
+ * DTLS: except for HelloRequest, messages are only queued, and will only be
+ * actually sent when calling flight_transmit() or resend().
+ *
+ * Inputs:
+ *  - ssl->out_msglen: 4 + actual handshake message len
+ *      (4 is the size of handshake headers for TLS)
+ *  - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
+ *  - ssl->out_msg + 4: the handshake message body
+ *
+ * Outputs, ie state before passing to flight_append() or write_record():
+ *   - ssl->out_msglen: the length of the record contents
+ *      (including handshake headers but excluding record headers)
+ *   - ssl->out_msg: the record contents (handshake headers + content)
+ */
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const size_t hs_len = ssl->out_msglen - 4;
+    const unsigned char hs_type = ssl->out_msg[0];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
+
+    /*
+     * Sanity checks
+     */
+    if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE          &&
+        ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        /* In SSLv3, the client might send a NoCertificate alert. */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+        if( ! ( ssl->minor_ver      == MBEDTLS_SSL_MINOR_VERSION_0 &&
+                ssl->out_msgtype    == MBEDTLS_SSL_MSG_ALERT       &&
+                ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+
+    /* Whenever we send anything different from a
+     * HelloRequest we should be in a handshake - double check. */
+    if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
+        ssl->handshake == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+#endif
+
+    /* Double-check that we did not exceed the bounds
+     * of the outgoing record buffer.
+     * This should never fail as the various message
+     * writing functions must obey the bounds of the
+     * outgoing record buffer, but better be safe.
+     *
+     * Note: We deliberately do not check for the MTU or MFL here.
+     */
+    if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
+                                    "size %u, maximum %u",
+                                    (unsigned) ssl->out_msglen,
+                                    (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /*
+     * Fill handshake headers
+     */
+    if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
+        ssl->out_msg[2] = (unsigned char)( hs_len >>  8 );
+        ssl->out_msg[3] = (unsigned char)( hs_len       );
+
+        /*
+         * DTLS has additional fields in the Handshake layer,
+         * between the length field and the actual payload:
+         *      uint16 message_seq;
+         *      uint24 fragment_offset;
+         *      uint24 fragment_length;
+         */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            /* Make room for the additional DTLS fields */
+            if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
+                              "size %u, maximum %u",
+                               (unsigned) ( hs_len ),
+                               (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
+                return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+            }
+
+            memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
+            ssl->out_msglen += 8;
+
+            /* Write message_seq and update it, except for HelloRequest */
+            if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            {
+                ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
+                ssl->out_msg[5] = ( ssl->handshake->out_msg_seq      ) & 0xFF;
+                ++( ssl->handshake->out_msg_seq );
+            }
+            else
+            {
+                ssl->out_msg[4] = 0;
+                ssl->out_msg[5] = 0;
+            }
+
+            /* Handshake hashes are computed without fragmentation,
+             * so set frag_offset = 0 and frag_len = hs_len for now */
+            memset( ssl->out_msg + 6, 0x00, 3 );
+            memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        /* Update running hashes of handshake messages seen */
+        if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
+    }
+
+    /* Either send now, or just save to be sent (and resent) later */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
+    {
+        if( ( ret = ssl_flight_append( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
+            return( ret );
+        }
+    }
+    else
+#endif
+    {
+        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
+
+    return( 0 );
+}
+
+/*
+ * Record layer functions
+ */
+
+/*
+ * Write current record.
+ *
+ * Uses:
+ *  - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
+ *  - ssl->out_msglen: length of the record content (excl headers)
+ *  - ssl->out_msg: record content
+ */
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
+{
+    int ret, done = 0;
+    size_t len = ssl->out_msglen;
+    uint8_t flush = force_flush;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->transform_out != NULL &&
+        ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
+            return( ret );
+        }
+
+        len = ssl->out_msglen;
+    }
+#endif /*MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_write != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
+
+        ret = mbedtls_ssl_hw_record_write( ssl );
+        if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+
+        if( ret == 0 )
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if( !done )
+    {
+        unsigned i;
+        size_t protected_record_size;
+
+        ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, ssl->out_hdr + 1 );
+
+        memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
+        ssl->out_len[0] = (unsigned char)( len >> 8 );
+        ssl->out_len[1] = (unsigned char)( len      );
+
+        if( ssl->transform_out != NULL )
+        {
+            if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
+                return( ret );
+            }
+
+            len = ssl->out_msglen;
+            ssl->out_len[0] = (unsigned char)( len >> 8 );
+            ssl->out_len[1] = (unsigned char)( len      );
+        }
+
+        protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* In case of DTLS, double-check that we don't exceed
+         * the remaining space in the datagram. */
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            ret = ssl_get_remaining_space_in_datagram( ssl );
+            if( ret < 0 )
+                return( ret );
+
+            if( protected_record_size > (size_t) ret )
+            {
+                /* Should never happen */
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
+                                    "version = [%d:%d], msglen = %d",
+                                    ssl->out_hdr[0], ssl->out_hdr[1],
+                                    ssl->out_hdr[2], len ) );
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
+                               ssl->out_hdr, protected_record_size );
+
+        ssl->out_left += protected_record_size;
+        ssl->out_hdr  += protected_record_size;
+        ssl_update_out_pointers( ssl, ssl->transform_out );
+
+        for( i = 8; i > ssl_ep_len( ssl ); i-- )
+            if( ++ssl->cur_out_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == ssl_ep_len( ssl ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        flush == SSL_DONT_FORCE_FLUSH )
+    {
+        size_t remaining;
+        ret = ssl_get_remaining_payload_in_datagram( ssl );
+        if( ret < 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
+                                   ret );
+            return( ret );
+        }
+
+        remaining = (size_t) ret;
+        if( remaining == 0 )
+        {
+            flush = SSL_FORCE_FLUSH;
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ( flush == SSL_FORCE_FLUSH ) &&
+        ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen < ssl->in_hslen ||
+        memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
+        memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
+    {
+        return( 1 );
+    }
+    return( 0 );
+}
+
+static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[9] << 16  ) |
+            ( ssl->in_msg[10] << 8  ) |
+              ssl->in_msg[11] );
+}
+
+static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[6] << 16 ) |
+            ( ssl->in_msg[7] << 8  ) |
+              ssl->in_msg[8] );
+}
+
+static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
+{
+    uint32_t msg_len, frag_off, frag_len;
+
+    msg_len  = ssl_get_hs_total_len( ssl );
+    frag_off = ssl_get_hs_frag_off( ssl );
+    frag_len = ssl_get_hs_frag_len( ssl );
+
+    if( frag_off > msg_len )
+        return( -1 );
+
+    if( frag_len > msg_len - frag_off )
+        return( -1 );
+
+    if( frag_len + 12 > ssl->in_msglen )
+        return( -1 );
+
+    return( 0 );
+}
+
+/*
+ * Mark bits in bitmask (used for DTLS HS reassembly)
+ */
+static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
+{
+    unsigned int start_bits, end_bits;
+
+    start_bits = 8 - ( offset % 8 );
+    if( start_bits != 8 )
+    {
+        size_t first_byte_idx = offset / 8;
+
+        /* Special case */
+        if( len <= start_bits )
+        {
+            for( ; len != 0; len-- )
+                mask[first_byte_idx] |= 1 << ( start_bits - len );
+
+            /* Avoid potential issues with offset or len becoming invalid */
+            return;
+        }
+
+        offset += start_bits; /* Now offset % 8 == 0 */
+        len -= start_bits;
+
+        for( ; start_bits != 0; start_bits-- )
+            mask[first_byte_idx] |= 1 << ( start_bits - 1 );
+    }
+
+    end_bits = len % 8;
+    if( end_bits != 0 )
+    {
+        size_t last_byte_idx = ( offset + len ) / 8;
+
+        len -= end_bits; /* Now len % 8 == 0 */
+
+        for( ; end_bits != 0; end_bits-- )
+            mask[last_byte_idx] |= 1 << ( 8 - end_bits );
+    }
+
+    memset( mask + offset / 8, 0xFF, len / 8 );
+}
+
+/*
+ * Check that bitmask is full
+ */
+static int ssl_bitmask_check( unsigned char *mask, size_t len )
+{
+    size_t i;
+
+    for( i = 0; i < len / 8; i++ )
+        if( mask[i] != 0xFF )
+            return( -1 );
+
+    for( i = 0; i < len % 8; i++ )
+        if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
+            return( -1 );
+
+    return( 0 );
+}
+
+/* msg_len does not include the handshake header */
+static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
+                                              unsigned add_bitmap )
+{
+    size_t alloc_len;
+
+    alloc_len  = 12;                                 /* Handshake header */
+    alloc_len += msg_len;                            /* Content buffer   */
+
+    if( add_bitmap )
+        alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap       */
+
+    return( alloc_len );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[1] << 16 ) |
+            ( ssl->in_msg[2] << 8  ) |
+              ssl->in_msg[3] );
+}
+
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
+                            ssl->in_msglen ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
+                        " %d, type = %d, hslen = %d",
+                        ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        int ret;
+        unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
+
+        if( ssl_check_hs_header( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        if( ssl->handshake != NULL &&
+            ( ( ssl->state   != MBEDTLS_SSL_HANDSHAKE_OVER &&
+                recv_msg_seq != ssl->handshake->in_msg_seq ) ||
+              ( ssl->state  == MBEDTLS_SSL_HANDSHAKE_OVER &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
+        {
+            if( recv_msg_seq > ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
+                                            recv_msg_seq,
+                                            ssl->handshake->in_msg_seq ) );
+                return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+            }
+
+            /* Retransmit only on last message from previous flight, to avoid
+             * too many retransmissions.
+             * Besides, No sane server ever retransmits HelloVerifyRequest */
+            if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
+                                    "message_seq = %d, start_of_flight = %d",
+                                    recv_msg_seq,
+                                    ssl->handshake->in_flight_start_seq ) );
+
+                if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
+                    return( ret );
+                }
+            }
+            else
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
+                                    "message_seq = %d, expected = %d",
+                                    recv_msg_seq,
+                                    ssl->handshake->in_msg_seq ) );
+            }
+
+            return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
+        }
+        /* Wait until message completion to increment in_msg_seq */
+
+        /* Message reassembly is handled alongside buffering of future
+         * messages; the commonality is that both handshake fragments and
+         * future messages cannot be forwarded immediately to the
+         * handshake logic layer. */
+        if( ssl_hs_is_proper_fragment( ssl ) == 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
+            return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    /* With TLS we don't handle fragmentation (for now) */
+    if( ssl->in_msglen < ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
+    {
+        ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
+    }
+
+    /* Handshake message is complete, increment counter */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL )
+    {
+        unsigned offset;
+        mbedtls_ssl_hs_buffer *hs_buf;
+
+        /* Increment handshake sequence number */
+        hs->in_msg_seq++;
+
+        /*
+         * Clear up handshake buffering and reassembly structure.
+         */
+
+        /* Free first entry */
+        ssl_buffering_free_slot( ssl, 0 );
+
+        /* Shift all other entries */
+        for( offset = 0, hs_buf = &hs->buffering.hs[0];
+             offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
+             offset++, hs_buf++ )
+        {
+            *hs_buf = *(hs_buf + 1);
+        }
+
+        /* Create a fresh last entry */
+        memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
+    }
+#endif
+}
+
+/*
+ * DTLS anti-replay: RFC 6347 4.1.2.6
+ *
+ * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
+ * Bit n is set iff record number in_window_top - n has been seen.
+ *
+ * Usually, in_window_top is the last record number seen and the lsb of
+ * in_window is set. The only exception is the initial state (record number 0
+ * not seen yet).
+ */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
+{
+    ssl->in_window_top = 0;
+    ssl->in_window = 0;
+}
+
+static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
+{
+    return( ( (uint64_t) buf[0] << 40 ) |
+            ( (uint64_t) buf[1] << 32 ) |
+            ( (uint64_t) buf[2] << 24 ) |
+            ( (uint64_t) buf[3] << 16 ) |
+            ( (uint64_t) buf[4] <<  8 ) |
+            ( (uint64_t) buf[5]       ) );
+}
+
+/*
+ * Return 0 if sequence number is acceptable, -1 otherwise
+ */
+int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
+{
+    uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
+    uint64_t bit;
+
+    if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+        return( 0 );
+
+    if( rec_seqnum > ssl->in_window_top )
+        return( 0 );
+
+    bit = ssl->in_window_top - rec_seqnum;
+
+    if( bit >= 64 )
+        return( -1 );
+
+    if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
+        return( -1 );
+
+    return( 0 );
+}
+
+/*
+ * Update replay window on new validated record
+ */
+void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
+{
+    uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
+
+    if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+        return;
+
+    if( rec_seqnum > ssl->in_window_top )
+    {
+        /* Update window_top and the contents of the window */
+        uint64_t shift = rec_seqnum - ssl->in_window_top;
+
+        if( shift >= 64 )
+            ssl->in_window = 1;
+        else
+        {
+            ssl->in_window <<= shift;
+            ssl->in_window |= 1;
+        }
+
+        ssl->in_window_top = rec_seqnum;
+    }
+    else
+    {
+        /* Mark that number as seen in the current window */
+        uint64_t bit = ssl->in_window_top - rec_seqnum;
+
+        if( bit < 64 ) /* Always true, but be extra sure */
+            ssl->in_window |= (uint64_t) 1 << bit;
+    }
+}
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+/* Forward declaration */
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
+
+/*
+ * Without any SSL context, check if a datagram looks like a ClientHello with
+ * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
+ * Both input and output include full DTLS headers.
+ *
+ * - if cookie is valid, return 0
+ * - if ClientHello looks superficially valid but cookie is not,
+ *   fill obuf and set olen, then
+ *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - otherwise return a specific error code
+ */
+static int ssl_check_dtls_clihlo_cookie(
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie,
+                           const unsigned char *cli_id, size_t cli_id_len,
+                           const unsigned char *in, size_t in_len,
+                           unsigned char *obuf, size_t buf_len, size_t *olen )
+{
+    size_t sid_len, cookie_len;
+    unsigned char *p;
+
+    if( f_cookie_write == NULL || f_cookie_check == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /*
+     * Structure of ClientHello with record and handshake headers,
+     * and expected values. We don't need to check a lot, more checks will be
+     * done when actually parsing the ClientHello - skipping those checks
+     * avoids code duplication and does not make cookie forging any easier.
+     *
+     *  0-0  ContentType type;                  copied, must be handshake
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied, must be 0
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     (ignored)
+     *
+     * 13-13 HandshakeType msg_type;            (ignored)
+     * 14-16 uint24 length;                     (ignored)
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied, must be 0
+     * 22-24 uint24 fragment_length;            (ignored)
+     *
+     * 25-26 ProtocolVersion client_version;    (ignored)
+     * 27-58 Random random;                     (ignored)
+     * 59-xx SessionID session_id;              1 byte len + sid_len content
+     * 60+   opaque cookie<0..2^8-1>;           1 byte len + content
+     *       ...
+     *
+     * Minimum length is 61 bytes.
+     */
+    if( in_len < 61 ||
+        in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
+        in[3] != 0 || in[4] != 0 ||
+        in[19] != 0 || in[20] != 0 || in[21] != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    sid_len = in[59];
+    if( sid_len > in_len - 61 )
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+
+    cookie_len = in[60 + sid_len];
+    if( cookie_len > in_len - 60 )
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+
+    if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
+                        cli_id, cli_id_len ) == 0 )
+    {
+        /* Valid cookie */
+        return( 0 );
+    }
+
+    /*
+     * If we get here, we've got an invalid cookie, let's prepare HVR.
+     *
+     *  0-0  ContentType type;                  copied
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     olen - 13
+     *
+     * 13-13 HandshakeType msg_type;            hello_verify_request
+     * 14-16 uint24 length;                     olen - 25
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied
+     * 22-24 uint24 fragment_length;            olen - 25
+     *
+     * 25-26 ProtocolVersion server_version;    0xfe 0xff
+     * 27-27 opaque cookie<0..2^8-1>;           cookie_len = olen - 27, cookie
+     *
+     * Minimum length is 28.
+     */
+    if( buf_len < 28 )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    /* Copy most fields and adapt others */
+    memcpy( obuf, in, 25 );
+    obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+    obuf[25] = 0xfe;
+    obuf[26] = 0xff;
+
+    /* Generate and write actual cookie */
+    p = obuf + 28;
+    if( f_cookie_write( p_cookie,
+                        &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    *olen = p - obuf;
+
+    /* Go back and fill length fields */
+    obuf[27] = (unsigned char)( *olen - 28 );
+
+    obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
+    obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >>  8 );
+    obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 )       );
+
+    obuf[11] = (unsigned char)( ( *olen - 13 ) >>  8 );
+    obuf[12] = (unsigned char)( ( *olen - 13 )       );
+
+    return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+}
+
+/*
+ * Handle possible client reconnect with the same UDP quadruplet
+ * (RFC 6347 Section 4.2.8).
+ *
+ * Called by ssl_parse_record_header() in case we receive an epoch 0 record
+ * that looks like a ClientHello.
+ *
+ * - if the input looks like a ClientHello without cookies,
+ *   send back HelloVerifyRequest, then
+ *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - if the input looks like a ClientHello with a valid cookie,
+ *   reset the session of the current context, and
+ *   return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ * - if anything goes wrong, return a specific error code
+ *
+ * mbedtls_ssl_read_record() will ignore the record if anything else than
+ * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
+ * cannot not return 0.
+ */
+static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t len;
+
+    ret = ssl_check_dtls_clihlo_cookie(
+            ssl->conf->f_cookie_write,
+            ssl->conf->f_cookie_check,
+            ssl->conf->p_cookie,
+            ssl->cli_id, ssl->cli_id_len,
+            ssl->in_buf, ssl->in_left,
+            ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
+
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
+
+    if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
+    {
+        /* Don't check write errors as we can't do anything here.
+         * If the error is permanent we'll catch it later,
+         * if it's not, then hopefully it'll work next time. */
+        (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
+
+        return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+    }
+
+    if( ret == 0 )
+    {
+        /* Got a valid cookie, partially reset context */
+        if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
+            return( ret );
+        }
+
+        return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+
+/*
+ * ContentType type;
+ * ProtocolVersion version;
+ * uint16 epoch;            // DTLS only
+ * uint48 sequence_number;  // DTLS only
+ * uint16 length;
+ *
+ * Return 0 if header looks sane (and, for DTLS, the record is expected)
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
+ * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
+ *
+ * With DTLS, mbedtls_ssl_read_record() will:
+ * 1. proceed with the record if this function returns 0
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD
+ * 3. return CLIENT_RECONNECT if this function return that value
+ * 4. drop the whole datagram if this function returns anything else.
+ * Point 2 is needed when the peer is resending, and we have already received
+ * the first record from a datagram but are still waiting for the others.
+ */
+static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
+{
+    int major_ver, minor_ver;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
+
+    ssl->in_msgtype =  ssl->in_hdr[0];
+    ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
+    mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
+                        "version = [%d:%d], msglen = %d",
+                        ssl->in_msgtype,
+                        major_ver, minor_ver, ssl->in_msglen ) );
+
+    /* Check record type */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* Silently ignore invalid DTLS records as recommended by RFC 6347
+         * Section 4.1.2.7 */
+        if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /* Check version */
+    if( major_ver != ssl->major_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    if( minor_ver > ssl->conf->max_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /* Check length against the size of our buffer */
+    if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
+                         - (size_t)( ssl->in_msg - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /*
+     * DTLS-related tests.
+     * Check epoch before checking length constraint because
+     * the latter varies with the epoch. E.g., if a ChangeCipherSpec
+     * message gets duplicated before the corresponding Finished message,
+     * the second ChangeCipherSpec should be discarded because it belongs
+     * to an old epoch, but not because its length is shorter than
+     * the minimum record length for packets using the new record transform.
+     * Note that these two kinds of failures are handled differently,
+     * as an unexpected record is silently skipped but an invalid
+     * record leads to the entire datagram being dropped.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
+
+        /* Check epoch (and sequence number) with DTLS */
+        if( rec_epoch != ssl->in_epoch )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
+                                        "expected %d, received %d",
+                                        ssl->in_epoch, rec_epoch ) );
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+            /*
+             * Check for an epoch 0 ClientHello. We can't use in_msg here to
+             * access the first byte of record content (handshake type), as we
+             * have an active transform (possibly iv_len != 0), so use the
+             * fact that the record header len is 13 instead.
+             */
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
+                rec_epoch == 0 &&
+                ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+                ssl->in_left > 13 &&
+                ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
+                                            "from the same port" ) );
+                return( ssl_handle_possible_reconnect( ssl ) );
+            }
+            else
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+            {
+                /* Consider buffering the record. */
+                if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
+                    return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+                }
+
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+            }
+        }
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        /* Replay detection only works for the current epoch */
+        if( rec_epoch == ssl->in_epoch &&
+            mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+#endif
+
+        /* Drop unexpected ApplicationData records,
+         * except at the beginning of renegotiations */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
+            ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+                   ssl->state == MBEDTLS_SSL_SERVER_HELLO )
+#endif
+            )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+
+    /* Check length against bounds of the current transform and version */
+    if( ssl->transform_in == NULL )
+    {
+        if( ssl->in_msglen < 1 ||
+            ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+    else
+    {
+        if( ssl->in_msglen < ssl->transform_in->minlen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+            ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * TLS encrypted messages can have up to 256 bytes of padding
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
+            ssl->in_msglen > ssl->transform_in->minlen +
+                             MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+    }
+
+    return( 0 );
+}
+
+/*
+ * If applicable, decrypt (and decompress) record content
+ */
+static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
+{
+    int ret, done = 0;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
+                   ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_read != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
+
+        ret = mbedtls_ssl_hw_record_read( ssl );
+        if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+
+        if( ret == 0 )
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if( !done && ssl->transform_in != NULL )
+    {
+        if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
+                       ssl->in_msg, ssl->in_msglen );
+
+        if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->transform_in != NULL &&
+        ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        mbedtls_ssl_dtls_replay_update( ssl );
+    }
+#endif
+
+    return( 0 );
+}
+
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
+
+/*
+ * Read a record.
+ *
+ * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
+ * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
+ *
+ */
+
+/* Helper functions for mbedtls_ssl_read_record(). */
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
+static int ssl_get_next_record( mbedtls_ssl_context *ssl );
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
+                             unsigned update_hs_digest )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
+
+    if( ssl->keep_current_message == 0 )
+    {
+        do {
+
+            ret = ssl_consume_current_message( ssl );
+            if( ret != 0 )
+                return( ret );
+
+            if( ssl_record_is_in_progress( ssl ) == 0 )
+            {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                int have_buffered = 0;
+
+                /* We only check for buffered messages if the
+                 * current datagram is fully consumed. */
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                    ssl_next_record_is_in_datagram( ssl ) == 0 )
+                {
+                    if( ssl_load_buffered_message( ssl ) == 0 )
+                        have_buffered = 1;
+                }
+
+                if( have_buffered == 0 )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+                {
+                    ret = ssl_get_next_record( ssl );
+                    if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
+                        continue;
+
+                    if( ret != 0 )
+                    {
+                        MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
+                        return( ret );
+                    }
+                }
+            }
+
+            ret = mbedtls_ssl_handle_message_type( ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
+            {
+                /* Buffer future message */
+                ret = ssl_buffer_message( ssl );
+                if( ret != 0 )
+                    return( ret );
+
+                ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+            }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        } while( MBEDTLS_ERR_SSL_NON_FATAL           == ret  ||
+                 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
+
+        if( 0 != ret )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
+            return( ret );
+        }
+
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            update_hs_digest == 1 )
+        {
+            mbedtls_ssl_update_handshake_status( ssl );
+        }
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
+        ssl->keep_current_message = 0;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_left > ssl->next_record_offset )
+        return( 1 );
+
+    return( 0 );
+}
+
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer * hs_buf;
+    int ret = 0;
+
+    if( hs == NULL )
+        return( -1 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
+
+    if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
+        ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+    {
+        /* Check if we have seen a ChangeCipherSpec before.
+         * If yes, synthesize a CCS record. */
+        if( !hs->buffering.seen_ccs )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
+            ret = -1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+        ssl->in_msglen = 1;
+        ssl->in_msg[0] = 1;
+
+        /* As long as they are equal, the exact value doesn't matter. */
+        ssl->in_left            = 0;
+        ssl->next_record_offset = 0;
+
+        hs->buffering.seen_ccs = 0;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_DEBUG_C)
+    /* Debug only */
+    {
+        unsigned offset;
+        for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
+        {
+            hs_buf = &hs->buffering.hs[offset];
+            if( hs_buf->is_valid == 1 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
+                            hs->in_msg_seq + offset,
+                            hs_buf->is_complete ? "fully" : "partially" ) );
+            }
+        }
+    }
+#endif /* MBEDTLS_DEBUG_C */
+
+    /* Check if we have buffered and/or fully reassembled the
+     * next handshake message. */
+    hs_buf = &hs->buffering.hs[0];
+    if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
+    {
+        /* Synthesize a record containing the buffered HS message. */
+        size_t msg_len = ( hs_buf->data[1] << 16 ) |
+                         ( hs_buf->data[2] << 8  ) |
+                           hs_buf->data[3];
+
+        /* Double-check that we haven't accidentally buffered
+         * a message that doesn't fit into the input buffer. */
+        if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
+        MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
+                               hs_buf->data, msg_len + 12 );
+
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+        ssl->in_hslen   = msg_len + 12;
+        ssl->in_msglen  = msg_len + 12;
+        memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
+
+        ret = 0;
+        goto exit;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
+                                    hs->in_msg_seq ) );
+    }
+
+    ret = -1;
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
+    return( ret );
+}
+
+static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
+                                  size_t desired )
+{
+    int offset;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
+                                (unsigned) desired ) );
+
+    /* Get rid of future records epoch first, if such exist. */
+    ssl_free_buffered_record( ssl );
+
+    /* Check if we have enough space available now. */
+    if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                     hs->buffering.total_bytes_buffered ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
+        return( 0 );
+    }
+
+    /* We don't have enough space to buffer the next expected handshake
+     * message. Remove buffers used for future messages to gain space,
+     * starting with the most distant one. */
+    for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
+         offset >= 0; offset-- )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
+                                    offset ) );
+
+        ssl_buffering_free_slot( ssl, (uint8_t) offset );
+
+        /* Check if we have enough space available now. */
+        if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                         hs->buffering.total_bytes_buffered ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
+            return( 0 );
+        }
+    }
+
+    return( -1 );
+}
+
+static int ssl_buffer_message( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( hs == NULL )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
+
+    switch( ssl->in_msgtype )
+    {
+        case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
+
+            hs->buffering.seen_ccs = 1;
+            break;
+
+        case MBEDTLS_SSL_MSG_HANDSHAKE:
+        {
+            unsigned recv_msg_seq_offset;
+            unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
+            mbedtls_ssl_hs_buffer *hs_buf;
+            size_t msg_len = ssl->in_hslen - 12;
+
+            /* We should never receive an old handshake
+             * message - double-check nonetheless. */
+            if( recv_msg_seq < ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
+            if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
+            {
+                /* Silently ignore -- message too far in the future */
+                MBEDTLS_SSL_DEBUG_MSG( 2,
+                 ( "Ignore future HS message with sequence number %u, "
+                   "buffering window %u - %u",
+                   recv_msg_seq, ssl->handshake->in_msg_seq,
+                   ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
+
+                goto exit;
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
+                                        recv_msg_seq, recv_msg_seq_offset ) );
+
+            hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
+
+            /* Check if the buffering for this seq nr has already commenced. */
+            if( !hs_buf->is_valid )
+            {
+                size_t reassembly_buf_sz;
+
+                hs_buf->is_fragmented =
+                    ( ssl_hs_is_proper_fragment( ssl ) == 1 );
+
+                /* We copy the message back into the input buffer
+                 * after reassembly, so check that it's not too large.
+                 * This is an implementation-specific limitation
+                 * and not one from the standard, hence it is not
+                 * checked in ssl_check_hs_header(). */
+                if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
+                {
+                    /* Ignore message */
+                    goto exit;
+                }
+
+                /* Check if we have enough space to buffer the message. */
+                if( hs->buffering.total_bytes_buffered >
+                    MBEDTLS_SSL_DTLS_MAX_BUFFERING )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+                }
+
+                reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
+                                                       hs_buf->is_fragmented );
+
+                if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                                          hs->buffering.total_bytes_buffered ) )
+                {
+                    if( recv_msg_seq_offset > 0 )
+                    {
+                        /* If we can't buffer a future message because
+                         * of space limitations -- ignore. */
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
+                             (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                        goto exit;
+                    }
+                    else
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
+                             (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                    }
+
+                    if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
+                             (unsigned) msg_len,
+                             (unsigned) reassembly_buf_sz,
+                             MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                        ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+                        goto exit;
+                    }
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
+                                            msg_len ) );
+
+                hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
+                if( hs_buf->data == NULL )
+                {
+                    ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+                    goto exit;
+                }
+                hs_buf->data_len = reassembly_buf_sz;
+
+                /* Prepare final header: copy msg_type, length and message_seq,
+                 * then add standardised fragment_offset and fragment_length */
+                memcpy( hs_buf->data, ssl->in_msg, 6 );
+                memset( hs_buf->data + 6, 0, 3 );
+                memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
+
+                hs_buf->is_valid = 1;
+
+                hs->buffering.total_bytes_buffered += reassembly_buf_sz;
+            }
+            else
+            {
+                /* Make sure msg_type and length are consistent */
+                if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
+                    /* Ignore */
+                    goto exit;
+                }
+            }
+
+            if( !hs_buf->is_complete )
+            {
+                size_t frag_len, frag_off;
+                unsigned char * const msg = hs_buf->data + 12;
+
+                /*
+                 * Check and copy current fragment
+                 */
+
+                /* Validation of header fields already done in
+                 * mbedtls_ssl_prepare_handshake_record(). */
+                frag_off = ssl_get_hs_frag_off( ssl );
+                frag_len = ssl_get_hs_frag_len( ssl );
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
+                                            frag_off, frag_len ) );
+                memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
+
+                if( hs_buf->is_fragmented )
+                {
+                    unsigned char * const bitmask = msg + msg_len;
+                    ssl_bitmask_set( bitmask, frag_off, frag_len );
+                    hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
+                                                               msg_len ) == 0 );
+                }
+                else
+                {
+                    hs_buf->is_complete = 1;
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
+                                   hs_buf->is_complete ? "" : "not yet " ) );
+            }
+
+            break;
+        }
+
+        default:
+            /* We don't buffer other types of messages. */
+            break;
+    }
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
+{
+    /*
+     * Consume last content-layer message and potentially
+     * update in_msglen which keeps track of the contents'
+     * consumption state.
+     *
+     * (1) Handshake messages:
+     *     Remove last handshake message, move content
+     *     and adapt in_msglen.
+     *
+     * (2) Alert messages:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (3) Change cipher spec:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (4) Application data:
+     *     Don't do anything - the record layer provides
+     *     the application data as a stream transport
+     *     and consumes through mbedtls_ssl_read only.
+     *
+     */
+
+    /* Case (1): Handshake messages */
+    if( ssl->in_hslen != 0 )
+    {
+        /* Hard assertion to be sure that no application data
+         * is in flight, as corrupting ssl->in_msglen during
+         * ssl->in_offt != NULL is fatal. */
+        if( ssl->in_offt != NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Get next Handshake message in the current record
+         */
+
+        /* Notes:
+         * (1) in_hslen is not necessarily the size of the
+         *     current handshake content: If DTLS handshake
+         *     fragmentation is used, that's the fragment
+         *     size instead. Using the total handshake message
+         *     size here is faulty and should be changed at
+         *     some point.
+         * (2) While it doesn't seem to cause problems, one
+         *     has to be very careful not to assume that in_hslen
+         *     is always <= in_msglen in a sensible communication.
+         *     Again, it's wrong for DTLS handshake fragmentation.
+         *     The following check is therefore mandatory, and
+         *     should not be treated as a silently corrected assertion.
+         *     Additionally, ssl->in_hslen might be arbitrarily out of
+         *     bounds after handling a DTLS message with an unexpected
+         *     sequence number, see mbedtls_ssl_prepare_handshake_record.
+         */
+        if( ssl->in_hslen < ssl->in_msglen )
+        {
+            ssl->in_msglen -= ssl->in_hslen;
+            memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
+                     ssl->in_msglen );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
+                                   ssl->in_msg, ssl->in_msglen );
+        }
+        else
+        {
+            ssl->in_msglen = 0;
+        }
+
+        ssl->in_hslen   = 0;
+    }
+    /* Case (4): Application data */
+    else if( ssl->in_offt != NULL )
+    {
+        return( 0 );
+    }
+    /* Everything else (CCS & Alerts) */
+    else
+    {
+        ssl->in_msglen = 0;
+    }
+
+    return( 0 );
+}
+
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen > 0 )
+        return( 1 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    if( hs == NULL )
+        return;
+
+    if( hs->buffering.future_record.data != NULL )
+    {
+        hs->buffering.total_bytes_buffered -=
+            hs->buffering.future_record.len;
+
+        mbedtls_free( hs->buffering.future_record.data );
+        hs->buffering.future_record.data = NULL;
+    }
+}
+
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    unsigned char * rec;
+    size_t rec_len;
+    unsigned rec_epoch;
+
+    if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 0 );
+
+    if( hs == NULL )
+        return( 0 );
+
+    rec       = hs->buffering.future_record.data;
+    rec_len   = hs->buffering.future_record.len;
+    rec_epoch = hs->buffering.future_record.epoch;
+
+    if( rec == NULL )
+        return( 0 );
+
+    /* Only consider loading future records if the
+     * input buffer is empty. */
+    if( ssl_next_record_is_in_datagram( ssl ) == 1 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
+
+    if( rec_epoch != ssl->in_epoch )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
+        goto exit;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
+
+    /* Double-check that the record is not too large */
+    if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
+        (size_t)( ssl->in_hdr - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    memcpy( ssl->in_hdr, rec, rec_len );
+    ssl->in_left = rec_len;
+    ssl->next_record_offset = 0;
+
+    ssl_free_buffered_record( ssl );
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
+    return( 0 );
+}
+
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    size_t const rec_hdr_len = 13;
+    size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
+
+    /* Don't buffer future records outside handshakes. */
+    if( hs == NULL )
+        return( 0 );
+
+    /* Only buffer handshake records (we are only interested
+     * in Finished messages). */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+        return( 0 );
+
+    /* Don't buffer more than one future epoch record. */
+    if( hs->buffering.future_record.data != NULL )
+        return( 0 );
+
+    /* Don't buffer record if there's not enough buffering space remaining. */
+    if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                         hs->buffering.total_bytes_buffered ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
+                        (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                        (unsigned) hs->buffering.total_bytes_buffered ) );
+        return( 0 );
+    }
+
+    /* Buffer record */
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
+                                ssl->in_epoch + 1 ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
+                           rec_hdr_len + ssl->in_msglen );
+
+    /* ssl_parse_record_header() only considers records
+     * of the next epoch as candidates for buffering. */
+    hs->buffering.future_record.epoch = ssl->in_epoch + 1;
+    hs->buffering.future_record.len   = total_buf_sz;
+
+    hs->buffering.future_record.data =
+        mbedtls_calloc( 1, hs->buffering.future_record.len );
+    if( hs->buffering.future_record.data == NULL )
+    {
+        /* If we run out of RAM trying to buffer a
+         * record from the next epoch, just ignore. */
+        return( 0 );
+    }
+
+    memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
+
+    hs->buffering.total_bytes_buffered += total_buf_sz;
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_get_next_record( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    /* We might have buffered a future record; if so,
+     * and if the epoch matches now, load it.
+     * On success, this call will set ssl->in_left to
+     * the length of the buffered record, so that
+     * the calls to ssl_fetch_input() below will
+     * essentially be no-ops. */
+    ret = ssl_load_buffered_record( ssl );
+    if( ret != 0 )
+        return( ret );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
+        {
+            if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
+            {
+                ret = ssl_buffer_future_record( ssl );
+                if( ret != 0 )
+                    return( ret );
+
+                /* Fall through to handling of unexpected records */
+                ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+            }
+
+            if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
+            {
+                /* Skip unexpected record (but not whole datagram) */
+                ssl->next_record_offset = ssl->in_msglen
+                                        + mbedtls_ssl_hdr_len( ssl );
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
+                                            "(header)" ) );
+            }
+            else
+            {
+                /* Skip invalid record and the rest of the datagram */
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
+                                            "(header)" ) );
+            }
+
+            /* Get next record */
+            return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
+        }
+#endif
+        return( ret );
+    }
+
+    /*
+     * Read and optionally decrypt the message contents
+     */
+    if( ( ret = mbedtls_ssl_fetch_input( ssl,
+                                 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
+        if( ssl->next_record_offset < ssl->in_left )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
+        }
+    }
+    else
+#endif
+        ssl->in_left = 0;
+
+    if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            /* Silently discard invalid records */
+            if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
+                ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            {
+                /* Except when waiting for Finished as a bad mac here
+                 * probably means something went wrong in the handshake
+                 * (eg wrong psk used, mitm downgrade attempt, etc.) */
+                if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
+                    ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
+                {
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+                    if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+                    {
+                        mbedtls_ssl_send_alert_message( ssl,
+                                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
+                    }
+#endif
+                    return( ret );
+                }
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+                if( ssl->conf->badmac_limit != 0 &&
+                    ++ssl->badmac_seen >= ssl->conf->badmac_limit )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
+                    return( MBEDTLS_ERR_SSL_INVALID_MAC );
+                }
+#endif
+
+                /* As above, invalid records cause
+                 * dismissal of the whole datagram. */
+
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
+                return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
+            }
+
+            return( ret );
+        }
+        else
+#endif
+        {
+            /* Error out (and send alert) on invalid records */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+            if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            {
+                mbedtls_ssl_send_alert_message( ssl,
+                        MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                        MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
+            }
+#endif
+            return( ret );
+        }
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    /*
+     * Handle particular types of records
+     */
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
+        {
+            return( ret );
+        }
+    }
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        if( ssl->in_msglen != 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
+                           ssl->in_msglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        if( ssl->in_msg[0] != 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
+                                        ssl->in_msg[0] ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC    &&
+            ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+        {
+            if( ssl->handshake == NULL )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
+            return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+        }
+#endif
+    }
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
+    {
+        if( ssl->in_msglen != 2 )
+        {
+            /* Note: Standard allows for more than one 2 byte alert
+               to be packed in a single message, but Mbed TLS doesn't
+               currently support this. */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
+                           ssl->in_msglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
+                       ssl->in_msg[0], ssl->in_msg[1] ) );
+
+        /*
+         * Ignore non-fatal alerts, except close_notify and no_renegotiation
+         */
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
+                           ssl->in_msg[1] ) );
+            return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
+        }
+
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
+            return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
+        }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
+            /* Will be handled when trying to parse ServerHello */
+            return( 0 );
+        }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+            ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
+            /* Will be handled in mbedtls_ssl_parse_certificate() */
+            return( 0 );
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+
+        /* Silently ignore: fetch new message */
+        return MBEDTLS_ERR_SSL_NON_FATAL;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER  )
+    {
+        ssl_handshake_wrapup_free_hs_transform( ssl );
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
+                            unsigned char level,
+                            unsigned char message )
+{
+    int ret;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+    ssl->out_msglen = 2;
+    ssl->out_msg[0] = level;
+    ssl->out_msg[1] = message;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
+
+    return( 0 );
+}
+
+/*
+ * Handshake functions
+ */
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)         && \
+    !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)     && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)     && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)    && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+/* No certificate support -> dummy functions */
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+
+#else
+/* Some certificate support -> implement write and parse */
+
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, n;
+    const mbedtls_x509_crt *crt;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        if( ssl->client_auth == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+            ssl->state++;
+            return( 0 );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        /*
+         * If using SSLv3 and got no cert, send an Alert message
+         * (otherwise an empty Certificate message will be sent).
+         */
+        if( mbedtls_ssl_own_cert( ssl )  == NULL &&
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            ssl->out_msglen  = 2;
+            ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+            ssl->out_msg[0]  = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
+            ssl->out_msg[1]  = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
+            goto write_msg;
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        if( mbedtls_ssl_own_cert( ssl ) == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
+            return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
+
+    /*
+     *     0  .  0    handshake type
+     *     1  .  3    handshake length
+     *     4  .  6    length of all certs
+     *     7  .  9    length of cert. 1
+     *    10  . n-1   peer certificate
+     *     n  . n+2   length of cert. 2
+     *    n+3 . ...   upper level cert, etc.
+     */
+    i = 7;
+    crt = mbedtls_ssl_own_cert( ssl );
+
+    while( crt != NULL )
+    {
+        n = crt->raw.len;
+        if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
+                           i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+            return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
+        }
+
+        ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
+        ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
+        ssl->out_msg[i + 2] = (unsigned char)( n       );
+
+        i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
+        i += n; crt = crt->next;
+    }
+
+    ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
+    ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
+    ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
+
+    ssl->out_msglen  = i;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE;
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+write_msg:
+#endif
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
+
+    return( ret );
+}
+
+/*
+ * Once the certificate message is read, parse it into a cert chain and
+ * perform basic checks, but leave actual verification to the caller
+ */
+static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n;
+    uint8_t alert;
+
+#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /*
+     * Check if the client sent an empty certificate
+     */
+    if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( ssl->in_msglen  == 2                        &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT            &&
+            ssl->in_msg[0]  == MBEDTLS_SSL_ALERT_LEVEL_WARNING  &&
+            ssl->in_msg[1]  == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
+
+            /* The client was asked for a certificate but didn't send
+               one. The client should know what's going on, so we
+               don't send an alert. */
+            ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+            return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( ssl->in_hslen   == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE    &&
+            ssl->in_msg[0]  == MBEDTLS_SSL_HS_CERTIFICATE   &&
+            memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
+
+            /* The client was asked for a certificate but didn't send
+               one. The client should know what's going on, so we
+               don't send an alert. */
+            ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+            return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_SRV_C */
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
+        ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    i = mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     * Same message structure as in mbedtls_ssl_write_certificate()
+     */
+    n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
+
+    if( ssl->in_msg[i] != 0 ||
+        ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    /* In case we tried to reuse a session but it failed */
+    if( ssl->session_negotiate->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
+        mbedtls_free( ssl->session_negotiate->peer_cert );
+    }
+
+    if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
+                    sizeof( mbedtls_x509_crt ) ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
+                       sizeof( mbedtls_x509_crt ) ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
+
+    i += 3;
+
+    while( i < ssl->in_hslen )
+    {
+        if ( i + 3 > ssl->in_hslen ) {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+        if( ssl->in_msg[i] != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
+            | (unsigned int) ssl->in_msg[i + 2];
+        i += 3;
+
+        if( n < 128 || i + n > ssl->in_hslen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
+                                  ssl->in_msg + i, n );
+        switch( ret )
+        {
+        case 0: /*ok*/
+        case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
+            /* Ignore certificate with an unknown algorithm: maybe a
+               prior certificate was already trusted. */
+            break;
+
+        case MBEDTLS_ERR_X509_ALLOC_FAILED:
+            alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+            goto crt_parse_der_failed;
+
+        case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            goto crt_parse_der_failed;
+
+        default:
+            alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+        crt_parse_der_failed:
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
+            MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
+            return( ret );
+        }
+
+        i += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
+
+    /*
+     * On client, make sure the server cert doesn't change during renego to
+     * avoid "triple handshake" attack: https://secure-resumption.com/
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        if( ssl->session->peer_cert == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        if( ssl->session->peer_cert->raw.len !=
+            ssl->session_negotiate->peer_cert->raw.len ||
+            memcmp( ssl->session->peer_cert->raw.p,
+                    ssl->session_negotiate->peer_cert->raw.p,
+                    ssl->session->peer_cert->raw.len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
+
+    return( 0 );
+}
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
+          ssl->transform_negotiate->ciphersuite_info;
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+                       ? ssl->handshake->sni_authmode
+                       : ssl->conf->authmode;
+#else
+    const int authmode = ssl->conf->authmode;
+#endif
+    void *rs_ctx = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        authmode == MBEDTLS_SSL_VERIFY_NONE )
+    {
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+
+        ssl->state++;
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
+    {
+        goto crt_verify;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        /* mbedtls_ssl_read_record may have sent an alert already. We
+           let it decide whether to alert. */
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ret == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE &&
+            authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
+        {
+            ret = 0;
+        }
+#endif
+
+        ssl->state++;
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
+
+crt_verify:
+    if( ssl->handshake->ecrs_enabled)
+        rs_ctx = &ssl->handshake->ecrs_ctx;
+#endif
+
+    if( authmode != MBEDTLS_SSL_VERIFY_NONE )
+    {
+        mbedtls_x509_crt *ca_chain;
+        mbedtls_x509_crl *ca_crl;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if( ssl->handshake->sni_ca_chain != NULL )
+        {
+            ca_chain = ssl->handshake->sni_ca_chain;
+            ca_crl   = ssl->handshake->sni_ca_crl;
+        }
+        else
+#endif
+        {
+            ca_chain = ssl->conf->ca_chain;
+            ca_crl   = ssl->conf->ca_crl;
+        }
+
+        /*
+         * Main check: verify certificate
+         */
+        ret = mbedtls_x509_crt_verify_restartable(
+                                ssl->session_negotiate->peer_cert,
+                                ca_chain, ca_crl,
+                                ssl->conf->cert_profile,
+                                ssl->hostname,
+                               &ssl->session_negotiate->verify_result,
+                                ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
+        }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
+#endif
+
+        /*
+         * Secondary checks: always done, but change 'ret' only if it was 0
+         */
+
+#if defined(MBEDTLS_ECP_C)
+        {
+            const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
+
+            /* If certificate uses an EC key, make sure the curve is OK */
+            if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
+                mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
+            {
+                ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
+                if( ret == 0 )
+                    ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+            }
+        }
+#endif /* MBEDTLS_ECP_C */
+
+        if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
+                                 ciphersuite_info,
+                                 ! ssl->conf->endpoint,
+                                 &ssl->session_negotiate->verify_result ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
+            if( ret == 0 )
+                ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+        }
+
+        /* mbedtls_x509_crt_verify_with_profile is supposed to report a
+         * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
+         * with details encoded in the verification flags. All other kinds
+         * of error codes, including those from the user provided f_vrfy
+         * functions, are treated as fatal and lead to a failure of
+         * ssl_parse_certificate even if verification was optional. */
+        if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+            ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+              ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
+        {
+            ret = 0;
+        }
+
+        if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
+            ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+        }
+
+        if( ret != 0 )
+        {
+            uint8_t alert;
+
+            /* The certificate may have been rejected for several reasons.
+               Pick one and send the corresponding alert. Which alert to send
+               may be a subject of debate in some cases. */
+            if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
+                alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
+                alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
+            else
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            alert );
+        }
+
+#if defined(MBEDTLS_DEBUG_C)
+        if( ssl->session_negotiate->verify_result != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
+                                        ssl->session_negotiate->verify_result ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
+        }
+#endif /* MBEDTLS_DEBUG_C */
+    }
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+    ssl->out_msglen  = 1;
+    ssl->out_msg[0]  = 1;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
+
+    return( 0 );
+}
+
+int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /* CCS records are only accepted if they have length 1 and content '1',
+     * so we don't need to check this here. */
+
+    /*
+     * Switch to our negotiated transform and session parameters for inbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
+    ssl->transform_in = ssl->transform_negotiate;
+    ssl->session_in = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        ssl_dtls_replay_reset( ssl );
+#endif
+
+        /* Increment epoch */
+        if( ++ssl->in_epoch == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
+            /* This is highly unlikely to happen for legitimate reasons, so
+               treat it as an attack and don't send an alert. */
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    memset( ssl->in_ctr, 0, 8 );
+
+    ssl_update_in_pointers( ssl, ssl->transform_negotiate );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
+                            const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
+{
+    ((void) ciphersuite_info);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+        ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+    if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+        ssl->handshake->update_checksum = ssl_update_checksum_sha384;
+    else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
+        ssl->handshake->update_checksum = ssl_update_checksum_sha256;
+    else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return;
+    }
+}
+
+void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_starts_ret( &ssl->handshake->fin_md5  );
+    mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
+                                       const unsigned char *buf, size_t len )
+{
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+    mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf, size_t len )
+{
+     mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+    mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf, size_t len )
+{
+    mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
+}
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf, size_t len )
+{
+    mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
+}
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_finished_ssl(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+
+    unsigned char padbuf[48];
+    unsigned char md5sum[16];
+    unsigned char sha1sum[20];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished ssl" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    /*
+     * SSLv3:
+     *   hash =
+     *      MD5( master + pad2 +
+     *          MD5( handshake + sender + master + pad1 ) )
+     *   + SHA1( master + pad2 +
+     *         SHA1( handshake + sender + master + pad1 ) )
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
+                    md5.state, sizeof(  md5.state ) );
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
+                   sha1.state, sizeof( sha1.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
+                                       : "SRVR";
+
+    memset( padbuf, 0x36, 48 );
+
+    mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
+    mbedtls_md5_update_ret( &md5, session->master, 48 );
+    mbedtls_md5_update_ret( &md5, padbuf, 48 );
+    mbedtls_md5_finish_ret( &md5, md5sum );
+
+    mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
+    mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
+    mbedtls_sha1_finish_ret( &sha1, sha1sum );
+
+    memset( padbuf, 0x5C, 48 );
+
+    mbedtls_md5_starts_ret( &md5 );
+    mbedtls_md5_update_ret( &md5, session->master, 48 );
+    mbedtls_md5_update_ret( &md5, padbuf, 48 );
+    mbedtls_md5_update_ret( &md5, md5sum, 16 );
+    mbedtls_md5_finish_ret( &md5, buf );
+
+    mbedtls_sha1_starts_ret( &sha1 );
+    mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
+    mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
+    mbedtls_sha1_finish_ret( &sha1, buf + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
+    mbedtls_platform_zeroize(  md5sum, sizeof(  md5sum ) );
+    mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_finished_tls(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padbuf[36];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    /*
+     * TLSv1:
+     *   hash = PRF( master, finished_label,
+     *               MD5( handshake ) + SHA1( handshake ) )[0..11]
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
+                    md5.state, sizeof(  md5.state ) );
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
+                   sha1.state, sizeof( sha1.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_md5_finish_ret(  &md5, padbuf );
+    mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 36, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_calc_finished_tls_sha256(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_sha256_context sha256;
+    unsigned char padbuf[32];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    mbedtls_sha256_init( &sha256 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha256" ) );
+
+    mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
+                   sha256.state, sizeof( sha256.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_sha256_finish_ret( &sha256, padbuf );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 32, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_sha256_free( &sha256 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_calc_finished_tls_sha384(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_sha512_context sha512;
+    unsigned char padbuf[48];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    mbedtls_sha512_init( &sha512 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha384" ) );
+
+    mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
+                   sha512.state, sizeof( sha512.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_sha512_finish_ret( &sha512, padbuf );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 48, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_sha512_free( &sha512 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof( padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
+{
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
+
+    /*
+     * Free our handshake params
+     */
+    mbedtls_ssl_handshake_free( ssl );
+    mbedtls_free( ssl->handshake );
+    ssl->handshake = NULL;
+
+    /*
+     * Free the previous transform and swith in the current one
+     */
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+    }
+    ssl->transform = ssl->transform_negotiate;
+    ssl->transform_negotiate = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
+}
+
+void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
+{
+    int resume = ssl->handshake->resume;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        ssl->renego_status =  MBEDTLS_SSL_RENEGOTIATION_DONE;
+        ssl->renego_records_seen = 0;
+    }
+#endif
+
+    /*
+     * Free the previous session and switch in the current one
+     */
+    if( ssl->session )
+    {
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        /* RFC 7366 3.1: keep the EtM state */
+        ssl->session_negotiate->encrypt_then_mac =
+                  ssl->session->encrypt_then_mac;
+#endif
+
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+    }
+    ssl->session = ssl->session_negotiate;
+    ssl->session_negotiate = NULL;
+
+    /*
+     * Add cache entry
+     */
+    if( ssl->conf->f_set_cache != NULL &&
+        ssl->session->id_len != 0 &&
+        resume == 0 )
+    {
+        if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->flight != NULL )
+    {
+        /* Cancel handshake timer */
+        ssl_set_timer( ssl, 0 );
+
+        /* Keep last flight around in case we need to resend it:
+         * we need the handshake and transform structures for that */
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
+    }
+    else
+#endif
+        ssl_handshake_wrapup_free_hs_transform( ssl );
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
+}
+
+int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
+{
+    int ret, hash_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
+
+    ssl_update_out_pointers( ssl, ssl->transform_negotiate );
+
+    ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
+
+    /*
+     * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
+     * may define some other value. Currently (early 2016), no defined
+     * ciphersuite does this (and this is unlikely to change as activity has
+     * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
+     */
+    hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
+#endif
+
+    ssl->out_msglen  = 4 + hash_len;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_FINISHED;
+
+    /*
+     * In case of session resuming, invert the client and server
+     * ChangeCipherSpec messages order.
+     */
+    if( ssl->handshake->resume != 0 )
+    {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+    }
+    else
+        ssl->state++;
+
+    /*
+     * Switch to our negotiated transform and session parameters for outbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        unsigned char i;
+
+        /* Remember current epoch settings for resending */
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+        memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
+
+        /* Set sequence_number to zero */
+        memset( ssl->cur_out_ctr + 2, 0, 6 );
+
+        /* Increment epoch */
+        for( i = 2; i > 0; i-- )
+            if( ++ssl->cur_out_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    memset( ssl->cur_out_ctr, 0, 8 );
+
+    ssl->transform_out = ssl->transform_negotiate;
+    ssl->session_out = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define SSL_MAX_HASH_LEN 36
+#else
+#define SSL_MAX_HASH_LEN 12
+#endif
+
+int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned int hash_len;
+    unsigned char buf[SSL_MAX_HASH_LEN];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
+
+    ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /* There is currently no ciphersuite using another length with TLS 1.2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        hash_len = 36;
+    else
+#endif
+        hash_len = 12;
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
+        ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
+    }
+
+    if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
+                      buf, hash_len ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy( ssl->peer_verify_data, buf, hash_len );
+#endif
+
+    if( ssl->handshake->resume != 0 )
+    {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+    }
+    else
+        ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
+
+    return( 0 );
+}
+
+static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
+{
+    memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_init(   &handshake->fin_md5  );
+    mbedtls_sha1_init(   &handshake->fin_sha1 );
+     mbedtls_md5_starts_ret( &handshake->fin_md5  );
+    mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_init(   &handshake->fin_sha256    );
+    mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_init(   &handshake->fin_sha512    );
+    mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    handshake->update_checksum = ssl_update_checksum_start;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_init( &handshake->dhm_ctx );
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_init( &handshake->ecdh_ctx );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
+#if defined(MBEDTLS_SSL_CLI_C)
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
+#endif
+}
+
+static void ssl_transform_init( mbedtls_ssl_transform *transform )
+{
+    memset( transform, 0, sizeof(mbedtls_ssl_transform) );
+
+    mbedtls_cipher_init( &transform->cipher_ctx_enc );
+    mbedtls_cipher_init( &transform->cipher_ctx_dec );
+
+    mbedtls_md_init( &transform->md_ctx_enc );
+    mbedtls_md_init( &transform->md_ctx_dec );
+}
+
+void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
+{
+    memset( session, 0, sizeof(mbedtls_ssl_session) );
+}
+
+static int ssl_handshake_init( mbedtls_ssl_context *ssl )
+{
+    /* Clear old handshake information if present */
+    if( ssl->transform_negotiate )
+        mbedtls_ssl_transform_free( ssl->transform_negotiate );
+    if( ssl->session_negotiate )
+        mbedtls_ssl_session_free( ssl->session_negotiate );
+    if( ssl->handshake )
+        mbedtls_ssl_handshake_free( ssl );
+
+    /*
+     * Either the pointers are now NULL or cleared properly and can be freed.
+     * Now allocate missing structures.
+     */
+    if( ssl->transform_negotiate == NULL )
+    {
+        ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
+    }
+
+    if( ssl->session_negotiate == NULL )
+    {
+        ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
+    }
+
+    if( ssl->handshake == NULL )
+    {
+        ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
+    }
+
+    /* All pointers should exist and can be directly freed without issue */
+    if( ssl->handshake == NULL ||
+        ssl->transform_negotiate == NULL ||
+        ssl->session_negotiate == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
+
+        mbedtls_free( ssl->handshake );
+        mbedtls_free( ssl->transform_negotiate );
+        mbedtls_free( ssl->session_negotiate );
+
+        ssl->handshake = NULL;
+        ssl->transform_negotiate = NULL;
+        ssl->session_negotiate = NULL;
+
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    /* Initialize structures */
+    mbedtls_ssl_session_init( ssl->session_negotiate );
+    ssl_transform_init( ssl->transform_negotiate );
+    ssl_handshake_params_init( ssl->handshake );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+        else
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+
+        ssl_set_timer( ssl, 0 );
+    }
+#endif
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/* Dummy cookie callbacks for defaults */
+static int ssl_cookie_write_dummy( void *ctx,
+                      unsigned char **p, unsigned char *end,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    ((void) ctx);
+    ((void) p);
+    ((void) end);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
+
+static int ssl_cookie_check_dummy( void *ctx,
+                      const unsigned char *cookie, size_t cookie_len,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    ((void) ctx);
+    ((void) cookie);
+    ((void) cookie_len);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+/* Once ssl->out_hdr as the address of the beginning of the
+ * next outgoing record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->out_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_ctr = ssl->out_hdr +  3;
+        ssl->out_len = ssl->out_hdr + 11;
+        ssl->out_iv  = ssl->out_hdr + 13;
+    }
+    else
+#endif
+    {
+        ssl->out_ctr = ssl->out_hdr - 8;
+        ssl->out_len = ssl->out_hdr + 3;
+        ssl->out_iv  = ssl->out_hdr + 5;
+    }
+
+    /* Adjust out_msg to make space for explicit IV, if used. */
+    if( transform != NULL &&
+        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
+    }
+    else
+        ssl->out_msg = ssl->out_iv;
+}
+
+/* Once ssl->in_hdr as the address of the beginning of the
+ * next incoming record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->in_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
+                                    mbedtls_ssl_transform *transform )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->in_ctr = ssl->in_hdr +  3;
+        ssl->in_len = ssl->in_hdr + 11;
+        ssl->in_iv  = ssl->in_hdr + 13;
+    }
+    else
+#endif
+    {
+        ssl->in_ctr = ssl->in_hdr - 8;
+        ssl->in_len = ssl->in_hdr + 3;
+        ssl->in_iv  = ssl->in_hdr + 5;
+    }
+
+    /* Offset in_msg from in_iv to allow space for explicit IV, if used. */
+    if( transform != NULL &&
+        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
+    }
+    else
+        ssl->in_msg = ssl->in_iv;
+}
+
+/*
+ * Initialize an SSL context
+ */
+void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
+{
+    memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
+}
+
+/*
+ * Setup an SSL context
+ */
+
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
+{
+    /* Set the incoming and outgoing record pointers. */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_hdr = ssl->out_buf;
+        ssl->in_hdr  = ssl->in_buf;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
+        ssl->in_hdr  = ssl->in_buf  + 8;
+    }
+
+    /* Derive other internal pointers. */
+    ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
+    ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
+}
+
+int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
+                       const mbedtls_ssl_config *conf )
+{
+    int ret;
+
+    ssl->conf = conf;
+
+    /*
+     * Prepare base structures
+     */
+
+    /* Set to NULL in case of an error condition */
+    ssl->out_buf = NULL;
+
+    ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
+    if( ssl->in_buf == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
+    }
+
+    ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
+    if( ssl->out_buf == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
+    }
+
+    ssl_reset_in_out_pointers( ssl );
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        goto error;
+
+    return( 0 );
+
+error:
+    mbedtls_free( ssl->in_buf );
+    mbedtls_free( ssl->out_buf );
+
+    ssl->conf = NULL;
+
+    ssl->in_buf = NULL;
+    ssl->out_buf = NULL;
+
+    ssl->in_hdr = NULL;
+    ssl->in_ctr = NULL;
+    ssl->in_len = NULL;
+    ssl->in_iv = NULL;
+    ssl->in_msg = NULL;
+
+    ssl->out_hdr = NULL;
+    ssl->out_ctr = NULL;
+    ssl->out_len = NULL;
+    ssl->out_iv = NULL;
+    ssl->out_msg = NULL;
+
+    return( ret );
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ *
+ * If partial is non-zero, keep data in the input buffer and client ID.
+ * (Use when a DTLS client reconnects from the same port.)
+ */
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
+{
+    int ret;
+
+#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) ||     \
+    !defined(MBEDTLS_SSL_SRV_C)
+    ((void) partial);
+#endif
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+
+    /* Cancel any possibly running timer */
+    ssl_set_timer( ssl, 0 );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
+    ssl->renego_records_seen = 0;
+
+    ssl->verify_data_len = 0;
+    memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+    memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+#endif
+    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
+
+    ssl->in_offt = NULL;
+    ssl_reset_in_out_pointers( ssl );
+
+    ssl->in_msgtype = 0;
+    ssl->in_msglen = 0;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    ssl->next_record_offset = 0;
+    ssl->in_epoch = 0;
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    ssl_dtls_replay_reset( ssl );
+#endif
+
+    ssl->in_hslen = 0;
+    ssl->nb_zero = 0;
+
+    ssl->keep_current_message = 0;
+
+    ssl->out_msgtype = 0;
+    ssl->out_msglen = 0;
+    ssl->out_left = 0;
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
+        ssl->split_done = 0;
+#endif
+
+    memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
+
+    ssl->transform_in = NULL;
+    ssl->transform_out = NULL;
+
+    ssl->session_in = NULL;
+    ssl->session_out = NULL;
+
+    memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+    if( partial == 0 )
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+    {
+        ssl->in_left = 0;
+        memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
+    }
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_reset != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
+        if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+        ssl->transform = NULL;
+    }
+
+    if( ssl->session )
+    {
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+        ssl->session = NULL;
+    }
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl->alpn_chosen = NULL;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    if( partial == 0 )
+#endif
+    {
+        mbedtls_free( ssl->cli_id );
+        ssl->cli_id = NULL;
+        ssl->cli_id_len = 0;
+    }
+#endif
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ */
+int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
+{
+    return( ssl_session_reset_int( ssl, 0 ) );
+}
+
+/*
+ * SSL set accessors
+ */
+void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
+{
+    conf->endpoint   = endpoint;
+}
+
+void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
+{
+    conf->transport = transport;
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
+{
+    conf->anti_replay = mode;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
+{
+    conf->badmac_limit = limit;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
+                                       unsigned allow_packing )
+{
+    ssl->disable_datagram_packing = !allow_packing;
+}
+
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
+                                         uint32_t min, uint32_t max )
+{
+    conf->hs_timeout_min = min;
+    conf->hs_timeout_max = max;
+}
+#endif
+
+void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
+{
+    conf->authmode   = authmode;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    conf->f_vrfy      = f_vrfy;
+    conf->p_vrfy      = p_vrfy;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    conf->f_rng      = f_rng;
+    conf->p_rng      = p_rng;
+}
+
+void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
+                  void (*f_dbg)(void *, int, const char *, int, const char *),
+                  void  *p_dbg )
+{
+    conf->f_dbg      = f_dbg;
+    conf->p_dbg      = p_dbg;
+}
+
+void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
+        void *p_bio,
+        mbedtls_ssl_send_t *f_send,
+        mbedtls_ssl_recv_t *f_recv,
+        mbedtls_ssl_recv_timeout_t *f_recv_timeout )
+{
+    ssl->p_bio          = p_bio;
+    ssl->f_send         = f_send;
+    ssl->f_recv         = f_recv;
+    ssl->f_recv_timeout = f_recv_timeout;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
+{
+    ssl->mtu = mtu;
+}
+#endif
+
+void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
+{
+    conf->read_timeout   = timeout;
+}
+
+void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
+                               void *p_timer,
+                               mbedtls_ssl_set_timer_t *f_set_timer,
+                               mbedtls_ssl_get_timer_t *f_get_timer )
+{
+    ssl->p_timer        = p_timer;
+    ssl->f_set_timer    = f_set_timer;
+    ssl->f_get_timer    = f_get_timer;
+
+    /* Make sure we start with no timer running */
+    ssl_set_timer( ssl, 0 );
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
+        void *p_cache,
+        int (*f_get_cache)(void *, mbedtls_ssl_session *),
+        int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
+{
+    conf->p_cache = p_cache;
+    conf->f_get_cache = f_get_cache;
+    conf->f_set_cache = f_set_cache;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
+{
+    int ret;
+
+    if( ssl == NULL ||
+        session == NULL ||
+        ssl->session_negotiate == NULL ||
+        ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
+        return( ret );
+
+    ssl->handshake->resume = 1;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
+                                   const int *ciphersuites )
+{
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
+}
+
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
+                                       const int *ciphersuites,
+                                       int major, int minor )
+{
+    if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
+        return;
+
+    if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
+        return;
+
+    conf->ciphersuite_list[minor] = ciphersuites;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
+                                    const mbedtls_x509_crt_profile *profile )
+{
+    conf->cert_profile = profile;
+}
+
+/* Append a new keycert entry to a (possibly empty) list */
+static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
+                                mbedtls_x509_crt *cert,
+                                mbedtls_pk_context *key )
+{
+    mbedtls_ssl_key_cert *new_cert;
+
+    new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
+    if( new_cert == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    new_cert->cert = cert;
+    new_cert->key  = key;
+    new_cert->next = NULL;
+
+    /* Update head is the list was null, else add to the end */
+    if( *head == NULL )
+    {
+        *head = new_cert;
+    }
+    else
+    {
+        mbedtls_ssl_key_cert *cur = *head;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = new_cert;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
+}
+
+void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl )
+{
+    conf->ca_chain   = ca_chain;
+    conf->ca_crl     = ca_crl;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *own_cert,
+                                 mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
+                                 own_cert, pk_key ) );
+}
+
+void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
+                                  mbedtls_x509_crt *ca_chain,
+                                  mbedtls_x509_crl *ca_crl )
+{
+    ssl->handshake->sni_ca_chain   = ca_chain;
+    ssl->handshake->sni_ca_crl     = ca_crl;
+}
+
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+                                  int authmode )
+{
+    ssl->handshake->sni_authmode = authmode;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/*
+ * Set EC J-PAKE password for current handshake
+ */
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
+                                         const unsigned char *pw,
+                                         size_t pw_len )
+{
+    mbedtls_ecjpake_role role;
+
+    if( ssl->handshake == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        role = MBEDTLS_ECJPAKE_SERVER;
+    else
+        role = MBEDTLS_ECJPAKE_CLIENT;
+
+    return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
+                                   role,
+                                   MBEDTLS_MD_SHA256,
+                                   MBEDTLS_ECP_DP_SECP256R1,
+                                   pw, pw_len ) );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
+                const unsigned char *psk, size_t psk_len,
+                const unsigned char *psk_identity, size_t psk_identity_len )
+{
+    if( psk == NULL || psk_identity == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( psk_len > MBEDTLS_PSK_MAX_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* Identity len will be encoded on two bytes */
+    if( ( psk_identity_len >> 16 ) != 0 ||
+        psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( conf->psk != NULL )
+    {
+        mbedtls_platform_zeroize( conf->psk, conf->psk_len );
+
+        mbedtls_free( conf->psk );
+        conf->psk = NULL;
+        conf->psk_len = 0;
+    }
+    if( conf->psk_identity != NULL )
+    {
+        mbedtls_free( conf->psk_identity );
+        conf->psk_identity = NULL;
+        conf->psk_identity_len = 0;
+    }
+
+    if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ||
+        ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
+    {
+        mbedtls_free( conf->psk );
+        mbedtls_free( conf->psk_identity );
+        conf->psk = NULL;
+        conf->psk_identity = NULL;
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    conf->psk_len = psk_len;
+    conf->psk_identity_len = psk_identity_len;
+
+    memcpy( conf->psk, psk, conf->psk_len );
+    memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
+
+    return( 0 );
+}
+
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
+                            const unsigned char *psk, size_t psk_len )
+{
+    if( psk == NULL || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( psk_len > MBEDTLS_PSK_MAX_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ssl->handshake->psk != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->handshake->psk,
+                                  ssl->handshake->psk_len );
+        mbedtls_free( ssl->handshake->psk );
+        ssl->handshake->psk_len = 0;
+    }
+
+    if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    ssl->handshake->psk_len = psk_len;
+    memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
+                     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                     size_t),
+                     void *p_psk )
+{
+    conf->f_psk = f_psk;
+    conf->p_psk = p_psk;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
+                                   const unsigned char *dhm_P, size_t P_len,
+                                   const unsigned char *dhm_G, size_t G_len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/*
+ * Set the minimum length for Diffie-Hellman parameters
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
+                                      unsigned int bitlen )
+{
+    conf->dhm_min_bitlen = bitlen;
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Set allowed/preferred hashes for handshake signatures
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+                                  const int *hashes )
+{
+    conf->sig_hashes = hashes;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Set the allowed elliptic curves
+ */
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
+                             const mbedtls_ecp_group_id *curve_list )
+{
+    conf->curve_list = curve_list;
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
+{
+    /* Initialize to suppress unnecessary compiler warning */
+    size_t hostname_len = 0;
+
+    /* Check if new hostname is valid before
+     * making any change to current one */
+    if( hostname != NULL )
+    {
+        hostname_len = strlen( hostname );
+
+        if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /* Now it's clear that we will overwrite the old hostname,
+     * so we can free it safely */
+
+    if( ssl->hostname != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_free( ssl->hostname );
+    }
+
+    /* Passing NULL as hostname shall clear the old one */
+
+    if( hostname == NULL )
+    {
+        ssl->hostname = NULL;
+    }
+    else
+    {
+        ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
+        if( ssl->hostname == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        memcpy( ssl->hostname, hostname, hostname_len );
+
+        ssl->hostname[hostname_len] = '\0';
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
+                  int (*f_sni)(void *, mbedtls_ssl_context *,
+                                const unsigned char *, size_t),
+                  void *p_sni )
+{
+    conf->f_sni = f_sni;
+    conf->p_sni = p_sni;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
+{
+    size_t cur_len, tot_len;
+    const char **p;
+
+    /*
+     * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
+     * MUST NOT be truncated."
+     * We check lengths now rather than later.
+     */
+    tot_len = 0;
+    for( p = protos; *p != NULL; p++ )
+    {
+        cur_len = strlen( *p );
+        tot_len += cur_len;
+
+        if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    conf->alpn_list = protos;
+
+    return( 0 );
+}
+
+const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
+{
+    return( ssl->alpn_chosen );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
+{
+    conf->max_major_ver = major;
+    conf->max_minor_ver = minor;
+}
+
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
+{
+    conf->min_major_ver = major;
+    conf->min_minor_ver = minor;
+}
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
+{
+    conf->fallback = fallback;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
+                                          char cert_req_ca_list )
+{
+    conf->cert_req_ca_list = cert_req_ca_list;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
+{
+    conf->encrypt_then_mac = etm;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
+{
+    conf->extended_ms = ems;
+}
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
+{
+    conf->arc4_disabled = arc4;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
+{
+    if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
+        ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    conf->mfl_code = mfl_code;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
+{
+    conf->trunc_hmac = truncate;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
+{
+    conf->cbc_record_splitting = split;
+}
+#endif
+
+void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
+{
+    conf->allow_legacy_renegotiation = allow_legacy;
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
+{
+    conf->disable_renegotiation = renegotiation;
+}
+
+void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
+{
+    conf->renego_max_records = max_records;
+}
+
+void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+                                   const unsigned char period[8] )
+{
+    memcpy( conf->renego_period, period, 8 );
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
+{
+    conf->session_tickets = use_tickets;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_ticket_write_t *f_ticket_write,
+        mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+        void *p_ticket )
+{
+    conf->f_ticket_write = f_ticket_write;
+    conf->f_ticket_parse = f_ticket_parse;
+    conf->p_ticket       = p_ticket;
+}
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_export_keys_t *f_export_keys,
+        void *p_export_keys )
+{
+    conf->f_export_keys = f_export_keys;
+    conf->p_export_keys = p_export_keys;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+void mbedtls_ssl_conf_async_private_cb(
+    mbedtls_ssl_config *conf,
+    mbedtls_ssl_async_sign_t *f_async_sign,
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+    mbedtls_ssl_async_resume_t *f_async_resume,
+    mbedtls_ssl_async_cancel_t *f_async_cancel,
+    void *async_config_data )
+{
+    conf->f_async_sign_start = f_async_sign;
+    conf->f_async_decrypt_start = f_async_decrypt;
+    conf->f_async_resume = f_async_resume;
+    conf->f_async_cancel = f_async_cancel;
+    conf->p_async_config_data = async_config_data;
+}
+
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
+{
+    return( conf->p_async_config_data );
+}
+
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
+{
+    if( ssl->handshake == NULL )
+        return( NULL );
+    else
+        return( ssl->handshake->user_async_ctx );
+}
+
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+                                 void *ctx )
+{
+    if( ssl->handshake != NULL )
+        ssl->handshake->user_async_ctx = ctx;
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/*
+ * SSL get accessors
+ */
+size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
+{
+    return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
+}
+
+int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
+{
+    /*
+     * Case A: We're currently holding back
+     * a message for further processing.
+     */
+
+    if( ssl->keep_current_message == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
+        return( 1 );
+    }
+
+    /*
+     * Case B: Further records are pending in the current datagram.
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->in_left > ssl->next_record_offset )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
+        return( 1 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Case C: A handshake message is being processed.
+     */
+
+    if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
+        return( 1 );
+    }
+
+    /*
+     * Case D: An application data message is being processed
+     */
+    if( ssl->in_offt != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
+        return( 1 );
+    }
+
+    /*
+     * In all other cases, the rest of the message can be dropped.
+     * As in ssl_get_next_record, this needs to be adapted if
+     * we implement support for multiple alerts in single records.
+     */
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
+    return( 0 );
+}
+
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
+{
+    if( ssl->session != NULL )
+        return( ssl->session->verify_result );
+
+    if( ssl->session_negotiate != NULL )
+        return( ssl->session_negotiate->verify_result );
+
+    return( 0xFFFFFFFF );
+}
+
+const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL || ssl->session == NULL )
+        return( NULL );
+
+    return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
+}
+
+const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        switch( ssl->minor_ver )
+        {
+            case MBEDTLS_SSL_MINOR_VERSION_2:
+                return( "DTLSv1.0" );
+
+            case MBEDTLS_SSL_MINOR_VERSION_3:
+                return( "DTLSv1.2" );
+
+            default:
+                return( "unknown (DTLS)" );
+        }
+    }
+#endif
+
+    switch( ssl->minor_ver )
+    {
+        case MBEDTLS_SSL_MINOR_VERSION_0:
+            return( "SSLv3.0" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_1:
+            return( "TLSv1.0" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_2:
+            return( "TLSv1.1" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_3:
+            return( "TLSv1.2" );
+
+        default:
+            return( "unknown" );
+    }
+}
+
+int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
+{
+    size_t transform_expansion = 0;
+    const mbedtls_ssl_transform *transform = ssl->transform_out;
+    unsigned block_size;
+
+    if( transform == NULL )
+        return( (int) mbedtls_ssl_hdr_len( ssl ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+
+    switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
+    {
+        case MBEDTLS_MODE_GCM:
+        case MBEDTLS_MODE_CCM:
+        case MBEDTLS_MODE_CHACHAPOLY:
+        case MBEDTLS_MODE_STREAM:
+            transform_expansion = transform->minlen;
+            break;
+
+        case MBEDTLS_MODE_CBC:
+
+            block_size = mbedtls_cipher_get_block_size(
+                &transform->cipher_ctx_enc );
+
+            /* Expansion due to the addition of the MAC. */
+            transform_expansion += transform->maclen;
+
+            /* Expansion due to the addition of CBC padding;
+             * Theoretically up to 256 bytes, but we never use
+             * more than the block size of the underlying cipher. */
+            transform_expansion += block_size;
+
+            /* For TLS 1.1 or higher, an explicit IV is added
+             * after the record header. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+                transform_expansion += block_size;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
+{
+    size_t max_len;
+
+    /*
+     * Assume mfl_code is correct since it was checked when set
+     */
+    max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
+
+    /* Check if a smaller max length was negotiated */
+    if( ssl->session_out != NULL &&
+        ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
+    {
+        max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
+    }
+
+    /* During a handshake, use the value being negotiated */
+    if( ssl->session_negotiate != NULL &&
+        ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
+    {
+        max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
+    }
+
+    return( max_len );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
+{
+    /* Return unlimited mtu for client hello messages to avoid fragmentation. */
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+        ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
+          ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
+        return ( 0 );
+
+    if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
+        return( ssl->mtu );
+
+    if( ssl->mtu == 0 )
+        return( ssl->handshake->mtu );
+
+    return( ssl->mtu < ssl->handshake->mtu ?
+            ssl->mtu : ssl->handshake->mtu );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
+{
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    (void) ssl;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
+
+    if( max_len > mfl )
+        max_len = mfl;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl_get_current_mtu( ssl ) != 0 )
+    {
+        const size_t mtu = ssl_get_current_mtu( ssl );
+        const int ret = mbedtls_ssl_get_record_expansion( ssl );
+        const size_t overhead = (size_t) ret;
+
+        if( ret < 0 )
+            return( ret );
+
+        if( mtu <= overhead )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+
+        if( max_len > mtu - overhead )
+            max_len = mtu - overhead;
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) &&        \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    ((void) ssl);
+#endif
+
+    return( (int) max_len );
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL || ssl->session == NULL )
+        return( NULL );
+
+    return( ssl->session->peer_cert );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst )
+{
+    if( ssl == NULL ||
+        dst == NULL ||
+        ssl->session == NULL ||
+        ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    return( ssl_session_copy( dst, ssl->session ) );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/*
+ * Perform a single step of the SSL handshake
+ */
+int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+        ret = mbedtls_ssl_handshake_client_step( ssl );
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        ret = mbedtls_ssl_handshake_server_step( ssl );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Perform the SSL handshake
+ */
+int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
+
+    while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        ret = mbedtls_ssl_handshake_step( ssl );
+
+        if( ret != 0 )
+            break;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+#if defined(MBEDTLS_SSL_SRV_C)
+/*
+ * Write HelloRequest to request renegotiation on server
+ */
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_REQUEST;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+/*
+ * Actually renegotiate current connection, triggered by either:
+ * - any side: calling mbedtls_ssl_renegotiate(),
+ * - client: receiving a HelloRequest during mbedtls_ssl_read(),
+ * - server: receiving any handshake message on server during mbedtls_ssl_read() after
+ *   the initial handshake is completed.
+ * If the handshake doesn't complete due to waiting for I/O, it will continue
+ * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
+ */
+static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        return( ret );
+
+    /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
+     * the ServerHello will have message_seq = 1" */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+    {
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->handshake->out_msg_seq = 1;
+        else
+            ssl->handshake->in_msg_seq = 1;
+    }
+#endif
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
+
+    if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
+
+    return( 0 );
+}
+
+/*
+ * Renegotiate current connection on client,
+ * or request renegotiation on server
+ */
+int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    /* On server, just send the request */
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+
+        /* Did we already try/start sending HelloRequest? */
+        if( ssl->out_left != 0 )
+            return( mbedtls_ssl_flush_output( ssl ) );
+
+        return( ssl_write_hello_request( ssl ) );
+    }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    /*
+     * On client, either start the renegotiation process or,
+     * if already in progress, continue the handshake
+     */
+    if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
+            return( ret );
+        }
+    }
+    else
+    {
+        if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+    return( ret );
+}
+
+/*
+ * Check record counters and renegotiate if they're above the limit.
+ */
+static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
+{
+    size_t ep_len = ssl_ep_len( ssl );
+    int in_ctr_cmp;
+    int out_ctr_cmp;
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
+        ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
+    {
+        return( 0 );
+    }
+
+    in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
+                        ssl->conf->renego_period + ep_len, 8 - ep_len );
+    out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
+                          ssl->conf->renego_period + ep_len, 8 - ep_len );
+
+    if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
+    {
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
+    return( mbedtls_ssl_renegotiate( ssl ) );
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Receive application data decrypted from the SSL layer
+ */
+int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
+{
+    int ret;
+    size_t n;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+            return( ret );
+
+        if( ssl->handshake != NULL &&
+            ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+        {
+            if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+                return( ret );
+        }
+    }
+#endif
+
+    /*
+     * Check if renegotiation is necessary and/or handshake is
+     * in process. If yes, perform/continue, and fall through
+     * if an unexpected packet is received while the client
+     * is waiting for the ServerHello.
+     *
+     * (There is no equivalent to the last condition on
+     *  the server-side as it is not treated as within
+     *  a handshake while waiting for the ClientHello
+     *  after a renegotiation request.)
+     */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ret = ssl_check_ctr_renegotiate( ssl );
+    if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+        ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        ret = mbedtls_ssl_handshake( ssl );
+        if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+            ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+
+    /* Loop as long as no application data record is available */
+    while( ssl->in_offt == NULL )
+    {
+        /* Start timer if not already running */
+        if( ssl->f_get_timer != NULL &&
+            ssl->f_get_timer( ssl->p_timer ) == -1 )
+        {
+            ssl_set_timer( ssl, ssl->conf->read_timeout );
+        }
+
+        if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
+                return( 0 );
+
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+            return( ret );
+        }
+
+        if( ssl->in_msglen  == 0 &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            /*
+             * OpenSSL sends empty messages to randomize the IV
+             */
+            if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+            {
+                if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
+                    return( 0 );
+
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+                return( ret );
+            }
+        }
+
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
+
+            /*
+             * - For client-side, expect SERVER_HELLO_REQUEST.
+             * - For server-side, expect CLIENT_HELLO.
+             * - Fail (TLS) or silently drop record (DTLS) in other cases.
+             */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+                ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
+                  ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                {
+                    continue;
+                }
+#endif
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                {
+                    continue;
+                }
+#endif
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            /* Determine whether renegotiation attempt should be accepted */
+            if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
+                    ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+                      ssl->conf->allow_legacy_renegotiation ==
+                                                   MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
+            {
+                /*
+                 * Accept renegotiation request
+                 */
+
+                /* DTLS clients need to know renego is server-initiated */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                    ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+                {
+                    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+                }
+#endif
+                ret = ssl_start_renegotiation( ssl );
+                if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+                    ret != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
+                    return( ret );
+                }
+            }
+            else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            {
+                /*
+                 * Refuse renegotiation
+                 */
+
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+                if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+                {
+                    /* SSLv3 does not have a "no_renegotiation" warning, so
+                       we send a fatal alert and abort the connection. */
+                    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                    MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+                    return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+                }
+                else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+                {
+                    if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                                    MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                                    MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
+                    {
+                        return( ret );
+                    }
+                }
+                else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+                }
+            }
+
+            /* At this point, we don't know whether the renegotiation has been
+             * completed or not. The cases to consider are the following:
+             * 1) The renegotiation is complete. In this case, no new record
+             *    has been read yet.
+             * 2) The renegotiation is incomplete because the client received
+             *    an application data record while awaiting the ServerHello.
+             * 3) The renegotiation is incomplete because the client received
+             *    a non-handshake, non-application data message while awaiting
+             *    the ServerHello.
+             * In each of these case, looping will be the proper action:
+             * - For 1), the next iteration will read a new record and check
+             *   if it's application data.
+             * - For 2), the loop condition isn't satisfied as application data
+             *   is present, hence continue is the same as break
+             * - For 3), the loop condition is satisfied and read_record
+             *   will re-deliver the message that was held back by the client
+             *   when expecting the ServerHello.
+             */
+            continue;
+        }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+        {
+            if( ssl->conf->renego_max_records >= 0 )
+            {
+                if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+                                        "but not honored by client" ) );
+                    return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+                }
+            }
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+        }
+
+        if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+
+        ssl->in_offt = ssl->in_msg;
+
+        /* We're going to return something now, cancel timer,
+         * except if handshake (renegotiation) is in progress */
+        if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+            ssl_set_timer( ssl, 0 );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* If we requested renego but received AppData, resend HelloRequest.
+         * Do it now, after setting in_offt, to avoid taking this branch
+         * again if ssl_write_hello_request() returns WANT_WRITE */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+        {
+            if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                return( ret );
+            }
+        }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    }
+
+    n = ( len < ssl->in_msglen )
+        ? len : ssl->in_msglen;
+
+    memcpy( buf, ssl->in_offt, n );
+    ssl->in_msglen -= n;
+
+    if( ssl->in_msglen == 0 )
+    {
+        /* all bytes consumed */
+        ssl->in_offt = NULL;
+        ssl->keep_current_message = 0;
+    }
+    else
+    {
+        /* more data available */
+        ssl->in_offt += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
+
+    return( (int) n );
+}
+
+/*
+ * Send application data to be encrypted by the SSL layer, taking care of max
+ * fragment length and buffer size.
+ *
+ * According to RFC 5246 Section 6.2.1:
+ *
+ *      Zero-length fragments of Application data MAY be sent as they are
+ *      potentially useful as a traffic analysis countermeasure.
+ *
+ * Therefore, it is possible that the input message length is 0 and the
+ * corresponding return code is 0 on success.
+ */
+static int ssl_write_real( mbedtls_ssl_context *ssl,
+                           const unsigned char *buf, size_t len )
+{
+    int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
+    const size_t max_len = (size_t) ret;
+
+    if( ret < 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
+        return( ret );
+    }
+
+    if( len > max_len )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
+                                "maximum fragment length: %d > %d",
+                                len, max_len ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+        else
+#endif
+            len = max_len;
+    }
+
+    if( ssl->out_left != 0 )
+    {
+        /*
+         * The user has previously tried to send the data and
+         * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
+         * written. In this case, we expect the high-level write function
+         * (e.g. mbedtls_ssl_write()) to be called with the same parameters
+         */
+        if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
+            return( ret );
+        }
+    }
+    else
+    {
+        /*
+         * The user is trying to send a message the first time, so we need to
+         * copy the data into the internal buffers and setup the data structure
+         * to keep track of partial writes
+         */
+        ssl->out_msglen  = len;
+        ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+        memcpy( ssl->out_msg, buf, len );
+
+        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    return( (int) len );
+}
+
+/*
+ * Write application data, doing 1/n-1 splitting if necessary.
+ *
+ * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
+ * then the caller will call us again with the same arguments, so
+ * remember whether we already did the split or not.
+ */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+static int ssl_write_split( mbedtls_ssl_context *ssl,
+                            const unsigned char *buf, size_t len )
+{
+    int ret;
+
+    if( ssl->conf->cbc_record_splitting ==
+            MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
+        len <= 1 ||
+        ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
+        mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
+                                != MBEDTLS_MODE_CBC )
+    {
+        return( ssl_write_real( ssl, buf, len ) );
+    }
+
+    if( ssl->split_done == 0 )
+    {
+        if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
+            return( ret );
+        ssl->split_done = 1;
+    }
+
+    if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
+        return( ret );
+    ssl->split_done = 0;
+
+    return( ret + 1 );
+}
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+/*
+ * Write application data (public-facing wrapper)
+ */
+int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    ret = ssl_write_split( ssl, buf, len );
+#else
+    ret = ssl_write_real( ssl, buf, len );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
+
+    return( ret );
+}
+
+/*
+ * Notify the peer that the connection is being closed
+ */
+int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
+
+    if( ssl->out_left != 0 )
+        return( mbedtls_ssl_flush_output( ssl ) );
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                        MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                        MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
+{
+    if( transform == NULL )
+        return;
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    deflateEnd( &transform->ctx_deflate );
+    inflateEnd( &transform->ctx_inflate );
+#endif
+
+    mbedtls_cipher_free( &transform->cipher_ctx_enc );
+    mbedtls_cipher_free( &transform->cipher_ctx_dec );
+
+    mbedtls_md_free( &transform->md_ctx_enc );
+    mbedtls_md_free( &transform->md_ctx_dec );
+
+    mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
+{
+    mbedtls_ssl_key_cert *cur = key_cert, *next;
+
+    while( cur != NULL )
+    {
+        next = cur->next;
+        mbedtls_free( cur );
+        cur = next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_buffering_free( mbedtls_ssl_context *ssl )
+{
+    unsigned offset;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( hs == NULL )
+        return;
+
+    ssl_free_buffered_record( ssl );
+
+    for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
+        ssl_buffering_free_slot( ssl, offset );
+}
+
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
+                                     uint8_t slot )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
+
+    if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
+        return;
+
+    if( hs_buf->is_valid == 1 )
+    {
+        hs->buffering.total_bytes_buffered -= hs_buf->data_len;
+        mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
+        mbedtls_free( hs_buf->data );
+        memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
+    }
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    if( handshake == NULL )
+        return;
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
+    {
+        ssl->conf->f_async_cancel( ssl );
+        handshake->async_in_progress = 0;
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_free(    &handshake->fin_md5  );
+    mbedtls_sha1_free(   &handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_free(   &handshake->fin_sha256    );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_free(   &handshake->fin_sha512    );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_free( &handshake->dhm_ctx );
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_free( &handshake->ecdh_ctx );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
+#if defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free( handshake->ecjpake_cache );
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    /* explicit void pointer cast for buggy MS compiler */
+    mbedtls_free( (void *) handshake->curves );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( handshake->psk != NULL )
+    {
+        mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
+        mbedtls_free( handshake->psk );
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /*
+     * Free only the linked list wrapper, not the keys themselves
+     * since the belong to the SNI callback
+     */
+    if( handshake->sni_key_cert != NULL )
+    {
+        mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
+
+        while( cur != NULL )
+        {
+            next = cur->next;
+            mbedtls_free( cur );
+            cur = next;
+        }
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    mbedtls_free( handshake->verify_cookie );
+    ssl_flight_free( handshake->flight );
+    ssl_buffering_free( ssl );
+#endif
+
+    mbedtls_platform_zeroize( handshake,
+                              sizeof( mbedtls_ssl_handshake_params ) );
+}
+
+void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
+{
+    if( session == NULL )
+        return;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( session->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( session->peer_cert );
+        mbedtls_free( session->peer_cert );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free( session->ticket );
+#endif
+
+    mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
+}
+
+/*
+ * Free an SSL context
+ */
+void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
+
+    if( ssl->out_buf != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
+        mbedtls_free( ssl->out_buf );
+    }
+
+    if( ssl->in_buf != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
+        mbedtls_free( ssl->in_buf );
+    }
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->compress_buf != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
+        mbedtls_free( ssl->compress_buf );
+    }
+#endif
+
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+    }
+
+    if( ssl->handshake )
+    {
+        mbedtls_ssl_handshake_free( ssl );
+        mbedtls_ssl_transform_free( ssl->transform_negotiate );
+        mbedtls_ssl_session_free( ssl->session_negotiate );
+
+        mbedtls_free( ssl->handshake );
+        mbedtls_free( ssl->transform_negotiate );
+        mbedtls_free( ssl->session_negotiate );
+    }
+
+    if( ssl->session )
+    {
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+    }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( ssl->hostname != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_free( ssl->hostname );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_finish != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
+        mbedtls_ssl_hw_record_finish( ssl );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    mbedtls_free( ssl->cli_id );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
+
+    /* Actually clear after last debug message */
+    mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
+}
+
+/*
+ * Initialze mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
+{
+    memset( conf, 0, sizeof( mbedtls_ssl_config ) );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_preset_default_hashes[] = {
+#if defined(MBEDTLS_SHA512_C)
+    MBEDTLS_MD_SHA512,
+    MBEDTLS_MD_SHA384,
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA224,
+#endif
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
+    MBEDTLS_MD_SHA1,
+#endif
+    MBEDTLS_MD_NONE
+};
+#endif
+
+static int ssl_preset_suiteb_ciphersuites[] = {
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    0
+};
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_preset_suiteb_hashes[] = {
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA384,
+    MBEDTLS_MD_NONE
+};
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP256R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP384R1,
+#endif
+    MBEDTLS_ECP_DP_NONE
+};
+#endif
+
+/*
+ * Load default in mbedtls_ssl_config
+ */
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
+                                 int endpoint, int transport, int preset )
+{
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+    int ret;
+#endif
+
+    /* Use the functions here so that they are covered in tests,
+     * but otherwise access member directly for efficiency */
+    mbedtls_ssl_conf_endpoint( conf, endpoint );
+    mbedtls_ssl_conf_transport( conf, transport );
+
+    /*
+     * Things that are common to all presets
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#endif
+    }
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    conf->f_cookie_write = ssl_cookie_write_dummy;
+    conf->f_cookie_check = ssl_cookie_check_dummy;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
+    conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
+    memset( conf->renego_period,     0x00, 2 );
+    memset( conf->renego_period + 2, 0xFF, 6 );
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+            if( endpoint == MBEDTLS_SSL_IS_SERVER )
+            {
+                const unsigned char dhm_p[] =
+                    MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
+                const unsigned char dhm_g[] =
+                    MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
+
+                if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
+                                               dhm_p, sizeof( dhm_p ),
+                                               dhm_g, sizeof( dhm_g ) ) ) != 0 )
+                {
+                    return( ret );
+                }
+            }
+#endif
+
+    /*
+     * Preset-specific defaults
+     */
+    switch( preset )
+    {
+        /*
+         * NSA Suite B
+         */
+        case MBEDTLS_SSL_PRESET_SUITEB:
+            conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+            conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   ssl_preset_suiteb_ciphersuites;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            conf->sig_hashes = ssl_preset_suiteb_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = ssl_preset_suiteb_curves;
+#endif
+            break;
+
+        /*
+         * Default
+         */
+        default:
+            conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
+                                    MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
+                                    MBEDTLS_SSL_MIN_MAJOR_VERSION :
+                                    MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+            conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
+                                    MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
+                                    MBEDTLS_SSL_MIN_MINOR_VERSION :
+                                    MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
+#endif
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   mbedtls_ssl_list_ciphersuites();
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_default;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            conf->sig_hashes = ssl_preset_default_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = mbedtls_ecp_grp_id_list();
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+            conf->dhm_min_bitlen = 1024;
+#endif
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
+{
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi_free( &conf->dhm_P );
+    mbedtls_mpi_free( &conf->dhm_G );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( conf->psk != NULL )
+    {
+        mbedtls_platform_zeroize( conf->psk, conf->psk_len );
+        mbedtls_free( conf->psk );
+        conf->psk = NULL;
+        conf->psk_len = 0;
+    }
+
+    if( conf->psk_identity != NULL )
+    {
+        mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
+        mbedtls_free( conf->psk_identity );
+        conf->psk_identity = NULL;
+        conf->psk_identity_len = 0;
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    ssl_key_cert_free( conf->key_cert );
+#endif
+
+    mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
+}
+
+#if defined(MBEDTLS_PK_C) && \
+    ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
+/*
+ * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
+ */
+unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
+{
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
+        return( MBEDTLS_SSL_SIG_RSA );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
+        return( MBEDTLS_SSL_SIG_ECDSA );
+#endif
+    return( MBEDTLS_SSL_SIG_ANON );
+}
+
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
+{
+    switch( type ) {
+        case MBEDTLS_PK_RSA:
+            return( MBEDTLS_SSL_SIG_RSA );
+        case MBEDTLS_PK_ECDSA:
+        case MBEDTLS_PK_ECKEY:
+            return( MBEDTLS_SSL_SIG_ECDSA );
+        default:
+            return( MBEDTLS_SSL_SIG_ANON );
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
+{
+    switch( sig )
+    {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_SSL_SIG_RSA:
+            return( MBEDTLS_PK_RSA );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_SSL_SIG_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+#endif
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+                                                 mbedtls_pk_type_t sig_alg )
+{
+    switch( sig_alg )
+    {
+        case MBEDTLS_PK_RSA:
+            return( set->rsa );
+        case MBEDTLS_PK_ECDSA:
+            return( set->ecdsa );
+        default:
+            return( MBEDTLS_MD_NONE );
+    }
+}
+
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+                                   mbedtls_pk_type_t sig_alg,
+                                   mbedtls_md_type_t md_alg )
+{
+    switch( sig_alg )
+    {
+        case MBEDTLS_PK_RSA:
+            if( set->rsa == MBEDTLS_MD_NONE )
+                set->rsa = md_alg;
+            break;
+
+        case MBEDTLS_PK_ECDSA:
+            if( set->ecdsa == MBEDTLS_MD_NONE )
+                set->ecdsa = md_alg;
+            break;
+
+        default:
+            break;
+    }
+}
+
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+                                          mbedtls_md_type_t md_alg )
+{
+    set->rsa   = md_alg;
+    set->ecdsa = md_alg;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/*
+ * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
+ */
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
+{
+    switch( hash )
+    {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return( MBEDTLS_MD_MD5 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            return( MBEDTLS_MD_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA224:
+            return( MBEDTLS_MD_SHA224 );
+        case MBEDTLS_SSL_HASH_SHA256:
+            return( MBEDTLS_MD_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            return( MBEDTLS_MD_SHA384 );
+        case MBEDTLS_SSL_HASH_SHA512:
+            return( MBEDTLS_MD_SHA512 );
+#endif
+        default:
+            return( MBEDTLS_MD_NONE );
+    }
+}
+
+/*
+ * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
+ */
+unsigned char mbedtls_ssl_hash_from_md_alg( int md )
+{
+    switch( md )
+    {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return( MBEDTLS_SSL_HASH_MD5 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return( MBEDTLS_SSL_HASH_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return( MBEDTLS_SSL_HASH_SHA224 );
+        case MBEDTLS_MD_SHA256:
+            return( MBEDTLS_SSL_HASH_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return( MBEDTLS_SSL_HASH_SHA384 );
+        case MBEDTLS_MD_SHA512:
+            return( MBEDTLS_SSL_HASH_SHA512 );
+#endif
+        default:
+            return( MBEDTLS_SSL_HASH_NONE );
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Check if a curve proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
+{
+    const mbedtls_ecp_group_id *gid;
+
+    if( ssl->conf->curve_list == NULL )
+        return( -1 );
+
+    for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
+        if( *gid == grp_id )
+            return( 0 );
+
+    return( -1 );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Check if a hash proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
+                                mbedtls_md_type_t md )
+{
+    const int *cur;
+
+    if( ssl->conf->sig_hashes == NULL )
+        return( -1 );
+
+    for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+        if( *cur == (int) md )
+            return( 0 );
+
+    return( -1 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                          int cert_endpoint,
+                          uint32_t *flags )
+{
+    int ret = 0;
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    int usage = 0;
+#endif
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    const char *ext_oid;
+    size_t ext_len;
+#endif
+
+#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) &&          \
+    !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    ((void) cert);
+    ((void) cert_endpoint);
+    ((void) flags);
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        /* Server part of the key exchange */
+        switch( ciphersuite->key_exchange )
+        {
+            case MBEDTLS_KEY_EXCHANGE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+                usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+                usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+                usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
+                break;
+
+            /* Don't use default: we want warnings when adding new values */
+            case MBEDTLS_KEY_EXCHANGE_NONE:
+            case MBEDTLS_KEY_EXCHANGE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+                usage = 0;
+        }
+    }
+    else
+    {
+        /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
+        usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+    }
+
+    if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
+    {
+        *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
+        ret = -1;
+    }
+#else
+    ((void) ciphersuite);
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        ext_oid = MBEDTLS_OID_SERVER_AUTH;
+        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
+    }
+    else
+    {
+        ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
+    }
+
+    if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
+    {
+        *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
+        ret = -1;
+    }
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+    return( ret );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Convert version numbers to/from wire format
+ * and, for DTLS, to/from TLS equivalent.
+ *
+ * For TLS this is the identity.
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
+ * 1.0 <-> 3.2      (DTLS 1.0 is based on TLS 1.1)
+ * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
+ */
+void mbedtls_ssl_write_version( int major, int minor, int transport,
+                        unsigned char ver[2] )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
+            --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+
+        ver[0] = (unsigned char)( 255 - ( major - 2 ) );
+        ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
+    }
+    else
+#else
+    ((void) transport);
+#endif
+    {
+        ver[0] = (unsigned char) major;
+        ver[1] = (unsigned char) minor;
+    }
+}
+
+void mbedtls_ssl_read_version( int *major, int *minor, int transport,
+                       const unsigned char ver[2] )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        *major = 255 - ver[0] + 2;
+        *minor = 255 - ver[1] + 1;
+
+        if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
+            ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+    }
+    else
+#else
+    ((void) transport);
+#endif
+    {
+        *major = ver[0];
+        *minor = ver[1];
+    }
+}
+
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+        return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+
+    switch( md )
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls;
+            break;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
+            break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA256:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
+            break;
+#endif
+        default:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+    }
+
+    return 0;
+#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
+    (void) ssl;
+    (void) md;
+
+    return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        unsigned char *data, size_t data_len )
+{
+    int ret = 0;
+    mbedtls_md5_context mbedtls_md5;
+    mbedtls_sha1_context mbedtls_sha1;
+
+    mbedtls_md5_init( &mbedtls_md5 );
+    mbedtls_sha1_init( &mbedtls_sha1 );
+
+    /*
+     * digitally-signed struct {
+     *     opaque md5_hash[16];
+     *     opaque sha_hash[20];
+     * };
+     *
+     * md5_hash
+     *     MD5(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     * sha_hash
+     *     SHA(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
+                                        ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
+                                         ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
+                                         data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
+                                         output + 16 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
+        goto exit;
+    }
+
+exit:
+    mbedtls_md5_free( &mbedtls_md5 );
+    mbedtls_sha1_free( &mbedtls_sha1 );
+
+    if( ret != 0 )
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+
+    return( ret );
+
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
+                                            unsigned char *hash, size_t *hashlen,
+                                            unsigned char *data, size_t data_len,
+                                            mbedtls_md_type_t md_alg )
+{
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+    *hashlen = mbedtls_md_get_size( md_info );
+
+    mbedtls_md_init( &ctx );
+
+    /*
+     * digitally-signed struct {
+     *     opaque client_random[32];
+     *     opaque server_random[32];
+     *     ServerDHParams params;
+     * };
+     */
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
+        goto exit;
+    }
+
+exit:
+    mbedtls_md_free( &ctx );
+
+    if( ret != 0 )
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/ctrtool/deps/libmbedtls/src/threading.c b/ctrtool/deps/libmbedtls/src/threading.c
new file mode 100644
index 00000000..7c90c7c5
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/threading.c
@@ -0,0 +1,187 @@
+/*
+ *  Threading abstraction layer
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define THREADING_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+static void threading_mutex_init_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL )
+        return;
+
+    mutex->is_valid = pthread_mutex_init( &mutex->mutex, NULL ) == 0;
+}
+
+static void threading_mutex_free_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || !mutex->is_valid )
+        return;
+
+    (void) pthread_mutex_destroy( &mutex->mutex );
+    mutex->is_valid = 0;
+}
+
+static int threading_mutex_lock_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || ! mutex->is_valid )
+        return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+
+    if( pthread_mutex_lock( &mutex->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+
+    return( 0 );
+}
+
+static int threading_mutex_unlock_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || ! mutex->is_valid )
+        return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+
+    if( pthread_mutex_unlock( &mutex->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+
+    return( 0 );
+}
+
+void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t * ) = threading_mutex_init_pthread;
+void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t * ) = threading_mutex_free_pthread;
+int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t * ) = threading_mutex_lock_pthread;
+int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t * ) = threading_mutex_unlock_pthread;
+
+/*
+ * With phtreads we can statically initialize mutexes
+ */
+#define MUTEX_INIT  = { PTHREAD_MUTEX_INITIALIZER, 1 }
+
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_THREADING_ALT)
+static int threading_mutex_fail( mbedtls_threading_mutex_t *mutex )
+{
+    ((void) mutex );
+    return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+}
+static void threading_mutex_dummy( mbedtls_threading_mutex_t *mutex )
+{
+    ((void) mutex );
+    return;
+}
+
+void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t * ) = threading_mutex_dummy;
+void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t * ) = threading_mutex_dummy;
+int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t * ) = threading_mutex_fail;
+int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t * ) = threading_mutex_fail;
+
+/*
+ * Set functions pointers and initialize global mutexes
+ */
+void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t * ),
+                       void (*mutex_free)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_lock)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_unlock)( mbedtls_threading_mutex_t * ) )
+{
+    mbedtls_mutex_init = mutex_init;
+    mbedtls_mutex_free = mutex_free;
+    mbedtls_mutex_lock = mutex_lock;
+    mbedtls_mutex_unlock = mutex_unlock;
+
+#if defined(MBEDTLS_FS_IO)
+    mbedtls_mutex_init( &mbedtls_threading_readdir_mutex );
+#endif
+#if defined(THREADING_USE_GMTIME)
+    mbedtls_mutex_init( &mbedtls_threading_gmtime_mutex );
+#endif
+}
+
+/*
+ * Free global mutexes
+ */
+void mbedtls_threading_free_alt( void )
+{
+#if defined(MBEDTLS_FS_IO)
+    mbedtls_mutex_free( &mbedtls_threading_readdir_mutex );
+#endif
+#if defined(THREADING_USE_GMTIME)
+    mbedtls_mutex_free( &mbedtls_threading_gmtime_mutex );
+#endif
+}
+#endif /* MBEDTLS_THREADING_ALT */
+
+/*
+ * Define global mutexes
+ */
+#ifndef MUTEX_INIT
+#define MUTEX_INIT
+#endif
+#if defined(MBEDTLS_FS_IO)
+mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
+#endif
+#if defined(THREADING_USE_GMTIME)
+mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
+#endif
+
+#endif /* MBEDTLS_THREADING_C */
diff --git a/ctrtool/deps/libmbedtls/src/timing.c b/ctrtool/deps/libmbedtls/src/timing.c
new file mode 100644
index 00000000..009516a6
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/timing.c
@@ -0,0 +1,536 @@
+/*
+ *  Portable interface to the CPU cycle counter
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+
+#include "mbedtls/timing.h"
+
+#if !defined(MBEDTLS_TIMING_ALT)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
+#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
+#endif
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#include <windows.h>
+#include <process.h>
+
+struct _hr_time
+{
+    LARGE_INTEGER start;
+};
+
+#else
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <signal.h>
+#include <time.h>
+
+struct _hr_time
+{
+    struct timeval start;
+};
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    ( defined(_MSC_VER) && defined(_M_IX86) ) || defined(__WATCOMC__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tsc;
+    __asm   rdtsc
+    __asm   mov  [tsc], eax
+    return( tsc );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          ( _MSC_VER && _M_IX86 ) || __WATCOMC__ */
+
+/* some versions of mingw-64 have 32-bit longs even on x84_64 */
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__i386__) || (                       \
+    ( defined(__amd64__) || defined( __x86_64__) ) && __SIZEOF_LONG__ == 4 ) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long lo, hi;
+    asm volatile( "rdtsc" : "=a" (lo), "=d" (hi) );
+    return( lo );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __i386__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__amd64__) || defined(__x86_64__) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long lo, hi;
+    asm volatile( "rdtsc" : "=a" (lo), "=d" (hi) );
+    return( lo | ( hi << 32 ) );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && ( __amd64__ || __x86_64__ ) */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__powerpc__) || defined(__ppc__) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tbl, tbu0, tbu1;
+
+    do
+    {
+        asm volatile( "mftbu %0" : "=r" (tbu0) );
+        asm volatile( "mftb  %0" : "=r" (tbl ) );
+        asm volatile( "mftbu %0" : "=r" (tbu1) );
+    }
+    while( tbu0 != tbu1 );
+
+    return( tbl );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && ( __powerpc__ || __ppc__ ) */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && defined(__sparc64__)
+
+#if defined(__OpenBSD__)
+#warning OpenBSD does not allow access to tick register using software version instead
+#else
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tick;
+    asm volatile( "rdpr %%tick, %0;" : "=&r" (tick) );
+    return( tick );
+}
+#endif /* __OpenBSD__ */
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __sparc64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && defined(__sparc__) && !defined(__sparc64__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tick;
+    asm volatile( ".byte 0x83, 0x41, 0x00, 0x00" );
+    asm volatile( "mov   %%g1, %0" : "=r" (tick) );
+    return( tick );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __sparc__ && !__sparc64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&      \
+    defined(__GNUC__) && defined(__alpha__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long cc;
+    asm volatile( "rpcc %0" : "=r" (cc) );
+    return( cc & 0xFFFFFFFF );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __alpha__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&      \
+    defined(__GNUC__) && defined(__ia64__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long itc;
+    asm volatile( "mov %0 = ar.itc" : "=r" (itc) );
+    return( itc );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __ia64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(_MSC_VER) && \
+    !defined(EFIX64) && !defined(EFI32)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    LARGE_INTEGER offset;
+
+    QueryPerformanceCounter( &offset );
+
+    return( (unsigned long)( offset.QuadPart ) );
+}
+#endif /* !HAVE_HARDCLOCK && _MSC_VER && !EFIX64 && !EFI32 */
+
+#if !defined(HAVE_HARDCLOCK)
+
+#define HAVE_HARDCLOCK
+
+static int hardclock_init = 0;
+static struct timeval tv_init;
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    struct timeval tv_cur;
+
+    if( hardclock_init == 0 )
+    {
+        gettimeofday( &tv_init, NULL );
+        hardclock_init = 1;
+    }
+
+    gettimeofday( &tv_cur, NULL );
+    return( ( tv_cur.tv_sec  - tv_init.tv_sec  ) * 1000000
+          + ( tv_cur.tv_usec - tv_init.tv_usec ) );
+}
+#endif /* !HAVE_HARDCLOCK */
+
+volatile int mbedtls_timing_alarmed = 0;
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset )
+{
+    struct _hr_time *t = (struct _hr_time *) val;
+
+    if( reset )
+    {
+        QueryPerformanceCounter( &t->start );
+        return( 0 );
+    }
+    else
+    {
+        unsigned long delta;
+        LARGE_INTEGER now, hfreq;
+        QueryPerformanceCounter(  &now );
+        QueryPerformanceFrequency( &hfreq );
+        delta = (unsigned long)( ( now.QuadPart - t->start.QuadPart ) * 1000ul
+                                 / hfreq.QuadPart );
+        return( delta );
+    }
+}
+
+/* It's OK to use a global because alarm() is supposed to be global anyway */
+static DWORD alarmMs;
+
+static void TimerProc( void *TimerContext )
+{
+    (void) TimerContext;
+    Sleep( alarmMs );
+    mbedtls_timing_alarmed = 1;
+    /* _endthread will be called implicitly on return
+     * That ensures execution of thread funcition's epilogue */
+}
+
+void mbedtls_set_alarm( int seconds )
+{
+    if( seconds == 0 )
+    {
+        /* No need to create a thread for this simple case.
+         * Also, this shorcut is more reliable at least on MinGW32 */
+        mbedtls_timing_alarmed = 1;
+        return;
+    }
+
+    mbedtls_timing_alarmed = 0;
+    alarmMs = seconds * 1000;
+    (void) _beginthread( TimerProc, 0, NULL );
+}
+
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset )
+{
+    struct _hr_time *t = (struct _hr_time *) val;
+
+    if( reset )
+    {
+        gettimeofday( &t->start, NULL );
+        return( 0 );
+    }
+    else
+    {
+        unsigned long delta;
+        struct timeval now;
+        gettimeofday( &now, NULL );
+        delta = ( now.tv_sec  - t->start.tv_sec  ) * 1000ul
+              + ( now.tv_usec - t->start.tv_usec ) / 1000;
+        return( delta );
+    }
+}
+
+static void sighandler( int signum )
+{
+    mbedtls_timing_alarmed = 1;
+    signal( signum, sighandler );
+}
+
+void mbedtls_set_alarm( int seconds )
+{
+    mbedtls_timing_alarmed = 0;
+    signal( SIGALRM, sighandler );
+    alarm( seconds );
+    if( seconds == 0 )
+    {
+        /* alarm(0) cancelled any previous pending alarm, but the
+           handler won't fire, so raise the flag straight away. */
+        mbedtls_timing_alarmed = 1;
+    }
+}
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Set delays to watch
+ */
+void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms )
+{
+    mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+
+    ctx->int_ms = int_ms;
+    ctx->fin_ms = fin_ms;
+
+    if( fin_ms != 0 )
+        (void) mbedtls_timing_get_timer( &ctx->timer, 1 );
+}
+
+/*
+ * Get number of delays expired
+ */
+int mbedtls_timing_get_delay( void *data )
+{
+    mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+    unsigned long elapsed_ms;
+
+    if( ctx->fin_ms == 0 )
+        return( -1 );
+
+    elapsed_ms = mbedtls_timing_get_timer( &ctx->timer, 0 );
+
+    if( elapsed_ms >= ctx->fin_ms )
+        return( 2 );
+
+    if( elapsed_ms >= ctx->int_ms )
+        return( 1 );
+
+    return( 0 );
+}
+
+#endif /* !MBEDTLS_TIMING_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Busy-waits for the given number of milliseconds.
+ * Used for testing mbedtls_timing_hardclock.
+ */
+static void busy_msleep( unsigned long msec )
+{
+    struct mbedtls_timing_hr_time hires;
+    unsigned long i = 0; /* for busy-waiting */
+    volatile unsigned long j; /* to prevent optimisation */
+
+    (void) mbedtls_timing_get_timer( &hires, 1 );
+
+    while( mbedtls_timing_get_timer( &hires, 0 ) < msec )
+        i++;
+
+    j = i;
+    (void) j;
+}
+
+#define FAIL    do                                                      \
+    {                                                                   \
+        if( verbose != 0 )                                              \
+        {                                                               \
+            mbedtls_printf( "failed at line %d\n", __LINE__ );          \
+            mbedtls_printf( " cycles=%lu ratio=%lu millisecs=%lu secs=%lu hardfail=%d a=%lu b=%lu\n", \
+                            cycles, ratio, millisecs, secs, hardfail,   \
+                            (unsigned long) a, (unsigned long) b );     \
+            mbedtls_printf( " elapsed(hires)=%lu elapsed(ctx)=%lu status(ctx)=%d\n", \
+                            mbedtls_timing_get_timer( &hires, 0 ),      \
+                            mbedtls_timing_get_timer( &ctx.timer, 0 ),  \
+                            mbedtls_timing_get_delay( &ctx ) );         \
+        }                                                               \
+        return( 1 );                                                    \
+    } while( 0 )
+
+/*
+ * Checkup routine
+ *
+ * Warning: this is work in progress, some tests may not be reliable enough
+ * yet! False positives may happen.
+ */
+int mbedtls_timing_self_test( int verbose )
+{
+    unsigned long cycles = 0, ratio = 0;
+    unsigned long millisecs = 0, secs = 0;
+    int hardfail = 0;
+    struct mbedtls_timing_hr_time hires;
+    uint32_t a = 0, b = 0;
+    mbedtls_timing_delay_context ctx;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING tests note: will take some time!\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #1 (set_alarm / get_timer): " );
+
+    {
+        secs = 1;
+
+        (void) mbedtls_timing_get_timer( &hires, 1 );
+
+        mbedtls_set_alarm( (int) secs );
+        while( !mbedtls_timing_alarmed )
+            ;
+
+        millisecs = mbedtls_timing_get_timer( &hires, 0 );
+
+        /* For some reason on Windows it looks like alarm has an extra delay
+         * (maybe related to creating a new thread). Allow some room here. */
+        if( millisecs < 800 * secs || millisecs > 1200 * secs + 300 )
+            FAIL;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #2 (set/get_delay        ): " );
+
+    {
+        a = 800;
+        b = 400;
+        mbedtls_timing_set_delay( &ctx, a, a + b );          /* T = 0 */
+
+        busy_msleep( a - a / 4 );                      /* T = a - a/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 0 )
+            FAIL;
+
+        busy_msleep( a / 4 + b / 4 );                  /* T = a + b/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 1 )
+            FAIL;
+
+        busy_msleep( b );                          /* T = a + b + b/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 2 )
+            FAIL;
+    }
+
+    mbedtls_timing_set_delay( &ctx, 0, 0 );
+    busy_msleep( 200 );
+    if( mbedtls_timing_get_delay( &ctx ) != -1 )
+        FAIL;
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #3 (hardclock / get_timer): " );
+
+    /*
+     * Allow one failure for possible counter wrapping.
+     * On a 4Ghz 32-bit machine the cycle counter wraps about once per second;
+     * since the whole test is about 10ms, it shouldn't happen twice in a row.
+     */
+
+hard_test:
+    if( hardfail > 1 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed (ignored)\n" );
+
+        goto hard_test_done;
+    }
+
+    /* Get a reference ratio cycles/ms */
+    millisecs = 1;
+    cycles = mbedtls_timing_hardclock();
+    busy_msleep( millisecs );
+    cycles = mbedtls_timing_hardclock() - cycles;
+    ratio = cycles / millisecs;
+
+    /* Check that the ratio is mostly constant */
+    for( millisecs = 2; millisecs <= 4; millisecs++ )
+    {
+        cycles = mbedtls_timing_hardclock();
+        busy_msleep( millisecs );
+        cycles = mbedtls_timing_hardclock() - cycles;
+
+        /* Allow variation up to 20% */
+        if( cycles / millisecs < ratio - ratio / 5 ||
+            cycles / millisecs > ratio + ratio / 5 )
+        {
+            hardfail++;
+            goto hard_test;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+hard_test_done:
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_TIMING_C */
diff --git a/ctrtool/deps/libmbedtls/src/version.c b/ctrtool/deps/libmbedtls/src/version.c
new file mode 100644
index 00000000..fd967508
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/version.c
@@ -0,0 +1,50 @@
+/*
+ *  Version information
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+#include <string.h>
+
+unsigned int mbedtls_version_get_number( void )
+{
+    return( MBEDTLS_VERSION_NUMBER );
+}
+
+void mbedtls_version_get_string( char *string )
+{
+    memcpy( string, MBEDTLS_VERSION_STRING,
+            sizeof( MBEDTLS_VERSION_STRING ) );
+}
+
+void mbedtls_version_get_string_full( char *string )
+{
+    memcpy( string, MBEDTLS_VERSION_STRING_FULL,
+            sizeof( MBEDTLS_VERSION_STRING_FULL ) );
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/ctrtool/deps/libmbedtls/src/version_features.c b/ctrtool/deps/libmbedtls/src/version_features.c
new file mode 100644
index 00000000..3b67b2be
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/version_features.c
@@ -0,0 +1,785 @@
+/*
+ *  Version feature information
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+
+#include <string.h>
+
+static const char *features[] = {
+#if defined(MBEDTLS_VERSION_FEATURES)
+#if defined(MBEDTLS_HAVE_ASM)
+    "MBEDTLS_HAVE_ASM",
+#endif /* MBEDTLS_HAVE_ASM */
+#if defined(MBEDTLS_NO_UDBL_DIVISION)
+    "MBEDTLS_NO_UDBL_DIVISION",
+#endif /* MBEDTLS_NO_UDBL_DIVISION */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+    "MBEDTLS_NO_64BIT_MULTIPLICATION",
+#endif /* MBEDTLS_NO_64BIT_MULTIPLICATION */
+#if defined(MBEDTLS_HAVE_SSE2)
+    "MBEDTLS_HAVE_SSE2",
+#endif /* MBEDTLS_HAVE_SSE2 */
+#if defined(MBEDTLS_HAVE_TIME)
+    "MBEDTLS_HAVE_TIME",
+#endif /* MBEDTLS_HAVE_TIME */
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+    "MBEDTLS_HAVE_TIME_DATE",
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+    "MBEDTLS_PLATFORM_MEMORY",
+#endif /* MBEDTLS_PLATFORM_MEMORY */
+#if defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+    "MBEDTLS_PLATFORM_NO_STD_FUNCTIONS",
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+    "MBEDTLS_PLATFORM_EXIT_ALT",
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+    "MBEDTLS_PLATFORM_TIME_ALT",
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+    "MBEDTLS_PLATFORM_FPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+    "MBEDTLS_PLATFORM_PRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+    "MBEDTLS_PLATFORM_SNPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+    "MBEDTLS_PLATFORM_NV_SEED_ALT",
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#if defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+    "MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT",
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+    "MBEDTLS_DEPRECATED_WARNING",
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+    "MBEDTLS_DEPRECATED_REMOVED",
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#if defined(MBEDTLS_CHECK_PARAMS)
+    "MBEDTLS_CHECK_PARAMS",
+#endif /* MBEDTLS_CHECK_PARAMS */
+#if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+    "MBEDTLS_CHECK_PARAMS_ASSERT",
+#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
+#if defined(MBEDTLS_TIMING_ALT)
+    "MBEDTLS_TIMING_ALT",
+#endif /* MBEDTLS_TIMING_ALT */
+#if defined(MBEDTLS_AES_ALT)
+    "MBEDTLS_AES_ALT",
+#endif /* MBEDTLS_AES_ALT */
+#if defined(MBEDTLS_ARC4_ALT)
+    "MBEDTLS_ARC4_ALT",
+#endif /* MBEDTLS_ARC4_ALT */
+#if defined(MBEDTLS_ARIA_ALT)
+    "MBEDTLS_ARIA_ALT",
+#endif /* MBEDTLS_ARIA_ALT */
+#if defined(MBEDTLS_BLOWFISH_ALT)
+    "MBEDTLS_BLOWFISH_ALT",
+#endif /* MBEDTLS_BLOWFISH_ALT */
+#if defined(MBEDTLS_CAMELLIA_ALT)
+    "MBEDTLS_CAMELLIA_ALT",
+#endif /* MBEDTLS_CAMELLIA_ALT */
+#if defined(MBEDTLS_CCM_ALT)
+    "MBEDTLS_CCM_ALT",
+#endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CHACHA20_ALT)
+    "MBEDTLS_CHACHA20_ALT",
+#endif /* MBEDTLS_CHACHA20_ALT */
+#if defined(MBEDTLS_CHACHAPOLY_ALT)
+    "MBEDTLS_CHACHAPOLY_ALT",
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+#if defined(MBEDTLS_CMAC_ALT)
+    "MBEDTLS_CMAC_ALT",
+#endif /* MBEDTLS_CMAC_ALT */
+#if defined(MBEDTLS_DES_ALT)
+    "MBEDTLS_DES_ALT",
+#endif /* MBEDTLS_DES_ALT */
+#if defined(MBEDTLS_DHM_ALT)
+    "MBEDTLS_DHM_ALT",
+#endif /* MBEDTLS_DHM_ALT */
+#if defined(MBEDTLS_ECJPAKE_ALT)
+    "MBEDTLS_ECJPAKE_ALT",
+#endif /* MBEDTLS_ECJPAKE_ALT */
+#if defined(MBEDTLS_GCM_ALT)
+    "MBEDTLS_GCM_ALT",
+#endif /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_NIST_KW_ALT)
+    "MBEDTLS_NIST_KW_ALT",
+#endif /* MBEDTLS_NIST_KW_ALT */
+#if defined(MBEDTLS_MD2_ALT)
+    "MBEDTLS_MD2_ALT",
+#endif /* MBEDTLS_MD2_ALT */
+#if defined(MBEDTLS_MD4_ALT)
+    "MBEDTLS_MD4_ALT",
+#endif /* MBEDTLS_MD4_ALT */
+#if defined(MBEDTLS_MD5_ALT)
+    "MBEDTLS_MD5_ALT",
+#endif /* MBEDTLS_MD5_ALT */
+#if defined(MBEDTLS_POLY1305_ALT)
+    "MBEDTLS_POLY1305_ALT",
+#endif /* MBEDTLS_POLY1305_ALT */
+#if defined(MBEDTLS_RIPEMD160_ALT)
+    "MBEDTLS_RIPEMD160_ALT",
+#endif /* MBEDTLS_RIPEMD160_ALT */
+#if defined(MBEDTLS_RSA_ALT)
+    "MBEDTLS_RSA_ALT",
+#endif /* MBEDTLS_RSA_ALT */
+#if defined(MBEDTLS_SHA1_ALT)
+    "MBEDTLS_SHA1_ALT",
+#endif /* MBEDTLS_SHA1_ALT */
+#if defined(MBEDTLS_SHA256_ALT)
+    "MBEDTLS_SHA256_ALT",
+#endif /* MBEDTLS_SHA256_ALT */
+#if defined(MBEDTLS_SHA512_ALT)
+    "MBEDTLS_SHA512_ALT",
+#endif /* MBEDTLS_SHA512_ALT */
+#if defined(MBEDTLS_XTEA_ALT)
+    "MBEDTLS_XTEA_ALT",
+#endif /* MBEDTLS_XTEA_ALT */
+#if defined(MBEDTLS_ECP_ALT)
+    "MBEDTLS_ECP_ALT",
+#endif /* MBEDTLS_ECP_ALT */
+#if defined(MBEDTLS_MD2_PROCESS_ALT)
+    "MBEDTLS_MD2_PROCESS_ALT",
+#endif /* MBEDTLS_MD2_PROCESS_ALT */
+#if defined(MBEDTLS_MD4_PROCESS_ALT)
+    "MBEDTLS_MD4_PROCESS_ALT",
+#endif /* MBEDTLS_MD4_PROCESS_ALT */
+#if defined(MBEDTLS_MD5_PROCESS_ALT)
+    "MBEDTLS_MD5_PROCESS_ALT",
+#endif /* MBEDTLS_MD5_PROCESS_ALT */
+#if defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+    "MBEDTLS_RIPEMD160_PROCESS_ALT",
+#endif /* MBEDTLS_RIPEMD160_PROCESS_ALT */
+#if defined(MBEDTLS_SHA1_PROCESS_ALT)
+    "MBEDTLS_SHA1_PROCESS_ALT",
+#endif /* MBEDTLS_SHA1_PROCESS_ALT */
+#if defined(MBEDTLS_SHA256_PROCESS_ALT)
+    "MBEDTLS_SHA256_PROCESS_ALT",
+#endif /* MBEDTLS_SHA256_PROCESS_ALT */
+#if defined(MBEDTLS_SHA512_PROCESS_ALT)
+    "MBEDTLS_SHA512_PROCESS_ALT",
+#endif /* MBEDTLS_SHA512_PROCESS_ALT */
+#if defined(MBEDTLS_DES_SETKEY_ALT)
+    "MBEDTLS_DES_SETKEY_ALT",
+#endif /* MBEDTLS_DES_SETKEY_ALT */
+#if defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+    "MBEDTLS_DES_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+    "MBEDTLS_DES3_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES3_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+    "MBEDTLS_AES_SETKEY_ENC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_ENC_ALT */
+#if defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+    "MBEDTLS_AES_SETKEY_DEC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_DEC_ALT */
+#if defined(MBEDTLS_AES_ENCRYPT_ALT)
+    "MBEDTLS_AES_ENCRYPT_ALT",
+#endif /* MBEDTLS_AES_ENCRYPT_ALT */
+#if defined(MBEDTLS_AES_DECRYPT_ALT)
+    "MBEDTLS_AES_DECRYPT_ALT",
+#endif /* MBEDTLS_AES_DECRYPT_ALT */
+#if defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+    "MBEDTLS_ECDH_GEN_PUBLIC_ALT",
+#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+#if defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+    "MBEDTLS_ECDH_COMPUTE_SHARED_ALT",
+#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    "MBEDTLS_ECDSA_VERIFY_ALT",
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    "MBEDTLS_ECDSA_SIGN_ALT",
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#if defined(MBEDTLS_ECDSA_GENKEY_ALT)
+    "MBEDTLS_ECDSA_GENKEY_ALT",
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    "MBEDTLS_ECP_INTERNAL_ALT",
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    "MBEDTLS_ECP_ADD_MIXED_ALT",
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    "MBEDTLS_ECP_DOUBLE_JAC_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    "MBEDTLS_ECP_NORMALIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    "MBEDTLS_TEST_NULL_ENTROPY",
+#endif /* MBEDTLS_TEST_NULL_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    "MBEDTLS_ENTROPY_HARDWARE_ALT",
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#if defined(MBEDTLS_AES_ROM_TABLES)
+    "MBEDTLS_AES_ROM_TABLES",
+#endif /* MBEDTLS_AES_ROM_TABLES */
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+    "MBEDTLS_AES_FEWER_TABLES",
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+    "MBEDTLS_CAMELLIA_SMALL_MEMORY",
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    "MBEDTLS_CIPHER_MODE_CBC",
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    "MBEDTLS_CIPHER_MODE_CFB",
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    "MBEDTLS_CIPHER_MODE_CTR",
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    "MBEDTLS_CIPHER_MODE_OFB",
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    "MBEDTLS_CIPHER_MODE_XTS",
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    "MBEDTLS_CIPHER_NULL_CIPHER",
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    "MBEDTLS_CIPHER_PADDING_PKCS7",
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    "MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+    "MBEDTLS_CTR_DRBG_USE_128_BIT_KEY",
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+    "MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    "MBEDTLS_REMOVE_ARC4_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP521R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP512R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE25519_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE448_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+    "MBEDTLS_ECP_NIST_OPTIM",
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    "MBEDTLS_ECP_RESTARTABLE",
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    "MBEDTLS_ECDSA_DETERMINISTIC",
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+    "MBEDTLS_PK_PARSE_EC_EXTENDED",
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+    "MBEDTLS_ERROR_STRERROR_DUMMY",
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+#if defined(MBEDTLS_GENPRIME)
+    "MBEDTLS_GENPRIME",
+#endif /* MBEDTLS_GENPRIME */
+#if defined(MBEDTLS_FS_IO)
+    "MBEDTLS_FS_IO",
+#endif /* MBEDTLS_FS_IO */
+#if defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+    "MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES",
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+#if defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    "MBEDTLS_NO_PLATFORM_ENTROPY",
+#endif /* MBEDTLS_NO_PLATFORM_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+    "MBEDTLS_ENTROPY_FORCE_SHA256",
+#endif /* MBEDTLS_ENTROPY_FORCE_SHA256 */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    "MBEDTLS_ENTROPY_NV_SEED",
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    "MBEDTLS_MEMORY_DEBUG",
+#endif /* MBEDTLS_MEMORY_DEBUG */
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    "MBEDTLS_MEMORY_BACKTRACE",
+#endif /* MBEDTLS_MEMORY_BACKTRACE */
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+    "MBEDTLS_PK_RSA_ALT_SUPPORT",
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+#if defined(MBEDTLS_PKCS1_V15)
+    "MBEDTLS_PKCS1_V15",
+#endif /* MBEDTLS_PKCS1_V15 */
+#if defined(MBEDTLS_PKCS1_V21)
+    "MBEDTLS_PKCS1_V21",
+#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_RSA_NO_CRT)
+    "MBEDTLS_RSA_NO_CRT",
+#endif /* MBEDTLS_RSA_NO_CRT */
+#if defined(MBEDTLS_SELF_TEST)
+    "MBEDTLS_SELF_TEST",
+#endif /* MBEDTLS_SELF_TEST */
+#if defined(MBEDTLS_SHA256_SMALLER)
+    "MBEDTLS_SHA256_SMALLER",
+#endif /* MBEDTLS_SHA256_SMALLER */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+    "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
+#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    "MBEDTLS_SSL_ASYNC_PRIVATE",
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    "MBEDTLS_SSL_DEBUG_ALL",
+#endif /* MBEDTLS_SSL_DEBUG_ALL */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    "MBEDTLS_SSL_ENCRYPT_THEN_MAC",
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    "MBEDTLS_SSL_EXTENDED_MASTER_SECRET",
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    "MBEDTLS_SSL_FALLBACK_SCSV",
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    "MBEDTLS_SSL_HW_RECORD_ACCEL",
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    "MBEDTLS_SSL_CBC_RECORD_SPLITTING",
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    "MBEDTLS_SSL_RENEGOTIATION",
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+    "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO",
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    "MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE",
+#endif /* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH",
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    "MBEDTLS_SSL_PROTO_SSL3",
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+    "MBEDTLS_SSL_PROTO_TLS1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    "MBEDTLS_SSL_PROTO_TLS1_1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    "MBEDTLS_SSL_PROTO_TLS1_2",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    "MBEDTLS_SSL_PROTO_DTLS",
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_ALPN)
+    "MBEDTLS_SSL_ALPN",
+#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    "MBEDTLS_SSL_DTLS_ANTI_REPLAY",
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    "MBEDTLS_SSL_DTLS_HELLO_VERIFY",
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE",
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE */
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    "MBEDTLS_SSL_DTLS_BADMAC_LIMIT",
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    "MBEDTLS_SSL_SESSION_TICKETS",
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    "MBEDTLS_SSL_EXPORT_KEYS",
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    "MBEDTLS_SSL_SERVER_NAME_INDICATION",
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    "MBEDTLS_SSL_TRUNCATED_HMAC",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+    "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
+#if defined(MBEDTLS_THREADING_ALT)
+    "MBEDTLS_THREADING_ALT",
+#endif /* MBEDTLS_THREADING_ALT */
+#if defined(MBEDTLS_THREADING_PTHREAD)
+    "MBEDTLS_THREADING_PTHREAD",
+#endif /* MBEDTLS_THREADING_PTHREAD */
+#if defined(MBEDTLS_VERSION_FEATURES)
+    "MBEDTLS_VERSION_FEATURES",
+#endif /* MBEDTLS_VERSION_FEATURES */
+#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3",
+#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */
+#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+    "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION",
+#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    "MBEDTLS_X509_RSASSA_PSS_SUPPORT",
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    "MBEDTLS_ZLIB_SUPPORT",
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+#if defined(MBEDTLS_AESNI_C)
+    "MBEDTLS_AESNI_C",
+#endif /* MBEDTLS_AESNI_C */
+#if defined(MBEDTLS_AES_C)
+    "MBEDTLS_AES_C",
+#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_ARC4_C)
+    "MBEDTLS_ARC4_C",
+#endif /* MBEDTLS_ARC4_C */
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    "MBEDTLS_ASN1_PARSE_C",
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#if defined(MBEDTLS_ASN1_WRITE_C)
+    "MBEDTLS_ASN1_WRITE_C",
+#endif /* MBEDTLS_ASN1_WRITE_C */
+#if defined(MBEDTLS_BASE64_C)
+    "MBEDTLS_BASE64_C",
+#endif /* MBEDTLS_BASE64_C */
+#if defined(MBEDTLS_BIGNUM_C)
+    "MBEDTLS_BIGNUM_C",
+#endif /* MBEDTLS_BIGNUM_C */
+#if defined(MBEDTLS_BLOWFISH_C)
+    "MBEDTLS_BLOWFISH_C",
+#endif /* MBEDTLS_BLOWFISH_C */
+#if defined(MBEDTLS_CAMELLIA_C)
+    "MBEDTLS_CAMELLIA_C",
+#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+    "MBEDTLS_ARIA_C",
+#endif /* MBEDTLS_ARIA_C */
+#if defined(MBEDTLS_CCM_C)
+    "MBEDTLS_CCM_C",
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CERTS_C)
+    "MBEDTLS_CERTS_C",
+#endif /* MBEDTLS_CERTS_C */
+#if defined(MBEDTLS_CHACHA20_C)
+    "MBEDTLS_CHACHA20_C",
+#endif /* MBEDTLS_CHACHA20_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    "MBEDTLS_CHACHAPOLY_C",
+#endif /* MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_CIPHER_C)
+    "MBEDTLS_CIPHER_C",
+#endif /* MBEDTLS_CIPHER_C */
+#if defined(MBEDTLS_CMAC_C)
+    "MBEDTLS_CMAC_C",
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_CTR_DRBG_C)
+    "MBEDTLS_CTR_DRBG_C",
+#endif /* MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_DEBUG_C)
+    "MBEDTLS_DEBUG_C",
+#endif /* MBEDTLS_DEBUG_C */
+#if defined(MBEDTLS_DES_C)
+    "MBEDTLS_DES_C",
+#endif /* MBEDTLS_DES_C */
+#if defined(MBEDTLS_DHM_C)
+    "MBEDTLS_DHM_C",
+#endif /* MBEDTLS_DHM_C */
+#if defined(MBEDTLS_ECDH_C)
+    "MBEDTLS_ECDH_C",
+#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_ECDSA_C)
+    "MBEDTLS_ECDSA_C",
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_ECJPAKE_C)
+    "MBEDTLS_ECJPAKE_C",
+#endif /* MBEDTLS_ECJPAKE_C */
+#if defined(MBEDTLS_ECP_C)
+    "MBEDTLS_ECP_C",
+#endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_ENTROPY_C)
+    "MBEDTLS_ENTROPY_C",
+#endif /* MBEDTLS_ENTROPY_C */
+#if defined(MBEDTLS_ERROR_C)
+    "MBEDTLS_ERROR_C",
+#endif /* MBEDTLS_ERROR_C */
+#if defined(MBEDTLS_GCM_C)
+    "MBEDTLS_GCM_C",
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_HAVEGE_C)
+    "MBEDTLS_HAVEGE_C",
+#endif /* MBEDTLS_HAVEGE_C */
+#if defined(MBEDTLS_HKDF_C)
+    "MBEDTLS_HKDF_C",
+#endif /* MBEDTLS_HKDF_C */
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    "MBEDTLS_HMAC_DRBG_C",
+#endif /* MBEDTLS_HMAC_DRBG_C */
+#if defined(MBEDTLS_NIST_KW_C)
+    "MBEDTLS_NIST_KW_C",
+#endif /* MBEDTLS_NIST_KW_C */
+#if defined(MBEDTLS_MD_C)
+    "MBEDTLS_MD_C",
+#endif /* MBEDTLS_MD_C */
+#if defined(MBEDTLS_MD2_C)
+    "MBEDTLS_MD2_C",
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    "MBEDTLS_MD4_C",
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    "MBEDTLS_MD5_C",
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+    "MBEDTLS_MEMORY_BUFFER_ALLOC_C",
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+#if defined(MBEDTLS_NET_C)
+    "MBEDTLS_NET_C",
+#endif /* MBEDTLS_NET_C */
+#if defined(MBEDTLS_OID_C)
+    "MBEDTLS_OID_C",
+#endif /* MBEDTLS_OID_C */
+#if defined(MBEDTLS_PADLOCK_C)
+    "MBEDTLS_PADLOCK_C",
+#endif /* MBEDTLS_PADLOCK_C */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    "MBEDTLS_PEM_PARSE_C",
+#endif /* MBEDTLS_PEM_PARSE_C */
+#if defined(MBEDTLS_PEM_WRITE_C)
+    "MBEDTLS_PEM_WRITE_C",
+#endif /* MBEDTLS_PEM_WRITE_C */
+#if defined(MBEDTLS_PK_C)
+    "MBEDTLS_PK_C",
+#endif /* MBEDTLS_PK_C */
+#if defined(MBEDTLS_PK_PARSE_C)
+    "MBEDTLS_PK_PARSE_C",
+#endif /* MBEDTLS_PK_PARSE_C */
+#if defined(MBEDTLS_PK_WRITE_C)
+    "MBEDTLS_PK_WRITE_C",
+#endif /* MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PKCS5_C)
+    "MBEDTLS_PKCS5_C",
+#endif /* MBEDTLS_PKCS5_C */
+#if defined(MBEDTLS_PKCS11_C)
+    "MBEDTLS_PKCS11_C",
+#endif /* MBEDTLS_PKCS11_C */
+#if defined(MBEDTLS_PKCS12_C)
+    "MBEDTLS_PKCS12_C",
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PLATFORM_C)
+    "MBEDTLS_PLATFORM_C",
+#endif /* MBEDTLS_PLATFORM_C */
+#if defined(MBEDTLS_POLY1305_C)
+    "MBEDTLS_POLY1305_C",
+#endif /* MBEDTLS_POLY1305_C */
+#if defined(MBEDTLS_RIPEMD160_C)
+    "MBEDTLS_RIPEMD160_C",
+#endif /* MBEDTLS_RIPEMD160_C */
+#if defined(MBEDTLS_RSA_C)
+    "MBEDTLS_RSA_C",
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_SHA1_C)
+    "MBEDTLS_SHA1_C",
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    "MBEDTLS_SHA256_C",
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    "MBEDTLS_SHA512_C",
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SSL_CACHE_C)
+    "MBEDTLS_SSL_CACHE_C",
+#endif /* MBEDTLS_SSL_CACHE_C */
+#if defined(MBEDTLS_SSL_COOKIE_C)
+    "MBEDTLS_SSL_COOKIE_C",
+#endif /* MBEDTLS_SSL_COOKIE_C */
+#if defined(MBEDTLS_SSL_TICKET_C)
+    "MBEDTLS_SSL_TICKET_C",
+#endif /* MBEDTLS_SSL_TICKET_C */
+#if defined(MBEDTLS_SSL_CLI_C)
+    "MBEDTLS_SSL_CLI_C",
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    "MBEDTLS_SSL_SRV_C",
+#endif /* MBEDTLS_SSL_SRV_C */
+#if defined(MBEDTLS_SSL_TLS_C)
+    "MBEDTLS_SSL_TLS_C",
+#endif /* MBEDTLS_SSL_TLS_C */
+#if defined(MBEDTLS_THREADING_C)
+    "MBEDTLS_THREADING_C",
+#endif /* MBEDTLS_THREADING_C */
+#if defined(MBEDTLS_TIMING_C)
+    "MBEDTLS_TIMING_C",
+#endif /* MBEDTLS_TIMING_C */
+#if defined(MBEDTLS_VERSION_C)
+    "MBEDTLS_VERSION_C",
+#endif /* MBEDTLS_VERSION_C */
+#if defined(MBEDTLS_X509_USE_C)
+    "MBEDTLS_X509_USE_C",
+#endif /* MBEDTLS_X509_USE_C */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    "MBEDTLS_X509_CRT_PARSE_C",
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+    "MBEDTLS_X509_CRL_PARSE_C",
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+    "MBEDTLS_X509_CSR_PARSE_C",
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+#if defined(MBEDTLS_X509_CREATE_C)
+    "MBEDTLS_X509_CREATE_C",
+#endif /* MBEDTLS_X509_CREATE_C */
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+    "MBEDTLS_X509_CRT_WRITE_C",
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+    "MBEDTLS_X509_CSR_WRITE_C",
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+#if defined(MBEDTLS_XTEA_C)
+    "MBEDTLS_XTEA_C",
+#endif /* MBEDTLS_XTEA_C */
+#endif /* MBEDTLS_VERSION_FEATURES */
+    NULL
+};
+
+int mbedtls_version_check_feature( const char *feature )
+{
+    const char **idx = features;
+
+    if( *idx == NULL )
+        return( -2 );
+
+    if( feature == NULL )
+        return( -1 );
+
+    while( *idx != NULL )
+    {
+        if( !strcmp( *idx, feature ) )
+            return( 0 );
+        idx++;
+    }
+    return( -1 );
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/ctrtool/deps/libmbedtls/src/x509.c b/ctrtool/deps/libmbedtls/src/x509.c
new file mode 100644
index 00000000..2e0b0e8f
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/x509.c
@@ -0,0 +1,1072 @@
+/*
+ *  X.509 common functions for parsing and verification
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_USE_C)
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_free      free
+#define mbedtls_calloc    calloc
+#define mbedtls_printf    printf
+#define mbedtls_snprintf  snprintf
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_util.h"
+#include <time.h>
+#endif
+
+#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val)                      \
+    do                                                  \
+    {                                                   \
+        if( ( val ) < ( min ) || ( val ) > ( max ) )    \
+        {                                               \
+            return( ret );                              \
+        }                                               \
+    } while( 0 )
+
+/*
+ *  CertificateSerialNumber  ::=  INTEGER
+ */
+int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
+                     mbedtls_x509_buf *serial )
+{
+    int ret;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_PRIMITIVE | 2 ) &&
+        **p !=   MBEDTLS_ASN1_INTEGER )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    serial->tag = *(*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &serial->len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL + ret );
+
+    serial->p = *p;
+    *p += serial->len;
+
+    return( 0 );
+}
+
+/* Get an algorithm identifier without parameters (eg for signatures)
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ */
+int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
+                       mbedtls_x509_buf *alg )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    return( 0 );
+}
+
+/*
+ * Parse an algorithm identifier with (optional) parameters
+ */
+int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *alg, mbedtls_x509_buf *params )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, alg, params ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+/*
+ * HashAlgorithm ::= AlgorithmIdentifier
+ *
+ * AlgorithmIdentifier  ::=  SEQUENCE  {
+ *      algorithm               OBJECT IDENTIFIER,
+ *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *
+ * For HashAlgorithm, parameters MUST be NULL or absent.
+ */
+static int x509_get_hash_alg( const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_alg )
+{
+    int ret;
+    unsigned char *p;
+    const unsigned char *end;
+    mbedtls_x509_buf md_oid;
+    size_t len;
+
+    /* Make sure we got a SEQUENCE and setup bounds */
+    if( alg->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    p = (unsigned char *) alg->p;
+    end = p + alg->len;
+
+    if( p >= end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    /* Parse md_oid */
+    md_oid.tag = *p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &md_oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    md_oid.p = p;
+    p += md_oid.len;
+
+    /* Get md_alg from md_oid */
+    if( ( ret = mbedtls_oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    /* Make sure params is absent of NULL */
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_NULL ) ) != 0 || len != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p != end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ *    RSASSA-PSS-params  ::=  SEQUENCE  {
+ *       hashAlgorithm     [0] HashAlgorithm DEFAULT sha1Identifier,
+ *       maskGenAlgorithm  [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
+ *       saltLength        [2] INTEGER DEFAULT 20,
+ *       trailerField      [3] INTEGER DEFAULT 1  }
+ *    -- Note that the tags in this Sequence are explicit.
+ *
+ * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
+ * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
+ * option. Enfore this at parsing time.
+ */
+int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
+                                mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+                                int *salt_len )
+{
+    int ret;
+    unsigned char *p;
+    const unsigned char *end, *end2;
+    size_t len;
+    mbedtls_x509_buf alg_id, alg_params;
+
+    /* First set everything to defaults */
+    *md_alg = MBEDTLS_MD_SHA1;
+    *mgf_md = MBEDTLS_MD_SHA1;
+    *salt_len = 20;
+
+    /* Make sure params is a SEQUENCE and setup bounds */
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    p = (unsigned char *) params->p;
+    end = p + params->len;
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * HashAlgorithm
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
+        if( ( ret = mbedtls_x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * MaskGenAlgorithm
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
+        if( ( ret = mbedtls_x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
+            return( ret );
+
+        /* Only MFG1 is recognised for now */
+        if( MBEDTLS_OID_CMP( MBEDTLS_OID_MGF1, &alg_id ) != 0 )
+            return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE +
+                    MBEDTLS_ERR_OID_NOT_FOUND );
+
+        /* Parse HashAlgorithm */
+        if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
+            return( ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * salt_len
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 2 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        if( ( ret = mbedtls_asn1_get_int( &p, end2, salt_len ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * trailer_field (if present, must be 1)
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 3 ) ) == 0 )
+    {
+        int trailer_field;
+
+        end2 = p + len;
+
+        if( ( ret = mbedtls_asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        if( trailer_field != 1 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p != end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+/*
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_get_attr_type_value( unsigned char **p,
+                                     const unsigned char *end,
+                                     mbedtls_x509_name *cur )
+{
+    int ret;
+    size_t len;
+    mbedtls_x509_buf *oid;
+    mbedtls_x509_buf *val;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    end = *p + len;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    oid = &cur->oid;
+    oid->tag = **p;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &oid->len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    oid->p = *p;
+    *p += oid->len;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != MBEDTLS_ASN1_BMP_STRING && **p != MBEDTLS_ASN1_UTF8_STRING      &&
+        **p != MBEDTLS_ASN1_T61_STRING && **p != MBEDTLS_ASN1_PRINTABLE_STRING &&
+        **p != MBEDTLS_ASN1_IA5_STRING && **p != MBEDTLS_ASN1_UNIVERSAL_STRING &&
+        **p != MBEDTLS_ASN1_BIT_STRING )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    val = &cur->val;
+    val->tag = *(*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &val->len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    val->p = *p;
+    *p += val->len;
+
+    if( *p != end )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    cur->next = NULL;
+
+    return( 0 );
+}
+
+/*
+ *  Name ::= CHOICE { -- only one possibility for now --
+ *       rdnSequence  RDNSequence }
+ *
+ *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ *
+ * The data structure is optimized for the common case where each RDN has only
+ * one element, which is represented as a list of AttributeTypeAndValue.
+ * For the general case we still use a flat list, but we mark elements of the
+ * same set so that they are "merged" together in the functions that consume
+ * this list, eg mbedtls_x509_dn_gets().
+ */
+int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_name *cur )
+{
+    int ret;
+    size_t set_len;
+    const unsigned char *end_set;
+
+    /* don't use recursion, we'd risk stack overflow if not optimized */
+    while( 1 )
+    {
+        /*
+         * parse SET
+         */
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &set_len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+        end_set  = *p + set_len;
+
+        while( 1 )
+        {
+            if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
+                return( ret );
+
+            if( *p == end_set )
+                break;
+
+            /* Mark this item as being no the only one in a set */
+            cur->next_merged = 1;
+
+            cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+
+        /*
+         * continue until end of SEQUENCE is reached
+         */
+        if( *p == end )
+            return( 0 );
+
+        cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
+
+        if( cur->next == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        cur = cur->next;
+    }
+}
+
+static int x509_parse_int( unsigned char **p, size_t n, int *res )
+{
+    *res = 0;
+
+    for( ; n > 0; --n )
+    {
+        if( ( **p < '0') || ( **p > '9' ) )
+            return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+        *res *= 10;
+        *res += ( *(*p)++ - '0' );
+    }
+
+    return( 0 );
+}
+
+static int x509_date_is_valid(const mbedtls_x509_time *t )
+{
+    int ret = MBEDTLS_ERR_X509_INVALID_DATE;
+    int month_len;
+
+    CHECK_RANGE( 0, 9999, t->year );
+    CHECK_RANGE( 0, 23,   t->hour );
+    CHECK_RANGE( 0, 59,   t->min  );
+    CHECK_RANGE( 0, 59,   t->sec  );
+
+    switch( t->mon )
+    {
+        case 1: case 3: case 5: case 7: case 8: case 10: case 12:
+            month_len = 31;
+            break;
+        case 4: case 6: case 9: case 11:
+            month_len = 30;
+            break;
+        case 2:
+            if( ( !( t->year % 4 ) && t->year % 100 ) ||
+                !( t->year % 400 ) )
+                month_len = 29;
+            else
+                month_len = 28;
+            break;
+        default:
+            return( ret );
+    }
+    CHECK_RANGE( 1, month_len, t->day );
+
+    return( 0 );
+}
+
+/*
+ * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
+ * field.
+ */
+static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
+                            mbedtls_x509_time *tm )
+{
+    int ret;
+
+    /*
+     * Minimum length is 10 or 12 depending on yearlen
+     */
+    if ( len < yearlen + 8 )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+    len -= yearlen + 8;
+
+    /*
+     * Parse year, month, day, hour, minute
+     */
+    CHECK( x509_parse_int( p, yearlen, &tm->year ) );
+    if ( 2 == yearlen )
+    {
+        if ( tm->year < 50 )
+            tm->year += 100;
+
+        tm->year += 1900;
+    }
+
+    CHECK( x509_parse_int( p, 2, &tm->mon ) );
+    CHECK( x509_parse_int( p, 2, &tm->day ) );
+    CHECK( x509_parse_int( p, 2, &tm->hour ) );
+    CHECK( x509_parse_int( p, 2, &tm->min ) );
+
+    /*
+     * Parse seconds if present
+     */
+    if ( len >= 2 )
+    {
+        CHECK( x509_parse_int( p, 2, &tm->sec ) );
+        len -= 2;
+    }
+    else
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    /*
+     * Parse trailing 'Z' if present
+     */
+    if ( 1 == len && 'Z' == **p )
+    {
+        (*p)++;
+        len--;
+    }
+
+    /*
+     * We should have parsed all characters at this point
+     */
+    if ( 0 != len )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    CHECK( x509_date_is_valid( tm ) );
+
+    return ( 0 );
+}
+
+/*
+ *  Time ::= CHOICE {
+ *       utcTime        UTCTime,
+ *       generalTime    GeneralizedTime }
+ */
+int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
+                           mbedtls_x509_time *tm )
+{
+    int ret;
+    size_t len, year_len;
+    unsigned char tag;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    tag = **p;
+
+    if( tag == MBEDTLS_ASN1_UTC_TIME )
+        year_len = 2;
+    else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
+        year_len = 4;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    (*p)++;
+    ret = mbedtls_asn1_get_len( p, end, &len );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    return x509_parse_time( p, len, year_len, tm );
+}
+
+int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig )
+{
+    int ret;
+    size_t len;
+    int tag_type;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_SIGNATURE +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    tag_type = **p;
+
+    if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_SIGNATURE + ret );
+
+    sig->tag = tag_type;
+    sig->len = len;
+    sig->p = *p;
+
+    *p += len;
+
+    return( 0 );
+}
+
+/*
+ * Get signature algorithm from alg OID and optional parameters
+ */
+int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+                      mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+                      void **sig_opts )
+{
+    int ret;
+
+    if( *sig_opts != NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + ret );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    if( *pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        mbedtls_pk_rsassa_pss_options *pss_opts;
+
+        pss_opts = mbedtls_calloc( 1, sizeof( mbedtls_pk_rsassa_pss_options ) );
+        if( pss_opts == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        ret = mbedtls_x509_get_rsassa_pss_params( sig_params,
+                                          md_alg,
+                                          &pss_opts->mgf1_hash_id,
+                                          &pss_opts->expected_salt_len );
+        if( ret != 0 )
+        {
+            mbedtls_free( pss_opts );
+            return( ret );
+        }
+
+        *sig_opts = (void *) pss_opts;
+    }
+    else
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+    {
+        /* Make sure parameters are absent or NULL */
+        if( ( sig_params->tag != MBEDTLS_ASN1_NULL && sig_params->tag != 0 ) ||
+              sig_params->len != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+    }
+
+    return( 0 );
+}
+
+/*
+ * X.509 Extensions (No parsing of extensions, pointer should
+ * be either manually updated or extensions should be parsed!)
+ */
+int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
+                          mbedtls_x509_buf *ext, int tag )
+{
+    int ret;
+    size_t len;
+
+    /* Extension structure use EXPLICIT tagging. That is, the actual
+     * `Extensions` structure is wrapped by a tag-length pair using
+     * the respective context-specific tag. */
+    ret = mbedtls_asn1_get_tag( p, end, &ext->len,
+              MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag );
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    ext->tag = MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag;
+    ext->p   = *p;
+    end      = *p + ext->len;
+
+    /*
+     * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( end != *p + len )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Store the name in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn )
+{
+    int ret;
+    size_t i, n;
+    unsigned char c, merge = 0;
+    const mbedtls_x509_name *name;
+    const char *short_name = NULL;
+    char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p;
+
+    memset( s, 0, sizeof( s ) );
+
+    name = dn;
+    p = buf;
+    n = size;
+
+    while( name != NULL )
+    {
+        if( !name->oid.p )
+        {
+            name = name->next;
+            continue;
+        }
+
+        if( name != dn )
+        {
+            ret = mbedtls_snprintf( p, n, merge ? " + " : ", " );
+            MBEDTLS_X509_SAFE_SNPRINTF;
+        }
+
+        ret = mbedtls_oid_get_attr_short_name( &name->oid, &short_name );
+
+        if( ret == 0 )
+            ret = mbedtls_snprintf( p, n, "%s=", short_name );
+        else
+            ret = mbedtls_snprintf( p, n, "\?\?=" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        for( i = 0; i < name->val.len; i++ )
+        {
+            if( i >= sizeof( s ) - 1 )
+                break;
+
+            c = name->val.p[i];
+            if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
+                 s[i] = '?';
+            else s[i] = c;
+        }
+        s[i] = '\0';
+        ret = mbedtls_snprintf( p, n, "%s", s );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        merge = name->next_merged;
+        name = name->next;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Store the serial in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial )
+{
+    int ret;
+    size_t i, n, nr;
+    char *p;
+
+    p = buf;
+    n = size;
+
+    nr = ( serial->len <= 32 )
+        ? serial->len  : 28;
+
+    for( i = 0; i < nr; i++ )
+    {
+        if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
+            continue;
+
+        ret = mbedtls_snprintf( p, n, "%02X%s",
+                serial->p[i], ( i < nr - 1 ) ? ":" : "" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    if( nr != serial->len )
+    {
+        ret = mbedtls_snprintf( p, n, "...." );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Helper for writing signature algorithms
+ */
+int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+                       mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                       const void *sig_opts )
+{
+    int ret;
+    char *p = buf;
+    size_t n = size;
+    const char *desc = NULL;
+
+    ret = mbedtls_oid_get_sig_alg_desc( sig_oid, &desc );
+    if( ret != 0 )
+        ret = mbedtls_snprintf( p, n, "???"  );
+    else
+        ret = mbedtls_snprintf( p, n, "%s", desc );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        const mbedtls_pk_rsassa_pss_options *pss_opts;
+        const mbedtls_md_info_t *md_info, *mgf_md_info;
+
+        pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
+
+        md_info = mbedtls_md_info_from_type( md_alg );
+        mgf_md_info = mbedtls_md_info_from_type( pss_opts->mgf1_hash_id );
+
+        ret = mbedtls_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
+                              md_info ? mbedtls_md_get_name( md_info ) : "???",
+                              mgf_md_info ? mbedtls_md_get_name( mgf_md_info ) : "???",
+                              pss_opts->expected_salt_len );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+#else
+    ((void) pk_alg);
+    ((void) md_alg);
+    ((void) sig_opts);
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+    return( (int)( size - n ) );
+}
+
+/*
+ * Helper for writing "RSA key size", "EC key size", etc
+ */
+int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name )
+{
+    char *p = buf;
+    size_t n = buf_size;
+    int ret;
+
+    ret = mbedtls_snprintf( p, n, "%s key size", name );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/*
+ * Set the time structure to the current time.
+ * Return 0 on success, non-zero on failure.
+ */
+static int x509_get_current_time( mbedtls_x509_time *now )
+{
+    struct tm *lt, tm_buf;
+    mbedtls_time_t tt;
+    int ret = 0;
+
+    tt = mbedtls_time( NULL );
+    lt = mbedtls_platform_gmtime_r( &tt, &tm_buf );
+
+    if( lt == NULL )
+        ret = -1;
+    else
+    {
+        now->year = lt->tm_year + 1900;
+        now->mon  = lt->tm_mon  + 1;
+        now->day  = lt->tm_mday;
+        now->hour = lt->tm_hour;
+        now->min  = lt->tm_min;
+        now->sec  = lt->tm_sec;
+    }
+
+    return( ret );
+}
+
+/*
+ * Return 0 if before <= after, 1 otherwise
+ */
+static int x509_check_time( const mbedtls_x509_time *before, const mbedtls_x509_time *after )
+{
+    if( before->year  > after->year )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon   > after->mon )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day   > after->day )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour  > after->hour )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour == after->hour &&
+        before->min   > after->min  )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour == after->hour &&
+        before->min  == after->min  &&
+        before->sec   > after->sec  )
+        return( 1 );
+
+    return( 0 );
+}
+
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to )
+{
+    mbedtls_x509_time now;
+
+    if( x509_get_current_time( &now ) != 0 )
+        return( 1 );
+
+    return( x509_check_time( &now, to ) );
+}
+
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
+{
+    mbedtls_x509_time now;
+
+    if( x509_get_current_time( &now ) != 0 )
+        return( 1 );
+
+    return( x509_check_time( from, &now ) );
+}
+
+#else  /* MBEDTLS_HAVE_TIME_DATE */
+
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to )
+{
+    ((void) to);
+    return( 0 );
+}
+
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
+{
+    ((void) from);
+    return( 0 );
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/certs.h"
+
+/*
+ * Checkup routine
+ */
+int mbedtls_x509_self_test( int verbose )
+{
+    int ret = 0;
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
+    uint32_t flags;
+    mbedtls_x509_crt cacert;
+    mbedtls_x509_crt clicert;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  X.509 certificate load: " );
+
+    mbedtls_x509_crt_init( &cacert );
+    mbedtls_x509_crt_init( &clicert );
+
+    ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
+                           mbedtls_test_cli_crt_len );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt,
+                          mbedtls_test_ca_crt_len );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  X.509 signature verify: ");
+
+    ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n");
+
+cleanup:
+    mbedtls_x509_crt_free( &cacert  );
+    mbedtls_x509_crt_free( &clicert );
+#else
+    ((void) verbose);
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_X509_USE_C */
diff --git a/ctrtool/deps/libmbedtls/src/x509_create.c b/ctrtool/deps/libmbedtls/src/x509_create.c
new file mode 100644
index 00000000..546e8fa1
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/x509_create.c
@@ -0,0 +1,379 @@
+/*
+ *  X.509 base functions for creating certificates / CSRs
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CREATE_C)
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+/* Structure linking OIDs for X.509 DN AttributeTypes to their
+ * string representations and default string encodings used by Mbed TLS. */
+typedef struct {
+   const char *name; /* String representation of AttributeType, e.g.
+                      * "CN" or "emailAddress". */
+   size_t name_len;  /* Length of 'name', without trailing 0 byte. */
+   const char *oid;  /* String representation of OID of AttributeType,
+                      * as per RFC 5280, Appendix A.1. */
+   int default_tag;  /* The default character encoding used for the
+                      * given attribute type, e.g.
+                      * MBEDTLS_ASN1_UTF8_STRING for UTF-8. */
+} x509_attr_descriptor_t;
+
+#define ADD_STRLEN( s )     s, sizeof( s ) - 1
+
+/* X.509 DN attributes from RFC 5280, Appendix A.1. */
+static const x509_attr_descriptor_t x509_attrs[] =
+{
+    { ADD_STRLEN( "CN" ),
+      MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "commonName" ),
+      MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "C" ),
+      MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "countryName" ),
+      MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "O" ),
+      MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "organizationName" ),
+      MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "L" ),
+      MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "locality" ),
+      MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "R" ),
+      MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "OU" ),
+      MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "organizationalUnitName" ),
+      MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "ST" ),
+      MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "stateOrProvinceName" ),
+      MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "emailAddress" ),
+      MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "serialNumber" ),
+      MBEDTLS_OID_AT_SERIAL_NUMBER, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "postalAddress" ),
+      MBEDTLS_OID_AT_POSTAL_ADDRESS, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "postalCode" ),
+      MBEDTLS_OID_AT_POSTAL_CODE, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "dnQualifier" ),
+      MBEDTLS_OID_AT_DN_QUALIFIER, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "title" ),
+      MBEDTLS_OID_AT_TITLE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "surName" ),
+      MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "SN" ),
+      MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "givenName" ),
+      MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "GN" ),
+      MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "initials" ),
+      MBEDTLS_OID_AT_INITIALS, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "pseudonym" ),
+      MBEDTLS_OID_AT_PSEUDONYM, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "generationQualifier" ),
+      MBEDTLS_OID_AT_GENERATION_QUALIFIER, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "domainComponent" ),
+      MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "DC" ),
+      MBEDTLS_OID_DOMAIN_COMPONENT,   MBEDTLS_ASN1_IA5_STRING },
+    { NULL, 0, NULL, MBEDTLS_ASN1_NULL }
+};
+
+static const x509_attr_descriptor_t *x509_attr_descr_from_name( const char *name, size_t name_len )
+{
+    const x509_attr_descriptor_t *cur;
+
+    for( cur = x509_attrs; cur->name != NULL; cur++ )
+        if( cur->name_len == name_len &&
+            strncmp( cur->name, name, name_len ) == 0 )
+            break;
+
+    if ( cur->name == NULL )
+        return( NULL );
+
+    return( cur );
+}
+
+int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name )
+{
+    int ret = 0;
+    const char *s = name, *c = s;
+    const char *end = s + strlen( s );
+    const char *oid = NULL;
+    const x509_attr_descriptor_t* attr_descr = NULL;
+    int in_tag = 1;
+    char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+    char *d = data;
+
+    /* Clear existing chain if present */
+    mbedtls_asn1_free_named_data_list( head );
+
+    while( c <= end )
+    {
+        if( in_tag && *c == '=' )
+        {
+            if( ( attr_descr = x509_attr_descr_from_name( s, c - s ) ) == NULL )
+            {
+                ret = MBEDTLS_ERR_X509_UNKNOWN_OID;
+                goto exit;
+            }
+
+            oid = attr_descr->oid;
+            s = c + 1;
+            in_tag = 0;
+            d = data;
+        }
+
+        if( !in_tag && *c == '\\' && c != end )
+        {
+            c++;
+
+            /* Check for valid escaped characters */
+            if( c == end || *c != ',' )
+            {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        }
+        else if( !in_tag && ( *c == ',' || c == end ) )
+        {
+            mbedtls_asn1_named_data* cur =
+                mbedtls_asn1_store_named_data( head, oid, strlen( oid ),
+                                               (unsigned char *) data,
+                                               d - data );
+
+            if(cur == NULL )
+            {
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+            }
+
+            // set tagType
+            cur->val.tag = attr_descr->default_tag;
+
+            while( c < end && *(c + 1) == ' ' )
+                c++;
+
+            s = c + 1;
+            in_tag = 1;
+        }
+
+        if( !in_tag && s != c + 1 )
+        {
+            *(d++) = *c;
+
+            if( d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE )
+            {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        }
+
+        c++;
+    }
+
+exit:
+
+    return( ret );
+}
+
+/* The first byte of the value in the mbedtls_asn1_named_data structure is reserved
+ * to store the critical boolean for us
+ */
+int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+                        int critical, const unsigned char *val, size_t val_len )
+{
+    mbedtls_asn1_named_data *cur;
+
+    if( ( cur = mbedtls_asn1_store_named_data( head, oid, oid_len,
+                                       NULL, val_len + 1 ) ) == NULL )
+    {
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+    }
+
+    cur->val.p[0] = critical;
+    memcpy( cur->val.p + 1, val, val_len );
+
+    return( 0 );
+}
+
+/*
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_write_name( unsigned char **p, unsigned char *start, mbedtls_asn1_named_data* cur_name)
+{
+    int ret;
+    size_t len = 0;
+    const char *oid             = (const char*)cur_name->oid.p;
+    size_t oid_len              = cur_name->oid.len;
+    const unsigned char *name   = cur_name->val.p;
+    size_t name_len             = cur_name->val.len;
+
+    // Write correct string tag and value
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tagged_string( p, start,
+                                                       cur_name->val.tag,
+                                                       (const char *) name,
+                                                       name_len ) );
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid,
+                                                       oid_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                                    MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                                 MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SET ) );
+
+    return( (int) len );
+}
+
+int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
+                              mbedtls_asn1_named_data *first )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur = first;
+
+    while( cur != NULL )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, cur ) );
+        cur = cur->next;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len,
+                    unsigned char *sig, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p < start || (size_t)( *p - start ) < size )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = size;
+    (*p) -= len;
+    memcpy( *p, sig, len );
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = 0;
+    len += 1;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
+
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( p, start, oid,
+                                                        oid_len, 0 ) );
+
+    return( (int) len );
+}
+
+static int x509_write_extension( unsigned char **p, unsigned char *start,
+                                 mbedtls_asn1_named_data *ext )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->val.p + 1,
+                                              ext->val.len - 1 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->val.len - 1 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    if( ext->val.p[0] != 0 )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( p, start, 1 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->oid.p,
+                                              ext->oid.len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->oid.len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+/*
+ * Extension  ::=  SEQUENCE  {
+ *     extnID      OBJECT IDENTIFIER,
+ *     critical    BOOLEAN DEFAULT FALSE,
+ *     extnValue   OCTET STRING
+ *                 -- contains the DER encoding of an ASN.1 value
+ *                 -- corresponding to the extension type identified
+ *                 -- by extnID
+ *     }
+ */
+int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
+                           mbedtls_asn1_named_data *first )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur_ext = first;
+
+    while( cur_ext != NULL )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
+        cur_ext = cur_ext->next;
+    }
+
+    return( (int) len );
+}
+
+#endif /* MBEDTLS_X509_CREATE_C */
diff --git a/ctrtool/deps/libmbedtls/src/x509_crl.c b/ctrtool/deps/libmbedtls/src/x509_crl.c
new file mode 100644
index 00000000..00f8545d
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/x509_crl.c
@@ -0,0 +1,773 @@
+/*
+ *  X.509 Certidicate Revocation List (CRL) parsing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0), v2(1)  }
+ */
+static int x509_crl_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL v2 extensions
+ *
+ * We currently don't parse any extension's content, but we do check that the
+ * list of extensions is well-formed and abort on critical extensions (that
+ * are unsupported as we don't support any extension so far)
+ */
+static int x509_get_crl_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_buf *ext )
+{
+    int ret;
+
+    if( *p == end )
+        return( 0 );
+
+    /*
+     * crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+     *                              -- if present, version MUST be v2
+     */
+    if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
+        return( ret );
+
+    end = ext->p + ext->len;
+
+    while( *p < end )
+    {
+        /*
+         * Extension  ::=  SEQUENCE  {
+         *      extnID      OBJECT IDENTIFIER,
+         *      critical    BOOLEAN DEFAULT FALSE,
+         *      extnValue   OCTET STRING  }
+         */
+        int is_critical = 0;
+        const unsigned char *end_ext_data;
+        size_t len;
+
+        /* Get enclosing sequence tag */
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_data = *p + len;
+
+        /* Get OID (currently ignored) */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                                          MBEDTLS_ASN1_OID ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+        }
+        *p += len;
+
+        /* Get optional critical */
+        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
+                                           &is_critical ) ) != 0 &&
+            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+        }
+
+        /* Data should be octet string type */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        /* Ignore data so far and just check its length */
+        *p += len;
+        if( *p != end_ext_data )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        /* Abort on (unsupported) critical extensions */
+        if( is_critical )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL v2 entry extensions (no extensions parsed yet.)
+ */
+static int x509_get_crl_entry_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_buf *ext )
+{
+    int ret;
+    size_t len = 0;
+
+    /* OPTIONAL */
+    if( end <= *p )
+        return( 0 );
+
+    ext->tag = **p;
+    ext->p = *p;
+
+    /*
+     * Get CRL-entry extension sequence header
+     * crlEntryExtensions      Extensions OPTIONAL  -- if present, MUST be v2
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            ext->p = NULL;
+            return( 0 );
+        }
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+    }
+
+    end = *p + ext->len;
+
+    if( end != *p + ext->len )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        *p += len;
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL Entries
+ */
+static int x509_get_entries( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_crl_entry *entry )
+{
+    int ret;
+    size_t entry_len;
+    mbedtls_x509_crl_entry *cur_entry = entry;
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
+            MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( 0 );
+
+        return( ret );
+    }
+
+    end = *p + entry_len;
+
+    while( *p < end )
+    {
+        size_t len2;
+        const unsigned char *end2;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
+                MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        cur_entry->raw.tag = **p;
+        cur_entry->raw.p = *p;
+        cur_entry->raw.len = len2;
+        end2 = *p + len2;
+
+        if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_x509_get_time( p, end2,
+                                   &cur_entry->revocation_date ) ) != 0 )
+            return( ret );
+
+        if( ( ret = x509_get_crl_entry_ext( p, end2,
+                                            &cur_entry->entry_ext ) ) != 0 )
+            return( ret );
+
+        if( *p < end )
+        {
+            cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
+
+            if( cur_entry->next == NULL )
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+            cur_entry = cur_entry->next;
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one  CRLs in DER format and append it to the chained list
+ */
+int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
+                        const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p = NULL, *end = NULL;
+    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+    mbedtls_x509_crl *crl = chain;
+
+    /*
+     * Check for valid input
+     */
+    if( crl == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Add new CRL on the end of the chain if needed.
+     */
+    while( crl->version != 0 && crl->next != NULL )
+        crl = crl->next;
+
+    if( crl->version != 0 && crl->next == NULL )
+    {
+        crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
+
+        if( crl->next == NULL )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+        }
+
+        mbedtls_x509_crl_init( crl->next );
+        crl = crl->next;
+    }
+
+    /*
+     * Copy raw DER-encoded CRL
+     */
+    if( buflen == 0 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    p = mbedtls_calloc( 1, buflen );
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, buflen );
+
+    crl->raw.p = p;
+    crl->raw.len = buflen;
+
+    end = p + buflen;
+
+    /*
+     * CertificateList  ::=  SEQUENCE  {
+     *      tbsCertList          TBSCertList,
+     *      signatureAlgorithm   AlgorithmIdentifier,
+     *      signatureValue       BIT STRING  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len != (size_t) ( end - p ) )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    /*
+     * TBSCertList  ::=  SEQUENCE  {
+     */
+    crl->tbs.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    crl->tbs.len = end - crl->tbs.p;
+
+    /*
+     * Version  ::=  INTEGER  OPTIONAL {  v1(0), v2(1)  }
+     *               -- if present, MUST be v2
+     *
+     * signature            AlgorithmIdentifier
+     */
+    if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
+        ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( crl->version < 0 || crl->version > 1 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    crl->version++;
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
+                                  &crl->sig_md, &crl->sig_pk,
+                                  &crl->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
+    }
+
+    /*
+     * issuer               Name
+     */
+    crl->issuer_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    crl->issuer_raw.len = p - crl->issuer_raw.p;
+
+    /*
+     * thisUpdate          Time
+     * nextUpdate          Time OPTIONAL
+     */
+    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
+    {
+        if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
+                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
+            ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
+                        MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( ret );
+        }
+    }
+
+    /*
+     * revokedCertificates    SEQUENCE OF SEQUENCE   {
+     *      userCertificate        CertificateSerialNumber,
+     *      revocationDate         Time,
+     *      crlEntryExtensions     Extensions OPTIONAL
+     *                                   -- if present, MUST be v2
+     *                        } OPTIONAL
+     */
+    if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    /*
+     * crlExtensions          EXPLICIT Extensions OPTIONAL
+     *                              -- if present, MUST be v2
+     */
+    if( crl->version == 2 )
+    {
+        ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
+
+        if( ret != 0 )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( ret );
+        }
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    end = crl->raw.p + crl->raw.len;
+
+    /*
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signatureValue       BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( crl->sig_oid.len != sig_oid2.len ||
+        memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
+        sig_params1.len != sig_params2.len ||
+        ( sig_params1.len != 0 &&
+          memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_SIG_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int ret;
+    size_t use_len;
+    mbedtls_pem_context pem;
+    int is_pem = 0;
+
+    if( chain == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    do
+    {
+        mbedtls_pem_init( &pem );
+
+        // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
+        // string
+        if( buflen == 0 || buf[buflen - 1] != '\0' )
+            ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+        else
+            ret = mbedtls_pem_read_buffer( &pem,
+                                           "-----BEGIN X509 CRL-----",
+                                           "-----END X509 CRL-----",
+                                            buf, NULL, 0, &use_len );
+
+        if( ret == 0 )
+        {
+            /*
+             * Was PEM encoded
+             */
+            is_pem = 1;
+
+            buflen -= use_len;
+            buf += use_len;
+
+            if( ( ret = mbedtls_x509_crl_parse_der( chain,
+                                            pem.buf, pem.buflen ) ) != 0 )
+            {
+                mbedtls_pem_free( &pem );
+                return( ret );
+            }
+        }
+        else if( is_pem )
+        {
+            mbedtls_pem_free( &pem );
+            return( ret );
+        }
+
+        mbedtls_pem_free( &pem );
+    }
+    /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
+     * And a valid CRL cannot be less than 1 byte anyway. */
+    while( is_pem && buflen > 1 );
+
+    if( is_pem )
+        return( 0 );
+    else
+#endif /* MBEDTLS_PEM_PARSE_C */
+        return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_crl_parse( chain, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON    14
+#define BC              "14"
+/*
+ * Return an informational string about the CRL.
+ */
+int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crl *crl )
+{
+    int ret;
+    size_t n;
+    char *p;
+    const mbedtls_x509_crl_entry *entry;
+
+    p = buf;
+    n = size;
+
+    ret = mbedtls_snprintf( p, n, "%sCRL version   : %d",
+                               prefix, crl->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissuer name   : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sthis update   : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crl->this_update.year, crl->this_update.mon,
+                   crl->this_update.day,  crl->this_update.hour,
+                   crl->this_update.min,  crl->this_update.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%snext update   : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crl->next_update.year, crl->next_update.mon,
+                   crl->next_update.day,  crl->next_update.hour,
+                   crl->next_update.min,  crl->next_update.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    entry = &crl->entry;
+
+    ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
+                               prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    while( entry != NULL && entry->raw.len != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
+                               prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        ret = mbedtls_snprintf( p, n, " revocation date: " \
+                   "%04d-%02d-%02d %02d:%02d:%02d",
+                   entry->revocation_date.year, entry->revocation_date.mon,
+                   entry->revocation_date.day,  entry->revocation_date.hour,
+                   entry->revocation_date.min,  entry->revocation_date.sec );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        entry = entry->next;
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
+                             crl->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n" );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Initialize a CRL chain
+ */
+void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
+{
+    memset( crl, 0, sizeof(mbedtls_x509_crl) );
+}
+
+/*
+ * Unallocate all CRL data
+ */
+void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
+{
+    mbedtls_x509_crl *crl_cur = crl;
+    mbedtls_x509_crl *crl_prv;
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+    mbedtls_x509_crl_entry *entry_cur;
+    mbedtls_x509_crl_entry *entry_prv;
+
+    if( crl == NULL )
+        return;
+
+    do
+    {
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+        mbedtls_free( crl_cur->sig_opts );
+#endif
+
+        name_cur = crl_cur->issuer.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        entry_cur = crl_cur->entry.next;
+        while( entry_cur != NULL )
+        {
+            entry_prv = entry_cur;
+            entry_cur = entry_cur->next;
+            mbedtls_platform_zeroize( entry_prv,
+                                      sizeof( mbedtls_x509_crl_entry ) );
+            mbedtls_free( entry_prv );
+        }
+
+        if( crl_cur->raw.p != NULL )
+        {
+            mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
+            mbedtls_free( crl_cur->raw.p );
+        }
+
+        crl_cur = crl_cur->next;
+    }
+    while( crl_cur != NULL );
+
+    crl_cur = crl;
+    do
+    {
+        crl_prv = crl_cur;
+        crl_cur = crl_cur->next;
+
+        mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
+        if( crl_prv != crl )
+            mbedtls_free( crl_prv );
+    }
+    while( crl_cur != NULL );
+}
+
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
diff --git a/ctrtool/deps/libmbedtls/src/x509_crt.c b/ctrtool/deps/libmbedtls/src/x509_crt.c
new file mode 100644
index 00000000..9c2e3654
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/x509_crt.c
@@ -0,0 +1,2730 @@
+/*
+ *  X.509 certificate parsing and verification
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ *
+ *  [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#endif /* !_WIN32 || EFIX64 || EFI32 */
+#endif
+
+/*
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+    mbedtls_x509_crt *crt;
+    uint32_t flags;
+} x509_crt_verify_chain_item;
+
+/*
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define X509_MAX_VERIFY_CHAIN_SIZE    ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
+
+/*
+ * Default profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
+{
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
+    /* Allow SHA-1 (weak, but still safe in controlled environments) */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
+#endif
+    /* Only SHA-2 hashes */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    0xFFFFFFF, /* Any PK alg    */
+    0xFFFFFFF, /* Any curve     */
+    2048,
+};
+
+/*
+ * Next-default profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
+{
+    /* Hashes from SHA-256 and above */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    0xFFFFFFF, /* Any PK alg    */
+#if defined(MBEDTLS_ECP_C)
+    /* Curves at or above 128-bit security level */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ),
+#else
+    0,
+#endif
+    2048,
+};
+
+/*
+ * NSA Suite B Profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
+{
+    /* Only SHA-256 and 384 */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ),
+    /* Only ECDSA */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECKEY ),
+#if defined(MBEDTLS_ECP_C)
+    /* Only NIST P-256 and P-384 */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ),
+#else
+    0,
+#endif
+    0,
+};
+
+/*
+ * Check md_alg against profile
+ * Return 0 if md_alg is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
+                                      mbedtls_md_type_t md_alg )
+{
+    if( md_alg == MBEDTLS_MD_NONE )
+        return( -1 );
+
+    if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 )
+        return( 0 );
+
+    return( -1 );
+}
+
+/*
+ * Check pk_alg against profile
+ * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
+                                      mbedtls_pk_type_t pk_alg )
+{
+    if( pk_alg == MBEDTLS_PK_NONE )
+        return( -1 );
+
+    if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 )
+        return( 0 );
+
+    return( -1 );
+}
+
+/*
+ * Check key against profile
+ * Return 0 if pk is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
+                                   const mbedtls_pk_context *pk )
+{
+    const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type( pk );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
+            return( 0 );
+
+        return( -1 );
+    }
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECDSA ||
+        pk_alg == MBEDTLS_PK_ECKEY ||
+        pk_alg == MBEDTLS_PK_ECKEY_DH )
+    {
+        const mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
+
+        if( gid == MBEDTLS_ECP_DP_NONE )
+            return( -1 );
+
+        if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
+            return( 0 );
+
+        return( -1 );
+    }
+#endif
+
+    return( -1 );
+}
+
+/*
+ * Like memcmp, but case-insensitive and always returns -1 if different
+ */
+static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
+{
+    size_t i;
+    unsigned char diff;
+    const unsigned char *n1 = s1, *n2 = s2;
+
+    for( i = 0; i < len; i++ )
+    {
+        diff = n1[i] ^ n2[i];
+
+        if( diff == 0 )
+            continue;
+
+        if( diff == 32 &&
+            ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
+              ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
+        {
+            continue;
+        }
+
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Return 0 if name matches wildcard, -1 otherwise
+ */
+static int x509_check_wildcard( const char *cn, const mbedtls_x509_buf *name )
+{
+    size_t i;
+    size_t cn_idx = 0, cn_len = strlen( cn );
+
+    /* We can't have a match if there is no wildcard to match */
+    if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
+        return( -1 );
+
+    for( i = 0; i < cn_len; ++i )
+    {
+        if( cn[i] == '.' )
+        {
+            cn_idx = i;
+            break;
+        }
+    }
+
+    if( cn_idx == 0 )
+        return( -1 );
+
+    if( cn_len - cn_idx == name->len - 1 &&
+        x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 strings, case-insensitive, and allowing for some encoding
+ * variations (but not all).
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
+{
+    if( a->tag == b->tag &&
+        a->len == b->len &&
+        memcmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        a->len == b->len &&
+        x509_memcasecmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 Names (aka rdnSequence).
+ *
+ * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
+ * we sometimes return unequal when the full algorithm would return equal,
+ * but never the other way. (In particular, we don't do Unicode normalisation
+ * or space folding.)
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
+{
+    /* Avoid recursion, it might not be optimised by the compiler */
+    while( a != NULL || b != NULL )
+    {
+        if( a == NULL || b == NULL )
+            return( -1 );
+
+        /* type */
+        if( a->oid.tag != b->oid.tag ||
+            a->oid.len != b->oid.len ||
+            memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
+        {
+            return( -1 );
+        }
+
+        /* value */
+        if( x509_string_cmp( &a->val, &b->val ) != 0 )
+            return( -1 );
+
+        /* structure of the list of sets */
+        if( a->next_merged != b->next_merged )
+            return( -1 );
+
+        a = a->next;
+        b = b->next;
+    }
+
+    /* a == NULL == b */
+    return( 0 );
+}
+
+/*
+ * Reset (init or clear) a verify_chain
+ */
+static void x509_crt_verify_chain_reset(
+    mbedtls_x509_crt_verify_chain *ver_chain )
+{
+    size_t i;
+
+    for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
+    {
+        ver_chain->items[i].crt = NULL;
+        ver_chain->items[i].flags = (uint32_t) -1;
+    }
+
+    ver_chain->len = 0;
+}
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ */
+static int x509_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_VERSION +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ */
+static int x509_get_dates( unsigned char **p,
+                           const unsigned char *end,
+                           mbedtls_x509_time *from,
+                           mbedtls_x509_time *to )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    end = *p + len;
+
+    if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 )
+        return( ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 v2/v3 unique identifier (not parsed)
+ */
+static int x509_get_uid( unsigned char **p,
+                         const unsigned char *end,
+                         mbedtls_x509_buf *uid, int n )
+{
+    int ret;
+
+    if( *p == end )
+        return( 0 );
+
+    uid->tag = **p;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len,
+            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( 0 );
+
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    uid->p = *p;
+    *p += uid->len;
+
+    return( 0 );
+}
+
+static int x509_get_basic_constraints( unsigned char **p,
+                                       const unsigned char *end,
+                                       int *ca_istrue,
+                                       int *max_pathlen )
+{
+    int ret;
+    size_t len;
+
+    /*
+     * BasicConstraints ::= SEQUENCE {
+     *      cA                      BOOLEAN DEFAULT FALSE,
+     *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+     */
+    *ca_istrue = 0; /* DEFAULT FALSE */
+    *max_pathlen = 0; /* endless */
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            ret = mbedtls_asn1_get_int( p, end, ca_istrue );
+
+        if( ret != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        if( *ca_istrue != 0 )
+            *ca_istrue = 1;
+    }
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    (*max_pathlen)++;
+
+    return( 0 );
+}
+
+static int x509_get_ns_cert_type( unsigned char **p,
+                                       const unsigned char *end,
+                                       unsigned char *ns_cert_type)
+{
+    int ret;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( bs.len != 1 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    /* Get actual bitstring */
+    *ns_cert_type = *bs.p;
+    return( 0 );
+}
+
+static int x509_get_key_usage( unsigned char **p,
+                               const unsigned char *end,
+                               unsigned int *key_usage)
+{
+    int ret;
+    size_t i;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( bs.len < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    /* Get actual bitstring */
+    *key_usage = 0;
+    for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ )
+    {
+        *key_usage |= (unsigned int) bs.p[i] << (8*i);
+    }
+
+    return( 0 );
+}
+
+/*
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ */
+static int x509_get_ext_key_usage( unsigned char **p,
+                               const unsigned char *end,
+                               mbedtls_x509_sequence *ext_key_usage)
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    /* Sequence length must be >= 1 */
+    if( ext_key_usage->buf.p == NULL )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    return( 0 );
+}
+
+/*
+ * SubjectAltName ::= GeneralNames
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ *      otherName                       [0]     OtherName,
+ *      rfc822Name                      [1]     IA5String,
+ *      dNSName                         [2]     IA5String,
+ *      x400Address                     [3]     ORAddress,
+ *      directoryName                   [4]     Name,
+ *      ediPartyName                    [5]     EDIPartyName,
+ *      uniformResourceIdentifier       [6]     IA5String,
+ *      iPAddress                       [7]     OCTET STRING,
+ *      registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ * OtherName ::= SEQUENCE {
+ *      type-id    OBJECT IDENTIFIER,
+ *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * EDIPartyName ::= SEQUENCE {
+ *      nameAssigner            [0]     DirectoryString OPTIONAL,
+ *      partyName               [1]     DirectoryString }
+ *
+ * NOTE: we only parse and use dNSName at this point.
+ */
+static int x509_get_subject_alt_name( unsigned char **p,
+                                      const unsigned char *end,
+                                      mbedtls_x509_sequence *subject_alt_name )
+{
+    int ret;
+    size_t len, tag_len;
+    mbedtls_asn1_buf *buf;
+    unsigned char tag;
+    mbedtls_asn1_sequence *cur = subject_alt_name;
+
+    /* Get main sequence tag */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        if( ( end - *p ) < 1 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+        tag = **p;
+        (*p)++;
+        if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
+                MBEDTLS_ASN1_CONTEXT_SPECIFIC )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+        }
+
+        /* Skip everything but DNS name */
+        if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
+        {
+            *p += tag_len;
+            continue;
+        }
+
+        /* Allocate and assign next pointer */
+        if( cur->buf.p != NULL )
+        {
+            if( cur->next != NULL )
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
+
+            cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+
+        buf = &(cur->buf);
+        buf->tag = tag;
+        buf->p = *p;
+        buf->len = tag_len;
+        *p += buf->len;
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 v3 extensions
+ *
+ */
+static int x509_get_crt_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_crt *crt )
+{
+    int ret;
+    size_t len;
+    unsigned char *end_ext_data, *end_ext_octet;
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
+        return( ret );
+
+    end = crt->v3_ext.p + crt->v3_ext.len;
+    while( *p < end )
+    {
+        /*
+         * Extension  ::=  SEQUENCE  {
+         *      extnID      OBJECT IDENTIFIER,
+         *      critical    BOOLEAN DEFAULT FALSE,
+         *      extnValue   OCTET STRING  }
+         */
+        mbedtls_x509_buf extn_oid = {0, 0, NULL};
+        int is_critical = 0; /* DEFAULT FALSE */
+        int ext_type = 0;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_data = *p + len;
+
+        /* Get extension ID */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len,
+                                          MBEDTLS_ASN1_OID ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        extn_oid.tag = MBEDTLS_ASN1_OID;
+        extn_oid.p = *p;
+        *p += extn_oid.len;
+
+        /* Get optional critical */
+        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
+            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        /* Data should be octet string type */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_octet = *p + len;
+
+        if( end_ext_octet != end_ext_data )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        /*
+         * Detect supported extensions
+         */
+        ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type );
+
+        if( ret != 0 )
+        {
+            /* No parser found, skip extension */
+            *p = end_ext_octet;
+
+#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+            if( is_critical )
+            {
+                /* Data is marked as critical: fail */
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+            }
+#endif
+            continue;
+        }
+
+        /* Forbid repeated extensions */
+        if( ( crt->ext_types & ext_type ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
+
+        crt->ext_types |= ext_type;
+
+        switch( ext_type )
+        {
+        case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
+            /* Parse basic constraints */
+            if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
+                    &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_KEY_USAGE:
+            /* Parse key usage */
+            if( ( ret = x509_get_key_usage( p, end_ext_octet,
+                    &crt->key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
+            /* Parse extended key usage */
+            if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
+                    &crt->ext_key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+            /* Parse subject alt name */
+            if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
+                    &crt->subject_alt_names ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+            /* Parse netscape certificate type */
+            if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
+                    &crt->ns_cert_type ) ) != 0 )
+                return( ret );
+            break;
+
+        default:
+            return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+        }
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Parse and fill a single X.509 certificate in DER format
+ */
+static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char *buf,
+                                    size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end, *crt_end;
+    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+
+    memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Check for valid input
+     */
+    if( crt == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    // Use the original buffer until we figure out actual length
+    p = (unsigned char*) buf;
+    len = buflen;
+    end = p + len;
+
+    /*
+     * Certificate  ::=  SEQUENCE  {
+     *      tbsCertificate       TBSCertificate,
+     *      signatureAlgorithm   AlgorithmIdentifier,
+     *      signatureValue       BIT STRING  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len > (size_t) ( end - p ) )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    crt_end = p + len;
+
+    // Create and populate a new buffer for the raw field
+    crt->raw.len = crt_end - buf;
+    crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, crt->raw.len );
+
+    // Direct pointers to the new buffer
+    p += crt->raw.len - len;
+    end = crt_end = p + len;
+
+    /*
+     * TBSCertificate  ::=  SEQUENCE  {
+     */
+    crt->tbs.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    crt->tbs.len = end - crt->tbs.p;
+
+    /*
+     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     *
+     * CertificateSerialNumber  ::=  INTEGER
+     *
+     * signature            AlgorithmIdentifier
+     */
+    if( ( ret = x509_get_version(  &p, end, &crt->version  ) ) != 0 ||
+        ( ret = mbedtls_x509_get_serial(   &p, end, &crt->serial   ) ) != 0 ||
+        ( ret = mbedtls_x509_get_alg(      &p, end, &crt->sig_oid,
+                                            &sig_params1 ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( crt->version < 0 || crt->version > 2 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    crt->version++;
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1,
+                                  &crt->sig_md, &crt->sig_pk,
+                                  &crt->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     * issuer               Name
+     */
+    crt->issuer_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    crt->issuer_raw.len = p - crt->issuer_raw.p;
+
+    /*
+     * Validity ::= SEQUENCE {
+     *      notBefore      Time,
+     *      notAfter       Time }
+     *
+     */
+    if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
+                                         &crt->valid_to ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     * subject              Name
+     */
+    crt->subject_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    crt->subject_raw.len = p - crt->subject_raw.p;
+
+    /*
+     * SubjectPublicKeyInfo
+     */
+    if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  extensions      [3]  EXPLICIT Extensions OPTIONAL
+     *                       -- If present, version shall be v3
+     */
+    if( crt->version == 2 || crt->version == 3 )
+    {
+        ret = x509_get_uid( &p, end, &crt->issuer_id,  1 );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+    if( crt->version == 2 || crt->version == 3 )
+    {
+        ret = x509_get_uid( &p, end, &crt->subject_id,  2 );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+#if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    if( crt->version == 3 )
+#endif
+    {
+        ret = x509_get_crt_ext( &p, end, crt );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    end = crt_end;
+
+    /*
+     *  }
+     *  -- end of TBSCertificate
+     *
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signatureValue       BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( crt->sig_oid.len != sig_oid2.len ||
+        memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
+        sig_params1.len != sig_params2.len ||
+        ( sig_params1.len != 0 &&
+          memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_SIG_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one X.509 certificate in DER format from a buffer and add them to a
+ * chained list
+ */
+int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
+                        size_t buflen )
+{
+    int ret;
+    mbedtls_x509_crt *crt = chain, *prev = NULL;
+
+    /*
+     * Check for valid input
+     */
+    if( crt == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    while( crt->version != 0 && crt->next != NULL )
+    {
+        prev = crt;
+        crt = crt->next;
+    }
+
+    /*
+     * Add new certificate on the end of the chain if needed.
+     */
+    if( crt->version != 0 && crt->next == NULL )
+    {
+        crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
+
+        if( crt->next == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        prev = crt;
+        mbedtls_x509_crt_init( crt->next );
+        crt = crt->next;
+    }
+
+    if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
+    {
+        if( prev )
+            prev->next = NULL;
+
+        if( crt != chain )
+            mbedtls_free( crt );
+
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one or more PEM certificates from a buffer and add them to the chained
+ * list
+ */
+int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int success = 0, first_error = 0, total_failed = 0;
+    int buf_format = MBEDTLS_X509_FORMAT_DER;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if( chain == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    /*
+     * Determine buffer content. Buffer contains either one DER certificate or
+     * one or more PEM certificates.
+     */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if( buflen != 0 && buf[buflen - 1] == '\0' &&
+        strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
+    {
+        buf_format = MBEDTLS_X509_FORMAT_PEM;
+    }
+
+    if( buf_format == MBEDTLS_X509_FORMAT_DER )
+        return mbedtls_x509_crt_parse_der( chain, buf, buflen );
+#else
+    return mbedtls_x509_crt_parse_der( chain, buf, buflen );
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if( buf_format == MBEDTLS_X509_FORMAT_PEM )
+    {
+        int ret;
+        mbedtls_pem_context pem;
+
+        /* 1 rather than 0 since the terminating NULL byte is counted in */
+        while( buflen > 1 )
+        {
+            size_t use_len;
+            mbedtls_pem_init( &pem );
+
+            /* If we get there, we know the string is null-terminated */
+            ret = mbedtls_pem_read_buffer( &pem,
+                           "-----BEGIN CERTIFICATE-----",
+                           "-----END CERTIFICATE-----",
+                           buf, NULL, 0, &use_len );
+
+            if( ret == 0 )
+            {
+                /*
+                 * Was PEM encoded
+                 */
+                buflen -= use_len;
+                buf += use_len;
+            }
+            else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA )
+            {
+                return( ret );
+            }
+            else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+            {
+                mbedtls_pem_free( &pem );
+
+                /*
+                 * PEM header and footer were found
+                 */
+                buflen -= use_len;
+                buf += use_len;
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            }
+            else
+                break;
+
+            ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen );
+
+            mbedtls_pem_free( &pem );
+
+            if( ret != 0 )
+            {
+                /*
+                 * Quit parsing on a memory error
+                 */
+                if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED )
+                    return( ret );
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            }
+
+            success = 1;
+        }
+    }
+
+    if( success )
+        return( total_failed );
+    else if( first_error )
+        return( first_error );
+    else
+        return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT );
+#endif /* MBEDTLS_PEM_PARSE_C */
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more certificates and add them to the chained list
+ */
+int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_crt_parse( chain, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
+{
+    int ret = 0;
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    int w_ret;
+    WCHAR szDir[MAX_PATH];
+    char filename[MAX_PATH];
+    char *p;
+    size_t len = strlen( path );
+
+    WIN32_FIND_DATAW file_data;
+    HANDLE hFind;
+
+    if( len > MAX_PATH - 3 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    memset( szDir, 0, sizeof(szDir) );
+    memset( filename, 0, MAX_PATH );
+    memcpy( filename, path, len );
+    filename[len++] = '\\';
+    p = filename + len;
+    filename[len++] = '*';
+
+    w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir,
+                                 MAX_PATH - 3 );
+    if( w_ret == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    hFind = FindFirstFileW( szDir, &file_data );
+    if( hFind == INVALID_HANDLE_VALUE )
+        return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
+    len = MAX_PATH - len;
+    do
+    {
+        memset( p, 0, len );
+
+        if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
+            continue;
+
+        w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
+                                     lstrlenW( file_data.cFileName ),
+                                     p, (int) len - 1,
+                                     NULL, NULL );
+        if( w_ret == 0 )
+        {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        w_ret = mbedtls_x509_crt_parse_file( chain, filename );
+        if( w_ret < 0 )
+            ret++;
+        else
+            ret += w_ret;
+    }
+    while( FindNextFileW( hFind, &file_data ) != 0 );
+
+    if( GetLastError() != ERROR_NO_MORE_FILES )
+        ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+
+cleanup:
+    FindClose( hFind );
+#else /* _WIN32 */
+    int t_ret;
+    int snp_ret;
+    struct stat sb;
+    struct dirent *entry;
+    char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
+    DIR *dir = opendir( path );
+
+    if( dir == NULL )
+        return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 )
+    {
+        closedir( dir );
+        return( ret );
+    }
+#endif /* MBEDTLS_THREADING_C */
+
+    while( ( entry = readdir( dir ) ) != NULL )
+    {
+        snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name,
+                                    "%s/%s", path, entry->d_name );
+
+        if( snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name )
+        {
+            ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+            goto cleanup;
+        }
+        else if( stat( entry_name, &sb ) == -1 )
+        {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        if( !S_ISREG( sb.st_mode ) )
+            continue;
+
+        // Ignore parse errors
+        //
+        t_ret = mbedtls_x509_crt_parse_file( chain, entry_name );
+        if( t_ret < 0 )
+            ret++;
+        else
+            ret += t_ret;
+    }
+
+cleanup:
+    closedir( dir );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 )
+        ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+#endif /* MBEDTLS_THREADING_C */
+
+#endif /* _WIN32 */
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+static int x509_info_subject_alt_name( char **buf, size_t *size,
+                                       const mbedtls_x509_sequence *subject_alt_name )
+{
+    size_t i;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = subject_alt_name;
+    const char *sep = "";
+    size_t sep_len = 0;
+
+    while( cur != NULL )
+    {
+        if( cur->buf.len + sep_len >= n )
+        {
+            *p = '\0';
+            return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+        }
+
+        n -= cur->buf.len + sep_len;
+        for( i = 0; i < sep_len; i++ )
+            *p++ = sep[i];
+        for( i = 0; i < cur->buf.len; i++ )
+            *p++ = cur->buf.p[i];
+
+        sep = ", ";
+        sep_len = 2;
+
+        cur = cur->next;
+    }
+
+    *p = '\0';
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+#define PRINT_ITEM(i)                           \
+    {                                           \
+        ret = mbedtls_snprintf( p, n, "%s" i, sep );    \
+        MBEDTLS_X509_SAFE_SNPRINTF;                        \
+        sep = ", ";                             \
+    }
+
+#define CERT_TYPE(type,name)                    \
+    if( ns_cert_type & (type) )                 \
+        PRINT_ITEM( name );
+
+static int x509_info_cert_type( char **buf, size_t *size,
+                                unsigned char ns_cert_type )
+{
+    int ret;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT,         "SSL Client" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER,         "SSL Server" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL,              "Email" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING,     "Object Signing" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED,           "Reserved" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA,             "SSL CA" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA,           "Email CA" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA,  "Object Signing CA" );
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+#define KEY_USAGE(code,name)    \
+    if( key_usage & (code) )    \
+        PRINT_ITEM( name );
+
+static int x509_info_key_usage( char **buf, size_t *size,
+                                unsigned int key_usage )
+{
+    int ret;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE,    "Digital Signature" );
+    KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION,      "Non Repudiation" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT,     "Key Encipherment" );
+    KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT,    "Data Encipherment" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT,        "Key Agreement" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN,        "Key Cert Sign" );
+    KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN,             "CRL Sign" );
+    KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY,        "Encipher Only" );
+    KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY,        "Decipher Only" );
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+static int x509_info_ext_key_usage( char **buf, size_t *size,
+                                    const mbedtls_x509_sequence *extended_key_usage )
+{
+    int ret;
+    const char *desc;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = extended_key_usage;
+    const char *sep = "";
+
+    while( cur != NULL )
+    {
+        if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
+            desc = "???";
+
+        ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        sep = ", ";
+
+        cur = cur->next;
+    }
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON    18
+#define BC              "18"
+int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crt *crt )
+{
+    int ret;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    if( NULL == crt )
+    {
+        ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        return( (int) ( size - n ) );
+    }
+
+    ret = mbedtls_snprintf( p, n, "%scert. version     : %d\n",
+                               prefix, crt->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_snprintf( p, n, "%sserial number     : ",
+                               prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissuer name       : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->issuer  );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssubject name      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissued  on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_from.year, crt->valid_from.mon,
+                   crt->valid_from.day,  crt->valid_from.hour,
+                   crt->valid_from.min,  crt->valid_from.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sexpires on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_to.year, crt->valid_to.mon,
+                   crt->valid_to.day,  crt->valid_to.hour,
+                   crt->valid_to.min,  crt->valid_to.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
+                             crt->sig_md, crt->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /* Key size */
+    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
+                                      mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
+                          (int) mbedtls_pk_get_bitlen( &crt->pk ) );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /*
+     * Optional extensions
+     */
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
+                        crt->ca_istrue ? "true" : "false" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( crt->max_pathlen > 0 )
+        {
+            ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
+            MBEDTLS_X509_SAFE_SNPRINTF;
+        }
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%ssubject alt name  : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_subject_alt_name( &p, &n,
+                                            &crt->subject_alt_names ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%scert. type        : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%skey usage         : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sext key usage     : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_ext_key_usage( &p, &n,
+                                             &crt->ext_key_usage ) ) != 0 )
+            return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n" );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+struct x509_crt_verify_string {
+    int code;
+    const char *string;
+};
+
+static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
+    { MBEDTLS_X509_BADCERT_EXPIRED,       "The certificate validity has expired" },
+    { MBEDTLS_X509_BADCERT_REVOKED,       "The certificate has been revoked (is on a CRL)" },
+    { MBEDTLS_X509_BADCERT_CN_MISMATCH,   "The certificate Common Name (CN) does not match with the expected CN" },
+    { MBEDTLS_X509_BADCERT_NOT_TRUSTED,   "The certificate is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_NOT_TRUSTED,    "The CRL is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_EXPIRED,        "The CRL is expired" },
+    { MBEDTLS_X509_BADCERT_MISSING,       "Certificate was missing" },
+    { MBEDTLS_X509_BADCERT_SKIP_VERIFY,   "Certificate verification was skipped" },
+    { MBEDTLS_X509_BADCERT_OTHER,         "Other reason (can be used by verify callback)" },
+    { MBEDTLS_X509_BADCERT_FUTURE,        "The certificate validity starts in the future" },
+    { MBEDTLS_X509_BADCRL_FUTURE,         "The CRL is from the future" },
+    { MBEDTLS_X509_BADCERT_KEY_USAGE,     "Usage does not match the keyUsage extension" },
+    { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
+    { MBEDTLS_X509_BADCERT_NS_CERT_TYPE,  "Usage does not match the nsCertType extension" },
+    { MBEDTLS_X509_BADCERT_BAD_MD,        "The certificate is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCERT_BAD_PK,        "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCERT_BAD_KEY,       "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { MBEDTLS_X509_BADCRL_BAD_MD,         "The CRL is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCRL_BAD_PK,         "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCRL_BAD_KEY,        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { 0, NULL }
+};
+
+int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags )
+{
+    int ret;
+    const struct x509_crt_verify_string *cur;
+    char *p = buf;
+    size_t n = size;
+
+    for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ )
+    {
+        if( ( flags & cur->code ) == 0 )
+            continue;
+
+        ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+        flags ^= cur->code;
+    }
+
+    if( flags != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%sUnknown reason "
+                                       "(this should not happen)\n", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
+                                      unsigned int usage )
+{
+    unsigned int usage_must, usage_may;
+    unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
+                          | MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    usage_must = usage & ~may_mask;
+
+    if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    usage_may = usage & may_mask;
+
+    if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
+                                       const char *usage_oid,
+                                       size_t usage_len )
+{
+    const mbedtls_x509_sequence *cur;
+
+    /* Extension is not mandatory, absent means no restriction */
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    /*
+     * Look for the requested usage (or wildcard ANY) in our list
+     */
+    for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
+    {
+        const mbedtls_x509_buf *cur_oid = &cur->buf;
+
+        if( cur_oid->len == usage_len &&
+            memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
+        {
+            return( 0 );
+        }
+
+        if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 )
+            return( 0 );
+    }
+
+    return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+}
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/*
+ * Return 1 if the certificate is revoked, or 0 otherwise.
+ */
+int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl )
+{
+    const mbedtls_x509_crl_entry *cur = &crl->entry;
+
+    while( cur != NULL && cur->serial.len != 0 )
+    {
+        if( crt->serial.len == cur->serial.len &&
+            memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
+        {
+            if( mbedtls_x509_time_is_past( &cur->revocation_date ) )
+                return( 1 );
+        }
+
+        cur = cur->next;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check that the given certificate is not revoked according to the CRL.
+ * Skip validation if no CRL for the given CA is present.
+ */
+static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
+                               mbedtls_x509_crl *crl_list,
+                               const mbedtls_x509_crt_profile *profile )
+{
+    int flags = 0;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+
+    if( ca == NULL )
+        return( flags );
+
+    while( crl_list != NULL )
+    {
+        if( crl_list->version == 0 ||
+            x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
+        {
+            crl_list = crl_list->next;
+            continue;
+        }
+
+        /*
+         * Check if the CA is configured to sign CRLs
+         */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+        if( mbedtls_x509_crt_check_key_usage( ca,
+                                              MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
+        {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+#endif
+
+        /*
+         * Check if CRL is correctly signed by the trusted CA
+         */
+        if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 )
+            flags |= MBEDTLS_X509_BADCRL_BAD_MD;
+
+        if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
+            flags |= MBEDTLS_X509_BADCRL_BAD_PK;
+
+        md_info = mbedtls_md_info_from_type( crl_list->sig_md );
+        if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 )
+        {
+            /* Note: this can't happen except after an internal error */
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        if( x509_profile_check_key( profile, &ca->pk ) != 0 )
+            flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+        if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+                           crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
+                           crl_list->sig.p, crl_list->sig.len ) != 0 )
+        {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        /*
+         * Check for validity of CRL (Do not drop out)
+         */
+        if( mbedtls_x509_time_is_past( &crl_list->next_update ) )
+            flags |= MBEDTLS_X509_BADCRL_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &crl_list->this_update ) )
+            flags |= MBEDTLS_X509_BADCRL_FUTURE;
+
+        /*
+         * Check if certificate is revoked
+         */
+        if( mbedtls_x509_crt_is_revoked( crt, crl_list ) )
+        {
+            flags |= MBEDTLS_X509_BADCERT_REVOKED;
+            break;
+        }
+
+        crl_list = crl_list->next;
+    }
+
+    return( flags );
+}
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/*
+ * Check the signature of a certificate by its parent
+ */
+static int x509_crt_check_signature( const mbedtls_x509_crt *child,
+                                     mbedtls_x509_crt *parent,
+                                     mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    const mbedtls_md_info_t *md_info;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    md_info = mbedtls_md_info_from_type( child->sig_md );
+    if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
+    {
+        /* Note: this can't happen except after an internal error */
+        return( -1 );
+    }
+
+    /* Skip expensive computation on obvious mismatch */
+    if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
+        return( -1 );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
+    {
+        return( mbedtls_pk_verify_restartable( &parent->pk,
+                    child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                    child->sig.p, child->sig.len, &rs_ctx->pk ) );
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+    return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
+                child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                child->sig.p, child->sig.len ) );
+}
+
+/*
+ * Check if 'parent' is a suitable parent (signing CA) for 'child'.
+ * Return 0 if yes, -1 if not.
+ *
+ * top means parent is a locally-trusted certificate
+ */
+static int x509_crt_check_parent( const mbedtls_x509_crt *child,
+                                  const mbedtls_x509_crt *parent,
+                                  int top )
+{
+    int need_ca_bit;
+
+    /* Parent must be the issuer */
+    if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
+        return( -1 );
+
+    /* Parent must have the basicConstraints CA bit set as a general rule */
+    need_ca_bit = 1;
+
+    /* Exception: v1/v2 certificates that are locally trusted. */
+    if( top && parent->version < 3 )
+        need_ca_bit = 0;
+
+    if( need_ca_bit && ! parent->ca_istrue )
+        return( -1 );
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if( need_ca_bit &&
+        mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
+    {
+        return( -1 );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Find a suitable parent for child in candidates, or return NULL.
+ *
+ * Here suitable is defined as:
+ *  1. subject name matches child's issuer
+ *  2. if necessary, the CA bit is set and key usage allows signing certs
+ *  3. for trusted roots, the signature is correct
+ *     (for intermediates, the signature is checked and the result reported)
+ *  4. pathlen constraints are satisfied
+ *
+ * If there's a suitable candidate which is also time-valid, return the first
+ * such. Otherwise, return the first suitable candidate (or NULL if there is
+ * none).
+ *
+ * The rationale for this rule is that someone could have a list of trusted
+ * roots with two versions on the same root with different validity periods.
+ * (At least one user reported having such a list and wanted it to just work.)
+ * The reason we don't just require time-validity is that generally there is
+ * only one version, and if it's expired we want the flags to state that
+ * rather than NOT_TRUSTED, as would be the case if we required it here.
+ *
+ * The rationale for rule 3 (signature for trusted roots) is that users might
+ * have two versions of the same CA with different keys in their list, and the
+ * way we select the correct one is by checking the signature (as we don't
+ * rely on key identifier extensions). (This is one way users might choose to
+ * handle key rollover, another relies on self-issued certs, see [SIRO].)
+ *
+ * Arguments:
+ *  - [in] child: certificate for which we're looking for a parent
+ *  - [in] candidates: chained list of potential parents
+ *  - [out] r_parent: parent found (or NULL)
+ *  - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
+ *  - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
+ *         of the chain, 0 otherwise
+ *  - [in] path_cnt: number of intermediates seen so far
+ *  - [in] self_cnt: number of self-signed intermediates seen so far
+ *         (will never be greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ */
+static int x509_crt_find_parent_in(
+                        mbedtls_x509_crt *child,
+                        mbedtls_x509_crt *candidates,
+                        mbedtls_x509_crt **r_parent,
+                        int *r_signature_is_good,
+                        int top,
+                        unsigned path_cnt,
+                        unsigned self_cnt,
+                        mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_x509_crt *parent, *fallback_parent;
+    int signature_is_good, fallback_signature_is_good;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* did we have something in progress? */
+    if( rs_ctx != NULL && rs_ctx->parent != NULL )
+    {
+        /* restore saved state */
+        parent = rs_ctx->parent;
+        fallback_parent = rs_ctx->fallback_parent;
+        fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
+
+        /* clear saved state */
+        rs_ctx->parent = NULL;
+        rs_ctx->fallback_parent = NULL;
+        rs_ctx->fallback_signature_is_good = 0;
+
+        /* resume where we left */
+        goto check_signature;
+    }
+#endif
+
+    fallback_parent = NULL;
+    fallback_signature_is_good = 0;
+
+    for( parent = candidates; parent != NULL; parent = parent->next )
+    {
+        /* basic parenting skills (name, CA bit, key usage) */
+        if( x509_crt_check_parent( child, parent, top ) != 0 )
+            continue;
+
+        /* +1 because stored max_pathlen is 1 higher that the actual value */
+        if( parent->max_pathlen > 0 &&
+            (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt )
+        {
+            continue;
+        }
+
+        /* Signature */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+check_signature:
+#endif
+        ret = x509_crt_check_signature( child, parent, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+        {
+            /* save state */
+            rs_ctx->parent = parent;
+            rs_ctx->fallback_parent = fallback_parent;
+            rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
+
+            return( ret );
+        }
+#else
+        (void) ret;
+#endif
+
+        signature_is_good = ret == 0;
+        if( top && ! signature_is_good )
+            continue;
+
+        /* optional time check */
+        if( mbedtls_x509_time_is_past( &parent->valid_to ) ||
+            mbedtls_x509_time_is_future( &parent->valid_from ) )
+        {
+            if( fallback_parent == NULL )
+            {
+                fallback_parent = parent;
+                fallback_signature_is_good = signature_is_good;
+            }
+
+            continue;
+        }
+
+        *r_parent = parent;
+        *r_signature_is_good = signature_is_good;
+
+        break;
+    }
+
+    if( parent == NULL )
+    {
+        *r_parent = fallback_parent;
+        *r_signature_is_good = fallback_signature_is_good;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Find a parent in trusted CAs or the provided chain, or return NULL.
+ *
+ * Searches in trusted CAs first, and return the first suitable parent found
+ * (see find_parent_in() for definition of suitable).
+ *
+ * Arguments:
+ *  - [in] child: certificate for which we're looking for a parent, followed
+ *         by a chain of possible intermediates
+ *  - [in] trust_ca: list of locally trusted certificates
+ *  - [out] parent: parent found (or NULL)
+ *  - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
+ *  - [out] signature_is_good: 1 if child signature by parent is valid, or 0
+ *  - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
+ *  - [in] self_cnt: number of self-signed certs in the chain so far
+ *         (will always be no greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ */
+static int x509_crt_find_parent(
+                        mbedtls_x509_crt *child,
+                        mbedtls_x509_crt *trust_ca,
+                        mbedtls_x509_crt **parent,
+                        int *parent_is_trusted,
+                        int *signature_is_good,
+                        unsigned path_cnt,
+                        unsigned self_cnt,
+                        mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_x509_crt *search_list;
+
+    *parent_is_trusted = 1;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* restore then clear saved state if we have some stored */
+    if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1 )
+    {
+        *parent_is_trusted = rs_ctx->parent_is_trusted;
+        rs_ctx->parent_is_trusted = -1;
+    }
+#endif
+
+    while( 1 ) {
+        search_list = *parent_is_trusted ? trust_ca : child->next;
+
+        ret = x509_crt_find_parent_in( child, search_list,
+                                       parent, signature_is_good,
+                                       *parent_is_trusted,
+                                       path_cnt, self_cnt, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+        {
+            /* save state */
+            rs_ctx->parent_is_trusted = *parent_is_trusted;
+            return( ret );
+        }
+#else
+        (void) ret;
+#endif
+
+        /* stop here if found or already in second iteration */
+        if( *parent != NULL || *parent_is_trusted == 0 )
+            break;
+
+        /* prepare second iteration */
+        *parent_is_trusted = 0;
+    }
+
+    /* extra precaution against mistakes in the caller */
+    if( *parent == NULL )
+    {
+        *parent_is_trusted = 0;
+        *signature_is_good = 0;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check if an end-entity certificate is locally trusted
+ *
+ * Currently we require such certificates to be self-signed (actually only
+ * check for self-issued as self-signatures are not checked)
+ */
+static int x509_crt_check_ee_locally_trusted(
+                    mbedtls_x509_crt *crt,
+                    mbedtls_x509_crt *trust_ca )
+{
+    mbedtls_x509_crt *cur;
+
+    /* must be self-issued */
+    if( x509_name_cmp( &crt->issuer, &crt->subject ) != 0 )
+        return( -1 );
+
+    /* look for an exact match with trusted cert */
+    for( cur = trust_ca; cur != NULL; cur = cur->next )
+    {
+        if( crt->raw.len == cur->raw.len &&
+            memcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 )
+        {
+            return( 0 );
+        }
+    }
+
+    /* too bad */
+    return( -1 );
+}
+
+/*
+ * Build and verify a certificate chain
+ *
+ * Given a peer-provided list of certificates EE, C1, ..., Cn and
+ * a list of trusted certs R1, ... Rp, try to build and verify a chain
+ *      EE, Ci1, ... Ciq [, Rj]
+ * such that every cert in the chain is a child of the next one,
+ * jumping to a trusted root as early as possible.
+ *
+ * Verify that chain and return it with flags for all issues found.
+ *
+ * Special cases:
+ * - EE == Rj -> return a one-element list containing it
+ * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
+ *   -> return that chain with NOT_TRUSTED set on Ciq
+ *
+ * Tests for (aspects of) this function should include at least:
+ * - trusted EE
+ * - EE -> trusted root
+ * - EE -> intermediate CA -> trusted root
+ * - if relevant: EE untrusted
+ * - if relevant: EE -> intermediate, untrusted
+ * with the aspect under test checked at each relevant level (EE, int, root).
+ * For some aspects longer chains are required, but usually length 2 is
+ * enough (but length 1 is not in general).
+ *
+ * Arguments:
+ *  - [in] crt: the cert list EE, C1, ..., Cn
+ *  - [in] trust_ca: the trusted list R1, ..., Rp
+ *  - [in] ca_crl, profile: as in verify_with_profile()
+ *  - [out] ver_chain: the built and verified chain
+ *      Only valid when return value is 0, may contain garbage otherwise!
+ *      Restart note: need not be the same when calling again to resume.
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - non-zero if the chain could not be fully built and examined
+ *  - 0 is the chain was successfully built and examined,
+ *      even if it was found to be invalid
+ */
+static int x509_crt_verify_chain(
+                mbedtls_x509_crt *crt,
+                mbedtls_x509_crt *trust_ca,
+                mbedtls_x509_crl *ca_crl,
+                const mbedtls_x509_crt_profile *profile,
+                mbedtls_x509_crt_verify_chain *ver_chain,
+                mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    /* Don't initialize any of those variables here, so that the compiler can
+     * catch potential issues with jumping ahead when restarting */
+    int ret;
+    uint32_t *flags;
+    mbedtls_x509_crt_verify_chain_item *cur;
+    mbedtls_x509_crt *child;
+    mbedtls_x509_crt *parent;
+    int parent_is_trusted;
+    int child_is_trusted;
+    int signature_is_good;
+    unsigned self_cnt;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* resume if we had an operation in progress */
+    if( rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent )
+    {
+        /* restore saved state */
+        *ver_chain = rs_ctx->ver_chain; /* struct copy */
+        self_cnt = rs_ctx->self_cnt;
+
+        /* restore derived state */
+        cur = &ver_chain->items[ver_chain->len - 1];
+        child = cur->crt;
+        flags = &cur->flags;
+
+        goto find_parent;
+    }
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    child = crt;
+    self_cnt = 0;
+    parent_is_trusted = 0;
+    child_is_trusted = 0;
+
+    while( 1 ) {
+        /* Add certificate to the verification chain */
+        cur = &ver_chain->items[ver_chain->len];
+        cur->crt = child;
+        cur->flags = 0;
+        ver_chain->len++;
+        flags = &cur->flags;
+
+        /* Check time-validity (all certificates) */
+        if( mbedtls_x509_time_is_past( &child->valid_to ) )
+            *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &child->valid_from ) )
+            *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+
+        /* Stop here for trusted roots (but not for trusted EE certs) */
+        if( child_is_trusted )
+            return( 0 );
+
+        /* Check signature algorithm: MD & PK algs */
+        if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
+
+        if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+        /* Special case: EE certs that are locally trusted */
+        if( ver_chain->len == 1 &&
+            x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 )
+        {
+            return( 0 );
+        }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+find_parent:
+#endif
+        /* Look for a parent in trusted CAs or up the chain */
+        ret = x509_crt_find_parent( child, trust_ca, &parent,
+                                       &parent_is_trusted, &signature_is_good,
+                                       ver_chain->len - 1, self_cnt, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+        {
+            /* save state */
+            rs_ctx->in_progress = x509_crt_rs_find_parent;
+            rs_ctx->self_cnt = self_cnt;
+            rs_ctx->ver_chain = *ver_chain; /* struct copy */
+
+            return( ret );
+        }
+#else
+        (void) ret;
+#endif
+
+        /* No parent? We're done here */
+        if( parent == NULL )
+        {
+            *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+            return( 0 );
+        }
+
+        /* Count intermediate self-issued (not necessarily self-signed) certs.
+         * These can occur with some strategies for key rollover, see [SIRO],
+         * and should be excluded from max_pathlen checks. */
+        if( ver_chain->len != 1 &&
+            x509_name_cmp( &child->issuer, &child->subject ) == 0 )
+        {
+            self_cnt++;
+        }
+
+        /* path_cnt is 0 for the first intermediate CA,
+         * and if parent is trusted it's not an intermediate CA */
+        if( ! parent_is_trusted &&
+            ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
+        {
+            /* return immediately to avoid overflow the chain array */
+            return( MBEDTLS_ERR_X509_FATAL_ERROR );
+        }
+
+        /* signature was checked while searching parent */
+        if( ! signature_is_good )
+            *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+
+        /* check size of signing key */
+        if( x509_profile_check_key( profile, &parent->pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+        /* Check trusted CA's CRL for the given crt */
+        *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile );
+#else
+        (void) ca_crl;
+#endif
+
+        /* prepare for next iteration */
+        child = parent;
+        parent = NULL;
+        child_is_trusted = parent_is_trusted;
+        signature_is_good = 0;
+    }
+}
+
+/*
+ * Check for CN match
+ */
+static int x509_crt_check_cn( const mbedtls_x509_buf *name,
+                              const char *cn, size_t cn_len )
+{
+    /* try exact match */
+    if( name->len == cn_len &&
+        x509_memcasecmp( cn, name->p, cn_len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    /* try wildcard match */
+    if( x509_check_wildcard( cn, name ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Verify the requested CN - only call this if cn is not NULL!
+ */
+static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
+                                  const char *cn,
+                                  uint32_t *flags )
+{
+    const mbedtls_x509_name *name;
+    const mbedtls_x509_sequence *cur;
+    size_t cn_len = strlen( cn );
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
+    {
+        for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
+        {
+            if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
+                break;
+        }
+
+        if( cur == NULL )
+            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+    }
+    else
+    {
+        for( name = &crt->subject; name != NULL; name = name->next )
+        {
+            if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
+                x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
+            {
+                break;
+            }
+        }
+
+        if( name == NULL )
+            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+    }
+}
+
+/*
+ * Merge the flags for all certs in the chain, after calling callback
+ */
+static int x509_crt_merge_flags_with_cb(
+           uint32_t *flags,
+           const mbedtls_x509_crt_verify_chain *ver_chain,
+           int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+           void *p_vrfy )
+{
+    int ret;
+    unsigned i;
+    uint32_t cur_flags;
+    const mbedtls_x509_crt_verify_chain_item *cur;
+
+    for( i = ver_chain->len; i != 0; --i )
+    {
+        cur = &ver_chain->items[i-1];
+        cur_flags = cur->flags;
+
+        if( NULL != f_vrfy )
+            if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 )
+                return( ret );
+
+        *flags |= cur_flags;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Verify the certificate validity (default profile, not restartable)
+ */
+int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
+                &mbedtls_x509_crt_profile_default, cn, flags,
+                f_vrfy, p_vrfy, NULL ) );
+}
+
+/*
+ * Verify the certificate validity (user-chosen profile, not restartable)
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
+                profile, cn, flags, f_vrfy, p_vrfy, NULL ) );
+}
+
+/*
+ * Verify the certificate validity, with profile, restartable version
+ *
+ * This function:
+ *  - checks the requested CN (if any)
+ *  - checks the type and size of the EE cert's key,
+ *    as that isn't done as part of chain building/verification currently
+ *  - builds and verifies the chain
+ *  - then calls the callback and merges the flags
+ */
+int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy,
+                     mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_pk_type_t pk_type;
+    mbedtls_x509_crt_verify_chain ver_chain;
+    uint32_t ee_flags;
+
+    *flags = 0;
+    ee_flags = 0;
+    x509_crt_verify_chain_reset( &ver_chain );
+
+    if( profile == NULL )
+    {
+        ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+        goto exit;
+    }
+
+    /* check name if requested */
+    if( cn != NULL )
+        x509_crt_verify_name( crt, cn, &ee_flags );
+
+    /* Check the type and size of the key */
+    pk_type = mbedtls_pk_get_type( &crt->pk );
+
+    if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+    if( x509_profile_check_key( profile, &crt->pk ) != 0 )
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+    /* Check the chain */
+    ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
+                                 &ver_chain, rs_ctx );
+
+    if( ret != 0 )
+        goto exit;
+
+    /* Merge end-entity flags */
+    ver_chain.items[0].flags |= ee_flags;
+
+    /* Build final flags, calling callback on the way if any */
+    ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
+
+exit:
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+        mbedtls_x509_crt_restart_free( rs_ctx );
+#endif
+
+    /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
+     * the SSL module for authmode optional, but non-zero return from the
+     * callback means a fatal error so it shouldn't be ignored */
+    if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
+        ret = MBEDTLS_ERR_X509_FATAL_ERROR;
+
+    if( ret != 0 )
+    {
+        *flags = (uint32_t) -1;
+        return( ret );
+    }
+
+    if( *flags != 0 )
+        return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
+
+    return( 0 );
+}
+
+/*
+ * Initialize a certificate chain
+ */
+void mbedtls_x509_crt_init( mbedtls_x509_crt *crt )
+{
+    memset( crt, 0, sizeof(mbedtls_x509_crt) );
+}
+
+/*
+ * Unallocate all certificate data
+ */
+void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
+{
+    mbedtls_x509_crt *cert_cur = crt;
+    mbedtls_x509_crt *cert_prv;
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+    mbedtls_x509_sequence *seq_cur;
+    mbedtls_x509_sequence *seq_prv;
+
+    if( crt == NULL )
+        return;
+
+    do
+    {
+        mbedtls_pk_free( &cert_cur->pk );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+        mbedtls_free( cert_cur->sig_opts );
+#endif
+
+        name_cur = cert_cur->issuer.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        name_cur = cert_cur->subject.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        seq_cur = cert_cur->ext_key_usage.next;
+        while( seq_cur != NULL )
+        {
+            seq_prv = seq_cur;
+            seq_cur = seq_cur->next;
+            mbedtls_platform_zeroize( seq_prv,
+                                      sizeof( mbedtls_x509_sequence ) );
+            mbedtls_free( seq_prv );
+        }
+
+        seq_cur = cert_cur->subject_alt_names.next;
+        while( seq_cur != NULL )
+        {
+            seq_prv = seq_cur;
+            seq_cur = seq_cur->next;
+            mbedtls_platform_zeroize( seq_prv,
+                                      sizeof( mbedtls_x509_sequence ) );
+            mbedtls_free( seq_prv );
+        }
+
+        if( cert_cur->raw.p != NULL )
+        {
+            mbedtls_platform_zeroize( cert_cur->raw.p, cert_cur->raw.len );
+            mbedtls_free( cert_cur->raw.p );
+        }
+
+        cert_cur = cert_cur->next;
+    }
+    while( cert_cur != NULL );
+
+    cert_cur = crt;
+    do
+    {
+        cert_prv = cert_cur;
+        cert_cur = cert_cur->next;
+
+        mbedtls_platform_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
+        if( cert_prv != crt )
+            mbedtls_free( cert_prv );
+    }
+    while( cert_cur != NULL );
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
+{
+    mbedtls_pk_restart_init( &ctx->pk );
+
+    ctx->parent = NULL;
+    ctx->fallback_parent = NULL;
+    ctx->fallback_signature_is_good = 0;
+
+    ctx->parent_is_trusted = -1;
+
+    ctx->in_progress = x509_crt_rs_none;
+    ctx->self_cnt = 0;
+    x509_crt_verify_chain_reset( &ctx->ver_chain );
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_pk_restart_free( &ctx->pk );
+    mbedtls_x509_crt_restart_init( ctx );
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/ctrtool/deps/libmbedtls/src/x509_csr.c b/ctrtool/deps/libmbedtls/src/x509_csr.c
new file mode 100644
index 00000000..c8c08c87
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/x509_csr.c
@@ -0,0 +1,419 @@
+/*
+ *  X.509 Certificate Signing Request (CSR) parsing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0)  }
+ */
+static int x509_csr_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
+                        const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end;
+    mbedtls_x509_buf sig_params;
+
+    memset( &sig_params, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Check for valid input
+     */
+    if( csr == NULL || buf == NULL || buflen == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    mbedtls_x509_csr_init( csr );
+
+    /*
+     * first copy the raw DER data
+     */
+    p = mbedtls_calloc( 1, len = buflen );
+
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, buflen );
+
+    csr->raw.p = p;
+    csr->raw.len = len;
+    end = p + len;
+
+    /*
+     *  CertificationRequest ::= SEQUENCE {
+     *       certificationRequestInfo CertificationRequestInfo,
+     *       signatureAlgorithm AlgorithmIdentifier,
+     *       signature          BIT STRING
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len != (size_t) ( end - p ) )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    /*
+     *  CertificationRequestInfo ::= SEQUENCE {
+     */
+    csr->cri.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    csr->cri.len = end - csr->cri.p;
+
+    /*
+     *  Version  ::=  INTEGER {  v1(0) }
+     */
+    if( ( ret = x509_csr_get_version( &p, end, &csr->version ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( csr->version != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    csr->version++;
+
+    /*
+     *  subject               Name
+     */
+    csr->subject_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    csr->subject_raw.len = p - csr->subject_raw.p;
+
+    /*
+     *  subjectPKInfo SubjectPublicKeyInfo
+     */
+    if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &csr->pk ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    /*
+     *  attributes    [0] Attributes
+     *
+     *  The list of possible attributes is open-ended, though RFC 2985
+     *  (PKCS#9) defines a few in section 5.4. We currently don't support any,
+     *  so we just ignore them. This is a safe thing to do as the worst thing
+     *  that could happen is that we issue a certificate that does not match
+     *  the requester's expectations - this cannot cause a violation of our
+     *  signature policies.
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    end = csr->raw.p + csr->raw.len;
+
+    /*
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signature            BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &csr->sig_oid, &sig_params,
+                                  &csr->sig_md, &csr->sig_pk,
+                                  &csr->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &csr->sig ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse a CSR, allowing for PEM or raw DER encoding
+ */
+int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int ret;
+    size_t use_len;
+    mbedtls_pem_context pem;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if( csr == NULL || buf == NULL || buflen == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( buf[buflen - 1] == '\0' )
+    {
+        mbedtls_pem_init( &pem );
+        ret = mbedtls_pem_read_buffer( &pem,
+                                       "-----BEGIN CERTIFICATE REQUEST-----",
+                                       "-----END CERTIFICATE REQUEST-----",
+                                       buf, NULL, 0, &use_len );
+        if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        {
+            ret = mbedtls_pem_read_buffer( &pem,
+                                           "-----BEGIN NEW CERTIFICATE REQUEST-----",
+                                           "-----END NEW CERTIFICATE REQUEST-----",
+                                           buf, NULL, 0, &use_len );
+        }
+
+        if( ret == 0 )
+        {
+            /*
+             * Was PEM encoded, parse the result
+             */
+            ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
+        }
+
+        mbedtls_pem_free( &pem );
+        if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+            return( ret );
+    }
+#endif /* MBEDTLS_PEM_PARSE_C */
+    return( mbedtls_x509_csr_parse_der( csr, buf, buflen ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load a CSR into the structure
+ */
+int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_csr_parse( csr, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#define BEFORE_COLON    14
+#define BC              "14"
+/*
+ * Return an informational string about the CSR.
+ */
+int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_csr *csr )
+{
+    int ret;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    ret = mbedtls_snprintf( p, n, "%sCSR version   : %d",
+                               prefix, csr->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssubject name  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &csr->subject );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
+                             csr->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
+                                      mbedtls_pk_get_name( &csr->pk ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
+                          (int) mbedtls_pk_get_bitlen( &csr->pk ) );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Initialize a CSR
+ */
+void mbedtls_x509_csr_init( mbedtls_x509_csr *csr )
+{
+    memset( csr, 0, sizeof(mbedtls_x509_csr) );
+}
+
+/*
+ * Unallocate all CSR data
+ */
+void mbedtls_x509_csr_free( mbedtls_x509_csr *csr )
+{
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+
+    if( csr == NULL )
+        return;
+
+    mbedtls_pk_free( &csr->pk );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    mbedtls_free( csr->sig_opts );
+#endif
+
+    name_cur = csr->subject.next;
+    while( name_cur != NULL )
+    {
+        name_prv = name_cur;
+        name_cur = name_cur->next;
+        mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+        mbedtls_free( name_prv );
+    }
+
+    if( csr->raw.p != NULL )
+    {
+        mbedtls_platform_zeroize( csr->raw.p, csr->raw.len );
+        mbedtls_free( csr->raw.p );
+    }
+
+    mbedtls_platform_zeroize( csr, sizeof( mbedtls_x509_csr ) );
+}
+
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
diff --git a/ctrtool/deps/libmbedtls/src/x509write_crt.c b/ctrtool/deps/libmbedtls/src/x509write_crt.c
new file mode 100644
index 00000000..61d7ba44
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/x509write_crt.c
@@ -0,0 +1,522 @@
+/*
+ *  X.509 certificate writing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * References:
+ * - certificates: RFC 5280, updated by RFC 6818
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
+
+    mbedtls_mpi_init( &ctx->serial );
+    ctx->version = MBEDTLS_X509_CRT_VERSION_3;
+}
+
+void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
+{
+    mbedtls_mpi_free( &ctx->serial );
+
+    mbedtls_asn1_free_named_data_list( &ctx->subject );
+    mbedtls_asn1_free_named_data_list( &ctx->issuer );
+    mbedtls_asn1_free_named_data_list( &ctx->extensions );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
+}
+
+void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
+{
+    ctx->version = version;
+}
+
+void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg )
+{
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
+{
+    ctx->subject_key = key;
+}
+
+void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
+{
+    ctx->issuer_key = key;
+}
+
+int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
+                                    const char *subject_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
+}
+
+int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
+                                   const char *issuer_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name );
+}
+
+int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_copy( &ctx->serial, serial ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
+                                const char *not_after )
+{
+    if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
+        strlen( not_after )  != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 )
+    {
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+    }
+    strncpy( ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
+    strncpy( ctx->not_after , not_after , MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
+    ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+    ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
+                                 const char *oid, size_t oid_len,
+                                 int critical,
+                                 const unsigned char *val, size_t val_len )
+{
+    return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
+                               critical, val, val_len );
+}
+
+int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
+                                         int is_ca, int max_pathlen )
+{
+    int ret;
+    unsigned char buf[9];
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+
+    if( is_ca && max_pathlen > 127 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    if( is_ca )
+    {
+        if( max_pathlen >= 0 )
+        {
+            MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
+        }
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
+                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
+                                        0, buf + sizeof(buf) - len, len );
+}
+
+#if defined(MBEDTLS_SHA1_C)
+int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
+
+    ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
+                            buf + sizeof( buf ) - 20 );
+    if( ret != 0 )
+        return( ret );
+    c = buf + sizeof( buf ) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),
+                                        0, buf + sizeof(buf) - len, len );
+}
+
+int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof( buf );
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
+
+    ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
+                            buf + sizeof( buf ) - 20 );
+    if( ret != 0 )
+        return( ret );
+    c = buf + sizeof( buf ) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+                                   MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
+                                   0, buf + sizeof( buf ) - len, len );
+}
+#endif /* MBEDTLS_SHA1_C */
+
+static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage )
+{
+    unsigned char buf[4], ku;
+    unsigned char *c;
+    int ret;
+    size_t unused_bits;
+    const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+        MBEDTLS_X509_KU_NON_REPUDIATION   |
+        MBEDTLS_X509_KU_KEY_ENCIPHERMENT  |
+        MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+        MBEDTLS_X509_KU_KEY_AGREEMENT     |
+        MBEDTLS_X509_KU_KEY_CERT_SIGN     |
+        MBEDTLS_X509_KU_CRL_SIGN;
+
+    /* Check that nothing other than the allowed flags is set */
+    if( ( key_usage & ~allowed_bits ) != 0 )
+        return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+
+    c = buf + 4;
+    ku = (unsigned char)key_usage;
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
+                                       1, c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
+                                    unsigned char ns_cert_type )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+    if( ret < 3 || ret > 4 )
+        return( ret );
+
+    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
+                                       0, c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+static int x509_write_time( unsigned char **p, unsigned char *start,
+                            const char *t, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    /*
+     * write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
+     */
+    if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                             (const unsigned char *) t + 2,
+                                             size - 2 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) );
+    }
+    else
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                                  (const unsigned char *) t,
+                                                  size ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) );
+    }
+
+    return( (int) len );
+}
+
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char tmp_buf[2048];
+    size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+
+    /*
+     * Prepare data to be signed in tmp_buf
+     */
+    c = tmp_buf + sizeof( tmp_buf );
+
+    /* Signature algorithm needed in TBS, and later for actual signature */
+
+    /* There's no direct way of extracting a signature algorithm
+     * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
+    if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
+        pk_alg = MBEDTLS_PK_RSA;
+    else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+
+    if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
+                                          &sig_oid, &sig_oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+     */
+
+    /* Only for v3 */
+    if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                           MBEDTLS_ASN1_SEQUENCE ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+    }
+
+    /*
+     *  SubjectPublicKeyInfo
+     */
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
+                                                tmp_buf, c - tmp_buf ) );
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+
+    /*
+     *  Validity ::= SEQUENCE {
+     *       notBefore      Time,
+     *       notAfter       Time }
+     */
+    sub_len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+    len += sub_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     *  Issuer  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
+
+    /*
+     *  Signature   ::=  AlgorithmIdentifier
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
+                       sig_oid, strlen( sig_oid ), 0 ) );
+
+    /*
+     *  Serial   ::=  INTEGER
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+
+    /* Can be omitted for v1 */
+    if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
+    {
+        sub_len = 0;
+        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
+        len += sub_len;
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                       MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     * Make signature
+     */
+    if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
+                            len, hash ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
+                         f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     * Write data to output buffer
+     */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+                                        sig_oid, sig_oid_len, sig, sig_len ) );
+
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    c2 -= len;
+    memcpy( c2, c, len );
+
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+#define PEM_BEGIN_CRT           "-----BEGIN CERTIFICATE-----\n"
+#define PEM_END_CRT             "-----END CERTIFICATE-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
+                                   f_rng, p_rng ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
diff --git a/ctrtool/deps/libmbedtls/src/x509write_csr.c b/ctrtool/deps/libmbedtls/src/x509write_csr.c
new file mode 100644
index 00000000..7406a975
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/x509write_csr.c
@@ -0,0 +1,302 @@
+/*
+ *  X.509 Certificate Signing Request writing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * References:
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+#include <stdlib.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
+}
+
+void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
+{
+    mbedtls_asn1_free_named_data_list( &ctx->subject );
+    mbedtls_asn1_free_named_data_list( &ctx->extensions );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
+}
+
+void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
+{
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key )
+{
+    ctx->key = key;
+}
+
+int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
+                                    const char *subject_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
+}
+
+int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
+                                 const char *oid, size_t oid_len,
+                                 const unsigned char *val, size_t val_len )
+{
+    return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
+                               0, val, val_len );
+}
+
+static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
+int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
+                                       c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
+                                    unsigned char ns_cert_type )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( ret );
+
+    ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
+                                       c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char tmp_buf[2048];
+    size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+
+    /*
+     * Prepare data to be signed in tmp_buf
+     */
+    c = tmp_buf + sizeof( tmp_buf );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+
+    if( len )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SEQUENCE ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SET ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
+                                          MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SEQUENCE ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
+
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
+                                                tmp_buf, c - tmp_buf ) );
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     * Prepare signature
+     */
+    ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
+    if( ret != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
+                                 f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
+        pk_alg = MBEDTLS_PK_RSA;
+    else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+
+    if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
+                                                &sig_oid, &sig_oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     * Write data to output buffer
+     */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+                                        sig_oid, sig_oid_len, sig, sig_len ) );
+
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    c2 -= len;
+    memcpy( c2, c, len );
+
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+#define PEM_BEGIN_CSR           "-----BEGIN CERTIFICATE REQUEST-----\n"
+#define PEM_END_CSR             "-----END CERTIFICATE REQUEST-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
+                                   f_rng, p_rng ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
diff --git a/ctrtool/deps/libmbedtls/src/xtea.c b/ctrtool/deps/libmbedtls/src/xtea.c
new file mode 100644
index 00000000..a33707bc
--- /dev/null
+++ b/ctrtool/deps/libmbedtls/src/xtea.c
@@ -0,0 +1,277 @@
+/*
+ *  An 32-bit implementation of the XTEA algorithm
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_XTEA_C)
+
+#include "mbedtls/xtea.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_XTEA_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+void mbedtls_xtea_init( mbedtls_xtea_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_xtea_context ) );
+}
+
+void mbedtls_xtea_free( mbedtls_xtea_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_xtea_context ) );
+}
+
+/*
+ * XTEA key schedule
+ */
+void mbedtls_xtea_setup( mbedtls_xtea_context *ctx, const unsigned char key[16] )
+{
+    int i;
+
+    memset( ctx, 0, sizeof(mbedtls_xtea_context) );
+
+    for( i = 0; i < 4; i++ )
+    {
+        GET_UINT32_BE( ctx->k[i], key, i << 2 );
+    }
+}
+
+/*
+ * XTEA encrypt function
+ */
+int mbedtls_xtea_crypt_ecb( mbedtls_xtea_context *ctx, int mode,
+                    const unsigned char input[8], unsigned char output[8])
+{
+    uint32_t *k, v0, v1, i;
+
+    k = ctx->k;
+
+    GET_UINT32_BE( v0, input, 0 );
+    GET_UINT32_BE( v1, input, 4 );
+
+    if( mode == MBEDTLS_XTEA_ENCRYPT )
+    {
+        uint32_t sum = 0, delta = 0x9E3779B9;
+
+        for( i = 0; i < 32; i++ )
+        {
+            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+            sum += delta;
+            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
+        }
+    }
+    else /* MBEDTLS_XTEA_DECRYPT */
+    {
+        uint32_t delta = 0x9E3779B9, sum = delta * 32;
+
+        for( i = 0; i < 32; i++ )
+        {
+            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
+            sum -= delta;
+            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+        }
+    }
+
+    PUT_UINT32_BE( v0, output, 0 );
+    PUT_UINT32_BE( v1, output, 4 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * XTEA-CBC buffer encryption/decryption
+ */
+int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx, int mode, size_t length,
+                    unsigned char iv[8], const unsigned char *input,
+                    unsigned char *output)
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_XTEA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_xtea_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_xtea_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* !MBEDTLS_XTEA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * XTEA tests vectors (non-official)
+ */
+
+static const unsigned char xtea_test_key[6][16] =
+{
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char xtea_test_pt[6][8] =
+{
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x5a, 0x5b, 0x6e, 0x27, 0x89, 0x48, 0xd7, 0x7f },
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x70, 0xe1, 0x22, 0x5d, 0x6e, 0x4e, 0x76, 0x55 }
+};
+
+static const unsigned char xtea_test_ct[6][8] =
+{
+    { 0x49, 0x7d, 0xf3, 0xd0, 0x72, 0x61, 0x2c, 0xb5 },
+    { 0xe7, 0x8f, 0x2d, 0x13, 0x74, 0x43, 0x41, 0xd8 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0xa0, 0x39, 0x05, 0x89, 0xf8, 0xb8, 0xef, 0xa5 },
+    { 0xed, 0x23, 0x37, 0x5a, 0x82, 0x1a, 0x8c, 0x2d },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_xtea_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char buf[8];
+    mbedtls_xtea_context ctx;
+
+    mbedtls_xtea_init( &ctx );
+    for( i = 0; i < 6; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  XTEA test #%d: ", i + 1 );
+
+        memcpy( buf, xtea_test_pt[i], 8 );
+
+        mbedtls_xtea_setup( &ctx, xtea_test_key[i] );
+        mbedtls_xtea_crypt_ecb( &ctx, MBEDTLS_XTEA_ENCRYPT, buf, buf );
+
+        if( memcmp( buf, xtea_test_ct[i], 8 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_xtea_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_XTEA_C */
diff --git a/ctrtool/deps/libnintendo-n3ds/LICENSE b/ctrtool/deps/libnintendo-n3ds/LICENSE
new file mode 100644
index 00000000..38e64e9d
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Jack
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/ctrtool/deps/libnintendo-n3ds/README.md b/ctrtool/deps/libnintendo-n3ds/README.md
new file mode 100644
index 00000000..edaf7b1c
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/README.md
@@ -0,0 +1,2 @@
+# libnintendo-n3ds
+C++ Library for parsing Nintendo 3DS file formats
diff --git a/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds.sln b/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds.sln
new file mode 100644
index 00000000..0308a49b
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds.sln
@@ -0,0 +1,71 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.31229.75
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libnintendo-n3ds", "libnintendo-n3ds\libnintendo-n3ds.vcxproj", "{7789491C-5403-4613-B06B-DB0C58E19A01}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfmt", "..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj", "{F4B0540E-0AAE-4006-944B-356944EF61FA}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libmbedtls", "..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj", "{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libtoolchain", "..\..\deps\libtoolchain\build\visualstudio\libtoolchain\libtoolchain.vcxproj", "{E194E4B8-1482-40A2-901B-75D4387822E9}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libbroadon-es", "..\..\deps\libbroadon-es\build\visualstudio\libbroadon-es\libbroadon-es.vcxproj", "{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x64.ActiveCfg = Debug|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x64.Build.0 = Debug|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x86.ActiveCfg = Debug|Win32
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Debug|x86.Build.0 = Debug|Win32
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x64.ActiveCfg = Release|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x64.Build.0 = Release|x64
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x86.ActiveCfg = Release|Win32
+		{7789491C-5403-4613-B06B-DB0C58E19A01}.Release|x86.Build.0 = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.ActiveCfg = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.Build.0 = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.ActiveCfg = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.Build.0 = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.ActiveCfg = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.Build.0 = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.ActiveCfg = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.Build.0 = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.ActiveCfg = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.Build.0 = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.ActiveCfg = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.Build.0 = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.ActiveCfg = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.Build.0 = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.ActiveCfg = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.Build.0 = Release|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.ActiveCfg = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.Build.0 = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.ActiveCfg = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.Build.0 = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.ActiveCfg = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.Build.0 = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.ActiveCfg = Release|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.Build.0 = Release|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x64.ActiveCfg = Debug|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x64.Build.0 = Debug|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x86.ActiveCfg = Debug|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Debug|x86.Build.0 = Debug|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x64.ActiveCfg = Release|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x64.Build.0 = Release|x64
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x86.ActiveCfg = Release|Win32
+		{8A35D7DC-293A-4669-9C1E-4F45ABFE8838}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {E9C7A315-F87A-48C9-89E8-1238E856168F}
+	EndGlobalSection
+EndGlobal
diff --git a/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj b/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj
new file mode 100644
index 00000000..bf2ef981
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj
@@ -0,0 +1,185 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{7789491c-5403-4613-b06b-db0c58e19a01}</ProjectGuid>
+    <RootNamespace>libnintendon3ds</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(SolutionDir)..\..\deps\libtoolchain\include;$(SolutionDir)..\..\deps\libbroadon-es\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj">
+      <Project>{7a7c66f3-2b5b-4e23-85d8-2a74fedad92c}</Project>
+    </ProjectReference>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj">
+      <Project>{f4b0540e-0aae-4006-944b-356944ef61fa}</Project>
+    </ProjectReference>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libtoolchain\build\visualstudio\libtoolchain\libtoolchain.vcxproj">
+      <Project>{e194e4b8-1482-40a2-901b-75d4387822e9}</Project>
+    </ProjectReference>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libbroadon-es\build\visualstudio\libbroadon-es\libbroadon-es.vcxproj">
+      <Project>{8a35d7dc-293a-4669-9c1e-4f45abfe8838}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\CciFsSnapshotGenerator.cpp" />
+    <ClCompile Include="..\..\..\src\CiaFsSnapshotGenerator.cpp" />
+    <ClCompile Include="..\..\..\src\CtrKeyGenerator.cpp" />
+    <ClCompile Include="..\..\..\src\es\Certificate.cpp" />
+    <ClCompile Include="..\..\..\src\es\RsaSigner.cpp" />
+    <ClCompile Include="..\..\..\src\es\Signature.cpp" />
+    <ClCompile Include="..\..\..\src\es\Ticket.cpp" />
+    <ClCompile Include="..\..\..\src\es\TitleMetaData.cpp" />
+    <ClCompile Include="..\..\..\src\ExeFsSnapshotGenerator.cpp" />
+    <ClCompile Include="..\..\..\src\IvfcStream.cpp" />
+    <ClCompile Include="..\..\..\src\RomFsSnapshotGenerator.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\ntd\n3ds.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\bcwav.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\cci.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\CciFsSnapshotGenerator.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\cia.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\CiaFsSnapshotGenerator.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\cro.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\crr.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\CtrKeyGenerator.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\Certificate.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\ISigner.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\RsaSigner.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\Signature.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\Ticket.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\TitleMetaData.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\exefs.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\ExeFsSnapshotGenerator.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\exheader.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\firm.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\ivfc.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\IvfcStream.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\ncch.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\romfs.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\RomFsSnapshotGenerator.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\smdh.h" />
+    <ClInclude Include="..\..\..\include\ntd\n3ds\systemupdater.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj.filters b/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj.filters
new file mode 100644
index 00000000..3877cc72
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/build/visualstudio/libnintendo-n3ds/libnintendo-n3ds.vcxproj.filters
@@ -0,0 +1,147 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Source Files\es">
+      <UniqueIdentifier>{6ff37ad4-4d41-489a-8dee-7a67ae5c3a0c}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\ntd">
+      <UniqueIdentifier>{a8556034-ba3b-4e55-99fe-75f9cec9442d}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\ntd\n3ds">
+      <UniqueIdentifier>{27d62e82-f179-4eaf-9592-4aefd77854a0}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\ntd\n3ds\es">
+      <UniqueIdentifier>{8ca97abf-9738-4b26-a728-0bb7a705496a}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\CciFsSnapshotGenerator.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\CiaFsSnapshotGenerator.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\CtrKeyGenerator.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ExeFsSnapshotGenerator.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\IvfcStream.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\RomFsSnapshotGenerator.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\es\Certificate.cpp">
+      <Filter>Source Files\es</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\es\RsaSigner.cpp">
+      <Filter>Source Files\es</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\es\Signature.cpp">
+      <Filter>Source Files\es</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\es\Ticket.cpp">
+      <Filter>Source Files\es</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\es\TitleMetaData.cpp">
+      <Filter>Source Files\es</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\ntd\n3ds.h">
+      <Filter>Header Files\ntd</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\bcwav.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\cci.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\CciFsSnapshotGenerator.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\cia.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\CiaFsSnapshotGenerator.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\cro.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\crr.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\CtrKeyGenerator.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\exefs.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\ExeFsSnapshotGenerator.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\exheader.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\firm.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\ivfc.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\IvfcStream.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\ncch.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\romfs.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\RomFsSnapshotGenerator.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\smdh.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\systemupdater.h">
+      <Filter>Header Files\ntd\n3ds</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\Certificate.h">
+      <Filter>Header Files\ntd\n3ds\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\ISigner.h">
+      <Filter>Header Files\ntd\n3ds\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\RsaSigner.h">
+      <Filter>Header Files\ntd\n3ds\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\Signature.h">
+      <Filter>Header Files\ntd\n3ds\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\Ticket.h">
+      <Filter>Header Files\ntd\n3ds\es</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\ntd\n3ds\es\TitleMetaData.h">
+      <Filter>Header Files\ntd\n3ds\es</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds.h
new file mode 100644
index 00000000..4a97d94e
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds.h
@@ -0,0 +1,26 @@
+#pragma once
+
+// definitions
+#include <ntd/n3ds/cci.h>
+#include <ntd/n3ds/cia.h>
+#include <ntd/n3ds/cro.h>
+#include <ntd/n3ds/crr.h>
+#include <ntd/n3ds/exefs.h>
+#include <ntd/n3ds/exheader.h>
+#include <ntd/n3ds/firm.h>
+#include <ntd/n3ds/ivfc.h>
+#include <ntd/n3ds/ncch.h>
+#include <ntd/n3ds/romfs.h>
+#include <ntd/n3ds/smdh.h>
+
+// Wrapped IStream
+#include <ntd/n3ds/IvfcStream.h>
+
+// Utilities
+#include <ntd/n3ds/CtrKeyGenerator.h>
+
+// VirtualFileSystem metadata generators
+#include <ntd/n3ds/ExeFsMetaGenerator.h>
+#include <ntd/n3ds/RomFsMetaGenerator.h>
+#include <ntd/n3ds/CciFsMetaGenerator.h>
+#include <ntd/n3ds/CiaFsMetaGenerator.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CciFsSnapshotGenerator.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CciFsSnapshotGenerator.h
new file mode 100644
index 00000000..70fe958e
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CciFsSnapshotGenerator.h
@@ -0,0 +1,19 @@
+#pragma once
+#include <tc/io/VirtualFileSystem.h>
+
+namespace ntd { namespace n3ds {
+
+struct CciFsShapshotGenerator : public tc::io::VirtualFileSystem::FileSystemSnapshot
+{
+public:
+	CciFsShapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream);
+private:
+	CciFsShapshotGenerator();
+
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+	size_t mCurDir;
+
+	void addFile(const std::string& name, int64_t offset, int64_t size);
+};
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CiaFsSnapshotGenerator.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CiaFsSnapshotGenerator.h
new file mode 100644
index 00000000..afbc3202
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CiaFsSnapshotGenerator.h
@@ -0,0 +1,19 @@
+#pragma once
+#include <tc/io/VirtualFileSystem.h>
+
+namespace ntd { namespace n3ds {
+
+struct CiaFsSnapshotGenerator : public tc::io::VirtualFileSystem::FileSystemSnapshot
+{
+public:
+	CiaFsSnapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream);
+private:
+	CiaFsSnapshotGenerator();
+
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+	size_t mCurDir;
+
+	void addFile(const std::string& name, int64_t offset, int64_t size);
+};
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CtrKeyGenerator.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CtrKeyGenerator.h
new file mode 100644
index 00000000..b6453246
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/CtrKeyGenerator.h
@@ -0,0 +1,19 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+class CtrKeyGenerator
+{
+public:
+	static void GenerateKey(const uint8_t *x, const uint8_t *y, uint8_t *key);
+private:
+	static int32_t wrap_index(int32_t i);
+	static void n128_rrot(const uint8_t *in, uint32_t rot, uint8_t *out);
+	static void n128_lrot(const uint8_t *in, uint32_t rot, uint8_t *out);
+	static void n128_add(const uint8_t *a, const uint8_t *b, uint8_t *out);
+	static void n128_sub(const uint8_t *a, const uint8_t *b, uint8_t *out);
+	static void n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out);
+};
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ExeFsSnapshotGenerator.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ExeFsSnapshotGenerator.h
new file mode 100644
index 00000000..78d421d9
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ExeFsSnapshotGenerator.h
@@ -0,0 +1,14 @@
+#pragma once
+#include <tc/io/VirtualFileSystem.h>
+
+namespace ntd { namespace n3ds {
+
+struct ExeFsSnapshotGenerator : public tc::io::VirtualFileSystem::FileSystemSnapshot
+{
+public:
+	ExeFsSnapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream, bool verify_hashes = true);
+private:
+	ExeFsSnapshotGenerator();
+};
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/IvfcStream.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/IvfcStream.h
new file mode 100644
index 00000000..2ee2243b
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/IvfcStream.h
@@ -0,0 +1,141 @@
+#pragma once
+#include <tc/ByteData.h>
+#include <tc/io/IStream.h>
+#include <tc/io/IOUtil.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/CryptoException.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ObjectDisposedException.h>
+
+namespace ntd { namespace n3ds {
+
+class IvfcStream : public tc::io::IStream
+{
+public:
+	IvfcStream();
+	IvfcStream(const std::shared_ptr<tc::io::IStream>& stream);
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	bool canRead() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	bool canWrite() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	bool canSeek() const;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	int64_t length();
+
+		/** 
+		 * @brief Gets the position within the current stream. 
+		 * 
+		 * @return This is returns the current position within the stream.
+		 **/
+	int64_t position();
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support reading for @ref read to work. 
+		 * @note Use @ref canRead to determine if this stream supports reading.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p count exceeds the length of readable data in the sub stream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t read(byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written.
+		 * 
+		 * @param[in] ptr Pointer to an array of bytes. This method copies @p count bytes from @p ptr to the current stream.
+		 * @param[in] count The number of bytes to be written to the current stream.
+		 * 
+		 * @return The total number of bytes written to the stream. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support writing for @ref write to work. 
+		 * @note Use @ref canWrite to determine if this stream supports writing.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p count exceeds the length of writeable data in the sub stream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t write(const byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p origin contains an invalid value.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	int64_t seek(int64_t offset, tc::io::SeekOrigin origin);
+
+		/**
+		 * @brief Sets the length of the current stream. This is not implemented for @ref SubStream.
+		 * @throw tc::NotImplementedException @ref setLength is not implemented for @ref SubStream
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Clears all buffers for this and the base stream and causes any buffered data to be written to the underlying device.
+		 * 
+		 * @throw tc::io::IOException An I/O error occurs.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void flush();
+	
+		/**
+		 * @brief Releases internal resources including base stream and clears internal state.
+		 **/
+	void dispose();
+private:
+	std::string mModuleLabel;
+
+	// base stream
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+
+	// data layer stream
+	size_t mDataStreamBlockSize;
+	int64_t mDataStreamLogicalLength;
+	std::shared_ptr<tc::io::IStream> mDataStream;
+	inline size_t offsetToBlock(int64_t offset) { return tc::io::IOUtil::castInt64ToSize(offset / tc::io::IOUtil::castSizeToInt64(mDataStreamBlockSize)); };
+	inline size_t offsetInBlock(int64_t offset) { return tc::io::IOUtil::castInt64ToSize(offset % tc::io::IOUtil::castSizeToInt64(mDataStreamBlockSize)); };
+	inline int64_t blockToOffset(size_t block) { return tc::io::IOUtil::castSizeToInt64(block) * tc::io::IOUtil::castSizeToInt64(mDataStreamBlockSize); };
+
+	// hash cache for data layer
+	tc::ByteData mHashCache;
+	inline byte_t* getBlockHash(size_t begin_block) { return mHashCache.data() + (begin_block * tc::crypto::Sha256Generator::kHashSize); }
+
+	// hash calc temp
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> mHash;
+	tc::crypto::Sha256Generator mHashCalc;
+
+	bool validateLayerBlocksWithHashLayer(const byte_t* layer, size_t block_size, size_t block_num, const byte_t* hash_layer);
+};
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/RomFsSnapshotGenerator.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/RomFsSnapshotGenerator.h
new file mode 100644
index 00000000..e19eb53a
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/RomFsSnapshotGenerator.h
@@ -0,0 +1,30 @@
+#pragma once
+#include <tc/ByteData.h>
+#include <tc/io/VirtualFileSystem.h>
+#include <ntd/n3ds/romfs.h>
+
+namespace ntd { namespace n3ds {
+
+struct RomFsSnapshotGenerator : public tc::io::VirtualFileSystem::FileSystemSnapshot
+{
+public:
+	RomFsSnapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream);
+private:
+	RomFsSnapshotGenerator();
+
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+
+	int64_t mDataOffset;
+
+	tc::ByteData mDirEntryTable;
+	std::map<uint32_t, size_t> mDirParentVaddrMap;
+	inline ntd::n3ds::RomFsDirectoryEntry* getDirEntry(uint32_t vaddr) { return (ntd::n3ds::RomFsDirectoryEntry*)(mDirEntryTable.data() + vaddr); }
+
+	tc::ByteData mFileEntryTable;
+	inline ntd::n3ds::RomFsFileEntry* getFileEntry(uint32_t vaddr) { return (ntd::n3ds::RomFsFileEntry*)(mFileEntryTable.data() + vaddr); }
+
+	void addFile(const ntd::n3ds::RomFsFileEntry* file_entry, size_t parent_dir);
+	void addDirectory(const ntd::n3ds::RomFsDirectoryEntry* dir_entry, size_t parent_dir);
+};
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/bcwav.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/bcwav.h
new file mode 100644
index 00000000..d72a587b
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/bcwav.h
@@ -0,0 +1,212 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+namespace bcwav {
+
+static const uint32_t kCwavMagic = tc::bn::make_struct_magic_uint32("CWAV");
+static const uint32_t kCwavVersion = 0x02010000;
+static const uint32_t kInfoMagic = tc::bn::make_struct_magic_uint32("INFO");
+static const uint32_t kDataMagic = tc::bn::make_struct_magic_uint32("DATA");
+
+enum TypeId
+{
+	TYPE_ID_DSP_ADPCM = 0x300,
+	TYPE_ID_IMA_ADPCM = 0x301,
+	TYPE_ID_INFO_BLOCK = 0x7000,
+	TYPE_ID_DATA_BLOCK = 0x7001,
+	TYPE_ID_CHANNEL_REF = 0x7100,
+};
+
+enum Encoding
+{
+	ENCODING_PCM8 = 0,
+	ENCODING_PCM16 = 1,
+	ENCODING_DSP_ADPCM = 2,
+	ENCODING_IMA_ADPCM = 3
+};
+
+enum ChannelIndex
+{
+	CHANNEL_INDEX_L = 0,
+	CHANNEL_INDEX_R = 1,
+};
+
+#pragma pack(push,1)
+
+struct Reference
+{
+	// 0x00
+	tc::bn::le16<uint16_t> type_id;
+	// 0x02
+	tc::bn::pad<2>         padding;
+	// 0x04
+	tc::bn::le32<uint32_t> offset;
+	// 0x08
+};
+
+struct ReferenceWithSize : public Reference
+{
+	// 0x08
+	tc::bn::le32<uint32_t> size;
+	// 0x0C
+};
+
+template <typename T>
+struct Table
+{
+	// 0x00
+	tc::bn::le32<uint32_t> count;
+	// 0x04
+	T                      item[];
+};
+
+struct FileHeader
+{
+	// 0x00
+	tc::bn::le32<uint32_t> signature; // 'CWAV'
+	// 0x04
+	tc::bn::le16<uint16_t> byte_order_mark; // 0xfeff (always little endian)
+	// 0x06
+	tc::bn::le16<uint16_t> header_size;
+	// 0x08
+	tc::bn::le32<uint32_t> version; // 2.1.0.0 (0x02010000)
+	// 0x0C
+	tc::bn::le32<uint32_t> file_size;
+	// 0x10
+	tc::bn::le16<uint16_t> data_blocks;
+	// 0x12
+	tc::bn::pad<2>         reserved;
+	// 0x14
+};
+
+struct BlockInfo
+{
+	// 0x00
+	ReferenceWithSize info_block_reference;
+	// 0x0C
+	ReferenceWithSize data_block_reference;
+	// 0x18
+};
+
+struct FileInfo
+{
+	// 0x00
+	FileHeader header;
+	// 0x14
+	BlockInfo  block_info;
+	// 0x2C
+};
+
+struct BlockHeader
+{
+	// 0x00
+	tc::bn::le32<uint32_t> kind; // 'INFO' or 'DATA'
+	// 0x04
+	tc::bn::le32<uint32_t> size;
+	// 0x08
+};
+
+struct WaveInfo
+{
+	// 0x00
+	byte_t                 encoding; // see Encoding
+	// 0x01
+	byte_t                 is_loop; // 0: noloop, 1: loop
+	// 0x02
+	tc::bn::pad<2>         padding;
+	// 0x04
+	tc::bn::le32<uint32_t> sample_rate;
+	// 0x08
+	tc::bn::le32<uint32_t> loop_start_frame;
+	// 0x0C
+	tc::bn::le32<uint32_t> loop_end_frame;
+	// 0x10
+};
+
+struct InfoBlockBody
+{
+	// 0x00
+	WaveInfo         wave_info;
+	// 0x10
+	tc::bn::pad<4>   reserved;
+	// 0x14
+	Table<Reference> channel_info_reference_table;
+	// 0x18
+};
+
+struct ChannelInfo
+{
+	// 0x00
+	Reference      to_samples;
+	// 0x08
+	Reference      to_adpcm_info;
+	// 0x10
+	tc::bn::pad<4> reserved;
+	// 0x14
+};
+
+struct AdpcmParam
+{
+	// 0x00
+	std::array<tc::bn::le16<uint16_t>, 16> coef;
+	// 0x20
+};
+
+struct AdpcmContext
+{
+	// 0x00
+	tc::bn::le16<uint16_t> pred_scale; // Stores the predicted value (4bit) and the scale value (4bit) of Adpcm. The upper 8 bits are not referenced
+	// 0x02
+	tc::bn::le16<int16_t> yn1; // Historical data (1st sample value)
+	// 0x04
+	tc::bn::le16<int16_t> yn2; // Historical data (2nd sample value)
+	// 0x06
+};
+
+struct DspAdpcmInfo
+{
+	// 0x00
+	AdpcmParam param;
+	// 0x20
+	AdpcmContext context;
+	// 0x26
+	AdpcmContext loop_context;
+	// 0x2C
+};
+
+struct ImaAdpcmContext
+{
+	// 0x00
+	tc::bn::le16<uint16_t> data;
+	// 0x02
+	byte_t                 table_index;
+	// 0x03
+	byte_t                 padding;
+	// 0x04
+};
+
+struct ImaAdpcmInfo
+{
+	// 0x00
+	ImaAdpcmContext context;
+	// 0x04
+	ImaAdpcmContext loop_context;
+	// 0x08
+};
+
+struct InfoBlock
+{
+	// 0x00
+	BlockHeader   header;
+	// 0x08
+	InfoBlockBody body;
+	// 0x20
+};
+
+#pragma pack(pop)
+
+} // namespace ntd::n3ds::bcwav
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
new file mode 100644
index 00000000..f2ac0a8b
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
@@ -0,0 +1,258 @@
+#pragma once
+#include <tc/types.h>
+#include <array>
+
+#include <ntd/n3ds/ncch.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,8)
+
+	/**
+	 * @struct NcsdCommonHeader
+	 * @brief NCSD header is used in both NAND storage and Gamecard Images
+	 */
+struct NcsdCommonHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("NCSD");
+	static const size_t kPartitionNum = 8;
+
+	enum PartitionFsType
+	{
+		PartitionFsType_None = 0,
+		PartitionFsType_Normal = 1,
+		PartitionFsType_FIRM = 3,
+		PartitionFsType_AGBSave = 4,
+	};
+
+	enum PartitionCryptoType
+	{
+		PartitionCryptoType_None = 0x00,
+		PartitionCryptoType_TWL = 0x01,
+		PartitionCryptoType_CTR = 0x02,
+		PartitionCryptoType_SNAKE = 0x03,
+	};
+
+	enum MediaPlatform : byte_t
+	{
+		MediaPlatform_CTR = 0,
+		MediaPlatform_SNAKE = 1,
+	};
+
+	enum MediaType : byte_t
+	{
+		MediaType_InnerDevice = 0,
+		MediaType_Card1 = 1,
+		MediaType_Card2 = 2,
+		MediaType_ExtendedDevice = 3,
+	};
+
+	enum FlagIndex
+	{
+		FlagIndex_Platform = 4,
+		FlagIndex_Type = 5,
+		FlagIndex_BlockSizeLog = 6,
+	};
+
+	struct NcsdFlags
+	{
+		tc::bn::pad<4>        reserved;
+		tc::bn::bitarray<1>   media_platform;
+		byte_t                media_type;
+		byte_t                block_size_log; // this flag determines the block_size = 1 << (block_size_log + 9), alternatively this is always 0, and the blocksize is always 0x200
+		tc::bn::bitarray<1>   reserved_07;
+
+		// raw byte access
+		byte_t& operator[](size_t index) { return ((byte_t*)this)[index]; }
+		const byte_t& operator[](size_t index) const { return ((const byte_t*)this)[index]; }
+		const byte_t* data() const { return ((const byte_t*)this); }
+		const size_t size() const { return sizeof(uint64_t); }
+	};
+	static_assert(sizeof(NcsdFlags) == 8, "NcsdFlags had incorrect size.");
+
+	struct OffsetSize
+	{
+		tc::bn::le32<uint32_t> blk_offset;
+		tc::bn::le32<uint32_t> blk_size;
+	};
+	static_assert(sizeof(OffsetSize) == 8, "OffsetSize had incorrect size.");
+
+	struct GameCardExtendedHeader
+	{
+		// 0x90
+		std::array<tc::bn::le64<uint64_t>, kPartitionNum> partition_id;
+		// 0xD0
+		tc::bn::pad<0x30>                                 reserved;
+	};
+
+	struct NandExtendedHeader
+	{
+		// 0x90
+		tc::bn::pad<0x70>                                 reserved;
+	};
+
+	// 0x00
+	tc::bn::le32<uint32_t>                struct_magic; // NCSD
+	tc::bn::le32<uint32_t>                image_blk_size;
+	tc::bn::le64<uint64_t>                title_id;
+	// 0x10
+	std::array<byte_t, kPartitionNum>     partition_fs_type;
+	std::array<byte_t, kPartitionNum>     partition_crypto_type;
+	// 0x20
+	std::array<OffsetSize, kPartitionNum> partition_offsetsize;
+	// 0x60
+	/*
+	std::array<byte_t, 0x20>              extended_header_hash; // unused
+	// 0x80
+	tc::bn::le32<uint32_t>                additional_header_size; // unused
+	tc::bn::le32<uint32_t>                sector0_offset; // unused
+	*/
+	tc::bn::pad<0x28>                     reserved_0x60;
+	// 0x88
+	NcsdFlags                             flags;
+	// 0x90
+	union {
+		GameCardExtendedHeader card_ext;
+		NandExtendedHeader     nand_ext;
+	};
+};	
+static_assert(sizeof(NcsdCommonHeader) == 0x100, "NcsdCommonHeader had incorrect size.");
+
+struct CciHeader
+{
+	enum CardDevice : byte_t
+	{
+		CardDevice_Unspecified = 0,
+		CardDevice_NorFlash = 1,
+		CardDevice_None = 2,
+		CardDevice_BT = 3,
+	};
+
+	enum PartitionIndex : byte_t
+	{
+		PartitionIndex_Application = 0,
+		PartitionIndex_Manual = 1,
+		PartitionIndex_DlpChild = 2,
+		PartitionIndex_SnakeCup = 6,
+		PartitionIndex_CtrCup = 7,
+	};
+
+	enum RomSize : uint32_t
+	{
+		RomSize_128MB = 0x40000,
+		RomSize_256MB = 0x80000,
+		RomSize_512MB = 0x100000,
+		RomSize_1GB = 0x200000,
+		RomSize_2GB = 0x400000,
+		RomSize_4GB = 0x800000,
+	};
+
+	enum NcsdFlagIndex
+	{
+		NcsdFlagIndex_BackupWriteWaitTime = 0,
+		NcsdFlagIndex_BackupSecurityVersion = 1,
+		NcsdFlagIndex_CardInfo = 2,
+		NcsdFlagIndex_CardDevice = 3,
+		NcsdFlagIndex_MediaPlatform = 4,
+		NcsdFlagIndex_MediaType = 5,
+		NcsdFlagIndex_MediaBlockSize = 6,
+		NcsdFlagIndex_CardDevice_Deprecated = 7,
+	};
+
+	enum CardType
+	{
+		CardType_S1 = 0,
+		CardType_S2 = 1,
+	};
+
+	enum CryptoType
+	{
+		CryptoType_Secure = 0, // Secure initial data key (keyX bootrom, keyY initial data seed) (used in production ROMs)
+		CryptoType_FixedKey = 3, // Zeros initial data key (used in non-HSM enviroments like development)
+	};
+
+	struct CardInfo
+	{
+		struct Flag
+		{
+			byte_t reserved : 5;
+			byte_t card_type : 1; // see CardType
+			byte_t crypto_type : 2; // see CryptoType
+		};
+		
+		tc::bn::le32<uint32_t> writable_region; // offset in blocks
+		tc::bn::pad<3>         padding;
+		Flag                   flag;
+		tc::bn::pad<0xf8>      reserved;
+	};
+	static_assert(sizeof(CardInfo) == 0x100, "CardInfo had incorrect size.");
+
+	struct MasteringMetadata
+	{
+		tc::bn::le64<uint64_t> media_size_used;
+		tc::bn::pad<0x8>       padding0;
+		
+		tc::bn::le16<uint16_t> title_version;
+		tc::bn::le16<uint16_t> card_revision;
+		tc::bn::pad<0xc>       padding1;
+		
+		tc::bn::le64<uint64_t> cver_title_id;
+		tc::bn::le16<uint16_t> cver_title_version;
+		tc::bn::pad<0x6>       padding2;
+		
+		tc::bn::pad<0xd0>      reserved;
+	};
+	static_assert(sizeof(MasteringMetadata) == 0x100, "MasteringMetadata had incorrect size.");
+
+	struct InitialData
+	{
+		std::array<byte_t, 16> key_source;
+		std::array<byte_t, 16> encrypted_title_key;
+		std::array<byte_t, 16> mac;
+		std::array<byte_t, 12> nonce;
+		tc::bn::pad<4>         padding;
+		tc::bn::pad<0xc0>      reserved;
+	};
+	static_assert(sizeof(InitialData) == 0x100, "InitialData had incorrect size.");
+
+	struct CardDeviceInfo
+	{
+		tc::bn::pad<0x200>              card_device_reserved_0;
+		std::array<byte_t, 16>          title_key;
+		tc::bn::pad<0xf0>               card_device_reserved_1;
+	};
+	static_assert(sizeof(InitialData) == 0x100, "InitialData had incorrect size.");
+
+public:
+	// 0x0000 - 0x00ff: RSA2048-PKCS1-SHA2-256 over 0x0100-0x01ff
+	std::array<byte_t, 0x100> signature;
+	
+	// 0x0100 - 0x01ff: NcsdCommonHeader
+	NcsdCommonHeader          ncsd_header;
+
+	// 0x0200 - 0x02ff: CardInfo
+	CardInfo                  card_info; 
+
+	// 0x0300 - 0x03ff: Mastering metadata
+	MasteringMetadata         mastering_info;
+
+	// 0x0400 - 0x0fff: Reserved
+	tc::bn::pad<0xc00>        reserved_00;
+
+	// 0x1000 - 0x10ff: Initial Data
+	InitialData               initial_data;
+
+	// 0x1100 - 0x11ff: Partition0 NcchCommonHeader
+	NcchCommonHeader                ncch_header;
+
+	// 0x1200 - 0x14ff: Contains decrypted titlekey for programming cards
+	CardDeviceInfo            card_device_info;
+
+	// 0x1500 - 0x3fff: Reserved
+	tc::bn::pad<0x2B00>       reserved_01;
+};
+static_assert(sizeof(CciHeader) == 0x4000, "CciHeader had incorrect size.");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cia.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cia.h
new file mode 100644
index 00000000..c1ca46a1
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cia.h
@@ -0,0 +1,61 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct CiaHeader
+{
+	static const size_t kCiaMaxContentNum = 0x10000;
+	static const size_t kCiaSectionAlignment = 64;
+	static const size_t kCiaContentAlignment = 16;
+
+	enum Type : uint16_t
+	{
+		Type_Normal = 0x0
+	};
+
+	enum FormatVersion : uint16_t
+	{
+		FormatVersion_Default = 0x0,
+		FormatVersion_SimpleCia = 0xFF,
+	};
+
+	tc::bn::le32<uint32_t> header_size;
+	tc::bn::le16<uint16_t> type;
+	tc::bn::le16<uint16_t> format_version;
+	tc::bn::le32<uint32_t> certificate_size;
+	tc::bn::le32<uint32_t> ticket_size;
+	tc::bn::le32<uint32_t> tmd_size;
+	tc::bn::le32<uint32_t> footer_size;
+	tc::bn::le64<uint64_t> content_size;
+	tc::bn::bitarray<kCiaMaxContentNum/8, true, false> content_bitarray;
+	//std::array<byte_t, kCiaMaxContentNum/8> content_bitarray;
+};
+static_assert(sizeof(CiaHeader) == 0x2020, "CiaHeader had invalid size");
+
+	/**
+	 * @struct CiaFooter
+	 * @brief This is an optional section of a CIA file that includes "Lot Check" metadata for CTR Titles (Not TWL titles).
+	 * 
+	 * @details
+	 * The CIA footer contains the following metadata
+	 * * List of title dependencies (titleids)
+	 * * The CoreVersion (titleid lower of the target firmware)
+	 * * (Optionally) SystemMenuData blob
+	 */
+struct CiaFooter
+{
+	static const size_t kMaxDependencyNum = 48;
+
+	std::array<tc::bn::le64<uint64_t>, kMaxDependencyNum> dependency_list;
+	tc::bn::pad<0x180>                                    padding0;
+	tc::bn::le32<uint32_t>                                firmware_title_id_lower; // aka "core version"
+	tc::bn::pad<0xfc>                                     padding1;
+};
+static_assert(sizeof(CiaFooter) == 0x400, "CiaFooter had invalid size");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cro.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cro.h
new file mode 100644
index 00000000..5b080c21
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cro.h
@@ -0,0 +1,160 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct CroHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("CRO0");
+
+	struct SectionEntry
+	{
+		tc::bn::le32<uint32_t> offset;
+		union
+		{
+			tc::bn::le32<uint32_t> size;
+			tc::bn::le32<uint32_t> num;
+		};
+	};
+	static_assert(sizeof(SectionEntry) == 0x8, "SectionEntry had invalid size");
+
+	using Hash = std::array<byte_t, 0x20>;
+
+	enum CoreFunctionIndex
+	{
+		CoreFunctionIndex_nnroControlObject_ = 0, // 0xFFFFFFFF in CRS
+		CoreFunctionIndex_OnLoad = 1, // will be called when the module is initialized. Set to 0xFFFFFFFF if not exists.
+		CoreFunctionIndex_OnExit = 2, // will be called when the module is finalized. Set to 0xFFFFFFFF if not exists.
+		CoreFunctionIndex_OnUnresolved = 3, // will be called when an unresolved function is called. Set to 0xFFFFFFFF if not exists.
+	};
+
+	enum SectionIndex
+	{
+		SectionIndex_Code = 0,
+		SectionIndex_Data = 1,
+		SectionIndex_ModuleName = 2,
+		SectionIndex_SegmentTable = 3, // (size = num*12)
+		SectionIndex_NamedExportTable = 4, // (size = num * 8)
+		SectionIndex_IndexedExportTable = 5, // (size = num * 4)
+		SectionIndex_ExportStrings = 6,
+		SectionIndex_ExportTree = 7, // fast lookups based on a trie-like structure, (size = num * 8)
+		SectionIndex_ImportModuleTable = 8, // (size = num * 20)
+		SectionIndex_ImportPatches = 9, // (size = num * 12)
+		SectionIndex_NamedImportTable = 10, // (size = num * 8)
+		SectionIndex_IndexedImportTable = 11, // (size = num * 8)
+		SectionIndex_AnonymousImportTable = 12, // (size = num * 8)
+		SectionIndex_ImportStrings = 13,
+		SectionIndex_Unk14 = 14,
+		SectionIndex_RelocationPatches = 15, // (size = num * 12)
+		SectionIndex_Unk16 = 16
+	};
+
+	std::array<Hash, 4> hash_table;
+	tc::bn::le32<uint32_t> struct_magic;
+	tc::bn::le32<uint32_t> name_offset;
+	tc::bn::le32<uint32_t> node0; // Next loaded CRO pointer, set by RO during loading (Usually zero when the CRO is being loaded)
+	tc::bn::le32<uint32_t> node1; // Previous loaded CRO pointer, set by RO during loading
+	tc::bn::le32<uint32_t> file_size;
+	tc::bn::le32<uint32_t> bss_size;
+	tc::bn::le32<uint32_t> unk0;
+	tc::bn::le32<uint32_t> unk1;
+	std::array<tc::bn::le32<uint32_t>, 4> core_function_segment_offset;
+	std::array<SectionEntry, 17> section;
+};
+static_assert(sizeof(CroHeader) == 0x138, "CroHeader had invalid size");
+
+struct CroSegmentOffset
+{
+	uint32_t segment_index : 4; // Segment index for table
+	uint32_t segment_offset : 28; // Offset into segment
+};
+static_assert(sizeof(CroSegmentOffset) == 0x4, "CroSegmentOffset had invalid size");
+
+struct CroSegmentTableEntry
+{
+	enum SegmentId : uint32_t
+	{
+		SegmentId_Text = 0,
+		SegmentId_RoData = 1,
+		SegmentId_Data = 2,
+		SegmentId_Bss = 4
+	};
+
+	tc::bn::le32<uint32_t> segment_offset;
+	tc::bn::le32<uint32_t> segment_size;
+	tc::bn::le32<SegmentId> segment_id;
+};
+static_assert(sizeof(CroSegmentTableEntry) == 0xC, "CroSegmentTableEntry had invalid size");
+
+struct CroNamedExportTableEntry
+{
+	tc::bn::le32<uint32_t> name_offset;
+	tc::bn::le32<CroSegmentOffset> segment_offset_for_export;
+};
+static_assert(sizeof(CroNamedExportTableEntry) == 0x8, "CroNamedExportTableEntry had invalid size");
+
+struct CroIndexedExportTableEntry
+{
+	tc::bn::le32<CroSegmentOffset> segment_offset_for_export;
+};
+static_assert(sizeof(CroIndexedExportTableEntry) == 0x4, "CroIndexedExportTableEntry had invalid size");
+
+struct CroNamedImportTableEntry
+{
+	tc::bn::le32<uint32_t> name_offset;
+	tc::bn::le32<uint32_t> import_patch_list_offset; // Offset of the head of a linear list that contains the patches for this import
+};
+static_assert(sizeof(CroNamedImportTableEntry) == 0x8, "CroNamedImportTableEntry had invalid size");
+
+struct CroIndexedImportTableEntry
+{
+	tc::bn::le32<uint32_t> export_symbol_index; // index of the export symbol
+	tc::bn::le32<uint32_t> import_patch_list_offset; // Offset of the head of a linear list that contains the patches for this import
+};
+static_assert(sizeof(CroIndexedImportTableEntry) == 0x8, "CroIndexedImportTableEntry had invalid size");
+
+struct CroAnonynousImportTableEntry
+{
+	tc::bn::le32<CroSegmentOffset> export_symbol_segment_offset;
+	tc::bn::le32<uint32_t> import_patch_list_offset; // Offset of the head of a linear list that contains the patches for this import
+};
+static_assert(sizeof(CroAnonynousImportTableEntry) == 0x8, "CroAnonynousImportTableEntry had invalid size");
+
+struct CroImportModuleTableEntry
+{
+	tc::bn::le32<uint32_t> module_name_offset;
+	tc::bn::le32<uint32_t> indexed_import_num;
+	tc::bn::le32<uint32_t> indexed_import_patch_list_offset; // Offset of the head of a sub list in Indexed Import Table
+	tc::bn::le32<uint32_t> anonynous_import_num;
+	tc::bn::le32<uint32_t> anonynous_import_patch_list_offset; // Offset of the head of a sub list in Anonymous Import Table
+};
+static_assert(sizeof(CroImportModuleTableEntry) == 0x14, "CroImportModuleTableEntry had invalid size");
+
+struct CroPatchEntry
+{
+	enum PatchType : byte_t
+	{
+		PatchType_Ignore = 0,
+		PatchType_WriteU32Absolute = 2, // (base+addend)
+		PatchType_WriteU32Relative = 3, // (base+addend-in_ptr)
+		PatchType_ThumbBranch = 10,
+		PatchType_ARM32Branch = 28,
+		PatchType_ModifyARM32BranchOffset = 29,
+		PatchType_WriteU32Absolute_2 = 38, // duplicate of PatchType_WriteU32Absolute
+		PatchType_WriteU32Relative_2 = 42, // (((signed int)base*2)/2+addend-in_ptr), otherwise err) (This is apparently a subset of relocation type for ARM ELF)
+	};
+
+	tc::bn::le32<CroSegmentOffset> segment_offset_for_output;
+	PatchType patch_type;
+	byte_t unk0; // For import patches, non-zero if last entry; for relocation patches, this is the referred segment index
+	byte_t unk1; // For import patches, 1 is written to first entry if all symbols loaded successfully; unknown (padding?) for relocation patches
+	byte_t unk2; // Unknown (padding?)
+	tc::bn::le32<uint32_t> addend;
+};
+static_assert(sizeof(CroPatchEntry) == 0xC, "CroPatchEntry had invalid size");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/crr.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/crr.h
new file mode 100644
index 00000000..ec6ee7f3
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/crr.h
@@ -0,0 +1,48 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct CrrHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("CRR0");
+
+	struct Certificate
+	{
+		tc::bn::le32<uint32_t> unique_id_mask;
+		tc::bn::le32<uint32_t> unique_id_pattern;
+		tc::bn::pad<0x18> reserved0;
+		std::array<byte_t, 0x100> crr_body_public_key;
+		std::array<byte_t, 0x100> signature; // PKCS1-RSA2048-SHA2-256 over 0x000-0x11f
+	};
+	static_assert(sizeof(Certificate) == 0x220, "Certificate had invalid size");
+
+	tc::bn::le32<uint32_t> struct_magic;
+	tc::bn::pad<4> reserved0;
+	tc::bn::le32<uint32_t> node0; // prev CRR (0 in file, set by RO module when loaded in memory)
+	tc::bn::le32<uint32_t> node1; // next CRR (0 in file, set by RO module when loaded in memory)
+	tc::bn::le32<int32_t> debug_info_offset;
+	tc::bn::le32<int32_t> debug_info_size;
+	tc::bn::pad<8> reserved1;
+	Certificate body_certificate;
+};
+static_assert(sizeof(CrrHeader) == 0x240, "CrrHeader had invalid size");
+
+struct CrrBodyHeader
+{
+	std::array<byte_t, 0x100> signature; // PKCS1-RSA2048-SHA2-256 over 0x000 - end of hashes (according to 3dbrew a fixed size of 0x358 bytes). CRR0 files must be stored under "romfs:/.crr/". The end of the file is aligned to a 0x1000-byte boundary with 0xCC bytes.
+	tc::bn::le32<uint32_t> unique_id;
+	tc::bn::le32<uint32_t> size;
+	tc::bn::pad<8> reserved0;
+	tc::bn::le32<uint32_t> hash_offset;
+	tc::bn::le32<uint32_t> num_hash;
+	tc::bn::le32<uint32_t> module_id_offset;
+	tc::bn::le32<uint32_t> module_id_size;
+};
+static_assert(sizeof(CrrBodyHeader) == 0x120, "CrrBodyHeader had invalid size");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es.h
new file mode 100644
index 00000000..0fd49ee9
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es.h
@@ -0,0 +1,5 @@
+#pragma once
+
+//#include <ntd/n3ds/es/Certficate.h>
+#include <ntd/n3ds/es/Ticket.h>
+#include <ntd/n3ds/es/TitleMetaData.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Certificate.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Certificate.h
new file mode 100644
index 00000000..1a3fc94d
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Certificate.h
@@ -0,0 +1,117 @@
+#pragma once
+#include <bitset>
+#include <tc/types.h>
+#include <tc/io/IStream.h>
+#include <tc/crypto/RsaKey.h>
+#include <brd/es/es_cert.h>
+#include <ntd/n3ds/es/Signature.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/InvalidOperationException.h>
+
+namespace ntd { namespace n3ds { namespace es {
+
+	/**
+	 * @brief Get total size of certificate, from raw certificate blob.
+	 * 
+	 * @param[in] data Raw certificate data.
+	 * 
+	 * @return Size in bytes of certificate data, 0 if invalid data.
+	 */
+size_t getCertificateSize(byte_t* data);
+
+	/**
+	 * @brief Get total size of certificate signature structure, from raw certificate blob.
+	 * 
+	 * @param[in] data Raw certificate data.
+	 * 
+	 * @return Size in bytes of certificate signature structure, 0 if invalid data.
+	 */
+size_t getCertificateSignatureSize(byte_t* data);
+
+	/**
+	 * @brief Get offset of certificate signed data, from raw certificate blob.
+	 * 
+	 * @param[in] data Raw certificate data.
+	 * 
+	 * @return Offset in bytes of signed certificate data, 0 if invalid data.
+	 */
+size_t getCertificateSignableOffset(byte_t* data);
+
+	/**
+	 * @brief Get size of certificate signed data, from raw certificate blob.
+	 * 
+	 * @param[in] data Raw certificate data.
+	 * 
+	 * @return Size in bytes of signed certificate data, 0 if invalid data.
+	 */
+size_t getCertificateSignableSize(byte_t* data);
+
+	/**
+	 * @brief Get pointer to certificate header, from raw certificate blob.
+	 * 
+	 * @param[in] data Raw certificate data.
+	 * 
+	 * @return Void pointer to certificate header. See @ref ntd::es::ESCertHeader.
+	 */
+void* getCertificateHeaderPtr(byte_t* data);
+
+	/**
+	 * @brief Get pointer to certificate public key, from raw certificate blob.
+	 * 
+	 * @param[in] data Raw certificate data.
+	 * 
+	 * @return Void pointer to certificate public. See @ref ntd::es::ESCertRsa4096PublicKey @ref ntd::es::ESCertRsa2048PublicKey @ref ntd::es::ESCertEcc233PublicKey.
+	 */
+void* getCertificatePublicKeyPtr(byte_t* data);
+
+struct Certificate
+{
+public:
+	Certificate() :
+		signature(),
+		subject(),
+		date(),
+		public_key_type(),
+		rsa4096_public_key(),
+		rsa2048_public_key(),
+		ecc233_public_key()
+	{
+		memset(calculated_hash.data(), 0, calculated_hash.size());
+	}
+public:
+	// these fields are only used when deserialised
+	ntd::n3ds::es::Signature signature; // This includes the signature type, signature data, and issuer
+	std::array<byte_t, 32> calculated_hash; // This hash is calculated when deserialised so that signature validation can be performed.
+
+	// these fields are used in both deserialisation & serialisation
+	std::string subject;
+	uint32_t date; // 32bit unix timestamp, not always set
+	// public key
+	brd::es::ESCertPubKeyType public_key_type;
+	brd::es::Rsa4096PublicKey rsa4096_public_key;
+	brd::es::Rsa2048PublicKey rsa2048_public_key;
+	brd::es::Ecc233PublicKey ecc233_public_key;
+};
+
+class CertificateDeserialiser : public Certificate
+{
+public:
+	// cert stream
+	CertificateDeserialiser(const std::shared_ptr<tc::io::IStream>& cert_stream);
+private:
+	std::string mModuleLabel;
+};
+
+/*
+class CertificateSerialiser : public tc::io::IStream
+{
+public:
+	CertificateSerialiser();
+private:
+	std::string mModuleLabel;
+}
+*/
+
+}}} // namespace ntd::n3ds::es
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/ISigner.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/ISigner.h
new file mode 100644
index 00000000..0abd8470
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/ISigner.h
@@ -0,0 +1,18 @@
+#pragma once
+#include <bitset>
+#include <tc/types.h>
+#include <brd/es/es_sign.h>
+
+namespace ntd { namespace n3ds { namespace es {
+
+class ISigner
+{
+public:
+	virtual ~ISigner() = default;
+	virtual const std::string& getIssuer() = 0;
+	virtual brd::es::ESSigType getSigType() = 0;
+	virtual bool signHash(const byte_t* hash, byte_t* signature) = 0;
+	virtual bool verifyHash(const byte_t* hash, const byte_t* signature) = 0;
+};
+
+}}} // namespace ntd::n3ds::es
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/RsaSigner.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/RsaSigner.h
new file mode 100644
index 00000000..3a8fdd20
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/RsaSigner.h
@@ -0,0 +1,30 @@
+#pragma once
+#include <bitset>
+#include <tc/types.h>
+#include <tc/crypto/RsaKey.h>
+#include <ntd/n3ds/es/ISigner.h>
+
+#include <tc/InvalidOperationException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace ntd { namespace n3ds { namespace es {
+
+class RsaSigner : public ntd::n3ds::es::ISigner
+{
+public:
+	RsaSigner(brd::es::ESSigType sig_type, const std::string& issuer, const tc::crypto::RsaKey& rsa_key);
+	
+	const std::string& getIssuer();
+	
+	brd::es::ESSigType getSigType();
+	
+	bool signHash(const byte_t* hash, byte_t* signature);
+	
+	bool verifyHash(const byte_t* hash, const byte_t* signature);
+private:
+	brd::es::ESSigType mSigType;
+	std::string mIssuer;
+	tc::crypto::RsaKey mRsaKey;
+};
+
+}}} // namespace ntd::n3ds::es
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Signature.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Signature.h
new file mode 100644
index 00000000..c9a472d4
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Signature.h
@@ -0,0 +1,50 @@
+#pragma once
+#include <bitset>
+#include <tc/types.h>
+#include <tc/io/IStream.h>
+#include <tc/crypto/RsaKey.h>
+#include <brd/es/es_sign.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/InvalidOperationException.h>
+
+namespace ntd { namespace n3ds { namespace es {
+
+size_t getSignatureSizeFromSigType(brd::es::ESSigType sig_type);
+size_t getSignatureIssuerOffset(brd::es::ESSigType sig_type);
+
+struct Signature
+{
+public:
+	Signature() :
+		sig_type(),
+		sig(),
+		issuer()
+	{}
+public:
+	brd::es::ESSigType sig_type;
+	tc::ByteData sig;
+	std::string issuer;
+};
+
+class SignatureDeserialiser : public Signature
+{
+public:
+	// input stream
+	SignatureDeserialiser(const std::shared_ptr<tc::io::IStream>& stream);
+private:
+	std::string mModuleLabel;
+};
+
+/*
+class SignatureSerialiser : public tc::io::IStream
+{
+public:
+	SignatureSerialiser();
+private:
+	std::string mModuleLabel;
+}
+*/
+
+}}} // namespace ntd::n3ds::es
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Ticket.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Ticket.h
new file mode 100644
index 00000000..62bc5a32
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/Ticket.h
@@ -0,0 +1,72 @@
+#pragma once
+#include <bitset>
+#include <tc/types.h>
+#include <tc/io/IStream.h>
+#include <ntd/n3ds/es/Signature.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/InvalidOperationException.h>
+
+namespace ntd { namespace n3ds { namespace es {
+
+struct Ticket
+{
+public:
+	Ticket() :
+		signature(),
+		ticket_id(0),
+		device_id(0),
+		title_id(0),
+		ticket_version(0),
+		license_type(0),
+		key_id(0),
+		ec_account_id(0),
+		launch_count(0),
+		enabled_content()
+	{
+		memset(calculated_hash.data(), 0, calculated_hash.size());
+		memset(title_key.data(), 0, title_key.size());
+	}
+
+public:
+	// these fields are only used in deserialisation
+	ntd::n3ds::es::Signature signature;
+	std::array<byte_t, 32> calculated_hash;
+
+	// these fields are used in both deserialisation & serialisation
+	std::array<byte_t, 16> title_key;
+	uint64_t ticket_id;
+	uint32_t device_id;
+	uint64_t title_id;
+	uint16_t ticket_version;
+	byte_t license_type;
+	byte_t key_id;
+	// reserved region data
+	uint32_t ec_account_id;
+	// lp record
+	uint32_t launch_count; // 0 = unlimited, x = limited to x launches
+	std::bitset<0x10000> enabled_content;
+};
+
+class TicketDeserialiser : public Ticket
+{
+public:
+	// tik stream
+	TicketDeserialiser(const std::shared_ptr<tc::io::IStream>& tik_stream);
+private:
+	std::string mModuleLabel;
+};
+
+/*
+class TicketSerialiser : public tc::io::IStream
+{
+public:
+	// tmd Ticket, issuer, RsaKey
+	TicketSerialiser();
+private:
+	std::string mModuleLabel;
+}
+*/
+
+}}} // namespace ntd::n3ds::es
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/TitleMetaData.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/TitleMetaData.h
new file mode 100644
index 00000000..0bc03b40
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/es/TitleMetaData.h
@@ -0,0 +1,106 @@
+#pragma once
+#include <tc/types.h>
+#include <tc/io/IStream.h>
+#include <ntd/n3ds/es/Signature.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/InvalidOperationException.h>
+
+namespace ntd { namespace n3ds { namespace es {
+
+struct TitleMetaData
+{
+public:
+	TitleMetaData() :
+		signature(),
+		title_id(0),
+		title_version(0),
+		content_info()
+	{
+		memset(calculated_hash.data(), 0, calculated_hash.size());
+		twl_custom_data.public_save_data_size = 0;
+		twl_custom_data.private_save_data_size = 0;
+		twl_custom_data.flag = 0;
+		ctr_custom_data.save_data_size = 0;
+		ctr_custom_data.is_snake_only = false;
+	}
+
+	struct ContentInfo
+	{
+	public:
+		ContentInfo() :
+			id(0),
+			index(0),
+			is_encrypted(0),
+			is_optional(0),
+			size(0)
+		{
+			memset(hash.data(), 0, hash.size());
+		}
+
+		ContentInfo(uint32_t id, uint16_t index, bool is_encrypted, bool is_optional, int64_t size, std::array<byte_t, 32>& hash) :
+			id(id),
+			index(index),
+			is_encrypted(is_encrypted),
+			is_optional(is_optional),
+			size(size),
+			hash(hash)
+		{
+		}
+	public:
+		uint32_t id;
+		uint16_t index;
+		bool is_encrypted;
+		bool is_optional;
+		int64_t size;
+		std::array<byte_t, 32> hash;
+	};
+
+public:
+	// these fields are only used in deserialisation
+	ntd::n3ds::es::Signature signature;
+	std::array<byte_t, 32> calculated_hash;
+
+
+	// these fields are used in both deserialisation & serialisation
+	uint64_t title_id;
+	uint16_t title_version;
+	struct TwlCustomData
+	{
+		uint32_t public_save_data_size;
+		uint32_t private_save_data_size;
+		uint8_t flag;
+	} twl_custom_data;
+
+	struct CtrCustomData
+	{
+		uint32_t save_data_size;
+		bool is_snake_only;
+	} ctr_custom_data;
+
+	std::vector<ContentInfo> content_info;
+};
+
+class TitleMetaDataDeserialiser : public TitleMetaData
+{
+public:
+	// tmd stream
+	TitleMetaDataDeserialiser(const std::shared_ptr<tc::io::IStream>& tmd_stream);
+private:
+	TitleMetaDataDeserialiser();
+	std::string mModuleLabel;
+};
+
+/*
+class TitleMetaDataSerialiser : public tc::io::IStream
+{
+public:
+	// tmd TitleMetaData, issuer, RsaKey
+	TitleMetaDataSerialiser();
+private:
+	std::string mModuleLabel;
+}
+*/
+
+}}} // namespace ntd::n3ds::es
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exefs.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exefs.h
new file mode 100644
index 00000000..9516f3a2
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exefs.h
@@ -0,0 +1,33 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct ExeFsHeader
+{
+	static const size_t kFileNum = 8;
+	static const size_t kExeFsSectionAlignSize = 0x200;
+
+	struct FileEntry
+	{
+		tc::bn::string<8> name;
+		tc::bn::le32<uint32_t> offset;
+		tc::bn::le32<uint32_t> size;
+	};
+
+	using FileHash = std::array<byte_t, 0x20>;
+
+	std::array<FileEntry, kFileNum> file_table;
+	tc::bn::pad<0x80> reserved;
+	std::array<FileHash, kFileNum> hash_table;
+
+	// inline method to get pointer to file hash, since the ordering is unintuitive
+	FileHash* getFileHash(size_t index) { return (index < kFileNum) ? &hash_table[kFileNum - 1 - index] : nullptr; }
+};
+static_assert(sizeof(ExeFsHeader) == 0x200, "ExeFsHeader had invalid size");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exheader.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exheader.h
new file mode 100644
index 00000000..f78f867d
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/exheader.h
@@ -0,0 +1,317 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct SystemControlInfo
+{
+	enum Flags
+	{
+		Flags_CompressExefsPartition0 = 0,
+		Flags_SdmcApplication = 1,
+	};
+
+	struct CodeSegmentInfo
+	{
+		tc::bn::le32<uint32_t> address;
+		tc::bn::le32<uint32_t> num_max_pages;
+		tc::bn::le32<uint32_t> code_size;
+	};
+	static_assert(sizeof(CodeSegmentInfo) == 0xC, "CodeSegmentInfo had incorrect size.");
+
+public:
+	tc::bn::string<8>                        name;
+	tc::bn::pad<5>                           padding0;
+	union
+	{
+	    tc::bn::bitarray<1>                  bitarray;
+	    byte_t                               raw;
+	}                                        flags;
+	tc::bn::le16<uint16_t>                   remaster_version;
+	CodeSegmentInfo                          text;
+	tc::bn::le32<uint32_t>                   stack_size;
+	CodeSegmentInfo                          rodata;
+	tc::bn::pad<4>                           padding1;
+	CodeSegmentInfo                          data;
+	tc::bn::le32<uint32_t>                   bss_size;
+	std::array<tc::bn::le64<uint64_t>, 0x30> dependency_list;
+	tc::bn::le64<uint64_t>                   savedata_size;
+	tc::bn::le64<uint64_t>                   jump_id;
+	tc::bn::pad<0x30>                        padding2;
+};
+static_assert(sizeof(SystemControlInfo) == 0x200, "SystemControlInfo had incorrect size.");
+
+struct AccessControlInfo
+{
+	enum CpuSpeed
+	{
+		CpuSpeed_268MHz = 0,
+		CpuSpeed_804MHz = 1,
+	};
+	
+	enum SystemMode : byte_t
+	{
+		SystemMode_PROD = 0, // For Apps 64MB memory
+		SystemMode_DEV1 = 2, // For Apps 96MB memory
+		SystemMode_DEV2 = 3, // For Apps 80MB memory
+		SystemMode_DEV3 = 4, // For Apps 72MB memory
+		SystemMode_DEV4 = 5, // For Apps 32MB memory
+	};
+
+	enum SystemModeExt : byte_t
+	{
+		SystemModeExt_LEGACY = 0, // Use SystemMode setting
+		SystemModeExt_PROD   = 1, // For Apps 124MB memory
+		SystemModeExt_DEV1   = 2, // For Apps 178MB memory
+		//SystemModeExt_DEV2   = 3, // Unknown App memory allocation (devunit only?, doesn't exist?)
+	};
+
+	enum FileSystemAccess
+	{
+		FileSystemAccess_CategorySystemApplication,
+		FileSystemAccess_CategoryHardwareCheck,
+		FileSystemAccess_CategoryFileSystemTool,
+		FileSystemAccess_Debug,
+		FileSystemAccess_TwlCardBackup,
+		FileSystemAccess_TwlNandData,
+		FileSystemAccess_Boss,
+		FileSystemAccess_DirectSdmc,
+		FileSystemAccess_Core,
+		FileSystemAccess_CtrNandRo,
+		FileSystemAccess_CtrNandRw,
+		FileSystemAccess_CtrNandRoWrite,
+		FileSystemAccess_CategorySystemSettings,
+		FileSystemAccess_CardBoard,
+		FileSystemAccess_ExportImportIvs,
+		FileSystemAccess_DirectSdmcWrite,
+		FileSystemAccess_SwitchCleanup,
+		FileSystemAccess_SaveDataMove,
+		FileSystemAccess_Shop,
+		FileSystemAccess_Shell,
+		FileSystemAccess_CategoryHomeMenu,
+		FileSystemAccess_ExternalSeed,
+	};
+
+	enum OtherAttribute
+	{
+		OtherAttribute_NotUseRomFs,
+		OtherAttribute_UseExtendedSavedataAccessControl,
+	};
+
+	enum ResourceLimitDescriptorIndex
+	{
+		ResourceLimitDescriptorIndex_MaxCpu = 0,
+	};
+
+	enum ResourceLimitCategory : byte_t
+	{
+		ResourceLimitCategory_Application = 0,
+		ResourceLimitCategory_SysApplet = 1,
+		ResourceLimitCategory_LibApplet = 2,
+		ResourceLimitCategory_Other = 3
+	};
+
+	struct Flags
+	{
+		uint32_t enable_l2_cache : 1; // 0=disable, 1=enable
+		uint32_t cpu_speed : 1; // CpuSpeed
+		uint32_t : 6;
+
+		uint32_t system_mode_ext : 4; // SystemModeExt
+		uint32_t : 4;
+
+		uint32_t ideal_processor : 2; // 0-3, default=0
+		uint32_t affinity_mask : 2; // 0-3, default=0
+		uint32_t system_mode : 4; // SystemMode
+
+		int32_t  thread_priority : 8;
+	};
+	static_assert(sizeof(Flags) == sizeof(uint32_t), "Flags had incorrect size.");
+
+	// the reason for the reverse ordering is because the normal serialization of this field is: "field |= save_id", then "field = field << 20"
+	struct AccessibleUniqueIds
+	{
+		uint64_t save_id2 : 20;
+		uint64_t save_id1 : 20;
+		uint64_t save_id0 : 20;
+		uint64_t flag : 1;
+		uint64_t : 0;
+	};
+	static_assert(sizeof(AccessibleUniqueIds) == sizeof(uint64_t), "AccessibleUniqueIds had incorrect size.");
+
+	using ServiceName = tc::bn::string<8>; // Those char[8] server names
+
+	enum DescriptorPrefix
+	{
+		DescriptorPrefix_InterruptNumList = 3,
+		DescriptorPrefix_SysCallList = 4,
+		DescriptorPrefix_ReleaseKernelVersion = 6,
+		DescriptorPrefix_HandleTableSize = 7,
+		DescriptorPrefix_OtherCapabilities = 8,
+		DescriptorPrefix_MappingStatic = 9,
+		DescriptorPrefix_MappingIo = 11
+	};
+
+	static const size_t kMaxSerializableInterruptCount = 32; // number of serializable interupts
+	static const size_t kMaxInterruptValue = 0x80; // system maximum total interupts
+	static const size_t kMaxInterruptDescriptorNum = 8;
+
+	struct InterruptDescriptor
+	{
+		uint32_t interrupt_0 : 7;
+		uint32_t interrupt_1 : 7;
+		uint32_t interrupt_2 : 7;
+		uint32_t interrupt_3 : 7;
+		uint32_t padding_bit : 1; // zero
+		uint32_t prefix_bits : 3; // all ones
+	};
+	static_assert(sizeof(InterruptDescriptor) == sizeof(uint32_t), "InterruptDescriptor had incorrect size.");
+
+	static const size_t kMaxSerializableSystemCallCount = 0xC0; // this is the physical maximum storable system calls
+	static const size_t kMaxSystemCallValue = 0x7d; // this is the maximum value for a system call according to the system
+	static const size_t kMaxSystemCallDescriptorNum = 8;
+
+	struct SystemCallDescriptor
+	{
+		uint32_t systemcall_lower_bitarray : 24;
+		uint32_t systemcall_upper : 3;
+		uint32_t padding_bit : 1; // zero
+		uint32_t prefix_bits : 4; // all ones
+	};
+	static_assert(sizeof(SystemCallDescriptor) == sizeof(uint32_t), "SystemCallDescriptor had incorrect size.");
+
+	struct ReleaseKernelVersionDescriptor
+	{
+		uint32_t version : 16;
+		uint32_t : 9;
+		uint32_t padding_bit : 1; // zero
+		uint32_t prefix_bits : 6; // all ones
+	};
+	static_assert(sizeof(ReleaseKernelVersionDescriptor) == sizeof(uint32_t), "ReleaseKernelVersionDescriptor had incorrect size.");
+
+	struct HandleTableSizeDescriptor
+	{
+		uint32_t size : 16;
+		uint32_t : 8;
+		uint32_t padding_bit : 1; // zero
+		uint32_t prefix_bits : 7; // all ones
+	};
+	static_assert(sizeof(HandleTableSizeDescriptor) == sizeof(uint32_t), "HandleTableSizeDescriptor had incorrect size.");
+
+	enum MemoryType
+	{
+		MemoryType_Application = 1,
+		MemoryType_System = 2,
+		MemoryType_Base = 3
+	};
+
+	// KernelFlags
+	struct OtherCapabilitiesDescriptor
+	{
+		uint32_t permit_debug : 1;
+		uint32_t force_debug : 1;
+		uint32_t can_use_non_alphabet_and_number : 1;
+		uint32_t can_write_shared_page : 1;
+		uint32_t can_use_privileged_priority : 1;
+		uint32_t permit_main_function_argument : 1;
+		uint32_t can_share_device_memory : 1;
+		uint32_t runnable_on_sleep : 1;
+		uint32_t memory_type : 4; // MemoryType
+		uint32_t special_memory_layout : 1;
+		uint32_t can_access_core2 : 1;
+		uint32_t : 9;
+		uint32_t padding_bit : 1; // zero
+		uint32_t prefix_bits : 8; // all ones
+	};
+	static_assert(sizeof(OtherCapabilitiesDescriptor) == sizeof(uint32_t), "OtherCapabilitiesDescriptor had incorrect size.");
+
+	// MappingStaticDescriptor come in pairs: [begin_page,end_page) where begin.flag == (true: range read-only, false: range is read-write), and end.flag == (true: static mapping, false: io mapping)
+	struct MappingStaticDescriptor
+	{
+		uint32_t page : 20; // page2addr: addr = page << 20
+		uint32_t flag : 1;
+		uint32_t : 1;
+		uint32_t padding_bit : 1; // zero
+		uint32_t prefix_bits : 9; // all ones
+	};
+	static_assert(sizeof(MappingStaticDescriptor) == sizeof(uint32_t), "MappingStaticDescriptor had incorrect size.");
+
+	// MappingIODescriptor describe single page IO mappings, these are always read-write permissions. [begin_page)
+	// When a multi-page IO mapping is required, these is indicated with two MappingStaticDescriptor
+	struct MappingIODescriptor
+	{
+		uint32_t page : 20; // page2addr: addr = page << 20
+		uint32_t padding_bit : 1; // zero
+		uint32_t prefix_bits : 11; // all ones
+	};
+	static_assert(sizeof(MappingIODescriptor) == sizeof(uint32_t), "MappingIODescriptor had incorrect size.");
+
+	enum Arm9Capability
+	{
+		Arm9Capability_FsMountNand = 0,
+		Arm9Capability_FsMountNandRoWrite = 1,
+		Arm9Capability_FsMountTwln = 2,
+		Arm9Capability_FsMountWnand = 3,
+		Arm9Capability_FsMountCardSpi = 4,
+		Arm9Capability_UseSdif3 = 5,
+		Arm9Capability_CreateSeed = 6,
+		Arm9Capability_UseCardSpi = 7,
+		Arm9Capability_SdApplication = 8,
+		Arm9Capability_UseDirectSdmc = 9,
+	};
+
+public:
+	// begin ARM11 System
+	tc::bn::le64<uint64_t>                 program_id;
+	tc::bn::le32<uint32_t>                 core_version;
+	tc::bn::le32<Flags>                    flags;
+	std::array<tc::bn::le16<uint16_t>, 16> resource_limit_descriptor; // for each descriptor use, see ResourceLimitDescriptorIndex
+	union 
+	{
+		tc::bn::le64<uint64_t>             ext_savedata_id; // this field is used when other_attributes.test(USE_EXTENDED_SAVEDATA_ACCESS_CONTROL) == false
+		tc::bn::le64<AccessibleUniqueIds>  accessible_unique_ids_1; // this field is used when other_attributes.test(USE_EXTENDED_SAVEDATA_ACCESS_CONTROL) == true
+	};
+	std::array<tc::bn::le32<uint32_t>, 2>  system_savedata_id;
+	tc::bn::le64<AccessibleUniqueIds>      accessible_unique_ids_0; // other_attributes.test(USE_EXTENDED_SAVEDATA_ACCESS_CONTROL): true = accessible_save_ids, false: other_user_save_ids
+	tc::bn::bitarray<7>                    fs_access; // FileSystemAccess
+	tc::bn::bitarray<1>                    other_attributes; // OtherAttribute
+	std::array<ServiceName, 34>            service_access_control; // In firmware versions prior to 9.2.0(?) this array is only 32 elements long
+	tc::bn::pad<0xf>                       padding0;
+	byte_t                                 resource_limit_category; // ResourceLimitCategory
+	// end ARM11 System
+
+	// begin ARM11 Kernel
+	std::array<tc::bn::le32<uint32_t>, 28> kernel_descriptors; // Descripters are a collection of u32s, with masks to differentiate between different descs. Impl'd Order: SysCallControl, InteruptNumList, AddressMapping(ExHdr order: IoMaps, MemMaps, AccDesc order: MemMaps, IoMaps), OtherCapabilities, HandleTableSize, ReleaseKernelVersion
+	tc::bn::pad<0x10>                      padding1;
+	// end ARM11 Kernel
+
+	// begin ARM9
+	tc::bn::bitarray<0xf>                  arm9_access_control;
+	byte_t                                 desc_version;
+	// end ARM9
+};
+static_assert(sizeof(AccessControlInfo) == 0x200, "AccessControlInfo had incorrect size.");
+
+struct ExtendedHeader
+{
+	SystemControlInfo system_control_info;
+	AccessControlInfo access_control_info;
+};
+static_assert(sizeof(ExtendedHeader) == 0x400, "ExtendedHeader had invalid size");
+
+struct AccessDescriptor
+{
+	using Rsa2048Block = std::array<byte_t, 0x100>;
+
+	Rsa2048Block signature;
+	Rsa2048Block ncch_rsa_modulus;
+	AccessControlInfo access_control_info;
+};
+static_assert(sizeof(AccessDescriptor) == 0x400, "AccessDescriptor had invalid size");
+
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/firm.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/firm.h
new file mode 100644
index 00000000..95f1ddfe
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/firm.h
@@ -0,0 +1,40 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct FirmwareHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("FIRM");
+
+	struct SectionHeader
+	{
+		enum CopyMethod
+		{
+			CopyMethod_NDMA = 0,
+			CopyMethod_XDMA = 1,
+			CopyMethod_MEMCPY = 2
+		};
+
+		tc::bn::le32<uint32_t>   offset;
+		tc::bn::le32<uint32_t>   address;
+		tc::bn::le32<uint32_t>   size;
+		tc::bn::le32<uint32_t>   copy_method;
+		std::array<byte_t, 0x20> hash; // SHA2-256 over 0x000+offset - 0x000+offset+size-1
+	};
+
+	tc::bn::le32<uint32_t>       struct_magic; // FIRM
+	tc::bn::le32<uint32_t>       priority;
+	tc::bn::le32<uint32_t>       entrypoint_arm11;
+	tc::bn::le32<uint32_t>       entrypoint_arm9;
+	tc::bn::pad<0x30>            reserved1;
+	std::array<SectionHeader, 4> section;
+	std::array<byte_t, 0x100>    signature; // RSA2048-PKCS1-SHA2-256 over 0x000-0x0ff
+};
+static_assert(sizeof(FirmwareHeader) == 0x200, "FirmwareHeader had invalid size");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ivfc.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ivfc.h
new file mode 100644
index 00000000..fe5a1f63
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ivfc.h
@@ -0,0 +1,70 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct IvfcHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("IVFC");
+
+	enum TypeId : uint32_t
+	{
+		TypeId_A = 0x10000, // CTR RomFS
+		TypeId_B = 0x20000, // CTR SaveData
+	};
+
+	tc::bn::le32<uint32_t> struct_magic;
+	tc::bn::le32<TypeId>   type_id;
+};
+static_assert(sizeof(IvfcHeader) == 0x8, "IvfcHeader had invalid size");
+
+struct IvfcLevelEntry
+{
+	tc::bn::le64<uint64_t>    offset;
+	tc::bn::le64<uint64_t>    size;
+	tc::bn::le32<uint32_t>    block_size_log2;
+	tc::bn::pad<4>            reserved;
+};
+static_assert(sizeof(IvfcLevelEntry) == 0x18, "IvfcLevelEntry had invalid size");
+
+	/**
+	 * @struct IvfcCtrRomfsHeader
+	 * @details
+	 * IVFC for CTR uses 4 levels (1 master, 3 auxillary)
+	 * 
+	 * * The master level follows the IvfcCtrRomfsHeader aligned to 0x10 bytes (0x60 bytes total), for head.master_hash_size bytes, validating aux level 0
+	 * * Aux level 0 validates aux level 1
+	 * * Aux level 1 validates aux level 2
+	 * * Aux level 2 is RomFS data
+	 */ 
+struct IvfcCtrRomfsHeader
+{
+	static const size_t kLevelNum = 3;
+	static const size_t kHeaderAlign = 0x10;
+	static const size_t kDefaultRomFsBlockSize = 0x1000;
+
+	IvfcHeader                            head;
+	tc::bn::le32<uint32_t>                master_hash_size;
+	std::array<IvfcLevelEntry, kLevelNum> level;
+	tc::bn::le32<uint32_t>                header_size; // header_size == 0x5c
+	tc::bn::pad<4>                        reserved;
+};
+static_assert(sizeof(IvfcCtrRomfsHeader) == 0x5C, "IvfcCtrRomfsHeader had invalid size");
+
+struct IvfcCtrSavedataHeader
+{
+	static const size_t kLevelNum = 4;
+
+	IvfcHeader                            head;
+	tc::bn::le64<uint64_t>                master_hash_size;
+	std::array<IvfcLevelEntry, kLevelNum> level;
+	tc::bn::le32<uint32_t>                header_size; // header_size == 0x78
+	std::array<byte_t, 4>                 reserved;
+};
+static_assert(sizeof(IvfcCtrSavedataHeader) == 0x78, "IvfcCtrSavedataHeader had invalid size");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ncch.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ncch.h
new file mode 100644
index 00000000..afb21117
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/ncch.h
@@ -0,0 +1,158 @@
+#pragma once
+#include <tc/types.h>
+
+
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,4)
+
+struct NcchCommonHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("NCCH");
+
+	enum FormatVersion
+	{
+		FormatVersion_CFA = 0,
+		FormatVersion_CXI_PROTOTYPE = 1,
+		FormatVersion_CXI = 2,
+	};
+
+	enum FlagIndex
+	{
+		FlagIndex_SecurityVersion = 3, // this flag determines the security version for secure crypto
+		FlagIndex_ContentPlatform = 4,
+		FlagIndex_ContentTypeFlag = 5,
+		FlagIndex_BlockSizeLog = 6, // this flag determines the block_size = 1 << (block_size_log + 9), alternatively this is always 0, and the blocksize is always 0x200
+		FlagIndex_OtherFlag = 7,
+	};
+
+	enum ContentPlatform
+	{
+		ContentPlatform_CTR = 0,
+		ContentPlatform_SNAKE = 1,
+	};
+
+	enum FormType
+	{
+		FormType_Unassigned = 0, // invalid
+		FormType_SimpleContent = 1, // CFA (Non-executable data archive)
+		FormType_ExecutableWithoutRomFS = 2, // CXI (ExeFS Only)
+		FormType_Executable = 3, // CXI (ExeFS & RomFS)
+	};
+
+	enum ContentType
+	{
+		ContentType_Application = 0,
+		ContentType_SystemUpdate = 1, // CTR update
+		ContentType_Manual = 2,
+		ContentType_Child = 3,
+		ContentType_Trial = 4,
+		ContentType_ExtendedSystemUpdate = 5, // SNAKE update
+	};
+
+	enum OtherFlag
+	{
+		OtherFlag_FixedAesKey = 0,
+		OtherFlag_NoMountRomFS = 1,
+		OtherFlag_NoEncryption = 2,
+		OtherFlag_SeededAesKeyY = 5,
+		OtherFlag_ManualDisclosure = 6,
+	};
+
+	struct NcchFlags
+	{
+		struct ContentTypeFlag
+		{
+			byte_t form_type : 2;
+			byte_t content_type : 6;
+		};
+		static_assert(sizeof(ContentTypeFlag) == 1, "ContentTypeFlag had incorrect size.");
+
+		tc::bn::pad<3>        reserved;
+		byte_t                security_version; // this determines the secure crypto mode, where != 0 this uses a different key for: romfs, & non .icon&.banner exefs
+		tc::bn::bitarray<1>   content_platform;
+		ContentTypeFlag       content_flag;
+		byte_t                block_size_log; // this flag determines the block_size = 1 << (block_size_log + 9), alternatively this is always 0, and the blocksize is always 0x200
+		tc::bn::bitarray<1>   other_flag;
+
+		// raw byte access
+		byte_t& operator[](size_t index) { return ((byte_t*)this)[index]; }
+		const byte_t& operator[](size_t index) const { return ((const byte_t*)this)[index]; }
+		const byte_t* data() const { return ((const byte_t*)this); }
+		const size_t size() const { return sizeof(uint64_t); }
+	};
+	static_assert(sizeof(NcchFlags) == 8, "NcchFlags had incorrect size.");
+
+	// 0x00
+	tc::bn::le32<uint32_t>    struct_magic; // NCCH
+	tc::bn::le32<uint32_t>    content_blk_size;
+	tc::bn::le64<uint64_t>    content_id;
+	// 0x10
+	tc::bn::string<2>         maker_code;
+	tc::bn::le16<uint16_t>    format_version;
+	std::array<byte_t, 4>     seed_checksum;
+	tc::bn::le64<uint64_t>    program_id;
+	// 0x20
+	tc::bn::pad<16>           reserved_00;
+	// 0x30
+	std::array<byte_t, 0x20>  logo_hash; // SHA-256 over the entire logo region
+	// 0x50
+	tc::bn::string<16>        product_code;
+	// 0x60
+	std::array<byte_t, 0x20>  exhdr_hash; // SHA-256 over exhdr_size of the exhdr region
+	// 0x80
+	tc::bn::le32<uint32_t>    exhdr_size; // note that this size does not include the access_desc binary that follows the exheader
+	tc::bn::pad<4>            reserved_01;
+	NcchFlags                 flags;
+	// 0x90
+	tc::bn::le32<uint32_t>    plain_region_blk_offset;
+	tc::bn::le32<uint32_t>    plain_region_blk_size;
+	tc::bn::le32<uint32_t>    logo_blk_offset;
+	tc::bn::le32<uint32_t>    logo_blk_size;
+	// 0xA0
+	tc::bn::le32<uint32_t>    exefs_blk_offset;
+	tc::bn::le32<uint32_t>    exefs_blk_size;
+	tc::bn::le32<uint32_t>    exefs_prot_blk_size;
+	tc::bn::pad<4>            reserved_02;
+	// 0xB0
+	tc::bn::le32<uint32_t>    romfs_blk_offset;
+	tc::bn::le32<uint32_t>    romfs_blk_size;
+	tc::bn::le32<uint32_t>    romfs_prot_blk_size;
+	tc::bn::pad<4>            reserved_03;
+	// 0xC0
+	std::array<byte_t, 0x20>  exefs_prot_hash;
+	// 0xE0
+	std::array<byte_t, 0x20>  romfs_prot_hash;
+	// 0x100
+};
+static_assert(sizeof(NcchCommonHeader) == 0x100, "NcchCommonHeader had incorrect size.");
+
+struct NcchHeader
+{
+	// 0x000-0x0FF : RSA2048-PKCS1-SHA2-256 signature over 0x100-0x1FF
+	std::array<byte_t, 0x100> signature;
+	// 0x100-0x1FF : NcchCommonHeader
+	NcchCommonHeader          header;
+	// 0x200
+};
+static_assert(sizeof(NcchHeader) == 0x200, "NcchHeader had incorrect size.");
+
+struct CxiHeader
+{
+	// 0x000-0x0FF : RSA2048-PKCS1-SHA2-256 signature over 0x100-0x1FF
+	std::array<byte_t, 0x100> signature;
+	// 0x100-0x1FF : NcchCommonHeader
+	NcchCommonHeader          header;
+	// 0x200-0x5FF : NcchExtendedHeader
+	std::array<byte_t, 0x400> extended_header;
+	// 0x600-0x9FF : NcchAccessControlExtended
+	std::array<byte_t, 0x400> access_ctrl_ext;
+	// 0xA00
+};
+static_assert(sizeof(CxiHeader) == 0xA00, "CxiHeader had incorrect size.");
+
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/romfs.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/romfs.h
new file mode 100644
index 00000000..33feb944
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/romfs.h
@@ -0,0 +1,62 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct RomFsHeader
+{
+	static const size_t kSectionNum = 4;
+	static const size_t kRomFsDataAlignSize = 0x10;
+
+	struct SectionGeometry
+	{
+		tc::bn::le32<uint32_t> offset;
+		tc::bn::le32<uint32_t> size;
+	};
+
+	tc::bn::le32<uint32_t> header_size;
+	SectionGeometry        dir_hash_bucket;
+	SectionGeometry        dir_entry;
+	SectionGeometry        file_hash_bucket;
+	SectionGeometry        file_entry;
+	tc::bn::le32<uint32_t> data_offset;
+};
+static_assert(sizeof(RomFsHeader) == 0x28, "RomFsHeader had invalid size");
+
+#ifdef _WIN32
+#pragma warning(disable : 4200) // silence warnings for usage of empty arrays in stucts (for name[])
+#endif
+
+struct RomFsDirectoryEntry
+{
+	tc::bn::le32<uint32_t> parent_offset; // parent directory
+	tc::bn::le32<uint32_t> sibling_offset; // next sibling directory
+	tc::bn::le32<uint32_t> child_offset; // directory child
+	tc::bn::le32<uint32_t> file_offset; // file child
+	tc::bn::le32<uint32_t> hash_sibling_offset; // hashtable sibling directory
+	tc::bn::le32<uint32_t> name_size; // size of name field
+	tc::bn::le16<char16_t> name[]; // variable length le-16bit unicode name
+};
+static_assert(sizeof(RomFsDirectoryEntry) == 0x18, "RomFsDirectoryEntry had invalid size");
+
+struct RomFsFileEntry
+{
+	tc::bn::le32<uint32_t> parent_offset; // parent directory
+	tc::bn::le32<uint32_t> sibling_offset; // next sibling file
+	tc::bn::le64<uint64_t> data_offset; // file data offset
+	tc::bn::le64<uint64_t> data_size; // file data size
+	tc::bn::le32<uint32_t> hash_sibling_offset; // hashtable sibling file
+	tc::bn::le32<uint32_t> name_size; // size of name field
+	tc::bn::le16<char16_t> name[]; // variable length le-16bit unicode name
+};
+static_assert(sizeof(RomFsFileEntry) == 0x20, "RomFsFileEntry had invalid size");
+
+#ifdef _WIN32
+#pragma warning(default : 4200)
+#endif
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/smdh.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/smdh.h
new file mode 100644
index 00000000..7bd4ba0b
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/smdh.h
@@ -0,0 +1,128 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct SystemMenuDataHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("SMDH");
+	static const uint16_t kFormatVersion = 0;
+	static const size_t kTitleNum = 16;
+
+	struct ApplicationTitle
+	{
+		static const size_t kShortDescriptionLength = 0x40;
+		static const size_t kLongDescriptionLength = 0x80;
+		static const size_t kPublisherLength = 0x40;
+
+		std::array<tc::bn::le16<char16_t>, kShortDescriptionLength> short_description;
+		std::array<tc::bn::le16<char16_t>, kLongDescriptionLength>  long_description;
+		std::array<tc::bn::le16<char16_t>, kPublisherLength>        publisher;
+	};
+	static_assert(sizeof(ApplicationTitle) == 0x200, "ApplicationTitle had invalid size");
+
+	enum Language
+	{
+		Language_Japanese = 0,
+		Language_English = 1,
+		Language_French = 2,
+		Language_German = 3,
+		Language_Italian = 4,
+		Language_Spanish = 5,
+		Language_ChineseSimplified = 6,
+		Language_Korean = 7,
+		Language_Dutch = 8,
+		Language_Portuguese = 9,
+		Language_Russian = 10,
+		Language_ChineseTraditional = 11,
+	};
+
+	struct ApplicationSettings
+	{
+		static const size_t kAgeRatingNum = 16;
+
+		enum Organisation
+		{
+			Organisation_CERO = 0, // Japan
+			Organisation_ESRB = 1, // North America (USA?)
+			Organisation_USK = 3, // Germany
+			Organisation_PEGI_GEN = 4, // Europe
+			Organisation_PEGI_PRT = 6, // Portugal
+			Organisation_PEGI_BBFC = 7, // UK
+			Organisation_COB = 8, // Australia (& NZ?)
+			Organisation_GRB = 9, // South Korea
+			Organisation_CGSRR = 10 // Taiwan
+		};
+
+		enum RegionFlag
+		{
+			RegionFlag_Japan = 0,
+			RegionFlag_NorthAmerica = 1,
+			RegionFlag_Europe = 2,
+			RegionFlag_Australia = 3,
+			RegionFlag_China = 4,
+			RegionFlag_Korea = 5,
+			RegionFlag_Taiwan = 6
+		};
+
+		enum AppFlag
+		{
+			AppFlag_Visible = 0,
+			AppFlag_Autoboot = 1,
+			AppFlag_Use3dEffect = 2,
+			AppFlag_RequireAcceptEula = 3,
+			AppFlag_AutosaveOnExit = 4,
+			AppFlag_UseExtendedBanner = 5,
+			AppFlag_RatingUsed = 6,
+			AppFlag_UsesSaveData = 7,
+			AppFlag_RecordUsage = 8,
+			AppFlag_DisableSaveDataBackup = 10,
+			AppFlag_EnableMiiverseJumpArgs = 11,
+			AppFlag_SnakeOnly = 12,
+			AppFlag_DepositSale = 13
+		};
+
+		struct AgeRating
+		{
+			byte_t age : 5;
+			byte_t no_age_restriction : 1;
+			byte_t rating_pending : 1;
+			byte_t enabled_rating : 1;
+		};
+		static_assert(sizeof(AgeRating) == 0x1, "AgeRating had invalid size");
+
+		struct EulaVersion
+		{
+			uint32_t minor : 8;
+			uint32_t major : 8;
+			uint32_t : 0;
+		};
+		static_assert(sizeof(EulaVersion) == 0x4, "EulaVersion had invalid size");
+
+		std::array<AgeRating, kAgeRatingNum> age_rating;
+		tc::bn::bitarray<sizeof(uint32_t)>   region_lockout; // see RegionFlag
+		tc::bn::le32<uint32_t>               match_maker_id;
+		tc::bn::le64<uint64_t>               match_maker_bit_id;
+		tc::bn::bitarray<sizeof(uint32_t)>   flags; // see AppFlag
+		tc::bn::le32<EulaVersion>            eula_version;
+		tc::bn::le32<float>                  optiminal_animation_frame; // for banner
+		tc::bn::le32<uint32_t>               cec_id;
+	};
+	static_assert(sizeof(ApplicationSettings) == 0x30, "ApplicationSettings had invalid size");
+
+	tc::bn::le32<uint32_t>                  struct_magic; // SMDH
+	tc::bn::le16<uint16_t>                  version;
+	tc::bn::pad<2>                          reserved0;
+	std::array<ApplicationTitle, kTitleNum> title;
+	ApplicationSettings                     settings;
+	tc::bn::pad<8>                          reserved1;
+	std::array<byte_t, 0x480>               small_icon_data;
+	std::array<byte_t, 0x1200>              large_icon_data;
+};
+static_assert(sizeof(SystemMenuDataHeader) == 0x36C0, "SystemMenuDataHeader had invalid size");
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/systemupdater.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/systemupdater.h
new file mode 100644
index 00000000..ab5baac9
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/systemupdater.h
@@ -0,0 +1,129 @@
+#pragma once
+#include <tc/types.h>
+
+namespace ntd { namespace n3ds {
+
+#pragma pack(push,1)
+
+struct ContentAddr
+{
+	tc::bn::le32<uint32_t> begin;
+	tc::bn::le32<uint32_t> end;
+};
+static_assert(sizeof(ContentAddr) == 0x8, "ContentAddr had invalid size");
+
+struct ContHeader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("CONT");
+	static const uint32_t kFormatVersion = 4;
+	
+	// 0x000
+	tc::bn::le32<uint32_t> struct_magic; // CONT
+	tc::bn::le32<uint32_t> format_version; // 0x4
+	tc::bn::pad<0xBF8>     padding_08;
+	// 0xC00
+	ContentAddr            content_addr[];
+};
+static_assert(sizeof(ContHeader) == 0xC00, "ContHeader had invalid size");
+
+struct LegacyUpdaterConfig
+{
+	ContentAddr            unk_addr;
+	tc::bn::le64<uint64_t> update_kernel_id;
+};
+static_assert(sizeof(LegacyUpdaterConfig) == 0x10, "LegacyUpdaterConfig had invalid size");
+
+struct UpdaterConfig
+{
+	tc::bn::le64<uint64_t> update_kernel_id;
+	ContentAddr            updater_info_addr;
+	ContentAddr            twl_font_addr;
+	ContentAddr            cup_list_addr;
+};
+static_assert(sizeof(UpdaterConfig) == 0x20, "UpdaterConfig had invalid size");
+
+struct UpdaterInfo
+{
+	tc::bn::le32<uint32_t> firm_ver_major;
+	tc::bn::le32<uint32_t> firm_ver_minor;
+	tc::bn::le32<uint32_t> firm_ver_build;
+	tc::bn::le32<uint32_t> rel_step;
+	tc::bn::le32<uint32_t> firm_revision;
+	tc::bn::pad<4>         reserved;
+	tc::bn::string<0x20>   patch_info;
+	tc::bn::le32<uint32_t> kernel_ver_major;
+	tc::bn::le32<uint32_t> kernel_ver_minor;
+};
+static_assert(sizeof(UpdaterInfo) == 0x40, "UpdaterInfo had invalid size");
+
+struct UpdaterSpec
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("SPEC");
+	static const uint32_t kFormatVersion = 0;
+	
+	enum Region
+	{
+		Region_JP = 0,
+		Region_US = 1,
+		Region_EU = 2,
+		Region_CN = 4,
+		Region_KR = 5,
+		Region_TW = 6
+	};
+
+	enum SystemMode
+	{
+		SystemMode_prod = 0,
+		SystemMode_dev1 = 2,
+		SystemMode_dev2 = 3,
+		SystemMode_dev3 = 4
+	};
+
+	enum Flag
+	{
+		Flag_AutoRun = 0,
+		Flag_SkipImport = 1,
+		Flag_TmpUpdater = 2,
+		Flag_ForceChangeSystemMode = 3,
+
+		// SystemUpdater sets this flag at run-time if "rom:/contents/ClearProgram" is present
+		Flag_ClearProgramBeforeImport = 27,
+		// SystemUpdater sets this flag at run-time if "rom:/contents/ClearTicket" is present
+		Flag_ClearTickets = 28,
+		// SystemUpdater sets this flag at run-time
+		Flag_RebootAfterUpdate = 29,
+
+		// SystemUpdater sets these flags at run-time from key-combos
+		Flag_NotIncrementSeed = 30,
+		Flag_SdmcLog = 31
+	};
+
+	// 0x000
+	tc::bn::le32<uint32_t> struct_magic; // SPEC
+	tc::bn::le32<uint32_t> format_version; // 0x0
+	byte_t                 region;
+	byte_t                 system_mode;
+	tc::bn::pad<6>         padding;
+	tc::bn::bitarray<4>    flags;	
+};
+static_assert(sizeof(UpdaterSpec) == 0x14, "UpdaterSpec had invalid size");
+
+struct DeleteSpec
+{
+	enum Flag
+	{
+		Flag_DeleteNonSystemTitles = 0, // this deletes all titles from NAND without the system app bit, excluding "Self", see below
+		Flag_DeleteSelf = 1 // This refers to when the systemupdater was installed to NAND (old install method), the titleID was 0x000400000fd00200
+	};
+
+	tc::bn::le32<uint32_t> id_list_length;
+	tc::bn::bitarray<4>    flags;
+	tc::bn::pad<8>         padding;
+	tc::bn::le64<uint64_t> id_list[];
+};
+static_assert(sizeof(DeleteSpec) == 0x10, "DeleteSpec had invalid size");
+
+
+#pragma pack(pop)
+
+}} // namespace ntd::n3ds
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/makefile b/ctrtool/deps/libnintendo-n3ds/makefile
new file mode 100644
index 00000000..b786666b
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/makefile
@@ -0,0 +1,193 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 5
+
+# Project Name
+PROJECT_NAME = libnintendo-n3ds
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src src/es
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Shared Library Definitions
+PROJECT_SO_VER_MAJOR = 0
+PROJECT_SO_VER_MINOR = 1
+PROJECT_SO_VER_PATCH = 0
+PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
+PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
+
+# Project Dependencies
+PROJECT_DEPEND = mbedtls fmt toolchain broadon-es
+PROJECT_DEPEND_LOCAL_DIR = libmbedtls libfmt libtoolchain libbroadon-es
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc	
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building static library
+#	- 'shared_lib' for building shared library
+#	- 'program' for building the program
+#	- 'test_program' for building the test program
+# These can typically be used together however *_lib and program should not be used together
+all: static_lib
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+shared_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)
+	@gcc -shared -Wl,-soname,$(PROJECT_SONAME) -o "$(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/CciFsSnapshotGenerator.cpp b/ctrtool/deps/libnintendo-n3ds/src/CciFsSnapshotGenerator.cpp
new file mode 100644
index 00000000..21106ef9
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/CciFsSnapshotGenerator.cpp
@@ -0,0 +1,131 @@
+#include <ntd/n3ds/CciFsSnapshotGenerator.h>
+#include <tc/io/SubStream.h>
+#include <tc/crypto/Sha256Generator.h>
+
+#include <ntd/n3ds/cci.h>
+
+#include <iostream>
+#include <iomanip>
+#include <sstream>
+#include <tc/cli/FormatUtil.h>
+
+
+ntd::n3ds::CciFsShapshotGenerator::CciFsShapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream) :
+	FileSystemSnapshot(),
+	mBaseStream(stream),
+	mCurDir(0)
+{
+	// validate stream properties
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException("ntd::n3ds::CciFsShapshotGenerator", "Failed to open input stream.");
+	}
+	if (mBaseStream->canRead() == false || mBaseStream->canSeek() == false)
+	{
+		throw tc::NotSupportedException("ntd::n3ds::CciFsShapshotGenerator", "Input stream requires read/seek permissions.");
+	}
+
+	// validate and read CCI header
+	ntd::n3ds::CciHeader hdr;
+	if (mBaseStream->length() < sizeof(ntd::n3ds::CciHeader))
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "Input stream is too small.");
+	}
+	mBaseStream->seek(0, tc::io::SeekOrigin::Begin);
+	mBaseStream->read((byte_t*)(&hdr), sizeof(ntd::n3ds::CciHeader));
+
+	if (hdr.ncsd_header.struct_magic.unwrap() != hdr.ncsd_header.kStructMagic)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "CCI header had invalid struct magic.");
+	}
+	if (hdr.ncsd_header.flags.media_type != hdr.ncsd_header.MediaType_Card1 && hdr.ncsd_header.flags.media_type != hdr.ncsd_header.MediaType_Card2)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "CCI header had unexpected media type.");
+	}
+	if (hdr.ncsd_header.flags.block_size_log != 0)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "CCI header had unexpected block size.");
+	}
+	if (hdr.ncsd_header.flags.media_platform.test(hdr.ncsd_header.MediaPlatform_CTR) == false)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "CCI header had unexpected supported platforms.");
+	}
+
+	// parse header partitions
+	struct PartitionInformation
+	{
+		int64_t offset;
+		int64_t size;
+		uint64_t title_id;
+	};
+	
+	std::array<PartitionInformation, ntd::n3ds::NcsdCommonHeader::kPartitionNum> partition;
+
+	int64_t used_image_size = 0;
+	for (size_t i = 0; i < partition.size(); i++)
+	{
+		if (hdr.ncsd_header.partition_fs_type[i] != hdr.ncsd_header.PartitionFsType_None)
+		{
+			throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "CCI partition had unexpected fs type.");
+		}
+		if (hdr.ncsd_header.partition_crypto_type[i] != hdr.ncsd_header.PartitionCryptoType_None)
+		{
+			throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "CCI partition had unexpected crypto type.");
+		}
+
+		partition[i].offset = int64_t(hdr.ncsd_header.partition_offsetsize[i].blk_offset.unwrap()) << 9;
+		partition[i].size = int64_t(hdr.ncsd_header.partition_offsetsize[i].blk_size.unwrap()) << 9;
+		partition[i].title_id = hdr.ncsd_header.card_ext.partition_id[i].unwrap();
+
+		used_image_size = std::max<int64_t>((partition[i].offset + partition[i].size), used_image_size);
+	}
+
+	if (stream->length() < used_image_size)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CciFsShapshotGenerator", "Input stream is too small, given calculated CCI partition geometry.");
+	}
+
+	// Add root directory
+	dir_entries.push_back(DirEntry());
+	mCurDir = dir_entries.size() - 1;
+	dir_entries[mCurDir].dir_listing.abs_path = tc::io::Path("/");
+	dir_entry_path_map[tc::io::Path("/")] = mCurDir;
+
+	// populate virtual filesystem
+	// initial data
+	//addFile("initial_data.bin", sizeof(ntd::n3ds::NcsdCommonHeader) + 0xe00, sizeof(ntd::n3ds::CardInfoHeader::InitialData));
+
+	// NCCH partitions
+	for (size_t i = 0; i < partition.size(); i++)
+	{
+		if (partition[i].size != 0)
+		{
+			std::stringstream ss;
+			ss << std::hex << std::setfill('0') << std::setw(2) << i;
+			ss << "_";
+			ss << std::hex << std::setfill('0') << std::setw(16) << partition[i].title_id;
+			ss << ".app";
+
+			addFile(ss.str(), partition[i].offset, partition[i].size);
+		}
+	}
+}
+
+void ntd::n3ds::CciFsShapshotGenerator::addFile(const std::string& name, int64_t offset, int64_t size)
+{
+	FileEntry tmp;
+
+	tmp.stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(mBaseStream, offset, size));
+
+	// create file path
+	tc::io::Path file_path = dir_entries[mCurDir].dir_listing.abs_path + std::string(name);
+
+	// add file entry to list
+	file_entries.push_back(std::move(tmp));
+
+	// add file entry to map
+	file_entry_path_map[file_path] = file_entries.size()-1;
+
+	// add name to parent directory listing
+	dir_entries[mCurDir].dir_listing.file_list.push_back(name);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/CiaFsSnapshotGenerator.cpp b/ctrtool/deps/libnintendo-n3ds/src/CiaFsSnapshotGenerator.cpp
new file mode 100644
index 00000000..c6b548f0
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/CiaFsSnapshotGenerator.cpp
@@ -0,0 +1,241 @@
+#include <ntd/n3ds/CiaFsSnapshotGenerator.h>
+#include <tc/io/SubStream.h>
+#include <tc/crypto/Sha256Generator.h>
+
+#include <ntd/n3ds/cia.h>
+#include <brd/es/es_tmd.h>
+
+#include <iostream>
+#include <iomanip>
+#include <sstream>
+#include <tc/cli/FormatUtil.h>
+
+
+ntd::n3ds::CiaFsSnapshotGenerator::CiaFsSnapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream) :
+	FileSystemSnapshot()
+{
+	mBaseStream = stream;
+
+	// validate stream properties
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException("ntd::n3ds::CiaFsSnapshotGenerator", "Failed to open input stream.");
+	}
+	if (mBaseStream->canRead() == false || mBaseStream->canSeek() == false)
+	{
+		throw tc::NotSupportedException("ntd::n3ds::CiaFsSnapshotGenerator", "Input stream requires read/seek permissions.");
+	}
+
+	// validate and read CIA header
+	ntd::n3ds::CiaHeader hdr;
+	if (mBaseStream->length() < sizeof(ntd::n3ds::CiaHeader))
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "Input stream is too small.");
+	}
+	mBaseStream->seek(0, tc::io::SeekOrigin::Begin);
+	mBaseStream->read((byte_t*)(&hdr), sizeof(ntd::n3ds::CiaHeader));
+
+	if (hdr.header_size.unwrap() != sizeof(ntd::n3ds::CiaHeader))
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "CIA header had unexpected size.");
+	}
+	if (hdr.format_version.unwrap() != ntd::n3ds::CiaHeader::FormatVersion_Default)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "CIA header had unexpected format version.");
+	}
+	if (hdr.type.unwrap() != ntd::n3ds::CiaHeader::Type_Normal)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "CIA header had unexpected type.");
+	}
+
+	// parse header sections
+
+	enum CiaSectionIndex
+	{
+		Header,
+		Certificate,
+		Tik,
+		Tmd,
+		Content,
+		Footer
+	};
+
+	struct CiaSectionInformation
+	{
+		int64_t offset;
+		int64_t size;
+	};
+	
+	std::array<CiaSectionInformation, 6> section;
+
+	section[Header].size = hdr.header_size.unwrap();
+	section[Header].offset = 0;
+	section[Certificate].size = hdr.certificate_size.unwrap();
+	section[Certificate].offset = align<int64_t>(section[Header].offset + section[Header].size, CiaHeader::kCiaSectionAlignment);
+	section[Tik].size = hdr.ticket_size.unwrap();
+	section[Tik].offset = align<int64_t>(section[Certificate].offset + section[Certificate].size, CiaHeader::kCiaSectionAlignment);
+	section[Tmd].size = hdr.tmd_size.unwrap();
+	section[Tmd].offset = align<int64_t>(section[Tik].offset + section[Tik].size, CiaHeader::kCiaSectionAlignment);
+	if (uint64_t(std::numeric_limits<int64_t>::max()) < hdr.content_size.unwrap())
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "CIA header had too large content section.");
+	}
+	section[Content].size = hdr.content_size.unwrap();
+	section[Content].offset = align<int64_t>(section[Tmd].offset + section[Tmd].size, CiaHeader::kCiaSectionAlignment);
+	section[Footer].size = hdr.footer_size.unwrap();
+	section[Footer].offset = align<int64_t>(section[Content].offset + section[Content].size, CiaHeader::kCiaSectionAlignment);
+
+	int64_t total_size = section[Footer].offset + section[Footer].size;
+	if (stream->length() < total_size)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "Input stream is too small, given calculated CIA section geometry.");
+	}
+
+	// Add root directory
+	dir_entries.push_back(DirEntry());
+	mCurDir = dir_entries.size() - 1;
+	dir_entries[mCurDir].dir_listing.abs_path = tc::io::Path("/");
+	dir_entry_path_map[tc::io::Path("/")] = mCurDir;
+
+	// populate virtual filesystem
+	if (section[Certificate].size != 0)
+	{
+		addFile("cert", section[Certificate].offset, section[Certificate].size);
+	}
+	if (section[Tik].size != 0)
+	{
+		addFile("tik", section[Tik].offset, section[Tik].size);
+	}
+	if (section[Tmd].size != 0)
+	{
+		addFile("tmd", section[Tmd].offset, section[Tmd].size);
+	}
+	if (section[Footer].size != 0)
+	{
+		addFile("footer", section[Footer].offset, section[Footer].size);	
+	}
+	if (section[Content].size != 0)
+	{
+		// if TMD exists, add the (included) <cid>.app files to the file system
+		if (section[Tmd].size != 0)
+		{
+			// test size before reading
+			if (section[Tmd].size < (sizeof(brd::es::ESV1TitleMeta) + sizeof(brd::es::ESV1ContentMeta)))
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD was too small.");
+			}
+
+			// import TMD v1 data
+			if (tc::is_int64_t_too_large_for_size_t(section[Tmd].size))
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD was too large to read into memory.");
+			}
+			tc::ByteData tmd_data = tc::ByteData(static_cast<size_t>(section[Tmd].size));
+			mBaseStream->seek(section[Tmd].offset, tc::io::SeekOrigin::Begin);
+			if (mBaseStream->read(tmd_data.data(), tmd_data.size()) < tmd_data.size())
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD had unexpected size after reading.");
+			}
+
+
+			// get pointer
+			brd::es::ESV1TitleMeta* tmd = (brd::es::ESV1TitleMeta*)tmd_data.data();
+			if (tmd->sig.sigType.unwrap() != brd::es::ESSigType::RSA2048_SHA256)
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD had unexpected signature type.");
+			}
+			if (tmd->head.version != 1)
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD had unexpected format version.");
+			}
+
+			// hash for staged validiation
+			std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+
+			// TODO validate signature
+			/*
+			tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->sig.issuer, (size_t)((byte_t*)&tmd->v1Head.cmdGroups - (byte_t*)&tmd->sig.issuer));
+			if (tc::crypto::VerifyRsa2048Pkcs1Sha256(tmd->sig.sig.data(), hash.data(), <rsa key here>))
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsMetaGenerator", "TMD had invalid signature.");
+			}
+			*/
+
+			tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->v1Head.cmdGroups, sizeof(tmd->v1Head.cmdGroups));
+			if (memcmp(hash.data(), tmd->v1Head.hash.data(), hash.size()) != 0)
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD had invalid CMD group hash.");
+			}
+
+			/*
+			std::cout << "[Tmd]" << std::endl;
+			std::cout << "  > Issuer:            " << tmd->sig.issuer.data() << std::endl;
+			std::cout << "  > Version:           " << (int)tmd->head.version << std::endl;
+			std::cout << "  > CACrl Version:     " << (int)tmd->head.caCrlVersion << std::endl;
+			std::cout << "  > SignerCrl Version: " << (int)tmd->head.signerCrlVersion << std::endl;
+			std::cout << "  > TitleId:           " << std::hex << std::setfill('0') << std::setw(16) << tmd->head.titleId.unwrap() << std::endl;
+			*/
+
+			size_t cmd_table_num = tmd->v1Head.cmdGroups[0].nCmds.unwrap();
+			if (tmd_data.size() != (sizeof(brd::es::ESV1TitleMeta) + (cmd_table_num * sizeof(brd::es::ESV1ContentMeta))))
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD had unexpected size");
+			}
+
+			tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->contents, cmd_table_num * sizeof(brd::es::ESV1ContentMeta));
+			if (memcmp(hash.data(), tmd->v1Head.cmdGroups[0].groupHash.data(), hash.size()) != 0)
+			{
+				throw tc::ArgumentOutOfRangeException("ntd::n3ds::CiaFsSnapshotGenerator", "TMD had invalid CMD group[0] hash.");
+			}
+	
+			// TODO SHA2 cmd_table before processing
+			int64_t content_offset = 0;
+			for (size_t i = 0; i < cmd_table_num; i++)
+			{
+				/*
+				std::cout << "Found content ";
+				std::cout << "cid(" << std::hex << std::setfill('0') << std::setw(8) << tmd->contents[i].cid.unwrap() << "), ";
+				std::cout << "index(" << std::hex << std::setfill('0') << std::setw(4) << tmd->contents[i].index.unwrap() << "), ";
+				std::cout << "type(" << std::hex << std::setfill('0') << std::setw(4) << tmd->contents[i].type.unwrap() << "), ";
+				std::cout << "size(" << std::hex << std::setfill('0') << std::setw(16) << tmd->contents[i].size.unwrap() << "), ";
+				std::cout << "" << std::endl;
+				*/
+				if (hdr.content_bitarray.test(tmd->contents[i].index.unwrap()))				
+				{
+					std::stringstream ss;
+					ss << std::hex << std::setfill('0') << std::setw(8) << tmd->contents[i].cid.unwrap() << ".app";
+
+					int64_t content_size = align<int64_t>(tmd->contents[i].size.unwrap(), CiaHeader::kCiaContentAlignment);
+
+					addFile(ss.str(), section[Content].offset + content_offset, content_size);
+					
+					content_offset += content_size;
+				}
+			}
+		}
+		// otherwise include the content blob as one file (00000000.app)
+		else
+		{
+			addFile("00000000.app", section[Content].offset, section[Content].size);
+		}
+	}
+}
+
+void ntd::n3ds::CiaFsSnapshotGenerator::addFile(const std::string& name, int64_t offset, int64_t size)
+{
+	FileEntry tmp;
+
+	tmp.stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(mBaseStream, offset, size));
+
+	// create file path
+	tc::io::Path file_path = dir_entries[mCurDir].dir_listing.abs_path + std::string(name);
+
+	// add file entry to list
+	file_entries.push_back(std::move(tmp));
+
+	// add file entry to map
+	file_entry_path_map[file_path] = file_entries.size()-1;
+
+	// add name to parent directory listing
+	dir_entries[mCurDir].dir_listing.file_list.push_back(name);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/CtrKeyGenerator.cpp b/ctrtool/deps/libnintendo-n3ds/src/CtrKeyGenerator.cpp
new file mode 100644
index 00000000..a825b8c9
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/CtrKeyGenerator.cpp
@@ -0,0 +1,99 @@
+#include <ntd/n3ds/CtrKeyGenerator.h>
+
+void ntd::n3ds::CtrKeyGenerator::GenerateKey(const uint8_t *x, const uint8_t *y, uint8_t *key)
+{
+	static const uint8_t KEYGEN_CONST[16] = { 0x1F, 0xF9, 0xE9, 0xAA, 0xC5, 0xFE, 0x04, 0x08, 0x02, 0x45, 0x91, 0xDC, 0x5D, 0x52, 0x76, 0x8A };
+
+	// overall algo:
+	// key = (((x <<< 2) ^ y) + KEYGEN_CONST) >>> 41
+	uint8_t x_rot[16], key_xy[16], key_xyc[16];
+
+	// x_rot = x <<< 2
+	n128_lrot(x, 2, x_rot);
+
+	// key_xy = x_rot ^ y
+	n128_xor(x_rot, y, key_xy);
+
+	// key_xyc = key_xy + KEYGEN_CONST
+	n128_add(key_xy, KEYGEN_CONST, key_xyc);
+
+	n128_rrot(key_xyc, 41, key);
+}
+
+// 128bit wrap-around math
+int32_t ntd::n3ds::CtrKeyGenerator::wrap_index(int32_t i)
+{
+	return i < 0 ? ((i % 16) + 16) % 16 : (i > 15 ? i % 16 : i);
+}
+
+void ntd::n3ds::CtrKeyGenerator::n128_rrot(const uint8_t *in, uint32_t rot, uint8_t *out)
+{
+	uint32_t bit_shift, byte_shift;
+
+	rot = rot % 128;
+	byte_shift = rot / 8;
+	bit_shift = rot % 8;
+
+	for (int32_t i = 0; i < 16; i++) {
+		out[i] = (in[wrap_index(i - byte_shift)] >> bit_shift) | (in[wrap_index(i - byte_shift - 1)] << (8 - bit_shift));
+	}
+
+}
+
+void ntd::n3ds::CtrKeyGenerator::n128_lrot(const uint8_t *in, uint32_t rot, uint8_t *out)
+{
+	uint32_t bit_shift, byte_shift;
+
+	rot = rot % 128;
+	byte_shift = rot / 8;
+	bit_shift = rot % 8;
+
+	for (int32_t i = 0; i < 16; i++) {
+		out[i] = (in[wrap_index(i + byte_shift)] << bit_shift) | (in[wrap_index(i + byte_shift + 1)] >> (8 - bit_shift));
+	}
+}
+
+/* out = a + b
+*/
+void ntd::n3ds::CtrKeyGenerator::n128_add(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	uint8_t carry = 0;
+	uint32_t sum = 0;
+
+	for (int i = 15; i >= 0; i--) {
+		sum = a[i] + b[i] + carry;
+		carry = sum >> 8;
+		out[i] = sum & 0xff;
+	}
+}
+
+/* out = a - b
+*/
+void ntd::n3ds::CtrKeyGenerator::n128_sub(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	uint8_t carry = 0;
+	uint32_t sum = 0;
+
+	for (int i = 15; i >= 0; i--) {
+		sum = a[i] - (b[i] + carry);
+
+		// check to see if anything was borrowed from next byte
+		if (a[i] < (b[i] + carry)) {
+			sum += 0x100;
+			carry = 1;
+		}
+		else {
+			carry = 0;
+		}
+
+		// set value
+		out[i] = sum & 0xff;
+	}
+}
+
+void ntd::n3ds::CtrKeyGenerator::n128_xor(const uint8_t *a, const uint8_t *b, uint8_t *out)
+{
+	for (int i = 0; i < 16; i++) {
+		out[i] = a[i] ^ b[i];
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp b/ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp
new file mode 100644
index 00000000..424e5a6d
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp
@@ -0,0 +1,122 @@
+#include <ntd/n3ds/ExeFsSnapshotGenerator.h>
+#include <tc/io/SubStream.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/CryptoException.h>
+#include <tc/io/MemoryStream.h>
+
+#include <ntd/n3ds/exefs.h>
+
+#include <iostream>
+#include <iomanip>
+#include <sstream>
+#include <tc/cli/FormatUtil.h>
+
+ntd::n3ds::ExeFsSnapshotGenerator::ExeFsSnapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream, bool verify_hashes) :
+	FileSystemSnapshot()
+{
+	// validate stream properties
+	if (stream == nullptr)
+	{
+		throw tc::ObjectDisposedException("ntd::n3ds::ExeFsSnapshotGenerator", "Failed to open input stream.");
+	}
+	if (stream->canRead() == false || stream->canSeek() == false)
+	{
+		throw tc::NotSupportedException("ntd::n3ds::ExeFsSnapshotGenerator", "Input stream requires read/seek permissions.");
+	}
+
+	// validate and read EXEFS header
+	ntd::n3ds::ExeFsHeader hdr;
+	if (stream->length() < sizeof(ntd::n3ds::ExeFsHeader))
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::ExeFsSnapshotGenerator", "Input stream is too small.");
+	}
+	stream->seek(0, tc::io::SeekOrigin::Begin);
+	stream->read((byte_t*)(&hdr), sizeof(ntd::n3ds::ExeFsHeader));
+
+	if (hdr.file_table[0].name[0] == 0 || hdr.file_table[0].offset.unwrap() != 0 || hdr.hash_table[ntd::n3ds::ExeFsHeader::kFileNum - 1][0] == 0)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::ExeFsSnapshotGenerator", "ExeFsHeader is corrupted (Bad first entry).");
+	}
+
+	// parse header sections
+	struct SectionInformation
+	{
+		std::string name;
+		uint32_t offset;
+		uint32_t size;
+		std::array<byte_t, 32> hash;
+	};
+	
+	std::vector<SectionInformation> section;
+
+	int64_t pos = 0;
+	for (size_t i = 0; i < ntd::n3ds::ExeFsHeader::kFileNum; i++)
+	{
+		// skip empty entry
+		if (hdr.file_table[i].name.size() == 0 || hdr.file_table[i].size.unwrap() == 0) { continue; }
+
+		if (hdr.file_table[i].offset.unwrap() != pos)
+		{
+			throw tc::ArgumentOutOfRangeException("ntd::n3ds::ExeFsSnapshotGenerator", "ExeFs section had unexpected offset.");
+		}
+
+		SectionInformation tmp;
+		tmp.name = hdr.file_table[i].name.decode();
+		tmp.offset = hdr.file_table[i].offset.unwrap();
+		tmp.size = hdr.file_table[i].size.unwrap();
+		tmp.hash = hdr.hash_table[ntd::n3ds::ExeFsHeader::kFileNum - 1 - i];
+
+		pos = align<int64_t>((static_cast<int64_t>(tmp.offset) + static_cast<int64_t>(tmp.size)), ntd::n3ds::ExeFsHeader::kExeFsSectionAlignSize);
+
+		section.push_back(std::move(tmp));
+	}
+
+	// Add root directory
+	dir_entries.push_back(DirEntry());
+	auto cur_dir = &dir_entries.front();
+	cur_dir->dir_listing.abs_path = tc::io::Path("/");
+	dir_entry_path_map[tc::io::Path("/")] = dir_entries.size()-1;
+
+	// populate virtual filesystem
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash_tmp;
+	for (size_t i = 0; i < section.size(); i++)
+	{
+		if (section[i].size != 0)
+		{			
+			FileEntry tmp;
+			
+			// if we verify the hashes, we import and validate file, after validation creating a memorystream
+			if (verify_hashes)
+			{	
+				auto tmp_data = tc::ByteData(section[i].size);
+				stream->seek(section[i].offset + sizeof(ntd::n3ds::ExeFsHeader), tc::io::SeekOrigin::Begin);
+				stream->read(tmp_data.data(), tmp_data.size());
+
+				tc::crypto::GenerateSha256Hash(hash_tmp.data(), tmp_data.data(), tmp_data.size());
+				if (memcmp(hash_tmp.data(), section[i].hash.data(), hash_tmp.size()) != 0)
+				{
+					throw tc::crypto::CryptoException("ntd::n3ds::ExeFsSnapshotGenerator", "File failed hash check.");
+				}
+
+				tmp.stream = std::make_shared<tc::io::MemoryStream>(tc::io::MemoryStream(std::move(tmp_data)));				
+			}
+			// otherwise we just create a substream
+			else
+			{
+				tmp.stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(stream, static_cast<int64_t>(section[i].offset) + static_cast<int64_t>(sizeof(ntd::n3ds::ExeFsHeader)), static_cast<int64_t>(section[i].size)));
+			}
+
+			// create file path
+			tc::io::Path file_path = cur_dir->dir_listing.abs_path + section[i].name;
+
+			// add file entry to list
+			file_entries.push_back(std::move(tmp));
+
+			// add file entry to map
+			file_entry_path_map[file_path] = file_entries.size()-1;
+
+			// add name to parent directory listing
+			cur_dir->dir_listing.file_list.push_back(section[i].name);
+		}
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/IvfcStream.cpp b/ctrtool/deps/libnintendo-n3ds/src/IvfcStream.cpp
new file mode 100644
index 00000000..210099a9
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/IvfcStream.cpp
@@ -0,0 +1,467 @@
+#include <ntd/n3ds/IvfcStream.h>
+#include <tc/io/SubStream.h>
+#include <tc/io/IOUtil.h>
+#include <tc/io/StreamUtil.h>
+
+#include <ntd/n3ds/ivfc.h>
+
+#include <iostream>
+#include <iomanip>
+#include <sstream>
+#include <tc/cli/FormatUtil.h>
+
+ntd::n3ds::IvfcStream::IvfcStream() :
+	mModuleLabel("ntd::n3ds::IvfcStream"),
+	mBaseStream(),
+	mDataStreamBlockSize(0),
+	mDataStreamLogicalLength(0),
+	mDataStream(),
+	mHashCache()
+{
+}
+
+ntd::n3ds::IvfcStream::IvfcStream(const std::shared_ptr<tc::io::IStream>& stream) :
+	IvfcStream()
+{
+	mBaseStream = stream;
+
+	// validate stream properties
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException("ntd::n3ds::IvfcStream", "stream is null.");
+	}
+	if (mBaseStream->canRead() == false)
+	{
+		throw tc::InvalidOperationException("ntd::n3ds::IvfcStream", "stream does not support reading.");
+	}
+	if (mBaseStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException("ntd::n3ds::IvfcStream", "stream does not support seeking.");
+	}
+
+	// validate and read IVFC header
+	if (mBaseStream->length() < sizeof(ntd::n3ds::IvfcCtrRomfsHeader))
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::IvfcStream", "stream is too small.");
+	}
+	ntd::n3ds::IvfcCtrRomfsHeader hdr;
+	mBaseStream->seek(0, tc::io::SeekOrigin::Begin);
+	mBaseStream->read((byte_t*)&hdr, sizeof(ntd::n3ds::IvfcCtrRomfsHeader));
+
+	if (hdr.head.struct_magic.unwrap() != ntd::n3ds::IvfcHeader::kStructMagic)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::IvfcStream", "IVFC header had invalid struct magic.");
+	}
+	if (hdr.head.type_id.unwrap() != ntd::n3ds::IvfcHeader::TypeId_A)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::IvfcStream", "IVFC header had unexpected type id.");
+	}
+
+	enum LevelIndex
+	{
+		MasterHash,
+		HashLevel0,
+		HashLevel1,
+		DataLevel2
+	};
+
+	// parse level layout
+	struct LevelInfo
+	{
+		int64_t offset;
+		int64_t size;
+		size_t block_size;
+		size_t block_num;
+	};
+	
+	std::array<LevelInfo, 4> section;
+
+	for (size_t i = 0; i < section.size(); i++)
+	{
+		if (i == MasterHash)
+		{
+			section[i].offset = int64_t(align<size_t>(sizeof(ntd::n3ds::IvfcCtrRomfsHeader), ntd::n3ds::IvfcCtrRomfsHeader::kHeaderAlign));
+			section[i].size = int64_t(hdr.master_hash_size.unwrap());
+			section[i].block_size = 0;
+			section[i].block_num = 0;
+		}
+		else
+		{
+			if (tc::is_uint64_t_too_large_for_int64_t(hdr.level[i-1].offset.unwrap()))
+			{
+				throw tc::OutOfMemoryException("ntd::n3ds::IvfcStream", "IVFC layer offset too large.");
+			}
+			if (tc::is_uint64_t_too_large_for_int64_t(hdr.level[i-1].size.unwrap()))
+			{
+				throw tc::OutOfMemoryException("ntd::n3ds::IvfcStream", "IVFC layer size too large.");
+			}
+			section[i].offset = int64_t(hdr.level[i-1].offset.unwrap());
+			section[i].size = int64_t(hdr.level[i-1].size.unwrap());
+			section[i].block_size = size_t(size_t(1) << size_t(hdr.level[i-1].block_size_log2.unwrap()));
+			section[i].block_num = size_t(section[i].size / int64_t(section[i].block_size)) + (size_t(section[i].size % int64_t(section[i].block_size)) ? 1 : 0);
+		
+			/*
+			std::cout << "i: " << std::dec << i << std::endl;
+			std::cout << "size :           " << std::dec << section[i].size << std::endl;
+			std::cout << "block_size_log2: " << std::dec << hdr.level[i-1].block_size_log2.unwrap() << std::endl;
+			std::cout << "block_size     : " << std::dec << section[i].block_size << std::endl;
+			std::cout << "block_num      : " << std::dec << section[i].block_num << std::endl;
+			*/
+		}
+	}
+
+	// set actual offsets
+	section[DataLevel2].offset = align<int64_t>(section[MasterHash].offset + section[MasterHash].size, section[DataLevel2].block_size);
+	section[HashLevel0].offset = align<int64_t>(section[DataLevel2].offset + section[DataLevel2].size, section[HashLevel0].block_size);
+	section[HashLevel1].offset = align<int64_t>(section[HashLevel0].offset + section[HashLevel0].size, section[HashLevel1].block_size);
+
+	// verify that the hash tables can be read into memory
+	if (tc::is_int64_t_too_large_for_size_t(section[MasterHash].size))
+	{
+		throw tc::OutOfMemoryException("ntd::n3ds::IvfcStream", "IVFC master hash table too large.");
+	}
+	if (tc::is_int64_t_too_large_for_size_t(section[HashLevel0].size))
+	{
+		throw tc::OutOfMemoryException("ntd::n3ds::IvfcStream", "IVFC level0 hash table too large.");
+	}
+	if (tc::is_int64_t_too_large_for_size_t(section[HashLevel1].size))
+	{
+		throw tc::OutOfMemoryException("ntd::n3ds::IvfcStream", "IVFC level1 hash table too large.");
+	}
+
+	// validate hash tree
+	if ((section[DataLevel2].block_num * tc::crypto::Sha256Generator::kHashSize) != section[HashLevel1].size)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::IvfcStream", "IVFC level1 hash table had unexpected size.");
+	}
+	if ((section[HashLevel1].block_num * tc::crypto::Sha256Generator::kHashSize) != section[HashLevel0].size)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::IvfcStream", "IVFC level0 hash table had unexpected size.");
+	}
+	if ((section[HashLevel0].block_num * tc::crypto::Sha256Generator::kHashSize) != section[MasterHash].size)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::IvfcStream", "IVFC master hash table had unexpected size.");
+	}
+
+	auto master_hash_data = tc::ByteData(static_cast<size_t>(section[MasterHash].size));
+	auto hash_level0_data = tc::ByteData(align<size_t>(static_cast<size_t>(section[HashLevel0].size), section[HashLevel0].block_size));
+	auto hash_level1_data = tc::ByteData(align<size_t>(static_cast<size_t>(section[HashLevel1].size), section[HashLevel1].block_size));
+
+	mBaseStream->seek(section[MasterHash].offset, tc::io::SeekOrigin::Begin);
+	mBaseStream->read(master_hash_data.data(), master_hash_data.size());
+
+	mBaseStream->seek(section[HashLevel0].offset, tc::io::SeekOrigin::Begin);
+	mBaseStream->read(hash_level0_data.data(), hash_level0_data.size());
+
+	mBaseStream->seek(section[HashLevel1].offset, tc::io::SeekOrigin::Begin);
+	mBaseStream->read(hash_level1_data.data(), hash_level1_data.size());
+
+	/*
+	std::cout << "Master Hash:" << std::endl;
+	std::cout << tc::cli::FormatUtil::formatBytesAsHxdHexString(master_hash_data);
+
+	std::cout << "Level 0:" << std::endl;
+	std::cout << tc::cli::FormatUtil::formatBytesAsHxdHexString(hash_level0_data);
+
+	std::cout << "Level 1:" << std::endl;
+	std::cout << tc::cli::FormatUtil::formatBytesAsHxdHexString(hash_level1_data);
+	*/
+	
+
+	// validate level0
+	if (validateLayerBlocksWithHashLayer(hash_level0_data.data(), section[HashLevel0].block_size, section[HashLevel0].block_num, master_hash_data.data()) == false)
+	{
+		throw tc::crypto::CryptoException("ntd::n3ds::IvfcStream", "Hash layer0 failed hash validation.");
+	}
+
+	// validate level1
+	if (validateLayerBlocksWithHashLayer(hash_level1_data.data(), section[HashLevel1].block_size, section[HashLevel1].block_num, hash_level0_data.data()) == false)
+	{
+		throw tc::crypto::CryptoException("ntd::n3ds::IvfcStream", "Hash layer0 failed hash validation.");
+	}
+
+	// save hash level1 data for data layer
+	mHashCache = hash_level1_data;
+
+	// create data layer
+	mDataStreamBlockSize = section[DataLevel2].block_size;
+	mDataStreamLogicalLength = section[DataLevel2].size;
+	mDataStream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mBaseStream, section[DataLevel2].offset, tc::io::IOUtil::castSizeToInt64(section[DataLevel2].block_num) * tc::io::IOUtil::castSizeToInt64(section[DataLevel2].block_size)));
+}
+
+bool ntd::n3ds::IvfcStream::canRead() const
+{
+	return mDataStream == nullptr ? false : mDataStream->canRead();
+}
+
+bool ntd::n3ds::IvfcStream::canWrite() const
+{
+	return false; // always false this is a read-only stream
+}
+bool ntd::n3ds::IvfcStream::canSeek() const
+{
+	return mDataStream == nullptr ? false : mDataStream->canSeek();
+}
+
+int64_t ntd::n3ds::IvfcStream::length()
+{
+	return mDataStream == nullptr ? 0 : mDataStreamLogicalLength;
+}
+
+int64_t ntd::n3ds::IvfcStream::position()
+{
+	return mDataStream == nullptr ? 0 : mDataStream->position();
+}
+
+size_t ntd::n3ds::IvfcStream::read(byte_t* ptr, size_t count)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(mModuleLabel+"::read()", "Failed to read from stream (stream is disposed)");
+	}
+	
+	// track read_count
+	size_t data_read_count = 0;
+
+	// get predicted read count
+	count = tc::io::IOUtil::getReadableCount(this->length(), this->position(), count);
+	
+	// if count is 0 just return
+	if (count == 0) return data_read_count;
+
+	// determine begin & end offsets
+	int64_t begin_read_offset = this->position();
+	int64_t end_read_offset   = begin_read_offset + tc::io::IOUtil::castSizeToInt64(count);
+	int64_t begin_aligned_offset = begin_read_offset - offsetInBlock(begin_read_offset);
+	int64_t end_aligned_offset   = end_read_offset - offsetInBlock(end_read_offset) + (offsetInBlock(end_read_offset) ? mDataStreamBlockSize : 0x0);
+	size_t block_num = offsetToBlock(end_aligned_offset - begin_aligned_offset);
+
+	bool read_partial_begin_block     = false;
+	size_t partial_begin_block        = offsetToBlock(begin_read_offset);
+	size_t partial_begin_block_offset = 0;
+	size_t partial_begin_block_size   = mDataStreamBlockSize;
+
+	bool read_partial_end_block     = false;
+	size_t partial_end_block        = offsetToBlock(end_read_offset);
+	size_t partial_end_block_offset = 0;
+	size_t partial_end_block_size   = mDataStreamBlockSize;
+
+	if (offsetInBlock(begin_read_offset) != 0)
+	{
+		read_partial_begin_block   = true;
+		partial_begin_block_offset += offsetInBlock(begin_read_offset);
+		partial_begin_block_size   -= partial_begin_block_offset;
+	}
+	if (offsetInBlock(end_read_offset) != 0)
+	{
+		if (partial_begin_block == partial_end_block)
+		{
+			read_partial_begin_block = true;
+			partial_begin_block_size -= (mDataStreamBlockSize - offsetInBlock(end_read_offset));
+		}
+		else
+		{
+			read_partial_end_block = true;
+			partial_end_block_size = offsetInBlock(end_read_offset);
+		}
+	}
+
+	size_t continuous_block_num   = block_num - (size_t)read_partial_begin_block - (size_t)read_partial_end_block;
+	size_t continuous_begin_block = (continuous_block_num == 0) ? 0 : (offsetToBlock(begin_aligned_offset) + (size_t)read_partial_begin_block);
+
+	/*
+	std::cout << "##############################################" << std::endl;
+	std::cout << "count:                  0x" << std::hex << count << std::endl;
+	std::cout << "begin_read_offset:      0x" << std::hex << begin_read_offset << std::endl;
+	std::cout << "end_read_offset:        0x" << std::hex << end_read_offset << std::endl;
+	std::cout << "begin_aligned_offset:   0x" << std::hex << begin_aligned_offset << std::endl;
+	std::cout << "end_aligned_offset:     0x" << std::hex << end_aligned_offset << std::endl;
+	std::cout << "block_num:              0x" << std::hex << block_num << std::endl;
+	
+	std::cout << "partial_begin:" << std::endl;
+	std::cout << "  read_block:           " << std::boolalpha << read_partial_begin_block << std::endl;
+	std::cout << "  block:                0x" << std::hex << partial_begin_block << std::endl;
+	std::cout << "  offset:               0x" << std::hex << partial_begin_block_offset << std::endl;
+	std::cout << "  size:                 0x" << std::hex << partial_begin_block_size << std::endl;
+
+	std::cout << "partial_end:" << std::endl;
+	std::cout << "  read_block:           " << std::boolalpha << read_partial_end_block << std::endl;
+	std::cout << "  block:                0x" << std::hex << partial_end_block << std::endl;
+	std::cout << "  offset:               0x" << std::hex << partial_end_block_offset << std::endl;
+	std::cout << "  size:                 0x" << std::hex << partial_end_block_size << std::endl;
+
+	std::cout << "continuous:" << std::endl;
+	std::cout << "  block:                0x" << std::hex << continuous_begin_block << std::endl;
+	std::cout << "  block_num:            0x" << std::hex << continuous_block_num << std::endl;
+	*/
+
+	if (block_num == 0)
+	{
+		tc::InvalidOperationException("ntd::n3ds::IvfcStream", "Invalid block number (0 blocks, would have returned before now if count==0)");
+	}
+
+	if (block_num < continuous_block_num)
+	{
+		tc::InvalidOperationException("ntd::n3ds::IvfcStream", "Invalid block number (underflow error)");
+	}
+
+	// allocate memory for partial block
+	tc::ByteData partial_block = tc::ByteData(mDataStreamBlockSize);
+
+	// read un-aligned begin block
+	if (read_partial_begin_block)
+	{	
+		// read block
+		this->seek(blockToOffset(partial_begin_block), tc::io::SeekOrigin::Begin);
+		mDataStream->read(partial_block.data(), partial_block.size());
+		
+		// verify block
+		if (validateLayerBlocksWithHashLayer(partial_block.data(), mDataStreamBlockSize, 1, getBlockHash(partial_begin_block)) == false)
+		{
+			throw tc::crypto::CryptoException("ntd::n3ds::IvfcStream", "Data layer block(s) failed hash validation.");
+		}
+
+		// copy out block carving
+		memcpy(ptr + data_read_count, partial_block.data() + partial_begin_block_offset, partial_begin_block_size);
+
+		// increment data read count
+		data_read_count += partial_begin_block_size;
+	}
+
+	// read continous blocks
+	if (continuous_block_num > 0)
+	{
+		// read blocks
+		this->seek(blockToOffset(continuous_begin_block), tc::io::SeekOrigin::Begin);
+		mDataStream->read(ptr + data_read_count, continuous_block_num * mDataStreamBlockSize);
+		
+		// verify blocks
+		if (validateLayerBlocksWithHashLayer(ptr + data_read_count, mDataStreamBlockSize, continuous_block_num, getBlockHash(continuous_begin_block)) == false)
+		{
+			throw tc::crypto::CryptoException("ntd::n3ds::IvfcStream", "Data layer block(s) failed hash validation.");
+		}
+
+		// increment data read count
+		data_read_count += continuous_block_num * mDataStreamBlockSize;
+	}
+	
+	// read un-aligned end block
+	if (read_partial_end_block)
+	{
+		// read block
+		this->seek(blockToOffset(partial_end_block), tc::io::SeekOrigin::Begin);
+		mDataStream->read(partial_block.data(), partial_block.size());
+		
+		// verify block
+		if (validateLayerBlocksWithHashLayer(partial_block.data(), mDataStreamBlockSize, 1, getBlockHash(partial_end_block)) == false)
+		{
+			throw tc::crypto::CryptoException("ntd::n3ds::IvfcStream", "Data layer block(s) failed hash validation.");
+		}
+
+		// copy out block carving
+		memcpy(ptr + data_read_count, partial_block.data() + partial_end_block_offset, partial_end_block_size);
+
+		// increment
+		data_read_count += partial_end_block_size;
+	}
+
+	// restore expected logical position
+	this->seek(begin_read_offset + tc::io::IOUtil::castSizeToInt64(data_read_count), tc::io::SeekOrigin::Begin);
+
+	// return data read count
+	return data_read_count;
+}
+
+size_t ntd::n3ds::IvfcStream::write(const byte_t* ptr, size_t count)
+{
+	throw tc::NotImplementedException(mModuleLabel+"::write()", "write is not supported for IvfcStream");
+}
+
+int64_t ntd::n3ds::IvfcStream::seek(int64_t offset, tc::io::SeekOrigin origin)
+{
+	if (mDataStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(mModuleLabel+"::seek()", "Failed to set stream position (stream is disposed)");
+	}
+	
+	return mDataStream->seek(offset, origin);
+}
+
+void ntd::n3ds::IvfcStream::setLength(int64_t length)
+{
+	if (mDataStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(mModuleLabel+"::setLength()", "Failed to set stream length (stream is disposed)");
+	}
+
+	throw tc::NotSupportedException(mModuleLabel+"::setLength()", "setLength is not supported for IvfcStream");
+}
+
+void ntd::n3ds::IvfcStream::flush()
+{
+	if (mDataStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(mModuleLabel+"::seek()", "Failed to flush stream (stream is disposed)");
+	}
+
+	mDataStream->flush();
+	mBaseStream->flush();
+}
+
+void ntd::n3ds::IvfcStream::dispose()
+{
+	if (mDataStream.get() != nullptr)
+	{
+		// dispose data stream
+		mDataStream->dispose();
+
+		// release ptr
+		mDataStream.reset();
+	}
+
+	if (mBaseStream.get() != nullptr)
+	{
+		// dispose base stream
+		mBaseStream->dispose();
+
+		// release ptr
+		mBaseStream.reset();
+	}
+	
+	// clear hash cache
+	mHashCache = tc::ByteData();
+}
+
+bool ntd::n3ds::IvfcStream::validateLayerBlocksWithHashLayer(const byte_t* layer, size_t block_size, size_t block_num, const byte_t* hash_layer)
+{
+	size_t bad_block = block_num;
+	for (size_t i = 0; i < block_num; i++)
+	{
+		const byte_t* blk_ptr = layer + (block_size * i);
+		size_t blk_size = block_size;
+
+		const byte_t* blk_hash_ptr = hash_layer + (mHashCalc.kHashSize * i);
+		//std::cout << tc::cli::FormatUtil::formatBytesAsHxdHexString(blk_hash_ptr, block_size);
+
+		mHashCalc.initialize();
+		mHashCalc.update(blk_ptr, blk_size);
+		mHashCalc.getHash(mHash.data());
+
+		//std::cout << "test hash: " << tc::cli::FormatUtil::formatBytesAsString(blk_hash_ptr, 32, true, ":") << std::endl;
+		//std::cout << "calc hash: " << tc::cli::FormatUtil::formatBytesAsString(mHash.data(), 32, true, ":") << std::endl;
+
+		// if good hash, reduce bad block count
+		if (memcmp(mHash.data(), blk_hash_ptr, mHashCalc.kHashSize) == 0)
+		{
+			bad_block -= 1;
+		}
+		else
+		{
+			//std::cout << "BadBlock:" << std::endl;
+			//std::cout << tc::cli::FormatUtil::formatBytesAsHxdHexString(blk_ptr, block_size);
+		}
+		
+	}
+
+	return bad_block == 0;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/RomFsSnapshotGenerator.cpp b/ctrtool/deps/libnintendo-n3ds/src/RomFsSnapshotGenerator.cpp
new file mode 100644
index 00000000..bb13cab8
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/RomFsSnapshotGenerator.cpp
@@ -0,0 +1,360 @@
+#include <ntd/n3ds/RomFsSnapshotGenerator.h>
+
+#include <iostream>
+#include <iomanip>
+#include <sstream>
+#include <tc/cli.h>
+#include <tc/io.h>
+#include <tc/string.h>
+
+ntd::n3ds::RomFsSnapshotGenerator::RomFsSnapshotGenerator(const std::shared_ptr<tc::io::IStream>& stream) :
+	FileSystemSnapshot(),
+	mBaseStream(stream),
+	mDataOffset(0),
+	mDirEntryTable(),
+	mDirParentVaddrMap(),
+	mFileEntryTable()
+{
+	//std::cout << "RomFsSnapshotGenerator begin" << std::endl;
+
+	// validate stream properties
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException("ntd::n3ds::RomFsSnapshotGenerator", "Failed to open input stream.");
+	}
+	if (mBaseStream->canRead() == false || mBaseStream->canSeek() == false)
+	{
+		throw tc::NotSupportedException("ntd::n3ds::RomFsSnapshotGenerator", "Input stream requires read/seek permissions.");
+	}
+
+	//std::cout << "pos() -> " << mBaseStream->position() << std::endl;
+
+	// validate and read ROMFS header
+	ntd::n3ds::RomFsHeader hdr;
+	if (mBaseStream->length() < sizeof(ntd::n3ds::RomFsHeader))
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::RomFsSnapshotGenerator", "Input stream is too small.");
+	}
+	mBaseStream->seek(0, tc::io::SeekOrigin::Begin);
+	mBaseStream->read((byte_t*)(&hdr), sizeof(ntd::n3ds::RomFsHeader));
+
+	/*
+	std::cout << "hdr.header_size             : " << hdr.header_size.unwrap() << std::endl;
+	std::cout << "sizeof(ntd::n3ds::RomFsHeader)  : " << sizeof(ntd::n3ds::RomFsHeader) << std::endl;
+	std::cout << "hdr.dir_hash_bucket.offset : " << hdr.dir_hash_bucket.offset.unwrap() << std::endl;
+	std::cout << "hdr.data_offset             : " << hdr.data_offset.unwrap() << std::endl;
+	std::cout << "expected data offset        : " << align<uint32_t>(hdr.file_entry.offset.unwrap() + hdr.file_entry.size.unwrap(), ntd::n3ds::RomFsHeader::kRomFsDataAlignSize) << std::endl;
+	*/
+
+
+	if (hdr.header_size.unwrap() != sizeof(ntd::n3ds::RomFsHeader) ||
+	    hdr.dir_hash_bucket.offset.unwrap() != sizeof(ntd::n3ds::RomFsHeader) ||
+	    hdr.data_offset.unwrap() != align<uint32_t>(hdr.file_entry.offset.unwrap() + hdr.file_entry.size.unwrap(), ntd::n3ds::RomFsHeader::kRomFsDataAlignSize))
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::RomFsSnapshotGenerator", "RomFsHeader is corrupted.");
+	}
+
+	// save data offset
+	mDataOffset = hdr.data_offset.unwrap();
+
+	// get dir entry ptr
+	mDirEntryTable = tc::ByteData(hdr.dir_entry.size.unwrap());
+	mBaseStream->seek(hdr.dir_entry.offset.unwrap(), tc::io::SeekOrigin::Begin);
+	mBaseStream->read(mDirEntryTable.data(), mDirEntryTable.size());
+	
+
+	// get file entry ptr
+	mFileEntryTable = tc::ByteData(hdr.file_entry.size.unwrap());
+	mBaseStream->seek(hdr.file_entry.offset.unwrap(), tc::io::SeekOrigin::Begin);
+	mBaseStream->read(mFileEntryTable.data(), mFileEntryTable.size());
+
+	//std::cout << "DirTable:" << std::endl;
+	//std::cout << tc::cli::FormatUtil::formatBytesAsHxdHexString(mDirEntryTable.data(), mDirEntryTable.size());
+
+	/*
+	for (uint32_t v_addr = 0; v_addr < mDirEntryTable.size();)
+	{
+		std::cout << "Dir:            0x" << std::hex << v_addr << std::endl;
+		std::cout << " > parent:       0x" << std::hex << getDirEntry(v_addr)->parent_offset.unwrap() << std::endl;
+		std::cout << " > sibling:      0x" << std::hex << getDirEntry(v_addr)->sibling_offset.unwrap() << std::endl;
+		std::cout << " > child_offset: 0x" << std::hex << getDirEntry(v_addr)->child_offset.unwrap() << std::endl;
+		std::cout << " > file_offset:  0x" << std::hex << getDirEntry(v_addr)->file_offset.unwrap() << std::endl;
+		std::cout << " > hash_sibling: 0x" << std::hex << getDirEntry(v_addr)->hash_sibling_offset.unwrap() << std::endl;
+		std::cout << " > name_size:    0x" << std::hex << getDirEntry(v_addr)->name_size.unwrap() << std::endl;
+
+		uint32_t total_size = sizeof(ntd::n3ds::RomFsDirectoryEntry) + align<uint32_t>(getDirEntry(v_addr)->name_size.unwrap(), 4);
+		std::cout << " > entry_size:   0x" << std::hex << total_size << std::endl;
+
+		if (getDirEntry(v_addr)->sibling_offset.unwrap() < v_addr)
+		{
+			std::cout << "DirEntry looks sus" << std::endl;
+			break;
+		}
+
+		v_addr += total_size;
+	}
+	*/
+
+	//std::cout << "FileTable:" << std::endl;
+	//std::cout << tc::cli::FormatUtil::formatBytesAsHxdHexString(mFileEntryTable.data(), mFileEntryTable.size());
+	/*
+	for (uint32_t v_addr = 0; v_addr < mFileEntryTable.size();)
+	{
+		std::cout << "File:            0x" << std::hex << v_addr << std::endl;
+		std::cout << " > parent:       0x" << std::hex << getFileEntry(v_addr)->parent_offset.unwrap() << std::endl;
+		std::cout << " > sibling:      0x" << std::hex << getFileEntry(v_addr)->sibling_offset.unwrap() << std::endl;
+		std::cout << " > data_offset:  0x" << std::hex << getFileEntry(v_addr)->data_offset.unwrap() << std::endl;
+		std::cout << " > data_size:    0x" << std::hex << getFileEntry(v_addr)->data_size.unwrap() << std::endl;
+		std::cout << " > hash_sibling: 0x" << std::hex << getFileEntry(v_addr)->hash_sibling_offset.unwrap() << std::endl;
+		std::cout << " > name_size:    0x" << std::hex << getFileEntry(v_addr)->name_size.unwrap() << std::endl;
+
+		uint32_t total_size = sizeof(ntd::n3ds::RomFsFileEntry) + align<uint32_t>(getFileEntry(v_addr)->name_size.unwrap(), 4);
+		std::cout << " > entry_size:   0x" << std::hex << total_size << std::endl;
+
+		if (getFileEntry(v_addr)->sibling_offset.unwrap() < v_addr)
+		{
+			std::cout << "FileEntry looks sus" << std::endl;
+			break;
+		}
+
+		v_addr += total_size;
+	}
+	*/
+
+	if (getDirEntry(0)->parent_offset.unwrap() != 0 ||
+	    getDirEntry(0)->sibling_offset.unwrap() != 0xffffffff ||
+	    getDirEntry(0)->name_size.unwrap() != 0)
+	{
+		throw tc::ArgumentOutOfRangeException("ntd::n3ds::RomFsSnapshotGenerator", "Root RomFsDirectoryEntry corrupted.");
+	}
+
+	// add/index directories
+	DirEntry dir_tmp;
+	for (uint32_t v_addr = 0; v_addr < mDirEntryTable.size();)
+	{
+		// create root entry
+		if (v_addr == 0)
+		{
+			// create dir path
+			tc::io::Path dir_path = tc::io::Path("/");
+			dir_tmp.dir_listing.abs_path = dir_path;
+
+			// add dir entry to list
+			dir_entries.push_back(dir_tmp);
+
+			// add dir entry to map
+			dir_entry_path_map[dir_path] = dir_entries.size() - 1;
+			mDirParentVaddrMap[v_addr] = dir_entries.size() - 1;
+		}
+		// else create a regular entry
+		else
+		{
+			// check parent is in map
+			if (mDirParentVaddrMap.find(getDirEntry(v_addr)->parent_offset.unwrap()) == mDirParentVaddrMap.end())
+				throw tc::InvalidOperationException("ntd::n3ds::RomFsSnapshotGenerator", "Directory had invalid parent");
+
+			// save/transcode file name
+			std::u16string utf16_string;
+			std::string utf8_string;
+			size_t str_len = getDirEntry(v_addr)->name_size.unwrap() / sizeof(uint16_t);
+			for (size_t i = 0; i < str_len; i++)
+			{
+				utf16_string.push_back(getDirEntry(v_addr)->name[i].unwrap());
+			}
+			tc::string::TranscodeUtil::UTF16ToUTF8(utf16_string, utf8_string);
+
+			// create dir path
+			size_t parent_index = mDirParentVaddrMap[getDirEntry(v_addr)->parent_offset.unwrap()];
+			tc::io::Path dir_path = dir_entries[parent_index].dir_listing.abs_path + utf8_string;
+			dir_tmp.dir_listing.abs_path = dir_path;
+
+			// add dir entry to list
+			dir_entries.push_back(std::move(dir_tmp));
+
+			// add dir entry to map
+			dir_entry_path_map[dir_path] = dir_entries.size() - 1;
+			mDirParentVaddrMap[v_addr] = dir_entries.size() - 1;
+
+			// add name to parent directory listing
+			dir_entries[parent_index].dir_listing.dir_list.push_back(utf8_string);
+		}
+		
+
+		uint32_t total_size = sizeof(ntd::n3ds::RomFsDirectoryEntry) + align<uint32_t>(getDirEntry(v_addr)->name_size.unwrap(), 4);
+
+		if (getDirEntry(v_addr)->sibling_offset.unwrap() < v_addr)
+		{
+			throw tc::InvalidOperationException("ntd::n3ds::RomFsSnapshotGenerator", "Possibly corrupted directory entry");
+		}
+
+		v_addr += total_size;
+	}
+
+	// add files
+	FileEntry file_tmp;
+	for (uint32_t v_addr = 0; v_addr < mFileEntryTable.size();)
+	{
+		// check parent is in map
+		if (mDirParentVaddrMap.find(getFileEntry(v_addr)->parent_offset.unwrap()) == mDirParentVaddrMap.end())
+			throw tc::InvalidOperationException("ntd::n3ds::RomFsSnapshotGenerator", "File had invalid parent");
+
+		if (getFileEntry(v_addr)->data_size.unwrap() != 0)
+		{
+			// substream
+			//std::cout << "trying to add file" << std::endl;
+			//std::cout << "offset " << std::hex << getFileEntry(v_addr)->data_offset.unwrap() << std::endl;
+			//std::cout << "size   " << std::hex << getFileEntry(v_addr)->data_size.unwrap() << std::endl;
+			file_tmp.stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mBaseStream, mDataOffset + getFileEntry(v_addr)->data_offset.unwrap(), getFileEntry(v_addr)->data_size.unwrap()));
+			//std::cout << "file was added" << std::endl;
+		}
+		else
+		{
+			// empty stream
+			file_tmp.stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream());
+		}
+
+		// save/transcode file name
+		std::u16string utf16_string;
+		std::string utf8_string;
+		size_t str_len = getFileEntry(v_addr)->name_size.unwrap() / sizeof(uint16_t);
+		for (size_t i = 0; i < str_len; i++)
+		{
+			utf16_string.push_back(getFileEntry(v_addr)->name[i].unwrap());
+		}
+		tc::string::TranscodeUtil::UTF16ToUTF8(utf16_string, utf8_string);
+
+		// create file path
+		size_t parent_index = mDirParentVaddrMap[getFileEntry(v_addr)->parent_offset.unwrap()];
+		tc::io::Path file_path = dir_entries[parent_index].dir_listing.abs_path + utf8_string;
+
+		// add file entry to list
+		file_entries.push_back(std::move(file_tmp));
+
+		// add file entry to map
+		file_entry_path_map[file_path] = file_entries.size() - 1;
+
+		// add name to parent directory listing
+		dir_entries[parent_index].dir_listing.file_list.push_back(utf8_string);
+
+		uint32_t total_size = sizeof(ntd::n3ds::RomFsFileEntry) + align<uint32_t>(getFileEntry(v_addr)->name_size.unwrap(), 4);
+
+		if (getFileEntry(v_addr)->sibling_offset.unwrap() < v_addr)
+		{
+			throw tc::InvalidOperationException("ntd::n3ds::RomFsSnapshotGenerator", "Possibly corrupted file entry");
+		}
+
+		v_addr += total_size;
+	}
+	
+	// old style recursive add
+	//addDirectory(getDirEntry(0), 0);
+}
+
+void ntd::n3ds::RomFsSnapshotGenerator::addFile(const ntd::n3ds::RomFsFileEntry* file_entry, size_t parent_dir)
+{
+	// create file entry
+	FileEntry tmp;
+	if (file_entry->data_size.unwrap() != 0)
+	{
+		// substream
+		//std::cout << "trying to add file" << std::endl;
+		//std::cout << "offset " << std::hex << file_entry->data_offset.unwrap() << std::endl;
+		//std::cout << "size   " << std::hex << file_entry->data_size.unwrap() << std::endl;
+		tmp.stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mBaseStream, mDataOffset + file_entry->data_offset.unwrap(), file_entry->data_size.unwrap()));
+		//std::cout << "file was added" << std::endl;
+	}
+	else
+	{
+		// empty stream
+		tmp.stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream());
+	}
+
+	// save/transcode file name
+	std::u16string utf16_string;
+	std::string utf8_string;
+	size_t str_len = file_entry->name_size.unwrap() / sizeof(uint16_t);
+	for (size_t i = 0; i < str_len; i++)
+	{
+		utf16_string.push_back(file_entry->name[i].unwrap());
+	}
+	tc::string::TranscodeUtil::UTF16ToUTF8(utf16_string, utf8_string);
+
+	// create file path
+	tc::io::Path file_path = dir_entries[parent_dir].dir_listing.abs_path + utf8_string;
+
+	// add file entry to list
+	file_entries.push_back(tmp);
+
+	// add file entry to map
+	file_entry_path_map[file_path] = file_entries.size() - 1;
+
+	// add name to parent directory listing
+	dir_entries[parent_dir].dir_listing.file_list.push_back(utf8_string);
+}
+
+void ntd::n3ds::RomFsSnapshotGenerator::addDirectory(const ntd::n3ds::RomFsDirectoryEntry* dir_entry, size_t parent_dir)
+{
+	// create dir entry
+	DirEntry tmp;
+
+	// save/transcode file name
+	std::u16string utf16_string;
+	std::string utf8_string;
+	size_t str_len = dir_entry->name_size.unwrap() / sizeof(uint16_t);
+	for (size_t i = 0; i < str_len; i++)
+	{
+		utf16_string.push_back(dir_entry->name[i].unwrap());
+	}
+	tc::string::TranscodeUtil::UTF16ToUTF8(utf16_string, utf8_string);
+
+	// this is the root entry
+	if (dir_entry->parent_offset.unwrap() == 0 && dir_entry->sibling_offset.unwrap() == 0xffffffff && dir_entry->name_size.unwrap() == 0)
+	{
+		// create dir path
+		tc::io::Path dir_path = tc::io::Path("/");
+		tmp.dir_listing.abs_path = dir_path;
+
+		// add dir entry to list
+		dir_entries.push_back(tmp);
+
+		// add dir entry to map
+		dir_entry_path_map[dir_path] = dir_entries.size() - 1;
+	}
+	// this is a regular directory
+	else
+	{
+		// create dir path
+		tc::io::Path dir_path = dir_entries[parent_dir].dir_listing.abs_path + utf8_string;
+		tmp.dir_listing.abs_path = dir_path;
+
+		// add dir entry to list
+		dir_entries.push_back(tmp);
+
+		// add dir entry to map
+		dir_entry_path_map[dir_path] = dir_entries.size() - 1;
+
+		// add name to parent directory listing
+		dir_entries[parent_dir].dir_listing.dir_list.push_back(utf8_string);
+	}
+	
+	
+	// get cur_dir pointer
+	auto cur_dir = dir_entries.size() - 1;
+	
+	// add file children
+	for (uint32_t child = dir_entry->file_offset.unwrap();
+	    child != 0xffffffff; 
+	    child = getFileEntry(child)->sibling_offset.unwrap())
+	{
+		//std::cout << "file child addr :" << std::hex << std::setw(8) << std::setfill('0') << child << std::endl;
+		addFile(getFileEntry(child), cur_dir);
+	}
+
+	// add dir children
+	for (uint32_t child = dir_entry->child_offset.unwrap();
+	    child != 0xffffffff; 
+	    child = getDirEntry(child)->sibling_offset.unwrap())
+	{
+		addDirectory(getDirEntry(child), cur_dir);
+	}	
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/Certificate.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/Certificate.cpp
new file mode 100644
index 00000000..782ebc87
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/Certificate.cpp
@@ -0,0 +1,200 @@
+#include <ntd/n3ds/es/Certificate.h>
+#include <fmt/core.h>
+
+#include <brd/es/es_cert.h>
+#include <tc/ByteData.h>
+#include <tc/crypto/Sha256Generator.h>
+
+#include <tc/cli.h>
+
+size_t ntd::n3ds::es::getCertificateSize(byte_t* data)
+{
+	size_t signature_size = 0;
+	size_t public_key_size = 0;
+
+	if (data == nullptr) { return 0; }
+
+	signature_size = getCertificateSignatureSize(data);
+	if (signature_size == 0) { return 0; }
+
+	brd::es::ESCertHeader* header = (brd::es::ESCertHeader*)(data + signature_size);
+	brd::es::ESCertPubKeyType public_key_type = header->pubKeyType.unwrap();
+	switch (public_key_type)
+	{
+		case brd::es::ESCertPubKeyType::RSA4096:
+			public_key_size = sizeof(brd::es::ESCertRsa4096PublicKey);
+			break;
+		case brd::es::ESCertPubKeyType::RSA2048:
+			public_key_size = sizeof(brd::es::ESCertRsa2048PublicKey);
+			break;
+		case brd::es::ESCertPubKeyType::ECC:
+			public_key_size = sizeof(brd::es::ESCertEcc233PublicKey);
+			break;
+		default:
+			return 0;
+	}
+
+	return signature_size + sizeof(brd::es::ESCertHeader) + public_key_size;
+}
+
+size_t ntd::n3ds::es::getCertificateSignatureSize(byte_t* data)
+{
+	size_t signature_size = 0;
+
+	if (data == nullptr) { return 0; }
+
+	brd::es::ESSigType sig_type = ((tc::bn::be32<brd::es::ESSigType>*)data)->unwrap();
+	switch (sig_type)
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+		case brd::es::ESSigType::RSA4096_SHA256:
+			signature_size = sizeof(brd::es::ESSigRsa4096);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+		case brd::es::ESSigType::RSA2048_SHA256:
+			signature_size = sizeof(brd::es::ESSigRsa2048);
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+		case brd::es::ESSigType::ECC_SHA256:
+			signature_size = sizeof(brd::es::ESSigEcc233);
+			break;
+		default:
+			return 0;
+	}
+
+	return signature_size;
+}
+
+size_t ntd::n3ds::es::getCertificateSignableOffset(byte_t* data)
+{
+	size_t signature_size = 0;
+
+	if (data == nullptr) { return 0; }
+
+	signature_size = getCertificateSignatureSize(data);
+	if (signature_size == 0) { return 0; }
+
+	return signature_size - sizeof(brd::es::ESIssuer);
+}
+
+size_t ntd::n3ds::es::getCertificateSignableSize(byte_t* data)
+{
+	return getCertificateSize(data) - getCertificateSignableOffset(data);
+}
+
+void* ntd::n3ds::es::getCertificateHeaderPtr(byte_t* data)
+{
+	size_t signature_size = 0;
+
+	if (data == nullptr) { return nullptr; }
+
+	signature_size = getCertificateSignatureSize(data);
+	if (signature_size == 0) { return nullptr; }
+
+	return (data + signature_size);
+}
+
+void* ntd::n3ds::es::getCertificatePublicKeyPtr(byte_t* data)
+{
+	size_t signature_size = 0;
+
+	if (data == nullptr) { return nullptr; }
+
+	signature_size = getCertificateSignatureSize(data);
+	if (signature_size == 0) { return nullptr; }
+
+	return (data + signature_size + sizeof(brd::es::ESCertHeader));
+}
+
+ntd::n3ds::es::CertificateDeserialiser::CertificateDeserialiser(const std::shared_ptr<tc::io::IStream>& cert_stream) :
+	Certificate(),
+	mModuleLabel("ntd::n3ds::es::CertificateDeserialiser")
+{
+	if (cert_stream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Stream was null.");
+	}
+
+	// process signature
+	this->signature = SignatureDeserialiser(cert_stream);
+	switch (this->signature.sig_type)
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+		case brd::es::ESSigType::RSA4096_SHA256:
+		case brd::es::ESSigType::RSA2048_SHA1:
+		case brd::es::ESSigType::RSA2048_SHA256:
+		case brd::es::ESSigType::ECC_SHA1:
+		case brd::es::ESSigType::ECC_SHA256:
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(mModuleLabel, "CERT had unexpected signature type.");
+	}
+	size_t signature_size = getSignatureSizeFromSigType(this->signature.sig_type);
+
+	// get certificate header
+	brd::es::ESCertHeader header;
+	cert_stream->seek(signature_size, tc::io::SeekOrigin::Begin);
+	if (cert_stream->read((byte_t*)&header, sizeof(brd::es::ESCertHeader)) < sizeof(brd::es::ESCertHeader))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "CERT had unexpected size after reading.");
+	}
+
+	// get public key
+	union CertificatePublicKey
+	{
+		brd::es::ESCertRsa4096PublicKey rsa4096;
+		brd::es::ESCertRsa2048PublicKey rsa2048;
+		brd::es::ESCertEcc233PublicKey ecc233;
+	} public_key;
+	size_t public_key_size;
+
+	switch (header.pubKeyType.unwrap())
+	{
+		case brd::es::ESCertPubKeyType::RSA4096:
+			public_key_size = sizeof(brd::es::ESCertRsa4096PublicKey);
+			break;
+		case brd::es::ESCertPubKeyType::RSA2048:
+			public_key_size = sizeof(brd::es::ESCertRsa2048PublicKey);
+			break;
+		case brd::es::ESCertPubKeyType::ECC:
+			public_key_size = sizeof(brd::es::ESCertEcc233PublicKey);
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(mModuleLabel, "CERT had unexpected public key type.");
+	}
+
+	cert_stream->seek(signature_size + sizeof(brd::es::ESCertHeader), tc::io::SeekOrigin::Begin);
+	if (cert_stream->read((byte_t*)&public_key, public_key_size) < public_key_size)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "CERT had unexpected size after reading.");
+	}
+
+	// calculate hash for optional signature validation later
+	tc::ByteData total_cert_data = tc::ByteData(signature_size + sizeof(brd::es::ESCertHeader) + public_key_size);
+	cert_stream->seek(0, tc::io::SeekOrigin::Begin);
+	if (cert_stream->read(total_cert_data.data(), total_cert_data.size()) < total_cert_data.size())
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "CERT had unexpected size after reading.");
+	}
+	tc::crypto::GenerateSha256Hash(calculated_hash.data(), total_cert_data.data() + getCertificateSignableOffset(total_cert_data.data()), ntd::n3ds::es::getCertificateSignableSize(total_cert_data.data()));
+
+
+	// store properties
+	//this->signature = SignatureDeserialiser(cert_stream);
+	this->subject = header.name.deviceId.decode();
+	this->date = header.date.unwrap();
+	this->public_key_type = header.pubKeyType.unwrap();
+	switch (header.pubKeyType.unwrap())
+	{
+		case brd::es::ESCertPubKeyType::RSA4096:
+			memcpy(&this->rsa4096_public_key, &public_key.rsa4096.pubKey, sizeof(brd::es::Rsa4096PublicKey));
+			break;
+		case brd::es::ESCertPubKeyType::RSA2048:
+			memcpy(&this->rsa2048_public_key, &public_key.rsa2048.pubKey, sizeof(brd::es::Rsa2048PublicKey));
+			break;
+		case brd::es::ESCertPubKeyType::ECC:
+			memcpy(&this->ecc233_public_key, &public_key.ecc233.pubKey, sizeof(brd::es::Ecc233PublicKey));
+			break;
+	}
+	
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/RsaSigner.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/RsaSigner.cpp
new file mode 100644
index 00000000..c7dda6b2
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/RsaSigner.cpp
@@ -0,0 +1,84 @@
+#include <ntd/n3ds/es/RsaSigner.h>
+
+#include <tc/crypto/RsaPkcs1Sha1Signer.h>
+#include <tc/crypto/RsaPkcs1Sha256Signer.h>
+
+ntd::n3ds::es::RsaSigner::RsaSigner(brd::es::ESSigType sig_type, const std::string& issuer, const tc::crypto::RsaKey& rsa_key) :
+	mSigType(sig_type),
+	mIssuer(issuer),
+	mRsaKey(rsa_key)
+{
+	switch (mSigType) {
+		case brd::es::ESSigType::RSA4096_SHA1:
+		case brd::es::ESSigType::RSA4096_SHA256:
+			if ((mRsaKey.n.size() << 3) != 4096) throw tc::ArgumentOutOfRangeException("ntd::n3ds::es::RsaSigner::RsaSigner()", "Key size inferred from SigType did not match actual key size.");
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+		case brd::es::ESSigType::RSA2048_SHA256:
+			if ((mRsaKey.n.size() << 3) != 2048) throw tc::ArgumentOutOfRangeException("ntd::n3ds::es::RsaSigner::RsaSigner()", "Key size inferred from SigType did not match actual key size.");
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException("ntd::n3ds::es::RsaSigner::RsaSigner()", "SigType not supported for RsaSigner.");
+			break;
+	}
+}
+
+const std::string& ntd::n3ds::es::RsaSigner::getIssuer()
+{
+	return mIssuer;
+}
+
+brd::es::ESSigType ntd::n3ds::es::RsaSigner::getSigType()
+{
+	return mSigType;
+}
+
+bool ntd::n3ds::es::RsaSigner::signHash(const byte_t* hash, byte_t* signature)
+{
+	bool signSucceed = false;
+
+	switch (mSigType) {
+		case brd::es::ESSigType::RSA4096_SHA1:
+			signSucceed = tc::crypto::SignRsa4096Pkcs1Sha1(signature, hash, mRsaKey);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+			signSucceed = tc::crypto::SignRsa2048Pkcs1Sha1(signature, hash, mRsaKey);
+			break;
+		case brd::es::ESSigType::RSA4096_SHA256:
+			signSucceed = tc::crypto::SignRsa4096Pkcs1Sha256(signature, hash, mRsaKey);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA256:
+			signSucceed = tc::crypto::SignRsa2048Pkcs1Sha256(signature, hash, mRsaKey);
+			break;
+		default:
+			signSucceed = false;
+			break;
+	}
+
+	return signSucceed;
+}
+
+bool ntd::n3ds::es::RsaSigner::verifyHash(const byte_t* hash, const byte_t* signature)
+{
+	bool verifySucceed = false;
+
+	switch (mSigType) {
+		case brd::es::ESSigType::RSA4096_SHA1:
+			verifySucceed = tc::crypto::VerifyRsa4096Pkcs1Sha1(signature, hash, mRsaKey);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+			verifySucceed = tc::crypto::VerifyRsa2048Pkcs1Sha1(signature, hash, mRsaKey);
+			break;
+		case brd::es::ESSigType::RSA4096_SHA256:
+			verifySucceed = tc::crypto::VerifyRsa4096Pkcs1Sha256(signature, hash, mRsaKey);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA256:
+			verifySucceed = tc::crypto::VerifyRsa2048Pkcs1Sha256(signature, hash, mRsaKey);
+			break;
+		default:
+			verifySucceed = false;
+			break;
+	}
+
+	return verifySucceed;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/Signature.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/Signature.cpp
new file mode 100644
index 00000000..5da0dd0b
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/Signature.cpp
@@ -0,0 +1,138 @@
+#include <ntd/n3ds/es/Signature.h>
+#include <fmt/core.h>
+
+#include <brd/es/es_cert.h>
+#include <tc/ByteData.h>
+#include <tc/crypto/Sha256Generator.h>
+
+#include <tc/cli.h>
+
+size_t ntd::n3ds::es::getSignatureSizeFromSigType(brd::es::ESSigType sig_type)
+{
+	size_t signature_size = 0;
+	switch (sig_type)
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+		case brd::es::ESSigType::RSA4096_SHA256:
+			signature_size = sizeof(brd::es::ESSigRsa4096);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+		case brd::es::ESSigType::RSA2048_SHA256:
+			signature_size = sizeof(brd::es::ESSigRsa2048);
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+		case brd::es::ESSigType::ECC_SHA256:
+			signature_size = sizeof(brd::es::ESSigEcc233);
+			break;
+		default:
+			signature_size = 0;
+	}
+
+	return signature_size;
+}
+
+size_t ntd::n3ds::es::getSignatureIssuerOffset(brd::es::ESSigType sig_type)
+{
+	size_t issuer_offset = 0;
+	switch (sig_type)
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+		case brd::es::ESSigType::RSA4096_SHA256:
+			issuer_offset = sizeof(brd::es::ESSigRsa4096) - sizeof(brd::es::ESIssuer);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+		case brd::es::ESSigType::RSA2048_SHA256:
+			issuer_offset = sizeof(brd::es::ESSigRsa2048) - sizeof(brd::es::ESIssuer);
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+		case brd::es::ESSigType::ECC_SHA256:
+			issuer_offset = sizeof(brd::es::ESSigEcc233) - sizeof(brd::es::ESIssuer);
+			break;
+		default:
+			issuer_offset = 0;
+	}
+
+	return issuer_offset;
+}
+
+ntd::n3ds::es::SignatureDeserialiser::SignatureDeserialiser(const std::shared_ptr<tc::io::IStream>& stream) :
+	Signature(),
+	mModuleLabel("ntd::n3ds::es::SignatureDeserialiser")
+{
+	if (stream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Stream was null.");
+	}
+
+	// must have at least 4 bytes for signature magic code
+	if (stream->length() < sizeof(uint32_t))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "Stream was too small to import signature.");
+	}
+
+	// get signature
+	enum class SignType {
+		RSA4096,
+		RSA2048,
+		ECDSA233,
+	};
+	union SignatureSignature
+	{
+		tc::bn::be32<brd::es::ESSigType>    sigType;
+		brd::es::ESSigRsa4096 rsa4096;
+		brd::es::ESSigRsa2048 rsa2048;
+		brd::es::ESSigEcc233 ecdsa233;
+	} signature_data;
+	size_t signature_size = 0;
+
+	stream->seek(0, tc::io::SeekOrigin::Begin);
+	if (stream->read((byte_t*)&signature_data, sizeof(uint32_t)) < sizeof(uint32_t))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "Unexpected size after reading.");
+	}
+	switch (signature_data.sigType.unwrap())
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+		case brd::es::ESSigType::RSA4096_SHA256:
+			signature_size = sizeof(brd::es::ESSigRsa4096);
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+		case brd::es::ESSigType::RSA2048_SHA256:
+			signature_size = sizeof(brd::es::ESSigRsa2048);
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+		case brd::es::ESSigType::ECC_SHA256:
+			signature_size = sizeof(brd::es::ESSigEcc233);
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(mModuleLabel, "Unexpected signature type.");
+	}
+	stream->seek(0, tc::io::SeekOrigin::Begin);
+	if (stream->read((byte_t*)&signature_data, signature_size) < signature_size)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "Unexpected size after reading.");
+	}
+
+	// store properties
+	this->sig_type = signature_data.sigType.unwrap();
+	switch (signature_data.sigType.unwrap())
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+		case brd::es::ESSigType::RSA4096_SHA256:
+			this->sig = tc::ByteData(signature_data.rsa4096.sig.data(), signature_data.rsa4096.sig.size());
+			this->issuer = signature_data.rsa4096.issuer.decode();
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+		case brd::es::ESSigType::RSA2048_SHA256:
+			this->sig = tc::ByteData(signature_data.rsa2048.sig.data(), signature_data.rsa2048.sig.size());
+			this->issuer = signature_data.rsa2048.issuer.decode();
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+		case brd::es::ESSigType::ECC_SHA256:
+			this->sig = tc::ByteData((byte_t*)&signature_data.ecdsa233.sig, sizeof(brd::es::Ecc233Sig));
+			this->issuer = signature_data.ecdsa233.issuer.decode();
+			break;
+		default:
+			break;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp
new file mode 100644
index 00000000..dc590ebe
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp
@@ -0,0 +1,182 @@
+#include <ntd/n3ds/es/Ticket.h>
+#include <fmt/core.h>
+
+#include <brd/es/es_ticket.h>
+#include <tc/ByteData.h>
+#include <tc/crypto/Sha256Generator.h>
+
+#include <tc/cli.h>
+
+ntd::n3ds::es::TicketDeserialiser::TicketDeserialiser(const std::shared_ptr<tc::io::IStream>& tik_stream) :
+	Ticket(),
+	mModuleLabel("ntd::n3ds::es::TicketDeserialiser")
+{
+	if (tik_stream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Stream was null.");
+	}
+
+	if (tik_stream->length() < sizeof(brd::es::ESV1Ticket))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "Stream was too small to import ticket.");
+	}
+
+	// import TIK v1 data (less the section headers)
+	tc::ByteData tik_data = tc::ByteData(sizeof(brd::es::ESV1Ticket));
+	tik_stream->seek(0, tc::io::SeekOrigin::Begin);
+	if (tik_stream->read(tik_data.data(), tik_data.size()) < tik_data.size())
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK had unexpected size after reading.");
+	}
+
+	// get pointer
+	brd::es::ESV1Ticket* tik = (brd::es::ESV1Ticket*)tik_data.data();
+	if (tik->head.sig.sigType.unwrap() != brd::es::ESSigType::RSA2048_SHA256)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK had unexpected signature type.");
+	}
+	if (tik->head.version != 1)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK had unexpected format version.");
+	}
+	if (tik->v1Head.hdrVersion.unwrap() != 1)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK v1 header extension had unexpected format version.");
+	}
+	if (tik->v1Head.hdrSize.unwrap() != sizeof(brd::es::ESV1TicketHeader))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK v1 header extension had header size.");
+	}
+	if (tik->v1Head.sectHdrOfst.unwrap() != sizeof(brd::es::ESV1TicketHeader))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK v1 header extension had poorly aligned sectHdrOfst.");
+	}
+	if (tik->v1Head.sectHdrEntrySize.unwrap() != sizeof(brd::es::ESV1SectionHeader))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK v1 header extension had unexpected size for section headers.");
+	}
+	if (tik_stream->length() < static_cast<int64_t>(sizeof(brd::es::ESTicket) + tik->v1Head.ticketSize.unwrap()))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "Stream was too small for calculated ticket size.");
+	}
+
+	// import full TIK v1 data
+	tik_data = tc::ByteData(sizeof(brd::es::ESTicket) + tik->v1Head.ticketSize.unwrap());
+	tik_stream->seek(0, tc::io::SeekOrigin::Begin);
+	if (tik_stream->read(tik_data.data(), tik_data.size()) < tik_data.size())
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TIK had unexpected size after reading.");
+	}
+
+	// update pointer
+	tik = (brd::es::ESV1Ticket*)tik_data.data();
+
+	/*
+	fmt::print("ESTicket:\n");
+	fmt::print("sigType:          {:x}\n", tik->head.sig.sigType.unwrap());
+	fmt::print("issuer:           {}\n", tik->head.sig.issuer.str());
+	fmt::print("version:          {:d}\n", tik->head.version);
+	fmt::print("caCrlVersion:     {:d}\n", tik->head.caCrlVersion);
+	fmt::print("signerCrlVersion: {:d}\n", tik->head.signerCrlVersion);
+	fmt::print("titleKey:         {}\n", tc::cli::FormatUtil::formatBytesAsString(tik->head.titleKey.data(), tik->head.titleKey.size(), true, ""));
+	fmt::print("ticketId:         {:016x}\n", tik->head.ticketId.unwrap());
+	fmt::print("deviceId:         {:08x}\n", tik->head.deviceId.unwrap());
+	fmt::print("titleId:          {:016x}\n", tik->head.titleId.unwrap());
+	fmt::print("sysAccessMask:    {}\n", tc::cli::FormatUtil::formatBytesAsString(tik->head.sysAccessMask.data(), tik->head.sysAccessMask.size(), true, ""));
+	fmt::print("ticketVersion:    {:d}\n", tik->head.ticketVersion.unwrap());
+	fmt::print("accessTitleId:    {:08x}\n", tik->head.accessTitleId.unwrap());
+	fmt::print("accessTitleMask:  {:08x}\n", tik->head.accessTitleMask.unwrap());
+	fmt::print("licenseType:      {:02x}\n", tik->head.licenseType);
+	fmt::print("keyId:            {:02x}\n", tik->head.keyId);
+	fmt::print("propertyMask:     {:04x}\n", tik->head.propertyMask.unwrap());
+	fmt::print("customData:       {}\n", tc::cli::FormatUtil::formatBytesAsString(tik->head.customData.data(), tik->head.customData.size(), true, ""));
+	fmt::print("audit:            {:02x}\n", tik->head.audit);
+	fmt::print("cidxMask:         {}\n", tc::cli::FormatUtil::formatBytesAsString(tik->head.cidxMask.data(), tik->head.cidxMask.size(), true, ""));
+	for (size_t i = 0; i < tik->head.limits.size(); i++)
+	{
+		fmt::print("lp entry {}:       code={:08x}, limit={:08x}\n", i, tik->head.limits[i].code.unwrap(), tik->head.limits[i].limit.unwrap());
+	}
+	fmt::print("ESV1TicketHeader:\n");
+	fmt::print("hdrVersion:       {:04x}\n", tik->v1Head.hdrVersion.unwrap());
+	fmt::print("hdrSize:          {:04x}\n", tik->v1Head.hdrSize.unwrap());
+	fmt::print("ticketSize:       {:08x}\n", tik->v1Head.ticketSize.unwrap());
+	fmt::print("sectHdrOfst:      {:08x}\n", tik->v1Head.sectHdrOfst.unwrap());
+	fmt::print("nSectHdrs:        {:04x}\n", tik->v1Head.nSectHdrs.unwrap());
+	fmt::print("sectHdrEntrySize: {:04x}\n", tik->v1Head.sectHdrEntrySize.unwrap());
+	fmt::print("flags:            {:08x}\n", tik->v1Head.flags.unwrap());
+	size_t sect_hdr_num = tik->v1Head.nSectHdrs.unwrap();
+	//brd::es::ESV1SectionHeader* sect_hdr = (brd::es::ESV1SectionHeader*)(tik_data.data() + sizeof(brd::es::ESTicket) + tik->v1Head.sectHdrOfst.unwrap());
+	for (size_t i = 0; i < sect_hdr_num; i++)
+	{
+		fmt::print("sectHdr {:d}:\n", i);
+		fmt::print(" sectOfst:        {:08x}\n", tik->sectHdrs[i].sectOfst.unwrap());
+		fmt::print(" nRecords:        {:08x}\n", tik->sectHdrs[i].nRecords.unwrap());
+		fmt::print(" recordSize:      {:08x}\n", tik->sectHdrs[i].recordSize.unwrap());
+		fmt::print(" sectionSize:     {:08x}\n", tik->sectHdrs[i].sectionSize.unwrap());
+		fmt::print(" sectionType:     {:04x}\n", tik->sectHdrs[i].sectionType.unwrap());
+		fmt::print(" flags:           {:04x}\n", tik->sectHdrs[i].flags.unwrap());
+	}
+	*/
+	
+
+	struct TicketReservedForCtr
+	{
+		tc::bn::pad<0x14> reserved_00;
+		tc::bn::le32<uint32_t> ec_account_id;
+		tc::bn::pad<0x01> reserved_01;
+	};
+
+	// generate hash
+	byte_t* tik_hash_begin = (byte_t*)&tik->head.sig.issuer;
+	size_t tik_hash_size = tik_data.size() - size_t(tik_hash_begin - tik_data.data());
+	tc::crypto::GenerateSha256Hash(this->calculated_hash.data(), tik_hash_begin, tik_hash_size);
+
+	// basic fields
+	this->signature.sig_type = tik->head.sig.sigType.unwrap();
+	this->signature.sig = tc::ByteData(tik->head.sig.sig.data(), tik->head.sig.sig.size());
+	this->signature.issuer = tik->head.sig.issuer.decode();
+	this->title_key = tik->head.titleKey;
+	this->ticket_id = tik->head.ticketId.unwrap();
+	this->device_id = tik->head.deviceId.unwrap();
+	this->title_id = tik->head.titleId.unwrap();
+	this->ticket_version = tik->head.ticketVersion.unwrap();
+	this->license_type = tik->head.licenseType;
+	this->key_id = tik->head.keyId;
+
+	// process data from reserved field
+	auto custom_data = (TicketReservedForCtr*)tik->head.reserved.data();
+	this->ec_account_id = custom_data->ec_account_id.unwrap();
+	
+	// find the demo launch limit
+	for (size_t i = 0; i < tik->head.limits.size(); i++)
+	{
+		if (tik->head.limits[i].code.unwrap() == (uint32_t)brd::es::ESLimitCode::NUM_LAUNCH)
+		{
+			launch_count = tik->head.limits[i].limit.unwrap();
+		}
+	}
+
+	// process content index
+	for (size_t i = 0; i < tik->v1Head.nSectHdrs.unwrap(); i++)
+	{
+		if (tik->sectHdrs[i].sectionType.unwrap() == (uint32_t)brd::es::ESItemType::CONTENT)
+		{
+			if (tik->sectHdrs[i].recordSize.unwrap() != sizeof(brd::es::ESV1ContentRecord))
+			{
+				throw tc::InvalidOperationException(mModuleLabel, fmt::format("Invalid size for ESV1ContentRecord. (expected: 0x{:x}, got 0x{:x})", sizeof(brd::es::ESV1ContentRecord), tik->sectHdrs[i].recordSize.unwrap()));
+			}
+			brd::es::ESV1ContentRecord* content_records = (brd::es::ESV1ContentRecord*)(tik_data.data() + sizeof(brd::es::ESTicket) + tik->sectHdrs[i].sectOfst.unwrap());
+			for (size_t j = 0; j < tik->sectHdrs[i].nRecords.unwrap(); j++)
+			{
+				tc::bn::bitarray<0x80>* access_mask = (tc::bn::bitarray<0x80>*)content_records[j].accessMask.data();
+				for (size_t bit = 0; bit < access_mask->bit_size(); bit++)
+				{
+					if (access_mask->test(bit)) 
+					{
+						this->enabled_content.set(content_records[j].offset.unwrap() + bit);
+					}
+				}
+			}
+		}
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
new file mode 100644
index 00000000..c9e0ac04
--- /dev/null
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
@@ -0,0 +1,135 @@
+#include <ntd/n3ds/es/TitleMetaData.h>
+#include <fmt/core.h>
+
+#include <brd/es/es_tmd.h>
+#include <tc/ByteData.h>
+#include <tc/crypto/Sha256Generator.h>
+
+ntd::n3ds::es::TitleMetaDataDeserialiser::TitleMetaDataDeserialiser(const std::shared_ptr<tc::io::IStream>& tmd_stream) :
+	TitleMetaData(),
+	mModuleLabel("ntd::n3ds::es::TitleMetaDataDeserialiser")
+{
+	if (tmd_stream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "TMD stream was null.");
+	}
+
+	if (tmd_stream->length() < (sizeof(brd::es::ESV1TitleMeta) + sizeof(brd::es::ESV1ContentMeta)))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD was too small.");
+	}
+
+	// import TMD v1 data
+	if (tc::is_int64_t_too_large_for_size_t(tmd_stream->length()))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD was too large to read into memory.");
+	}
+	tc::ByteData tmd_data = tc::ByteData(static_cast<size_t>(tmd_stream->length()));
+	tmd_stream->seek(0, tc::io::SeekOrigin::Begin);
+	if (tmd_stream->read(tmd_data.data(), tmd_data.size()) < tmd_data.size())
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had unexpected size after reading.");
+	}
+
+
+	// get pointer
+	brd::es::ESV1TitleMeta* tmd = (brd::es::ESV1TitleMeta*)tmd_data.data();
+	if (tmd->sig.sigType.unwrap() != brd::es::ESSigType::RSA2048_SHA256)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had unexpected signature type.");
+	}
+	if (tmd->head.version != 1)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had unexpected format version.");
+	}
+
+	// hash for staged validiation
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+
+	// calculate hash for optional signature validation later
+	tc::crypto::GenerateSha256Hash(calculated_hash.data(), (byte_t*)&tmd->sig.issuer, (size_t)((byte_t*)&tmd->v1Head.cmdGroups - (byte_t*)&tmd->sig.issuer));
+
+	// verify v1 ESV1ContentMetaGroup array using hash in v1 header
+	tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->v1Head.cmdGroups, sizeof(tmd->v1Head.cmdGroups));
+	if (memcmp(hash.data(), tmd->v1Head.hash.data(), hash.size()) != 0)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had invalid CMD group hash.");
+	}
+
+	/*
+	std::cout << "[Tmd]" << std::endl;
+	std::cout << "  > Issuer:            " << tmd->sig.issuer.data() << std::endl;
+	std::cout << "  > Version:           " << (int)tmd->head.version << std::endl;
+	std::cout << "  > CACrl Version:     " << (int)tmd->head.caCrlVersion << std::endl;
+	std::cout << "  > SignerCrl Version: " << (int)tmd->head.signerCrlVersion << std::endl;
+	std::cout << "  > TitleId:           " << std::hex << std::setfill('0') << std::setw(16) << tmd->head.titleId.unwrap() << std::endl;
+	*/
+
+	// determine if the TMD is the correct size given expected number of ESV1ContentMeta entries
+	size_t cmd_table_num = tmd->v1Head.cmdGroups[0].nCmds.unwrap();
+	if (tmd_data.size() != (sizeof(brd::es::ESV1TitleMeta) + (cmd_table_num * sizeof(brd::es::ESV1ContentMeta))))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had unexpected size");
+	}
+
+	// verify ESV1ContentMeta array
+	tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->contents, cmd_table_num * sizeof(brd::es::ESV1ContentMeta));
+	if (memcmp(hash.data(), tmd->v1Head.cmdGroups[0].groupHash.data(), hash.size()) != 0)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had invalid CMD group[0] hash.");
+	}
+
+	// verify other fields
+	if (tmd->head.sysVersion.unwrap() != 0)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "TMD sysVersion had unexpected value.");
+	}
+	if (tmd->head.type.unwrap() != brd::es::ESTitleType::CT_TITLE)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "TMD type had unexpected value.");
+	}
+
+	// process header now that it is verified
+	this->signature.sig_type = tmd->sig.sigType.unwrap();
+	this->signature.sig = tc::ByteData(tmd->sig.sig.data(), tmd->sig.sig.size());
+	this->signature.issuer = tmd->sig.issuer.decode();
+	this->title_id = tmd->head.titleId.unwrap();
+	this->title_version = tmd->head.titleVersion.unwrap();
+	struct TmdCustomDataForCtr
+	{
+		struct TwlCustomData
+		{
+			tc::bn::le32<uint32_t> public_save_data_size;
+			tc::bn::le32<uint32_t> private_save_data_size;
+			tc::bn::pad<4> padding;
+			byte_t flag;
+		};
+		struct CtrCustomData
+		{
+			tc::bn::le32<uint32_t> save_data_size;
+			tc::bn::bitarray<1> flag;
+		};
+		union {
+			TwlCustomData twl;
+			CtrCustomData ctr;
+		};
+	};
+	auto custom_data = (TmdCustomDataForCtr*)tmd->head.customData.data();
+	this->twl_custom_data.public_save_data_size = custom_data->twl.public_save_data_size;
+	this->twl_custom_data.private_save_data_size = custom_data->twl.private_save_data_size;
+	this->twl_custom_data.flag = custom_data->twl.flag;
+	this->ctr_custom_data.save_data_size = custom_data->ctr.save_data_size;
+	this->ctr_custom_data.is_snake_only = custom_data->ctr.flag.test(0);
+
+	// process ESV1ContentMeta entries 
+	for (size_t i = 0; i < cmd_table_num; i++)
+	{
+		this->content_info.push_back(ContentInfo(
+			tmd->contents[i].cid.unwrap(),
+			tmd->contents[i].index.unwrap(),
+			(tmd->contents[i].type.unwrap() & (uint16_t)brd::es::ESContentType_ENCRYPTED) == (uint16_t)brd::es::ESContentType_ENCRYPTED,
+			(tmd->contents[i].type.unwrap() & (uint16_t)brd::es::ESContentType_OPTIONAL) == (uint16_t)brd::es::ESContentType_OPTIONAL,
+			(int64_t)tmd->contents[i].size.unwrap(),
+			tmd->contents[i].hash));
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/BUILDING.md b/ctrtool/deps/libtoolchain/BUILDING.md
new file mode 100644
index 00000000..f552baab
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/BUILDING.md
@@ -0,0 +1,44 @@
+# Building
+## Linux (incl. Windows Subsystem for Linux) & MacOS - Makefile
+### Requirements
+* `make`
+* `doxygen`
+* `graphviz`
+* Terminal access
+* Typical GNU compatible development tools (e.g. `clang`, `g++`, `c++`, `ar` etc) with __C++11__ support
+
+### Using Makefile
+* `make` (default) - Compile library & self-test program
+* `make lib` - Compile library
+* `make test_program` - Compile self-test program
+* `make clean` - Remove all object files, compiled programs
+* `make docs` - Generate documentation
+* `make clean_docs` - Remove all documentation
+
+## Native Win32 - Visual Studio
+### Requirements
+* [Visual Studio Community](https://visualstudio.microsoft.com/vs/community/) 2015 or 2017 or 2019
+* [Doxygen](http://www.doxygen.nl/download.html#srcbin)
+* [Graphviz](https://graphviz.gitlab.io/_pages/Download/Download_windows.html) (make sure to download the GUI)
+	* Add the location of the Graphviz `bin` directory to `$(PATH)` or create a separate enviroment variable `$(DOT_PATH)` for it.
+
+### Compiling Library & Self-Test Program
+* Open `build/visualstudio/libtoolchain.sln` in Visual Studio
+* Select Target (e.g `Debug`|`Release` & `x86`|`x64`)
+* Navigate to `Build`->`Build Solution`
+
+### Including libtoolchain in another VS Solution for static linking
+* Clone `libtoolchain` as a submodule into your project
+* Navigate to the `Solution Explorer` window
+* Right-click on the Solution Item and select `Add`->`Existing Project...`
+* In the filesystem popup window open `<libtoolchain location>/build/visualstudio/libtoolchain/libtoolchain.vcxproj`
+* Update each dependant project's `References` to include libtoolchain
+* Update each dependant project's `Property Pages` so that for `All Configurations` and `All Platforms` the `Addition Include Directories` has the relative path to `<libtoolchain location>/include`
+* Update the `Project Build Order` so libtoolchain is built before any of its dependants
+* Update the `Project Dependencies` so that each dependant has the box checked for libtoolchain
+
+### Generating Doxygen Documentation
+* Open `Doxywizard`
+* Under `Step 1` specify the directory of libtoolchain as the working directory
+* This should open the Doxyfile and pre-fill all the configuration
+* Under `Step 2` navigate to `Run` and press `Run doxygen`
diff --git a/ctrtool/deps/libtoolchain/Doxyfile b/ctrtool/deps/libtoolchain/Doxyfile
new file mode 100644
index 00000000..2a6560ca
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/Doxyfile
@@ -0,0 +1,2565 @@
+# Doxyfile 1.8.15
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project.
+#
+# All text after a double hash (##) is considered a comment and is placed in
+# front of the TAG it is preceding.
+#
+# All text after a single hash (#) is considered a comment and will be ignored.
+# The format is:
+# TAG = value [value, ...]
+# For lists, items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (\" \").
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the configuration
+# file that follow. The default is UTF-8 which is also the encoding used for all
+# text before the first occurrence of this tag. Doxygen uses libiconv (or the
+# iconv built into libc) for the transcoding. See
+# https://www.gnu.org/software/libiconv/ for the list of possible encodings.
+# The default value is: UTF-8.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by
+# double-quotes, unless you are using Doxywizard) that should identify the
+# project for which the documentation is generated. This name is used in the
+# title of most generated pages and in a few other places.
+# The default value is: My Project.
+
+PROJECT_NAME           = libtoolchain
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. This
+# could be handy for archiving the generated documentation or if some version
+# control system is used.
+
+PROJECT_NUMBER         = v0.5.0
+
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer a
+# quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF          =
+
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
+
+PROJECT_LOGO           =
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
+# into which the generated documentation will be written. If a relative path is
+# entered, it will be relative to the location where doxygen was started. If
+# left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = ./docs
+
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
+# directories (in 2 levels) under the output directory of each output format and
+# will distribute the generated files over these directories. Enabling this
+# option can be useful when feeding doxygen a huge amount of source files, where
+# putting all generated files in the same directory would otherwise causes
+# performance problems for the file system.
+# The default value is: NO.
+
+CREATE_SUBDIRS         = NO
+
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES    = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
+# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
+# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
+# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
+# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
+# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
+# Ukrainian and Vietnamese.
+# The default value is: English.
+
+OUTPUT_LANGUAGE        = English
+
+# The OUTPUT_TEXT_DIRECTION tag is used to specify the direction in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all generated output in the proper direction.
+# Possible values are: None, LTR, RTL and Context.
+# The default value is: None.
+
+OUTPUT_TEXT_DIRECTION  = None
+
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
+# descriptions after the members that are listed in the file and class
+# documentation (similar to Javadoc). Set to NO to disable this.
+# The default value is: YES.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
+# description of a member or function before the detailed description
+#
+# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+# The default value is: YES.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator that is
+# used to form the text in various listings. Each string in this list, if found
+# as the leading text of the brief description, will be stripped from the text
+# and the result, after processing the whole list, is used as the annotated
+# text. Otherwise, the brief description is used as-is. If left blank, the
+# following values are used ($name is automatically replaced with the name of
+# the entity):The $name class, The $name widget, The $name file, is, provides,
+# specifies, contains, represents, a, an and the.
+
+ABBREVIATE_BRIEF       = "The $name class" \
+                         "The $name widget" \
+                         "The $name file" \
+                         is \
+                         provides \
+                         specifies \
+                         contains \
+                         represents \
+                         a \
+                         an \
+                         the
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# doxygen will generate a detailed section even if there is only a brief
+# description.
+# The default value is: NO.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+# The default value is: NO.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
+# before files name in the file list and in the header files. If set to NO the
+# shortest path that makes the file name unique will be used
+# The default value is: YES.
+
+FULL_PATH_NAMES        = YES
+
+# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.
+# Stripping is only done if one of the specified strings matches the left-hand
+# part of the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the path to
+# strip.
+#
+# Note that you can specify absolute paths here, but also relative paths, which
+# will be relative from the directory where doxygen is started.
+# This tag requires that the tag FULL_PATH_NAMES is set to YES.
+
+STRIP_FROM_PATH        = ./include
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
+# path mentioned in the documentation of a class, which tells the reader which
+# header file to include in order to use a class. If left blank only the name of
+# the header file containing the class definition is used. Otherwise one should
+# specify the list of include paths that are normally passed to the compiler
+# using the -I flag.
+
+STRIP_FROM_INC_PATH    = ./include
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
+# less readable) file names. This can be useful is your file systems doesn't
+# support long names like on DOS, Mac, or CD-ROM.
+# The default value is: NO.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the
+# first line (until the first dot) of a Javadoc-style comment as the brief
+# description. If set to NO, the Javadoc-style will behave just like regular Qt-
+# style comments (thus requiring an explicit @brief command for a brief
+# description.)
+# The default value is: NO.
+
+JAVADOC_AUTOBRIEF      = NO
+
+# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first
+# line (until the first dot) of a Qt-style comment as the brief description. If
+# set to NO, the Qt-style will behave just like regular Qt-style comments (thus
+# requiring an explicit \brief command for a brief description.)
+# The default value is: NO.
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a
+# multi-line C++ special comment block (i.e. a block of //! or /// comments) as
+# a brief description. This used to be the default behavior. The new default is
+# to treat a multi-line C++ comment block as a detailed description. Set this
+# tag to YES if you prefer the old behavior instead.
+#
+# Note that setting this tag to YES also means that rational rose comments are
+# not recognized any more.
+# The default value is: NO.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
+# documentation from any documented member that it re-implements.
+# The default value is: YES.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
+# The default value is: NO.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen
+# uses this value to replace tabs by spaces in code fragments.
+# Minimum value: 1, maximum value: 16, default value: 4.
+
+TAB_SIZE               = 4
+
+# This tag can be used to specify a number of aliases that act as commands in
+# the documentation. An alias has the form:
+# name=value
+# For example adding
+# "sideeffect=@par Side Effects:\n"
+# will allow you to put the command \sideeffect (or @sideeffect) in the
+# documentation, which will result in a user-defined paragraph with heading
+# "Side Effects:". You can put \n's in the value part of an alias to insert
+# newlines (in the resulting output). You can put ^^ in the value part of an
+# alias to insert a newline as if a physical newline was in the original file.
+# When you need a literal { or } or , in the value part of an alias you have to
+# escape them by means of a backslash (\), this can lead to conflicts with the
+# commands \{ and \} for these it is advised to use the version @{ and @} or use
+# a double escape (\\{ and \\})
+
+ALIASES                =
+
+# This tag can be used to specify a number of word-keyword mappings (TCL only).
+# A mapping has the form "name=value". For example adding "class=itcl::class"
+# will allow you to use the command class in the itcl::class meaning.
+
+TCL_SUBST              =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
+# only. Doxygen will then generate output that is more tailored for C. For
+# instance, some of the names that are used will be different. The list of all
+# members will be omitted, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_FOR_C  = NO
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or
+# Python sources only. Doxygen will then generate output that is more tailored
+# for that language. For instance, namespaces will be presented as packages,
+# qualified scopes will look different, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
+# sources. Doxygen will then generate output that is tailored for Fortran.
+# The default value is: NO.
+
+OPTIMIZE_FOR_FORTRAN   = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
+# sources. Doxygen will then generate output that is tailored for VHDL.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_VHDL   = NO
+
+# Set the OPTIMIZE_OUTPUT_SLICE tag to YES if your project consists of Slice
+# sources only. Doxygen will then generate output that is more tailored for that
+# language. For instance, namespaces will be presented as modules, types will be
+# separated into more groups, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_SLICE  = NO
+
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given
+# extension. Doxygen has a built-in mapping, but you can override or extend it
+# using this tag. The format is ext=language, where ext is a file extension, and
+# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
+# Csharp (C#), C, C++, D, PHP, md (Markdown), Objective-C, Python, Slice,
+# Fortran (fixed format Fortran: FortranFixed, free formatted Fortran:
+# FortranFree, unknown formatted Fortran: Fortran. In the later case the parser
+# tries to guess whether the code is fixed or free formatted code, this is the
+# default for Fortran type files), VHDL, tcl. For instance to make doxygen treat
+# .inc files as Fortran files (default is PHP), and .f files as C (default is
+# Fortran), use: inc=Fortran f=C.
+#
+# Note: For files without extension you can use no_extension as a placeholder.
+#
+# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
+# the files are not read by doxygen.
+
+EXTENSION_MAPPING      =
+
+# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
+# according to the Markdown format, which allows for more readable
+# documentation. See https://daringfireball.net/projects/markdown/ for details.
+# The output of markdown processing is further processed by doxygen, so you can
+# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
+# case of backward compatibilities issues.
+# The default value is: YES.
+
+MARKDOWN_SUPPORT       = YES
+
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS   = 0
+
+# When enabled doxygen tries to link words that correspond to documented
+# classes, or namespaces to their corresponding documentation. Such a link can
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
+# The default value is: YES.
+
+AUTOLINK_SUPPORT       = YES
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
+# to include (a tag file for) the STL sources as input, then you should set this
+# tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string);
+# versus func(std::string) {}). This also make the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+# The default value is: NO.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+# The default value is: NO.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
+# https://www.riverbankcomputing.com/software/sip/intro) sources only. Doxygen
+# will parse them like normal C++ but will assume all classes use public instead
+# of private inheritance when no explicit protection keyword is present.
+# The default value is: NO.
+
+SIP_SUPPORT            = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate
+# getter and setter methods for a property. Setting this option to YES will make
+# doxygen to replace the get and set methods by a property in the documentation.
+# This will only work if the methods are indeed getting or setting a simple
+# type. If this is not the case, or you want to show the methods anyway, you
+# should set this option to NO.
+# The default value is: YES.
+
+IDL_PROPERTY_SUPPORT   = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+# The default value is: NO.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
+# Set the SUBGROUPING tag to YES to allow class member groups of the same type
+# (for instance a group of public functions) to be put as a subgroup of that
+# type (e.g. under the Public Functions section). Set it to NO to prevent
+# subgrouping. Alternatively, this can be done per class using the
+# \nosubgrouping command.
+# The default value is: YES.
+
+SUBGROUPING            = YES
+
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions
+# are shown inside the group in which they are included (e.g. using \ingroup)
+# instead of on a separate page (for HTML and Man pages) or section (for LaTeX
+# and RTF).
+#
+# Note that this feature does not work in combination with
+# SEPARATE_MEMBER_PAGES.
+# The default value is: NO.
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions
+# with only public data fields or simple typedef fields will be shown inline in
+# the documentation of the scope in which they are defined (i.e. file,
+# namespace, or group documentation), provided this scope is documented. If set
+# to NO, structs, classes, and unions are shown on a separate page (for HTML and
+# Man pages) or section (for LaTeX and RTF).
+# The default value is: NO.
+
+INLINE_SIMPLE_STRUCTS  = NO
+
+# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or
+# enum is documented as struct, union, or enum with the name of the typedef. So
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
+# with name TypeT. When disabled the typedef will appear as a member of a file,
+# namespace, or class. And the struct will be named TypeS. This can typically be
+# useful for C code in case the coding convention dictates that all compound
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+# The default value is: NO.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This
+# cache is used to resolve symbols given their name and scope. Since this can be
+# an expensive process and often the same symbol appears multiple times in the
+# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small
+# doxygen will become slower. If the cache is too large, memory is wasted. The
+# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range
+# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536
+# symbols. At the end of a run doxygen will report the cache usage and suggest
+# the optimal cache size from a speed point of view.
+# Minimum value: 0, maximum value: 9, default value: 0.
+
+LOOKUP_CACHE_SIZE      = 0
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
+# documentation are documented, even if no documentation was available. Private
+# class members and static file members will be hidden unless the
+# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
+# Note: This will also disable the warnings about undocumented members that are
+# normally produced when WARNINGS is set to YES.
+# The default value is: NO.
+
+EXTRACT_ALL            = NO
+
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
+# be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PRIVATE        = NO
+
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
+# scope will be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PACKAGE        = NO
+
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
+# included in the documentation.
+# The default value is: NO.
+
+EXTRACT_STATIC         = NO
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
+# only classes defined in header files are included. Does not have any effect
+# for Java sources.
+# The default value is: YES.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. If set to YES, local methods,
+# which are defined in the implementation section but not in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
+# included.
+# The default value is: NO.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base name of
+# the file that contains the anonymous namespace. By default anonymous namespace
+# are hidden.
+# The default value is: NO.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
+# undocumented members inside documented classes or files. If set to NO these
+# members will be included in the various overviews, but no documentation
+# section is generated. This option has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy. If set
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
+# (class|struct|union) declarations. If set to NO, these declarations will be
+# included in the documentation.
+# The default value is: NO.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
+# documentation blocks found inside the body of a function. If set to NO, these
+# blocks will be appended to the function's detailed documentation block.
+# The default value is: NO.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation that is typed after a
+# \internal command is included. If the tag is set to NO then the documentation
+# will be excluded. Set it to YES to include the internal documentation.
+# The default value is: NO.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
+# names in lower-case letters. If set to YES, upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+# The default value is: system dependent.
+
+CASE_SENSE_NAMES       = NO
+
+# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
+# their full class and namespace scopes in the documentation. If set to YES, the
+# scope will be hidden.
+# The default value is: NO.
+
+HIDE_SCOPE_NAMES       = NO
+
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
+# the files that are included by a file in the documentation of that file.
+# The default value is: YES.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
+# grouped member an include statement to the documentation, telling the reader
+# which file to include in order to use the member.
+# The default value is: NO.
+
+SHOW_GROUPED_MEMB_INC  = NO
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
+# files with double quotes in the documentation rather than with sharp brackets.
+# The default value is: NO.
+
+FORCE_LOCAL_INCLUDES   = NO
+
+# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
+# documentation for inline members.
+# The default value is: YES.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
+# (detailed) documentation of file and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order.
+# The default value is: YES.
+
+SORT_MEMBER_DOCS       = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
+# descriptions of file, namespace and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order. Note that
+# this will also influence the order of the classes in the class list.
+# The default value is: NO.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the
+# (brief and detailed) documentation of class members so that constructors and
+# destructors are listed first. If set to NO the constructors will appear in the
+# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
+# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
+# member documentation.
+# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
+# detailed member documentation.
+# The default value is: NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy
+# of group names into alphabetical order. If set to NO the group names will
+# appear in their defined order.
+# The default value is: NO.
+
+SORT_GROUP_NAMES       = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
+# fully-qualified names, including namespaces. If set to NO, the class list will
+# be sorted only by class name, not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the alphabetical
+# list.
+# The default value is: NO.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper
+# type resolution of all parameters of a function it will reject a match between
+# the prototype and the implementation of a member function even if there is
+# only one candidate or it is obvious which candidate to choose by doing a
+# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still
+# accept a match between prototype and implementation in such cases.
+# The default value is: NO.
+
+STRICT_PROTO_MATCHING  = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
+# list. This list is created by putting \bug commands in the documentation.
+# The default value is: YES.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
+# the deprecated list. This list is created by putting \deprecated commands in
+# the documentation.
+# The default value is: YES.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional documentation
+# sections, marked by \if <section_label> ... \endif and \cond <section_label>
+# ... \endcond blocks.
+
+ENABLED_SECTIONS       =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
+# initial value of a variable or macro / define can have for it to appear in the
+# documentation. If the initializer consists of more lines than specified here
+# it will be hidden. Use a value of 0 to hide initializers completely. The
+# appearance of the value of individual variables and macros / defines can be
+# controlled using \showinitializer or \hideinitializer command in the
+# documentation regardless of this setting.
+# Minimum value: 0, maximum value: 10000, default value: 30.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
+# The default value is: YES.
+
+SHOW_USED_FILES        = YES
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
+# will remove the Files entry from the Quick Index and from the Folder Tree View
+# (if specified).
+# The default value is: YES.
+
+SHOW_FILES             = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
+# page. This will remove the Namespaces entry from the Quick Index and from the
+# Folder Tree View (if specified).
+# The default value is: YES.
+
+SHOW_NAMESPACES        = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command command input-file, where command is the value of the
+# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
+# by doxygen. Whatever the program writes to standard output is used as the file
+# version. For an example see the documentation.
+
+FILE_VERSION_FILTER    =
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option. You can
+# optionally specify a file name after the option, if omitted DoxygenLayout.xml
+# will be used as the name of the layout file.
+#
+# Note that if you run doxygen from a directory containing a file called
+# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
+# tag is left empty.
+
+LAYOUT_FILE            =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
+# the reference definitions. This must be a list of .bib files. The .bib
+# extension is automatically appended if omitted. This requires the bibtex tool
+# to be installed. See also https://en.wikipedia.org/wiki/BibTeX for more info.
+# For LaTeX the style of the bibliography can be controlled using
+# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
+# search path. See also \cite for info how to create references.
+
+CITE_BIB_FILES         =
+
+#---------------------------------------------------------------------------
+# Configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated to
+# standard output by doxygen. If QUIET is set to YES this implies that the
+# messages are off.
+# The default value is: NO.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
+# this implies that the warnings are on.
+#
+# Tip: Turn warnings on while writing the documentation.
+# The default value is: YES.
+
+WARNINGS               = YES
+
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
+# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
+# will automatically be disabled.
+# The default value is: YES.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some parameters
+# in a documented function, or documenting parameters that don't exist or using
+# markup commands wrongly.
+# The default value is: YES.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
+# are documented, but have no documentation for their parameters or return
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation. If
+# EXTRACT_ALL is set to YES then this flag will automatically be disabled.
+# The default value is: NO.
+
+WARN_NO_PARAMDOC       = NO
+
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR          = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that doxygen
+# can produce. The string should contain the $file, $line, and $text tags, which
+# will be replaced by the file and line number from which the warning originated
+# and the warning text. Optionally the format may contain $version, which will
+# be replaced by the version of the file (if it could be obtained via
+# FILE_VERSION_FILTER)
+# The default value is: $file:$line: $text.
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning and error
+# messages should be written. If left blank the output is written to standard
+# error (stderr).
+
+WARN_LOGFILE           =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag is used to specify the files and/or directories that contain
+# documented source files. You may enter file names like myfile.cpp or
+# directories like /usr/src/myproject. Separate the files or directories with
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
+# Note: If this tag is empty the current directory is searched.
+
+INPUT                  = ./include ./DoxygenMainpage.md
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
+# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
+# documentation (see: https://www.gnu.org/software/libiconv/) for the list of
+# possible encodings.
+# The default value is: UTF-8.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf, *.qsf and *.ice.
+
+FILE_PATTERNS          = *.c \
+                         *.cc \
+                         *.cxx \
+                         *.cpp \
+                         *.c++ \
+                         *.java \
+                         *.ii \
+                         *.ixx \
+                         *.ipp \
+                         *.i++ \
+                         *.inl \
+                         *.idl \
+                         *.ddl \
+                         *.odl \
+                         *.h \
+                         *.hh \
+                         *.hxx \
+                         *.hpp \
+                         *.h++ \
+                         *.cs \
+                         *.d \
+                         *.php \
+                         *.php4 \
+                         *.php5 \
+                         *.phtml \
+                         *.inc \
+                         *.m \
+                         *.markdown \
+                         *.md \
+                         *.mm \
+                         *.dox \
+                         *.py \
+                         *.pyw \
+                         *.f90 \
+                         *.f95 \
+                         *.f03 \
+                         *.f08 \
+                         *.f \
+                         *.for \
+                         *.tcl \
+                         *.vhd \
+                         *.vhdl \
+                         *.ucf \
+                         *.qsf \
+                         *.ice
+
+# The RECURSIVE tag can be used to specify whether or not subdirectories should
+# be searched for input files as well.
+# The default value is: NO.
+
+RECURSIVE              = YES
+
+# The EXCLUDE tag can be used to specify files and/or directories that should be
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+#
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
+
+EXCLUDE                =
+
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
+# from the input.
+# The default value is: NO.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories.
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       =
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories use the pattern */test/*
+
+EXCLUDE_SYMBOLS        =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or directories
+# that contain example code fragments that are included (see the \include
+# command).
+
+EXAMPLE_PATH           =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
+# *.h) to filter out the source-files in the directories. If left blank all
+# files are included.
+
+EXAMPLE_PATTERNS       = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude commands
+# irrespective of the value of the RECURSIVE tag.
+# The default value is: NO.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or directories
+# that contain images that are to be included in the documentation (see the
+# \image command).
+
+IMAGE_PATH             =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command:
+#
+# <filter> <input-file>
+#
+# where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the
+# name of an input file. Doxygen will then use the output that the filter
+# program writes to standard output. If FILTER_PATTERNS is specified, this tag
+# will be ignored.
+#
+# Note that the filter must not add or remove lines; it is applied before the
+# code is scanned, but not when the output code is generated. If lines are added
+# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+INPUT_FILTER           =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form: pattern=filter
+# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
+# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
+# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+FILTER_PATTERNS        =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will also be used to filter the input files that are used for
+# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
+# The default value is: NO.
+
+FILTER_SOURCE_FILES    = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any) and
+# it is also possible to disable source filtering for a specific pattern using
+# *.ext= (so without naming a filter).
+# This tag requires that the tag FILTER_SOURCE_FILES is set to YES.
+
+FILTER_SOURCE_PATTERNS =
+
+# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page
+# (index.html). This can be useful if you have a project on for instance GitHub
+# and want to reuse the introduction page also for the doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
+#---------------------------------------------------------------------------
+# Configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
+# generated. Documented entities will be cross-referenced with these sources.
+#
+# Note: To get rid of all source code in the generated output, make sure that
+# also VERBATIM_HEADERS is set to NO.
+# The default value is: NO.
+
+SOURCE_BROWSER         = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body of functions,
+# classes and enums directly into the documentation.
+# The default value is: NO.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any
+# special comment blocks from generated source code fragments. Normal C, C++ and
+# Fortran comments will always remain visible.
+# The default value is: YES.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
+# entity all documented functions referencing it will be listed.
+# The default value is: NO.
+
+REFERENCED_BY_RELATION = NO
+
+# If the REFERENCES_RELATION tag is set to YES then for each documented function
+# all documented entities called/used by that function will be listed.
+# The default value is: NO.
+
+REFERENCES_RELATION    = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
+# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
+# link to the documentation.
+# The default value is: YES.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
+# source code will show a tooltip with additional information such as prototype,
+# brief description and links to the definition and documentation. Since this
+# will make the HTML file larger and loading of large files a bit slower, you
+# can opt to disable this feature.
+# The default value is: YES.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+SOURCE_TOOLTIPS        = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code will
+# point to the HTML generated by the htags(1) tool instead of doxygen built-in
+# source browser. The htags tool is part of GNU's global source tagging system
+# (see https://www.gnu.org/software/global/global.html). You will need version
+# 4.8.6 or higher.
+#
+# To use it do the following:
+# - Install the latest version of global
+# - Enable SOURCE_BROWSER and USE_HTAGS in the configuration file
+# - Make sure the INPUT points to the root of the source tree
+# - Run doxygen as normal
+#
+# Doxygen will invoke htags (and that will in turn invoke gtags), so these
+# tools must be available from the command line (i.e. in the search path).
+#
+# The result: instead of the source browser generated by doxygen, the links to
+# source code will now point to the output of htags.
+# The default value is: NO.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set the YES then doxygen will generate a
+# verbatim copy of the header file for each class for which an include is
+# specified. Set to NO to disable this.
+# See also: Section \class.
+# The default value is: YES.
+
+VERBATIM_HEADERS       = YES
+
+# If the CLANG_ASSISTED_PARSING tag is set to YES then doxygen will use the
+# clang parser (see: http://clang.llvm.org/) for more accurate parsing at the
+# cost of reduced performance. This can be particularly helpful with template
+# rich C++ code for which doxygen's built-in parser lacks the necessary type
+# information.
+# Note: The availability of this option depends on whether or not doxygen was
+# generated with the -Duse_libclang=ON option for CMake.
+# The default value is: NO.
+
+CLANG_ASSISTED_PARSING = NO
+
+# If clang assisted parsing is enabled you can provide the compiler with command
+# line options that you would normally use when invoking the compiler. Note that
+# the include paths will already be set by doxygen for the files and directories
+# specified with INPUT and INCLUDE_PATH.
+# This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.
+
+CLANG_OPTIONS          =
+
+# If clang assisted parsing is enabled you can provide the clang parser with the
+# path to the compilation database (see:
+# http://clang.llvm.org/docs/HowToSetupToolingForLLVM.html) used when the files
+# were built. This is equivalent to specifying the "-p" option to a clang tool,
+# such as clang-check. These options will then be passed to the parser.
+# Note: The availability of this option depends on whether or not doxygen was
+# generated with the -Duse_libclang=ON option for CMake.
+
+CLANG_DATABASE_PATH    =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
+# compounds will be generated. Enable this if the project contains a lot of
+# classes, structs, unions or interfaces.
+# The default value is: YES.
+
+ALPHABETICAL_INDEX     = YES
+
+# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in
+# which the alphabetical index list will be split.
+# Minimum value: 1, maximum value: 20, default value: 5.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all classes will
+# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
+# can be used to specify a prefix (or a list of prefixes) that should be ignored
+# while generating the index headers.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+IGNORE_PREFIX          =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
+# The default value is: YES.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_OUTPUT            = .
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
+# generated HTML page (for example: .htm, .php, .asp).
+# The default value is: .html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a user-defined HTML header file for
+# each generated HTML page. If the tag is left blank doxygen will generate a
+# standard header.
+#
+# To get valid HTML the header file that includes any scripts and style sheets
+# that doxygen needs, which is dependent on the configuration options used (e.g.
+# the setting GENERATE_TREEVIEW). It is highly recommended to start with a
+# default header using
+# doxygen -w html new_header.html new_footer.html new_stylesheet.css
+# YourConfigFile
+# and then modify the file new_header.html. See also section "Doxygen usage"
+# for information on how to generate the default header that doxygen normally
+# uses.
+# Note: The header is subject to change so you typically have to regenerate the
+# default header when upgrading to a newer version of doxygen. For a description
+# of the possible markers and block names see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_HEADER            =
+
+# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
+# generated HTML page. If the tag is left blank doxygen will generate a standard
+# footer. See HTML_HEADER for more information on how to generate a default
+# footer and what special commands can be used inside the footer. See also
+# section "Doxygen usage" for information on how to generate the default footer
+# that doxygen normally uses.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FOOTER            =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
+# sheet that is used by each HTML page. It can be used to fine-tune the look of
+# the HTML output. If left blank doxygen will generate a default style sheet.
+# See also section "Doxygen usage" for information on how to generate the style
+# sheet that doxygen normally uses.
+# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as
+# it is more robust and this tag (HTML_STYLESHEET) will in the future become
+# obsolete.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_STYLESHEET        =
+
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
+# created by doxygen. Using this option one can overrule certain style aspects.
+# This is preferred over using HTML_STYLESHEET since it does not replace the
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_STYLESHEET  =
+
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that the
+# files will be copied as-is; there are no commands or markers available.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_FILES       =
+
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
+# will adjust the colors in the style sheet and background images according to
+# this color. Hue is specified as an angle on a colorwheel, see
+# https://en.wikipedia.org/wiki/Hue for more information. For instance the value
+# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
+# purple, and 360 is red again.
+# Minimum value: 0, maximum value: 359, default value: 220.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_HUE    = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
+# in the HTML output. For a value of 0 the output will use grayscales only. A
+# value of 255 will produce the most vivid colors.
+# Minimum value: 0, maximum value: 255, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_SAT    = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the
+# luminance component of the colors in the HTML output. Values below 100
+# gradually make the output lighter, whereas values above 100 make the output
+# darker. The value divided by 100 is the actual gamma applied, so 80 represents
+# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not
+# change the gamma.
+# Minimum value: 40, maximum value: 240, default value: 80.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_GAMMA  = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting this
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_TIMESTAMP         = NO
+
+# If the HTML_DYNAMIC_MENUS tag is set to YES then the generated HTML
+# documentation will contain a main index with vertical navigation menus that
+# are dynamically created via Javascript. If disabled, the navigation index will
+# consists of multiple levels of tabs that are statically embedded in every HTML
+# page. Disable this option to support browsers that do not have Javascript,
+# like the Qt help browser.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_DYNAMIC_MENUS     = YES
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries
+# shown in the various tree structured indices initially; the user can expand
+# and collapse entries dynamically later on. Doxygen will expand the tree to
+# such a level that at most the specified number of entries are visible (unless
+# a fully collapsed tree already exceeds this amount). So setting the number of
+# entries 1 will produce a full collapsed tree by default. 0 is a special value
+# representing an infinite number of entries and will result in a full expanded
+# tree by default.
+# Minimum value: 0, maximum value: 9999, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_INDEX_NUM_ENTRIES = 100
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files will be
+# generated that can be used as input for Apple's Xcode 3 integrated development
+# environment (see: https://developer.apple.com/xcode/), introduced with OSX
+# 10.5 (Leopard). To create a documentation set, doxygen will generate a
+# Makefile in the HTML output directory. Running make will produce the docset in
+# that directory and running make install will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
+# startup. See https://developer.apple.com/library/archive/featuredarticles/Doxy
+# genXcode/_index.html for more information.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_DOCSET        = NO
+
+# This tag determines the name of the docset feed. A documentation feed provides
+# an umbrella under which multiple documentation sets from a single provider
+# (such as a company or product suite) can be grouped.
+# The default value is: Doxygen generated docs.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_FEEDNAME        = "Doxygen generated docs"
+
+# This tag specifies a string that should uniquely identify the documentation
+# set bundle. This should be a reverse domain-name style string, e.g.
+# com.mycompany.MyDocSet. Doxygen will append .docset to the name.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_BUNDLE_ID       = org.doxygen.Project
+
+# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
+# The default value is: org.doxygen.Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
+
+# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.
+# The default value is: Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_NAME  = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
+# additional HTML index files: index.hhp, index.hhc, and index.hhk. The
+# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
+# (see: https://www.microsoft.com/en-us/download/details.aspx?id=21138) on
+# Windows.
+#
+# The HTML Help Workshop contains a compiler that can convert all HTML output
+# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
+# files are now used as the Windows 98 help format, and will replace the old
+# Windows help format (.hlp) on all Windows platforms in the future. Compressed
+# HTML files also contain an index, a table of contents, and you can search for
+# words in the documentation. The HTML workshop also contains a viewer for
+# compressed HTML files.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_HTMLHELP      = NO
+
+# The CHM_FILE tag can be used to specify the file name of the resulting .chm
+# file. You can add a path in front of the file if the result should not be
+# written to the html output directory.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_FILE               =
+
+# The HHC_LOCATION tag can be used to specify the location (absolute path
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
+# doxygen will try to run the HTML help compiler on the generated index.hhp.
+# The file has to be specified with full path.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+HHC_LOCATION           =
+
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+GENERATE_CHI           = NO
+
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
+# and project file content.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_INDEX_ENCODING     =
+
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members to
+# the table of contents of the HTML help documentation and to the tree view.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+TOC_EXPAND             = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that
+# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help
+# (.qch) of the generated HTML documentation.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_QHP           = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify
+# the file name of the resulting .qch file. The path specified is relative to
+# the HTML output folder.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QCH_FILE               =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
+# Project output. For more information please see Qt Help Project / Namespace
+# (see: http://doc.qt.io/archives/qt-4.8/qthelpproject.html#namespace).
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_NAMESPACE          = org.doxygen.Project
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
+# Help Project output. For more information please see Qt Help Project / Virtual
+# Folders (see: http://doc.qt.io/archives/qt-4.8/qthelpproject.html#virtual-
+# folders).
+# The default value is: doc.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_VIRTUAL_FOLDER     = doc
+
+# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
+# filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_NAME   =
+
+# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://doc.qt.io/archives/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_ATTRS  =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's filter section matches. Qt Help Project / Filter Attributes (see:
+# http://doc.qt.io/archives/qt-4.8/qthelpproject.html#filter-attributes).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_SECT_FILTER_ATTRS  =
+
+# The QHG_LOCATION tag can be used to specify the location of Qt's
+# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
+# generated .qhp file.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHG_LOCATION           =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
+# generated, together with the HTML files, they form an Eclipse help plugin. To
+# install this plugin and make it available under the help contents menu in
+# Eclipse, the contents of the directory containing the HTML and XML files needs
+# to be copied into the plugins directory of eclipse. The name of the directory
+# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.
+# After copying Eclipse needs to be restarted before the help appears.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_ECLIPSEHELP   = NO
+
+# A unique identifier for the Eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have this
+# name. Each documentation set should have its own identifier.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.
+
+ECLIPSE_DOC_ID         = org.doxygen.Project
+
+# If you want full control over the layout of the generated HTML pages it might
+# be necessary to disable the index and replace it with your own. The
+# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top
+# of each HTML page. A value of NO enables the index and the value YES disables
+# it. Since the tabs in the index contain the same information as the navigation
+# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+DISABLE_INDEX          = NO
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information. If the tag
+# value is set to YES, a side panel will be generated containing a tree-like
+# index structure (just like the one that is generated for HTML Help). For this
+# to work a browser that supports JavaScript, DHTML, CSS and frames is required
+# (i.e. any modern browser). Windows users are probably better off using the
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
+# further fine-tune the look of the index. As an example, the default style
+# sheet generated by doxygen has an example that shows how to put an image at
+# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
+# the same information as the tab index, you could consider setting
+# DISABLE_INDEX to YES when enabling this option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_TREEVIEW      = NO
+
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
+# doxygen will group on one line in the generated HTML documentation.
+#
+# Note that a value of 0 will completely suppress the enum values from appearing
+# in the overview section.
+# Minimum value: 0, maximum value: 20, default value: 4.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used
+# to set the initial width (in pixels) of the frame in which the tree is shown.
+# Minimum value: 0, maximum value: 1500, default value: 250.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+TREEVIEW_WIDTH         = 250
+
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
+# external symbols imported via tag files in a separate window.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+EXT_LINKS_IN_WINDOW    = NO
+
+# Use this tag to change the font size of LaTeX formulas included as images in
+# the HTML documentation. When you change the font size after a successful
+# doxygen run you need to manually remove any form_*.png images from the HTML
+# output directory to force them to be regenerated.
+# Minimum value: 8, maximum value: 50, default value: 10.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_FONTSIZE       = 10
+
+# Use the FORMULA_TRANSPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are not
+# supported properly for IE 6.0, but are supported on all modern browsers.
+#
+# Note that when changing this option you need to delete any form_*.png files in
+# the HTML output directory before the changes have effect.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_TRANSPARENT    = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
+# https://www.mathjax.org) which uses client side Javascript for the rendering
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
+# installed or if you want to formulas look prettier in the HTML output. When
+# enabled you may also need to install MathJax separately and configure the path
+# to it using the MATHJAX_RELPATH option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+USE_MATHJAX            = NO
+
+# When MathJax is enabled you can set the default output format to be used for
+# the MathJax output. See the MathJax site (see:
+# http://docs.mathjax.org/en/latest/output.html) for more details.
+# Possible values are: HTML-CSS (which is slower, but has the best
+# compatibility), NativeMML (i.e. MathML) and SVG.
+# The default value is: HTML-CSS.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_FORMAT         = HTML-CSS
+
+# When MathJax is enabled you need to specify the location relative to the HTML
+# output directory using the MATHJAX_RELPATH option. The destination directory
+# should contain the MathJax.js script. For instance, if the mathjax directory
+# is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax
+# Content Delivery Network so you can quickly see the result without installing
+# MathJax. However, it is strongly recommended to install a local copy of
+# MathJax from https://www.mathjax.org before deployment.
+# The default value is: https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_RELPATH        = https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax
+# extension names that should be enabled during MathJax rendering. For example
+# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_EXTENSIONS     =
+
+# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
+# of code that will be used on startup of the MathJax code. See the MathJax site
+# (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an
+# example see the documentation.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_CODEFILE       =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
+# the HTML output. The underlying search engine uses javascript and DHTML and
+# should work on any modern browser. Note that when using HTML help
+# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)
+# there is already a search function so this one should typically be disabled.
+# For large projects the javascript based search engine can be slow, then
+# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to
+# search using the keyboard; to jump to the search box use <access key> + S
+# (what the <access key> is depends on the OS and browser, but it is typically
+# <CTRL>, <ALT>/<option>, or both). Inside the search box use the <cursor down
+# key> to jump into the search results window, the results can be navigated
+# using the <cursor keys>. Press <Enter> to select an item or <escape> to cancel
+# the search. The filter options can be selected when the cursor is inside the
+# search box by pressing <Shift>+<cursor down>. Also here use the <cursor keys>
+# to select a filter and <Enter> or <escape> to activate or cancel the filter
+# option.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+SEARCHENGINE           = YES
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a web server instead of a web client using Javascript. There
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SERVER_BASED_SEARCH    = NO
+
+# When EXTERNAL_SEARCH tag is enabled doxygen will no longer generate the PHP
+# script for searching. Instead the search results are written to an XML file
+# which needs to be processed by an external indexer. Doxygen will invoke an
+# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
+# search results.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: https://xapian.org/).
+#
+# See the section "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH        = NO
+
+# The SEARCHENGINE_URL should point to a search engine hosted by a web server
+# which will return the search results when EXTERNAL_SEARCH is enabled.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: https://xapian.org/). See the section "External Indexing and
+# Searching" for details.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHENGINE_URL       =
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
+# search data is written to a file for indexing by an external tool. With the
+# SEARCHDATA_FILE tag the name of this file can be specified.
+# The default file is: searchdata.xml.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHDATA_FILE        = searchdata.xml
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the
+# EXTERNAL_SEARCH_ID tag can be used as an identifier for the project. This is
+# useful in combination with EXTRA_SEARCH_MAPPINGS to search through multiple
+# projects and redirect the results back to the right project.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH_ID     =
+
+# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
+# projects other than the one defined by this configuration file, but that are
+# all added to the same external search index. Each project needs to have a
+# unique id set via EXTERNAL_SEARCH_ID. The search mapping then maps the id of
+# to a relative location where the documentation can be found. The format is:
+# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTRA_SEARCH_MAPPINGS  =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
+# The default value is: YES.
+
+GENERATE_LATEX         = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked.
+#
+# Note that when not enabling USE_PDFLATEX the default is latex when enabling
+# USE_PDFLATEX the default is pdflatex and when in the later case latex is
+# chosen this is overwritten by pdflatex. For specific output languages the
+# default can have been set differently, this depends on the implementation of
+# the output language.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_CMD_NAME         =
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate
+# index for LaTeX.
+# Note: This tag is used in the Makefile / make.bat.
+# See also: LATEX_MAKEINDEX_CMD for the part in the generated output file
+# (.tex).
+# The default file is: makeindex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# The LATEX_MAKEINDEX_CMD tag can be used to specify the command name to
+# generate index for LaTeX.
+# Note: This tag is used in the generated output file (.tex).
+# See also: MAKEINDEX_CMD_NAME for the part in the Makefile / make.bat.
+# The default value is: \makeindex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_MAKEINDEX_CMD    = \makeindex
+
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used by the
+# printer.
+# Possible values are: a4 (210 x 297 mm), letter (8.5 x 11 inches), legal (8.5 x
+# 14 inches) and executive (7.25 x 10.5 inches).
+# The default value is: a4.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PAPER_TYPE             = a4
+
+# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
+# If left blank no extra packages will be included.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+EXTRA_PACKAGES         =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
+# generated LaTeX document. The header should contain everything until the first
+# chapter. If it is left blank doxygen will generate a standard header. See
+# section "Doxygen usage" for information on how to let doxygen write the
+# default header to a separate file.
+#
+# Note: Only use a user-defined header if you know what you are doing! The
+# following commands have a special meaning inside the header: $title,
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HEADER           =
+
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
+# generated LaTeX document. The footer should contain everything after the last
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
+#
+# Note: Only use a user-defined footer if you know what you are doing!
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_FOOTER           =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
+
+# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the LATEX_OUTPUT output
+# directory. Note that the files will be copied as-is; there are no commands or
+# markers available.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_FILES      =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
+# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
+# contain links (just like the HTML output) instead of page references. This
+# makes the output suitable for online browsing using a PDF viewer.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PDF_HYPERLINKS         = YES
+
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
+# higher quality PDF documentation.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+USE_PDFLATEX           = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode
+# command to the generated LaTeX files. This will instruct LaTeX to keep running
+# if errors occur, instead of asking the user for help. This option is also used
+# when generating formulas in HTML.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BATCHMODE        = NO
+
+# If the LATEX_HIDE_INDICES tag is set to YES then doxygen will not include the
+# index chapters (such as File Index, Compound Index, etc.) in the output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HIDE_INDICES     = NO
+
+# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source
+# code with syntax highlighting in the LaTeX output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_SOURCE_CODE      = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. See
+# https://en.wikipedia.org/wiki/BibTeX and \cite for more info.
+# The default value is: plain.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BIB_STYLE        = plain
+
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP        = NO
+
+# The LATEX_EMOJI_DIRECTORY tag is used to specify the (relative or absolute)
+# path from which the emoji images will be read. If a relative path is entered,
+# it will be relative to the LATEX_OUTPUT directory. If left blank the
+# LATEX_OUTPUT directory will be used.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EMOJI_DIRECTORY  =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
+# RTF output is optimized for Word 97 and may not look too pretty with other RTF
+# readers/editors.
+# The default value is: NO.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: rtf.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated will
+# contain hyperlink fields. The RTF file will contain links (just like the HTML
+# output) instead of page references. This makes the output suitable for online
+# browsing using Word or some other Word compatible readers that support those
+# fields.
+#
+# Note: WordPad (write) and others do not support links.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# configuration file, i.e. a series of assignments. You only have to provide
+# replacements, missing definitions are set to their default value.
+#
+# See also section "Doxygen usage" for information on how to generate the
+# default style sheet that doxygen normally uses.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_STYLESHEET_FILE    =
+
+# Set optional variables used in the generation of an RTF document. Syntax is
+# similar to doxygen's configuration file. A template extensions file can be
+# generated using doxygen -e rtf extensionFile.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_EXTENSIONS_FILE    =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE        = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
+# classes and files.
+# The default value is: NO.
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it. A directory man3 will be created inside the directory specified by
+# MAN_OUTPUT.
+# The default directory is: man.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to the generated
+# man pages. In case the manual section does not start with a number, the number
+# 3 is prepended. The dot (.) at the beginning of the MAN_EXTENSION tag is
+# optional.
+# The default value is: .3.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_EXTENSION          = .3
+
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR             =
+
+# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
+# will generate one additional man file for each entity documented in the real
+# man page(s). These additional files only source the real man page, but without
+# them the man command would be unable to find the correct page.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
+# captures the structure of the code including all documentation.
+# The default value is: NO.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: xml.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_OUTPUT             = xml
+
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
+# listings (including syntax highlighting and cross-referencing information) to
+# the XML output. Note that enabling this will significantly increase the size
+# of the XML output.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_PROGRAMLISTING     = YES
+
+# If the XML_NS_MEMB_FILE_SCOPE tag is set to YES, doxygen will include
+# namespace members in file scope as well, matching the HTML output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_NS_MEMB_FILE_SCOPE = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the DOCBOOK output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
+# that can be used to generate PDF.
+# The default value is: NO.
+
+GENERATE_DOCBOOK       = NO
+
+# The DOCBOOK_OUTPUT tag is used to specify where the Docbook pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be put in
+# front of it.
+# The default directory is: docbook.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_OUTPUT         = docbook
+
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
+#---------------------------------------------------------------------------
+# Configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sourceforge.net/) file that captures
+# the structure of the code including all documentation. Note that this feature
+# is still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
+# file that captures the structure of the code including all documentation.
+#
+# Note that this feature is still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
+# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
+# output from the Perl module output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
+# formatted so it can be parsed by a human reader. This is useful if you want to
+# understand what is going on. On the other hand, if this tag is set to NO, the
+# size of the Perl module output will be much smaller and Perl will parse it
+# just the same.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file are
+# prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. This is useful
+# so different doxyrules.make files included by the same Makefile don't
+# overwrite each other's variables.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
+# C-preprocessor directives found in the sources and include files.
+# The default value is: YES.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
+# performed. Macro expansion can be done in a controlled way by setting
+# EXPAND_ONLY_PREDEF to YES.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+MACRO_EXPANSION        = YES
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
+# the macro expansion is limited to the macros specified with the PREDEFINED and
+# EXPAND_AS_DEFINED tags.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
+# INCLUDE_PATH will be searched if a #include is found.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by the
+# preprocessor.
+# This tag requires that the tag SEARCH_INCLUDES is set to YES.
+
+INCLUDE_PATH           = 
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will be
+# used.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+INCLUDE_FILE_PATTERNS  =
+
+# The PREDEFINED tag can be used to specify one or more macro names that are
+# defined before the preprocessor is started (similar to the -D option of e.g.
+# gcc). The argument of the tag is a list of macros of the form: name or
+# name=definition (no spaces). If the definition and the "=" are omitted, "=1"
+# is assumed. To prevent a macro definition from being undefined via #undef or
+# recursively expanded use the := operator instead of the = operator.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+PREDEFINED             =
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
+# tag can be used to specify a list of macro names that should be expanded. The
+# macro definition that is found in the sources will be used. Use the PREDEFINED
+# tag if you want to use a different macro definition that overrules the
+# definition found in the source code.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_AS_DEFINED      =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
+# removed.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES tag can be used to specify one or more tag files. For each tag
+# file the location of the external documentation should be added. The format of
+# a tag file without this location is as follows:
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where loc1 and loc2 can be relative or absolute paths or URLs. See the
+# section "Linking to external documentation" for more information about the use
+# of tag files.
+# Note: Each tag file must have a unique name (where the name does NOT include
+# the path). If a tag file is not located in the directory in which doxygen is
+# run, you must also specify the path to the tagfile here.
+
+TAGFILES               =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
+# tag file that is based on the input files it reads. See section "Linking to
+# external documentation" for more information about the usage of tag files.
+
+GENERATE_TAGFILE       =
+
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
+# The default value is: NO.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
+# listed.
+# The default value is: YES.
+
+EXTERNAL_GROUPS        = YES
+
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
+# the related pages index. If set to NO, only the current project's pages will
+# be listed.
+# The default value is: YES.
+
+EXTERNAL_PAGES         = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of 'which perl').
+# The default file (with absolute path) is: /usr/bin/perl.
+
+PERL_PATH              = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
+# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
+# NO turns the diagrams off. Note that this option also works with HAVE_DOT
+# disabled, but it is recommended to install and use dot, since it yields more
+# powerful graphs.
+# The default value is: YES.
+
+CLASS_DIAGRAMS         = YES
+
+# You can define message sequence charts within doxygen comments using the \msc
+# command. Doxygen will then run the mscgen tool (see:
+# http://www.mcternan.me.uk/mscgen/)) to produce the chart and insert it in the
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where
+# the mscgen tool resides. If left empty the tool is assumed to be found in the
+# default search path.
+
+MSCGEN_PATH            =
+
+# You can include diagrams made with dia in doxygen documentation. Doxygen will
+# then run dia to produce the diagram and insert it in the documentation. The
+# DIA_PATH tag allows you to specify the directory where the dia binary resides.
+# If left empty dia is assumed to be found in the default search path.
+
+DIA_PATH               =
+
+# If set to YES the inheritance and collaboration graphs will hide inheritance
+# and usage relations if the target is undocumented or is not a class.
+# The default value is: YES.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz (see:
+# http://www.graphviz.org/), a graph visualization toolkit from AT&T and Lucent
+# Bell Labs. The other options in this section have no effect if this option is
+# set to NO
+# The default value is: NO.
+
+HAVE_DOT               = YES
+
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
+# to run in parallel. When set to 0 doxygen will base this on the number of
+# processors available in the system. You can set it explicitly to a value
+# larger than 0 to get control over the balance between CPU load and processing
+# speed.
+# Minimum value: 0, maximum value: 32, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_NUM_THREADS        = 0
+
+# When you want a differently looking font in the dot files that doxygen
+# generates you can specify the font name using DOT_FONTNAME. You need to make
+# sure dot is able to find the font, which can be done by putting it in a
+# standard location or by setting the DOTFONTPATH environment variable or by
+# setting DOT_FONTPATH to the directory containing the font.
+# The default value is: Helvetica.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTNAME           = Helvetica
+
+# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
+# dot graphs.
+# Minimum value: 4, maximum value: 24, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTSIZE           = 10
+
+# By default doxygen will tell dot to use the default font as specified with
+# DOT_FONTNAME. If you specify a different font using DOT_FONTNAME you can set
+# the path where dot can find it using this tag.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTPATH           =
+
+# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
+# each documented class showing the direct and indirect inheritance relations.
+# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH tag is set to YES then doxygen will generate a
+# graph for each documented class showing the direct and indirect implementation
+# dependencies (inheritance, containment, and class references variables) of the
+# class with other documented classes.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+COLLABORATION_GRAPH    = NO
+
+# If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for
+# groups, showing the direct groups dependencies.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LOOK               = YES
+
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside the
+# class node. If there are many fields or methods and many nodes the graph may
+# become too big to be useful. The UML_LIMIT_NUM_FIELDS threshold limits the
+# number of items for each type to make the size more manageable. Set this to 0
+# for no limit. Note that the threshold may be exceeded by 50% before the limit
+# is enforced. So when you set the threshold to 10, up to 15 fields may appear,
+# but if the number exceeds 15, the total amount of fields shown is limited to
+# 10.
+# Minimum value: 0, maximum value: 100, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LIMIT_NUM_FIELDS   = 10
+
+# If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and
+# collaboration graphs will show the relations between templates and their
+# instances.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the INCLUDE_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are set to
+# YES then doxygen will generate a graph for each documented file showing the
+# direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDE_GRAPH          = YES
+
+# If the INCLUDED_BY_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are
+# set to YES then doxygen will generate a graph for each documented file showing
+# the direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH tag is set to YES then doxygen will generate a call
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable call graphs for selected
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALL_GRAPH             = YES
+
+# If the CALLER_GRAPH tag is set to YES then doxygen will generate a caller
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable caller graphs for selected
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALLER_GRAPH           = YES
+
+# If the GRAPHICAL_HIERARCHY tag is set to YES then doxygen will graphical
+# hierarchy of all classes instead of a textual one.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH tag is set to YES then doxygen will show the
+# dependencies a directory has on other directories in a graphical way. The
+# dependency relations are determined by the #include relations between the
+# files in the directories.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
+# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
+# to make the SVG files visible in IE 9+ (other browsers do not have this
+# requirement).
+# Possible values are: png, jpg, gif, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
+# The default value is: png.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_IMAGE_FORMAT       = png
+
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+#
+# Note that this requires a modern browser other than Internet Explorer. Tested
+# and working are Firefox, Chrome, Safari, and Opera.
+# Note: For IE 9+ you need to set HTML_FILE_EXTENSION to xhtml in order to make
+# the SVG files visible. Older versions of IE do not have SVG support.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INTERACTIVE_SVG        = NO
+
+# The DOT_PATH tag can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_PATH               = $(DOT_PATH)
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the \dotfile
+# command).
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOTFILE_DIRS           =
+
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the \mscfile
+# command).
+
+MSCFILE_DIRS           =
+
+# The DIAFILE_DIRS tag can be used to specify one or more directories that
+# contain dia files that are included in the documentation (see the \diafile
+# command).
+
+DIAFILE_DIRS           =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH      =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE      =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH  =
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
+# that will be shown in the graph. If the number of nodes in a graph becomes
+# larger than this value, doxygen will truncate the graph, which is visualized
+# by representing a node as a red box. Note that doxygen if the number of direct
+# children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note that
+# the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+# Minimum value: 0, maximum value: 10000, default value: 50.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the graphs
+# generated by dot. A depth value of 3 means that only nodes reachable from the
+# root by following a path via at most 3 edges will be shown. Nodes that lay
+# further from the root node will be omitted. Note that setting this option to 1
+# or 2 may greatly reduce the computation time needed for large code bases. Also
+# note that the size of a graph can be further restricted by
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+# Minimum value: 0, maximum value: 1000, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is disabled by default, because dot on Windows does not seem
+# to support this out of the box.
+#
+# Warning: Depending on the platform used, enabling this option may lead to
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
+# read).
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_TRANSPARENT        = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10) support
+# this, this feature is disabled by default.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page
+# explaining the meaning of the various boxes and arrows in the dot generated
+# graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
+# files that are used to generate the various graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_CLEANUP            = YES
diff --git a/ctrtool/deps/libtoolchain/DoxygenMainpage.md b/ctrtool/deps/libtoolchain/DoxygenMainpage.md
new file mode 100644
index 00000000..fbee7502
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/DoxygenMainpage.md
@@ -0,0 +1,3 @@
+# libtoolchain - API Reference	{#mainpage}
+Notice: __This API is currently under development and is subject to change without notice.__
+
diff --git a/ctrtool/deps/libtoolchain/LICENSE b/ctrtool/deps/libtoolchain/LICENSE
new file mode 100644
index 00000000..aa9bcfd4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/LICENSE
@@ -0,0 +1,20 @@
+libtoolchain
+Copyright (c) 2019-2020 Jack (jakcron)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/README.md b/ctrtool/deps/libtoolchain/README.md
new file mode 100644
index 00000000..4221652e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/README.md
@@ -0,0 +1,46 @@
+# libtoolchain - Toolchain Development Library
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE)
+![Language](https://img.shields.io/badge/langauge-c++11-blue.svg)
+![Platform](https://img.shields.io/badge/platform-linux:%20x86__64,%20i386%20%7C%20win:%20x86__64,%20i386%20%7C%20macos:%20x86__64,%20arm64-lightgrey.svg)
+
+![Version](https://img.shields.io/badge/version-0.5.0%20%7C%20prerelease-green.svg)
+
+Library to ease the development of toolchain applications.
+
+This library helps with the busy work that is common to many toolchain development projects including:
+* Cross platform support (macOS/Windows/GNU)
+* Unicode entry-point (`umain()`)
+* Command-line option processing
+* Formating binary data for command-line output
+* Cross platform FileSystem IO with large file support for both 32bit & 64bit targets and unicode path support
+* String transcoding (UTF-8/UTF-16/UTF-32)
+* Extensible abstractions for generating and processing binary data
+* Properly integrated wrappers for Cryptographic Algorithms (AES, RSA, SHA, HMAC, PBKDF1/PBKDF2, PRBG)
+
+Planned features:
+* Serialisation of human readable formats (XML, JSON, YAML, INI, CSV, etc)
+* Properly integrated wrappers for Cryptographic Algorithms (Eliptic Curve, etc)
+* Properly integrated wrappers for Compression Algorithms (LZ4, etc)
+
+
+# File tree
+* `bin/` - Compiled binaries
+* `build/visualstudio/` - Visual Studio Project files
+* `docs/` - Doxygen Generated API Documentation
+* `include/` - Public headers
+* `src/` - Library source code & private headers
+* `test/` - Test program source code
+* `Makefile` - Root makefile (GNU/Unix build system file)
+* `LICENCE` - Distribution License 
+* `Doxyfile` -  Doxygen config
+
+# Building
+For GNU/unix systems `make` can be used. For native Windows, Visual Studio project files are provided.
+
+See more [here](./BUILDING.md).
+
+# Documentation
+The documentation is available at docs/index.html. Or alternatively at https://jakcron.github.io/libtoolchain.
+
+# License 
+This source code is made available under the [MIT license](./LICENSE).
diff --git a/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj
new file mode 100644
index 00000000..31c653ea
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj
@@ -0,0 +1,325 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>15.0</VCProjectVersion>
+    <ProjectGuid>{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}</ProjectGuid>
+    <RootNamespace>libtoolchaintest</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj">
+      <Project>{7a7c66f3-2b5b-4e23-85d8-2a74fedad92c}</Project>
+    </ProjectReference>
+    <ProjectReference Include="..\..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj">
+      <Project>{f4b0540e-0aae-4006-944b-356944ef61fa}</Project>
+    </ProjectReference>
+    <ProjectReference Include="..\libtoolchain\libtoolchain.vcxproj">
+      <Project>{e194e4b8-1482-40a2-901b-75d4387822e9}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\test\bn_binaryutils_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteBEBitBE_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteBEBitLE_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteLEBitBE_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteLEBitLE_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\bn_endian_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\bn_pad_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\bn_string_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\ByteData_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\cli_FormatUtil_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\cli_OptionParser_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes128CbcEncryptedStream_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes128CbcEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes128CtrEncryptedStream_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes128CtrEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes128EcbEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes128Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes128XtsEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes192CbcEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes192CtrEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes192EcbEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes192Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes256CbcEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes256CtrEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes256EcbEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes256Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Aes256XtsEncryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_HmacMd5Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_HmacSha1Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_HmacSha256Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_HmacSha512Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Md5Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf1Md5KeyDeriver_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf1Sha1KeyDeriver_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf2Sha1KeyDeriver_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf2Sha256KeyDeriver_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf2Sha512KeyDeriver_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_PseudoRandomByteGenerator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024OaepSha256Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Md5Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha1Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha256Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha512Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024PssSha256Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024PssSha512Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048OaepSha256Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048OaepSha512Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Md5Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha1Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha256Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha512Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048PssSha256Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048PssSha512Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096OaepSha256Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096OaepSha512Encryptor_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Md5Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha1Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha256Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha512Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096PssSha256Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096PssSha512Signer_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Sha1Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Sha256Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\crypto_Sha512Generator_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\Optional_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\PbkdfUtil.cpp" />
+    <ClCompile Include="..\..\..\test\RsaOaepUtil.cpp" />
+    <ClCompile Include="..\..\..\test\RsaPkcs1Util.cpp" />
+    <ClCompile Include="..\..\..\test\RsaPssUtil.cpp" />
+    <ClCompile Include="..\..\..\test\SinkTestUtil.cpp" />
+    <ClCompile Include="..\..\..\test\SourceTestUtil.cpp" />
+    <ClCompile Include="..\..\..\test\FileSystemTestUtil.cpp" />
+    <ClCompile Include="..\..\..\test\StreamTestUtil.cpp" />
+    <ClCompile Include="..\..\..\test\io_BasicPathResolver_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_ConcatenatedStream_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_FileStream_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_LocalFileSystem_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_MemorySource_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_MemoryStream_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_OverlayedSource_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_PaddingSource_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_Path_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_StreamSink_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_StreamSource_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_SubSink_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_SubSource_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_SubFileSystem_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_SubStream_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\io_VirtualFileSystem_TestClass.cpp" />
+    <ClCompile Include="..\..\..\test\main.cpp" />
+    <ClCompile Include="..\..\..\test\string_TranscodeUtil_TestClass.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\test\bn_binaryutils_TestClass.h" />
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteBEBitBE_TestClass.h" />
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteBEBitLE_TestClass.h" />
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteLEBitBE_TestClass.h" />
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteLEBitLE_TestClass.h" />
+    <ClInclude Include="..\..\..\test\bn_endian_TestClass.h" />
+    <ClInclude Include="..\..\..\test\bn_pad_TestClass.h" />
+    <ClInclude Include="..\..\..\test\bn_string_TestClass.h" />
+    <ClInclude Include="..\..\..\test\ByteData_TestClass.h" />
+    <ClInclude Include="..\..\..\test\cli_FormatUtil_TestClass.h" />
+    <ClInclude Include="..\..\..\test\cli_OptionParser_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes128CbcEncryptedStream_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes128CbcEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes128CtrEncryptedStream_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes128CtrEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes128EcbEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes128Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes128XtsEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes192CbcEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes192CtrEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes192EcbEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes192Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes256CbcEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes256CtrEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes256EcbEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes256Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Aes256XtsEncryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_HmacMd5Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_HmacSha1Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_HmacSha256Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_HmacSha512Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Md5Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf1Md5KeyDeriver_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf1Sha1KeyDeriver_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf2Sha1KeyDeriver_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf2Sha256KeyDeriver_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf2Sha512KeyDeriver_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_PseudoRandomByteGenerator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024OaepSha256Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Md5Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024PssSha256Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024PssSha512Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048OaepSha256Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048OaepSha512Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Md5Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048PssSha256Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048PssSha512Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096OaepSha256Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096OaepSha512Encryptor_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Md5Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096PssSha256Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096PssSha512Signer_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Sha1Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Sha256Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\crypto_Sha512Generator_TestClass.h" />
+    <ClInclude Include="..\..\..\test\ITestClass.h" />
+    <ClInclude Include="..\..\..\test\Optional_TestClass.h" />
+    <ClInclude Include="..\..\..\test\PbkdfUtil.h" />
+    <ClInclude Include="..\..\..\test\RsaOaepUtil.h" />
+    <ClInclude Include="..\..\..\test\RsaPkcs1Util.h" />
+    <ClInclude Include="..\..\..\test\RsaPssUtil.h" />
+    <ClInclude Include="..\..\..\test\SinkTestUtil.h" />
+    <ClInclude Include="..\..\..\test\SourceTestUtil.h" />
+    <ClInclude Include="..\..\..\test\FileSystemTestUtil.h" />
+    <ClInclude Include="..\..\..\test\StreamTestUtil.h" />
+    <ClInclude Include="..\..\..\test\io_BasicPathResolver_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_ConcatenatedStream_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_FileStream_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_LocalFileSystem_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_MemorySource_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_MemoryStream_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_OverlayedSource_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_PaddingSource_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_Path_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_StreamSink_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_StreamSource_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_SubSink_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_SubSource_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_SubFileSystem_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_SubStream_TestClass.h" />
+    <ClInclude Include="..\..\..\test\io_VirtualFileSystem_TestClass.h" />
+    <ClInclude Include="..\..\..\test\string_TranscodeUtil_TestClass.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj.filters b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj.filters
new file mode 100644
index 00000000..d80162fb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain-test/libtoolchain-test.vcxproj.filters
@@ -0,0 +1,567 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\test\ByteData_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\Optional_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\SinkTestUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\SourceTestUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\FileSystemTestUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\StreamTestUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_FileStream_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_LocalFileSystem_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_MemorySource_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_MemoryStream_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_OverlayedSource_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_PaddingSource_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_Path_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_StreamSink_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_StreamSource_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_SubSink_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_SubSource_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_SubFileSystem_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_SubStream_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\string_TranscodeUtil_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\cli_FormatUtil_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes128CbcEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes128CtrEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes128EcbEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes128Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes128XtsEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes192CbcEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes192CtrEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes192EcbEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes192Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes256CbcEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes256CtrEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes256EcbEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes256Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes256XtsEncryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_HmacMd5Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_HmacSha1Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_HmacSha256Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_HmacSha512Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Md5Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf1Md5KeyDeriver_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf1Sha1KeyDeriver_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf2Sha1KeyDeriver_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf2Sha256KeyDeriver_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Pbkdf2Sha512KeyDeriver_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_PseudoRandomByteGenerator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024OaepSha256Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Md5Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha1Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha256Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha512Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024PssSha256Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa1024PssSha512Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048OaepSha256Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048OaepSha512Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Md5Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha1Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha256Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha512Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048PssSha256Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa2048PssSha512Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096OaepSha256Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096OaepSha512Encryptor_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Md5Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha1Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha256Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha512Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096PssSha256Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Rsa4096PssSha512Signer_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Sha1Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Sha256Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Sha512Generator_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\PbkdfUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\RsaOaepUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\RsaPkcs1Util.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\RsaPssUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteBEBitBE_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteBEBitLE_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteLEBitBE_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_bitarrayByteLEBitLE_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_endian_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\cli_OptionParser_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_binaryutils_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_pad_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\bn_string_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes128CbcEncryptedStream_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\crypto_Aes128CtrEncryptedStream_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_VirtualFileSystem_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_BasicPathResolver_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\test\io_ConcatenatedStream_TestClass.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\test\ByteData_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\ITestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\Optional_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\SinkTestUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\SourceTestUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\FileSystemTestUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\StreamTestUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_FileStream_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_LocalFileSystem_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_MemorySource_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_MemoryStream_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_OverlayedSource_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_PaddingSource_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_Path_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_StreamSink_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_StreamSource_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_SubSink_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_SubSource_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_SubFileSystem_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_SubStream_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\string_TranscodeUtil_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\cli_FormatUtil_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes128CbcEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes128CtrEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes128EcbEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes128Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes128XtsEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes192CbcEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes192CtrEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes192EcbEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes192Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes256CbcEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes256CtrEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes256EcbEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes256Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes256XtsEncryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_HmacMd5Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_HmacSha1Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_HmacSha256Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_HmacSha512Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Md5Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf1Md5KeyDeriver_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf1Sha1KeyDeriver_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf2Sha1KeyDeriver_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf2Sha256KeyDeriver_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Pbkdf2Sha512KeyDeriver_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_PseudoRandomByteGenerator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024OaepSha256Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Md5Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024PssSha256Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa1024PssSha512Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048OaepSha256Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048OaepSha512Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Md5Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048PssSha256Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa2048PssSha512Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096OaepSha256Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096OaepSha512Encryptor_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Md5Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096PssSha256Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Rsa4096PssSha512Signer_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Sha1Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Sha256Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Sha512Generator_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\PbkdfUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\RsaOaepUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\RsaPkcs1Util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\RsaPssUtil.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteBEBitBE_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteBEBitLE_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteLEBitBE_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_bitarrayByteLEBitLE_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_endian_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\cli_OptionParser_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_binaryutils_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_pad_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\bn_string_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes128CbcEncryptedStream_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\crypto_Aes128CtrEncryptedStream_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_VirtualFileSystem_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_BasicPathResolver_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\test\io_ConcatenatedStream_TestClass.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain.sln b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain.sln
new file mode 100644
index 00000000..ae055b59
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain.sln
@@ -0,0 +1,64 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28010.2036
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libtoolchain", "libtoolchain\libtoolchain.vcxproj", "{E194E4B8-1482-40A2-901B-75D4387822E9}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libtoolchain-test", "libtoolchain-test\libtoolchain-test.vcxproj", "{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}"
+	ProjectSection(ProjectDependencies) = postProject
+		{E194E4B8-1482-40A2-901B-75D4387822E9} = {E194E4B8-1482-40A2-901B-75D4387822E9}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libmbedtls", "..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj", "{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libfmt", "..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj", "{F4B0540E-0AAE-4006-944B-356944EF61FA}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.ActiveCfg = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x64.Build.0 = Debug|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.ActiveCfg = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Debug|x86.Build.0 = Debug|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.ActiveCfg = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x64.Build.0 = Release|x64
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.ActiveCfg = Release|Win32
+		{E194E4B8-1482-40A2-901B-75D4387822E9}.Release|x86.Build.0 = Release|Win32
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Debug|x64.ActiveCfg = Debug|x64
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Debug|x64.Build.0 = Debug|x64
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Debug|x86.ActiveCfg = Debug|Win32
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Debug|x86.Build.0 = Debug|Win32
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Release|x64.ActiveCfg = Release|x64
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Release|x64.Build.0 = Release|x64
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Release|x86.ActiveCfg = Release|Win32
+		{12EFBD9F-6A4F-4B2C-AFCA-165A64CC2B45}.Release|x86.Build.0 = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.ActiveCfg = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.Build.0 = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.ActiveCfg = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.Build.0 = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.ActiveCfg = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.Build.0 = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.ActiveCfg = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.Build.0 = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.ActiveCfg = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x64.Build.0 = Debug|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.ActiveCfg = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Debug|x86.Build.0 = Debug|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.ActiveCfg = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x64.Build.0 = Release|x64
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.ActiveCfg = Release|Win32
+		{F4B0540E-0AAE-4006-944B-356944EF61FA}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {038AC70A-3947-464C-A5F7-F68A5BB31D1A}
+	EndGlobalSection
+EndGlobal
diff --git a/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj
new file mode 100644
index 00000000..c2b6dfc3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj
@@ -0,0 +1,350 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>15.0</VCProjectVersion>
+    <ProjectGuid>{E194E4B8-1482-40A2-901B-75D4387822E9}</ProjectGuid>
+    <RootNamespace>libtoolchain</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(SolutionDir)..\..\deps\libmbedtls\include;$(SolutionDir)..\..\deps\libfmt\include;$(ProjectDir)..\..\..\include</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\tc\AccessViolationException.h" />
+    <ClInclude Include="..\..\..\include\tc\ArgumentException.h" />
+    <ClInclude Include="..\..\..\include\tc\ArgumentNullException.h" />
+    <ClInclude Include="..\..\..\include\tc\ArgumentOutOfRangeException.h" />
+    <ClInclude Include="..\..\..\include\tc\ArithmeticException.h" />
+    <ClInclude Include="..\..\..\include\tc\ByteData.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CbcEncryptedStream.h" />
+    <ClInclude Include="..\..\..\include\tc\Exception.h" />
+    <ClInclude Include="..\..\..\include\tc\InvalidOperationException.h" />
+    <ClInclude Include="..\..\..\include\tc\NotImplementedException.h" />
+    <ClInclude Include="..\..\..\include\tc\NotSupportedException.h" />
+    <ClInclude Include="..\..\..\include\tc\ObjectDisposedException.h" />
+    <ClInclude Include="..\..\..\include\tc\Optional.h" />
+    <ClInclude Include="..\..\..\include\tc\OutOfMemoryException.h" />
+    <ClInclude Include="..\..\..\include\tc\OverflowException.h" />
+    <ClInclude Include="..\..\..\include\tc\PlatformErrorHandlingUtil.h" />
+    <ClInclude Include="..\..\..\include\tc\ResourceStatus.h" />
+    <ClInclude Include="..\..\..\include\tc\string\detail\utf16.h" />
+    <ClInclude Include="..\..\..\include\tc\string\detail\utf8.h" />
+    <ClInclude Include="..\..\..\include\tc\UnauthorisedAccessException.h" />
+    <ClInclude Include="..\..\..\include\tc\bn\binary_utils.h" />
+    <ClInclude Include="..\..\..\include\tc\bn\bitarray.h" />
+    <ClInclude Include="..\..\..\include\tc\bn\endian_types.h" />
+    <ClInclude Include="..\..\..\include\tc\bn\pad.h" />
+    <ClInclude Include="..\..\..\include\tc\bn\string.h" />
+    <ClInclude Include="..\..\..\include\tc\bn.h" />
+    <ClInclude Include="..\..\..\include\tc\cli\FormatUtil.h" />
+    <ClInclude Include="..\..\..\include\tc\cli\OptionParser.h" />
+    <ClInclude Include="..\..\..\include\tc\cli.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CbcEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CtrEncryptedStream.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CtrEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128EcbEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128XtsEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes192CbcEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes192CtrEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes192EcbEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256CbcEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256CtrEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256EcbEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256XtsEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\AesEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\CbcEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\CryptoException.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\CtrEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\EcbEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacGenerator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacMd5Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacSha1Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacSha256Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacSha512Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Md5Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf1KeyDeriver.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf1Md5KeyDeriver.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf1Sha1KeyDeriver.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2KeyDeriver.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2Sha1KeyDeriver.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2Sha256KeyDeriver.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2Sha512KeyDeriver.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\PseudoRandomByteGenerator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaKey.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaKeyGenerator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaOaepEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaOaepSha256Encryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaOaepSha512Encryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Md5Signer.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Sha1Signer.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Sha256Signer.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Sha512Signer.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Signer.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPssSha256Signer.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPssSha512Signer.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPssSigner.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Sha1Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Sha256Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\Sha512Generator.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\XtsEncryptor.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\AesImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\BlockUtilImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\CbcModeImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\CtrModeImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\EcbModeImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\HmacImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Md5Impl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Pbkdf1Impl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Pbkdf2Impl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\PrbgImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaKeyGeneratorImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaOaepPadding.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaPkcs1Padding.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaPssPadding.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Sha1Impl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Sha2Impl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\XtsModeImpl.h" />
+    <ClInclude Include="..\..\..\include\tc\crypto.h" />
+    <ClInclude Include="..\..\..\include\tc\io\BasicPathResolver.h" />
+    <ClInclude Include="..\..\..\include\tc\io\ConcatenatedStream.h" />
+    <ClInclude Include="..\..\..\include\tc\io\DirectoryNotEmptyException.h" />
+    <ClInclude Include="..\..\..\include\tc\io\DirectoryNotFoundException.h" />
+    <ClInclude Include="..\..\..\include\tc\io\FileAccess.h" />
+    <ClInclude Include="..\..\..\include\tc\io\FileExistsException.h" />
+    <ClInclude Include="..\..\..\include\tc\io\FileMode.h" />
+    <ClInclude Include="..\..\..\include\tc\io\FileNotFoundException.h" />
+    <ClInclude Include="..\..\..\include\tc\io\FileStream.h" />
+    <ClInclude Include="..\..\..\include\tc\io\IOException.h" />
+    <ClInclude Include="..\..\..\include\tc\io\IOUtil.h" />
+    <ClInclude Include="..\..\..\include\tc\io\IPathResolver.h" />
+    <ClInclude Include="..\..\..\include\tc\io\IPortablePathResolver.h" />
+    <ClInclude Include="..\..\..\include\tc\io\IReadableSink.h" />
+    <ClInclude Include="..\..\..\include\tc\io\ISink.h" />
+    <ClInclude Include="..\..\..\include\tc\io\ISource.h" />
+    <ClInclude Include="..\..\..\include\tc\io\IFileSystem.h" />
+    <ClInclude Include="..\..\..\include\tc\io\IStream.h" />
+    <ClInclude Include="..\..\..\include\tc\io\LocalFileSystem.h" />
+    <ClInclude Include="..\..\..\include\tc\io\MemorySource.h" />
+    <ClInclude Include="..\..\..\include\tc\io\MemoryStream.h" />
+    <ClInclude Include="..\..\..\include\tc\io\OverlayedSource.h" />
+    <ClInclude Include="..\..\..\include\tc\io\PaddingSource.h" />
+    <ClInclude Include="..\..\..\include\tc\io\Path.h" />
+    <ClInclude Include="..\..\..\include\tc\io\PathTooLongException.h" />
+    <ClInclude Include="..\..\..\include\tc\io\PathUtil.h" />
+    <ClInclude Include="..\..\..\include\tc\io\SeekOrigin.h" />
+    <ClInclude Include="..\..\..\include\tc\io\StreamSink.h" />
+    <ClInclude Include="..\..\..\include\tc\io\StreamSource.h" />
+    <ClInclude Include="..\..\..\include\tc\io\StreamUtil.h" />
+    <ClInclude Include="..\..\..\include\tc\io\SubSink.h" />
+    <ClInclude Include="..\..\..\include\tc\io\SubSource.h" />
+    <ClInclude Include="..\..\..\include\tc\io\SubFileSystem.h" />
+    <ClInclude Include="..\..\..\include\tc\io\SubStream.h" />
+    <ClInclude Include="..\..\..\include\tc\io\VirtualFileSystem.h" />
+    <ClInclude Include="..\..\..\include\tc\io.h" />
+    <ClInclude Include="..\..\..\include\tc\os\Environment.h" />
+    <ClInclude Include="..\..\..\include\tc\os\UnicodeMain.h" />
+    <ClInclude Include="..\..\..\include\tc\os.h" />
+    <ClInclude Include="..\..\..\include\tc\string\TranscodeUtil.h" />
+    <ClInclude Include="..\..\..\include\tc\string.h" />
+    <ClInclude Include="..\..\..\include\tc\types.h" />
+    <ClInclude Include="..\..\..\include\tc.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\ByteData.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes128CbcEncryptedStream.cpp" />
+    <ClCompile Include="..\..\..\src\Exception.cpp" />
+    <ClCompile Include="..\..\..\src\PlatformErrorHandlingUtil.cpp" />
+    <ClCompile Include="..\..\..\src\cli\FormatUtil.cpp" />
+    <ClCompile Include="..\..\..\src\cli\OptionParser.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes128CbcEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes128CtrEncryptedStream.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes128CtrEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes128EcbEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes128XtsEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes192CbcEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes192CtrEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes192EcbEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes256CbcEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes256CtrEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes256EcbEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Aes256XtsEncryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\HmacMd5Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\HmacSha1Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\HmacSha256Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\HmacSha512Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Md5Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf1Md5KeyDeriver.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf1Sha1KeyDeriver.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf2Sha1KeyDeriver.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf2Sha256KeyDeriver.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf2Sha512KeyDeriver.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\PseudoRandomByteGenerator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaKey.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaKeyGenerator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaOaepSha256Encryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaOaepSha512Encryptor.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Md5Signer.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Sha1Signer.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Sha256Signer.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Sha512Signer.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaPssSha256Signer.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\RsaPssSha512Signer.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Sha1Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Sha256Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\Sha512Generator.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\detail\AesImpl.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\detail\Md5Impl.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\detail\PrbgImpl.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\detail\RsaImpl.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\detail\RsaKeyGeneratorImpl.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\detail\Sha1Impl.cpp" />
+    <ClCompile Include="..\..\..\src\crypto\detail\Sha2Impl.cpp" />
+    <ClCompile Include="..\..\..\src\io\BasicPathResolver.cpp" />
+    <ClCompile Include="..\..\..\src\io\ConcatenatedStream.cpp" />
+    <ClCompile Include="..\..\..\src\io\FileStream.cpp" />
+    <ClCompile Include="..\..\..\src\io\IOUtil.cpp" />
+    <ClCompile Include="..\..\..\src\io\LocalFileSystem.cpp" />
+    <ClCompile Include="..\..\..\src\io\MemorySource.cpp" />
+    <ClCompile Include="..\..\..\src\io\MemoryStream.cpp" />
+    <ClCompile Include="..\..\..\src\io\OverlayedSource.cpp" />
+    <ClCompile Include="..\..\..\src\io\PaddingSource.cpp" />
+    <ClCompile Include="..\..\..\src\io\Path.cpp" />
+    <ClCompile Include="..\..\..\src\io\PathUtil.cpp" />
+    <ClCompile Include="..\..\..\src\io\StreamSink.cpp" />
+    <ClCompile Include="..\..\..\src\io\StreamSource.cpp" />
+    <ClCompile Include="..\..\..\src\io\StreamUtil.cpp" />
+    <ClCompile Include="..\..\..\src\io\SubSink.cpp" />
+    <ClCompile Include="..\..\..\src\io\SubSource.cpp" />
+    <ClCompile Include="..\..\..\src\io\SubFileSystem.cpp" />
+    <ClCompile Include="..\..\..\src\io\SubStream.cpp" />
+    <ClCompile Include="..\..\..\src\io\VirtualFileSystem.cpp" />
+    <ClCompile Include="..\..\..\src\os\Environment.cpp" />
+    <ClCompile Include="..\..\..\src\string\TranscodeUtil.cpp" />
+    <ClCompile Include="..\..\..\src\types.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libmbedtls\build\visualstudio\libmbedtls\libmbedtls.vcxproj">
+      <Project>{7a7c66f3-2b5b-4e23-85d8-2a74fedad92c}</Project>
+    </ProjectReference>
+    <ProjectReference Include="$(SolutionDir)..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj">
+      <Project>{f4b0540e-0aae-4006-944b-356944ef61fa}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj.filters b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj.filters
new file mode 100644
index 00000000..b1ed7ad3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/build/visualstudio/libtoolchain/libtoolchain.vcxproj.filters
@@ -0,0 +1,690 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\ByteData.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\Exception.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\PlatformErrorHandlingUtil.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\types.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cli\FormatUtil.cpp">
+      <Filter>Source Files\cli</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cli\OptionParser.cpp">
+      <Filter>Source Files\cli</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes128CbcEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes128CtrEncryptedStream.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes128CtrEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes128EcbEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes128XtsEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes192CbcEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes192CtrEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes192EcbEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes256CbcEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes256CtrEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes256EcbEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes256XtsEncryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\HmacMd5Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\HmacSha1Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\HmacSha256Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\HmacSha512Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf1Md5KeyDeriver.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf1Sha1KeyDeriver.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf2Sha1KeyDeriver.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf2Sha256KeyDeriver.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Pbkdf2Sha512KeyDeriver.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Md5Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\PseudoRandomByteGenerator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaKey.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaKeyGenerator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaOaepSha256Encryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaOaepSha512Encryptor.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Md5Signer.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Sha256Signer.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Sha1Signer.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaPkcs1Sha512Signer.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaPssSha256Signer.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Sha1Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\RsaPssSha512Signer.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Sha256Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Sha512Generator.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\detail\AesImpl.cpp">
+      <Filter>Source Files\crypto\detail</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\detail\Md5Impl.cpp">
+      <Filter>Source Files\crypto\detail</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\detail\PrbgImpl.cpp">
+      <Filter>Source Files\crypto\detail</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\detail\RsaImpl.cpp">
+      <Filter>Source Files\crypto\detail</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\detail\RsaKeyGeneratorImpl.cpp">
+      <Filter>Source Files\crypto\detail</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\detail\Sha1Impl.cpp">
+      <Filter>Source Files\crypto\detail</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\detail\Sha2Impl.cpp">
+      <Filter>Source Files\crypto\detail</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\BasicPathResolver.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\FileStream.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\ConcatenatedStream.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\IOUtil.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\LocalFileSystem.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\MemorySource.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\MemoryStream.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\OverlayedSource.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\PaddingSource.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\Path.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\PathUtil.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\StreamSink.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\StreamSource.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\StreamUtil.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\SubSink.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\SubSource.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\SubFileSystem.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\SubStream.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\io\VirtualFileSystem.cpp">
+      <Filter>Source Files\io</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\os\Environment.cpp">
+      <Filter>Source Files\os</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\string\TranscodeUtil.cpp">
+      <Filter>Source Files\string</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\crypto\Aes128CbcEncryptedStream.cpp">
+      <Filter>Source Files\crypto</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\tc.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\AccessViolationException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\ArgumentException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\ArgumentNullException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\ArgumentOutOfRangeException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\ArithmeticException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\bn.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\ByteData.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\cli.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\Exception.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\InvalidOperationException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\NotImplementedException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\NotSupportedException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\ObjectDisposedException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\Optional.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\os.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\OutOfMemoryException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\OverflowException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\PlatformErrorHandlingUtil.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\ResourceStatus.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\string.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\types.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\bn\binary_utils.h">
+      <Filter>Header Files\tc\bn</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\bn\bitarray.h">
+      <Filter>Header Files\tc\bn</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\bn\endian_types.h">
+      <Filter>Header Files\tc\bn</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\bn\pad.h">
+      <Filter>Header Files\tc\bn</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\bn\string.h">
+      <Filter>Header Files\tc\bn</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\UnauthorisedAccessException.h">
+      <Filter>Header Files\tc</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\cli\FormatUtil.h">
+      <Filter>Header Files\tc\cli</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\cli\OptionParser.h">
+      <Filter>Header Files\tc\cli</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CbcEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CtrEncryptedStream.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CtrEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128EcbEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128XtsEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes192CbcEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes192CtrEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes192EcbEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256CbcEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256CtrEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256EcbEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes256XtsEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\AesEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\CbcEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\CryptoException.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\CtrEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\EcbEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacGenerator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacMd5Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacSha1Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacSha256Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\HmacSha512Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Md5Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf1KeyDeriver.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf1Md5KeyDeriver.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf1Sha1KeyDeriver.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2KeyDeriver.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2Sha1KeyDeriver.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2Sha256KeyDeriver.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Pbkdf2Sha512KeyDeriver.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\PseudoRandomByteGenerator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaKey.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaKeyGenerator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaOaepEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaOaepSha256Encryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaOaepSha512Encryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Md5Signer.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Sha1Signer.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Sha256Signer.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Sha512Signer.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPkcs1Signer.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPssSha256Signer.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPssSha512Signer.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\RsaPssSigner.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Sha1Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Sha256Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Sha512Generator.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\XtsEncryptor.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\AesImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\BlockUtilImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\CbcModeImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\CtrModeImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\EcbModeImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\HmacImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Md5Impl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Pbkdf1Impl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Pbkdf2Impl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\PrbgImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaKeyGeneratorImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaOaepPadding.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaPkcs1Padding.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\RsaPssPadding.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Sha1Impl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\Sha2Impl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\detail\XtsModeImpl.h">
+      <Filter>Header Files\tc\crypto\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\BasicPathResolver.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\ConcatenatedStream.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\DirectoryNotEmptyException.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\DirectoryNotFoundException.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\FileAccess.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\FileExistsException.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\FileMode.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\FileNotFoundException.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\FileStream.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\IOException.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\IOUtil.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\IPathResolver.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\IPortablePathResolver.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\IReadableSink.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\ISink.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\ISource.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\IFileSystem.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\IStream.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\LocalFileSystem.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\MemorySource.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\MemoryStream.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\OverlayedSource.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\PaddingSource.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\Path.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\PathTooLongException.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\PathUtil.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\SeekOrigin.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\StreamSink.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\StreamSource.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\StreamUtil.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\SubSink.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\SubSource.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\SubFileSystem.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\SubStream.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\io\VirtualFileSystem.h">
+      <Filter>Header Files\tc\io</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\os\Environment.h">
+      <Filter>Header Files\tc\os</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\os\UnicodeMain.h">
+      <Filter>Header Files\tc\os</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\string\TranscodeUtil.h">
+      <Filter>Header Files\tc\string</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\string\detail\utf8.h">
+      <Filter>Header Files\tc\string\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\string\detail\utf16.h">
+      <Filter>Header Files\tc\string\detail</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\tc\crypto\Aes128CbcEncryptedStream.h">
+      <Filter>Header Files\tc\crypto</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{7187f0ad-653b-48dc-bb6a-e9cd948b54ed}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc">
+      <UniqueIdentifier>{6caebfb6-46f1-4d3b-9e1b-979b3ed8c98c}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\bn">
+      <UniqueIdentifier>{49508f62-7068-4f18-a37c-207a90567c2e}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\cli">
+      <UniqueIdentifier>{19683877-7cc0-4307-8a64-8430e4a647aa}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\crypto">
+      <UniqueIdentifier>{1790ccfc-ff8d-42cf-a41b-c546f7c7e03a}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\io">
+      <UniqueIdentifier>{db3218f8-61c4-444c-9758-eaf0a3fc7cb5}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\string">
+      <UniqueIdentifier>{f110e29c-e832-412d-b35c-fe09f44cb48b}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\crypto\detail">
+      <UniqueIdentifier>{07fdaf97-dd39-4b5e-8679-5f3a45ff300e}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{7cb67e0a-2201-4709-a0fa-7da68aaf8bb4}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\cli">
+      <UniqueIdentifier>{335b803b-a77f-48f1-8a2c-2b95ceba48e4}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\crypto">
+      <UniqueIdentifier>{fc4541ce-957c-4976-880e-5189f1d8c46e}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\io">
+      <UniqueIdentifier>{b6397317-93c5-48d9-a2bd-107761509eb7}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\os">
+      <UniqueIdentifier>{357e7fd9-82f3-4f28-a7cb-f3bc59eb7632}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\string">
+      <UniqueIdentifier>{d8bfe354-3e2c-40e9-8023-5cdbf8fd877d}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\os">
+      <UniqueIdentifier>{2a9cc5ad-5ee9-4baf-b63c-d7af02b7309b}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Header Files\tc\string\detail">
+      <UniqueIdentifier>{68b83858-efc6-489d-a672-8eef14f0f2bc}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Source Files\crypto\detail">
+      <UniqueIdentifier>{e80dca43-1a2b-4037-8751-245a3b07d04a}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc.h b/ctrtool/deps/libtoolchain/include/tc.h
new file mode 100644
index 00000000..08106f50
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc.h
@@ -0,0 +1,37 @@
+	/**
+	 * @file		tc.h
+	 * @brief       Declaration of the libtoolchain namespace
+	 **/
+#pragma once
+#include <tc/types.h>
+
+	/**
+	 * @namespace   tc
+	 * @brief       Root namespace for libtoolchain
+	 **/
+// classes
+#include <tc/ByteData.h>
+#include <tc/Optional.h>
+
+// sub namespaces
+#include <tc/string.h>
+#include <tc/io.h>
+#include <tc/os.h>
+#include <tc/crypto.h>
+#include <tc/cli.h>
+#include <tc/bn.h>
+
+// exceptions
+#include <tc/Exception.h>
+#include <tc/AccessViolationException.h>
+#include <tc/ArgumentException.h>
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ArithmeticException.h>
+#include <tc/InvalidOperationException.h>
+#include <tc/NotImplementedException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/OutOfMemoryException.h>
+#include <tc/OverflowException.h>
+#include <tc/UnauthorisedAccessException.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/AccessViolationException.h b/ctrtool/deps/libtoolchain/include/tc/AccessViolationException.h
new file mode 100644
index 00000000..30eef1b8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/AccessViolationException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file AccessViolationException.h
+	 * @brief Declaration of tc::AccessViolationException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class AccessViolationException
+	 * @brief The exception that is thrown when there is an attempt to read or write protected memory.
+	 **/
+class AccessViolationException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	AccessViolationException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	AccessViolationException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	AccessViolationException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/ArgumentException.h b/ctrtool/deps/libtoolchain/include/tc/ArgumentException.h
new file mode 100644
index 00000000..8faa2540
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/ArgumentException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file ArgumentException.h
+	 * @brief Declaration of tc::ArgumentException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class ArgumentException
+	 * @brief The exception that is thrown when one of the arguments provided to a method is not valid.
+	 **/
+class ArgumentException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	ArgumentException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	ArgumentException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	ArgumentException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/ArgumentNullException.h b/ctrtool/deps/libtoolchain/include/tc/ArgumentNullException.h
new file mode 100644
index 00000000..7b8f6516
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/ArgumentNullException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file ArgumentNullException.h
+	 * @brief Declaration of tc::ArgumentNullException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/ArgumentException.h>
+
+namespace tc {
+
+	/**
+	 * @class ArgumentNullException
+	 * @brief The exception that is thrown when a null reference is passed to a method that does not accept it as a valid argument.
+	 **/
+class ArgumentNullException : public tc::ArgumentException
+{
+public:
+		/// Default Constructor
+	ArgumentNullException() noexcept :
+		tc::ArgumentException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	ArgumentNullException(const std::string& what) noexcept :
+		tc::ArgumentException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	ArgumentNullException(const std::string& module, const std::string& what) noexcept :
+		tc::ArgumentException(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/ArgumentOutOfRangeException.h b/ctrtool/deps/libtoolchain/include/tc/ArgumentOutOfRangeException.h
new file mode 100644
index 00000000..f03b15c5
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/ArgumentOutOfRangeException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file ArgumentOutOfRangeException.h
+	 * @brief Declaration of tc::ArgumentOutOfRangeException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/ArgumentException.h>
+
+namespace tc {
+
+	/**
+	 * @class ArgumentOutOfRangeException
+	 * @brief The exception that is thrown when the value of an argument is outside the allowable range of values as defined by the invoked method.
+	 **/
+class ArgumentOutOfRangeException : public tc::ArgumentException
+{
+public:
+		/// Default Constructor
+	ArgumentOutOfRangeException() noexcept :
+		tc::ArgumentException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	ArgumentOutOfRangeException(const std::string& what) noexcept :
+		tc::ArgumentException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	ArgumentOutOfRangeException(const std::string& module, const std::string& what) noexcept :
+		tc::ArgumentException(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/ArithmeticException.h b/ctrtool/deps/libtoolchain/include/tc/ArithmeticException.h
new file mode 100644
index 00000000..affed1fc
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/ArithmeticException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file ArithmeticException.h
+	 * @brief Declaration of tc::ArithmeticException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class ArithmeticException
+	 * @brief The exception that is thrown for errors in an arithmetic, casting, or conversion operation.
+	 **/
+class ArithmeticException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	ArithmeticException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	ArithmeticException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	ArithmeticException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/ByteData.h b/ctrtool/deps/libtoolchain/include/tc/ByteData.h
new file mode 100644
index 00000000..f0da28da
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/ByteData.h
@@ -0,0 +1,102 @@
+	/**
+	 * @file ByteData.h
+	 * @brief Declaration of tc::ByteData
+	 * @author Jack (jakcron)
+	 * @version 0.5
+	 * @date 2020/10/31
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/OutOfMemoryException.h>
+
+namespace tc {
+
+	/**
+	 * @class ByteData
+	 * @brief A container of linear memory, used to hold raw data.
+	 **/
+class ByteData
+{
+public:
+		/// Create empty ByteData
+	ByteData();
+
+		/// Copy constructor
+	ByteData(const ByteData& other);
+
+		/// Move constructor
+	ByteData(ByteData&& other);
+
+		/// Create from byte_t initalizer list
+	ByteData(std::initializer_list<byte_t> l);
+
+		/**
+		 * @brief Create linear memory block
+		 * 
+		 * @param[in] size Size in bytes of the memory block.
+		 * @param[in] clear_memory Clear memory after allocation. Default is true.
+		 * 
+		 * @throw tc::OutOfMemoryException Insuffient memory available.
+		 **/
+	ByteData(size_t size, bool clear_memory = true);
+
+		/**
+		 * @brief Create ByteData from existing memory.
+		 * 
+		 * @param[in] data Pointer to memory to copy.
+		 * @param[in] size Size of memory to copy.
+		 * 
+		 * @throw tc::OutOfMemoryException Insuffient memory available.
+		 **/
+	ByteData(const byte_t* data, size_t size);
+		
+		/**
+		 * @brief Copy assignment operator (deep copy)
+		 **/
+	ByteData& operator=(const ByteData& other);
+
+		/**
+		 * @brief Move assignment
+		 **/
+	ByteData& operator=(ByteData&& other);
+
+		/**
+		 * @brief Element access operator
+		 **/
+	byte_t& operator[](size_t index);
+
+		/**
+		 * @brief Const Element access operator
+		 **/
+	byte_t operator[](size_t index) const;
+
+		/**
+		 * @brief Equality operator
+		 */
+	bool operator==(const ByteData& other) const;
+
+		/**
+		 * @brief Inequality operator
+		 */
+	bool operator!=(const ByteData& other) const;
+
+		/**
+		 * @brief Get data pointer
+		 * 
+		 * @return nullptr if @ref size() == 0
+		 **/
+	byte_t* data() const;
+
+		/**
+		 * @brief Get data size
+		 **/
+	size_t size() const;
+private:
+	static const std::string kClassName;
+
+	size_t mSize;
+	std::unique_ptr<byte_t> mPtr;
+}; 
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/Exception.h b/ctrtool/deps/libtoolchain/include/tc/Exception.h
new file mode 100644
index 00000000..00a848f4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/Exception.h
@@ -0,0 +1,71 @@
+	/**
+	 * @file Exception.h
+	 * @brief Declaration of tc::Exception
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2019/01/15
+	 **/
+#pragma once
+#include <exception>
+#include <string>
+
+namespace tc {
+
+	/**
+	 * @class Exception
+	 * @brief An extension of std::exception that allows optionally specifying a module name
+	 **/
+class Exception : public std::exception
+{
+public:
+		/// Default Constructor
+	Exception() noexcept;
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * Inherited from std::exception
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	Exception(const std::string& what) noexcept;
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	Exception(const std::string& module, const std::string& what) noexcept;
+
+		/// Get explanation for exception (inherited from std::exception)
+	const char* what() const noexcept;
+
+		/// Get module tag 
+	const char* module() const noexcept;
+
+		/**
+		 * @brief Get explanation for exception
+		 * 
+		 * Omits the module tag from the description
+		 * 
+		 * @returns exception description
+		 **/
+	const char* error() const noexcept;
+private:
+	std::string what_;
+	std::string module_;
+	std::string error_;
+};
+
+} // namespace tc
diff --git a/ctrtool/deps/libtoolchain/include/tc/InvalidOperationException.h b/ctrtool/deps/libtoolchain/include/tc/InvalidOperationException.h
new file mode 100644
index 00000000..7b181ef3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/InvalidOperationException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file InvalidOperationException.h
+	 * @brief Declaration of tc::InvalidOperationException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class InvalidOperationException
+	 * @brief The exception that is thrown when a method call is invalid for the object's current state.
+	 **/
+class InvalidOperationException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	InvalidOperationException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	InvalidOperationException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	InvalidOperationException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/NotImplementedException.h b/ctrtool/deps/libtoolchain/include/tc/NotImplementedException.h
new file mode 100644
index 00000000..7b1f56cd
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/NotImplementedException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file NotImplementedException.h
+	 * @brief Declaration of tc::NotImplementedException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class NotImplementedException
+	 * @brief The exception that is thrown when a requested method or operation is not implemented.
+	 **/
+class NotImplementedException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	NotImplementedException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	NotImplementedException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	NotImplementedException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/NotSupportedException.h b/ctrtool/deps/libtoolchain/include/tc/NotSupportedException.h
new file mode 100644
index 00000000..5450ce24
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/NotSupportedException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file NotSupportedException.h
+	 * @brief Declaration of tc::NotSupportedException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class NotSupportedException
+	 * @brief The exception that is thrown when an invoked method is not supported, or when there is an attempt to read, seek, or write to a stream that does not support the invoked functionality.
+	 **/
+class NotSupportedException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	NotSupportedException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	NotSupportedException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	NotSupportedException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/ObjectDisposedException.h b/ctrtool/deps/libtoolchain/include/tc/ObjectDisposedException.h
new file mode 100644
index 00000000..94e7d617
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/ObjectDisposedException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file ObjectDisposedException.h
+	 * @brief Declaration of tc::ObjectDisposedException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/InvalidOperationException.h>
+
+namespace tc {
+
+	/**
+	 * @class ObjectDisposedException
+	 * @brief The exception that is thrown when an operation is performed on a disposed object.
+	 **/
+class ObjectDisposedException : public tc::InvalidOperationException
+{
+public:
+		/// Default Constructor
+	ObjectDisposedException() noexcept :
+		tc::InvalidOperationException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	ObjectDisposedException(const std::string& what) noexcept :
+		tc::InvalidOperationException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	ObjectDisposedException(const std::string& module, const std::string& what) noexcept :
+		tc::InvalidOperationException(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/Optional.h b/ctrtool/deps/libtoolchain/include/tc/Optional.h
new file mode 100644
index 00000000..3442560c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/Optional.h
@@ -0,0 +1,151 @@
+	/**
+	 * @file Optional.h
+	 * @brief Declaration of tc::Optional
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2019/01/06
+	 **/
+#pragma once
+#include <tc/types.h>
+
+namespace tc {
+
+	/**
+	 * @class Optional
+	 * @brief A wrapper class, where the existence of the wrapped value is optional.
+	 **/
+template <class T>
+class Optional
+{
+public:
+		/**
+		 * @brief Default constructor
+		 *
+		 * This Optional shall be null initially.
+		 **/
+	Optional();
+
+		/**
+		 * @brief Initialising constructor with value to wrap
+		 * @param[in] value const T& Reference to value to wrap
+		 * 
+		 * This Optional shall be not null initially.
+		 **/
+	Optional(const T& value);
+
+		/**
+		 * @brief Copy constructor
+		 * @param[in] other const Optional<T>& Reference to Optional object to copy
+		 * 
+		 * This Optional shall be not null initially.
+		 **/
+	Optional(const Optional<T>& other);
+
+		/// Operator to wrap a value
+	void operator=(const T& value);
+
+		/// Operator to duplicate another Optional
+	void operator=(const Optional<T>& other);
+
+		/**
+		 * @brief Access the wrapped value
+		 * @return T& reference to value
+		 **/
+	T& get() const;
+
+		/**
+		 * @brief Determine if the Optional value doesn't exist
+		 * @return bool true if the value does not exist.
+		 **/
+	bool isNull() const;
+
+		/**
+		 * @brief Determine if the Optional value exists
+		 * @return bool true if the value exists.
+		 **/
+	bool isSet() const;
+
+		/**
+		 * @brief Release the wrapped value
+		 * 
+		 * This will destroy the wrapped value and make this Optional null.
+		 * If this Optional is already null, this does nothing.
+		 **/
+	void makeNull();
+private:
+	std::shared_ptr<T> mValue;
+};
+
+template <class T>
+inline Optional<T>::Optional() :
+	mValue()
+{
+}
+
+template <class T>
+inline Optional<T>::Optional(const T& value) :
+	Optional()
+{
+	*this = value;
+}
+
+template <class T>
+inline Optional<T>::Optional(const Optional<T>& other) :
+	Optional()
+{
+	*this = other;
+}
+
+template <class T>
+inline void Optional<T>::operator=(const T& value)
+{
+	// if mValue is null we need to allocate memory for it
+	if (mValue == nullptr)
+	{
+		mValue = std::shared_ptr<T>(new T);
+	}
+
+	// assign the value
+	*mValue = value;
+}
+
+template <class T>
+inline void Optional<T>::operator=(const Optional<T>& other)
+{
+	// if the other is null, then we make this null
+	if (other.isNull())
+	{
+		this->makeNull();
+	}
+	// otherwise we have to assign this with the unwrapped mValue of other
+	else
+	{
+		*this = other.get();
+	}
+}
+
+template <class T>
+inline T& Optional<T>::get() const
+{
+	return *mValue;
+}
+
+template <class T>
+inline bool Optional<T>::isNull() const
+{
+	return mValue == nullptr;
+}
+
+template <class T>
+inline bool Optional<T>::isSet() const
+{
+	return mValue != nullptr;
+}
+
+template <class T>
+inline void Optional<T>::makeNull()
+{
+	mValue.reset();
+}
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/OutOfMemoryException.h b/ctrtool/deps/libtoolchain/include/tc/OutOfMemoryException.h
new file mode 100644
index 00000000..9e49a30c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/OutOfMemoryException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file OutOfMemoryException.h
+	 * @brief Declaration of tc::OutOfMemoryException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class OutOfMemoryException
+	 * @brief The exception that is thrown when there is not enough memory to continue the execution of a program.
+	 **/
+class OutOfMemoryException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	OutOfMemoryException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	OutOfMemoryException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	OutOfMemoryException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/OverflowException.h b/ctrtool/deps/libtoolchain/include/tc/OverflowException.h
new file mode 100644
index 00000000..dac30189
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/OverflowException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file OverflowException.h
+	 * @brief Declaration of tc::OverflowException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/ArithmeticException.h>
+
+namespace tc {
+
+	/**
+	 * @class OverflowException
+	 * @brief The exception that is thrown when an arithmetic, casting, or conversion operation in a checked context results in an overflow.
+	 **/
+class OverflowException : public tc::ArithmeticException
+{
+public:
+		/// Default Constructor
+	OverflowException() noexcept :
+		tc::ArithmeticException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	OverflowException(const std::string& what) noexcept :
+		tc::ArithmeticException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	OverflowException(const std::string& module, const std::string& what) noexcept :
+		tc::ArithmeticException(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/PlatformErrorHandlingUtil.h b/ctrtool/deps/libtoolchain/include/tc/PlatformErrorHandlingUtil.h
new file mode 100644
index 00000000..c67e1dc8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/PlatformErrorHandlingUtil.h
@@ -0,0 +1,46 @@
+	/**
+	 * @file PlatformErrorHandlingUtil.h
+	 * @brief Declaration of tc::PlatformErrorHandlingUtil
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/04/09
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#ifdef _WIN32
+#include <windows.h>
+#endif
+
+namespace tc
+{
+	/**
+	 * @class PlatformErrorHandlingUtil
+	 * @brief Platform specific error handling utilities.
+	 **/
+class PlatformErrorHandlingUtil
+{
+public:
+#ifdef _WIN32
+		/**
+		 * @brief Create a string from Win32 error code.
+		 * 
+		 * @param[in] error Error code, returned from GetLastError().
+		 * 
+		 * @return Error as a localised string.
+		 **/
+	static std::string GetLastErrorString(DWORD error);
+#else
+		/**
+		 * @brief Create a string from GNU error number.
+		 * 
+		 * @param[in] errnum Error code, returned from @a errno macro.
+		 * 
+		 * @return Error as a localised string.
+		 **/
+	static std::string GetGnuErrorNumString(int errnum);
+#endif
+
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/ResourceStatus.h b/ctrtool/deps/libtoolchain/include/tc/ResourceStatus.h
new file mode 100644
index 00000000..59fded03
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/ResourceStatus.h
@@ -0,0 +1,29 @@
+	/**
+	 * @file ResourceStatus.h
+	 * @brief Declaration of tc::ResourceStatus
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2019/01/16
+	 **/
+#pragma once
+#include <bitset>
+
+namespace tc {
+
+	/**
+	 * @enum ResourceStatusFlag
+	 * @brief Flags for ResourceStatus
+	 **/
+enum ResourceStatusFlag
+{
+	RESFLAG_READY, /**< Resource is ready for use */
+	RESFLAG_ERROR, /**< Resource encountered an error */
+	RESFLAG_NOINIT, /**< Resource is not initialized */
+};
+
+	/**
+	 * @brief Bitset indicating resource state information (see @ref ResourceStatusFlag)
+	 **/
+using ResourceStatus = std::bitset<32>; 
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/SecurityException.h b/ctrtool/deps/libtoolchain/include/tc/SecurityException.h
new file mode 100644
index 00000000..dd53e102
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/SecurityException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file SecurityException.h
+	 * @brief Declaration of tc::SecurityException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2022/02/06
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class SecurityException
+	 * @brief The exception that is thrown when a security error is detected.
+	 **/
+class SecurityException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	SecurityException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	SecurityException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	SecurityException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/UnauthorisedAccessException.h b/ctrtool/deps/libtoolchain/include/tc/UnauthorisedAccessException.h
new file mode 100644
index 00000000..a2b43053
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/UnauthorisedAccessException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file UnauthorisedAccessException.h
+	 * @brief Declaration of tc::UnauthorisedAccessException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc {
+
+	/**
+	 * @class UnauthorisedAccessException
+	 * @brief The exception that is thrown when the operating system denies access because of an I/O error or a specific type of security error.
+	 **/
+class UnauthorisedAccessException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	UnauthorisedAccessException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	UnauthorisedAccessException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	UnauthorisedAccessException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+} // namespace tc
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/bn.h b/ctrtool/deps/libtoolchain/include/tc/bn.h
new file mode 100644
index 00000000..3775fa0c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/bn.h
@@ -0,0 +1,17 @@
+	/**
+	 * @file		bn.h
+	 * @brief       Declaration of the binary literals library
+	 */
+#pragma once
+#include <tc/types.h>
+#include <tc/Exception.h>
+
+	/**
+	 * @namespace   tc::bn
+	 * @brief       Namespace of the binary literals library
+	 */
+#include <tc/bn/binary_utils.h>
+#include <tc/bn/endian_types.h>
+#include <tc/bn/bitarray.h>
+#include <tc/bn/string.h>
+#include <tc/bn/pad.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/bn/binary_utils.h b/ctrtool/deps/libtoolchain/include/tc/bn/binary_utils.h
new file mode 100644
index 00000000..b77fe3f9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/bn/binary_utils.h
@@ -0,0 +1,39 @@
+	/**
+	 * @file binary_utils.h
+	 * @brief Declaration of inlines and classes for literal bit manipulation and other low-level operations.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/12/20
+	 */
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace bn {
+
+	/**
+	 * @brief Generate struct magic 32bit number.
+	 * @details This generates a little endian 32bit integer from char[4].
+	 * 
+	 * @param[in] magic Pointer to array of magic bytes.
+	 * 
+	 * @return Little endian magic uint32_t.
+	 */ 
+constexpr uint32_t make_struct_magic_uint32(const char magic[4])
+{
+	return uint32_t((uint32_t)(magic[3]) << 24 | (uint32_t)(magic[2]) << 16 | (uint32_t)(magic[1]) << 8 | (uint32_t)(magic[0]));
+}
+
+	/**
+	 * @brief Generate struct magic 64bit number.
+	 * @details This generates a little endian 64bit integer from char[8].
+	 * 
+	 * @param[in] magic Pointer to array of magic bytes.
+	 * 
+	 * @return Little endian magic uint64_t.
+	 */ 
+constexpr uint64_t make_struct_magic_uint64(const char magic[8])
+{
+	return uint64_t((uint64_t)(magic[7]) << 56 | (uint64_t)(magic[6]) << 48 | (uint64_t)(magic[5]) << 40 | (uint64_t)(magic[4]) << 32 | (uint64_t)(magic[3]) << 24 | (uint64_t)(magic[2]) << 16 | (uint64_t)(magic[1]) << 8 | (uint64_t)(magic[0]));
+}
+
+}} // namespace tc::bn
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/bn/bitarray.h b/ctrtool/deps/libtoolchain/include/tc/bn/bitarray.h
new file mode 100644
index 00000000..a5c6960b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/bn/bitarray.h
@@ -0,0 +1,69 @@
+	/**
+	 * @file bitarray.h
+	 * @brief Declaration of tc::bn::bitarray
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2021/02/27
+	 */
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace bn {
+
+	/**
+	 * @struct bitarray
+	 * @brief This struct is a literal bitarray, with configurable byte and bit endianness.
+	 * 
+	 * @tparam T size in bytes of the bitarray.
+	 * @tparam byte_order_le Boolean, true: byte order is little endian, false: byte order is big endian.
+	 * @tparam bit_order_le Boolean, true: bit order is little endian, false: bit order is big endian.
+	 * 
+	 * @details
+	 * This struct is meant to be used when defining written-to-disk structures, like file headers.
+	 */ 
+template <size_t T, bool byte_order_le = true, bool bit_order_le = true>
+struct bitarray
+{
+public:
+#define __BITARRAY_BYTE_INDEX_MATH(x) (byte_order_le? (x / 8) : (T - 1 - (x / 8)))
+#define __BITARRAY_BIT_INDEX_MATH(x) (bit_order_le? (1 << (x % 8)) : (1 << (7 - (x % 8))))
+
+		/// Returns the size in bits of this bitarray
+	size_t bit_size() const { return T * 8; }
+
+		/// Sets a given bit in this bitarray
+	void set(size_t bit)
+	{
+		bit %= (T*8);
+		mArray[__BITARRAY_BYTE_INDEX_MATH(bit)] |= __BITARRAY_BIT_INDEX_MATH(bit);
+	}
+
+		/// Clears a given bit in this bitarray
+	void reset(size_t bit)
+	{
+		bit %= (T*8);
+		mArray[__BITARRAY_BYTE_INDEX_MATH(bit)] &= ~(uint8_t(__BITARRAY_BIT_INDEX_MATH(bit)));
+	}
+
+		/// Flips a given bit in this bitarray
+	void flip(size_t bit)
+	{
+		bit %= (T*8);
+		test(bit) ? reset(bit) : set(bit);
+	}
+
+		/// Checks a given bit in this bitarray
+	bool test(size_t bit) const
+	{
+		bit %= (T*8);
+		return (mArray[__BITARRAY_BYTE_INDEX_MATH(bit)] & (__BITARRAY_BIT_INDEX_MATH(bit))) != 0;
+	}
+
+#undef __BITARRAY_BYTE_INDEX_MATH
+#undef __BITARRAY_BIT_INDEX_MATH
+
+private:
+	std::array<uint8_t, T> mArray;
+};
+
+}} // namespace tc::bn
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/bn/endian_types.h b/ctrtool/deps/libtoolchain/include/tc/bn/endian_types.h
new file mode 100644
index 00000000..1930c584
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/bn/endian_types.h
@@ -0,0 +1,233 @@
+	/**
+	 * @file endian_types.h
+	 * @brief Declaration of macros and classes to unwrap primatives in an endian agnostic way.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/12/05
+	 **/
+#pragma once
+#include <cinttypes>
+#include <type_traits>
+
+namespace tc { namespace bn { namespace detail {
+
+static inline uint16_t __local_bswap16(uint16_t x) {
+	return ((x << 8) & 0xff00) | ((x >> 8) & 0x00ff);
+}
+
+static inline void __local_bswap16(void* x) {
+	uint16_t tmp = *((uint16_t*)x);
+	*((uint16_t*)x) = ((tmp << 8) & 0xff00) | ((tmp >> 8) & 0x00ff);
+}
+
+static inline uint32_t __local_bswap32(uint32_t x) {
+	return	((x << 24) & 0xff000000 ) |
+			((x <<  8) & 0x00ff0000 ) |
+			((x >>  8) & 0x0000ff00 ) |
+			((x >> 24) & 0x000000ff );
+}
+
+static inline void __local_bswap32(void* x) {
+	uint32_t tmp = *((uint32_t*)x);
+	*((uint32_t*)x) =	((tmp << 24) & 0xff000000 ) |
+						((tmp <<  8) & 0x00ff0000 ) |
+						((tmp >>  8) & 0x0000ff00 ) |
+						((tmp >> 24) & 0x000000ff );
+}
+
+static inline uint64_t __local_bswap64(uint64_t x)
+{
+	return (uint64_t)__local_bswap32(x>>32) |
+	      ((uint64_t)__local_bswap32(x&0xFFFFFFFF) << 32);
+}
+
+static inline void __local_bswap64(void* x) {
+	uint64_t tmp = *((uint64_t*)x);
+	*((uint64_t*)x) =	((uint64_t)(tmp << 56) & (uint64_t)0xff00000000000000ULL ) |
+						((uint64_t)(tmp << 40) & (uint64_t)0x00ff000000000000ULL ) |
+						((uint64_t)(tmp << 24) & (uint64_t)0x0000ff0000000000ULL ) |
+						((uint64_t)(tmp <<  8) & (uint64_t)0x000000ff00000000ULL ) |
+						((uint64_t)(tmp >>  8) & (uint64_t)0x00000000ff000000ULL ) |
+						((uint64_t)(tmp >> 24) & (uint64_t)0x0000000000ff0000ULL ) |
+						((uint64_t)(tmp >> 40) & (uint64_t)0x000000000000ff00ULL ) |
+						((uint64_t)(tmp >> 56) & (uint64_t)0x00000000000000ffULL );
+}
+
+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+static inline uint64_t __be_uint64(uint64_t a) { return __local_bswap64(a); }
+static inline uint32_t __be_uint32(uint32_t a) { return __local_bswap32(a); }
+static inline uint16_t __be_uint16(uint16_t a) { return __local_bswap16(a); }
+static inline uint64_t __le_uint64(uint64_t a) { return a; }
+static inline uint32_t __le_uint32(uint32_t a) { return a; }
+static inline uint16_t __le_uint16(uint16_t a) { return a; }
+
+static inline void __be_swap64(void* a) { __local_bswap64(a); }
+static inline void __be_swap32(void* a) { __local_bswap32(a); }
+static inline void __be_swap16(void* a) { __local_bswap16(a); }
+static inline void __le_swap64(void* a) { return; }
+static inline void __le_swap32(void* a) { return; }
+static inline void __le_swap16(void* a) { return; }
+#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+static inline uint64_t __be_uint64(uint64_t a) { return a; }
+static inline uint32_t __be_uint32(uint32_t a) { return a; }
+static inline uint16_t __be_uint16(uint16_t a) { return a; }
+static inline uint64_t __le_uint64(uint64_t a) { return __local_bswap64(a); }
+static inline uint32_t __le_uint32(uint32_t a) { return __local_bswap32(a); }
+static inline uint16_t __le_uint16(uint16_t a) { return __local_bswap16(a); }
+
+static inline void __be_swap64(void* a) { return; }
+static inline void __be_swap32(void* a) { return; }
+static inline void __be_swap16(void* a) { return; }
+static inline void __le_swap64(void* a) { __local_bswap64(a); }
+static inline void __le_swap32(void* a) { __local_bswap32(a); }
+static inline void __le_swap16(void* a) { __local_bswap16(a); }
+#endif
+
+}}} // namespace tc::bn::detail
+
+namespace tc { namespace bn {
+
+	/**
+	 * @struct le16
+	 * @brief Wrapper that allows accessing a little-endian 16-bit POD regardless of processor endianness 
+	 **/
+template <typename T>
+struct le16 {
+public:
+	static_assert(sizeof(T) == sizeof(uint16_t), "le16 requires T to be 16 bit.");
+	static_assert(std::is_pod<T>::value, "le16 requires T to be a POD.");
+
+		/// Unwrap value (Implicit)
+	operator T() const { return unwrap(); }
+		/// Wrap value (Implicit)
+	le16& operator=(const T& var) { wrap(var); return *this; }
+
+		/// Unwrap value
+	inline T unwrap() const { T tmp = mVar; detail::__le_swap16(&tmp); return tmp; }
+		/// Wrap value
+	inline void wrap(const T& var) { mVar = var; detail::__le_swap16(&mVar); }
+private:
+	T mVar;
+};
+
+	/**
+	 * @struct be16
+	 * @brief Wrapper that allows accessing a big-endian 16-bit POD regardless of processor endianness 
+	 **/
+template <typename T>
+struct be16 {
+public:
+	static_assert(sizeof(T) == sizeof(uint16_t), "be16 requires T to be 16 bit.");
+	static_assert(std::is_pod<T>::value, "be16 requires T to be a POD.");
+
+		/// Unwrap value (Implicit)
+	operator T() const { return unwrap(); }
+		/// Wrap value (Implicit)
+	be16& operator=(const T& var) { wrap(var); return *this; }
+
+		/// Unwrap value
+	inline T unwrap() const { T tmp = mVar; detail::__be_swap16(&tmp); return tmp; }
+		/// Wrap value
+	inline void wrap(const T& var) { mVar = var; detail::__be_swap16(&mVar); }
+private:
+	T mVar;
+};
+
+	/**
+	 * @struct le32
+	 * @brief Wrapper that allows accessing a little-endian 32-bit POD regardless of processor endianness 
+	 **/
+template <typename T>
+struct le32 {
+public:
+	static_assert(sizeof(T) == sizeof(uint32_t), "le32 requires T to be 32 bit.");
+	static_assert(std::is_pod<T>::value, "le32 requires T to be a POD.");
+
+		/// Unwrap value (Implicit)
+	operator T() const { return unwrap(); }
+		/// Wrap value (Implicit)
+	le32& operator=(const T& var) { wrap(var); return *this; }
+
+		/// Unwrap value
+	inline T unwrap() const { T tmp = mVar; detail::__le_swap32(&tmp); return tmp; }
+		/// Wrap value
+	inline void wrap(const T& var) { mVar = var; detail::__le_swap32(&mVar); }
+private:
+	T mVar;
+};
+
+	/**
+	 * @struct be32
+	 * @brief Wrapper that allows accessing a big-endian 32-bit POD regardless of processor endianness 
+	 **/
+template <typename T>
+struct be32 {
+public:
+	static_assert(sizeof(T) == sizeof(uint32_t), "be32 requires T to be 32 bit.");
+	static_assert(std::is_pod<T>::value, "be32 requires T to be a POD.");
+
+		/// Unwrap value (Implicit)
+	operator T() const { return unwrap(); }
+		/// Wrap value (Implicit)
+	be32& operator=(const T& var) { wrap(var); return *this; }
+
+		/// Unwrap value
+	inline T unwrap() const { T tmp = mVar; detail::__be_swap32(&tmp); return tmp; }
+		/// Wrap value
+	inline void wrap(const T& var) { mVar = var; detail::__be_swap32(&mVar); }
+private:
+	T mVar;
+};
+
+	/**
+	 * @struct le64
+	 * @brief Wrapper that allows accessing a little-endian 64-bit POD regardless of processor endianness 
+	 **/
+template <typename T>
+struct le64 {
+public:
+	static_assert(sizeof(T) == sizeof(uint64_t), "le64 requires T to be 64 bit.");
+	static_assert(std::is_pod<T>::value, "le64 requires T to be a POD.");
+
+		/// Unwrap value (Implicit)
+	operator T() const { return unwrap(); }
+		/// Wrap value (Implicit)
+	le64& operator=(const T& var) { wrap(var); return *this; }
+
+		/// Unwrap value
+	inline T unwrap() const { T tmp = mVar; detail::__le_swap64(&tmp); return tmp; }
+		/// Wrap value
+	inline void wrap(const T& var) { mVar = var; detail::__le_swap64(&mVar); }
+private:
+	T mVar;
+};
+
+	/**
+	 * @struct be64
+	 * @brief Wrapper that allows accessing a big-endian 64-bit POD regardless of processor endianness 
+	 **/
+template <typename T>
+struct be64 {
+public:
+	static_assert(sizeof(T) == sizeof(uint64_t), "be64 requires T to be 64 bit.");
+	static_assert(std::is_pod<T>::value, "be64 requires T to be a POD.");
+
+		/// Unwrap value (Implicit)
+	operator T() const { return unwrap(); }
+		/// Wrap value (Implicit)
+	be64& operator=(const T& var) { wrap(var); return *this; }
+
+		/// Unwrap value
+	inline T unwrap() const { T tmp = mVar; detail::__be_swap64(&tmp); return tmp; }
+		/// Wrap value
+	inline void wrap(const T& var) { mVar = var; detail::__be_swap64(&mVar); }
+private:
+	T mVar;
+};
+
+}} // namespace tc::bn
+
+namespace tc { namespace bn {
+
+
+}} // namespace tc::bn
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/bn/pad.h b/ctrtool/deps/libtoolchain/include/tc/bn/pad.h
new file mode 100644
index 00000000..b2281552
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/bn/pad.h
@@ -0,0 +1,29 @@
+	/**
+	 * @file pad.h
+	 * @brief Declaration of tc::bn::pad
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2022/02/05
+	 */
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace bn {
+
+	/**
+	 * @class pad
+	 * @brief This class creates padding.
+	 * 
+	 * @tparam T size in bytes of the padding.
+	 */ 
+template <size_t T>
+class pad 
+{
+public:
+		/// Returns size of padding in bytes
+	size_t size() const { return mArray.size(); }
+private:
+	std::array<uint8_t, T> mArray;
+};
+
+}} // namespace tc::bn
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/bn/string.h b/ctrtool/deps/libtoolchain/include/tc/bn/string.h
new file mode 100644
index 00000000..4840c917
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/bn/string.h
@@ -0,0 +1,141 @@
+	/**
+	 * @file string.h
+	 * @brief Declaration of tc::bn::string
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2022/02/05
+	 */
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace bn {
+
+	/**
+	 * @class string
+	 * @brief This class represents a literal char array.
+	 *
+	 * @tparam ENCODED_SIZE Literal size of the string structure. sizeof() will return this size.
+	 * @tparam LOGICAL_SIZE Logical maximum size of the string, LOGICAL_SIZE <= ENCODED_SIZE. 
+	 *
+	 * @details The intended for use is for defining structures read from files. 
+	 * 
+	 * Consider this structure read from a file with some comments from the spec:
+	 * @code
+	 *	struct MyStruct
+	 *	{
+	 *		uint32_t version;
+	 *		char product_sku[16]; // ASCII but not NULL terminated, so 16 usable characters
+	 *		char product_title[32]; // ASCII but must be NULL terminated, so only 31 usable chars
+	 *		uint32_t product_version;
+	 *	};
+	 * @endcode
+	 * The member @c product_sku according to specification can have all 16 chars populated, and if all 16 chars 
+	 * are populated it isn't guarenteed to be null terminated. The member @c product_title according to specification 
+	 * must be null terminated, reserving one byte for the null byte. This isn't the same behaviour as @c product_sku, 
+	 * requiring different string logic specific to this one struct. But these constraints can be enforced into the 
+	 * defintion of MyStruct using @ref tc::bn::string.
+	 *
+	 * Consider this revised struct using tc::bn::string :
+	 * @code
+	 *	struct MyStruct
+	 *	{
+	 *		uint32_t version;
+	 *		tc::bn::string<16> product_sku; // this has a ENCODED_SIZE & LOGICAL_SIZE of 16 bytes which mean's the size on disk is 16 bytes and there are 16 usable characters
+	 *		tc::bn::string<32,31> product_title; // this has a ENCODED_SIZE of 32 bytes & LOGICAL_SIZE of 31 bytes which mean's the size on disk is 32 bytes and there are 31 usable characters
+	 *		uint32_t product_version;
+	 *	};
+	 * @endcode
+	 * In the above struct the correct size of @c product_sku and @c product_title are preserved while also enforcing the logical size of the string.
+	 *
+	 * To get the maximum length a string can be for a given tc::bn::string, use @ref max_size():
+	 * @code
+	 * MyStruct st;
+	 * size_t product_sku_max_size = st.product_sku.max_size(); // 16
+	 * size_t product_title_max_size = st.product_title.max_size(); // 31
+	 * @endcode
+	 *
+	 * To get the current string length for a given tc::bn::string, use @ref size():
+	 * @code
+	 * MyStruct st;
+	 * size_t product_sku_str_size = st.product_sku.size();
+	 * size_t product_title_str_size = st.product_title.size();
+	 * @endcode
+	 *
+	 * To decode the data in a tc::bn::string to a std::string, use @ref decode():
+	 * @code
+	 * MyStruct st;
+	 * std::string product_sku = st.product_sku.decode();
+	 * std::string product_title = st.product_title.decode();
+	 * @endcode
+	 *
+	 * To encode a std::string into a tc::bn::string, use @ref encode():
+	 * @code
+	 * MyStruct st;
+	 * st.product_sku.encode("SKU-1234-X");
+	 * st.product_title.encode("MyProductTitle");
+	 * @endcode
+	 */
+template <size_t ENCODED_SIZE, size_t LOGICAL_SIZE = ENCODED_SIZE>
+class string
+{
+public:
+	static_assert(ENCODED_SIZE >= LOGICAL_SIZE, "literal string had a logical size greater than the encoded size.");
+
+		/// Access specific element
+	const char& operator[](size_t index) const { return mRawString[index]; }
+
+		/// Access specific element
+	char& operator[](size_t index) { return mRawString[index]; }
+
+		/// Direct access to the underlying array
+	const char* data() const { return mRawString.data(); }
+
+		/// Direct access to the underlying array
+	char* data() { return mRawString.data(); }
+
+		/// Returns maximum possible length for this string
+	size_t max_size() const { return LOGICAL_SIZE; }
+		
+		/// Returns length of string
+	size_t size() const
+	{
+		size_t chr_count = 0;
+
+		for (; chr_count < LOGICAL_SIZE; chr_count++)
+		{
+			if (mRawString[chr_count] == 0) break;
+		}
+
+		return chr_count;
+	}
+	
+		/// Returns a std::string created from the underlying char array
+	std::string decode() const { return std::string(this->data(), this->size()); }
+
+		/// Encode the underlying char array from a std::string
+	void encode(const std::string& source_str)
+	{
+		size_t chr_count = 0;
+
+		// copy chars from source_str
+		for (; chr_count < LOGICAL_SIZE; chr_count++)
+		{
+			// skip if chr count exceeds the size of the string, or the string char is null byte
+			if (chr_count >= source_str.size()) break;
+			if (source_str[chr_count] == 0) break;
+
+			mRawString[chr_count] = source_str[chr_count];
+		}
+
+		// clear remaining chars
+		for (; chr_count < LOGICAL_SIZE; chr_count++)
+		{
+			mRawString[chr_count] = 0;
+		}
+	}
+
+private:
+	std::array<char, ENCODED_SIZE> mRawString;
+};
+
+}} // namespace tc::bn
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/cli.h b/ctrtool/deps/libtoolchain/include/tc/cli.h
new file mode 100644
index 00000000..47562ad4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/cli.h
@@ -0,0 +1,14 @@
+	/**
+	 * @file		cli.h
+	 * @brief       Declaration of the command-line interface (CLI) library
+	 */
+#pragma once
+#include <tc/types.h>
+#include <tc/Exception.h>
+
+	/**
+	 * @namespace   tc::cli
+	 * @brief       Namespace of the command-line interface (CLI) library
+	 */
+#include <tc/cli/FormatUtil.h>
+#include <tc/cli/OptionParser.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/cli/FormatUtil.h b/ctrtool/deps/libtoolchain/include/tc/cli/FormatUtil.h
new file mode 100644
index 00000000..f2714086
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/cli/FormatUtil.h
@@ -0,0 +1,105 @@
+	/**
+	 * @file FormatUtil.h
+	 * @brief Declaration of tc::cli::FormatUtil
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/12/31
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace cli {
+
+	/**
+	 * @class FormatUtil
+	 * @brief A collection of utilities to format binary data as strings and vice-versa.
+	 **/
+class FormatUtil
+{
+public:
+		/**
+		 * @brief Convert a hexadecimal string to bytes.
+		 * 
+		 * @param[in] str Hexadecimal string to convert.
+		 * 
+		 * @return Converted string as bytes.
+		 * 
+		 * @post ByteData returned will be empty if the string has encoding errors.
+		 **/
+	static tc::ByteData hexStringToBytes(const std::string& str);
+
+		/**
+		 * @brief Format raw bytes as a hexadecimal string.
+		 * 
+		 * @param[in] data Pointer to bytes to format.
+		 * @param[in] size Size of data to format.
+		 * @param[in] is_upper_case Format bytes in upper case. If false the bytes will be formatted in lower case.
+		 * @param[in] delimiter String to separate formated bytes with.
+		 * 
+		 * @return Formatted string
+		 **/
+	static std::string formatBytesAsString(const byte_t* data, size_t size, bool is_upper_case, const std::string& delimiter);
+
+		/**
+		 * @brief Format tc::ByteData as a hexadecimal string.
+		 * 
+		 * @param[in] data Reference to tc::ByteData object to format.
+		 * @param[in] is_upper_case Format bytes in upper case. If false the bytes will be formatted in lower case.
+		 * @param[in] delimiter String to separate formated bytes with.
+		 * 
+		 * @return Formatted string
+		 **/
+	static std::string formatBytesAsString(const tc::ByteData& data, bool is_upper_case, const std::string& delimiter);
+
+		/**
+		 * @brief Format raw bytes as a hexadecimal string. Introducing a new-line to keep each row within a certain size.
+		 * 
+		 * @param[in] data Pointer to bytes to format.
+		 * @param[in] size Size of data to format.
+		 * @param[in] is_upper_case Format bytes in upper case. If false the bytes will be formatted in lower case.
+		 * @param[in] delimiter String to separate formated bytes with.
+		 * @param[in] row_len Maximum length each row can be before a newline is introduced.
+		 * @param[in] indent_len Length of spaces each new line should be indented.
+		 * @param[in] print_first_indent Print the indent for the first line, default is true.
+		 * 
+		 * @return Formatted string
+		 **/
+	static std::string formatBytesAsStringWithLineLimit(const byte_t* data, size_t size, bool is_upper_case, const std::string& delimiter, size_t row_len, size_t indent_len, bool print_first_indent = true);
+
+		/**
+		 * @brief Format a list of strings as comma delimited. Introducing a new-line to keep each row within a certain size.
+		 * 
+		 * @param[in] str_list List of strings to print.
+		 * @param[in] row_len Maximum length each row can be before a newline is introduced.
+		 * @param[in] indent_len Length of spaces each new line should be indented.
+		 * @param[in] print_first_indent Print the indent for the first line, default is true.
+		 * 
+		 * @return Formatted string
+		 **/
+	static std::string formatListWithLineLimit(const std::vector<std::string>& str_list, size_t row_len, size_t indent_len, bool print_first_indent = true);
+
+		/**
+		 * @brief Format raw bytes in the style of HxD editor hex view. 
+		 * 
+		 * @param[in] data Pointer to bytes to format.
+		 * @param[in] size Size of data to format.
+		 * @param[in] bytes_per_row Number of bytes to print on each row.
+		 * @param[in] byte_group_size Size of each byte group.
+		 * 
+		 * @return Formatted string
+		 **/
+	static std::string formatBytesAsHxdHexString(const byte_t* data, size_t size, size_t bytes_per_row, size_t byte_group_size);
+
+		/**
+		 * @brief Format raw bytes in the style of HxD editor hex view. 
+		 * 
+		 * @param[in] data Pointer to bytes to format.
+		 * @param[in] size Size of data to format.
+		 * 
+		 * @return Formatted string
+		 **/
+	static std::string formatBytesAsHxdHexString(const byte_t* data, size_t size);
+};
+
+}} // namespace tc::cli
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/cli/OptionParser.h b/ctrtool/deps/libtoolchain/include/tc/cli/OptionParser.h
new file mode 100644
index 00000000..b49945b4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/cli/OptionParser.h
@@ -0,0 +1,285 @@
+	/**
+	 * @file OptionParser.h
+	 * @brief Declaration of tc::cli::OptionParser
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2022/01/22
+	 **/
+#pragma once
+#include <vector>
+#include <map>
+#include <list>
+#include <string>
+#include <regex>
+#include <memory>
+#include <tc/ArgumentException.h>
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace tc { namespace cli {
+
+	/**
+	 * @class OptionParser
+	 * @brief Class for parsing command-line options.
+	 * 
+	 * This class processes command-line options according to user defined implementations of @ref tc::cli::OptionParser::IOptionHandler that are registered with this class.
+	 * 
+	 * The format of command-line arguments varies by system and convention. This class supports the following styles of command-line options:
+	 * * @b --opt : Option name prefixed by "--" with no parameters,
+	 * * @b --opt=var : Option name prefixed by "--" with only one parameter delimited by "=",
+	 * * @b --opt @b var1 @b var2 : Option name prefixed by "--" with one or more parameters delimited by white space,
+	 * * @b -opt : Option name prefixed by "-" with no parameters,
+	 * * @b -opt=var : Option name prefixed by "-" with one parameter delimited by "=",
+	 * * @b -opt @b var1 @b var2 : Option name prefixed by "-" with one or more parameters delimited by white space,
+	 * 
+	 * When parsing options from command-line arguments, it will (in order of occurence) collect the option name and the parameters that follow in 
+	 * accordance to the above rules, and defer to the user defined @ref tc::cli::OptionParser::IOptionHandler for this option. If none is defined 
+	 * it will throw a @ref tc::ArgumentException, or alternatively defer to a user defined unknown option handler (also a @ref tc::cli::OptionParser::IOptionHandler).
+	 * 
+	 * For example, say we have some state struct like this:
+	 * @code
+	 * struct UserOpt
+	 * {
+	 * 	std::string sku_code;
+	 * 	std::map<std::string, std::string> environment_vars;
+	 * };
+	 * @endcode 
+	 * 
+	 * And the command-line is intended be formatted as follows:
+	 * @code
+	 * someprogram -sku <your SKU code here> -DVAR1=<value for variable key VAR1 here> -DVAR2=<value for variable key VAR2 here>
+	 * @endcode
+	 * 
+	 * A possible IOptionHandler for "-sku <your SKU code here>" could be implemented as follows:
+	 * @code
+	 * class SkuOptionHandler : public tc::cli::OptionParser::IOptionHandler
+	 * {
+	 * public:
+	 * 	// The constructor is where you link the object to the state you want to modify in the call-back
+	 * 	SkuOptionHandler(UserOpt& user_opt) : 
+	 * 		mUserOpt(user_opt),
+	 * 		mOptStrings({"-sku"}), // here we define an array of literal options to match against
+	 * 		mOptRegex()
+	 * 	{}
+	 * 
+	 * 	// OptionParser uses this to determine which IOptionHandler to use, so this should return all aliases of the option
+	 * 	const std::vector<std::string>& getOptionStrings() const
+	 * 	{
+	 * 		return mOptStrings;
+	 * 	}
+	 *
+	 * 	// OptionParser uses this to determine which IOptionHandler to use, so this should return all regex patterns that will match for the option
+	 * 	const std::vector<std::string>& getOptionRegexPatterns() const
+	 * 	{
+	 * 		return mOptRegex;
+	 * 	}
+	 * 
+	 * 	// This is what is called when OptionParser defers to IOptionHandler to process the option and any arguments
+	 * 	// In your implementation this is where you validate the data and modify your linked state data accordingly
+	 * 	void processOption(const std::string& option, const std::vector<std::string>& params)
+	 * 	{
+	 * 		// validate number of paramaters (in this case you we only want 1 parameter)
+	 * 		if (params.size() != 1)
+	 * 		{
+	 * 			throw tc::ArgumentOutOfRangeException("Option \"" + option + "\" requires a parameter.");
+	 * 		}
+	 * 
+	 * 		mUserOpt.sku_code = params[0];
+	 * 	}
+	 * private:
+	 * 	UserOpt& mUserOpt;
+	 * 	std::vector<std::string> mOptStrings;
+	 * 	std::vector<std::string> mOptRegex;
+	 * };
+	 * @endcode
+	 *
+	 * A possible IOptionHandler for generic "-DKEY=VALUE" could be implemented as follows:
+	 * @code
+	 * class KeyValueOptionHandler : public tc::cli::OptionParser::IOptionHandler
+	 * {
+	 * public:
+	 * 	// The constructor is where you link the object to the state you want to modify in the call-back
+	 * 	KeyValueOptionHandler(UserOpt& user_opt) : 
+	 * 		mUserOpt(user_opt),
+	 * 		mOptStrings(),
+	 * 		mOptRegex({"(-D)(.+)"}) // here we define a REGEX pattern to match the beginning of the option "-D" followed by the key.
+	 * 	{}
+	 * 
+	 * 	// OptionParser uses this to determine which IOptionHandler to use, so this should return all aliases of the option
+	 * 	const std::vector<std::string>& getOptionStrings() const
+	 * 	{
+	 * 		return mOptStrings;
+	 * 	}
+	 * 
+	 * 	// OptionParser uses this to determine which IOptionHandler to use, so this should return all regex patterns that will match for the option
+	 * 	const std::vector<std::string>& getOptionRegexPatterns() const
+	 * 	{
+	 * 		return mOptRegex;
+	 * 	}
+	 *
+	 * 	// This is what is called when OptionParser defers to IOptionHandler to process the option and any arguments
+	 * 	// In your implementation this is where you validate the data and modify your linked state data accordingly
+	 * 	void processOption(const std::string& option, const std::vector<std::string>& params)
+	 * 	{
+	 * 		// validate number of paramaters (in this case you we only want 1 parameter)
+	 * 		if (params.size() != 1)
+	 * 		{
+	 * 			throw tc::ArgumentOutOfRangeException("Option \"" + option + "\" requires a parameter.");
+	 * 		}
+	 * 
+	 * 		mUserOpt.environment_vars.insert(std::pair<std::string>(option.substr(2), params[0]));
+	 * 	}
+	 * private:
+	 * 	UserOpt& mUserOpt;
+	 * 	std::vector<std::string> mOptStrings;
+	 * 	std::vector<std::string> mOptRegex;
+	 * };
+	 * @endcode
+	 * 
+	 * Defining an unknown option handler is optional, but at a minimum allows customising the exception.
+	 * @code
+	 * class UnkOptionHandler : public tc::cli::OptionParser::IOptionHandler
+	 * {
+	 * public:
+	 * 	UnkOptionHandler()
+	 * 	{}
+	 * 
+	 * 	// this throws an exception as it should not be called
+	 * 	const std::vector<std::string>& getOptionStrings() const
+	 * 	{
+	 * 		throw tc::InvalidOperationException("getOptionStrings() not defined for UnkOptionHandler.");
+	 * 	}
+	 *
+	 * 	// this throws an exception as it should not be called
+	 * 	const std::vector<std::string>& getOptionRegexPatterns() const
+	 * 	{
+	 * 		throw tc::InvalidOperationException("getOptionRegexPatterns() not defined for UnkOptionHandler.");
+	 * 	}
+	 * 
+	 * 	void processOption(const std::string& option, const std::vector<std::string>& params)
+	 * 	{
+	 * 		throw tc::Exception("Unrecognized option: \"" + option + "\"");
+	 * 	}
+	 * private:
+	 * };
+	 * @endcode
+	 * 
+	 * Then process the command-line arguments with OptionParser::processOptions():
+	 * @code
+	 * int umain(const std::vector<std::string>& args, const std::vector<std::string>& env)
+	 * {
+	 * 	UserOpt user_opt;
+	 * 	tc::cli::OptionParser opt_parser;
+	 * 
+	 * 	// register the option handler for "-sku"
+	 * 	opt_parser.registerOptionHandler(std::shared_ptr<SkuOptionHandler>(new SkuOptionHandler(user_opt)));
+	 *
+	 * 	// register the option handler for "-DKEY=VALUE"
+	 * 	opt_parser.registerOptionHandler(std::shared_ptr<KeyValueOptionHandler>(new KeyValueOptionHandler(user_opt)));
+	 * 
+	 * 	// register the unknown option handler
+	 * 	opt_parser.registerUnrecognisedOptionHandler(std::shared_ptr<UnkOptionHandler>(new UnkOptionHandler()));
+	 * 
+	 * 	// since args will include at args[0], the program executable path, use the overload of processOptions that selects a sub vector of args.
+	 * 	opt_parser.processOptions(args, 1, args.size()-1);
+	 * 
+	 * 	// user_opt.sku_type will now be populated if it was set via command-line with "-sku"
+	 * 	// user_opt.environment_vars will now be populated if it was set via command-line with "-DKEY=VALUE" style options.
+	 * 
+	 * 	std::cout << "SKUCODE: \"" << user_opt.sku_code << "\"" << std::endl;
+	 * 	for (auto itr = user_opt.environment_vars.begin(); itr != environment_vars.end(); itr++)
+	 * 	{
+	 * 		std::cout << "EnvVar: [" << itr->first << "] -> [" << itr->second << "]" << std::endl;
+	 * 	}
+	 * 
+	 * 	// finish program
+	 * 	return 0;
+	 * }
+	 * @endcode
+	 */
+class OptionParser
+{
+public:
+
+		/**
+		 * @class IOptionHandler
+		 * @brief Interface for handling command-line options and any parameters, to be used with @ref OptionParser.
+		 * 
+		 * See @ref OptionParser for an example on how to implement this class.
+		 */
+	class IOptionHandler
+	{
+	public:
+		virtual ~IOptionHandler() = default;
+
+			/**
+			 * @brief Returns a vector of aliases for the option this will handle.
+			 */
+		virtual const std::vector<std::string>& getOptionStrings() const = 0;
+
+			/**
+			 * @brief Returns a vector of option regex patterns that this will handle.
+			 */
+		virtual const std::vector<std::string>& getOptionRegexPatterns() const = 0;
+
+			/**
+			 * @brief Processes command-line option and any parameters.
+			 * 
+			 * @param[in] option This is full option name that was used.
+			 * @param[in] params This is a vector of parameters that were supplied with the option name, size may be 0 or more.
+			 */ 
+		virtual void processOption(const std::string& option, const std::vector<std::string>& params) = 0;
+	};
+
+		/// Default Constructor
+	OptionParser();
+
+		/**
+		 * @brief Register an IOptionHandler to handle an option.
+		 * 
+		 * @param[in] handler Shared pointer to the IOptionHandler.
+		 *
+		 * @throw tc::ArgumentNullException @p handler was null.
+		 * @throw tc::ArgumentOutOfRangeException @p handler had no option strings or regex patterns.
+		 */
+	void registerOptionHandler(const std::shared_ptr<IOptionHandler>& handler);
+
+		/**
+		 * @brief Register an IOptionHandler to handle all unrecognised options. Only use this extra processing of unrecognised options is required beyond a generic exception.
+		 * 
+		 * @param[in] handler Shared pointer to the IOptionHandler.
+		 *
+		 * @throw tc::ArgumentNullException @p handler was null.
+		 */
+	void registerUnrecognisedOptionHandler(const std::shared_ptr<IOptionHandler>& handler);
+
+		/**
+		 * @brief Process a vector of command-line args in accordance with the registered option handlers.
+		 * 
+		 * @param[in] args Command-line args to process.
+		 *
+		 * @throw tc::ArgumentException An option was not recognised, or otherwise malformed. 
+		 */
+	void processOptions(const std::vector<std::string>& args);
+
+		/**
+		 * @brief Process a vector of command-line args in accordance with the registered option handlers.
+		 * 
+		 * @param[in] args Command-line args to process.
+		 * @param[in] pos Position in args vector to begin with.
+		 * @param[in] num Number of elements in the args vector to process.
+		 *
+		 * @throw tc::ArgumentException An option was not recognised, or otherwise malformed. 
+		 */
+	void processOptions(const std::vector<std::string>& args, size_t pos, size_t num);
+
+private:
+	static const std::string kClassName;
+
+	void handleOption(const std::string& opt, const std::vector<std::string>& params);
+	std::map<std::string, std::shared_ptr<IOptionHandler>> mOptionaAliasMap;
+	std::list<std::pair<std::regex, std::shared_ptr<IOptionHandler>>> mOptionRegexList;
+	std::shared_ptr<IOptionHandler> mUnkOptHandler;
+};
+
+}} // namespace tc::cli
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto.h b/ctrtool/deps/libtoolchain/include/tc/crypto.h
new file mode 100644
index 00000000..7e8d4b0b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto.h
@@ -0,0 +1,85 @@
+	/**
+	 * @file		crypto.h
+	 * @brief       Declaration of the cryptography library
+	 */
+#pragma once
+#include <tc/types.h>
+#include <tc/Exception.h>
+
+	/**
+	 * @namespace   tc::crypto
+	 * @brief       Namespace of the cryptography library
+	 */
+// Exceptions
+#include <tc/crypto/CryptoException.h>
+
+// AES Encryption & Modes
+#include <tc/crypto/AesEncryptor.h>
+
+#include <tc/crypto/EcbEncryptor.h>
+#include <tc/crypto/Aes128EcbEncryptor.h>
+#include <tc/crypto/Aes192EcbEncryptor.h>
+#include <tc/crypto/Aes256EcbEncryptor.h>
+
+#include <tc/crypto/CtrEncryptor.h>
+#include <tc/crypto/Aes128CtrEncryptor.h>
+#include <tc/crypto/Aes192CtrEncryptor.h>
+#include <tc/crypto/Aes256CtrEncryptor.h>
+
+#include <tc/crypto/CbcEncryptor.h>
+#include <tc/crypto/Aes128CbcEncryptor.h>
+#include <tc/crypto/Aes192CbcEncryptor.h>
+#include <tc/crypto/Aes256CbcEncryptor.h>
+
+#include <tc/crypto/XtsEncryptor.h>
+#include <tc/crypto/Aes128XtsEncryptor.h>
+#include <tc/crypto/Aes256XtsEncryptor.h>
+
+// AES Encryption Streams
+#include <tc/crypto/Aes128CtrEncryptedStream.h>
+#include <tc/crypto/Aes128CbcEncryptedStream.h>
+
+
+// Hash Calculator
+#include <tc/crypto/Md5Generator.h>
+#include <tc/crypto/Sha1Generator.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/Sha512Generator.h>
+
+// HMAC Calculator
+#include <tc/crypto/HmacGenerator.h>
+#include <tc/crypto/HmacMd5Generator.h>
+#include <tc/crypto/HmacSha1Generator.h>
+#include <tc/crypto/HmacSha256Generator.h>
+#include <tc/crypto/HmacSha512Generator.h>
+
+// Password-based Key Derivation Function
+#include <tc/crypto/Pbkdf1KeyDeriver.h>
+#include <tc/crypto/Pbkdf1Md5KeyDeriver.h>
+#include <tc/crypto/Pbkdf1Sha1KeyDeriver.h>
+
+#include <tc/crypto/Pbkdf2KeyDeriver.h>
+#include <tc/crypto/Pbkdf2Sha1KeyDeriver.h>
+#include <tc/crypto/Pbkdf2Sha256KeyDeriver.h>
+#include <tc/crypto/Pbkdf2Sha512KeyDeriver.h>
+
+// Psuedo-random Byte Generation
+#include <tc/crypto/PseudoRandomByteGenerator.h>
+
+// RSA Signing & Encryption
+#include <tc/crypto/RsaKey.h>
+#include <tc/crypto/RsaKeyGenerator.h>
+
+#include <tc/crypto/RsaPkcs1Signer.h>
+#include <tc/crypto/RsaPkcs1Md5Signer.h>
+#include <tc/crypto/RsaPkcs1Sha1Signer.h>
+#include <tc/crypto/RsaPkcs1Sha256Signer.h>
+#include <tc/crypto/RsaPkcs1Sha512Signer.h>
+
+#include <tc/crypto/RsaPssSigner.h>
+#include <tc/crypto/RsaPssSha256Signer.h>
+#include <tc/crypto/RsaPssSha512Signer.h>
+
+#include <tc/crypto/RsaOaepEncryptor.h>
+#include <tc/crypto/RsaOaepSha256Encryptor.h>
+#include <tc/crypto/RsaOaepSha512Encryptor.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptedStream.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptedStream.h
new file mode 100644
index 00000000..fa0964de
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptedStream.h
@@ -0,0 +1,168 @@
+	/**
+	 * @file    Aes128CbcEncryptedStream.h
+	 * @brief   Declaration of tc::crypto::Aes128CbcEncryptedStream
+	 * @author  Jack (jakcron)
+	 * @version 0.2
+	 * @date    2022/02/13
+	 **/
+#pragma once
+#include <list>
+#include <tc/ByteData.h>
+#include <tc/io/IStream.h>
+#include <tc/crypto/Aes128CbcEncryptor.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/NotImplementedException.h>
+#include <tc/io/IOException.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Aes128CbcEncryptedStream
+	 * @brief Class for reading from a stream that is encrypted with AES128-CBC.
+	 * @details This class takes an encrypted IStream, encryption parameters and creates an IStream that will transparently decrypt data when reading.
+	 */
+class Aes128CbcEncryptedStream : public tc::io::IStream
+{
+public:
+		/**
+		 * @brief This is the data-type for AES128-CBC key used with Aes128CbcEncryptedStream.
+		 * 
+		 */
+	using key_t = std::array<byte_t, tc::crypto::Aes128CbcEncryptor::kKeySize>;
+
+		/**
+		 * @brief This is the data-type for AES128-CBC initialization vector used with Aes128CbcEncryptedStream.
+		 * 
+		 */
+	using iv_t = std::array<byte_t, tc::crypto::Aes128CbcEncryptor::kBlockSize>;
+
+		/**
+		 * @brief This is the data-type for AES128-CBC data block used with Aes128CbcEncryptedStream.
+		 * 
+		 */
+	using block_t = std::array<byte_t, tc::crypto::Aes128CbcEncryptor::kBlockSize>;
+
+		/**
+		 * @brief Default Constructor
+		 * @post This will create an uninitialized Aes128CbcEncryptedStream, it will have to be assigned from a valid Aes128CbcEncryptedStream object to be usable.
+		 **/
+	Aes128CbcEncryptedStream();
+
+		/** 
+		 * @brief Create Aes128CbcEncryptedStream
+		 * 
+		 * @param[in] stream  The base IStream object which this stream will decrypt data from.
+		 * @param[in] key     AES128 Encryption Key. See @ref Aes128CbcEncryptedStream::key_t.
+		 * @param[in] iv      AES128-CBC Initilization vector relative to offset 0x0 of the base stream. See @ref Aes128CbcEncryptedStream::iv_t.
+		 * 
+		 * @pre The sub stream must be a subset of the base stream.
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * 
+		 * @throw tc::ArgumentNullException @p stream is a @p nullptr.
+		 * @throw tc::NotSupportedException The base stream does not support seeking or reading.
+		 * @throw tc::NotSupportedException The base stream is not block aligned.
+		 **/
+	Aes128CbcEncryptedStream(const std::shared_ptr<tc::io::IStream>& stream, const key_t& key, const iv_t& iv);
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	bool canRead() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	bool canWrite() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	bool canSeek() const;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	int64_t length();
+
+		/** 
+		 * @brief Gets the position within the current stream. 
+		 * 
+		 * @return This is returns the current position within the stream.
+		 **/
+	int64_t position();
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support reading for @ref read to work. 
+		 * @note Use @ref canRead to determine if this stream supports reading.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p count exceeds the length of readable data in the sub stream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t read(byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written. @ref write is not implemented for @ref Aes128CbcEncryptedStream.
+		 * @throw tc::NotImplementedException @ref write is not implemented for @ref Aes128CbcEncryptedStream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t write(const byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p origin contains an invalid value.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	int64_t seek(int64_t offset, tc::io::SeekOrigin origin);
+
+		/**
+		 * @brief Sets the length of the current stream. This is not implemented for @ref Aes128CbcEncryptedStream.
+		 * @throw tc::NotImplementedException @ref setLength is not implemented for @ref Aes128CbcEncryptedStream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Clears all buffers for this and the base stream and causes any buffered data to be written to the underlying device.
+		 * 
+		 * @throw tc::io::IOException An I/O error occurs.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void flush();
+	
+		/**
+		 * @brief Releases internal resources including base stream and clears internal state.
+		 **/
+	void dispose();
+private:
+	static const std::string kClassName;
+
+	// base source
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+
+	// encryption cfg
+	std::shared_ptr<tc::crypto::Aes128CbcEncryptor> mCryptor;
+	iv_t mBaseIv;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptor.h
new file mode 100644
index 00000000..9dc0bd6e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CbcEncryptor.h
@@ -0,0 +1,94 @@
+	/**
+	 * @file Aes128CbcEncryptor.h
+	 * @brief Declarations for API resources for related to AES128-CBC mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/CbcEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes128CbcEncryptor
+	 * @brief Class for AES-CBC encryption/decryption with a keysize of 128 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES128-CBC.
+	 * For more information refer to @ref CbcEncryptor.
+	 */
+using Aes128CbcEncryptor = CbcEncryptor<Aes128Encryptor>;
+
+	/**
+	 * @brief Utility function for AES128-CBC encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @ref Aes128CbcEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes128CbcEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes128CbcEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @ref Aes128CbcEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes128CbcEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes128CbcEncryptor::kBlockSize.
+	 */
+void EncryptAes128Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for AES128-CBC decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @ref Aes128CbcEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes128CbcEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes128CbcEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @ref Aes128CbcEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes128CbcEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes128CbcEncryptor::kBlockSize.
+	 */
+void DecryptAes128Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptedStream.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptedStream.h
new file mode 100644
index 00000000..21b383e1
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptedStream.h
@@ -0,0 +1,166 @@
+	/**
+	 * @file    Aes128CtrEncryptedStream.h
+	 * @brief   Declaration of tc::crypto::Aes128CtrEncryptedStream
+	 * @author  Jack (jakcron)
+	 * @version 0.2
+	 * @date    2022/02/13
+	 **/
+#pragma once
+#include <list>
+#include <tc/ByteData.h>
+#include <tc/io/IStream.h>
+#include <tc/crypto/Aes128CtrEncryptor.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/NotImplementedException.h>
+#include <tc/io/IOException.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Aes128CtrEncryptedStream
+	 * @brief Class for reading from a stream that is encrypted with AES128-CTR.
+	 * @details This class takes an encrypted IStream, encryption parameters and creates an IStream that will transparently decrypt data when reading.
+	 */
+class Aes128CtrEncryptedStream : public tc::io::IStream
+{
+public:
+		/**
+		 * @brief This is the data-type for AES128-CTR key used with Aes128CtrEncryptedStream.
+		 * 
+		 */
+	using key_t = std::array<byte_t, tc::crypto::Aes128CtrEncryptor::kKeySize>;
+
+		/**
+		 * @brief This is the data-type for AES128-CTR block counter used with Aes128CtrEncryptedStream.
+		 * 
+		 */
+	using counter_t = std::array<byte_t, tc::crypto::Aes128CtrEncryptor::kBlockSize>;
+
+		/**
+		 * @brief This is the data-type for AES128-CTR data block used with Aes128CtrEncryptedStream.
+		 * 
+		 */
+	using block_t = std::array<byte_t, tc::crypto::Aes128CtrEncryptor::kBlockSize>;
+
+		/**
+		 * @brief Default Constructor
+		 * @post This will create an uninitialized Aes128CtrEncryptedStream, it will have to be assigned from a valid Aes128CtrEncryptedStream object to be usable.
+		 **/
+	Aes128CtrEncryptedStream();
+
+		/** 
+		 * @brief Create Aes128CtrEncryptedStream
+		 * 
+		 * @param[in] stream  The base IStream object which this stream will decrypt data from.
+		 * @param[in] key     AES128 Encryption Key. See @ref key_t.
+		 * @param[in] counter AES128-CTR Counter relative to offset 0x0 of the base stream. See @ref counter_t.
+		 * 
+		 * @pre The sub stream must be a subset of the base stream.
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * 
+		 * @throw tc::ArgumentNullException @p stream is a @p nullptr.
+		 * @throw tc::NotSupportedException The base stream does not support seeking or reading.
+		 **/
+	Aes128CtrEncryptedStream(const std::shared_ptr<tc::io::IStream>& stream, const key_t& key, const counter_t& counter);
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	bool canRead() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	bool canWrite() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	bool canSeek() const;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	int64_t length();
+
+		/** 
+		 * @brief Gets the position within the current stream. 
+		 * 
+		 * @return This is returns the current position within the stream.
+		 **/
+	int64_t position();
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support reading for @ref read to work. 
+		 * @note Use @ref canRead to determine if this stream supports reading.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p count exceeds the length of readable data in the sub stream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t read(byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written. @ref write is not implemented for @ref Aes128CtrEncryptedStream.
+		 * @throw tc::NotImplementedException @ref write is not implemented for @ref Aes128CtrEncryptedStream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t write(const byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p origin contains an invalid value.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	int64_t seek(int64_t offset, tc::io::SeekOrigin origin);
+
+		/**
+		 * @brief Sets the length of the current stream. This is not implemented for @ref Aes128CtrEncryptedStream.
+		 * @throw tc::NotImplementedException @ref setLength is not implemented for @ref Aes128CtrEncryptedStream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Clears all buffers for this and the base stream and causes any buffered data to be written to the underlying device.
+		 * 
+		 * @throw tc::io::IOException An I/O error occurs.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void flush();
+	
+		/**
+		 * @brief Releases internal resources including base stream and clears internal state.
+		 **/
+	void dispose();
+private:
+	static const std::string kClassName;
+
+	// base source
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+	
+	// encryption cfg
+	std::shared_ptr<tc::crypto::Aes128CtrEncryptor> mCryptor;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptor.h
new file mode 100644
index 00000000..76e7bd9c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128CtrEncryptor.h
@@ -0,0 +1,115 @@
+	/**
+	 * @file Aes128CtrEncryptor.h
+	 * @brief Declarations for API resources for related to AES128-CTR mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/CtrEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes128CtrEncryptor
+	 * @brief Class for AES-CTR encryption/decryption with a keysize of 128 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES128-CTR.
+	 * For more information refer to @ref CtrEncryptor.
+	 */
+using Aes128CtrEncryptor = CtrEncryptor<Aes128Encryptor>;
+
+	/**
+	 * @brief Utility function for AES128-CTR encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  block_number Block number of initial block to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size > 0.
+	 * - @p key_size == @ref Aes128CtrEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes128CtrEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was 0.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes128CtrEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes128CtrEncryptor::kBlockSize.
+	 */
+void EncryptAes128Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for AES128-CTR decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  block_number Block number of initial block to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size > 0.
+	 * - @p key_size == @ref Aes128CtrEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes128CtrEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was 0.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes128CtrEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes128CtrEncryptor::kBlockSize.
+	 */
+void DecryptAes128Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for incrementing a AES128-CTR block counter.
+	 * 
+	 * @param[in,out] counter Pointer to block counter to increment.
+	 * @param[in]     incr Value to increment the block counter with.
+	 * 
+	 * @pre
+	 * - @p counter != nullptr
+	 * 
+	 * @post
+	 * - Block counter @p counter is incremented by the value of @p incr.
+	 * 
+	 * @details
+	 * This increments the block counter (@p counter) (used in CTR-Mode as the initialization vector) by the value of @p incr.
+	 * 
+	 * @throw tc::ArgumentNullException @p counter was null.
+	 */
+void IncrementCounterAes128Ctr(byte_t* counter, uint64_t incr);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128EcbEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128EcbEncryptor.h
new file mode 100644
index 00000000..c0c3d8a2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128EcbEncryptor.h
@@ -0,0 +1,84 @@
+	/**
+	 * @file Aes128EcbEncryptor.h
+	 * @brief Declarations for API resources for related to AES128-ECB mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/EcbEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes128EcbEncryptor
+	 * @brief Class for AES-ECB encryption/decryption with a keysize of 128 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES128-ECB.
+	 * For more information refer to @ref EcbEncryptor.
+	 */
+using Aes128EcbEncryptor = EcbEncryptor<Aes128Encryptor>;
+
+	/**
+	 * @brief Utility function for AES128-ECB encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - @p size >= @ref Aes128EcbEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes128EcbEncryptor::kKeySize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref Aes128EcbEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes128EcbEncryptor::kKeySize.
+	 */
+void EncryptAes128Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size);
+
+	/**
+	 * @brief Utility function for AES128-ECB decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - @p size >= @ref Aes128EcbEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes128EcbEncryptor::kKeySize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref Aes128EcbEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes128EcbEncryptor::kKeySize.
+	 */
+void DecryptAes128Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128XtsEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128XtsEncryptor.h
new file mode 100644
index 00000000..ffae6930
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes128XtsEncryptor.h
@@ -0,0 +1,104 @@
+	/**
+	 * @file Aes128XtsEncryptor.h
+	 * @brief Declarations for API resources for related to AES128-XTS mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/XtsEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes128XtsEncryptor
+	 * @brief Class for AES-XTS encryption/decryption with a keysize of 128 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES128-XTS.
+	 * For more information refer to @ref XtsEncryptor.
+	 */
+using Aes128XtsEncryptor = XtsEncryptor<Aes128Encryptor>;
+
+	/**
+	 * @brief Utility function for AES128-XTS encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  sector_number Initial sector number of sector to encrypt.
+	 * @param[in]  key1 Pointer to key1 data.
+	 * @param[in]  key1_size Size in bytes of key1 data.
+	 * @param[in]  key2 Pointer to key2 data.
+	 * @param[in]  key2_size Size in bytes of key2 data.
+	 * @param[in]  sector_size Size in bytes of the XTS data unit.
+	 * @param[in]  tweak_word_order Boolean to determine endianness of tweak. True = LittleEndian, False = BigEndian.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @p sector_size.
+	 * - @p key1_size == @ref Aes128XtsEncryptor::kKeySize.
+	 * - @p key2_size == @ref Aes128XtsEncryptor::kKeySize.
+	 * - @p sector_size >= @ref Aes128XtsEncryptor::kBlockSize. 
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @p sector_size.
+	 * @throw tc::ArgumentNullException @p key1 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key1_size did not equal @ref Aes128XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p key2 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key2_size did not equal @ref Aes128XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentOutOfRangeException @p sector_size was less than @ref Aes128XtsEncryptor::kBlockSize.
+	 */
+void EncryptAes128Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order);
+
+	/**
+	 * @brief Utility function for AES128-XTS decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  sector_number Initial sector number of sector to decrypt.
+	 * @param[in]  key1 Pointer to key1 data.
+	 * @param[in]  key1_size Size in bytes of key1 data.
+	 * @param[in]  key2 Pointer to key2 data.
+	 * @param[in]  key2_size Size in bytes of key2 data.
+	 * @param[in]  sector_size Size in bytes of the XTS data unit.
+	 * @param[in]  tweak_word_order Boolean to determine endianness of tweak. True = LittleEndian, False = BigEndian.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @p sector_size.
+	 * - @p key1_size == @ref Aes128XtsEncryptor::kKeySize.
+	 * - @p key2_size == @ref Aes128XtsEncryptor::kKeySize.
+	 * - @p sector_size >= @ref Aes128XtsEncryptor::kBlockSize. 
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @p sector_size.
+	 * @throw tc::ArgumentNullException @p key1 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key1_size did not equal @ref Aes128XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p key2 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key2_size did not equal @ref Aes128XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentOutOfRangeException @p sector_size was less than  @ref Aes128XtsEncryptor::kBlockSize.
+	 */
+void DecryptAes128Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CbcEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CbcEncryptor.h
new file mode 100644
index 00000000..b5ae936d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CbcEncryptor.h
@@ -0,0 +1,94 @@
+	/**
+	 * @file Aes192CbcEncryptor.h
+	 * @brief Declarations for API resources for related to AES192-CBC mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/CbcEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes192CbcEncryptor
+	 * @brief Class for AES-CBC encryption/decryption with a keysize of 192 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES192-CBC.
+	 * For more information refer to @ref CbcEncryptor.
+	 */
+using Aes192CbcEncryptor = CbcEncryptor<Aes192Encryptor>;
+
+	/**
+	 * @brief Utility function for AES192-CBC encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @ref Aes192CbcEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes192CbcEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes192CbcEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @ref Aes192CbcEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes192CbcEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes192CbcEncryptor::kBlockSize.
+	 */
+void EncryptAes192Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for AES192-CBC decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @ref Aes192CbcEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes192CbcEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes192CbcEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @ref Aes192CbcEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes192CbcEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes192CbcEncryptor::kBlockSize.
+	 */
+void DecryptAes192Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CtrEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CtrEncryptor.h
new file mode 100644
index 00000000..2ce1d1db
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192CtrEncryptor.h
@@ -0,0 +1,115 @@
+	/**
+	 * @file Aes192CtrEncryptor.h
+	 * @brief Declarations for API resources for related to AES192-CTR mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/CtrEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes192CtrEncryptor
+	 * @brief Class for AES-CTR encryption/decryption with a keysize of 192 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES192-CTR.
+	 * For more information refer to @ref CtrEncryptor.
+	 */
+using Aes192CtrEncryptor = CtrEncryptor<Aes192Encryptor>;
+
+	/**
+	 * @brief Utility function for AES192-CTR encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  block_number Block number of initial block to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size > 0.
+	 * - @p key_size == @ref Aes192CtrEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes192CtrEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was 0.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes192CtrEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes192CtrEncryptor::kBlockSize.
+	 */
+void EncryptAes192Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for AES192-CTR decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  block_number Block number of initial block to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size > 0.
+	 * - @p key_size == @ref Aes192CtrEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes192CtrEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was 0.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes192CtrEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes192CtrEncryptor::kBlockSize.
+	 */
+void DecryptAes192Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for incrementing a AES192-CTR block counter.
+	 * 
+	 * @param[in,out] counter Pointer to block counter to increment.
+	 * @param[in]     incr Value to increment the block counter with.
+	 * 
+	 * @pre
+	 * - @p counter != nullptr
+	 * 
+	 * @post
+	 * - Block counter @p counter is incremented by the value of @p incr.
+	 * 
+	 * @details
+	 * This increments the block counter (@p counter) (used in CTR-Mode as the initialization vector) by the value of @p incr.
+	 * 
+	 * @throw tc::ArgumentNullException @p counter was null.
+	 */
+void IncrementCounterAes192Ctr(byte_t* counter, uint64_t incr);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192EcbEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192EcbEncryptor.h
new file mode 100644
index 00000000..41ba7d06
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes192EcbEncryptor.h
@@ -0,0 +1,84 @@
+	/**
+	 * @file Aes192EcbEncryptor.h
+	 * @brief Declarations for API resources for related to AES192-ECB mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/EcbEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes192EcbEncryptor
+	 * @brief Class for AES-ECB encryption/decryption with a keysize of 192 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES192-ECB.
+	 * For more information refer to @ref EcbEncryptor.
+	 */
+using Aes192EcbEncryptor = EcbEncryptor<Aes192Encryptor>;
+
+	/**
+	 * @brief Utility function for AES192-ECB encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - @p size >= @ref Aes192EcbEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes192EcbEncryptor::kKeySize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref Aes192EcbEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes192EcbEncryptor::kKeySize.
+	 */
+void EncryptAes192Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size);
+
+	/**
+	 * @brief Utility function for AES192-ECB decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - @p size >= @ref Aes192EcbEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes192EcbEncryptor::kKeySize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref Aes192EcbEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes192EcbEncryptor::kKeySize.
+	 */
+void DecryptAes192Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CbcEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CbcEncryptor.h
new file mode 100644
index 00000000..677a583d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CbcEncryptor.h
@@ -0,0 +1,94 @@
+	/**
+	 * @file Aes256CbcEncryptor.h
+	 * @brief Declarations for API resources for related to AES256-CBC mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/CbcEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes256CbcEncryptor
+	 * @brief Class for AES-CBC encryption/decryption with a keysize of 256 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES256-CBC.
+	 * For more information refer to @ref CbcEncryptor.
+	 */
+using Aes256CbcEncryptor = CbcEncryptor<Aes256Encryptor>;
+
+	/**
+	 * @brief Utility function for AES256-CBC encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @ref Aes256CbcEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes256CbcEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes256CbcEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @ref Aes256CbcEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes256CbcEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes256CbcEncryptor::kBlockSize.
+	 */
+void EncryptAes256Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for AES256-CBC decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @ref Aes256CbcEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes256CbcEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes256CbcEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @ref Aes256CbcEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes256CbcEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes256CbcEncryptor::kBlockSize.
+	 */
+void DecryptAes256Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CtrEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CtrEncryptor.h
new file mode 100644
index 00000000..81609575
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256CtrEncryptor.h
@@ -0,0 +1,115 @@
+	/**
+	 * @file Aes256CtrEncryptor.h
+	 * @brief Declarations for API resources for related to AES256-CTR mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/CtrEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes256CtrEncryptor
+	 * @brief Class for AES-CTR encryption/decryption with a keysize of 256 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES256-CTR.
+	 * For more information refer to @ref CtrEncryptor.
+	 */
+using Aes256CtrEncryptor = CtrEncryptor<Aes256Encryptor>;
+
+	/**
+	 * @brief Utility function for AES256-CTR encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  block_number Block number of initial block to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size > 0.
+	 * - @p key_size == @ref Aes256CtrEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes256CtrEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was 0.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes256CtrEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes256CtrEncryptor::kBlockSize.
+	 */
+void EncryptAes256Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for AES256-CTR decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  block_number Block number of initial block to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * @param[in]  iv Pointer to initialization vector.
+	 * @param[in]  iv_size Size in bytes of initialization vector.
+	 * 
+	 * @pre
+	 * - @p size > 0.
+	 * - @p key_size == @ref Aes256CtrEncryptor::kKeySize.
+	 * - @p iv_size == @ref Aes256CtrEncryptor::kBlockSize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was 0.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes256CtrEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p iv was null.
+	 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal @ref Aes256CtrEncryptor::kBlockSize.
+	 */
+void DecryptAes256Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size);
+
+	/**
+	 * @brief Utility function for incrementing a AES256-CTR block counter.
+	 * 
+	 * @param[in,out] counter Pointer to block counter to increment.
+	 * @param[in]     incr Value to increment the block counter with.
+	 * 
+	 * @pre
+	 * - @p counter != nullptr
+	 * 
+	 * @post
+	 * - Block counter @p counter is incremented by the value of @p incr.
+	 * 
+	 * @details
+	 * This increments the block counter (@p counter) (used in CTR-Mode as the initialization vector) by the value of @p incr.
+	 * 
+	 * @throw tc::ArgumentNullException @p counter was null.
+	 */
+void IncrementCounterAes256Ctr(byte_t* counter, uint64_t incr);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256EcbEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256EcbEncryptor.h
new file mode 100644
index 00000000..b5b89b34
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256EcbEncryptor.h
@@ -0,0 +1,84 @@
+	/**
+	 * @file Aes256EcbEncryptor.h
+	 * @brief Declarations for API resources for related to AES256-ECB mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/EcbEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes256EcbEncryptor
+	 * @brief Class for AES-ECB encryption/decryption with a keysize of 256 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES256-ECB.
+	 * For more information refer to @ref EcbEncryptor.
+	 */
+using Aes256EcbEncryptor = EcbEncryptor<Aes256Encryptor>;
+
+	/**
+	 * @brief Utility function for AES256-ECB encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - @p size >= @ref Aes256EcbEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes256EcbEncryptor::kKeySize.
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref Aes256EcbEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes256EcbEncryptor::kKeySize.
+	 */
+void EncryptAes256Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size);
+
+	/**
+	 * @brief Utility function for AES256-ECB decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - @p size >= @ref Aes256EcbEncryptor::kBlockSize.
+	 * - @p key_size == @ref Aes256EcbEncryptor::kKeySize.
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref Aes256EcbEncryptor::kBlockSize.
+	 * @throw tc::ArgumentNullException @p key was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref Aes256EcbEncryptor::kKeySize.
+	 */
+void DecryptAes256Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256XtsEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256XtsEncryptor.h
new file mode 100644
index 00000000..921c3ece
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Aes256XtsEncryptor.h
@@ -0,0 +1,104 @@
+	/**
+	 * @file Aes256XtsEncryptor.h
+	 * @brief Declarations for API resources for related to AES256-XTS mode encryption/decryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/crypto/XtsEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Aes256XtsEncryptor
+	 * @brief Class for AES-XTS encryption/decryption with a keysize of 256 bits.
+	 * 
+	 * @details This class encrypts/decrypts data using using AES256-XTS.
+	 * For more information refer to @ref XtsEncryptor.
+	 */
+using Aes256XtsEncryptor = XtsEncryptor<Aes256Encryptor>;
+
+	/**
+	 * @brief Utility function for AES256-XTS encryption.
+	 * 
+	 * @param[out] dst Buffer where encrypted data will be written.
+	 * @param[in]  src Pointer to data to encrypt.
+	 * @param[in]  size Size in bytes of data to encrypt.
+	 * @param[in]  sector_number Initial sector number of sector to encrypt.
+	 * @param[in]  key1 Pointer to key1 data.
+	 * @param[in]  key1_size Size in bytes of key1 data.
+	 * @param[in]  key2 Pointer to key2 data.
+	 * @param[in]  key2_size Size in bytes of key2 data.
+	 * @param[in]  sector_size Size in bytes of the XTS data unit.
+	 * @param[in]  tweak_word_order Boolean to determine endianness of tweak. True = LittleEndian, False = BigEndian.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @p sector_size.
+	 * - @p key1_size == @ref Aes256XtsEncryptor::kKeySize.
+	 * - @p key2_size == @ref Aes256XtsEncryptor::kKeySize.
+	 * - @p sector_size >= @ref Aes256XtsEncryptor::kBlockSize. 
+	 * 
+	 * @post
+	 * - Encrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This encrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @p sector_size.
+	 * @throw tc::ArgumentNullException @p key1 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key1_size did not equal @ref Aes256XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p key2 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key2_size did not equal @ref Aes256XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentOutOfRangeException @p sector_size was less than @ref Aes256XtsEncryptor::kBlockSize.
+	 */
+void EncryptAes256Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order);
+
+	/**
+	 * @brief Utility function for AES256-XTS decryption.
+	 * 
+	 * @param[out] dst Buffer where decrypted data will be written.
+	 * @param[in]  src Pointer to data to decrypt.
+	 * @param[in]  size Size in bytes of data to decrypt.
+	 * @param[in]  sector_number Initial sector number of sector todecrypt.
+	 * @param[in]  key1 Pointer to key1 data.
+	 * @param[in]  key1_size Size in bytes of key1 data.
+	 * @param[in]  key2 Pointer to key2 data.
+	 * @param[in]  key2_size Size in bytes of key2 data.
+	 * @param[in]  sector_size Size in bytes of the XTS data unit.
+	 * @param[in]  tweak_word_order Boolean to determine endianness of tweak. True = LittleEndian, False = BigEndian.
+	 * 
+	 * @pre
+	 * - @p size is a multiple of @p sector_size.
+	 * - @p key1_size == @ref Aes256XtsEncryptor::kKeySize.
+	 * - @p key2_size == @ref Aes256XtsEncryptor::kKeySize.
+	 * - @p sector_size >= @ref Aes256XtsEncryptor::kBlockSize. 
+	 * 
+	 * @post
+	 * - Decrypted data is written to @p dst.
+	 * 
+	 * @details
+	 * This decrypts the data in @p src, writing it to @p dst.
+	 * 
+	 * @note
+	 * - @p dst and @p src can be the same pointer.
+	 * 
+	 * @throw tc::ArgumentNullException @p dst was null.
+	 * @throw tc::ArgumentNullException @p src was null.
+	 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of @p sector_size.
+	 * @throw tc::ArgumentNullException @p key1 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key1_size did not equal @ref Aes256XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentNullException @p key2 was null.
+	 * @throw tc::ArgumentOutOfRangeException @p key2_size did not equal @ref Aes256XtsEncryptor::kKeySize.
+	 * @throw tc::ArgumentOutOfRangeException @p sector_size was less than  @ref Aes256XtsEncryptor::kBlockSize.
+	 */
+void DecryptAes256Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/AesEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/AesEncryptor.h
new file mode 100644
index 00000000..8b3b4572
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/AesEncryptor.h
@@ -0,0 +1,140 @@
+	/**
+	 * @file AesEncryptor.h
+	 * @brief Declarations for API resources related to AES block encryption.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/AesImpl.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ArgumentNullException.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class AesEncryptor
+	 * @brief Class for AES encryption/decryption.
+	 * 
+	 * @tparam KeySize Size in bytes of the AES encryption key. This must be 16, 24 or 32.
+	 * 
+	 * @details
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize AES state with @ref initialize().
+	 * - Encrypt or decrypt block(s) using @ref encrypt() or @ref decrypt().
+	 */
+template <size_t KeySize> 
+class AesEncryptor
+{
+public:
+	static_assert(KeySize == 16 || KeySize == 24 || KeySize == 32, "Unsupported AES KeySize");
+
+	static const size_t kKeySize   = KeySize; /**< AES key size. */
+	static const size_t kBlockSize = 16; /**< AES processing block size. */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	AesEncryptor() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initialize AES state with key.
+		 * 
+		 * @param[in] key Pointer to key data.
+		 * @param[in] key_size Size in bytes of key data.
+		 * 
+		 * @pre 
+		 * - @p key_size == @ref kKeySize.
+		 * @post
+		 * - Instance is now in initialized state.
+		 * 
+		 * @throw tc::ArgumentNullException @p key was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal @ref kKeySize.
+		 */
+	void initialize(const byte_t* key, size_t key_size)
+	{
+		if (key_size != kKeySize) { throw tc::ArgumentOutOfRangeException("AesEncryptor::initialize()", "key_size did not equal kKeySize."); }
+
+		mImpl.initialize(key, key_size);
+	}
+
+		/**
+		 * @brief Encrypt data block.
+		 * 
+		 * @param[out] dst Buffer to store encrypted block.
+		 * @param[in]  src Pointer to block to encrypt.
+		 * 
+		 * @pre 
+		 * - Instance is in initialized state.
+		 * 
+		 * @details
+		 * This encrypts @ref kBlockSize number of bytes of data from @p src, writing it to @p dst.
+		 * 
+		 * @note 
+		 *  - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 */
+	void encrypt(byte_t* dst, const byte_t* src)
+	{
+		mImpl.encrypt(dst, src);
+	}
+
+		/**
+		 * @brief Decrypt data block.
+		 * 
+		 * @param[out] dst Buffer to store decrypted block.
+		 * @param[in]  src Pointer to block to decrypt.
+		 * 
+		 * @pre 
+		 * - Instance is in initialized state.
+		 * 
+		 * @details
+		 * This decrypts @ref kBlockSize number of bytes of data from @p src, writing it to @p dst.
+		 * 
+		 * @note 
+		 *  - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 */
+	void decrypt(byte_t* dst, const byte_t* src)
+	{
+		mImpl.decrypt(dst, src);
+	}
+
+private:
+	detail::AesImpl mImpl;
+};
+
+	/**
+	 * @typedef Aes128Encryptor
+	 * @brief Class for AES-128 encryption/decryption.
+	 */
+using Aes128Encryptor = AesEncryptor<16>;
+
+	/**
+	 * @typedef Aes192Encryptor
+	 * @brief Class for AES-192 encryption/decryption.
+	 */
+using Aes192Encryptor = AesEncryptor<24>;
+
+	/**
+	 * @typedef Aes256Encryptor
+	 * @brief Class for AES-256 encryption/decryption.
+	 */
+using Aes256Encryptor = AesEncryptor<32>;
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/CbcEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/CbcEncryptor.h
new file mode 100644
index 00000000..8332b161
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/CbcEncryptor.h
@@ -0,0 +1,177 @@
+	/**
+	 * @file CbcEncryptor.h
+	 * @brief Declaration of tc::crypto::CbcEncryptor
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/CbcModeImpl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class CbcEncryptor
+	 * @brief Class for CBC mode encryption/decryption.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for CBC mode encryption/decryption.
+	 * 
+	 * @details
+	 * Cipher block chaining (CBC) mode is intended to encrypt whole sets of data. Random access is not a feature of CBC mode.
+	 * 
+	 * This class is a template class that takes a block cipher implementation class as template parameter.
+	 * See @ref Aes128CbcEncryptor or similar for supplied realizations of this template class.
+	 * 
+	 * The implementation of @a BlockCipher must satisfies the following conditions.
+	 * See @ref AesEncryptor or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a @p kBlockSize constant that defines the size of the block to process.
+	 * -# Has a @p kKeySize constant that defines the required key size to initialize the block cipher.
+	 * -# Has an @p initialize method that initializes the state of the block cipher.
+	 * -# Has an @p encrypt method that encrypts a block of input data.
+	 * -# Has a @p decrypt method that decrypts a block of input data.
+	 * 
+	 * This class has two states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize CBC state with @ref initialize().
+	 * - Encrypt or decrypt data using @ref encrypt() or @ref decrypt().
+	 */
+template <class BlockCipher>
+class CbcEncryptor
+{
+public:
+	static const size_t kKeySize   = BlockCipher::kKeySize; /**< CBC mode key size. */
+	static const size_t kBlockSize = BlockCipher::kBlockSize; /**< CBC mode block processing size. */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	CbcEncryptor() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the CBC encryption state.
+		 * 
+		 * @param[in] key Pointer to key data.
+		 * @param[in] key_size Size in bytes of key data.
+		 * @param[in] iv Pointer to initialization vector.
+		 * @param[in] iv_size Size in bytes of initialization vector.
+		 * 
+		 * @pre
+		 * - @p key_size == @ref kKeySize.
+		 * - @p iv_size == @ref kBlockSize.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state.
+		 * 
+		 * @details
+		 * This resets the CBC state, initializing the key schedule and initialization vector.
+		 * 
+		 * @note
+		 * - This must be called before performing encryption/decryption.
+		 * 
+		 * @throw tc::ArgumentNullException @p key was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal kKeySize.
+		 * @throw tc::ArgumentNullException @p iv was null.
+		 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal kBlockSize.
+		 */
+	void initialize(const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+	{
+		mImpl.initialize(key, key_size, iv, iv_size);
+	}
+
+		/**
+		 * @brief Updates the CBC initialization vector.
+		 * 
+		 * @param[in] iv Pointer to initialization vector.
+		 * @param[in] iv_size Size in bytes of initialization vector.
+		 * 
+		 * @pre
+		 * - @p iv_size == @ref kBlockSize.
+		 * - Instance is in a Initialized state.
+		 * 
+		 * @post
+		 * - Initialization vector is updated.
+		 * 
+		 * @details
+		 * This updates the CBC state, initializing the initialization vector. The intended use is when data is encrypted/decrypted out of order, so the initialization vector needs to be updated manually.
+		 * 
+		 * @throw tc::ArgumentNullException @p key was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal kKeySize.
+		 * @throw tc::ArgumentNullException @p iv was null.
+		 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal kBlockSize.
+		 */
+	void update_iv(const byte_t* iv, size_t iv_size)
+	{
+		mImpl.update_iv(iv, iv_size);
+	}
+
+		/**
+		 * @brief Encrypt data.
+		 * 
+		 * @param[out] dst Buffer where encrypted data will be written.
+		 * @param[in]  src Pointer to data to encrypt.
+		 * @param[in]  size Size in bytes of data to encrypt.
+		 * 
+		 * @pre
+		 * - @p size is a multiple of @ref kBlockSize.
+		 * 
+		 * @post
+		 * - Encrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This encrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size size was not a multiple of @ref kBlockSize.
+		 */
+	void encrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		mImpl.encrypt(dst, src, size);
+	}
+
+		/**
+		 * @brief Decrypt data.
+		 * 
+		 * @param[out] dst Buffer where decrypted data will be written.
+		 * @param[in]  src Pointer to data to decrypt.
+		 * @param[in]  size Size in bytes of data to decrypt.
+		 * 
+		 * @pre
+		 * - @p size is a multiple of @ref kBlockSize.
+		 * 
+		 * @post
+		 * - Decrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This decrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size size was not a multiple of @ref kBlockSize.
+		 */
+	void decrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		mImpl.decrypt(dst, src, size);
+	}
+
+private:
+	detail::CbcModeImpl<BlockCipher> mImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/CryptoException.h b/ctrtool/deps/libtoolchain/include/tc/crypto/CryptoException.h
new file mode 100644
index 00000000..7ed9cafc
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/CryptoException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file CryptoException.h
+	 * @brief Declaration of tc::crypto::CryptoException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class CryptoException
+	 * @brief The exception that is thrown when an cryptography error occurs.
+	 **/
+class CryptoException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	CryptoException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	CryptoException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	CryptoException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/CtrEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/CtrEncryptor.h
new file mode 100644
index 00000000..d692d5b2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/CtrEncryptor.h
@@ -0,0 +1,154 @@
+	/**
+	 * @file CtrEncryptor.h
+	 * @brief Declaration of tc::crypto::CtrEncryptor
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/CtrModeImpl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class CtrEncryptor
+	 * @brief Class for CTR mode encryption/decryption.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for CTR mode encryption/decryption.
+	 * 
+	 * @details
+	 * Counter (CTR) mode encrypts blocks of data independently (and uniquely) of each other, acting as a psuedo stream cipher. Random access supported by CTR mode.
+	 * Encryption and decryption operations are identical.
+	 * 
+	 * This class is a template class that takes a block cipher implementation class as template parameter.
+	 * See @ref Aes128CtrEncryptor or similar for supplied realizations of this template class.
+	 * 
+	 * The implementation of @a BlockCipher must satisfies the following conditions.
+	 * See @ref AesEncryptor or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a @p kBlockSize constant that defines the size of the block to process.
+	 * -# Has a @p kKeySize constant that defines the required key size to initialize the block cipher.
+	 * -# Has an @p initialize method that initializes the state of the block cipher.
+	 * -# Has an @p encrypt method that encrypts a block of input data.
+	 * -# Has a @p decrypt method that decrypts a block of input data.
+	 * 
+	 * This class has two states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize CTR state with @ref initialize().
+	 * - Encrypt or decrypt data using @ref encrypt() or @ref decrypt().
+	 */
+template <class BlockCipher>
+class CtrEncryptor
+{
+public:
+	static const size_t kKeySize   = BlockCipher::kKeySize; /**< CTR mode key size. */
+	static const size_t kBlockSize = BlockCipher::kBlockSize; /**< CTR mode block processing size. */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	CtrEncryptor() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the CTR encryption state.
+		 * 
+		 * @param[in] key Pointer to key data.
+		 * @param[in] key_size Size in bytes of key data.
+		 * @param[in] iv Pointer to initialization vector.
+		 * @param[in] iv_size Size in bytes of initialization vector.
+		 * 
+		 * @pre
+		 * - @p key_size == @ref kKeySize.
+		 * - @p iv_size == @ref kBlockSize.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state.
+		 * 
+		 * @details
+		 * This resets the CTR state, initializing the key schedule and initialization vector.
+		 * 
+		 * @note
+		 * - This must be called before performing encryption/decryption.
+		 * 
+		 * @throw tc::ArgumentNullException @p key was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal kKeySize.
+		 * @throw tc::ArgumentNullException @p iv was null.
+		 * @throw tc::ArgumentOutOfRangeException @p iv_size did not equal kBlockSize.
+		 */
+	void initialize(const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+	{
+		mImpl.initialize(key, key_size, iv, iv_size);
+	}
+
+		/**
+		 * @brief Encrypt data.
+		 * 
+		 * @param[out] dst Buffer where encrypted data will be written.
+		 * @param[in]  src Pointer to data to encrypt.
+		 * @param[in]  size Size in bytes of data to encrypt.
+		 * @param[in]  block_number Block number of initial block to encrypt.
+		 * 
+		 * @pre
+		 * - @p size > 0.
+		 * 
+		 * @post
+		 * - Encrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This encrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size size was 0.
+		 */
+	void encrypt(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number)
+	{
+		mImpl.crypt(dst, src, size, block_number);
+	}
+
+		/**
+		 * @brief Decrypt data.
+		 * 
+		 * @param[out] dst Buffer where decrypted data will be written.
+		 * @param[in]  src Pointer to data to decrypt.
+		 * @param[in]  size Size in bytes of data to decrypt.
+		 * @param[in]  block_number Block number of initial block to encrypt.
+		 * 
+		 * @pre
+		 * - @p size > 0.
+		 * 
+		 * @post
+		 * - Decrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This decrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size size was 0.
+		 */
+	void decrypt(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number)
+	{
+		mImpl.crypt(dst, src, size, block_number);
+	}
+
+private:
+	detail::CtrModeImpl<BlockCipher> mImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/EcbEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/EcbEncryptor.h
new file mode 100644
index 00000000..cac5fb95
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/EcbEncryptor.h
@@ -0,0 +1,146 @@
+	/**
+	 * @file EcbEncryptor.h
+	 * @brief Declaration of tc::crypto::EcbEncryptor
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/EcbModeImpl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class EcbEncryptor
+	 * @brief Class for ECB mode encryption/decryption.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for ECB mode encryption/decryption.
+	 * 
+	 * @details
+	 * Electronic Codebook (ECB) mode is akin to using a block cipher in raw mode.
+	 * 
+	 * This class is a template class that takes a block cipher implementation class as template parameter.
+	 * See @ref Aes128EcbEncryptor or similar for supplied realizations of this template class.
+	 * 
+	 * The implementation of @a BlockCipher must satisfies the following conditions.
+	 * See @ref AesEncryptor or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a @p kBlockSize constant that defines the size of the block to process.
+	 * -# Has a @p kKeySize constant that defines the required key size to initialize the block cipher.
+	 * -# Has an @p initialize method that initializes the state of the block cipher.
+	 * -# Has an @p encrypt method that encrypts a block of input data.
+	 * -# Has a @p decrypt method that decrypts a block of input data.
+	 * 
+	 * This class has two states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize ECB state with @ref initialize().
+	 * - Encrypt or decrypt data using @ref encrypt() or @ref decrypt().
+	 */
+template <class BlockCipher>
+class EcbEncryptor
+{
+public:
+	static const size_t kKeySize   = BlockCipher::kKeySize; /**< ECB mode key size. */
+	static const size_t kBlockSize = BlockCipher::kBlockSize; /**< ECB mode block processing size. */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	EcbEncryptor() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the ECB encryption state.
+		 * 
+		 * @param[in] key Pointer to key data.
+		 * @param[in] key_size Size in bytes of key data.
+		 * 
+		 * @pre
+		 * - @p key_size == @ref kKeySize.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state.
+		 * 
+		 * @details
+		 * This resets the ECB state, initializing the key schedule.
+		 * 
+		 * @note
+		 * - This must be called before performing encryption/decryption.
+		 * 
+		 * @throw tc::ArgumentNullException @p key was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal kKeySize.
+		 */
+	void initialize(const byte_t* key, size_t key_size)
+	{
+		mImpl.initialize(key, key_size);
+	}
+
+		/**
+		 * @brief Encrypt data.
+		 * 
+		 * @param[out] dst Buffer where encrypted data will be written.
+		 * @param[in]  src Pointer to data to encrypt.
+		 * @param[in]  size Size in bytes of data to encrypt.
+		 * 
+		 * @pre
+		 * - @p size >= @ref kBlockSize.
+		 * 
+		 * @post
+		 * - Encrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This encrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref kBlockSize.
+		 */
+	void encrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		mImpl.encrypt(dst, src, size);
+	}
+
+		/**
+		 * @brief Decrypt data.
+		 * 
+		 * @param[out] dst Buffer where decrypted data will be written.
+		 * @param[in]  src Pointer to data to decrypt.
+		 * @param[in]  size Size in bytes of data to decrypt.
+		 * 
+		 * @pre
+		 * - @p size >= @ref kBlockSize.
+		 * 
+		 * @post
+		 * - Decrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This decrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size was less than @ref kBlockSize.
+		 */
+	void decrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		mImpl.decrypt(dst, src, size);
+	}
+
+private:
+	detail::EcbModeImpl<BlockCipher> mImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/HmacGenerator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacGenerator.h
new file mode 100644
index 00000000..4cd9f2c4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacGenerator.h
@@ -0,0 +1,219 @@
+	/**
+	 * @file HmacGenerator.h
+	 * @brief Declaration of tc::crypto::HmacGenerator
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/05/30
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/HmacImpl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class HmacGenerator
+	 * @brief Class for calculating an HMAC.
+	 * 
+	 * @tparam HashFunction The class that implements the hash function for generating HMAC.
+	 * 
+	 * @details
+	 * This class is a template class that takes a hash function implementation class as template parameter.
+	 * See @ref HmacSha256Generator or similar for supplied realizations of this template class.
+	 * 
+	 * The implementation of <var>HashFunction</var> must satisfies the following conditions.
+	 * See @ref Sha256Generator or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kHashSize</tt> constant that defines the output size of the hash value.
+	 * -# Has an <tt>initialize</tt> method that begins processing.
+	 * -# Has an <tt>update</tt> method that updates the hash value on input.
+	 * -# Has a <tt>getHash</tt> method that gets the final hash value.
+	 * 
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * - Done : MAC is calculated
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize MAC Generator state with @ref initialize().
+	 * - Update MAC with input data with @ref update().
+	 * - Complete MAC calculation and export MAC with @ref getMac().
+	 * 
+	 * Below is code sample for calculating MAC with one call to @ref update():
+	 * @code
+	 * std::string key = "i am an hmac key";
+	 * 
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create array to store MAC
+	 * std::array<byte_t, tc::crypto::HmacGenerator<HashFunction>::kMacSize> mac;
+	 * 
+	 * // initialize generator. HmacGenerator<HashFunction> is now in a ready state. 
+	 * tc::crypto::HmacGenerator<HashFunction> impl;
+	 * impl.initialize((const byte_t*)key.c_str(), key.size());
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // read whole file into memory. This is unsafe for large file sizes especially on 32-bit systems.
+	 * tc::ByteData data = tc::ByteData((size_t)stream.length());
+	 * stream.read(data.data(), data.size());
+	 * 
+	 * // update generator state with stream data
+	 * impl.update(data.data(), data.size());
+	 * 
+	 * // complete generator state and write MAC to mac
+	 * impl.getMac(mac.data());
+	 * @endcode 
+	 * 
+	 * Below is code sample for calculating MAC with sequential calls to @ref update():
+	 * @code
+	 * std::string key = "i am an hmac key";
+	 * 
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create read block (size 512)
+	 * static const size_t kReadBlockSize = 0x200;
+	 * std::array<byte_t, kReadBlockSize> block;
+	 * 
+	 * // create array to store MAC
+	 * std::array<byte_t, tc::crypto::HmacGenerator<HashFunction>::kMacSize> mac;
+	 * 
+	 * // initialize generator. HmacGenerator<HashFunction> is now in a ready state. 
+	 * tc::crypto::HmacGenerator<HashFunction> impl;
+	 * impl.initialize((const byte_t*)key.c_str(), key.size());
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // iterate over blocks in stream until no more data can be read
+	 * size_t read_count = 0;
+	 * while ( 0 != (read_count = tc::io::IOUtil::getReadableCount(stream.position(), stream.length(), block.size())) )
+	 * {
+	 *   // read block from stream
+	 *   stream.read(block.data(), read_count);
+	 * 
+	 *   // update generator state with stream data
+	 *   impl.update(block.data(), read_count);
+	 * }
+	 * 
+	 * // complete generator state and write MAC to mac
+	 * impl.getMac(mac.data());
+	 * @endcode 
+	 */
+template <class HashFunction>
+class HmacGenerator
+{
+public:
+	static const size_t kMacSize   = HashFunction::kHashSize; /**< HMAC MAC size */
+	static const size_t kBlockSize = HashFunction::kBlockSize; /**< HMAC block processing size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	HmacGenerator() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the MAC calculation.
+		 * 
+		 * @param[in] key Pointer to key data.
+		 * @param[in] key_size Size in bytes of key data.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the MAC calculation state to the begin state.
+		 * 
+		 * @note
+		 * - This must be called before calculating a new MAC.
+		 */
+	void initialize(const byte_t* key, size_t key_size)
+	{
+		mImpl.initialize(key, key_size);
+	}
+
+		/**
+		 * @brief Update MAC with specified data.
+		 * 
+		 * @param[in] data Pointer to input data.
+		 * @param[in] data_size Size of input data.
+		 * 
+		 * @details
+		 * Data can be input to the generator in one @ref update() call or split across multiple sequential calls.
+		 * 
+		 * For example the following scenarios all generate the same MAC.
+		 * @code
+		 * std::string key = "i am an hmac key";
+		 * 
+		 * // generate data to be calculate MAC from
+		 * tc::ByteData data = tc::ByteData(0x30);
+		 * memset(data.data(), 0xff, data.size());
+		 * 
+		 * // create generator instance
+		 * tc::crypto::HmacGenerator<HashFunction> impl;
+		 * 
+		 * // scenario 1 (one call to update() 0x30 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::HmacGenerator<HashFunction>::kMacSize> mac1;
+		 * impl.initialize((const byte_t*)key.c_str(), key.size());
+		 * impl.update(data.data(), data.size());
+		 * impl.getMac(mac1.data());
+		 * 
+		 * // scenario 2 (three calls to update() 0x10 bytes each, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::HmacGenerator<HashFunction>::kMacSize> mac2;
+		 * impl.initialize((const byte_t*)key.c_str(), key.size());
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x10);
+		 * impl.update(data.data() + 0x20, 0x10);
+		 * impl.getMac(mac2.data());
+		 * 
+		 * // scenario 3 (two calls to update() one 0x10 bytes, the second 0x20 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::HmacGenerator<HashFunction>::kMacSize> mac3;
+		 * impl.initialize((const byte_t*)key.c_str(), key.size());
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x20);
+		 * impl.getMac(mac3.data());
+		 * @endcode
+		 * 
+		 * @note 
+		 * - If input data is broken up into blocks and supplied via multiple @ref update() calls, the order must be consistent with the original input data.
+		 */
+	void update(const byte_t* data, size_t data_size)
+	{
+		mImpl.update(data, data_size);
+	}
+
+		/**
+		 * @brief Completes MAC calculation and output MAC.
+		 * 
+		 * @param[out] mac Pointer to buffer storing MAC.
+		 * 
+		 * @pre
+		 * - Instance is in either Initialized or Done state.
+		 * - The size of the <tt><var>mac</var></tt> buffer must be >= @ref kMacSize.
+		 * 
+		 * @post
+		 * - Instance is now in a Done state.
+		 * - The calculated MAC is written to <tt><var>mac</var></tt>.
+		 * 
+		 * @note 
+		 * - If the instance is in a None state, then this call does nothing.
+		 */ 
+	void getMac(byte_t* mac)
+	{
+		mImpl.getMac(mac);
+	}
+
+private:
+	detail::HmacImpl<HashFunction> mImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/HmacMd5Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacMd5Generator.h
new file mode 100644
index 00000000..c8ee544d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacMd5Generator.h
@@ -0,0 +1,45 @@
+	/**
+	 * @file HmacMd5Generator.h
+	 * @brief Declarations for API resources for HMAC-MD5 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Md5Generator.h>
+#include <tc/crypto/HmacGenerator.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef HmacMd5Generator
+	 * @brief Class for calculating HMAC-MD5.
+	 * 
+	 * @details This class calcualtes MAC using MD5.
+	 * For more information refer to @ref HmacGenerator.
+	 */
+using HmacMd5Generator = HmacGenerator<Md5Generator>;
+
+	/**
+	 * @brief Utility function for calculating HMAC-MD5.
+	 * 
+	 * @param[out] mac Pointer to the buffer storing the MAC.
+	 * @param[in]  data Pointer to input data.
+	 * @param[in]  data_size Size in bytes of input data.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - Size of the MAC buffer must >= <tt>HmacMd5Generator::kMacSize</tt>.
+	 * 
+	 * @post
+	 * - The MAC is written to <tt><var>mac</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a MAC for the passed in data array.
+	 * To calculate a MAC for data split into multiple arrays, use the @ref HmacMd5Generator class.
+	 */
+void GenerateHmacMd5Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha1Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha1Generator.h
new file mode 100644
index 00000000..3350a9f9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha1Generator.h
@@ -0,0 +1,45 @@
+	/**
+	 * @file HmacSha1Generator.h
+	 * @brief Declarations for API resources for HMAC-SHA1 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/05/30
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha1Generator.h>
+#include <tc/crypto/HmacGenerator.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef HmacSha1Generator
+	 * @brief Class for calculating HMAC-SHA1.
+	 * 
+	 * @details This class calcualtes MAC using SHA1.
+	 * For more information refer to @ref HmacGenerator.
+	 */
+using HmacSha1Generator = HmacGenerator<Sha1Generator>;
+
+	/**
+	 * @brief Utility function for calculating HMAC-SHA1.
+	 * 
+	 * @param[out] mac Pointer to the buffer storing the MAC.
+	 * @param[in]  data Pointer to input data.
+	 * @param[in]  data_size Size in bytes of input data.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - Size of the MAC buffer must >= <tt>HmacSha1Generator::kMacSize</tt>.
+	 * 
+	 * @post
+	 * - The MAC is written to <tt><var>mac</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a MAC for the passed in data array.
+	 * To calculate a MAC for data split into multiple arrays, use the @ref HmacSha1Generator class.
+	 */
+void GenerateHmacSha1Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha256Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha256Generator.h
new file mode 100644
index 00000000..b171e03b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha256Generator.h
@@ -0,0 +1,45 @@
+	/**
+	 * @file HmacSha256Generator.h
+	 * @brief Declarations for API resources for HMAC-SHA2-256 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/HmacGenerator.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef HmacSha256Generator
+	 * @brief Class for calculating HMAC-SHA2-256.
+	 * 
+	 * @details This class calcualtes MAC using SHA2-256.
+	 * For more information refer to @ref HmacGenerator.
+	 */
+using HmacSha256Generator = HmacGenerator<Sha256Generator>;
+
+	/**
+	 * @brief Utility function for calculating HMAC-SHA2-256.
+	 * 
+	 * @param[out] mac Pointer to the buffer storing the MAC.
+	 * @param[in]  data Pointer to input data.
+	 * @param[in]  data_size Size in bytes of input data.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - Size of the MAC buffer must >= <tt>HmacSha256Generator::kMacSize</tt>.
+	 * 
+	 * @post
+	 * - The MAC is written to <tt><var>mac</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a MAC for the passed in data array.
+	 * To calculate a MAC for data split into multiple arrays, use the @ref HmacSha256Generator class.
+	 */
+void GenerateHmacSha256Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha512Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha512Generator.h
new file mode 100644
index 00000000..5b72234e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/HmacSha512Generator.h
@@ -0,0 +1,45 @@
+	/**
+	 * @file HmacSha512Generator.h
+	 * @brief Declarations for API resources for HMAC-SHA2-512 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha512Generator.h>
+#include <tc/crypto/HmacGenerator.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef HmacSha512Generator
+	 * @brief Class for calculating HMAC-SHA2-512.
+	 * 
+	 * @details This class calcualtes MAC using SHA2-512.
+	 * For more information refer to @ref HmacGenerator.
+	 */
+using HmacSha512Generator = HmacGenerator<Sha512Generator>;
+
+	/**
+	 * @brief Utility function for calculating HMAC-SHA2-512.
+	 * 
+	 * @param[out] mac Pointer to the buffer storing the MAC.
+	 * @param[in]  data Pointer to input data.
+	 * @param[in]  data_size Size in bytes of input data.
+	 * @param[in]  key Pointer to key data.
+	 * @param[in]  key_size Size in bytes of key data.
+	 * 
+	 * @pre
+	 * - Size of the MAC buffer must >= <tt>HmacSha512Generator::kMacSize</tt>.
+	 * 
+	 * @post
+	 * - The MAC is written to <tt><var>mac</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a MAC for the passed in data array.
+	 * To calculate a MAC for data split into multiple arrays, use the @ref HmacSha512Generator class.
+	 */
+void GenerateHmacSha512Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Md5Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Md5Generator.h
new file mode 100644
index 00000000..ca4e1ce0
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Md5Generator.h
@@ -0,0 +1,221 @@
+	/**
+	 * @file Md5Generator.h
+	 * @brief Declarations for API resources for MD5 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/06/01
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/Md5Impl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Md5Generator
+	 * @brief Class for calculating MD5 hash.
+	 * 
+	 * @warning MD5 is considered a weak message digest and its use constitutes a security risk. It should only be used to maintain compatibility with legacy systems.
+	 * 
+	 * @details
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * - Done : Hash value is calculated
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize Hash Generator state with @ref initialize().
+	 * - Update hash value with input data with @ref update().
+	 * - Complete hash calculation and export hash value with @ref getHash().
+	 * 
+	 * Below is code sample for calculating hash value with one call to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Md5Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Md5Generator is now in a ready state. 
+	 * tc::crypto::Md5Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // read whole file into memory. This is unsafe for large file sizes especially on 32-bit systems.
+	 * tc::ByteData data = tc::ByteData((size_t)stream.length());
+	 * stream.read(data.data(), data.size());
+	 * 
+	 * // update generator state with stream data
+	 * impl.update(data.data(), data.size());
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 * 
+	 * Below is code sample for calculating hash value with sequential calls to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create read block (size 512)
+	 * static const size_t kReadBlockSize = 0x200;
+	 * std::array<byte_t, kReadBlockSize> block;
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Md5Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Md5Generator is now in a ready state. 
+	 * tc::crypto::Md5Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // iterate over blocks in stream until no more data can be read
+	 * size_t read_count = 0;
+	 * while ( 0 != (read_count = tc::io::IOUtil::getReadableCount(stream.position(), stream.length(), block.size())) )
+	 * {
+	 *   // read block from stream
+	 *   stream.read(block.data(), read_count);
+	 * 
+	 *   // update generator state with stream data
+	 *   impl.update(block.data(), read_count);
+	 * }
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 */
+class Md5Generator
+{
+public:
+	static const size_t kAsn1OidDataSize = 18; /**< MD5 ASN.1 Encoded OID length */
+	static const std::array<byte_t, kAsn1OidDataSize> kAsn1OidData; /**< MD5 ASN.1 Encoded OID */
+
+	static const size_t kHashSize  = 16; /**< MD5 hash size */
+	static const size_t kBlockSize = 64; /**< MD5 processing block size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	Md5Generator() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the hash calculation.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the hash calculation state to the begin state.
+		 * 
+		 * @note
+		 * - This must be called before calculating a new hash.
+		 */
+	void initialize()
+	{
+		mImpl.initialize();
+	}
+
+		/**
+		 * @brief Update hash value with specified data.
+		 * 
+		 * @param[in] data Pointer to input data.
+		 * @param[in] data_size Size of input data.
+		 * 
+		 * @details
+		 * Data can be input to the generator in one @ref update() call or split across multiple sequential calls.
+		 * 
+		 * For example the following scenarios all generate the same hash value.
+		 * @code
+		 * // generate data to be hashed
+		 * tc::ByteData data = tc::ByteData(0x30);
+		 * memset(data.data(), 0xff, data.size());
+		 * 
+		 * // create generator instance
+		 * tc::crypto::Md5Generator impl;
+		 * 
+		 * // scenario 1 (one call to update() 0x30 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Md5Generator::kHashSize> hash1;
+		 * impl.initialize();
+		 * impl.update(data.data(), data.size());
+		 * impl.getHash(hash1.data());
+		 * 
+		 * // scenario 2 (three calls to update() 0x10 bytes each, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Md5Generator::kHashSize> hash2;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x10);
+		 * impl.update(data.data() + 0x20, 0x10);
+		 * impl.getHash(hash2.data());
+		 * 
+		 * // scenario 3 (two calls to update() one 0x10 bytes, the second 0x20 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Md5Generator::kHashSize> hash3;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x20);
+		 * impl.getHash(hash3.data());
+		 * @endcode
+		 * 
+		 * @note 
+		 * - If input data is broken up into blocks and supplied via multiple @ref update() calls, the order must be consistent with the original input data.
+		 */
+	void update(const byte_t* data, size_t data_size)
+	{
+		mImpl.update(data, data_size);
+	}
+
+		/**
+		 * @brief Completes hash calculation and output hash value.
+		 * 
+		 * @param[out] hash Pointer to buffer storing hash value.
+		 * 
+		 * @pre
+		 * - Instance is in either Initialized or Done state.
+		 * - The size of the <tt><var>hash</var></tt> buffer must be >= @ref kHashSize.
+		 * 
+		 * @post
+		 * - Instance is now in a Done state.
+		 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+		 * 
+		 * @note 
+		 * - If the instance is in a None state, then this call does nothing.
+		 */ 
+	void getHash(byte_t* hash)
+	{
+		mImpl.getHash(hash);
+	}
+
+private:
+	detail::Md5Impl mImpl;
+};
+
+	/**
+	 * @brief Utility function for calculating the MD5 hash.
+	 * 
+	 * @warning MD5 is considered a weak message digest and its use constitutes a security risk. It should only be used to maintain compatibility with legacy systems.
+	 * 
+	 * @param[out] hash Pointer to buffer storing hash value.
+	 * @param[in] data Pointer to input data.
+	 * @param[in] data_size Size of input data.
+	 * 
+	 * @pre
+	 * - The size of the <tt><var>hash</var></tt> buffer must be >= @ref Md5Generator::kHashSize.
+	 * 
+	 * @post
+	 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates the hash value for input passed in the <tt><var>data</var></tt> array.
+	 * To calculate the hash value for input split across multiple arrays, use the @ref Md5Generator class.
+	 */
+void GenerateMd5Hash(byte_t* hash, const byte_t* data, size_t data_size);
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1KeyDeriver.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1KeyDeriver.h
new file mode 100644
index 00000000..dbdf7a8c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1KeyDeriver.h
@@ -0,0 +1,116 @@
+	/**
+	 * @file Pbkdf1KeyDeriver.h
+	 * @brief Declaration of tc::crypto::Pbkdf1KeyDeriver
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/Pbkdf1Impl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Pbkdf1KeyDeriver
+	 * @brief Class for deriving a key using Password-Based Key Derivation Function 1 (PBKDF1).
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for key derivation.
+	 * 
+	 * @details
+	 * PBKDF1 is a hash based key derivation function, as defined in RFC 8018.
+	 * As such this template class requires @p HashFunction to implement one of the following hash functions to be compliant with RFC 8018.
+	 * -# MD4
+	 * -# MD5 (see @ref Md5Generator)
+	 * -# SHA-1 (see @ref Sha1Generator)
+	 * 
+	 * The implementation of <var>HashFunction</var> must satisfies the following conditions.
+	 * See @ref Sha1Generator or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kHashSize</tt> constant that defines the output size of the hash value.
+	 * -# Has an <tt>initialize</tt> method that begins processing.
+	 * -# Has an <tt>update</tt> method that updates the hash value on input.
+	 * -# Has a <tt>getHash</tt> method that gets the final hash value.
+	 * 
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to derive key data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize PBKDF1 calculation with @ref initialize().
+	 * - Derive key data with @ref getBytes().
+	 */
+template <class HashFunction>
+class Pbkdf1KeyDeriver
+{
+public:
+	static const uint64_t kMaxDerivableSize = HashFunction::kHashSize; /**< Maximum total key data that can be derived */
+
+		/**
+		 * @brief Default constructor
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	Pbkdf1KeyDeriver() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the PBKDF1 calculation.
+		 * 
+		 * @param[in] password Pointer to password.
+		 * @param[in] password_size Size in bytes of password.
+		 * @param[in] salt Pointer to salt.
+		 * @param[in] salt_size Size in bytes of salt.
+		 * @param[in] n_rounds Number of PBKDF1 rounds.
+		 * 
+		 * @pre
+		 * - @p n_rounds >= 1 
+		 * - @p salt is optional however the strength of the derived key is reduced if the salt is not sufficently random.
+		 * 
+		 * @post
+		 * - Instance is now in an Initialized state.
+		 * 
+		 * @throw tc::crypto::CryptoException @p n_rounds was < 1
+		 * 
+		 * @details
+		 * Resets the PBKDF1 calculation state to the begin state.
+		 * 
+		 * @note
+		 * - This must be called before deriving new key data.
+		 */
+	void initialize(const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+	{
+		mImpl.initialize(password, password_size, salt, salt_size, n_rounds);
+	}
+
+		/**
+		 * @brief Performs PBKDF1 calculation, deriving key data.
+		 * 
+		 * @param[out] key Pointer to the buffer storing the derived key.
+		 * @param[in]  key_size Size of key to derive.
+		 * 
+		 * @pre
+		 * - Instance is in an Initialized state.
+		 * 
+		 * @post
+		 * - The derived key is written to <tt><var>key</var></tt>.
+		 * 
+		 * @throw tc::crypto::CryptoException @p key_size was too large.
+		 * 
+		 * @note 
+		 * - This method can be called successively to continue deriving key data for up to @ref kMaxDerivableSize bytes.
+		 * - If the instance is in a None state, then this call does nothing.
+		 */ 
+	void getBytes(byte_t* key, size_t key_size)
+	{
+		mImpl.getBytes(key, key_size);
+	}
+
+private:
+	detail::Pbkdf1Impl<HashFunction> mImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Md5KeyDeriver.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Md5KeyDeriver.h
new file mode 100644
index 00000000..4db73f7f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Md5KeyDeriver.h
@@ -0,0 +1,47 @@
+	/**
+	 * @file Pbkdf1Md5KeyDeriver.h
+	 * @brief Declarations for API resources for PBKDF1-MD5 key derivation.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Md5Generator.h>
+#include <tc/crypto/Pbkdf1KeyDeriver.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Pbkdf1Md5KeyDeriver
+	 * @brief Class for deriving a key using PBKDF1-MD5.
+	 * 
+	 * @details This class derives a key using PBKDF1-MD5.
+	 * For more information refer to @ref Pbkdf1KeyDeriver.
+	 */
+using Pbkdf1Md5KeyDeriver = Pbkdf1KeyDeriver<Md5Generator>;
+
+	/**
+	 * @brief Utility function for deriving a key using PBKDF1-MD5.
+	 * 
+	 * @param[out] key Pointer to the buffer storing the derived key.
+	 * @param[in]  key_size Size of key to derive.
+	 * @param[in]  password Pointer to password.
+	 * @param[in]  password_size Size in bytes of password.
+	 * @param[in]  salt Pointer to salt.
+	 * @param[in]  salt_size Size in bytes of salt.
+	 * @param[in]  n_rounds Number of PBKDF1 rounds.
+	 * 
+	 * @pre
+	 * - @p n_rounds >= 1 
+	 * - @p salt is optional however the strength of the derived key is reduced if the salt is not sufficently random.
+	 * 
+	 * @post
+	 * - The derived key is written to <tt><var>key</var></tt>.
+	 * 
+	 * @throw tc::crypto::CryptoException @p n_rounds was < 1
+	 * @throw tc::crypto::CryptoException @p key_size was too large.
+	 */
+void DeriveKeyPbkdf1Md5(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Sha1KeyDeriver.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Sha1KeyDeriver.h
new file mode 100644
index 00000000..cbf3e039
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf1Sha1KeyDeriver.h
@@ -0,0 +1,47 @@
+	/**
+	 * @file Pbkdf1Sha1KeyDeriver.h
+	 * @brief Declarations for API resources for PBKDF1-SHA1 key derivation.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha1Generator.h>
+#include <tc/crypto/Pbkdf1KeyDeriver.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Pbkdf1Sha1KeyDeriver
+	 * @brief Class for deriving a key using PBKDF1-SHA1.
+	 * 
+	 * @details This class derives a key using PBKDF1-SHA1.
+	 * For more information refer to @ref Pbkdf1KeyDeriver.
+	 */
+using Pbkdf1Sha1KeyDeriver = Pbkdf1KeyDeriver<Sha1Generator>;
+
+	/**
+	 * @brief Utility function for deriving a key using PBKDF1-SHA1.
+	 * 
+	 * @param[out] key Pointer to the buffer storing the derived key.
+	 * @param[in]  key_size Size of key to derive.
+	 * @param[in]  password Pointer to password.
+	 * @param[in]  password_size Size in bytes of password.
+	 * @param[in]  salt Pointer to salt.
+	 * @param[in]  salt_size Size in bytes of salt.
+	 * @param[in]  n_rounds Number of PBKDF1 rounds.
+	 * 
+	 * @pre
+	 * - @p n_round >= 1 
+	 * - @p salt is optional however the strength of the derived key is reduced if the salt is not sufficently random.
+	 * 
+	 * @post
+	 * - The derived key is written to <tt><var>key</var></tt>.
+	 * 
+	 * @throw tc::crypto::CryptoException @p n_round was < 1
+	 * @throw tc::crypto::CryptoException @p key_size was too large.
+	 */
+void DeriveKeyPbkdf1Sha1(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2KeyDeriver.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2KeyDeriver.h
new file mode 100644
index 00000000..c3ce940b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2KeyDeriver.h
@@ -0,0 +1,118 @@
+	/**
+	 * @file Pbkdf2KeyDeriver.h
+	 * @brief Declaration of tc::crypto::Pbkdf2KeyDeriver
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/Pbkdf2Impl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Pbkdf2KeyDeriver
+	 * @brief Class for deriving a key using Password-Based Key Derivation Function 2 (PBKDF2).
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for key derivation.
+	 * 
+	 * @details
+	 * PBKDF2 is a hmac based key derivation function, as defined in RFC 8018.
+	 * As such this template class requires @p HashFunction to implement one of the following hash functions to be compliant with RFC 8018.
+	 * -# SHA-1 (see @ref Sha1Generator)
+	 * -# SHA-224
+	 * -# SHA-256 (see @ref Sha256Generator)
+	 * -# SHA-384
+	 * -# SHA-512 (see @ref Sha512Generator)
+	 * 
+	 * The implementation of <var>HashFunction</var> must satisfies the following conditions.
+	 * See @ref Sha256Generator or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kHashSize</tt> constant that defines the output size of the hash value.
+	 * -# Has an <tt>initialize</tt> method that begins processing.
+	 * -# Has an <tt>update</tt> method that updates the hash value on input.
+	 * -# Has a <tt>getHash</tt> method that gets the final hash value.
+	 * 
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to derive key data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize PBKDF2 calculation with @ref initialize().
+	 * - Derive key data with @ref getBytes().
+	 */
+template <class HashFunction>
+class Pbkdf2KeyDeriver
+{
+public:
+	static const uint64_t kMaxDerivableSize = uint64_t(0xffffffff) * uint64_t(HashFunction::kHashSize); /**< Maximum total key data that can be derived */
+
+		/**
+		 * @brief Default constructor
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	Pbkdf2KeyDeriver() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the PBKDF2 calculation.
+		 * 
+		 * @param[in] password Pointer to password.
+		 * @param[in] password_size Size in bytes of password.
+		 * @param[in] salt Pointer to salt.
+		 * @param[in] salt_size Size in bytes of salt.
+		 * @param[in] n_rounds Number of PBKDF2 rounds.
+		 * 
+		 * @pre
+		 * - @p n_rounds >= 1.
+		 * - @p salt is optional however the strength of the derived key is reduced if the salt is not sufficently random.
+		 * 
+		 * @post
+		 * - Instance is now in an Initialized state.
+		 * 
+		 * @throw tc::crypto::CryptoException @p n_rounds was < 1.
+		 * 
+		 * @details
+		 * Resets the PBKDF2 calculation state to the begin state.
+		 * 
+		 * @note
+		 * - This must be called before deriving new key data.
+		 */
+	void initialize(const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+	{
+		mImpl.initialize(password, password_size, salt, salt_size, n_rounds);
+	}
+
+		/**
+		 * @brief Performs PBKDF2 calculation, deriving key data.
+		 * 
+		 * @param[out] key Pointer to the buffer storing the derived key.
+		 * @param[in]  key_size Size of key to derive.
+		 * 
+		 * @pre
+		 * - Instance is in an Initialized state.
+		 * 
+		 * @post
+		 * - The derived key is written to <tt><var>key</var></tt>.
+		 * 
+		 * @throw tc::crypto::CryptoException @p key_size was too large.
+		 * 
+		 * @note 
+		 * - This method can be called successively to continue deriving key data for up to @ref kMaxDerivableSize bytes.
+		 * - If the instance is in a None state, then this call does nothing.
+		 */ 
+	void getBytes(byte_t* key, size_t key_size)
+	{
+		mImpl.getBytes(key, key_size);
+	}
+
+private:
+	detail::Pbkdf2Impl<HashFunction> mImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha1KeyDeriver.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha1KeyDeriver.h
new file mode 100644
index 00000000..8c0680a4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha1KeyDeriver.h
@@ -0,0 +1,47 @@
+	/**
+	 * @file Pbkdf2Sha1KeyDeriver.h
+	 * @brief Declarations for API resources for PBKDF2-SHA1 key derivation.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha1Generator.h>
+#include <tc/crypto/Pbkdf2KeyDeriver.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Pbkdf2Sha1KeyDeriver
+	 * @brief Class for deriving a key using PBKDF2-SHA1.
+	 * 
+	 * @details This class derives a key using PBKDF2-SHA1.
+	 * For more information refer to @ref Pbkdf2KeyDeriver.
+	 */
+using Pbkdf2Sha1KeyDeriver = Pbkdf2KeyDeriver<Sha1Generator>;
+
+	/**
+	 * @brief Utility function for deriving a key using PBKDF2-SHA1.
+	 * 
+	 * @param[out] key Pointer to the buffer storing the derived key.
+	 * @param[in]  key_size Size of key to derive.
+	 * @param[in]  password Pointer to password.
+	 * @param[in]  password_size Size in bytes of password.
+	 * @param[in]  salt Pointer to salt.
+	 * @param[in]  salt_size Size in bytes of salt.
+	 * @param[in]  n_rounds Number of PBKDF2 rounds.
+	 * 
+	 * @pre
+	 * - @p n_rounds >= 1 
+	 * - @p salt is optional however the strength of the derived key is reduced if the salt is not sufficently random.
+	 * 
+	 * @post
+	 * - The derived key is written to <tt><var>key</var></tt>.
+	 * 
+	 * @throw tc::crypto::CryptoException @p n_rounds was < 1.
+	 * @throw tc::crypto::CryptoException @p key_size was too large.
+	 */
+void DeriveKeyPbkdf2Sha1(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha256KeyDeriver.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha256KeyDeriver.h
new file mode 100644
index 00000000..62eaf150
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha256KeyDeriver.h
@@ -0,0 +1,47 @@
+	/**
+	 * @file Pbkdf2Sha256KeyDeriver.h
+	 * @brief Declarations for API resources for PBKDF2-SHA2-256 key derivation.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/Pbkdf2KeyDeriver.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Pbkdf2Sha256KeyDeriver
+	 * @brief Class for deriving a key using PBKDF2-SHA2-256.
+	 * 
+	 * @details This class derives a key using PBKDF2-SHA2-256.
+	 * For more information refer to @ref Pbkdf2KeyDeriver.
+	 */
+using Pbkdf2Sha256KeyDeriver = Pbkdf2KeyDeriver<Sha256Generator>;
+
+	/**
+	 * @brief Utility function for deriving a key using PBKDF2-SHA2-256.
+	 * 
+	 * @param[out] key Pointer to the buffer storing the derived key.
+	 * @param[in]  key_size Size of key to derive.
+	 * @param[in]  password Pointer to password.
+	 * @param[in]  password_size Size in bytes of password.
+	 * @param[in]  salt Pointer to salt.
+	 * @param[in]  salt_size Size in bytes of salt.
+	 * @param[in]  n_rounds Number of PBKDF2 rounds.
+	 * 
+	 * @pre
+	 * - @p n_rounds >= 1.
+	 * - @p salt is optional however the strength of the derived key is reduced if the salt is not sufficently random.
+	 * 
+	 * @post
+	 * - The derived key is written to <tt><var>key</var></tt>.
+	 * 
+	 * @throw tc::crypto::CryptoException @p n_rounds was < 1.
+	 * @throw tc::crypto::CryptoException @p key_size was too large.
+	 */
+void DeriveKeyPbkdf2Sha256(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha512KeyDeriver.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha512KeyDeriver.h
new file mode 100644
index 00000000..29e1e5ec
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Pbkdf2Sha512KeyDeriver.h
@@ -0,0 +1,47 @@
+	/**
+	 * @file Pbkdf2Sha512KeyDeriver.h
+	 * @brief Declarations for API resources for PBKDF2-SHA2-512 key derivation.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha512Generator.h>
+#include <tc/crypto/Pbkdf2KeyDeriver.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Pbkdf2Sha512KeyDeriver
+	 * @brief Class for deriving a key using PBKDF2-SHA2-512.
+	 * 
+	 * @details This class derives a key using PBKDF2-SHA2-512.
+	 * For more information refer to @ref Pbkdf2KeyDeriver.
+	 */
+using Pbkdf2Sha512KeyDeriver = Pbkdf2KeyDeriver<Sha512Generator>;
+
+	/**
+	 * @brief Utility function for deriving a key using PBKDF2-SHA2-512.
+	 * 
+	 * @param[out] key Pointer to the buffer storing the derived key.
+	 * @param[in]  key_size Size of key to derive.
+	 * @param[in]  password Pointer to password.
+	 * @param[in]  password_size Size in bytes of password.
+	 * @param[in]  salt Pointer to salt.
+	 * @param[in]  salt_size Size in bytes of salt.
+	 * @param[in]  n_rounds Number of PBKDF2 rounds.
+	 * 
+	 * @pre
+	 * - @p n_rounds >= 1.
+	 * - @p salt is optional however the strength of the derived key is reduced if the salt is not sufficently random.
+	 * 
+	 * @post
+	 * - The derived key is written to <tt><var>key</var></tt>.
+	 * 
+	 * @throw tc::crypto::CryptoException @p n_rounds was < 1.
+	 * @throw tc::crypto::CryptoException @p key_size was too large.
+	 */
+void DeriveKeyPbkdf2Sha512(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/PseudoRandomByteGenerator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/PseudoRandomByteGenerator.h
new file mode 100644
index 00000000..1b1dee03
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/PseudoRandomByteGenerator.h
@@ -0,0 +1,65 @@
+	/**
+	 * @file PseudoRandomByteGenerator.h
+	 * @brief Declarations for API resources for generating pseudo-random data.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/12
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/PrbgImpl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class PseudoRandomByteGenerator
+	 * @brief Class for generating random data.
+	 * 
+	 * @details
+	 * The underlying algorithm is CTR_DBRG.
+	 * This class generates random data suitable for encryption use cases.
+	 * - Initialization vectors
+	 * - Salts / Nonces
+	 * - HMAC keys
+	 * - AES keys
+	 */
+class PseudoRandomByteGenerator
+{
+public:
+		/**
+		 * @brief Default constructor.
+		 */
+	PseudoRandomByteGenerator() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Populate array with random data.
+		 * 
+		 * @param[out] data Buffer to hold random data.
+		 * @param[in] data_size Size of @p data buffer.
+		 * 
+		 * @throw tc::crypto::CryptoException An unexpected error has occurred.
+		 * @throw tc::crypto::CryptoException Request too big.
+		 */
+	void getBytes(byte_t* data, size_t data_size)
+	{
+		mImpl.getBytes(data, data_size);
+	}
+
+private:
+	detail::PrbgImpl mImpl;
+};
+
+	/**
+	 * @brief Utility function for generating pseudo-random data.
+	 * 
+	 * @param[out] data Pointer to buffer storing pseudo-random data.
+	 * @param[in]  data_size Size of pseudo-random data to generate.
+	 * 
+	 * @post
+	 * - The generated pseudo-random data is written to <tt><var>data</var></tt>.
+	 */
+void GeneratePseudoRandomBytes(byte_t* data, size_t data_size);
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaKey.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaKey.h
new file mode 100644
index 00000000..5553ba48
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaKey.h
@@ -0,0 +1,75 @@
+	/**
+	 * @file RsaKey.h
+	 * @brief Declarations for structures to store RSA keys.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/08/27
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @struct RsaKey
+	 * @brief Struct for storing a RSA key. For use with RSA calculations.
+	 */
+struct RsaKey
+{
+	tc::ByteData n; /**< Modulus */
+	tc::ByteData d; /**< Private exponent */
+	tc::ByteData e; /**< Public exponent */
+};
+
+	/**
+	 * @struct RsaPublicKey
+	 * @brief This extends RsaKey, exposing a constructor to create a RSA public key from a modulus.
+	 */
+struct RsaPublicKey : public RsaKey
+{
+		/**
+		 * @brief This constructs a @ref RsaKey from a modulus.
+		 * 
+		 * @param[in] modulus Buffer containing big-endian modulus.
+		 * @param[in] modulus_size Size in bytes of modulus.
+		 * 
+		 * @pre @p modulus != nullptr
+		 * @pre @p modulus_size != 0
+		 * 
+		 * @details Supplying a public exponent is not required, as this is the same for all RSA keys and is initialized internally by this constructor.
+		 */
+	RsaPublicKey(const byte_t* modulus, size_t modulus_size);
+};
+
+	/**
+	 * @struct RsaPrivateKey
+	 * @brief This extends RsaKey, exposing a constructor to create a RSA private key from a modulus and private exponent.
+	 */
+struct RsaPrivateKey : public RsaKey
+{
+		/**
+		 * @brief This constructs a @ref RsaKey from a modulus and private exponent.
+		 * 
+		 * @param[in] modulus Buffer containing big-endian modulus.
+		 * @param[in] modulus_size Size in bytes of modulus.
+		 * @param[in] private_exponent Buffer containing big-endian private exponent.
+		 * @param[in] private_exponent_size Size in bytes of private exponent.
+		 * 
+		 * @pre @p modulus != nullptr
+		 * @pre @p modulus_size != 0
+		 * @pre @p private_exponent != nullptr
+		 * @pre @p private_exponent_size != 0
+		 */
+	RsaPrivateKey(const byte_t* modulus, size_t modulus_size, const byte_t* private_exponent, size_t private_exponent_size);
+
+
+		/**
+		 * @brief Generate public key from this private key.
+		 * 
+		 * @return RsaKey containing the public key.
+		 */
+	RsaKey getPublicKey();
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaKeyGenerator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaKeyGenerator.h
new file mode 100644
index 00000000..dbf11ffb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaKeyGenerator.h
@@ -0,0 +1,71 @@
+	/**
+	 * @file RsaKeyGenerator.h
+	 * @brief Declarations for API resources for generating RSA keys.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/09/12
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/RsaKeyGeneratorImpl.h>
+#include <tc/crypto/RsaKey.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class RsaKeyGenerator
+	 * @brief Class for generating RSA keys.
+	 * 
+	 * @details
+	 * The underlying PRNG algorithm is CTR_DBRG.
+	 */
+class RsaKeyGenerator
+{
+public:
+		/**
+		 * @brief Default constructor.
+		 */
+	RsaKeyGenerator() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Generate an RSA key.
+		 * 
+		 * @param[out] key Buffer to generated RSA key.
+		 * @param[in]  key_bit_size Size in bits of RSA key to generate.
+		 * 
+		 * @post
+		 * - The generated key is written to <tt><var>key</var></tt>.
+		 * 
+		 * @throw tc::crypto::ArgumentException @p key_bit_size was not a multiple of 8.
+		 */
+	void generateKey(RsaKey& key, size_t key_bit_size)
+	{
+		if (key_bit_size == 0 || (key_bit_size % 8) != 0) throw tc::ArgumentException("tc::crypto::RsaKeyGenerator::generateKey()", "key_bit_size was not a multiple of 8.");
+
+		key.n = tc::ByteData(key_bit_size/8);
+		key.d = tc::ByteData(key_bit_size/8);
+		key.e = tc::ByteData(4);
+
+		mImpl.generateKey(key_bit_size, key.n.data(), key.n.size(), nullptr, 0, nullptr, 0, key.d.data(), key.d.size(), key.e.data(), key.e.size());
+	}
+
+private:
+	detail::RsaKeyGeneratorImpl mImpl;
+};
+
+	/**
+	 * @brief Utility function for generating an RSA key.
+	 * 
+	 * @param[out] key Buffer to generated RSA key.
+	  * @param[in]  key_bit_size Size in bits of RSA key to generate.
+	 * 
+	 * @post
+	 * - The generated key is written to <tt><var>key</var></tt>.
+	 * 
+	 * @throw tc::crypto::ArgumentException @p key_bit_size was not a multiple of 8.
+	 */
+void GenerateRsaKey(RsaKey& key, size_t key_bit_size);
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepEncryptor.h
new file mode 100644
index 00000000..91b24040
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepEncryptor.h
@@ -0,0 +1,246 @@
+	/**
+	 * @file RsaOaepEncryptor.h
+	 * @brief Declaration of tc::crypto::RsaOaepEncryptor
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/RsaImpl.h>
+#include <tc/crypto/detail/PrbgImpl.h>
+#include <tc/crypto/detail/RsaOaepPadding.h>
+#include <tc/crypto/RsaKey.h>
+
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class RsaOaepEncryptor
+	 * @brief Class for RSA-OAEP encryption/decryption.
+	 * 
+	 * @tparam KeyBitSize RSA key size in bits.
+	 * @tparam HashFunction The class that implements the hash function used with RSA-OAEP.
+	 * 
+	 * @details
+	 * This class is a template class that takes a key size and a hash function implementation class as template parameter.
+	 * See @ref Rsa2048OaepSha256Encryptor or similar for supplied realizations of this template class.
+	 * 
+	 * The <var>KeyBitSize</var> is the size in bits of the RSA key, this only supports key sizes aligned to 8 bits.
+	 * 
+	 * The implementation of <var>HashFunction</var> must satisfies the following conditions.
+	 * See @ref Sha256Generator or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kHashSize</tt> constant that defines the output size of the hash value.
+	 * -# Has an <tt>initialize</tt> method that begins processing.
+	 * -# Has an <tt>update</tt> method that updates the hash value on input.
+	 * -# Has a <tt>getHash</tt> method that gets the final hash value.
+	 * 
+	 * This class has two states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize RSA-OAEP Encryptor state with @ref initialize().
+	 * - Encrypt/Decrypt message with @ref encrypt() / @ref decrypt().
+	 */
+template <size_t KeyBitSize, class HashFunction>
+class RsaOaepEncryptor
+{
+public:
+	static_assert((KeyBitSize % 8) == 0, "KeyBitSize must be 8 bit aligned.");
+
+	static const size_t kBlockSize = KeyBitSize >> 3; /**< RSA-OAEP block size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	RsaOaepEncryptor() :
+		mState(State::None),
+		mLabelDigest(HashFunction::kHashSize),
+		mRsaImpl(),
+		mPrbgImpl(),
+		mPadImpl()
+	{}
+
+		/**
+		 * @brief Initializes the encryption state.
+		 * 
+		 * @param[in] key RSA key data.
+		 * @param[in] label OAEP label data.
+		 * @param[in] label_size Size in bytes of OAEP label data.
+		 * @param[in] isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the RSA calculation state with an RSA key.
+		 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+		 */
+	void initialize(const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false)
+	{
+		if (key.n.size() == 0 || (key.d.size() == 0 && key.e.size() == 0))
+		{
+			throw tc::ArgumentNullException("RsaOaepEncryptor::initialize()", "key does not have minimal required key-data.");
+		}
+
+		mRsaImpl.initialize(KeyBitSize, key.n.data(), key.n.size(), nullptr, 0, nullptr, 0, key.d.data(), key.d.size(), key.e.data(), key.e.size());
+
+		if (((label == nullptr) ^ (label_size == 0)))
+		{
+			throw tc::ArgumentNullException("RsaOaepEncryptor::initialize()", "label was null when label_size was non-zero or vice-versa.");
+		}
+
+		if (isLabelDigested == true)
+		{
+			if (label_size != HashFunction::kHashSize)
+				throw tc::ArgumentOutOfRangeException("RsaOaepEncryptor::initialize()", "predigested label must be the size of HashFunction::kHashSize.");
+
+			memcpy(mLabelDigest.data(), label, mLabelDigest.size());
+		}
+		else
+		{
+			HashFunction hash_impl;
+			hash_impl.initialize();
+			hash_impl.update(label, label_size);
+			hash_impl.getHash(mLabelDigest.data());
+		}
+		
+
+		mState = State::Initialized;
+	}
+	
+		/**
+		 * @brief Encode and encrypt a message into an RSA-OAEP block.
+		 * 
+		 * @param[out] block Pointer to the buffer storing the encrypted RSA block.
+		 * @param[in]  message Pointer to message.
+		 * @param[in]  message_size Size of message.
+		 * @return true if encryption was successful.
+		 * 
+		 * @pre
+		 * - Size of the @p block buffer must >= <tt>RsaOaepEncryptor::kBlockSize</tt>.
+		 * - The maximum size for @p message_size is <tt>RsaOaepEncryptor::kBlockSize</tt> - (2 * <tt>HashFunction::kHashSize</tt>) - 2.
+		 * 
+		 * @post
+		 * - The encrypted block is written to <tt><var>block</var></tt>.
+		 * 
+		 * @details
+		 * This method encrypts a message using RSA-OAEP, using an RSA public key.
+		 * OAEP encoding uses a random seed, this overload of @ref encrypt() generates the seed internally. To manually specify the seed, please use the alternative @ref encrypt() method.
+		 */
+	bool encrypt(byte_t* block, const byte_t* message, size_t message_size)
+	{
+		if (mState != State::Initialized) { return false; }
+
+		std::array<byte_t, HashFunction::kHashSize> seed;
+		mPrbgImpl.getBytes(seed.data(), seed.size());
+		
+		return encrypt(block, message, message_size, seed.data(), seed.size());
+	}
+
+		/**
+		 * @brief Encode and encrypt a message into an RSA-OAEP block.
+		 * 
+		 * @param[out] block Pointer to the buffer storing the encrypted RSA block.
+		 * @param[in]  message Pointer to message.
+		 * @param[in]  message_size Size of message.
+		 * @param[in]  seed Pointer to random seed.
+		 * @param[in]  seed_size Size of random seed.
+		 * @return true if encryption was successful.
+		 * 
+		 * @pre
+		 * - Size of the @p block buffer must >= <tt>RsaOaepEncryptor::kBlockSize</tt>.
+		 * - The maximum size for @p message_size is <tt>RsaOaepEncryptor::kBlockSize</tt> - (2 * <tt>HashFunction::kHashSize</tt>) - 2.
+		 * - Size of the @p seed buffer must be == <tt>HashFunction::kHashSize</tt>.
+		 * - The seed should be random or the security of the encryption is reduced.
+		 * 
+		 * @post
+		 * - The encrypted block is written to <tt><var>block</var></tt>.
+		 * 
+		 * @details
+		 * This method encrypts a message using RSA-OAEP, using an RSA public key.
+		 */
+	bool encrypt(byte_t* block, const byte_t* message, size_t message_size, const byte_t* seed, size_t seed_size)
+	{
+		if (mState != State::Initialized) { return false; }
+		if (message_size > (kBlockSize - (2 * HashFunction::kBlockSize) - 2)) { return false;  }
+		if (block == nullptr) { return false; }
+		if (message == nullptr || message_size == 0) { return false; }
+		if (seed == nullptr || seed_size == 0) { return false; }
+
+		std::array<byte_t, kBlockSize> encoded_message;
+		//memset(encoded_message.data(), 0, encoded_message.size());
+
+		if (mPadImpl.BuildPad(encoded_message.data(), encoded_message.size(), mLabelDigest.data(), mLabelDigest.size(), message, message_size, seed, seed_size) != detail::RsaOaepPadding<HashFunction>::Result::kSuccess)
+		{
+			return false;
+		} 
+
+		try {
+			mRsaImpl.publicTransform(block, encoded_message.data());
+		} 
+		catch (...)	{
+			return false;
+		}
+
+		return true;
+	}
+
+		/**
+		 * @brief Decrypt & decode message from an RSA-OAEP block.
+		 * 
+		 * @param[out] message Pointer to the buffer storing the decrypted message.
+		 * @param[out] message_size Size of decrypted @p message.
+		 * @param[in]  message_capacity Capacity of @p message buffer.
+		 * @param[in]  block Pointer to encrypted RSA-OAEP block.
+		 * @return true if decryption was successful.
+		 * 
+		 * @pre
+		 * - Size of the @p block buffer must >= <tt>RsaOaepEncryptor::kBlockSize</tt>.
+		 * - @p message_capacity >= (<tt>RsaOaepEncryptor::kBlockSize</tt> - (2 * <tt>HashFunction::kHashSize</tt>) - 2)
+		 * 
+		 * @post
+		 * - The decrypted message is written to <tt><var>message</var></tt>.
+		 * - The size of the decrypted message is written to <tt><var>message_size</var></tt>.
+		 * 
+		 * @details
+		 * This method decrypts a RSA-OAEP encrypted message, using an RSA private key.
+		 */
+	bool decrypt(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block)
+	{
+		if (mState != State::Initialized) { return false; }
+		if (block == nullptr) { return false; }
+		if (message == nullptr || message_capacity == 0) { return false; }
+
+		std::array<byte_t, kBlockSize> decrypted_block;
+
+		try {
+			mRsaImpl.privateTransform(decrypted_block.data(), block);
+		} catch (...) {
+			return false;
+		}
+				
+		return (mPadImpl.RecoverFromPad(message, message_capacity, message_size, mLabelDigest.data(), mLabelDigest.size(), decrypted_block.data(), decrypted_block.size()) == detail::RsaOaepPadding<HashFunction>::Result::kSuccess);
+	}
+
+private:
+	enum class State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+	tc::ByteData mLabelDigest;
+	detail::RsaImpl mRsaImpl;
+	detail::PrbgImpl mPrbgImpl;
+	detail::RsaOaepPadding<HashFunction> mPadImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha256Encryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha256Encryptor.h
new file mode 100644
index 00000000..a061e28a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha256Encryptor.h
@@ -0,0 +1,201 @@
+	/**
+	 * @file RsaOaepSha256Encryptor.h
+	 * @brief Declarations for API resources for RSA-OAEP-SHA2-256 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/RsaOaepEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa1024OaepSha256Encryptor
+	 * @brief Class for RSA1024-OAEP-SHA2-256 encryption/decryption.
+	 * 
+	 * @details This class encrypts/decrypts data using RSA1024-OAEP-SHA2-256.
+	 * For more information refer to @ref RsaOaepEncryptor.
+	 */
+using Rsa1024OaepSha256Encryptor = RsaOaepEncryptor<1024,Sha256Generator>;
+
+	/**
+	 * @typedef Rsa2048OaepSha256Encryptor
+	 * @brief Class for RSA2048-OAEP-SHA2-256 encryption/decryption.
+	 * 
+	 * @details This class encrypts/decrypts data using RSA2048-OAEP-SHA2-256.
+	 * For more information refer to @ref RsaOaepEncryptor.
+	 */
+using Rsa2048OaepSha256Encryptor = RsaOaepEncryptor<2048,Sha256Generator>;
+
+	/**
+	 * @typedef Rsa4096OaepSha256Encryptor
+	 * @brief Class for RSA4096-OAEP-SHA2-256 encryption/decryption.
+	 * 
+	 * @details This class encrypts/decrypts data using RSA4096-OAEP-SHA2-256.
+	 * For more information refer to @ref RsaOaepEncryptor.
+	 */
+using Rsa4096OaepSha256Encryptor = RsaOaepEncryptor<4096,Sha256Generator>;
+
+	/**
+	 * @brief Utility function for encrypting a message using RSA1024-OAEP-SHA2-256.
+	 * 
+	 * @param[out] block Pointer to the buffer storing the encrypted RSA block.
+	 * @param[in]  message Pointer to message.
+	 * @param[in]  message_size Size of message.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if encryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa1024OaepSha256Encryptor::kBlockSize</tt>.
+	 * - The maximum size for @p message_size is <tt>Rsa1024OaepSha256Encryptor::kBlockSize</tt> - (2 * <tt>Sha256Generator::kHashSize</tt>) - 2
+	 * 
+	 * @post
+	 * - The encrypted block is written to <tt><var>block</var></tt>.
+	 * 
+	 * @details
+	 * This function encrypts a message using RSA-OAEP, using an RSA public key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 * OAEP encoding uses a random seed, this function generates the seed internally. To manually specify the seed, please use the  @ref Rsa1024OaepSha256Encryptor class directly.
+	 */
+bool EncryptRsa1024OaepSha256(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility for decrypting a RSA1024-OAEP-SHA2-256 encrypted message.
+	 * 
+	 * @param[out] message Pointer to the buffer storing the decrypted message.
+	 * @param[out] message_size Size of decrypted @p message.
+	 * @param[in]  message_capacity Capacity of @p message buffer.
+	 * @param[in]  block Pointer to encrypted RSA-OAEP block.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if decryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa1024OaepSha256Encryptor::kBlockSize</tt>.
+	 * - @p message_capacity >= (<tt>Rsa1024OaepSha256Encryptor::kBlockSize</tt> - (2 * <tt>Sha256Generator::kHashSize</tt>) - 2)
+	 * 
+	 * @post
+	 * - The decrypted message is written to <tt><var>message</var></tt>.
+	 * - The size of the decrypted message is written to <tt><var>message_size</var></tt>.
+	 * 
+	 * @details
+	 * This function decrypts a RSA-OAEP encrypted message, using an RSA private key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 */
+bool DecryptRsa1024OaepSha256(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility function for encrypting a message using RSA2048-OAEP-SHA2-256.
+	 * 
+	 * @param[out] block Pointer to the buffer storing the encrypted RSA block.
+	 * @param[in]  message Pointer to message.
+	 * @param[in]  message_size Size of message.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if encryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa2048OaepSha256Encryptor::kBlockSize</tt>.
+	 * - The maximum size for @p message_size is <tt>Rsa2048OaepSha256Encryptor::kBlockSize</tt> - (2 * <tt>Sha256Generator::kHashSize</tt>) - 2
+	 * 
+	 * @post
+	 * - The encrypted block is written to <tt><var>block</var></tt>.
+	 * 
+	 * @details
+	 * This function encrypts a message using RSA-OAEP, using an RSA public key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 * OAEP encoding uses a random seed, this function generates the seed internally. To manually specify the seed, please use the  @ref Rsa2048OaepSha256Encryptor class directly.
+	 */
+bool EncryptRsa2048OaepSha256(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility for decrypting a RSA2048-OAEP-SHA2-256 encrypted message.
+	 * 
+	 * @param[out] message Pointer to the buffer storing the decrypted message.
+	 * @param[out] message_size Size of decrypted @p message.
+	 * @param[in]  message_capacity Capacity of @p message buffer.
+	 * @param[in]  block Pointer to encrypted RSA-OAEP block.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if decryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa2048OaepSha256Encryptor::kBlockSize</tt>.
+	 * - @p message_capacity >= (<tt>Rsa2048OaepSha256Encryptor::kBlockSize</tt> - (2 * <tt>Sha256Generator::kHashSize</tt>) - 2)
+	 * 
+	 * @post
+	 * - The decrypted message is written to <tt><var>message</var></tt>.
+	 * - The size of the decrypted message is written to <tt><var>message_size</var></tt>.
+	 * 
+	 * @details
+	 * This function decrypts a RSA-OAEP encrypted message, using an RSA private key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 */
+bool DecryptRsa2048OaepSha256(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility function for encrypting a message using RSA4096-OAEP-SHA2-256.
+	 * 
+	 * @param[out] block Pointer to the buffer storing the encrypted RSA block.
+	 * @param[in]  message Pointer to message.
+	 * @param[in]  message_size Size of message.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if encryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa4096OaepSha256Encryptor::kBlockSize</tt>.
+	 * - The maximum size for @p message_size is <tt>Rsa4096OaepSha256Encryptor::kBlockSize</tt> - (2 * <tt>Sha256Generator::kHashSize</tt>) - 2
+	 * 
+	 * @post
+	 * - The encrypted block is written to <tt><var>block</var></tt>.
+	 * 
+	 * @details
+	 * This function encrypts a message using RSA-OAEP, using an RSA public key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 * OAEP encoding uses a random seed, this function generates the seed internally. To manually specify the seed, please use the  @ref Rsa4096OaepSha256Encryptor class directly.
+	 */
+bool EncryptRsa4096OaepSha256(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility for decrypting a RSA4096-OAEP-SHA2-256 encrypted message.
+	 * 
+	 * @param[out] message Pointer to the buffer storing the decrypted message.
+	 * @param[out] message_size Size of decrypted @p message.
+	 * @param[in]  message_capacity Capacity of @p message buffer.
+	 * @param[in]  block Pointer to encrypted RSA-OAEP block.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if decryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa4096OaepSha256Encryptor::kBlockSize</tt>.
+	 * - @p message_capacity >= (<tt>Rsa4096OaepSha256Encryptor::kBlockSize</tt> - (2 * <tt>Sha256Generator::kHashSize</tt>) - 2)
+	 * 
+	 * @post
+	 * - The decrypted message is written to <tt><var>message</var></tt>.
+	 * - The size of the decrypted message is written to <tt><var>message_size</var></tt>.
+	 * 
+	 * @details
+	 * This function decrypts a RSA-OAEP encrypted message, using an RSA private key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 */
+bool DecryptRsa4096OaepSha256(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha512Encryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha512Encryptor.h
new file mode 100644
index 00000000..ee0d458a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaOaepSha512Encryptor.h
@@ -0,0 +1,139 @@
+	/**
+	 * @file RsaOaepSha512Encryptor.h
+	 * @brief Declarations for API resources for RSA-OAEP-SHA2-512 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/10/17
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha512Generator.h>
+#include <tc/crypto/RsaOaepEncryptor.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa2048OaepSha512Encryptor
+	 * @brief Class for RSA2048-OAEP-SHA2-512 encryption/decryption.
+	 * 
+	 * @details This class encrypts/decrypts data using RSA2048-OAEP-SHA2-512.
+	 * For more information refer to @ref RsaOaepEncryptor.
+	 */
+using Rsa2048OaepSha512Encryptor = RsaOaepEncryptor<2048,Sha512Generator>;
+
+	/**
+	 * @typedef Rsa4096OaepSha512Encryptor
+	 * @brief Class for RSA4096-OAEP-SHA2-512 encryption/decryption.
+	 * 
+	 * @details This class encrypts/decrypts data using RSA4096-OAEP-SHA2-512.
+	 * For more information refer to @ref RsaOaepEncryptor.
+	 */
+using Rsa4096OaepSha512Encryptor = RsaOaepEncryptor<4096,Sha512Generator>;
+
+	/**
+	 * @brief Utility function for encrypting a message using RSA2048-OAEP-SHA2-512.
+	 * 
+	 * @param[out] block Pointer to the buffer storing the encrypted RSA block.
+	 * @param[in]  message Pointer to message.
+	 * @param[in]  message_size Size of message.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if encryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa2048OaepSha512Encryptor::kBlockSize</tt>.
+	 * - The maximum size for @p message_size is <tt>Rsa2048OaepSha512Encryptor::kBlockSize</tt> - (2 * <tt>Sha512Generator::kHashSize</tt>) - 2
+	 * 
+	 * @post
+	 * - The encrypted block is written to <tt><var>block</var></tt>.
+	 * 
+	 * @details
+	 * This function encrypts a message using RSA-OAEP, using an RSA public key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 * OAEP encoding uses a random seed, this function generates the seed internally. To manually specify the seed, please use the  @ref Rsa2048OaepSha512Encryptor class directly.
+	 */
+bool EncryptRsa2048OaepSha512(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility for decrypting a RSA2048-OAEP-SHA2-512 encrypted message.
+	 * 
+	 * @param[out] message Pointer to the buffer storing the decrypted message.
+	 * @param[out] message_size Size of decrypted @p message.
+	 * @param[in]  message_capacity Capacity of @p message buffer.
+	 * @param[in]  block Pointer to encrypted RSA-OAEP block.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if decryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa2048OaepSha512Encryptor::kBlockSize</tt>.
+	 * - @p message_capacity >= (<tt>Rsa2048OaepSha512Encryptor::kBlockSize</tt> - (2 * <tt>Sha512Generator::kHashSize</tt>) - 2)
+	 * 
+	 * @post
+	 * - The decrypted message is written to <tt><var>message</var></tt>.
+	 * - The size of the decrypted message is written to <tt><var>message_size</var></tt>.
+	 * 
+	 * @details
+	 * This function decrypts a RSA-OAEP encrypted message, using an RSA private key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 */
+bool DecryptRsa2048OaepSha512(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility function for encrypting a message using RSA4096-OAEP-SHA2-512.
+	 * 
+	 * @param[out] block Pointer to the buffer storing the encrypted RSA block.
+	 * @param[in]  message Pointer to message.
+	 * @param[in]  message_size Size of message.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if encryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa4096OaepSha512Encryptor::kBlockSize</tt>.
+	 * - The maximum size for @p message_size is <tt>Rsa4096OaepSha512Encryptor::kBlockSize</tt> - (2 * <tt>Sha512Generator::kHashSize</tt>) - 2
+	 * 
+	 * @post
+	 * - The encrypted block is written to <tt><var>block</var></tt>.
+	 * 
+	 * @details
+	 * This function encrypts a message using RSA-OAEP, using an RSA public key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 * OAEP encoding uses a random seed, this function generates the seed internally. To manually specify the seed, please use the  @ref Rsa4096OaepSha512Encryptor class directly.
+	 */
+bool EncryptRsa4096OaepSha512(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+	/**
+	 * @brief Utility for decrypting a RSA4096-OAEP-SHA2-512 encrypted message.
+	 * 
+	 * @param[out] message Pointer to the buffer storing the decrypted message.
+	 * @param[out] message_size Size of decrypted @p message.
+	 * @param[in]  message_capacity Capacity of @p message buffer.
+	 * @param[in]  block Pointer to encrypted RSA-OAEP block.
+	 * @param[in]  key RSA key data.
+	 * @param[in]  label OAEP label data.
+	 * @param[in]  label_size Size in bytes of OAEP label data.
+	 * @param[in]  isLabelDigested Boolean indicating if label data has already been digested. False is the default (label is in raw form).
+	 * @return true if decryption was successful.
+	 * 
+	 * @pre
+	 * - Size of the @p block buffer must >= <tt>Rsa4096OaepSha512Encryptor::kBlockSize</tt>.
+	 * - @p message_capacity >= (<tt>Rsa4096OaepSha512Encryptor::kBlockSize</tt> - (2 * <tt>Sha512Generator::kHashSize</tt>) - 2)
+	 * 
+	 * @post
+	 * - The decrypted message is written to <tt><var>message</var></tt>.
+	 * - The size of the decrypted message is written to <tt><var>message_size</var></tt>.
+	 * 
+	 * @details
+	 * This function decrypts a RSA-OAEP encrypted message, using an RSA private key.
+	 * OAEP encoding uses a label (which is digested using a hash algorithm) as part of the MGF1 masking process. It is possible to specify a pre-digested label instead, in which case set @p isLabelDigested to true.
+	 */
+bool DecryptRsa4096OaepSha512(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested = false);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Md5Signer.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Md5Signer.h
new file mode 100644
index 00000000..4d7d0b54
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Md5Signer.h
@@ -0,0 +1,144 @@
+	/**
+	 * @file RsaPkcs1Md5Signer.h
+	 * @brief Declarations for API resources for RSA-PKCS1-MD5 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Md5Generator.h>
+#include <tc/crypto/RsaPkcs1Signer.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa1024Pkcs1Md5Signer
+	 * @brief Class for generating and verifying RSA1024-PKCS1-MD5 signatures.
+	 * 
+	 * @details This class uses RSA1024-PKCS1 to sign/validate MD5 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa1024Pkcs1Md5Signer = RsaPkcs1Signer<1024,Md5Generator>;
+
+	/**
+	 * @typedef Rsa2048Pkcs1Md5Signer
+	 * @brief Class for generating and verifying RSA2048-PKCS1-MD5 signatures.
+	 * 
+	 * @details This class uses RSA2048-PKCS1 to sign/validate MD5 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa2048Pkcs1Md5Signer = RsaPkcs1Signer<2048,Md5Generator>;
+
+	/**
+	 * @typedef Rsa4096Pkcs1Md5Signer
+	 * @brief Class for generating and verifying RSA4096-PKCS1-MD5 signatures.
+	 * 
+	 * @details This class uses RSA4096-PKCS1 to sign/validate MD5 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa4096Pkcs1Md5Signer = RsaPkcs1Signer<4096,Md5Generator>;
+
+	/**
+	 * @brief Utility function for calculating a RSA1024-PKCS1-MD5 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa1024Pkcs1Md5Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Md5Generator class.
+	 */
+bool SignRsa1024Pkcs1Md5(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA1024-PKCS1-MD5 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Md5Generator class.
+	 */
+bool VerifyRsa1024Pkcs1Md5(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA2048-PKCS1-MD5 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa2048Pkcs1Md5Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Md5Generator class.
+	 */
+bool SignRsa2048Pkcs1Md5(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA2048-PKCS1-MD5 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Md5Generator class.
+	 */
+bool VerifyRsa2048Pkcs1Md5(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA4096-PKCS1-MD5 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa4096Pkcs1Md5Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Md5Generator class.
+	 */
+bool SignRsa4096Pkcs1Md5(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA4096-PKCS1-MD5 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Md5Generator class.
+	 */
+bool VerifyRsa4096Pkcs1Md5(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha1Signer.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha1Signer.h
new file mode 100644
index 00000000..e9afffb7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha1Signer.h
@@ -0,0 +1,144 @@
+	/**
+	 * @file RsaPkcs1Sha1Signer.h
+	 * @brief Declarations for API resources for RSA-PKCS1-SHA1 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha1Generator.h>
+#include <tc/crypto/RsaPkcs1Signer.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa1024Pkcs1Sha1Signer
+	 * @brief Class for generating and verifying RSA1024-PKCS1-SHA1 signatures.
+	 * 
+	 * @details This class uses RSA1024-PKCS1 to sign/validate SHA1 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa1024Pkcs1Sha1Signer = RsaPkcs1Signer<1024,Sha1Generator>;
+
+	/**
+	 * @typedef Rsa2048Pkcs1Sha1Signer
+	 * @brief Class for generating and verifying RSA2048-PKCS1-SHA1 signatures.
+	 * 
+	 * @details This class uses RSA2048-PKCS1 to sign/validate SHA1 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa2048Pkcs1Sha1Signer = RsaPkcs1Signer<2048,Sha1Generator>;
+
+	/**
+	 * @typedef Rsa4096Pkcs1Sha1Signer
+	 * @brief Class for generating and verifying RSA4096-PKCS1-SHA1 signatures.
+	 * 
+	 * @details This class uses RSA4096-PKCS1 to sign/validate SHA1 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa4096Pkcs1Sha1Signer = RsaPkcs1Signer<4096,Sha1Generator>;
+
+	/**
+	 * @brief Utility function for calculating a RSA1024-PKCS1-SHA1 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa1024Pkcs1Sha1Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha1Generator class.
+	 */
+bool SignRsa1024Pkcs1Sha1(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA1024-PKCS1-SHA1 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha1Generator class.
+	 */
+bool VerifyRsa1024Pkcs1Sha1(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA2048-PKCS1-SHA1 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa2048Pkcs1Sha1Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha1Generator class.
+	 */
+bool SignRsa2048Pkcs1Sha1(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA2048-PKCS1-SHA1 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha1Generator class.
+	 */
+bool VerifyRsa2048Pkcs1Sha1(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA4096-PKCS1-SHA1 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa4096Pkcs1Sha1Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha1Generator class.
+	 */
+bool SignRsa4096Pkcs1Sha1(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA4096-PKCS1-SHA1 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha1Generator class.
+	 */
+bool VerifyRsa4096Pkcs1Sha1(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha256Signer.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha256Signer.h
new file mode 100644
index 00000000..f975b0f6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha256Signer.h
@@ -0,0 +1,144 @@
+	/**
+	 * @file RsaPkcs1Sha256Signer.h
+	 * @brief Declarations for API resources for RSA-PKCS1-SHA2-256 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/RsaPkcs1Signer.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa1024Pkcs1Sha256Signer
+	 * @brief Class for generating and verifying RSA1024-PKCS1-SHA2-256 signatures.
+	 * 
+	 * @details This class uses RSA1024-PKCS1 to sign/validate SHA2-256 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa1024Pkcs1Sha256Signer = RsaPkcs1Signer<1024,Sha256Generator>;
+
+	/**
+	 * @typedef Rsa2048Pkcs1Sha256Signer
+	 * @brief Class for generating and verifying RSA2048-PKCS1-SHA2-256 signatures.
+	 * 
+	 * @details This class uses RSA2048-PKCS1 to sign/validate SHA2-256 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa2048Pkcs1Sha256Signer = RsaPkcs1Signer<2048,Sha256Generator>;
+
+	/**
+	 * @typedef Rsa4096Pkcs1Sha256Signer
+	 * @brief Class for generating and verifying RSA4096-PKCS1-SHA2-256 signatures.
+	 * 
+	 * @details This class uses RSA4096-PKCS1 to sign/validate SHA2-256 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa4096Pkcs1Sha256Signer = RsaPkcs1Signer<4096,Sha256Generator>;
+
+	/**
+	 * @brief Utility function for calculating a RSA1024-PKCS1-SHA2-256 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa1024Pkcs1Sha256Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool SignRsa1024Pkcs1Sha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA1024-PKCS1-SHA2-256 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool VerifyRsa1024Pkcs1Sha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA2048-PKCS1-SHA2-256 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa2048Pkcs1Sha256Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool SignRsa2048Pkcs1Sha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA2048-PKCS1-SHA2-256 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool VerifyRsa2048Pkcs1Sha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA4096-PKCS1-SHA2-256 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa4096Pkcs1Sha256Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool SignRsa4096Pkcs1Sha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA4096-PKCS1-SHA2-256 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool VerifyRsa4096Pkcs1Sha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha512Signer.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha512Signer.h
new file mode 100644
index 00000000..0f7c9433
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Sha512Signer.h
@@ -0,0 +1,144 @@
+	/**
+	 * @file RsaPkcs1Sha512Signer.h
+	 * @brief Declarations for API resources for RSA-PKCS1-SHA2-512 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha512Generator.h>
+#include <tc/crypto/RsaPkcs1Signer.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa1024Pkcs1Sha512Signer
+	 * @brief Class for generating and verifying RSA1024-PKCS1-SHA2-512 signatures.
+	 * 
+	 * @details This class uses RSA1024-PKCS1 to sign/validate SHA2-512 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa1024Pkcs1Sha512Signer = RsaPkcs1Signer<1024,Sha512Generator>;
+
+	/**
+	 * @typedef Rsa2048Pkcs1Sha512Signer
+	 * @brief Class for generating and verifying RSA2048-PKCS1-SHA2-512 signatures.
+	 * 
+	 * @details This class uses RSA2048-PKCS1 to sign/validate SHA2-512 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa2048Pkcs1Sha512Signer = RsaPkcs1Signer<2048,Sha512Generator>;
+
+	/**
+	 * @typedef Rsa4096Pkcs1Sha512Signer
+	 * @brief Class for generating and verifying RSA4096-PKCS1-SHA2-512 signatures.
+	 * 
+	 * @details This class uses RSA4096-PKCS1 to sign/validate SHA2-512 message digests.
+	 * For more information refer to @ref RsaPkcs1Signer.
+	 */
+using Rsa4096Pkcs1Sha512Signer = RsaPkcs1Signer<4096,Sha512Generator>;
+
+	/**
+	 * @brief Utility function for calculating a RSA1024-PKCS1-SHA2-512 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa1024Pkcs1Sha512Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool SignRsa1024Pkcs1Sha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA1024-PKCS1-SHA2-512 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool VerifyRsa1024Pkcs1Sha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA2048-PKCS1-SHA2-512 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa2048Pkcs1Sha512Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool SignRsa2048Pkcs1Sha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA2048-PKCS1-SHA2-512 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool VerifyRsa2048Pkcs1Sha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA4096-PKCS1-SHA2-512 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa4096Pkcs1Sha512Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool SignRsa4096Pkcs1Sha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA4096-PKCS1-SHA2-512 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool VerifyRsa4096Pkcs1Sha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Signer.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Signer.h
new file mode 100644
index 00000000..fdc37cec
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPkcs1Signer.h
@@ -0,0 +1,172 @@
+	/**
+	 * @file RsaPkcs1Signer.h
+	 * @brief Declaration of tc::crypto::RsaPkcs1Signer
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/RsaImpl.h>
+#include <tc/crypto/detail/RsaPkcs1Padding.h>
+#include <tc/crypto/RsaKey.h>
+
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class RsaPkcs1Signer
+	 * @brief Class for calculating an RSA-PKCS1 signature.
+	 * 
+	 * @tparam KeyBitSize RSA key size in bits.
+	 * @tparam HashFunction The class that implements the hash function used with RSA-PKCS1.
+	 * 
+	 * @details
+	 * This class is a template class that takes a hash function implementation class as template parameter.
+	 * See @ref Rsa2048Pkcs1Sha256Signer or similar for supplied realizations of this template class.
+	 * 
+	 * The <var>KeyBitSize</var> is the size in bits of the RSA key, this only supports key sizes aligned to 8 bits.
+	 * 
+	 * The implementation of <var>HashFunction</var> must satisfies the following conditions.
+	 * See @ref Sha256Generator or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a <tt>kAsn1OidDataSize</tt> constant that defines the size of the ASN.1 encoded OID for the hash algorithm
+	 * -# Has a <tt>kAsn1OidData</tt> constant that defines the ASN.1 encoded OID for the hash algorithm
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kHashSize</tt> constant that defines the output size of the hash value.
+	 * -# Has an <tt>initialize</tt> method that begins processing.
+	 * -# Has an <tt>update</tt> method that updates the hash value on input.
+	 * -# Has a <tt>getHash</tt> method that gets the final hash value.
+	 * 
+	 * This class has two states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize RSA Signer state with @ref initialize().
+	 * - Sign/Verify message digest with @ref sign() / @ref verify().
+	 */
+template <size_t KeyBitSize, class HashFunction>
+class RsaPkcs1Signer
+{
+public:
+	static_assert((KeyBitSize % 8) == 0, "KeyBitSize must be 8 bit aligned.");
+
+	static const size_t kSignatureSize = KeyBitSize >> 3; /**< RSA-PKCS1 signature size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	RsaPkcs1Signer() :
+		mState(State::None),
+		mRsaImpl(),
+		mPadImpl()
+	{}
+
+		/**
+		 * @brief Initializes the signature calculation.
+		 * 
+		 * @param[in] key RSA key data.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the RSA calculation state with an RSA key.
+		 */
+	void initialize(const RsaKey& key)
+	{
+		if (key.n.size() == 0 || (key.d.size() == 0 && key.e.size() == 0))
+		{
+			throw tc::ArgumentNullException("RsaPkcs1Signer::initialize()", "key does not have minimal required key-data.");
+		}
+
+		mRsaImpl.initialize(KeyBitSize, key.n.data(), key.n.size(), nullptr, 0, nullptr, 0, key.d.data(), key.d.size(), key.e.data(), key.e.size());
+		
+		mState = State::Initialized;
+	}
+	
+		/**
+		 * @brief Calculate RSA-PKCS1 signature.
+		 * 
+		 * @param[out] signature Pointer to the buffer storing the signature.
+		 * @param[in]  message_digest Pointer to message digest.
+		 * @return true if signature calculation was successful.
+		 * 
+		 * @pre
+		 * - Size of the signature buffer must >= <tt>Rsa1024Pkcs1Sha256Signer::kSignatureSize</tt>.
+		 * 
+		 * @post
+		 * - The signature is written to <tt><var>signature</var></tt>.
+		 * 
+		 * @details
+		 * This function calculates a signature for a message digest.
+		 */
+	bool sign(byte_t* signature, const byte_t* message_digest)
+	{
+		if (mState != State::Initialized) { return false; }
+		if (signature == nullptr) { return false; }
+		if (message_digest == nullptr) { return false; }
+
+		std::array<byte_t, kSignatureSize> block;
+		memset(block.data(), 0, block.size());
+
+		if (mPadImpl.BuildPad(block.data(), block.size(), message_digest, HashFunction::kHashSize) != detail::RsaPkcs1Padding<HashFunction>::Result::kSuccess)
+		{
+			return false;
+		} 
+
+		try{
+			mRsaImpl.privateTransform(signature, block.data());
+		} 
+		catch (...)	{
+			return false;
+		}
+
+		return true;
+	}
+
+		/**
+		 * @brief Verify RSA-PKCS1 signature.
+		 * 
+		 * @param[in] signature Pointer to signature.
+		 * @param[in] message_digest Pointer to message digest.
+		 * @return true if the signature is valid, otherwise false.
+		 * 
+		 * @details
+		 * This function verifies a signature for a message digest.
+		 */
+	bool verify(const byte_t* signature, const byte_t* message_digest)
+	{
+		if (mState != State::Initialized) { return false; }
+		if (signature == nullptr) { return false; }
+		if (message_digest == nullptr) { return false; }
+
+		std::array<byte_t, kSignatureSize> block;
+		memcpy(block.data(), signature, block.size());
+
+		try {
+			mRsaImpl.publicTransform(block.data(), signature);
+		} catch (...) {
+			return false;
+		}
+
+		return (mPadImpl.CheckPad(message_digest, HashFunction::kHashSize, block.data(), block.size()) == detail::RsaPkcs1Padding<HashFunction>::Result::kSuccess);
+	}
+
+private:
+	enum class State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+	detail::RsaImpl mRsaImpl;
+	detail::RsaPkcs1Padding<HashFunction> mPadImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha256Signer.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha256Signer.h
new file mode 100644
index 00000000..6c345360
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha256Signer.h
@@ -0,0 +1,144 @@
+	/**
+	 * @file RsaPssSha256Signer.h
+	 * @brief Declarations for API resources for RSA-PSS-SHA2-256 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/RsaPssSigner.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa1024PssSha256Signer
+	 * @brief Class for generating and verifying RSA1024-PSS-SHA2-256 signatures.
+	 * 
+	 * @details This class uses RSA1024-PSS to sign/validate SHA2-256 message digests.
+	 * For more information refer to @ref RsaPssSigner.
+	 */
+using Rsa1024PssSha256Signer = RsaPssSigner<1024,Sha256Generator>;
+
+	/**
+	 * @typedef Rsa2048PssSha256Signer
+	 * @brief Class for generating and verifying RSA2048-PSS-SHA2-256 signatures.
+	 * 
+	 * @details This class uses RSA2048-PSS to sign/validate SHA2-256 message digests.
+	 * For more information refer to @ref RsaPssSigner.
+	 */
+using Rsa2048PssSha256Signer = RsaPssSigner<2048,Sha256Generator>;
+
+	/**
+	 * @typedef Rsa4096PssSha256Signer
+	 * @brief Class for generating and verifying RSA4096-PSS-SHA2-256 signatures.
+	 * 
+	 * @details This class uses RSA4096-PSS to sign/validate SHA2-256 message digests.
+	 * For more information refer to @ref RsaPssSigner.
+	 */
+using Rsa4096PssSha256Signer = RsaPssSigner<4096,Sha256Generator>;
+
+	/**
+	 * @brief Utility function for calculating a RSA1024-PSS-SHA2-256 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa1024PssSha256Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool SignRsa1024PssSha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA1024-PSS-SHA2-256 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool VerifyRsa1024PssSha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA2048-PSS-SHA2-256 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa2048PssSha256Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool SignRsa2048PssSha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA2048-PSS-SHA2-256 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool VerifyRsa2048PssSha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA4096-PSS-SHA2-256 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa4096PssSha256Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool SignRsa4096PssSha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA4096-PSS-SHA2-256 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha256Generator class.
+	 */
+bool VerifyRsa4096PssSha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha512Signer.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha512Signer.h
new file mode 100644
index 00000000..a428d15d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSha512Signer.h
@@ -0,0 +1,144 @@
+	/**
+	 * @file RsaPssSha512Signer.h
+	 * @brief Declarations for API resources for RSA-PSS-SHA2-512 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/Sha512Generator.h>
+#include <tc/crypto/RsaPssSigner.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @typedef Rsa1024PssSha512Signer
+	 * @brief Class for generating and verifying RSA1024-PSS-SHA2-512 signatures.
+	 * 
+	 * @details This class uses RSA1024-PSS to sign/validate SHA2-512 message digests.
+	 * For more information refer to @ref RsaPssSigner.
+	 */
+using Rsa1024PssSha512Signer = RsaPssSigner<1024,Sha512Generator>;
+
+	/**
+	 * @typedef Rsa2048PssSha512Signer
+	 * @brief Class for generating and verifying RSA2048-PSS-SHA2-512 signatures.
+	 * 
+	 * @details This class uses RSA2048-PSS to sign/validate SHA2-512 message digests.
+	 * For more information refer to @ref RsaPssSigner.
+	 */
+using Rsa2048PssSha512Signer = RsaPssSigner<2048,Sha512Generator>;
+
+	/**
+	 * @typedef Rsa4096PssSha512Signer
+	 * @brief Class for generating and verifying RSA4096-PSS-SHA2-512 signatures.
+	 * 
+	 * @details This class uses RSA4096-PSS to sign/validate SHA2-512 message digests.
+	 * For more information refer to @ref RsaPssSigner.
+	 */
+using Rsa4096PssSha512Signer = RsaPssSigner<4096,Sha512Generator>;
+
+	/**
+	 * @brief Utility function for calculating a RSA1024-PSS-SHA2-512 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa1024PssSha512Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool SignRsa1024PssSha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA1024-PSS-SHA2-512 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool VerifyRsa1024PssSha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA2048-PSS-SHA2-512 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa2048PssSha512Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool SignRsa2048PssSha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA2048-PSS-SHA2-512 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool VerifyRsa2048PssSha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for calculating a RSA4096-PSS-SHA2-512 signature.
+	 * 
+	 * @param[out] signature Pointer to the buffer storing the signature.
+	 * @param[in]  message_digest Pointer to message digest.
+	 * @param[in]  key Reference to RSA private key.
+	 * @return true if signature calculation was successful.
+	 * 
+	 * @pre
+	 * - Size of the signature buffer must >= <tt>Rsa4096PssSha512Signer::kSignatureSize</tt>.
+	 * 
+	 * @post
+	 * - The signature is written to <tt><var>signature</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool SignRsa4096PssSha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+	/**
+	 * @brief Utility function for verfifying a RSA4096-PSS-SHA2-512 signature.
+	 * 
+	 * @param[in] signature Pointer to signature.
+	 * @param[in] message_digest Pointer to message digest.
+	 * @param[in] key Reference to RSA public key.
+	 * @return true if the signature is valid, otherwise false.
+	 * 
+	 * @details
+	 * This function verifies a signature for a message digest.
+	 * To calculate a message digest use the @ref Sha512Generator class.
+	 */
+bool VerifyRsa4096PssSha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key);
+
+}} // namespace tc::crypto
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSigner.h b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSigner.h
new file mode 100644
index 00000000..534a1bb6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/RsaPssSigner.h
@@ -0,0 +1,208 @@
+	/**
+	 * @file RsaPssSigner.h
+	 * @brief Declaration of tc::crypto::RsaPssSigner
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/09/28
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/RsaImpl.h>
+#include <tc/crypto/detail/PrbgImpl.h>
+#include <tc/crypto/detail/RsaPssPadding.h>
+#include <tc/crypto/RsaKey.h>
+
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class RsaPssSigner
+	 * @brief Class for calculating an RSA-PSS signature.
+	 * 
+	 * @tparam KeyBitSize RSA key size in bits.
+	 * @tparam HashFunction The class that implements the hash function used with RSA-PSS.
+	 * 
+	 * @details
+	 * This class is a template class that takes a hash function implementation class as template parameter.
+	 * See @ref Rsa2048PssSha256Signer or similar for supplied realizations of this template class.
+	 * 
+	 * The <var>KeyBitSize</var> is the size in bits of the RSA key, this only supports key sizes aligned to 8 bits.
+	 * 
+	 * The implementation of <var>HashFunction</var> must satisfies the following conditions.
+	 * See @ref Sha256Generator or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kHashSize</tt> constant that defines the output size of the hash value.
+	 * -# Has an <tt>initialize</tt> method that begins processing.
+	 * -# Has an <tt>update</tt> method that updates the hash value on input.
+	 * -# Has a <tt>getHash</tt> method that gets the final hash value.
+	 * 
+	 * This class has two states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize RSA Signer state with @ref initialize().
+	 * - Sign/Verify message digest with @ref sign() / @ref verify().
+	 */
+template <size_t KeyBitSize, class HashFunction>
+class RsaPssSigner
+{
+public:
+	static_assert((KeyBitSize % 8) == 0, "KeyBitSize must be 8 bit aligned.");
+
+	static const size_t kSignatureSize = KeyBitSize >> 3; /**< RSA-PSS signature size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	RsaPssSigner() :
+		mState(State::None),
+		mRsaImpl(),
+		mPrbgImpl(),
+		mPadImpl()
+	{}
+
+		/**
+		 * @brief Initializes the signature calculation.
+		 * 
+		 * @param[in] key RSA key data.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the RSA calculation state with an RSA key.
+		 */
+	void initialize(const RsaKey& key)
+	{
+		if (key.n.size() == 0 || (key.d.size() == 0 && key.e.size() == 0))
+		{
+			throw tc::ArgumentNullException("RsaPssSigner::initialize()", "key does not have minimal required key-data.");
+		}
+
+		mRsaImpl.initialize(KeyBitSize, key.n.data(), key.n.size(), nullptr, 0, nullptr, 0, key.d.data(), key.d.size(), key.e.data(), key.e.size());
+		
+		mState = State::Initialized;
+	}
+	
+		/**
+		 * @brief Calculate RSA-PSS signature.
+		 * 
+		 * @param[out] signature Pointer to the buffer storing the signature.
+		 * @param[in]  message_digest Pointer to message digest.
+		 * @return true if signature calculation was successful.
+		 * 
+		 * @pre
+		 * - Size of the signature buffer must >= <tt>Rsa1024PssSha256Signer::kSignatureSize</tt>.
+		 * 
+		 * @post
+		 * - The signature is written to <tt><var>signature</var></tt>.
+		 * 
+		 * @details
+		 * This function calculates a signature for a message digest.
+		 * This generates the salt internally. To manually specify the salt, please use the alternative @ref sign() method.
+		 */
+	bool sign(byte_t* signature, const byte_t* message_digest)
+	{
+		if (mState != State::Initialized) { return false; }
+
+		std::array<byte_t, HashFunction::kHashSize> salt;
+		mPrbgImpl.getBytes(salt.data(), salt.size());
+		// usable_salt_size: salt.size(), but if the blocksize isn't big enough, then its = KeySize - (HashFunction::kHashSize + 2)
+		// this may produce an illegal salt size (salt_size < HashFunction::kHashSize - 2), but this will be caught by BuildPad()
+		size_t usable_salt_size = std::min<size_t>(salt.size(), kSignatureSize - (HashFunction::kHashSize + 2));
+
+		return sign(signature, message_digest, salt.data(), usable_salt_size);
+	}
+
+		/**
+		 * @brief Calculate RSA-PSS signature.
+		 * 
+		 * @param[out] signature Pointer to the buffer storing the signature.
+		 * @param[in]  message_digest Pointer to message digest.
+		 * @param[in]  salt Pointer to salt.
+		 * @param[in]  salt_size Size of @p salt.
+		 * @return true if signature calculation was successful.
+		 * 
+		 * @pre
+		 * - Size of the signature buffer must >= <tt>Rsa1024PssSha256Signer::kSignatureSize</tt>.
+		 * - The data in @p salt should be random, otherwise the signature strength is reduced.
+		 * - Where KeySize >= (HashCalculator::kHashSize * 2 + 2) @p salt_size = HashCalculator::kHashSize. Otherwise @p salt_size = KeySize - (HashCalculator::kHashSize + 2). However the minimum legal salt size is (HashCalculator::kHashSize - 2), if the salt_size falls below this consider a larger KeySize as this operation will not complete successfully.
+		 * 
+		 * @post
+		 * - The signature is written to <tt><var>signature</var></tt>.
+		 * 
+		 * @details
+		 * This function calculates a signature for a message digest.
+		 */
+	bool sign(byte_t* signature, const byte_t* message_digest, const byte_t* salt, size_t salt_size)
+	{
+		if (mState != State::Initialized) { return false; }
+		if (signature == nullptr) { return false; }
+		if (message_digest == nullptr) { return false; }
+		if (salt == nullptr || salt_size == 0) { return false; }
+
+		std::array<byte_t, kSignatureSize> block;
+		memset(block.data(), 0, block.size());
+
+		if (mPadImpl.BuildPad(block.data(), block.size(), message_digest, HashFunction::kHashSize, salt, salt_size, KeyBitSize - 1) != detail::RsaPssPadding<HashFunction>::Result::kSuccess)
+		{
+			return false;
+		} 
+
+		try {
+			mRsaImpl.privateTransform(signature, block.data());
+		} 
+		catch (...) {
+			return false;
+		}
+
+		return true;
+	}
+
+		/**
+		 * @brief Verify RSA-PSS signature.
+		 * 
+		 * @param[in] signature Pointer to signature.
+		 * @param[in] message_digest Pointer to message digest.
+		 * @return true if the signature is valid, otherwise false.
+		 * 
+		 * @details
+		 * This function verifies a signature for a message digest.
+		 */
+	bool verify(const byte_t* signature, const byte_t* message_digest)
+	{
+		if (mState != State::Initialized) { return false; }
+		if (signature == nullptr) { return false; }
+		if (message_digest == nullptr) { return false; }
+
+		std::array<byte_t, kSignatureSize> block;
+		memcpy(block.data(), signature, block.size());
+
+		try {
+			mRsaImpl.publicTransform(block.data(), signature);
+		} catch (...) {
+			return false;
+		}
+
+		return (mPadImpl.CheckPad(message_digest, HashFunction::kHashSize, block.data(), block.size(), kSignatureSize - 1) == detail::RsaPssPadding<HashFunction>::Result::kSuccess);
+	}
+
+private:
+	enum class State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+	detail::RsaImpl mRsaImpl;
+	detail::PrbgImpl mPrbgImpl;
+	detail::RsaPssPadding<HashFunction> mPadImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Sha1Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Sha1Generator.h
new file mode 100644
index 00000000..6e2a5e8b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Sha1Generator.h
@@ -0,0 +1,221 @@
+	/**
+	 * @file Sha1Generator.h
+	 * @brief Declarations for API resources for SHA1 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2020/06/01
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/Sha1Impl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Sha1Generator
+	 * @brief Class for calculating SHA1 hash.
+	 * 
+	 * @warning SHA1 is considered a weak message digest and its use constitutes a security risk. It should only be used to maintain compatibility with legacy systems.
+	 * 
+	 * @details
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * - Done : Hash value is calculated
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize Hash Generator state with @ref initialize().
+	 * - Update hash value with input data with @ref update().
+	 * - Complete hash calculation and export hash value with @ref getHash().
+	 * 
+	 * Below is code sample for calculating hash value with one call to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Sha1Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Sha1Generator is now in a ready state. 
+	 * tc::crypto::Sha1Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // read whole file into memory. This is unsafe for large file sizes especially on 32-bit systems.
+	 * tc::ByteData data = tc::ByteData((size_t)stream.length());
+	 * stream.read(data.data(), data.size());
+	 * 
+	 * // update generator state with stream data
+	 * impl.update(data.data(), data.size());
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 * 
+	 * Below is code sample for calculating hash value with sequential calls to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create read block (size 512)
+	 * static const size_t kReadBlockSize = 0x200;
+	 * std::array<byte_t, kReadBlockSize> block;
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Sha1Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Sha1Generator is now in a ready state. 
+	 * tc::crypto::Sha1Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // iterate over blocks in stream until no more data can be read
+	 * size_t read_count = 0;
+	 * while ( 0 != (read_count = tc::io::IOUtil::getReadableCount(stream.position(), stream.length(), block.size())) )
+	 * {
+	 *   // read block from stream
+	 *   stream.read(block.data(), read_count);
+	 * 
+	 *   // update generator state with stream data
+	 *   impl.update(block.data(), read_count);
+	 * }
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 */
+class Sha1Generator
+{
+public:
+	static const size_t kAsn1OidDataSize = 15; /**< SHA1 ASN.1 Encoded OID length */
+	static const std::array<byte_t, kAsn1OidDataSize> kAsn1OidData; /**< SHA1 ASN.1 Encoded OID */
+
+	static const size_t kHashSize  = 20; /**< SHA1 hash size */
+	static const size_t kBlockSize = 64; /**< SHA1 processing block size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	Sha1Generator() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the hash calculation.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the hash calculation state to the begin state.
+		 * 
+		 * @note
+		 * - This must be called before calculating a new hash.
+		 */
+	void initialize()
+	{
+		mImpl.initialize();
+	}
+
+		/**
+		 * @brief Update hash value with specified data.
+		 * 
+		 * @param[in] data Pointer to input data.
+		 * @param[in] data_size Size of input data.
+		 * 
+		 * @details
+		 * Data can be input to the generator in one @ref update() call or split across multiple sequential calls.
+		 * 
+		 * For example the following scenarios all generate the same hash value.
+		 * @code
+		 * // generate data to be hashed
+		 * tc::ByteData data = tc::ByteData(0x30);
+		 * memset(data.data(), 0xff, data.size());
+		 * 
+		 * // create generator instance
+		 * tc::crypto::Sha1Generator impl;
+		 * 
+		 * // scenario 1 (one call to update() 0x30 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha1Generator::kHashSize> hash1;
+		 * impl.initialize();
+		 * impl.update(data.data(), data.size());
+		 * impl.getHash(hash1.data());
+		 * 
+		 * // scenario 2 (three calls to update() 0x10 bytes each, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha1Generator::kHashSize> hash2;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x10);
+		 * impl.update(data.data() + 0x20, 0x10);
+		 * impl.getHash(hash2.data());
+		 * 
+		 * // scenario 3 (two calls to update() one 0x10 bytes, the second 0x20 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha1Generator::kHashSize> hash3;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x20);
+		 * impl.getHash(hash3.data());
+		 * @endcode
+		 * 
+		 * @note 
+		 * - If input data is broken up into blocks and supplied via multiple @ref update() calls, the order must be consistent with the original input data.
+		 */
+	void update(const byte_t* data, size_t data_size)
+	{
+		mImpl.update(data, data_size);
+	}
+
+		/**
+		 * @brief Completes hash calculation and output hash value.
+		 * 
+		 * @param[out] hash Pointer to buffer storing hash value.
+		 * 
+		 * @pre
+		 * - Instance is in either Initialized or Done state.
+		 * - The size of the <tt><var>hash</var></tt> buffer must be >= @ref kHashSize.
+		 * 
+		 * @post
+		 * - Instance is now in a Done state.
+		 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+		 * 
+		 * @note 
+		 * - If the instance is in a None state, then this call does nothing.
+		 */ 
+	void getHash(byte_t* hash)
+	{
+		mImpl.getHash(hash);
+	}
+
+private:
+	detail::Sha1Impl mImpl;
+};
+
+	/**
+	 * @brief Utility function for calculating the SHA1 hash.
+	 * 
+	 * @warning SHA1 is considered a weak message digest and its use constitutes a security risk. It should only be used to maintain compatibility with legacy systems.
+	 * 
+	 * @param[out] hash Pointer to buffer storing hash value.
+	 * @param[in] data Pointer to input data.
+	 * @param[in] data_size Size of input data.
+	 * 
+	 * @pre
+	 * - The size of the <tt><var>hash</var></tt> buffer must be >= @ref Sha1Generator::kHashSize.
+	 * 
+	 * @post
+	 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates the hash value for input passed in the <tt><var>data</var></tt> array.
+	 * To calculate the hash value for input split across multiple arrays, use the @ref Sha1Generator class.
+	 */
+void GenerateSha1Hash(byte_t* hash, const byte_t* data, size_t data_size);
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Sha256Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Sha256Generator.h
new file mode 100644
index 00000000..35b25605
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Sha256Generator.h
@@ -0,0 +1,216 @@
+	/**
+	 * @file Sha256Generator.h
+	 * @brief Declarations for API resources for SHA2-256 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/06/01
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/Sha2Impl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Sha256Generator
+	 * @brief Class for calculating SHA2-256 hash.
+	 * 
+	 * @details
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * - Done : Hash value is calculated
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize Hash Generator state with @ref initialize().
+	 * - Update hash value with input data with @ref update().
+	 * - Complete hash calculation and export hash value with @ref getHash().
+	 * 
+	 * Below is code sample for calculating hash value with one call to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Sha256Generator is now in a ready state. 
+	 * tc::crypto::Sha256Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // read whole file into memory. This is unsafe for large file sizes especially on 32-bit systems.
+	 * tc::ByteData data = tc::ByteData((size_t)stream.length());
+	 * stream.read(data.data(), data.size());
+	 * 
+	 * // update generator state with stream data
+	 * impl.update(data.data(), data.size());
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 * 
+	 * Below is code sample for calculating hash value with sequential calls to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create read block (size 512)
+	 * static const size_t kReadBlockSize = 0x200;
+	 * std::array<byte_t, kReadBlockSize> block;
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Sha256Generator is now in a ready state. 
+	 * tc::crypto::Sha256Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // iterate over blocks in stream until no more data can be read
+	 * size_t read_count = 0;
+	 * while ( 0 != (read_count = tc::io::IOUtil::getReadableCount(stream.position(), stream.length(), block.size())) )
+	 * {
+	 *   // read block from stream
+	 *   stream.read(block.data(), read_count);
+	 * 
+	 *   // update generator state with stream data
+	 *   impl.update(block.data(), read_count);
+	 * }
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 */
+class Sha256Generator
+{
+public:
+	static const size_t kAsn1OidDataSize = 19; /**< SHA2-256 ASN.1 Encoded OID length */
+	static const std::array<byte_t, kAsn1OidDataSize> kAsn1OidData; /**< SHA2-256 ASN.1 Encoded OID */
+
+	static const size_t kHashSize  = 32; /**< SHA2-256 hash size */
+	static const size_t kBlockSize = 64; /**< SHA2-256 processing block size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	Sha256Generator() :
+		mImpl(detail::Sha2Impl::SHA2BitSize_256)
+	{}
+
+		/**
+		 * @brief Initializes the hash calculation.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the hash calculation state to the begin state.
+		 * 
+		 * @note
+		 * - This must be called before calculating a new hash.
+		 */
+	void initialize()
+	{
+		mImpl.initialize();
+	}
+
+		/**
+		 * @brief Update hash value with specified data.
+		 * 
+		 * @param[in] data Pointer to input data.
+		 * @param[in] data_size Size of input data.
+		 * 
+		 * @details
+		 * Data can be input to the generator in one @ref update() call or split across multiple sequential calls.
+		 * 
+		 * For example the following scenarios all generate the same hash value.
+		 * @code
+		 * // generate data to be hashed
+		 * tc::ByteData data = tc::ByteData(0x30);
+		 * memset(data.data(), 0xff, data.size());
+		 * 
+		 * // create generator instance
+		 * tc::crypto::Sha256Generator impl;
+		 * 
+		 * // scenario 1 (one call to update() 0x30 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash1;
+		 * impl.initialize();
+		 * impl.update(data.data(), data.size());
+		 * impl.getHash(hash1.data());
+		 * 
+		 * // scenario 2 (three calls to update() 0x10 bytes each, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash2;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x10);
+		 * impl.update(data.data() + 0x20, 0x10);
+		 * impl.getHash(hash2.data());
+		 * 
+		 * // scenario 3 (two calls to update() one 0x10 bytes, the second 0x20 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash3;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x20);
+		 * impl.getHash(hash3.data());
+		 * @endcode
+		 * 
+		 * @note 
+		 * - If input data is broken up into blocks and supplied via multiple @ref update() calls, the order must be consistent with the original input data.
+		 */
+	void update(const byte_t* data, size_t data_size)
+	{
+		mImpl.update(data, data_size);
+	}
+
+		/**
+		 * @brief Completes hash calculation and output hash value.
+		 * 
+		 * @param[out] hash Pointer to buffer storing hash value.
+		 * 
+		 * @pre
+		 * - Instance is in either Initialized or Done state.
+		 * 
+		 * @post
+		 * - Instance is now in a Done state.
+		 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+		 * 
+		 * @note 
+		 * - If the instance is in a None state, then this call does nothing.
+		 */ 
+	void getHash(byte_t* hash)
+	{
+		mImpl.getHash(hash);
+	}
+
+private:
+	detail::Sha2Impl mImpl;
+};
+
+	/**
+	 * @brief Utility function for calculating the SHA2-256 hash.
+	 * 
+	 * @param[out] hash Pointer to buffer storing hash value.
+	 * @param[in] data Pointer to input data.
+	 * @param[in] data_size Size of input data.
+	 * 
+	 * @pre
+	 * - The size of the <tt><var>hash</var></tt> buffer must be >= @ref Sha256Generator::kHashSize.
+	 * 
+	 * @post
+	 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates the hash value for input passed in the <tt><var>data</var></tt> array.
+	 * To calculate the hash value for input split across multiple arrays, use the @ref Sha256Generator class.
+	 */
+void GenerateSha256Hash(byte_t* hash, const byte_t* data, size_t data_size);
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/Sha512Generator.h b/ctrtool/deps/libtoolchain/include/tc/crypto/Sha512Generator.h
new file mode 100644
index 00000000..e414c2b9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/Sha512Generator.h
@@ -0,0 +1,217 @@
+	/**
+	 * @file Sha512Generator.h
+	 * @brief Declarations for API resources for SHA2-512 calculations.
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/06/01
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/Sha2Impl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class Sha512Generator
+	 * @brief Class for calculating SHA2-512 hash.
+	 * 
+	 * @details
+	 * This class has three states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process input data
+	 * - Done : Hash value is calculated
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize Hash Generator state with @ref initialize().
+	 * - Update hash value with input data with @ref update().
+	 * - Complete hash calculation and export hash value with @ref getHash().
+	 * 
+	 * Below is code sample for calculating hash value with one call to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Sha512Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Sha512Generator is now in a ready state. 
+	 * tc::crypto::Sha512Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // read whole file into memory. This is unsafe for large file sizes especially on 32-bit systems.
+	 * tc::ByteData data = tc::ByteData((size_t)stream.length());
+	 * stream.read(data.data(), data.size());
+	 * 
+	 * // update generator state with stream data
+	 * impl.update(data.data(), data.size());
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 * 
+	 * Below is code sample for calculating hash value with sequential calls to @ref update():
+	 * @code
+	 * // open file stream
+	 * auto stream = tc::io::FileStream("a_file.bin", tc::io::FileMode::Open, tc::io::FileAccess::Read);
+	 * 
+	 * // create read block (size 512)
+	 * static const size_t kReadBlockSize = 0x200;
+	 * std::array<byte_t, kReadBlockSize> block;
+	 * 
+	 * // create array to store hash value
+	 * std::array<byte_t, tc::crypto::Sha512Generator::kHashSize> hash;
+	 * 
+	 * // initialize generator. Sha512Generator is now in a ready state. 
+	 * tc::crypto::Sha512Generator impl;
+	 * impl.initialize();
+	 * 
+	 * // reset stream position to beginning (not strictly necessary for an unused tc::io::FileStream)
+	 * stream.seek(0, tc::io::SeekOrigin::Begin);
+	 * 
+	 * // iterate over blocks in stream until no more data can be read
+	 * size_t read_count = 0;
+	 * while ( 0 != (read_count = tc::io::IOUtil::getReadableCount(stream.position(), stream.length(), block.size())) )
+	 * {
+	 *   // read block from stream
+	 *   stream.read(block.data(), read_count);
+	 * 
+	 *   // update generator state with stream data
+	 *   impl.update(block.data(), read_count);
+	 * }
+	 * 
+	 * // complete generator state and write hash value to hash
+	 * impl.getHash(hash.data());
+	 * @endcode 
+	 */
+class Sha512Generator
+{
+public:
+	static const size_t kAsn1OidDataSize = 19; /**< SHA2-512 ASN.1 Encoded OID length */
+	static const std::array<byte_t, kAsn1OidDataSize> kAsn1OidData; /**< SHA2-512 ASN.1 Encoded OID */
+
+	static const size_t kHashSize  = 64; /**< SHA2-512 hash size */
+	static const size_t kBlockSize = 128; /**< SHA2-512 processing block size */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	Sha512Generator() :
+		mImpl(detail::Sha2Impl::SHA2BitSize_512)
+	{}
+
+		/**
+		 * @brief Initializes the hash calculation.
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state
+		 * 
+		 * @details
+		 * Resets the hash calculation state to the begin state.
+		 * 
+		 * @note
+		 * - This must be called before calculating a new hash.
+		 */
+	void initialize()
+	{
+		mImpl.initialize();
+	}
+
+		/**
+		 * @brief Update hash value with specified data.
+		 * 
+		 * @param[in] data Pointer to input data.
+		 * @param[in] data_size Size of input data.
+		 * 
+		 * @details
+		 * Data can be input to the generator in one @ref update() call or split across multiple sequential calls.
+		 * 
+		 * For example the following scenarios all generate the same hash value.
+		 * @code
+		 * // generate data to be hashed
+		 * tc::ByteData data = tc::ByteData(0x30);
+		 * memset(data.data(), 0xff, data.size());
+		 * 
+		 * // create generator instance
+		 * tc::crypto::Sha512Generator impl;
+		 * 
+		 * // scenario 1 (one call to update() 0x30 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha512Generator::kHashSize> hash1;
+		 * impl.initialize();
+		 * impl.update(data.data(), data.size());
+		 * impl.getHash(hash1.data());
+		 * 
+		 * // scenario 2 (three calls to update() 0x10 bytes each, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha512Generator::kHashSize> hash2;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x10);
+		 * impl.update(data.data() + 0x20, 0x10);
+		 * impl.getHash(hash2.data());
+		 * 
+		 * // scenario 3 (two calls to update() one 0x10 bytes, the second 0x20 bytes, totaling 0x30 bytes inputted)
+		 * std::array<byte_t, tc::crypto::Sha512Generator::kHashSize> hash3;
+		 * impl.initialize();
+		 * impl.update(data.data() + 0x00, 0x10);
+		 * impl.update(data.data() + 0x10, 0x20);
+		 * impl.getHash(hash3.data());
+		 * @endcode
+		 * 
+		 * @note 
+		 * - If input data is broken up into blocks and supplied via multiple @ref update() calls, the order must be consistent with the original input data.
+		 */
+	void update(const byte_t* data, size_t data_size)
+	{
+		mImpl.update(data, data_size);
+	}
+
+		/**
+		 * @brief Completes hash calculation and output hash value.
+		 * 
+		 * @param[out] hash Pointer to buffer storing hash value.
+		 * 
+		 * @pre
+		 * - Instance is in either Initialized or Done state.
+		 * - The size of the <tt><var>hash</var></tt> buffer must be >= @ref kHashSize.
+		 * 
+		 * @post
+		 * - Instance is now in a Done state.
+		 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+		 * 
+		 * @note 
+		 * - If the instance is in a None state, then this call does nothing.
+		 */ 
+	void getHash(byte_t* hash)
+	{
+		mImpl.getHash(hash);
+	}
+
+private:
+	detail::Sha2Impl mImpl;
+};
+
+	/**
+	 * @brief Utility function for calculating the SHA2-512 hash.
+	 * 
+	 * @param[out] hash Pointer to buffer storing hash value.
+	 * @param[in] data Pointer to input data.
+	 * @param[in] data_size Size of input data.
+	 * 
+	 * @pre
+	 * - The size of the <tt><var>hash</var></tt> buffer must be >= @ref Sha512Generator::kHashSize.
+	 * 
+	 * @post
+	 * - The calculated hash value is written to <tt><var>hash</var></tt>.
+	 * 
+	 * @details
+	 * This function calculates the hash value for input passed in the <tt><var>data</var></tt> array.
+	 * To calculate the hash value for input split across multiple arrays, use the @ref Sha512Generator class.
+	 */
+void GenerateSha512Hash(byte_t* hash, const byte_t* data, size_t data_size);
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/XtsEncryptor.h b/ctrtool/deps/libtoolchain/include/tc/crypto/XtsEncryptor.h
new file mode 100644
index 00000000..a4a87677
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/XtsEncryptor.h
@@ -0,0 +1,167 @@
+	/**
+	 * @file XtsEncryptor.h
+	 * @brief Declaration of tc::crypto::XtsEncryptor
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/detail/XtsModeImpl.h>
+
+namespace tc { namespace crypto {
+
+	/**
+	 * @class XtsEncryptor
+	 * @brief Class for XTS mode encryption/decryption.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for XTS mode encryption/decryption.
+	 * 
+	 * @details
+	 * XTS (<b>X</b>EX mode with cipher<b>t</b>ext <b>s</b>tealing) mode is designed for disk encryption, and as such operates on sectors of data rather than blocks.
+	 * Unlike XEX (<b>X</b>OR <b>e</b>ncrypt <b>X</b>OR) mode the sector size does not have to be a multiple of the block size.
+	 * 
+	 * This class is a template class that takes a block cipher implementation class as template parameter.
+	 * See @ref Aes128XtsEncryptor or similar for supplied realizations of this template class.
+	 * 
+	 * The implementation of @a BlockCipher must satisfies the following conditions.
+	 * See @ref AesEncryptor or similar class, for more information including parameters to each function.
+	 * 
+	 * -# Has a @p kBlockSize constant that defines the size of the block to process.
+	 * -# Has a @p kKeySize constant that defines the required key size to initialize the block cipher.
+	 * -# Has an @p initialize method that initializes the state of the block cipher.
+	 * -# Has an @p encrypt method that encrypts a block of input data.
+	 * -# Has a @p decrypt method that decrypts a block of input data.
+	 * 
+	 * This class has two states:
+	 * - None : Not ready
+	 * - Initialized : Ready to process data
+	 * 
+	 * General usage of this class is as follows:
+	 * - Initialize XTS state with @ref initialize().
+	 * - Encrypt or decrypt sector(s) using @ref encrypt() or @ref decrypt().
+	 */
+template <class BlockCipher>
+class XtsEncryptor
+{
+public:
+	static const size_t kKeySize   = BlockCipher::kKeySize; /**< XTS mode key size. */
+	static const size_t kBlockSize = BlockCipher::kBlockSize; /**< XTS mode block processing size. */
+
+		/**
+		 * @brief Get specified sector size.
+		 */
+	size_t sector_size() const
+	{
+		return mImpl.sector_size();
+	}
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	XtsEncryptor() :
+		mImpl()
+	{}
+
+		/**
+		 * @brief Initializes the XTS encryption state.
+		 * 
+		 * @param[in] key1 Pointer to key1 data.
+		 * @param[in] key1_size Size in bytes of key1 data.
+		 * @param[in] key2 Pointer to key2 data.
+		 * @param[in] key2_size Size in bytes of key2 data.
+		 * @param[in] sector_size Size in bytes of the XTS data unit.
+		 * @param[in] tweak_word_order Boolean to determine word order of tweak. True = LittleEndian, False = BigEndian.
+		 * 
+		 * @pre
+		 * - @p key1_size == @ref kKeySize.
+		 * - @p key2_size == @ref kKeySize.
+		 * - @p sector_size >= @ref kBlockSize. 
+		 * 
+		 * @post
+		 * - Instance is now in a Initialized state.
+		 * 
+		 * @details
+		 * This resets the XTS state, initializes the two key schedules and the initialization vector (IV).
+		 * The IV should be the IV for sector 0. Using @ref encrypt() / @ref decrypt() will update the IV as required.
+		 * 
+		 * @note
+		 * - This must be called before performing encryption/decryption.
+		 * 
+		 * @throw tc::ArgumentNullException @p key1 was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key1_size did not equal kKeySize.
+		 * @throw tc::ArgumentNullException @p key2 was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key2_size did not equal kKeySize.
+		 * @throw tc::ArgumentOutOfRangeException @p sector_size was less than kBlockSize.
+		 */
+	void initialize(const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order)
+	{
+		mImpl.initialize(key1, key1_size, key2, key2_size, sector_size, tweak_word_order);
+	}
+
+		/**
+		 * @brief Encrypts data in multiples of the sector size.
+		 * 
+		 * @param[out] dst Buffer where encrypted data will be written.
+		 * @param[in]  src Pointer to data to encrypt.
+		 * @param[in]  size Size in bytes of data to encrypt.
+		 * @param[in]  sector_number Initial sector number of sector to encrypt.
+		 * 
+		 * @pre
+		 * - @p size is a multiple of the sector size.
+		 * 
+		 * @post
+		 * - Encrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This encrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of the sector size.
+		 */
+	void encrypt(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number)
+	{
+		mImpl.encrypt(dst, src, size, sector_number);
+	}
+
+		/**
+		 * @brief Decrypts data in multiples of the sector size.
+		 * 
+		 * @param[out] dst Buffer where decrypted data will be written.
+		 * @param[in]  src Pointer to data to decrypt.
+		 * @param[in]  size Size in bytes of data to decrypt.
+		 * @param[in]  sector_number Initial sector number of sector to decrypt.
+		 * 
+		 * @pre
+		 * - @p size is a multiple of the sector size.
+		 * 
+		 * @post
+		 * - Decrypted data is written to @p dst.
+		 * 
+		 * @details
+		 * This decrypts the data in @p src, writing it to @p dst.
+		 * 
+		 * @note
+		 * - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 * @throw tc::ArgumentOutOfRangeException @p size was not a multiple of the sector size.
+		 */
+	void decrypt(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number)
+	{
+		mImpl.decrypt(dst, src, size, sector_number);
+	}
+
+private:
+	detail::XtsModeImpl<BlockCipher> mImpl;
+};
+
+}} // namespace tc::crypto
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/AesImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/AesImpl.h
new file mode 100644
index 00000000..55289989
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/AesImpl.h
@@ -0,0 +1,102 @@
+	/**
+	 * @file AesImpl.h
+	 * @brief Declaration of tc::crypto::detail::AesImpl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class AesImpl
+	 * @brief This class implements the AES block encryption algorithm.
+	 */
+class AesImpl
+{
+public:
+	static const size_t kBlockSize = 16; /**< AES processing block size. */
+
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	AesImpl();
+	~AesImpl();
+
+		/**
+		 * @brief Initialize AES state with key.
+		 * 
+		 * @param[in] key Pointer to key data.
+		 * @param[in] key_size Size in bytes of key data.
+		 * 
+		 * @pre 
+		 * - @p key_size must be 16, 24 or 32.
+		 * @post
+		 * - Instance is now in initialized state.
+		 * 
+		 * @throw tc::ArgumentNullException @p key was null.
+		 * @throw tc::ArgumentOutOfRangeException @p key_size did not equal 16, 24 or 32.
+		 */
+	void initialize(const byte_t* key, size_t key_size);
+
+		/**
+		 * @brief Encrypt data block.
+		 * 
+		 * @param[out] dst Buffer to store encrypted block.
+		 * @param[in]  src Pointer to block to encrypt.
+		 * 
+		 * @pre 
+		 * - Instance is in initialized state.
+		 * 
+		 * @details
+		 * This encrypts @ref kBlockSize number of bytes of data from @p src, writing it to @p dst.
+		 * 
+		 * @note 
+		 *  - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 */
+	void encrypt(byte_t* dst, const byte_t* src);
+
+		/**
+		 * @brief Decrypt data block.
+		 * 
+		 * @param[out] dst Buffer to store decrypted block.
+		 * @param[in]  src Pointer to block to decrypt.
+		 * 
+		 * @pre 
+		 * - Instance is in initialized state.
+		 * 
+		 * @details
+		 * This decrypts @ref kBlockSize number of bytes of data from @p src, writing it to @p dst.
+		 * 
+		 * @note 
+		 *  - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 */
+	void decrypt(byte_t* dst, const byte_t* src);
+private:
+	enum class State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+
+	struct ImplCtx;
+	std::unique_ptr<ImplCtx> mImplCtx;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/BlockUtilImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/BlockUtilImpl.h
new file mode 100644
index 00000000..791a2d4f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/BlockUtilImpl.h
@@ -0,0 +1,69 @@
+	/**
+	 * @file BlockUtilImpl.h
+	 * @brief Declaration of block utility functions for tc::crypto
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/10/04
+	 **/
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+template <size_t BlockSize>
+inline void incr_counter(byte_t* counter, uint64_t incr)
+{
+	for(uint64_t i = 0; i < incr; i++) {
+		for (uint32_t j = BlockSize; j > 0; j--) {
+			// increment u8 by 1
+			counter[j-1]++;
+
+			// if it didn't overflow to 0, then we can exit now
+			if (counter[j-1])
+				break;
+
+			// if we reach here, the next u8 needs to be incremented
+			if (j == 1)
+				j = BlockSize;
+		}
+	}
+}
+
+template <>
+inline void incr_counter<16>(byte_t* counter, uint64_t incr)
+{
+	tc::bn::be64<uint64_t>* counter_words = (tc::bn::be64<uint64_t>*)counter;
+
+	uint64_t carry = incr;
+	for (size_t i = 0; carry != 0 ; i = ((i + 1) % 2))
+	{
+		uint64_t word = counter_words[1 - i].unwrap();
+		uint64_t remaining = std::numeric_limits<uint64_t>::max() - word;
+
+		if (remaining > carry)
+		{
+			counter_words[1 - i].wrap(word + carry);
+			carry = 0;
+		}
+		else
+		{
+			counter_words[1 - i].wrap(carry - remaining - 1);
+			carry = 1;
+		}
+	}
+}
+
+template <size_t BlockSize>
+inline void xor_block(byte_t* dst, const byte_t* src_a, const byte_t* src_b)
+{
+	for (size_t i = 0; i < BlockSize; i++) { dst[i] = src_a[i] ^ src_b[i];}
+}
+
+template <>
+inline void xor_block<16>(byte_t* dst, const byte_t* src_a, const byte_t* src_b)
+{
+	((uint64_t*)dst)[0] = ((uint64_t*)src_a)[0] ^ ((uint64_t*)src_b)[0];
+	((uint64_t*)dst)[1] = ((uint64_t*)src_a)[1] ^ ((uint64_t*)src_b)[1];
+}
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/CbcModeImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/CbcModeImpl.h
new file mode 100644
index 00000000..f75e75b4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/CbcModeImpl.h
@@ -0,0 +1,130 @@
+	/**
+	 * @file CbcModeImpl.h
+	 * @brief Declaration of tc::crypto::detail::CbcModeImpl
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/10/04
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/crypto/detail/BlockUtilImpl.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ArgumentNullException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class CbcModeImpl
+	 * @brief This class implements the CBC (<b>c</b>ipher <b>b</b>lock <b>c</b>haining) mode cipher as a template class.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for CBC mode encryption/decryption.
+	 * 
+	 * @details
+	 * The implementation of <var>BlockCipher</var> must satisfies the following conditions.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kKeySize</tt> constant that defines the required key size to initialize the block cipher.
+	 * -# Has an <tt>initialize</tt> method that initializes the state of the block cipher.
+	 * -# Has an <tt>encrypt</tt> method that encrypts a block of input data.
+	 * -# Has a <tt>decrypt</tt> method that decrypts a block of input data.
+	 */
+template <class BlockCipher>
+class CbcModeImpl
+{
+public:
+	static const size_t kKeySize = BlockCipher::kKeySize;
+	static const size_t kBlockSize = BlockCipher::kBlockSize;
+
+	CbcModeImpl() :
+		mState(None),
+		mCipher()
+	{
+
+	}
+
+	void initialize(const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size) 
+	{
+		if (key == nullptr) { throw tc::ArgumentNullException("CbcModeImpl::initialize()", "key was null."); }
+		if (key_size != kKeySize) { throw tc::ArgumentOutOfRangeException("CbcModeImpl::initialize()", "key_size did not equal kKeySize."); }
+		if (iv == nullptr) { throw tc::ArgumentNullException("CbcModeImpl::initialize()", "iv was null."); }
+		if (iv_size != kBlockSize) { throw tc::ArgumentOutOfRangeException("CbcModeImpl::initialize()", "iv_size did not equal kBlockSize."); }
+
+		mCipher.initialize(key, key_size);
+		memcpy(mIv.data(), iv, mIv.size());
+		mState = State::Initialized;
+	}
+
+	void update_iv(const byte_t* iv, size_t iv_size)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (iv == nullptr) { throw tc::ArgumentNullException("CbcModeImpl::update_iv()", "iv was null."); }
+		if (iv_size != kBlockSize) { throw tc::ArgumentOutOfRangeException("CbcModeImpl::update_iv()", "iv_size did not equal kBlockSize."); }
+
+		memcpy(mIv.data(), iv, mIv.size());
+	}
+
+	void encrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (dst == nullptr) { throw tc::ArgumentNullException("CbcModeImpl::encrypt()", "dst was null."); }
+		if (src == nullptr) { throw tc::ArgumentNullException("CbcModeImpl::encrypt()", "src was null."); }
+		if (size == 0 || size % kBlockSize) { throw tc::ArgumentOutOfRangeException("CbcModeImpl::encrypt()", "size was not a multiple of kBlockSize."); }
+
+		auto block = std::array<byte_t, kBlockSize>();
+
+		// iterate through blocks
+		for (size_t block_idx = 0, block_num = (size / kBlockSize); block_idx < block_num; block_idx++)
+		{
+			// block = src_block ^ iv
+			xor_block<kBlockSize>(block.data(), src + (block_idx * kBlockSize), mIv.data());
+
+			// dst_block = encrypt(block)
+			mCipher.encrypt(dst + (block_idx * kBlockSize), block.data());
+
+			// iv = dst_block
+			memcpy(mIv.data(), dst + (block_idx * kBlockSize), kBlockSize);
+		}
+	}
+
+	void decrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (dst == nullptr) { throw tc::ArgumentNullException("CbcModeImpl::decrypt()", "dst was null."); }
+		if (src == nullptr) { throw tc::ArgumentNullException("CbcModeImpl::decrypt()", "src was null."); }
+		if (size == 0 || size % kBlockSize) { throw tc::ArgumentOutOfRangeException("CbcModeImpl::decrypt()", "size was not a multiple of kBlockSize."); }
+
+		auto block = std::array<byte_t, kBlockSize>();
+		auto next_iv = std::array<byte_t, kBlockSize>();
+
+		// iterate through blocks
+		for (size_t block_idx = 0, block_num = (size / kBlockSize); block_idx < block_num; block_idx++)
+		{
+			// next_iv = src_block
+			memcpy(next_iv.data(), src + (block_idx * kBlockSize), kBlockSize);
+
+			// block = decrypt(src_block)
+			mCipher.decrypt(block.data(), src + (block_idx * kBlockSize));
+
+			// dst_block = block ^ iv
+			xor_block<kBlockSize>(dst + (block_idx * kBlockSize), block.data(), mIv.data());
+
+			// iv = next_iv
+			memcpy(mIv.data(), next_iv.data(), kBlockSize);
+		}
+	}
+private:
+	enum State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+	
+	BlockCipher mCipher;
+	std::array<byte_t, kBlockSize> mIv;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/CtrModeImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/CtrModeImpl.h
new file mode 100644
index 00000000..c31c6e4f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/CtrModeImpl.h
@@ -0,0 +1,113 @@
+	/**
+	 * @file CtrModeImpl.h
+	 * @brief Declaration of tc::crypto::detail::CtrModeImpl
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/10/04
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/crypto/detail/BlockUtilImpl.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ArgumentNullException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class CtrModeImpl
+	 * @brief This class implements the CTR (<b>c</b>oun<b>t</b>e<b>r</b>) mode cipher as a template class.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for CTR mode encryption/decryption.
+	 * 
+	 * @details
+	 * The implementation of <var>BlockCipher</var> must satisfies the following conditions.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kKeySize</tt> constant that defines the required key size to initialize the block cipher.
+	 * -# Has an <tt>initialize</tt> method that initializes the state of the block cipher.
+	 * -# Has an <tt>encrypt</tt> method that encrypts a block of input data.
+	 * -# Has a <tt>decrypt</tt> method that decrypts a block of input data.
+	 */
+template <class BlockCipher>
+class CtrModeImpl
+{
+public:
+	static const size_t kKeySize = BlockCipher::kKeySize;
+	static const size_t kBlockSize = BlockCipher::kBlockSize;
+
+	CtrModeImpl() :
+		mState(None),
+		mCipher()
+	{
+
+	}
+
+	void initialize(const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size) 
+	{
+		if (key == nullptr) { throw tc::ArgumentNullException("CtrModeImpl::initialize()", "key was null."); }
+		if (key_size != kKeySize) { throw tc::ArgumentOutOfRangeException("CtrModeImpl::initialize()", "key_size did not equal kKeySize."); }
+		if (iv == nullptr) { throw tc::ArgumentNullException("CtrModeImpl::initialize()", "iv was null."); }
+		if (iv_size != kBlockSize) { throw tc::ArgumentOutOfRangeException("CtrModeImpl::initialize()", "iv_size did not equal kBlockSize."); }
+
+		mCipher.initialize(key, key_size);
+		memcpy(mIv.data(), iv, mIv.size());
+		mState = State::Initialized;
+	}
+
+	void crypt(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (dst == nullptr) { throw tc::ArgumentNullException("CtrModeImpl::crypt()", "dst was null."); }
+		if (src == nullptr) { throw tc::ArgumentNullException("CtrModeImpl::crypt()", "src was null."); }
+		if (size == 0) { throw tc::ArgumentOutOfRangeException("CtrModeImpl::crypt()", "size was 0."); }
+
+		auto iv = std::array<byte_t, kBlockSize>();
+		auto enc_iv = std::array<byte_t, kBlockSize>();
+
+		// import and increment iv
+		memcpy(iv.data(), mIv.data(), mIv.size());
+		incr_counter<kBlockSize>(iv.data(), block_number);
+
+		// iterate through blocks
+		for (size_t block_idx = 0, block_num = (size / kBlockSize); block_idx < block_num; block_idx++)
+		{
+			// encrypt IV
+			mCipher.encrypt(enc_iv.data(), iv.data());
+
+			// dst = src ^ enc_iv
+			xor_block<kBlockSize>(dst + (block_idx * kBlockSize), src + (block_idx * kBlockSize), enc_iv.data());
+
+			// increment counter
+			incr_counter<kBlockSize>(iv.data(), 1);
+		}
+
+		// process partial block
+		size_t block_remaining = (size % kBlockSize);
+		if (block_remaining > 0)
+		{
+			// encrypt IV
+			mCipher.encrypt(enc_iv.data(), iv.data());
+
+			// dst = src ^ enc_iv
+			for (size_t i = 0; i < block_remaining; i++)
+			{
+				dst[((size / kBlockSize) * kBlockSize) + i] = src[((size / kBlockSize) * kBlockSize) + i] ^ enc_iv[i];
+			}
+		}
+	}
+private:
+	enum State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+	
+	BlockCipher mCipher;
+	std::array<byte_t, kBlockSize> mIv;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/EcbModeImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/EcbModeImpl.h
new file mode 100644
index 00000000..ab0b33b6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/EcbModeImpl.h
@@ -0,0 +1,147 @@
+	/**
+	 * @file EcbModeImpl.h
+	 * @brief Declaration of tc::crypto::detail::EcbModeImpl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ArgumentNullException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class EcbModeImpl
+	 * @brief This class implements the ECB (<b>e</b>lectronic <b>c</b>ode<b>b</b>ook) mode cipher as a template class.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for ECB mode encryption/decryption.
+	 * 
+	 * @details
+	 * The implementation of <var>BlockCipher</var> must satisfies the following conditions.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kKeySize</tt> constant that defines the required key size to initialize the block cipher.
+	 * -# Has an <tt>initialize</tt> method that initializes the state of the block cipher.
+	 * -# Has an <tt>encrypt</tt> method that encrypts a block of input data.
+	 * -# Has a <tt>decrypt</tt> method that decrypts a block of input data.
+	 */
+template <class BlockCipher>
+class EcbModeImpl
+{
+public:
+	static const size_t kKeySize = BlockCipher::kKeySize;
+	static const size_t kBlockSize = BlockCipher::kBlockSize;
+
+	EcbModeImpl() :
+		mState(None),
+		mCipher()
+	{
+
+	}
+
+	void initialize(const byte_t* key, size_t key_size) 
+	{
+		if (key == nullptr) { throw tc::ArgumentNullException("EcbModeImpl::initialize()", "key was null."); }
+		if (key_size != kKeySize) { throw tc::ArgumentOutOfRangeException("EcbModeImpl::initialize()", "key_size did not equal kKeySize."); }
+
+		mCipher.initialize(key, key_size);
+		mState = State::Initialized;
+	}
+
+	void encrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (dst == nullptr) { throw tc::ArgumentNullException("EcbModeImpl::encrypt()", "dst was null."); }
+		if (src == nullptr) { throw tc::ArgumentNullException("EcbModeImpl::encrypt()", "src was null."); }
+		if (size < kBlockSize) { throw tc::ArgumentOutOfRangeException("EcbModeImpl::encrypt()", "size was less than kBlockSize."); }
+
+		// for ciphertext stealing
+		size_t block_leftover = size % kBlockSize;
+
+		// iterate through blocks
+		for (size_t block_idx = 0, block_num = (size / kBlockSize); block_idx < block_num; block_idx++)
+		{
+			mCipher.encrypt(dst + (block_idx * kBlockSize), src + (block_idx * kBlockSize));
+		}
+		
+		// cipher text stealing
+		if (block_leftover)
+		{
+			size_t block_idx = (size / kBlockSize);
+			const byte_t* src_block = src + (block_idx * kBlockSize);
+			byte_t* prev_dst_block = dst + ((block_idx - 1) * kBlockSize);
+			byte_t* dst_block = dst + (block_idx * kBlockSize);
+
+			// part 1 : prep encryption thru cipher text stealing
+			std::array<byte_t, kBlockSize> block;
+
+			// block [0, block_leftover) = src_block [0, block_leftover)
+			memcpy(block.data(), src_block, block_leftover);
+
+			// block [block_leftover-kBlockSize with previous) = prev_dst_block [block_leftover-kBlockSize)
+			memcpy(block.data() + block_leftover, prev_dst_block + block_leftover, kBlockSize - block_leftover);
+
+			// dst_block [0-block_leftover) = prev_dst_block [0-block_leftover)
+			memcpy(dst_block, prev_dst_block, block_leftover);
+
+			// part 2 : encrypt block
+			mCipher.encrypt(prev_dst_block, block.data());
+		}
+	}
+
+	void decrypt(byte_t* dst, const byte_t* src, size_t size)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (dst == nullptr) { throw tc::ArgumentNullException("EcbModeImpl::decrypt()", "dst was null."); }
+		if (src == nullptr) { throw tc::ArgumentNullException("EcbModeImpl::decrypt()", "src was null."); }
+		if (size < kBlockSize) { throw tc::ArgumentOutOfRangeException("EcbModeImpl::decrypt()", "size less than kBlockSize."); }
+
+		// for ciphertext stealing
+		size_t block_leftover = size % kBlockSize;
+
+		// iterate through blocks
+		for (size_t block_idx = 0, block_num = (size / kBlockSize); block_idx < block_num; block_idx++)
+		{
+			mCipher.decrypt(dst + (block_idx * kBlockSize), src + (block_idx * kBlockSize));
+		}
+
+		// cipher text stealing
+		if (block_leftover)
+		{
+			size_t block_idx = (size / kBlockSize);
+			const byte_t* src_block = src + (block_idx * kBlockSize);
+			byte_t* prev_dst_block = dst + ((block_idx - 1) * kBlockSize);
+			byte_t* dst_block = dst + (block_idx * kBlockSize);
+
+			// part 1 : prep encryption thru cipher text stealing
+			std::array<byte_t, kBlockSize> block;
+
+			// block [0, block_leftover) = src_block [0, block_leftover)
+			memcpy(block.data(), src_block, block_leftover);
+
+			// block [block_leftover-kBlockSize with previous) = prev_dst_block [block_leftover-kBlockSize)
+			memcpy(block.data() + block_leftover, prev_dst_block + block_leftover, kBlockSize - block_leftover);
+
+			// dst_block [0-block_leftover) = prev_dst_block [0-block_leftover)
+			memcpy(dst_block, prev_dst_block, block_leftover);
+
+			// part 2 : encrypt block
+			mCipher.decrypt(prev_dst_block, block.data());
+		}
+	}
+private:
+	enum State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+	
+	BlockCipher mCipher;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/HmacImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/HmacImpl.h
new file mode 100644
index 00000000..c6537d8a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/HmacImpl.h
@@ -0,0 +1,107 @@
+	/**
+	 * @file HmacImpl.h
+	 * @brief Declaration of tc::crypto::detail::HmacImpl
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class HmacImpl
+	 * @brief This class implements HMAC as a template class.
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for HMAC calculation.
+	 */
+template <typename HashFunction>
+class HmacImpl
+{
+public:
+	static const size_t kMacSize = HashFunction::kHashSize;
+	static const size_t kBlockSize = HashFunction::kBlockSize;
+
+	HmacImpl() :
+		mHashFunction(),
+		mState(State::None)
+	{
+	}
+	~HmacImpl()
+	{
+		std::memset(mKeyDigest.data(), 0, mKeyDigest.size());
+		std::memset(mMac.data(), 0, mMac.size());
+		mState = State::None;
+	}
+
+	void initialize(const byte_t* key, size_t key_size)
+	{
+		std::memset(mKeyDigest.data(), 0x00, mKeyDigest.size());
+
+		if (key_size > kBlockSize)
+		{
+			mHashFunction.initialize();
+			mHashFunction.update(key, key_size);
+			mHashFunction.getHash(mKeyDigest.data());
+		}
+		else
+		{
+			std::memcpy(mKeyDigest.data(), key, key_size);
+		}
+
+		for (uint32_t i = 0 ; i < kBlockSize / sizeof(uint32_t); i++)
+		{
+			((uint32_t*)mKeyDigest.data())[i] ^= uint32_t(0x36363636);
+		}
+
+		mHashFunction.initialize();
+		mHashFunction.update(mKeyDigest.data(), mKeyDigest.size());
+
+		mState = State::Initialized;
+	}
+
+	void update(const byte_t* data, size_t data_size)
+	{
+		mHashFunction.update(data, data_size);
+	}
+
+	void getMac(byte_t* mac)
+	{
+		if (mState == State::Initialized)
+		{
+			mHashFunction.getHash(mMac.data());
+
+			for (uint32_t i = 0 ; i < kBlockSize / sizeof(uint32_t); i++)
+			{
+				((uint32_t*)mKeyDigest.data())[i] ^= uint32_t(0x6A6A6A6A);
+			}
+
+			mHashFunction.initialize();
+			mHashFunction.update(mKeyDigest.data(), mKeyDigest.size());
+			mHashFunction.update(mMac.data(), mMac.size());
+			mHashFunction.getHash(mMac.data());
+
+			mState = State::Done;
+		}
+		if (mState == State::Done)
+		{
+			std::memcpy(mac, mMac.data(), mMac.size());
+		}		
+	}
+private:
+	enum class State
+	{
+		None,
+		Initialized,
+		Done
+	};
+
+	HashFunction mHashFunction;
+	std::array<byte_t, kBlockSize> mKeyDigest;
+	std::array<byte_t, kMacSize> mMac;
+	State mState;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Md5Impl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Md5Impl.h
new file mode 100644
index 00000000..153c0682
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Md5Impl.h
@@ -0,0 +1,44 @@
+	/**
+	 * @file Md5Impl.h
+	 * @brief Declaration of tc::crypto::detail::Md5Impl
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/06/01
+	 **/
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class Md5Impl
+	 * @brief This class implements the MD5 hash algorithm.
+	 */
+class Md5Impl
+{
+public:
+	static const size_t kHashSize = 16;
+	static const size_t kBlockSize = 64;
+
+	Md5Impl();
+	~Md5Impl();
+
+	void initialize();
+	void update(const byte_t* data, size_t data_size);
+	void getHash(byte_t* hash);
+private:
+	enum class State
+	{
+		None,
+		Initialized,
+		Done
+	};
+
+	State mState;
+	std::array<byte_t, kHashSize> mHash;
+
+	struct ImplCtx;
+	std::unique_ptr<ImplCtx> mImplCtx;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf1Impl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf1Impl.h
new file mode 100644
index 00000000..228ecefd
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf1Impl.h
@@ -0,0 +1,159 @@
+	/**
+	 * @file Pbkdf1Impl.h
+	 * @brief Declaration of tc::crypto::detail::Pbkdf1Impl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/HmacGenerator.h>
+
+#include <tc/crypto/CryptoException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class Pbkdf1Impl
+	 * @brief This class implements Password-Based Key Derivation Function 1 (PBKDF1)
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for key derivation.
+	 * 
+	 * @details
+	 * PBKDF1 is a hash based key derivation function, as defined in RFC 8018.
+	 * Applicable hash functions to use with PBKDF1 include.
+	 * -# MD4
+	 * -# MD5
+	 * -# SHA-1
+	 */
+template <typename HashFunction>
+class Pbkdf1Impl
+{
+public:
+	static const uint64_t kMaxDerivableSize = HashFunction::kHashSize; /**< Maximum total data that can be derived */
+
+	Pbkdf1Impl() :
+		mState(State::None),
+		mPassword(),
+		mSalt(),
+		mRoundCount(0),
+		mHash(),
+		mAvailableData(0),
+		mTotalDataDerived(0)
+	{
+		std::memset(mDerivedData.data(), 0, mDerivedData.size());
+	}
+
+	~Pbkdf1Impl()
+	{
+		mState = State::None;
+		std::memset(mPassword.data(), 0, mPassword.size());
+		std::memset(mSalt.data(), 0, mSalt.size());
+		std::memset(mDerivedData.data(), 0, mDerivedData.size());
+		mRoundCount = 0;
+		mAvailableData = 0;
+		mTotalDataDerived = 0;
+	}
+
+	void initialize(const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+	{
+		if (n_rounds < 1) { throw tc::crypto::CryptoException("tc::crypto::detail::Pbkdf1Impl", "Round count must be >= 1."); }
+
+		mPassword = tc::ByteData(password, password_size);
+		mSalt = tc::ByteData(salt, salt_size);
+		mRoundCount = n_rounds;
+
+		mAvailableData = 0;
+		mTotalDataDerived = 0;
+		
+		mState = State::Initialized;
+	}
+
+	void getBytes(byte_t* key, size_t key_size)
+	{
+		if (mState != State::Initialized) return;
+
+		// determine data remaining
+		uint64_t derivable_data = kMaxDerivableSize - mTotalDataDerived + mAvailableData;
+
+		if (key_size > derivable_data) { throw tc::crypto::CryptoException("tc::crypto::detail::Pbkdf1Impl", "Request too large."); }
+
+		while (key_size != 0)
+		{
+			// if there is no availble data then we generate more
+			if (mAvailableData == 0)
+			{
+				deriveBytes();
+
+				// update the available digest to maximum
+				mAvailableData = mDerivedData.size();
+
+				mTotalDataDerived += mDerivedData.size();
+			}
+
+			// determine how much to copy in this loop
+			size_t copy_size = std::min<size_t>(key_size, size_t(std::min<uint64_t>(mAvailableData, std::numeric_limits<size_t>::max())));
+
+			// copy available data into key
+			memcpy(key, mDerivedData.data() + mDerivedData.size() - mAvailableData, copy_size);
+
+			// increment key pointer so next loop will copy to the right position
+			key += copy_size;
+
+			// decrement key_size so the next loop can track how much data is needed
+			key_size -= copy_size;
+
+			// decrement available digest so the next loop can determine where to copy from and generate more digest if needed
+			mAvailableData -= copy_size;
+		}
+	}
+private:
+	enum State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+
+	tc::ByteData mPassword;
+	tc::ByteData mSalt;
+	size_t mRoundCount;
+
+	HashFunction mHash;
+	std::array<byte_t, HashFunction::kHashSize> mDerivedData;
+	uint64_t mAvailableData;
+	uint64_t mTotalDataDerived;
+
+	void deriveBytes()
+	{
+		// generate round 0 hash (password | salt)
+
+		// init hash
+		mHash.initialize();
+
+		// Update Hash with password
+		mHash.update(mPassword.data(), mPassword.size());
+
+		// Update Hash with salt
+		mHash.update(mSalt.data(), mSalt.size());
+
+		// Save Hash
+		mHash.getHash(mDerivedData.data());
+
+		// do rounds 1 thru mRoundCount (prev round hash)
+		for (size_t round = 1; round < mRoundCount; round++)
+		{
+			// initialize hash
+			mHash.initialize();
+
+			// update with previous round hash
+			mHash.update(mDerivedData.data(), mDerivedData.size());
+
+			// overwrite old hash digest with new hash digest
+			mHash.getHash(mDerivedData.data());
+		}
+	}
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf2Impl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf2Impl.h
new file mode 100644
index 00000000..40064359
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Pbkdf2Impl.h
@@ -0,0 +1,179 @@
+	/**
+	 * @file Pbkdf2Impl.h
+	 * @brief Declaration of tc::crypto::detail::Pbkdf2Impl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/06
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/crypto/HmacGenerator.h>
+
+#include <tc/crypto/CryptoException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class Pbkdf2Impl
+	 * @brief This class implements Password-Based Key Derivation Function 2 (PBKDF2)
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for key derivation.
+	 * 
+	 * @details
+	 * PBKDF2 is a hmac based key derivation function, as defined in RFC 8018.
+	 * Applicable hash functions to use with PBKDF2 include.
+	 * -# SHA-1
+	 * -# SHA-224
+	 * -# SHA-256
+	 * -# SHA-384
+	 * -# SHA-512
+	 */
+template <typename HashFunction>
+class Pbkdf2Impl
+{
+public:
+	static const uint64_t kMaxDerivableSize = uint64_t(0xffffffff) * uint64_t(HashFunction::kHashSize); /**< Maximum total data that can be derived */
+
+	Pbkdf2Impl() :
+		mState(State::None),
+		mPassword(),
+		mSalt(),
+		mRoundCount(0),
+		mHmac(),
+		mAvailableData(0),
+		mTotalDataDerived(0),
+		mBlockIndex(0)
+	{
+		std::memset(mDerivedData.data(), 0, mDerivedData.size());
+	}
+
+	~Pbkdf2Impl()
+	{
+		mState = State::None;
+		std::memset(mPassword.data(), 0, mPassword.size());
+		std::memset(mSalt.data(), 0, mSalt.size());
+		std::memset(mDerivedData.data(), 0, mDerivedData.size());
+		mRoundCount = 0;
+		mBlockIndex = 0;
+		mAvailableData = 0;
+	}
+
+	void initialize(const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+	{
+		if (n_rounds < 1) { throw tc::crypto::CryptoException("tc::crypto::detail::Pbkdf2Impl", "Round count must be >= 1."); }
+
+		mPassword = tc::ByteData(password, password_size);
+		mSalt = tc::ByteData(salt, salt_size);
+		mRoundCount = n_rounds;
+		mBlockIndex = 1;
+
+		mAvailableData = 0;
+		mTotalDataDerived = 0;
+		
+		mState = State::Initialized;
+	}
+
+	void getBytes(byte_t* key, size_t key_size)
+	{
+		if (mState != State::Initialized) return;
+
+		// determine data remaining
+		uint64_t derivable_data = kMaxDerivableSize - mTotalDataDerived + mAvailableData;
+
+		if (key_size > derivable_data) { throw tc::crypto::CryptoException("tc::crypto::detail::Pbkdf1Impl", "Request too large."); }
+
+		while (key_size != 0)
+		{
+			// if there is no availble data then we generate more
+			if (mAvailableData == 0)
+			{
+				deriveBytes();
+
+				// incrementing the block index ensures the next block is (predictably) unique
+				mBlockIndex++;
+
+				// update the available digest to maximum
+				mAvailableData = mDerivedData.size();
+
+				mTotalDataDerived += mDerivedData.size();
+			}
+
+			// determine how much to copy in this loop 
+			size_t copy_size = std::min<size_t>(key_size, size_t(std::min<uint64_t>(mAvailableData, std::numeric_limits<size_t>::max())));
+
+			// copy available data into key
+			memcpy(key, mDerivedData.data() + mDerivedData.size() - mAvailableData, copy_size);
+
+			// increment key pointer so next loop will copy to the right position
+			key += copy_size;
+
+			// decrement key_size so the next loop can track how much data is needed
+			key_size -= copy_size;
+
+			// decrement available digest so the next loop can determine where to copy from and generate more digest if needed
+			mAvailableData -= copy_size;
+		}
+	}
+private:
+	static const size_t kMacSize = HmacGenerator<HashFunction>::kMacSize;
+
+	enum State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+
+	tc::ByteData mPassword;
+	tc::ByteData mSalt;
+	size_t mRoundCount;
+
+	HmacGenerator<HashFunction> mHmac;
+	std::array<byte_t, kMacSize> mDerivedData;
+	uint64_t mAvailableData;
+	uint64_t mTotalDataDerived;
+	uint32_t mBlockIndex;
+
+	void deriveBytes()
+	{
+		// Init HMAC with password
+		mHmac.initialize(mPassword.data(), mPassword.size());
+
+		// Update HMAC with Salt
+		mHmac.update(mSalt.data(), mSalt.size());
+
+		// Update HMAC with BigEndian block index
+		tc::bn::be32<uint32_t> be_block_index;
+		be_block_index.wrap(mBlockIndex);
+		mHmac.update((const byte_t*)&be_block_index, sizeof(tc::bn::be32<uint32_t>));
+
+		// Save MAC to temporary value
+		std::array<byte_t, kMacSize> mac;
+		mHmac.getMac(mac.data());
+
+		// Also save MAC to derived data
+		mHmac.getMac(mDerivedData.data());
+
+		// do HMAC rounds
+		for (size_t round = 1; round < mRoundCount; round++)
+		{
+			// initialize HMAC again from password
+			mHmac.initialize(mPassword.data(), mPassword.size());
+
+			// update hmac with old hmac digest
+			mHmac.update(mac.data(), mac.size());
+
+			// overwrite old hmac digest with new hmac digest
+			mHmac.getMac(mac.data());
+
+			// XOR temp digest with derived data
+			for (size_t i = 0; i < kMacSize; i++)
+			{
+				mDerivedData[i] ^= mac[i];
+			}
+		}
+	}
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/PrbgImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/PrbgImpl.h
new file mode 100644
index 00000000..e9b09756
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/PrbgImpl.h
@@ -0,0 +1,61 @@
+	/**
+	 * @file PrbgImpl.h
+	 * @brief Declaration of tc::crypto::detail::PrbgImpl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/12
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/crypto/CryptoException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class PrbgImpl
+	 * @brief This class implements a Psuedo Random Byte Generator.
+	 * 
+	 * @details
+	 * The underlying algorithm is CTR_DBRG.
+	 * This class generates random data suitable for encryption use cases.
+	 * - Initialization vectors
+	 * - Salts / Nonces
+	 * - HMAC keys
+	 * - AES keys
+	 */
+class PrbgImpl
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @details
+		 * This initializes random number generator state
+		 */
+	PrbgImpl();
+
+		/**
+		 * @brief Destructor
+		 * @details
+		 * Cleans up random number generator state
+		 */
+	~PrbgImpl();
+
+		/**
+		 * @brief Populate array with random data.
+		 * 
+		 * @param[out] data Buffer to hold random data.
+		 * @param[in] data_size Size of @p data buffer.
+		 * 
+		 * @throw tc::crypto::CryptoException An unexpected error has occurred.
+		 * @throw tc::crypto::CryptoException Request too big.
+		 */
+	void getBytes(byte_t* data, size_t data_size);
+private:
+	static const std::string kClassName;	
+
+	struct ImplCtx;
+	std::unique_ptr<ImplCtx> mImplCtx;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaImpl.h
new file mode 100644
index 00000000..2247e500
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaImpl.h
@@ -0,0 +1,119 @@
+	/**
+	 * @file RsaImpl.h
+	 * @brief Declaration of tc::crypto::detail::RsaImpl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/09/12
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/crypto/CryptoException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class RsaImpl
+	 * @brief This class implements the RSA algorithm.
+	 */
+class RsaImpl
+{
+public:
+		/**
+		 * @brief Default constructor.
+		 * 
+		 * @post
+		 * - State is None. @ref initialize() must be called before use.
+		 */
+	RsaImpl();
+	~RsaImpl();
+
+		/**
+		 * @brief Initialize RSA state with key.
+		 * 
+		 * @param[in] key_bit_size Size of rsa key in bits.
+		 * @param[in] n Pointer to modulus data.
+		 * @param[in] n_size Size in bytes of modulus data.
+		 * @param[in] p Pointer to prime p data.
+		 * @param[in] p_size Size in bytes of prime p data.
+		 * @param[in] q Pointer to prime q data.
+		 * @param[in] q_size Size in bytes of prime q data.
+		 * @param[in] d Pointer to private exponent data.
+		 * @param[in] d_size Size in bytes of private exponent data.
+		 * @param[in] e Pointer to public exponent data.
+		 * @param[in] e_size Size in bytes of public exponent data.
+		 * 
+		 * @pre 
+		 * - @p key_bit_size must a multiple of 8 bits (byte aligned).
+		 * @post
+		 * - Instance is now in initialized state.
+		 * 
+		 * @throw tc::ArgumentNullException @p n was null when @p n_size was not 0.
+		 * @throw tc::ArgumentNullException @p n was not null when @p n_size was 0.
+		 * @throw tc::ArgumentNullException @p p was null when @p p_size was not 0.
+		 * @throw tc::ArgumentNullException @p p was not null when @p p_size was 0.
+		 * @throw tc::ArgumentNullException @p q was null when @p q_size was not 0.
+		 * @throw tc::ArgumentNullException @p q was not null when @p q_size was 0.
+		 * @throw tc::ArgumentNullException @p d was null when @p d_size was not 0.
+		 * @throw tc::ArgumentNullException @p d was not null when @p d_size was 0.
+		 * @throw tc::ArgumentNullException @p e was null when @p e_size was not 0.
+		 * @throw tc::ArgumentNullException @p e was not null when @p e_size was 0.
+		 * @throw tc::ArgumentOutOfRangeException @p key_bit_size was not a multiple of 8 bits.
+		 */
+	void initialize(size_t key_bit_size, const byte_t* n, size_t n_size, const byte_t* p, size_t p_size, const byte_t* q, size_t q_size, const byte_t* d, size_t d_size, const byte_t* e, size_t e_size);
+
+		/**
+		 * @brief Transform data block using public key.
+		 * 
+		 * @param[out] dst Buffer to store transformed block.
+		 * @param[in]  src Pointer to block to transform.
+		 * 
+		 * @pre 
+		 * - Instance is in initialized state.
+		 * 
+		 * @details
+		 * This transforms block_size number of bytes of data from @p src, writing it to @p dst.
+		 * 
+		 * @note 
+		 *  - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 */
+	void publicTransform(byte_t* dst, const byte_t* src);
+
+		/**
+		 * @brief Transform data block using private key.
+		 * 
+		 * @param[out] dst Buffer to store transformed block.
+		 * @param[in]  src Pointer to block to transform.
+		 * 
+		 * @pre 
+		 * - Instance is in initialized state.
+		 * 
+		 * @details
+		 * This transforms block_size number of bytes of data from @p src, writing it to @p dst.
+		 * 
+		 * @note 
+		 *  - @p dst and @p src can be the same pointer.
+		 * 
+		 * @throw tc::ArgumentNullException @p dst was null.
+		 * @throw tc::ArgumentNullException @p src was null.
+		 */
+	void privateTransform(byte_t* dst, const byte_t* src);
+private:
+	enum class State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+
+	struct ImplCtx;
+	std::unique_ptr<ImplCtx> mImplCtx;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaKeyGeneratorImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaKeyGeneratorImpl.h
new file mode 100644
index 00000000..cace97d0
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaKeyGeneratorImpl.h
@@ -0,0 +1,79 @@
+	/**
+	 * @file RsaKeyGeneratorImpl.h
+	 * @brief Declaration of tc::crypto::detail::RsaKeyGeneratorImpl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/09/12
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/crypto/CryptoException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class RsaKeyGeneratorImpl
+	 * @brief This class implements the RSA key generation.
+	 */
+class RsaKeyGeneratorImpl
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @details
+		 * This initializes RSA key generator state.
+		 */
+	RsaKeyGeneratorImpl();
+
+		/**
+		 * @brief Destructor
+		 * @details
+		 * Cleans up RSA key generator state.
+		 */
+	~RsaKeyGeneratorImpl();
+
+		/**
+		 * @brief Generate an RSA key.
+		 * 
+		 * @param[in]  key_bit_size Size of rsa key in bits.
+		 * @param[out] n      Buffer to store modulus.
+		 * @param[in]  n_size Size of modulus buffer.
+		 * @param[out] p      Buffer to store prime p.
+		 * @param[in]  p_size Size of prime p buffer.
+		 * @param[out] q      Buffer to store prime q.
+		 * @param[in]  q_size Size of prime q buffer.
+		 * @param[out] d      Buffer to store private exponent.
+		 * @param[in]  d_size Size of private exponent buffer.
+		 * @param[out] e      Buffer to store public exponent.
+		 * @param[in]  e_size Size of public exponent buffer.
+		 * 
+		 * @pre 
+		 * - @p key_bit_size must a multiple of 8 bits (byte aligned).
+		 * @post
+		 * - Key components are exported if the related buffers were not null.
+		 * 
+		 * @note
+		 * - Key components can be optionally not exported if the corresponding input variables are null and zero.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p key_bit_size was not a multiple of 8 bits.
+		 * @throw tc::crypto::CryptoException An unexpected error has occurred.
+		 * @throw tc::crypto::CryptoException Something failed during generation of a key.
+		 * @throw tc::crypto::CryptoException The random generator failed to generate non-zeros.
+		 * @throw tc::ArgumentException @p n was not null, but @p n_size was not large enough.
+		 * @throw tc::ArgumentException @p p was not null, but @p p_size was not large enough.
+		 * @throw tc::ArgumentException @p q was not null, but @p q_size was not large enough.
+		 * @throw tc::ArgumentException @p d was not null, but @p d_size was not large enough.
+		 * @throw tc::ArgumentException @p e was not null, but @p e_size was not large enough.
+		 */
+	void generateKey(size_t key_bit_size, byte_t* n, size_t n_size, byte_t* p, size_t p_size, byte_t* q, size_t q_size, byte_t* d, size_t d_size, byte_t* e, size_t e_size);
+private:
+	static const std::string kClassName;	
+
+	struct ImplCtx;
+	std::unique_ptr<ImplCtx> mImplCtx;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaOaepPadding.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaOaepPadding.h
new file mode 100644
index 00000000..faa15975
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaOaepPadding.h
@@ -0,0 +1,169 @@
+	/**
+	 * @file RsaOaepPadding.h
+	 * @brief Declaration of tc::crypto::detail::RsaOaepPadding
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/09/12
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class RsaOaepPadding
+	 * @brief This class implements RSA OAEP Padding as a template class.
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for padding generation.
+	 */
+template <typename HashFunction>
+class RsaOaepPadding
+{
+public:
+	static const size_t kHashSize = HashFunction::kHashSize;
+
+	enum class Result
+	{
+		kSuccess,
+		kBadSeedSize,
+		kBadLabelDigestSize,
+		kBlockSizeTooSmall,
+		kBadPadding,
+		kOutputBufferTooSmall
+	};
+
+	RsaOaepPadding::Result BuildPad(byte_t* out_block, size_t block_size, const byte_t* label_digest, size_t label_digest_size, const byte_t* raw_message, size_t raw_message_size, const byte_t* seed, size_t seed_size)
+	{
+		if (seed_size != kHashSize) { return Result::kBadSeedSize; }
+		if (label_digest_size != kHashSize) { return Result::kBadLabelDigestSize; }
+		if (block_size < (1 + seed_size + label_digest_size + 1 + raw_message_size)) { return Result::kBlockSizeTooSmall; }
+
+		size_t seed_offset = 0x01;
+		size_t label_digest_offset = seed_offset + seed_size;
+		size_t padding_offset = label_digest_offset + label_digest_size;
+		size_t padding_size = block_size - (1 + seed_size + label_digest_size + 1 + raw_message_size);
+		size_t msg_offset = padding_offset + padding_size + 0x01;
+
+		out_block[0] = 0x00;
+		memcpy(out_block + seed_offset, seed, seed_size);
+		memcpy(out_block + label_digest_offset, label_digest, label_digest_size);
+		memset(out_block + padding_offset, 00, padding_size);
+		out_block[padding_offset + padding_size] = 0x01;
+		memcpy(out_block + msg_offset, raw_message, raw_message_size);
+
+		// apply mask
+		apply_mgf1_mask<kHashSize>(out_block + label_digest_offset, block_size - label_digest_offset, out_block + seed_offset, seed_size);
+		apply_mgf1_mask<kHashSize>(out_block + seed_offset, seed_size, out_block + label_digest_offset, block_size - label_digest_offset);
+
+		return Result::kSuccess;
+	}
+
+	RsaOaepPadding::Result RecoverFromPad(byte_t* out_message, size_t out_size, size_t& message_size, const byte_t* label_digest, size_t label_digest_size, byte_t* block, size_t block_size)
+	{
+		size_t seed_size = kHashSize;
+
+		if (out_size == 0) { return Result::kOutputBufferTooSmall; }
+		if (label_digest_size != kHashSize) { return Result::kBadLabelDigestSize; }
+		if (block_size < (1 + seed_size + label_digest_size + 1 + 1)) { return Result::kBlockSizeTooSmall; }
+
+		size_t seed_offset = 0x01;
+		size_t label_digest_offset = seed_offset + seed_size;
+		size_t padding_offset = label_digest_offset + label_digest_size;
+		size_t padding_size = 0; // set later
+		size_t msg_offset = 0;// set later
+		size_t msg_size = 0;// set later
+
+		// constant time check
+		byte_t bad = 0;
+
+		// check byte 0
+		bad |= block[0] != 0x00;
+
+		// apply mask
+		apply_mgf1_mask<kHashSize>(block + seed_offset, seed_size, block + label_digest_offset, block_size - label_digest_offset);
+		apply_mgf1_mask<kHashSize>(block + label_digest_offset, block_size - label_digest_offset, block + seed_offset, seed_size);
+
+		// check label
+		for (size_t i = 0; i < label_digest_size; i++)
+			bad |= block[label_digest_offset + i] ^ label_digest[i];
+
+		// seek message begin {0x00, ..., 0x01, message} 
+		bool is0x01MarkerLocated = false;
+		for (size_t i = 0, size = block_size - padding_offset; i < size && is0x01MarkerLocated == false; i++)
+		{
+			// padding byte that should prefix the start marker
+			if (block[padding_offset + i] == 0x00)
+			{
+				continue;
+			}
+			// if the byte is the start marker then set other offsets/sizes and note the marker was located
+			else if (block[padding_offset + i] == 0x01)
+			{
+				padding_size = i;
+				msg_offset = padding_offset + padding_size + 0x01;
+				msg_size = block_size - msg_offset;
+				is0x01MarkerLocated = true;
+			}
+			// otherwise this is unexpected data
+			else
+			{
+				bad |= 1;
+				break;
+			}
+			
+		}
+
+		// throw error if bad
+		if (is0x01MarkerLocated == false || bad != 0)
+		{
+			return Result::kBadPadding;
+		}
+
+		// throw error if out_size isn't large enough
+		if (out_size < msg_size)
+		{
+			return Result::kOutputBufferTooSmall;
+		}
+
+		// export message
+		memcpy(out_message, &block[msg_offset], msg_size);
+		message_size = msg_size;
+
+		return Result::kSuccess;
+	}
+
+private:
+	template <size_t HashSize>
+	inline void apply_mgf1_mask(byte_t* dst, size_t dst_size, const byte_t* src, size_t src_size)
+	{
+		HashFunction hash;
+		std::array<byte_t, HashSize> mask;
+		tc::bn::be32<uint32_t> beRoundNum;
+
+		for (size_t round_idx = 0, round_num = (dst_size + HashSize - 1) / HashSize; round_idx < round_num; round_idx++)
+		{
+			hash.initialize();
+
+			// update using src data
+			hash.update(src, src_size);
+			
+			// update using big endian round num
+			beRoundNum.wrap((uint32_t)round_idx);
+			hash.update((byte_t*)&beRoundNum, sizeof(tc::bn::be32<uint32_t>));
+
+			// get mask
+			hash.getHash(mask.data());
+
+			// merge mask and dst
+			size_t dst_pos = round_idx * HashSize;
+
+			for (size_t i = 0, len = std::min(dst_size - dst_pos, HashSize); i < len; i++)
+			{
+				dst[dst_pos + i] ^= mask[i];
+			}
+		}
+	}
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPkcs1Padding.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPkcs1Padding.h
new file mode 100644
index 00000000..3f51a81b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPkcs1Padding.h
@@ -0,0 +1,117 @@
+	/**
+	 * @file RsaPkcs1Padding.h
+	 * @brief Declaration of tc::crypto::detail::RsaPkcs1Padding
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/09/12
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class RsaPkcs1Padding
+	 * @brief This class implements RSA PKCS1 Padding as a template class.
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for padding generation.
+	 */
+template <typename HashFunction>
+class RsaPkcs1Padding
+{
+public:
+	static const size_t kHashSize = HashFunction::kHashSize;
+
+	enum class Result
+	{
+		kSuccess,
+		kBadMessageDigestSize,
+		kBlockSizeTooSmall,
+		kVerificationFailure
+	};
+
+	RsaPkcs1Padding::Result BuildPad(byte_t* out_block, size_t block_size, const byte_t* message_digest, size_t message_digest_size)
+	{
+		if (message_digest_size != kHashSize) { return Result::kBadMessageDigestSize; }
+
+		// the minimum block size has 0 padding and the ASN1 OID data, message digest and marker bytes
+		if (block_size < 2 + 1 + HashFunction::kAsn1OidData.size() + kHashSize) { return Result::kBlockSizeTooSmall; }
+
+		// determine sizes
+		size_t padding_size = block_size - 2 - 1 - HashFunction::kAsn1OidDataSize - kHashSize;
+
+		// determine offsets
+		size_t padding_offset = 0x02;
+		size_t asn1oid_offset = padding_offset + padding_size + 1;
+		size_t message_digest_offset = asn1oid_offset + HashFunction::kAsn1OidData.size();
+
+		// clear block
+		memset(out_block, 0, block_size);
+
+		// write begin marker
+		out_block[0] = 0x00;
+		out_block[1] = 0x01;
+		
+		// write padding
+		memset(out_block + padding_offset, 0xff, padding_size);
+
+		// write payload marker
+		out_block[padding_offset + padding_size] = 0x00;
+
+		// write ASN.1 encoded OID
+		memcpy(out_block + asn1oid_offset, HashFunction::kAsn1OidData.data(), HashFunction::kAsn1OidData.size());
+
+		// write message digest
+		memcpy(out_block + message_digest_offset, message_digest, kHashSize);
+
+		return Result::kSuccess;
+	}
+
+	RsaPkcs1Padding::Result CheckPad(const byte_t* message_digest, size_t message_digest_size, byte_t* block, size_t block_size)
+	{
+		if (message_digest_size != kHashSize) { return Result::kBadMessageDigestSize; }
+
+		// the minimum block size has 0 padding and the ASN1 OID data, message digest and marker bytes
+		if (block_size < 2 + 1 + HashFunction::kAsn1OidData.size() + kHashSize) { return Result::kBlockSizeTooSmall; }
+
+		// determine sizes
+		size_t padding_size = block_size - 2 - 1 - HashFunction::kAsn1OidDataSize - kHashSize;
+
+		// determine offsets
+		size_t padding_offset = 0x02;
+		size_t asn1oid_offset = padding_offset + padding_size + 1;
+		size_t message_digest_offset = asn1oid_offset + HashFunction::kAsn1OidData.size();
+
+		byte_t bad = 0;
+
+		// validate start marker
+		bad |= block[0] != 0x00;
+		bad |= block[1] != 0x01;
+
+		// validate padding
+		for (size_t i = 0; i < padding_size; i++)
+		{
+			bad |= block[padding_offset + i] != 0xFF;
+		}
+		
+		// validate payload marker
+		bad |= block[padding_offset + padding_size] != 0x00;
+
+		// validate ASN.1 data
+		for (size_t i = 0; i < HashFunction::kAsn1OidData.size(); i++)
+		{
+			bad |= block[asn1oid_offset + i] != HashFunction::kAsn1OidData[i];
+		}
+
+		// validate message digest
+		for (size_t i = 0; i < kHashSize; i++)
+		{
+			bad |= block[message_digest_offset + i] != message_digest[i];
+		}
+
+		return bad == 0? Result::kSuccess : Result::kVerificationFailure;
+	}
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPssPadding.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPssPadding.h
new file mode 100644
index 00000000..f73bd25f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/RsaPssPadding.h
@@ -0,0 +1,260 @@
+	/**
+	 * @file RsaPssPadding.h
+	 * @brief Declaration of tc::crypto::detail::RsaPssPadding
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/09/12
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class RsaPssPadding
+	 * @brief This class implements RSA PSS Padding as a template class.
+	 * 
+	 * @tparam HashFunction The class that implements the hash function used for padding generation.
+	 */
+template <typename HashFunction>
+class RsaPssPadding
+{
+public:
+	static const size_t kHashSize = HashFunction::kHashSize;
+
+	enum class Result
+	{
+		kSuccess,
+		kBadMessageDigestSize,
+		kBadSaltSize,
+		kBlockSizeTooSmall,
+		kBadPadding,
+		kBadInputData,
+		kVerificationFailure
+	};
+
+		/**
+		 * @note modulus_msb is usually (for byte aligned key sizes) ((block_size << 3) - 1)
+		 * @note Where (modulus_msb % 8 == 0) this fails tests. Investigation required.
+		 */
+	RsaPssPadding::Result BuildPad(byte_t* out_block, size_t block_size, const byte_t* message_digest, size_t message_digest_size, const byte_t* salt, size_t salt_size, size_t modulus_msb)
+	{
+		size_t min_salt_size = kHashSize - 2;
+		size_t expected_salt_size = 0;
+
+		// the block size is large enough to support a full sized salt (hash size)
+		if (block_size >= kHashSize + kHashSize + 2)
+		{
+			expected_salt_size = kHashSize;
+		}
+		// the block size is too small for a full sized salt, but is large enough for a smaller legal sized salt
+		else if (block_size >= min_salt_size + kHashSize + 2)
+		{
+			expected_salt_size = block_size - kHashSize - 2;
+		}
+		// else the block size is too small for any valid salt size
+		else
+		{
+			return Result::kBlockSizeTooSmall;
+		}
+
+		if (message_digest_size != kHashSize) { return Result::kBadMessageDigestSize; }
+
+		// salt_size cannot have any variance from the expected size
+		if (salt_size != expected_salt_size) { return Result::kBadSaltSize; }
+
+		// initial config
+		size_t signature_size = block_size;
+		size_t db_offset = 0x00;
+
+		/* Compensate for boundary condition when applying mask */
+		if (modulus_msb % 8 == 0)
+		{
+			db_offset++;
+			signature_size--;
+		}
+
+		// determine offsets and sizes
+		size_t db_size = signature_size - kHashSize - 1;
+		size_t db_padding_size = db_size - salt_size - 1;
+
+		size_t salt_offset = db_offset + db_padding_size + 1;
+		size_t message_digest_offset = db_offset + db_size;
+
+		// clear block
+		memset(out_block, 0, block_size);
+
+		// write salt start marker
+		out_block[db_offset + db_padding_size] = 0x01;
+		// write salt
+		memcpy(out_block + salt_offset, salt, salt_size);
+
+		// write encoded message digest
+		compute_encoded_message_digest(out_block + message_digest_offset, message_digest, salt, salt_size);
+
+		// mask db
+		apply_mgf1_mask<kHashSize>(out_block + db_offset, db_size, out_block + message_digest_offset, kHashSize);
+
+		out_block[0] &= 0xFF >> ( signature_size * 8 - modulus_msb );
+
+		// write BC to final byte of block when complete
+		out_block[block_size - 1] = 0xBC;
+
+		return Result::kSuccess;
+	}
+
+		/**
+		 * @note modulus_msb is usually (for byte aligned key sizes) ((block_size << 3) - 1)
+		 * @note Where (modulus_msb % 8 == 0) this fails tests. Investigation required.
+		 */
+	RsaPssPadding::Result CheckPad(const byte_t* message_digest, size_t message_digest_size, byte_t* block, size_t block_size, size_t modulus_msb)
+	{
+		size_t min_salt_size = kHashSize - 2;
+		size_t salt_size = 0;
+
+		// the block size is large enough to support a full sized salt (hash size)
+		if (block_size >= kHashSize + kHashSize + 2)
+		{
+			salt_size = kHashSize;
+		}
+		// the block size is too small for a full sized salt, but is large enought for a smaller legal sized salt
+		else if (block_size >= min_salt_size + kHashSize + 2)
+		{
+			salt_size = block_size - kHashSize - 2;
+		}
+		// else the block size is too small for any valid salt size
+		else
+		{
+			return Result::kBlockSizeTooSmall;
+		}
+
+		size_t signature_size = block_size;
+		size_t db_offset = 0x00;
+		
+		// check byte at end of block (written when padding is completed, so this should be here)
+		if (block[block_size - 1] != 0xBC) { return Result::kBadPadding; }
+
+		/*
+		 * Note: EMSA-PSS verification is over the length of N - 1 bits
+		 */
+		if (block[0] >> ( 8 - block_size * 8 + modulus_msb )) { return Result::kBadInputData; }
+
+		/* Compensate for boundary condition when applying mask */
+		if (modulus_msb % 8 == 0)
+		{
+			db_offset++;
+			signature_size--;
+		}
+
+		// determine offsets and sizes
+		size_t db_size = signature_size - kHashSize - 1;
+		size_t db_padding_size = db_size - salt_size - 1;
+
+		size_t salt_offset = db_offset + db_padding_size + 1;
+		size_t message_digest_offset = db_offset + db_size;
+
+		// apply mask
+		apply_mgf1_mask<kHashSize>(block + db_offset, db_size, block + message_digest_offset, kHashSize);
+
+		// mask byte0
+		block[0] &= 0xFF >> ( signature_size * 8 - modulus_msb );
+
+		// constant time check
+		byte_t bad = 0;
+
+		// validate padding seeking 01 byte, and validating the supposed salt size
+		bool salt_marker_located = false;
+		for (size_t i = 0, size = salt_offset; i < size && salt_marker_located == false; i++)
+		{
+			// padding byte that should prefix the start marker
+			if (block[i] == 0x00)
+			{
+				continue;
+			}
+			// if the byte is the salt start marker then check that the salt offset is correct
+			else if (block[i] == 0x01)
+			{
+				bad |= (i + 1) != salt_offset;
+				salt_marker_located = true;
+			}
+			// otherwise this is unexpected data
+			else
+			{
+				bad |= 1;
+				break;
+			}
+			
+		}
+
+		// update bad if marker did not exist
+		bad |= salt_marker_located == false;
+		
+		// calculate encoded hash (all these offsets should be safe as they aren't provided by the user)
+		std::array<byte_t, kHashSize> encoded_digest;
+		compute_encoded_message_digest(encoded_digest.data(), message_digest, block + salt_offset, salt_size);
+
+		// check encoded hash (all these offsets should be safe as they aren't provided by the user)
+		for (size_t i = 0; i < kHashSize; i++)
+			bad |= block[message_digest_offset + i] ^ encoded_digest[i];
+
+		// return success if no errors
+		return bad == 0 ? Result::kSuccess : Result::kVerificationFailure;
+	}
+
+private:
+	template <size_t HashSize>
+	inline void apply_mgf1_mask(byte_t* dst, size_t dst_size, const byte_t* src, size_t src_size)
+	{
+		HashFunction hash;
+		std::array<byte_t, HashSize> mask;
+		tc::bn::be32<uint32_t> beRoundNum;
+
+		for (size_t round_idx = 0, round_num = (dst_size + HashSize - 1) / HashSize; round_idx < round_num; round_idx++)
+		{
+			hash.initialize();
+
+			// update using src data
+			hash.update(src, src_size);
+			
+			// update using big endian round num
+			beRoundNum.wrap((uint32_t)round_idx);
+			hash.update((byte_t*)&beRoundNum, sizeof(tc::bn::be32<uint32_t>));
+
+			// get mask
+			hash.getHash(mask.data());
+
+			// merge mask and dst
+			size_t dst_pos = round_idx * HashSize;
+
+			for (size_t i = 0, len = std::min(dst_size - dst_pos, HashSize); i < len; i++)
+			{
+				dst[dst_pos + i] ^= mask[i];
+			}
+		}
+	}
+
+	inline void compute_encoded_message_digest(byte_t* dst, const byte_t* message_digest, const byte_t* salt, size_t salt_size)
+	{
+		HashFunction hash;
+		std::array<byte_t, 8> prime;
+
+		// initialize hash
+		hash.initialize();
+
+		// update hash with prime
+		memset(prime.data(), 0, prime.size());
+		hash.update(prime.data(), prime.size());
+
+		// update hash with original message digest
+		hash.update(message_digest, kHashSize);
+
+		// update hash with salt
+		hash.update(salt, salt_size);
+
+		// compute final hash digest
+		hash.getHash(dst);
+	}
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha1Impl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha1Impl.h
new file mode 100644
index 00000000..7dcfa858
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha1Impl.h
@@ -0,0 +1,44 @@
+	/**
+	 * @file Sha1Impl.h
+	 * @brief Declaration of tc::crypto::detail::Sha1Impl
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/06/01
+	 **/
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class Sha1Impl
+	 * @brief This class implements the SHA-1 hash algorithm.
+	 */
+class Sha1Impl
+{
+public:
+	static const size_t kHashSize = 20;
+	static const size_t kBlockSize = 64;
+
+	Sha1Impl();
+	~Sha1Impl();
+
+	void initialize();
+	void update(const byte_t* data, size_t data_size);
+	void getHash(byte_t* hash);
+private:
+	enum class State
+	{
+		None,
+		Initialized,
+		Done
+	};
+
+	State mState;
+	std::array<byte_t, kHashSize> mHash;
+
+	struct ImplCtx;
+	std::unique_ptr<ImplCtx> mImplCtx;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha2Impl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha2Impl.h
new file mode 100644
index 00000000..f62b2b51
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/Sha2Impl.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file Sha2Impl.h
+	 * @brief Declaration of tc::crypto::detail::Sha2Impl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2022/02/27
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/crypto/CryptoException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class Sha2Impl
+	 * @brief This class implements the SHA2 family of hash algorithms.
+	 */
+class Sha2Impl
+{
+public:
+	enum SHA2BitSize
+	{
+		SHA2BitSize_256 = 256,
+		SHA2BitSize_512 = 512
+	};
+
+	static const size_t kSha2_256_HashSize = 32;
+	static const size_t kSha2_256_BlockSize = 64;
+
+	static const size_t kSha2_512_HashSize = 64;
+	static const size_t kSha2_512_BlockSize = 128;
+
+	Sha2Impl(SHA2BitSize algo = SHA2BitSize_256);
+	~Sha2Impl();
+
+	void initialize();
+	void update(const byte_t* data, size_t data_size);
+	void getHash(byte_t* hash);
+private:
+	enum class State
+	{
+		None,
+		Initialized,
+		Done
+	};
+
+	State mState;
+
+	size_t mHashSize;
+	std::array<byte_t, kSha2_512_HashSize> mHash;
+
+	struct ImplCtx;
+	std::unique_ptr<ImplCtx> mImplCtx;
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/crypto/detail/XtsModeImpl.h b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/XtsModeImpl.h
new file mode 100644
index 00000000..6ce35678
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/crypto/detail/XtsModeImpl.h
@@ -0,0 +1,330 @@
+	/**
+	 * @file XtsModeImpl.h
+	 * @brief Declaration of tc::crypto::detail::XtsModeImpl
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/07/04
+	 **/
+#pragma once
+#include <tc/types.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/ArgumentNullException.h>
+
+namespace tc { namespace crypto { namespace detail {
+
+	/**
+	 * @class XtsModeImpl
+	 * @brief This class implements the XTS (<b>X</b>EX mode with cipher<b>t</b>ext <b>s</b>tealing) mode cipher as a template class.
+	 * 
+	 * @tparam BlockCipher The class that implements the block cipher used for XTS mode encryption/decryption.
+	 * 
+	 * @details
+	 * The implementation of <var>BlockCipher</var> must satisfies the following conditions.
+	 * 
+	 * -# Has a <tt>kBlockSize</tt> constant that defines the size of the block to process.
+	 * -# Has a <tt>kKeySize</tt> constant that defines the required key size to initialize the block cipher.
+	 * -# Has an <tt>initialize</tt> method that initializes the state of the block cipher.
+	 * -# Has an <tt>encrypt</tt> method that encrypts a block of input data.
+	 * -# Has a <tt>decrypt</tt> method that decrypts a block of input data.
+	 */
+template <class BlockCipher>
+class XtsModeImpl
+{
+public:
+	static_assert(BlockCipher::kBlockSize == 16, "XtsModeImpl only supports BlockCiphers with block size 16.");
+
+	static const size_t kKeySize = BlockCipher::kKeySize;
+	static const size_t kBlockSize = BlockCipher::kBlockSize;
+
+	size_t sector_size() const { return mSectorSize; }
+
+	XtsModeImpl() :
+		mState(None),
+		mCryptCipher(),
+		mTweakCipher(),
+		mSectorSize(0),
+		mTweakIsLittleEndian(true)
+	{
+	}
+
+	void initialize(const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_little_endian = true) 
+	{
+		if (key1 == nullptr) { throw tc::ArgumentNullException("XtsModeImpl::initialize()", "key1 was null."); }
+		if (key1_size != kKeySize) { throw tc::ArgumentOutOfRangeException("XtsModeImpl::initialize()", "key1_size did not equal kKeySize."); }
+		if (key2 == nullptr) { throw tc::ArgumentNullException("XtsModeImpl::initialize()", "key2 was null."); }
+		if (key2_size != kKeySize) { throw tc::ArgumentOutOfRangeException("XtsModeImpl::initialize()", "key2_size did not equal kKeySize."); }
+		if (sector_size < kBlockSize) { throw tc::ArgumentOutOfRangeException("XtsModeImpl::initialize()", "sector_size was less than kBlockSize."); }
+
+		mCryptCipher.initialize(key1, key1_size);
+		mTweakCipher.initialize(key2, key2_size);
+		mSectorSize = sector_size;
+		mTweakIsLittleEndian = tweak_little_endian;
+		mState = State::Initialized;
+	}
+
+	void encrypt(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (dst == nullptr) { throw tc::ArgumentNullException("XtsModeImpl::encrypt()", "dst was null."); }
+		if (src == nullptr) { throw tc::ArgumentNullException("XtsModeImpl::encrypt()", "src was null."); }
+		if (size == 0 || size % mSectorSize) { throw tc::ArgumentOutOfRangeException("XtsModeImpl::encrypt()", "size was not a multiple of the sector size."); }
+		
+		auto block = std::array<byte_t, kBlockSize>();
+		auto dec_tweak = std::array<byte_t, kBlockSize>();
+		auto enc_tweak = std::array<byte_t, kBlockSize>();
+
+		// for ciphertext stealing
+		size_t sector_leftover = mSectorSize % kBlockSize;
+		
+		// initialize tweak
+		set_tweak(dec_tweak.data(), sector_number);
+
+		// iterate through sectors
+		for (size_t sector_idx = 0, sector_num = (size / mSectorSize); sector_idx < sector_num; sector_idx++)
+		{
+			// encrypt tweak
+			mTweakCipher.encrypt(enc_tweak.data(), dec_tweak.data());
+			
+			// process each block within a sector
+			for (size_t block_idx = 0, block_num = (mSectorSize / kBlockSize); block_idx < block_num; block_idx++)
+			{
+				const byte_t* src_block = src + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+				byte_t* dst_block = dst + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+
+				// block = src_block XOR enc_tweak
+				xor_block(block.data(), enc_tweak.data(), src_block);
+
+				// encrypt block
+				mCryptCipher.encrypt(block.data(), block.data());
+
+				// dst_block = enc_block XOR enc_tweak
+				xor_block(dst_block, block.data(), enc_tweak.data());
+
+				// Update encrypted tweak
+				galois_func(enc_tweak.data());
+			}
+
+			// cipher text stealing
+			if (sector_leftover > 0)
+			{
+				size_t block_idx = (mSectorSize / kBlockSize);
+				const byte_t* src_block = src + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+				byte_t* prev_dst_block = dst + (sector_idx * mSectorSize) + ((block_idx - 1) * kBlockSize);
+				byte_t* dst_block = dst + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+
+				for (size_t j = 0; j < sector_leftover; j++)
+				{
+					// block [0, sector_leftover) = src_block [0, sector_leftover) ^ enc_tweak[0, sector_leftover)
+					block[j] = src_block[j] ^ enc_tweak[j];
+
+					// dst_block [0, sector_leftover) = prev_dst_block [0, sector_leftover)
+					dst_block[j] = prev_dst_block[j];
+				}
+
+				for (size_t j = sector_leftover; j < kBlockSize; j++)
+				{
+					// block [sector_leftover, kBlockSize) = prev_dst_block[sector_leftover, kBlockSize) ^ enc_tweak[sector_leftover, kBlockSize)
+					block[j] = prev_dst_block[j] ^ enc_tweak[j];
+				}
+
+				// encrypt block
+				mCryptCipher.encrypt(block.data(), block.data());
+
+				// prev_dst_block = enc_block XOR enc_tweak
+				xor_block(prev_dst_block, block.data(), enc_tweak.data());
+			}
+			
+			// increment tweak
+			incr_tweak(dec_tweak.data(), 1);
+		}
+	}
+
+	void decrypt(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number)
+	{
+		if (mState != State::Initialized) { return ; }
+		if (dst == nullptr) { throw tc::ArgumentNullException("XtsModeImpl::decrypt()", "dst was null."); }
+		if (src == nullptr) { throw tc::ArgumentNullException("XtsModeImpl::decrypt()", "src was null."); }
+		if (size == 0 || size % mSectorSize) { throw tc::ArgumentOutOfRangeException("XtsModeImpl::decrypt()", "size was not a multiple of sector_size."); }
+	
+		auto block = std::array<byte_t, kBlockSize>();
+		auto dec_tweak = std::array<byte_t, kBlockSize>();
+		auto enc_tweak = std::array<byte_t, kBlockSize>();
+
+		// for ciphertext stealing
+		auto prev_tweak = std::array<byte_t, kBlockSize>();
+		size_t sector_leftover = mSectorSize % kBlockSize;
+
+		// initialize tweak
+		set_tweak(dec_tweak.data(), sector_number);
+
+		// iterate through sectors
+		for (size_t sector_idx = 0, sector_num = (size / mSectorSize); sector_idx < sector_num; sector_idx++)
+		{
+			// encrypt tweak
+			mTweakCipher.encrypt(enc_tweak.data(), dec_tweak.data());
+			
+			// process each block within a sector
+			for (size_t block_idx = 0, block_num = (mSectorSize / kBlockSize); block_idx < block_num; block_idx++)
+			{
+				const byte_t* src_block = src + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+				byte_t* dst_block = dst + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+
+				// if this is the last block && there is left-over data
+				if ((block_idx + 1) == block_num && sector_leftover > 0)
+				{
+					// save tweak for the cipher text stealing decryption
+					memcpy(prev_tweak.data(), enc_tweak.data(), kBlockSize);
+
+					// Update encrypted tweak since this block uses the next tweak due to encryption mode cipher text stealing
+					galois_func(enc_tweak.data());
+				}
+
+				// block = src_block XOR enc_tweak
+				xor_block(block.data(), enc_tweak.data(), src_block);
+
+				// decrypt block
+				mCryptCipher.decrypt(block.data(), block.data());
+
+				// dst_block = dec_block XOR enc_tweak
+				xor_block(dst_block, block.data(), enc_tweak.data());
+
+				// Update encrypted tweak
+				galois_func(enc_tweak.data());
+			}
+
+			// cipher text stealing
+			if (sector_leftover > 0)
+			{
+				size_t block_idx = (mSectorSize / kBlockSize);
+				const byte_t* src_block = src + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+				byte_t* prev_dst_block = dst + (sector_idx * mSectorSize) + ((block_idx - 1) * kBlockSize);
+				byte_t* dst_block = dst + (sector_idx * mSectorSize) + (block_idx * kBlockSize);
+
+				for (size_t j = 0; j < sector_leftover; j++)
+				{
+					// block [0, sector_leftover) = src_block [0, sector_leftover) ^ prev_tweak[0, sector_leftover)
+					block[j] = src_block[j] ^ prev_tweak[j];
+
+					// dst_block [0, sector_leftover) = prev_dst_block [0, sector_leftover)
+					dst_block[j] = prev_dst_block[j];
+				}
+
+				for (size_t j = sector_leftover; j < kBlockSize; j++)
+				{
+					// block [sector_leftover, kBlockSize) = prev_dst_block[sector_leftover, kBlockSize) ^ prev_tweak[sector_leftover, kBlockSize)
+					block[j] = prev_dst_block[j] ^ prev_tweak[j];
+				}
+
+				// encrypt block
+				mCryptCipher.decrypt(block.data(), block.data());
+
+				// prev_dst_block = enc_block XOR prev_tweak
+				xor_block(prev_dst_block, block.data(), prev_tweak.data());
+			}
+
+			// increment tweak
+			incr_tweak(dec_tweak.data(), 1);
+		}
+	}
+private:
+	enum State
+	{
+		None,
+		Initialized
+	};
+
+	State mState;
+	BlockCipher mCryptCipher;
+	BlockCipher mTweakCipher;
+	size_t mSectorSize;
+	bool mTweakIsLittleEndian;
+
+	inline void xor_block(byte_t* dst, const byte_t* src_a, const byte_t* src_b)
+	{
+		((uint64_t*)dst)[0] = ((uint64_t*)src_a)[0] ^ ((uint64_t*)src_b)[0];
+		((uint64_t*)dst)[1] = ((uint64_t*)src_a)[1] ^ ((uint64_t*)src_b)[1];
+		//for (size_t i = 0; i < kBlockSize; i++) { dst[i] = src_a[i] ^ src_b[i];}
+	}
+
+	inline void set_tweak_le(byte_t* tweak, uint64_t sector_number)
+	{
+		((tc::bn::le64<uint64_t>*)tweak)[0].wrap(sector_number);
+		((tc::bn::le64<uint64_t>*)tweak)[1].wrap(0x0);
+	}
+
+	inline void set_tweak_be(byte_t* tweak, uint64_t sector_number)
+	{
+		((tc::bn::be64<uint64_t>*)tweak)[1].wrap(sector_number);
+		((tc::bn::be64<uint64_t>*)tweak)[0].wrap(0x0);
+	}
+
+	inline void set_tweak(byte_t* tweak, uint64_t sector_number)
+	{
+		mTweakIsLittleEndian ? set_tweak_le(tweak, sector_number) : set_tweak_be(tweak, sector_number);
+	}
+
+	inline void incr_tweak_be(byte_t* tweak, uint64_t incr)
+	{
+		tc::bn::be64<uint64_t>* tweak_words = (tc::bn::be64<uint64_t>*)tweak;
+
+		uint64_t carry = incr;
+		for (size_t i = 0; carry != 0 ; i = ((i + 1) % 2))
+		{
+			uint64_t word = tweak_words[1 - i].unwrap();
+			uint64_t remaining = std::numeric_limits<uint64_t>::max() - word;
+
+			if (remaining > carry)
+			{
+				tweak_words[1 - i].wrap(word + carry);
+				carry = 0;
+			}
+			else
+			{
+				tweak_words[1 - i].wrap(carry - remaining - 1);
+				carry = 1;
+			}
+		}
+	}
+
+	inline void incr_tweak_le(byte_t* tweak, uint64_t incr)
+	{
+		tc::bn::le64<uint64_t>* tweak_words = (tc::bn::le64<uint64_t>*)tweak;
+
+		uint64_t carry = incr;
+		for (size_t i = 0; carry != 0 ; i = ((i + 1) % 2))
+		{
+			uint64_t word = tweak_words[i].unwrap();
+			uint64_t remaining = std::numeric_limits<uint64_t>::max() - word;
+
+			if (remaining > carry)
+			{
+				tweak_words[i].wrap(word + carry);
+				carry = 0;
+			}
+			else
+			{
+				tweak_words[i].wrap(carry - remaining - 1);
+				carry = 1;
+			}
+		}
+	}
+
+	inline void incr_tweak(byte_t* tweak, uint64_t incr)
+	{
+		mTweakIsLittleEndian ? incr_tweak_le(tweak, incr) : incr_tweak_be(tweak, incr);
+	}
+
+	inline void galois_func(byte_t* tweak)
+	{
+		tc::bn::le64<uint64_t>* tweak_u64 = (tc::bn::le64<uint64_t>*)tweak; 
+
+		uint64_t ra = ( tweak_u64[0].unwrap() << 1 )  ^ 0x0087 >> ( 8 - ( ( tweak_u64[1].unwrap() >> 63 ) << 3 ) );
+		uint64_t rb = ( tweak_u64[0].unwrap() >> 63 ) | ( tweak_u64[1].unwrap() << 1 );
+
+		tweak_u64[0].wrap(ra);
+		tweak_u64[1].wrap(rb);
+	}
+};
+
+}}} // namespace tc::crypto::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io.h b/ctrtool/deps/libtoolchain/include/tc/io.h
new file mode 100644
index 00000000..06456c39
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io.h
@@ -0,0 +1,48 @@
+	/**
+	 * @file		io.h
+	 * @brief       Declaration of the input/output library
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/Exception.h>
+
+	/**
+	 * @namespace   tc::io
+	 * @brief       Namespace of the input/output library
+	 **/
+#include <tc/io/Path.h>
+#include <tc/io/PathUtil.h>
+
+#include <tc/io/IPathResolver.h>
+#include <tc/io/IPortablePathResolver.h>
+#include <tc/io/BasicPathResolver.h>
+
+#include <tc/io/IStream.h>
+#include <tc/io/FileStream.h>
+#include <tc/io/SubStream.h>
+#include <tc/io/MemoryStream.h>
+#include <tc/io/ConcatenatedStream.h>
+
+#include <tc/io/IFileSystem.h>
+#include <tc/io/LocalFileSystem.h>
+#include <tc/io/SubFileSystem.h>
+#include <tc/io/VirtualFileSystem.h>
+
+#include <tc/io/ISink.h>
+#include <tc/io/SubSink.h>
+#include <tc/io/StreamSink.h>
+
+#include <tc/io/ISource.h>
+#include <tc/io/PaddingSource.h>
+#include <tc/io/SubSource.h>
+#include <tc/io/StreamSource.h>
+#include <tc/io/MemorySource.h>
+#include <tc/io/OverlayedSource.h>
+
+// Exceptions
+#include <tc/io/IOException.h>
+#include <tc/io/DirectoryNotEmptyException.h>
+#include <tc/io/DirectoryNotFoundException.h>
+#include <tc/io/FileExistsException.h>
+#include <tc/io/FileNotFoundException.h>
+#include <tc/io/PathTooLongException.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/BasicPathResolver.h b/ctrtool/deps/libtoolchain/include/tc/io/BasicPathResolver.h
new file mode 100644
index 00000000..55425d49
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/BasicPathResolver.h
@@ -0,0 +1,109 @@
+	/**
+	 * @file BasicPathResolver.h
+	 * @brief Declaration of tc::io::BasicPathResolver
+	 * @author Jack (jakcron)
+	 * @version 0.3
+	 * @date 2022/02/25
+	 **/
+#pragma once
+#include <tc/io/IPortablePathResolver.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace tc { namespace io {
+
+	    /**
+		 * @class BasicPathResolver
+		 * @brief This implementation of IPortablePathResolver resolves a path and current directory to canonical path, resolving only '`.`', '`..`' and empty path elements.
+		 * @details 
+		 * This does not consider the local file-system/environment, so links or '`~`' will not be resolved properly. It is intended for processing archived/portable filesystems.
+		 * 
+		 * This supports custom root labels. A root label being the first element of absolute/canonical paths.
+		 * * For POSIX this is an empty string, e.g. the empty string prior to / in "/some/path/to/a/file"
+		 * * For Windows systems this is the drive letter, e.g. "C:" in "C:\some\path\to\a\file"
+		 * 
+		 * BasicPathResolver maintains a list of root labels to determine if a path being resolved is absolute or relative, including:
+		 * * Implicit Root Label : This is the first element in the current working directory, will change if the current working directory changes.
+		 * * Explicit Root Labels : This is a list of root labels supplied separately via @ref setExplicitRootLabels().
+		 */
+	class BasicPathResolver : public tc::io::IPortablePathResolver
+	{
+	public:
+			/**
+			 * @brief Default Constructor
+			 * 
+			 * @post The current directory will be "/" and the list of explicit root labels will be {}.
+			 */
+		BasicPathResolver();
+
+			/**
+			 * @brief Create BasicPathResolver
+			 * 
+			 * @param[in] current_directory_path Canonical path for the current directory.
+			 * 
+			 * @post The current directory will be @p current_directory_path and the list of explicit root labels will be {}.
+			 */
+		BasicPathResolver(const tc::io::Path& current_directory_path);
+
+			/**
+			 * @brief Create BasicPathResolver
+			 * 
+			 * @param[in] current_directory_path Canonical path for the current directory.
+			 * @param[in] root_labels Vector of valid root path names for this path resolver.
+			 * 
+			 * @post The current directory will be @p current_directory_path and the list of explicit root labels will be @p root_labels .
+			 */
+		BasicPathResolver(const tc::io::Path& current_directory_path, const std::vector<std::string>& root_labels);
+
+			/**
+			 * @brief Set the current directory path
+			 * 
+			 * @param path Canonical current directory path.
+			 * 
+			 * @throws tc::ArgumentOutOfRangeException @p path was an empty path.
+			 */
+		void setCurrentDirectory(const tc::io::Path& path);
+
+			/**
+			 * @brief Get the current directory path
+			 * 
+			 * @return tc::io::Path Canonical current directory path.
+			 */
+		const tc::io::Path& getCurrentDirectory() const;
+
+			/**
+			 * @brief Set explicit root labels
+			 * @details
+			 * This is only required where multiple root labels need to be registered.
+			 * 
+			 * @param root_labels Vector of root labels
+			 */
+		void setExplicitRootLabels(const std::vector<std::string>& root_labels);
+
+			/// Get explicit root labels
+		const std::vector<std::string>& getExplicitRootLabels() const;
+
+			/**
+			 * @brief Resolve path to its canonical path
+			 * 
+			 * @param path Input path.
+			 * @param canonical_path Output path to write resolved canonical path.
+			 */
+		void resolveCanonicalPath(const tc::io::Path& path, tc::io::Path& canonical_path) const;
+
+			/**
+			 * @brief Resolve path to its canonical path
+			 * 
+			 * @param path Input path.
+			 * 
+			 * @return Resolved canonical path.
+			 */
+		tc::io::Path resolveCanonicalPath(const tc::io::Path& path) const;
+	private:
+		static const std::string kClassName;
+
+		tc::io::Path mCurrentDirPath;
+		std::vector<std::string> mExplicitRootLabels;
+	};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/ConcatenatedStream.h b/ctrtool/deps/libtoolchain/include/tc/io/ConcatenatedStream.h
new file mode 100644
index 00000000..3036ac80
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/ConcatenatedStream.h
@@ -0,0 +1,205 @@
+	/**
+	 * @file ConcatenatedStream.h
+	 * @brief Declaration of tc::io::ConcatenatedStream
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2022/02/28
+	 **/
+#pragma once
+#include <tc/io/IStream.h>
+#include <tc/Optional.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/NotImplementedException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/io/IOException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class ConcatenatedStream
+	 * @brief A stream that concatenates multiple streams into a single stream.
+	 **/
+class ConcatenatedStream : public tc::io::IStream
+{
+public:
+		/**
+		 * @brief Default Constructor
+		 * @post This will create an unusable ConcatenatedStream, it will have to be assigned from a valid ConcatenatedStream object to be usable.
+		 **/
+	ConcatenatedStream();
+
+		/**
+		 * @brief Move constructor
+		 **/
+	ConcatenatedStream(ConcatenatedStream&& other);
+
+		/** 
+		 * @brief Create ConcatenatedStream
+		 * 
+		 * @param[in] stream_list The list IStream objects to concatenate in this stream.
+		 * 
+		 * @pre All base streams must support seeking for @ref seek() to work
+		 * @pre All base streams must support reading for @ref read() to work.
+		 * @pre All base streams must support writing for @ref write() to work.
+		 * 
+		 * @throw tc::NotSupportedException List of streams did not all support either read or write.
+		 * @throw tc::NotSupportedException List of streams combined to a stream with no length.
+		 **/
+	ConcatenatedStream(const std::vector<std::shared_ptr<tc::io::IStream>>& stream_list);
+
+		/// Destructor
+	~ConcatenatedStream();
+
+		/**
+		 * @brief Move assignment
+		 **/
+	ConcatenatedStream& operator=(ConcatenatedStream&& other);
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	bool canRead() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	bool canWrite() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	bool canSeek() const;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	int64_t length();
+
+		/** 
+		 * @brief Gets the position within the current stream. 
+		 * 
+		 * @return This is returns the current position within the stream.
+		 **/
+	int64_t position();
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support reading for @ref read to work. 
+		 * @note Use @ref canRead to determine if this stream supports reading.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::io::IOException Failed to read data from an underlying stream.
+		 * @throw tc::NotSupportedException Stream does not support reading.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t read(byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written.
+		 * 
+		 * @param[in] ptr Pointer to an array of bytes. This method copies @p count bytes from @p ptr to the current stream.
+		 * @param[in] count The number of bytes to be written to the current stream.
+		 * 
+		 * @return The total number of bytes written to the stream. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support writing for @ref write to work. 
+		 * @note Use @ref canWrite to determine if this stream supports writing.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::io::IOException Failed to write data to an underlying stream.
+		 * @throw tc::NotSupportedException Stream does not support writing.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t write(const byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::io::IOException Failed to seek because underlying stream could not be determined.
+		 * @throw tc::ArgumentOutOfRangeException @p origin contains an invalid value.
+		 * @throw tc::NotSupportedException Stream does not support seeking.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	int64_t seek(int64_t offset, SeekOrigin origin);
+
+		/**
+		 * @brief Sets the length of the current stream. This is not implemented for @ref ConcatenatedStream.
+		 * @throw tc::NotImplementedException @ref setLength is not implemented for @ref ConcatenatedStream
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Clears all buffers for this and the base stream and causes any buffered data to be written to the underlying device.
+		 * 
+		 * @throw tc::io::IOException An I/O error occurs.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void flush();
+	
+		/**
+		 * @brief Releases internal resources including base stream and clears internal state.
+		 **/
+	void dispose();
+private:
+	static const std::string kClassName;
+
+	// delete copy constructor
+	ConcatenatedStream(const ConcatenatedStream&);
+
+	// delete copy assignment
+	ConcatenatedStream& operator=(const ConcatenatedStream&);
+
+	struct StreamRange
+	{
+		int64_t offset;
+		int64_t length;
+
+		StreamRange() : offset(0), length(0) {}
+		StreamRange(int64_t offset) : offset(offset), length(0) {}
+		StreamRange(int64_t offset, int64_t length) : offset(offset), length(length) {}
+
+		bool operator<(const StreamRange& other) const 
+		{
+			return (this->offset < other.offset && (this->offset + this->length) <= other.offset);
+		}
+	};
+
+	struct StreamInfo
+	{
+		StreamRange range;
+		std::shared_ptr<tc::io::IStream> stream;
+	};
+
+	std::vector<StreamInfo> mStreamList;
+	std::map<StreamRange, size_t> mStreamListMap;
+	tc::Optional<std::vector<StreamInfo>::iterator> mCurrentStream;
+
+	inline bool isStreamDisposed() const { return mStreamList.empty() || mCurrentStream.isNull() || mCurrentStream.get() == mStreamList.end(); }
+	void updateCurrentStream(std::vector<StreamInfo>::iterator stream_itr);
+
+	// static stream properties
+	bool mCanRead;
+	bool mCanWrite;
+	bool mCanSeek;
+	int64_t mStreamLength;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotEmptyException.h b/ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotEmptyException.h
new file mode 100644
index 00000000..23c9c67f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotEmptyException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file DirectoryNotEmptyException.h
+	 * @brief Declaration of tc::io::DirectoryNotEmptyException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/io/IOException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class DirectoryNotEmptyException
+	 * @brief The exception that is thrown when a directory is not empty.
+	 **/
+class DirectoryNotEmptyException : public tc::io::IOException
+{
+public:
+		/// Default Constructor
+	DirectoryNotEmptyException() noexcept :
+		tc::io::IOException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	DirectoryNotEmptyException(const std::string& what) noexcept :
+		tc::io::IOException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	DirectoryNotEmptyException(const std::string& module, const std::string& what) noexcept :
+		tc::io::IOException(module, what)
+	{
+	}
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotFoundException.h b/ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotFoundException.h
new file mode 100644
index 00000000..ffa2ae3b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/DirectoryNotFoundException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file DirectoryNotFoundException.h
+	 * @brief Declaration of tc::io::DirectoryNotFoundException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/io/IOException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class DirectoryNotFoundException
+	 * @brief The exception that is thrown when part of a file or directory cannot be found.
+	 **/
+class DirectoryNotFoundException : public tc::io::IOException
+{
+public:
+		/// Default Constructor
+	DirectoryNotFoundException() noexcept :
+		tc::io::IOException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	DirectoryNotFoundException(const std::string& what) noexcept :
+		tc::io::IOException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	DirectoryNotFoundException(const std::string& module, const std::string& what) noexcept :
+		tc::io::IOException(module, what)
+	{
+	}
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/FileAccess.h b/ctrtool/deps/libtoolchain/include/tc/io/FileAccess.h
new file mode 100644
index 00000000..2a5bd361
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/FileAccess.h
@@ -0,0 +1,23 @@
+	/**
+	 * @file FileMode.h
+	 * @brief Declaration of tc::io::FileMode
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+
+namespace tc { namespace io {
+
+	/**
+	 * @enum FileAccess
+	 * @brief Defines constants for read, write, or read/write access to a file.
+	 **/
+enum class FileAccess
+{
+	Read = 1, /**< Read access to the file. Data can be read from the file. Combine with Write for read/write access. */
+	Write = 2, /**< Write access to the file. Data can be written to the file. Combine with Read for read/write access. */
+	ReadWrite = Read|Write /**< Read and write access to the file. Data can be written to and read from the file. */
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/FileExistsException.h b/ctrtool/deps/libtoolchain/include/tc/io/FileExistsException.h
new file mode 100644
index 00000000..23577183
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/FileExistsException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file FileExistsException.h
+	 * @brief Declaration of tc::io::FileExistsException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/26
+	 **/
+#pragma once
+#include <tc/io/IOException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class FileExistsException
+	 * @brief The exception that is thrown when an attempt to overwrite/remove a file that exists on disk fails.
+	 **/
+class FileExistsException : public tc::io::IOException
+{
+public:
+		/// Default Constructor
+	FileExistsException() noexcept :
+		tc::io::IOException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	FileExistsException(const std::string& what) noexcept :
+		tc::io::IOException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	FileExistsException(const std::string& module, const std::string& what) noexcept :
+		tc::io::IOException(module, what)
+	{
+	}
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/FileMode.h b/ctrtool/deps/libtoolchain/include/tc/io/FileMode.h
new file mode 100644
index 00000000..f6f93852
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/FileMode.h
@@ -0,0 +1,26 @@
+	/**
+	 * @file FileMode.h
+	 * @brief Declaration of tc::io::FileMode
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+
+namespace tc { namespace io {
+
+	/**
+	 * @enum FileMode
+	 * @brief Specifies how the operating system should open a file.
+	 **/
+enum class FileMode
+{
+	CreateNew = 1, /**< Specifies that the operating system should create a new file. This requires Write permission. If the file already exists, an @ref tc::io::IOException exception is thrown. */
+	Create = 2, /**< Specifies that the operating system should create a new file. If the file already exists, it will be overwritten. This requires Write permission. FileMode.Create is equivalent to requesting that if the file does not exist, use CreateNew; otherwise, use Truncate. If the file already exists but is a hidden file, an @ref tc::UnauthorisedAccessException exception is thrown. */
+	Open = 3, /**< Specifies that the operating system should open an existing file. The ability to open the file is dependent on the value specified by the FileAccess enumeration. A @ref tc::io::FileNotFoundException exception is thrown if the file does not exist. */
+	OpenOrCreate = 4, /**< Specifies that the operating system should open a file if it exists; otherwise, a new file should be created. If the file is opened with FileAccess.Read, Read permission is required. If the file access is FileAccess.Write, Write permission is required. If the file is opened with FileAccess.ReadWrite, both Read and Write permissions are required. */
+	Truncate = 5, /**< Specifies that the operating system should open an existing file. When the file is opened, it should be truncated so that its size is zero bytes. This requires Write permission. Attempts to read from a file opened with FileMode.Truncate cause an @ref tc::ArgumentException exception. */
+	Append = 6 /**< Opens the file if it exists and seeks to the end of the file, or creates a new file. This requires Append permission. FileMode.Append can be used only in conjunction with FileAccess.Write. Trying to seek to a position before the end of the file throws an @ref tc::io::IOException exception, and any attempt to read fails and throws a @ref tc::NotSupportedException exception. */
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/FileNotFoundException.h b/ctrtool/deps/libtoolchain/include/tc/io/FileNotFoundException.h
new file mode 100644
index 00000000..98200629
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/FileNotFoundException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file FileNotFoundException.h
+	 * @brief Declaration of tc::io::FileNotFoundException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/io/IOException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class FileNotFoundException
+	 * @brief The exception that is thrown when an attempt to access a file that does not exist on disk fails.
+	 **/
+class FileNotFoundException : public tc::io::IOException
+{
+public:
+		/// Default Constructor
+	FileNotFoundException() noexcept :
+		tc::io::IOException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	FileNotFoundException(const std::string& what) noexcept :
+		tc::io::IOException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	FileNotFoundException(const std::string& module, const std::string& what) noexcept :
+		tc::io::IOException(module, what)
+	{
+	}
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/FileStream.h b/ctrtool/deps/libtoolchain/include/tc/io/FileStream.h
new file mode 100644
index 00000000..bd557d25
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/FileStream.h
@@ -0,0 +1,240 @@
+	/**
+	 * @file FileStream.h
+	 * @brief Declaration of tc::io::FileStream
+	 * @author Jack (jakcron)
+	 * @version	0.4
+	 * @date 2020/01/23
+	 **/
+#pragma once
+#include <tc/io/IStream.h>
+#include <tc/io/Path.h>
+#include <tc/io/FileMode.h>
+#include <tc/io/FileAccess.h>
+
+#include <tc/AccessViolationException.h>
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/NotImplementedException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/OverflowException.h>
+#include <tc/UnauthorisedAccessException.h>
+#include <tc/SecurityException.h>
+#include <tc/io/IOException.h>
+#include <tc/io/FileExistsException.h>
+#include <tc/io/FileNotFoundException.h>
+#include <tc/io/PathTooLongException.h>
+
+#ifdef _WIN32
+#include <Windows.h>
+#else
+#include <cstdio>
+#endif
+
+namespace tc { namespace io {
+
+	/**
+	 * @class FileStream
+	 * @brief An implementation of IStream as a wrapper to local OS file access functions.
+	 **/
+class FileStream : public tc::io::IStream
+{
+public:
+		/** 
+		 * @brief Default constuctor
+		 **/
+	FileStream();
+
+		/**
+		 * @brief Move constructor
+		 **/
+	FileStream(FileStream&& other);
+
+		/** 
+		 * @brief Open file stream
+		 * 
+		 * @param[in] path A relative or absolute path for the file that the current FileStream object will encapsulate.
+		 * @param[in] mode One of the enumeration values that determines how to open or create the file.
+		 * @param[in] access One of the enumeration values that determines how the file can be accessed by the FileStream object. This also determines the values returned by the @ref canRead and @ref canWrite methods of the FileStream object. @ref canSeek is true if path specifies a disk file.
+		 *
+		 * @throw tc::ArgumentException @p path contains invalid characters or is empty.
+		 * @throw tc::NotSupportedException @p path refers to an unsupported non-file device.
+		 * @throw tc::io::IOException An I/O error, such as specifying @p mode @a CreateNew when the file specified by @p path already exists, occurred. Or the stream has been closed.
+		 * @throw tc::SecurityException The caller does not have the required permission.
+		 * @throw tc::io::DirectoryNotFoundException The specified path is invalid, such as being on an unmapped drive.
+		 * @throw tc::UnauthorisedAccessException The @p access requested is not permitted by the operating system for the specified @p path, such as when @p access is @a Write or @a ReadWrite and the file or directory is set for read-only access.
+		 * @throw tc::io::PathTooLongException The specified @p path, file name, or both exceed the system-defined maximum length.
+		 * @throw tc::ArgumentOutOfRangeException @p mode contains an invalid value.
+		 * @throw tc::ArgumentOutOfRangeException @p access contains an invalid value.
+		 **/
+	FileStream(const tc::io::Path& path, FileMode mode, FileAccess access);
+
+		/**
+		 * @brief Move assignment
+		 **/
+	FileStream& operator=(FileStream&& other);
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	bool canRead() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	bool canWrite() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	bool canSeek() const;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	int64_t length();
+
+		/** 
+		 * @brief Gets the position within the current stream. 
+		 * 
+		 * @return This is returns the result of seek(0, SeekOrigin::Current);
+		 * 
+		 * @throw tc::NotSupportedException The stream does not support seeking.
+		 **/
+	int64_t position();
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support reading for @ref read to work. 
+		 * @note Use @ref canRead to determine if this stream supports reading.
+		 * 
+		 * @throw tc::AccessViolation @p ptr refers to inaccessible/protected memory.
+		 * @throw tc::ArgumentNullException @p ptr is @a nullptr.
+		 * @throw tc::ArgumentOutOfRangeException @p count is negative.
+		 * @throw tc::io::IOException An I/O error occurred.
+		 * @throw tc::NotSupportedException The stream does not support reading.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t read(byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written.
+		 * 
+		 * @param[in] ptr Pointer to an array of bytes. This method copies @p count bytes from @p ptr to the current stream.
+		 * @param[in] count The number of bytes to be written to the current stream.
+		 * 
+		 * @return The total number of bytes written to the stream. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support writing for @ref write to work. 
+		 * @note Use @ref canWrite to determine if this stream supports writing.
+		 * 
+		 * @throw tc::AccessViolation @p ptr refers to inaccessible/protected memory.
+		 * @throw tc::ArgumentNullException @p ptr is @a nullptr.
+		 * @throw tc::ArgumentOutOfRangeException @p count is negative.
+		 * @throw tc::io::IOException An I/O error occurred.
+		 * @throw tc::NotSupportedException The stream does not support writing.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t write(const byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p offset or @p origin contains an invalid value.
+		 * @throw tc::io::IOException An I/O error occurs.
+		 * @throw tc::NotSupportedException The stream does not support seeking, such as if the stream is constructed from a pipe or console output.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 * @throw tc::OverflowException The new stream position could not be represented in int64_t without overflowing.
+		 **/
+	int64_t seek(int64_t offset, SeekOrigin origin);
+
+
+		/**
+		 * @brief Sets the length of the current stream. THIS IS NOT IMPLEMENTED FOR @ref FileStream.
+		 * 
+		 * @param[in] length The desired length of the current stream in bytes.
+		 * 
+		 * @pre A stream must support both writing and seeking for @ref setLength to work. 
+		 * @note Use @ref canWrite to determine if this stream supports writing.
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 * 
+		 * @throw tc::NotSupportedException The stream does not support both writing and seeking, such as if the stream is constructed from a pipe or console output.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Clears all buffers for this stream and causes any buffered data to be written to the underlying device.
+		 * 
+		 * @throw tc::io::IOException An I/O error occurs.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void flush();
+
+	void dispose();
+private:
+	static const std::string kClassName;
+
+	// delete copy constructor
+	FileStream(const FileStream&);
+
+	// delete copy assignment
+	FileStream& operator=(const FileStream&);
+
+	struct FileHandle
+	{
+#ifdef _WIN32
+		HANDLE handle;
+		FileHandle(HANDLE h) : handle(h) {}
+#else
+		int handle;
+		FileHandle(int h) : handle(h) {}
+#endif
+		FileHandle() : handle(0) {}
+		FileHandle(FileHandle&& other) {handle = other.handle; other.handle = 0;}
+		~FileHandle();
+	private:
+		FileHandle(const FileHandle& other);
+	};
+
+
+	bool mCanRead;
+	bool mCanWrite;
+	bool mCanSeek;
+	bool mIsAppendRestrictSeekCall;
+	std::unique_ptr<tc::io::FileStream::FileHandle> mFileHandle;
+
+#ifdef _WIN32
+	void open_impl(const tc::io::Path& path, FileMode mode, FileAccess access);
+	int64_t length_impl();
+	size_t read_impl(byte_t* ptr, size_t count);
+	size_t write_impl(const byte_t* ptr, size_t count);
+	int64_t seek_impl(int64_t offset, SeekOrigin origin);
+	void setLength_impl(int64_t length);
+	void flush_impl();
+#else
+	void open_impl(const tc::io::Path& path, FileMode mode, FileAccess access);
+	int64_t length_impl();
+	size_t read_impl(byte_t* ptr, size_t count);
+	size_t write_impl(const byte_t* ptr, size_t count);
+	int64_t seek_impl(int64_t offset, SeekOrigin origin);
+	void setLength_impl(int64_t length);
+	void flush_impl();
+#endif
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/IFileSystem.h b/ctrtool/deps/libtoolchain/include/tc/io/IFileSystem.h
new file mode 100644
index 00000000..257d575c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/IFileSystem.h
@@ -0,0 +1,124 @@
+	/**
+	 * @file IFileSystem.h
+	 * @brief Declaration of tc::io::IFileSystem
+	 * @author Jack (jakcron)
+	 * @version 0.6
+	 * @date 2019/06/18
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ResourceStatus.h>
+#include <tc/io/IStream.h>
+#include <tc/io/Path.h>
+#include <tc/io/FileMode.h>
+#include <tc/io/FileAccess.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @struct sDirectoryListing
+	 * @brief Contains basic info about a directory with-in a FileSystem
+	 * 
+	 * The includes the absolute path of the directory, and lists of child directory and file names.
+	 * 
+	 * @note All strings are UTF-8
+	 **/
+struct sDirectoryListing
+{
+		/// Absolute Path
+	tc::io::Path abs_path;
+		/// List of child directory names
+	std::vector<std::string> dir_list;
+		/// List of child file names
+	std::vector<std::string> file_list;
+};
+
+	/**
+	 * @class IFileSystem
+	 * 
+	 * @brief An interface for implementing a basic FileSystem handler.
+	 *
+	 * Defines expected functionality including:
+	 * - File access (open)
+	 * - File management (create, remove)
+	 * - Directory traversal (get current directory, change current directory)
+	 * - Directory management (create, remove)
+	 * - Directory listing
+	 * 
+	 * @note IFileSystem uses the tc::io::Path class to represent a path, not as a literal string.
+	 * @note It is up to the implementation of IFileSystem to validate and process tc::io::Path objects.
+	 * @note It is up to the implementation to enforce tc::io::FileMode & tc::io::FileAccess.
+	 **/
+class IFileSystem
+{
+public:
+		/**
+		 * @brief Destructor
+		 **/
+	virtual ~IFileSystem() = default;
+
+		/**
+		 * @brief Get state of IFileSystem
+		 * @return ResourceStatus
+		 **/
+	virtual tc::ResourceStatus state() = 0;
+
+		/**
+		 * @brief Close the filesystem
+		 **/
+	virtual void dispose() = 0;
+
+		/** 
+		 * @brief Create a new file
+		 * @param[in] path A relative or absolute path to file.
+		 **/
+	virtual void createFile(const tc::io::Path& path) = 0;
+
+		/** 
+		 * @brief Remove a file
+		 * @param[in] path A relative or absolute path to file.
+		 **/
+	virtual void removeFile(const tc::io::Path& path) = 0;
+
+		/** 
+		 * @brief Open a file
+		 * @param[in] path A relative or absolute path to file.
+		 * @param[in] mode One of the enumeration values that determines how to open or create the file.
+		 * @param[in] access One of the enumeration values that determines how the file can be accessed by the @ref IStream object. This also determines the values returned by the @ref IStream::canRead and @ref IStream::canWrite methods of the IStream object. @ref IStream::canSeek is true if path specifies a disk file.
+		 * @param[out] stream Pointer to IStream object to be instantiated
+		 **/
+	virtual void openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream) = 0;
+	
+		/** 
+		 * @brief Create a new directory
+		 * @param[in] path A relative or absolute path to directory.
+		 **/
+	virtual void createDirectory(const tc::io::Path& path) = 0;
+
+		/** 
+		 * @brief Remove a directory
+		 * @param[in] path A relative or absolute path to directory.
+		 **/
+	virtual void removeDirectory(const tc::io::Path& path) = 0;
+
+		/** 
+		 * @brief Get the full path of the working directory
+		 * @param[out] path Path object to populate
+		 **/
+	virtual void getWorkingDirectory(tc::io::Path& path) = 0;
+
+		/** 
+		 * @brief Change the working directory
+		 * @param[in] path A relative or absolute path to directory.
+		 **/
+	virtual void setWorkingDirectory(const tc::io::Path& path) = 0;
+
+		/** 
+		 * @brief Get directory listing a directory
+		 * @param[in] path A relative or absolute path to directory.
+		 * @param[out] info sDirectoryListing object to populate
+		 **/
+	virtual void getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& info) = 0;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/IOException.h b/ctrtool/deps/libtoolchain/include/tc/io/IOException.h
new file mode 100644
index 00000000..d36bab13
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/IOException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file IOException.h
+	 * @brief Declaration of tc::io::IOException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/Exception.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class IOException
+	 * @brief The exception that is thrown when an I/O error occurs.
+	 **/
+class IOException : public tc::Exception
+{
+public:
+		/// Default Constructor
+	IOException() noexcept :
+		tc::Exception()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	IOException(const std::string& what) noexcept :
+		tc::Exception(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	IOException(const std::string& module, const std::string& what) noexcept :
+		tc::Exception(module, what)
+	{
+	}
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/IOUtil.h b/ctrtool/deps/libtoolchain/include/tc/io/IOUtil.h
new file mode 100644
index 00000000..52e8d287
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/IOUtil.h
@@ -0,0 +1,63 @@
+	/**
+	 * @file IOUtil.h
+	 * @brief Declaration of tc::io::IOUtil
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/04/10
+	 **/
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class IOUtil
+	 * @brief Utility functions for IO based classes.
+	 **/
+class IOUtil
+{
+public:
+		/**
+		 * @brief Convert size_t to int64_t safely.
+		 **/
+	static int64_t castSizeToInt64(size_t size);
+
+		/**
+		 * @brief Convert int64_t to size_t safely.
+		 **/
+	static size_t castInt64ToSize(int64_t length);
+
+		/**
+		 * @brief Get size of available data for an IO class performing a read or write operation.
+		 * 
+		 * @param[in] data_length Total length of data.
+		 * @param[in] data_offset Byte offset in data to begin operation from.
+		 * 
+		 * @return Largest possible operable data size.
+		 **/
+	static size_t getAvailableSize(int64_t data_length, int64_t data_offset);
+
+		/**
+		 * @brief Get size of writeable data for an IO class, given the data length, desired read offset and count.
+		 * 
+		 * @param[in] data_length Total length of data.
+		 * @param[in] data_offset Byte offset in data to begin reading from.
+		 * @param[in] requested_read_count Number of bytes to read.
+		 * 
+		 * @return Largest possible readable count.
+		 **/
+	static size_t getReadableCount(int64_t data_length, int64_t data_offset, size_t requested_read_count);
+
+		/**
+		 * @brief Get size of writeable data for an IO class, given the data length, desired write offset and count.
+		 * 
+		 * @param[in] data_length Total length of data.
+		 * @param[in] data_offset Byte offset in data to begin writing from.
+		 * @param[in] requested_write_count Number of bytes to write.
+		 * 
+		 * @return Largest possible writeable count.
+		 **/
+	static size_t getWritableCount(int64_t data_length, int64_t data_offset, size_t requested_write_count);
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/IPathResolver.h b/ctrtool/deps/libtoolchain/include/tc/io/IPathResolver.h
new file mode 100644
index 00000000..7eb393a8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/IPathResolver.h
@@ -0,0 +1,40 @@
+	/**
+	 * @file IPathResolver.h
+	 * @brief Declaration of tc::io::IPathResolver
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2022/02/22
+	 **/
+#pragma once
+#include <tc/io/Path.h>
+
+namespace tc { namespace io {
+
+	    /**
+		 * @class IPathResolver
+		 * @brief This is an interface for a class that resolves relative paths to canonical paths.
+		 */
+	class IPathResolver
+	{
+	public:
+		virtual ~IPathResolver() = default;
+		
+			/**
+			 * @brief Resolve path to its canonical path
+			 * 
+			 * @param path Input path.
+			 * @param canonical_path Output path to write resolved canonical path.
+			 */
+		virtual void resolveCanonicalPath(const tc::io::Path& path, tc::io::Path& canonical_path) const = 0;
+
+			/**
+			 * @brief Resolve path to its canonical path
+			 * 
+			 * @param path Input path.
+			 * 
+			 * @return Resolved canonical path.
+			 */
+		virtual tc::io::Path resolveCanonicalPath(const tc::io::Path& path) const = 0;
+	};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/IPortablePathResolver.h b/ctrtool/deps/libtoolchain/include/tc/io/IPortablePathResolver.h
new file mode 100644
index 00000000..f4fec43b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/IPortablePathResolver.h
@@ -0,0 +1,37 @@
+	/**
+	 * @file IPortablePathResolver.h
+	 * @brief Declaration of tc::io::IPortablePathResolver
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2022/02/22
+	 **/
+#pragma once
+#include <tc/io/IPathResolver.h>
+
+namespace tc { namespace io {
+
+	    /**
+		 * @class IPortablePathResolver
+		 * @brief This is an extension for the IPathResolver interface that specifies additional methods for setting the current directory. For more information see @ref tc::io::IPathResolver.
+		 */
+	class IPortablePathResolver : public IPathResolver
+	{
+	public:
+		virtual ~IPortablePathResolver() = default;
+		
+			/**
+			 * @brief Set the current directory path
+			 * 
+			 * @param path Canonical current directory path.
+			 */
+		virtual void setCurrentDirectory(const tc::io::Path& path) = 0;
+
+			/**
+			 * @brief Get the current directory path
+			 * 
+			 * @return tc::io::Path Canonical current directory path.
+			 */
+		virtual const tc::io::Path& getCurrentDirectory() const = 0;
+	};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/IReadableSink.h b/ctrtool/deps/libtoolchain/include/tc/io/IReadableSink.h
new file mode 100644
index 00000000..bd18a84e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/IReadableSink.h
@@ -0,0 +1,28 @@
+	/**
+	 * @file IReadableSink.h
+	 * @brief Declaration of tc::io::IReadableSink
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/02/07
+	 **/
+#pragma once
+#include <tc/io/ISink.h>
+#include <tc/io/ISource.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class IReadableSink
+	 * @brief An interface defining a byte data sink that can be also provide an ISource.
+	 **/
+class IReadableSink : public tc::io::ISink
+{
+public:
+		/// Destructor
+	virtual ~IReadableSink() = default;
+
+		/// Convert to ISource
+	virtual std::shared_ptr<tc::io::ISource>& toSource() = 0;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/ISink.h b/ctrtool/deps/libtoolchain/include/tc/io/ISink.h
new file mode 100644
index 00000000..491d75c5
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/ISink.h
@@ -0,0 +1,46 @@
+	/**
+	 * @file ISink.h
+	 * @brief Declaration of tc::io::ISink
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/04/10
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ResourceStatus.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class ISink
+	 * @brief An interface defining a byte data sink.
+	 **/
+class ISink
+{
+public:
+		/// Destructor
+	virtual ~ISink() = default;
+
+		/// Gets the length of the sink.
+	virtual int64_t length() = 0;
+
+		/**
+		 * @brief Sets the length of the sink.
+		 * 
+		 * @param[in] length The desired length of the sink in bytes.
+		 **/
+	virtual void setLength(int64_t length) = 0;
+
+		/**
+		 * @brief Push data to the sink.
+		 * 
+		 * @param[in] data Data to be pushed to the sink.
+		 * @param[in] offset Zero-based offset in sink to push data.
+		 * 
+		 * @return Number of bytes pushed to sink.
+		 **/
+	virtual size_t pushData(const tc::ByteData& data, int64_t offset) = 0;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/ISource.h b/ctrtool/deps/libtoolchain/include/tc/io/ISource.h
new file mode 100644
index 00000000..488bc4b8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/ISource.h
@@ -0,0 +1,39 @@
+	/**
+	 * @file ISource.h
+	 * @brief Declaration of tc::io::ISource
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/27
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ResourceStatus.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class ISource
+	 * @brief An interface defining a byte data source.
+	 **/
+class ISource
+{
+public:
+		/// Destructor
+	virtual ~ISource() = default;
+
+		/// Gets the length of the source.
+	virtual int64_t length() = 0;
+
+		/**
+		 * @brief Pull data from the source.
+		 * 
+		 * @param[in] offset Zero-based offset in source to pull data.
+		 * @param[in] count The maximum number of bytes to be pull from the source.
+		 *
+		 * @return ByteData containing data pulled from source.
+		 **/
+	virtual tc::ByteData pullData(int64_t offset, size_t count) = 0;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/IStream.h b/ctrtool/deps/libtoolchain/include/tc/io/IStream.h
new file mode 100644
index 00000000..fb500cb1
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/IStream.h
@@ -0,0 +1,117 @@
+	/**
+	 * @file IStream.h
+	 * @brief Declaration of tc::io::IStream
+	 * @author Jack (jakcron)
+	 * @version	0.4
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/io/SeekOrigin.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class IStream
+	 * @brief An interface for implementing a basic data stream handler.
+	 *
+	 * Defines expcted functionality required to process/access a data stream.
+	 * 
+	 * Usage of size_t with offsets and lengths reflect run-time memory allocation limits
+	 * Usage of int64_t with offsets and lengths reflect more closely the natural size limits of a stream
+	 **/
+class IStream
+{
+public:
+		/**
+		 * @brief Destructor
+		 **/
+	virtual ~IStream() = default;
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	virtual bool canRead() const = 0;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	virtual bool canWrite() const = 0;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	virtual bool canSeek() const = 0;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	virtual int64_t length() = 0;
+
+		/** 
+		 * @brief Gets the position within the current stream.
+		 **/
+	virtual int64_t position() = 0;
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support reading for @ref read to work. 
+		 * @note Use @ref canRead to determine if this stream supports reading.
+		 **/
+	virtual size_t read(byte_t* ptr, size_t count) = 0;
+	
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written.
+		 * 
+		 * @param[in] ptr Pointer to an array of bytes. This method copies @p count bytes from @p ptr to the current stream.
+		 * @param[in] count The number of bytes to be written to the current stream.
+		 * 
+		 * @return The total number of bytes written to the stream. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support writing for @ref write to work. 
+		 * @note Use @ref canWrite to determine if this stream supports writing.
+		 **/
+	virtual size_t write(const byte_t* ptr, size_t count) = 0;
+	
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 **/
+	virtual int64_t seek(int64_t offset, SeekOrigin origin) = 0;
+
+		/**
+		 * @brief Sets the length of the current stream.
+		 * 
+		 * @param[in] length The desired length of the current stream in bytes.
+		 * 
+		 * @pre A stream must support both writing and seeking for @ref setLength to work. 
+		 * @note Use @ref canWrite to determine if this stream supports writing.
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 **/
+	virtual void setLength(int64_t length) = 0;
+	
+		/**
+		 * @brief Clears all buffers for this stream and causes any buffered data to be written to the underlying device.
+		 **/
+	virtual void flush() = 0;
+	
+		/**
+		 * @brief Releases all resources used by the Stream.
+		 **/
+	virtual void dispose() = 0;
+};
+
+}}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/LocalFileSystem.h b/ctrtool/deps/libtoolchain/include/tc/io/LocalFileSystem.h
new file mode 100644
index 00000000..af09ca31
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/LocalFileSystem.h
@@ -0,0 +1,143 @@
+	/**
+	 * @file LocalFileSystem.h
+	 * @brief Declaration of tc::io::LocalFileSystem
+	 * @author Jack (jakcron)
+	 * @version 0.6
+	 * @date 2022/01/23
+	 **/
+#pragma once
+#include <tc/io/IFileSystem.h>
+
+#include <tc/io/IOException.h>
+#include <tc/io/DirectoryNotEmptyException.h>
+#include <tc/io/DirectoryNotFoundException.h>
+#include <tc/io/FileNotFoundException.h>
+#include <tc/io/PathTooLongException.h>
+#include <tc/UnauthorisedAccessException.h>
+
+#ifdef _WIN32
+	#include <windows.h>
+#endif
+
+namespace tc { namespace io {
+
+	/**
+	 * @class LocalFileSystem
+	 * @brief An IFileSystem wrapper around the existing OS FileSystem API.
+	 **/
+class LocalFileSystem : public tc::io::IFileSystem
+{
+public:
+		/// Default Constructor
+	LocalFileSystem();
+
+	tc::ResourceStatus state();
+	void dispose();
+
+		/** 
+		 * @brief Create a new file
+		 * 
+		 * @param[in] path A relative or absolute path to file.
+		 * 
+		 * @throw tc::ArgumentException @p path contains invalid characters or is empty.
+		 * @throw tc::NotSupportedException @p path refers to an unsupported non-file device.
+		 * @throw tc::io::IOException An unspecfied I/O error occurred. Or the stream has been closed.
+		 * @throw tc::SecurityException The caller does not have the required permission.
+		 * @throw tc::io::DirectoryNotFoundException The specified path is invalid, such as being on an unmapped drive.
+		 * @throw tc::UnauthorisedAccessException The @p access requested is not permitted by the operating system for the specified @p path.
+		 * @throw tc::io::PathTooLongException The specified @p path, file name, or both exceed the system-defined maximum length.
+		 **/
+	void createFile(const tc::io::Path& path);
+
+		/** 
+		 * @brief Remove a file
+		 * @param[in] path A relative or absolute path for the file that the current @ref IFileSystem object will remove.
+		 * 
+		 * @throw tc::UnauthorisedAccessException @p path specified a read-only file.
+		 * @throw tc::UnauthorisedAccessException @p path is a directory.
+		 * @throw tc::UnauthorisedAccessException The caller does not have the required permission.
+		 * @throw tc::UnauthorisedAccessException The file is currently in use.
+		 * @throw tc::io::IOException File An I/O error has occured.
+		 * @throw tc::io::PathTooLongException The specified path, file name, or both exceed the system-defined maximum length.
+		 * @throw tc::io::DirectoryNotFoundException A component of the path prefix is not a directory.
+		 * @throw tc::io::FileNotFoundException The specifed file does not exist.
+		 **/
+	void removeFile(const tc::io::Path& path);
+
+		/** 
+		 * @brief Open a file
+		 * @param[in] path A relative or absolute path for the file that the current @ref IFileSystem object will open an @ref IStream for.
+		 * @param[in] mode One of the enumeration values that determines how to open or create the file.
+		 * @param[in] access One of the enumeration values that determines how the file can be accessed by the @ref IStream object. This also determines the values returned by the @ref IStream::canRead and @ref IStream::canWrite methods of the IStream object. @ref IStream::canSeek is true if path specifies a disk file.
+		 * @param[out] stream Pointer to IStream object to be instantiated
+		 **/
+	void openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream);
+	
+		/** 
+		 * @brief Create a new directory
+		 * @param[in] path Path to directory
+		 * 
+		 * @throw tc::UnauthorisedAccessException Write permission is denied for a parent direcory.
+		 * @throw tc::UnauthorisedAccessException Parent directory resides in a read-only file system.
+		 * @throw tc::UnauthorisedAccessException The caller does not have the required permission.
+
+		 * @throw tc::io::IOException An I/O error has occured.
+		 * @throw tc::io::PathTooLongException The specified path, directory name, or both exceed the system-defined maximum length.
+		 * @throw tc::io::DirectoryNotFoundException A component of the path prefix is not a directory or does not exist.
+		 **/
+	void createDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Remove a directory
+		 * @param[in] path Path to directory
+		 * 
+		 * @throw tc::UnauthorisedAccessException Directory resides in a read-only file system.
+		 * @throw tc::UnauthorisedAccessException The caller does not have the required permission.
+		 * @throw tc::UnauthorisedAccessException The directory is a mount point.
+		 * @throw tc::io::IOException An I/O error has occured.
+		 * @throw tc::io::PathTooLongException The specified path, directory name, or both exceed the system-defined maximum length.
+		 * @throw tc::io::DirectoryNotEmptyException The named directory is not empty.
+		 * @throw tc::io::DirectoryNotFoundException A component of the path prefix is not a directory.
+		 * @throw tc::io::DirectoryNotFoundException The named directory does not exist.
+		 **/
+	void removeDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Get the full path of the working directory
+		 * @param[out] path Path object to populate
+		 * 
+		 * @throw tc::UnauthorisedAccessException Read or search permission was denied for a component of the pathname.
+		 * @throw tc::io::IOException An I/O error has occured.
+		 **/
+	void getWorkingDirectory(tc::io::Path& path);
+
+		/** 
+		 * @brief Change the working directory
+		 * @param[in] path Path to directory
+		 * 
+		 * @throw tc::UnauthorisedAccessException Search permission was denied for a component of the pathname.
+		 * @throw tc::io::IOException An I/O error has occured.
+		 * @throw tc::io::PathTooLongException The specified path, directory name, or both exceed the system-defined maximum length.
+		 * @throw tc::io::DirectoryNotFoundException A component of the path prefix is not a directory.
+		 * @throw tc::io::DirectoryNotFoundException The named directory does not exist.
+		 **/
+	void setWorkingDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Get directory listing a directory
+		 * @param[in] path Path to directory
+		 * @param[out] info sDirectoryListing object to populate
+		 * 
+		 * @throw tc::UnauthorisedAccessException Permission denied.
+		 * @throw tc::io::IOException An I/O error has occured.
+		 * @throw tc::io::DirectoryNotFoundException A component of the path prefix is not a directory.
+		 * @throw tc::io::DirectoryNotFoundException The named directory does not exist.
+		 **/
+	void getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& info);
+private:
+	static const std::string kClassName;
+
+	tc::ResourceStatus mState;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/MemorySource.h b/ctrtool/deps/libtoolchain/include/tc/io/MemorySource.h
new file mode 100644
index 00000000..e5ba3ec2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/MemorySource.h
@@ -0,0 +1,68 @@
+	/**
+	 * @file MemorySource.h
+	 * @brief Declaration of tc::io::MemorySource
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/03/20
+	 **/
+#pragma once
+#include <tc/io/ISource.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class MemorySource
+	 * @brief A block of run-time memory wrapped as an ISource object.
+	 **/
+class MemorySource : public tc::io::ISource
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @post This will create a MemorySource with length() == 0.
+		 **/ 
+	MemorySource();
+
+		/** 
+		 * @brief Initialize MemorySource (by copy) with a tc::ByteData object.
+		 * 
+		 * @param[in] byte_data The base data to create the MemorySource from.
+		 **/
+	MemorySource(const tc::ByteData& byte_data);
+
+		/** 
+		 * @brief Initialize MemorySource (by move) with a tc::ByteData object.
+		 * 
+		 * @param[in] byte_data The base data to create the MemorySource from.
+		 **/
+	MemorySource(tc::ByteData&& byte_data);
+
+		/** 
+		 * @brief Initialize MemorySource (by copy) with a block of memory.
+		 * 
+		 * @param[in] data Pointer to block of memory which will populate this MemorySource.
+		 * @param[in] len Length of data to copy into this MemorySource.
+		 **/
+	MemorySource(const byte_t* data, size_t len);
+
+		/**
+		 * @brief Gets the length of the source.
+		 **/
+	int64_t length();
+
+		/**
+		 * @brief Pull data from source
+		 * 
+		 * @param[in] offset Zero-based offset in source to pull data.
+		 * @param[in] count The maximum number of bytes to be pull from the source.
+		 *
+		 * @return ByteData containing data pulled from source
+		 **/
+	tc::ByteData pullData(int64_t offset, size_t count);
+private:
+	static const std::string kClassName;
+
+	tc::ByteData mData;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/MemoryStream.h b/ctrtool/deps/libtoolchain/include/tc/io/MemoryStream.h
new file mode 100644
index 00000000..415f0f31
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/MemoryStream.h
@@ -0,0 +1,155 @@
+	/**
+	 * @file MemoryStream.h
+	 * @brief Declaration of tc::io::MemoryStream
+	 * @author Jack (jakcron)
+	 * @version	0.1
+	 * @date 2020/02/16
+	 **/
+#pragma once
+#include <tc/io/IStream.h>
+#include <tc/ByteData.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+#ifdef _WIN32
+#include <Windows.h>
+#else
+#include <cstdio>
+#endif
+
+namespace tc { namespace io {
+
+	/**
+	 * @class MemoryStream
+	 * @brief A block of run-time memory wrapped as an IStream object. 
+	 **/
+class MemoryStream : public tc::io::IStream
+{
+public:
+		/** 
+		 * @brief Default constuctor
+		 **/
+	MemoryStream();
+
+		/**
+		 * @brief Create MemoryStream
+		 * 
+		 * @param[in] length Length of the stream in bytes.
+		 **/
+	MemoryStream(size_t length);
+
+		/** 
+		 * @brief Initialize MemoryStream (by copy) with a tc::ByteData object.
+		 * 
+		 * @param[in] byte_data The base data to create the MemoryStream from.
+		 **/
+	MemoryStream(const tc::ByteData& byte_data);
+
+		/** 
+		 * @brief Initialize MemoryStream (by move) with a tc::ByteData object.
+		 * 
+		 * @param[in] byte_data The base data to create the MemoryStream from.
+		 **/
+	MemoryStream(tc::ByteData&& byte_data);
+
+		/** 
+		 * @brief Initialize MemoryStream (by copy) with a block of memory.
+		 * 
+		 * @param[in] data Pointer to memory block which will populate this MemoryStream.
+		 * @param[in] len Length of data to copy int this MemoryStream.
+		 **/
+	MemoryStream(const byte_t* data, size_t len);
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	bool canRead() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	bool canWrite() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	bool canSeek() const;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	int64_t length();
+
+		/** 
+		 * @brief Gets the position within the current stream.
+		 **/
+	int64_t position();
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @throw tc::ArgumentNullException @p ptr is @a nullptr.
+		 **/
+	size_t read(byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written.
+		 * 
+		 * @param[in] ptr Pointer to an array of bytes. This method copies @p count bytes from @p ptr to the current stream.
+		 * @param[in] count The number of bytes to be written to the current stream.
+		 * 
+		 * @return The total number of bytes written to the stream. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @throw tc::ArgumentNullException @p ptr is @a nullptr.
+		 **/
+	size_t write(const byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p offset and @p origin indicate an invalid stream position.
+		 * @throw tc::ArgumentOutOfRangeException @p origin contains an invalid value.
+		 **/
+	int64_t seek(int64_t offset, SeekOrigin origin);
+
+
+		/**
+		 * @brief Sets the length of the current stream.
+		 * 
+		 * @param[in] length The desired length of the current stream in bytes.
+		 * 
+		 * @post If the new length is smaller than the current length, the data will be truncated.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p length exceeds the maximum possible value for a MemoryStream.
+		 * @throw tc::ArgumentOutOfRangeException @p length is negative.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief This does nothing for tc::io::MemoryStream
+		 **/
+	void flush();
+
+		/**
+		 * @brief Release internal memory. This will make this stream length 0.
+		 **/
+	void dispose();
+private:
+	static const std::string kClassName;
+
+	tc::ByteData mData;
+	int64_t mPosition;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/OverlayedSource.h b/ctrtool/deps/libtoolchain/include/tc/io/OverlayedSource.h
new file mode 100644
index 00000000..bc622964
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/OverlayedSource.h
@@ -0,0 +1,96 @@
+	/**
+	 * @file OverlayedSource.h
+	 * @brief Declaration of tc::io::OverlayedSource
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/03/21
+	 **/
+#pragma once
+#include <tc/io/ISource.h>
+#include <vector>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class OverlayedSource
+	 * @brief This will replaces regions within a base source with one or more other sources, so as to override those regions in the base source when pullData() is called. 
+	 **/
+class OverlayedSource : public tc::io::ISource
+{
+public:
+
+		/**
+		 * @struct OverlaySourceInfo
+		 * @brief This contains information about an overlay region. Used with @ref OverlayedSource::OverlayedSource()
+		 **/
+	struct OverlaySourceInfo
+	{
+			/// ISource to overlay with
+		std::shared_ptr<tc::io::ISource> overlay_source;
+			/// Offset in base source to overlay
+		int64_t offset;
+			/// Length of region in base source to overlay
+		int64_t length;
+	};
+
+		/**
+		 * @brief Default constructor
+		 * @post This will create a OverlayedSource with length() == 0.
+		 **/ 
+	OverlayedSource();
+
+
+		/**
+		 * @brief Overlay base source with one source
+		 * 
+		 * @param[in] base_source Base source to be overlayed.
+		 * @param[in] overlay_source Source to overlay onto the base source.
+		 * @param[in] offset Offset in base source to overlay
+		 * @param[in] length Length in base source to overlay
+		 * 
+		 * @throw tc::ArgumentNullException @p base_source or @p overlay_source was null.
+		 * @throw tc::ArgumentOutOfRangeException @p length was greater than the length of @p overlay_source .
+		 * @throw tc::ArgumentOutOfRangeException The overlay region offset is negative or the total size exceeded the length of @p base_source .
+		 **/
+	OverlayedSource(const std::shared_ptr<tc::io::ISource>& base_source, const std::shared_ptr<tc::io::ISource>& overlay_source, int64_t offset, int64_t length);
+
+
+		/**
+		 * @brief Overlay base source with multiple sources
+		 * 
+		 * @param[in] base_source Base source to be overlayed.
+		 * @param[in] overlay_source_infos Vector of sources to overlay onto the base source. @ref OverlaySourceInfo
+		 * 
+		 * @throw tc::ArgumentNullException @p base_source or one of the overlay sources was null.
+		 * @throw tc::ArgumentOutOfRangeException An overlay source was smaller than the region in the base source it was supposed to overlay.
+		 * @throw tc::ArgumentOutOfRangeException A region to overlay in the base source either partly or entirely does not exist.
+		 **/
+	OverlayedSource(const std::shared_ptr<tc::io::ISource>& base_source, const std::vector<OverlaySourceInfo>& overlay_source_infos);
+
+		/**
+		 * @brief Gets the length of the source.
+		 **/
+	int64_t length();
+
+		/**
+		 * @brief Pull data from source
+		 * 
+		 * @param[in] offset Zero-based offset in source to pull data.
+		 * @param[in] count The maximum number of bytes to be pull from the source.
+		 *
+		 * @return ByteData containing data pulled from source.
+		 **/
+	tc::ByteData pullData(int64_t offset, size_t count);
+private:
+	static const std::string kClassName;
+
+	std::shared_ptr<tc::io::ISource> mBaseSource;
+	std::vector<OverlaySourceInfo> mOverlaySourceInfos;
+
+	void getOverlaySourcePullableRegion(int64_t base_pull_offset, size_t base_pull_count, const OverlaySourceInfo& overlay_info, int64_t& overlay_pull_offset, size_t& overlay_pull_count);
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/PaddingSource.h b/ctrtool/deps/libtoolchain/include/tc/io/PaddingSource.h
new file mode 100644
index 00000000..522c81c6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/PaddingSource.h
@@ -0,0 +1,59 @@
+	/**
+	 * @file PaddingSource.h
+	 * @brief Declaration of tc::io::PaddingSource
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/02/07
+	 **/
+#pragma once
+#include <tc/io/ISource.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class PaddingSource
+	 * @brief A source that provides dummy/filler data.
+	 **/
+class PaddingSource : public tc::io::ISource
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @post This will create a PaddingSource with length() == 0.
+		 **/ 
+	PaddingSource();
+
+		/**
+		 * @brief Create PaddingSource
+		 * 
+		 * @param[in] padding_byte Byte to fill data pulled using @ref pullData.
+		 * @param[in] length Length of source.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p length is negative.
+		 **/ 
+	PaddingSource(byte_t padding_byte, int64_t length);
+
+		/// Get length of source
+	int64_t length();
+
+		/**
+		 * @brief Pull data from source
+		 * 
+		 * @param[in] offset Zero-based offset in source to pull data.
+		 * @param[in] count The maximum number of bytes to be pull from the source.
+		 *
+		 * @return ByteData containing data pulled from source
+		 * 
+		 * @throw tc::OutOfMemoryException The @ref tc::ByteData object could not be created due to insuffient memory.
+		 **/
+	tc::ByteData pullData(int64_t offset, size_t count);
+private:
+	static const std::string kClassName;
+
+	int64_t mSourceLength;
+	byte_t mPaddingByte;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/Path.h b/ctrtool/deps/libtoolchain/include/tc/io/Path.h
new file mode 100644
index 00000000..46a87b3f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/Path.h
@@ -0,0 +1,253 @@
+/**
+ * @file Path.h
+ * @brief Declaration of tc::io::Path
+ * @author Jack (jakcron)
+ * @version 0.5
+ * @date 2022/02/27
+ */
+#pragma once
+#include <list>
+#include <tc/types.h>
+
+#include <tc/ArgumentException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class Path
+	 * @brief Represents a unicode path for a filesystem
+	 *
+	 * This stores a path as a list of path elements.
+	 **/
+class Path
+{
+public:
+
+		/**
+		 * @brief This enum defines the Path format type, used for encoding to string.
+		 * @details 
+		 * This defines the encoding type used when encoding Path as a string. 
+		 * See @ref to_string(), @ref to_u16string() and @ref to_u32string() for more info.
+		 */
+	enum class Format
+	{
+		Native = 0, /**< Path format for the native environment */
+		POSIX = 1, /**< Path format for POSIX based environments (Unix, Linux, macOS, WSL, etc) */
+		Win32 = 2, /**< Path format for Microsoft Windows based environments */
+	};
+
+		/// Type of const_iterator for Path
+	using const_iterator = typename std::list<std::string>::const_iterator;
+
+		/// Type of iterator for Path
+	using iterator = typename std::list<std::string>::iterator;
+
+		/// Maximum value for size_t, used to indicated unbounded length for @ref subpath()
+	static const size_t npos = -1;
+
+		/// Default Constructor
+	Path();
+
+		/// Initalizer List Constructor
+	Path(std::initializer_list<std::string> list);
+
+		/**
+		 * @brief Create Path from a literal UTF-8 encoded string
+		 * 
+		 * @param[in] path UTF-8 encoded path
+		 * 
+		 * @pre
+		 * - @p path can have either forward or backward slash path separators ('/' or '\') but not both
+		 * 
+		 * @throws tc::ArgumentException Path literal has both forward ('/') and backward ('\') path separators.
+		 * 
+		 * @note No filtering or processing of special characters is done (e.g. '.', '~')
+		 **/
+	Path(const std::string& path);
+
+		/**
+		 * @brief Create Path from a literal UTF-16 encoded string
+		 *
+		 * @param[in] path UTF-16 encoded path
+		 * 
+		 * @pre
+		 * - @p path can have either forward or backward slash path separators ('/' or '\') but not both
+		 * 
+		 * @throws tc::ArgumentException Path literal has both forward ('/') and backward ('\') path separators.
+		 * 
+		 * @note 
+		 * No filtering or processing of special characters is done (e.g. '.', '~')
+		 **/
+	Path(const std::u16string& path);
+
+		/**
+		 * @brief Create Path from a literal UTF-32 encoded string
+		 *
+		 * @param[in] path UTF-32 encoded path
+		 * 
+		 * @pre
+		 * - @p path can have either forward or backward slash path separators ('/' or '\') but not both
+		 * 
+		 * @throws tc::ArgumentException Path literal has both forward ('/') and backward ('\') path separators.
+		 * 
+		 * @note 
+		 * No filtering or processing of special characters is done (e.g. '.', '~')
+		 **/
+	Path(const std::u32string& path);
+
+		/// Addition operator
+	Path operator+(const Path& other) const;
+
+		/// Append operator
+	void operator+=(const Path& other);
+
+		/// Equality operator
+	bool operator==(const Path& other) const;
+
+		/// Inequality operator
+	bool operator!=(const Path& other) const;
+
+		/// Comparison operator
+	bool operator<(const Path& other) const;
+
+		/**
+		 * @brief Returns a reference to the first element in the container.
+		 * 
+		 * @return reference to the first element 
+		 * 
+		 * @note Calling front on an empty container is undefined.
+		 * @note For a Path p, the expression p.front() is equivalent to *p.begin(). 
+		 **/
+	std::string& front();
+
+		/**
+		 * @brief Returns a const reference to the first element in the container.
+		 * 
+		 * @return const reference to the first element 
+		 * 
+		 * @note Calling front on an empty container is undefined.
+		 * @note For a Path p, the expression p.front() is equivalent to *p.begin(). 
+		 **/
+	const std::string& front() const;
+
+		/**
+		 * @brief Returns a reference to the last element in the container.
+		 * 
+		 * @return reference to the last element 
+		 * 
+		 * @note Calling back on an empty container is undefined.
+		 * @note For a Path p, the expression p.back() is equivalent to *(--p.end()). 
+		 **/
+	std::string& back();
+
+		/**
+		 * @brief Returns a const reference to the last element in the container.
+		 * 
+		 * @return const reference to the last element 
+		 * 
+		 * @note Calling back on an empty container is undefined.
+		 * @note For a Path p, the expression p.back() is equivalent to *(--p.end()). 
+		 **/
+	const std::string& back() const;
+
+		/// Begin Iterator, points to front element
+	iterator begin();
+
+		/// Const Begin Iterator, points to front element
+	const_iterator begin() const;
+
+		/// End Iterator, points to after the last element
+	iterator end();
+
+		/// Const End Iterator, points to after the last element
+	const_iterator end() const;
+
+		/**
+		 * @brief Remove element at the front of the path
+		 * 
+		 * @note Calling pop_front on an empty container is undefined.
+		 **/
+	void pop_front();
+
+		/**
+		 * @brief Remove element at the back of the path
+		 * 
+		 * @note Calling pop_back on an empty container is undefined.
+		 **/
+	void pop_back();
+
+		/// Insert path element at the front of the path
+	void push_front(const std::string& str);
+
+		/// Insert path element at the back of the path
+	void push_back(const std::string& str);
+
+		/// Clear all elements from the path
+	void clear();
+
+		/// Get number of path elements
+	size_t size() const;
+
+		/// Checks whether the path is empty 
+	bool empty() const;	
+
+		/**
+		 * @brief Create a path from a subset of this path
+		 * 
+		 * @param[in] pos Position of first path element
+		 * @param[in] len Number of path elements. Default value is @ref npos, indicating include all path elements after @p pos.
+		 * @return tc::io::Path Sub-path created from this path.
+		 */ 
+	tc::io::Path subpath(size_t pos, size_t len = npos) const;
+
+		/**
+		 * @brief Create a path from a subset of this path
+		 * 
+		 * @param[in] begin Iterator pointing to the first element
+		 * @param[in] end Iterator 
+		 * @return tc::io::Path Sub-path created from this path.
+		 */ 
+	tc::io::Path subpath(const_iterator begin, const_iterator end) const;
+
+		/**
+		 * @brief Convert path to std::string
+		 * 
+		 * @param[in] format @ref tc::io::Path::Format format to encode path as string. Default is @ref tc::io::Path::Format::Native.
+		 * @return std::string UTF-8 encoded path string
+		 */
+	std::string to_string(Format format = Format::Native) const;
+
+		/**
+		 * @brief Convert path to std::u16string
+		 * 
+		 * @param[in] format @ref tc::io::Path::Format format to encode path as string. Default is @ref tc::io::Path::Format::Native.
+		 * @return std::u16string UTF-16 encoded path string
+		 */
+	std::u16string to_u16string(Format format = Format::Native) const;
+
+			/**
+		 * @brief Convert path to std::u32string
+		 * 
+		 * @param[in] format @ref tc::io::Path::Format format to encode path as string. Default is @ref tc::io::Path::Format::Native.
+		 * @return std::u32string UTF-32 encoded path string
+		 */
+	std::u32string to_u32string(Format format = Format::Native) const;
+
+		/// Implicit conversion to a natively formatted std::string
+	operator std::string() const;
+
+		/// Implicit conversion to a natively formatted std::u16string
+	operator std::u16string() const;
+
+		/// Implicit conversion to a natively formatted std::u32string
+	operator std::u32string() const;
+private:
+	static const std::string kClassName;
+
+	std::list<std::string> mUnicodePath;
+
+	void initializePath(const std::string& src);
+	void appendPath(const std::list<std::string>& other);
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/PathTooLongException.h b/ctrtool/deps/libtoolchain/include/tc/io/PathTooLongException.h
new file mode 100644
index 00000000..3c1b4cf7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/PathTooLongException.h
@@ -0,0 +1,57 @@
+	/**
+	 * @file PathTooLongException.h
+	 * @brief Declaration of tc::io::PathTooLongException
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+#include <tc/io/IOException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class PathTooLongException
+	 * @brief The exception that is thrown when a path or fully qualified file name is longer than the system-defined maximum length.
+	 **/
+class PathTooLongException : public tc::io::IOException
+{
+public:
+		/// Default Constructor
+	PathTooLongException() noexcept :
+		tc::io::IOException()
+	{
+	}
+
+		/**
+		 * @brief Basic Parameterized Constructor
+		 * 
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == what
+		 * - module() == ""
+		 * - error() == what
+		 **/
+	PathTooLongException(const std::string& what) noexcept :
+		tc::io::IOException(what)
+	{}
+
+		/**
+		 * @brief Parameterized Constructor
+		 * 
+		 * @param[in] module Name of module that threw the exception
+		 * @param[in] what Explanation for exception
+		 * 
+		 * @post
+		 * - what() == "[" + module + " ERROR] " + what
+		 * - module() == module
+		 * - error() == what
+		 **/
+	PathTooLongException(const std::string& module, const std::string& what) noexcept :
+		tc::io::IOException(module, what)
+	{
+	}
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/PathUtil.h b/ctrtool/deps/libtoolchain/include/tc/io/PathUtil.h
new file mode 100644
index 00000000..9f2bb729
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/PathUtil.h
@@ -0,0 +1,39 @@
+/**
+ * @file PathUtil.h
+ * @brief Declaration of tc::io::PathUtil
+ * @author Jack (jakcron)
+ * @version 0.2
+ * @date 2020/03/22
+ */
+#pragma once
+#include <list>
+#include <tc/types.h>
+#include <tc/io/Path.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class PathUtil
+	 * @brief Collection of utilities related to tc::io::Path
+	 **/
+class PathUtil
+{
+public:
+		/**
+		 * @brief Format a Path as a Windows style UTF-16 string
+		 * @param[in] path Source Path
+		 * @param[out] out Destination UTF-16 string
+		 * @note See @ref tc::io::Path
+		 **/
+	static void pathToWindowsUTF16(const tc::io::Path& path, std::u16string& out);
+
+		/**
+		 * @brief Format a Path as a Unix/Linux style UTF-8 string
+		 * @param[in] path Source Path
+		 * @param[out] out Destination UTF-8 string
+		 * @note See @ref tc::io::Path
+		 **/
+	static void pathToUnixUTF8(const tc::io::Path& path, std::string& out);
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/SeekOrigin.h b/ctrtool/deps/libtoolchain/include/tc/io/SeekOrigin.h
new file mode 100644
index 00000000..fd233c23
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/SeekOrigin.h
@@ -0,0 +1,23 @@
+	/**
+	 * @file SeekOrigin.h
+	 * @brief Declaration of tc::io::SeekOrigin
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/01/22
+	 **/
+#pragma once
+
+namespace tc { namespace io {
+
+	/**
+	 * @enum SeekOrigin
+	 * @brief Specifies the position in a stream to use for seeking.
+	 **/
+enum class SeekOrigin
+{
+	Begin = 0, /**< Specifies the beginning of a stream. */
+	Current = 1, /**< Specifies the current position within a stream. */
+	End = 2 /**< Specifies the end of a stream. */
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/StreamSink.h b/ctrtool/deps/libtoolchain/include/tc/io/StreamSink.h
new file mode 100644
index 00000000..8be87581
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/StreamSink.h
@@ -0,0 +1,76 @@
+	/**
+	 * @file StreamSink.h
+	 * @brief Declaration of tc::io::StreamSink
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/04/10
+	 **/
+#pragma once
+#include <tc/io/ISink.h>
+#include <tc/io/IStream.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/io/IOException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class StreamSink
+	 * @brief An IStream wrapped in an ISink.
+	 **/
+class StreamSink : public tc::io::ISink
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @post This will create an unusable StreamSink, it will have to be assigned from a valid StreamSink object to be usable.
+		 **/ 
+	StreamSink();
+
+		/** 
+		 * @brief Create StreamSink
+		 * 
+		 * @param[in] stream The base IStream object which this sink will derive from.
+		 * 
+		 * @pre The base stream must support writing.
+		 * 
+		 * @throw tc::ArgumentNullException @p stream is a @p nullptr.
+		 * @throw tc::NotSupportedException @p stream does not support writing.
+		 **/
+	StreamSink(const std::shared_ptr<tc::io::IStream>& stream);
+
+		/**
+		 * @brief Gets the length of the sink.
+		 **/
+	int64_t length();
+
+		/**
+		 * @brief Sets the length of the sink.
+		 * 
+		 * @param[in] length The desired length of the sink in bytes.
+		 * 
+		 * @throw tc::ObjectDisposedException The base stream was not initialized.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Push data to the sink.
+		 * 
+		 * @param[in] data Data to be pushed to the sink.
+		 * @param[in] offset Zero-based offset in sink to push data.
+		 * 
+		 * @return Number of bytes pushed to sink.
+		 * 
+		 * @throw tc::ObjectDisposedException The base stream was not initialized.
+		 * @throw tc::io::IOException Data was not written to base stream successfully.
+		 **/
+	size_t pushData(const tc::ByteData& data, int64_t offset);
+private:
+	static const std::string kClassName;
+
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/StreamSource.h b/ctrtool/deps/libtoolchain/include/tc/io/StreamSource.h
new file mode 100644
index 00000000..fb666a52
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/StreamSource.h
@@ -0,0 +1,66 @@
+	/**
+	 * @file StreamSource.h
+	 * @brief Declaration of tc::io::StreamSource
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/03/29
+	 **/
+#pragma once
+#include <tc/io/ISource.h>
+#include <tc/io/IStream.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/NotSupportedException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class StreamSource
+	 * @brief An IStream wrapped in an ISource.
+	 **/
+class StreamSource : public tc::io::ISource
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @post This will create an unusable StreamSource, it will have to be assigned from a valid StreamSource object to be usable.
+		 **/ 
+	StreamSource();
+
+		/** 
+		 * @brief Create StreamSource
+		 * 
+		 * @param[in] stream The base IStream object which this sub source will derive from.
+		 * 
+		 * @pre The base stream must support reading.
+		 * 
+		 * @throw tc::ArgumentNullException @p stream is a @p nullptr.
+		 * @throw tc::NotSupportedException @p stream does not support reading.
+		 * @throw tc::NotSupportedException @p stream does not support seeking.
+		 **/
+	StreamSource(const std::shared_ptr<tc::io::IStream>& stream);
+
+		/**
+		 * @brief Gets the length of the source.
+		 **/
+	int64_t length();
+
+		/**
+		 * @brief Pull data from source
+		 * 
+		 * @param[in] offset Zero-based offset in source to pull data.
+		 * @param[in] count The maximum number of bytes to be pull from the source.
+		 *
+		 * @return ByteData containing data pulled from source
+		 **/
+	tc::ByteData pullData(int64_t offset, size_t count);
+private:
+	static const std::string kClassName;
+
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+	int64_t mBaseSourceOffset;
+
+	int64_t mStreamSourceLength;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/StreamUtil.h b/ctrtool/deps/libtoolchain/include/tc/io/StreamUtil.h
new file mode 100644
index 00000000..3526f4f8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/StreamUtil.h
@@ -0,0 +1,37 @@
+	/**
+	 * @file StreamUtil.h
+	 * @brief Declaration of tc::io::StreamUtil
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/04/06
+	 **/
+#pragma once
+#include <tc/io/IStream.h>
+
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class StreamUtil
+	 * @brief Utility class for IStream objects.
+	 **/
+class StreamUtil
+{
+public:
+		/**
+		 * @brief Get the logical result for seek(), given the current position and stream length.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * @param[in] current_position The current byte offset relative to the beginning of the stream.
+		 * @param[in] stream_length The length of the stream.
+		 * 
+		 * @return The new position within the stream.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p origin has an illegal value.
+		 **/
+	static int64_t getSeekResult(int64_t offset, tc::io::SeekOrigin origin, int64_t current_position, int64_t stream_length);
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/SubFileSystem.h b/ctrtool/deps/libtoolchain/include/tc/io/SubFileSystem.h
new file mode 100644
index 00000000..3a2d17bb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/SubFileSystem.h
@@ -0,0 +1,136 @@
+	/**
+	 * @file SubFileSystem.h
+	 * @brief Declaration of tc::io::SubFileSystem
+	 * @author Jack (jakcron)
+	 * @version 0.5
+	 * @date 2022/01/23
+	 **/
+#pragma once
+#include <tc/io/IFileSystem.h>
+#include <tc/io/BasicPathResolver.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/InvalidOperationException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/UnauthorisedAccessException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class SubFileSystem
+	 * @brief A wrapper around an existing IFileSystem object that exposes a subset of the base IFileSystem directory tree.
+	 **/
+class SubFileSystem : public tc::io::IFileSystem
+{
+public:
+
+		/**
+		 * @brief Default constructor
+		 * @post This will create an unusable SubFileSystem, it will have to be assigned from a valid SubFileSystem object to be usable.
+		 **/
+	SubFileSystem();
+
+		/** 
+		 * @brief Create SubFileSystem
+		 * 
+		 * @param[in] file_system The base IFileSystem object which this sub file-system will derive from.
+		 * @param[in] base_path The path to the subdirectory used as the substream root directory.
+		 * 
+		 * @throw tc::ArgumentNullException @p file_system is @a nullptr.
+		 * @throw tc::InvalidOperationException @p file_system was not in a ready state.
+		 *
+		 * @note This will temporarily change and then restore the base file-system current working directory.
+		 **/
+	SubFileSystem(const std::shared_ptr<tc::io::IFileSystem>& file_system, const tc::io::Path& base_path);
+
+	tc::ResourceStatus state();
+	void dispose();
+
+		/** 
+		 * @brief Create a new file
+		 * 
+		 * @param[in] path A relative or absolute path to file.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void createFile(const tc::io::Path& path);
+
+		/** 
+		 * @brief Remove a file
+		 * 
+		 * @param[in] path A relative or absolute path to file.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void removeFile(const tc::io::Path& path);
+
+		/** 
+		 * @brief Open a file
+		 * 
+		 * @param[in] path A relative or absolute path to file.
+		 * @param[in] mode One of the enumeration values that determines how to open or create the file.
+		 * @param[in] access One of the enumeration values that determines how the file can be accessed by the @ref IStream object. This also determines the values returned by the @ref IStream::canRead and @ref IStream::canWrite methods of the IStream object. @ref IStream::canSeek is true if path specifies a disk file.
+		 * @param[out] stream Pointer to IStream object to be instantiated
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream);
+	
+		/** 
+		 * @brief Create a new directory
+		 * 
+		 * @param[in] path A relative or absolute path to directory.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void createDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Remove a directory
+		 * @param[in] path A relative or absolute path to directory.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void removeDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Get the full path of the working directory
+		 * @param[out] path Path object to populate
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 *
+		 * @note This will temporarily change and then restore the base file-system current working directory.
+		 **/
+	void getWorkingDirectory(tc::io::Path& path);
+
+		/** 
+		 * @brief Change the working directory
+		 * @param[in] path A relative or absolute path to directory.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 * @throw tc::UnauthorisedAccessException Sub file-system escape detected.
+		 **/
+	void setWorkingDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Get directory listing a directory
+		 * @param[in] path A relative or absolute path to directory.
+		 * @param[out] info The sDirectoryListing object to populate
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 * @throw tc::UnauthorisedAccessException Sub file-system escape detected.
+		 **/
+	void getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& info);
+private:
+	static const std::string kClassName;
+	
+	std::shared_ptr<tc::io::IFileSystem> mBaseFileSystem;
+
+	tc::io::BasicPathResolver mBasePathResolver;
+	tc::io::BasicPathResolver mSubPathResolver;
+
+	void subPathToRealPath(const tc::io::Path& sub_path, tc::io::Path& real_path);
+	void realPathToSubPath(const tc::io::Path& real_path, tc::io::Path& sub_path);
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/SubSink.h b/ctrtool/deps/libtoolchain/include/tc/io/SubSink.h
new file mode 100644
index 00000000..5348b003
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/SubSink.h
@@ -0,0 +1,77 @@
+	/**
+	 * @file SubSink.h
+	 * @brief Declaration of tc::io::SubSink
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/04/10
+	 **/
+#pragma once
+#include <tc/io/ISink.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/OutOfMemoryException.h>
+#include <tc/ObjectDisposedException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/NotImplementedException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class SubSink
+	 * @brief A ISink that exposes a subset of a base ISink.
+	 **/
+class SubSink : public tc::io::ISink
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @post This will create an unusable SubSink, it will have to be assigned from a valid SubSink object to be usable.
+		 **/ 
+	SubSink();
+
+		/** 
+		 * @brief Create SubSink
+		 * 
+		 * @param[in] sink The base ISink object which this sub sink will derive from.
+		 * @param[in] offset The zero-based byte offset in sink at which to begin the sub sink.
+		 * @param[in] length Length of the sub sink.
+		 * 
+		 * @pre The sub sink must be a subset of the base sink.
+		 * 
+		 * @throw tc::ArgumentNullException @p sink is a @p nullptr.
+		 * @throw tc::ArgumentOutOfRangeException @p offset or @p length is negative or otherwise invalid given the length of the base sink.
+		 **/
+	SubSink(const std::shared_ptr<tc::io::ISink>& sink, int64_t offset, int64_t length);
+
+		/// Gets the length of the sink.
+	int64_t length();
+
+		/**
+		 * @brief Sets the length of the sink. This is not supported for SubSink. 
+		 * @throw tc::NotImplemented setLength is not implemented for SubSink.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Push data to the sink.
+		 * 
+		 * @param[in] data Data to be pushed to the sink.
+		 * @param[in] offset Zero-based offset in sink to push data.
+		 * 
+		 * @return Number of bytes pushed to sink.
+		 * 
+		 * @throw tc::ObjectDisposedException The base sink was not initialized.
+		 * @throw tc::ArgumentOutOfRangeException @p data was too large to be pushed to the sink.
+		 **/
+	size_t pushData(const tc::ByteData& data, int64_t offset);
+private:
+	static const std::string kClassName;
+
+	std::shared_ptr<tc::io::ISink> mBaseSink;
+	int64_t mBaseSinkOffset;
+
+	int64_t mSubSinkLength;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/SubSource.h b/ctrtool/deps/libtoolchain/include/tc/io/SubSource.h
new file mode 100644
index 00000000..fe5a062b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/SubSource.h
@@ -0,0 +1,64 @@
+	/**
+	 * @file SubSource.h
+	 * @brief Declaration of tc::io::SubSource
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/02/08
+	 **/
+#pragma once
+#include <tc/io/ISource.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class SubSource
+	 * @brief A ISource that exposes a subset of a base ISource.
+	 **/
+class SubSource : public tc::io::ISource
+{
+public:
+		/**
+		 * @brief Default constructor
+		 * @post This will create an unusable SubSource, it will have to be assigned from a valid SubSource object to be usable.
+		 **/ 
+	SubSource();
+
+		/** 
+		 * @brief Create SubSource
+		 * 
+		 * @param[in] source The base ISource object which this sub source will derive from.
+		 * @param[in] offset The zero-based byte offset in source at which to begin the sub source.
+		 * @param[in] length Length of the sub source.
+		 * 
+		 * @pre The sub source must be a subset of the base source.
+		 * 
+		 * @throw tc::ArgumentNullException @p source is a @p nullptr.
+		 * @throw tc::ArgumentOutOfRangeException @p offset or @p length is negative or otherwise invalid given the length of the base source.
+		 **/
+	SubSource(const std::shared_ptr<tc::io::ISource>& source, int64_t offset, int64_t length);
+
+		/// Get length of source
+	int64_t length();
+
+		/**
+		 * @brief Pull data from source
+		 * 
+		 * @param[in] offset Zero-based offset in source to pull data.
+		 * @param[in] count The maximum number of bytes to be pull from the source.
+		 *
+		 * @return ByteData containing data pulled from source
+		 **/
+	tc::ByteData pullData(int64_t offset, size_t count);
+private:
+	static const std::string kClassName;
+
+	std::shared_ptr<tc::io::ISource> mBaseSource;
+	int64_t mBaseSourceOffset;
+
+	int64_t mSubSourceLength;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/SubStream.h b/ctrtool/deps/libtoolchain/include/tc/io/SubStream.h
new file mode 100644
index 00000000..6607ebb6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/SubStream.h
@@ -0,0 +1,155 @@
+	/**
+	 * @file SubStream.h
+	 * @brief Declaration of tc::io::SubStream
+	 * @author Jack (jakcron)
+	 * @version 0.4
+	 * @date 2020/01/26
+	 **/
+#pragma once
+#include <tc/io/IStream.h>
+
+#include <tc/ArgumentNullException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/NotImplementedException.h>
+#include <tc/ObjectDisposedException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class SubStream
+	 * @brief A wrapper around an existing IStream object that exposes a subset of the base the IStream object.
+	 **/
+class SubStream : public tc::io::IStream
+{
+public:
+		/**
+		 * @brief Default Constructor
+		 * @post This will create an unusable SubStream, it will have to be assigned from a valid SubStream object to be usable.
+		 **/
+	SubStream();
+
+		/** 
+		 * @brief Create SubStream
+		 * 
+		 * @param[in] stream The base IStream object which this sub stream will derive from.
+		 * @param[in] offset The zero-based byte offset in stream at which to begin the sub stream.
+		 * @param[in] length Length of the sub stream.
+		 * 
+		 * @pre The sub stream must be a subset of the base stream.
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * 
+		 * @throw tc::ArgumentNullException @p stream is a @p nullptr.
+		 * @throw tc::NotSupportedException The base stream does not support seeking.
+		 * @throw tc::ArgumentOutOfRangeException @p offset or @p length is negative or otherwise invalid given the length of the base stream.
+		 **/
+	SubStream(const std::shared_ptr<tc::io::IStream>& stream, int64_t offset, int64_t length);
+
+		/**
+		 * @brief Indicates whether the current stream supports reading.
+		 **/ 
+	bool canRead() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports writing.
+		 **/
+	bool canWrite() const;
+
+		/**
+		 * @brief Indicates whether the current stream supports seeking.
+		 **/
+	bool canSeek() const;
+
+		/**
+		 * @brief Gets the length in bytes of the stream.
+		 **/
+	int64_t length();
+
+		/** 
+		 * @brief Gets the position within the current stream. 
+		 * 
+		 * @return This is returns the current position within the stream.
+		 **/
+	int64_t position();
+
+		/**
+		 * @brief Reads a sequence of bytes from the current stream and advances the position within the stream by the number of bytes read.
+		 * 
+		 * @param[out] ptr Pointer to an array of bytes. When this method returns, @p ptr contains the specified byte array with the values between 0 and (@p count - 1) replaced by the bytes read from the current source.
+		 * @param[in] count The maximum number of bytes to be read from the current stream.
+		 * 
+		 * @return The total number of bytes read into @p ptr. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support reading for @ref read to work. 
+		 * @note Use @ref canRead to determine if this stream supports reading.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p count exceeds the length of readable data in the sub stream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t read(byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Writes a sequence of bytes to the current stream and advances the current position within this stream by the number of bytes written.
+		 * 
+		 * @param[in] ptr Pointer to an array of bytes. This method copies @p count bytes from @p ptr to the current stream.
+		 * @param[in] count The number of bytes to be written to the current stream.
+		 * 
+		 * @return The total number of bytes written to the stream. This can be less than the number of bytes requested if that many bytes are not currently available, or zero (0) if the end of the stream has been reached.
+		 * 
+		 * @pre A stream must support writing for @ref write to work. 
+		 * @note Use @ref canWrite to determine if this stream supports writing.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p count exceeds the length of writeable data in the sub stream.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	size_t write(const byte_t* ptr, size_t count);
+
+		/**
+		 * @brief Sets the position within the current stream.
+		 * 
+		 * @param[in] offset A byte offset relative to the origin parameter.
+		 * @param[in] origin A value of type @ref tc::io::SeekOrigin indicating the reference point used to obtain the new position.
+		 * 
+		 * @return The new position within the current stream.
+		 * 
+		 * @pre A stream must support seeking for @ref seek to work. 
+		 * @note Use @ref canSeek to determine if this stream supports seeking.
+		 * @note Exceptions thrown by the base stream are not altered/intercepted, refer to that module's documentation for those exceptions.
+		 * 
+		 * @throw tc::ArgumentOutOfRangeException @p origin contains an invalid value.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	int64_t seek(int64_t offset, SeekOrigin origin);
+
+		/**
+		 * @brief Sets the length of the current stream. This is not implemented for @ref SubStream.
+		 * @throw tc::NotImplementedException @ref setLength is not implemented for @ref SubStream
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void setLength(int64_t length);
+
+		/**
+		 * @brief Clears all buffers for this and the base stream and causes any buffered data to be written to the underlying device.
+		 * 
+		 * @throw tc::io::IOException An I/O error occurs.
+		 * @throw tc::ObjectDisposedException Methods were called after the stream was closed.
+		 **/
+	void flush();
+	
+		/**
+		 * @brief Releases internal resources including base stream and clears internal state.
+		 **/
+	void dispose();
+private:
+	static const std::string kClassName;
+
+	std::shared_ptr<tc::io::IStream> mBaseStream;
+	int64_t mBaseStreamOffset;
+
+	int64_t mSubStreamLength;
+	int64_t mSubStreamPosition;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/io/VirtualFileSystem.h b/ctrtool/deps/libtoolchain/include/tc/io/VirtualFileSystem.h
new file mode 100644
index 00000000..5f6de93f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/io/VirtualFileSystem.h
@@ -0,0 +1,212 @@
+	/**
+	 * @file VirtualFileSystem.h
+	 * @brief Declaration of tc::io::VirtualFileSystem
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2022/02/08
+	 **/
+#pragma once
+#include <tc/io/IFileSystem.h>
+#include <tc/io/BasicPathResolver.h>
+
+#include <tc/ObjectDisposedException.h>
+#include <tc/NotImplementedException.h>
+#include <tc/NotSupportedException.h>
+#include <tc/io/DirectoryNotFoundException.h>
+#include <tc/io/FileNotFoundException.h>
+
+namespace tc { namespace io {
+
+	/**
+	 * @class VirtualFileSystem
+	 * @brief A virtual read-only file-system created using a file-system snapshot.
+	 * 
+	 * @details
+	 * The intended use-case for VirtualFileSystem is for when the user must read/parse the file-system structures directly instead of using the OS to mount it.
+	 * The user generates a file-system snapshot from the file-system structures (see @ref VirtualFileSystem::FileSystemSnapshot) and supplies that to VirtualFileSystem to create a IFileSystem shim.
+	 *
+	 * User supplies:
+	 * * a @ref VirtualFileSystem::FileSystemSnapshot struct which contains vectors of directory and file entries, including mapping between absolute tc::io::Path and a dir/file entry.
+	 * * optionally an implementation of @ref tc::io::IPortablePathResolver to determine the absolute path from a relative path and the current directory. Providing a custom IPortablePathResolver implementation is only required when special logic (like case insensitivity) is required to resolve the correct absolute path.
+	 **/	
+class VirtualFileSystem : public tc::io::IFileSystem
+{
+public:
+		/**
+		 * @struct FileSystemSnapshot
+		 * @brief A struct which contains vectors of directory and file entries, including mapping between absolute tc::io::Path and a dir/file entry.
+		 *
+		 * @details
+		 * FileSystemSnapshot is snapshot of a FileSystem directory tree. It only has to support read-only access to directory information and file streams.
+		 *
+		 * VirtualFileSystem considers a directory to exist if the following conditions are satisfied:
+		 * * The absolute tc::io::Path to the directory exists in @b dir_entry_path_map
+		 * * The index from looking up the absolute path in @b dir_entry_path_map is a valid index for @b dir_entries
+		 *
+		 * VirtualFileSystem considers a file to exist if the following conditions are satisfied:
+		 * * The absolute tc::io::Path to the file exists in @b file_entry_path_map
+		 * * The index from looking up the absolute path in @b file_entry_path_map is a valid index for @b file_entries
+		 * * The FileEntry in @b file_entries has a @b stream member that is not @b nullptr
+		 * * The IStream has properties: @b .canRead() == @b true, @b .canWrite() == @b false
+		 */
+	struct FileSystemSnapshot
+	{
+		FileSystemSnapshot() :
+			dir_entries(),
+			file_entries(),
+			dir_entry_path_map(),
+			file_entry_path_map()
+		{
+		}
+
+			/**
+			 * @struct DirEntry
+			 * @brief This struct contains data for the directory entry.
+			 * @details
+			 * This currently contains only a @ref tc::io::sDirectoryListing.
+			 *
+			 * DirEntries are used to confirm that a directory exists, and also to provide the sDirectoryListing for getDirectoryListing()
+			 */
+		struct DirEntry
+		{
+			tc::io::sDirectoryListing dir_listing;
+		};
+
+			/**
+			 * @struct FileEntry
+			 * @brief This struct contains data for the file entry.
+			 * @details
+			 * This currently contains only a @ref tc::io::IStream pointer.
+			 *
+			 * FileEntry objects are used to confirm that a files exists, and also to provide the IStream for openFile() 
+			 * IStream objects should have .canRead() == true AND .canWrite() == false, canSeek() is preferred to be true, but it isn't required.
+			 */
+		struct FileEntry
+		{
+			std::shared_ptr<tc::io::IStream> stream;
+		};
+
+			/// Vector of directory entries
+		std::vector<DirEntry> dir_entries;
+			/// Vector of file entries
+		std::vector<FileEntry> file_entries;
+			/// Mapping of absolute path to index of DirEntry in dir_entries
+		std::map<tc::io::Path, size_t> dir_entry_path_map;
+			/// Mapping of absolute path to index of FileEntry in file_entries
+		std::map<tc::io::Path, size_t> file_entry_path_map;
+	};
+
+		/**
+		 * @brief Default constructor
+		 * @post This will create an unusable VirtualFileSystem, it will have to be assigned from a valid VirtualFileSystem object to be usable.
+		 **/
+	VirtualFileSystem();
+
+		/** 
+		 * @brief Create VirtualFileSystem
+		 * 
+		 * @param[in] fs_snapshot The FileSystemSnapshot object which this VirtualFileSystem will use to process file-system requests.
+		 * @param[in] path_resolver Pointer to @ref tc::io::IPortablePathResolver object that resolves relative paths to absolute paths. If @p nullptr, @ref tc::io::BasicPathResolver will be used.
+		 * 
+		 * @throw tc::InvalidOperationException @p fs_snapshot Did not contain a root directory entry.
+		 **/
+	VirtualFileSystem(const FileSystemSnapshot& fs_snapshot, const std::shared_ptr<tc::io::IPortablePathResolver>& path_resolver = nullptr);
+
+	tc::ResourceStatus state();
+
+		/// This will release the underlying FileSystemSnapshot and PathResolver
+	void dispose();
+
+		/** 
+		 * @brief Create a new file
+		 * @details This method is not implemented for VirtualFileSystem.
+		 * 
+		 * @param[in] path A relative or absolute path to file.
+		 * 
+		 * @throw tc::NotImplementedException This method is not implemented for VirtualFileSystem.
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void createFile(const tc::io::Path& path);
+
+		/** 
+		 * @brief Remove a file
+		 * @details This method is not implemented for VirtualFileSystem.
+		 * 
+		 * @param[in] path A relative or absolute path to file.
+		 * 
+		 * @throw tc::NotImplementedException This method is not implemented for VirtualFileSystem.
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void removeFile(const tc::io::Path& path);
+
+		/** 
+		 * @brief Open a file
+		 * 
+		 * @param[in] path A relative or absolute path to file.
+		 * @param[in] mode One of the enumeration values that determines how to open or create the file. This must be @ref tc::io::FileMode::Open for VirtualFileSystem.
+		 * @param[in] access One of the enumeration values that determines how the file can be accessed by the @ref IStream object. This must be @ref tc::io::FileAccess::Read for VirtualFileSystem.
+		 * @param[out] stream Pointer to IStream object to be instantiated.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 * @throw tc::NotSupportedException Unsupported access/mode ( @p mode was not @ref tc::io::FileMode::Open, or @p access was not @ref tc::io::FileAccess::Read).
+		 * @throw tc::io::FileNotFoundException File was not found.
+		 **/
+	void openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream);
+	
+		/** 
+		 * @brief Create a new directory
+		 * @details This method is not implemented for VirtualFileSystem.
+		 * 
+		 * @param[in] path A relative or absolute path to directory.
+		 * 
+		 * @throw tc::NotImplementedException This method is not implemented for VirtualFileSystem.
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void createDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Remove a directory
+		 * @details This method is not implemented for VirtualFileSystem.
+		 * 
+		 * @param[in] path A relative or absolute path to directory.
+		 * 
+		 * @throw tc::NotImplementedException This method is not implemented for VirtualFileSystem.
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void removeDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Get the full path of the working directory
+		 * @param[out] path Path object to populate.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 **/
+	void getWorkingDirectory(tc::io::Path& path);
+
+		/** 
+		 * @brief Change the working directory
+		 * @param[in] path A relative or absolute path to directory.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 * @throw tc::io::DirectoryNotFoundException Directory was not found.
+		 **/
+	void setWorkingDirectory(const tc::io::Path& path);
+
+		/** 
+		 * @brief Get directory listing a directory
+		 * @param[in] path A relative or absolute path to directory.
+		 * @param[out] info The sDirectoryListing object to populate.
+		 * 
+		 * @throw tc::ObjectDisposedException Methods were called after the file-system was closed.
+		 * @throw tc::io::DirectoryNotFoundException Directory was not found.
+		 **/
+	void getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& info);
+private:
+	static const std::string kClassName;
+	
+	FileSystemSnapshot::DirEntry* mCurDir;
+	FileSystemSnapshot mFsSnapshot;
+	std::shared_ptr<tc::io::IPortablePathResolver> mPathResolver;
+};
+
+}} // namespace tc::io
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/os.h b/ctrtool/deps/libtoolchain/include/tc/os.h
new file mode 100644
index 00000000..02d5bb49
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/os.h
@@ -0,0 +1,13 @@
+	/**
+	 * @file		os.h
+	 * @brief       Declaration of the operating system (OS) library
+	 */
+#pragma once
+#include <tc/types.h>
+#include <tc/Exception.h>
+
+	/**
+	 * @namespace   tc::os
+	 * @brief       Namespace of the operating system (OS) library
+	 */
+#include <tc/os/Environment.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/os/Environment.h b/ctrtool/deps/libtoolchain/include/tc/os/Environment.h
new file mode 100644
index 00000000..faa5e33a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/os/Environment.h
@@ -0,0 +1,28 @@
+	/**
+	 * @file Environment.h
+	 * @brief Declarations for API resources for accessing run-time environment
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/06/12
+	 **/
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+namespace tc { namespace os {
+
+	/**
+	 * @brief Get environment variable.
+	 * 
+	 * @details This function supports UTF-8 encoding
+	 * 
+	 * @param[in] name Name of environment variable.
+	 * @param[out] value Reference to string to populate with variable.
+	 *
+	 * @post @p value will contain the environment variable if it exists.
+	 * 
+	 * @return true if operation was successful.
+	 */
+bool getEnvVar(const std::string& name, std::string& value);
+
+}} // namespace tc::cli
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/os/UnicodeMain.h b/ctrtool/deps/libtoolchain/include/tc/os/UnicodeMain.h
new file mode 100644
index 00000000..3a7aa4aa
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/os/UnicodeMain.h
@@ -0,0 +1,71 @@
+	/**
+	 * @file UnicodeMain.h
+	 * @brief Declaration of unicode entry point (umain())
+	 * @author Jack (jakcron)
+	 * @version 0.1
+	 * @date 2020/04/13
+	 * @details
+	 * Including UnicodeMain.h bootstraps @ref umain() by defining the platform specific unicode entry point.
+	 * 
+	 * You must define @ref umain() as your entry point if you include this header. Compiler errors will occur if you define any other entrypoints or do not define @ref umain().
+	 **/
+#include <string>
+#include <vector>
+#ifdef _WIN32
+#include <wchar.h>
+#endif
+#include <tc/string/TranscodeUtil.h>
+
+#include <iostream>
+
+	/**
+	 * @brief Multi-platform UTF-8 entry point.
+	 * 
+	 * @param[in] args vector of UTF-8 encoded command-line arguments.
+	 * @param[in] env vector of UTF-8 encoded environment variables.
+	 * 
+	 * @details
+	 * You must define this function, it replaces using regular entry points like main, wmain, tmain, etc...
+	 */
+int umain(const std::vector<std::string>& args, const std::vector<std::string>& env);
+
+#ifdef _WIN32
+	/**
+	 * @brief Native unicode entry point is defined here and bootstraps @ref umain().
+	 * @warning Do not call or define this function
+	 */
+int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
+#else
+	/**
+	 * @brief Native unicode entry point is defined here and bootstraps @ref umain().
+	 * @warning Do not call or define this function
+	 */
+int main(int argc, char* argv[], char* envp[])
+#endif
+{
+	std::vector<std::string> args;
+	for (size_t i = 0; i < (size_t)argc; i++)
+	{
+#ifdef _WIN32
+		std::string u8_arg;
+		tc::string::TranscodeUtil::UTF16ToUTF8(std::u16string((char16_t*)argv[i]), u8_arg);
+		args.push_back(u8_arg);
+#else
+		args.push_back(argv[i]);
+#endif
+	}
+
+	std::vector<std::string> env;
+	for (; *envp != nullptr; envp++)
+	{
+#ifdef _WIN32
+		std::string u8_env;
+		tc::string::TranscodeUtil::UTF16ToUTF8(std::u16string((char16_t*)*envp), u8_env);
+		env.push_back(u8_env);
+#else
+		env.push_back(std::string(*envp));
+#endif
+	}
+
+	return umain(args, env);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/string.h b/ctrtool/deps/libtoolchain/include/tc/string.h
new file mode 100644
index 00000000..01336705
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/string.h
@@ -0,0 +1,12 @@
+	/**
+	 * @file		string.h
+	 * @brief       Declaration of the string library
+	 **/
+#pragma once
+#include <tc/types.h>
+
+	/**
+	 * @namespace   tc::string
+	 * @brief       Namespace of the string library
+	 **/
+#include <tc/string/TranscodeUtil.h>
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/string/TranscodeUtil.h b/ctrtool/deps/libtoolchain/include/tc/string/TranscodeUtil.h
new file mode 100644
index 00000000..a53fc61a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/string/TranscodeUtil.h
@@ -0,0 +1,77 @@
+	/**
+	 * @file TranscodeUtil.h
+	 * @brief Declaration of tc::string::TranscodeUtil
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/03/22
+	 **/
+#pragma once
+#include <string>
+
+#include <tc/ArgumentException.h>
+
+namespace tc { namespace string {
+
+	/**
+	 * @class TranscodeUtil
+	 * @brief Collection of functions to transcode between UTF-8/UTF-16/UTF-32
+	 **/
+class TranscodeUtil
+{
+public:
+		/**
+		 * @brief Transcode a UTF-8 string to UTF-32.
+		 * @param[in] src Source UTF-8 string.
+		 * @param[out] dst Destination UTF-32 string.
+		 * 
+		 * @throw tc::ArgumentException When src is an invalid string.
+		 **/
+	static void UTF8ToUTF32(const std::string& src, std::u32string& dst);
+
+		/**
+		 * @brief Transcode a UTF-16 string to UTF-32.
+		 * @param[in] src Source UTF-16 string.
+		 * @param[out] dst Destination UTF-32 string.
+		 *
+		 * @throw tc::ArgumentException When src is an invalid string.
+		 **/
+	static void UTF16ToUTF32(const std::u16string& src, std::u32string& dst);
+
+		/**
+		 * @brief Transcode a UTF-32 string to UTF-8.
+		 * @param[in] src Source UTF-32 string.
+		 * @param[out] dst Destination UTF-8 string.
+		 * 
+		 * @throw tc::ArgumentException When src is an invalid string.
+		 **/
+	static void UTF32ToUTF8(const std::u32string& src, std::string& dst);
+
+		/**
+		 * @brief Transcode a UTF-32 string to UTF-16.
+		 * @param[in] src Source UTF-32 string.
+		 * @param[out] dst Destination UTF-16 string.
+		 * 
+		 * @throw tc::ArgumentException When src is an invalid string.
+		 **/
+	static void UTF32ToUTF16(const std::u32string& src, std::u16string& dst);
+
+		/**
+		 * @brief Transcode a UTF-8 string to UTF-16.
+		 * @param[in] src Source UTF-8 string.
+		 * @param[out] dst Destination UTF-16 string.
+		 * 
+		 * @throw tc::ArgumentException When src is an invalid string.
+		 **/
+	static void UTF8ToUTF16(const std::string& src, std::u16string& dst);
+
+		/**
+		 * @brief Transcode a UTF-16 string to UTF-8.
+		 * @param[in] src Source UTF-16 string.
+		 * @param[out] dst Destination UTF-8 string.
+		 * 
+		 * @throw tc::ArgumentException When src is an invalid string.
+		 **/
+	static void UTF16ToUTF8(const std::u16string& src, std::string& dst);
+};
+
+}} // namespace tc::string
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/string/detail/utf16.h b/ctrtool/deps/libtoolchain/include/tc/string/detail/utf16.h
new file mode 100644
index 00000000..7619c032
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/string/detail/utf16.h
@@ -0,0 +1,22 @@
+/**
+ * @file utf16.h
+ * @brief Declaration of UTF-16 constants and macros
+ * @author Jack (jakcron)
+ * @version 0.1
+ * @date 2019/01/15
+ */
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace string { namespace detail {
+
+static const char32_t kUtf16EncodeMax = 0x10FFFF;
+static const char32_t kUtf16NonNativeStart = 0x10000;
+static const char16_t kUtf16SurrogateBits = 10;
+static const char16_t kUtf16SurrogateMask = (1 << kUtf16SurrogateBits) - 1;
+static const char16_t kUtf16HighSurrogateStart = 0xD800;
+static const char16_t kUtf16HighSurrogateEnd = kUtf16HighSurrogateStart | kUtf16SurrogateMask;
+static const char16_t kUtf16LowSurrogateStart = 0xDC00;
+static const char16_t kUtf16LowSurrogateEnd = kUtf16LowSurrogateStart | kUtf16SurrogateMask;
+
+}}} // namespace tc::string::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/string/detail/utf8.h b/ctrtool/deps/libtoolchain/include/tc/string/detail/utf8.h
new file mode 100644
index 00000000..6c69bc3c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/string/detail/utf8.h
@@ -0,0 +1,39 @@
+
+	/**
+	 * @file utf8.h
+	 * @brief Declaration of UTF-8 constants and macros
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2021/01/26
+	 */
+#pragma once
+#include <tc/types.h>
+
+namespace tc { namespace string { namespace detail {
+
+static const char32_t kUtf8AsciiStart = 0x00;
+static const char32_t kUtf8AsciiEnd = 0x7F;
+static const char32_t kUtf82ByteStart = 0x80;
+static const char32_t kUtf82ByteEnd = 0x7FF;
+static const char32_t kUtf83ByteStart = 0x800;
+static const char32_t kUtf83ByteEnd = 0x7FFF;
+static const char32_t kUtf84ByteStart = 0x8000;
+static const char32_t kUtf84ByteEnd = 0x10FFFF;
+
+static inline uint8_t make_utf8_prefix(uint8_t prefix_bits) { return ((uint8_t)(-1)) << (8 - prefix_bits); }
+static inline uint8_t make_utf8_mask(uint8_t prefix_bits) { return ((uint8_t)(-1)) >> (prefix_bits + 1); }
+static inline uint8_t make_utf8(uint8_t prefix_bits, uint8_t data) { return make_utf8_prefix(prefix_bits) | (data & make_utf8_mask(prefix_bits)); }
+static inline uint8_t get_utf8_data(uint8_t prefix_bits, uint8_t utf8_chr) { return utf8_chr & make_utf8_mask(prefix_bits); }
+static inline bool utf8_has_prefix(uint8_t prefix_bits, uint8_t utf8_chr) { return ((utf8_chr & make_utf8_prefix(prefix_bits)) == make_utf8_prefix(prefix_bits)) && ((utf8_chr & ~make_utf8_mask(prefix_bits)) == make_utf8_prefix(prefix_bits)); }
+static inline uint8_t get_utf8_prefix(uint8_t utf8_chr)
+{
+	uint8_t prefix = 0;
+	while ((utf8_chr & (1 << 7)) != 0)
+	{
+		utf8_chr <<= 1;
+		prefix++;
+	}
+	return prefix;
+}
+
+}}} // namespace tc::string::detail
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/include/tc/types.h b/ctrtool/deps/libtoolchain/include/tc/types.h
new file mode 100644
index 00000000..8cdc8377
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/include/tc/types.h
@@ -0,0 +1,65 @@
+	/**
+	 * @file types.h
+	 * @brief Declaration of generic types used by libtoolchain
+	 * @author Jack (jakcron)
+	 * @version 0.2
+	 * @date 2020/04/05
+	 **/
+#pragma once
+#include <string>
+#include <array>
+#include <vector>
+#include <map>
+#include <cstdint>
+#include <cstring>
+#include <limits>
+#include <memory>
+#include <algorithm>
+#include <type_traits>
+#include <limits>
+#include <tc/bn.h>
+
+#ifdef _WIN32
+#define NOMINMAX
+#endif
+
+	/// Alias uint8_t to byte_t to more explicity indicate its role in memory related contexts
+using byte_t = uint8_t;
+
+	/**
+	 * @brief Round a value up to an alignment value.
+	 */
+template <typename T>
+inline T roundup(T value, T alignment)
+{
+	return value + alignment - value % alignment;
+}
+
+	/**
+	 * @brief Align a value to an alignment value.
+	 */
+template <typename T>
+inline T align(T value, T alignment)
+{
+	if(value % alignment != 0)
+		return roundup(value,alignment);
+	else
+		return value;
+}
+
+namespace tc {
+		/// Returns if type size_t is not 64bit.
+	bool is_size_t_not_64bit();
+
+		/// Returns if a value of type size_t is too large to be stored as int64_t.
+	bool is_size_t_too_large_for_int64_t(size_t val);
+
+		/// Returns if a value of type uint64_t is too large to be stored as int64_t.
+	bool is_uint64_t_too_large_for_int64_t(uint64_t val);
+
+		/// Returns if a value of type int64_t is too large to be stored as size_t.
+	bool is_int64_t_too_large_for_size_t(int64_t val);
+
+		/// Returns if a value of type uint64_t is too large to be stored as size_t.
+	bool is_uint64_t_too_large_for_size_t(uint64_t val);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/makefile b/ctrtool/deps/libtoolchain/makefile
new file mode 100644
index 00000000..e4821e6d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/makefile
@@ -0,0 +1,197 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 6 (20211110)
+
+# Project Name
+PROJECT_NAME = libtoolchain
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH) $(PROJECT_SRC_PATH)/io $(PROJECT_SRC_PATH)/string $(PROJECT_SRC_PATH)/cli $(PROJECT_SRC_PATH)/os $(PROJECT_SRC_PATH)/crypto $(PROJECT_SRC_PATH)/crypto/detail
+PROJECT_INCLUDE_PATH = include
+PROJECT_TESTSRC_PATH = test
+PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+PROJECT_DOCS_PATH = docs
+PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Shared Library Definitions
+PROJECT_SO_VER_MAJOR = 0
+PROJECT_SO_VER_MINOR = 5
+PROJECT_SO_VER_PATCH = 0
+PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
+PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
+
+# Project Dependencies
+PROJECT_DEPEND = mbedtls fmt
+PROJECT_DEPEND_LOCAL_DIR = libmbedtls libfmt
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc	
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building static library
+#	- 'shared_lib' for building shared library
+#	- 'program' for building the program
+#	- 'test_program' for building the test program
+# These can typically be used together however *_lib and program should not be used together
+all: static_lib test_program
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+shared_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)
+	@gcc -shared -Wl,-soname,$(PROJECT_SONAME) -o "$(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/ByteData.cpp b/ctrtool/deps/libtoolchain/src/ByteData.cpp
new file mode 100644
index 00000000..ce530d99
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/ByteData.cpp
@@ -0,0 +1,110 @@
+#include <tc/ByteData.h>
+
+const std::string tc::ByteData::kClassName = "tc::ByteData";
+
+tc::ByteData::ByteData() :
+	ByteData(0)
+{}
+
+tc::ByteData::ByteData(const tc::ByteData& other) :
+	ByteData(other.mPtr.get(), other.mSize)
+{}
+
+tc::ByteData::ByteData(tc::ByteData&& other) :
+	mSize(other.mSize),
+	mPtr(std::move(other.mPtr))
+{
+	other.mSize = 0;
+}
+
+tc::ByteData::ByteData(std::initializer_list<byte_t> l) :
+	ByteData(l.size(), false)
+{
+	size_t i = 0;
+	for (auto itr = l.begin(); itr != l.end(); itr++, i++)
+	{
+		mPtr.get()[i] = *itr;
+	}
+}
+
+tc::ByteData::ByteData(size_t size, bool clear_memory)
+{
+	if (size == 0)
+	{
+		mPtr.reset();
+	}
+	else 
+	{
+		try
+		{
+			mPtr = std::unique_ptr<byte_t>(new byte_t[size]);
+		} 
+		catch (const std::bad_alloc&) 
+		{
+			throw tc::OutOfMemoryException(kClassName, "std::bad_alloc thrown");
+		}
+		
+		if (mPtr == nullptr)
+		{
+			throw tc::OutOfMemoryException(kClassName, "Failed to allocate memory");
+		}
+	}
+	
+	mSize = size;
+
+	if (clear_memory == true)
+	{
+		memset(mPtr.get(), 0, mSize);
+	}
+}
+
+tc::ByteData::ByteData(const byte_t* data, size_t size) :
+	ByteData(size, false)
+{
+	memcpy(mPtr.get(), data, mSize);
+}
+
+tc::ByteData& tc::ByteData::operator=(const ByteData& other)
+{
+	*this = tc::ByteData(other);
+	return *this;
+}
+
+tc::ByteData& tc::ByteData::operator=(ByteData&& other)
+{
+	this->mPtr = std::move(other.mPtr);
+	this->mSize = other.mSize;
+	other.mSize = 0;
+	
+	return *this;
+}
+
+byte_t& tc::ByteData::operator[](size_t index)
+{
+	return mPtr.get()[index];
+}
+
+byte_t tc::ByteData::operator[](size_t index) const
+{
+	return mPtr.get()[index];
+}
+
+bool tc::ByteData::operator==(const ByteData& other) const
+{
+	return (this->mSize == other.mSize && memcmp(this->mPtr.get(), other.mPtr.get(), this->mSize) == 0);
+}
+
+bool tc::ByteData::operator!=(const ByteData& other) const
+{
+	return !(*this == other);
+}
+
+byte_t* tc::ByteData::data() const
+{
+	return mPtr.get();
+}
+
+size_t tc::ByteData::size() const
+{
+	return mPtr == nullptr ? 0 : mSize;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/Exception.cpp b/ctrtool/deps/libtoolchain/src/Exception.cpp
new file mode 100644
index 00000000..c3f3302d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/Exception.cpp
@@ -0,0 +1,46 @@
+#include <tc/Exception.h>
+
+tc::Exception::Exception() noexcept :
+	what_(""),
+	module_(""),
+	error_("")
+{
+
+}
+
+tc::Exception::Exception(const std::string & what) noexcept :
+	what_(what),
+	module_(""),
+	error_(what)
+{
+}
+
+tc::Exception::Exception(const std::string & module, const std::string & what) noexcept :
+	what_(""),
+	module_(module),
+	error_(what)
+{
+	if (module_.length() > 0)
+	{
+		what_ = "[" + module_ + " ERROR] " + error_;
+	}
+	else
+	{
+		what_ = error_;
+	}
+}
+
+const char* tc::Exception::what() const noexcept 
+{
+	return what_.c_str();
+}
+
+const char* tc::Exception::module() const noexcept
+{
+	return module_.c_str();
+}
+
+const char * tc::Exception::error() const noexcept
+{
+	return error_.c_str();
+}
diff --git a/ctrtool/deps/libtoolchain/src/PlatformErrorHandlingUtil.cpp b/ctrtool/deps/libtoolchain/src/PlatformErrorHandlingUtil.cpp
new file mode 100644
index 00000000..9f4120d1
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/PlatformErrorHandlingUtil.cpp
@@ -0,0 +1,41 @@
+#include <tc/PlatformErrorHandlingUtil.h>
+#include <algorithm>
+
+#ifdef _WIN32
+std::string tc::PlatformErrorHandlingUtil::GetLastErrorString(DWORD error)
+{
+	if (error)
+	{
+		LPVOID lpMsgBuf;
+		DWORD bufLen = FormatMessage(
+			FORMAT_MESSAGE_ALLOCATE_BUFFER | 
+			FORMAT_MESSAGE_FROM_SYSTEM |
+			FORMAT_MESSAGE_IGNORE_INSERTS,
+			NULL,
+			error,
+			MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+			(LPTSTR) &lpMsgBuf,
+			0, NULL );
+			
+		if (bufLen)
+		{
+			LPCSTR lpMsgStr = (LPCSTR)lpMsgBuf;
+			std::string result(lpMsgStr, lpMsgStr+bufLen);
+			
+			LocalFree(lpMsgBuf);
+
+			// remove CR+LF from string
+			result.erase(std::remove(result.begin(), result.end(), '\n'), result.end());
+			result.erase(std::remove(result.begin(), result.end(), '\r'), result.end());
+
+			return result;
+		}
+	}
+	return std::string();
+}
+#else
+std::string tc::PlatformErrorHandlingUtil::GetGnuErrorNumString(int errnum)
+{
+	return std::string(strerror(errnum));
+}
+#endif
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/cli/FormatUtil.cpp b/ctrtool/deps/libtoolchain/src/cli/FormatUtil.cpp
new file mode 100644
index 00000000..1f540356
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/cli/FormatUtil.cpp
@@ -0,0 +1,222 @@
+#include <tc/cli/FormatUtil.h>
+
+#include <fmt/core.h>
+
+inline int charToByte(char chr)
+{
+	if (chr >= 'a' && chr <= 'f')
+		return (chr - 'a') + 0xa;
+	else if (chr >= 'A' && chr <= 'F')
+		return (chr - 'A') + 0xa; 
+	else if (chr >= '0' && chr <= '9')
+		return chr - '0';
+	return -1;
+}
+
+tc::ByteData tc::cli::FormatUtil::hexStringToBytes(const std::string& str)
+{
+	size_t size = str.size();
+	if ((size % 2))
+	{
+		return tc::ByteData();
+	}
+
+	auto bytes = tc::ByteData(size/2);
+
+	for (size_t i = 0; i < bytes.size(); i++)
+	{
+		int byte = 0;
+
+		byte = charToByte(str[i * 2]);
+		if (byte == -1)
+			return tc::ByteData();
+
+		bytes.data()[i] = byte_t((byte & 0xf) << 4);
+
+		byte = charToByte(str[(i * 2) + 1]);
+		if (byte == -1)
+			return tc::ByteData();
+		
+		bytes.data()[i] |= byte_t((byte & 0xf) << 0);
+	}
+
+	return bytes;
+}
+
+std::string tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(const byte_t* data, size_t len, bool upper_case, const std::string& delimiter, size_t row_len, size_t indent_len, bool print_first_indent)
+{
+	// create indentation string
+	std::string indent_str = "";
+	for (size_t i = 0; i < indent_len; i++)
+	{
+		indent_str += " ";
+	}
+
+	const byte_t* original_data = data;
+
+	// create output string
+	std::string output_str = "";
+
+	for (size_t print_len = 0; len > 0; len -= print_len, data += print_len)
+	{
+		if (data != original_data || print_first_indent)
+		{
+			output_str += indent_str;
+		}
+
+		print_len = std::min<size_t>(len, row_len);  
+
+		output_str += formatBytesAsString(data, print_len, upper_case, delimiter);
+
+		output_str += fmt::format("\n");
+	}
+
+	return output_str;
+}
+
+std::string tc::cli::FormatUtil::formatBytesAsString(const byte_t* data, size_t size, bool upper_case, const std::string& delimiter)
+{
+	// create output string
+	std::string output_str;
+
+	for (size_t i = 0; i < size; i++)
+	{
+		output_str += fmt::format((upper_case ? "{:02X}" : "{:02x}"), data[i]);
+		if (i+1 < size)
+		{
+			output_str += delimiter;
+		}	
+	}
+
+	return output_str;
+}
+
+std::string tc::cli::FormatUtil::formatBytesAsString(const tc::ByteData& data, bool upper_case, const std::string& delimiter)
+{
+	return formatBytesAsString(data.data(), data.size(), upper_case, delimiter);
+}
+
+
+std::string tc::cli::FormatUtil::formatListWithLineLimit(const std::vector<std::string>& str_list, size_t row_len, size_t indent_len, bool print_first_indent)
+{
+	if (str_list.size() == 0)
+	{
+		return "";
+	}
+
+	// create output string
+	std::string output_str = "";
+
+	// create indentation string
+	std::string indent_str = "";
+	for (size_t i = 0; i < indent_len; i++)
+	{
+		indent_str += " ";
+	}
+
+	// create delimiter string
+	std::string delimiter_str = ", ";
+
+	size_t printed_len = 0;
+	for (auto itr = str_list.begin(); itr != str_list.end(); itr++)
+	{
+		// format the strings
+		// wrap the line after row_len multples
+		if (printed_len > row_len || printed_len == 0)
+		{
+			// don't print the new line if this is the first string
+			if (itr != str_list.begin())
+			{
+				output_str += fmt::format("{:s}\n", delimiter_str);
+			}	
+
+			// print indent if this isn't the first string or the user has opted into printing the indent regardless
+			if (itr != str_list.begin() || print_first_indent)
+			{
+				output_str += indent_str;
+			}
+
+			// reset printed_len
+			printed_len = 0;
+		}
+		// within a line we want to separate the next string from the last one with a comma and a space
+		else
+		{
+			//ss << delimiter_str;
+			output_str += delimiter_str;
+		}
+		
+		// print string
+		output_str += *itr;
+
+		// note the length of the string printed
+		printed_len += itr->size() + delimiter_str.size();
+	}
+	output_str += fmt::format("\n");
+
+	return output_str;
+}
+
+std::string tc::cli::FormatUtil::formatBytesAsHxdHexString(const byte_t* data, size_t size, size_t bytes_per_row, size_t byte_group_size)
+{
+	if (size == 0 || bytes_per_row == 0 || byte_group_size == 0)
+	{
+		return "";
+	}
+
+	// create output string
+	std::string output_str = "";
+
+	// iterate over blocks
+	for (size_t i = 0; size > 0; i++)
+	{
+		size_t row_print_len = std::min<size_t>(size, bytes_per_row);
+
+		output_str += fmt::format("{:08x} | ", uint64_t(i) * uint64_t(bytes_per_row));
+
+		// for block i print each byte
+		for (size_t j = 0; j < bytes_per_row; j++)
+		{
+			if (j < row_print_len)
+			{
+				output_str += fmt::format("{:02X}", data[(i * bytes_per_row) + j]);
+			}
+			else
+			{
+				output_str += "  ";
+			}
+				
+
+			if (((j+1) % byte_group_size) == 0) 
+			{
+				output_str += " ";
+			}
+		}
+
+		output_str += " "; 
+
+		for (size_t j = 0; j < bytes_per_row; j++)
+		{
+			if (j < row_print_len)
+			{
+				byte_t byte = data[(i * bytes_per_row) + j];
+				output_str += fmt::format("{:c}", (iscntrl(byte) == 0 && byte < 0x7f) ? (char)byte : '.');
+			}
+			else
+			{
+				output_str += " ";
+			}
+		}
+
+		output_str += fmt::format("\n");
+
+		size -= row_print_len;
+	}
+
+	return output_str;
+}
+
+std::string tc::cli::FormatUtil::formatBytesAsHxdHexString(const byte_t* data, size_t size)
+{
+	return formatBytesAsHxdHexString(data, size, 0x10, 1);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/cli/OptionParser.cpp b/ctrtool/deps/libtoolchain/src/cli/OptionParser.cpp
new file mode 100644
index 00000000..ffd337ba
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/cli/OptionParser.cpp
@@ -0,0 +1,185 @@
+#include <tc/cli/OptionParser.h>
+
+#include <fmt/core.h>
+
+const std::string tc::cli::OptionParser::kClassName = "tc::cli::OptionParser";
+
+tc::cli::OptionParser::OptionParser() :
+	mOptionaAliasMap(),
+	mUnkOptHandler(nullptr)
+{
+}
+
+void tc::cli::OptionParser::registerOptionHandler(const std::shared_ptr<IOptionHandler>& handler)
+{
+	if (handler == nullptr)
+	{
+		// throw exception
+		throw tc::ArgumentNullException(kClassName, "OptionHandler was null.");
+	}
+
+	if (handler->getOptionStrings().empty() && handler->getOptionRegexPatterns().empty())
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "OptionHandler had no option strings or regex patterns.");
+	}
+
+	for (auto itr = handler->getOptionStrings().begin(); itr != handler->getOptionStrings().end(); itr++)
+	{
+		mOptionaAliasMap.insert(std::pair<std::string, std::shared_ptr<IOptionHandler>>(*itr, handler));
+	}
+
+	for (auto itr = handler->getOptionRegexPatterns().begin(); itr != handler->getOptionRegexPatterns().end(); itr++)
+	{
+		mOptionRegexList.push_back(std::pair<std::regex, std::shared_ptr<IOptionHandler>>(std::regex(*itr), handler));
+	}
+}
+
+void tc::cli::OptionParser::registerUnrecognisedOptionHandler(const std::shared_ptr<IOptionHandler>& handler)
+{
+	if (handler == nullptr)
+	{
+		// throw exception
+		throw tc::ArgumentNullException(kClassName, "OptionHandler was null.");
+	}
+
+	mUnkOptHandler = handler;
+}
+
+void tc::cli::OptionParser::processOptions(const std::vector<std::string>& args)
+{
+	/*
+	fmt::print("OptionParser\n");
+	fmt::print("  args:\n");
+	for (auto itr = args.begin(); itr != args.end(); itr++)
+	{
+		fmt::print("  #{:s}#\n", *itr);
+	}
+	*/
+
+	//fmt::print("Begin parsing options\n");
+
+	std::string opt = std::string();
+	std::vector<std::string> params = std::vector<std::string>();
+	for (auto itr = args.begin(); itr != args.end(); itr++)
+	{
+		//fmt::print("itr={:s}\n", *itr);
+
+		// (1) parse the current string
+		std::string tmp_opt = std::string();
+		std::string tmp_param = std::string();
+		bool is_compound = false;
+
+		// if the string begins with '-' then it is an option (which may be compound)
+		if (itr->compare(0,1,"-") == 0)
+		{
+			//fmt::print("looks like an option\n");
+
+			// if there is an "=" in this, then this is a compound option & paramter
+			size_t equalsign_pos = itr->find('=');
+			if (equalsign_pos == std::string::npos)
+			{
+				//fmt::print("the option looks like a solo option\n");
+				tmp_opt = *itr;				
+			}
+			else
+			{
+				//fmt::print("the option looks like a compound opt=param\n");
+				tmp_opt = itr->substr(0, equalsign_pos);
+				tmp_param = itr->substr(equalsign_pos + 1, std::string::npos);
+				//fmt::print(" > opt :   {:s}\n", tmp_opt);
+				//fmt::print(" > param : {:s}\n", tmp_param);
+				// --path=here
+				// 0123456789a
+				// --path : pos=0, size = 6 = equalsign_pos
+				// here : pos = 7 = eqialsign_pos + 1, size = 4 = 11 - 7 = itr->length() -(equalsign_pos+1)
+				is_compound = true;
+			}
+			
+		}
+		// otherwise it is a param
+		else
+		{
+			tmp_param = *itr;
+		}
+
+		// (2) interprete it in the context of the current state
+
+		// the user has indicated the end of the current option
+		// hand off to option handler and clear state
+		if (opt.empty() == false && tmp_opt.empty() == false)
+		{
+			handleOption(opt, params);
+
+			opt = std::string();
+			params = std::vector<std::string>();
+		}
+
+		// if tmp_opt isn't empty then make it the option
+		if (tmp_opt.empty() == false)
+		{
+			opt = tmp_opt;
+		}
+
+		// if tmp_param isn't empty then add it to the param list
+		if (tmp_param.empty() == false)
+		{
+			// if there is no option set, then this is a head-less parameter, throw exception
+			if (opt.empty() == true)
+			{
+				throw tc::ArgumentException(kClassName, "Option parameter was provided without an option.");
+			}
+			params.push_back(tmp_param);
+		}
+
+		// compound options only accept one parameter
+		if (is_compound)
+		{
+			handleOption(opt, params);
+
+			opt = std::string();
+			params = std::vector<std::string>();
+		}
+	}
+
+	// process dangling opt/params
+	if (opt.empty() == false)
+	{
+		handleOption(opt, params);
+	}
+}
+
+void tc::cli::OptionParser::processOptions(const std::vector<std::string>& args, size_t pos, size_t num)
+{
+	processOptions({args.begin()+pos, args.begin()+pos+num});
+}
+
+void tc::cli::OptionParser::handleOption(const std::string& opt, const std::vector<std::string>& params)
+{
+	// attempt to locate a literal alias
+	auto aliasItr = mOptionaAliasMap.find(opt);
+	if (aliasItr != mOptionaAliasMap.end())
+	{
+		aliasItr->second->processOption(opt, params);
+		return;
+	}
+
+	// attempt to pattern match
+	for (auto regexItr = mOptionRegexList.begin(); regexItr != mOptionRegexList.end(); regexItr++)
+	{
+		if (std::regex_match(opt, regexItr->first))
+		{
+			regexItr->second->processOption(opt, params);
+			return;
+		}
+	}
+
+	// attempt to use unknown option handler 
+	if (mUnkOptHandler != nullptr)
+	{
+		mUnkOptHandler->processOption(opt, params);
+		return;
+	}
+	
+	// if no handler is located, throw exception
+	throw tc::ArgumentException(kClassName, fmt::format("Option \"{}\" is not recognised.", opt));
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptedStream.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptedStream.cpp
new file mode 100644
index 00000000..a8ec3b78
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptedStream.cpp
@@ -0,0 +1,328 @@
+#include <tc/crypto/Aes128CbcEncryptedStream.h>
+#include <tc/io/IOUtil.h>
+#include <tc/io/StreamUtil.h>
+
+/*
+#include <fmt/core.h>
+#include <tc/cli/FormatUtil.h>
+*/
+
+// inline utils
+inline uint64_t castInt64ToUint64(int64_t val) { return val < 0 ? 0 : uint64_t(val); }
+inline int64_t castUint64ToInt64(uint64_t val) { return (int64_t)std::min<uint64_t>(val, uint64_t(std::numeric_limits<int64_t>::max())); }
+
+inline uint64_t offsetToBlockIndex(int64_t offset) { return castInt64ToUint64(offset / tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CbcEncryptor::kBlockSize)); };
+inline int64_t blockIndexToOffset(uint64_t block_index) { return castUint64ToInt64(block_index) * tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CbcEncryptor::kBlockSize); };
+
+inline size_t lengthToBlockNum(int64_t length) { return tc::io::IOUtil::castInt64ToSize(length / tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CbcEncryptor::kBlockSize)); };
+inline size_t offsetInBlock(int64_t offset) { return tc::io::IOUtil::castInt64ToSize(offset % tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CbcEncryptor::kBlockSize)); };
+
+
+const std::string tc::crypto::Aes128CbcEncryptedStream::kClassName = "tc::crypto::Aes128CbcEncryptedStream";
+
+tc::crypto::Aes128CbcEncryptedStream::Aes128CbcEncryptedStream() :
+	mBaseStream(),
+	mCryptor(std::shared_ptr<tc::crypto::Aes128CbcEncryptor>(new tc::crypto::Aes128CbcEncryptor()))
+{
+	memset(mBaseIv.data(), 0, mBaseIv.size());
+}
+
+tc::crypto::Aes128CbcEncryptedStream::Aes128CbcEncryptedStream(const std::shared_ptr<tc::io::IStream>& stream, const key_t& key, const iv_t& iv) :
+	Aes128CbcEncryptedStream()
+{
+	mBaseStream = stream;
+
+	// validate stream properties
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName, "stream is null.");
+	}
+	if (mBaseStream->canRead() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "stream does not support reading.");
+	}
+	if (mBaseStream->canSeek() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "stream does not support seeking.");
+	}
+	if ((mBaseStream->length() % sizeof(block_t)) != 0)
+	{
+		throw tc::NotSupportedException(kClassName, "stream does is not block aligned.");
+	}
+
+	// initialize cryptor
+	mCryptor->initialize(key.data(), key.size(), iv.data(), iv.size());
+	mBaseIv = iv;
+}
+
+bool tc::crypto::Aes128CbcEncryptedStream::canRead() const
+{
+	return mBaseStream == nullptr ? false : mBaseStream->canRead();
+}
+
+bool tc::crypto::Aes128CbcEncryptedStream::canWrite() const
+{
+	return false; // always false this is a read-only stream
+}
+bool tc::crypto::Aes128CbcEncryptedStream::canSeek() const
+{
+	return mBaseStream == nullptr ? false : mBaseStream->canSeek();
+}
+
+int64_t tc::crypto::Aes128CbcEncryptedStream::length()
+{
+	return mBaseStream == nullptr ? 0 : mBaseStream->length();
+}
+
+int64_t tc::crypto::Aes128CbcEncryptedStream::position()
+{
+	return mBaseStream == nullptr ? 0 : mBaseStream->position();
+}
+
+size_t tc::crypto::Aes128CbcEncryptedStream::read(byte_t* ptr, size_t count)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::read()", "Failed to read from stream (stream is disposed)");
+	}
+
+	// track read_count
+	size_t data_read_count = 0;
+
+	// get predicted read count
+	count = tc::io::IOUtil::getReadableCount(this->length(), this->position(), count);
+	
+	// if count is 0 just return
+	if (count == 0) return data_read_count;
+
+	// get current position
+	int64_t current_pos = mBaseStream->position();
+	if (current_pos < 0)
+	{
+		throw tc::InvalidOperationException(kClassName+"::read()", "Current stream position is negative.");
+	}
+
+	// determine begin & end offsets
+	int64_t begin_read_offset    = current_pos;
+	int64_t end_read_offset      = begin_read_offset + tc::io::IOUtil::castSizeToInt64(count);
+	int64_t begin_aligned_offset = begin_read_offset - tc::io::IOUtil::castSizeToInt64(offsetInBlock(begin_read_offset));
+	int64_t end_aligned_offset   = end_read_offset - tc::io::IOUtil::castSizeToInt64(offsetInBlock(end_read_offset)) + tc::io::IOUtil::castSizeToInt64(offsetInBlock(end_read_offset) ? sizeof(block_t) : 0x0);
+	size_t block_num             = lengthToBlockNum(end_aligned_offset - begin_aligned_offset);
+
+	bool read_partial_begin_block       = false;
+	uint64_t partial_begin_block_index  = offsetToBlockIndex(begin_read_offset);
+	size_t partial_begin_block_offset   = 0;
+	size_t partial_begin_block_size     = sizeof(block_t);
+
+	bool read_partial_end_block         = false;
+	uint64_t partial_end_block_index    = offsetToBlockIndex(end_read_offset);
+	size_t partial_end_block_offset     = 0;
+	size_t partial_end_block_size       = sizeof(block_t);
+
+	if (offsetInBlock(begin_read_offset) != 0)
+	{
+		read_partial_begin_block   = true;
+		partial_begin_block_offset += offsetInBlock(begin_read_offset);
+		partial_begin_block_size   -= partial_begin_block_offset;
+	}
+	if (offsetInBlock(end_read_offset) != 0)
+	{
+		if (partial_begin_block_index == partial_end_block_index)
+		{
+			read_partial_begin_block = true;
+			partial_begin_block_size -= (sizeof(block_t) - offsetInBlock(end_read_offset));
+		}
+		else
+		{
+			read_partial_end_block = true;
+			partial_end_block_size = offsetInBlock(end_read_offset);
+		}
+	}
+
+	size_t continuous_block_num           = block_num - (size_t)read_partial_begin_block - (size_t)read_partial_end_block;
+	uint64_t continuous_begin_block_index = (continuous_block_num == 0) ? 0 : (offsetToBlockIndex(begin_aligned_offset) + (uint64_t)read_partial_begin_block);
+
+	/*
+	fmt::print("##############################################\n");
+	fmt::print("count:                  0x{:x}\n", count);
+	fmt::print("begin_read_offset:      0x{:x}\n", begin_read_offset);
+	fmt::print("end_read_offset:        0x{:x}\n", end_read_offset);
+	fmt::print("begin_aligned_offset:   0x{:x}\n", begin_aligned_offset);
+	fmt::print("end_aligned_offset:     0x{:x}\n", end_aligned_offset);
+	fmt::print("block_num:              0x{:x}\n", block_num);
+	
+	fmt::print("partial_begin:\n");
+	fmt::print("  read_block:           {}\n", read_partial_begin_block);
+	fmt::print("  block_index:          0x{:x}\n", partial_begin_block_index);
+	fmt::print("  offset:               0x{:x}\n", partial_begin_block_offset);
+	fmt::print("  size:                 0x{:x}\n", partial_begin_block_size);
+	
+	fmt::print("partial_end:\n");
+	fmt::print("  read_block:           {}\n", read_partial_end_block);
+	fmt::print("  block_index:          0x{:x}\n", partial_end_block_index);
+	fmt::print("  offset:               0x{:x}\n", partial_end_block_offset);
+	fmt::print("  size:                 0x{:x}\n", partial_end_block_size);
+
+	fmt::print("continuous:\n");
+	fmt::print("  block_index:          0x{:x}\n", continuous_begin_block_index);
+	fmt::print("  block_num:            0x{:x}\n", continuous_block_num);
+	*/
+
+	if (block_num == 0)
+	{
+		tc::InvalidOperationException(kClassName+"::read()", "Invalid block number (0 blocks, would have returned before now if count==0)");
+	}
+
+	if (block_num < continuous_block_num)
+	{
+		tc::InvalidOperationException(kClassName+"::read()", "Invalid block number (underflow error)");
+	}
+
+	// allocate memory for partial block
+	tc::ByteData partial_block = tc::ByteData(sizeof(block_t));
+
+	// read un-aligned begin block
+	if (read_partial_begin_block)
+	{
+		// read iv	
+		iv_t iv;
+		if (partial_begin_block_index == 0)
+		{
+			iv = mBaseIv;
+		}
+		else
+		{
+			this->seek(blockIndexToOffset(partial_begin_block_index-1), tc::io::SeekOrigin::Begin);
+			mBaseStream->read(iv.data(), iv.size());
+		}
+		mCryptor->update_iv(iv.data(), iv.size());
+		
+		// read block
+		this->seek(blockIndexToOffset(partial_begin_block_index), tc::io::SeekOrigin::Begin);
+		mBaseStream->read(partial_block.data(), partial_block.size());
+		
+		// decrypt block
+		mCryptor->decrypt(partial_block.data(), partial_block.data(), partial_block.size());
+
+		// copy out block carving
+		memcpy(ptr + data_read_count, partial_block.data() + partial_begin_block_offset, partial_begin_block_size);
+
+		// increment data read count
+		data_read_count += partial_begin_block_size;
+	}
+
+	// read continous blocks
+	if (continuous_block_num > 0)
+	{
+		// read iv	
+		iv_t iv;
+		if (continuous_begin_block_index == 0)
+		{
+			iv = mBaseIv;
+		}
+		else
+		{
+			this->seek(blockIndexToOffset(continuous_begin_block_index-1), tc::io::SeekOrigin::Begin);
+			mBaseStream->read(iv.data(), iv.size());
+		}
+		mCryptor->update_iv(iv.data(), iv.size());
+
+		// read blocks
+		this->seek(blockIndexToOffset(continuous_begin_block_index), tc::io::SeekOrigin::Begin);
+		mBaseStream->read(ptr + data_read_count, continuous_block_num * sizeof(block_t));
+		
+		// decrypt blocks
+		mCryptor->decrypt(ptr + data_read_count, ptr + data_read_count, continuous_block_num * sizeof(block_t));
+
+		// increment data read count
+		data_read_count += continuous_block_num * sizeof(block_t);
+	}
+	
+	// read un-aligned end block
+	if (read_partial_end_block)
+	{
+		// read iv	
+		iv_t iv;
+		if (partial_end_block_index == 0)
+		{
+			iv = mBaseIv;
+		}
+		else
+		{
+			this->seek(blockIndexToOffset(partial_end_block_index-1), tc::io::SeekOrigin::Begin);
+			mBaseStream->read(iv.data(), iv.size());
+		}
+		mCryptor->update_iv(iv.data(), iv.size());
+
+		// read block
+		this->seek(blockIndexToOffset(partial_end_block_index), tc::io::SeekOrigin::Begin);
+		mBaseStream->read(partial_block.data(), partial_block.size());
+
+		// decrypt block
+		mCryptor->decrypt(partial_block.data(), partial_block.data(), partial_block.size());
+
+		// copy out block carving
+		memcpy(ptr + data_read_count, partial_block.data() + partial_end_block_offset, partial_end_block_size);
+
+		// increment
+		data_read_count += partial_end_block_size;
+	}
+
+	// restore expected logical position
+	this->seek(begin_read_offset + tc::io::IOUtil::castSizeToInt64(data_read_count), tc::io::SeekOrigin::Begin);
+
+	// return data read count
+	return data_read_count;
+}
+
+size_t tc::crypto::Aes128CbcEncryptedStream::write(const byte_t* ptr, size_t count)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::write()", "Failed to set stream position (stream is disposed)");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::write()", "write is not implemented for Aes128CbcEncryptedStream");
+}
+
+int64_t tc::crypto::Aes128CbcEncryptedStream::seek(int64_t offset, tc::io::SeekOrigin origin)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::seek()", "Failed to set stream position (stream is disposed)");
+	}
+
+	return mBaseStream->seek(offset, origin);
+}
+
+void tc::crypto::Aes128CbcEncryptedStream::setLength(int64_t length)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::setLength()", "Failed to set stream length (stream is disposed)");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::setLength()", "setLength is not implemented for Aes128CbcEncryptedStream");
+}
+
+void tc::crypto::Aes128CbcEncryptedStream::flush()
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::seek()", "Failed to flush stream (stream is disposed)");
+	}
+
+	mBaseStream->flush();
+}
+
+void tc::crypto::Aes128CbcEncryptedStream::dispose()
+{
+	if (mBaseStream.get() != nullptr)
+	{
+		// dispose base stream
+		mBaseStream->dispose();
+
+		// release ptr
+		mBaseStream.reset();
+	}	
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptor.cpp
new file mode 100644
index 00000000..11dbb6ff
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes128CbcEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes128CbcEncryptor.h>
+
+void tc::crypto::EncryptAes128Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes128CbcEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.encrypt(dst, src, size);
+}
+
+void tc::crypto::DecryptAes128Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes128CbcEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.decrypt(dst, src, size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptedStream.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptedStream.cpp
new file mode 100644
index 00000000..4b426189
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptedStream.cpp
@@ -0,0 +1,284 @@
+#include <tc/crypto/Aes128CtrEncryptedStream.h>
+#include <tc/io/IOUtil.h>
+#include <tc/io/StreamUtil.h>
+
+/*
+#include <fmt/core.h>
+#include <tc/cli/FormatUtil.h>
+*/
+
+// inline utils
+inline uint64_t castInt64ToUint64(int64_t val) { return val < 0 ? 0 : uint64_t(val); }
+inline int64_t castUint64ToInt64(uint64_t val) { return (int64_t)std::min<uint64_t>(val, uint64_t(std::numeric_limits<int64_t>::max())); }
+
+inline uint64_t offsetToBlockIndex(int64_t offset) { return castInt64ToUint64(offset / tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CtrEncryptor::kBlockSize)); };
+inline int64_t blockIndexToOffset(uint64_t block_index) { return castUint64ToInt64(block_index) * tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CtrEncryptor::kBlockSize); };
+
+inline size_t lengthToBlockNum(int64_t length) { return tc::io::IOUtil::castInt64ToSize(length / tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CtrEncryptor::kBlockSize)); };
+inline size_t offsetInBlock(int64_t offset) { return tc::io::IOUtil::castInt64ToSize(offset % tc::io::IOUtil::castSizeToInt64(tc::crypto::Aes128CtrEncryptor::kBlockSize)); };
+
+const std::string tc::crypto::Aes128CtrEncryptedStream::kClassName = "tc::crypto::Aes128CtrEncryptedStream";
+
+tc::crypto::Aes128CtrEncryptedStream::Aes128CtrEncryptedStream() :
+	mBaseStream(),
+	mCryptor(std::shared_ptr<tc::crypto::Aes128CtrEncryptor>(new tc::crypto::Aes128CtrEncryptor()))
+{
+}
+
+tc::crypto::Aes128CtrEncryptedStream::Aes128CtrEncryptedStream(const std::shared_ptr<tc::io::IStream>& stream, const key_t& key, const counter_t& counter) :
+	Aes128CtrEncryptedStream()
+{
+	mBaseStream = stream;
+
+	// validate stream properties
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName, "stream is null.");
+	}
+	if (mBaseStream->canRead() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "stream does not support reading.");
+	}
+	if (mBaseStream->canSeek() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "stream does not support seeking.");
+	}
+
+	// initialize cryptor
+	mCryptor->initialize(key.data(), key.size(), counter.data(), counter.size());
+}
+
+bool tc::crypto::Aes128CtrEncryptedStream::canRead() const
+{
+	return mBaseStream == nullptr ? false : mBaseStream->canRead();
+}
+
+bool tc::crypto::Aes128CtrEncryptedStream::canWrite() const
+{
+	return false; // always false this is a read-only stream
+}
+bool tc::crypto::Aes128CtrEncryptedStream::canSeek() const
+{
+	return mBaseStream == nullptr ? false : mBaseStream->canSeek();
+}
+
+int64_t tc::crypto::Aes128CtrEncryptedStream::length()
+{
+	return mBaseStream == nullptr ? 0 : mBaseStream->length();
+}
+
+int64_t tc::crypto::Aes128CtrEncryptedStream::position()
+{
+	return mBaseStream == nullptr ? 0 : mBaseStream->position();
+}
+
+size_t tc::crypto::Aes128CtrEncryptedStream::read(byte_t* ptr, size_t count)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::read()", "Failed to read from stream (stream is disposed)");
+	}
+
+	// track read_count
+	size_t data_read_count = 0;
+
+	// get predicted read count
+	count = tc::io::IOUtil::getReadableCount(this->length(), this->position(), count);
+	
+	// if count is 0 just return
+	if (count == 0) return data_read_count;
+
+	// get current position
+	int64_t current_pos = mBaseStream->position();
+	if (current_pos < 0)
+	{
+		throw tc::InvalidOperationException(kClassName+"::read()", "Current stream position is negative.");
+	}
+
+	// determine begin & end offsets
+	int64_t begin_read_offset    = current_pos;
+	int64_t end_read_offset      = begin_read_offset + tc::io::IOUtil::castSizeToInt64(count);
+	int64_t begin_aligned_offset = begin_read_offset - tc::io::IOUtil::castSizeToInt64(offsetInBlock(begin_read_offset));
+	int64_t end_aligned_offset   = end_read_offset - tc::io::IOUtil::castSizeToInt64(offsetInBlock(end_read_offset)) + tc::io::IOUtil::castSizeToInt64(offsetInBlock(end_read_offset) ? sizeof(block_t) : 0x0);
+	size_t block_num             = lengthToBlockNum(end_aligned_offset - begin_aligned_offset);
+
+	bool read_partial_begin_block       = false;
+	uint64_t partial_begin_block_index  = offsetToBlockIndex(begin_read_offset);
+	size_t partial_begin_block_offset   = 0;
+	size_t partial_begin_block_size     = sizeof(block_t);
+
+	bool read_partial_end_block         = false;
+	uint64_t partial_end_block_index    = offsetToBlockIndex(end_read_offset);
+	size_t partial_end_block_offset     = 0;
+	size_t partial_end_block_size       = sizeof(block_t);
+
+	if (offsetInBlock(begin_read_offset) != 0)
+	{
+		read_partial_begin_block   = true;
+		partial_begin_block_offset += offsetInBlock(begin_read_offset);
+		partial_begin_block_size   -= partial_begin_block_offset;
+	}
+	if (offsetInBlock(end_read_offset) != 0)
+	{
+		if (partial_begin_block_index == partial_end_block_index)
+		{
+			read_partial_begin_block = true;
+			partial_begin_block_size -= (sizeof(block_t) - offsetInBlock(end_read_offset));
+		}
+		else
+		{
+			read_partial_end_block = true;
+			partial_end_block_size = offsetInBlock(end_read_offset);
+		}
+	}
+
+	size_t continuous_block_num           = block_num - (size_t)read_partial_begin_block - (size_t)read_partial_end_block;
+	uint64_t continuous_begin_block_index = (continuous_block_num == 0) ? 0 : (offsetToBlockIndex(begin_aligned_offset) + (uint64_t)read_partial_begin_block);
+
+	/*
+	fmt::print("##############################################\n");
+	fmt::print("count:                  0x{:x}\n", count);
+	fmt::print("begin_read_offset:      0x{:x}\n", begin_read_offset);
+	fmt::print("end_read_offset:        0x{:x}\n", end_read_offset);
+	fmt::print("begin_aligned_offset:   0x{:x}\n", begin_aligned_offset);
+	fmt::print("end_aligned_offset:     0x{:x}\n", end_aligned_offset);
+	fmt::print("block_num:              0x{:x}\n", block_num);
+	
+	fmt::print("partial_begin:\n");
+	fmt::print("  read_block:           {}\n", read_partial_begin_block);
+	fmt::print("  block_index:          0x{:x}\n", partial_begin_block_index);
+	fmt::print("  offset:               0x{:x}\n", partial_begin_block_offset);
+	fmt::print("  size:                 0x{:x}\n", partial_begin_block_size);
+	
+	fmt::print("partial_end:\n");
+	fmt::print("  read_block:           {}\n", read_partial_end_block);
+	fmt::print("  block_index:          0x{:x}\n", partial_end_block_index);
+	fmt::print("  offset:               0x{:x}\n", partial_end_block_offset);
+	fmt::print("  size:                 0x{:x}\n", partial_end_block_size);
+
+	fmt::print("continuous:\n");
+	fmt::print("  block_index:          0x{:x}\n", continuous_begin_block_index);
+	fmt::print("  block_num:            0x{:x}\n", continuous_block_num);
+	*/	
+
+	if (block_num == 0)
+	{
+		tc::InvalidOperationException(kClassName+"::read()", "Invalid block number (0 blocks, would have returned before now if count==0)");
+	}
+
+	if (block_num < continuous_block_num)
+	{
+		tc::InvalidOperationException(kClassName+"::read()", "Invalid block number (underflow error)");
+	}
+
+	// allocate memory for partial block
+	tc::ByteData partial_block = tc::ByteData(sizeof(block_t));
+
+	// read un-aligned begin block
+	if (read_partial_begin_block)
+	{	
+		// read block
+		this->seek(blockIndexToOffset(partial_begin_block_index), tc::io::SeekOrigin::Begin);
+		mBaseStream->read(partial_block.data(), partial_block.size());
+		
+		// decrypt block
+		mCryptor->decrypt(partial_block.data(), partial_block.data(), partial_block.size(), partial_begin_block_index);
+
+		// copy out block carving
+		memcpy(ptr + data_read_count, partial_block.data() + partial_begin_block_offset, partial_begin_block_size);
+
+		// increment data read count
+		data_read_count += partial_begin_block_size;
+	}
+
+	// read continous blocks
+	if (continuous_block_num > 0)
+	{
+		// read blocks
+		this->seek(blockIndexToOffset(continuous_begin_block_index), tc::io::SeekOrigin::Begin);
+		mBaseStream->read(ptr + data_read_count, continuous_block_num * sizeof(block_t));
+		
+		// decrypt blocks
+		mCryptor->decrypt(ptr + data_read_count, ptr + data_read_count, continuous_block_num * sizeof(block_t), continuous_begin_block_index);
+
+		// increment data read count
+		data_read_count += continuous_block_num * sizeof(block_t);
+	}
+	
+	// read un-aligned end block
+	if (read_partial_end_block)
+	{
+		// read block
+		this->seek(blockIndexToOffset(partial_end_block_index), tc::io::SeekOrigin::Begin);
+		mBaseStream->read(partial_block.data(), partial_block.size());
+
+		// decrypt block
+		mCryptor->decrypt(partial_block.data(), partial_block.data(), partial_block.size(), partial_end_block_index);
+
+		// copy out block carving
+		memcpy(ptr + data_read_count, partial_block.data() + partial_end_block_offset, partial_end_block_size);
+
+		// increment
+		data_read_count += partial_end_block_size;
+	}
+
+	// restore expected logical position
+	this->seek(begin_read_offset + tc::io::IOUtil::castSizeToInt64(data_read_count), tc::io::SeekOrigin::Begin);
+
+	// return data read count
+	return data_read_count;
+}
+
+size_t tc::crypto::Aes128CtrEncryptedStream::write(const byte_t* ptr, size_t count)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::write()", "Failed to set stream position (stream is disposed)");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::write()", "write is not implemented for Aes128CtrEncryptedStream");
+}
+
+int64_t tc::crypto::Aes128CtrEncryptedStream::seek(int64_t offset, tc::io::SeekOrigin origin)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::seek()", "Failed to set stream position (stream is disposed)");
+	}
+
+	return mBaseStream->seek(offset, origin);
+}
+
+void tc::crypto::Aes128CtrEncryptedStream::setLength(int64_t length)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::setLength()", "Failed to set stream length (stream is disposed)");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::setLength()", "setLength is not implemented for Aes128CtrEncryptedStream");
+}
+
+void tc::crypto::Aes128CtrEncryptedStream::flush()
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::seek()", "Failed to flush stream (stream is disposed)");
+	}
+
+	mBaseStream->flush();
+}
+
+void tc::crypto::Aes128CtrEncryptedStream::dispose()
+{
+	if (mBaseStream != nullptr)
+	{
+		// dispose base stream
+		mBaseStream->dispose();
+
+		// release ptr
+		mBaseStream.reset();
+	}
+	if (mCryptor != nullptr)
+		mCryptor.reset();
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptor.cpp
new file mode 100644
index 00000000..c83240e7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes128CtrEncryptor.cpp
@@ -0,0 +1,24 @@
+#include <tc/crypto/Aes128CtrEncryptor.h>
+
+void tc::crypto::EncryptAes128Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes128CtrEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.encrypt(dst, src, size, block_number);
+}
+
+void tc::crypto::DecryptAes128Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes128CtrEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.decrypt(dst, src, size, block_number);
+}
+
+void tc::crypto::IncrementCounterAes128Ctr(byte_t* counter, uint64_t incr)
+{
+	if (counter == nullptr)
+	{
+		throw tc::ArgumentOutOfRangeException("counter was null.");
+	}
+	tc::crypto::detail::incr_counter<16>(counter, incr);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes128EcbEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes128EcbEncryptor.cpp
new file mode 100644
index 00000000..42c164e1
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes128EcbEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes128EcbEncryptor.h>
+
+void tc::crypto::EncryptAes128Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::Aes128EcbEncryptor crypt;
+	crypt.initialize(key, key_size);
+	crypt.encrypt(dst, src, size);
+}
+
+void tc::crypto::DecryptAes128Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::Aes128EcbEncryptor crypt;
+	crypt.initialize(key, key_size);
+	crypt.decrypt(dst, src, size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes128XtsEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes128XtsEncryptor.cpp
new file mode 100644
index 00000000..c69d7a07
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes128XtsEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes128XtsEncryptor.h>
+
+void tc::crypto::EncryptAes128Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order)
+{
+	tc::crypto::Aes128XtsEncryptor crypt;
+	crypt.initialize(key1, key1_size, key2, key2_size, sector_size, tweak_word_order);
+	crypt.encrypt(dst, src, size, sector_number);
+}
+
+void tc::crypto::DecryptAes128Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order)
+{
+	tc::crypto::Aes128XtsEncryptor crypt;
+	crypt.initialize(key1, key1_size, key2, key2_size, sector_size, tweak_word_order);
+	crypt.decrypt(dst, src, size, sector_number);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes192CbcEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes192CbcEncryptor.cpp
new file mode 100644
index 00000000..e0a30117
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes192CbcEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes192CbcEncryptor.h>
+
+void tc::crypto::EncryptAes192Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes192CbcEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.encrypt(dst, src, size);
+}
+
+void tc::crypto::DecryptAes192Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes192CbcEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.decrypt(dst, src, size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes192CtrEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes192CtrEncryptor.cpp
new file mode 100644
index 00000000..f1b7f99d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes192CtrEncryptor.cpp
@@ -0,0 +1,24 @@
+#include <tc/crypto/Aes192CtrEncryptor.h>
+
+void tc::crypto::EncryptAes192Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes192CtrEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.encrypt(dst, src, size, block_number);
+}
+
+void tc::crypto::DecryptAes192Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes192CtrEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.decrypt(dst, src, size, block_number);
+}
+
+void tc::crypto::IncrementCounterAes192Ctr(byte_t* counter, uint64_t incr)
+{
+	if (counter == nullptr)
+	{
+		throw tc::ArgumentOutOfRangeException("counter was null.");
+	}
+	tc::crypto::detail::incr_counter<16>(counter, incr);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes192EcbEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes192EcbEncryptor.cpp
new file mode 100644
index 00000000..e9182967
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes192EcbEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes192EcbEncryptor.h>
+
+void tc::crypto::EncryptAes192Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::Aes192EcbEncryptor crypt;
+	crypt.initialize(key, key_size);
+	crypt.encrypt(dst, src, size);
+}
+
+void tc::crypto::DecryptAes192Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::Aes192EcbEncryptor crypt;
+	crypt.initialize(key, key_size);
+	crypt.decrypt(dst, src, size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes256CbcEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes256CbcEncryptor.cpp
new file mode 100644
index 00000000..5548b6fb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes256CbcEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes256CbcEncryptor.h>
+
+void tc::crypto::EncryptAes256Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes256CbcEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.encrypt(dst, src, size);
+}
+
+void tc::crypto::DecryptAes256Cbc(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes256CbcEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.decrypt(dst, src, size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes256CtrEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes256CtrEncryptor.cpp
new file mode 100644
index 00000000..4f02c055
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes256CtrEncryptor.cpp
@@ -0,0 +1,24 @@
+#include <tc/crypto/Aes256CtrEncryptor.h>
+
+void tc::crypto::EncryptAes256Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes256CtrEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.encrypt(dst, src, size, block_number);
+}
+
+void tc::crypto::DecryptAes256Ctr(byte_t* dst, const byte_t* src, size_t size, uint64_t block_number, const byte_t* key, size_t key_size, const byte_t* iv, size_t iv_size)
+{
+	tc::crypto::Aes256CtrEncryptor crypt;
+	crypt.initialize(key, key_size, iv, iv_size);
+	crypt.decrypt(dst, src, size, block_number);
+}
+
+void tc::crypto::IncrementCounterAes256Ctr(byte_t* counter, uint64_t incr)
+{
+	if (counter == nullptr)
+	{
+		throw tc::ArgumentOutOfRangeException("counter was null.");
+	}
+	tc::crypto::detail::incr_counter<16>(counter, incr);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes256EcbEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes256EcbEncryptor.cpp
new file mode 100644
index 00000000..479f5ac8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes256EcbEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes256EcbEncryptor.h>
+
+void tc::crypto::EncryptAes256Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::Aes256EcbEncryptor crypt;
+	crypt.initialize(key, key_size);
+	crypt.encrypt(dst, src, size);
+}
+
+void tc::crypto::DecryptAes256Ecb(byte_t* dst, const byte_t* src, size_t size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::Aes256EcbEncryptor crypt;
+	crypt.initialize(key, key_size);
+	crypt.decrypt(dst, src, size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Aes256XtsEncryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/Aes256XtsEncryptor.cpp
new file mode 100644
index 00000000..6e2b597d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Aes256XtsEncryptor.cpp
@@ -0,0 +1,15 @@
+#include <tc/crypto/Aes256XtsEncryptor.h>
+
+void tc::crypto::EncryptAes256Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order)
+{
+	tc::crypto::Aes256XtsEncryptor crypt;
+	crypt.initialize(key1, key1_size, key2, key2_size, sector_size, tweak_word_order);
+	crypt.encrypt(dst, src, size, sector_number);
+}
+
+void tc::crypto::DecryptAes256Xts(byte_t* dst, const byte_t* src, size_t size, uint64_t sector_number, const byte_t* key1, size_t key1_size, const byte_t* key2, size_t key2_size, size_t sector_size, bool tweak_word_order)
+{
+	tc::crypto::Aes256XtsEncryptor crypt;
+	crypt.initialize(key1, key1_size, key2, key2_size, sector_size, tweak_word_order);
+	crypt.decrypt(dst, src, size, sector_number);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/HmacMd5Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/HmacMd5Generator.cpp
new file mode 100644
index 00000000..199c64db
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/HmacMd5Generator.cpp
@@ -0,0 +1,9 @@
+#include <tc/crypto/HmacMd5Generator.h>
+
+void tc::crypto::GenerateHmacMd5Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::HmacMd5Generator impl;
+	impl.initialize(key, key_size);
+	impl.update(data, data_size);
+	impl.getMac(mac);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/HmacSha1Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/HmacSha1Generator.cpp
new file mode 100644
index 00000000..c482f8c5
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/HmacSha1Generator.cpp
@@ -0,0 +1,9 @@
+#include <tc/crypto/HmacSha1Generator.h>
+
+void tc::crypto::GenerateHmacSha1Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::HmacSha1Generator impl;
+	impl.initialize(key, key_size);
+	impl.update(data, data_size);
+	impl.getMac(mac);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/HmacSha256Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/HmacSha256Generator.cpp
new file mode 100644
index 00000000..9249ab71
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/HmacSha256Generator.cpp
@@ -0,0 +1,9 @@
+#include <tc/crypto/HmacSha256Generator.h>
+
+void tc::crypto::GenerateHmacSha256Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::HmacSha256Generator impl;
+	impl.initialize(key, key_size);
+	impl.update(data, data_size);
+	impl.getMac(mac);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/HmacSha512Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/HmacSha512Generator.cpp
new file mode 100644
index 00000000..df06e012
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/HmacSha512Generator.cpp
@@ -0,0 +1,9 @@
+#include <tc/crypto/HmacSha512Generator.h>
+
+void tc::crypto::GenerateHmacSha512Mac(byte_t* mac, const byte_t* data, size_t data_size, const byte_t* key, size_t key_size)
+{
+	tc::crypto::HmacSha512Generator impl;
+	impl.initialize(key, key_size);
+	impl.update(data, data_size);
+	impl.getMac(mac);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Md5Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/Md5Generator.cpp
new file mode 100644
index 00000000..376c7cd3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Md5Generator.cpp
@@ -0,0 +1,11 @@
+#include <tc/crypto/Md5Generator.h>
+
+const std::array<byte_t, tc::crypto::Md5Generator::kAsn1OidDataSize> tc::crypto::Md5Generator::kAsn1OidData = {0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
+
+void tc::crypto::GenerateMd5Hash(byte_t* hash, const byte_t* data, size_t data_size)
+{
+	tc::crypto::Md5Generator impl;
+	impl.initialize();
+	impl.update(data, data_size);
+	impl.getHash(hash);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Md5KeyDeriver.cpp b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Md5KeyDeriver.cpp
new file mode 100644
index 00000000..bc65c5e7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Md5KeyDeriver.cpp
@@ -0,0 +1,8 @@
+#include <tc/crypto/Pbkdf1Md5KeyDeriver.h>
+
+void tc::crypto::DeriveKeyPbkdf1Md5(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+{
+	tc::crypto::Pbkdf1Md5KeyDeriver impl;
+	impl.initialize(password, password_size, salt, salt_size, n_rounds);
+	impl.getBytes(key, key_size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Sha1KeyDeriver.cpp b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Sha1KeyDeriver.cpp
new file mode 100644
index 00000000..05cfa511
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf1Sha1KeyDeriver.cpp
@@ -0,0 +1,8 @@
+#include <tc/crypto/Pbkdf1Sha1KeyDeriver.h>
+
+void tc::crypto::DeriveKeyPbkdf1Sha1(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+{
+	tc::crypto::Pbkdf1Sha1KeyDeriver impl;
+	impl.initialize(password, password_size, salt, salt_size, n_rounds);
+	impl.getBytes(key, key_size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha1KeyDeriver.cpp b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha1KeyDeriver.cpp
new file mode 100644
index 00000000..06d328fd
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha1KeyDeriver.cpp
@@ -0,0 +1,8 @@
+#include <tc/crypto/Pbkdf2Sha1KeyDeriver.h>
+
+void tc::crypto::DeriveKeyPbkdf2Sha1(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+{
+	tc::crypto::Pbkdf2Sha1KeyDeriver impl;
+	impl.initialize(password, password_size, salt, salt_size, n_rounds);
+	impl.getBytes(key, key_size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha256KeyDeriver.cpp b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha256KeyDeriver.cpp
new file mode 100644
index 00000000..647c50ed
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha256KeyDeriver.cpp
@@ -0,0 +1,8 @@
+#include <tc/crypto/Pbkdf2Sha256KeyDeriver.h>
+
+void tc::crypto::DeriveKeyPbkdf2Sha256(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+{
+	tc::crypto::Pbkdf2Sha256KeyDeriver impl;
+	impl.initialize(password, password_size, salt, salt_size, n_rounds);
+	impl.getBytes(key, key_size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha512KeyDeriver.cpp b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha512KeyDeriver.cpp
new file mode 100644
index 00000000..4efcf214
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Pbkdf2Sha512KeyDeriver.cpp
@@ -0,0 +1,8 @@
+#include <tc/crypto/Pbkdf2Sha512KeyDeriver.h>
+
+void tc::crypto::DeriveKeyPbkdf2Sha512(byte_t* key, size_t key_size, const byte_t* password, size_t password_size, const byte_t* salt, size_t salt_size, size_t n_rounds)
+{
+	tc::crypto::Pbkdf2Sha512KeyDeriver impl;
+	impl.initialize(password, password_size, salt, salt_size, n_rounds);
+	impl.getBytes(key, key_size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/PseudoRandomByteGenerator.cpp b/ctrtool/deps/libtoolchain/src/crypto/PseudoRandomByteGenerator.cpp
new file mode 100644
index 00000000..397c0e26
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/PseudoRandomByteGenerator.cpp
@@ -0,0 +1,7 @@
+#include <tc/crypto/PseudoRandomByteGenerator.h>
+
+void tc::crypto::GeneratePseudoRandomBytes(byte_t* data, size_t data_size)
+{
+	tc::crypto::PseudoRandomByteGenerator impl;
+	impl.getBytes(data, data_size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaKey.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaKey.cpp
new file mode 100644
index 00000000..188c682e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaKey.cpp
@@ -0,0 +1,29 @@
+#include <tc/crypto/RsaKey.h>
+
+tc::crypto::RsaPublicKey::RsaPublicKey(const byte_t* modulus, size_t modulus_size)
+{
+	static const byte_t kPublicExponent[3] = { 0x01, 0x00, 0x01 };
+
+	if (modulus != nullptr && modulus_size != 0)
+	{
+		this->n = tc::ByteData(modulus, modulus_size);
+		this->e = tc::ByteData(kPublicExponent, sizeof(kPublicExponent));
+	}
+}
+
+tc::crypto::RsaPrivateKey::RsaPrivateKey(const byte_t* modulus, size_t modulus_size, const byte_t* private_exponent, size_t private_exponent_size)
+{
+	static const byte_t kPublicExponent[3] = { 0x01, 0x00, 0x01 };
+
+	if (modulus != nullptr && modulus_size != 0 && private_exponent != nullptr && private_exponent_size != 0)
+	{
+		this->n = tc::ByteData(modulus, modulus_size);
+		this->d = tc::ByteData(private_exponent, private_exponent_size);
+		this->e = tc::ByteData(kPublicExponent, sizeof(kPublicExponent));
+	}
+}
+
+tc::crypto::RsaKey tc::crypto::RsaPrivateKey::getPublicKey()
+{
+	return RsaPublicKey(this->n.data(), this->n.size());
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaKeyGenerator.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaKeyGenerator.cpp
new file mode 100644
index 00000000..151a23ce
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaKeyGenerator.cpp
@@ -0,0 +1,7 @@
+#include <tc/crypto/RsaKeyGenerator.h>
+
+void tc::crypto::GenerateRsaKey(RsaKey& key, size_t key_bit_size)
+{
+	tc::crypto::RsaKeyGenerator impl;
+	impl.generateKey(key, key_bit_size);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha256Encryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha256Encryptor.cpp
new file mode 100644
index 00000000..b702411c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha256Encryptor.cpp
@@ -0,0 +1,43 @@
+#include <tc/crypto/RsaOaepSha256Encryptor.h>
+
+bool tc::crypto::EncryptRsa1024OaepSha256(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa1024OaepSha256Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.encrypt(block, message, message_size);
+}
+
+bool tc::crypto::DecryptRsa1024OaepSha256(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa1024OaepSha256Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.decrypt(message, message_size, message_capacity, block);
+}
+
+bool tc::crypto::EncryptRsa2048OaepSha256(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa2048OaepSha256Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.encrypt(block, message, message_size);
+}
+
+bool tc::crypto::DecryptRsa2048OaepSha256(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa2048OaepSha256Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.decrypt(message, message_size, message_capacity, block);
+}
+
+bool tc::crypto::EncryptRsa4096OaepSha256(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa4096OaepSha256Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.encrypt(block, message, message_size);
+}
+
+bool tc::crypto::DecryptRsa4096OaepSha256(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa4096OaepSha256Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.decrypt(message, message_size, message_capacity, block);
+}
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha512Encryptor.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha512Encryptor.cpp
new file mode 100644
index 00000000..0994a9a8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaOaepSha512Encryptor.cpp
@@ -0,0 +1,29 @@
+#include <tc/crypto/RsaOaepSha512Encryptor.h>
+
+bool tc::crypto::EncryptRsa2048OaepSha512(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa2048OaepSha512Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.encrypt(block, message, message_size);
+}
+
+bool tc::crypto::DecryptRsa2048OaepSha512(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa2048OaepSha512Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.decrypt(message, message_size, message_capacity, block);
+}
+
+bool tc::crypto::EncryptRsa4096OaepSha512(byte_t* block, const byte_t* message, size_t message_size, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa4096OaepSha512Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.encrypt(block, message, message_size);
+}
+
+bool tc::crypto::DecryptRsa4096OaepSha512(byte_t* message, size_t& message_size, size_t message_capacity, const byte_t* block, const RsaKey& key, const byte_t* label, size_t label_size, bool isLabelDigested)
+{
+	tc::crypto::Rsa4096OaepSha512Encryptor impl;
+	impl.initialize(key, label, label_size, isLabelDigested);
+	return impl.decrypt(message, message_size, message_capacity, block);
+}
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Md5Signer.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Md5Signer.cpp
new file mode 100644
index 00000000..e421e9fd
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Md5Signer.cpp
@@ -0,0 +1,43 @@
+#include <tc/crypto/RsaPkcs1Md5Signer.h>
+
+bool tc::crypto::SignRsa1024Pkcs1Md5(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Md5Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa1024Pkcs1Md5(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Md5Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa2048Pkcs1Md5(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Md5Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa2048Pkcs1Md5(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Md5Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa4096Pkcs1Md5(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Md5Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa4096Pkcs1Md5(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Md5Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha1Signer.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha1Signer.cpp
new file mode 100644
index 00000000..11a2e5bb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha1Signer.cpp
@@ -0,0 +1,43 @@
+#include <tc/crypto/RsaPkcs1Sha1Signer.h>
+
+bool tc::crypto::SignRsa1024Pkcs1Sha1(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Sha1Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa1024Pkcs1Sha1(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Sha1Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa2048Pkcs1Sha1(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Sha1Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa2048Pkcs1Sha1(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Sha1Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa4096Pkcs1Sha1(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Sha1Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa4096Pkcs1Sha1(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Sha1Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha256Signer.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha256Signer.cpp
new file mode 100644
index 00000000..51adfd0a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha256Signer.cpp
@@ -0,0 +1,43 @@
+#include <tc/crypto/RsaPkcs1Sha256Signer.h>
+
+bool tc::crypto::SignRsa1024Pkcs1Sha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Sha256Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa1024Pkcs1Sha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Sha256Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa2048Pkcs1Sha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Sha256Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa2048Pkcs1Sha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Sha256Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa4096Pkcs1Sha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Sha256Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa4096Pkcs1Sha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Sha256Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha512Signer.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha512Signer.cpp
new file mode 100644
index 00000000..ed0185cf
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaPkcs1Sha512Signer.cpp
@@ -0,0 +1,43 @@
+#include <tc/crypto/RsaPkcs1Sha512Signer.h>
+
+bool tc::crypto::SignRsa1024Pkcs1Sha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Sha512Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa1024Pkcs1Sha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024Pkcs1Sha512Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa2048Pkcs1Sha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Sha512Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa2048Pkcs1Sha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048Pkcs1Sha512Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa4096Pkcs1Sha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Sha512Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa4096Pkcs1Sha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096Pkcs1Sha512Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaPssSha256Signer.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaPssSha256Signer.cpp
new file mode 100644
index 00000000..a7cacf27
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaPssSha256Signer.cpp
@@ -0,0 +1,43 @@
+#include <tc/crypto/RsaPssSha256Signer.h>
+
+bool tc::crypto::SignRsa1024PssSha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024PssSha256Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa1024PssSha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024PssSha256Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa2048PssSha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048PssSha256Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa2048PssSha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048PssSha256Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa4096PssSha256(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096PssSha256Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa4096PssSha256(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096PssSha256Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/RsaPssSha512Signer.cpp b/ctrtool/deps/libtoolchain/src/crypto/RsaPssSha512Signer.cpp
new file mode 100644
index 00000000..805c3477
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/RsaPssSha512Signer.cpp
@@ -0,0 +1,43 @@
+#include <tc/crypto/RsaPssSha512Signer.h>
+
+bool tc::crypto::SignRsa1024PssSha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024PssSha512Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa1024PssSha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa1024PssSha512Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa2048PssSha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048PssSha512Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa2048PssSha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa2048PssSha512Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
+
+bool tc::crypto::SignRsa4096PssSha512(byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096PssSha512Signer impl;
+	impl.initialize(key);
+	return impl.sign(signature, message_digest);
+}
+
+bool tc::crypto::VerifyRsa4096PssSha512(const byte_t* signature, const byte_t* message_digest, const RsaKey& key)
+{
+	tc::crypto::Rsa4096PssSha512Signer impl;
+	impl.initialize(key);
+	return impl.verify(signature, message_digest);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Sha1Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/Sha1Generator.cpp
new file mode 100644
index 00000000..812d14b2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Sha1Generator.cpp
@@ -0,0 +1,12 @@
+#include <tc/crypto/Sha1Generator.h>
+
+const std::array<byte_t, tc::crypto::Sha1Generator::kAsn1OidDataSize> tc::crypto::Sha1Generator::kAsn1OidData = {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14};
+
+
+void tc::crypto::GenerateSha1Hash(byte_t* hash, const byte_t* data, size_t data_size)
+{
+	tc::crypto::Sha1Generator impl;
+	impl.initialize();
+	impl.update(data, data_size);
+	impl.getHash(hash);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Sha256Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/Sha256Generator.cpp
new file mode 100644
index 00000000..ff5f316a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Sha256Generator.cpp
@@ -0,0 +1,11 @@
+#include <tc/crypto/Sha256Generator.h>
+
+const std::array<byte_t, tc::crypto::Sha256Generator::kAsn1OidDataSize> tc::crypto::Sha256Generator::kAsn1OidData = {0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
+
+void tc::crypto::GenerateSha256Hash(byte_t* hash, const byte_t* data, size_t data_size)
+{
+	tc::crypto::Sha256Generator impl;
+	impl.initialize();
+	impl.update(data, data_size);
+	impl.getHash(hash);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/Sha512Generator.cpp b/ctrtool/deps/libtoolchain/src/crypto/Sha512Generator.cpp
new file mode 100644
index 00000000..ea33ee43
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/Sha512Generator.cpp
@@ -0,0 +1,11 @@
+#include <tc/crypto/Sha512Generator.h>
+
+const std::array<byte_t, tc::crypto::Sha512Generator::kAsn1OidDataSize> tc::crypto::Sha512Generator::kAsn1OidData = {0x30, 0x51, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
+
+void tc::crypto::GenerateSha512Hash(byte_t* hash, const byte_t* data, size_t data_size)
+{
+	tc::crypto::Sha512Generator impl;
+	impl.initialize();
+	impl.update(data, data_size);
+	impl.getHash(hash);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/detail/AesImpl.cpp b/ctrtool/deps/libtoolchain/src/crypto/detail/AesImpl.cpp
new file mode 100644
index 00000000..e7f1fee5
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/detail/AesImpl.cpp
@@ -0,0 +1,51 @@
+#include <tc/crypto/detail/AesImpl.h>
+#include <mbedtls/aes.h>
+
+struct tc::crypto::detail::AesImpl::ImplCtx
+{
+	mbedtls_aes_context mEncContext;
+	mbedtls_aes_context mDecContext;
+};
+
+tc::crypto::detail::AesImpl::AesImpl() :
+	mState(State::None),
+	mImplCtx(new ImplCtx())
+{
+	mbedtls_aes_init(&(mImplCtx->mEncContext));
+	mbedtls_aes_init(&(mImplCtx->mDecContext));
+}
+
+tc::crypto::detail::AesImpl::~AesImpl()
+{
+	mbedtls_aes_free(&(mImplCtx->mEncContext));
+	mbedtls_aes_free(&(mImplCtx->mDecContext));
+}
+
+void tc::crypto::detail::AesImpl::initialize(const byte_t* key, size_t key_size)
+{
+	if (key == nullptr) { throw tc::ArgumentNullException("AesImpl::initialize()", "key was null."); }
+	if (key_size != 16 && key_size != 24 && key_size != 32) { throw tc::ArgumentOutOfRangeException("AesImpl::initialize()", "key_size did not equal 16, 24 or 32."); }
+
+	mbedtls_aes_setkey_enc(&(mImplCtx->mEncContext), key, uint32_t(key_size) * 8);
+	mbedtls_aes_setkey_dec(&(mImplCtx->mDecContext), key, uint32_t(key_size) * 8);
+
+	mState = State::Initialized;
+}
+
+void tc::crypto::detail::AesImpl::encrypt(byte_t* dst, const byte_t* src)
+{
+	if (mState != State::Initialized) { return; }
+	if (dst == nullptr) { throw tc::ArgumentNullException("AesImpl::encrypt()", "dst was null."); }
+	if (src == nullptr) { throw tc::ArgumentNullException("AesImpl::encrypt()", "src was null."); }
+
+	mbedtls_aes_crypt_ecb(&(mImplCtx->mEncContext), MBEDTLS_AES_ENCRYPT, src, dst);
+}
+
+void tc::crypto::detail::AesImpl::decrypt(byte_t* dst, const byte_t* src)
+{
+	if (mState != State::Initialized) { return; }
+	if (dst == nullptr) { throw tc::ArgumentNullException("AesImpl::decrypt()", "dst was null."); }
+	if (src == nullptr) { throw tc::ArgumentNullException("AesImpl::decrypt()", "src was null."); }
+
+	mbedtls_aes_crypt_ecb(&(mImplCtx->mDecContext), MBEDTLS_AES_DECRYPT, src, dst);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/detail/Md5Impl.cpp b/ctrtool/deps/libtoolchain/src/crypto/detail/Md5Impl.cpp
new file mode 100644
index 00000000..e6f826fb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/detail/Md5Impl.cpp
@@ -0,0 +1,44 @@
+#include <tc/crypto/detail/Md5Impl.h>
+#include <mbedtls/md.h>
+
+struct tc::crypto::detail::Md5Impl::ImplCtx
+{
+	mbedtls_md_context_t mMdContext;
+};
+
+tc::crypto::detail::Md5Impl::Md5Impl() :
+	mState(State::None),
+	mImplCtx(new ImplCtx())
+{
+	mbedtls_md_init(&(mImplCtx->mMdContext));
+	mbedtls_md_setup(&(mImplCtx->mMdContext), mbedtls_md_info_from_type(MBEDTLS_MD_MD5), 0);
+}
+
+tc::crypto::detail::Md5Impl::~Md5Impl()
+{
+	mbedtls_md_free(&(mImplCtx->mMdContext));
+}
+
+void tc::crypto::detail::Md5Impl::initialize()
+{
+	mbedtls_md_starts(&(mImplCtx->mMdContext));
+	mState = State::Initialized;
+}
+
+void tc::crypto::detail::Md5Impl::update(const byte_t* src, size_t src_size)
+{
+	mbedtls_md_update(&(mImplCtx->mMdContext), src, src_size);
+}
+
+void tc::crypto::detail::Md5Impl::getHash(byte_t* hash)
+{
+	if (mState == State::Initialized)
+	{
+		mbedtls_md_finish(&(mImplCtx->mMdContext), mHash.data());
+		mState = State::Done;
+	}
+	if (mState == State::Done)
+	{
+		memcpy(hash, mHash.data(), mHash.size());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/detail/PrbgImpl.cpp b/ctrtool/deps/libtoolchain/src/crypto/detail/PrbgImpl.cpp
new file mode 100644
index 00000000..02a71bfa
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/detail/PrbgImpl.cpp
@@ -0,0 +1,50 @@
+#include <tc/crypto/detail/PrbgImpl.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/ctr_drbg.h>
+
+const std::string tc::crypto::detail::PrbgImpl::kClassName = "tc::crypto::detail::PrbgImpl";
+
+struct tc::crypto::detail::PrbgImpl::ImplCtx
+{
+	mbedtls_ctr_drbg_context ctr_drbg;
+    mbedtls_entropy_context entropy;
+};
+
+tc::crypto::detail::PrbgImpl::PrbgImpl() :
+	mImplCtx(new ImplCtx())
+{
+	mbedtls_ctr_drbg_init(&(mImplCtx->ctr_drbg));
+	mbedtls_entropy_init(&(mImplCtx->entropy));
+	int ret = mbedtls_ctr_drbg_seed(&(mImplCtx->ctr_drbg), mbedtls_entropy_func, &(mImplCtx->entropy), (const unsigned char *)kClassName.c_str(), kClassName.size());
+	switch (ret)
+	{
+		case (0):
+			break;
+		case (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED):
+			throw tc::crypto::CryptoException(kClassName, "Entropy source failed");
+		default:
+			throw tc::crypto::CryptoException(kClassName, "An unexpected error occurred");
+	}
+}
+
+tc::crypto::detail::PrbgImpl::~PrbgImpl()
+{
+	mbedtls_ctr_drbg_free(&(mImplCtx->ctr_drbg));
+	mbedtls_entropy_free(&(mImplCtx->entropy));
+}
+
+void tc::crypto::detail::PrbgImpl::getBytes(byte_t* data, size_t data_size)
+{
+	int ret = mbedtls_ctr_drbg_random(&(mImplCtx->ctr_drbg), data, data_size);
+	switch (ret)
+	{
+		case (0):
+			break;
+		case (MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG):
+			throw tc::crypto::CryptoException(kClassName, "Request too big");
+		case (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED):
+			throw tc::crypto::CryptoException(kClassName, "Entropy source failed");
+		default:
+			throw tc::crypto::CryptoException(kClassName, "An unexpected error occurred");
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/detail/RsaImpl.cpp b/ctrtool/deps/libtoolchain/src/crypto/detail/RsaImpl.cpp
new file mode 100644
index 00000000..037d98fe
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/detail/RsaImpl.cpp
@@ -0,0 +1,140 @@
+#include <tc/crypto/detail/RsaImpl.h>
+#include <mbedtls/rsa.h>
+
+struct tc::crypto::detail::RsaImpl::ImplCtx
+{
+	mbedtls_rsa_context mContext;
+};
+
+tc::crypto::detail::RsaImpl::RsaImpl() :
+	mState(State::None),
+	mImplCtx(new ImplCtx())
+{
+	mbedtls_rsa_init(&(mImplCtx->mContext), MBEDTLS_RSA_PKCS_V15, 0);
+}
+
+tc::crypto::detail::RsaImpl::~RsaImpl()
+{
+	mbedtls_rsa_free(&(mImplCtx->mContext));
+}
+
+void tc::crypto::detail::RsaImpl::initialize(size_t key_bit_size, const byte_t* n, size_t n_size, const byte_t* p, size_t p_size, const byte_t* q, size_t q_size, const byte_t* d, size_t d_size, const byte_t* e, size_t e_size)
+{
+	if ((key_bit_size % 8) != 0) { throw tc::ArgumentOutOfRangeException("RsaImpl::initialize()", "key_bit_size was not a multiple of 8 bits."); }
+	if (n == nullptr && n_size != 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "n was null when n_size was not 0."); }
+	if (p == nullptr && p_size != 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "p was null when p_size was not 0."); }
+	if (q == nullptr && q_size != 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "q was null when q_size was not 0."); }
+	if (d == nullptr && d_size != 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "d was null when d_size was not 0."); }
+	if (e == nullptr && e_size != 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "e was null when e_size was not 0."); }
+	if (n != nullptr && n_size == 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "n was not null but n_size was 0."); }
+	if (p != nullptr && p_size == 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "p was not null but p_size was 0."); }
+	if (q != nullptr && q_size == 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "q was not null but q_size was 0."); }
+	if (d != nullptr && d_size == 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "d was not null but d_size was 0."); }
+	if (e != nullptr && e_size == 0) { throw tc::ArgumentNullException("RsaImpl::initialize()", "e was not null but e_size was 0."); }
+	if (n_size > 0 && n_size != (key_bit_size/8)) { throw tc::ArgumentNullException("RsaImpl::initialize()", "n_size was non-zero but not expected size."); }
+	if (p_size > 0 && p_size != (key_bit_size/8)/2) { throw tc::ArgumentNullException("RsaImpl::initialize()", "p_size was non-zero but not expected size."); }
+	if (q_size > 0 && q_size != (key_bit_size/8)/2) { throw tc::ArgumentNullException("RsaImpl::initialize()", "q_size was non-zero but not expected size."); }
+	if (d_size > 0 && d_size != (key_bit_size/8)) { throw tc::ArgumentNullException("RsaImpl::initialize()", "d_size was non-zero but not expected size."); }
+	if (e_size > 0 && e_size != 3 && e_size != 4) { throw tc::ArgumentNullException("RsaImpl::initialize()", "e_size was non-zero but not expected size."); }
+
+	mImplCtx->mContext.len = key_bit_size / 8;
+
+	int ret = mbedtls_rsa_import_raw(&(mImplCtx->mContext), n, n_size, p, p_size, q, q_size, d, d_size, e, e_size);
+
+	// TODO: Confirm these error codes
+	if (ret != 0)
+	{
+		if (ret < MBEDTLS_ERR_RSA_BAD_INPUT_DATA) { throw tc::crypto::CryptoException("RsaImpl::initialize()", "Bad input parameters to function."); }
+		else { throw tc::crypto::CryptoException("RsaImpl::initialize()", "An unexpected error occurred."); }
+	}
+
+	mState = State::Initialized;
+}
+
+void tc::crypto::detail::RsaImpl::publicTransform(byte_t* dst, const byte_t* src)
+{
+	if (mState != State::Initialized) { return; }
+	if (dst == nullptr) { throw tc::ArgumentNullException("RsaImpl::publicTransform()", "dst was null."); }
+	if (src == nullptr) { throw tc::ArgumentNullException("RsaImpl::publicTransform()", "src was null."); }
+
+	int ret = mbedtls_rsa_public(&(mImplCtx->mContext), src, dst);
+	
+	switch (ret)
+	{
+		case (0):
+			break;
+		case (MBEDTLS_ERR_RSA_BAD_INPUT_DATA):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "Bad input parameters to function.");
+			break;
+		case (MBEDTLS_ERR_RSA_INVALID_PADDING):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "Input data contains invalid padding and is rejected.");
+			break;
+		case (MBEDTLS_ERR_RSA_KEY_GEN_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "Something failed during generation of a key.");
+			break;
+		case (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "Key failed to pass the validity check of the library.");
+			break;
+		case (MBEDTLS_ERR_RSA_PUBLIC_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "The public key operation failed.");
+			break;
+		case (MBEDTLS_ERR_RSA_PRIVATE_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "The private key operation failed.");
+			break;
+		case (MBEDTLS_ERR_RSA_VERIFY_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "The PKCS#1 verification failed.");
+			break;
+		case (MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "The output buffer for decryption is not large enough.");
+			break;
+		case (MBEDTLS_ERR_RSA_RNG_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "The random generator failed to generate non-zeros.");
+			break;
+		default:
+			throw tc::crypto::CryptoException("RsaImpl::publicTransform()", "An unexpected error occurred.");
+	} 
+}
+
+void tc::crypto::detail::RsaImpl::privateTransform(byte_t* dst, const byte_t* src)
+{
+	if (mState != State::Initialized) { return; }
+	if (dst == nullptr) { throw tc::ArgumentNullException("RsaImpl::privateTransform()", "dst was null."); }
+	if (src == nullptr) { throw tc::ArgumentNullException("RsaImpl::privateTransform()", "src was null."); }
+
+	int ret = mbedtls_rsa_private(&(mImplCtx->mContext), nullptr, nullptr, src, dst);
+
+	switch (ret)
+	{
+		case (0):
+			break;
+		case (MBEDTLS_ERR_RSA_BAD_INPUT_DATA):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "Bad input parameters to function.");
+			break;
+		case (MBEDTLS_ERR_RSA_INVALID_PADDING):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "Input data contains invalid padding and is rejected.");
+			break;
+		case (MBEDTLS_ERR_RSA_KEY_GEN_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "Something failed during generation of a key.");
+			break;
+		case (MBEDTLS_ERR_RSA_KEY_CHECK_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "Key failed to pass the validity check of the library.");
+			break;
+		case (MBEDTLS_ERR_RSA_PUBLIC_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "The public key operation failed.");
+			break;
+		case (MBEDTLS_ERR_RSA_PRIVATE_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "The private key operation failed.");
+			break;
+		case (MBEDTLS_ERR_RSA_VERIFY_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "The PKCS#1 verification failed.");
+			break;
+		case (MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "The output buffer for decryption is not large enough.");
+			break;
+		case (MBEDTLS_ERR_RSA_RNG_FAILED):
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "The random generator failed to generate non-zeros.");
+			break;
+		default:
+			throw tc::crypto::CryptoException("RsaImpl::privateTransform()", "An unexpected error occurred.");
+	} 
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/detail/RsaKeyGeneratorImpl.cpp b/ctrtool/deps/libtoolchain/src/crypto/detail/RsaKeyGeneratorImpl.cpp
new file mode 100644
index 00000000..373252c9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/detail/RsaKeyGeneratorImpl.cpp
@@ -0,0 +1,85 @@
+#include <tc/crypto/detail/RsaKeyGeneratorImpl.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+
+const std::string tc::crypto::detail::RsaKeyGeneratorImpl::kClassName = "tc::crypto::detail::RsaKeyGeneratorImpl";
+
+struct tc::crypto::detail::RsaKeyGeneratorImpl::ImplCtx
+{
+	mbedtls_rsa_context rsa;
+	mbedtls_ctr_drbg_context ctr_drbg;
+	mbedtls_entropy_context entropy;
+};
+
+tc::crypto::detail::RsaKeyGeneratorImpl::RsaKeyGeneratorImpl() :
+	mImplCtx(new ImplCtx())
+{
+	mbedtls_entropy_init( &(mImplCtx->entropy) );
+	mbedtls_ctr_drbg_init( &(mImplCtx->ctr_drbg) );
+	mbedtls_rsa_init( &(mImplCtx->rsa), 0, 0 );
+
+	int ret = mbedtls_ctr_drbg_seed(&(mImplCtx->ctr_drbg), mbedtls_entropy_func, &(mImplCtx->entropy), (const unsigned char *)kClassName.c_str(), kClassName.size());
+	switch (ret)
+	{
+		case (0):
+			break;
+		case (MBEDTLS_ERR_ENTROPY_SOURCE_FAILED):
+			throw tc::crypto::CryptoException(kClassName, "mbedtls_ctr_drbg_seed() Entropy source failed");
+		default:
+			throw tc::crypto::CryptoException(kClassName, "mbedtls_ctr_drbg_seed() An unexpected error occurred");
+	}
+}
+
+tc::crypto::detail::RsaKeyGeneratorImpl::~RsaKeyGeneratorImpl()
+{
+	mbedtls_rsa_free( &(mImplCtx->rsa) );
+	mbedtls_ctr_drbg_free( &(mImplCtx->ctr_drbg) );
+	mbedtls_entropy_free( &(mImplCtx->entropy) );
+}
+
+void tc::crypto::detail::RsaKeyGeneratorImpl::generateKey(size_t key_bit_size, byte_t* n, size_t n_size, byte_t* p, size_t p_size, byte_t* q, size_t q_size, byte_t* d, size_t d_size, byte_t* e, size_t e_size)
+{
+	if ((key_bit_size % 8) != 0) { throw tc::ArgumentOutOfRangeException(kClassName, "key_bit_size was not a multiple of 8 bits."); }
+	if (n != nullptr && n_size < (key_bit_size/8)) { throw tc::ArgumentNullException(kClassName, "n was not null, but n_size was not large enough"); }
+	if (p != nullptr && p_size < (key_bit_size/8)/2) { throw tc::ArgumentNullException(kClassName, "p was not null, but p_size was not large enough"); }
+	if (q != nullptr && q_size < (key_bit_size/8)/2) { throw tc::ArgumentNullException(kClassName, "q was not null, but q_size was not large enough"); }
+	if (d != nullptr && d_size < (key_bit_size/8)) { throw tc::ArgumentNullException(kClassName, "d was not null, but d_size was not large enough"); }
+	if (e != nullptr && e_size < 3) { throw tc::ArgumentNullException(kClassName, "e was not null, but e_size was not large enough"); }
+
+	int ret = 1;
+	
+	// generate key
+	ret = mbedtls_rsa_gen_key(&(mImplCtx->rsa), mbedtls_ctr_drbg_random, &(mImplCtx->ctr_drbg), uint32_t(key_bit_size), 0x10001);
+	switch (ret)
+	{
+		case (0):
+			break;
+		case (MBEDTLS_ERR_RSA_KEY_GEN_FAILED):
+			throw tc::crypto::CryptoException(kClassName, "mbedtls_rsa_gen_key() Something failed during generation of a key.");
+		case (MBEDTLS_ERR_RSA_RNG_FAILED):
+			throw tc::crypto::CryptoException(kClassName, "mbedtls_rsa_gen_key() The random generator failed to generate non-zeros.");
+		default:
+			throw tc::crypto::CryptoException(kClassName, "mbedtls_rsa_gen_key() An unexpected error occurred.");
+	}
+	
+	// export key from mbedtls context
+	ret = mbedtls_rsa_export_raw(&(mImplCtx->rsa), \
+		n, n_size, \
+		p, p_size, \
+		q, q_size, \
+		d, d_size, \
+		e, e_size \
+	);
+
+	switch (ret)
+	{
+		case (0):
+			break;
+		default:
+			throw tc::crypto::CryptoException(kClassName, "mbedtls_rsa_export_raw() An unexpected error occurred.");
+	}
+
+	// clear key from mbedtls context
+	mbedtls_rsa_init( &(mImplCtx->rsa), 0, 0 );
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/detail/Sha1Impl.cpp b/ctrtool/deps/libtoolchain/src/crypto/detail/Sha1Impl.cpp
new file mode 100644
index 00000000..d4c7e067
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/detail/Sha1Impl.cpp
@@ -0,0 +1,44 @@
+#include <tc/crypto/detail/Sha1Impl.h>
+#include <mbedtls/md.h>
+
+struct tc::crypto::detail::Sha1Impl::ImplCtx
+{
+	mbedtls_md_context_t mMdContext;
+};
+
+tc::crypto::detail::Sha1Impl::Sha1Impl() :
+	mState(State::None),
+	mImplCtx(new ImplCtx())
+{
+	mbedtls_md_init(&(mImplCtx->mMdContext));
+	mbedtls_md_setup(&(mImplCtx->mMdContext), mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), 0);
+}
+
+tc::crypto::detail::Sha1Impl::~Sha1Impl()
+{
+	mbedtls_md_free(&(mImplCtx->mMdContext));
+}
+
+void tc::crypto::detail::Sha1Impl::initialize()
+{
+	mbedtls_md_starts(&(mImplCtx->mMdContext));
+	mState = State::Initialized;
+}
+
+void tc::crypto::detail::Sha1Impl::update(const byte_t* src, size_t src_size)
+{
+	mbedtls_md_update(&(mImplCtx->mMdContext), src, src_size);
+}
+
+void tc::crypto::detail::Sha1Impl::getHash(byte_t* hash)
+{
+	if (mState == State::Initialized)
+	{
+		mbedtls_md_finish(&(mImplCtx->mMdContext), mHash.data());
+		mState = State::Done;
+	}
+	if (mState == State::Done)
+	{
+		memcpy(hash, mHash.data(), mHash.size());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/crypto/detail/Sha2Impl.cpp b/ctrtool/deps/libtoolchain/src/crypto/detail/Sha2Impl.cpp
new file mode 100644
index 00000000..166f9869
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/crypto/detail/Sha2Impl.cpp
@@ -0,0 +1,58 @@
+#include <tc/crypto/detail/Sha2Impl.h>
+#include <mbedtls/md.h>
+
+struct tc::crypto::detail::Sha2Impl::ImplCtx
+{
+	mbedtls_md_context_t mMdContext;
+};
+
+tc::crypto::detail::Sha2Impl::Sha2Impl(SHA2BitSize algo) :
+	mState(State::None),
+	mHashSize(0),
+	mImplCtx(new ImplCtx())
+{
+	mbedtls_md_init(&(mImplCtx->mMdContext));
+	switch(algo)
+	{
+		case (SHA2BitSize_256):
+			mHashSize = kSha2_256_HashSize;
+			mbedtls_md_setup(&(mImplCtx->mMdContext), mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
+			break;
+		case (SHA2BitSize_512):
+			mHashSize = kSha2_512_HashSize;
+			mbedtls_md_setup(&(mImplCtx->mMdContext), mbedtls_md_info_from_type(MBEDTLS_MD_SHA512), 0);
+			break;
+		default:
+			throw tc::crypto::CryptoException("tc::crypto::detail::Sha2Impl", "Invalid value for SHA2BitSize");
+	}
+	
+}
+
+tc::crypto::detail::Sha2Impl::~Sha2Impl()
+{
+	mbedtls_md_free(&(mImplCtx->mMdContext));
+}
+
+void tc::crypto::detail::Sha2Impl::initialize()
+{
+	mbedtls_md_starts(&(mImplCtx->mMdContext));
+	mState = State::Initialized;
+}
+
+void tc::crypto::detail::Sha2Impl::update(const byte_t* src, size_t src_size)
+{
+	mbedtls_md_update(&(mImplCtx->mMdContext), src, src_size);
+}
+
+void tc::crypto::detail::Sha2Impl::getHash(byte_t* hash)
+{
+	if (mState == State::Initialized)
+	{
+		mbedtls_md_finish(&(mImplCtx->mMdContext), mHash.data());
+		mState = State::Done;
+	}
+	if (mState == State::Done)
+	{
+		memcpy(hash, mHash.data(), mHashSize);
+	}	
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/BasicPathResolver.cpp b/ctrtool/deps/libtoolchain/src/io/BasicPathResolver.cpp
new file mode 100644
index 00000000..901abcd1
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/BasicPathResolver.cpp
@@ -0,0 +1,97 @@
+#include <tc/io/BasicPathResolver.h>
+
+const std::string tc::io::BasicPathResolver::kClassName = "tc::io::BasicPathResolver";
+
+tc::io::BasicPathResolver::BasicPathResolver() :
+	BasicPathResolver(tc::io::Path("/"), {})
+{}
+
+tc::io::BasicPathResolver::BasicPathResolver(const tc::io::Path& current_directory_path) :
+	BasicPathResolver(current_directory_path, {})
+{}
+
+tc::io::BasicPathResolver::BasicPathResolver(const tc::io::Path& current_directory_path, const std::vector<std::string>& root_names) :
+	mCurrentDirPath(),
+	mExplicitRootLabels(root_names)
+{
+	setCurrentDirectory(current_directory_path);
+}
+
+
+void tc::io::BasicPathResolver::setCurrentDirectory(const tc::io::Path& path)
+{
+	if (path.empty())
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "path was empty.");
+	}
+
+	mCurrentDirPath = path;
+}
+
+const tc::io::Path& tc::io::BasicPathResolver::getCurrentDirectory() const
+{
+	return mCurrentDirPath;
+}
+
+void tc::io::BasicPathResolver::setExplicitRootLabels(const std::vector<std::string>& root_labels)
+{
+	mExplicitRootLabels = root_labels;
+}
+
+const std::vector<std::string>& tc::io::BasicPathResolver::getExplicitRootLabels() const
+{
+	return mExplicitRootLabels;
+}
+
+void tc::io::BasicPathResolver::resolveCanonicalPath(const tc::io::Path& path, tc::io::Path& canonical_path) const
+{
+	canonical_path = resolveCanonicalPath(path);
+}
+
+tc::io::Path tc::io::BasicPathResolver::resolveCanonicalPath(const tc::io::Path& path) const
+{
+	// create output path
+	tc::io::Path canonical_path;
+
+	// get iterator for input path
+	auto path_itr = path.begin();
+	
+	// if the begining of the path exists and is a valid root label, then the input path is an absolute (but not necessarily canonical) path
+	if (path_itr != path.end() && (std::find(mExplicitRootLabels.begin(), mExplicitRootLabels.end(), *path_itr) != mExplicitRootLabels.end() || *path_itr == mCurrentDirPath.front()))
+	{
+		// the beginning of canonical_path is the path root name
+		canonical_path = tc::io::Path(*path_itr + "/");
+
+		// increment path iterator
+		path_itr++;
+	}
+	else
+	{
+		// the beginning of the canonical_path is the current directory path
+		canonical_path = mCurrentDirPath;
+	}
+
+	// process relative elements of path, combining with the base canonical_path
+	for (; path_itr != path.end(); path_itr++)
+	{
+        // ignore "current directory" alias
+		if (*path_itr == ".")
+			continue;
+        // ignore empty path elements
+        else if (*path_itr == "")
+            continue;
+        // navigate up for "parent directory" alias
+		else if (*path_itr == "..")
+		{
+			// ".." is the parent directory, so if there are path elements then we remove from the back to "go to the parent directory"
+			if (canonical_path.size() > 1)
+				canonical_path.pop_back();
+			else
+				continue;
+		}
+		else
+			canonical_path.push_back(*path_itr);
+	}
+
+	return canonical_path;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/ConcatenatedStream.cpp b/ctrtool/deps/libtoolchain/src/io/ConcatenatedStream.cpp
new file mode 100644
index 00000000..d4b2bd26
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/ConcatenatedStream.cpp
@@ -0,0 +1,370 @@
+#include <tc/io/ConcatenatedStream.h>
+
+#include <tc/io/StreamUtil.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::ConcatenatedStream::kClassName = "tc::io::ConcatenatedStream";
+
+tc::io::ConcatenatedStream::ConcatenatedStream() :
+	mStreamList(),
+	mStreamListMap(),
+	mCurrentStream(),
+	mCanRead(false),
+	mCanWrite(false),
+	mCanSeek(false),
+	mStreamLength(0)
+{}
+
+tc::io::ConcatenatedStream::ConcatenatedStream(ConcatenatedStream&& other) :
+	ConcatenatedStream()
+{
+	*this = std::move(other);
+}
+
+tc::io::ConcatenatedStream::ConcatenatedStream(const std::vector<std::shared_ptr<tc::io::IStream>>& stream_list) :
+	ConcatenatedStream()
+{
+	// track the overall stream properties
+	bool can_read = true;
+	bool can_write = true;
+	bool can_seek = true;
+
+	// reset stream length
+	mStreamLength = 0;
+
+	// process stream list
+	for (auto itr = stream_list.begin(); itr != stream_list.end(); itr++)
+	{
+		// skip null streams
+		if (*itr == nullptr)
+			continue;
+		// skip empty streams
+		if ((*itr)->length() == 0)
+			continue;
+		// skip streams that can't be read or writen to (so it's useless)
+		if ((*itr)->canRead() == false && (*itr)->canWrite() == false)
+			continue;
+
+		// create stream info for the input stream
+		StreamInfo info;
+		// range is from the current concatenated stream position for the length of the input stream
+		info.range = StreamRange(mStreamLength, (*itr)->length());
+		info.stream = *itr;
+
+		// throw an exception if the input stream range overlaps with an existing range (which shouldn't be possible)
+		if (mStreamListMap.find(info.range) != mStreamListMap.end())
+		{
+			throw tc::Exception(kClassName, "Poor state management detected.");
+		}
+
+		if (info.stream->canRead() == false)
+			can_read = false;
+		if (info.stream->canWrite() == false)
+			can_write = false;
+		if (info.stream->canSeek() == false)
+			can_seek = false;
+
+		mStreamListMap.insert(std::pair<StreamRange, size_t>(info.range, mStreamList.size()));
+		mStreamList.push_back(info);
+
+		mStreamLength += info.range.length;
+	}
+
+	// check the stream is usable
+	if (!can_read && !can_write)
+	{
+		throw tc::NotSupportedException(kClassName, "Stream does not support read or write.");
+	}
+	// check the stream is usable
+	if (mStreamLength == 0)
+	{
+		throw tc::NotSupportedException(kClassName, "Stream had no length.");
+	}
+
+	// save iterator to current stream
+	mCurrentStream = mStreamList.begin();
+
+	// save properties
+	mCanRead = can_read;
+	mCanWrite = can_write;
+	mCanSeek = can_seek;
+}
+
+tc::io::ConcatenatedStream::~ConcatenatedStream()
+{
+	dispose();
+}
+
+tc::io::ConcatenatedStream& tc::io::ConcatenatedStream::operator=(tc::io::ConcatenatedStream&& other)
+{
+	mStreamList = std::move(other.mStreamList);
+	mStreamListMap = std::move(other.mStreamListMap);
+	mCurrentStream = std::move(other.mCurrentStream);
+	mCanRead = other.mCanRead;
+	mCanWrite = other.mCanWrite;
+	mCanSeek = other.mCanSeek;
+	mStreamLength = other.mStreamLength;
+	
+	// clear other state
+	other.mStreamList.clear();
+	other.mStreamListMap.clear();
+	other.mCurrentStream.makeNull();
+	other.mCanRead = false;
+	other.mCanWrite = false;
+	other.mCanSeek = false;
+	other.mStreamLength = 0;
+
+	return *this;
+}
+
+bool tc::io::ConcatenatedStream::canRead() const
+{
+	return isStreamDisposed() ? false : mCanRead;
+}
+
+bool tc::io::ConcatenatedStream::canWrite() const
+{
+	return isStreamDisposed() ? false : mCanWrite;
+}
+
+bool tc::io::ConcatenatedStream::canSeek() const
+{
+	return isStreamDisposed() ? false : mCanSeek;
+}
+
+int64_t tc::io::ConcatenatedStream::length()
+{
+	return isStreamDisposed() ? 0 : mStreamLength;
+}
+
+int64_t tc::io::ConcatenatedStream::position()
+{
+	return isStreamDisposed() ? 0 : (mCurrentStream.get()->range.offset + mCurrentStream.get()->stream->position());
+}
+
+size_t tc::io::ConcatenatedStream::read(byte_t* ptr, size_t count)
+{
+	if (isStreamDisposed())
+	{
+		throw tc::ObjectDisposedException(kClassName+"read()", "Stream wasd.");
+	}
+	if (mCanRead == false)
+	{
+		throw tc::NotSupportedException(kClassName+"read()", "Stream does not support reading.");
+	}
+
+	// read
+	size_t readable_count = IOUtil::getReadableCount(mStreamLength, position(), count);
+	size_t remaining_readable_count = readable_count;
+	do {
+		// determine expected readable data count for the current stream
+		size_t readable_count_for_current_stream = IOUtil::getReadableCount(mCurrentStream.get()->range.length, mCurrentStream.get()->stream->position(), remaining_readable_count);
+
+		if (readable_count_for_current_stream != 0)
+		{
+			// read data and throw exception if unexpected read count is returned
+			if (readable_count_for_current_stream != mCurrentStream.get()->stream->read(ptr + (readable_count - remaining_readable_count), readable_count_for_current_stream))
+			{
+				throw tc::io::IOException(kClassName+"read()", "Reading from one of the base streams returned less data than expected.");
+			}
+
+			// decrement the remaining readable count
+			remaining_readable_count -= readable_count_for_current_stream;
+		}
+
+		// if there is more data to be read, increment the current stream
+		if (remaining_readable_count != 0)
+		{
+			updateCurrentStream(mCurrentStream.get() + 1);
+
+			// make sure we haven't somehow reached the end before we expected
+			if (mCurrentStream.get() == mStreamList.end())
+			{
+				throw tc::io::IOException(kClassName+"read()", "More data was expected to be readable but end of stream list was reached.");
+			}
+
+			// correct the position the 0x0 if not already
+			if (mCurrentStream.get()->stream->position() != 0x0)
+			{
+				if (!mCanSeek)
+				{
+					throw tc::io::IOException(kClassName+"read()", "Tried to continue reading from the next stream but the position was not 0, and seek was not supported.");
+				}
+				
+				mCurrentStream.get()->stream->seek(0, tc::io::SeekOrigin::Begin);
+			}
+		}
+	} while (remaining_readable_count > 0);
+	
+	return readable_count;
+}
+
+size_t tc::io::ConcatenatedStream::write(const byte_t* ptr, size_t count)
+{
+	if (isStreamDisposed())
+	{
+		throw tc::ObjectDisposedException(kClassName+"write()", "Stream was disposed.");
+	}
+	if (mCanWrite == false)
+	{
+		throw tc::NotSupportedException(kClassName+"write()", "Stream does not support writing.");
+	}
+
+	// write
+	size_t writable_count = IOUtil::getWritableCount(mStreamLength, position(), count);
+	size_t remaining_writable_count = writable_count;
+	do {
+		// determine expected writable data count for the current stream
+		size_t writable_count_for_current_stream = IOUtil::getWritableCount(mCurrentStream.get()->range.length, mCurrentStream.get()->stream->position(), remaining_writable_count);
+
+		if (writable_count_for_current_stream != 0)
+		{
+			// write data and throw exception if unexpected write count is returned
+			if (writable_count_for_current_stream != mCurrentStream.get()->stream->write(ptr + (writable_count - remaining_writable_count), writable_count_for_current_stream))
+			{
+				throw tc::io::IOException(kClassName+"write()", "Writing from one of the base streams returned less data than expected.");
+			}
+
+			// decrement the remaining writable count
+			remaining_writable_count -= writable_count_for_current_stream;
+		}
+
+		// if there is more data to be write, increment the current stream
+		if (remaining_writable_count != 0)
+		{
+			updateCurrentStream(mCurrentStream.get() + 1);
+
+			// make sure we haven't somehow reached the end before we expected
+			if (mCurrentStream.get() == mStreamList.end())
+			{
+				throw tc::io::IOException(kClassName+"write()", "More data was expected to be writable but end of stream list was reached.");
+			}
+
+			// correct the position the 0x0 if not already
+			if (mCurrentStream.get()->stream->position() != 0x0)
+			{
+				if (!mCanSeek)
+				{
+					throw tc::io::IOException(kClassName+"write()", "Tried to continue writing from the next stream but the position was not 0, and seek was not supported.");
+				}
+				
+				mCurrentStream.get()->stream->seek(0, tc::io::SeekOrigin::Begin);
+			}
+		}
+	} while (remaining_writable_count > 0);
+	
+	return writable_count;
+}
+
+int64_t tc::io::ConcatenatedStream::seek(int64_t offset, SeekOrigin origin)
+{
+	if (isStreamDisposed())
+	{
+		throw tc::ObjectDisposedException(kClassName+"seek()", "Stream was disposed.");
+	}
+	if (mCanSeek == false)
+	{
+		throw tc::NotSupportedException(kClassName+"seek()", "Stream does not support seeking.");
+	}
+
+	// seek
+	int64_t absolute_seek_pos = StreamUtil::getSeekResult(offset, origin, position(), mStreamLength);
+
+	// seek is <= 0 : we use the first stream and set the position to 0
+	if (absolute_seek_pos <= 0)
+	{
+		updateCurrentStream(mStreamList.begin());
+		if (mCurrentStream.get() == mStreamList.end())
+		{
+			throw tc::io::IOException(kClassName+"seek()", "Failed to seek because underlying stream could not be determined.");	
+		}
+		mCurrentStream.get()->stream->seek(0, tc::io::SeekOrigin::Begin);
+	}
+	// seek is < mStreamLength : we find the stream in the map and set the relative position 
+	else if (absolute_seek_pos < mStreamLength)
+	{
+		// before we do a map lookup, check if the current stream has the range the offset sits in
+		if ((absolute_seek_pos >= mCurrentStream.get()->range.offset) && (absolute_seek_pos < (mCurrentStream.get()->range.offset + mCurrentStream.get()->range.length)))
+		{
+			mCurrentStream.get()->stream->seek(absolute_seek_pos - mCurrentStream.get()->range.offset, tc::io::SeekOrigin::Begin);
+		}
+		// look up the correct stream in the map
+		else
+		{
+			auto rangeItr = mStreamListMap.find(StreamRange(absolute_seek_pos));
+			if (rangeItr == mStreamListMap.end())
+			{
+				throw tc::io::IOException(kClassName+"seek()", "Failed to seek because underlying stream could not be determined.");
+			}
+
+			if (rangeItr->second > mStreamList.size())
+			{
+				throw tc::io::IOException(kClassName+"seek()", "Failed to seek because underlying stream could not be determined.");
+			}
+
+			updateCurrentStream(mStreamList.begin() + rangeItr->second);
+			mCurrentStream.get()->stream->seek(absolute_seek_pos - mCurrentStream.get()->range.offset, tc::io::SeekOrigin::Begin);
+		}
+	}
+	// seek is >= mStreamLength : we use the end stream and seek to the end of it
+	else
+	{
+		updateCurrentStream(--mStreamList.end());
+		if (mCurrentStream.get() == mStreamList.end())
+		{
+			throw tc::io::IOException(kClassName+"seek()", "Failed to seek because underlying stream could not be determined.");	
+		}
+		mCurrentStream.get()->stream->seek(0, tc::io::SeekOrigin::End);
+	}
+
+	return position();
+}
+
+void tc::io::ConcatenatedStream::setLength(int64_t length)
+{
+	if (isStreamDisposed())
+	{
+		throw tc::ObjectDisposedException(kClassName+"setLength()", "Stream was disposed.");
+	}
+
+	throw tc::NotImplementedException(kClassName+"setLength()", "setLength() is not implemented for tc::io::ConcatenatedStream.");
+}
+
+void tc::io::ConcatenatedStream::flush()
+{
+	if (isStreamDisposed())
+	{
+		throw tc::ObjectDisposedException(kClassName+"flush()", "Stream was disposed.");
+	}
+
+	mCurrentStream.get()->stream->flush();
+}
+
+void tc::io::ConcatenatedStream::dispose()
+{
+	if (isStreamDisposed() == false)
+		mCurrentStream.get()->stream->flush();
+
+	mStreamList.clear();
+	mCurrentStream.makeNull();
+
+	mCanRead = false;
+	mCanWrite = false;
+	mCanSeek = false;
+	mStreamLength = 0;
+}
+
+void tc::io::ConcatenatedStream::updateCurrentStream(std::vector<StreamInfo>::iterator stream_itr)
+{
+	if (mCurrentStream.isNull())
+	{
+		mCurrentStream = stream_itr;
+	}
+	else if (mCurrentStream.get() != stream_itr)
+	{
+		// if stream itr != end() flush the stream
+		if (mCurrentStream.get() != mStreamList.end())
+			mCurrentStream.get()->stream->flush();
+		mCurrentStream = stream_itr;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/FileStream.cpp b/ctrtool/deps/libtoolchain/src/io/FileStream.cpp
new file mode 100644
index 00000000..56be43f1
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/FileStream.cpp
@@ -0,0 +1,752 @@
+#include <tc/io/FileStream.h>
+#include <tc/PlatformErrorHandlingUtil.h>
+
+#ifdef _WIN32
+#include <direct.h>
+#include <cstdlib>
+#else
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>    /* For O_RDWR */
+#include <unistd.h>   /* For open(), creat() */
+#endif
+
+const std::string tc::io::FileStream::kClassName = "tc::io::FileStream";
+
+tc::io::FileStream::FileHandle::~FileHandle()
+{
+#ifdef _WIN32
+	CloseHandle(handle);
+#else
+	::close(handle);
+#endif
+}
+
+tc::io::FileStream::FileStream() :
+	mCanRead(false),
+	mCanWrite(false),
+	mCanSeek(false),
+	mIsAppendRestrictSeekCall(false),
+	mFileHandle()
+{}
+
+tc::io::FileStream::FileStream(FileStream&& other) :
+	FileStream()
+{
+	*this = std::move(other);
+}
+
+tc::io::FileStream::FileStream(const tc::io::Path& path, FileMode mode, FileAccess access) :
+	FileStream()
+{
+	// dispose stream before opening new stream
+	dispose();
+
+	open_impl(path, mode, access);
+}
+
+tc::io::FileStream& tc::io::FileStream::operator=(tc::io::FileStream&& other)
+{
+	mCanRead = other.mCanRead;
+	mCanWrite = other.mCanWrite;
+	mCanSeek = other.mCanSeek;
+	mIsAppendRestrictSeekCall = other.mIsAppendRestrictSeekCall;
+	mFileHandle = std::move(other.mFileHandle);
+	other.dispose();
+
+	return *this;
+}
+
+bool tc::io::FileStream::canRead() const
+{
+	return mFileHandle == nullptr ? false : mCanRead;
+}
+
+bool tc::io::FileStream::canWrite() const
+{
+	return mFileHandle == nullptr ? false : mCanWrite;
+}
+bool tc::io::FileStream::canSeek() const
+{
+	return mFileHandle == nullptr || mIsAppendRestrictSeekCall == true ? false : mCanSeek;
+}
+
+int64_t tc::io::FileStream::length()
+{
+	return mFileHandle == nullptr ? 0 : length_impl();
+}
+
+int64_t tc::io::FileStream::position()
+{
+	if (mFileHandle == nullptr)
+	{
+		return 0;
+	}
+
+	if (mCanSeek == false)
+	{
+		throw tc::NotSupportedException(kClassName+"::position()", "This method is not supported for streams that do not support seeking");
+	}
+
+	return seek_impl(0, SeekOrigin::Current);
+}
+
+size_t tc::io::FileStream::read(byte_t* ptr, size_t count)
+{
+	if (mFileHandle == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::read()", "Failed to read from stream (stream is disposed)");
+	}
+
+	if (mCanRead == false)
+	{
+		throw tc::NotSupportedException(kClassName+"::read()", "Stream does not support reading");
+	}
+
+	if (ptr == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName+"::read()", "ptr was null");
+	}
+
+	if (count < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName+"::read()", "count was negative");
+	}
+
+	return read_impl(ptr, count);
+}
+
+size_t tc::io::FileStream::write(const byte_t* ptr, size_t count)
+{
+	if (mFileHandle == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::write()", "Failed to write to stream (no file open)");
+	}
+
+	if (mCanWrite == false)
+	{
+		throw tc::NotSupportedException(kClassName+"::write()", "Stream does not support writing");
+	}
+
+	if (ptr == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName+"::write()", "ptr was null");
+	}
+
+	if (count < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName+"::write()", "count was negative");
+	}
+
+	return write_impl(ptr, count);
+}
+
+int64_t tc::io::FileStream::seek(int64_t offset, SeekOrigin origin)
+{
+	if (mFileHandle == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::seek()", "Failed to set stream position (stream is disposed)");
+	}
+
+	if (mCanSeek == false)
+	{
+		throw tc::NotSupportedException(kClassName+"::seek()", "Stream does not support seeking");
+	}
+
+	if (mIsAppendRestrictSeekCall == true)
+	{
+		throw tc::io::IOException(kClassName+"::seek()", "Streams opened in Append mode are not allowed to change file position.");
+	}
+
+	return seek_impl(offset, origin);
+}
+
+void tc::io::FileStream::setLength(int64_t length)
+{
+	if (mFileHandle == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::setLength()", "Failed to set stream length (stream is disposed)");
+	}
+
+	if (mCanWrite == false || mCanSeek == false)
+	{
+		throw tc::NotSupportedException(kClassName+"::setLength()", "Stream does not support both writing and seeking");
+	}
+
+	setLength_impl(length);
+}
+
+void tc::io::FileStream::flush()
+{
+	if (mFileHandle != nullptr)
+	{
+		flush_impl();
+	}
+}
+
+void tc::io::FileStream::dispose()
+{
+	if (mFileHandle.get() != nullptr)
+	{
+		flush();
+		mFileHandle.reset();
+	}
+	mCanRead = false;
+	mCanWrite = false;
+	mCanSeek = false;
+}
+
+#ifdef _WIN32
+
+#pragma warning(disable : 4065) // disable warning for switch case with only default case
+
+void tc::io::FileStream::open_impl(const tc::io::Path& path, FileMode mode, FileAccess access)
+{
+	// convert Path to unicode string
+	std::u16string unicode_path = path.to_u16string(tc::io::Path::Format::Win32);
+
+	DWORD access_flag = 0;
+	DWORD share_mode_flag = 0;
+	DWORD creation_flag = 0;
+
+	// process mode
+	switch (mode) 
+	{
+		case (FileMode::CreateNew):
+			// create file if does not exist | return error if file does not exist
+			creation_flag = CREATE_NEW;
+			break;
+		case (FileMode::Create):
+			// create file if does not exist | truncate file if it exists
+			creation_flag = CREATE_ALWAYS;
+			break;
+		case (FileMode::Open):
+			// no flags
+			creation_flag = OPEN_EXISTING;
+			break;
+		case (FileMode::OpenOrCreate):
+			// create file if does not exist 
+			creation_flag = access == FileAccess::Read ? OPEN_EXISTING : OPEN_ALWAYS;
+			break;
+		case (FileMode::Truncate):
+			// truncate file if file exists
+			creation_flag = TRUNCATE_EXISTING;
+			break;
+		case (FileMode::Append):
+			// open in append mode
+			creation_flag = OPEN_ALWAYS;
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(kClassName+"::open()", "Illegal value for mode");
+	}
+
+	// process access
+	switch (access)
+	{
+		case (FileAccess::Read):
+			// read access
+			access_flag = GENERIC_READ;
+			// shared read lock
+			share_mode_flag = FILE_SHARE_READ;
+			break;
+		case (FileAccess::Write):
+			// write access
+			access_flag = GENERIC_WRITE;
+			// exclusive lock
+			share_mode_flag = 0;
+			break;
+		case (FileAccess::ReadWrite):
+			// read/write access
+			access_flag = GENERIC_READ | GENERIC_WRITE;
+			// exclusive lock
+			share_mode_flag = 0;
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(kClassName+"::open()", "Illegal value for access");
+	}
+	
+	// validate use of write dependent flags (open existing is the only one that supports no write flag)
+	if (creation_flag != OPEN_EXISTING && !(access_flag & GENERIC_WRITE))
+	{
+		throw tc::ArgumentException(kClassName + "::open()", "Stream open mode requires write access, but write access was not allowed");
+	}
+
+	// append can only open in write only mode
+	if (mode == tc::io::FileMode::Append && (access_flag & GENERIC_READ | GENERIC_WRITE) != GENERIC_WRITE)
+	{
+		throw tc::ArgumentException(kClassName + "::open()", "Stream opened in Append mode can only work with Write access. ReadWrite is not permitted");
+	}
+
+	// open file
+	HANDLE file_handle = CreateFileW((LPCWSTR)unicode_path.c_str(),
+							  access_flag,
+							  share_mode_flag,
+							  0,
+							  creation_flag,
+							  FILE_ATTRIBUTE_NORMAL,
+							  NULL);
+		
+	// check file handle
+	if (file_handle == INVALID_HANDLE_VALUE)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			case (ERROR_FILE_NOT_FOUND):
+			case (ERROR_PATH_NOT_FOUND):
+				throw tc::io::FileNotFoundException(kClassName+"::open()", PlatformErrorHandlingUtil::GetLastErrorString(error));
+			case (ERROR_FILE_EXISTS):
+				throw tc::io::FileExistsException(kClassName+"::open()", PlatformErrorHandlingUtil::GetLastErrorString(error));
+			case (ERROR_INVALID_PARAMETER):
+				throw tc::ArgumentException(kClassName + "::open()", PlatformErrorHandlingUtil::GetLastErrorString(error));
+			case (ERROR_ACCESS_DENIED):
+				throw tc::UnauthorisedAccessException(kClassName+"::open()", PlatformErrorHandlingUtil::GetLastErrorString(error));
+			default:
+				throw tc::io::IOException(kClassName+"::open()", "Failed to open file stream (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+
+	// store file handle
+	mFileHandle = std::unique_ptr<tc::io::FileStream::FileHandle>(new tc::io::FileStream::FileHandle(file_handle));
+	
+	// seek to end of file if in append mode
+	if (mode == FileMode::Append)
+	{
+		seek_impl(0, SeekOrigin::End);
+		mIsAppendRestrictSeekCall = true;
+	}
+		
+
+	// set state flags
+	mCanRead = (access_flag & GENERIC_READ) ? true : false;
+	mCanWrite = (access_flag & GENERIC_WRITE) ? true : false;
+	mCanSeek = GetFileType(mFileHandle->handle) == FILE_TYPE_DISK ? true : false;
+}
+
+int64_t tc::io::FileStream::length_impl()
+{
+	LARGE_INTEGER stream_length;
+
+	if (GetFileSizeEx(mFileHandle->handle, &stream_length) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			// TODO: Directly handle usual errors for custom exceptions
+			default:
+				throw tc::io::IOException(kClassName+"::length()", "Failed to get stream length (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+	
+	return (int64_t) stream_length.QuadPart;
+}
+
+size_t tc::io::FileStream::read_impl(byte_t* ptr, size_t count)
+{
+	DWORD bytes_read;
+
+	if (ReadFile(mFileHandle->handle, ptr, (DWORD)count, &bytes_read, NULL) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			// TODO: Directly handle usual errors for custom exceptions
+			default:
+				throw tc::io::IOException(kClassName+"::read()", "Failed to read from stream (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+
+	return bytes_read;
+}
+
+size_t tc::io::FileStream::write_impl(const byte_t* ptr, size_t count)
+{
+	DWORD bytes_written;
+
+	if (WriteFile(mFileHandle->handle, ptr, (DWORD)count, &bytes_written, NULL) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			// TODO: Directly handle usual errors for custom exceptions
+			default:
+				throw tc::io::IOException(kClassName+"::write()", "Failed to write to stream (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+
+	return bytes_written;
+}
+
+int64_t tc::io::FileStream::seek_impl(int64_t offset, SeekOrigin origin)
+{
+	DWORD seek_flag = 0;
+	switch(origin)
+	{
+		case (SeekOrigin::Begin):
+			seek_flag = FILE_BEGIN;
+			break;
+		case (SeekOrigin::Current):
+			seek_flag = FILE_CURRENT;
+			break;
+		case (SeekOrigin::End):
+			seek_flag = FILE_END;
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(kClassName+"::seek()", "Unknown SeekOrigin value");
+	}
+
+	LARGE_INTEGER win_pos, out;
+	win_pos.QuadPart = offset;
+	if (SetFilePointerEx(
+		mFileHandle->handle,
+		win_pos,
+		&out,
+		seek_flag
+	) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+		case (ERROR_NEGATIVE_SEEK):
+			throw tc::ArgumentOutOfRangeException(kClassName+"::seek()", PlatformErrorHandlingUtil::GetLastErrorString(error));
+		default:
+			throw tc::io::IOException(kClassName+"::seek()", "Failed to set stream position (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+
+	return out.QuadPart;
+}
+
+void tc::io::FileStream::setLength_impl(int64_t length)
+{
+	seek(length, tc::io::SeekOrigin::Begin);
+
+	if (SetEndOfFile(
+		mFileHandle->handle
+	) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+		default:
+			throw tc::io::IOException(kClassName+"::setLength()", "Failed to set end of file (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+}
+
+void tc::io::FileStream::flush_impl()
+{
+	if (mCanWrite)
+	{
+		// flush buffers only applies to written data
+		FlushFileBuffers(mFileHandle->handle);
+	}
+}
+
+#pragma warning(default : 4065)  // reenable warning for switch case with only default case
+
+#else
+void tc::io::FileStream::open_impl(const tc::io::Path& path, FileMode mode, FileAccess access)
+{
+	// convert Path to unicode string
+	std::string unicode_path = path.to_string(tc::io::Path::Format::POSIX);
+
+	// open file
+	int open_flag = 0;
+
+	// process mode
+	switch (mode) 
+	{
+		case (FileMode::CreateNew):
+			// create file if does not exist | return error if file does not exist
+			open_flag |= O_CREAT | O_EXCL;
+			break;
+		case (FileMode::Create):
+			// create file if does not exist | truncate file if it exists
+			open_flag |= O_CREAT | O_TRUNC;
+			break;
+		case (FileMode::Open):
+			// no flags
+			open_flag |= 0;
+			break;
+		case (FileMode::OpenOrCreate):
+			// create file if does not exist (however only enable create flag if write access is enabled)
+			open_flag |= (access == FileAccess::ReadWrite || access == FileAccess::Write) ? O_CREAT : 0;
+			break;
+		case (FileMode::Truncate):
+			// truncate file if file exists
+			open_flag |= O_TRUNC;
+			break;
+		case (FileMode::Append):
+			// open in append mode (create file if doesn't exist)
+			open_flag |= O_APPEND | O_CREAT;
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(kClassName+"::open()", "Illegal value for mode");
+	}
+
+	// process access
+	switch (access)
+	{
+		case (FileAccess::Read):
+			// read access
+			open_flag |= O_RDONLY;
+#ifdef O_SHLOCK
+			// shared lock
+			open_flag |= O_SHLOCK;
+#endif
+			break;
+		case (FileAccess::Write):
+			// write access
+			open_flag |= O_WRONLY;
+#ifdef O_EXLOCK
+			// exclusive lock
+			open_flag |= O_EXLOCK;
+#endif
+			break;
+		case (FileAccess::ReadWrite):
+			// read/write access
+			open_flag |= O_RDWR;
+#ifdef O_EXLOCK
+			// exclusive lock
+			open_flag |= O_EXLOCK;
+#endif
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(kClassName+"::open()", "Illegal value for access");
+	}
+
+	// validate use of write dependent flags
+	if ((open_flag & (O_APPEND | O_TRUNC | O_CREAT)) && !(open_flag & (O_WRONLY|O_RDWR))) 
+	{
+		throw tc::ArgumentException(kClassName+"::open()", "Stream open mode requires write access, but write access was not allowed");
+	}
+	// explicitly check APPEND as being write only
+	if ((open_flag & (O_APPEND)) && (open_flag & (O_RDWR))) 
+	{
+		throw tc::ArgumentException(kClassName+"::open()", "Stream opened in Append mode can only work with Write access. ReadWrite is not permitted");
+	}
+
+	// open file handle with Read/Write for User, Read for Group, nothing for others
+	int file_handle	= ::open(unicode_path.c_str(), open_flag, S_IRUSR | S_IWUSR | S_IRGRP);
+
+	// handle error
+	if (file_handle == -1)
+	{
+		switch (errno) 
+		{
+			case (EACCES):
+			case (EROFS):
+				throw tc::UnauthorisedAccessException(kClassName+"::open()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENAMETOOLONG):
+				throw tc::io::PathTooLongException(kClassName+"::open()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOENT):
+				throw tc::io::FileNotFoundException(kClassName+"::open()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EEXIST):
+				throw tc::io::FileExistsException(kClassName+"::open()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EINVAL):
+				throw tc::ArgumentOutOfRangeException(kClassName+"::open()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EFAULT):
+				throw tc::AccessViolationException(kClassName+"::open()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EISDIR):
+				throw tc::io::FileNotFoundException(kClassName+"::open()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EDQUOT):
+			case (EFBIG):
+			case (EINTR):
+			case (ELOOP):
+			case (EMFILE):
+			case (ENFILE):
+			case (ENOMEM):
+			case (ENOSPC):
+			case (ENXIO):
+			case (EOVERFLOW):
+			case (EPERM):
+			case (ETXTBSY):
+			case (EWOULDBLOCK):
+			default:
+				throw tc::io::IOException(kClassName+"::open()", "Failed to open file stream (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+
+	// store file handle
+	mFileHandle = std::unique_ptr<tc::io::FileStream::FileHandle>(new tc::io::FileStream::FileHandle(file_handle));
+
+	// get stat info on file
+	struct stat stat_buf;
+	if (fstat(mFileHandle->handle, &stat_buf) == -1)
+	{
+		throw tc::io::IOException(kClassName+"::open()", "Failed to check stream properties using fstat() (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+	}
+
+	// if this is a directory throw an exception
+	if (S_ISDIR(stat_buf.st_mode))
+	{
+		throw tc::io::FileNotFoundException(kClassName+"::open()", "Path refers to a directory not a file");
+	}
+
+	// set state flags
+	// would check O_RDONLY but that resolves to 0 so it can't be bitmask checked
+	mCanRead = (open_flag & O_RDWR) || !(open_flag & O_WRONLY) ? true : false;
+	mCanWrite = (open_flag & (O_WRONLY|O_RDWR)) ? true : false;
+	mCanSeek = S_ISREG(stat_buf.st_mode) ? true : false;
+
+	// seek to end of file if in append mode
+	if (mode == FileMode::Append)
+	{
+		seek_impl(0, SeekOrigin::End);
+		mIsAppendRestrictSeekCall = true;
+	}
+}
+
+int64_t tc::io::FileStream::length_impl()
+{
+	int64_t length;
+
+	// get stat info on file
+	struct stat stat_buf;
+	if (fstat(mFileHandle->handle, &stat_buf) == -1)
+	{
+		throw tc::io::IOException(kClassName+"::length()", "Failed to check stream properties using fstat() (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+	}
+
+	if (S_ISREG(stat_buf.st_mode))
+	{
+		length = stat_buf.st_size;
+	}
+	else
+	{
+		throw tc::NotSupportedException(kClassName+"::length()", "length() cannot be used with device-files or pipes");
+	}
+	
+	return length;
+}
+
+size_t tc::io::FileStream::read_impl(byte_t* ptr, size_t count)
+{
+	int64_t read_len = ::read(mFileHandle->handle, ptr, count);
+
+	// handle error
+	if (read_len == -1)
+	{
+		switch (errno) 
+		{	
+			case (EINVAL):
+				throw tc::ArgumentOutOfRangeException(kClassName+"::read()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EFAULT):
+				throw tc::AccessViolationException(kClassName+"::read()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EISDIR):
+			case (EBADF):
+			case (EAGAIN):
+			case (EINTR):
+			case (EIO):
+			default:
+				throw tc::io::IOException(kClassName+"::read()", "Failed to read from stream (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+
+	return size_t(read_len);
+}
+
+size_t tc::io::FileStream::write_impl(const byte_t* ptr, size_t count)
+{
+	int64_t write_len = ::write(mFileHandle->handle, ptr, count);
+
+	// handle error
+	if (write_len == -1)
+	{
+		switch (errno) 
+		{	
+			case (EINVAL):
+				throw tc::ArgumentOutOfRangeException(kClassName+"::write()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EFAULT):
+				throw tc::AccessViolationException(kClassName+"::write()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EFBIG):
+			case (EAGAIN):
+			case (EDESTADDRREQ):
+			case (EDQUOT):
+			case (EINTR):
+			case (EIO):
+			case (ENOSPC):
+			case (EPERM):
+			case (EPIPE):
+			default:
+				throw tc::io::IOException(kClassName+"::write()", "Failed to write to stream (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+
+	return size_t(write_len);
+}
+
+int64_t tc::io::FileStream::seek_impl(int64_t offset, SeekOrigin origin)
+{
+	int seek_flag = 0;
+	switch(origin)
+	{
+		case (SeekOrigin::Begin):
+			seek_flag = SEEK_SET;
+			break;
+		case (SeekOrigin::Current):
+			seek_flag = SEEK_CUR;
+			break;
+		case (SeekOrigin::End):
+			seek_flag = SEEK_END;
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException(kClassName+"::seek()", "Unknown SeekOrigin value");
+	}
+
+#ifdef _LARGEFILE64_SOURCE
+	int64_t fpos = lseek64(mFileHandle->handle, offset, seek_flag);
+#else 
+	int64_t fpos = lseek(mFileHandle->handle, offset, seek_flag);
+#endif
+
+	// handle error
+	if (fpos == -1)
+	{
+		switch (errno) 
+		{
+			case (EINVAL):
+				throw tc::ArgumentOutOfRangeException(kClassName+"::seek()",  PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EOVERFLOW):
+				throw tc::OverflowException(kClassName+"::seek()",  PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EBADF):
+			case (ESPIPE):
+			case (ENXIO):
+			default:
+				throw tc::io::IOException(kClassName+"::seek()", "Failed to set stream position (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+
+	return fpos;
+}
+
+void tc::io::FileStream::setLength_impl(int64_t length)
+{
+#ifdef _LARGEFILE64_SOURCE
+	int trun_res = ftruncate64(mFileHandle->handle, length);
+#else 
+	int trun_res = ftruncate(mFileHandle->handle, length);
+#endif
+
+	if (trun_res == -1)
+	{
+		switch (errno)
+		{
+			case (EINTR):
+			case (EINVAL):
+			case (EFBIG):
+			case (EIO):
+			case (EBADF):
+			default:
+				throw tc::io::IOException(kClassName+"::seek()", "Failed to set stream position (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+	
+}
+
+void tc::io::FileStream::flush_impl()
+{
+	// open/read/write are non-buffered
+}
+#endif
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/IOUtil.cpp b/ctrtool/deps/libtoolchain/src/io/IOUtil.cpp
new file mode 100644
index 00000000..30c1e5db
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/IOUtil.cpp
@@ -0,0 +1,40 @@
+#include <tc/io/IOUtil.h>
+
+int64_t tc::io::IOUtil::castSizeToInt64(size_t size)
+{
+	if (std::numeric_limits<size_t>::digits > std::numeric_limits<int64_t>::digits)
+		size = std::min<size_t>(size, size_t(std::numeric_limits<int64_t>::max()));
+
+	return int64_t(size);
+}
+
+size_t tc::io::IOUtil::castInt64ToSize(int64_t length)
+{
+	if (length < 0)
+		return 0;
+
+	if (std::numeric_limits<size_t>::digits < std::numeric_limits<int64_t>::digits)
+		length = std::min<int64_t>(length, int64_t(std::numeric_limits<size_t>::max()));
+
+	return size_t(length);
+}
+
+size_t tc::io::IOUtil::getAvailableSize(int64_t data_length, int64_t data_offset)
+{
+	if (data_length < 0 || data_offset < 0)
+		return 0;
+
+	int64_t readable_length = (data_offset < data_length) ? (data_length - data_offset) : 0;
+
+	return castInt64ToSize(readable_length);
+}
+
+size_t tc::io::IOUtil::getReadableCount(int64_t data_length, int64_t data_offset, size_t requested_read_count)
+{
+	return std::min<size_t>(getAvailableSize(data_length, data_offset), requested_read_count);
+}
+
+size_t tc::io::IOUtil::getWritableCount(int64_t data_length, int64_t data_offset, size_t requested_write_count)
+{
+	return getReadableCount(data_length, data_offset, requested_write_count);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/LocalFileSystem.cpp b/ctrtool/deps/libtoolchain/src/io/LocalFileSystem.cpp
new file mode 100644
index 00000000..093d50e4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/LocalFileSystem.cpp
@@ -0,0 +1,419 @@
+#include <tc/io/LocalFileSystem.h>
+#include <tc/io/FileStream.h>
+#include <tc/PlatformErrorHandlingUtil.h>
+#include <tc/Exception.h>
+#include <tc/string.h>
+
+#ifdef _WIN32
+#include <direct.h>
+#include <cstdlib>
+
+#pragma warning(disable : 4065) // disable warning for switch case with only default case
+
+#else
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <dirent.h>
+#endif
+
+const std::string tc::io::LocalFileSystem::kClassName = "tc::io::LocalFileSystem";
+
+tc::io::LocalFileSystem::LocalFileSystem() :
+	mState(1 << tc::RESFLAG_READY)
+{
+}
+
+tc::ResourceStatus tc::io::LocalFileSystem::state()
+{
+	return mState;
+}
+
+void tc::io::LocalFileSystem::dispose()
+{
+	mState = (1 << tc::RESFLAG_NOINIT);
+}
+
+void tc::io::LocalFileSystem::createFile(const tc::io::Path& path)
+{
+	tc::io::FileStream file(path, FileMode::Create, FileAccess::Write);
+}
+
+void tc::io::LocalFileSystem::removeFile(const tc::io::Path& path)
+{
+#ifdef _WIN32
+	// convert Path to unicode string
+	std::u16string unicode_path = path.to_u16string(tc::io::Path::Format::Win32);
+
+	// delete file
+	if (DeleteFileW((LPCWSTR)unicode_path.c_str()) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			default:
+				throw tc::io::IOException(kClassName+"::removeFile()", "Failed to remove file (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}	
+#else
+	// convert Path to unicode string
+	std::string unicode_path = path.to_string(tc::io::Path::Format::POSIX);
+
+	if (unlink(unicode_path.c_str()) == -1)
+	{
+		switch (errno) 
+		{
+			case (EACCES): // Search permission is denied for a component of the path prefix. -OR- Write permission is denied on the directory containing the link to be removed.
+			case (EROFS): // The named file resides on a read-only file system.
+			case (EPERM): // The named file is a directory and the effective user ID of the process is not the super-user. -OR- The directory containing the file is marked sticky, and neither the containing directory nor the file to be removed are owned by the effective user ID.
+			case (EBUSY): // The entry to be unlinked is the mount point for a mounted file system. -OR- The file named by the path argument cannot be unlinked because it is being used by the system or by another process.
+				throw tc::UnauthorisedAccessException(kClassName+"::removeFile()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENAMETOOLONG): // A component of a pathname exceeds {NAME_MAX} characters, or an entire path name exceeds {PATH_MAX} characters (possibly as a result of expanding a symlink).
+				throw tc::io::PathTooLongException(kClassName+"::removeFile()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOENT): // The named file does not exist.
+				throw tc::io::FileNotFoundException(kClassName+"::removeFile()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOTDIR): // A component of the path prefix is not a directory.
+				throw tc::io::DirectoryNotFoundException(kClassName+"::removeFile()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EFAULT): // Path points outside the process's allocated address space.
+			case (EIO): // An I/O error occurs while deleting the directory entry or deallocating the inode.
+			case (ELOOP): // Too many symbolic links are encountered in translating the pathname.  This is taken to be indicative of a looping symbolic link.
+			default:
+				throw tc::io::IOException(kClassName+"::removeFile()", "Failed to remove file (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}	
+#endif
+}
+
+void tc::io::LocalFileSystem::openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream)
+{
+	stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(path, mode, access));
+}
+
+void tc::io::LocalFileSystem::createDirectory(const tc::io::Path& path)
+{
+#ifdef _WIN32
+	// convert Path to unicode string
+	std::u16string unicode_path = path.to_u16string(tc::io::Path::Format::Win32);
+
+	// create directory
+	if (CreateDirectoryW((LPCWSTR)unicode_path.c_str(), nullptr) == false && GetLastError() != ERROR_ALREADY_EXISTS)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			default:
+				throw tc::io::IOException(kClassName+"::createDirectory()", "Failed to create directory (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+#else
+	// convert Path to unicode string
+	std::string unicode_path = path.to_string(tc::io::Path::Format::POSIX);
+
+	if (mkdir(unicode_path.c_str(), S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH) == -1 && errno != EEXIST)
+	{
+		switch (errno) 
+		{
+			case (EACCES): // Search permission is denied for a component of the path prefix. -OR- Write permission is denied for the parent directory.
+			case (EROFS): // The parent directory resides on a read-only file system.
+				throw tc::UnauthorisedAccessException(kClassName+"::createDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOTDIR): // A component of the path prefix is not a directory.
+			case (ENOENT): // A component of the path prefix does not exist or path is an empty string.
+				throw tc::io::DirectoryNotFoundException(kClassName+"::removeFile()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENAMETOOLONG): // A component of a pathname exceeded {NAME_MAX} characters, or an entire path name exceeded {PATH_MAX} characters.
+				throw tc::io::PathTooLongException(kClassName+"::removeFile()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EISDIR): // The named file is the root directory.
+			case (EDQUOT): // The new directory cannot be created because the user's quota of disk blocks on the file system that will contain the directory has been exhausted. -OR- The user's quota of inodes on the file system on which the directory is being created has been exhausted.
+			//case (EEXIST): // The named file exists
+			case (EFAULT): // Path points outside the process's allocated address space.
+			case (EIO): // An I/O error occurred while reading from or writing to the file system. -OR- An I/O error occurred while making the directory entry or allocating the inode.
+			case (ELOOP): // Too many symbolic links were encountered in translating the pathname.  This is taken to be indicative of a looping symbolic link.
+			case (EMLINK): // The parent directory already has {LINK_MAX} links.
+			case (ENOSPC): // The new directory cannot be created because there is no space left on the file system that would contain it. -OR- There are no free inodes on the file system on which the directory is being created.
+			default:
+				throw tc::io::IOException(kClassName+"::createDirectory()", "Failed to create directory (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+#endif
+}
+
+void tc::io::LocalFileSystem::removeDirectory(const tc::io::Path& path)
+{
+#ifdef _WIN32
+	// convert Path to unicode string
+	std::u16string unicode_path = path.to_u16string(tc::io::Path::Format::Win32);
+
+	if (RemoveDirectoryW((wchar_t*)unicode_path.c_str()) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+		case (ERROR_DIR_NOT_EMPTY):
+		case (ERROR_DIRECTORY):
+		default:
+			throw tc::io::IOException(kClassName+"::removeDirectory()", "Failed to remove directory (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+#else
+	// convert Path to unicode string
+	std::string unicode_path = path.to_string(tc::io::Path::Format::POSIX);
+
+	if (rmdir(unicode_path.c_str()) == -1)
+	{
+		switch (errno) 
+		{
+			case (EACCES): // Search permission is denied for a component of the path prefix. -OR- Write permission is denied on the directory containing the link to be removed.
+			case (EROFS): // The directory entry to be removed resides on a read-only file system.
+			case (EPERM): // The directory containing the directory to be removed is marked sticky, and neither the containing directory nor the directory to be removed are owned by the effective user ID.
+			case (EBUSY): // The directory to be removed is the mount point for a mounted file system.
+				throw tc::UnauthorisedAccessException(kClassName+"::removeDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENAMETOOLONG):
+				throw tc::io::PathTooLongException(kClassName+"::removeDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOENT): // The named directory does not exist.
+			case (ENOTDIR): // A component of the path prefix is not a directory.
+				throw tc::io::DirectoryNotFoundException(kClassName+"::removeDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOTEMPTY): // The named directory contains files other than `.' and `..' in it.
+				throw tc::io::DirectoryNotEmptyException(kClassName+"::removeDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EFAULT): // Path points outside the process's allocated address space.
+			case (EIO): // An I/O error occurred while reading from or writing to the file system.
+			case (ELOOP): // Too many symbolic links are encountered in translating the pathname.  This is taken to be indicative of a looping symbolic link.
+			default:
+				throw tc::io::IOException(kClassName+"::removeDirectory()", "Failed to remove directory (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}	
+#endif
+}
+
+void tc::io::LocalFileSystem::getWorkingDirectory(tc::io::Path& path)
+{
+#ifdef _WIN32
+	std::shared_ptr<char16_t> raw_char16_path(new char16_t[MAX_PATH]);
+
+	// get current directory
+	if (GetCurrentDirectoryW(MAX_PATH, (LPWSTR)(raw_char16_path.get())) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			default:
+				throw tc::io::IOException(kClassName+"::getWorkingDirectory()", "Failed to get current working directory (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+
+	path = Path(raw_char16_path.get());
+#else
+	setWorkingDirectory(Path("."));
+
+	std::shared_ptr<char> raw_current_working_directory(new char[PATH_MAX]);
+
+	if (getcwd(raw_current_working_directory.get(), PATH_MAX) == nullptr)
+	{
+		switch (errno) 
+		{
+			case (EACCES): // Read or search permission was denied for a component of the pathname.  This is only checked in limited cases, depending on implementation details.
+				throw tc::UnauthorisedAccessException(kClassName+"::getWorkingDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EINVAL): // The size argument is zero.
+			case (ENOENT): // A component of the pathname no longer exists.
+			case (ENOMEM): // Insufficient memory is available.
+			case (ERANGE): // The size argument is greater than zero but smaller than the length of the pathname plus 1.
+			default:
+				throw tc::io::IOException(kClassName+"::getWorkingDirectory()", "Failed to get current working directory (getcwd) (" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+
+	path = Path(raw_current_working_directory.get());
+#endif
+}
+
+void tc::io::LocalFileSystem::setWorkingDirectory(const tc::io::Path& path)
+{
+#ifdef _WIN32
+	// convert Path to unicode string
+	std::u16string unicode_path = path.to_u16string(tc::io::Path::Format::Win32);
+
+	// delete file
+	if (SetCurrentDirectoryW((LPCWSTR)unicode_path.c_str()) == false)
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			default:
+				throw tc::io::IOException(kClassName+"::setWorkingDirectory()", "Failed to set current working directory (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+#else
+	// convert Path to unicode string
+	std::string unicode_path = path.to_string(tc::io::Path::Format::POSIX);
+
+	// get full path to directory
+	if (chdir(unicode_path.c_str()) != 0)
+	{
+		switch (errno) 
+		{
+			case (EACCES): // Search permission is denied for any component of the path name.
+				throw tc::UnauthorisedAccessException(kClassName+"::setWorkingDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENAMETOOLONG): // A component of a pathname exceeded {NAME_MAX} characters, or an entire path name exceeded {PATH_MAX} characters.
+				throw tc::io::PathTooLongException(kClassName+"::setWorkingDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOENT): // The named directory does not exist.
+			case (ENOTDIR): // A component of the path prefix is not a directory.
+				throw tc::io::DirectoryNotFoundException(kClassName+"::setWorkingDirectory()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EFAULT): // Path points outside the process's allocated address space.
+			case (EIO): // An I/O error occurred while reading from or writing to the file system.
+			case (ELOOP): //  Too many symbolic links were encountered in translating the pathname.  This is taken to be indicative of a looping symbolic link.
+			default:
+				throw tc::io::IOException(kClassName+"::setWorkingDirectory()", "Failed to get directory info (chdir)(" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+#endif
+}
+
+void tc::io::LocalFileSystem::getDirectoryListing(const tc::io::Path& path, sDirectoryListing& info)
+{
+	std::vector<std::string> child_dir_name_list;
+	std::vector<std::string> child_file_name_list;
+	Path current_directory_path;
+#ifdef _WIN32
+	Path wildcard_path = path + tc::io::Path("*");
+
+	// convert Path to unicode string
+	std::u16string unicode_path = wildcard_path.to_u16string(tc::io::Path::Format::Win32);
+
+	HANDLE dir_handle = INVALID_HANDLE_VALUE;
+	WIN32_FIND_DATAW dir_entry;
+
+	dir_handle = FindFirstFileW((LPCWSTR)unicode_path.c_str(), &dir_entry);
+	if (dir_handle == INVALID_HANDLE_VALUE) 
+	{
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			default:
+				throw tc::io::IOException(kClassName+"::getDirectoryListing()", "Failed to open directory (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+
+	do {
+		std::string utf8_name;
+		tc::string::TranscodeUtil::UTF16ToUTF8((char16_t*)dir_entry.cFileName, utf8_name);
+
+		if (dir_entry.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) 
+		{
+			child_dir_name_list.push_back(utf8_name);
+		}
+		else 
+		{
+			child_file_name_list.push_back(utf8_name);
+		}
+	} while (FindNextFileW(dir_handle, &dir_entry) != 0);
+
+	// throw error where GetLastError() isn't just that there were no more files
+	if (GetLastError() != ERROR_NO_MORE_FILES) 
+	{
+		FindClose(dir_handle);
+
+		DWORD error = GetLastError();
+		switch (error)
+		{
+			default:
+				throw tc::io::IOException(kClassName+"::getDirectoryListing()", "Failed to open directory (" + PlatformErrorHandlingUtil::GetLastErrorString(error) + ")");
+		}
+	}
+
+	FindClose(dir_handle);
+	
+
+	// save current dir for later
+	Path prev_current_dir;
+	getWorkingDirectory(prev_current_dir);
+
+	// change the directory
+	setWorkingDirectory(path);
+
+	// save the path
+	getWorkingDirectory(current_directory_path);
+
+	// restore current directory
+	setWorkingDirectory(prev_current_dir);
+#else
+	// convert Path to unicode string
+	std::string unicode_path = path.to_string(tc::io::Path::Format::POSIX);
+	
+	// open directory
+	DIR *dp;
+	dp = opendir(unicode_path.c_str());
+	if (dp == nullptr)
+	{
+		switch (errno) 
+		{
+			case (EACCES): // Permission denied.
+				throw tc::UnauthorisedAccessException(kClassName+"::getDirectoryListing()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (ENOTDIR): // A component of the path prefix is not a directory. // name is not a directory.
+			case (ENOENT): // Directory does not exist, or name is an empty string.
+				throw tc::io::DirectoryNotFoundException(kClassName+"::getDirectoryListing()", PlatformErrorHandlingUtil::GetGnuErrorNumString(errno));
+			case (EBADF): // fd is not a valid file descriptor open for reading.
+			case (EMFILE):
+			case (ENFILE):
+			case (ENOMEM):
+			default:
+				throw tc::io::IOException(kClassName+"::getDirectoryListing()", "Failed to get directory info (opendir)(" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+
+	// get file and directory names
+	child_dir_name_list.clear();
+	child_file_name_list.clear();
+	
+	// since errno can be set by external sources it will be cleared, since the conditions for checking errno being set aren't specific to failure
+	errno = 0;
+	for (struct dirent *ep = readdir(dp); ep != nullptr && errno == 0; ep = readdir(dp))
+	{
+		if (ep->d_type == DT_DIR)
+		{
+			child_dir_name_list.push_back(std::string(ep->d_name));
+		}
+		else if (ep->d_type == DT_REG)
+		{
+			child_file_name_list.push_back(std::string(ep->d_name));
+		}
+	}
+
+	// throw an error if necessary 
+	if (errno != 0)
+	{
+		switch (errno) 
+		{
+			case (EBADF): // fd is not a valid file descriptor open for reading.
+			case (EIO): // An I/O error occurred while reading from or writing to the file system.
+			default:
+				throw tc::io::IOException(kClassName+"::getDirectoryListing()", "Failed to get directory info (readdir)(" + PlatformErrorHandlingUtil::GetGnuErrorNumString(errno) + ")");
+		}
+	}
+	
+
+	// close dp
+	closedir(dp);
+
+	// save current dir for later
+	Path prev_current_dir;
+	getWorkingDirectory(prev_current_dir);
+
+	// change the directory
+	setWorkingDirectory(path);
+
+	// save the path
+	getWorkingDirectory(current_directory_path);
+
+	// restore current directory
+	setWorkingDirectory(prev_current_dir);
+#endif
+	info.abs_path = current_directory_path;
+	info.dir_list = child_dir_name_list;
+	info.file_list = child_file_name_list;
+}
+
+#ifdef _WIN32
+
+#pragma warning(default : 4065) // reenable warning for switch case with only default case
+
+#endif
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/MemorySource.cpp b/ctrtool/deps/libtoolchain/src/io/MemorySource.cpp
new file mode 100644
index 00000000..e6bd3ea9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/MemorySource.cpp
@@ -0,0 +1,49 @@
+#include <tc/io/MemorySource.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::MemorySource::kClassName = "tc::io::MemorySource";
+
+tc::io::MemorySource::MemorySource() :
+	mData()
+{
+
+}
+
+tc::io::MemorySource::MemorySource(const tc::ByteData& byte_data) :
+	mData(byte_data)
+{
+
+}
+
+tc::io::MemorySource::MemorySource(tc::ByteData&& byte_data) :
+	mData(std::move(byte_data))
+{
+
+}
+
+
+tc::io::MemorySource::MemorySource(const byte_t* data, size_t len) :
+	mData(data, len)
+{
+}
+
+int64_t tc::io::MemorySource::length()
+{
+	return int64_t(mData.size());
+}
+
+tc::ByteData tc::io::MemorySource::pullData(int64_t offset, size_t count)
+{
+	size_t read_len = IOUtil::getReadableCount(this->length(), offset, count);
+
+	// if the read length is zero then return now.
+	if (read_len == 0)
+		return tc::ByteData();
+
+
+	tc::ByteData out(read_len);
+
+	memcpy(out.data(), mData.data() + offset, read_len);
+
+	return out;
+}
diff --git a/ctrtool/deps/libtoolchain/src/io/MemoryStream.cpp b/ctrtool/deps/libtoolchain/src/io/MemoryStream.cpp
new file mode 100644
index 00000000..d7e3ed54
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/MemoryStream.cpp
@@ -0,0 +1,155 @@
+#include <tc/io/MemoryStream.h>
+
+#include <limits>
+#include <tc/io/StreamUtil.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::MemoryStream::kClassName = "tc::io::MemoryStream";
+
+tc::io::MemoryStream::MemoryStream() :
+	MemoryStream(0)
+{}
+
+tc::io::MemoryStream::MemoryStream(size_t length) :
+	mData(),
+	mPosition(0)
+{
+	setLength(length);
+}
+
+tc::io::MemoryStream::MemoryStream(const tc::ByteData& byte_data) :
+	mData(byte_data),
+	mPosition(0)
+{
+
+}
+
+tc::io::MemoryStream::MemoryStream(tc::ByteData&& byte_data) :
+	mData(std::move(byte_data)),
+	mPosition(0)
+{
+
+}
+
+tc::io::MemoryStream::MemoryStream(const byte_t* data, size_t len) :
+	mData(data, len),
+	mPosition(0)
+{
+}
+
+bool tc::io::MemoryStream::canRead() const 
+{
+	return true;
+}
+
+bool tc::io::MemoryStream::canWrite() const 
+{
+	return true;
+}
+	
+bool tc::io::MemoryStream::canSeek() const 
+{
+	return true;
+}
+
+int64_t tc::io::MemoryStream::length() 
+{
+	return mData.size();
+}
+
+int64_t tc::io::MemoryStream::position() 
+{
+	return mPosition;
+}
+
+size_t tc::io::MemoryStream::read(byte_t* ptr, size_t count) 
+{
+	if (ptr == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName+"::read()", "ptr is null.");
+	}
+
+	count = IOUtil::getReadableCount(IOUtil::castSizeToInt64(mData.size()), mPosition, count);
+
+	memcpy(ptr, mData.data() + mPosition, count);
+
+	mPosition += IOUtil::castSizeToInt64(count);
+
+	return count;
+}
+
+size_t tc::io::MemoryStream::write(const byte_t* ptr, size_t count) 
+{
+	if (ptr == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName+"::write()", "ptr is null.");
+	}
+
+	// check if the position is past the end of stream, enlarge stream in this case
+	if ((IOUtil::castInt64ToSize(mPosition) + count) > mData.size())
+	{
+		setLength(mPosition + IOUtil::castSizeToInt64(count));
+	}
+
+	count = IOUtil::getWritableCount(IOUtil::castSizeToInt64(mData.size()), mPosition, count);
+
+	memcpy(mData.data() + mPosition, ptr, count);
+
+	mPosition += IOUtil::castSizeToInt64(count);
+
+	return count;
+}
+
+int64_t tc::io::MemoryStream::seek(int64_t offset, SeekOrigin origin) 
+{
+	int64_t new_pos = StreamUtil::getSeekResult(offset, origin, mPosition, (int64_t)mData.size());
+
+	if (new_pos < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName+"::seek()", "New position is negative.");
+	}
+
+	mPosition = new_pos;
+
+	return mPosition;
+}
+
+void tc::io::MemoryStream::setLength(int64_t length) 
+{
+	// check length isn't too large (int64_t could be larger than size_t)
+	if (IOUtil::castInt64ToSize(length) > std::numeric_limits<size_t>::max())
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName+"::setLength()", "Length greater than maxium possible length for MemoryStream");
+	}
+
+	// check length isn't negative
+	if (length < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName+"::setLength()", "Length is negative.");
+	}
+
+	// create new ByteData
+	ByteData data(IOUtil::castInt64ToSize(length));
+
+	// determine copy length (between old and new ByteData)
+	size_t copy_len = std::min<size_t>(data.size(), mData.size());
+
+	// copy from old to new ByteData
+	memcpy(data.data(), mData.data(), copy_len);
+
+	// re-assign mData (this frees the old mData)
+	mData = data;
+
+	// reduce position if shrunk
+	mPosition = std::min<int64_t>(mPosition, int64_t(mData.size()));
+}
+
+void tc::io::MemoryStream::flush() 
+{
+	// do nothing
+}
+
+void tc::io::MemoryStream::dispose() 
+{
+	mData = ByteData();
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/OverlayedSource.cpp b/ctrtool/deps/libtoolchain/src/io/OverlayedSource.cpp
new file mode 100644
index 00000000..d71a0944
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/OverlayedSource.cpp
@@ -0,0 +1,143 @@
+#include <tc/io/OverlayedSource.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::OverlayedSource::kClassName = "tc::io::OverlayedSource";
+
+tc::io::OverlayedSource::OverlayedSource() :
+	mBaseSource(),
+	mOverlaySourceInfos()
+{
+
+}
+
+tc::io::OverlayedSource::OverlayedSource(const std::shared_ptr<tc::io::ISource>& base_source, const std::shared_ptr<tc::io::ISource>& overlay_source, int64_t offset, int64_t length) :
+	OverlayedSource(base_source, {OverlaySourceInfo{overlay_source, offset, length}})
+{
+
+}
+
+tc::io::OverlayedSource::OverlayedSource(const std::shared_ptr<tc::io::ISource>& base_source, const std::vector<OverlaySourceInfo>& overlay_source_infos)
+{
+	// throw exception if the base source is null
+	if (base_source == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName+"::OverlayedSource()", "base_source was null.");
+	}
+		
+	// copy base source ptr
+	mBaseSource = base_source;
+
+	// check/import overlay sources
+	for (auto itr = overlay_source_infos.begin(); itr != overlay_source_infos.end(); itr++)
+	{
+		// skip regions with no length
+		if (itr->length == 0)
+		{
+			continue;
+		}
+
+		// throw exception if a overlay source is null
+		if (itr->overlay_source == nullptr)
+		{
+			throw tc::ArgumentNullException(kClassName+"::OverlayedSource()", "overlay_source was null.");
+		}
+
+		// throw exception if overly region offset is negative
+		if (itr->offset < 0)
+		{
+			throw tc::ArgumentOutOfRangeException(kClassName+"::OverlayedSource()", "Invalid overlay region. Overlay offset is negative.");
+		}
+
+		// throw exception if the overlay region offset is beyond the length of the base source
+		if (itr->offset > mBaseSource->length())
+		{
+			throw tc::ArgumentOutOfRangeException(kClassName+"::OverlayedSource()", "Invalid overlay region. Overlay offset beyond length of base_source.");
+		}
+
+		// throw exception if the overlay region exceeds the length of the base source
+		if ((itr->offset + itr->length) > mBaseSource->length())
+		{
+			throw tc::ArgumentOutOfRangeException(kClassName+"::OverlayedSource()", "Invalid overlay region. Overlay region exceeds the length of base_source.");
+		}
+
+		// throw exception if the overlay region exceeds the length of the overlay source
+		if (itr->length > itr->overlay_source->length())
+		{
+			throw tc::ArgumentOutOfRangeException(kClassName+"::OverlayedSource()", "Invalid overlay region. Overlay region exceeds the length of overlay_source.");
+		}
+
+		// save overlay source info
+		mOverlaySourceInfos.push_back(*itr);
+	}
+}
+
+int64_t tc::io::OverlayedSource::length()
+{
+	// return 0 if mBaseSource is null, otherwise deref the pointer and get the length
+	return mBaseSource == nullptr ? 0 : mBaseSource->length();
+}
+
+tc::ByteData tc::io::OverlayedSource::pullData(int64_t offset, size_t count)
+{
+	// return empty byte_data if the base is empty
+	if (mBaseSource == nullptr)
+		return tc::ByteData();
+
+	size_t read_len = IOUtil::getReadableCount(this->length(), offset, count);
+
+	// if the read length is zero then return now.
+	if (read_len == 0)
+		return tc::ByteData();
+
+	// get base source byte_data, this will be overwritten with regions 
+	tc::ByteData out = mBaseSource->pullData(offset, count);
+
+	// iterate thru the overlays
+	for (auto itr = mOverlaySourceInfos.begin(); itr != mOverlaySourceInfos.end(); itr++)
+	{
+		int64_t overlay_pull_offset = 0;
+		size_t overlay_pull_count = 0;
+
+		// skip overlay if the pullable count is 0
+		getOverlaySourcePullableRegion(offset, count, *itr, overlay_pull_offset, overlay_pull_count);
+		if (overlay_pull_count == 0)
+		{
+			continue;
+		}
+
+		// pull data from overlay
+		ByteData overlay_pull = itr->overlay_source->pullData(overlay_pull_offset, overlay_pull_count);
+
+		// adjust the outsize to be the minimum of the ByteData & attempted pull_count
+		overlay_pull_count = std::min<size_t>(overlay_pull.size(), overlay_pull_count);
+		
+		// copy into out buffer
+		int64_t overlay_offset_in_out = (overlay_pull_offset + itr->offset) - offset;
+		memcpy(out.data() + overlay_offset_in_out, overlay_pull.data(), overlay_pull_count);
+	}
+
+	return out;
+}
+
+void tc::io::OverlayedSource::getOverlaySourcePullableRegion(int64_t base_pull_offset, size_t base_pull_count, const OverlaySourceInfo& overlay_info, int64_t& overlay_pull_offset, size_t& overlay_pull_count)
+{
+	int64_t overlay_relative_start_offset = base_pull_offset - overlay_info.offset;
+	int64_t overlay_relative_end_offset = overlay_relative_start_offset + int64_t(base_pull_count);
+
+	// if the start offset > overlay length: then the data starts after the overlay ends
+	// if the end offset < 0: then the data ends before the overlay begins
+	if (overlay_relative_start_offset > overlay_info.length || overlay_relative_end_offset < 0)
+	{
+		overlay_pull_offset = 0;
+		overlay_pull_count = 0;
+	}
+	// otherwise some or all of the overlay can be used
+	else
+	{
+		// the offset must be reset to zero if it is negative
+		overlay_pull_offset = overlay_relative_start_offset > 0 ? overlay_relative_start_offset : 0;
+
+		// getReadableSize will cap the amount read if it exceeds the base_length
+		overlay_pull_count = IOUtil::getReadableCount(overlay_info.length, overlay_pull_offset, size_t(overlay_relative_end_offset - overlay_pull_offset));
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/PaddingSource.cpp b/ctrtool/deps/libtoolchain/src/io/PaddingSource.cpp
new file mode 100644
index 00000000..8089f499
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/PaddingSource.cpp
@@ -0,0 +1,34 @@
+#include <tc/io/PaddingSource.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::PaddingSource::kClassName = "tc::io::PaddingSource";
+
+tc::io::PaddingSource::PaddingSource() :
+	mSourceLength(0),
+	mPaddingByte(0)
+{
+}
+
+tc::io::PaddingSource::PaddingSource(byte_t padding_byte, int64_t size) :
+	mSourceLength(size),
+	mPaddingByte(padding_byte)
+{
+	if (size < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "length is negative");
+	}
+}
+
+int64_t tc::io::PaddingSource::length()
+{
+	return mSourceLength;
+}
+
+tc::ByteData tc::io::PaddingSource::pullData(int64_t offset, size_t count)
+{
+	tc::ByteData data(IOUtil::getReadableCount(mSourceLength, offset, count));
+
+	memset(data.data(), mPaddingByte, data.size());
+	
+	return data;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/Path.cpp b/ctrtool/deps/libtoolchain/src/io/Path.cpp
new file mode 100644
index 00000000..7f66a422
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/Path.cpp
@@ -0,0 +1,331 @@
+
+#include <tc/io/Path.h>
+#include <tc/string.h>
+#include <tc/Exception.h>
+
+#include <fmt/core.h>
+#include <sstream>
+#include <iostream>
+#include <regex>
+
+static const char kWindowsPathSeparator = '\\'; /**< Path separator used on Microsoft Windows based systems */
+static const char kPosixPathSeparator = '/'; /**< Path separator used on POSIX based systems */
+#ifdef _WIN32
+static const char kNativePathSeparator = kWindowsPathSeparator; /**< Path separator for the native environment */
+#else
+static const char kNativePathSeparator = kPosixPathSeparator; /**< Path separator for the native environment */
+#endif
+
+const std::string tc::io::Path::kClassName = "tc::io::Path";
+
+tc::io::Path::Path()
+{}
+
+tc::io::Path::Path(std::initializer_list<std::string> list) :
+	mUnicodePath(list)
+{
+}
+
+tc::io::Path::Path(const std::string& path)
+{
+	initializePath(path);
+}
+
+tc::io::Path::Path(const std::u16string& path)
+{
+	std::string utf8_path;
+	string::TranscodeUtil::UTF16ToUTF8(path, utf8_path);
+	initializePath(utf8_path);
+}
+
+tc::io::Path::Path(const std::u32string& path)
+{
+	std::string utf8_path;
+	string::TranscodeUtil::UTF32ToUTF8(path, utf8_path);
+	initializePath(utf8_path);
+}
+
+tc::io::Path tc::io::Path::operator+(const Path& other) const
+{
+	Path new_path = *this;
+	new_path.appendPath(other.mUnicodePath);
+	return new_path;
+}
+
+void tc::io::Path::operator+=(const Path& other)
+{
+	appendPath(other.mUnicodePath);
+}
+
+bool tc::io::Path::operator==(const Path& other) const
+{
+	return mUnicodePath == other.mUnicodePath;
+}
+
+bool tc::io::Path::operator!=(const Path& other) const
+{
+	return !(this->operator==(other));
+}
+
+bool tc::io::Path::operator<(const Path& other) const
+{
+	int cmp_score = 0;
+
+	auto self_itr = this->begin();
+	auto other_itr = other.begin();
+
+	// in this loop for as long as both path has an itr, it'll compare them
+	for (; self_itr != this->end() && other_itr != other.end(); self_itr++, other_itr++)
+	{
+		cmp_score = self_itr->compare(*other_itr);
+		if (cmp_score != 0)
+			break;
+	}
+
+	// if one of the itrs isn't the end, then that one is "larger"
+	// it can't be both or the prior loop won't have ended
+	if (cmp_score == 0 && (self_itr != this->end() || other_itr != other.end()))
+	{
+		cmp_score = self_itr == this->end() ? -1 : 1;
+	}
+
+	return cmp_score < 0;
+}
+
+tc::io::Path::iterator tc::io::Path::begin()
+{
+	return mUnicodePath.begin();
+}
+
+std::string& tc::io::Path::front()
+{
+	return mUnicodePath.front();
+}
+
+const std::string& tc::io::Path::front() const
+{
+	return mUnicodePath.front();
+}
+
+std::string& tc::io::Path::back()
+{
+	return mUnicodePath.back();
+}
+
+const std::string& tc::io::Path::back() const
+{
+	return mUnicodePath.back();
+}
+
+tc::io::Path::const_iterator tc::io::Path::begin() const
+{
+	return mUnicodePath.begin();
+}
+
+tc::io::Path::iterator tc::io::Path::end()
+{
+	return mUnicodePath.end();
+}
+
+tc::io::Path::const_iterator tc::io::Path::end() const
+{
+	return mUnicodePath.end();
+}
+
+void tc::io::Path::pop_front()
+{
+	mUnicodePath.pop_front();
+}
+
+void tc::io::Path::pop_back()
+{
+	mUnicodePath.pop_back();
+}
+
+void tc::io::Path::push_front(const std::string& str)
+{
+	mUnicodePath.push_front(str);
+}
+
+void tc::io::Path::push_back(const std::string& str)
+{
+	mUnicodePath.push_back(str);
+}
+
+void tc::io::Path::clear()
+{
+	mUnicodePath.clear();
+}
+
+size_t tc::io::Path::size() const
+{
+	return mUnicodePath.size();
+}
+
+bool tc::io::Path::empty() const
+{
+	return mUnicodePath.empty();
+}
+
+tc::io::Path tc::io::Path::subpath(size_t pos, size_t len) const
+{
+	tc::io::Path out_path;
+
+	auto itr = begin();
+	size_t index = 0;
+
+	// while the out_path size is less than len and the iterator hasn't ended
+	while ( out_path.size() < len && itr != end() )
+	{
+		// provided the index >= pos save the element
+		if (index >= pos)
+		{
+			out_path.push_back(*itr);
+		}
+
+		itr++;
+		index++;
+	}
+
+	return out_path;
+}
+
+tc::io::Path tc::io::Path::subpath(const_iterator begin, const_iterator end) const
+{
+	tc::io::Path out_path;
+
+	for (auto itr = begin; itr != end && itr != this->end(); itr++)
+	{
+		out_path.push_back(*itr);
+	}
+
+	return out_path;
+}
+
+std::string tc::io::Path::to_string(Format format) const
+{
+	std::string path_str = "";
+
+	if (format == Path::Format::Native)
+	{
+#ifdef _WIN32
+		format = Path::Format::Win32;
+#else
+		format = Path::Format::POSIX;
+#endif	
+	}
+
+	std::string path_separator_str;
+	switch (format)
+	{
+	case (Path::Format::POSIX):
+		path_separator_str = fmt::format("{:c}", kPosixPathSeparator);
+		break;
+	case (Path::Format::Win32):
+		path_separator_str = fmt::format("{:c}", kWindowsPathSeparator);
+		break;
+	default:
+		throw tc::ArgumentException(kClassName, "Invalid Format type.");
+	}
+
+	// special case where the path has one element and its the root path
+	if (this->size() == 1)
+	{
+		// for POSIX style this is the empty string ("/")
+		if (format == Path::Format::POSIX && this->front() == "")
+			return path_separator_str;
+		// for Win32 style this is a drive letter followed by ':' e.g. ("C:\")
+		else if (format == Path::Format::Win32 && std::regex_match(this->front(), std::regex("^([A-Z,a-z]):")))
+			return fmt::format("{}{}", this->front(), path_separator_str);
+	} 
+
+	for (const_iterator itr = this->begin(); itr != this->end(); itr++)
+	{
+		path_str += *itr;
+		// don't print path separator where it would be trailing character
+		if (itr != --(this->end()))
+			path_str += path_separator_str;
+	}
+
+	return path_str;
+}
+
+std::u16string tc::io::Path::to_u16string(Format format) const
+{
+	std::string u8string = to_string(format);
+	std::u16string u16string;
+
+	// convert
+	string::TranscodeUtil::UTF8ToUTF16(u8string, u16string);
+
+	// return
+	return u16string;
+}
+
+std::u32string tc::io::Path::to_u32string(Format format) const
+{
+	std::string u8string = to_string(format);
+	std::u32string u32string;
+
+	// convert
+	string::TranscodeUtil::UTF8ToUTF32(u8string, u32string);
+
+	// return
+	return u32string;
+}
+
+tc::io::Path::operator std::string() const
+{
+	return to_string(Format::Native);
+}
+
+tc::io::Path::operator std::u16string() const
+{
+	return to_u16string(Format::Native);
+}
+
+tc::io::Path::operator std::u32string() const
+{
+	return to_u32string(Format::Native);
+}
+
+void tc::io::Path::initializePath(const std::string& src)
+{
+	size_t windows_slash_count = 0;
+	size_t posix_slash_count = 0;
+	for (size_t i = 0; i < src.size(); i++)
+	{
+		if (src[i] == kWindowsPathSeparator)
+			windows_slash_count += 1;
+		else if (src[i] == kPosixPathSeparator)
+			posix_slash_count += 1;
+	}
+
+	if (windows_slash_count != 0 && posix_slash_count != 0)
+	{
+		throw tc::ArgumentException(kClassName, "Path literal has both forward ('/') and backward ('\\') path separators.");
+	}
+
+	char path_delimiter = kNativePathSeparator;
+	if (windows_slash_count > 0)
+		path_delimiter = kWindowsPathSeparator;
+	else if (posix_slash_count > 0)
+		path_delimiter = kPosixPathSeparator;
+
+
+	std::stringstream src_stream(src);
+
+	std::string element;
+	while (std::getline(src_stream, element, path_delimiter))
+	{
+		mUnicodePath.push_back(element);
+	}
+}
+
+void tc::io::Path::appendPath(const std::list<std::string>& other)
+{
+	for (std::list<std::string>::const_iterator itr = other.begin(); itr != other.end(); itr++)
+	{
+		mUnicodePath.push_back(*itr);
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/PathUtil.cpp b/ctrtool/deps/libtoolchain/src/io/PathUtil.cpp
new file mode 100644
index 00000000..7f601d9f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/PathUtil.cpp
@@ -0,0 +1,12 @@
+#include <tc/io/PathUtil.h>
+#include <tc/string.h>
+
+void tc::io::PathUtil::pathToWindowsUTF16(const tc::io::Path& path, std::u16string& out)
+{
+	out = path.to_u16string(tc::io::Path::Format::Win32);
+}
+
+void tc::io::PathUtil::pathToUnixUTF8(const tc::io::Path& path, std::string& out)
+{
+	out = path.to_string(tc::io::Path::Format::POSIX);
+}
diff --git a/ctrtool/deps/libtoolchain/src/io/StreamSink.cpp b/ctrtool/deps/libtoolchain/src/io/StreamSink.cpp
new file mode 100644
index 00000000..e78c0a50
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/StreamSink.cpp
@@ -0,0 +1,54 @@
+#include <tc/io/StreamSink.h>
+
+const std::string tc::io::StreamSink::kClassName = "tc::io::StreamSink";
+
+tc::io::StreamSink::StreamSink() :
+	mBaseStream(nullptr)
+{
+}
+
+tc::io::StreamSink::StreamSink(const std::shared_ptr<tc::io::IStream>& stream) :
+	mBaseStream(stream)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName, "The base stream is null.");
+	}
+
+	if (mBaseStream->canWrite() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "The base stream does not support writing.");
+	}
+
+	if (mBaseStream->canSeek() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "The base stream does not support seeking.");
+	}
+}
+
+int64_t tc::io::StreamSink::length()
+{
+	return mBaseStream == nullptr ? 0 :mBaseStream->length();
+}
+
+void tc::io::StreamSink::setLength(int64_t length)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::setLength()", "The base stream was not initialized.");
+	}
+
+	mBaseStream->setLength(length);
+}
+
+size_t tc::io::StreamSink::pushData(const tc::ByteData& data, int64_t offset)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::pushData()", "The base stream was not initialized.");
+	}
+
+	mBaseStream->seek(offset, tc::io::SeekOrigin::Begin);
+
+	return mBaseStream->write(data.data(), data.size());
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/StreamSource.cpp b/ctrtool/deps/libtoolchain/src/io/StreamSource.cpp
new file mode 100644
index 00000000..4ee18549
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/StreamSource.cpp
@@ -0,0 +1,55 @@
+#include <tc/io/StreamSource.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::StreamSource::kClassName = "tc::io::StreamSource";
+
+tc::io::StreamSource::StreamSource() :
+	mBaseStream(nullptr)
+{
+}
+
+tc::io::StreamSource::StreamSource(const std::shared_ptr<tc::io::IStream>& stream) :
+	mBaseStream(stream)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName, "The base stream is null.");
+	}
+
+	if (mBaseStream->canRead() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "The base stream does not support reading.");
+	}
+
+	if (mBaseStream->canSeek() == false)
+	{
+		throw tc::NotSupportedException(kClassName, "The base stream does not support seeking.");
+	}
+}
+
+int64_t tc::io::StreamSource::length()
+{
+	return mBaseStream == nullptr ? 0 : mBaseStream->length();
+}
+
+tc::ByteData tc::io::StreamSource::pullData(int64_t offset, size_t count)
+{
+	// get readable count
+	size_t read_count = IOUtil::getReadableCount(this->length(), offset, count);
+
+	// return if nothing is to be read
+	if (read_count == 0)
+	{
+		return tc::ByteData();
+	}
+	
+	// allocate ByteData
+	ByteData data(read_count);
+
+	// read from stream (note this will not be called if mBaseStream is null, as in that case read_count == 0, and this code won't be reached)
+	mBaseStream->seek(offset, tc::io::SeekOrigin::Begin);
+	mBaseStream->read(data.data(), data.size());
+
+	// return populated ByteData
+	return data;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/StreamUtil.cpp b/ctrtool/deps/libtoolchain/src/io/StreamUtil.cpp
new file mode 100644
index 00000000..c249c841
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/StreamUtil.cpp
@@ -0,0 +1,22 @@
+#include <tc/io/StreamUtil.h>
+
+int64_t tc::io::StreamUtil::getSeekResult(int64_t offset, tc::io::SeekOrigin origin, int64_t current_position, int64_t stream_length)
+{
+	int64_t new_pos = 0;
+	switch (origin)
+	{
+		case (SeekOrigin::Begin):
+			new_pos = offset;
+			break;
+		case (SeekOrigin::Current):
+			new_pos = current_position + offset;
+			break;
+		case (SeekOrigin::End):
+			new_pos = stream_length + offset;
+			break;
+		default:
+			throw tc::ArgumentOutOfRangeException("Illegal value for origin.");
+	}
+
+	return new_pos;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/SubFileSystem.cpp b/ctrtool/deps/libtoolchain/src/io/SubFileSystem.cpp
new file mode 100644
index 00000000..a5fe2add
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/SubFileSystem.cpp
@@ -0,0 +1,216 @@
+#include <tc/io/SubFileSystem.h>
+
+const std::string tc::io::SubFileSystem::kClassName = "tc::io::SubFileSystem";
+
+tc::io::SubFileSystem::SubFileSystem() :
+	mBaseFileSystem(),
+	mBasePathResolver(),
+	mSubPathResolver()
+{
+}
+
+tc::io::SubFileSystem::SubFileSystem(const std::shared_ptr<tc::io::IFileSystem>& file_system, const tc::io::Path& base_path) :
+	SubFileSystem()
+{
+	// copy IFileSystem ptr
+	mBaseFileSystem = file_system;
+	
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName, "file_system is null");
+	}
+	else if (mBaseFileSystem->state().test(RESFLAG_READY) == false)
+	{
+		throw tc::InvalidOperationException(kClassName, "file_system is not ready");
+	}	
+
+	// save current path
+	tc::io::Path prev_canonical_base_path;
+	mBaseFileSystem->getWorkingDirectory(prev_canonical_base_path);
+
+	// get full path of root
+	tc::io::Path canonical_base_path;
+	mBaseFileSystem->setWorkingDirectory(base_path);
+	mBaseFileSystem->getWorkingDirectory(canonical_base_path);
+
+	// restore current path
+	mBaseFileSystem->setWorkingDirectory(prev_canonical_base_path);
+
+	// set state for path resolvers
+	mBasePathResolver.setCurrentDirectory(canonical_base_path);
+	mSubPathResolver.setCurrentDirectory(tc::io::Path("/"));
+}
+
+tc::ResourceStatus tc::io::SubFileSystem::state()
+{
+	return mBaseFileSystem.get() ? mBaseFileSystem->state() : tc::ResourceStatus(1 << tc::RESFLAG_NOINIT);
+}
+
+void tc::io::SubFileSystem::dispose()
+{
+	if (mBaseFileSystem.get() != nullptr)
+		mBaseFileSystem->dispose();
+
+	mBasePathResolver = tc::io::BasicPathResolver();
+	mSubPathResolver = tc::io::BasicPathResolver();
+}
+
+void tc::io::SubFileSystem::createFile(const tc::io::Path& path)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::createFile()", "Failed to create file (no base file system)");
+	}
+
+	// convert sub filesystem path to real path
+	tc::io::Path real_path;
+	subPathToRealPath(path, real_path);
+
+	// create file
+	mBaseFileSystem->createFile(real_path);
+}
+
+void tc::io::SubFileSystem::removeFile(const tc::io::Path& path)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::removeFile()", "Failed to remove file (no base file system)");
+	}
+
+	// convert sub filesystem path to real path
+	tc::io::Path real_path;
+	subPathToRealPath(path, real_path);
+
+	// delete file
+	mBaseFileSystem->removeFile(real_path);
+}
+
+void tc::io::SubFileSystem::openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::openFile()", "Failed to open file (no base file system)");
+	}
+
+	// convert sub filesystem path to real path
+	tc::io::Path real_path;
+	subPathToRealPath(path, real_path);
+
+	// open file
+	return mBaseFileSystem->openFile(real_path, mode, access, stream);
+}
+
+void tc::io::SubFileSystem::createDirectory(const tc::io::Path& path)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::createDirectory()", "Failed to create directory (no base file system)");
+	}
+
+	// convert sub filesystem path to real path
+	tc::io::Path real_path;
+	subPathToRealPath(path, real_path);
+
+	// create directory
+	mBaseFileSystem->createDirectory(real_path);
+}
+
+void tc::io::SubFileSystem::removeDirectory(const tc::io::Path& path)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::removeDirectory()", "Failed to remove directory (no base file system)");
+	}
+
+	// convert sub filesystem path to real path
+	tc::io::Path real_path;
+	subPathToRealPath(path, real_path);
+
+	// remove directory
+	mBaseFileSystem->removeDirectory(real_path);
+}
+
+void tc::io::SubFileSystem::getWorkingDirectory(tc::io::Path& path)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::getWorkingDirectory()", "Failed to get current working directory (no base file system)");
+	}
+
+	path = mSubPathResolver.getCurrentDirectory();
+}
+
+void tc::io::SubFileSystem::setWorkingDirectory(const tc::io::Path& path)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::setWorkingDirectory()", "Failed to set current working directory (no base file system)");
+	}
+
+	// convert sub filesystem path to real path
+	tc::io::Path canonical_base_path;
+	subPathToRealPath(path, canonical_base_path);
+
+	// save previous basefs working directory path
+	tc::io::Path prev_canonical_base_path;
+	mBaseFileSystem->getWorkingDirectory(prev_canonical_base_path);
+
+	// set and get working directory path so that canonical_base_path is populated with the full real path
+	mBaseFileSystem->setWorkingDirectory(canonical_base_path);
+	mBaseFileSystem->getWorkingDirectory(canonical_base_path);
+
+	// restore previous basefs working directory path
+	mBaseFileSystem->setWorkingDirectory(prev_canonical_base_path);
+
+	// save current directory
+	tc::io::Path canonical_sub_path;
+	realPathToSubPath(canonical_base_path, canonical_sub_path);
+	mSubPathResolver.setCurrentDirectory(canonical_sub_path);
+}
+
+void tc::io::SubFileSystem::getDirectoryListing(const tc::io::Path& path, sDirectoryListing& info)
+{
+	if (mBaseFileSystem == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::getDirectoryListing()", "Failed to get directory listing (no base file system)");
+	}
+
+	// convert sub filesystem path to real path
+	tc::io::Path canonical_base_path;
+	subPathToRealPath(path, canonical_base_path);
+
+	// get real directory info
+	tc::io::sDirectoryListing dir_info;
+	mBaseFileSystem->getDirectoryListing(canonical_base_path, dir_info);
+
+	// convert directory absolute path
+	tc::io::Path canonical_sub_path;
+	realPathToSubPath(dir_info.abs_path, canonical_sub_path);
+	
+	// update info with sub filesystem path
+	dir_info.abs_path = canonical_sub_path;
+
+	// write object to output
+	info = dir_info;
+}
+
+void tc::io::SubFileSystem::subPathToRealPath(const tc::io::Path& sub_path, tc::io::Path& real_path)
+{
+	// get canonical sub path
+	tc::io::Path canonical_sub_path = mSubPathResolver.resolveCanonicalPath(sub_path);
+
+	// get canonical base path
+	real_path = mBasePathResolver.resolveCanonicalPath(canonical_sub_path.subpath(1, tc::io::Path::npos));
+}
+
+void tc::io::SubFileSystem::realPathToSubPath(const tc::io::Path& real_path, tc::io::Path& sub_path)
+{
+	tc::io::Path canonical_base_path = mBasePathResolver.getCurrentDirectory();
+
+	if (real_path.subpath(0, canonical_base_path.size()) != canonical_base_path)
+	{
+		throw tc::UnauthorisedAccessException(kClassName, "Sub filesystem escape detected");
+	}
+
+	sub_path = tc::io::Path("/") + real_path.subpath(canonical_base_path.size(), tc::io::Path::npos);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/SubSink.cpp b/ctrtool/deps/libtoolchain/src/io/SubSink.cpp
new file mode 100644
index 00000000..93b07172
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/SubSink.cpp
@@ -0,0 +1,73 @@
+#include <tc/io/SubSink.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::SubSink::kClassName = "tc::io::SubSink";
+
+tc::io::SubSink::SubSink() :
+	mBaseSink(nullptr),
+	mBaseSinkOffset(0),
+	mSubSinkLength(0)
+{
+
+}
+
+tc::io::SubSink::SubSink(const std::shared_ptr<tc::io::ISink>& sink, int64_t offset, int64_t length) :
+	SubSink()
+{
+	mBaseSink = sink;
+
+	// validate arguments
+	if (mBaseSink == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName, "The base sink is null.");
+	}
+
+	if (offset < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "offset is negative");
+	}
+	if (length < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "length is negative");
+	}
+
+	int64_t base_length = mBaseSink->length();
+
+	// validate arguments against sink length
+	// sub sink length should not be greater than the base sink length
+	if (length > base_length)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "The sub sink length is greater than base sink length.");
+	}
+	// Base length - length is the maximum possible offset for the sub sink
+	if (offset > (base_length - length))
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "The sub sink offset is greater than the maximum possible offset given the base sink length and sub sink length.");
+	}
+	
+	// set class state
+	mBaseSinkOffset = offset;
+	mSubSinkLength = length;
+}
+
+int64_t tc::io::SubSink::length()
+{
+	return mBaseSink == nullptr ? 0 : mSubSinkLength;
+}
+
+void tc::io::SubSink::setLength(int64_t length)
+{
+	throw tc::NotImplementedException(kClassName+"::setLength()", "setLength is not implemented for SubSink.");
+}
+
+size_t tc::io::SubSink::pushData(const tc::ByteData& data, int64_t offset)
+{
+	if (mBaseSink == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::pushData()", "Failed to push data (no base sink)");
+	}
+
+	auto new_data = tc::ByteData(data.data(), IOUtil::getWritableCount(mSubSinkLength, offset, data.size()));
+
+	return mBaseSink->pushData(new_data, mBaseSinkOffset + offset);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/SubSource.cpp b/ctrtool/deps/libtoolchain/src/io/SubSource.cpp
new file mode 100644
index 00000000..ff15adac
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/SubSource.cpp
@@ -0,0 +1,66 @@
+#include <tc/io/SubSource.h>
+#include <tc/io/IOUtil.h>
+
+const std::string tc::io::SubSource::kClassName = "tc::io::SubSource";
+
+tc::io::SubSource::SubSource() :
+	mBaseSource(nullptr),
+	mBaseSourceOffset(0),
+	mSubSourceLength(0)
+{
+
+}
+
+tc::io::SubSource::SubSource(const std::shared_ptr<tc::io::ISource>& source, int64_t offset, int64_t length) :
+	SubSource()
+{
+	mBaseSource = source;
+
+	// validate arguments
+	if (mBaseSource == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName, "source is null");
+	}
+
+	if (offset < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "offset is negative");
+	}
+	if (length < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "length is negative");
+	}
+
+	int64_t base_length = mBaseSource->length();
+
+	// validate arguments against source length
+	// sub source length should not be greater than the base source length
+	if (length > base_length)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "sub source length is greater than base source length");
+	}
+	// Base length - length is the maximum possible offset for the sub source
+	if (offset > (base_length - length))
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "sub source offset is greater than the maximum possible offset given the base source size and sub source size");
+	}
+	
+	// set class state
+	mBaseSourceOffset = offset;
+	mSubSourceLength = length;
+}
+
+int64_t tc::io::SubSource::length()
+{
+	return mBaseSource == nullptr ? 0 : mSubSourceLength;
+}
+
+tc::ByteData tc::io::SubSource::pullData(int64_t offset, size_t count)
+{
+	size_t pull_count = IOUtil::getReadableCount(length(), offset, count);
+
+	if (pull_count == 0)
+		return tc::ByteData();
+
+	return mBaseSource->pullData(mBaseSourceOffset + offset, pull_count);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/SubStream.cpp b/ctrtool/deps/libtoolchain/src/io/SubStream.cpp
new file mode 100644
index 00000000..d8044783
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/SubStream.cpp
@@ -0,0 +1,183 @@
+#include <tc/io/SubStream.h>
+#include <tc/io/IOUtil.h>
+#include <tc/io/StreamUtil.h>
+#include <algorithm>
+
+const std::string tc::io::SubStream::kClassName = "tc::io::SubStream";
+
+tc::io::SubStream::SubStream() :
+	mBaseStream(),
+	mBaseStreamOffset(0),
+	mSubStreamLength(0),
+	mSubStreamPosition(0)
+{}
+	
+
+tc::io::SubStream::SubStream(const std::shared_ptr<tc::io::IStream>& stream, int64_t offset, int64_t length) :
+	SubStream()
+{
+	// copy stream
+	mBaseStream = stream;
+
+	// validate the stream exists
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ArgumentNullException(kClassName, "stream is null");
+	}
+
+	// check if the stream supports seeking
+	if (mBaseStream->canSeek() == false)
+	{
+		tc::NotSupportedException(kClassName, "Streams that do not support seeking are not supported");
+	}
+
+	
+	// validate arguments
+	if (offset < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "offset is negative");
+	}
+	if (length < 0)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "length is negative");
+	}
+
+	int64_t base_length = mBaseStream->length();
+
+	// validate arguments against stream length
+	// substream length should not be greater than the base stream length
+	if (length > base_length)
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "SubStream length is greater than base stream length");
+	}
+	// Base length - length is the maximum possible offset for the substream
+	if (offset > (base_length - length))
+	{
+		throw tc::ArgumentOutOfRangeException(kClassName, "SubStream offset is greater than the maximum possible offset given the base stream size and SubStream size");
+	}
+	
+	// set class state
+	mBaseStreamOffset = offset;
+	mSubStreamLength = length;
+	mSubStreamPosition = 0;
+}
+
+bool tc::io::SubStream::canRead() const
+{
+	return mBaseStream == nullptr ? false : mBaseStream->canRead();
+}
+
+bool tc::io::SubStream::canWrite() const
+{
+	return mBaseStream == nullptr ? false : mBaseStream->canWrite();
+}
+bool tc::io::SubStream::canSeek() const
+{
+	return mBaseStream == nullptr ? false : mBaseStream->canSeek();
+}
+
+int64_t tc::io::SubStream::length()
+{
+	return mBaseStream == nullptr ? 0 : mSubStreamLength;
+}
+
+int64_t tc::io::SubStream::position()
+{
+	return mBaseStream == nullptr ? 0 : mSubStreamPosition;
+}
+
+size_t tc::io::SubStream::read(byte_t* ptr, size_t count)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::read()", "Failed to read from stream (stream is disposed)");
+	}
+
+	count = IOUtil::getReadableCount(mSubStreamLength, mSubStreamPosition, count);
+
+	// assert proper position in file
+	mBaseStream->seek(mBaseStreamOffset + mSubStreamPosition, SeekOrigin::Begin);
+
+	// read data
+	size_t data_read_size = mBaseStream->read(ptr, count);
+
+	// update sub stream position
+	seek(data_read_size, SeekOrigin::Current);
+
+	return data_read_size;
+}
+
+size_t tc::io::SubStream::write(const byte_t* ptr, size_t count)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::write()", "Failed to write to stream (stream is disposed)");
+	}
+
+	count = IOUtil::getWritableCount(mSubStreamLength, mSubStreamPosition, count);
+
+	// assert proper position in file
+	mBaseStream->seek(mBaseStreamOffset + mSubStreamPosition, SeekOrigin::Begin);
+
+	// write data
+	size_t data_written_size = mBaseStream->write(ptr, count);
+
+	// update sub stream position
+	seek(data_written_size, SeekOrigin::Current);
+
+	return data_written_size;
+}
+
+int64_t tc::io::SubStream::seek(int64_t offset, SeekOrigin origin)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::seek()", "Failed to set stream position (stream is disposed)");
+	}
+
+	mSubStreamPosition = StreamUtil::getSeekResult(offset, origin, mSubStreamPosition, mSubStreamLength);
+
+	if (mSubStreamPosition < 0)
+	{
+		throw tc::InvalidOperationException(kClassName+"::seek()", "Negative seek result determined");
+	}
+
+	return mSubStreamPosition;
+}
+
+void tc::io::SubStream::setLength(int64_t length)
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::setLength()", "Failed to set stream length (stream is disposed)");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::setLength()", "setLength is not implemented for SubStream");
+}
+
+void tc::io::SubStream::flush()
+{
+	if (mBaseStream == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::seek()", "Failed to flush stream (stream is disposed)");
+	}
+
+	mBaseStream->flush();
+}
+
+void tc::io::SubStream::dispose()
+{
+	if (mBaseStream.get() != nullptr)
+	{
+		// dispose base stream
+		mBaseStream->dispose();
+
+		// release ptr
+		mBaseStream.reset();
+	}
+	
+	// clear state
+	mBaseStreamOffset = 0;
+	mSubStreamLength = 0;
+	mSubStreamPosition = 0;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/io/VirtualFileSystem.cpp b/ctrtool/deps/libtoolchain/src/io/VirtualFileSystem.cpp
new file mode 100644
index 00000000..899c13d7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/io/VirtualFileSystem.cpp
@@ -0,0 +1,192 @@
+#include <tc/io/VirtualFileSystem.h>
+
+const std::string tc::io::VirtualFileSystem::kClassName = "tc::io::VirtualFileSystem";
+
+tc::io::VirtualFileSystem::VirtualFileSystem() :
+	mCurDir(nullptr),
+	mFsSnapshot(),
+	mPathResolver()
+{
+}
+
+tc::io::VirtualFileSystem::VirtualFileSystem(const FileSystemSnapshot& fs_snapshot, const std::shared_ptr<tc::io::IPortablePathResolver>& path_resolver) :
+	VirtualFileSystem()
+{
+	mFsSnapshot = fs_snapshot;
+	mPathResolver = path_resolver;
+
+	// Use default path resolver if none was provided
+	if (mPathResolver == nullptr)
+	{
+		mPathResolver = std::shared_ptr<tc::io::BasicPathResolver>(new tc::io::BasicPathResolver());
+	}
+	
+	// get root directory
+	tc::io::Path canonical_root_path = mPathResolver->resolveCanonicalPath(tc::io::Path("/"));
+
+	auto root_itr = mFsSnapshot.dir_entry_path_map.find(canonical_root_path);
+	// if the path was not found in the map, throw exception
+	if (root_itr == mFsSnapshot.dir_entry_path_map.end())
+	{
+		throw tc::InvalidOperationException(kClassName, "Failed to located root directory");
+	}
+	// if the dir_entry index isn't valid, throw exception
+	if (root_itr->second >= mFsSnapshot.dir_entries.size())
+	{
+		throw tc::InvalidOperationException(kClassName, "Failed to located root directory");
+	}
+
+	mCurDir = &mFsSnapshot.dir_entries.at(root_itr->second);
+}
+
+tc::ResourceStatus tc::io::VirtualFileSystem::state()
+{
+	return mCurDir == nullptr? tc::ResourceStatus(1 << tc::RESFLAG_NOINIT) : tc::ResourceStatus(1 << tc::RESFLAG_READY);
+}
+
+void tc::io::VirtualFileSystem::dispose()
+{
+	mCurDir = nullptr;
+	mFsSnapshot.dir_entries.clear();
+	mFsSnapshot.file_entries.clear();
+	mFsSnapshot.dir_entry_path_map.clear();
+	mFsSnapshot.file_entry_path_map.clear();
+	mPathResolver.reset();
+}
+
+void tc::io::VirtualFileSystem::createFile(const tc::io::Path& path)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::createFile()", "VirtualFileSystem not initialized");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::createFile()", "createFile is not supported for VirtualFileSystem");
+}
+
+void tc::io::VirtualFileSystem::removeFile(const tc::io::Path& path)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::removeFile()", "VirtualFileSystem not initialized");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::removeFile()", "removeFile is not supported for VirtualFileSystem");
+}
+
+void tc::io::VirtualFileSystem::openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::openFile()", "VirtualFileSystem not initialized");
+	}
+
+	tc::io::Path resolved_path = mPathResolver->resolveCanonicalPath(path);
+
+	if (mode != tc::io::FileMode::Open)
+	{
+		throw tc::NotSupportedException(kClassName+"::openFile()", "This file-system is read-only, only FileMode::Open is supported.");
+	}
+	if (access != tc::io::FileAccess::Read)
+	{
+		throw tc::NotSupportedException(kClassName+"::openFile()", "This file-system is read-only, only FileAccess::Read is supported.");
+	}
+
+	auto file_itr = mFsSnapshot.file_entry_path_map.find(resolved_path);
+	// if resolved_path does not exist in the map, throw exception
+	if (file_itr == mFsSnapshot.file_entry_path_map.end())
+	{
+		throw tc::io::FileNotFoundException(kClassName+"::openFile()", "File does not exist.");
+	}
+	// if the file_entry index isn't valid or leads to a null IStream pointer, throw exception
+	if (file_itr->second >= mFsSnapshot.file_entries.size() || mFsSnapshot.file_entries.at(file_itr->second).stream == nullptr)
+	{
+		throw tc::io::FileNotFoundException(kClassName+"::openFile()", "File does not exist.");
+	}
+	// if the stream has invalid properties, throw exception
+	if ( !(mFsSnapshot.file_entries.at(file_itr->second).stream->canRead() == true && mFsSnapshot.file_entries.at(file_itr->second).stream->canWrite() == false) )
+	{
+		throw tc::io::FileNotFoundException(kClassName+"::openFile()", "File does not exist.");
+	}
+
+	stream = mFsSnapshot.file_entries.at(file_itr->second).stream;
+}
+
+void tc::io::VirtualFileSystem::createDirectory(const tc::io::Path& path)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::createDirectory()", "VirtualFileSystem not initialized");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::createDirectory()", "createDirectory is not supported for VirtualFileSystem");
+}
+
+void tc::io::VirtualFileSystem::removeDirectory(const tc::io::Path& path)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::removeDirectory()", "VirtualFileSystem not initialized");
+	}
+
+	throw tc::NotImplementedException(kClassName+"::removeDirectory()", "removeDirectory is not supported for VirtualFileSystem");
+}
+
+void tc::io::VirtualFileSystem::getWorkingDirectory(tc::io::Path& path)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::getWorkingDirectory()", "VirtualFileSystem not initialized");
+	}
+
+	path = mCurDir->dir_listing.abs_path;
+}
+
+void tc::io::VirtualFileSystem::setWorkingDirectory(const tc::io::Path& path)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::setWorkingDirectory()", "VirtualFileSystem not initialized");
+	}
+
+	tc::io::Path resolved_path = mPathResolver->resolveCanonicalPath(path);
+
+	auto dir_itr = mFsSnapshot.dir_entry_path_map.find(resolved_path);
+	// if the path was not found in the map, throw exception
+	if (dir_itr == mFsSnapshot.dir_entry_path_map.end())
+	{
+		throw tc::io::DirectoryNotFoundException(kClassName+"::setWorkingDirectory()", "Directory does not exist.");
+	}
+	// if the dir_entry index isn't valid, throw exception
+	if (dir_itr->second >= mFsSnapshot.dir_entries.size())
+	{
+		throw tc::io::DirectoryNotFoundException(kClassName+"::setWorkingDirectory()", "Directory does not exist.");
+	}
+
+	mCurDir = &mFsSnapshot.dir_entries.at(dir_itr->second);
+	mPathResolver->setCurrentDirectory(mCurDir->dir_listing.abs_path);
+}
+
+void tc::io::VirtualFileSystem::getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& info)
+{
+	if (mCurDir == nullptr)
+	{
+		throw tc::ObjectDisposedException(kClassName+"::getDirectoryListing()", "VirtualFileSystem not initialized");
+	}
+
+	tc::io::Path resolved_path = mPathResolver->resolveCanonicalPath(path);
+
+	auto dir_itr = mFsSnapshot.dir_entry_path_map.find(resolved_path);
+	// if the path was not found in the map, throw exception
+	if (dir_itr == mFsSnapshot.dir_entry_path_map.end())
+	{
+		throw tc::io::DirectoryNotFoundException(kClassName+"::getDirectoryListing()", "Directory does not exist.");
+	}
+	// if the dir_entry index isn't valid, throw exception
+	if (dir_itr->second >= mFsSnapshot.dir_entries.size())
+	{
+		throw tc::io::DirectoryNotFoundException(kClassName+"::getDirectoryListing()", "Directory does not exist.");
+	}
+
+	info = mFsSnapshot.dir_entries.at(dir_itr->second).dir_listing;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/os/Environment.cpp b/ctrtool/deps/libtoolchain/src/os/Environment.cpp
new file mode 100644
index 00000000..ecdb68a3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/os/Environment.cpp
@@ -0,0 +1,40 @@
+#include <tc/os/Environment.h>
+#include <tc/string.h>
+
+bool tc::os::getEnvVar(const std::string& name, std::string& value)
+{
+	bool did_find_variable = false;
+#ifdef _WIN32
+	// convert utf-8 to utf-16 for wide char functions
+	std::u16string utf16_name;
+	tc::string::TranscodeUtil::UTF8ToUTF16(name, utf16_name);
+
+	// get size of environment variable
+	size_t required_size = 0;
+	_wgetenv_s(&required_size, nullptr, 0, (wchar_t*)utf16_name.c_str());
+
+	// set output if variable was found
+	if (required_size != 0)
+	{
+		// get environment variable
+		std::shared_ptr<wchar_t> utf16_value(new wchar_t[required_size]);
+		_wgetenv_s(&required_size, utf16_value.get(), required_size, (wchar_t*)utf16_name.c_str());
+
+		// transcode back to utf-8
+		tc::string::TranscodeUtil::UTF16ToUTF8((char16_t*)utf16_value.get(), value);
+
+		did_find_variable = true;
+	}
+#else
+	// get ptr to env variable
+	char* env_ptr = getenv(name.c_str());
+
+	// set output if variable was found
+	if (env_ptr != nullptr)
+	{
+		value = std::string(env_ptr);
+		did_find_variable = true;
+	}
+#endif
+	return did_find_variable;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/string/TranscodeUtil.cpp b/ctrtool/deps/libtoolchain/src/string/TranscodeUtil.cpp
new file mode 100644
index 00000000..0bca5c31
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/string/TranscodeUtil.cpp
@@ -0,0 +1,165 @@
+#include <tc/string/TranscodeUtil.h>
+#include <tc/ArgumentException.h>
+
+#include <tc/string/detail/utf8.h>
+#include <tc/string/detail/utf16.h>
+
+void tc::string::TranscodeUtil::UTF8ToUTF32(const std::string& src, std::u32string& dst)
+{
+	size_t done = 0;
+	dst.clear();
+	for (size_t i = 0; i < src.length(); i += done)
+	{
+		// get number of leading high bits in first byte
+		uint8_t prefix = detail::get_utf8_prefix(src[i]);
+		if (prefix == 1 || prefix > 4) // 1 is reserved for trailer bytes
+		{
+			throw tc::ArgumentException("not a UTF-8 string");
+		}
+
+		// if there are no prefix bits, this is ASCII
+		if (prefix == 0)
+		{
+			dst.push_back(src[i]);
+			done = 1;
+		}
+		// otherwise this is a multibyte character
+		else
+		{
+			// there must be enough characters
+			if ((i + prefix) > src.length())
+			{
+				throw tc::ArgumentException("not a UTF-8 string");
+			}
+
+			char32_t uni = detail::get_utf8_data(prefix, src[i]);
+
+			for (uint8_t j = 1; j < prefix; j++)
+			{
+				if (detail::utf8_has_prefix(1, src[i + j]) == false)
+				{
+					throw tc::ArgumentException("not a UTF-8 string");
+				}
+
+				uni <<= 6;
+				uni |= detail::get_utf8_data(1, src[i + j]);
+			}
+
+			if (uni >= detail::kUtf16HighSurrogateStart && uni <= detail::kUtf16LowSurrogateEnd)
+			{
+				throw tc::ArgumentException("not a UTF-8 string");
+			}
+				
+			if (uni > detail::kUtf16EncodeMax)
+			{
+				throw tc::ArgumentException("not a UTF-8 string");
+			}
+				
+			dst.push_back(uni);
+			done = prefix;
+		}
+
+	}
+}
+
+void tc::string::TranscodeUtil::UTF16ToUTF32(const std::u16string& src, std::u32string& dst)
+{
+	size_t done = 0;
+	dst.clear();
+	for (size_t i = 0; i < src.length(); i+=done)
+	{
+		// this isn't a utf16 reserved character, so just add to unicode string
+		if (src[i] < detail::kUtf16HighSurrogateStart || src[i] > detail::kUtf16LowSurrogateEnd)
+		{
+			dst.push_back(src[i]);
+			done = 1;
+		}
+		// otherwise we need to decode it
+		else
+		{
+			// check that the high surrogate char exists first 
+			if (src[i] < detail::kUtf16HighSurrogateStart || src[i] > detail::kUtf16HighSurrogateEnd)
+			{
+				throw tc::ArgumentException("not a UTF-16 string");
+			}
+			// check that the low surrogate char exists next
+			if (i >= src.length() - 1 || src[i + 1] < detail::kUtf16LowSurrogateStart || src[i + 1] > detail::kUtf16LowSurrogateEnd)
+			{
+				throw tc::ArgumentException("not a UTF-16 string");
+			}
+
+			char32_t uni = ((src[i] & detail::kUtf16SurrogateMask) << detail::kUtf16SurrogateBits) | (src[i + 1] & detail::kUtf16SurrogateMask) | 0x10000;
+
+			dst.push_back(uni);
+			done = 2;
+		}
+	}
+}
+
+void tc::string::TranscodeUtil::UTF32ToUTF8(const std::u32string& src, std::string& dst)
+{
+	dst.clear();
+	for (size_t i = 0; i < src.length(); i++)
+	{
+		if (src[i] <= detail::kUtf8AsciiEnd)
+		{
+			dst.push_back((char)src[i]);
+		}
+		else if (src[i] <= detail::kUtf82ByteEnd)
+		{
+			dst.push_back(detail::make_utf8(2, (uint8_t)(src[i] >> 6)));
+			dst.push_back(detail::make_utf8(1, (uint8_t)(src[i] >> 0)));
+		}
+		else if (src[i] <= detail::kUtf83ByteEnd)
+		{
+			dst.push_back(detail::make_utf8(3, (uint8_t)(src[i] >> 12)));
+			dst.push_back(detail::make_utf8(1, (uint8_t)(src[i] >> 6)));
+			dst.push_back(detail::make_utf8(1, (uint8_t)(src[i] >> 0)));
+		}
+		else if (src[i] <= detail::kUtf84ByteEnd)
+		{
+			dst.push_back(detail::make_utf8(4, (uint8_t)(src[i] >> 18)));
+			dst.push_back(detail::make_utf8(1, (uint8_t)(src[i] >> 12)));
+			dst.push_back(detail::make_utf8(1, (uint8_t)(src[i] >> 6)));
+			dst.push_back(detail::make_utf8(1, (uint8_t)(src[i] >> 0)));
+		}
+		else
+		{
+			throw tc::ArgumentException("not a UTF-16 string");
+		}
+	}
+}
+
+void tc::string::TranscodeUtil::UTF32ToUTF16(const std::u32string& src, std::u16string& dst)
+{
+	dst.clear();
+	for (size_t i = 0; i < src.size(); i++)
+	{
+		char32_t uni = src[i];
+		if (uni < detail::kUtf16NonNativeStart)
+		{
+			dst.push_back((char16_t)uni);
+		}
+		else
+		{
+			uni -= detail::kUtf16NonNativeStart;
+			dst.push_back(((uni >> detail::kUtf16SurrogateBits) & detail::kUtf16SurrogateMask) + detail::kUtf16HighSurrogateStart);
+			dst.push_back((uni & detail::kUtf16SurrogateMask) + detail::kUtf16LowSurrogateStart);
+		}
+	}
+}
+
+
+void tc::string::TranscodeUtil::UTF8ToUTF16(const std::string& src, std::u16string& dst)
+{
+	std::u32string unicode;
+	TranscodeUtil::UTF8ToUTF32(src, unicode);
+	TranscodeUtil::UTF32ToUTF16(unicode, dst);
+}
+
+void tc::string::TranscodeUtil::UTF16ToUTF8(const std::u16string& src, std::string& dst)
+{
+	std::u32string unicode;
+	TranscodeUtil::UTF16ToUTF32(src, unicode);
+	TranscodeUtil::UTF32ToUTF8(unicode, dst);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/src/types.cpp b/ctrtool/deps/libtoolchain/src/types.cpp
new file mode 100644
index 00000000..680a53a6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/src/types.cpp
@@ -0,0 +1,26 @@
+#include <tc/types.h>
+
+bool tc::is_size_t_not_64bit()
+{
+	return uint64_t(std::numeric_limits<size_t>::max()) < std::numeric_limits<uint64_t>::max();
+}
+
+bool tc::is_size_t_too_large_for_int64_t(size_t val)
+{
+	return uint64_t(std::numeric_limits<int64_t>::max()) < uint64_t(val);
+}
+
+bool tc::is_uint64_t_too_large_for_int64_t(uint64_t val)
+{
+	return uint64_t(std::numeric_limits<int64_t>::max()) < val;
+}
+
+bool tc::is_int64_t_too_large_for_size_t(int64_t val)
+{
+	return uint64_t(std::numeric_limits<size_t>::max()) < uint64_t(val) || val < 0;
+}
+
+bool tc::is_uint64_t_too_large_for_size_t(uint64_t val)
+{
+	return uint64_t(std::numeric_limits<size_t>::max()) < val;
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/ByteData_TestClass.cpp b/ctrtool/deps/libtoolchain/test/ByteData_TestClass.cpp
new file mode 100644
index 00000000..985ad868
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/ByteData_TestClass.cpp
@@ -0,0 +1,671 @@
+#include <tc/Exception.h>
+#include <iostream>
+#include <sstream>
+
+#include "ByteData_TestClass.h"
+
+//---------------------------------------------------------
+
+void ByteData_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::ByteData] START" << std::endl;
+	test_Constructor_DefaultConstructor();
+	test_Constructor_InitializerList();
+	test_Constructor_CreateZeroSized();
+	test_Constructor_CreateSmallSized();
+	test_Constructor_CreateLargeSized();
+	test_Constructor_ThrowExceptForBadAlloc();
+	test_Constructor_CreateFromPtr();
+	test_ImplicitCopy_CopyInSameScope();
+	test_ImplicitCopy_CopyOntoInitiallisedByteData();
+	test_ImplicitMove_CopyInSameScope();
+	test_ImplicitMove_MoveOntoInitiallisedByteData();
+	test_EqualityOperator();
+	test_InequalityOperator();
+	std::cout << "[tc::ByteData] END" << std::endl;
+}
+
+//---------------------------------------------------------
+
+void ByteData_TestClass::test_Constructor_DefaultConstructor()
+{
+	std::cout << "[tc::ByteData] test_Constructor_DefaultConstructor : " << std::flush;
+	try
+	{
+		try 
+		{
+			tc::ByteData data;
+
+			if (data.data() != nullptr)
+			{
+				throw tc::Exception(".data() did not return nullptr when ByteData was constructed with default constructor");
+			}
+
+			if (data.size() != 0)
+			{
+				throw tc::Exception(".size() did not return 0 when ByteData was constructed with default constructor");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_Constructor_CreateZeroSized()
+{
+	std::cout << "[tc::ByteData] test_Constructor_CreateZeroSized : " << std::flush;
+	try
+	{
+		try 
+		{
+			tc::ByteData data(0);
+
+			if (data.data() != nullptr)
+			{
+				throw tc::Exception(".data() did not return nullptr when ByteData was constructed with size 0");
+			}
+
+			if (data.size() != 0)
+			{
+				throw tc::Exception(".size() did not return 0 when ByteData was constructed with size 0");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_Constructor_InitializerList()
+{
+	std::cout << "[tc::ByteData] test_Constructor_InitializerList : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			static const size_t expected_data_size = 0x10;
+			byte_t expected_data[expected_data_size] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
+			tc::ByteData data({0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f});
+
+			if (data.data() == nullptr)
+			{
+				error_ss << ".data() returned nullptr when ByteData was constructed with an initializer list";
+				throw tc::Exception(error_ss.str());
+			}
+
+			if (data.size() != expected_data_size)
+			{
+				error_ss << ".size() did not return " << expected_data_size << " when ByteData was constructed with an initializer list";
+				throw tc::Exception(error_ss.str());
+			}
+
+			if (memcmp(data.data(), expected_data, expected_data_size) != 0)
+			{
+				error_ss << ".data() did not contain expected data";
+				throw tc::Exception(error_ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_Constructor_CreateSmallSized()
+{
+	std::cout << "[tc::ByteData] test_Constructor_CreateSmallSized : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t data_size = 1271;
+			tc::ByteData data(data_size);
+
+			if (data.data() == nullptr)
+			{
+				error_ss << ".data() returned nullptr when ByteData was constructed with size " << data_size;
+				throw tc::Exception(error_ss.str());
+			}
+
+			if (data.size() != data_size)
+			{
+				error_ss << ".size() did not return " << data_size << " when ByteData was constructed with size " << data_size;
+				throw tc::Exception(error_ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_Constructor_CreateLargeSized()
+{
+	std::cout << "[tc::ByteData] test_Constructor_CreateLargeSized : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t data_size = 0x1000000;
+			tc::ByteData data(data_size);
+
+			if (data.data() == nullptr)
+			{
+				error_ss << ".data() returned nullptr when ByteData was constructed with size " << data_size;
+				throw tc::Exception(error_ss.str());
+			}
+
+			if (data.size() != data_size)
+			{
+				error_ss << ".size() did not return " << data_size << " when ByteData was constructed with size " << data_size;
+				throw tc::Exception(error_ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_Constructor_ThrowExceptForBadAlloc()
+{
+	std::cout << "[tc::ByteData] test_Constructor_ThrowExceptForBadAlloc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t data_size = -1;
+			tc::ByteData data(data_size);
+
+			std::cout << "FAIL (Did not throw exception where it should be impossible to allocate the memory)" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_Constructor_CreateFromPtr()
+{
+	std::cout << "[tc::ByteData] test_Constructor_CreateFromPtr : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t src_data_size = 0x1000;
+			tc::ByteData src_data(src_data_size);
+			memset(src_data.data(), 0xe0, src_data.size());
+
+			tc::ByteData data(src_data.data(), src_data.size());
+
+
+			if (data.data() == nullptr)
+			{
+				error_ss << ".data() returned nullptr when ByteData was constructed with size " << src_data_size;
+				throw tc::Exception(error_ss.str());
+			}
+
+			if (data.size() != src_data_size)
+			{
+				error_ss << ".size() did not return " << src_data_size << " when ByteData was constructed with size " << src_data_size;
+				throw tc::Exception(error_ss.str());
+			}
+
+			if (memcmp(data.data(), src_data.data(), src_data_size) != 0)
+			{
+				error_ss << ".data() did not have expected contents, when compared to source data";
+				throw tc::Exception(error_ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_ImplicitCopy_CopyInSameScope()
+{
+	std::cout << "[tc::ByteData] test_ImplicitCopy_CopyInSameScope : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t data_size = 0x20;
+
+			// create data with allocating constructor
+			tc::ByteData data(data_size);
+
+			// create data2 as a copy of data using implicit copy constructor
+			tc::ByteData data2(data);
+
+			if (data.size() != data2.size())
+			{
+				throw tc::Exception("data2 after being constructed by copy, did not have the same size");
+			}
+
+			if (data.data() == data2.data())
+			{
+				throw tc::Exception("data2 after being constructed by copy, had the same pointer");
+			}
+
+			tc::ByteData data3 = data;
+
+			if (data.size() != data3.size())
+			{
+				throw tc::Exception("data3 after being constructed by copy assignment, did not have the same size");
+			}
+
+			if (data.data() == data3.data())
+			{
+				throw tc::Exception("data3 after being constructed by copy assignment, had the same pointer");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_ImplicitCopy_CopyOntoInitiallisedByteData()
+{
+	std::cout << "[tc::ByteData] test_ImplicitCopy_CopyOntoInitiallisedByteData : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t data_size = 0x20;
+			const size_t data2_size = 0x30;
+
+			// create data with allocating constructor
+			tc::ByteData data(data_size);
+
+			// create data2 with allocating constructor
+			tc::ByteData data2(data2_size);
+
+			data2 = data;
+
+			if (data.size() != data2.size())
+			{
+				throw tc::Exception("data2 after being assigned by copy, did not have the same size");
+			}
+
+			if (data.data() == data2.data())
+			{
+				throw tc::Exception("data2 after being assigned by copy, had the same pointer");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_ImplicitMove_CopyInSameScope()
+{
+	std::cout << "[tc::ByteData] test_ImplicitMove_CopyInSameScope : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t data_size = 0x20;
+
+			// create data with allocating constructor
+			tc::ByteData data(data_size);
+			// mark buffer[0] so we can see if buffer ptr is being moved properly
+			data.data()[0] = 0xff;
+
+			// create data2 as a copy of data using implicit move constructor
+			tc::ByteData data2(std::move(data));
+
+			if (data2.data()[0] != 0xff)
+			{
+				throw tc::Exception("data2 did not have expected byte at buffer()[0]");
+			}
+
+			if (data.data() != nullptr)
+			{
+				throw tc::Exception("data after being moved to data2 retained it's old pointer");
+			}
+
+			if (data.size() == data2.size())
+			{
+				throw tc::Exception("data2 after being constructed by move from data, had the same size");
+			}
+
+			tc::ByteData data3 = std::move(data2);
+
+			if (data3.data()[0] != 0xff)
+			{
+				throw tc::Exception("data3 did not have expected byte at buffer()[0]");
+			}
+
+			if (data2.data() != nullptr)
+			{
+				throw tc::Exception("data2 after being moved to data3 retained it's old pointer");
+			}
+
+			if (data.size() == data3.size())
+			{
+				throw tc::Exception("data3 after being constructed by move assignment from data2, has the same size");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_ImplicitMove_MoveOntoInitiallisedByteData()
+{
+	std::cout << "[tc::ByteData] test_ImplicitMove_MoveOntoInitiallisedByteData : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+			const size_t data_size = 0x20;
+			const size_t data2_size = 0x30;
+
+			// create data with allocating constructor
+			tc::ByteData data(data_size);
+			// mark buffer[0] so we can see if buffer ptr is being copied properly
+			data.data()[0] = 0xff;
+
+			// create data2 with allocating constructor
+			tc::ByteData data2(data2_size);
+
+			// move data to data2 by assignment
+			data2 = std::move(data);
+
+			if (data.data() != nullptr)
+			{
+				throw tc::Exception("data after being moved to data2 retained it's old pointer");
+			}
+
+			if (data.size() == data2.size())
+			{
+				throw tc::Exception("data2 after being assigned by copy, did not have the same size");
+			}
+
+			if (data.size() == data2.size())
+			{
+				throw tc::Exception("data2 after being constructed by move from data, had the same size");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_EqualityOperator()
+{
+	std::cout << "[tc::ByteData] test_EqualityOperator : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+
+			static const size_t kControlDataSize = 0x10;
+			const byte_t kControlData[kControlDataSize] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
+
+			auto control_data = tc::ByteData(kControlData, kControlDataSize);
+
+			// test 1 - data is the same
+			{
+				auto same_data = tc::ByteData(kControlData, kControlDataSize);
+				if ((control_data == same_data) != true)
+				{
+					throw tc::Exception("operator==(control, test) returned false for identical ByteData");
+				}
+				if ((same_data == control_data) != true)
+				{
+					throw tc::Exception("operator==(test, control) returned false for identical ByteData");
+				}
+			}
+
+			// test 2 - truncated ByteData
+			{
+				auto smaller = tc::ByteData(control_data.data(), control_data.size()-1);
+				if ((control_data == smaller) != false)
+				{
+					throw tc::Exception("operator==(control, test) returned true for when compared to truncated ByteData");
+				}
+				if ((smaller == control_data) != false)
+				{
+					throw tc::Exception("operator==(test, control) returned true for when compared to truncated ByteData");
+				}
+			}
+
+			// test 3 - same size different ByteData
+			{
+				auto different = tc::ByteData(control_data);
+				different[different.size()-1] = 0xff;
+				if ((control_data == different) != false)
+				{
+					throw tc::Exception("operator==(control, test) returned true for when compared to same size but different ByteData");
+				}
+				if ((different == control_data) != false)
+				{
+					throw tc::Exception("operator==(test, control) returned true for when compared to same size but different ByteData");
+				}
+			}
+
+			// test 4 - null ByteData
+			{
+				auto empty_data = tc::ByteData();
+				if ((control_data == empty_data) != false)
+				{
+					throw tc::Exception("operator==(control, test) returned true for when compared to empty ByteData");
+				}
+				if ((empty_data == control_data) != false)
+				{
+					throw tc::Exception("operator==(test, control) returned true for when compared to empty ByteData");
+				}
+			}
+			
+			// test 5 - null to null
+			{
+				auto empty_data = tc::ByteData();
+				auto empty_data2 = tc::ByteData();
+				if ((empty_data2 == empty_data) != true)
+				{
+					throw tc::Exception("operator==(empty, empty2) returned true for when comparing two empty ByteData");
+				}
+				if ((empty_data == empty_data2) != true)
+				{
+					throw tc::Exception("operator==(empty2, empty) returned true for when comparing two empty ByteData");
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void ByteData_TestClass::test_InequalityOperator()
+{
+	std::cout << "[tc::ByteData] test_InequalityOperator : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream error_ss;
+
+			static const size_t kControlDataSize = 0x10;
+			const byte_t kControlData[kControlDataSize] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
+
+			auto control_data = tc::ByteData(kControlData, kControlDataSize);
+
+			// test 1 - data is the same
+			{
+				auto same_data = tc::ByteData(kControlData, kControlDataSize);
+				if ((control_data != same_data) != false)
+				{
+					throw tc::Exception("operator!=(control, test) returned false for identical ByteData");
+				}
+				if ((same_data != control_data) != false)
+				{
+					throw tc::Exception("operator!=(test, control) returned false for identical ByteData");
+				}
+			}
+
+			// test 2 - truncated ByteData
+			{
+				auto smaller = tc::ByteData(control_data.data(), control_data.size()-1);
+				if ((control_data != smaller) != true)
+				{
+					throw tc::Exception("operator!=(control, test) returned true for when compared to truncated ByteData");
+				}
+				if ((smaller != control_data) != true)
+				{
+					throw tc::Exception("operator!=(test, control) returned true for when compared to truncated ByteData");
+				}
+			}
+
+			// test 3 - same size different ByteData
+			{
+				auto different = tc::ByteData(control_data);
+				different[different.size()-1] = 0xff;
+				if ((control_data != different) != true)
+				{
+					throw tc::Exception("operator!=(control, test) returned true for when compared to same size but different ByteData");
+				}
+				if ((different != control_data) != true)
+				{
+					throw tc::Exception("operator!=(test, control) returned true for when compared to same size but different ByteData");
+				}
+			}
+
+			// test 4 - null ByteData
+			{
+				auto empty_data = tc::ByteData();
+				if ((control_data != empty_data) != true)
+				{
+					throw tc::Exception("operator!=(control, test) returned true for when compared to empty ByteData");
+				}
+				if ((empty_data != control_data) != true)
+				{
+					throw tc::Exception("operator!=(test, control) returned true for when compared to empty ByteData");
+				}
+			}
+			
+			// test 5 - null to null
+			{
+				auto empty_data = tc::ByteData();
+				auto empty_data2 = tc::ByteData();
+				if ((empty_data2 != empty_data) != false)
+				{
+					throw tc::Exception("operator!=(empty, empty2) returned true for when comparing two empty ByteData");
+				}
+				if ((empty_data != empty_data2) != false)
+				{
+					throw tc::Exception("operator!=(empty2, empty) returned true for when comparing two empty ByteData");
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/ByteData_TestClass.h b/ctrtool/deps/libtoolchain/test/ByteData_TestClass.h
new file mode 100644
index 00000000..7bf6de99
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/ByteData_TestClass.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc/ByteData.h>
+
+class ByteData_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constructor_DefaultConstructor();
+	void test_Constructor_InitializerList();
+	void test_Constructor_CreateZeroSized();
+	void test_Constructor_CreateSmallSized();
+	void test_Constructor_CreateLargeSized();
+	void test_Constructor_ThrowExceptForBadAlloc();
+	void test_Constructor_CreateFromPtr();
+	void test_ImplicitCopy_CopyInSameScope();
+	void test_ImplicitCopy_CopyOntoInitiallisedByteData();
+	void test_ImplicitMove_CopyInSameScope();
+	void test_ImplicitMove_MoveOntoInitiallisedByteData();
+	void test_EqualityOperator();
+	void test_InequalityOperator();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/FileSystemTestUtil.cpp b/ctrtool/deps/libtoolchain/test/FileSystemTestUtil.cpp
new file mode 100644
index 00000000..1bdad400
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/FileSystemTestUtil.cpp
@@ -0,0 +1,3 @@
+#include "FileSystemTestUtil.h"
+
+const std::string FileSystemTestUtil::DummyFileSystemBase::kClassName = "DummyFileSystemBase";
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/FileSystemTestUtil.h b/ctrtool/deps/libtoolchain/test/FileSystemTestUtil.h
new file mode 100644
index 00000000..75452f72
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/FileSystemTestUtil.h
@@ -0,0 +1,79 @@
+#pragma once
+
+#include <tc/io.h>
+#include <tc/NotImplementedException.h>
+
+class FileSystemTestUtil
+{
+public:
+	class DummyFileSystemBase : public tc::io::IFileSystem
+	{
+	public:
+		DummyFileSystemBase()
+		{
+			init();
+		}
+
+		void init()
+		{
+			dispose();
+			mCurDir = std::make_shared<tc::io::Path>(tc::io::Path("/some/initial/path/"));
+			mState.set(tc::RESFLAG_READY);
+		}
+
+		virtual tc::ResourceStatus state()
+		{
+			return mState;
+		}
+
+		virtual void dispose()
+		{
+			mState.reset();
+			mCurDir.reset();
+		}
+
+		virtual void createFile(const tc::io::Path& path)
+		{
+			throw tc::NotImplementedException(kClassName, "createFile() not implemented");
+		}
+
+		virtual void removeFile(const tc::io::Path& path)
+		{
+			throw tc::NotImplementedException(kClassName, "removeFile() not implemented");
+		}
+
+		virtual void openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream)
+		{
+			throw tc::NotImplementedException(kClassName, "openFile() not implemented");
+		}
+
+		virtual void createDirectory(const tc::io::Path& path)
+		{
+			throw tc::NotImplementedException(kClassName, "createDirectory() not implemented");
+		}
+
+		virtual void removeDirectory(const tc::io::Path& path)
+		{
+			throw tc::NotImplementedException(kClassName, "removeDirectory() not implemented");
+		}
+
+		virtual void getWorkingDirectory(tc::io::Path& path)
+		{
+			path = *mCurDir;
+		}
+
+		virtual void setWorkingDirectory(const tc::io::Path& path)
+		{
+			*mCurDir = path;
+		}
+
+		virtual void getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& info)
+		{
+			throw tc::NotImplementedException(kClassName, "getDirectoryListing() not implemented");
+		}
+	private:
+		static const std::string kClassName;
+		tc::ResourceStatus mState;
+		std::shared_ptr<tc::io::Path> mCurDir;
+	};
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/ITestClass.h b/ctrtool/deps/libtoolchain/test/ITestClass.h
new file mode 100644
index 00000000..c7045835
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/ITestClass.h
@@ -0,0 +1,8 @@
+#pragma once
+
+class ITestClass
+{
+public:
+	virtual ~ITestClass() = default;
+	virtual void runAllTests() = 0;
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/Optional_TestClass.cpp b/ctrtool/deps/libtoolchain/test/Optional_TestClass.cpp
new file mode 100644
index 00000000..f0537f3b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/Optional_TestClass.cpp
@@ -0,0 +1,300 @@
+#include <tc/Exception.h>
+#include <iostream>
+
+#include "Optional_TestClass.h"
+
+void Optional_TestClass::runAllTests()
+{
+	std::cout << "[tc::Optional] START" << std::endl;
+	testDefaultConstructor();
+	testWrapConstructor();
+	testCopyConstructorFromNullOptional();
+	testCopyConstructorFromExistingOptional();
+	testWrapOperator();
+	testCopyOperatorFromNullOptional();
+	testCopyOperatorFromExistingOptional();
+	testMakeNullOnNullOptional();
+	testMakeNullOnExistingOptional();
+	std::cout << "[tc::Optional] END" << std::endl;
+}
+
+void Optional_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::Optional] testDefaultConstructor : " << std::flush;
+	try
+	{
+		{
+			tc::Optional<int> foo;
+
+			if (foo.isNull() == false)
+			{
+				throw tc::Exception("Default constructor created an object with null state, but isNull() returned false");
+			}
+
+			if (foo.isSet() == true)
+			{
+				throw tc::Exception("Default constructor created an object with null state, but isSet() returned true");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+	
+}
+
+void Optional_TestClass::testWrapConstructor()
+{
+	std::cout << "[tc::Optional] testWrapConstructor : " << std::flush;
+	try
+	{
+		{
+			int testInt = 42;
+
+			tc::Optional<int> foo(testInt);
+
+			if (foo.isNull() == true)
+			{
+				throw tc::Exception("Wrapping constructor created an object with a valid state, but isNull() returned true");
+			}
+
+			if (foo.isSet() == false)
+			{
+				throw tc::Exception("Wrapping constructor created an object with a valid state, but isSet() returned false");
+			}
+
+			if (foo.get() != testInt)
+			{
+				throw tc::Exception("Wrapping constructor created an object with an incorrect value");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
+
+void Optional_TestClass::testCopyConstructorFromNullOptional()
+{
+	std::cout << "[tc::Optional] testCopyConstructorFromNullOptional : " << std::flush;
+	try
+	{
+		{
+			tc::Optional<int> foo;
+			tc::Optional<int> bar(foo);
+
+			if (bar.isNull() == false)
+			{
+				throw tc::Exception("Copy constructor created an object with a null state, but isNull() returned false");
+			}
+
+			if (bar.isSet() == true)
+			{
+				throw tc::Exception("Copy constructor created an object with a null state, but isSet() returned true");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
+
+void Optional_TestClass::testCopyConstructorFromExistingOptional()
+{
+	std::cout << "[tc::Optional] testCopyConstructorFromExistingOptional : " << std::flush;
+	try
+	{
+		{
+			int testInt = 42;
+
+			tc::Optional<int> foo(testInt);
+			tc::Optional<int> bar(foo);
+
+			if (bar.isNull() == true)
+			{
+				throw tc::Exception("Copy constructor created an object with a set state, but isNull() returned true");
+			}
+			if (bar.isSet() == false)
+			{
+				throw tc::Exception("Copy constructor created an object with a set state, but isSet() returned true");
+			}
+
+			if (bar.get() != testInt)
+			{
+				throw tc::Exception("Copy constructor created an object where the wrapped value was unexpected");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
+
+void Optional_TestClass::testWrapOperator()
+{
+	std::cout << "[tc::Optional] testWrapOperator : " << std::flush;
+	try
+	{
+		{
+			int testInt = 42;
+
+			tc::Optional<int> foo;
+
+			foo = testInt;
+
+			if (foo.isNull() == true)
+			{
+				throw tc::Exception("Wrap operator created an object with a set state, but isNull() returned true");
+			}
+			if (foo.isSet() == false)
+			{
+				throw tc::Exception("Wrap operator created an object with a set state, but isSet() returned false");
+			}
+
+			if (foo.get() != testInt)
+			{
+				throw tc::Exception("Wrap operator created an object where the wrapped value was unexpected");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
+
+void Optional_TestClass::testCopyOperatorFromNullOptional()
+{
+	std::cout << "[tc::Optional] testCopyOperatorFromNullOptional : " << std::flush;
+	try
+	{
+		{
+			tc::Optional<int> foo;
+			tc::Optional<int> bar  = foo;
+
+			if (bar.isNull() == false)
+			{
+				throw tc::Exception("Copy operator created an object with a null state, but isNull() returned false");
+			}
+
+			if (bar.isSet() == true)
+			{
+				throw tc::Exception("Copy operator created an object with a null state, but isSet() returned false");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
+
+void Optional_TestClass::testCopyOperatorFromExistingOptional()
+{
+	std::cout << "[tc::Optional] testCopyOperatorFromExistingOptional : " << std::flush;
+	try
+	{
+		{
+			int testInt = 42;
+
+			tc::Optional<int> foo(testInt);
+			tc::Optional<int> bar = foo;
+
+			if (bar.isNull() == true)
+			{
+				throw tc::Exception("Copy operator created an object with a set state, but isNull() returned true");
+			}
+			if (bar.isSet() == false)
+			{
+				throw tc::Exception("Copy operator created an object with a set state, but isSet() returned false");
+			}
+
+			if (bar.get() != testInt)
+			{
+				throw tc::Exception("Copy operator created an object where the wrapped value was unexpected");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
+
+void Optional_TestClass::testMakeNullOnNullOptional()
+{
+	std::cout << "[tc::Optional] testMakeNullOnNullOptional : " << std::flush;
+	try
+	{
+		{
+			tc::Optional<int> foo;
+
+			foo.makeNull();
+
+			if (foo.isNull() == false)
+			{
+				throw tc::Exception("A null Object was nulled by makeNull(), but isNull() returned false");
+			}
+
+			if (foo.isSet() == true)
+			{
+				throw tc::Exception("A null Object was nulled by makeNull() but isSet() returned true");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
+
+void Optional_TestClass::testMakeNullOnExistingOptional()
+{
+	std::cout << "[tc::Optional] testMakeNullOnExistingOptional : " << std::flush;
+	try
+	{
+		{
+			int testInt = 42;
+
+			tc::Optional<int> foo(testInt);
+
+			foo.makeNull();
+
+			if (foo.isNull() == false)
+			{
+				throw tc::Exception("A set Object was nulled by makeNull(), but isNull() returned false");
+			}
+
+			if (foo.isSet() == true)
+			{
+				throw tc::Exception("A set Object was nulled by makeNull(), but isSet() returned true");
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "FAIL (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/Optional_TestClass.h b/ctrtool/deps/libtoolchain/test/Optional_TestClass.h
new file mode 100644
index 00000000..51c84dca
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/Optional_TestClass.h
@@ -0,0 +1,20 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/Optional.h>
+
+class Optional_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testWrapConstructor();
+	void testCopyConstructorFromNullOptional();
+	void testCopyConstructorFromExistingOptional();
+	void testWrapOperator();
+	void testCopyOperatorFromNullOptional();
+	void testCopyOperatorFromExistingOptional();
+	void testMakeNullOnNullOptional();
+	void testMakeNullOnExistingOptional();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/PbkdfUtil.cpp b/ctrtool/deps/libtoolchain/test/PbkdfUtil.cpp
new file mode 100644
index 00000000..7068996d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/PbkdfUtil.cpp
@@ -0,0 +1,245 @@
+#include "PbkdfUtil.h"
+
+#include <tc/cli/FormatUtil.h>
+
+void PbkdfUtil::generatePbkdf1TestVectors_Custom(std::vector<PbkdfUtil::TestVector>& test_list, PbkdfUtil::HashAlgo hash_algo)
+{
+	std::array<PbkdfUtil::TestVector, 6> tests;
+
+	// test 0
+	tests[0].test_name = "test 1";
+	tests[0].in_password = "password";
+	tests[0].in_salt = "salt";
+	tests[0].in_rounds = 1;
+
+	// test 1
+	tests[1].test_name = "test 2";
+	tests[1].in_password = "password";
+	tests[1].in_salt = "salt";
+	tests[1].in_rounds = 2;
+
+	// test 2
+	tests[2].test_name = "test 3";
+	tests[2].in_password = "password";
+	tests[2].in_salt = "salt";
+	tests[2].in_rounds = 4096;
+
+	// test 3
+	tests[3].test_name = "test 4";
+	tests[3].in_password = "password";
+	tests[3].in_salt = "salt";
+	tests[3].in_rounds = 16777216;
+
+	// test 4
+	tests[4].test_name = "test 5";
+	tests[4].in_password = "passwordPASSWORDpassword";
+	tests[4].in_salt = "saltSALTsaltSALTsaltSALTsaltSALTsalt";
+	tests[4].in_rounds = 4096;
+
+	// test 5
+	tests[5].test_name = "test 6";
+	tests[5].in_password = std::string("pass\0word", 9);
+	tests[5].in_salt = std::string("sa\0lt", 5);
+	tests[5].in_rounds = 4096;
+
+	if (hash_algo == HashAlgo::MD5)
+	{
+		tests[0].in_dk_len = 16;
+		tests[0].out_dk = tc::cli::FormatUtil::hexStringToBytes("B305CADBB3BCE54F3AA59C64FEC00DEA");
+
+		tests[1].in_dk_len = 16;
+		tests[1].out_dk = tc::cli::FormatUtil::hexStringToBytes("5B6DAD229782C6547D1B20D5668EB834");
+
+		tests[2].in_dk_len = 16;
+		tests[2].out_dk = tc::cli::FormatUtil::hexStringToBytes("C8C1EA2F5E2357447AE9244725FAABB9");
+
+		tests[3].in_dk_len = 16;
+		tests[3].out_dk = tc::cli::FormatUtil::hexStringToBytes("6BE21BD5D64E926E78F543DC119875E7");
+
+		tests[4].in_dk_len = 16;
+		tests[4].out_dk = tc::cli::FormatUtil::hexStringToBytes("DE806293ACB904A2B63DE565C014A6C3");
+
+		tests[5].in_dk_len = 8;
+		tests[5].out_dk = tc::cli::FormatUtil::hexStringToBytes("921F9BB3A34D998B");
+	}
+	else if (hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].in_dk_len = 20;
+		tests[0].out_dk = tc::cli::FormatUtil::hexStringToBytes("C88E9C67041A74E0357BEFDFF93F87DDE0904214");
+
+		tests[1].in_dk_len = 20;
+		tests[1].out_dk = tc::cli::FormatUtil::hexStringToBytes("47E97E39E2B32B15EB9278E53F7BFCA57F8E6B2C");
+
+		tests[2].in_dk_len = 20;
+		tests[2].out_dk = tc::cli::FormatUtil::hexStringToBytes("2DE33AD2137E4650EA29FB13136F967B0A4508D9");
+
+		tests[3].in_dk_len = 20;
+		tests[3].out_dk = tc::cli::FormatUtil::hexStringToBytes("4287903B55F17B04B5D1E769A3AFB8290B9F3D50");
+
+		tests[4].in_dk_len = 20;
+		tests[4].out_dk = tc::cli::FormatUtil::hexStringToBytes("EBABF2EF0353667E5581021DD84B1342B6BCC8FA");
+
+		tests[5].in_dk_len = 8;
+		tests[5].out_dk = tc::cli::FormatUtil::hexStringToBytes("2B664B45A9A129DB");
+	}
+	else
+	{
+		// no case for provided hash algo
+		return;
+	}
+	
+	// copy populated tests to output
+	for (size_t i = 0; i < tests.size(); i++)
+		test_list.push_back(tests[i]);
+}
+
+void PbkdfUtil::generatePbkdf2TestVectors_RFC6070(std::vector<PbkdfUtil::TestVector>& test_list, PbkdfUtil::HashAlgo hash_algo)
+{
+	std::array<PbkdfUtil::TestVector, 6> tests;
+
+	// test 0
+	tests[0].test_name = "test 1";
+	tests[0].in_password = "password";
+	tests[0].in_salt = "salt";
+	tests[0].in_rounds = 1;
+
+	// test 1
+	tests[1].test_name = "test 2";
+	tests[1].in_password = "password";
+	tests[1].in_salt = "salt";
+	tests[1].in_rounds = 2;
+
+	// test 2
+	tests[2].test_name = "test 3";
+	tests[2].in_password = "password";
+	tests[2].in_salt = "salt";
+	tests[2].in_rounds = 4096;
+
+	// test 3
+	tests[3].test_name = "test 4";
+	tests[3].in_password = "password";
+	tests[3].in_salt = "salt";
+	tests[3].in_rounds = 16777216;
+
+	// test 4
+	tests[4].test_name = "test 5";
+	tests[4].in_password = "passwordPASSWORDpassword";
+	tests[4].in_salt = "saltSALTsaltSALTsaltSALTsaltSALTsalt";
+	tests[4].in_rounds = 4096;
+
+	// test 5
+	tests[5].test_name = "test 6";
+	tests[5].in_password = std::string("pass\0word", 9);
+	tests[5].in_salt = std::string("sa\0lt", 5);
+	tests[5].in_rounds = 4096;
+
+	if (hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].in_dk_len = 20;
+		tests[0].out_dk = tc::cli::FormatUtil::hexStringToBytes("0c60c80f961f0e71f3a9b524af6012062fe037a6");
+
+		tests[1].in_dk_len = 20;
+		tests[1].out_dk = tc::cli::FormatUtil::hexStringToBytes("ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957");
+
+		tests[2].in_dk_len = 20;
+		tests[2].out_dk = tc::cli::FormatUtil::hexStringToBytes("4b007901b765489abead49d926f721d065a429c1");
+
+		tests[3].in_dk_len = 20;
+		tests[3].out_dk = tc::cli::FormatUtil::hexStringToBytes("eefe3d61cd4da4e4e9945b3d6ba2158c2634e984");
+
+		tests[4].in_dk_len = 25;
+		tests[4].out_dk = tc::cli::FormatUtil::hexStringToBytes("3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038");
+
+		tests[5].in_dk_len = 16;
+		tests[5].out_dk = tc::cli::FormatUtil::hexStringToBytes("56fa6aa75548099dcc37d7f03425e0c3");
+	}
+	else if (hash_algo == HashAlgo::SHA224)
+	{
+		tests[0].in_dk_len = 28;
+		tests[0].out_dk = tc::cli::FormatUtil::hexStringToBytes("3c198cbdb9464b7857966bd05b7bc92bc1cc4e6e63155d4e490557fd");
+
+		tests[1].in_dk_len = 28;
+		tests[1].out_dk = tc::cli::FormatUtil::hexStringToBytes("93200ffa96c5776d38fa10abdf8f5bfc0054b9718513df472d2331d2");
+
+		tests[2].in_dk_len = 28;
+		tests[2].out_dk = tc::cli::FormatUtil::hexStringToBytes("218c453bf90635bd0a21a75d172703ff6108ef603f65bb821aedade1");
+
+		tests[3].in_dk_len = 28;
+		tests[3].out_dk = tc::cli::FormatUtil::hexStringToBytes("b49925184cb4b559f365e94fcafcd4cdb9f7aef4a8ca8fcb4bd1ec53");
+
+		tests[4].in_dk_len = 35;
+		tests[4].out_dk = tc::cli::FormatUtil::hexStringToBytes("056c4ba438ded91fc14e0594e6f52b87e1f3690c0dc0fbc05784ed9a754ca780e6c017");
+
+		tests[5].in_dk_len = 16;
+		tests[5].out_dk = tc::cli::FormatUtil::hexStringToBytes("9b4011b641f40a2a500a31d4a392d15c");
+	}
+	else if (hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].in_dk_len = 32;
+		tests[0].out_dk = tc::cli::FormatUtil::hexStringToBytes("120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b");
+
+		tests[1].in_dk_len = 32;
+		tests[1].out_dk = tc::cli::FormatUtil::hexStringToBytes("ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43");
+
+		tests[2].in_dk_len = 32;
+		tests[2].out_dk = tc::cli::FormatUtil::hexStringToBytes("c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a");
+
+		tests[3].in_dk_len = 32;
+		tests[3].out_dk = tc::cli::FormatUtil::hexStringToBytes("cf81c66fe8cfc04d1f31ecb65dab4089f7f179e89b3b0bcb17ad10e3ac6eba46");
+
+		tests[4].in_dk_len = 40;
+		tests[4].out_dk = tc::cli::FormatUtil::hexStringToBytes("348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9");
+
+		tests[5].in_dk_len = 16;
+		tests[5].out_dk = tc::cli::FormatUtil::hexStringToBytes("89b69d0516f829893c696226650a8687");
+	}
+	else if (hash_algo == HashAlgo::SHA384)
+	{
+		tests[0].in_dk_len = 48;
+		tests[0].out_dk = tc::cli::FormatUtil::hexStringToBytes("c0e14f06e49e32d73f9f52ddf1d0c5c7191609233631dadd76a567db42b78676b38fc800cc53ddb642f5c74442e62be4");
+
+		tests[1].in_dk_len = 48;
+		tests[1].out_dk = tc::cli::FormatUtil::hexStringToBytes("54f775c6d790f21930459162fc535dbf04a939185127016a04176a0730c6f1f4fb48832ad1261baadd2cedd50814b1c8");
+
+		tests[2].in_dk_len = 48;
+		tests[2].out_dk = tc::cli::FormatUtil::hexStringToBytes("559726be38db125bc85ed7895f6e3cf574c7a01c080c3447db1e8a76764deb3c307b94853fbe424f6488c5f4f1289626");
+
+		tests[3].in_dk_len = 48;
+		tests[3].out_dk = tc::cli::FormatUtil::hexStringToBytes("a7fdb349ba2bfa6bf647bb0161bae1320df27e640a04e8f11148c81229e2131af179c3b3423b38abf763dfe208c1fb67");
+
+		tests[4].in_dk_len = 60;
+		tests[4].out_dk = tc::cli::FormatUtil::hexStringToBytes("819143ad66df9a552559b9e131c52ae6c5c1b0eed18f4d283b8c5c9eaeb92b392c147cc2d2869d58ffe2f7da13d15f8d925721f0ed1afafa24480d55");
+
+		tests[5].in_dk_len = 16;
+		tests[5].out_dk = tc::cli::FormatUtil::hexStringToBytes("a3f00ac8657e095f8e0823d232fc60b3");
+	}
+	else if (hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].in_dk_len = 64;
+		tests[0].out_dk = tc::cli::FormatUtil::hexStringToBytes("867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252c02d470a285a0501bad999bfe943c08f050235d7d68b1da55e63f73b60a57fce");
+
+		tests[1].in_dk_len = 64;
+		tests[1].out_dk = tc::cli::FormatUtil::hexStringToBytes("e1d9c16aa681708a45f5c7c4e215ceb66e011a2e9f0040713f18aefdb866d53cf76cab2868a39b9f7840edce4fef5a82be67335c77a6068e04112754f27ccf4e");
+
+		tests[2].in_dk_len = 64;
+		tests[2].out_dk = tc::cli::FormatUtil::hexStringToBytes("d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5");
+
+		tests[3].in_dk_len = 64;
+		tests[3].out_dk = tc::cli::FormatUtil::hexStringToBytes("6180a3ceabab45cc3964112c811e0131bca93a35d17e833ebc221a40bd758ae8328802896e40a54d2be21c7dd8e665f6490abbbdff6c5590bc656c9d0b3dad2a");
+
+		tests[4].in_dk_len = 80;
+		tests[4].out_dk = tc::cli::FormatUtil::hexStringToBytes("8c0511f4c6e597c6ac6315d8f0362e225f3c501495ba23b868c005174dc4ee71115b59f9e60cd9532fa33e0f75aefe30225c583a186cd82bd4daea9724a3d3b804f75bdd41494fa324cab24bcc680fb3");
+
+		tests[5].in_dk_len = 16;
+		tests[5].out_dk = tc::cli::FormatUtil::hexStringToBytes("9d9e9c4cd21fe4be24d5b8244c759665");
+	}
+	else
+	{
+		// no case for provided hash algo
+		return;
+	}
+	
+	// copy populated tests to output
+	for (size_t i = 0; i < tests.size(); i++)
+		test_list.push_back(tests[i]);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/PbkdfUtil.h b/ctrtool/deps/libtoolchain/test/PbkdfUtil.h
new file mode 100644
index 00000000..86e02cc5
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/PbkdfUtil.h
@@ -0,0 +1,34 @@
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+class PbkdfUtil
+{
+public:
+	struct TestVector
+	{
+		std::string test_name;
+
+		std::string in_password;
+		std::string in_salt;
+		size_t in_rounds;
+		size_t in_dk_len;
+		tc::ByteData out_dk;
+	};
+
+	enum HashAlgo
+	{
+		MD4,
+		MD5,
+		SHA1,
+		SHA224,
+		SHA256,
+		SHA384,
+		SHA512
+	};
+
+	static void generatePbkdf1TestVectors_Custom(std::vector<PbkdfUtil::TestVector>& test_list, PbkdfUtil::HashAlgo hash_algo);
+
+		/// Implementation of https://gist.github.com/jakcron/ab05a200e5a6b53c77f28ebfc6342885
+	static void generatePbkdf2TestVectors_RFC6070(std::vector<PbkdfUtil::TestVector>& test_list, PbkdfUtil::HashAlgo hash_algo);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/RsaOaepUtil.cpp b/ctrtool/deps/libtoolchain/test/RsaOaepUtil.cpp
new file mode 100644
index 00000000..70e44784
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/RsaOaepUtil.cpp
@@ -0,0 +1,172 @@
+ #include "RsaOaepUtil.h"
+
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/crypto/Sha1Generator.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/crypto/Sha512Generator.h>
+
+void RsaOaepUtil::generateRsaOaepTestVectors_Custom(std::vector<RsaOaepUtil::TestVector>& test_list, size_t key_size, RsaOaepUtil::HashAlgo hash_algo)
+{
+	std::array<RsaOaepUtil::TestVector, 4> tests;
+
+	// test 0
+	tests[0].test_name = "test 1 (small message, raw label)";
+	tests[0].label = tc::ByteData((const byte_t*)"This is my label", strlen("This is my label"));
+	tests[0].label_is_digested = false;
+	tests[0].dec_message = tc::cli::FormatUtil::hexStringToBytes("D1EFB44DD179C3691A74AE3AA46E2DC1");
+
+	// test 1
+	tests[1].test_name = "test 2 (larger message, raw label)";
+	tests[1].label = tests[0].label;
+	tests[1].label_is_digested = tests[0].label_is_digested;
+	tests[1].dec_message = tc::cli::FormatUtil::hexStringToBytes("12269A9630054F054E79A9BE10EC27DD4BED6A3435DE2B764BCDEDA173D14C16");
+
+	// test 2
+	tests[2].test_name = "test 2 (small message, digested label)";
+	tests[2].label = tc::ByteData((const byte_t*)"This is my label", strlen("This is my label"));
+	tests[2].label_is_digested = true;
+	tests[2].dec_message = tc::cli::FormatUtil::hexStringToBytes("D1EFB44DD179C3691A74AE3AA46E2DC1");
+
+	// test 3
+	tests[3].test_name = "test 3 (larger message, digested label)";
+	tests[3].label = tests[0].label;
+	tests[3].label_is_digested = tests[0].label_is_digested;
+	tests[3].dec_message = tc::cli::FormatUtil::hexStringToBytes("12269A9630054F054E79A9BE10EC27DD4BED6A3435DE2B764BCDEDA173D14C16");
+
+	// set keys
+	auto modulus = tc::ByteData();
+	auto privexp = tc::ByteData();
+	switch (key_size)
+	{
+		case (1024):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("A2A451678C1DFDB0A505DEC45FD34815054AEF603D8169B79743D8562D7F197021BBE7C9D07F67590E8B6720A6DB8C04CC52EAB90554F8F5CE903A820F9C50F7C09265DEEB5F2BFD8FC19A0A4BB6CD52129393AE09459BE75A8FCDA7C74D1CAF6506D121AD13B3CC595F0382EF896FA7569C223D330C1B4B0B4ECF4ADE8B18D3");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("1E397113501BA6B0740A623A96203A6E059CC65D5930BA87AEA9A20369D30BD425C0B8B36D76AFAB0223EFD7468AD83B70091CABA38D05F3101F0770721C37837731039681CD536307AD3232C753485CCA60FC243E9CB2A388A79F2E8EA6CC13B912BAD042DAE58C72516D0AFDDB73579EBF095874DF2CF33129AB7BEA0121B1");
+			break;
+		case (2048):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("DEBE4D3F6AA0C4B0F7B90FB132FF8ABAA98DE69FBDE58AABF0494E6C7327859A5C3638DA1236B2C23D92175AD1A74C72E30AEB539CC947CBE5ECB080ED45391FFA3DB93227EFF30804660782CF56E740DA584F677D96714823C6B1C31E719A2D479314A1E7A493D72909043580058C3AE8A17187140D0A6B60054435A1CBC01BE7DF0991ABF254F37713BD93F02B9906610809C5BCB88883B91D0ED86BD2C68AF5661FAE8B9DBEB2C3D90AEE85BBA9A350D29E2E6188696ECCB465B2313DEE088F3352C4D94BA91B36F3FFF2F918292A6A1429CD22E5A317B0BE9684A8B25F55CA38F9BAE9A6EA3CB48F618A71547D832C2E9CBAC97D2769010F5CD03526352D");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("268F784D05B70E45FAA4B178423565FD599404BC5BC20CA72662726EA8E2CB28C554E7B3ACDA8648C522F0E31A8F65573041F82A51E6B084B669AAC6AF0CC04E6E625818BC3C386D0761E863F763FA85CA26E69C2A6C2C714A2C4022E0B6D6F386C40A1ADB40AD0D5EFFBE184AF0EAED59CF751966D9B9178C986CCE0214054E1CC0801CF5AABDBE1C7DB8CE9B043AE024A18723E3AB7A68F8806993DD6B872A05BC827CC9CD33E77AEDF7B828A635EE9C99A525204FF09EB8F440825C73C072AAC2AE9882E1B29318434CD6B556A2753451173442BD65082DC4CBB9318F5A8B7FF9AF84CB9F030259CF84039F63675574C16A7027828C2C7845E1841DA63B6B");
+			break;
+		case (4096):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("92654BE390E6DA06A826A8CA54760ED3C2D4F424318C4EA4C0741A98EF13B9DAC07F6BFB5FB8F24889B47556FCCF53492BBAC6F4E3BECEC4F906723ECBC36BAEAFB050DE30A393B7AAADAF45CE258CD1859A708DB22642AD0062EF65BCFACA3519516576A877C431417BA19EE7981BA99FE2818DEDD0A8508080AF9E79D88F1B1B90CE61F8B600D9A919B4B7B2083A88CA536CAF67C2C09A2533DEEA647BA9B5EFE8660E086DF20D6EC5AAA2B7A668B9E8E5D276AD5EE697DA95DDE79A8E53CB2B1DC28268D132B413516ACD191423AC76C7EAD37301411382FE5FB68D2096A74F0811148A87FB3C285893032736CBF5901220C7B7BE04A5E215B0F0FF8076059839EED2E492E86BDE7D6E5206A635B67A62CFF261BC686B45C7E02F485CF7BF8800027A830AE1195E3895EBBDA47612B5E42198BAB3CE3E4837FBD4DABAE199390C7BBBCB9420C2E5173AA21597CA3537B9CC5FAFBEE4D72CB232F8796B525F031B6E9F0F9CDBCDFAD839270ABF8935FED7BF53ACF841091F6B53FE545F251F4754CCE3BC0426828F7473607CBE14DACDED705B800FA93389463DAA23FE187329CB13F00849273797EE5D5936C1CB0336A571964897CAAACE540BE2910B0127F6A2B54708329A4465E4780AC0FAFD25CF6C90857ED01A18370B42CB37DEE3D07D2336F16CA537AFF2A3E312178E89ED5850551328E49294A122F2013C50E7BF");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("2CE9E40300C13A91C143FF13F81EB244D8A8F1F02ABD63A15B2423C6D8CE81FE3181C654BC54E70C472734BAC7DC29AEB0BA6070E070794A682648A5A8691F9FDBE9E99D89699E17C2C6FF97987BDFBCA6533005E0EAA9191F9DBAD9C9455E05356BCA07C1FEE093C605D29B886D1BCB8A307953DC6AE040B67404AD47AF9F940EFC79BD080B7AAE4C9984DEB8C19A87BE1F23209B625E29CC9121EA6282A81A17ED02667AC29478F78BB062B49A5AD5F2B493C1F245C3D441ED29C3F5208667B6262EB748C629DAA2749FA225F80E4BCAB36201966E83932364BC63AADF9D28DE6FD8A1A730B9ED0669CA4CB4DAB46F75D081FB140DB9AA54F717AE908CCE684913E078F1FC71032C50CE3A4175DC1E7337C6BB1AF998EADB2713A8D6B3AA66ABBF8FDF9C2783A046C782576F60A7AAAB38E25253A9235C9C94FDAB51380A427C9B604F6373744D23D7213CF1ABC561F4914F7EBFE92EA354FDDA251ACC4F55FF55A9A1F2A0D63654F44CD3A0CD9DACE8B93F47EB542EF825590779F191628EC6FCDDCB419FD89CCBA16E1131E15E0AD730446F993AC9AF9283494A53074CC84BD856D47FA8A682A6728B9F1F60EF283DA4533501FA36C276F5E2438A7A675B871DE92E325DA4E5F0CC5795AE36743BDF209F08C47D91F85F0280988267C71FC9B05F5C34BC5BFAADB1B006C5E18DA769CDD6F88CB0AFFAB0F7CC8E027DF6B5");
+			break;
+		default:
+			return;
+	}
+	for (size_t i = 0; i < tests.size(); i++)
+	{
+		tests[i].key_modulus = modulus;
+		tests[i].key_private_exponent = privexp;
+	}
+
+	// digest labels if required
+	for (size_t i = 0; i < tests.size(); i++)
+	{
+		if (tests[i].label_is_digested)
+		{
+			if (hash_algo == SHA1)
+			{
+				auto hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize, false);
+				tc::crypto::GenerateSha1Hash(hash.data(), tests[i].label.data(), tests[i].label.size());
+
+				tests[i].label = hash;
+			}
+			else if (hash_algo == SHA256)
+			{
+				auto hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize, false);
+				tc::crypto::GenerateSha256Hash(hash.data(), tests[i].label.data(), tests[i].label.size());
+
+				tests[i].label = hash;
+			}
+			else if (hash_algo == SHA512)
+			{
+				auto hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize, false);
+				tc::crypto::GenerateSha512Hash(hash.data(), tests[i].label.data(), tests[i].label.size());
+
+				tests[i].label = hash;
+			}
+			else
+			{
+				// hash not supported
+				return;
+			}
+		}
+	
+	}
+
+	// add expected results
+	if (key_size == 1024 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("18C19B600B3A19FDD8FC3EFD89DCF02A93A38D49");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("7FBB8CA153F44DFF6E69595F1CC3E8F9092B17F44400A1375F074366269FE20601888FED57E2C7C0C441B79853F86D1364DF6A8595F3A6FC9AACEB2AF46B31FB836B9D1679FEF94981338AFEC51D409B0C9B68FB5F3316F46A99C4AF2BA200DD98AC86F8467C7227895ED160D493CAC24B692C2A82AE813F49E218E028B8C126");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("C276A7B930AD3D02B43A07288AC01DFE5BDFAAF5");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("0EE0051E3C92FE2D595E1C518B291760DF621E2DBC660833E821947017D4F878152F6752E86D266B3504172B076E0D5FB2830DE3C8B3DAA36B05ED59AF414E453D0B1B688C8BBA68F2F3E9683CA6FFEE8CC85C1886586DA02BF387B9FD646864E7FE10387781A6D3B720A7C74C3DF7290E0EDF76FB7316109587325B95676B85");
+	}
+	else if (key_size == 1024 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("4379DBF9B508CBD9D2CDFD951907C09084E8C9ABEDBCEA96C60FF1AC1D9B1943");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("12120A3B1F1AB6A72B14B29CB220B9D042358865D423FB221D15698D987A387C015363DA1BCE6852F84987948B07FDBBC89AA87D70441EF8F339FAB5789EE277958445DB49148D6146D582255554C57B31CA9CBE010B54A76EAA7E9FBE67FEEE507198AD069B7B1BFFD487BAF6A66F4A2AF5FF975D55A00B98EFCBE7EF7D215D");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("6A8277479CE751792CCF0A8A462416CB0A35D4BFC0C61DB4B81E401FEF006AA1");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("6F8EBA9FFADCB912F9CE2CDD9CD8A9032736B431B631BB2E7F410250B5BFD19D3BB2EA19E89FAE8C0931DC94683FBC8349FF2EF2977550FB0029DC80D1199C3A35C7C04BF1AA8C51F70ADFB3E33FAE25B8FD808EB1D5F561A9FD06A08194A2746F5A24BEC4E925C0DDB2166E0F3E0078CFA0F5C4CE44D1BAAD3A05C85DC44411");
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("8816C0CA54AAC6219B7ADB78A8CF401FA5ED00A0");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("B9C5CB733B672D15B91E182B79DE9A9790177A4CF3BB1EE02E3D983D62C0F602D9045D88F4C18232D340D93A9EFB50E8B3F5814D910D01DC61B07D722DCDD70B556A45DA3E7616E801734FB6C50123AE234AAB4C85730502A488E44724AF52C635D28A0F74374173B3F46F0622F2E1109BFCC1FC47480F1F9400D9EC6A407C3ECB581874578D1E9EAF0996D621E40606EAEE5E5EAC9ADCD2A932FA36C3B6CAA8DCFE6FDD057049927FF5FED90BA503D539085BFA6B743B4DD4E1D00FB0678859B29AD9804857C598946E3DF6DDC418620DE627B786DBDCEC704B7D658E1F1AAD42A0FD971C8F2DBE978D852179E8B687F88C3CCAB173A425757F210979EBA634");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("75D8F9CBA4B4BC0C36E203A09C16BFE02368CC89");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("877E2803AD28235772F383BC2A0B508CB6D881C8F0168160D64B435EDD9AD08D2F19E1AE8CCC10FC4112C519D4A40F22599654ABDF8FB1BE178C5C5186AF01A4611554B384B64124699800DF925D9A30331A4DD467D18F6CCF8D5E861604FA1B448894757254873B7AD48C1B5BA0B854368716923C7C67663F5A869D789B3E45ADBDB0EB01676BCC16DC5691C96B2C6BD59BA280F9BCB865E546E833248982A0BAC52ED479BFDBE2BF5F402DF900BA3E6517B00A9728F59121E509C6AF4FBD4EC3A35AA1285C45256D1A2E9433D8FA2F894542C52347A7A14A9E7EA867E0851E51D44B5C79131924F285B8FADE778C56CDBA64C21F0A78B47BEA996BA3C250D4");
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("1933B327491AAD845661C64963A1E91FD820AF6E16D3B07B2965481C0FCF25FF");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("BC6678B5BC8460527C2A86A134C5E8657B4789B3FA4DAE988487907148739A5630F39A3FF8E94FF30331A02272FF2A6A59C3165DC2175BFDF9C77D4B4250FE614030B8AB7F3669CE8BB0A2F63E07CED087382E2C3A73B7A495184D407F7A3BDDF3F682BFE88B1981B0E31EDFB12556B7701BA49B8ACCCF57B48F6184F5255B5B237AD49C2863C70B07734B894A647B0683E187615C41B8AEF51FD0A21ADC4C5FB4FF087DE366C25ECCB9D0437793F4F7180AF9E8F8E9EFEC0E294E433BAD79D36511F876D657C8052DF2FC6182C30C80F9CEE1D9F160EE7850EB90D02DA4BABFEB3EAE272056D6E4424D617E41050259447D3F4A2BB559CB49BBBB509152A920");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("1F57E87A75EF286DDF3FC368C06B3022A0B1D70F852F0018E2159A68C25E20D2");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("64593270A26D75F88A13D88AF48E3DAA9342C8F3DBF030E6D3B61B0D20B30F9C33126E3EB3A13A94566897C74BFC2656617081BBFF5E358741FE6EA96A2912C4E5A0428860DF218BE77CAD183E8533226EEE8689289B89AFCCC9746F103567D050234F0060AF679292EE0E36BCF6BFA5F9F594284291991B08ED123E404F7413FD8B61393C5813A865DB1B40C010D240EFE6B0AFE7D2DF96A0DC863C0182605E93C5E6ABE2147B2D4B540B24D3E2993EA48C1D13B08B7E1CA8F14B351E9F0CD8EE31121002107649BBA9C58AD5382837640293A41AB02E835D51408C86C80CE2762054CA0CB005850025499F358E630C0D8394B089BDCFA2AA9103EF112F3C26");
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("D5D1D6980B658CF66E5CC44F0C6CD59461F72D531C3DA02A2874CDEA653630412DC03CABEF601E2F2CC500D2E001539E0F355B534505AF6F1A899AB76849E6E1");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("04234CF8E2BB775CD69734F288B2EC5C3E0E77C9AF2CBEACF1A942FB8FB8703DE4462EA86C749C676646106B8D33D8443A1F3B3B60D771EAC7C28A47B633DB2D8643EA96C3D74E789AE17F52448369A7B62411312A469F22172A3E7E1F24C58D9BCABACD985EA51A9D8C44B36A221101B1FC5BBC64B1B1749912642A42582D1DFDD3C5D2821A4D4C0B9860BF5095AA01C8299CF1466FC761E6FFDD75657A37328A2DE0D6F96398EA26E6ED2853C575B1683CAD9DDA60D008D11A1CED17F7B30428953570D1B40CC3C55A3F4093CD66D5F56BCD39D39C218788AE550DAEC56990E81796608A01A6995E1B7A2FC8B3DE7970676CF2FCEF76E17852F973352A5F22");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("9A7689D4F8B664915AFF99C9B267FCC37C09368275AEA44BFA00446142180ABB65011A41D43491CFC2DA939FD211FA5A5B2FCFFE67F40AE11B8EC9836B0CE5BB");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("C0C45218128C97A70A8C966511021CE52447B236EDD0DDE17D711FD8B345E916E1F5D42BB56B86FC662BCF28C11FBA082359A81FE5C0608804E152D9F24C5FA4A86E3B0B23987B548183C16B91411F946B9C6DBB8FC5017E6D8C57F2F2CEA65CB5A71588DCAB1EBD5740A4135ADD276B74D51F57EC64C500FAF81CA22AF809D12B37AD04200BF95249809F36734B5BEC98680C3DB73DF1F4540234E035123420B3F67169B0C12286E23CFF54A7C1B90EC1C3443EA66E6ADF1E0F4BDB7D2C6F7F6668DD8E68D3F714B3ED963643DB61293C0D14C94FC57369BC50CD890EC76B72D1DA628D29CA8588F3727953D29D63BEB9A5A1CFADC24E3D9C1157F0E37CD487");
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("144C65BD99D1660E0DF7F6552EC49A4F511A1324");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("0CAD479D4F74F63398F35D546A0E2D91ACD88DE5F539F5324C8ADBF9DC14FB78C79414FBC7F619277F246239DFA06C889BCD102588452B366B1724E41BE92B2DFB4635200B2C6263815894B91A912E7B7FE8B96858385B6E74F26DBC4ABF96D4A99710881706A3F4CDC9914C9646AEB005A6EC6A996424DBD853BCCF1CDFC96F8A67EC05B64F7C1C30199F9AA6519F0BF9E643153F98A1DC430EBD650FC1F435111DA7120E65F878661C96C2952A635010FC9B0EA2ED1373B0A88FE2FBDC24D28C54A2F30FEF0C064D7FC2D5F5AD1BC4B51CD82CC8B2614FFB3CFAC20176ADD9AD08AC23EF8C478C98D4A36F3715C68920D7424F8552765FFAE28AAEB043B1BB64F1F9C79E4535EB834898F9B71F6FFC3199D2FA3332B671AF8D4489019ED54AF781BA981AEC5131C8F287C8677CF7A9908CC7D56E688018E9B971310D480E32B4966C5FE53AB2AB074AE021EFA46A8D1AD6C2EB4CB50E71150BE14AC6EE61F9B846BCCB236A9B28A9F86C6D29144521D2B9129EEF424E640E7E8CD273F9782DDEEF660242D6768ED480FF17FA529C230DFAD91E272F5E4E0C6A42ACDFB65CCAFFA8E61393DE24F355296941EAE7DBF9869E2D65ED8120CF83C72AEF79CB9BB61581ED26F0029DF80557689114E963690D2AC77D0744754C93C815A81121667C4CC4E09380C0FB9184DEC8266CBDAB7C75BE5EFC2E36F9DEAFB32273438DF5D6");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("DD9D35B22A09EA34A759905960AED9F4081FE7F5");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("5308061312A823A1AEE48EF80B64C804C868416F87497D1F5607ADEB3F87F539022CC26AACF630955D11EEAC6F7D84FF46BAC539CA690A90D81162E8870946A62054FB22C25CCBE9BBED517F77C730A08C90893423169E95BCF379AC387AD96B21129FAA93DCFFE3C9915B12340DAB17F5D6FC81664F5438ED06144B93958FCC23FCAEA2F49296B3C1BDDE44FB1CC087B37DBB32323B8FBA0B6D6239743294114C894ED854929C796E48AB8B7DF4E1BD276BADC47803D9339EC12F974D4946326E11567A0A2C107D6453A071A765E179806961FE7BC611792038DC64086E6B9B23CAD997DD46F3D07B27C909F63528F58EA8327C32D7C6FE102E81581B10D5C4783F85F23645F44528A72565BEC696D8077514726321E80681885B4B774F214C98651F39CF9C410F6C0BAA2A72D822F7AA830E52BE11479948E8AFC3159ED5CD55ACB1E5E77F0BC0863BA1F0C4C15E610187265ABA88FEA24BAE1FA5A9C2A062C6CDA7E9D5E1FD05F68722C9D44AA82528AE307DEEDB613A09266E389FE8CB92080B09910DD3A0DA1F9D9846948558D209DA4AF33130BDA311347EE39A11283F1954DA00EC28238FAA8D28383843434F5178BA4CD11190175BCA1B226A2CBA373AF425E9DA594AF9475AB61AA0A7C6B7A059ED3C7DFB4588672E065BE56206B9B30D96BEE387E4CB1B3F8F3CD5AC01E9DE136C10D94BDEC912CD2788AF2EF22F");
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("037DFA32F9D90A0DC9D43CDE371FF816388E3D027ABC6C33C3AD443A0F8DFDCF");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("5C478CB5E30CE0F96E9E98EDC8047A076667B18AEBFCEFA9A8CE6B69D97040DACB796BF12B01BF60E2819BEDE3C8AC6BF419C628BE5BBFE65783FE73C325B9FAF039CF58A444547A2509DC28D48B0A8E6B089614EFE5D13C77BFA74ECC4641BD432EE00A8149EDD8A7E2A3B98110C98B2D89505A4C5F93C2ACC1065DF1C55C7A907715D4CC8BBD9512BE079F82872B7DD56A3AE6D6ACFC751E8FC91986FC83C3452448DF04771293C3F15C57810310C95D6A901E2586A94CB66C9597804751D980561F88DBBA7AD20A0C34CAB9D94A666F2EBAD7B4C7F6A81415ABD5C7277A4313E0BA1CE6977D96A89E0A207E648A26AEEE208CD2000BA927982510521A59E574931431B74D43AEE19A2FD9C01E7B56FFAEB0A7063C776FC10728474827637CFDEB9639913B5CC4930649EE963A379F87818AAFFA96E6AC29B69B3057D55831DDABAFFC080C30997EE9D7F56C554F8D86214B4960DF342128D94B323118BA1F5C6BD472EFCD6A8B1921747BD0345292127B625E3001CFAB0AB000CFEB05593FEE3D59844BF172AD1E16FAD0DAD6612C40E799D32170427C7660AAB3C891A6CC32211DFA6798F372484E3F36AD41C9F000B04C3DAC3550B303B2EC2AB5C9AC4ACDABBF55B3C382F0F318BF9C09203787DBE2EE08CF1DB6F03AE07EED874F2E2BD114B4125BCCAD061A8E5BF6D3557DA6171150214633C0C832BD3C6DFC2985E9");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("B4C84542A6E383C520FA1B4E055D69CF0DB174F24011485571E684108EF9BECB");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("530B370F66765E2033AACFE6A114DAC84BD49FABFBBEC4A5202F2C1684693AFA3B145930B46514A03395CB978EA3BC81B89DDB200E223172FC1599E6E80A26C5393C0F04226D2DBB53DD1DC0B2A177C23D3BA7C5EBB0CBED10240FA4F2731BC7ED8696E1BD6CFA7B6FA7AE0BF85DE53EE98EC01805192BAAE933F234DBAF6D11E167C7781283D681CF31A9A0B202F75F06CFB3C7AAF7E8F313B890A3A83AB81FCD88AC09937EF5FBFDA50413DB347D58C425ABFECE21CCB5DB39A7022F2CE2F116B3B343FE32E70876F230F51F9A71C1200F0EA899C3968C19691E8A8322CB8BAEC66F7734AC309543951FBE80662C90D29C53217E78BFA470886570C970CDF1F43088D83DE1100DD0FB068A7C7A8E8CF39F84F11074FB89589B5F0517ED04B19E8651008F265982336D6D9A96CFD03BE909B5671659BADF447537461545156DD3058773D8F6C1840789451CC3419E3D18D199B0180F751BD6D0D9EE3687E467E7E5AB0F43437FB4F5E4CAA2E1DFFE3CEAC60DCD8229F131833CDB41E9B8BBDC517437BBBA43BCF411A69F9C6ADDD8C0386F9FA68009FC6041E8B91EEC00413FEF985CBAB6BB32A579A09170F48DB007A55BE8AACA65617DB3368421C163A9E9E78F561747D4BAAF64A68F3FE52B0061163340B9F007C46561502680874631E8AC2E39E645B732D263262F708A711E680277E0FCF5AEDAAAA25BF982DB4CC24E");
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].enc_seed = tests[2].enc_seed = tc::cli::FormatUtil::hexStringToBytes("A8D827D8E8B0874B956D96C9647E76DF2F761C520EB28A548C651D917AB5A4FB6BC62F825C878F1C97E2FB2FF286DE827179A43302F2B573A64CD740B8AFC51F");
+		tests[0].enc_message = tests[2].enc_message = tc::cli::FormatUtil::hexStringToBytes("15D7A37165062CB21246F7A38A5C643C767BB1283BC07A396B6329D950B9FDDF3807590B0B9A42299D3F6C9453A0710D852E9AF99640B23D60BFEBC7DA6F091929D6B78F80DD0B8C676E69F6878501C6A9835077C17B9B3B4C9BB9D99E357B77879B2BBC5FA93F45ACC055F02A1A2777D1237E945EA166C105F3BEE662B967DBE24483CBD8FD118340197431A22682E47B4141E002A7E722B3798EA0C9B176041B9643AB1EAF312BD6946A09E6BC85E813FCF23B87A26BABDF31F88B91F62DFD4E6CDDA44E912CAD400332F24E7438472B39A3C1AF5D0A142ED80777678B3B4E21B8359AB61911075C009D23EF344F2FBFC9C6B5FEFF596F852CAF4BA5F5A28E6AF7349BB59720F7FAD094AD9132600FD761B4B6E3348D992EBB82DD7693D285F769036527152B0242D1F188B3AA1C626385AB7D24AC1667829063E7C84F6BB4E415164B2B45D3DF06F48A77E60D97B366C21C2AC8CABA5847375746AB56E44BC6F7BADCA2CC7AEA4F40F0D990563EE0F0930410E6CE07FC27EECC717141EF201BAE05DE92C8D998D8283E3A5929DCB40BF3226C560F6CD9BCE9EA3E8B45CE3A4A1C21B972335E06CFEA83728BB3D75F1FD848B520F353C992E7B4E4EDA943A24E52BB50B6F346140033ADF0C4B2E580C98380F7D78FA22BCA1FC43140B6DC67B1DC5075E21BF30B1BC9066BF091706BB49028DEBCE9C744AA15079184B97393");
+
+		tests[1].enc_seed = tests[3].enc_seed = tc::cli::FormatUtil::hexStringToBytes("BEA7FA2E2C9E9BDE240B7DDABDC083517E2CD57AFB2FEA999A3958B753D1C777DA278845ADD1EFEC446BD50417D4E9ABEBEDC28362DD7E661BF350D0E3805359");
+		tests[1].enc_message = tests[3].enc_message = tc::cli::FormatUtil::hexStringToBytes("558B1A6987E63E9A7FD97EB81F34E52BBB417690B417986CF75AAE18EE3A309B58FA1E4A2F8B1C1A1ED849AEA2F67CA56CD503FB4863B65267F8D6A62E440B0EA800F983D572232ED132539FA43BECF4E903A6795AC7CF462F44D19017D7393B877CA846704D0CCA1F5AF6574673E4DF374F1C572938DC69B9846E1CB066EF2D3820D26BAE89576ED7B21BE33AD27A2A30465823F70DE3D55E0A08D25E60E723C152E7A612CCF8A9A1185530A102AA43174DF3E3D900D559DBF15E4A36360C22B4550A1DE49D7105F64B02069118CB49C460AEF0EC4A063ACDB01FC83CA3F6796FA9DB0E58C435030499E70910512EBC4B73D6608B932C0DB3939476B3E0CDD7EE81B3890F9F2B0F4096A58954143773DFF1E97D27EDA1F53AE42E57FE28013AB8925E060B1B9F12D0E33706F1D3C711910A398EDA1E4D1C4A99DF96C706480C1A653A12D2F488629DDEFD1C3BA4EB6BBEA60E0CB28BCE769066DED683663D754476794A5F3F9D81E10A16CACE1BCAE7439785941868DF656830ECF62D367E46F9BF1C5C3FFC760C8FFD302D55A9E134401B4C55FE08F9509419022F05014CA30D75FCFCA33C882B803C38AC6E0A1CF07D6E9B27D1BAC7C4454D6DE03EFB0A3B46034D45AF9EDB7CC5C0914C04BAB2D252144947DCECAD197FE8BCA15CB0EF5D3A0621AD7824C65144B25759C1B9AFBFA0E808CBF0C613F1D79F3347048506ED");
+	}
+	else
+	{
+		// no case for provided key size and hash
+		return;
+	}
+	
+	// copy populated tests to output
+	for (size_t i = 0; i < tests.size(); i++)
+		test_list.push_back(tests[i]);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/RsaOaepUtil.h b/ctrtool/deps/libtoolchain/test/RsaOaepUtil.h
new file mode 100644
index 00000000..3592318f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/RsaOaepUtil.h
@@ -0,0 +1,34 @@
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+class RsaOaepUtil
+{
+public:
+	struct TestVector
+	{
+		std::string test_name;
+
+		tc::ByteData key_modulus;
+		tc::ByteData key_private_exponent;
+		tc::ByteData label;
+		bool         label_is_digested;
+		tc::ByteData dec_message;
+		tc::ByteData enc_seed;
+		tc::ByteData enc_message;
+	};
+
+	enum HashAlgo
+	{
+		MD4,
+		MD5,
+		SHA1,
+		SHA224,
+		SHA256,
+		SHA384,
+		SHA512
+	};
+
+		/// Implementation of https://gist.github.com/jakcron/1c00ed37089743e38df46da2d9ccf6a0
+	static void generateRsaOaepTestVectors_Custom(std::vector<RsaOaepUtil::TestVector>& test_list, size_t key_size, RsaOaepUtil::HashAlgo hash_algo);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/RsaPkcs1Util.cpp b/ctrtool/deps/libtoolchain/test/RsaPkcs1Util.cpp
new file mode 100644
index 00000000..ce394694
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/RsaPkcs1Util.cpp
@@ -0,0 +1,146 @@
+#include "RsaPkcs1Util.h"
+
+#include <tc/cli/FormatUtil.h>
+
+void RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(std::vector<RsaPkcs1Util::TestVector>& test_list, size_t key_size, RsaPkcs1Util::HashAlgo hash_algo)
+{
+	std::array<RsaPkcs1Util::TestVector, 2> tests;
+
+	// test 0
+	tests[0].test_name = "test 1";
+
+	// test 1
+	tests[1].test_name = "test 2";
+
+	// set keys
+	auto modulus = tc::ByteData();
+	auto privexp = tc::ByteData();
+	switch (key_size)
+	{
+		case (1024):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("A2A451678C1DFDB0A505DEC45FD34815054AEF603D8169B79743D8562D7F197021BBE7C9D07F67590E8B6720A6DB8C04CC52EAB90554F8F5CE903A820F9C50F7C09265DEEB5F2BFD8FC19A0A4BB6CD52129393AE09459BE75A8FCDA7C74D1CAF6506D121AD13B3CC595F0382EF896FA7569C223D330C1B4B0B4ECF4ADE8B18D3");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("1E397113501BA6B0740A623A96203A6E059CC65D5930BA87AEA9A20369D30BD425C0B8B36D76AFAB0223EFD7468AD83B70091CABA38D05F3101F0770721C37837731039681CD536307AD3232C753485CCA60FC243E9CB2A388A79F2E8EA6CC13B912BAD042DAE58C72516D0AFDDB73579EBF095874DF2CF33129AB7BEA0121B1");
+			break;
+		case (2048):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("DEBE4D3F6AA0C4B0F7B90FB132FF8ABAA98DE69FBDE58AABF0494E6C7327859A5C3638DA1236B2C23D92175AD1A74C72E30AEB539CC947CBE5ECB080ED45391FFA3DB93227EFF30804660782CF56E740DA584F677D96714823C6B1C31E719A2D479314A1E7A493D72909043580058C3AE8A17187140D0A6B60054435A1CBC01BE7DF0991ABF254F37713BD93F02B9906610809C5BCB88883B91D0ED86BD2C68AF5661FAE8B9DBEB2C3D90AEE85BBA9A350D29E2E6188696ECCB465B2313DEE088F3352C4D94BA91B36F3FFF2F918292A6A1429CD22E5A317B0BE9684A8B25F55CA38F9BAE9A6EA3CB48F618A71547D832C2E9CBAC97D2769010F5CD03526352D");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("268F784D05B70E45FAA4B178423565FD599404BC5BC20CA72662726EA8E2CB28C554E7B3ACDA8648C522F0E31A8F65573041F82A51E6B084B669AAC6AF0CC04E6E625818BC3C386D0761E863F763FA85CA26E69C2A6C2C714A2C4022E0B6D6F386C40A1ADB40AD0D5EFFBE184AF0EAED59CF751966D9B9178C986CCE0214054E1CC0801CF5AABDBE1C7DB8CE9B043AE024A18723E3AB7A68F8806993DD6B872A05BC827CC9CD33E77AEDF7B828A635EE9C99A525204FF09EB8F440825C73C072AAC2AE9882E1B29318434CD6B556A2753451173442BD65082DC4CBB9318F5A8B7FF9AF84CB9F030259CF84039F63675574C16A7027828C2C7845E1841DA63B6B");
+			break;
+		case (4096):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("92654BE390E6DA06A826A8CA54760ED3C2D4F424318C4EA4C0741A98EF13B9DAC07F6BFB5FB8F24889B47556FCCF53492BBAC6F4E3BECEC4F906723ECBC36BAEAFB050DE30A393B7AAADAF45CE258CD1859A708DB22642AD0062EF65BCFACA3519516576A877C431417BA19EE7981BA99FE2818DEDD0A8508080AF9E79D88F1B1B90CE61F8B600D9A919B4B7B2083A88CA536CAF67C2C09A2533DEEA647BA9B5EFE8660E086DF20D6EC5AAA2B7A668B9E8E5D276AD5EE697DA95DDE79A8E53CB2B1DC28268D132B413516ACD191423AC76C7EAD37301411382FE5FB68D2096A74F0811148A87FB3C285893032736CBF5901220C7B7BE04A5E215B0F0FF8076059839EED2E492E86BDE7D6E5206A635B67A62CFF261BC686B45C7E02F485CF7BF8800027A830AE1195E3895EBBDA47612B5E42198BAB3CE3E4837FBD4DABAE199390C7BBBCB9420C2E5173AA21597CA3537B9CC5FAFBEE4D72CB232F8796B525F031B6E9F0F9CDBCDFAD839270ABF8935FED7BF53ACF841091F6B53FE545F251F4754CCE3BC0426828F7473607CBE14DACDED705B800FA93389463DAA23FE187329CB13F00849273797EE5D5936C1CB0336A571964897CAAACE540BE2910B0127F6A2B54708329A4465E4780AC0FAFD25CF6C90857ED01A18370B42CB37DEE3D07D2336F16CA537AFF2A3E312178E89ED5850551328E49294A122F2013C50E7BF");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("2CE9E40300C13A91C143FF13F81EB244D8A8F1F02ABD63A15B2423C6D8CE81FE3181C654BC54E70C472734BAC7DC29AEB0BA6070E070794A682648A5A8691F9FDBE9E99D89699E17C2C6FF97987BDFBCA6533005E0EAA9191F9DBAD9C9455E05356BCA07C1FEE093C605D29B886D1BCB8A307953DC6AE040B67404AD47AF9F940EFC79BD080B7AAE4C9984DEB8C19A87BE1F23209B625E29CC9121EA6282A81A17ED02667AC29478F78BB062B49A5AD5F2B493C1F245C3D441ED29C3F5208667B6262EB748C629DAA2749FA225F80E4BCAB36201966E83932364BC63AADF9D28DE6FD8A1A730B9ED0669CA4CB4DAB46F75D081FB140DB9AA54F717AE908CCE684913E078F1FC71032C50CE3A4175DC1E7337C6BB1AF998EADB2713A8D6B3AA66ABBF8FDF9C2783A046C782576F60A7AAAB38E25253A9235C9C94FDAB51380A427C9B604F6373744D23D7213CF1ABC561F4914F7EBFE92EA354FDDA251ACC4F55FF55A9A1F2A0D63654F44CD3A0CD9DACE8B93F47EB542EF825590779F191628EC6FCDDCB419FD89CCBA16E1131E15E0AD730446F993AC9AF9283494A53074CC84BD856D47FA8A682A6728B9F1F60EF283DA4533501FA36C276F5E2438A7A675B871DE92E325DA4E5F0CC5795AE36743BDF209F08C47D91F85F0280988267C71FC9B05F5C34BC5BFAADB1B006C5E18DA769CDD6F88CB0AFFAB0F7CC8E027DF6B5");
+			break;
+		default:
+			return;
+	}
+	for (size_t i = 0; i < tests.size(); i++)
+	{
+		tests[i].key_modulus = modulus;
+		tests[i].key_private_exponent = privexp;
+	}
+
+	if (key_size == 1024 && hash_algo == HashAlgo::MD5)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("3E4A712262786316D5ABC63F40EA0976");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("5CCE86EDF8FBA6D576993977112EDD63D06355D0EEE4B01CBC8083D0B42D0E156BE700123E608AEF90B21F5E06D22DA279E96417B237A03661484BEEAE368ABD60DC41480F6C632C16B423C131FE4299628132AAD5A521DDB8BEC714E8E47E2894A659CAB34449D97CE78B65AF5AF45C373A3EB5BEC3A96AADDE24A826712F39");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("EAB56CCFFE46084FA63084A9AC1DC4AA");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("38F9035CF80DDA81C16473EA9DB8ECDD788EB278804AFE4678ACE0B2C59BBE6E1E982D16FF2A8A168CDCF4E3B1E828EFCB72E66FC31753D9532D8B49EA79B9272FFC4F21CFBA6ECBACBA169E2E65E22E6B50E72D184949E9F32B59E2418F3FCAD6DD321D582C76B38C317CD630D5BCF42EA5CFF2505D50D9AA04A46ACC5EC19C");	
+	}
+	else if (key_size == 1024 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("0B54234C25D22747C81C7365B04996AB3D96EBEF");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("308D0D22C57A94A1BD04E80081B1B908FFA1ED9255F834DF2A80BB45DABDB796297A18FDE3A5E9B8EDF9A7DED6DDF59A6D038D484368CB90C0A3B96B1FE675FF725F8793C2BA4AEA559E89331924CD8A3ACC6348B0533B1B8A6566780083F9C881E9E3205D5875045FEC4C906C078899E6E31D9BB715760DF779883691583DF2");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("62737496A3A99DB6808296117E3CE796201C84B7");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("96DDC708CBEE1CB1EABFCEA4A1A5D7DE8FBE75A84C8C6CE9D11586AEB082B5B95A4FE0CF58712595ACDF45CEC5C6BF4FD680C46A3AB0B4F1B239F0D56AF97F2771490AB43FE6F46513E3EE8F396E6C8A2C32FC307C05C6827C060AE8E52F5B72B609E64B861648A328509E86AC79AD64380BFB2675183CC8CEAD5267724F2B7A");	
+	}
+	else if (key_size == 1024 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("A2386D7FF4EF41BAD87D62CA8BAA1563AAFDF8013ED6B3668BFC1E7616D86CAC");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("6F00ABCD0C69C4BF0020B6078EC24AF0393D8271ADCABB16B05520F687DC5FE6C56C0090C5D042296608D655471A189254731B5D5193519B5C57CB323008EC2F4158740D1FB3A95DA2EE26483487D070498BB6D1580E11FBE046D750B66C649A7D5BEC483F73249F85D7DA175CE0ECA6BFC09EF9F1C2FA16CF72E062703979D2");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("0D9E93AE17D944B14BE6F382A64341AFE7B33BE21774654ECF9FB8D3CE036E86");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("365D0E0A3286DD6FF0E6DF0EE04883D73C618A120B4A2BF6275B1B30FEDD17D7F6F1DFCF97CF3CF459FDB7344646BF81FD71EEB45958AA7FE380EE3891CFC445FBEB59AFA1D9209886DE74E2399D9F3D9E2F80369B9FF56EF88BB23AFE986C421D57413B4B74D0E85DB9D203D62D4CA15CCF50AE6A32B451E0EBDF85CA9EEA74");	
+	}
+	else if (key_size == 1024 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("1F5E7340F40C9B424E8112451133D56DC4EF2221083C96CDC4669BD4AE328659D4872AB16B4720EAEE67637EED14A637664AA92831DC0DE43AC659BB738FBD99");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("8F5AF83160E8B124712FFE5348853B5349BB54CE37E728A63B93A462E38147EF7EB3CA76DFEFF58C55FEC597F1A37A727705367872CA9FB92072717781052AFC8F110AA90C34049DD9A0FB51AFC6F519FA345C7B97B81A6886BF0D71187FEF049AACCA3F9C38F849C5353F6E4EA8DE84250B03AFA21569EC2A731A82A4224F48");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("709BA2DD10CFD1ED5D3B2833B6B42664ED9684DFA239520D842598A75BED777BB7D5D71E7D7A5E5658C925AB96C8ED99CFAE1E46A33C4736655CB3BC3EB23B6B");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("A01D15754D220D55B7597FD233235C425DDF5D141F38A7A4AA2A733788CB366384C3D621DC3BCADEBD85B7556D916D541672255FF634883447D49E84A73F2FE8AC67CD6E95BF3B2F4ED577F96EFBC5071ACF7E7E5F88236C553F3A74E98E2A3CA5CD0748B08E928902253E719A74FEC41A78916536F1144678DC4AC51DB19394");	
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::MD5)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("3E4A712262786316D5ABC63F40EA0976");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("1370B59A62B15002D3A0838AF12086214D7D1DC34ACB5618A46C0049D7C711AD23AC80D3A031A83C67E0787A41869850CD5BE423DD57FF549CB0E9AC168659714E57A4F07DE72E594E76810F1023D0D98A6EE1513F9208A873AE3DF484F81D47B78B6F06B5321A6ED394CEA43F8FC247A627F25A9186B6CB7BFE4030F3056CC4110E3116F17EB15650A1181EF8BEAFA00F9E943EFD173BE88A07729CA95A2EDEAA90C5D5EDB86C444F72B29F723FB955DAF507466E291BD78341455745C5B953C10DA75204FE4513AFA9B22A559A58C4433C9E375C185388ED553FC71369E1EAC86F50B0F1CC0C5917AB6A59BE9AFEB9A9A86B3EAF5E5092686EC4DEFF6B1C6B");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("EAB56CCFFE46084FA63084A9AC1DC4AA");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("559B0D9B41CC78F333671AE0F026DD3D4B001AF4A4B41508FE9F21B76C609577F5CFC243F66508BFAF688DD8AEAB45F34D0A51412F988F96347A22F5A6E20AE0455160B32EAD093070163AE148D3185D798A97C69AB3945B58079B52D11F1B96CC80DCDD82C2DE6805AE3CCE45CFCFE23F72E6F72F73D3E5BCFB44D58A9C835320C49DE66B41F1C2E528CCE6E152401AF060AAF6694206350595BF3EDAA938CFF9CBC190B4DC38DA7E7752651835A2B80839915CDDB50A740B613FB536DD8C09B08E05359F6B6C4714F1EED7784D6200B0CA66907278CB24C2ED0DFC772684CDED2B331E2B8B83DE9E774A80D7E52053DC122EDEE0F3392FFC27B60BBCC1985E");	
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("0B54234C25D22747C81C7365B04996AB3D96EBEF");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("2AA9197BE6C552A0AE8435BDFDA57D53AF126A77ABFE7BA3C3D746BBD1A56ABF83A95D0E827A355B3C9578006442D4A1498E7DFFAC387B8BFB2FD5C265B78F0E325B591AFC8E403EFD679B9665FA6871A8BEF0619062CC37E30BA656D8D63FF3F3BC2F7E52C565EF13017EA2AB7801E31367528714C3B421E260C8CACF7D6FB0A3E0A43BA56C1B4E21708FB2E4E5074B214B918B36BCCD9EB3E8E246CBC6DB3DF0CFBF24D29EA79FF77EB7B50700D02AD81C3D45E222B5C7189B9AC6028182C57C7519BA2BE360EBC1B5BF9654B40A0357B47F8DCA967339E0D8C426200A6F5CEADA3A484C9E9FFCDB7C3558214E3732835A4ACD40558942AA1F83F0FA62E7E7");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("62737496A3A99DB6808296117E3CE796201C84B7");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("A4D943211BCF11B6B900043D699DAB1391343C39B41369D4F103B0C5174A1CD4DD42D78CA5A9237EA8C8AAB4B26E6434F414AECFDF1FCB047B105096132F786023359FF1423C5F87AF6E2B513F3B8AF2FFE12AA5ED1999BB0C953C3EF2608A347676F76097092ADC59B3117C67D14AC7ECC5BCFA4587A6D651CE8AD0DCACF990727E32A3D2DBED1E52C6D5D96AA97276C2020B0C0928D3EE3E7D7E285BEDF781BD878B8468447E9C5DC0343837B5A1B83FBCB6747F536D41CFA6718162392F557BC5224357C170EA384502BC608F33EF9F5DFE42B12652F132C4C28142184D10B3D5CFAA43FAB01B63A761A571630BCBF8CD439AF11CD83EAE416D4892AB2640");	
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("A2386D7FF4EF41BAD87D62CA8BAA1563AAFDF8013ED6B3668BFC1E7616D86CAC");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("460AA83AABDCD786A4C20DFA4822E4BAAD19B1B51B51595789483A4597819A8DD7AD78F2C4587F8881A3F507A32C4E421420361FCEB617313092506C084C12153683073F637BA1517D52F157178C8CE8161C73DC017FE03282F170E5B6DABF2E5B58D7C5603786165B3889B103C9C1EB66D91EFD9B6A1708BFBE1B5D4BF5CE2EF0DDFE3AF1B52B4A120D9E89A15623E1E579A562F9FA342D41BB25F438BF4934C3DE592A79A3E0ABA0A181B6C402C10E0395CEA8D68D16CB916A66F18D16D7C3534E95D97E2501CE232A1FCAF4C09D8E7314A0E80C8D5867469F2730C894909197EDB3EA5D701160305CF6B335EDE647797C9278BB5D15CF8B48905FB469750F");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("0D9E93AE17D944B14BE6F382A64341AFE7B33BE21774654ECF9FB8D3CE036E86");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("76EAD23F3FA6392A8301B3AC8DD4DC28046BB4FD67E2FB53C00CE689202D67CE38BF64FFF9771EBEB306F4CF679FFFD6CCE39CE4252D827A965C2EAB6A44848AAB087535BD46858AF516632F8D82F8E98125BC59971369855490264226F286436746DFAEF3843710189E47AA95E478F626BF11E26A61BDAF726B5F44106EE290BA5A5551063623B276D504D5F391591303735BE8C5570E03A3A60FEE9816436AB99A3232A946E58E2CBC46887B5C382FFC00F09FC5FDEE8F27A0575F36F9146156FDF322359B06BFC5859585E978EE01508054557B2D2A213E53C813519B707A9D832A50B576D5918BA80C266A1FF4A88E6712835F9E74DF9E5B906E2B2249BE");	
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("1F5E7340F40C9B424E8112451133D56DC4EF2221083C96CDC4669BD4AE328659D4872AB16B4720EAEE67637EED14A637664AA92831DC0DE43AC659BB738FBD99");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("916B2800B5E76111A2F12A935789CA36B1B5313BA0C0222355F5DC328C609930B6643DD3518C74DDFB5DD9720AA1762664EA82FD393A0DCFA80AF1757D4EDA56CCC0342E6A2878EA6D5502F34719D5371D9E297529DF4770A899B11B687342C8F213B89980247A724CD14489FF1BD627DD30614CEF8F733460AFB82EB1FC6FF9B256129C79B7313D015F1F414EE56CDB566AB54B7F769EA8C90D894D773E07073243DDED1E9FA64D1965B9C4F0AF815158FA85DA19BD35CE1FAE654A669B39E99853F4F2F15DB70949055F48320AA00838CB541A27E7871FFCBE449D4E64160BE0F6C48193997F1EEFAE0E62D978965B4460135DFBEBE692FA643764CD8F8E27");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("709BA2DD10CFD1ED5D3B2833B6B42664ED9684DFA239520D842598A75BED777BB7D5D71E7D7A5E5658C925AB96C8ED99CFAE1E46A33C4736655CB3BC3EB23B6B");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("BE89EDCE1642A8470F14D27B418BB4CFD3284129A42B596DFB05DFDC5F99FF2572C40513B19019B01D34465A22DEA89952D138C99E588ABEDDC2E4211F944CBEF7A9546541DAD747AA7E0024C8AB9E620D570383145D3BFE4D622AA8D6670E51B314DAE52BCFD1A8BF1F93FE8909318C7D1491E9013AAE223243248AA4DCCFA0DDCB6A6F9AABDC74F2395B666C85398628006D2CFC737DC1D566C6155FD6F84558FC543BBFA1256F8F91E0E69C5BD7C91619DA522F9A5E14A00E42981526D09B9FBFCECED41AC7023C7AA04E7942F67E446D35FD63F5A70D9C8CF30BD01ECAF5C311EBDD1A1B06BCA3C4261E8EB06E9583E18F5359683292D2ACB018E0082F61");	
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::MD5)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("3E4A712262786316D5ABC63F40EA0976");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("53131DE9F31347199696486F46169DAFA4F3825816392183F8BB43DA51559D8AED477B3042CBD6DAE7A6931CEF96DA86EEF198AE5FA799F0BEFC18D0F12A8EAF1B7F19C348BA3857257A708CAC6536145BBEE4E19C2EC2C313F8D2CB7DC9E9CB54F7A246E8FAF9E22C2AB9EAC8CAE57BD72D6E5C852F7A0631544AEF7B98E9C7579DF79D97858B72D123557A58D1AE32C1D4AB7CBD0DA99AD05423310DAAABF33CBF6CB7689AE28E9800AFAC0860AAB72294D71F67E40D905FF99EAEA405340862E3B81FBB0746B0EB8598DED8EABF05872C98C6AE1010C4DDDB1A3510C84BA595290E808200E7956820E55E472675B8C116A63CBDD46CCB917AC29BC8A3AB227A2D9F772F0110DD4D9ED1138D60729F5C5F8ABF165537ABC467B5CE93C2C9AA80833A0557F35B5C19B422524DCD0B592C16B9ACAC5F94C0211B92989E940FF115C81FD36B77E094A00E9193081BBA2148980EF29B8D104D5019CFE32A65DBC533B6F9E6365001A8104328317F249BFBABCC10B67F1CAF08718BC8AF4EFA914DDFC76F366649AC2E633C45F0C789EF6271FD2F27E32E4BB9C5B8078FA3A2F5E5CAC5C250E86C5D63D6FAE354CEDF7E351B213D9EC7583B14D7C689B92E52C0E94CAA586B6C9DE961CB2B64A027E3E4D39F2FC94B2CE03B29E3C7611ED4CEF865E1715EB8304A0F573B7DC991EBD086C73CD321F31A5B6395F5894904CF6F553F");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("EAB56CCFFE46084FA63084A9AC1DC4AA");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("07446D0F629CDF6078ABC1949186BA6E0C788866DE37322821289D4AB50588104C02BA49A35CCC8BE8D72364BC167D4372E7AC4D4DC121F0D09CD5F21E981BBB3FE3CEC3C36DF07B2FDC57ADCF538CDE093D69B63AA0F3F95DFB69BF35C68F83B090AB00831AE0E18E79389FB5BF3B52BE69FB497EDB8921B3E57BB999FF9475B4CE7CC8CC3C7FAAB793F09DBFE0A6C617E0E6359EBD6C6B425B1906BA032FBF814BC53596AC769057B7DC9FB77B3B0427955DD77469F6F210031562A949BE6413E1F482690A2C57845655786CFD21B0E2A0035B31FE63DD559188C992CC96DE0353AD105473B2FEADF37C86628E4A3BEAB051B3BA7FAA195EBC4EA8FB17EEF7E8A668CDC62C32B58E63AC60EC1CBDDA9485EFACC5F66888B66D4F35BB162EAC3CBAC38EFA9714CE3506CF50115F4E5F15034CCEFE554B03D112B9977CC472CF10F6B1635FED82874ED34B45D2BD4DB9A244C75408DC0B8A9EEFEA5AE5E26AB355F0556DDEC255D65807FDEFE57C2818E790B796B78A5D24D7444CD8356BC0E0139D2FDC18BFB0FB278D6197E052F4BDFCC454D72BDDF6828BC92826D95FF232F4399404F1486212509372EBC7B07529B97372AEACADB3179D34FC33344208A9043846F1EA498BC17E12FC0946DE474F080D46ED393B5F725B1DD707F95E1BA2E1B70837382EFC2232B881F9938230F2B320AD3F023540356B57AFC7A56E0958");	
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("0B54234C25D22747C81C7365B04996AB3D96EBEF");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("226D22515C2AD353AD9B44B20807FBDC18CCB36562FB18A3EE5FB83DC6060697913A06F8A26F8B262AB41E901F69D55B9F22FAE9CF94CA0A7CCB3FC93F36E564223DE09ABA33E1B069C10F26CD866DAF333376E680AF79DF470E5C3CC5ED640EF14279F8D044418126211D1FE26D1418743B549E1E9C74114BF20112B975668FCFC65771B84D604AB0C579DA70BF22522EACD831E1C1D85435FF811478FE95D6BE21E6D0A06E52756BDFA8AEC17D101E1B6FC72FF53E99F1FDD81050509C24DF36D850AAACB555AC43064F3A2424729E90001F29D83F9718A1E4914F9E88C47C2F14038A373251F810D34E504024DD86D44733B94F76D611B921C7B40F40610D0DCAB144CC3775D8D954658530894B925F12E80A5452E6D3FEEEB6F5FD607768D31CAC837A075AB31FBE2D185C36FEBA09C25016315FE8037C7B9A9B46FCB53593C64186690E1A38F6CD7D79D998EA54D372B74DBB0D28F60A23431A4162B38120E799BA0E1D92775FDA9B086F00266F7FB21318B8F8598BF1EF15B2BC21A27C5D2964501C0EED94883CAA842CB653467978560E5F46F3EE2F66F4F0680E0D9E220E532090F100785FB83D13EEA4D8041326C853C60489BD795F2E7AD22DDB01A0E6680DCD90FB76964E9B1D98B92C26B355C194C85A29D1BEC8C31321602C4CD2D4058530C8BEDD1B3D76EADF3379F4C70BD1B48607DED271EF11C970642F7F");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("62737496A3A99DB6808296117E3CE796201C84B7");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("5C525B4BDCDDDFE7A7FB890B80A4AAEC1E633C398B1BFE468908453F53E9B81381D0F5E52BD5C17158BEAFDB43672D3DF993847947CE42F3EF8BC72F38A57139F2F8FBB905E26AE6DD848A6C3BFEC35312C64D514ABCB3E28F811ECF5BE8BE8CF62A922B4A2D6D199AA6A3063B6E7DCCE4043840EDABBED252B2DF3644C7AC25E49481F44240F2001271E80ED77682EDCACE9372D144D66A149877DEC969F5A1E02872580B6265ED3ED9F015862805486739FE0162871D4EBEAE10D61A79C1FDB3C5521CA057994CC2444934E24B2232C67B6A3DCEAD846448E14BFAEED7B8F4914F27E1334953746C0AC18EB7CC4577E07B783629C9BD3F10ED91AC895196149DBAD7558EC5229D6BE4D6C5B9B0B8FBAF7E8A57563FBB8567A4E62B212401DC2757F5AAC08EA59924E8C2D475C4B26E8359C8B520315DD31053BF11DD46B1CF3F5F803F8209880D49740A2ADA07452DA58E088D353965206B6F1E429B0E3BBEEF1DF2CA08EFDBC9A84B805F1855608B4724247E0084060A99EDB9EB5FA85471E253E5DCDF83F761AE9597FB6C47B72FBC9EB78C6306B983FE3DC02566059A3784AF222891AEDBF11E906CC6AB7F72E6E194F4393BDF3D76B8674E522844FEB750C629A3BFA2E15D92C2C58B43925C28E70199CB0745C4BEFF0D6EC18A8CB15B740A61B65EE1D8B2204D176AB1A01BCA50F535E8230B742725DA19FC59FF5EE0");	
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("A2386D7FF4EF41BAD87D62CA8BAA1563AAFDF8013ED6B3668BFC1E7616D86CAC");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("29E3EF33332E80A21255159572A6BC3A85037B2FD471E5A259DE625FF8286523974B3FA170D23D54EE5E28FF26FCACB95EF6BF1682EECF1D298C55561A8B7D6DD51D0492E80E0F11C7FE3874049B8DDB6969387752465EE4CF988F709CB8E29CB2DED29BEA6F47D92C15AD7C01127217E34FF252753CABD1392D0FD4C6E55109CE512BEEB459EEC4E6BB69A5CA46B1C2B5691169408EB5C9E939D458371E674FD7C57E10042E01F283C4B63B7DCEAED1E5FAB696A2E24D5D5C3FA2885CCC456A93D4018EDCD0383B0B6EA6D5E047C200EB27535439B869EF925BF0D2396DE54D32E17492A8576519878E417EC09518428049072DC623CCD9B78EEC42BEFA9CE9B18DDD6AD3E0429D791B00588DA25327942FE9AD26C83B9699B161270B0927629716087F13D15D5FE56FAF8D615BC27403D8C3C8C2C1F2751074181D55556AE1D2B38E80589541B7CFE70B1B8B8261A9FC4BF6BD7CE0CA174F972959A24FFD07A6CDF2C2D80C7C128CFF722967DAF1F2A2D29596B92F56D2C65EB1A40E5DED0A8C78ACCEFE52133D08EF8FDC9E6600D67983B29059AEEB76B3449D7A099C2DEBD161F61A80F6F3B6DA8FF569A7C3990FA037BF222480F3727345AAB268C3B0D77BEABD2A8426FAE5B630C577B79586B5CFA3FBD9C4BACA9E5B22846C9A6DBCFA21C3EEC162420DF28184C2234A930FAE41B5B2718CE9C8F89F5F02ECF2FCC61E");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("0D9E93AE17D944B14BE6F382A64341AFE7B33BE21774654ECF9FB8D3CE036E86");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("6240DA2CD63671FC6C1E78E6BB5225CC27798B456A5082FE8E8F832CF8934E90F8CA83A03159589589943B9CF2BA46CE8B5509FDB9A3FB28B884D9A5358490CF3D52765F3E398366F768EBB9178E4B99C7A8D194D98CB4E502CBF28657D0E2D1DA26B80CDDFC8B9A7CAC7D51A9A97CA4B39C5464F0A073FE06431E21B1FD496BBC62D7B18DA03284AAB56FCFBD37ECBF8B86CD2C9C1670A1682CF6A448DB02B2941E9CF212219AE0DCF325E333A2F9895B686D61E192973BFEE96CB7876CA542EFED0FE9E5F2B2680822E0E4B72243EF19615EB50D7E7C66992924F15D44B8869776B1D397A104EEDC67B8C6E4F11576430861614B4658C5A4FE853D19B79EAEE18105C6583EF4CFBCE54260F0C8FDCBD2BE71DBE1126C63433741294A844D9FE39BF2189BD7DE4000073F1B3A98FD2215A49E4768A3384CBD589B01E3AD790C6CEE4462A36AA98E5ED03807021E63A841ADF159FCC4CCDA3CD19CFA21CBE5B73A81C8F1EF70E49D3D4807F5A80847ADFD86EA0D7B4699D25CDB5300EA241C6C2AEF2B7BA4A3B02A2C21FBDA0EA8D052CC8ACE8856312B443E86E913C1474D83AB3FF6CC7AB5F8137B4B710943741715634A3E85693636570E13D8433A292281AE0B29ADFE16FA6347CB1AE7F30047B4A95C7BDBB1CB3B4A599A41162E932EEC261B3E022FAA9E554BE84156721C009C987BC6982807DFA97DD7E1E7E1F1B1FC");	
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("1F5E7340F40C9B424E8112451133D56DC4EF2221083C96CDC4669BD4AE328659D4872AB16B4720EAEE67637EED14A637664AA92831DC0DE43AC659BB738FBD99");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("0264109A40938A354BD4D7BCB81FA4ADCCF4DFCDF575F6D30A9EA6A9361C5EBD0A5B9F51E553B9663629113A4E46A907A8A9C03C4A3AA6D4921E879F48D9E02D03AD5FA9F94411EE0BF5568317ECB008C6CCCAAF75B7C8F06A98E0F19BED2178A82263A2DB2BF37FBB8A539246B58686A27FEB0F77619A00B6C49739BFE00901D140CE49218C6B24803A9923C86971E516595901690572E29D4CC10E7D7D72A2726F41C116C3916DA41051C69315CD0EEA8A15F811762EBEE2EEC410D57BE31850C8B6C27C8ED8A768CA89A4DF44FD644D25C1789A5D339CD59397F3EA3464271737AB5E2A6BE47F4C2A8AADB298D8472566335ABD8BF093C72F059E2AFE2D5076ED0B26F935EA910C07D6B6050F0F4D19E3F9F300445EAB5BB264FF51CFF219C78F102E182D261227C280DCEAC646D55ED0C0EBFBF2F63091E3E5DE476BEB27F107B697A7EC9D01CF242A6465AEA164A073727D2BDCEA2D0889E6C547491A036AF7E095FF74E6F267E3533DE0131B391CD0985C095493CE7BC7A69D2D27201D078E0C4041D345A699E1E047B0CF3FED6AAC6CC58EA64752DF2AA6F5325CC3B5D9A9DB337E118B397EDE56EB0B922D6B980D48A63D3AD596AE9F496A3DAD44428E4CAEA3C818DBF672AE6FF72D27621C3600BA41926C9680BB1AA8A9524BCCDAEBDF90B5C094F92393590795F81AB40A5449A64B59BE3C372F738AE8795F3687");
+
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("709BA2DD10CFD1ED5D3B2833B6B42664ED9684DFA239520D842598A75BED777BB7D5D71E7D7A5E5658C925AB96C8ED99CFAE1E46A33C4736655CB3BC3EB23B6B");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("2023C38CCB2F4C29342321ADCC88E6C2DC2E5B1BF3BB1451FCAD87D3D2891C01FB14E412DA3E9064F33321DB0CD72C222060CAF65D99E0CC9C7A2E3431896EA07C0FFEC73928E1213A8828BBAFEB50F2E89B469C17BCB021CED7DE4FB556201D00EB8A30B6E6874EDACC9239EFFB06961126B22D4E598BCC712F99A49E1EF010C1D1762C77BFE911F7CF74279A5C1DB183C82F5673C264D388322E0B3F176F65F875956560FBBD7B293638661FE2E7DF26351D55CD64BC58853D33A712B6A9AE810C24CCF5DE1F86FE2636B22AC1A035A8B129A61B5AD962F7A90D5CFDE669497EE0CA4D1762A7278BB34286982BE170E595D05DACBC18FD0CEED89FAF30EFBBAE164456E310AA0A9E4A4D46A3E6643A06F38848C3D57B31F94E8B9832783010B1845469756C8A1C84B0A05A06A2B202C94EDCA4A4B20B019D070274C286268AFD56F14E195A3A437CF6B4677853CFC16DC4CDAEBE9389ED03E55750B1547700552C8D45A0BEBA2BDC4DB1DD5D308F94EDB40E8735BF57018285D54F9CF7D3D2BF9C915CDDD5A6BE3867F82597ACE6881EEA1ED4D68C806497D622261ED5E35B2D21067A5DE25FCA8437E265B57BBB10D03C9E49B5E5CC9EA81418C92AD1395F051FD1939499DB617B21587D6976255A178B98674AC565CAA99C775B002B6361985B3A4C302EB875494F9C1C9FC4D60932B1279B31F58D78A633F69561810DAB");	
+	}
+	else
+	{
+		// no case for provided key size and hash
+		return;
+	}
+	
+	// copy populated tests to output
+	for (size_t i = 0; i < tests.size(); i++)
+		test_list.push_back(tests[i]);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/RsaPkcs1Util.h b/ctrtool/deps/libtoolchain/test/RsaPkcs1Util.h
new file mode 100644
index 00000000..a70416b7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/RsaPkcs1Util.h
@@ -0,0 +1,31 @@
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+class RsaPkcs1Util
+{
+public:
+	struct TestVector
+	{
+		std::string test_name;
+
+		tc::ByteData key_modulus;
+		tc::ByteData key_private_exponent;
+		tc::ByteData message_digest;
+		tc::ByteData signature;
+	};
+
+	enum HashAlgo
+	{
+		MD4,
+		MD5,
+		SHA1,
+		SHA224,
+		SHA256,
+		SHA384,
+		SHA512
+	};
+
+		/// Implementation of https://gist.github.com/jakcron/1c00ed37089743e38df46da2d9ccf6a0
+	static void generateRsaPkcs1TestVectors_Custom(std::vector<RsaPkcs1Util::TestVector>& test_list, size_t key_size, RsaPkcs1Util::HashAlgo hash_algo);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/RsaPssUtil.cpp b/ctrtool/deps/libtoolchain/test/RsaPssUtil.cpp
new file mode 100644
index 00000000..6dd6ff25
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/RsaPssUtil.cpp
@@ -0,0 +1,143 @@
+#include "RsaPssUtil.h"
+
+#include <tc/cli/FormatUtil.h>
+
+void RsaPssUtil::generateRsaPssTestVectors_Custom(std::vector<RsaPssUtil::TestVector>& test_list, size_t key_size, RsaPssUtil::HashAlgo hash_algo)
+{
+	std::array<RsaPssUtil::TestVector, 2> tests;
+
+	// test 0
+	tests[0].test_name = "test 1";
+
+	// test 1
+	tests[1].test_name = "test 2";
+
+	// set keys
+	auto modulus = tc::ByteData();
+	auto privexp = tc::ByteData();
+	switch (key_size)
+	{
+		case (1024):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("A2A451678C1DFDB0A505DEC45FD34815054AEF603D8169B79743D8562D7F197021BBE7C9D07F67590E8B6720A6DB8C04CC52EAB90554F8F5CE903A820F9C50F7C09265DEEB5F2BFD8FC19A0A4BB6CD52129393AE09459BE75A8FCDA7C74D1CAF6506D121AD13B3CC595F0382EF896FA7569C223D330C1B4B0B4ECF4ADE8B18D3");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("1E397113501BA6B0740A623A96203A6E059CC65D5930BA87AEA9A20369D30BD425C0B8B36D76AFAB0223EFD7468AD83B70091CABA38D05F3101F0770721C37837731039681CD536307AD3232C753485CCA60FC243E9CB2A388A79F2E8EA6CC13B912BAD042DAE58C72516D0AFDDB73579EBF095874DF2CF33129AB7BEA0121B1");
+			break;
+		case (2048):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("DEBE4D3F6AA0C4B0F7B90FB132FF8ABAA98DE69FBDE58AABF0494E6C7327859A5C3638DA1236B2C23D92175AD1A74C72E30AEB539CC947CBE5ECB080ED45391FFA3DB93227EFF30804660782CF56E740DA584F677D96714823C6B1C31E719A2D479314A1E7A493D72909043580058C3AE8A17187140D0A6B60054435A1CBC01BE7DF0991ABF254F37713BD93F02B9906610809C5BCB88883B91D0ED86BD2C68AF5661FAE8B9DBEB2C3D90AEE85BBA9A350D29E2E6188696ECCB465B2313DEE088F3352C4D94BA91B36F3FFF2F918292A6A1429CD22E5A317B0BE9684A8B25F55CA38F9BAE9A6EA3CB48F618A71547D832C2E9CBAC97D2769010F5CD03526352D");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("268F784D05B70E45FAA4B178423565FD599404BC5BC20CA72662726EA8E2CB28C554E7B3ACDA8648C522F0E31A8F65573041F82A51E6B084B669AAC6AF0CC04E6E625818BC3C386D0761E863F763FA85CA26E69C2A6C2C714A2C4022E0B6D6F386C40A1ADB40AD0D5EFFBE184AF0EAED59CF751966D9B9178C986CCE0214054E1CC0801CF5AABDBE1C7DB8CE9B043AE024A18723E3AB7A68F8806993DD6B872A05BC827CC9CD33E77AEDF7B828A635EE9C99A525204FF09EB8F440825C73C072AAC2AE9882E1B29318434CD6B556A2753451173442BD65082DC4CBB9318F5A8B7FF9AF84CB9F030259CF84039F63675574C16A7027828C2C7845E1841DA63B6B");
+			break;
+		case (4096):
+			modulus = tc::cli::FormatUtil::hexStringToBytes("92654BE390E6DA06A826A8CA54760ED3C2D4F424318C4EA4C0741A98EF13B9DAC07F6BFB5FB8F24889B47556FCCF53492BBAC6F4E3BECEC4F906723ECBC36BAEAFB050DE30A393B7AAADAF45CE258CD1859A708DB22642AD0062EF65BCFACA3519516576A877C431417BA19EE7981BA99FE2818DEDD0A8508080AF9E79D88F1B1B90CE61F8B600D9A919B4B7B2083A88CA536CAF67C2C09A2533DEEA647BA9B5EFE8660E086DF20D6EC5AAA2B7A668B9E8E5D276AD5EE697DA95DDE79A8E53CB2B1DC28268D132B413516ACD191423AC76C7EAD37301411382FE5FB68D2096A74F0811148A87FB3C285893032736CBF5901220C7B7BE04A5E215B0F0FF8076059839EED2E492E86BDE7D6E5206A635B67A62CFF261BC686B45C7E02F485CF7BF8800027A830AE1195E3895EBBDA47612B5E42198BAB3CE3E4837FBD4DABAE199390C7BBBCB9420C2E5173AA21597CA3537B9CC5FAFBEE4D72CB232F8796B525F031B6E9F0F9CDBCDFAD839270ABF8935FED7BF53ACF841091F6B53FE545F251F4754CCE3BC0426828F7473607CBE14DACDED705B800FA93389463DAA23FE187329CB13F00849273797EE5D5936C1CB0336A571964897CAAACE540BE2910B0127F6A2B54708329A4465E4780AC0FAFD25CF6C90857ED01A18370B42CB37DEE3D07D2336F16CA537AFF2A3E312178E89ED5850551328E49294A122F2013C50E7BF");
+			privexp = tc::cli::FormatUtil::hexStringToBytes("2CE9E40300C13A91C143FF13F81EB244D8A8F1F02ABD63A15B2423C6D8CE81FE3181C654BC54E70C472734BAC7DC29AEB0BA6070E070794A682648A5A8691F9FDBE9E99D89699E17C2C6FF97987BDFBCA6533005E0EAA9191F9DBAD9C9455E05356BCA07C1FEE093C605D29B886D1BCB8A307953DC6AE040B67404AD47AF9F940EFC79BD080B7AAE4C9984DEB8C19A87BE1F23209B625E29CC9121EA6282A81A17ED02667AC29478F78BB062B49A5AD5F2B493C1F245C3D441ED29C3F5208667B6262EB748C629DAA2749FA225F80E4BCAB36201966E83932364BC63AADF9D28DE6FD8A1A730B9ED0669CA4CB4DAB46F75D081FB140DB9AA54F717AE908CCE684913E078F1FC71032C50CE3A4175DC1E7337C6BB1AF998EADB2713A8D6B3AA66ABBF8FDF9C2783A046C782576F60A7AAAB38E25253A9235C9C94FDAB51380A427C9B604F6373744D23D7213CF1ABC561F4914F7EBFE92EA354FDDA251ACC4F55FF55A9A1F2A0D63654F44CD3A0CD9DACE8B93F47EB542EF825590779F191628EC6FCDDCB419FD89CCBA16E1131E15E0AD730446F993AC9AF9283494A53074CC84BD856D47FA8A682A6728B9F1F60EF283DA4533501FA36C276F5E2438A7A675B871DE92E325DA4E5F0CC5795AE36743BDF209F08C47D91F85F0280988267C71FC9B05F5C34BC5BFAADB1B006C5E18DA769CDD6F88CB0AFFAB0F7CC8E027DF6B5");
+			break;
+		default:
+			return;
+	}
+	for (size_t i = 0; i < tests.size(); i++)
+	{
+		tests[i].key_modulus = modulus;
+		tests[i].key_private_exponent = privexp;
+	}
+
+	if (key_size == 1024 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("6AD3C408F3565C97F0BEC62FF728921967287AB8");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("0B54234C25D22747C81C7365B04996AB3D96EBEF");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("88FF134C0A0DA7FE0DEBF63C60D62DA524E98B73D8E905178258D7B645AC4CF5615165465C053A2596DD189F1DB4B7686BC36AA3F39AE67B19D3D36B64F96E7B45E0D2B4F36064D2E8EAD04CBF3F4153A0E630F4610973F625F9911A29F6C629062173810272B4B1C6C256757779C4DEE495306D798B61DACC2CB34A662368BB");
+
+		tests[1].salt =  tc::cli::FormatUtil::hexStringToBytes("6575F1C16518DA498E3DFD4BC06F6E30C91E5CD4");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("62737496A3A99DB6808296117E3CE796201C84B7");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("049979E126E716538234962160FCED53A9B43A2AC2404679A1C3738E111F47488F881DA8A1A9BE25C7A8322EE40E19841FB0D38915300A4CF32EBA383ECA99A47DE95F12F3495F052B2EB575DC3D78FA6FB64EB986D7DDBB9C41CA4BD558543CA249D2A34A1EABA1A6584896C6C1F5D2E717BFECD1E172E34AFF25980841996B");	
+	}
+	else if (key_size == 1024 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("EF01E25B33F6BF37B0BA88893672F640E200A2F6D2107AACCA4708F8891D682B");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("A2386D7FF4EF41BAD87D62CA8BAA1563AAFDF8013ED6B3668BFC1E7616D86CAC");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("8267259B830A93F5C2D711FF005F7B46C0078E4F5558BC85FB4FB2517CECAD518B8AFC387BD9050A21397E456815A46ADEAC23F636C648B65943B51DF316DEA4C30B9F255801FFBB3EEA660DF7317F5F010FA0F3437ECC1F0140BEE08A50263588523C05F248E30FF14BEAF73E74842BECFB458FE892D833D341711D24F7FB86");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("927EF7CC082FC43B7B012C38FC602369F67C8B770DDD3F4025FDC448601EE397");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("0D9E93AE17D944B14BE6F382A64341AFE7B33BE21774654ECF9FB8D3CE036E86");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("05DBFEE535D4C2613B838D70DD6E571F221C3CDF5ED6BF7B6DCD875DBB46731A14DDE3681DE4F9A90662154607EEF50E181EDB19AD08648678FC853FBF7053F237E3BD544BF6D0D1C6A87CAEEE3E00D39484BF2BA69F83300582C879F547B7B67DD6DBAE0D7D16FBC4BCC21E0DB001DC4C0395FEAFA89C1B9B36A5CD80E5F2DD");	
+	}
+	else if (key_size == 1024 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("1990E6A72D59A4A855B9DBA69590B6225624C1353ED09AB5669346A0F3E51F760F1FEAE0A291912C7D83A3410375CE4AF7BEEBB6C7C0EFB4CEE507317B68");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("1F5E7340F40C9B424E8112451133D56DC4EF2221083C96CDC4669BD4AE328659D4872AB16B4720EAEE67637EED14A637664AA92831DC0DE43AC659BB738FBD99");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("3C36282DDA02032D6BFD6856F950EAF0ECEA968A78CAB93E8A0DA0ED6CEF2A63EF2FB4A32CB100FD5FA4B9BEC648CE518DD6F65562E0C356C1D0E5F4B179032DD775DD18F0D598232B33E96B6E59E1453F3345EB3C9228C0CBFBD56FE4B6317C46ABF00976EE212257A39483373D5466BE9594FFD3FA8AA4421ACEA7D35CCDB2");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("7C69FE4F0010847B11BD0B309A13DD8708F731B36B5913A2982055E89A48D58BBB42645D4CEB47B9D27BA0B138D0F5ED648EF11608C33AA1F3511C4D366A");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("709BA2DD10CFD1ED5D3B2833B6B42664ED9684DFA239520D842598A75BED777BB7D5D71E7D7A5E5658C925AB96C8ED99CFAE1E46A33C4736655CB3BC3EB23B6B");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("9E2573124931E89DD9F4CCF040B46BFDAA397C9C7C7273B1E74AF978E48EC28FB5639257416A790AA07090B63887F4934A4ED646754576784A4C11EEBD9C361CDC960FB1C8C026E1C18367357ECEA2C29319CCF8B93F0B13E5AC7BE26B038031CCFF7C1938BF56D59C6FA0D7B59FA14C421BECB04146EDD9B2EC5C003137B5FF");	
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("01B1B2F300B75AEB4163217DACB60F64E34C4B66");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("0B54234C25D22747C81C7365B04996AB3D96EBEF");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("355C0CC734D72EEC991BE4ED7B01756180EAA2A99BAEE6658EFFA644429D2707723B5C01119751C5C6B23A42BB344D7FA14F385816C5C17369C002859BAAC2A5775D45E005F613BBFFDD0FAD4018DBCACE2811B5BAAFC5F99A4C4279FBAC661661488F0B78C2A70C1235D75DC276838561136EFE2D22C0277D718AC6F12EF7C7B79658B5EB591F5B0BDC8C4FB27A6824C50EA4FF19E570B09BB2B56865421653C678DEC6E9215B7FD3C0D8EF95745C34DA1CFFE388B56D6CDE27D106DD12C8746DD2230B37FA0C31782C37DB4ABE84132E2AE3D0F76D3EEA34AC5E160C4F61D280B73989929FDEEA78FB1809FD9EBA4B5AEF48B0F15DDF06BB0F49EF68863688");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("77133B22F3404DF71350374D6FBEF778FDCF8B7F");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("62737496A3A99DB6808296117E3CE796201C84B7");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("09D88EEF86C014F0B0E200FC6C018FA02E5DD0576DEFF828617A1F97B5B7CAA39A8B4F3E8248B13FD3FDC4638629585040E1F54D49690092FC36A857FE64DD4093CFF44F658A6183AAEFAE6D4442DD5199AF15DB791DE3B33BE7C3C3D04ECEAF7F8A085885C1EB71AB05D268354A8E9228128048B3B33A49C8BA5704DDC2CCEFB47EC553990B3978C1D06FFD741153341739E2CC39633AE9883236E5D2AAD0D3A84D345C80A2A474700A4E7831EDEBC50C055FD97698C3F489A0D679173D96C57BDC6B43B21160759DB80CA90EEE0752FD1B756796FB32E03B0CFB81B9E8014BBBA64E4A6BEB1592D734962587C7315499BB8148EE73D48C8015E52A7FFB7DA1");	
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("F8975F369ACC0AA1DBFC213BADBBE48DC706872349A69D361F13602868314443");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("A2386D7FF4EF41BAD87D62CA8BAA1563AAFDF8013ED6B3668BFC1E7616D86CAC");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("355C0CC734D72EEC991BE4ED7B01756180EAA2A99BAEE6658EFFA644429D2707723B5C01119751C5C6B23A42BB344D7FA14F385816C5C17369C002859BAAC2A5775D45E005F613BBFFDD0FAD4018DBCACE2811B5BAAFC5F99A4C4279FBAC661661488F0B78C2A70C1235D75DC276838561136EFE2D22C0277D718AC6F12EF7C7B79658B5EB591F5B0BDC8C4FB27A6824C50EA4FF19E570B09BB2B56865421653C678DEC6E9215B7FD3C0D8EF95745C34DA1CFFE388B56D6CDE27D106DD12C8746DD2230B37FA0C31782C37DB4ABE84132E2AE3D0F76D3EEA34AC5E160C4F61D280B73989929FDEEA78FB1809FD9EBA4B5AEF48B0F15DDF06BB0F49EF68863688");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("ACF998221C624F853BC3A3FC4EDCF25B4B5B637A18DE521443EAB1D58BBE27E8");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("0D9E93AE17D944B14BE6F382A64341AFE7B33BE21774654ECF9FB8D3CE036E86");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("09D88EEF86C014F0B0E200FC6C018FA02E5DD0576DEFF828617A1F97B5B7CAA39A8B4F3E8248B13FD3FDC4638629585040E1F54D49690092FC36A857FE64DD4093CFF44F658A6183AAEFAE6D4442DD5199AF15DB791DE3B33BE7C3C3D04ECEAF7F8A085885C1EB71AB05D268354A8E9228128048B3B33A49C8BA5704DDC2CCEFB47EC553990B3978C1D06FFD741153341739E2CC39633AE9883236E5D2AAD0D3A84D345C80A2A474700A4E7831EDEBC50C055FD97698C3F489A0D679173D96C57BDC6B43B21160759DB80CA90EEE0752FD1B756796FB32E03B0CFB81B9E8014BBBA64E4A6BEB1592D734962587C7315499BB8148EE73D48C8015E52A7FFB7DA1");	
+	}
+	else if (key_size == 2048 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("EA98D82C923787FDC2CF52A1F4F33921CF6DC0F5740693CAB2EA3A37FA908B377C6FFA7EAA744486836EE6757307260612E2BE53F196D6D35A7300EB4DE63171");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("1F5E7340F40C9B424E8112451133D56DC4EF2221083C96CDC4669BD4AE328659D4872AB16B4720EAEE67637EED14A637664AA92831DC0DE43AC659BB738FBD99");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("C526E0FADBE7F4DB02E45F67914C0E1C121C5EC576AA691E2DB5DE1035A092E079DF434F0F49F2FE8D9D4E0C10EB188DC5F6F555CD122AD9E0C98D2FF5FD7C0B0F6DEB93E1752ED90BFC731ACB41FF5E1274B735FB5A0DB381968B3DEA21BB22055D0D67B78CBFEF1A3ADA77F2B8CA991786CC576CD1880D5824E1C1A15AB4F8FED7F1959A6C707448F776B3E4D9E53090B15241475AF1F16A2D5279982F1C25F2C0B056BEFE8A695C4FDB105FCFC54F5F2F4D4F028DB070468A20276BBA262A6CBE4F20723CA548FB4DA07E3E008B5BF71654E59D4F24C985B5EAAF93FF72A1CDC207457AF88FC1905EB05628E88859CEE615CA01F9275423E634B27F045CB9");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("068D7064B137ECEC7F6C3580900B64E857865E3ED20F5DF7CC56189330B18F5EFBC3A713A0BF74264BAC125353A3A0F6AA38EFCE65EE5CF1638A61A1B5565BCB");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("709BA2DD10CFD1ED5D3B2833B6B42664ED9684DFA239520D842598A75BED777BB7D5D71E7D7A5E5658C925AB96C8ED99CFAE1E46A33C4736655CB3BC3EB23B6B");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("07E9A6F65AC5F39CFB3F74FC3A5F95938FDCD0AF55EF501C9592B12551B9DE394B88E18ACC48453D64E9CB3C079332F4AB150D954945AE52652EC221738A333AEEAEB480198DC2473A1113F490E72714BF2F0AE38EB45EEF2D37F005747C7B45962BF803718004D150CA497F472BA497FC79105E61C512FA77F2D54D3085583BEC9406DE5DB94AF05C426CD147FB8EF67020C6B30E06F2B1044B2362958F12933E19E8AD718422E89F0054D1868428B3493966671B951949099F70FF8B11494E385E274B75BD666F7AC64A0BC5D05AC7BF5EDDD5CC635FFC125B92FD07BF20916CB83DC09B71469C2363D80AA4A407BAA4AB38909DFDE9A5D5C12B2EC040DE5F");	
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA1)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("C139B807BEB43849D4ECFC284C94900AFAB597B4");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("0B54234C25D22747C81C7365B04996AB3D96EBEF");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("294BBB3537C59CD4222FCF7D3DE244F0DABCA547CBEFEFB4C6275439E48A73F48A4BD4DFCB4E176C4448C44C95AA0915488F5C286CF558BA3916E45CBD785F6798A658977418BDD9241D55EE633A95B34A876A60663CCC71ACDA935A0CA97DFB3B3545AC49AF432C26CE9765E0952BE1F9042F97441019572ADA4A17AE45A44ADFF3FD385A762886092A066DBEA60ACBCC86070C261A89FB59D6533E14B8CB2BB7F33E01DF511661066EFAD3FA1FD3DC2C3B79878B18BF863B8CC5423D4A18CF273396190B92E181B8A63B6114C09453AD9D827CF0B142D476120FED5A8705C1FAF7667D794849670832B85AEC87ACD9841E8E7224668081587602287BE31863A93BD151C0D40D949B40CAB8F748D962FE84419C7D1770B3754B313657136251DBAD597E3E6BA61764A3F22372EC6114083081916C7AD2EBC0970CBFC264509BFE3A02A07EE03BFA3CAFB7643937EEA7B247A4F9EAF47DF13BB8DDDD635B26F7AD1339008145DD5C18381813E2108D84707D8A8EA5E8D2A7F7675FB6BC28452A4AF33D4A21F53CC1C08458220026311D8E8D2AFA37D4C4E2981164F84D33B04B99D1F18C060A0C9067F854721F4DA4DB2D6C5AFB7FDA354598071D579AEBCF5F12FE1322FBAEC6CA57556C3490634D4D4BAA7908B573444AC689C21ADD10478D8A09410D2EB1892A0A74D63F617A9185321A06345655AABD0EA04E0BBDA7C579");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("34E011F064EF219D0A01EF20BE64FDC2EE945799");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("62737496A3A99DB6808296117E3CE796201C84B7");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("33C06415E53760E9812EABD077C9E50323DDC367E8361D4600030A34402CBAF53F4EAFAB0874A85EA5FE0EE6E0F56B71B87BCB838491AF04DEA64A0FFB2AEE5E49F777C364FB82C3FADEC94A396ADB67E207E6E5F2DBF9792F7036B37FD11095A293EF97BEA35AE8AB6FF5ADF631FCA1A8003BBF65F8F0B1E7756FA12792FDCC1F273C4AD0B36FBD6DFADF91C4C764AA3D9B2D374F646E7380C5919D9F245499CFB8BDE069844B9086D0E97B16E792519FFC41BBE657DC1A4888F1707C2E7A4EDFAA1F7BD0BA13E8164B75D7F180306462457AAD787396FD0DAB3CAD3BAEB974EA856B87D06E7B1B4C977DDC65A95EC483835F2F6BE0413DBDA0CCC78D5ABBE4FBD87CF5E5D7F8D5386C1E6ADCAB0EC277244C117BFC35B37CFFD41F08434A64AB862677351A6A27224D848C397EC83ED0BC6DDC4D5D2AD800311AFA5C2AB5E45AC6E6F2E99EE7538D4125AE389873EB2823AC19DCCEBA45A3D992BD5AC5ED63CAC6434D8B6EA875E7AE73BEAAF8BCD495EC12E6220604CA0617EBAA94AD9B95FAF0FFDF20925F27E928D60BCF0E59D9F5D49EC0FF854E7F7E5C580B572A9021D8EAE6D9ED3FF68D02B7BC357C2E465BCCE4B4391316C19F0050CAB8093ECA12C68365795561CC14F1448FB0AC83A365C75D3E4FA7D1FF4A73DCC5D226593EF899CA6E90C4FE42CA81CD98F7BADCB43927E83B3DF859A8C4E94CB1046A21C762");	
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA256)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("E01A8BDC3B51D0E4C4A92835AF2AE468D409F73233051F548EDCE0B8590FEEA2");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("A2386D7FF4EF41BAD87D62CA8BAA1563AAFDF8013ED6B3668BFC1E7616D86CAC");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("1E9F68491378B9B4E2F5BC126BC8E0781ACADD18E07F0C96B6592ED069E3F864BE208004FBE3070073192BC3651EE50C67FDB5E2466606938C0A103F7AB973D9104C5F373B37FD9D81090EE248E5ACAAEE051BB672CD58979ABC3138A11E73684F1F3EDBD96DB2B59564B0DA7175A4E222F5F13AFEBFA1013EE6FF1E6A1C19F19350EA1A7AE0CCD34054D4FD62ACD1474B1B8A276AACD60C370F3198E3711CE00DDE58D1B124262CDC198BFCB074EA897EB3B7D78E3C62BBFFEAFEC736C405030C94DA7828BE27EABD72334512DCC50F54B967C0D68BBAAA3AEE805802943493650C18D6CCAA3ECBCC0B34DEBB053BE8DACC6C1B384EF1827384B95A79BDB454C5FF692BA26119267BFB75D830E1BB363C156C15BDF9F878D511CECDE3EFBE6D09F1FADB0346D0997992735548B0F753760C19B20FBB062CA84AFC1E38E629E5ED1782FB1172996EADD2A4E9B6EEDFDB3C54CB292F233312C6AA3D8F3826D0E2236196F33CDB02B49000C473F126CACCAA3E13DC8B0274F58DE2B80DE57C05A43EE7F9EDCCB41D86337479487E5CCC4F1DCB6F9AB3166773E02380329C62CD43DED51FE4D0C7D7F4249FD3B15571DA87F51A76AA06CE716C001EA619AC611265758E7AF6290AC09AEA14F54D9141CA81A833EB925F4DFB2AF07D2E400154E160FBF062315D2B82A345A34AB45E26D36ED46AE5AB23FF74FA6E66CEF6D43B50A6");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("C89C80F4960432187ADAE12F706D0AE8AB2E2B61A8C97827451B303245C6A3D6");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("0D9E93AE17D944B14BE6F382A64341AFE7B33BE21774654ECF9FB8D3CE036E86");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("6AE6CE7C125E00AA027BF902A09F1C51D6F7328A24E537BF07781D90DA390A505508D0DA6270F00A088BD5C66FE48CF1B049EE70F53BB683187CBB7FF67CAFBD1A39AB890A6B92E245398529627DF1DFA168644F5368D6D99A7313058402DE06A33CFAB360CB78887B6D80839CFDBAC4832DAB2C2BFD929D362E1535BD27C84EB4777E1D9015AFFA50DFB5A3C96B0D96BB9A09D47AD92F9AD666758344DE984C1E2ACA0B42618EE73F0AA654D466D1481CA41FB91EE211309C51E77F63CE955C3EBDA37D75D762D5F56A433836EEB2425534958E06AD74157F7808B70F626A2E953B547DAC8E8650F06E9D2DEAA5279CB7D7DC7AC3534928DD626AB77CB97F22AC3FF4ACBDE5EC2E60EE346F26B2E598DE5F00FA884B76627CCA24010FC65AD14B2E433099A0005B4B00A350E554E959A4DD4026D9ADDAE7297AF65B852CD1DEA1A9425EB2CEBF09BC60C0EE01E48CAF730E1FFA7FE190528103DABB735D5A0B04C2CDC01DA99512FC6615090D97D0A94A1988D7178430C27D77758DCF8A77BAAA958DE834EB5BC56786DF21304D58812DB187CC4ED8836B92F6F3440D02E949E356508273CF1F91DB3C056E8BA2A78ECED059E03EF8CA2B906504CDA98CE74B2B5AD4E25BA20D8C24B34C521BC10796C9BE840ED1811FB29936F575A33776322536F7EF449B75C363DA6FF6B45B7A471176638766C1F930DBE464027E48712F");	
+	}
+	else if (key_size == 4096 && hash_algo == HashAlgo::SHA512)
+	{
+		tests[0].salt = tc::cli::FormatUtil::hexStringToBytes("6B87C931844386E1EA9DD45F2AF92EC91F2E44A55FFCF80EB0FAF11A41C832FCA87939A0408C0A36A052A7D9ADC1311DB71789EA5F3E8C12F0716ADBB5FD3C67");
+		tests[0].message_digest = tc::cli::FormatUtil::hexStringToBytes("1F5E7340F40C9B424E8112451133D56DC4EF2221083C96CDC4669BD4AE328659D4872AB16B4720EAEE67637EED14A637664AA92831DC0DE43AC659BB738FBD99");
+		tests[0].signature = tc::cli::FormatUtil::hexStringToBytes("0CBF1D7BA11072DA92D6D1EB9C9484F848A70F6D3909E98BF323F342033EED440E85963B0298BA7EB003148A1FF92F2698C4EEC0B26445C5A5F1ABA10DC8C1601D9A0C6C935A5E031C8FE1EBBEFE3C81DA36EAEFB85B65033C33E1E2113B3BCB410A96A37F131C0F4E945BBC222900CE628EC2A92BD58B303DE171EAF518AF9C9460183FF1039C00F7D98308DC97272F8711A882920AB1502EA88B92BB905A58CC4059EE9BBB53006BAA0E4B04D51A6CFEE65AF3351EC4E2707CF35C57DC12351FCC95DE736B96CAC0C2DEB4275C2598E62D2A2AAAFFBF68F2CA5D247EEB818FD00BD58883F669F0D8E3877A77AA7391EFD5C69D8CB828CADEC7D60D4C589A882B9646DA32EC58BE2AE9A3C78E5821664903637F8A8837ABC55C874284B54BB3485AEE9094DBCC46822A8D6DF929D2DB01CC225CAC775AFF31DAFF0E64AE65CB57E9C24E89173C32F384553884CB0F46DEEB9233985A0B9E6F9B1B8421C20A5F29EE7AA54EF8AF134D754E98429F7EBE36B56686798964A3E2A258DC05D35097F825A630FE4695EB23CCADBC59A433F6104A7E55565D1A427E8B6E4ADE1780E8888C86EBCCE6EC950EB0BAFE3946423FE5CFF04707F245F51C7DF5C3AFC1542EC93D30D6402AF0F3CE43ECC9F0B338014F0941058AA69DECF9BFE7EA3CE3667AA434EDE1F1FC5596AC7BE326F4F4F37BD106E377093FD20B6A13D27EE50E161B");
+
+		tests[1].salt = tc::cli::FormatUtil::hexStringToBytes("0E5B60B7C6EE9DAC18ED464A4268C296C55B787D298FD23337E9D39077AC60266637D5B03338A0B752C631150EA9655AE71EC42779EF2B6119D31EAB19E33DAB");
+		tests[1].message_digest = tc::cli::FormatUtil::hexStringToBytes("709BA2DD10CFD1ED5D3B2833B6B42664ED9684DFA239520D842598A75BED777BB7D5D71E7D7A5E5658C925AB96C8ED99CFAE1E46A33C4736655CB3BC3EB23B6B");
+		tests[1].signature = tc::cli::FormatUtil::hexStringToBytes("853EF4AA99E0492D0CFD6F11653FA10164738BAD6A3CE53DA037FACEBFFD79E2350BF5F45729B262D8B5EFA769E0155D7B2AF1A837D84674269055BA69F042F6B2FDA4161D066EBDEDCDF989EE768A91C9653AD11157EAB98C0848BCE5F2052CCBFE5A67CB2621A5070219619BAE3E79333536384700AF1B9462F77904F30465107D0DAE9E40ADE7DE7167F8E29F6B8C8DF04B84781D5855BB22D3BECEDC7DEE545CEBA094028043FBD228F33D2656C4D74630DB2BF124E739AE3630BAF07855E72AF9488CD8036875805F0F6390C6C315D9A4BC65B935C0C172A0B871EAB66373D1293B37B3A95BE334A9C31B93D7F4C12397674BA59088B873973B22428C1ED8720C0488DE41FF072165B34CEE65EC78B39B141A9559395BC0EE42A81FBFADD1EAF6878F83F4BB0CA9B4AC72F900437597B32AD7878BB8921E61F0F3A522513A80BB58142EA2E16C58BC0AFF2DB30DC9475FBDE2D68BE3FD34BD9EAF35691BE40016893E86D34AD2B0423C7BE6116ECB1BB7EBF951F9E18C86626E1C106978F26DC6C8C9D4C97040634E9FEA87E6AC7F3BFB1AB585DE424F5F508BB9A01C27B5AF50768B03A37D430777A17EB34E5EFFB271034A5893213618B1022782F456A4AC006452C8D8C88B295C325C891A07D6242F2790B3E746935DCE19916594C764302A8444A859B8371B4119058BD41040B9A7032FC2B5110218A3AF78822ED1");	
+	}	
+	else
+	{
+		// no case for provided key size and hash
+		return;
+	}
+	
+	// copy populated tests to output
+	for (size_t i = 0; i < tests.size(); i++)
+	{
+		test_list.push_back(tests[i]);
+	}
+		
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/RsaPssUtil.h b/ctrtool/deps/libtoolchain/test/RsaPssUtil.h
new file mode 100644
index 00000000..5e7ac616
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/RsaPssUtil.h
@@ -0,0 +1,32 @@
+#pragma once
+#include <tc/types.h>
+#include <tc/ByteData.h>
+
+class RsaPssUtil
+{
+public:
+	struct TestVector
+	{
+		std::string test_name;
+
+		tc::ByteData key_modulus;
+		tc::ByteData key_private_exponent;
+		tc::ByteData message_digest;
+		tc::ByteData salt;
+		tc::ByteData signature;
+	};
+
+	enum HashAlgo
+	{
+		MD4,
+		MD5,
+		SHA1,
+		SHA224,
+		SHA256,
+		SHA384,
+		SHA512
+	};
+
+		/// Implementation of https://gist.github.com/jakcron/1c00ed37089743e38df46da2d9ccf6a0
+	static void generateRsaPssTestVectors_Custom(std::vector<RsaPssUtil::TestVector>& test_list, size_t key_size, RsaPssUtil::HashAlgo hash_algo);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/SinkTestUtil.cpp b/ctrtool/deps/libtoolchain/test/SinkTestUtil.cpp
new file mode 100644
index 00000000..cdb0aaad
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/SinkTestUtil.cpp
@@ -0,0 +1,90 @@
+#include "SinkTestUtil.h"
+#include <sstream>
+
+const std::string SinkTestUtil::DummySinkBase::kClassName = "DummySinkBase";
+
+void SinkTestUtil::testSinkLength(tc::io::ISink& sink, int64_t expected_len)
+{
+	std::stringstream error_ss;
+	int64_t actual_len = sink.length();
+	if (actual_len != expected_len)
+	{
+		error_ss << "length() returned: " << actual_len << ", when it should have been " << expected_len << ".";
+		throw tc::Exception(error_ss.str());
+	}
+}
+
+SinkTestUtil::DummySinkBase::DummySinkBase() :
+	DummySinkBase(0x10000000)
+{
+}
+
+SinkTestUtil::DummySinkBase::DummySinkBase(int64_t length) :
+	DummySinkBase(length, true)
+{
+}
+
+SinkTestUtil::DummySinkBase::DummySinkBase(int64_t length, bool canSetLength)
+{
+	init(length, canSetLength);
+}
+
+void SinkTestUtil::DummySinkBase::init(int64_t length, bool canSetLength)
+{
+	mCanSetLength = canSetLength;
+	mLength = length;
+}
+
+int64_t SinkTestUtil::DummySinkBase::length()
+{
+	return mLength;
+}
+
+void SinkTestUtil::DummySinkBase::setLength(int64_t length)
+{
+	if (mCanSetLength == false)
+		throw tc::NotImplementedException(kClassName, "setLength() is not implemented");
+		
+	mLength = length;
+}
+
+size_t SinkTestUtil::DummySinkBase::pushData(const tc::ByteData& data, int64_t offset)
+{
+	throw tc::NotImplementedException(kClassName, "pushData not implemented");
+}
+
+SinkTestUtil::DummySinkTestablePushData::DummySinkTestablePushData() :
+	DummySinkBase(),
+	expected_data(std::make_shared<tc::ByteData>(0)),
+	expected_offset(std::make_shared<int64_t>(0))
+{}
+
+void SinkTestUtil::DummySinkTestablePushData::setExpectedPushDataCfg(const tc::ByteData& data, int64_t offset)
+{
+	*expected_data = data;
+	*expected_offset = offset;
+}
+
+size_t SinkTestUtil::DummySinkTestablePushData::pushData(const tc::ByteData& data, int64_t offset)
+{
+	std::stringstream error_ss;
+
+	if (offset != *expected_offset)
+	{
+		error_ss << "pushData() was called on base_sink with offset " << offset << ", when it should have been " << *expected_offset << ".";
+		throw tc::Exception(error_ss.str());
+	}
+
+	if (data.size() != expected_data->size())
+	{
+		error_ss << "pushData() passed a ByteData to base_sink with size " << data.size() << ", when it should have been " << expected_data->size() << ".";
+		throw tc::Exception(error_ss.str());
+	}
+
+	if (memcmp(data.data(), expected_data->data(), data.size()) != 0)
+	{
+		throw tc::Exception("ByteData pushed to base sink did not have expected data.");
+	}
+
+	return data.size();
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/SinkTestUtil.h b/ctrtool/deps/libtoolchain/test/SinkTestUtil.h
new file mode 100644
index 00000000..07ea8ada
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/SinkTestUtil.h
@@ -0,0 +1,42 @@
+#pragma once
+
+#include <tc/io/ISink.h>
+#include <tc/NotImplementedException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+class SinkTestUtil
+{
+public:
+	static void testSinkLength(tc::io::ISink& source, int64_t expected_len);
+	
+	class DummySinkBase : public tc::io::ISink
+	{
+	public:
+		DummySinkBase();
+		DummySinkBase(int64_t length);
+		DummySinkBase(int64_t length, bool canSetLength);
+
+		void init(int64_t length, bool canSetLength);
+
+		int64_t length();
+		void setLength(int64_t length);
+		virtual size_t pushData(const tc::ByteData& data, int64_t offset);
+	private:
+		static const std::string kClassName;
+		bool mCanSetLength;
+		int64_t mLength;
+	};
+
+	class DummySinkTestablePushData : public DummySinkBase
+	{
+	public:
+		DummySinkTestablePushData();
+
+		void setExpectedPushDataCfg(const tc::ByteData& data, int64_t offset);
+
+		size_t pushData(const tc::ByteData& data, int64_t offset);
+	private:
+		std::shared_ptr<tc::ByteData> expected_data;
+		std::shared_ptr<int64_t> expected_offset;
+	};
+};
diff --git a/ctrtool/deps/libtoolchain/test/SourceTestUtil.cpp b/ctrtool/deps/libtoolchain/test/SourceTestUtil.cpp
new file mode 100644
index 00000000..6ba1e4fb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/SourceTestUtil.cpp
@@ -0,0 +1,32 @@
+#include "SourceTestUtil.h"
+#include <sstream>
+
+void SourceTestUtil::testSourceLength(tc::io::ISource& source, int64_t expected_len)
+{
+	std::stringstream error_ss;
+	int64_t actual_len = source.length();
+	if (actual_len != expected_len)
+	{
+		error_ss << "length() returned: " << actual_len << ", when it should have been " << expected_len << ".";
+		throw tc::Exception(error_ss.str());
+	}
+}
+
+void SourceTestUtil::pullTestHelper(tc::io::ISource& source, int64_t offset, size_t len, size_t expected_len, const byte_t* expected_data)
+{
+	std::stringstream error_ss;
+
+	tc::ByteData data = source.pullData(offset, len);
+
+	if (data.size() != expected_len)
+	{
+		error_ss << "pullData(offset: " << offset << ", len:" << len << ") returned ByteData with size(): " << data.size() << ", when it should have been " << expected_len;
+		throw tc::Exception(error_ss.str());
+	}
+
+	if (expected_data != nullptr && memcmp(data.data(), expected_data, expected_len) != 0)
+	{
+		error_ss << "pullData(offset: " << offset << ", len:" << len << ") returned ByteData with incorrect layout";
+		throw tc::Exception(error_ss.str());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/SourceTestUtil.h b/ctrtool/deps/libtoolchain/test/SourceTestUtil.h
new file mode 100644
index 00000000..be55babe
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/SourceTestUtil.h
@@ -0,0 +1,9 @@
+#pragma once
+#include <tc/io/ISource.h>
+
+class SourceTestUtil
+{
+public:
+	static void testSourceLength(tc::io::ISource& source, int64_t expected_len);
+	static void pullTestHelper(tc::io::ISource& source, int64_t offset, size_t len, size_t expected_len, const byte_t* expected_data);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/StreamTestUtil.cpp b/ctrtool/deps/libtoolchain/test/StreamTestUtil.cpp
new file mode 100644
index 00000000..466ae193
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/StreamTestUtil.cpp
@@ -0,0 +1,125 @@
+#include "StreamTestUtil.h"
+#include <fmt/core.h>
+#include <tc/cli.h>
+
+const std::string StreamTestUtil::DummyStreamBase::kClassName = "DummyStreamBase";
+
+void StreamTestUtil::constructor_TestHelper(tc::io::IStream& stream, int64_t stream_length, int64_t exp_pos_res, bool exp_canread_res, bool exp_canwrite_res, bool exp_canseek_res)
+{
+	int64_t length_res = stream.length();
+	int64_t pos_res = stream.position();
+	bool can_read = stream.canRead();
+	bool can_write = stream.canWrite();
+	bool can_seek = stream.canSeek();
+
+	if (length_res != stream_length)
+	{		
+		throw tc::Exception(fmt::format("Stream did not have length {:d} (actual {:d})", stream_length, length_res));
+	}
+
+	if (pos_res != exp_pos_res)
+	{
+		throw tc::Exception(fmt::format("Stream did not have position {:d} (actual {:d})", exp_pos_res, pos_res));
+	}
+
+	if (can_read != exp_canread_res)
+	{
+		throw tc::Exception(fmt::format("Stream property canRead() was not {} (actual {})", exp_canread_res, can_read));
+	}
+
+	if (can_write != exp_canwrite_res)
+	{
+		throw tc::Exception(fmt::format("Stream property canWrite() was not {} (actual {})", exp_canwrite_res, can_write));
+	}
+
+	if (can_seek != exp_canseek_res)
+	{
+		throw tc::Exception(fmt::format("Stream property canSeek() was not {} (actual {})", exp_canseek_res, can_seek));
+	}
+}
+
+void StreamTestUtil::seek_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, int64_t exp_seek_res, int64_t exp_pos_res)
+{
+	int64_t seek_res = stream.seek(seek_offset, seek_origin);
+	int64_t pos_res = stream.position();
+
+	if (seek_res != exp_seek_res)
+	{
+		throw tc::Exception(fmt::format("Stream did not return position from seek {:d} (actual {:d})", exp_seek_res, seek_res));
+	}
+
+	if (pos_res != exp_pos_res)
+	{
+		throw tc::Exception(fmt::format("Stream did not have position {:d} (actual {:d})", exp_pos_res, pos_res));
+	}
+}
+
+void StreamTestUtil::read_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, size_t dst_size, size_t read_count, size_t exp_read_res, int64_t exp_pos_res, const byte_t* expected_data)
+{
+	tc::ByteData data(dst_size);
+
+	// offset the position
+	stream.seek(seek_offset, seek_origin);
+
+	// read data
+	size_t read_res = stream.read(data.data(), read_count);
+
+	// check position
+	int64_t pos_res = stream.position();
+
+	// validate read result
+	if (read_res != exp_read_res)
+	{
+		throw tc::Exception(fmt::format("Stream did not read expected number of bytes {:d} (actual {:d})", exp_read_res, read_res));
+	}
+	
+	// validate read data
+	if (expected_data != nullptr && memcmp(data.data(), expected_data, exp_read_res) != 0)
+	{
+		throw tc::Exception(fmt::format("Stream did not read expected bytes (read: \"{}\", expected: \"{}\"", tc::cli::FormatUtil::formatBytesAsString(data.data(), data.size(), true, ""), tc::cli::FormatUtil::formatBytesAsString(expected_data, exp_read_res, true, "")));
+	}
+
+	// validate pos result
+	if (pos_res != exp_pos_res)
+	{
+		throw tc::Exception(fmt::format("Stream did not have position {:d} (actual {:d})", exp_pos_res, pos_res));
+	}
+}
+
+void StreamTestUtil::write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, tc::ByteData& data, int64_t exp_pos_res)
+{
+	write_TestHelper(stream, seek_offset, seek_origin, data.data(), data.size(), exp_pos_res);
+}
+
+void StreamTestUtil::write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, tc::ByteData& data, int64_t exp_pos_res, int64_t exp_length_res)
+{
+	write_TestHelper(stream, seek_offset, seek_origin, data.data(), data.size(), exp_pos_res, exp_length_res);
+}
+
+void StreamTestUtil::write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, const byte_t* data, size_t data_size, int64_t exp_pos_res)
+{
+	// offset the position
+	stream.seek(seek_offset, seek_origin);
+
+	stream.write(data, data_size);
+
+	int64_t pos_res = stream.position();
+
+	// validate pos result
+	if (pos_res != exp_pos_res)
+	{
+		throw tc::Exception(fmt::format("Stream did not have position {:d} (actual {:d})", exp_pos_res, pos_res));
+	}
+}
+
+void StreamTestUtil::write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, const byte_t* data, size_t data_size, int64_t exp_pos_res, int64_t exp_length_res)
+{
+	write_TestHelper(stream, seek_offset, seek_origin, data, data_size, exp_pos_res);
+
+	// validate length result
+	int64_t length_res = stream.length();
+	if (length_res != exp_length_res)
+	{
+		throw tc::Exception(fmt::format("Stream did not have length {:d} (actual {:d})", exp_length_res, length_res));
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/StreamTestUtil.h b/ctrtool/deps/libtoolchain/test/StreamTestUtil.h
new file mode 100644
index 00000000..28592181
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/StreamTestUtil.h
@@ -0,0 +1,154 @@
+#pragma once
+
+#include <tc/io/IStream.h>
+#include <tc/ByteData.h>
+#include <tc/NotImplementedException.h>
+#include <tc/ArgumentOutOfRangeException.h>
+
+class StreamTestUtil
+{
+public:
+	static void constructor_TestHelper(tc::io::IStream& stream, int64_t stream_length, int64_t exp_pos_res, bool exp_canread_res, bool exp_canwrite_res, bool exp_canseek_res);
+	static void seek_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, int64_t exp_seek_res, int64_t exp_pos_res);
+	static void read_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, size_t dst_size, size_t read_count, size_t exp_read_res, int64_t exp_pos_res, const byte_t* expected_data = nullptr);
+	static void write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, tc::ByteData& data, int64_t exp_pos_res);
+	static void write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, tc::ByteData& data, int64_t exp_pos_res, int64_t exp_length_res);
+	static void write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, const byte_t* data, size_t data_size, int64_t exp_pos_res);
+	static void write_TestHelper(tc::io::IStream& stream, int64_t seek_offset, tc::io::SeekOrigin seek_origin, const byte_t* data, size_t data_size, int64_t exp_pos_res, int64_t exp_length_res);
+
+	class DummyStreamBase : public tc::io::IStream
+	{
+	public:
+		DummyStreamBase() :
+			DummyStreamBase(0x10000000)
+		{
+		}
+
+		DummyStreamBase(int64_t length) :
+			DummyStreamBase(length, true, true, true, true, true)
+		{
+		}
+
+		DummyStreamBase(int64_t length, bool canRead, bool canWrite, bool canSeek, bool canSeekOnlyFromBegin, bool canSetLength)
+		{
+			init(length, canRead, canWrite, canSeek, canSeekOnlyFromBegin, canSetLength);
+		}
+
+		DummyStreamBase(int64_t length, int64_t position, bool canRead, bool canWrite, bool canSeek, bool canSeekOnlyFromBegin, bool canSetLength)
+		{
+			init(length, position, canRead, canWrite, canSeek, canSeekOnlyFromBegin, canSetLength);
+		}
+
+		void init(int64_t length, bool canRead, bool canWrite, bool canSeek, bool canSeekOnlyFromBegin, bool canSetLength)
+		{
+			init(length, 0, canRead, canWrite, canSeek, canSeekOnlyFromBegin, canSetLength);
+		}
+
+		void init(int64_t length, int64_t position, bool canRead, bool canWrite, bool canSeek, bool canSeekOnlyFromBegin, bool canSetLength)
+		{
+			mCanRead = canRead;
+			mCanWrite = canWrite;
+			mCanSeek = canSeek;
+			mCanSeekOnlyFromBegin = canSeekOnlyFromBegin;
+			mPosition = position;
+			mLength = length;
+		}
+
+		bool canRead() const
+		{
+			return mCanRead;
+		}
+
+		bool canWrite() const
+		{
+			return mCanWrite;
+		}
+
+		bool canSeek() const
+		{
+			return mCanSeek;
+		}
+
+		int64_t length()
+		{
+			return mLength;
+		}
+
+		int64_t position()
+		{
+			return mPosition;
+		}
+
+		virtual size_t read(byte_t* ptr, size_t count)
+		{
+			throw tc::NotImplementedException(kClassName, "read() not implemented");
+		}
+
+		virtual size_t write(const byte_t* ptr, size_t count)
+		{
+			throw tc::NotImplementedException(kClassName, "write() not implemented");
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{
+			if (origin != tc::io::SeekOrigin::Begin && mCanSeekOnlyFromBegin)
+				throw tc::ArgumentOutOfRangeException(kClassName, "Should not be passing seek origin values that are not SeekOrigin::Begin to the base stream");
+			
+			switch (origin)
+			{
+			case (tc::io::SeekOrigin::Begin):
+				mPosition = offset;
+				break;
+			case (tc::io::SeekOrigin::Current):
+				mPosition += offset;
+				break;
+			case (tc::io::SeekOrigin::End):
+				mPosition = mLength + offset;
+				break;
+			default:
+				throw tc::ArgumentOutOfRangeException(kClassName, "Illegal seek origin"); 
+			}
+
+			if (mPosition > mLength)
+			{
+				throw tc::ArgumentOutOfRangeException(kClassName, "Illegal seek position"); 
+			}
+
+			return mPosition;
+		}
+
+		void setLength(int64_t length)
+		{
+			if (mCanSetLength == false)
+				throw tc::NotImplementedException(kClassName, "setLength() is not implemented");
+
+			mLength = length;
+		}
+
+		void flush()
+		{
+			// nothing
+		}
+
+		void dispose()
+		{
+			flush();
+			mCanRead = false;
+			mCanWrite = false;
+			mCanSeek = false;
+			mCanSetLength = false;
+			mPosition = 0;
+			mLength = 0;
+		}
+	private:
+		static const std::string kClassName;
+		bool mCanRead;
+		bool mCanWrite;
+		bool mCanSeek;
+		bool mCanSeekOnlyFromBegin;
+		bool mCanSetLength;
+		int64_t mPosition;
+		int64_t mLength;
+	};
+	
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.cpp
new file mode 100644
index 00000000..79befee2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.cpp
@@ -0,0 +1,173 @@
+#include <tc/Exception.h>
+#include <iostream>
+#include <sstream>
+#include <iomanip>
+
+#include "bn_binaryutils_TestClass.h"
+
+void bn_binaryutils_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::bn (BinaryUtils)] START" << std::endl;
+	test_RoundUpFunc();
+	test_AlignFunc();
+	test_MakeStructMagicU32Func();
+	test_MakeStructMagicU64Func();
+	std::cout << "[tc::bn (BinaryUtils)] END" << std::endl;
+}
+
+void bn_binaryutils_TestClass::test_RoundUpFunc()
+{
+	std::cout << "[tc::bn (BinaryUtils)] test_RoundUpFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			util_RoundUpFuncTestCase(0, 0x200, 0x200);
+			util_RoundUpFuncTestCase(1, 0x200, 0x200);
+			util_RoundUpFuncTestCase(0x10, 0x200, 0x200);
+			util_RoundUpFuncTestCase(0x1FF, 0x200, 0x200);
+			util_RoundUpFuncTestCase(0x200, 0x200, 0x400);
+			util_RoundUpFuncTestCase(0x201, 0x200, 0x400);
+			util_RoundUpFuncTestCase(0x3FF, 0x200, 0x400);
+			util_RoundUpFuncTestCase(0xDEADBE00, 0x200, 0xDEADC000);
+			util_RoundUpFuncTestCase(0xDEADBEEF, 0x200, 0xDEADC000);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_binaryutils_TestClass::util_RoundUpFuncTestCase(uint32_t value, uint32_t alignment, uint32_t expected_result)
+{
+	std::stringstream error_ss;
+	uint32_t result = roundup<uint32_t>(value, alignment);
+	if (result != expected_result)
+	{
+		error_ss << std::hex;
+		error_ss << "roundup(0x" << value << ", 0x" << alignment << ") returned: 0x" << result << " (expected: 0x" << expected_result << ")" << std::endl;
+		throw tc::Exception(error_ss.str());
+	}
+}
+
+void bn_binaryutils_TestClass::test_AlignFunc()
+{
+	std::cout << "[tc::bn (BinaryUtils)] test_AlignFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			util_AlignFuncTestCase(0, 0x200, 0x0);
+			util_AlignFuncTestCase(1, 0x200, 0x200);
+			util_AlignFuncTestCase(0x10, 0x200, 0x200);
+			util_AlignFuncTestCase(0x1FF, 0x200, 0x200);
+			util_AlignFuncTestCase(0x200, 0x200, 0x200);
+			util_AlignFuncTestCase(0x201, 0x200, 0x400);
+			util_AlignFuncTestCase(0x3FF, 0x200, 0x400);
+			util_AlignFuncTestCase(0xDEADBE00, 0x200, 0xDEADBE00);
+			util_AlignFuncTestCase(0xDEADBEEF, 0x200, 0xDEADC000);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_binaryutils_TestClass::util_AlignFuncTestCase(uint32_t value, uint32_t alignment, uint32_t expected_result)
+{
+	std::stringstream error_ss;
+	uint32_t result = align<uint32_t>(value, alignment);
+	if (result != expected_result)
+	{
+		error_ss << std::hex;
+		error_ss << "align(0x" << value << ", 0x" << alignment << ") returned: 0x" << result << " (expected: 0x" << expected_result << ")" << std::endl;
+		throw tc::Exception(error_ss.str());
+	}
+}
+
+void bn_binaryutils_TestClass::test_MakeStructMagicU32Func()
+{
+	std::cout << "[tc::bn (BinaryUtils)] test_MakeStructMagicU32Func : " << std::flush;
+	try
+	{
+		try 
+		{
+			util_MakeStructMagicU32FuncTestCase("BABE", 0x45424142);
+			util_MakeStructMagicU32FuncTestCase("NEXT", 0x5458454E);
+			util_MakeStructMagicU32FuncTestCase("\x7F""ELF", 0x464C457F);
+			util_MakeStructMagicU32FuncTestCase("BIN0", 0x304E4942);
+		
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_binaryutils_TestClass::util_MakeStructMagicU32FuncTestCase(const char* struct_magic_str, uint32_t expected_result)
+{
+	std::stringstream error_ss;
+	uint32_t result = tc::bn::make_struct_magic_uint32(struct_magic_str);
+	if (result != expected_result)
+	{
+		error_ss << std::hex;
+		error_ss << "make_struct_magic_uint32() returned: 0x" << result << " (expected: 0x" << expected_result << ")" << std::endl;
+		throw tc::Exception(error_ss.str());
+	}
+}
+
+void bn_binaryutils_TestClass::test_MakeStructMagicU64Func()
+{
+	std::cout << "[tc::bn (BinaryUtils)] test_MakeStructMagicU64Func : " << std::flush;
+	try
+	{
+		try 
+		{
+			util_MakeStructMagicU64FuncTestCase("HOMEBREW", 0x57455242454D4F48);
+			util_MakeStructMagicU64FuncTestCase("NEXTSPEC", 0x434550535458454E);
+			util_MakeStructMagicU64FuncTestCase("EMPTY\0\0\0", 0x0000005954504D45);
+		
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_binaryutils_TestClass::util_MakeStructMagicU64FuncTestCase(const char* struct_magic_str, uint64_t expected_result)
+{
+	std::stringstream error_ss;
+	uint64_t result = tc::bn::make_struct_magic_uint64(struct_magic_str);
+	if (result != expected_result)
+	{
+		error_ss << std::hex;
+		error_ss << "make_struct_magic_uint32() returned: 0x" << result << " (expected: 0x" << expected_result << ")" << std::endl;
+		throw tc::Exception(error_ss.str());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.h
new file mode 100644
index 00000000..aa6dd79b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_binaryutils_TestClass.h
@@ -0,0 +1,25 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/bn.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotImplementedException.h>
+
+class bn_binaryutils_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_RoundUpFunc();
+	void util_RoundUpFuncTestCase(uint32_t value, uint32_t alignment, uint32_t expected_result);
+
+	void test_AlignFunc();
+	void util_AlignFuncTestCase(uint32_t value, uint32_t alignment, uint32_t expected_result);
+
+	void test_MakeStructMagicU32Func();
+	void util_MakeStructMagicU32FuncTestCase(const char* struct_magic_str, uint32_t expected_result);
+
+	void test_MakeStructMagicU64Func();
+	void util_MakeStructMagicU64FuncTestCase(const char* struct_magic_str, uint64_t expected_result);
+	
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.cpp
new file mode 100644
index 00000000..d94b13e7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.cpp
@@ -0,0 +1,238 @@
+#include <tc/Exception.h>
+#include <iostream>
+#include <sstream>
+#include <algorithm>
+
+#include <tc/types.h>
+
+#include "bn_bitarrayByteBEBitBE_TestClass.h"
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteBEBitBE_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::bn::bitarray<BE,BE>] START" << std::endl;
+	test_Size();
+	test_TestBit();
+	test_SetBit();
+	test_ResetBit();
+	test_FlipBit();
+	std::cout << "[tc::bn::bitarray<BE,BE>] END" << std::endl;
+}
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteBEBitBE_TestClass::test_Size()
+{
+	std::cout << "[tc::bn::bitarray<BE,BE>] test_Size : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			static const size_t kBitArraySize = sizeof(uint32_t);
+			tc::bn::bitarray<kBitArraySize, false, false> bf;
+			if (sizeof(bf) != kBitArraySize)
+			{
+				ss << "sizeof(bf) had value " << std::dec << sizeof(bf) << " (expected " << kBitArraySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitBE_TestClass::test_TestBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,BE>] test_TestBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			helper_TestBit("All bits clear", bf, {});
+
+			// set all bits
+			*((uint32_t*)&bf) = -1;
+			helper_TestBit("All bits set", bf, {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31});
+
+			// test endianness calculation
+			byte_t* bf_raw = (byte_t*)&bf;
+
+			// set byte0 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x01;
+			helper_TestBit("byte0bit0 test", bf, {31});
+
+			// set byte0 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x80;
+			helper_TestBit("byte0bit7 test", bf, {24});
+
+			// set byte3 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x01;
+			helper_TestBit("byte3bit0 test", bf, {7});
+
+			// set byte3 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x80;
+			helper_TestBit("byte3bit7 test", bf, {0});
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitBE_TestClass::test_SetBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,BE>] test_SetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.set(i);
+				if (bf.test(i) != true)
+				{
+					ss << "set() failed to set bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitBE_TestClass::test_ResetBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,BE>] test_ResetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.reset(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to clear bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitBE_TestClass::test_FlipBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,BE>] test_FlipBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.flip(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to flip bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitBE_TestClass::helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits)
+{
+	std::stringstream ss;
+	for (size_t i = 0; i < bitarray.bit_size(); i++)
+	{
+		bool res = bitarray.test(i);
+		bool expected_res = std::find(expected_set_bits.begin(), expected_set_bits.end(), i) != expected_set_bits.end();
+		if (res != expected_res)
+		{
+			if (test_name.empty() == false)
+				ss << test_name << " : ";
+			ss << "bitarray.test(" << std::dec << i << ") had value " << std::boolalpha << res << " (expected " << std::boolalpha << expected_res << ")";
+			throw tc::Exception(ss.str());
+		}
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.h
new file mode 100644
index 00000000..0eed781c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitBE_TestClass.h
@@ -0,0 +1,19 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc/types.h>
+
+class bn_bitarrayByteBEBitBE_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Size();
+	void test_TestBit();
+	void test_SetBit();
+	void test_ResetBit();
+	void test_FlipBit();
+
+	using testtype_t = tc::bn::bitarray<sizeof(uint32_t), false, false>;
+
+	void helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.cpp
new file mode 100644
index 00000000..a6591e2f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.cpp
@@ -0,0 +1,238 @@
+#include <tc/Exception.h>
+#include <iostream>
+#include <sstream>
+#include <algorithm>
+
+#include <tc/types.h>
+
+#include "bn_bitarrayByteBEBitLE_TestClass.h"
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteBEBitLE_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::bn::bitarray<BE,LE>] START" << std::endl;
+	test_Size();
+	test_TestBit();
+	test_SetBit();
+	test_ResetBit();
+	test_FlipBit();
+	std::cout << "[tc::bn::bitarray<BE,LE>] END" << std::endl;
+}
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteBEBitLE_TestClass::test_Size()
+{
+	std::cout << "[tc::bn::bitarray<BE,LE>] test_Size : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			static const size_t kBitArraySize = sizeof(uint32_t);
+			tc::bn::bitarray<kBitArraySize, false, true> bf;
+			if (sizeof(bf) != kBitArraySize)
+			{
+				ss << "sizeof(bf) had value " << std::dec << sizeof(bf) << " (expected " << kBitArraySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitLE_TestClass::test_TestBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,LE>] test_TestBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			helper_TestBit("All bits clear", bf, {});
+
+			// set all bits
+			*((uint32_t*)&bf) = -1;
+			helper_TestBit("All bits set", bf, {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31});
+
+			// test endianness calculation
+			byte_t* bf_raw = (byte_t*)&bf;
+
+			// set byte0 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x01;
+			helper_TestBit("byte0bit0 test", bf, {24});
+
+			// set byte0 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x80;
+			helper_TestBit("byte0bit7 test", bf, {31});
+
+			// set byte3 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x01;
+			helper_TestBit("byte3bit0 test", bf, {0});
+
+			// set byte3 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x80;
+			helper_TestBit("byte3bit7 test", bf, {7});
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitLE_TestClass::test_SetBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,LE>] test_SetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.set(i);
+				if (bf.test(i) != true)
+				{
+					ss << "set() failed to set bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitLE_TestClass::test_ResetBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,LE>] test_ResetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.reset(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to clear bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitLE_TestClass::test_FlipBit()
+{
+	std::cout << "[tc::bn::bitarray<BE,LE>] test_FlipBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.flip(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to flip bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteBEBitLE_TestClass::helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits)
+{
+	std::stringstream ss;
+	for (size_t i = 0; i < bitarray.bit_size(); i++)
+	{
+		bool res = bitarray.test(i);
+		bool expected_res = std::find(expected_set_bits.begin(), expected_set_bits.end(), i) != expected_set_bits.end();
+		if (res != expected_res)
+		{
+			if (test_name.empty() == false)
+				ss << test_name << " : ";
+			ss << "bitarray.test(" << std::dec << i << ") had value " << std::boolalpha << res << " (expected " << std::boolalpha << expected_res << ")";
+			throw tc::Exception(ss.str());
+		}
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.h
new file mode 100644
index 00000000..4b3eef55
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteBEBitLE_TestClass.h
@@ -0,0 +1,19 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc/types.h>
+
+class bn_bitarrayByteBEBitLE_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Size();
+	void test_TestBit();
+	void test_SetBit();
+	void test_ResetBit();
+	void test_FlipBit();
+
+	using testtype_t = tc::bn::bitarray<sizeof(uint32_t), false, true>;
+
+	void helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.cpp
new file mode 100644
index 00000000..b5ed7335
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.cpp
@@ -0,0 +1,238 @@
+#include <tc/Exception.h>
+#include <iostream>
+#include <sstream>
+#include <algorithm>
+
+#include <tc/types.h>
+
+#include "bn_bitarrayByteLEBitBE_TestClass.h"
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteLEBitBE_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::bn::bitarray<LE,BE>] START" << std::endl;
+	test_Size();
+	test_TestBit();
+	test_SetBit();
+	test_ResetBit();
+	test_FlipBit();
+	std::cout << "[tc::bn::bitarray<LE,BE>] END" << std::endl;
+}
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteLEBitBE_TestClass::test_Size()
+{
+	std::cout << "[tc::bn::bitarray<LE,BE>] test_Size : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			static const size_t kBitArraySize = sizeof(uint32_t);
+			tc::bn::bitarray<kBitArraySize, true, false> bf;
+			if (sizeof(bf) != kBitArraySize)
+			{
+				ss << "sizeof(bf) had value " << std::dec << sizeof(bf) << " (expected " << kBitArraySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitBE_TestClass::test_TestBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,BE>] test_TestBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			helper_TestBit("All bits clear", bf, {});
+
+			// set all bits
+			*((uint32_t*)&bf) = -1;
+			helper_TestBit("All bits set", bf, {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31});
+
+			// test endianness calculation
+			byte_t* bf_raw = (byte_t*)&bf;
+
+			// set byte0 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x01;
+			helper_TestBit("byte0bit0 test", bf, {7});
+
+			// set byte0 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x80;
+			helper_TestBit("byte0bit7 test", bf, {0});
+
+			// set byte3 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x01;
+			helper_TestBit("byte3bit0 test", bf, {31});
+
+			// set byte3 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x80;
+			helper_TestBit("byte3bit7 test", bf, {24});
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitBE_TestClass::test_SetBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,BE>] test_SetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.set(i);
+				if (bf.test(i) != true)
+				{
+					ss << "set() failed to set bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitBE_TestClass::test_ResetBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,BE>] test_ResetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.reset(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to clear bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitBE_TestClass::test_FlipBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,BE>] test_FlipBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.flip(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to flip bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitBE_TestClass::helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits)
+{
+	std::stringstream ss;
+	for (size_t i = 0; i < bitarray.bit_size(); i++)
+	{
+		bool res = bitarray.test(i);
+		bool expected_res = std::find(expected_set_bits.begin(), expected_set_bits.end(), i) != expected_set_bits.end();
+		if (res != expected_res)
+		{
+			if (test_name.empty() == false)
+				ss << test_name << " : ";
+			ss << "bitarray.test(" << std::dec << i << ") had value " << std::boolalpha << res << " (expected " << std::boolalpha << expected_res << ")";
+			throw tc::Exception(ss.str());
+		}
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.h
new file mode 100644
index 00000000..fff2845c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitBE_TestClass.h
@@ -0,0 +1,19 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc/types.h>
+
+class bn_bitarrayByteLEBitBE_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Size();
+	void test_TestBit();
+	void test_SetBit();
+	void test_ResetBit();
+	void test_FlipBit();
+
+	using testtype_t = tc::bn::bitarray<sizeof(uint32_t), true, false>;
+
+	void helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.cpp
new file mode 100644
index 00000000..f5cacaa3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.cpp
@@ -0,0 +1,238 @@
+#include <tc/Exception.h>
+#include <iostream>
+#include <sstream>
+#include <algorithm>
+
+#include <tc/types.h>
+
+#include "bn_bitarrayByteLEBitLE_TestClass.h"
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteLEBitLE_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::bn::bitarray<LE,LE>] START" << std::endl;
+	test_Size();
+	test_TestBit();
+	test_SetBit();
+	test_ResetBit();
+	test_FlipBit();
+	std::cout << "[tc::bn::bitarray<LE,LE>] END" << std::endl;
+}
+
+//---------------------------------------------------------
+
+void bn_bitarrayByteLEBitLE_TestClass::test_Size()
+{
+	std::cout << "[tc::bn::bitarray<LE,LE>] test_Size : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			static const size_t kBitArraySize = sizeof(uint32_t);
+			tc::bn::bitarray<kBitArraySize, true, true> bf;
+			if (sizeof(bf) != kBitArraySize)
+			{
+				ss << "sizeof(bf) had value " << std::dec << sizeof(bf) << " (expected " << kBitArraySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitLE_TestClass::test_TestBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,LE>] test_TestBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			helper_TestBit("All bits clear", bf, {});
+
+			// set all bits
+			*((uint32_t*)&bf) = -1;
+			helper_TestBit("All bits set", bf, {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31});
+
+			// test endianness calculation
+			byte_t* bf_raw = (byte_t*)&bf;
+
+			// set byte0 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x01;
+			helper_TestBit("byte0bit0 test", bf, {0});
+
+			// set byte0 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[0] = 0x80;
+			helper_TestBit("byte0bit7 test", bf, {7});
+
+			// set byte3 bit0
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x01;
+			helper_TestBit("byte3bit0 test", bf, {24});
+
+			// set byte3 bit7
+			*((uint32_t*)&bf) = 0;
+			bf_raw[3] = 0x80;
+			helper_TestBit("byte3bit7 test", bf, {31});
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitLE_TestClass::test_SetBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,LE>] test_SetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = 0;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.set(i);
+				if (bf.test(i) != true)
+				{
+					ss << "set() failed to set bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitLE_TestClass::test_ResetBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,LE>] test_ResetBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.reset(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to clear bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitLE_TestClass::test_FlipBit()
+{
+	std::cout << "[tc::bn::bitarray<LE,LE>] test_FlipBit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check size
+			testtype_t bf;
+			
+			// clear all bits
+			*((uint32_t*)&bf) = -1;
+			
+			for (size_t i = 0; i < bf.bit_size(); i++)
+			{
+				bf.flip(i);
+				if (bf.test(i) != false)
+				{
+					ss << "reset() failed to flip bit " << std::dec << i << std::endl;
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void bn_bitarrayByteLEBitLE_TestClass::helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits)
+{
+	std::stringstream ss;
+	for (size_t i = 0; i < bitarray.bit_size(); i++)
+	{
+		bool res = bitarray.test(i);
+		bool expected_res = std::find(expected_set_bits.begin(), expected_set_bits.end(), i) != expected_set_bits.end();
+		if (res != expected_res)
+		{
+			if (test_name.empty() == false)
+				ss << test_name << " : ";
+			ss << "bitarray.test(" << std::dec << i << ") had value " << std::boolalpha << res << " (expected " << std::boolalpha << expected_res << ")";
+			throw tc::Exception(ss.str());
+		}
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.h
new file mode 100644
index 00000000..a02be1f4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_bitarrayByteLEBitLE_TestClass.h
@@ -0,0 +1,19 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc/types.h>
+
+class bn_bitarrayByteLEBitLE_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Size();
+	void test_TestBit();
+	void test_SetBit();
+	void test_ResetBit();
+	void test_FlipBit();
+
+	using testtype_t = tc::bn::bitarray<sizeof(uint32_t), true, true>;
+
+	void helper_TestBit(const std::string& test_name, const testtype_t& bitarray, const std::vector<size_t>& expected_set_bits);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_endian_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_endian_TestClass.cpp
new file mode 100644
index 00000000..0575be87
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_endian_TestClass.cpp
@@ -0,0 +1,778 @@
+#include <tc.h>
+#include <fmt/core.h>
+
+#include "bn_endian_TestClass.h"
+
+void bn_endian_TestClass::runAllTests()
+{
+	fmt::print("[tc::bn endian_types] START\n");
+	testLocalBSwap16();
+	testLocalBSwap32();
+	testLocalBSwap64();
+	testBeUint64Inline();
+	testBeUint32Inline();
+	testBeUint16Inline();
+	testLeUint64Inline();
+	testLeUint32Inline();
+	testLeUint16Inline();
+	testBeSwap64Inline();
+	testBeSwap32Inline();
+	testBeSwap16Inline();
+	testLeSwap64Inline();
+	testLeSwap32Inline();
+	testLeSwap16Inline();
+	testBe64TemplateClass();
+	testBe32TemplateClass();
+	testBe16TemplateClass();
+	testLe64TemplateClass();
+	testLe32TemplateClass();
+	testLe16TemplateClass();
+	fmt::print("[tc::bn endian_types] END\n");
+}
+
+void bn_endian_TestClass::testLocalBSwap16()
+{
+	fmt::print("[tc::bn::detail::__local_bswap16] testLocalBSwap16 : ");
+	try 
+	{
+		uint16_t x = 0xabcd;
+		uint16_t x_inv = 0xcdab;
+
+		uint16_t swap_ret = tc::bn::detail::__local_bswap16(x);
+		if (swap_ret != x_inv)
+		{
+			throw tc::Exception(fmt::format("tc::bn::detail::__local_bswap16(uint16_t) returned 0x{:x} (expected: 0x{:x}", swap_ret, x_inv));
+		}
+
+		uint16_t x_test = x;
+		tc::bn::detail::__local_bswap16(&x_test);
+		if (x_test != x_inv)
+		{
+			throw tc::Exception(fmt::format("tc::bn::detail::__local_bswap16(void*) transformed 0x{:x} -> 0x{:x} (expected: 0x{:x}", x, x_test, x_inv));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLocalBSwap32()
+{
+	fmt::print("[tc::bn::detail::__local_bswap32] testLocalBSwap32 : ");
+	try 
+	{
+		uint32_t x = 0xabcd1234;
+		uint32_t x_inv = 0x3412cdab;
+
+		uint32_t swap_ret = tc::bn::detail::__local_bswap32(x);
+		if (swap_ret != x_inv)
+		{
+			throw tc::Exception(fmt::format("tc::bn::detail::__local_bswap32(uint32_t) returned 0x{:x} (expected: 0x{:x}", swap_ret, x_inv));
+		}
+
+		uint32_t x_test = x;
+		tc::bn::detail::__local_bswap32(&x_test);
+		if (x_test != x_inv)
+		{
+			throw tc::Exception(fmt::format("tc::bn::detail::__local_bswap32(void*) transformed 0x{:x} -> 0x{:x} (expected: 0x{:x}", x, x_test, x_inv));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLocalBSwap64()
+{
+	fmt::print("[tc::bn::detail::__local_bswap64] testLocalBSwap64 : ");
+	try 
+	{
+		uint64_t x = 0x0123456789abcdef;
+		uint64_t x_inv = 0xefcdab8967452301;
+
+		uint64_t swap_ret = tc::bn::detail::__local_bswap64(x);
+		if (swap_ret != x_inv)
+		{
+			throw tc::Exception(fmt::format("tc::bn::detail::__local_bswap64(uint64_t) returned 0x{:x} (expected: 0x{:x}", swap_ret, x_inv));
+		}
+
+		uint64_t x_test = x;
+		tc::bn::detail::__local_bswap64(&x_test);
+		if (x_test != x_inv)
+		{
+			throw tc::Exception(fmt::format("tc::bn::detail::__local_bswap64(void*) transformed 0x{:x} -> 0x{:x} (expected: 0x{:x}", x, x_test, x_inv));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBeUint64Inline()
+{
+	fmt::print("[tc::bn::detail::__be_uint64] testBeUint64Inline : ");
+	try 
+	{
+		uint8_t x_raw[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		uint64_t* x_raw_ptr = (uint64_t*)&x_raw;
+		uint64_t x_expected = 0x0123456789abcdef;
+
+		uint64_t x_ret = tc::bn::detail::__be_uint64(*x_raw_ptr);
+		if (x_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", *x_raw_ptr, x_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBeUint32Inline()
+{
+	fmt::print("[tc::bn::detail::__be_uint32] testBeUint32Inline : ");
+	try 
+	{
+		uint8_t x_raw[4] = { 0x01, 0x23, 0x45, 0x67 };
+		uint32_t* x_raw_ptr = (uint32_t*)&x_raw;
+		uint32_t x_expected = 0x01234567;
+
+		uint32_t x_ret = tc::bn::detail::__be_uint32(*x_raw_ptr);
+		if (x_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", *x_raw_ptr, x_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBeUint16Inline()
+{
+	fmt::print("[tc::bn::detail::__be_uint16] testBeUint16Inline : ");
+	try 
+	{
+		uint8_t x_raw[2] = { 0x01, 0x23 };
+		uint16_t* x_raw_ptr = (uint16_t*)&x_raw;
+		uint16_t x_expected = 0x0123;
+
+		uint16_t x_ret = tc::bn::detail::__be_uint16(*x_raw_ptr);
+		if (x_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", *x_raw_ptr, x_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLeUint64Inline()
+{
+	fmt::print("[tc::bn::detail::__le_uint64] testLeUint64Inline : ");
+	try 
+	{
+		uint8_t x_raw[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		uint64_t* x_raw_ptr = (uint64_t*)&x_raw;
+		uint64_t x_expected = 0xefcdab8967452301;
+
+		uint64_t x_ret = tc::bn::detail::__le_uint64(*x_raw_ptr);
+		if (x_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", *x_raw_ptr, x_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLeUint32Inline()
+{
+	fmt::print("[tc::bn::detail::__le_uint32] testLeUint32Inline : ");
+	try 
+	{
+		uint8_t x_raw[4] = { 0x01, 0x23, 0x45, 0x67 };
+		uint32_t* x_raw_ptr = (uint32_t*)&x_raw;
+		uint32_t x_expected = 0x67452301;
+
+		uint32_t x_ret = tc::bn::detail::__le_uint32(*x_raw_ptr);
+		if (x_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", *x_raw_ptr, x_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLeUint16Inline()
+{
+	fmt::print("[tc::bn::detail::__le_uint16] testLeUint16Inline : ");
+	try 
+	{
+		uint8_t x_raw[2] = { 0x01, 0x23 };
+		uint16_t* x_raw_ptr = (uint16_t*)&x_raw;
+		uint16_t x_expected = 0x2301;
+
+		uint16_t x_ret = tc::bn::detail::__le_uint16(*x_raw_ptr);
+		if (x_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", *x_raw_ptr, x_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBeSwap64Inline()
+{
+	fmt::print("[tc::bn::detail::__be_swap64] testBeSwap64Inline : ");
+	try 
+	{
+		uint8_t x_raw[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		uint64_t* x_raw_ptr = (uint64_t*)&x_raw;
+		uint64_t x_expected = 0x0123456789abcdef;
+
+		uint64_t x_before = *x_raw_ptr;
+		tc::bn::detail::__be_swap64(x_raw);
+		uint64_t x_after = *x_raw_ptr;
+		if (x_after != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", x_before, x_after, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBeSwap32Inline()
+{
+	fmt::print("[tc::bn::detail::__be_swap32] testBeSwap32Inline : ");
+	try 
+	{
+		uint8_t x_raw[4] = { 0x01, 0x23, 0x45, 0x67 };
+		uint32_t* x_raw_ptr = (uint32_t*)&x_raw;
+		uint32_t x_expected = 0x01234567;
+
+		uint32_t x_before = *x_raw_ptr;
+		tc::bn::detail::__be_swap32(x_raw);
+		uint32_t x_after = *x_raw_ptr;
+		if (x_after != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", x_before, x_after, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBeSwap16Inline()
+{
+	fmt::print("[tc::bn::detail::__be_swap16] testBeSwap16Inline : ");
+	try 
+	{
+		uint8_t x_raw[2] = { 0x01, 0x23 };
+		uint16_t* x_raw_ptr = (uint16_t*)&x_raw;
+		uint16_t x_expected = 0x0123;
+
+		uint16_t x_before = *x_raw_ptr;
+		tc::bn::detail::__be_swap16(x_raw);
+		uint16_t x_after = *x_raw_ptr;
+		if (x_after != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", x_before, x_after, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLeSwap64Inline()
+{
+	fmt::print("[tc::bn::detail::__le_swap64] testLeSwap64Inline : ");
+	try 
+	{
+		uint8_t x_raw[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		uint64_t* x_raw_ptr = (uint64_t*)&x_raw;
+		uint64_t x_expected = 0xefcdab8967452301;
+
+		uint64_t x_before = *x_raw_ptr;
+		tc::bn::detail::__le_swap64(x_raw);
+		uint64_t x_after = *x_raw_ptr;
+		if (x_after != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", x_before, x_after, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLeSwap32Inline()
+{
+	fmt::print("[tc::bn::detail::__le_swap32] testLeSwap32Inline : ");
+	try 
+	{
+		uint8_t x_raw[4] = { 0x01, 0x23, 0x45, 0x67 };
+		uint32_t* x_raw_ptr = (uint32_t*)&x_raw;
+		uint32_t x_expected = 0x67452301;
+
+		uint32_t x_before = *x_raw_ptr;
+		tc::bn::detail::__le_swap32(x_raw);
+		uint32_t x_after = *x_raw_ptr;
+		if (x_after != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", x_before, x_after, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLeSwap16Inline()
+{
+	fmt::print("[tc::bn::detail::__le_swap16] testLeSwap16Inline : ");
+	try 
+	{
+		uint8_t x_raw[2] = { 0x01, 0x23 };
+		uint16_t* x_raw_ptr = (uint16_t*)&x_raw;
+		uint16_t x_expected = 0x2301;
+
+		uint16_t x_before = *x_raw_ptr;
+		tc::bn::detail::__le_swap16(x_raw);
+		uint16_t x_after = *x_raw_ptr;
+		if (x_after != x_expected)
+		{
+			throw tc::Exception(fmt::format("transformed 0x{:x} -> 0x{:x} (expected 0x{:x})", x_before, x_after, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBe64TemplateClass()
+{
+	fmt::print("[tc::bn::be64<uint64_t>] testBe64TemplateClass : ");
+	try 
+	{
+		uint8_t x_raw[sizeof(uint64_t)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		uint8_t x_raw_expected[sizeof(uint64_t)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		tc::bn::be64<uint64_t>* x_raw_ptr = (tc::bn::be64<uint64_t>*)&x_raw;
+		uint64_t x_expected = 0x0123456789abcdef;
+		uint64_t unwrap_ret;
+
+		// explicit unwrap/wrap
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be64<uint64_t>::unwrap() returned 0x{:x} (expected 0x{:x}", unwrap_ret, x_expected));
+		}
+
+		x_raw_ptr->wrap(0);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be64<uint64_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0, unwrap_ret, 0));
+		}
+
+		x_raw_ptr->wrap(x_expected);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint64_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be64<uint64_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+
+		// implicit unwrap/wrap
+		x_raw_ptr = (tc::bn::be64<uint64_t>*)&x_raw;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be64<uint64_t> implicit unwrap returned 0x{:x} (expected 0x{:x})", unwrap_ret, x_expected));
+		}
+
+		(*x_raw_ptr) = 0;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be64<uint64_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0x0, unwrap_ret, 0x0));
+		}
+
+		(*x_raw_ptr) = x_expected;
+		unwrap_ret = (*x_raw_ptr);
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint64_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be64<uint64_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBe32TemplateClass()
+{
+	fmt::print("[tc::bn::be32<uint32_t>] testBe32TemplateClass : ");
+	try 
+	{
+		uint8_t x_raw[sizeof(uint32_t)] = { 0x01, 0x23, 0x45, 0x67 };
+		uint8_t x_raw_expected[sizeof(uint32_t)] = { 0x01, 0x23, 0x45, 0x67 };
+		tc::bn::be32<uint32_t>* x_raw_ptr = (tc::bn::be32<uint32_t>*)&x_raw;
+		uint32_t x_expected = 0x01234567;
+		uint32_t unwrap_ret;
+
+		// explicit unwrap/wrap
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be32<uint32_t>::unwrap() returned 0x{:x} (expected 0x{:x}", unwrap_ret, x_expected));
+		}
+
+		x_raw_ptr->wrap(0);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be32<uint32_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0, unwrap_ret, 0));
+		}
+
+		x_raw_ptr->wrap(x_expected);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint32_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be32<uint32_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+
+		// implicit unwrap/wrap
+		x_raw_ptr = (tc::bn::be32<uint32_t>*)&x_raw;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be32<uint32_t> implicit unwrap returned 0x{:x} (expected 0x{:x})", unwrap_ret, x_expected));
+		}
+
+		(*x_raw_ptr) = 0;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be32<uint32_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0x0, unwrap_ret, 0x0));
+		}
+
+		(*x_raw_ptr) = x_expected;
+		unwrap_ret = (*x_raw_ptr);
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint32_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be32<uint32_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testBe16TemplateClass()
+{
+	fmt::print("[tc::bn::be16<uint16_t>] testBe16TemplateClass : ");
+	try 
+	{
+		uint8_t x_raw[sizeof(uint16_t)] = { 0x01, 0x23 };
+		uint8_t x_raw_expected[sizeof(uint16_t)] = { 0x01, 0x23 };
+		tc::bn::be16<uint16_t>* x_raw_ptr = (tc::bn::be16<uint16_t>*)&x_raw;
+		uint16_t x_expected = 0x0123;
+		uint16_t unwrap_ret;
+
+		// explicit unwrap/wrap
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be16<uint16_t>::unwrap() returned 0x{:x} (expected 0x{:x}", unwrap_ret, x_expected));
+		}
+
+		x_raw_ptr->wrap(0);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be16<uint16_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0, unwrap_ret, 0));
+		}
+
+		x_raw_ptr->wrap(x_expected);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint16_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be16<uint16_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+
+		// implicit unwrap/wrap
+		x_raw_ptr = (tc::bn::be16<uint16_t>*)&x_raw;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be16<uint16_t> implicit unwrap returned 0x{:x} (expected 0x{:x})", unwrap_ret, x_expected));
+		}
+
+		(*x_raw_ptr) = 0;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be16<uint16_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0x0, unwrap_ret, 0x0));
+		}
+
+		(*x_raw_ptr) = x_expected;
+		unwrap_ret = (*x_raw_ptr);
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint16_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::be16<uint16_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLe64TemplateClass()
+{
+	fmt::print("[tc::bn::le64<uint64_t>] testLe64TemplateClass : ");
+	try 
+	{
+		uint8_t x_raw[sizeof(uint64_t)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		uint8_t x_raw_expected[sizeof(uint64_t)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
+		tc::bn::le64<uint64_t>* x_raw_ptr = (tc::bn::le64<uint64_t>*)&x_raw;
+		uint64_t x_expected = 0xefcdab8967452301;
+		uint64_t unwrap_ret;
+
+		// explicit unwrap/wrap
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le64<uint64_t>::unwrap() returned 0x{:x} (expected 0x{:x}", unwrap_ret, x_expected));
+		}
+
+		x_raw_ptr->wrap(0);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le64<uint64_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0, unwrap_ret, 0));
+		}
+
+		x_raw_ptr->wrap(x_expected);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint64_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le64<uint64_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+
+		// implicit unwrap/wrap
+		x_raw_ptr = (tc::bn::le64<uint64_t>*)&x_raw;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le64<uint64_t> implicit unwrap returned 0x{:x} (expected 0x{:x})", unwrap_ret, x_expected));
+		}
+
+		(*x_raw_ptr) = 0;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le64<uint64_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0x0, unwrap_ret, 0x0));
+		}
+
+		(*x_raw_ptr) = x_expected;
+		unwrap_ret = (*x_raw_ptr);
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint64_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le64<uint64_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLe32TemplateClass()
+{
+	fmt::print("[tc::bn::le32<uint32_t>] testLe32TemplateClass : ");
+	try 
+	{
+		uint8_t x_raw[sizeof(uint32_t)] = { 0x01, 0x23, 0x45, 0x67 };
+		uint8_t x_raw_expected[sizeof(uint32_t)] = { 0x01, 0x23, 0x45, 0x67 };
+		tc::bn::le32<uint32_t>* x_raw_ptr = (tc::bn::le32<uint32_t>*)&x_raw;
+		uint32_t x_expected = 0x67452301;
+		uint32_t unwrap_ret;
+
+		// explicit unwrap/wrap
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le32<uint32_t>::unwrap() returned 0x{:x} (expected 0x{:x}", unwrap_ret, x_expected));
+		}
+
+		x_raw_ptr->wrap(0);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le32<uint32_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0, unwrap_ret, 0));
+		}
+
+		x_raw_ptr->wrap(x_expected);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint32_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le32<uint32_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+
+		// implicit unwrap/wrap
+		x_raw_ptr = (tc::bn::le32<uint32_t>*)&x_raw;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le32<uint32_t> implicit unwrap returned 0x{:x} (expected 0x{:x})", unwrap_ret, x_expected));
+		}
+
+		(*x_raw_ptr) = 0;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le32<uint32_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0x0, unwrap_ret, 0x0));
+		}
+
+		(*x_raw_ptr) = x_expected;
+		unwrap_ret = (*x_raw_ptr);
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint32_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le32<uint32_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
+
+void bn_endian_TestClass::testLe16TemplateClass()
+{
+	fmt::print("[tc::bn::le16<uint16_t>] testLe16TemplateClass : ");
+	try 
+	{
+		uint8_t x_raw[sizeof(uint16_t)] = { 0x01, 0x23 };
+		uint8_t x_raw_expected[sizeof(uint16_t)] = { 0x01, 0x23 };
+		tc::bn::le16<uint16_t>* x_raw_ptr = (tc::bn::le16<uint16_t>*)&x_raw;
+		uint16_t x_expected = 0x2301;
+		uint16_t unwrap_ret;
+
+		// explicit unwrap/wrap
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le16<uint16_t>::unwrap() returned 0x{:x} (expected 0x{:x}", unwrap_ret, x_expected));
+		}
+
+		x_raw_ptr->wrap(0);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le16<uint16_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0, unwrap_ret, 0));
+		}
+
+		x_raw_ptr->wrap(x_expected);
+		unwrap_ret = x_raw_ptr->unwrap();
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint16_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le16<uint16_t>::wrap() failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+
+		// implicit unwrap/wrap
+		x_raw_ptr = (tc::bn::le16<uint16_t>*)&x_raw;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le16<uint16_t> implicit unwrap returned 0x{:x} (expected 0x{:x})", unwrap_ret, x_expected));
+		}
+
+		(*x_raw_ptr) = 0;
+		unwrap_ret = (*x_raw_ptr);
+		if (unwrap_ret != 0)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le16<uint16_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", 0x0, unwrap_ret, 0x0));
+		}
+
+		(*x_raw_ptr) = x_expected;
+		unwrap_ret = (*x_raw_ptr);
+		if (memcmp(x_raw, x_raw_expected, sizeof(uint16_t)) != 0 || unwrap_ret != x_expected)
+		{
+			throw tc::Exception(fmt::format("tc::bn::le16<uint16_t> implicit wrap failed to wrap 0x{:x} (unwrap returned 0x{:x}, expected 0x{:x})", x_expected, unwrap_ret, x_expected));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_endian_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_endian_TestClass.h
new file mode 100644
index 00000000..a90a3ff6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_endian_TestClass.h
@@ -0,0 +1,32 @@
+#pragma once
+#include "ITestClass.h"
+
+class bn_endian_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testLocalBSwap16();
+	void testLocalBSwap32();
+	void testLocalBSwap64();
+	void testBeUint64Inline();
+	void testBeUint32Inline();
+	void testBeUint16Inline();
+	void testLeUint64Inline();
+	void testLeUint32Inline();
+	void testLeUint16Inline();
+
+	void testBeSwap64Inline();
+	void testBeSwap32Inline();
+	void testBeSwap16Inline();
+	void testLeSwap64Inline();
+	void testLeSwap32Inline();
+	void testLeSwap16Inline();
+
+	void testBe64TemplateClass();
+	void testBe32TemplateClass();
+	void testBe16TemplateClass();
+	void testLe64TemplateClass();
+	void testLe32TemplateClass();
+	void testLe16TemplateClass();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_pad_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_pad_TestClass.cpp
new file mode 100644
index 00000000..566824bd
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_pad_TestClass.cpp
@@ -0,0 +1,55 @@
+#include <tc/Exception.h>
+#include <iostream>
+
+#include "bn_pad_TestClass.h"
+
+void bn_pad_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::bn::pad] START" << std::endl;
+	test_CorrectSize();
+	std::cout << "[tc::bn::pad] END" << std::endl;
+}
+
+void bn_pad_TestClass::test_CorrectSize()
+{
+	std::cout << "[tc::bn::pad] test_CorrectSize : " << std::flush;
+	try
+	{
+		try 
+		{
+			tc::bn::pad<5> test_pad0;
+
+			if (sizeof(test_pad0) != 5)
+			{
+				throw tc::Exception("tc::bn::pad<5> had incorrect sizeof()");
+			}
+
+			if (test_pad0.size() != 5)
+			{
+				throw tc::Exception("tc::bn::pad<5> had incorrect pad::size() result");
+			}
+
+			tc::bn::pad<0x200> test_pad1;
+
+			if (sizeof(test_pad1) != 0x200)
+			{
+				throw tc::Exception("tc::bn::pad<0x200> had incorrect sizeof()");
+			}
+
+			if (test_pad1.size() != 0x200)
+			{
+				throw tc::Exception("tc::bn::pad<0x200> had incorrect pad::size() result");
+			}
+		
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_pad_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_pad_TestClass.h
new file mode 100644
index 00000000..f2878c0d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_pad_TestClass.h
@@ -0,0 +1,14 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/bn.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotImplementedException.h>
+
+class bn_pad_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_CorrectSize();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_string_TestClass.cpp b/ctrtool/deps/libtoolchain/test/bn_string_TestClass.cpp
new file mode 100644
index 00000000..19f40f5b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_string_TestClass.cpp
@@ -0,0 +1,219 @@
+#include <tc/Exception.h>
+#include <fmt/core.h>
+
+#include "bn_string_TestClass.h"
+
+void bn_string_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::bn::string] START\n");
+	test_EncodedSizeVersusLogicalSize();
+	test_StringSizeNeverExceedsLogicalSize();
+	test_EncodeStringRespectsLogicalSize();
+	fmt::print("[tc::bn::string] END\n");
+}
+
+void bn_string_TestClass::test_EncodedSizeVersusLogicalSize()
+{
+	fmt::print("[tc::bn::string] test_EncodedSizeVersusLogicalSize : ");
+	try
+	{
+		try 
+		{
+			// create bn::string with encoded size of 16 bytes (and implicit logical size of 16)
+			{
+				static const size_t kEncodedSize = 16;
+				tc::bn::string<kEncodedSize> bn_string;
+
+				if (sizeof(bn_string) != kEncodedSize)
+				{
+					throw tc::Exception(fmt::format("sizeof(tc::bn::string<{:d}>) did not return ENCODED_SIZE ({:d})", kEncodedSize, kEncodedSize));
+				}
+
+				if (bn_string.max_size() != kEncodedSize)
+				{
+					throw tc::Exception(fmt::format("tc::bn::string<{:d}>::max_size() did not return LOGICAL_SIZE ({:d})", kEncodedSize, kEncodedSize));
+				}
+			}
+
+			// create bn::string with encoded size of 16 bytes and explicit logical size of 16
+			{
+				static const size_t kEncodedSize = 16;
+				static const size_t kLogicalSize = 16;
+				tc::bn::string<kEncodedSize, kLogicalSize> bn_string;
+
+				if (sizeof(bn_string) != kEncodedSize)
+				{
+					throw tc::Exception(fmt::format("sizeof(tc::bn::string<{:d}, {:d}>) did not return ENCODED_SIZE ({:d})", kEncodedSize, kLogicalSize, kEncodedSize));
+				}
+
+				if (bn_string.max_size() != kLogicalSize)
+				{
+					throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::max_size() did not return LOGICAL_SIZE ({:d})", kEncodedSize, kLogicalSize, kLogicalSize));
+				}
+			}
+
+			// create bn::string with encoded size of 16 bytes and explicit logical size of 8
+			{
+				static const size_t kEncodedSize = 16;
+				static const size_t kLogicalSize = 8;
+				tc::bn::string<kEncodedSize, kLogicalSize> bn_string;
+
+				if (sizeof(bn_string) != kEncodedSize)
+				{
+					throw tc::Exception(fmt::format("sizeof(tc::bn::string<{:d}, {:d}>) did not return ENCODED_SIZE ({:d})", kEncodedSize, kLogicalSize, kEncodedSize));
+				}
+
+				if (bn_string.max_size() != kLogicalSize)
+				{
+					throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::max_size() did not return LOGICAL_SIZE ({:d})", kEncodedSize, kLogicalSize, kLogicalSize));
+				}
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void bn_string_TestClass::test_StringSizeNeverExceedsLogicalSize()
+{
+	fmt::print("[tc::bn::string] test_StringSizeNeverExceedsLogicalSize : ");
+	try
+	{
+		try 
+		{
+			union {
+				std::array<char, 30> char_array;
+				tc::bn::string<20,20> str_2020;
+				tc::bn::string<20,10> str_2010;
+				tc::bn::string<20,05> str_2005;
+			} test;
+
+			// fill underlying data with different characters
+			for (char chr_idx = 0; chr_idx < test.char_array.size(); chr_idx++)
+			{
+				test.char_array[chr_idx] = ((chr_idx / 26) & 1) ? ('a' + (chr_idx % 26)) : ('A' + (chr_idx % 26));
+			}
+
+			// generate reference point string
+			std::string base_string = std::string(test.char_array.data(), 30);
+
+			if (test.str_2020.size() != 20)
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::size() did not respect LOGICAL_SIZE ({:d})", 20, 20, 20));
+			}
+
+			if (test.str_2020.data() != test.char_array.data())
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::data() did not return expected pointer)", 20, 20));
+			}
+
+			if (test.str_2020.decode() != base_string.substr(0, 20))
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::decode() returned \"{:s}\" (expected \"{:s}\")", 20, 20, test.str_2020.decode(), base_string.substr(0, 20)));
+			}
+
+			if (test.str_2010.size() != 10)
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::size() did not respect LOGICAL_SIZE ({:d})", 20, 10, 10));
+			}
+
+			if (test.str_2010.data() != test.char_array.data())
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::data() did not return expected pointer)", 20, 10));
+			}
+
+			if (test.str_2010.decode() != base_string.substr(0, 10))
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::decode() returned \"{:s}\" (expected \"{:s}\")", 20, 10, test.str_2010.decode(), base_string.substr(0, 10)));
+			}
+
+			if (test.str_2005.size() != 5)
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::size() did not respect LOGICAL_SIZE ({:d})", 20, 5, 5));
+			}
+
+			if (test.str_2005.data() != test.char_array.data())
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::data() did not return expected pointer)", 20, 05));
+			}
+
+			if (test.str_2005.decode() != base_string.substr(0, 5))
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::decode() returned \"{:s}\" (expected \"{:s}\")", 20, 5, test.str_2005.decode(), base_string.substr(0, 5)));
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void bn_string_TestClass::test_EncodeStringRespectsLogicalSize()
+{
+	fmt::print("[tc::bn::string] test_EncodeStringRespectsLogicalSize : ");
+	try
+	{
+		try 
+		{
+			union {
+				std::array<char, 30> char_array;
+				tc::bn::string<20,20> str_2020;
+			} test;
+
+			std::array<char, 30> empty_array;
+
+			// clear memory
+			memset(test.char_array.data(), 0, test.char_array.size());
+			memset(empty_array.data(), 0, empty_array.size());
+
+			// generate reference point string
+			std::string base_long_string = std::string("I am a very long string indeed");
+			std::string base_short_string = std::string("Smol str");
+
+			test.str_2020.encode(base_long_string);
+			if (test.str_2020.decode() != base_long_string.substr(0, 20))
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::encode() failed encode a string greater ({:d}) than the LOGICAL_SIZE", 20, 20, base_long_string.size()));
+			}
+			if (memcmp(test.char_array.data() + 20, empty_array.data(), 10) != 0)
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::encode() touched data after the LOGICAL_SIZE boundary", 20, 20));
+			}
+
+			test.str_2020.encode(base_short_string);
+			if (test.str_2020.decode() != base_short_string)
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::encode() failed encode a string smaller ({:d}) than the LOGICAL_SIZE)", 20, 20, base_short_string.size()));
+			}
+			if (memcmp(test.char_array.data() + base_short_string.size(), empty_array.data(), 20-base_short_string.size()) != 0)
+			{
+				throw tc::Exception(fmt::format("tc::bn::string<{:d}, {:d}>::encode() did not clear data after string ended", 20, 20));
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/bn_string_TestClass.h b/ctrtool/deps/libtoolchain/test/bn_string_TestClass.h
new file mode 100644
index 00000000..773a231a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/bn_string_TestClass.h
@@ -0,0 +1,16 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/bn.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotImplementedException.h>
+
+class bn_string_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_EncodedSizeVersusLogicalSize();
+	void test_StringSizeNeverExceedsLogicalSize();
+	void test_EncodeStringRespectsLogicalSize();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.cpp b/ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.cpp
new file mode 100644
index 00000000..d226907c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.cpp
@@ -0,0 +1,366 @@
+#include "cli_FormatUtil_TestClass.h"
+#include <iostream>
+#include <iomanip>
+#include <sstream>
+
+void cli_FormatUtil_TestClass::runAllTests()
+{
+	std::cout << "[tc::cli::FormatUtil] START" << std::endl;
+	testHexStringToBytes();
+	testFormatBytesAsString();
+	testFormatBytesAsStringWithLineLimit();
+	testFormatListWithLineLimit();
+	testFormatBytesAsHxdHexString();
+	std::cout << "[tc::cli::FormatUtil] END" << std::endl;
+}
+
+void cli_FormatUtil_TestClass::testHexStringToBytes()
+{
+	std::cout << "[tc::cli::FormatUtil] testHexStringToBytes : " << std::flush;
+	try
+	{
+		std::stringstream ss;
+
+		struct TestCase
+		{
+			std::string test_name;
+			std::string in_string;
+			tc::ByteData out_data;
+		};
+
+		// create manual tests
+		std::vector<TestCase> tests = 
+		{
+			{ "empty string", "", tc::ByteData()},
+			{ "unaligned string" ,"1", tc::ByteData()},
+			{ "unaligned larger string" ,"123456789", tc::ByteData()},
+			{ "multi-byte" ,"00112233445566778899aabbccddeeff010203", tc::ByteData({0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x01, 0x02, 0x03})},
+		};
+
+		// add programatically determined tests
+		for (size_t i = 0; i < 0xff; i++)
+		{
+			std::string all_lower, all_upper, upper_lower, lower_upper;
+
+			size_t upper_num = (i >> 4) & 0xf;
+			size_t lower_num = (i) & 0xf;
+
+			if (upper_num <= 9)
+			{
+				all_lower += char('0' + upper_num);
+				all_upper += char('0' + upper_num);
+				upper_lower += char('0' + upper_num);
+				lower_upper += char('0' + upper_num);
+			}
+			else
+			{
+				all_lower += char('a' + upper_num - 10);
+				all_upper += char('A' + upper_num - 10);
+				upper_lower += char('A' + upper_num - 10);
+				lower_upper += char('a' + upper_num - 10);
+			}
+
+			if (lower_num <= 9)
+			{
+				all_lower += char('0' + lower_num);
+				all_upper += char('0' + lower_num);
+				upper_lower += char('0' + lower_num);
+				lower_upper += char('0' + lower_num);
+			}
+			else
+			{
+				all_lower += char('a' + lower_num - 10);
+				all_upper += char('A' + lower_num - 10);
+				upper_lower += char('a' + lower_num - 10);
+				lower_upper += char('A' + lower_num - 10);
+			}
+
+			tests.push_back({"all_lower_" + all_lower, all_lower, tc::ByteData({(byte_t)i})});
+			tests.push_back({"all_upper_" + all_lower, all_upper, tc::ByteData({(byte_t)i})});
+			tests.push_back({"upper_lower_" + all_lower, upper_lower, tc::ByteData({(byte_t)i})});
+			tests.push_back({"lower_upper_" + all_lower, lower_upper, tc::ByteData({(byte_t)i})});
+		}
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			tc::ByteData out = tc::cli::FormatUtil::hexStringToBytes(test->in_string);
+
+			if (out.size() != test->out_data.size())
+			{
+				ss << "Test(" << test->test_name << ") to convert str(" << test->in_string << ") returned ByteData with wrong size: " << out.size() << " (should be: " << test->out_data.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			if (out.size() != 0 && memcmp(out.data(), test->out_data.data(), out.size()) != 0)
+			{
+				ss << "Test(" << test->test_name << ") to convert str(" << test->in_string << ") returned ByteData with wrong data";
+				throw tc::Exception(ss.str());
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl; 
+	}
+}
+
+void cli_FormatUtil_TestClass::testFormatBytesAsString()
+{
+	std::cout << "[tc::cli::FormatUtil] testFormatBytesAsString : " << std::flush;
+	try
+	{
+		std::stringstream ss;
+
+		// test recipe
+		struct TestCase
+		{
+			std::string test_name;
+			tc::ByteData in_data;
+			bool in_is_uppercase;
+			std::string in_delimiter;
+			std::string out_string;
+		};
+
+		// create tests
+		std::vector<TestCase> tests = 
+		{
+			{"empty data", tc::ByteData(), false, "", ""},
+			{"8byte lowercase no delim", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), false, "", "00aa11bb22cc33dd"},
+			{"8byte lowercase ' ' delim", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), false, " ", "00 aa 11 bb 22 cc 33 dd"},
+			{"8byte lowercase ':' delim", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), false, ":", "00:aa:11:bb:22:cc:33:dd"},
+			{"8byte uppercase no delim", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), true, "", "00AA11BB22CC33DD"},
+			{"8byte uppercase ' ' delim", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), true, " ", "00 AA 11 BB 22 CC 33 DD"},
+			{"8byte uppercase ':' delim", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), true, ":", "00:AA:11:BB:22:CC:33:DD"},
+		};
+
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			std::string res = tc::cli::FormatUtil::formatBytesAsString(test->in_data.data(), test->in_data.size(), test->in_is_uppercase, test->in_delimiter);
+
+			if (res != test->out_string)
+			{
+				ss << "Test(" << test->test_name << ") Failed to format data correctly. Output: \"" << res << "\", Expected: \"" << test->out_string << "\"";
+				throw tc::Exception(ss.str());
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl; 
+	}
+}
+
+void cli_FormatUtil_TestClass::testFormatBytesAsStringWithLineLimit()
+{
+	std::cout << "[tc::cli::FormatUtil] testFormatBytesAsStringWithLineLimit : " << std::flush;
+	try
+	{
+		std::stringstream ss;
+
+		// test recipe
+		struct TestCase
+		{
+			std::string test_name;
+			tc::ByteData in_data;
+			size_t in_row_len;
+			size_t in_indent_len;
+			std::string out_string;
+		};
+
+		// create tests
+		std::vector<TestCase> tests = 
+		{
+			{"empty data", tc::ByteData(), 0, 0, ""},
+			{"size:8 row:8 indent:0", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), 8, 0, "00aa11bb22cc33dd\n"},
+			{"size:8 row:4 indent:0", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), 4, 0, "00aa11bb\n22cc33dd\n"},
+			{"size:8 row:3 indent:0", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), 3, 0, "00aa11\nbb22cc\n33dd\n"},
+			{"size:8 row:3 indent:2", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), 3, 2, "  00aa11\n  bb22cc\n  33dd\n"},
+			{"size:8 row:1 indent:3", tc::ByteData({0x00, 0xaa, 0x11, 0xbb, 0x22, 0xcc, 0x33, 0xdd}), 1, 3, "   00\n   aa\n   11\n   bb\n   22\n   cc\n   33\n   dd\n"},
+		};
+
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			std::string res = tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(test->in_data.data(), test->in_data.size(), false, "", test->in_row_len, test->in_indent_len);
+
+			if (res != test->out_string)
+			{
+				std::string& expected = test->out_string;
+
+				// replace literal new lines so they can be printed on one line for debugging
+				for (size_t pos = res.find('\n', 0); pos != std::string::npos; pos = res.find('\n', pos+1))
+				{
+					res.replace(pos, 1, "\\n");
+				}
+
+				// replace literal new lines so they can be printed on one line for debugging
+				for (size_t pos = expected.find('\n', 0); pos != std::string::npos; pos = expected.find('\n', pos+1))
+				{
+					expected.replace(pos, 1, "\\n");
+				}
+				
+				ss << "Test(" << test->test_name << ") Failed to format data correctly. Output: \"" << res << "\", Expected: \"" << expected << "\"";
+				throw tc::Exception(ss.str());
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl; 
+	}
+}
+
+void cli_FormatUtil_TestClass::testFormatListWithLineLimit()
+{
+	std::cout << "[tc::cli::FormatUtil] testFormatListWithLineLimit : " << std::flush;
+	try
+	{
+		std::stringstream ss;
+
+		// test recipe
+		struct TestCase
+		{
+			std::string test_name;
+			std::vector<std::string> in_list;
+			size_t in_row_len;
+			size_t in_indent_len;
+			std::string out_string;
+		};
+
+		// create tests
+		std::vector<TestCase> tests = 
+		{
+			{"empty", {}, 0, 0, ""},
+			{"empty list", {}, 40, 0, ""},
+			{"list of 4, row_len 20", {"Astr", "Bstr", "Cstr", "Dstr"}, 20, 0, "Astr, Bstr, Cstr, Dstr\n"},
+			{"list of 4, row_len 8", {"Astr", "Bstr", "Cstr", "Dstr"}, 8, 0, "Astr, Bstr, \nCstr, Dstr\n"},
+			{"list of 4, row_len 8, indent=2", {"Astr", "Bstr", "Cstr", "Dstr"}, 8, 2, "  Astr, Bstr, \n  Cstr, Dstr\n"},
+			{"list of 4, row_len 4", {"Astr", "Bstr", "Cstr", "Dstr"}, 4, 0, "Astr, \nBstr, \nCstr, \nDstr\n"},
+			{"list of 4, row_len 2", {"Astr", "Bstr", "Cstr", "Dstr"}, 2, 0, "Astr, \nBstr, \nCstr, \nDstr\n"},
+			{"list of 4, row_len 1", {"Astr", "Bstr", "Cstr", "Dstr"}, 1, 0, "Astr, \nBstr, \nCstr, \nDstr\n"},
+			{"list of 4, row_len 0", {"Astr", "Bstr", "Cstr", "Dstr"}, 0, 0, "Astr, \nBstr, \nCstr, \nDstr\n"},
+		};
+
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			std::string res = tc::cli::FormatUtil::formatListWithLineLimit(test->in_list, test->in_row_len, test->in_indent_len);
+
+			if (res != test->out_string)
+			{
+				std::string& expected = test->out_string;
+
+				// replace literal new lines so they can be printed on one line for debugging
+				for (size_t pos = res.find('\n', 0); pos != std::string::npos; pos = res.find('\n', pos+1))
+				{
+					res.replace(pos, 1, "\\n");
+				}
+
+				// replace literal new lines so they can be printed on one line for debugging
+				for (size_t pos = expected.find('\n', 0); pos != std::string::npos; pos = expected.find('\n', pos+1))
+				{
+					expected.replace(pos, 1, "\\n");
+				}
+				
+				ss << "Test(" << test->test_name << ") Failed to format data correctly. Output: \"" << res << "\", Expected: \"" << expected << "\"";
+				throw tc::Exception(ss.str());
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl; 
+	}
+}
+
+void cli_FormatUtil_TestClass::testFormatBytesAsHxdHexString()
+{
+	std::cout << "[tc::cli::FormatUtil] testFormatBytesAsHxdHexString : " << std::flush;
+	try
+	{
+		std::stringstream ss;
+
+		// test recipe
+		struct TestCase
+		{
+			std::string test_name;
+			tc::ByteData in_data;
+			size_t in_bytes_per_row;
+			size_t in_byte_group_size;
+			std::string out_string;
+		};
+
+		// create tests
+		std::vector<TestCase> tests = 
+		{
+			{"empty all", {}, 0, 0, ""},
+			{"empty data", {}, 16, 1, ""},
+			{"empty bytes_per_row", {0x00, 0x01}, 0, 1, ""},
+			{"empty byte_group_size", {0x00, 0x01}, 16, 0, ""},
+			{"little data", {0x00, 0x01}, 16, 1, "00000000 | 00 01                                            ..              \n"},
+			{"full row data", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 1, "00000000 | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................\n"},
+			{"2 row ascii", {0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4e, 0x4f, 0x50, 0x51, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66}, 16, 1, "00000000 | 41 42 43 44 45 46 47 48 49 4A 4B 4C 4E 4F 50 51  ABCDEFGHIJKLNOPQ\n00000010 | 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66  QRSTUVWXYZabcdef\n"},
+			{"full row data, byte_group_size=2",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 2,  "00000000 | 0001 0203 0405 0607 0809 0A0B 0C0D 0E0F  ................\n"},
+			{"full row data, byte_group_size=3",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 3,  "00000000 | 000102 030405 060708 090A0B 0C0D0E 0F ................\n"},
+			{"full row data, byte_group_size=4",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 4,  "00000000 | 00010203 04050607 08090A0B 0C0D0E0F  ................\n"},
+			{"full row data, byte_group_size=5",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 5,  "00000000 | 0001020304 0506070809 0A0B0C0D0E 0F ................\n"},
+			{"full row data, byte_group_size=6",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 6,  "00000000 | 000102030405 060708090A0B 0C0D0E0F ................\n"},
+			{"full row data, byte_group_size=7",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 7,  "00000000 | 00010203040506 0708090A0B0C0D 0E0F ................\n"},
+			{"full row data, byte_group_size=8",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 8,  "00000000 | 0001020304050607 08090A0B0C0D0E0F  ................\n"},
+			{"full row data, byte_group_size=9",  {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 9,  "00000000 | 000102030405060708 090A0B0C0D0E0F ................\n"},
+			{"full row data, byte_group_size=10", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 10, "00000000 | 00010203040506070809 0A0B0C0D0E0F ................\n"},
+			{"full row data, byte_group_size=11", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 11, "00000000 | 000102030405060708090A 0B0C0D0E0F ................\n"},
+			{"full row data, byte_group_size=12", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 12, "00000000 | 000102030405060708090A0B 0C0D0E0F ................\n"},
+			{"full row data, byte_group_size=13", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 13, "00000000 | 000102030405060708090A0B0C 0D0E0F ................\n"},
+			{"full row data, byte_group_size=14", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 14, "00000000 | 000102030405060708090A0B0C0D 0E0F ................\n"},
+			{"full row data, byte_group_size=15", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 15, "00000000 | 000102030405060708090A0B0C0D0E 0F ................\n"},
+			{"full row data, byte_group_size=16", {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}, 16, 16, "00000000 | 000102030405060708090A0B0C0D0E0F  ................\n"},
+		};
+
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			std::string res = tc::cli::FormatUtil::formatBytesAsHxdHexString(test->in_data.data(), test->in_data.size(), test->in_bytes_per_row, test->in_byte_group_size);
+
+			if (res != test->out_string)
+			{
+				std::string& expected = test->out_string;
+
+				// replace literal new lines so they can be printed on one line for debugging
+				for (size_t pos = res.find('\n', 0); pos != std::string::npos; pos = res.find('\n', pos+1))
+				{
+					res.replace(pos, 1, "\\n");
+				}
+
+				// replace literal new lines so they can be printed on one line for debugging
+				for (size_t pos = expected.find('\n', 0); pos != std::string::npos; pos = expected.find('\n', pos+1))
+				{
+					expected.replace(pos, 1, "\\n");
+				}
+				
+				ss << "Test(" << test->test_name << ") Failed to format data correctly. Output: \"" << res << "\", Expected: \"" << expected << "\"";
+				throw tc::Exception(ss.str());
+			}
+		}
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl; 
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.h b/ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.h
new file mode 100644
index 00000000..77e9e3d0
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/cli_FormatUtil_TestClass.h
@@ -0,0 +1,15 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc.h>
+
+class cli_FormatUtil_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testHexStringToBytes();
+	void testFormatBytesAsString();
+	void testFormatBytesAsStringWithLineLimit();
+	void testFormatListWithLineLimit();
+	void testFormatBytesAsHxdHexString();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.cpp b/ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.cpp
new file mode 100644
index 00000000..bc56b08d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.cpp
@@ -0,0 +1,770 @@
+#include <tc/Exception.h>
+#include <fmt/core.h>
+
+#include "cli_OptionParser_TestClass.h"
+
+//---------------------------------------------------------
+
+void cli_OptionParser_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::cli::OptionParser] START\n");
+	test_Constructor_DefaultConstructor();
+	test_ProcessNoOptionsWithNoHandlers();
+	test_ProcessOptionsWithNoHandlers();
+	test_ProcessOptionsWithOnlyUnkHandler();
+	test_ProcessOptionsWithLiteralHandlers();
+	test_ProcessOptionsWithRegexHandlers();
+	test_ProcessOptionsWithLiteralAndRegexHandlers();
+	test_NullHandlerSupplied();
+	test_RegularHandlerProvidesNoOptionLiteralOrRegex();
+	test_ProcessMalformedOptions();
+	fmt::print("[tc::cli::OptionParser] END\n");
+}
+
+//---------------------------------------------------------
+
+void cli_OptionParser_TestClass::test_Constructor_DefaultConstructor()
+{
+	fmt::print("[tc::cli::OptionParser] test_Constructor_DefaultConstructor : ");
+	try
+	{
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_ProcessNoOptionsWithNoHandlers()
+{
+	fmt::print("[tc::cli::OptionParser] test_ProcessNoOptionsWithNoHandlers : ");
+	try
+	{
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			std::vector<std::string> args;
+
+			opt.processOptions(args);
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_ProcessOptionsWithNoHandlers()
+{
+	fmt::print("[tc::cli::OptionParser] test_ProcessOptionsWithNoHandlers : ");
+	try
+	{
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			std::vector<std::string> args = {"-someopt", "someparameter"};
+
+			try 
+			{
+				opt.processOptions(args);
+				throw tc::Exception("Did not throw an ArgumentException for unhandled option");
+			}
+			catch (const tc::ArgumentException&) { /* do nothing */ }
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_ProcessOptionsWithOnlyUnkHandler()
+{
+	fmt::print("[tc::cli::OptionParser] test_ProcessOptionsWithOnlyUnkHandler : ");
+	try
+	{
+		enum class TestResult
+		{
+			Success,
+			DidNotUseUnkOptionHandler,
+			DidNotPassOptionsAndParameters
+		};
+
+		class UnkOptionHandler : public tc::cli::OptionParser::IOptionHandler
+		{
+		public:
+			UnkOptionHandler(TestResult& external_result) :
+				external_result(external_result)
+			{}
+
+			// this throws an exception as it should not be called
+			const std::vector<std::string>& getOptionStrings() const
+			{
+				throw tc::Exception("getOptionStrings() not defined for UnkOptionHandler.");
+			}
+
+			// this throws an exception as it should not be called
+			const std::vector<std::string>& getOptionRegexPatterns() const
+			{
+				throw tc::Exception("getOptionRegexPatterns() not defined for UnkOptionHandler.");
+			}
+
+			void processOption(const std::string& option, const std::vector<std::string>& params)
+			{
+				if (option == "-someopt" && params.size() == 1 && params[0] == "someparameter")
+				{
+					external_result = TestResult::Success;
+				}
+				else
+				{
+					external_result = TestResult::DidNotPassOptionsAndParameters;
+				}
+				
+			}
+		private:
+			TestResult& external_result;
+		};
+
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			TestResult result = TestResult::DidNotUseUnkOptionHandler;
+
+			opt.registerUnrecognisedOptionHandler(std::make_shared<UnkOptionHandler>(UnkOptionHandler(result)));
+
+			std::vector<std::string> args = {"-someopt", "someparameter"};
+
+			opt.processOptions(args);
+
+			if (result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (result == TestResult::DidNotUseUnkOptionHandler)
+			{
+				throw tc::Exception("Unrecognised option handler was registered but not used.");
+			}
+			else if (result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Unrecognised option handler was registered but the option & parameter were not passed to it correctly.");
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_ProcessOptionsWithLiteralHandlers()
+{
+	fmt::print("[tc::cli::OptionParser] test_ProcessOptionsWithLiteralHandlers : ");
+	try
+	{
+		enum class TestResult
+		{
+			Success,
+			DidNotUseOptionHandler,
+			DidNotPassOptionsAndParameters
+		};
+
+		class TestOptionHandler : public tc::cli::OptionParser::IOptionHandler
+		{
+		public:
+			// The constructor is where you link the object to the state you want to modify in the call-back
+			TestOptionHandler(TestResult& external_result, const std::string& opt_string, const std::vector<std::string>& expected_params) : 
+				mExternalResult(external_result),
+				mOptStrings({opt_string}),
+				mOptRegex(),
+				mExpectedParams(expected_params)
+			{}
+		
+			const std::vector<std::string>& getOptionStrings() const
+			{
+				return mOptStrings;
+			}
+		
+			const std::vector<std::string>& getOptionRegexPatterns() const
+			{
+				return mOptRegex;
+			}
+		
+			void processOption(const std::string& option, const std::vector<std::string>& params)
+			{
+				if (option == mOptStrings[0] && params == mExpectedParams)
+				{
+					mExternalResult = TestResult::Success;
+				}
+				else
+				{
+					mExternalResult = TestResult::DidNotPassOptionsAndParameters;
+				}
+			}
+		private:
+			TestResult& mExternalResult;
+			std::vector<std::string> mOptStrings;
+			std::vector<std::string> mOptRegex;
+
+			std::vector<std::string> mExpectedParams;
+		};
+
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			TestResult flag_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(flag_result, "-flagoption", {})));
+
+			TestResult single_param_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(single_param_result, "-singleparam", {"my_param"})));
+
+			TestResult multi_param_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(multi_param_result, "-multiparam", {"my_param1", "my_param2"})));
+
+			std::vector<std::string> args = {"-flagoption", "-singleparam", "my_param", "-multiparam", "my_param1", "my_param2"};
+
+			opt.processOptions(args);
+
+			if (flag_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (flag_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for flag option) was registered but not used.");
+			}
+			else if (flag_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for flag option) was registered but the option & parameter were not passed to it correctly.");
+			}
+
+			if (single_param_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (single_param_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for single param option) was registered but not used.");
+			}
+			else if (single_param_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for single param option) was registered but the option & parameter were not passed to it correctly.");
+			}
+
+			if (multi_param_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (multi_param_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for multi param option) was registered but not used.");
+			}
+			else if (multi_param_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for multi param option) was registered but the option & parameter were not passed to it correctly.");
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_ProcessOptionsWithRegexHandlers()
+{
+	fmt::print("[tc::cli::OptionParser] test_ProcessOptionsWithRegexHandlers : ");
+	try
+	{
+		enum class TestResult
+		{
+			Success,
+			DidNotUseOptionHandler,
+			DidNotPassOptionsAndParameters
+		};
+
+		class TestOptionHandler : public tc::cli::OptionParser::IOptionHandler
+		{
+		public:
+			// The constructor is where you link the object to the state you want to modify in the call-back
+			TestOptionHandler(TestResult& external_result, const std::string& opt_regex, const std::string& expected_option, const std::vector<std::string>& expected_params) : 
+				mExternalResult(external_result),
+				mOptStrings(),
+				mOptRegex({opt_regex}),
+				mExpectedOption(expected_option),
+				mExpectedParams(expected_params)
+			{}
+		
+			const std::vector<std::string>& getOptionStrings() const
+			{
+				return mOptStrings;
+			}
+		
+			const std::vector<std::string>& getOptionRegexPatterns() const
+			{
+				return mOptRegex;
+			}
+		
+			void processOption(const std::string& option, const std::vector<std::string>& params)
+			{
+				if (option == mExpectedOption && params == mExpectedParams)
+				{
+					mExternalResult = TestResult::Success;
+				}
+				else
+				{
+					mExternalResult = TestResult::DidNotPassOptionsAndParameters;
+				}
+			}
+		private:
+			TestResult& mExternalResult;
+			std::vector<std::string> mOptStrings;
+			std::vector<std::string> mOptRegex;
+
+			std::string mExpectedOption;
+			std::vector<std::string> mExpectedParams;
+		};
+
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			TestResult flag_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(flag_result, "(-F.a.+)", "-Flag", {})));
+
+			TestResult single_param_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(single_param_result, "(-s.+)", "-singleparam", {"my_param"})));
+
+			TestResult multi_param_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(multi_param_result, "(-multiparam)", "-multiparam", {"my_param1", "my_param2"})));
+
+			std::vector<std::string> args = {"-Flag", "-singleparam", "my_param", "-multiparam", "my_param1", "my_param2"};
+
+			opt.processOptions(args);
+
+			if (flag_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (flag_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for flag option) was registered but not used.");
+			}
+			else if (flag_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for flag option) was registered but the option & parameter were not passed to it correctly.");
+			}
+
+			if (single_param_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (single_param_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for single param option) was registered but not used.");
+			}
+			else if (single_param_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for single param option) was registered but the option & parameter were not passed to it correctly.");
+			}
+
+			if (multi_param_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (multi_param_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for multi param option) was registered but not used.");
+			}
+			else if (multi_param_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for multi param option) was registered but the option & parameter were not passed to it correctly.");
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_ProcessOptionsWithLiteralAndRegexHandlers()
+{
+	fmt::print("[tc::cli::OptionParser] test_ProcessOptionsWithLiteralAndRegexHandlers : ");
+	try
+	{
+		enum class TestResult
+		{
+			Success,
+			DidNotUseOptionHandler,
+			DidNotPassOptionsAndParameters
+		};
+
+		class TestOptionHandler : public tc::cli::OptionParser::IOptionHandler
+		{
+		public:
+			// The constructor is where you link the object to the state you want to modify in the call-back
+			TestOptionHandler(TestResult& external_result, const std::string& opt_literal, const std::string& opt_regex, const std::string& expected_option, const std::vector<std::string>& expected_params) : 
+				mExternalResult(external_result),
+				mOptStrings(opt_literal.empty() ? std::vector<std::string>({}) : std::vector<std::string>({opt_literal})),
+				mOptRegex(opt_regex.empty() ? std::vector<std::string>({}) : std::vector<std::string>({opt_regex})),
+				mExpectedOption(expected_option),
+				mExpectedParams(expected_params)
+			{}
+		
+			const std::vector<std::string>& getOptionStrings() const
+			{
+				return mOptStrings;
+			}
+		
+			const std::vector<std::string>& getOptionRegexPatterns() const
+			{
+				return mOptRegex;
+			}
+		
+			void processOption(const std::string& option, const std::vector<std::string>& params)
+			{
+				if (option == mExpectedOption && params == mExpectedParams)
+				{
+					mExternalResult = TestResult::Success;
+				}
+				else
+				{
+					mExternalResult = TestResult::DidNotPassOptionsAndParameters;
+				}
+			}
+		private:
+			TestResult& mExternalResult;
+			std::vector<std::string> mOptStrings;
+			std::vector<std::string> mOptRegex;
+
+			std::string mExpectedOption;
+			std::vector<std::string> mExpectedParams;
+		};
+
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			TestResult regex_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(regex_result, "", "(-D.+)", "-DKEY", {"value"})));
+
+			TestResult flag_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(flag_result, "-flag", "", "-flag", {})));
+
+			TestResult single_param_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(single_param_result, "-singleparam", "", "-singleparam", {"my_param"})));
+
+			TestResult multi_param_result = TestResult::DidNotUseOptionHandler;
+			opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(multi_param_result, "-multiparam", "", "-multiparam", {"my_param1", "my_param2"})));
+
+			std::vector<std::string> args = {"-flag", "-DKEY=value", "-singleparam", "my_param", "-multiparam", "my_param1", "my_param2"};
+
+			opt.processOptions(args);
+
+			if (regex_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (regex_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for regex option) was registered but not used.");
+			}
+			else if (regex_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for regex option) was registered but the option & parameter were not passed to it correctly.");
+			}
+
+			if (flag_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (flag_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for flag option) was registered but not used.");
+			}
+			else if (flag_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for flag option) was registered but the option & parameter were not passed to it correctly.");
+			}
+
+			if (single_param_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (single_param_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for single param option) was registered but not used.");
+			}
+			else if (single_param_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for single param option) was registered but the option & parameter were not passed to it correctly.");
+			}
+
+			if (multi_param_result == TestResult::Success)
+			{
+				// all good
+			}
+			else if (multi_param_result == TestResult::DidNotUseOptionHandler)
+			{
+				throw tc::Exception("Option handler (for multi param option) was registered but not used.");
+			}
+			else if (multi_param_result == TestResult::DidNotPassOptionsAndParameters)
+			{
+				throw tc::Exception("Option handler (for multi param option) was registered but the option & parameter were not passed to it correctly.");
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_NullHandlerSupplied()
+{
+	fmt::print("[tc::cli::OptionParser] test_NullHandlerSupplied : ");
+	try
+	{
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+			try 
+			{
+				opt.registerOptionHandler(std::shared_ptr<tc::cli::OptionParser::IOptionHandler>());
+				throw tc::Exception(".registerOptionHandler() did not throw ArgumentNullException when passed a nullptr.");
+			}
+			catch (const tc::ArgumentNullException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				opt.registerUnrecognisedOptionHandler(std::shared_ptr<tc::cli::OptionParser::IOptionHandler>());
+				throw tc::Exception(".registerUnrecognisedOptionHandler() did not throw ArgumentNullException when passed a nullptr.");
+			}
+			catch (const tc::ArgumentNullException&)
+			{
+				// do nothing
+			}
+			
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_RegularHandlerProvidesNoOptionLiteralOrRegex()
+{
+	fmt::print("[tc::cli::OptionParser] test_RegularHandlerProvidesNoOptionLiteralOrRegex : ");
+	try
+	{
+		enum class TestResult
+		{
+			Success,
+			DidNotUseOptionHandler,
+			DidNotPassOptionsAndParameters
+		};
+
+		class TestOptionHandler : public tc::cli::OptionParser::IOptionHandler
+		{
+		public:
+			// The constructor is where you link the object to the state you want to modify in the call-back
+			TestOptionHandler(TestResult& external_result, const std::string& opt_literal, const std::string& opt_regex, const std::string& expected_option, const std::vector<std::string>& expected_params) : 
+				mExternalResult(external_result),
+				mOptStrings(opt_literal.empty() ? std::vector<std::string>({}) : std::vector<std::string>({opt_literal})),
+				mOptRegex(opt_regex.empty() ? std::vector<std::string>({}) : std::vector<std::string>({opt_regex})),
+				mExpectedOption(expected_option),
+				mExpectedParams(expected_params)
+			{}
+		
+			const std::vector<std::string>& getOptionStrings() const
+			{
+				return mOptStrings;
+			}
+		
+			const std::vector<std::string>& getOptionRegexPatterns() const
+			{
+				return mOptRegex;
+			}
+		
+			void processOption(const std::string& option, const std::vector<std::string>& params)
+			{
+				if (option == mExpectedOption && params == mExpectedParams)
+				{
+					mExternalResult = TestResult::Success;
+				}
+				else
+				{
+					mExternalResult = TestResult::DidNotPassOptionsAndParameters;
+				}
+			}
+		private:
+			TestResult& mExternalResult;
+			std::vector<std::string> mOptStrings;
+			std::vector<std::string> mOptRegex;
+
+			std::string mExpectedOption;
+			std::vector<std::string> mExpectedParams;
+		};
+
+		try 
+		{
+			tc::cli::OptionParser opt;
+
+
+			try
+			{
+				TestResult test_result = TestResult::DidNotUseOptionHandler;
+				opt.registerOptionHandler(std::make_shared<TestOptionHandler>(TestOptionHandler(test_result, "", "", "-DKEY", {"value"})));
+				throw tc::Exception(".registerOptionHandler() Did not throw tc::ArgumentOutOfRangeException when option handler had not option literals or option regex.");
+			}
+			catch (const tc::ArgumentOutOfRangeException&)
+			{
+				// do nothing
+			}
+
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void cli_OptionParser_TestClass::test_ProcessMalformedOptions()
+{
+	fmt::print("[tc::cli::OptionParser] test_ProcessMalformedOptions : ");
+	try
+	{
+		class DummyOptionHandler : public tc::cli::OptionParser::IOptionHandler
+		{
+		public:
+			// The constructor is where you link the object to the state you want to modify in the call-back
+			DummyOptionHandler(const std::string& opt_literal, const std::string& opt_regex) : 
+				mOptStrings(opt_literal.empty() ? std::vector<std::string>({}) : std::vector<std::string>({opt_literal})),
+				mOptRegex(opt_regex.empty() ? std::vector<std::string>({}) : std::vector<std::string>({opt_regex}))
+			{}
+		
+			const std::vector<std::string>& getOptionStrings() const
+			{
+				return mOptStrings;
+			}
+		
+			const std::vector<std::string>& getOptionRegexPatterns() const
+			{
+				return mOptRegex;
+			}
+		
+			void processOption(const std::string& option, const std::vector<std::string>& params)
+			{
+				// do nothing
+			}
+		private:
+			std::vector<std::string> mOptStrings;
+			std::vector<std::string> mOptRegex;
+		};
+
+		try 
+		{
+			try 
+			{
+				tc::cli::OptionParser opt;
+				opt.processOptions({"dangling_parameter"});
+				throw tc::Exception(".processOptions() did not throw exception for dangling parameter");
+			}
+			catch (const tc::ArgumentException&)
+			{
+				// do nothing
+			}
+			
+			try 
+			{
+				tc::cli::OptionParser opt;
+
+				opt.registerOptionHandler(std::make_shared<DummyOptionHandler>(DummyOptionHandler("-opt","")));
+				opt.processOptions({"-opt=param", "dangling_parameter"});
+				throw tc::Exception(".processOptions() did not throw exception for dangling parameter located after compound option");
+			}
+			catch (const tc::ArgumentException&)
+			{
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.h b/ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.h
new file mode 100644
index 00000000..626feb8a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/cli_OptionParser_TestClass.h
@@ -0,0 +1,20 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc/cli/OptionParser.h>
+
+class cli_OptionParser_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constructor_DefaultConstructor();
+	void test_ProcessNoOptionsWithNoHandlers();
+	void test_ProcessOptionsWithNoHandlers();
+	void test_ProcessOptionsWithOnlyUnkHandler();
+	void test_ProcessOptionsWithLiteralHandlers();
+	void test_ProcessOptionsWithRegexHandlers();
+	void test_ProcessOptionsWithLiteralAndRegexHandlers();
+	void test_NullHandlerSupplied();
+	void test_RegularHandlerProvidesNoOptionLiteralOrRegex();
+	void test_ProcessMalformedOptions();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.cpp
new file mode 100644
index 00000000..6df8ad37
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.cpp
@@ -0,0 +1,265 @@
+#include <tc/Exception.h>
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <fmt/core.h>
+
+#include "crypto_Aes128CbcEncryptedStream_TestClass.h"
+#include "StreamTestUtil.h"
+
+void crypto_Aes128CbcEncryptedStream_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::crypto::Aes128CbcEncryptedStream] START\n");
+	test_CreateEmptyStream_DefaultConstructor();
+	test_CreateValidStream_CreateConstructor();
+	test_RunTestCases();
+	fmt::print("[tc::crypto::Aes128CbcEncryptedStream] END\n");
+}
+
+void crypto_Aes128CbcEncryptedStream_TestClass::test_CreateEmptyStream_DefaultConstructor()
+{
+	fmt::print("[tc::crypto::Aes128CbcEncryptedStream] test_CreateEmptyStream_DefaultConstructor : ");
+	try
+	{
+		try 
+		{
+			auto stream = tc::crypto::Aes128CbcEncryptedStream();
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, false, false);
+
+			try
+			{
+				stream.read(nullptr, 0);
+				throw tc::Exception(".read() did not throw tc::ObjectDisposedException for uninitialized Aes128CbcEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.write(nullptr, 0);
+				throw tc::Exception(".write() did not throw tc::ObjectDisposedException for uninitialized Aes128CbcEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.seek(0, tc::io::SeekOrigin::Begin);
+				throw tc::Exception(".seek() did not throw tc::ObjectDisposedException for uninitialized Aes128CbcEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.setLength(0);
+				throw tc::Exception(".setLength() did not throw tc::ObjectDisposedException for uninitialized Aes128CbcEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.flush();
+				throw tc::Exception(".flush() did not throw tc::ObjectDisposedException for uninitialized Aes128CbcEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void crypto_Aes128CbcEncryptedStream_TestClass::test_CreateValidStream_CreateConstructor()
+{
+	fmt::print("[tc::crypto::Aes128CbcEncryptedStream] test_CreateValidStream_CreateConstructor : ");
+	try
+	{
+		try 
+		{
+			tc::crypto::Aes128CbcEncryptedStream::key_t key;
+			tc::crypto::Aes128CbcEncryptedStream::iv_t iv;
+
+			std::shared_ptr<tc::io::IStream> base_stream;
+			base_stream = std::shared_ptr<tc::io::MemoryStream>(new tc::io::MemoryStream(tc::ByteData(0x100)));
+
+			auto stream = tc::crypto::Aes128CbcEncryptedStream(base_stream, key, iv);
+
+			try
+			{
+				stream.write(nullptr, 0);
+				throw tc::Exception(".write() did not throw tc::NotImplementedException for initialized Aes128CbcEncryptedStream");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.setLength(0);
+				throw tc::Exception(".setLength() did not throw tc::NotImplementedException for initialized Aes128CbcEncryptedStream");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void crypto_Aes128CbcEncryptedStream_TestClass::test_RunTestCases()
+{
+	fmt::print("[tc::crypto::Aes128CbcEncryptedStream] test_RunTestCases : ");
+	try
+	{
+		try 
+		{
+			// get test cases
+			std::vector<crypto_Aes128CbcEncryptedStream_TestClass::TestCase> test_cases;
+			util_Setup_TestCases(test_cases);
+
+			for (auto itr = test_cases.begin(); itr != test_cases.end(); itr++)
+			{
+				tc::crypto::Aes128CbcEncryptedStream::key_t key;
+				memcpy(key.data(), itr->key.data(), itr->key.size());
+
+				tc::crypto::Aes128CbcEncryptedStream::iv_t iv;
+				memcpy(iv.data(), itr->iv.data(), itr->iv.size());
+
+				std::shared_ptr<tc::io::IStream> base_stream;
+				base_stream = std::shared_ptr<tc::io::MemoryStream>(new tc::io::MemoryStream(itr->ciphertext));
+
+
+				auto stream = tc::crypto::Aes128CbcEncryptedStream(base_stream, key, iv);
+
+				try 
+				{
+					StreamTestUtil::constructor_TestHelper(stream, itr->ciphertext.size(), 0, true, false, true);
+					StreamTestUtil::read_TestHelper(stream, itr->read_offset, tc::io::SeekOrigin::Begin, itr->read_size, itr->read_size, itr->read_plaintext.size(), itr->read_offset + int64_t(itr->read_size), itr->read_plaintext.data());
+				}
+				catch (const tc::Exception& e)
+				{
+					throw tc::Exception(fmt::format("{} Failed: {}", itr->test_name, e.error()));
+				}
+				
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void crypto_Aes128CbcEncryptedStream_TestClass::util_Setup_TestCases(std::vector<crypto_Aes128CbcEncryptedStream_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("2b7e151628aed2a6abf7158809cf4f3c");
+	tmp.iv  = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090A0B0C0D0E0F");
+
+	tc::ByteData plaintext =  tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710");
+	tc::ByteData ciphertext = tc::cli::FormatUtil::hexStringToBytes("7649abac8119b246cee98e9b12e9197d5086cb9b507219ee95db113a917678b273bed6b8e3c1743b7116e69e222295163ff1caa1681fac09120eca307586e1a7");
+
+	tmp.test_name  = "Test 1";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x00;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x10;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x20;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x30;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test read all blocks";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x0;
+	tmp.read_size = 0x40;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test un-aligned read over blocks 1-2";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x17;
+	tmp.read_size = 0x11;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test un-aligned read over blocks 0-3";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x07;
+	tmp.read_size = 0x31;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test partial block 0 read";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x2;
+	tmp.read_size = 0x8;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test partial block 1 read";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x12;
+	tmp.read_size = 0x8;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test partial block 3 read";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x32;
+	tmp.read_size = 0x8;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.h
new file mode 100644
index 00000000..cac22293
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptedStream_TestClass.h
@@ -0,0 +1,29 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/crypto.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotImplementedException.h>
+
+class crypto_Aes128CbcEncryptedStream_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_CreateEmptyStream_DefaultConstructor();
+	void test_CreateValidStream_CreateConstructor();
+	void test_RunTestCases();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData iv;
+		tc::ByteData ciphertext;
+		int64_t read_offset;
+		size_t read_size;
+		tc::ByteData read_plaintext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes128CbcEncryptedStream_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.cpp
new file mode 100644
index 00000000..c9c173b3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.cpp
@@ -0,0 +1,570 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes128CbcEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes128CbcEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes128CbcEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] END" << std::endl;
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes128CbcEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes128CbcEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 16;
+			if (tc::crypto::Aes128CbcEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes128CbcEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CbcEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CbcEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes128Cbc(data.data(), test->plaintext.data(), data.size(), test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes128Cbc(data.data(), test->ciphertext.data(), data.size(), test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes128CbcEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CbcEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128CbcEncryptor::kKeySize-1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128CbcEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128CbcEncryptor::kKeySize+1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128CbcEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), nullptr, tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where iv==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes128CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes128CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CbcEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes128CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes128CbcEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes128CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes128CbcEncryptor::kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128CbcEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CbcEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes128CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes128CbcEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes128CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes128CbcEncryptor::kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CbcEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes128CbcEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("2b7e151628aed2a6abf7158809cf4f3c");
+
+	tmp.test_name  = "Test 1";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090A0B0C0D0E0F");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7649abac8119b246cee98e9b12e9197d");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("7649ABAC8119B246CEE98E9B12E9197D");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5086cb9b507219ee95db113a917678b2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("5086CB9B507219EE95DB113A917678B2");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("73bed6b8e3c1743b7116e69e22229516");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("73BED6B8E3C1743B7116E69E22229516");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3ff1caa1681fac09120eca307586e1a7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090A0B0C0D0E0F");
+	tmp.plaintext  = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.h
new file mode 100644
index 00000000..c1f9a44e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CbcEncryptor_TestClass.h
@@ -0,0 +1,33 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes128CbcEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData iv;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes128CbcEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.cpp
new file mode 100644
index 00000000..48c64221
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.cpp
@@ -0,0 +1,265 @@
+#include <tc/Exception.h>
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <fmt/core.h>
+
+#include "crypto_Aes128CtrEncryptedStream_TestClass.h"
+#include "StreamTestUtil.h"
+
+void crypto_Aes128CtrEncryptedStream_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::crypto::Aes128CtrEncryptedStream] START\n");
+	test_CreateEmptyStream_DefaultConstructor();
+	test_CreateValidStream_CreateConstructor();
+	test_RunTestCases();
+	fmt::print("[tc::crypto::Aes128CtrEncryptedStream] END\n");
+}
+
+void crypto_Aes128CtrEncryptedStream_TestClass::test_CreateEmptyStream_DefaultConstructor()
+{
+	fmt::print("[tc::crypto::Aes128CtrEncryptedStream] test_CreateEmptyStream_DefaultConstructor : ");
+	try
+	{
+		try 
+		{
+			auto stream = tc::crypto::Aes128CtrEncryptedStream();
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, false, false);
+
+			try
+			{
+				stream.read(nullptr, 0);
+				throw tc::Exception(".read() did not throw tc::ObjectDisposedException for uninitialized Aes128CtrEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.write(nullptr, 0);
+				throw tc::Exception(".write() did not throw tc::ObjectDisposedException for uninitialized Aes128CtrEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.seek(0, tc::io::SeekOrigin::Begin);
+				throw tc::Exception(".seek() did not throw tc::ObjectDisposedException for uninitialized Aes128CtrEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.setLength(0);
+				throw tc::Exception(".setLength() did not throw tc::ObjectDisposedException for uninitialized Aes128CtrEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.flush();
+				throw tc::Exception(".flush() did not throw tc::ObjectDisposedException for uninitialized Aes128CtrEncryptedStream");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void crypto_Aes128CtrEncryptedStream_TestClass::test_CreateValidStream_CreateConstructor()
+{
+	fmt::print("[tc::crypto::Aes128CtrEncryptedStream] test_CreateValidStream_CreateConstructor : ");
+	try
+	{
+		try 
+		{
+			tc::crypto::Aes128CtrEncryptedStream::key_t key;
+			tc::crypto::Aes128CtrEncryptedStream::counter_t counter;
+
+			std::shared_ptr<tc::io::IStream> base_stream;
+			base_stream = std::shared_ptr<tc::io::MemoryStream>(new tc::io::MemoryStream(tc::ByteData(0x100)));
+
+			auto stream = tc::crypto::Aes128CtrEncryptedStream(base_stream, key, counter);
+
+			try
+			{
+				stream.write(nullptr, 0);
+				throw tc::Exception(".write() did not throw tc::NotImplementedException for initialized Aes128CtrEncryptedStream");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				stream.setLength(0);
+				throw tc::Exception(".setLength() did not throw tc::NotImplementedException for initialized Aes128CtrEncryptedStream");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void crypto_Aes128CtrEncryptedStream_TestClass::test_RunTestCases()
+{
+	fmt::print("[tc::crypto::Aes128CtrEncryptedStream] test_RunTestCases : ");
+	try
+	{
+		try 
+		{
+			// get test cases
+			std::vector<crypto_Aes128CtrEncryptedStream_TestClass::TestCase> test_cases;
+			util_Setup_TestCases(test_cases);
+
+			for (auto itr = test_cases.begin(); itr != test_cases.end(); itr++)
+			{
+				tc::crypto::Aes128CtrEncryptedStream::key_t key;
+				memcpy(key.data(), itr->key.data(), itr->key.size());
+
+				tc::crypto::Aes128CtrEncryptedStream::counter_t counter;
+				memcpy(counter.data(), itr->counter.data(), itr->counter.size());
+
+				std::shared_ptr<tc::io::IStream> base_stream;
+				base_stream = std::shared_ptr<tc::io::MemoryStream>(new tc::io::MemoryStream(itr->ciphertext));
+
+
+				auto stream = tc::crypto::Aes128CtrEncryptedStream(base_stream, key, counter);
+
+				try 
+				{
+					StreamTestUtil::constructor_TestHelper(stream, itr->ciphertext.size(), 0, true, false, true);
+					StreamTestUtil::read_TestHelper(stream, itr->read_offset, tc::io::SeekOrigin::Begin, itr->read_size, itr->read_size, itr->read_plaintext.size(), itr->read_offset + int64_t(itr->read_size), itr->read_plaintext.data());
+				}
+				catch (const tc::Exception& e)
+				{
+					throw tc::Exception(fmt::format("{} Failed: {}", itr->test_name, e.error()));
+				}
+				
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void crypto_Aes128CtrEncryptedStream_TestClass::util_Setup_TestCases(std::vector<crypto_Aes128CtrEncryptedStream_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("2b7e151628aed2a6abf7158809cf4f3c");
+	tmp.counter  = tc::cli::FormatUtil::hexStringToBytes("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+
+	tc::ByteData plaintext =  tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710");
+	tc::ByteData ciphertext = tc::cli::FormatUtil::hexStringToBytes("874d6191b620e3261bef6864990db6ce9806f66b7970fdff8617187bb9fffdff5ae4df3edbd5d35e5b4f09020db03eab1e031dda2fbe03d1792170a0f3009cee");
+
+	tmp.test_name  = "Test 1";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x00;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x10;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x20;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x30;
+	tmp.read_size = 0x10;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test read all blocks";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x0;
+	tmp.read_size = 0x40;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test un-aligned read over blocks 1-2";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x17;
+	tmp.read_size = 0x11;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test un-aligned read over blocks 0-3";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x07;
+	tmp.read_size = 0x31;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test partial block 0 read";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x2;
+	tmp.read_size = 0x8;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test partial block 1 read";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x12;
+	tmp.read_size = 0x8;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test partial block 3 read";
+	tmp.ciphertext = ciphertext;
+	tmp.read_offset = 0x32;
+	tmp.read_size = 0x8;
+	tmp.read_plaintext = tc::ByteData(plaintext.data() + tmp.read_offset, tmp.read_size);
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.h
new file mode 100644
index 00000000..4a95af48
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptedStream_TestClass.h
@@ -0,0 +1,29 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/crypto.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotImplementedException.h>
+
+class crypto_Aes128CtrEncryptedStream_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_CreateEmptyStream_DefaultConstructor();
+	void test_CreateValidStream_CreateConstructor();
+	void test_RunTestCases();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData counter;
+		tc::ByteData ciphertext;
+		int64_t read_offset;
+		size_t read_size;
+		tc::ByteData read_plaintext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes128CtrEncryptedStream_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.cpp
new file mode 100644
index 00000000..a6424fcb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.cpp
@@ -0,0 +1,543 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes128CtrEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes128CtrEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes128CtrEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] END" << std::endl;
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes128CtrEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes128CtrEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 16;
+			if (tc::crypto::Aes128CtrEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes128CtrEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CtrEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size(), test->block_number);
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CtrEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size(), test->block_number);
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes128Ctr(data.data(), test->plaintext.data(), data.size(), test->block_number, test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes128Ctr(data.data(), test->ciphertext.data(), data.size(), test->block_number, test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes128CtrEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CtrEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128CtrEncryptor::kKeySize-1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128CtrEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128CtrEncryptor::kKeySize+1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128CtrEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), nullptr, tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where iv==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes128CtrEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes128CtrEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CtrEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size(), 0);
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128CtrEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128CtrEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size(), 0);
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128CtrEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes128CtrEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("2b7e151628aed2a6abf7158809cf4f3c");
+	tmp.iv  = tc::cli::FormatUtil::hexStringToBytes("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+
+	tmp.test_name  = "Test 1";
+	tmp.block_number = 0;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("874d6191b620e3261bef6864990db6ce");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.block_number = 1;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9806f66b7970fdff8617187bb9fffdff");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.block_number = 2;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5ae4df3edbd5d35e5b4f09020db03eab");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.block_number = 3;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1e031dda2fbe03d1792170a0f3009cee");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.block_number = 0;
+	tmp.plaintext  = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.h
new file mode 100644
index 00000000..994f9b38
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128CtrEncryptor_TestClass.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes128CtrEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData iv;
+		uint64_t block_number;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes128CtrEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.cpp
new file mode 100644
index 00000000..5e1c6d1e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.cpp
@@ -0,0 +1,523 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes128EcbEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes128EcbEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes128EcbEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] END" << std::endl;
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes128EcbEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes128EcbEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 16;
+			if (tc::crypto::Aes128EcbEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes128EcbEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128EcbEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128EcbEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes128Ecb(data.data(), test->plaintext.data(), data.size(), test->key.data(), test->key.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes128Ecb(data.data(), test->ciphertext.data(), data.size(), test->key.data(), test->key.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes128EcbEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128EcbEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128EcbEncryptor::kKeySize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128EcbEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128EcbEncryptor::kKeySize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128EcbEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128EcbEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes128EcbEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes128EcbEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128EcbEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128EcbEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes128EcbEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes128EcbEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128EcbEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes128EcbEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("2b7e151628aed2a6abf7158809cf4f3c");
+
+	tmp.test_name  = "Test 1";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3ad77bb40d7a3660a89ecaf32466ef97");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("f5d3d58503b9699de785895a96fdbaaf");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("43b1cd7f598ece23881b00e3ed030688");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7b0c785e27e8ad3f8223207104725dd4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.plaintext = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.h
new file mode 100644
index 00000000..ade69849
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128EcbEncryptor_TestClass.h
@@ -0,0 +1,32 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes128EcbEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes128EcbEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.cpp
new file mode 100644
index 00000000..216491cd
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.cpp
@@ -0,0 +1,1016 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes128Encryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes128Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes128Encryptor] END" << std::endl;
+}
+
+void crypto_Aes128Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes128Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes128Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 16;
+			if (tc::crypto::Aes128Encryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes128Encryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes128Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, tc::crypto::Aes128Encryptor::kBlockSize).pullData(0, tc::crypto::Aes128Encryptor::kBlockSize);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128Encryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128Encryptor::kKeySize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128Encryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes128Encryptor::kKeySize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes128Encryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128Encryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128Encryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128Encryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128Encryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes128Encryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128Encryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes128Encryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Variable Key Known Answer Tests
+	// taken from "ecb_vk.txt" from https://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+	tmp.plaintext = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000000");
+
+	tmp.test_name = "Variable Key Known Answer Test 1";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("80000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0EDD33D3C621E546455BD8BA1418BEC8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 2";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("40000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C0CC0C5DA5BD63ACD44A80774FAD5222");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 3";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("20000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2F0B4B71BC77851B9CA56D42EB8FF080");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 4";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("10000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6B1E2FFFE8A114009D8FE22F6DB5F876");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 5";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("08000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9AA042C315F94CBB97B62202F83358F5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 6";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("04000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DBE01DE67E346A800C4C4B4880311DE4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 7";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("02000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C117D2238D53836ACD92DDCDB85D6A21");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 8";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("01000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DC0ED85DF9611ABB7249CDD168C5467E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 9";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00800000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("807D678FFF1F56FA92DE3381904842F2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 10";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00400000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0E53B3FCAD8E4B130EF73AEB957FB402");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 11";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00200000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("969FFD3B7C35439417E7BDE923035D65");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 12";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00100000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A99B512C19CA56070491166A1503BF15");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 13";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00080000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6E9985252126EE344D26AE369D2327E3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 14";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00040000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B85F4809F904C275491FCDCD1610387E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 15";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00020000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("ED365B8D7D20C1F5D53FB94DD211DF7B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 16";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00010000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B3A575E86A8DB4A7135D604C43304896");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 17";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00008000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("89704BCB8E69F846259EB0ACCBC7F8A2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 18";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00004000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C56EE7C92197861F10D7A92B90882055");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 19";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00002000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("92F296F6846E0EAF9422A5A24A08B069");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 20";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00001000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E67E32BB8F11DEB8699318BEE9E91A60");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 21";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000800000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B08EEF85EAF626DD91B65C4C3A97D92B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 22";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000400000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("661083A6ADDCE79BB4E0859AB5538013");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 23";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000200000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("55DFE2941E0EB10AFC0B333BD34DE1FE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 24";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000100000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6BFE5945E715C9662609770F8846087A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 25";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000080000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("79848E9C30C2F8CDA8B325F7FED2B139");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 26";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000040000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7A713A53B99FEF34AC04DEEF80965BD0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 27";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000020000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("18144A2B46620D32C3C32CE52D49257F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 28";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000010000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("872E827C70887C80749F7B8BB1847C7E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 29";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000008000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6B86C6A4FE6A60C59B1A3102F8DE49F3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 30";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000004000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9848BB3DFDF6F532F094679A4C231A20");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 31";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000002000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("925AD528E852E329B2091CD3F1C2BCEE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 32";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000001000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("80DF436544B0DD596722E46792A40CD8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 33";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000800000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("525DAF18F93E83E1E74BBBDDE4263BBA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 34";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000400000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F65C9D2EE485D24701FFA3313B9D5BE6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 35";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000200000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E4FC8D8BCA06425BDF94AFA40FCC14BA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 36";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000100000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A53F0A5CA1E4E6440BB975FF320DE6F8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 37";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000080000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D55313B9394080462E87E02899B553F0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 38";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000040000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("34A71D761F71BCD344384C7F97D27906");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 39";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000020000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("233F3D819599612EBC89580245C996A8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 40";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000010000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B4F1374E5268DBCB676E447529E53F89");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 41";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000008000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0816BD27861D2BA891D1044E39951E96");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 42";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000004000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F3BE9EA3F10C73CA64FDE5DB13A951D1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 43";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000002000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2448086A8106FBD03048DDF857D3F1C8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 44";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000001000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("670756E65BEC8B68F03D77CDCDCE7B91");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 45";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000800000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EF968CF0D36FD6C6EFFD225F6FB44CA9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 46";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000400000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2E8767157922E3826DDCEC1B0CC1E105");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 47";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000200000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("78CE7EEC670E45A967BAB17E26A1AD36");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 48";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000100000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3C5CEE825655F098F6E81A2F417DA3FB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 49";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000080000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("67BFDB431DCE1292200BC6F5207ADB12");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 50";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000040000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7540FD38E447C0779228548747843A6F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 51";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000020000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B85E513301F8A936EA9EC8A21A85B5E6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 52";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000010000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("04C67DBF16C11427D507A455DE2C9BC5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 53";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000008000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("03F75EB8959E55079CFFB4FF149A37B6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 54";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000004000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("74550287F666C63BB9BC7838433434B0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 55";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000002000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7D537200195EBC3AEFD1EAAB1C385221");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 56";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000001000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("CE24E4D40C68A82B535CBD3C8E21652A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 57";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000800000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AB20072405AA8FC40265C6F1F3DC8BC0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 58";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000400000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6CFD2CF688F566B093F67B9B3839E80A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 59";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000200000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BD95977E6B7239D407A012C5544BF584");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 60";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000100000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DF9C0130AC77E7C72C997F587B46DBE0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 61";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000080000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E7F1B82CADC53A648798945B34EFEFF2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 62";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000040000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("932C6DBF69255CF13EDCDB72233ACEA3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 63";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000020000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5C76002BC7206560EFE550C80B8F12CC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 64";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000010000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F6B7BDD1CAEEBAB574683893C4475484");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 65";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000008000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A920E37CC6DC6B31DA8C0169569F5034");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 66";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000004000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("919380ECD9C778BC513148B0C28D65FD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 67";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000002000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EE67308DD3F2D9E6C2170755E5784BE1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 68";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000001000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3CC73E53B85609023A05E149B223AE09");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 69";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000800000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("983E8AF7CF05EBB28D71EB841C9406E6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 70";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000400000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0F3099B2D31FA5299EE5BF43193287FC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 71";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000200000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B763D84F38C27FE6931DCEB6715D4DB6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 72";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000100000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5AE3C9B0E3CC29C0C61565CD01F8A248");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 73";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000080000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F58083572CD90981958565D48D2DEE25");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 74";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000040000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7E6255EEF8F70C0EF10337AAB1CCCEF8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 75";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000020000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AAD4BAC34DB22821841CE2F631961902");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 76";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000010000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D7431C0409BB1441BA9C6858DC7D4E81");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 77";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000008000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EF9298C65E339F6E801A59C626456993");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 78";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000004000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("53FE29F68FF541ABC3F0EF3350B72F7E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 79";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000002000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F6BBA5C10DB02529E2C2DA3FB582CC14");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 80";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000001000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E4239AA37FC531A386DAD1126FC0E9CD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 81";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000800000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8F7758F857D15BBE7BFD0E416404C365");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 82";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000400000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D273EB57C687BCD1B4EA7218A509E7B8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 83";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000200000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("65D64F8D76E8B3423FA25C4EB58A210A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 84";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000100000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("623D802B4EC450D66A16625702FCDBE0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 85";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000080000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7496460CB28E5791BAEAF9B68FB00022");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 86";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000040000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("34EA600F18BB0694B41681A49D510C1D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 87";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000020000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5F8FF0D47D5766D29B5D6E8F46423BD8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 88";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000010000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("225F9286C5928BF09F84D3F93F541959");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 89";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000008000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B21E90D25DF383416A5F072CEBEB1FFB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 90";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000004000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4AEFCDA089318125453EB9E8EB5E492E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 91";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000002000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4D3E75C6CD40EC4869BC85158591ADB8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 92";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000001000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("63A8B904405436A1B99D7751866771B7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 93";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000800000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("64F0DAAE47529199792EAE172BA53293");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 94";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000400000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C3EEF84BEA18225D515A8C852A9047EE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 95";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000200000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A44AC422B47D47B81AF73B3E9AC9596E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 96";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000100000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D16E04A8FBC435094F8D53ADF25F5084");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 97";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000080000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EF13DC34BAB03E124EEAD8B6BF44B532");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 98";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000040000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D94799075C24DCC067AF0D392049250D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 99";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000020000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("14F431771EDDCE4764C21A2254B5E3C8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 100";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000010000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7039329F36F2ED682B02991F28D64679");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 101";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000008000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("124EE24EDE5551639DB8B8B941F6141D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 102";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000004000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C2852879A34D5184E478EC918B993FEE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 103";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000002000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("86A806A3525B93E432053C9AB5ABBEDF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 104";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000001000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C1609BF5A4F07E37C17A36366EC23ECC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 105";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000800000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7E81E7CB92159A51FFCEA331B1E8EA53");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 106";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000400000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("37A7BE002856C5A59A6E03EAFCE7729A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 107";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000200000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BDF98A5A4F91E890C9A1D1E5FAAB138F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 108";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000100000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4E96ACB66E051F2BC739CC3D3E34A26B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 109";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000080000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EE996CDD120EB86E21ECFA49E8E1FCF1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 110";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000040000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("61B9E6B579DBF6070C351A1440DD85FF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 111";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000020000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AC369E484316440B40DFC83AA96E28E7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 112";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000010000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0A2D16DE985C76D45C579C1159413BBE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 113";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000008000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DA3FDC38DA1D374FA4802CDA1A1C6B0F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 114";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000004000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B842523D4C41C2211AFE43A5800ADCE3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 115";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000002000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9E2CDA90D8E992DBA6C73D8229567192");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 116";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000001000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D49583B781D9E20F5BE101415957FC49");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 117";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000800");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EF09DA5C12B376E458B9B8670032498E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 118";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000400");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A96BE0463DA774461A5E1D5A9DD1AC10");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 119";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000200");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("32CEE3341060790D2D4B1362EF397090");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 120";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000100");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("21CEA416A3D3359D2C4D58FB6A035F06");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 121";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000080");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("172AEAB3D507678ECAF455C12587ADB7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 122";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000040");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B6F897941EF8EBFF9FE80A567EF38478");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 123";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000020");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A9723259D94A7DC662FB0C782CA3F1DD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 124";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000010");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2F91C984B9A4839F30001B9F430493B4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 125";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000008");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0472406345A610B048CB99EE0EF3FA0F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 126";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000004");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F5F39086646F8C05ED16EFA4B617957C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 127";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000002");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("26D50F485A30408D5AF47A5736292450");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 128";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000001");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0545AAD56DA2A97C3663D1432A3D1C84");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.h
new file mode 100644
index 00000000..1fef9e55
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128Encryptor_TestClass.h
@@ -0,0 +1,30 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes128Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes128Encryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.cpp
new file mode 100644
index 00000000..e2e0a8c0
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.cpp
@@ -0,0 +1,691 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Aes128XtsEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes128XtsEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes128XtsEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] END" << std::endl;
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes128XtsEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes128XtsEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 16;
+			if (tc::crypto::Aes128XtsEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes128XtsEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes128XtsEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size(), test->data_unit_sequence_number);
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes128XtsEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size(), test->data_unit_sequence_number);
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes128Xts(data.data(), test->plaintext.data(), data.size(), test->data_unit_sequence_number, test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes128Xts(data.data(), test->ciphertext.data(), data.size(), test->data_unit_sequence_number, test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				
+				// validate plain text
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes128XtsEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			if (cryptor.sector_size() != 0)
+			{
+				ss << "Failed: sector_size() reported a non-zero answer when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes128XtsEncryptor cryptor;
+
+			// reference initialize call
+			//cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentNullException where key1==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), 0, tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key1_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tc::crypto::Aes128XtsEncryptor::kKeySize-1, tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key1_size==tc::crypto::Aes128XtsEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tc::crypto::Aes128XtsEncryptor::kKeySize+1, tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key1_size==tc::crypto::Aes128XtsEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), nullptr, tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentNullException where key2==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), 0, tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key2_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tc::crypto::Aes128XtsEncryptor::kKeySize-1, tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key2_size==tc::crypto::Aes128XtsEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tc::crypto::Aes128XtsEncryptor::kKeySize+1, tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key2_size==tc::crypto::Aes128XtsEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), 0, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where sector_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tc::crypto::Aes128XtsEncryptor::kBlockSize-1, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where sector_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes128XtsEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size(), 0);
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), cryptor.sector_size()-1, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==cryptor.sector_size()-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes128XtsEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes128XtsEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size(), 0);
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].plaintext.data(), cryptor.sector_size()-1, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==cryptor.sector_size()-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes128XtsEncryptor_TestClass::util_Setup_IEEE1619_2007_TestCases(std::vector<crypto_Aes128XtsEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// XTS-AES applied for a data unit of 32 bytes, 32 bytes key material.
+	tmp.data_unit = 32;
+
+	tmp.test_name = "IEEE 1619-2007 Vector 1";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000000");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000000");
+	tmp.data_unit_sequence_number = 0x00;
+	tmp.plaintext = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e");
+	test_cases.push_back(tmp);
+	
+	tmp.test_name = "IEEE 1619-2007 Vector 2";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("11111111111111111111111111111111");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("22222222222222222222222222222222");
+	tmp.data_unit_sequence_number = 0x3333333333;
+	tmp.plaintext = tc::cli::FormatUtil::hexStringToBytes("4444444444444444444444444444444444444444444444444444444444444444");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("c454185e6a16936e39334038acef838bfb186fff7480adc4289382ecd6d394f0");
+	test_cases.push_back(tmp);
+	
+	tmp.test_name = "IEEE 1619-2007 Vector 3";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("22222222222222222222222222222222");
+	tmp.data_unit_sequence_number = 0x3333333333;
+	tmp.plaintext = tc::cli::FormatUtil::hexStringToBytes("4444444444444444444444444444444444444444444444444444444444444444");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("af85336b597afc1a900b2eb21ec949d292df4c047e0b21532186a5971a227a89");
+	test_cases.push_back(tmp);
+	
+	// XTS-AES-128 applied for a data unit of 512 bytes
+	tmp.data_unit = 512;
+
+	tmp.test_name = "IEEE 1619-2007 Vector 4";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0x00;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 5";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0x01;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412328063fd2aab53e5ea1e0a9f332500a5df9487d07a5c92cc512c8866c7e860ce93fdf166a24912b422976146ae20ce846bb7dc9ba94a767aaef20c0d61ad02655ea92dc4c4e41a8952c651d33174be51a10c421110e6d81588ede82103a252d8a750e8768defffed9122810aaeb99f9172af82b604dc4b8e51bcb08235a6f4341332e4ca60482a4ba1a03b3e65008fc5da76b70bf1690db4eae29c5f1badd03c5ccf2a55d705ddcd86d449511ceb7ec30bf12b1fa35b913f9f747a8afd1b130e94bff94effd01a91735ca1726acd0b197c4e5b03393697e126826fb6bbde8ecc1e08298516e2c9ed03ff3c1b7860f6de76d4cecd94c8119855ef5297ca67e9f3e7ff72b1e99785ca0a7e7720c5b36dc6d72cac9574c8cbbc2f801e23e56fd344b07f22154beba0f08ce8891e643ed995c94d9a69c9f1b5f499027a78572aeebd74d20cc39881c213ee770b1010e4bea718846977ae119f7a023ab58cca0ad752afe656bb3c17256a9f6e9bf19fdd5a38fc82bbe872c5539edb609ef4f79c203ebb140f2e583cb2ad15b4aa5b655016a8449277dbd477ef2c8d6c017db738b18deb4a427d1923ce3ff262735779a418f20a282df920147beabe421ee5319d0568");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 6";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0x02;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("264d3ca8512194fec312c8c9891f279fefdd608d0c027b60483a3fa811d65ee59d52d9e40ec5672d81532b38b6b089ce951f0f9c35590b8b978d175213f329bb1c2fd30f2f7f30492a61a532a79f51d36f5e31a7c9a12c286082ff7d2394d18f783e1a8e72c722caaaa52d8f065657d2631fd25bfd8e5baad6e527d763517501c68c5edc3cdd55435c532d7125c8614deed9adaa3acade5888b87bef641c4c994c8091b5bcd387f3963fb5bc37aa922fbfe3df4e5b915e6eb514717bdd2a74079a5073f5c4bfd46adf7d282e7a393a52579d11a028da4d9cd9c77124f9648ee383b1ac763930e7162a8d37f350b2f74b8472cf09902063c6b32e8c2d9290cefbd7346d1c779a0df50edcde4531da07b099c638e83a755944df2aef1aa31752fd323dcb710fb4bfbb9d22b925bc3577e1b8949e729a90bbafeacf7f7879e7b1147e28ba0bae940db795a61b15ecf4df8db07b824bb062802cc98a9545bb2aaeed77cb3fc6db15dcd7d80d7d5bc406c4970a3478ada8899b329198eb61c193fb6275aa8ca340344a75a862aebe92eee1ce032fd950b47d7704a3876923b4ad62844bf4a09c4dbe8b4397184b7471360c9564880aedddb9baa4af2e75394b08cd32ff479c57a07d3eab5d54de5f9738b8d27f27a9f0ab11799d7b7ffefb2704c95c6ad12c39f1e867a4b7b1d7818a4b753dfd2a89ccb45e001a03a867b187f225dd");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("fa762a3680b76007928ed4a4f49a9456031b704782e65e16cecb54ed7d017b5e18abd67b338e81078f21edb7868d901ebe9c731a7c18b5e6dec1d6a72e078ac9a4262f860beefa14f4e821018272e411a951502b6e79066e84252c3346f3aa62344351a291d4bedc7a07618bdea2af63145cc7a4b8d4070691ae890cd65733e7946e9021a1dffc4c59f159425ee6d50ca9b135fa6162cea18a939838dc000fb386fad086acce5ac07cb2ece7fd580b00cfa5e98589631dc25e8e2a3daf2ffdec26531659912c9d8f7a15e5865ea8fb5816d6207052bd7128cd743c12c8118791a4736811935eb982a532349e31dd401e0b660a568cb1a4711f552f55ded59f1f15bf7196b3ca12a91e488ef59d64f3a02bf45239499ac6176ae321c4a211ec545365971c5d3f4f09d4eb139bfdf2073d33180b21002b65cc9865e76cb24cd92c874c24c18350399a936ab3637079295d76c417776b94efce3a0ef7206b15110519655c956cbd8b2489405ee2b09a6b6eebe0c53790a12a8998378b33a5b71159625f4ba49d2a2fdba59fbf0897bc7aabd8d707dc140a80f0f309f835d3da54ab584e501dfa0ee977fec543f74186a802b9a37adb3e8291eca04d66520d229e60401e7282bef486ae059aa70696e0e305d777140a7a883ecdcb69b9ff938e8a4231864c69ca2c2043bed007ff3e605e014bcf518138dc3a25c5e236171a2d01d6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 7";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0xfd;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("8e41b78c390b5af9d758bb214a67e9f6bf7727b09ac6124084c37611398fa45daad94868600ed391fb1acd4857a95b466e62ef9f4b377244d1c152e7b30d731aad30c716d214b707aed99eb5b5e580b3e887cf7497465651d4b60e6042051da3693c3b78c14489543be8b6ad0ba629565bba202313ba7b0d0c94a3252b676f46cc02ce0f8a7d34c0ed229129673c1f61aed579d08a9203a25aac3a77e9db60267996db38df637356d9dcd1632e369939f2a29d89345c66e05066f1a3677aef18dea4113faeb629e46721a66d0a7e785d3e29af2594eb67dfa982affe0aac058f6e15864269b135418261fc3afb089472cf68c45dd7f231c6249ba0255e1e033833fc4d00a3fe02132d7bc3873614b8aee34273581ea0325c81f0270affa13641d052d36f0757d484014354d02d6883ca15c24d8c3956b1bd027bcf41f151fd8023c5340e5606f37e90fdb87c86fb4fa634b3718a30bace06a66eaf8f63c4aa3b637826a87fe8cfa44282e92cb1615af3a28e53bc74c7cba1a0977be9065d0c1a5dec6c54ae38d37f37aa35283e048e5530a85c4e7a29d7b92ec0c3169cdf2a805c7604bce60049b9fb7b8eaac10f51ae23794ceba68bb58112e293b9b692ca721b37c662f8574ed4dba6f88e170881c82cddc1034a0ca7e284bf0962b6b26292d836fa9f73c1ac770eef0f2d3a1eaf61d3e03555fd424eedd67e18a18094f888");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637");
+	test_cases.push_back(tmp);
+	
+	tmp.test_name = "IEEE 1619-2007 Vector 8";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0xfe;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("d55f684f81f4426e9fde92a5ff02df2ac896af63962888a97910c1379e20b0a3b1db613fb7fe2e07004329ea5c22bfd33e3dbe4cf58cc608c2c26c19a2e2fe22f98732c2b5cb844cc6c0702d91e1d50fc4382a7eba5635cd602432a2306ac4ce82f8d70c8d9bc15f918fe71e74c622d5cf71178bf6e0b9cc9f2b41dd8dbe441c41cd0c73a6dc47a348f6702f9d0e9b1b1431e948e299b9ec2272ab2c5f0c7be86affa5dec87a0bee81d3d50007edaa2bcfccb35605155ff36ed8edd4a40dcd4b243acd11b2b987bdbfaf91a7cac27e9c5aea525ee53de7b2d3332c8644402b823e94a7db26276d2d23aa07180f76b4fd29b9c0823099c9d62c519880aee7e9697617c1497d47bf3e571950311421b6b734d38b0db91eb85331b91ea9f61530f54512a5a52a4bad589eb69781d537f23297bb459bdad2948a29e1550bf4787e0be95bb173cf5fab17dab7a13a052a63453d97ccec1a321954886b7a1299faaeecae35c6eaaca753b041b5e5f093bf83397fd21dd6b3012066fcc058cc32c3b09d7562dee29509b5839392c9ff05f51f3166aaac4ac5f238038a3045e6f72e48ef0fe8bc675e82c318a268e43970271bf119b81bf6a982746554f84e72b9f00280a320a08142923c23c883423ff949827f29bbacdc1ccdb04938ce6098c95ba6b32528f4ef78eed778b2e122ddfd1cbdd11d1c0a6783e011fc536d63d053260637");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 9";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0xff;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("72efc1ebfe1ee25975a6eb3aa8589dda2b261f1c85bdab442a9e5b2dd1d7c3957a16fc08e526d4b1223f1b1232a11af274c3d70dac57f83e0983c498f1a6f1aecb021c3e70085a1e527f1ce41ee5911a82020161529cd82773762daf5459de94a0a82adae7e1703c808543c29ed6fb32d9e004327c1355180c995a07741493a09c21ba01a387882da4f62534b87bb15d60d197201c0fd3bf30c1500a3ecfecdd66d8721f90bcc4c17ee925c61b0a03727a9c0d5f5ca462fbfa0af1c2513a9d9d4b5345bd27a5f6e653f751693e6b6a2b8ead57d511e00e58c45b7b8d005af79288f5c7c22fd4f1bf7a898b03a5634c6a1ae3f9fae5de4f296a2896b23e7ed43ed14fa5a2803f4d28f0d3ffcf24757677aebdb47bb388378708948a8d4126ed1839e0da29a537a8c198b3c66ab00712dd261674bf45a73d67f76914f830ca014b65596f27e4cf62de66125a5566df9975155628b400fbfb3a29040ed50faffdbb18aece7c5c44693260aab386c0a37b11b114f1c415aebb653be468179428d43a4d8bc3ec38813eca30a13cf1bb18d524f1992d44d8b1a42ea30b22e6c95b199d8d182f8840b09d059585c31ad691fa0619ff038aca2c39a943421157361717c49d322028a74648113bd8c9d7ec77cf3c89c1ec8718ceff8516d96b34c3c614f10699c9abc4ed0411506223bea16af35c883accdbe1104eef0cfdb54e12fb230a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3260ae8dad1f4a32c5cafe3ab0eb95549d461a67ceb9e5aa2d3afb62dece0553193ba50c75be251e08d1d08f1088576c7efdfaaf3f459559571e12511753b07af073f35da06af0ce0bbf6b8f5ccc5cea500ec1b211bd51f63b606bf6528796ca12173ba39b8935ee44ccce646f90a45bf9ccc567f0ace13dc2d53ebeedc81f58b2e41179dddf0d5a5c42f5d8506c1a5d2f8f59f3ea873cbcd0eec19acbf325423bd3dcb8c2b1bf1d1eaed0eba7f0698e4314fbeb2f1566d1b9253008cbccf45a2b0d9c5c9c21474f4076e02be26050b99dee4fd68a4cf890e496e4fcae7b70f94ea5a9062da0daeba1993d2ccd1dd3c244b8428801495a58b216547e7e847c46d1d756377b6242d2e5fb83bf752b54e0df71e889f3a2bb0f4c10805bf3c590376e3c24e22ff57f7fa965577375325cea5d920db94b9c336b455f6e894c01866fe9fbb8c8d3f70a2957285f6dfb5dcd8cbf54782f8fe7766d4723819913ac773421e3a31095866bad22c86a6036b2518b2059b4229d18c8c2ccbdf906c6cc6e82464ee57bddb0bebcb1dc645325bfb3e665ef7251082c88ebb1cf203bd779fdd38675713c8daadd17e1cabee432b09787b6ddf3304e38b731b45df5df51b78fcfb3d32466028d0ba36555e7e11ab0ee0666061d1645d962444bc47a38188930a84b4d561395c73c087021927ca638b7afc8a8679ccb84c26555440ec7f10445cd");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Custom Test, Vectors 4-6";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0x00;
+	tmp.plaintext = tc::ByteData(tmp.data_unit * 3);
+	tmp.ciphertext = tc::ByteData(tmp.data_unit * 3);
+	for (size_t idx = 0; idx < 3; idx++)
+	{
+		memcpy(tmp.plaintext.data() + idx * tmp.data_unit, test_cases[3 + idx].plaintext.data(), tmp.data_unit);
+		memcpy(tmp.ciphertext.data() + idx * tmp.data_unit, test_cases[3 + idx].ciphertext.data(), tmp.data_unit);
+	}
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Custom Test, Vectors 7-9";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("27182818284590452353602874713526");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("31415926535897932384626433832795");
+	tmp.data_unit_sequence_number = 0xfd;
+	tmp.plaintext = tc::ByteData(tmp.data_unit * 3);
+	tmp.ciphertext = tc::ByteData(tmp.data_unit * 3);
+	for (size_t idx = 0; idx < 3; idx++)
+	{
+		memcpy(tmp.plaintext.data() + idx * tmp.data_unit, test_cases[6 + idx].plaintext.data(), tmp.data_unit);
+		memcpy(tmp.ciphertext.data() + idx * tmp.data_unit, test_cases[6 + idx].ciphertext.data(), tmp.data_unit);
+	}
+	test_cases.push_back(tmp);
+
+	// XTS-AES-128 applied for a data unit that is not a multiple of 16 bytes
+	// please note the ciphertext for these have been modified, as even the reference implementation cannot be validated against these test vectors
+	tmp.test_name = "IEEE 1619-2007 Vector 15";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0");
+	tmp.data_unit_sequence_number = 0x9a78563412;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f10");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("641610679DCBF92E505C41333FB06C2A95"); // original 6c1625db4671522d3d7599601de7ca09ed
+	tmp.data_unit = tmp.plaintext.size();
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 16";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0");
+	tmp.data_unit_sequence_number = 0x9a78563412;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f1011");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("223A725CBCD4DC647B9A9826D54C99C895C8"); // original d069444b7a7e0cab09e24447d24deb1fedbf
+	tmp.data_unit = tmp.plaintext.size();
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 17";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0");
+	tmp.data_unit_sequence_number = 0x9a78563412;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0D39809A65C1D55501960B671D4B8B6B95C871"); // original e5df1351c0544ba1350b3363cd8ef4beedbf9d
+	tmp.data_unit = tmp.plaintext.size();
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 18";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0");
+	tmp.data_unit_sequence_number = 0x9a78563412;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f10111213");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A8BA0048D75084603EB8423A09B7BF7595C871F6"); // original 9d84c813f719aa2c7be3f66171c7c5c2edbf9dac
+	tmp.data_unit = tmp.plaintext.size();
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 19";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("e0e1e2e3e4e5e6e7e8e9eaebecedeeef");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("c0c1c2c3c4c5c6c7c8c9cacbcccdcecf");
+	tmp.data_unit_sequence_number = 0x21436587a9;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C4E60104E27AED4DEFF63B72B054AC82CC0175A5B8AEEEAA017EC12249AA641B36438DAB0589E8903BF23327127C12362E7D6864522C44538E4E979D97393BA67EAB768517E2C70B98035FC1BBEBFED48A9FF017EB3E04DC8E19AAD6BE04C23A6675726A4388C8A297FEF753BF71E9EA07DD354D42DC2393888A401188554A53315EB9A0624AE44E5B674B3607B73EE0E5FEB44F5BE7178EF54CBD460B1D6A2E93923F6B63210B06D74367BBB02884639AF3B958CACC041618A7940A983F8438123348F3D87F254377152302D821ECE64588F8BB1AF85CF934BD49C703186E48624772C9802228484249E887EBFD7440514130D8D38C2B1219241A42630BDFBD4135FAC6BEC92462D3EA9BEB95C797D23A8C04799E3EA2BA733C5E00718649E7AF0FDD6EAA5BFD5DF7F3FA9953A3B5266806709D17DDD0A0F5B7535BC9F986C109A848EF8C3A45F9033056817CE08DE8019EA103E28836B82D08C5D1FDEEC254E508BF253F6B90963FE43D7D8B8D66D30419C4733A32DA1505DE5DFD7A976E7852455DD454327EE8A1CB71D40F392A89EEE266A8F42772BB519F4044902D939E9716734F622F46E3C48F31D09E7859A14B54693F9EEB14FC021DC5B66589CA3FE16B7BC7166A3686CC869730656AE76285A518B290745E852C6AC626EB0DA25DFF404B83F001D6D23A65D91F3F38A097DA03A59B275B4F5A5480C9608E12F93B"); // original 38b45812ef43a05bd957e545907e223b954ab4aaf088303ad910eadf14b42be68b2461149d8c8ba85f992be970bc621f1b06573f63e867bf5875acafa04e42ccbd7bd3c2a0fb1fff791ec5ec36c66ae4ac1e806d81fbf709dbe29e471fad38549c8e66f5345d7c1eb94f405d1ec785cc6f6a68f6254dd8339f9d84057e01a17741990482999516b5611a38f41bb6478e6f173f320805dd71b1932fc333cb9ee39936beea9ad96fa10fb4112b901734ddad40bc1878995f8e11aee7d141a2f5d48b7a4e1e7f0b2c04830e69a4fd1378411c2f287edf48c6c4e5c247a19680f7fe41cefbd49b582106e3616cbbe4dfb2344b2ae9519391f3e0fb4922254b1d6d2d19c6d4d537b3a26f3bcc51588b32f3eca0829b6a5ac72578fb814fb43cf80d64a233e3f997a3f02683342f2b33d25b492536b93becb2f5e1a8b82f5b883342729e8ae09d16938841a21a97fb543eea3bbff59f13c1a18449e398701c1ad51648346cbc04c27bb2da3b93a1372ccae548fb53bee476f9e9c91773b1bb19828394d55d3e1a20ed69113a860b6829ffa847224604435070221b257e8dff783615d2cae4803a93aa4334ab482a0afac9c0aeda70b45a481df5dec5df8cc0f423c77a5fd46cd312021d4b438862419a791be03bb4d97c0e59578542531ba466a83baf92cefc151b5cc1611a167893819b63fb8a6b18e86de60290fa72b797b0ce59f3
+	tmp.data_unit = tmp.plaintext.size();
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.h
new file mode 100644
index 00000000..7d1ee3ee
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes128XtsEncryptor_TestClass.h
@@ -0,0 +1,35 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes128XtsEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key1;
+		tc::ByteData key2;
+		uint64_t data_unit;
+		uint64_t data_unit_sequence_number;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_IEEE1619_2007_TestCases(std::vector<crypto_Aes128XtsEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.cpp
new file mode 100644
index 00000000..a863ec83
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.cpp
@@ -0,0 +1,570 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes192CbcEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes192CbcEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes192CbcEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] END" << std::endl;
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes192CbcEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes192CbcEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 24;
+			if (tc::crypto::Aes192CbcEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes192CbcEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CbcEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CbcEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes192Cbc(data.data(), test->plaintext.data(), data.size(), test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes192Cbc(data.data(), test->ciphertext.data(), data.size(), test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes192CbcEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CbcEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192CbcEncryptor::kKeySize-1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192CbcEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192CbcEncryptor::kKeySize+1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192CbcEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), nullptr, tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where iv==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes192CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes192CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CbcEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes192CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes192CbcEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes192CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes192CbcEncryptor::kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192CbcEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CbcEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes192CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes192CbcEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes192CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes192CbcEncryptor::kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CbcEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes192CbcEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b");
+
+	tmp.test_name  = "Test 1";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090A0B0C0D0E0F");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4f021db243bc633d7178183a9fa071e8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("4F021DB243BC633D7178183A9FA071E8");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("b4d9ada9ad7dedf4e5e738763f69145a");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("B4D9ADA9AD7DEDF4E5E738763F69145A");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("571b242012fb7ae07fa9baac3df102e0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("571B242012FB7AE07FA9BAAC3DF102E0");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("08b0e27988598881d920a9e64f5615cd");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090A0B0C0D0E0F");
+	tmp.plaintext  = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.h
new file mode 100644
index 00000000..81a81f2b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192CbcEncryptor_TestClass.h
@@ -0,0 +1,33 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes192CbcEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData iv;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes192CbcEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.cpp
new file mode 100644
index 00000000..52c78343
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.cpp
@@ -0,0 +1,543 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes192CtrEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes192CtrEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes192CtrEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] END" << std::endl;
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes192CtrEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes192CtrEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 24;
+			if (tc::crypto::Aes192CtrEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes192CtrEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CtrEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size(), test->block_number);
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CtrEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size(), test->block_number);
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes192Ctr(data.data(), test->plaintext.data(), data.size(), test->block_number, test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes192Ctr(data.data(), test->ciphertext.data(), data.size(), test->block_number, test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes192CtrEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CtrEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192CtrEncryptor::kKeySize-1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192CtrEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192CtrEncryptor::kKeySize+1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192CtrEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), nullptr, tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where iv==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes192CtrEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes192CtrEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CtrEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size(), 0);
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192CtrEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192CtrEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size(), 0);
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192CtrEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes192CtrEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b");
+	tmp.iv  = tc::cli::FormatUtil::hexStringToBytes("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+
+	tmp.test_name  = "Test 1";
+	tmp.block_number = 0;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1abc932417521ca24f2b0459fe7e6e0b");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.block_number = 1;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("090339ec0aa6faefd5ccc2c6f4ce8e94");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.block_number = 2;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1e36b26bd1ebc670d1bd1d665620abf7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.block_number = 3;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4f78a7f6d29809585a97daec58c6b050");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.block_number = 0;
+	tmp.plaintext  = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.h
new file mode 100644
index 00000000..d35e6af7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192CtrEncryptor_TestClass.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes192CtrEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData iv;
+		uint64_t block_number;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes192CtrEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.cpp
new file mode 100644
index 00000000..e6d7d92d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.cpp
@@ -0,0 +1,523 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes192EcbEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes192EcbEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes192EcbEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] END" << std::endl;
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes192EcbEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes192EcbEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 24;
+			if (tc::crypto::Aes192EcbEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes192EcbEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192EcbEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192EcbEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes192Ecb(data.data(), test->plaintext.data(), data.size(), test->key.data(), test->key.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes192Ecb(data.data(), test->ciphertext.data(), data.size(), test->key.data(), test->key.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes192EcbEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192EcbEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192EcbEncryptor::kKeySize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192EcbEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192EcbEncryptor::kKeySize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192EcbEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192EcbEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes192EcbEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes192EcbEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192EcbEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192EcbEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes192EcbEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes192EcbEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192EcbEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes192EcbEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b");
+
+	tmp.test_name  = "Test 1";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("bd334f1d6e45f25ff712a214571fa5cc");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("974104846d0ad3ad7734ecb3ecee4eef");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("ef7afd2270e2e60adce0ba2face6444e");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9a4b41ba738d6c72fb16691603c18e0e");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.plaintext = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.h
new file mode 100644
index 00000000..f83f33ee
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192EcbEncryptor_TestClass.h
@@ -0,0 +1,32 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes192EcbEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes192EcbEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.cpp
new file mode 100644
index 00000000..363487a4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.cpp
@@ -0,0 +1,1336 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes192Encryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes192Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes192Encryptor] END" << std::endl;
+}
+
+void crypto_Aes192Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes192Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes192Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 24;
+			if (tc::crypto::Aes192Encryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes192Encryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes192Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, tc::crypto::Aes192Encryptor::kBlockSize).pullData(0, tc::crypto::Aes192Encryptor::kBlockSize);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192Encryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192Encryptor::kKeySize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192Encryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes192Encryptor::kKeySize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes192Encryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192Encryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192Encryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192Encryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes192Encryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes192Encryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes192Encryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes192Encryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Variable Key Known Answer Tests
+	// taken from "ecb_vk.txt" from https://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+	tmp.plaintext = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000000");
+
+	tmp.test_name = "Variable Key Known Answer Test 1";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("800000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DE885DC87F5A92594082D02CC1E1B42C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 2";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("400000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C749194F94673F9DD2AA1932849630C1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 3";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("200000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0CEF643313912934D310297B90F56ECC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 4";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("100000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C4495D39D4A553B225FBA02A7B1B87E1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 5";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("080000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("636D10B1A0BCAB541D680A7970ADC830");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 6";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("040000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("07CF045786BD6AFCC147D99E45A901A7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 7";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("020000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6A8E3F425A7599348F95398448827976");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 8";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("010000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5518276836148A00D91089A20D8BFF57");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 9";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("008000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F267E07B5E87E3BC20B969C61D4FCB06");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 10";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("004000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5A1CDE69571D401BFCD20DEBADA2212C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 11";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("002000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("70A9057263254701D12ADD7D74CD509E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 12";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("001000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("35713A7E108031279388A33A0FE2E190");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 13";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000800000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E74EDE82B1254714F0C7B4B243108655");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 14";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000400000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("39272E3100FAA37B55B862320D1B3EB3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 15";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000200000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6D6E24C659FC5AEF712F77BCA19C9DD0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 16";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000100000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("76D18212F972370D3CC2C6C372C6CF2F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 17";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000080000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B21A1F0BAE39E55C7594ED570A7783EA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 18";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000040000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("77DE202111895AC48DD1C974B358B458");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 19";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000020000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("67810B311969012AAF7B504FFAF39FD1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 20";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000010000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C22EA2344D3E9417A6BA07843E713AEA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 21";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000008000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C79CAF4B97BEE0BD0630AB354539D653");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 22";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000004000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("135FD1AF761D9AE23DF4AA6B86760DB4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 23";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000002000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D4659D0B06ACD4D56AB8D11A16FD83B9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 24";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000001000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F7D270028FC188E4E4F35A4AAA25D4D4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 25";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000800000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("345CAE5A8C9620A9913D5473985852FF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 26";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000400000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4E8980ADDE60B0E42C0B287FEA41E729");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 27";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000200000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F11B6D74E1F15155633DC39743C1A527");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 28";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000100000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9C87916C0180064F9D3179C6F5DD8C35");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 29";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000080000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("71AB186BCAEA518E461D4F7FAD230E6A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 30";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000040000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C4A31BBC3DAAF742F9141C2A5001A49C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 31";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000020000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E7C47B7B1D40F182A8928C8A55671D07");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 32";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000010000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8E17F294B28FA373C6249538868A7EEF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 33";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000008000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("754404096A5CBC08AF09491BE249141A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 34";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000004000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("101CB56E55F05D86369B6D1069204F0A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 35";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000002000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("73F19BB6604205C6EE227B9759791E41");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 36";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000001000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6270C0028F0D136C37A56B2CB64D24D6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 37";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000800000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A3BF7C2C38D1114A087ECF212E694346");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 38";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000400000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("49CABFF2CEF7D9F95F5EFB1F7A1A7DDE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 39";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000200000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EC7F8A47CC59B849469255AD49F62752");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 40";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000100000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("68FAE55A13EFAF9B07B3552A8A0DC9D1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 41";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000080000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("211E6B19C69FAEF481F64F24099CDA65");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 42";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000040000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DBB918C75BC5732416F79FB0C8EE4C5C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 43";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000020000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("98D494E5D963A6C8B92536D3EC35E3FD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 44";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000010000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C9A873404D403D6F074190851D67781A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 45";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000008000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("073AEF4A7C77D921928CB0DD9D27CAE7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 46";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000004000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("89BDE25CEE36FDE769A10E52298CF90F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 47";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000002000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("26D0842D37EAD38557C65E0A5E5F122E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 48";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000001000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F8294BA375AF46B3F22905BBAFFAB107");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 49";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000800000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2AD63EB4D0D43813B979CF72B35BDB94");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 50";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000400000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7710C171EE0F4EFA39BE4C995180181D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 51";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000200000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C0CB2B40DBA7BE8C0698FAE1E4B80FF8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 52";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000100000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("97970E505194622FD955CA1B80B784E9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 53";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000080000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7CB1824B29F850900DF2CAD9CF04C1CF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 54";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000040000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FDF4F036BB988E42F2F62DE63FE19A64");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 55";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000020000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("08908CFE2C82606B2C15DF61B75CF3E2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 56";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000010000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B3AA689EF2D07FF365ACB9ADBA2AF07A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 57";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000008000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F2672CD8EAA3B98776660D0263656F5C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 58";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000004000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5BDEAC00E986687B9E1D94A0DA7BF452");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 59";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000002000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E6D57BD66EA1627363EE0C4B711B0B21");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 60";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000001000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("03730DD6ACB4AD9996A63BE7765EC06F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 61";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000800000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A470E361AA5437B2BE8586D2F78DE582");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 62";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000400000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7567FEEFA559911FD479670246B484E3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 63";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000200000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("29829DEA15A4E7A4C049045E7B106E29");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 64";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000100000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A407834C3D89D48A2CB7A152208FA4ED");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 65";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000080000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("68F948053F78FEF0D8F9FE7EF3A89819");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 66";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000040000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B605174CAB13AD8FE3B20DA3AE7B0234");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 67";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000020000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("CCAB8F0AEBFF032893996D383CBFDBFA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 68";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000010000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AF14BB8428C9730B7DC17B6C1CBEBCC8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 69";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000008000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5A41A21332040877EB7B89E8E80D19FE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 70";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000004000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AC1BA52EFCDDE368B1596F2F0AD893A0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 71";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000002000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("41B890E31B9045E6ECDC1BC3F2DB9BCC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 72";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000001000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4D54A549728E55B19A23660424A0F146");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 73";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000800000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A917581F41C47C7DDCFFD5285E2D6A61");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 74";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000400000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("604DF24BA6099B93A7405A524D764FCB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 75";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000200000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("78D9D156F28B190E232D1B7AE7FC730A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 76";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000100000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5A12C39E442CD7F27B3CD77F5D029582");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 77";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000080000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FF2BF2F47CF7B0F28EE25AF95DBF790D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 78";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000040000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1863BB7D193BDA39DF090659EB8AE48B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 79";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000020000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("38178F2FB4CFCF31E87E1ABCDC023EB5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 80";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000010000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F5B13DC690CC0D541C6BA533023DC8C9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 81";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000008000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("48EC05238D7375D126DC9D08884D4827");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 82";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000004000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("ACD0D81139691B310B92A6E377BACC87");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 83";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000002000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9A4AA43578B55CE9CC178F0D2E162C79");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 84";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000001000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("08AD94BC737DB3C87D49B9E01B720D81");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 85";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000800000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3BCFB2D5D210E8332900C5991D551A2A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 86";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000400000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C5F0C6B9397ACB29635CE1A0DA2D8D96");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 87";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000200000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("844A29EFC693E2FA9900F87FBF5DCD5F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 88";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000100000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5126A1C41051FEA158BE41200E1EA59D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 89";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000080000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("302123CA7B4F46D667FFFB0EB6AA7703");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 90";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000040000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A9D16BCE7DB5C024277709EE2A88D91A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 91";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000020000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F013C5EC123A26CFC34B598C992A996B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 92";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000010000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E38A825CD971A1D2E56FB1DBA248F2A8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 93";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000008000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6E701773C0311E0BD4C5A097406D22B3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 94";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000004000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("754262CEF0C64BE4C3E67C35ABE439F7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 95";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000002000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C9C2D4C47DF7D55CFA0EE5F1FE5070F4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 96";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000001000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6AB4BEA85B172573D8BD2D5F4329F13D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 97";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000800000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("11F03EF28E2CC9AE5165C587F7396C8C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 98";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000400000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0682F2EB1A68BAC7949922C630DD27FA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 99";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000200000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("ABB0FEC0413D659AFE8E3DCF6BA873BB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 100";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000100000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FE86A32E19F805D6569B2EFADD9C92AA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 101";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000080000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E434E472275D1837D3D717F2EECC88C3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 102";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000040000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("74E57DCD12A21D26EF8ADAFA5E60469A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 103";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000020000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C275429D6DAD45DDD423FA63C816A9C1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 104";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000010000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7F6EC1A9AE729E86F7744AED4B8F4F07");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 105";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000008000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("48B5A71AB9292BD4F9E608EF102636B2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 106";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000004000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("076FB95D5F536C78CBED3181BCCF3CF1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 107";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000002000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BFA76BEA1E684FD3BF9256119EE0BC0F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 108";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000001000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7D395923D56577F3FF8670998F8C4A71");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 109";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000800000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BA02C986E529AC18A882C34BA389625F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 110";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000400000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3DFCF2D882AFE75D3A191193013A84B5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 111";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000200000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FAD1FDE1D0241784B63080D2C74D236C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 112";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000100000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7D6C80D39E41F007A14FB9CD2B2C15CD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 113";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000080000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7975F401FC10637BB33EA2DB058FF6EC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 114";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000040000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("657983865C55A818F02B7FCD52ED7E99");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 115";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000020000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B32BEB1776F9827FF4C3AC9997E84B20");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 116";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000010000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2AE2C7C374F0A41E3D46DBC3E66BB59F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 117";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000008000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4D835E4ABDD4BDC6B88316A6E931A07F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 118";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000004000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E07EFABFF1C353F7384EBB87B435A3F3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 119";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000002000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("ED3088DC3FAF89AD87B4356FF1BB09C2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 120";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000001000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4324D01140C156FC898C2E32BA03FB05");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 121";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000800000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BE15D016FACB5BAFBC24FA9289132166");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 122";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000400000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AC9B7048EDB1ACF4D97A5B0B3F50884B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 123";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000200000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("448BECE1F86C7845DFA9A4BB2A016FB3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 124";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000100000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("10DD445E87686EB46EA9B1ABC49257F0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 125";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000080000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B7FCCF7659FA756D4B7303EEA6C07458");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 126";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000040000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("289117115CA3513BAA7640B1004872C2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 127";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000020000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("57CB42F7EE7186051F50B93FFA7B35BF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 128";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000010000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F2741BFBFB81663B9136802FB9C3126A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 129";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000008000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E32DDDC5C7398C096E3BD535B31DB5CE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 130";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000004000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("81D3C204E608AF9CC713EAEBCB72433F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 131";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000002000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D4DEEF4BFC36AAA579496E6935F8F98E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 132";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000001000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C356DB082B97802B038571C392C5C8F6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 133";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000800000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A3919ECD4861845F2527B77F06AC6A4E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 134";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000400000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A53858E17A2F802A20E40D44494FFDA0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 135";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000200000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5D989E122B78C758921EDBEEB827F0C0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 136";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000100000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4B1C0C8F9E7830CC3C4BE7BD226FA8DE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 137";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000080000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("82C40C5FD897FBCA7B899C70713573A1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 138";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000040000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("ED13EE2D45E00F75CCDB51EA8E3E36AD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 139";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000020000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F121799EEFE8432423176A3CCF6462BB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 140";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000010000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4FA0C06F07997E98271DD86F7B355C50");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 141";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000008000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("849EB364B4E81D058649DC5B1BF029B9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 142";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000004000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F48F9E0DE8DE7AD944A207809335D9B1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 143";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000002000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E59E9205B5A81A4FD26DFCF308966022");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 144";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000001000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3A91A1BE14AAE9ED700BDF9D70018804");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 145";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000800000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8ABAD78DCB79A48D79070E7DA89664EC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 146";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000400000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B68377D98AAE6044938A7457F6C649D9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 147";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000200000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E4E1275C42F5F1B63D662C099D6CE33D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 148";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000100000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7DEF32A34C6BE668F17DA1BB193B06EF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 149";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000080000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("78B6000CC3D30CB3A74B68D0EDBD2B53");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 150";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000040000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0A47531DE88DD8AE5C23EAE4F7D1F2D5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 151";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000020000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("667B24E8000CF68231EC484581D922E5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 152";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000010000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("39DAA5EBD4AACAE130E9C33236C52024");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 153";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000008000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E3C88760B3CB21360668A63E55BB45D1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 154";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000004000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F131EE903C1CDB49D416866FD5D8DE51");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 155";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000002000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7A1916135B0447CF4033FC13047A583A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 156";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000001000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F7D55FB27991143DCDFA90DDF0424FCB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 157";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000800000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EA93E7D1CA1111DBD8F7EC111A848C0C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 158";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000400000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2A689E39DFD3CBCBE221326E95888779");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 159";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000200000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C1CE399CA762318AC2C40D1928B4C57D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 160";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000100000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D43FB6F2B2879C8BFAF0092DA2CA63ED");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 161";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000080000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("224563E617158DF97650AF5D130E78A5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 162";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000040000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6562FDF6833B7C4F7484AE6EBCC243DD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 163";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000020000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("93D58BA7BED22615D661D002885A7457");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 164";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000010000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9A0EF559003AD9E52D3E09ED3C1D3320");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 165";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000008000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("96BAF5A7DC6F3DD27EB4C717A85D261C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 166";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000004000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B8762E06884900E8452293190E19CCDB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 167";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000002000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("785416A22BD63CBABF4B1789355197D3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 168";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000001000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A0D20CE1489BAA69A3612DCE90F7ABF6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 169";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000800000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("700244E93DC94230CC607FFBA0E48F32");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 170";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000400000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("85329E476829F872A2B4A7E59F91FF2D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 171";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000200000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E4219B4935D988DB719B8B8B2B53D247");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 172";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000100000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6ACDD04FD13D4DB4409FE8DD13FD737B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 173";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000080000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9EB7A670AB59E15BE582378701C1EC14");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 174";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000040000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("29DF2D6935FE657763BC7A9F22D3D492");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 175";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000020000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("99303359D4A13AFDBE6C784028CE533A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 176";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000010000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FF5C70A6334545F33B9DBF7BEA0417CA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 177";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000008000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("289F58A17E4C50EDA4269EFB3DF55815");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 178";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000004000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EA35DCB416E9E1C2861D1682F062B5EB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 179";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000002000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3A47BF354BE775383C50B0C0A83E3A58");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 180";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000001000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BF6C1DC069FB95D05D43B01D8206D66B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 181";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000800");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("046D1D580D5898DA6595F32FD1F0C33D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 182";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000400");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5F57803B7B82A110F7E9855D6A546082");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 183";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000200");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("25336ECF34E7BE97862CDFF715FF05A8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 184";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000100");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("ACBAA2A943D8078022D693890E8C4FEF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 185";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000080");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3947597879F6B58E4E2F0DF825A83A38");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 186";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000040");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4EB8CC3335496130655BF3CA570A4FC0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 187";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000020");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BBDA7769AD1FDA425E18332D97868824");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 188";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000010");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5E7532D22DDB0829A29C868198397154");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 189";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000008");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E66DA67B630AB7AE3E682855E1A1698E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 190";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000004");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4D93800F671B48559A64D1EA030A590A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 191";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000002");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F33159FCC7D9AE30C062CD3B322AC764");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 192";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("000000000000000000000000000000000000000000000001");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8BAE4EFB70D33A9792EEA9BE70889D72");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.h
new file mode 100644
index 00000000..83eeccb9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes192Encryptor_TestClass.h
@@ -0,0 +1,30 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes192Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes192Encryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.cpp
new file mode 100644
index 00000000..a9673884
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.cpp
@@ -0,0 +1,570 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes256CbcEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes256CbcEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes256CbcEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] END" << std::endl;
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes256CbcEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes256CbcEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 32;
+			if (tc::crypto::Aes256CbcEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes256CbcEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CbcEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CbcEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes256Cbc(data.data(), test->plaintext.data(), data.size(), test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes256Cbc(data.data(), test->ciphertext.data(), data.size(), test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes256CbcEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CbcEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256CbcEncryptor::kKeySize-1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256CbcEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256CbcEncryptor::kKeySize+1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256CbcEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), nullptr, tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where iv==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes256CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes256CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CbcEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes256CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes256CbcEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes256CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes256CbcEncryptor::kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256CbcEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CbcEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes256CbcEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes256CbcEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes256CbcEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes256CbcEncryptor::kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CbcEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes256CbcEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4");
+
+	tmp.test_name  = "Test 1";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090A0B0C0D0E0F");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("f58c4c04d6e5f1ba779eabfb5f7bfbd6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("F58C4C04D6E5F1BA779EABFB5F7BFBD6");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9cfc4e967edb808d679f777bc6702c7d");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("9CFC4E967EDB808D679F777BC6702C7D");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("39f23369a9d9bacfa530e26304231461");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("39F23369A9D9BACFA530E26304231461");
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("b2eb05e2c39be9fcda6c19078c6a9d1b");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.iv         = tc::cli::FormatUtil::hexStringToBytes("000102030405060708090A0B0C0D0E0F");
+	tmp.plaintext  = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.h
new file mode 100644
index 00000000..6d2c19eb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256CbcEncryptor_TestClass.h
@@ -0,0 +1,33 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes256CbcEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData iv;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes256CbcEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.cpp
new file mode 100644
index 00000000..7b569183
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.cpp
@@ -0,0 +1,543 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes256CtrEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes256CtrEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes256CtrEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] END" << std::endl;
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes256CtrEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes256CtrEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 32;
+			if (tc::crypto::Aes256CtrEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes256CtrEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CtrEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size(), test->block_number);
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CtrEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size(), test->block_number);
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes256Ctr(data.data(), test->plaintext.data(), data.size(), test->block_number, test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes256Ctr(data.data(), test->ciphertext.data(), data.size(), test->block_number, test->key.data(), test->key.size(), test->iv.data(), test->iv.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes256CtrEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CtrEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256CtrEncryptor::kKeySize-1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256CtrEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256CtrEncryptor::kKeySize+1, tests[0].iv.data(), tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256CtrEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), nullptr, tests[0].iv.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where iv==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes256CtrEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tc::crypto::Aes256CtrEncryptor::kBlockSize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where iv_size==kBlockSize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CtrEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size(), 0);
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256CtrEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256CtrEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size(), tests[0].iv.data(), tests[0].iv.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size(), 0);
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256CtrEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes256CtrEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4");
+	tmp.iv  = tc::cli::FormatUtil::hexStringToBytes("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+
+	tmp.test_name  = "Test 1";
+	tmp.block_number = 0;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("601ec313775789a5b7a7f504bbf3d228");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.block_number = 1;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("f443e3ca4d62b59aca84e990cacaf5c5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.block_number = 2;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2b0930daa23de94ce87017ba2d84988d");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.block_number = 3;
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("dfc9c58db67aada613c2dd08457941a6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.block_number = 0;
+	tmp.plaintext  = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.h
new file mode 100644
index 00000000..dbe7055c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256CtrEncryptor_TestClass.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes256CtrEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData iv;
+		uint64_t block_number;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes256CtrEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.cpp
new file mode 100644
index 00000000..29301415
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.cpp
@@ -0,0 +1,523 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes256EcbEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes256EcbEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes256EcbEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] END" << std::endl;
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes256EcbEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes256EcbEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 32;
+			if (tc::crypto::Aes256EcbEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes256EcbEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256EcbEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256EcbEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				tc::crypto::EncryptAes256Ecb(data.data(), test->plaintext.data(), data.size(), test->key.data(), test->key.size());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				tc::crypto::DecryptAes256Ecb(data.data(), test->ciphertext.data(), data.size(), test->key.data(), test->key.size());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes256EcbEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256EcbEncryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256EcbEncryptor::kKeySize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256EcbEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256EcbEncryptor::kKeySize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256EcbEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256EcbEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), tc::crypto::Aes256EcbEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes256EcbEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256EcbEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256EcbEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), tc::crypto::Aes256EcbEncryptor::kBlockSize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==tc::crypto::Aes256EcbEncryptor::kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256EcbEncryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes256EcbEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Test vectors taken from NIST SP 800-38A
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4");
+
+	tmp.test_name  = "Test 1";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("6bc1bee22e409f96e93d7e117393172a");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("f3eed1bdb5d2a03c064b5a7e3db181f8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 2";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("ae2d8a571e03ac9c9eb76fac45af8e51");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("591ccb10d410ed26dc5ba74a31362870");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 3";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("30c81c46a35ce411e5fbc1191a0a52ef");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("b6ed21b99ca6f4f9f153e7b1beafed1d");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Test 4";
+	tmp.plaintext  = tc::cli::FormatUtil::hexStringToBytes("f69f2445df4f9b17ad2b417be66c3710");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("23304b7a39f9f3ff067d8d8f9e24ecc7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name  = "Tests 1-4";
+	tmp.plaintext = tc::ByteData(test_cases[0].plaintext.size() * 4, false);
+	tmp.ciphertext = tc::ByteData(tmp.plaintext.size(), false);
+	for (size_t i = 0; i < 4; i++)
+	{
+		memcpy(tmp.plaintext.data() + (i * 0x10), test_cases[i].plaintext.data(), test_cases[i].plaintext.size());
+		memcpy(tmp.ciphertext.data() + (i * 0x10), test_cases[i].ciphertext.data(), test_cases[i].ciphertext.size());
+	}
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.h
new file mode 100644
index 00000000..2781a435
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256EcbEncryptor_TestClass.h
@@ -0,0 +1,32 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes256EcbEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+	
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes256EcbEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.cpp
new file mode 100644
index 00000000..52f5c855
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.cpp
@@ -0,0 +1,1656 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include <mbedtls/aes.h>
+
+#include "crypto_Aes256Encryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/AesEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes256Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes256Encryptor] END" << std::endl;
+}
+
+void crypto_Aes256Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes256Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes256Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 32;
+			if (tc::crypto::Aes256Encryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes256Encryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());	
+
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// encrypt data
+				cryptor.encrypt(data.data(), test->plaintext.data());
+				
+				// validate cipher text
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key.data(), test->key.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// decrypt data
+				cryptor.decrypt(data.data(), test->ciphertext.data());
+
+				// test plain text			
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes256Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, tc::crypto::Aes256Encryptor::kBlockSize).pullData(0, tc::crypto::Aes256Encryptor::kBlockSize);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data());
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256Encryptor cryptor;
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key.size());
+				throw tc::Exception("Failed to throw ArgumentNullException where key==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256Encryptor::kKeySize-1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256Encryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key.data(), tc::crypto::Aes256Encryptor::kKeySize+1);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key_size==tc::crypto::Aes256Encryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256Encryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256Encryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data());
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256Encryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256Encryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_TestCases(tests);
+
+			tc::crypto::Aes256Encryptor cryptor;
+
+			cryptor.initialize(tests[0].key.data(), tests[0].key.size());
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data());
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data());
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256Encryptor_TestClass::util_Setup_TestCases(std::vector<crypto_Aes256Encryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// Variable Key Known Answer Tests
+	// taken from "ecb_vk.txt" from https://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+	tmp.plaintext = tc::cli::FormatUtil::hexStringToBytes("00000000000000000000000000000000");
+
+	tmp.test_name = "Variable Key Known Answer Test 1";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("8000000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E35A6DCB19B201A01EBCFA8AA22B5759");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 2";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("4000000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5075C2405B76F22F553488CAE47CE90B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 3";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("2000000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("49DF95D844A0145A7DE01C91793302D3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 4";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("1000000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E7396D778E940B8418A86120E5F421FE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 5";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0800000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("05F535C36FCEDE4657BE37F4087DB1EF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 6";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0400000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D0C1DDDD10DA777C68AB36AF51F2C204");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 7";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0200000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1C55FB811B5C6464C4E5DE1535A75514");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 8";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0100000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("52917F3AE957D5230D3A2AF57C7B5A71");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 9";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0080000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C6E3D5501752DD5E9AEF086D6B45D705");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 10";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0040000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A24A9C7AF1D9B1E17E1C9A3E711B3FA7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 11";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0020000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B881ECA724A6D43DBC6B96F6F59A0D20");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 12";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0010000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EC524D9A24DFFF2A9639879B83B8E137");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 13";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0008000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("34C4F345F5466215A037F443635D6F75");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 14";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0004000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5BA5055BEDB8895F672E29F2EB5A355D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 15";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0002000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B3F692AA3A435259EBBEF9B51AD1E08D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 16";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0001000000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("414FEB4376F2C64A5D2FBB2ED531BA7D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 17";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000800000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A20D519E3BCA3303F07E81719F61605E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 18";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000400000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A08D10E520AF811F45BD60A2DC0DC4B1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 19";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000200000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B06893A8C563C430E6F3858826EFBBE4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 20";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000100000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0FFEE26AE2D3929C6BD9C6BEDFF84409");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 21";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000080000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4D0F5E906ED77801FC0EF53EDC5F9E2B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 22";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000040000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8B6EC00119AD8B026DCE56EA7DEFE930");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 23";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000020000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("69026591D43363EE9D83B5007F0B484E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 24";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000010000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("27135D86950C6A2F86872706279A4761");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 25";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000008000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("35E6DB8723F281DA410C3AC8535ED77C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 26";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000004000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("57427CF214B8C28E4BBF487CCB8D0E09");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 27";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000002000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6DF01BF56E5131AC87F96E99CAB86367");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 28";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000001000000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3856C5B55790B768BBF7D43031579BCF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 29";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000800000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1E6ED8FB7C15BC4D2F63BA7037ED44D0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 30";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000400000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E1B2ED6CD8D93D455534E401156D4BCF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 31";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000200000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EFBCCA5BDFDAD10E875F02336212CE36");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 32";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000100000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0B777F02FD18DCE2646DCFE868DFAFAD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 33";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000080000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C8A104B5693D1B14F5BF1F10100BF508");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 34";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000040000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4CCE6615244AFCB38408FECE219962EA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 35";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000020000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F99E7845D3A255B394C9C050CBA258B1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 36";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000010000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B4AFBB787F9BCFB7B55FDF447F611295");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 37";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000008000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AE1C426A697FAF2808B7EF6ADDB5C020");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 38";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000004000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7572F92811A85B9BDD38DEAD9945BCAE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 39";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000002000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("71BC7AA46E43FB95A181527D9F6A360F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 40";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000001000000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5542EF2923066F1EC8F546DD0D8E7CA8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 41";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000800000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6B92317C7D623790B748FDD7EFC42422");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 42";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000400000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0FE7C097E899C71EF045360F8D6C25CF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 43";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000200000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4ECE7EE107D0264D04693151C25B9DF6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 44";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000100000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FD6AE687CBFCA9E301045888D3BB9605");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 45";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000080000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("476B579C8556C7254424902CC1D6D36E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 46";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000040000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4133CBCDFDD6B8860A1FC18665D6D71B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 47";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000020000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3B36EC2664798C108B816812C65DFDC7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 48";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000010000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("364E20A234FEA385D48DC5A09C9E70CF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 49";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000008000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4A4BA25969DE3F5EE5642C71AAD0EFD1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 50";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000004000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E42CBAAE43297F67A76C1C501BB79E36");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 51";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000002000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("23CEDEDA4C15B4C037E8C61492217937");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 52";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000001000000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A1719147A1F4A1A1180BD16E8593DCDE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 53";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000800000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AB82337E9FB0EC60D1F25A1D0014192C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 54";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000400000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("74BF2D8FC5A8388DF1A3A4D7D33FC164");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 55";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000200000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D5B493317E6FBC6FFFD664B3C491368A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 56";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000100000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BA767381586DA56A2A8D503D5F7ADA0B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 57";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000080000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E8E6BC57DFE9CCADB0DECABF4E5CF91F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 58";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000040000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3C8E5A5CDC9CEED90815D1F84BB2998C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 59";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000020000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("283843020BA38F056001B2FD585F7CC9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 60";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000010000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D8ADC7426F623ECE8741A70621D28870");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 61";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000008000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D7C5C215592D06F00E6A80DA69A28EA9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 62";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000004000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("52CF6FA433C3C870CAC70190358F7F16");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 63";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000002000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F63D442A584DA71786ADEC9F3346DF75");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 64";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000001000000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("549078F4B0CA7079B45F9A5ADAFAFD99");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 65";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000800000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F2A5986EE4E9984BE2BAFB79EA8152FA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 66";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000400000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8A74535017B4DB2776668A1FAE64384C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 67";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000200000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E613342F57A97FD95DC088711A5D0ECD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 68";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000100000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3FFAEBF6B22CF1DC82AE17CD48175B01");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 69";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000080000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BAFD52EFA15C248CCBF9757735E6B1CE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 70";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000040000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7AF94BC018D9DDD4539D2DD1C6F4000F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 71";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000020000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FE177AD61CA0FDB281086FBA8FE76803");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 72";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000010000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("74DBEA15E2E9285BAD163D7D534251B6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 73";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000008000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("23DD21331B3A92F200FE56FF050FFE74");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 74";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000004000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A69C5AA34AB20A858CAFA766EACED6D8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 75";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000002000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3F72BB4DF2A4F941A4A09CB78F04B97A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 76";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000001000000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("72CC43577E1FD5FD14622D24D97FCDCC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 77";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000800000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D83AF8EBE93E0B6B99CAFADE224937D1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 78";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000400000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("44042329128D56CAA8D084C8BD769D1E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 79";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000200000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("14102D72290DE4F2C430ADD1ED64BA1D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 80";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000100000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("449124097B1ECD0AE7065206DF06F03C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 81";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000080000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D060A99F8CC153A42E11E5F97BD7584A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 82";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000040000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("65605B3EA9261488D53E48602ADEA299");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 83";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000020000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C5E5CAD7A208DE8EA6BE049EFE5C7346");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 84";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000010000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4C280C46D2181646048DD5BC0C0831A5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 85";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000008000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5DD65CF37F2A0929559AABAFDA08E730");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 86";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000004000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("31F2335CAAF264172F69A693225E6D22");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 87";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000002000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3E28B35F99A72662590DA96426DD377F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 88";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000001000000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("570F40F5D7B20441486578ED344343BE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 89";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000800000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C54308AD1C9E3B19F8B7417873045A8C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 90";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000400000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("CBF335E39CE13ADE2B696179E8FD0CE1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 91";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000200000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9C2FBF422355D8293083D51F4A3C18A9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 92";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000100000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5ED8B5A31ECEFAB16C9AA6986DA67BCE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 93";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000080000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("627815DCFC814ABC75900041B1DD7B59");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 94";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000040000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9EF3E82A50A59F166260494F7A7F2CC3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 95";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000020000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("878CD0D8D920888B5935D6C351128737");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 96";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000010000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E44429474D6FC3084EB2A6B8B46AF754");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 97";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000008000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EBAACF9641D54E1FB18D0A2BE4F19BE5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 98";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000004000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("13B3BF497CEE780E123C7E193DEA3A01");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 99";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000002000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6E8F381DE00A41161F0DF03B4155BFD4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 100";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000001000000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("35E4F29BBA2BAE01144910783C3FEF49");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 101";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000800000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("55B17BD66788CEAC366398A31F289FFB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 102";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000400000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("11341F56C0D6D1008D28741DAA7679CE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 103";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000200000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4DF7253DF421D83358BDBE924745D98C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 104";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000100000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BAE2EE651116D93EDC8E83B5F3347BE1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 105";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000080000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F9721ABD06709157183AF3965A659D9D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 106";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000040000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("19A1C252A613FE2860A4AE6D75CE6FA3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 107";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000020000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B5DDB2F5D9752C949FBDE3FFF5556C6E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 108";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000010000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("81B044FCFFC78ECCFCD171AAD0405C66");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 109";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000008000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C640566D3C06020EB2C42F1D62E56A9B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 110";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000004000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EA6C4BCF425291679FDFFD26A424FBCC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 111";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000002000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("57F6901465D9440D9F15EE2CBA5A4090");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 112";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000001000000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FBCFA74CADC7406260F63D96C8AAB6B1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 113";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000800000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DFF4F096CEA211D4BBDACA033D0EC7D1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 114";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000400000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1EE5190D551F0F42F675227A381296A9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 115";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000200000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F98E1905012E580F097623C10B93054F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 116";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000100000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E7D43743D21DD3C9F168C86856558B9A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 117";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000080000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("632A9DDA730DAB67593C5D08D8AC1059");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 118";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000040000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E084317000715B9057BC9DE9F3AB6124");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 119";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000020000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("61F9EF33A0BB4E666C2ED99101919FAB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 120";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000010000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6DC1D68A11834657D46703C22578D59A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 121";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000008000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("53AC1548863D3D16F1D4DC7242E05F2C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 122";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000004000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E82CD587A408306AD78CEAE0916B9F8C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 123";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000002000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0FD2D40EA6AD17A3A767F0A8600D6295");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 124";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000001000000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AD84CC8255ADB39DFCA23F92761AE7E9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 125";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000800000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F4F20CF7D51BEE7DA024A2B11A7ECA0B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 126";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000400000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5057691B85D9CE93A193214DB0A016B6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 127";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000200000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0F58C960876390BDEF4BB6BE95CAA1EE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 128";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000100000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9A3E66EEBC21BC0BD9430B341EF465FA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 129";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000080000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("20415035F34B8BCBCB28ABF07F78F0D4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 130";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000040000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AC89FC7BA10479EBF10DE65BCEF89B3C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 131";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000020000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("068FA75A30BE443171AF3F6FEB1A20D2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 132";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000010000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("50E02F213246C525A8C27700CA34B502");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 133";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000008000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("227DA47D5A0906DB3AB042BB0A695FB6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 134";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000004000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8663AC30ED12514F1DE46777F4514BFC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 135";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000002000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A987D4BC12E1DE9F4B6DF43567C34A8B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 136";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000001000000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6D5A0370F599ACA605F63B04E5143D0C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 137";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000800000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9809266E378B07B7AFDB3BAA97B7E442");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 138";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000400000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8F753252B30CCCACE12D9A301F4D5090");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 139";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000200000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("032465F6C0CE34D41962F561692A1AFF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 140";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000100000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C50E9AD5BEB8F3B00821DD47FF8AC093");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 141";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000080000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9C6FEA3D46268D54A6829B2AD25BB276");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 142";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000040000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0FD8575E87706F561343D7B3A41E044A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 143";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000020000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BEE9BEB3739540D88CBCE77925F0A114");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 144";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000010000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D24EAEE7FFFBAC3D6F26C2DCE0DCDE28");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 145";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000008000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("47771A90398FF0F7FA821C2F8F5E1398");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 146";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000004000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4639741B6F84B135AD118C8249B64ED0");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 147";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000002000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8EE5505EC85567697A3306F250A27720");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 148";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000001000000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7C8A19AC1AEFBC5E0119D91A5F05D4C2");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 149";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000800000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5141B9B672E54773B672E3A6C424887B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 150";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000400000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B5A2D3CD206653C6402F34FB0AE3613D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 151";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000200000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0F5BD9408738231D114B0A82753279A3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 152";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000100000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FEF033FF4268EA487FC74C5E43A45338");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 153";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000080000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A3EDC09DCD529B113910D904AD855581");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 154";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000040000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AB8FBB6F27A0AC7C55B59FDD36B72F1C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 155";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000020000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EEA44D5ED4D769CC930CD83D8999EC46");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 156";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000010000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6972276803AE9AA7C6F431AB10979C34");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 157";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000008000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("86DEAA9F39244101818178474D7DBDE9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 158";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000004000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("88C6B466EA361D662D8D08CBF181F4FE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 159";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000002000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("91AB2C6B7C63FF59F7CBEEBF91B20B95");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 160";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000001000000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2DFE6C146AD5B3D8C3C1718F13B48E01");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 161";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000800000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C7CFF1623451711391A302EEC3584AAA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 162";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000400000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("089FE845CC05011686C66019D18BE050");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 163";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000200000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("08C8410B9B427211A67124B0DCCEAD48");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 164";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000100000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8D91592F5566085254784606334D7629");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 165";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000080000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3298FEAAF2E1201D6299FF8846639C97");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 166";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000040000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C497CB9F0BDFE0EFC8C2F3F90760AA72");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 167";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000020000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2788AFD046E0309CBE4424690DA2AB89");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 168";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000010000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E9891707F25EF29FEE372890D4258982");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 169";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000008000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DB041D94A23D45D4D4DCED5A030CAF61");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 170";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000004000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("FFAFDBF0ECB18DF9EA02C27077448E6D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 171";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000002000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2DAAA42A7D0A1D3B0E4761D99CF2150A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 172";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000001000000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3B7A54CB7CF30ABE263DD6ED5BFE8D63");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 173";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000800000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EEFA090174C590C448A55D43648F534A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 174";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000400000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9E15798731ED42F43EA2740A691DA872");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 175";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000200000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("31FBD661540A5DEAAD1017CFD3909EC8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 176";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000100000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("CDA9AE05F224140E28CB951721B44D6A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 177";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000080000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0C5BC512C60A1EAC3434EFB1A8FBB182");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 178";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000040000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("AA863610DEEEEB62D045E87EA30B59B5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 179";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000020000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6AC2448DE568D279C7EEBE1DF403920C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 180";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000010000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E2011E3D292B26888AE801215FD0CB40");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 181";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000008000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E06F3E15EE3A61672D1C99BADE5B9DBE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 182";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000004000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BB7027F0548CF6712CEB4C7A4B28E178");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 183";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000002000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("061EC21FB70FADBDF87C3BD2AE23825B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 184";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000001000000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("4C21F26FE94ABBAC381352375314C3EB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 185";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000800000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F7CEE6DD99909C2B569EEDA61ED8942E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 186";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000400000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("CE98C4A876C65E4CCB261EBB1D9DF7F5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 187";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000200000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A5491881CF833C3604ABC08044F402AC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 188";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000100000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A1BA16E64CCCB3087D57A768507B0BFC");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 189";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000080000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D55951E202D2949EBD3BE43120C738BF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 190";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000040000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EBB8E43069E69F450EFEC65DCD52B7FD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 191";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000020000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2B292135663B4AA5ABFE9423D57E7EE9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 192";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000010000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E91BF974B3BE3AD966249D8655292A85");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 193";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000008000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("384365998EAA9562236CC58F6ADF9610");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 194";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000004000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("C2E997012AA3D4D8D359C9A947CBE69F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 195";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000002000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F49421204148BA213BE87E2D5C22B0BF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 196";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000001000000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("82ED0ED9953AA92E4DF30929CA65C00F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 197";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000800000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("291EB1D11653C8479437C74A977F5106");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 198";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000400000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("BCB997B1939B8983ABD550D6025683E3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 199";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000200000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1FBA2592C6F489775CAADA71F9B983E9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 200";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000100000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("969F66F217AF1A3DB9E41C1B29039824");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 201";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000080000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A54BB7D6B17E423AC0A7744C19073CB8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 202";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000040000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B0AC6E6578D1021F47DCF9748A32EAD5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 203";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000020000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B87B361C3B7B194C77A4358D4669153E");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 204";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000010000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("46A133847F96EAA8282A799DC8899D58");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 205";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000008000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2265EC3A9F2D5C9547A091CC8CFB18EA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 206";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000004000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("54CBF3A6FC4FE56D426117AA1FFD1DDE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 207";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000002000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5312877CCEAB6CFB0905394A370A8003");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 208";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000001000000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7190BD6EC613FE38B84ECFE28F702FE4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 209";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000800000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D1FA5B9CA89A43B04C05F0EF29EF68CD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 210";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000400000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("808285751548ED934FD1056D2D9AE8BA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 211";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000200000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2758DEF3E7B95A9AE89777BE64D5A6CF");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 212";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000100000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("07D81F87DB3E0ACC82B01E08FB22F3C1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 213";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000080000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8DA250E5553D650711A75EE1CB4FD1C7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 214";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000040000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("A93D946BD0E87F32719DF5F158CEE669");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 215";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000020000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("03945236EC2A4D4EAF30B8ABEB54330D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 216";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000010000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("11CC35301F24B79DDE31AEA2D1354F88");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 217";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000008000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E73715B3E8D9A290F44AE6FFBF247E5D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 218";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000004000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("7345E07732B71CB158BBF64CCA5C5B96");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 219";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000002000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6E128F296D24705A1924FD9B70C4ED04");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 220";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000001000000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("95A789776F036783FBD330947083F54F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 221";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000800000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("360DEC2533EA4AA2E3E54FD3DE2906EB");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 222";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000400000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E68EFD7FECF4D601EA22727BD764965B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 223";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000200000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9065C64A8BFF44AC33EDBB611CF83D7B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 224";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000100000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8F33C8DF2A7A51CE8090E8F123BC3723");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 225";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000080000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("807F391FFBA8291BA625623210F99018");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 226";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000040000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5E8B3F3A701522CE5CAA761C929D6292");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 227";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000020000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("3BA404DC38735A78289E3809E8364835");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 228";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000010000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D23BEDBAD229F8305DC425B6B759DCC9");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 229";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000008000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("44880F21CF5913040AE376AEE2A10AD8");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 230";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000004000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("9BC98E29D057C0E828C3B5CCE69256C1");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 231";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000002000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B293CC7A975DA141A68279368057CC41");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 232";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000001000000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("8D60FB87ACD91385B313BE5F1D7BD30F");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 233";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000800000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2C8E56132D70291B303C48FDF75543CD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 234";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000400000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D1F80035B826791F6CE4E59B7DB1BB0D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 235";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000200000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("42CE6224FC36469339A133DD08173BD4");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 236";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000100000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("61817155EA41BCBA2AF7F06AE7CBF585");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 237";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000080000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D1923A9866068D2EF5FB77D57C3315B6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 238";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000040000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("B37CBDB5D719F49691CA968EF2E84140");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 239";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000020000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EC974E653A055D7F8F22171030F68E1D");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 240";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000010000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("DDE5D3B9AAD9C32213BB3675A822499C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 241";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000008000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D3B6E9216EA1AE57EB1C628A3C38AB78");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 242";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000004000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("82C99ECC69472B7E96324B042AE8B87A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 243";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000002000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("97144DC5338C43600F84439C0AA0D147");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 244";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000001000");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("400AC4A0BBADA1DB2121EB144C7E5209");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 245";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000800");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("EFD9D550EB419ED278F4885A490AB54C");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 246";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000400");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("2AB7816E149B7C0404C88A8857793670");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 247";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000200");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("5B591DFF9E8DEE15BAD24C025DBCA481");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 248";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000100");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("0C06633E30721C3749F49AD8CBF2B754");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 249";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000080");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("96D6D31A41B5123B2035FD91A921D4CA");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 250";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000040");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E7F6C34D86668BC2805CA7793C5E86AD");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 251";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000020");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("F46DFF5FF500D6879C4D3E45CF0CF0F3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 252";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000010");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("60D842D9C61DA7495C116197B7CECBBE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 253";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000008");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("D45B24EDB673353EBDF248B8FA06B67A");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 254";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000004");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("119EAEBCC165D0BD02C0D35DC82EF992");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 255";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000002");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("E673143680414ADA301D0ED34626B9FE");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "Variable Key Known Answer Test 256";
+	tmp.key = tc::cli::FormatUtil::hexStringToBytes("0000000000000000000000000000000000000000000000000000000000000001");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("6B6CFE160A6263631B292F879EEFF926");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.h
new file mode 100644
index 00000000..fb79da93
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256Encryptor_TestClass.h
@@ -0,0 +1,30 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes256Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_TestCases(std::vector<crypto_Aes256Encryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.cpp
new file mode 100644
index 00000000..f429044b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.cpp
@@ -0,0 +1,575 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Aes256XtsEncryptor_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Aes256XtsEncryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Aes256XtsEncryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassEnc();
+	test_UseClassDec();
+	test_UseUtilFuncEnc();
+	test_UseUtilFuncDec();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptThrowsExceptionOnBadInput();
+	test_DecryptThrowsExceptionOnBadInput();
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] END" << std::endl;
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 16;
+			if (tc::crypto::Aes256XtsEncryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Aes256XtsEncryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check key size
+			static const size_t kExpectedKeySize = 32;
+			if (tc::crypto::Aes256XtsEncryptor::kKeySize != kExpectedKeySize)
+			{
+				ss << "kKeySize had value " << std::dec << tc::crypto::Aes256XtsEncryptor::kKeySize << " (expected " << kExpectedKeySize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes256XtsEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test encryption
+				cryptor.encrypt(data.data(), test->plaintext.data(), data.size(), test->data_unit_sequence_number);				
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes256XtsEncryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// initialize key
+				cryptor.initialize(test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				cryptor.decrypt(data.data(), test->ciphertext.data(), data.size(), test->data_unit_sequence_number);				
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test encryption
+				tc::crypto::EncryptAes256Xts(data.data(), test->plaintext.data(), data.size(), test->data_unit_sequence_number, test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				if (memcmp(data.data(), test->ciphertext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->ciphertext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->plaintext.size());
+
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				tc::crypto::DecryptAes256Xts(data.data(), test->ciphertext.data(), data.size(), test->data_unit_sequence_number, test->key1.data(), test->key1.size(), test->key2.data(), test->key2.size(), test->data_unit, true);
+				if (memcmp(data.data(), test->plaintext.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->plaintext, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			tc::crypto::Aes256XtsEncryptor cryptor;
+
+			// create data
+			tc::ByteData control_data = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData data = tc::ByteData(control_data.data(), control_data.size());
+
+			if (cryptor.sector_size() != 0)
+			{
+				ss << "Failed: sector_size() reported a non-zero answer when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to decrypt without calling initialize()
+			cryptor.decrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			cryptor.encrypt(data.data(), data.data(), data.size(), 0);
+
+			// test plain text			
+			if (memcmp(data.data(), control_data.data(), data.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on data when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes256XtsEncryptor cryptor;
+
+			// reference initialize call
+			//cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+
+			try {
+				cryptor.initialize(nullptr, tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentNullException where key1==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), 0, tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key1_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tc::crypto::Aes256XtsEncryptor::kKeySize-1, tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key1_size==tc::crypto::Aes256XtsEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tc::crypto::Aes256XtsEncryptor::kKeySize+1, tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key1_size==tc::crypto::Aes256XtsEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), nullptr, tests[0].key2.size(), tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentNullException where key2==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), 0, tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key2_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tc::crypto::Aes256XtsEncryptor::kKeySize-1, tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key2_size==tc::crypto::Aes256XtsEncryptor::kKeySize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tc::crypto::Aes256XtsEncryptor::kKeySize+1, tests[0].data_unit, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where key2_size==tc::crypto::Aes256XtsEncryptor::kKeySize+1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), 0, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where sector_size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tc::crypto::Aes256XtsEncryptor::kBlockSize-1, true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where sector_size==kBlockSize-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_EncryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_EncryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes256XtsEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].plaintext.data(), data.size(), 0);
+
+			try {
+				cryptor.encrypt(nullptr, tests[0].plaintext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.encrypt(data.data(), tests[0].plaintext.data(), cryptor.sector_size()-1, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==cryptor.sector_size()-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::test_DecryptThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Aes256XtsEncryptor] test_DecryptThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_IEEE1619_2007_TestCases(tests);
+
+			tc::crypto::Aes256XtsEncryptor cryptor;
+
+			cryptor.initialize(tests[0].key1.data(), tests[0].key1.size(), tests[0].key2.data(), tests[0].key2.size(), tests[0].data_unit, true);
+
+			tc::ByteData data = tc::ByteData(tests[0].plaintext.size());
+
+			// reference decrypt call
+			//cryptor.decrypt(data.data(), tests[0].ciphertext.data(), data.size(), 0);
+
+			try {
+				cryptor.decrypt(nullptr, tests[0].ciphertext.data(), data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where dst==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), nullptr, data.size(), 0);
+				throw tc::Exception("Failed to throw ArgumentNullException where src==nullptr");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].ciphertext.data(), 0, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==0");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.decrypt(data.data(), tests[0].plaintext.data(), cryptor.sector_size()-1, 0);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where size==cryptor.sector_size()-1");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Aes256XtsEncryptor_TestClass::util_Setup_IEEE1619_2007_TestCases(std::vector<crypto_Aes256XtsEncryptor_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	// XTS-AES-256 applied for a data unit of 512 bytes
+	tmp.data_unit = 512;
+
+	tmp.test_name = "IEEE 1619-2007 Vector 10";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("2718281828459045235360287471352662497757247093699959574966967627");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("3141592653589793238462643383279502884197169399375105820974944592");
+	tmp.data_unit_sequence_number = 0xff;
+	tmp.plaintext =  tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("1c3b3a102f770386e4836c99e370cf9bea00803f5e482357a4ae12d414a3e63b5d31e276f8fe4a8d66b317f9ac683f44680a86ac35adfc3345befecb4bb188fd5776926c49a3095eb108fd1098baec70aaa66999a72a82f27d848b21d4a741b0c5cd4d5fff9dac89aeba122961d03a757123e9870f8acf1000020887891429ca2a3e7a7d7df7b10355165c8b9a6d0a7de8b062c4500dc4cd120c0f7418dae3d0b5781c34803fa75421c790dfe1de1834f280d7667b327f6c8cd7557e12ac3a0f93ec05c52e0493ef31a12d3d9260f79a289d6a379bc70c50841473d1a8cc81ec583e9645e07b8d9670655ba5bbcfecc6dc3966380ad8fecb17b6ba02469a020a84e18e8f84252070c13e9f1f289be54fbc481457778f616015e1327a02b140f1505eb309326d68378f8374595c849d84f4c333ec4423885143cb47bd71c5edae9be69a2ffeceb1bec9de244fbe15992b11b77c040f12bd8f6a975a44a0f90c29a9abc3d4d893927284c58754cce294529f8614dcd2aba991925fedc4ae74ffac6e333b93eb4aff0479da9a410e4450e0dd7ae4c6e2910900575da401fc07059f645e8b7e9bfdef33943054ff84011493c27b3429eaedb4ed5376441a77ed43851ad77f16f541dfd269d50d6a5f14fb0aab1cbb4c1550be97f7ab4066193c4caa773dad38014bd2092fa755c824bb5e54c4f36ffda9fcea70b9c6e693e148c151");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 11";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("2718281828459045235360287471352662497757247093699959574966967627");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("3141592653589793238462643383279502884197169399375105820974944592");
+	tmp.data_unit_sequence_number = 0xffff;
+	tmp.plaintext =  tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("77a31251618a15e6b92d1d66dffe7b50b50bad552305ba0217a610688eff7e11e1d0225438e093242d6db274fde801d4cae06f2092c728b2478559df58e837c2469ee4a4fa794e4bbc7f39bc026e3cb72c33b0888f25b4acf56a2a9804f1ce6d3d6e1dc6ca181d4b546179d55544aa7760c40d06741539c7e3cd9d2f6650b2013fd0eeb8c2b8e3d8d240ccae2d4c98320a7442e1c8d75a42d6e6cfa4c2eca1798d158c7aecdf82490f24bb9b38e108bcda12c3faf9a21141c3613b58367f922aaa26cd22f23d708dae699ad7cb40a8ad0b6e2784973dcb605684c08b8d6998c69aac049921871ebb65301a4619ca80ecb485a31d744223ce8ddc2394828d6a80470c092f5ba413c3378fa6054255c6f9df4495862bbb3287681f931b687c888abf844dfc8fc28331e579928cd12bd2390ae123cf03818d14dedde5c0c24c8ab018bfca75ca096f2d531f3d1619e785f1ada437cab92e980558b3dce1474afb75bfedbf8ff54cb2618e0244c9ac0d3c66fb51598cd2db11f9be39791abe447c63094f7c453b7ff87cb5bb36b7c79efb0872d17058b83b15ab0866ad8a58656c5a7e20dbdf308b2461d97c0ec0024a2715055249cf3b478ddd4740de654f75ca686e0d7345c69ed50cdc2a8b332b1f8824108ac937eb050585608ee734097fc09054fbff89eeaeea791f4a7ab1f9868294a4f9e27b42af8100cb9d59cef9645803");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 12";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("2718281828459045235360287471352662497757247093699959574966967627");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("3141592653589793238462643383279502884197169399375105820974944592");
+	tmp.data_unit_sequence_number = 0xffffff;
+	tmp.plaintext =  tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("e387aaa58ba483afa7e8eb469778317ecf4cf573aa9d4eac23f2cdf914e4e200a8b490e42ee646802dc6ee2b471b278195d60918ececb44bf79966f83faba0499298ebc699c0c8634715a320bb4f075d622e74c8c932004f25b41e361025b5a87815391f6108fc4afa6a05d9303c6ba68a128a55705d415985832fdeaae6c8e19110e84d1b1f199a2692119edc96132658f09da7c623efcec712537a3d94c0bf5d7e352ec94ae5797fdb377dc1551150721adf15bd26a8efc2fcaad56881fa9e62462c28f30ae1ceaca93c345cf243b73f542e2074a705bd2643bb9f7cc79bb6e7091ea6e232df0f9ad0d6cf502327876d82207abf2115cdacf6d5a48f6c1879a65b115f0f8b3cb3c59d15dd8c769bc014795a1837f3901b5845eb491adfefe097b1fa30a12fc1f65ba22905031539971a10f2f36c321bb51331cdefb39e3964c7ef079994f5b69b2edd83a71ef549971ee93f44eac3938fcdd61d01fa71799da3a8091c4c48aa9ed263ff0749df95d44fef6a0bb578ec69456aa5408ae32c7af08ad7ba8921287e3bbee31b767be06a0e705c864a769137df28292283ea81a2480241b44d9921cdbec1bc28dc1fda114bd8e5217ac9d8ebafa720e9da4f9ace231cc949e5b96fe76ffc21063fddc83a6b8679c00d35e09576a875305bed5f36ed242c8900dd1fa965bc950dfce09b132263a1eef52dd6888c309f5a7d712826");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "IEEE 1619-2007 Vector 13";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("2718281828459045235360287471352662497757247093699959574966967627");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("3141592653589793238462643383279502884197169399375105820974944592");
+	tmp.data_unit_sequence_number = 0xffffffff;
+	tmp.plaintext =  tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("bf53d2dade78e822a4d949a9bc6766b01b06a8ef70d26748c6a7fc36d80ae4c5520f7c4ab0ac8544424fa405162fef5a6b7f229498063618d39f0003cb5fb8d1c86b643497da1ff945c8d3bedeca4f479702a7a735f043ddb1d6aaade3c4a0ac7ca7f3fa5279bef56f82cd7a2f38672e824814e10700300a055e1630b8f1cb0e919f5e942010a416e2bf48cb46993d3cb6a51c19bacf864785a00bc2ecff15d350875b246ed53e68be6f55bd7e05cfc2b2ed6432198a6444b6d8c247fab941f569768b5c429366f1d3f00f0345b96123d56204c01c63b22ce78baf116e525ed90fdea39fa469494d3866c31e05f295ff21fea8d4e6e13d67e47ce722e9698a1c1048d68ebcde76b86fcf976eab8aa9790268b7068e017a8b9b749409514f1053027fd16c3786ea1bac5f15cb79711ee2abe82f5cf8b13ae73030ef5b9e4457e75d1304f988d62dd6fc4b94ed38ba831da4b7634971b6cd8ec325d9c61c00f1df73627ed3745a5e8489f3a95c69639c32cd6e1d537a85f75cc844726e8a72fc0077ad22000f1d5078f6b866318c668f1ad03d5a5fced5219f2eabbd0aa5c0f460d183f04404a0d6f469558e81fab24a167905ab4c7878502ad3e38fdbe62a41556cec37325759533ce8f25f367c87bb5578d667ae93f9e2fd99bcbc5f2fbba88cf6516139420fcff3b7361d86322c4bd84c82f335abb152c4a93411373aaa8220");
+	test_cases.push_back(tmp);
+	
+	tmp.test_name = "IEEE 1619-2007 Vector 14";
+	tmp.key1 = tc::cli::FormatUtil::hexStringToBytes("2718281828459045235360287471352662497757247093699959574966967627");
+	tmp.key2 = tc::cli::FormatUtil::hexStringToBytes("3141592653589793238462643383279502884197169399375105820974944592");
+	tmp.data_unit_sequence_number = 0xffffffffff;
+	tmp.plaintext =  tc::cli::FormatUtil::hexStringToBytes("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
+	tmp.ciphertext = tc::cli::FormatUtil::hexStringToBytes("64497e5a831e4a932c09be3e5393376daa599548b816031d224bbf50a818ed2350eae7e96087c8a0db51ad290bd00c1ac1620857635bf246c176ab463be30b808da548081ac847b158e1264be25bb0910bbc92647108089415d45fab1b3d2604e8a8eff1ae4020cfa39936b66827b23f371b92200be90251e6d73c5f86de5fd4a950781933d79a28272b782a2ec313efdfcc0628f43d744c2dc2ff3dcb66999b50c7ca895b0c64791eeaa5f29499fb1c026f84ce5b5c72ba1083cddb5ce45434631665c333b60b11593fb253c5179a2c8db813782a004856a1653011e93fb6d876c18366dd8683f53412c0c180f9c848592d593f8609ca736317d356e13e2bff3a9f59cd9aeb19cd482593d8c46128bb32423b37a9adfb482b99453fbe25a41bf6feb4aa0bef5ed24bf73c762978025482c13115e4015aac992e5613a3b5c2f685b84795cb6e9b2656d8c88157e52c42f978d8634c43d06fea928f2822e465aa6576e9bf419384506cc3ce3c54ac1a6f67dc66f3b30191e698380bc999b05abce19dc0c6dcc2dd001ec535ba18deb2df1a101023108318c75dc98611a09dc48a0acdec676fabdf222f07e026f059b672b56e5cbc8e1d21bbd867dd927212054681d70ea737134cdfce93b6f82ae22423274e58a0821cc5502e2d0ab4585e94de6975be5e0b4efce51cd3e70c25a1fbbbd609d273ad5b0d59631c531f6a0a57b9");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.h
new file mode 100644
index 00000000..2bc6ac20
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Aes256XtsEncryptor_TestClass.h
@@ -0,0 +1,35 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Aes256XtsEncryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassEnc();
+	void test_UseClassDec();
+	void test_UseUtilFuncEnc();
+	void test_UseUtilFuncDec();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptThrowsExceptionOnBadInput();
+	void test_DecryptThrowsExceptionOnBadInput();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData key1;
+		tc::ByteData key2;
+		size_t data_unit;
+		uint64_t data_unit_sequence_number;
+		tc::ByteData plaintext;
+		tc::ByteData ciphertext;
+	};
+
+	void util_Setup_IEEE1619_2007_TestCases(std::vector<crypto_Aes256XtsEncryptor_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.cpp
new file mode 100644
index 00000000..fdeb5cf9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.cpp
@@ -0,0 +1,547 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_HmacMd5Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/HmacMd5Generator.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_HmacMd5Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoMac();
+	test_NoInitDoUpdateDoMac();
+	test_DoInitNoUpdateDoMac();
+	test_DoInitNoKeyDoUpdateDoMac();
+	test_DoInitNoKeyNoUpdateDoMac();
+
+	test_CallGetMacRepeatedly();
+	std::cout << "[tc::crypto::HmacMd5Generator] END" << std::endl;
+}
+
+void crypto_HmacMd5Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check mac size
+			static const size_t kExpectedHashSize = 16;
+			if (tc::crypto::HmacMd5Generator::kMacSize != kExpectedHashSize)
+			{
+				ss << "kMacSize had value " << std::dec << tc::crypto::HmacMd5Generator::kMacSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 64;
+			if (tc::crypto::HmacMd5Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::HmacMd5Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_data.size() / 2;
+
+				// update with first half
+				calc.update(test->in_data.data(), offset);
+
+				// update with second half
+				calc.update(test->in_data.data() + offset, test->in_data.size() - offset);
+				
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(mac.data(), 0xff, mac.size());
+				tc::crypto::GenerateHmacMd5Mac(mac.data(), (const byte_t*)test->in_data.data(), test->in_data.size(), test->in_key.data(), test->in_key.size());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_NoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_NoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_NoInitDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_NoInitDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_DoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_DoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+			
+			// override expected MAC for when no update() is called
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("C9E99A43CD8FA24A840AA85C7CCA0061");
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("60B57DA4237ED7C91B475EDDF0E798D3");
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("68333B4B8FCBAD8D64D914430788E601");
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("24CFC1B34D4FD3388EC723F7B6214669");
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("8AAFFA8F035AF4C09CA7D1635F8CF716");
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("172C1869F3E854DC888D3B2D3ADA639F");
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("172C1869F3E854DC888D3B2D3ADA639F");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_DoInitNoKeyDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_DoInitNoKeyDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize()
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("72C33C78CAC0B7A581AC263A344ED01D");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("AE2E4B39F3B5EE2C8B585994294201EA");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("1F265B5F8E396420867BA340A8B3AE2F");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("EC0AE3C21F1BC5DD136C488FC11E62E4");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("6F9F9B09EE74ABC55B72EA1003A5AE2B");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("647DF53417E4E001CBD1842FB13C9AE2");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("172C0788A36B21774D60D2D3B911C5D7");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_DoInitNoKeyNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_DoInitNoKeyNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize() and update is not called
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("74E6F7298A9C2D168935F58C001BAD88");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("74E6F7298A9C2D168935F58C001BAD88");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("74E6F7298A9C2D168935F58C001BAD88");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("74E6F7298A9C2D168935F58C001BAD88");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("74E6F7298A9C2D168935F58C001BAD88");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("74E6F7298A9C2D168935F58C001BAD88");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("74E6F7298A9C2D168935F58C001BAD88");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::test_CallGetMacRepeatedly()
+{
+	std::cout << "[tc::crypto::HmacMd5Generator] test_CallGetMacRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacMd5Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacMd5Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the MAC here we can tell if it is updated each time
+					memset(mac.data(), 0xff, mac.size());
+					calc.getMac(mac.data());
+					if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacMd5Generator_TestClass::util_Setup_Rfc2202_TestCases(std::vector<crypto_HmacMd5Generator_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	tmp.test_name = "RFC 2202 Test 1";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("4869205468657265"); // "Hi There"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("9294727a3638bb1c13f48ef8158bfc9d");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 2";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("4a656665"); // "Jefe"
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("7768617420646f2079612077616e7420666f72206e6f7468696e673f"); // "what do ya want for nothing?"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("750c783e6ab0b503eaa86e310a5db738");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 3";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"); // 50 x 0xdd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("56be34521d144c88dbb8c733f0e8b3f6");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 4";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0102030405060708090a0b0c0d0e0f10111213141516171819");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"); // 50 x 0xcd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("697eaf0aca3a3aea3a75164746ffaa79");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 5";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("546573742057697468205472756e636174696f6e"); // "Test With Truncation"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("56461ef2342edc00f9bab995690efd4c");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 6";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 80 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b6579202d2048617368204b6579204669727374"); // "Test Using Larger Than Block-Size Key - Hash Key First"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 7";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 80 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b657920616e64204c6172676572205468616e204f6e6520426c6f636b2d53697a652044617461"); // "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("6f630fad67cda0ee1fb1f562db3aa53e");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.h
new file mode 100644
index 00000000..ea62f4d2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacMd5Generator_TestClass.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_HmacMd5Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoMac();
+	void test_NoInitDoUpdateDoMac();
+	void test_DoInitNoUpdateDoMac();
+	void test_DoInitNoKeyDoUpdateDoMac();
+	void test_DoInitNoKeyNoUpdateDoMac();
+	
+	void test_CallGetMacRepeatedly();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData in_data;
+		tc::ByteData in_key;
+		tc::ByteData out_mac;
+	};
+
+	void util_Setup_Rfc2202_TestCases(std::vector<crypto_HmacMd5Generator_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.cpp
new file mode 100644
index 00000000..450a02e5
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.cpp
@@ -0,0 +1,547 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_HmacSha1Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/HmacSha1Generator.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_HmacSha1Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoMac();
+	test_NoInitDoUpdateDoMac();
+	test_DoInitNoUpdateDoMac();
+	test_DoInitNoKeyDoUpdateDoMac();
+	test_DoInitNoKeyNoUpdateDoMac();
+
+	test_CallGetMacRepeatedly();
+	std::cout << "[tc::crypto::HmacSha1Generator] END" << std::endl;
+}
+
+void crypto_HmacSha1Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check mac size
+			static const size_t kExpectedHashSize = 20;
+			if (tc::crypto::HmacSha1Generator::kMacSize != kExpectedHashSize)
+			{
+				ss << "kMacSize had value " << std::dec << tc::crypto::HmacSha1Generator::kMacSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 64;
+			if (tc::crypto::HmacSha1Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::HmacSha1Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_data.size() / 2;
+
+				// update with first half
+				calc.update(test->in_data.data(), offset);
+
+				// update with second half
+				calc.update(test->in_data.data() + offset, test->in_data.size() - offset);
+				
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(mac.data(), 0xff, mac.size());
+				tc::crypto::GenerateHmacSha1Mac(mac.data(), (const byte_t*)test->in_data.data(), test->in_data.size(), test->in_key.data(), test->in_key.size());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_NoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_NoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_NoInitDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_NoInitDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_DoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_DoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+			
+			// override expected MAC for when no update() is called
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("123FD78BDA0100786AE86B76F50F01BD18E477F3");
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("09D9E59D72239E62A8155C583D52743DE9B7231A");
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("4C2E4B8144C34521B2487190F0862E7E0978D42A");
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("932C2468DB83EEB23B6B8F1EDE8BE57136BA9C99");
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("3DF4B2ABD4FCFE0FF5EFA57D0E98CCA85F4B8C17");
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("6FB70A345B84A347A0CA3B58B4F8DDC6AB1EC61F");
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("6FB70A345B84A347A0CA3B58B4F8DDC6AB1EC61F");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_DoInitNoKeyDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_DoInitNoKeyDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize()
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("69536CC84EEE5FE51C5B051AFF8485F5C9EF0B58");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("22E999C60F94D0F2D635CA4CF1B174E5CB514D38");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("3EA23ADD7131920CEDD9FA0B7ED130F9E0320B1B");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("74C78AEB607055FF54D8DFCCF1A82CA011ED7A77");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("4ED74D69F9942A1852037F4D8F4F8D0AA680AFDC");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("061B442BBD9AAC68E1AC811EDD8CA83D0586C766");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("69C4969EBA33E494509E07AE006234EEF4CD7624");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_DoInitNoKeyNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_DoInitNoKeyNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize() and update is not called
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("FBDB1D1B18AA6C08324B7D64B71FB76370690E1D");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("FBDB1D1B18AA6C08324B7D64B71FB76370690E1D");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("FBDB1D1B18AA6C08324B7D64B71FB76370690E1D");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("FBDB1D1B18AA6C08324B7D64B71FB76370690E1D");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("FBDB1D1B18AA6C08324B7D64B71FB76370690E1D");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("FBDB1D1B18AA6C08324B7D64B71FB76370690E1D");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("FBDB1D1B18AA6C08324B7D64B71FB76370690E1D");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::test_CallGetMacRepeatedly()
+{
+	std::cout << "[tc::crypto::HmacSha1Generator] test_CallGetMacRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc2202_TestCases(tests);
+
+			tc::crypto::HmacSha1Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha1Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the MAC here we can tell if it is updated each time
+					memset(mac.data(), 0xff, mac.size());
+					calc.getMac(mac.data());
+					if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha1Generator_TestClass::util_Setup_Rfc2202_TestCases(std::vector<crypto_HmacSha1Generator_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	tmp.test_name = "RFC 2202 Test 1";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("4869205468657265"); // "Hi There"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("b617318655057264e28bc0b6fb378c8ef146be00");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 2";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("4a656665"); // "Jefe"
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("7768617420646f2079612077616e7420666f72206e6f7468696e673f"); // "what do ya want for nothing?"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("effcdf6ae5eb2fa2d27416d5f184df9c259a7c79");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 3";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"); // 50 x 0xdd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("125d7342b9ac11cd91a39af48aa17b4f63f175d3");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 4";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0102030405060708090a0b0c0d0e0f10111213141516171819");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"); // 50 x 0xcd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("4c9007f4026250c6bc8414f9bf50c86c2d7235da");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 5";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("546573742057697468205472756e636174696f6e"); // "Test With Truncation"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("4c1a03424b55e07fe7f27be1d58bb9324a9a5a04");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 6";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 80 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b6579202d2048617368204b6579204669727374"); // "Test Using Larger Than Block-Size Key - Hash Key First"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("aa4ae5e15272d00e95705637ce8a3b55ed402112");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 7";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 80 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b657920616e64204c6172676572205468616e204f6e6520426c6f636b2d53697a652044617461"); // "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("e8e99d0f45237d786d6bbaa7965c7808bbff1a91");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.h
new file mode 100644
index 00000000..064b34ce
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacSha1Generator_TestClass.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_HmacSha1Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoMac();
+	void test_NoInitDoUpdateDoMac();
+	void test_DoInitNoUpdateDoMac();
+	void test_DoInitNoKeyDoUpdateDoMac();
+	void test_DoInitNoKeyNoUpdateDoMac();
+	
+	void test_CallGetMacRepeatedly();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData in_data;
+		tc::ByteData in_key;
+		tc::ByteData out_mac;
+	};
+
+	void util_Setup_Rfc2202_TestCases(std::vector<crypto_HmacSha1Generator_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.cpp
new file mode 100644
index 00000000..6f4306ba
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.cpp
@@ -0,0 +1,547 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_HmacSha256Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/HmacSha256Generator.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_HmacSha256Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoMac();
+	test_NoInitDoUpdateDoMac();
+	test_DoInitNoUpdateDoMac();
+	test_DoInitNoKeyDoUpdateDoMac();
+	test_DoInitNoKeyNoUpdateDoMac();
+
+	test_CallGetMacRepeatedly();
+	std::cout << "[tc::crypto::HmacSha256Generator] END" << std::endl;
+}
+
+void crypto_HmacSha256Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check mac size
+			static const size_t kExpectedHashSize = 32;
+			if (tc::crypto::HmacSha256Generator::kMacSize != kExpectedHashSize)
+			{
+				ss << "kMacSize had value " << std::dec << tc::crypto::HmacSha256Generator::kMacSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 64;
+			if (tc::crypto::HmacSha256Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::HmacSha256Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_data.size() / 2;
+
+				// update with first half
+				calc.update(test->in_data.data(), offset);
+
+				// update with second half
+				calc.update(test->in_data.data() + offset, test->in_data.size() - offset);
+				
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(mac.data(), 0xff, mac.size());
+				tc::crypto::GenerateHmacSha256Mac(mac.data(), (const byte_t*)test->in_data.data(), test->in_data.size(), test->in_key.data(), test->in_key.size());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_NoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_NoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_NoInitDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_NoInitDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_DoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_DoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+			
+			// override expected MAC for when no update() is called
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("999A901219F032CD497CADB5E6051E97B6A29AB297BD6AE722BD6062A2F59542");
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("923598CA6D64AF2A5DBA79DCD021A8A0FE5C5F557519ADAAF0AD532D4506DD30");
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("86E54FD448725D7E5DCFE22353C828AF48781EB48CAE8106A7E1D498949F3E46");
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("1B5713E10977DA96A5FE201005976A240544079C2724F6A9EAEAE42B9DE00F28");
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("4D36C675D91E0512D1B1BA412FE2F7D8A6595FD305BDEADF651B465D4251781F");
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("44B545DEF5B97EB719D856A15E327833E520E4770619C0E3EEFBDE24B71285A7");
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("44B545DEF5B97EB719D856A15E327833E520E4770619C0E3EEFBDE24B71285A7");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_DoInitNoKeyDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_DoInitNoKeyDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize()
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("E48411262715C8370CD5E7BF8E82BEF53BD53712D007F3429351843B77C7BB9B");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("76D9E7194E7DBC3AA00BBE8FFB9F6FCB5A932170F971F948BB2AB61607D2B9D6");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("658C192B47D1C84BC7D5EE38CAA75864FBF43E79BD18DB6C5FA814ED0D9C4AB3");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("367352007EE6CA9FA755CE8352347D092C17A24077FD33C62F655574A8CF906D");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("53273BDCBDF6DE9AFB0CDBD1E1CF133FE7529237B5A1FBA41F34CC8792430B16");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("79E2A6536CB16B4A1E9C2AF81759764AFD026173526F79F7816E9A3BC5FBABA8");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("4DA63281EA396C9E8FBFE3D6483A602CE18760273914D9DF5FF385FB639A696F");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_DoInitNoKeyNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_DoInitNoKeyNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize() and update is not called
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::test_CallGetMacRepeatedly()
+{
+	std::cout << "[tc::crypto::HmacSha256Generator] test_CallGetMacRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha256Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha256Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the MAC here we can tell if it is updated each time
+					memset(mac.data(), 0xff, mac.size());
+					calc.getMac(mac.data());
+					if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha256Generator_TestClass::util_Setup_Rfc4231_TestCases(std::vector<crypto_HmacSha256Generator_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	tmp.test_name = "RFC 2202 Test 1";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("4869205468657265"); // "Hi There"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 2";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("4a656665"); // "Jefe"
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("7768617420646f2079612077616e7420666f72206e6f7468696e673f"); // "what do ya want for nothing?"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 3";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"); // 50 x 0xdd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("773ea91e36800e46854db8ebd09181a72959098b3ef8c122d9635514ced565fe");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 4";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0102030405060708090a0b0c0d0e0f10111213141516171819");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"); // 50 x 0xcd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("82558a389a443c0ea4cc819899f2083a85f0faa3e578f8077a2e3ff46729665b");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 5";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("546573742057697468205472756e636174696f6e"); // "Test With Truncation"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("A3B6167473100EE06E0C796C2955552BFA6F7C0A6A8AEF8B93F860AAB0CD20C5");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 6";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 131 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b6579202d2048617368204b6579204669727374"); // "Test Using Larger Than Block-Size Key - Hash Key First"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("60e431591ee0b67f0d8a26aacbf5b77f8e0bc6213728c5140546040f0ee37f54");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 7";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 131 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("5468697320697320612074657374207573696e672061206c6172676572207468616e20626c6f636b2d73697a65206b657920616e642061206c6172676572207468616e20626c6f636b2d73697a6520646174612e20546865206b6579206e6565647320746f20626520686173686564206265666f7265206265696e6720757365642062792074686520484d414320616c676f726974686d2e"); // "This is a test using a larger than block-size key and a larger than block-size data. The key neds to be hashed before being used by the HMAC algorithm."
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("9b09ffa71b942fcb27635fbcd5b0e944bfdc63644f0713938a7f51535c3a35e2");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.h
new file mode 100644
index 00000000..7a97c489
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacSha256Generator_TestClass.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_HmacSha256Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoMac();
+	void test_NoInitDoUpdateDoMac();
+	void test_DoInitNoUpdateDoMac();
+	void test_DoInitNoKeyDoUpdateDoMac();
+	void test_DoInitNoKeyNoUpdateDoMac();
+	
+	void test_CallGetMacRepeatedly();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData in_data;
+		tc::ByteData in_key;
+		tc::ByteData out_mac;
+	};
+
+	void util_Setup_Rfc4231_TestCases(std::vector<crypto_HmacSha256Generator_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.cpp
new file mode 100644
index 00000000..ef83aaea
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.cpp
@@ -0,0 +1,547 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_HmacSha512Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/HmacSha512Generator.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_HmacSha512Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoMac();
+	test_NoInitDoUpdateDoMac();
+	test_DoInitNoUpdateDoMac();
+	test_DoInitNoKeyDoUpdateDoMac();
+	test_DoInitNoKeyNoUpdateDoMac();
+
+	test_CallGetMacRepeatedly();
+	std::cout << "[tc::crypto::HmacSha512Generator] END" << std::endl;
+}
+
+void crypto_HmacSha512Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check mac size
+			static const size_t kExpectedHashSize = 64;
+			if (tc::crypto::HmacSha512Generator::kMacSize != kExpectedHashSize)
+			{
+				ss << "kMacSize had value " << std::dec << tc::crypto::HmacSha512Generator::kMacSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 128;
+			if (tc::crypto::HmacSha512Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::HmacSha512Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_data.size() / 2;
+
+				// update with first half
+				calc.update(test->in_data.data(), offset);
+
+				// update with second half
+				calc.update(test->in_data.data() + offset, test->in_data.size() - offset);
+				
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(mac.data(), 0xff, mac.size());
+				tc::crypto::GenerateHmacSha512Mac(mac.data(), (const byte_t*)test->in_data.data(), test->in_data.size(), test->in_key.data(), test->in_key.size());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_NoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_NoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_NoInitDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_NoInitDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+			tc::ByteData expected_uninitialized_mac = tc::ByteData(mac.size());
+			memset(expected_uninitialized_mac.data(), 0xff, expected_uninitialized_mac.size());
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memcpy(mac.data(), expected_uninitialized_mac.data(), mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), expected_uninitialized_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(expected_uninitialized_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_DoInitNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_DoInitNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+			
+			// override expected MAC for when no update() is called
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("AD8DA3D882AF6E9B872457ADCDD638E9B87AF44825425085F8CE81A4122BAB781B92F5AB92AC24948AD369F86558FD469CA3F4861CB0F0DFB33154428ED03DFB");
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("B9D14C51A6D4DD41604EB06C9C240F1F64F143B5CFDEA37129B28BB75D1371D326FC219216171261A84E6C05707CD3BE0F61E0A973A33F706D190DB9ACFFC68F");
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("6393B26D6D510B77741BEC0037A40B3A31071DB90ABF9A9E857B9CA643F7AF5F2AF35201608D2E3F14394AAAEA46DBAEC3E7A4EBAD54D310DB7659D102F4C73A");
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("10CDF916AEE81A887E7F46BF329A18715A959E5E4EAAED386E7AE8779FC56F1CA6543219476B55D767D6E34D8EF1C76F251C95719346A588FBDDEED2FC3F013E");
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("2BAD6402A42592B704DAC5BD90A559ACF444D75B7E6C9C18D44BC02FF04C94CCD180F6B71F86B0A2D853F9146F5605B8F5807006EDE0F7F35370EEF7D50FBA16");
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("264428A9B95825C9ACD9D71AAC552BD95E9BD00169C02D3921DBD53A0FDF6F0E81A19EF54E7B143F131CC5FFD5896EEF3CDCF57066A70DA3698D826A1B6366DD");
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("264428A9B95825C9ACD9D71AAC552BD95E9BD00169C02D3921DBD53A0FDF6F0E81A19EF54E7B143F131CC5FFD5896EEF3CDCF57066A70DA3698D826A1B6366DD");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.size(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_DoInitNoKeyDoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_DoInitNoKeyDoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize()
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("F7688A104326D36C1940F6D28D746C0661D383E0D14FE8A04649444777610F5DD9565A36846AB9E9E734CF380D3A070D8EF021B5F3A50C481710A464968E3419");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("1263AC6489324BDD55FEAD956DC2BE547BECE2B699214B63B0270143D740AD638F3CC6FEEDC740F8D9AC44866DF12A0073D57214EB393F692B4AE17EDF30D861");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("364113906C7268F6C0C3F4977411CF34151DA703DBF6E0D3CD2A2179FA0446060BF5017D7F41330429AF17FAA4BCD4C3DA1E654767670EC177239C39B3EEF086");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("17FD4AD25B6D1979AB38D833053B1B44FA99E9B410D5BC35541D6AA18A5AC8964B6B86C9C01ED10212BA45EFFB161C8676FD26EF28C557A27003294325275E9D");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("6D3B39DCD123E86481D138C3237EE179329BEFB7FC82515FB6B694B6DF6E88A1827150E31366BB133A622527DAAA865E9E06BDFD0D9BDB574645292DDB7FE49E");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("7E129DE32C9CBF193A88BF5107EC58A702D646F3A1ACF1ADE5631D950E96CAEC035C05DA4953F3063917954419889EFC27BA89E0B5B7767A19D36780F646BA24");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("D9B8EE3286A49C2B649624D93E04322F0D29E9F49CE77BEF1E13C40553A3D01EAB341F67F1F208CE10FCBC696DE5BB24EC3E1F361A12485060CE561C54CC85CB");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_DoInitNoKeyNoUpdateDoMac()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_DoInitNoKeyNoUpdateDoMac : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+			
+			// override expected MAC for when no key is used during initialize() and update is not called
+			tests[0].in_key = tc::ByteData();
+			tests[0].out_mac = tc::cli::FormatUtil::hexStringToBytes("B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC66B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49AD7381EB067B338FD7B0CB22247225D47");
+			tests[1].in_key = tc::ByteData();
+			tests[1].out_mac = tc::cli::FormatUtil::hexStringToBytes("B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC66B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49AD7381EB067B338FD7B0CB22247225D47");
+			tests[2].in_key = tc::ByteData();
+			tests[2].out_mac = tc::cli::FormatUtil::hexStringToBytes("B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC66B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49AD7381EB067B338FD7B0CB22247225D47");
+			tests[3].in_key = tc::ByteData();
+			tests[3].out_mac = tc::cli::FormatUtil::hexStringToBytes("B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC66B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49AD7381EB067B338FD7B0CB22247225D47");
+			tests[4].in_key = tc::ByteData();
+			tests[4].out_mac = tc::cli::FormatUtil::hexStringToBytes("B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC66B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49AD7381EB067B338FD7B0CB22247225D47");
+			tests[5].in_key = tc::ByteData();
+			tests[5].out_mac = tc::cli::FormatUtil::hexStringToBytes("B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC66B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49AD7381EB067B338FD7B0CB22247225D47");
+			tests[6].in_key = tc::ByteData();
+			tests[6].out_mac = tc::cli::FormatUtil::hexStringToBytes("B936CEE86C9F87AA5D3C6F2E84CB5A4239A5FE50480A6EC66B70AB5B1F4AC6730C6C515421B327EC1D69402E53DFB49AD7381EB067B338FD7B0CB22247225D47");
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				//calc.update(test->in_data.data(), test->in_data.size());
+				memset(mac.data(), 0xff, mac.size());
+				calc.getMac(mac.data());
+				if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::test_CallGetMacRepeatedly()
+{
+	std::cout << "[tc::crypto::HmacSha512Generator] test_CallGetMacRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<TestCase> tests;
+			util_Setup_Rfc4231_TestCases(tests);
+
+			tc::crypto::HmacSha512Generator calc;
+			tc::ByteData mac = tc::ByteData(tc::crypto::HmacSha512Generator::kMacSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize(test->in_key.data(), test->in_key.size());
+				calc.update(test->in_data.data(), test->in_data.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the MAC here we can tell if it is updated each time
+					memset(mac.data(), 0xff, mac.size());
+					calc.getMac(mac.data());
+					if (memcmp(mac.data(), test->out_mac.data(), mac.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong MAC: " << tc::cli::FormatUtil::formatBytesAsString(mac, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_mac, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_HmacSha512Generator_TestClass::util_Setup_Rfc4231_TestCases(std::vector<crypto_HmacSha512Generator_TestClass::TestCase>& test_cases)
+{
+	TestCase tmp;
+
+	test_cases.clear();
+
+	tmp.test_name = "RFC 2202 Test 1";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("4869205468657265"); // "Hi There"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cdedaa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 2";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("4a656665"); // "Jefe"
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("7768617420646f2079612077616e7420666f72206e6f7468696e673f"); // "what do ya want for nothing?"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("164b7a7bfcf819e2e395fbe73b56e0a387bd64222e831fd610270cd7ea2505549758bf75c05a994a6d034f65f8f0e6fdcaeab1a34d4a6b4b636e070a38bce737");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 3";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"); // 50 x 0xdd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("fa73b0089d56a284efb0f0756c890be9b1b5dbdd8ee81a3655f83e33b2279d39bf3e848279a722c806b485a47e67c807b946a337bee8942674278859e13292fb");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 4";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0102030405060708090a0b0c0d0e0f10111213141516171819");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"); // 50 x 0xcd
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("b0ba465637458c6990e5a8c5f61d4af7e576d97ff94b872de76f8050361ee3dba91ca5c11aa25eb4d679275cc5788063a5f19741120c4f2de2adebeb10a298dd");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 5";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("546573742057697468205472756e636174696f6e"); // "Test With Truncation"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("415FAD6271580A531D4179BC891D87A650188707922A4FBB36663A1EB16DA008711C5B50DDD0FC235084EB9D3364A1454FB2EF67CD1D29FE6773068EA266E96B");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 6";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 131 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("54657374205573696e67204c6172676572205468616e20426c6f636b2d53697a65204b6579202d2048617368204b6579204669727374"); // "Test Using Larger Than Block-Size Key - Hash Key First"
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("80b24263c7c1a3ebb71493c1dd7be8b49b46d1f41b4aeec1121b013783f8f3526b56d037e05f2598bd0fd2215d6a1e5295e64f73f63f0aec8b915a985d786598");
+	test_cases.push_back(tmp);
+
+	tmp.test_name = "RFC 2202 Test 7";
+	tmp.in_key = tc::cli::FormatUtil::hexStringToBytes("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); // 131 x 0xaa
+	tmp.in_data = tc::cli::FormatUtil::hexStringToBytes("5468697320697320612074657374207573696e672061206c6172676572207468616e20626c6f636b2d73697a65206b657920616e642061206c6172676572207468616e20626c6f636b2d73697a6520646174612e20546865206b6579206e6565647320746f20626520686173686564206265666f7265206265696e6720757365642062792074686520484d414320616c676f726974686d2e"); // "This is a test using a larger than block-size key and a larger than block-size data. The key neds to be hashed before being used by the HMAC algorithm."
+	tmp.out_mac = tc::cli::FormatUtil::hexStringToBytes("e37b6a775dc87dbaa4dfa9f96e5e3ffddebd71f8867289865df5a32d20cdc944b6022cac3c4982b10d5eeb55c3e4de15134676fb6de0446065c97440fa8c6a58");
+	test_cases.push_back(tmp);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.h
new file mode 100644
index 00000000..43996d1c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_HmacSha512Generator_TestClass.h
@@ -0,0 +1,34 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_HmacSha512Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoMac();
+	void test_NoInitDoUpdateDoMac();
+	void test_DoInitNoUpdateDoMac();
+	void test_DoInitNoKeyDoUpdateDoMac();
+	void test_DoInitNoKeyNoUpdateDoMac();
+	
+	void test_CallGetMacRepeatedly();
+
+	struct TestCase
+	{
+		std::string test_name;
+		tc::ByteData in_data;
+		tc::ByteData in_key;
+		tc::ByteData out_mac;
+	};
+
+	void util_Setup_Rfc4231_TestCases(std::vector<crypto_HmacSha512Generator_TestClass::TestCase>& test_cases);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.cpp
new file mode 100644
index 00000000..d6c7efde
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.cpp
@@ -0,0 +1,490 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Md5Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Md5Generator.h>
+#include <tc/cli/FormatUtil.h>
+#include <tc/ByteData.h>
+
+void crypto_Md5Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Md5Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoHash();
+	test_NoInitDoUpdateDoHash();
+	test_DoInitNoUpdateDoHash();
+
+	test_CallGetHashRepeatedly();
+	std::cout << "[tc::crypto::Md5Generator] END" << std::endl;
+}
+
+void crypto_Md5Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check hash size
+			static const size_t kExpectedHashSize = 16;
+			if (tc::crypto::Md5Generator::kHashSize != kExpectedHashSize)
+			{
+				ss << "kHashSize had value " << std::dec << tc::crypto::Md5Generator::kHashSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 64;
+			if (tc::crypto::Md5Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Md5Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check ASN.1 OID data
+			tc::ByteData kExpectedAsn1OidData = tc::cli::FormatUtil::hexStringToBytes("3020300C06082A864886F70D020505000410");
+			if (tc::crypto::Md5Generator::kAsn1OidDataSize != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidDataSize had value " << std::dec << tc::crypto::Md5Generator::kAsn1OidDataSize << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (tc::crypto::Md5Generator::kAsn1OidData.size() != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidData.size() had value " << std::dec << tc::crypto::Md5Generator::kAsn1OidData.size() << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(tc::crypto::Md5Generator::kAsn1OidData.data(), kExpectedAsn1OidData.data(), kExpectedAsn1OidData.size()) != 0)
+			{
+				ss << "kAsn1OidData.data() had data " << tc::cli::FormatUtil::formatBytesAsString(tc::crypto::Md5Generator::kAsn1OidData.data(), tc::crypto::Md5Generator::kAsn1OidData.size(), true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(kExpectedAsn1OidData, true, "");
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Md5Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "short string (\"a\")", "a", tc::cli::FormatUtil::hexStringToBytes("0CC175B9C0F1B6A831C399E269772661")},
+				{ "short string (\"abc\")", "abc", tc::cli::FormatUtil::hexStringToBytes("900150983CD24FB0D6963F7D28E17F72")},
+				{ "long string (\"message digest\")", "message digest", tc::cli::FormatUtil::hexStringToBytes("F96B697D7CB7938D525A2F31AAF161D0")},
+				{ "long string (alphabet)", "abcdefghijklmnopqrstuvwxyz", tc::cli::FormatUtil::hexStringToBytes("C3FCD3D76192E4007DFB496CCA67E13B")},
+				{ "long string (alphanum)", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", tc::cli::FormatUtil::hexStringToBytes("D174AB98D277D9F5A5611C2C9F419D9F")},
+				{ "long string (numerals)", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", tc::cli::FormatUtil::hexStringToBytes("57EDF4A22BE3C955AC49DA2E2107B67A")},
+			};
+
+			tc::crypto::Md5Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Md5Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Md5Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "short string (\"a\")", "a", tc::cli::FormatUtil::hexStringToBytes("0CC175B9C0F1B6A831C399E269772661")},
+				{ "short string (\"abc\")", "abc", tc::cli::FormatUtil::hexStringToBytes("900150983CD24FB0D6963F7D28E17F72")},
+				{ "long string (\"message digest\")", "message digest", tc::cli::FormatUtil::hexStringToBytes("F96B697D7CB7938D525A2F31AAF161D0")},
+				{ "long string (alphabet)", "abcdefghijklmnopqrstuvwxyz", tc::cli::FormatUtil::hexStringToBytes("C3FCD3D76192E4007DFB496CCA67E13B")},
+				{ "long string (alphanum)", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", tc::cli::FormatUtil::hexStringToBytes("D174AB98D277D9F5A5611C2C9F419D9F")},
+				{ "long string (numerals)", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", tc::cli::FormatUtil::hexStringToBytes("57EDF4A22BE3C955AC49DA2E2107B67A")},
+			};
+
+			tc::crypto::Md5Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Md5Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_string.size() / 2;
+
+				// update with first half
+				calc.update((const byte_t*)test->in_string.c_str(), offset);
+
+				// update with second half
+				calc.update((const byte_t*)test->in_string.c_str() + offset, test->in_string.size() - offset);
+				
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Md5Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "short string (\"a\")", "a", tc::cli::FormatUtil::hexStringToBytes("0CC175B9C0F1B6A831C399E269772661")},
+				{ "short string (\"abc\")", "abc", tc::cli::FormatUtil::hexStringToBytes("900150983CD24FB0D6963F7D28E17F72")},
+				{ "long string (\"message digest\")", "message digest", tc::cli::FormatUtil::hexStringToBytes("F96B697D7CB7938D525A2F31AAF161D0")},
+				{ "long string (alphabet)", "abcdefghijklmnopqrstuvwxyz", tc::cli::FormatUtil::hexStringToBytes("C3FCD3D76192E4007DFB496CCA67E13B")},
+				{ "long string (alphanum)", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", tc::cli::FormatUtil::hexStringToBytes("D174AB98D277D9F5A5611C2C9F419D9F")},
+				{ "long string (numerals)", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", tc::cli::FormatUtil::hexStringToBytes("57EDF4A22BE3C955AC49DA2E2107B67A")},
+			};
+
+			tc::ByteData hash = tc::ByteData(tc::crypto::Md5Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(hash.data(), 0xff, hash.size());
+				tc::crypto::GenerateMd5Hash(hash.data(), (const byte_t*)test->in_string.c_str(), test->in_string.size());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Md5Generator_TestClass::test_NoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_NoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string (\"a\")", "a", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string (\"abc\")", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (\"message digest\")", "message digest", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (alphabet)", "abcdefghijklmnopqrstuvwxyz", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (alphanum)", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (numerals)", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Md5Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Md5Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Md5Generator_TestClass::test_NoInitDoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_NoInitDoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string (\"a\")", "a", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string (\"abc\")", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (\"message digest\")", "message digest", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (alphabet)", "abcdefghijklmnopqrstuvwxyz", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (alphanum)", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string (numerals)", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Md5Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Md5Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Md5Generator_TestClass::test_DoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_DoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (.getHash() should return the hash for an empty string if update is not called since they are logically the same thing)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "short string (\"a\")", "a", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "short string (\"abc\")", "abc", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "long string (\"message digest\")", "message digest", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "long string (alphabet)", "abcdefghijklmnopqrstuvwxyz", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "long string (alphanum)", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "long string (numerals)", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+			};
+
+			tc::crypto::Md5Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Md5Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Md5Generator_TestClass::test_CallGetHashRepeatedly()
+{
+	std::cout << "[tc::crypto::Md5Generator] test_CallGetHashRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("D41D8CD98F00B204E9800998ECF8427E")},
+				{ "short string (\"a\")", "a", tc::cli::FormatUtil::hexStringToBytes("0CC175B9C0F1B6A831C399E269772661")},
+				{ "short string (\"abc\")", "abc", tc::cli::FormatUtil::hexStringToBytes("900150983CD24FB0D6963F7D28E17F72")},
+				{ "long string (\"message digest\")", "message digest", tc::cli::FormatUtil::hexStringToBytes("F96B697D7CB7938D525A2F31AAF161D0")},
+				{ "long string (alphabet)", "abcdefghijklmnopqrstuvwxyz", tc::cli::FormatUtil::hexStringToBytes("C3FCD3D76192E4007DFB496CCA67E13B")},
+				{ "long string (alphanum)", "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", tc::cli::FormatUtil::hexStringToBytes("D174AB98D277D9F5A5611C2C9F419D9F")},
+				{ "long string (numerals)", "12345678901234567890123456789012345678901234567890123456789012345678901234567890", tc::cli::FormatUtil::hexStringToBytes("57EDF4A22BE3C955AC49DA2E2107B67A")},
+			};
+
+			tc::crypto::Md5Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Md5Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the hash here we can tell if it is updated each time
+					memset(hash.data(), 0xff, hash.size());
+					calc.getHash(hash.data());
+					if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.h
new file mode 100644
index 00000000..8f2f6470
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Md5Generator_TestClass.h
@@ -0,0 +1,18 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Md5Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoHash();
+	void test_NoInitDoUpdateDoHash();
+	void test_DoInitNoUpdateDoHash();
+	void test_CallGetHashRepeatedly();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.cpp
new file mode 100644
index 00000000..b46cc753
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.cpp
@@ -0,0 +1,285 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Pbkdf1Md5KeyDeriver_TestClass.h"
+#include "PbkdfUtil.h"
+
+#include <tc/crypto/Pbkdf1Md5KeyDeriver.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_Pbkdf1Md5KeyDeriver_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] START" << std::endl;
+	test_Constants();
+	test_ConfirmTestVector_Class();
+	test_ConfirmTestVector_UtilFunc();
+	test_WillThrowExceptionOnZeroRounds();
+	if (std::numeric_limits<size_t>::max() < std::numeric_limits<uint64_t>::max())
+	{
+		std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : SKIP (Cannot perform this test non 64bit systems)" << std::endl;
+	}
+	else
+	{
+		test_WillThrowExceptionOnTooLargeDkSize();
+	}
+	test_GetBytesWithoutInitDoesNothing();
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] END" << std::endl;
+}
+
+void crypto_Pbkdf1Md5KeyDeriver_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check max derivable size
+			static const uint64_t kExpectedMaxDerivableSize = tc::crypto::Md5Generator::kHashSize;
+			if (tc::crypto::Pbkdf1Md5KeyDeriver::kMaxDerivableSize != kExpectedMaxDerivableSize)
+			{
+				ss << "kMaxDerivableSize had value " << std::dec << tc::crypto::Pbkdf1Md5KeyDeriver::kMaxDerivableSize << " (expected " << kExpectedMaxDerivableSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Md5KeyDeriver_TestClass::test_ConfirmTestVector_Class()
+{
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] test_ConfirmTestVector_Class : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::MD5);
+
+			tc::crypto::Pbkdf1Md5KeyDeriver keydev;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{	
+				keydev.initialize((const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+				
+				auto dk = tc::ByteData(test->in_dk_len);
+				keydev.getBytes(dk.data(), dk.size());
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Md5KeyDeriver_TestClass::test_ConfirmTestVector_UtilFunc()
+{
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] test_ConfirmTestVector_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::MD5);
+
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				auto dk = tc::ByteData(test->in_dk_len);
+
+				tc::crypto::DeriveKeyPbkdf1Md5(dk.data(), dk.size(), (const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Md5KeyDeriver_TestClass::test_WillThrowExceptionOnZeroRounds()
+{
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] test_WillThrowExceptionOnZeroRounds : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::MD5);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+
+			try 
+			{
+				tc::crypto::DeriveKeyPbkdf1Md5(dk.data(), dk.size(), (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("DeriveKeyPbkdf1Md5() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf1Md5KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("Pbkdf1Md5KeyDeriver::initialize() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Md5KeyDeriver_TestClass::test_WillThrowExceptionOnTooLargeDkSize()
+{
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::MD5);
+
+			// derive a key larger than the maximum derivable size
+			auto dk = tc::ByteData(tc::crypto::Pbkdf1Md5KeyDeriver::kMaxDerivableSize + 1);
+
+			try 
+			{
+				tc::crypto::DeriveKeyPbkdf1Md5(dk.data(), dk.size(), (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+
+				throw tc::Exception("DeriveKeyPbkdf1Md5() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf1Md5KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+				keydev.getBytes(dk.data(), dk.size());
+
+				throw tc::Exception("Pbkdf1Md5KeyDeriver::getBytes() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Md5KeyDeriver_TestClass::test_GetBytesWithoutInitDoesNothing()
+{
+	std::cout << "[tc::crypto::Pbkdf1Md5KeyDeriver] test_GetBytesWithoutInitDoesNothing : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::MD5);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+			memset(dk.data(), 0xab, dk.size());
+
+			tc::crypto::Pbkdf1Md5KeyDeriver keydev;
+			keydev.getBytes(dk.data(), dk.size());
+
+			byte_t cmp = 1;
+			for (size_t i = 0; i < dk.size(); i++)
+			{
+				cmp &= dk[i] == 0xab;
+			}
+
+			if (cmp != 1)
+			{
+				throw tc::Exception("getBytes() operated inspite of not being initialized.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.h
new file mode 100644
index 00000000..d11f3496
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Md5KeyDeriver_TestClass.h
@@ -0,0 +1,15 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Pbkdf1Md5KeyDeriver_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_ConfirmTestVector_Class();
+	void test_ConfirmTestVector_UtilFunc();
+	void test_WillThrowExceptionOnZeroRounds();
+	void test_WillThrowExceptionOnTooLargeDkSize();
+	void test_GetBytesWithoutInitDoesNothing();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.cpp
new file mode 100644
index 00000000..82231bd4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.cpp
@@ -0,0 +1,285 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Pbkdf1Sha1KeyDeriver_TestClass.h"
+#include "PbkdfUtil.h"
+
+#include <tc/crypto/Pbkdf1Sha1KeyDeriver.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_Pbkdf1Sha1KeyDeriver_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] START" << std::endl;
+	test_Constants();
+	test_ConfirmTestVector_Class();
+	test_ConfirmTestVector_UtilFunc();
+	test_WillThrowExceptionOnZeroRounds();
+	if (std::numeric_limits<size_t>::max() < std::numeric_limits<uint64_t>::max())
+	{
+		std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : SKIP (Cannot perform this test non 64bit systems)" << std::endl;
+	}
+	else
+	{
+		test_WillThrowExceptionOnTooLargeDkSize();
+	}
+	test_GetBytesWithoutInitDoesNothing();
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] END" << std::endl;
+}
+
+void crypto_Pbkdf1Sha1KeyDeriver_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check max derivable size
+			static const uint64_t kExpectedMaxDerivableSize = tc::crypto::Sha1Generator::kHashSize;
+			if (tc::crypto::Pbkdf1Sha1KeyDeriver::kMaxDerivableSize != kExpectedMaxDerivableSize)
+			{
+				ss << "kMaxDerivableSize had value " << std::dec << tc::crypto::Pbkdf1Sha1KeyDeriver::kMaxDerivableSize << " (expected " << kExpectedMaxDerivableSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Sha1KeyDeriver_TestClass::test_ConfirmTestVector_Class()
+{
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] test_ConfirmTestVector_Class : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::SHA1);
+
+			tc::crypto::Pbkdf1Sha1KeyDeriver keydev;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{	
+				keydev.initialize((const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+				
+				auto dk = tc::ByteData(test->in_dk_len);
+				keydev.getBytes(dk.data(), dk.size());
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Sha1KeyDeriver_TestClass::test_ConfirmTestVector_UtilFunc()
+{
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] test_ConfirmTestVector_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::SHA1);
+
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				auto dk = tc::ByteData(test->in_dk_len);
+
+				tc::crypto::DeriveKeyPbkdf1Sha1(dk.data(), dk.size(), (const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Sha1KeyDeriver_TestClass::test_WillThrowExceptionOnZeroRounds()
+{
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] test_WillThrowExceptionOnZeroRounds : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::SHA1);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+
+			try 
+			{
+				tc::crypto::DeriveKeyPbkdf1Sha1(dk.data(), dk.size(), (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("DeriveKeyPbkdf1Sha1() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf1Sha1KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("Pbkdf1Sha1KeyDeriver::initialize() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Sha1KeyDeriver_TestClass::test_WillThrowExceptionOnTooLargeDkSize()
+{
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::SHA1);
+
+			// derive a key larger than the maximum derivable size
+			auto dk = tc::ByteData(tc::crypto::Pbkdf1Sha1KeyDeriver::kMaxDerivableSize + 1);
+
+			try 
+			{
+				tc::crypto::DeriveKeyPbkdf1Sha1(dk.data(), dk.size(), (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+
+				throw tc::Exception("DeriveKeyPbkdf1Sha1() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf1Sha1KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+				keydev.getBytes(dk.data(), dk.size());
+
+				throw tc::Exception("Pbkdf1Sha1KeyDeriver::getBytes() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf1Sha1KeyDeriver_TestClass::test_GetBytesWithoutInitDoesNothing()
+{
+	std::cout << "[tc::crypto::Pbkdf1Sha1KeyDeriver] test_GetBytesWithoutInitDoesNothing : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf1TestVectors_Custom(tests, PbkdfUtil::SHA1);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+			memset(dk.data(), 0xab, dk.size());
+
+			tc::crypto::Pbkdf1Sha1KeyDeriver keydev;
+			keydev.getBytes(dk.data(), dk.size());
+
+			byte_t cmp = 1;
+			for (size_t i = 0; i < dk.size(); i++)
+			{
+				cmp &= dk[i] == 0xab;
+			}
+
+			if (cmp != 1)
+			{
+				throw tc::Exception("getBytes() operated inspite of not being initialized.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.h
new file mode 100644
index 00000000..b7102dae
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf1Sha1KeyDeriver_TestClass.h
@@ -0,0 +1,15 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Pbkdf1Sha1KeyDeriver_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_ConfirmTestVector_Class();
+	void test_ConfirmTestVector_UtilFunc();
+	void test_WillThrowExceptionOnZeroRounds();
+	void test_WillThrowExceptionOnTooLargeDkSize();
+	void test_GetBytesWithoutInitDoesNothing();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.cpp
new file mode 100644
index 00000000..634fdfac
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.cpp
@@ -0,0 +1,286 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Pbkdf2Sha1KeyDeriver_TestClass.h"
+#include "PbkdfUtil.h"
+
+#include <tc/crypto/Pbkdf2Sha1KeyDeriver.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_Pbkdf2Sha1KeyDeriver_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] START" << std::endl;
+	test_Constants();
+	test_ConfirmTestVector_Class();
+	test_ConfirmTestVector_UtilFunc();
+	test_WillThrowExceptionOnZeroRounds();
+	if (std::numeric_limits<size_t>::max() < std::numeric_limits<uint64_t>::max())
+	{
+		std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : SKIP (Cannot perform this test non 64bit systems)" << std::endl;
+	}
+	else
+	{
+		test_WillThrowExceptionOnTooLargeDkSize();
+	}
+	test_GetBytesWithoutInitDoesNothing();
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] END" << std::endl;
+}
+
+void crypto_Pbkdf2Sha1KeyDeriver_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check max derivable size
+			static const uint64_t kExpectedMaxDerivableSize = uint64_t(0xffffffff) * uint64_t(tc::crypto::Sha1Generator::kHashSize);
+			if (tc::crypto::Pbkdf2Sha1KeyDeriver::kMaxDerivableSize != kExpectedMaxDerivableSize)
+			{
+				ss << "kMaxDerivableSize had value " << std::dec << tc::crypto::Pbkdf2Sha1KeyDeriver::kMaxDerivableSize << " (expected " << kExpectedMaxDerivableSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha1KeyDeriver_TestClass::test_ConfirmTestVector_Class()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] test_ConfirmTestVector_Class : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA1);
+
+			tc::crypto::Pbkdf2Sha1KeyDeriver keydev;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{	
+				keydev.initialize((const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+				
+				auto dk = tc::ByteData(test->in_dk_len);
+				keydev.getBytes(dk.data(), dk.size());
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha1KeyDeriver_TestClass::test_ConfirmTestVector_UtilFunc()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] test_ConfirmTestVector_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA1);
+
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				auto dk = tc::ByteData(test->in_dk_len);
+
+				tc::crypto::DeriveKeyPbkdf2Sha1(dk.data(), dk.size(), (const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha1KeyDeriver_TestClass::test_WillThrowExceptionOnZeroRounds()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] test_WillThrowExceptionOnZeroRounds : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA1);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+
+			try 
+			{
+				tc::crypto::DeriveKeyPbkdf2Sha1(dk.data(), dk.size(), (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("DeriveKeyPbkdf2Sha1() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf2Sha1KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("Pbkdf2Sha1KeyDeriver::initialize() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha1KeyDeriver_TestClass::test_WillThrowExceptionOnTooLargeDkSize()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA1);
+			
+
+			try 
+			{
+				// nullptr because we expect this to fail outright and allocating kMaxDerivableSize+1 is too large
+				tc::crypto::DeriveKeyPbkdf2Sha1(nullptr, tc::crypto::Pbkdf2Sha1KeyDeriver::kMaxDerivableSize + 1, (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+
+				throw tc::Exception("DeriveKeyPbkdf2Sha1() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf2Sha1KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+				
+				// nullptr because we expect this to fail outright and allocating kMaxDerivableSize+1 is too large
+				keydev.getBytes(nullptr, tc::crypto::Pbkdf2Sha1KeyDeriver::kMaxDerivableSize + 1);
+
+				throw tc::Exception("Pbkdf2Sha1KeyDeriver::getBytes() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha1KeyDeriver_TestClass::test_GetBytesWithoutInitDoesNothing()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha1KeyDeriver] test_GetBytesWithoutInitDoesNothing : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA1);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+			memset(dk.data(), 0xab, dk.size());
+
+			tc::crypto::Pbkdf2Sha1KeyDeriver keydev;
+			keydev.getBytes(dk.data(), dk.size());
+
+			byte_t cmp = 1;
+			for (size_t i = 0; i < dk.size(); i++)
+			{
+				cmp &= dk[i] == 0xab;
+			}
+
+			if (cmp != 1)
+			{
+				throw tc::Exception("getBytes() operated inspite of not being initialized.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.h
new file mode 100644
index 00000000..5578a1d4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha1KeyDeriver_TestClass.h
@@ -0,0 +1,15 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Pbkdf2Sha1KeyDeriver_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_ConfirmTestVector_Class();
+	void test_ConfirmTestVector_UtilFunc();
+	void test_WillThrowExceptionOnZeroRounds();
+	void test_WillThrowExceptionOnTooLargeDkSize();
+	void test_GetBytesWithoutInitDoesNothing();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.cpp
new file mode 100644
index 00000000..1b549207
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.cpp
@@ -0,0 +1,287 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Pbkdf2Sha256KeyDeriver_TestClass.h"
+#include "PbkdfUtil.h"
+
+#include <tc/crypto/Pbkdf2Sha256KeyDeriver.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_Pbkdf2Sha256KeyDeriver_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] START" << std::endl;
+	test_Constants();
+	test_ConfirmTestVector_Class();
+	test_ConfirmTestVector_UtilFunc();
+	test_WillThrowExceptionOnZeroRounds();
+	if (std::numeric_limits<size_t>::max() < std::numeric_limits<uint64_t>::max())
+	{
+		std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : SKIP (Cannot perform this test non 64bit systems)" << std::endl;
+	}
+	else
+	{
+		test_WillThrowExceptionOnTooLargeDkSize();
+	}
+	test_GetBytesWithoutInitDoesNothing();
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] END" << std::endl;
+}
+
+void crypto_Pbkdf2Sha256KeyDeriver_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check max derivable size
+			static const uint64_t kExpectedMaxDerivableSize = uint64_t(0xffffffff) * uint64_t(tc::crypto::Sha256Generator::kHashSize);
+			if (tc::crypto::Pbkdf2Sha256KeyDeriver::kMaxDerivableSize != kExpectedMaxDerivableSize)
+			{
+				ss << "kMaxDerivableSize had value " << std::dec << tc::crypto::Pbkdf2Sha256KeyDeriver::kMaxDerivableSize << " (expected " << kExpectedMaxDerivableSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha256KeyDeriver_TestClass::test_ConfirmTestVector_Class()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] test_ConfirmTestVector_Class : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA256);
+
+			tc::crypto::Pbkdf2Sha256KeyDeriver keydev;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{	
+				keydev.initialize((const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+				
+				auto dk = tc::ByteData(test->in_dk_len);
+				keydev.getBytes(dk.data(), dk.size());
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha256KeyDeriver_TestClass::test_ConfirmTestVector_UtilFunc()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] test_ConfirmTestVector_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA256);
+
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				auto dk = tc::ByteData(test->in_dk_len);
+
+				tc::crypto::DeriveKeyPbkdf2Sha256(dk.data(), dk.size(), (const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha256KeyDeriver_TestClass::test_WillThrowExceptionOnZeroRounds()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] test_WillThrowExceptionOnZeroRounds : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA256);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+
+			try 
+			{
+				tc::crypto::DeriveKeyPbkdf2Sha256(dk.data(), dk.size(), (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("DeriveKeyPbkdf2Sha256() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf2Sha256KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("Pbkdf2Sha256KeyDeriver::initialize() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha256KeyDeriver_TestClass::test_WillThrowExceptionOnTooLargeDkSize()
+{
+	// this test relies on size_t being 64bit, since the maximum kMaxDerivableSize is uint64_t, manually generating kMaxDerivableSize bytes would take very long. The point of this test is to refuse it outright which can't be done on 32bit systems.
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA256);
+			
+
+			try 
+			{
+				// nullptr because we expect this to fail outright and allocating kMaxDerivableSize+1 is too large
+				tc::crypto::DeriveKeyPbkdf2Sha256(nullptr, tc::crypto::Pbkdf2Sha256KeyDeriver::kMaxDerivableSize + 1, (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+
+				throw tc::Exception("DeriveKeyPbkdf2Sha256() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf2Sha256KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+
+				// nullptr because we expect this to fail outright and allocating kMaxDerivableSize+1 is too large
+				keydev.getBytes(nullptr, tc::crypto::Pbkdf2Sha256KeyDeriver::kMaxDerivableSize + 1);
+
+				throw tc::Exception("Pbkdf2Sha256KeyDeriver::getBytes() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha256KeyDeriver_TestClass::test_GetBytesWithoutInitDoesNothing()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha256KeyDeriver] test_GetBytesWithoutInitDoesNothing : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA256);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+			memset(dk.data(), 0xab, dk.size());
+
+			tc::crypto::Pbkdf2Sha256KeyDeriver keydev;
+			keydev.getBytes(dk.data(), dk.size());
+
+			byte_t cmp = 1;
+			for (size_t i = 0; i < dk.size(); i++)
+			{
+				cmp &= dk[i] == 0xab;
+			}
+
+			if (cmp != 1)
+			{
+				throw tc::Exception("getBytes() operated in spite of not being initialized.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.h
new file mode 100644
index 00000000..b0d256ae
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha256KeyDeriver_TestClass.h
@@ -0,0 +1,15 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Pbkdf2Sha256KeyDeriver_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_ConfirmTestVector_Class();
+	void test_ConfirmTestVector_UtilFunc();
+	void test_WillThrowExceptionOnZeroRounds();
+	void test_WillThrowExceptionOnTooLargeDkSize();
+	void test_GetBytesWithoutInitDoesNothing();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.cpp
new file mode 100644
index 00000000..7f94a076
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.cpp
@@ -0,0 +1,286 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Pbkdf2Sha512KeyDeriver_TestClass.h"
+#include "PbkdfUtil.h"
+
+#include <tc/crypto/Pbkdf2Sha512KeyDeriver.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_Pbkdf2Sha512KeyDeriver_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] START" << std::endl;
+	test_Constants();
+	test_ConfirmTestVector_Class();
+	test_ConfirmTestVector_UtilFunc();
+	test_WillThrowExceptionOnZeroRounds();
+	if (std::numeric_limits<size_t>::max() < std::numeric_limits<uint64_t>::max())
+	{
+		std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : SKIP (Cannot perform this test non 64bit systems)" << std::endl;
+	}
+	else
+	{
+		test_WillThrowExceptionOnTooLargeDkSize();
+	}
+	test_GetBytesWithoutInitDoesNothing();
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] END" << std::endl;
+}
+
+void crypto_Pbkdf2Sha512KeyDeriver_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check max derivable size
+			static const uint64_t kExpectedMaxDerivableSize = uint64_t(0xffffffff) * uint64_t(tc::crypto::Sha512Generator::kHashSize);
+			if (tc::crypto::Pbkdf2Sha512KeyDeriver::kMaxDerivableSize != kExpectedMaxDerivableSize)
+			{
+				ss << "kMaxDerivableSize had value " << std::dec << tc::crypto::Pbkdf2Sha512KeyDeriver::kMaxDerivableSize << " (expected " << kExpectedMaxDerivableSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha512KeyDeriver_TestClass::test_ConfirmTestVector_Class()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] test_ConfirmTestVector_Class : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA512);
+
+			tc::crypto::Pbkdf2Sha512KeyDeriver keydev;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{	
+				keydev.initialize((const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+				
+				auto dk = tc::ByteData(test->in_dk_len);
+				keydev.getBytes(dk.data(), dk.size());
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha512KeyDeriver_TestClass::test_ConfirmTestVector_UtilFunc()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] test_ConfirmTestVector_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA512);
+
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				auto dk = tc::ByteData(test->in_dk_len);
+
+				tc::crypto::DeriveKeyPbkdf2Sha512(dk.data(), dk.size(), (const byte_t*)test->in_password.c_str(), test->in_password.size(), (const byte_t*)test->in_salt.c_str(), test->in_salt.size(), test->in_rounds);
+
+				if (memcmp(dk.data(), test->out_dk.data(), dk.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong DK: " << tc::cli::FormatUtil::formatBytesAsString(dk, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_dk, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha512KeyDeriver_TestClass::test_WillThrowExceptionOnZeroRounds()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] test_WillThrowExceptionOnZeroRounds : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA512);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+
+			try 
+			{
+				tc::crypto::DeriveKeyPbkdf2Sha512(dk.data(), dk.size(), (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("DeriveKeyPbkdf2Sha512() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf2Sha512KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), 0);
+
+				throw tc::Exception("Pbkdf2Sha512KeyDeriver::initialize() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha512KeyDeriver_TestClass::test_WillThrowExceptionOnTooLargeDkSize()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] test_WillThrowExceptionOnTooLargeDkSize : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA512);
+			
+
+			try 
+			{
+				// nullptr because we expect this to fail outright and allocating kMaxDerivableSize+1 is too large
+				tc::crypto::DeriveKeyPbkdf2Sha512(nullptr, tc::crypto::Pbkdf2Sha512KeyDeriver::kMaxDerivableSize + 1, (const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+
+				throw tc::Exception("DeriveKeyPbkdf2Sha512() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::crypto::Pbkdf2Sha512KeyDeriver keydev;
+
+				keydev.initialize((const byte_t*)tests[0].in_password.c_str(), tests[0].in_password.size(), (const byte_t*)tests[0].in_salt.c_str(), tests[0].in_salt.size(), tests[0].in_rounds);
+				
+				// nullptr because we expect this to fail outright and allocating kMaxDerivableSize+1 is too large
+				keydev.getBytes(nullptr, tc::crypto::Pbkdf2Sha512KeyDeriver::kMaxDerivableSize + 1);
+
+				throw tc::Exception("Pbkdf2Sha512KeyDeriver::getBytes() Did not throw exception");
+			} catch (const tc::crypto::CryptoException&)
+			{
+				// do nothing
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Pbkdf2Sha512KeyDeriver_TestClass::test_GetBytesWithoutInitDoesNothing()
+{
+	std::cout << "[tc::crypto::Pbkdf2Sha512KeyDeriver] test_GetBytesWithoutInitDoesNothing : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<PbkdfUtil::TestVector> tests;
+			PbkdfUtil::generatePbkdf2TestVectors_RFC6070(tests, PbkdfUtil::SHA512);
+
+			auto dk = tc::ByteData(tests[0].in_dk_len);
+			memset(dk.data(), 0xab, dk.size());
+
+			tc::crypto::Pbkdf2Sha512KeyDeriver keydev;
+			keydev.getBytes(dk.data(), dk.size());
+
+			byte_t cmp = 1;
+			for (size_t i = 0; i < dk.size(); i++)
+			{
+				cmp &= dk[i] == 0xab;
+			}
+
+			if (cmp != 1)
+			{
+				throw tc::Exception("getBytes() operated inspite of not being initialized.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.h
new file mode 100644
index 00000000..236072b9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Pbkdf2Sha512KeyDeriver_TestClass.h
@@ -0,0 +1,15 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Pbkdf2Sha512KeyDeriver_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_ConfirmTestVector_Class();
+	void test_ConfirmTestVector_UtilFunc();
+	void test_WillThrowExceptionOnZeroRounds();
+	void test_WillThrowExceptionOnTooLargeDkSize();
+	void test_GetBytesWithoutInitDoesNothing();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.cpp
new file mode 100644
index 00000000..129d567e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.cpp
@@ -0,0 +1,226 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_PseudoRandomByteGenerator_TestClass.h"
+
+#include <tc/crypto/PseudoRandomByteGenerator.h>
+#include <tc/io/PaddingSource.h>
+#include <tc/cli/FormatUtil.h>
+
+void crypto_PseudoRandomByteGenerator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::PseudoRandomByteGenerator] START" << std::endl;
+	test_Class();
+	test_UtilFunc();
+	test_MultipleObjectsCreateDifferentData();
+	test_RepeatedCallsCreateDifferentData();
+	std::cout << "[tc::crypto::PseudoRandomByteGenerator] END" << std::endl;
+}
+
+void crypto_PseudoRandomByteGenerator_TestClass::test_Class()
+{
+	std::cout << "[tc::crypto::PseudoRandomByteGenerator] test_Class : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create buffer to hold random data
+			auto random_data = tc::ByteData(0x20);
+
+			// generate control_data to compare to random_data to ensure that it is populated with random bytes
+			auto control_data = tc::io::PaddingSource(0xbe, random_data.size()).pullData(0, random_data.size());
+
+			// copy control data
+			memcpy(random_data.data(), control_data.data(), random_data.size());
+
+			// generate random bytes
+			tc::crypto::PseudoRandomByteGenerator prbg;
+			prbg.getBytes(random_data.data(), random_data.size());
+
+			// compare with control data to see if the data changed
+			if (memcmp(random_data.data(), control_data.data(), random_data.size()) == 0)
+			{
+				throw tc::Exception(".getBytes() did not populate array");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_PseudoRandomByteGenerator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::PseudoRandomByteGenerator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create buffer to hold random data
+			auto random_data = tc::ByteData(0x20);
+
+			// generate control_data to compare to random_data to ensure that it is populated with random bytes
+			auto control_data = tc::io::PaddingSource(0xbe, random_data.size()).pullData(0, random_data.size());
+
+			// copy control data
+			memcpy(random_data.data(), control_data.data(), random_data.size());
+
+			// generate random bytes
+			tc::crypto::GeneratePseudoRandomBytes(random_data.data(), random_data.size());
+
+			// compare with control data to see if the data changed
+			if (memcmp(random_data.data(), control_data.data(), random_data.size()) == 0)
+			{
+				throw tc::Exception("GeneratePseudoRandomBytes() did not populate array");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_PseudoRandomByteGenerator_TestClass::test_MultipleObjectsCreateDifferentData()
+{
+	std::cout << "[tc::crypto::PseudoRandomByteGenerator] test_MultipleObjectsCreateDifferentData : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// generate allocate storage for each test
+			static const size_t kRandomDataSize = 0x20;
+			auto random_data1 = tc::ByteData(kRandomDataSize);
+			auto random_data2 = tc::ByteData(kRandomDataSize);
+			auto random_data3 = tc::ByteData(kRandomDataSize);
+			
+			// create PRBG objects
+			tc::crypto::PseudoRandomByteGenerator prbg1, prbg2, prbg3;
+			
+			// generate random data
+			prbg1.getBytes(random_data1.data(), random_data1.size());
+			prbg2.getBytes(random_data2.data(), random_data2.size());
+			prbg3.getBytes(random_data3.data(), random_data3.size());
+
+			size_t cmp12 = 0, cmp13 = 0, cmp23 = 0;
+
+			for (size_t i = 0; i < kRandomDataSize; i++)
+			{
+				cmp12 += random_data1[i] == random_data2[i];
+				cmp13 += random_data1[i] == random_data3[i];
+				cmp23 += random_data2[i] == random_data3[i];
+			}
+
+			// check to see if any of the tests were similar
+			static const size_t kSimilarityThreshold = 2;
+			if (cmp12 > kSimilarityThreshold)
+			{
+				ss << "case 1 & case 2 has " << std::dec << cmp12 << " similar bytes" ;
+				throw tc::Exception(ss.str());
+			}
+			if (cmp13 > kSimilarityThreshold)
+			{
+				ss << "case 1 & case 3 has " << std::dec << cmp13 << " similar bytes" ;
+				throw tc::Exception(ss.str());
+			}
+			if (cmp23 > kSimilarityThreshold)
+			{
+				ss << "case 2 & case 3 has " << std::dec << cmp23 << " similar bytes" ;
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_PseudoRandomByteGenerator_TestClass::test_RepeatedCallsCreateDifferentData()
+{
+	std::cout << "[tc::crypto::PseudoRandomByteGenerator] test_RepeatedCallsCreateDifferentData : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// generate allocate storage for each test
+			static const size_t kRandomDataSize = 0x20;
+			auto random_data1 = tc::ByteData(kRandomDataSize);
+			auto random_data2 = tc::ByteData(kRandomDataSize);
+			auto random_data3 = tc::ByteData(kRandomDataSize);
+			
+			// create PRBG object
+			tc::crypto::PseudoRandomByteGenerator prbg;
+			
+			// generate random data
+			prbg.getBytes(random_data1.data(), random_data1.size());
+			prbg.getBytes(random_data2.data(), random_data2.size());
+			prbg.getBytes(random_data3.data(), random_data3.size());
+
+			size_t cmp12 = 0, cmp13 = 0, cmp23 = 0;
+
+			for (size_t i = 0; i < kRandomDataSize; i++)
+			{
+				cmp12 += random_data1[i] == random_data2[i];
+				cmp13 += random_data1[i] == random_data3[i];
+				cmp23 += random_data2[i] == random_data3[i];
+			}
+
+			// check to see if any of the tests were similar
+			static const size_t kSimilarityThreshold = 2;
+			if (cmp12 > kSimilarityThreshold)
+			{
+				ss << "case 1 & case 2 has " << std::dec << cmp12 << " similar bytes" ;
+				throw tc::Exception(ss.str());
+			}
+			if (cmp13 > kSimilarityThreshold)
+			{
+				ss << "case 1 & case 3 has " << std::dec << cmp13 << " similar bytes" ;
+				throw tc::Exception(ss.str());
+			}
+			if (cmp23 > kSimilarityThreshold)
+			{
+				ss << "case 2 & case 3 has " << std::dec << cmp23 << " similar bytes" ;
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.h
new file mode 100644
index 00000000..1cc5418a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_PseudoRandomByteGenerator_TestClass.h
@@ -0,0 +1,14 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_PseudoRandomByteGenerator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Class();
+	void test_UtilFunc();
+
+	void test_MultipleObjectsCreateDifferentData();
+	void test_RepeatedCallsCreateDifferentData();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.cpp
new file mode 100644
index 00000000..280dcafe
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.cpp
@@ -0,0 +1,673 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa1024OaepSha256Encryptor_TestClass.h"
+#include "RsaOaepUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaOaepSha256Encryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassDec();
+	test_UseClassEnc();
+	test_UseUtilFuncDec();
+	test_UseUtilFuncEnc();
+	test_UnspecifiedSeedProducesDifferentBlock();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptReturnsFalseOnBadInput();
+	test_DecryptReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] END" << std::endl;
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 1024 >> 3;
+			if (tc::crypto::Rsa1024OaepSha256Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Rsa1024OaepSha256Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024OaepSha256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				cryptor.decrypt(data.data(), message_size, data.size(), test->enc_message.data());
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024OaepSha256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->enc_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test encryption
+				cryptor.encrypt(data.data(), test->dec_message.data(), test->dec_message.size(), test->enc_seed.data(), test->enc_seed.size());
+				if (memcmp(data.data(), test->enc_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->enc_message, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				bool res = tc::crypto::DecryptRsa1024OaepSha256(data.data(), message_size, data.size(), test->enc_message.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: DecryptRsa1024OaepSha256 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// the utility function doesn't support specifying a seed, so we'll have to do some `lite` validation using the already validated decryption utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData dec_data = tc::ByteData(test->dec_message.size());
+				tc::ByteData enc_data = tc::ByteData(test->enc_message.size());
+					
+				// clear data
+				memset(dec_data.data(), 0xff, dec_data.size());
+				memset(enc_data.data(), 0xff, enc_data.size());
+
+				// test encryption
+				bool res = tc::crypto::EncryptRsa1024OaepSha256(enc_data.data(), test->dec_message.data(), test->dec_message.size(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: EncryptRsa1024OaepSha256 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to decrypt message
+				size_t message_size = 0;
+				res = tc::crypto::DecryptRsa1024OaepSha256(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: encrypted message could not be decrypted";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}	
+				if (memcmp(dec_data.data(), test->dec_message.data(), dec_data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: decrypted message was not expected " << tc::cli::FormatUtil::formatBytesAsString(dec_data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_UnspecifiedSeedProducesDifferentBlock()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_UnspecifiedSeedProducesDifferentBlock : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024OaepSha256Encryptor cryptor;
+
+			// initialize
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), tests[0].label_is_digested);
+
+			static const size_t kTestNum = 20;
+			std::vector<tc::ByteData> enc_messages;
+
+			int difference_score = 0;
+			for (size_t i = 0; i < kTestNum; i++)
+			{
+				// create message buffer
+				tc::ByteData msg = tc::ByteData(tests[0].enc_message.size());
+				
+				// encrypt using auto seed generator
+				cryptor.encrypt(msg.data(), tests[0].dec_message.data(), tests[0].dec_message.size());
+				
+				// add message to vector
+				enc_messages.push_back(msg);
+
+				// compare this message to the previous messages
+				for (size_t j = 0; j < i; j++)
+				{
+					difference_score += memcmp(enc_messages[i].data(), enc_messages[j].data(), tests[0].enc_message.size()) == 0;
+				}
+			}
+		
+			if (difference_score != 0)
+			{
+				throw tc::Exception("Failed to generate unique encrypted messages.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			bool res;
+			tc::crypto::Rsa1024OaepSha256Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_message = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData message = tc::ByteData(control_message.data(), control_message.size());
+			tc::ByteData control_block = tc::io::PaddingSource(0xdd, tc::crypto::Rsa1024OaepSha256Encryptor::kBlockSize).pullData(0, tc::crypto::Rsa1024OaepSha256Encryptor::kBlockSize);
+			tc::ByteData block = tc::ByteData(control_block);
+			size_t control_message_size = 0x1337;
+			size_t message_size = control_message_size;
+
+			// try to decrypt without calling initialize()
+			res = cryptor.decrypt(message.data(), message_size, message.size(), block.data());
+
+			if (res != false)
+			{
+				ss << "Failed: decrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (message_size != control_message_size)
+			{
+				ss << "Failed: decrypt() modified message_size when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(message.data(), control_message.data(), message.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			res = cryptor.encrypt(block.data(), message.data(), message.size());
+
+			if (res != false)
+			{
+				ss << "Failed: encrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(block.data(), control_block.data(), block.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on block when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa1024OaepSha256Encryptor cryptor;
+
+			// reference initialize call
+			//cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+			
+			auto label = tc::io::PaddingSource(0xab, tc::crypto::Sha256Generator::kHashSize).pullData(0, tc::crypto::Sha256Generator::kHashSize-2);
+			auto empty_label = tc::ByteData();
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				cryptor.initialize(empty_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_modulus_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_modulus_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_privexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_pubexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_exponent_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), label.size(), true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where isLabelDigested==true but the label isn't the correct size");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), 0, false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label != nullptr but label_size == 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, nullptr, label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label == nullptr but label_size != 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_EncryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_EncryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa1024OaepSha256Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].enc_message.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+
+			bool result = false;
+
+			result = cryptor.encrypt(nullptr, tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), nullptr, tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), 0, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size==0"); // ArgumentOutOfRangeException
+			}
+
+			size_t max_message_size = tc::crypto::Rsa1024OaepSha256Encryptor::kBlockSize - (2 * tc::crypto::Sha256Generator::kHashSize) - 2;
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), max_message_size+1, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size was too large to be encrypted in one RSA-OAEP block"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), 0);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed_size!=HashCalculator::kHashSize"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), nullptr, tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed==nullptr"); // ArgumentNullException
+			}
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024OaepSha256Encryptor_TestClass::test_DecryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024OaepSha256Encryptor] test_DecryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 1024, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa1024OaepSha256Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].dec_message.size());
+			size_t message_size = 0;
+
+			// reference encrypt call
+			//cryptor.decrypt(data.data(), message_size, data.size(), tests[0].enc_message.data());
+
+			bool result = false;
+
+			result = cryptor.decrypt(nullptr, message_size, data.size(), tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, 0, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity==0"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, data.size(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, tests[0].dec_message.size()-1, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity was not large enough"); // ArgumentOutOfRangeException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.h
new file mode 100644
index 00000000..6f68e896
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024OaepSha256Encryptor_TestClass.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa1024OaepSha256Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassDec();
+	void test_UseClassEnc();
+	void test_UseUtilFuncDec();
+	void test_UseUtilFuncEnc();
+	void test_UnspecifiedSeedProducesDifferentBlock();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptReturnsFalseOnBadInput();
+	void test_DecryptReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.cpp
new file mode 100644
index 00000000..29cc15df
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa1024Pkcs1Md5Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Md5Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] END" << std::endl;
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 1024 >> 3;
+			if (tc::crypto::Rsa1024Pkcs1Md5Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa1024Pkcs1Md5Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Md5Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Md5Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa1024Pkcs1Md5(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa1024Pkcs1Md5(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa1024Pkcs1Md5Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa1024Pkcs1Md5Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa1024Pkcs1Md5Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Md5Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Md5Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa1024Pkcs1Md5Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.h
new file mode 100644
index 00000000..1bb3c079
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Md5Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa1024Pkcs1Md5Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.cpp
new file mode 100644
index 00000000..7973b606
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha1Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] END" << std::endl;
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 1024 >> 3;
+			if (tc::crypto::Rsa1024Pkcs1Sha1Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa1024Pkcs1Sha1Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Sha1Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Sha1Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa1024Pkcs1Sha1(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa1024Pkcs1Sha1(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa1024Pkcs1Sha1Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa1024Pkcs1Sha1Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa1024Pkcs1Sha1Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha1Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha1Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa1024Pkcs1Sha1Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h
new file mode 100644
index 00000000..094ee669
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa1024Pkcs1Sha1Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.cpp
new file mode 100644
index 00000000..9eec61dc
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha256Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] END" << std::endl;
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 1024 >> 3;
+			if (tc::crypto::Rsa1024Pkcs1Sha256Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa1024Pkcs1Sha256Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Sha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Sha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa1024Pkcs1Sha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa1024Pkcs1Sha256(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa1024Pkcs1Sha256Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa1024Pkcs1Sha256Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa1024Pkcs1Sha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha256Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha256Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa1024Pkcs1Sha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h
new file mode 100644
index 00000000..2d6ff721
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa1024Pkcs1Sha256Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.cpp
new file mode 100644
index 00000000..1e6f56ba
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha512Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] END" << std::endl;
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 1024 >> 3;
+			if (tc::crypto::Rsa1024Pkcs1Sha512Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa1024Pkcs1Sha512Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Sha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024Pkcs1Sha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa1024Pkcs1Sha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa1024Pkcs1Sha512(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa1024Pkcs1Sha512Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa1024Pkcs1Sha512Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa1024Pkcs1Sha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024Pkcs1Sha512Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024Pkcs1Sha512Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 1024, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa1024Pkcs1Sha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h
new file mode 100644
index 00000000..21555074
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa1024Pkcs1Sha512Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.cpp
new file mode 100644
index 00000000..55b4d0b4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.cpp
@@ -0,0 +1,502 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa1024PssSha256Signer_TestClass.h"
+#include "RsaPssUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPssSha256Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa1024PssSha256Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] END" << std::endl;
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 1024 >> 3;
+			if (tc::crypto::Rsa1024PssSha256Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa1024PssSha256Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024PssSha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data(), test->salt.data(), test->salt.size());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024PssSha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// signing using the util function does not support specifying the salt, so we'll have to do some `lite` validation using the verify utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa1024PssSha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to verify signature
+				result = tc::crypto::VerifyRsa1024PssSha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size())); //(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (result != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: signature could not be verified";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa1024PssSha256(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa1024PssSha256Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa1024PssSha256Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa1024PssSha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha256Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha256Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa1024PssSha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.h
new file mode 100644
index 00000000..460a00b1
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha256Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa1024PssSha256Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.cpp
new file mode 100644
index 00000000..d8b2ca63
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.cpp
@@ -0,0 +1,503 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa1024PssSha512Signer_TestClass.h"
+#include "RsaPssUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPssSha512Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa1024PssSha512Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] END" << std::endl;
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 1024 >> 3;
+			if (tc::crypto::Rsa1024PssSha512Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa1024PssSha512Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024PssSha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data(), test->salt.data(), test->salt.size());
+				signer.verify(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa1024PssSha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// signing using the util function does not support specifying the salt, so we'll have to do some `lite` validation using the verify utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa1024PssSha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to verify signature
+				result = tc::crypto::VerifyRsa1024PssSha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size())); //(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (result != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: signature could not be verified";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa1024PssSha512(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa1024PssSha512Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa1024PssSha512Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa1024PssSha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa1024PssSha512Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa1024PssSha512Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 1024, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa1024PssSha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.h
new file mode 100644
index 00000000..ee8f4e8c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa1024PssSha512Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa1024PssSha512Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.cpp
new file mode 100644
index 00000000..dc92b275
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.cpp
@@ -0,0 +1,673 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048OaepSha256Encryptor_TestClass.h"
+#include "RsaOaepUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaOaepSha256Encryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassDec();
+	test_UseClassEnc();
+	test_UseUtilFuncDec();
+	test_UseUtilFuncEnc();
+	test_UnspecifiedSeedProducesDifferentBlock();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptReturnsFalseOnBadInput();
+	test_DecryptReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] END" << std::endl;
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048OaepSha256Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Rsa2048OaepSha256Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048OaepSha256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				cryptor.decrypt(data.data(), message_size, data.size(), test->enc_message.data());
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048OaepSha256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->enc_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test encryption
+				cryptor.encrypt(data.data(), test->dec_message.data(), test->dec_message.size(), test->enc_seed.data(), test->enc_seed.size());
+				if (memcmp(data.data(), test->enc_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->enc_message, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				bool res = tc::crypto::DecryptRsa2048OaepSha256(data.data(), message_size, data.size(), test->enc_message.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: DecryptRsa2048OaepSha256 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// the utility function doesn't support specifying a seed, so we'll have to do some `lite` validation using the already validated decryption utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData dec_data = tc::ByteData(test->dec_message.size());
+				tc::ByteData enc_data = tc::ByteData(test->enc_message.size());
+					
+				// clear data
+				memset(dec_data.data(), 0xff, dec_data.size());
+				memset(enc_data.data(), 0xff, enc_data.size());
+
+				// test encryption
+				bool res = tc::crypto::EncryptRsa2048OaepSha256(enc_data.data(), test->dec_message.data(), test->dec_message.size(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: EncryptRsa2048OaepSha256 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to decrypt message
+				size_t message_size = 0;
+				res = tc::crypto::DecryptRsa2048OaepSha256(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: encrypted message could not be decrypted";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}	
+				if (memcmp(dec_data.data(), test->dec_message.data(), dec_data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: decrypted message was not expected " << tc::cli::FormatUtil::formatBytesAsString(dec_data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_UnspecifiedSeedProducesDifferentBlock()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_UnspecifiedSeedProducesDifferentBlock : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048OaepSha256Encryptor cryptor;
+
+			// initialize
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), tests[0].label_is_digested);
+
+			static const size_t kTestNum = 20;
+			std::vector<tc::ByteData> enc_messages;
+
+			int difference_score = 0;
+			for (size_t i = 0; i < kTestNum; i++)
+			{
+				// create message buffer
+				tc::ByteData msg = tc::ByteData(tests[0].enc_message.size());
+				
+				// encrypt using auto seed generator
+				cryptor.encrypt(msg.data(), tests[0].dec_message.data(), tests[0].dec_message.size());
+				
+				// add message to vector
+				enc_messages.push_back(msg);
+
+				// compare this message to the previous messages
+				for (size_t j = 0; j < i; j++)
+				{
+					difference_score += memcmp(enc_messages[i].data(), enc_messages[j].data(), tests[0].enc_message.size()) == 0;
+				}
+			}
+		
+			if (difference_score != 0)
+			{
+				throw tc::Exception("Failed to generate unique encrypted messages.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			bool res;
+			tc::crypto::Rsa2048OaepSha256Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_message = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData message = tc::ByteData(control_message.data(), control_message.size());
+			tc::ByteData control_block = tc::io::PaddingSource(0xdd, tc::crypto::Rsa2048OaepSha256Encryptor::kBlockSize).pullData(0, tc::crypto::Rsa2048OaepSha256Encryptor::kBlockSize);
+			tc::ByteData block = tc::ByteData(control_block);
+			size_t control_message_size = 0x1337;
+			size_t message_size = control_message_size;
+
+			// try to decrypt without calling initialize()
+			res = cryptor.decrypt(message.data(), message_size, message.size(), block.data());
+
+			if (res != false)
+			{
+				ss << "Failed: decrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (message_size != control_message_size)
+			{
+				ss << "Failed: decrypt() modified message_size when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(message.data(), control_message.data(), message.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			res = cryptor.encrypt(block.data(), message.data(), message.size());
+
+			if (res != false)
+			{
+				ss << "Failed: encrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(block.data(), control_block.data(), block.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on block when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa2048OaepSha256Encryptor cryptor;
+
+			// reference initialize call
+			//cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+			
+			auto label = tc::io::PaddingSource(0xab, tc::crypto::Sha256Generator::kHashSize).pullData(0, tc::crypto::Sha256Generator::kHashSize-2);
+			auto empty_label = tc::ByteData();
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				cryptor.initialize(empty_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_modulus_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_modulus_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_privexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_pubexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_exponent_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), label.size(), true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where isLabelDigested==true but the label isn't the correct size");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), 0, false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label != nullptr but label_size == 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, nullptr, label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label == nullptr but label_size != 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_EncryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_EncryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa2048OaepSha256Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].enc_message.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+
+			bool result = false;
+
+			result = cryptor.encrypt(nullptr, tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), nullptr, tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), 0, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size==0"); // ArgumentOutOfRangeException
+			}
+
+			size_t max_message_size = tc::crypto::Rsa2048OaepSha256Encryptor::kBlockSize - (2 * tc::crypto::Sha256Generator::kHashSize) - 2;
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), max_message_size+1, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size was too large to be encrypted in one RSA-OAEP block"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), 0);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed_size!=HashCalculator::kHashSize"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), nullptr, tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed==nullptr"); // ArgumentNullException
+			}
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha256Encryptor_TestClass::test_DecryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha256Encryptor] test_DecryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa2048OaepSha256Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].dec_message.size());
+			size_t message_size = 0;
+
+			// reference encrypt call
+			//cryptor.decrypt(data.data(), message_size, data.size(), tests[0].enc_message.data());
+
+			bool result = false;
+
+			result = cryptor.decrypt(nullptr, message_size, data.size(), tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, 0, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity==0"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, data.size(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, tests[0].dec_message.size()-1, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity was not large enough"); // ArgumentOutOfRangeException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.h
new file mode 100644
index 00000000..1f6c0d74
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha256Encryptor_TestClass.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048OaepSha256Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassDec();
+	void test_UseClassEnc();
+	void test_UseUtilFuncDec();
+	void test_UseUtilFuncEnc();
+	void test_UnspecifiedSeedProducesDifferentBlock();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptReturnsFalseOnBadInput();
+	void test_DecryptReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.cpp
new file mode 100644
index 00000000..44588d09
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.cpp
@@ -0,0 +1,673 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048OaepSha512Encryptor_TestClass.h"
+#include "RsaOaepUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaOaepSha512Encryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassDec();
+	test_UseClassEnc();
+	test_UseUtilFuncDec();
+	test_UseUtilFuncEnc();
+	test_UnspecifiedSeedProducesDifferentBlock();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptReturnsFalseOnBadInput();
+	test_DecryptReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] END" << std::endl;
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048OaepSha512Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Rsa2048OaepSha512Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048OaepSha512Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				cryptor.decrypt(data.data(), message_size, data.size(), test->enc_message.data());
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048OaepSha512Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->enc_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test encryption
+				cryptor.encrypt(data.data(), test->dec_message.data(), test->dec_message.size(), test->enc_seed.data(), test->enc_seed.size());
+				if (memcmp(data.data(), test->enc_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->enc_message, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				bool res = tc::crypto::DecryptRsa2048OaepSha512(data.data(), message_size, data.size(), test->enc_message.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: DecryptRsa2048OaepSha512 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// the utility function doesn't support specifying a seed, so we'll have to do some `lite` validation using the already validated decryption utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData dec_data = tc::ByteData(test->dec_message.size());
+				tc::ByteData enc_data = tc::ByteData(test->enc_message.size());
+					
+				// clear data
+				memset(dec_data.data(), 0xff, dec_data.size());
+				memset(enc_data.data(), 0xff, enc_data.size());
+
+				// test encryption
+				bool res = tc::crypto::EncryptRsa2048OaepSha512(enc_data.data(), test->dec_message.data(), test->dec_message.size(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: EncryptRsa2048OaepSha512 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to decrypt message
+				size_t message_size = 0;
+				res = tc::crypto::DecryptRsa2048OaepSha512(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: encrypted message could not be decrypted";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}	
+				if (memcmp(dec_data.data(), test->dec_message.data(), dec_data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: decrypted message was not expected " << tc::cli::FormatUtil::formatBytesAsString(dec_data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_UnspecifiedSeedProducesDifferentBlock()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_UnspecifiedSeedProducesDifferentBlock : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048OaepSha512Encryptor cryptor;
+
+			// initialize
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), tests[0].label_is_digested);
+
+			static const size_t kTestNum = 20;
+			std::vector<tc::ByteData> enc_messages;
+
+			int difference_score = 0;
+			for (size_t i = 0; i < kTestNum; i++)
+			{
+				// create message buffer
+				tc::ByteData msg = tc::ByteData(tests[0].enc_message.size());
+				
+				// encrypt using auto seed generator
+				cryptor.encrypt(msg.data(), tests[0].dec_message.data(), tests[0].dec_message.size());
+				
+				// add message to vector
+				enc_messages.push_back(msg);
+
+				// compare this message to the previous messages
+				for (size_t j = 0; j < i; j++)
+				{
+					difference_score += memcmp(enc_messages[i].data(), enc_messages[j].data(), tests[0].enc_message.size()) == 0;
+				}
+			}
+		
+			if (difference_score != 0)
+			{
+				throw tc::Exception("Failed to generate unique encrypted messages.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			bool res;
+			tc::crypto::Rsa2048OaepSha512Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_message = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData message = tc::ByteData(control_message.data(), control_message.size());
+			tc::ByteData control_block = tc::io::PaddingSource(0xdd, tc::crypto::Rsa2048OaepSha512Encryptor::kBlockSize).pullData(0, tc::crypto::Rsa2048OaepSha512Encryptor::kBlockSize);
+			tc::ByteData block = tc::ByteData(control_block);
+			size_t control_message_size = 0x1337;
+			size_t message_size = control_message_size;
+
+			// try to decrypt without calling initialize()
+			res = cryptor.decrypt(message.data(), message_size, message.size(), block.data());
+
+			if (res != false)
+			{
+				ss << "Failed: decrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (message_size != control_message_size)
+			{
+				ss << "Failed: decrypt() modified message_size when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(message.data(), control_message.data(), message.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			res = cryptor.encrypt(block.data(), message.data(), message.size());
+
+			if (res != false)
+			{
+				ss << "Failed: encrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(block.data(), control_block.data(), block.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on block when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			tc::crypto::Rsa2048OaepSha512Encryptor cryptor;
+
+			// reference initialize call
+			//cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+			
+			auto label = tc::io::PaddingSource(0xab, tc::crypto::Sha512Generator::kHashSize).pullData(0, tc::crypto::Sha512Generator::kHashSize-2);
+			auto empty_label = tc::ByteData();
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				cryptor.initialize(empty_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_modulus_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_modulus_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_privexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_pubexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_exponent_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), label.size(), true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where isLabelDigested==true but the label isn't the correct size");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), 0, false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label != nullptr but label_size == 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, nullptr, label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label == nullptr but label_size != 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_EncryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_EncryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			tc::crypto::Rsa2048OaepSha512Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].enc_message.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+
+			bool result = false;
+
+			result = cryptor.encrypt(nullptr, tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), nullptr, tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), 0, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size==0"); // ArgumentOutOfRangeException
+			}
+
+			size_t max_message_size = tc::crypto::Rsa2048OaepSha512Encryptor::kBlockSize - (2 * tc::crypto::Sha512Generator::kHashSize) - 2;
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), max_message_size+1, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size was too large to be encrypted in one RSA-OAEP block"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), 0);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed_size!=HashCalculator::kHashSize"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), nullptr, tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed==nullptr"); // ArgumentNullException
+			}
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048OaepSha512Encryptor_TestClass::test_DecryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048OaepSha512Encryptor] test_DecryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 2048, RsaOaepUtil::SHA512);
+
+			tc::crypto::Rsa2048OaepSha512Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].dec_message.size());
+			size_t message_size = 0;
+
+			// reference encrypt call
+			//cryptor.decrypt(data.data(), message_size, data.size(), tests[0].enc_message.data());
+
+			bool result = false;
+
+			result = cryptor.decrypt(nullptr, message_size, data.size(), tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, 0, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity==0"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, data.size(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, tests[0].dec_message.size()-1, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity was not large enough"); // ArgumentOutOfRangeException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.h
new file mode 100644
index 00000000..9044a1e4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048OaepSha512Encryptor_TestClass.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048OaepSha512Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassDec();
+	void test_UseClassEnc();
+	void test_UseUtilFuncDec();
+	void test_UseUtilFuncEnc();
+	void test_UnspecifiedSeedProducesDifferentBlock();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptReturnsFalseOnBadInput();
+	void test_DecryptReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.cpp
new file mode 100644
index 00000000..0f8ba049
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048Pkcs1Md5Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Md5Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] END" << std::endl;
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048Pkcs1Md5Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa2048Pkcs1Md5Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Md5Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Md5Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa2048Pkcs1Md5(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa2048Pkcs1Md5(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa2048Pkcs1Md5Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa2048Pkcs1Md5Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa2048Pkcs1Md5Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Md5Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Md5Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa2048Pkcs1Md5Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.h
new file mode 100644
index 00000000..92207e46
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Md5Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048Pkcs1Md5Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.cpp
new file mode 100644
index 00000000..82501bd2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha1Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] END" << std::endl;
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048Pkcs1Sha1Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa2048Pkcs1Sha1Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Sha1Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Sha1Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa2048Pkcs1Sha1(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa2048Pkcs1Sha1(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa2048Pkcs1Sha1Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa2048Pkcs1Sha1Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa2048Pkcs1Sha1Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha1Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha1Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa2048Pkcs1Sha1Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h
new file mode 100644
index 00000000..7bc6e1a5
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048Pkcs1Sha1Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.cpp
new file mode 100644
index 00000000..8e141e45
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha256Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] END" << std::endl;
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048Pkcs1Sha256Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa2048Pkcs1Sha256Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Sha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Sha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa2048Pkcs1Sha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa2048Pkcs1Sha256(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa2048Pkcs1Sha256Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa2048Pkcs1Sha256Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa2048Pkcs1Sha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha256Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha256Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa2048Pkcs1Sha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h
new file mode 100644
index 00000000..88ead798
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048Pkcs1Sha256Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.cpp
new file mode 100644
index 00000000..93742e6f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha512Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] END" << std::endl;
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048Pkcs1Sha512Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa2048Pkcs1Sha512Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Sha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048Pkcs1Sha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa2048Pkcs1Sha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa2048Pkcs1Sha512(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa2048Pkcs1Sha512Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa2048Pkcs1Sha512Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa2048Pkcs1Sha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048Pkcs1Sha512Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048Pkcs1Sha512Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 2048, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa2048Pkcs1Sha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h
new file mode 100644
index 00000000..3aa44e9b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048Pkcs1Sha512Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.cpp
new file mode 100644
index 00000000..202be4c9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.cpp
@@ -0,0 +1,502 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048PssSha256Signer_TestClass.h"
+#include "RsaPssUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPssSha256Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048PssSha256Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] END" << std::endl;
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048PssSha256Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa2048PssSha256Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048PssSha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data(), test->salt.data(), test->salt.size());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048PssSha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// signing using the util function does not support specifying the salt, so we'll have to do some `lite` validation using the verify utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa2048PssSha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to verify signature
+				result = tc::crypto::VerifyRsa2048PssSha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size())); //(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (result != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: signature could not be verified";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa2048PssSha256(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa2048PssSha256Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa2048PssSha256Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa2048PssSha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha256Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha256Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa2048PssSha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.h
new file mode 100644
index 00000000..d159ddc9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha256Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048PssSha256Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.cpp
new file mode 100644
index 00000000..a3a68386
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.cpp
@@ -0,0 +1,502 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa2048PssSha512Signer_TestClass.h"
+#include "RsaPssUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPssSha512Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa2048PssSha512Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] END" << std::endl;
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 2048 >> 3;
+			if (tc::crypto::Rsa2048PssSha512Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa2048PssSha512Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048PssSha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data(), test->salt.data(), test->salt.size());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa2048PssSha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// signing using the util function does not support specifying the salt, so we'll have to do some `lite` validation using the verify utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa2048PssSha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to verify signature
+				result = tc::crypto::VerifyRsa2048PssSha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size())); //(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (result != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: signature could not be verified";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa2048PssSha512(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa2048PssSha512Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa2048PssSha512Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa2048PssSha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa2048PssSha512Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa2048PssSha512Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 2048, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa2048PssSha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.h
new file mode 100644
index 00000000..127a4ae4
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa2048PssSha512Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa2048PssSha512Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.cpp
new file mode 100644
index 00000000..4d2b3642
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.cpp
@@ -0,0 +1,673 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096OaepSha256Encryptor_TestClass.h"
+#include "RsaOaepUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaOaepSha256Encryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassDec();
+	test_UseClassEnc();
+	test_UseUtilFuncDec();
+	test_UseUtilFuncEnc();
+	test_UnspecifiedSeedProducesDifferentBlock();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptReturnsFalseOnBadInput();
+	test_DecryptReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] END" << std::endl;
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096OaepSha256Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Rsa4096OaepSha256Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096OaepSha256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				cryptor.decrypt(data.data(), message_size, data.size(), test->enc_message.data());
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096OaepSha256Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->enc_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test encryption
+				cryptor.encrypt(data.data(), test->dec_message.data(), test->dec_message.size(), test->enc_seed.data(), test->enc_seed.size());
+				if (memcmp(data.data(), test->enc_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->enc_message, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				bool res = tc::crypto::DecryptRsa4096OaepSha256(data.data(), message_size, data.size(), test->enc_message.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: DecryptRsa4096OaepSha256 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// the utility function doesn't support specifying a seed, so we'll have to do some `lite` validation using the already validated decryption utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData dec_data = tc::ByteData(test->dec_message.size());
+				tc::ByteData enc_data = tc::ByteData(test->enc_message.size());
+					
+				// clear data
+				memset(dec_data.data(), 0xff, dec_data.size());
+				memset(enc_data.data(), 0xff, enc_data.size());
+
+				// test encryption
+				bool res = tc::crypto::EncryptRsa4096OaepSha256(enc_data.data(), test->dec_message.data(), test->dec_message.size(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: EncryptRsa4096OaepSha256 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to decrypt message
+				size_t message_size = 0;
+				res = tc::crypto::DecryptRsa4096OaepSha256(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: encrypted message could not be decrypted";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}	
+				if (memcmp(dec_data.data(), test->dec_message.data(), dec_data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: decrypted message was not expected " << tc::cli::FormatUtil::formatBytesAsString(dec_data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_UnspecifiedSeedProducesDifferentBlock()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_UnspecifiedSeedProducesDifferentBlock : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096OaepSha256Encryptor cryptor;
+
+			// initialize
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), tests[0].label_is_digested);
+
+			static const size_t kTestNum = 20;
+			std::vector<tc::ByteData> enc_messages;
+
+			int difference_score = 0;
+			for (size_t i = 0; i < kTestNum; i++)
+			{
+				// create message buffer
+				tc::ByteData msg = tc::ByteData(tests[0].enc_message.size());
+				
+				// encrypt using auto seed generator
+				cryptor.encrypt(msg.data(), tests[0].dec_message.data(), tests[0].dec_message.size());
+				
+				// add message to vector
+				enc_messages.push_back(msg);
+
+				// compare this message to the previous messages
+				for (size_t j = 0; j < i; j++)
+				{
+					difference_score += memcmp(enc_messages[i].data(), enc_messages[j].data(), tests[0].enc_message.size()) == 0;
+				}
+			}
+		
+			if (difference_score != 0)
+			{
+				throw tc::Exception("Failed to generate unique encrypted messages.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			bool res;
+			tc::crypto::Rsa4096OaepSha256Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_message = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData message = tc::ByteData(control_message.data(), control_message.size());
+			tc::ByteData control_block = tc::io::PaddingSource(0xdd, tc::crypto::Rsa4096OaepSha256Encryptor::kBlockSize).pullData(0, tc::crypto::Rsa4096OaepSha256Encryptor::kBlockSize);
+			tc::ByteData block = tc::ByteData(control_block);
+			size_t control_message_size = 0x1337;
+			size_t message_size = control_message_size;
+
+			// try to decrypt without calling initialize()
+			res = cryptor.decrypt(message.data(), message_size, message.size(), block.data());
+
+			if (res != false)
+			{
+				ss << "Failed: decrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (message_size != control_message_size)
+			{
+				ss << "Failed: decrypt() modified message_size when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(message.data(), control_message.data(), message.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			res = cryptor.encrypt(block.data(), message.data(), message.size());
+
+			if (res != false)
+			{
+				ss << "Failed: encrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(block.data(), control_block.data(), block.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on block when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa4096OaepSha256Encryptor cryptor;
+
+			// reference initialize call
+			//cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+			
+			auto label = tc::io::PaddingSource(0xab, tc::crypto::Sha256Generator::kHashSize).pullData(0, tc::crypto::Sha256Generator::kHashSize-2);
+			auto empty_label = tc::ByteData();
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				cryptor.initialize(empty_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_modulus_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_modulus_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_privexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_pubexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_exponent_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), label.size(), true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where isLabelDigested==true but the label isn't the correct size");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), 0, false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label != nullptr but label_size == 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, nullptr, label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label == nullptr but label_size != 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_EncryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_EncryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa4096OaepSha256Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].enc_message.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+
+			bool result = false;
+
+			result = cryptor.encrypt(nullptr, tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), nullptr, tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), 0, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size==0"); // ArgumentOutOfRangeException
+			}
+
+			size_t max_message_size = tc::crypto::Rsa4096OaepSha256Encryptor::kBlockSize - (2 * tc::crypto::Sha256Generator::kHashSize) - 2;
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), max_message_size+1, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size was too large to be encrypted in one RSA-OAEP block"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), 0);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed_size!=HashCalculator::kHashSize"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), nullptr, tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed==nullptr"); // ArgumentNullException
+			}
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha256Encryptor_TestClass::test_DecryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha256Encryptor] test_DecryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA256);
+
+			tc::crypto::Rsa4096OaepSha256Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].dec_message.size());
+			size_t message_size = 0;
+
+			// reference encrypt call
+			//cryptor.decrypt(data.data(), message_size, data.size(), tests[0].enc_message.data());
+
+			bool result = false;
+
+			result = cryptor.decrypt(nullptr, message_size, data.size(), tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, 0, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity==0"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, data.size(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, tests[0].dec_message.size()-1, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity was not large enough"); // ArgumentOutOfRangeException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.h
new file mode 100644
index 00000000..dbe1b5bb
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha256Encryptor_TestClass.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096OaepSha256Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassDec();
+	void test_UseClassEnc();
+	void test_UseUtilFuncDec();
+	void test_UseUtilFuncEnc();
+	void test_UnspecifiedSeedProducesDifferentBlock();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptReturnsFalseOnBadInput();
+	void test_DecryptReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.cpp
new file mode 100644
index 00000000..59eb9ebe
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.cpp
@@ -0,0 +1,673 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096OaepSha512Encryptor_TestClass.h"
+#include "RsaOaepUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaOaepSha512Encryptor.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] START" << std::endl;
+	test_Constants();
+	test_UseClassDec();
+	test_UseClassEnc();
+	test_UseUtilFuncDec();
+	test_UseUtilFuncEnc();
+	test_UnspecifiedSeedProducesDifferentBlock();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_EncryptReturnsFalseOnBadInput();
+	test_DecryptReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] END" << std::endl;
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check block size
+			static const size_t kExpectedBlockSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096OaepSha512Encryptor::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Rsa4096OaepSha512Encryptor::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_UseClassDec()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_UseClassDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096OaepSha512Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				cryptor.decrypt(data.data(), message_size, data.size(), test->enc_message.data());
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_UseClassEnc()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_UseClassEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096OaepSha512Encryptor cryptor;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->enc_message.size());
+				
+				// initialize
+				cryptor.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test encryption
+				cryptor.encrypt(data.data(), test->dec_message.data(), test->dec_message.size(), test->enc_seed.data(), test->enc_seed.size());
+				if (memcmp(data.data(), test->enc_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->enc_message, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_UseUtilFuncDec()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_UseUtilFuncDec : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData data = tc::ByteData(test->dec_message.size());
+				
+				// clear data
+				memset(data.data(), 0xff, data.size());
+
+				// test decryption
+				size_t message_size = 0;
+				bool res = tc::crypto::DecryptRsa4096OaepSha512(data.data(), message_size, data.size(), test->enc_message.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: DecryptRsa4096OaepSha512 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}		
+				if (memcmp(data.data(), test->dec_message.data(), data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_UseUtilFuncEnc()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_UseUtilFuncEnc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// the utility function doesn't support specifying a seed, so we'll have to do some `lite` validation using the already validated decryption utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData dec_data = tc::ByteData(test->dec_message.size());
+				tc::ByteData enc_data = tc::ByteData(test->enc_message.size());
+					
+				// clear data
+				memset(dec_data.data(), 0xff, dec_data.size());
+				memset(enc_data.data(), 0xff, enc_data.size());
+
+				// test encryption
+				bool res = tc::crypto::EncryptRsa4096OaepSha512(enc_data.data(), test->dec_message.data(), test->dec_message.size(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: EncryptRsa4096OaepSha512 returned " << std::boolalpha << res << " (expected " << std::boolalpha << true << ")";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to decrypt message
+				size_t message_size = 0;
+				res = tc::crypto::DecryptRsa4096OaepSha512(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (res != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: encrypted message could not be decrypted";
+					throw tc::Exception(ss.str());
+				}
+				if (message_size != test->dec_message.size())
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: message_size = " << message_size << " (expected " << test->dec_message.size() << ")";
+					throw tc::Exception(ss.str());
+				}	
+				if (memcmp(dec_data.data(), test->dec_message.data(), dec_data.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: decrypted message was not expected " << tc::cli::FormatUtil::formatBytesAsString(dec_data, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->dec_message, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_UnspecifiedSeedProducesDifferentBlock()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_UnspecifiedSeedProducesDifferentBlock : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096OaepSha512Encryptor cryptor;
+
+			// initialize
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), tests[0].label_is_digested);
+
+			static const size_t kTestNum = 20;
+			std::vector<tc::ByteData> enc_messages;
+
+			int difference_score = 0;
+			for (size_t i = 0; i < kTestNum; i++)
+			{
+				// create message buffer
+				tc::ByteData msg = tc::ByteData(tests[0].enc_message.size());
+				
+				// encrypt using auto seed generator
+				cryptor.encrypt(msg.data(), tests[0].dec_message.data(), tests[0].dec_message.size());
+				
+				// add message to vector
+				enc_messages.push_back(msg);
+
+				// compare this message to the previous messages
+				for (size_t j = 0; j < i; j++)
+				{
+					difference_score += memcmp(enc_messages[i].data(), enc_messages[j].data(), tests[0].enc_message.size()) == 0;
+				}
+			}
+		
+			if (difference_score != 0)
+			{
+				throw tc::Exception("Failed to generate unique encrypted messages.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			bool res;
+			tc::crypto::Rsa4096OaepSha512Encryptor cryptor;
+
+			// create data
+			tc::ByteData control_message = tc::io::PaddingSource(0xee, 0x20).pullData(0, 0x20);
+			tc::ByteData message = tc::ByteData(control_message.data(), control_message.size());
+			tc::ByteData control_block = tc::io::PaddingSource(0xdd, tc::crypto::Rsa4096OaepSha512Encryptor::kBlockSize).pullData(0, tc::crypto::Rsa4096OaepSha512Encryptor::kBlockSize);
+			tc::ByteData block = tc::ByteData(control_block);
+			size_t control_message_size = 0x1337;
+			size_t message_size = control_message_size;
+
+			// try to decrypt without calling initialize()
+			res = cryptor.decrypt(message.data(), message_size, message.size(), block.data());
+
+			if (res != false)
+			{
+				ss << "Failed: decrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (message_size != control_message_size)
+			{
+				ss << "Failed: decrypt() modified message_size when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(message.data(), control_message.data(), message.size()) != 0)
+			{
+				ss << "Failed: decrypt() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to encrypt without calling initialize()
+			res = cryptor.encrypt(block.data(), message.data(), message.size());
+
+			if (res != false)
+			{
+				ss << "Failed: encrypt() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(block.data(), control_block.data(), block.size()) != 0)
+			{
+				ss << "Failed: encrypt() operated on block when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			
+
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			tc::crypto::Rsa4096OaepSha512Encryptor cryptor;
+
+			// reference initialize call
+			//cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+			
+			auto label = tc::io::PaddingSource(0xab, tc::crypto::Sha512Generator::kHashSize).pullData(0, tc::crypto::Sha512Generator::kHashSize-2);
+			auto empty_label = tc::ByteData();
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				cryptor.initialize(empty_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_modulus_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_modulus_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_privexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(bad_pubexp_size_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(no_exponent_key, label.data(), label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), label.size(), true);
+				throw tc::Exception("Failed to throw ArgumentOutOfRangeException where isLabelDigested==true but the label isn't the correct size");
+			} catch(const tc::ArgumentOutOfRangeException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, label.data(), 0, false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label != nullptr but label_size == 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				cryptor.initialize(key, nullptr, label.size(), false);
+				throw tc::Exception("Failed to throw ArgumentNullException where label == nullptr but label_size != 0");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_EncryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_EncryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			tc::crypto::Rsa4096OaepSha512Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].enc_message.size());
+
+			// reference encrypt call
+			//cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+
+			bool result = false;
+
+			result = cryptor.encrypt(nullptr, tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), nullptr, tests[0].dec_message.size(), tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), 0, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size==0"); // ArgumentOutOfRangeException
+			}
+
+			size_t max_message_size = tc::crypto::Rsa4096OaepSha512Encryptor::kBlockSize - (2 * tc::crypto::Sha512Generator::kHashSize) - 2;
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), max_message_size+1, tests[0].enc_seed.data(), tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_size was too large to be encrypted in one RSA-OAEP block"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), tests[0].enc_seed.data(), 0);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed_size!=HashCalculator::kHashSize"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.encrypt(data.data(), tests[0].dec_message.data(), tests[0].dec_message.size(), nullptr, tests[0].enc_seed.size());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where seed==nullptr"); // ArgumentNullException
+			}
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096OaepSha512Encryptor_TestClass::test_DecryptReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096OaepSha512Encryptor] test_DecryptReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaOaepUtil::TestVector> tests;
+			RsaOaepUtil::generateRsaOaepTestVectors_Custom(tests, 4096, RsaOaepUtil::SHA512);
+
+			tc::crypto::Rsa4096OaepSha512Encryptor cryptor;
+
+			cryptor.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()), tests[0].label.data(), tests[0].label.size(), false);
+
+			tc::ByteData data = tc::ByteData(tests[0].dec_message.size());
+			size_t message_size = 0;
+
+			// reference encrypt call
+			//cryptor.decrypt(data.data(), message_size, data.size(), tests[0].enc_message.data());
+
+			bool result = false;
+
+			result = cryptor.decrypt(nullptr, message_size, data.size(), tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, 0, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity==0"); // ArgumentOutOfRangeException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, data.size(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where block==nullptr"); // ArgumentNullException
+			}
+
+			result = cryptor.decrypt(data.data(), message_size, tests[0].dec_message.size()-1, tests[0].enc_message.data());
+			if (result != false)
+			{
+				throw tc::Exception("decrypt() did not return false where message_capacity was not large enough"); // ArgumentOutOfRangeException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.h
new file mode 100644
index 00000000..dec29754
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096OaepSha512Encryptor_TestClass.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096OaepSha512Encryptor_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassDec();
+	void test_UseClassEnc();
+	void test_UseUtilFuncDec();
+	void test_UseUtilFuncEnc();
+	void test_UnspecifiedSeedProducesDifferentBlock();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_EncryptReturnsFalseOnBadInput();
+	void test_DecryptReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.cpp
new file mode 100644
index 00000000..cbe73b7f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096Pkcs1Md5Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Md5Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] END" << std::endl;
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096Pkcs1Md5Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa4096Pkcs1Md5Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Md5Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Md5Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa4096Pkcs1Md5(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa4096Pkcs1Md5(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa4096Pkcs1Md5Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa4096Pkcs1Md5Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa4096Pkcs1Md5Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Md5Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Md5Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::MD5);
+
+			tc::crypto::Rsa4096Pkcs1Md5Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.h
new file mode 100644
index 00000000..0e3fe220
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Md5Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096Pkcs1Md5Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.cpp
new file mode 100644
index 00000000..a7e7b7f7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha1Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] END" << std::endl;
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096Pkcs1Sha1Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa4096Pkcs1Sha1Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Sha1Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Sha1Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa4096Pkcs1Sha1(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa4096Pkcs1Sha1(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa4096Pkcs1Sha1Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa4096Pkcs1Sha1Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa4096Pkcs1Sha1Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha1Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha1Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA1);
+
+			tc::crypto::Rsa4096Pkcs1Sha1Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h
new file mode 100644
index 00000000..23724a2b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096Pkcs1Sha1Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.cpp
new file mode 100644
index 00000000..8ca9ea57
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha256Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] END" << std::endl;
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096Pkcs1Sha256Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa4096Pkcs1Sha256Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Sha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Sha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa4096Pkcs1Sha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa4096Pkcs1Sha256(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa4096Pkcs1Sha256Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa4096Pkcs1Sha256Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa4096Pkcs1Sha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha256Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha256Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA256);
+
+			tc::crypto::Rsa4096Pkcs1Sha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h
new file mode 100644
index 00000000..ecc145a9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096Pkcs1Sha256Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.cpp
new file mode 100644
index 00000000..9aa5c2bc
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.cpp
@@ -0,0 +1,498 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h"
+#include "RsaPkcs1Util.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPkcs1Sha512Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] END" << std::endl;
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096Pkcs1Sha512Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa4096Pkcs1Sha512Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Sha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096Pkcs1Sha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa4096Pkcs1Sha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa4096Pkcs1Sha512(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa4096Pkcs1Sha512Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa4096Pkcs1Sha512Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa4096Pkcs1Sha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096Pkcs1Sha512Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096Pkcs1Sha512Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPkcs1Util::TestVector> tests;
+			RsaPkcs1Util::generateRsaPkcs1TestVectors_Custom(tests, 4096, RsaPkcs1Util::SHA512);
+
+			tc::crypto::Rsa4096Pkcs1Sha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h
new file mode 100644
index 00000000..c415b29e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096Pkcs1Sha512Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.cpp
new file mode 100644
index 00000000..257cedf3
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.cpp
@@ -0,0 +1,502 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096PssSha256Signer_TestClass.h"
+#include "RsaPssUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPssSha256Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096PssSha256Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] END" << std::endl;
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096PssSha256Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa4096PssSha256Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096PssSha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data(), test->salt.data(), test->salt.size());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096PssSha256Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// signing using the util function does not support specifying the salt, so we'll have to do some `lite` validation using the verify utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa4096PssSha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to verify signature
+				result = tc::crypto::VerifyRsa4096PssSha256(signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size())); //(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (result != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: signature could not be verified";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa4096PssSha256(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa4096PssSha256Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa4096PssSha256Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa4096PssSha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha256Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha256Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA256);
+
+			tc::crypto::Rsa4096PssSha256Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.h
new file mode 100644
index 00000000..922980f2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha256Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096PssSha256Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.cpp
new file mode 100644
index 00000000..05571db2
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.cpp
@@ -0,0 +1,502 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Rsa4096PssSha512Signer_TestClass.h"
+#include "RsaPssUtil.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/RsaPssSha512Signer.h>
+#include <tc/cli/FormatUtil.h>
+
+#include <tc/io/PaddingSource.h>
+
+void crypto_Rsa4096PssSha512Signer_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] START" << std::endl;
+	test_Constants();
+	test_UseClassSign();
+	test_UseClassVerify();
+	test_UseUtilFuncSign();
+	test_UseUtilFuncVerify();
+
+	test_DoesNothingWhenNotInit();
+	test_InitializeThrowsExceptionOnBadInput();
+	test_SignReturnsFalseOnBadInput();
+	test_VerifyReturnsFalseOnBadInput();
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] END" << std::endl;
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check signature size
+			static const size_t kExpectedSignatureSize = 4096 >> 3;
+			if (tc::crypto::Rsa4096PssSha512Signer::kSignatureSize != kExpectedSignatureSize)
+			{
+				ss << "kSignatureSize had value " << std::dec << tc::crypto::Rsa4096PssSha512Signer::kSignatureSize << " (expected " << kExpectedSignatureSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_UseClassSign()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_UseClassSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096PssSha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// initialize
+				signer.initialize(tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = signer.sign(signature.data(), test->message_digest.data(), test->salt.data(), test->salt.size());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+				if (memcmp(signature.data(), test->signature.data(), signature.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: " << tc::cli::FormatUtil::formatBytesAsString(signature, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->signature, true, "") << ")";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_UseClassVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_UseClassVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			tc::crypto::Rsa4096PssSha512Signer signer;
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// initialize
+				signer.initialize(tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+
+				// test verify
+				bool result = signer.verify(test->signature.data(), test->message_digest.data());
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_UseUtilFuncSign()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_UseUtilFuncSign : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			// signing using the util function does not support specifying the salt, so we'll have to do some `lite` validation using the verify utility.
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				tc::ByteData signature = tc::ByteData(test->signature.size());
+				
+				// clear data
+				memset(signature.data(), 0xff, signature.size());
+
+				// test sign
+				bool result = tc::crypto::SignRsa4096PssSha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: sign() returned false";
+					throw tc::Exception(ss.str());
+				}
+
+				// try to verify signature
+				result = tc::crypto::VerifyRsa4096PssSha512(signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size())); //(dec_data.data(), message_size, dec_data.size(), enc_data.data(), tc::crypto::RsaPrivateKey(test->key_modulus.data(), test->key_modulus.size(), test->key_private_exponent.data(), test->key_private_exponent.size()), test->label.data(), test->label.size(), test->label_is_digested);
+				if (result != true)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: signature could not be verified";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_UseUtilFuncVerify()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_UseUtilFuncVerify : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{				
+				// test verify
+				bool result = tc::crypto::VerifyRsa4096PssSha512(test->signature.data(), test->message_digest.data(), tc::crypto::RsaPublicKey(test->key_modulus.data(), test->key_modulus.size()));
+				if (result == false)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed: verify() returned false";
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_DoesNothingWhenNotInit()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_DoesNothingWhenNotInit : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			if (tests.begin() == tests.end())
+			{
+				throw tc::Exception("No tests");
+			}
+			
+			bool res;
+			tc::crypto::Rsa4096PssSha512Signer signer;
+
+			// create data
+			tc::ByteData hash = tc::ByteData(tests[0].message_digest.size());
+			tc::ByteData control_signature = tc::io::PaddingSource(0xee, tests[0].signature.size()).pullData(0, 0x20);
+			tc::ByteData signature = tc::ByteData(control_signature.data(), control_signature.size());
+			
+
+			// try to sign without calling initialize()
+			res = signer.sign(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: sign() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(signature.data(), control_signature.data(), signature.size()) != 0)
+			{
+				ss << "Failed: sign() operated on message when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			// try to verify without calling initialize()
+			res = signer.verify(signature.data(), hash.data());
+			if (res != false)
+			{
+				ss << "Failed: verify() returned true when not initialized";
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_InitializeThrowsExceptionOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_InitializeThrowsExceptionOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa4096PssSha512Signer signer;
+
+			// reference initialize call
+			//signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			auto key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto empty_key = tc::crypto::RsaKey();
+			auto bad_modulus_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()-2, tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size());
+			auto no_modulus_key = key;
+			no_modulus_key.n = tc::ByteData();
+			auto bad_privexp_size_key = tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()-2);
+			auto bad_pubexp_size_key = key;
+			bad_pubexp_size_key.e = tc::ByteData(5);
+			auto no_exponent_key = key;
+			no_exponent_key.d = tc::ByteData();
+			no_exponent_key.e = tc::ByteData();
+
+			try {
+				signer.initialize(empty_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey empty");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_modulus_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad modulus size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_modulus_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a no modulus");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_privexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad private exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(bad_pubexp_size_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a bad public exponent size");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			try {
+				signer.initialize(no_exponent_key);
+				throw tc::Exception("Failed to throw ArgumentNullException where RsaKey had a neither public nor private exponents");
+			} catch(const tc::ArgumentNullException&) {
+				// all good if this was thrown.
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_SignReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_SignReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa4096PssSha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPrivateKey(tests[0].key_modulus.data(), tests[0].key_modulus.size(), tests[0].key_private_exponent.data(), tests[0].key_private_exponent.size()));
+
+			tc::ByteData signature = tc::ByteData(tests[0].signature.size());
+
+			// reference sign call
+			//signer.sign(signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.sign(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.sign(signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("sign() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Rsa4096PssSha512Signer_TestClass::test_VerifyReturnsFalseOnBadInput()
+{
+	std::cout << "[tc::crypto::Rsa4096PssSha512Signer] test_VerifyReturnsFalseOnBadInput : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+			
+			// create tests
+			std::vector<RsaPssUtil::TestVector> tests;
+			RsaPssUtil::generateRsaPssTestVectors_Custom(tests, 4096, RsaPssUtil::SHA512);
+
+			tc::crypto::Rsa4096PssSha512Signer signer;
+
+			signer.initialize(tc::crypto::RsaPublicKey(tests[0].key_modulus.data(), tests[0].key_modulus.size()));
+
+			// reference verify call
+			//signer.verify(tests[0].signature.data(), tests[0].message_digest.data());
+
+			bool result = false;
+
+			result = signer.verify(nullptr, tests[0].message_digest.data());
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where signature==nullptr"); // ArgumentNullException
+			}
+
+			result = signer.verify(tests[0].signature.data(), nullptr);
+			if (result != false)
+			{
+				throw tc::Exception("encrypt() did not return false where message_digest==nullptr"); // ArgumentNullException
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.h
new file mode 100644
index 00000000..6e49e2ac
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Rsa4096PssSha512Signer_TestClass.h
@@ -0,0 +1,22 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <vector>
+#include <tc/ByteData.h>
+
+class crypto_Rsa4096PssSha512Signer_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_UseClassSign();
+	void test_UseClassVerify();
+	void test_UseUtilFuncSign();
+	void test_UseUtilFuncVerify();
+
+	void test_DoesNothingWhenNotInit();
+	void test_InitializeThrowsExceptionOnBadInput();
+	void test_SignReturnsFalseOnBadInput();
+	void test_VerifyReturnsFalseOnBadInput();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.cpp
new file mode 100644
index 00000000..3eace4a8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.cpp
@@ -0,0 +1,462 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Sha1Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Sha1Generator.h>
+#include <tc/cli/FormatUtil.h>
+#include <tc/ByteData.h>
+
+void crypto_Sha1Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Sha1Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoHash();
+	test_NoInitDoUpdateDoHash();
+	test_DoInitNoUpdateDoHash();
+
+	test_CallGetHashRepeatedly();
+	std::cout << "[tc::crypto::Sha1Generator] END" << std::endl;
+}
+
+void crypto_Sha1Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check hash size
+			static const size_t kExpectedHashSize = 20;
+			if (tc::crypto::Sha1Generator::kHashSize != kExpectedHashSize)
+			{
+				ss << "kHashSize had value " << std::dec << tc::crypto::Sha1Generator::kHashSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 64;
+			if (tc::crypto::Sha1Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Sha1Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check ASN.1 OID data
+			tc::ByteData kExpectedAsn1OidData = tc::cli::FormatUtil::hexStringToBytes("3021300906052B0E03021A05000414");
+			if (tc::crypto::Sha1Generator::kAsn1OidDataSize != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidDataSize had value " << std::dec << tc::crypto::Sha1Generator::kAsn1OidDataSize << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (tc::crypto::Sha1Generator::kAsn1OidData.size() != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidData.size() had value " << std::dec << tc::crypto::Sha1Generator::kAsn1OidData.size() << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(tc::crypto::Sha1Generator::kAsn1OidData.data(), kExpectedAsn1OidData.data(), kExpectedAsn1OidData.size()) != 0)
+			{
+				ss << "kAsn1OidData.data() had data " << tc::cli::FormatUtil::formatBytesAsString(tc::crypto::Sha1Generator::kAsn1OidData.data(), tc::crypto::Sha1Generator::kAsn1OidData.size(), true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(kExpectedAsn1OidData, true, "");
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha1Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("A9993E364706816ABA3E25717850C26C9CD0D89D")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("84983E441C3BD26EBAAE4AA1F95129E5E54670F1")},
+			};
+
+			tc::crypto::Sha1Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha1Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("A9993E364706816ABA3E25717850C26C9CD0D89D")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("84983E441C3BD26EBAAE4AA1F95129E5E54670F1")},
+			};
+
+			tc::crypto::Sha1Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_string.size() / 2;
+
+				// update with first half
+				calc.update((const byte_t*)test->in_string.c_str(), offset);
+
+				// update with second half
+				calc.update((const byte_t*)test->in_string.c_str() + offset, test->in_string.size() - offset);
+				
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha1Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("A9993E364706816ABA3E25717850C26C9CD0D89D")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("84983E441C3BD26EBAAE4AA1F95129E5E54670F1")},
+			};
+
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(hash.data(), 0xff, hash.size());
+				tc::crypto::GenerateSha1Hash(hash.data(), (const byte_t*)test->in_string.c_str(), test->in_string.size());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha1Generator_TestClass::test_NoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_NoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Sha1Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha1Generator_TestClass::test_NoInitDoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_NoInitDoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Sha1Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha1Generator_TestClass::test_DoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_DoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (.getHash() should return the hash for an empty string if update is not called since they are logically the same thing)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709")},
+			};
+
+			tc::crypto::Sha1Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha1Generator_TestClass::test_CallGetHashRepeatedly()
+{
+	std::cout << "[tc::crypto::Sha1Generator] test_CallGetHashRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("A9993E364706816ABA3E25717850C26C9CD0D89D")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("84983E441C3BD26EBAAE4AA1F95129E5E54670F1")},
+			};
+
+			tc::crypto::Sha1Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha1Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the hash here we can tell if it is updated each time
+					memset(hash.data(), 0xff, hash.size());
+					calc.getHash(hash.data());
+					if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.h
new file mode 100644
index 00000000..78e8074f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Sha1Generator_TestClass.h
@@ -0,0 +1,18 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Sha1Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoHash();
+	void test_NoInitDoUpdateDoHash();
+	void test_DoInitNoUpdateDoHash();
+	void test_CallGetHashRepeatedly();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.cpp
new file mode 100644
index 00000000..aafa8615
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.cpp
@@ -0,0 +1,462 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Sha256Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Sha256Generator.h>
+#include <tc/cli/FormatUtil.h>
+#include <tc/ByteData.h>
+
+void crypto_Sha256Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Sha256Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoHash();
+	test_NoInitDoUpdateDoHash();
+	test_DoInitNoUpdateDoHash();
+
+	test_CallGetHashRepeatedly();
+	std::cout << "[tc::crypto::Sha256Generator] END" << std::endl;
+}
+
+void crypto_Sha256Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check hash size
+			static const size_t kExpectedHashSize = 32;
+			if (tc::crypto::Sha256Generator::kHashSize != kExpectedHashSize)
+			{
+				ss << "kHashSize had value " << std::dec << tc::crypto::Sha256Generator::kHashSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 64;
+			if (tc::crypto::Sha256Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Sha256Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check ASN.1 OID data
+			tc::ByteData kExpectedAsn1OidData = tc::cli::FormatUtil::hexStringToBytes("3031300D060960864801650304020105000420");
+			if (tc::crypto::Sha256Generator::kAsn1OidDataSize != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidDataSize had value " << std::dec << tc::crypto::Sha256Generator::kAsn1OidDataSize << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (tc::crypto::Sha256Generator::kAsn1OidData.size() != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidData.size() had value " << std::dec << tc::crypto::Sha256Generator::kAsn1OidData.size() << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(tc::crypto::Sha256Generator::kAsn1OidData.data(), kExpectedAsn1OidData.data(), kExpectedAsn1OidData.size()) != 0)
+			{
+				ss << "kAsn1OidData.data() had data " << tc::cli::FormatUtil::formatBytesAsString(tc::crypto::Sha256Generator::kAsn1OidData.data(), tc::crypto::Sha256Generator::kAsn1OidData.size(), true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(kExpectedAsn1OidData, true, "");
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha256Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("248D6A61D20638B8E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1")},
+			};
+
+			tc::crypto::Sha256Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha256Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("248D6A61D20638B8E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1")},
+			};
+
+			tc::crypto::Sha256Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_string.size() / 2;
+
+				// update with first half
+				calc.update((const byte_t*)test->in_string.c_str(), offset);
+
+				// update with second half
+				calc.update((const byte_t*)test->in_string.c_str() + offset, test->in_string.size() - offset);
+				
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha256Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("248D6A61D20638B8E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1")},
+			};
+
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(hash.data(), 0xff, hash.size());
+				tc::crypto::GenerateSha256Hash(hash.data(), (const byte_t*)test->in_string.c_str(), test->in_string.size());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha256Generator_TestClass::test_NoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_NoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Sha256Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha256Generator_TestClass::test_NoInitDoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_NoInitDoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Sha256Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha256Generator_TestClass::test_DoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_DoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (.getHash() should return the hash for an empty string if update is not called since they are logically the same thing)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")},
+			};
+
+			tc::crypto::Sha256Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha256Generator_TestClass::test_CallGetHashRepeatedly()
+{
+	std::cout << "[tc::crypto::Sha256Generator] test_CallGetHashRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD")},
+				{ "long string" ,"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", tc::cli::FormatUtil::hexStringToBytes("248D6A61D20638B8E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1")},
+			};
+
+			tc::crypto::Sha256Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha256Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the hash here we can tell if it is updated each time
+					memset(hash.data(), 0xff, hash.size());
+					calc.getHash(hash.data());
+					if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.h
new file mode 100644
index 00000000..b1028780
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Sha256Generator_TestClass.h
@@ -0,0 +1,18 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Sha256Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoHash();
+	void test_NoInitDoUpdateDoHash();
+	void test_DoInitNoUpdateDoHash();
+	void test_CallGetHashRepeatedly();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.cpp b/ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.cpp
new file mode 100644
index 00000000..e82f4e0a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.cpp
@@ -0,0 +1,462 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "crypto_Sha512Generator_TestClass.h"
+
+#include <tc/Exception.h>
+#include <tc/crypto/Sha512Generator.h>
+#include <tc/cli/FormatUtil.h>
+#include <tc/ByteData.h>
+
+void crypto_Sha512Generator_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::crypto::Sha512Generator] START" << std::endl;
+	test_Constants();
+	test_SingleUpdateCall();
+	test_MultiUpdateCall();
+	test_UtilFunc();
+
+	test_NoInitNoUpdateDoHash();
+	test_NoInitDoUpdateDoHash();
+	test_DoInitNoUpdateDoHash();
+
+	test_CallGetHashRepeatedly();
+	std::cout << "[tc::crypto::Sha512Generator] END" << std::endl;
+}
+
+void crypto_Sha512Generator_TestClass::test_Constants()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_Constants : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			// check hash size
+			static const size_t kExpectedHashSize = 64;
+			if (tc::crypto::Sha512Generator::kHashSize != kExpectedHashSize)
+			{
+				ss << "kHashSize had value " << std::dec << tc::crypto::Sha512Generator::kHashSize << " (expected " << kExpectedHashSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check block size
+			static const size_t kExpectedBlockSize = 128;
+			if (tc::crypto::Sha512Generator::kBlockSize != kExpectedBlockSize)
+			{
+				ss << "kBlockSize had value " << std::dec << tc::crypto::Sha512Generator::kBlockSize << " (expected " << kExpectedBlockSize << ")";
+				throw tc::Exception(ss.str());
+			}
+
+			// check ASN.1 OID data
+			tc::ByteData kExpectedAsn1OidData = tc::cli::FormatUtil::hexStringToBytes("3051300D060960864801650304020305000440");
+			if (tc::crypto::Sha512Generator::kAsn1OidDataSize != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidDataSize had value " << std::dec << tc::crypto::Sha512Generator::kAsn1OidDataSize << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (tc::crypto::Sha512Generator::kAsn1OidData.size() != kExpectedAsn1OidData.size())
+			{
+				ss << "kAsn1OidData.size() had value " << std::dec << tc::crypto::Sha512Generator::kAsn1OidData.size() << " (expected " << kExpectedAsn1OidData.size() << ")";
+				throw tc::Exception(ss.str());
+			}
+			if (memcmp(tc::crypto::Sha512Generator::kAsn1OidData.data(), kExpectedAsn1OidData.data(), kExpectedAsn1OidData.size()) != 0)
+			{
+				ss << "kAsn1OidData.data() had data " << tc::cli::FormatUtil::formatBytesAsString(tc::crypto::Sha512Generator::kAsn1OidData.data(), tc::crypto::Sha512Generator::kAsn1OidData.size(), true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(kExpectedAsn1OidData, true, "");
+				throw tc::Exception(ss.str());
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha512Generator_TestClass::test_SingleUpdateCall()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_SingleUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F")},
+				{ "long string" ,"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", tc::cli::FormatUtil::hexStringToBytes("8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA17299AEADB6889018501D289E4900F7E4331B99DEC4B5433AC7D329EEB6DD26545E96E55B874BE909")},
+			};
+
+			tc::crypto::Sha512Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha512Generator_TestClass::test_MultiUpdateCall()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_MultiUpdateCall : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F")},
+				{ "long string" ,"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", tc::cli::FormatUtil::hexStringToBytes("8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA17299AEADB6889018501D289E4900F7E4331B99DEC4B5433AC7D329EEB6DD26545E96E55B874BE909")},
+			};
+
+			tc::crypto::Sha512Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+
+				// pick an offset to split the in_string at
+				size_t offset = test->in_string.size() / 2;
+
+				// update with first half
+				calc.update((const byte_t*)test->in_string.c_str(), offset);
+
+				// update with second half
+				calc.update((const byte_t*)test->in_string.c_str() + offset, test->in_string.size() - offset);
+				
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha512Generator_TestClass::test_UtilFunc()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_UtilFunc : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F")},
+				{ "long string" ,"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", tc::cli::FormatUtil::hexStringToBytes("8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA17299AEADB6889018501D289E4900F7E4331B99DEC4B5433AC7D329EEB6DD26545E96E55B874BE909")},
+			};
+
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				memset(hash.data(), 0xff, hash.size());
+				tc::crypto::GenerateSha512Hash(hash.data(), (const byte_t*)test->in_string.c_str(), test->in_string.size());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha512Generator_TestClass::test_NoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_NoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string" ,"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Sha512Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha512Generator_TestClass::test_NoInitDoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_NoInitDoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (when not initalized getHash() should not populate the hash buffer, and so the hash buffer should remain as what we set it)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+				{ "long string" ,"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", tc::cli::FormatUtil::hexStringToBytes("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")},
+			};
+
+			tc::crypto::Sha512Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				//calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha512Generator_TestClass::test_DoInitNoUpdateDoHash()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_DoInitNoUpdateDoHash : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests (.getHash() should return the hash for an empty string if update is not called since they are logically the same thing)
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E")},
+				{ "long string" ,"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", tc::cli::FormatUtil::hexStringToBytes("CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E")},
+			};
+
+			tc::crypto::Sha512Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				//calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				memset(hash.data(), 0xff, hash.size());
+				calc.getHash(hash.data());
+				if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+				{
+					ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+					throw tc::Exception(ss.str());
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void crypto_Sha512Generator_TestClass::test_CallGetHashRepeatedly()
+{
+	std::cout << "[tc::crypto::Sha512Generator] test_CallGetHashRepeatedly : " << std::flush;
+	try
+	{
+		try 
+		{
+			std::stringstream ss;
+
+			struct TestCase
+			{
+				std::string test_name;
+				std::string in_string;
+				tc::ByteData out_hash;
+			};
+
+			// create tests
+			std::vector<TestCase> tests = 
+			{
+				{ "empty string", "", tc::cli::FormatUtil::hexStringToBytes("CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E")},
+				{ "short string", "abc", tc::cli::FormatUtil::hexStringToBytes("DDAF35A193617ABACC417349AE20413112E6FA4E89A97EA20A9EEEE64B55D39A2192992A274FC1A836BA3C23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F")},
+				{ "long string" ,"abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", tc::cli::FormatUtil::hexStringToBytes("8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7FA17299AEADB6889018501D289E4900F7E4331B99DEC4B5433AC7D329EEB6DD26545E96E55B874BE909")},
+			};
+
+			tc::crypto::Sha512Generator calc;
+			tc::ByteData hash = tc::ByteData(tc::crypto::Sha512Generator::kHashSize);
+
+			for (auto test = tests.begin(); test != tests.end(); test++)
+			{
+				calc.initialize();
+				calc.update((const byte_t*)test->in_string.c_str(), test->in_string.size());
+				for (size_t i = 0; i < 100; i++)
+				{
+					// by resetting the hash here we can tell if it is updated each time
+					memset(hash.data(), 0xff, hash.size());
+					calc.getHash(hash.data());
+					if (memcmp(hash.data(), test->out_hash.data(), hash.size()) != 0)
+					{
+						ss << "Test \"" << test->test_name << "\" Failed. Had wrong hash value: " << tc::cli::FormatUtil::formatBytesAsString(hash, true, "") << " (expected " << tc::cli::FormatUtil::formatBytesAsString(test->out_hash, true, "");
+						throw tc::Exception(ss.str());
+					}
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.h b/ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.h
new file mode 100644
index 00000000..4681fff0
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/crypto_Sha512Generator_TestClass.h
@@ -0,0 +1,18 @@
+#pragma once
+#include "ITestClass.h"
+
+class crypto_Sha512Generator_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constants();
+	void test_SingleUpdateCall();
+	void test_MultiUpdateCall();
+	void test_UtilFunc();
+
+	void test_NoInitNoUpdateDoHash();
+	void test_NoInitDoUpdateDoHash();
+	void test_DoInitNoUpdateDoHash();
+	void test_CallGetHashRepeatedly();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.cpp
new file mode 100644
index 00000000..38029a92
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.cpp
@@ -0,0 +1,292 @@
+#include <tc/Exception.h>
+#include <fmt/core.h>
+#include <fmt/ranges.h>
+
+#include <tc/io/BasicPathResolver.h>
+#include <tc/io/PathUtil.h>
+
+#include "io_BasicPathResolver_TestClass.h"
+#include "StreamTestUtil.h"
+
+void io_BasicPathResolver_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::io::BasicPathResolver] START\n");
+	test_EmptyStateAfterDefaultConstructor();
+	test_setCurrentDirectory();
+	test_setExplicitRootLabels();
+	test_ResolveRootDirRelativePaths();
+	test_ResolveWorkingDirectoryRelativePaths();
+	test_ResolvePathsWithCustomRootLabels();
+	fmt::print("[tc::io::BasicPathResolver] END\n");
+}
+
+void io_BasicPathResolver_TestClass::test_EmptyStateAfterDefaultConstructor()
+{
+	fmt::print("[tc::io::BasicPathResolver] test_EmptyStateAfterDefaultConstructor : ");
+	try
+	{
+		try 
+		{
+			tc::io::BasicPathResolver resolver;
+
+			tc::io::Path cur_dir = resolver.getCurrentDirectory();
+			tc::io::Path expected_cur_dir = tc::io::Path("/");
+			if (cur_dir != expected_cur_dir)
+			{
+				throw tc::Exception(fmt::format(".getCurrentDirectory() returned the wrong path after default constructor (returned \"{}\", expected \"{}\")", (std::string)cur_dir, (std::string)expected_cur_dir));
+			}
+
+			std::vector<std::string> root_labels = resolver.getExplicitRootLabels();
+			std::vector<std::string> expected_root_labels = {};
+			if (root_labels != expected_root_labels)
+			{
+				throw tc::Exception(fmt::format(".getExplicitRootLabels() returned the root label list after default constructor (returned {}, expected {})", root_labels, expected_root_labels));
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_BasicPathResolver_TestClass::test_setCurrentDirectory()
+{
+	fmt::print("[tc::io::BasicPathResolver] test_setCurrentDirectory : ");
+	try
+	{
+		try 
+		{
+			tc::io::BasicPathResolver resolver;
+
+			try 
+			{
+				resolver.setCurrentDirectory(tc::io::Path());
+				throw tc::Exception(".setCurrentDirectory() failed to throw tc::ArgumentOutOfRangeException when passed an empty path");
+			}
+			catch (const tc::ArgumentOutOfRangeException&)
+			{
+				// do nothing
+			}
+
+			tc::io::Path expected_cur_dir = tc::io::Path("a/this/is/a/path/to/set");
+			resolver.setCurrentDirectory(expected_cur_dir);
+			tc::io::Path cur_dir = resolver.getCurrentDirectory();
+		
+			if (cur_dir != expected_cur_dir)
+			{
+				throw tc::Exception(fmt::format(".getCurrentDirectory() returned the wrong path after .setCurrentDirectory() (returned \"{}\", expected \"{}\")", (std::string)cur_dir, (std::string)expected_cur_dir));
+			}
+
+			std::vector<std::string> root_labels = resolver.getExplicitRootLabels();
+			std::vector<std::string> expected_root_labels = {};
+			if (root_labels != expected_root_labels)
+			{
+				throw tc::Exception(fmt::format(".getExplicitRootLabels() returned unexpected data list after .setCurrentDirectory() (returned {}, expected {})", root_labels, expected_root_labels));
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_BasicPathResolver_TestClass::test_setExplicitRootLabels()
+{
+	fmt::print("[tc::io::BasicPathResolver] test_setExplicitRootLabels : ");
+	try
+	{
+		try 
+		{
+			tc::io::BasicPathResolver resolver;
+
+			std::vector<std::string> expected_root_labels = {"C:", "D:", "E:"};
+			resolver.setExplicitRootLabels(expected_root_labels);
+			std::vector<std::string> root_labels = resolver.getExplicitRootLabels();
+			
+			if (root_labels != expected_root_labels)
+			{
+				throw tc::Exception(fmt::format(".getExplicitRootLabels() returned unexpected data list after .setExplicitRootLabels() (returned {}, expected {})", root_labels, expected_root_labels));
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_BasicPathResolver_TestClass::test_ResolveRootDirRelativePaths()
+{
+	fmt::print("[tc::io::BasicPathResolver] test_ResolveRootDirRelativePaths : ");
+	try
+	{
+		try 
+		{
+			struct ResolutionTest {
+				std::string in_path;
+				std::string in_working_directory_path;
+				std::string expected_resolved_path;
+			};
+
+			std::vector<ResolutionTest> tests = {
+				{"/a/path", "/", "/a/path"},
+				{"/a/path", "/a/working/directory", "/a/path"},
+				{"rom:/a/path", "rom:/a/working/directory", "rom:/a/path"},
+				{"/a/path/////with/empty//path/elements/", "/a/working/directory", "/a/path/with/empty/path/elements/"},
+				{"/a/path", "/another/working/directory", "/a/path"},
+				{"/a/path", "/a/very/long/working/directory/path/indeed/this/is/more/than/ten/elements", "/a/path"},
+				{"/a/path/with/../some/../../parent/directory/aliases/../", "/a/working/directory", "/a/parent/directory"},
+				{"/a/path/with/./some/././current/directory/aliases/./", "/a/working/directory", "/a/path/with/some/current/directory/aliases"},
+				{"/a/path/with/./a/./../mix/./of/../../parent/and/../current/directory/aliases/./", "/a/working/directory", "/a/path/with/parent/current/directory/aliases"},
+				{"/a/path/with/../../../more/../../parent/directory/../../../aliases/../than/../path/../elements/../..", "/a/working/directory", "/"},
+			};
+
+			for (auto itr = tests.begin(); itr != tests.end(); itr++)
+			{
+				util_RunResolutionTest(tc::io::Path(itr->in_path), tc::io::Path(itr->in_working_directory_path), tc::io::Path(itr->expected_resolved_path));
+			}
+			
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_BasicPathResolver_TestClass::test_ResolveWorkingDirectoryRelativePaths()
+{
+	fmt::print("[tc::io::BasicPathResolver] test_ResolveWorkingDirectoryRelativePaths : ");
+	try
+	{
+		try 
+		{
+			struct ResolutionTest {
+				std::string in_path;
+				std::string in_working_directory_path;
+				std::string expected_resolved_path;
+			};
+
+			std::vector<ResolutionTest> tests = {
+				{"./a/path", "/", "/a/path"},
+				{"a/path", "/", "/a/path"},
+				{"./a/path", "rom:/", "rom:/a/path"},
+				{"a/path", "rom:/", "rom:/a/path"},
+				{"/a/path", "rom:/", "rom:/a/path"},
+				{"./a/path", "/a/working/directory", "/a/working/directory/a/path"},
+				{"a/path", "/a/working/directory", "/a/working/directory/a/path"},
+				{"./a/path", "/a/very/long/working/directory/path/indeed/this/is/more/than/ten/elements", "/a/very/long/working/directory/path/indeed/this/is/more/than/ten/elements/a/path"},
+				{"a/path", "/a/very/long/working/directory/path/indeed/this/is/more/than/ten/elements", "/a/very/long/working/directory/path/indeed/this/is/more/than/ten/elements/a/path"},
+				{"./a/path/with/../some/../../parent/directory/aliases/../", "/a/working/directory", "/a/working/directory/a/parent/directory"},
+				{"a/path/with/../some/../../parent/directory/aliases/../", "/a/working/directory", "/a/working/directory/a/parent/directory"},
+				{"./a/path/with/./a/./../mix/./of/../../parent/and/../current/directory/aliases/./", "/a/working/directory", "/a/working/directory/a/path/with/parent/current/directory/aliases/"},
+				{"a/path/with/./a/./../mix/./of/../../parent/and/../current/directory/aliases/./", "/a/working/directory", "/a/working/directory/a/path/with/parent/current/directory/aliases/"},
+				{"./a/path/with/../../../more/../../parent/directory/../../../aliases/../than/../path/../elements/../../very/different/path", "/a/working/directory", "/very/different/path"},
+				{"a/path/with/../../../more/../../parent/directory/../../../aliases/../than/../path/../elements/../../very/different/path", "/a/working/directory", "/very/different/path"},
+
+			};
+
+			for (auto itr = tests.begin(); itr != tests.end(); itr++)
+			{
+				util_RunResolutionTest(tc::io::Path(itr->in_path), tc::io::Path(itr->in_working_directory_path), tc::io::Path(itr->expected_resolved_path));
+			}
+			
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_BasicPathResolver_TestClass::test_ResolvePathsWithCustomRootLabels()
+{
+	fmt::print("[tc::io::BasicPathResolver] test_ResolvePathsWithCustomRootLabels : ");
+	try
+	{
+		try 
+		{
+			struct ResolutionTest {
+				std::string in_path;
+				std::string in_working_directory_path;
+				std::vector<std::string> root_labels;
+				std::string expected_resolved_path;
+			};
+
+			std::vector<ResolutionTest> tests = {
+				{"Project\\MyFile.txt", "C:\\Users\\Administrator\\Desktop", {"C:", "D:"}, "C:\\Users\\Administrator\\Desktop\\Project\\MyFile.txt"},
+				{"C:\\Source\\Project\\MyFile.txt", "C:\\Users\\Administrator\\Desktop", {"C:", "D:"}, "C:\\Source\\Project\\MyFile.txt"},
+				{"D:\\Project\\MyFile.txt", "C:\\Users\\Administrator\\Desktop", {"C:", "D:"}, "D:\\Project\\MyFile.txt"},
+				{"E:\\Project\\MyFile.txt", "C:\\Users\\Administrator\\Desktop", {"C:", "D:"}, "C:\\Users\\Administrator\\Desktop\\E:\\Project\\MyFile.txt"},	
+			};
+
+			for (auto itr = tests.begin(); itr != tests.end(); itr++)
+			{
+				util_RunResolutionTest(tc::io::Path(itr->in_path), tc::io::Path(itr->in_working_directory_path), itr->root_labels, tc::io::Path(itr->expected_resolved_path));
+			}
+			
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_BasicPathResolver_TestClass::util_RunResolutionTest(const tc::io::Path& in_path, const tc::io::Path& in_working_dir_path, const tc::io::Path& expected_resolved_path)
+{
+	util_RunResolutionTest(in_path, in_working_dir_path, {}, expected_resolved_path);
+}
+
+void io_BasicPathResolver_TestClass::util_RunResolutionTest(const tc::io::Path& in_path, const tc::io::Path& in_working_dir_path, const std::vector<std::string>& root_labels, const tc::io::Path& expected_resolved_path)
+{
+	tc::io::BasicPathResolver res;
+
+	res.setCurrentDirectory(in_working_dir_path);
+	res.setExplicitRootLabels(root_labels);
+
+	tc::io::Path resolved_path = res.resolveCanonicalPath(in_path);
+
+	if (resolved_path != expected_resolved_path)
+	{
+		throw tc::Exception(fmt::format("Resolve (path=\"{:s}\", workingdir=\"{:s}\", rootlabels={}) returned \"{:s}\"  (expected: \"{:s}\").", (std::string)in_path, (std::string)in_working_dir_path, root_labels, (std::string)resolved_path, (std::string)expected_resolved_path));
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.h b/ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.h
new file mode 100644
index 00000000..b2852783
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_BasicPathResolver_TestClass.h
@@ -0,0 +1,20 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io/Path.h>
+
+class io_BasicPathResolver_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_EmptyStateAfterDefaultConstructor();
+	void test_setCurrentDirectory();
+	void test_setExplicitRootLabels();
+	void test_ResolveRootDirRelativePaths();
+	void test_ResolveWorkingDirectoryRelativePaths();
+	void test_ResolvePathsWithCustomRootLabels();
+
+	void util_RunResolutionTest(const tc::io::Path& in_path, const tc::io::Path& in_working_dir_path, const tc::io::Path& expected_resolved_path);
+	void util_RunResolutionTest(const tc::io::Path& in_path, const tc::io::Path& in_working_dir_path, const std::vector<std::string>& root_labels, const tc::io::Path& expected_resolved_path);
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.cpp
new file mode 100644
index 00000000..f8fa69a9
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.cpp
@@ -0,0 +1,2645 @@
+#include "io_ConcatenatedStream_TestClass.h"
+
+#include <fmt/core.h>
+#include "StreamTestUtil.h"
+
+#include <tc.h>
+#include <tc/io/IOUtil.h>
+
+void io_ConcatenatedStream_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::io::ConcatenatedStream] START\n");
+	test_DefaultConstructor();
+	test_CreateConstructor_ThrowsOnBadInput();
+	test_CreateConstructor_SetsCorrectStreamState();
+	test_setLength_ThrowsOnUse();
+	test_read_ThrowsOnUnsupported();
+	test_write_ThrowsOnUnsupported();
+	test_seek_ThrowsOnUnsupported();
+	test_seek_SeeksToBeginOnNegativeSeek();
+	test_seek_SeeksToEndOnTooLargeSeek();
+	test_seek_CanFindCorrectStreamForSeek();
+	test_read_CanReadFromSingleStream();
+	test_read_CanReadFromMultipleStreamWithSeekSupport();
+	test_read_CanReadFromMultipleStreamWithNoSeekSupport();
+	test_read_ReadFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired();
+	test_write_CanWriteFromSingleStream();
+	test_write_CanWriteFromMultipleStreamWithSeekSupport();
+	test_write_CanWriteFromMultipleStreamWithNoSeekSupport();
+	test_write_WriteFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired();
+	test_MoveOperator_MoveDisposedToDisposed();
+	test_MoveOperator_MoveInitializedToDisposed();
+	test_MoveOperator_MoveDisposedToInitialized();
+	test_MoveOperator_MoveInitializedToInitialized();
+	test_MoveConstructor_MoveDisposed();
+	test_MoveConstructor_MoveInitialized();
+	fmt::print("[tc::io::ConcatenatedStream] END\n");
+}
+
+void io_ConcatenatedStream_TestClass::test_DefaultConstructor()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_DefaultConstructor : ");
+	try
+	{
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream();
+
+		// test state of stream
+		StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, false, false);
+
+		try
+		{
+			stream.read(nullptr, 0);
+			throw tc::Exception(".read() failed to throw tc::ObjectDisposedException when class was not initilaized.");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		try
+		{
+			stream.write(nullptr, 0);
+			throw tc::Exception(".write() failed to throw tc::ObjectDisposedException when class was not initilaized.");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		try
+		{
+			stream.seek(0, tc::io::SeekOrigin::Begin);
+			throw tc::Exception(".seek() failed to throw tc::ObjectDisposedException when class was not initilaized.");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		try
+		{
+			stream.setLength(0);
+			throw tc::Exception(".setLength() failed to throw tc::ObjectDisposedException when class was not initilaized.");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		try
+		{
+			stream.flush();
+			throw tc::Exception(".flush() failed to throw tc::ObjectDisposedException when class was not initilaized.");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_CreateConstructor_ThrowsOnBadInput()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_CreateConstructor_ThrowsOnBadInput : ");
+	try
+	{
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+			
+			throw tc::Exception(".ctor() did not throw tc::NotSupportedException where there were no input streams");
+		}
+		catch (tc::NotSupportedException&)
+		{
+			// do nothing
+		}
+
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				nullptr,
+				nullptr,
+				nullptr
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+			
+			throw tc::Exception(".ctor() did not throw tc::NotSupportedException where there were null input streams");
+		}
+		catch (tc::NotSupportedException&)
+		{
+			// do nothing
+		}
+
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x0)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x0)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x0))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+			
+			throw tc::Exception(".ctor() did not throw tc::NotSupportedException where there total length of input streams was 0.");
+		}
+		catch (tc::NotSupportedException&)
+		{
+			// do nothing
+		}
+
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false)), // canRead=false, canWrite=true, canSeek=true, ...
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, true, false, false)), // canRead=true, canWrite=false, canSeek=true, ...
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)) // canRead=true, canWrite=true, canSeek=true, ...
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+			
+			throw tc::Exception(".ctor() did not throw tc::NotSupportedException where the input streams did not all support atleast either read or write.");
+		}
+		catch (tc::NotSupportedException&)
+		{
+			// do nothing
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_CreateConstructor_SetsCorrectStreamState()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_CreateConstructor_SetsCorrectStreamState : ");
+	try
+	{
+		// test 1) (all input streams, length=0x100, canRead=true, canWrite=false, canSeek=false)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, false, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 1 Failed: {}", e.error()));
+		}
+
+		// test 2) (all input streams, length=0x100, canRead=true, canWrite=mixed, canSeek=false)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, false, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 2 Failed: {}", e.error()));
+		}
+
+		// test 3) (all input streams, length=0x100, canRead=true, canWrite=true, canSeek=false)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, true, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 3 Failed: {}", e.error()));
+		}
+
+		// test 4) (all input streams, length=0x100, canRead=true, canWrite=true, canSeek=mixed)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, true, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 4 Failed: {}", e.error()));
+		}
+
+		// test 5) (all input streams, length=0x100, canRead=true, canWrite=true, canSeek=true)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 5 Failed: {}", e.error()));
+		}
+
+		// test 6) (all input streams, length=0x100, canRead=mixed, canWrite=true, canSeek=true)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, false, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 6 Failed: {}", e.error()));
+		}
+
+		// test 7) (all input streams, length=0x100, canRead=false, canWrite=true, canSeek=true)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, false, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 7 Failed: {}", e.error()));
+		}
+
+		// test 8) (all input streams, length=0x100, canRead=false, canWrite=true, canSeek=mixed)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, false, true, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 8 Failed: {}", e.error()));
+		}
+
+		// test 9) (all input streams, length=0x100, canRead=false, canWrite=true, canSeek=false)
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, false, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, false, false, false))
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, false, true, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 9 Failed: {}", e.error()));
+		}
+
+		// test 10) (all input streams, length=0x100, canRead=true, canWrite=true, canSeek=true) & one empty stream with only read
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x000, true, false, false, false, false)), // this should be skipped because it has no size
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 10 Failed: {}", e.error()));
+		}
+
+		// test 11) (all input streams, length=0x100, canRead=true, canWrite=true, canSeek=true) & one populated stream with only no read/write
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, false, false, false, false)), // this should be skipped because it cannot be read or written too
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 11 Failed: {}", e.error()));
+		}
+
+		// test 12) (all input streams, length=0x100, canRead=true, canWrite=true, canSeek=true) & one nullptr stream
+		try
+		{
+			std::vector<std::shared_ptr<tc::io::IStream>> streams {
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+				nullptr, // this should be skipped because it is null
+				std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			};
+
+			tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0x300, 0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("Test 12 Failed: {}", e.error()));
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_setLength_ThrowsOnUse()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_setLength_ThrowsOnUse : ");
+	try
+	{
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+		};
+
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		try
+		{
+			stream.setLength(0);
+			throw tc::Exception(".setLength() did not throw tc::NotImplementedException when called from an initalized class.");
+		}
+		catch (const tc::NotImplementedException&)
+		{
+			// do nothing
+		}
+		
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_read_ThrowsOnUnsupported()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_read_ThrowsOnUnsupported : ");
+	try
+	{
+		
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, false, true, true, false, false))
+		};
+
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		try
+		{
+			stream.read(nullptr, 0);
+			throw tc::Exception(".read() did not throw tc::NotSupportedException when canRead() == false.");
+		}
+		catch (const tc::NotSupportedException&)
+		{
+			// do nothing
+		}
+		
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_write_ThrowsOnUnsupported()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_write_ThrowsOnUnsupported : ");
+	try
+	{
+		
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, false, true, false, false))
+		};
+
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		try
+		{
+			stream.write(nullptr, 0);
+			throw tc::Exception(".write() did not throw tc::NotSupportedException when canWrite() == false.");
+		}
+		catch (const tc::NotSupportedException&)
+		{
+			// do nothing
+		}
+		
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_seek_ThrowsOnUnsupported()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_seek_ThrowsOnUnsupported : ");
+	try
+	{
+		
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, false, false, false))
+		};
+
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		try
+		{
+			stream.seek(0, tc::io::SeekOrigin::Begin);
+			throw tc::Exception(".seek() did not throw tc::NotSupportedException when canSeek() == false.");
+		}
+		catch (const tc::NotSupportedException&)
+		{
+			// do nothing
+		}
+		
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_seek_SeeksToBeginOnNegativeSeek()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_seek_SeeksToBeginOnNegativeSeek : ");
+	try
+	{
+		class ValidateSeekParamDummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			ValidateSeekParamDummyStream(int64_t seek_offset, tc::io::SeekOrigin seek_origin) :
+				DummyStreamBase(0x100, true, true, true, false, false),
+				mExpectedSeekOffset(seek_offset),
+				mExpectedSeekOrigin(seek_origin)
+			{}
+
+			int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+			{
+				if (offset != mExpectedSeekOffset)
+				{
+					throw tc::Exception(fmt::format("offset passed to seek() was 0x{:x} (expected 0x{:x}", offset, mExpectedSeekOffset));
+				}
+
+				if (origin != mExpectedSeekOrigin)
+				{
+					std::string origin_str;
+					switch (origin)
+					{
+					case tc::io::SeekOrigin::Begin:
+						origin_str = "SeekOrigin::Begin";
+						break;
+					case tc::io::SeekOrigin::Current:
+						origin_str = "SeekOrigin::Current";
+						break;
+					case tc::io::SeekOrigin::End:
+						origin_str = "SeekOrigin::End";
+						break;
+					}
+
+					std::string expected_origin_str;
+					switch (mExpectedSeekOrigin)
+					{
+					case tc::io::SeekOrigin::Begin:
+						expected_origin_str = "SeekOrigin::Begin";
+						break;
+					case tc::io::SeekOrigin::Current:
+						expected_origin_str = "SeekOrigin::Current";
+						break;
+					case tc::io::SeekOrigin::End:
+						expected_origin_str = "SeekOrigin::End";
+						break;
+					}
+
+					throw tc::Exception(fmt::format("origin passed to seek() was {:s} (expected {:s}", origin_str, expected_origin_str));
+				}
+
+				return DummyStreamBase::seek(offset, origin);
+			}
+		private:
+			int64_t mExpectedSeekOffset;
+			tc::io::SeekOrigin mExpectedSeekOrigin;
+		};
+
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ValidateSeekParamDummyStream>(ValidateSeekParamDummyStream(0, tc::io::SeekOrigin::Begin)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+		};
+
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		struct Test {
+			int64_t seek_pos, exp_seek_res;
+		};
+
+		std::vector<Test> tests {
+			{0x0, 0x0},
+			{-1, 0x0},
+			{-2, 0x0},
+			{-3, 0x0},
+			{-10, 0x0},
+			{-1000, 0x0},
+			{-20000, 0x0},
+		};
+
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			int64_t seek_res = stream.seek(test->seek_pos, tc::io::SeekOrigin::Begin);
+			if (seek_res != test->exp_seek_res)
+			{
+				throw tc::Exception(fmt::format(".seek({}, tc::io::SeekOrigin::Begin) returned {} (expected {})", test->seek_pos, seek_res, test->exp_seek_res));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_seek_SeeksToEndOnTooLargeSeek()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_seek_SeeksToEndOnTooLargeSeek : ");
+	try
+	{
+		class ValidateSeekParamDummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			ValidateSeekParamDummyStream(int64_t seek_offset, tc::io::SeekOrigin seek_origin) :
+				DummyStreamBase(0x100, true, true, true, false, false),
+				mExpectedSeekOffset(seek_offset),
+				mExpectedSeekOrigin(seek_origin)
+			{}
+
+			int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+			{
+				if (offset != mExpectedSeekOffset)
+				{
+					throw tc::Exception(fmt::format("offset passed to seek() was 0x{:x} (expected 0x{:x}", offset, mExpectedSeekOffset));
+				}
+
+				if (origin != mExpectedSeekOrigin)
+				{
+					std::string origin_str;
+					switch (origin)
+					{
+					case tc::io::SeekOrigin::Begin:
+						origin_str = "SeekOrigin::Begin";
+						break;
+					case tc::io::SeekOrigin::Current:
+						origin_str = "SeekOrigin::Current";
+						break;
+					case tc::io::SeekOrigin::End:
+						origin_str = "SeekOrigin::End";
+						break;
+					}
+
+					std::string expected_origin_str;
+					switch (mExpectedSeekOrigin)
+					{
+					case tc::io::SeekOrigin::Begin:
+						expected_origin_str = "SeekOrigin::Begin";
+						break;
+					case tc::io::SeekOrigin::Current:
+						expected_origin_str = "SeekOrigin::Current";
+						break;
+					case tc::io::SeekOrigin::End:
+						expected_origin_str = "SeekOrigin::End";
+						break;
+					}
+
+					throw tc::Exception(fmt::format("origin passed to seek() was {:s} (expected {:s}", origin_str, expected_origin_str));
+				}
+
+				return DummyStreamBase::seek(offset, origin);
+			}
+		private:
+			int64_t mExpectedSeekOffset;
+			tc::io::SeekOrigin mExpectedSeekOrigin;
+		};
+
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<ValidateSeekParamDummyStream>(ValidateSeekParamDummyStream(0, tc::io::SeekOrigin::End))
+		};
+
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		struct Test {
+			int64_t seek_pos, exp_seek_res;
+		};
+
+		std::vector<Test> tests {
+			{0x300, 0x300},
+			{0x301, 0x300},
+			{0x302, 0x300},
+			{0x310, 0x300},
+			{0x400, 0x300},
+			{0x1000, 0x300},
+			{0x20000, 0x300},
+		};
+
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			int64_t seek_res = stream.seek(test->seek_pos, tc::io::SeekOrigin::Begin);
+			if (seek_res != test->exp_seek_res)
+			{
+				throw tc::Exception(fmt::format(".seek({}, tc::io::SeekOrigin::Begin) returned {} (expected {})", test->seek_pos, seek_res, test->exp_seek_res));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_seek_CanFindCorrectStreamForSeek()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_seek_CanFindCorrectStreamForSeek : ");
+	try
+	{
+		struct SeekReport
+		{
+			int64_t seek_pos;
+			size_t stream_id;
+		};
+
+		class ReportsSeekPosParamDummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			ReportsSeekPosParamDummyStream(SeekReport& seek_resport, size_t stream_id) :
+				DummyStreamBase(0x100, true, true, true, false, false),
+				mSeekReport(seek_resport),
+				mStreamId(stream_id)
+			{}
+
+			int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+			{
+				mSeekReport.seek_pos = DummyStreamBase::seek(offset, origin);
+				mSeekReport.stream_id = mStreamId;
+				
+				return mSeekReport.seek_pos;
+			}
+		private:
+			SeekReport& mSeekReport;
+			size_t mStreamId;
+		};
+
+		SeekReport seek_report;
+
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportsSeekPosParamDummyStream>(ReportsSeekPosParamDummyStream(seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		struct Test {
+			int64_t seek_pos;
+			int64_t exp_seek_res;
+			SeekReport exp_seek_report;
+		};
+
+		std::vector<Test> tests {
+			{0x0, 0x0, {0x0, 0}},
+			{0x20, 0x20, {0x20, 0}},
+			{0xff, 0xff, {0xff, 0}},
+			{0x100, 0x100, {0x0, 1}},
+			{0x101, 0x101, {0x1, 1}},
+			{0x1ff, 0x1ff, {0xff, 1}},
+			{0x200, 0x200, {0x0, 2}},
+			{0x600, 0x600, {0x0, 6}},
+			{0x378, 0x378, {0x78, 3}},
+			{0x7ff, 0x7ff, {0xff, 7}},
+			{0x8, 0x8, {0x8, 0}},
+			// prior of stream case
+			{-1, 0x0, {0x0, 0}},
+			{-120, 0x0, {0x0, 0}},
+			// end of stream case
+			{0x800, 0x800, {0x100, 7}},
+			{0x1000, 0x800, {0x100, 7}},
+		};
+
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			int64_t seek_res = stream.seek(test->seek_pos, tc::io::SeekOrigin::Begin);
+			if (seek_res != test->exp_seek_res)
+			{
+				throw tc::Exception(fmt::format(".seek({}) returned {} (expected {})", test->seek_pos, seek_res, test->exp_seek_res));
+			}
+
+			if (seek_report.seek_pos != test->exp_seek_report.seek_pos || seek_report.stream_id != test->exp_seek_report.stream_id)
+			{
+				throw tc::Exception(fmt::format(".seek({}) triggered .seek({}) in stream {} (expected .seek({}) in stream {})", test->seek_pos, test->exp_seek_report.seek_pos, test->exp_seek_report.stream_id, seek_report.seek_pos, seek_report.stream_id));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_read_CanReadFromSingleStream()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_read_CanReadFromSingleStream : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct ReadReport
+		{
+			const byte_t* read_ptr;
+			size_t read_count;
+			size_t stream_id;
+
+			bool operator==(const ReadReport& other) const
+			{
+				return read_ptr == other.read_ptr \
+					&& read_count == other.read_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<ReadReport>& read_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, true, true, true, false, false),
+			mReadReport(read_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t read(byte_t* ptr, size_t count)
+		{
+			mReadReport.push_back({ptr, count, mStreamId});
+
+			size_t readable_count = tc::io::IOUtil::getReadableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(readable_count), tc::io::SeekOrigin::Current);
+
+			return readable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<ReadReport>& mReadReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::ReadReport> read_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		// define test
+		struct Test {
+			// test name
+			std::string test_name;
+
+			// these seeks are done then seek log is cleared
+			std::vector<int64_t> unlogged_seeks;
+
+			// these seeks are done before reading but will be logged
+			std::vector<int64_t> logged_seeks;
+			
+			// read param
+			byte_t* read_ptr;
+			size_t read_count;
+
+			// expected log reports
+			std::vector<ReportDummyStream::ReadReport> exp_read_report;
+			std::vector<ReportDummyStream::SeekReport> exp_seek_report;
+		};
+
+		// create tests
+		std::vector<Test> tests {
+			{"ReadFromBeginning", {0}, {}, (byte_t*)0x1000, 0x30, {{(byte_t*)0x1000, 0x30, 0}}, {}},
+			{"ContinueReadingFromBeginning", {}, {}, (byte_t*)0x1000, 0x30, {{(byte_t*)0x1000, 0x30, 0}}, {}},
+			{"ReadFromSomewhereElseInExistingStream", {0xe0}, {}, (byte_t*)0x1000, 0x20, {{(byte_t*)0x1000, 0x20, 0}}, {}},
+		};
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			for (auto itr = test->unlogged_seeks.begin(); itr != test->unlogged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			read_report.clear();
+			seek_report.clear();
+
+			for (auto itr = test->logged_seeks.begin(); itr != test->logged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			stream.read(test->read_ptr, test->read_count);
+
+			if (read_report != test->exp_read_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .read() issued to base streams were not as expected", test->test_name));
+			}
+
+			if (seek_report != test->exp_seek_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .seek() issued to base streams were not as expected", test->test_name));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_read_CanReadFromMultipleStreamWithSeekSupport()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_read_CanReadFromMultipleStreamWithSeekSupport : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct ReadReport
+		{
+			const byte_t* read_ptr;
+			size_t read_count;
+			size_t stream_id;
+
+			bool operator==(const ReadReport& other) const
+			{
+				return read_ptr == other.read_ptr \
+					&& read_count == other.read_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<ReadReport>& read_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, true, true, true, false, false),
+			mReadReport(read_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t read(byte_t* ptr, size_t count)
+		{
+			mReadReport.push_back({ptr, count, mStreamId});
+
+			size_t readable_count = tc::io::IOUtil::getReadableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(readable_count), tc::io::SeekOrigin::Current);
+
+			return readable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<ReadReport>& mReadReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::ReadReport> read_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		// define test
+		struct Test {
+			// test name
+			std::string test_name;
+
+			// these seeks are done then seek log is cleared
+			std::vector<int64_t> unlogged_seeks;
+
+			// these seeks are done before reading but will be logged
+			std::vector<int64_t> logged_seeks;
+			
+			// read param
+			byte_t* read_ptr;
+			size_t read_count;
+
+			// expected log reports
+			std::vector<ReportDummyStream::ReadReport> exp_read_report;
+			std::vector<ReportDummyStream::SeekReport> exp_seek_report;
+		};
+
+		// create tests
+		std::vector<Test> tests {
+			{"ReadAllOfStream 0-7 (stream 0x0 positions)", {0x000, 0x100, 0x200, 0x300, 0x400, 0x500, 0x600, 0x700, 0x000}, {}, (byte_t*)0x1000, 0x800, {{(byte_t*)0x1000, 0x100, 0}, {(byte_t*)0x1100, 0x100, 1}, {(byte_t*)0x1200, 0x100, 2}, {(byte_t*)0x1300, 0x100, 3}, {(byte_t*)0x1400, 0x100, 4}, {(byte_t*)0x1500, 0x100, 5}, {(byte_t*)0x1600, 0x100, 6}, {(byte_t*)0x1700, 0x100, 7}}, {}},
+			{"ReadAllOfStream 0-7 (stream 0x80 positions)", {0x080, 0x180, 0x280, 0x380, 0x480, 0x580, 0x680, 0x780, 0x000}, {}, (byte_t*)0x1000, 0x800, {{(byte_t*)0x1000, 0x100, 0}, {(byte_t*)0x1100, 0x100, 1}, {(byte_t*)0x1200, 0x100, 2}, {(byte_t*)0x1300, 0x100, 3}, {(byte_t*)0x1400, 0x100, 4}, {(byte_t*)0x1500, 0x100, 5}, {(byte_t*)0x1600, 0x100, 6}, {(byte_t*)0x1700, 0x100, 7}}, {{0x0, 1}, {0x0, 2}, {0x0, 3}, {0x0, 4}, {0x0, 5}, {0x0, 6}, {0x0, 7}}},
+			{"ReadAllOfStream 0-7 (stream 0x00 or 0x80 positions)", {0x080, 0x100, 0x280, 0x300, 0x480, 0x500, 0x680, 0x700, 0x000}, {}, (byte_t*)0x1000, 0x800, {{(byte_t*)0x1000, 0x100, 0}, {(byte_t*)0x1100, 0x100, 1}, {(byte_t*)0x1200, 0x100, 2}, {(byte_t*)0x1300, 0x100, 3}, {(byte_t*)0x1400, 0x100, 4}, {(byte_t*)0x1500, 0x100, 5}, {(byte_t*)0x1600, 0x100, 6}, {(byte_t*)0x1700, 0x100, 7}}, {{0x0, 2}, {0x0, 4}, {0x0, 6}}},
+			{"ReadAllOfStream 3-6 (stream 0x0 positions)", {0x000, 0x100, 0x200, 0x300, 0x400, 0x500, 0x600, 0x700, 0x300}, {}, (byte_t*)0x1000, 0x400, {{(byte_t*)0x1000, 0x100, 3}, {(byte_t*)0x1100, 0x100, 4}, {(byte_t*)0x1200, 0x100, 5}, {(byte_t*)0x1300, 0x100, 6}}, {}},
+			{"ReadAllOfStream 3-6 (stream 0x80 positions)", {0x080, 0x180, 0x280, 0x380, 0x480, 0x580, 0x680, 0x780, 0x300}, {}, (byte_t*)0x1000, 0x400, {{(byte_t*)0x1000, 0x100, 3}, {(byte_t*)0x1100, 0x100, 4}, {(byte_t*)0x1200, 0x100, 5}, {(byte_t*)0x1300, 0x100, 6}}, {{0x0, 4}, {0x0, 5}, {0x0, 6}}},
+			{"ReadStream (partial)3,4-5,(partial)6 (stream 0x0 positions)", {0x000, 0x100, 0x200, 0x300, 0x400, 0x500, 0x600, 0x700, 0x350}, {}, (byte_t*)0x1000, 0x300, {{(byte_t*)0x1000, 0xB0, 3}, {(byte_t*)0x10B0, 0x100, 4}, {(byte_t*)0x11B0, 0x100, 5}, {(byte_t*)0x12B0, 0x50, 6}}, {}},
+			{"ReadStream (partial)3,4-5,(partial)6 (stream 0x80 positions)", {0x080, 0x180, 0x280, 0x380, 0x480, 0x580, 0x680, 0x780, 0x350}, {}, (byte_t*)0x1000, 0x300, {{(byte_t*)0x1000, 0xB0, 3}, {(byte_t*)0x10B0, 0x100, 4}, {(byte_t*)0x11B0, 0x100, 5}, {(byte_t*)0x12B0, 0x50, 6}}, {{0x0, 4}, {0x0, 5}, {0x0, 6}}},
+		};
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			for (auto itr = test->unlogged_seeks.begin(); itr != test->unlogged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			read_report.clear();
+			seek_report.clear();
+
+			for (auto itr = test->logged_seeks.begin(); itr != test->logged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			stream.read(test->read_ptr, test->read_count);
+
+			if (read_report != test->exp_read_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .read() issued to base streams were not as expected", test->test_name));
+			}
+
+			if (seek_report != test->exp_seek_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .seek() issued to base streams were not as expected", test->test_name));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_read_CanReadFromMultipleStreamWithNoSeekSupport()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_read_CanReadFromMultipleStreamWithNoSeekSupport : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct ReadReport
+		{
+			const byte_t* read_ptr;
+			size_t read_count;
+			size_t stream_id;
+
+			bool operator==(const ReadReport& other) const
+			{
+				return read_ptr == other.read_ptr \
+					&& read_count == other.read_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<ReadReport>& read_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, true, true, false, false, false),
+			mReadReport(read_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t read(byte_t* ptr, size_t count)
+		{
+			mReadReport.push_back({ptr, count, mStreamId});
+
+			size_t readable_count = tc::io::IOUtil::getReadableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(readable_count), tc::io::SeekOrigin::Current);
+
+			return readable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<ReadReport>& mReadReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::ReadReport> read_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		// define test
+		struct Test {
+			// test name
+			std::string test_name;
+
+			// these seeks are done then seek log is cleared
+			std::vector<int64_t> unlogged_seeks;
+
+			// these seeks are done before reading but will be logged
+			std::vector<int64_t> logged_seeks;
+			
+			// read param
+			byte_t* read_ptr;
+			size_t read_count;
+
+			// expected log reports
+			std::vector<ReportDummyStream::ReadReport> exp_read_report;
+			std::vector<ReportDummyStream::SeekReport> exp_seek_report;
+		};
+
+		// create tests
+		std::vector<Test> tests {
+			{"ReadStream (partial)0", {}, {}, (byte_t*)0x1000, 0xA0, {{(byte_t*)0x1000, 0xA0, 0}}, {}},
+			{"ReadStream (partial)0,1-4", {}, {}, (byte_t*)0x1000, 0x460, {{(byte_t*)0x1000, 0x60, 0}, {(byte_t*)0x1060, 0x100, 1}, {(byte_t*)0x1160, 0x100, 2}, {(byte_t*)0x1260, 0x100, 3}, {(byte_t*)0x1360, 0x100, 4}}, {}},
+			{"ReadStream 5-7", {}, {}, (byte_t*)0x1000, 0x300, {{(byte_t*)0x1000, 0x100, 5}, {(byte_t*)0x1100, 0x100, 6}, {(byte_t*)0x1200, 0x100, 7}}, {}},
+		};
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			for (auto itr = test->unlogged_seeks.begin(); itr != test->unlogged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			read_report.clear();
+			seek_report.clear();
+
+			for (auto itr = test->logged_seeks.begin(); itr != test->logged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			stream.read(test->read_ptr, test->read_count);
+
+			if (read_report != test->exp_read_report)
+			{
+				fmt::print("\n");
+				fmt::print("ReadLog:\n");
+				for (auto itr = read_report.begin(); itr != read_report.end(); itr++)
+				{
+					fmt::print("ReadReport (ptr: 0x{:x}, count: 0x{:x}, stream: {:d})\n", (size_t)itr->read_ptr, itr->read_count, itr->stream_id);
+				}
+				fmt::print("ExpReadLog:\n");
+				for (auto itr = test->exp_read_report.begin(); itr != test->exp_read_report.end(); itr++)
+				{
+					fmt::print("ReadReport (ptr: 0x{:x}, count: 0x{:x}, stream: {:d})\n", (size_t)itr->read_ptr, itr->read_count, itr->stream_id);
+				}
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .read() issued to base streams were not as expected", test->test_name));
+			}
+
+			if (seek_report != test->exp_seek_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .seek() issued to base streams were not as expected", test->test_name));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_read_ReadFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_read_ReadFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct ReadReport
+		{
+			const byte_t* read_ptr;
+			size_t read_count;
+			size_t stream_id;
+
+			bool operator==(const ReadReport& other) const
+			{
+				return read_ptr == other.read_ptr \
+					&& read_count == other.read_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<ReadReport>& read_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, 0x80, true, true, false, false, false), // the initial position is 0x80
+			mReadReport(read_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t read(byte_t* ptr, size_t count)
+		{
+			mReadReport.push_back({ptr, count, mStreamId});
+
+			size_t readable_count = tc::io::IOUtil::getReadableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(readable_count), tc::io::SeekOrigin::Current);
+
+			return readable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<ReadReport>& mReadReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::ReadReport> read_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(read_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		try
+		{
+			stream.read((byte_t*)0x1000, 0x200);
+			throw tc::Exception(".read() did not throw tc::io::IOException where stream required seeking to begining but did not support seeking.");
+		}
+		catch (const tc::io::IOException&)
+		{
+			// do nothing
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_write_CanWriteFromSingleStream()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_write_CanWriteFromSingleStream : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct WriteReport
+		{
+			const byte_t* write_ptr;
+			size_t write_count;
+			size_t stream_id;
+
+			bool operator==(const WriteReport& other) const
+			{
+				return write_ptr == other.write_ptr \
+					&& write_count == other.write_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<WriteReport>& write_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, true, true, true, false, false),
+			mWriteReport(write_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t write(const byte_t* ptr, size_t count)
+		{
+			mWriteReport.push_back({ptr, count, mStreamId});
+
+			size_t writable_count = tc::io::IOUtil::getWritableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(writable_count), tc::io::SeekOrigin::Current);
+
+			return writable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<WriteReport>& mWriteReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::WriteReport> write_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		// define test
+		struct Test {
+			// test name
+			std::string test_name;
+
+			// these seeks are done then seek log is cleared
+			std::vector<int64_t> unlogged_seeks;
+
+			// these seeks are done before writing but will be logged
+			std::vector<int64_t> logged_seeks;
+			
+			// write param
+			byte_t* write_ptr;
+			size_t write_count;
+
+			// expected log reports
+			std::vector<ReportDummyStream::WriteReport> exp_write_report;
+			std::vector<ReportDummyStream::SeekReport> exp_seek_report;
+		};
+
+		// create tests
+		std::vector<Test> tests {
+			{"WriteFromBeginning", {0}, {}, (byte_t*)0x1000, 0x30, {{(byte_t*)0x1000, 0x30, 0}}, {}},
+			{"ContinueWritingFromBeginning", {}, {}, (byte_t*)0x1000, 0x30, {{(byte_t*)0x1000, 0x30, 0}}, {}},
+			{"WriteFromSomewhereElseInExistingStream", {0xe0}, {}, (byte_t*)0x1000, 0x20, {{(byte_t*)0x1000, 0x20, 0}}, {}},
+		};
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			for (auto itr = test->unlogged_seeks.begin(); itr != test->unlogged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			write_report.clear();
+			seek_report.clear();
+
+			for (auto itr = test->logged_seeks.begin(); itr != test->logged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			stream.write(test->write_ptr, test->write_count);
+
+			if (write_report != test->exp_write_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .write() issued to base streams were not as expected", test->test_name));
+			}
+
+			if (seek_report != test->exp_seek_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .seek() issued to base streams were not as expected", test->test_name));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_write_CanWriteFromMultipleStreamWithSeekSupport()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_write_CanWriteFromMultipleStreamWithSeekSupport : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct WriteReport
+		{
+			const byte_t* write_ptr;
+			size_t write_count;
+			size_t stream_id;
+
+			bool operator==(const WriteReport& other) const
+			{
+				return write_ptr == other.write_ptr \
+					&& write_count == other.write_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<WriteReport>& write_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, true, true, true, false, false),
+			mWriteReport(write_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t write(const byte_t* ptr, size_t count)
+		{
+			mWriteReport.push_back({ptr, count, mStreamId});
+
+			size_t writable_count = tc::io::IOUtil::getWritableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(writable_count), tc::io::SeekOrigin::Current);
+
+			return writable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<WriteReport>& mWriteReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::WriteReport> write_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		// define test
+		struct Test {
+			// test name
+			std::string test_name;
+
+			// these seeks are done then seek log is cleared
+			std::vector<int64_t> unlogged_seeks;
+
+			// these seeks are done before writeing but will be logged
+			std::vector<int64_t> logged_seeks;
+			
+			// write param
+			byte_t* write_ptr;
+			size_t write_count;
+
+			// expected log reports
+			std::vector<ReportDummyStream::WriteReport> exp_write_report;
+			std::vector<ReportDummyStream::SeekReport> exp_seek_report;
+		};
+
+		// create tests
+		std::vector<Test> tests {
+			{"WriteAllOfStream 0-7 (stream 0x0 positions)", {0x000, 0x100, 0x200, 0x300, 0x400, 0x500, 0x600, 0x700, 0x000}, {}, (byte_t*)0x1000, 0x800, {{(byte_t*)0x1000, 0x100, 0}, {(byte_t*)0x1100, 0x100, 1}, {(byte_t*)0x1200, 0x100, 2}, {(byte_t*)0x1300, 0x100, 3}, {(byte_t*)0x1400, 0x100, 4}, {(byte_t*)0x1500, 0x100, 5}, {(byte_t*)0x1600, 0x100, 6}, {(byte_t*)0x1700, 0x100, 7}}, {}},
+			{"WriteAllOfStream 0-7 (stream 0x80 positions)", {0x080, 0x180, 0x280, 0x380, 0x480, 0x580, 0x680, 0x780, 0x000}, {}, (byte_t*)0x1000, 0x800, {{(byte_t*)0x1000, 0x100, 0}, {(byte_t*)0x1100, 0x100, 1}, {(byte_t*)0x1200, 0x100, 2}, {(byte_t*)0x1300, 0x100, 3}, {(byte_t*)0x1400, 0x100, 4}, {(byte_t*)0x1500, 0x100, 5}, {(byte_t*)0x1600, 0x100, 6}, {(byte_t*)0x1700, 0x100, 7}}, {{0x0, 1}, {0x0, 2}, {0x0, 3}, {0x0, 4}, {0x0, 5}, {0x0, 6}, {0x0, 7}}},
+			{"WriteAllOfStream 0-7 (stream 0x00 or 0x80 positions)", {0x080, 0x100, 0x280, 0x300, 0x480, 0x500, 0x680, 0x700, 0x000}, {}, (byte_t*)0x1000, 0x800, {{(byte_t*)0x1000, 0x100, 0}, {(byte_t*)0x1100, 0x100, 1}, {(byte_t*)0x1200, 0x100, 2}, {(byte_t*)0x1300, 0x100, 3}, {(byte_t*)0x1400, 0x100, 4}, {(byte_t*)0x1500, 0x100, 5}, {(byte_t*)0x1600, 0x100, 6}, {(byte_t*)0x1700, 0x100, 7}}, {{0x0, 2}, {0x0, 4}, {0x0, 6}}},
+			{"WriteAllOfStream 3-6 (stream 0x0 positions)", {0x000, 0x100, 0x200, 0x300, 0x400, 0x500, 0x600, 0x700, 0x300}, {}, (byte_t*)0x1000, 0x400, {{(byte_t*)0x1000, 0x100, 3}, {(byte_t*)0x1100, 0x100, 4}, {(byte_t*)0x1200, 0x100, 5}, {(byte_t*)0x1300, 0x100, 6}}, {}},
+			{"WriteAllOfStream 3-6 (stream 0x80 positions)", {0x080, 0x180, 0x280, 0x380, 0x480, 0x580, 0x680, 0x780, 0x300}, {}, (byte_t*)0x1000, 0x400, {{(byte_t*)0x1000, 0x100, 3}, {(byte_t*)0x1100, 0x100, 4}, {(byte_t*)0x1200, 0x100, 5}, {(byte_t*)0x1300, 0x100, 6}}, {{0x0, 4}, {0x0, 5}, {0x0, 6}}},
+			{"WriteStream (partial)3,4-5,(partial)6 (stream 0x0 positions)", {0x000, 0x100, 0x200, 0x300, 0x400, 0x500, 0x600, 0x700, 0x350}, {}, (byte_t*)0x1000, 0x300, {{(byte_t*)0x1000, 0xB0, 3}, {(byte_t*)0x10B0, 0x100, 4}, {(byte_t*)0x11B0, 0x100, 5}, {(byte_t*)0x12B0, 0x50, 6}}, {}},
+			{"WriteStream (partial)3,4-5,(partial)6 (stream 0x80 positions)", {0x080, 0x180, 0x280, 0x380, 0x480, 0x580, 0x680, 0x780, 0x350}, {}, (byte_t*)0x1000, 0x300, {{(byte_t*)0x1000, 0xB0, 3}, {(byte_t*)0x10B0, 0x100, 4}, {(byte_t*)0x11B0, 0x100, 5}, {(byte_t*)0x12B0, 0x50, 6}}, {{0x0, 4}, {0x0, 5}, {0x0, 6}}},
+		};
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			for (auto itr = test->unlogged_seeks.begin(); itr != test->unlogged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			write_report.clear();
+			seek_report.clear();
+
+			for (auto itr = test->logged_seeks.begin(); itr != test->logged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			stream.write(test->write_ptr, test->write_count);
+
+			if (write_report != test->exp_write_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .write() issued to base streams were not as expected", test->test_name));
+			}
+
+			if (seek_report != test->exp_seek_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .seek() issued to base streams were not as expected", test->test_name));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_write_CanWriteFromMultipleStreamWithNoSeekSupport()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_write_CanWriteFromMultipleStreamWithNoSeekSupport : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct WriteReport
+		{
+			const byte_t* write_ptr;
+			size_t write_count;
+			size_t stream_id;
+
+			bool operator==(const WriteReport& other) const
+			{
+				return write_ptr == other.write_ptr \
+					&& write_count == other.write_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<WriteReport>& write_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, true, true, false, false, false),
+			mWriteReport(write_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t write(const byte_t* ptr, size_t count)
+		{
+			mWriteReport.push_back({ptr, count, mStreamId});
+
+			size_t writable_count = tc::io::IOUtil::getWritableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(writable_count), tc::io::SeekOrigin::Current);
+
+			return writable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<WriteReport>& mWriteReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::WriteReport> write_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		// define test
+		struct Test {
+			// test name
+			std::string test_name;
+
+			// these seeks are done then seek log is cleared
+			std::vector<int64_t> unlogged_seeks;
+
+			// these seeks are done before writeing but will be logged
+			std::vector<int64_t> logged_seeks;
+			
+			// write param
+			byte_t* write_ptr;
+			size_t write_count;
+
+			// expected log reports
+			std::vector<ReportDummyStream::WriteReport> exp_write_report;
+			std::vector<ReportDummyStream::SeekReport> exp_seek_report;
+		};
+
+		// create tests
+		std::vector<Test> tests {
+			{"WriteStream (partial)0", {}, {}, (byte_t*)0x1000, 0xA0, {{(byte_t*)0x1000, 0xA0, 0}}, {}},
+			{"WriteStream (partial)0,1-4", {}, {}, (byte_t*)0x1000, 0x460, {{(byte_t*)0x1000, 0x60, 0}, {(byte_t*)0x1060, 0x100, 1}, {(byte_t*)0x1160, 0x100, 2}, {(byte_t*)0x1260, 0x100, 3}, {(byte_t*)0x1360, 0x100, 4}}, {}},
+			{"WriteStream 5-7", {}, {}, (byte_t*)0x1000, 0x300, {{(byte_t*)0x1000, 0x100, 5}, {(byte_t*)0x1100, 0x100, 6}, {(byte_t*)0x1200, 0x100, 7}}, {}},
+		};
+
+		// run tests
+		for (auto test = tests.begin(); test != tests.end(); test++)
+		{
+			for (auto itr = test->unlogged_seeks.begin(); itr != test->unlogged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			write_report.clear();
+			seek_report.clear();
+
+			for (auto itr = test->logged_seeks.begin(); itr != test->logged_seeks.end(); itr++)
+			{
+				stream.seek(*itr, tc::io::SeekOrigin::Begin);
+			}
+
+			stream.write(test->write_ptr, test->write_count);
+
+			if (write_report != test->exp_write_report)
+			{
+				fmt::print("\n");
+				fmt::print("WriteLog:\n");
+				for (auto itr = write_report.begin(); itr != write_report.end(); itr++)
+				{
+					fmt::print("WriteReport (ptr: 0x{:x}, count: 0x{:x}, stream: {:d})\n", (size_t)itr->write_ptr, itr->write_count, itr->stream_id);
+				}
+				fmt::print("ExpWriteLog:\n");
+				for (auto itr = test->exp_write_report.begin(); itr != test->exp_write_report.end(); itr++)
+				{
+					fmt::print("WriteReport (ptr: 0x{:x}, count: 0x{:x}, stream: {:d})\n", (size_t)itr->write_ptr, itr->write_count, itr->stream_id);
+				}
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .write() issued to base streams were not as expected", test->test_name));
+			}
+
+			if (seek_report != test->exp_seek_report)
+			{
+				throw tc::Exception(fmt::format("Test \"{}\" Failed: .seek() issued to base streams were not as expected", test->test_name));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_write_WriteFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_write_WriteFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired : ");
+
+	class ReportDummyStream : public StreamTestUtil::DummyStreamBase
+	{
+	public:
+		struct SeekReport
+		{
+			int64_t seek_offset;
+			size_t stream_id;
+
+			bool operator==(const SeekReport& other) const
+			{
+				return seek_offset == other.seek_offset \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		struct WriteReport
+		{
+			const byte_t* write_ptr;
+			size_t write_count;
+			size_t stream_id;
+
+			bool operator==(const WriteReport& other) const
+			{
+				return write_ptr == other.write_ptr \
+					&& write_count == other.write_count \
+					&& stream_id == other.stream_id;
+			}
+		};
+
+		ReportDummyStream(std::vector<WriteReport>& write_report, std::vector<SeekReport>& seek_report, size_t stream_id) :
+			DummyStreamBase(0x100, 0x80, true, true, false, false, false), // the initial position is 0x80
+			mWriteReport(write_report),
+			mSeekReport(seek_report),
+			mStreamId(stream_id)
+		{}
+
+		size_t write(const byte_t* ptr, size_t count)
+		{
+			mWriteReport.push_back({ptr, count, mStreamId});
+
+			size_t writable_count = tc::io::IOUtil::getWritableCount(DummyStreamBase::length(), DummyStreamBase::position(), count);
+
+			// update stream position
+			DummyStreamBase::seek(int64_t(writable_count), tc::io::SeekOrigin::Current);
+
+			return writable_count;
+		}
+
+		int64_t seek(int64_t offset, tc::io::SeekOrigin origin)
+		{	
+			SeekReport seek_report = {DummyStreamBase::seek(offset, origin), mStreamId};
+
+			mSeekReport.push_back(seek_report);
+
+			return seek_report.seek_offset;
+		}
+	private:
+		std::vector<WriteReport>& mWriteReport;
+		std::vector<SeekReport>& mSeekReport;
+		size_t mStreamId;
+	};
+
+	try
+	{
+		// declare report logs
+		std::vector<ReportDummyStream::WriteReport> write_report;
+		std::vector<ReportDummyStream::SeekReport> seek_report;
+
+		// create stream list with links to report logs
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 0)), // 0x000 - 0x0ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 1)), // 0x100 - 0x1ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 2)), // 0x200 - 0x2ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 3)), // 0x300 - 0x3ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 4)), // 0x400 - 0x4ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 5)), // 0x500 - 0x5ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 6)), // 0x600 - 0x6ff
+			std::make_shared<ReportDummyStream>(ReportDummyStream(write_report, seek_report, 7)), // 0x700 - 0x7ff
+		};
+
+		// create concatenated stream
+		tc::io::ConcatenatedStream stream = tc::io::ConcatenatedStream(streams);
+
+		try
+		{
+			stream.write((byte_t*)0x1000, 0x200);
+			throw tc::Exception(".write() did not throw tc::io::IOException where stream required seeking to begining but did not support seeking.");
+		}
+		catch (const tc::io::IOException&)
+		{
+			// do nothing
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_MoveOperator_MoveDisposedToDisposed()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_MoveOperator_MoveDisposedToDisposed : ");
+	try
+	{
+		// create streams a and b (both disposed)
+		tc::io::ConcatenatedStream stream_a;
+		tc::io::ConcatenatedStream stream_b;
+
+		// ensure stream a had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after default .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon construction, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream b had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b had wrong properies after default .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_b was disposed upon construction, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// move stream_a to stream_b
+		stream_b = std::move(stream_a);
+
+		// ensure stream a had valid properties after being moved from
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after it was move assigned to stream_b ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon being move assigned to stream_b, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream b had valid properties after being moved to
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b has wrong properties after being move assigned from stream_a ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_b was disposed upon move assignment from stream_a, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_MoveOperator_MoveInitializedToDisposed()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_MoveOperator_MoveInitializedToDisposed : ");
+	try
+	{
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+		};
+
+		// create streams a and b
+		tc::io::ConcatenatedStream stream_a(streams);
+		tc::io::ConcatenatedStream stream_b;
+
+		// ensure stream a had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x300, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after create .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_a was initialized upon construction, but threw tc::ObjectDisposedException when seek() was called");
+		}
+
+		// ensure stream b had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b had wrong properies after default .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_b was disposed upon construction, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// move stream_a to stream_b
+		stream_b = std::move(stream_a);
+
+		// ensure stream a had valid properties after being moved from
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after it was move assigned to stream_b ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon being move assigned to stream_b, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream b had valid properties after being moved to
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x300, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b has wrong properties after being move assigned from stream_a ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_b was initialized upon move assignment from stream_a, but threw tc::ObjectDisposedException when seek() was called");
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_MoveOperator_MoveDisposedToInitialized()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_MoveOperator_MoveDisposedToInitialized : ");
+	try
+	{
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+		};
+
+		// create streams a and b
+		tc::io::ConcatenatedStream stream_a;
+		tc::io::ConcatenatedStream stream_b(streams);
+
+		// ensure stream b had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after default .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon construction, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream a had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x300, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b had wrong properies after create .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_b was initialized upon construction, but threw tc::ObjectDisposedException when seek() was called");
+		}
+
+		// move stream_a to stream_b
+		stream_b = std::move(stream_a);
+
+		// ensure stream a had valid properties after being moved from
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after it was move assigned to stream_b ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon being move assigned to stream_b, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream b had valid properties after being moved to
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b has wrong properties after being move assigned from stream_a ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_b was disposed upon move assignment from stream_a, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_MoveOperator_MoveInitializedToInitialized()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_MoveOperator_MoveInitializedToInitialized : ");
+	try
+	{
+		std::vector<std::shared_ptr<tc::io::IStream>> streams_a {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+		};
+
+		std::vector<std::shared_ptr<tc::io::IStream>> streams_b {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x200, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x200, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x200, true, true, true, false, false))
+		};
+
+		// create streams a and b
+		tc::io::ConcatenatedStream stream_a(streams_a);
+		tc::io::ConcatenatedStream stream_b(streams_b);
+
+		// ensure stream a had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x300, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after create .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_a was initialized upon construction, but threw tc::ObjectDisposedException when seek() was called");
+		}
+
+		// ensure stream a had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x600, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b had wrong properies after create .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_b was initialized upon construction, but threw tc::ObjectDisposedException when seek() was called");
+		}
+
+		// move stream_a to stream_b
+		stream_b = std::move(stream_a);
+
+		// ensure stream a had valid properties after being moved from
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after it was move assigned to stream_b ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon being move assigned to stream_b, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream b had valid properties after being moved to
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x300, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b has wrong properties after being move assigned from stream_a ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_b was initialized upon move assignment from stream_a, but threw tc::ObjectDisposedException when seek() was called");
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_MoveConstructor_MoveDisposed()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_MoveConstructor_MoveDisposed : ");
+	try
+	{
+		// create stream a
+		tc::io::ConcatenatedStream stream_a;
+
+		// ensure stream a had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after default .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon construction, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// move stream_a to stream_b
+		tc::io::ConcatenatedStream stream_b(std::move(stream_a));
+
+		// ensure stream a had valid properties after being moved from
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after it was move assigned to stream_b ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon being move assigned to stream_b, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream b had valid properties after being moved to
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b has wrong properties after being move assigned from stream_a ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_b was disposed upon move assignment from stream_a, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
+
+void io_ConcatenatedStream_TestClass::test_MoveConstructor_MoveInitialized()
+{
+	fmt::print("[tc::io::ConcatenatedStream] test_MoveConstructor_MoveInitialized : ");
+	try
+	{
+		std::vector<std::shared_ptr<tc::io::IStream>> streams {
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false)),
+			std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0x100, true, true, true, false, false))
+		};
+
+		// create stream a
+		tc::io::ConcatenatedStream stream_a(streams);
+
+		// ensure stream a had valid properties to begin with
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x300, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after create .ctor() ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_a was initialized upon construction, but threw tc::ObjectDisposedException when seek() was called");
+		}
+
+		// move stream_a to stream_b
+		tc::io::ConcatenatedStream stream_b(std::move(stream_a));
+
+		// ensure stream a had valid properties after being moved from
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_a, 0x0, 0x0, false, false, false);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_a had wrong properies after it was move assigned to stream_b ({})", e.error()));
+		}
+		try
+		{
+			stream_a.seek(0, tc::io::SeekOrigin::Current);
+			throw tc::Exception("stream_a was disposed upon being move assigned to stream_b, but failed throw tc::ObjectDisposedException when seek() was called");
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			// do nothing
+		}
+
+		// ensure stream b had valid properties after being moved to
+		try
+		{
+			StreamTestUtil::constructor_TestHelper(stream_b, 0x300, 0x0, true, true, true);
+		}
+		catch (const tc::Exception& e)
+		{
+			throw tc::Exception(fmt::format("stream_b has wrong properties after being move assigned from stream_a ({})", e.error()));
+		}
+		try
+		{
+			stream_b.seek(0, tc::io::SeekOrigin::Current);
+			
+		}
+		catch (const tc::ObjectDisposedException&)
+		{
+			throw tc::Exception("stream_b was initialized upon move assignment from stream_a, but threw tc::ObjectDisposedException when seek() was called");
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({:s})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL (unhandled exception) ({})\n", e.what());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.h b/ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.h
new file mode 100644
index 00000000..c14a30f8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_ConcatenatedStream_TestClass.h
@@ -0,0 +1,50 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io/ConcatenatedStream.h>
+
+class io_ConcatenatedStream_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	/*
+	test plan:
+	1) Ensure default constructor creates an object that return 0/false for property methods and throw tc::ObjectDisposedException for actions other than dispose
+	2) Ensure create constructor throw exceptions for all variations of bad input (empty list, a stream is null, the combination of streams did not at least all support read or write)
+	3) Ensure create constructor works with valid combinations of input (and stream properties are correct)
+	4) Ensure that even valid streams, calling setLength() will throw tc::NotImplementedException
+	5) For streams that have unsupported features (as indicated with false results from canSeek() & canRead() & canWrite()), make sure the related methods (seek() read() write()) throw tc::NotSupportedException when called if unsupported
+	6) For streams that support seek(), seek is quite vital for the performance for ConcatenatedStream as it may do a map lookup to find the correct stream, but also has edge cases. This needs to gracefully handle unexpected errors and edge cases.
+	7) For readable streams (that support seek), ensure read works for various kinds of ConcatenatedStreams (including base streams that do not are not at position==0 when they are iterated too)
+	8) For readable streams (that do not support seek), ensure read works for various kinds of ConcatenatedStreams (including base streams that do not are not at position==0 when they are iterated too, this is an error state)
+	9) For writable streams (that support seek), ensure read works for various kinds of ConcatenatedStreams (including base streams that do not are not at position==0 when they are iterated too)
+	10) For writable streams (that do not support seek), ensure read works for various kinds of ConcatenatedStreams (including base streams that do not are not at position==0 when they are iterated too, this is an error state)
+	11) Quality of life: The intended use case for ConcatenatedStream is when stored in std::shared_ptr<tc::io::IStream>, if copy/assignment/move operators/constructors aren't deleted, do they work as intended, if not fix behaviour or delete method...
+	*/
+
+	void test_DefaultConstructor(); // 1
+	void test_CreateConstructor_ThrowsOnBadInput(); // 2
+	void test_CreateConstructor_SetsCorrectStreamState(); // 3
+	void test_setLength_ThrowsOnUse(); // 4
+	void test_read_ThrowsOnUnsupported(); // 5
+	void test_write_ThrowsOnUnsupported(); // 5
+	void test_seek_ThrowsOnUnsupported(); // 5
+	void test_seek_SeeksToBeginOnNegativeSeek(); // 6
+	void test_seek_SeeksToEndOnTooLargeSeek(); // 6
+	void test_seek_CanFindCorrectStreamForSeek(); // 6
+	void test_read_CanReadFromSingleStream(); // 7
+	void test_read_CanReadFromMultipleStreamWithSeekSupport(); // 7
+	void test_read_CanReadFromMultipleStreamWithNoSeekSupport(); // 8
+	void test_read_ReadFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired(); // 8
+	void test_write_CanWriteFromSingleStream(); // 9
+	void test_write_CanWriteFromMultipleStreamWithSeekSupport(); // 9
+	void test_write_CanWriteFromMultipleStreamWithNoSeekSupport(); // 10
+	void test_write_WriteFromMultiStream_NoSeekSupport_ThrowsOnSeekRequired(); // 10
+	void test_MoveOperator_MoveDisposedToDisposed(); // 11
+	void test_MoveOperator_MoveInitializedToDisposed(); // 11
+	void test_MoveOperator_MoveDisposedToInitialized(); // 11
+	void test_MoveOperator_MoveInitializedToInitialized(); // 11
+	void test_MoveConstructor_MoveDisposed(); // 11
+	void test_MoveConstructor_MoveInitialized(); // 11
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.cpp
new file mode 100644
index 00000000..dafc4ff7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.cpp
@@ -0,0 +1,2070 @@
+#include <iostream>
+#include <sstream>
+#include <fstream>
+
+#include "io_FileStream_TestClass.h"
+#include "StreamTestUtil.h"
+
+#include <tc.h>
+
+std::string io_FileStream_TestClass::kAsciiFilePath = "LocalFileTest.bin";
+std::string io_FileStream_TestClass::kUtf8TestPath = "ЀЁЂЃЄЅ-מבחן-тест-テスト.bin";
+std::string io_FileStream_TestClass::kNotExistFilePath = "ThisDoesNotExist.bin";
+std::string io_FileStream_TestClass::kTestPhrase = "Hello world!\n";
+std::string io_FileStream_TestClass::kRandomString = "uUkMx4MYhJdwUnr38Jk7nZvXQnW0IhGNQqjMRyKoRuxXwmxBS3p2Alzrv7BijPN2LDI1QGkEfQ3vrpoOGwKciwidTyuOPRRg9sj8QggPk7QSvJrrWKN3PfzN7JvEwax3vX3QaHIoX0afJtUiulzVf9SMlotimwrdOHbeAhLzQUSCAz6moIHhZd6DO0hFxjCxGpHUnDKE";
+
+void io_FileStream_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::FileStream] START" << std::endl;
+	
+	test_DefaultConstructor();
+
+	test_Constructor_CreateNew_Read_FileExists();
+	test_Constructor_CreateNew_Read_FileNotExist();
+	test_Constructor_CreateNew_Write_FileExists();
+	test_Constructor_CreateNew_Write_FileNotExist();
+	test_Constructor_CreateNew_ReadWrite_FileExists();
+	test_Constructor_CreateNew_ReadWrite_FileNotExist();
+
+	test_Constructor_Create_Read_FileExists();
+	test_Constructor_Create_Read_FileNotExist();
+	test_Constructor_Create_Write_FileExists();
+	test_Constructor_Create_Write_FileNotExist();
+	test_Constructor_Create_ReadWrite_FileExists();
+	test_Constructor_Create_ReadWrite_FileNotExist();
+
+	test_Constructor_Open_Read_FileExists();
+	test_Constructor_Open_Read_FileNotExist();
+	test_Constructor_Open_Write_FileExists();
+	test_Constructor_Open_Write_FileNotExist();
+	test_Constructor_Open_ReadWrite_FileExists();
+	test_Constructor_Open_ReadWrite_FileNotExist();
+
+	test_Constructor_OpenOrCreate_Read_FileExists();
+	test_Constructor_OpenOrCreate_Read_FileNotExist();
+	test_Constructor_OpenOrCreate_Write_FileExists();
+	test_Constructor_OpenOrCreate_Write_FileNotExist();
+	test_Constructor_OpenOrCreate_ReadWrite_FileExists();
+	test_Constructor_OpenOrCreate_ReadWrite_FileNotExist();
+
+	test_Constructor_Truncate_Read_FileExists();
+	test_Constructor_Truncate_Read_FileNotExist();
+	test_Constructor_Truncate_Write_FileExists();
+	test_Constructor_Truncate_Write_FileNotExist();
+	test_Constructor_Truncate_ReadWrite_FileExists();
+	test_Constructor_Truncate_ReadWrite_FileNotExist();
+
+	test_Constructor_Append_Read_FileExists();
+	test_Constructor_Append_Read_FileNotExist();
+	test_Constructor_Append_Write_FileExists();
+	test_Constructor_Append_Write_FileNotExist();
+	test_Constructor_Append_ReadWrite_FileExists();
+	test_Constructor_Append_ReadWrite_FileNotExist();
+
+	test_Constructor_IllegalMode();
+	test_Constructor_IllegalAccess();
+
+	test_Constructor_DirectoryPath();
+	test_Constructor_CreateThenReopenFileWithUnicodePath();
+
+	test_Seek_EmptyFile();
+	test_Seek_CreatedFile();
+	test_Seek_AppendMode();
+	test_Seek_PositionBeforeFileBegin();
+	test_Seek_PositionAfterFileEnd();
+
+	test_Read_NoData();
+	test_Read_SomeDataFromZero();
+	test_Read_SomeDataFromMiddle();
+	test_Read_AllData();
+	test_Read_TooMuchData();
+	test_Read_BeyondEnd();
+	test_Read_CanReadFalse();
+	test_Read_NullDstPointer();
+
+	test_Write_NoData();
+	test_Write_OverwriteSomeDataFromZero();
+	test_Write_OverwriteSomeDataFromMiddle();
+	test_Write_ExtendStreamSizeThruWritingDataFromZero();
+	test_Write_ExtendStreamSizeThruWritingDataFromMiddle();
+	test_Write_BeyondEnd();
+	test_Write_CanWriteFalse();
+	test_Write_NullSrcPointer();
+
+	std::cout << "[tc::io::FileStream] END" << std::endl;
+}
+
+void io_FileStream_TestClass::test_DefaultConstructor()
+{
+	std::cout << "[tc::io::FileStream] test_DefaultConstructor : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream();
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, false, false);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// Constructor_CreateNew
+
+void io_FileStream_TestClass::test_Constructor_CreateNew_Read_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_CreateNew_Read_FileExists : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::CreateNew, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_CreateNew_Read_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_CreateNew_Read_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::CreateNew, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_CreateNew_Write_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_CreateNew_Write_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::CreateNew, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileExistsException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_CreateNew_Write_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_CreateNew_Write_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::CreateNew, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_CreateNew_ReadWrite_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_CreateNew_ReadWrite_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::CreateNew, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileExistsException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_CreateNew_ReadWrite_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_CreateNew_ReadWrite_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::CreateNew, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// Constructor_Create
+
+void io_FileStream_TestClass::test_Constructor_Create_Read_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Create_Read_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Create, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Create_Read_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Create_Read_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Create, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Create_Write_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Create_Write_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Create, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Create_Write_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Create_Write_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Create, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Create_ReadWrite_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Create_ReadWrite_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Create, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Create_ReadWrite_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Create_ReadWrite_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Create, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// Constructor_Open
+
+void io_FileStream_TestClass::test_Constructor_Open_Read_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Open_Read_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, kRandomString.size(), 0, true, false, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Open_Read_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Open_Read_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileNotFoundException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Open_Write_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Open_Write_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, kRandomString.size(), 0, false, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Open_Write_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Open_Write_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileNotFoundException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Open_ReadWrite_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Open_ReadWrite_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, kRandomString.size(), 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Open_ReadWrite_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Open_ReadWrite_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileNotFoundException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// Constructor_OpenOrCreate
+
+void io_FileStream_TestClass::test_Constructor_OpenOrCreate_Read_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_OpenOrCreate_Read_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, kRandomString.size(), 0, true, false, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_OpenOrCreate_Read_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_OpenOrCreate_Read_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileNotFoundException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_OpenOrCreate_Write_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_OpenOrCreate_Write_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, kRandomString.size(), 0, false, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_OpenOrCreate_Write_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_OpenOrCreate_Write_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_OpenOrCreate_ReadWrite_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_OpenOrCreate_ReadWrite_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, kRandomString.size(), 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_OpenOrCreate_ReadWrite_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_OpenOrCreate_ReadWrite_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// Constructor_Truncate
+
+void io_FileStream_TestClass::test_Constructor_Truncate_Read_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Truncate_Read_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Truncate, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Truncate_Read_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Truncate_Read_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Truncate, tc::io::FileAccess::Read);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, false, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Truncate_Write_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Truncate_Write_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Truncate, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Truncate_Write_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Truncate_Write_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Truncate, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileNotFoundException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Truncate_ReadWrite_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Truncate_ReadWrite_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Truncate, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Truncate_ReadWrite_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Truncate_ReadWrite_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Truncate, tc::io::FileAccess::ReadWrite);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::FileNotFoundException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// Constructor_Append
+
+void io_FileStream_TestClass::test_Constructor_Append_Read_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Append_Read_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Append, tc::io::FileAccess::Read);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Append_Read_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Append_Read_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Append, tc::io::FileAccess::Read);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Append_Write_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Append_Write_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Append, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, kRandomString.size(), kRandomString.size(), false, true, false);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Append_Write_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Append_Write_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Append, tc::io::FileAccess::Write);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, false, true, false);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Append_ReadWrite_FileExists()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Append_ReadWrite_FileExists : " << std::flush;
+	try
+	{
+	
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.length());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Append, tc::io::FileAccess::ReadWrite);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_Append_ReadWrite_FileNotExist()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_Append_ReadWrite_FileNotExist : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Append, tc::io::FileAccess::ReadWrite);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// illegal constructor args
+
+void io_FileStream_TestClass::test_Constructor_IllegalMode()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_IllegalMode : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode(55), tc::io::FileAccess::ReadWrite);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentOutOfRangeException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_IllegalAccess()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_IllegalAccess : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::CreateNew, tc::io::FileAccess(55));
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentOutOfRangeException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_DirectoryPath()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_DirectoryPath : " << std::flush;
+	try
+	{
+		helper_CreateDirectory(kAsciiFilePath);
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::IOException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::UnauthorisedAccessException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteDirectory(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Constructor_CreateThenReopenFileWithUnicodePath()
+{
+	std::cout << "[tc::io::FileStream] test_Constructor_CreateThenReopenFileWithUnicodePath : " << std::flush;
+	try
+	{
+		try 
+		{
+			auto stream = tc::io::FileStream(kUtf8TestPath, tc::io::FileMode::Create, tc::io::FileAccess::ReadWrite);
+
+			stream.dispose();
+
+			stream = tc::io::FileStream(kUtf8TestPath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kUtf8TestPath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// seek() tests
+void io_FileStream_TestClass::test_Seek_EmptyFile()
+{
+	std::cout << "[tc::io::FileStream] test_Seek_EmptyFile : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, nullptr, 0);
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, 0, 0);
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Current, 0, 0);
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::End, 0, 0);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Seek_CreatedFile()
+{
+	std::cout << "[tc::io::FileStream] test_Seek_CreatedFile : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, 0, 0);
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Current, 0, 0);
+			StreamTestUtil::seek_TestHelper(stream, 100, tc::io::SeekOrigin::Current, 100, 100);
+			StreamTestUtil::seek_TestHelper(stream, 50, tc::io::SeekOrigin::Current, 150, 150);
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::End, 200, 200);
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Current, 200, 200);
+			StreamTestUtil::seek_TestHelper(stream, 1, tc::io::SeekOrigin::Begin, 1, 1);
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Current, 1, 1);
+			StreamTestUtil::seek_TestHelper(stream, -1, tc::io::SeekOrigin::End, 199, 199);
+			StreamTestUtil::seek_TestHelper(stream, -198, tc::io::SeekOrigin::Current, 1, 1);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Seek_AppendMode()
+{
+	std::cout << "[tc::io::FileStream] test_Seek_AppendMode : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Append, tc::io::FileAccess::Write);
+
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, 0, 0);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::io::IOException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Seek_PositionBeforeFileBegin()
+{
+	std::cout << "[tc::io::FileStream] test_Seek_PositionBeforeFileBegin : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::seek_TestHelper(stream, -1, tc::io::SeekOrigin::Begin, -1, -1);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentOutOfRangeException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Seek_PositionAfterFileEnd()
+{
+	std::cout << "[tc::io::FileStream] test_Seek_PositionAfterFileEnd : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::seek_TestHelper(stream, stream.length(), tc::io::SeekOrigin::Begin, stream.length(), stream.length());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// read tests
+
+void io_FileStream_TestClass::test_Read_NoData()
+{
+	std::cout << "[tc::io::FileStream] test_Read_NoData : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, kRandomString.size(), 0, 0, 0);
+			StreamTestUtil::read_TestHelper(stream, stream.length()/2, tc::io::SeekOrigin::Begin, kRandomString.size(), 0, 0, stream.length()/2);
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::End, kRandomString.size(), 0, 0, stream.length());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Read_SomeDataFromZero()
+{
+	std::cout << "[tc::io::FileStream] test_Read_SomeDataFromZero : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, kRandomString.size(), 0x01, 0x01, 0x01, (const byte_t*)kRandomString.c_str());
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, kRandomString.size(), 0x20, 0x20, 0x20, (const byte_t*)kRandomString.c_str());
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, kRandomString.size(), kRandomString.size()/2, kRandomString.size()/2, kRandomString.size()/2, (const byte_t*)kRandomString.c_str());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Read_SomeDataFromMiddle()
+{
+	std::cout << "[tc::io::FileStream] test_Read_SomeDataFromMiddle : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			int64_t offset;
+			size_t size;
+
+			offset = 01;
+			size = 20;
+			StreamTestUtil::read_TestHelper(stream, offset, tc::io::SeekOrigin::Begin, kRandomString.size(), size, size, offset + size, (const byte_t*)kRandomString.c_str() + offset);
+
+			offset = 67;
+			size = 100;
+			StreamTestUtil::read_TestHelper(stream, offset, tc::io::SeekOrigin::Begin, kRandomString.size(), size, size, offset + size, (const byte_t*)kRandomString.c_str() + offset);
+
+			offset = stream.length() / 2;
+			size = 80;
+			StreamTestUtil::read_TestHelper(stream, offset, tc::io::SeekOrigin::Begin, kRandomString.size(), size, size, offset + size, (const byte_t*)kRandomString.c_str() + offset);
+			
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Read_AllData()
+{
+	std::cout << "[tc::io::FileStream] test_Read_AllData : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, kRandomString.size(), kRandomString.size(), kRandomString.size(), kRandomString.size(), (const byte_t*)kRandomString.c_str());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Read_TooMuchData()
+{
+	std::cout << "[tc::io::FileStream] test_Read_TooMuchData : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, kRandomString.size()*2, kRandomString.size()*2, kRandomString.size(), kRandomString.size(), (const byte_t*)kRandomString.c_str());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Read_BeyondEnd()
+{
+	std::cout << "[tc::io::FileStream] test_Read_BeyondEnd : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::read_TestHelper(stream, 1, tc::io::SeekOrigin::End, kRandomString.size(), kRandomString.size(), 0, kRandomString.size() + 1, (const byte_t*)kRandomString.c_str());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Read_CanReadFalse()
+{
+	std::cout << "[tc::io::FileStream] test_Read_CanReadFalse : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, kRandomString.size(), kRandomString.size(), 0, kRandomString.size(), (const byte_t*)kRandomString.c_str());
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::NotSupportedException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Read_NullDstPointer()
+{
+	std::cout << "[tc::io::FileStream] test_Read_NullDstPointer : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), kRandomString.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, 0, kRandomString.size(), 0, kRandomString.size(), (const byte_t*)kRandomString.c_str());
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentNullException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// write() test
+
+void io_FileStream_TestClass::test_Write_NoData()
+{
+	std::cout << "[tc::io::FileStream] test_Write_NoData : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, nullptr, 0);
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			StreamTestUtil::write_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, (const byte_t*)kRandomString.c_str(), 0, 0);
+
+			stream.dispose();
+
+			helper_ValidateFileContents(kAsciiFilePath, (const byte_t*)kRandomString.c_str(), 0);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Write_OverwriteSomeDataFromZero()
+{
+	std::cout << "[tc::io::FileStream] test_Write_OverwriteSomeDataFromZero : " << std::flush;
+	try
+	{
+		auto padding = tc::io::PaddingSource(0xff, kRandomString.size());
+		auto padding_data = padding.pullData(0, padding.length());
+		helper_CreateFileForReading(kAsciiFilePath, padding_data.data(), padding_data.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			const byte_t* original_ptr = padding_data.data();
+			size_t original_size = padding_data.size();
+
+			const byte_t* written_data_ptr = (const byte_t*)kRandomString.c_str();
+			size_t written_data_size = 30;
+			size_t written_data_offset = 0;
+
+			StreamTestUtil::write_TestHelper(stream, written_data_offset, tc::io::SeekOrigin::Begin, written_data_ptr, written_data_size, written_data_offset + written_data_size);
+			stream.dispose();
+
+			auto expected_file_layout = tc::ByteData(std::max<size_t>(original_size, written_data_offset + written_data_size));
+
+			memcpy(expected_file_layout.data(), original_ptr, original_size);
+			memcpy(expected_file_layout.data() + written_data_offset, written_data_ptr, written_data_size);
+
+			helper_ValidateFileContents(kAsciiFilePath, expected_file_layout.data(), expected_file_layout.size());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Write_OverwriteSomeDataFromMiddle()
+{
+	std::cout << "[tc::io::FileStream] test_Write_OverwriteSomeDataFromMiddle : " << std::flush;
+	try
+	{
+		auto padding = tc::io::PaddingSource(0xee, kRandomString.size());
+		auto padding_data = padding.pullData(0, padding.length());
+		helper_CreateFileForReading(kAsciiFilePath, padding_data.data(), padding_data.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			const byte_t* original_ptr = padding_data.data();
+			size_t original_size = padding_data.size();
+
+			const byte_t* written_data_ptr = (const byte_t*)kRandomString.c_str();
+			size_t written_data_size = 90;
+			size_t written_data_offset = 50;
+
+			StreamTestUtil::write_TestHelper(stream, written_data_offset, tc::io::SeekOrigin::Begin, written_data_ptr, written_data_size, written_data_offset + written_data_size);
+			stream.dispose();
+
+			auto expected_file_layout = tc::ByteData(std::max<size_t>(original_size, written_data_offset + written_data_size));
+
+			memcpy(expected_file_layout.data(), original_ptr, original_size);
+			memcpy(expected_file_layout.data() + written_data_offset, written_data_ptr, written_data_size);
+
+			helper_ValidateFileContents(kAsciiFilePath, expected_file_layout.data(), expected_file_layout.size());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Write_ExtendStreamSizeThruWritingDataFromZero()
+{
+	std::cout << "[tc::io::FileStream] test_Write_ExtendStreamSizeThruWritingDataFromZero : " << std::flush;
+	try
+	{
+		auto padding = tc::io::PaddingSource(0xee, 0x20);
+		auto padding_data = padding.pullData(0, padding.length());
+		helper_CreateFileForReading(kAsciiFilePath, padding_data.data(), padding_data.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			const byte_t* original_ptr = padding_data.data();
+			size_t original_size = padding_data.size();
+
+			const byte_t* written_data_ptr = (const byte_t*)kRandomString.c_str();
+			size_t written_data_size = 90;
+			size_t written_data_offset = 0;
+
+			StreamTestUtil::write_TestHelper(stream, written_data_offset, tc::io::SeekOrigin::Begin, written_data_ptr, written_data_size, written_data_offset + written_data_size, written_data_offset + written_data_size);
+			stream.dispose();
+
+			auto expected_file_layout = tc::ByteData(std::max<size_t>(original_size, written_data_offset + written_data_size));
+
+			memcpy(expected_file_layout.data(), original_ptr, original_size);
+			memcpy(expected_file_layout.data() + written_data_offset, written_data_ptr, written_data_size);
+
+			helper_ValidateFileContents(kAsciiFilePath, expected_file_layout.data(), expected_file_layout.size());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Write_ExtendStreamSizeThruWritingDataFromMiddle()
+{
+	std::cout << "[tc::io::FileStream] test_Write_ExtendStreamSizeThruWritingDataFromMiddle : " << std::flush;
+	try
+	{
+		auto padding = tc::io::PaddingSource(0xee, 0x20);
+		auto padding_data = padding.pullData(0, padding.length());
+		helper_CreateFileForReading(kAsciiFilePath, padding_data.data(), padding_data.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			const byte_t* original_ptr = padding_data.data();
+			size_t original_size = padding_data.size();
+
+			const byte_t* written_data_ptr = (const byte_t*)kRandomString.c_str();
+			size_t written_data_size = 90;
+			size_t written_data_offset = 0x10;
+
+			StreamTestUtil::write_TestHelper(stream, written_data_offset, tc::io::SeekOrigin::Begin, written_data_ptr, written_data_size, written_data_offset + written_data_size, written_data_offset + written_data_size);
+			stream.dispose();
+
+			auto expected_file_layout = tc::ByteData(std::max<size_t>(original_size, written_data_offset + written_data_size));
+
+			memcpy(expected_file_layout.data(), original_ptr, original_size);
+			memcpy(expected_file_layout.data() + written_data_offset, written_data_ptr, written_data_size);
+
+			helper_ValidateFileContents(kAsciiFilePath, expected_file_layout.data(), expected_file_layout.size());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Write_BeyondEnd()
+{
+	std::cout << "[tc::io::FileStream] test_Write_BeyondEnd : " << std::flush;
+	try
+	{
+		auto padding = tc::io::PaddingSource(0xee, 0x20);
+		auto padding_data = padding.pullData(0, padding.length());
+		helper_CreateFileForReading(kAsciiFilePath, padding_data.data(), padding_data.size());
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write);
+
+			const byte_t* original_ptr = padding_data.data();
+			size_t original_size = padding_data.size();
+
+			const byte_t* written_data_ptr = (const byte_t*)kRandomString.c_str();
+			size_t written_data_size = 90;
+			size_t written_data_offset = original_size + 4;
+
+			StreamTestUtil::write_TestHelper(stream, written_data_offset, tc::io::SeekOrigin::Begin, written_data_ptr, written_data_size, written_data_offset + written_data_size, written_data_offset + written_data_size);
+			stream.dispose();
+
+			auto expected_file_layout = tc::ByteData(std::max<size_t>(original_size, written_data_offset + written_data_size));
+			memcpy(expected_file_layout.data(), original_ptr, original_size);
+			memcpy(expected_file_layout.data() + written_data_offset, written_data_ptr, written_data_size);
+
+			helper_ValidateFileContents(kAsciiFilePath, expected_file_layout.data(), expected_file_layout.size());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Write_CanWriteFalse()
+{
+	std::cout << "[tc::io::FileStream] test_Write_CanWriteFalse : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, nullptr, 0);
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Read);
+
+			StreamTestUtil::write_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, (const byte_t*)kRandomString.c_str(), kRandomString.size(), kRandomString.size());
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::NotSupportedException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_FileStream_TestClass::test_Write_NullSrcPointer()
+{
+	std::cout << "[tc::io::FileStream] test_Write_NullSrcPointer : " << std::flush;
+	try
+	{
+		helper_CreateFileForReading(kAsciiFilePath, nullptr, 0);
+
+		try 
+		{
+			auto stream = tc::io::FileStream(kAsciiFilePath, tc::io::FileMode::Open, tc::io::FileAccess::Write);
+
+			StreamTestUtil::write_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, nullptr, kRandomString.size(), kRandomString.size());
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::ArgumentNullException& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (Wrong Exception)(" << e.error() << ")" << std::endl;
+		}
+
+		helper_DeleteFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+// helper code
+
+void io_FileStream_TestClass::helper_CreateFileForReading(const std::string& path, const uint8_t* data, size_t data_len)
+{
+	auto test_file = std::ofstream(path, std::ios::binary);
+	if (data != nullptr && data_len != 0)
+	{
+		test_file.write((char*)data, data_len);
+	}
+	test_file.close();
+}
+
+void io_FileStream_TestClass::helper_ValidateFileContents(const std::string& path, const uint8_t* data, size_t data_len)
+{
+	auto test_file = std::ifstream(path, std::ios::binary);
+
+	if (test_file.fail())
+	{
+		throw tc::Exception("helper_ValidateFileContents : Failed to open file");
+	}
+
+	if (data == nullptr || data_len == 0)
+	{
+		return;
+	}
+
+	auto datablob = tc::ByteData(data_len);
+	test_file.read((char*)datablob.data(), data_len);
+
+	if (test_file.fail())
+	{
+		throw tc::Exception("helper_ValidateFileContents : Failed to read file");
+	}
+
+	test_file.close();
+
+	if (memcmp(datablob.data(), data, data_len) != 0)
+	{
+		throw tc::Exception("helper_ValidateFileContents : Invalid file contents");
+	}
+} 
+
+void io_FileStream_TestClass::helper_DeleteFile(const std::string& path)
+{
+	tc::io::LocalFileSystem s;
+	s.removeFile(path);
+}
+
+void io_FileStream_TestClass::helper_CreateDirectory(const std::string& path)
+{
+	tc::io::LocalFileSystem s;
+	s.createDirectory(path);
+}
+
+void io_FileStream_TestClass::helper_DeleteDirectory(const std::string& path)
+{
+	tc::io::LocalFileSystem s;
+	s.removeDirectory(path);
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.h b/ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.h
new file mode 100644
index 00000000..31e1aa5f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_FileStream_TestClass.h
@@ -0,0 +1,94 @@
+#pragma once
+#include "ITestClass.h"
+
+class io_FileStream_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_DefaultConstructor();
+
+	void test_Constructor_CreateNew_Read_FileExists();
+	void test_Constructor_CreateNew_Read_FileNotExist();
+	void test_Constructor_CreateNew_Write_FileExists();
+	void test_Constructor_CreateNew_Write_FileNotExist();
+	void test_Constructor_CreateNew_ReadWrite_FileExists();
+	void test_Constructor_CreateNew_ReadWrite_FileNotExist();
+
+	void test_Constructor_Create_Read_FileExists();
+	void test_Constructor_Create_Read_FileNotExist();
+	void test_Constructor_Create_Write_FileExists();
+	void test_Constructor_Create_Write_FileNotExist();
+	void test_Constructor_Create_ReadWrite_FileExists();
+	void test_Constructor_Create_ReadWrite_FileNotExist();
+
+	void test_Constructor_Open_Read_FileExists();
+	void test_Constructor_Open_Read_FileNotExist();
+	void test_Constructor_Open_Write_FileExists();
+	void test_Constructor_Open_Write_FileNotExist();
+	void test_Constructor_Open_ReadWrite_FileExists();
+	void test_Constructor_Open_ReadWrite_FileNotExist();
+
+	void test_Constructor_OpenOrCreate_Read_FileExists();
+	void test_Constructor_OpenOrCreate_Read_FileNotExist();
+	void test_Constructor_OpenOrCreate_Write_FileExists();
+	void test_Constructor_OpenOrCreate_Write_FileNotExist();
+	void test_Constructor_OpenOrCreate_ReadWrite_FileExists();
+	void test_Constructor_OpenOrCreate_ReadWrite_FileNotExist();
+
+	void test_Constructor_Truncate_Read_FileExists();
+	void test_Constructor_Truncate_Read_FileNotExist();
+	void test_Constructor_Truncate_Write_FileExists();
+	void test_Constructor_Truncate_Write_FileNotExist();
+	void test_Constructor_Truncate_ReadWrite_FileExists();
+	void test_Constructor_Truncate_ReadWrite_FileNotExist();
+
+	void test_Constructor_Append_Read_FileExists();
+	void test_Constructor_Append_Read_FileNotExist();
+	void test_Constructor_Append_Write_FileExists();
+	void test_Constructor_Append_Write_FileNotExist();
+	void test_Constructor_Append_ReadWrite_FileExists();
+	void test_Constructor_Append_ReadWrite_FileNotExist();
+
+	void test_Constructor_IllegalMode();
+	void test_Constructor_IllegalAccess();
+
+	void test_Constructor_DirectoryPath();
+	void test_Constructor_CreateThenReopenFileWithUnicodePath();
+
+	void test_Seek_EmptyFile();
+	void test_Seek_CreatedFile();
+	void test_Seek_AppendMode();
+	void test_Seek_PositionBeforeFileBegin();
+	void test_Seek_PositionAfterFileEnd();
+
+	void test_Read_NoData();
+	void test_Read_SomeDataFromZero();
+	void test_Read_SomeDataFromMiddle();
+	void test_Read_AllData();
+	void test_Read_TooMuchData();
+	void test_Read_BeyondEnd();
+	void test_Read_CanReadFalse();
+	void test_Read_NullDstPointer();
+
+	void test_Write_NoData();
+	void test_Write_OverwriteSomeDataFromZero();
+	void test_Write_OverwriteSomeDataFromMiddle();
+	void test_Write_ExtendStreamSizeThruWritingDataFromZero();
+	void test_Write_ExtendStreamSizeThruWritingDataFromMiddle();
+	void test_Write_BeyondEnd();
+	void test_Write_CanWriteFalse();
+	void test_Write_NullSrcPointer();
+
+	void helper_CreateFileForReading(const std::string& path, const uint8_t* data, size_t data_len);
+	void helper_ValidateFileContents(const std::string& path, const uint8_t* data, size_t data_len); 
+	void helper_DeleteFile(const std::string& path);
+	void helper_CreateDirectory(const std::string& path);
+	void helper_DeleteDirectory(const std::string& path);
+
+	static std::string kAsciiFilePath;
+	static std::string kUtf8TestPath;
+	static std::string kNotExistFilePath;
+	static std::string kTestPhrase;
+	static std::string kRandomString;
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.cpp
new file mode 100644
index 00000000..89bdb3ab
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.cpp
@@ -0,0 +1,535 @@
+#include <iostream>
+#include <sstream>
+
+#include "io_LocalFileSystem_TestClass.h"
+
+#include <tc.h>
+
+std::string io_LocalFileSystem_TestClass::kDirPath = "./testdir";
+std::string io_LocalFileSystem_TestClass::kUtf8DirPath = "./ЀЁЂЃЄЅテスト/";
+std::string io_LocalFileSystem_TestClass::kAsciiFilePath = "LocalFileTest.bin";
+std::string io_LocalFileSystem_TestClass::kUtf8TestPath = "ЀЁЂЃЄЅ-מבחן-тест-テスト.bin";
+std::string io_LocalFileSystem_TestClass::kNotExistFilePath = "ThisDoesNotExist.bin";
+
+void io_LocalFileSystem_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::LocalFileSystem] START" << std::endl;
+	test_CreateFile_NotExist();
+	test_CreateFile_DoesExist();
+	test_CreateFile_UnicodePath();
+	test_RemoveFile_DoesExist();
+	test_RemoveFile_NotExist();
+	test_RemoveFile_UnicodePath();
+	
+	test_CreateDirectory_NotExist();
+	test_CreateDirectory_DoesExist();
+	test_CreateDirectory_UnicodePath();
+	test_RemoveDirectory_DoesExist();
+	test_RemoveDirectory_NotExist();
+	test_RemoveDirectory_UnicodePath();
+	test_RemoveDirectory_HasChildren();
+	test_RemoveDirectory_NotDirectoryActuallyFile();
+	test_GetDirectoryListing_DoesExist();
+	test_GetDirectoryListing_NotExist();
+	test_GetDirectoryListing_UnicodePath();
+	test_ChangeWorkingDirectory_DoesExist();
+	test_ChangeWorkingDirectory_NotExist();
+	test_ChangeWorkingDirectory_UnicodePath();
+	std::cout << "[tc::io::LocalFileSystem] END" << std::endl;
+}
+
+void io_LocalFileSystem_TestClass::test_CreateFile_NotExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_CreateFile_NotExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.createFile(kAsciiFilePath);
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_CreateFile_DoesExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_CreateFile_DoesExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.createFile(kAsciiFilePath);
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_CreateFile_UnicodePath()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_CreateFile_UnicodePath : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.createFile(kUtf8TestPath);
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveFile_DoesExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveFile_DoesExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.removeFile(kAsciiFilePath);
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveFile_NotExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveFile_NotExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.removeFile(kNotExistFilePath);
+		std::cout << "FAIL (Did not throw exception when stream was not present on FS)" << std::endl;
+	}
+	catch (const tc::Exception& e) 
+	{
+		std::cout << "PASS (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveFile_UnicodePath()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveFile_UnicodePath : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.removeFile(kUtf8TestPath);
+
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_CreateDirectory_NotExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_CreateDirectory_NotExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.createDirectory(kDirPath);
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e) 
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_CreateDirectory_DoesExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_CreateDirectory_DoesExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.createDirectory(kDirPath);
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e) 
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_CreateDirectory_UnicodePath()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_CreateDirectory_UnicodePath : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.createDirectory(kUtf8DirPath);
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e) 
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveDirectory_DoesExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveDirectory_DoesExist : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.removeDirectory(kDirPath);
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveDirectory_NotExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveDirectory_NotExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.removeDirectory(kDirPath);
+		std::cout << "FAIL (did not throw exception on expected error)" << std::endl;
+	}
+	catch (const tc::Exception& e) 
+	{
+		std::cout << "PASS (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveDirectory_UnicodePath()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveDirectory_UnicodePath : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		local_storage.removeDirectory(kUtf8DirPath);
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e) 
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveDirectory_HasChildren()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveDirectory_HasChildren : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+	
+		tc::io::Path dir_child_path = tc::io::Path(kDirPath) + tc::io::Path(kUtf8DirPath);
+		tc::io::Path stream_child_path = tc::io::Path(kDirPath) + tc::io::Path(kAsciiFilePath);
+
+		try 
+		{
+			local_storage.createDirectory(kDirPath);
+			local_storage.createDirectory(dir_child_path);
+			local_storage.createFile(stream_child_path);
+			local_storage.removeDirectory(kDirPath);
+			std::cout << "FAIL (did not throw exception on expected error)" << std::endl;
+		}
+		catch (const tc::Exception& e) 
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+
+		local_storage.removeDirectory(dir_child_path);
+		local_storage.removeFile(stream_child_path);
+		local_storage.removeDirectory(kDirPath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_RemoveDirectory_NotDirectoryActuallyFile()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_RemoveDirectory_NotDirectoryActuallyFile : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+		try 
+		{
+			local_storage.createFile(kAsciiFilePath);
+			local_storage.removeDirectory(kAsciiFilePath);
+			std::cout << "FAIL (did not throw exception on expected error)" << std::endl;
+		}
+		catch (const tc::Exception& e) 
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+
+		local_storage.removeFile(kAsciiFilePath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_GetDirectoryListing_DoesExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_GetDirectoryListing_DoesExist : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		std::vector<std::string> file_list;
+		std::vector<std::string> dir_list;
+		
+		file_list.push_back("streamA.bin");
+		file_list.push_back("streamB.bin");
+		file_list.push_back("streamC.bin");
+		file_list.push_back("streamD.bin");
+
+		dir_list.push_back("dir000");
+		dir_list.push_back("dir001");
+		dir_list.push_back("dir002");
+		dir_list.push_back("dir003");
+
+		local_storage.createDirectory(kDirPath);
+
+		for (size_t i = 0; i < file_list.size(); i++)
+		{
+			local_storage.createFile(tc::io::Path(kDirPath) + tc::io::Path(file_list[i]));
+		}
+
+		for (size_t i = 0; i < dir_list.size(); i++)
+		{
+			local_storage.createDirectory(tc::io::Path(kDirPath) + tc::io::Path(dir_list[i]));
+		}
+
+		try
+		{
+			tc::io::sDirectoryListing info;
+
+			local_storage.getDirectoryListing(kDirPath, info);
+			
+			// + 2 for "." & ".."
+			if (info.dir_list.size() != (dir_list.size() + 2))
+			{
+				throw tc::Exception("Unexpected directory count");
+			}
+
+			if (info.file_list.size() != file_list.size())
+			{
+				throw tc::Exception("Unexpected stream count");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		for (size_t i = 0; i < file_list.size(); i++)
+		{
+			local_storage.removeFile(tc::io::Path(kDirPath) + tc::io::Path(file_list[i]));
+		}
+
+		for (size_t i = 0; i < dir_list.size(); i++)
+		{
+			local_storage.removeDirectory(tc::io::Path(kDirPath) + tc::io::Path(dir_list[i]));
+		}
+
+		local_storage.removeDirectory(tc::io::Path(kDirPath));
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_GetDirectoryListing_NotExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_GetDirectoryListing_NotExist : " << std::flush;
+	try 
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		tc::io::sDirectoryListing info;
+		local_storage.getDirectoryListing(kNotExistFilePath, info);
+		std::cout << "FAIL (did not throw exception on expected error)" << std::endl;
+	}
+	catch (const tc::Exception& e) 
+	{
+		std::cout << "PASS (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_GetDirectoryListing_UnicodePath()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_GetDirectoryListing_UnicodePath : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+
+		std::vector<std::string> file_list;
+		std::vector<std::string> dir_list;
+		
+		file_list.push_back("streamA.bin");
+		file_list.push_back("streamB.bin");
+		file_list.push_back("streamC.bin");
+		file_list.push_back("streamD.bin");
+
+		dir_list.push_back("dir000");
+		dir_list.push_back("dir001");
+		dir_list.push_back("dir002");
+		dir_list.push_back("dir003");
+
+		local_storage.createDirectory(kUtf8DirPath);
+
+		for (size_t i = 0; i < file_list.size(); i++)
+		{
+			local_storage.createFile(tc::io::Path(kUtf8DirPath) + tc::io::Path(file_list[i]));
+		}
+
+		for (size_t i = 0; i < dir_list.size(); i++)
+		{
+			local_storage.createDirectory(tc::io::Path(kUtf8DirPath) + tc::io::Path(dir_list[i]));
+		}
+
+		try
+		{
+			tc::io::sDirectoryListing info;
+
+			local_storage.getDirectoryListing(kUtf8DirPath, info);
+			
+			// + 2 for "." & ".."
+			if (info.dir_list.size() != (dir_list.size() + 2))
+			{
+				throw tc::Exception("Unexpected directory count");
+			}
+
+			if (info.file_list.size() != file_list.size())
+			{
+				throw tc::Exception("Unexpected stream count");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		for (size_t i = 0; i < file_list.size(); i++)
+		{
+			local_storage.removeFile(tc::io::Path(kUtf8DirPath) + tc::io::Path(file_list[i]));
+		}
+
+		for (size_t i = 0; i < dir_list.size(); i++)
+		{
+			local_storage.removeDirectory(tc::io::Path(kUtf8DirPath) + tc::io::Path(dir_list[i]));
+		}
+
+		local_storage.removeDirectory(tc::io::Path(kUtf8DirPath));
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_ChangeWorkingDirectory_DoesExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_ChangeWorkingDirectory_DoesExist : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+		
+		tc::io::Path old_dir;
+		local_storage.getWorkingDirectory(old_dir);
+
+		try 
+		{
+			local_storage.createDirectory(kDirPath);
+			local_storage.setWorkingDirectory(kDirPath);
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e) 
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		local_storage.setWorkingDirectory(old_dir);
+		local_storage.removeDirectory(tc::io::Path(kDirPath));
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_ChangeWorkingDirectory_NotExist()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_ChangeWorkingDirectory_NotExist : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+		
+		local_storage.setWorkingDirectory(kNotExistFilePath);
+		std::cout << "FAIL (did not throw exception on expected error)" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "PASS (" << e.error() << ")" << std::endl;
+	}
+}
+
+void io_LocalFileSystem_TestClass::test_ChangeWorkingDirectory_UnicodePath()
+{
+	std::cout << "[tc::io::LocalFileSystem] test_ChangeWorkingDirectory_UnicodePath : " << std::flush;
+	try
+	{
+		tc::io::LocalFileSystem local_storage;
+		
+		tc::io::Path old_dir;
+		local_storage.getWorkingDirectory(old_dir);
+
+		try 
+		{
+			local_storage.createDirectory(kUtf8DirPath);
+			local_storage.setWorkingDirectory(kUtf8DirPath);
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e) 
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+		local_storage.setWorkingDirectory(old_dir);
+		local_storage.removeDirectory(kUtf8DirPath);
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.h b/ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.h
new file mode 100644
index 00000000..8849f973
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_LocalFileSystem_TestClass.h
@@ -0,0 +1,35 @@
+#pragma once
+#include "ITestClass.h"
+
+class io_LocalFileSystem_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_CreateFile_NotExist();
+	void test_CreateFile_DoesExist();
+	void test_CreateFile_UnicodePath();
+	void test_RemoveFile_DoesExist();
+	void test_RemoveFile_NotExist();
+	void test_RemoveFile_UnicodePath();
+	void test_CreateDirectory_NotExist();
+	void test_CreateDirectory_DoesExist();
+	void test_CreateDirectory_UnicodePath();
+	void test_RemoveDirectory_DoesExist();
+	void test_RemoveDirectory_NotExist();
+	void test_RemoveDirectory_UnicodePath();
+	void test_RemoveDirectory_HasChildren();
+	void test_RemoveDirectory_NotDirectoryActuallyFile();
+	void test_GetDirectoryListing_DoesExist();
+	void test_GetDirectoryListing_NotExist();
+	void test_GetDirectoryListing_UnicodePath();
+	void test_ChangeWorkingDirectory_DoesExist();
+	void test_ChangeWorkingDirectory_NotExist();
+	void test_ChangeWorkingDirectory_UnicodePath();
+
+	static std::string kDirPath;
+	static std::string kUtf8DirPath;
+	static std::string kAsciiFilePath;
+	static std::string kUtf8TestPath;
+	static std::string kNotExistFilePath;
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.cpp
new file mode 100644
index 00000000..f16dd048
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.cpp
@@ -0,0 +1,200 @@
+#include <iostream>
+#include <sstream>
+
+#include "io_MemorySource_TestClass.h"
+#include "SourceTestUtil.h"
+
+#include <tc.h>
+
+void io_MemorySource_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::MemorySource] START" << std::endl;
+	testDefaultConstructor();
+	testInitializeByCopyWithByteData();
+	testInitializeByMoveWithByteData();
+	testInitializeByCopyWithMemoryPointer();
+	testNegativeOffset();
+	testTooLargeOffset();
+	std::cout << "[tc::io::MemorySource] END" << std::endl;
+}
+
+void io_MemorySource_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::io::MemorySource] testDefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::MemorySource source;
+
+			SourceTestUtil::testSourceLength(source, 0);
+			SourceTestUtil::pullTestHelper(source, 0, 0xdead, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemorySource_TestClass::testInitializeByCopyWithByteData()
+{
+	std::cout << "[tc::io::MemorySource] testInitializeByCopyWithByteData : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::ByteData data(length);
+			memset(data.data(), 0xff, data.size());
+
+			tc::io::MemorySource source = tc::io::MemorySource(data);
+
+			SourceTestUtil::testSourceLength(source, length);
+			SourceTestUtil::pullTestHelper(source, 0, data.size(), data.size(), data.data());
+			SourceTestUtil::pullTestHelper(source, 0, data.size()*2, data.size(), data.data());
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemorySource_TestClass::testInitializeByMoveWithByteData()
+{
+	std::cout << "[tc::io::MemorySource] testInitializeByMoveWithByteData : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::ByteData control_data(length);
+			memset(control_data.data(), 0xff, control_data.size());
+			tc::ByteData experiment_data = control_data;
+
+			tc::io::MemorySource source = tc::io::MemorySource(std::move(experiment_data));
+
+			if (experiment_data.size() != 0)
+			{
+				throw tc::Exception("experiment_data.size() != 0 after being moved from.");
+			}
+			if (experiment_data.data() != nullptr)
+			{
+				throw tc::Exception("experiment_data.data() != nullptr after being moved from.");
+			}
+
+			SourceTestUtil::testSourceLength(source, length);
+			SourceTestUtil::pullTestHelper(source, 0, control_data.size(), control_data.size(), control_data.data());
+			SourceTestUtil::pullTestHelper(source, 0, control_data.size()*2, control_data.size(), control_data.data());
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemorySource_TestClass::testInitializeByCopyWithMemoryPointer()
+{
+	std::cout << "[tc::io::MemorySource] testInitializeByCopyWithMemoryPointer : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::ByteData data(length);
+			memset(data.data(), 0xff, data.size());
+
+			tc::io::MemorySource source = tc::io::MemorySource(data.data(), data.size());
+
+			SourceTestUtil::testSourceLength(source, length);
+			SourceTestUtil::pullTestHelper(source, 0, data.size(), data.size(), data.data());
+			SourceTestUtil::pullTestHelper(source, 0, data.size()*2, data.size(), data.data());
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemorySource_TestClass::testNegativeOffset()
+{
+	std::cout << "[tc::io::MemorySource] testNegativeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			size_t source_len = 0xbabe;
+			tc::io::MemorySource source = tc::io::MemorySource(tc::ByteData(source_len));
+
+			// test
+			SourceTestUtil::testSourceLength(source, source_len);
+			SourceTestUtil::pullTestHelper(source, -10, 20, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemorySource_TestClass::testTooLargeOffset()
+{
+	std::cout << "[tc::io::MemorySource] testTooLargeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			size_t source_len = 0xbabe;
+			tc::io::MemorySource source = tc::io::MemorySource(tc::ByteData(source_len));
+
+			// test
+			SourceTestUtil::testSourceLength(source, source_len);
+			SourceTestUtil::pullTestHelper(source, source_len * 2, 20, 0, nullptr);
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.h b/ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.h
new file mode 100644
index 00000000..e621f29a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_MemorySource_TestClass.h
@@ -0,0 +1,17 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io/MemorySource.h>
+
+class io_MemorySource_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testInitializeByCopyWithByteData();
+	void testInitializeByMoveWithByteData();
+	void testInitializeByCopyWithMemoryPointer();
+	void testNegativeOffset();
+	void testTooLargeOffset();
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.cpp
new file mode 100644
index 00000000..658d929e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.cpp
@@ -0,0 +1,1028 @@
+#include <iostream>
+#include <sstream>
+
+#include "io_MemoryStream_TestClass.h"
+#include "StreamTestUtil.h"
+
+#include <tc.h>
+
+void io_MemoryStream_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::MemoryStream] START" << std::endl;
+	testCreateEmptyStream_DefaultConstructor();
+	testCreateEmptyStream_SizedConstructor();
+	testCreatePopulatedStream();
+	testInitializeByCopyWithByteData();
+	testInitializeByMoveWithByteData();
+	testInitializeByCopyWithMemoryPointer();
+	testSeekBeginToZero();
+	testSeekBeginToMiddle();
+	testSeekBeginToEnd();
+	testSeekBeginPastEnd();
+	testSeekBeginNegative();
+	testSeekCurrentByZero();
+	testSeekCurrentToMiddle();
+	testSeekCurrentToEnd();
+	testSeekCurrentPastEnd();
+	testSeekCurrentNegative();
+	testSeekEndByZero();
+	testSeekEndPastEnd();
+	testSeekEndNegative();
+	testSeekEndTooNegative();
+	testReadAllDataAvailable();
+	testReadRequestsSubsetOfAvailableData();
+	testReadSomeDataAvailable();
+	testReadNoDataAvailable();
+	testWriteAllDataWritable();
+	testWriteToSomeOfDataAvailable();
+	testWriteSomeDataWritable();
+	testWriteNoDataWritable();
+	testWriteReadDataPersistence();
+	testResizeStreamLarger();
+	testResizeStreamSmaller();
+	testDispose();
+	std::cout << "[tc::io::MemoryStream] END" << std::endl;
+}
+
+void io_MemoryStream_TestClass::testCreateEmptyStream_DefaultConstructor()
+{
+	std::cout << "[tc::io::MemoryStream] testCreateEmptyStream_DefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::MemoryStream stream;
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testCreateEmptyStream_SizedConstructor()
+{
+	std::cout << "[tc::io::MemoryStream] testCreateEmptyStream_SizedConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testCreatePopulatedStream()
+{
+	std::cout << "[tc::io::MemoryStream] testCreatePopulatedStream : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0xcafe, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testInitializeByCopyWithByteData()
+{
+	std::cout << "[tc::io::MemoryStream] testInitializeByCopyWithByteData : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+
+			tc::ByteData data(length);
+			memset(data.data(), 0xff, data.size());
+
+			tc::io::MemoryStream stream = tc::io::MemoryStream(data);
+
+			StreamTestUtil::constructor_TestHelper(stream, 0xcafe, 0, true, true, true);
+
+			tc::ByteData output_data(stream.length());
+			stream.read(output_data.data(), output_data.size());
+
+			if (memcmp(output_data.data(), data.data(), length) != 0)
+			{
+				throw tc::Exception("Data in memory stream was not correct after being constructed from a ByteData object");
+			}
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testInitializeByMoveWithByteData()
+{
+	std::cout << "[tc::io::MemoryStream] testInitializeByMoveWithByteData : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+
+			tc::ByteData control_data(length);
+			memset(control_data.data(), 0xff, control_data.size());
+
+			tc::ByteData experiment_data = control_data;
+
+			tc::io::MemoryStream stream = tc::io::MemoryStream(std::move(experiment_data));
+
+			if (experiment_data.size() != 0)
+			{
+				throw tc::Exception("experiment_data.size() != 0 after being moved from.");
+			}
+			if (experiment_data.data() != nullptr)
+			{
+				throw tc::Exception("experiment_data.data() != nullptr after being moved from.");
+			}
+
+			StreamTestUtil::constructor_TestHelper(stream, 0xcafe, 0, true, true, true);
+
+			tc::ByteData output_data(stream.length());
+			stream.read(output_data.data(), output_data.size());
+
+			if (memcmp(output_data.data(), control_data.data(), length) != 0)
+			{
+				throw tc::Exception("Data in memory stream was not correct after being constructed from a ByteData object");
+			}
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testInitializeByCopyWithMemoryPointer()
+{
+	std::cout << "[tc::io::MemoryStream] testInitializeByCopyWithMemoryPointer : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::ByteData data(length);
+			tc::io::MemoryStream stream(data.data(), data.size());
+
+			StreamTestUtil::constructor_TestHelper(stream, 0xcafe, 0, true, true, true);
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekBeginToZero()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekBeginToZero : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Begin, 0, 0);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekBeginToMiddle()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekBeginToMiddle : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, 0xbabe, tc::io::SeekOrigin::Begin, 0xbabe, 0xbabe);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekBeginToEnd()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekBeginToEnd : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, length, tc::io::SeekOrigin::Begin, length, length);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekBeginPastEnd()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekBeginPastEnd : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, length+0x10, tc::io::SeekOrigin::Begin, length+0x10, length+0x10);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekBeginNegative()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekBeginNegative : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, -23, tc::io::SeekOrigin::Begin, 0, 0);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekCurrentByZero()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekCurrentByZero : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			int64_t seek_pos = 0xbabe;
+			tc::io::MemoryStream stream(length);
+
+			stream.seek(seek_pos, tc::io::SeekOrigin::Begin);
+
+			StreamTestUtil::seek_TestHelper(stream, 0, tc::io::SeekOrigin::Current, seek_pos, seek_pos);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekCurrentToMiddle()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekCurrentToMiddle : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			int64_t seek_pos = 0xbabe;
+			tc::io::MemoryStream stream(length);
+
+			stream.seek(seek_pos, tc::io::SeekOrigin::Begin);
+
+			StreamTestUtil::seek_TestHelper(stream, 0x20, tc::io::SeekOrigin::Current, seek_pos+0x20, seek_pos+0x20);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekCurrentToEnd()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekCurrentToEnd : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			int64_t seek_pos = 0xbabe;
+			tc::io::MemoryStream stream(length);
+
+			stream.seek(seek_pos, tc::io::SeekOrigin::Begin);
+
+			StreamTestUtil::seek_TestHelper(stream, length - seek_pos, tc::io::SeekOrigin::Current, length, length);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekCurrentPastEnd()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekCurrentPastEnd : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			int64_t seek_pos = 0xbabe;
+			tc::io::MemoryStream stream(length);
+
+			stream.seek(seek_pos, tc::io::SeekOrigin::Begin);
+
+			StreamTestUtil::seek_TestHelper(stream, length, tc::io::SeekOrigin::Current, length, length);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekCurrentNegative()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekCurrentNegative : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			int64_t seek_pos = 0xbabe;
+			tc::io::MemoryStream stream(length);
+
+			stream.seek(seek_pos, tc::io::SeekOrigin::Begin);
+
+			StreamTestUtil::seek_TestHelper(stream, 0 - seek_pos + 1, tc::io::SeekOrigin::Current, 1, 1);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekEndByZero()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekEndByZero : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			int64_t seek_pos = 0;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, seek_pos, tc::io::SeekOrigin::End, length, length);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekEndPastEnd()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekEndPastEnd : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			int64_t seek_pos = 1;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, seek_pos, tc::io::SeekOrigin::End, length + seek_pos, length + seek_pos);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekEndNegative()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekEndNegative : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, 0 - length, tc::io::SeekOrigin::End, 0, 0);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testSeekEndTooNegative()
+{
+	std::cout << "[tc::io::MemoryStream] testSeekEndTooNegative : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t length = 0xcafe;
+			tc::io::MemoryStream stream(length);
+
+			StreamTestUtil::seek_TestHelper(stream, 0 - length - length, tc::io::SeekOrigin::End, 0, 0);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testReadAllDataAvailable()
+{
+	std::cout << "[tc::io::MemoryStream] testReadAllDataAvailable : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			int64_t stream_offset = 0;
+			size_t read_len = size_t(stream_length);
+
+			tc::io::MemoryStream stream(stream_length);
+
+			StreamTestUtil::read_TestHelper(stream, stream_offset, tc::io::SeekOrigin::Begin, read_len, read_len, read_len, stream_length);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testReadRequestsSubsetOfAvailableData()
+{
+	std::cout << "[tc::io::MemoryStream] testReadRequestsSubsetOfAvailableData : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			int64_t stream_offset = 0;
+			size_t read_len = 0xbabe;
+
+			tc::io::MemoryStream stream(stream_length);
+
+			StreamTestUtil::read_TestHelper(stream, stream_offset, tc::io::SeekOrigin::Begin, read_len, read_len, read_len, int64_t(read_len));
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testReadSomeDataAvailable()
+{
+	std::cout << "[tc::io::MemoryStream] testReadSomeDataAvailable : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			int64_t stream_offset = 0xbabe;
+			size_t read_len = size_t(stream_length);
+
+			tc::io::MemoryStream stream(stream_length);
+
+			StreamTestUtil::read_TestHelper(stream, stream_offset, tc::io::SeekOrigin::Begin, read_len, read_len, read_len - size_t(stream_offset), stream_length);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testReadNoDataAvailable()
+{
+	std::cout << "[tc::io::MemoryStream] testReadNoDataAvailable : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			size_t read_len = size_t(stream_length);
+			tc::io::MemoryStream stream(stream_length);
+
+			StreamTestUtil::read_TestHelper(stream, 0, tc::io::SeekOrigin::End, read_len, read_len, 0, stream_length);
+			StreamTestUtil::read_TestHelper(stream, 20, tc::io::SeekOrigin::End, read_len, read_len, 0, stream_length + 20);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testWriteAllDataWritable()
+{
+	std::cout << "[tc::io::MemoryStream] testWriteAllDataWritable : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			int64_t stream_offset = 0;
+			size_t data_len = size_t(stream_length);
+
+			tc::ByteData data = tc::ByteData(data_len);
+			tc::io::MemoryStream stream(stream_length);
+
+			int64_t stream_expected_position = int64_t(data_len) + stream_offset;
+
+			StreamTestUtil::write_TestHelper(stream, stream_offset, tc::io::SeekOrigin::Begin, data, stream_expected_position);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testWriteToSomeOfDataAvailable()
+{
+	std::cout << "[tc::io::MemoryStream] testWriteToSomeOfDataAvailable : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			int64_t stream_offset = 0x10;
+			size_t data_len = size_t(0xbabe);
+
+			tc::ByteData data = tc::ByteData(data_len);
+			tc::io::MemoryStream stream(stream_length);
+
+			int64_t stream_expected_position = int64_t(data_len) + stream_offset;
+
+			StreamTestUtil::write_TestHelper(stream, stream_offset, tc::io::SeekOrigin::Begin, data, stream_expected_position);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testWriteSomeDataWritable()
+{
+	std::cout << "[tc::io::MemoryStream] testWriteSomeDataWritable : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			int64_t stream_offset = 0;
+			size_t data_len = size_t(0xdead);
+
+			tc::ByteData data = tc::ByteData(data_len);
+			tc::io::MemoryStream stream(stream_length);
+
+			int64_t stream_expected_position = int64_t(data_len) + stream_offset;
+
+			StreamTestUtil::write_TestHelper(stream, stream_offset, tc::io::SeekOrigin::Begin, data, stream_expected_position, stream_expected_position);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testWriteNoDataWritable()
+{
+	std::cout << "[tc::io::MemoryStream] testWriteNoDataWritable : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xcafe;
+			int64_t stream_offset = stream_length;
+			size_t data_len = size_t(0xcafe);
+
+			tc::ByteData data = tc::ByteData(data_len);
+			tc::io::MemoryStream stream(stream_length);
+
+			int64_t stream_expected_position = int64_t(data_len) + stream_offset;
+
+			StreamTestUtil::write_TestHelper(stream, stream_offset, tc::io::SeekOrigin::Begin, data, stream_expected_position, stream_expected_position);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testWriteReadDataPersistence()
+{
+	std::cout << "[tc::io::MemoryStream] testWriteReadDataPersistence : " << std::flush;
+	try
+	{
+		try
+		{
+			size_t data_size = 0x100;
+			tc::ByteData source(data_size), dst(data_size);
+
+			memset(source.data(), 0xab, source.size());
+
+			tc::io::MemoryStream stream(data_size);
+
+			stream.write(source.data(), source.size());
+			stream.seek(0, tc::io::SeekOrigin::Begin);
+			stream.read(dst.data(), dst.size());
+
+			if (memcmp(source.data(), dst.data(), data_size) != 0)
+			{
+				throw tc::Exception("Stream did not read back data written to it");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testResizeStreamLarger()
+{
+	std::cout << "[tc::io::MemoryStream] testResizeStreamLarger : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t initial_len = 0xbabe;
+			int64_t new_len = 0xcafe;
+
+			tc::io::MemoryStream stream(initial_len);
+			
+			// write data to stream
+			tc::ByteData initial_data = tc::ByteData(size_t(initial_len));
+			memset(initial_data.data(), 0xdf, initial_data.size());
+			stream.write(initial_data.data(), initial_data.size());
+
+			// resize stream larger
+			stream.setLength(new_len);
+
+			// check stream length
+			int64_t len_res = stream.length();
+
+			if (len_res != new_len)
+			{
+				throw tc::Exception("Stream length was not correct after resizing stream");
+			}
+
+			// check stream position
+			int64_t pos_res = stream.position();
+
+			if (pos_res != initial_len)
+			{
+				throw tc::Exception("Stream position was not correct after resizing stream");
+			}
+
+			// read data from stream
+			tc::ByteData new_data = tc::ByteData(size_t(stream.length()));
+			stream.seek(0, tc::io::SeekOrigin::Begin);
+			stream.read(new_data.data(), new_data.size());
+
+			// check data was correct
+			size_t cmp_size = std::min<size_t>(initial_data.size(), new_data.size());
+			if (memcmp(initial_data.data(), new_data.data(), cmp_size) != 0)
+			{
+				throw tc::Exception("After resizing data was not correct");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testResizeStreamSmaller()
+{
+	std::cout << "[tc::io::MemoryStream] testResizeStreamSmaller : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t initial_len = 0xdead;
+			int64_t new_len = 0xcafe;
+
+			tc::io::MemoryStream stream(initial_len);
+			
+			// write data to stream
+			tc::ByteData initial_data = tc::ByteData(size_t(initial_len));
+			memset(initial_data.data(), 0xdf, initial_data.size());
+			stream.write(initial_data.data(), initial_data.size());
+
+			// resize stream larger
+			stream.setLength(new_len);
+
+			// check stream length
+			int64_t len_res = stream.length();
+
+			if (len_res != new_len)
+			{
+				throw tc::Exception("Stream length was not correct after resizing stream");
+			}
+
+			// check stream position
+			int64_t pos_res = stream.position();
+
+			if (pos_res != new_len)
+			{
+				throw tc::Exception("Stream position was not correct after resizing stream");
+			}
+
+			// read data from stream
+			tc::ByteData new_data = tc::ByteData(size_t(stream.length()));
+			stream.seek(0, tc::io::SeekOrigin::Begin);
+			stream.read(new_data.data(), new_data.size());
+
+			// check data was correct
+			size_t cmp_size = std::min<size_t>(initial_data.size(), new_data.size());
+			if (memcmp(initial_data.data(), new_data.data(), cmp_size) != 0)
+			{
+				throw tc::Exception("After resizing data was not correct");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_MemoryStream_TestClass::testDispose()
+{
+	std::cout << "[tc::io::MemoryStream] testDispose : " << std::flush;
+	try
+	{
+		try
+		{
+			int64_t stream_length = 0xdead;
+			tc::io::MemoryStream stream(stream_length);
+
+			// test stream has a valid length pre-disposal
+			if (stream.length() != stream_length)
+			{
+				throw tc::Exception("Stream did not have expected length pre-disposal");
+			}
+
+			// dispose stream
+			stream.dispose();
+
+			// test stream has a no length post-disposal
+			if (stream.length() != 0)
+			{
+				throw tc::Exception("Stream did not have no length post-disposal");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.h b/ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.h
new file mode 100644
index 00000000..b97defcc
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_MemoryStream_TestClass.h
@@ -0,0 +1,43 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io/MemoryStream.h>
+
+class io_MemoryStream_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testCreateEmptyStream_DefaultConstructor();
+	void testCreateEmptyStream_SizedConstructor();
+	void testCreatePopulatedStream();
+	void testInitializeByCopyWithByteData();
+	void testInitializeByMoveWithByteData();
+	void testInitializeByCopyWithMemoryPointer();
+	void testSeekBeginToZero();
+	void testSeekBeginToMiddle();
+	void testSeekBeginToEnd();
+	void testSeekBeginPastEnd();
+	void testSeekBeginNegative();
+	void testSeekCurrentByZero();
+	void testSeekCurrentToMiddle();
+	void testSeekCurrentToEnd();
+	void testSeekCurrentPastEnd();
+	void testSeekCurrentNegative();
+	void testSeekEndByZero();
+	void testSeekEndPastEnd();
+	void testSeekEndNegative();
+	void testSeekEndTooNegative();
+	void testReadAllDataAvailable();
+	void testReadRequestsSubsetOfAvailableData();
+	void testReadSomeDataAvailable();
+	void testReadNoDataAvailable();
+	void testWriteAllDataWritable();
+	void testWriteToSomeOfDataAvailable();
+	void testWriteSomeDataWritable();
+	void testWriteNoDataWritable();
+	void testWriteReadDataPersistence();
+	void testResizeStreamLarger();
+	void testResizeStreamSmaller();
+	void testDispose();
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.cpp
new file mode 100644
index 00000000..16f6c73a
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.cpp
@@ -0,0 +1,377 @@
+#include <iostream>
+#include <sstream>
+
+#include "io_OverlayedSource_TestClass.h"
+#include "SourceTestUtil.h"
+
+#include <tc.h>
+
+void io_OverlayedSource_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::OverlayedSource] START" << std::endl;
+	testDefaultConstructor();
+	testSingleOverlayConstructor();
+	testMultiOverlayConstructor();
+	testNullBaseStream();
+	testNullOverlayStream();
+	testOverlayStreamTooSmallForOverlayRegion();
+	testOverlayRegionBeforeBaseStream();
+	testOverlayRegionPartlyBeforeBaseStream();
+	testOverlayRegionAfterBaseStream();
+	testOverlayRegionPartlyAfterBaseStream();
+	std::cout << "[tc::io::OverlayedSource] END" << std::endl;
+}
+
+void io_OverlayedSource_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::io::OverlayedSource] testDefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::OverlayedSource source;
+
+			SourceTestUtil::testSourceLength(source, 0);
+			SourceTestUtil::pullTestHelper(source, 0, 0xdead, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testSingleOverlayConstructor()
+{
+	std::cout << "[tc::io::OverlayedSource] testSingleOverlayConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			// ## create overlay source
+			size_t overlay_offset = 0x80;
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+			tc::io::PaddingSource overlay_source = tc::io::PaddingSource(0xaa, 0x100);
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), std::make_shared<tc::io::PaddingSource>(overlay_source), overlay_offset, overlay_source.length());
+
+			// ## create ByteData with expected data to test against
+			tc::ByteData expected_data = base_source.pullData(0, base_source.length());
+			tc::ByteData overlay_data = overlay_source.pullData(0, overlay_source.length());
+			
+			memcpy(expected_data.data() + overlay_offset, overlay_data.data(), overlay_data.size());
+
+			// ## validate overlay source
+			// source length
+			SourceTestUtil::testSourceLength(source, base_source.length());
+
+			// pullData tests
+			size_t pull_size;
+			int64_t pull_offset;
+
+			// pull full contents of source
+			pull_size = base_source.length();
+			pull_offset = 0;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size, expected_data.data() + pull_offset);
+
+			// try to pull double the length of source
+			pull_size = base_source.length() * 2;
+			pull_offset = 0;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size/2, expected_data.data() + pull_offset);
+			
+			// pull source up to overlay source
+			pull_size = overlay_offset;
+			pull_offset = 0;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size, expected_data.data() + pull_offset);
+
+			// pull just overlay source
+			pull_size = overlay_source.length();
+			pull_offset = overlay_offset;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size, expected_data.data() + pull_offset);
+
+			// pull part of overlay
+			pull_size = 0x20;
+			pull_offset = overlay_offset - 0x30;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size, expected_data.data() + pull_offset);
+
+			// pull part of base and part of overlay
+			pull_size = 0x20;
+			pull_offset = overlay_offset - 0x10;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size, expected_data.data() + pull_offset);
+
+			// pull part of overlay and part of base
+			pull_size = 0x20;
+			pull_offset = overlay_offset + overlay_source.length() - 0x10;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size, expected_data.data() + pull_offset);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testMultiOverlayConstructor()
+{
+	std::cout << "[tc::io::OverlayedSource] testMultiOverlayConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			
+			// ## create overlay source
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+
+			std::vector<tc::io::OverlayedSource::OverlaySourceInfo> overlay_info = {
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xaa, 0x1000)), 0x20, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xbb, 0x1000)), 0x100, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xcc, 0x1000)), 0x320, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xdd, 0x1000)), 0x420, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xee, 0x1000)), 0x520, 0x100 },
+			};
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), overlay_info);
+
+			// ## create ByteData with expected data to test against
+			tc::ByteData expected_data = base_source.pullData(0, base_source.length());
+			for (auto itr = overlay_info.begin(); itr != overlay_info.end(); itr++)
+			{
+				tc::ByteData tmp = itr->overlay_source->pullData(0, itr->length);
+				memcpy(expected_data.data() + itr->offset, tmp.data(), tmp.size());
+			}
+					
+			// ## validate overlay source
+			// source length
+			SourceTestUtil::testSourceLength(source, base_source.length());
+
+			// pullData tests
+			size_t pull_size;
+			int64_t pull_offset;
+
+			// pull full contents of source
+			pull_size = base_source.length();
+			pull_offset = 0;
+			SourceTestUtil::pullTestHelper(source, pull_offset, pull_size, pull_size, expected_data.data() + pull_offset);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testNullBaseStream()
+{
+	std::cout << "[tc::io::OverlayedSource] testNullBaseStream : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+
+			std::vector<tc::io::OverlayedSource::OverlaySourceInfo> overlay_info = {
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xaa, 0x1000)), 0x20, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xbb, 0x1000)), 0x100, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xcc, 0x1000)), 0x320, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xdd, 0x1000)), 0x420, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xee, 0x1000)), 0x520, 0x100 },
+			};
+
+			tc::io::OverlayedSource source(std::shared_ptr<tc::io::PaddingSource>(nullptr), overlay_info);
+
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testNullOverlayStream()
+{
+	std::cout << "[tc::io::OverlayedSource] testNullOverlayStream : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+
+			std::vector<tc::io::OverlayedSource::OverlaySourceInfo> overlay_info = {
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xaa, 0x1000)), 0x20, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xbb, 0x1000)), 0x100, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(nullptr), 0x320, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xdd, 0x1000)), 0x420, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xee, 0x1000)), 0x520, 0x100 },
+			};
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), overlay_info);
+
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testOverlayStreamTooSmallForOverlayRegion()
+{
+	std::cout << "[tc::io::OverlayedSource] testOverlayStreamTooSmallForOverlayRegion : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+
+			std::vector<tc::io::OverlayedSource::OverlaySourceInfo> overlay_info = {
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xaa, 0x1000)), 0x20, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xbb, 0x1000)), 0x100, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xcc, 0x10)), 0x300, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xdd, 0x1000)), 0x420, 0x100 },
+				{ std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0xee, 0x1000)), 0x520, 0x100 },
+			};
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), overlay_info);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testOverlayRegionBeforeBaseStream()
+{
+	std::cout << "[tc::io::OverlayedSource] testOverlayRegionBeforeBaseStream : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+			tc::io::PaddingSource padding_source = tc::io::PaddingSource(0xee, 0x1000);
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), std::make_shared<tc::io::PaddingSource>(padding_source), -1, 1);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testOverlayRegionPartlyBeforeBaseStream()
+{
+	std::cout << "[tc::io::OverlayedSource] testOverlayRegionPartlyBeforeBaseStream : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+			tc::io::PaddingSource padding_source = tc::io::PaddingSource(0xee, 0x1000);
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), std::make_shared<tc::io::PaddingSource>(padding_source), -1, 20);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testOverlayRegionAfterBaseStream()
+{
+	std::cout << "[tc::io::OverlayedSource] testOverlayRegionAfterBaseStream : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+			tc::io::PaddingSource padding_source = tc::io::PaddingSource(0xee, 0x1000);
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), std::make_shared<tc::io::PaddingSource>(padding_source), 0x1000, 0x100);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_OverlayedSource_TestClass::testOverlayRegionPartlyAfterBaseStream()
+{
+	std::cout << "[tc::io::OverlayedSource] testOverlayRegionPartlyAfterBaseStream : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource base_source = tc::io::PaddingSource(0xff, 0x1000);
+			tc::io::PaddingSource padding_source = tc::io::PaddingSource(0xee, 0x1000);
+
+			tc::io::OverlayedSource source(std::make_shared<tc::io::PaddingSource>(base_source), std::make_shared<tc::io::PaddingSource>(padding_source), 0xfff, 0x100);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.h b/ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.h
new file mode 100644
index 00000000..0fc0e793
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_OverlayedSource_TestClass.h
@@ -0,0 +1,21 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io/OverlayedSource.h>
+
+class io_OverlayedSource_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testSingleOverlayConstructor();
+	void testMultiOverlayConstructor();
+	void testNullBaseStream();
+	void testNullOverlayStream();
+	void testOverlayStreamTooSmallForOverlayRegion();
+	void testOverlayRegionBeforeBaseStream();
+	void testOverlayRegionPartlyBeforeBaseStream();
+	void testOverlayRegionAfterBaseStream();
+	void testOverlayRegionPartlyAfterBaseStream();
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.cpp
new file mode 100644
index 00000000..4bec28fa
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.cpp
@@ -0,0 +1,134 @@
+#include <iostream>
+
+#include "io_PaddingSource_TestClass.h"
+#include "SourceTestUtil.h"
+
+#include <tc.h>
+
+void io_PaddingSource_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::PaddingSource] START" << std::endl;
+	testDefaultConstructor();
+	testCreateConstructor();
+	testNegativeOffset();
+	testTooLargeOffset();
+	std::cout << "[tc::io::PaddingSource] END" << std::endl;
+}
+
+void io_PaddingSource_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::io::PaddingSource] testDefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::PaddingSource source;
+
+			SourceTestUtil::testSourceLength(source, 0);
+			SourceTestUtil::pullTestHelper(source, 0, 0xdead, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_PaddingSource_TestClass::testCreateConstructor()
+{
+	std::cout << "[tc::io::PaddingSource] testCreateConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			byte_t padding_byte = 0xef;
+			int64_t source_len = 0x21432;
+			tc::io::PaddingSource source(padding_byte, source_len);
+
+			// create expected data
+			tc::ByteData expected_data(source_len);
+			memset(expected_data.data(), padding_byte, expected_data.size());
+
+			// test source
+			SourceTestUtil::testSourceLength(source, source_len);
+			SourceTestUtil::pullTestHelper(source, 0, source_len, source_len, expected_data.data());
+			SourceTestUtil::pullTestHelper(source, 0, source_len/2, source_len/2, expected_data.data());
+			SourceTestUtil::pullTestHelper(source, 0, source_len*2, source_len, expected_data.data());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_PaddingSource_TestClass::testNegativeOffset()
+{
+	std::cout << "[tc::io::PaddingSource] testNegativeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			byte_t padding_byte = 0xef;
+			int64_t source_len = 0x21432;
+			tc::io::PaddingSource source(padding_byte, source_len);
+
+			// test
+			SourceTestUtil::testSourceLength(source, source_len);
+			SourceTestUtil::pullTestHelper(source, -10, 20, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_PaddingSource_TestClass::testTooLargeOffset()
+{
+	std::cout << "[tc::io::PaddingSource] testTooLargeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			byte_t padding_byte = 0xef;
+			int64_t source_len = 0x21432;
+			tc::io::PaddingSource source(padding_byte, source_len);
+
+			// test
+			SourceTestUtil::testSourceLength(source, source_len);
+			SourceTestUtil::pullTestHelper(source, source_len * 2, 20, 0, nullptr);
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.h b/ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.h
new file mode 100644
index 00000000..3d4aca15
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_PaddingSource_TestClass.h
@@ -0,0 +1,13 @@
+#pragma once
+#include "ITestClass.h"
+
+class io_PaddingSource_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testCreateConstructor();
+	void testNegativeOffset();
+	void testTooLargeOffset();
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_Path_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_Path_TestClass.cpp
new file mode 100644
index 00000000..5984bb7b
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_Path_TestClass.cpp
@@ -0,0 +1,1197 @@
+#include <tc/Exception.h>
+#include <tc/io/PathUtil.h>
+
+#include <fmt/core.h>
+#include <fmt/ranges.h>
+
+#include "io_Path_TestClass.h"
+
+//---------------------------------------------------------
+
+void io_Path_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::io::Path] START\n");
+	test_Constructor_Default();
+	test_Constructor_InitializerList();
+	test_Constructor_u8string();
+	test_Constructor_u16string();
+	test_Constructor_u32string();
+	test_Method_pop_front();
+	test_Method_pop_back();
+	test_Method_push_front();
+	test_Method_push_back();
+	test_Method_clear();
+	test_Method_substr_withPosLen();
+	test_Method_substr_withIterator();
+	test_Method_to_string();
+	test_Method_to_u16string();
+	test_Method_to_u32string();
+	test_Operator_string();
+	test_Operator_u16string();
+	test_Operator_u32string();
+	test_Operator_Addition();
+	test_Operator_Append();
+	test_Scenario_AppendStressTest();
+	test_Operator_EqualityTest();
+	test_Operator_InequalityTest();
+	test_Operator_LessThanTest();
+	fmt::print("[tc::io::Path] END\n");
+}
+
+//---------------------------------------------------------
+
+void io_Path_TestClass::test_Constructor_Default()
+{
+	fmt::print("[tc::io::Path] test_Constructor_Default : ");
+	try
+	{
+		tc::io::Path path_empty;
+		
+		if (path_empty.size() != 0)
+		{
+			throw tc::Exception("Default constructor did not create a path with 0 elements (.size() != 0)");
+		}
+
+		if (path_empty.empty() != true)
+		{
+			throw tc::Exception("Default constructor did not create an empty path (.empty() != true)");
+		}
+
+		if (path_empty.begin() != path_empty.end())
+		{
+			throw tc::Exception("Default constructor did not create an empty path (.begin() == .end())");
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Constructor_InitializerList()
+{
+	fmt::print("[tc::io::Path] test_Constructor_InitializerList : ");
+	try
+	{
+		tc::io::Path path = {"a", "path", "from", "an", "initializer", "list"};
+		std::list<std::string> expected_elements = {"a", "path", "from", "an", "initializer", "list"};
+		
+		if (path.size() != expected_elements.size())
+		{
+			throw tc::Exception(fmt::format("InitializerList constructor did not create a path with {} elements (.size() == {})", expected_elements.size(), path.size()));
+		}
+
+		if (path.empty() != false)
+		{
+			throw tc::Exception("InitializerList constructor created an empty path (.empty() != false)");
+		}
+
+		if (path.begin() == path.end())
+		{
+			throw tc::Exception("InitializerList constructor created an empty path (.begin() == .end())");
+		}
+
+		for (auto pathItr = path.begin(), expItr = expected_elements.begin(); pathItr != path.end(); pathItr++, expItr++)
+		{
+			if (*pathItr != *expItr)
+			{
+				throw tc::Exception(fmt::format("InitializerList constructer created a path with unexpected elements (Path contained {}, expected {})", std::list<std::string>(path.begin(), path.end()), expected_elements) );
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Constructor_u8string()
+{
+	fmt::print("[tc::io::Path] test_Constructor_u8string : ");
+	try
+	{
+		struct Test
+		{
+			std::string path_string;
+			tc::io::Path expected_path;
+		};
+		std::vector<Test> tests {
+			{"", tc::io::Path({})},
+			{"/", tc::io::Path({""})},
+			{"C:\\", tc::io::Path({"C:"})},
+			{"~/.ssh/id_rsa", tc::io::Path({"~", ".ssh", "id_rsa"})},
+			{"C:\\Users\\Administrator\\Desktop", tc::io::Path({"C:", "Users", "Administrator", "Desktop"})},
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+			tc::io::Path path = itr->path_string;
+			if (path != itr->expected_path)
+			{
+				throw tc::Exception(fmt::format("Failed to convert \"{}\" to path. (Path contained {}, expected {})", itr->path_string, std::list<std::string>(path.begin(), path.end()), std::list<std::string>(itr->expected_path.begin(), itr->expected_path.end())));
+			}
+		}
+
+		try
+		{
+			tc::io::Path("A/Mix\\Of/Path\\Separators");
+			throw tc::Exception("Path(const std::string&) constructor did not throw tc::ArgumentException where there was a mix of path separators.");
+		}
+		catch(const tc::ArgumentException&)
+		{
+			// do nothing
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Constructor_u16string()
+{
+	fmt::print("[tc::io::Path] test_Constructor_u16string : ");
+	try
+	{
+		struct Test
+		{
+			std::u16string path_string;
+			tc::io::Path expected_path;
+		};
+		std::vector<Test> tests {
+			{u"", tc::io::Path({})},
+			{u"/", tc::io::Path({""})},
+			{u"C:\\", tc::io::Path({"C:"})},
+			{u"~/.ssh/id_rsa", tc::io::Path({"~", ".ssh", "id_rsa"})},
+			{u"C:\\Users\\Administrator\\Desktop", tc::io::Path({"C:", "Users", "Administrator", "Desktop"})},
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+			tc::io::Path path = itr->path_string;
+			if (path != itr->expected_path)
+			{
+				std::string u8_string;
+				tc::string::TranscodeUtil::UTF16ToUTF8(itr->path_string, u8_string);
+				throw tc::Exception(fmt::format("Failed to convert u\"{}\" to path. (Path contained {}, expected {})", u8_string, std::list<std::string>(path.begin(), path.end()), std::list<std::string>(itr->expected_path.begin(), itr->expected_path.end())));
+			}
+		}
+
+		try
+		{
+			tc::io::Path(u"A/Mix\\Of/Path\\Separators");
+			throw tc::Exception("Path(const std::u16string&) constructor did not throw tc::ArgumentException where there was a mix of path separators.");
+		}
+		catch(const tc::ArgumentException&)
+		{
+			// do nothing
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Constructor_u32string()
+{
+	fmt::print("[tc::io::Path] test_Constructor_u32string : ");
+	try
+	{
+		struct Test
+		{
+			std::u32string path_string;
+			tc::io::Path expected_path;
+		};
+		std::vector<Test> tests {
+			{U"", tc::io::Path({})},
+			{U"/", tc::io::Path({""})},
+			{U"C:\\", tc::io::Path({"C:"})},
+			{U"~/.ssh/id_rsa", tc::io::Path({"~", ".ssh", "id_rsa"})},
+			{U"C:\\Users\\Administrator\\Desktop", tc::io::Path({"C:", "Users", "Administrator", "Desktop"})},
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+			tc::io::Path path = itr->path_string;
+			if (path != itr->expected_path)
+			{
+				std::string u8_string;
+				tc::string::TranscodeUtil::UTF32ToUTF8(itr->path_string, u8_string);
+				throw tc::Exception(fmt::format("Failed to convert U\"{}\" to path. (Path contained {}, expected {})", u8_string, std::list<std::string>(path.begin(), path.end()), std::list<std::string>(itr->expected_path.begin(), itr->expected_path.end())));
+			}
+		}
+
+		try
+		{
+			tc::io::Path(U"A/Mix\\Of/Path\\Separators");
+			throw tc::Exception("Path(const std::u32string&) constructor did not throw tc::ArgumentException where there was a mix of path separators.");
+		}
+		catch(const tc::ArgumentException&)
+		{
+			// do nothing
+		}
+		
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_pop_front()
+{
+	fmt::print("[tc::io::Path] test_Method_pop_front : ");
+	try
+	{
+		tc::io::Path path("a/b/c/d/e/f/g/h/i/j");
+		std::list<std::string> expectedElements = {"a","b","c","d","e","f","g","h","i","j"};
+
+		for (size_t i = 0; i < 10; i++, path.pop_front(), expectedElements.pop_front())
+		{
+			if (*path.begin() != *expectedElements.begin())
+			{
+				throw tc::Exception("pop_front() did not place expected element at begin()");
+			}
+			if (path.front() != expectedElements.front())
+			{
+				throw tc::Exception("pop_front() did not place expected element at front()");
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_pop_back()
+{
+	fmt::print("[tc::io::Path] test_Method_pop_back : ");
+	try
+	{
+		tc::io::Path path("a/b/c/d/e/f/g/h/i/j");
+		std::list<std::string> expectedElements = {"a","b","c","d","e","f","g","h","i","j"};
+
+		for (size_t i = 0; i < 10; i++, path.pop_back(), expectedElements.pop_back())
+		{
+			if (*(--path.end()) != *(--expectedElements.end()))
+			{
+				throw tc::Exception("pop_back() did not place expected element at (--end())");
+			}
+			if (path.back() != expectedElements.back())
+			{
+				throw tc::Exception("pop_back() did not place expected element at back())");
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_push_front()
+{
+	fmt::print("[tc::io::Path] test_Method_push_front : ");
+	try
+	{
+		tc::io::Path path("");
+		std::list<std::string> expectedElements = {};
+
+		std::list<std::string> pushCue = {"a","b","c","d","e","f","g","h","i","j"};
+
+		for (size_t i = 0; i < 10; i++, pushCue.pop_front())
+		{
+			path.push_front(*(pushCue.begin()));
+			expectedElements.push_front(*(pushCue.begin()));
+			if (*(path.begin()) != *(expectedElements.begin()))
+			{
+				throw tc::Exception("push_front() did not place expected element at *(begin())");
+			}
+			if (path.front() != expectedElements.front())
+			{
+				throw tc::Exception("push_front() did not place expected element at front()");
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_push_back()
+{
+	fmt::print("[tc::io::Path] test_Method_push_back : ");
+	try
+	{
+		tc::io::Path path("");
+		std::list<std::string> expectedElements = {};
+
+		std::list<std::string> pushCue = {"a","b","c","d","e","f","g","h","i","j"};
+
+		for (size_t i = 0; i < 10; i++, pushCue.pop_front())
+		{
+			path.push_back(*(pushCue.begin()));
+			expectedElements.push_back(*(pushCue.begin()));
+			if (*(--path.end()) != *(--expectedElements.end()))
+			{
+				throw tc::Exception("push_back() did not place expected element at *(--end())");
+			}
+			if (path.back() != expectedElements.back())
+			{
+				throw tc::Exception("push_back() did not place expected element at back())");
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_clear()
+{
+	fmt::print("[tc::io::Path] test_Method_clear : ");
+	try
+	{
+		tc::io::Path path("a/b/c/d/e/f/g/h/i/j");
+		
+		path.clear();
+
+		if (path.size() != 0)
+		{
+			throw tc::Exception(".size() did not have expected value of 0 after .clear()");
+		}
+
+		if (path.empty() != true)
+		{
+			throw tc::Exception(".empty() did not have expected value of true after .clear()");
+		}
+
+		if (path.begin() != path.end())
+		{
+			throw tc::Exception(".begin() != .end() after .clear()");
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_substr_withPosLen()
+{
+	fmt::print("[tc::io::Path] test_Method_substr_withPosLen : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			size_t pos;
+			size_t len;
+			tc::io::Path exp_subpath;
+		};
+		std::vector<Test> tests {
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, tc::io::Path::npos, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 1, tc::io::Path::npos, {"b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 2, tc::io::Path::npos, {"c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 3, tc::io::Path::npos, {"d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 4, tc::io::Path::npos, {"e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 5, tc::io::Path::npos, {"f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 6, tc::io::Path::npos, {"g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 7, tc::io::Path::npos, {"h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 8, tc::io::Path::npos, {"i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 9, tc::io::Path::npos, {"j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 10, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 11, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 12, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 13, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 12, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 11, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 10, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 9, {"a","b","c","d","e","f","g","h","i"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 8, {"a","b","c","d","e","f","g","h"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 7, {"a","b","c","d","e","f","g"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 6, {"a","b","c","d","e","f"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 5, {"a","b","c","d","e"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 4, {"a","b","c","d"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 3, {"a","b","c"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 2, {"a","b"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 1, {"a"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 0, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 1, 4, {"b","c","d","e"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 2, 4, {"c","d","e","f"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 3, 4, {"d","e","f","g"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 4, 4, {"e","f","g","h"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 5, 4, {"f","g","h","i"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 6, 4, {"g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 7, 4, {"h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 8, 4, {"i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 9, 4, {"j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 10, 4, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, tc::io::Path::npos, tc::io::Path::npos, {}},
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+			tc::io::Path subpath = itr->path.subpath(itr->pos, itr->len);
+
+			if (subpath != itr->exp_subpath)
+			{
+				throw tc::Exception(fmt::format(".subpath(pos={},len={}) returned incorrect sub path (returned {}, expected {})", itr->pos, itr->len, std::list<std::string>(subpath.begin(), subpath.end()), std::list<std::string>(itr->exp_subpath.begin(), itr->exp_subpath.end())));
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_substr_withIterator()
+{
+	fmt::print("[tc::io::Path] test_Method_substr_withIterator : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			size_t pos;
+			size_t len;
+			tc::io::Path exp_subpath;
+		};
+		std::vector<Test> tests {
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, tc::io::Path::npos, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 1, tc::io::Path::npos, {"b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 2, tc::io::Path::npos, {"c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 3, tc::io::Path::npos, {"d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 4, tc::io::Path::npos, {"e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 5, tc::io::Path::npos, {"f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 6, tc::io::Path::npos, {"g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 7, tc::io::Path::npos, {"h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 8, tc::io::Path::npos, {"i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 9, tc::io::Path::npos, {"j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 10, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 11, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 12, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 13, tc::io::Path::npos, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 12, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 11, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 10, {"a","b","c","d","e","f","g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 9, {"a","b","c","d","e","f","g","h","i"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 8, {"a","b","c","d","e","f","g","h"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 7, {"a","b","c","d","e","f","g"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 6, {"a","b","c","d","e","f"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 5, {"a","b","c","d","e"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 4, {"a","b","c","d"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 3, {"a","b","c"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 2, {"a","b"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 1, {"a"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 0, 0, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 1, 4, {"b","c","d","e"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 2, 4, {"c","d","e","f"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 3, 4, {"d","e","f","g"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 4, 4, {"e","f","g","h"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 5, 4, {"f","g","h","i"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 6, 4, {"g","h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 7, 4, {"h","i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 8, 4, {"i","j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 9, 4, {"j"}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, 10, 4, {}},
+			{{"a","b","c","d","e","f","g","h","i","j"}, tc::io::Path::npos, tc::io::Path::npos, {}},
+		};
+
+		for (auto testItr = tests.begin(); testItr != tests.end(); testItr++)
+		{
+			tc::io::Path::iterator subPathBeginItr = testItr->path.end(), subPathEndItr = testItr->path.end();
+
+			size_t pos = 0;
+			for (auto pathItr = testItr->path.begin(); pathItr != testItr->path.end(); pathItr++)
+			{
+				if (pos == testItr->pos)
+					subPathBeginItr = pathItr;
+				if (pos == (testItr->pos + testItr->len))
+					subPathEndItr = pathItr;
+
+				pos++;
+			}
+
+			tc::io::Path subpath = testItr->path.subpath(subPathBeginItr, subPathEndItr);
+
+			if (subpath != testItr->exp_subpath)
+			{
+				throw tc::Exception(fmt::format(".subpath(begin,end) note({},{}) returned incorrect sub path (returned {}, expected {})", testItr->pos, testItr->len, std::list<std::string>(subpath.begin(), subpath.end()), std::list<std::string>(testItr->exp_subpath.begin(), testItr->exp_subpath.end())));
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_to_string()
+{
+	fmt::print("[tc::io::Path] test_Method_to_string : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			std::string exp_posix_str;
+			std::string exp_win32_str;
+		};
+		std::vector<Test> tests {
+			{{}, "", ""}, // empty path
+			{{""}, "/", ""}, // POSIX root path
+			{{"C:"}, "C:", "C:\\"}, // windows root path
+			{{"c:"}, "c:", "c:\\"}, // windows root path
+			{{"data:"}, "data:", "data:"}, // this is a counter test to test the special case handling root paths in POSIX and Win32 formatting
+			{{"some", "relative", "path", "that", "has", "seven", "elements"}, "some/relative/path/that/has/seven/elements", "some\\relative\\path\\that\\has\\seven\\elements"}, // relative path
+			{{"a dir", "a subdir"}, "a dir/a subdir", "a dir\\a subdir"}, // shorter relative path with spaces
+			{{"", "usr", "bin", "bash"}, "/usr/bin/bash", "\\usr\\bin\\bash"}, // absoulute POSIX path
+			{{"C:", "Users", "TestUser", "Desktop", "hi.txt"}, "C:/Users/TestUser/Desktop/hi.txt", "C:\\Users\\TestUser\\Desktop\\hi.txt"}, // absoulute Win32 path
+			{{std::string(u8"示例文本"), std::string(u8"サンプルテキスト"), std::string(u8"δείγμα κειμένου"), std::string(u8"טקסט לדוגמה")}, std::string(u8"示例文本/サンプルテキスト/δείγμα κειμένου/טקסט לדוגמה"), std::string(u8"示例文本\\サンプルテキスト\\δείγμα κειμένου\\טקסט לדוגמה")} // non-ASCII characters (chinese, japanese, greek, hebrew)
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+#ifdef _WIN32
+			std::string exp_native_str = itr->exp_win32_str;
+#else
+			std::string exp_native_str = itr->exp_posix_str;
+#endif
+
+			std::string native_str = itr->path.to_string(tc::io::Path::Format::Native);
+			std::string posix_str = itr->path.to_string(tc::io::Path::Format::POSIX);
+			std::string win32_str = itr->path.to_string(tc::io::Path::Format::Win32);
+
+			if (native_str != exp_native_str)
+			{
+				throw tc::Exception(fmt::format(".to_string(Format::Native) failed to format path as string. (returned: \"{}\", expected: \"{}\")", native_str, exp_native_str));
+			}
+
+			if (posix_str != itr->exp_posix_str)
+			{
+				throw tc::Exception(fmt::format(".to_string(Format::POSIX) failed to format path as string. (returned: \"{}\", expected: \"{}\")", posix_str, itr->exp_posix_str));
+			}
+
+			if (win32_str != itr->exp_win32_str)
+			{
+				throw tc::Exception(fmt::format(".to_string(Format::Win32) failed to format path as string. (returned: \"{}\", expected: \"{}\")", win32_str, itr->exp_win32_str));
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_to_u16string()
+{
+	fmt::print("[tc::io::Path] test_Method_to_u16string : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			std::u16string exp_posix_str;
+			std::u16string exp_win32_str;
+		};
+		std::vector<Test> tests {
+			{{}, u"", u""}, // empty path
+			{{""}, u"/", u""}, // POSIX root path
+			{{"C:"}, u"C:", u"C:\\"}, // windows root path
+			{{"data:"}, u"data:", u"data:"}, // this is a counter test to test the special case handling root paths in POSIX and Win32 formatting
+			{{"some", "relative", "path", "that", "has", "seven", "elements"}, u"some/relative/path/that/has/seven/elements", u"some\\relative\\path\\that\\has\\seven\\elements"}, // relative path
+			{{"a dir", "a subdir"}, u"a dir/a subdir", u"a dir\\a subdir"}, // shorter relative path with spaces
+			{{"", "usr", "bin", "bash"}, u"/usr/bin/bash", u"\\usr\\bin\\bash"}, // absoulute POSIX path
+			{{"C:", "Users", "TestUser", "Desktop", "hi.txt"}, u"C:/Users/TestUser/Desktop/hi.txt", u"C:\\Users\\TestUser\\Desktop\\hi.txt"}, // absoulute Win32 path
+			{{std::string(u8"示例文本"), std::string(u8"サンプルテキスト"), std::string(u8"δείγμα κειμένου"), std::string(u8"טקסט לדוגמה")}, std::u16string(u"示例文本/サンプルテキスト/δείγμα κειμένου/טקסט לדוגמה"), std::u16string(u"示例文本\\サンプルテキスト\\δείγμα κειμένου\\טקסט לדוגמה")} // non-ASCII characters (chinese, japanese, greek, hebrew)
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+#ifdef _WIN32
+			std::u16string exp_native_str = itr->exp_win32_str;
+#else
+			std::u16string exp_native_str = itr->exp_posix_str;
+#endif
+
+			std::u16string native_str = itr->path.to_u16string(tc::io::Path::Format::Native);
+			std::u16string posix_str = itr->path.to_u16string(tc::io::Path::Format::POSIX);
+			std::u16string win32_str = itr->path.to_u16string(tc::io::Path::Format::Win32);
+
+			if (native_str != exp_native_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF16ToUTF8(native_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF16ToUTF8(exp_native_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format(".to_u16string(Format::Native) failed to format path as u16string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+
+			if (posix_str != itr->exp_posix_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF16ToUTF8(posix_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF16ToUTF8(itr->exp_posix_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format(".to_u16string(Format::POSIX) failed to format path as u16string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+
+			if (win32_str != itr->exp_win32_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF16ToUTF8(win32_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF16ToUTF8(itr->exp_win32_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format(".to_u16string(Format::Win32) failed to format path as u16string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Method_to_u32string()
+{
+	fmt::print("[tc::io::Path] test_Method_to_u32string : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			std::u32string exp_posix_str;
+			std::u32string exp_win32_str;
+		};
+		std::vector<Test> tests {
+			{{}, U"", U""}, // empty path
+			{{""}, U"/", U""}, // POSIX root path
+			{{"C:"}, U"C:", U"C:\\"}, // windows root path
+			{{"data:"}, U"data:", U"data:"}, // this is a counter test to test the special case handling root paths in POSIX and Win32 formatting
+			{{"some", "relative", "path", "that", "has", "seven", "elements"}, U"some/relative/path/that/has/seven/elements", U"some\\relative\\path\\that\\has\\seven\\elements"}, // relative path
+			{{"a dir", "a subdir"}, U"a dir/a subdir", U"a dir\\a subdir"}, // shorter relative path with spaces
+			{{"", "usr", "bin", "bash"}, U"/usr/bin/bash", U"\\usr\\bin\\bash"}, // absoulute POSIX path
+			{{"C:", "Users", "TestUser", "Desktop", "hi.txt"}, U"C:/Users/TestUser/Desktop/hi.txt", U"C:\\Users\\TestUser\\Desktop\\hi.txt"}, // absoulute Win32 path
+			{{std::string(u8"示例文本"), std::string(u8"サンプルテキスト"), std::string(u8"δείγμα κειμένου"), std::string(u8"טקסט לדוגמה")}, std::u32string(U"示例文本/サンプルテキスト/δείγμα κειμένου/טקסט לדוגמה"), std::u32string(U"示例文本\\サンプルテキスト\\δείγμα κειμένου\\טקסט לדוגמה")} // non-ASCII characters (chinese, japanese, greek, hebrew)
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+#ifdef _WIN32
+			std::u32string exp_native_str = itr->exp_win32_str;
+#else
+			std::u32string exp_native_str = itr->exp_posix_str;
+#endif
+
+			std::u32string native_str = itr->path.to_u32string(tc::io::Path::Format::Native);
+			std::u32string posix_str = itr->path.to_u32string(tc::io::Path::Format::POSIX);
+			std::u32string win32_str = itr->path.to_u32string(tc::io::Path::Format::Win32);
+
+			if (native_str != exp_native_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF32ToUTF8(native_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF32ToUTF8(exp_native_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format(".to_u32string(Format::Native) failed to format path as u32string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+
+			if (posix_str != itr->exp_posix_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF32ToUTF8(posix_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF32ToUTF8(itr->exp_posix_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format(".to_u32string(Format::POSIX) failed to format path as u32string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+
+			if (win32_str != itr->exp_win32_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF32ToUTF8(win32_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF32ToUTF8(itr->exp_win32_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format(".to_u32string(Format::Win32) failed to format path as u32string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_string()
+{
+	fmt::print("[tc::io::Path] test_Operator_string : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			std::string exp_posix_str;
+			std::string exp_win32_str;
+		};
+		std::vector<Test> tests {
+			{{}, "", ""}, // empty path
+			{{""}, "/", ""}, // POSIX root path
+			{{"C:"}, "C:", "C:\\"}, // windows root path
+			{{"c:"}, "c:", "c:\\"}, // windows root path
+			{{"data:"}, "data:", "data:"}, // this is a counter test to test the special case handling root paths in POSIX and Win32 formatting
+			{{"some", "relative", "path", "that", "has", "seven", "elements"}, "some/relative/path/that/has/seven/elements", "some\\relative\\path\\that\\has\\seven\\elements"}, // relative path
+			{{"a dir", "a subdir"}, "a dir/a subdir", "a dir\\a subdir"}, // shorter relative path with spaces
+			{{"", "usr", "bin", "bash"}, "/usr/bin/bash", "\\usr\\bin\\bash"}, // absoulute POSIX path
+			{{"C:", "Users", "TestUser", "Desktop", "hi.txt"}, "C:/Users/TestUser/Desktop/hi.txt", "C:\\Users\\TestUser\\Desktop\\hi.txt"}, // absoulute Win32 path
+			{{std::string(u8"示例文本"), std::string(u8"サンプルテキスト"), std::string(u8"δείγμα κειμένου"), std::string(u8"טקסט לדוגמה")}, std::string(u8"示例文本/サンプルテキスト/δείγμα κειμένου/טקסט לדוגמה"), std::string(u8"示例文本\\サンプルテキスト\\δείγμα κειμένου\\טקסט לדוגמה")} // non-ASCII characters (chinese, japanese, greek, hebrew)
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+#ifdef _WIN32
+			std::string exp_native_str = itr->exp_win32_str;
+#else
+			std::string exp_native_str = itr->exp_posix_str;
+#endif
+
+			std::string native_str = itr->path;
+
+			if (native_str != exp_native_str)
+			{
+				throw tc::Exception(fmt::format("operator string() failed to format path as string. (returned: \"{}\", expected: \"{}\")", native_str, exp_native_str));
+			}
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_u16string()
+{
+	fmt::print("[tc::io::Path] test_Operator_u16string : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			std::u16string exp_posix_str;
+			std::u16string exp_win32_str;
+		};
+		std::vector<Test> tests {
+			{{}, u"", u""}, // empty path
+			{{""}, u"/", u""}, // POSIX root path
+			{{"C:"}, u"C:", u"C:\\"}, // windows root path
+			{{"data:"}, u"data:", u"data:"}, // this is a counter test to test the special case handling root paths in POSIX and Win32 formatting
+			{{"some", "relative", "path", "that", "has", "seven", "elements"}, u"some/relative/path/that/has/seven/elements", u"some\\relative\\path\\that\\has\\seven\\elements"}, // relative path
+			{{"a dir", "a subdir"}, u"a dir/a subdir", u"a dir\\a subdir"}, // shorter relative path with spaces
+			{{"", "usr", "bin", "bash"}, u"/usr/bin/bash", u"\\usr\\bin\\bash"}, // absoulute POSIX path
+			{{"C:", "Users", "TestUser", "Desktop", "hi.txt"}, u"C:/Users/TestUser/Desktop/hi.txt", u"C:\\Users\\TestUser\\Desktop\\hi.txt"}, // absoulute Win32 path
+			{{std::string(u8"示例文本"), std::string(u8"サンプルテキスト"), std::string(u8"δείγμα κειμένου"), std::string(u8"טקסט לדוגמה")}, std::u16string(u"示例文本/サンプルテキスト/δείγμα κειμένου/טקסט לדוגמה"), std::u16string(u"示例文本\\サンプルテキスト\\δείγμα κειμένου\\טקסט לדוגמה")} // non-ASCII characters (chinese, japanese, greek, hebrew)
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+#ifdef _WIN32
+			std::u16string exp_native_str = itr->exp_win32_str;
+#else
+			std::u16string exp_native_str = itr->exp_posix_str;
+#endif
+
+			std::u16string native_str = itr->path;
+
+			if (native_str != exp_native_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF16ToUTF8(native_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF16ToUTF8(exp_native_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format("operator u16string() failed to format path as u16string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_u32string()
+{
+	fmt::print("[tc::io::Path] test_Operator_u32string : ");
+	try
+	{
+		struct Test
+		{
+			tc::io::Path path;
+			std::u32string exp_posix_str;
+			std::u32string exp_win32_str;
+		};
+		std::vector<Test> tests {
+			{{}, U"", U""}, // empty path
+			{{""}, U"/", U""}, // POSIX root path
+			{{"C:"}, U"C:", U"C:\\"}, // windows root path
+			{{"data:"}, U"data:", U"data:"}, // this is a counter test to test the special case handling root paths in POSIX and Win32 formatting
+			{{"some", "relative", "path", "that", "has", "seven", "elements"}, U"some/relative/path/that/has/seven/elements", U"some\\relative\\path\\that\\has\\seven\\elements"}, // relative path
+			{{"a dir", "a subdir"}, U"a dir/a subdir", U"a dir\\a subdir"}, // shorter relative path with spaces
+			{{"", "usr", "bin", "bash"}, U"/usr/bin/bash", U"\\usr\\bin\\bash"}, // absoulute POSIX path
+			{{"C:", "Users", "TestUser", "Desktop", "hi.txt"}, U"C:/Users/TestUser/Desktop/hi.txt", U"C:\\Users\\TestUser\\Desktop\\hi.txt"}, // absoulute Win32 path
+			{{std::string(u8"示例文本"), std::string(u8"サンプルテキスト"), std::string(u8"δείγμα κειμένου"), std::string(u8"טקסט לדוגמה")}, std::u32string(U"示例文本/サンプルテキスト/δείγμα κειμένου/טקסט לדוגמה"), std::u32string(U"示例文本\\サンプルテキスト\\δείγμα κειμένου\\טקסט לדוגמה")} // non-ASCII characters (chinese, japanese, greek, hebrew)
+		};
+
+		for (auto itr = tests.begin(); itr != tests.end(); itr++)
+		{
+#ifdef _WIN32
+			std::u32string exp_native_str = itr->exp_win32_str;
+#else
+			std::u32string exp_native_str = itr->exp_posix_str;
+#endif
+
+			std::u32string native_str = itr->path;
+
+			if (native_str != exp_native_str)
+			{
+				std::string u8_path_str, u8_exp_path_str;
+				tc::string::TranscodeUtil::UTF32ToUTF8(native_str, u8_path_str);
+				tc::string::TranscodeUtil::UTF32ToUTF8(exp_native_str, u8_exp_path_str);
+				throw tc::Exception(fmt::format("operator u32string() failed to format path as u32string. (returned: \"{}\", expected: \"{}\")", u8_path_str, u8_exp_path_str));
+			}
+		}
+		
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_Addition()
+{
+	fmt::print("[tc::io::Path] test_Operator_Addition : ");
+	try
+	{
+		const std::string raw_path_a = "foo/bar/";
+		const std::string raw_path_b = "file.txt";
+		const std::string raw_path_ab = raw_path_a + raw_path_b;
+
+		tc::io::Path path_a(raw_path_a);
+		tc::io::Path path_b(raw_path_b);
+		tc::io::Path path_ab = path_a + path_b;
+
+		std::string test_path;
+		tc::io::PathUtil::pathToUnixUTF8(path_ab, test_path);
+
+		if (test_path != raw_path_ab)
+		{
+			throw tc::Exception("operator+() did not operate produce expected output");
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_Append()
+{
+	fmt::print("[tc::io::Path] test_Operator_Append : ");
+	try
+	{
+		const std::string raw_path_a = "foo/bar/";
+		const std::string raw_path_b = "file.txt";
+		const std::string raw_path_ab = raw_path_a + raw_path_b;
+
+		tc::io::Path path_a(raw_path_a);
+		tc::io::Path path_b(raw_path_b);
+		path_a += path_b;
+
+		std::string test_path;
+		tc::io::PathUtil::pathToUnixUTF8(path_a, test_path);
+
+		if (test_path != raw_path_ab)
+		{
+			throw tc::Exception("operator+() did not operate produce expected output");
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Scenario_AppendStressTest()
+{
+	fmt::print("[tc::io::Path] test_Scenario_AppendStressTest : ");
+	try
+	{
+		const std::string raw_dir_path = "foo/bar/";
+		const std::string raw_file_path = "file.txt";
+		size_t append_itteration_count = 1000;
+		size_t expected_element_count = (append_itteration_count * 2) + 1;
+	
+		tc::io::Path path;
+		tc::io::Path path_dir(raw_dir_path);
+
+		for (size_t i = 0; i < append_itteration_count; i++)
+			path += path_dir;
+
+		path += tc::io::Path(raw_file_path);
+
+		if (path.size() != expected_element_count)
+		{
+			throw tc::Exception("unexpected number of path elements");
+		}
+
+		if (path.empty() != (expected_element_count == 0))
+		{
+			throw tc::Exception("Path did not have expected element count (empty() returned unexpected value.)");
+		}
+
+		tc::io::Path::const_iterator itr = path.end();
+		if (*(--itr) != "file.txt")
+		{
+			throw tc::Exception("Unexpected value for tested path element");
+		}
+
+		if (*(--itr) != "bar")
+		{
+			throw tc::Exception("Unexpected value for tested path element");
+		}
+
+		if (*(--itr) != "foo")
+		{
+			throw tc::Exception("Unexpected value for tested path element");
+		}
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_EqualityTest()
+{
+	fmt::print("[tc::io::Path] test_Operator_EqualityTest : ");
+	try
+	{
+		std::string raw_path_0 = "a directory/a subdirectory";
+
+		tc::io::Path path_a(raw_path_0);
+		tc::io::Path path_b(raw_path_0);
+
+		if ((path_a == path_b) == false)
+			throw tc::Exception("operator==() did not return true for equal Path objects");
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_InequalityTest()
+{
+	fmt::print("[tc::io::Path] test_Operator_InequalityTest : ");
+	try
+	{
+		std::string raw_path_0 = "a directory/a subdirectory";
+		std::string raw_path_1 = "a different directory/a different subdirectory";
+		tc::io::Path path_a(raw_path_0);
+		tc::io::Path path_b(raw_path_1);
+
+		if ((path_a != path_b) == false)
+			throw tc::Exception("operator!=() did not return true for unequal Path objects");
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
+
+void io_Path_TestClass::test_Operator_LessThanTest()
+{
+	fmt::print("[tc::io::Path] test_Operator_LessThanTest : ");
+	try
+	{
+		std::string raw_path_a = "/a/path/to/check/";
+		std::string raw_path_b = "/a/path/to/check/that/is/longer";
+		std::string raw_path_c = "/a/path/";
+		std::string raw_path_d = "/very/different/path/";
+		tc::io::Path path_a(raw_path_a);
+		tc::io::Path path_a_duplicate(raw_path_a);
+		tc::io::Path path_b(raw_path_b);
+		tc::io::Path path_c(raw_path_c);
+		tc::io::Path path_d(raw_path_d);
+
+		// /a/path/to/check/ is not less than a copy of itself
+		if ((path_a < path_a_duplicate) != false)
+		{
+			throw tc::Exception("operator<() returned true for equal Path objects");
+		}
+
+		// /a/path/to/check/ is less than /a/path/to/check/that/is/longer
+		if ((path_a < path_b) != true)
+		{
+			throw tc::Exception("operator<() returned false for Path objects where (" + raw_path_a + ") < (" + raw_path_b + ")");
+		}
+
+		// /a/path/to/check/ is not less than /a/path/
+		if ((path_a < path_c) != false)
+		{
+			throw tc::Exception("operator<() returned true for Path objects where (" + raw_path_a + ") < (" + raw_path_c + ")");
+		}
+
+		// /a/path/to/check/ is less than /very/different/path/
+		if ((path_a < path_d) != true)
+		{
+			throw tc::Exception("operator<() returned false for Path objects where (" + raw_path_a + ") < (" + raw_path_d + ")");
+		}
+
+
+		fmt::print("PASS\n");
+	}
+	catch (const tc::Exception& e)
+	{
+		fmt::print("FAIL ({})\n", e.error());
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("FAIL UNEXPECTED ({})", e.what());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_Path_TestClass.h b/ctrtool/deps/libtoolchain/test/io_Path_TestClass.h
new file mode 100644
index 00000000..8d50217f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_Path_TestClass.h
@@ -0,0 +1,35 @@
+#pragma once
+#include "ITestClass.h"
+#include <tc/io.h>
+#include <tc/string.h>
+
+class io_Path_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_Constructor_Default();
+	void test_Constructor_InitializerList();
+	void test_Constructor_u8string();
+	void test_Constructor_u16string();
+	void test_Constructor_u32string();
+	void test_Method_pop_front();
+	void test_Method_pop_back();
+	void test_Method_push_front();
+	void test_Method_push_back();
+	void test_Method_clear();
+	void test_Method_substr_withPosLen();
+	void test_Method_substr_withIterator();
+	void test_Method_to_string();
+	void test_Method_to_u16string();
+	void test_Method_to_u32string();
+	void test_Operator_string();
+	void test_Operator_u16string();
+	void test_Operator_u32string();
+	void test_Operator_Addition();
+	void test_Operator_Append();
+	void test_Scenario_AppendStressTest();
+	void test_Operator_EqualityTest();
+	void test_Operator_InequalityTest();
+	void test_Operator_LessThanTest();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.cpp
new file mode 100644
index 00000000..d82d98ea
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.cpp
@@ -0,0 +1,307 @@
+#include <iostream>
+#include <sstream>
+
+#include "io_StreamSink_TestClass.h"
+#include "SinkTestUtil.h"
+#include "StreamTestUtil.h"
+
+#include <tc.h>
+
+void io_StreamSink_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::StreamSink] START" << std::endl;
+	testDefaultConstructor();
+	testCreateConstructor();
+	testCreateFromNullStream();
+	testCreateFromStreamWithoutSeek();
+	testCreateFromStreamWithoutRead();
+	testCreateFromStreamWithoutWrite();
+	testSetLengthOnDisposedBase();
+	testPushDataOnDisposedBase();
+	testPushDataOutsideOfBaseRange();
+	std::cout << "[tc::io::StreamSink] END" << std::endl;
+}
+
+void io_StreamSink_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::io::StreamSink] testDefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::StreamSink sink;
+
+			SinkTestUtil::testSinkLength(sink, 0);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testCreateConstructor()
+{
+	std::cout << "[tc::io::StreamSink] testCreateConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			size_t expected_data_len = 0x1000;
+			tc::ByteData expected_data(expected_data_len);
+			int64_t base_stream_len = 0x100000;
+			auto base_stream = std::shared_ptr<tc::io::MemoryStream>(new tc::io::MemoryStream(base_stream_len));	
+			tc::io::StreamSink sink = tc::io::StreamSink(base_stream);
+
+			// test
+			SinkTestUtil::testSinkLength(sink, base_stream->length());
+
+			memset(expected_data.data(), 0x5A, expected_data.size());
+			pushTestHelper(sink, base_stream, expected_data, 0);
+
+			memset(expected_data.data(), 0x08, expected_data.size());
+			pushTestHelper(sink, base_stream, expected_data, 0xcafe);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testCreateFromNullStream()
+{
+	std::cout << "[tc::io::StreamSink] testCreateFromNullStream : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			tc::io::StreamSink sink = tc::io::StreamSink(nullptr);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testCreateFromStreamWithoutSeek()
+{
+	std::cout << "[tc::io::StreamSink] testCreateFromStreamWithoutSeek : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			auto base_stream = StreamTestUtil::DummyStreamBase(0x1000, true, true, false, false, true);
+			tc::io::StreamSink sink = tc::io::StreamSink(std::make_shared<StreamTestUtil::DummyStreamBase>(base_stream));
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testCreateFromStreamWithoutRead()
+{
+	std::cout << "[tc::io::StreamSink] testCreateFromStreamWithoutRead : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			auto base_stream = StreamTestUtil::DummyStreamBase(0x1000, false, true, true, true, true);
+			tc::io::StreamSink sink = tc::io::StreamSink(std::make_shared<StreamTestUtil::DummyStreamBase>(base_stream));
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testCreateFromStreamWithoutWrite()
+{
+	std::cout << "[tc::io::StreamSink] testCreateFromStreamWithoutWrite : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			auto base_stream = StreamTestUtil::DummyStreamBase(0x1000, true, false, true, true, false);
+			tc::io::StreamSink sink = tc::io::StreamSink(std::make_shared<StreamTestUtil::DummyStreamBase>(base_stream));
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testSetLengthOnDisposedBase()
+{
+	std::cout << "[tc::io::StreamSink] testSetLengthOnDisposedBase : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			tc::io::StreamSink sink;
+
+			sink.setLength(0xdeadcafe);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testPushDataOnDisposedBase()
+{
+	std::cout << "[tc::io::StreamSink] testPushDataOnDisposedBase : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			tc::io::StreamSink sink;
+
+			sink.pushData(tc::ByteData(0xff), 0);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::testPushDataOutsideOfBaseRange()
+{
+	std::cout << "[tc::io::StreamSink] testPushDataOutsideOfBaseRange : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			size_t data_len = 0x1000;
+			tc::ByteData data(data_len);
+			int64_t base_stream_len = 0x100000;
+			auto base_stream = std::shared_ptr<tc::io::MemoryStream>(new tc::io::MemoryStream(base_stream_len));	
+			tc::io::StreamSink sink = tc::io::StreamSink(base_stream);
+
+			// test
+			SinkTestUtil::testSinkLength(sink, base_stream->length());
+
+			memset(data.data(), 0x08, data.size());
+			pushTestHelper(sink, base_stream, data, base_stream_len);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSink_TestClass::pushTestHelper(tc::io::ISink& sink, const std::shared_ptr<tc::io::IStream>& base_stream, tc::ByteData& expected_data, int64_t push_offset)
+{
+	std::stringstream error_ss;
+
+	// push data
+	size_t push_ret = sink.pushData(expected_data, push_offset);
+	if (push_ret != expected_data.size())
+	{
+		error_ss << "pushData(offset: " << push_offset << ") returned: " << push_ret << ", when it should have been " << expected_data.size();
+		throw tc::Exception(error_ss.str());
+	}	
+
+	// setup memory for reading result of push
+	tc::ByteData output_data(expected_data.size());
+
+	int64_t position_ret = base_stream->position();
+	int64_t expected_position = push_offset + expected_data.size();
+	if (position_ret != expected_position)
+	{
+		error_ss << "pushData(offset: " << push_offset << ") failed to write enough bytes, position(): " << position_ret << ", when it should have been " << expected_position;
+		throw tc::Exception(error_ss.str());
+	}	
+
+	int64_t seek_ret = base_stream->seek(push_offset, tc::io::SeekOrigin::Begin);
+	if (seek_ret != push_offset)
+	{
+		error_ss << "internal test method to adjust base_stream position failed. seek(offset:" << push_offset << ", origin: Begin): " << seek_ret << ", when it should have been " << push_offset;
+		throw tc::Exception(error_ss.str());
+	}
+	
+	size_t read_ret = base_stream->read(output_data.data(), output_data.size());
+	if (read_ret != expected_data.size())
+	{
+		error_ss << "internal test method to read from base_stream failed. read(size: " << expected_data.size() << "): " << read_ret << ", when it should have been " << expected_data.size();
+		throw tc::Exception(error_ss.str());
+	}
+
+	if (memcmp(expected_data.data(), output_data.data(), expected_data.size()) != 0)
+	{
+		error_ss << "pushData(offset: " << push_offset << ") did not write data to base_stream as expected";
+		throw tc::Exception(error_ss.str());
+	}
+
+
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.h b/ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.h
new file mode 100644
index 00000000..08fc10b0
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_StreamSink_TestClass.h
@@ -0,0 +1,23 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io/ISink.h>
+#include <tc/io/IStream.h>
+
+class io_StreamSink_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testCreateConstructor();
+	void testCreateFromNullStream();
+	void testCreateFromStreamWithoutSeek();
+	void testCreateFromStreamWithoutRead();
+	void testCreateFromStreamWithoutWrite();
+	void testSetLengthOnDisposedBase();
+	void testPushDataOnDisposedBase();
+	void testPushDataOutsideOfBaseRange();
+
+	void pushTestHelper(tc::io::ISink& sink, const std::shared_ptr<tc::io::IStream>& base_stream, tc::ByteData& expected_data, int64_t push_offset);
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.cpp
new file mode 100644
index 00000000..797f4057
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.cpp
@@ -0,0 +1,206 @@
+#include <iostream>
+
+#include "io_StreamSource_TestClass.h"
+#include "SourceTestUtil.h"
+#include "StreamTestUtil.h"
+
+#include <tc.h>
+
+void io_StreamSource_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::StreamSource] START" << std::endl;
+	testDefaultConstructor();
+	testCreateConstructor();
+	testCreateFromStreamWithoutSeek();
+	testCreateFromStreamWithoutRead();
+	testCreateFromStreamWithoutWrite();
+	testNegativeOffset();
+	testTooLargeOffset();
+	std::cout << "[tc::io::StreamSource] END" << std::endl;
+}
+
+void io_StreamSource_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::io::StreamSource] testDefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::StreamSource source;
+
+			SourceTestUtil::testSourceLength(source, 0);
+			SourceTestUtil::pullTestHelper(source, 0, 0xdead, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSource_TestClass::testCreateConstructor()
+{
+	std::cout << "[tc::io::StreamSource] testCreateConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			size_t expected_len = 0x1000;
+			tc::ByteData expected_data(expected_len);
+			memset(expected_data.data(), 0x5A, expected_data.size());
+			tc::io::MemoryStream base_stream = tc::io::MemoryStream(expected_data);	
+			tc::io::StreamSource source = tc::io::StreamSource(std::make_shared<tc::io::MemoryStream>(base_stream));
+
+			// test
+			SourceTestUtil::testSourceLength(source, expected_len);
+			SourceTestUtil::pullTestHelper(source, 0, expected_data.size(), expected_data.size(), expected_data.data());
+			SourceTestUtil::pullTestHelper(source, 0, expected_data.size()*2, expected_data.size(), expected_data.data());
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSource_TestClass::testCreateFromStreamWithoutSeek()
+{
+	std::cout << "[tc::io::StreamSource] testCreateFromStreamWithoutSeek : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			tc::io::StreamSource source = tc::io::StreamSource(std::shared_ptr<StreamTestUtil::DummyStreamBase>(new StreamTestUtil::DummyStreamBase(0x1000, true, true, false, true, true)));
+
+			std::cout << "FAIL" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSource_TestClass::testCreateFromStreamWithoutRead()
+{
+	std::cout << "[tc::io::StreamSource] testCreateFromStreamWithoutRead : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			tc::io::StreamSource source = tc::io::StreamSource(std::shared_ptr<StreamTestUtil::DummyStreamBase>(new StreamTestUtil::DummyStreamBase(0x1000, false, true, true, false, true)));
+
+			std::cout << "FAIL" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSource_TestClass::testCreateFromStreamWithoutWrite()
+{
+	std::cout << "[tc::io::StreamSource] testCreateFromStreamWithoutWrite : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			tc::io::StreamSource source = tc::io::StreamSource(std::shared_ptr<StreamTestUtil::DummyStreamBase>(new StreamTestUtil::DummyStreamBase(0x1000, true, false, true, false, true)));
+
+			std::cout << "PASS" << std::endl;	
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSource_TestClass::testNegativeOffset()
+{
+	std::cout << "[tc::io::StreamSource] testNegativeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			size_t expected_len = 0x1000;
+			tc::ByteData expected_data(expected_len);
+			memset(expected_data.data(), 0x5A, expected_data.size());
+			tc::io::MemoryStream base_stream = tc::io::MemoryStream(expected_data);	
+			tc::io::StreamSource source = tc::io::StreamSource(std::make_shared<tc::io::MemoryStream>(base_stream));
+
+			// test
+			SourceTestUtil::testSourceLength(source, expected_len);
+			SourceTestUtil::pullTestHelper(source, -10, 20, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_StreamSource_TestClass::testTooLargeOffset()
+{
+	std::cout << "[tc::io::StreamSource] testTooLargeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			size_t expected_len = 0x1000;
+			tc::ByteData expected_data(expected_len);
+			memset(expected_data.data(), 0x5A, expected_data.size());
+			tc::io::MemoryStream base_stream = tc::io::MemoryStream(expected_data);	
+			tc::io::StreamSource source = tc::io::StreamSource(std::make_shared<tc::io::MemoryStream>(base_stream));
+
+			// test
+			SourceTestUtil::testSourceLength(source, expected_len);
+			SourceTestUtil::pullTestHelper(source, expected_len * 2, 20, 0, nullptr);
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.h b/ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.h
new file mode 100644
index 00000000..018a8d11
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_StreamSource_TestClass.h
@@ -0,0 +1,16 @@
+#pragma once
+#include "ITestClass.h"
+
+class io_StreamSource_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testCreateConstructor();
+	void testCreateFromStreamWithoutSeek();
+	void testCreateFromStreamWithoutRead();
+	void testCreateFromStreamWithoutWrite();
+	void testNegativeOffset();
+	void testTooLargeOffset();
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.cpp
new file mode 100644
index 00000000..cbd60a8f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.cpp
@@ -0,0 +1,736 @@
+#include <tc/Exception.h>
+#include <iostream>
+
+#include "io_SubFileSystem_TestClass.h"
+#include "FileSystemTestUtil.h"
+#include "StreamTestUtil.h"
+
+void io_SubFileSystem_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::SubFileSystem] START" << std::endl;
+	testBaseFileSystemRetainsWorkingDirectory();
+	testGetSetWorkingDirectory();
+	testCreateFile();
+	testOpenFile();
+	testRemoveFile();
+	testCreateDirectory();
+	testRemoveDirectory();
+	testGetDirectoryListing();
+	testNavigateUpSubFileSystemEscape();
+	testOpenFileOutsideSubFileSystem();
+	std::cout << "[tc::io::SubFileSystem] END" << std::endl;
+}
+
+void io_SubFileSystem_TestClass::testBaseFileSystemRetainsWorkingDirectory()
+{
+	std::cout << "[tc::io::SubFileSystem] testBaseFileSystemRetainsWorkingDirectory : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem()
+			{
+			}
+		};
+		
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem();
+
+		// test sub filesystem creation & test base working directory is maintained after SubFileSystem constructor
+		try
+		{
+			// save a copy of the base filesystem working directory
+			tc::io::Path base_initial_working_dir_path;
+			filesystem.getWorkingDirectory(base_initial_working_dir_path);
+
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// check the sub filesystem preserved the base filesystem working directory after the constructor
+			tc::io::Path base_current_working_dir_path;
+			filesystem.getWorkingDirectory(base_current_working_dir_path);
+			if (base_initial_working_dir_path != base_current_working_dir_path)
+			{
+				throw tc::Exception("SubFileSystem constructor did not preserve the base file system working directory.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+	
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubFileSystem_TestClass::testGetSetWorkingDirectory()
+{
+	std::cout << "[tc::io::SubFileSystem] testGetSetWorkingDirectory : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem()
+			{
+			}
+		};
+		
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem();
+
+		// test sub filesystem creation & test base working directory is maintained after SubFileSystem constructor
+		try
+		{
+			// save a copy of the base filesystem working directory
+			tc::io::Path base_initial_working_dir_path;
+			filesystem.getWorkingDirectory(base_initial_working_dir_path);
+
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// check the sub filesystem preserved the base filesystem working directory after get/set the working directory
+
+			// test 1a) is the initial working directory for sub filesystem root?
+			{
+				tc::io::Path sub_current_working_dir_path;
+				sub_filesystem.getWorkingDirectory(sub_current_working_dir_path);
+				if (sub_current_working_dir_path != tc::io::Path("/"))
+				{
+					throw tc::Exception("SubFileSystem initial working directory was not root.");
+				}
+			}
+			
+
+			// test 1b) is the base filesystem working directory unchanged after using SubFileSystem::getWorkingDirectory()?
+			{
+				tc::io::Path base_current_working_dir_path;
+				filesystem.getWorkingDirectory(base_current_working_dir_path);
+				if (base_initial_working_dir_path != base_current_working_dir_path)
+				{
+					throw tc::Exception("SubFileSystem getWorkingDirectory did not preserve the base file system working directory.");
+				}
+			}
+
+			// test 2a) can the sub filesystem change its working directory?
+			tc::io::Path sub_test_path = tc::io::Path("/a/path/to/change/to");
+			{
+				sub_filesystem.setWorkingDirectory(sub_test_path);
+
+				tc::io::Path sub_current_working_dir_path;
+				sub_filesystem.getWorkingDirectory(sub_current_working_dir_path);
+
+				if (sub_current_working_dir_path != sub_test_path)
+				{
+					throw tc::Exception("SubFileSystem setWorkingDirectory() failed to set working directory as getWorkingDirectory() returned unexpected path.");
+				}
+			}
+
+			// test 2b) is the base filesystem working directory unchanged after using SubFileSystem::setWorkingDirectory()?
+			{
+				tc::io::Path base_current_working_dir_path;
+				filesystem.getWorkingDirectory(base_current_working_dir_path);
+				if (base_initial_working_dir_path != base_current_working_dir_path)
+				{
+					throw tc::Exception("SubFileSystem getWorkingDirectory did not preserve the base file system working directory.");
+				}
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+
+	
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubFileSystem_TestClass::testCreateFile()
+{
+	std::cout << "[tc::io::SubFileSystem] testCreateFile : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem(const tc::io::Path& expected_subfs_base) :
+				mExpectedSubfsBasePath(expected_subfs_base)
+			{
+				getWorkingDirectory(mInitialWorkingDirectoryPath);
+			}
+
+			void createFile(const tc::io::Path& path)
+			{
+				// validate base working directory was preserved
+				tc::io::Path cur_dir;
+				getWorkingDirectory(cur_dir);
+
+				if (cur_dir != mInitialWorkingDirectoryPath)
+				{
+					throw tc::Exception("DummyFileSystem", "Working directory was not preserved by SubFileSystem.");
+				}
+
+				// check input was correct
+				if (path != mExpectedSubfsBasePath + tc::io::Path("a_dir/testfile"))
+				{
+					throw tc::Exception("DummyFileSystem", "file had incorrect path");
+				}
+			}
+		private:
+			tc::io::Path mInitialWorkingDirectoryPath;
+			tc::io::Path mExpectedSubfsBasePath;
+		};
+
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem(subfilesystem_base_path);
+
+		// test sub filesystem creation & test translation of input to base filesystem
+		try
+		{
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// attempt to create file
+			sub_filesystem.createFile(tc::io::Path("/a_dir/testfile"));
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubFileSystem_TestClass::testOpenFile()
+{
+	std::cout << "[tc::io::SubFileSystem] testOpenFile : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem(const tc::io::Path& expected_subfs_base) :
+				mExpectedSubfsBasePath(expected_subfs_base)
+			{
+				getWorkingDirectory(mInitialWorkingDirectoryPath);
+			}
+
+			void openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream)
+			{
+				// validate base working directory was preserved
+				tc::io::Path cur_dir;
+				getWorkingDirectory(cur_dir);
+
+				if (cur_dir != mInitialWorkingDirectoryPath)
+				{
+					throw tc::Exception("DummyFileSystem", "Working directory was not preserved by SubFileSystem.");
+				}
+				
+				// check input was correct
+				if (mode != tc::io::FileMode::Open || access != tc::io::FileAccess::Read)
+				{
+					throw tc::Exception("DummyFileSystem", "file had incorrect access permissions");
+				}
+				if (path != mExpectedSubfsBasePath + tc::io::Path("a_dir/testfile"))
+				{
+					throw tc::Exception("DummyFileSystem", "file had incorrect path");
+				}
+
+				// popualate file stream pointer
+				stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xdeadbeef));
+			}
+		private:
+			tc::io::Path mInitialWorkingDirectoryPath;
+			tc::io::Path mExpectedSubfsBasePath;
+		};
+
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem(subfilesystem_base_path);
+
+		// test sub filesystem creation & test translation of input/output to/from base filesystem
+		try
+		{
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// attempt to open file
+			std::shared_ptr<tc::io::IStream> file;
+			sub_filesystem.openFile(tc::io::Path("/a_dir/testfile"), tc::io::FileMode::Open, tc::io::FileAccess::Read, file);
+
+			// check file was opened and correct
+			if (file == nullptr)
+			{
+				throw tc::Exception("openFile() did not populate stream pointer");
+			}
+			if (file->length() != 0xdeadbeef)
+			{
+				throw tc::Exception("openFile() did not populate stream pointer correctly");
+			}
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubFileSystem_TestClass::testRemoveFile()
+{
+	std::cout << "[tc::io::SubFileSystem] testRemoveFile : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem(const tc::io::Path& expected_subfs_base) :
+				mExpectedSubfsBasePath(expected_subfs_base)
+			{
+				getWorkingDirectory(mInitialWorkingDirectoryPath);
+			}
+
+			void removeFile(const tc::io::Path& path)
+			{
+				// validate base working directory was preserved
+				tc::io::Path cur_dir;
+				getWorkingDirectory(cur_dir);
+
+				if (cur_dir != mInitialWorkingDirectoryPath)
+				{
+					throw tc::Exception("DummyFileSystem", "Working directory was not preserved by SubFileSystem.");
+				}
+
+				// check input was correct
+				if (path != mExpectedSubfsBasePath + tc::io::Path("a_dir/testfile"))
+				{
+					throw tc::Exception("DummyFileSystem", "file had incorrect path");
+				}
+			}
+		private:
+			tc::io::Path mInitialWorkingDirectoryPath;
+			tc::io::Path mExpectedSubfsBasePath;
+		};
+	
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem(subfilesystem_base_path);
+
+		// test sub filesystem creation & test translation of input to base filesystem
+		try
+		{
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// attempt to delete file
+			sub_filesystem.removeFile(tc::io::Path("/a_dir/testfile"));
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+
+void io_SubFileSystem_TestClass::testCreateDirectory()
+{
+	std::cout << "[tc::io::SubFileSystem] testCreateDirectory : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem(const tc::io::Path& expected_subfs_base) :
+				mExpectedSubfsBasePath(expected_subfs_base)
+			{
+				getWorkingDirectory(mInitialWorkingDirectoryPath);
+			}
+
+			void createDirectory(const tc::io::Path& path)
+			{
+				// validate base working directory was preserved
+				tc::io::Path cur_dir;
+				getWorkingDirectory(cur_dir);
+
+				if (cur_dir != mInitialWorkingDirectoryPath)
+				{
+					throw tc::Exception("DummyFileSystem", "Working directory was not preserved by SubFileSystem.");
+				}
+
+				// check input was correct
+				if (path != mExpectedSubfsBasePath + tc::io::Path("a_dir/testdir/hey"))
+				{
+					throw tc::Exception("DummyFileSystem", "dir had incorrect path");
+				}
+			}
+		private:
+			tc::io::Path mInitialWorkingDirectoryPath;
+			tc::io::Path mExpectedSubfsBasePath;
+		};
+	
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem(subfilesystem_base_path);
+
+		// test sub filesystem creation & test translation of input to base filesystem
+		try
+		{
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// attempt to create directory
+			sub_filesystem.createDirectory(tc::io::Path("/a_dir/testdir/hey"));
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubFileSystem_TestClass::testRemoveDirectory()
+{
+	std::cout << "[tc::io::SubFileSystem] testRemoveDirectory : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem(const tc::io::Path& expected_subfs_base) :
+				mExpectedSubfsBasePath(expected_subfs_base)
+			{
+				getWorkingDirectory(mInitialWorkingDirectoryPath);
+			}
+
+			void removeDirectory(const tc::io::Path& path)
+			{
+				// validate base working directory was preserved
+				tc::io::Path cur_dir;
+				getWorkingDirectory(cur_dir);
+
+				if (cur_dir != mInitialWorkingDirectoryPath)
+				{
+					throw tc::Exception("DummyFileSystem", "Working directory was not preserved by SubFileSystem.");
+				}
+
+				// check input was correct
+				if (path != mExpectedSubfsBasePath + tc::io::Path("a_dir/testdir/hey"))
+				{
+					throw tc::Exception("DummyFileSystem", "dir had incorrect path");
+				}
+			}
+		private:
+			tc::io::Path mInitialWorkingDirectoryPath;
+			tc::io::Path mExpectedSubfsBasePath;
+		};
+	
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem(subfilesystem_base_path);
+
+		// test sub filesystem creation & test translation of input to base filesystem
+		try
+		{
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// attempt to remove directory
+			sub_filesystem.removeDirectory(tc::io::Path("/a_dir/testdir/hey"));
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubFileSystem_TestClass::testGetDirectoryListing()
+{
+	std::cout << "[tc::io::SubFileSystem] testGetDirectoryListing : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem(const tc::io::Path& expected_subfs_base) :
+				mExpectedSubfsBasePath(expected_subfs_base)
+			{
+				getWorkingDirectory(mInitialWorkingDirectoryPath);
+			}
+
+			void getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& dir_info)
+			{
+				// validate base working directory was preserved
+				tc::io::Path cur_dir;
+				getWorkingDirectory(cur_dir);
+
+				if (cur_dir != mInitialWorkingDirectoryPath)
+				{
+					throw tc::Exception("DummyFileSystem", "Working directory was not preserved by SubFileSystem.");
+				}
+
+				// check input was correct
+				if (path != mExpectedSubfsBasePath + tc::io::Path("a_dir/testdir/hey"))
+				{
+					throw tc::Exception("DummyFileSystem", "dir had incorrect path");
+				}
+
+				dir_info.abs_path = path;
+				dir_info.dir_list = std::vector<std::string>({ "dir0", "dir1", "dir2" });
+				dir_info.file_list = std::vector<std::string>({ "file0", "file1" });
+			}
+		private:
+			tc::io::Path mInitialWorkingDirectoryPath;
+			tc::io::Path mExpectedSubfsBasePath;
+		};
+	
+		// define sub filesystem base path
+		tc::io::Path subfilesystem_base_path = tc::io::Path("/home/jakcron/source/LibToolChain/testdir");
+
+		// define base filesystem
+		DummyFileSystem filesystem = DummyFileSystem(subfilesystem_base_path);
+
+		// test sub filesystem creation & test translation of input to base filesystem
+		try
+		{
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), subfilesystem_base_path);
+
+			// save sub filesystem dir info
+			tc::io::sDirectoryListing sb_dir_info;
+			sub_filesystem.getDirectoryListing(tc::io::Path("/a_dir/testdir/hey"), sb_dir_info);
+
+			// save real dir info
+			tc::io::sDirectoryListing real_dir_info;
+			filesystem.getDirectoryListing(subfilesystem_base_path + tc::io::Path("a_dir/testdir/hey"), real_dir_info);
+
+			if (sb_dir_info.file_list != real_dir_info.file_list)
+			{
+				throw tc::Exception("DummyFileSystem", "File list was not as expected");
+			}
+
+			if (sb_dir_info.dir_list != real_dir_info.dir_list)
+			{
+				throw tc::Exception("DummyFileSystem", "Directory list was not as expected");
+			}
+
+			tc::io::Path fixed_sub_filesystem_path;
+			for (tc::io::Path::const_iterator itr = sb_dir_info.abs_path.begin(); itr != sb_dir_info.abs_path.end(); itr++)
+			{
+				if (*itr == "" && itr == sb_dir_info.abs_path.begin())
+				{
+					continue;
+				}
+
+				fixed_sub_filesystem_path.push_back(*itr);
+			}
+
+			if ((subfilesystem_base_path + fixed_sub_filesystem_path) != real_dir_info.abs_path)
+			{
+				throw tc::Exception("DummyFileSystem", "Directory absolute path was not as expected");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+
+void io_SubFileSystem_TestClass::testNavigateUpSubFileSystemEscape()
+{
+	std::cout << "[tc::io::SubFileSystem] testNavigateUpSubFileSystemEscape : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem() :
+				mLastUsedPath(new tc::io::Path())
+			{
+			}
+
+			void getDirectoryListing(const tc::io::Path& path, tc::io::sDirectoryListing& dir_info)
+			{			
+				dir_info.abs_path = path;
+				*mLastUsedPath = path;
+			}
+
+			const tc::io::Path& getLastUsedPath()
+			{
+				return *mLastUsedPath;
+			}
+		private:
+			std::shared_ptr<tc::io::Path> mLastUsedPath;
+		};
+
+		DummyFileSystem filesystem;
+
+		// save the current directory
+		tc::io::Path dummyio_curdir = tc::io::Path("/home/jakcron/source/LibToolChain");
+
+		// define directory names
+		tc::io::Path testdir_path = tc::io::Path("testdir");
+		tc::io::Path sub_filesystem_relative_root = testdir_path + tc::io::Path("subfilesystem");
+
+		// test navigating outside of sub filesystem with ".." navigation
+		try
+		{
+			// get sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), dummyio_curdir + sub_filesystem_relative_root);
+
+			// get info about current directory
+			tc::io::sDirectoryListing dir_info;
+			sub_filesystem.getDirectoryListing(tc::io::Path("./../../../../../../../../../../../../../..///./././"), dir_info);
+			
+			if (dir_info.abs_path != tc::io::Path("/"))
+			{
+				throw tc::Exception("SubFileSystem directory path not as expected");
+			}
+
+			if (filesystem.getLastUsedPath() != dummyio_curdir + sub_filesystem_relative_root)
+			{
+				throw tc::Exception("Real directory path not as expected");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubFileSystem_TestClass::testOpenFileOutsideSubFileSystem()
+{
+	std::cout << "[tc::io::SubFileSystem] testOpenFileOutsideSubFileSystem : " << std::flush;
+	try
+	{
+		class DummyFileSystem : public FileSystemTestUtil::DummyFileSystemBase
+		{
+		public:
+			DummyFileSystem()
+			{
+			}
+
+			void openFile(const tc::io::Path& path, tc::io::FileMode mode, tc::io::FileAccess access, std::shared_ptr<tc::io::IStream>& stream)
+			{
+				tc::io::Path mCurDir;
+				getWorkingDirectory(mCurDir);
+				if (mode != tc::io::FileMode::Open || access != tc::io::FileAccess::Read)
+				{
+					throw tc::Exception("DummyFileSystem", "file had incorrect access mode");
+				}
+				if (path == tc::io::Path("/home/jakcron/source/LibToolChain/testdir/inaccessible_file0"))
+				{
+					throw tc::Exception("DummyFileSystem", "escaped sub filesystem");
+				}
+				if (path != tc::io::Path("/home/jakcron/source/LibToolChain/testdir/subfilesystem/inaccessible_file0"))
+				{
+					throw tc::Exception("DummyFileSystem", "sub filesystem path was not as expected");
+				}
+			}
+		};
+
+		DummyFileSystem filesystem;
+
+		// save the current directory
+		tc::io::Path dummyio_curdir = tc::io::Path("/home/jakcron/source/LibToolChain");
+
+		// define directory names
+		tc::io::Path testdir_path = tc::io::Path("testdir");
+		tc::io::Path sub_filesystem_relative_root = testdir_path + tc::io::Path("subfilesystem");
+
+		// test accessing file outside of sub filesystem
+		try {
+			// create sub filesystem
+			tc::io::SubFileSystem sub_filesystem(std::make_shared<DummyFileSystem>(filesystem), dummyio_curdir + sub_filesystem_relative_root);
+			  
+			// try to open the file just outside the sub filesystem
+			sub_filesystem.setWorkingDirectory(tc::io::Path("/"));
+			std::shared_ptr<tc::io::IStream> inaccessible_file;
+			sub_filesystem.openFile(tc::io::Path("../inaccessible_file0"), tc::io::FileMode::Open, tc::io::FileAccess::Read, inaccessible_file);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.h b/ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.h
new file mode 100644
index 00000000..a6e8813c
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubFileSystem_TestClass.h
@@ -0,0 +1,19 @@
+#pragma once
+#include "ITestClass.h"
+
+class io_SubFileSystem_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testBaseFileSystemRetainsWorkingDirectory();
+	void testGetSetWorkingDirectory();
+	void testCreateFile();
+	void testOpenFile();
+	void testRemoveFile();
+	void testCreateDirectory();
+	void testRemoveDirectory();
+	void testGetDirectoryListing();
+	void testNavigateUpSubFileSystemEscape();
+	void testOpenFileOutsideSubFileSystem();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.cpp
new file mode 100644
index 00000000..073fc2a8
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.cpp
@@ -0,0 +1,352 @@
+#include <iostream>
+
+#include "io_SubSink_TestClass.h"
+#include "SinkTestUtil.h"
+
+#include <tc.h>
+#include <tc/io/IOUtil.h>
+#include <sstream>
+#include <iomanip>
+
+void io_SubSink_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::SubSink] START" << std::endl;
+	testDefaultConstructor();
+	testCreateConstructor();
+	testCreateFromNullBase();
+	testCreateWithNegativeSubSinkOffset();
+	testCreateWithNegativeSubSinkLength();
+	testCreateWithExcessiveSubSink();
+	testCreateThenSetLength();
+	testSetLengthOnDisposedBase();
+	testPushDataOnDisposedBase();
+	testPushDataOutsideOfBaseRange();
+	std::cout << "[tc::io::SubSink] END" << std::endl;
+}
+
+void io_SubSink_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::io::SubSink] testDefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::SubSink sink;
+
+			SinkTestUtil::testSinkLength(sink, 0);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testCreateConstructor()
+{
+	std::cout << "[tc::io::SubSink] testCreateConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			// create data to push
+			auto data = tc::ByteData(0x100);
+
+			// create base sink
+			auto base_sink = std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>(new SinkTestUtil::DummySinkTestablePushData());
+			base_sink->setLength(0x10000);
+
+			// create sub sink
+			int64_t sub_sink_offset = 0xcafe;
+			int64_t sub_sink_size = 0x1000;
+			auto sub_sink = tc::io::SubSink(base_sink, sub_sink_offset, sub_sink_size);
+
+			// test
+			SinkTestUtil::testSinkLength(sub_sink, sub_sink_size);
+
+			memset(data.data(), 0x33, data.size());
+			pushDataTestHelper(sub_sink, base_sink, sub_sink_offset, 0, data, data);
+			
+			memset(data.data(), 0xea, data.size());
+			pushDataTestHelper(sub_sink, base_sink, sub_sink_offset, 0x200, data, data);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testCreateFromNullBase()
+{
+	std::cout << "[tc::io::SubSink] testCreateFromNullBase : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			auto sub_sink = tc::io::SubSink(nullptr, 0, 0);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testCreateWithNegativeSubSinkOffset()
+{
+	std::cout << "[tc::io::SubSink] testCreateWithNegativeSubSinkOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			// create data to push
+			auto data = tc::ByteData(0x100);
+
+			// create base sink
+			auto base_sink = std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>(new SinkTestUtil::DummySinkTestablePushData());
+			base_sink->setLength(0x10000);
+
+			// create sub sink
+			int64_t sub_sink_offset = -1;
+			int64_t sub_sink_size = 0x1000;
+			auto sub_sink = tc::io::SubSink(base_sink, sub_sink_offset, sub_sink_size);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testCreateWithNegativeSubSinkLength()
+{
+	std::cout << "[tc::io::SubSink] testCreateWithNegativeSubSinkLength : " << std::flush;
+	try
+	{
+		try
+		{
+			// create data to push
+			auto data = tc::ByteData(0x100);
+
+			// create base sink
+			auto base_sink = std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>(new SinkTestUtil::DummySinkTestablePushData());
+			base_sink->setLength(0x10000);
+
+			// create sub sink
+			int64_t sub_sink_offset = 0x200;
+			int64_t sub_sink_size = -1;
+			auto sub_sink = tc::io::SubSink(base_sink, sub_sink_offset, sub_sink_size);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testCreateWithExcessiveSubSink()
+{
+	std::cout << "[tc::io::SubSink] testCreateWithExcessiveSubSink : " << std::flush;
+	try
+	{
+		try
+		{
+			// create data to push
+			auto data = tc::ByteData(0x100);
+
+			// create base sink
+			auto base_sink = std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>(new SinkTestUtil::DummySinkTestablePushData());
+			base_sink->setLength(0x10000);
+
+			// create sub sink
+			int64_t sub_sink_offset = base_sink->length() - 1;
+			int64_t sub_sink_size = 2;
+			auto sub_sink = tc::io::SubSink(base_sink, sub_sink_offset, sub_sink_size);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testCreateThenSetLength()
+{
+	std::cout << "[tc::io::SubSink] testCreateThenSetLength : " << std::flush;
+	try
+	{
+		try
+		{
+			// create data to push
+			auto data = tc::ByteData(0x100);
+
+			// create base sink
+			auto base_sink = std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>(new SinkTestUtil::DummySinkTestablePushData());
+			base_sink->setLength(0x10000);
+
+			// create sub sink
+			int64_t sub_sink_offset = 0xcafe;
+			int64_t sub_sink_size = 0x1000;
+			auto sub_sink = tc::io::SubSink(base_sink, sub_sink_offset, sub_sink_size);
+
+			// test
+			int64_t new_length = 0xdeadcafe;
+			sub_sink.setLength(new_length);
+
+			SinkTestUtil::testSinkLength(sub_sink, new_length);
+			
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testSetLengthOnDisposedBase()
+{
+	std::cout << "[tc::io::SubSink] testSetLengthOnDisposedBase : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			tc::io::SubSink sink;
+
+			sink.setLength(0xdeadcafe);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testPushDataOnDisposedBase()
+{
+	std::cout << "[tc::io::SubSink] testPushDataOnDisposedBase : " << std::flush;
+	try
+	{
+		try
+		{
+			// create sink
+			tc::io::SubSink sink;
+
+			sink.pushData(tc::ByteData(0xff), 0);
+
+			std::cout << "FAIL" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "PASS (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::testPushDataOutsideOfBaseRange()
+{
+	std::cout << "[tc::io::SubSink] testPushDataOutsideOfBaseRange : " << std::flush;
+	try
+	{
+		try
+		{
+			// create base sink
+			auto base_sink = std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>(new SinkTestUtil::DummySinkTestablePushData());
+			base_sink->setLength(0x10000);
+
+			// create sub sink
+			int64_t sub_sink_offset = 0xcafe;
+			int64_t sub_sink_size = 0x1000;
+			auto sub_sink = tc::io::SubSink(base_sink, sub_sink_offset, sub_sink_size);
+
+			// test
+			SinkTestUtil::testSinkLength(sub_sink, sub_sink_size);
+
+			// create data to push
+			auto push_data = tc::ByteData(0x100);
+			memset(push_data.data(), 0x08, push_data.size());
+
+			// create data to expect
+			int64_t push_offset = sub_sink_size - 0x20;
+			auto expected_data = tc::ByteData(push_data.data(), tc::io::IOUtil::getWritableCount(sub_sink_size, push_offset, push_data.size()));
+
+			pushDataTestHelper(sub_sink, base_sink, sub_sink_offset, push_offset, push_data, expected_data);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSink_TestClass::pushDataTestHelper(tc::io::ISink& sub_sink, const std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>& base_sink, int64_t sub_base_offset, int64_t sub_push_offset, tc::ByteData& push_data, tc::ByteData& expected_data)
+{
+	base_sink->setExpectedPushDataCfg(expected_data, sub_base_offset + sub_push_offset);
+	size_t push_ret = sub_sink.pushData(push_data, sub_push_offset);
+	if (push_ret != expected_data.size())
+	{
+		std::stringstream error_ss;
+		error_ss << "pushData(offset: " << sub_push_offset << ") returned: " << push_ret << ", when it should have been " << expected_data.size();;
+		throw tc::Exception(error_ss.str());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.h b/ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.h
new file mode 100644
index 00000000..39c947f0
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubSink_TestClass.h
@@ -0,0 +1,24 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io/ISink.h>
+#include "SinkTestUtil.h"
+
+class io_SubSink_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testCreateConstructor();
+	void testCreateFromNullBase();
+	void testCreateWithNegativeSubSinkOffset();
+	void testCreateWithNegativeSubSinkLength();
+	void testCreateWithExcessiveSubSink();
+	void testCreateThenSetLength();
+	void testSetLengthOnDisposedBase();
+	void testPushDataOnDisposedBase();
+	void testPushDataOutsideOfBaseRange();
+
+	void pushDataTestHelper(tc::io::ISink& sub_sink, const std::shared_ptr<SinkTestUtil::DummySinkTestablePushData>& base_sink, int64_t sub_base_offset, int64_t sub_push_offset, tc::ByteData& push_data, tc::ByteData& expected_data);
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.cpp
new file mode 100644
index 00000000..58c227c6
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.cpp
@@ -0,0 +1,141 @@
+#include <iostream>
+
+#include "io_SubSource_TestClass.h"
+#include "SourceTestUtil.h"
+
+#include <tc.h>
+
+void io_SubSource_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::SubSource] START" << std::endl;
+	testDefaultConstructor();
+	testCreateConstructor();
+	testNegativeOffset();
+	testTooLargeOffset();
+	std::cout << "[tc::io::SubSource] END" << std::endl;
+}
+
+void io_SubSource_TestClass::testDefaultConstructor()
+{
+	std::cout << "[tc::io::SubSource] testDefaultConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			tc::io::SubSource source;
+
+			SourceTestUtil::testSourceLength(source, 0);
+			SourceTestUtil::pullTestHelper(source, 0, 0xdead, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSource_TestClass::testCreateConstructor()
+{
+	std::cout << "[tc::io::SubSource] testCreateConstructor : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			int64_t sub_offset = 0xc000;
+			int64_t sub_length = 0x1000;
+			tc::io::PaddingSource expected_subsource = tc::io::PaddingSource(0xff, 0x1000);
+			
+			tc::io::OverlayedSource base_source = tc::io::OverlayedSource(std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0, 0x10000)), std::make_shared<tc::io::PaddingSource>(expected_subsource), sub_offset, sub_length);
+			tc::io::SubSource source = tc::io::SubSource(std::make_shared<tc::io::OverlayedSource>(base_source), sub_offset, sub_length);
+
+			// create expected data
+			tc::ByteData expected_data = expected_subsource.pullData(0, expected_subsource.length());
+
+			// test source
+			SourceTestUtil::testSourceLength(source, sub_length);
+			SourceTestUtil::pullTestHelper(source, 0, sub_length, sub_length, expected_data.data());
+			SourceTestUtil::pullTestHelper(source, 0, sub_length*2, sub_length, expected_data.data());
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSource_TestClass::testNegativeOffset()
+{
+	std::cout << "[tc::io::SubSource] testNegativeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			int64_t sub_offset = 0xc000;
+			int64_t sub_length = 0x1000;
+			tc::io::PaddingSource expected_subsource = tc::io::PaddingSource(0xff, 0x1000);
+			
+			tc::io::OverlayedSource base_source = tc::io::OverlayedSource(std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0, 0x10000)), std::make_shared<tc::io::PaddingSource>(expected_subsource), sub_offset, sub_length);
+			tc::io::SubSource source = tc::io::SubSource(std::make_shared<tc::io::OverlayedSource>(base_source), sub_offset, sub_length);
+
+			// test
+			SourceTestUtil::testSourceLength(source, sub_length);
+			SourceTestUtil::pullTestHelper(source, -10, 20, 0, nullptr);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubSource_TestClass::testTooLargeOffset()
+{
+	std::cout << "[tc::io::SubSource] testTooLargeOffset : " << std::flush;
+	try
+	{
+		try
+		{
+			// create source
+			int64_t sub_offset = 0xc000;
+			int64_t sub_length = 0x1000;
+			tc::io::PaddingSource expected_subsource = tc::io::PaddingSource(0xff, 0x1000);
+			
+			tc::io::OverlayedSource base_source = tc::io::OverlayedSource(std::shared_ptr<tc::io::PaddingSource>(new tc::io::PaddingSource(0, 0x10000)), std::make_shared<tc::io::PaddingSource>(expected_subsource), sub_offset, sub_length);
+			tc::io::SubSource source = tc::io::SubSource(std::make_shared<tc::io::OverlayedSource>(base_source), sub_offset, sub_length);
+
+			// test
+			SourceTestUtil::testSourceLength(source, sub_length);
+			SourceTestUtil::pullTestHelper(source, sub_length * 2, 20, 0, nullptr);
+			
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.h b/ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.h
new file mode 100644
index 00000000..19e0a65f
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubSource_TestClass.h
@@ -0,0 +1,13 @@
+#pragma once
+#include "ITestClass.h"
+
+class io_SubSource_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testDefaultConstructor();
+	void testCreateConstructor();
+	void testNegativeOffset();
+	void testTooLargeOffset();
+};
diff --git a/ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.cpp
new file mode 100644
index 00000000..58b8737d
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.cpp
@@ -0,0 +1,344 @@
+#include <tc/Exception.h>
+#include <iostream>
+
+#include "io_SubStream_TestClass.h"
+#include "StreamTestUtil.h"
+
+void io_SubStream_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::io::SubStream] START" << std::endl;
+	testProperties();
+	testSize();
+	testSeekPos();
+	testRead();
+	testWrite();
+	std::cout << "[tc::io::SubStream] END" << std::endl;
+}
+
+void io_SubStream_TestClass::testProperties()
+{
+	std::cout << "[tc::io::SubStream] testProperties : " << std::flush;
+	try
+	{
+		class DummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			DummyStream()
+			{
+			}
+		};
+
+		try
+		{
+			int64_t substream_offset = 0x56;
+			int64_t substream_length = 0x1000;
+
+			auto dummy_stream = std::shared_ptr<DummyStream>(new DummyStream());
+			dummy_stream->init(0x10000, true, true, true, false, true);
+
+			// create null substream
+			auto substream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream());
+			if (substream->canSeek() != false)
+			{
+				throw tc::Exception("canSeek() returned true when base stream was null.");
+			}
+			if (substream->canRead() != false)
+			{
+				throw tc::Exception("canRead() returned true when base stream was null.");
+			}
+			if (substream->canWrite() != false)
+			{
+				throw tc::Exception("canWrite() returned true when base stream was null.");
+			}
+
+			// create proper substream
+			substream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(dummy_stream, substream_offset, substream_length));
+			if (substream->canSeek() != true)
+			{
+				throw tc::Exception("canSeek() returned false when base stream was valid.");
+			}
+			if (substream->canRead() != true)
+			{
+				throw tc::Exception("canRead() returned false when base stream was valid.");
+			}
+			if (substream->canWrite() != true)
+			{
+				throw tc::Exception("canWrite() returned false when base stream was valid.");
+			}
+
+			// basestream has canRead==false
+			dummy_stream->init(0x10000, false, true, true, false, true);
+			if (substream->canSeek() != true)
+			{
+				throw tc::Exception("canSeek() returned false when base stream was valid.");
+			}
+			if (substream->canRead() != false)
+			{
+				throw tc::Exception("canRead() returned true when base stream was valid, but basestream->canRead() was false.");
+			}
+			if (substream->canWrite() != true)
+			{
+				throw tc::Exception("canWrite() returned false when base stream was valid.");
+			}
+
+			// basestream has canWrite==false
+			dummy_stream->init(0x10000, true, false, true, false, true);
+			if (substream->canSeek() != true)
+			{
+				throw tc::Exception("canSeek() returned false when base stream was valid.");
+			}
+			if (substream->canRead() != true)
+			{
+				throw tc::Exception("canRead() returned false when base stream was valid.");
+			}
+			if (substream->canWrite() != false)
+			{
+				throw tc::Exception("canWrite() returned true when base stream was valid, but basestream->canWrite() was false.");
+			}
+
+			// basestream has canSeek==false
+			dummy_stream->init(0x10000, true, true, false, false, true);
+			if (substream->canSeek() != false)
+			{
+				throw tc::Exception("canSeek() returned true when base stream was valid, but basestream->canSeek() was false.");
+			}
+			if (substream->canRead() != true)
+			{
+				throw tc::Exception("canRead() returned false when base stream was valid.");
+			}
+			if (substream->canWrite() != true)
+			{
+				throw tc::Exception("canWrite() returned false when base stream was valid.");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubStream_TestClass::testSize()
+{
+	std::cout << "[tc::io::SubStream] testSize : " << std::flush;
+	try
+	{
+		class DummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			DummyStream()
+			{
+			}
+		};
+
+		try
+		{
+			int64_t substream_offset = 0x56;
+			int64_t substream_length = 0x1000;
+
+			// get substream file
+			tc::io::SubStream substream(std::shared_ptr<DummyStream>(new DummyStream()), substream_offset, substream_length);
+
+			if (substream.length() != substream_length)
+			{
+				throw tc::Exception("Unexpected substream length");
+			}
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubStream_TestClass::testSeekPos()
+{
+	std::cout << "[tc::io::SubStream] testSeekPos : " << std::flush;
+	try
+	{
+		class DummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			DummyStream()
+			{
+
+			}
+
+			virtual size_t read(byte_t* ptr, size_t count)
+			{
+				if (this->position() != (0x56 + 0x337))
+				{
+					throw tc::Exception("The base stream position was not as expected.");
+				}
+
+				return count;
+			}
+		};
+
+		try
+		{
+			int64_t substream_offset = 0x56;
+			int64_t substream_size = 0x1000;
+
+			DummyStream stream;
+
+			// get sandbox file
+			tc::io::SubStream substream(std::make_shared<DummyStream>(stream), substream_offset, substream_size);
+
+			int64_t offset_to_seek = 0x337;
+			substream.seek(offset_to_seek, tc::io::SeekOrigin::Begin);
+
+			if (substream.position() != offset_to_seek)
+			{
+				throw tc::Exception("Was not able to seek as expected");
+			}
+
+			substream.read(nullptr, 0x20);
+
+			if (substream.position() != offset_to_seek + 0x20)
+			{
+				throw tc::Exception("Was not able to seek as expected");
+			}
+
+
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubStream_TestClass::testRead()
+{
+	std::cout << "[tc::io::SubStream] testRead : " << std::flush;
+	try
+	{
+		class DummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			DummyStream()
+			{
+
+			}
+
+			virtual size_t read(byte_t* ptr, size_t count)
+			{
+				if (ptr != (byte_t*)0xcafe)
+				{
+					throw tc::Exception("'ptr' pointer was passed to base IStream object not as expected");
+				}
+
+				if (count != 0xbabe)
+				{
+					throw tc::Exception("'count' parameter was passed to base IStream object not as expected");
+				}
+
+				return count;
+			}
+		};
+
+		try
+		{
+			uint64_t substream_offset = 0x56;
+			uint64_t substream_size = 0x100000;
+
+			// get sandbox file
+			tc::io::SubStream substream(std::shared_ptr<DummyStream>(new DummyStream()), substream_offset, substream_size);
+
+			uint64_t offset_to_seek = 0x337;
+			substream.seek(offset_to_seek, tc::io::SeekOrigin::Begin);
+
+			byte_t* dummy_ptr = (byte_t*)0xcafe;
+			size_t dummy_read_len = 0xbabe;
+
+			substream.read(dummy_ptr, dummy_read_len);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
+
+void io_SubStream_TestClass::testWrite()
+{
+	std::cout << "[tc::io::SubStream] testWrite : " << std::flush;
+	try
+	{
+		class DummyStream : public StreamTestUtil::DummyStreamBase
+		{
+		public:
+			DummyStream()
+			{
+
+			}
+
+			virtual size_t write(const byte_t* data, size_t count)
+			{
+				if (data != (const byte_t*)0xcafe)
+				{
+					throw tc::Exception("'data' pointer was passed to base IStream object not as expected");
+				}
+
+				if (count != 0xbabe)
+				{
+					throw tc::Exception("'count' parameter was passed to base IStream object not as expected");
+				}
+
+				return count;
+			}
+		};
+
+		try
+		{
+			uint64_t substream_offset = 0x56;
+			uint64_t substream_size = 0x100000;
+
+			// get sandbox file
+			tc::io::SubStream substream(std::shared_ptr<DummyStream>(new DummyStream()), substream_offset, substream_size);
+
+			uint64_t offset_to_seek = 0x337;
+			substream.seek(offset_to_seek, tc::io::SeekOrigin::Begin);
+
+			byte_t* dummy_ptr = (byte_t*)0xcafe;
+			size_t dummy_read_len = 0xbabe;
+
+			substream.write(dummy_ptr, dummy_read_len);
+
+			std::cout << "PASS" << std::endl;
+		}
+		catch (const tc::Exception& e)
+		{
+			std::cout << "FAIL (" << e.error() << ")" << std::endl;
+		}
+	}
+	catch (const std::exception& e)
+	{
+		std::cout << "UNHANDLED EXCEPTION (" << e.what() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.h b/ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.h
new file mode 100644
index 00000000..b6a05884
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_SubStream_TestClass.h
@@ -0,0 +1,18 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/io.h>
+#include <tc/ArgumentOutOfRangeException.h>
+#include <tc/NotImplementedException.h>
+
+class io_SubStream_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testProperties();
+	void testSize();
+	void testSeekPos();
+	void testRead();
+	void testWrite();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.cpp b/ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.cpp
new file mode 100644
index 00000000..2964cf46
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.cpp
@@ -0,0 +1,2543 @@
+#include <tc/Exception.h>
+#include <fmt/core.h>
+
+#include <tc/io/VirtualFileSystem.h>
+#include <tc/io/PathUtil.h>
+
+#include "io_VirtualFileSystem_TestClass.h"
+#include "StreamTestUtil.h"
+
+void io_VirtualFileSystem_TestClass::runAllTests(void)
+{
+	fmt::print("[tc::io::VirtualFileSystem] START\n");
+	test_CreateUninitializedFs_DefaultConstructor();
+	test_BadFsSnapshot_CreateConstructor();
+	test_CreateFs_CreateConstructor();
+	test_ThrowsOnBadPermissions_OpenFile();
+	test_ThrowsOnBadFileEntry_OpenFile();
+	test_ThrowsOnBadFileEntry_GetDirectoryListing();
+	test_ThrowsOnBadFileEntry_SetWorkingDirectory();
+	test_WorksForAllValidPaths_OpenFile();
+	test_WorksForAllValidPaths_GetDirectoryListing();
+	test_WorksForAllValidPaths_SetWorkingDirectory();
+	test_WorksForAllValidPaths_GetWorkingDirectory();
+	test_DisposeWillChangeStateToUninitialized();
+	fmt::print("[tc::io::VirtualFileSystem] END\n");
+}
+
+void io_VirtualFileSystem_TestClass::test_CreateUninitializedFs_DefaultConstructor()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_CreateUninitializedFs_DefaultConstructor : ");
+	try
+	{
+		try 
+		{
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem();
+
+			// Test .state() returns correct
+			uint64_t state_ulong = filesystem.state().to_ulong();
+			uint64_t expected_state_ulong = (1 << tc::RESFLAG_NOINIT);
+			if (state_ulong != expected_state_ulong)
+			{
+				throw tc::Exception(fmt::format(".state().to_ulong() returned 0x{:x} (expected 0x{:x})", state_ulong, expected_state_ulong));
+			}
+
+			bool state_test_ready = filesystem.state().test(tc::RESFLAG_READY);
+			bool expected_state_test_ready = false;
+			if (state_test_ready != expected_state_test_ready)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_READY) returned {} (expected {})", state_test_ready, expected_state_test_ready));
+			}
+
+			bool state_test_error = filesystem.state().test(tc::RESFLAG_ERROR);
+			bool expected_state_test_error = false;
+			if (state_test_error != expected_state_test_error)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_ERROR) returned {} (expected {})", state_test_error, expected_state_test_error));
+			}
+
+			bool state_test_noinit = filesystem.state().test(tc::RESFLAG_NOINIT);
+			bool expected_state_test_noinit = true;
+			if (state_test_noinit != expected_state_test_noinit)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_NOINIT) returned {} (expected {})", state_test_noinit, expected_state_test_noinit));
+			}
+
+			// Test using methods that should throw ObjectDisposedException, as this is not initialized
+			try
+			{
+				filesystem.createFile(tc::io::Path());
+				throw tc::Exception(".createFile() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.removeFile(tc::io::Path());
+				throw tc::Exception(".removeFile() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::Path file_path;
+				std::shared_ptr<tc::io::IStream> file_stream;
+				filesystem.openFile(file_path, tc::io::FileMode::Open, tc::io::FileAccess::Read, file_stream);
+				throw tc::Exception(".openFile() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.createDirectory(tc::io::Path());
+				throw tc::Exception(".createDirectory() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.removeDirectory(tc::io::Path());
+				throw tc::Exception(".removeDirectory() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::Path path;
+				filesystem.getWorkingDirectory(path);
+				throw tc::Exception(".getWorkingDirectory() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.setWorkingDirectory(tc::io::Path());
+				throw tc::Exception(".setWorkingDirectory() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::sDirectoryListing info;
+
+				filesystem.getDirectoryListing(tc::io::Path(), info);
+				throw tc::Exception(".setWorkingDirectory() did not throw tc::ObjectDisposedException for uninitialized VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_BadFsSnapshot_CreateConstructor()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_BadFsSnapshot_CreateConstructor : ");
+	try
+	{
+		try 
+		{
+			try
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				throw tc::Exception("Create Constructor did not throw tc::InvalidOperationException for an unpopulated fs snapshot.");
+			}
+			catch (tc::InvalidOperationException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+
+				// create snapshot data
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				/* // omit including dir_entry
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+				*/
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				throw tc::Exception("Create Constructor did not throw tc::InvalidOperationException for a fs snapshot that did not have a root directory.");
+			}
+			catch (tc::InvalidOperationException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+
+				// create snapshot data
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, -1)); // invalid index for root entry
+				
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				throw tc::Exception("Create Constructor did not throw tc::InvalidOperationException for a fs snapshot that had an invalid root directory index.");
+			}
+			catch (tc::InvalidOperationException&) {
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_CreateFs_CreateConstructor()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_CreateFs_CreateConstructor : ");
+	try
+	{
+		try 
+		{
+			tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+
+			// create snapshot data
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+			dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+			dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+			dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+			dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+			dirA_entry.dir_listing.dir_list = {};
+			dirA_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+			dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+			dirB_entry.dir_listing.dir_list = {};
+			dirB_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+			dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+			dirC_entry.dir_listing.dir_list = {};
+			dirC_entry.dir_listing.file_list = {};
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+			fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+			fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+			// add data to snapshot
+			snapshot.dir_entries.push_back(dirRoot_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirA_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirB_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirC_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileA_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileB_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileC_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+			// Test .state() returns correct
+			uint64_t state_ulong = filesystem.state().to_ulong();
+			uint64_t expected_state_ulong = (1 << tc::RESFLAG_READY);
+			if (state_ulong != expected_state_ulong)
+			{
+				throw tc::Exception(fmt::format(".state().to_ulong() returned 0x{:x} (expected 0x{:x})", state_ulong, expected_state_ulong));
+			}
+
+			bool state_test_ready = filesystem.state().test(tc::RESFLAG_READY);
+			bool expected_state_test_ready = true;
+			if (state_test_ready != expected_state_test_ready)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_READY) returned {} (expected {})", state_test_ready, expected_state_test_ready));
+			}
+
+			bool state_test_error = filesystem.state().test(tc::RESFLAG_ERROR);
+			bool expected_state_test_error = false;
+			if (state_test_error != expected_state_test_error)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_ERROR) returned {} (expected {})", state_test_error, expected_state_test_error));
+			}
+
+			bool state_test_noinit = filesystem.state().test(tc::RESFLAG_NOINIT);
+			bool expected_state_test_noinit = false;
+			if (state_test_noinit != expected_state_test_noinit)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_NOINIT) returned {} (expected {})", state_test_noinit, expected_state_test_noinit));
+			}
+
+			// Test using methods that should throw NotImplementedException, since this is initialized
+			try
+			{
+				filesystem.createFile(tc::io::Path());
+				throw tc::Exception(".createFile() did not throw tc::NotImplementedException for initialized VirtualFileSystem");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.removeFile(tc::io::Path());
+				throw tc::Exception(".removeFile() did not throw tc::NotImplementedException for initialized VirtualFileSystem");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.createDirectory(tc::io::Path());
+				throw tc::Exception(".createDirectory() did not throw tc::NotImplementedException for initialized VirtualFileSystem");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.removeDirectory(tc::io::Path());
+				throw tc::Exception(".removeDirectory() did not throw tc::NotImplementedException for initialized VirtualFileSystem");
+			}
+			catch (tc::NotImplementedException&) {
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_ThrowsOnBadPermissions_OpenFile()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_ThrowsOnBadPermissions_OpenFile : ");
+	try
+	{
+		try 
+		{
+			tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+
+			// create snapshot data
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+			dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+			dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+			dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+			dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+			dirA_entry.dir_listing.dir_list = {};
+			dirA_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+			dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+			dirB_entry.dir_listing.dir_list = {};
+			dirB_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+			dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+			dirC_entry.dir_listing.dir_list = {};
+			dirC_entry.dir_listing.file_list = {};
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+			fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+			fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+			// add data to snapshot
+			snapshot.dir_entries.push_back(dirRoot_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirA_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirB_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirC_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileA_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileB_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileC_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+			// test openFile throws exceptions for bad permissions
+
+			/* tc::io::FileMode // only open is allowed
+			CreateNew = 1,
+			Create = 2,
+			Open = 3, 
+			OpenOrCreate = 4,
+			Truncate = 5,
+			Append = 6
+			*/
+
+			/* tc::io::FileAccess  // only read is allowed
+			Read = 1,
+			Write = 2,
+			ReadWrite = Read|Write, // (1|2 == 3)
+			*/
+
+			// CreateNew,Read
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::CreateNew, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "CreateNew", "Read"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// CreateNew,Write
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::CreateNew, tc::io::FileAccess::Write, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "CreateNew", "Write"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// CreateNew,ReadWrite
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::CreateNew, tc::io::FileAccess::ReadWrite, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "CreateNew", "ReadWrite"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Create,Read
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Create, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Create", "Read"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Create,Write
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Create, tc::io::FileAccess::Write, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Create", "Write"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Create,ReadWrite
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Create, tc::io::FileAccess::ReadWrite, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Create", "ReadWrite"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Open,Read (this is the only supported combination)
+			/*
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Open", "Read"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+			*/
+
+			// Open,Write
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Open, tc::io::FileAccess::Write, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Open", "Write"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Open,ReadWrite
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Open, tc::io::FileAccess::ReadWrite, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Open", "ReadWrite"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// OpenOrCreate,Read
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "OpenOrCreate", "Read"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// OpenOrCreate,Write
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "OpenOrCreate", "Write"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// OpenOrCreate,ReadWrite
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::ReadWrite, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "OpenOrCreate", "ReadWrite"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Truncate,Read
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Truncate, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Truncate", "Read"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Truncate,Write
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Truncate, tc::io::FileAccess::Write, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Truncate", "Write"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Truncate,ReadWrite
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Truncate, tc::io::FileAccess::ReadWrite, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Truncate", "ReadWrite"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Append,Read
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Append, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Append", "Read"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Append,Write
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Append, tc::io::FileAccess::Write, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Append", "Write"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			// Append,ReadWrite
+			try 
+			{
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+
+			
+				filesystem.openFile(path, tc::io::FileMode::Append, tc::io::FileAccess::ReadWrite, stream);
+				
+				throw tc::Exception(fmt::format(".openFile() did not throw tc::NotSupportedException where unsupported mode ({:s}) and access ({:s}) were used.", "Append", "ReadWrite"));
+			}
+			catch (const tc::NotSupportedException&)
+			{
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_ThrowsOnBadFileEntry_OpenFile()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_ThrowsOnBadFileEntry_OpenFile : ");
+	try
+	{
+		try 
+		{
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				// error: file entry not created
+				//snapshot.file_entries.push_back(fileB_entry);
+				//snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// open file
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(path, tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(".openFile() did not throw tc::io::FileNotFoundException where file entry did not exist");
+			}
+			catch (tc::io::FileNotFoundException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				// error: file entry not created but not mapped to a path
+				snapshot.file_entries.push_back(fileB_entry);
+				//snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// open file
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(path, tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(".openFile() did not throw tc::io::FileNotFoundException where file entry did exist, but not mapped to a path");
+			}
+			catch (tc::io::FileNotFoundException&)
+			{
+				// do nothing
+			}
+			
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				// error: file entry created, but not mapped correctly (index == -1)
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), -1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// open file
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(path, tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(".openFile() did not throw tc::io::FileNotFoundException where file entry did exist, but had a bad mapping");
+			}
+			catch (tc::io::FileNotFoundException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				// error: file entry created and mapped, but stream is null
+				fileB_entry.stream.reset(); // <- null the pointer here
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// open file
+				tc::io::Path path = tc::io::Path("/fileB");
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(path, tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+				
+				throw tc::Exception(".openFile() did not throw tc::io::FileNotFoundException where file entry did exist, but stream was null");
+			}
+			catch (tc::io::FileNotFoundException&)
+			{
+				// do nothing
+			}
+
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_ThrowsOnBadFileEntry_GetDirectoryListing()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_ThrowsOnBadFileEntry_GetDirectoryListing : ");
+	try
+	{
+		try 
+		{
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				// error: dir entry not created
+				//snapshot.dir_entries.push_back(dirC_entry);
+				//snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// get directory listing
+				tc::io::Path path = tc::io::Path("/dirC");
+				tc::io::sDirectoryListing info;
+				filesystem.getDirectoryListing(path, info);
+				
+				throw tc::Exception(".getDirectoryListing() did not throw tc::io::DirectoryNotFoundException where dir entry did not exist");
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				// error: dir entry created, but not mapped to a path
+				snapshot.dir_entries.push_back(dirC_entry);
+				//snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// get directory listing
+				tc::io::Path path = tc::io::Path("/dirC");
+				tc::io::sDirectoryListing info;
+				filesystem.getDirectoryListing(path, info);
+				
+				throw tc::Exception(".getDirectoryListing() did not throw tc::io::DirectoryNotFoundException where dir entry did exist, but not mapped to a path");
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				// do nothing
+			}
+			
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				// error: dir entry created, but not mapped correctly (index == -1)
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, -1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// get directory listing
+				tc::io::Path path = tc::io::Path("/dirC");
+				tc::io::sDirectoryListing info;
+				filesystem.getDirectoryListing(path, info);
+				
+				throw tc::Exception(".getDirectoryListing() did not throw tc::io::DirectoryNotFoundException where dir entry did exist, but not mapped correctly.");
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				// do nothing
+			}
+			
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_ThrowsOnBadFileEntry_SetWorkingDirectory()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_ThrowsOnBadFileEntry_SetWorkingDirectory : ");
+	try
+	{
+		try 
+		{
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				// error: dir entry not created
+				//snapshot.dir_entries.push_back(dirC_entry);
+				//snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// set working directory
+				tc::io::Path path = tc::io::Path("/dirC");
+				filesystem.setWorkingDirectory(path);
+				
+				throw tc::Exception(".setWorkingDirectory() did not throw tc::io::DirectoryNotFoundException where dir entry did not exist");
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				// do nothing
+			}
+
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				// error: dir entry created, but not mapped to a path
+				snapshot.dir_entries.push_back(dirC_entry);
+				//snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// set working directory
+				tc::io::Path path = tc::io::Path("/dirC");
+				filesystem.setWorkingDirectory(path);
+				
+				throw tc::Exception(".setWorkingDirectory() did not throw tc::io::DirectoryNotFoundException where dir entry did exist, but not mapped to a path");
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				// do nothing
+			}
+			
+			try 
+			{
+				tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+				// create snapshot data
+			
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+				dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+				dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+				dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+				dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+				dirA_entry.dir_listing.dir_list = {};
+				dirA_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+				dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+				dirB_entry.dir_listing.dir_list = {};
+				dirB_entry.dir_listing.file_list = {};
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+				dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+				dirC_entry.dir_listing.dir_list = {};
+				dirC_entry.dir_listing.file_list = {};
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+				fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+				
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+				fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+				tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+				fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+				// add data to snapshot
+				snapshot.dir_entries.push_back(dirRoot_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirA_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				snapshot.dir_entries.push_back(dirB_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+				// error: dir entry created, but not mapped correctly (index == -1)
+				snapshot.dir_entries.push_back(dirC_entry);
+				snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, -1));
+
+				snapshot.file_entries.push_back(fileA_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileB_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+				snapshot.file_entries.push_back(fileC_entry);
+				snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+			
+				// create filesystem
+				auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+				// set working directory
+				tc::io::Path path = tc::io::Path("/dirC");
+				filesystem.setWorkingDirectory(path);
+				
+				throw tc::Exception(".setWorkingDirectory() did not throw tc::io::DirectoryNotFoundException where dir entry did exist, but not mapped correctly.");
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				// do nothing
+			}
+			
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_WorksForAllValidPaths_OpenFile()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_WorksForAllValidPaths_OpenFile : ");
+	try
+	{
+		try 
+		{
+			tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+			// create snapshot data
+		
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+			dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+			dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+			dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+			dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+			dirA_entry.dir_listing.dir_list = {};
+			dirA_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+			dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+			dirB_entry.dir_listing.dir_list = {};
+			dirB_entry.dir_listing.file_list = {"fileD"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+			dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+			dirC_entry.dir_listing.dir_list = {};
+			dirC_entry.dir_listing.file_list = {};
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+			fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+			fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileD_entry;
+			fileD_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xD, true, false, true, false, false));
+
+			// add data to snapshot
+			snapshot.dir_entries.push_back(dirRoot_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirA_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirB_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirC_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileA_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileB_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileC_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileD_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path + tc::io::Path("fileD"), snapshot.file_entries.size()-1));
+		
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+
+			// test that openFile works for all valid paths
+			std::string literal_path;
+			
+			literal_path = "/fileA";
+			try 
+			{
+				// open file
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(tc::io::Path(literal_path), tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+
+				if (stream == nullptr)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a null stream for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canRead() == false)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canRead() was false for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canWrite() == true)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canWrite() was true for file \"{:s}\".", literal_path));
+				}
+
+				int64_t expected_length = 0xA;
+				int64_t actual_length = stream->length();
+				if (actual_length != expected_length)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where length was 0x{:x} (expected 0x{:x}) for file \"{:s}\".", actual_length, expected_length, literal_path));
+				}
+			}
+			catch (tc::io::FileNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".openFile() threw tc::io::FileNotFoundException where file (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/fileB";
+			try 
+			{
+				// open file
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(tc::io::Path(literal_path), tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+
+				if (stream == nullptr)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a null stream for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canRead() == false)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canRead() was false for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canWrite() == true)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canWrite() was true for file \"{:s}\".", literal_path));
+				}
+
+				int64_t expected_length = 0xB;
+				int64_t actual_length = stream->length();
+				if (actual_length != expected_length)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where length was 0x{:x} (expected 0x{:x}) for file \"{:s}\".", actual_length, expected_length, literal_path));
+				}
+			}
+			catch (tc::io::FileNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".openFile() threw tc::io::FileNotFoundException where file (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/fileC";
+			try 
+			{
+				// open file
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(tc::io::Path(literal_path), tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+
+				if (stream == nullptr)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a null stream for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canRead() == false)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canRead() was false for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canWrite() == true)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canWrite() was true for file \"{:s}\".", literal_path));
+				}
+
+				int64_t expected_length = 0xC;
+				int64_t actual_length = stream->length();
+				if (actual_length != expected_length)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where length was 0x{:x} (expected 0x{:x}) for file \"{:s}\".", actual_length, expected_length, literal_path));
+				}
+			}
+			catch (tc::io::FileNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".openFile() threw tc::io::FileNotFoundException where file (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/dirB/fileD";
+			try 
+			{
+				// open file
+				std::shared_ptr<tc::io::IStream> stream;
+				filesystem.openFile(tc::io::Path(literal_path), tc::io::FileMode::Open, tc::io::FileAccess::Read, stream);
+
+				if (stream == nullptr)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a null stream for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canRead() == false)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canRead() was false for file \"{:s}\".", literal_path));
+				}
+
+				if (stream->canWrite() == true)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where canWrite() was true for file \"{:s}\".", literal_path));
+				}
+
+				int64_t expected_length = 0xD;
+				int64_t actual_length = stream->length();
+				if (actual_length != expected_length)
+				{
+					throw tc::Exception(fmt::format(".openFile() returned a stream where length was 0x{:x} (expected 0x{:x}) for file \"{:s}\".", actual_length, expected_length, literal_path));
+				}
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".openFile() threw tc::io::DirectoryNotFoundException where file (\"{:s}\") did exist.", literal_path));
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_WorksForAllValidPaths_GetDirectoryListing()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_WorksForAllValidPaths_GetDirectoryListing : ");
+	try
+	{
+		try 
+		{
+			tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+			// create snapshot data
+		
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+			dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+			dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+			dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+			dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+			dirA_entry.dir_listing.dir_list = {};
+			dirA_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+			dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+			dirB_entry.dir_listing.dir_list = {};
+			dirB_entry.dir_listing.file_list = {"fileD"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+			dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+			dirC_entry.dir_listing.dir_list = {};
+			dirC_entry.dir_listing.file_list = {};
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+			fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+			fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileD_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xD, true, false, true, false, false));
+
+			// add data to snapshot
+			snapshot.dir_entries.push_back(dirRoot_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirA_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirB_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirC_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileA_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileB_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileC_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileD_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path + tc::io::Path("fileD"), snapshot.file_entries.size()-1));
+		
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+
+			// test that getDirectoryListing works for all valid paths
+			std::string literal_path;
+			
+			literal_path = "/";
+			try 
+			{
+				// get directory listing
+				tc::io::sDirectoryListing info;
+				filesystem.getDirectoryListing(tc::io::Path(literal_path), info);
+
+				if (info.abs_path != dirRoot_entry.dir_listing.abs_path)
+				{
+					throw tc::Exception(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong absolute path).", literal_path);
+				}
+
+				if (info.dir_list != dirRoot_entry.dir_listing.dir_list)
+				{
+					throw tc::Exception(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path);
+				}
+
+				if (info.file_list != dirRoot_entry.dir_listing.file_list)
+				{
+					throw tc::Exception(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path);
+				}
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".getDirectoryListing() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/dirA/";
+			try 
+			{
+				// get directory listing
+				tc::io::sDirectoryListing info;
+				filesystem.getDirectoryListing(tc::io::Path(literal_path), info);
+
+				if (info.abs_path != dirA_entry.dir_listing.abs_path)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong absolute path).", literal_path));
+				}
+
+				if (info.dir_list != dirA_entry.dir_listing.dir_list)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path));
+				}
+
+				if (info.file_list != dirA_entry.dir_listing.file_list)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path));
+				}
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".getDirectoryListing() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/dirB/";
+			try 
+			{
+				// get directory listing
+				tc::io::sDirectoryListing info;
+				filesystem.getDirectoryListing(tc::io::Path(literal_path), info);
+
+				if (info.abs_path != dirB_entry.dir_listing.abs_path)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong absolute path).", literal_path));
+				}
+
+				if (info.dir_list != dirB_entry.dir_listing.dir_list)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path));
+				}
+
+				if (info.file_list != dirB_entry.dir_listing.file_list)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path));
+				}
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".getDirectoryListing() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/dirC/";
+			try 
+			{
+				// get directory listing
+				tc::io::sDirectoryListing info;
+				filesystem.getDirectoryListing(tc::io::Path(literal_path), info);
+
+				if (info.abs_path != dirC_entry.dir_listing.abs_path)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong absolute path).", literal_path));
+				}
+
+				if (info.dir_list != dirC_entry.dir_listing.dir_list)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path));
+				}
+
+				if (info.file_list != dirC_entry.dir_listing.file_list)
+				{
+					throw tc::Exception(fmt::format(".getDirectoryListing() did not return the correct DirectoryListing for directory \"{:s}\" (wrong dir list).", literal_path));
+				}
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".getDirectoryListing() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_WorksForAllValidPaths_SetWorkingDirectory()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_WorksForAllValidPaths_SetWorkingDirectory : ");
+	try
+	{
+		try 
+		{
+			tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+			// create snapshot data
+		
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+			dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+			dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+			dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+			dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+			dirA_entry.dir_listing.dir_list = {};
+			dirA_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+			dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+			dirB_entry.dir_listing.dir_list = {};
+			dirB_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+			dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+			dirC_entry.dir_listing.dir_list = {};
+			dirC_entry.dir_listing.file_list = {};
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+			fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+			fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+			// add data to snapshot
+			snapshot.dir_entries.push_back(dirRoot_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirA_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirB_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirC_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileA_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileB_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileC_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+		
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem(snapshot);
+
+
+			// test that setWorkingDirectory works for all valid paths
+			std::string literal_path;
+			
+			literal_path = "/";
+			try 
+			{
+				// set working directory
+				filesystem.setWorkingDirectory(tc::io::Path(literal_path));
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".setWorkingDirectory() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/dirA/";
+			try 
+			{
+				// set working directory
+				filesystem.setWorkingDirectory(tc::io::Path(literal_path));
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".setWorkingDirectory() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/dirB/";
+			try 
+			{
+				// set working directory
+				filesystem.setWorkingDirectory(tc::io::Path(literal_path));
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".setWorkingDirectory() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+
+			literal_path = "/dirC/";
+			try 
+			{
+				// set working directory
+				filesystem.setWorkingDirectory(tc::io::Path(literal_path));
+			}
+			catch (tc::io::DirectoryNotFoundException&)
+			{
+				throw tc::Exception(fmt::format(".setWorkingDirectory() threw tc::io::DirectoryNotFoundException where directory (\"{:s}\") did exist.", literal_path));
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_WorksForAllValidPaths_GetWorkingDirectory()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_WorksForAllValidPaths_GetWorkingDirectory : ");
+	try
+	{
+		try 
+		{
+			tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+			// create snapshot data
+		
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+			dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+			dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+			dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+			dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+			dirA_entry.dir_listing.dir_list = {};
+			dirA_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+			dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+			dirB_entry.dir_listing.dir_list = {};
+			dirB_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+			dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+			dirC_entry.dir_listing.dir_list = {};
+			dirC_entry.dir_listing.file_list = {};
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+			fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+			fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+			// add data to snapshot
+			snapshot.dir_entries.push_back(dirRoot_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirA_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirB_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirC_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileA_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileB_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileC_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+		
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem(snapshot);
+		
+
+			// test that working directory at point of filesystem creation is root
+			{
+				tc::io::Path expected_working_directory = tc::io::Path("/");
+				tc::io::Path working_directory;
+
+				filesystem.getWorkingDirectory(working_directory);
+
+				if (expected_working_directory != working_directory)
+				{
+					std::string expected_working_directory_string;
+					std::string working_directory_string;
+					tc::io::PathUtil::pathToUnixUTF8(expected_working_directory, expected_working_directory_string);
+					tc::io::PathUtil::pathToUnixUTF8(working_directory, working_directory_string);
+					throw tc::Exception(fmt::format("getWorkingDirectory() returned a path that was not root after the filesystem was created. (returned: \"{:s}\", expected: \"{:s}\")", working_directory_string, expected_working_directory_string));
+				}
+			}
+
+
+			// test that setWorkingDirectory works for all valid paths
+			std::string literal_path;
+			
+			literal_path = "/"; 
+			{
+				tc::io::Path expected_working_directory = tc::io::Path(literal_path);
+				tc::io::Path working_directory;
+
+				filesystem.setWorkingDirectory(expected_working_directory);
+				filesystem.getWorkingDirectory(working_directory);
+
+				if (expected_working_directory != working_directory)
+				{
+					std::string expected_working_directory_string;
+					std::string working_directory_string;
+					tc::io::PathUtil::pathToUnixUTF8(expected_working_directory, expected_working_directory_string);
+					tc::io::PathUtil::pathToUnixUTF8(working_directory, working_directory_string);
+					throw tc::Exception(fmt::format("getWorkingDirectory() did not return the expected path. (returned: \"{:s}\", expected: \"{:s}\")", working_directory_string, expected_working_directory_string));
+				}
+			}
+			
+
+			literal_path = "/dirA/";
+			{
+				tc::io::Path expected_working_directory = tc::io::Path(literal_path);
+				tc::io::Path working_directory;
+
+				filesystem.setWorkingDirectory(expected_working_directory);
+				filesystem.getWorkingDirectory(working_directory);
+
+				if (expected_working_directory != working_directory)
+				{
+					std::string expected_working_directory_string;
+					std::string working_directory_string;
+					tc::io::PathUtil::pathToUnixUTF8(expected_working_directory, expected_working_directory_string);
+					tc::io::PathUtil::pathToUnixUTF8(working_directory, working_directory_string);
+					throw tc::Exception(fmt::format("getWorkingDirectory() did not return the expected path. (returned: \"{:s}\", expected: \"{:s}\")", working_directory_string, expected_working_directory_string));
+				}
+			}
+
+			literal_path = "/dirB/";
+			{
+				tc::io::Path expected_working_directory = tc::io::Path(literal_path);
+				tc::io::Path working_directory;
+
+				filesystem.setWorkingDirectory(expected_working_directory);
+				filesystem.getWorkingDirectory(working_directory);
+
+				if (expected_working_directory != working_directory)
+				{
+					std::string expected_working_directory_string;
+					std::string working_directory_string;
+					tc::io::PathUtil::pathToUnixUTF8(expected_working_directory, expected_working_directory_string);
+					tc::io::PathUtil::pathToUnixUTF8(working_directory, working_directory_string);
+					throw tc::Exception(fmt::format("getWorkingDirectory() did not return the expected path. (returned: \"{:s}\", expected: \"{:s}\")", working_directory_string, expected_working_directory_string));
+				}
+			}
+
+			literal_path = "/dirC/";
+			{
+				tc::io::Path expected_working_directory = tc::io::Path(literal_path);
+				tc::io::Path working_directory;
+
+				filesystem.setWorkingDirectory(expected_working_directory);
+				filesystem.getWorkingDirectory(working_directory);
+
+				if (expected_working_directory != working_directory)
+				{
+					std::string expected_working_directory_string;
+					std::string working_directory_string;
+					tc::io::PathUtil::pathToUnixUTF8(expected_working_directory, expected_working_directory_string);
+					tc::io::PathUtil::pathToUnixUTF8(working_directory, working_directory_string);
+					throw tc::Exception(fmt::format("getWorkingDirectory() did not return the expected path. (returned: \"{:s}\", expected: \"{:s}\")", working_directory_string, expected_working_directory_string));
+				}
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
+
+void io_VirtualFileSystem_TestClass::test_DisposeWillChangeStateToUninitialized()
+{
+	fmt::print("[tc::io::VirtualFileSystem] test_DisposeWillChangeStateToUninitialized : ");
+	try
+	{
+		try 
+		{
+			tc::io::VirtualFileSystem::FileSystemSnapshot snapshot;
+				
+			// create snapshot data
+		
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirRoot_entry;
+			dirRoot_entry.dir_listing.abs_path = tc::io::Path("/");
+			dirRoot_entry.dir_listing.dir_list = {"dirA", "dirB", "dirC"};
+			dirRoot_entry.dir_listing.file_list = {"fileA", "fileB", "fileC"};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirA_entry;
+			dirA_entry.dir_listing.abs_path = tc::io::Path("/dirA/");
+			dirA_entry.dir_listing.dir_list = {};
+			dirA_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirB_entry;
+			dirB_entry.dir_listing.abs_path = tc::io::Path("/dirB/");
+			dirB_entry.dir_listing.dir_list = {};
+			dirB_entry.dir_listing.file_list = {};
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::DirEntry dirC_entry;
+			dirC_entry.dir_listing.abs_path = tc::io::Path("/dirC/");
+			dirC_entry.dir_listing.dir_list = {};
+			dirC_entry.dir_listing.file_list = {};
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileA_entry;
+			fileA_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xA, true, false, true, false, false));
+			
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileB_entry;
+			fileB_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xB, true, false, true, false, false));
+
+			tc::io::VirtualFileSystem::FileSystemSnapshot::FileEntry fileC_entry;
+			fileC_entry.stream = std::make_shared<StreamTestUtil::DummyStreamBase>(StreamTestUtil::DummyStreamBase(0xC, true, false, true, false, false));
+
+			// add data to snapshot
+			snapshot.dir_entries.push_back(dirRoot_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirA_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirA_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirB_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirB_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.dir_entries.push_back(dirC_entry);
+			snapshot.dir_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirC_entry.dir_listing.abs_path, snapshot.dir_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileA_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileA"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileB_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileB"), snapshot.file_entries.size()-1));
+
+			snapshot.file_entries.push_back(fileC_entry);
+			snapshot.file_entry_path_map.insert(std::pair<tc::io::Path, size_t>(dirRoot_entry.dir_listing.abs_path + tc::io::Path("fileC"), snapshot.file_entries.size()-1));
+		
+			// create filesystem
+			auto filesystem = tc::io::VirtualFileSystem(snapshot);
+		
+			filesystem.dispose();
+
+			// Test .state() returns correct
+			uint64_t state_ulong = filesystem.state().to_ulong();
+			uint64_t expected_state_ulong = (1 << tc::RESFLAG_NOINIT);
+			if (state_ulong != expected_state_ulong)
+			{
+				throw tc::Exception(fmt::format(".state().to_ulong() returned 0x{:x} (expected 0x{:x})", state_ulong, expected_state_ulong));
+			}
+
+			bool state_test_ready = filesystem.state().test(tc::RESFLAG_READY);
+			bool expected_state_test_ready = false;
+			if (state_test_ready != expected_state_test_ready)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_READY) returned {} (expected {})", state_test_ready, expected_state_test_ready));
+			}
+
+			bool state_test_error = filesystem.state().test(tc::RESFLAG_ERROR);
+			bool expected_state_test_error = false;
+			if (state_test_error != expected_state_test_error)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_ERROR) returned {} (expected {})", state_test_error, expected_state_test_error));
+			}
+
+			bool state_test_noinit = filesystem.state().test(tc::RESFLAG_NOINIT);
+			bool expected_state_test_noinit = true;
+			if (state_test_noinit != expected_state_test_noinit)
+			{
+				throw tc::Exception(fmt::format(".state().test(tc::RESFLAG_NOINIT) returned {} (expected {})", state_test_noinit, expected_state_test_noinit));
+			}
+
+			// Test using methods that should throw ObjectDisposedException, as this is not initialized
+			try
+			{
+				filesystem.createFile(tc::io::Path());
+				throw tc::Exception(".createFile() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.removeFile(tc::io::Path());
+				throw tc::Exception(".removeFile() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::Path file_path;
+				std::shared_ptr<tc::io::IStream> file_stream;
+				filesystem.openFile(file_path, tc::io::FileMode::Open, tc::io::FileAccess::Read, file_stream);
+				throw tc::Exception(".openFile() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.createDirectory(tc::io::Path());
+				throw tc::Exception(".createDirectory() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.removeDirectory(tc::io::Path());
+				throw tc::Exception(".removeDirectory() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::Path path;
+				filesystem.getWorkingDirectory(path);
+				throw tc::Exception(".getWorkingDirectory() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				filesystem.setWorkingDirectory(tc::io::Path());
+				throw tc::Exception(".setWorkingDirectory() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+
+			try
+			{
+				tc::io::sDirectoryListing info;
+
+				filesystem.getDirectoryListing(tc::io::Path(), info);
+				throw tc::Exception(".setWorkingDirectory() did not throw tc::ObjectDisposedException for disposed VirtualFileSystem");
+			}
+			catch (tc::ObjectDisposedException&) {
+				// do nothing
+			}
+			
+			fmt::print("PASS\n");
+		}
+		catch (const tc::Exception& e)
+		{
+			fmt::print("FAIL ({:s})\n", e.error());
+		}
+	}
+	catch (const std::exception& e)
+	{
+		fmt::print("UNHANDLED EXCEPTION ({:s})\n", e.what());
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.h b/ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.h
new file mode 100644
index 00000000..24161008
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/io_VirtualFileSystem_TestClass.h
@@ -0,0 +1,21 @@
+#pragma once
+#include "ITestClass.h"
+
+class io_VirtualFileSystem_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void test_CreateUninitializedFs_DefaultConstructor();
+	void test_BadFsSnapshot_CreateConstructor();
+	void test_CreateFs_CreateConstructor();
+	void test_ThrowsOnBadPermissions_OpenFile();
+	void test_ThrowsOnBadFileEntry_OpenFile();
+	void test_ThrowsOnBadFileEntry_GetDirectoryListing();
+	void test_ThrowsOnBadFileEntry_SetWorkingDirectory();
+	void test_WorksForAllValidPaths_OpenFile();
+	void test_WorksForAllValidPaths_GetDirectoryListing();
+	void test_WorksForAllValidPaths_SetWorkingDirectory();
+	void test_WorksForAllValidPaths_GetWorkingDirectory();
+	void test_DisposeWillChangeStateToUninitialized();
+};
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/main.cpp b/ctrtool/deps/libtoolchain/test/main.cpp
new file mode 100644
index 00000000..af86c8ac
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/main.cpp
@@ -0,0 +1,195 @@
+#include "string_TranscodeUtil_TestClass.h"
+#include "ByteData_TestClass.h"
+#include "bn_binaryutils_TestClass.h"
+#include "bn_pad_TestClass.h"
+#include "bn_string_TestClass.h"
+#include "bn_endian_TestClass.h"
+#include "bn_bitarrayByteBEBitBE_TestClass.h"
+#include "bn_bitarrayByteBEBitLE_TestClass.h"
+#include "bn_bitarrayByteLEBitBE_TestClass.h"
+#include "bn_bitarrayByteLEBitLE_TestClass.h"
+#include "Optional_TestClass.h"
+#include "io_Path_TestClass.h"
+#include "io_BasicPathResolver_TestClass.h"
+#include "io_LocalFileSystem_TestClass.h"
+#include "io_FileStream_TestClass.h"
+#include "io_MemoryStream_TestClass.h"
+#include "io_SubStream_TestClass.h"
+#include "io_ConcatenatedStream_TestClass.h"
+#include "io_SubFileSystem_TestClass.h"
+#include "io_VirtualFileSystem_TestClass.h"
+#include "io_PaddingSource_TestClass.h"
+#include "io_MemorySource_TestClass.h"
+#include "io_OverlayedSource_TestClass.h"
+#include "io_SubSource_TestClass.h"
+#include "io_SubSink_TestClass.h"
+#include "io_StreamSource_TestClass.h"
+#include "io_StreamSink_TestClass.h"
+#include "cli_FormatUtil_TestClass.h"
+#include "cli_OptionParser_TestClass.h"
+#include "crypto_Md5Generator_TestClass.h"
+#include "crypto_Sha1Generator_TestClass.h"
+#include "crypto_Sha256Generator_TestClass.h"
+#include "crypto_Sha512Generator_TestClass.h"
+#include "crypto_HmacMd5Generator_TestClass.h"
+#include "crypto_HmacSha1Generator_TestClass.h"
+#include "crypto_HmacSha256Generator_TestClass.h"
+#include "crypto_HmacSha512Generator_TestClass.h"
+#include "crypto_Pbkdf1Md5KeyDeriver_TestClass.h"
+#include "crypto_Pbkdf1Sha1KeyDeriver_TestClass.h"
+#include "crypto_Pbkdf2Sha1KeyDeriver_TestClass.h"
+#include "crypto_Pbkdf2Sha256KeyDeriver_TestClass.h"
+#include "crypto_Pbkdf2Sha512KeyDeriver_TestClass.h"
+#include "crypto_PseudoRandomByteGenerator_TestClass.h"
+#include "crypto_Aes128Encryptor_TestClass.h"
+#include "crypto_Aes192Encryptor_TestClass.h"
+#include "crypto_Aes256Encryptor_TestClass.h"
+#include "crypto_Aes128EcbEncryptor_TestClass.h"
+#include "crypto_Aes192EcbEncryptor_TestClass.h"
+#include "crypto_Aes256EcbEncryptor_TestClass.h"
+#include "crypto_Aes128CbcEncryptor_TestClass.h"
+#include "crypto_Aes192CbcEncryptor_TestClass.h"
+#include "crypto_Aes256CbcEncryptor_TestClass.h"
+#include "crypto_Aes128CbcEncryptedStream_TestClass.h"
+#include "crypto_Aes128CtrEncryptor_TestClass.h"
+#include "crypto_Aes192CtrEncryptor_TestClass.h"
+#include "crypto_Aes256CtrEncryptor_TestClass.h"
+#include "crypto_Aes128CtrEncryptedStream_TestClass.h"
+#include "crypto_Aes128XtsEncryptor_TestClass.h"
+#include "crypto_Aes256XtsEncryptor_TestClass.h"
+#include "crypto_Rsa1024OaepSha256Encryptor_TestClass.h"
+#include "crypto_Rsa2048OaepSha256Encryptor_TestClass.h"
+#include "crypto_Rsa4096OaepSha256Encryptor_TestClass.h"
+#include "crypto_Rsa2048OaepSha512Encryptor_TestClass.h"
+#include "crypto_Rsa4096OaepSha512Encryptor_TestClass.h"
+#include "crypto_Rsa1024Pkcs1Md5Signer_TestClass.h"
+#include "crypto_Rsa2048Pkcs1Md5Signer_TestClass.h"
+#include "crypto_Rsa4096Pkcs1Md5Signer_TestClass.h"
+#include "crypto_Rsa1024Pkcs1Sha1Signer_TestClass.h"
+#include "crypto_Rsa2048Pkcs1Sha1Signer_TestClass.h"
+#include "crypto_Rsa4096Pkcs1Sha1Signer_TestClass.h"
+#include "crypto_Rsa1024Pkcs1Sha256Signer_TestClass.h"
+#include "crypto_Rsa2048Pkcs1Sha256Signer_TestClass.h"
+#include "crypto_Rsa4096Pkcs1Sha256Signer_TestClass.h"
+#include "crypto_Rsa1024Pkcs1Sha512Signer_TestClass.h"
+#include "crypto_Rsa2048Pkcs1Sha512Signer_TestClass.h"
+#include "crypto_Rsa4096Pkcs1Sha512Signer_TestClass.h"
+#include "crypto_Rsa1024PssSha256Signer_TestClass.h"
+#include "crypto_Rsa1024PssSha512Signer_TestClass.h"
+#include "crypto_Rsa2048PssSha256Signer_TestClass.h"
+#include "crypto_Rsa2048PssSha512Signer_TestClass.h"
+#include "crypto_Rsa4096PssSha256Signer_TestClass.h"
+#include "crypto_Rsa4096PssSha512Signer_TestClass.h"
+
+#include <iostream>
+
+void runTest(ITestClass* testClass)
+{
+	testClass->runAllTests();
+	delete testClass;
+}
+
+int main(int argc, char** argv)
+{
+	bool includeSlowTests = false;
+	if (argc > 1)
+	{
+		static const std::string kNoSlowTestFlag = "--slow";
+		if (strncmp(argv[1], kNoSlowTestFlag.c_str(), kNoSlowTestFlag.size()) == 0)
+		{
+			includeSlowTests = true;
+		}
+		else
+		{
+			std::cout << "usage: " << std::string(argv[0]) << " [--slow]" << std::endl;
+			return 1;
+		}
+		
+	}
+
+	runTest(new string_TranscodeUtil_TestClass());
+	runTest(new ByteData_TestClass());
+	runTest(new bn_binaryutils_TestClass());
+	runTest(new bn_pad_TestClass());
+	runTest(new bn_string_TestClass());
+	runTest(new bn_endian_TestClass());
+	runTest(new bn_bitarrayByteBEBitBE_TestClass());
+	runTest(new bn_bitarrayByteBEBitLE_TestClass());
+	runTest(new bn_bitarrayByteLEBitBE_TestClass());
+	runTest(new bn_bitarrayByteLEBitLE_TestClass());
+	runTest(new Optional_TestClass());
+	runTest(new io_Path_TestClass());
+	runTest(new io_BasicPathResolver_TestClass());
+	runTest(new io_LocalFileSystem_TestClass());
+	runTest(new io_FileStream_TestClass());
+	runTest(new io_MemoryStream_TestClass());
+	runTest(new io_SubStream_TestClass());
+	runTest(new io_ConcatenatedStream_TestClass());
+	runTest(new io_SubFileSystem_TestClass());
+	runTest(new io_VirtualFileSystem_TestClass());
+	runTest(new io_PaddingSource_TestClass());
+	runTest(new io_MemorySource_TestClass());
+	runTest(new io_OverlayedSource_TestClass());
+	runTest(new io_SubSource_TestClass());
+	runTest(new io_SubSink_TestClass());
+	runTest(new io_StreamSource_TestClass());
+	runTest(new io_StreamSink_TestClass());
+	runTest(new cli_FormatUtil_TestClass());
+	runTest(new cli_OptionParser_TestClass());
+	runTest(new crypto_Md5Generator_TestClass());
+	runTest(new crypto_Sha1Generator_TestClass());
+	runTest(new crypto_Sha256Generator_TestClass());
+	runTest(new crypto_Sha512Generator_TestClass());
+	runTest(new crypto_HmacMd5Generator_TestClass());
+	runTest(new crypto_HmacSha1Generator_TestClass());
+	runTest(new crypto_HmacSha256Generator_TestClass());
+	runTest(new crypto_HmacSha512Generator_TestClass());
+	if (includeSlowTests)
+	{
+		runTest(new crypto_Pbkdf1Md5KeyDeriver_TestClass());
+		runTest(new crypto_Pbkdf1Sha1KeyDeriver_TestClass());
+		runTest(new crypto_Pbkdf2Sha1KeyDeriver_TestClass());
+		runTest(new crypto_Pbkdf2Sha256KeyDeriver_TestClass());
+		runTest(new crypto_Pbkdf2Sha512KeyDeriver_TestClass());
+	}
+	runTest(new crypto_PseudoRandomByteGenerator_TestClass());
+	runTest(new crypto_Aes128Encryptor_TestClass());
+	runTest(new crypto_Aes192Encryptor_TestClass());
+	runTest(new crypto_Aes256Encryptor_TestClass());
+	runTest(new crypto_Aes128EcbEncryptor_TestClass());
+	runTest(new crypto_Aes192EcbEncryptor_TestClass());
+	runTest(new crypto_Aes256EcbEncryptor_TestClass());
+	runTest(new crypto_Aes128CbcEncryptor_TestClass());
+	runTest(new crypto_Aes192CbcEncryptor_TestClass());
+	runTest(new crypto_Aes256CbcEncryptor_TestClass());
+	runTest(new crypto_Aes128CbcEncryptedStream_TestClass());
+	runTest(new crypto_Aes128CtrEncryptor_TestClass());
+	runTest(new crypto_Aes192CtrEncryptor_TestClass());
+	runTest(new crypto_Aes256CtrEncryptor_TestClass());
+	runTest(new crypto_Aes128CtrEncryptedStream_TestClass());
+	runTest(new crypto_Aes128XtsEncryptor_TestClass());
+	runTest(new crypto_Aes256XtsEncryptor_TestClass());
+	runTest(new crypto_Rsa1024OaepSha256Encryptor_TestClass());
+	runTest(new crypto_Rsa2048OaepSha256Encryptor_TestClass());
+	runTest(new crypto_Rsa4096OaepSha256Encryptor_TestClass());
+	runTest(new crypto_Rsa2048OaepSha512Encryptor_TestClass());
+	runTest(new crypto_Rsa4096OaepSha512Encryptor_TestClass());
+	runTest(new crypto_Rsa1024Pkcs1Md5Signer_TestClass());
+	runTest(new crypto_Rsa2048Pkcs1Md5Signer_TestClass());
+	runTest(new crypto_Rsa4096Pkcs1Md5Signer_TestClass());
+	runTest(new crypto_Rsa1024Pkcs1Sha1Signer_TestClass());
+	runTest(new crypto_Rsa2048Pkcs1Sha1Signer_TestClass());
+	runTest(new crypto_Rsa4096Pkcs1Sha1Signer_TestClass());
+	runTest(new crypto_Rsa1024Pkcs1Sha256Signer_TestClass());
+	runTest(new crypto_Rsa2048Pkcs1Sha256Signer_TestClass());
+	runTest(new crypto_Rsa4096Pkcs1Sha256Signer_TestClass());
+	runTest(new crypto_Rsa1024Pkcs1Sha512Signer_TestClass());
+	runTest(new crypto_Rsa2048Pkcs1Sha512Signer_TestClass());
+	runTest(new crypto_Rsa4096Pkcs1Sha512Signer_TestClass());
+	runTest(new crypto_Rsa1024PssSha256Signer_TestClass());
+	runTest(new crypto_Rsa1024PssSha512Signer_TestClass());
+	runTest(new crypto_Rsa2048PssSha256Signer_TestClass());
+	runTest(new crypto_Rsa2048PssSha512Signer_TestClass());
+	runTest(new crypto_Rsa4096PssSha256Signer_TestClass());
+	runTest(new crypto_Rsa4096PssSha512Signer_TestClass());
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.cpp b/ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.cpp
new file mode 100644
index 00000000..b588e0c7
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.cpp
@@ -0,0 +1,69 @@
+#include <tc/Exception.h>
+#include <iostream>
+#include <iomanip>
+
+#include "string_TranscodeUtil_TestClass.h"
+
+static const size_t kUtf8RawLen = 46;
+static byte_t kUtf8Raw[kUtf8RawLen] = {0x2E, 0x2F, 0xD0, 0x80, 0xD0, 0x81, 0xD0, 0x82, 0xD0, 0x83, 0xD0, 0x84, 0xD0, 0x85, 0x2D, 0xD7, 0x9E, 0xD7, 0x91, 0xD7, 0x97, 0xD7, 0x9F, 0x2D, 0xD1, 0x82, 0xD0, 0xB5, 0xD1, 0x81, 0xD1, 0x82, 0x2D, 0xE3, 0x83, 0x86, 0xE3, 0x82, 0xB9, 0xE3, 0x83, 0x88, 0x2E, 0x62, 0x69, 0x6E};
+static const size_t kUtf16RawLen = 26;
+static uint16_t kUtf16Raw[kUtf16RawLen] = {0x2e, 0x2f, 0x400, 0x401, 0x402, 0x403, 0x404, 0x405, 0x2d, 0x5de, 0x5d1, 0x5d7, 0x5df, 0x2d, 0x442, 0x435, 0x441, 0x442, 0x2d, 0x30c6, 0x30b9, 0x30c8, 0x2e, 0x62, 0x69, 0x6e};
+
+static std::string kUtf8Str = std::string((const char*)kUtf8Raw, kUtf8RawLen);
+static std::u16string kUtf16Str = std::u16string((const char16_t*)kUtf16Raw, kUtf16RawLen);
+
+void string_TranscodeUtil_TestClass::runAllTests(void)
+{
+	std::cout << "[tc::string::TranscodeUtil] START" << std::endl;
+	testUtf8ToUtf16();
+	testUtf16ToUtf8();
+	std::cout << "[tc::string::TranscodeUtil] END" << std::endl;
+}
+
+void string_TranscodeUtil_TestClass::testUtf8ToUtf16()
+{
+	std::cout << "[tc::string::TranscodeUtil] testUtf8ToUtf16 : ";
+	try
+	{
+		std::u16string utf16_str;
+
+		tc::string::TranscodeUtil::UTF8ToUTF16(kUtf8Str, utf16_str);
+
+		for (size_t i = 0; i < kUtf16RawLen; i++)
+		{
+			if (kUtf16Raw[i] != utf16_str.c_str()[i])
+			{
+				throw tc::Exception("unexpected UTF-16 char");
+			}
+		}
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
+
+void string_TranscodeUtil_TestClass::testUtf16ToUtf8()
+{
+	std::cout << "[tc::string::TranscodeUtil] testUtf16ToUtf8 : ";
+	try
+	{
+		std::string utf8_str;
+
+		tc::string::TranscodeUtil::UTF16ToUTF8(kUtf16Str, utf8_str);
+
+		for (size_t i = 0; i < kUtf8RawLen; i++)
+		{
+			if ((kUtf8Raw[i] & 0xff) != (utf8_str.c_str()[i] & 0xff))
+			{
+				throw tc::Exception("unexpected UTF-8 char");
+			}
+		}
+		std::cout << "PASS" << std::endl;
+	}
+	catch (const tc::Exception& e)
+	{
+		std::cout << "FAIL (" << e.error() << ")" << std::endl;
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.h b/ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.h
new file mode 100644
index 00000000..bd53794e
--- /dev/null
+++ b/ctrtool/deps/libtoolchain/test/string_TranscodeUtil_TestClass.h
@@ -0,0 +1,13 @@
+#pragma once
+#include "ITestClass.h"
+
+#include <tc/string.h>
+
+class string_TranscodeUtil_TestClass : public ITestClass
+{
+public:
+	void runAllTests();
+private:
+	void testUtf8ToUtf16();
+	void testUtf16ToUtf8();
+};
\ No newline at end of file
diff --git a/ctrtool/makefile b/ctrtool/makefile
new file mode 100644
index 00000000..2195df1f
--- /dev/null
+++ b/ctrtool/makefile
@@ -0,0 +1,177 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 4
+
+# Project Name
+PROJECT_NAME = ctrtool
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+#PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Shared Library Definitions
+PROJECT_SO_VER_MAJOR = 0
+PROJECT_SO_VER_MINOR = 1
+PROJECT_SO_VER_PATCH = 0
+PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
+PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
+
+# Project Dependencies
+PROJECT_DEPEND = mbedtls toolchain nintendo-n3ds broadon-es fmt
+PROJECT_DEPEND_LOCAL_DIR = libmbedtls libtoolchain libnintendo-n3ds libbroadon-es libfmt
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	INC +=
+	LIB +=
+	ARFLAGS = rc	
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building static library
+#	- 'shared_lib' for building shared library
+#	- 'program' for building the program
+#	- 'test_program' for building the test program
+# These can typically be used together however *_lib and program should not be used together
+all: program
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+shared_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)
+	@gcc -shared -Wl,-soname,$(PROJECT_SONAME) -o "$(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
new file mode 100644
index 00000000..e4424ca0
--- /dev/null
+++ b/ctrtool/src/CciProcess.cpp
@@ -0,0 +1,567 @@
+#include "CciProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+
+#include <ntd/n3ds/CciFsSnapshotGenerator.h>
+#include <ntd/n3ds/CtrKeyGenerator.h>
+
+#include <mbedtls/ccm.h>
+
+ctrtool::CciProcess::CciProcess() :
+	mModuleLabel("ctrtool::CciProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowHeaderInfo(false),
+	mShowFs(false),
+	mVerbose(false),
+	mVerify(false),
+	mExtractPath(),
+	mContentIndex(0),
+	mBlockSize(0),
+	mUsedImageSize(0),
+	mValidSignature(ValidState::Unchecked),
+	mValidInitialDataMac(ValidState::Unchecked),
+	mDecryptedTitleKey(),
+	mNcchProcess(),
+	mFsReader()
+{
+	memset(&mHeader, 0, sizeof(mHeader));
+}
+
+void ctrtool::CciProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::CciProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+	mNcchProcess.setKeyBag(key_bag);
+}
+
+void ctrtool::CciProcess::setCliOutputMode(bool show_header_info, bool show_fs)
+{
+	mShowHeaderInfo = show_header_info;
+	mShowFs = show_fs;
+}
+
+void ctrtool::CciProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+	mNcchProcess.setVerboseMode(verbose);
+}
+
+void ctrtool::CciProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+	mNcchProcess.setVerifyMode(verify);
+}
+
+void ctrtool::CciProcess::setExtractPath(const tc::io::Path& extract_path)
+{
+	mExtractPath = extract_path;
+}
+
+void ctrtool::CciProcess::setContentIndex(size_t index)
+{
+	mContentIndex = index;
+}
+
+void ctrtool::CciProcess::setRawMode(bool raw)
+{
+	mNcchProcess.setRawMode(raw);
+}
+
+void ctrtool::CciProcess::setPlainMode(bool plain)
+{
+	mNcchProcess.setPlainMode(plain);
+}
+
+void ctrtool::CciProcess::setShowSyscallName(bool show_name)
+{
+	mNcchProcess.setShowSyscallName(show_name);
+}
+
+void ctrtool::CciProcess::setNcchRegionProcessOutputMode(NcchProcess::NcchRegion region, bool show_info, bool show_fs, const tc::Optional<tc::io::Path>& bin_extract_path, const tc::Optional<tc::io::Path>& fs_extract_path)
+{
+	mNcchProcess.setRegionProcessOutputMode(region, show_info, show_fs, bin_extract_path, fs_extract_path);
+}
+
+void ctrtool::CciProcess::process()
+{
+	importHeader();
+	if (mVerify)
+		verifyHeader();
+	if (mShowHeaderInfo)
+		printHeader();
+	if (mShowFs)
+		printFs();
+	if (mExtractPath.isSet())
+		extractFs();
+	processContent();
+}
+
+void ctrtool::CciProcess::importHeader()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	// import header
+	if (mInputStream->length() < sizeof(ntd::n3ds::CciHeader))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small. (Too small to read header).");
+	}
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::CciHeader));
+
+	// check the struct magic
+	if (mHeader.ncsd_header.struct_magic.unwrap() != mHeader.ncsd_header.kStructMagic)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "NcsdCommonHeader is corrupted (Bad struct magic).");
+	}
+
+	// check supported media types
+	if (mHeader.ncsd_header.flags.media_type != mHeader.ncsd_header.MediaType_Card1 && mHeader.ncsd_header.flags.media_type != mHeader.ncsd_header.MediaType_Card2)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "NcsdCommonHeader has an unsupported MediaType.");
+	}
+
+	// determine block size
+	int64_t block_shift = (mHeader.ncsd_header.flags.block_size_log + 9);
+	mBlockSize = static_cast<int64_t>(1) << block_shift;
+
+
+	// determine used image size
+	int64_t pos = 0;
+	for (size_t i = 0; i < mHeader.ncsd_header.partition_offsetsize.size(); i++)
+	{
+		int64_t offset = mHeader.ncsd_header.partition_offsetsize[i].blk_offset.unwrap() * mBlockSize;
+		int64_t size = mHeader.ncsd_header.partition_offsetsize[i].blk_size.unwrap() * mBlockSize;
+
+		if (size != 0)
+		{
+				if (offset < pos)
+			{
+				throw tc::InvalidOperationException(mModuleLabel, "NcsdCommonHeader has an poorly aligned content offsets.");
+			}
+
+			pos = offset + size;
+		}
+
+	}
+	mUsedImageSize = pos;
+
+	if (mUsedImageSize > (mHeader.ncsd_header.image_blk_size.unwrap() * mBlockSize))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "NcsdCommonHeader content geometry exceeded media size.");
+	}
+
+	// check input stream is large enough
+	if (mInputStream->length() < mUsedImageSize)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small. (Too small for total used image size).");
+	}
+
+	// decrypt title key
+	ctrtool::KeyBag::Aes128Key initial_data_key;
+	bool initial_data_key_available = false;
+
+	// crypto_type 0 is the normal "secure" initial data key 
+	if (mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure)
+	{
+		if (mKeyBag.brom_static_key_x.find(mKeyBag.KEYSLOT_INITIAL_DATA) != mKeyBag.brom_static_key_x.end())
+		{	
+			ntd::n3ds::CtrKeyGenerator::GenerateKey(mKeyBag.brom_static_key_x[mKeyBag.KEYSLOT_INITIAL_DATA].data(), mHeader.initial_data.key_source.data(), initial_data_key.data());
+			initial_data_key_available = true;
+		}
+		else
+		{
+			initial_data_key_available = false;
+		}
+	}
+	// crypto_type 3 zeros initial_data key (used in developer roms mostly)
+	else if (mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_FixedKey)
+	{
+		memset(initial_data_key.data(), 0, initial_data_key.size());
+		initial_data_key_available = true;
+	}
+	else
+	{
+		fmt::print("[WARNING] Unsupported CardInfo::CryptoType ({})\n", (uint32_t)mHeader.card_info.flag.crypto_type);
+	}
+
+	if (initial_data_key_available)
+	{
+		// initialise ccm context
+		mbedtls_ccm_context ccm_ctx;
+		mbedtls_ccm_init(&ccm_ctx);
+		mbedtls_ccm_setkey(&ccm_ctx, MBEDTLS_CIPHER_ID_AES, initial_data_key.data(), 128);
+
+		// decrypt titlekey
+		ctrtool::KeyBag::Aes128Key decrypted_title_key;
+		int dec_result = mbedtls_ccm_auth_decrypt(&ccm_ctx, decrypted_title_key.size(), mHeader.initial_data.nonce.data(), mHeader.initial_data.nonce.size(), nullptr, 0, mHeader.initial_data.encrypted_title_key.data(), decrypted_title_key.data(), mHeader.initial_data.mac.data(), mHeader.initial_data.mac.size());
+		// dec_result will be non-zero if MAC was invalid
+		if (dec_result == 0)
+		{
+			mDecryptedTitleKey = decrypted_title_key;
+		}
+
+		/*
+		// test encrypt
+		ctrtool::KeyBag::Aes128Key enc_title_key, mac;
+		mbedtls_ccm_encrypt_and_tag(&ccm_ctx, enc_title_key.size(), mHeader.initial_data.nonce.data(), mHeader.initial_data.nonce.size(), nullptr, 0, decrypted_title_key.data(), enc_title_key.data(), mac.data(), mac.size());
+
+		std::cout << "enc key: " << tc::cli::FormatUtil::formatBytesAsString(enc_title_key.data(), enc_title_key.size(), true, "") << std::endl;
+		std::cout << "mac:     " << tc::cli::FormatUtil::formatBytesAsString(mac.data(), mac.size(), true, "") << std::endl;
+		*/
+
+		mbedtls_ccm_free(&ccm_ctx);
+	}
+
+	// open fs reader
+	mFsReader = std::shared_ptr<tc::io::VirtualFileSystem>(new tc::io::VirtualFileSystem(ntd::n3ds::CciFsShapshotGenerator(mInputStream)));
+}
+
+void ctrtool::CciProcess::verifyHeader()
+{
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> ncsd_header_hash;
+	
+	tc::crypto::GenerateSha256Hash(ncsd_header_hash.data(), (byte_t*)(&mHeader.ncsd_header), sizeof(mHeader.ncsd_header));
+
+	if (mKeyBag.rsa_key.find(mKeyBag.RSAKEY_CFA_CCI) != mKeyBag.rsa_key.end())
+	{
+		tc::crypto::RsaKey pubkey = mKeyBag.rsa_key[mKeyBag.RSAKEY_CFA_CCI];
+
+		mValidSignature = tc::crypto::VerifyRsa2048Pkcs1Sha256(mHeader.signature.data(), ncsd_header_hash.data(), pubkey) ? ValidState::Good : ValidState::Fail;
+	}
+	else
+	{
+		fmt::print(stderr, "Could not read static CFA_CCI public key.\n");
+		mValidSignature = ValidState::Fail;
+	}
+
+	mValidInitialDataMac = mDecryptedTitleKey.isSet() ? ValidState::Good : ValidState::Fail;
+}
+
+void ctrtool::CciProcess::printHeader()
+{
+	fmt::print("\n");
+	fmt::print("[CCI]\n");
+
+	// NCSD common header
+	fmt::print("NcsdCommonHeader:\n");
+	fmt::print(" Header:                 {}\n", "NCSD");
+	fmt::print(" Signature: {:6}       {}", getValidString(mValidSignature), tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mHeader.signature.data(), mHeader.signature.size(), true, "", 0x20, 25, false));
+	fmt::print(" RomSize:                {} (Used: 0x{:X})\n", getRomSizeString(mHeader.ncsd_header.image_blk_size.unwrap()), mUsedImageSize);
+	fmt::print(" TitleId:                {:016x}\n", mHeader.ncsd_header.title_id.unwrap());
+	fmt::print("\n");
+	for (size_t i = 0; i < ntd::n3ds::NcsdCommonHeader::kPartitionNum; i++)
+	{
+		int64_t offset = mHeader.ncsd_header.partition_offsetsize[i].blk_offset.unwrap() * mBlockSize;
+		int64_t size = mHeader.ncsd_header.partition_offsetsize[i].blk_size.unwrap() * mBlockSize;
+		byte_t fs_type = mHeader.ncsd_header.partition_fs_type[i];
+		byte_t crypto_type = mHeader.ncsd_header.partition_crypto_type[i];
+		uint64_t id = mHeader.ncsd_header.card_ext.partition_id[i].unwrap();
+
+		if (size != 0)
+		{
+			fmt::print(" Partition {}\n", i);
+			fmt::print("  Id:                    {:016x}\n", id);
+			fmt::print("  Area:                  0x{:08X}-0x{:08X}\n", offset, (offset + size));
+			fmt::print("  FsType:                {:02X}\n", fs_type);
+			fmt::print("  CryptoType:            {:02X}\n", crypto_type);
+			fmt::print("\n");
+		}
+	}
+	fmt::print(" Flags:                  {}\n", tc::cli::FormatUtil::formatBytesAsString(mHeader.ncsd_header.flags.data(), mHeader.ncsd_header.flags.size(), true, ""));
+	fmt::print("  BackupWriteWaitTime:   {:02x}\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_BackupWriteWaitTime]);
+	fmt::print("  BackupSecurityVersion: {:02x}\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_BackupSecurityVersion]);
+	fmt::print("  CardInfo:              {:02x}\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_CardInfo]);
+	byte_t card_device = (mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_CardDevice] | mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_CardDevice_Deprecated]);
+	fmt::print("  CardDevice:            {:02x} ({})\n", (uint32_t)card_device, getCardDeviceString(card_device));
+	fmt::print("  MediaPlatform:         {:02x}", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_MediaPlatform]);
+	for (size_t bit = 0; bit < mHeader.ncsd_header.flags.media_platform.bit_size(); bit++)
+	{
+		if (mHeader.ncsd_header.flags.media_platform.test(bit))
+		{
+			fmt::print(" [{}]", getPlatformString(bit));
+		}
+	}
+	fmt::print("\n");
+	fmt::print("  MediaType:             {:02x} ({})\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_MediaType], getMediaTypeString(mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_MediaType]));
+	fmt::print("  MediaBlockSize:        {:02x} (0x{:x})\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_MediaBlockSize], mBlockSize);
+
+	// card info
+	fmt::print("CardInfo:\n");
+	fmt::print(" WriteableRegion:        0x{:08X}\n", mHeader.card_info.writable_region.unwrap());
+	fmt::print(" CardType:               {} ({:X})\n", getCardTypeString(mHeader.card_info.flag.card_type), (uint32_t)mHeader.card_info.flag.card_type);
+	fmt::print(" CryptoType:             {} ({:X})\n", getCryptoTypeString(mHeader.card_info.flag.crypto_type), (uint32_t)mHeader.card_info.flag.crypto_type);
+	
+	// mastering metadata
+	fmt::print("MasteringMetadata:\n");
+	fmt::print(" MediaSizeUsed:          0x{:08X}\n", mHeader.mastering_info.media_size_used.unwrap());
+	fmt::print(" TitleVersion:           {} (v{:d})\n", getTitleVersionString(mHeader.mastering_info.title_version.unwrap()), mHeader.mastering_info.title_version.unwrap());
+	fmt::print(" CardRevision:           {:d}\n", (uint32_t)mHeader.mastering_info.card_revision.unwrap());
+	fmt::print(" CVer TitleId:           {:016x}\n", mHeader.mastering_info.cver_title_id.unwrap());
+	fmt::print(" CVer Version:           {} (v{:d})\n", getTitleVersionString(mHeader.mastering_info.cver_title_version.unwrap()), mHeader.mastering_info.cver_title_version.unwrap());
+	
+	// initial data
+	fmt::print("InitialData:\n");
+	fmt::print(" KeySource:              {}\n", tc::cli::FormatUtil::formatBytesAsString(mHeader.initial_data.key_source.data(), mHeader.initial_data.key_source.size(), true, ""));
+	fmt::print(" Enc TitleKey:           {}", tc::cli::FormatUtil::formatBytesAsString(mHeader.initial_data.encrypted_title_key.data(), mHeader.initial_data.encrypted_title_key.size(), true, ""));
+	if (mDecryptedTitleKey.isSet())
+	{
+		fmt::print(" (decrypted: {})", tc::cli::FormatUtil::formatBytesAsString(mDecryptedTitleKey.get().data(), mDecryptedTitleKey.get().size(), true, ""));
+	}
+	fmt::print("\n");
+	fmt::print(" MAC: {:6}""             {}\n", getValidString(mValidInitialDataMac), tc::cli::FormatUtil::formatBytesAsString(mHeader.initial_data.mac.data(), mHeader.initial_data.mac.size(), true, ""));
+
+	// card device info
+	fmt::print("CardDeviceInfo:\n");
+	fmt::print(" TitleKey:               {}\n", tc::cli::FormatUtil::formatBytesAsString(mHeader.card_device_info.title_key.data(), mHeader.card_device_info.title_key.size(), true, ""));
+}
+
+void ctrtool::CciProcess::printFs()
+{
+	tc::io::sDirectoryListing dir;
+	mFsReader->getDirectoryListing(tc::io::Path("/"), dir);
+
+	fmt::print("[CCI Filesystem]\n");
+	fmt::print("  CCI:/\n");
+	for (auto itr = dir.file_list.begin(); itr != dir.file_list.end(); itr++)
+	{
+		fmt::print("    {}\n", *itr); 
+	}
+}
+
+void ctrtool::CciProcess::extractFs()
+{
+	tc::io::LocalFileSystem local_fs;
+
+	tc::io::sDirectoryListing dir;
+
+	mFsReader->getDirectoryListing(tc::io::Path("/"), dir);
+
+	local_fs.createDirectory(mExtractPath.get());
+
+	// iterate thru child files
+	tc::ByteData cache = tc::ByteData(0x10000);
+	size_t cache_read_len;
+	tc::io::Path out_path;
+	std::shared_ptr<tc::io::IStream> in_stream;
+	std::shared_ptr<tc::io::IStream> out_stream;
+	for (auto itr = dir.file_list.begin(); itr != dir.file_list.end(); itr++)
+	{
+		// build out path
+		out_path = mExtractPath.get() + *itr;
+
+		fmt::print("Saving {}...\n", out_path.to_string());
+
+		// begin export
+		mFsReader->openFile(*itr, tc::io::FileMode::Open, tc::io::FileAccess::Read, in_stream);
+		local_fs.openFile(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
+
+		in_stream->seek(0, tc::io::SeekOrigin::Begin);
+		out_stream->seek(0, tc::io::SeekOrigin::Begin);
+		for (int64_t remaining_data = in_stream->length(); remaining_data > 0;)
+		{
+			cache_read_len = in_stream->read(cache.data(), cache.size());
+			if (cache_read_len == 0)
+			{
+				throw tc::io::IOException(mModuleLabel, "Failed to read from RomFs file.");
+			}
+
+			out_stream->write(cache.data(), cache_read_len);
+
+			remaining_data -= int64_t(cache_read_len);
+		}
+	}
+}
+
+void ctrtool::CciProcess::processContent()
+{
+	if (mContentIndex >= ntd::n3ds::NcsdCommonHeader::kPartitionNum)
+	{
+		fmt::print(stderr, "Content index {:d} isn't valid for CCI, use index 0-7, defaulting to 0 now.\n", mContentIndex);
+		mContentIndex = 0;
+	}
+	if (mHeader.ncsd_header.partition_offsetsize[mContentIndex].blk_size.unwrap() != 0)
+	{
+		mNcchProcess.setInputStream(std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mHeader.ncsd_header.partition_offsetsize[mContentIndex].blk_offset.unwrap() * mBlockSize, mHeader.ncsd_header.partition_offsetsize[mContentIndex].blk_size.unwrap() * mBlockSize)));
+		mNcchProcess.process();
+	}	
+}
+
+std::string ctrtool::CciProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CciProcess::getRomSizeString(uint32_t rom_blk_size)
+{
+	std::string ret_str;
+
+	switch (rom_blk_size)
+	{
+		case ntd::n3ds::CciHeader::RomSize_128MB :
+			ret_str = "128MB";
+			break;
+		case ntd::n3ds::CciHeader::RomSize_256MB :
+			ret_str = "256MB";
+			break;
+		case ntd::n3ds::CciHeader::RomSize_512MB :
+			ret_str = "512MB";
+			break;
+		case ntd::n3ds::CciHeader::RomSize_1GB :
+			ret_str = "1GB";
+			break;
+		case ntd::n3ds::CciHeader::RomSize_2GB :
+			ret_str = "2GB";
+			break;
+		case ntd::n3ds::CciHeader::RomSize_4GB :
+			ret_str = "4GB";
+			break;
+		default:
+			ret_str = fmt::format("0x{:08X} blocks", rom_blk_size);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CciProcess::getMediaTypeString(byte_t media_type)
+{
+	std::string ret_str;
+
+	switch (media_type)
+	{
+		case ntd::n3ds::NcsdCommonHeader::MediaType_InnerDevice :
+			ret_str = "Inner Device";
+			break;
+		case ntd::n3ds::NcsdCommonHeader::MediaType_Card1 :
+			ret_str = "CARD1";
+			break;
+		case ntd::n3ds::NcsdCommonHeader::MediaType_Card2 :
+			ret_str = "CARD2";
+			break;
+		case ntd::n3ds::NcsdCommonHeader::MediaType_ExtendedDevice :
+			ret_str = "Extended Device";
+			break;
+		default:
+			ret_str = fmt::format("Unknown (0x{:02x})", media_type);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CciProcess::getCardDeviceString(byte_t card_device)
+{
+	std::string ret_str;
+
+	switch (card_device)
+	{
+		case ntd::n3ds::CciHeader::CardDevice_Unspecified :
+			ret_str = "Not Specified";
+			break;
+		case ntd::n3ds::CciHeader::CardDevice_NorFlash :
+			ret_str = "NorFlash";
+			break;
+		case ntd::n3ds::CciHeader::CardDevice_None :
+			ret_str = "None";
+			break;
+		case ntd::n3ds::CciHeader::CardDevice_BT :
+			ret_str = "BT";
+			break;
+		default:
+			ret_str = fmt::format("Unknown (0x{:02x})", card_device);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CciProcess::getPlatformString(size_t bit)
+{
+	std::string ret_str;
+
+	switch(bit)
+	{
+		case ntd::n3ds::NcsdCommonHeader::MediaPlatform_CTR :
+			ret_str = "CTR";
+			break;
+		case ntd::n3ds::NcsdCommonHeader::MediaPlatform_SNAKE :
+			ret_str = "SNAKE";
+			break;
+		default:
+			ret_str = fmt::format("Unknown (bit {:d})", bit);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CciProcess::getCardTypeString(byte_t card_type)
+{
+	std::string ret_str;
+
+	switch(card_type)
+	{
+		case ntd::n3ds::CciHeader::CardType_S1 :
+			ret_str = "S1";
+			break;
+		case ntd::n3ds::CciHeader::CardType_S2 :
+			ret_str = "S2";
+			break;
+		default:
+			ret_str = "Unknown";
+			break;
+	}
+	
+	return ret_str;
+}
+
+std::string ctrtool::CciProcess::getCryptoTypeString(byte_t crypto_type)
+{
+	std::string ret_str;
+
+	switch(crypto_type)
+	{
+		case ntd::n3ds::CciHeader::CryptoType_Secure :
+			ret_str = "Secure";
+			break;
+		case ntd::n3ds::CciHeader::CryptoType_FixedKey :
+			ret_str = "FixedKey";
+			break;
+		default:
+			ret_str = "Unknown";
+			break;
+	}
+	
+	return ret_str;
+}
+
+std::string ctrtool::CciProcess::getTitleVersionString(uint16_t version)
+{
+	return fmt::format("{major:d}.{minor:d}.{build:d}", fmt::arg("major", (uint32_t)((version >> 10) & 0x3F)), fmt::arg("minor", (uint32_t)((version >> 4) & 0x3F)), fmt::arg("build", (uint32_t)(version & 0xF)));
+}
\ No newline at end of file
diff --git a/ctrtool/src/CciProcess.h b/ctrtool/src/CciProcess.h
new file mode 100644
index 00000000..5167e166
--- /dev/null
+++ b/ctrtool/src/CciProcess.h
@@ -0,0 +1,70 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include "NcchProcess.h"
+#include <tc/Optional.h>
+#include <tc/io/IFileSystem.h>
+#include <ntd/n3ds/cci.h>
+
+namespace ctrtool {
+
+class CciProcess
+{
+public:
+	CciProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_header_info, bool show_fs);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setExtractPath(const tc::io::Path& extract_path);
+	void setContentIndex(size_t index);
+	
+	// ncch settings passed on
+	void setRawMode(bool raw);
+	void setPlainMode(bool plain);
+	void setShowSyscallName(bool show_name);
+	void setNcchRegionProcessOutputMode(NcchProcess::NcchRegion region, bool show_info, bool show_fs, const tc::Optional<tc::io::Path>& bin_extract_path, const tc::Optional<tc::io::Path>& fs_extract_path);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowHeaderInfo;
+	bool mShowFs;
+	bool mVerbose;
+	bool mVerify;
+	tc::Optional<tc::io::Path> mExtractPath;
+	size_t mContentIndex;
+
+	int64_t mBlockSize;
+	int64_t mUsedImageSize;
+	byte_t mValidSignature;
+	byte_t mValidInitialDataMac;
+	ntd::n3ds::CciHeader mHeader;
+	tc::Optional<KeyBag::Aes128Key> mDecryptedTitleKey;
+	ctrtool::NcchProcess mNcchProcess;
+	std::shared_ptr<tc::io::IFileSystem> mFsReader;
+
+	void importHeader();
+	void verifyHeader();
+	void printHeader();
+	void printFs();
+	void extractFs();
+	void processContent();
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+	std::string getRomSizeString(uint32_t rom_blk_size);
+	std::string getMediaTypeString(byte_t media_type);
+	std::string getCardDeviceString(byte_t card_device);
+	std::string getPlatformString(size_t bit);
+	std::string getCardTypeString(byte_t card_type);
+	std::string getCryptoTypeString(byte_t crypto_type);
+	std::string getTitleVersionString(uint16_t version);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
new file mode 100644
index 00000000..ecf06d54
--- /dev/null
+++ b/ctrtool/src/CiaProcess.cpp
@@ -0,0 +1,913 @@
+#include "CiaProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+#include <tc/NotSupportedException.h>
+
+#include <ntd/n3ds/CiaFsSnapshotGenerator.h>
+#include <ntd/n3ds/CtrKeyGenerator.h>
+
+ctrtool::CiaProcess::CiaProcess() :
+	mModuleLabel("ctrtool::CiaProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowHeaderInfo(false),
+	mShowFs(false),
+	mVerbose(false),
+	mVerify(false),
+	mCertExtractPath(),
+	mTikExtractPath(),
+	mTmdExtractPath(),
+	mContentExtractPath(),
+	mFooterExtractPath(),
+	mContentIndex(0),
+	mIssuerSigner(),
+	mCertChain(),
+	mCertSigValid(),
+	mTicket(),
+	mTicketSigValid(ValidState::Unchecked),
+	mTitleMetaData(),
+	mTitleMetaDataSigValid(ValidState::Unchecked),
+	mDecryptedTitleKey(),
+	mIsTwlTitle(false),
+	mNcchProcess(),
+	mFsReader()
+{
+	memset(&mHeader, 0, sizeof(mHeader));
+}
+
+void ctrtool::CiaProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::CiaProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+	mNcchProcess.setKeyBag(key_bag);
+}
+
+void ctrtool::CiaProcess::setCliOutputMode(bool show_header_info, bool show_fs)
+{
+	mShowHeaderInfo = show_header_info;
+	mShowFs = show_fs;
+}
+
+void ctrtool::CiaProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+	mNcchProcess.setVerboseMode(verbose);
+}
+
+void ctrtool::CiaProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+	mNcchProcess.setVerifyMode(verify);
+}
+
+void ctrtool::CiaProcess::setCertExtractPath(const tc::io::Path& extract_path)
+{
+	mCertExtractPath = extract_path;
+}
+
+void ctrtool::CiaProcess::setTikExtractPath(const tc::io::Path& extract_path)
+{
+	mTikExtractPath = extract_path;
+}
+
+void ctrtool::CiaProcess::setTmdExtractPath(const tc::io::Path& extract_path)
+{
+	mTmdExtractPath = extract_path;
+}
+
+void ctrtool::CiaProcess::setContentExtractPath(const tc::io::Path& extract_path)
+{
+	mContentExtractPath = extract_path;
+}
+
+void ctrtool::CiaProcess::setFooterExtractPath(const tc::io::Path& extract_path)
+{
+	mFooterExtractPath = extract_path;
+}
+
+
+void ctrtool::CiaProcess::setContentIndex(size_t index)
+{
+	mContentIndex = index;
+}
+
+void ctrtool::CiaProcess::setRawMode(bool raw)
+{
+	mNcchProcess.setRawMode(raw);
+}
+
+void ctrtool::CiaProcess::setPlainMode(bool plain)
+{
+	mNcchProcess.setPlainMode(plain);
+}
+
+void ctrtool::CiaProcess::setShowSyscallName(bool show_name)
+{
+	mNcchProcess.setShowSyscallName(show_name);
+}
+
+void ctrtool::CiaProcess::setNcchRegionProcessOutputMode(NcchProcess::NcchRegion region, bool show_info, bool show_fs, const tc::Optional<tc::io::Path>& bin_extract_path, const tc::Optional<tc::io::Path>& fs_extract_path)
+{
+	mNcchProcess.setRegionProcessOutputMode(region, show_info, show_fs, bin_extract_path, fs_extract_path);
+}
+
+void ctrtool::CiaProcess::process()
+{
+	importIssuerProfiles();
+	importHeader();
+
+	if (mVerify)
+	{
+		verifyMetadata();
+		verifyContent();
+	}
+		
+	if (mShowHeaderInfo)
+	{
+		printHeader();
+	}
+		
+		
+	extractCia();
+	processContent();
+}
+
+void ctrtool::CiaProcess::importIssuerProfiles()
+{
+	// import issuer profiles from keybag
+	for (auto itr = mKeyBag.broadon_rsa_signer.begin(); itr != mKeyBag.broadon_rsa_signer.end(); itr++)
+	{
+		brd::es::ESSigType sigType = itr->first == "Root" ? brd::es::ESSigType::RSA4096_SHA256 : brd::es::ESSigType::RSA2048_SHA256;
+		mIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(itr->first, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sigType, itr->first, itr->second.key))));
+	}
+}
+
+void ctrtool::CiaProcess::importHeader()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	// import header
+	if (mInputStream->length() < sizeof(ntd::n3ds::CiaHeader))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small. (Too small to read header).");
+	}
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::CiaHeader));
+
+	// check the header size
+	if (mHeader.header_size.unwrap() != sizeof(ntd::n3ds::CiaHeader))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "CiaHeader is corrupted (Bad header size).");
+	}
+
+	// check cia type
+	if (mHeader.type.unwrap() != mHeader.Type_Normal)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, fmt::format("CiaHeader has an unsupported Type (0x{:04x}).", mHeader.type.unwrap()));
+	}
+
+	// check format versions
+	if (mHeader.format_version.unwrap() != mHeader.FormatVersion_Default && mHeader.format_version.unwrap() != mHeader.FormatVersion_SimpleCia)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, fmt::format("CiaHeader has an unsupported FormatVersion (0x{:04x}).", mHeader.format_version.unwrap()));
+	}
+
+	// determine expected CIA size
+	int64_t pos = 0;
+
+	// add header size
+	pos += mHeader.header_size.unwrap();
+
+	// add cert size
+	if (mHeader.certificate_size.unwrap())
+	{
+		pos = align<int64_t>(pos, ntd::n3ds::CiaHeader::kCiaSectionAlignment);
+		
+		mCertSizeInfo.offset = pos;
+		mCertSizeInfo.size = mHeader.certificate_size.unwrap();
+
+		pos += mCertSizeInfo.size;
+	}
+
+	// add ticket size
+	if (mHeader.ticket_size.unwrap())
+	{
+		pos = align<int64_t>(pos, ntd::n3ds::CiaHeader::kCiaSectionAlignment);
+
+		mTikSizeInfo.offset = pos;
+		mTikSizeInfo.size = mHeader.ticket_size.unwrap();
+
+		pos += mTikSizeInfo.size;
+	}
+
+	// add tmd size
+	if (mHeader.tmd_size.unwrap())
+	{
+		pos = align<int64_t>(pos, ntd::n3ds::CiaHeader::kCiaSectionAlignment);
+
+		mTmdSizeInfo.offset = pos;
+		mTmdSizeInfo.size = mHeader.tmd_size.unwrap();
+
+		pos += mTmdSizeInfo.size;
+	}
+
+	// add content size
+	if (mHeader.content_size.unwrap())
+	{
+		pos = align<int64_t>(pos, ntd::n3ds::CiaHeader::kCiaSectionAlignment);
+
+		mContentSizeInfo.offset = pos;
+		mContentSizeInfo.size = mHeader.content_size.unwrap();
+
+		pos += mContentSizeInfo.size;
+	}
+
+	// add footer size
+	if (mHeader.footer_size.unwrap())
+	{
+		pos = align<int64_t>(pos, ntd::n3ds::CiaHeader::kCiaSectionAlignment);
+
+		mFooterSizeInfo.offset = pos;
+		mFooterSizeInfo.size = mHeader.footer_size.unwrap();
+
+		pos += mFooterSizeInfo.size;
+	}
+
+	if (mInputStream->length() < pos)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small, given calculated CIA size.");
+	}
+
+	// process CIA
+	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default)
+	{
+		std::shared_ptr<tc::io::IStream> cert_stream;
+		if (mCertSizeInfo.size > 0)
+		{
+			cert_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mCertSizeInfo.offset, mCertSizeInfo.size));
+
+			if (mCertSizeInfo.size < 0x1000000)
+			{
+				tc::ByteData cert_data = tc::ByteData(mCertSizeInfo.size);
+
+				cert_stream->seek(0, tc::io::SeekOrigin::Begin);
+				cert_stream->read(cert_data.data(), cert_data.size());
+
+				for (size_t certchain_pos = 0; certchain_pos < cert_data.size();)
+				{
+					size_t certbin_size = ntd::n3ds::es::getCertificateSize(cert_data.data() + certchain_pos);
+					if (certbin_size == 0)
+					{
+						throw tc::InvalidOperationException(mModuleLabel, "Certificate chain had invalid data.");
+					}
+
+					mCertChain.push_back(ntd::n3ds::es::CertificateDeserialiser(std::make_shared<tc::io::SubStream>(tc::io::SubStream(cert_stream, certchain_pos, certbin_size))));
+					mCertSigValid.push_back(ValidState::Unchecked);
+
+					certchain_pos += certbin_size;
+				}				
+			}
+			else
+			{
+				fmt::print("[LOG] Certificate chain too large, cannot verify Ticket or TitleMetaData.\n");
+				mCertSizeInfo.size = 0;
+				mCertSizeInfo.offset = 0;
+			}
+
+		}
+		// TODO load certificates from KeyBag
+		else
+		{
+			fmt::print("[LOG] CIA has no Certificate, cannot verify Ticket or TitleMetaData.\n");
+		}
+
+		if (mTikSizeInfo.size > 0)
+		{
+			mTicket = ntd::n3ds::es::TicketDeserialiser(std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTikSizeInfo.offset, mTikSizeInfo.size)));
+
+			// determine title key
+			if (mKeyBag.fallback_title_key.isSet())
+			{
+				fmt::print("[LOG] Using fallback titlekey.\n");
+				mDecryptedTitleKey = mKeyBag.fallback_title_key.get();
+			}
+			else if (mKeyBag.common_key.find(mTicket.key_id) != mKeyBag.common_key.end())
+			{
+				fmt::print("[LOG] Decrypting titlekey from ticket.\n");
+				
+				// get common key
+				auto common_key = mKeyBag.common_key[mTicket.key_id];
+				
+				// initialise iv
+				std::array<byte_t, 16> title_key_iv;
+				memset(title_key_iv.data(), 0, title_key_iv.size());
+				((tc::bn::be64<uint64_t>*)(&(title_key_iv[0])))->wrap(mTicket.title_id);
+
+				// decrypt title key
+				std::array<byte_t, 16> title_key;
+				tc::crypto::DecryptAes128Cbc(title_key.data(), mTicket.title_key.data(), title_key.size(), common_key.data(), common_key.size(), title_key_iv.data(), title_key_iv.size());
+			
+				mDecryptedTitleKey = title_key;
+			}
+			else
+			{
+				fmt::print("[LOG] Cannot determine titlekey.\n");
+			}
+		}
+		else
+		{
+			throw tc::InvalidOperationException(mModuleLabel, "CIA has no Ticket.");
+		}
+		
+		if (mTmdSizeInfo.size > 0)
+		{
+			mTitleMetaData = ntd::n3ds::es::TitleMetaDataDeserialiser(std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTmdSizeInfo.offset, mTmdSizeInfo.size)));
+
+			mIsTwlTitle = isTwlTitle(mTitleMetaData.title_id);
+		}
+		else
+		{
+			throw tc::InvalidOperationException(mModuleLabel, "CIA has no TitleMetaData.");
+		}
+		if (mContentSizeInfo.size > 0)
+		{
+			int64_t content_pos = 0;
+			for (auto itr = mTitleMetaData.content_info.begin(); itr != mTitleMetaData.content_info.end(); itr++)
+			{
+				// skip content not included
+				if (mHeader.content_bitarray.test(itr->index) == false) continue;
+				
+				ContentInfo cnt;
+				cnt.offset = mContentSizeInfo.offset + align<int64_t>(content_pos, (int64_t)ntd::n3ds::CiaHeader::kCiaContentAlignment);
+				cnt.size = itr->size;
+				cnt.cid = itr->id;
+				cnt.cindex = itr->index;
+				cnt.is_encrypted = itr->is_encrypted;
+				cnt.is_hashed = true;
+				cnt.hash = itr->hash;
+
+				content_pos += cnt.size;
+
+				mContentInfo[cnt.cindex] = std::move(cnt);
+			}
+		}
+		else
+		{
+			throw tc::InvalidOperationException(mModuleLabel, "CIA has no Content.");
+		}
+	}
+	else if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_SimpleCia)
+	{
+		if (mContentSizeInfo.size > 0)
+		{
+			ContentInfo cnt;
+			cnt.offset = mContentSizeInfo.offset;
+			cnt.size = mContentSizeInfo.size;
+			cnt.cid = 0;
+			cnt.cindex = 0;
+			cnt.is_encrypted = false;
+			cnt.is_hashed = false;
+			memset(cnt.hash.data(), 0, cnt.hash.size());
+
+			mContentInfo[cnt.cindex] = std::move(cnt);
+
+			mIsTwlTitle = false;
+		}
+		else
+		{
+			throw tc::InvalidOperationException(mModuleLabel, "CIA has no Content.");
+		}
+	}
+	else
+	{
+		throw tc::NotSupportedException(mModuleLabel, fmt::format("Unsupported CIA format version: 0x{:04x}.", mHeader.format_version.unwrap()));
+	}
+}
+
+void ctrtool::CiaProcess::verifyMetadata()
+{
+	// validate signatures
+	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mCertSizeInfo.size > 0)
+	{
+		// verify cert
+		for (size_t i = 0; i < mCertChain.size(); i++)
+		{
+			auto issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
+			if (issuer_itr != mIssuerSigner.end() && issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+			{
+				//fmt::print("CertHash[{:d}]: {}\n", i, getTruncatedBytesString(mCertChain[i].calculated_hash.data(), mCertChain[i].calculated_hash.size(), mVerbose));
+				mCertSigValid[i] = issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			}
+			else
+			{
+				// cannot locate rsa key to verify
+				fmt::print(stderr, "Could not read public key for \"{}\" (certificate).\n", mCertChain[i].signature.issuer);
+				mCertSigValid[i] = ValidState::Fail;
+			}
+		}
+	}
+	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTikSizeInfo.size > 0)
+	{
+		// verify ticket
+		auto issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
+		if (issuer_itr != mIssuerSigner.end() && issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		{
+			//fmt::print("TikHash: {}\n", getTruncatedBytesString(mTicket.calculated_hash.data(), mTicket.calculated_hash.size(), mVerbose));
+			mTicketSigValid = issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		else
+		{
+			// cannot locate rsa key to verify
+			fmt::print(stderr, "Could not read public key for \"{}\" (ticket).\n", mTicket.signature.issuer);
+			mTicketSigValid = ValidState::Fail;
+		}
+	}
+	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTmdSizeInfo.size > 0)
+	{
+		// verify tmd
+		auto issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
+		if (issuer_itr != mIssuerSigner.end() && issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		{
+			//fmt::print("TmdHash: {}\n", getTruncatedBytesString(mTitleMetaData.calculated_hash.data(), mTitleMetaData.calculated_hash.size(), mVerbose));
+			mTitleMetaDataSigValid = issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		else
+		{
+			// cannot locate rsa key to verify
+			fmt::print(stderr, "Could not read public key for \"{}\" (tmd).\n", mTitleMetaData.signature.issuer);
+			mTitleMetaDataSigValid = ValidState::Fail;
+		}
+	}
+}
+
+void ctrtool::CiaProcess::verifyContent()
+{
+	std::shared_ptr<tc::io::IStream> content_stream;
+	tc::ByteData cache = tc::ByteData(0x10000);
+	size_t cache_read_len;
+	tc::crypto::Sha256Generator sha256_calc;
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> sha256_hash;
+
+	if (mContentInfo.size() > 0)
+	{
+		for (auto itr = mContentInfo.begin(); itr != mContentInfo.end(); itr++)
+		{
+			// skip unhashed content
+			if (itr->second.is_hashed == false) continue;
+
+			content_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, itr->second.offset, itr->second.size));
+
+			if (itr->second.is_encrypted && mDecryptedTitleKey.isSet())
+			{
+				tc::crypto::Aes128CbcEncryptedStream::iv_t content_iv;
+				createContentIv(content_iv, itr->second.cindex);
+
+				content_stream = std::shared_ptr<tc::crypto::Aes128CbcEncryptedStream>(new tc::crypto::Aes128CbcEncryptedStream(content_stream, mDecryptedTitleKey.get(), content_iv));
+			}
+		
+			sha256_calc.initialize();
+			memset(sha256_hash.data(), 0, sha256_hash.size());
+
+			content_stream->seek(0, tc::io::SeekOrigin::Begin);
+			for (int64_t remaining_data = content_stream->length(); remaining_data > 0;)
+			{
+				cache_read_len = content_stream->read(cache.data(), cache.size());
+				if (cache_read_len == 0)
+				{
+					throw tc::io::IOException(mModuleLabel, "Failed to read from source file.");
+				}
+
+				sha256_calc.update(cache.data(), cache_read_len);
+
+				remaining_data -= int64_t(cache_read_len);
+			}
+
+			sha256_calc.getHash(sha256_hash.data());
+
+			itr->second.valid_state = memcmp(sha256_hash.data(), itr->second.hash.data(), sha256_hash.size()) == 0 ? ValidState::Good : ValidState::Fail;
+		}
+	}
+}
+
+void ctrtool::CiaProcess::printHeader()
+{
+	{
+		fmt::print("CiaHeader:\n");
+		fmt::print("|- HeaderSize:      0x{:x}\n", mHeader.header_size.unwrap());
+		fmt::print("|- Type:            {} (0x{:04x})\n", getCiaTypeString(mHeader.type.unwrap()), mHeader.type.unwrap());
+		fmt::print("|- FormatVersion:   {} (0x{:04x})\n", getFormatVersionString(mHeader.format_version.unwrap()), mHeader.format_version.unwrap());
+		fmt::print("|- CertificateSize: 0x{:x}\n", mHeader.certificate_size.unwrap());
+		fmt::print("|- TicketSize:      0x{:x}\n", mHeader.ticket_size.unwrap());
+		fmt::print("|- TitleMetaSize:   0x{:x}\n", mHeader.tmd_size.unwrap());
+		fmt::print("|- FooterSize:      0x{:x}\n", mHeader.footer_size.unwrap());
+		fmt::print("|- ContentSize:     0x{:x}\n", mHeader.content_size.unwrap());
+		fmt::print("\\- EnabledContent:\n");
+		std::vector<size_t> enabled_content;
+		for (size_t i = 0; i < mHeader.content_bitarray.bit_size(); i++)
+		{
+			if (mHeader.content_bitarray.test(i))
+			{
+				enabled_content.push_back(i);
+			}
+		}
+		for (size_t i = 0; i < enabled_content.size(); i++)
+		{
+			fmt::print("   {:1}- 0x{:04x}\n", (i+1 < enabled_content.size() ? "|" : "\\"), enabled_content[i]);
+		}
+	}
+	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mCertSizeInfo.size > 0)
+	{
+		fmt::print("Certificate Chain:\n");
+		for (size_t i = 0; i < mCertChain.size(); i++)
+		{
+			#define _CERT_FORMAT_MACRO(x,y) (i+1 < mCertChain.size() ? (x) : (y))
+
+			fmt::print("{:1}- Certificate {:d}:\n", _CERT_FORMAT_MACRO("|","\\"), i);
+			fmt::print("{:1}  |- DigitalSignature: {:s}\n", _CERT_FORMAT_MACRO("|"," "), getValidString(mCertSigValid[i]));
+			fmt::print("{:1}  |  |- SigType:    {:s} (0x{:x})\n", _CERT_FORMAT_MACRO("|"," "), getSigTypeString(mCertChain[i].signature.sig_type), (uint32_t)mCertChain[i].signature.sig_type);
+			fmt::print("{:1}  |  |- Issuer:     {:s}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].signature.issuer);
+			fmt::print("{:1}  |  \\- Signature:  {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].signature.sig.data(), mCertChain[i].signature.sig.size(), mVerbose));
+			fmt::print("{:1}  |- Subject:       {:s}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].subject);
+			//fmt::print("{:1}  |- Date:          {:d}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].date);
+			fmt::print("{:1}  \\- PublicKey:     {:s} (0x{:x})\n", _CERT_FORMAT_MACRO("|"," "), getCertificatePublicKeyTypeString(mCertChain[i].public_key_type), (uint32_t)mCertChain[i].public_key_type);
+			switch (mCertChain[i].public_key_type)
+			{
+				case brd::es::ESCertPubKeyType::RSA4096:
+					fmt::print("{:1}     |- m:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa4096_public_key.m.data(), mCertChain[i].rsa4096_public_key.m.size(), mVerbose));
+					fmt::print("{:1}     \\- e:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa4096_public_key.e.data(), mCertChain[i].rsa4096_public_key.e.size(), mVerbose));
+					break;
+				case brd::es::ESCertPubKeyType::RSA2048:
+					fmt::print("{:1}     |- m:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa2048_public_key.m.data(), mCertChain[i].rsa2048_public_key.m.size(), mVerbose));
+					fmt::print("{:1}     \\- e:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa2048_public_key.e.data(), mCertChain[i].rsa2048_public_key.e.size(), mVerbose));
+					break;
+				case brd::es::ESCertPubKeyType::ECC:
+					fmt::print("{:1}     |- x:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].ecc233_public_key.x.data(), mCertChain[i].ecc233_public_key.x.size(), mVerbose));
+					fmt::print("{:1}     \\- y:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].ecc233_public_key.y.data(), mCertChain[i].ecc233_public_key.y.size(), mVerbose));
+					break;
+				default:
+					break;
+			}
+
+			#undef _CERT_FORMAT_MACRO
+		}
+		
+	}
+	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTikSizeInfo.size > 0)
+	{
+		fmt::print("Ticket:\n");
+		fmt::print("|- DigitalSignature: {:s} \n", getValidString(mTicketSigValid));
+		fmt::print("|  |- SigType:    {:s} (0x{:x})\n", getSigTypeString(mTicket.signature.sig_type), (uint32_t)mTicket.signature.sig_type);
+		fmt::print("|  |- Issuer:     {:s}\n", mTicket.signature.issuer);
+		fmt::print("|  \\- Signature:  {:s}\n", getTruncatedBytesString(mTicket.signature.sig.data(), mTicket.signature.sig.size(), mVerbose));
+		fmt::print("|- TitleKey:      {}", tc::cli::FormatUtil::formatBytesAsString(mTicket.title_key.data(), mTicket.title_key.size(), true, ""));
+		if (mDecryptedTitleKey.isSet())
+		{
+			fmt::print(" (decrypted: {})", tc::cli::FormatUtil::formatBytesAsString(mDecryptedTitleKey.get().data(), mDecryptedTitleKey.get().size(), true, ""));
+		}
+		fmt::print("\n");
+		fmt::print("|- TicketId:      {:016x}\n", mTicket.ticket_id);
+		fmt::print("|- DeviceId:      {:08x}\n", mTicket.device_id);
+		fmt::print("|- TitleId:       {:016x}\n", mTicket.title_id);
+		fmt::print("|- TicketVersion: {} ({:d})\n", getTitleVersionString(mTicket.ticket_version), mTicket.ticket_version);
+		fmt::print("|- LicenseType:   {:02x}\n", mTicket.license_type);
+		fmt::print("|- KeyId:         {:02x}\n", mTicket.key_id);
+		fmt::print("|- ECAccountID:   {:08x}\n", mTicket.ec_account_id);
+		fmt::print("|- DemoLaunchCnt: {:d}\n", mTicket.launch_count);
+		fmt::print("\\- EnabledContent:\n");
+		std::vector<size_t> enabled_content;
+		for (size_t i = 0; i < mTicket.enabled_content.size(); i++)
+		{
+			if (mTicket.enabled_content.test(i))
+			{
+				enabled_content.push_back(i);
+			}
+		}
+		for (size_t i = 0; i < enabled_content.size(); i++)
+		{
+			fmt::print("   {:1}- 0x{:04x}\n", (i+1 < enabled_content.size() ? "|" : "\\"), enabled_content[i]);
+		}
+	}
+	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTmdSizeInfo.size > 0)
+	{
+		fmt::print("TitleMetaData:\n");
+		fmt::print("|- DigitalSignature: {:s}\n", getValidString(mTitleMetaDataSigValid));
+		fmt::print("|  |- SigType:    {:s} (0x{:x})\n", getSigTypeString(mTitleMetaData.signature.sig_type), (uint32_t)mTitleMetaData.signature.sig_type);
+		fmt::print("|  |- Issuer:     {:s}\n", mTitleMetaData.signature.issuer);
+		fmt::print("|  \\- Signature:  {:s}\n", getTruncatedBytesString(mTitleMetaData.signature.sig.data(), mTitleMetaData.signature.sig.size(), mVerbose));
+		fmt::print("|- TitleId:       {:016x}\n", mTitleMetaData.title_id);
+		fmt::print("|- TitleVersion:  {} ({:d})\n", getTitleVersionString(mTitleMetaData.title_version), mTitleMetaData.title_version);
+		fmt::print("|- CustomData:\n");
+		// TWL Title
+		if (isTwlTitle(mTitleMetaData.title_id))
+		{
+			fmt::print("|  |- PublicSaveDataSize:  0x{:x}\n", mTitleMetaData.twl_custom_data.public_save_data_size);
+			fmt::print("|  |- PrivateSaveDataSize: 0x{:x}\n", mTitleMetaData.twl_custom_data.private_save_data_size);
+			fmt::print("|  \\- Flag:                0x{:02x}\n", mTitleMetaData.twl_custom_data.flag);
+		}
+		// CTR
+		else
+		{
+			fmt::print("|  |- SaveDataSize: 0x{:x}\n", mTitleMetaData.ctr_custom_data.save_data_size);
+			fmt::print("|  \\- IsSnakeOnly: {}\n", mTitleMetaData.ctr_custom_data.is_snake_only);
+		}
+		fmt::print("\\- ContentInfo:\n");
+		for (size_t i = 0; i < mTitleMetaData.content_info.size(); i++)
+		{
+			fmt::print("   {:1}- 0x{:04x}:\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : "\\"), mTitleMetaData.content_info[i].index);
+			fmt::print("   {:1}  |- ContentId:   0x{:08x}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), mTitleMetaData.content_info[i].id);
+			fmt::print("   {:1}  |- Encrypted:   {}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), (mTitleMetaData.content_info[i].is_encrypted ? "YES" : "NO"));
+			fmt::print("   {:1}  |- Optional:    {}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), (mTitleMetaData.content_info[i].is_optional ? "YES" : "NO"));
+			fmt::print("   {:1}  |- Size:        0x{:x}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), mTitleMetaData.content_info[i].size);
+			fmt::print("   {:1}  \\- Hash: {:6} {}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""),
+				getValidString(mContentInfo.find(mTitleMetaData.content_info[i].index) != mContentInfo.end() ? mContentInfo[mTitleMetaData.content_info[i].index].valid_state : ValidState::Unchecked),
+				tc::cli::FormatUtil::formatBytesAsString(mTitleMetaData.content_info[i].hash.data(), mTitleMetaData.content_info[i].hash.size(), true, ""));
+		}
+	}
+	
+}
+
+void ctrtool::CiaProcess::extractCia()
+{
+	tc::io::Path out_path;
+	std::shared_ptr<tc::io::IStream> in_stream;
+	std::shared_ptr<tc::io::IStream> out_stream;
+
+	if (mCertExtractPath.isSet() && mCertSizeInfo.size > 0)
+	{
+		out_path = mCertExtractPath.get();
+
+		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mCertSizeInfo.offset, mCertSizeInfo.size));
+		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
+
+		fmt::print("Saving certs to {}...\n", out_path.to_string());
+		copyStream(in_stream, out_stream);
+	}
+
+	if (mTikExtractPath.isSet() && mTikSizeInfo.size > 0)
+	{
+		out_path = mTikExtractPath.get();
+
+		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTikSizeInfo.offset, mTikSizeInfo.size));
+		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
+
+		fmt::print("Saving tik to {}...\n", out_path.to_string());
+		copyStream(in_stream, out_stream);
+	}
+
+	if (mTmdExtractPath.isSet() && mTmdSizeInfo.size > 0)
+	{
+		out_path = mTmdExtractPath.get();
+
+		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTmdSizeInfo.offset, mTmdSizeInfo.size));
+		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
+
+		fmt::print("Saving tmd to {}...\n", out_path.to_string());
+		copyStream(in_stream, out_stream);
+	}
+
+	if (mFooterExtractPath.isSet() && mFooterSizeInfo.size > 0)
+	{
+		out_path = mFooterExtractPath.get();
+
+		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mFooterSizeInfo.offset, mFooterSizeInfo.size));
+		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
+
+		fmt::print("Saving meta to {}...\n", out_path.to_string());
+		copyStream(in_stream, out_stream);
+	}
+
+	if (mContentExtractPath.isSet() && mContentInfo.size() > 0)
+	{
+		for (auto itr = mContentInfo.begin(); itr != mContentInfo.end(); itr++)
+		{
+			out_path = mContentExtractPath.get();
+			out_path.back() = fmt::format("{}.{:04x}.{:08x}", out_path.back(), itr->second.cindex, itr->second.cid);
+
+			in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, itr->second.offset, itr->second.size));
+
+			if (itr->second.is_encrypted && mDecryptedTitleKey.isSet())
+			{
+				tc::crypto::Aes128CbcEncryptedStream::iv_t content_iv;
+				createContentIv(content_iv, itr->second.cindex);
+
+				in_stream = std::shared_ptr<tc::crypto::Aes128CbcEncryptedStream>(new tc::crypto::Aes128CbcEncryptedStream(in_stream, mDecryptedTitleKey.get(), content_iv));
+			}
+
+			out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
+
+			fmt::print("Saving content {:04x} to {}...\n", itr->second.cindex, out_path.to_string());
+			copyStream(in_stream, out_stream);
+		}
+	}
+}
+
+void ctrtool::CiaProcess::copyStream(const std::shared_ptr<tc::io::IStream>& in, const std::shared_ptr<tc::io::IStream>& out)
+{
+	tc::ByteData cache = tc::ByteData(0x10000);
+	size_t cache_read_len;
+
+	in->seek(0, tc::io::SeekOrigin::Begin);
+	out->seek(0, tc::io::SeekOrigin::Begin);
+	for (int64_t remaining_data = in->length(); remaining_data > 0;)
+	{
+		cache_read_len = in->read(cache.data(), cache.size());
+		if (cache_read_len == 0)
+		{
+			throw tc::io::IOException(mModuleLabel, "Failed to read from source file.");
+		}
+
+		out->write(cache.data(), cache_read_len);
+
+		remaining_data -= int64_t(cache_read_len);
+	}
+}
+
+void ctrtool::CiaProcess::processContent()
+{
+	if (mContentIndex >= ntd::n3ds::CiaHeader::kCiaMaxContentNum)
+	{
+		fmt::print(stderr, "Content index {:d} isn't valid for CIA, use index 0-{:d}, defaulting to 0 now.\n", mContentIndex, ((size_t)ntd::n3ds::CiaHeader::kCiaMaxContentNum)-1);
+		mContentIndex = 0;
+	}
+	if (mContentInfo.find(mContentIndex) != mContentInfo.end() && mContentInfo[mContentIndex].size != 0)
+	{
+		std::shared_ptr<tc::io::IStream> content_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mContentInfo[mContentIndex].offset, mContentInfo[mContentIndex].size));
+		
+		if (mContentInfo[mContentIndex].is_encrypted && mDecryptedTitleKey.isSet())
+		{
+			tc::crypto::Aes128CbcEncryptedStream::iv_t content_iv;
+			createContentIv(content_iv, mContentInfo[mContentIndex].cindex);
+
+			content_stream = std::shared_ptr<tc::crypto::Aes128CbcEncryptedStream>(new tc::crypto::Aes128CbcEncryptedStream(content_stream, mDecryptedTitleKey.get(), content_iv));
+		}
+		
+		if (mIsTwlTitle == false)
+		{
+			mNcchProcess.setInputStream(content_stream);
+			mNcchProcess.process();
+		}
+		else
+		{
+			fmt::print("[LOG] TWL title processing not supported\n");
+		}
+	}
+}
+
+void ctrtool::CiaProcess::createContentIv(std::array<byte_t, 16>& content_iv, uint16_t index)
+{
+	memset(content_iv.data(), 0, content_iv.size());
+	((tc::bn::be16<uint16_t>*)&content_iv[0])->wrap(index);
+}
+
+bool ctrtool::CiaProcess::isTwlTitle(uint64_t title_id)
+{
+	return ((title_id >> 47) & 1) == 1;
+}
+
+std::string ctrtool::CiaProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CiaProcess::getCiaTypeString(uint16_t type)
+{
+	std::string ret_str;
+
+	switch (type)
+	{
+		case ntd::n3ds::CiaHeader::Type_Normal:
+			ret_str =  "Normal";
+			break;
+		default:
+			ret_str =  "Unknown";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CiaProcess::getFormatVersionString(uint16_t format_version)
+{
+	std::string ret_str;
+
+	switch (format_version)
+	{
+		case ntd::n3ds::CiaHeader::FormatVersion_Default:
+			ret_str =  "Cia";
+			break;
+		case ntd::n3ds::CiaHeader::FormatVersion_SimpleCia:
+			ret_str =  "SimpleCia";
+			break;
+		default:
+			ret_str =  "Unknown";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CiaProcess::getTruncatedBytesString(const byte_t* data, size_t len, bool do_not_truncate)
+{
+	if (data == nullptr) { return fmt::format(""); }
+
+	std::string str = "";
+
+	if (len <= 8 || do_not_truncate)
+	{
+		str = tc::cli::FormatUtil::formatBytesAsString(data, len, true, "");
+	}
+	else
+	{
+		str = fmt::format("{:02X}{:02X}{:02X}{:02X}...{:02X}{:02X}{:02X}{:02X}", data[0], data[1], data[2], data[3], data[len-4], data[len-3], data[len-2], data[len-1]);
+	}
+
+	return str;
+}
+
+std::string ctrtool::CiaProcess::getSigTypeString(brd::es::ESSigType sig_type)
+{
+	std::string ret_str;
+
+	switch (sig_type)
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+			ret_str =  "RSA-4096-SHA1";
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+			ret_str =  "RSA-2048-SHA1";
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+			ret_str =  "ECDSA-233-SHA1";
+			break;
+		case brd::es::ESSigType::RSA4096_SHA256:
+			ret_str =  "RSA-4096-SHA256";
+			break;
+		case brd::es::ESSigType::RSA2048_SHA256:
+			ret_str =  "RSA-2048-SHA256";
+			break;
+		case brd::es::ESSigType::ECC_SHA256:
+			ret_str =  "ECDSA-233-SHA256";
+			break;
+		default:
+			ret_str = fmt::format("0x{:x}", (uint32_t)sig_type);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CiaProcess::getCertificatePublicKeyTypeString(brd::es::ESCertPubKeyType public_key_type)
+{
+	std::string ret_str;
+
+	switch (public_key_type)
+	{
+		case brd::es::ESCertPubKeyType::RSA4096:
+			ret_str =  "RSA-4096";
+			break;
+		case brd::es::ESCertPubKeyType::RSA2048:
+			ret_str =  "RSA-2048";
+			break;
+		case brd::es::ESCertPubKeyType::ECC:
+			ret_str =  "ECC-233";
+			break;
+		default:
+			ret_str = fmt::format("0x{:x}", (uint32_t)public_key_type);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::CiaProcess::getTitleVersionString(uint16_t version)
+{
+	return fmt::format("{major:d}.{minor:d}.{build:d}", fmt::arg("major", (uint32_t)((version >> 10) & 0x3F)), fmt::arg("minor", (uint32_t)((version >> 4) & 0x3F)), fmt::arg("build", (uint32_t)(version & 0xF)));
+}
\ No newline at end of file
diff --git a/ctrtool/src/CiaProcess.h b/ctrtool/src/CiaProcess.h
new file mode 100644
index 00000000..efcc5458
--- /dev/null
+++ b/ctrtool/src/CiaProcess.h
@@ -0,0 +1,128 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include "NcchProcess.h"
+#include <tc/Optional.h>
+#include <tc/io/IFileSystem.h>
+#include <ntd/n3ds/cia.h>
+
+#include <ntd/n3ds/es/RsaSigner.h>
+#include <ntd/n3ds/es/Certificate.h>
+#include <ntd/n3ds/es/Ticket.h>
+#include <ntd/n3ds/es/TitleMetaData.h>
+
+namespace ctrtool {
+
+class CiaProcess
+{
+public:
+	CiaProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_header_info, bool show_fs);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setCertExtractPath(const tc::io::Path& extract_path);
+	void setTikExtractPath(const tc::io::Path& extract_path);
+	void setTmdExtractPath(const tc::io::Path& extract_path);
+	void setContentExtractPath(const tc::io::Path& extract_path);
+	void setFooterExtractPath(const tc::io::Path& extract_path);
+	void setContentIndex(size_t index);
+	
+	// ncch settings passed on
+	void setRawMode(bool raw);
+	void setPlainMode(bool plain);
+	void setShowSyscallName(bool show_name);
+	void setNcchRegionProcessOutputMode(NcchProcess::NcchRegion region, bool show_info, bool show_fs, const tc::Optional<tc::io::Path>& bin_extract_path, const tc::Optional<tc::io::Path>& fs_extract_path);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	// input args
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowHeaderInfo;
+	bool mShowFs;
+	bool mVerbose;
+	bool mVerify;
+	tc::Optional<tc::io::Path> mCertExtractPath;
+	tc::Optional<tc::io::Path> mTikExtractPath;
+	tc::Optional<tc::io::Path> mTmdExtractPath;
+	tc::Optional<tc::io::Path> mContentExtractPath;
+	tc::Optional<tc::io::Path> mFooterExtractPath;
+	size_t mContentIndex;
+
+	// process variables
+	ntd::n3ds::CiaHeader mHeader;
+	std::map<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>> mIssuerSigner;
+	std::vector<ntd::n3ds::es::Certificate> mCertChain;
+	std::vector<ValidState> mCertSigValid;
+	ntd::n3ds::es::Ticket mTicket;
+	ValidState mTicketSigValid;
+	ntd::n3ds::es::TitleMetaData mTitleMetaData;
+	ValidState mTitleMetaDataSigValid;
+	tc::Optional<KeyBag::Aes128Key> mDecryptedTitleKey;
+	bool mIsTwlTitle;
+	ctrtool::NcchProcess mNcchProcess;
+	std::shared_ptr<tc::io::IFileSystem> mFsReader;
+	
+	struct CiaSectionInfo
+	{		
+		int64_t offset;
+		int64_t size;
+
+		CiaSectionInfo() : offset(0), size(0) {} 
+	} mCertSizeInfo, mTikSizeInfo, mTmdSizeInfo, mContentSizeInfo, mFooterSizeInfo;
+
+	struct ContentInfo
+	{
+		int64_t offset;
+		int64_t size;
+		uint32_t cid;
+		uint16_t cindex;
+		bool is_encrypted;
+		bool is_hashed;
+		std::array<byte_t, 32> hash;
+		int valid_state;
+
+		ContentInfo() :
+			offset(0),
+			size(0),
+			cid(0),
+			cindex(0),
+			is_encrypted(false),
+			is_hashed(false),
+			valid_state(ValidState::Unchecked)
+		{
+			memset(hash.data(), 0, hash.size());
+		}
+	};
+	std::map<size_t, ContentInfo> mContentInfo;
+
+	// helper methods
+	void importIssuerProfiles();
+	void importHeader();
+	void verifyMetadata();
+	void verifyContent();
+	void printHeader();
+	void extractCia();
+	void copyStream(const std::shared_ptr<tc::io::IStream>& in, const std::shared_ptr<tc::io::IStream>& out);
+	void processContent();
+
+	void createContentIv(std::array<byte_t, 16>& content_iv, uint16_t index);
+
+	bool isTwlTitle(uint64_t title_id);
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+	std::string getCiaTypeString(uint16_t type);
+	std::string getFormatVersionString(uint16_t format_version);
+	std::string getTruncatedBytesString(const byte_t* data, size_t len, bool do_not_truncate = false);
+	std::string getSigTypeString(brd::es::ESSigType sig_type);
+	std::string getCertificatePublicKeyTypeString(brd::es::ESCertPubKeyType public_key_type);
+	std::string getTitleVersionString(uint16_t version);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/CrrProcess.cpp b/ctrtool/src/CrrProcess.cpp
new file mode 100644
index 00000000..a0f35376
--- /dev/null
+++ b/ctrtool/src/CrrProcess.cpp
@@ -0,0 +1,192 @@
+#include "CrrProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+
+ctrtool::CrrProcess::CrrProcess() :
+	mModuleLabel("ctrtool::CrrProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowInfo(false),
+	mVerbose(false),
+	mVerify(false),
+	mCrrData(false),
+	mValidCertificateSignature(ValidState::Unchecked),
+	mValidBodySignature(ValidState::Unchecked),
+	mValidUniqueId(ValidState::Unchecked)
+{
+	memset((byte_t*)&mHeader, 0, sizeof(mHeader));
+	memset((byte_t*)&mBodyHeader, 0, sizeof(mBodyHeader));
+}
+
+void ctrtool::CrrProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::CrrProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::CrrProcess::setCliOutputMode(bool show_info)
+{
+	mShowInfo = show_info;
+}
+
+void ctrtool::CrrProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::CrrProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+
+void ctrtool::CrrProcess::process()
+{
+	// begin processing
+	importData();
+	if (mVerify)
+		verifyData();
+	if (mShowInfo)
+		printData();
+}
+
+void ctrtool::CrrProcess::importData()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}	
+
+	// import header
+	if (mInputStream->length() < (sizeof(ntd::n3ds::CrrHeader) + sizeof(ntd::n3ds::CrrBodyHeader)))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small to import header.");
+	}
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(mHeader));
+	mInputStream->read((byte_t*)&mBodyHeader, sizeof(mBodyHeader));
+
+	if (mHeader.struct_magic.unwrap() != mHeader.kStructMagic)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Invalid struct magic.");
+	}
+
+	if (mBodyHeader.size.unwrap() % 0x1000 != 0)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "CRR file size was not aligned to 0x1000 bytes.");
+	}
+
+	if (((mBodyHeader.num_hash.unwrap() * 0x20) + mBodyHeader.hash_offset.unwrap()) > mBodyHeader.size.unwrap())
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "CRR invalid hash geometry.");
+	}
+	if ((mBodyHeader.module_id_offset.unwrap() + mBodyHeader.module_id_size.unwrap()) > mBodyHeader.size.unwrap())
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "CRR invalid module_id geometry.");
+	}
+
+	if (mInputStream->length() < int64_t(mBodyHeader.size.unwrap()))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small for logical file size.");
+	}
+
+	mCrrData = tc::ByteData(mBodyHeader.size.unwrap());
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read(mCrrData.data(), mCrrData.size());
+}
+
+void ctrtool::CrrProcess::verifyData()
+{
+	// validate certificate signature
+	if (mKeyBag.rsa_key.find(mKeyBag.RSAKEY_CRR) != mKeyBag.rsa_key.end())
+	{
+		std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+		tc::crypto::RsaKey pubkey = mKeyBag.rsa_key[mKeyBag.RSAKEY_CRR];
+
+		// generate hash
+		size_t offset = sizeof(mHeader) - sizeof(mHeader.body_certificate);
+		size_t size = sizeof(mHeader.body_certificate) - sizeof(mHeader.body_certificate.signature);
+		tc::crypto::GenerateSha256Hash(hash.data(), mCrrData.data() + offset, size);
+
+		// validate signature
+		mValidCertificateSignature = tc::crypto::VerifyRsa2048Pkcs1Sha256(mHeader.body_certificate.signature.data(), hash.data(), pubkey) ? ValidState::Good : ValidState::Fail;
+	}
+	else
+	{
+		fmt::print(stderr, "Could not read static CRR public key.\n");
+		mValidCertificateSignature = ValidState::Fail;
+	}
+
+	// validate body signature
+	{
+		std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+		tc::crypto::RsaKey pubkey = tc::crypto::RsaPublicKey(mHeader.body_certificate.crr_body_public_key.data(), mHeader.body_certificate.crr_body_public_key.size());
+
+		// generate hash
+		size_t offset = sizeof(mHeader) + sizeof(mBodyHeader.signature);
+		size_t size = (mBodyHeader.hash_offset.unwrap() + (mBodyHeader.num_hash.unwrap() * 0x20)) - offset;
+		tc::crypto::GenerateSha256Hash(hash.data(), mCrrData.data() + offset, size);
+
+		mValidBodySignature = tc::crypto::VerifyRsa2048Pkcs1Sha256(mBodyHeader.signature.data(), hash.data(), pubkey) ? ValidState::Good : ValidState::Fail;
+	}
+
+	// validate unique id
+	{
+		mValidUniqueId = ((mBodyHeader.unique_id.unwrap() & mHeader.body_certificate.unique_id_mask.unwrap()) == 0) ? ValidState::Good : ValidState::Fail;
+	}
+}
+
+void ctrtool::CrrProcess::printData()
+{
+	fmt::print("\n");
+	fmt::print("CRR:\n");
+	fmt::print("Magic:                  {}\n", "CRR0");
+	fmt::print("DebugInfo Offset:       0x{:08x}\n", mHeader.debug_info_offset.unwrap());
+	fmt::print("DebugInfo Size:         0x{:08x}\n", mHeader.debug_info_size.unwrap());
+	fmt::print("\n");
+	fmt::print("CRR certificate:\n");
+	fmt::print("UniqueIdMask:           0x{:08x}\n", mHeader.body_certificate.unique_id_mask.unwrap());
+	fmt::print("UniqueIdPattern:        0x{:08x}\n", mHeader.body_certificate.unique_id_pattern.unwrap());
+	fmt::print("PublicKey:              {}", tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mHeader.body_certificate.crr_body_public_key.data(), mHeader.body_certificate.crr_body_public_key.size(), true, "", 0x20, 24, false));
+	fmt::print("Signature: {:6}       {}", getValidString(mValidCertificateSignature), tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mHeader.body_certificate.signature.data(), mHeader.body_certificate.signature.size(), true, "", 0x20, 24, false));
+	fmt::print("\n");
+	fmt::print("CRR body header:\n");
+	fmt::print("Signature: {:6}       {}", getValidString(mValidBodySignature), tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mBodyHeader.signature.data(), mBodyHeader.signature.size(), true, "", 0x20, 24, false));
+	fmt::print("UniqueId: {:6}        0x{:08x}\n", getValidString(mValidUniqueId), mBodyHeader.unique_id.unwrap());
+	fmt::print("CRR Size:               0x{:08x}\n", mBodyHeader.size.unwrap());
+	fmt::print("Hash Offset:            0x{:08x}\n", mBodyHeader.hash_offset.unwrap());
+	fmt::print("Hash Num:               {:d}\n", mBodyHeader.num_hash.unwrap());
+	fmt::print("ModuleId Offset:        0x{:08x}\n", mBodyHeader.module_id_offset.unwrap());
+	fmt::print("ModuleId Size:          0x{:08x}\n", mBodyHeader.module_id_size.unwrap());
+}
+
+std::string ctrtool::CrrProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
\ No newline at end of file
diff --git a/ctrtool/src/CrrProcess.h b/ctrtool/src/CrrProcess.h
new file mode 100644
index 00000000..770d1501
--- /dev/null
+++ b/ctrtool/src/CrrProcess.h
@@ -0,0 +1,46 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include <tc/Optional.h>
+#include <ntd/n3ds/crr.h>
+
+namespace ctrtool {
+
+class CrrProcess
+{
+public:
+	CrrProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_info);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowInfo;
+	bool mVerbose;
+	bool mVerify;
+
+	ntd::n3ds::CrrHeader mHeader;
+	ntd::n3ds::CrrBodyHeader mBodyHeader;
+	tc::ByteData mCrrData;
+
+	byte_t mValidCertificateSignature;
+	byte_t mValidBodySignature;
+	byte_t mValidUniqueId;
+
+	void importData();
+	void verifyData();
+	void printData();
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/ExHeaderProcess.cpp b/ctrtool/src/ExHeaderProcess.cpp
new file mode 100644
index 00000000..fc5976c8
--- /dev/null
+++ b/ctrtool/src/ExHeaderProcess.cpp
@@ -0,0 +1,993 @@
+#include "ExHeaderProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+
+ctrtool::ExHeaderProcess::ExHeaderProcess() :
+	mModuleLabel("ctrtool::ExHeaderProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowInfo(false),
+	mVerbose(false),
+	mVerify(false),
+	mShowSyscallNames(false),
+	mValidSignature(ValidState::Unchecked),
+	mValidLocalCaps()
+{
+	memset((byte_t*)&mHeader, 0, sizeof(ntd::n3ds::ExtendedHeader));
+	memset((byte_t*)&mDesc, 0, sizeof(ntd::n3ds::AccessDescriptor));
+}
+
+void ctrtool::ExHeaderProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::ExHeaderProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::ExHeaderProcess::setCliOutputMode(bool show_info)
+{
+	mShowInfo = show_info;
+}
+
+void ctrtool::ExHeaderProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::ExHeaderProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+void ctrtool::ExHeaderProcess::setShowSyscallName(bool show_name)
+{
+	mShowSyscallNames = show_name;
+}
+
+void ctrtool::ExHeaderProcess::process()
+{
+	// begin processing
+	importExHeader();
+	if (mVerify)
+		verifyExHeader();
+	if (mShowInfo)
+		printExHeader();
+}
+
+void ctrtool::ExHeaderProcess::importExHeader()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}	
+
+	// import header
+	if (mInputStream->length() < (sizeof(ntd::n3ds::ExtendedHeader) + sizeof(ntd::n3ds::AccessDescriptor)))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small.");
+	}
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::ExtendedHeader));
+	mInputStream->read((byte_t*)&mDesc, sizeof(ntd::n3ds::AccessDescriptor));
+
+}
+
+void ctrtool::ExHeaderProcess::verifyExHeader()
+{
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> desc_hash;
+	
+	tc::crypto::GenerateSha256Hash(desc_hash.data(), (byte_t*)&mDesc.ncch_rsa_modulus, sizeof(mDesc) - sizeof(mDesc.signature));
+
+	if (mKeyBag.rsa_key.find(mKeyBag.RSAKEY_ACCESSDESC) != mKeyBag.rsa_key.end())
+	{
+		tc::crypto::RsaKey pubkey = mKeyBag.rsa_key[mKeyBag.RSAKEY_ACCESSDESC];
+
+		mValidSignature = tc::crypto::VerifyRsa2048Pkcs1Sha256(mDesc.signature.data(), desc_hash.data(), pubkey) ? ValidState::Good : ValidState::Fail;
+	}
+	else
+	{
+		fmt::print(stderr, "Could not read AccessDescriptor public key.\n");
+		mValidSignature = ValidState::Fail;
+	}
+	
+	mValidLocalCaps.system_save_id[0] = ValidState::Good;
+	mValidLocalCaps.system_save_id[1] = ValidState::Good;
+	mValidLocalCaps.access_info = ValidState::Good;
+	mValidLocalCaps.core_version = ValidState::Good;
+	mValidLocalCaps.program_id = ValidState::Good;
+	mValidLocalCaps.priority = ValidState::Good;
+	mValidLocalCaps.affinity_mask = ValidState::Good;
+	mValidLocalCaps.ideal_processor = ValidState::Good;
+	mValidLocalCaps.old3ds_system_mode = ValidState::Good;
+	mValidLocalCaps.new3ds_system_mode = ValidState::Good;
+	mValidLocalCaps.enable_l2_cache = ValidState::Good;
+	mValidLocalCaps.new3ds_cpu_speed = ValidState::Good;
+	mValidLocalCaps.service_control = ValidState::Good;
+
+	byte_t* exhdr_program_id = (byte_t*)&mHeader.access_control_info.program_id;
+	byte_t* desc_program_id = (byte_t*)&mDesc.access_control_info.program_id;
+	for (size_t i = 0; i < sizeof(uint64_t); i++)
+	{
+		if (exhdr_program_id[i] == desc_program_id[i] || desc_program_id[i] == 0xFF)
+			continue;
+
+		mValidLocalCaps.program_id = ValidState::Fail;
+		break;
+	}
+
+	/*
+	// this does not appear to be correct given working examples: SystemUpdater exhdr: 0x1, desc: 0x2
+	auto exhdr_core_version = mHeader.access_control_info.core_version.unwrap();
+	auto desc_core_version = mDesc.access_control_info.core_version.unwrap();
+	if (exhdr_core_version != desc_core_version)
+		mValidLocalCaps.core_version = ValidState::Fail;
+	*/
+
+	auto exhdr_thread_priority = mHeader.access_control_info.flags.unwrap().thread_priority;
+	auto desc_thread_priority = mDesc.access_control_info.flags.unwrap().thread_priority;
+	if (exhdr_thread_priority < desc_thread_priority)
+		mValidLocalCaps.priority = ValidState::Fail;
+
+	auto exhdr_ideal_processor = mHeader.access_control_info.flags.unwrap().ideal_processor;
+	auto desc_ideal_processor = mDesc.access_control_info.flags.unwrap().ideal_processor;
+	if((1<<exhdr_ideal_processor & desc_ideal_processor) == 0)
+		mValidLocalCaps.ideal_processor = ValidState::Fail;
+	
+	auto exhdr_affinity_mask = mHeader.access_control_info.flags.unwrap().affinity_mask;
+	auto desc_affinity_mask = mDesc.access_control_info.flags.unwrap().affinity_mask;
+	if (exhdr_affinity_mask & ~desc_affinity_mask)
+		mValidLocalCaps.affinity_mask = ValidState::Fail;
+
+	auto exhdr_system_mode = mHeader.access_control_info.flags.unwrap().system_mode;
+	auto desc_system_mode = mDesc.access_control_info.flags.unwrap().system_mode;
+	if (exhdr_system_mode > desc_system_mode)
+		mValidLocalCaps.old3ds_system_mode = ValidState::Fail;
+
+	auto exhdr_system_mode_ext = mHeader.access_control_info.flags.unwrap().system_mode_ext;
+	auto desc_system_mode_ext = mDesc.access_control_info.flags.unwrap().system_mode_ext;
+	if (exhdr_system_mode_ext > desc_system_mode_ext)
+		mValidLocalCaps.new3ds_system_mode = ValidState::Fail;
+
+	auto exhdr_enable_l2_cache = mHeader.access_control_info.flags.unwrap().enable_l2_cache;
+	auto desc_enable_l2_cache = mDesc.access_control_info.flags.unwrap().enable_l2_cache;
+	if (exhdr_enable_l2_cache != desc_enable_l2_cache)
+		mValidLocalCaps.enable_l2_cache = ValidState::Fail;
+
+	auto exhdr_cpu_speed = mHeader.access_control_info.flags.unwrap().cpu_speed;
+	auto desc_cpu_speed = mDesc.access_control_info.flags.unwrap().cpu_speed;
+	if (exhdr_cpu_speed != desc_cpu_speed)
+		mValidLocalCaps.new3ds_cpu_speed = ValidState::Fail;
+
+
+	// Storage Info Verify
+	auto exhdr_system_savedata_id = mHeader.access_control_info.system_savedata_id;
+	auto desc_system_savedata_id = mDesc.access_control_info.system_savedata_id;
+	if(exhdr_system_savedata_id[0].unwrap() & ~desc_system_savedata_id[0].unwrap())
+		mValidLocalCaps.system_save_id[0] = ValidState::Fail;
+	if(exhdr_system_savedata_id[1].unwrap() & ~desc_system_savedata_id[1].unwrap())
+		mValidLocalCaps.system_save_id[1] = ValidState::Fail;
+
+	auto exhdr_fs_access = mHeader.access_control_info.fs_access;
+	auto desc_fs_access = mDesc.access_control_info.fs_access;
+	for (size_t fs_bit = 0; fs_bit < exhdr_fs_access.bit_size(); fs_bit++)
+	{
+		if (exhdr_fs_access.test(fs_bit) == true && desc_fs_access.test(fs_bit) == false)
+		{
+			mValidLocalCaps.access_info = ValidState::Fail;
+			if (mVerbose)
+			{
+				fmt::print("[LOG/ExHeader] FsAccess Bit {:d} was not permitted\n", fs_bit);
+			}
+		}
+	}
+
+	// Service Access Control
+	auto exhdr_service_access_control = mHeader.access_control_info.service_access_control;
+	auto desc_service_access_control = mDesc.access_control_info.service_access_control;
+	bool found_service;
+	for (size_t i = 0, j; i < exhdr_service_access_control.size(); i++) {
+		// skip if empty string
+		if (exhdr_service_access_control[i].decode().empty())
+			break;
+
+		found_service = false;
+
+		// locate entry in desc
+		for (j = 0; j < desc_service_access_control.size(); j++) {
+			if (exhdr_service_access_control[i].decode() == desc_service_access_control[j].decode())
+				found_service = true;
+		}
+
+		if (found_service == false)
+		{
+			mValidLocalCaps.service_control = Fail;
+			if (mVerbose)
+			{
+				fmt::print("[LOG/ExHeader] Service \"{}\" was not permitted\n", exhdr_service_access_control[i].decode());
+			}
+		}
+	}
+}
+
+void ctrtool::ExHeaderProcess::printExHeader()
+{
+	fmt::print("\n");
+	fmt::print("Extended header:\n");
+	fmt::print("Signature: {:6}       {}", getValidString(mValidSignature), tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mDesc.signature.data(), mDesc.signature.size(), true, "", 0x20, 24, false));
+	fmt::print("NCCH Hdr RSA Modulus:   {}", tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mDesc.ncch_rsa_modulus.data(), mDesc.ncch_rsa_modulus.size(), true, "", 0x20, 24, false));
+	printSystemControlInfo(mHeader.system_control_info);
+	printARM11SystemLocalCapabilities(mHeader.access_control_info, mValidLocalCaps);
+	printARM11KernelCapabilities(mHeader.access_control_info);
+	printARM9AccessControlInfo(mHeader.access_control_info);
+}
+
+void ctrtool::ExHeaderProcess::printSystemControlInfo(const ntd::n3ds::SystemControlInfo& info)
+{
+	//fmt::print("[SystemControlInfo]\n");
+	// basic info
+	fmt::print("Name:                   {}\n", info.name.decode());
+	fmt::print("Flags:                  {:02X}", (uint32_t)info.flags.raw);
+	if (info.flags.bitarray.test(info.Flags_CompressExefsPartition0))
+		fmt::print(" [compressed]");
+	if (info.flags.bitarray.test(info.Flags_SdmcApplication))
+		fmt::print(" [sd app]");
+	fmt::print("\n");
+	fmt::print("Remaster version:       {:04x}\n", (uint32_t)info.remaster_version.unwrap());
+
+	// code set info
+	fmt::print("Code text address:      0x{:08X}\n", info.text.address.unwrap());
+	fmt::print("Code text size:         0x{:08X}\n", info.text.code_size.unwrap());
+	fmt::print("Code text max pages:    0x{:08X} (0x{:08X})\n", info.text.num_max_pages.unwrap(), info.text.num_max_pages.unwrap() * 0x1000);
+
+	fmt::print("Code ro address:        0x{:08X}\n", info.rodata.address.unwrap());
+	fmt::print("Code ro size:           0x{:08X}\n", info.rodata.code_size.unwrap());
+	fmt::print("Code ro max pages:      0x{:08X} (0x{:08X})\n", info.rodata.num_max_pages.unwrap(), info.rodata.num_max_pages.unwrap() * 0x1000);
+
+	fmt::print("Code data address:      0x{:08X}\n", info.data.address.unwrap());
+	fmt::print("Code data size:         0x{:08X}\n", info.data.code_size.unwrap());
+	fmt::print("Code data max pages:    0x{:08X} (0x{:08X})\n", info.data.num_max_pages.unwrap(), info.data.num_max_pages.unwrap() * 0x1000);
+
+	fmt::print("Code bss size:          0x{:08X}\n", info.bss_size.unwrap());
+	fmt::print("Code stack size:        0x{:08X}\n", info.stack_size.unwrap());
+
+	// Dependency
+	for (size_t i = 0; i < info.dependency_list.size(); i++)
+	{
+		if (info.dependency_list[i].unwrap() != 0)
+		{
+			fmt::print("Dependency:             {:016x}\n", info.dependency_list[i].unwrap());
+		}
+	}
+
+	// savedata size
+	fmt::print("Savedata size:          ");
+	uint64_t savedata_size = info.savedata_size.unwrap();
+	if (savedata_size < (1024)) // < KB
+	{
+		fmt::print("0x{:x}", savedata_size);
+	}
+	else if (savedata_size < (1024 * 1024)) // < MB
+	{
+		fmt::print("{:d}K", (savedata_size >> 10));
+	}
+	else
+	{
+		fmt::print("{:d}M", (savedata_size >> 20));
+	}
+	fmt::print("\n");
+
+	fmt::print("Jump id:                {:016x}\n", info.jump_id.unwrap());
+}
+
+void ctrtool::ExHeaderProcess::printARM11SystemLocalCapabilities(const ntd::n3ds::AccessControlInfo& info, const ValidARM11SystemLocalCapabilities& valid)
+{
+	//fmt::print("[ARM11SystemLocalCapabilities]\n");
+	fmt::print("Program id:             {:016x} {}\n", info.program_id.unwrap(), getValidString(valid.program_id));
+	fmt::print("Core version:           0x{:08x}\n", info.core_version.unwrap());
+	fmt::print("System mode:            {} (AppMemory: {}) {}\n", getSystemModeString(info.flags.unwrap().system_mode), getSystemModeAppMemorySizeString(info.flags.unwrap().system_mode), getValidString(valid.old3ds_system_mode));
+	fmt::print("System mode (New3DS):   {} (AppMemory: {}) {}\n", getSystemModeExtString(info.flags.unwrap().system_mode_ext, info.flags.unwrap().system_mode), getSystemModeExtAppMemorySizeString(info.flags.unwrap().system_mode_ext, info.flags.unwrap().system_mode), getValidString(valid.new3ds_system_mode));
+	fmt::print("CPU Speed (New3DS):     {} {}\n", (info.flags.unwrap().cpu_speed ? "804MHz" : "268MHz"), getValidString(valid.new3ds_cpu_speed));
+	fmt::print("Enable L2 Cache:        {} {}\n", (info.flags.unwrap().enable_l2_cache ? "YES" : "NO"), getValidString(valid.enable_l2_cache));
+	fmt::print("Ideal processor:        {:d} {}\n", (uint32_t)info.flags.unwrap().ideal_processor, getValidString(valid.ideal_processor));
+	fmt::print("Affinity mask:          {:d} {}\n", (uint32_t)info.flags.unwrap().affinity_mask, getValidString(valid.affinity_mask));
+	fmt::print("Main thread priority:   {:d} {}\n", (uint32_t)info.flags.unwrap().thread_priority, getValidString(valid.priority));
+	fmt::print("MaxCpu:                 {:d}\n", info.resource_limit_descriptor[info.ResourceLimitDescriptorIndex_MaxCpu].unwrap());
+
+	std::vector<uint32_t> accessible_save_ids;
+	uint64_t ext_savedata_id = 0;
+	std::array<uint32_t, 3> other_user_save_ids = {0, 0, 0};
+	bool use_other_variation_savedata = false;
+	if (info.other_attributes.test(info.OtherAttribute_UseExtendedSavedataAccessControl))
+	{
+		uint32_t id;
+
+		if (0 != (id = info.accessible_unique_ids_0.unwrap().save_id0))
+			accessible_save_ids.push_back(id);
+		
+		if (0 != (id = info.accessible_unique_ids_0.unwrap().save_id1))
+			accessible_save_ids.push_back(id);
+		
+		if (0 != (id = info.accessible_unique_ids_0.unwrap().save_id2))
+			accessible_save_ids.push_back(id);
+		
+		if (0 != (id = info.accessible_unique_ids_1.unwrap().save_id0))
+			accessible_save_ids.push_back(id);
+		
+		if (0 != (id = info.accessible_unique_ids_1.unwrap().save_id1))
+			accessible_save_ids.push_back(id);
+
+		if (0 != (id = info.accessible_unique_ids_1.unwrap().save_id2))
+			accessible_save_ids.push_back(id);
+	}
+	else
+	{
+		ext_savedata_id = info.ext_savedata_id.unwrap();
+
+		other_user_save_ids[0] = info.accessible_unique_ids_0.unwrap().save_id0;
+		other_user_save_ids[1] = info.accessible_unique_ids_0.unwrap().save_id1;
+		other_user_save_ids[2] = info.accessible_unique_ids_0.unwrap().save_id2;
+	}
+	use_other_variation_savedata = info.accessible_unique_ids_0.unwrap().flag;
+
+	fmt::print("Ext savedata id:        0x{:016x}\n", ext_savedata_id);
+	for (size_t i = 0; i < info.system_savedata_id.size(); i++)
+	{
+		fmt::print("System savedata id {:d}:   0x{:08x} {}\n", i+1, info.system_savedata_id[i].unwrap(), getValidString(valid.system_save_id[i]));
+	}
+	for (size_t i = 0; i < other_user_save_ids.size(); i++)
+	{
+		fmt::print("OtherUserSaveDataId{:d}:   0x{:05x}\n", i+1, other_user_save_ids[i]);
+	}
+	fmt::print("Accessible Savedata Ids: {}\n", (accessible_save_ids.size() == 0 ? "None" : ""));
+	for (size_t i = 0; i < accessible_save_ids.size(); i++)
+	{
+		fmt::print(" > 0x{:05x}\n", accessible_save_ids[i]);
+	}
+	fmt::print("Other Variation Saves:  {}\n", (use_other_variation_savedata ? "Accessible" : "Inaccessible"));
+	uint64_t fs_access_raw = ((((tc::bn::le64<uint64_t>*)&info.fs_access)->unwrap() << 8) >> 8); // clearing the upper 8 bits since fs_access is 56 bits
+	fmt::print("Access info: {:6}     0x{:014x}\n", getValidString(valid.access_info), fs_access_raw);
+	for (size_t i = 0; i < info.fs_access.bit_size(); i++)
+	{
+		if (info.fs_access.test(i))
+		{
+			fmt::print(" > {}\n", getFsAccessBitString(i));
+		}
+	}
+
+	fmt::print("Service access: {}\n", getValidString(mValidLocalCaps.service_control));
+	auto& service_access = info.service_access_control;
+	for (size_t i = 0; i < service_access.size(); i++)
+	{
+		if (service_access[i].decode().empty())
+			break;
+
+		fmt::print(" > {}\n", service_access[i].decode());
+	}
+	fmt::print("Reslimit category:      {:02X}\n", (uint32_t)info.resource_limit_category);
+}
+
+void ctrtool::ExHeaderProcess::printARM11KernelCapabilities(const ntd::n3ds::AccessControlInfo& info)
+{
+	size_t i, j;
+	std::vector<byte_t> syscall_list;
+	std::vector<byte_t> interrupt_list;
+	std::vector<uint32_t> unknown_desc_list;
+
+	union KernDesc
+	{
+		uint32_t raw;
+		tc::bn::bitarray<4> bits;
+		ntd::n3ds::AccessControlInfo::InterruptDescriptor interrupt;
+		ntd::n3ds::AccessControlInfo::SystemCallDescriptor syscall;
+		ntd::n3ds::AccessControlInfo::ReleaseKernelVersionDescriptor kernel_ver;
+		ntd::n3ds::AccessControlInfo::HandleTableSizeDescriptor handle_table;
+		ntd::n3ds::AccessControlInfo::OtherCapabilitiesDescriptor other_cap;
+		ntd::n3ds::AccessControlInfo::MappingStaticDescriptor mapping_static;
+		ntd::n3ds::AccessControlInfo::MappingIODescriptor mapping_io;
+	};
+
+	KernDesc prev_desc;
+	prev_desc.raw = 0;
+
+	for (i = 0; i < info.kernel_descriptors.size(); i++)
+	{
+		KernDesc desc;
+		desc.raw = info.kernel_descriptors[i].unwrap();
+		
+		uint32_t prefix_bits;
+		for (prefix_bits = 0; prefix_bits < 32; prefix_bits++)
+		{
+			if (desc.bits.test(31 - prefix_bits) == false)
+			{
+				break;
+			}
+		}
+
+		if (prefix_bits == ntd::n3ds::AccessControlInfo::DescriptorPrefix_InterruptNumList)
+		{
+			if (desc.interrupt.interrupt_0 != 0)
+				interrupt_list.push_back(desc.interrupt.interrupt_0);
+			if (desc.interrupt.interrupt_1 != 0)
+				interrupt_list.push_back(desc.interrupt.interrupt_1);
+			if (desc.interrupt.interrupt_2 != 0)
+				interrupt_list.push_back(desc.interrupt.interrupt_2);
+			if (desc.interrupt.interrupt_3 != 0)
+				interrupt_list.push_back(desc.interrupt.interrupt_3);
+		}
+		else if (prefix_bits == ntd::n3ds::AccessControlInfo::DescriptorPrefix_SysCallList)
+		{
+			for (j = 0; j < 24; j++)
+			{
+				if ((desc.syscall.systemcall_lower_bitarray >> j) & 1)
+					syscall_list.push_back(byte_t(desc.syscall.systemcall_upper * 24) + byte_t(j));
+			}
+		}
+		else if (prefix_bits == ntd::n3ds::AccessControlInfo::DescriptorPrefix_ReleaseKernelVersion)
+		{
+			fmt::print("Kernel release version: {:d}.{:d}\n", ((desc.kernel_ver.version >> 8) & 0xFF), ((desc.kernel_ver.version >> 0) & 0xFF));
+		}
+		else if (prefix_bits == ntd::n3ds::AccessControlInfo::DescriptorPrefix_HandleTableSize)
+		{
+			fmt::print("Handle table size:      0x{:X}\n", (uint32_t)desc.handle_table.size);
+		}
+		else if (prefix_bits == ntd::n3ds::AccessControlInfo::DescriptorPrefix_OtherCapabilities)
+		{
+			fmt::print("Kernel flags:           \n");
+			fmt::print(" > Allow debug:         {}\n", (desc.other_cap.permit_debug ? "YES" : "NO"));
+			fmt::print(" > Force debug:         {}\n", (desc.other_cap.force_debug ? "YES" : "NO"));
+			fmt::print(" > Allow non-alphanum:  {}\n", (desc.other_cap.can_use_non_alphabet_and_number ? "YES" : "NO"));
+			fmt::print(" > Shared page writing: {}\n", (desc.other_cap.can_write_shared_page ? "YES" : "NO"));
+			fmt::print(" > Privilege priority:  {}\n", (desc.other_cap.can_use_privileged_priority ? "YES" : "NO"));
+			fmt::print(" > Allow main() args:   {}\n", (desc.other_cap.permit_main_function_argument ? "YES" : "NO"));
+			fmt::print(" > Shared device mem:   {}\n", (desc.other_cap.can_share_device_memory ? "YES" : "NO"));
+			fmt::print(" > Memory Type:         {}\n", getMemoryTypeString(desc.other_cap.memory_type));
+			fmt::print(" > Runnable on sleep:   {}\n", (desc.other_cap.runnable_on_sleep ? "YES" : "NO"));
+			fmt::print(" > Special memory:      {}\n", (desc.other_cap.special_memory_layout ? "YES" : "NO"));
+			fmt::print(" > Access Core 2:       {}\n", (desc.other_cap.can_access_core2 ? "YES" : "NO"));
+		}
+		else if (prefix_bits == ntd::n3ds::AccessControlInfo::DescriptorPrefix_MappingStatic)
+		{
+			if (prev_desc.raw == 0)
+			{
+				prev_desc.raw = desc.raw;
+			}
+			else
+			{
+				fmt::print("{:24}0x{:X}-0x{:X}{}\n", 
+					(desc.mapping_static.flag ? "StaticMapping:" : "IoMapping:"),
+					(prev_desc.mapping_static.page << 12),
+					(desc.mapping_static.page << 12)-1,
+					(prev_desc.mapping_static.flag ? ":r" : "")
+				);
+				prev_desc.raw = 0;
+			}
+		}
+		else if (prefix_bits == ntd::n3ds::AccessControlInfo::DescriptorPrefix_MappingIo)
+		{
+			fmt::print("IoMapping:              0x{:X}\n", (desc.mapping_io.page << 12));
+		}
+		else if (prefix_bits == 32)
+		{
+			continue;
+		}
+		else
+		{
+			unknown_desc_list.push_back(desc.raw);
+		}
+	}
+
+	fmt::print("Allowed systemcalls:    ");
+	if (syscall_list.size() > 0)
+	{
+		if (!mShowSyscallNames)
+		{
+			std::vector<std::string> string_list;
+			for (size_t i = 0; i < syscall_list.size(); i++)
+			{
+				string_list.push_back(getByteHexString(syscall_list[i]));
+			}
+
+			fmt::print("{}", tc::cli::FormatUtil::formatListWithLineLimit(string_list, 46, 24, false));
+		}
+		else
+		{
+			fmt::print("\n");
+			for (size_t i = 0; i < syscall_list.size(); i++)
+			{
+				fmt::print(" > {} {}\n", getByteHexString(syscall_list[i]), getSysCallName(syscall_list[i]));
+			}
+		}
+		
+	}
+	else
+	{
+		fmt::print("none\n");
+	}
+
+	fmt::print("Allowed interrupts:     ");
+	if (interrupt_list.size() > 0)
+	{
+		std::vector<std::string> string_list;
+		for (size_t i = 0; i < interrupt_list.size(); i++)
+		{
+			string_list.push_back(getByteHexString(interrupt_list[i]));
+		}
+
+		fmt::print("{}", tc::cli::FormatUtil::formatListWithLineLimit(string_list, 46, 24, false));
+	}
+	else
+	{
+		fmt::print("none\n");
+	}
+
+	for (i = 0; i < unknown_desc_list.size(); i++)
+	{
+		fmt::print("Unknown descriptor:     {:08X}\n", unknown_desc_list[i]);
+	}
+}
+
+void ctrtool::ExHeaderProcess::printARM9AccessControlInfo(const ntd::n3ds::AccessControlInfo& info)
+{
+	//fmt::print("[ARM9AccessControlInfo]\n");
+	
+	// collect arm9 caps as a vector of strings
+	std::vector<std::string> arm9_caps_str;
+	for (size_t i = 0; i < info.arm9_access_control.bit_size(); i++)
+	{
+		if (info.arm9_access_control.test(i))
+		{
+			arm9_caps_str.push_back(getArm9CapabilityBitString(i));
+		}
+	}
+	
+	// print arm9 caps
+	fmt::print("Arm9Capability:         {}\n", (arm9_caps_str.size() == 0 ? "none" : ""));
+	for (size_t i = 0; i < arm9_caps_str.size(); i++)
+	{
+		fmt::print(" > {}\n", arm9_caps_str[i]);
+	}
+	
+	// print desc version
+	fmt::print("Desc Version:           0x{:x}\n", (uint32_t)info.desc_version);
+}
+
+std::string ctrtool::ExHeaderProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::ExHeaderProcess::getSystemModeString(byte_t system_mode)
+{
+	std::string str;
+
+	switch (system_mode)
+	{
+		case ntd::n3ds::AccessControlInfo::SystemMode_PROD :
+			str = "prod";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV1 :
+			str = "dev1";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV2 :
+			str = "dev2";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV3 :
+			str = "dev3";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV4 :
+			str = "dev4";
+			break;
+		default:
+			str = fmt::format("Unknown (0x{:x})", (uint32_t)system_mode);
+			break;
+	}
+
+	return str;
+}
+
+std::string ctrtool::ExHeaderProcess::getSystemModeExtString(byte_t system_mode_ext, byte_t system_mode)
+{
+	std::string str;
+
+	switch (system_mode_ext)
+	{
+		case ntd::n3ds::AccessControlInfo::SystemModeExt_LEGACY :
+			//str = "Legacy";
+			str = fmt::format("ctr {}", getSystemModeString(system_mode));
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemModeExt_PROD :
+			str = "snake prod";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemModeExt_DEV1 :
+			str = "snake dev1";
+			break;
+		default:
+			str = fmt::format("Unknown (0x{:x})", (uint32_t)system_mode_ext);
+			break;
+	}
+
+	return str;
+}
+
+std::string ctrtool::ExHeaderProcess::getSystemModeAppMemorySizeString(byte_t system_mode)
+{
+	std::string str;
+
+	switch (system_mode)
+	{
+		case ntd::n3ds::AccessControlInfo::SystemMode_PROD :
+			str = "64MB";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV1 :
+			str = "96MB";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV2 :
+			str = "80MB";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV3 :
+			str = "72MB";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemMode_DEV4 :
+			str = "32MB";
+			break;
+		default:
+			str = "Unknown";
+			break;
+	}
+
+	return str;
+}
+
+std::string ctrtool::ExHeaderProcess::getSystemModeExtAppMemorySizeString(byte_t system_mode_ext, byte_t system_mode)
+{
+	std::string str;
+
+	switch (system_mode_ext)
+	{
+		case ntd::n3ds::AccessControlInfo::SystemModeExt_LEGACY :
+			str = getSystemModeAppMemorySizeString(system_mode);
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemModeExt_PROD :
+			str = "124MB";
+			break;
+		case ntd::n3ds::AccessControlInfo::SystemModeExt_DEV1 :
+			str = "178MB";
+			break;
+		default:
+			str = "Unknown";
+			break;
+	}
+
+	return str;
+}
+
+std::string ctrtool::ExHeaderProcess::getFsAccessBitString(size_t bit)
+{
+	std::string str;
+
+	switch(bit)
+	{
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CategorySystemApplication : 
+			str = "Category System Application";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CategoryHardwareCheck : 
+			str = "Category Hardware Check";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CategoryFileSystemTool : 
+			str = "Category File System Tool";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_Debug : 
+			str = "Debug";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_TwlCardBackup : 
+			str = "TWL Card Backup";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_TwlNandData : 
+			str = "TWL Nand Data";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_Boss : 
+			str = "BOSS";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_DirectSdmc : 
+			str = "Direct SDMC";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_Core : 
+			str = "Core";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CtrNandRo : 
+			str = "CTR NAND RO";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CtrNandRw : 
+			str = "CTR NAND RW";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CtrNandRoWrite : 
+			str = "CTR NAND RO (Write Access)";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CategorySystemSettings : 
+			str = "Category System Settings";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CardBoard : 
+			str = "CARD BOARD";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_ExportImportIvs : 
+			str = "Export Import IVS";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_DirectSdmcWrite : 
+			str = "Direct SDMC (Write Only)";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_SwitchCleanup : 
+			str = "Switch Cleanup";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_SaveDataMove : 
+			str = "Save Data Move";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_Shop : 
+			str = "Shop";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_Shell : 
+			str = "Shell";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_CategoryHomeMenu : 
+			str = "Category HomeMenu";
+			break;
+		case ntd::n3ds::AccessControlInfo::FileSystemAccess_ExternalSeed : 
+			str = "External Seed (Seed DB)";
+			break;
+		default : 
+			str = fmt::format("Bit {:d} (unknown)", bit);
+			break;
+	}
+	
+	return str;
+}
+
+std::string ctrtool::ExHeaderProcess::getMemoryTypeString(byte_t memory_type)
+{
+	std::string str;
+
+	switch(memory_type)
+	{
+		case ntd::n3ds::AccessControlInfo::MemoryType_Application : 
+			str = "APPLICATION";
+			break;
+		case ntd::n3ds::AccessControlInfo::MemoryType_System : 
+			str = "SYSTEM";
+			break;
+		case ntd::n3ds::AccessControlInfo::MemoryType_Base : 
+			str = "BASE";
+			break;
+		default : 
+			str = fmt::format("Unknown ({:d})", memory_type);
+			break;
+	}
+	
+	return str;
+}
+
+std::string ctrtool::ExHeaderProcess::getByteHexString(byte_t byte)
+{
+	return fmt::format("{:02X}", byte);
+}
+
+std::string ctrtool::ExHeaderProcess::getSysCallName(byte_t syscall)
+{
+	// List of 3DS system calls.  NULL indicates unknown.
+	static const size_t kSysCallNum = 128;
+	static const char *const kSysCallList[kSysCallNum] =
+	{
+		NULL,                                // 00
+		"ControlMemory",                     // 01
+		"QueryMemory",                       // 02
+		"ExitProcess",                       // 03
+		"GetProcessAffinityMask",            // 04
+		"SetProcessAffinityMask",            // 05
+		"GetProcessIdealProcessor",          // 06
+		"SetProcessIdealProcessor",          // 07
+		"CreateThread",                      // 08
+		"ExitThread",                        // 09
+		"SleepThread",                       // 0A
+		"GetThreadPriority",                 // 0B
+		"SetThreadPriority",                 // 0C
+		"GetThreadAffinityMask",             // 0D
+		"SetThreadAffinityMask",             // 0E
+		"GetThreadIdealProcessor",           // 0F
+		"SetThreadIdealProcessor",           // 10
+		"GetCurrentProcessorNumber",         // 11
+		"Run",                               // 12
+		"CreateMutex",                       // 13
+		"ReleaseMutex",                      // 14
+		"CreateSemaphore",                   // 15
+		"ReleaseSemaphore",                  // 16
+		"CreateEvent",                       // 17
+		"SignalEvent",                       // 18
+		"ClearEvent",                        // 19
+		"CreateTimer",                       // 1A
+		"SetTimer",                          // 1B
+		"CancelTimer",                       // 1C
+		"ClearTimer",                        // 1D
+		"CreateMemoryBlock",                 // 1E
+		"MapMemoryBlock",                    // 1F
+		"UnmapMemoryBlock",                  // 20
+		"CreateAddressArbiter",              // 21
+		"ArbitrateAddress",                  // 22
+		"CloseHandle",                       // 23
+		"WaitSynchronization1",              // 24
+		"WaitSynchronizationN",              // 25
+		"SignalAndWait",                     // 26
+		"DuplicateHandle",                   // 27
+		"GetSystemTick",                     // 28
+		"GetHandleInfo",                     // 29
+		"GetSystemInfo",                     // 2A
+		"GetProcessInfo",                    // 2B
+		"GetThreadInfo",                     // 2C
+		"ConnectToPort",                     // 2D
+		"SendSyncRequest1",                  // 2E
+		"SendSyncRequest2",                  // 2F
+		"SendSyncRequest3",                  // 30
+		"SendSyncRequest4",                  // 31
+		"SendSyncRequest",                   // 32
+		"OpenProcess",                       // 33
+		"OpenThread",                        // 34
+		"GetProcessId",                      // 35
+		"GetProcessIdOfThread",              // 36
+		"GetThreadId",                       // 37
+		"GetResourceLimit",                  // 38
+		"GetResourceLimitLimitValues",       // 39
+		"GetResourceLimitCurrentValues",     // 3A
+		"GetThreadContext",                  // 3B
+		"Break",                             // 3C
+		"OutputDebugString",                 // 3D
+		"ControlPerformanceCounter",         // 3E
+		NULL,                                // 3F
+		NULL,                                // 40
+		NULL,                                // 41
+		NULL,                                // 42
+		NULL,                                // 43
+		NULL,                                // 44
+		NULL,                                // 45
+		NULL,                                // 46
+		"CreatePort",                        // 47
+		"CreateSessionToPort",               // 48
+		"CreateSession",                     // 49
+		"AcceptSession",                     // 4A
+		"ReplyAndReceive1",                  // 4B
+		"ReplyAndReceive2",                  // 4C
+		"ReplyAndReceive3",                  // 4D
+		"ReplyAndReceive4",                  // 4E
+		"ReplyAndReceive",                   // 4F
+		"BindInterrupt",                     // 50
+		"UnbindInterrupt",                   // 51
+		"InvalidateProcessDataCache",        // 52
+		"StoreProcessDataCache",             // 53
+		"FlushProcessDataCache",             // 54
+		"StartInterProcessDma",              // 55
+		"StopDma",                           // 56
+		"GetDmaState",                       // 57
+		"RestartDma",                        // 58
+		"SetGpuProt",                        // 59
+		"SetWifiEnabled",                    // 5A
+		NULL,                                // 5B
+		NULL,                                // 5C
+		NULL,                                // 5D
+		NULL,                                // 5E
+		NULL,                                // 5F
+		"DebugActiveProcess",                // 60
+		"BreakDebugProcess",                 // 61
+		"TerminateDebugProcess",             // 62
+		"GetProcessDebugEvent",              // 63
+		"ContinueDebugEvent",                // 64
+		"GetProcessList",                    // 65
+		"GetThreadList",                     // 66
+		"GetDebugThreadContext",             // 67
+		"SetDebugThreadContext",             // 68
+		"QueryDebugProcessMemory",           // 69
+		"ReadProcessMemory",                 // 6A
+		"WriteProcessMemory",                // 6B
+		"SetHardwareBreakPoint",             // 6C
+		"GetDebugThreadParam",               // 6D
+		NULL,                                // 6E
+		NULL,                                // 6F
+		"ControlProcessMemory",              // 70
+		"MapProcessMemory",                  // 71
+		"UnmapProcessMemory",                // 72
+		"CreateCodeSet",                     // 73
+		NULL,                                // 74
+		"CreateProcess",                     // 75
+		"TerminateProcess",                  // 76
+		"SetProcessResourceLimits",          // 77
+		"CreateResourceLimit",               // 78
+		"SetResourceLimitValues",            // 79
+		"AddCodeSegment",                    // 7A
+		"Backdoor",                          // 7B
+		"KernelSetState",                    // 7C
+		"QueryProcessMemory",                // 7D
+		NULL,                                // 7E
+		NULL,                                // 7F
+	};
+
+	std::string str;
+
+	if (syscall >= kSysCallNum)
+		return std::string();
+
+	if (kSysCallList[syscall] != nullptr)
+	{
+		str = kSysCallList[syscall];
+	}
+	else
+	{
+		str = fmt::format("Unknown {:02X}", syscall);;
+	}
+
+	return str;
+}
+
+std::string ctrtool::ExHeaderProcess::getArm9CapabilityBitString(size_t bit)
+{
+	std::string str;
+
+	switch(bit)
+	{
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_FsMountNand : 
+			str = "FsMountNand";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_FsMountNandRoWrite : 
+			str = "FsMountNandRoWrite";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_FsMountTwln : 
+			str = "FsMountTwln";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_FsMountWnand : 
+			str = "FsMountWnand";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_FsMountCardSpi : 
+			str = "FsMountCardSpi";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_UseSdif3 : 
+			str = "UseSdif3";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_CreateSeed : 
+			str = "CreateSeed";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_UseCardSpi : 
+			str = "UseCardSpi";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_SdApplication : 
+			str = "SdApplication";
+			break;
+		case ntd::n3ds::AccessControlInfo::Arm9Capability_UseDirectSdmc : 
+			str = "UseDirectSdmc";
+			break;
+		default : 
+			str = fmt::format("Bit {:d} (unknown)", bit);
+			break;
+	}
+	
+	return str;
+}
\ No newline at end of file
diff --git a/ctrtool/src/ExHeaderProcess.h b/ctrtool/src/ExHeaderProcess.h
new file mode 100644
index 00000000..38219850
--- /dev/null
+++ b/ctrtool/src/ExHeaderProcess.h
@@ -0,0 +1,92 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include <tc/Optional.h>
+#include <ntd/n3ds/exheader.h>
+
+namespace ctrtool {
+
+class ExHeaderProcess
+{
+public:
+	ExHeaderProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_info);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setShowSyscallName(bool show_name);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowInfo;
+	bool mVerbose;
+	bool mVerify;
+	bool mShowSyscallNames;
+
+	ntd::n3ds::ExtendedHeader mHeader;
+	ntd::n3ds::AccessDescriptor mDesc;
+
+	byte_t mValidSignature;
+	struct ValidARM11SystemLocalCapabilities
+	{
+		ValidARM11SystemLocalCapabilities()
+		{
+			system_save_id[0] = ValidState::Unchecked;
+			system_save_id[1] = ValidState::Unchecked;
+			access_info = ValidState::Unchecked;
+			core_version = ValidState::Unchecked;
+			program_id = ValidState::Unchecked;
+			priority = ValidState::Unchecked;
+			affinity_mask = ValidState::Unchecked;
+			ideal_processor = ValidState::Unchecked;
+			old3ds_system_mode = ValidState::Unchecked;
+			new3ds_system_mode = ValidState::Unchecked;
+			enable_l2_cache = ValidState::Unchecked;
+			new3ds_cpu_speed = ValidState::Unchecked;
+			service_control = ValidState::Unchecked;
+		}
+
+		std::array<byte_t, 2> system_save_id;
+		byte_t access_info;
+		byte_t core_version;
+		byte_t program_id;
+		byte_t priority;
+		byte_t affinity_mask;
+		byte_t ideal_processor;
+		byte_t old3ds_system_mode;
+		byte_t new3ds_system_mode;
+		byte_t enable_l2_cache;
+		byte_t new3ds_cpu_speed;
+		byte_t service_control;
+	} mValidLocalCaps;
+
+	void importExHeader();
+	void verifyExHeader();
+	void printExHeader();
+
+	void printSystemControlInfo(const ntd::n3ds::SystemControlInfo& info);
+	void printARM11SystemLocalCapabilities(const ntd::n3ds::AccessControlInfo& info, const ValidARM11SystemLocalCapabilities& valid);
+	void printARM11KernelCapabilities(const ntd::n3ds::AccessControlInfo& info);
+	void printARM9AccessControlInfo(const ntd::n3ds::AccessControlInfo& info);
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+	std::string getSystemModeString(byte_t system_mode);
+	std::string getSystemModeExtString(byte_t system_mode_ext, byte_t system_mode);
+	std::string getSystemModeAppMemorySizeString(byte_t system_mode);
+	std::string getSystemModeExtAppMemorySizeString(byte_t system_mode_ext, byte_t system_mode);
+	std::string getFsAccessBitString(size_t bit);
+	std::string getMemoryTypeString(byte_t memory_type);
+	std::string getByteHexString(byte_t byte);
+	std::string getSysCallName(byte_t syscall);
+	std::string getArm9CapabilityBitString(size_t bit);
+
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/ExeFsProcess.cpp b/ctrtool/src/ExeFsProcess.cpp
new file mode 100644
index 00000000..6acada89
--- /dev/null
+++ b/ctrtool/src/ExeFsProcess.cpp
@@ -0,0 +1,275 @@
+#include "ExeFsProcess.h"
+#include "lzss.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+
+#include <ntd/n3ds/ExeFsSnapshotGenerator.h>
+
+ctrtool::ExeFsProcess::ExeFsProcess() :
+	mModuleLabel("ctrtool::ExeFsProcess"),
+	mInputStream(),
+	mShowHeaderInfo(false),
+	mShowFs(false),
+	mVerbose(false),
+	mVerify(false),
+	mRaw(false),
+	mDecompressCode(false),
+	mExtractPath(),
+	mFsReader()
+{
+	memset((byte_t*)&mHeader, 0, sizeof(ntd::n3ds::ExeFsHeader));
+	memset(mSectionValidation.data(), ValidState::Unchecked, mSectionValidation.size());
+}
+
+void ctrtool::ExeFsProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::ExeFsProcess::setCliOutputMode(bool show_header_info, bool show_fs)
+{
+	mShowHeaderInfo = show_header_info;
+	mShowFs = show_fs;
+}
+
+void ctrtool::ExeFsProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::ExeFsProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+void ctrtool::ExeFsProcess::setRawMode(bool raw)
+{
+	mRaw = raw;
+}
+
+void ctrtool::ExeFsProcess::setDecompressCode(bool decompress)
+{
+	mDecompressCode = decompress;
+}
+
+void ctrtool::ExeFsProcess::setExtractPath(const tc::io::Path& extract_path)
+{
+	mExtractPath = extract_path;
+}
+
+void ctrtool::ExeFsProcess::process()
+{
+	// begin processing
+	importHeader();
+	if (mVerify)
+		verifyFs();
+	if (mShowHeaderInfo)
+		printHeader();
+	if (mShowFs)
+		printFs();
+	if (mExtractPath.isSet())
+		extractFs();
+}
+
+void ctrtool::ExeFsProcess::importHeader()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	// import header
+	if (mInputStream->length() < sizeof(ntd::n3ds::ExeFsHeader))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small.");
+	}
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::ExeFsHeader));
+
+	// do some simple checks to verify if this is an EXEFS header
+	if (mHeader.file_table[0].name[0] == 0 || mHeader.file_table[0].offset.unwrap() != 0 || mHeader.hash_table[ntd::n3ds::ExeFsHeader::kFileNum - 1][0] == 0)
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "ExeFsHeader is corrupted (Bad first entry).");
+	}
+
+	// create FileSystem reader (but don't verify the hashes, we'll do this if necessary to match ctrtool behaviour)
+	mFsReader = std::shared_ptr<tc::io::VirtualFileSystem>(new tc::io::VirtualFileSystem(ntd::n3ds::ExeFsSnapshotGenerator(mInputStream, false)));
+}
+
+void ctrtool::ExeFsProcess::verifyFs()
+{
+	tc::crypto::Sha256Generator hash_calc;
+	std::array<byte_t, hash_calc.kHashSize> hash;
+	tc::ByteData cache = tc::ByteData(0x10000);
+
+	for (size_t i = 0; i < ntd::n3ds::ExeFsHeader::kFileNum; i++)
+	{
+		if (mHeader.file_table[i].size.unwrap() > 0)
+		{
+			auto offset = mHeader.file_table[i].offset.unwrap() + sizeof(ntd::n3ds::ExeFsHeader);
+			auto size = mHeader.file_table[i].size.unwrap();
+			auto& hdr_hash = mHeader.hash_table[ntd::n3ds::ExeFsHeader::kFileNum - 1 - i];
+
+			mInputStream->seek(offset, tc::io::SeekOrigin::Begin);
+			hash_calc.initialize();
+			for (size_t i = size; i > 0;)
+			{
+				size_t read_len = std::min<size_t>(i, cache.size());
+				read_len = mInputStream->read(cache.data(), read_len);
+
+				hash_calc.update(cache.data(), read_len);
+
+				i -= read_len;
+			}
+			hash_calc.getHash(hash.data());
+
+			mSectionValidation[i] = memcmp(hash.data(), hdr_hash.data(), hash.size()) == 0? Good : Fail;
+
+			if (mVerbose)
+			{
+				fmt::print("[LOG/ExeFs] File: \"{}\" {} hash validation\n", mHeader.file_table[i].name.decode(), (mSectionValidation[i] == ValidState::Good ? "passed" : "failed"));
+			}
+		}
+	}
+}
+
+void ctrtool::ExeFsProcess::printHeader()
+{
+	fmt::print("\n");
+	fmt::print("ExeFS:\n");
+	for (size_t i = 0; i < ntd::n3ds::ExeFsHeader::kFileNum; i++)
+	{
+		if (mHeader.file_table[i].size.unwrap() > 0)
+		{
+			const auto& name = mHeader.file_table[i].name;
+			const auto& offset = mHeader.file_table[i].offset;
+			const auto& size = mHeader.file_table[i].size;
+			const auto& hash = mHeader.hash_table[ntd::n3ds::ExeFsHeader::kFileNum - 1 - i];
+
+			fmt::print("Section name:           {}\n", name.decode());
+			fmt::print("Section offset:         0x{:08x}\n", offset.unwrap() + sizeof(ntd::n3ds::ExeFsHeader));
+			fmt::print("Section size:           0x{:08x}\n", size.unwrap());
+			fmt::print("Section hash: {:6}    {}\n", getValidString(mSectionValidation[i]), tc::cli::FormatUtil::formatBytesAsString(hash.data(), hash.size(), true, ""));
+		}
+	}
+}
+
+void ctrtool::ExeFsProcess::printFs()
+{
+	tc::io::sDirectoryListing dir;
+	mFsReader->getDirectoryListing(tc::io::Path("/"), dir);
+
+	fmt::print("[ExeFs Filesystem]\n");
+	fmt::print("  ExeFs:/\n");
+	for (auto itr = dir.file_list.begin(); itr != dir.file_list.end(); itr++)
+	{
+		fmt::print("    {}\n", *itr);
+	}
+}
+
+void ctrtool::ExeFsProcess::extractFs()
+{
+	tc::io::sDirectoryListing dir;
+
+	mFsReader->getDirectoryListing(tc::io::Path("/"), dir);
+
+	tc::io::LocalFileSystem local_fs;
+	std::shared_ptr<tc::io::IStream> in_stream;
+	std::shared_ptr<tc::io::IStream> out_stream;
+	for (auto itr = dir.file_list.begin(); itr != dir.file_list.end(); itr++)
+	{
+		
+		// open input stream
+		mFsReader->openFile(*itr, tc::io::FileMode::Open, tc::io::FileAccess::Read, in_stream);
+
+		// create output file name
+		std::string f_name;
+		if (itr->at(0) == '.')
+			f_name = itr->substr(1, std::string::npos) + ".bin";
+		else
+			f_name = *itr + ".bin";
+
+		// create output file path
+		tc::io::Path f_path = mExtractPath.get() + f_name;
+
+		// open out stream
+		local_fs.createDirectory(mExtractPath.get());
+		local_fs.openFile(f_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
+
+		if (*itr == ".code" && mDecompressCode && !mRaw)
+		{
+			tc::ByteData compdata = tc::ByteData(in_stream->length());
+			in_stream->seek(0, tc::io::SeekOrigin::Begin);
+			in_stream->read(compdata.data(), compdata.size());
+
+			// get code hash, only decompress if hash is valid
+			std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+			tc::crypto::GenerateSha256Hash(hash.data(), compdata.data(), compdata.size());
+			const byte_t* test_hash = nullptr;
+			for (size_t i = 0; i < ntd::n3ds::ExeFsHeader::kFileNum; i++)
+			{
+				if (mHeader.file_table[i].name.decode() == *itr)
+				{
+					test_hash = mHeader.getFileHash(i)->data();
+					break;
+				}
+			}
+			if (test_hash != nullptr && memcmp(test_hash, hash.data(), hash.size()) == 0)
+			{
+				fmt::print("Decompressing section {} to {}...\n", *itr, f_path.to_string());
+
+				tc::ByteData decompdata = tc::ByteData(lzss_get_decompressed_size(compdata.data(), compdata.size()));
+				lzss_decompress(compdata.data(), compdata.size(), decompdata.data(), decompdata.size());
+
+				out_stream->seek(0, tc::io::SeekOrigin::Begin);
+				out_stream->write(decompdata.data(), decompdata.size());
+			}
+			else
+			{
+				fmt::print("Saving section {} to {}...\n", *itr, f_path.to_string());
+
+				out_stream->seek(0, tc::io::SeekOrigin::Begin);
+				out_stream->write(compdata.data(), compdata.size());
+			}
+		}
+		else
+		{
+			fmt::print("Saving section {} to {}...\n", *itr, f_path.to_string());
+
+			tc::ByteData filedata = tc::ByteData(in_stream->length());
+			in_stream->seek(0, tc::io::SeekOrigin::Begin);
+			in_stream->read(filedata.data(), filedata.size());
+
+			out_stream->seek(0, tc::io::SeekOrigin::Begin);
+			out_stream->write(filedata.data(), filedata.size());
+		}
+		
+	}
+}
+
+std::string ctrtool::ExeFsProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
\ No newline at end of file
diff --git a/ctrtool/src/ExeFsProcess.h b/ctrtool/src/ExeFsProcess.h
new file mode 100644
index 00000000..eb95b102
--- /dev/null
+++ b/ctrtool/src/ExeFsProcess.h
@@ -0,0 +1,49 @@
+#pragma once
+#include "types.h"
+#include <tc/Optional.h>
+#include <tc/io/IFileSystem.h>
+#include <ntd/n3ds/exefs.h>
+
+namespace ctrtool {
+
+class ExeFsProcess
+{
+public:
+	ExeFsProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setCliOutputMode(bool show_header_info, bool show_fs);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setRawMode(bool raw);
+	void setDecompressCode(bool decompress_code);
+	void setExtractPath(const tc::io::Path& extract_path);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	bool mShowHeaderInfo;
+	bool mShowFs;
+	bool mVerbose;
+	bool mVerify;
+	bool mRaw;
+	bool mDecompressCode;
+	tc::Optional<tc::io::Path> mExtractPath;
+
+	ntd::n3ds::ExeFsHeader mHeader;
+	std::shared_ptr<tc::io::IFileSystem> mFsReader;
+	std::array<byte_t, ntd::n3ds::ExeFsHeader::kFileNum> mSectionValidation;
+
+	void importHeader();
+	void verifyFs();
+	void printHeader();
+	void printFs();
+	void extractFs();
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/FirmProcess.cpp b/ctrtool/src/FirmProcess.cpp
new file mode 100644
index 00000000..aa9949a8
--- /dev/null
+++ b/ctrtool/src/FirmProcess.cpp
@@ -0,0 +1,396 @@
+#include "FirmProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+
+#include <tc/crypto/Aes128CbcEncryptedStream.h>
+
+ctrtool::FirmProcess::FirmProcess() :
+	mModuleLabel("ctrtool::FirmProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowInfo(false),
+	mVerbose(false),
+	mVerify(false),
+	mExtractPath(),
+	mFirmwareType(FirmwareType_Nand),
+	mSignatureState(SignatureState_Unchecked)
+{
+	memset((byte_t*)&mHeader, 0, sizeof(mHeader));
+	memset(mValidFirmSectionHash.data(), ValidState::Unchecked, mValidFirmSectionHash.size());
+}
+
+void ctrtool::FirmProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::FirmProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::FirmProcess::setCliOutputMode(bool show_info)
+{
+	mShowInfo = show_info;
+}
+
+void ctrtool::FirmProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::FirmProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+void ctrtool::FirmProcess::setExtractPath(const tc::io::Path& extract_path)
+{
+	mExtractPath = extract_path;
+}
+
+void ctrtool::FirmProcess::setFirmwareType(FirmwareType type)
+{
+	mFirmwareType = type;
+}
+
+void ctrtool::FirmProcess::process()
+{
+	// begin processing
+	importHeader();
+	generateSectionStreams();
+
+	if (mVerify)
+	{
+		verifyHashes();
+		verifySignature();
+	}
+		
+	if (mShowInfo)
+		printData();
+
+	if (mExtractPath.isSet())
+		extractSections();
+}
+
+void ctrtool::FirmProcess::importHeader()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}	
+
+	// import header
+	if (mInputStream->length() < (sizeof(ntd::n3ds::FirmwareHeader)))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small to import header.");
+	}
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(mHeader));
+
+	if (mHeader.struct_magic.unwrap() != mHeader.kStructMagic)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Invalid struct magic.");
+	}
+}
+
+void ctrtool::FirmProcess::generateSectionStreams()
+{
+	tc::crypto::Aes128CbcEncryptedStream::key_t aes_key;
+	tc::crypto::Aes128CbcEncryptedStream::iv_t aes_iv;
+
+	// generate AES key
+	memset(aes_key.data(), 0, aes_key.size());
+	memset(aes_iv.data(), 0, aes_iv.size());
+	if (mFirmwareType == FirmwareType_Ngc)
+	{
+		auto key_itr = mKeyBag.firmware_key.find(mKeyBag.FIRM_NGC_KEY);
+		if (key_itr != mKeyBag.firmware_key.end())
+		{
+			memcpy(aes_key.data(), key_itr->second.data(), 16);
+		}
+	}
+	else if (mFirmwareType == FirmwareType_Nor)
+	{
+		auto key_itr = mKeyBag.firmware_key.find(mKeyBag.FIRM_NOR_KEY);
+		if (key_itr != mKeyBag.firmware_key.end())
+		{
+			memcpy(aes_key.data(), key_itr->second.data(), 16);
+		}
+	}
+	else if (mFirmwareType == FirmwareType_Sdmc)
+	{
+		auto key_itr = mKeyBag.firmware_key.find(mKeyBag.FIRM_SD_KEY);
+		if (key_itr != mKeyBag.firmware_key.end())
+		{
+			memcpy(aes_key.data(), key_itr->second.data(), 16);
+		}
+	}
+
+	for (size_t i = 0; i < mHeader.section.size(); i++)
+	{
+		if (mHeader.section[i].size.unwrap() > 0)
+		{
+			std::shared_ptr<tc::io::IStream> raw_stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(mInputStream, mHeader.section[i].offset.unwrap(), mHeader.section[i].size.unwrap()));
+
+			switch (mFirmwareType)
+			{
+				case FirmwareType_Nand:
+					mSectionStreams[i] = raw_stream;
+					break;
+				case FirmwareType_Ngc:
+				case FirmwareType_Nor:
+				case FirmwareType_Sdmc:
+					createSectionAesIv(aes_iv, mHeader.section[i]);
+					mSectionStreams[i] = std::make_shared<tc::crypto::Aes128CbcEncryptedStream>(tc::crypto::Aes128CbcEncryptedStream(raw_stream, aes_key, aes_iv));
+					break;
+			}
+		}
+		else
+		{
+			mSectionStreams[i] = nullptr;
+		}
+	}
+}
+
+void ctrtool::FirmProcess::verifyHashes()
+{
+	tc::crypto::Sha256Generator hash_calc;
+	std::array<byte_t, hash_calc.kHashSize> hash;
+	tc::ByteData cache = tc::ByteData(0x10000);
+
+	// get encryption key
+
+	for (size_t i = 0; i < mHeader.section.size(); i++)
+	{
+		if (mHeader.section[i].size.unwrap() > 0 && mSectionStreams[i] != nullptr)
+		{
+			auto& hdr_hash = mHeader.section[i].hash;
+
+			mSectionStreams[i]->seek(0, tc::io::SeekOrigin::Begin);
+			hash_calc.initialize();
+			for (size_t j = mSectionStreams[i]->length(); j > 0;)
+			{
+				size_t read_len = std::min<size_t>(j, cache.size());
+				read_len = mSectionStreams[i]->read(cache.data(), read_len);
+
+				hash_calc.update(cache.data(), read_len);
+
+				j -= read_len;
+			}
+			hash_calc.getHash(hash.data());
+
+			mValidFirmSectionHash[i] = memcmp(hash.data(), hdr_hash.data(), hash.size()) == 0? ValidState::Good : ValidState::Fail;
+		}
+	}
+}
+
+void ctrtool::FirmProcess::verifySignature()
+{
+	byte_t key_id = 0;
+
+	switch (mFirmwareType)
+	{
+		case FirmwareType_Nand:
+		case FirmwareType_Sdmc:
+			key_id = mKeyBag.RSAKEY_FIRM_NAND;
+			break;
+		case FirmwareType_Ngc:
+		case FirmwareType_Nor:
+			key_id = mKeyBag.RSAKEY_FIRM_RECOVERY;
+	}
+
+	byte_t valid_signature = ValidState::Unchecked;
+	bool is_sighax = false;
+
+	// validate header signature
+	if (mKeyBag.rsa_key.find(key_id) != mKeyBag.rsa_key.end())
+	{
+		std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+		tc::crypto::RsaKey pubkey = mKeyBag.rsa_key[key_id];
+
+		// generate hash
+		size_t offset = 0;
+		size_t size = sizeof(mHeader) - sizeof(mHeader.signature);
+		tc::crypto::GenerateSha256Hash(hash.data(), ((byte_t*)&mHeader) + offset, size);
+
+		// validate signature
+		valid_signature = tc::crypto::VerifyRsa2048Pkcs1Sha256(mHeader.signature.data(), hash.data(), pubkey) ? ValidState::Good : ValidState::Fail;
+	}
+	else
+	{
+		fmt::print(stderr, "Could not read static rsa_key {}.\n", key_id == mKeyBag.RSAKEY_FIRM_NAND ? "RSAKEY_FIRM_NAND" : "RSAKEY_FIRM_RECOVERY");
+		valid_signature = ValidState::Fail;
+	}
+
+	// check if signature is sighax
+	if (mKeyBag.rsa_sighax_signature.find(key_id) != mKeyBag.rsa_sighax_signature.end())
+	{
+		auto signature = mKeyBag.rsa_sighax_signature[key_id];
+
+		is_sighax = memcmp(signature.data(), mHeader.signature.data(), mHeader.signature.size()) == 0;
+	}
+	else
+	{
+		fmt::print(stderr, "Could not read rsa_sighax_signature for {}.\n", key_id == mKeyBag.RSAKEY_FIRM_NAND ? "RSAKEY_FIRM_NAND" : "RSAKEY_FIRM_RECOVERY");
+		is_sighax = false;
+	}
+
+	// test if signature was valid
+	if (valid_signature == ValidState::Good)
+	{
+		mSignatureState = SignatureState_Good;
+	}
+	// check if sighax
+	else if (valid_signature == ValidState::Fail && is_sighax == true)
+	{
+		mSignatureState = SignatureState_SigHax;
+	}
+	else
+	{
+		mSignatureState = SignatureState_Fail;
+	}
+}
+
+void ctrtool::FirmProcess::printData()
+{
+	fmt::print("\n");
+	fmt::print("FIRM:\n");
+	fmt::print("Signature: {:8}     {}\n", getSignatureStateString(mSignatureState) , tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mHeader.signature.data(), mHeader.signature.size(), true, "", 0x20, 24, false));
+	fmt::print("Magic:                  {}\n", "FIRM");
+	fmt::print("Priority:               {:d}\n", mHeader.priority.unwrap());
+	fmt::print("Entrypoint ARM11:       0x{:08x}\n", mHeader.entrypoint_arm11.unwrap());
+	fmt::print("Entrypoint ARM9:        0x{:08x}\n", mHeader.entrypoint_arm9.unwrap());
+	fmt::print("\n");
+	for (size_t i = 0; i < mHeader.section.size(); i++)
+	{
+		if (mHeader.section[i].size.unwrap() == 0) continue;
+		
+		fmt::print("Section {:d}\n", i);
+		fmt::print(" Offset:                0x{:08x}\n", mHeader.section[i].offset.unwrap());
+		fmt::print(" Address:               0x{:08x}\n", mHeader.section[i].address.unwrap());
+		fmt::print(" Size:                  0x{:08x}\n", mHeader.section[i].size.unwrap());
+		fmt::print(" Copy Method:           {} (0x{:08x})\n", getCopyMethodString(mHeader.section[i].copy_method.unwrap()), mHeader.section[i].copy_method.unwrap());
+		fmt::print(" Hash: {:6}           {}\n", getValidString(mValidFirmSectionHash[i]), tc::cli::FormatUtil::formatBytesAsString(mHeader.section[i].hash.data(), mHeader.section[i].hash.size(), true, ""));
+	}
+}
+
+void ctrtool::FirmProcess::extractSections()
+{
+	tc::io::LocalFileSystem local_fs;
+	std::shared_ptr<tc::io::IStream> in_stream;
+	std::shared_ptr<tc::io::IStream> out_stream;
+
+	for (size_t i = 0; i < mHeader.section.size(); i++)
+	{
+		if (mHeader.section[i].size.unwrap() > 0 && mSectionStreams[i] != nullptr)
+		{
+			in_stream = mSectionStreams[i];
+
+			// create output file name
+			std::string f_name = fmt::format("firm_{:d}_{:08x}.bin", i, mHeader.section[i].address.unwrap());
+			
+			// create output file path
+			tc::io::Path f_path = mExtractPath.get() + f_name;
+
+			// save output file path string
+			std::string f_path_str;
+			tc::io::PathUtil::pathToUnixUTF8(f_path, f_path_str);
+
+			// open out stream
+			local_fs.createDirectory(mExtractPath.get());
+			local_fs.openFile(f_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
+
+			fmt::print("Saving section {} to {}...\n", i, f_path_str);
+
+			tc::ByteData filedata = tc::ByteData(in_stream->length());
+			in_stream->seek(0, tc::io::SeekOrigin::Begin);
+			in_stream->read(filedata.data(), filedata.size());
+
+			out_stream->seek(0, tc::io::SeekOrigin::Begin);
+			out_stream->write(filedata.data(), filedata.size());
+		}
+	}
+}
+
+void ctrtool::FirmProcess::createSectionAesIv(std::array<byte_t, 16>& iv, const ntd::n3ds::FirmwareHeader::SectionHeader& section)
+{
+	tc::bn::le32<uint32_t>* aes_iv_words = (tc::bn::le32<uint32_t>*)(iv.data());
+	aes_iv_words[0].wrap(section.offset.unwrap());
+	aes_iv_words[1].wrap(section.address.unwrap());
+	aes_iv_words[2].wrap(section.size.unwrap());
+	aes_iv_words[3].wrap(section.size.unwrap());
+}
+
+std::string ctrtool::FirmProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::FirmProcess::getSignatureStateString(byte_t signature_state)
+{
+	std::string ret_str;
+
+	switch(signature_state)
+	{
+		case SignatureState_Unchecked: 
+			ret_str = "";
+			break;
+		case SignatureState_Good: 
+			ret_str = "(GOOD)";
+			break;
+		case SignatureState_Fail: 
+			ret_str = "(FAIL)";
+			break;
+		case SignatureState_SigHax: 
+			ret_str = "(SIGHAX)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::FirmProcess::getCopyMethodString(uint32_t method)
+{
+	std::string ret_str;
+
+	switch(method)
+	{
+		case ntd::n3ds::FirmwareHeader::SectionHeader::CopyMethod_NDMA :
+			ret_str = "NDMA";
+			break;
+		case ntd::n3ds::FirmwareHeader::SectionHeader::CopyMethod_XDMA :
+			ret_str = "XDMA";
+			break;
+		case ntd::n3ds::FirmwareHeader::SectionHeader::CopyMethod_MEMCPY :
+			ret_str = "MEMCPY";
+			break;
+		default:
+			ret_str = "Unknown";
+			break;
+	}
+
+	return ret_str;
+}
\ No newline at end of file
diff --git a/ctrtool/src/FirmProcess.h b/ctrtool/src/FirmProcess.h
new file mode 100644
index 00000000..076fd3d1
--- /dev/null
+++ b/ctrtool/src/FirmProcess.h
@@ -0,0 +1,71 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include <tc/io/IStream.h>
+#include <ntd/n3ds/firm.h>
+
+namespace ctrtool {
+
+class FirmProcess
+{
+public:
+	enum FirmwareType
+	{
+		FirmwareType_Nand = 0, // NAND signature, sections not encrypted
+		FirmwareType_Ngc = 1, // Recovery Signature, but sections are encrypted
+		FirmwareType_Nor = 2, // Recovery Signature like NGC, but different section encryption key.
+		FirmwareType_Sdmc = 3, // NAND signature, but sections are encrypted.
+	};
+
+	FirmProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_info);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setExtractPath(const tc::io::Path& extract_path);
+	void setFirmwareType(FirmwareType type);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowInfo;
+	bool mVerbose;
+	bool mVerify;
+	tc::Optional<tc::io::Path> mExtractPath;
+	FirmwareType mFirmwareType;
+
+	ntd::n3ds::FirmwareHeader mHeader;
+	
+	enum SignatureState
+	{
+		SignatureState_Unchecked = 0,
+		SignatureState_Good = 1,
+		SignatureState_Fail = 2,
+		SignatureState_SigHax = 3,
+	};
+
+	byte_t mSignatureState;
+	std::array<std::shared_ptr<tc::io::IStream>, 4> mSectionStreams;
+	std::array<byte_t, 4> mValidFirmSectionHash;
+
+	void importHeader();
+	void generateSectionStreams();
+	void verifyHashes();
+	void verifySignature();
+	void printData();
+	void extractSections();
+
+	void createSectionAesIv(std::array<byte_t, 16>& iv, const ntd::n3ds::FirmwareHeader::SectionHeader& section);
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+	std::string getSignatureStateString(byte_t signature_state);
+	std::string getCopyMethodString(uint32_t method);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/IvfcProcess.cpp b/ctrtool/src/IvfcProcess.cpp
new file mode 100644
index 00000000..80343426
--- /dev/null
+++ b/ctrtool/src/IvfcProcess.cpp
@@ -0,0 +1,199 @@
+#include "IvfcProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+
+ctrtool::IvfcProcess::IvfcProcess() :
+	mModuleLabel("ctrtool::IvfcProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowHeaderInfo(false),
+	mShowFs(false),
+	mVerbose(false),
+	mVerify(),
+	mExtractPath(),
+	mRomFsProcess()
+{
+	memset((byte_t*)&mHeader, 0, sizeof(ntd::n3ds::IvfcCtrRomfsHeader));
+	mMasterHashOffset = 0;
+	for (size_t i = 0; i < ntd::n3ds::IvfcCtrRomfsHeader::kLevelNum; i++)
+	{
+		mActualLevelOffsets[i] = 0;
+		mLevelValidation[i] = ValidState::Unchecked;
+	}
+}
+
+void ctrtool::IvfcProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::IvfcProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::IvfcProcess::setCliOutputMode(bool show_header_info, bool show_fs)
+{
+	mShowHeaderInfo = show_header_info;
+	mShowFs = show_fs;
+}
+
+void ctrtool::IvfcProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::IvfcProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+void ctrtool::IvfcProcess::setExtractPath(const tc::io::Path& extract_path)
+{
+	mExtractPath = extract_path;
+}
+
+void ctrtool::IvfcProcess::process()
+{
+	// begin processing
+	processHeader();
+	if (mVerify)
+		verifyLevels();
+	if (mShowHeaderInfo)
+		printHeader();
+	processRomFs();
+}
+
+void ctrtool::IvfcProcess::processHeader()
+{
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	// import header
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::IvfcCtrRomfsHeader));
+
+	// do some simple checks to verify if this is an IVFC header
+	if (mHeader.head.struct_magic.unwrap() != mHeader.head.kStructMagic ||
+		mHeader.head.type_id.unwrap() != mHeader.head.TypeId_A ||
+	    mHeader.header_size.unwrap() != sizeof(ntd::n3ds::IvfcCtrRomfsHeader))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "IvfcCtrRomfsHeader is corrupted.");
+	}
+
+	mMasterHashOffset = align<int64_t>(sizeof(ntd::n3ds::IvfcCtrRomfsHeader), ntd::n3ds::IvfcCtrRomfsHeader::kHeaderAlign);
+	mActualLevelOffsets[2] = align<int64_t>(mMasterHashOffset + static_cast<int64_t>(mHeader.master_hash_size.unwrap()), static_cast<int64_t>(1) << static_cast<int64_t>(mHeader.level[1].block_size_log2.unwrap()));
+	mActualLevelOffsets[0] = align<int64_t>(mActualLevelOffsets[2] + static_cast<int64_t>(mHeader.level[2].size.unwrap()), static_cast<int64_t>(1) << static_cast<int64_t>(mHeader.level[2].block_size_log2.unwrap()));
+	mActualLevelOffsets[1] = align<int64_t>(mActualLevelOffsets[0] + static_cast<int64_t>(mHeader.level[0].size.unwrap()), static_cast<int64_t>(1) << static_cast<int64_t>(mHeader.level[0].block_size_log2.unwrap()));
+}
+
+void ctrtool::IvfcProcess::verifyLevels()
+{
+	size_t blk_num;
+	size_t blk_sz;
+	int64_t hash_base_offset;
+	size_t hash_sz;
+	tc::crypto::Sha256Generator hashgen;
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> calc_hash;
+	for (size_t i = 0; i < mActualLevelOffsets.size(); i++)
+	{
+		blk_sz = size_t(1) << size_t(mHeader.level[i].block_size_log2.unwrap());
+		blk_num = (mHeader.level[i].size.unwrap() / blk_sz) + ((mHeader.level[i].size.unwrap() % blk_sz) ? 1 : 0);
+		hash_base_offset = (i == 0) ? mMasterHashOffset : mActualLevelOffsets[i-1];
+		hash_sz = blk_num * tc::crypto::Sha256Generator::kHashSize;
+
+		tc::ByteData test_hash = tc::ByteData(hash_sz);
+		mInputStream->seek(hash_base_offset, tc::io::SeekOrigin::Begin);
+		mInputStream->read(test_hash.data(), test_hash.size());
+
+		tc::ByteData block = tc::ByteData(blk_sz);
+		mInputStream->seek(mActualLevelOffsets[i], tc::io::SeekOrigin::Begin);
+		size_t bad_blocks = blk_num;
+		for (size_t j = 0; j < blk_num; j++)
+		{
+			mInputStream->read(block.data(), block.size());
+			hashgen.initialize();
+			hashgen.update(block.data(), block.size());
+			hashgen.getHash(calc_hash.data());
+			if (memcmp(calc_hash.data(), test_hash.data() + j*tc::crypto::Sha256Generator::kHashSize, tc::crypto::Sha256Generator::kHashSize) != 0)
+			{
+				if (mVerbose)
+				{
+					fmt::print("[LOG/IVFC] IVFC Layer {:d}, Block {:d} failed validation\n", i, j);
+				}
+					
+			}
+			else
+			{
+				bad_blocks -= 1;
+			}
+		}
+
+		mLevelValidation[i] = bad_blocks == 0? ValidState::Good : ValidState::Fail;
+		if (mVerbose)
+		{
+			fmt::print("[LOG/IVFC] IVFC Layer {:d} {} validation\n", i, (mLevelValidation[i] == ValidState::Good ? "passed" : "failed"));
+		}
+	}
+}
+
+void ctrtool::IvfcProcess::printHeader()
+{
+	fmt::print("\n");
+	fmt::print("IVFC:\n");
+	fmt::print("Header:                 {}\n", "IVFC");
+	fmt::print("Id:                     {:08x}\n", mHeader.head.type_id.unwrap());
+	fmt::print("Master hash size:       0x{:08x}\n", mHeader.master_hash_size.unwrap());
+	fmt::print("Header size:            0x{:08x}\n", mHeader.header_size.unwrap());
+
+	for (size_t i = 0; i < ntd::n3ds::IvfcCtrRomfsHeader::kLevelNum; i++)
+	{
+		fmt::print("\n");
+		fmt::print("Level {:d}: {}\n", i, getValidString(mLevelValidation[i]));
+		fmt::print(" Offset:            0x{:08x} (Actual: 0x{:08x})\n", mHeader.level[i].offset.unwrap(), mActualLevelOffsets[i]);
+		fmt::print(" Size:              0x{:08x}\n", mHeader.level[i].size.unwrap());
+		fmt::print(" BlockSizeLog2:     0x{:08x} (BlockSize: 0x{:08x})\n", mHeader.level[i].block_size_log2.unwrap(), 1 << mHeader.level[i].block_size_log2.unwrap());
+	}
+}
+
+void ctrtool::IvfcProcess::processRomFs()
+{
+	std::shared_ptr<ntd::n3ds::IvfcStream> data_layer = std::shared_ptr<ntd::n3ds::IvfcStream>(new ntd::n3ds::IvfcStream(mInputStream));
+
+	mRomFsProcess.setInputStream(data_layer);
+	mRomFsProcess.setKeyBag(mKeyBag);
+	mRomFsProcess.setCliOutputMode(mShowHeaderInfo, mShowFs);
+	mRomFsProcess.setVerboseMode(mVerbose);
+	mRomFsProcess.setVerifyMode(mVerify);
+	if (mExtractPath.isSet())
+		mRomFsProcess.setExtractPath(mExtractPath.get());
+	mRomFsProcess.process();
+}
+
+std::string ctrtool::IvfcProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
\ No newline at end of file
diff --git a/ctrtool/src/IvfcProcess.h b/ctrtool/src/IvfcProcess.h
new file mode 100644
index 00000000..cc59340f
--- /dev/null
+++ b/ctrtool/src/IvfcProcess.h
@@ -0,0 +1,50 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include "RomFsProcess.h"
+#include <tc/Optional.h>
+#include <ntd/n3ds/ivfc.h>
+#include <ntd/n3ds/IvfcStream.h>
+
+namespace ctrtool {
+
+class IvfcProcess
+{
+public:
+	IvfcProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_header_info, bool show_fs);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setExtractPath(const tc::io::Path& extract_path);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowHeaderInfo;
+	bool mShowFs;
+	bool mVerbose;
+	bool mVerify;
+	tc::Optional<tc::io::Path> mExtractPath;
+
+	ntd::n3ds::IvfcCtrRomfsHeader mHeader;
+	ctrtool::RomFsProcess mRomFsProcess;
+	int64_t mMasterHashOffset;
+	std::array<int64_t, ntd::n3ds::IvfcCtrRomfsHeader::kLevelNum> mActualLevelOffsets;
+	std::array<byte_t, ntd::n3ds::IvfcCtrRomfsHeader::kLevelNum> mLevelValidation;
+
+	void processHeader();
+	void verifyLevels();
+	void printHeader();
+	void processRomFs();
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/KeyBag.cpp b/ctrtool/src/KeyBag.cpp
new file mode 100644
index 00000000..55ebc085
--- /dev/null
+++ b/ctrtool/src/KeyBag.cpp
@@ -0,0 +1,945 @@
+#include "KeyBag.h"
+
+#include <tc/cli/FormatUtil.h>
+
+ctrtool::KeyBagInitializer::KeyBagInitializer(bool isDev, const tc::Optional<std::string>& fallback_title_key_str, const tc::Optional<tc::io::Path>& seed_db_path, const tc::Optional<std::string>& fallback_seed_str)
+{
+	// add static data
+	addStaticAesKeys(isDev);
+	addStaticRsaKeys(isDev);
+	addSigHaxSignatures(isDev);
+
+	// import seed database
+	if (seed_db_path.isSet())
+	{
+		auto file_source = std::shared_ptr<tc::io::StreamSource>();
+		
+		try {
+			auto file_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(seed_db_path.get(), tc::io::FileMode::Open, tc::io::FileAccess::Read));
+			file_source = std::shared_ptr<tc::io::StreamSource>(new tc::io::StreamSource(file_stream));
+		}
+		catch (tc::io::FileNotFoundException&) {
+			throw tc::ArgumentException("ctrtool::KeyBagInitializer", "Failed to open seed database file.");
+		}
+
+		importSeedDb(file_source);
+	}
+
+	// import fallback keys
+	if (fallback_title_key_str.isSet())
+	{
+		if (importFallbackKey(fallback_title_key, fallback_title_key_str.get()) == false)
+		{
+			throw tc::ArgumentOutOfRangeException("ctrtool::KeyBagInitializer", "Fallback title key failed to import.");
+		}
+	}
+	if (fallback_seed_str.isSet())
+	{
+		if (importFallbackKey(fallback_seed, fallback_seed_str.get()) == false)
+		{
+			throw tc::ArgumentOutOfRangeException("ctrtool::KeyBagInitializer", "Fallback seed failed to import.");
+		}
+	}
+}
+
+void ctrtool::KeyBagInitializer::addStaticAesKeys(bool isDev)
+{
+	struct DefaultAesKey
+	{
+		byte_t key_index;
+		KeyBag::Aes128Key key;
+	};
+
+	static const size_t kDefaultNcchFixedKeyNum = 2;
+	const DefaultAesKey default_ncch_fixed_aes_keys[kDefaultNcchFixedKeyNum][2] = 
+	{
+		{
+			{NCCH_APPLICATION_FIXED_KEY, {0}},
+			{NCCH_APPLICATION_FIXED_KEY, {0}},
+		},
+		{
+			{NCCH_SYSTEM_FIXED_KEY, {0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}},
+			{NCCH_SYSTEM_FIXED_KEY, {0x52, 0x7c, 0xe6, 0x30, 0xa9, 0xca, 0x30, 0x5f, 0x36, 0x96, 0xf3, 0xcd, 0xe9, 0x54, 0x19, 0x4b}},
+		}
+	};
+
+	static const size_t kDefaultNcchSecureKeyXNum = 4;
+	const DefaultAesKey default_ncch_secure_aes_keys_x[kDefaultNcchSecureKeyXNum][2] = 
+	{
+		{
+			// retail
+			{NCCH_SECURE_KEY_FW1, {0xb9, 0x8e, 0x95, 0xce, 0xca, 0x3e, 0x4d, 0x17, 0x1f, 0x76, 0xa9, 0x4d, 0xe9, 0x34, 0xc0, 0x53}},
+			// dev
+			{NCCH_SECURE_KEY_FW1, {0x51, 0x02, 0x07, 0x51, 0x55, 0x07, 0xcb, 0xb1, 0x8e, 0x24, 0x3d, 0xcb, 0x85, 0xe2, 0x3a, 0x1d}},
+		},
+		{
+			// retail
+			{NCCH_SECURE_KEY_FW7, {0xce, 0xe7, 0xd8, 0xab, 0x30, 0xc0, 0x0d, 0xae, 0x85, 0x0e, 0xf5, 0xe3, 0x82, 0xac, 0x5a, 0xf3}},
+			// dev
+			{NCCH_SECURE_KEY_FW7, {0x81, 0x90, 0x7a, 0x4b, 0x6f, 0x1b, 0x47, 0x32, 0x3a, 0x67, 0x79, 0x74, 0xce, 0x4a, 0xd7, 0x1b}},
+		},
+		{
+			// retail
+			{NCCH_SECURE_KEY_FW9_3, {0x82, 0xe9, 0xc9, 0xbe, 0xbf, 0xb8, 0xbd, 0xb8, 0x75, 0xec, 0xc0, 0xa0, 0x7d, 0x47, 0x43, 0x74}},
+			// dev
+			{NCCH_SECURE_KEY_FW9_3, {0x30, 0x4b, 0xf1, 0x46, 0x83, 0x72, 0xee, 0x64, 0x11, 0x5e, 0xbd, 0x40, 0x93, 0xd8, 0x42, 0x76}},
+		},
+		{
+			// retail
+			{NCCH_SECURE_KEY_FW9_6, {0x45, 0xad, 0x04, 0x95, 0x39, 0x92, 0xc7, 0xc8, 0x93, 0x72, 0x4a, 0x9a, 0x7b, 0xce, 0x61, 0x82}},
+			// dev
+			{NCCH_SECURE_KEY_FW9_6, {0x6c, 0x8b, 0x29, 0x44, 0xa0, 0x72, 0x60, 0x35, 0xf9, 0x41, 0xdf, 0xc0, 0x18, 0x52, 0x4f, 0xb6}},
+		},
+	};
+
+	static const size_t kDefaultCommonKeyNum = 6;
+	const DefaultAesKey default_common_aes_keys[kDefaultCommonKeyNum][2] = 
+	{
+		{
+			// retail
+			{COMMONKEY_APPLICATION, {0x64, 0xC5, 0xFD, 0x55, 0xDD, 0x3A, 0xD9, 0x88, 0x32, 0x5B, 0xAA, 0xEC, 0x52, 0x43, 0xDB, 0x98}},
+			// dev
+			{COMMONKEY_APPLICATION, {0x55, 0xA3, 0xF8, 0x72, 0xBD, 0xC8, 0x0C, 0x55, 0x5A, 0x65, 0x43, 0x81, 0x13, 0x9E, 0x15, 0x3B}},
+		},
+		{
+			// retail
+			{COMMONKEY_SYSTEM, {0x4A, 0xAA, 0x3D, 0x0E, 0x27, 0xD4, 0xD7, 0x28, 0xD0, 0xB1, 0xB4, 0x33, 0xF0, 0xF9, 0xCB, 0xC8}},
+			// dev
+			{COMMONKEY_SYSTEM, {0x44, 0x34, 0xED, 0x14, 0x82, 0x0C, 0xA1, 0xEB, 0xAB, 0x82, 0xC1, 0x6E, 0x7B, 0xEF, 0x0C, 0x25}},
+		},
+		{
+			// retail
+			{COMMONKEY_UNUSED_2, {0xFB, 0xB0, 0xEF, 0x8C, 0xDB, 0xB0, 0xD8, 0xE4, 0x53, 0xCD, 0x99, 0x34, 0x43, 0x71, 0x69, 0x7F}},
+			// dev
+			{COMMONKEY_UNUSED_2, {0xF6, 0x2E, 0x3F, 0x95, 0x8E, 0x28, 0xA2, 0x1F, 0x28, 0x9E, 0xEC, 0x71, 0xA8, 0x66, 0x29, 0xDC}},
+		},
+		{
+			// retail
+			{COMMONKEY_UNUSED_3, {0x25, 0x95, 0x9B, 0x7A, 0xD0, 0x40, 0x9F, 0x72, 0x68, 0x41, 0x98, 0xBA, 0x2E, 0xCD, 0x7D, 0xC6}},
+			// dev
+			{COMMONKEY_UNUSED_3, {0x2B, 0x49, 0xCB, 0x6F, 0x99, 0x98, 0xD9, 0xAD, 0x94, 0xF2, 0xED, 0xE7, 0xB5, 0xDA, 0x3E, 0x27}},
+		},
+		{
+			// retail
+			{COMMONKEY_UNUSED_4, {0x7A, 0xDA, 0x22, 0xCA, 0xFF, 0xC4, 0x76, 0xCC, 0x82, 0x97, 0xA0, 0xC7, 0xCE, 0xEE, 0xEE, 0xBE}},
+			// dev
+			{COMMONKEY_UNUSED_4, {0x75, 0x05, 0x52, 0xBF, 0xAA, 0x1C, 0x04, 0x07, 0x55, 0xC8, 0xD5, 0x9A, 0x55, 0xF9, 0xAD, 0x1F}},
+		},
+		{
+			// retail
+			{COMMONKEY_UNUSED_4, {0xA5, 0x05, 0x1C, 0xA1, 0xB3, 0x7D, 0xCF, 0x3A, 0xFB, 0xCF, 0x8C, 0xC1, 0xED, 0xD9, 0xCE, 0x02}},
+			// dev
+			{COMMONKEY_UNUSED_4, {0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63}},
+		}
+	};
+	
+	// ncch fixed keys
+	for (size_t i = 0; i < kDefaultNcchFixedKeyNum; i++)
+	{
+		ncch_fixed_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(default_ncch_fixed_aes_keys[i][isDev].key_index, default_ncch_fixed_aes_keys[i][isDev].key));
+	}
+
+	// ncch secure key x
+	for (size_t i = 0; i < kDefaultNcchSecureKeyXNum; i++)
+	{
+		ncch_secure_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(default_ncch_secure_aes_keys_x[i][isDev].key_index, default_ncch_secure_aes_keys_x[i][isDev].key));
+	}
+	
+	// ticket common key
+	for (size_t i = 0; i < kDefaultCommonKeyNum; i++)
+	{
+		common_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(default_common_aes_keys[i][isDev].key_index, default_common_aes_keys[i][isDev].key));
+	}
+
+	// populate aes keyslots
+	enum StaticKeyXSlots
+	{
+		KEYX_2C_2F,
+		KEYX_30_33,
+		KEYX_34_37,
+		KEYX_38_3B,
+		KEYX_3C,
+		KEYX_3D,
+		KEYX_3E,
+		KEYX_3F,
+		BROM_KEYX_NUM
+	};
+	const DefaultAesKey default_brom_static_keyx[BROM_KEYX_NUM][2] = 
+	{
+		{
+			// retail
+			{KEYX_2C_2F, {0xB9, 0x8E, 0x95, 0xCE, 0xCA, 0x3E, 0x4D, 0x17, 0x1F, 0x76, 0xA9, 0x4D, 0xE9, 0x34, 0xC0, 0x53}},
+			// dev
+			{KEYX_2C_2F, {0x51, 0x02, 0x07, 0x51, 0x55, 0x07, 0xCB, 0xB1, 0x8E, 0x24, 0x3D, 0xCB, 0x85, 0xE2, 0x3A, 0x1D}},
+		},
+		{
+			// retail
+			{KEYX_30_33, {0xC6, 0x6E, 0x23, 0x12, 0x8F, 0x28, 0x91, 0x33, 0xF0, 0x4C, 0xDB, 0x87, 0x7A, 0x37, 0x49, 0xF2}},
+			// dev
+			{KEYX_30_33, {0x3F, 0x05, 0x4E, 0x66, 0x3B, 0x3E, 0xF7, 0x28, 0xC8, 0x98, 0x4D, 0x20, 0xC4, 0xAF, 0xD5, 0xA0}},
+		},
+		{
+			// retail
+			{KEYX_34_37, {0x6F, 0xBB, 0x01, 0xF8, 0x72, 0xCA, 0xF9, 0xC0, 0x18, 0x34, 0xEE, 0xC0, 0x40, 0x65, 0xEE, 0x53}},
+			// dev
+			{KEYX_34_37, {0x7B, 0xFB, 0x77, 0xBC, 0xBC, 0x05, 0x9A, 0x06, 0xAC, 0xAD, 0x88, 0xEF, 0x2F, 0xCA, 0xBE, 0xDB}},
+		},
+		{
+			// retail
+			{KEYX_38_3B, {0xB5, 0x29, 0x22, 0x1C, 0xDD, 0xB5, 0xDB, 0x5A, 0x1B, 0xF2, 0x6E, 0xFF, 0x20, 0x41, 0xE8, 0x75}},
+			// dev
+			{KEYX_38_3B, {0x5C, 0x3D, 0x38, 0xAC, 0x17, 0x40, 0x99, 0x4E, 0xFC, 0x8F, 0xD0, 0xBE, 0x8D, 0x80, 0x97, 0xB3}},
+		},
+		{
+			// retail
+			{KEYX_3C, {0xC3, 0x5D, 0x6D, 0x15, 0x68, 0x0B, 0x1A, 0xD4, 0xE9, 0x12, 0xA3, 0x41, 0x83, 0x61, 0x21, 0xB3}},
+			// dev
+			{KEYX_3C, {0x61, 0xBF, 0x11, 0x37, 0x0B, 0x29, 0x2F, 0xFA, 0xB3, 0x88, 0x51, 0xEC, 0x5D, 0xAE, 0x5D, 0xEC}},
+		},
+		// commonkey
+		{
+			// retail
+			{KEYX_3D, {0x61, 0x70, 0x85, 0x71, 0x9B, 0x7C, 0xFB, 0x31, 0x6D, 0xF4, 0xDF, 0x2E, 0x83, 0x62, 0xC6, 0xE2}},
+			// dev
+			{KEYX_3D, {0xBD, 0x4F, 0xE7, 0xE7, 0x33, 0xC7, 0x55, 0xFC, 0xE7, 0x54, 0x0E, 0xAB, 0xBD, 0x8A, 0xC3, 0xD3}},
+		},
+		{
+			// retail
+			{KEYX_3E, {0x24, 0xBA, 0xF6, 0x28, 0xD0, 0x68, 0x89, 0xBF, 0x28, 0x2D, 0x0A, 0xA3, 0x5D, 0xC5, 0x56, 0x50}},
+			// dev
+			{KEYX_3E, {0x28, 0x87, 0xA4, 0xD4, 0x28, 0xF6, 0xF2, 0x24, 0xB0, 0x3A, 0xB3, 0x36, 0xE2, 0x2C, 0x61, 0x1E}},
+		},
+		{
+			// retail
+			{KEYX_3F, {0xA3, 0x12, 0x33, 0x28, 0x0B, 0xB4, 0xDA, 0xA7, 0x76, 0x13, 0x93, 0xF7, 0x8C, 0x42, 0x49, 0x52}},
+			// dev
+			{KEYX_3F, {0xBE, 0x66, 0x5D, 0xE6, 0xFB, 0x8C, 0x3F, 0x0A, 0x98, 0x71, 0x96, 0x0A, 0xD7, 0xCF, 0xBE, 0x79}},
+		}
+	};
+
+	// 0x2C-0x2F
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x2C + i, default_brom_static_keyx[KEYX_2C_2F][isDev].key));
+	}
+	// 0x30-0x33
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x30 + i, default_brom_static_keyx[KEYX_30_33][isDev].key));
+	}
+	// 0x34-0x37
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x34 + i, default_brom_static_keyx[KEYX_34_37][isDev].key));
+	}
+	// 0x38-0x3B
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x38 + i, default_brom_static_keyx[KEYX_38_3B][isDev].key));
+	}
+	// 0x3C
+	brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3C, default_brom_static_keyx[KEYX_3C][isDev].key));
+	// 0x3D common key
+	brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3D, default_brom_static_keyx[KEYX_3D][isDev].key));
+	// 0x3E
+	brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3E, default_brom_static_keyx[KEYX_3E][isDev].key));
+	// 0x3F
+	brom_static_key_x.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3F, default_brom_static_keyx[KEYX_3F][isDev].key));
+
+	enum StaticKeyYSlots
+	{
+		KEYY_04,
+		KEYY_05,
+		KEYY_06,
+		KEYY_07,
+		KEYY_08,
+		KEYY_09,
+		KEYY_0A,
+		KEYY_0B,
+		BROM_KEYY_NUM
+	};
+	const DefaultAesKey default_brom_static_keyy[BROM_KEYY_NUM][2] = 
+	{
+		{
+			// retail
+			{KEYY_04, {0xFF, 0x33, 0x88, 0xEC, 0xD2, 0x17, 0x05, 0xBB, 0x33, 0x9E, 0x96, 0x79, 0x86, 0xDC, 0x49, 0x07}},
+			// dev
+			{KEYY_04, {0x5C, 0xE6, 0xB1, 0xEC, 0x3F, 0x5F, 0x9D, 0x7B, 0x2E, 0x81, 0xE2, 0x21, 0x45, 0xA5, 0x76, 0x8D}},
+		},
+		{
+			// retail
+			{KEYY_05, {0x54, 0xEF, 0x03, 0x5F, 0x30, 0x26, 0x0E, 0x0E, 0x9B, 0x5E, 0x00, 0x4F, 0xC9, 0x85, 0xDC, 0x22}},
+			// dev
+			{KEYY_05, {0x28, 0x5B, 0x2E, 0x23, 0xA3, 0xC3, 0x0E, 0x54, 0x8F, 0x24, 0xEE, 0x8D, 0x28, 0x7C, 0x26, 0x42}},
+		},
+		{
+			// retail
+			{KEYY_06, {0x24, 0xB0, 0x5A, 0xAA, 0xAC, 0x0B, 0x09, 0x92, 0x52, 0x03, 0x0C, 0x02, 0xD1, 0x04, 0x03, 0x17}},
+			// dev
+			{KEYY_06, {0xAE, 0x94, 0xFC, 0x90, 0xBE, 0x6B, 0x6C, 0xD5, 0xF1, 0xB0, 0xCB, 0x55, 0x95, 0x07, 0x22, 0x0E}},
+		},
+		{
+			// retail
+			{KEYY_07, {0xE9, 0xAC, 0xC5, 0xAB, 0xD4, 0xAD, 0x3F, 0x06, 0x60, 0xC8, 0x3C, 0x89, 0x34, 0x88, 0x2F, 0x3F}},
+			// dev
+			{KEYY_07, {0x49, 0x97, 0x4D, 0x47, 0xB6, 0xE2, 0xC9, 0xD9, 0x19, 0x4A, 0x2D, 0x97, 0xFD, 0xF2, 0x83, 0xBE}},
+		},
+		{
+			// retail
+			{KEYY_08, {0x48, 0x03, 0x05, 0x01, 0x06, 0xD4, 0x82, 0xDC, 0xD7, 0x5F, 0x85, 0xC5, 0xAA, 0xDF, 0xF9, 0xB3}},
+			// dev
+			{KEYY_08, {0x25, 0xA6, 0x19, 0x50, 0x4F, 0x07, 0xD0, 0x68, 0x19, 0x03, 0x34, 0xA8, 0x14, 0x09, 0xC2, 0x08}},
+		},
+		{
+			// retail
+			{KEYY_09, {0xAF, 0x63, 0x46, 0xEF, 0xDD, 0xDF, 0xA9, 0x80, 0x6E, 0x3C, 0x6B, 0x68, 0x55, 0xB7, 0x89, 0x30}},
+			// dev
+			{KEYY_09, {0x65, 0x7B, 0xBD, 0x65, 0x2E, 0x8B, 0xF3, 0x0F, 0x37, 0x40, 0xC4, 0x8F, 0xAC, 0x6C, 0xC5, 0x9E}},
+		},
+		{
+			// retail
+			{KEYY_0A, {0x0A, 0x87, 0x0A, 0x2C, 0x4B, 0x2F, 0xC3, 0x17, 0x2E, 0x5F, 0x03, 0x35, 0xD8, 0xC5, 0x08, 0x5D}},
+			// dev
+			{KEYY_0A, {0x14, 0x7A, 0xD1, 0x4A, 0xC2, 0x06, 0xB1, 0x00, 0xE2, 0x00, 0x2A, 0x7B, 0x1A, 0x0D, 0xDD, 0x3D}},
+		},
+		{
+			// retail
+			{KEYY_0B, {0xFD, 0xA0, 0x15, 0x2F, 0xCD, 0x6D, 0xDB, 0x31, 0x33, 0xB8, 0x87, 0xBA, 0x72, 0x7C, 0x0A, 0xDA}},
+			// dev
+			{KEYY_0B, {0xA3, 0xD0, 0x0D, 0x9E, 0x2C, 0x5E, 0xDF, 0x30, 0x86, 0x64, 0x86, 0x61, 0x1C, 0xE0, 0x8D, 0x25}},
+		}
+	};
+	// 0x04
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x04, default_brom_static_keyy[KEYY_04][isDev].key));
+	// 0x05
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x05, default_brom_static_keyy[KEYY_05][isDev].key));
+	// 0x06
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x06, default_brom_static_keyy[KEYY_06][isDev].key));
+	// 0x07
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x07, default_brom_static_keyy[KEYY_07][isDev].key));
+	// 0x08
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x08, default_brom_static_keyy[KEYY_08][isDev].key));
+	// 0x09
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x09, default_brom_static_keyy[KEYY_09][isDev].key));
+	// 0x0A
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x0A, default_brom_static_keyy[KEYY_0A][isDev].key));
+	// 0x0B
+	brom_static_key_y.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x0B, default_brom_static_keyy[KEYY_0B][isDev].key));
+
+
+	enum StaticKeySlots
+	{
+		KEY_0C_0F,
+		KEY_10_13,
+		KEY_14,
+		KEY_15,
+		KEY_16,
+		KEY_17,
+		KEY_18_1B,
+		KEY_1C_1F,
+		KEY_20_23,
+		KEY_24_27,
+		KEY_28,
+		KEY_29,
+		KEY_2A,
+		KEY_2B,
+		KEY_2C_2F,
+		KEY_30_33,
+		KEY_34_37,
+		KEY_38_3B,
+		KEY_3C,
+		KEY_3D,
+		KEY_3E,
+		KEY_3F,
+		BROM_KEY_NUM
+	};
+	const DefaultAesKey default_brom_static_key[BROM_KEY_NUM][2] = 
+	{
+		{
+			// retail
+			{KEY_0C_0F, {0xE7, 0xC9, 0xFF, 0x9D, 0x4F, 0x5B, 0x6F, 0x4D, 0xC5, 0xE2, 0xF5, 0x0E, 0x85, 0x6F, 0x0A, 0xB2}},
+			// dev
+			{KEY_0C_0F, {0x25, 0xC6, 0x26, 0x59, 0x55, 0xA4, 0xFC, 0x6A, 0xC7, 0xE8, 0x58, 0x08, 0x7B, 0xD3, 0x09, 0x71}},
+		},
+		{
+			// retail
+			{KEY_10_13, {0x28, 0x57, 0x13, 0xDB, 0x53, 0x05, 0x1C, 0x08, 0x9B, 0xDF, 0xB3, 0xB6, 0xAA, 0x63, 0x8F, 0xDA}},
+			// dev
+			{KEY_10_13, {0x29, 0x72, 0xAF, 0xF5, 0x0F, 0xEE, 0x9F, 0x6F, 0x7B, 0x44, 0x3E, 0xC3, 0x4C, 0x7F, 0xDE, 0xAD}},
+		},
+		{
+			// retail
+			{KEY_14, {0x2A, 0xF3, 0xBB, 0xD3, 0x2C, 0xD5, 0x9C, 0x06, 0xFD, 0x4A, 0xBE, 0x58, 0x65, 0x19, 0x87, 0xAD}},
+			// dev
+			{KEY_14, {0x09, 0x71, 0x2F, 0x77, 0xEF, 0x36, 0x7C, 0xC0, 0xC9, 0x68, 0x41, 0x93, 0x8D, 0xC0, 0xB3, 0xA1}},
+		},
+		{
+			// retail
+			{KEY_15, {0xBE, 0x28, 0x36, 0x75, 0x1C, 0x73, 0x4B, 0xA8, 0xDA, 0x18, 0xE1, 0x88, 0x7F, 0x88, 0x8B, 0xD6}},
+			// dev
+			{KEY_15, {0x62, 0xEE, 0x74, 0x6F, 0x91, 0xE0, 0x2B, 0x1D, 0xD2, 0xF1, 0x7D, 0x46, 0xBB, 0xC2, 0xC9, 0xC5}},
+		},
+		{
+			// retail
+			{KEY_16, {0xE3, 0xA1, 0x8E, 0xB1, 0xC1, 0xDC, 0x8A, 0x3D, 0x27, 0xC3, 0x96, 0x7E, 0x6E, 0x36, 0x2D, 0xE3}},
+			// dev
+			{KEY_16, {0x41, 0x97, 0x20, 0xED, 0x83, 0x04, 0xAC, 0x7C, 0x38, 0xE7, 0x30, 0xC6, 0xF4, 0x4E, 0xAC, 0x7C}},
+		},
+		{
+			// retail
+			{KEY_17, {0xD0, 0x29, 0x4C, 0xFB, 0x7B, 0xE0, 0xB4, 0xFB, 0x73, 0x24, 0xD9, 0x86, 0xFD, 0x39, 0x93, 0xBB}},
+			// dev
+			{KEY_17, {0xC8, 0xE1, 0x94, 0x3B, 0x63, 0x9A, 0x02, 0xF1, 0x48, 0xB4, 0xFC, 0x99, 0xDF, 0xCF, 0x64, 0x6D}},
+		},
+		{
+			// retail
+			{KEY_18_1B, {0x5D, 0xDD, 0x47, 0x39, 0x03, 0x7B, 0xC6, 0xA8, 0x70, 0xE6, 0x20, 0xB7, 0x0F, 0x67, 0x35, 0x04}},
+			// dev
+			{KEY_18_1B, {0x76, 0xF8, 0x45, 0x68, 0x11, 0x32, 0xBB, 0x31, 0xB6, 0xCF, 0x9E, 0x2E, 0x39, 0x48, 0x99, 0x3A}},
+		},
+		{
+			// retail
+			{KEY_1C_1F, {0x59, 0xF4, 0x39, 0x9C, 0x2F, 0x95, 0xA4, 0x12, 0x8A, 0x1F, 0xE4, 0x9D, 0x4D, 0xB6, 0x86, 0xDD}},
+			// dev
+			{KEY_1C_1F, {0x18, 0x5C, 0x51, 0x17, 0x0D, 0x68, 0x16, 0xF2, 0xE4, 0xA5, 0x63, 0x22, 0xFA, 0xBB, 0xB3, 0x9D}},
+		},
+		{
+			// retail
+			{KEY_20_23, {0x7C, 0x92, 0xF6, 0x27, 0x25, 0x51, 0xC4, 0x61, 0x4D, 0xB0, 0xB3, 0x45, 0xED, 0xD2, 0xE8, 0x69}},
+			// dev
+			{KEY_20_23, {0xE3, 0x86, 0x81, 0x5A, 0xA0, 0x4F, 0xEE, 0x3A, 0x23, 0xAE, 0x8E, 0x5A, 0xD7, 0xC5, 0x0F, 0x48}},
+		},
+		{
+			// retail
+			{KEY_24_27, {0xBB, 0xE8, 0xB4, 0xE0, 0x9D, 0x09, 0x37, 0x81, 0x6B, 0x23, 0x4D, 0x8E, 0xB3, 0xCD, 0x3C, 0xA2}},
+			// dev
+			{KEY_24_27, {0xD9, 0xC0, 0x1E, 0xC5, 0x68, 0xE9, 0xC5, 0x85, 0x08, 0x27, 0xEE, 0xED, 0x59, 0xCC, 0x10, 0x57}},
+		},
+		{
+			// retail
+			{KEY_28, {0x52, 0x18, 0x12, 0x7E, 0x13, 0x3C, 0xE3, 0xB8, 0x5B, 0xB8, 0xC0, 0x18, 0xCE, 0x76, 0xB7, 0xE2}},
+			// dev
+			{KEY_28, {0x29, 0x62, 0xF3, 0x47, 0xB1, 0xF9, 0x8A, 0x69, 0x7C, 0x68, 0x94, 0xA8, 0xBA, 0xBD, 0x15, 0xA2}},
+		},
+		{
+			// retail
+			{KEY_29, {0x4A, 0x42, 0x64, 0xCF, 0x32, 0xE8, 0x41, 0x70, 0x66, 0x6F, 0x29, 0xAC, 0x88, 0xEF, 0x3F, 0x7E}},
+			// dev
+			{KEY_29, {0xEB, 0xCD, 0xE8, 0x6C, 0x34, 0xBE, 0x2D, 0x9E, 0xB9, 0x5E, 0x18, 0xB0, 0x3D, 0x8A, 0x41, 0x68}},
+		},
+		{
+			// retail
+			{KEY_2A, {0x51, 0xAF, 0x6C, 0x4C, 0x8B, 0x13, 0xDA, 0x32, 0x28, 0xBD, 0x29, 0xB3, 0x71, 0xCF, 0x84, 0xE1}},
+			// dev
+			{KEY_2A, {0x35, 0x08, 0xCF, 0xD3, 0xEA, 0xE5, 0xA4, 0xDA, 0x14, 0xAA, 0xCD, 0xD7, 0x37, 0x26, 0x3F, 0x77}},
+		},
+		{
+			// retail
+			{KEY_2B, {0x3E, 0xD6, 0xF5, 0xCF, 0x2C, 0xC3, 0x7C, 0x54, 0x65, 0x50, 0x00, 0xB7, 0xC8, 0xB5, 0x2E, 0x0D}},
+			// dev
+			{KEY_2B, {0x4F, 0x04, 0xC8, 0xB6, 0x7F, 0xEA, 0x1F, 0x5F, 0x3D, 0x9F, 0xFE, 0xCD, 0x13, 0x95, 0xF9, 0xDD}},
+		},
+		{
+			// retail
+			{KEY_2C_2F, {0xB8, 0x7E, 0x64, 0x01, 0x8B, 0x19, 0x0F, 0xFE, 0x04, 0x8A, 0x81, 0x24, 0xC6, 0x45, 0x41, 0x96}},
+			// dev
+			{KEY_2C_2F, {0x8A, 0xFE, 0x0F, 0x82, 0x69, 0x90, 0x1A, 0xD9, 0x31, 0x9A, 0x4C, 0xA7, 0x0F, 0xB0, 0x97, 0x0C}},
+		},
+		{
+			// retail
+			{KEY_30_33, {0x28, 0xC0, 0xD5, 0x9B, 0x73, 0x66, 0x57, 0xBC, 0xDF, 0x50, 0xFF, 0x17, 0x49, 0x79, 0x95, 0x8A}},
+			// dev
+			{KEY_30_33, {0xFA, 0xD5, 0xB8, 0x49, 0x64, 0x08, 0x96, 0xC3, 0x4E, 0xAC, 0xDB, 0x2C, 0x72, 0xD3, 0x71, 0x3A}},
+		},
+		{
+			// retail
+			{KEY_34_37, {0x6E, 0x78, 0xA3, 0xBE, 0x9B, 0xDD, 0xDA, 0x09, 0xBF, 0xD5, 0x69, 0x48, 0x3F, 0x24, 0xFC, 0xE0}},
+			// dev
+			{KEY_34_37, {0xA9, 0xBE, 0x6A, 0xB4, 0x31, 0x6C, 0xA5, 0x8A, 0x00, 0xC2, 0xA2, 0x3B, 0xE7, 0x57, 0xDF, 0x39}},
+		},
+		{
+			// retail
+			{KEY_38_3B, {0x13, 0xE6, 0x2E, 0x5D, 0x6F, 0xB1, 0x65, 0x6B, 0x24, 0xDD, 0x33, 0x4B, 0xF1, 0x54, 0x68, 0xC3}},
+			// dev
+			{KEY_38_3B, {0xD1, 0xF8, 0xB1, 0x55, 0x29, 0xD6, 0x4B, 0x64, 0xE0, 0xD7, 0x4F, 0x98, 0xB5, 0xF8, 0xCC, 0x24}},
+		},
+		{
+			// retail
+			{KEY_3C, {0x85, 0xDB, 0x63, 0x07, 0x7C, 0x50, 0x11, 0x6B, 0x94, 0x90, 0xD4, 0xFA, 0xD6, 0x1A, 0xB2, 0x41}},
+			// dev
+			{KEY_3C, {0x82, 0x22, 0x6A, 0x9B, 0x55, 0x4A, 0x47, 0xEB, 0xA3, 0x8B, 0xD4, 0x04, 0x98, 0xED, 0x3F, 0x38}},
+		},
+		{
+			// retail
+			{KEY_3D, {0xA3, 0x08, 0xEB, 0x30, 0x64, 0x11, 0x42, 0x13, 0xA6, 0x0C, 0x56, 0x15, 0x8F, 0x5C, 0x49, 0x63}},
+			// dev
+			{KEY_3D, {0xE3, 0x03, 0x88, 0x02, 0xDE, 0x96, 0x9E, 0x1D, 0x5E, 0x5D, 0xB5, 0xB9, 0xF4, 0x54, 0x41, 0xBF}},
+		},
+		{
+			// retail
+			{KEY_3E, {0x07, 0x01, 0x98, 0xA2, 0xE4, 0x19, 0x4B, 0x9D, 0x02, 0x27, 0x92, 0x18, 0x35, 0xE4, 0x10, 0x6F}},
+			// dev
+			{KEY_3E, {0xE9, 0x86, 0xEC, 0xDF, 0x2C, 0x45, 0x07, 0x30, 0xB4, 0x17, 0x61, 0xE0, 0x37, 0x42, 0x58, 0x6D}},
+		},
+		{
+			// retail
+			{KEY_3F, {0x8E, 0xB7, 0x46, 0xF5, 0x18, 0xF7, 0xA8, 0xD8, 0x0E, 0x06, 0x91, 0xC8, 0x64, 0x1A, 0x56, 0xC5}},
+			// dev
+			{KEY_3F, {0xE5, 0x88, 0x3F, 0x09, 0xC9, 0x81, 0x17, 0x9B, 0x76, 0x8C, 0xB1, 0x33, 0x2C, 0xC6, 0xBB, 0xAC}},
+		},
+	};
+	
+	// 0x0C-0x0F
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x0C + i, default_brom_static_key[KEY_0C_0F][isDev].key));
+	}
+	// 0x10-0x13
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x10 + i, default_brom_static_key[KEY_10_13][isDev].key));
+	}
+	// 0x14
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x14, default_brom_static_key[KEY_14][isDev].key));
+	// 0x15
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x15, default_brom_static_key[KEY_15][isDev].key));
+	// 0x16
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x16, default_brom_static_key[KEY_16][isDev].key));
+	// 0x17
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x17, default_brom_static_key[KEY_17][isDev].key));
+	// 0x18-0x1B
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x18 + i, default_brom_static_key[KEY_18_1B][isDev].key));
+	}
+	// 0x1C-0x1F
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x1C + i, default_brom_static_key[KEY_1C_1F][isDev].key));
+	}
+	// 0x20-0x23
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x20 + i, default_brom_static_key[KEY_20_23][isDev].key));
+	}
+	// 0x24-0x27
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x24 + i, default_brom_static_key[KEY_24_27][isDev].key));
+	}
+	// 0x28
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x28, default_brom_static_key[KEY_28][isDev].key));
+	// 0x29
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x29, default_brom_static_key[KEY_29][isDev].key));
+	// 0x2A
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x2A, default_brom_static_key[KEY_2A][isDev].key));
+	// 0x2B
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x2B, default_brom_static_key[KEY_2B][isDev].key));
+	// 0x2C-0x2F
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x2C + i, default_brom_static_key[KEY_2C_2F][isDev].key));
+	}
+	// 0x30-0x33
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x30 + i, default_brom_static_key[KEY_30_33][isDev].key));
+	}
+	// 0x34-0x37
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x34 + i, default_brom_static_key[KEY_34_37][isDev].key));
+	}
+	// 0x38-0x3B
+	for (size_t i = 0; i < 4; i++)
+	{
+		brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x38 + i, default_brom_static_key[KEY_38_3B][isDev].key));
+	}
+	// 0x3C
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3C, default_brom_static_key[KEY_3C][isDev].key));
+	// 0x3D
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3D, default_brom_static_key[KEY_3D][isDev].key));
+	// 0x3E
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3E, default_brom_static_key[KEY_3E][isDev].key));
+	// 0x3F
+	brom_static_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(0x3F, default_brom_static_key[KEY_3F][isDev].key));
+	
+	// Add Firmware AES keys
+	static const size_t kFirmwareAesKeyNum = 3;
+	const DefaultAesKey default_firmware_key[kFirmwareAesKeyNum][2] = 
+	{
+		{
+			// retail
+			{FIRM_NGC_KEY, {0x07, 0x55, 0x0C, 0x97, 0x0C, 0x3D, 0xBD, 0x9E, 0xDD, 0xA9, 0xFB, 0x5D, 0x4C, 0x7F, 0xB7, 0x13}},
+			// dev
+			{FIRM_NGC_KEY, {0x4D, 0xAD, 0x21, 0x24, 0xC2, 0xD3, 0x29, 0x73, 0x10, 0x0F, 0xBF, 0xBD, 0x16, 0x04, 0xC6, 0xF1}},
+		},
+		{
+			// retail
+			{FIRM_NOR_KEY, {0x19, 0x2F, 0x08, 0x61, 0x03, 0x07, 0x35, 0xF2, 0x60, 0xB0, 0x64, 0x0B, 0xC0, 0x74, 0xEF, 0x93}},
+			// dev
+			{FIRM_NOR_KEY, {0xC0, 0x85, 0xC3, 0x07, 0x26, 0xFC, 0x4E, 0xD9, 0x1D, 0xD9, 0x75, 0x67, 0xC0, 0x41, 0xA9, 0x9C}},
+		},
+		{
+			// retail
+			{FIRM_SD_KEY, {0x85, 0xDB, 0x63, 0x07, 0x7C, 0x50, 0x11, 0x6B, 0x94, 0x90, 0xD4, 0xFA, 0xD6, 0x1A, 0xB2, 0x41}},
+			// dev
+			{FIRM_SD_KEY, {0x82, 0x22, 0x6A, 0x9B, 0x55, 0x4A, 0x47, 0xEB, 0xA3, 0x8B, 0xD4, 0x04, 0x98, 0xED, 0x3F, 0x38}},
+		},
+	};
+	for (size_t i = 0; i < kFirmwareAesKeyNum; i++)
+	{
+		firmware_key.insert(std::pair<byte_t, KeyBag::Aes128Key>(default_firmware_key[i][isDev].key_index, default_firmware_key[i][isDev].key));
+	}
+}
+
+void ctrtool::KeyBagInitializer::addStaticRsaKeys(bool isDev)
+{
+	auto public_exp = tc::ByteData({0x01,0x00,0x01});
+
+	struct DefaultRsaKey
+	{
+		byte_t key_index;
+		tc::crypto::RsaKey key;
+	};
+
+	static const size_t kDefaultRsaKeyNum = 9;
+	DefaultRsaKey default_rsa_keys[kDefaultRsaKeyNum][2] = 
+	{
+		{
+			// retail
+			{RSAKEY_FIRM_NAND, {tc::cli::FormatUtil::hexStringToBytes("DECFB6FC3D33E955FDAC90E88817B003A16B9AAB72707932A2A08CBB336FB076962EC4E92ED88F92C02D4D410FDE451B253CBE376B458221E64DB1238182B68162B730F4604BC7F7F0170CB575887793526370F00BC6734341EEE4F071ECC8C132C4DCA9991D31B8A47EDD19040F02A81AAFB3489A29295E4984E09411D17EABB2C0447EA11B5E9D0D1AF9029A2E53032D48967C2CA6D7ACF1ED2B18BB01CB13B9ACA6EE5500377C696162890154779F075D26343AA949A5AFF25E0651B71CE0DEDA5C0B9F98C215FDBAD8A99900ABA48E4A169D662AE85664B2B6C093AF4D38A0165CE4BD62C2466BC95A594A7258FDB2CC36873085E8A1045BE0179BD0EC9B"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_FIRM_NAND, {tc::cli::FormatUtil::hexStringToBytes("C11E84E4DAD7EDC8A5D9CB0BE93B9DBC1569F795F68FB7912419BE8FFEBBC11D09F0E378A20CC00B8ECDBA0E694C614ABD13EAE223E40B621F9B631B3134B71273646B4E60410A3D5486FA49EC2D77AD1DBC48E7FB07EF48C3BEC3D6E15B3DCD5E6B46086A3A0EAE254944A5400D945318A48F578EF4CDB4D34EE7159B11958500C49294B8BEFECBB750A0BE8AF5FDC80E4BA941136248CD1AF3C86BA5A0DFF19D3DFDE4D17C1F000D99726BA3057F8638BE4D5EAB93DFF3EEA19F2250A87F31AA2B03719B14C43088426FD52C7B03643B14EC4633CC2C959F5C7B83C567DD7CA12DD6EC170B23C7B19A72BA78CB39685CB6B461E198CF1D69F9D7B0A05E9CEB"), tc::ByteData(), public_exp}},
+		},
+		{
+			// retail
+			{RSAKEY_FIRM_RECOVERY, {tc::cli::FormatUtil::hexStringToBytes("D29FF5678F4BE3760C5FB1A6F846B4AE7D95CC50ED6515EE5BBDB9F0BCAB7E2B736B7EE1F623C473C7C3F84E680486DBBEBC8084EC5413CA21633CF4437636C05921F5D25953F0C1B38B07C94F03108BE9F9F791F67F15FD9B74F36220DAC235733BCCB3405B41040E41FF440DA9C5F76F9A64F210C6FC7A5BA84486575DB8B3A9949C536CCD81B446A917E3788D93113B638C253A5CF9FE94E6064DC828C83A124D2650D49B8CD9974D64B23D8DC4D3C6B28C1A07F074274ED34E208DB943ADD13A721B2C59745852A041506E1CB64C9D65275528AB0C931289FBCC8799C11C6AE7FC28659C7D4730FE8F605F7A1D6828DCF01D39A148C376BE8869B769FCE5"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_FIRM_RECOVERY, {tc::cli::FormatUtil::hexStringToBytes("C0C6E3B52B1EBA2233CA36F0AA3FE3EF69AC8191CB71FA20798E15F88F8725AD92F200D9128B35BEE7A989448C794B929A76DA20B0EE4596C01F51C618F4DA71BB0209FE5577599C68AA6D9A8DF93A921B7F9B9F4B318917225F29EEE3A8A018B33B8822057A324F56037FC90FCC68D0C6E753BE48F5189464E0AC91CAFF95101BA52A73AC196862DEA7701FD00C071EB176F3E6436531B5CFAC0594D40F3B9CBC0F10E30DA06484692A382F3B70135BFB9C37FEB3CB27AC291D4694442AD351E2C3CDE94C21CDE9BB0BB8850CA67F5F9DC930425CAB834471AEB418EAF9EE52EE86249270220AECDFBF3978F0FB024C89555E0EB66FA9A067B1DE847CE2200B"), tc::ByteData(), public_exp}},
+		},
+		{
+			// retail
+			{RSAKEY_NCSD_NAND, {tc::cli::FormatUtil::hexStringToBytes("AA948C55BE3CAAFD5B53E5A9F583EB6D02EE4F72365A81CAFAE0E0D95869C5E65DFE389CA16D7AA00DA999341614B88FDDD8C0DB82E929500B6C9C2728AA3B2C9AEE1A5C3080BE97FDFCF55EBC75A9CF06FE7915F43D7A6B50B553B0A7DF112632FAB970C688F0AF36BE9101788D2C13313D28AE17AF6A80114CA6E06092D82C8061FB2814A4938556FF80B7D1AB4DFC2587F81A3E4EB9CD66EF322AA3D3DCDC3C04B94D6A4B47AB43941BEA092ED688EDF845F14163606AFBD881E7A7473656D873034B28E13D120181DA07BC6763476F2D3A52D19A44EF5960F6FB027E0103A4E0F9202791D4F90F867E56015DFCD42D8C913DD90D1565E65614B1E45C6831"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_NCSD_NAND, {tc::cli::FormatUtil::hexStringToBytes("C767DA7B195440553720B382CF7496B9AE884AF5711CBA4E1AEC6D62078DDBAA4B594A3D63CF6CC0BF8DFB32430CCE7C0EE24FDF049F3C650A0EA7A8E91AC44414CF845E1C7B9EDADD6C076B7CC4412841A35B8F4A11C126F8A23C12F23DF88D71D478363DBDF6479B8D5BBBBA04A8A24D274881AB2F2121E9049F5706488F6565D7EA2BC6BDFC529EDCE1C385FC0C66CD1B4D2D882AB431F0665B9F0E86CA44529A8160095D54417D16C623A08DA1DC3FBDAE705D862F025B033591B8F4D7A7928DCE3556FD48A54C0A47E440BD31E224AE86A7BDC94C0E4B124B5AC8F6F08F84FAD15C674D0CE39E706119C108F01EFEA58B63A99C5BB9949782EE0DE71653"), tc::ByteData(), public_exp}},
+		},
+		{
+			// retail
+			{RSAKEY_CFA_CCI, {tc::cli::FormatUtil::hexStringToBytes("FBDEB82B40930FF6B19A08061B86FED0DF1079173D8CE27ACE8F2345B90A6DED300EC1A892C4BD1ACEA7AC77AA47E5204A4491DF1CFE8628122D66DFBEAD9661EDF2F7417B57886B241E7DECBE986565366599A9FE24678599EE2AAEEEB1811A22E36D756E21BCEF115C61AF0C3000B6A223EDFE7015DA52E1E62DCE34E8AA4CF1D6675657D3DBC090496F4573934E303070F5C98F3125F2C2E7337F4EB6F52ADF2000E579B2D0F917F77E1690400057914478EF1CE08509DAF4147E4BD735D687548F2AB5A76F50D0F7D1F119C9AC227E0511F5F26DEE9227575FE5150D2768BF52657473A6586D7918AC31DDDD808B7524E117E195251629AB6969C828EE5D"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_CFA_CCI, {tc::cli::FormatUtil::hexStringToBytes("B90CC4C678F86E300528C1CBD2CFA7805C574D169CAFA6CD01BB8333AD03BB0663D817F5E3DFDA0D3B860EA2804794446FD9977E786AC39393EF02FC229F80778C70921C43B1374C76E0573BAB89FFEFE5BB3EAB9139B8D9660B64289192E9D0B3DFD14BC173B53F56A04010FE152B1FA27ADE31B02640C357FD35CBF0FAFFFB6FDBCD341D512D2D8118FF0C0851D5B44B5616029F4E6ADF066ECB7285E92E43A208780C389C19BD7B747468C42DC1359E653BD899041C8B938E7E927CBBDD60ECE7FE0E9D4F3646E6F15C9470EE675F362B70448DCA09B95867D29FAD1F135474ADA6844428F3DE7E4C202BC5E912E95EFB8D77A9A4D20D3C3824BEF58AB5F5"), tc::ByteData(), public_exp}},
+		},
+		{
+			// retail
+			{RSAKEY_ACCESSDESC, {tc::cli::FormatUtil::hexStringToBytes("B1E3E35F013980D156789DB706F71DBF3E2276EDF95DA236B630610596D300B9EDF1D7E01DA04FB7CF5A198775498840EDE36F7C904A644598D704B95A6B45AA7E94C0B3B7DB7B665920B708E2F383A37FE32021A0EBB7280FF32B15A4C9D0AB8939997E765F9E4D1E01228D74A6EB9AA39D45E510616E20FD2375C0C50503C54C024F544B5708B446C32CF1F9526CCD1455A855926DE24A4146EB08C5F3B48D0D5E21EAAF4D274DDE779397E2C76B661FDB2D6EA95F6114177B2B665AB50189F2237525259C869A89FF641D5BCED77E3F2DA8DAB55AC55F5920B0ED1C91FFA327B88ECF8215E549EFE458E15F8F53B9332A5624AAA1D36E471A634419B38EA5"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_ACCESSDESC, {tc::cli::FormatUtil::hexStringToBytes("F43C4582FBF8905D07029F2A988B63B7D38F3CE2E0E093BFDF32434DBEF4D17A3A4E5431D773AE994CC41F3C3EF05705A38A455460D88FD91D680D0E2EEFC8E83DC919F3731E2DDA77883ECA5E25704BF77095835424E0C31A75DF613DD142EC351B38D6C1F67E182A8485DD57741F0A2EF6B294A23EE9A1D009F73A998005AF5755EF52FA243E7FD47C41447B067FB95B2E8E96AE46124D6421E50F85CCEB92E5F0F5A742273BECF8E781756F630A8B0D773851E66633BA79DC2F2C8FC32806BB039CDBD1640A66F0F8C12A491D0C6E35BBEAB35C0DE9957C67BE6577EC07C023050A724886E99EFC2515E7C82165E01BD5D50ED31154BB2978BF2A3C3BB6B1"), tc::ByteData(), public_exp}},
+		},
+		{
+			// retail
+			{RSAKEY_CRR, {tc::cli::FormatUtil::hexStringToBytes("D00E6756858ABCF213D87FBB29D192349EE42743D1111DFE9593C4783F4A2D2AB1CA6FB0BA32A2242E2BE5726EF0B49768CCDA171514F074D435B4EE04D89CA9ECDBCB29E895F257BABD65473D6CE50DE5103EB5C37302AEC893777CC523220171CCC60BEACAA0FED4CDA949655A3B0D5BB7B2EA329A43856CCA045C900D9E34B9EF802B2E6D96BC31157E1401C000E0197A2E17E58BA37AD2C247779A8B832E9866A1A1020F0299E7D79FDCC852A22823081B87FFE4BA90025015C720A0AB76607D1FC1BF339D66246A803BF4A27F15B10C36EF44E8D036949A7484488789499A0B7E10F27355623D68AC9E5FAE1D54F8BA628E29BC49E7FDEEBD3D7BCCF8BF"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_CRR, {tc::cli::FormatUtil::hexStringToBytes("C5F709805FDADCBD460752AA6DCD72B2500977478A4F092AE291B45F04975175C9196F95BB23147D34DF777807E8D11011AFCE02B873A9FB64B76587E567DD673775FD0FE297BC79A8CCF9FA18B2624DF7536B9C0E1AAB90E65286C81C922C6153A901DA4393D0422EDDD54C8C4CE89156ECEE12700B64F00AD6AFF860C2A8267AC8BA559AA144FD094726A0C1999EF124DFA3C2BBFF0745D9D6A4C0FF6C6C787B6D708C7444B095E6C6665E7EBE71C5913473A7D44C0DFCA921499492A16A4D30A3D69F6C60400CEEEBF89922E16FFC3C9623AA1134004EFC2D604145E35D7806B1F1C307B9D347D0F18C26331F6B46DDF3E38464A7F15311E1534E99DBAC53"), tc::ByteData(), public_exp}},
+		},
+		
+		{
+			// retail
+			{RSAKEY_SECUREINFO, {tc::cli::FormatUtil::hexStringToBytes("B1791A6D1EADD429BA89A1CD433630174BC68730C5E70560197B50D8C4546710A6E8A101BC2CEB0376F005C70CE0B6D6DFFD26DF33468BDBB2391E7EC01AA1A5A091E807DA378676BA390A25429D5961E161D40485A74BB20186BEB11A3572C1C2EA28AB7A1015325C9E712B7DF965EAE6C6FB8BAED76C2A94A6C5ECE40EAF987E06F20F884FD20635A476E9F70ABA5C5B1461520054044593E468270435355AAD5809D1193F5A0728D6DB6B551F77945DC3BE6FAE5BCC0863E476DFA29B36EA853403E616EAA905E07F3A3E7E7077CF166A61D17E4D354C744485D4F67B0EEE32F1C2D5790248E9621A33BAA39B02B02294057FF6B43888E301E55A237C9C0B"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_SECUREINFO, {tc::cli::FormatUtil::hexStringToBytes("B1AA6C553CA84D833C2E9756B52BD3701D0FD4D1EEF171F4FD95961D52BF7563B89D2FF5F815E40A76E20F551163E9E98568415A283122E199DEEC771712C678DA0BB4DD50F30C615FA57DEA74D71D1187BFEBC333D7350EDD45981BEF6FB973E8359CE5B0C8FF5C429BA790AEF9B7625604B1B0B244D68634E62F794D9CAFB59A3BFAC88103966F9BDC878B323C37EBCD21C8B9276FFCC84702FF87D1D02F64D436D48501AD70F3A2B10D13EF5594A0238171F94AD20158906013FB6DB6183831DF1144B59649A35308B264C1EF119E1D17179A8744173A73A2F7D9961A79E1F9866EEE6FBBD2DCCF3B0DC4E276D1D0C03798BEC1BCD9646FC4CB46BB5FF555"), tc::ByteData(), public_exp}},
+		},
+		{
+			// retail
+			{RSAKEY_LOCALFRIENDCODESEED, {tc::cli::FormatUtil::hexStringToBytes("A3759A3546CFA7FE30EC55A1B64E08E9449D0C72FCD191FD610A288975BCE6A9B21556E9C7670255ADFC3CEE5EDB78259A4B221B71E7E9515B2A6793B21868CE5E5E12FFD86806AF318D56F9549902346A17E7837496A05AAF6EFDE6BED686AAFD7A65A8EBE11C983A15C17AB540C23D9B7CFDD463C5E6DEB77824C629473335B2E937E054EE9FA53DD793CA3EAE4DB60F5A11E70CDFBA03B21E2B31B65906DB5F940BF76E74CAD4AB55D940058F10FE06050C81BB422190BA4F5C5382E1E10FBC949F60695D1303AAE2E0C108424C200B9BAA552D55276E24E5D60457588FF75F0CEC819F6D2D28F31055F83B7662D4E4A69369B5DA6B4023AF07EB9CBFA9C9"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_LOCALFRIENDCODESEED, {tc::cli::FormatUtil::hexStringToBytes("985992B9651768F5E79F6AE500CC57418E6B8DF9D4409CEAFD9627C425D616C2BC31CC23206B0A494931AA567E6EAE1C550663A8721DEB16C51E0023E0BABD26166519CEFEDB7F4299CEE5CECCB2C518957E4BDBB6567D7D73ED9CD594CE265D8BCA6635CB60CAA3C1B652212FF4FF45C73BEBF4CDB6463D0761D661C349AFBCF55BAC71CD0668462FD12E82C23FEB57CF622EE7E2721E73707AF4F7B01B8ADFC28D59C2D440CCF14150D391A1F95D9D45BC5A74641E22CE10D62CE35C7DD2B0EBC516645C9ADC6093A44E7500C1BE16E9D7D35FB869E62C143851B31515577FEAFE7450E36D6027AE8C9CAACABE78EAE4A48A655B39650B7F0BDBC073E091BB"), tc::ByteData(), public_exp}},
+		},
+		{
+			// retail
+			{RSAKEY_DSP, {tc::cli::FormatUtil::hexStringToBytes("CB6537CA75D0AC0085B52E5C93491BA09B7BAE24D6B3252C707F513439463B55C5DBFB97422A04D15C1363E4EBF4AF3ABFF447D09D25C819F99DE9632FA2B88186A7A1F4D83456228A6BCAA8B30F56D95F070C98139D1C3E59811C33C6AA707E41B8B9AAA0B41251C61E233876A208C332413B57ABCAD004CBCAD4A8EEA93CED2BE1E61196B7C829C93C70BBCD7955A20258CDD17D6476C7A98DA5CCF339E5B51204BE6AF85237EAAC4CF63863F618637A2760E0B78565E9483B107F1D7917498A211CEC01AAA4232FC50AEFE74CE2056A09ED720D3F877B3EF9A30003191751E969EC10E7E0891C2B46611816858458E279F6F4A7286246E94958DCF94765D9"), tc::ByteData(), public_exp}},
+			// dev
+			{RSAKEY_DSP, {tc::cli::FormatUtil::hexStringToBytes("CB6537CA75D0AC0085B52E5C93491BA09B7BAE24D6B3252C707F513439463B55C5DBFB97422A04D15C1363E4EBF4AF3ABFF447D09D25C819F99DE9632FA2B88186A7A1F4D83456228A6BCAA8B30F56D95F070C98139D1C3E59811C33C6AA707E41B8B9AAA0B41251C61E233876A208C332413B57ABCAD004CBCAD4A8EEA93CED2BE1E61196B7C829C93C70BBCD7955A20258CDD17D6476C7A98DA5CCF339E5B51204BE6AF85237EAAC4CF63863F618637A2760E0B78565E9483B107F1D7917498A211CEC01AAA4232FC50AEFE74CE2056A09ED720D3F877B3EF9A30003191751E969EC10E7E0891C2B46611816858458E279F6F4A7286246E94958DCF94765D9"), tc::ByteData(), public_exp}},
+		},
+		
+	};
+
+	for (size_t i = 0; i < kDefaultRsaKeyNum; i++)
+	{
+		rsa_key.insert(std::pair<byte_t, tc::crypto::RsaKey>(default_rsa_keys[i][isDev].key_index, default_rsa_keys[i][isDev].key));
+	}
+
+	struct BroadonRsaSignerProfile
+	{
+		std::string issuer;
+		KeyBag::BroadOnRsaSignerProfile profile;
+	};
+
+	static const size_t kDefaultBroadonProfileNum = 4;
+	BroadonRsaSignerProfile default_broadon_profile[kDefaultBroadonProfileNum][2] = 
+	{
+		// root
+		{
+			// retail
+			{"Root", {tc::ByteData(), {tc::cli::FormatUtil::hexStringToBytes("F8246C58BAE7500301FBB7C2EBE0010571DA922378F0514EC0031DD0D21ED3D07EFC852069B5DE9BB951A8BC90A244926D379295AE9436AAA6A302510C7B1DEDD5FB20869D7F3016F6BE65D383A16DB3321B95351890B17002937EE193F57E99A2474E9D3824C7AEE38541F567E7518C7A0E38E7EBAF41191BCFF17B42A6B4EDE6CE8DE7318F7F5204B3990E226745AFD485B24493008B08C7F6B7E56B02B3E8FE0C9D859CB8B68223B8AB27EE5F6538078B2DB91E2A153E85818072A23B6DD93281054F6FB0F6F5AD283ECA0B7AF35455E03DA7B68326F3EC834AF314048AC6DF20D28508673CAB62A2C7BC131A533E0B66806B1C30664B372331BDC4B0CAD8D11EE7BBD9285548AAEC1F66E821B3C8A0476900C5E688E80CCE3C61D69CBBA137C6604F7A72DD8C7B3E3D51290DAA6A597B081F9D3633A3467A356109ACA7DD7D2E2FB2C1AEB8E20F4892D8B9F8B46F4E3C11F4F47D8B757DFEFEA3899C33595C5EFDEBCBABE8413E3A9A803C69356EB2B2AD5CC4C858455EF5F7B30644B47C64068CDF809F76025A2DB446E03D7CF62F34E702457B02A4CF5D9DD53CA53A7CA629788C67CA08BFECCA43A957AD16C94E1CD875CA107DCE7E0118F0DF6BFEE51DDBD991C26E60CD4858AA592C820075F29F526C917C6FE5403EA7D4A50CEC3B7384DE886E82D2EB4D4E42B5F2B149A81EA7CE7144DC2994CFC44E1F91CBD495"), tc::ByteData(), public_exp}}},
+			// dev
+			{"Root", {tc::ByteData(), {tc::cli::FormatUtil::hexStringToBytes("D01FE100D43556B24B56DAE971B5A5D384B93003BE1BBF28A2305B060645467D5B0251D2561A274F9E9F9CEC646150AB3D2AE3366866ACA4BAE81AE3D79AA6B04A8BCBA7E6FB648945EBDFDB85BA091FD7D114B5A3A780E3A22E6ECD87B5A4C6F910E4032208814B0CEEA1A17DF739695F617EF63528DB949637A056037F7B32413895C0A8F1982E1565E38EEDC22E590EE2677B8609F48C2E303FBC405CAC18042F822084E4936803DA7F41349248562B8EE12F78F803246330BC7BE7EE724AF458A472E7AB46A1A7C10C2F18FA07C3DDD89806A11C9CC130B247A33C8D47DE67F29E5577B11C43493D5BBA7634A7E4E71531B7DF5981FE24A114554CBD8F005CE1DB35085CCFC77806B6DE254068A26CB5492D4580438FE1E5A9ED75C5ED451DCE789439CCC3BA28A2312A1B8719EF0F73B713950C02591A7462A607F37C0AA7A18FA943A36D752A5F4192F0136100AA9CB41BBE14BEB1F9FC692FDFA09446DE5A9DDE2CA5F68C1C0C21429287CB2DAAA3D263752F73E09FAF4479D2817429F69800AFDE6B592DC19882BDF581CCABF2CB91029EF35C4CFDBBFF49C1FA1B2FE31DE7A560ECB47EBCFE32425B956F81B69917487E3B789151DB2E78B1FD2EBE7E626B3EA165B4FB00CCB751AF507329C4A3939EA6DD9C50A0E7386B0145796B41AF61F78555944F3BC22DC3BD0D00F8798A42B1AAA08320659AC7395AB4F329"), tc::ByteData(), public_exp}}},
+		},
+		// ca
+		{
+			// retail
+			{"Root-CA00000003", {tc::cli::FormatUtil::hexStringToBytes("00010003704138EFBBBDA16A987DD901326D1C9459484C88A2861B91A312587AE70EF6237EC50E1032DC39DDE89A96A8E859D76A98A6E7E36A0CFE352CA893058234FF833FCB3B03811E9F0DC0D9A52F8045B4B2F9411B67A51C44B5EF8CE77BD6D56BA75734A1856DE6D4BED6D3A242C7C8791B3422375E5C779ABF072F7695EFA0F75BCB83789FC30E3FE4CC8392207840638949C7F688565F649B74D63D8D58FFADDA571E9554426B1318FC468983D4C8A5628B06B6FC5D507C13E7A18AC1511EB6D62EA5448F83501447A9AFB3ECC2903C9DD52F922AC9ACDBEF58C6021848D96E208732D3D1D9D9EA440D91621C7A99DB8843C59C1F2E2C7D9B577D512C166D6F7E1AAD4A774A37447E78FE2021E14A95D112A068ADA019F463C7A55685AABB6888B9246483D18B9C806F474918331782344A4B8531334B26303263D9D2EB4F4BB99602B352F6AE4046C69A5E7E8E4A18EF9BC0A2DED61310417012FD824CC116CFB7C4C1F7EC7177A17446CBDE96F3EDD88FCD052F0B888A45FDAF2B631354F40D16E5FA9C2C4EDA98E798D15E6046DC5363F3096B2C607A9D8DD55B1502A6AC7D3CC8D8C575998E7D796910C804C495235057E91ECD2637C9C1845151AC6B9A0490AE3EC6F47740A0DB0BA36D075956CEE7354EA3E9A4F2720B26550C7D394324BC0CB7E9317D8A8661F42191FF10B08256CE3FD25B745E5194906B4D61CB4C2E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000526F6F7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001434130303030303030330000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007BE8EF6CB279C9E2EEE121C6EAF44FF639F88F078B4B77ED9F9560B0358281B50E55AB721115A177703C7A30FE3AE9EF1C60BC1D974676B23A68CC04B198525BC968F11DE2DB50E4D9E7F071E562DAE2092233E9D363F61DD7C19FF3A4A91E8F6553D471DD7B84B9F1B8CE7335F0F5540563A1EAB83963E09BE901011F99546361287020E9CC0DAB487F140D6626A1836D27111F2068DE4772149151CF69C61BA60EF9D949A0F71F5499F2D39AD28C7005348293C431FFBD33F6BCA60DC7195EA2BCC56D200BAF6D06D09C41DB8DE9C720154CA4832B69C08C69CD3B073A0063602F462D338061A5EA6C915CD5623579C3EB64CE44EF586D14BAAA8834019B3EEBEED3790001000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), {tc::cli::FormatUtil::hexStringToBytes("B279C9E2EEE121C6EAF44FF639F88F078B4B77ED9F9560B0358281B50E55AB721115A177703C7A30FE3AE9EF1C60BC1D974676B23A68CC04B198525BC968F11DE2DB50E4D9E7F071E562DAE2092233E9D363F61DD7C19FF3A4A91E8F6553D471DD7B84B9F1B8CE7335F0F5540563A1EAB83963E09BE901011F99546361287020E9CC0DAB487F140D6626A1836D27111F2068DE4772149151CF69C61BA60EF9D949A0F71F5499F2D39AD28C7005348293C431FFBD33F6BCA60DC7195EA2BCC56D200BAF6D06D09C41DB8DE9C720154CA4832B69C08C69CD3B073A0063602F462D338061A5EA6C915CD5623579C3EB64CE44EF586D14BAAA8834019B3EEBEED379"), tc::ByteData(), public_exp}}},
+			// dev
+			{"Root-CA00000004", {tc::cli::FormatUtil::hexStringToBytes("000100031949429D1E58A62E7E8B56D1B76AE302FD8B97491F778745F75388C4DD0BEB1DF122FB9642151497764A53CF78151845E42CA8FDE486FD2A4F53F8A1BA008A7485FF73B3BF7E3C980729D0656B693219ADE835EB5FFFFCCB7CBB5E307FE0688B888EF2D2053FB7E791E985FD15EF10D79CCA88D6BB15E8E4714A98EE09BF7B8AF053232B6450E6D5FDFFC20A6D1EA6A23812E1014525D56D4082703B86986959A73CD1A14364D2C2DAEA96B095F76C46E4FF4155465E70EF1ED31053D97011E010CC93E7914013687FA3A802996D1E557B1CCC7A7E8F5865C1742E28E26DEF38A93AB5D82D43ECCCBF0BEF22E1FD57E2864333582FEDEABC012F986DDFC3E9447973470308455BDC57AA170B84427F73A29B48F6DA135F66C745C142A84AFB0E6A5EED85D7B9719936F8CE2B621F395F40DC03BEF8854C1117FF0C128641CC7843B97B4346DB226F6026ACB56C278B8E0EA79A2D65EF798E1078AD80ED4B9604D2F08B2CD64A23A3DB270833B402F80851F35BED3EE4577C6660FBF16D9413E09C917A49D42C6DA375BC27F0230DB98F8973AB027B522CD57EC03D25E8B3FC3494C97FB108FE18C68A4336E46C26B6F280D27E34BE287C3E4687BC9D776B76D928D1B6352EC0347D7294AA9360268D26F5F652064AF240D7D00C7C5EA3C32DE62D9B5C4B4CAB6FD7BD371D57C2166095910E4AD8E9ED181EF761936153892D77000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000526F6F74000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014341303030303030303400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081122A46C9CC2DC4DF2930E4DF3F8C70A078948775AD5E9AA604C5B4D8EAFF2AA1D214676564EFCA28CC00154554A1A3EA1379E9E6CAACED1593FE88D89AC6B8ACCCAB6E207CEB7CCA29809E2980440662B7D4382A15DA43085745A9AAE59AA05BDB32F66869A2DD4295386C87ECDD3508A2CF60D01E23EC2FE698F470D6001549A2F06759131E534C7006057DEF1D18A83F0AC79CFE80FF5A91F2BED4A0837061190A0329902165403C9A908FB615739F3CE33BF1BAEA16C25BCED7963FACC9D24D9C0AD76FC020B2C4B84C10A741A2CC7D9BAC3AACCCA3529BAC316A9AA75D2A26C7D7D288CBA466C5FE5F454AE679744A90A15772DB3B0E47A49AF031D16DBEAB332B0001000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), {tc::cli::FormatUtil::hexStringToBytes("C9CC2DC4DF2930E4DF3F8C70A078948775AD5E9AA604C5B4D8EAFF2AA1D214676564EFCA28CC00154554A1A3EA1379E9E6CAACED1593FE88D89AC6B8ACCCAB6E207CEB7CCA29809E2980440662B7D4382A15DA43085745A9AAE59AA05BDB32F66869A2DD4295386C87ECDD3508A2CF60D01E23EC2FE698F470D6001549A2F06759131E534C7006057DEF1D18A83F0AC79CFE80FF5A91F2BED4A0837061190A0329902165403C9A908FB615739F3CE33BF1BAEA16C25BCED7963FACC9D24D9C0AD76FC020B2C4B84C10A741A2CC7D9BAC3AACCCA3529BAC316A9AA75D2A26C7D7D288CBA466C5FE5F454AE679744A90A15772DB3B0E47A49AF031D16DBEAB332B"), tc::ByteData(), public_exp}}},
+		},
+		// tmd
+		{
+			// retail
+			{"Root-CA00000003-CP0000000b", {tc::cli::FormatUtil::hexStringToBytes("000100042EA66C66CFF335797D0497B77A197F9FE51AB5A41375DC73FD9E0B10669B1B9A5B7E8AB28F01B67B6254C14AA1331418F25BA549004C378DD72F0CE63B1F7091AAFE3809B7AC6C2876A61D60516C43A63729162D280BE21BE8E2FE057D8EB6E204242245731AB6FEE30E5335373EEBA970D531BBA2CB222D9684387D5F2A1BF75200CE0656E390CE19135B59E14F0FA5C1281A7386CCD1C8EC3FAD70FBCE74DEEE1FD05F46330B51F9B79E1DDBF4E33F14889D05282924C5F5DC2766EF0627D7EEDC736E67C2E5B93834668072216D1C78B823A072D34FF3ECF9BD11A29AF16C33BD09AFB2D74D534E027C19240D595A68EBB305ACC44AB38AB820C6D426560C000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000526F6F742D43413030303030303033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000143503030303030303062000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000137A080BA689C590FD0B2F0D4F56B632FB934ED0739517B33A79DE040EE92DC31D37C7F73BF04BD3E44E20AB5A6FEAF5984CC1F6062E9A9FE56C3285DC6F25DDD5D0BF9FE2EFE835DF2634ED937FAB0214D104809CF74B860E6B0483F4CD2DAB2A9602BC56F0D6BD946AED6E0BE4F08F26686BD09EF7DB325F82B18F6AF2ED525BFD828B653FEE6ECE400D5A48FFE22D538BB5335B4153342D4335ACF590D0D30AE2043C7F5AD214FC9C0FE6FA40A5C86506CA6369BCEE44A32D9E695CF00B4FD79ADB568D149C2028A14C9D71B850CA365B37F70B657791FC5D728C4E18FD22557C4062D74771533C70179D3DAE8F92B117E45CB332F3B3C2A22E705CFEC66F6DA3772B0001000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), {tc::cli::FormatUtil::hexStringToBytes("A689C590FD0B2F0D4F56B632FB934ED0739517B33A79DE040EE92DC31D37C7F73BF04BD3E44E20AB5A6FEAF5984CC1F6062E9A9FE56C3285DC6F25DDD5D0BF9FE2EFE835DF2634ED937FAB0214D104809CF74B860E6B0483F4CD2DAB2A9602BC56F0D6BD946AED6E0BE4F08F26686BD09EF7DB325F82B18F6AF2ED525BFD828B653FEE6ECE400D5A48FFE22D538BB5335B4153342D4335ACF590D0D30AE2043C7F5AD214FC9C0FE6FA40A5C86506CA6369BCEE44A32D9E695CF00B4FD79ADB568D149C2028A14C9D71B850CA365B37F70B657791FC5D728C4E18FD22557C4062D74771533C70179D3DAE8F92B117E45CB332F3B3C2A22E705CFEC66F6DA3772B"), tc::ByteData(), public_exp}}},
+			// dev
+			{"Root-CA00000004-CP0000000a", {tc::cli::FormatUtil::hexStringToBytes("000100045005D75E6DDEB8783C81E9EF0D17CD58F59426A3FD6F6990E8F83287122EC25CA14B99242337BA91A75B0F7C59FBF7D1892722C4E6AFC7DEC74A6E007F434A888A8215E8DF2B52ED4200BC69B4DA7FEB746C7A2D96565B45597B8FAEB16BDC76C1C80C47F50DA9C3E1FE28501C26A2D1544BD1604A9E8F322AEF315FEA48226722B7CB372FF35F5E616A5344A585E5A08A2E1777572B7A9AF7D2D8C49CD0A054BF8A9DB49FC660617CB8354E257F68682F94B3CC538C426F88C5485CBEC1D0480474965A7E8259AA9FB66146CE5921C6F0C1751F21917F2496CB0C70157AB7BB3A9F5756565C38922EFDC8F170B9AEA1AE36F55E3526630ABAB2050FF00CDCBB000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000526F6F742D4341303030303030303400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014350303030303030306100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018A34D5BAA7F9380289BE89863107AE10C592C2F7CFFBDAADD74F4A2FBACD76F00934206347156D84049729F3E24FA5E19D15B635CD2EF09DE32EE6B6FC8FA328E2E96B99441047D076295DA0D91D80935D0DE8E6BC6AB1427019CFE4996FC9B54794DEBD7C66673A6DD3A77654794EC1C87AA46D978A97DDB11226ED412C2784B218392C710C77419FFAAF60B75D823DD33C3A15BA72D30A5A4D8F80FD673FD26CB29A6EF5039E25F5961846BDA2EC7CBE4384B28FB0DD58E7CAA7D4B373AD781DD73E30993BDBD7E08554A8CA5C9842D7101A22A01B015FB3078B913F4C73FB5A6F1A25E22B002B6E009547F0FBDF0FEA5501D9315F93D830F0F0E3DE23D96E709D9770001000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), {tc::cli::FormatUtil::hexStringToBytes("AA7F9380289BE89863107AE10C592C2F7CFFBDAADD74F4A2FBACD76F00934206347156D84049729F3E24FA5E19D15B635CD2EF09DE32EE6B6FC8FA328E2E96B99441047D076295DA0D91D80935D0DE8E6BC6AB1427019CFE4996FC9B54794DEBD7C66673A6DD3A77654794EC1C87AA46D978A97DDB11226ED412C2784B218392C710C77419FFAAF60B75D823DD33C3A15BA72D30A5A4D8F80FD673FD26CB29A6EF5039E25F5961846BDA2EC7CBE4384B28FB0DD58E7CAA7D4B373AD781DD73E30993BDBD7E08554A8CA5C9842D7101A22A01B015FB3078B913F4C73FB5A6F1A25E22B002B6E009547F0FBDF0FEA5501D9315F93D830F0F0E3DE23D96E709D977"), tc::ByteData(), public_exp}}},
+		},
+		// tik
+		{
+			// retail
+			{"Root-CA00000003-XS0000000c", {tc::cli::FormatUtil::hexStringToBytes("00010004919EBE464AD0F552CD1B72E7884910CF55A9F02E50789641D896683DC005BD0AEA87079D8AC284C675065F74C8BF37C88044409502A022980BB8AD48383F6D28A79DE39626CCB2B22A0F19E41032F094B39FF0133146DEC8F6C1A9D55CD28D9E1C47B3D11F4F5426C2C780135A2775D3CA679BC7E834F0E0FB58E68860A71330FC95791793C8FBA935A7A6908F229DEE2A0CA6B9B23B12D495A6FE19D0D72648216878605A66538DBF376899905D3445FC5C727A0E13E0E2C8971C9CFA6C60678875732A4E75523D2F562F12AABD1573BF06C94054AEFA81A71417AF9A4A066D0FFC5AD64BAB28B1FF60661F4437D49E1E0D9412EB4BCACF4CFD6A3408847982000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000526F6F742D43413030303030303033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000158533030303030303063000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000137A0894AD505BB6C67E2E5BDD6A3BEC43D910C772E9CC290DA58588B77DCC11680BB3E29F4EABBB26E98C2601985C041BB14378E689181AAD770568E928A2B98167EE3E10D072BEEF1FA22FA2AA3E13F11E1836A92A4281EF70AAF4E462998221C6FBB9BDD017E6AC590494E9CEA9859CEB2D2A4C1766F2C33912C58F14A803E36FCCDCCCDC13FD7AE77C7A78D997E6ACC35557E0D3E9EB64B43C92F4C50D67A602DEB391B06661CD32880BD64912AF1CBCB7162A06F02565D3B0ECE4FCECDDAE8A4934DB8EE67F3017986221155D131C6C3F09AB1945C206AC70C942B36F49A1183BCD78B6E4B47C6C5CAC0F8D62F897C6953DD12F28B70C5B7DF751819A98346526250001000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), {tc::cli::FormatUtil::hexStringToBytes("AD505BB6C67E2E5BDD6A3BEC43D910C772E9CC290DA58588B77DCC11680BB3E29F4EABBB26E98C2601985C041BB14378E689181AAD770568E928A2B98167EE3E10D072BEEF1FA22FA2AA3E13F11E1836A92A4281EF70AAF4E462998221C6FBB9BDD017E6AC590494E9CEA9859CEB2D2A4C1766F2C33912C58F14A803E36FCCDCCCDC13FD7AE77C7A78D997E6ACC35557E0D3E9EB64B43C92F4C50D67A602DEB391B06661CD32880BD64912AF1CBCB7162A06F02565D3B0ECE4FCECDDAE8A4934DB8EE67F3017986221155D131C6C3F09AB1945C206AC70C942B36F49A1183BCD78B6E4B47C6C5CAC0F8D62F897C6953DD12F28B70C5B7DF751819A9834652625"), tc::ByteData(), public_exp}}},
+			// dev
+			{"Root-CA00000004-XS00000009", {tc::cli::FormatUtil::hexStringToBytes("0001000463805A351A437BA24319BB3A777B7AF35E724B150A06396C5FEC3845B18876268D5EDAE62F14BA02FAD6FC3B2BBE8707638E55BF055AFCFCB347691189DB1CAF4B4376623E30890A9D3BBB3E50BDF7A6C0F7F8BB0DB56ABBC6C350C888BB9DF09BD130646069DD3467A700EBDCF98CB0F7930E81FE98D972458B947E59E2BE4E912D75CA1B8E2EF46D73B16B35B5670D632D51385328191D9DAE8DC661CCEFA4ABE2F3B04C7BE271B5F92CFA55CD888B72CCBE67FADFEF6B533C45D8CBDFB2764146D6C26F2716C507F3F44466A315D277F289DAFDD550CFA49BEACAC97BE5460EED9BFB04A9DA1958D92A208AACC1F48EE914D88AD741D55B9B6422D8AFAEC7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000526F6F742D4341303030303030303400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000015853303030303030303900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000018A347A4C0844CEB7EB0CFF0AEB777698593E4995A954E581738CED681B0BD7709E7F89ADFAD054883F6C3FDDF7B83E00C2681544329EA826C89F0A67442864D3260327DA77A13406659DA3E416B2794034FAA229DD55452DB270A6AA23D19B1661B197DABC70E881791A12AB43C6CCBF5AA7C3ADD36FB35717B20015900D6F69039354131F8C1C0573A35185890B1AD9A0EECE0F47A7DA52748C972AB0D087B62354091142BB11D1AFAF9CD5C1713535271CAE22A78B17F4ACD59D8BA1D7D705F781B9F9D37188ED7CD0D49577469883A6B8E4E1B85DDBE39450589561297599A09A4C82D2FF5CFB47370DB581EB24E776FA47E62DFB705E880425CB87887977F662C5F0001000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"), {tc::cli::FormatUtil::hexStringToBytes("C0844CEB7EB0CFF0AEB777698593E4995A954E581738CED681B0BD7709E7F89ADFAD054883F6C3FDDF7B83E00C2681544329EA826C89F0A67442864D3260327DA77A13406659DA3E416B2794034FAA229DD55452DB270A6AA23D19B1661B197DABC70E881791A12AB43C6CCBF5AA7C3ADD36FB35717B20015900D6F69039354131F8C1C0573A35185890B1AD9A0EECE0F47A7DA52748C972AB0D087B62354091142BB11D1AFAF9CD5C1713535271CAE22A78B17F4ACD59D8BA1D7D705F781B9F9D37188ED7CD0D49577469883A6B8E4E1B85DDBE39450589561297599A09A4C82D2FF5CFB47370DB581EB24E776FA47E62DFB705E880425CB87887977F662C5F"), tc::ByteData(), public_exp}}},
+		}
+	};
+
+	for (size_t i = 0; i < kDefaultBroadonProfileNum; i++)
+	{
+		broadon_rsa_signer.insert(std::pair<std::string, KeyBag::BroadOnRsaSignerProfile>(default_broadon_profile[i][isDev].issuer, default_broadon_profile[i][isDev].profile));
+	}
+}
+
+void ctrtool::KeyBagInitializer::addSigHaxSignatures(bool isDev)
+{
+	struct SigHaxSignature
+	{
+		byte_t key_index;
+		KeyBag::Rsa2048Signature signature;
+	};
+
+	static const size_t kSigHaxSignatureNum = 3;
+	SigHaxSignature sighax_signatures[kSigHaxSignatureNum][2] = 
+	{
+		{
+			// retail
+			{RSAKEY_FIRM_NAND, {0xB6, 0x72, 0x45, 0x31, 0xC4, 0x48, 0x65, 0x7A, 0x2A, 0x2E, 0xE3, 0x06,
+		0x45, 0x7E, 0x35, 0x0A, 0x10, 0xD5, 0x44, 0xB4, 0x28, 0x59, 0xB0, 0xE5,
+		0xB0, 0xBE, 0xD2, 0x75, 0x34, 0xCC, 0xCC, 0x2A, 0x4D, 0x47, 0xED, 0xEA,
+		0x60, 0xA7, 0xDD, 0x99, 0x93, 0x99, 0x50, 0xA6, 0x35, 0x7B, 0x1E, 0x35,
+		0xDF, 0xC7, 0xFA, 0xC7, 0x73, 0xB7, 0xE1, 0x2E, 0x7C, 0x14, 0x81, 0x23,
+		0x4A, 0xF1, 0x41, 0xB3, 0x1C, 0xF0, 0x8E, 0x9F, 0x62, 0x29, 0x3A, 0xA6,
+		0xBA, 0xAE, 0x24, 0x6C, 0x15, 0x09, 0x5F, 0x8B, 0x78, 0x40, 0x2A, 0x68,
+		0x4D, 0x85, 0x2C, 0x68, 0x05, 0x49, 0xFA, 0x5B, 0x3F, 0x14, 0xD9, 0xE8,
+		0x38, 0xA2, 0xFB, 0x9C, 0x09, 0xA1, 0x5A, 0xBB, 0x40, 0xDC, 0xA2, 0x5E,
+		0x40, 0xA3, 0xDD, 0xC1, 0xF5, 0x8E, 0x79, 0xCE, 0xC9, 0x01, 0x97, 0x43,
+		0x63, 0xA9, 0x46, 0xE9, 0x9B, 0x43, 0x46, 0xE8, 0xA3, 0x72, 0xB6, 0xCD,
+		0x55, 0xA7, 0x07, 0xE1, 0xEA, 0xB9, 0xBE, 0xC0, 0x20, 0x0B, 0x5B, 0xA0,
+		0xB6, 0x61, 0x23, 0x6A, 0x87, 0x08, 0xD7, 0x04, 0x51, 0x7F, 0x43, 0xC6,
+		0xC3, 0x8E, 0xE9, 0x56, 0x01, 0x11, 0xE1, 0x40, 0x5E, 0x5E, 0x8E, 0xD3,
+		0x56, 0xC4, 0x9C, 0x4F, 0xF6, 0x82, 0x3D, 0x12, 0x19, 0xAF, 0xAE, 0xEB,
+		0x3D, 0xF3, 0xC3, 0x6B, 0x62, 0xBB, 0xA8, 0x8F, 0xC1, 0x5B, 0xA8, 0x64,
+		0x8F, 0x93, 0x33, 0xFD, 0x9F, 0xC0, 0x92, 0xB8, 0x14, 0x6C, 0x3D, 0x90,
+		0x8F, 0x73, 0x15, 0x5D, 0x48, 0xBE, 0x89, 0xD7, 0x26, 0x12, 0xE1, 0x8E,
+		0x4A, 0xA8, 0xEB, 0x9B, 0x7F, 0xD2, 0xA5, 0xF7, 0x32, 0x8C, 0x4E, 0xCB,
+		0xFB, 0x00, 0x83, 0x83, 0x3C, 0xBD, 0x5C, 0x98, 0x3A, 0x25, 0xCE, 0xB8,
+		0xB9, 0x41, 0xCC, 0x68, 0xEB, 0x01, 0x7C, 0xE8, 0x7F, 0x5D, 0x79, 0x3A,
+		0xCA, 0x09, 0xAC, 0xF7}},
+			// dev
+			{RSAKEY_FIRM_NAND, {0x88, 0x69, 0x7C, 0xDC, 0xA9, 0xD1, 0xEA, 0x31, 0x82, 0x56, 0xFC, 0xD9,
+		0xCE, 0xD4, 0x29, 0x64, 0xC1, 0xE9, 0x8A, 0xBC, 0x64, 0x86, 0xB2, 0xF1,
+		0x28, 0xEC, 0x02, 0xE7, 0x1C, 0x5A, 0xE3, 0x5D, 0x63, 0xD3, 0xBF, 0x12,
+		0x46, 0x13, 0x40, 0x81, 0xAF, 0x68, 0x75, 0x47, 0x87, 0xFC, 0xB9, 0x22,
+		0x57, 0x1D, 0x7F, 0x61, 0xA3, 0x0D, 0xE4, 0xFC, 0xFA, 0x82, 0x93, 0xA9,
+		0xDA, 0x51, 0x23, 0x96, 0xF1, 0x31, 0x9A, 0x36, 0x49, 0x68, 0x46, 0x4C,
+		0xA9, 0x80, 0x6E, 0x0A, 0x52, 0x56, 0x74, 0x86, 0x75, 0x4C, 0xDD, 0xD4,
+		0xC3, 0xA6, 0x2B, 0xDC, 0xE2, 0x55, 0xE0, 0xDE, 0xEC, 0x23, 0x01, 0x29,
+		0xC1, 0xBA, 0xE1, 0xAE, 0x95, 0xD7, 0x86, 0x86, 0x56, 0x37, 0xC1, 0xE6,
+		0x5F, 0xAE, 0x83, 0xED, 0xF8, 0xE7, 0xB0, 0x7D, 0x17, 0xC0, 0xAA, 0xDA,
+		0x8F, 0x05, 0x5B, 0x64, 0x0D, 0x45, 0xAB, 0x0B, 0xAC, 0x76, 0xFF, 0x7B,
+		0x34, 0x39, 0xF5, 0xA4, 0xBF, 0xE8, 0xF7, 0xE0, 0xE1, 0x03, 0xBC, 0xE9,
+		0x95, 0xFA, 0xD9, 0x13, 0xFB, 0x72, 0x9D, 0x3D, 0x03, 0x0B, 0x26, 0x44,
+		0xEC, 0x48, 0x39, 0x64, 0x24, 0xE0, 0x56, 0x3A, 0x1B, 0x3E, 0x6A, 0x1F,
+		0x68, 0x0B, 0x39, 0xFC, 0x14, 0x61, 0x88, 0x6F, 0xA7, 0xA6, 0x0B, 0x6B,
+		0x56, 0xC5, 0xA8, 0x46, 0x55, 0x4A, 0xE6, 0x48, 0xFC, 0x46, 0xE3, 0x0E,
+		0x24, 0x67, 0x8F, 0xAF, 0x1D, 0xC3, 0xCE, 0xB1, 0x0C, 0x2A, 0x95, 0x0F,
+		0x4F, 0xFA, 0x20, 0x83, 0x23, 0x4E, 0xD8, 0xDC, 0xC3, 0x58, 0x7A, 0x6D,
+		0x75, 0x1A, 0x7E, 0x9A, 0xFA, 0x06, 0x15, 0x69, 0x55, 0x08, 0x4F, 0xF2,
+		0x72, 0x5B, 0x69, 0x8E, 0xB1, 0x74, 0x54, 0xD9, 0xB0, 0x2B, 0x6B, 0x76,
+		0xBE, 0x47, 0xAB, 0xBE, 0x20, 0x62, 0x94, 0x36, 0x69, 0x87, 0xA4, 0xCA,
+		0xB4, 0x2C, 0xBD, 0x0B}},
+		},
+		{
+			// retail
+			{RSAKEY_FIRM_RECOVERY, {0x37, 0xE9, 0x6B, 0x10, 0xBA, 0xF2, 0x8C, 0x74, 0xA7, 0x10, 0xEF, 0x35,
+		0x82, 0x4C, 0x93, 0xF5, 0xFB, 0xB3, 0x41, 0xCE, 0xE4, 0xFB, 0x44, 0x6C,
+		0xE4, 0xD2, 0x90, 0xAB, 0xFC, 0xEF, 0xAC, 0xB0, 0x63, 0xA9, 0xB5, 0x5B,
+		0x3E, 0x8A, 0x65, 0x51, 0x1D, 0x90, 0x0C, 0x5A, 0x6E, 0x94, 0x03, 0xAA,
+		0xB5, 0x94, 0x3C, 0xEF, 0x3A, 0x1E, 0x88, 0x2B, 0x77, 0xD2, 0x34, 0x79,
+		0x42, 0xB9, 0xE9, 0xEB, 0x0D, 0x75, 0x66, 0x37, 0x0F, 0x0C, 0xB7, 0x31,
+		0x0C, 0x38, 0xCB, 0x4A, 0xC9, 0x40, 0xD1, 0xA6, 0xBB, 0x47, 0x6B, 0xCC,
+		0x2C, 0x48, 0x7D, 0x1C, 0x53, 0x21, 0x20, 0xF1, 0xD2, 0xA3, 0x7D, 0xDB,
+		0x3E, 0x36, 0xF8, 0xA2, 0x94, 0x5B, 0xD8, 0xB1, 0x6F, 0xB3, 0x54, 0x98,
+		0x03, 0x84, 0x99, 0x8E, 0xCC, 0x38, 0x0C, 0xD5, 0xCF, 0x85, 0x30, 0xF1,
+		0xDA, 0xD2, 0xFD, 0x74, 0xBA, 0x35, 0xAC, 0xB9, 0xC9, 0xDA, 0x2C, 0x13,
+		0x1C, 0xB2, 0x95, 0x73, 0x6A, 0xE7, 0xEF, 0xA0, 0xD2, 0x68, 0xEE, 0x01,
+		0x87, 0x2E, 0xF0, 0x33, 0x05, 0x8A, 0xBA, 0x07, 0xB5, 0xC6, 0x84, 0xEA,
+		0xD6, 0x0D, 0x76, 0xEA, 0x84, 0xA1, 0x8D, 0x86, 0x63, 0x07, 0xAA, 0xAA,
+		0xB7, 0x64, 0x78, 0x6E, 0x39, 0x6F, 0x2F, 0x8B, 0x63, 0x0E, 0x60, 0xE3,
+		0x0E, 0x3F, 0x1C, 0xD8, 0xA6, 0x7D, 0x02, 0xF0, 0xA8, 0x81, 0x52, 0xDE,
+		0x7A, 0x9E, 0x0D, 0xD5, 0xE6, 0x4A, 0xB7, 0x59, 0x3A, 0x37, 0x01, 0xE4,
+		0x84, 0x6B, 0x6F, 0x33, 0x8D, 0x22, 0xFD, 0x45, 0x5D, 0x45, 0xDF, 0x21,
+		0x2C, 0x55, 0x77, 0x26, 0x6A, 0xA8, 0xC3, 0x67, 0xAE, 0x6E, 0x4C, 0xE8,
+		0x9D, 0xF4, 0x16, 0x91, 0xBF, 0x1F, 0x7F, 0xE5, 0x8F, 0x22, 0x61, 0xF5,
+		0xD2, 0x51, 0xDF, 0x36, 0xDE, 0x9F, 0x5A, 0xF1, 0xF3, 0x68, 0xE6, 0x50,
+		0xD5, 0x76, 0x81, 0x0B}},
+			// dev
+			{RSAKEY_FIRM_RECOVERY, {0x18, 0x72, 0x2B, 0xC7, 0x6D, 0xC3, 0x60, 0x2E, 0x2C, 0x01, 0x71, 0xF3,
+		0xBC, 0xA1, 0x2A, 0xB4, 0x0E, 0xA6, 0xD1, 0x12, 0xAE, 0xFB, 0xEC, 0xF4,
+		0xBE, 0x7A, 0x2A, 0x58, 0xFF, 0x75, 0x90, 0x58, 0xA9, 0x3C, 0x95, 0xCD,
+		0xA9, 0xB3, 0xB6, 0x76, 0xD0, 0x9A, 0x4E, 0x4C, 0x9E, 0x84, 0x2E, 0x5C,
+		0x68, 0x22, 0x9A, 0x6A, 0x9D, 0x77, 0xFA, 0xC7, 0x64, 0x45, 0xE7, 0x8E,
+		0xB5, 0xB3, 0x63, 0xF8, 0xC6, 0x6B, 0x16, 0x6B, 0xE6, 0x5A, 0xFA, 0xE4,
+		0x0A, 0x14, 0x85, 0xA3, 0x64, 0xC2, 0xC1, 0x3B, 0x85, 0x5C, 0xEE, 0xDE,
+		0x3D, 0xFE, 0xAC, 0xEC, 0x68, 0xDD, 0x6B, 0x86, 0x87, 0xDD, 0x6D, 0xF8,
+		0xB6, 0xD3, 0x21, 0x3F, 0x72, 0x25, 0x2E, 0x7C, 0x03, 0xC0, 0x27, 0xEE,
+		0x60, 0x79, 0xF9, 0xC5, 0xE0, 0x29, 0x0E, 0x5D, 0xB8, 0xCA, 0x0B, 0xBC,
+		0xF3, 0x0F, 0xCA, 0xD7, 0x2E, 0xB6, 0x37, 0xA1, 0x70, 0xC4, 0xA2, 0xF4,
+		0x1D, 0x96, 0xBF, 0x7D, 0x51, 0x7A, 0x2F, 0x4F, 0x33, 0x59, 0x30, 0xDC,
+		0x5E, 0x97, 0x92, 0xD7, 0x8E, 0xDF, 0xB5, 0x1D, 0xC7, 0x9A, 0xD9, 0xD7,
+		0xA4, 0xE7, 0xF1, 0xED, 0x4D, 0x5A, 0x5C, 0x62, 0x1B, 0x62, 0x45, 0xA7,
+		0xF1, 0x65, 0x22, 0x56, 0x01, 0x1D, 0xC3, 0x2C, 0x49, 0xB9, 0x55, 0x30,
+		0x4A, 0x42, 0x30, 0x09, 0xE2, 0xB7, 0x80, 0x72, 0xCE, 0xBC, 0x12, 0xB3,
+		0x85, 0xB7, 0x2F, 0x92, 0x6F, 0x19, 0x31, 0x8D, 0x64, 0x07, 0x5F, 0x09,
+		0x27, 0x8F, 0xBA, 0x84, 0x48, 0xFD, 0x24, 0x84, 0xB8, 0x26, 0x54, 0xA5,
+		0x5D, 0x06, 0x45, 0x42, 0xA8, 0xF5, 0xD9, 0xF9, 0x82, 0x8C, 0xDA, 0x5E,
+		0x60, 0xD3, 0x1A, 0x40, 0xCF, 0x8E, 0xF1, 0x8D, 0x02, 0x73, 0x10, 0xDA,
+		0x4F, 0x80, 0x79, 0x88, 0xBC, 0x75, 0x3C, 0x1E, 0xB3, 0xB3, 0xFC, 0x06,
+		0x20, 0x7E, 0x84, 0xDE}},
+		},
+		{
+			// retail
+			{RSAKEY_NCSD_NAND, {0x6C, 0xF5, 0x2F, 0x89, 0xF3, 0x78, 0x12, 0x0B, 0xFA, 0x4E, 0x10, 0x61,
+		0xD7, 0x36, 0x16, 0x34, 0xD9, 0xA2, 0x54, 0xA4, 0xF5, 0x7A, 0xA5, 0xBD,
+		0x9F, 0x2C, 0x30, 0x93, 0x4F, 0x0E, 0x68, 0xCB, 0xE6, 0x61, 0x1D, 0x90,
+		0xD7, 0x4C, 0xAA, 0xAC, 0xB6, 0xA9, 0x95, 0x56, 0x56, 0x47, 0x33, 0x3D,
+		0xC1, 0x70, 0x92, 0xD3, 0x20, 0x13, 0x10, 0x89, 0xCC, 0xCD, 0x63, 0x31,
+		0xCB, 0x3A, 0x59, 0x5D, 0x1B, 0xA2, 0x99, 0xA3, 0x2F, 0xF4, 0xD8, 0xE5,
+		0xDD, 0x1E, 0xB4, 0x6A, 0x2A, 0x57, 0x93, 0x5F, 0x6F, 0xE6, 0x37, 0x32,
+		0x2D, 0x3B, 0xC4, 0xF6, 0x7C, 0xFE, 0xD6, 0xC2, 0x25, 0x4C, 0x08, 0x9C,
+		0x62, 0xFA, 0x11, 0xD0, 0x82, 0x4A, 0x84, 0x4C, 0x79, 0xEE, 0x5A, 0x4F,
+		0x27, 0x3D, 0x46, 0xC2, 0x3B, 0xBB, 0xF0, 0xA2, 0xAF, 0x6A, 0xCA, 0xDB,
+		0xE6, 0x46, 0xF4, 0x6B, 0x86, 0xD1, 0x28, 0x9C, 0x7F, 0xF7, 0xE8, 0x16,
+		0xCF, 0xDA, 0x4B, 0xC3, 0x3D, 0xFF, 0x9D, 0x17, 0x5A, 0xC6, 0x9F, 0x72,
+		0x40, 0x6C, 0x07, 0x1B, 0x51, 0xF4, 0x5A, 0x1A, 0xCB, 0x87, 0xF1, 0x68,
+		0xC1, 0x77, 0xCB, 0x9B, 0xE6, 0xC3, 0x92, 0xF0, 0x34, 0x18, 0x49, 0xAE,
+		0x5D, 0x51, 0x0D, 0x26, 0xEE, 0xC1, 0x09, 0x7B, 0xEB, 0xFB, 0x9D, 0x14,
+		0x4A, 0x16, 0x47, 0x30, 0x1B, 0xEA, 0xF9, 0x52, 0x0D, 0x22, 0xC5, 0x5A,
+		0xF4, 0x6D, 0x49, 0x28, 0x4C, 0xC7, 0xF9, 0xFB, 0xBA, 0x37, 0x1A, 0x6D,
+		0x6E, 0x4C, 0x55, 0xF1, 0xE5, 0x36, 0xD6, 0x23, 0x7F, 0xFF, 0x54, 0xB3,
+		0xE9, 0xC1, 0x1A, 0x20, 0xCF, 0xCC, 0xAC, 0x0C, 0x6B, 0x06, 0xF6, 0x95,
+		0x76, 0x6A, 0xCE, 0xB1, 0x8B, 0xE3, 0x32, 0x99, 0xA9, 0x4C, 0xFC, 0xA7,
+		0xE2, 0x58, 0x81, 0x86, 0x52, 0xF7, 0x52, 0x6B, 0x30, 0x6B, 0x52, 0xE0,
+		0xAE, 0xD0, 0x42, 0x18}},
+			// dev
+			{RSAKEY_NCSD_NAND, {0x53, 0xCB, 0x0E, 0x4E, 0xB1, 0xA6, 0xFF, 0x84, 0x28, 0x4B, 0xE0, 0xE7,
+		0x38, 0x5A, 0xB4, 0xA6, 0x86, 0xA8, 0xBB, 0xCB, 0xC1, 0x61, 0x02, 0x47,
+		0x92, 0x80, 0xE0, 0x58, 0x36, 0x55, 0xD2, 0x71, 0x3F, 0xE5, 0x06, 0xFA,
+		0xEE, 0x74, 0xF8, 0xD1, 0x0F, 0x12, 0x20, 0x44, 0x1C, 0xC2, 0xFF, 0x5D,
+		0x6D, 0xDE, 0x99, 0xBE, 0x79, 0xC1, 0x9B, 0x38, 0x6C, 0xAF, 0x68, 0xD5,
+		0xEB, 0x8C, 0xED, 0x1A, 0xAB, 0x4D, 0x24, 0x3C, 0x5F, 0x39, 0x86, 0x80,
+		0xD3, 0x1C, 0xD2, 0xE3, 0xC9, 0xDD, 0x56, 0x70, 0xF2, 0xA8, 0x8D, 0x56,
+		0x3B, 0x8F, 0x65, 0xF5, 0xB2, 0x34, 0xFD, 0x2E, 0xBB, 0x3B, 0xE4, 0x4A,
+		0x3B, 0x6C, 0x30, 0x27, 0x22, 0xA2, 0xAD, 0xFB, 0x56, 0xAE, 0x3E, 0x1F,
+		0x64, 0x17, 0xBD, 0xEC, 0x1E, 0x5A, 0x86, 0xAA, 0xBB, 0xAF, 0xBE, 0x94,
+		0x19, 0xAC, 0xA8, 0xFD, 0xCD, 0x45, 0xE2, 0xCD, 0xF1, 0xEB, 0x69, 0x5F,
+		0x6E, 0xA8, 0x78, 0x16, 0x12, 0x2D, 0x7B, 0xE9, 0x8E, 0xEF, 0x92, 0xC0,
+		0x81, 0x4B, 0x16, 0xB2, 0x15, 0xB3, 0x1D, 0x8C, 0x81, 0x3B, 0xB3, 0x55,
+		0xCE, 0xA8, 0x13, 0x8F, 0xB3, 0xBF, 0x23, 0x74, 0x24, 0x68, 0x42, 0xCD,
+		0x91, 0xE1, 0xF9, 0xAA, 0xFF, 0x76, 0x87, 0x86, 0x17, 0xCE, 0x02, 0x06,
+		0x47, 0x77, 0xAE, 0xA0, 0x87, 0x6A, 0x2C, 0x24, 0x5C, 0x78, 0x43, 0x41,
+		0xCD, 0xEE, 0x90, 0xD6, 0x91, 0x74, 0x59, 0x08, 0xA6, 0xFF, 0x9C, 0xE7,
+		0x81, 0x16, 0x67, 0x96, 0xF9, 0xF1, 0x23, 0x8F, 0x88, 0x4C, 0x84, 0xD6,
+		0xF1, 0xEE, 0xBB, 0x2E, 0x40, 0xB4, 0xBC, 0xA0, 0x0A, 0x7B, 0x1E, 0x91,
+		0x3E, 0x09, 0x80, 0xD2, 0x9F, 0xF6, 0x06, 0x1D, 0x8A, 0xA9, 0x44, 0xC6,
+		0x63, 0xF2, 0x63, 0x81, 0x27, 0xF7, 0xCC, 0xAB, 0x6F, 0xC7, 0x15, 0x38,
+		0x47, 0x1A, 0x51, 0x38}},
+		},
+		
+	};
+
+	for (size_t i = 0; i < kSigHaxSignatureNum; i++)
+	{
+		rsa_sighax_signature.insert(std::pair<byte_t, KeyBag::Rsa2048Signature>(sighax_signatures[i][isDev].key_index, sighax_signatures[i][isDev].signature));
+	}
+}
+
+void ctrtool::KeyBagInitializer::importSeedDb(const std::shared_ptr<tc::io::ISource>& seed_db_source)
+{
+	// validate source exists
+	if (seed_db_source == nullptr)
+	{
+		throw tc::ArgumentNullException("ctrtool::KeyBagInitializer", "SeedDb source is null.");
+	}
+
+	// validate source has minimum size
+	if (seed_db_source->length() < (sizeof(SeedDbHeader) + sizeof(SeedDbEntry)))
+	{
+		throw tc::ArgumentNullException("ctrtool::KeyBagInitializer", "SeedDb source is too small.");
+	}
+
+	// read header
+	auto hdr_data = seed_db_source->pullData(0, sizeof(SeedDbHeader));
+	SeedDbHeader* hdr = (SeedDbHeader*)hdr_data.data();
+
+	// check padding
+	for (size_t i = 0; i < hdr->padding.size(); i++)
+	{
+		if (hdr->padding[i] != 0)
+		{
+			throw tc::ArgumentNullException("ctrtool::KeyBagInitializer", "SeedDb header had invalid padding.");
+		}
+	}
+
+	// get entry num
+	size_t n_entries = hdr->n_entries.unwrap();
+
+	// check size of source fits expected total seeddb size
+	if (seed_db_source->length() < static_cast<int64_t>(sizeof(SeedDbHeader) + n_entries * sizeof(SeedDbEntry)))
+	{
+		throw tc::ArgumentNullException("ctrtool::KeyBagInitializer", "SeedDb source is too small.");
+	}
+
+	// read entries
+	auto entry_data = seed_db_source->pullData(sizeof(SeedDbHeader), sizeof(SeedDbEntry) * n_entries);
+	SeedDbEntry* entry = (SeedDbEntry*)entry_data.data();
+
+	// import entries
+	for (size_t i = 0; i < n_entries; i++)
+	{
+		seed_db.insert(std::pair<byte_t, KeyBag::Aes128Key>(entry[i].title_id.unwrap(), entry[i].seed));
+	}
+}
+
+bool ctrtool::KeyBagInitializer::importFallbackKey(tc::Optional<KeyBag::Aes128Key>& key, const std::string& key_str)
+{
+	// check key_str size
+	if (key_str.size() != sizeof(KeyBag::Aes128Key)*2) { return false; }
+
+	// convert to keydata
+	auto keydata = tc::cli::FormatUtil::hexStringToBytes(key_str);
+	
+	// check keydata size
+	if (keydata.size() != sizeof(KeyBag::Aes128Key)) { return false; }
+
+	// save key
+	KeyBag::Aes128Key tmp;
+	memcpy(tmp.data(), keydata.data(), tmp.size());
+	key = tmp;
+
+	return true;
+}
\ No newline at end of file
diff --git a/ctrtool/src/KeyBag.h b/ctrtool/src/KeyBag.h
new file mode 100644
index 00000000..9614e6ae
--- /dev/null
+++ b/ctrtool/src/KeyBag.h
@@ -0,0 +1,128 @@
+#pragma once
+#include <string>
+#include <vector>
+#include <array>
+#include <map>
+#include <tc/Optional.h>
+#include <tc/io.h>
+#include <tc/crypto/RsaKey.h>
+
+namespace ctrtool {
+
+struct KeyBag
+{
+	using Aes128Key = std::array<byte_t, 16>;
+
+	// NCCH encryption keys
+	enum NcchFixedKeyIndex
+	{
+		NCCH_APPLICATION_FIXED_KEY = 0,
+		NCCH_SYSTEM_FIXED_KEY = 1,
+	};
+	enum NcchSecureKeyIndex
+	{
+		NCCH_SECURE_KEY_FW1 = 0,
+		NCCH_SECURE_KEY_FW7 = 1,
+		NCCH_SECURE_KEY_FW9_3 = 10,
+		NCCH_SECURE_KEY_FW9_6 = 11
+	};
+	std::map<byte_t, Aes128Key> ncch_fixed_key;
+	std::map<byte_t, Aes128Key> ncch_secure_key_x;
+	
+	// ticket
+	enum CommonKeyIndex
+	{
+		COMMONKEY_APPLICATION = 0,
+		COMMONKEY_SYSTEM = 1,
+		COMMONKEY_UNUSED_2 = 2,
+		COMMONKEY_UNUSED_3 = 3,
+		COMMONKEY_UNUSED_4 = 4,
+		COMMONKEY_UNUSED_5 = 5
+	};
+	std::map<byte_t, Aes128Key> common_key;
+	tc::Optional<Aes128Key> fallback_title_key;
+
+	// NCCH seed
+	std::map<uint64_t, Aes128Key> seed_db;
+	tc::Optional<Aes128Key> fallback_seed;
+
+	// BootROM Initialized Keyslots
+	enum AesKeySlot
+	{
+		KEYSLOT_INITIAL_DATA = 0x3B,
+		KEYSLOT_ES_COMMON_KEY = 0x3D
+	};
+	std::map<byte_t, Aes128Key> brom_static_key_x;
+	std::map<byte_t, Aes128Key> brom_static_key_y;
+	std::map<byte_t, Aes128Key> brom_static_key;
+
+	// Firmware Keys
+	enum FirmwareKeyIndex
+	{
+		FIRM_NGC_KEY = 0,
+		FIRM_NOR_KEY = 1,
+		FIRM_SD_KEY = 2,
+	};
+	std::map<byte_t, Aes128Key> firmware_key;
+
+	// Normal RSA Keys
+	enum RsaKeyIndex
+	{
+		RSAKEY_FIRM_NAND = 0, // normal: read from NCSD partition
+		RSAKEY_FIRM_RECOVERY = 1, // recovery: read from NWN SPI / NTRCARD
+		RSAKEY_NCSD_NAND = 2,
+		RSAKEY_CFA_CCI = 3,
+		RSAKEY_ACCESSDESC = 4,
+		RSAKEY_CRR = 5,
+		RSAKEY_SECUREINFO = 6,
+		RSAKEY_LOCALFRIENDCODESEED = 7,
+		RSAKEY_DSP = 8,
+	};
+	std::map<byte_t, tc::crypto::RsaKey> rsa_key;
+
+	// SigHax Signatures
+	using Rsa2048Signature = std::array<byte_t, 0x100>;
+	std::map<byte_t, Rsa2048Signature> rsa_sighax_signature;
+
+	// BroadOn RSA Keys
+	struct BroadOnRsaSignerProfile
+	{
+		tc::ByteData certificate;
+		tc::crypto::RsaKey key;
+	};
+	std::map<std::string, BroadOnRsaSignerProfile> broadon_rsa_signer;
+};
+
+class KeyBagInitializer : public KeyBag
+{
+public:
+	KeyBagInitializer(bool isDev, const tc::Optional<std::string>& fallback_title_key_str, const tc::Optional<tc::io::Path>& seed_db_path, const tc::Optional<std::string>& fallback_seed_str);
+private:
+	KeyBagInitializer();
+
+	void addStaticAesKeys(bool isDev);
+	void addStaticRsaKeys(bool isDev);
+	void addSigHaxSignatures(bool isDev);
+	void importSeedDb(const std::shared_ptr<tc::io::ISource>& seed_db_source);
+	bool importFallbackKey(tc::Optional<KeyBag::Aes128Key>& key, const std::string& key_str);
+
+#pragma pack(push,1)
+	struct SeedDbHeader
+	{
+		tc::bn::le32<uint32_t> n_entries;
+		std::array<byte_t, 0xC> padding;
+	};
+	static_assert(sizeof(SeedDbHeader) == 0x10, "Size of Entry was incorrect.");
+
+	struct SeedDbEntry
+	{
+		tc::bn::le64<uint64_t> title_id;
+		KeyBag::Aes128Key seed;
+		std::array<byte_t, 8> padding;
+	};
+	static_assert(sizeof(SeedDbEntry) == 0x20, "Size of SeedDbEntry was incorrect.");
+#pragma pack(pop)
+	
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/LzssProcess.cpp b/ctrtool/src/LzssProcess.cpp
new file mode 100644
index 00000000..bf6f908e
--- /dev/null
+++ b/ctrtool/src/LzssProcess.cpp
@@ -0,0 +1,54 @@
+#include "LzssProcess.h"
+#include "lzss.h"
+
+#include <tc/io.h>
+
+ctrtool::LzssProcess::LzssProcess() :
+	mModuleLabel("ctrtool::LzssProcess"),
+	mInputStream(),
+	mExtractPath()
+{
+}
+
+void ctrtool::LzssProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::LzssProcess::setExtractPath(const tc::io::Path& extract_path)
+{
+	mExtractPath = extract_path;
+}
+
+void ctrtool::LzssProcess::process()
+{
+	if (mExtractPath.isSet())
+	{
+		// read input file into memory
+		// check if input file is too large
+		if (tc::is_int64_t_too_large_for_size_t(mInputStream->length()))
+		{
+			throw tc::InvalidOperationException(mModuleLabel, "Input file is too large.");
+		}
+
+		// allocate memory for file
+		auto compressed_data = tc::ByteData((size_t)mInputStream->length());
+
+		// read file
+		mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+		mInputStream->read(compressed_data.data(), compressed_data.size());
+
+		// decompress
+		tc::ByteData decompressed_data = tc::ByteData(lzss_get_decompressed_size(compressed_data.data(), compressed_data.size()));
+		lzss_decompress(compressed_data.data(), compressed_data.size(), decompressed_data.data(), decompressed_data.size());
+
+		// open output file
+		tc::io::LocalFileSystem local_fs;
+		std::shared_ptr<tc::io::IStream> output_stream;
+		local_fs.openFile(mExtractPath.get(), tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, output_stream);
+
+		// write decompressed data
+		output_stream->seek(0, tc::io::SeekOrigin::Begin);
+		output_stream->write(decompressed_data.data(), decompressed_data.size());
+	}
+}
diff --git a/ctrtool/src/LzssProcess.h b/ctrtool/src/LzssProcess.h
new file mode 100644
index 00000000..3c50b192
--- /dev/null
+++ b/ctrtool/src/LzssProcess.h
@@ -0,0 +1,25 @@
+#pragma once
+#include "types.h"
+#include <tc/Optional.h>
+#include <tc/io/Path.h>
+#include <tc/io/IStream.h>
+
+namespace ctrtool {
+
+class LzssProcess
+{
+public:
+	LzssProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setExtractPath(const tc::io::Path& extract_path);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	tc::Optional<tc::io::Path> mExtractPath;
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/NcchProcess.cpp b/ctrtool/src/NcchProcess.cpp
new file mode 100644
index 00000000..bc3596e2
--- /dev/null
+++ b/ctrtool/src/NcchProcess.cpp
@@ -0,0 +1,968 @@
+#include "NcchProcess.h"
+#include "lzss.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+
+#include <ntd/n3ds/CtrKeyGenerator.h>
+#include <ntd/n3ds/exheader.h>
+#include "ExHeaderProcess.h"
+#include "ExeFsProcess.h"
+#include "IvfcProcess.h"
+
+ctrtool::NcchProcess::NcchProcess() :
+	mModuleLabel("ctrtool::NcchProcess"),
+	mInputStream(),
+	mVerbose(false),
+	mVerify(false),
+	mRaw(false),
+	mPlain(false),
+	mShowSyscallNames(false),
+	mContentSize(0),
+	mBlockSize(0),
+	mDecompressExeFsCode(false)
+{
+	memset((byte_t*)&mHeader, 0, sizeof(ntd::n3ds::NcchHeader));
+	for (size_t i = 0; i < NcchRegionNum; i++)
+	{
+		mRegionOpt[i].show_info = true;
+		mRegionOpt[i].show_fs = false;
+		mRegionOpt[i].bin_extract_path.makeNull();
+		mRegionOpt[i].fs_extract_path.makeNull();
+
+		mRegionInfo[i].valid = ValidState::Unchecked;
+		mRegionInfo[i].offset = 0;
+		mRegionInfo[i].size = 0;
+		mRegionInfo[i].hashed_offset = 0;
+		mRegionInfo[i].hashed_size = 0;
+		mRegionInfo[i].raw_stream = nullptr;
+		mRegionInfo[i].ready_stream = nullptr;
+	}
+}
+
+void ctrtool::NcchProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::NcchProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::NcchProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::NcchProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+void ctrtool::NcchProcess::setRawMode(bool raw)
+{
+	mRaw = raw;
+}
+
+void ctrtool::NcchProcess::setPlainMode(bool plain)
+{
+	mPlain = plain;
+}
+
+void ctrtool::NcchProcess::setShowSyscallName(bool show_name)
+{
+	mShowSyscallNames = show_name;
+}
+
+
+void ctrtool::NcchProcess::setRegionProcessOutputMode(NcchRegion region, bool show_info, bool show_fs, const tc::Optional<tc::io::Path>& bin_extract_path, const tc::Optional<tc::io::Path>& fs_extract_path)
+{
+	mRegionOpt[region].show_info = show_info;
+	mRegionOpt[region].show_fs = show_fs;
+	mRegionOpt[region].bin_extract_path = bin_extract_path;
+	mRegionOpt[region].fs_extract_path = fs_extract_path;
+}
+
+void ctrtool::NcchProcess::process()
+{
+	importHeader();
+	determineRegionLayout();
+	determineRegionEncryption();
+	if (mVerify)
+		verifyRegions();
+	if (mRegionOpt[NcchRegion_Header].show_info)
+		printHeader();
+	extractRegionBinaries();
+	processRegions();
+}
+
+void ctrtool::NcchProcess::importHeader()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	// import header
+	if (mInputStream->length() < sizeof(ntd::n3ds::NcchHeader))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small.");
+	}
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::NcchHeader));
+
+	// check the struct magic
+	if (mHeader.header.struct_magic.unwrap() != ntd::n3ds::NcchCommonHeader::kStructMagic)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "NcchHeader is corrupted (Bad struct magic).");
+	}
+
+
+	// determine block size
+	switch (mHeader.header.format_version.unwrap())
+	{
+		// CFA
+		case ntd::n3ds::NcchCommonHeader::FormatVersion_CFA:
+		// CXI
+		case ntd::n3ds::NcchCommonHeader::FormatVersion_CXI:
+			mBlockSize = static_cast<int64_t>(1) << (mHeader.header.flags.block_size_log + 9);
+			break;
+		// Prototype
+		case ntd::n3ds::NcchCommonHeader::FormatVersion_CXI_PROTOTYPE:
+			mBlockSize = static_cast<int64_t>(1);
+			break;
+		default:
+			throw tc::InvalidOperationException(mModuleLabel, fmt::format("NcchHeader has unsupported format version. (0x{:02x})", mHeader.header.format_version.unwrap()));
+
+	}
+
+
+	if (mHeader.header.exhdr_size.unwrap() != 0 && mHeader.header.exhdr_size.unwrap() != sizeof(ntd::n3ds::ExtendedHeader))
+	{
+		throw tc::InvalidOperationException(mModuleLabel, fmt::format("NcchHeader has invalid ExHeader size. (0x{:02x})", mHeader.header.exhdr_size.unwrap()));
+	}
+
+	// get content size
+	mContentSize = int64_t(mHeader.header.content_blk_size.unwrap()) * mBlockSize;
+
+	if (mInputStream->length() < mContentSize)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream too small.");
+	}
+}
+
+void ctrtool::NcchProcess::determineRegionLayout()
+{
+	// get region layout
+	mRegionInfo[NcchRegion_Header].offset = 0;
+	mRegionInfo[NcchRegion_Header].size = sizeof(ntd::n3ds::NcchHeader);
+	mRegionInfo[NcchRegion_Header].hashed_offset = sizeof(ntd::n3ds::NcchHeader::signature);
+	mRegionInfo[NcchRegion_Header].hashed_size = sizeof(ntd::n3ds::NcchCommonHeader);
+
+	if (mHeader.header.exhdr_size.unwrap() > 0)
+	{
+		mRegionInfo[NcchRegion_ExHeader].offset = sizeof(ntd::n3ds::NcchHeader);
+		mRegionInfo[NcchRegion_ExHeader].size = mHeader.header.exhdr_size.unwrap() + sizeof(ntd::n3ds::AccessDescriptor);
+		mRegionInfo[NcchRegion_ExHeader].hashed_offset = 0;
+		mRegionInfo[NcchRegion_ExHeader].hashed_size = mHeader.header.exhdr_size.unwrap();
+	}
+	if (mHeader.header.format_version.unwrap() == ntd::n3ds::NcchCommonHeader::FormatVersion_CXI_PROTOTYPE && mHeader.header.exhdr_hash[0] != 0)
+	{
+		mRegionInfo[NcchRegion_ExHeader].offset = sizeof(ntd::n3ds::NcchHeader);
+		mRegionInfo[NcchRegion_ExHeader].size = sizeof(ntd::n3ds::ExtendedHeader) + sizeof(ntd::n3ds::AccessDescriptor);
+		mRegionInfo[NcchRegion_ExHeader].hashed_offset = 0;
+		mRegionInfo[NcchRegion_ExHeader].hashed_size = mHeader.header.exhdr_size.unwrap();
+	}
+	if (mHeader.header.plain_region_blk_size.unwrap() > 0)
+	{
+		mRegionInfo[NcchRegion_PlainRegion].offset = mHeader.header.plain_region_blk_offset.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_PlainRegion].size = mHeader.header.plain_region_blk_size.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_PlainRegion].hashed_offset = 0;
+		mRegionInfo[NcchRegion_PlainRegion].hashed_size = 0;
+	}
+	if (mHeader.header.logo_blk_size.unwrap() > 0)
+	{
+		mRegionInfo[NcchRegion_Logo].offset = mHeader.header.logo_blk_offset.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_Logo].size = mHeader.header.logo_blk_size.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_Logo].hashed_offset = 0;
+		mRegionInfo[NcchRegion_Logo].hashed_size = mRegionInfo[NcchRegion_Logo].size;
+	}
+	if (mHeader.header.exefs_blk_size.unwrap() > 0)
+	{
+		mRegionInfo[NcchRegion_ExeFs].offset = mHeader.header.exefs_blk_offset.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_ExeFs].size = mHeader.header.exefs_blk_size.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_ExeFs].hashed_offset = 0;
+		mRegionInfo[NcchRegion_ExeFs].hashed_size = mHeader.header.exefs_prot_blk_size.unwrap() * mBlockSize;
+	}
+	if (mHeader.header.romfs_blk_size.unwrap() > 0)
+	{
+		mRegionInfo[NcchRegion_RomFs].offset = mHeader.header.romfs_blk_offset.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_RomFs].size = mHeader.header.romfs_blk_size.unwrap() * mBlockSize;
+		mRegionInfo[NcchRegion_RomFs].hashed_offset = 0;
+		mRegionInfo[NcchRegion_RomFs].hashed_size = mHeader.header.romfs_prot_blk_size.unwrap() * mBlockSize;
+	}
+	
+	// create raw streams
+	for (size_t i = 0; i < NcchRegionNum; i++)
+	{
+		if (mRegionInfo[i].size)
+		{
+			mRegionInfo[i].raw_stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(mInputStream, mRegionInfo[i].offset, mRegionInfo[i].size));
+			// plain region & header are never encrypted
+			if (i == NcchRegion_PlainRegion || i == NcchRegion_Header || i == NcchRegion_Logo)
+			{
+				mRegionInfo[i].ready_stream = mRegionInfo[i].raw_stream;
+			}
+		}
+	}
+}
+
+
+void ctrtool::NcchProcess::determineRegionEncryption()
+{
+	// quick test to determine if the crypto layer has been stripped by tools like GodMode9, not strictly required, but this matches classic ctrtool behaviour
+	bool crypto_is_stripped = false;
+	if (mRegionInfo[NcchRegion_ExHeader].size >= sizeof(ntd::n3ds::ExtendedHeader) && mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_NoEncryption) == false)
+	{
+		std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> exheader_hash;
+		tc::ByteData exheader_data = tc::ByteData(sizeof(ntd::n3ds::ExtendedHeader));
+		mRegionInfo[NcchRegion_ExHeader].raw_stream->seek(0, tc::io::SeekOrigin::Begin);
+		mRegionInfo[NcchRegion_ExHeader].raw_stream->read(exheader_data.data(), exheader_data.size());
+	
+		tc::crypto::GenerateSha256Hash(exheader_hash.data(), exheader_data.data(), exheader_data.size());
+		crypto_is_stripped = memcmp(exheader_hash.data(), mHeader.header.exhdr_hash.data(), exheader_hash.size()) == 0;
+	}
+	if (crypto_is_stripped)
+	{
+		fmt::print("[LOG/NCCH] NCCH appears to be decrypted, contrary to header flags.\n");
+	}
+
+	// determine encryption mode
+	if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_NoEncryption) || mPlain || crypto_is_stripped)
+	{
+		// set ready streams to be not encrypted
+		for (size_t i = 0; i < NcchRegionNum; i++)
+		{
+			if (mRegionInfo[i].size && mRegionInfo[i].ready_stream == nullptr && mRegionInfo[i].raw_stream != nullptr)
+			{
+				mRegionInfo[i].ready_stream = mRegionInfo[i].raw_stream;
+			}
+		}
+	}
+	else
+	{
+		struct KeySlot
+		{
+			byte_t valid_x;
+			KeyBag::Aes128Key x;
+			byte_t valid_y;
+			KeyBag::Aes128Key y;
+			byte_t valid_key;
+			KeyBag::Aes128Key key;
+		} keyslot[2];
+
+		keyslot[0].valid_x = ValidState::Unchecked;
+		keyslot[0].valid_y = ValidState::Unchecked;
+		keyslot[0].valid_key = ValidState::Unchecked;
+		keyslot[1].valid_x = ValidState::Unchecked;
+		keyslot[1].valid_y = ValidState::Unchecked;
+		keyslot[1].valid_key = ValidState::Unchecked;
+
+		// if fixed AES key
+		if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_FixedAesKey))
+		{
+			// set AES keys to fixed key
+
+			// load aes keys
+			auto key_itr = mKeyBag.ncch_fixed_key.find(isSystemTitle() ? mKeyBag.NCCH_SYSTEM_FIXED_KEY : mKeyBag.NCCH_APPLICATION_FIXED_KEY);
+			if (key_itr == mKeyBag.ncch_fixed_key.end())
+			{
+				keyslot[0].valid_key = ValidState::Fail;
+				keyslot[1].valid_key = ValidState::Fail;
+
+				fmt::print(stderr, "Could not read {} fixed key.\n", (isSystemTitle()? "system" : "application"));
+			}
+
+			// save keys
+			keyslot[0].key = key_itr->second;
+			keyslot[1].key = key_itr->second;
+
+			keyslot[0].valid_key = ValidState::Good;
+			keyslot[1].valid_key = ValidState::Good;
+
+		}
+		else
+		{
+			// keyslot[0]
+			// load key_x
+			auto keyx_itr = mKeyBag.ncch_secure_key_x.find(0);
+			if (keyx_itr == mKeyBag.ncch_secure_key_x.end())
+			{
+				keyslot[0].valid_x = ValidState::Fail;
+
+				fmt::print(stderr, "Could not read secure key_x[0x{:02x}].\n", 0);
+			}
+			else
+			{
+				keyslot[0].x = keyx_itr->second;
+
+				keyslot[0].valid_x = ValidState::Good;
+			}
+			
+			// load key_y
+			memcpy(keyslot[0].y.data(), mHeader.signature.data(), keyslot[0].y.size());
+			keyslot[0].valid_y = ValidState::Good;
+			
+			// keyslot[1]
+			// load key_x
+			byte_t security_version = mHeader.header.flags.security_version;
+			keyx_itr = mKeyBag.ncch_secure_key_x.find(security_version);
+			if (keyx_itr == mKeyBag.ncch_secure_key_x.end())
+			{
+				keyslot[1].valid_x = ValidState::Fail;
+
+				fmt::print(stderr, "Could not read secure key_x[0x{:02x}].\n", security_version);
+			}
+			else
+			{
+				keyslot[1].x = keyx_itr->second;
+
+				keyslot[1].valid_x = ValidState::Good;
+			}
+			
+			memcpy(keyslot[1].x.data(), keyx_itr->second.data(), keyslot[1].x.size());
+
+			// load key_y
+			if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_SeededAesKeyY))
+			{
+				tc::crypto::Sha256Generator hashgen;
+				std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+
+				// import seed
+				KeyBag::Aes128Key seed;
+				auto seed_itr = mKeyBag.seed_db.find(mHeader.header.program_id.unwrap());
+				if (seed_itr != mKeyBag.seed_db.end())
+				{
+					memcpy(seed.data(), seed_itr->second.data(), seed.size());
+				}
+				else if (mKeyBag.fallback_seed.isSet())
+				{
+					memcpy(seed.data(), mKeyBag.fallback_seed.get().data(), seed.size());
+				}
+				else
+				{
+					keyslot[1].valid_y = ValidState::Fail;
+
+					fmt::print(stderr, "This title uses seed crypto, but no seed is set, unable to decrypt.\n");
+					fmt::print(stderr, "Use -p to avoid decryption or use --seeddb=dbfile or --seed=SEEDHERE.\n");
+				}
+
+				if (keyslot[1].valid_y != ValidState::Fail)
+				{
+					// validate seed
+					hashgen.initialize();
+					hashgen.update(seed.data(), seed.size());
+					hashgen.update((byte_t*)&mHeader.header.program_id, sizeof(mHeader.header.program_id));
+					hashgen.getHash(hash.data());
+					if (memcmp(hash.data(), mHeader.header.seed_checksum.data(), mHeader.header.seed_checksum.size()) != 0)
+					{
+						keyslot[1].valid_y = ValidState::Fail;
+
+						fmt::print(stderr, "Seed check mismatch. (Got {:08x}, expected: {:08x})\n",
+							((tc::bn::be32<uint32_t>*)hash.data())->unwrap(),
+							((tc::bn::be32<uint32_t>*)mHeader.header.seed_checksum.data())->unwrap());
+					}
+				}
+
+				if (keyslot[1].valid_y != ValidState::Fail)
+				{
+					// generate seeded key_y
+					hashgen.initialize();
+					hashgen.update(keyslot[0].y.data(), keyslot[0].y.size());
+					hashgen.update(seed.data(), seed.size());
+					hashgen.getHash(hash.data());
+
+					memcpy(keyslot[1].y.data(), hash.data(), keyslot[1].y.size());
+					keyslot[1].valid_y = ValidState::Good;
+				}
+			}
+			else
+			{
+				memcpy(keyslot[1].y.data(), mHeader.signature.data(), keyslot[1].y.size());
+				keyslot[1].valid_y = ValidState::Good;
+			}
+			
+			// generate secure keys
+			if (keyslot[0].valid_x == ValidState::Good && keyslot[0].valid_y == ValidState::Good)
+			{
+				ntd::n3ds::CtrKeyGenerator::GenerateKey(keyslot[0].x.data(), keyslot[0].y.data(), keyslot[0].key.data());
+				keyslot[0].valid_key = ValidState::Good;
+			}
+			else
+			{
+				keyslot[0].valid_key = ValidState::Fail;
+			}
+
+			if (keyslot[1].valid_x == ValidState::Good && keyslot[1].valid_y == ValidState::Good)
+			{
+				ntd::n3ds::CtrKeyGenerator::GenerateKey(keyslot[1].x.data(), keyslot[1].y.data(), keyslot[1].key.data());
+				keyslot[1].valid_key = ValidState::Good;
+			}
+			else
+			{
+				keyslot[1].valid_key = ValidState::Fail;
+			}	
+		}
+
+		// output keys if required
+		if (mVerbose)
+		{
+			fmt::print("[LOG/NCCH] NCCH AES Key0 {}\n", (keyslot[0].valid_key ? tc::cli::FormatUtil::formatBytesAsString(keyslot[0].key.data(), keyslot[0].key.size(), true, "") : "could not be determined"));
+			fmt::print("[LOG/NCCH] NCCH AES Key1 {}\n", (keyslot[1].valid_key ? tc::cli::FormatUtil::formatBytesAsString(keyslot[1].key.data(), keyslot[1].key.size(), true, "") : "could not be determined"));
+		}
+
+		// generate aes counter
+		KeyBag::Aes128Key exheader_aesctr, exefs_aesctr, romfs_aesctr;
+		if (mRegionInfo[NcchRegion_ExHeader].size)
+		{
+			getAesCounter(exheader_aesctr.data(), NcchRegion_ExHeader);
+
+			if (mVerbose)
+			{
+				fmt::print("[LOG/NCCH] NCCH ExHeader AES Counter {}\n", tc::cli::FormatUtil::formatBytesAsString(exheader_aesctr.data(), exheader_aesctr.size(), true, ""));
+			}
+		}
+		if (mRegionInfo[NcchRegion_ExeFs].size)
+		{
+			getAesCounter(exefs_aesctr.data(), NcchRegion_ExeFs);
+
+			if (mVerbose)
+			{
+				fmt::print("[LOG/NCCH] NCCH ExeFS AES Counter {}\n", tc::cli::FormatUtil::formatBytesAsString(exefs_aesctr.data(), exefs_aesctr.size(), true, ""));
+			}
+		}
+		if (mRegionInfo[NcchRegion_RomFs].size)
+		{
+			getAesCounter(romfs_aesctr.data(), NcchRegion_RomFs);
+
+			if (mVerbose)
+			{
+				fmt::print("[LOG/NCCH] NCCH RomFS AES Counter {}\n", tc::cli::FormatUtil::formatBytesAsString(romfs_aesctr.data(), romfs_aesctr.size(), true, ""));
+			}
+		}
+
+		// prepare ready_stream using encryption streams if keys are available
+		if (mRegionInfo[NcchRegion_ExHeader].size && keyslot[0].valid_key == ValidState::Good)
+		{
+			mRegionInfo[NcchRegion_ExHeader].ready_stream = std::shared_ptr<tc::crypto::Aes128CtrEncryptedStream>(new tc::crypto::Aes128CtrEncryptedStream(mRegionInfo[NcchRegion_ExHeader].raw_stream, keyslot[0].key, exheader_aesctr));
+		}
+		if (mRegionInfo[NcchRegion_ExeFs].size && keyslot[0].valid_key == ValidState::Good)
+		{
+			// if key[1] is valid create the correct mixed key stream
+			if (keyslot[1].valid_key == ValidState::Good)
+			{
+				// if the keys are the same, don't over complicate the encrypted stream
+				if (false)//(memcmp(keyslot[0].key.data(), keyslot[1].key.data(), keyslot[0].key.size()) == 0)
+				{
+					mRegionInfo[NcchRegion_ExeFs].ready_stream = std::shared_ptr<tc::crypto::Aes128CtrEncryptedStream>(new tc::crypto::Aes128CtrEncryptedStream(mRegionInfo[NcchRegion_ExeFs].raw_stream, keyslot[0].key, exefs_aesctr));
+				}
+				else
+				{
+					// import ExeFs header
+					if (mRegionInfo[NcchRegion_ExeFs].raw_stream->length() < sizeof(ntd::n3ds::ExeFsHeader))
+					{
+						throw tc::InvalidOperationException(mModuleLabel, "Stream is too small (cannot import ExeFsHeader).");
+					}
+					ntd::n3ds::ExeFsHeader exefs_hdr;
+					mRegionInfo[NcchRegion_ExeFs].raw_stream->seek(0, tc::io::SeekOrigin::Begin);
+					mRegionInfo[NcchRegion_ExeFs].raw_stream->read((byte_t*)&exefs_hdr, sizeof(exefs_hdr));
+
+					tc::crypto::DecryptAes128Ctr((byte_t*)&exefs_hdr, (byte_t*)&exefs_hdr, sizeof(exefs_hdr), 0, keyslot[0].key.data(), keyslot[0].key.size(), exefs_aesctr.data(), exefs_aesctr.size());
+
+					// quick header validation
+					if (exefs_hdr.file_table[0].name[0] == 0 ||
+					    exefs_hdr.file_table[0].offset.unwrap() != 0 ||
+					    exefs_hdr.getFileHash(0)->operator[](0) == 0)
+					{
+						throw tc::ArgumentOutOfRangeException(mModuleLabel, "ExeFsHeader is corrupted (Bad first entry).");
+					}
+
+					// create key maps
+					std::vector<std::shared_ptr<tc::io::IStream>> exefs_streams;
+					exefs_streams.push_back(std::make_shared<tc::crypto::Aes128CtrEncryptedStream>(tc::crypto::Aes128CtrEncryptedStream(std::make_shared<tc::io::SubStream>(tc::io::SubStream(mRegionInfo[NcchRegion_ExeFs].raw_stream, 0x0, sizeof(ntd::n3ds::ExeFsHeader))), keyslot[0].key, exefs_aesctr)));
+					byte_t keyslot_index;
+					for (size_t i = 0; i < exefs_hdr.kFileNum; i++)
+					{
+						std::string file_name = exefs_hdr.file_table[i].name.decode();
+						int64_t file_offset = sizeof(ntd::n3ds::ExeFsHeader) + int64_t(exefs_hdr.file_table[i].offset.unwrap());
+						int64_t file_length = align<int64_t>(exefs_hdr.file_table[i].size.unwrap(), exefs_hdr.kExeFsSectionAlignSize);
+
+						// skip empty sections
+						if (exefs_hdr.file_table[i].size.unwrap() == 0)
+							continue;
+
+						// determine range based on name
+						if (file_name == "icon" || file_name == "banner")
+						{
+							// old key
+							keyslot_index = 0;
+						}
+						else
+						{
+							// new key
+							keyslot_index = 1;
+						}
+
+						tc::crypto::Aes128CtrEncryptedStream::counter_t file_counter;
+						memcpy(file_counter.data(), exefs_aesctr.data(), exefs_aesctr.size());
+						tc::crypto::IncrementCounterAes128Ctr(file_counter.data(), file_offset >> 4);
+						exefs_streams.push_back(std::make_shared<tc::crypto::Aes128CtrEncryptedStream>(tc::crypto::Aes128CtrEncryptedStream(std::make_shared<tc::io::SubStream>(tc::io::SubStream(mRegionInfo[NcchRegion_ExeFs].raw_stream, file_offset, file_length)), keyslot[keyslot_index].key, file_counter)));
+					}
+					mRegionInfo[NcchRegion_ExeFs].ready_stream = std::make_shared<tc::io::ConcatenatedStream>(tc::io::ConcatenatedStream(exefs_streams));
+				}
+			}
+			// otherwise use the "best-effort" single key stream (only icon and banner will be decrypt properly)
+			else
+			{
+				fmt::print(stderr, "Only NCCH key0 was determined, so ExeFS will be partially decrypted\n");
+				mRegionInfo[NcchRegion_ExeFs].ready_stream = std::shared_ptr<tc::crypto::Aes128CtrEncryptedStream>(new tc::crypto::Aes128CtrEncryptedStream(mRegionInfo[NcchRegion_ExeFs].raw_stream, keyslot[0].key, exefs_aesctr));
+			}
+		}
+		if (mRegionInfo[NcchRegion_RomFs].size && keyslot[1].valid_key == ValidState::Good)
+		{
+			mRegionInfo[NcchRegion_RomFs].ready_stream = std::shared_ptr<tc::crypto::Aes128CtrEncryptedStream>(new tc::crypto::Aes128CtrEncryptedStream(mRegionInfo[NcchRegion_RomFs].raw_stream, keyslot[1].key, romfs_aesctr));
+		}
+	}
+}
+
+
+void ctrtool::NcchProcess::verifyRegions()
+{
+	tc::crypto::Sha256Generator hash_calc;
+	using Sha256Hash = std::array<byte_t, hash_calc.kHashSize>;
+	std::array<Sha256Hash, NcchRegionNum> region_hashes;
+	tc::ByteData cache = tc::ByteData(0x10000);
+	size_t cache_read_len = 0;
+
+	// generate region sha2-256 hashes
+	for (size_t i = 0; i < mRegionInfo.size(); i++)
+	{
+		if (mRegionInfo[i].hashed_size > 0 && mRegionInfo[i].ready_stream != nullptr)
+		{
+			// seek ready_stream to hashed_offset
+			mRegionInfo[i].ready_stream->seek(mRegionInfo[i].hashed_offset, tc::io::SeekOrigin::Begin);
+
+			// init hash calc
+			hash_calc.initialize();
+
+			// update hash with cache reads
+			for (int64_t remaining_data = mRegionInfo[i].hashed_size; remaining_data > 0; remaining_data -= int64_t(cache_read_len))
+			{
+				cache_read_len = size_t(std::min<int64_t>(cache.size(), remaining_data));
+				cache_read_len = mRegionInfo[i].ready_stream->read(cache.data(), cache_read_len);
+				if (cache_read_len == 0)
+				{
+					throw tc::io::IOException(mModuleLabel, "Failed to read from NCCH region file.");
+				}
+
+				hash_calc.update(cache.data(), cache_read_len);
+			}
+			
+			// save hash
+			hash_calc.getHash(region_hashes[i].data());
+		}
+	}
+	
+	// header signature
+	if (mRegionInfo[NcchRegion_Header].hashed_size > 0)
+	{
+		// verify hash using CFA key
+		if (mHeader.header.flags.content_flag.form_type == mHeader.header.FormType_SimpleContent)
+		{
+			auto rsakey_itr = mKeyBag.rsa_key.find(mKeyBag.RSAKEY_CFA_CCI);
+			if (rsakey_itr != mKeyBag.rsa_key.end())
+			{
+				tc::crypto::RsaKey pubkey = rsakey_itr->second;
+
+				mRegionInfo[NcchRegion_Header].valid = tc::crypto::VerifyRsa2048Pkcs1Sha256(mHeader.signature.data(), region_hashes[NcchRegion_Header].data(), pubkey) ? ValidState::Good : ValidState::Fail;
+			}
+			else
+			{
+				// cannot locate rsa key to verify
+				fmt::print(stderr, "Could not read CFA public key.\n");
+				mRegionInfo[NcchRegion_Header].valid = ValidState::Fail;
+			}
+			
+		}
+		// verify hash using CXI key from exheader
+		else
+		{
+			if (mRegionInfo[NcchRegion_ExHeader].size > 0 && mRegionInfo[NcchRegion_ExHeader].ready_stream != nullptr)
+			{
+				// import exheader
+				tc::ByteData exheader_data = tc::ByteData(mRegionInfo[NcchRegion_ExHeader].size);
+				mRegionInfo[NcchRegion_ExHeader].ready_stream->seek(0, tc::io::SeekOrigin::Begin);
+				mRegionInfo[NcchRegion_ExHeader].ready_stream->read(exheader_data.data(), exheader_data.size());
+				ntd::n3ds::AccessDescriptor* accessdesc = (ntd::n3ds::AccessDescriptor*)(exheader_data.data() + sizeof(ntd::n3ds::ExtendedHeader));
+
+				// create public key from access desc
+				tc::crypto::RsaKey pubkey = tc::crypto::RsaPublicKey(accessdesc->ncch_rsa_modulus.data(), accessdesc->ncch_rsa_modulus.size());
+
+				// verify header signature
+				mRegionInfo[NcchRegion_Header].valid = tc::crypto::VerifyRsa2048Pkcs1Sha256(mHeader.signature.data(), region_hashes[NcchRegion_Header].data(), pubkey) ? ValidState::Good : ValidState::Fail;
+			}
+			else
+			{
+				// cannot locate rsa key to verify
+				fmt::print(stderr, "Could not read CXI public key from AccessDescriptor.\n");
+				mRegionInfo[NcchRegion_Header].valid = ValidState::Fail;
+			}
+		}
+	}
+
+	// exheader hash
+	if (mRegionInfo[NcchRegion_ExHeader].hashed_size > 0)
+	{
+		mRegionInfo[NcchRegion_ExHeader].valid = memcmp(region_hashes[NcchRegion_ExHeader].data(), mHeader.header.exhdr_hash.data(), region_hashes[NcchRegion_ExHeader].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	}
+
+	// logo hash
+	if (mRegionInfo[NcchRegion_Logo].hashed_size > 0)
+	{
+		mRegionInfo[NcchRegion_Logo].valid = memcmp(region_hashes[NcchRegion_Logo].data(), mHeader.header.logo_hash.data(), region_hashes[NcchRegion_Logo].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	}
+
+	// exefs hash
+	if (mRegionInfo[NcchRegion_ExeFs].hashed_size > 0)
+	{
+		mRegionInfo[NcchRegion_ExeFs].valid = memcmp(region_hashes[NcchRegion_ExeFs].data(), mHeader.header.exefs_prot_hash.data(), region_hashes[NcchRegion_ExeFs].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	}
+
+	// romfs hash
+	if (mRegionInfo[NcchRegion_RomFs].hashed_size > 0)
+	{
+		mRegionInfo[NcchRegion_RomFs].valid = memcmp(region_hashes[NcchRegion_RomFs].data(), mHeader.header.romfs_prot_hash.data(), region_hashes[NcchRegion_RomFs].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	}
+
+}
+
+void ctrtool::NcchProcess::printHeader()
+{
+	fmt::print("\n");
+	fmt::print("NCCH:\n");
+	fmt::print("Header:                 {}\n", "NCCH");
+	fmt::print("Signature: {:6}       {}", getValidString(mRegionInfo[NcchRegion_Header].valid), tc::cli::FormatUtil::formatBytesAsStringWithLineLimit(mHeader.signature.data(), mHeader.signature.size(), true, "", 0x20, 24, false));
+	fmt::print("Content size:           0x{:08x}\n", mHeader.header.content_blk_size.unwrap() * mBlockSize);
+	fmt::print("Title id:               {:016x}\n", mHeader.header.content_id.unwrap());
+	fmt::print("Maker code:             {}\n", mHeader.header.maker_code.decode());
+	fmt::print("FormatVersion:          {:d}\n", mHeader.header.format_version.unwrap());
+	fmt::print("Title seed check:       {}\n", tc::cli::FormatUtil::formatBytesAsString(mHeader.header.seed_checksum.data(), mHeader.header.seed_checksum.size(), true, ""));
+	fmt::print("Program id:             {:016x}\n", mHeader.header.program_id.unwrap());
+	fmt::print("Logo hash: {:6}       {}\n", getValidString(mRegionInfo[NcchRegion_Logo].valid), tc::cli::FormatUtil::formatBytesAsString(mHeader.header.logo_hash.data(), mHeader.header.logo_hash.size(), true, ""));
+	fmt::print("Product code:           {}\n",  mHeader.header.product_code.decode());
+	fmt::print("Exheader size:          0x{:x}\n", mHeader.header.exhdr_size.unwrap());
+	fmt::print("Exheader hash: {:6}   {}\n", getValidString(mRegionInfo[NcchRegion_ExHeader].valid), tc::cli::FormatUtil::formatBytesAsString(mHeader.header.exhdr_hash.data(), mHeader.header.exhdr_hash.size(), true, ""));
+	fmt::print("Flags:                  {}\n", tc::cli::FormatUtil::formatBytesAsString(mHeader.header.flags.data(), mHeader.header.flags.size(), true, ""));
+
+	// crypto key
+	fmt::print(" > Crypto Key           ");
+	if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_NoEncryption))
+	{
+		fmt::print("None");
+	}
+	else if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_FixedAesKey))
+	{
+		fmt::print("Fixed ({})", (isSystemTitle() ? "System" : "Application"));
+	}
+	else
+	{
+		fmt::print("Secure ({:d})", (uint32_t)mHeader.header.flags.security_version);
+		if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_SeededAesKeyY))
+		{
+			fmt::print(" (KeyY seeded)");
+		}
+	}
+	fmt::print("\n");
+
+	std::vector<std::string> content_platforms;
+	for (size_t bit = 0; bit < mHeader.header.flags.content_platform.bit_size(); bit++)
+	{
+		if (mHeader.header.flags.content_platform.test(bit))
+		{
+			content_platforms.push_back(getContentPlatformString(bit));
+		}
+	}
+	fmt::print(" > ContentPlatorm:      {}", tc::cli::FormatUtil::formatListWithLineLimit(content_platforms, 4, 24, false));
+
+	fmt::print(" > FormType:            {}\n", getFormTypeString(mHeader.header.flags.content_flag.form_type));
+	fmt::print(" > ContentType:         {}\n", getContentTypeString(mHeader.header.flags.content_flag.content_type));
+	fmt::print(" > BlockSize:           0x{:x}\n", mBlockSize);
+	if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_NoMountRomFS))
+		fmt::print(" > No RomFS mount\n");
+	if (mHeader.header.flags.other_flag.test(ntd::n3ds::NcchCommonHeader::OtherFlag_ManualDisclosure))
+		fmt::print(" > Disclose eManual\n");
+
+	fmt::print("Plain region offset:    0x{:08x}\n", mHeader.header.plain_region_blk_offset.unwrap() * mBlockSize);
+	fmt::print("Plain region size:      0x{:08x}\n", mHeader.header.plain_region_blk_size.unwrap() * mBlockSize);
+	fmt::print("Logo offset:            0x{:08x}\n", mHeader.header.logo_blk_offset.unwrap() * mBlockSize);
+	fmt::print("Logo size:              0x{:08x}\n", mHeader.header.logo_blk_size.unwrap() * mBlockSize);
+	fmt::print("ExeFS offset:           0x{:08x}\n", mHeader.header.exefs_blk_offset.unwrap() * mBlockSize);
+	fmt::print("ExeFS size:             0x{:08x}\n", mHeader.header.exefs_blk_size.unwrap() * mBlockSize);
+	fmt::print("ExeFS hash region size: 0x{:08x}\n", mHeader.header.exefs_prot_blk_size.unwrap() * mBlockSize);
+	fmt::print("RomFS offset:           0x{:08x}\n", mHeader.header.romfs_blk_offset.unwrap() * mBlockSize);
+	fmt::print("RomFS size:             0x{:08x}\n", mHeader.header.romfs_blk_size.unwrap() * mBlockSize);
+	fmt::print("RomFS hash region size: 0x{:08x}\n", mHeader.header.romfs_prot_blk_size.unwrap() * mBlockSize);
+	fmt::print("ExeFS hash: {:6}      {}\n", getValidString(mRegionInfo[NcchRegion_ExeFs].valid), tc::cli::FormatUtil::formatBytesAsString(mHeader.header.exefs_prot_hash.data(), mHeader.header.exefs_prot_hash.size(), true, ""));
+	fmt::print("RomFS hash: {:6}      {}\n", getValidString(mRegionInfo[NcchRegion_RomFs].valid), tc::cli::FormatUtil::formatBytesAsString(mHeader.header.romfs_prot_hash.data(), mHeader.header.romfs_prot_hash.size(), true, ""));
+}
+
+void ctrtool::NcchProcess::extractRegionBinaries()
+{
+	/*
+	original order
+		ncch_save(ctx, NCCHTYPE_EXEFS, actions);
+		ncch_save(ctx, NCCHTYPE_ROMFS, actions);
+		ncch_save(ctx, NCCHTYPE_EXHEADER, actions);
+		ncch_save(ctx, NCCHTYPE_LOGO, actions);
+		ncch_save(ctx, NCCHTYPE_PLAINRGN, actions);
+	*/
+
+	tc::io::LocalFileSystem local_fs;
+	tc::ByteData cache = tc::ByteData(0x10000);
+	size_t cache_read_len;
+	std::shared_ptr<tc::io::IStream> in_stream;
+	std::shared_ptr<tc::io::IStream> out_stream;
+	for (size_t i = 0; i < NcchRegionNum; i++)
+	{
+		if (mRegionOpt[i].bin_extract_path.isSet() && mRegionInfo[i].ready_stream != nullptr)
+		{
+			switch(i)
+			{
+				case NcchRegion_Header: fmt::print("Saving Header...\n"); break;
+				case NcchRegion_ExHeader: fmt::print("Saving Extended Header...\n"); break;
+				case NcchRegion_PlainRegion: fmt::print("Saving Plain Region...\n"); break;
+				case NcchRegion_Logo: fmt::print("Saving Logo...\n"); break;
+				case NcchRegion_ExeFs: fmt::print("Saving ExeFS...\n"); break;
+				case NcchRegion_RomFs: fmt::print("Saving RomFS...\n"); break;
+			}
+
+			in_stream = mRegionInfo[i].ready_stream;
+			local_fs.openFile(mRegionOpt[i].bin_extract_path.get(), tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
+
+			in_stream->seek(0, tc::io::SeekOrigin::Begin);
+			out_stream->seek(0, tc::io::SeekOrigin::Begin);
+			for (int64_t remaining_data = in_stream->length(); remaining_data > 0;)
+			{
+				cache_read_len = in_stream->read(cache.data(), cache.size());
+				if (cache_read_len == 0)
+				{
+					throw tc::io::IOException(mModuleLabel, "Failed to read from NCCH Region.");
+				}
+
+				out_stream->write(cache.data(), cache_read_len);
+
+				remaining_data -= int64_t(cache_read_len);
+			}
+		}
+	}
+}
+
+void ctrtool::NcchProcess::processRegions()
+{
+	if (mRegionInfo[NcchRegion_ExHeader].size != 0 && mRegionInfo[NcchRegion_ExHeader].ready_stream != nullptr)
+	{
+		ctrtool::ExHeaderProcess proc;
+		proc.setInputStream(mRegionInfo[NcchRegion_ExHeader].ready_stream);
+		proc.setKeyBag(mKeyBag);
+		proc.setCliOutputMode(mRegionOpt[NcchRegion_ExHeader].show_info);
+		proc.setVerboseMode(mVerbose);
+		proc.setVerifyMode(mVerify);
+		proc.setShowSyscallName(mShowSyscallNames);
+		
+		proc.process();
+	}
+	if (mRegionInfo[NcchRegion_ExeFs].size != 0 && mRegionInfo[NcchRegion_ExeFs].ready_stream != nullptr)
+	{
+		ctrtool::ExeFsProcess proc;
+		proc.setInputStream(mRegionInfo[NcchRegion_ExeFs].ready_stream);
+		proc.setCliOutputMode(mRegionOpt[NcchRegion_ExeFs].show_info, mRegionOpt[NcchRegion_ExeFs].show_fs);
+		proc.setVerboseMode(mVerbose);
+		proc.setVerifyMode(mVerify);
+		proc.setRawMode(mRaw);
+		proc.setDecompressCode(mDecompressExeFsCode);
+		if (mRegionOpt[NcchRegion_ExeFs].fs_extract_path.isSet())
+		{
+			proc.setExtractPath(mRegionOpt[NcchRegion_ExeFs].fs_extract_path.get());
+		}
+		proc.process();
+	}
+	if (mRegionInfo[NcchRegion_RomFs].size != 0 && mRegionInfo[NcchRegion_RomFs].ready_stream != nullptr)
+	{
+		ctrtool::IvfcProcess proc;
+		proc.setInputStream(mRegionInfo[NcchRegion_RomFs].ready_stream);
+		proc.setKeyBag(mKeyBag);
+		proc.setCliOutputMode(mRegionOpt[NcchRegion_RomFs].show_info, mRegionOpt[NcchRegion_RomFs].show_fs);
+		proc.setVerboseMode(mVerbose);
+		proc.setVerifyMode(mVerify);
+		if (mRegionOpt[NcchRegion_RomFs].fs_extract_path.isSet())
+		{
+			proc.setExtractPath(mRegionOpt[NcchRegion_RomFs].fs_extract_path.get());
+		}
+		proc.process();
+	}
+}
+
+std::string ctrtool::NcchProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+
+	switch (validstate)
+	{
+		case Unchecked:
+			ret_str =  "";
+			break;
+		case Good:
+			ret_str =  "(GOOD)";
+			break;
+		case Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::NcchProcess::getContentPlatformString(size_t bit)
+{
+	std::string ret_str;
+
+	switch(bit)
+	{
+		case ntd::n3ds::NcchCommonHeader::ContentPlatform_CTR :
+			ret_str = "CTR";
+			break;
+		case ntd::n3ds::NcchCommonHeader::ContentPlatform_SNAKE :
+			ret_str = "SNAKE";
+			break;
+		default:
+			ret_str = fmt::format("Unknown (bit {:d}", bit);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::NcchProcess::getFormTypeString(byte_t var)
+{
+	std::string ret_str;
+
+	switch(var)
+	{
+		case ntd::n3ds::NcchCommonHeader::FormType_Unassigned :
+			ret_str = "Not Assigned";
+			break;
+		case ntd::n3ds::NcchCommonHeader::FormType_SimpleContent :
+			ret_str = "Simple Content";
+			break;
+		case ntd::n3ds::NcchCommonHeader::FormType_ExecutableWithoutRomFS :
+			ret_str = "Executable (without RomFS)";
+			break;
+		case ntd::n3ds::NcchCommonHeader::FormType_Executable :
+			ret_str = "Executable";
+			break;
+		default:
+			ret_str = "Unknown";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::NcchProcess::getContentTypeString(byte_t var)
+{
+	std::string ret_str;
+
+	switch(var)
+	{
+		case ntd::n3ds::NcchCommonHeader::ContentType_Application :
+			ret_str = "Application";
+			break;
+		case ntd::n3ds::NcchCommonHeader::ContentType_SystemUpdate :
+			ret_str = "System Update (CTR)";
+			break;
+		case ntd::n3ds::NcchCommonHeader::ContentType_Manual :
+			ret_str = "Manual";
+			break;
+		case ntd::n3ds::NcchCommonHeader::ContentType_Child :
+			ret_str = "Child";
+			break;
+		case ntd::n3ds::NcchCommonHeader::ContentType_Trial :
+			ret_str = "Trial";
+			break;
+		case ntd::n3ds::NcchCommonHeader::ContentType_ExtendedSystemUpdate :
+			ret_str = "System Update (SNAKE)";
+			break;
+		default:
+			ret_str = "Unknown";
+			break;
+	}
+
+	return ret_str;
+}
+
+
+bool ctrtool::NcchProcess::isSystemTitle()
+{
+	return (mHeader.header.content_id.unwrap() & 0x0000001000000000) != 0;
+}
+
+void ctrtool::NcchProcess::getAesCounter(byte_t* counter, byte_t ncch_region)
+{
+	uint16_t version = mHeader.header.format_version.unwrap();
+
+	struct AesCounter_v0_v2
+	{
+		enum NcchTypeForCtr
+		{
+			NcchTypeForCtr_ExHeader = 1,
+			NcchTypeForCtr_ExeFs = 2,
+			NcchTypeForCtr_RomFs = 3
+		};
+
+		tc::bn::be64<uint64_t> title_id;
+		byte_t type;
+		std::array<byte_t, 7> block_bytes;
+	};
+
+	struct AesCounter_v1
+	{
+		tc::bn::le64<uint64_t> title_id;
+		tc::bn::be64<uint64_t> begin_offset;
+	};
+
+	if (version == ntd::n3ds::NcchCommonHeader::FormatVersion_CFA || version == ntd::n3ds::NcchCommonHeader::FormatVersion_CXI)
+	{
+		AesCounter_v0_v2* tmp = (AesCounter_v0_v2*)counter;
+		tmp->title_id.wrap(mHeader.header.content_id.unwrap());
+		if (ncch_region == NcchRegion_ExHeader)
+			tmp->type = tmp->NcchTypeForCtr_ExHeader;
+		else if (ncch_region == NcchRegion_ExeFs)
+			tmp->type = tmp->NcchTypeForCtr_ExeFs;
+		else if (ncch_region == NcchRegion_RomFs)
+			tmp->type = tmp->NcchTypeForCtr_RomFs;
+		memset(tmp->block_bytes.data(), 0, tmp->block_bytes.size());
+	}
+	else if (version == ntd::n3ds::NcchCommonHeader::FormatVersion_CXI_PROTOTYPE)
+	{
+		AesCounter_v1* tmp = (AesCounter_v1*)counter;
+		tmp->title_id.wrap(mHeader.header.content_id.unwrap());
+		tmp->begin_offset.wrap(mRegionInfo[ncch_region].offset);
+	}
+}
diff --git a/ctrtool/src/NcchProcess.h b/ctrtool/src/NcchProcess.h
new file mode 100644
index 00000000..319379bb
--- /dev/null
+++ b/ctrtool/src/NcchProcess.h
@@ -0,0 +1,92 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include <tc/Optional.h>
+#include <ntd/n3ds/ncch.h>
+
+namespace ctrtool {
+
+class NcchProcess
+{
+public:
+	enum NcchRegion
+	{
+		NcchRegion_Header,
+		NcchRegion_ExHeader,
+		NcchRegion_PlainRegion,
+		NcchRegion_Logo,
+		NcchRegion_ExeFs,
+		NcchRegion_RomFs,
+		NcchRegionNum
+	};
+
+	NcchProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setRawMode(bool raw);
+	void setPlainMode(bool plain);
+	void setShowSyscallName(bool show_name);
+	void setRegionProcessOutputMode(NcchRegion region, bool show_info, bool show_fs, const tc::Optional<tc::io::Path>& bin_extract_path, const tc::Optional<tc::io::Path>& fs_extract_path);
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	// Options
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mVerbose;
+	bool mVerify;
+	bool mRaw;
+	bool mPlain;
+	bool mShowSyscallNames;
+	struct NcchRegionOpt
+	{
+		bool show_info;
+		bool show_fs;
+		tc::Optional<tc::io::Path> bin_extract_path;
+		tc::Optional<tc::io::Path> fs_extract_path;
+	};
+	std::array<NcchRegionOpt, NcchRegionNum> mRegionOpt;
+
+
+	// BEGIN Runtime NCCH info
+	ntd::n3ds::NcchHeader mHeader;
+	int64_t mContentSize; // determined in ncch header processing
+	int64_t mBlockSize; // determined in ncch header processing
+	bool mDecompressExeFsCode; // determined in ncch exheader processing
+	struct NcchRegionInfo
+	{
+		byte_t valid;
+		int64_t offset;
+		int64_t size;
+		int64_t hashed_offset;
+		int64_t hashed_size;
+		std::shared_ptr<tc::io::IStream> raw_stream;
+		std::shared_ptr<tc::io::IStream> ready_stream;
+	};
+	std::array<NcchRegionInfo, NcchRegionNum> mRegionInfo;
+
+	void importHeader();
+	void determineRegionLayout();
+	void determineRegionEncryption();
+	void verifyRegions();
+	void printHeader();
+	void extractRegionBinaries();
+	void processRegions();
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+	std::string getContentPlatformString(size_t bit);
+	std::string getFormTypeString(byte_t var);
+	std::string getContentTypeString(byte_t var);
+	
+	// utils
+	bool isSystemTitle();
+	void getAesCounter(byte_t* counter, byte_t ncch_region);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/RomFsProcess.cpp b/ctrtool/src/RomFsProcess.cpp
new file mode 100644
index 00000000..dfbb2c08
--- /dev/null
+++ b/ctrtool/src/RomFsProcess.cpp
@@ -0,0 +1,231 @@
+#include "RomFsProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/ArgumentNullException.h>
+
+#include <ntd/n3ds/RomFsSnapshotGenerator.h>
+
+#include "CrrProcess.h"
+
+ctrtool::RomFsProcess::RomFsProcess() :
+	mModuleLabel("ctrtool::RomFsProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowHeaderInfo(false),
+	mShowFs(false),
+	mVerbose(false),
+	mVerify(false),
+	mExtractPath(),
+	mFsReader(),
+	mStaticCrr()
+{
+	memset((byte_t*)&mHeader, 0, sizeof(ntd::n3ds::RomFsHeader));
+}
+
+void ctrtool::RomFsProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::RomFsProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::RomFsProcess::setCliOutputMode(bool show_header_info, bool show_fs)
+{
+	mShowHeaderInfo = show_header_info;
+	mShowFs = show_fs;
+}
+
+void ctrtool::RomFsProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::RomFsProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+
+void ctrtool::RomFsProcess::setExtractPath(const tc::io::Path& extract_path)
+{
+	mExtractPath = extract_path;
+}
+
+void ctrtool::RomFsProcess::process()
+{
+	// begin processing
+	processHeader();
+	if (mShowHeaderInfo)
+		printHeader();
+	if (mStaticCrr != nullptr)
+		processCrr();
+	if (mShowFs)
+		printFs();
+	if (mExtractPath.isSet())
+		extractFs();
+}
+
+void ctrtool::RomFsProcess::processHeader()
+{
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	if (mInputStream->length() < sizeof(ntd::n3ds::RomFsHeader))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "Input stream is too small.");
+	}
+
+	// import header
+	mInputStream->seek(0, tc::io::SeekOrigin::Begin);
+	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::RomFsHeader));
+
+	/*
+	std::cout << "mHeader.header_size             : " << mHeader.header_size.unwrap() << std::endl;
+	std::cout << "sizeof(ntd::n3ds::RomFsHeader)      : " << sizeof(ntd::n3ds::RomFsHeader) << std::endl;
+	std::cout << "mHeader.dir_hash_bucket.offset : " << mHeader.dir_hash_bucket.offset.unwrap() << std::endl;
+	std::cout << "mHeader.data_offset             : " << mHeader.data_offset.unwrap() << std::endl;
+	std::cout << "expected data offset            : " << align<uint32_t>(mHeader.file_entry.offset.unwrap() + mHeader.file_entry.size.unwrap(), ntd::n3ds::RomFsHeader::kRomFsDataAlignSize) << std::endl;
+	*/
+
+	// do some simple checks to verify if this is an ROMFS header
+	if (mHeader.header_size.unwrap() != sizeof(ntd::n3ds::RomFsHeader) ||
+	    mHeader.dir_hash_bucket.offset.unwrap() != sizeof(ntd::n3ds::RomFsHeader) ||
+	    mHeader.data_offset.unwrap() != align<uint32_t>(mHeader.file_entry.offset.unwrap() + mHeader.file_entry.size.unwrap(), ntd::n3ds::RomFsHeader::kRomFsDataAlignSize))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "RomFsHeader is corrupted.");
+	}
+
+	// create FileSystem reader
+	mFsReader = std::shared_ptr<tc::io::VirtualFileSystem>(new tc::io::VirtualFileSystem(ntd::n3ds::RomFsSnapshotGenerator(mInputStream)));
+
+	// Open romfs:/.crr/static.crr
+	if (mFsReader != nullptr)
+	{
+		try {
+			mFsReader->openFile(tc::io::Path("/.crr/static.crr"), tc::io::FileMode::Open, tc::io::FileAccess::Read, mStaticCrr);
+		} catch (const tc::io::FileNotFoundException&) {
+			// do nothing
+		}
+	}
+	
+}
+
+void ctrtool::RomFsProcess::printHeader()
+{
+	fmt::print("\n");
+	fmt::print("RomFS:\n");
+	fmt::print("Header size:            0x{:08x}\n", mHeader.header_size.unwrap());
+	fmt::print("DirHashBucket offset:   0x{:08x}\n", mHeader.dir_hash_bucket.offset.unwrap());
+	fmt::print("DirHashBucket size:     0x{:08x}\n", mHeader.dir_hash_bucket.size.unwrap());
+	fmt::print("DirEntryTable offset:   0x{:08x}\n", mHeader.dir_entry.offset.unwrap());
+	fmt::print("DirEntryTable size:     0x{:08x}\n", mHeader.dir_entry.size.unwrap());
+	fmt::print("FileHashBucket offset:  0x{:08x}\n", mHeader.file_hash_bucket.offset.unwrap());
+	fmt::print("FileHashBucket size:    0x{:08x}\n", mHeader.file_hash_bucket.size.unwrap());
+	fmt::print("FileEntryTable offset:  0x{:08x}\n", mHeader.file_entry.offset.unwrap());
+	fmt::print("FileEntryTable size:    0x{:08x}\n", mHeader.file_entry.size.unwrap());
+	fmt::print("Data offset:            0x{:08x}\n", mHeader.data_offset.unwrap());
+}
+
+void ctrtool::RomFsProcess::processCrr()
+{
+	CrrProcess crr_proc;
+
+	crr_proc.setInputStream(mStaticCrr);
+	crr_proc.setKeyBag(mKeyBag);
+	crr_proc.setCliOutputMode(mShowHeaderInfo);
+	crr_proc.setVerboseMode(mVerbose);
+	crr_proc.setVerifyMode(mVerify);
+
+	crr_proc.process();
+}
+
+void ctrtool::RomFsProcess::printFs()
+{
+	fmt::print("[RomFs Filesystem]\n");
+	visitDir(tc::io::Path("/"),tc::io::Path("/"), false, true);
+}
+
+void ctrtool::RomFsProcess::extractFs()
+{
+	visitDir(tc::io::Path("/"), mExtractPath.get(), true, false);
+}
+
+void ctrtool::RomFsProcess::visitDir(const tc::io::Path& v_path, const tc::io::Path& l_path, bool extract_fs, bool print_fs)
+{
+	tc::io::LocalFileSystem local_fs;
+
+	// get listing for directory
+	tc::io::sDirectoryListing info;
+	mFsReader->getDirectoryListing(v_path, info);
+
+	if (print_fs)
+	{
+		for (size_t i = 0; i < v_path.size(); i++)
+			fmt::print(" ");
+
+		fmt::print("{}/\n", (v_path.size() == 1) ? "RomFs:" : v_path.back());
+	}
+	if (extract_fs)
+	{
+		// create local dir
+		local_fs.createDirectory(l_path);
+	}
+
+	// iterate thru child files
+	tc::ByteData cache = tc::ByteData(0x10000);
+	size_t cache_read_len;
+	tc::io::Path out_path;
+	std::shared_ptr<tc::io::IStream> in_stream;
+	std::shared_ptr<tc::io::IStream> out_stream;
+	for (auto itr = info.file_list.begin(); itr != info.file_list.end(); itr++)
+	{
+		if (print_fs)
+		{
+			for (size_t i = 0; i < v_path.size(); i++)
+				fmt::print(" ");
+
+			fmt::print(" {}\n", *itr);
+		}
+		if (extract_fs)
+		{
+			// build out path
+			out_path = l_path + *itr;
+
+			fmt::print("Saving {}...\n", out_path.to_string());
+
+			// begin export
+			mFsReader->openFile(v_path + *itr, tc::io::FileMode::Open, tc::io::FileAccess::Read, in_stream);
+			local_fs.openFile(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
+
+			in_stream->seek(0, tc::io::SeekOrigin::Begin);
+			out_stream->seek(0, tc::io::SeekOrigin::Begin);
+			for (int64_t remaining_data = in_stream->length(); remaining_data > 0;)
+			{
+				cache_read_len = in_stream->read(cache.data(), cache.size());
+				if (cache_read_len == 0)
+				{
+					throw tc::io::IOException(mModuleLabel, "Failed to read from RomFs file.");
+				}
+
+				out_stream->write(cache.data(), cache_read_len);
+
+				remaining_data -= int64_t(cache_read_len);
+			}
+		}
+	}
+
+	// iterate thru child dirs
+	for (auto itr = info.dir_list.begin(); itr != info.dir_list.end(); itr++)
+	{
+		visitDir(v_path + *itr, l_path + *itr, extract_fs, print_fs);
+	}
+}
\ No newline at end of file
diff --git a/ctrtool/src/RomFsProcess.h b/ctrtool/src/RomFsProcess.h
new file mode 100644
index 00000000..ab0d8582
--- /dev/null
+++ b/ctrtool/src/RomFsProcess.h
@@ -0,0 +1,48 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include <tc/Optional.h>
+#include <tc/io/IFileSystem.h>
+#include <ntd/n3ds/romfs.h>
+
+namespace ctrtool {
+
+class RomFsProcess
+{
+public:
+	RomFsProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_header_info, bool show_fs);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	void setExtractPath(const tc::io::Path& extract_path);
+
+
+	void process();
+private:
+	std::string mModuleLabel;
+
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowHeaderInfo;
+	bool mShowFs;
+	bool mVerbose;
+	bool mVerify;
+	tc::Optional<tc::io::Path> mExtractPath;
+
+	ntd::n3ds::RomFsHeader mHeader;
+	std::shared_ptr<tc::io::IFileSystem> mFsReader;
+	std::shared_ptr<tc::io::IStream> mStaticCrr;
+
+	void processHeader();
+	void printHeader();
+	void processCrr();
+	void printFs();
+	void extractFs();
+
+	void visitDir(const tc::io::Path& v_path, const tc::io::Path& l_path, bool extract_fs, bool print_fs);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/Settings.cpp b/ctrtool/src/Settings.cpp
new file mode 100644
index 00000000..641ede54
--- /dev/null
+++ b/ctrtool/src/Settings.cpp
@@ -0,0 +1,704 @@
+#include <tc/cli.h>
+#include <tc/ArgumentException.h>
+#include <tc/io/StreamSource.h>
+#include "types.h"
+#include "version.h"
+#include "Settings.h"
+
+#include <ntd/n3ds/cci.h>
+#include <ntd/n3ds/cia.h>
+#include <ntd/n3ds/cro.h>
+#include <ntd/n3ds/crr.h>
+#include <ntd/n3ds/exefs.h>
+#include <ntd/n3ds/firm.h>
+#include <ntd/n3ds/ivfc.h>
+#include <ntd/n3ds/ncch.h>
+#include <ntd/n3ds/romfs.h>
+#include <ntd/n3ds/smdh.h>
+#include <brd/es/es_cert.h>
+#include <brd/es/es_ticket.h>
+#include <brd/es/es_tmd.h>
+
+class UnkOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	UnkOptionHandler(const std::string& module_label) : mModuleLabel(module_label)
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		throw tc::InvalidOperationException("getOptionStrings() not defined for UnkOptionHandler.");
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		throw tc::InvalidOperationException("getOptionRegexPatterns() not defined for UnkOptionHandler.");
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		throw tc::Exception(mModuleLabel, "Unrecognized option: \"" + option + "\"");
+	}
+private:
+	std::string mModuleLabel;
+};
+
+class DeprecatedOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	DeprecatedOptionHandler(const std::string& warn_message, const std::vector<std::string>& opts) : 
+		mWarnMessage(warn_message),
+		mOptStrings(opts),
+		mOptRegexPatterns()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegexPatterns;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		fmt::print("[WARNING] Option \"{}\" is deprecated.{}{}\n", option, (mWarnMessage.empty() ? "" : " "), mWarnMessage);
+	}
+private:
+	std::string mWarnMessage;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegexPatterns;
+};
+
+class FlagOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	FlagOptionHandler(bool& flag, const std::vector<std::string>& opts) : 
+		mFlag(flag),
+		mOptStrings(opts),
+		mOptRegexPatterns()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegexPatterns;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		if (params.size() != 0)
+		{
+			throw tc::ArgumentOutOfRangeException(fmt::format("Option \"{:s}\" is a flag, that takes no parameters.", option));
+		}
+
+		mFlag = true;
+	}
+private:
+	bool& mFlag;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegexPatterns;
+};
+
+class SingleParamStringOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	SingleParamStringOptionHandler(tc::Optional<std::string>& param, const std::vector<std::string>& opts) : 
+		mParam(param),
+		mOptStrings(opts),
+		mOptRegexPatterns()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegexPatterns;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		if (params.size() != 1)
+		{
+			throw tc::ArgumentOutOfRangeException(fmt::format("Option \"{:s}\" requires a parameter.", option));
+		}
+
+		mParam = params[0];
+	}
+private:
+	tc::Optional<std::string>& mParam;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegexPatterns;
+};
+
+class SingleParamPathOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	SingleParamPathOptionHandler(tc::Optional<tc::io::Path>& param, const std::vector<std::string>& opts) : 
+		mParam(param),
+		mOptStrings(opts),
+		mOptRegexPatterns()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegexPatterns;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		if (params.size() != 1)
+		{
+			throw tc::ArgumentOutOfRangeException(fmt::format("Option \"{:s}\" requires a parameter.", option));
+		}
+
+		mParam = params[0];
+	}
+private:
+	tc::Optional<tc::io::Path>& mParam;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegexPatterns;
+};
+
+
+class SingleParamSizetOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	SingleParamSizetOptionHandler(size_t& param, const std::vector<std::string>& opts) : 
+		mParam(param),
+		mOptStrings(opts),
+		mOptRegexPatterns()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegexPatterns;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		if (params.size() != 1)
+		{
+			throw tc::ArgumentOutOfRangeException(fmt::format("Option \"{:s}\" requires a parameter.", option));
+		}
+
+		mParam = strtoul(params[0].c_str(), nullptr, 0);
+	}
+private:
+	size_t& mParam;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegexPatterns;
+};
+
+class FirmTypeOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	FirmTypeOptionHandler(ctrtool::FirmProcess::FirmwareType& param, const std::vector<std::string>& opts) : 
+		mParam(param),
+		mOptStrings(opts),
+		mOptRegexPatterns()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegexPatterns;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		if (params.size() != 1)
+		{
+			throw tc::ArgumentOutOfRangeException(fmt::format("Option \"{:s}\" requires a parameter.", option));
+		}
+
+		if (params[0] == "nand" \
+		 || params[0] == "normal")
+		{
+			mParam = ctrtool::FirmProcess::FirmwareType_Nand;
+		}
+		else if (params[0] == "ngc" \
+		      || params[0] == "ntr" \
+		      || params[0] == "ntrboot")
+		{
+			mParam = ctrtool::FirmProcess::FirmwareType_Ngc;
+		}
+		else if (params[0] == "nor")
+		{
+			mParam = ctrtool::FirmProcess::FirmwareType_Nor;
+		}
+		else if (params[0] == "sdmc")
+		{
+			mParam = ctrtool::FirmProcess::FirmwareType_Sdmc;
+		}
+		else
+		{
+			throw tc::ArgumentException(fmt::format("Firmware type \"{}\" unrecognised.", params[0]));
+		}
+	}
+private:
+	ctrtool::FirmProcess::FirmwareType& mParam;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegexPatterns;
+};
+
+class FileTypeOptionHandler : public tc::cli::OptionParser::IOptionHandler
+{
+public:
+	FileTypeOptionHandler(ctrtool::Settings::FileType& param, const std::vector<std::string>& opts) : 
+		mParam(param),
+		mOptStrings(opts),
+		mOptRegexPatterns()
+	{}
+
+	const std::vector<std::string>& getOptionStrings() const
+	{
+		return mOptStrings;
+	}
+
+	const std::vector<std::string>& getOptionRegexPatterns() const
+	{
+		return mOptRegexPatterns;
+	}
+
+	void processOption(const std::string& option, const std::vector<std::string>& params)
+	{
+		if (params.size() != 1)
+		{
+			throw tc::ArgumentOutOfRangeException(fmt::format("Option \"{:s}\" requires a parameter.", option));
+		}
+
+		if (params[0] == "ncsd" \
+		 || params[0] == "cci" \
+		 || params[0] == "csu" \
+		 || params[0] == "3ds" \
+		 || params[0] == "3dx")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_NCSD;
+		}
+		else if (params[0] == "cia")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_CIA;
+		}
+		else if (params[0] == "ncch" \
+		 || params[0] == "cxi" \
+		 || params[0] == "cfa")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_NCCH;
+		}
+		else if (params[0] == "exheader")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_EXHEADER;
+		}
+		else if (params[0] == "exefs")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_EXEFS;
+		}
+		else if (params[0] == "romfs")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_ROMFS;
+		}
+		else if (params[0] == "firm")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_FIRM;
+		}
+		else if (params[0] == "cert")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_CERT;
+		}
+		else if (params[0] == "tik")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_TIK;
+		}
+		else if (params[0] == "tmd")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_TMD;
+		}
+		else if (params[0] == "lzss")
+		{
+			mParam = ctrtool::Settings::FILE_TYPE_LZSS;
+		}
+		else
+		{
+			throw tc::ArgumentException(fmt::format("File type \"{}\" unrecognised.", params[0]));
+		}
+	}
+private:
+	ctrtool::Settings::FileType& mParam;
+	std::vector<std::string> mOptStrings;
+	std::vector<std::string> mOptRegexPatterns;
+};
+
+ctrtool::SettingsInitializer::SettingsInitializer(const std::vector<std::string>& args) :
+	Settings(),
+	mModuleLabel("ctrtool::SettingsInitializer"),
+	mFallBackTitleKey(),
+	mFallBackSeed(),
+	mSeedDbPath()
+{
+	// parse input arguments
+	parse_args(args);
+	if (infile.path.isNull())
+		throw tc::ArgumentException(mModuleLabel, "No input file was specified.");
+
+	opt.keybag = KeyBagInitializer(opt.is_dev, mFallBackTitleKey, mSeedDbPath, mFallBackSeed);
+
+	// determine filetype if not manually specified
+	if (infile.filetype == FILE_TYPE_ERROR)
+	{
+		determine_filetype();
+		if (infile.filetype == FILE_TYPE_ERROR)
+		{
+			throw tc::ArgumentException(mModuleLabel, "Input file type was undetermined.");
+		}
+	}
+}
+
+void ctrtool::SettingsInitializer::parse_args(const std::vector<std::string>& args)
+{
+	// check for minimum arguments
+	if (args.size() < 2)
+	{
+		usage_text();
+		throw tc::ArgumentException(mModuleLabel, "Not enough arguments.");
+	}
+	
+	// detect request for help
+	for (auto itr = ++(args.begin()); itr != args.end(); itr++)
+	{
+		if (*itr == "-h" || *itr == "--help" || *itr == "-help")
+		{
+			usage_text();
+			throw tc::ArgumentException(mModuleLabel, "Help required.");
+		}
+	}
+
+	// save input file
+	infile.path = tc::io::Path(args.back());
+
+
+	// test new option parser
+	tc::cli::OptionParser opts;
+
+	// register unk option handler
+	opts.registerUnrecognisedOptionHandler(std::shared_ptr<UnkOptionHandler>(new UnkOptionHandler(mModuleLabel)));
+
+	// register handler for deprecated options DeprecatedOptionHandler
+	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("Generic AES/RSA keys are initialised internally.", {"-k", "--keyset"})));
+	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("", {"--unitsize"})));
+	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("All common keys are initialised internally.", {"--commonkey"})));
+	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("All secure NCCH keys are initialised internally.", {"--ncchkey"})));
+	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("The NCCH system key is initialised internally.", {"--ncchsyskey"})));
+
+
+	// get option flags
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.plain, {"-p", "--plain"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.raw, {"-r", "--raw"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.verbose, {"-v", "--verbose"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.verify, {"-y", "--verify"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.is_dev, {"-d", "--dev"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.show_keys, {"--showkeys"})));
+
+	// get user-provided keydata
+	opts.registerOptionHandler(std::shared_ptr<SingleParamStringOptionHandler>(new SingleParamStringOptionHandler(mFallBackTitleKey, {"--titlekey"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(mSeedDbPath, {"--seeddb"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamStringOptionHandler>(new SingleParamStringOptionHandler(mFallBackSeed, {"--seed"})));
+
+	// lzss options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(lzss.extract_path, {"--lzssout"})));
+
+
+	// rom options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamSizetOptionHandler>(new SingleParamSizetOptionHandler(rom.content_process_index, {"-n", "--ncch", "--cidx"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(rom.content_extract_path, {"--contents"})));
+
+
+	// ncch options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(ncch.exheader_path, {"--exheader"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(ncch.logo_path, {"--logo"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(ncch.plainregion_path, {"--plainrgn", "--plainregion"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(ncch.exefs_path, {"--exefs"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(ncch.romfs_path, {"--romfs"})));
+
+
+	// exheader options
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(exheader.show_syscalls_as_names, {"--showsyscalls"})));
+
+
+	// exefs options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(exefs.extract_path, {"--exefsdir"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(exefs.decompress_code_partition, {"--decompresscode"})));
+	//opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(exefs.list_fs, {"--listexefs"})));
+	exefs.list_fs = false;
+
+	// romfs options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(romfs.extract_path, {"--romfsdir"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(romfs.list_fs, {"--listromfs"})));
+
+
+	// cia specific options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(cia.certs_path, {"--certs"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(cia.tik_path, {"--tik"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(cia.tmd_path, {"--tmd"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(cia.meta_path, {"--meta"})));
+
+	// firm options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(firm.extract_path, {"--firmdir"})));
+	opts.registerOptionHandler(std::shared_ptr<FirmTypeOptionHandler>(new FirmTypeOptionHandler(firm.firm_type, {"--firmtype"})));
+
+	// wav options
+	opts.registerOptionHandler(std::shared_ptr<SingleParamPathOptionHandler>(new SingleParamPathOptionHandler(cwav.extract_path, {"--wav"})));
+	opts.registerOptionHandler(std::shared_ptr<SingleParamSizetOptionHandler>(new SingleParamSizetOptionHandler(cwav.wav_loops, {"--wavloops"})));
+	
+	// process input file type
+	opts.registerOptionHandler(std::shared_ptr<FileTypeOptionHandler>(new FileTypeOptionHandler(infile.filetype, {"-t", "--intype"})));
+
+	opts.processOptions(args, 1, args.size() - 2);
+}
+
+void ctrtool::SettingsInitializer::determine_filetype()
+{
+	auto file = tc::io::StreamSource(std::make_shared<tc::io::FileStream>(tc::io::FileStream(infile.path.get(), tc::io::FileMode::Open, tc::io::FileAccess::Read)));
+
+	auto raw_data = file.pullData(0, 0x1000);
+
+#define _TYPE_PTR(st) ((st*)(raw_data.data()))
+#define _ASSERT_FILE_SIZE(sz) (file.length() >= (sz))
+
+	// do tests
+	if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::CciHeader)) 
+	 && _TYPE_PTR(ntd::n3ds::CciHeader)->ncsd_header.struct_magic.unwrap() == ntd::n3ds::NcsdCommonHeader::kStructMagic)
+	{
+		infile.filetype = FILE_TYPE_NCSD;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::CiaHeader))
+	      && _TYPE_PTR(ntd::n3ds::CiaHeader)->header_size.unwrap() == sizeof(ntd::n3ds::CiaHeader))
+	{
+		infile.filetype = FILE_TYPE_CIA;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::CrrHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::CrrHeader)->struct_magic.unwrap() == ntd::n3ds::CrrHeader::kStructMagic)
+	{
+		infile.filetype = FILE_TYPE_CRR;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::CroHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::CroHeader)->struct_magic.unwrap() == ntd::n3ds::CroHeader::kStructMagic)
+	{
+		infile.filetype = FILE_TYPE_CRO;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::ExeFsHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::ExeFsHeader)->file_table[0].offset.unwrap() == 0 
+	      && _TYPE_PTR(ntd::n3ds::ExeFsHeader)->file_table[0].size.unwrap() != 0 
+	      && _TYPE_PTR(ntd::n3ds::ExeFsHeader)->file_table[0].name[0] == '.')
+	{
+		infile.filetype = FILE_TYPE_EXEFS;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::FirmwareHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::FirmwareHeader)->struct_magic.unwrap() == ntd::n3ds::FirmwareHeader::kStructMagic)
+	{
+		infile.filetype = FILE_TYPE_FIRM;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::IvfcHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::IvfcHeader)->struct_magic.unwrap() == ntd::n3ds::IvfcHeader::kStructMagic)
+	{
+		infile.filetype = FILE_TYPE_IVFC;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::NcchHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::NcchHeader)->header.struct_magic.unwrap() == ntd::n3ds::NcchCommonHeader::kStructMagic)
+	{
+		infile.filetype = FILE_TYPE_NCCH;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::RomFsHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::RomFsHeader)->header_size.unwrap() == sizeof(ntd::n3ds::RomFsHeader))
+	{
+		infile.filetype = FILE_TYPE_ROMFS;
+	}
+	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::SystemMenuDataHeader)) 
+	      && _TYPE_PTR(ntd::n3ds::SystemMenuDataHeader)->struct_magic.unwrap() == sizeof(ntd::n3ds::SystemMenuDataHeader::kStructMagic))
+	{
+		infile.filetype = FILE_TYPE_SMDH;
+	}
+
+	// CTR CA cert
+	else if (_ASSERT_FILE_SIZE(sizeof(brd::es::ESCACert)) 
+	      && _TYPE_PTR(brd::es::ESCACert)->sig.sigType.unwrap() == brd::es::ESSigType::RSA4096_SHA256
+	      && _TYPE_PTR(brd::es::ESCACert)->sig.issuer.decode() == "Root"
+	      && _TYPE_PTR(brd::es::ESCACert)->head.pubKeyType.unwrap() == brd::es::ESCertPubKeyType::RSA2048
+	      && _TYPE_PTR(brd::es::ESCACert)->head.name.serverId.decode().substr(0, 2) == "CA")
+	{
+		infile.filetype = FILE_TYPE_CERT;
+	}
+
+	// CTR CA-signed cert
+	else if (_ASSERT_FILE_SIZE(sizeof(brd::es::ESCASignedCert)) 
+	      && _TYPE_PTR(brd::es::ESCASignedCert)->sig.sigType.unwrap() == brd::es::ESSigType::RSA2048_SHA256
+	      && _TYPE_PTR(brd::es::ESCASignedCert)->sig.issuer.decode().substr(0, 5) == "Root-CA"
+	      && _TYPE_PTR(brd::es::ESCASignedCert)->head.pubKeyType.unwrap() == brd::es::ESCertPubKeyType::RSA2048)
+	{
+		infile.filetype = FILE_TYPE_CERT;
+	}
+
+	// detect ticket
+	else if (_ASSERT_FILE_SIZE(sizeof(brd::es::ESV1Ticket)) 
+	      && _TYPE_PTR(brd::es::ESV1Ticket)->head.sig.sigType.unwrap() == brd::es::ESSigType::RSA2048_SHA256
+	      && _TYPE_PTR(brd::es::ESV1Ticket)->head.sig.issuer.decode().substr(0, 5) == "Root-"
+	      && _TYPE_PTR(brd::es::ESV1Ticket)->head.sig.issuer.decode().substr(16, 2) == "XS")
+	{
+		infile.filetype = FILE_TYPE_TIK;
+	}
+	// detect tmd
+	else if (_ASSERT_FILE_SIZE(sizeof(brd::es::ESV1TitleMeta)) 
+	      && _TYPE_PTR(brd::es::ESV1TitleMeta)->sig.sigType.unwrap() == brd::es::ESSigType::RSA2048_SHA256
+	      && _TYPE_PTR(brd::es::ESV1TitleMeta)->sig.issuer.decode().substr(0, 5) == "Root-"
+	      && _TYPE_PTR(brd::es::ESV1TitleMeta)->sig.issuer.decode().substr(16, 2) == "CP")
+	{
+		infile.filetype = FILE_TYPE_TMD;
+	}
+
+#undef _TYPE_PTR
+#undef _ASSERT_FILE_SIZE
+}
+
+void ctrtool::SettingsInitializer::usage_text()
+{
+	fmt::print(stderr, "{:s} v{:d}.{:d}.{:d} (C) {:s}\n", APP_NAME, VER_MAJOR, VER_MINOR, VER_PATCH, AUTHORS);
+	fmt::print(stderr, "Built: {:s} {:s}\n\n", __TIME__, __DATE__);
+
+	fmt::print(stderr, "Usage: {:s} [options... ] <file>\n", BIN_NAME);
+
+	fmt::print(stderr,
+		"Options:\n"
+		"  -i, --info         Show file info.\n"
+		"                          This is the default action.\n"
+		"  -x, --extract      Extract data from file.\n"
+		"                          This is also the default action.\n"
+		"  -p, --plain        Extract data without decrypting.\n"
+		"  -r, --raw          Keep raw data, don't unpack.\n"
+		//"  -k, --keyset=file  Specify keyset file.\n"
+		"  -v, --verbose      Give verbose output.\n"
+		"  -y, --verify       Verify hashes and signatures.\n"
+		"  -d, --dev          Decrypt with development keys instead of retail.\n"
+		//"  --unitsize=size    Set media unit size (default 0x200).\n"
+		//"  --commonkey=key    Set common key.\n"
+		"  --titlekey=key     Set tik title key.\n"
+		//"  --ncchkey=key      Set ncch key.\n"
+		//"  --ncchsyskey=key   Set ncch fixed system key.\n"
+		"  --seeddb=file      Set seeddb for ncch seed crypto.\n"
+		"  --seed=key         Set specific seed for ncch seed crypto.\n"
+		"  --showkeys         Show the keys being used.\n"
+		"  --showsyscalls     Show system call names instead of numbers.\n"
+		"  -t, --intype=type  Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
+		"                        firm, cwav, exefs, romfs]\n"
+		"LZSS options:\n"
+		"  --lzssout=file	  Specify lzss output file\n"
+		"CXI/CCI options:\n"
+		"  -n, --ncch=index   Specify NCCH partition index.\n"
+		"  --exheader=file    Specify Extended Header file path.\n"
+		"  --logo=file        Specify Logo file path.\n"
+		"  --plainrgn=file    Specify Plain region file path\n"
+		"  --exefs=file       Specify ExeFS file path.\n"
+		"  --exefsdir=dir     Specify ExeFS directory path.\n"
+		"  --romfs=file       Specify RomFS file path.\n"
+		"  --romfsdir=dir     Specify RomFS directory path.\n"
+		"  --listromfs        List files in RomFS.\n" 
+		"CIA options:\n"
+		"  --certs=file       Specify Certificate chain file path.\n"
+		"  --tik=file         Specify Ticket file path.\n"
+		"  --tmd=file         Specify TMD file path.\n"
+		"  --contents=file    Specify Contents file path.\n"
+		"  --meta=file        Specify Meta file path.\n"
+		"FIRM options:\n"
+		"  --firmdir=dir      Specify Firm directory path.\n"
+		"  --firmtype=type    Specify Firm location type, this determines encryption/signing.\n"
+		"                       - nand: (default) FIRM images installed to internal NAND,\n"
+	    "                       - ngc: FIRM images loaded from NTR game card at boot,\n"
+		"                       - nor: FIRM images loaded from WiFi board NOR at boot,\n"
+		"                       - sdmc: FIRM images installed from SD card by FIRM installers (internal dev tool).\n"
+		"CWAV options:\n"
+		"  --wav=file         Specify wav output file.\n"
+		"  --wavloops=count   Specify wav loop count, default 0.\n"
+		"EXEFS options:\n"
+		"  --decompresscode   Decompress .code section\n"
+		"                     (only needed when using raw EXEFS file)\n");
+/*
+	std::cerr << 
+		"Options:\n"
+		"  -i, --info         Show file info.\n"
+		"                          This is the default action.\n"
+		"  -x, --extract      Extract data from file.\n"
+		"                          This is also the default action.\n"
+		"  -p, --plain        Extract data without decrypting.\n"
+		"  -r, --raw          Keep raw data, don't unpack.\n"
+		//"  -k, --keyset=file  Specify keyset file.\n"
+		"  -v, --verbose      Give verbose output.\n"
+		"  -y, --verify       Verify hashes and signatures.\n"
+		"  -d, --dev          Decrypt with development keys instead of retail.\n"
+		//"  --unitsize=size    Set media unit size (default 0x200).\n"
+		//"  --commonkey=key    Set common key.\n"
+		"  --titlekey=key     Set tik title key.\n"
+		//"  --ncchkey=key      Set ncch key.\n"
+		//"  --ncchsyskey=key   Set ncch fixed system key.\n"
+		"  --seeddb=file      Set seeddb for ncch seed crypto.\n"
+		"  --seed=key         Set specific seed for ncch seed crypto.\n"
+		"  --showkeys         Show the keys being used.\n"
+		"  --showsyscalls     Show system call names instead of numbers.\n"
+		"  -t, --intype=type  Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
+		"                        firm, cwav, exefs, romfs]\n"
+		"LZSS options:\n"
+		"  --lzssout=file	  Specify lzss output file\n"
+		"CCI/CIA options:\n"
+		"  -n, --ncch=index   Specify NCCH partition index.\n"
+		"  --contents=dir     Specify Contents directory path.\n"
+		"CCI options:\n"
+		"  --initdata=file    Specify Initial Data file path.\n"
+		"CIA options:\n"
+		"  --certs=file       Specify Certificate chain file path.\n"
+		"  --tik=file         Specify Ticket file path.\n"
+		"  --tmd=file         Specify TMD file path.\n"
+		"  --footer=file      Specify Footer file path.\n"
+		"NCCH options:\n"
+		"  --exheader=file    Specify Extended Header file path.\n"
+		"  --logo=file        Specify Logo file path.\n"
+		"  --plainrgn=file    Specify Plain region file path\n"
+		"  --exefs=file       Specify ExeFS file path.\n"
+		"  --romfs=file       Specify RomFS file path.\n"
+		"EXEFS options:\n"
+		"  --exefsdir=dir     Specify ExeFS directory path.\n"
+		"  --listexefs        List files in ExeFS.\n" 
+		"  --decompresscode   Decompress .code section\n"
+		"                     (only needed when using raw ExeFS file)\n"
+		"ROMFS options:\n"
+		"  --romfsdir=dir     Specify RomFS directory path.\n"
+		"  --listromfs        List files in RomFS.\n" 
+		"FIRM options:\n"
+		"  --firmdir=dir      Specify Firm directory path.\n"
+		"CWAV options:\n"
+		"  --wav=file         Specify wav output file.\n"
+		"  --wavloops=count   Specify wav loop count, default 0.\n"
+		
+		<< std::flush;
+*/
+}
\ No newline at end of file
diff --git a/ctrtool/src/Settings.h b/ctrtool/src/Settings.h
new file mode 100644
index 00000000..4c56aa93
--- /dev/null
+++ b/ctrtool/src/Settings.h
@@ -0,0 +1,175 @@
+#pragma once
+#include <string>
+#include <vector>
+#include <tc/Optional.h>
+#include <tc/io.h>
+
+#include "FirmProcess.h"
+#include "KeyBag.h"
+
+namespace ctrtool {
+
+struct Settings
+{
+	enum FileType
+	{
+		FILE_TYPE_ERROR,
+		FILE_TYPE_NCSD,
+		FILE_TYPE_CIA,
+		FILE_TYPE_NCCH,
+		FILE_TYPE_EXHEADER,
+		FILE_TYPE_EXEFS,
+		FILE_TYPE_ROMFS,
+		FILE_TYPE_FIRM,
+		FILE_TYPE_CERT,
+		FILE_TYPE_TIK,
+		FILE_TYPE_TMD,
+		FILE_TYPE_LZSS,
+		FILE_TYPE_CRR,
+		FILE_TYPE_CRO,
+		FILE_TYPE_IVFC,
+		FILE_TYPE_SMDH
+	};
+
+	struct InputFileOptions
+	{
+		FileType filetype;
+		tc::Optional<tc::io::Path> path;
+	} infile;
+
+	struct Options
+	{
+		bool plain;
+		bool raw;
+		bool verbose;
+		bool verify;
+		bool show_keys;
+		bool is_dev;
+		KeyBag keybag;
+	} opt;
+
+	// LZSS options
+	struct LzssOptions
+	{
+		tc::Optional<tc::io::Path> extract_path;
+	} lzss;
+
+	// NCCH options
+	struct NcchOptions
+	{
+		tc::Optional<tc::io::Path> exheader_path;
+		tc::Optional<tc::io::Path> logo_path;
+		tc::Optional<tc::io::Path> plainregion_path;
+		tc::Optional<tc::io::Path> exefs_path;
+		tc::Optional<tc::io::Path> romfs_path;
+	} ncch;
+
+	// ExHeader options
+	struct ExheaderOptions
+	{
+		bool show_syscalls_as_names;
+	} exheader;
+
+	// ExeFs options
+	struct ExefsOptions
+	{
+		tc::Optional<tc::io::Path> extract_path;
+		bool list_fs;
+		bool decompress_code_partition;
+	} exefs;
+
+	// RomFs options
+	struct RomfsOptions
+	{
+		tc::Optional<tc::io::Path> extract_path;
+		bool list_fs;
+	} romfs;
+
+	// CCI/CIA options
+	struct RomOptions
+	{
+		size_t content_process_index;
+		tc::Optional<tc::io::Path> content_extract_path;
+	} rom;
+
+	// CIA options
+	struct CiaOptions
+	{
+		tc::Optional<tc::io::Path> certs_path;
+		tc::Optional<tc::io::Path> tik_path;
+		tc::Optional<tc::io::Path> tmd_path;
+		tc::Optional<tc::io::Path> meta_path;
+	} cia;
+	
+	// FIRM options
+	struct FirmOptions
+	{
+		tc::Optional<tc::io::Path> extract_path;
+		FirmProcess::FirmwareType firm_type;
+	} firm;
+
+	// CWAV options
+	struct CwavOptions
+	{
+		tc::Optional<tc::io::Path> extract_path;
+		size_t wav_loops;
+	} cwav;
+	
+
+	Settings()
+	{
+		infile.filetype = FILE_TYPE_ERROR;
+		infile.path = tc::Optional<tc::io::Path>();
+
+		opt.plain = false;
+		opt.raw = false;
+		opt.verbose = false;
+		opt.verify = false;
+		opt.show_keys = false;
+		opt.is_dev = false;
+		opt.keybag = KeyBag();
+
+		exheader.show_syscalls_as_names = false;
+
+		exefs.extract_path = tc::Optional<tc::io::Path>();
+		exefs.list_fs = false;
+		exefs.decompress_code_partition = false;
+
+		romfs.extract_path = tc::Optional<tc::io::Path>();
+		romfs.list_fs = false;
+
+		rom.content_process_index = 0;
+		rom.content_extract_path = tc::Optional<tc::io::Path>();
+
+		cia.certs_path = tc::Optional<tc::io::Path>();
+		cia.tik_path = tc::Optional<tc::io::Path>();
+		cia.tmd_path = tc::Optional<tc::io::Path>();
+		cia.meta_path = tc::Optional<tc::io::Path>();
+
+		firm.extract_path = tc::Optional<tc::io::Path>();
+		firm.firm_type = FirmProcess::FirmwareType_Nand;
+
+		cwav.extract_path = tc::Optional<tc::io::Path>();
+		cwav.wav_loops = 0;
+	}
+};
+
+class SettingsInitializer : public Settings
+{
+public:
+	SettingsInitializer(const std::vector<std::string>& args);
+private:
+	void parse_args(const std::vector<std::string>& args);
+	void register_option_handlers();
+	void determine_filetype();
+	void usage_text();
+
+	std::string mModuleLabel;
+
+	bool mShowKeys;
+	tc::Optional<std::string> mFallBackTitleKey;
+	tc::Optional<std::string> mFallBackSeed;
+	tc::Optional<tc::io::Path> mSeedDbPath;
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/cwav.h b/ctrtool/src/cwav.h
new file mode 100644
index 00000000..4b1bc7f1
--- /dev/null
+++ b/ctrtool/src/cwav.h
@@ -0,0 +1,152 @@
+#pragma once
+
+#include "types.h"
+
+enum CWAV_ENCODING
+{
+	CWAV_ENCODING_PCM8			= 0,
+	CWAV_ENCODING_PCM16			= 1,
+	CWAV_ENCODING_DSPADPCM		= 2,
+	CWAV_ENCODING_IMAADPCM		= 3,
+};
+
+enum CWAV_REFTYPE
+{
+	CWAV_REFTYPE_DSP_ADPCM_INFO = 0x0300,
+	CWAV_REFTYPE_IMA_ADPCM_INFO = 0x0301,
+	CWAV_REFTYPE_SAMPLE_DATA    = 0x1F00,
+	CWAV_REFTYPE_INFO_BLOCK     = 0x7000,
+	CWAV_REFTYPE_DATA_BLOCK     = 0x7001,
+	CWAV_REFTYPE_CHANNEL_INFO  = 0x7100,
+};
+
+struct cwav_reference
+{
+	// 0x00
+	tc::bn::le16<uint16_t> idtype; // See CWAV_REFTYPE
+	// 0x02
+	tc::bn::pad<2> padding;
+	// 0x04
+	tc::bn::le32<uint32_t> offset;
+	// 0x08
+};
+
+struct cwav_sizedreference
+{
+	// 0x00
+	tc::bn::le16<uint16_t> idtype; // See CWAV_REFTYPE
+	// 0x02
+	tc::bn::pad<2> padding;
+	// 0x04
+	tc::bn::le32<uint32_t> offset;
+	// 0x08
+	tc::bn::le32<uint32_t> size;
+	// 0x0C
+};
+
+struct cwav_header
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("CWAV");
+
+	// 0x00
+	tc::bn::le32<uint32_t> magic;
+	// 0x04
+	tc::bn::le16<uint16_t> byteordermark; // byte_t[2]{0xFF,0xFE} == little endian, byte_t[2]{0xFE,0xFF} == big endian
+	// 0x06
+	tc::bn::le16<uint16_t> headersize;
+	// 0x08
+	tc::bn::le32<uint32_t> version;
+	// 0x0C
+	tc::bn::le32<uint32_t> totalsize;
+	// 0x10
+	tc::bn::le16<uint16_t> datablocks;
+	// 0x12
+	tc::bn::pad<2> reserved;
+	// 0x14
+	cwav_sizedreference infoblockref;
+	// 0x20
+	cwav_sizedreference datablockref;
+	// 0x2C
+};
+
+struct cwav_infoheader
+{
+	static const uint32_t kStructMagic = tc::bn::make_struct_magic_uint32("INFO");
+
+	// 0x00
+	tc::bn::le32<uint32_t> magic;
+	// 0x04
+	tc::bn::le32<uint32_t> size;
+	// 0x08
+	byte_t encoding; // See CWAV_ENCODING
+	// 0x09
+	byte_t looped; // 0 = no loop, 1 = loop
+	// 0x0A
+	tc::bn::pad<2> padding;
+	// 0x0C
+	tc::bn::le32<uint32_t> samplerate;
+	// 0x10
+	tc::bn::le32<uint32_t> loopstart;
+	// 0x14
+	tc::bn::le32<uint32_t> loopend;
+	// 0x18
+	tc::bn::pad<4>         reserved;
+	// 0x1C
+	//tc::bn::le32<uint32_t> channelcount;
+	// 0x20
+};
+
+struct cwav_referencetable
+{
+	// 0x00
+	tc::bn::le32<uint32_t> ref_count;
+	// 0x04
+	cwav_reference[] ref_entry;
+};
+
+struct cwav_channelinfo
+{
+	// 0x00
+	cwav_reference sampleref;
+	// 0x08
+	cwav_reference codecref;
+	// 0x10
+	tc::bn::pad<4> reserved;
+	// 0x14
+};
+
+struct cwav_dspadpcminfo
+{
+	// 0x00
+	std::array<tc::bn::le16<uint16_t>, 16> coef;
+	// 0x20
+	tc::bn::le16<uint16_t> scale;
+	// 0x22
+	tc::bn::le16<uint16_t> yn1;
+	// 0x24
+	tc::bn::le16<uint16_t> yn2;
+	// 0x26
+	tc::bn::le16<uint16_t> loopscale;
+	// 0x28
+	tc::bn::le16<uint16_t> loopyn1;
+	// 0x2A
+	tc::bn::le16<uint16_t> loopyn2;
+	// 0x2C
+};
+
+struct cwav_imaadpcminfo
+{
+	// 0x00
+	tc::bn::le16<uint16_t> data;
+	// 0x02
+	byte_t tableindex;
+	// 0x03
+	byte_t padding;
+	// 0x04
+	tc::bn::le16<uint16_t> loopdata;
+	// 0x06
+	byte_t looptableindex;
+	// 0x07
+	byte_t looppadding;
+	// 0x08
+};
\ No newline at end of file
diff --git a/ctrtool/src/lzss.c b/ctrtool/src/lzss.c
new file mode 100644
index 00000000..69868c3e
--- /dev/null
+++ b/ctrtool/src/lzss.c
@@ -0,0 +1,107 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "lzss.h"
+
+uint32_t getle32(const uint8_t* p)
+{
+	return (p[0]<<0) | (p[1]<<8) | (p[2]<<16) | (p[3]<<24);
+}
+
+uint32_t lzss_get_decompressed_size(uint8_t* compressed, uint32_t compressedsize)
+{
+	uint8_t* footer = compressed + compressedsize - 8;
+
+	//uint32_t buffertopandbottom = getle32(footer+0);
+	uint32_t originalbottom = getle32(footer+4);
+
+	return originalbottom + compressedsize;
+}
+
+int lzss_decompress(uint8_t* compressed, uint32_t compressedsize, uint8_t* decompressed, uint32_t decompressedsize)
+{
+	uint8_t* footer = compressed + compressedsize - 8;
+	uint32_t buffertopandbottom = getle32(footer+0);
+	//uint32_t originalbottom = getle32(footer+4);
+	uint32_t i, j;
+	uint32_t out = decompressedsize;
+	uint32_t index = compressedsize - ((buffertopandbottom>>24)&0xFF);
+	uint32_t segmentoffset;
+	uint32_t segmentsize;
+	uint8_t control;
+	uint32_t stopindex = compressedsize - (buffertopandbottom&0xFFFFFF);
+
+	memset(decompressed, 0, decompressedsize);
+	memcpy(decompressed, compressed, compressedsize);
+
+	
+	while(index > stopindex)
+	{
+		control = compressed[--index];
+		
+
+		for(i=0; i<8; i++)
+		{
+			if (index <= stopindex)
+				break;
+
+			if (index <= 0)
+				break;
+
+			if (out <= 0)
+				break;
+
+			if (control & 0x80)
+			{
+				if (index < 2)
+				{
+					fprintf(stderr, "Error, compression out of bounds\n");
+					goto clean;
+				}
+
+				index -= 2;
+
+				segmentoffset = compressed[index] | (compressed[index+1]<<8);
+				segmentsize = ((segmentoffset >> 12)&15)+3;
+				segmentoffset &= 0x0FFF;
+				segmentoffset += 2;
+
+				
+				if (out < segmentsize)
+				{
+					fprintf(stderr, "Error, compression out of bounds\n");
+					goto clean;
+				}
+
+				for(j=0; j<segmentsize; j++)
+				{
+					uint8_t data;
+					
+					if (out+segmentoffset >= decompressedsize)
+					{
+						fprintf(stderr, "Error, compression out of bounds\n");
+						goto clean;
+					}
+
+					data  = decompressed[out+segmentoffset];
+					decompressed[--out] = data;
+				}
+			}
+			else
+			{
+				if (out < 1)
+				{
+					fprintf(stderr, "Error, compression out of bounds\n");
+					goto clean;
+				}
+				decompressed[--out] = compressed[--index];
+			}
+
+			control <<= 1;
+		}
+	}
+
+	return 1;
+clean:
+	return 0;
+}
diff --git a/ctrtool/src/lzss.h b/ctrtool/src/lzss.h
new file mode 100644
index 00000000..4e73f18d
--- /dev/null
+++ b/ctrtool/src/lzss.h
@@ -0,0 +1,13 @@
+#pragma once
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+uint32_t lzss_get_decompressed_size(uint8_t* compressed, uint32_t compressedsize);
+int lzss_decompress(uint8_t* compressed, uint32_t compressedsize, uint8_t* decompressed, uint32_t decompressedsize);
+
+#ifdef __cplusplus
+}
+#endif
\ No newline at end of file
diff --git a/ctrtool/src/main.cpp b/ctrtool/src/main.cpp
new file mode 100644
index 00000000..2901c416
--- /dev/null
+++ b/ctrtool/src/main.cpp
@@ -0,0 +1,245 @@
+#include <tc.h>
+#include <tc/os/UnicodeMain.h>
+#include "Settings.h"
+
+#include "ExeFsProcess.h"
+#include "RomFsProcess.h"
+#include "IvfcProcess.h"
+#include "NcchProcess.h"
+#include "ExHeaderProcess.h"
+#include "CciProcess.h"
+#include "CiaProcess.h"
+#include "LzssProcess.h"
+#include "CrrProcess.h"
+#include "FirmProcess.h"
+
+#include <tc/io/SubStream.h>
+#include <ntd/n3ds/IvfcStream.h>
+
+int umain(const std::vector<std::string>& args, const std::vector<std::string>& env)
+{
+	try 
+	{
+		ctrtool::Settings set = ctrtool::SettingsInitializer(args);
+		
+		std::shared_ptr<tc::io::IStream> infile_stream = std::make_shared<tc::io::FileStream>(tc::io::FileStream(set.infile.path.get(), tc::io::FileMode::Open, tc::io::FileAccess::Read));
+
+		if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_EXEFS)
+		{
+			ctrtool::ExeFsProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setCliOutputMode(true, set.exefs.list_fs);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			proc.setRawMode(set.opt.raw);
+			proc.setDecompressCode(set.exefs.decompress_code_partition);
+			if (set.exefs.extract_path.isSet())
+			{
+				proc.setExtractPath(set.exefs.extract_path.get());
+			}
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_ROMFS)
+		{
+			ctrtool::RomFsProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true, set.romfs.list_fs);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			if (set.romfs.extract_path.isSet())
+			{
+				proc.setExtractPath(set.romfs.extract_path.get());
+			}
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_IVFC)
+		{
+			ctrtool::IvfcProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true, set.romfs.list_fs);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			if (set.romfs.extract_path.isSet())
+			{
+				proc.setExtractPath(set.romfs.extract_path.get());
+			}
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_NCCH)
+		{
+			ctrtool::NcchProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			proc.setRawMode(set.opt.raw);
+			proc.setPlainMode(set.opt.raw);
+			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
+			proc.setRegionProcessOutputMode(proc.NcchRegion_Header, true, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
+			proc.setRegionProcessOutputMode(proc.NcchRegion_ExHeader, true, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
+			proc.setRegionProcessOutputMode(proc.NcchRegion_PlainRegion, false, false, set.ncch.plainregion_path, tc::Optional<tc::io::Path>());
+			proc.setRegionProcessOutputMode(proc.NcchRegion_Logo, false, false, set.ncch.logo_path, tc::Optional<tc::io::Path>());
+			proc.setRegionProcessOutputMode(proc.NcchRegion_ExeFs, true, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
+			proc.setRegionProcessOutputMode(proc.NcchRegion_RomFs, true, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_EXHEADER)
+		{
+			ctrtool::ExHeaderProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
+			
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_NCSD)
+		{
+			ctrtool::CciProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true, false);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			if (set.rom.content_extract_path.isSet())
+				proc.setExtractPath(set.rom.content_extract_path.get());
+			proc.setContentIndex(set.rom.content_process_index);
+			proc.setRawMode(set.opt.raw);
+			proc.setPlainMode(set.opt.plain);
+			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Header, true, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExHeader, true, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_PlainRegion, false, false, set.ncch.plainregion_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Logo, false, false, set.ncch.logo_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExeFs, true, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_RomFs, true, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_CIA)
+		{
+			ctrtool::CiaProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true, false);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			if (set.rom.content_extract_path.isSet())
+				proc.setContentExtractPath(set.rom.content_extract_path.get());
+			proc.setContentIndex(set.rom.content_process_index);
+			if (set.cia.certs_path.isSet())
+				proc.setCertExtractPath(set.cia.certs_path.get());
+			if (set.cia.tik_path.isSet())
+				proc.setTikExtractPath(set.cia.tik_path.get());
+			if (set.cia.tmd_path.isSet())
+				proc.setTmdExtractPath(set.cia.tmd_path.get());
+			if (set.cia.meta_path.isSet())
+				proc.setFooterExtractPath(set.cia.meta_path.get());
+			proc.setRawMode(set.opt.raw);
+			proc.setPlainMode(set.opt.plain);
+			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Header, true, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExHeader, true, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_PlainRegion, false, false, set.ncch.plainregion_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Logo, false, false, set.ncch.logo_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExeFs, true, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_RomFs, true, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_LZSS)
+		{
+			ctrtool::LzssProcess proc;
+			proc.setInputStream(infile_stream);
+			if (set.lzss.extract_path.isSet())
+				proc.setExtractPath(set.lzss.extract_path.get());
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_CRR)
+		{
+			ctrtool::CrrProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_FIRM)
+		{
+			ctrtool::FirmProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			if (set.firm.extract_path.isSet())
+			{
+				proc.setExtractPath(set.firm.extract_path.get());
+			}
+			proc.setFirmwareType(set.firm.firm_type);
+			proc.process();
+		}
+		
+		switch (set.infile.filetype)
+		{
+			case ctrtool::Settings::FILE_TYPE_NCSD :
+				fmt::print("## FILE_TYPE_NCSD ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_CIA :
+				fmt::print("## FILE_TYPE_CIA ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_NCCH :
+				fmt::print("## FILE_TYPE_NCCH ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_EXHEADER :
+				fmt::print("## FILE_TYPE_EXHEADER ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_EXEFS :
+				fmt::print("## FILE_TYPE_EXEFS ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_ROMFS :
+				fmt::print("## FILE_TYPE_ROMFS ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_FIRM :
+				fmt::print("## FILE_TYPE_FIRM ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_CERT :
+				fmt::print("## FILE_TYPE_CERT ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_TIK :
+				fmt::print("## FILE_TYPE_TIK ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_TMD :
+				fmt::print("## FILE_TYPE_TMD ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_LZSS :
+				fmt::print("## FILE_TYPE_LZSS ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_CRR :
+				fmt::print("## FILE_TYPE_CRR ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_CRO :
+				fmt::print("## FILE_TYPE_CRO ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_IVFC :
+				fmt::print("## FILE_TYPE_IVFC ##\n");
+				break;
+			case ctrtool::Settings::FILE_TYPE_SMDH :
+				fmt::print("## FILE_TYPE_SMDH ##\n");
+				break;
+			default:
+				fmt::print("## unknown({}) ##\n", (int)set.infile.filetype);
+				break;
+		}
+		
+	}
+	catch (tc::Exception& e)
+	{
+		fmt::print("[{0}{1}ERROR] {2}\n", e.module(), (strlen(e.module()) != 0 ? " ": ""), e.error());
+		return 1;
+	}
+	return 0;
+}
\ No newline at end of file
diff --git a/ctrtool/src/types.h b/ctrtool/src/types.h
new file mode 100644
index 00000000..2da45731
--- /dev/null
+++ b/ctrtool/src/types.h
@@ -0,0 +1,15 @@
+#pragma once
+#include <tc/types.h>
+#include <fmt/core.h>
+
+
+namespace ctrtool {
+
+enum ValidState : byte_t
+{
+	Unchecked,
+	Good,
+	Fail
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
new file mode 100644
index 00000000..2f0406dd
--- /dev/null
+++ b/ctrtool/src/version.h
@@ -0,0 +1,7 @@
+#pragma once
+#define APP_NAME	"CTRTool"
+#define BIN_NAME	"ctrtool"
+#define VER_MAJOR	1
+#define VER_MINOR	0
+#define VER_PATCH	0
+#define AUTHORS		"jakcron"
\ No newline at end of file

From 5c72ce2430c9a4c4cefb90e98562db9c6eb788bd Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 12 Mar 2022 16:05:09 +0800
Subject: [PATCH 246/317] Add CTRTool build workflow

---
 .github/workflows/Build_CTRTool.yml | 71 +++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 .github/workflows/Build_CTRTool.yml

diff --git a/.github/workflows/Build_CTRTool.yml b/.github/workflows/Build_CTRTool.yml
new file mode 100644
index 00000000..6d0cb39e
--- /dev/null
+++ b/.github/workflows/Build_CTRTool.yml
@@ -0,0 +1,71 @@
+name: Compile CTRTool (on master branch)
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  release:
+    types: [ created ]
+
+jobs:
+  build_makefile:
+    name: Compile ${{ matrix.prog }} for ${{ matrix.dist }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        dist: [ubuntu_x86_64, macos_x86_64, macos_arm64]
+        prog: [ctrtool]
+        include:
+         - dist: ubuntu_x86_64
+           os: ubuntu-latest
+           arch: x86_64
+         - dist: macos_x86_64
+           os: macos-latest
+           arch: x86_64
+         - dist: macos_arm64
+           os: macos-latest
+           arch: arm64
+    steps:
+    - uses: actions/checkout@v1
+    - name: Change to ${{ matrix.prog }} directory
+      run: cd ./${{ matrix.prog }}
+    - name: Clone submodules
+      run: git submodule init && git submodule update
+    - name: Compile ${{ matrix.prog }}
+      run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
+    - uses: actions/upload-artifact@v2
+      with:
+        name: ${{ matrix.prog }}-${{ matrix.dist }}
+        path: ./${{ matrix.prog }}/bin/${{ matrix.prog }}
+  build_visualstudio:
+    name: Compile ${{ matrix.prog }} for ${{ matrix.dist }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        dist: [win_x64, win_x86]
+        prog: [ctrtool]
+        include:
+         - dist: win_x64
+           os: windows-latest
+           platform: x64
+           configuration: Release
+           build_path: x64\Release
+         - dist: win_x86
+           os: windows-latest
+           platform: x86
+           configuration: Release
+           build_path: Release
+    steps:
+    - uses: actions/checkout@v1
+    - name: Add msbuild to PATH
+      uses: microsoft/setup-msbuild@v1.1
+    - name: Clone submodules
+      run: git submodule init && git submodule update
+    - name: Compile ${{ matrix.prog }}
+      run: msbuild .\${{ matrix.prog }}\build\visualstudio\${{ matrix.prog }}.sln /p:configuration=${{ matrix.configuration }} /p:platform=${{ matrix.platform }} 
+    - uses: actions/upload-artifact@v2
+      with:
+        name: ${{ matrix.prog }}-${{ matrix.dist }}
+        path: .\${{ matrix.prog }}\build\visualstudio\${{ matrix.build_path }}\${{ matrix.prog }}.exe
+

From 5f5f24a73132649f0e2c5d334283913acba8039a Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 12 Mar 2022 16:22:34 +0800
Subject: [PATCH 247/317] Fix Build_CTRTool.yml

---
 .github/workflows/Build_CTRTool.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/Build_CTRTool.yml b/.github/workflows/Build_CTRTool.yml
index 6d0cb39e..9fb17f51 100644
--- a/.github/workflows/Build_CTRTool.yml
+++ b/.github/workflows/Build_CTRTool.yml
@@ -28,12 +28,10 @@ jobs:
            arch: arm64
     steps:
     - uses: actions/checkout@v1
-    - name: Change to ${{ matrix.prog }} directory
-      run: cd ./${{ matrix.prog }}
     - name: Clone submodules
       run: git submodule init && git submodule update
     - name: Compile ${{ matrix.prog }}
-      run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
+      run: cd ./${{ matrix.prog }} && make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
     - uses: actions/upload-artifact@v2
       with:
         name: ${{ matrix.prog }}-${{ matrix.dist }}

From 70f253152dad98784dacc9e265f1ac67d399ae67 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 08:41:53 +0800
Subject: [PATCH 248/317] Misc formatting logging text.

---
 ctrtool/src/FirmProcess.cpp | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ctrtool/src/FirmProcess.cpp b/ctrtool/src/FirmProcess.cpp
index aa9949a8..aefa57ab 100644
--- a/ctrtool/src/FirmProcess.cpp
+++ b/ctrtool/src/FirmProcess.cpp
@@ -300,15 +300,11 @@ void ctrtool::FirmProcess::extractSections()
 			// create output file path
 			tc::io::Path f_path = mExtractPath.get() + f_name;
 
-			// save output file path string
-			std::string f_path_str;
-			tc::io::PathUtil::pathToUnixUTF8(f_path, f_path_str);
-
 			// open out stream
 			local_fs.createDirectory(mExtractPath.get());
 			local_fs.openFile(f_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
 
-			fmt::print("Saving section {} to {}...\n", i, f_path_str);
+			fmt::print("Saving section {} to {}...\n", i, f_path.to_string());
 
 			tc::ByteData filedata = tc::ByteData(in_stream->length());
 			in_stream->seek(0, tc::io::SeekOrigin::Begin);

From c57a691c2f114eebe48997aa7e267c41c118c787 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 08:42:10 +0800
Subject: [PATCH 249/317] Properly detect SMDH magic.

---
 ctrtool/src/Settings.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/Settings.cpp b/ctrtool/src/Settings.cpp
index 641ede54..fd847dd2 100644
--- a/ctrtool/src/Settings.cpp
+++ b/ctrtool/src/Settings.cpp
@@ -537,7 +537,7 @@ void ctrtool::SettingsInitializer::determine_filetype()
 		infile.filetype = FILE_TYPE_ROMFS;
 	}
 	else if (_ASSERT_FILE_SIZE(sizeof(ntd::n3ds::SystemMenuDataHeader)) 
-	      && _TYPE_PTR(ntd::n3ds::SystemMenuDataHeader)->struct_magic.unwrap() == sizeof(ntd::n3ds::SystemMenuDataHeader::kStructMagic))
+	      && _TYPE_PTR(ntd::n3ds::SystemMenuDataHeader)->struct_magic.unwrap() == ntd::n3ds::SystemMenuDataHeader::kStructMagic)
 	{
 		infile.filetype = FILE_TYPE_SMDH;
 	}

From ec7f1b964cc23e82c3d0232c0fdd54694e631dca Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 08:59:25 +0800
Subject: [PATCH 250/317] Try to fix Build_CTRTool.yml

---
 .github/workflows/Build_CTRTool.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/Build_CTRTool.yml b/.github/workflows/Build_CTRTool.yml
index 9fb17f51..3e5aed45 100644
--- a/.github/workflows/Build_CTRTool.yml
+++ b/.github/workflows/Build_CTRTool.yml
@@ -31,7 +31,8 @@ jobs:
     - name: Clone submodules
       run: git submodule init && git submodule update
     - name: Compile ${{ matrix.prog }}
-      run: cd ./${{ matrix.prog }} && make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
+      working-directory: ${{ matrix.prog }}
+      run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
     - uses: actions/upload-artifact@v2
       with:
         name: ${{ matrix.prog }}-${{ matrix.dist }}

From 85f0fea9707414620d2c1c6c88ee579edebcb6c4 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 09:18:27 +0800
Subject: [PATCH 251/317] Update makefiles

---
 ctrtool/deps/libbroadon-es/makefile    | 26 ++++++++++-------
 ctrtool/deps/libnintendo-n3ds/makefile | 28 ++++++++++--------
 ctrtool/makefile                       | 40 +++++++++++++++++++-------
 3 files changed, 61 insertions(+), 33 deletions(-)

diff --git a/ctrtool/deps/libbroadon-es/makefile b/ctrtool/deps/libbroadon-es/makefile
index 87521a45..9b818f46 100644
--- a/ctrtool/deps/libbroadon-es/makefile
+++ b/ctrtool/deps/libbroadon-es/makefile
@@ -1,6 +1,6 @@
 # C++/C Recursive Project Makefile 
 # (c) Jack
-# Version 5
+# Version 6 (20211110)
 
 # Project Name
 PROJECT_NAME = libbroadon-es
@@ -10,11 +10,11 @@ PROJECT_PATH = $(CURDIR)
 PROJECT_SRC_PATH = src
 PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
 PROJECT_INCLUDE_PATH = include
-#PROJECT_TESTSRC_PATH = test
-#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_TESTSRC_PATH = test
+PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
 PROJECT_BIN_PATH = bin
-#PROJECT_DOCS_PATH = docs
-#PROJECT_DOXYFILE_PATH = Doxyfile
+PROJECT_DOCS_PATH = docs
+PROJECT_DOXYFILE_PATH = Doxyfile
 
 # Determine if the root makefile has been established, and if not establish this makefile as the root makefile
 ifeq ($(ROOT_PROJECT_NAME),)
@@ -31,8 +31,8 @@ PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
 PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
 
 # Project Dependencies
-PROJECT_DEPEND = mbedtls toolchain
-PROJECT_DEPEND_LOCAL_DIR = libmbedtls libtoolchain
+PROJECT_DEPEND = toolchain mbedtls fmt
+PROJECT_DEPEND_LOCAL_DIR = libtoolchain libmbedtls libfmt
 
 # Generate compiler flags for including project include path
 ifneq ($(PROJECT_INCLUDE_PATH),)
@@ -112,8 +112,8 @@ CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 
 # Object Files
-SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
-TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 
 # all is the default, user should specify what the default should do
 #	- 'static_lib' for building static library
@@ -134,6 +134,10 @@ clean: clean_object_files remove_binary_dir
 	@echo CXX $<
 	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
 
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
 # Binary Directory
 .PHONY: create_binary_dir
 create_binary_dir:
@@ -161,13 +165,13 @@ shared_lib: $(SRC_OBJ) create_binary_dir
 # Build Program
 program: $(SRC_OBJ) create_binary_dir
 	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
-	@$(CXX) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
 
 # Build Test Program
 test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
 ifneq ($(PROJECT_TESTSRC_PATH),)
 	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
-	@$(CXX) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
 endif
 
 # Documentation
diff --git a/ctrtool/deps/libnintendo-n3ds/makefile b/ctrtool/deps/libnintendo-n3ds/makefile
index b786666b..6584d99d 100644
--- a/ctrtool/deps/libnintendo-n3ds/makefile
+++ b/ctrtool/deps/libnintendo-n3ds/makefile
@@ -1,20 +1,20 @@
 # C++/C Recursive Project Makefile 
 # (c) Jack
-# Version 5
+# Version 6 (20211110)
 
 # Project Name
 PROJECT_NAME = libnintendo-n3ds
 
 # Project Relative Paths
 PROJECT_PATH = $(CURDIR)
-PROJECT_SRC_PATH = src src/es
+PROJECT_SRC_PATH = src
 PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
 PROJECT_INCLUDE_PATH = include
-#PROJECT_TESTSRC_PATH = test
-#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_TESTSRC_PATH = test
+PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
 PROJECT_BIN_PATH = bin
-#PROJECT_DOCS_PATH = docs
-#PROJECT_DOXYFILE_PATH = Doxyfile
+PROJECT_DOCS_PATH = docs
+PROJECT_DOXYFILE_PATH = Doxyfile
 
 # Determine if the root makefile has been established, and if not establish this makefile as the root makefile
 ifeq ($(ROOT_PROJECT_NAME),)
@@ -31,8 +31,8 @@ PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
 PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
 
 # Project Dependencies
-PROJECT_DEPEND = mbedtls fmt toolchain broadon-es
-PROJECT_DEPEND_LOCAL_DIR = libmbedtls libfmt libtoolchain libbroadon-es
+PROJECT_DEPEND = broadon-es toolchain mbedtls fmt  
+PROJECT_DEPEND_LOCAL_DIR = libbroadon-es libtoolchain libmbedtls libfmt  
 
 # Generate compiler flags for including project include path
 ifneq ($(PROJECT_INCLUDE_PATH),)
@@ -112,8 +112,8 @@ CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 
 # Object Files
-SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
-TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 
 # all is the default, user should specify what the default should do
 #	- 'static_lib' for building static library
@@ -134,6 +134,10 @@ clean: clean_object_files remove_binary_dir
 	@echo CXX $<
 	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
 
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
 # Binary Directory
 .PHONY: create_binary_dir
 create_binary_dir:
@@ -161,13 +165,13 @@ shared_lib: $(SRC_OBJ) create_binary_dir
 # Build Program
 program: $(SRC_OBJ) create_binary_dir
 	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
-	@$(CXX) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
 
 # Build Test Program
 test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
 ifneq ($(PROJECT_TESTSRC_PATH),)
 	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
-	@$(CXX) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
 endif
 
 # Documentation
diff --git a/ctrtool/makefile b/ctrtool/makefile
index 2195df1f..58247056 100644
--- a/ctrtool/makefile
+++ b/ctrtool/makefile
@@ -1,6 +1,6 @@
 # C++/C Recursive Project Makefile 
 # (c) Jack
-# Version 4
+# Version 6 (20211110)
 
 # Project Name
 PROJECT_NAME = ctrtool
@@ -31,8 +31,8 @@ PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
 PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
 
 # Project Dependencies
-PROJECT_DEPEND = mbedtls toolchain nintendo-n3ds broadon-es fmt
-PROJECT_DEPEND_LOCAL_DIR = libmbedtls libtoolchain libnintendo-n3ds libbroadon-es libfmt
+PROJECT_DEPEND = nintendo-n3ds broadon-es toolchain mbedtls fmt
+PROJECT_DEPEND_LOCAL_DIR = libnintendo-n3ds libbroadon-es libtoolchain libmbedtls libfmt
 
 # Generate compiler flags for including project include path
 ifneq ($(PROJECT_INCLUDE_PATH),)
@@ -64,12 +64,26 @@ ifeq ($(PROJECT_PLATFORM),)
 	endif
 endif
 
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
 # Generate platform specific compiler flags
 ifeq ($(PROJECT_PLATFORM), WIN32)
 	# Windows Flags/Libs
 	CC = x86_64-w64-mingw32-gcc
 	CXX = x86_64-w64-mingw32-g++
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
 	INC +=
 	LIB += -static
 	ARFLAGS = cr -o
@@ -78,6 +92,7 @@ else ifeq ($(PROJECT_PLATFORM), GNU)
 	#CC = 
 	#CXX =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
 	INC +=
 	LIB +=
 	ARFLAGS = cr -o
@@ -86,18 +101,19 @@ else ifeq ($(PROJECT_PLATFORM), MACOS)
 	#CC = 
 	#CXX =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
 	INC +=
 	LIB +=
 	ARFLAGS = rc	
 endif
 
 # Compiler Flags
-CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) -fPIC
-CFLAGS = -std=c11 $(INC) $(WARNFLAGS) -fPIC
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 
 # Object Files
-SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
-TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
 
 # all is the default, user should specify what the default should do
 #	- 'static_lib' for building static library
@@ -105,7 +121,7 @@ TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcar
 #	- 'program' for building the program
 #	- 'test_program' for building the test program
 # These can typically be used together however *_lib and program should not be used together
-all: program
+all: static_lib
 	
 clean: clean_object_files remove_binary_dir
 
@@ -118,6 +134,10 @@ clean: clean_object_files remove_binary_dir
 	@echo CXX $<
 	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
 
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
 # Binary Directory
 .PHONY: create_binary_dir
 create_binary_dir:
@@ -145,13 +165,13 @@ shared_lib: $(SRC_OBJ) create_binary_dir
 # Build Program
 program: $(SRC_OBJ) create_binary_dir
 	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
-	@$(CXX) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
 
 # Build Test Program
 test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
 ifneq ($(PROJECT_TESTSRC_PATH),)
 	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
-	@$(CXX) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
 endif
 
 # Documentation

From 8dd17ce5feca3dc5fa0718a56e2d1852484dbfb2 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 09:21:37 +0800
Subject: [PATCH 252/317] Fix copy/paste bug in ctrtool makefile

---
 ctrtool/makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/makefile b/ctrtool/makefile
index 58247056..b5639341 100644
--- a/ctrtool/makefile
+++ b/ctrtool/makefile
@@ -121,7 +121,7 @@ TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcar
 #	- 'program' for building the program
 #	- 'test_program' for building the test program
 # These can typically be used together however *_lib and program should not be used together
-all: static_lib
+all: program
 	
 clean: clean_object_files remove_binary_dir
 

From 90dd1abc63b1eab796cae2ca300cc94ef9e36a54 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 10:05:33 +0800
Subject: [PATCH 253/317] Fix copy-pasta mistake in libnintendo-n3ds makefile

---
 ctrtool/deps/libnintendo-n3ds/makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/deps/libnintendo-n3ds/makefile b/ctrtool/deps/libnintendo-n3ds/makefile
index 6584d99d..0257804e 100644
--- a/ctrtool/deps/libnintendo-n3ds/makefile
+++ b/ctrtool/deps/libnintendo-n3ds/makefile
@@ -11,7 +11,7 @@ PROJECT_SRC_PATH = src
 PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
 PROJECT_INCLUDE_PATH = include
 PROJECT_TESTSRC_PATH = test
-PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH) $(PROJECT_TESTSRC_PATH)/es
 PROJECT_BIN_PATH = bin
 PROJECT_DOCS_PATH = docs
 PROJECT_DOXYFILE_PATH = Doxyfile

From dbd8c9570166acf733b55f56f6c1723246988f68 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 10:11:09 +0800
Subject: [PATCH 254/317] More makefile fixes

---
 ctrtool/deps/libbroadon-es/makefile    |  8 ++++----
 ctrtool/deps/libnintendo-n3ds/makefile | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/ctrtool/deps/libbroadon-es/makefile b/ctrtool/deps/libbroadon-es/makefile
index 9b818f46..0ddcf5e4 100644
--- a/ctrtool/deps/libbroadon-es/makefile
+++ b/ctrtool/deps/libbroadon-es/makefile
@@ -10,11 +10,11 @@ PROJECT_PATH = $(CURDIR)
 PROJECT_SRC_PATH = src
 PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
 PROJECT_INCLUDE_PATH = include
-PROJECT_TESTSRC_PATH = test
-PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
 PROJECT_BIN_PATH = bin
-PROJECT_DOCS_PATH = docs
-PROJECT_DOXYFILE_PATH = Doxyfile
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
 
 # Determine if the root makefile has been established, and if not establish this makefile as the root makefile
 ifeq ($(ROOT_PROJECT_NAME),)
diff --git a/ctrtool/deps/libnintendo-n3ds/makefile b/ctrtool/deps/libnintendo-n3ds/makefile
index 0257804e..a76562ac 100644
--- a/ctrtool/deps/libnintendo-n3ds/makefile
+++ b/ctrtool/deps/libnintendo-n3ds/makefile
@@ -8,13 +8,13 @@ PROJECT_NAME = libnintendo-n3ds
 # Project Relative Paths
 PROJECT_PATH = $(CURDIR)
 PROJECT_SRC_PATH = src
-PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH) $(PROJECT_TESTSRC_PATH)/es
 PROJECT_INCLUDE_PATH = include
-PROJECT_TESTSRC_PATH = test
-PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH) $(PROJECT_TESTSRC_PATH)/es
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
 PROJECT_BIN_PATH = bin
-PROJECT_DOCS_PATH = docs
-PROJECT_DOXYFILE_PATH = Doxyfile
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
 
 # Determine if the root makefile has been established, and if not establish this makefile as the root makefile
 ifeq ($(ROOT_PROJECT_NAME),)

From 031d45cfde25c2a2fe778b39a6455ee1f5ea07cf Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 10:19:09 +0800
Subject: [PATCH 255/317] Fix more mistakes in makefiles

---
 ctrtool/deps/libnintendo-n3ds/makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/deps/libnintendo-n3ds/makefile b/ctrtool/deps/libnintendo-n3ds/makefile
index a76562ac..0707c029 100644
--- a/ctrtool/deps/libnintendo-n3ds/makefile
+++ b/ctrtool/deps/libnintendo-n3ds/makefile
@@ -8,7 +8,7 @@ PROJECT_NAME = libnintendo-n3ds
 # Project Relative Paths
 PROJECT_PATH = $(CURDIR)
 PROJECT_SRC_PATH = src
-PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH) $(PROJECT_TESTSRC_PATH)/es
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH) $(PROJECT_SRC_PATH)/es
 PROJECT_INCLUDE_PATH = include
 #PROJECT_TESTSRC_PATH = test
 #PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)

From 51e3433bec7a8e0511035ee7be315388cffa9ea2 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 13:45:29 +0800
Subject: [PATCH 256/317] Revise usage text/handler

---
 ctrtool/src/Settings.cpp | 91 ++++++++++------------------------------
 ctrtool/src/Settings.h   |  4 ++
 2 files changed, 25 insertions(+), 70 deletions(-)

diff --git a/ctrtool/src/Settings.cpp b/ctrtool/src/Settings.cpp
index fd847dd2..34d07cc1 100644
--- a/ctrtool/src/Settings.cpp
+++ b/ctrtool/src/Settings.cpp
@@ -309,7 +309,8 @@ class FileTypeOptionHandler : public tc::cli::OptionParser::IOptionHandler
 		{
 			mParam = ctrtool::Settings::FILE_TYPE_NCCH;
 		}
-		else if (params[0] == "exheader")
+		else if (params[0] == "exheader" \
+		 || params[0] == "exhdr")
 		{
 			mParam = ctrtool::Settings::FILE_TYPE_EXHEADER;
 		}
@@ -399,7 +400,6 @@ void ctrtool::SettingsInitializer::parse_args(const std::vector<std::string>& ar
 	// save input file
 	infile.path = tc::io::Path(args.back());
 
-
 	// test new option parser
 	tc::cli::OptionParser opts;
 
@@ -415,6 +415,8 @@ void ctrtool::SettingsInitializer::parse_args(const std::vector<std::string>& ar
 
 
 	// get option flags
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.info, {"-i", "--info"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.info, {"-x", "--extract"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.plain, {"-p", "--plain"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.raw, {"-r", "--raw"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.verbose, {"-v", "--verbose"})));
@@ -608,73 +610,17 @@ void ctrtool::SettingsInitializer::usage_text()
 		//"  --ncchsyskey=key   Set ncch fixed system key.\n"
 		"  --seeddb=file      Set seeddb for ncch seed crypto.\n"
 		"  --seed=key         Set specific seed for ncch seed crypto.\n"
-		"  --showkeys         Show the keys being used.\n"
+		//"  --showkeys         Show the keys being used.\n"
 		"  --showsyscalls     Show system call names instead of numbers.\n"
-		"  -t, --intype=type  Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
-		"                        firm, cwav, exefs, romfs]\n"
-		"LZSS options:\n"
-		"  --lzssout=file	  Specify lzss output file\n"
-		"CXI/CCI options:\n"
+		"  -t, --intype=type  Specify input file type. [cia, tik, tmd, ncsd, ncch, exheader, exefs, romfs, firm, lzss]\n"
+		"                     (only needed when file type isn't detected automatically)\n"
+		"CCI options:\n"
 		"  -n, --ncch=index   Specify NCCH partition index.\n"
-		"  --exheader=file    Specify Extended Header file path.\n"
-		"  --logo=file        Specify Logo file path.\n"
-		"  --plainrgn=file    Specify Plain region file path\n"
-		"  --exefs=file       Specify ExeFS file path.\n"
-		"  --exefsdir=dir     Specify ExeFS directory path.\n"
-		"  --romfs=file       Specify RomFS file path.\n"
-		"  --romfsdir=dir     Specify RomFS directory path.\n"
-		"  --listromfs        List files in RomFS.\n" 
+		"  --contents=dir     Specify Contents directory path.\n"
+		//"  --initdata=file    Specify Initial Data file path.\n"
 		"CIA options:\n"
-		"  --certs=file       Specify Certificate chain file path.\n"
-		"  --tik=file         Specify Ticket file path.\n"
-		"  --tmd=file         Specify TMD file path.\n"
-		"  --contents=file    Specify Contents file path.\n"
-		"  --meta=file        Specify Meta file path.\n"
-		"FIRM options:\n"
-		"  --firmdir=dir      Specify Firm directory path.\n"
-		"  --firmtype=type    Specify Firm location type, this determines encryption/signing.\n"
-		"                       - nand: (default) FIRM images installed to internal NAND,\n"
-	    "                       - ngc: FIRM images loaded from NTR game card at boot,\n"
-		"                       - nor: FIRM images loaded from WiFi board NOR at boot,\n"
-		"                       - sdmc: FIRM images installed from SD card by FIRM installers (internal dev tool).\n"
-		"CWAV options:\n"
-		"  --wav=file         Specify wav output file.\n"
-		"  --wavloops=count   Specify wav loop count, default 0.\n"
-		"EXEFS options:\n"
-		"  --decompresscode   Decompress .code section\n"
-		"                     (only needed when using raw EXEFS file)\n");
-/*
-	std::cerr << 
-		"Options:\n"
-		"  -i, --info         Show file info.\n"
-		"                          This is the default action.\n"
-		"  -x, --extract      Extract data from file.\n"
-		"                          This is also the default action.\n"
-		"  -p, --plain        Extract data without decrypting.\n"
-		"  -r, --raw          Keep raw data, don't unpack.\n"
-		//"  -k, --keyset=file  Specify keyset file.\n"
-		"  -v, --verbose      Give verbose output.\n"
-		"  -y, --verify       Verify hashes and signatures.\n"
-		"  -d, --dev          Decrypt with development keys instead of retail.\n"
-		//"  --unitsize=size    Set media unit size (default 0x200).\n"
-		//"  --commonkey=key    Set common key.\n"
-		"  --titlekey=key     Set tik title key.\n"
-		//"  --ncchkey=key      Set ncch key.\n"
-		//"  --ncchsyskey=key   Set ncch fixed system key.\n"
-		"  --seeddb=file      Set seeddb for ncch seed crypto.\n"
-		"  --seed=key         Set specific seed for ncch seed crypto.\n"
-		"  --showkeys         Show the keys being used.\n"
-		"  --showsyscalls     Show system call names instead of numbers.\n"
-		"  -t, --intype=type  Specify input file type [ncsd, ncch, exheader, cia, tmd, lzss,\n"
-		"                        firm, cwav, exefs, romfs]\n"
-		"LZSS options:\n"
-		"  --lzssout=file	  Specify lzss output file\n"
-		"CCI/CIA options:\n"
 		"  -n, --ncch=index   Specify NCCH partition index.\n"
 		"  --contents=dir     Specify Contents directory path.\n"
-		"CCI options:\n"
-		"  --initdata=file    Specify Initial Data file path.\n"
-		"CIA options:\n"
 		"  --certs=file       Specify Certificate chain file path.\n"
 		"  --tik=file         Specify Ticket file path.\n"
 		"  --tmd=file         Specify TMD file path.\n"
@@ -695,10 +641,15 @@ void ctrtool::SettingsInitializer::usage_text()
 		"  --listromfs        List files in RomFS.\n" 
 		"FIRM options:\n"
 		"  --firmdir=dir      Specify Firm directory path.\n"
-		"CWAV options:\n"
-		"  --wav=file         Specify wav output file.\n"
-		"  --wavloops=count   Specify wav loop count, default 0.\n"
-		
-		<< std::flush;
-*/
+		"  --firmtype=type    Specify Firm location type, this determines encryption/signing.\n"
+		"                       - nand: (default) FIRM images installed to internal NAND,\n"
+	    "                       - ngc: FIRM images loaded from NTR game card at boot,\n"
+		"                       - nor: FIRM images loaded from WiFi board NOR at boot,\n"
+		"                       - sdmc: FIRM images installed from SD card by FIRM installers (internal dev tool).\n"
+		"LZSS options:\n"
+		"  --lzssout=file     Specify lzss output file\n"
+		//"CWAV options:\n"
+		//"  --wav=file         Specify wav output file.\n"
+		//"  --wavloops=count   Specify wav loop count, default 0.\n"
+	);
 }
\ No newline at end of file
diff --git a/ctrtool/src/Settings.h b/ctrtool/src/Settings.h
index 4c56aa93..c8a839af 100644
--- a/ctrtool/src/Settings.h
+++ b/ctrtool/src/Settings.h
@@ -39,6 +39,8 @@ struct Settings
 
 	struct Options
 	{
+		bool info;
+		bool extract;
 		bool plain;
 		bool raw;
 		bool verbose;
@@ -121,6 +123,8 @@ struct Settings
 		infile.filetype = FILE_TYPE_ERROR;
 		infile.path = tc::Optional<tc::io::Path>();
 
+		opt.info = true;
+		opt.extract = true;
 		opt.plain = false;
 		opt.raw = false;
 		opt.verbose = false;

From 5f0186d19f6ab245150092cf6017b4ea3d252e9b Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 17:23:19 +0800
Subject: [PATCH 257/317] Change behaviour of TitleMetaDataDeserialiser to read
 only the length of the actual data.

---
 .../libnintendo-n3ds/src/es/TitleMetaData.cpp | 50 +++++++++++--------
 1 file changed, 29 insertions(+), 21 deletions(-)

diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
index c9e0ac04..ca1894f2 100644
--- a/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
@@ -19,12 +19,8 @@ ntd::n3ds::es::TitleMetaDataDeserialiser::TitleMetaDataDeserialiser(const std::s
 		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD was too small.");
 	}
 
-	// import TMD v1 data
-	if (tc::is_int64_t_too_large_for_size_t(tmd_stream->length()))
-	{
-		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD was too large to read into memory.");
-	}
-	tc::ByteData tmd_data = tc::ByteData(static_cast<size_t>(tmd_stream->length()));
+	// import TMD v1 data (less the ESV1ContentMeta data)
+	tc::ByteData tmd_data = tc::ByteData(sizeof(brd::es::ESV1TitleMeta));
 	tmd_stream->seek(0, tc::io::SeekOrigin::Begin);
 	if (tmd_stream->read(tmd_data.data(), tmd_data.size()) < tmd_data.size())
 	{
@@ -43,19 +39,6 @@ ntd::n3ds::es::TitleMetaDataDeserialiser::TitleMetaDataDeserialiser(const std::s
 		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had unexpected format version.");
 	}
 
-	// hash for staged validiation
-	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
-
-	// calculate hash for optional signature validation later
-	tc::crypto::GenerateSha256Hash(calculated_hash.data(), (byte_t*)&tmd->sig.issuer, (size_t)((byte_t*)&tmd->v1Head.cmdGroups - (byte_t*)&tmd->sig.issuer));
-
-	// verify v1 ESV1ContentMetaGroup array using hash in v1 header
-	tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->v1Head.cmdGroups, sizeof(tmd->v1Head.cmdGroups));
-	if (memcmp(hash.data(), tmd->v1Head.hash.data(), hash.size()) != 0)
-	{
-		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had invalid CMD group hash.");
-	}
-
 	/*
 	std::cout << "[Tmd]" << std::endl;
 	std::cout << "  > Issuer:            " << tmd->sig.issuer.data() << std::endl;
@@ -67,9 +50,34 @@ ntd::n3ds::es::TitleMetaDataDeserialiser::TitleMetaDataDeserialiser(const std::s
 
 	// determine if the TMD is the correct size given expected number of ESV1ContentMeta entries
 	size_t cmd_table_num = tmd->v1Head.cmdGroups[0].nCmds.unwrap();
-	if (tmd_data.size() != (sizeof(brd::es::ESV1TitleMeta) + (cmd_table_num * sizeof(brd::es::ESV1ContentMeta))))
+	size_t tmd_full_size = sizeof(brd::es::ESV1TitleMeta) + (cmd_table_num * sizeof(brd::es::ESV1ContentMeta));
+
+	if (tmd_stream->length() < (tmd_full_size))
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD was too small.");
+	}
+
+	// import full TMD v1 data
+	tmd_data = tc::ByteData(tmd_full_size);
+	tmd_stream->seek(0, tc::io::SeekOrigin::Begin);
+	if (tmd_stream->read(tmd_data.data(), tmd_data.size()) < tmd_data.size())
+	{
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had unexpected size after reading.");
+	}
+	// update tmd pointer
+	tmd = (brd::es::ESV1TitleMeta*)tmd_data.data();
+
+	// hash for staged validiation
+	std::array<byte_t, tc::crypto::Sha256Generator::kHashSize> hash;
+
+	// calculate hash for optional signature validation later
+	tc::crypto::GenerateSha256Hash(calculated_hash.data(), (byte_t*)&tmd->sig.issuer, (size_t)((byte_t*)&tmd->v1Head.cmdGroups - (byte_t*)&tmd->sig.issuer));
+
+	// verify v1 ESV1ContentMetaGroup array using hash in v1 header
+	tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->v1Head.cmdGroups, sizeof(tmd->v1Head.cmdGroups));
+	if (memcmp(hash.data(), tmd->v1Head.hash.data(), hash.size()) != 0)
 	{
-		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had unexpected size");
+		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had invalid CMD group hash.");
 	}
 
 	// verify ESV1ContentMeta array

From ea74ca4e9358f8948bf6a2396360cbbb948a5fc7 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 17:23:51 +0800
Subject: [PATCH 258/317] Enable CiaProcess to fallback use certs to verify
 cert/tik/tmd.

---
 ctrtool/src/CiaProcess.cpp | 93 +++++++++++++++++++++++---------------
 ctrtool/src/CiaProcess.h   |  1 +
 2 files changed, 58 insertions(+), 36 deletions(-)

diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index ecf06d54..bf5c7d1b 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -23,6 +23,7 @@ ctrtool::CiaProcess::CiaProcess() :
 	mFooterExtractPath(),
 	mContentIndex(0),
 	mIssuerSigner(),
+	mCertImportedIssuerSigner(),
 	mCertChain(),
 	mCertSigValid(),
 	mTicket(),
@@ -255,37 +256,36 @@ void ctrtool::CiaProcess::importHeader()
 	// process CIA
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default)
 	{
-		std::shared_ptr<tc::io::IStream> cert_stream;
 		if (mCertSizeInfo.size > 0)
 		{
-			cert_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mCertSizeInfo.offset, mCertSizeInfo.size));
+			std::shared_ptr<tc::io::IStream> certchain_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mCertSizeInfo.offset, mCertSizeInfo.size));
 
-			if (mCertSizeInfo.size < 0x1000000)
+			while (certchain_stream->position() < certchain_stream->length())
 			{
-				tc::ByteData cert_data = tc::ByteData(mCertSizeInfo.size);
+				std::shared_ptr<tc::io::IStream> cert_stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(certchain_stream, certchain_stream->position(), certchain_stream->length() - certchain_stream->position()));
+				mCertChain.push_back(ntd::n3ds::es::CertificateDeserialiser(cert_stream));
+				mCertSigValid.push_back(ValidState::Unchecked);
 
-				cert_stream->seek(0, tc::io::SeekOrigin::Begin);
-				cert_stream->read(cert_data.data(), cert_data.size());
+				// update position of input stream
+				//certchain_stream->seek(cert_stream->position(), tc::io::SeekOrigin::Current);
 
-				for (size_t certchain_pos = 0; certchain_pos < cert_data.size();)
+				// import issuer profile from certificate
+				if (mCertChain.back().public_key_type == brd::es::ESCertPubKeyType::RSA2048)
 				{
-					size_t certbin_size = ntd::n3ds::es::getCertificateSize(cert_data.data() + certchain_pos);
-					if (certbin_size == 0)
-					{
-						throw tc::InvalidOperationException(mModuleLabel, "Certificate chain had invalid data.");
-					}
-
-					mCertChain.push_back(ntd::n3ds::es::CertificateDeserialiser(std::make_shared<tc::io::SubStream>(tc::io::SubStream(cert_stream, certchain_pos, certbin_size))));
-					mCertSigValid.push_back(ValidState::Unchecked);
-
-					certchain_pos += certbin_size;
-				}				
-			}
-			else
-			{
-				fmt::print("[LOG] Certificate chain too large, cannot verify Ticket or TitleMetaData.\n");
-				mCertSizeInfo.size = 0;
-				mCertSizeInfo.offset = 0;
+					std::string issuer = fmt::format("{}-{}", mCertChain.back().signature.issuer, mCertChain.back().subject);
+					brd::es::ESSigType sig_type = brd::es::ESSigType::RSA2048_SHA256;
+					auto& public_key = mCertChain.back().rsa2048_public_key;
+					
+					mCertImportedIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(issuer, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sig_type, issuer, tc::crypto::RsaPublicKey(public_key.m.data(), public_key.m.size())))));
+				}
+				else if (mCertChain.back().public_key_type == brd::es::ESCertPubKeyType::RSA4096)
+				{
+					std::string issuer = fmt::format("{}-{}", mCertChain.back().signature.issuer + mCertChain.back().subject);
+					brd::es::ESSigType sig_type = brd::es::ESSigType::RSA4096_SHA256;
+					auto& public_key = mCertChain.back().rsa4096_public_key;
+					
+					mCertImportedIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(issuer, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sig_type, issuer, tc::crypto::RsaPublicKey(public_key.m.data(), public_key.m.size())))));
+				}
 			}
 
 		}
@@ -406,11 +406,18 @@ void ctrtool::CiaProcess::verifyMetadata()
 		// verify cert
 		for (size_t i = 0; i < mCertChain.size(); i++)
 		{
-			auto issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
-			if (issuer_itr != mIssuerSigner.end() && issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+			auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
+			auto local_issuer_itr = mCertImportedIssuerSigner.find(mCertChain[i].signature.issuer);
+			
+			// try first with the keybag imported issuer
+			if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
 			{
-				//fmt::print("CertHash[{:d}]: {}\n", i, getTruncatedBytesString(mCertChain[i].calculated_hash.data(), mCertChain[i].calculated_hash.size(), mVerbose));
-				mCertSigValid[i] = issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+				mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			}
+			// fallback try with the issuer profiles imported from the local certificates
+			else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+			{
+				mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 			}
 			else
 			{
@@ -423,11 +430,18 @@ void ctrtool::CiaProcess::verifyMetadata()
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTikSizeInfo.size > 0)
 	{
 		// verify ticket
-		auto issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
-		if (issuer_itr != mIssuerSigner.end() && issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		auto keybag_issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
+		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTicket.signature.issuer);
+
+		// try first with the keybag imported issuer
+		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		{
+			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		// fallback try with the issuer profiles imported from the local certificates
+		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
 		{
-			//fmt::print("TikHash: {}\n", getTruncatedBytesString(mTicket.calculated_hash.data(), mTicket.calculated_hash.size(), mVerbose));
-			mTicketSigValid = issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mTicketSigValid = local_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
@@ -439,11 +453,18 @@ void ctrtool::CiaProcess::verifyMetadata()
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTmdSizeInfo.size > 0)
 	{
 		// verify tmd
-		auto issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
-		if (issuer_itr != mIssuerSigner.end() && issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		auto keybag_issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
+		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTitleMetaData.signature.issuer);
+
+		// try first with the keybag imported issuer
+		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		{
+			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		// fallback try with the issuer profiles imported from the local certificates
+		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
 		{
-			//fmt::print("TmdHash: {}\n", getTruncatedBytesString(mTitleMetaData.calculated_hash.data(), mTitleMetaData.calculated_hash.size(), mVerbose));
-			mTitleMetaDataSigValid = issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mTitleMetaDataSigValid = local_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
diff --git a/ctrtool/src/CiaProcess.h b/ctrtool/src/CiaProcess.h
index efcc5458..4c37be69 100644
--- a/ctrtool/src/CiaProcess.h
+++ b/ctrtool/src/CiaProcess.h
@@ -57,6 +57,7 @@ class CiaProcess
 	// process variables
 	ntd::n3ds::CiaHeader mHeader;
 	std::map<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>> mIssuerSigner;
+	std::map<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>> mCertImportedIssuerSigner;
 	std::vector<ntd::n3ds::es::Certificate> mCertChain;
 	std::vector<ValidState> mCertSigValid;
 	ntd::n3ds::es::Ticket mTicket;

From 30c11c9ea6be4ffd91d8ab429f99d32af1080452 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 17:24:17 +0800
Subject: [PATCH 259/317] Add support for processing tik/tmd files directly.

---
 ctrtool/src/TikProcess.cpp | 367 +++++++++++++++++++++++++++++++++++++
 ctrtool/src/TikProcess.h   |  60 ++++++
 ctrtool/src/TmdProcess.cpp | 347 +++++++++++++++++++++++++++++++++++
 ctrtool/src/TmdProcess.h   |  60 ++++++
 ctrtool/src/main.cpp       |  22 +++
 5 files changed, 856 insertions(+)
 create mode 100644 ctrtool/src/TikProcess.cpp
 create mode 100644 ctrtool/src/TikProcess.h
 create mode 100644 ctrtool/src/TmdProcess.cpp
 create mode 100644 ctrtool/src/TmdProcess.h

diff --git a/ctrtool/src/TikProcess.cpp b/ctrtool/src/TikProcess.cpp
new file mode 100644
index 00000000..598fca84
--- /dev/null
+++ b/ctrtool/src/TikProcess.cpp
@@ -0,0 +1,367 @@
+#include "TikProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+#include <tc/NotSupportedException.h>
+
+ctrtool::TikProcess::TikProcess() :
+	mModuleLabel("ctrtool::TikProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowInfo(false),
+	mVerbose(false),
+	mVerify(false),
+	mIssuerSigner(),
+	mCertImportedIssuerSigner(),
+	mCertChain(),
+	mCertSigValid(),
+	mTicket(),
+	mTicketSigValid(ValidState::Unchecked),
+	mDecryptedTitleKey()
+{
+}
+
+void ctrtool::TikProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::TikProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::TikProcess::setCliOutputMode(bool show_info)
+{
+	mShowInfo = show_info;
+}
+
+void ctrtool::TikProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::TikProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+void ctrtool::TikProcess::process()
+{
+	importIssuerProfiles();
+	importData();
+
+	if (mVerify)
+	{
+		verifyData();
+	}
+		
+	if (mShowInfo)
+	{
+		printData();
+	}
+}
+
+void ctrtool::TikProcess::importIssuerProfiles()
+{
+	// import issuer profiles from keybag
+	for (auto itr = mKeyBag.broadon_rsa_signer.begin(); itr != mKeyBag.broadon_rsa_signer.end(); itr++)
+	{
+		brd::es::ESSigType sigType = itr->first == "Root" ? brd::es::ESSigType::RSA4096_SHA256 : brd::es::ESSigType::RSA2048_SHA256;
+		mIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(itr->first, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sigType, itr->first, itr->second.key))));
+	}
+}
+
+void ctrtool::TikProcess::importData()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	// process ticket
+	{
+		mTicket = ntd::n3ds::es::TicketDeserialiser(mInputStream);
+		mTicketSigValid = ValidState::Unchecked;
+
+		// determine title key
+		if (mKeyBag.common_key.find(mTicket.key_id) != mKeyBag.common_key.end())
+		{
+			fmt::print("[LOG] Decrypting titlekey from ticket.\n");
+			
+			// get common key
+			auto common_key = mKeyBag.common_key[mTicket.key_id];
+			
+			// initialise iv
+			std::array<byte_t, 16> title_key_iv;
+			memset(title_key_iv.data(), 0, title_key_iv.size());
+			((tc::bn::be64<uint64_t>*)(&(title_key_iv[0])))->wrap(mTicket.title_id);
+
+			// decrypt title key
+			std::array<byte_t, 16> title_key;
+			tc::crypto::DecryptAes128Cbc(title_key.data(), mTicket.title_key.data(), title_key.size(), common_key.data(), common_key.size(), title_key_iv.data(), title_key_iv.size());
+		
+			mDecryptedTitleKey = title_key;
+		}
+		else
+		{
+			fmt::print("[LOG] Cannot determine titlekey.\n");
+		}
+	}
+
+	// process trailing cert chain (this assumes ntd::n3ds::es::TicketDeserialiser leaves the stream position at the end of the ticket data)
+	while (mInputStream->position() < mInputStream->length())
+	{
+		std::shared_ptr<tc::io::IStream> cert_stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(mInputStream, mInputStream->position(), mInputStream->length() - mInputStream->position()));
+		mCertChain.push_back(ntd::n3ds::es::CertificateDeserialiser(cert_stream));
+		mCertSigValid.push_back(ValidState::Unchecked);
+
+		// update position of input stream
+		//mInputStream->seek(cert_stream->position(), tc::io::SeekOrigin::Current);
+
+		// import issuer profile from certificate
+		if (mCertChain.back().public_key_type == brd::es::ESCertPubKeyType::RSA2048)
+		{
+			std::string issuer = fmt::format("{}-{}", mCertChain.back().signature.issuer, mCertChain.back().subject);
+			brd::es::ESSigType sig_type = brd::es::ESSigType::RSA2048_SHA256;
+			auto& public_key = mCertChain.back().rsa2048_public_key;
+			
+			mCertImportedIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(issuer, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sig_type, issuer, tc::crypto::RsaPublicKey(public_key.m.data(), public_key.m.size())))));
+		}
+		else if (mCertChain.back().public_key_type == brd::es::ESCertPubKeyType::RSA4096)
+		{
+			std::string issuer = fmt::format("{}-{}", mCertChain.back().signature.issuer + mCertChain.back().subject);
+			brd::es::ESSigType sig_type = brd::es::ESSigType::RSA4096_SHA256;
+			auto& public_key = mCertChain.back().rsa4096_public_key;
+			
+			mCertImportedIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(issuer, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sig_type, issuer, tc::crypto::RsaPublicKey(public_key.m.data(), public_key.m.size())))));
+		}
+	}
+}
+
+void ctrtool::TikProcess::verifyData()
+{
+	// verify cert
+	for (size_t i = 0; i < mCertChain.size(); i++)
+	{
+		auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
+		auto local_issuer_itr = mCertImportedIssuerSigner.find(mCertChain[i].signature.issuer);
+		
+		// try first with the keybag imported issuer
+		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		{
+			mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		// fallback try with the issuer profiles imported from the local certificates
+		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		{
+			mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		else
+		{
+			// cannot locate rsa key to verify
+			fmt::print(stderr, "Could not read public key for \"{}\" (certificate).\n", mCertChain[i].signature.issuer);
+			mCertSigValid[i] = ValidState::Fail;
+		}
+	}
+
+	// verify ticket
+	{
+		auto keybag_issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
+		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTicket.signature.issuer);
+
+		// try first with the keybag imported issuer
+		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		{
+			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		// fallback try with the issuer profiles imported from the local certificates
+		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		{
+			mTicketSigValid = local_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		else
+		{
+			// cannot locate rsa key to verify
+			fmt::print(stderr, "Could not read public key for \"{}\" (ticket).\n", mTicket.signature.issuer);
+			mTicketSigValid = ValidState::Fail;
+		}
+	}
+}
+
+void ctrtool::TikProcess::printData()
+{
+	{
+		fmt::print("Ticket:\n");
+		fmt::print("|- DigitalSignature: {:s} \n", getValidString(mTicketSigValid));
+		fmt::print("|  |- SigType:    {:s} (0x{:x})\n", getSigTypeString(mTicket.signature.sig_type), (uint32_t)mTicket.signature.sig_type);
+		fmt::print("|  |- Issuer:     {:s}\n", mTicket.signature.issuer);
+		fmt::print("|  \\- Signature:  {:s}\n", getTruncatedBytesString(mTicket.signature.sig.data(), mTicket.signature.sig.size(), mVerbose));
+		fmt::print("|- TitleKey:      {}", tc::cli::FormatUtil::formatBytesAsString(mTicket.title_key.data(), mTicket.title_key.size(), true, ""));
+		if (mDecryptedTitleKey.isSet())
+		{
+			fmt::print(" (decrypted: {})", tc::cli::FormatUtil::formatBytesAsString(mDecryptedTitleKey.get().data(), mDecryptedTitleKey.get().size(), true, ""));
+		}
+		fmt::print("\n");
+		fmt::print("|- TicketId:      {:016x}\n", mTicket.ticket_id);
+		fmt::print("|- DeviceId:      {:08x}\n", mTicket.device_id);
+		fmt::print("|- TitleId:       {:016x}\n", mTicket.title_id);
+		fmt::print("|- TicketVersion: {} ({:d})\n", getTitleVersionString(mTicket.ticket_version), mTicket.ticket_version);
+		fmt::print("|- LicenseType:   {:02x}\n", mTicket.license_type);
+		fmt::print("|- KeyId:         {:02x}\n", mTicket.key_id);
+		fmt::print("|- ECAccountID:   {:08x}\n", mTicket.ec_account_id);
+		fmt::print("|- DemoLaunchCnt: {:d}\n", mTicket.launch_count);
+		fmt::print("\\- EnabledContent:\n");
+		std::vector<size_t> enabled_content;
+		for (size_t i = 0; i < mTicket.enabled_content.size(); i++)
+		{
+			if (mTicket.enabled_content.test(i))
+			{
+				enabled_content.push_back(i);
+			}
+		}
+		for (size_t i = 0; i < enabled_content.size(); i++)
+		{
+			fmt::print("   {:1}- 0x{:04x}\n", (i+1 < enabled_content.size() ? "|" : "\\"), enabled_content[i]);
+		}
+	}
+	if (mCertChain.size() > 0)
+	{
+		fmt::print("Certificate Chain:\n");
+		for (size_t i = 0; i < mCertChain.size(); i++)
+		{
+			#define _CERT_FORMAT_MACRO(x,y) (i+1 < mCertChain.size() ? (x) : (y))
+
+			fmt::print("{:1}- Certificate {:d}:\n", _CERT_FORMAT_MACRO("|","\\"), i);
+			fmt::print("{:1}  |- DigitalSignature: {:s}\n", _CERT_FORMAT_MACRO("|"," "), getValidString(mCertSigValid[i]));
+			fmt::print("{:1}  |  |- SigType:    {:s} (0x{:x})\n", _CERT_FORMAT_MACRO("|"," "), getSigTypeString(mCertChain[i].signature.sig_type), (uint32_t)mCertChain[i].signature.sig_type);
+			fmt::print("{:1}  |  |- Issuer:     {:s}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].signature.issuer);
+			fmt::print("{:1}  |  \\- Signature:  {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].signature.sig.data(), mCertChain[i].signature.sig.size(), mVerbose));
+			fmt::print("{:1}  |- Subject:       {:s}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].subject);
+			//fmt::print("{:1}  |- Date:          {:d}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].date);
+			fmt::print("{:1}  \\- PublicKey:     {:s} (0x{:x})\n", _CERT_FORMAT_MACRO("|"," "), getCertificatePublicKeyTypeString(mCertChain[i].public_key_type), (uint32_t)mCertChain[i].public_key_type);
+			switch (mCertChain[i].public_key_type)
+			{
+				case brd::es::ESCertPubKeyType::RSA4096:
+					fmt::print("{:1}     |- m:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa4096_public_key.m.data(), mCertChain[i].rsa4096_public_key.m.size(), mVerbose));
+					fmt::print("{:1}     \\- e:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa4096_public_key.e.data(), mCertChain[i].rsa4096_public_key.e.size(), mVerbose));
+					break;
+				case brd::es::ESCertPubKeyType::RSA2048:
+					fmt::print("{:1}     |- m:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa2048_public_key.m.data(), mCertChain[i].rsa2048_public_key.m.size(), mVerbose));
+					fmt::print("{:1}     \\- e:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa2048_public_key.e.data(), mCertChain[i].rsa2048_public_key.e.size(), mVerbose));
+					break;
+				case brd::es::ESCertPubKeyType::ECC:
+					fmt::print("{:1}     |- x:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].ecc233_public_key.x.data(), mCertChain[i].ecc233_public_key.x.size(), mVerbose));
+					fmt::print("{:1}     \\- y:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].ecc233_public_key.y.data(), mCertChain[i].ecc233_public_key.y.size(), mVerbose));
+					break;
+				default:
+					break;
+			}
+
+			#undef _CERT_FORMAT_MACRO
+		}
+	}
+}
+
+std::string ctrtool::TikProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::TikProcess::getTruncatedBytesString(const byte_t* data, size_t len, bool do_not_truncate)
+{
+	if (data == nullptr) { return fmt::format(""); }
+
+	std::string str = "";
+
+	if (len <= 8 || do_not_truncate)
+	{
+		str = tc::cli::FormatUtil::formatBytesAsString(data, len, true, "");
+	}
+	else
+	{
+		str = fmt::format("{:02X}{:02X}{:02X}{:02X}...{:02X}{:02X}{:02X}{:02X}", data[0], data[1], data[2], data[3], data[len-4], data[len-3], data[len-2], data[len-1]);
+	}
+
+	return str;
+}
+
+std::string ctrtool::TikProcess::getSigTypeString(brd::es::ESSigType sig_type)
+{
+	std::string ret_str;
+
+	switch (sig_type)
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+			ret_str =  "RSA-4096-SHA1";
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+			ret_str =  "RSA-2048-SHA1";
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+			ret_str =  "ECDSA-233-SHA1";
+			break;
+		case brd::es::ESSigType::RSA4096_SHA256:
+			ret_str =  "RSA-4096-SHA256";
+			break;
+		case brd::es::ESSigType::RSA2048_SHA256:
+			ret_str =  "RSA-2048-SHA256";
+			break;
+		case brd::es::ESSigType::ECC_SHA256:
+			ret_str =  "ECDSA-233-SHA256";
+			break;
+		default:
+			ret_str = fmt::format("0x{:x}", (uint32_t)sig_type);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::TikProcess::getCertificatePublicKeyTypeString(brd::es::ESCertPubKeyType public_key_type)
+{
+	std::string ret_str;
+
+	switch (public_key_type)
+	{
+		case brd::es::ESCertPubKeyType::RSA4096:
+			ret_str =  "RSA-4096";
+			break;
+		case brd::es::ESCertPubKeyType::RSA2048:
+			ret_str =  "RSA-2048";
+			break;
+		case brd::es::ESCertPubKeyType::ECC:
+			ret_str =  "ECC-233";
+			break;
+		default:
+			ret_str = fmt::format("0x{:x}", (uint32_t)public_key_type);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::TikProcess::getTitleVersionString(uint16_t version)
+{
+	return fmt::format("{major:d}.{minor:d}.{build:d}", fmt::arg("major", (uint32_t)((version >> 10) & 0x3F)), fmt::arg("minor", (uint32_t)((version >> 4) & 0x3F)), fmt::arg("build", (uint32_t)(version & 0xF)));
+}
\ No newline at end of file
diff --git a/ctrtool/src/TikProcess.h b/ctrtool/src/TikProcess.h
new file mode 100644
index 00000000..0ae59d6b
--- /dev/null
+++ b/ctrtool/src/TikProcess.h
@@ -0,0 +1,60 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include <tc/Optional.h>
+
+#include <ntd/n3ds/es/RsaSigner.h>
+#include <ntd/n3ds/es/Certificate.h>
+#include <ntd/n3ds/es/Ticket.h>
+
+namespace ctrtool {
+
+class TikProcess
+{
+public:
+	TikProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_header_info);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	
+	void process();
+private:
+	std::string mModuleLabel;
+
+	// input args
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowInfo;
+	bool mVerbose;
+	bool mVerify;
+
+	// process variables
+	std::map<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>> mIssuerSigner;
+	std::map<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>> mCertImportedIssuerSigner;
+
+	std::vector<ntd::n3ds::es::Certificate> mCertChain;
+	std::vector<ValidState> mCertSigValid;
+	
+	ntd::n3ds::es::Ticket mTicket;
+	ValidState mTicketSigValid;
+
+	tc::Optional<KeyBag::Aes128Key> mDecryptedTitleKey;
+
+	// helper methods
+	void importIssuerProfiles();
+	void importData();
+	void verifyData();
+	void printData();
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+	std::string getTruncatedBytesString(const byte_t* data, size_t len, bool do_not_truncate = false);
+	std::string getSigTypeString(brd::es::ESSigType sig_type);
+	std::string getCertificatePublicKeyTypeString(brd::es::ESCertPubKeyType public_key_type);
+	std::string getTitleVersionString(uint16_t version);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/TmdProcess.cpp b/ctrtool/src/TmdProcess.cpp
new file mode 100644
index 00000000..ba45c2c1
--- /dev/null
+++ b/ctrtool/src/TmdProcess.cpp
@@ -0,0 +1,347 @@
+#include "TmdProcess.h"
+#include <tc/io.h>
+#include <tc/cli.h>
+#include <tc/crypto.h>
+#include <tc/ArgumentNullException.h>
+#include <tc/NotSupportedException.h>
+
+ctrtool::TmdProcess::TmdProcess() :
+	mModuleLabel("ctrtool::TmdProcess"),
+	mInputStream(),
+	mKeyBag(),
+	mShowInfo(false),
+	mVerbose(false),
+	mVerify(false),
+	mIssuerSigner(),
+	mCertImportedIssuerSigner(),
+	mCertChain(),
+	mCertSigValid(),
+	mTitleMetaData(),
+	mTitleMetaDataSigValid(ValidState::Unchecked)
+{
+}
+
+void ctrtool::TmdProcess::setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream)
+{
+	mInputStream = input_stream;
+}
+
+void ctrtool::TmdProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
+{
+	mKeyBag = key_bag;
+}
+
+void ctrtool::TmdProcess::setCliOutputMode(bool show_info)
+{
+	mShowInfo = show_info;
+}
+
+void ctrtool::TmdProcess::setVerboseMode(bool verbose)
+{
+	mVerbose = verbose;
+}
+
+void ctrtool::TmdProcess::setVerifyMode(bool verify)
+{
+	mVerify = verify;
+}
+
+void ctrtool::TmdProcess::process()
+{
+	importIssuerProfiles();
+	importData();
+
+	if (mVerify)
+	{
+		verifyData();
+	}
+		
+	if (mShowInfo)
+	{
+		printData();
+	}
+}
+
+void ctrtool::TmdProcess::importIssuerProfiles()
+{
+	// import issuer profiles from keybag
+	for (auto itr = mKeyBag.broadon_rsa_signer.begin(); itr != mKeyBag.broadon_rsa_signer.end(); itr++)
+	{
+		brd::es::ESSigType sigType = itr->first == "Root" ? brd::es::ESSigType::RSA4096_SHA256 : brd::es::ESSigType::RSA2048_SHA256;
+		mIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(itr->first, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sigType, itr->first, itr->second.key))));
+	}
+}
+
+void ctrtool::TmdProcess::importData()
+{
+	// validate input stream
+	if (mInputStream == nullptr)
+	{
+		throw tc::ArgumentNullException(mModuleLabel, "Input stream was null.");
+	}
+	if (mInputStream->canRead() == false || mInputStream->canSeek() == false)
+	{
+		throw tc::InvalidOperationException(mModuleLabel, "Input stream requires read/seek permissions.");
+	}
+
+	// process tmd
+	{
+		mTitleMetaData = ntd::n3ds::es::TitleMetaDataDeserialiser(mInputStream);
+		mTitleMetaDataSigValid = ValidState::Unchecked;
+	}
+
+	// process trailing cert chain (this assumes ntd::n3ds::es::TitleMetaDataDeserialiser leaves the stream position at the end of the tmd data)
+	while (mInputStream->position() < mInputStream->length())
+	{
+		std::shared_ptr<tc::io::IStream> cert_stream = std::make_shared<tc::io::SubStream>(tc::io::SubStream(mInputStream, mInputStream->position(), mInputStream->length() - mInputStream->position()));
+		mCertChain.push_back(ntd::n3ds::es::CertificateDeserialiser(cert_stream));
+		mCertSigValid.push_back(ValidState::Unchecked);
+
+		// update position of input stream
+		//mInputStream->seek(cert_stream->position(), tc::io::SeekOrigin::Current);
+
+		// import issuer profile from certificate
+		if (mCertChain.back().public_key_type == brd::es::ESCertPubKeyType::RSA2048)
+		{
+			std::string issuer = fmt::format("{}-{}", mCertChain.back().signature.issuer, mCertChain.back().subject);
+			brd::es::ESSigType sig_type = brd::es::ESSigType::RSA2048_SHA256;
+			auto& public_key = mCertChain.back().rsa2048_public_key;
+			
+			mCertImportedIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(issuer, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sig_type, issuer, tc::crypto::RsaPublicKey(public_key.m.data(), public_key.m.size())))));
+		}
+		else if (mCertChain.back().public_key_type == brd::es::ESCertPubKeyType::RSA4096)
+		{
+			std::string issuer = fmt::format("{}-{}", mCertChain.back().signature.issuer + mCertChain.back().subject);
+			brd::es::ESSigType sig_type = brd::es::ESSigType::RSA4096_SHA256;
+			auto& public_key = mCertChain.back().rsa4096_public_key;
+			
+			mCertImportedIssuerSigner.insert(std::pair<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>>(issuer, std::make_shared<ntd::n3ds::es::RsaSigner>(ntd::n3ds::es::RsaSigner(sig_type, issuer, tc::crypto::RsaPublicKey(public_key.m.data(), public_key.m.size())))));
+		}
+	}
+}
+
+void ctrtool::TmdProcess::verifyData()
+{
+	// verify cert
+	for (size_t i = 0; i < mCertChain.size(); i++)
+	{
+		auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
+		auto local_issuer_itr = mCertImportedIssuerSigner.find(mCertChain[i].signature.issuer);
+		
+		// try first with the keybag imported issuer
+		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		{
+			mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		// fallback try with the issuer profiles imported from the local certificates
+		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		{
+			mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		else
+		{
+			// cannot locate rsa key to verify
+			fmt::print(stderr, "Could not read public key for \"{}\" (certificate).\n", mCertChain[i].signature.issuer);
+			mCertSigValid[i] = ValidState::Fail;
+		}
+	}
+
+	// verify tmd
+	{
+		auto keybag_issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
+		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTitleMetaData.signature.issuer);
+
+		// try first with the keybag imported issuer
+		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		{
+			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		// fallback try with the issuer profiles imported from the local certificates
+		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		{
+			mTitleMetaDataSigValid = local_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+		}
+		else
+		{
+			// cannot locate rsa key to verify
+			fmt::print(stderr, "Could not read public key for \"{}\" (tmd).\n", mTitleMetaData.signature.issuer);
+			mTitleMetaDataSigValid = ValidState::Fail;
+		}
+	}
+}
+
+void ctrtool::TmdProcess::printData()
+{	
+	{
+		fmt::print("TitleMetaData:\n");
+		fmt::print("|- DigitalSignature: {:s}\n", getValidString(mTitleMetaDataSigValid));
+		fmt::print("|  |- SigType:    {:s} (0x{:x})\n", getSigTypeString(mTitleMetaData.signature.sig_type), (uint32_t)mTitleMetaData.signature.sig_type);
+		fmt::print("|  |- Issuer:     {:s}\n", mTitleMetaData.signature.issuer);
+		fmt::print("|  \\- Signature:  {:s}\n", getTruncatedBytesString(mTitleMetaData.signature.sig.data(), mTitleMetaData.signature.sig.size(), mVerbose));
+		fmt::print("|- TitleId:       {:016x}\n", mTitleMetaData.title_id);
+		fmt::print("|- TitleVersion:  {} ({:d})\n", getTitleVersionString(mTitleMetaData.title_version), mTitleMetaData.title_version);
+		fmt::print("|- CustomData:\n");
+		// TWL Title
+		if (isTwlTitle(mTitleMetaData.title_id))
+		{
+			fmt::print("|  |- PublicSaveDataSize:  0x{:x}\n", mTitleMetaData.twl_custom_data.public_save_data_size);
+			fmt::print("|  |- PrivateSaveDataSize: 0x{:x}\n", mTitleMetaData.twl_custom_data.private_save_data_size);
+			fmt::print("|  \\- Flag:                0x{:02x}\n", mTitleMetaData.twl_custom_data.flag);
+		}
+		// CTR
+		else
+		{
+			fmt::print("|  |- SaveDataSize: 0x{:x}\n", mTitleMetaData.ctr_custom_data.save_data_size);
+			fmt::print("|  \\- IsSnakeOnly: {}\n", mTitleMetaData.ctr_custom_data.is_snake_only);
+		}
+		fmt::print("\\- ContentInfo:\n");
+		for (size_t i = 0; i < mTitleMetaData.content_info.size(); i++)
+		{
+			fmt::print("   {:1}- 0x{:04x}:\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : "\\"), mTitleMetaData.content_info[i].index);
+			fmt::print("   {:1}  |- ContentId:   0x{:08x}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), mTitleMetaData.content_info[i].id);
+			fmt::print("   {:1}  |- Encrypted:   {}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), (mTitleMetaData.content_info[i].is_encrypted ? "YES" : "NO"));
+			fmt::print("   {:1}  |- Optional:    {}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), (mTitleMetaData.content_info[i].is_optional ? "YES" : "NO"));
+			fmt::print("   {:1}  |- Size:        0x{:x}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""), mTitleMetaData.content_info[i].size);
+			fmt::print("   {:1}  \\- Hash:        {}\n", (i+1 < mTitleMetaData.content_info.size() ? "|" : ""),
+				tc::cli::FormatUtil::formatBytesAsString(mTitleMetaData.content_info[i].hash.data(), mTitleMetaData.content_info[i].hash.size(), true, ""));
+		}
+	}
+	if (mCertChain.size() > 0)
+	{
+		fmt::print("Certificate Chain:\n");
+		for (size_t i = 0; i < mCertChain.size(); i++)
+		{
+			#define _CERT_FORMAT_MACRO(x,y) (i+1 < mCertChain.size() ? (x) : (y))
+
+			fmt::print("{:1}- Certificate {:d}:\n", _CERT_FORMAT_MACRO("|","\\"), i);
+			fmt::print("{:1}  |- DigitalSignature: {:s}\n", _CERT_FORMAT_MACRO("|"," "), getValidString(mCertSigValid[i]));
+			fmt::print("{:1}  |  |- SigType:    {:s} (0x{:x})\n", _CERT_FORMAT_MACRO("|"," "), getSigTypeString(mCertChain[i].signature.sig_type), (uint32_t)mCertChain[i].signature.sig_type);
+			fmt::print("{:1}  |  |- Issuer:     {:s}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].signature.issuer);
+			fmt::print("{:1}  |  \\- Signature:  {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].signature.sig.data(), mCertChain[i].signature.sig.size(), mVerbose));
+			fmt::print("{:1}  |- Subject:       {:s}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].subject);
+			//fmt::print("{:1}  |- Date:          {:d}\n", _CERT_FORMAT_MACRO("|"," "), mCertChain[i].date);
+			fmt::print("{:1}  \\- PublicKey:     {:s} (0x{:x})\n", _CERT_FORMAT_MACRO("|"," "), getCertificatePublicKeyTypeString(mCertChain[i].public_key_type), (uint32_t)mCertChain[i].public_key_type);
+			switch (mCertChain[i].public_key_type)
+			{
+				case brd::es::ESCertPubKeyType::RSA4096:
+					fmt::print("{:1}     |- m:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa4096_public_key.m.data(), mCertChain[i].rsa4096_public_key.m.size(), mVerbose));
+					fmt::print("{:1}     \\- e:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa4096_public_key.e.data(), mCertChain[i].rsa4096_public_key.e.size(), mVerbose));
+					break;
+				case brd::es::ESCertPubKeyType::RSA2048:
+					fmt::print("{:1}     |- m:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa2048_public_key.m.data(), mCertChain[i].rsa2048_public_key.m.size(), mVerbose));
+					fmt::print("{:1}     \\- e:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].rsa2048_public_key.e.data(), mCertChain[i].rsa2048_public_key.e.size(), mVerbose));
+					break;
+				case brd::es::ESCertPubKeyType::ECC:
+					fmt::print("{:1}     |- x:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].ecc233_public_key.x.data(), mCertChain[i].ecc233_public_key.x.size(), mVerbose));
+					fmt::print("{:1}     \\- y:          {:s}\n", _CERT_FORMAT_MACRO("|"," "), getTruncatedBytesString(mCertChain[i].ecc233_public_key.y.data(), mCertChain[i].ecc233_public_key.y.size(), mVerbose));
+					break;
+				default:
+					break;
+			}
+
+			#undef _CERT_FORMAT_MACRO
+		}
+	}
+}
+
+bool ctrtool::TmdProcess::isTwlTitle(uint64_t title_id)
+{
+	return ((title_id >> 47) & 1) == 1;
+}
+
+std::string ctrtool::TmdProcess::getValidString(byte_t validstate)
+{
+	std::string ret_str;
+
+	switch (validstate)
+	{
+		case ValidState::Unchecked:
+			ret_str =  "";
+			break;
+		case ValidState::Good:
+			ret_str =  "(GOOD)";
+			break;
+		case ValidState::Fail:
+		default:
+			ret_str =  "(FAIL)";
+			break;
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::TmdProcess::getTruncatedBytesString(const byte_t* data, size_t len, bool do_not_truncate)
+{
+	if (data == nullptr) { return fmt::format(""); }
+
+	std::string str = "";
+
+	if (len <= 8 || do_not_truncate)
+	{
+		str = tc::cli::FormatUtil::formatBytesAsString(data, len, true, "");
+	}
+	else
+	{
+		str = fmt::format("{:02X}{:02X}{:02X}{:02X}...{:02X}{:02X}{:02X}{:02X}", data[0], data[1], data[2], data[3], data[len-4], data[len-3], data[len-2], data[len-1]);
+	}
+
+	return str;
+}
+
+std::string ctrtool::TmdProcess::getSigTypeString(brd::es::ESSigType sig_type)
+{
+	std::string ret_str;
+
+	switch (sig_type)
+	{
+		case brd::es::ESSigType::RSA4096_SHA1:
+			ret_str =  "RSA-4096-SHA1";
+			break;
+		case brd::es::ESSigType::RSA2048_SHA1:
+			ret_str =  "RSA-2048-SHA1";
+			break;
+		case brd::es::ESSigType::ECC_SHA1:
+			ret_str =  "ECDSA-233-SHA1";
+			break;
+		case brd::es::ESSigType::RSA4096_SHA256:
+			ret_str =  "RSA-4096-SHA256";
+			break;
+		case brd::es::ESSigType::RSA2048_SHA256:
+			ret_str =  "RSA-2048-SHA256";
+			break;
+		case brd::es::ESSigType::ECC_SHA256:
+			ret_str =  "ECDSA-233-SHA256";
+			break;
+		default:
+			ret_str = fmt::format("0x{:x}", (uint32_t)sig_type);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::TmdProcess::getCertificatePublicKeyTypeString(brd::es::ESCertPubKeyType public_key_type)
+{
+	std::string ret_str;
+
+	switch (public_key_type)
+	{
+		case brd::es::ESCertPubKeyType::RSA4096:
+			ret_str =  "RSA-4096";
+			break;
+		case brd::es::ESCertPubKeyType::RSA2048:
+			ret_str =  "RSA-2048";
+			break;
+		case brd::es::ESCertPubKeyType::ECC:
+			ret_str =  "ECC-233";
+			break;
+		default:
+			ret_str = fmt::format("0x{:x}", (uint32_t)public_key_type);
+	}
+
+	return ret_str;
+}
+
+std::string ctrtool::TmdProcess::getTitleVersionString(uint16_t version)
+{
+	return fmt::format("{major:d}.{minor:d}.{build:d}", fmt::arg("major", (uint32_t)((version >> 10) & 0x3F)), fmt::arg("minor", (uint32_t)((version >> 4) & 0x3F)), fmt::arg("build", (uint32_t)(version & 0xF)));
+}
\ No newline at end of file
diff --git a/ctrtool/src/TmdProcess.h b/ctrtool/src/TmdProcess.h
new file mode 100644
index 00000000..fd9232d9
--- /dev/null
+++ b/ctrtool/src/TmdProcess.h
@@ -0,0 +1,60 @@
+#pragma once
+#include "types.h"
+#include "KeyBag.h"
+#include <tc/Optional.h>
+
+#include <ntd/n3ds/es/RsaSigner.h>
+#include <ntd/n3ds/es/Certificate.h>
+#include <ntd/n3ds/es/TitleMetaData.h>
+
+namespace ctrtool {
+
+class TmdProcess
+{
+public:
+	TmdProcess();
+
+	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
+	void setKeyBag(const ctrtool::KeyBag& key_bag);
+	void setCliOutputMode(bool show_header_info);
+	void setVerboseMode(bool verbose);
+	void setVerifyMode(bool verify);
+	
+	void process();
+private:
+	std::string mModuleLabel;
+
+	// input args
+	std::shared_ptr<tc::io::IStream> mInputStream;
+	ctrtool::KeyBag mKeyBag;
+	bool mShowInfo;
+	bool mVerbose;
+	bool mVerify;
+
+	// process variables
+	std::map<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>> mIssuerSigner;
+	std::map<std::string, std::shared_ptr<ntd::n3ds::es::ISigner>> mCertImportedIssuerSigner;
+
+	std::vector<ntd::n3ds::es::Certificate> mCertChain;
+	std::vector<ValidState> mCertSigValid;
+	
+	ntd::n3ds::es::TitleMetaData mTitleMetaData;
+	ValidState mTitleMetaDataSigValid;
+
+	// helper methods
+	void importIssuerProfiles();
+	void importData();
+	void verifyData();
+	void printData();
+
+	bool isTwlTitle(uint64_t title_id);
+
+	// string utils
+	std::string getValidString(byte_t validstate);
+	std::string getTruncatedBytesString(const byte_t* data, size_t len, bool do_not_truncate = false);
+	std::string getSigTypeString(brd::es::ESSigType sig_type);
+	std::string getCertificatePublicKeyTypeString(brd::es::ESCertPubKeyType public_key_type);
+	std::string getTitleVersionString(uint16_t version);
+};
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/main.cpp b/ctrtool/src/main.cpp
index 2901c416..680bb6a8 100644
--- a/ctrtool/src/main.cpp
+++ b/ctrtool/src/main.cpp
@@ -12,6 +12,8 @@
 #include "LzssProcess.h"
 #include "CrrProcess.h"
 #include "FirmProcess.h"
+#include "TikProcess.h"
+#include "TmdProcess.h"
 
 #include <tc/io/SubStream.h>
 #include <ntd/n3ds/IvfcStream.h>
@@ -182,6 +184,26 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			proc.setFirmwareType(set.firm.firm_type);
 			proc.process();
 		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_TIK)
+		{
+			ctrtool::TikProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			proc.process();
+		}
+		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_TMD)
+		{
+			ctrtool::TmdProcess proc;
+			proc.setInputStream(infile_stream);
+			proc.setKeyBag(set.opt.keybag);
+			proc.setCliOutputMode(true);
+			proc.setVerboseMode(set.opt.verbose);
+			proc.setVerifyMode(set.opt.verify);
+			proc.process();
+		}
 		
 		switch (set.infile.filetype)
 		{

From fb824cab046b65154adb6b8e610395a271f94d77 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 17:40:55 +0800
Subject: [PATCH 260/317] Comment debug text in umain()

---
 ctrtool/src/main.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ctrtool/src/main.cpp b/ctrtool/src/main.cpp
index 680bb6a8..add642bc 100644
--- a/ctrtool/src/main.cpp
+++ b/ctrtool/src/main.cpp
@@ -205,6 +205,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			proc.process();
 		}
 		
+		/*
 		switch (set.infile.filetype)
 		{
 			case ctrtool::Settings::FILE_TYPE_NCSD :
@@ -256,6 +257,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 				fmt::print("## unknown({}) ##\n", (int)set.infile.filetype);
 				break;
 		}
+		*/
 		
 	}
 	catch (tc::Exception& e)

From 4ded736c72fc68cd74b7fcccb42b0888ec78a01c Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 13 Mar 2022 17:44:28 +0800
Subject: [PATCH 261/317] Add TikProcess and TmdProcess to VS project files.

---
 ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj   |  4 ++++
 .../visualstudio/CTRTool/CTRTool.vcxproj.filters     | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
index 69ff2fe8..c8f7dc3f 100644
--- a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
+++ b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
@@ -151,6 +151,8 @@
     <ClInclude Include="..\..\..\src\RomFsProcess.h" />
     <ClInclude Include="..\..\..\src\Settings.h" />
     <ClInclude Include="..\..\..\src\types.h" />
+    <ClInclude Include="..\..\..\src\TikProcess.h" />
+    <ClInclude Include="..\..\..\src\TmdProcess.h" />
     <ClInclude Include="..\..\..\src\version.h" />
   </ItemGroup>
   <ItemGroup>
@@ -168,6 +170,8 @@
     <ClCompile Include="..\..\..\src\NcchProcess.cpp" />
     <ClCompile Include="..\..\..\src\RomFsProcess.cpp" />
     <ClCompile Include="..\..\..\src\Settings.cpp" />
+    <ClCompile Include="..\..\..\src\TikProcess.cpp" />
+    <ClCompile Include="..\..\..\src\TmdProcess.cpp" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj">
diff --git a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
index 947c47c1..91b9ca0f 100644
--- a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
+++ b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
@@ -60,6 +60,12 @@
     <ClInclude Include="..\..\..\src\types.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\..\src\TikProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\src\TmdProcess.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
     <ClInclude Include="..\..\..\src\version.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -107,5 +113,11 @@
     <ClCompile Include="..\..\..\src\Settings.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\src\TikProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\TmdProcess.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>
\ No newline at end of file

From b73d95ef897dc5b7142d6d2428b53491a9b640e1 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 14 Mar 2022 17:11:25 +0800
Subject: [PATCH 262/317] Change -x/--extract option handling to be as a
 deprecated option.

---
 ctrtool/src/Settings.cpp | 6 +++---
 ctrtool/src/Settings.h   | 2 --
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/ctrtool/src/Settings.cpp b/ctrtool/src/Settings.cpp
index 34d07cc1..1cfafbe4 100644
--- a/ctrtool/src/Settings.cpp
+++ b/ctrtool/src/Settings.cpp
@@ -407,6 +407,7 @@ void ctrtool::SettingsInitializer::parse_args(const std::vector<std::string>& ar
 	opts.registerUnrecognisedOptionHandler(std::shared_ptr<UnkOptionHandler>(new UnkOptionHandler(mModuleLabel)));
 
 	// register handler for deprecated options DeprecatedOptionHandler
+	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("Extract flag is redundant.", {"-x", "--extract"})));
 	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("Generic AES/RSA keys are initialised internally.", {"-k", "--keyset"})));
 	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("", {"--unitsize"})));
 	opts.registerOptionHandler(std::shared_ptr<DeprecatedOptionHandler>(new DeprecatedOptionHandler("All common keys are initialised internally.", {"--commonkey"})));
@@ -416,7 +417,6 @@ void ctrtool::SettingsInitializer::parse_args(const std::vector<std::string>& ar
 
 	// get option flags
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.info, {"-i", "--info"})));
-	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.info, {"-x", "--extract"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.plain, {"-p", "--plain"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.raw, {"-r", "--raw"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.verbose, {"-v", "--verbose"})));
@@ -595,8 +595,8 @@ void ctrtool::SettingsInitializer::usage_text()
 		"Options:\n"
 		"  -i, --info         Show file info.\n"
 		"                          This is the default action.\n"
-		"  -x, --extract      Extract data from file.\n"
-		"                          This is also the default action.\n"
+		//"  -x, --extract      Extract data from file.\n"
+		//"                          This is also the default action.\n"
 		"  -p, --plain        Extract data without decrypting.\n"
 		"  -r, --raw          Keep raw data, don't unpack.\n"
 		//"  -k, --keyset=file  Specify keyset file.\n"
diff --git a/ctrtool/src/Settings.h b/ctrtool/src/Settings.h
index c8a839af..be4ef4bc 100644
--- a/ctrtool/src/Settings.h
+++ b/ctrtool/src/Settings.h
@@ -40,7 +40,6 @@ struct Settings
 	struct Options
 	{
 		bool info;
-		bool extract;
 		bool plain;
 		bool raw;
 		bool verbose;
@@ -124,7 +123,6 @@ struct Settings
 		infile.path = tc::Optional<tc::io::Path>();
 
 		opt.info = true;
-		opt.extract = true;
 		opt.plain = false;
 		opt.raw = false;
 		opt.verbose = false;

From d3343000f4eb7998ff9f8f44512737eb585479ba Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 14 Mar 2022 17:12:23 +0800
Subject: [PATCH 263/317] Misc whitespace removal

---
 ctrtool/src/CiaProcess.cpp | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index bf5c7d1b..9ebbb82f 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -128,13 +128,12 @@ void ctrtool::CiaProcess::process()
 		verifyMetadata();
 		verifyContent();
 	}
-		
+	
 	if (mShowHeaderInfo)
 	{
 		printHeader();
 	}
-		
-		
+
 	extractCia();
 	processContent();
 }

From f08c3a11a0d740694ed27f3324833a19e951f1f4 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 14 Mar 2022 17:12:46 +0800
Subject: [PATCH 264/317] Remove "FS" view option from CciProcess as it was
 never going to be used.

---
 ctrtool/src/CciProcess.cpp | 19 +------------------
 ctrtool/src/CciProcess.h   |  4 +---
 2 files changed, 2 insertions(+), 21 deletions(-)

diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
index e4424ca0..fccad6fa 100644
--- a/ctrtool/src/CciProcess.cpp
+++ b/ctrtool/src/CciProcess.cpp
@@ -14,7 +14,6 @@ ctrtool::CciProcess::CciProcess() :
 	mInputStream(),
 	mKeyBag(),
 	mShowHeaderInfo(false),
-	mShowFs(false),
 	mVerbose(false),
 	mVerify(false),
 	mExtractPath(),
@@ -41,10 +40,9 @@ void ctrtool::CciProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
 	mNcchProcess.setKeyBag(key_bag);
 }
 
-void ctrtool::CciProcess::setCliOutputMode(bool show_header_info, bool show_fs)
+void ctrtool::CciProcess::setCliOutputMode(bool show_header_info)
 {
 	mShowHeaderInfo = show_header_info;
-	mShowFs = show_fs;
 }
 
 void ctrtool::CciProcess::setVerboseMode(bool verbose)
@@ -96,8 +94,6 @@ void ctrtool::CciProcess::process()
 		verifyHeader();
 	if (mShowHeaderInfo)
 		printHeader();
-	if (mShowFs)
-		printFs();
 	if (mExtractPath.isSet())
 		extractFs();
 	processContent();
@@ -330,19 +326,6 @@ void ctrtool::CciProcess::printHeader()
 	fmt::print(" TitleKey:               {}\n", tc::cli::FormatUtil::formatBytesAsString(mHeader.card_device_info.title_key.data(), mHeader.card_device_info.title_key.size(), true, ""));
 }
 
-void ctrtool::CciProcess::printFs()
-{
-	tc::io::sDirectoryListing dir;
-	mFsReader->getDirectoryListing(tc::io::Path("/"), dir);
-
-	fmt::print("[CCI Filesystem]\n");
-	fmt::print("  CCI:/\n");
-	for (auto itr = dir.file_list.begin(); itr != dir.file_list.end(); itr++)
-	{
-		fmt::print("    {}\n", *itr); 
-	}
-}
-
 void ctrtool::CciProcess::extractFs()
 {
 	tc::io::LocalFileSystem local_fs;
diff --git a/ctrtool/src/CciProcess.h b/ctrtool/src/CciProcess.h
index 5167e166..7d845617 100644
--- a/ctrtool/src/CciProcess.h
+++ b/ctrtool/src/CciProcess.h
@@ -15,7 +15,7 @@ class CciProcess
 
 	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
 	void setKeyBag(const ctrtool::KeyBag& key_bag);
-	void setCliOutputMode(bool show_header_info, bool show_fs);
+	void setCliOutputMode(bool show_header_info);
 	void setVerboseMode(bool verbose);
 	void setVerifyMode(bool verify);
 	void setExtractPath(const tc::io::Path& extract_path);
@@ -34,7 +34,6 @@ class CciProcess
 	std::shared_ptr<tc::io::IStream> mInputStream;
 	ctrtool::KeyBag mKeyBag;
 	bool mShowHeaderInfo;
-	bool mShowFs;
 	bool mVerbose;
 	bool mVerify;
 	tc::Optional<tc::io::Path> mExtractPath;
@@ -52,7 +51,6 @@ class CciProcess
 	void importHeader();
 	void verifyHeader();
 	void printHeader();
-	void printFs();
 	void extractFs();
 	void processContent();
 

From 8108bea6dec48ae4aeaec930ed3bf2af5b4978b4 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 14 Mar 2022 17:13:23 +0800
Subject: [PATCH 265/317] Use set.opt.info into *Process::setCliOutputMode()
 instead of hardcoding values.

---
 ctrtool/src/main.cpp | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/ctrtool/src/main.cpp b/ctrtool/src/main.cpp
index add642bc..a5a8bf17 100644
--- a/ctrtool/src/main.cpp
+++ b/ctrtool/src/main.cpp
@@ -30,7 +30,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 		{
 			ctrtool::ExeFsProcess proc;
 			proc.setInputStream(infile_stream);
-			proc.setCliOutputMode(true, set.exefs.list_fs);
+			proc.setCliOutputMode(set.opt.info, set.exefs.list_fs);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			proc.setRawMode(set.opt.raw);
@@ -46,7 +46,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::RomFsProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true, set.romfs.list_fs);
+			proc.setCliOutputMode(set.opt.info, set.romfs.list_fs);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			if (set.romfs.extract_path.isSet())
@@ -60,7 +60,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::IvfcProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true, set.romfs.list_fs);
+			proc.setCliOutputMode(set.opt.info, set.romfs.list_fs);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			if (set.romfs.extract_path.isSet())
@@ -79,12 +79,12 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			proc.setRawMode(set.opt.raw);
 			proc.setPlainMode(set.opt.raw);
 			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
-			proc.setRegionProcessOutputMode(proc.NcchRegion_Header, true, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
-			proc.setRegionProcessOutputMode(proc.NcchRegion_ExHeader, true, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
+			proc.setRegionProcessOutputMode(proc.NcchRegion_Header, set.opt.info, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
+			proc.setRegionProcessOutputMode(proc.NcchRegion_ExHeader, set.opt.info, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
 			proc.setRegionProcessOutputMode(proc.NcchRegion_PlainRegion, false, false, set.ncch.plainregion_path, tc::Optional<tc::io::Path>());
 			proc.setRegionProcessOutputMode(proc.NcchRegion_Logo, false, false, set.ncch.logo_path, tc::Optional<tc::io::Path>());
-			proc.setRegionProcessOutputMode(proc.NcchRegion_ExeFs, true, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
-			proc.setRegionProcessOutputMode(proc.NcchRegion_RomFs, true, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
+			proc.setRegionProcessOutputMode(proc.NcchRegion_ExeFs, set.opt.info, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
+			proc.setRegionProcessOutputMode(proc.NcchRegion_RomFs, set.opt.info, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
 			proc.process();
 		}
 		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_EXHEADER)
@@ -92,7 +92,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::ExHeaderProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true);
+			proc.setCliOutputMode(set.opt.info);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
@@ -104,7 +104,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::CciProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true, false);
+			proc.setCliOutputMode(set.opt.info);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			if (set.rom.content_extract_path.isSet())
@@ -113,12 +113,12 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			proc.setRawMode(set.opt.raw);
 			proc.setPlainMode(set.opt.plain);
 			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Header, true, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExHeader, true, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Header, set.opt.info, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExHeader, set.opt.info, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
 			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_PlainRegion, false, false, set.ncch.plainregion_path, tc::Optional<tc::io::Path>());
 			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Logo, false, false, set.ncch.logo_path, tc::Optional<tc::io::Path>());
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExeFs, true, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_RomFs, true, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExeFs, set.opt.info, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_RomFs, set.opt.info, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
 			proc.process();
 		}
 		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_CIA)
@@ -143,12 +143,12 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			proc.setRawMode(set.opt.raw);
 			proc.setPlainMode(set.opt.plain);
 			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Header, true, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExHeader, true, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Header, set.opt.info, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExHeader, set.opt.info, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());
 			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_PlainRegion, false, false, set.ncch.plainregion_path, tc::Optional<tc::io::Path>());
 			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_Logo, false, false, set.ncch.logo_path, tc::Optional<tc::io::Path>());
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExeFs, true, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
-			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_RomFs, true, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_ExeFs, set.opt.info, set.exefs.list_fs, set.ncch.exefs_path, set.exefs.extract_path);
+			proc.setNcchRegionProcessOutputMode(ctrtool::NcchProcess::NcchRegion_RomFs, set.opt.info, set.romfs.list_fs, set.ncch.romfs_path, set.romfs.extract_path);
 			proc.process();
 		}
 		else if (set.infile.filetype == ctrtool::Settings::FILE_TYPE_LZSS)
@@ -164,7 +164,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::CrrProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true);
+			proc.setCliOutputMode(set.opt.info);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			proc.process();
@@ -174,7 +174,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::FirmProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true);
+			proc.setCliOutputMode(set.opt.info);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			if (set.firm.extract_path.isSet())
@@ -189,7 +189,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::TikProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true);
+			proc.setCliOutputMode(set.opt.info);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			proc.process();
@@ -199,7 +199,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::TmdProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true);
+			proc.setCliOutputMode(set.opt.info);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			proc.process();

From c861f0eb7692d9bf469cf1530914f20888ace2e1 Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Mon, 14 Mar 2022 18:19:37 +0800
Subject: [PATCH 266/317] Update README.md

---
 README.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 6587032d..50b4d922 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,6 @@
 Project_CTR
 ===========
 
-ctrtool - updated version of neimod's ctrtool.
+ctrtool - a tool to read/extract Nintendo 3DS files.
 
 makerom - creates CTR cxi/cfa/cci/cia files.
-
-# Community Input Wanted
-I'm looking for some feedback on where to take Project_CTR, see here:
-https://github.com/3DSGuy/Project_CTR/issues/103

From dd7c33e9964398d570e92b4b69ebe9fed91e8a6b Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 14 Mar 2022 21:44:09 +0800
Subject: [PATCH 267/317] [ctrtool] Fix common-key 05 init.

---
 ctrtool/src/KeyBag.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ctrtool/src/KeyBag.cpp b/ctrtool/src/KeyBag.cpp
index 55ebc085..26ff7acb 100644
--- a/ctrtool/src/KeyBag.cpp
+++ b/ctrtool/src/KeyBag.cpp
@@ -127,9 +127,9 @@ void ctrtool::KeyBagInitializer::addStaticAesKeys(bool isDev)
 		},
 		{
 			// retail
-			{COMMONKEY_UNUSED_4, {0xA5, 0x05, 0x1C, 0xA1, 0xB3, 0x7D, 0xCF, 0x3A, 0xFB, 0xCF, 0x8C, 0xC1, 0xED, 0xD9, 0xCE, 0x02}},
+			{COMMONKEY_UNUSED_5, {0xA5, 0x05, 0x1C, 0xA1, 0xB3, 0x7D, 0xCF, 0x3A, 0xFB, 0xCF, 0x8C, 0xC1, 0xED, 0xD9, 0xCE, 0x02}},
 			// dev
-			{COMMONKEY_UNUSED_4, {0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63}},
+			{COMMONKEY_UNUSED_5, {0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63}},
 		}
 	};
 	

From cc8a4d6ccbc3e49707dceec563e1ef25c53ce184 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 14 Mar 2022 21:44:24 +0800
Subject: [PATCH 268/317] Bump version.

---
 ctrtool/src/version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index 2f0406dd..ac894438 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -3,5 +3,5 @@
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
 #define VER_MINOR	0
-#define VER_PATCH	0
+#define VER_PATCH	1
 #define AUTHORS		"jakcron"
\ No newline at end of file

From 986a8cd85979e0b9d4051a365b3f5f6bf4900ee7 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 19 Mar 2022 15:04:07 +0800
Subject: [PATCH 269/317] Add readme and build instructions.

---
 ctrtool/BUILDING.md | 22 +++++++++++++
 ctrtool/README.md   | 75 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 ctrtool/BUILDING.md
 create mode 100644 ctrtool/README.md

diff --git a/ctrtool/BUILDING.md b/ctrtool/BUILDING.md
new file mode 100644
index 00000000..f0735f12
--- /dev/null
+++ b/ctrtool/BUILDING.md
@@ -0,0 +1,22 @@
+# Building
+## Linux (incl. Windows Subsystem for Linux) & MacOS - Makefile
+### Requirements
+* `make`
+* Terminal access
+* Typical GNU compatible development tools (e.g. `clang`, `g++`, `c++`, `ar` etc) with __C++11__ support
+
+### Using Makefile
+* `make` (default) - Compile program
+	* Compiling the program requires local dependencies to be compiled via `make deps` beforehand
+* `make clean` - Remove executable and object files
+* `make deps` - Compile locally included dependency libraries
+* `make clean_deps` - Remove compiled library binaries and object files
+
+## Native Windows - Visual Studio
+### Requirements
+* [Visual Studio Community](https://visualstudio.microsoft.com/vs/community/) 2015 / 2017 / 2019
+
+### Compiling CTRTool
+* Open `build/visualstudio/CTRTool.sln` in Visual Studio
+* Select Target (e.g `Debug`|`Release` & `x86`|`x64`)
+* Navigate to `Build`->`Build Solution`
\ No newline at end of file
diff --git a/ctrtool/README.md b/ctrtool/README.md
new file mode 100644
index 00000000..8eb97003
--- /dev/null
+++ b/ctrtool/README.md
@@ -0,0 +1,75 @@
+# CTR Tool (CTRTool)
+General purpose reading/extraction tool for Nintendo 3DS file formats.
+
+## Supported File Formats
+* ExeFs (.exefs)
+* RomFs (.romfs) (and RomFS wrapped in IVFC)
+* NCCH Format Variants:
+  * CTR Executable Image (.cxi)
+  * CTR File Archive (.cfa)
+  * CIP (.cip) (These are the processes bundled with the kernel image)
+* NCCH ExtendedHeader (.exhdr)
+* CTR Importable Archive (.cia)
+* NCSD Format Variants:
+  * CTR Card Image (.cci/.3ds/.3dz)
+  * CTR System Update (.csu)
+* ES TitleMetaData (.tmd)
+* ES eTicket (.tik)
+* Firmware Images (.firm)
+* CRR (.crr)
+
+
+# Usage
+```
+Usage: ctrtool [options... ] <file>
+Options:
+  -i, --info         Show file info.
+                          This is the default action.
+  -p, --plain        Extract data without decrypting.
+  -r, --raw          Keep raw data, don't unpack.
+  -v, --verbose      Give verbose output.
+  -y, --verify       Verify hashes and signatures.
+  -d, --dev          Decrypt with development keys instead of retail.
+  --titlekey=key     Set tik title key.
+  --seeddb=file      Set seeddb for ncch seed crypto.
+  --seed=key         Set specific seed for ncch seed crypto.
+  --showsyscalls     Show system call names instead of numbers.
+  -t, --intype=type  Specify input file type. [cia, tik, tmd, ncsd, ncch, exheader, exefs, romfs, firm, lzss]
+                     (only needed when file type isn't detected automatically)
+CCI options:
+  -n, --ncch=index   Specify NCCH partition index.
+  --contents=dir     Specify Contents directory path.
+CIA options:
+  -n, --ncch=index   Specify NCCH partition index.
+  --contents=dir     Specify Contents directory path.
+  --certs=file       Specify Certificate chain file path.
+  --tik=file         Specify Ticket file path.
+  --tmd=file         Specify TMD file path.
+  --footer=file      Specify Footer file path.
+NCCH options:
+  --exheader=file    Specify Extended Header file path.
+  --logo=file        Specify Logo file path.
+  --plainrgn=file    Specify Plain region file path
+  --exefs=file       Specify ExeFS file path.
+  --romfs=file       Specify RomFS file path.
+EXEFS options:
+  --exefsdir=dir     Specify ExeFS directory path.
+  --listexefs        List files in ExeFS.
+  --decompresscode   Decompress .code section
+                     (only needed when using raw ExeFS file)
+ROMFS options:
+  --romfsdir=dir     Specify RomFS directory path.
+  --listromfs        List files in RomFS.
+FIRM options:
+  --firmdir=dir      Specify Firm directory path.
+  --firmtype=type    Specify Firm location type, this determines encryption/signing.
+                       - nand: (default) FIRM images installed to internal NAND,
+                       - ngc: FIRM images loaded from NTR game card at boot,
+                       - nor: FIRM images loaded from WiFi board NOR at boot,
+                       - sdmc: FIRM images installed from SD card by FIRM installers (internal dev tool).
+LZSS options:
+  --lzssout=file     Specify lzss output file
+```
+
+# Building
+See [BUILDING.md](/BUILDING.md).
\ No newline at end of file

From 400a68e1baf632507b62ec3f7dd9d273ae7468b9 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sat, 19 Mar 2022 15:05:38 +0800
Subject: [PATCH 270/317] Fix link to BUILDING.md

---
 ctrtool/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/README.md b/ctrtool/README.md
index 8eb97003..183f6164 100644
--- a/ctrtool/README.md
+++ b/ctrtool/README.md
@@ -72,4 +72,4 @@ LZSS options:
 ```
 
 # Building
-See [BUILDING.md](/BUILDING.md).
\ No newline at end of file
+See [BUILDING.md](/ctrtool/BUILDING.md).
\ No newline at end of file

From 1684a3a7e02e18de007e6c28bca296f3c783b861 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 27 Mar 2022 09:09:10 +0800
Subject: [PATCH 271/317] Correct documentation about automatic alignment
 padding.

---
 ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h b/ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h
index e9a38fe1..d712d4a1 100644
--- a/ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h
+++ b/ctrtool/deps/libbroadon-es/include/brd/es/es_ticket.h
@@ -109,8 +109,8 @@ struct ESTicket
     ESTicketCustomData        customData;        // 20-byte custom data
     ESTicketReserved          reserved;          // 25-byte reserved info
     uint8_t                   audit;             //
-    /* 2 bytes alignment padding */
     ESCidxMask                cidxMask;          // Bit-mask of the content indices
+    /* 2 bytes alignment padding */
     ESLimitedPlayArray        limits;            // Limited play entries
 };
 static_assert(sizeof(ESTicket) == 676, "ESTicket size");

From 5f58433bcf96f5530ff9b133435a66b1a664ec3c Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 28 Mar 2022 15:49:01 +0800
Subject: [PATCH 272/317] Fix issue where titleid was being read incorrectly
 when importing SeedDB.

---
 ctrtool/src/KeyBag.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/KeyBag.cpp b/ctrtool/src/KeyBag.cpp
index 26ff7acb..10275a4c 100644
--- a/ctrtool/src/KeyBag.cpp
+++ b/ctrtool/src/KeyBag.cpp
@@ -921,7 +921,7 @@ void ctrtool::KeyBagInitializer::importSeedDb(const std::shared_ptr<tc::io::ISou
 	// import entries
 	for (size_t i = 0; i < n_entries; i++)
 	{
-		seed_db.insert(std::pair<byte_t, KeyBag::Aes128Key>(entry[i].title_id.unwrap(), entry[i].seed));
+		seed_db.insert(std::pair<uint64_t, KeyBag::Aes128Key>(entry[i].title_id.unwrap(), entry[i].seed));
 	}
 }
 

From d9f9d4ec481889620b82e0ca2246a09ea567e24c Mon Sep 17 00:00:00 2001
From: Jakcron <jakcron.dev@gmail.com>
Date: Tue, 29 Mar 2022 17:02:34 +0800
Subject: [PATCH 273/317] Bump patch version

---
 ctrtool/src/version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index ac894438..1c697089 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -3,5 +3,5 @@
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
 #define VER_MINOR	0
-#define VER_PATCH	1
+#define VER_PATCH	2
 #define AUTHORS		"jakcron"
\ No newline at end of file

From cbc20b2a15ee06db6d935d5cbb4072d47d28ba0b Mon Sep 17 00:00:00 2001
From: Jakcron <jakcron.dev@gmail.com>
Date: Tue, 29 Mar 2022 17:26:12 +0800
Subject: [PATCH 274/317] Honour opt.info when running CiaProcess

---
 ctrtool/src/CiaProcess.cpp | 4 +---
 ctrtool/src/CiaProcess.h   | 3 +--
 ctrtool/src/main.cpp       | 2 +-
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index 9ebbb82f..974b661e 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -13,7 +13,6 @@ ctrtool::CiaProcess::CiaProcess() :
 	mInputStream(),
 	mKeyBag(),
 	mShowHeaderInfo(false),
-	mShowFs(false),
 	mVerbose(false),
 	mVerify(false),
 	mCertExtractPath(),
@@ -49,10 +48,9 @@ void ctrtool::CiaProcess::setKeyBag(const ctrtool::KeyBag& key_bag)
 	mNcchProcess.setKeyBag(key_bag);
 }
 
-void ctrtool::CiaProcess::setCliOutputMode(bool show_header_info, bool show_fs)
+void ctrtool::CiaProcess::setCliOutputMode(bool show_header_info)
 {
 	mShowHeaderInfo = show_header_info;
-	mShowFs = show_fs;
 }
 
 void ctrtool::CiaProcess::setVerboseMode(bool verbose)
diff --git a/ctrtool/src/CiaProcess.h b/ctrtool/src/CiaProcess.h
index 4c37be69..245184eb 100644
--- a/ctrtool/src/CiaProcess.h
+++ b/ctrtool/src/CiaProcess.h
@@ -20,7 +20,7 @@ class CiaProcess
 
 	void setInputStream(const std::shared_ptr<tc::io::IStream>& input_stream);
 	void setKeyBag(const ctrtool::KeyBag& key_bag);
-	void setCliOutputMode(bool show_header_info, bool show_fs);
+	void setCliOutputMode(bool show_header_info);
 	void setVerboseMode(bool verbose);
 	void setVerifyMode(bool verify);
 	void setCertExtractPath(const tc::io::Path& extract_path);
@@ -44,7 +44,6 @@ class CiaProcess
 	std::shared_ptr<tc::io::IStream> mInputStream;
 	ctrtool::KeyBag mKeyBag;
 	bool mShowHeaderInfo;
-	bool mShowFs;
 	bool mVerbose;
 	bool mVerify;
 	tc::Optional<tc::io::Path> mCertExtractPath;
diff --git a/ctrtool/src/main.cpp b/ctrtool/src/main.cpp
index a5a8bf17..7d1fa861 100644
--- a/ctrtool/src/main.cpp
+++ b/ctrtool/src/main.cpp
@@ -126,7 +126,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			ctrtool::CiaProcess proc;
 			proc.setInputStream(infile_stream);
 			proc.setKeyBag(set.opt.keybag);
-			proc.setCliOutputMode(true, false);
+			proc.setCliOutputMode(set.opt.info);
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			if (set.rom.content_extract_path.isSet())

From b1629a4aa6bdce7b2667c516ad546d1fde049474 Mon Sep 17 00:00:00 2001
From: Jakcron <jakcron.dev@gmail.com>
Date: Tue, 29 Mar 2022 17:34:45 +0800
Subject: [PATCH 275/317] Fix bug when processing NCCH files directly,
 -p/--plain flag was not honoured.

---
 ctrtool/src/main.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/main.cpp b/ctrtool/src/main.cpp
index 7d1fa861..5a9f94a6 100644
--- a/ctrtool/src/main.cpp
+++ b/ctrtool/src/main.cpp
@@ -77,7 +77,7 @@ int umain(const std::vector<std::string>& args, const std::vector<std::string>&
 			proc.setVerboseMode(set.opt.verbose);
 			proc.setVerifyMode(set.opt.verify);
 			proc.setRawMode(set.opt.raw);
-			proc.setPlainMode(set.opt.raw);
+			proc.setPlainMode(set.opt.plain);
 			proc.setShowSyscallName(set.exheader.show_syscalls_as_names);
 			proc.setRegionProcessOutputMode(proc.NcchRegion_Header, set.opt.info, false, tc::Optional<tc::io::Path>(), tc::Optional<tc::io::Path>());
 			proc.setRegionProcessOutputMode(proc.NcchRegion_ExHeader, set.opt.info, false, set.ncch.exheader_path, tc::Optional<tc::io::Path>());

From 0715b3d5b9fdc90da91d46184a148a3f00c0fb14 Mon Sep 17 00:00:00 2001
From: Jakcron <jakcron.dev@gmail.com>
Date: Tue, 29 Mar 2022 17:37:26 +0800
Subject: [PATCH 276/317] Add flag -q/--quiet to suppress non-errors.

---
 ctrtool/src/Settings.cpp | 22 ++++++++++++++++++----
 ctrtool/src/Settings.h   |  6 ++++--
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/ctrtool/src/Settings.cpp b/ctrtool/src/Settings.cpp
index 1cfafbe4..a41cacfe 100644
--- a/ctrtool/src/Settings.cpp
+++ b/ctrtool/src/Settings.cpp
@@ -356,6 +356,8 @@ class FileTypeOptionHandler : public tc::cli::OptionParser::IOptionHandler
 ctrtool::SettingsInitializer::SettingsInitializer(const std::vector<std::string>& args) :
 	Settings(),
 	mModuleLabel("ctrtool::SettingsInitializer"),
+	mSuppressOutput(false),
+	mShowKeys(false),
 	mFallBackTitleKey(),
 	mFallBackSeed(),
 	mSeedDbPath()
@@ -365,6 +367,15 @@ ctrtool::SettingsInitializer::SettingsInitializer(const std::vector<std::string>
 	if (infile.path.isNull())
 		throw tc::ArgumentException(mModuleLabel, "No input file was specified.");
 
+	// suppress output if requested
+	if (mSuppressOutput)
+	{
+		opt.info = false;
+		opt.verbose = false;
+		exefs.list_fs = false;
+		romfs.list_fs = false;
+	}
+
 	opt.keybag = KeyBagInitializer(opt.is_dev, mFallBackTitleKey, mSeedDbPath, mFallBackSeed);
 
 	// determine filetype if not manually specified
@@ -417,9 +428,10 @@ void ctrtool::SettingsInitializer::parse_args(const std::vector<std::string>& ar
 
 	// get option flags
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.info, {"-i", "--info"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.verbose, {"-v", "--verbose"})));
+	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(mSuppressOutput, {"-q", "--quiet"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.plain, {"-p", "--plain"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.raw, {"-r", "--raw"})));
-	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.verbose, {"-v", "--verbose"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.verify, {"-y", "--verify"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.is_dev, {"-d", "--dev"})));
 	opts.registerOptionHandler(std::shared_ptr<FlagOptionHandler>(new FlagOptionHandler(opt.show_keys, {"--showkeys"})));
@@ -593,14 +605,16 @@ void ctrtool::SettingsInitializer::usage_text()
 
 	fmt::print(stderr,
 		"Options:\n"
-		"  -i, --info         Show file info.\n"
-		"                          This is the default action.\n"
+		//"  -i, --info         Show file info.\n"
+		//"                          This is the default action.\n"
 		//"  -x, --extract      Extract data from file.\n"
 		//"                          This is also the default action.\n"
+		"  -v, --verbose      Give verbose output.\n"
+		"  -q, --quiet        Only output errors (regular output is silenced).\n"
 		"  -p, --plain        Extract data without decrypting.\n"
 		"  -r, --raw          Keep raw data, don't unpack.\n"
 		//"  -k, --keyset=file  Specify keyset file.\n"
-		"  -v, --verbose      Give verbose output.\n"
+
 		"  -y, --verify       Verify hashes and signatures.\n"
 		"  -d, --dev          Decrypt with development keys instead of retail.\n"
 		//"  --unitsize=size    Set media unit size (default 0x200).\n"
diff --git a/ctrtool/src/Settings.h b/ctrtool/src/Settings.h
index be4ef4bc..e3301fb5 100644
--- a/ctrtool/src/Settings.h
+++ b/ctrtool/src/Settings.h
@@ -40,9 +40,9 @@ struct Settings
 	struct Options
 	{
 		bool info;
+		bool verbose;
 		bool plain;
 		bool raw;
-		bool verbose;
 		bool verify;
 		bool show_keys;
 		bool is_dev;
@@ -123,9 +123,9 @@ struct Settings
 		infile.path = tc::Optional<tc::io::Path>();
 
 		opt.info = true;
+		opt.verbose = false;
 		opt.plain = false;
 		opt.raw = false;
-		opt.verbose = false;
 		opt.verify = false;
 		opt.show_keys = false;
 		opt.is_dev = false;
@@ -168,6 +168,8 @@ class SettingsInitializer : public Settings
 
 	std::string mModuleLabel;
 
+	bool mSuppressOutput;
+
 	bool mShowKeys;
 	tc::Optional<std::string> mFallBackTitleKey;
 	tc::Optional<std::string> mFallBackSeed;

From 97e956d782d86d6ba6bf17d1552752ea1c891b31 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Wed, 30 Mar 2022 14:26:56 +0800
Subject: [PATCH 277/317] [BugFix] Honour exheader code compressed flag.

---
 ctrtool/src/NcchProcess.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/ctrtool/src/NcchProcess.cpp b/ctrtool/src/NcchProcess.cpp
index bc3596e2..d3ab0073 100644
--- a/ctrtool/src/NcchProcess.cpp
+++ b/ctrtool/src/NcchProcess.cpp
@@ -790,6 +790,17 @@ void ctrtool::NcchProcess::processRegions()
 	}
 	if (mRegionInfo[NcchRegion_ExeFs].size != 0 && mRegionInfo[NcchRegion_ExeFs].ready_stream != nullptr)
 	{
+		// prior to reading exefs, check compressed flag in exheader
+		if (mRegionInfo[NcchRegion_ExHeader].size > 0 && mRegionInfo[NcchRegion_ExHeader].ready_stream != nullptr)
+		{
+			// import exheader			
+			ntd::n3ds::ExtendedHeader exheader;
+			mRegionInfo[NcchRegion_ExHeader].ready_stream->seek(0, tc::io::SeekOrigin::Begin);
+			mRegionInfo[NcchRegion_ExHeader].ready_stream->read((byte_t*)&exheader, sizeof(ntd::n3ds::ExtendedHeader));
+
+			mDecompressExeFsCode = exheader.system_control_info.flags.bitarray.test(ntd::n3ds::SystemControlInfo::Flags_CompressExefsPartition0);
+		}
+
 		ctrtool::ExeFsProcess proc;
 		proc.setInputStream(mRegionInfo[NcchRegion_ExeFs].ready_stream);
 		proc.setCliOutputMode(mRegionOpt[NcchRegion_ExeFs].show_info, mRegionOpt[NcchRegion_ExeFs].show_fs);

From ea3b188de4a70e8dc54181bd37a9a88cdd3f5686 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Wed, 30 Mar 2022 14:27:12 +0800
Subject: [PATCH 278/317] Bump patch version.

---
 ctrtool/src/version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index 1c697089..2ee7a9f7 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -3,5 +3,5 @@
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
 #define VER_MINOR	0
-#define VER_PATCH	2
+#define VER_PATCH	3
 #define AUTHORS		"jakcron"
\ No newline at end of file

From e7d872934a62b8b10040622092c4a577517d3f08 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Wed, 30 Mar 2022 20:09:04 +0800
Subject: [PATCH 279/317] (ctrtool::CciProcess) Emit errors/warns/logs in a
 consistent manner.

---
 ctrtool/src/CciProcess.cpp | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
index fccad6fa..b0fc98c8 100644
--- a/ctrtool/src/CciProcess.cpp
+++ b/ctrtool/src/CciProcess.cpp
@@ -192,7 +192,7 @@ void ctrtool::CciProcess::importHeader()
 	}
 	else
 	{
-		fmt::print("[WARNING] Unsupported CardInfo::CryptoType ({})\n", (uint32_t)mHeader.card_info.flag.crypto_type);
+		fmt::print(stderr, "[{} LOG] Unsupported CardInfo::CryptoType ({})\n", mModuleLabel, (uint32_t)mHeader.card_info.flag.crypto_type);
 	}
 
 	if (initial_data_key_available)
@@ -210,6 +210,16 @@ void ctrtool::CciProcess::importHeader()
 		{
 			mDecryptedTitleKey = decrypted_title_key;
 		}
+		// Since CCM mode decrypts AND verifies, we should process the result here if required
+		if (mVerify)
+		{
+			mValidInitialDataMac = dec_result == 0 ? ValidState::Good :  ValidState::Fail;
+
+			if (mValidInitialDataMac != ValidState::Good)
+			{
+				fmt::print(stderr, "[{} LOG] InitialData MAC was invalid.\n", mModuleLabel);
+			}
+		}
 
 		/*
 		// test encrypt
@@ -222,6 +232,11 @@ void ctrtool::CciProcess::importHeader()
 
 		mbedtls_ccm_free(&ccm_ctx);
 	}
+	else
+	{
+		// no initial data key
+		fmt::print(stderr, "[{} LOG] Failed to determine key to decrypt InitialData.\n", mModuleLabel);
+	}
 
 	// open fs reader
 	mFsReader = std::shared_ptr<tc::io::VirtualFileSystem>(new tc::io::VirtualFileSystem(ntd::n3ds::CciFsShapshotGenerator(mInputStream)));
@@ -241,11 +256,14 @@ void ctrtool::CciProcess::verifyHeader()
 	}
 	else
 	{
-		fmt::print(stderr, "Could not read static CFA_CCI public key.\n");
+		fmt::print(stderr, "[{} LOG] Could not read static CFA/CCI RSA2048 public key.\n", mModuleLabel);
 		mValidSignature = ValidState::Fail;
 	}
 
-	mValidInitialDataMac = mDecryptedTitleKey.isSet() ? ValidState::Good : ValidState::Fail;
+	if (mValidSignature != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] Signature for NcsdCommonHeader was invalid.\n", mModuleLabel);
+	}
 }
 
 void ctrtool::CciProcess::printHeader()
@@ -347,7 +365,7 @@ void ctrtool::CciProcess::extractFs()
 		// build out path
 		out_path = mExtractPath.get() + *itr;
 
-		fmt::print("Saving {}...\n", out_path.to_string());
+		fmt::print(stderr, "[{} LOG] Saving {}...\n", mModuleLabel, out_path.to_string());
 
 		// begin export
 		mFsReader->openFile(*itr, tc::io::FileMode::Open, tc::io::FileAccess::Read, in_stream);
@@ -360,7 +378,7 @@ void ctrtool::CciProcess::extractFs()
 			cache_read_len = in_stream->read(cache.data(), cache.size());
 			if (cache_read_len == 0)
 			{
-				throw tc::io::IOException(mModuleLabel, "Failed to read from RomFs file.");
+				throw tc::io::IOException(mModuleLabel, fmt::format("Failed to read from \"{}\".", (std::string)(dir.abs_path + *itr)));
 			}
 
 			out_stream->write(cache.data(), cache_read_len);
@@ -374,7 +392,7 @@ void ctrtool::CciProcess::processContent()
 {
 	if (mContentIndex >= ntd::n3ds::NcsdCommonHeader::kPartitionNum)
 	{
-		fmt::print(stderr, "Content index {:d} isn't valid for CCI, use index 0-7, defaulting to 0 now.\n", mContentIndex);
+		fmt::print(stderr, "[{} LOG] Content index {:d} isn't valid for CCI, use index 0-7, defaulting to 0 now.\n", mModuleLabel, mContentIndex);
 		mContentIndex = 0;
 	}
 	if (mHeader.ncsd_header.partition_offsetsize[mContentIndex].blk_size.unwrap() != 0)

From 6509b431d8d6d1abcf1c2ece3970f3d95603811c Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Wed, 30 Mar 2022 20:09:25 +0800
Subject: [PATCH 280/317] (ctrtool::CiaProcess) Emit errors/warns/logs in a
 consistent manner.

---
 ctrtool/src/CiaProcess.cpp | 52 +++++++++++++++++++++++++++-----------
 1 file changed, 37 insertions(+), 15 deletions(-)

diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index 974b661e..7ca595fc 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -286,10 +286,9 @@ void ctrtool::CiaProcess::importHeader()
 			}
 
 		}
-		// TODO load certificates from KeyBag
 		else
 		{
-			fmt::print("[LOG] CIA has no Certificate, cannot verify Ticket or TitleMetaData.\n");
+			fmt::print(stderr, "[{} LOG] CIA has no Certificate, cannot verify Ticket or TitleMetaData.\n", mModuleLabel);
 		}
 
 		if (mTikSizeInfo.size > 0)
@@ -299,12 +298,12 @@ void ctrtool::CiaProcess::importHeader()
 			// determine title key
 			if (mKeyBag.fallback_title_key.isSet())
 			{
-				fmt::print("[LOG] Using fallback titlekey.\n");
+				fmt::print(stderr, "[{} LOG] Using fallback titlekey.\n", mModuleLabel);
 				mDecryptedTitleKey = mKeyBag.fallback_title_key.get();
 			}
 			else if (mKeyBag.common_key.find(mTicket.key_id) != mKeyBag.common_key.end())
 			{
-				fmt::print("[LOG] Decrypting titlekey from ticket.\n");
+				fmt::print(stderr, "[{} LOG] Decrypting titlekey from ticket.\n", mModuleLabel);
 				
 				// get common key
 				auto common_key = mKeyBag.common_key[mTicket.key_id];
@@ -322,7 +321,7 @@ void ctrtool::CiaProcess::importHeader()
 			}
 			else
 			{
-				fmt::print("[LOG] Cannot determine titlekey.\n");
+				fmt::print(stderr, "[{} LOG] Cannot determine titlekey.\n", mModuleLabel);
 			}
 		}
 		else
@@ -419,9 +418,15 @@ void ctrtool::CiaProcess::verifyMetadata()
 			else
 			{
 				// cannot locate rsa key to verify
-				fmt::print(stderr, "Could not read public key for \"{}\" (certificate).\n", mCertChain[i].signature.issuer);
+				fmt::print(stderr, "[{} LOG] Could not read public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
 				mCertSigValid[i] = ValidState::Fail;
 			}
+
+			// log certificate signature validation error
+			if (mCertSigValid[i] != ValidState::Good)
+			{
+				fmt::print(stderr, "[{} LOG] Signature for Certificate \"{}\" was invalid.\n", mModuleLabel, mCertChain[i].signature.issuer);
+			}
 		}
 	}
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTikSizeInfo.size > 0)
@@ -443,9 +448,15 @@ void ctrtool::CiaProcess::verifyMetadata()
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "Could not read public key for \"{}\" (ticket).\n", mTicket.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not read public key for \"{}\" (ticket).\n", mModuleLabel, mTicket.signature.issuer);
 			mTicketSigValid = ValidState::Fail;
 		}
+
+		// log ticket signature validation error
+		if (mTicketSigValid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Signature for Ticket \"{}\" was invalid.\n", mModuleLabel, mTicket.signature.issuer);
+		}
 	}
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTmdSizeInfo.size > 0)
 	{
@@ -466,9 +477,15 @@ void ctrtool::CiaProcess::verifyMetadata()
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "Could not read public key for \"{}\" (tmd).\n", mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not read public key for \"{}\" (tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			mTitleMetaDataSigValid = ValidState::Fail;
 		}
+
+		// log tmd signature validation error
+		if (mTitleMetaDataSigValid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Signature for TitleMetaData \"{}\" was invalid.\n", mModuleLabel, mTitleMetaData.signature.issuer);
+		}
 	}
 }
 
@@ -517,6 +534,11 @@ void ctrtool::CiaProcess::verifyContent()
 			sha256_calc.getHash(sha256_hash.data());
 
 			itr->second.valid_state = memcmp(sha256_hash.data(), itr->second.hash.data(), sha256_hash.size()) == 0 ? ValidState::Good : ValidState::Fail;
+
+			if (itr->second.valid_state != ValidState::Good)
+			{
+				fmt::print(stderr, "[{} LOG] Hash for content (index=0x{:04x}, id=0x{:08x}) was invalid.\n", mModuleLabel, itr->second.cindex, itr->second.cid);
+			}
 		}
 	}
 }
@@ -671,7 +693,7 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mCertSizeInfo.offset, mCertSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print("Saving certs to {}...\n", out_path.to_string());
+		fmt::print(stderr, "[{} LOG] Saving certs to {}...\n", mModuleLabel, out_path.to_string());
 		copyStream(in_stream, out_stream);
 	}
 
@@ -682,7 +704,7 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTikSizeInfo.offset, mTikSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print("Saving tik to {}...\n", out_path.to_string());
+		fmt::print(stderr, "[{} LOG] Saving tik to {}...\n", mModuleLabel, out_path.to_string());
 		copyStream(in_stream, out_stream);
 	}
 
@@ -693,7 +715,7 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTmdSizeInfo.offset, mTmdSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print("Saving tmd to {}...\n", out_path.to_string());
+		fmt::print(stderr, "[{} LOG] Saving tmd to {}...\n", mModuleLabel, out_path.to_string());
 		copyStream(in_stream, out_stream);
 	}
 
@@ -704,7 +726,7 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mFooterSizeInfo.offset, mFooterSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print("Saving meta to {}...\n", out_path.to_string());
+		fmt::print(stderr, "[{} LOG] Saving meta to {}...\n", mModuleLabel, out_path.to_string());
 		copyStream(in_stream, out_stream);
 	}
 
@@ -727,7 +749,7 @@ void ctrtool::CiaProcess::extractCia()
 
 			out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-			fmt::print("Saving content {:04x} to {}...\n", itr->second.cindex, out_path.to_string());
+			fmt::print(stderr, "[{} LOG] Saving content {:04x} to {}...\n", mModuleLabel, itr->second.cindex, out_path.to_string());
 			copyStream(in_stream, out_stream);
 		}
 	}
@@ -758,7 +780,7 @@ void ctrtool::CiaProcess::processContent()
 {
 	if (mContentIndex >= ntd::n3ds::CiaHeader::kCiaMaxContentNum)
 	{
-		fmt::print(stderr, "Content index {:d} isn't valid for CIA, use index 0-{:d}, defaulting to 0 now.\n", mContentIndex, ((size_t)ntd::n3ds::CiaHeader::kCiaMaxContentNum)-1);
+		fmt::print(stderr, "[{} LOG] Content index {:d} isn't valid for CIA, use index 0-{:d}, defaulting to 0 now.\n", mModuleLabel, mContentIndex, ((size_t)ntd::n3ds::CiaHeader::kCiaMaxContentNum)-1);
 		mContentIndex = 0;
 	}
 	if (mContentInfo.find(mContentIndex) != mContentInfo.end() && mContentInfo[mContentIndex].size != 0)
@@ -780,7 +802,7 @@ void ctrtool::CiaProcess::processContent()
 		}
 		else
 		{
-			fmt::print("[LOG] TWL title processing not supported\n");
+			fmt::print(stderr, "[{} LOG] TWL title processing not supported\n", mModuleLabel);
 		}
 	}
 }

From 4652a08d1029c1fc0d448bed5f1b105efa72fadc Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Thu, 31 Mar 2022 14:59:55 +0800
Subject: [PATCH 281/317] (ctrtool::CrrProcess) Emit errors/warns/logs in a
 consistent manner.

---
 ctrtool/src/CrrProcess.cpp | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/ctrtool/src/CrrProcess.cpp b/ctrtool/src/CrrProcess.cpp
index a0f35376..bffd1b5c 100644
--- a/ctrtool/src/CrrProcess.cpp
+++ b/ctrtool/src/CrrProcess.cpp
@@ -124,7 +124,7 @@ void ctrtool::CrrProcess::verifyData()
 	}
 	else
 	{
-		fmt::print(stderr, "Could not read static CRR public key.\n");
+		fmt::print(stderr, "[{} LOG] Could not read static CRR public key.\n", mModuleLabel);
 		mValidCertificateSignature = ValidState::Fail;
 	}
 
@@ -145,6 +145,20 @@ void ctrtool::CrrProcess::verifyData()
 	{
 		mValidUniqueId = ((mBodyHeader.unique_id.unwrap() & mHeader.body_certificate.unique_id_mask.unwrap()) == 0) ? ValidState::Good : ValidState::Fail;
 	}
+
+	// log validation errors
+	if (mValidCertificateSignature != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] Signature for CRR Certificate was invalid.\n", mModuleLabel);
+	}
+	if (mValidBodySignature != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] Signature for CRR Body was invalid.\n", mModuleLabel);
+	}
+	if (mValidUniqueId != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] CRR UniqueId was invalid.\n", mModuleLabel);
+	}
 }
 
 void ctrtool::CrrProcess::printData()

From f79a5666a5aa7954eb6dd57cd7aa2a0df68613ed Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Thu, 31 Mar 2022 16:01:36 +0800
Subject: [PATCH 282/317] When verifying CIA cert/tik/tmd, preference certchain
 over keybag.

---
 ctrtool/src/CiaProcess.cpp | 65 ++++++++++++++++++++++----------------
 1 file changed, 38 insertions(+), 27 deletions(-)

diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index 7ca595fc..8c5868bc 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -288,7 +288,11 @@ void ctrtool::CiaProcess::importHeader()
 		}
 		else
 		{
-			fmt::print(stderr, "[{} LOG] CIA has no Certificate, cannot verify Ticket or TitleMetaData.\n", mModuleLabel);
+			if (mVerify)
+			{
+				fmt::print(stderr, "[{} LOG] CIA has no Certificates, verifying Ticket or TitleMetaData will use the bundled public keys.\n", mModuleLabel);
+			}
+			
 		}
 
 		if (mTikSizeInfo.size > 0)
@@ -402,23 +406,28 @@ void ctrtool::CiaProcess::verifyMetadata()
 		// verify cert
 		for (size_t i = 0; i < mCertChain.size(); i++)
 		{
-			auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
 			auto local_issuer_itr = mCertImportedIssuerSigner.find(mCertChain[i].signature.issuer);
+			auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
 			
-			// try first with the keybag imported issuer
-			if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+			// first try with the issuer profiles imported from the local certificates
+			if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
 			{
-				mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+				mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 			}
-			// fallback try with the issuer profiles imported from the local certificates
-			else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+			// fallback try with the keybag imported issuer
+			else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
 			{
-				mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+				// only show this warning for non-root signed certificates
+				if (mCertChain[i].signature.issuer != "Root")
+				{
+					fmt::print(stderr, "[{} LOG] Public key \"{}\" (for certificate \"{}\") was not present in the CIA certificate chain. The bundled public key was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
+				}
+				mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 			}
 			else
 			{
 				// cannot locate rsa key to verify
-				fmt::print(stderr, "[{} LOG] Could not read public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
+				fmt::print(stderr, "[{} LOG] Could not locate public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
 				mCertSigValid[i] = ValidState::Fail;
 			}
 
@@ -432,59 +441,61 @@ void ctrtool::CiaProcess::verifyMetadata()
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTikSizeInfo.size > 0)
 	{
 		// verify ticket
-		auto keybag_issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
 		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTicket.signature.issuer);
+		auto keybag_issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
 
-		// try first with the keybag imported issuer
-		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		// first try with the issuer profiles imported from the local certificates
+		if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
 		{
-			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mTicketSigValid = local_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
-		// fallback try with the issuer profiles imported from the local certificates
-		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		// fallback try with the keybag imported issuer
+		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
 		{
-			mTicketSigValid = local_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for ticket) was not present in the CIA certificate chain. The bundled public key was used instead.\n", mModuleLabel, mTicket.signature.issuer);
+			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "[{} LOG] Could not read public key for \"{}\" (ticket).\n", mModuleLabel, mTicket.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for ticket).\n", mModuleLabel, mTicket.signature.issuer);
 			mTicketSigValid = ValidState::Fail;
 		}
 
 		// log ticket signature validation error
 		if (mTicketSigValid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for Ticket \"{}\" was invalid.\n", mModuleLabel, mTicket.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Signature for Ticket was invalid.\n", mModuleLabel);
 		}
 	}
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTmdSizeInfo.size > 0)
 	{
 		// verify tmd
-		auto keybag_issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
 		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTitleMetaData.signature.issuer);
+		auto keybag_issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
 
-		// try first with the keybag imported issuer
-		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		// first try with the issuer profiles imported from the local certificates
+		if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
 		{
-			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mTitleMetaDataSigValid = local_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
-		// fallback try with the issuer profiles imported from the local certificates
-		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		// fallback try with the keybag imported issuer
+		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
 		{
-			mTitleMetaDataSigValid = local_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for tmd) was not present in the CIA certificate chain. The bundled public key was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "[{} LOG] Could not read public key for \"{}\" (tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			mTitleMetaDataSigValid = ValidState::Fail;
 		}
 
 		// log tmd signature validation error
 		if (mTitleMetaDataSigValid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for TitleMetaData \"{}\" was invalid.\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Signature for TitleMetaData was invalid.\n", mModuleLabel);
 		}
 	}
 }

From 7798ddda90bcb3cb0577cc2b33deafb9b6bf2077 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Thu, 31 Mar 2022 16:15:49 +0800
Subject: [PATCH 283/317] (ctrtool::ExeFsProcess) Emit errors/warns/logs in a
 consistent manner.

---
 ctrtool/src/ExeFsProcess.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ctrtool/src/ExeFsProcess.cpp b/ctrtool/src/ExeFsProcess.cpp
index 6acada89..3f2adba5 100644
--- a/ctrtool/src/ExeFsProcess.cpp
+++ b/ctrtool/src/ExeFsProcess.cpp
@@ -130,11 +130,11 @@ void ctrtool::ExeFsProcess::verifyFs()
 			}
 			hash_calc.getHash(hash.data());
 
-			mSectionValidation[i] = memcmp(hash.data(), hdr_hash.data(), hash.size()) == 0? Good : Fail;
+			mSectionValidation[i] = memcmp(hash.data(), hdr_hash.data(), hash.size()) == 0? ValidState::Good : ValidState::Fail;
 
-			if (mVerbose)
+			if (mSectionValidation[i] != ValidState::Good)
 			{
-				fmt::print("[LOG/ExeFs] File: \"{}\" {} hash validation\n", mHeader.file_table[i].name.decode(), (mSectionValidation[i] == ValidState::Good ? "passed" : "failed"));
+				fmt::print(stderr, "[{} LOG] ExeFs file \"{}\" had an invalid SHA2-256 hash.\n", mModuleLabel, mHeader.file_table[i].name.decode());
 			}
 		}
 	}
@@ -223,7 +223,7 @@ void ctrtool::ExeFsProcess::extractFs()
 			}
 			if (test_hash != nullptr && memcmp(test_hash, hash.data(), hash.size()) == 0)
 			{
-				fmt::print("Decompressing section {} to {}...\n", *itr, f_path.to_string());
+				fmt::print(stderr, "[{} LOG] Decompressing file /{} to {}...\n", mModuleLabel, *itr, f_path.to_string());
 
 				tc::ByteData decompdata = tc::ByteData(lzss_get_decompressed_size(compdata.data(), compdata.size()));
 				lzss_decompress(compdata.data(), compdata.size(), decompdata.data(), decompdata.size());
@@ -233,7 +233,7 @@ void ctrtool::ExeFsProcess::extractFs()
 			}
 			else
 			{
-				fmt::print("Saving section {} to {}...\n", *itr, f_path.to_string());
+				fmt::print(stderr, "[{} LOG] Saving file /{} to {}...\n", mModuleLabel, *itr, f_path.to_string());
 
 				out_stream->seek(0, tc::io::SeekOrigin::Begin);
 				out_stream->write(compdata.data(), compdata.size());
@@ -241,7 +241,7 @@ void ctrtool::ExeFsProcess::extractFs()
 		}
 		else
 		{
-			fmt::print("Saving section {} to {}...\n", *itr, f_path.to_string());
+			fmt::print(stderr, "[{} LOG] Saving file /{} to {}...\n", mModuleLabel, *itr, f_path.to_string());
 
 			tc::ByteData filedata = tc::ByteData(in_stream->length());
 			in_stream->seek(0, tc::io::SeekOrigin::Begin);

From a1f86a681335aa2a87b887cee756455344bdd738 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 11 Apr 2022 18:01:05 +0800
Subject: [PATCH 284/317] Add support for processing InitialData CryptoTypes
 1-2

---
 .../deps/libnintendo-n3ds/include/ntd/n3ds/cci.h |  4 +++-
 ctrtool/src/CciProcess.cpp                       | 16 ++++++++++++----
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
index f2ac0a8b..57f62fd2 100644
--- a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
@@ -167,7 +167,9 @@ struct CciHeader
 
 	enum CryptoType
 	{
-		CryptoType_Secure = 0, // Secure initial data key (keyX bootrom, keyY initial data seed) (used in production ROMs)
+		CryptoType_Secure0 = 0, // Secure initial data key (keyX bootrom, keyY initial data seed) (used in production ROMs)
+		CryptoType_Secure1 = 1, // Secure initial data key (keyX bootrom, keyY initial data seed) (used in production ROMs)
+		CryptoType_Secure2 = 2, // Secure initial data key (keyX bootrom, keyY initial data seed) (used in production ROMs)
 		CryptoType_FixedKey = 3, // Zeros initial data key (used in non-HSM enviroments like development)
 	};
 
diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
index fccad6fa..f286edf1 100644
--- a/ctrtool/src/CciProcess.cpp
+++ b/ctrtool/src/CciProcess.cpp
@@ -171,8 +171,10 @@ void ctrtool::CciProcess::importHeader()
 	ctrtool::KeyBag::Aes128Key initial_data_key;
 	bool initial_data_key_available = false;
 
-	// crypto_type 0 is the normal "secure" initial data key 
-	if (mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure)
+	// crypto_type 0-2 is the normal "secure" initial data key 
+	if (mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure0 ||
+		mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure1 ||
+		mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure2)
 	{
 		if (mKeyBag.brom_static_key_x.find(mKeyBag.KEYSLOT_INITIAL_DATA) != mKeyBag.brom_static_key_x.end())
 		{	
@@ -530,8 +532,14 @@ std::string ctrtool::CciProcess::getCryptoTypeString(byte_t crypto_type)
 
 	switch(crypto_type)
 	{
-		case ntd::n3ds::CciHeader::CryptoType_Secure :
-			ret_str = "Secure";
+		case ntd::n3ds::CciHeader::CryptoType_Secure0 :
+			ret_str = "Secure0";
+			break;
+		case ntd::n3ds::CciHeader::CryptoType_Secure1 :
+			ret_str = "Secure1";
+			break;
+		case ntd::n3ds::CciHeader::CryptoType_Secure2 :
+			ret_str = "Secure2";
 			break;
 		case ntd::n3ds::CciHeader::CryptoType_FixedKey :
 			ret_str = "FixedKey";

From 5c584f4d36b246e3d7b25b2be30cd29f86d59b49 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Mon, 11 Apr 2022 18:01:44 +0800
Subject: [PATCH 285/317] Bump version.

---
 ctrtool/src/version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index 2ee7a9f7..27dba3b5 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -3,5 +3,5 @@
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
 #define VER_MINOR	0
-#define VER_PATCH	3
+#define VER_PATCH	4
 #define AUTHORS		"jakcron"
\ No newline at end of file

From 60334cd7ddd2bc76815d7f25b15b73de7797bb62 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Tue, 12 Apr 2022 19:43:24 +0800
Subject: [PATCH 286/317] Don't silence verbosity with -q/--quiet

---
 ctrtool/src/Settings.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/Settings.cpp b/ctrtool/src/Settings.cpp
index a41cacfe..52f5dff7 100644
--- a/ctrtool/src/Settings.cpp
+++ b/ctrtool/src/Settings.cpp
@@ -371,7 +371,7 @@ ctrtool::SettingsInitializer::SettingsInitializer(const std::vector<std::string>
 	if (mSuppressOutput)
 	{
 		opt.info = false;
-		opt.verbose = false;
+		//opt.verbose = false;
 		exefs.list_fs = false;
 		romfs.list_fs = false;
 	}

From c0ce043b306f1613f9420db8da661317f1989658 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Tue, 12 Apr 2022 20:05:02 +0800
Subject: [PATCH 287/317] Emit errors/warns/logs in a consistent manner.

---
 ctrtool/src/CciProcess.cpp      | 22 ++++------
 ctrtool/src/CiaProcess.cpp      | 24 +++++------
 ctrtool/src/ExHeaderProcess.cpp | 74 +++++++++++++++++++++++++++++----
 ctrtool/src/ExHeaderProcess.h   |  4 +-
 ctrtool/src/FirmProcess.cpp     | 11 ++++-
 ctrtool/src/IvfcProcess.cpp     |  7 ++--
 ctrtool/src/NcchProcess.cpp     | 57 ++++++++++++++++++-------
 ctrtool/src/RomFsProcess.cpp    |  2 +-
 ctrtool/src/TikProcess.cpp      | 62 +++++++++++++++++++--------
 ctrtool/src/TmdProcess.cpp      | 57 +++++++++++++++++--------
 10 files changed, 227 insertions(+), 93 deletions(-)

diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
index 888c8071..53201297 100644
--- a/ctrtool/src/CciProcess.cpp
+++ b/ctrtool/src/CciProcess.cpp
@@ -171,10 +171,14 @@ void ctrtool::CciProcess::importHeader()
 	ctrtool::KeyBag::Aes128Key initial_data_key;
 	bool initial_data_key_available = false;
 
+	// crypto_type 3 zeros initial_data key (used in developer ROMs only)
+	if (mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_FixedKey)
+	{
+		memset(initial_data_key.data(), 0, initial_data_key.size());
+		initial_data_key_available = true;
+	}
 	// crypto_type 0-2 is the normal "secure" initial data key 
-	if (mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure0 ||
-		mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure1 ||
-		mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_Secure2)
+	else
 	{
 		if (mKeyBag.brom_static_key_x.find(mKeyBag.KEYSLOT_INITIAL_DATA) != mKeyBag.brom_static_key_x.end())
 		{	
@@ -186,16 +190,6 @@ void ctrtool::CciProcess::importHeader()
 			initial_data_key_available = false;
 		}
 	}
-	// crypto_type 3 zeros initial_data key (used in developer roms mostly)
-	else if (mHeader.card_info.flag.crypto_type == ntd::n3ds::CciHeader::CryptoType_FixedKey)
-	{
-		memset(initial_data_key.data(), 0, initial_data_key.size());
-		initial_data_key_available = true;
-	}
-	else
-	{
-		fmt::print(stderr, "[{} LOG] Unsupported CardInfo::CryptoType ({})\n", mModuleLabel, (uint32_t)mHeader.card_info.flag.crypto_type);
-	}
 
 	if (initial_data_key_available)
 	{
@@ -258,7 +252,7 @@ void ctrtool::CciProcess::verifyHeader()
 	}
 	else
 	{
-		fmt::print(stderr, "[{} LOG] Could not read static CFA/CCI RSA2048 public key.\n", mModuleLabel);
+		fmt::print(stderr, "[{} LOG] Could not load CCI RSA2048 public key.\n", mModuleLabel);
 		mValidSignature = ValidState::Fail;
 	}
 
diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index 8c5868bc..5e037f27 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -285,14 +285,6 @@ void ctrtool::CiaProcess::importHeader()
 				}
 			}
 
-		}
-		else
-		{
-			if (mVerify)
-			{
-				fmt::print(stderr, "[{} LOG] CIA has no Certificates, verifying Ticket or TitleMetaData will use the bundled public keys.\n", mModuleLabel);
-			}
-			
 		}
 
 		if (mTikSizeInfo.size > 0)
@@ -302,12 +294,18 @@ void ctrtool::CiaProcess::importHeader()
 			// determine title key
 			if (mKeyBag.fallback_title_key.isSet())
 			{
-				fmt::print(stderr, "[{} LOG] Using fallback titlekey.\n", mModuleLabel);
+				if (mVerbose)
+				{
+					fmt::print(stderr, "[{} LOG] Using fallback titlekey.\n", mModuleLabel);
+				}
 				mDecryptedTitleKey = mKeyBag.fallback_title_key.get();
 			}
 			else if (mKeyBag.common_key.find(mTicket.key_id) != mKeyBag.common_key.end())
 			{
-				fmt::print(stderr, "[{} LOG] Decrypting titlekey from ticket.\n", mModuleLabel);
+				if (mVerbose)
+				{
+					fmt::print(stderr, "[{} LOG] Decrypting titlekey from ticket.\n", mModuleLabel);
+				}
 				
 				// get common key
 				auto common_key = mKeyBag.common_key[mTicket.key_id];
@@ -420,7 +418,7 @@ void ctrtool::CiaProcess::verifyMetadata()
 				// only show this warning for non-root signed certificates
 				if (mCertChain[i].signature.issuer != "Root")
 				{
-					fmt::print(stderr, "[{} LOG] Public key \"{}\" (for certificate \"{}\") was not present in the CIA certificate chain. The bundled public key was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
+					fmt::print(stderr, "[{} LOG] Public key \"{}\" (for certificate \"{}\") was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
 				}
 				mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 			}
@@ -452,7 +450,7 @@ void ctrtool::CiaProcess::verifyMetadata()
 		// fallback try with the keybag imported issuer
 		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
 		{
-			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for ticket) was not present in the CIA certificate chain. The bundled public key was used instead.\n", mModuleLabel, mTicket.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for ticket) was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTicket.signature.issuer);
 			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
@@ -482,7 +480,7 @@ void ctrtool::CiaProcess::verifyMetadata()
 		// fallback try with the keybag imported issuer
 		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
 		{
-			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for tmd) was not present in the CIA certificate chain. The bundled public key was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for tmd) was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
diff --git a/ctrtool/src/ExHeaderProcess.cpp b/ctrtool/src/ExHeaderProcess.cpp
index fc5976c8..ebaf9c84 100644
--- a/ctrtool/src/ExHeaderProcess.cpp
+++ b/ctrtool/src/ExHeaderProcess.cpp
@@ -96,13 +96,18 @@ void ctrtool::ExHeaderProcess::verifyExHeader()
 	}
 	else
 	{
-		fmt::print(stderr, "Could not read AccessDescriptor public key.\n");
+		fmt::print(stderr, "[{} LOG] Could not load AccessDescriptor RSA2048 public key.\n", mModuleLabel);
 		mValidSignature = ValidState::Fail;
 	}
-	
+
+	if (mValidSignature != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] Signature for AccessDescriptor was invalid.\n", mModuleLabel);
+	}
+
 	mValidLocalCaps.system_save_id[0] = ValidState::Good;
 	mValidLocalCaps.system_save_id[1] = ValidState::Good;
-	mValidLocalCaps.access_info = ValidState::Good;
+	mValidLocalCaps.fs_access = ValidState::Good;
 	mValidLocalCaps.core_version = ValidState::Good;
 	mValidLocalCaps.program_id = ValidState::Good;
 	mValidLocalCaps.priority = ValidState::Good;
@@ -183,10 +188,10 @@ void ctrtool::ExHeaderProcess::verifyExHeader()
 	{
 		if (exhdr_fs_access.test(fs_bit) == true && desc_fs_access.test(fs_bit) == false)
 		{
-			mValidLocalCaps.access_info = ValidState::Fail;
+			mValidLocalCaps.fs_access = ValidState::Fail;
 			if (mVerbose)
 			{
-				fmt::print("[LOG/ExHeader] FsAccess Bit {:d} was not permitted\n", fs_bit);
+				fmt::print(stderr, "[{} LOG] FsAccess Bit {:d} was not permitted\n", mModuleLabel, fs_bit);
 			}
 		}
 	}
@@ -213,10 +218,65 @@ void ctrtool::ExHeaderProcess::verifyExHeader()
 			mValidLocalCaps.service_control = Fail;
 			if (mVerbose)
 			{
-				fmt::print("[LOG/ExHeader] Service \"{}\" was not permitted\n", exhdr_service_access_control[i].decode());
+				fmt::print(stderr, "[{} LOG] Service \"{}\" was not permitted\n", mModuleLabel, exhdr_service_access_control[i].decode());
 			}
 		}
 	}
+
+	if (mValidLocalCaps.system_save_id[0] != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemSaveId1");
+	}
+	if (mValidLocalCaps.system_save_id[1] != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemSaveId2");
+	}
+	if (mValidLocalCaps.fs_access != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "FsAccess");
+	}
+	/*
+	if (mValidLocalCaps.core_version != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "CoreVersion");
+	}
+	*/
+	if (mValidLocalCaps.program_id != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ProgramId");
+	}
+	if (mValidLocalCaps.priority != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ThreadPriority");
+	}
+	if (mValidLocalCaps.affinity_mask != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "AffinityMask");
+	}
+	if (mValidLocalCaps.ideal_processor != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "IdealProcessor");
+	}
+	if (mValidLocalCaps.old3ds_system_mode != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemMode (Old3DS)");
+	}
+	if (mValidLocalCaps.new3ds_system_mode != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemMode (New3DS)");
+	}
+	if (mValidLocalCaps.enable_l2_cache != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "EnableL2Cache");
+	}
+	if (mValidLocalCaps.new3ds_cpu_speed != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "CpuSpeed");
+	}
+	if (mValidLocalCaps.service_control != ValidState::Good)
+	{
+		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ServiceAccess");
+	}
 }
 
 void ctrtool::ExHeaderProcess::printExHeader()
@@ -355,7 +415,7 @@ void ctrtool::ExHeaderProcess::printARM11SystemLocalCapabilities(const ntd::n3ds
 	}
 	fmt::print("Other Variation Saves:  {}\n", (use_other_variation_savedata ? "Accessible" : "Inaccessible"));
 	uint64_t fs_access_raw = ((((tc::bn::le64<uint64_t>*)&info.fs_access)->unwrap() << 8) >> 8); // clearing the upper 8 bits since fs_access is 56 bits
-	fmt::print("Access info: {:6}     0x{:014x}\n", getValidString(valid.access_info), fs_access_raw);
+	fmt::print("FS access: {:6}       0x{:014x}\n", getValidString(valid.fs_access), fs_access_raw);
 	for (size_t i = 0; i < info.fs_access.bit_size(); i++)
 	{
 		if (info.fs_access.test(i))
diff --git a/ctrtool/src/ExHeaderProcess.h b/ctrtool/src/ExHeaderProcess.h
index 38219850..dace5d67 100644
--- a/ctrtool/src/ExHeaderProcess.h
+++ b/ctrtool/src/ExHeaderProcess.h
@@ -39,7 +39,7 @@ class ExHeaderProcess
 		{
 			system_save_id[0] = ValidState::Unchecked;
 			system_save_id[1] = ValidState::Unchecked;
-			access_info = ValidState::Unchecked;
+			fs_access = ValidState::Unchecked;
 			core_version = ValidState::Unchecked;
 			program_id = ValidState::Unchecked;
 			priority = ValidState::Unchecked;
@@ -53,7 +53,7 @@ class ExHeaderProcess
 		}
 
 		std::array<byte_t, 2> system_save_id;
-		byte_t access_info;
+		byte_t fs_access;
 		byte_t core_version;
 		byte_t program_id;
 		byte_t priority;
diff --git a/ctrtool/src/FirmProcess.cpp b/ctrtool/src/FirmProcess.cpp
index aefa57ab..c98f9e05 100644
--- a/ctrtool/src/FirmProcess.cpp
+++ b/ctrtool/src/FirmProcess.cpp
@@ -188,6 +188,11 @@ void ctrtool::FirmProcess::verifyHashes()
 			hash_calc.getHash(hash.data());
 
 			mValidFirmSectionHash[i] = memcmp(hash.data(), hdr_hash.data(), hash.size()) == 0? ValidState::Good : ValidState::Fail;
+
+			if (mValidFirmSectionHash[i] != ValidState::Good)
+			{
+				fmt::print(stderr, "[{} LOG] FIRM section {:d} SHA2-256 hash was invalid.\n", mModuleLabel, i);
+			}
 		}
 	}
 }
@@ -226,7 +231,7 @@ void ctrtool::FirmProcess::verifySignature()
 	}
 	else
 	{
-		fmt::print(stderr, "Could not read static rsa_key {}.\n", key_id == mKeyBag.RSAKEY_FIRM_NAND ? "RSAKEY_FIRM_NAND" : "RSAKEY_FIRM_RECOVERY");
+		fmt::print(stderr, "[{} LOG] Could not load {} RSA2048 public key.\n", mModuleLabel, key_id == mKeyBag.RSAKEY_FIRM_NAND ? "FIRM_NAND" : "FIRM_RECOVERY");
 		valid_signature = ValidState::Fail;
 	}
 
@@ -239,7 +244,7 @@ void ctrtool::FirmProcess::verifySignature()
 	}
 	else
 	{
-		fmt::print(stderr, "Could not read rsa_sighax_signature for {}.\n", key_id == mKeyBag.RSAKEY_FIRM_NAND ? "RSAKEY_FIRM_NAND" : "RSAKEY_FIRM_RECOVERY");
+		fmt::print(stderr, "[{} LOG] Could not load {} SigHax RSA2048 signature.\n", mModuleLabel, key_id == mKeyBag.RSAKEY_FIRM_NAND ? "FIRM_NAND" : "FIRM_RECOVERY");
 		is_sighax = false;
 	}
 
@@ -251,10 +256,12 @@ void ctrtool::FirmProcess::verifySignature()
 	// check if sighax
 	else if (valid_signature == ValidState::Fail && is_sighax == true)
 	{
+		fmt::print(stderr, "[{} LOG] Signature for FIRM was invalid (SigHax).\n", mModuleLabel);
 		mSignatureState = SignatureState_SigHax;
 	}
 	else
 	{
+		fmt::print(stderr, "[{} LOG] Signature for FIRM was invalid.\n", mModuleLabel);
 		mSignatureState = SignatureState_Fail;
 	}
 }
diff --git a/ctrtool/src/IvfcProcess.cpp b/ctrtool/src/IvfcProcess.cpp
index 80343426..56c8579c 100644
--- a/ctrtool/src/IvfcProcess.cpp
+++ b/ctrtool/src/IvfcProcess.cpp
@@ -127,7 +127,7 @@ void ctrtool::IvfcProcess::verifyLevels()
 			{
 				if (mVerbose)
 				{
-					fmt::print("[LOG/IVFC] IVFC Layer {:d}, Block {:d} failed validation\n", i, j);
+					fmt::print(stderr, "[{} LOG] IVFC Layer {:d}, Block {:d} failed validation.\n", mModuleLabel, i, j);
 				}
 					
 			}
@@ -138,9 +138,10 @@ void ctrtool::IvfcProcess::verifyLevels()
 		}
 
 		mLevelValidation[i] = bad_blocks == 0? ValidState::Good : ValidState::Fail;
-		if (mVerbose)
+		
+		if (mLevelValidation[i] != ValidState::Good)
 		{
-			fmt::print("[LOG/IVFC] IVFC Layer {:d} {} validation\n", i, (mLevelValidation[i] == ValidState::Good ? "passed" : "failed"));
+			fmt::print(stderr, "[{} LOG] IVFC Layer {:d} failed validation.\n", mModuleLabel, i);
 		}
 	}
 }
diff --git a/ctrtool/src/NcchProcess.cpp b/ctrtool/src/NcchProcess.cpp
index d3ab0073..642b9dec 100644
--- a/ctrtool/src/NcchProcess.cpp
+++ b/ctrtool/src/NcchProcess.cpp
@@ -241,7 +241,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 	}
 	if (crypto_is_stripped)
 	{
-		fmt::print("[LOG/NCCH] NCCH appears to be decrypted, contrary to header flags.\n");
+		fmt::print(stderr, "[{} LOG] NCCH appears to be decrypted, contrary to header flags.\n", mModuleLabel);
 	}
 
 	// determine encryption mode
@@ -287,7 +287,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 				keyslot[0].valid_key = ValidState::Fail;
 				keyslot[1].valid_key = ValidState::Fail;
 
-				fmt::print(stderr, "Could not read {} fixed key.\n", (isSystemTitle()? "system" : "application"));
+				fmt::print(stderr, "[{} LOG] Could not load {} fixed key.\n", mModuleLabel, (isSystemTitle()? "system" : "application"));
 			}
 
 			// save keys
@@ -307,7 +307,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 			{
 				keyslot[0].valid_x = ValidState::Fail;
 
-				fmt::print(stderr, "Could not read secure key_x[0x{:02x}].\n", 0);
+				fmt::print(stderr, "[{} LOG] Could not load secure key_x[0x{:02x}].\n", mModuleLabel, 0);
 			}
 			else
 			{
@@ -328,7 +328,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 			{
 				keyslot[1].valid_x = ValidState::Fail;
 
-				fmt::print(stderr, "Could not read secure key_x[0x{:02x}].\n", security_version);
+				fmt::print(stderr, "[{} LOG] Could not read secure key_x[0x{:02x}].\n", mModuleLabel, security_version);
 			}
 			else
 			{
@@ -360,8 +360,8 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 				{
 					keyslot[1].valid_y = ValidState::Fail;
 
-					fmt::print(stderr, "This title uses seed crypto, but no seed is set, unable to decrypt.\n");
-					fmt::print(stderr, "Use -p to avoid decryption or use --seeddb=dbfile or --seed=SEEDHERE.\n");
+					fmt::print(stderr, "[{} LOG] This title uses seed crypto, but no seed is set, unable to decrypt.\n", mModuleLabel);
+					fmt::print(stderr, "         Use -p to avoid decryption or use --seeddb=dbfile or --seed=SEEDHERE.\n");
 				}
 
 				if (keyslot[1].valid_y != ValidState::Fail)
@@ -375,7 +375,8 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 					{
 						keyslot[1].valid_y = ValidState::Fail;
 
-						fmt::print(stderr, "Seed check mismatch. (Got {:08x}, expected: {:08x})\n",
+						fmt::print(stderr, "[{} LOG] Seed check mismatch. (Got {:08x}, expected: {:08x})\n",
+							mModuleLabel,
 							((tc::bn::be32<uint32_t>*)hash.data())->unwrap(),
 							((tc::bn::be32<uint32_t>*)mHeader.header.seed_checksum.data())->unwrap());
 					}
@@ -424,8 +425,8 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 		// output keys if required
 		if (mVerbose)
 		{
-			fmt::print("[LOG/NCCH] NCCH AES Key0 {}\n", (keyslot[0].valid_key ? tc::cli::FormatUtil::formatBytesAsString(keyslot[0].key.data(), keyslot[0].key.size(), true, "") : "could not be determined"));
-			fmt::print("[LOG/NCCH] NCCH AES Key1 {}\n", (keyslot[1].valid_key ? tc::cli::FormatUtil::formatBytesAsString(keyslot[1].key.data(), keyslot[1].key.size(), true, "") : "could not be determined"));
+			fmt::print(stderr, "[{} LOG] NCCH AES Key0 {}\n", mModuleLabel, (keyslot[0].valid_key ? tc::cli::FormatUtil::formatBytesAsString(keyslot[0].key.data(), keyslot[0].key.size(), true, "") : "could not be determined"));
+			fmt::print(stderr, "[{} LOG] NCCH AES Key1 {}\n", mModuleLabel, (keyslot[1].valid_key ? tc::cli::FormatUtil::formatBytesAsString(keyslot[1].key.data(), keyslot[1].key.size(), true, "") : "could not be determined"));
 		}
 
 		// generate aes counter
@@ -436,7 +437,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 
 			if (mVerbose)
 			{
-				fmt::print("[LOG/NCCH] NCCH ExHeader AES Counter {}\n", tc::cli::FormatUtil::formatBytesAsString(exheader_aesctr.data(), exheader_aesctr.size(), true, ""));
+				fmt::print(stderr, "[{} LOG] NCCH ExHeader AES Counter {}\n", mModuleLabel, tc::cli::FormatUtil::formatBytesAsString(exheader_aesctr.data(), exheader_aesctr.size(), true, ""));
 			}
 		}
 		if (mRegionInfo[NcchRegion_ExeFs].size)
@@ -445,7 +446,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 
 			if (mVerbose)
 			{
-				fmt::print("[LOG/NCCH] NCCH ExeFS AES Counter {}\n", tc::cli::FormatUtil::formatBytesAsString(exefs_aesctr.data(), exefs_aesctr.size(), true, ""));
+				fmt::print(stderr, "[{} LOG] NCCH ExeFS AES Counter {}\n", mModuleLabel, tc::cli::FormatUtil::formatBytesAsString(exefs_aesctr.data(), exefs_aesctr.size(), true, ""));
 			}
 		}
 		if (mRegionInfo[NcchRegion_RomFs].size)
@@ -454,7 +455,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 
 			if (mVerbose)
 			{
-				fmt::print("[LOG/NCCH] NCCH RomFS AES Counter {}\n", tc::cli::FormatUtil::formatBytesAsString(romfs_aesctr.data(), romfs_aesctr.size(), true, ""));
+				fmt::print(stderr, "[{} LOG] NCCH RomFS AES Counter {}\n", mModuleLabel, tc::cli::FormatUtil::formatBytesAsString(romfs_aesctr.data(), romfs_aesctr.size(), true, ""));
 			}
 		}
 
@@ -531,7 +532,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 			// otherwise use the "best-effort" single key stream (only icon and banner will be decrypt properly)
 			else
 			{
-				fmt::print(stderr, "Only NCCH key0 was determined, so ExeFS will be partially decrypted\n");
+				fmt::print(stderr, "[{} LOG] Only NCCH key0 was determined, ExeFS may be partially decrypted\n", mModuleLabel);
 				mRegionInfo[NcchRegion_ExeFs].ready_stream = std::shared_ptr<tc::crypto::Aes128CtrEncryptedStream>(new tc::crypto::Aes128CtrEncryptedStream(mRegionInfo[NcchRegion_ExeFs].raw_stream, keyslot[0].key, exefs_aesctr));
 			}
 		}
@@ -596,7 +597,7 @@ void ctrtool::NcchProcess::verifyRegions()
 			else
 			{
 				// cannot locate rsa key to verify
-				fmt::print(stderr, "Could not read CFA public key.\n");
+				fmt::print(stderr, "[{} LOG] Could not load CFA RSA2048 public key.\n", mModuleLabel);
 				mRegionInfo[NcchRegion_Header].valid = ValidState::Fail;
 			}
 			
@@ -621,36 +622,60 @@ void ctrtool::NcchProcess::verifyRegions()
 			else
 			{
 				// cannot locate rsa key to verify
-				fmt::print(stderr, "Could not read CXI public key from AccessDescriptor.\n");
+				fmt::print(stderr, "[{} LOG] Could not load CXI RSA2048 public key from AccessDescriptor.\n", mModuleLabel);
 				mRegionInfo[NcchRegion_Header].valid = ValidState::Fail;
 			}
 		}
+
+		if (mRegionInfo[NcchRegion_Header].valid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Signature for NcchHeader was invalid.\n", mModuleLabel);
+		}
 	}
 
 	// exheader hash
 	if (mRegionInfo[NcchRegion_ExHeader].hashed_size > 0)
 	{
 		mRegionInfo[NcchRegion_ExHeader].valid = memcmp(region_hashes[NcchRegion_ExHeader].data(), mHeader.header.exhdr_hash.data(), region_hashes[NcchRegion_ExHeader].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	
+		if (mRegionInfo[NcchRegion_ExHeader].valid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] ExtendedHeader SHA2-256 hash was invalid.\n", mModuleLabel);
+		}
 	}
 
 	// logo hash
 	if (mRegionInfo[NcchRegion_Logo].hashed_size > 0)
 	{
 		mRegionInfo[NcchRegion_Logo].valid = memcmp(region_hashes[NcchRegion_Logo].data(), mHeader.header.logo_hash.data(), region_hashes[NcchRegion_Logo].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	
+		if (mRegionInfo[NcchRegion_Logo].valid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Logo SHA2-256 hash was invalid.\n", mModuleLabel);
+		}
 	}
 
 	// exefs hash
 	if (mRegionInfo[NcchRegion_ExeFs].hashed_size > 0)
 	{
 		mRegionInfo[NcchRegion_ExeFs].valid = memcmp(region_hashes[NcchRegion_ExeFs].data(), mHeader.header.exefs_prot_hash.data(), region_hashes[NcchRegion_ExeFs].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	
+		if (mRegionInfo[NcchRegion_ExeFs].valid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] ExeFs SuperBlock SHA2-256 hash was invalid.\n", mModuleLabel);
+		}
 	}
 
 	// romfs hash
 	if (mRegionInfo[NcchRegion_RomFs].hashed_size > 0)
 	{
 		mRegionInfo[NcchRegion_RomFs].valid = memcmp(region_hashes[NcchRegion_RomFs].data(), mHeader.header.romfs_prot_hash.data(), region_hashes[NcchRegion_RomFs].size()) == 0 ? ValidState::Good : ValidState::Fail;
+	
+		if (mRegionInfo[NcchRegion_RomFs].valid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] RomFs SuperBlock SHA2-256 hash was invalid.\n", mModuleLabel);
+		}
 	}
-
 }
 
 void ctrtool::NcchProcess::printHeader()
diff --git a/ctrtool/src/RomFsProcess.cpp b/ctrtool/src/RomFsProcess.cpp
index dfbb2c08..cb362f57 100644
--- a/ctrtool/src/RomFsProcess.cpp
+++ b/ctrtool/src/RomFsProcess.cpp
@@ -200,7 +200,7 @@ void ctrtool::RomFsProcess::visitDir(const tc::io::Path& v_path, const tc::io::P
 			// build out path
 			out_path = l_path + *itr;
 
-			fmt::print("Saving {}...\n", out_path.to_string());
+			fmt::print(stderr, "[{} LOG] Saving {}...\n", mModuleLabel, out_path.to_string());
 
 			// begin export
 			mFsReader->openFile(v_path + *itr, tc::io::FileMode::Open, tc::io::FileAccess::Read, in_stream);
diff --git a/ctrtool/src/TikProcess.cpp b/ctrtool/src/TikProcess.cpp
index 598fca84..0fc7989b 100644
--- a/ctrtool/src/TikProcess.cpp
+++ b/ctrtool/src/TikProcess.cpp
@@ -93,7 +93,10 @@ void ctrtool::TikProcess::importData()
 		// determine title key
 		if (mKeyBag.common_key.find(mTicket.key_id) != mKeyBag.common_key.end())
 		{
-			fmt::print("[LOG] Decrypting titlekey from ticket.\n");
+			if (mVerbose)
+			{
+				fmt::print(stderr, "[{} LOG] Decrypting titlekey from ticket.\n", mModuleLabel);
+			}
 			
 			// get common key
 			auto common_key = mKeyBag.common_key[mTicket.key_id];
@@ -111,7 +114,7 @@ void ctrtool::TikProcess::importData()
 		}
 		else
 		{
-			fmt::print("[LOG] Cannot determine titlekey.\n");
+			fmt::print(stderr, "[{} LOG] Cannot determine titlekey.\n", mModuleLabel);
 		}
 	}
 
@@ -150,48 +153,71 @@ void ctrtool::TikProcess::verifyData()
 	// verify cert
 	for (size_t i = 0; i < mCertChain.size(); i++)
 	{
-		auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
 		auto local_issuer_itr = mCertImportedIssuerSigner.find(mCertChain[i].signature.issuer);
+		auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
 		
-		// try first with the keybag imported issuer
-		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		// first try with the issuer profiles imported from the local certificates
+		if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
 		{
-			mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
-		// fallback try with the issuer profiles imported from the local certificates
-		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		// fallback try with the keybag imported issuer
+		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
 		{
-			mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			// only show this warning for non-root signed certificates
+			if (mCertChain[i].signature.issuer != "Root")
+			{
+				fmt::print(stderr, "[{} LOG] Public key \"{}\" (for certificate \"{}\") was not present in the certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
+			}
+			mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "Could not read public key for \"{}\" (certificate).\n", mCertChain[i].signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not locate public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
 			mCertSigValid[i] = ValidState::Fail;
 		}
+
+		// log certificate signature validation error
+		if (mCertSigValid[i] != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Signature for Certificate \"{}\" was invalid.\n", mModuleLabel, mCertChain[i].signature.issuer);
+		}
 	}
 
 	// verify ticket
 	{
-		auto keybag_issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
+		// verify ticket
 		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTicket.signature.issuer);
+		auto keybag_issuer_itr = mIssuerSigner.find(mTicket.signature.issuer);
 
-		// try first with the keybag imported issuer
-		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		// first try with the issuer profiles imported from the local certificates
+		if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
 		{
-			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mTicketSigValid = local_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
-		// fallback try with the issuer profiles imported from the local certificates
-		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
+		// fallback try with the keybag imported issuer
+		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
 		{
-			mTicketSigValid = local_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			// only show this warning when there are certificates appended to the ticket (only tickets downloaded from CDN will have an appended certificate chain)
+			if (mCertChain.size() != 0)
+			{
+				fmt::print(stderr, "[{} LOG] Public key \"{}\" (for ticket) was not present in the appended certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTicket.signature.issuer);
+			}
+			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "Could not read public key for \"{}\" (ticket).\n", mTicket.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for ticket).\n", mModuleLabel, mTicket.signature.issuer);
 			mTicketSigValid = ValidState::Fail;
 		}
+
+		// log ticket signature validation error
+		if (mTicketSigValid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Signature for Ticket was invalid.\n", mModuleLabel);
+		}
 	}
 }
 
diff --git a/ctrtool/src/TmdProcess.cpp b/ctrtool/src/TmdProcess.cpp
index ba45c2c1..0fe136aa 100644
--- a/ctrtool/src/TmdProcess.cpp
+++ b/ctrtool/src/TmdProcess.cpp
@@ -125,48 +125,71 @@ void ctrtool::TmdProcess::verifyData()
 	// verify cert
 	for (size_t i = 0; i < mCertChain.size(); i++)
 	{
-		auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
 		auto local_issuer_itr = mCertImportedIssuerSigner.find(mCertChain[i].signature.issuer);
+		auto keybag_issuer_itr = mIssuerSigner.find(mCertChain[i].signature.issuer);
 		
-		// try first with the keybag imported issuer
-		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		// first try with the issuer profiles imported from the local certificates
+		if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
 		{
-			mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
-		// fallback try with the issuer profiles imported from the local certificates
-		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
+		// fallback try with the keybag imported issuer
+		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mCertChain[i].signature.sig_type)
 		{
-			mCertSigValid[i] = local_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			// only show this warning for non-root signed certificates
+			if (mCertChain[i].signature.issuer != "Root")
+			{
+				fmt::print(stderr, "[{} LOG] Public key \"{}\" (for certificate \"{}\") was not present in the certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
+			}
+			mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "Could not read public key for \"{}\" (certificate).\n", mCertChain[i].signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not locate public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
 			mCertSigValid[i] = ValidState::Fail;
 		}
+
+		// log certificate signature validation error
+		if (mCertSigValid[i] != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Signature for Certificate \"{}\" was invalid.\n", mModuleLabel, mCertChain[i].signature.issuer);
+		}
 	}
 
-	// verify tmd
+	// verify ticket
 	{
-		auto keybag_issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
+		// verify ticket
 		auto local_issuer_itr = mCertImportedIssuerSigner.find(mTitleMetaData.signature.issuer);
+		auto keybag_issuer_itr = mIssuerSigner.find(mTitleMetaData.signature.issuer);
 
-		// try first with the keybag imported issuer
-		if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		// first try with the issuer profiles imported from the local certificates
+		if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
 		{
-			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			mTitleMetaDataSigValid = local_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
-		// fallback try with the issuer profiles imported from the local certificates
-		else if (local_issuer_itr != mCertImportedIssuerSigner.end() && local_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
+		// fallback try with the keybag imported issuer
+		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
 		{
-			mTitleMetaDataSigValid = local_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
+			// only show this warning when there are certificates appended to the tmd (only tmd downloaded from CDN will have an appended certificate chain)
+			if (mCertChain.size() != 0)
+			{
+				fmt::print(stderr, "[{} LOG] Public key \"{}\" (for tmd) was not present in the appended certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			}
+			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "Could not read public key for \"{}\" (tmd).\n", mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			mTitleMetaDataSigValid = ValidState::Fail;
 		}
+
+		// log tmd signature validation error
+		if (mTitleMetaDataSigValid != ValidState::Good)
+		{
+			fmt::print(stderr, "[{} LOG] Signature for TitleMetaData was invalid.\n", mModuleLabel);
+		}
 	}
 }
 

From 247045ba8f69d3fc7c678a30d9cab6025a770f07 Mon Sep 17 00:00:00 2001
From: Jakcron <jakcron.dev@gmail.com>
Date: Fri, 15 Apr 2022 00:21:35 +0800
Subject: [PATCH 288/317] Extraction progress logs are now only shown in
 verbose mode.

---
 ctrtool/src/CciProcess.cpp   |  7 +++++--
 ctrtool/src/CiaProcess.cpp   | 27 ++++++++++++++++++++++-----
 ctrtool/src/ExeFsProcess.cpp | 19 ++++++++++++++-----
 ctrtool/src/FirmProcess.cpp  |  5 ++++-
 ctrtool/src/NcchProcess.cpp  | 18 +++++++++++-------
 ctrtool/src/RomFsProcess.cpp |  5 ++++-
 6 files changed, 60 insertions(+), 21 deletions(-)

diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
index 53201297..39c08c7d 100644
--- a/ctrtool/src/CciProcess.cpp
+++ b/ctrtool/src/CciProcess.cpp
@@ -209,7 +209,7 @@ void ctrtool::CciProcess::importHeader()
 		// Since CCM mode decrypts AND verifies, we should process the result here if required
 		if (mVerify)
 		{
-			mValidInitialDataMac = dec_result == 0 ? ValidState::Good :  ValidState::Fail;
+			mValidInitialDataMac = dec_result == 0 ? ValidState::Good : ValidState::Fail;
 
 			if (mValidInitialDataMac != ValidState::Good)
 			{
@@ -361,7 +361,10 @@ void ctrtool::CciProcess::extractFs()
 		// build out path
 		out_path = mExtractPath.get() + *itr;
 
-		fmt::print(stderr, "[{} LOG] Saving {}...\n", mModuleLabel, out_path.to_string());
+		if (mVerbose)
+		{
+			fmt::print(stderr, "[{} LOG] Saving {}...\n", mModuleLabel, out_path.to_string());
+		}
 
 		// begin export
 		mFsReader->openFile(*itr, tc::io::FileMode::Open, tc::io::FileAccess::Read, in_stream);
diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index 5e037f27..dd8f9a85 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -702,7 +702,11 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mCertSizeInfo.offset, mCertSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print(stderr, "[{} LOG] Saving certs to {}...\n", mModuleLabel, out_path.to_string());
+		if (mVerbose)
+		{
+			fmt::print(stderr, "[{} LOG] Saving certs to {}...\n", mModuleLabel, out_path.to_string());
+		}
+		
 		copyStream(in_stream, out_stream);
 	}
 
@@ -713,7 +717,10 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTikSizeInfo.offset, mTikSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print(stderr, "[{} LOG] Saving tik to {}...\n", mModuleLabel, out_path.to_string());
+		if (mVerbose)
+		{
+			fmt::print(stderr, "[{} LOG] Saving tik to {}...\n", mModuleLabel, out_path.to_string());
+		}
 		copyStream(in_stream, out_stream);
 	}
 
@@ -724,7 +731,10 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTmdSizeInfo.offset, mTmdSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print(stderr, "[{} LOG] Saving tmd to {}...\n", mModuleLabel, out_path.to_string());
+		if (mVerbose)
+		{
+			fmt::print(stderr, "[{} LOG] Saving tmd to {}...\n", mModuleLabel, out_path.to_string());
+		}
 		copyStream(in_stream, out_stream);
 	}
 
@@ -735,7 +745,10 @@ void ctrtool::CiaProcess::extractCia()
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mFooterSizeInfo.offset, mFooterSizeInfo.size));
 		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-		fmt::print(stderr, "[{} LOG] Saving meta to {}...\n", mModuleLabel, out_path.to_string());
+		if (mVerbose)
+		{
+			fmt::print(stderr, "[{} LOG] Saving meta to {}...\n", mModuleLabel, out_path.to_string());
+		}
 		copyStream(in_stream, out_stream);
 	}
 
@@ -758,7 +771,11 @@ void ctrtool::CiaProcess::extractCia()
 
 			out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
-			fmt::print(stderr, "[{} LOG] Saving content {:04x} to {}...\n", mModuleLabel, itr->second.cindex, out_path.to_string());
+			if (mVerbose)
+			{
+				fmt::print(stderr, "[{} LOG] Saving content {:04x} to {}...\n", mModuleLabel, itr->second.cindex, out_path.to_string());
+			}
+			
 			copyStream(in_stream, out_stream);
 		}
 	}
diff --git a/ctrtool/src/ExeFsProcess.cpp b/ctrtool/src/ExeFsProcess.cpp
index 3f2adba5..d2a068eb 100644
--- a/ctrtool/src/ExeFsProcess.cpp
+++ b/ctrtool/src/ExeFsProcess.cpp
@@ -223,8 +223,11 @@ void ctrtool::ExeFsProcess::extractFs()
 			}
 			if (test_hash != nullptr && memcmp(test_hash, hash.data(), hash.size()) == 0)
 			{
-				fmt::print(stderr, "[{} LOG] Decompressing file /{} to {}...\n", mModuleLabel, *itr, f_path.to_string());
-
+				if (mVerbose)
+				{
+					fmt::print(stderr, "[{} LOG] Decompressing {} to {}...\n", mModuleLabel, *itr, f_path.to_string());
+				}
+				
 				tc::ByteData decompdata = tc::ByteData(lzss_get_decompressed_size(compdata.data(), compdata.size()));
 				lzss_decompress(compdata.data(), compdata.size(), decompdata.data(), decompdata.size());
 
@@ -233,7 +236,10 @@ void ctrtool::ExeFsProcess::extractFs()
 			}
 			else
 			{
-				fmt::print(stderr, "[{} LOG] Saving file /{} to {}...\n", mModuleLabel, *itr, f_path.to_string());
+				if (mVerbose)
+				{
+					fmt::print(stderr, "[{} LOG] Saving {} to {}...\n", mModuleLabel, *itr, f_path.to_string());
+				}
 
 				out_stream->seek(0, tc::io::SeekOrigin::Begin);
 				out_stream->write(compdata.data(), compdata.size());
@@ -241,8 +247,11 @@ void ctrtool::ExeFsProcess::extractFs()
 		}
 		else
 		{
-			fmt::print(stderr, "[{} LOG] Saving file /{} to {}...\n", mModuleLabel, *itr, f_path.to_string());
-
+			if (mVerbose)
+			{
+				fmt::print(stderr, "[{} LOG] Saving {} to {}...\n", mModuleLabel, *itr, f_path.to_string());
+			}
+			
 			tc::ByteData filedata = tc::ByteData(in_stream->length());
 			in_stream->seek(0, tc::io::SeekOrigin::Begin);
 			in_stream->read(filedata.data(), filedata.size());
diff --git a/ctrtool/src/FirmProcess.cpp b/ctrtool/src/FirmProcess.cpp
index c98f9e05..671d27fd 100644
--- a/ctrtool/src/FirmProcess.cpp
+++ b/ctrtool/src/FirmProcess.cpp
@@ -311,7 +311,10 @@ void ctrtool::FirmProcess::extractSections()
 			local_fs.createDirectory(mExtractPath.get());
 			local_fs.openFile(f_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
 
-			fmt::print("Saving section {} to {}...\n", i, f_path.to_string());
+			if (mVerbose)
+			{
+				fmt::print(stderr, "[{} LOG] Saving section {} to {}...\n", mModuleLabel, i, f_path.to_string());
+			}
 
 			tc::ByteData filedata = tc::ByteData(in_stream->length());
 			in_stream->seek(0, tc::io::SeekOrigin::Begin);
diff --git a/ctrtool/src/NcchProcess.cpp b/ctrtool/src/NcchProcess.cpp
index 642b9dec..21ac722b 100644
--- a/ctrtool/src/NcchProcess.cpp
+++ b/ctrtool/src/NcchProcess.cpp
@@ -768,15 +768,19 @@ void ctrtool::NcchProcess::extractRegionBinaries()
 	{
 		if (mRegionOpt[i].bin_extract_path.isSet() && mRegionInfo[i].ready_stream != nullptr)
 		{
-			switch(i)
+			if (mVerbose)
 			{
-				case NcchRegion_Header: fmt::print("Saving Header...\n"); break;
-				case NcchRegion_ExHeader: fmt::print("Saving Extended Header...\n"); break;
-				case NcchRegion_PlainRegion: fmt::print("Saving Plain Region...\n"); break;
-				case NcchRegion_Logo: fmt::print("Saving Logo...\n"); break;
-				case NcchRegion_ExeFs: fmt::print("Saving ExeFS...\n"); break;
-				case NcchRegion_RomFs: fmt::print("Saving RomFS...\n"); break;
+				switch(i)
+				{
+					case NcchRegion_Header: fmt::print(stderr, "[{} LOG] Saving Header...\n", mModuleLabel); break;
+					case NcchRegion_ExHeader: fmt::print(stderr, "[{} LOG] Saving Extended Header...\n", mModuleLabel); break;
+					case NcchRegion_PlainRegion: fmt::print(stderr, "[{} LOG] Saving Plain Region...\n", mModuleLabel); break;
+					case NcchRegion_Logo: fmt::print(stderr, "[{} LOG] Saving Logo...\n", mModuleLabel); break;
+					case NcchRegion_ExeFs: fmt::print(stderr, "[{} LOG] Saving ExeFS...\n", mModuleLabel); break;
+					case NcchRegion_RomFs: fmt::print(stderr, "[{} LOG] Saving RomFS...\n", mModuleLabel); break;
+				}
 			}
+			
 
 			in_stream = mRegionInfo[i].ready_stream;
 			local_fs.openFile(mRegionOpt[i].bin_extract_path.get(), tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write, out_stream);
diff --git a/ctrtool/src/RomFsProcess.cpp b/ctrtool/src/RomFsProcess.cpp
index cb362f57..cc1bc739 100644
--- a/ctrtool/src/RomFsProcess.cpp
+++ b/ctrtool/src/RomFsProcess.cpp
@@ -200,7 +200,10 @@ void ctrtool::RomFsProcess::visitDir(const tc::io::Path& v_path, const tc::io::P
 			// build out path
 			out_path = l_path + *itr;
 
-			fmt::print(stderr, "[{} LOG] Saving {}...\n", mModuleLabel, out_path.to_string());
+			if (mVerbose)
+			{
+				fmt::print(stderr, "[{} LOG] Saving {}...\n", mModuleLabel, out_path.to_string());
+			}
 
 			// begin export
 			mFsReader->openFile(v_path + *itr, tc::io::FileMode::Open, tc::io::FileAccess::Read, in_stream);

From be1394234a4c65c006cb34a11964d96737077acf Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Fri, 15 Apr 2022 11:26:20 +0800
Subject: [PATCH 289/317] Tag error output as [ctrtool::ClassName ERROR],
 leaving warnings/progress indicators as [ctrtool::ClassName LOG]

---
 ctrtool/src/CciProcess.cpp      | 10 +++++-----
 ctrtool/src/CiaProcess.cpp      | 26 ++++++++++++-------------
 ctrtool/src/CrrProcess.cpp      |  8 ++++----
 ctrtool/src/ExHeaderProcess.cpp | 34 ++++++++++++++++-----------------
 ctrtool/src/ExeFsProcess.cpp    |  2 +-
 ctrtool/src/FirmProcess.cpp     | 10 +++++-----
 ctrtool/src/IvfcProcess.cpp     |  4 ++--
 ctrtool/src/NcchProcess.cpp     | 32 +++++++++++++++----------------
 ctrtool/src/TikProcess.cpp      |  6 +++---
 ctrtool/src/TmdProcess.cpp      | 12 ++++++------
 10 files changed, 72 insertions(+), 72 deletions(-)

diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
index 39c08c7d..f1bc54d1 100644
--- a/ctrtool/src/CciProcess.cpp
+++ b/ctrtool/src/CciProcess.cpp
@@ -213,7 +213,7 @@ void ctrtool::CciProcess::importHeader()
 
 			if (mValidInitialDataMac != ValidState::Good)
 			{
-				fmt::print(stderr, "[{} LOG] InitialData MAC was invalid.\n", mModuleLabel);
+				fmt::print(stderr, "[{} ERROR] InitialData MAC was invalid.\n", mModuleLabel);
 			}
 		}
 
@@ -231,7 +231,7 @@ void ctrtool::CciProcess::importHeader()
 	else
 	{
 		// no initial data key
-		fmt::print(stderr, "[{} LOG] Failed to determine key to decrypt InitialData.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Failed to determine key to decrypt InitialData.\n", mModuleLabel);
 	}
 
 	// open fs reader
@@ -252,13 +252,13 @@ void ctrtool::CciProcess::verifyHeader()
 	}
 	else
 	{
-		fmt::print(stderr, "[{} LOG] Could not load CCI RSA2048 public key.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Could not load CCI RSA2048 public key.\n", mModuleLabel);
 		mValidSignature = ValidState::Fail;
 	}
 
 	if (mValidSignature != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] Signature for NcsdCommonHeader was invalid.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Signature for NcsdCommonHeader was invalid.\n", mModuleLabel);
 	}
 }
 
@@ -391,7 +391,7 @@ void ctrtool::CciProcess::processContent()
 {
 	if (mContentIndex >= ntd::n3ds::NcsdCommonHeader::kPartitionNum)
 	{
-		fmt::print(stderr, "[{} LOG] Content index {:d} isn't valid for CCI, use index 0-7, defaulting to 0 now.\n", mModuleLabel, mContentIndex);
+		fmt::print(stderr, "[{} ERROR] Content index {:d} isn't valid for CCI, use index 0-7, defaulting to 0 now.\n", mModuleLabel, mContentIndex);
 		mContentIndex = 0;
 	}
 	if (mHeader.ncsd_header.partition_offsetsize[mContentIndex].blk_size.unwrap() != 0)
diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index dd8f9a85..6b89d7ab 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -323,7 +323,7 @@ void ctrtool::CiaProcess::importHeader()
 			}
 			else
 			{
-				fmt::print(stderr, "[{} LOG] Cannot determine titlekey.\n", mModuleLabel);
+				fmt::print(stderr, "[{} ERROR] Cannot determine titlekey.\n", mModuleLabel);
 			}
 		}
 		else
@@ -418,21 +418,21 @@ void ctrtool::CiaProcess::verifyMetadata()
 				// only show this warning for non-root signed certificates
 				if (mCertChain[i].signature.issuer != "Root")
 				{
-					fmt::print(stderr, "[{} LOG] Public key \"{}\" (for certificate \"{}\") was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
+					fmt::print(stderr, "[{} ERROR] Public key \"{}\" (for certificate \"{}\") was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
 				}
 				mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 			}
 			else
 			{
 				// cannot locate rsa key to verify
-				fmt::print(stderr, "[{} LOG] Could not locate public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
+				fmt::print(stderr, "[{} ERROR] Could not locate public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
 				mCertSigValid[i] = ValidState::Fail;
 			}
 
 			// log certificate signature validation error
 			if (mCertSigValid[i] != ValidState::Good)
 			{
-				fmt::print(stderr, "[{} LOG] Signature for Certificate \"{}\" was invalid.\n", mModuleLabel, mCertChain[i].signature.issuer);
+				fmt::print(stderr, "[{} ERROR] Signature for Certificate \"{}\" was invalid.\n", mModuleLabel, mCertChain[i].signature.issuer);
 			}
 		}
 	}
@@ -450,20 +450,20 @@ void ctrtool::CiaProcess::verifyMetadata()
 		// fallback try with the keybag imported issuer
 		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTicket.signature.sig_type)
 		{
-			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for ticket) was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTicket.signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Public key \"{}\" (for ticket) was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTicket.signature.issuer);
 			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for ticket).\n", mModuleLabel, mTicket.signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Could not locate public key \"{}\" (for ticket).\n", mModuleLabel, mTicket.signature.issuer);
 			mTicketSigValid = ValidState::Fail;
 		}
 
 		// log ticket signature validation error
 		if (mTicketSigValid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for Ticket was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] Signature for Ticket was invalid.\n", mModuleLabel);
 		}
 	}
 	if (mHeader.format_version.unwrap() == ntd::n3ds::CiaHeader::FormatVersion_Default && mTmdSizeInfo.size > 0)
@@ -480,20 +480,20 @@ void ctrtool::CiaProcess::verifyMetadata()
 		// fallback try with the keybag imported issuer
 		else if (keybag_issuer_itr != mIssuerSigner.end() && keybag_issuer_itr->second->getSigType() == mTitleMetaData.signature.sig_type)
 		{
-			fmt::print(stderr, "[{} LOG] Public key \"{}\" (for tmd) was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Public key \"{}\" (for tmd) was not present in the CIA certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Could not locate public key \"{}\" (for tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			mTitleMetaDataSigValid = ValidState::Fail;
 		}
 
 		// log tmd signature validation error
 		if (mTitleMetaDataSigValid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for TitleMetaData was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] Signature for TitleMetaData was invalid.\n", mModuleLabel);
 		}
 	}
 }
@@ -546,7 +546,7 @@ void ctrtool::CiaProcess::verifyContent()
 
 			if (itr->second.valid_state != ValidState::Good)
 			{
-				fmt::print(stderr, "[{} LOG] Hash for content (index=0x{:04x}, id=0x{:08x}) was invalid.\n", mModuleLabel, itr->second.cindex, itr->second.cid);
+				fmt::print(stderr, "[{} ERROR] Hash for content (index=0x{:04x}, id=0x{:08x}) was invalid.\n", mModuleLabel, itr->second.cindex, itr->second.cid);
 			}
 		}
 	}
@@ -806,7 +806,7 @@ void ctrtool::CiaProcess::processContent()
 {
 	if (mContentIndex >= ntd::n3ds::CiaHeader::kCiaMaxContentNum)
 	{
-		fmt::print(stderr, "[{} LOG] Content index {:d} isn't valid for CIA, use index 0-{:d}, defaulting to 0 now.\n", mModuleLabel, mContentIndex, ((size_t)ntd::n3ds::CiaHeader::kCiaMaxContentNum)-1);
+		fmt::print(stderr, "[{} ERROR] Content index {:d} isn't valid for CIA, use index 0-{:d}, defaulting to 0 now.\n", mModuleLabel, mContentIndex, ((size_t)ntd::n3ds::CiaHeader::kCiaMaxContentNum)-1);
 		mContentIndex = 0;
 	}
 	if (mContentInfo.find(mContentIndex) != mContentInfo.end() && mContentInfo[mContentIndex].size != 0)
@@ -828,7 +828,7 @@ void ctrtool::CiaProcess::processContent()
 		}
 		else
 		{
-			fmt::print(stderr, "[{} LOG] TWL title processing not supported\n", mModuleLabel);
+			throw tc::NotImplementedException(mModuleLabel, "TWL title processing not supported.");
 		}
 	}
 }
diff --git a/ctrtool/src/CrrProcess.cpp b/ctrtool/src/CrrProcess.cpp
index bffd1b5c..90aba6e6 100644
--- a/ctrtool/src/CrrProcess.cpp
+++ b/ctrtool/src/CrrProcess.cpp
@@ -124,7 +124,7 @@ void ctrtool::CrrProcess::verifyData()
 	}
 	else
 	{
-		fmt::print(stderr, "[{} LOG] Could not read static CRR public key.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Could not read static CRR public key.\n", mModuleLabel);
 		mValidCertificateSignature = ValidState::Fail;
 	}
 
@@ -149,15 +149,15 @@ void ctrtool::CrrProcess::verifyData()
 	// log validation errors
 	if (mValidCertificateSignature != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] Signature for CRR Certificate was invalid.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Signature for CRR Certificate was invalid.\n", mModuleLabel);
 	}
 	if (mValidBodySignature != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] Signature for CRR Body was invalid.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Signature for CRR Body was invalid.\n", mModuleLabel);
 	}
 	if (mValidUniqueId != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] CRR UniqueId was invalid.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] CRR UniqueId was invalid.\n", mModuleLabel);
 	}
 }
 
diff --git a/ctrtool/src/ExHeaderProcess.cpp b/ctrtool/src/ExHeaderProcess.cpp
index ebaf9c84..be07f417 100644
--- a/ctrtool/src/ExHeaderProcess.cpp
+++ b/ctrtool/src/ExHeaderProcess.cpp
@@ -96,13 +96,13 @@ void ctrtool::ExHeaderProcess::verifyExHeader()
 	}
 	else
 	{
-		fmt::print(stderr, "[{} LOG] Could not load AccessDescriptor RSA2048 public key.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Could not load AccessDescriptor RSA2048 public key.\n", mModuleLabel);
 		mValidSignature = ValidState::Fail;
 	}
 
 	if (mValidSignature != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] Signature for AccessDescriptor was invalid.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Signature for AccessDescriptor was invalid.\n", mModuleLabel);
 	}
 
 	mValidLocalCaps.system_save_id[0] = ValidState::Good;
@@ -191,7 +191,7 @@ void ctrtool::ExHeaderProcess::verifyExHeader()
 			mValidLocalCaps.fs_access = ValidState::Fail;
 			if (mVerbose)
 			{
-				fmt::print(stderr, "[{} LOG] FsAccess Bit {:d} was not permitted\n", mModuleLabel, fs_bit);
+				fmt::print(stderr, "[{} ERROR] FsAccess Bit {:d} was not permitted\n", mModuleLabel, fs_bit);
 			}
 		}
 	}
@@ -218,64 +218,64 @@ void ctrtool::ExHeaderProcess::verifyExHeader()
 			mValidLocalCaps.service_control = Fail;
 			if (mVerbose)
 			{
-				fmt::print(stderr, "[{} LOG] Service \"{}\" was not permitted\n", mModuleLabel, exhdr_service_access_control[i].decode());
+				fmt::print(stderr, "[{} ERROR] Service \"{}\" was not permitted\n", mModuleLabel, exhdr_service_access_control[i].decode());
 			}
 		}
 	}
 
 	if (mValidLocalCaps.system_save_id[0] != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemSaveId1");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemSaveId1");
 	}
 	if (mValidLocalCaps.system_save_id[1] != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemSaveId2");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemSaveId2");
 	}
 	if (mValidLocalCaps.fs_access != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "FsAccess");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "FsAccess");
 	}
 	/*
 	if (mValidLocalCaps.core_version != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "CoreVersion");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "CoreVersion");
 	}
 	*/
 	if (mValidLocalCaps.program_id != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ProgramId");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ProgramId");
 	}
 	if (mValidLocalCaps.priority != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ThreadPriority");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ThreadPriority");
 	}
 	if (mValidLocalCaps.affinity_mask != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "AffinityMask");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "AffinityMask");
 	}
 	if (mValidLocalCaps.ideal_processor != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "IdealProcessor");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "IdealProcessor");
 	}
 	if (mValidLocalCaps.old3ds_system_mode != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemMode (Old3DS)");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemMode (Old3DS)");
 	}
 	if (mValidLocalCaps.new3ds_system_mode != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemMode (New3DS)");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "SystemMode (New3DS)");
 	}
 	if (mValidLocalCaps.enable_l2_cache != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "EnableL2Cache");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "EnableL2Cache");
 	}
 	if (mValidLocalCaps.new3ds_cpu_speed != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "CpuSpeed");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "CpuSpeed");
 	}
 	if (mValidLocalCaps.service_control != ValidState::Good)
 	{
-		fmt::print(stderr, "[{} LOG] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ServiceAccess");
+		fmt::print(stderr, "[{} ERROR] {} was not permmited by AccessDescriptor.\n", mModuleLabel, "ServiceAccess");
 	}
 }
 
diff --git a/ctrtool/src/ExeFsProcess.cpp b/ctrtool/src/ExeFsProcess.cpp
index d2a068eb..3d6c62f7 100644
--- a/ctrtool/src/ExeFsProcess.cpp
+++ b/ctrtool/src/ExeFsProcess.cpp
@@ -134,7 +134,7 @@ void ctrtool::ExeFsProcess::verifyFs()
 
 			if (mSectionValidation[i] != ValidState::Good)
 			{
-				fmt::print(stderr, "[{} LOG] ExeFs file \"{}\" had an invalid SHA2-256 hash.\n", mModuleLabel, mHeader.file_table[i].name.decode());
+				fmt::print(stderr, "[{} ERROR] ExeFs file \"{}\" had an invalid SHA2-256 hash.\n", mModuleLabel, mHeader.file_table[i].name.decode());
 			}
 		}
 	}
diff --git a/ctrtool/src/FirmProcess.cpp b/ctrtool/src/FirmProcess.cpp
index 671d27fd..d979d95a 100644
--- a/ctrtool/src/FirmProcess.cpp
+++ b/ctrtool/src/FirmProcess.cpp
@@ -191,7 +191,7 @@ void ctrtool::FirmProcess::verifyHashes()
 
 			if (mValidFirmSectionHash[i] != ValidState::Good)
 			{
-				fmt::print(stderr, "[{} LOG] FIRM section {:d} SHA2-256 hash was invalid.\n", mModuleLabel, i);
+				fmt::print(stderr, "[{} ERROR] FIRM section {:d} SHA2-256 hash was invalid.\n", mModuleLabel, i);
 			}
 		}
 	}
@@ -231,7 +231,7 @@ void ctrtool::FirmProcess::verifySignature()
 	}
 	else
 	{
-		fmt::print(stderr, "[{} LOG] Could not load {} RSA2048 public key.\n", mModuleLabel, key_id == mKeyBag.RSAKEY_FIRM_NAND ? "FIRM_NAND" : "FIRM_RECOVERY");
+		fmt::print(stderr, "[{} ERROR] Could not load {} RSA2048 public key.\n", mModuleLabel, key_id == mKeyBag.RSAKEY_FIRM_NAND ? "FIRM_NAND" : "FIRM_RECOVERY");
 		valid_signature = ValidState::Fail;
 	}
 
@@ -244,7 +244,7 @@ void ctrtool::FirmProcess::verifySignature()
 	}
 	else
 	{
-		fmt::print(stderr, "[{} LOG] Could not load {} SigHax RSA2048 signature.\n", mModuleLabel, key_id == mKeyBag.RSAKEY_FIRM_NAND ? "FIRM_NAND" : "FIRM_RECOVERY");
+		fmt::print(stderr, "[{} ERROR] Could not load {} SigHax RSA2048 signature.\n", mModuleLabel, key_id == mKeyBag.RSAKEY_FIRM_NAND ? "FIRM_NAND" : "FIRM_RECOVERY");
 		is_sighax = false;
 	}
 
@@ -256,12 +256,12 @@ void ctrtool::FirmProcess::verifySignature()
 	// check if sighax
 	else if (valid_signature == ValidState::Fail && is_sighax == true)
 	{
-		fmt::print(stderr, "[{} LOG] Signature for FIRM was invalid (SigHax).\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Signature for FIRM was invalid (SigHax).\n", mModuleLabel);
 		mSignatureState = SignatureState_SigHax;
 	}
 	else
 	{
-		fmt::print(stderr, "[{} LOG] Signature for FIRM was invalid.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] Signature for FIRM was invalid.\n", mModuleLabel);
 		mSignatureState = SignatureState_Fail;
 	}
 }
diff --git a/ctrtool/src/IvfcProcess.cpp b/ctrtool/src/IvfcProcess.cpp
index 56c8579c..2550c5e2 100644
--- a/ctrtool/src/IvfcProcess.cpp
+++ b/ctrtool/src/IvfcProcess.cpp
@@ -127,7 +127,7 @@ void ctrtool::IvfcProcess::verifyLevels()
 			{
 				if (mVerbose)
 				{
-					fmt::print(stderr, "[{} LOG] IVFC Layer {:d}, Block {:d} failed validation.\n", mModuleLabel, i, j);
+					fmt::print(stderr, "[{} ERROR] IVFC Layer {:d}, Block {:d} failed validation.\n", mModuleLabel, i, j);
 				}
 					
 			}
@@ -141,7 +141,7 @@ void ctrtool::IvfcProcess::verifyLevels()
 		
 		if (mLevelValidation[i] != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] IVFC Layer {:d} failed validation.\n", mModuleLabel, i);
+			fmt::print(stderr, "[{} ERROR] IVFC Layer {:d} failed validation.\n", mModuleLabel, i);
 		}
 	}
 }
diff --git a/ctrtool/src/NcchProcess.cpp b/ctrtool/src/NcchProcess.cpp
index 21ac722b..30417229 100644
--- a/ctrtool/src/NcchProcess.cpp
+++ b/ctrtool/src/NcchProcess.cpp
@@ -241,7 +241,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 	}
 	if (crypto_is_stripped)
 	{
-		fmt::print(stderr, "[{} LOG] NCCH appears to be decrypted, contrary to header flags.\n", mModuleLabel);
+		fmt::print(stderr, "[{} ERROR] NCCH appears to be decrypted, contrary to header flags.\n", mModuleLabel);
 	}
 
 	// determine encryption mode
@@ -287,7 +287,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 				keyslot[0].valid_key = ValidState::Fail;
 				keyslot[1].valid_key = ValidState::Fail;
 
-				fmt::print(stderr, "[{} LOG] Could not load {} fixed key.\n", mModuleLabel, (isSystemTitle()? "system" : "application"));
+				fmt::print(stderr, "[{} ERROR] Could not load {} fixed key.\n", mModuleLabel, (isSystemTitle()? "system" : "application"));
 			}
 
 			// save keys
@@ -307,7 +307,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 			{
 				keyslot[0].valid_x = ValidState::Fail;
 
-				fmt::print(stderr, "[{} LOG] Could not load secure key_x[0x{:02x}].\n", mModuleLabel, 0);
+				fmt::print(stderr, "[{} ERROR] Could not load secure key_x[0x{:02x}].\n", mModuleLabel, 0);
 			}
 			else
 			{
@@ -328,7 +328,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 			{
 				keyslot[1].valid_x = ValidState::Fail;
 
-				fmt::print(stderr, "[{} LOG] Could not read secure key_x[0x{:02x}].\n", mModuleLabel, security_version);
+				fmt::print(stderr, "[{} ERROR] Could not load secure key_x[0x{:02x}].\n", mModuleLabel, security_version);
 			}
 			else
 			{
@@ -360,7 +360,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 				{
 					keyslot[1].valid_y = ValidState::Fail;
 
-					fmt::print(stderr, "[{} LOG] This title uses seed crypto, but no seed is set, unable to decrypt.\n", mModuleLabel);
+					fmt::print(stderr, "[{} ERROR] This title uses seed crypto, but no seed is set, unable to decrypt.\n", mModuleLabel);
 					fmt::print(stderr, "         Use -p to avoid decryption or use --seeddb=dbfile or --seed=SEEDHERE.\n");
 				}
 
@@ -375,7 +375,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 					{
 						keyslot[1].valid_y = ValidState::Fail;
 
-						fmt::print(stderr, "[{} LOG] Seed check mismatch. (Got {:08x}, expected: {:08x})\n",
+						fmt::print(stderr, "[{} ERROR] Seed check mismatch. (Got {:08x}, expected: {:08x})\n",
 							mModuleLabel,
 							((tc::bn::be32<uint32_t>*)hash.data())->unwrap(),
 							((tc::bn::be32<uint32_t>*)mHeader.header.seed_checksum.data())->unwrap());
@@ -532,7 +532,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 			// otherwise use the "best-effort" single key stream (only icon and banner will be decrypt properly)
 			else
 			{
-				fmt::print(stderr, "[{} LOG] Only NCCH key0 was determined, ExeFS may be partially decrypted\n", mModuleLabel);
+				fmt::print(stderr, "[{} ERROR] Only NCCH key0 was determined, ExeFS may be partially decrypted\n", mModuleLabel);
 				mRegionInfo[NcchRegion_ExeFs].ready_stream = std::shared_ptr<tc::crypto::Aes128CtrEncryptedStream>(new tc::crypto::Aes128CtrEncryptedStream(mRegionInfo[NcchRegion_ExeFs].raw_stream, keyslot[0].key, exefs_aesctr));
 			}
 		}
@@ -597,7 +597,7 @@ void ctrtool::NcchProcess::verifyRegions()
 			else
 			{
 				// cannot locate rsa key to verify
-				fmt::print(stderr, "[{} LOG] Could not load CFA RSA2048 public key.\n", mModuleLabel);
+				fmt::print(stderr, "[{} ERROR] Could not load CFA RSA2048 public key.\n", mModuleLabel);
 				mRegionInfo[NcchRegion_Header].valid = ValidState::Fail;
 			}
 			
@@ -622,14 +622,14 @@ void ctrtool::NcchProcess::verifyRegions()
 			else
 			{
 				// cannot locate rsa key to verify
-				fmt::print(stderr, "[{} LOG] Could not load CXI RSA2048 public key from AccessDescriptor.\n", mModuleLabel);
+				fmt::print(stderr, "[{} ERROR] Could not load CXI RSA2048 public key from AccessDescriptor.\n", mModuleLabel);
 				mRegionInfo[NcchRegion_Header].valid = ValidState::Fail;
 			}
 		}
 
 		if (mRegionInfo[NcchRegion_Header].valid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for NcchHeader was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] Signature for NcchHeader was invalid.\n", mModuleLabel);
 		}
 	}
 
@@ -640,7 +640,7 @@ void ctrtool::NcchProcess::verifyRegions()
 	
 		if (mRegionInfo[NcchRegion_ExHeader].valid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] ExtendedHeader SHA2-256 hash was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] ExtendedHeader SHA2-256 hash was invalid.\n", mModuleLabel);
 		}
 	}
 
@@ -651,7 +651,7 @@ void ctrtool::NcchProcess::verifyRegions()
 	
 		if (mRegionInfo[NcchRegion_Logo].valid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Logo SHA2-256 hash was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] Logo SHA2-256 hash was invalid.\n", mModuleLabel);
 		}
 	}
 
@@ -662,7 +662,7 @@ void ctrtool::NcchProcess::verifyRegions()
 	
 		if (mRegionInfo[NcchRegion_ExeFs].valid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] ExeFs SuperBlock SHA2-256 hash was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] ExeFs SuperBlock SHA2-256 hash was invalid.\n", mModuleLabel);
 		}
 	}
 
@@ -673,7 +673,7 @@ void ctrtool::NcchProcess::verifyRegions()
 	
 		if (mRegionInfo[NcchRegion_RomFs].valid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] RomFs SuperBlock SHA2-256 hash was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] RomFs SuperBlock SHA2-256 hash was invalid.\n", mModuleLabel);
 		}
 	}
 }
@@ -776,8 +776,8 @@ void ctrtool::NcchProcess::extractRegionBinaries()
 					case NcchRegion_ExHeader: fmt::print(stderr, "[{} LOG] Saving Extended Header...\n", mModuleLabel); break;
 					case NcchRegion_PlainRegion: fmt::print(stderr, "[{} LOG] Saving Plain Region...\n", mModuleLabel); break;
 					case NcchRegion_Logo: fmt::print(stderr, "[{} LOG] Saving Logo...\n", mModuleLabel); break;
-					case NcchRegion_ExeFs: fmt::print(stderr, "[{} LOG] Saving ExeFS...\n", mModuleLabel); break;
-					case NcchRegion_RomFs: fmt::print(stderr, "[{} LOG] Saving RomFS...\n", mModuleLabel); break;
+					case NcchRegion_ExeFs: fmt::print(stderr, "[{} LOG] Saving ExeFs...\n", mModuleLabel); break;
+					case NcchRegion_RomFs: fmt::print(stderr, "[{} LOG] Saving RomFs...\n", mModuleLabel); break;
 				}
 			}
 			
diff --git a/ctrtool/src/TikProcess.cpp b/ctrtool/src/TikProcess.cpp
index 0fc7989b..71042fdb 100644
--- a/ctrtool/src/TikProcess.cpp
+++ b/ctrtool/src/TikProcess.cpp
@@ -202,21 +202,21 @@ void ctrtool::TikProcess::verifyData()
 			// only show this warning when there are certificates appended to the ticket (only tickets downloaded from CDN will have an appended certificate chain)
 			if (mCertChain.size() != 0)
 			{
-				fmt::print(stderr, "[{} LOG] Public key \"{}\" (for ticket) was not present in the appended certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTicket.signature.issuer);
+				fmt::print(stderr, "[{} ERROR] Public key \"{}\" (for ticket) was not present in the appended certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTicket.signature.issuer);
 			}
 			mTicketSigValid = keybag_issuer_itr->second->verifyHash(mTicket.calculated_hash.data(), mTicket.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for ticket).\n", mModuleLabel, mTicket.signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Could not locate public key \"{}\" (for ticket).\n", mModuleLabel, mTicket.signature.issuer);
 			mTicketSigValid = ValidState::Fail;
 		}
 
 		// log ticket signature validation error
 		if (mTicketSigValid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for Ticket was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] Signature for Ticket was invalid.\n", mModuleLabel);
 		}
 	}
 }
diff --git a/ctrtool/src/TmdProcess.cpp b/ctrtool/src/TmdProcess.cpp
index 0fe136aa..3d469b59 100644
--- a/ctrtool/src/TmdProcess.cpp
+++ b/ctrtool/src/TmdProcess.cpp
@@ -139,21 +139,21 @@ void ctrtool::TmdProcess::verifyData()
 			// only show this warning for non-root signed certificates
 			if (mCertChain[i].signature.issuer != "Root")
 			{
-				fmt::print(stderr, "[{} LOG] Public key \"{}\" (for certificate \"{}\") was not present in the certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
+				fmt::print(stderr, "[{} ERROR] Public key \"{}\" (for certificate \"{}\") was not present in the certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mCertChain[i].signature.issuer, mCertChain[i].subject);
 			}
 			mCertSigValid[i] = keybag_issuer_itr->second->verifyHash(mCertChain[i].calculated_hash.data(), mCertChain[i].signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "[{} LOG] Could not locate public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Could not locate public key for \"{}\" (certificate).\n", mModuleLabel, mCertChain[i].signature.issuer);
 			mCertSigValid[i] = ValidState::Fail;
 		}
 
 		// log certificate signature validation error
 		if (mCertSigValid[i] != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for Certificate \"{}\" was invalid.\n", mModuleLabel, mCertChain[i].signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Signature for Certificate \"{}\" was invalid.\n", mModuleLabel, mCertChain[i].signature.issuer);
 		}
 	}
 
@@ -174,21 +174,21 @@ void ctrtool::TmdProcess::verifyData()
 			// only show this warning when there are certificates appended to the tmd (only tmd downloaded from CDN will have an appended certificate chain)
 			if (mCertChain.size() != 0)
 			{
-				fmt::print(stderr, "[{} LOG] Public key \"{}\" (for tmd) was not present in the appended certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
+				fmt::print(stderr, "[{} ERROR] Public key \"{}\" (for tmd) was not present in the appended certificate chain. The public key included with CTRTool was used instead.\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			}
 			mTitleMetaDataSigValid = keybag_issuer_itr->second->verifyHash(mTitleMetaData.calculated_hash.data(), mTitleMetaData.signature.sig.data()) ? ValidState::Good : ValidState::Fail;
 		}
 		else
 		{
 			// cannot locate rsa key to verify
-			fmt::print(stderr, "[{} LOG] Could not locate public key \"{}\" (for tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
+			fmt::print(stderr, "[{} ERROR] Could not locate public key \"{}\" (for tmd).\n", mModuleLabel, mTitleMetaData.signature.issuer);
 			mTitleMetaDataSigValid = ValidState::Fail;
 		}
 
 		// log tmd signature validation error
 		if (mTitleMetaDataSigValid != ValidState::Good)
 		{
-			fmt::print(stderr, "[{} LOG] Signature for TitleMetaData was invalid.\n", mModuleLabel);
+			fmt::print(stderr, "[{} ERROR] Signature for TitleMetaData was invalid.\n", mModuleLabel);
 		}
 	}
 }

From e1a6f9101d024c2283312143f3a31a0419fb0693 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Fri, 15 Apr 2022 11:27:33 +0800
Subject: [PATCH 290/317] Bump version to v1.1.0

---
 ctrtool/src/version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index 27dba3b5..c59c9ed7 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -2,6 +2,6 @@
 #define APP_NAME	"CTRTool"
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
-#define VER_MINOR	0
-#define VER_PATCH	4
+#define VER_MINOR	1
+#define VER_PATCH	0
 #define AUTHORS		"jakcron"
\ No newline at end of file

From cc707c160ffc95778a8a85e86715055164f2bcdb Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 17 Apr 2022 10:49:05 +0800
Subject: [PATCH 291/317] Modernize MakeROM build system + bug fixes (#120)

* Move files around to new directory structure

* Rework libyaml into a stand-alone dep for makerom.

* Rework libpolarssl to be standalone dependency for makerom.

* Update includes.

* Delete makefile

* Add new makefile for makerom.

* Update MakeROM github actions script.

* Fix again.

* Update MakeROM's makefile

* Tweak makerom build script

* Tweak MakeROM build script.

* Fix typo

* Update MakeROM makefiles.

* Tweak CTRTool build script.

* Tweak build script

* Tweak CTRTool build script.

* Tweak CTRTool build script

* Add libmbedtls to makerom deps

* Partially migrate makerom to libmbedtls

* Break out libblz as an external dependency for makerom.

* Tweak makerom build script.

* Move dependencies to the top level.

* Put everything back.

* misc

* Update makerom documentation.

* Link to ctrtool/makerom readmes from the root readme.

* Update root readme again.

* Migrate makerom to modern mbedtls

* Bump makerom version to 0.18.1

* Change signing errors to be warnings when they fail.

* Add error verbosity to errors when generating CIA files.

* Fix bug in RSA code.

* misc.

* Remove polarssl now migration to mbedtls complete.

* Surface more makerom errors.

* [makerom] Tolerate CCI signing errors as a warning.

* Add missing return.

* Import initial data key_x (prod/dev included)

* [makerom] Fix initial data generation.
---
 .github/workflows/Build_CTRTool.yml           |   28 +-
 .github/workflows/Build_MakeROM.yml           |   21 +-
 README.md                                     |    9 +-
 .../libbroadon-es/libbroadon-es.vcxproj       |    2 +-
 makefile                                      |   49 +
 makerom/BUILDING.md                           |   13 +
 makerom/LICENSE                               |    2 +-
 makerom/Makefile                              |   37 -
 makerom/README.md                             |  193 +
 makerom/blz.h                                 |    6 -
 makerom/{ => build/visualstudio}/makerom.sln  |    0
 .../{ => build/visualstudio}/makerom.vcxproj  |    0
 .../visualstudio}/makerom.vcxproj.filters     |    0
 makerom/{ => build/visualstudio}/readme.txt   |    0
 makerom/deps/libblz/include/blz.h             |   15 +
 makerom/deps/libblz/makefile                  |  185 +
 makerom/{ => deps/libblz/src}/blz.c           |   66 +-
 makerom/deps/libmbedtls/BUILDING.md           |   31 +
 makerom/deps/libmbedtls/LICENSE               |    2 +
 makerom/deps/libmbedtls/README.md             |    2 +
 makerom/deps/libmbedtls/apache-2.0.txt        |  202 +
 .../build/visualstudio/libmbedtls.sln         |   31 +
 .../libmbedtls/libmbedtls.vcxproj             |  289 +
 .../libmbedtls/libmbedtls.vcxproj.filters     |  492 +
 makerom/deps/libmbedtls/include/mbedtls/aes.h |  674 ++
 .../deps/libmbedtls/include/mbedtls/aesni.h   |  138 +
 .../deps/libmbedtls/include/mbedtls/arc4.h    |  146 +
 .../deps/libmbedtls/include/mbedtls/aria.h    |  370 +
 .../deps/libmbedtls/include/mbedtls/asn1.h    |  358 +
 .../libmbedtls/include/mbedtls/asn1write.h    |  329 +
 .../deps/libmbedtls/include/mbedtls/base64.h  |   98 +
 .../deps/libmbedtls/include/mbedtls/bignum.h  |  984 ++
 .../libmbedtls/include/mbedtls/blowfish.h     |  287 +
 .../deps/libmbedtls/include/mbedtls/bn_mul.h  |  916 ++
 .../libmbedtls/include/mbedtls/camellia.h     |  326 +
 makerom/deps/libmbedtls/include/mbedtls/ccm.h |  310 +
 .../deps/libmbedtls/include/mbedtls/certs.h   |  252 +
 .../libmbedtls/include/mbedtls/chacha20.h     |  226 +
 .../libmbedtls/include/mbedtls/chachapoly.h   |  358 +
 .../libmbedtls/include/mbedtls/check_config.h |  708 ++
 .../deps/libmbedtls/include/mbedtls/cipher.h  |  872 ++
 .../include/mbedtls/cipher_internal.h         |  125 +
 .../deps/libmbedtls/include/mbedtls/cmac.h    |  213 +
 .../libmbedtls/include/mbedtls/compat-1.3.h   | 2531 +++++
 .../deps/libmbedtls/include/mbedtls/config.h  | 3344 ++++++
 .../libmbedtls/include/mbedtls/ctr_drbg.h     |  512 +
 .../deps/libmbedtls/include/mbedtls/debug.h   |  265 +
 makerom/deps/libmbedtls/include/mbedtls/des.h |  356 +
 makerom/deps/libmbedtls/include/mbedtls/dhm.h | 1096 ++
 .../deps/libmbedtls/include/mbedtls/ecdh.h    |  440 +
 .../deps/libmbedtls/include/mbedtls/ecdsa.h   |  604 +
 .../deps/libmbedtls/include/mbedtls/ecjpake.h |  277 +
 makerom/deps/libmbedtls/include/mbedtls/ecp.h | 1132 ++
 .../libmbedtls/include/mbedtls/ecp_internal.h |  299 +
 .../deps/libmbedtls/include/mbedtls/entropy.h |  289 +
 .../libmbedtls/include/mbedtls/entropy_poll.h |  110 +
 .../deps/libmbedtls/include/mbedtls/error.h   |  129 +
 makerom/deps/libmbedtls/include/mbedtls/gcm.h |  326 +
 .../deps/libmbedtls/include/mbedtls/havege.h  |   81 +
 .../deps/libmbedtls/include/mbedtls/hkdf.h    |  141 +
 .../libmbedtls/include/mbedtls/hmac_drbg.h    |  415 +
 makerom/deps/libmbedtls/include/mbedtls/md.h  |  468 +
 makerom/deps/libmbedtls/include/mbedtls/md2.h |  306 +
 makerom/deps/libmbedtls/include/mbedtls/md4.h |  311 +
 makerom/deps/libmbedtls/include/mbedtls/md5.h |  311 +
 .../libmbedtls/include/mbedtls/md_internal.h  |  115 +
 .../include/mbedtls/memory_buffer_alloc.h     |  151 +
 makerom/deps/libmbedtls/include/mbedtls/net.h |   37 +
 .../libmbedtls/include/mbedtls/net_sockets.h  |  271 +
 .../deps/libmbedtls/include/mbedtls/nist_kw.h |  184 +
 makerom/deps/libmbedtls/include/mbedtls/oid.h |  605 +
 .../deps/libmbedtls/include/mbedtls/padlock.h |  126 +
 makerom/deps/libmbedtls/include/mbedtls/pem.h |  136 +
 makerom/deps/libmbedtls/include/mbedtls/pk.h  |  755 ++
 .../libmbedtls/include/mbedtls/pk_internal.h  |  138 +
 .../deps/libmbedtls/include/mbedtls/pkcs11.h  |  175 +
 .../deps/libmbedtls/include/mbedtls/pkcs12.h  |  130 +
 .../deps/libmbedtls/include/mbedtls/pkcs5.h   |  109 +
 .../libmbedtls/include/mbedtls/platform.h     |  367 +
 .../include/mbedtls/platform_time.h           |   82 +
 .../include/mbedtls/platform_util.h           |  196 +
 .../libmbedtls/include/mbedtls/poly1305.h     |  192 +
 .../libmbedtls/include/mbedtls/ripemd160.h    |  237 +
 makerom/deps/libmbedtls/include/mbedtls/rsa.h | 1274 +++
 .../libmbedtls/include/mbedtls/rsa_internal.h |  226 +
 .../deps/libmbedtls/include/mbedtls/sha1.h    |  352 +
 .../deps/libmbedtls/include/mbedtls/sha256.h  |  297 +
 .../deps/libmbedtls/include/mbedtls/sha512.h  |  300 +
 makerom/deps/libmbedtls/include/mbedtls/ssl.h | 3262 ++++++
 .../libmbedtls/include/mbedtls/ssl_cache.h    |  150 +
 .../include/mbedtls/ssl_ciphersuites.h        |  540 +
 .../libmbedtls/include/mbedtls/ssl_cookie.h   |  115 +
 .../libmbedtls/include/mbedtls/ssl_internal.h |  782 ++
 .../libmbedtls/include/mbedtls/ssl_ticket.h   |  142 +
 .../libmbedtls/include/mbedtls/threading.h    |  122 +
 .../deps/libmbedtls/include/mbedtls/timing.h  |  153 +
 .../deps/libmbedtls/include/mbedtls/version.h |  112 +
 .../deps/libmbedtls/include/mbedtls/x509.h    |  337 +
 .../libmbedtls/include/mbedtls/x509_crl.h     |  174 +
 .../libmbedtls/include/mbedtls/x509_crt.h     |  785 ++
 .../libmbedtls/include/mbedtls/x509_csr.h     |  307 +
 .../deps/libmbedtls/include/mbedtls/xtea.h    |  139 +
 makerom/deps/libmbedtls/makefile              |  197 +
 makerom/deps/libmbedtls/src/aes.c             | 2233 ++++
 makerom/deps/libmbedtls/src/aesni.c           |  470 +
 makerom/deps/libmbedtls/src/arc4.c            |  201 +
 makerom/deps/libmbedtls/src/aria.c            | 1079 ++
 makerom/deps/libmbedtls/src/asn1parse.c       |  389 +
 makerom/deps/libmbedtls/src/asn1write.c       |  421 +
 .../libmbedtls/src}/base64.c                  |  176 +-
 makerom/deps/libmbedtls/src/bignum.c          | 2866 +++++
 makerom/deps/libmbedtls/src/blowfish.c        |  696 ++
 makerom/deps/libmbedtls/src/camellia.c        | 1114 ++
 makerom/deps/libmbedtls/src/ccm.c             |  545 +
 makerom/deps/libmbedtls/src/certs.c           | 1753 +++
 makerom/deps/libmbedtls/src/chacha20.c        |  570 +
 makerom/deps/libmbedtls/src/chachapoly.c      |  540 +
 makerom/deps/libmbedtls/src/cipher.c          | 1158 ++
 makerom/deps/libmbedtls/src/cipher_wrap.c     | 2272 ++++
 makerom/deps/libmbedtls/src/cmac.c            | 1078 ++
 makerom/deps/libmbedtls/src/ctr_drbg.c        |  722 ++
 makerom/deps/libmbedtls/src/debug.c           |  450 +
 makerom/deps/libmbedtls/src/des.c             | 1064 ++
 makerom/deps/libmbedtls/src/dhm.c             |  712 ++
 makerom/deps/libmbedtls/src/ecdh.c            |  676 ++
 makerom/deps/libmbedtls/src/ecdsa.c           |  991 ++
 makerom/deps/libmbedtls/src/ecjpake.c         | 1140 ++
 makerom/deps/libmbedtls/src/ecp.c             | 2999 +++++
 makerom/deps/libmbedtls/src/ecp_curves.c      | 1470 +++
 makerom/deps/libmbedtls/src/entropy.c         |  721 ++
 makerom/deps/libmbedtls/src/entropy_poll.c    |  236 +
 makerom/deps/libmbedtls/src/error.c           |  916 ++
 makerom/deps/libmbedtls/src/gcm.c             |  994 ++
 makerom/deps/libmbedtls/src/havege.c          |  253 +
 makerom/deps/libmbedtls/src/hkdf.c            |  192 +
 makerom/deps/libmbedtls/src/hmac_drbg.c       |  625 ++
 makerom/deps/libmbedtls/src/md.c              |  475 +
 makerom/deps/libmbedtls/src/md2.c             |  363 +
 makerom/deps/libmbedtls/src/md4.c             |  484 +
 makerom/deps/libmbedtls/src/md5.c             |  498 +
 makerom/deps/libmbedtls/src/md_wrap.c         |  586 +
 .../deps/libmbedtls/src/memory_buffer_alloc.c |  750 ++
 makerom/deps/libmbedtls/src/net_sockets.c     |  668 ++
 makerom/deps/libmbedtls/src/nist_kw.c         |  755 ++
 makerom/deps/libmbedtls/src/oid.c             |  758 ++
 makerom/deps/libmbedtls/src/padlock.c         |  170 +
 makerom/deps/libmbedtls/src/pem.c             |  490 +
 makerom/deps/libmbedtls/src/pk.c              |  546 +
 makerom/deps/libmbedtls/src/pk_wrap.c         |  719 ++
 makerom/deps/libmbedtls/src/pkcs11.c          |  240 +
 makerom/deps/libmbedtls/src/pkcs12.c          |  365 +
 makerom/deps/libmbedtls/src/pkcs5.c           |  411 +
 makerom/deps/libmbedtls/src/pkparse.c         | 1538 +++
 makerom/deps/libmbedtls/src/pkwrite.c         |  566 +
 makerom/deps/libmbedtls/src/platform.c        |  348 +
 makerom/deps/libmbedtls/src/platform_util.c   |  139 +
 makerom/deps/libmbedtls/src/poly1305.c        |  559 +
 makerom/deps/libmbedtls/src/ripemd160.c       |  559 +
 makerom/deps/libmbedtls/src/rsa.c             | 2729 +++++
 makerom/deps/libmbedtls/src/rsa_internal.c    |  492 +
 makerom/deps/libmbedtls/src/sha1.c            |  573 +
 makerom/deps/libmbedtls/src/sha256.c          |  586 +
 makerom/deps/libmbedtls/src/sha512.c          |  636 ++
 makerom/deps/libmbedtls/src/ssl_cache.c       |  327 +
 .../deps/libmbedtls/src/ssl_ciphersuites.c    | 2373 ++++
 makerom/deps/libmbedtls/src/ssl_cli.c         | 3636 ++++++
 makerom/deps/libmbedtls/src/ssl_cookie.c      |  256 +
 makerom/deps/libmbedtls/src/ssl_srv.c         | 4379 ++++++++
 makerom/deps/libmbedtls/src/ssl_ticket.c      |  485 +
 makerom/deps/libmbedtls/src/ssl_tls.c         | 9791 +++++++++++++++++
 makerom/deps/libmbedtls/src/threading.c       |  187 +
 makerom/deps/libmbedtls/src/timing.c          |  536 +
 makerom/deps/libmbedtls/src/version.c         |   50 +
 .../deps/libmbedtls/src/version_features.c    |  785 ++
 makerom/deps/libmbedtls/src/x509.c            | 1072 ++
 makerom/deps/libmbedtls/src/x509_create.c     |  379 +
 makerom/deps/libmbedtls/src/x509_crl.c        |  773 ++
 makerom/deps/libmbedtls/src/x509_crt.c        | 2730 +++++
 makerom/deps/libmbedtls/src/x509_csr.c        |  419 +
 makerom/deps/libmbedtls/src/x509write_crt.c   |  522 +
 makerom/deps/libmbedtls/src/x509write_csr.c   |  302 +
 makerom/deps/libmbedtls/src/xtea.c            |  277 +
 makerom/{ => deps}/libyaml/LICENSE            |    0
 .../{ => deps/libyaml/include}/libyaml/yaml.h |    0
 makerom/deps/libyaml/makefile                 |  185 +
 makerom/{libyaml => deps/libyaml/src}/api.c   |    2 +-
 .../{libyaml => deps/libyaml/src}/dumper.c    |    2 +-
 .../{libyaml => deps/libyaml/src}/emitter.c   |    2 +-
 .../{libyaml => deps/libyaml/src}/loader.c    |    2 +-
 .../{libyaml => deps/libyaml/src}/parser.c    |    2 +-
 .../{libyaml => deps/libyaml/src}/reader.c    |    2 +-
 .../{libyaml => deps/libyaml/src}/scanner.c   |    2 +-
 .../{libyaml => deps/libyaml/src}/writer.c    |    2 +-
 .../libyaml/src}/yaml_private.h               |    2 +-
 makerom/makefile                              |  185 +
 makerom/polarssl/aes.c                        | 1352 ---
 makerom/polarssl/aes.h                        |  202 -
 makerom/polarssl/base64.h                     |   88 -
 makerom/polarssl/bignum.c                     | 2135 ----
 makerom/polarssl/bignum.h                     |  685 --
 makerom/polarssl/bn_mul.h                     |  864 --
 makerom/polarssl/config.h                     | 1013 --
 makerom/polarssl/rsa.c                        | 1466 ---
 makerom/polarssl/rsa.h                        |  597 -
 makerom/polarssl/sha1.c                       |  624 --
 makerom/polarssl/sha1.h                       |  180 -
 makerom/polarssl/sha2.c                       |  705 --
 makerom/polarssl/sha2.h                       |  183 -
 makerom/readme                                |    3 -
 makerom/{ => src}/accessdesc.c                |   24 +-
 makerom/{ => src}/accessdesc.h                |    0
 makerom/{ => src}/aes_keygen.c                |    0
 makerom/{ => src}/aes_keygen.h                |    0
 makerom/{ => src}/cardinfo.c                  |  117 +-
 makerom/{ => src}/cardinfo.h                  |    0
 makerom/{ => src}/certs.c                     |    0
 makerom/{ => src}/certs.h                     |    0
 makerom/{ => src}/cia.c                       |   30 +-
 makerom/{ => src}/cia.h                       |    0
 makerom/{ => src}/cia_build.h                 |    0
 makerom/{ => src}/cia_read.h                  |    0
 makerom/{ => src}/code.c                      |    3 +-
 makerom/{ => src}/code.h                      |    0
 makerom/{ => src}/crr.h                       |    0
 makerom/{ => src}/crypto.c                    |   98 +-
 makerom/{ => src}/crypto.h                    |    6 -
 makerom/{ => src}/ctr_utils.c                 |    0
 makerom/{ => src}/ctr_utils.h                 |    0
 makerom/{ => src}/desc/desc.h                 |    0
 makerom/{ => src}/desc/dev_sigdata.h          |    2 +-
 makerom/{ => src}/desc/presets.h              |    2 +-
 makerom/{ => src}/elf.c                       |    0
 makerom/{ => src}/elf.h                       |    0
 makerom/{ => src}/exefs.c                     |    0
 makerom/{ => src}/exefs.h                     |    0
 makerom/{ => src}/exefs_build.h               |    0
 makerom/{ => src}/exefs_read.h                |    0
 makerom/{ => src}/exheader.c                  |    0
 makerom/{ => src}/exheader.h                  |    0
 makerom/{ => src}/exheader_build.h            |    0
 makerom/{ => src}/exheader_read.h             |    0
 makerom/{ => src}/keyset.c                    |   14 +
 makerom/{ => src}/keyset.h                    |    4 +
 makerom/{ => src}/lib.h                       |    0
 makerom/{ => src}/makerom.c                   |    6 +-
 makerom/{ => src}/ncch.c                      |   74 +-
 makerom/{ => src}/ncch.h                      |    0
 makerom/{ => src}/ncch_build.h                |    0
 makerom/{ => src}/ncch_logo.h                 |    0
 makerom/{ => src}/ncch_read.h                 |    0
 makerom/{ => src}/ncsd.c                      |   10 +-
 makerom/{ => src}/ncsd.h                      |    0
 makerom/{ => src}/ncsd_build.h                |    0
 makerom/{ => src}/ncsd_read.h                 |    0
 makerom/{ => src}/oschar.c                    |    0
 makerom/{ => src}/oschar.h                    |    0
 makerom/{ => src}/pki/dev.h                   |    5 +
 makerom/{ => src}/pki/dev_legacy.h            |    0
 makerom/{ => src}/pki/prod.h                  |    5 +
 makerom/{ => src}/pki/prod_legacy.h           |    0
 makerom/{ => src}/pki/rsa_key.h               |    0
 makerom/{ => src}/pki/test.h                  |    0
 makerom/{ => src}/romfs.c                     |    0
 makerom/{ => src}/romfs.h                     |    0
 makerom/{ => src}/romfs_fs.c                  |    0
 makerom/{ => src}/romfs_fs.h                  |    0
 makerom/{ => src}/romfs_gen.c                 |    0
 makerom/{ => src}/romfs_gen.h                 |    0
 makerom/{ => src}/romfs_import.c              |    0
 makerom/{ => src}/romfs_import.h              |    0
 makerom/{ => src}/rsf_settings.c              |    0
 makerom/{ => src}/rsf_settings.h              |    0
 makerom/{ => src}/srl.h                       |    0
 makerom/{ => src}/tik.c                       |   12 +-
 makerom/{ => src}/tik.h                       |    0
 makerom/{ => src}/tik_build.h                 |    0
 makerom/{ => src}/tik_read.h                  |    0
 makerom/{ => src}/titleid.c                   |    0
 makerom/{ => src}/titleid.h                   |    0
 makerom/{ => src}/tmd.c                       |   14 +-
 makerom/{ => src}/tmd.h                       |    0
 makerom/{ => src}/tmd_build.h                 |    0
 makerom/{ => src}/tmd_read.h                  |    0
 makerom/{ => src}/types.h                     |    0
 makerom/{ => src}/user_settings.c             |    2 +-
 makerom/{ => src}/user_settings.h             |    0
 makerom/{ => src}/utils.c                     |   24 +-
 makerom/{ => src}/utils.h                     |    6 +-
 makerom/{ => src}/yaml_parser.c               |    0
 makerom/{ => src}/yaml_parser.h               |    2 +-
 290 files changed, 115411 insertions(+), 10418 deletions(-)
 create mode 100644 makefile
 create mode 100644 makerom/BUILDING.md
 delete mode 100644 makerom/Makefile
 create mode 100644 makerom/README.md
 delete mode 100644 makerom/blz.h
 rename makerom/{ => build/visualstudio}/makerom.sln (100%)
 rename makerom/{ => build/visualstudio}/makerom.vcxproj (100%)
 rename makerom/{ => build/visualstudio}/makerom.vcxproj.filters (100%)
 rename makerom/{ => build/visualstudio}/readme.txt (100%)
 create mode 100644 makerom/deps/libblz/include/blz.h
 create mode 100644 makerom/deps/libblz/makefile
 rename makerom/{ => deps/libblz/src}/blz.c (85%)
 create mode 100644 makerom/deps/libmbedtls/BUILDING.md
 create mode 100644 makerom/deps/libmbedtls/LICENSE
 create mode 100644 makerom/deps/libmbedtls/README.md
 create mode 100644 makerom/deps/libmbedtls/apache-2.0.txt
 create mode 100644 makerom/deps/libmbedtls/build/visualstudio/libmbedtls.sln
 create mode 100644 makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj
 create mode 100644 makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/aes.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/aesni.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/arc4.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/aria.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/asn1.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/asn1write.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/base64.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/bignum.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/blowfish.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/bn_mul.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/camellia.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ccm.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/certs.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/chacha20.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/chachapoly.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/check_config.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/cipher.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/cipher_internal.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/cmac.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/compat-1.3.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/config.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ctr_drbg.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/debug.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/des.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/dhm.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ecdh.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ecdsa.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ecjpake.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ecp.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ecp_internal.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/entropy.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/entropy_poll.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/error.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/gcm.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/havege.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/hkdf.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/hmac_drbg.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/md.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/md2.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/md4.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/md5.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/md_internal.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/net.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/net_sockets.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/nist_kw.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/oid.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/padlock.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/pem.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/pk.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/pk_internal.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/pkcs11.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/pkcs12.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/pkcs5.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/platform.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/platform_time.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/platform_util.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/poly1305.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ripemd160.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/rsa.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/rsa_internal.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/sha1.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/sha256.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/sha512.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ssl.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ssl_cache.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ssl_cookie.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ssl_internal.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/ssl_ticket.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/threading.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/timing.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/version.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/x509.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/x509_crl.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/x509_crt.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/x509_csr.h
 create mode 100644 makerom/deps/libmbedtls/include/mbedtls/xtea.h
 create mode 100644 makerom/deps/libmbedtls/makefile
 create mode 100644 makerom/deps/libmbedtls/src/aes.c
 create mode 100644 makerom/deps/libmbedtls/src/aesni.c
 create mode 100644 makerom/deps/libmbedtls/src/arc4.c
 create mode 100644 makerom/deps/libmbedtls/src/aria.c
 create mode 100644 makerom/deps/libmbedtls/src/asn1parse.c
 create mode 100644 makerom/deps/libmbedtls/src/asn1write.c
 rename makerom/{polarssl => deps/libmbedtls/src}/base64.c (52%)
 create mode 100644 makerom/deps/libmbedtls/src/bignum.c
 create mode 100644 makerom/deps/libmbedtls/src/blowfish.c
 create mode 100644 makerom/deps/libmbedtls/src/camellia.c
 create mode 100644 makerom/deps/libmbedtls/src/ccm.c
 create mode 100644 makerom/deps/libmbedtls/src/certs.c
 create mode 100644 makerom/deps/libmbedtls/src/chacha20.c
 create mode 100644 makerom/deps/libmbedtls/src/chachapoly.c
 create mode 100644 makerom/deps/libmbedtls/src/cipher.c
 create mode 100644 makerom/deps/libmbedtls/src/cipher_wrap.c
 create mode 100644 makerom/deps/libmbedtls/src/cmac.c
 create mode 100644 makerom/deps/libmbedtls/src/ctr_drbg.c
 create mode 100644 makerom/deps/libmbedtls/src/debug.c
 create mode 100644 makerom/deps/libmbedtls/src/des.c
 create mode 100644 makerom/deps/libmbedtls/src/dhm.c
 create mode 100644 makerom/deps/libmbedtls/src/ecdh.c
 create mode 100644 makerom/deps/libmbedtls/src/ecdsa.c
 create mode 100644 makerom/deps/libmbedtls/src/ecjpake.c
 create mode 100644 makerom/deps/libmbedtls/src/ecp.c
 create mode 100644 makerom/deps/libmbedtls/src/ecp_curves.c
 create mode 100644 makerom/deps/libmbedtls/src/entropy.c
 create mode 100644 makerom/deps/libmbedtls/src/entropy_poll.c
 create mode 100644 makerom/deps/libmbedtls/src/error.c
 create mode 100644 makerom/deps/libmbedtls/src/gcm.c
 create mode 100644 makerom/deps/libmbedtls/src/havege.c
 create mode 100644 makerom/deps/libmbedtls/src/hkdf.c
 create mode 100644 makerom/deps/libmbedtls/src/hmac_drbg.c
 create mode 100644 makerom/deps/libmbedtls/src/md.c
 create mode 100644 makerom/deps/libmbedtls/src/md2.c
 create mode 100644 makerom/deps/libmbedtls/src/md4.c
 create mode 100644 makerom/deps/libmbedtls/src/md5.c
 create mode 100644 makerom/deps/libmbedtls/src/md_wrap.c
 create mode 100644 makerom/deps/libmbedtls/src/memory_buffer_alloc.c
 create mode 100644 makerom/deps/libmbedtls/src/net_sockets.c
 create mode 100644 makerom/deps/libmbedtls/src/nist_kw.c
 create mode 100644 makerom/deps/libmbedtls/src/oid.c
 create mode 100644 makerom/deps/libmbedtls/src/padlock.c
 create mode 100644 makerom/deps/libmbedtls/src/pem.c
 create mode 100644 makerom/deps/libmbedtls/src/pk.c
 create mode 100644 makerom/deps/libmbedtls/src/pk_wrap.c
 create mode 100644 makerom/deps/libmbedtls/src/pkcs11.c
 create mode 100644 makerom/deps/libmbedtls/src/pkcs12.c
 create mode 100644 makerom/deps/libmbedtls/src/pkcs5.c
 create mode 100644 makerom/deps/libmbedtls/src/pkparse.c
 create mode 100644 makerom/deps/libmbedtls/src/pkwrite.c
 create mode 100644 makerom/deps/libmbedtls/src/platform.c
 create mode 100644 makerom/deps/libmbedtls/src/platform_util.c
 create mode 100644 makerom/deps/libmbedtls/src/poly1305.c
 create mode 100644 makerom/deps/libmbedtls/src/ripemd160.c
 create mode 100644 makerom/deps/libmbedtls/src/rsa.c
 create mode 100644 makerom/deps/libmbedtls/src/rsa_internal.c
 create mode 100644 makerom/deps/libmbedtls/src/sha1.c
 create mode 100644 makerom/deps/libmbedtls/src/sha256.c
 create mode 100644 makerom/deps/libmbedtls/src/sha512.c
 create mode 100644 makerom/deps/libmbedtls/src/ssl_cache.c
 create mode 100644 makerom/deps/libmbedtls/src/ssl_ciphersuites.c
 create mode 100644 makerom/deps/libmbedtls/src/ssl_cli.c
 create mode 100644 makerom/deps/libmbedtls/src/ssl_cookie.c
 create mode 100644 makerom/deps/libmbedtls/src/ssl_srv.c
 create mode 100644 makerom/deps/libmbedtls/src/ssl_ticket.c
 create mode 100644 makerom/deps/libmbedtls/src/ssl_tls.c
 create mode 100644 makerom/deps/libmbedtls/src/threading.c
 create mode 100644 makerom/deps/libmbedtls/src/timing.c
 create mode 100644 makerom/deps/libmbedtls/src/version.c
 create mode 100644 makerom/deps/libmbedtls/src/version_features.c
 create mode 100644 makerom/deps/libmbedtls/src/x509.c
 create mode 100644 makerom/deps/libmbedtls/src/x509_create.c
 create mode 100644 makerom/deps/libmbedtls/src/x509_crl.c
 create mode 100644 makerom/deps/libmbedtls/src/x509_crt.c
 create mode 100644 makerom/deps/libmbedtls/src/x509_csr.c
 create mode 100644 makerom/deps/libmbedtls/src/x509write_crt.c
 create mode 100644 makerom/deps/libmbedtls/src/x509write_csr.c
 create mode 100644 makerom/deps/libmbedtls/src/xtea.c
 rename makerom/{ => deps}/libyaml/LICENSE (100%)
 rename makerom/{ => deps/libyaml/include}/libyaml/yaml.h (100%)
 create mode 100644 makerom/deps/libyaml/makefile
 rename makerom/{libyaml => deps/libyaml/src}/api.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/dumper.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/emitter.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/loader.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/parser.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/reader.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/scanner.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/writer.c (99%)
 rename makerom/{libyaml => deps/libyaml/src}/yaml_private.h (99%)
 create mode 100644 makerom/makefile
 delete mode 100644 makerom/polarssl/aes.c
 delete mode 100644 makerom/polarssl/aes.h
 delete mode 100644 makerom/polarssl/base64.h
 delete mode 100644 makerom/polarssl/bignum.c
 delete mode 100644 makerom/polarssl/bignum.h
 delete mode 100644 makerom/polarssl/bn_mul.h
 delete mode 100644 makerom/polarssl/config.h
 delete mode 100644 makerom/polarssl/rsa.c
 delete mode 100644 makerom/polarssl/rsa.h
 delete mode 100644 makerom/polarssl/sha1.c
 delete mode 100644 makerom/polarssl/sha1.h
 delete mode 100644 makerom/polarssl/sha2.c
 delete mode 100644 makerom/polarssl/sha2.h
 delete mode 100644 makerom/readme
 rename makerom/{ => src}/accessdesc.c (90%)
 rename makerom/{ => src}/accessdesc.h (100%)
 rename makerom/{ => src}/aes_keygen.c (100%)
 rename makerom/{ => src}/aes_keygen.h (100%)
 rename makerom/{ => src}/cardinfo.c (68%)
 rename makerom/{ => src}/cardinfo.h (100%)
 rename makerom/{ => src}/certs.c (100%)
 rename makerom/{ => src}/certs.h (100%)
 rename makerom/{ => src}/cia.c (97%)
 rename makerom/{ => src}/cia.h (100%)
 rename makerom/{ => src}/cia_build.h (100%)
 rename makerom/{ => src}/cia_read.h (100%)
 rename makerom/{ => src}/code.c (99%)
 rename makerom/{ => src}/code.h (100%)
 rename makerom/{ => src}/crr.h (100%)
 rename makerom/{ => src}/crypto.c (54%)
 rename makerom/{ => src}/crypto.h (88%)
 rename makerom/{ => src}/ctr_utils.c (100%)
 rename makerom/{ => src}/ctr_utils.h (100%)
 rename makerom/{ => src}/desc/desc.h (100%)
 rename makerom/{ => src}/desc/dev_sigdata.h (99%)
 rename makerom/{ => src}/desc/presets.h (99%)
 rename makerom/{ => src}/elf.c (100%)
 rename makerom/{ => src}/elf.h (100%)
 rename makerom/{ => src}/exefs.c (100%)
 rename makerom/{ => src}/exefs.h (100%)
 rename makerom/{ => src}/exefs_build.h (100%)
 rename makerom/{ => src}/exefs_read.h (100%)
 rename makerom/{ => src}/exheader.c (100%)
 rename makerom/{ => src}/exheader.h (100%)
 rename makerom/{ => src}/exheader_build.h (100%)
 rename makerom/{ => src}/exheader_read.h (100%)
 rename makerom/{ => src}/keyset.c (96%)
 rename makerom/{ => src}/keyset.h (94%)
 rename makerom/{ => src}/lib.h (100%)
 rename makerom/{ => src}/makerom.c (92%)
 rename makerom/{ => src}/ncch.c (95%)
 rename makerom/{ => src}/ncch.h (100%)
 rename makerom/{ => src}/ncch_build.h (100%)
 rename makerom/{ => src}/ncch_logo.h (100%)
 rename makerom/{ => src}/ncch_read.h (100%)
 rename makerom/{ => src}/ncsd.c (98%)
 rename makerom/{ => src}/ncsd.h (100%)
 rename makerom/{ => src}/ncsd_build.h (100%)
 rename makerom/{ => src}/ncsd_read.h (100%)
 rename makerom/{ => src}/oschar.c (100%)
 rename makerom/{ => src}/oschar.h (100%)
 rename makerom/{ => src}/pki/dev.h (99%)
 rename makerom/{ => src}/pki/dev_legacy.h (100%)
 rename makerom/{ => src}/pki/prod.h (99%)
 rename makerom/{ => src}/pki/prod_legacy.h (100%)
 rename makerom/{ => src}/pki/rsa_key.h (100%)
 rename makerom/{ => src}/pki/test.h (100%)
 rename makerom/{ => src}/romfs.c (100%)
 rename makerom/{ => src}/romfs.h (100%)
 rename makerom/{ => src}/romfs_fs.c (100%)
 rename makerom/{ => src}/romfs_fs.h (100%)
 rename makerom/{ => src}/romfs_gen.c (100%)
 rename makerom/{ => src}/romfs_gen.h (100%)
 rename makerom/{ => src}/romfs_import.c (100%)
 rename makerom/{ => src}/romfs_import.h (100%)
 rename makerom/{ => src}/rsf_settings.c (100%)
 rename makerom/{ => src}/rsf_settings.h (100%)
 rename makerom/{ => src}/srl.h (100%)
 rename makerom/{ => src}/tik.c (93%)
 rename makerom/{ => src}/tik.h (100%)
 rename makerom/{ => src}/tik_build.h (100%)
 rename makerom/{ => src}/tik_read.h (100%)
 rename makerom/{ => src}/titleid.c (100%)
 rename makerom/{ => src}/titleid.h (100%)
 rename makerom/{ => src}/tmd.c (93%)
 rename makerom/{ => src}/tmd.h (100%)
 rename makerom/{ => src}/tmd_build.h (100%)
 rename makerom/{ => src}/tmd_read.h (100%)
 rename makerom/{ => src}/types.h (100%)
 rename makerom/{ => src}/user_settings.c (99%)
 rename makerom/{ => src}/user_settings.h (100%)
 rename makerom/{ => src}/utils.c (94%)
 rename makerom/{ => src}/utils.h (90%)
 rename makerom/{ => src}/yaml_parser.c (100%)
 rename makerom/{ => src}/yaml_parser.h (98%)

diff --git a/.github/workflows/Build_CTRTool.yml b/.github/workflows/Build_CTRTool.yml
index 3e5aed45..2a509a98 100644
--- a/.github/workflows/Build_CTRTool.yml
+++ b/.github/workflows/Build_CTRTool.yml
@@ -27,16 +27,17 @@ jobs:
            os: macos-latest
            arch: arm64
     steps:
-    - uses: actions/checkout@v1
-    - name: Clone submodules
-      run: git submodule init && git submodule update
-    - name: Compile ${{ matrix.prog }}
-      working-directory: ${{ matrix.prog }}
-      run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
-    - uses: actions/upload-artifact@v2
-      with:
-        name: ${{ matrix.prog }}-${{ matrix.dist }}
-        path: ./${{ matrix.prog }}/bin/${{ matrix.prog }}
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Compile ${{ matrix.prog }}
+        working-directory: ${{ matrix.prog }}
+        run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
+      - uses: actions/upload-artifact@v2
+        with:
+          name: ${{ matrix.prog }}-${{ matrix.dist }}
+          path: ./${{ matrix.prog }}/bin/${{ matrix.prog }}
+          if-no-files-found: error
   build_visualstudio:
     name: Compile ${{ matrix.prog }} for ${{ matrix.dist }}
     runs-on: ${{ matrix.os }}
@@ -56,15 +57,16 @@ jobs:
            configuration: Release
            build_path: Release
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 0
     - name: Add msbuild to PATH
       uses: microsoft/setup-msbuild@v1.1
-    - name: Clone submodules
-      run: git submodule init && git submodule update
     - name: Compile ${{ matrix.prog }}
       run: msbuild .\${{ matrix.prog }}\build\visualstudio\${{ matrix.prog }}.sln /p:configuration=${{ matrix.configuration }} /p:platform=${{ matrix.platform }} 
     - uses: actions/upload-artifact@v2
       with:
         name: ${{ matrix.prog }}-${{ matrix.dist }}
         path: .\${{ matrix.prog }}\build\visualstudio\${{ matrix.build_path }}\${{ matrix.prog }}.exe
+        if-no-files-found: error
 
diff --git a/.github/workflows/Build_MakeROM.yml b/.github/workflows/Build_MakeROM.yml
index f6db2083..35ac2c2d 100644
--- a/.github/workflows/Build_MakeROM.yml
+++ b/.github/workflows/Build_MakeROM.yml
@@ -15,28 +15,31 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        dist: [ubuntu_x86_64, macos_x86_64, win_x86_64]
+        dist: [ubuntu_x86_64, macos_x86_64, macos_arm64, win_x86_64]
         prog: [makerom]
         include:
-          - dist: win_x86_64
-            os: windows-latest
-            makeArgs: -j $env:NUMBER_OF_PROCESSORS
-            binExt: .exe
           - dist: ubuntu_x86_64
             os: ubuntu-latest
-            makeArgs: -j$(nproc)
+            arch: x86_64
           - dist: macos_x86_64
             os: macos-latest
-            makeArgs: -j$(sysctl -n hw.activecpu)
+            arch: x86_64
+          - dist: macos_arm64
+            os: macos-latest
+            arch: arm64
+          - dist: win_x86_64
+            os: windows-latest
+            arch: x86_64
+            binExt: .exe
     steps:
       - uses: actions/checkout@v2
         with:
           fetch-depth: 0
       - name: Compile ${{ matrix.prog }}
         working-directory: ${{ matrix.prog }}
-        run: make ${{ matrix.makeArgs }}
+        run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
       - uses: actions/upload-artifact@v2
         with:
           name: ${{ matrix.prog }}-${{ matrix.dist }}
-          path: ${{ matrix.prog }}/${{ matrix.prog }}${{ matrix.binExt }}
+          path: ./${{ matrix.prog }}/bin/${{ matrix.prog }}${{ matrix.binExt }}
           if-no-files-found: error
diff --git a/README.md b/README.md
index 50b4d922..3f7f976b 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
-Project_CTR
-===========
+# Project_CTR
+Project CTR is a collection of custom Nintendo 3DS tools.
 
-ctrtool - a tool to read/extract Nintendo 3DS files.
+## Tools
+[ctrtool](ctrtool/README.md) - a tool to read/extract Nintendo 3DS files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/ctrtool-v1.1.0))
 
-makerom - creates CTR cxi/cfa/cci/cia files.
+[makerom](makerom/README.md) - creates CTR cxi/cfa/cci/cia files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/makerom-v0.18)) 
diff --git a/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj
index a83e05a9..3e78ca4d 100644
--- a/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj
+++ b/ctrtool/deps/libbroadon-es/build/visualstudio/libbroadon-es/libbroadon-es.vcxproj
@@ -22,7 +22,7 @@
     <VCProjectVersion>16.0</VCProjectVersion>
     <Keyword>Win32Proj</Keyword>
     <ProjectGuid>{8a35d7dc-293a-4669-9c1e-4f45abfe8838}</ProjectGuid>
-    <RootNamespace>libnintendoesdrm</RootNamespace>
+    <RootNamespace>libbroadones</RootNamespace>
     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
diff --git a/makefile b/makefile
new file mode 100644
index 00000000..4cddd35a
--- /dev/null
+++ b/makefile
@@ -0,0 +1,49 @@
+# Project Name
+PROJECT_NAME = Project_CTR
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_PROGRAM_LOCAL_DIR = ctrtool makerom
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# all is the default, user should specify what the default should do
+#	- 'deps' for building local dependencies.
+#	- 'program' for building executable programs.
+all: progs
+	
+clean: clean_progs
+
+# Programs
+.PHONY: progs
+progs:
+	@$(foreach prog,$(PROJECT_PROGRAM_LOCAL_DIR), cd "$(prog)" && $(MAKE) deps program && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_progs
+clean_progs:
+	@$(foreach prog,$(PROJECT_PROGRAM_LOCAL_DIR), cd "$(prog)" && $(MAKE) clean_deps clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/makerom/BUILDING.md b/makerom/BUILDING.md
new file mode 100644
index 00000000..ad9e50c2
--- /dev/null
+++ b/makerom/BUILDING.md
@@ -0,0 +1,13 @@
+# Building
+## Linux (incl. Windows Subsystem for Linux) & MacOS & Windows (MinGW)- Makefile
+### Requirements
+* `make`
+* Terminal access
+* Typical GNU compatible development tools (e.g. `clang`, `gcc`, `ar` etc) with __C11__ support
+
+### Using Makefile
+* `make` (default) - Compile program
+	* Compiling the program requires local dependencies to be compiled via `make deps` beforehand
+* `make clean` - Remove executable and object files
+* `make deps` - Compile locally included dependency libraries
+* `make clean_deps` - Remove compiled library binaries and object files
\ No newline at end of file
diff --git a/makerom/LICENSE b/makerom/LICENSE
index 61db3e0a..95cc9c36 100644
--- a/makerom/LICENSE
+++ b/makerom/LICENSE
@@ -2,7 +2,7 @@ MIT License
 
 Copyright (c) 2014 3DSGuy
 Copyright (c) 2014 applestash
-Copyright (c) 2015-2016 Jakcron
+Copyright (c) 2015-2022 Jakcron
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/makerom/Makefile b/makerom/Makefile
deleted file mode 100644
index 5192bf4c..00000000
--- a/makerom/Makefile
+++ /dev/null
@@ -1,37 +0,0 @@
-# Sources
-SRC_DIR = . polarssl libyaml
-OBJS = $(foreach dir,$(SRC_DIR),$(subst .c,.o,$(wildcard $(dir)/*.c)))
-
-# Compiler Settings
-CFLAGS = --std=gnu99 -O2 -Wall -Wno-unused-value -Wno-unused-result -I.
-CC = gcc
-
-SYS := $(shell gcc -dumpmachine)
-ifneq (, $(findstring linux, $(SYS)))
-    # Linux
-    CFLAGS += -Wno-unused-but-set-variable
-else ifneq (, $(findstring cygwin, $(SYS)))
-    # Cygwin
-    CFLAGS += -Wno-unused-but-set-variable
-    LIBS += -liconv
-else ifneq (, $(findstring darwin, $(SYS)))
-    # OS X
-    LIBS += -liconv
-else
-    #Windows Build CFG
-    CFLAGS += -Wno-unused-but-set-variable
-    LIBS += -static-libgcc
-endif
-
-# MAKEROM Build Settings
-OUTPUT = makerom
-
-main: build
-
-rebuild: clean build
-
-build: $(OBJS)
-	$(CC) -o $(OUTPUT) $(OBJS) $(LIBS)
-
-clean:
-	rm -rf $(OUTPUT) $(OBJS)
\ No newline at end of file
diff --git a/makerom/README.md b/makerom/README.md
new file mode 100644
index 00000000..0d9ce1b7
--- /dev/null
+++ b/makerom/README.md
@@ -0,0 +1,193 @@
+# CTR Make ROM (MakeROM)
+A CLI tool to create CTR (Nintendo 3DS) ROM images.
+
+## Supported Output File Formats
+* NCCH Format Variants:
+  * CTR Executable Image (.cxi)
+  * CTR File Archive (.cfa)
+  * CIP (.cip) (These are the processes bundled with the kernel image)
+* CTR Importable Archive (.cia)
+* CTR Card Image (.cci/.3ds)
+
+## Format Overviews
+### NCCH
+The native format storing code binaries and data archives for the 3DS is NCCH. NCCH files are comprised of:
+* code/exheader/plainregion (used for code execution) (plainregion just lists included SDK library add-ons)
+* icon (app title text, icon, HOME menu settings)
+* banner (cbmd + cwav, i.e. the upper screen banner/sound shown on the homemenu)
+* logo (the splash screen displayed after an application is launched from the homemenu)
+* romfs (read-only filesystem used to store resources)
+
+Typical uses for NCCH files include:
+* Executable image (code+exheader+icon+banner+logo+romfs)
+* e-Manual archive (accessed from homemenu) (romfs)
+* Download Play child CIA archive (accessed from application) (romfs)
+* Update Data archive (romfs)
+* Standalone data archive (romfs)
+* DLC index archive (icon+romfs)
+* DLC archive (romfs)
+
+### CCI
+The native format for gamecard images is CCI and is a NCCH container format. CCI files are limited to containing `8` NCCH files, and can contain NCCH files for applications titles only.
+#### NCCH configuration for CCI
+| NCCH | Required | Index |
+| ---- | -------- | ----- |
+| Executable image | YES | 0 |
+| e-Manual archive | NO | 1 |
+| DLP child CIA archive | NO | 2 |
+| (New 3DS) Update Data archive | NO | 6 |
+| (Old 3DS) Update Data archive | NO | 7 |
+
+### CIA
+The native format for packaging NCCH files for install is CIA, which is also a NCCH container format. CIA files are limited to containing `65535` NCCH files and can be used to contain NCCH files for any title type. CIA files also contain __signed__ data used by the 3DS for general title management and DRM. Installing custom CIA files on a 3DS which also uses eShop/SysUpdates is unwise as conflicts will likely occur.
+
+#### NCCH configurations for CIA
+Applications (Application/DlpChild/Demo/Patch/SystemApplication):
+| NCCH | Required | Index |
+| ---- | -------- | ----- |
+| Executable image | YES | 0 |
+| e-Manual archive | NO | 1 |
+| DLP child CIA archive | NO | 2 |
+
+System Applet/Module:
+| NCCH | Required | Index |
+| ---- | -------- | ----- |
+| Executable image | YES | 0 |
+
+System Data Archives:
+| NCCH | Required | Index |
+| ---- | -------- | ----- |
+| Data archive | YES | 0 |
+
+DLC:
+
+The number of DLC data archives in DLC varies for each DLC.
+| NCCH | Required | Index |
+| ---- | -------- | ----- |
+| DLC index archive | YES | 0 |
+| DLC data archive | YES | Varies |
+
+
+## Using Makerom
+
+### Command line
+
+```
+makerom [general args] [rsf args] [crypto args] [ncch 0 build args] [cci args] [cia args]
+```
+
+__General Arguments__
+| Argument | Acceptable values | Notes |
+| -------- | ----------------- | ----- |
+| `-f <format>` | `ncch`/`cxi`/`cfa`/`cci`/`cia` | Specify the output file format. `cxi`/`cfa` are aliases of `ncch`. |
+| `-o <path>` | Valid file path. | Specify name/path for output file. Makerom will decided a name if this is not specified. |
+| `-v` | not required | Enables verbose output. |
+
+__RSF Arguments__
+| Argument | Acceptable values | Notes |
+| -------- | ----------------- | ----- |
+| `-rsf <path>` | Valid file path | Specify the path to Rom Specification File (RSF). See below for creating RSF. |
+| `-D<KEY>=<VALUE>` |  | This is used to substitute where `$(<KEY>)` exists in the RSF files with `<VALUE>`. This is useful for scripting. |
+
+__Crypto Arguments__
+| Argument | Acceptable values | Notes |
+| -------- | ----------------- | ----- |
+| `-target <target>` | `t`/`d`/`p` | Specify key-chain. This affects encryption, signing and `-desc` template availability. `t`=`test`, suitable for homebrew. `d`=`devkit`(incomplete), suitable for devkits. `p`=`retail`(incomplete), suitable for production hardware. Not all RSA private keys are known, so `d` and `p` targets may not sign data properly. |
+| `-ckeyid <index>` | Any value between 0-255 (inclusive). | Overrides the default common key used to encrypt CIA title keys. |
+| `-showkeys` | none | Dumps loaded key-chain to stdout. |
+
+__NCCH Build Arguments__
+| Argument | Acceptable values | Notes |
+| -------- | ----------------- | ----- |
+| `-elf <file>` | Valid file path | Specify ELF. See below for creating ELF. |
+| `-icon <file>` | Valid file path | Specify SystemMenuData icon. |
+| `-banner <file>` | Valid file path | Specify banner. |
+| `-desc <apptype>:<fw>` | `<apptype>`=`app`/`ecapp`/`demo`/`dlpchild`. `<fw>`=`kernel version minor`. | Use a template for exheader/accessdesc. These are hard-coded, so not all firmwares have a template. A value from `1`-`7` can be used in place of 'kernel version minor'. A template shouldn't be used if the title needs "special" permissions, the RSF must be configured fully. |
+| `-exefslogo` | none | Include logo in ExeFS. Required for usage on <5.0 systems. |
+
+__Arguments useful for rebuilding a NCCH file__
+| Argument | Acceptable values | Notes |
+| -------- | ----------------- | ----- |
+| `-code <file>` | Valid file path | Specify decompressed/plaintext exefs code binary. |
+| `-exheader <file>` | Valid file path | Specify plaintext exheader binary. |
+| `-logo <file>` | Valid file path | Specify logo. |
+| `-plainrgn <file>` | Valid file path | Specify NCCH plain-region. |
+| `-romfs <file>` | Valid file path | Specify an unencrypted RomFS binary. |
+
+__CCI Arguments__
+| Argument | Acceptable values | Notes |
+| -------- | ----------------- | ----- |
+| `-content <path>:<index>` | `<path>`=Valid file path. `<index>`=Any value between `0`-`7` (inclusive) | Include a built NCCH file in the CCI container. `-i` can be used instead of `-content`. |
+| `-devcci` | none | Build a debug CCI? |
+| `-nomodtid` | none | Don't modify the TitleIds of NCCH files included to match NCCH0 |
+| `-alignwr` | none | Align the offset for the Card2 writable region to the end of the last NCCH in the CCI. |
+
+__CIA Arguments__
+| Argument | Acceptable values | Notes |
+| -------- | ----------------- | ----- |
+| `-content <path>:<index>:<id>` | `<path>`=Valid file path. `<index>`=Any value between `0x0`-`0xFFFF` (inclusive). `<id>`=Any value between `0x0`-`0xFFFFFFFF` (inclusive) | Include a built NCCH file in the CIA container. If `<id>` isn't specified, it will be generated randomly. `-i` can be used instead of `-content`.
+| `-major <version>` | Any value between `0`-`63` (inclusive) | Specify the version major for the title. This cannot be used with `-dver`. |
+| `-minor <version>` | Any value between `0`-`63` (inclusive) | Specify the version minor for the title. This cannot be used with `-dver`. |
+| `-micro <version>` | Any value between `0`-`15` (inclusive) | Specify the version micro for the title. |
+| `-dver <version>` | Any value between `0`-`4095` (inclusive) | Specify the data-title version for the title. This cannot be used with `-major` or `-minor`. |
+| `-dlc` | none | Specify this flag when building a DLC CIA. |
+| `-rand` | none | Use a random title key to encrypt CIA content. |
+
+### Examples
+
+General examples:
+
+__Create CXI__
+```
+makerom -o sample.cxi -rsf sample.rsf -target t -elf sample.elf -icon sample.icn -banner sample.bnr -desc app:4
+```
+
+__Create CFA__
+```
+makerom -o sample.cfa -rsf sample.rsf -target t
+```
+
+__Create CCI__
+```
+makerom -f cci -o sample.cci -target t -i sample.cxi:0 -i sample.cfa:1
+```
+
+__Create CIA__
+```
+makerom -f cia -o sample.cia -target t -i sample.cxi:0:0 -i sample.cfa:1:1
+```
+
+
+Makerom supports building a NCCH file and including it automatically (as index 0) into a NCCH container:
+
+__Create CCI and CXI at the same time and include a CFA__
+```
+makerom -f cci -o sample.cci -rsf sample.rsf -target t -elf sample.elf -icon sample.icn -banner sample.bnr -desc app:4 -i sample.cfa:1
+```
+
+__Create CIA and CXI at the same time and include a CFA__
+```
+makerom -f cia -o sample.cia -rsf sample.rsf -target t -elf sample.elf -icon sample.icn -banner sample.bnr -desc app:4 -i sample.cfa:1:1
+```
+
+__Rebuilding CXI__
+```
+makerom -o rebuild.cxi -rsf rebuild.rsf -target t -code rebuild/code.bin -exheader rebuild/exheader.bin -icon rebuild/icon.bin -banner rebuild/banner.bin -romfs rebuild/romfs.bin
+```
+
+### Creating RSF files
+Inspired by Nintendo's format for their makerom, a yaml configuration file is required for creating NCCH files. CIA/CCI can be created without using a RSF file, but default settings will be used.
+
+For CXI, RSF files can be used to specify permissions, and access control settings. Makerom can use default settings by use of the "-desc" option, which removes the requirement for specifying them in the RSF file.
+
+Sample RSF to be used with "-desc": [download](https://gist.githubusercontent.com/3DSGuy/83e12e0ae3dcccb9827f/raw/sample0.rsf) (link broken)
+
+Sample RSF to be used without "-desc": [download](https://gist.github.com/jakcron/9f9f02ffd94d98a72632)
+
+### Creating ELF files
+The latest devkitARM used in conjunction with [ctrulib](https://github.com/smealum/ctrulib) can create ELF files compatible with makerom.
+
+ELF files that are created using the official SDK are also supported by makerom.
+
+# Building
+See [BUILDING.md](/makerom/BUILDING.md).
\ No newline at end of file
diff --git a/makerom/blz.h b/makerom/blz.h
deleted file mode 100644
index 4e1dd263..00000000
--- a/makerom/blz.h
+++ /dev/null
@@ -1,6 +0,0 @@
-#pragma once
-
-#define BLZ_NORMAL    0          // normal mode
-#define BLZ_BEST      1          // best mode
-
-u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best);
\ No newline at end of file
diff --git a/makerom/makerom.sln b/makerom/build/visualstudio/makerom.sln
similarity index 100%
rename from makerom/makerom.sln
rename to makerom/build/visualstudio/makerom.sln
diff --git a/makerom/makerom.vcxproj b/makerom/build/visualstudio/makerom.vcxproj
similarity index 100%
rename from makerom/makerom.vcxproj
rename to makerom/build/visualstudio/makerom.vcxproj
diff --git a/makerom/makerom.vcxproj.filters b/makerom/build/visualstudio/makerom.vcxproj.filters
similarity index 100%
rename from makerom/makerom.vcxproj.filters
rename to makerom/build/visualstudio/makerom.vcxproj.filters
diff --git a/makerom/readme.txt b/makerom/build/visualstudio/readme.txt
similarity index 100%
rename from makerom/readme.txt
rename to makerom/build/visualstudio/readme.txt
diff --git a/makerom/deps/libblz/include/blz.h b/makerom/deps/libblz/include/blz.h
new file mode 100644
index 00000000..e0cea224
--- /dev/null
+++ b/makerom/deps/libblz/include/blz.h
@@ -0,0 +1,15 @@
+#pragma once
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define BLZ_NORMAL    0          // normal mode
+#define BLZ_BEST      1          // best mode
+
+uint8_t *BLZ_Code(uint8_t *raw_buffer, int raw_len, uint32_t *new_len, int best);
+
+#ifdef __cplusplus
+}
+#endif
\ No newline at end of file
diff --git a/makerom/deps/libblz/makefile b/makerom/deps/libblz/makefile
new file mode 100644
index 00000000..7dc6a33d
--- /dev/null
+++ b/makerom/deps/libblz/makefile
@@ -0,0 +1,185 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 7 (20220416)
+
+# Project Name
+PROJECT_NAME = libblz
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Project Dependencies
+PROJECT_DEPEND = 
+PROJECT_DEPEND_LOCAL_DIR = 
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building source as a static library
+#	- 'program' for building source as executable program
+#	- 'test_program' for building the test program
+# test_program can be used with program or static_lib, but program and static_lib cannot be used together
+all: static_lib
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/makerom/blz.c b/makerom/deps/libblz/src/blz.c
similarity index 85%
rename from makerom/blz.c
rename to makerom/deps/libblz/src/blz.c
index 7f4622d2..a57eccec 100644
--- a/makerom/blz.c
+++ b/makerom/deps/libblz/src/blz.c
@@ -17,8 +17,10 @@
 /*----------------------------------------------------------------------------*/
 
 /*----------------------------------------------------------------------------*/
-#include "lib.h"
-#include "blz.h"
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <blz.h>
 
 /*----------------------------------------------------------------------------*/
 #define CMD_DECODE    0x00       // decode
@@ -47,16 +49,16 @@
 #define EXIT(text)    { printf(text); exit(-1); }
 
 /*----------------------------------------------------------------------------*/
-u8 *Memory(int length, int size);
+uint8_t *Memory(int length, int size);
 
-u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best);
-void  BLZ_Invert(u8 *buffer, int length);
+uint8_t *BLZ_Code(uint8_t *raw_buffer, int raw_len, uint32_t *new_len, int best);
+void  BLZ_Invert(uint8_t *buffer, int length);
 
 /*----------------------------------------------------------------------------*/
-u8 *Memory(int length, int size) {
-  u8 *fb;
+uint8_t *Memory(int length, int size) {
+  uint8_t *fb;
 
-  fb = (u8 *) calloc(length * size, size);
+  fb = (uint8_t *) calloc(length * size, size);
   if (fb == NULL) EXIT("\nMemory error\n");
 
   return(fb);
@@ -64,15 +66,15 @@ u8 *Memory(int length, int size) {
 
 /*----------------------------------------------------------------------------*/
 void BLZ_Decode(char *filename) {
-  // u8 *pak_buffer, *raw_buffer, *pak, *raw, *pak_end, *raw_end;
-  // u32   pak_len, raw_len, len, pos, inc_len, hdr_len, enc_len, dec_len;
-  // u8  flags, mask;
+  // uint8_t *pak_buffer, *raw_buffer, *pak, *raw, *pak_end, *raw_end;
+  // uint32_t   pak_len, raw_len, len, pos, inc_len, hdr_len, enc_len, dec_len;
+  // uint8_t  flags, mask;
 
   // printf("- decoding '%s'", filename);
 
   // // pak_buffer = Load(filename, &pak_len, BLZ_MINIM, BLZ_MAXIM);
 
-  // inc_len = *(u32 *)(pak_buffer + pak_len - 4);
+  // inc_len = *(uint32_t *)(pak_buffer + pak_len - 4);
   // if (!inc_len) {
   //   enc_len = 0;
   //   dec_len = pak_len - 4;
@@ -83,14 +85,14 @@ void BLZ_Decode(char *filename) {
   //   hdr_len = pak_buffer[pak_len - 5];
   //   if ((hdr_len < 0x08) || (hdr_len > 0x0B)) EXIT("Bad header length\n");
   //   if (pak_len <= hdr_len) EXIT("Bad length\n");
-  //   enc_len = *(u32 *)(pak_buffer + pak_len - 8) & 0x00FFFFFF;
+  //   enc_len = *(uint32_t *)(pak_buffer + pak_len - 8) & 0x00FFFFFF;
   //   dec_len = pak_len - enc_len;
   //   pak_len = enc_len - hdr_len;
   //   raw_len = dec_len + enc_len + inc_len;
   //   if (raw_len > RAW_MAXIM) EXIT("Bad decoded length\n");
   // }
 
-  // raw_buffer = (u8 *) Memory(raw_len, sizeof(char));
+  // raw_buffer = (uint8_t *) Memory(raw_len, sizeof(char));
 
   // pak = pak_buffer;
   // raw = raw_buffer;
@@ -141,10 +143,10 @@ void BLZ_Decode(char *filename) {
   // printf("\n");
 }
 
-u8 *Load(char *filename, u32 *length, int min, int max) {
+uint8_t *Load(char *filename, uint32_t *length, int min, int max) {
   FILE *fp;
   int   fs;
-  u8 *fb;
+  uint8_t *fb;
 
   if ((fp = fopen(filename, "rb")) == NULL) EXIT("\nFile open error\n");
   fseek(fp, 0, SEEK_END);
@@ -161,9 +163,9 @@ u8 *Load(char *filename, u32 *length, int min, int max) {
 }
 
 /*----------------------------------------------------------------------------*/
-u8* BLZ_Encode(char *filename, u32* pak_len, int mode) {
-  u8 *raw_buffer, *pak_buffer, *new_buffer;
-  u32   raw_len, new_len;
+uint8_t* BLZ_Encode(char *filename, uint32_t* pak_len, int mode) {
+  uint8_t *raw_buffer, *pak_buffer, *new_buffer;
+  uint32_t   raw_len, new_len;
 
   raw_buffer = Load(filename, &raw_len, RAW_MINIM, RAW_MAXIM);
 
@@ -181,12 +183,12 @@ u8* BLZ_Encode(char *filename, u32* pak_len, int mode) {
 }
 
 /*----------------------------------------------------------------------------*/
-u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best) {
-  u8 *pak_buffer, *pak, *raw, *raw_end, *flg = NULL, *tmp;
-  u32   pak_len, inc_len, hdr_len, enc_len, len, pos, max;
-  u32   len_best, pos_best = 0, len_next, pos_next, len_post, pos_post;
-  u32   pak_tmp, raw_tmp;
-  u8  mask;
+uint8_t *BLZ_Code(uint8_t *raw_buffer, int raw_len, uint32_t *new_len, int best) {
+  uint8_t *pak_buffer, *pak, *raw, *raw_end, *flg = NULL, *tmp;
+  uint32_t   pak_len, inc_len, hdr_len, enc_len, len, pos, max;
+  uint32_t   len_best, pos_best = 0, len_next, pos_next, len_post, pos_post;
+  uint32_t   pak_tmp, raw_tmp;
+  uint8_t  mask;
 
 #define SEARCH(l,p) { \
   l = BLZ_THRESHOLD;                                          \
@@ -210,7 +212,7 @@ u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best) {
   raw_tmp = raw_len;
 
   pak_len = raw_len + ((raw_len + 7) / 8) + 11;
-  pak_buffer = (u8 *) Memory(pak_len, sizeof(char));
+  pak_buffer = (uint8_t *) Memory(pak_len, sizeof(char));
 
   BLZ_Invert(raw_buffer, raw_len);
 
@@ -282,9 +284,9 @@ u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best) {
 
     while ((pak - pak_buffer) & 3) *pak++ = 0;
 
-    *(u32 *)pak = 0; pak += 4;
+    *(uint32_t *)pak = 0; pak += 4;
   } else {
-    tmp = (u8 *) Memory(raw_tmp + pak_tmp + 11, sizeof(char));
+    tmp = (uint8_t *) Memory(raw_tmp + pak_tmp + 11, sizeof(char));
 
     for (len = 0; len < raw_tmp; len++)
       tmp[len] = raw_buffer[len];
@@ -308,9 +310,9 @@ u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best) {
       hdr_len++;
     }
 
-    *(u32 *)pak = enc_len + hdr_len; pak += 3;
+    *(uint32_t *)pak = enc_len + hdr_len; pak += 3;
     *pak++ = hdr_len;
-    *(u32 *)pak = inc_len - hdr_len; pak += 4;
+    *(uint32_t *)pak = inc_len - hdr_len; pak += 4;
   }
 
   *new_len = pak - pak_buffer;
@@ -319,8 +321,8 @@ u8 *BLZ_Code(u8 *raw_buffer, int raw_len, u32 *new_len, int best) {
 }
 
 /*----------------------------------------------------------------------------*/
-void BLZ_Invert(u8 *buffer, int length) {
-  u8 *bottom, ch;
+void BLZ_Invert(uint8_t *buffer, int length) {
+  uint8_t *bottom, ch;
 
   bottom = buffer + length - 1;
 
diff --git a/makerom/deps/libmbedtls/BUILDING.md b/makerom/deps/libmbedtls/BUILDING.md
new file mode 100644
index 00000000..b5979c32
--- /dev/null
+++ b/makerom/deps/libmbedtls/BUILDING.md
@@ -0,0 +1,31 @@
+# Building
+## Linux (incl. Windows Subsystem for Linux) & MacOS - Makefile
+### Requirements
+* `make`
+* Terminal access
+* Typical GNU compatible development tools (e.g. `clang`, `g++`, `c++`, `ar` etc) with __C++11__ support
+
+### Using Makefile
+* `make` (default) - Compile library
+* `make static_lib` - Compile library
+* `make clean` - Remove all object files
+
+## Native Win32 - Visual Studio
+### Requirements
+* [Visual Studio Community](https://visualstudio.microsoft.com/vs/community/) 2015 or 2017
+
+### Compiling Library
+* Open `build/visualstudio/libmbedtls.sln` in Visual Studio
+* Select Target (e.g `Debug`|`Release` & `x86`|`x64`)
+* Navigate to `Build`->`Build Solution`
+
+### Including libmbedtls in another VS Solution for static linking
+* Clone `libmbedtls` as a submodule into your project
+* Navigate to the `Solution Explorer` window
+* Right-click on the Solution Item and select `Add`->`Existing Project...`
+* In the filesystem popup window open `<libmbedtls location>\build\visualstudio\libmbedtls\libmbedtls.vcxproj`
+* Update each dependant project's `References` to include libmbedtls
+* Update each dependant project's `Property Pages` so that for `All Configurations` and `All Platforms` the `Addition Include Directories` has the relative path to `<libmbedtls location>\include`
+	* If `libmbedtls` is being included as a dependency in a similarly structured project the relative path is `$(SolutionDir)..\..\deps\libmbedtls\include`
+* Update the `Project Build Order` so libmbedtls is built before any of its dependants
+* Update the `Project Dependencies` so that each dependant has the box checked for libmbedtls
diff --git a/makerom/deps/libmbedtls/LICENSE b/makerom/deps/libmbedtls/LICENSE
new file mode 100644
index 00000000..546a8e63
--- /dev/null
+++ b/makerom/deps/libmbedtls/LICENSE
@@ -0,0 +1,2 @@
+Unless specifically indicated otherwise in a file, files are licensed
+under the Apache 2.0 license, as can be found in: apache-2.0.txt
diff --git a/makerom/deps/libmbedtls/README.md b/makerom/deps/libmbedtls/README.md
new file mode 100644
index 00000000..4cbd026c
--- /dev/null
+++ b/makerom/deps/libmbedtls/README.md
@@ -0,0 +1,2 @@
+# libmbedtls
+Cryptographic functions. Clone of [mbedtls 2.16.5](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16).
diff --git a/makerom/deps/libmbedtls/apache-2.0.txt b/makerom/deps/libmbedtls/apache-2.0.txt
new file mode 100644
index 00000000..d6456956
--- /dev/null
+++ b/makerom/deps/libmbedtls/apache-2.0.txt
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/makerom/deps/libmbedtls/build/visualstudio/libmbedtls.sln b/makerom/deps/libmbedtls/build/visualstudio/libmbedtls.sln
new file mode 100644
index 00000000..52d81942
--- /dev/null
+++ b/makerom/deps/libmbedtls/build/visualstudio/libmbedtls.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28010.2036
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "libmbedtls", "libmbedtls\libmbedtls.vcxproj", "{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.ActiveCfg = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x64.Build.0 = Debug|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.ActiveCfg = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Debug|x86.Build.0 = Debug|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.ActiveCfg = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x64.Build.0 = Release|x64
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.ActiveCfg = Release|Win32
+		{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {339FDA10-37B3-49E3-B5F4-44515FFBBC6A}
+	EndGlobalSection
+EndGlobal
diff --git a/makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj b/makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj
new file mode 100644
index 00000000..c7dda398
--- /dev/null
+++ b/makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj
@@ -0,0 +1,289 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>15.0</VCProjectVersion>
+    <ProjectGuid>{7A7C66F3-2B5B-4E23-85D8-2A74FEDAD92C}</ProjectGuid>
+    <RootNamespace>libmbedtls</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <ConformanceMode>true</ConformanceMode>
+      <AdditionalIncludeDirectories>$(ProjectDir)..\..\..\include;</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\mbedtls\aes.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\aesni.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\arc4.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\aria.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\asn1.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\asn1write.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\base64.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\bignum.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\blowfish.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\bn_mul.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\camellia.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ccm.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\certs.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\chacha20.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\chachapoly.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\check_config.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\cipher.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\cipher_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\cmac.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\compat-1.3.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\config.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ctr_drbg.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\debug.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\des.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\dhm.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecdh.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecdsa.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecjpake.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecp.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ecp_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\entropy.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\entropy_poll.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\error.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\gcm.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\havege.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\hkdf.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\hmac_drbg.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md2.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md4.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md5.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\md_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\memory_buffer_alloc.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\net.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\net_sockets.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\nist_kw.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\oid.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\padlock.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pem.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pk.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs11.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs12.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs5.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\pk_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\platform.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\platform_time.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\platform_util.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\poly1305.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ripemd160.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\rsa.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\rsa_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\sha1.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\sha256.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\sha512.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cache.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ciphersuites.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cookie.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_internal.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ticket.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\threading.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\timing.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\version.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crl.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crt.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\x509_csr.h" />
+    <ClInclude Include="..\..\..\include\mbedtls\xtea.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\aes.c" />
+    <ClCompile Include="..\..\..\src\aesni.c" />
+    <ClCompile Include="..\..\..\src\arc4.c" />
+    <ClCompile Include="..\..\..\src\aria.c" />
+    <ClCompile Include="..\..\..\src\asn1parse.c" />
+    <ClCompile Include="..\..\..\src\asn1write.c" />
+    <ClCompile Include="..\..\..\src\base64.c" />
+    <ClCompile Include="..\..\..\src\bignum.c" />
+    <ClCompile Include="..\..\..\src\blowfish.c" />
+    <ClCompile Include="..\..\..\src\camellia.c" />
+    <ClCompile Include="..\..\..\src\ccm.c" />
+    <ClCompile Include="..\..\..\src\certs.c" />
+    <ClCompile Include="..\..\..\src\chacha20.c" />
+    <ClCompile Include="..\..\..\src\chachapoly.c" />
+    <ClCompile Include="..\..\..\src\cipher.c" />
+    <ClCompile Include="..\..\..\src\cipher_wrap.c" />
+    <ClCompile Include="..\..\..\src\cmac.c" />
+    <ClCompile Include="..\..\..\src\ctr_drbg.c" />
+    <ClCompile Include="..\..\..\src\debug.c" />
+    <ClCompile Include="..\..\..\src\des.c" />
+    <ClCompile Include="..\..\..\src\dhm.c" />
+    <ClCompile Include="..\..\..\src\ecdh.c" />
+    <ClCompile Include="..\..\..\src\ecdsa.c" />
+    <ClCompile Include="..\..\..\src\ecjpake.c" />
+    <ClCompile Include="..\..\..\src\ecp.c" />
+    <ClCompile Include="..\..\..\src\ecp_curves.c" />
+    <ClCompile Include="..\..\..\src\entropy.c" />
+    <ClCompile Include="..\..\..\src\entropy_poll.c" />
+    <ClCompile Include="..\..\..\src\error.c" />
+    <ClCompile Include="..\..\..\src\gcm.c" />
+    <ClCompile Include="..\..\..\src\havege.c" />
+    <ClCompile Include="..\..\..\src\hkdf.c" />
+    <ClCompile Include="..\..\..\src\hmac_drbg.c" />
+    <ClCompile Include="..\..\..\src\md.c" />
+    <ClCompile Include="..\..\..\src\md2.c" />
+    <ClCompile Include="..\..\..\src\md4.c" />
+    <ClCompile Include="..\..\..\src\md5.c" />
+    <ClCompile Include="..\..\..\src\md_wrap.c" />
+    <ClCompile Include="..\..\..\src\memory_buffer_alloc.c" />
+    <ClCompile Include="..\..\..\src\net_sockets.c" />
+    <ClCompile Include="..\..\..\src\nist_kw.c" />
+    <ClCompile Include="..\..\..\src\oid.c" />
+    <ClCompile Include="..\..\..\src\padlock.c" />
+    <ClCompile Include="..\..\..\src\pem.c" />
+    <ClCompile Include="..\..\..\src\pk.c" />
+    <ClCompile Include="..\..\..\src\pk_wrap.c" />
+    <ClCompile Include="..\..\..\src\pkcs11.c" />
+    <ClCompile Include="..\..\..\src\pkcs12.c" />
+    <ClCompile Include="..\..\..\src\pkcs5.c" />
+    <ClCompile Include="..\..\..\src\pkparse.c" />
+    <ClCompile Include="..\..\..\src\pkwrite.c" />
+    <ClCompile Include="..\..\..\src\platform.c" />
+    <ClCompile Include="..\..\..\src\platform_util.c" />
+    <ClCompile Include="..\..\..\src\poly1305.c" />
+    <ClCompile Include="..\..\..\src\ripemd160.c" />
+    <ClCompile Include="..\..\..\src\rsa.c" />
+    <ClCompile Include="..\..\..\src\rsa_internal.c" />
+    <ClCompile Include="..\..\..\src\sha1.c" />
+    <ClCompile Include="..\..\..\src\sha256.c" />
+    <ClCompile Include="..\..\..\src\sha512.c" />
+    <ClCompile Include="..\..\..\src\ssl_cache.c" />
+    <ClCompile Include="..\..\..\src\ssl_ciphersuites.c" />
+    <ClCompile Include="..\..\..\src\ssl_cli.c" />
+    <ClCompile Include="..\..\..\src\ssl_cookie.c" />
+    <ClCompile Include="..\..\..\src\ssl_srv.c" />
+    <ClCompile Include="..\..\..\src\ssl_ticket.c" />
+    <ClCompile Include="..\..\..\src\ssl_tls.c" />
+    <ClCompile Include="..\..\..\src\threading.c" />
+    <ClCompile Include="..\..\..\src\timing.c" />
+    <ClCompile Include="..\..\..\src\version.c" />
+    <ClCompile Include="..\..\..\src\version_features.c" />
+    <ClCompile Include="..\..\..\src\x509.c" />
+    <ClCompile Include="..\..\..\src\x509_create.c" />
+    <ClCompile Include="..\..\..\src\x509_crl.c" />
+    <ClCompile Include="..\..\..\src\x509_crt.c" />
+    <ClCompile Include="..\..\..\src\x509_csr.c" />
+    <ClCompile Include="..\..\..\src\x509write_crt.c" />
+    <ClCompile Include="..\..\..\src\x509write_csr.c" />
+    <ClCompile Include="..\..\..\src\xtea.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters b/makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters
new file mode 100644
index 00000000..27a1966d
--- /dev/null
+++ b/makerom/deps/libmbedtls/build/visualstudio/libmbedtls/libmbedtls.vcxproj.filters
@@ -0,0 +1,492 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\include\mbedtls\aes.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\aesni.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\arc4.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\aria.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\asn1.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\asn1write.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\base64.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\bignum.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\blowfish.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\bn_mul.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\camellia.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ccm.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\certs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\chacha20.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\chachapoly.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\check_config.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\cipher.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\cipher_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\cmac.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\compat-1.3.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\config.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ctr_drbg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\debug.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\des.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\dhm.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecdh.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecdsa.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecjpake.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecp.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ecp_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\entropy.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\entropy_poll.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\error.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\gcm.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\havege.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\hkdf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\hmac_drbg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md2.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md4.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\md5.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\memory_buffer_alloc.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\net.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\net_sockets.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\nist_kw.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\oid.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\padlock.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pem.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pk.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pk_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs5.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs11.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\pkcs12.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\platform.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\platform_time.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\platform_util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\poly1305.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ripemd160.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\rsa.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\rsa_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\sha1.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\sha256.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\sha512.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cache.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ciphersuites.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_cookie.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_internal.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\ssl_ticket.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\threading.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\timing.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crl.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509_crt.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\x509_csr.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\include\mbedtls\xtea.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\src\aes.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\aesni.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\arc4.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\aria.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\asn1parse.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\asn1write.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\base64.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\bignum.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\blowfish.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\camellia.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ccm.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\certs.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\chacha20.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\chachapoly.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cipher.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cipher_wrap.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\cmac.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ctr_drbg.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\debug.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\des.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\dhm.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecdh.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecdsa.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecjpake.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecp.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ecp_curves.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\entropy.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\entropy_poll.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\error.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\gcm.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\havege.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\hkdf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\hmac_drbg.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md2.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md4.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md5.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\md_wrap.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\memory_buffer_alloc.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\net_sockets.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\nist_kw.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\oid.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\padlock.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pem.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pk.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pk_wrap.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkcs11.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkcs12.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkcs5.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkparse.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\pkwrite.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\platform.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\platform_util.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\poly1305.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ripemd160.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\rsa.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\rsa_internal.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\sha1.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\sha256.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\sha512.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_cache.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_ciphersuites.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_cli.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_cookie.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_srv.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_ticket.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\ssl_tls.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\threading.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\timing.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\version_features.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_create.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_crl.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_crt.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509_csr.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509write_crt.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\x509write_csr.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\src\xtea.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/makerom/deps/libmbedtls/include/mbedtls/aes.h b/makerom/deps/libmbedtls/include/mbedtls/aes.h
new file mode 100644
index 00000000..94e7282d
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/aes.h
@@ -0,0 +1,674 @@
+/**
+ * \file aes.h
+ *
+ * \brief   This file contains AES definitions and functions.
+ *
+ *          The Advanced Encryption Standard (AES) specifies a FIPS-approved
+ *          cryptographic algorithm that can be used to protect electronic
+ *          data.
+ *
+ *          The AES algorithm is a symmetric block cipher that can
+ *          encrypt and decrypt information. For more information, see
+ *          <em>FIPS Publication 197: Advanced Encryption Standard</em> and
+ *          <em>ISO/IEC 18033-2:2006: Information technology -- Security
+ *          techniques -- Encryption algorithms -- Part 2: Asymmetric
+ *          ciphers</em>.
+ *
+ *          The AES-XTS block mode is standardized by NIST SP 800-38E
+ *          <https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38e.pdf>
+ *          and described in detail by IEEE P1619
+ *          <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_AES_H
+#define MBEDTLS_AES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* padlock.c and aesni.c rely on these values! */
+#define MBEDTLS_AES_ENCRYPT     1 /**< AES encryption. */
+#define MBEDTLS_AES_DECRYPT     0 /**< AES decryption. */
+
+/* Error codes in range 0x0020-0x0022 */
+#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
+#define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
+
+/* Error codes in range 0x0021-0x0025 */
+#define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021  /**< Invalid input data. */
+
+/* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
+#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
+
+/* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025  /**< AES hardware accelerator failed. */
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_AES_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief The AES context-type definition.
+ */
+typedef struct mbedtls_aes_context
+{
+    int nr;                     /*!< The number of rounds. */
+    uint32_t *rk;               /*!< AES round keys. */
+    uint32_t buf[68];           /*!< Unaligned data buffer. This buffer can
+                                     hold 32 extra Bytes, which can be used for
+                                     one of the following purposes:
+                                     <ul><li>Alignment if VIA padlock is
+                                             used.</li>
+                                     <li>Simplifying key expansion in the 256-bit
+                                         case by generating an extra round key.
+                                         </li></ul> */
+}
+mbedtls_aes_context;
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief The AES XTS context-type definition.
+ */
+typedef struct mbedtls_aes_xts_context
+{
+    mbedtls_aes_context crypt; /*!< The AES context to use for AES block
+                                        encryption or decryption. */
+    mbedtls_aes_context tweak; /*!< The AES context used for tweak
+                                        computation. */
+} mbedtls_aes_xts_context;
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#else  /* MBEDTLS_AES_ALT */
+#include "aes_alt.h"
+#endif /* MBEDTLS_AES_ALT */
+
+/**
+ * \brief          This function initializes the specified AES context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The AES context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aes_init( mbedtls_aes_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified AES context.
+ *
+ * \param ctx      The AES context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
+ */
+void mbedtls_aes_free( mbedtls_aes_context *ctx );
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief          This function initializes the specified AES XTS context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The AES XTS context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified AES XTS context.
+ *
+ * \param ctx      The AES XTS context to clear.
+ *                 If this is \c NULL, this function does nothing.
+ *                 Otherwise, the context must have been at least initialized.
+ */
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/**
+ * \brief          This function sets the encryption key.
+ *
+ * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The encryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of data passed in bits. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits );
+
+/**
+ * \brief          This function sets the decryption key.
+ *
+ * \param ctx      The AES context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The decryption key.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of data passed. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits );
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief          This function prepares an XTS context for encryption and
+ *                 sets the encryption key.
+ *
+ * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The encryption key. This is comprised of the XTS key1
+ *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of \p key passed in bits. Valid options are:
+ *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits );
+
+/**
+ * \brief          This function prepares an XTS context for decryption and
+ *                 sets the decryption key.
+ *
+ * \param ctx      The AES XTS context to which the key should be bound.
+ *                 It must be initialized.
+ * \param key      The decryption key. This is comprised of the XTS key1
+ *                 concatenated with the XTS key2.
+ *                 This must be a readable buffer of size \p keybits bits.
+ * \param keybits  The size of \p key passed in bits. Valid options are:
+ *                 <ul><li>256 bits (each of key1 and key2 is a 128-bit key)</li>
+ *                 <li>512 bits (each of key1 and key2 is a 256-bit key)</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
+ */
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/**
+ * \brief          This function performs an AES single-block encryption or
+ *                 decryption operation.
+ *
+ *                 It performs the operation defined in the \p mode parameter
+ *                 (encrypt or decrypt), on the input data buffer defined in
+ *                 the \p input parameter.
+ *
+ *                 mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or
+ *                 mbedtls_aes_setkey_dec() must be called before the first
+ *                 call to this API with the same context.
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and at least \c 16 Bytes long.
+ * \param output   The buffer where the output data will be written.
+ *                 It must be writeable and at least \c 16 Bytes long.
+
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief  This function performs an AES-CBC encryption or decryption operation
+ *         on full blocks.
+ *
+ *         It performs the operation defined in the \p mode
+ *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *         the \p input parameter.
+ *
+ *         It can be called as many times as needed, until all the input
+ *         data is processed. mbedtls_aes_init(), and either
+ *         mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called
+ *         before the first call to this API with the same context.
+ *
+ * \note   This function operates on full blocks, that is, the input size
+ *         must be a multiple of the AES block size of \c 16 Bytes.
+ *
+ * \note   Upon exit, the content of the IV is updated so that you can
+ *         call the same function again on the next
+ *         block(s) of data and get the same result as if it was
+ *         encrypted in one call. This allows a "streaming" usage.
+ *         If you need to retain the contents of the IV, you should
+ *         either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param length   The length of the input data in Bytes. This must be a
+ *                 multiple of the block size (\c 16 Bytes).
+ * \param iv       Initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+ *                 on failure.
+ */
+int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief      This function performs an AES-XTS encryption or decryption
+ *             operation for an entire XTS data unit.
+ *
+ *             AES-XTS encrypts or decrypts blocks based on their location as
+ *             defined by a data unit number. The data unit number must be
+ *             provided by \p data_unit.
+ *
+ *             NIST SP 800-38E limits the maximum size of a data unit to 2^20
+ *             AES blocks. If the data unit is larger than this, this function
+ *             returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
+ *
+ * \param ctx          The AES XTS context to use for AES XTS operations.
+ *                     It must be initialized and bound to a key.
+ * \param mode         The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                     #MBEDTLS_AES_DECRYPT.
+ * \param length       The length of a data unit in Bytes. This can be any
+ *                     length between 16 bytes and 2^24 bytes inclusive
+ *                     (between 1 and 2^20 block cipher blocks).
+ * \param data_unit    The address of the data unit encoded as an array of 16
+ *                     bytes in little-endian format. For disk encryption, this
+ *                     is typically the index of the block device sector that
+ *                     contains the data.
+ * \param input        The buffer holding the input data (which is an entire
+ *                     data unit). This function reads \p length Bytes from \p
+ *                     input.
+ * \param output       The buffer holding the output data (which is an entire
+ *                     data unit). This function writes \p length Bytes to \p
+ *                     output.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if \p length is
+ *                     smaller than an AES block in size (16 Bytes) or if \p
+ *                     length is larger than 2^20 blocks (16 MiB).
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+                           int mode,
+                           size_t length,
+                           const unsigned char data_unit[16],
+                           const unsigned char *input,
+                           unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an AES-CFB128 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt or decrypt), on the input data buffer
+ *        defined in the \p input parameter.
+ *
+ *        For CFB, you must set up the context with mbedtls_aes_setkey_enc(),
+ *        regardless of whether you are performing an encryption or decryption
+ *        operation, that is, regardless of the \p mode parameter. This is
+ *        because CFB mode uses the same key schedule for encryption and
+ *        decryption.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you must either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT.
+ * \param length   The length of the input data in Bytes.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
+ * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+/**
+ * \brief This function performs an AES-CFB8 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt/decrypt), on the input data buffer defined
+ *        in the \p input parameter.
+ *
+ *        Due to the nature of CFB, you must use the same key schedule for
+ *        both encryption and decryption operations. Therefore, you must
+ *        use the context initialized with mbedtls_aes_setkey_enc() for
+ *        both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you should either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param mode     The AES operation: #MBEDTLS_AES_ENCRYPT or
+ *                 #MBEDTLS_AES_DECRYPT
+ * \param length   The length of the input data.
+ * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/**
+ * \brief       This function performs an AES-OFB (Output Feedback Mode)
+ *              encryption or decryption operation.
+ *
+ *              For OFB, you must set up the context with
+ *              mbedtls_aes_setkey_enc(), regardless of whether you are
+ *              performing an encryption or decryption operation. This is
+ *              because OFB mode uses the same key schedule for encryption and
+ *              decryption.
+ *
+ *              The OFB operation is identical for encryption or decryption,
+ *              therefore no operation mode needs to be specified.
+ *
+ * \note        Upon exit, the content of iv, the Initialisation Vector, is
+ *              updated so that you can call the same function again on the next
+ *              block(s) of data and get the same result as if it was encrypted
+ *              in one call. This allows a "streaming" usage, by initialising
+ *              iv_off to 0 before the first call, and preserving its value
+ *              between calls.
+ *
+ *              For non-streaming use, the iv should be initialised on each call
+ *              to a unique value, and iv_off set to 0 on each call.
+ *
+ *              If you need to retain the contents of the initialisation vector,
+ *              you must either save it manually or use the cipher module
+ *              instead.
+ *
+ * \warning     For the OFB mode, the initialisation vector must be unique
+ *              every encryption operation. Reuse of an initialisation vector
+ *              will compromise security.
+ *
+ * \param ctx      The AES context to use for encryption or decryption.
+ *                 It must be initialized and bound to a key.
+ * \param length   The length of the input data.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 It must point to a valid \c size_t.
+ * \param iv       The initialization vector (updated after use).
+ *                 It must be a readable and writeable buffer of \c 16 Bytes.
+ * \param input    The buffer holding the input data.
+ *                 It must be readable and of size \p length Bytes.
+ * \param output   The buffer holding the output data.
+ *                 It must be writeable and of size \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      This function performs an AES-CTR encryption or decryption
+ *             operation.
+ *
+ *             This function performs the operation defined in the \p mode
+ *             parameter (encrypt/decrypt), on the input data buffer
+ *             defined in the \p input parameter.
+ *
+ *             Due to the nature of CTR, you must use the same key schedule
+ *             for both encryption and decryption operations. Therefore, you
+ *             must use the context initialized with mbedtls_aes_setkey_enc()
+ *             for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 12 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 12 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter. An alternative is to generate random nonces, but this
+ *             limits the number of messages that can be securely encrypted:
+ *             for example, with 96-bit random nonces, you should not encrypt
+ *             more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that an AES block is 16 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx              The AES context to use for encryption or decryption.
+ *                         It must be initialized and bound to a key.
+ * \param length           The length of the input data.
+ * \param nc_off           The offset in the current \p stream_block, for
+ *                         resuming within the current cipher stream. The
+ *                         offset pointer should be 0 at the start of a stream.
+ *                         It must point to a valid \c size_t.
+ * \param nonce_counter    The 128-bit nonce and counter.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
+ * \param stream_block     The saved stream block for resuming. This is
+ *                         overwritten by the function.
+ *                         It must be a readable-writeable buffer of \c 16 Bytes.
+ * \param input            The buffer holding the input data.
+ *                         It must be readable and of size \p length Bytes.
+ * \param output           The buffer holding the output data.
+ *                         It must be writeable and of size \p length Bytes.
+ *
+ * \return                 \c 0 on success.
+ */
+int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/**
+ * \brief           Internal AES block encryption function. This is only
+ *                  exposed to allow overriding it using
+ *                  \c MBEDTLS_AES_ENCRYPT_ALT.
+ *
+ * \param ctx       The AES context to use for encryption.
+ * \param input     The plaintext block.
+ * \param output    The output (ciphertext) block.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] );
+
+/**
+ * \brief           Internal AES block decryption function. This is only
+ *                  exposed to allow overriding it using see
+ *                  \c MBEDTLS_AES_DECRYPT_ALT.
+ *
+ * \param ctx       The AES context to use for decryption.
+ * \param input     The ciphertext block.
+ * \param output    The output (plaintext) block.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           Deprecated internal AES block encryption function
+ *                  without return value.
+ *
+ * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
+ *
+ * \param ctx       The AES context to use for encryption.
+ * \param input     Plaintext block.
+ * \param output    Output (ciphertext) block.
+ */
+MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
+                                             const unsigned char input[16],
+                                             unsigned char output[16] );
+
+/**
+ * \brief           Deprecated internal AES block decryption function
+ *                  without return value.
+ *
+ * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
+ *
+ * \param ctx       The AES context to use for decryption.
+ * \param input     Ciphertext block.
+ * \param output    Output (plaintext) block.
+ */
+MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
+                                             const unsigned char input[16],
+                                             unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_aes_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aes.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/aesni.h b/makerom/deps/libmbedtls/include/mbedtls/aesni.h
new file mode 100644
index 00000000..a4ca012f
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/aesni.h
@@ -0,0 +1,138 @@
+/**
+ * \file aesni.h
+ *
+ * \brief AES-NI for hardware AES acceleration on some Intel processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_AESNI_H
+#define MBEDTLS_AESNI_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#define MBEDTLS_AESNI_AES      0x02000000u
+#define MBEDTLS_AESNI_CLMUL    0x00000002u
+
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) &&  \
+    ( defined(__amd64__) || defined(__x86_64__) )   &&  \
+    ! defined(MBEDTLS_HAVE_X86_64)
+#define MBEDTLS_HAVE_X86_64
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Internal function to detect the AES-NI feature in CPUs.
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param what     The feature to detect
+ *                 (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_aesni_has_support( unsigned int what );
+
+/**
+ * \brief          Internal AES-NI AES-ECB block encryption and decryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 on success (cannot fail)
+ */
+int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
+                             int mode,
+                             const unsigned char input[16],
+                             unsigned char output[16] );
+
+/**
+ * \brief          Internal GCM multiplication: c = a * b in GF(2^128)
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param c        Result
+ * \param a        First operand
+ * \param b        Second operand
+ *
+ * \note           Both operands and result are bit strings interpreted as
+ *                 elements of GF(2^128) as per the GCM spec.
+ */
+void mbedtls_aesni_gcm_mult( unsigned char c[16],
+                             const unsigned char a[16],
+                             const unsigned char b[16] );
+
+/**
+ * \brief           Internal round key inversion. This function computes
+ *                  decryption round keys from the encryption round keys.
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
+ *
+ * \param invkey    Round keys for the equivalent inverse cipher
+ * \param fwdkey    Original round keys (for encryption)
+ * \param nr        Number of rounds (that is, number of round keys minus one)
+ */
+void mbedtls_aesni_inverse_key( unsigned char *invkey,
+                                const unsigned char *fwdkey,
+                                int nr );
+
+/**
+ * \brief           Internal key expansion for encryption
+ *
+ * \note            This function is only for internal use by other library
+ *                  functions; you must not call it directly.
+ *
+ * \param rk        Destination buffer where the round keys are written
+ * \param key       Encryption key
+ * \param bits      Key size in bits (must be 128, 192 or 256)
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+ */
+int mbedtls_aesni_setkey_enc( unsigned char *rk,
+                              const unsigned char *key,
+                              size_t bits );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/arc4.h b/makerom/deps/libmbedtls/include/mbedtls/arc4.h
new file mode 100644
index 00000000..fb044d5b
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/arc4.h
@@ -0,0 +1,146 @@
+/**
+ * \file arc4.h
+ *
+ * \brief The ARCFOUR stream cipher
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_ARC4_H
+#define MBEDTLS_ARC4_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_ARC4_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief     ARC4 context structure
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ *
+ */
+typedef struct mbedtls_arc4_context
+{
+    int x;                      /*!< permutation index */
+    int y;                      /*!< permutation index */
+    unsigned char m[256];       /*!< permutation table */
+}
+mbedtls_arc4_context;
+
+#else  /* MBEDTLS_ARC4_ALT */
+#include "arc4_alt.h"
+#endif /* MBEDTLS_ARC4_ALT */
+
+/**
+ * \brief          Initialize ARC4 context
+ *
+ * \param ctx      ARC4 context to be initialized
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_init( mbedtls_arc4_context *ctx );
+
+/**
+ * \brief          Clear ARC4 context
+ *
+ * \param ctx      ARC4 context to be cleared
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_free( mbedtls_arc4_context *ctx );
+
+/**
+ * \brief          ARC4 key schedule
+ *
+ * \param ctx      ARC4 context to be setup
+ * \param key      the secret key
+ * \param keylen   length of the key, in bytes
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
+                 unsigned int keylen );
+
+/**
+ * \brief          ARC4 cipher function
+ *
+ * \param ctx      ARC4 context
+ * \param length   length of the input data
+ * \param input    buffer holding the input data
+ * \param output   buffer for the output data
+ *
+ * \return         0 if successful
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
+                unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        ARC4 is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ *
+ */
+int mbedtls_arc4_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* arc4.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/aria.h b/makerom/deps/libmbedtls/include/mbedtls/aria.h
new file mode 100644
index 00000000..1e8956ed
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/aria.h
@@ -0,0 +1,370 @@
+/**
+ * \file aria.h
+ *
+ * \brief ARIA block cipher
+ *
+ *        The ARIA algorithm is a symmetric block cipher that can encrypt and
+ *        decrypt information. It is defined by the Korean Agency for
+ *        Technology and Standards (KATS) in <em>KS X 1213:2004</em> (in
+ *        Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
+ *        and also described by the IETF in <em>RFC 5794</em>.
+ */
+/*  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ARIA_H
+#define MBEDTLS_ARIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "platform_util.h"
+
+#define MBEDTLS_ARIA_ENCRYPT     1 /**< ARIA encryption. */
+#define MBEDTLS_ARIA_DECRYPT     0 /**< ARIA decryption. */
+
+#define MBEDTLS_ARIA_BLOCKSIZE   16 /**< ARIA block size in bytes. */
+#define MBEDTLS_ARIA_MAX_ROUNDS  16 /**< Maxiumum number of rounds in ARIA. */
+#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
+
+#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE  -0x005A  /**< Feature not available. For example, an unsupported ARIA key size. */
+
+/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED      -0x0058  /**< ARIA hardware accelerator failed. */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+// Regular implementation
+//
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief The ARIA context-type definition.
+ */
+typedef struct mbedtls_aria_context
+{
+    unsigned char nr;           /*!< The number of rounds (12, 14 or 16) */
+    /*! The ARIA round keys. */
+    uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4];
+}
+mbedtls_aria_context;
+
+#else  /* MBEDTLS_ARIA_ALT */
+#include "aria_alt.h"
+#endif /* MBEDTLS_ARIA_ALT */
+
+/**
+ * \brief          This function initializes the specified ARIA context.
+ *
+ *                 It must be the first API called before using
+ *                 the context.
+ *
+ * \param ctx      The ARIA context to initialize. This must not be \c NULL.
+ */
+void mbedtls_aria_init( mbedtls_aria_context *ctx );
+
+/**
+ * \brief          This function releases and clears the specified ARIA context.
+ *
+ * \param ctx      The ARIA context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized ARIA context.
+ */
+void mbedtls_aria_free( mbedtls_aria_context *ctx );
+
+/**
+ * \brief          This function sets the encryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The encryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of \p key in Bits. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits );
+
+/**
+ * \brief          This function sets the decryption key.
+ *
+ * \param ctx      The ARIA context to which the key should be bound.
+ *                 This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The size of data passed. Valid options are:
+ *                 <ul><li>128 bits</li>
+ *                 <li>192 bits</li>
+ *                 <li>256 bits</li></ul>
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits );
+
+/**
+ * \brief          This function performs an ARIA single-block encryption or
+ *                 decryption operation.
+ *
+ *                 It performs encryption or decryption (depending on whether
+ *                 the key was set for encryption on decryption) on the input
+ *                 data buffer defined in the \p input parameter.
+ *
+ *                 mbedtls_aria_init(), and either mbedtls_aria_setkey_enc() or
+ *                 mbedtls_aria_setkey_dec() must be called before the first
+ *                 call to this API with the same context.
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param input    The 16-Byte buffer holding the input data.
+ * \param output   The 16-Byte buffer holding the output data.
+
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief  This function performs an ARIA-CBC encryption or decryption operation
+ *         on full blocks.
+ *
+ *         It performs the operation defined in the \p mode
+ *         parameter (encrypt/decrypt), on the input data buffer defined in
+ *         the \p input parameter.
+ *
+ *         It can be called as many times as needed, until all the input
+ *         data is processed. mbedtls_aria_init(), and either
+ *         mbedtls_aria_setkey_enc() or mbedtls_aria_setkey_dec() must be called
+ *         before the first call to this API with the same context.
+ *
+ * \note   This function operates on aligned blocks, that is, the input size
+ *         must be a multiple of the ARIA block size of 16 Bytes.
+ *
+ * \note   Upon exit, the content of the IV is updated so that you can
+ *         call the same function again on the next
+ *         block(s) of data and get the same result as if it was
+ *         encrypted in one call. This allows a "streaming" usage.
+ *         If you need to retain the contents of the IV, you should
+ *         either save it manually or use the cipher module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be a
+ *                 multiple of the block size (16 Bytes).
+ * \param iv       Initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief This function performs an ARIA-CFB128 encryption or decryption
+ *        operation.
+ *
+ *        It performs the operation defined in the \p mode
+ *        parameter (encrypt or decrypt), on the input data buffer
+ *        defined in the \p input parameter.
+ *
+ *        For CFB, you must set up the context with mbedtls_aria_setkey_enc(),
+ *        regardless of whether you are performing an encryption or decryption
+ *        operation, that is, regardless of the \p mode parameter. This is
+ *        because CFB mode uses the same key schedule for encryption and
+ *        decryption.
+ *
+ * \note  Upon exit, the content of the IV is updated so that you can
+ *        call the same function again on the next
+ *        block(s) of data and get the same result as if it was
+ *        encrypted in one call. This allows a "streaming" usage.
+ *        If you need to retain the contents of the
+ *        IV, you must either save it manually or use the cipher
+ *        module instead.
+ *
+ *
+ * \param ctx      The ARIA context to use for encryption or decryption.
+ *                 This must be initialized and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_ARIA_ENCRYPT for encryption, or
+ *                 #MBEDTLS_ARIA_DECRYPT for decryption.
+ * \param length   The length of the input data \p input in Bytes.
+ * \param iv_off   The offset in IV (updated after use).
+ *                 This must not be larger than 15.
+ * \param iv       The initialization vector (updated after use).
+ *                 This must be a readable buffer of size 16 Bytes.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must
+ *                 be a writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+                               int mode,
+                               size_t length,
+                               size_t *iv_off,
+                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                               const unsigned char *input,
+                               unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      This function performs an ARIA-CTR encryption or decryption
+ *             operation.
+ *
+ *             This function performs the operation defined in the \p mode
+ *             parameter (encrypt/decrypt), on the input data buffer
+ *             defined in the \p input parameter.
+ *
+ *             Due to the nature of CTR, you must use the same key schedule
+ *             for both encryption and decryption operations. Therefore, you
+ *             must use the context initialized with mbedtls_aria_setkey_enc()
+ *             for both #MBEDTLS_ARIA_ENCRYPT and #MBEDTLS_ARIA_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 12 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 12 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**96 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter. An alternative is to generate random nonces, but this
+ *             limits the number of messages that can be securely encrypted:
+ *             for example, with 96-bit random nonces, you should not encrypt
+ *             more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that an ARIA block is 16 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx              The ARIA context to use for encryption or decryption.
+ *                         This must be initialized and bound to a key.
+ * \param length           The length of the input data \p input in Bytes.
+ * \param nc_off           The offset in Bytes in the current \p stream_block,
+ *                         for resuming within the current cipher stream. The
+ *                         offset pointer should be \c 0 at the start of a
+ *                         stream. This must not be larger than \c 15 Bytes.
+ * \param nonce_counter    The 128-bit nonce and counter. This must point to
+ *                         a read/write buffer of length \c 16 bytes.
+ * \param stream_block     The saved stream block for resuming. This must
+ *                         point to a read/write buffer of length \c 16 bytes.
+ *                         This is overwritten by the function.
+ * \param input            The buffer holding the input data. This must
+ *                         be a readable buffer of length \p length Bytes.
+ * \param output           The buffer holding the output data. This must
+ *                         be a writable buffer of length \p length Bytes.
+ *
+ * \return                 \c 0 on success.
+ * \return                 A negative error code on failure.
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+                            size_t length,
+                            size_t *nc_off,
+                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine.
+ *
+ * \return         \c 0 on success, or \c 1 on failure.
+ */
+int mbedtls_aria_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* aria.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/asn1.h b/makerom/deps/libmbedtls/include/mbedtls/asn1.h
new file mode 100644
index 00000000..96c1c9a8
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/asn1.h
@@ -0,0 +1,358 @@
+/**
+ * \file asn1.h
+ *
+ * \brief Generic ASN.1 parsing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ASN1_H
+#define MBEDTLS_ASN1_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "bignum.h"
+#endif
+
+/**
+ * \addtogroup asn1_module
+ * \{
+ */
+
+/**
+ * \name ASN1 Error codes
+ * These error codes are OR'ed to X509 error codes for
+ * higher error granularity.
+ * ASN1 is a standard to specify data structures.
+ * \{
+ */
+#define MBEDTLS_ERR_ASN1_OUT_OF_DATA                      -0x0060  /**< Out of data when parsing an ASN1 data structure. */
+#define MBEDTLS_ERR_ASN1_UNEXPECTED_TAG                   -0x0062  /**< ASN1 tag was of an unexpected value. */
+#define MBEDTLS_ERR_ASN1_INVALID_LENGTH                   -0x0064  /**< Error when trying to determine the length or invalid length. */
+#define MBEDTLS_ERR_ASN1_LENGTH_MISMATCH                  -0x0066  /**< Actual length differs from expected length. */
+#define MBEDTLS_ERR_ASN1_INVALID_DATA                     -0x0068  /**< Data is invalid. (not used) */
+#define MBEDTLS_ERR_ASN1_ALLOC_FAILED                     -0x006A  /**< Memory allocation failed */
+#define MBEDTLS_ERR_ASN1_BUF_TOO_SMALL                    -0x006C  /**< Buffer too small when writing ASN.1 data structure. */
+
+/* \} name */
+
+/**
+ * \name DER constants
+ * These constants comply with the DER encoded ASN.1 type tags.
+ * DER encoding uses hexadecimal representation.
+ * An example DER sequence is:\n
+ * - 0x02 -- tag indicating INTEGER
+ * - 0x01 -- length in octets
+ * - 0x05 -- value
+ * Such sequences are typically read into \c ::mbedtls_x509_buf.
+ * \{
+ */
+#define MBEDTLS_ASN1_BOOLEAN                 0x01
+#define MBEDTLS_ASN1_INTEGER                 0x02
+#define MBEDTLS_ASN1_BIT_STRING              0x03
+#define MBEDTLS_ASN1_OCTET_STRING            0x04
+#define MBEDTLS_ASN1_NULL                    0x05
+#define MBEDTLS_ASN1_OID                     0x06
+#define MBEDTLS_ASN1_UTF8_STRING             0x0C
+#define MBEDTLS_ASN1_SEQUENCE                0x10
+#define MBEDTLS_ASN1_SET                     0x11
+#define MBEDTLS_ASN1_PRINTABLE_STRING        0x13
+#define MBEDTLS_ASN1_T61_STRING              0x14
+#define MBEDTLS_ASN1_IA5_STRING              0x16
+#define MBEDTLS_ASN1_UTC_TIME                0x17
+#define MBEDTLS_ASN1_GENERALIZED_TIME        0x18
+#define MBEDTLS_ASN1_UNIVERSAL_STRING        0x1C
+#define MBEDTLS_ASN1_BMP_STRING              0x1E
+#define MBEDTLS_ASN1_PRIMITIVE               0x00
+#define MBEDTLS_ASN1_CONSTRUCTED             0x20
+#define MBEDTLS_ASN1_CONTEXT_SPECIFIC        0x80
+
+/*
+ * Bit masks for each of the components of an ASN.1 tag as specified in
+ * ITU X.690 (08/2015), section 8.1 "General rules for encoding",
+ * paragraph 8.1.2.2:
+ *
+ * Bit  8     7   6   5          1
+ *     +-------+-----+------------+
+ *     | Class | P/C | Tag number |
+ *     +-------+-----+------------+
+ */
+#define MBEDTLS_ASN1_TAG_CLASS_MASK          0xC0
+#define MBEDTLS_ASN1_TAG_PC_MASK             0x20
+#define MBEDTLS_ASN1_TAG_VALUE_MASK          0x1F
+
+/* \} name */
+/* \} addtogroup asn1_module */
+
+/** Returns the size of the binary string, without the trailing \\0 */
+#define MBEDTLS_OID_SIZE(x) (sizeof(x) - 1)
+
+/**
+ * Compares an mbedtls_asn1_buf structure to a reference OID.
+ *
+ * Only works for 'defined' oid_str values (MBEDTLS_OID_HMAC_SHA1), you cannot use a
+ * 'unsigned char *oid' here!
+ */
+#define MBEDTLS_OID_CMP(oid_str, oid_buf)                                   \
+        ( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len ) ||                \
+          memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name Functions to parse ASN.1 data structures
+ * \{
+ */
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef struct mbedtls_asn1_buf
+{
+    int tag;                /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */
+    size_t len;             /**< ASN1 length, in octets. */
+    unsigned char *p;       /**< ASN1 data, e.g. in ASCII. */
+}
+mbedtls_asn1_buf;
+
+/**
+ * Container for ASN1 bit strings.
+ */
+typedef struct mbedtls_asn1_bitstring
+{
+    size_t len;                 /**< ASN1 length, in octets. */
+    unsigned char unused_bits;  /**< Number of unused bits at the end of the string */
+    unsigned char *p;           /**< Raw ASN1 data for the bit string */
+}
+mbedtls_asn1_bitstring;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef struct mbedtls_asn1_sequence
+{
+    mbedtls_asn1_buf buf;                   /**< Buffer containing the given ASN.1 item. */
+    struct mbedtls_asn1_sequence *next;    /**< The next entry in the sequence. */
+}
+mbedtls_asn1_sequence;
+
+/**
+ * Container for a sequence or list of 'named' ASN.1 data items
+ */
+typedef struct mbedtls_asn1_named_data
+{
+    mbedtls_asn1_buf oid;                   /**< The object identifier. */
+    mbedtls_asn1_buf val;                   /**< The named value. */
+    struct mbedtls_asn1_named_data *next;  /**< The next entry in the sequence. */
+    unsigned char next_merged;      /**< Merge next item into the current one? */
+}
+mbedtls_asn1_named_data;
+
+/**
+ * \brief       Get the length of an ASN.1 element.
+ *              Updates the pointer to immediately behind the length.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the value
+ *
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_OUT_OF_DATA on reaching
+ *              end of data, MBEDTLS_ERR_ASN1_INVALID_LENGTH if length is
+ *              unparseable.
+ */
+int mbedtls_asn1_get_len( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len );
+
+/**
+ * \brief       Get the tag and length of the tag. Check for the requested tag.
+ *              Updates the pointer to immediately behind the tag and length.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   The variable that will receive the length
+ * \param tag   The expected tag
+ *
+ * \return      0 if successful, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG if tag did
+ *              not match requested tag, or another specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_tag( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len, int tag );
+
+/**
+ * \brief       Retrieve a boolean ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bool( unsigned char **p,
+                   const unsigned char *end,
+                   int *val );
+
+/**
+ * \brief       Retrieve an integer ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param val   The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_int( unsigned char **p,
+                  const unsigned char *end,
+                  int *val );
+
+/**
+ * \brief       Retrieve a bitstring ASN.1 tag and its value.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param bs    The variable that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bitstring( unsigned char **p, const unsigned char *end,
+                        mbedtls_asn1_bitstring *bs);
+
+/**
+ * \brief       Retrieve a bitstring ASN.1 tag without unused bits and its
+ *              value.
+ *              Updates the pointer to the beginning of the bit/octet string.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param len   Length of the actual bit/octect string in bytes
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_bitstring_null( unsigned char **p, const unsigned char *end,
+                             size_t *len );
+
+/**
+ * \brief       Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ *              Updated the pointer to immediately behind the full sequence tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param cur   First variable in the chain to fill
+ * \param tag   Type of sequence
+ *
+ * \return      0 if successful or a specific ASN.1 error code.
+ */
+int mbedtls_asn1_get_sequence_of( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_asn1_sequence *cur,
+                          int tag);
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief       Retrieve a MPI value from an integer ASN.1 tag.
+ *              Updates the pointer to immediately behind the full tag.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param X     The MPI that will receive the value
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_mpi( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_mpi *X );
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief       Retrieve an AlgorithmIdentifier ASN.1 sequence.
+ *              Updates the pointer to immediately behind the full
+ *              AlgorithmIdentifier.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
+ * \param params The buffer to receive the params (if any)
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params );
+
+/**
+ * \brief       Retrieve an AlgorithmIdentifier ASN.1 sequence with NULL or no
+ *              params.
+ *              Updates the pointer to immediately behind the full
+ *              AlgorithmIdentifier.
+ *
+ * \param p     The position in the ASN.1 data
+ * \param end   End of data
+ * \param alg   The buffer to receive the OID
+ *
+ * \return      0 if successful or a specific ASN.1 or MPI error code.
+ */
+int mbedtls_asn1_get_alg_null( unsigned char **p,
+                       const unsigned char *end,
+                       mbedtls_asn1_buf *alg );
+
+/**
+ * \brief       Find a specific named_data entry in a sequence or list based on
+ *              the OID.
+ *
+ * \param list  The list to seek through
+ * \param oid   The OID to look for
+ * \param len   Size of the OID
+ *
+ * \return      NULL if not found, or a pointer to the existing entry.
+ */
+mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( mbedtls_asn1_named_data *list,
+                                       const char *oid, size_t len );
+
+/**
+ * \brief       Free a mbedtls_asn1_named_data entry
+ *
+ * \param entry The named data entry to free
+ */
+void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *entry );
+
+/**
+ * \brief       Free all entries in a mbedtls_asn1_named_data list
+ *              Head will be set to NULL
+ *
+ * \param head  Pointer to the head of the list of named data entries to free
+ */
+void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* asn1.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/asn1write.h b/makerom/deps/libmbedtls/include/mbedtls/asn1write.h
new file mode 100644
index 00000000..a1942436
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/asn1write.h
@@ -0,0 +1,329 @@
+/**
+ * \file asn1write.h
+ *
+ * \brief ASN.1 buffer writing functionality
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ASN1_WRITE_H
+#define MBEDTLS_ASN1_WRITE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+
+#define MBEDTLS_ASN1_CHK_ADD(g, f)                      \
+    do                                                  \
+    {                                                   \
+        if( ( ret = (f) ) < 0 )                         \
+            return( ret );                              \
+        else                                            \
+            (g) += ret;                                 \
+    } while( 0 )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           Write a length field in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param len       The length value to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start,
+                            size_t len );
+/**
+ * \brief           Write an ASN.1 tag in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The tag to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start,
+                            unsigned char tag );
+
+/**
+ * \brief           Write raw buffer data.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The data buffer to write.
+ * \param size      The length of the data buffer.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
+                                   const unsigned char *buf, size_t size );
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief           Write a arbitrary-precision number (#MBEDTLS_ASN1_INTEGER)
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param X         The MPI to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start,
+                            const mbedtls_mpi *X );
+#endif /* MBEDTLS_BIGNUM_C */
+
+/**
+ * \brief           Write a NULL tag (#MBEDTLS_ASN1_NULL) with zero data
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start );
+
+/**
+ * \brief           Write an OID tag (#MBEDTLS_ASN1_OID) and data
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID to write.
+ * \param oid_len   The length of the OID.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
+                            const char *oid, size_t oid_len );
+
+/**
+ * \brief           Write an AlgorithmIdentifier sequence in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param oid       The OID of the algorithm to write.
+ * \param oid_len   The length of the algorithm's OID.
+ * \param par_len   The length of the parameters, which must be already written.
+ *                  If 0, NULL parameters are added
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p,
+                                             unsigned char *start,
+                                             const char *oid, size_t oid_len,
+                                             size_t par_len );
+
+/**
+ * \brief           Write a boolean tag (#MBEDTLS_ASN1_BOOLEAN) and value
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param boolean   The boolean value to write, either \c 0 or \c 1.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start,
+                             int boolean );
+
+/**
+ * \brief           Write an int tag (#MBEDTLS_ASN1_INTEGER) and value
+ *                  in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param val       The integer value to write.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val );
+
+/**
+ * \brief           Write a string in ASN.1 format using a specific
+ *                  string encoding tag.
+
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param tag       The string encoding tag to write, e.g.
+ *                  #MBEDTLS_ASN1_UTF8_STRING.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start,
+                                      int tag, const char *text,
+                                      size_t text_len );
+
+/**
+ * \brief           Write a string in ASN.1 format using the PrintableString
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_printable_string( unsigned char **p,
+                                         unsigned char *start,
+                                         const char *text, size_t text_len );
+
+/**
+ * \brief           Write a UTF8 string in ASN.1 format using the UTF8String
+ *                  string encoding tag (#MBEDTLS_ASN1_PRINTABLE_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
+                                    const char *text, size_t text_len );
+
+/**
+ * \brief           Write a string in ASN.1 format using the IA5String
+ *                  string encoding tag (#MBEDTLS_ASN1_IA5_STRING).
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param text      The string to write.
+ * \param text_len  The length of \p text in bytes (which might
+ *                  be strictly larger than the number of characters).
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
+                                   const char *text, size_t text_len );
+
+/**
+ * \brief           Write a bitstring tag (#MBEDTLS_ASN1_BIT_STRING) and
+ *                  value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The bitstring to write.
+ * \param bits      The total number of bits in the bitstring.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
+                                  const unsigned char *buf, size_t bits );
+
+/**
+ * \brief           Write an octet string tag (#MBEDTLS_ASN1_OCTET_STRING)
+ *                  and value in ASN.1 format.
+ *
+ * \note            This function works backwards in data buffer.
+ *
+ * \param p         The reference to the current position pointer.
+ * \param start     The start of the buffer, for bounds-checking.
+ * \param buf       The buffer holding the data to write.
+ * \param size      The length of the data buffer \p buf.
+ *
+ * \return          The number of bytes written to \p p on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
+                                     const unsigned char *buf, size_t size );
+
+/**
+ * \brief           Create or find a specific named_data entry for writing in a
+ *                  sequence or list based on the OID. If not already in there,
+ *                  a new entry is added to the head of the list.
+ *                  Warning: Destructive behaviour for the val data!
+ *
+ * \param list      The pointer to the location of the head of the list to seek
+ *                  through (will be updated in case of a new entry).
+ * \param oid       The OID to look for.
+ * \param oid_len   The size of the OID.
+ * \param val       The data to store (can be \c NULL if you want to fill
+ *                  it by hand).
+ * \param val_len   The minimum length of the data buffer needed.
+ *
+ * \return          A pointer to the new / existing entry on success.
+ * \return          \c NULL if if there was a memory allocation error.
+ */
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data **list,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val,
+                                        size_t val_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_ASN1_WRITE_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/base64.h b/makerom/deps/libmbedtls/include/mbedtls/base64.h
new file mode 100644
index 00000000..0d024164
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/base64.h
@@ -0,0 +1,98 @@
+/**
+ * \file base64.h
+ *
+ * \brief RFC 1521 base64 encoding/decoding
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_BASE64_H
+#define MBEDTLS_BASE64_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
+#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER              -0x002C  /**< Invalid character in input. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Encode a buffer into base64 format
+ *
+ * \param dst      destination buffer
+ * \param dlen     size of the destination buffer
+ * \param olen     number of bytes written
+ * \param src      source buffer
+ * \param slen     amount of data to be encoded
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
+ *                 *olen is always updated to reflect the amount
+ *                 of data that has (or would have) been written.
+ *                 If that length cannot be represented, then no data is
+ *                 written to the buffer and *olen is set to the maximum
+ *                 length representable as a size_t.
+ *
+ * \note           Call this function with dlen = 0 to obtain the
+ *                 required buffer size in *olen
+ */
+int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen );
+
+/**
+ * \brief          Decode a base64-formatted buffer
+ *
+ * \param dst      destination buffer (can be NULL for checking size)
+ * \param dlen     size of the destination buffer
+ * \param olen     number of bytes written
+ * \param src      source buffer
+ * \param slen     amount of data to be decoded
+ *
+ * \return         0 if successful, MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, or
+ *                 MBEDTLS_ERR_BASE64_INVALID_CHARACTER if the input data is
+ *                 not correct. *olen is always updated to reflect the amount
+ *                 of data that has (or would have) been written.
+ *
+ * \note           Call this function with *dst = NULL or dlen = 0 to obtain
+ *                 the required buffer size in *olen
+ */
+int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
+                   const unsigned char *src, size_t slen );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_base64_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* base64.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/bignum.h b/makerom/deps/libmbedtls/include/mbedtls/bignum.h
new file mode 100644
index 00000000..22b37311
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/bignum.h
@@ -0,0 +1,984 @@
+/**
+ * \file bignum.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_BIGNUM_H
+#define MBEDTLS_BIGNUM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#define MBEDTLS_ERR_MPI_FILE_IO_ERROR                     -0x0002  /**< An error occurred while reading from or writing to a file. */
+#define MBEDTLS_ERR_MPI_BAD_INPUT_DATA                    -0x0004  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_MPI_INVALID_CHARACTER                 -0x0006  /**< There is an invalid character in the digit string. */
+#define MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL                  -0x0008  /**< The buffer is too small to write to. */
+#define MBEDTLS_ERR_MPI_NEGATIVE_VALUE                    -0x000A  /**< The input arguments are negative or result in illegal output. */
+#define MBEDTLS_ERR_MPI_DIVISION_BY_ZERO                  -0x000C  /**< The input argument for division is zero, which is not allowed. */
+#define MBEDTLS_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
+#define MBEDTLS_ERR_MPI_ALLOC_FAILED                      -0x0010  /**< Memory allocation failed. */
+
+#define MBEDTLS_MPI_CHK(f)       \
+    do                           \
+    {                            \
+        if( ( ret = (f) ) != 0 ) \
+            goto cleanup;        \
+    } while( 0 )
+
+/*
+ * Maximum size MPIs are allowed to grow to in number of limbs.
+ */
+#define MBEDTLS_MPI_MAX_LIMBS                             10000
+
+#if !defined(MBEDTLS_MPI_WINDOW_SIZE)
+/*
+ * Maximum window size used for modular exponentiation. Default: 6
+ * Minimum value: 1. Maximum value: 6.
+ *
+ * Result is an array of ( 2 << MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
+ * for the sliding window calculation. (So 64 by default)
+ *
+ * Reduction in size, reduces speed.
+ */
+#define MBEDTLS_MPI_WINDOW_SIZE                           6        /**< Maximum windows size used. */
+#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_MPI_MAX_SIZE)
+/*
+ * Maximum size of MPIs allowed in bits and bytes for user-MPIs.
+ * ( Default: 512 bytes => 4096 bits, Maximum tested: 2048 bytes => 16384 bits )
+ *
+ * Note: Calculations can temporarily result in larger MPIs. So the number
+ * of limbs required (MBEDTLS_MPI_MAX_LIMBS) is higher.
+ */
+#define MBEDTLS_MPI_MAX_SIZE                              1024     /**< Maximum number of bytes for usable MPIs. */
+#endif /* !MBEDTLS_MPI_MAX_SIZE */
+
+#define MBEDTLS_MPI_MAX_BITS                              ( 8 * MBEDTLS_MPI_MAX_SIZE )    /**< Maximum number of bits for usable MPIs. */
+
+/*
+ * When reading from files with mbedtls_mpi_read_file() and writing to files with
+ * mbedtls_mpi_write_file() the buffer should have space
+ * for a (short) label, the MPI (in the provided radix), the newline
+ * characters and the '\0'.
+ *
+ * By default we assume at least a 10 char label, a minimum radix of 10
+ * (decimal) and a maximum of 4096 bit numbers (1234 decimal chars).
+ * Autosized at compile time for at least a 10 char label, a minimum radix
+ * of 10 (decimal) for a number of MBEDTLS_MPI_MAX_BITS size.
+ *
+ * This used to be statically sized to 1250 for a maximum of 4096 bit
+ * numbers (1234 decimal chars).
+ *
+ * Calculate using the formula:
+ *  MBEDTLS_MPI_RW_BUFFER_SIZE = ceil(MBEDTLS_MPI_MAX_BITS / ln(10) * ln(2)) +
+ *                                LabelSize + 6
+ */
+#define MBEDTLS_MPI_MAX_BITS_SCALE100          ( 100 * MBEDTLS_MPI_MAX_BITS )
+#define MBEDTLS_LN_2_DIV_LN_10_SCALE100                 332
+#define MBEDTLS_MPI_RW_BUFFER_SIZE             ( ((MBEDTLS_MPI_MAX_BITS_SCALE100 + MBEDTLS_LN_2_DIV_LN_10_SCALE100 - 1) / MBEDTLS_LN_2_DIV_LN_10_SCALE100) + 10 + 6 )
+
+/*
+ * Define the base integer type, architecture-wise.
+ *
+ * 32 or 64-bit integer types can be forced regardless of the underlying
+ * architecture by defining MBEDTLS_HAVE_INT32 or MBEDTLS_HAVE_INT64
+ * respectively and undefining MBEDTLS_HAVE_ASM.
+ *
+ * Double-width integers (e.g. 128-bit in 64-bit architectures) can be
+ * disabled by defining MBEDTLS_NO_UDBL_DIVISION.
+ */
+#if !defined(MBEDTLS_HAVE_INT32)
+    #if defined(_MSC_VER) && defined(_M_AMD64)
+        /* Always choose 64-bit when using MSC */
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* !MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+    #elif defined(__GNUC__) && (                         \
+        defined(__amd64__) || defined(__x86_64__)     || \
+        defined(__ppc64__) || defined(__powerpc64__)  || \
+        defined(__ia64__)  || defined(__alpha__)      || \
+        ( defined(__sparc__) && defined(__arch64__) ) || \
+        defined(__s390x__) || defined(__mips64) )
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+        #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+            /* mbedtls_t_udbl defined as 128-bit unsigned int */
+            typedef unsigned int mbedtls_t_udbl __attribute__((mode(TI)));
+            #define MBEDTLS_HAVE_UDBL
+        #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+    #elif defined(__ARMCC_VERSION) && defined(__aarch64__)
+        /*
+         * __ARMCC_VERSION is defined for both armcc and armclang and
+         * __aarch64__ is only defined by armclang when compiling 64-bit code
+         */
+        #if !defined(MBEDTLS_HAVE_INT64)
+            #define MBEDTLS_HAVE_INT64
+        #endif /* !MBEDTLS_HAVE_INT64 */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+        #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+            /* mbedtls_t_udbl defined as 128-bit unsigned int */
+            typedef __uint128_t mbedtls_t_udbl;
+            #define MBEDTLS_HAVE_UDBL
+        #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+    #elif defined(MBEDTLS_HAVE_INT64)
+        /* Force 64-bit integers with unknown compiler */
+        typedef  int64_t mbedtls_mpi_sint;
+        typedef uint64_t mbedtls_mpi_uint;
+    #endif
+#endif /* !MBEDTLS_HAVE_INT32 */
+
+#if !defined(MBEDTLS_HAVE_INT64)
+    /* Default to 32-bit compilation */
+    #if !defined(MBEDTLS_HAVE_INT32)
+        #define MBEDTLS_HAVE_INT32
+    #endif /* !MBEDTLS_HAVE_INT32 */
+    typedef  int32_t mbedtls_mpi_sint;
+    typedef uint32_t mbedtls_mpi_uint;
+    #if !defined(MBEDTLS_NO_UDBL_DIVISION)
+        typedef uint64_t mbedtls_t_udbl;
+        #define MBEDTLS_HAVE_UDBL
+    #endif /* !MBEDTLS_NO_UDBL_DIVISION */
+#endif /* !MBEDTLS_HAVE_INT64 */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          MPI structure
+ */
+typedef struct mbedtls_mpi
+{
+    int s;              /*!<  Sign: -1 if the mpi is negative, 1 otherwise */
+    size_t n;           /*!<  total # of limbs  */
+    mbedtls_mpi_uint *p;          /*!<  pointer to limbs  */
+}
+mbedtls_mpi;
+
+/**
+ * \brief           Initialize an MPI context.
+ *
+ *                  This makes the MPI ready to be set or freed,
+ *                  but does not define a value for the MPI.
+ *
+ * \param X         The MPI context to initialize. This must not be \c NULL.
+ */
+void mbedtls_mpi_init( mbedtls_mpi *X );
+
+/**
+ * \brief          This function frees the components of an MPI context.
+ *
+ * \param X        The MPI context to be cleared. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is
+ *                 not \c NULL, it must point to an initialized MPI.
+ */
+void mbedtls_mpi_free( mbedtls_mpi *X );
+
+/**
+ * \brief          Enlarge an MPI to the specified number of limbs.
+ *
+ * \note           This function does nothing if the MPI is
+ *                 already large enough.
+ *
+ * \param X        The MPI to grow. It must be initialized.
+ * \param nblimbs  The target number of limbs.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs );
+
+/**
+ * \brief          This function resizes an MPI downwards, keeping at least the
+ *                 specified number of limbs.
+ *
+ *                 If \c X is smaller than \c nblimbs, it is resized up
+ *                 instead.
+ *
+ * \param X        The MPI to shrink. This must point to an initialized MPI.
+ * \param nblimbs  The minimum number of limbs to keep.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
+ *                 (this can only happen when resizing up).
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs );
+
+/**
+ * \brief          Make a copy of an MPI.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param Y        The source MPI. This must point to an initialized MPI.
+ *
+ * \note           The limb-buffer in the destination MPI is enlarged
+ *                 if necessary to hold the value in the source MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Swap the contents of two MPIs.
+ *
+ * \param X        The first MPI. It must be initialized.
+ * \param Y        The second MPI. It must be initialized.
+ */
+void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y );
+
+/**
+ * \brief          Perform a safe conditional copy of MPI which doesn't
+ *                 reveal whether the condition was true or not.
+ *
+ * \param X        The MPI to conditionally assign to. This must point
+ *                 to an initialized MPI.
+ * \param Y        The MPI to be assigned from. This must point to an
+ *                 initialized MPI.
+ * \param assign   The condition deciding whether to perform the
+ *                 assignment or not. Possible values:
+ *                 * \c 1: Perform the assignment `X = Y`.
+ *                 * \c 0: Keep the original value of \p X.
+ *
+ * \note           This function is equivalent to
+ *                      `if( assign ) mbedtls_mpi_copy( X, Y );`
+ *                 except that it avoids leaking any information about whether
+ *                 the assignment was done or not (the above code may leak
+ *                 information through branch prediction and/or memory access
+ *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign );
+
+/**
+ * \brief          Perform a safe conditional swap which doesn't
+ *                 reveal whether the condition was true or not.
+ *
+ * \param X        The first MPI. This must be initialized.
+ * \param Y        The second MPI. This must be initialized.
+ * \param assign   The condition deciding whether to perform
+ *                 the swap or not. Possible values:
+ *                 * \c 1: Swap the values of \p X and \p Y.
+ *                 * \c 0: Keep the original values of \p X and \p Y.
+ *
+ * \note           This function is equivalent to
+ *                      if( assign ) mbedtls_mpi_swap( X, Y );
+ *                 except that it avoids leaking any information about whether
+ *                 the assignment was done or not (the above code may leak
+ *                 information through branch prediction and/or memory access
+ *                 patterns analysis).
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ *
+ */
+int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char assign );
+
+/**
+ * \brief          Store integer value in MPI.
+ *
+ * \param X        The MPI to set. This must be initialized.
+ * \param z        The value to use.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z );
+
+/**
+ * \brief          Get a specific bit from an MPI.
+ *
+ * \param X        The MPI to query. This must be initialized.
+ * \param pos      Zero-based index of the bit to query.
+ *
+ * \return         \c 0 or \c 1 on success, depending on whether bit \c pos
+ *                 of \c X is unset or set.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos );
+
+/**
+ * \brief          Modify a specific bit in an MPI.
+ *
+ * \note           This function will grow the target MPI if necessary to set a
+ *                 bit to \c 1 in a not yet existing limb. It will not grow if
+ *                 the bit should be set to \c 0.
+ *
+ * \param X        The MPI to modify. This must be initialized.
+ * \param pos      Zero-based index of the bit to modify.
+ * \param val      The desired value of bit \c pos: \c 0 or \c 1.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val );
+
+/**
+ * \brief          Return the number of bits of value \c 0 before the
+ *                 least significant bit of value \c 1.
+ *
+ * \note           This is the same as the zero-based index of
+ *                 the least significant bit of value \c 1.
+ *
+ * \param X        The MPI to query.
+ *
+ * \return         The number of bits of value \c 0 before the least significant
+ *                 bit of value \c 1 in \p X.
+ */
+size_t mbedtls_mpi_lsb( const mbedtls_mpi *X );
+
+/**
+ * \brief          Return the number of bits up to and including the most
+ *                 significant bit of value \c 1.
+ *
+ * * \note         This is same as the one-based index of the most
+ *                 significant bit of value \c 1.
+ *
+ * \param X        The MPI to query. This must point to an initialized MPI.
+ *
+ * \return         The number of bits up to and including the most
+ *                 significant bit of value \c 1.
+ */
+size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X );
+
+/**
+ * \brief          Return the total size of an MPI value in bytes.
+ *
+ * \param X        The MPI to use. This must point to an initialized MPI.
+ *
+ * \note           The value returned by this function may be less than
+ *                 the number of bytes used to store \p X internally.
+ *                 This happens if and only if there are trailing bytes
+ *                 of value zero.
+ *
+ * \return         The least number of bytes capable of storing
+ *                 the absolute value of \p X.
+ */
+size_t mbedtls_mpi_size( const mbedtls_mpi *X );
+
+/**
+ * \brief          Import an MPI from an ASCII string.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the input string.
+ * \param s        Null-terminated string buffer.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s );
+
+/**
+ * \brief          Export an MPI to an ASCII string.
+ *
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the output string.
+ * \param buf      The buffer to write the string to. This must be writable
+ *                 buffer of length \p buflen Bytes.
+ * \param buflen   The available size in Bytes of \p buf.
+ * \param olen     The address at which to store the length of the string
+ *                 written, including the  final \c NULL byte. This must
+ *                 not be \c NULL.
+ *
+ * \note           You can call this function with `buflen == 0` to obtain the
+ *                 minimum required buffer size in `*olen`.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the target buffer \p buf
+ *                 is too small to hold the value of \p X in the desired base.
+ *                 In this case, `*olen` is nonetheless updated to contain the
+ *                 size of \p buf required for a successful call.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
+                              char *buf, size_t buflen, size_t *olen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Read an MPI from a line in an opened file.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base of the string representation used
+ *                 in the source line.
+ * \param fin      The input file handle to use. This must not be \c NULL.
+ *
+ * \note           On success, this function advances the file stream
+ *                 to the end of the current line or to EOF.
+ *
+ *                 The function returns \c 0 on an empty line.
+ *
+ *                 Leading whitespaces are ignored, as is a
+ *                 '0x' prefix for radix \c 16.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if the file read buffer
+ *                 is too small.
+ * \return         Another negative error code on failure.
+ */
+int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin );
+
+/**
+ * \brief          Export an MPI into an opened file.
+ *
+ * \param p        A string prefix to emit prior to the MPI data.
+ *                 For example, this might be a label, or "0x" when
+ *                 printing in base \c 16. This may be \c NULL if no prefix
+ *                 is needed.
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param radix    The numeric base to be used in the emitted string.
+ * \param fout     The output file handle. This may be \c NULL, in which case
+ *                 the output is written to \c stdout.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X,
+                            int radix, FILE *fout );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Import an MPI from unsigned big endian binary data.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param buf      The input buffer. This must be a readable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The length of the input buffer \p p in Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf,
+                             size_t buflen );
+
+/**
+ * \brief          Export an MPI into unsigned big endian binary data
+ *                 of fixed size.
+ *
+ * \param X        The source MPI. This must point to an initialized MPI.
+ * \param buf      The output buffer. This must be a writable buffer of length
+ *                 \p buflen Bytes.
+ * \param buflen   The size of the output buffer \p buf in Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL if \p buf isn't
+ *                 large enough to hold the value of \p X.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X, unsigned char *buf,
+                              size_t buflen );
+
+/**
+ * \brief          Perform a left-shift on an MPI: X <<= count
+ *
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count );
+
+/**
+ * \brief          Perform a right-shift on an MPI: X >>= count
+ *
+ * \param X        The MPI to shift. This must point to an initialized MPI.
+ * \param count    The number of bits to shift by.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count );
+
+/**
+ * \brief          Compare the absolute values of two MPIs.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
+ *
+ * \return         \c 1 if `|X|` is greater than `|Y|`.
+ * \return         \c -1 if `|X|` is lesser than `|Y|`.
+ * \return         \c 0 if `|X|` is equal to `|Y|`.
+ */
+int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Compare two MPIs.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI.
+ *
+ * \return         \c 1 if \p X is greater than \p Y.
+ * \return         \c -1 if \p X is lesser than \p Y.
+ * \return         \c 0 if \p X is equal to \p Y.
+ */
+int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y );
+
+/**
+ * \brief          Check if an MPI is less than the other in constant time.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as Y.
+ * \param Y        The right-hand MPI. This must point to an initialized MPI
+ *                 with the same allocated length as X.
+ * \param ret      The result of the comparison:
+ *                 \c 1 if \p X is less than \p Y.
+ *                 \c 0 if \p X is greater than or equal to \p Y.
+ *
+ * \return         0 on success.
+ * \return         MBEDTLS_ERR_MPI_BAD_INPUT_DATA if the allocated length of
+ *                 the two input MPIs is not the same.
+ */
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
+        unsigned *ret );
+
+/**
+ * \brief          Compare an MPI with an integer.
+ *
+ * \param X        The left-hand MPI. This must point to an initialized MPI.
+ * \param z        The integer value to compare \p X to.
+ *
+ * \return         \c 1 if \p X is greater than \p z.
+ * \return         \c -1 if \p X is lesser than \p z.
+ * \return         \c 0 if \p X is equal to \p z.
+ */
+int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z );
+
+/**
+ * \brief          Perform an unsigned addition of MPIs: X = |A| + |B|
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform an unsigned subtraction of MPIs: X = |A| - |B|
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is greater than \p A.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a signed addition of MPIs: X = A + B
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param B        The second summand. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a signed subtraction of MPIs: X = A - B
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param B        The subtrahend. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a signed addition of an MPI and an integer: X = A + b
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first summand. This must point to an initialized MPI.
+ * \param b        The second summand.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a signed subtraction of an MPI and an integer:
+ *                 X = A - b
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The minuend. This must point to an initialized MPI.
+ * \param b        The subtrahend.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a multiplication of two MPIs: X = A * B
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param B        The second factor. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a multiplication of an MPI with an unsigned integer:
+ *                 X = A * b
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first factor. This must point to an initialized MPI.
+ * \param b        The second factor.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         mbedtls_mpi_uint b );
+
+/**
+ * \brief          Perform a division with remainder of two MPIs:
+ *                 A = Q * B + R
+ *
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param B        The divisor. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a division with remainder of an MPI by an integer:
+ *                 A = Q * b + R
+ *
+ * \param Q        The destination MPI for the quotient.
+ *                 This may be \c NULL if the value of the
+ *                 quotient is not needed.
+ * \param R        The destination MPI for the remainder value.
+ *                 This may be \c NULL if the value of the
+ *                 remainder is not needed.
+ * \param A        The dividend. This must point to an initialized MPi.
+ * \param b        The divisor.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a modular reduction. R = A mod B
+ *
+ * \param R        The destination MPI for the residue value.
+ *                 This must point to an initialized MPI.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPI.
+ * \param B        The base of the modular reduction.
+ *                 This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p B equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p B is negative.
+ * \return         Another negative error code on different kinds of failure.
+ *
+ */
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B );
+
+/**
+ * \brief          Perform a modular reduction with respect to an integer.
+ *                 r = A mod b
+ *
+ * \param r        The address at which to store the residue.
+ *                 This must not be \c NULL.
+ * \param A        The MPI to compute the residue of.
+ *                 This must point to an initialized MPi.
+ * \param b        The integer base of the modular reduction.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_DIVISION_BY_ZERO if \p b equals zero.
+ * \return         #MBEDTLS_ERR_MPI_NEGATIVE_VALUE if \p b is negative.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b );
+
+/**
+ * \brief          Perform a sliding-window exponentiation: X = A^E mod N
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The base of the exponentiation.
+ *                 This must point to an initialized MPI.
+ * \param E        The exponent MPI. This must point to an initialized MPI.
+ * \param N        The base for the modular reduction. This must point to an
+ *                 initialized MPI.
+ * \param _RR      A helper MPI depending solely on \p N which can be used to
+ *                 speed-up multiple modular exponentiations for the same value
+ *                 of \p N. This may be \c NULL. If it is not \c NULL, it must
+ *                 point to an initialized MPI. If it hasn't been used after
+ *                 the call to mbedtls_mpi_init(), this function will compute
+ *                 the helper value and store it in \p _RR for reuse on
+ *                 subsequent calls to this function. Otherwise, the function
+ *                 will assume that \p _RR holds the helper value set by a
+ *                 previous call to mbedtls_mpi_exp_mod(), and reuse it.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
+ *                 even, or if \c E is negative.
+ * \return         Another negative error code on different kinds of failures.
+ *
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR );
+
+/**
+ * \brief          Fill an MPI with a number of random bytes.
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param size     The number of random bytes to generate.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on failure.
+ *
+ * \note           The bytes obtained from the RNG are interpreted
+ *                 as a big-endian representation of an MPI; this can
+ *                 be relevant in applications like deterministic ECDSA.
+ */
+int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          Compute the greatest common divisor: G = gcd(A, B)
+ *
+ * \param G        The destination MPI. This must point to an initialized MPI.
+ * \param A        The first operand. This must point to an initialized MPI.
+ * \param B        The second operand. This must point to an initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         Another negative error code on different kinds of failure.
+ */
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A,
+                     const mbedtls_mpi *B );
+
+/**
+ * \brief          Compute the modular inverse: X = A^-1 mod N
+ *
+ * \param X        The destination MPI. This must point to an initialized MPI.
+ * \param A        The MPI to calculate the modular inverse of. This must point
+ *                 to an initialized MPI.
+ * \param N        The base of the modular inversion. This must point to an
+ *                 initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p N is less than
+ *                 or equal to one.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p has no modular inverse
+ *                 with respect to \p N.
+ */
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *N );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Perform a Miller-Rabin primality test with error
+ *                 probability of 2<sup>-80</sup>.
+ *
+ * \deprecated     Superseded by mbedtls_mpi_is_prime_ext() which allows
+ *                 specifying the number of Miller-Rabin rounds.
+ *
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use a
+ *                 context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
+ */
+MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                          int (*f_rng)(void *, unsigned char *, size_t),
+                          void *p_rng );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Miller-Rabin primality test.
+ *
+ * \warning        If \p X is potentially generated by an adversary, for example
+ *                 when validating cryptographic parameters that you didn't
+ *                 generate yourself and that are supposed to be prime, then
+ *                 \p rounds should be at least the half of the security
+ *                 strength of the cryptographic algorithm. On the other hand,
+ *                 if \p X is chosen uniformly or non-adversially (as is the
+ *                 case when mbedtls_mpi_gen_prime calls this function), then
+ *                 \p rounds can be much lower.
+ *
+ * \param X        The MPI to check for primality.
+ *                 This must point to an initialized MPI.
+ * \param rounds   The number of bases to perform the Miller-Rabin primality
+ *                 test for. The probability of returning 0 on a composite is
+ *                 at most 2<sup>-2*\p rounds</sup>.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
+ *
+ * \return         \c 0 if successful, i.e. \p X is probably prime.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
+ * \return         Another negative error code on other kinds of failure.
+ */
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng );
+/**
+ * \brief Flags for mbedtls_mpi_gen_prime()
+ *
+ * Each of these flags is a constraint on the result X returned by
+ * mbedtls_mpi_gen_prime().
+ */
+typedef enum {
+    MBEDTLS_MPI_GEN_PRIME_FLAG_DH =      0x0001, /**< (X-1)/2 is prime too */
+    MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR = 0x0002, /**< lower error rate from 2<sup>-80</sup> to 2<sup>-128</sup> */
+} mbedtls_mpi_gen_prime_flag_t;
+
+/**
+ * \brief          Generate a prime number.
+ *
+ * \param X        The destination MPI to store the generated prime in.
+ *                 This must point to an initialized MPi.
+ * \param nbits    The required size of the destination MPI in bits.
+ *                 This must be between \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ * \param flags    A mask of flags of type #mbedtls_mpi_gen_prime_flag_t.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG parameter to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't use
+ *                 a context parameter.
+ *
+ * \return         \c 0 if successful, in which case \p X holds a
+ *                 probably prime number.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return         #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if `nbits` is not between
+ *                 \c 3 and #MBEDTLS_MPI_MAX_BITS.
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
+                   int (*f_rng)(void *, unsigned char *, size_t),
+                   void *p_rng );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_mpi_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* bignum.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/blowfish.h b/makerom/deps/libmbedtls/include/mbedtls/blowfish.h
new file mode 100644
index 00000000..f01573dc
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/blowfish.h
@@ -0,0 +1,287 @@
+/**
+ * \file blowfish.h
+ *
+ * \brief Blowfish block cipher
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_BLOWFISH_H
+#define MBEDTLS_BLOWFISH_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "platform_util.h"
+
+#define MBEDTLS_BLOWFISH_ENCRYPT     1
+#define MBEDTLS_BLOWFISH_DECRYPT     0
+#define MBEDTLS_BLOWFISH_MAX_KEY_BITS     448
+#define MBEDTLS_BLOWFISH_MIN_KEY_BITS     32
+#define MBEDTLS_BLOWFISH_ROUNDS      16         /**< Rounds to use. When increasing this value, make sure to extend the initialisation vectors */
+#define MBEDTLS_BLOWFISH_BLOCKSIZE   8          /* Blowfish uses 64 bit blocks */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0016 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA -0x0016 /**< Bad input data. */
+
+#define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED                   -0x0017  /**< Blowfish hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_BLOWFISH_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          Blowfish context structure
+ */
+typedef struct mbedtls_blowfish_context
+{
+    uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2];    /*!<  Blowfish round keys    */
+    uint32_t S[4][256];                 /*!<  key dependent S-boxes  */
+}
+mbedtls_blowfish_context;
+
+#else  /* MBEDTLS_BLOWFISH_ALT */
+#include "blowfish_alt.h"
+#endif /* MBEDTLS_BLOWFISH_ALT */
+
+/**
+ * \brief          Initialize a Blowfish context.
+ *
+ * \param ctx      The Blowfish context to be initialized.
+ *                 This must not be \c NULL.
+ */
+void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx );
+
+/**
+ * \brief          Clear a Blowfish context.
+ *
+ * \param ctx      The Blowfish context to be cleared.
+ *                 This may be \c NULL, in which case this function
+ *                 returns immediately. If it is not \c NULL, it must
+ *                 point to an initialized Blowfish context.
+ */
+void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx );
+
+/**
+ * \brief          Perform a Blowfish key schedule operation.
+ *
+ * \param ctx      The Blowfish context to perform the key schedule on.
+ * \param key      The encryption key. This must be a readable buffer of
+ *                 length \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be between
+ *                 \c 32 and \c 448 and a multiple of \c 8.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx, const unsigned char *key,
+                     unsigned int keybits );
+
+/**
+ * \brief          Perform a Blowfish-ECB block encryption/decryption operation.
+ *
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 8 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 8 Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
+                        int mode,
+                        const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          Perform a Blowfish-CBC buffer encryption/decryption operation.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes. This must be
+ *                 multiple of \c 8.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 8 Bytes. It is updated by this function.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
+                        int mode,
+                        size_t length,
+                        unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        const unsigned char *input,
+                        unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief          Perform a Blowfish CFB buffer encryption/decryption operation.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The Blowfish context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. Possible values are
+ *                 #MBEDTLS_BLOWFISH_ENCRYPT for encryption, or
+ *                 #MBEDTLS_BLOWFISH_DECRYPT for decryption.
+ * \param length   The length of the input data in Bytes.
+ * \param iv_off   The offset in the initialiation vector.
+ *                 The value pointed to must be smaller than \c 8 Bytes.
+ *                 It is updated by this function to support the aforementioned
+ *                 streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of size \c 8 Bytes. It is updated after use.
+ * \param input    The input data. This must be a readable buffer of length
+ *                 \p length Bytes.
+ * \param output   The output data. This must be a writable buffer of length
+ *                 \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
+                          int mode,
+                          size_t length,
+                          size_t *iv_off,
+                          unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                          const unsigned char *input,
+                          unsigned char *output );
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      Perform a Blowfish-CTR buffer encryption/decryption operation.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**64
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first 4 bytes for the
+ *             per-message nonce, and the last 4 bytes for internal use. In that
+ *             case, before calling this function on a new message you need to
+ *             set the first 4 bytes of \p nonce_counter to your chosen nonce
+ *             value, the last 4 to 0, and \p nc_off to 0 (which will cause \p
+ *             stream_block to be ignored). That way, you can encrypt at most
+ *             2**32 messages of up to 2**32 blocks each with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be unique.
+ *             The recommended way to ensure uniqueness is to use a message
+ *             counter.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that a Blowfish block is 8 bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx           The Blowfish context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data in Bytes.
+ * \param nc_off        The offset in the current stream_block (for resuming
+ *                      within current cipher stream). The offset pointer
+ *                      should be \c 0 at the start of a stream and must be
+ *                      smaller than \c 8. It is updated by this function.
+ * \param nonce_counter The 64-bit nonce and counter. This must point to a
+ *                      read/write buffer of length \c 8 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must point to
+ *                      a read/write buffer of length \c 8 Bytes.
+ * \param input         The input data. This must be a readable buffer of
+ *                      length \p length Bytes.
+ * \param output        The output data. This must be a writable buffer of
+ *                      length \p length Bytes.
+ *
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
+ */
+int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
+                        size_t length,
+                        size_t *nc_off,
+                        unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                        const unsigned char *input,
+                        unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* blowfish.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/bn_mul.h b/makerom/deps/libmbedtls/include/mbedtls/bn_mul.h
new file mode 100644
index 00000000..748975ea
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/bn_mul.h
@@ -0,0 +1,916 @@
+/**
+ * \file bn_mul.h
+ *
+ * \brief Multi-precision integer library
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *      Multiply source vector [s] with b, add result
+ *       to destination vector [d] and set carry c.
+ *
+ *      Currently supports:
+ *
+ *         . IA-32 (386+)         . AMD64 / EM64T
+ *         . IA-32 (SSE2)         . Motorola 68000
+ *         . PowerPC, 32-bit      . MicroBlaze
+ *         . PowerPC, 64-bit      . TriCore
+ *         . SPARC v8             . ARM v3+
+ *         . Alpha                . MIPS32
+ *         . C, longlong          . C, generic
+ */
+#ifndef MBEDTLS_BN_MUL_H
+#define MBEDTLS_BN_MUL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+#if defined(MBEDTLS_HAVE_ASM)
+
+#ifndef asm
+#define asm __asm
+#endif
+
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
+
+/*
+ * Disable use of the i386 assembly code below if option -O0, to disable all
+ * compiler optimisations, is passed, detected with __OPTIMIZE__
+ * This is done as the number of registers used in the assembly code doesn't
+ * work with the -O0 option.
+ */
+#if defined(__i386__) && defined(__OPTIMIZE__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "movl   %%ebx, %0           \n\t"   \
+        "movl   %5, %%esi           \n\t"   \
+        "movl   %6, %%edi           \n\t"   \
+        "movl   %7, %%ecx           \n\t"   \
+        "movl   %8, %%ebx           \n\t"
+
+#define MULADDC_CORE                        \
+        "lodsl                      \n\t"   \
+        "mull   %%ebx               \n\t"   \
+        "addl   %%ecx,   %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "addl   (%%edi), %%eax      \n\t"   \
+        "adcl   $0,      %%edx      \n\t"   \
+        "movl   %%edx,   %%ecx      \n\t"   \
+        "stosl                      \n\t"
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define MULADDC_HUIT                            \
+        "movd     %%ecx,     %%mm1      \n\t"   \
+        "movd     %%ebx,     %%mm0      \n\t"   \
+        "movd     (%%edi),   %%mm3      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     (%%esi),   %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "movd     4(%%esi),  %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "movd     8(%%esi),  %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     12(%%esi), %%mm7      \n\t"   \
+        "pmuludq  %%mm0,     %%mm7      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     4(%%edi),  %%mm3      \n\t"   \
+        "paddq    %%mm4,     %%mm3      \n\t"   \
+        "movd     8(%%edi),  %%mm5      \n\t"   \
+        "paddq    %%mm6,     %%mm5      \n\t"   \
+        "movd     12(%%edi), %%mm4      \n\t"   \
+        "paddq    %%mm4,     %%mm7      \n\t"   \
+        "movd     %%mm1,     (%%edi)    \n\t"   \
+        "movd     16(%%esi), %%mm2      \n\t"   \
+        "pmuludq  %%mm0,     %%mm2      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     20(%%esi), %%mm4      \n\t"   \
+        "pmuludq  %%mm0,     %%mm4      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     24(%%esi), %%mm6      \n\t"   \
+        "pmuludq  %%mm0,     %%mm6      \n\t"   \
+        "movd     %%mm1,     4(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     28(%%esi), %%mm3      \n\t"   \
+        "pmuludq  %%mm0,     %%mm3      \n\t"   \
+        "paddq    %%mm5,     %%mm1      \n\t"   \
+        "movd     16(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm2      \n\t"   \
+        "movd     %%mm1,     8(%%edi)   \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm7,     %%mm1      \n\t"   \
+        "movd     20(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm4      \n\t"   \
+        "movd     %%mm1,     12(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm2,     %%mm1      \n\t"   \
+        "movd     24(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm6      \n\t"   \
+        "movd     %%mm1,     16(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm4,     %%mm1      \n\t"   \
+        "movd     28(%%edi), %%mm5      \n\t"   \
+        "paddq    %%mm5,     %%mm3      \n\t"   \
+        "movd     %%mm1,     20(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm6,     %%mm1      \n\t"   \
+        "movd     %%mm1,     24(%%edi)  \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "paddq    %%mm3,     %%mm1      \n\t"   \
+        "movd     %%mm1,     28(%%edi)  \n\t"   \
+        "addl     $32,       %%edi      \n\t"   \
+        "addl     $32,       %%esi      \n\t"   \
+        "psrlq    $32,       %%mm1      \n\t"   \
+        "movd     %%mm1,     %%ecx      \n\t"
+
+#define MULADDC_STOP                    \
+        "emms                   \n\t"   \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
+
+#else
+
+#define MULADDC_STOP                    \
+        "movl   %4, %%ebx       \n\t"   \
+        "movl   %%ecx, %1       \n\t"   \
+        "movl   %%edi, %2       \n\t"   \
+        "movl   %%esi, %3       \n\t"   \
+        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
+        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
+        : "eax", "ebx", "ecx", "edx", "esi", "edi"      \
+    );
+#endif /* SSE2 */
+#endif /* i386 */
+
+#if defined(__amd64__) || defined (__x86_64__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "xorq   %%r8, %%r8\n"
+
+#define MULADDC_CORE                        \
+        "movq   (%%rsi), %%rax\n"           \
+        "mulq   %%rbx\n"                    \
+        "addq   $8, %%rsi\n"                \
+        "addq   %%rcx, %%rax\n"             \
+        "movq   %%r8, %%rcx\n"              \
+        "adcq   $0, %%rdx\n"                \
+        "nop    \n"                         \
+        "addq   %%rax, (%%rdi)\n"           \
+        "adcq   %%rdx, %%rcx\n"             \
+        "addq   $8, %%rdi\n"
+
+#define MULADDC_STOP                        \
+        : "+c" (c), "+D" (d), "+S" (s)      \
+        : "b" (b)                           \
+        : "rax", "rdx", "r8"                \
+    );
+
+#endif /* AMD64 */
+
+#if defined(__mc68020__) || defined(__mcpu32__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "movl   %3, %%a2        \n\t"   \
+        "movl   %4, %%a3        \n\t"   \
+        "movl   %5, %%d3        \n\t"   \
+        "movl   %6, %%d2        \n\t"   \
+        "moveq  #0, %%d0        \n\t"
+
+#define MULADDC_CORE                    \
+        "movel  %%a2@+, %%d1    \n\t"   \
+        "mulul  %%d2, %%d4:%%d1 \n\t"   \
+        "addl   %%d3, %%d1      \n\t"   \
+        "addxl  %%d0, %%d4      \n\t"   \
+        "moveq  #0,   %%d3      \n\t"   \
+        "addl   %%d1, %%a3@+    \n\t"   \
+        "addxl  %%d4, %%d3      \n\t"
+
+#define MULADDC_STOP                    \
+        "movl   %%d3, %0        \n\t"   \
+        "movl   %%a3, %1        \n\t"   \
+        "movl   %%a2, %2        \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "d0", "d1", "d2", "d3", "d4", "a2", "a3"  \
+    );
+
+#define MULADDC_HUIT                        \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d4:%%d1  \n\t"   \
+        "addxl  %%d3,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d4       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "movel  %%a2@+,  %%d1       \n\t"   \
+        "mulul  %%d2,    %%d3:%%d1  \n\t"   \
+        "addxl  %%d4,    %%d1       \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"   \
+        "addl   %%d1,    %%a3@+     \n\t"   \
+        "addxl  %%d0,    %%d3       \n\t"
+
+#endif /* MC68000 */
+
+#if defined(__powerpc64__) || defined(__ppc64__)
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "ld     r3, %3              \n\t"   \
+        "ld     r4, %4              \n\t"   \
+        "ld     r5, %5              \n\t"   \
+        "ld     r6, %6              \n\t"   \
+        "addi   r3, r3, -8          \n\t"   \
+        "addi   r4, r4, -8          \n\t"   \
+        "addic  r5, r5,  0          \n\t"
+
+#define MULADDC_CORE                        \
+        "ldu    r7, 8(r3)           \n\t"   \
+        "mulld  r8, r7, r6          \n\t"   \
+        "mulhdu r9, r7, r6          \n\t"   \
+        "adde   r8, r8, r5          \n\t"   \
+        "ld     r7, 8(r4)           \n\t"   \
+        "addze  r5, r9              \n\t"   \
+        "addc   r8, r8, r7          \n\t"   \
+        "stdu   r8, 8(r4)           \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  r5, r5              \n\t"   \
+        "addi   r4, r4, 8           \n\t"   \
+        "addi   r3, r3, 8           \n\t"   \
+        "std    r5, %0              \n\t"   \
+        "std    r4, %1              \n\t"   \
+        "std    r3, %2              \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "ld     %%r3, %3            \n\t"   \
+        "ld     %%r4, %4            \n\t"   \
+        "ld     %%r5, %5            \n\t"   \
+        "ld     %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -8      \n\t"   \
+        "addi   %%r4, %%r4, -8      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
+
+#define MULADDC_CORE                        \
+        "ldu    %%r7, 8(%%r3)       \n\t"   \
+        "mulld  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhdu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "ld     %%r7, 8(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stdu   %%r8, 8(%%r4)       \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 8       \n\t"   \
+        "addi   %%r3, %%r3, 8       \n\t"   \
+        "std    %%r5, %0            \n\t"   \
+        "std    %%r4, %1            \n\t"   \
+        "std    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#elif defined(__powerpc__) || defined(__ppc__) /* end PPC64/begin PPC32  */
+
+#if defined(__MACH__) && defined(__APPLE__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lwz    r3, %3          \n\t"   \
+        "lwz    r4, %4          \n\t"   \
+        "lwz    r5, %5          \n\t"   \
+        "lwz    r6, %6          \n\t"   \
+        "addi   r3, r3, -4      \n\t"   \
+        "addi   r4, r4, -4      \n\t"   \
+        "addic  r5, r5,  0      \n\t"
+
+#define MULADDC_CORE                    \
+        "lwzu   r7, 4(r3)       \n\t"   \
+        "mullw  r8, r7, r6      \n\t"   \
+        "mulhwu r9, r7, r6      \n\t"   \
+        "adde   r8, r8, r5      \n\t"   \
+        "lwz    r7, 4(r4)       \n\t"   \
+        "addze  r5, r9          \n\t"   \
+        "addc   r8, r8, r7      \n\t"   \
+        "stwu   r8, 4(r4)       \n\t"
+
+#define MULADDC_STOP                    \
+        "addze  r5, r5          \n\t"   \
+        "addi   r4, r4, 4       \n\t"   \
+        "addi   r3, r3, 4       \n\t"   \
+        "stw    r5, %0          \n\t"   \
+        "stw    r4, %1          \n\t"   \
+        "stw    r3, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#else /* __MACH__ && __APPLE__ */
+
+#define MULADDC_INIT                        \
+    asm(                                    \
+        "lwz    %%r3, %3            \n\t"   \
+        "lwz    %%r4, %4            \n\t"   \
+        "lwz    %%r5, %5            \n\t"   \
+        "lwz    %%r6, %6            \n\t"   \
+        "addi   %%r3, %%r3, -4      \n\t"   \
+        "addi   %%r4, %%r4, -4      \n\t"   \
+        "addic  %%r5, %%r5,  0      \n\t"
+
+#define MULADDC_CORE                        \
+        "lwzu   %%r7, 4(%%r3)       \n\t"   \
+        "mullw  %%r8, %%r7, %%r6    \n\t"   \
+        "mulhwu %%r9, %%r7, %%r6    \n\t"   \
+        "adde   %%r8, %%r8, %%r5    \n\t"   \
+        "lwz    %%r7, 4(%%r4)       \n\t"   \
+        "addze  %%r5, %%r9          \n\t"   \
+        "addc   %%r8, %%r8, %%r7    \n\t"   \
+        "stwu   %%r8, 4(%%r4)       \n\t"
+
+#define MULADDC_STOP                        \
+        "addze  %%r5, %%r5          \n\t"   \
+        "addi   %%r4, %%r4, 4       \n\t"   \
+        "addi   %%r3, %%r3, 4       \n\t"   \
+        "stw    %%r5, %0            \n\t"   \
+        "stw    %%r4, %1            \n\t"   \
+        "stw    %%r3, %2            \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8", "r9"  \
+    );
+
+#endif /* __MACH__ && __APPLE__ */
+
+#endif /* PPC32 */
+
+/*
+ * The Sparc(64) assembly is reported to be broken.
+ * Disable it for now, until we're able to fix it.
+ */
+#if 0 && defined(__sparc__)
+#if defined(__sparc64__)
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+                "ldx     %3, %%o0               \n\t"   \
+                "ldx     %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
+
+#define MULADDC_CORE                                    \
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
+
+        #define MULADDC_STOP                            \
+                "st      %%o2, %0               \n\t"   \
+                "stx     %%o1, %1               \n\t"   \
+                "stx     %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
+
+#else /* __sparc64__ */
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+                "ld      %3, %%o0               \n\t"   \
+                "ld      %4, %%o1               \n\t"   \
+                "ld      %5, %%o2               \n\t"   \
+                "ld      %6, %%o3               \n\t"
+
+#define MULADDC_CORE                                    \
+                "ld      [%%o0], %%o4           \n\t"   \
+                "inc     4, %%o0                \n\t"   \
+                "ld      [%%o1], %%o5           \n\t"   \
+                "umul    %%o3, %%o4, %%o4       \n\t"   \
+                "addcc   %%o4, %%o2, %%o4       \n\t"   \
+                "rd      %%y, %%g1              \n\t"   \
+                "addx    %%g1, 0, %%g1          \n\t"   \
+                "addcc   %%o4, %%o5, %%o4       \n\t"   \
+                "st      %%o4, [%%o1]           \n\t"   \
+                "addx    %%g1, 0, %%o2          \n\t"   \
+                "inc     4, %%o1                \n\t"
+
+#define MULADDC_STOP                                    \
+                "st      %%o2, %0               \n\t"   \
+                "st      %%o1, %1               \n\t"   \
+                "st      %%o0, %2               \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "g1", "o0", "o1", "o2", "o3", "o4",   \
+          "o5"                                  \
+        );
+
+#endif /* __sparc64__ */
+#endif /* __sparc__ */
+
+#if defined(__microblaze__) || defined(microblaze)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lwi   r3,   %3         \n\t"   \
+        "lwi   r4,   %4         \n\t"   \
+        "lwi   r5,   %5         \n\t"   \
+        "lwi   r6,   %6         \n\t"   \
+        "andi  r7,   r6, 0xffff \n\t"   \
+        "bsrli r6,   r6, 16     \n\t"
+
+#define MULADDC_CORE                    \
+        "lhui  r8,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "lhui  r9,   r3,   0    \n\t"   \
+        "addi  r3,   r3,   2    \n\t"   \
+        "mul   r10,  r9,  r6    \n\t"   \
+        "mul   r11,  r8,  r7    \n\t"   \
+        "mul   r12,  r9,  r7    \n\t"   \
+        "mul   r13,  r8,  r6    \n\t"   \
+        "bsrli  r8, r10,  16    \n\t"   \
+        "bsrli  r9, r11,  16    \n\t"   \
+        "add   r13, r13,  r8    \n\t"   \
+        "add   r13, r13,  r9    \n\t"   \
+        "bslli r10, r10,  16    \n\t"   \
+        "bslli r11, r11,  16    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12, r11    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "lwi   r10,  r4,   0    \n\t"   \
+        "add   r12, r12, r10    \n\t"   \
+        "addc  r13, r13,  r0    \n\t"   \
+        "add   r12, r12,  r5    \n\t"   \
+        "addc   r5, r13,  r0    \n\t"   \
+        "swi   r12,  r4,   0    \n\t"   \
+        "addi   r4,  r4,   4    \n\t"
+
+#define MULADDC_STOP                    \
+        "swi   r5,   %0         \n\t"   \
+        "swi   r4,   %1         \n\t"   \
+        "swi   r3,   %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "r3", "r4", "r5", "r6", "r7", "r8",       \
+          "r9", "r10", "r11", "r12", "r13"          \
+    );
+
+#endif /* MicroBlaze */
+
+#if defined(__tricore__)
+
+#define MULADDC_INIT                            \
+    asm(                                        \
+        "ld.a   %%a2, %3                \n\t"   \
+        "ld.a   %%a3, %4                \n\t"   \
+        "ld.w   %%d4, %5                \n\t"   \
+        "ld.w   %%d1, %6                \n\t"   \
+        "xor    %%d5, %%d5              \n\t"
+
+#define MULADDC_CORE                            \
+        "ld.w   %%d0,   [%%a2+]         \n\t"   \
+        "madd.u %%e2, %%e4, %%d0, %%d1  \n\t"   \
+        "ld.w   %%d0,   [%%a3]          \n\t"   \
+        "addx   %%d2,    %%d2,  %%d0    \n\t"   \
+        "addc   %%d3,    %%d3,    0     \n\t"   \
+        "mov    %%d4,    %%d3           \n\t"   \
+        "st.w  [%%a3+],  %%d2           \n\t"
+
+#define MULADDC_STOP                            \
+        "st.w   %0, %%d4                \n\t"   \
+        "st.a   %1, %%a3                \n\t"   \
+        "st.a   %2, %%a2                \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)          \
+        : "m" (s), "m" (d), "m" (c), "m" (b)    \
+        : "d0", "d1", "e2", "d4", "a2", "a3"    \
+    );
+
+#endif /* TriCore */
+
+/*
+ * Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
+ * our use of r7 below, unless -fomit-frame-pointer is passed.
+ *
+ * On the other hand, -fomit-frame-pointer is implied by any -Ox options with
+ * x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
+ * clang and armcc5 under the same conditions).
+ *
+ * So, only use the optimized assembly below for optimized build, which avoids
+ * the build error and is pretty reasonable anyway.
+ */
+#if defined(__GNUC__) && !defined(__OPTIMIZE__)
+#define MULADDC_CANNOT_USE_R7
+#endif
+
+#if defined(__arm__) && !defined(MULADDC_CANNOT_USE_R7)
+
+#if defined(__thumb__) && !defined(__thumb2__)
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"   \
+            "lsr    r7, r3, #16                 \n\t"   \
+            "mov    r9, r7                      \n\t"   \
+            "lsl    r7, r3, #16                 \n\t"   \
+            "lsr    r7, r7, #16                 \n\t"   \
+            "mov    r8, r7                      \n\t"
+
+#define MULADDC_CORE                                    \
+            "ldmia  r0!, {r6}                   \n\t"   \
+            "lsr    r7, r6, #16                 \n\t"   \
+            "lsl    r6, r6, #16                 \n\t"   \
+            "lsr    r6, r6, #16                 \n\t"   \
+            "mov    r4, r8                      \n\t"   \
+            "mul    r4, r6                      \n\t"   \
+            "mov    r3, r9                      \n\t"   \
+            "mul    r6, r3                      \n\t"   \
+            "mov    r5, r9                      \n\t"   \
+            "mul    r5, r7                      \n\t"   \
+            "mov    r3, r8                      \n\t"   \
+            "mul    r7, r3                      \n\t"   \
+            "lsr    r3, r6, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "lsr    r3, r7, #16                 \n\t"   \
+            "add    r5, r5, r3                  \n\t"   \
+            "add    r4, r4, r2                  \n\t"   \
+            "mov    r2, #0                      \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r6, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "lsl    r3, r7, #16                 \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r5, r2                      \n\t"   \
+            "ldr    r3, [r1]                    \n\t"   \
+            "add    r4, r4, r3                  \n\t"   \
+            "adc    r2, r5                      \n\t"   \
+            "stmia  r1!, {r4}                   \n\t"
+
+#define MULADDC_STOP                                    \
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "r8", "r9", "cc"         \
+         );
+
+#elif (__ARM_ARCH >= 6) && \
+    defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+
+#define MULADDC_INIT                            \
+    asm(
+
+#define MULADDC_CORE                            \
+            "ldr    r0, [%0], #4        \n\t"   \
+            "ldr    r1, [%1]            \n\t"   \
+            "umaal  r1, %2, %3, r0      \n\t"   \
+            "str    r1, [%1], #4        \n\t"
+
+#define MULADDC_STOP                            \
+         : "=r" (s),  "=r" (d), "=r" (c)        \
+         : "r" (b), "0" (s), "1" (d), "2" (c)   \
+         : "r0", "r1", "memory"                 \
+         );
+
+#else
+
+#define MULADDC_INIT                                    \
+    asm(                                                \
+            "ldr    r0, %3                      \n\t"   \
+            "ldr    r1, %4                      \n\t"   \
+            "ldr    r2, %5                      \n\t"   \
+            "ldr    r3, %6                      \n\t"
+
+#define MULADDC_CORE                                    \
+            "ldr    r4, [r0], #4                \n\t"   \
+            "mov    r5, #0                      \n\t"   \
+            "ldr    r6, [r1]                    \n\t"   \
+            "umlal  r2, r5, r3, r4              \n\t"   \
+            "adds   r7, r6, r2                  \n\t"   \
+            "adc    r2, r5, #0                  \n\t"   \
+            "str    r7, [r1], #4                \n\t"
+
+#define MULADDC_STOP                                    \
+            "str    r2, %0                      \n\t"   \
+            "str    r1, %1                      \n\t"   \
+            "str    r0, %2                      \n\t"   \
+         : "=m" (c),  "=m" (d), "=m" (s)        \
+         : "m" (s), "m" (d), "m" (c), "m" (b)   \
+         : "r0", "r1", "r2", "r3", "r4", "r5",  \
+           "r6", "r7", "cc"                     \
+         );
+
+#endif /* Thumb */
+
+#endif /* ARMv3 */
+
+#if defined(__alpha__)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "ldq    $1, %3          \n\t"   \
+        "ldq    $2, %4          \n\t"   \
+        "ldq    $3, %5          \n\t"   \
+        "ldq    $4, %6          \n\t"
+
+#define MULADDC_CORE                    \
+        "ldq    $6,  0($1)      \n\t"   \
+        "addq   $1,  8, $1      \n\t"   \
+        "mulq   $6, $4, $7      \n\t"   \
+        "umulh  $6, $4, $6      \n\t"   \
+        "addq   $7, $3, $7      \n\t"   \
+        "cmpult $7, $3, $3      \n\t"   \
+        "ldq    $5,  0($2)      \n\t"   \
+        "addq   $7, $5, $7      \n\t"   \
+        "cmpult $7, $5, $5      \n\t"   \
+        "stq    $7,  0($2)      \n\t"   \
+        "addq   $2,  8, $2      \n\t"   \
+        "addq   $6, $3, $3      \n\t"   \
+        "addq   $5, $3, $3      \n\t"
+
+#define MULADDC_STOP                                    \
+        "stq    $3, %0          \n\t"   \
+        "stq    $2, %1          \n\t"   \
+        "stq    $1, %2          \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)              \
+        : "m" (s), "m" (d), "m" (c), "m" (b)        \
+        : "$1", "$2", "$3", "$4", "$5", "$6", "$7"  \
+    );
+#endif /* Alpha */
+
+#if defined(__mips__) && !defined(__mips64)
+
+#define MULADDC_INIT                    \
+    asm(                                \
+        "lw     $10, %3         \n\t"   \
+        "lw     $11, %4         \n\t"   \
+        "lw     $12, %5         \n\t"   \
+        "lw     $13, %6         \n\t"
+
+#define MULADDC_CORE                    \
+        "lw     $14, 0($10)     \n\t"   \
+        "multu  $13, $14        \n\t"   \
+        "addi   $10, $10, 4     \n\t"   \
+        "mflo   $14             \n\t"   \
+        "mfhi   $9              \n\t"   \
+        "addu   $14, $12, $14   \n\t"   \
+        "lw     $15, 0($11)     \n\t"   \
+        "sltu   $12, $14, $12   \n\t"   \
+        "addu   $15, $14, $15   \n\t"   \
+        "sltu   $14, $15, $14   \n\t"   \
+        "addu   $12, $12, $9    \n\t"   \
+        "sw     $15, 0($11)     \n\t"   \
+        "addu   $12, $12, $14   \n\t"   \
+        "addi   $11, $11, 4     \n\t"
+
+#define MULADDC_STOP                    \
+        "sw     $12, %0         \n\t"   \
+        "sw     $11, %1         \n\t"   \
+        "sw     $10, %2         \n\t"   \
+        : "=m" (c), "=m" (d), "=m" (s)                      \
+        : "m" (s), "m" (d), "m" (c), "m" (b)                \
+        : "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
+    );
+
+#endif /* MIPS */
+#endif /* GNUC */
+
+#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
+
+#define MULADDC_INIT                            \
+    __asm   mov     esi, s                      \
+    __asm   mov     edi, d                      \
+    __asm   mov     ecx, c                      \
+    __asm   mov     ebx, b
+
+#define MULADDC_CORE                            \
+    __asm   lodsd                               \
+    __asm   mul     ebx                         \
+    __asm   add     eax, ecx                    \
+    __asm   adc     edx, 0                      \
+    __asm   add     eax, [edi]                  \
+    __asm   adc     edx, 0                      \
+    __asm   mov     ecx, edx                    \
+    __asm   stosd
+
+#if defined(MBEDTLS_HAVE_SSE2)
+
+#define EMIT __asm _emit
+
+#define MULADDC_HUIT                            \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0xC9             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0xC3             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x1F             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x16             \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x7E  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF8             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x5F  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xDC             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xEE             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x67  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xFC             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x0F             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x56  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x04  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x5E  EMIT 0x1C  \
+    EMIT 0x0F  EMIT 0xF4  EMIT 0xD8             \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCD             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xD5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x08  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCF             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xE5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x0C  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xF5             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x10  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCC             \
+    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x1C  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xDD             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x14  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCE             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x18  \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x1C  \
+    EMIT 0x83  EMIT 0xC7  EMIT 0x20             \
+    EMIT 0x83  EMIT 0xC6  EMIT 0x20             \
+    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
+    EMIT 0x0F  EMIT 0x7E  EMIT 0xC9
+
+#define MULADDC_STOP                            \
+    EMIT 0x0F  EMIT 0x77                        \
+    __asm   mov     c, ecx                      \
+    __asm   mov     d, edi                      \
+    __asm   mov     s, esi                      \
+
+#else
+
+#define MULADDC_STOP                            \
+    __asm   mov     c, ecx                      \
+    __asm   mov     d, edi                      \
+    __asm   mov     s, esi                      \
+
+#endif /* SSE2 */
+#endif /* MSVC */
+
+#endif /* MBEDTLS_HAVE_ASM */
+
+#if !defined(MULADDC_CORE)
+#if defined(MBEDTLS_HAVE_UDBL)
+
+#define MULADDC_INIT                    \
+{                                       \
+    mbedtls_t_udbl r;                           \
+    mbedtls_mpi_uint r0, r1;
+
+#define MULADDC_CORE                    \
+    r   = *(s++) * (mbedtls_t_udbl) b;          \
+    r0  = (mbedtls_mpi_uint) r;                   \
+    r1  = (mbedtls_mpi_uint)( r >> biL );         \
+    r0 += c;  r1 += (r0 <  c);          \
+    r0 += *d; r1 += (r0 < *d);          \
+    c = r1; *(d++) = r0;
+
+#define MULADDC_STOP                    \
+}
+
+#else
+#define MULADDC_INIT                    \
+{                                       \
+    mbedtls_mpi_uint s0, s1, b0, b1;              \
+    mbedtls_mpi_uint r0, r1, rx, ry;              \
+    b0 = ( b << biH ) >> biH;           \
+    b1 = ( b >> biH );
+
+#define MULADDC_CORE                    \
+    s0 = ( *s << biH ) >> biH;          \
+    s1 = ( *s >> biH ); s++;            \
+    rx = s0 * b1; r0 = s0 * b0;         \
+    ry = s1 * b0; r1 = s1 * b1;         \
+    r1 += ( rx >> biH );                \
+    r1 += ( ry >> biH );                \
+    rx <<= biH; ry <<= biH;             \
+    r0 += rx; r1 += (r0 < rx);          \
+    r0 += ry; r1 += (r0 < ry);          \
+    r0 +=  c; r1 += (r0 <  c);          \
+    r0 += *d; r1 += (r0 < *d);          \
+    c = r1; *(d++) = r0;
+
+#define MULADDC_STOP                    \
+}
+
+#endif /* C (generic)  */
+#endif /* C (longlong) */
+
+#endif /* bn_mul.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/camellia.h b/makerom/deps/libmbedtls/include/mbedtls/camellia.h
new file mode 100644
index 00000000..3eeb6636
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/camellia.h
@@ -0,0 +1,326 @@
+/**
+ * \file camellia.h
+ *
+ * \brief Camellia block cipher
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CAMELLIA_H
+#define MBEDTLS_CAMELLIA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "platform_util.h"
+
+#define MBEDTLS_CAMELLIA_ENCRYPT     1
+#define MBEDTLS_CAMELLIA_DECRYPT     0
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x0024 )
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#define MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA -0x0024 /**< Bad input data. */
+
+#define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED              -0x0027  /**< Camellia hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          CAMELLIA context structure
+ */
+typedef struct mbedtls_camellia_context
+{
+    int nr;                     /*!<  number of rounds  */
+    uint32_t rk[68];            /*!<  CAMELLIA round keys    */
+}
+mbedtls_camellia_context;
+
+#else  /* MBEDTLS_CAMELLIA_ALT */
+#include "camellia_alt.h"
+#endif /* MBEDTLS_CAMELLIA_ALT */
+
+/**
+ * \brief          Initialize a CAMELLIA context.
+ *
+ * \param ctx      The CAMELLIA context to be initialized.
+ *                 This must not be \c NULL.
+ */
+void mbedtls_camellia_init( mbedtls_camellia_context *ctx );
+
+/**
+ * \brief          Clear a CAMELLIA context.
+ *
+ * \param ctx      The CAMELLIA context to be cleared. This may be \c NULL,
+ *                 in which case this function returns immediately. If it is not
+ *                 \c NULL, it must be initialized.
+ */
+void mbedtls_camellia_free( mbedtls_camellia_context *ctx );
+
+/**
+ * \brief          Perform a CAMELLIA key schedule operation for encryption.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The encryption key to use. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits );
+
+/**
+ * \brief          Perform a CAMELLIA key schedule operation for decryption.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized.
+ * \param key      The decryption key. This must be a readable buffer
+ *                 of size \p keybits Bits.
+ * \param keybits  The length of \p key in Bits. This must be either \c 128,
+ *                 \c 192 or \c 256.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits );
+
+/**
+ * \brief          Perform a CAMELLIA-ECB block encryption/decryption operation.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param input    The input block. This must be a readable buffer
+ *                 of size \c 16 Bytes.
+ * \param output   The output block. This must be a writable buffer
+ *                 of size \c 16 Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          Perform a CAMELLIA-CBC buffer encryption/decryption operation.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length in Bytes of the input data \p input.
+ *                 This must be a multiple of \c 16 Bytes.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated to allow streaming
+ *                 use as explained above.
+ * \param input    The buffer holding the input data. This must point to a
+ *                 readable buffer of length \p length Bytes.
+ * \param output   The buffer holding the output data. This must point to a
+ *                 writable buffer of length \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/**
+ * \brief          Perform a CAMELLIA-CFB128 buffer encryption/decryption
+ *                 operation.
+ *
+ * \note           Due to the nature of CFB mode, you should use the same
+ *                 key for both encryption and decryption. In particular, calls
+ *                 to this function should be preceded by a key-schedule via
+ *                 mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *                 is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      The CAMELLIA context to use. This must be initialized
+ *                 and bound to a key.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ * \param length   The length of the input data \p input. Any value is allowed.
+ * \param iv_off   The current offset in the IV. This must be smaller
+ *                 than \c 16 Bytes. It is updated after this call to allow
+ *                 the aforementioned streaming usage.
+ * \param iv       The initialization vector. This must be a read/write buffer
+ *                 of length \c 16 Bytes. It is updated after this call to
+ *                 allow the aforementioned streaming usage.
+ * \param input    The buffer holding the input data. This must be a readable
+ *                 buffer of size \p length Bytes.
+ * \param output   The buffer to hold the output data. This must be a writable
+ *                 buffer of length \p length Bytes.
+ *
+ * \return         \c 0 if successful.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/**
+ * \brief      Perform a CAMELLIA-CTR buffer encryption/decryption operation.
+ *
+ * *note       Due to the nature of CTR mode, you should use the same
+ *             key for both encryption and decryption. In particular, calls
+ *             to this function should be preceded by a key-schedule via
+ *             mbedtls_camellia_setkey_enc() regardless of whether \p mode
+ *             is #MBEDTLS_CAMELLIA_ENCRYPT or #MBEDTLS_CAMELLIA_DECRYPT.
+ *
+ * \warning    You must never reuse a nonce value with the same key. Doing so
+ *             would void the encryption for the two messages encrypted with
+ *             the same nonce and key.
+ *
+ *             There are two common strategies for managing nonces with CTR:
+ *
+ *             1. You can handle everything as a single message processed over
+ *             successive calls to this function. In that case, you want to
+ *             set \p nonce_counter and \p nc_off to 0 for the first call, and
+ *             then preserve the values of \p nonce_counter, \p nc_off and \p
+ *             stream_block across calls to this function as they will be
+ *             updated by this function.
+ *
+ *             With this strategy, you must not encrypt more than 2**128
+ *             blocks of data with the same key.
+ *
+ *             2. You can encrypt separate messages by dividing the \p
+ *             nonce_counter buffer in two areas: the first one used for a
+ *             per-message nonce, handled by yourself, and the second one
+ *             updated by this function internally.
+ *
+ *             For example, you might reserve the first \c 12 Bytes for the
+ *             per-message nonce, and the last \c 4 Bytes for internal use.
+ *             In that case, before calling this function on a new message you
+ *             need to set the first \c 12 Bytes of \p nonce_counter to your
+ *             chosen nonce value, the last four to \c 0, and \p nc_off to \c 0
+ *             (which will cause \p stream_block to be ignored). That way, you
+ *             can encrypt at most \c 2**96 messages of up to \c 2**32 blocks
+ *             each  with the same key.
+ *
+ *             The per-message nonce (or information sufficient to reconstruct
+ *             it) needs to be communicated with the ciphertext and must be
+ *             unique. The recommended way to ensure uniqueness is to use a
+ *             message counter. An alternative is to generate random nonces,
+ *             but this limits the number of messages that can be securely
+ *             encrypted: for example, with 96-bit random nonces, you should
+ *             not encrypt more than 2**32 messages with the same key.
+ *
+ *             Note that for both stategies, sizes are measured in blocks and
+ *             that a CAMELLIA block is \c 16 Bytes.
+ *
+ * \warning    Upon return, \p stream_block contains sensitive data. Its
+ *             content must not be written to insecure storage and should be
+ *             securely discarded as soon as it's no longer needed.
+ *
+ * \param ctx           The CAMELLIA context to use. This must be initialized
+ *                      and bound to a key.
+ * \param length        The length of the input data \p input in Bytes.
+ *                      Any value is allowed.
+ * \param nc_off        The offset in the current \p stream_block (for resuming
+ *                      within current cipher stream). The offset pointer to
+ *                      should be \c 0 at the start of a stream. It is updated
+ *                      at the end of this call.
+ * \param nonce_counter The 128-bit nonce and counter. This must be a read/write
+ *                      buffer of length \c 16 Bytes.
+ * \param stream_block  The saved stream-block for resuming. This must be a
+ *                      read/write buffer of length \c 16 Bytes.
+ * \param input         The input data stream. This must be a readable buffer of
+ *                      size \p length Bytes.
+ * \param output        The output data stream. This must be a writable buffer
+ *                      of size \p length Bytes.
+ *
+ * \return              \c 0 if successful.
+ * \return              A negative error code on failure.
+ */
+int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_camellia_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* camellia.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ccm.h b/makerom/deps/libmbedtls/include/mbedtls/ccm.h
new file mode 100644
index 00000000..f03e3b58
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ccm.h
@@ -0,0 +1,310 @@
+/**
+ * \file ccm.h
+ *
+ * \brief This file provides an API for the CCM authenticated encryption
+ *        mode for block ciphers.
+ *
+ * CCM combines Counter mode encryption with CBC-MAC authentication
+ * for 128-bit block ciphers.
+ *
+ * Input to CCM includes the following elements:
+ * <ul><li>Payload - data that is both authenticated and encrypted.</li>
+ * <li>Associated data (Adata) - data that is authenticated but not
+ * encrypted, For example, a header.</li>
+ * <li>Nonce - A unique value that is assigned to the payload and the
+ * associated data.</li></ul>
+ *
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ *
+ * Definition of CCM*:
+ * IEEE 802.15.4 - IEEE Standard for Local and metropolitan area networks
+ * Integer representation is fixed most-significant-octet-first order and
+ * the representation of octets is most-significant-bit-first order. This is
+ * consistent with RFC 3610.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CCM_H
+#define MBEDTLS_CCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#define MBEDTLS_ERR_CCM_BAD_INPUT       -0x000D /**< Bad input parameters to the function. */
+#define MBEDTLS_ERR_CCM_AUTH_FAILED     -0x000F /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_CCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CCM_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief    The CCM context-type definition. The CCM context is passed
+ *           to the APIs called.
+ */
+typedef struct mbedtls_ccm_context
+{
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+}
+mbedtls_ccm_context;
+
+#else  /* MBEDTLS_CCM_ALT */
+#include "ccm_alt.h"
+#endif /* MBEDTLS_CCM_ALT */
+
+/**
+ * \brief           This function initializes the specified CCM context,
+ *                  to make references valid, and prepare the context
+ *                  for mbedtls_ccm_setkey() or mbedtls_ccm_free().
+ *
+ * \param ctx       The CCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ccm_init( mbedtls_ccm_context *ctx );
+
+/**
+ * \brief           This function initializes the CCM context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The CCM context to initialize. This must be an initialized
+ *                  context.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key. This must not be \c NULL.
+ * \param keybits   The key size in bits. This must be acceptable by the cipher.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits );
+
+/**
+ * \brief   This function releases and clears the specified CCM context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The CCM context to clear. If this is \c NULL, the function
+ *                  has no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_ccm_free( mbedtls_ccm_context *ctx );
+
+/**
+ * \brief           This function encrypts a buffer using CCM.
+ *
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. If \p add_len is greater than
+ *                  zero, \p add must be a readable buffer of at least that
+ *                  length.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than `2^16 - 2^8`.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function encrypts a buffer using CCM*.
+ *
+ * \note            The tag is written to a separate buffer. To concatenate
+ *                  the \p tag with the \p output, as done in <em>RFC-3610:
+ *                  Counter with CBC-MAC (CCM)</em>, use
+ *                  \p tag = \p output + \p length, and make sure that the
+ *                  output buffer is at least \p length + \p tag_len wide.
+ *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be encoded into the \p iv passed to
+ *                  this function.
+ *
+ * \param ctx       The CCM context to use for encryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is no
+ *                  longer authenticated.
+ *
+ * \return          \c 0 on success.
+ * \return          A CCM or cipher-specific error code on failure.
+ */
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function performs a CCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer
+ *                  of at least that \p add_len Bytes..
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field to generate in Bytes:
+ *                  4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \return          \c 0 on success. This indicates that the message is authentic.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief           This function performs a CCM* authenticated decryption of a
+ *                  buffer.
+ *
+ * \note            When using this function in a variable tag length context,
+ *                  the tag length has to be decoded from \p iv and passed to
+ *                  this function as \p tag_len. (\p tag needs to be adjusted
+ *                  accordingly.)
+ *
+ * \param ctx       The CCM context to use for decryption. This must be
+ *                  initialized and bound to a key.
+ * \param length    The length of the input data in Bytes.
+ * \param iv        The initialization vector (nonce). This must be a readable
+ *                  buffer of at least \p iv_len Bytes.
+ * \param iv_len    The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
+ *                  or 13. The length L of the message length field is
+ *                  15 - \p iv_len.
+ * \param add       The additional data field. This must be a readable buffer of
+ *                  at least that \p add_len Bytes.
+ * \param add_len   The length of additional data in Bytes.
+ *                  This must be less than 2^16 - 2^8.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, \p input must be a readable buffer of at least
+ *                  that length.
+ * \param output    The buffer holding the output data. If \p length is greater
+ *                  than zero, \p output must be a writable buffer of at least
+ *                  that length.
+ * \param tag       The buffer holding the authentication field. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the authentication field in Bytes.
+ *                  0, 4, 6, 8, 10, 12, 14 or 16.
+ *
+ * \warning         Passing \c 0 as \p tag_len means that the message is nos
+ *                  longer authenticated.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match.
+ * \return          A cipher-specific error code on calculation failure.
+ */
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len );
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The CCM checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_ccm_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CCM_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/certs.h b/makerom/deps/libmbedtls/include/mbedtls/certs.h
new file mode 100644
index 00000000..179ebbba
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/certs.h
@@ -0,0 +1,252 @@
+/**
+ * \file certs.h
+ *
+ * \brief Sample certificates and DHM parameters for testing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CERTS_H
+#define MBEDTLS_CERTS_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* List of all PEM-encoded CA certificates, terminated by NULL;
+ * PEM encoded if MBEDTLS_PEM_PARSE_C is enabled, DER encoded
+ * otherwise. */
+extern const char * mbedtls_test_cas[];
+extern const size_t mbedtls_test_cas_len[];
+
+/* List of all DER-encoded CA certificates, terminated by NULL */
+extern const unsigned char * mbedtls_test_cas_der[];
+extern const size_t mbedtls_test_cas_der_len[];
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/* Concatenation of all CA certificates in PEM format if available */
+extern const char   mbedtls_test_cas_pem[];
+extern const size_t mbedtls_test_cas_pem_len;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+/*
+ * CA test certificates
+ */
+
+extern const char mbedtls_test_ca_crt_ec_pem[];
+extern const char mbedtls_test_ca_key_ec_pem[];
+extern const char mbedtls_test_ca_pwd_ec_pem[];
+extern const char mbedtls_test_ca_key_rsa_pem[];
+extern const char mbedtls_test_ca_pwd_rsa_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_ca_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_ca_crt_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_ec_der[];
+extern const unsigned char mbedtls_test_ca_key_rsa_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_ca_crt_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_ec_pem_len;
+extern const size_t mbedtls_test_ca_pwd_ec_pem_len;
+extern const size_t mbedtls_test_ca_key_rsa_pem_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_ca_crt_ec_der_len;
+extern const size_t mbedtls_test_ca_key_ec_der_len;
+extern const size_t mbedtls_test_ca_pwd_ec_der_len;
+extern const size_t mbedtls_test_ca_key_rsa_der_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_ca_crt_ec[];
+extern const char mbedtls_test_ca_key_ec[];
+extern const char mbedtls_test_ca_pwd_ec[];
+extern const char mbedtls_test_ca_key_rsa[];
+extern const char mbedtls_test_ca_pwd_rsa[];
+extern const char mbedtls_test_ca_crt_rsa_sha1[];
+extern const char mbedtls_test_ca_crt_rsa_sha256[];
+
+extern const size_t mbedtls_test_ca_crt_ec_len;
+extern const size_t mbedtls_test_ca_key_ec_len;
+extern const size_t mbedtls_test_ca_pwd_ec_len;
+extern const size_t mbedtls_test_ca_key_rsa_len;
+extern const size_t mbedtls_test_ca_pwd_rsa_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_ca_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_ca_crt_rsa[];
+extern const size_t mbedtls_test_ca_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char * mbedtls_test_ca_crt;
+extern const char * mbedtls_test_ca_key;
+extern const char * mbedtls_test_ca_pwd;
+extern const size_t mbedtls_test_ca_crt_len;
+extern const size_t mbedtls_test_ca_key_len;
+extern const size_t mbedtls_test_ca_pwd_len;
+
+/*
+ * Server test certificates
+ */
+
+extern const char mbedtls_test_srv_crt_ec_pem[];
+extern const char mbedtls_test_srv_key_ec_pem[];
+extern const char mbedtls_test_srv_pwd_ec_pem[];
+extern const char mbedtls_test_srv_key_rsa_pem[];
+extern const char mbedtls_test_srv_pwd_rsa_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha1_pem[];
+extern const char mbedtls_test_srv_crt_rsa_sha256_pem[];
+
+extern const unsigned char mbedtls_test_srv_crt_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_ec_der[];
+extern const unsigned char mbedtls_test_srv_key_rsa_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[];
+extern const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[];
+
+extern const size_t mbedtls_test_srv_crt_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_ec_pem_len;
+extern const size_t mbedtls_test_srv_pwd_ec_pem_len;
+extern const size_t mbedtls_test_srv_key_rsa_pem_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len;
+
+extern const size_t mbedtls_test_srv_crt_ec_der_len;
+extern const size_t mbedtls_test_srv_key_ec_der_len;
+extern const size_t mbedtls_test_srv_pwd_ec_der_len;
+extern const size_t mbedtls_test_srv_key_rsa_der_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_der_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_srv_crt_ec[];
+extern const char mbedtls_test_srv_key_ec[];
+extern const char mbedtls_test_srv_pwd_ec[];
+extern const char mbedtls_test_srv_key_rsa[];
+extern const char mbedtls_test_srv_pwd_rsa[];
+extern const char mbedtls_test_srv_crt_rsa_sha1[];
+extern const char mbedtls_test_srv_crt_rsa_sha256[];
+
+extern const size_t mbedtls_test_srv_crt_ec_len;
+extern const size_t mbedtls_test_srv_key_ec_len;
+extern const size_t mbedtls_test_srv_pwd_ec_len;
+extern const size_t mbedtls_test_srv_key_rsa_len;
+extern const size_t mbedtls_test_srv_pwd_rsa_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha1_len;
+extern const size_t mbedtls_test_srv_crt_rsa_sha256_len;
+
+/* Config-dependent dispatch between SHA-1 and SHA-256
+ * (SHA-256 if enabled, otherwise SHA-1) */
+
+extern const char mbedtls_test_srv_crt_rsa[];
+extern const size_t mbedtls_test_srv_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char * mbedtls_test_srv_crt;
+extern const char * mbedtls_test_srv_key;
+extern const char * mbedtls_test_srv_pwd;
+extern const size_t mbedtls_test_srv_crt_len;
+extern const size_t mbedtls_test_srv_key_len;
+extern const size_t mbedtls_test_srv_pwd_len;
+
+/*
+ * Client test certificates
+ */
+
+extern const char mbedtls_test_cli_crt_ec_pem[];
+extern const char mbedtls_test_cli_key_ec_pem[];
+extern const char mbedtls_test_cli_pwd_ec_pem[];
+extern const char mbedtls_test_cli_key_rsa_pem[];
+extern const char mbedtls_test_cli_pwd_rsa_pem[];
+extern const char mbedtls_test_cli_crt_rsa_pem[];
+
+extern const unsigned char mbedtls_test_cli_crt_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_ec_der[];
+extern const unsigned char mbedtls_test_cli_key_rsa_der[];
+extern const unsigned char mbedtls_test_cli_crt_rsa_der[];
+
+extern const size_t mbedtls_test_cli_crt_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_ec_pem_len;
+extern const size_t mbedtls_test_cli_pwd_ec_pem_len;
+extern const size_t mbedtls_test_cli_key_rsa_pem_len;
+extern const size_t mbedtls_test_cli_pwd_rsa_pem_len;
+extern const size_t mbedtls_test_cli_crt_rsa_pem_len;
+
+extern const size_t mbedtls_test_cli_crt_ec_der_len;
+extern const size_t mbedtls_test_cli_key_ec_der_len;
+extern const size_t mbedtls_test_cli_key_rsa_der_len;
+extern const size_t mbedtls_test_cli_crt_rsa_der_len;
+
+/* Config-dependent dispatch between PEM and DER encoding
+ * (PEM if enabled, otherwise DER) */
+
+extern const char mbedtls_test_cli_crt_ec[];
+extern const char mbedtls_test_cli_key_ec[];
+extern const char mbedtls_test_cli_pwd_ec[];
+extern const char mbedtls_test_cli_key_rsa[];
+extern const char mbedtls_test_cli_pwd_rsa[];
+extern const char mbedtls_test_cli_crt_rsa[];
+
+extern const size_t mbedtls_test_cli_crt_ec_len;
+extern const size_t mbedtls_test_cli_key_ec_len;
+extern const size_t mbedtls_test_cli_pwd_ec_len;
+extern const size_t mbedtls_test_cli_key_rsa_len;
+extern const size_t mbedtls_test_cli_pwd_rsa_len;
+extern const size_t mbedtls_test_cli_crt_rsa_len;
+
+/* Config-dependent dispatch between EC and RSA
+ * (RSA if enabled, otherwise EC) */
+
+extern const char * mbedtls_test_cli_crt;
+extern const char * mbedtls_test_cli_key;
+extern const char * mbedtls_test_cli_pwd;
+extern const size_t mbedtls_test_cli_crt_len;
+extern const size_t mbedtls_test_cli_key_len;
+extern const size_t mbedtls_test_cli_pwd_len;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* certs.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/chacha20.h b/makerom/deps/libmbedtls/include/mbedtls/chacha20.h
new file mode 100644
index 00000000..2ae5e6e5
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/chacha20.h
@@ -0,0 +1,226 @@
+/**
+ * \file chacha20.h
+ *
+ * \brief   This file contains ChaCha20 definitions and functions.
+ *
+ *          ChaCha20 is a stream cipher that can encrypt and decrypt
+ *          information. ChaCha was created by Daniel Bernstein as a variant of
+ *          its Salsa cipher https://cr.yp.to/chacha/chacha-20080128.pdf
+ *          ChaCha20 is the variant with 20 rounds, that was also standardized
+ *          in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHA20_H
+#define MBEDTLS_CHACHA20_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA         -0x0051 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE    -0x0053 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED        -0x0055  /**< Chacha20 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+typedef struct mbedtls_chacha20_context
+{
+    uint32_t state[16];          /*! The state (before round operations). */
+    uint8_t  keystream8[64];     /*! Leftover keystream bytes. */
+    size_t keystream_bytes_used; /*! Number of keystream bytes already used. */
+}
+mbedtls_chacha20_context;
+
+#else  /* MBEDTLS_CHACHA20_ALT */
+#include "chacha20_alt.h"
+#endif /* MBEDTLS_CHACHA20_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by calls to
+ *                  \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts(), then one or more calls to
+ *                  to \c mbedtls_chacha20_update(), and finally to
+ *                  \c mbedtls_chacha20_free().
+ *
+ * \param ctx       The ChaCha20 context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20 context.
+ *
+ * \param ctx       The ChaCha20 context to clear. This may be \c NULL,
+ *                  in which case this function is a no-op. If it is not
+ *                  \c NULL, it must point to an initialized context.
+ *
+ */
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx );
+
+/**
+ * \brief           This function sets the encryption/decryption key.
+ *
+ * \note            After using this function, you must also call
+ *                  \c mbedtls_chacha20_starts() to set a nonce before you
+ *                  start encrypting/decrypting data with
+ *                  \c mbedtls_chacha_update().
+ *
+ * \param ctx       The ChaCha20 context to which the key should be bound.
+ *                  It must be initialized.
+ * \param key       The encryption/decryption key. This must be \c 32 Bytes
+ *                  in length.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or key is NULL.
+ */
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+                             const unsigned char key[32] );
+
+/**
+ * \brief           This function sets the nonce and initial counter value.
+ *
+ * \note            A ChaCha20 context can be re-used with the same key by
+ *                  calling this function to change the nonce.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality guarantees for the
+ *                  messages encrypted with the same nonce and key.
+ *
+ * \param ctx       The ChaCha20 context to which the nonce should be bound.
+ *                  It must be initialized and bound to a key.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or nonce is
+ *                  NULL.
+ */
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+                             const unsigned char nonce[12],
+                             uint32_t counter );
+
+/**
+ * \brief           This function encrypts or decrypts data.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \note            \c mbedtls_chacha20_setkey() and
+ *                  \c mbedtls_chacha20_starts() must be called at least once
+ *                  to setup the context before this function can be called.
+ *
+ * \note            This function can be called multiple times in a row in
+ *                  order to encrypt of decrypt data piecewise with the same
+ *                  key and nonce.
+ *
+ * \param ctx       The ChaCha20 context to use for encryption or decryption.
+ *                  It must be initialized and bound to a key and nonce.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+                             size_t size,
+                             const unsigned char *input,
+                             unsigned char *output );
+
+/**
+ * \brief           This function encrypts or decrypts data with ChaCha20 and
+ *                  the given key and nonce.
+ *
+ *                  Since ChaCha20 is a stream cipher, the same operation is
+ *                  used for encrypting and decrypting data.
+ *
+ * \warning         You must never use the same (key, nonce) pair more than
+ *                  once. This would void any confidentiality guarantees for
+ *                  the messages encrypted with the same nonce and key.
+ *
+ * \note            The \p input and \p output pointers must either be equal or
+ *                  point to non-overlapping buffers.
+ *
+ * \param key       The encryption/decryption key.
+ *                  This must be \c 32 Bytes in length.
+ * \param nonce     The nonce. This must be \c 12 Bytes in size.
+ * \param counter   The initial counter value. This is usually \c 0.
+ * \param size      The length of the input data in Bytes.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `size == 0`.
+ * \param output    The buffer holding the output data.
+ *                  This must be able to hold \p size Bytes.
+ *                  This pointer can be \c NULL if `size == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+                            const unsigned char nonce[12],
+                            uint32_t counter,
+                            size_t size,
+                            const unsigned char* input,
+                            unsigned char* output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chacha20_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHA20_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/chachapoly.h b/makerom/deps/libmbedtls/include/mbedtls/chachapoly.h
new file mode 100644
index 00000000..49e615d2
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/chachapoly.h
@@ -0,0 +1,358 @@
+/**
+ * \file chachapoly.h
+ *
+ * \brief   This file contains the AEAD-ChaCha20-Poly1305 definitions and
+ *          functions.
+ *
+ *          ChaCha20-Poly1305 is an algorithm for Authenticated Encryption
+ *          with Associated Data (AEAD) that can be used to encrypt and
+ *          authenticate data. It is based on ChaCha20 and Poly1305 by Daniel
+ *          Bernstein and was standardized in RFC 7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CHACHAPOLY_H
+#define MBEDTLS_CHACHAPOLY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/* for shared error codes */
+#include "poly1305.h"
+
+#define MBEDTLS_ERR_CHACHAPOLY_BAD_STATE            -0x0054 /**< The requested operation is not permitted in the current state. */
+#define MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED          -0x0056 /**< Authenticated decryption failed: data was not authentic. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+    MBEDTLS_CHACHAPOLY_ENCRYPT,     /**< The mode value for performing encryption. */
+    MBEDTLS_CHACHAPOLY_DECRYPT      /**< The mode value for performing decryption. */
+}
+mbedtls_chachapoly_mode_t;
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+#include "chacha20.h"
+
+typedef struct mbedtls_chachapoly_context
+{
+    mbedtls_chacha20_context chacha20_ctx;  /**< The ChaCha20 context. */
+    mbedtls_poly1305_context poly1305_ctx;  /**< The Poly1305 context. */
+    uint64_t aad_len;                       /**< The length (bytes) of the Additional Authenticated Data. */
+    uint64_t ciphertext_len;                /**< The length (bytes) of the ciphertext. */
+    int state;                              /**< The current state of the context. */
+    mbedtls_chachapoly_mode_t mode;         /**< Cipher mode (encrypt or decrypt). */
+}
+mbedtls_chachapoly_context;
+
+#else /* !MBEDTLS_CHACHAPOLY_ALT */
+#include "chachapoly_alt.h"
+#endif /* !MBEDTLS_CHACHAPOLY_ALT */
+
+/**
+ * \brief           This function initializes the specified ChaCha20-Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context. It must be followed by a call to
+ *                  \c mbedtls_chachapoly_setkey() before any operation can be
+ *                  done, and to \c mbedtls_chachapoly_free() once all
+ *                  operations with that context have been finished.
+ *
+ *                  In order to encrypt or decrypt full messages at once, for
+ *                  each message you should make a single call to
+ *                  \c mbedtls_chachapoly_crypt_and_tag() or
+ *                  \c mbedtls_chachapoly_auth_decrypt().
+ *
+ *                  In order to encrypt messages piecewise, for each
+ *                  message you should make a call to
+ *                  \c mbedtls_chachapoly_starts(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update_aad(), then 0 or more calls to
+ *                  \c mbedtls_chachapoly_update(), then one call to
+ *                  \c mbedtls_chachapoly_finish().
+ *
+ * \warning         Decryption with the piecewise API is discouraged! Always
+ *                  use \c mbedtls_chachapoly_auth_decrypt() when possible!
+ *
+ *                  If however this is not possible because the data is too
+ *                  large to fit in memory, you need to:
+ *
+ *                  - call \c mbedtls_chachapoly_starts() and (if needed)
+ *                  \c mbedtls_chachapoly_update_aad() as above,
+ *                  - call \c mbedtls_chachapoly_update() multiple times and
+ *                  ensure its output (the plaintext) is NOT used in any other
+ *                  way than placing it in temporary storage at this point,
+ *                  - call \c mbedtls_chachapoly_finish() to compute the
+ *                  authentication tag and compared it in constant time to the
+ *                  tag received with the ciphertext.
+ *
+ *                  If the tags are not equal, you must immediately discard
+ *                  all previous outputs of \c mbedtls_chachapoly_update(),
+ *                  otherwise you can now safely use the plaintext.
+ *
+ * \param ctx       The ChachaPoly context to initialize. Must not be \c NULL.
+ */
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  ChaCha20-Poly1305 context.
+ *
+ * \param ctx       The ChachaPoly context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op.
+ */
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx );
+
+/**
+ * \brief           This function sets the ChaCha20-Poly1305
+ *                  symmetric encryption key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to which the key should be
+ *                  bound. This must be initialized.
+ * \param key       The \c 256 Bit (\c 32 Bytes) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+                               const unsigned char key[32] );
+
+/**
+ * \brief           This function starts a ChaCha20-Poly1305 encryption or
+ *                  decryption operation.
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \note            If the context is being used for AAD only (no data to
+ *                  encrypt or decrypt) then \p mode can be set to any value.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param nonce     The nonce/IV to use for the message.
+ *                  This must be a redable buffer of length \c 12 Bytes.
+ * \param mode      The operation to perform: #MBEDTLS_CHACHAPOLY_ENCRYPT or
+ *                  #MBEDTLS_CHACHAPOLY_DECRYPT (discouraged, see warning).
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+                               const unsigned char nonce[12],
+                               mbedtls_chachapoly_mode_t mode );
+
+/**
+ * \brief           This function feeds additional data to be authenticated
+ *                  into an ongoing ChaCha20-Poly1305 operation.
+ *
+ *                  The Additional Authenticated Data (AAD), also called
+ *                  Associated Data (AD) is only authenticated but not
+ *                  encrypted nor included in the encrypted output. It is
+ *                  usually transmitted separately from the ciphertext or
+ *                  computed locally by each party.
+ *
+ * \note            This function is called before data is encrypted/decrypted.
+ *                  I.e. call this function to process the AAD before calling
+ *                  \c mbedtls_chachapoly_update().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of AAD. It is permitted to call
+ *                  this function 0 times, if no AAD is used.
+ *
+ *                  This function cannot be called any more if data has
+ *                  been processed by \c mbedtls_chachapoly_update(),
+ *                  or if the context has been finished.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context. This must be initialized
+ *                  and bound to a key.
+ * \param aad_len   The length in Bytes of the AAD. The length has no
+ *                  restrictions.
+ * \param aad       Buffer containing the AAD.
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA
+ *                  if \p ctx or \p aad are NULL.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operations has not been started or has been
+ *                  finished, or if the AAD has been finished.
+ */
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+                                   const unsigned char *aad,
+                                   size_t aad_len );
+
+/**
+ * \brief           Thus function feeds data to be encrypted or decrypted
+ *                  into an on-going ChaCha20-Poly1305
+ *                  operation.
+ *
+ *                  The direction (encryption or decryption) depends on the
+ *                  mode that was given when calling
+ *                  \c mbedtls_chachapoly_starts().
+ *
+ *                  You may call this function multiple times to process
+ *                  an arbitrary amount of data. It is permitted to call
+ *                  this function 0 times, if no data is to be encrypted
+ *                  or decrypted.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param len       The length (in bytes) of the data to encrypt or decrypt.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `len == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data is
+ *                  written. This must be able to hold \p len bytes.
+ *                  This pointer can be \c NULL if `len == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+                               size_t len,
+                               const unsigned char *input,
+                               unsigned char *output );
+
+/**
+ * \brief           This function finished the ChaCha20-Poly1305 operation and
+ *                  generates the MAC (authentication tag).
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use. This must be initialized.
+ * \param mac       The buffer to where the 128-bit (16 bytes) MAC is written.
+ *
+ * \warning         Decryption with the piecewise API is discouraged, see the
+ *                  warning on \c mbedtls_chachapoly_init().
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_BAD_STATE
+ *                  if the operation has not been started or has been
+ *                  finished.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+                               unsigned char mac[16] );
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated encryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \warning         You must never use the same nonce twice with the same key.
+ *                  This would void any confidentiality and authenticity
+ *                  guarantees for the messages encrypted with the same nonce
+ *                  and key.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ *                  This must be initialized.
+ * \param length    The length (in bytes) of the data to encrypt or decrypt.
+ * \param nonce     The 96-bit (12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated
+ *                  data (AAD). This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param input     The buffer containing the data to encrypt or decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the encrypted or decrypted data
+ *                  is written. This pointer can be \c NULL if `ilen == 0`.
+ * \param tag       The buffer to where the computed 128-bit (16 bytes) MAC
+ *                  is written. This must not be \c NULL.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                        size_t length,
+                                        const unsigned char nonce[12],
+                                        const unsigned char *aad,
+                                        size_t aad_len,
+                                        const unsigned char *input,
+                                        unsigned char *output,
+                                        unsigned char tag[16] );
+
+/**
+ * \brief           This function performs a complete ChaCha20-Poly1305
+ *                  authenticated decryption with the previously-set key.
+ *
+ * \note            Before using this function, you must set the key with
+ *                  \c mbedtls_chachapoly_setkey().
+ *
+ * \param ctx       The ChaCha20-Poly1305 context to use (holds the key).
+ * \param length    The length (in Bytes) of the data to decrypt.
+ * \param nonce     The \c 96 Bit (\c 12 bytes) nonce/IV to use.
+ * \param aad       The buffer containing the additional authenticated data (AAD).
+ *                  This pointer can be \c NULL if `aad_len == 0`.
+ * \param aad_len   The length (in bytes) of the AAD data to process.
+ * \param tag       The buffer holding the authentication tag.
+ *                  This must be a readable buffer of length \c 16 Bytes.
+ * \param input     The buffer containing the data to decrypt.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param output    The buffer to where the decrypted data is written.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED
+ *                  if the data was not authentic.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char tag[16],
+                                     const unsigned char *input,
+                                     unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The ChaCha20-Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_chachapoly_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CHACHAPOLY_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/check_config.h b/makerom/deps/libmbedtls/include/mbedtls/check_config.h
new file mode 100644
index 00000000..d076c235
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/check_config.h
@@ -0,0 +1,708 @@
+/**
+ * \file check_config.h
+ *
+ * \brief Consistency checks for configuration options
+ */
+/*
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * It is recommended to include this file from your config.h
+ * in order to catch dependency issues early.
+ */
+
+#ifndef MBEDTLS_CHECK_CONFIG_H
+#define MBEDTLS_CHECK_CONFIG_H
+
+/*
+ * We assume CHAR_BIT is 8 in many places. In practice, this is true on our
+ * target platforms, so not an issue, but let's just be extra sure.
+ */
+#include <limits.h>
+#if CHAR_BIT != 8
+#error "mbed TLS requires a platform with 8-bit chars"
+#endif
+
+#if defined(_WIN32)
+#if !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_C is required on Windows"
+#endif
+
+/* Fix the config here. Not convenient to put an #ifdef _WIN32 in config.h as
+ * it would confuse config.pl. */
+#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
+    !defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#endif /* _WIN32 */
+
+#if defined(TARGET_LIKE_MBED) && \
+    ( defined(MBEDTLS_NET_C) || defined(MBEDTLS_TIMING_C) )
+#error "The NET and TIMING modules are not available for mbed OS - please use the network and timing functions provided by mbed OS"
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_WARNING) && \
+    !defined(__GNUC__) && !defined(__clang__)
+#error "MBEDTLS_DEPRECATED_WARNING only works with GCC and Clang"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_HAVE_TIME)
+#error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
+#endif
+
+#if defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_AESNI_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
+#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_DHM_C) && !defined(MBEDTLS_BIGNUM_C)
+#error "MBEDTLS_DHM_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_CMAC_C) && \
+    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
+#error "MBEDTLS_CMAC_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C) && \
+    ( !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CIPHER_C) )
+#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
+#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C) &&            \
+    ( !defined(MBEDTLS_ECP_C) ||           \
+      !defined(MBEDTLS_ASN1_PARSE_C) ||    \
+      !defined(MBEDTLS_ASN1_WRITE_C) )
+#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECJPAKE_C) &&           \
+    ( !defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C) )
+#error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)           && \
+    ( defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT) || \
+      defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)     || \
+      defined(MBEDTLS_ECDSA_SIGN_ALT)          || \
+      defined(MBEDTLS_ECDSA_VERIFY_ALT)        || \
+      defined(MBEDTLS_ECDSA_GENKEY_ALT)        || \
+      defined(MBEDTLS_ECP_INTERNAL_ALT)        || \
+      defined(MBEDTLS_ECP_ALT) )
+#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
+#endif
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
+#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || (    \
+    !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) &&                  \
+    !defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) &&                 \
+    !defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
+#error "MBEDTLS_ECP_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) &&      \
+                                    !defined(MBEDTLS_SHA256_C))
+#error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_SHA512_C) &&         \
+    defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 64)
+#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) &&                                            \
+    ( !defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_ENTROPY_FORCE_SHA256) ) \
+    && defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32)
+#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
+#endif
+#if defined(MBEDTLS_ENTROPY_C) && \
+    defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_SHA256_C)
+#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
+    ( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
+#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
+#endif
+#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
+     ( defined(MBEDTLS_ENTROPY_NV_SEED) || defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
+    defined(MBEDTLS_HAVEGE_C) )
+#error "MBEDTLS_TEST_NULL_ENTROPY defined, but entropy sources too"
+#endif
+
+#if defined(MBEDTLS_GCM_C) && (                                        \
+        !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) )
+#error "MBEDTLS_GCM_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C)
+#error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_HKDF_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C) && !defined(MBEDTLS_MD_C)
+#error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) && !defined(MBEDTLS_DHM_C)
+#error "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) &&                     \
+    !defined(MBEDTLS_ECDH_C)
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) &&                   \
+    ( !defined(MBEDTLS_DHM_C) || !defined(MBEDTLS_RSA_C) ||           \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                 \
+    ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) ||          \
+      !defined(MBEDTLS_X509_CRT_PARSE_C) )
+#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) &&                   \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
+      !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) &&                       \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
+      !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
+    ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) ||      \
+      !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
+#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) &&                          \
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_BACKTRACE defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_MEMORY_DEBUG) && !defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#error "MBEDTLS_MEMORY_DEBUG defined, but not all prerequesites"
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) && !defined(MBEDTLS_BASE64_C)
+#error "MBEDTLS_PEM_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PEM_WRITE_C) && !defined(MBEDTLS_BASE64_C)
+#error "MBEDTLS_PEM_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_C) && \
+    ( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) )
+#error "MBEDTLS_PK_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PK_WRITE_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
+#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_EXIT_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_EXIT) ||\
+        defined(MBEDTLS_PLATFORM_EXIT_ALT) )
+#error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_FPRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_FPRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_FPRINTF) ||\
+        defined(MBEDTLS_PLATFORM_FPRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_FPRINTF_MACRO and MBEDTLS_PLATFORM_STD_FPRINTF/MBEDTLS_PLATFORM_FPRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_PLATFORM_FREE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
+    defined(MBEDTLS_PLATFORM_STD_FREE)
+#error "MBEDTLS_PLATFORM_FREE_MACRO and MBEDTLS_PLATFORM_STD_FREE cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && !defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO must be defined if MBEDTLS_PLATFORM_FREE_MACRO is"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
+    defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#error "MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) && !defined(MBEDTLS_PLATFORM_FREE_MACRO)
+#error "MBEDTLS_PLATFORM_FREE_MACRO must be defined if MBEDTLS_PLATFORM_CALLOC_MACRO is"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_MEMORY) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_MEMORY defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_PRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_PRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_PRINTF) ||\
+        defined(MBEDTLS_PLATFORM_PRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_PRINTF_MACRO and MBEDTLS_PLATFORM_STD_PRINTF/MBEDTLS_PLATFORM_PRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SNPRINTF_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
+#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_SNPRINTF) ||\
+        defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) )
+#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_SNPRINTF/MBEDTLS_PLATFORM_SNPRINTF_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR) &&\
+    !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+#error "MBEDTLS_PLATFORM_STD_MEM_HDR defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_FREE) && !defined(MBEDTLS_PLATFORM_MEMORY)
+#error "MBEDTLS_PLATFORM_STD_FREE defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_EXIT) &&\
+    !defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#error "MBEDTLS_PLATFORM_STD_EXIT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_TIME) &&\
+    ( !defined(MBEDTLS_PLATFORM_TIME_ALT) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_STD_TIME defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_FPRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_FPRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_PRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_PRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_SNPRINTF) &&\
+    !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#error "MBEDTLS_PLATFORM_STD_SNPRINTF defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_ENTROPY_C) )
+#error "MBEDTLS_ENTROPY_NV_SEED defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT) &&\
+    !defined(MBEDTLS_ENTROPY_NV_SEED)
+#error "MBEDTLS_PLATFORM_NV_SEED_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ) &&\
+    !defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#error "MBEDTLS_PLATFORM_STD_NV_SEED_READ defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE) &&\
+    !defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#error "MBEDTLS_PLATFORM_STD_NV_SEED_WRITE defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ) ||\
+      defined(MBEDTLS_PLATFORM_NV_SEED_ALT) )
+#error "MBEDTLS_PLATFORM_NV_SEED_READ_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_READ cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE) ||\
+      defined(MBEDTLS_PLATFORM_NV_SEED_ALT) )
+#error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
+    !defined(MBEDTLS_OID_C) )
+#error "MBEDTLS_RSA_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_PKCS1_V21) &&         \
+    !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled"
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) &&                        \
+    ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) )
+#error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_SSL3 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) && ( !defined(MBEDTLS_MD5_C) ||     \
+    !defined(MBEDTLS_SHA1_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_1 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) &&     \
+    !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)     && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1)  && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_CLI_C) && !defined(MBEDTLS_SSL_TLS_C)
+#error "MBEDTLS_SSL_CLI_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && ( !defined(MBEDTLS_CIPHER_C) ||     \
+    !defined(MBEDTLS_MD_C) )
+#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_TLS_C)
+#error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2))
+#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_TLS1) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_1))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && (!defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1)))
+#error "Illegal protocol selection"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && !defined(MBEDTLS_SSL_PROTO_DTLS)
+#error "MBEDTLS_SSL_DTLS_HELLO_VERIFY  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && \
+    !defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+#error "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) &&                              \
+    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_ANTI_REPLAY  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) &&                              \
+    ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT  defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) &&   \
+    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&      \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&      \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+    !defined(MBEDTLS_SSL_PROTO_TLS1)   &&          \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_1) &&          \
+    !defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
+#endif
+
+#if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C)
+#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && \
+    !defined(MBEDTLS_SSL_PROTO_SSL3) && !defined(MBEDTLS_SSL_PROTO_TLS1)
+#error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
+        !defined(MBEDTLS_X509_CRT_PARSE_C)
+#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
+#endif
+#define MBEDTLS_THREADING_IMPL
+#endif
+
+#if defined(MBEDTLS_THREADING_ALT)
+#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
+#endif
+#define MBEDTLS_THREADING_IMPL
+#endif
+
+#if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL)
+#error "MBEDTLS_THREADING_C defined, single threading implementation required"
+#endif
+#undef MBEDTLS_THREADING_IMPL
+
+#if defined(MBEDTLS_VERSION_FEATURES) && !defined(MBEDTLS_VERSION_C)
+#error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
+    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) ||      \
+    !defined(MBEDTLS_PK_PARSE_C) )
+#error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) ||  \
+    !defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) ||       \
+    !defined(MBEDTLS_PK_WRITE_C) )
+#error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CRL_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
+#error "MBEDTLS_X509_CSR_PARSE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
+#error "MBEDTLS_X509_CRT_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
+#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_HAVE_INT32) && defined(MBEDTLS_HAVE_INT64)
+#error "MBEDTLS_HAVE_INT32 and MBEDTLS_HAVE_INT64 cannot be defined simultaneously"
+#endif /* MBEDTLS_HAVE_INT32 && MBEDTLS_HAVE_INT64 */
+
+#if ( defined(MBEDTLS_HAVE_INT32) || defined(MBEDTLS_HAVE_INT64) ) && \
+    defined(MBEDTLS_HAVE_ASM)
+#error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
+#endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
+
+/*
+ * Avoid warning from -pedantic. This is a convenient place for this
+ * workaround since this is included by every single file before the
+ * #if defined(MBEDTLS_xxx_C) that results in empty translation units.
+ */
+typedef int mbedtls_iso_c_forbids_empty_translation_units;
+
+#endif /* MBEDTLS_CHECK_CONFIG_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/cipher.h b/makerom/deps/libmbedtls/include/mbedtls/cipher.h
new file mode 100644
index 00000000..082a6917
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/cipher.h
@@ -0,0 +1,872 @@
+/**
+ * \file cipher.h
+ *
+ * \brief This file contains an abstraction interface for use with the cipher
+ * primitives provided by the library. It provides a common interface to all of
+ * the available cipher operations.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CIPHER_H
+#define MBEDTLS_CIPHER_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include "platform_util.h"
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+#define MBEDTLS_CIPHER_MODE_AEAD
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_CIPHER_MODE_WITH_PADDING
+#endif
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
+    defined(MBEDTLS_CHACHA20_C)
+#define MBEDTLS_CIPHER_MODE_STREAM
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE  -0x6080  /**< The selected feature is not available. */
+#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA       -0x6100  /**< Bad input parameters. */
+#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED         -0x6180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_CIPHER_INVALID_PADDING      -0x6200  /**< Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED  -0x6280  /**< Decryption of block requires a full block. */
+#define MBEDTLS_ERR_CIPHER_AUTH_FAILED          -0x6300  /**< Authentication failed (for AEAD modes). */
+#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT      -0x6380  /**< The context is invalid. For example, because it was freed. */
+
+/* MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED      -0x6400  /**< Cipher hardware accelerator failed. */
+
+#define MBEDTLS_CIPHER_VARIABLE_IV_LEN     0x01    /**< Cipher accepts IVs of variable length. */
+#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN    0x02    /**< Cipher accepts keys of variable length. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief     Supported cipher types.
+ *
+ * \warning   RC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. Arm recommends considering stronger
+ *            ciphers instead.
+ */
+typedef enum {
+    MBEDTLS_CIPHER_ID_NONE = 0,  /**< Placeholder to mark the end of cipher ID lists. */
+    MBEDTLS_CIPHER_ID_NULL,      /**< The identity cipher, treated as a stream cipher. */
+    MBEDTLS_CIPHER_ID_AES,       /**< The AES cipher. */
+    MBEDTLS_CIPHER_ID_DES,       /**< The DES cipher. */
+    MBEDTLS_CIPHER_ID_3DES,      /**< The Triple DES cipher. */
+    MBEDTLS_CIPHER_ID_CAMELLIA,  /**< The Camellia cipher. */
+    MBEDTLS_CIPHER_ID_BLOWFISH,  /**< The Blowfish cipher. */
+    MBEDTLS_CIPHER_ID_ARC4,      /**< The RC4 cipher. */
+    MBEDTLS_CIPHER_ID_ARIA,      /**< The Aria cipher. */
+    MBEDTLS_CIPHER_ID_CHACHA20,  /**< The ChaCha20 cipher. */
+} mbedtls_cipher_id_t;
+
+/**
+ * \brief     Supported {cipher type, cipher mode} pairs.
+ *
+ * \warning   RC4 and DES are considered weak ciphers and their use
+ *            constitutes a security risk. Arm recommends considering stronger
+ *            ciphers instead.
+ */
+typedef enum {
+    MBEDTLS_CIPHER_NONE = 0,             /**< Placeholder to mark the end of cipher-pair lists. */
+    MBEDTLS_CIPHER_NULL,                 /**< The identity stream cipher. */
+    MBEDTLS_CIPHER_AES_128_ECB,          /**< AES cipher with 128-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_192_ECB,          /**< AES cipher with 192-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_256_ECB,          /**< AES cipher with 256-bit ECB mode. */
+    MBEDTLS_CIPHER_AES_128_CBC,          /**< AES cipher with 128-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_192_CBC,          /**< AES cipher with 192-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_256_CBC,          /**< AES cipher with 256-bit CBC mode. */
+    MBEDTLS_CIPHER_AES_128_CFB128,       /**< AES cipher with 128-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_192_CFB128,       /**< AES cipher with 192-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_256_CFB128,       /**< AES cipher with 256-bit CFB128 mode. */
+    MBEDTLS_CIPHER_AES_128_CTR,          /**< AES cipher with 128-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_192_CTR,          /**< AES cipher with 192-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_256_CTR,          /**< AES cipher with 256-bit CTR mode. */
+    MBEDTLS_CIPHER_AES_128_GCM,          /**< AES cipher with 128-bit GCM mode. */
+    MBEDTLS_CIPHER_AES_192_GCM,          /**< AES cipher with 192-bit GCM mode. */
+    MBEDTLS_CIPHER_AES_256_GCM,          /**< AES cipher with 256-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_ECB,     /**< Camellia cipher with 128-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_ECB,     /**< Camellia cipher with 192-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_ECB,     /**< Camellia cipher with 256-bit ECB mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CBC,     /**< Camellia cipher with 128-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CBC,     /**< Camellia cipher with 192-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CBC,     /**< Camellia cipher with 256-bit CBC mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  /**< Camellia cipher with 128-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  /**< Camellia cipher with 192-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  /**< Camellia cipher with 256-bit CFB128 mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CTR,     /**< Camellia cipher with 128-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CTR,     /**< Camellia cipher with 192-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CTR,     /**< Camellia cipher with 256-bit CTR mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_GCM,     /**< Camellia cipher with 128-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_GCM,     /**< Camellia cipher with 192-bit GCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_GCM,     /**< Camellia cipher with 256-bit GCM mode. */
+    MBEDTLS_CIPHER_DES_ECB,              /**< DES cipher with ECB mode. */
+    MBEDTLS_CIPHER_DES_CBC,              /**< DES cipher with CBC mode. */
+    MBEDTLS_CIPHER_DES_EDE_ECB,          /**< DES cipher with EDE ECB mode. */
+    MBEDTLS_CIPHER_DES_EDE_CBC,          /**< DES cipher with EDE CBC mode. */
+    MBEDTLS_CIPHER_DES_EDE3_ECB,         /**< DES cipher with EDE3 ECB mode. */
+    MBEDTLS_CIPHER_DES_EDE3_CBC,         /**< DES cipher with EDE3 CBC mode. */
+    MBEDTLS_CIPHER_BLOWFISH_ECB,         /**< Blowfish cipher with ECB mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CBC,         /**< Blowfish cipher with CBC mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CFB64,       /**< Blowfish cipher with CFB64 mode. */
+    MBEDTLS_CIPHER_BLOWFISH_CTR,         /**< Blowfish cipher with CTR mode. */
+    MBEDTLS_CIPHER_ARC4_128,             /**< RC4 cipher with 128-bit mode. */
+    MBEDTLS_CIPHER_AES_128_CCM,          /**< AES cipher with 128-bit CCM mode. */
+    MBEDTLS_CIPHER_AES_192_CCM,          /**< AES cipher with 192-bit CCM mode. */
+    MBEDTLS_CIPHER_AES_256_CCM,          /**< AES cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM,     /**< Camellia cipher with 128-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM,     /**< Camellia cipher with 192-bit CCM mode. */
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM,     /**< Camellia cipher with 256-bit CCM mode. */
+    MBEDTLS_CIPHER_ARIA_128_ECB,         /**< Aria cipher with 128-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_192_ECB,         /**< Aria cipher with 192-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_256_ECB,         /**< Aria cipher with 256-bit key and ECB mode. */
+    MBEDTLS_CIPHER_ARIA_128_CBC,         /**< Aria cipher with 128-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_192_CBC,         /**< Aria cipher with 192-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_256_CBC,         /**< Aria cipher with 256-bit key and CBC mode. */
+    MBEDTLS_CIPHER_ARIA_128_CFB128,      /**< Aria cipher with 128-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_192_CFB128,      /**< Aria cipher with 192-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_256_CFB128,      /**< Aria cipher with 256-bit key and CFB-128 mode. */
+    MBEDTLS_CIPHER_ARIA_128_CTR,         /**< Aria cipher with 128-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_192_CTR,         /**< Aria cipher with 192-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_256_CTR,         /**< Aria cipher with 256-bit key and CTR mode. */
+    MBEDTLS_CIPHER_ARIA_128_GCM,         /**< Aria cipher with 128-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_192_GCM,         /**< Aria cipher with 192-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_256_GCM,         /**< Aria cipher with 256-bit key and GCM mode. */
+    MBEDTLS_CIPHER_ARIA_128_CCM,         /**< Aria cipher with 128-bit key and CCM mode. */
+    MBEDTLS_CIPHER_ARIA_192_CCM,         /**< Aria cipher with 192-bit key and CCM mode. */
+    MBEDTLS_CIPHER_ARIA_256_CCM,         /**< Aria cipher with 256-bit key and CCM mode. */
+    MBEDTLS_CIPHER_AES_128_OFB,          /**< AES 128-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_192_OFB,          /**< AES 192-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_256_OFB,          /**< AES 256-bit cipher in OFB mode. */
+    MBEDTLS_CIPHER_AES_128_XTS,          /**< AES 128-bit cipher in XTS block mode. */
+    MBEDTLS_CIPHER_AES_256_XTS,          /**< AES 256-bit cipher in XTS block mode. */
+    MBEDTLS_CIPHER_CHACHA20,             /**< ChaCha20 stream cipher. */
+    MBEDTLS_CIPHER_CHACHA20_POLY1305,    /**< ChaCha20-Poly1305 AEAD cipher. */
+} mbedtls_cipher_type_t;
+
+/** Supported cipher modes. */
+typedef enum {
+    MBEDTLS_MODE_NONE = 0,               /**< None. */
+    MBEDTLS_MODE_ECB,                    /**< The ECB cipher mode. */
+    MBEDTLS_MODE_CBC,                    /**< The CBC cipher mode. */
+    MBEDTLS_MODE_CFB,                    /**< The CFB cipher mode. */
+    MBEDTLS_MODE_OFB,                    /**< The OFB cipher mode. */
+    MBEDTLS_MODE_CTR,                    /**< The CTR cipher mode. */
+    MBEDTLS_MODE_GCM,                    /**< The GCM cipher mode. */
+    MBEDTLS_MODE_STREAM,                 /**< The stream cipher mode. */
+    MBEDTLS_MODE_CCM,                    /**< The CCM cipher mode. */
+    MBEDTLS_MODE_XTS,                    /**< The XTS cipher mode. */
+    MBEDTLS_MODE_CHACHAPOLY,             /**< The ChaCha-Poly cipher mode. */
+} mbedtls_cipher_mode_t;
+
+/** Supported cipher padding types. */
+typedef enum {
+    MBEDTLS_PADDING_PKCS7 = 0,     /**< PKCS7 padding (default).        */
+    MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding.         */
+    MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding.             */
+    MBEDTLS_PADDING_ZEROS,         /**< Zero padding (not reversible). */
+    MBEDTLS_PADDING_NONE,          /**< Never pad (full blocks only).   */
+} mbedtls_cipher_padding_t;
+
+/** Type of operation. */
+typedef enum {
+    MBEDTLS_OPERATION_NONE = -1,
+    MBEDTLS_DECRYPT = 0,
+    MBEDTLS_ENCRYPT,
+} mbedtls_operation_t;
+
+enum {
+    /** Undefined key length. */
+    MBEDTLS_KEY_LENGTH_NONE = 0,
+    /** Key length, in bits (including parity), for DES keys. */
+    MBEDTLS_KEY_LENGTH_DES  = 64,
+    /** Key length in bits, including parity, for DES in two-key EDE. */
+    MBEDTLS_KEY_LENGTH_DES_EDE = 128,
+    /** Key length in bits, including parity, for DES in three-key EDE. */
+    MBEDTLS_KEY_LENGTH_DES_EDE3 = 192,
+};
+
+/** Maximum length of any IV, in Bytes. */
+#define MBEDTLS_MAX_IV_LENGTH      16
+/** Maximum block size of any cipher, in Bytes. */
+#define MBEDTLS_MAX_BLOCK_LENGTH   16
+
+/**
+ * Base cipher information (opaque struct).
+ */
+typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
+
+/**
+ * CMAC context (opaque struct).
+ */
+typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
+
+/**
+ * Cipher information. Allows calling cipher functions
+ * in a generic way.
+ */
+typedef struct mbedtls_cipher_info_t
+{
+    /** Full cipher identifier. For example,
+     * MBEDTLS_CIPHER_AES_256_CBC.
+     */
+    mbedtls_cipher_type_t type;
+
+    /** The cipher mode. For example, MBEDTLS_MODE_CBC. */
+    mbedtls_cipher_mode_t mode;
+
+    /** The cipher key length, in bits. This is the
+     * default length for variable sized ciphers.
+     * Includes parity bits for ciphers like DES.
+     */
+    unsigned int key_bitlen;
+
+    /** Name of the cipher. */
+    const char * name;
+
+    /** IV or nonce size, in Bytes.
+     * For ciphers that accept variable IV sizes,
+     * this is the recommended size.
+     */
+    unsigned int iv_size;
+
+    /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and
+     *  MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the
+     *  cipher supports variable IV or variable key sizes, respectively.
+     */
+    int flags;
+
+    /** The block size, in Bytes. */
+    unsigned int block_size;
+
+    /** Struct for base cipher information and functions. */
+    const mbedtls_cipher_base_t *base;
+
+} mbedtls_cipher_info_t;
+
+/**
+ * Generic cipher context.
+ */
+typedef struct mbedtls_cipher_context_t
+{
+    /** Information about the associated cipher. */
+    const mbedtls_cipher_info_t *cipher_info;
+
+    /** Key length to use. */
+    int key_bitlen;
+
+    /** Operation that the key of the context has been
+     * initialized for.
+     */
+    mbedtls_operation_t operation;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /** Padding functions to use, if relevant for
+     * the specific cipher mode.
+     */
+    void (*add_padding)( unsigned char *output, size_t olen, size_t data_len );
+    int (*get_padding)( unsigned char *input, size_t ilen, size_t *data_len );
+#endif
+
+    /** Buffer for input that has not been processed yet. */
+    unsigned char unprocessed_data[MBEDTLS_MAX_BLOCK_LENGTH];
+
+    /** Number of Bytes that have not been processed yet. */
+    size_t unprocessed_len;
+
+    /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number
+     * for XTS-mode. */
+    unsigned char iv[MBEDTLS_MAX_IV_LENGTH];
+
+    /** IV size in Bytes, for ciphers with variable-length IVs. */
+    size_t iv_size;
+
+    /** The cipher-specific context. */
+    void *cipher_ctx;
+
+#if defined(MBEDTLS_CMAC_C)
+    /** CMAC-specific context. */
+    mbedtls_cmac_context_t *cmac_ctx;
+#endif
+} mbedtls_cipher_context_t;
+
+/**
+ * \brief This function retrieves the list of ciphers supported by the generic
+ * cipher module.
+ *
+ * \return      A statically-allocated array of ciphers. The last entry
+ *              is zero.
+ */
+const int *mbedtls_cipher_list( void );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher name.
+ *
+ * \param cipher_name   Name of the cipher to search for. This must not be
+ *                      \c NULL.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_name.
+ * \return              \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher type.
+ *
+ * \param cipher_type   Type of the cipher to search for.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_type.
+ * \return              \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type );
+
+/**
+ * \brief               This function retrieves the cipher-information
+ *                      structure associated with the given cipher ID,
+ *                      key size and mode.
+ *
+ * \param cipher_id     The ID of the cipher to search for. For example,
+ *                      #MBEDTLS_CIPHER_ID_AES.
+ * \param key_bitlen    The length of the key in bits.
+ * \param mode          The cipher mode. For example, #MBEDTLS_MODE_CBC.
+ *
+ * \return              The cipher information structure associated with the
+ *                      given \p cipher_id.
+ * \return              \c NULL if the associated cipher information is not found.
+ */
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
+                                              int key_bitlen,
+                                              const mbedtls_cipher_mode_t mode );
+
+/**
+ * \brief               This function initializes a \p cipher_context as NONE.
+ *
+ * \param ctx           The context to be initialized. This must not be \c NULL.
+ */
+void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx );
+
+/**
+ * \brief               This function frees and clears the cipher-specific
+ *                      context of \p ctx. Freeing \p ctx itself remains the
+ *                      responsibility of the caller.
+ *
+ * \param ctx           The context to be freed. If this is \c NULL, the
+ *                      function has no effect, otherwise this must point to an
+ *                      initialized context.
+ */
+void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx );
+
+
+/**
+ * \brief               This function initializes and fills the cipher-context
+ *                      structure with the appropriate values. It also clears
+ *                      the structure.
+ *
+ * \param ctx           The context to initialize. This must be initialized.
+ * \param cipher_info   The cipher to use.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the
+ *                      cipher-specific context fails.
+ *
+ * \internal Currently, the function also clears the structure.
+ * In future versions, the caller will be required to call
+ * mbedtls_cipher_init() on the structure first.
+ */
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
+                          const mbedtls_cipher_info_t *cipher_info );
+
+/**
+ * \brief        This function returns the block size of the given cipher.
+ *
+ * \param ctx    The context of the cipher. This must be initialized.
+ *
+ * \return       The block size of the underlying cipher.
+ * \return       \c 0 if \p ctx has not been initialized.
+ */
+static inline unsigned int mbedtls_cipher_get_block_size(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
+        return 0;
+
+    return ctx->cipher_info->block_size;
+}
+
+/**
+ * \brief        This function returns the mode of operation for
+ *               the cipher. For example, MBEDTLS_MODE_CBC.
+ *
+ * \param ctx    The context of the cipher. This must be initialized.
+ *
+ * \return       The mode of operation.
+ * \return       #MBEDTLS_MODE_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_MODE_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_MODE_NONE;
+
+    return ctx->cipher_info->mode;
+}
+
+/**
+ * \brief       This function returns the size of the IV or nonce
+ *              of the cipher, in Bytes.
+ *
+ * \param ctx   The context of the cipher. This must be initialized.
+ *
+ * \return      The recommended IV size if no IV has been set.
+ * \return      \c 0 for ciphers not using an IV or a nonce.
+ * \return      The actual size if an IV has been set.
+ */
+static inline int mbedtls_cipher_get_iv_size(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
+        return 0;
+
+    if( ctx->iv_size != 0 )
+        return (int) ctx->iv_size;
+
+    return (int) ctx->cipher_info->iv_size;
+}
+
+/**
+ * \brief               This function returns the type of the given cipher.
+ *
+ * \param ctx           The context of the cipher. This must be initialized.
+ *
+ * \return              The type of the cipher.
+ * \return              #MBEDTLS_CIPHER_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_CIPHER_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_CIPHER_NONE;
+
+    return ctx->cipher_info->type;
+}
+
+/**
+ * \brief               This function returns the name of the given cipher
+ *                      as a string.
+ *
+ * \param ctx           The context of the cipher. This must be initialized.
+ *
+ * \return              The name of the cipher.
+ * \return              NULL if \p ctx has not been not initialized.
+ */
+static inline const char *mbedtls_cipher_get_name(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 );
+    if( ctx->cipher_info == NULL )
+        return 0;
+
+    return ctx->cipher_info->name;
+}
+
+/**
+ * \brief               This function returns the key length of the cipher.
+ *
+ * \param ctx           The context of the cipher. This must be initialized.
+ *
+ * \return              The key length of the cipher in bits.
+ * \return              #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been
+ *                      initialized.
+ */
+static inline int mbedtls_cipher_get_key_bitlen(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_KEY_LENGTH_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_KEY_LENGTH_NONE;
+
+    return (int) ctx->cipher_info->key_bitlen;
+}
+
+/**
+ * \brief          This function returns the operation of the given cipher.
+ *
+ * \param ctx      The context of the cipher. This must be initialized.
+ *
+ * \return         The type of operation: #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ * \return         #MBEDTLS_OPERATION_NONE if \p ctx has not been initialized.
+ */
+static inline mbedtls_operation_t mbedtls_cipher_get_operation(
+    const mbedtls_cipher_context_t *ctx )
+{
+    MBEDTLS_INTERNAL_VALIDATE_RET(
+        ctx != NULL, MBEDTLS_OPERATION_NONE );
+    if( ctx->cipher_info == NULL )
+        return MBEDTLS_OPERATION_NONE;
+
+    return ctx->operation;
+}
+
+/**
+ * \brief               This function sets the key to use with the given context.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
+ * \param key           The key to use. This must be a readable buffer of at
+ *                      least \p key_bitlen Bits.
+ * \param key_bitlen    The key length to use, in Bits.
+ * \param operation     The operation that the key will be used for:
+ *                      #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *key,
+                           int key_bitlen,
+                           const mbedtls_operation_t operation );
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+/**
+ * \brief               This function sets the padding mode, for cipher modes
+ *                      that use padding.
+ *
+ *                      The default passing mode is PKCS7 padding.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a cipher information structure.
+ * \param mode          The padding mode.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+ *                      if the selected padding mode is not supported.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode
+ *                      does not support padding.
+ */
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
+                                     mbedtls_cipher_padding_t mode );
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+/**
+ * \brief           This function sets the initialization vector (IV)
+ *                  or nonce.
+ *
+ * \note            Some ciphers do not use IVs nor nonce. For these
+ *                  ciphers, this function has no effect.
+ *
+ * \param ctx       The generic cipher context. This must be initialized and
+ *                  bound to a cipher information structure.
+ * \param iv        The IV to use, or NONCE_COUNTER for CTR-mode ciphers. This
+ *                  must be a readable buffer of at least \p iv_len Bytes.
+ * \param iv_len    The IV length for ciphers with variable-size IV.
+ *                  This parameter is discarded by ciphers with fixed-size IV.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                  parameter-verification failure.
+ */
+int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *iv,
+                           size_t iv_len );
+
+/**
+ * \brief         This function resets the cipher state.
+ *
+ * \param ctx     The generic cipher context. This must be initialized.
+ *
+ * \return        \c 0 on success.
+ * \return        #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                parameter-verification failure.
+ */
+int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/**
+ * \brief               This function adds additional data for AEAD ciphers.
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called exactly once, after
+ *                      mbedtls_cipher_reset().
+ *
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param ad            The additional data to use. This must be a readable
+ *                      buffer of at least \p ad_len Bytes.
+ * \param ad_len        the Length of \p ad Bytes.
+ *
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
+ */
+int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *ad, size_t ad_len );
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/**
+ * \brief               The generic cipher update function. It encrypts or
+ *                      decrypts using the given cipher context. Writes as
+ *                      many block-sized blocks of data as possible to output.
+ *                      Any data that cannot be written immediately is either
+ *                      added to the next block, or flushed when
+ *                      mbedtls_cipher_finish() is called.
+ *                      Exception: For MBEDTLS_MODE_ECB, expects a single block
+ *                      in size. For example, 16 Bytes for AES.
+ *
+ * \note                If the underlying cipher is used in GCM mode, all calls
+ *                      to this function, except for the last one before
+ *                      mbedtls_cipher_finish(), must have \p ilen as a
+ *                      multiple of the block size of the cipher.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an
+ *                      unsupported mode for a cipher.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
+                   size_t ilen, unsigned char *output, size_t *olen );
+
+/**
+ * \brief               The generic cipher finalization function. If data still
+ *                      needs to be flushed from an incomplete block, the data
+ *                      contained in it is padded to the size of
+ *                      the last block, and written to the \p output buffer.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param output        The buffer to write data to. This needs to be a writable
+ *                      buffer of at least \p block_size Bytes.
+ * \param olen          The length of the data written to the \p output buffer.
+ *                      This may not be \c NULL.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ *                      expecting a full block but not receiving one.
+ * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
+                   unsigned char *output, size_t *olen );
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/**
+ * \brief               This function writes a tag for AEAD ciphers.
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx           The generic cipher context. This must be initialized,
+ *                      bound to a key, and have just completed a cipher
+ *                      operation through mbedtls_cipher_finish() the tag for
+ *                      which should be written.
+ * \param tag           The buffer to write the tag to. This must be a writable
+ *                      buffer of at least \p tag_len Bytes.
+ * \param tag_len       The length of the tag to write.
+ *
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
+ */
+int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
+                      unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief               This function checks the tag for AEAD ciphers.
+ *                      Currently supported with GCM and ChaCha20+Poly1305.
+ *                      This must be called after mbedtls_cipher_finish().
+ *
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param tag           The buffer holding the tag. This must be a readable
+ *                      buffer of at least \p tag_len Bytes.
+ * \param tag_len       The length of the tag to check.
+ *
+ * \return              \c 0 on success.
+ * \return              A specific error code on failure.
+ */
+int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *tag, size_t tag_len );
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/**
+ * \brief               The generic all-in-one encryption/decryption function,
+ *                      for all ciphers except AEAD constructs.
+ *
+ * \param ctx           The generic cipher context. This must be initialized.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size
+ *                      IV.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data in Bytes.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least `ilen + block_size`. This must not be the
+ *                      same buffer as \p input.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ *
+ * \note                Some ciphers do not use IVs nor nonce. For these
+ *                      ciphers, use \p iv = NULL and \p iv_len = 0.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED on decryption
+ *                      expecting a full block but not receiving one.
+ * \return              #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding
+ *                      while decrypting.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
+                  const unsigned char *iv, size_t iv_len,
+                  const unsigned char *input, size_t ilen,
+                  unsigned char *output, size_t *olen );
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/**
+ * \brief               The generic autenticated encryption (AEAD) function.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      bound to a key.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad            The additional data to authenticate. This must be a
+ *                      readable buffer of at least \p ad_len Bytes.
+ * \param ad_len        The length of \p ad.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data. This must be able to
+ *                      hold at least \p ilen Bytes.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ * \param tag           The buffer for the authentication tag. This must be a
+ *                      writable buffer of at least \p tag_len Bytes.
+ * \param tag_len       The desired length of the authentication tag.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         unsigned char *tag, size_t tag_len );
+
+/**
+ * \brief               The generic autenticated decryption (AEAD) function.
+ *
+ * \note                If the data is not authentic, then the output buffer
+ *                      is zeroed out to prevent the unauthentic plaintext being
+ *                      used, making this interface safer.
+ *
+ * \param ctx           The generic cipher context. This must be initialized and
+ *                      and bound to a key.
+ * \param iv            The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ *                      This must be a readable buffer of at least \p iv_len
+ *                      Bytes.
+ * \param iv_len        The IV length for ciphers with variable-size IV.
+ *                      This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad            The additional data to be authenticated. This must be a
+ *                      readable buffer of at least \p ad_len Bytes.
+ * \param ad_len        The length of \p ad.
+ * \param input         The buffer holding the input data. This must be a
+ *                      readable buffer of at least \p ilen Bytes.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the output data.
+ *                      This must be able to hold at least \p ilen Bytes.
+ * \param olen          The length of the output data, to be updated with the
+ *                      actual number of Bytes written. This must not be
+ *                      \c NULL.
+ * \param tag           The buffer holding the authentication tag. This must be
+ *                      a readable buffer of at least \p tag_len Bytes.
+ * \param tag_len       The length of the authentication tag.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ *                      parameter-verification failure.
+ * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         const unsigned char *tag, size_t tag_len );
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/cipher_internal.h b/makerom/deps/libmbedtls/include/mbedtls/cipher_internal.h
new file mode 100644
index 00000000..c6def0be
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/cipher_internal.h
@@ -0,0 +1,125 @@
+/**
+ * \file cipher_internal.h
+ *
+ * \brief Cipher wrappers.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CIPHER_WRAP_H
+#define MBEDTLS_CIPHER_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Base cipher information. The non-mode specific functions and values.
+ */
+struct mbedtls_cipher_base_t
+{
+    /** Base Cipher type (e.g. MBEDTLS_CIPHER_ID_AES) */
+    mbedtls_cipher_id_t cipher;
+
+    /** Encrypt using ECB */
+    int (*ecb_func)( void *ctx, mbedtls_operation_t mode,
+                     const unsigned char *input, unsigned char *output );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /** Encrypt using CBC */
+    int (*cbc_func)( void *ctx, mbedtls_operation_t mode, size_t length,
+                     unsigned char *iv, const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    /** Encrypt using CFB (Full length) */
+    int (*cfb_func)( void *ctx, mbedtls_operation_t mode, size_t length, size_t *iv_off,
+                     unsigned char *iv, const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    /** Encrypt using OFB (Full length) */
+    int (*ofb_func)( void *ctx, size_t length, size_t *iv_off,
+                     unsigned char *iv,
+                     const unsigned char *input,
+                     unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /** Encrypt using CTR */
+    int (*ctr_func)( void *ctx, size_t length, size_t *nc_off,
+                     unsigned char *nonce_counter, unsigned char *stream_block,
+                     const unsigned char *input, unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    /** Encrypt or decrypt using XTS. */
+    int (*xts_func)( void *ctx, mbedtls_operation_t mode, size_t length,
+                     const unsigned char data_unit[16],
+                     const unsigned char *input, unsigned char *output );
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    /** Encrypt using STREAM */
+    int (*stream_func)( void *ctx, size_t length,
+                        const unsigned char *input, unsigned char *output );
+#endif
+
+    /** Set key for encryption purposes */
+    int (*setkey_enc_func)( void *ctx, const unsigned char *key,
+                            unsigned int key_bitlen );
+
+    /** Set key for decryption purposes */
+    int (*setkey_dec_func)( void *ctx, const unsigned char *key,
+                            unsigned int key_bitlen);
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+};
+
+typedef struct
+{
+    mbedtls_cipher_type_t type;
+    const mbedtls_cipher_info_t *info;
+} mbedtls_cipher_definition_t;
+
+extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
+
+extern int mbedtls_cipher_supported[];
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CIPHER_WRAP_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/cmac.h b/makerom/deps/libmbedtls/include/mbedtls/cmac.h
new file mode 100644
index 00000000..9d42b3f2
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/cmac.h
@@ -0,0 +1,213 @@
+/**
+ * \file cmac.h
+ *
+ * \brief This file contains CMAC definitions and functions.
+ *
+ * The Cipher-based Message Authentication Code (CMAC) Mode for
+ * Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
+ */
+/*
+ *  Copyright (C) 2015-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CMAC_H
+#define MBEDTLS_CMAC_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A  /**< CMAC hardware accelerator failed. */
+
+#define MBEDTLS_AES_BLOCK_SIZE          16
+#define MBEDTLS_DES3_BLOCK_SIZE         8
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /**< The longest block used by CMAC is that of AES. */
+#else
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /**< The longest block used by CMAC is that of 3DES. */
+#endif
+
+#if !defined(MBEDTLS_CMAC_ALT)
+
+/**
+ * The CMAC context structure.
+ */
+struct mbedtls_cmac_context_t
+{
+    /** The internal state of the CMAC algorithm.  */
+    unsigned char       state[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** Unprocessed data - either data that was not block aligned and is still
+     *  pending processing, or the final block. */
+    unsigned char       unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** The length of data pending processing. */
+    size_t              unprocessed_len;
+};
+
+#else  /* !MBEDTLS_CMAC_ALT */
+#include "cmac_alt.h"
+#endif /* !MBEDTLS_CMAC_ALT */
+
+/**
+ * \brief               This function sets the CMAC key, and prepares to authenticate
+ *                      the input data.
+ *                      Must be called with an initialized cipher context.
+ *
+ * \param ctx           The cipher context used for the CMAC operation, initialized
+ *                      as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
+ *                      MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
+ *                      or MBEDTLS_CIPHER_DES_EDE3_ECB.
+ * \param key           The CMAC key.
+ * \param keybits       The length of the CMAC key in bits.
+ *                      Must be supported by the cipher.
+ *
+ * \return              \c 0 on success.
+ * \return              A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *key, size_t keybits );
+
+/**
+ * \brief               This function feeds an input buffer into an ongoing CMAC
+ *                      computation.
+ *
+ *                      It is called between mbedtls_cipher_cmac_starts() or
+ *                      mbedtls_cipher_cmac_reset(), and mbedtls_cipher_cmac_finish().
+ *                      Can be called repeatedly.
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                     if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *input, size_t ilen );
+
+/**
+ * \brief               This function finishes the CMAC operation, and writes
+ *                      the result to the output buffer.
+ *
+ *                      It is called after mbedtls_cipher_cmac_update().
+ *                      It can be followed by mbedtls_cipher_cmac_reset() and
+ *                      mbedtls_cipher_cmac_update(), or mbedtls_cipher_free().
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ * \param output        The output buffer for the CMAC checksum result.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
+                                unsigned char *output );
+
+/**
+ * \brief               This function prepares the authentication of another
+ *                      message with the same key as the previous CMAC
+ *                      operation.
+ *
+ *                      It is called after mbedtls_cipher_cmac_finish()
+ *                      and before mbedtls_cipher_cmac_update().
+ *
+ * \param ctx           The cipher context used for the CMAC operation.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
+
+/**
+ * \brief               This function calculates the full generic CMAC
+ *                      on the input buffer with the provided key.
+ *
+ *                      The function allocates the context, performs the
+ *                      calculation, and frees the context.
+ *
+ *                      The CMAC result is calculated as
+ *                      output = generic CMAC(cmac key, input buffer).
+ *
+ *
+ * \param cipher_info   The cipher information.
+ * \param key           The CMAC key.
+ * \param keylen        The length of the CMAC key in bits.
+ * \param input         The buffer holding the input data.
+ * \param ilen          The length of the input data.
+ * \param output        The buffer for the generic CMAC result.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA
+ *                      if parameter verification fails.
+ */
+int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output );
+
+#if defined(MBEDTLS_AES_C)
+/**
+ * \brief           This function implements the AES-CMAC-PRF-128 pseudorandom
+ *                  function, as defined in
+ *                  <em>RFC-4615: The Advanced Encryption Standard-Cipher-based
+ *                  Message Authentication Code-Pseudo-Random Function-128
+ *                  (AES-CMAC-PRF-128) Algorithm for the Internet Key
+ *                  Exchange Protocol (IKE).</em>
+ *
+ * \param key       The key to use.
+ * \param key_len   The key length in Bytes.
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ * \param output    The buffer holding the generated 16 Bytes of
+ *                  pseudorandom output.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
+                              const unsigned char *input, size_t in_len,
+                              unsigned char output[16] );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
+/**
+ * \brief          The CMAC checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_cmac_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CMAC_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/compat-1.3.h b/makerom/deps/libmbedtls/include/mbedtls/compat-1.3.h
new file mode 100644
index 00000000..a58b4724
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/compat-1.3.h
@@ -0,0 +1,2531 @@
+/**
+ * \file compat-1.3.h
+ *
+ * \brief Compatibility definitions for using mbed TLS with client code written
+ *  for the PolarSSL naming conventions.
+ *
+ * \deprecated Use the new names directly instead
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Including compat-1.3.h is deprecated"
+#endif
+
+#ifndef MBEDTLS_COMPAT13_H
+#define MBEDTLS_COMPAT13_H
+
+/*
+ * config.h options
+ */
+#if defined MBEDTLS_AESNI_C
+#define POLARSSL_AESNI_C MBEDTLS_AESNI_C
+#endif
+#if defined MBEDTLS_AES_ALT
+#define POLARSSL_AES_ALT MBEDTLS_AES_ALT
+#endif
+#if defined MBEDTLS_AES_C
+#define POLARSSL_AES_C MBEDTLS_AES_C
+#endif
+#if defined MBEDTLS_AES_ROM_TABLES
+#define POLARSSL_AES_ROM_TABLES MBEDTLS_AES_ROM_TABLES
+#endif
+#if defined MBEDTLS_ARC4_ALT
+#define POLARSSL_ARC4_ALT MBEDTLS_ARC4_ALT
+#endif
+#if defined MBEDTLS_ARC4_C
+#define POLARSSL_ARC4_C MBEDTLS_ARC4_C
+#endif
+#if defined MBEDTLS_ASN1_PARSE_C
+#define POLARSSL_ASN1_PARSE_C MBEDTLS_ASN1_PARSE_C
+#endif
+#if defined MBEDTLS_ASN1_WRITE_C
+#define POLARSSL_ASN1_WRITE_C MBEDTLS_ASN1_WRITE_C
+#endif
+#if defined MBEDTLS_BASE64_C
+#define POLARSSL_BASE64_C MBEDTLS_BASE64_C
+#endif
+#if defined MBEDTLS_BIGNUM_C
+#define POLARSSL_BIGNUM_C MBEDTLS_BIGNUM_C
+#endif
+#if defined MBEDTLS_BLOWFISH_ALT
+#define POLARSSL_BLOWFISH_ALT MBEDTLS_BLOWFISH_ALT
+#endif
+#if defined MBEDTLS_BLOWFISH_C
+#define POLARSSL_BLOWFISH_C MBEDTLS_BLOWFISH_C
+#endif
+#if defined MBEDTLS_CAMELLIA_ALT
+#define POLARSSL_CAMELLIA_ALT MBEDTLS_CAMELLIA_ALT
+#endif
+#if defined MBEDTLS_CAMELLIA_C
+#define POLARSSL_CAMELLIA_C MBEDTLS_CAMELLIA_C
+#endif
+#if defined MBEDTLS_CAMELLIA_SMALL_MEMORY
+#define POLARSSL_CAMELLIA_SMALL_MEMORY MBEDTLS_CAMELLIA_SMALL_MEMORY
+#endif
+#if defined MBEDTLS_CCM_C
+#define POLARSSL_CCM_C MBEDTLS_CCM_C
+#endif
+#if defined MBEDTLS_CERTS_C
+#define POLARSSL_CERTS_C MBEDTLS_CERTS_C
+#endif
+#if defined MBEDTLS_CIPHER_C
+#define POLARSSL_CIPHER_C MBEDTLS_CIPHER_C
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CBC
+#define POLARSSL_CIPHER_MODE_CBC MBEDTLS_CIPHER_MODE_CBC
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CFB
+#define POLARSSL_CIPHER_MODE_CFB MBEDTLS_CIPHER_MODE_CFB
+#endif
+#if defined MBEDTLS_CIPHER_MODE_CTR
+#define POLARSSL_CIPHER_MODE_CTR MBEDTLS_CIPHER_MODE_CTR
+#endif
+#if defined MBEDTLS_CIPHER_NULL_CIPHER
+#define POLARSSL_CIPHER_NULL_CIPHER MBEDTLS_CIPHER_NULL_CIPHER
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_PKCS7
+#define POLARSSL_CIPHER_PADDING_PKCS7 MBEDTLS_CIPHER_PADDING_PKCS7
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS
+#define POLARSSL_CIPHER_PADDING_ZEROS MBEDTLS_CIPHER_PADDING_ZEROS
+#endif
+#if defined MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#endif
+#if defined MBEDTLS_CTR_DRBG_C
+#define POLARSSL_CTR_DRBG_C MBEDTLS_CTR_DRBG_C
+#endif
+#if defined MBEDTLS_DEBUG_C
+#define POLARSSL_DEBUG_C MBEDTLS_DEBUG_C
+#endif
+#if defined MBEDTLS_DEPRECATED_REMOVED
+#define POLARSSL_DEPRECATED_REMOVED MBEDTLS_DEPRECATED_REMOVED
+#endif
+#if defined MBEDTLS_DEPRECATED_WARNING
+#define POLARSSL_DEPRECATED_WARNING MBEDTLS_DEPRECATED_WARNING
+#endif
+#if defined MBEDTLS_DES_ALT
+#define POLARSSL_DES_ALT MBEDTLS_DES_ALT
+#endif
+#if defined MBEDTLS_DES_C
+#define POLARSSL_DES_C MBEDTLS_DES_C
+#endif
+#if defined MBEDTLS_DHM_C
+#define POLARSSL_DHM_C MBEDTLS_DHM_C
+#endif
+#if defined MBEDTLS_ECDH_C
+#define POLARSSL_ECDH_C MBEDTLS_ECDH_C
+#endif
+#if defined MBEDTLS_ECDSA_C
+#define POLARSSL_ECDSA_C MBEDTLS_ECDSA_C
+#endif
+#if defined MBEDTLS_ECDSA_DETERMINISTIC
+#define POLARSSL_ECDSA_DETERMINISTIC MBEDTLS_ECDSA_DETERMINISTIC
+#endif
+#if defined MBEDTLS_ECP_C
+#define POLARSSL_ECP_C MBEDTLS_ECP_C
+#endif
+#if defined MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define POLARSSL_ECP_DP_BP256R1_ENABLED MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define POLARSSL_ECP_DP_BP384R1_ENABLED MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define POLARSSL_ECP_DP_BP512R1_ENABLED MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define POLARSSL_ECP_DP_M255_ENABLED MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define POLARSSL_ECP_DP_SECP192K1_ENABLED MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define POLARSSL_ECP_DP_SECP192R1_ENABLED MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define POLARSSL_ECP_DP_SECP224K1_ENABLED MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define POLARSSL_ECP_DP_SECP224R1_ENABLED MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define POLARSSL_ECP_DP_SECP256K1_ENABLED MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define POLARSSL_ECP_DP_SECP256R1_ENABLED MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define POLARSSL_ECP_DP_SECP384R1_ENABLED MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define POLARSSL_ECP_DP_SECP521R1_ENABLED MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#if defined MBEDTLS_ECP_FIXED_POINT_OPTIM
+#define POLARSSL_ECP_FIXED_POINT_OPTIM MBEDTLS_ECP_FIXED_POINT_OPTIM
+#endif
+#if defined MBEDTLS_ECP_MAX_BITS
+#define POLARSSL_ECP_MAX_BITS MBEDTLS_ECP_MAX_BITS
+#endif
+#if defined MBEDTLS_ECP_NIST_OPTIM
+#define POLARSSL_ECP_NIST_OPTIM MBEDTLS_ECP_NIST_OPTIM
+#endif
+#if defined MBEDTLS_ECP_WINDOW_SIZE
+#define POLARSSL_ECP_WINDOW_SIZE MBEDTLS_ECP_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#define POLARSSL_ENABLE_WEAK_CIPHERSUITES MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+#endif
+#if defined MBEDTLS_ENTROPY_C
+#define POLARSSL_ENTROPY_C MBEDTLS_ENTROPY_C
+#endif
+#if defined MBEDTLS_ENTROPY_FORCE_SHA256
+#define POLARSSL_ENTROPY_FORCE_SHA256 MBEDTLS_ENTROPY_FORCE_SHA256
+#endif
+#if defined MBEDTLS_ERROR_C
+#define POLARSSL_ERROR_C MBEDTLS_ERROR_C
+#endif
+#if defined MBEDTLS_ERROR_STRERROR_DUMMY
+#define POLARSSL_ERROR_STRERROR_DUMMY MBEDTLS_ERROR_STRERROR_DUMMY
+#endif
+#if defined MBEDTLS_FS_IO
+#define POLARSSL_FS_IO MBEDTLS_FS_IO
+#endif
+#if defined MBEDTLS_GCM_C
+#define POLARSSL_GCM_C MBEDTLS_GCM_C
+#endif
+#if defined MBEDTLS_GENPRIME
+#define POLARSSL_GENPRIME MBEDTLS_GENPRIME
+#endif
+#if defined MBEDTLS_HAVEGE_C
+#define POLARSSL_HAVEGE_C MBEDTLS_HAVEGE_C
+#endif
+#if defined MBEDTLS_HAVE_ASM
+#define POLARSSL_HAVE_ASM MBEDTLS_HAVE_ASM
+#endif
+#if defined MBEDTLS_HAVE_SSE2
+#define POLARSSL_HAVE_SSE2 MBEDTLS_HAVE_SSE2
+#endif
+#if defined MBEDTLS_HAVE_TIME
+#define POLARSSL_HAVE_TIME MBEDTLS_HAVE_TIME
+#endif
+#if defined MBEDTLS_HMAC_DRBG_C
+#define POLARSSL_HMAC_DRBG_C MBEDTLS_HMAC_DRBG_C
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_INPUT MBEDTLS_HMAC_DRBG_MAX_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#define POLARSSL_HMAC_DRBG_MAX_REQUEST MBEDTLS_HMAC_DRBG_MAX_REQUEST
+#endif
+#if defined MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#define POLARSSL_HMAC_DRBG_MAX_SEED_INPUT MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT
+#endif
+#if defined MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#define POLARSSL_HMAC_DRBG_RESEED_INTERVAL MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
+#if defined MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
+#if defined MBEDTLS_MD2_ALT
+#define POLARSSL_MD2_ALT MBEDTLS_MD2_ALT
+#endif
+#if defined MBEDTLS_MD2_C
+#define POLARSSL_MD2_C MBEDTLS_MD2_C
+#endif
+#if defined MBEDTLS_MD2_PROCESS_ALT
+#define POLARSSL_MD2_PROCESS_ALT MBEDTLS_MD2_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD4_ALT
+#define POLARSSL_MD4_ALT MBEDTLS_MD4_ALT
+#endif
+#if defined MBEDTLS_MD4_C
+#define POLARSSL_MD4_C MBEDTLS_MD4_C
+#endif
+#if defined MBEDTLS_MD4_PROCESS_ALT
+#define POLARSSL_MD4_PROCESS_ALT MBEDTLS_MD4_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD5_ALT
+#define POLARSSL_MD5_ALT MBEDTLS_MD5_ALT
+#endif
+#if defined MBEDTLS_MD5_C
+#define POLARSSL_MD5_C MBEDTLS_MD5_C
+#endif
+#if defined MBEDTLS_MD5_PROCESS_ALT
+#define POLARSSL_MD5_PROCESS_ALT MBEDTLS_MD5_PROCESS_ALT
+#endif
+#if defined MBEDTLS_MD_C
+#define POLARSSL_MD_C MBEDTLS_MD_C
+#endif
+#if defined MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#define POLARSSL_MEMORY_ALIGN_MULTIPLE MBEDTLS_MEMORY_ALIGN_MULTIPLE
+#endif
+#if defined MBEDTLS_MEMORY_BACKTRACE
+#define POLARSSL_MEMORY_BACKTRACE MBEDTLS_MEMORY_BACKTRACE
+#endif
+#if defined MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define POLARSSL_MEMORY_BUFFER_ALLOC_C MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#endif
+#if defined MBEDTLS_MEMORY_DEBUG
+#define POLARSSL_MEMORY_DEBUG MBEDTLS_MEMORY_DEBUG
+#endif
+#if defined MBEDTLS_MPI_MAX_SIZE
+#define POLARSSL_MPI_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+#if defined MBEDTLS_MPI_WINDOW_SIZE
+#define POLARSSL_MPI_WINDOW_SIZE MBEDTLS_MPI_WINDOW_SIZE
+#endif
+#if defined MBEDTLS_NET_C
+#define POLARSSL_NET_C MBEDTLS_NET_C
+#endif
+#if defined MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define POLARSSL_NO_DEFAULT_ENTROPY_SOURCES MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#endif
+#if defined MBEDTLS_NO_PLATFORM_ENTROPY
+#define POLARSSL_NO_PLATFORM_ENTROPY MBEDTLS_NO_PLATFORM_ENTROPY
+#endif
+#if defined MBEDTLS_OID_C
+#define POLARSSL_OID_C MBEDTLS_OID_C
+#endif
+#if defined MBEDTLS_PADLOCK_C
+#define POLARSSL_PADLOCK_C MBEDTLS_PADLOCK_C
+#endif
+#if defined MBEDTLS_PEM_PARSE_C
+#define POLARSSL_PEM_PARSE_C MBEDTLS_PEM_PARSE_C
+#endif
+#if defined MBEDTLS_PEM_WRITE_C
+#define POLARSSL_PEM_WRITE_C MBEDTLS_PEM_WRITE_C
+#endif
+#if defined MBEDTLS_PKCS11_C
+#define POLARSSL_PKCS11_C MBEDTLS_PKCS11_C
+#endif
+#if defined MBEDTLS_PKCS12_C
+#define POLARSSL_PKCS12_C MBEDTLS_PKCS12_C
+#endif
+#if defined MBEDTLS_PKCS1_V15
+#define POLARSSL_PKCS1_V15 MBEDTLS_PKCS1_V15
+#endif
+#if defined MBEDTLS_PKCS1_V21
+#define POLARSSL_PKCS1_V21 MBEDTLS_PKCS1_V21
+#endif
+#if defined MBEDTLS_PKCS5_C
+#define POLARSSL_PKCS5_C MBEDTLS_PKCS5_C
+#endif
+#if defined MBEDTLS_PK_C
+#define POLARSSL_PK_C MBEDTLS_PK_C
+#endif
+#if defined MBEDTLS_PK_PARSE_C
+#define POLARSSL_PK_PARSE_C MBEDTLS_PK_PARSE_C
+#endif
+#if defined MBEDTLS_PK_PARSE_EC_EXTENDED
+#define POLARSSL_PK_PARSE_EC_EXTENDED MBEDTLS_PK_PARSE_EC_EXTENDED
+#endif
+#if defined MBEDTLS_PK_RSA_ALT_SUPPORT
+#define POLARSSL_PK_RSA_ALT_SUPPORT MBEDTLS_PK_RSA_ALT_SUPPORT
+#endif
+#if defined MBEDTLS_PK_WRITE_C
+#define POLARSSL_PK_WRITE_C MBEDTLS_PK_WRITE_C
+#endif
+#if defined MBEDTLS_PLATFORM_C
+#define POLARSSL_PLATFORM_C MBEDTLS_PLATFORM_C
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_ALT
+#define POLARSSL_PLATFORM_EXIT_ALT MBEDTLS_PLATFORM_EXIT_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_EXIT_MACRO
+#define POLARSSL_PLATFORM_EXIT_MACRO MBEDTLS_PLATFORM_EXIT_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_ALT
+#define POLARSSL_PLATFORM_FPRINTF_ALT MBEDTLS_PLATFORM_FPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_FPRINTF_MACRO
+#define POLARSSL_PLATFORM_FPRINTF_MACRO MBEDTLS_PLATFORM_FPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_FREE_MACRO
+#define POLARSSL_PLATFORM_FREE_MACRO MBEDTLS_PLATFORM_FREE_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_MEMORY
+#define POLARSSL_PLATFORM_MEMORY MBEDTLS_PLATFORM_MEMORY
+#endif
+#if defined MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define POLARSSL_PLATFORM_NO_STD_FUNCTIONS MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_ALT
+#define POLARSSL_PLATFORM_PRINTF_ALT MBEDTLS_PLATFORM_PRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_PRINTF_MACRO
+#define POLARSSL_PLATFORM_PRINTF_MACRO MBEDTLS_PLATFORM_PRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_ALT
+#define POLARSSL_PLATFORM_SNPRINTF_ALT MBEDTLS_PLATFORM_SNPRINTF_ALT
+#endif
+#if defined MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#define POLARSSL_PLATFORM_SNPRINTF_MACRO MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#endif
+#if defined MBEDTLS_PLATFORM_STD_EXIT
+#define POLARSSL_PLATFORM_STD_EXIT MBEDTLS_PLATFORM_STD_EXIT
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FPRINTF
+#define POLARSSL_PLATFORM_STD_FPRINTF MBEDTLS_PLATFORM_STD_FPRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_FREE
+#define POLARSSL_PLATFORM_STD_FREE MBEDTLS_PLATFORM_STD_FREE
+#endif
+#if defined MBEDTLS_PLATFORM_STD_MEM_HDR
+#define POLARSSL_PLATFORM_STD_MEM_HDR MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#if defined MBEDTLS_PLATFORM_STD_PRINTF
+#define POLARSSL_PLATFORM_STD_PRINTF MBEDTLS_PLATFORM_STD_PRINTF
+#endif
+#if defined MBEDTLS_PLATFORM_STD_SNPRINTF
+#define POLARSSL_PLATFORM_STD_SNPRINTF MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif
+#if defined MBEDTLS_PSK_MAX_LEN
+#define POLARSSL_PSK_MAX_LEN MBEDTLS_PSK_MAX_LEN
+#endif
+#if defined MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#define POLARSSL_REMOVE_ARC4_CIPHERSUITES MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#endif
+#if defined MBEDTLS_RIPEMD160_ALT
+#define POLARSSL_RIPEMD160_ALT MBEDTLS_RIPEMD160_ALT
+#endif
+#if defined MBEDTLS_RIPEMD160_C
+#define POLARSSL_RIPEMD160_C MBEDTLS_RIPEMD160_C
+#endif
+#if defined MBEDTLS_RIPEMD160_PROCESS_ALT
+#define POLARSSL_RIPEMD160_PROCESS_ALT MBEDTLS_RIPEMD160_PROCESS_ALT
+#endif
+#if defined MBEDTLS_RSA_C
+#define POLARSSL_RSA_C MBEDTLS_RSA_C
+#endif
+#if defined MBEDTLS_RSA_NO_CRT
+#define POLARSSL_RSA_NO_CRT MBEDTLS_RSA_NO_CRT
+#endif
+#if defined MBEDTLS_SELF_TEST
+#define POLARSSL_SELF_TEST MBEDTLS_SELF_TEST
+#endif
+#if defined MBEDTLS_SHA1_ALT
+#define POLARSSL_SHA1_ALT MBEDTLS_SHA1_ALT
+#endif
+#if defined MBEDTLS_SHA1_C
+#define POLARSSL_SHA1_C MBEDTLS_SHA1_C
+#endif
+#if defined MBEDTLS_SHA1_PROCESS_ALT
+#define POLARSSL_SHA1_PROCESS_ALT MBEDTLS_SHA1_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA256_ALT
+#define POLARSSL_SHA256_ALT MBEDTLS_SHA256_ALT
+#endif
+#if defined MBEDTLS_SHA256_C
+#define POLARSSL_SHA256_C MBEDTLS_SHA256_C
+#endif
+#if defined MBEDTLS_SHA256_PROCESS_ALT
+#define POLARSSL_SHA256_PROCESS_ALT MBEDTLS_SHA256_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SHA512_ALT
+#define POLARSSL_SHA512_ALT MBEDTLS_SHA512_ALT
+#endif
+#if defined MBEDTLS_SHA512_C
+#define POLARSSL_SHA512_C MBEDTLS_SHA512_C
+#endif
+#if defined MBEDTLS_SHA512_PROCESS_ALT
+#define POLARSSL_SHA512_PROCESS_ALT MBEDTLS_SHA512_PROCESS_ALT
+#endif
+#if defined MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#define POLARSSL_SSL_ALL_ALERT_MESSAGES MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#endif
+#if defined MBEDTLS_SSL_ALPN
+#define POLARSSL_SSL_ALPN MBEDTLS_SSL_ALPN
+#endif
+#if defined MBEDTLS_SSL_CACHE_C
+#define POLARSSL_SSL_CACHE_C MBEDTLS_SSL_CACHE_C
+#endif
+#if defined MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#define POLARSSL_SSL_CBC_RECORD_SPLITTING MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#endif
+#if defined MBEDTLS_SSL_CLI_C
+#define POLARSSL_SSL_CLI_C MBEDTLS_SSL_CLI_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_C
+#define POLARSSL_SSL_COOKIE_C MBEDTLS_SSL_COOKIE_C
+#endif
+#if defined MBEDTLS_SSL_COOKIE_TIMEOUT
+#define POLARSSL_SSL_COOKIE_TIMEOUT MBEDTLS_SSL_COOKIE_TIMEOUT
+#endif
+#if defined MBEDTLS_SSL_DEBUG_ALL
+#define POLARSSL_SSL_DEBUG_ALL MBEDTLS_SSL_DEBUG_ALL
+#endif
+#if defined MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#define POLARSSL_SSL_DTLS_ANTI_REPLAY MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#endif
+#if defined MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#define POLARSSL_SSL_DTLS_BADMAC_LIMIT MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#endif
+#if defined MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#define POLARSSL_SSL_DTLS_HELLO_VERIFY MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#endif
+#if defined MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#define POLARSSL_SSL_ENCRYPT_THEN_MAC MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#endif
+#if defined MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#define POLARSSL_SSL_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#endif
+#if defined MBEDTLS_SSL_FALLBACK_SCSV
+#define POLARSSL_SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#endif
+#if defined MBEDTLS_SSL_HW_RECORD_ACCEL
+#define POLARSSL_SSL_HW_RECORD_ACCEL MBEDTLS_SSL_HW_RECORD_ACCEL
+#endif
+#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#define POLARSSL_SSL_MAX_FRAGMENT_LENGTH MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#endif
+#if defined MBEDTLS_SSL_PROTO_DTLS
+#define POLARSSL_SSL_PROTO_DTLS MBEDTLS_SSL_PROTO_DTLS
+#endif
+#if defined MBEDTLS_SSL_PROTO_SSL3
+#define POLARSSL_SSL_PROTO_SSL3 MBEDTLS_SSL_PROTO_SSL3
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1
+#define POLARSSL_SSL_PROTO_TLS1 MBEDTLS_SSL_PROTO_TLS1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_1
+#define POLARSSL_SSL_PROTO_TLS1_1 MBEDTLS_SSL_PROTO_TLS1_1
+#endif
+#if defined MBEDTLS_SSL_PROTO_TLS1_2
+#define POLARSSL_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_2
+#endif
+#if defined MBEDTLS_SSL_RENEGOTIATION
+#define POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#endif
+#if defined MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
+#endif
+#if defined MBEDTLS_SSL_SESSION_TICKETS
+#define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
+#endif
+#if defined MBEDTLS_SSL_SRV_C
+#define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
+#endif
+#if defined MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#define POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+#endif
+#if defined MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+#endif
+#if defined MBEDTLS_SSL_TLS_C
+#define POLARSSL_SSL_TLS_C MBEDTLS_SSL_TLS_C
+#endif
+#if defined MBEDTLS_SSL_TRUNCATED_HMAC
+#define POLARSSL_SSL_TRUNCATED_HMAC MBEDTLS_SSL_TRUNCATED_HMAC
+#endif
+#if defined MBEDTLS_THREADING_ALT
+#define POLARSSL_THREADING_ALT MBEDTLS_THREADING_ALT
+#endif
+#if defined MBEDTLS_THREADING_C
+#define POLARSSL_THREADING_C MBEDTLS_THREADING_C
+#endif
+#if defined MBEDTLS_THREADING_PTHREAD
+#define POLARSSL_THREADING_PTHREAD MBEDTLS_THREADING_PTHREAD
+#endif
+#if defined MBEDTLS_TIMING_ALT
+#define POLARSSL_TIMING_ALT MBEDTLS_TIMING_ALT
+#endif
+#if defined MBEDTLS_TIMING_C
+#define POLARSSL_TIMING_C MBEDTLS_TIMING_C
+#endif
+#if defined MBEDTLS_VERSION_C
+#define POLARSSL_VERSION_C MBEDTLS_VERSION_C
+#endif
+#if defined MBEDTLS_VERSION_FEATURES
+#define POLARSSL_VERSION_FEATURES MBEDTLS_VERSION_FEATURES
+#endif
+#if defined MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#define POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+#endif
+#if defined MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#endif
+#if defined MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CHECK_KEY_USAGE
+#define POLARSSL_X509_CHECK_KEY_USAGE MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
+#if defined MBEDTLS_X509_CREATE_C
+#define POLARSSL_X509_CREATE_C MBEDTLS_X509_CREATE_C
+#endif
+#if defined MBEDTLS_X509_CRL_PARSE_C
+#define POLARSSL_X509_CRL_PARSE_C MBEDTLS_X509_CRL_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_PARSE_C
+#define POLARSSL_X509_CRT_PARSE_C MBEDTLS_X509_CRT_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CRT_WRITE_C
+#define POLARSSL_X509_CRT_WRITE_C MBEDTLS_X509_CRT_WRITE_C
+#endif
+#if defined MBEDTLS_X509_CSR_PARSE_C
+#define POLARSSL_X509_CSR_PARSE_C MBEDTLS_X509_CSR_PARSE_C
+#endif
+#if defined MBEDTLS_X509_CSR_WRITE_C
+#define POLARSSL_X509_CSR_WRITE_C MBEDTLS_X509_CSR_WRITE_C
+#endif
+#if defined MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA MBEDTLS_X509_MAX_INTERMEDIATE_CA
+#endif
+#if defined MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#define POLARSSL_X509_RSASSA_PSS_SUPPORT MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#endif
+#if defined MBEDTLS_X509_USE_C
+#define POLARSSL_X509_USE_C MBEDTLS_X509_USE_C
+#endif
+#if defined MBEDTLS_XTEA_ALT
+#define POLARSSL_XTEA_ALT MBEDTLS_XTEA_ALT
+#endif
+#if defined MBEDTLS_XTEA_C
+#define POLARSSL_XTEA_C MBEDTLS_XTEA_C
+#endif
+#if defined MBEDTLS_ZLIB_SUPPORT
+#define POLARSSL_ZLIB_SUPPORT MBEDTLS_ZLIB_SUPPORT
+#endif
+
+/*
+ * Misc names (macros, types, functions, enum constants...)
+ */
+#define AES_DECRYPT MBEDTLS_AES_DECRYPT
+#define AES_ENCRYPT MBEDTLS_AES_ENCRYPT
+#define ASN1_BIT_STRING MBEDTLS_ASN1_BIT_STRING
+#define ASN1_BMP_STRING MBEDTLS_ASN1_BMP_STRING
+#define ASN1_BOOLEAN MBEDTLS_ASN1_BOOLEAN
+#define ASN1_CHK_ADD MBEDTLS_ASN1_CHK_ADD
+#define ASN1_CONSTRUCTED MBEDTLS_ASN1_CONSTRUCTED
+#define ASN1_CONTEXT_SPECIFIC MBEDTLS_ASN1_CONTEXT_SPECIFIC
+#define ASN1_GENERALIZED_TIME MBEDTLS_ASN1_GENERALIZED_TIME
+#define ASN1_IA5_STRING MBEDTLS_ASN1_IA5_STRING
+#define ASN1_INTEGER MBEDTLS_ASN1_INTEGER
+#define ASN1_NULL MBEDTLS_ASN1_NULL
+#define ASN1_OCTET_STRING MBEDTLS_ASN1_OCTET_STRING
+#define ASN1_OID MBEDTLS_ASN1_OID
+#define ASN1_PRIMITIVE MBEDTLS_ASN1_PRIMITIVE
+#define ASN1_PRINTABLE_STRING MBEDTLS_ASN1_PRINTABLE_STRING
+#define ASN1_SEQUENCE MBEDTLS_ASN1_SEQUENCE
+#define ASN1_SET MBEDTLS_ASN1_SET
+#define ASN1_T61_STRING MBEDTLS_ASN1_T61_STRING
+#define ASN1_UNIVERSAL_STRING MBEDTLS_ASN1_UNIVERSAL_STRING
+#define ASN1_UTC_TIME MBEDTLS_ASN1_UTC_TIME
+#define ASN1_UTF8_STRING MBEDTLS_ASN1_UTF8_STRING
+#define BADCERT_CN_MISMATCH MBEDTLS_X509_BADCERT_CN_MISMATCH
+#define BADCERT_EXPIRED MBEDTLS_X509_BADCERT_EXPIRED
+#define BADCERT_FUTURE MBEDTLS_X509_BADCERT_FUTURE
+#define BADCERT_MISSING MBEDTLS_X509_BADCERT_MISSING
+#define BADCERT_NOT_TRUSTED MBEDTLS_X509_BADCERT_NOT_TRUSTED
+#define BADCERT_OTHER MBEDTLS_X509_BADCERT_OTHER
+#define BADCERT_REVOKED MBEDTLS_X509_BADCERT_REVOKED
+#define BADCERT_SKIP_VERIFY MBEDTLS_X509_BADCERT_SKIP_VERIFY
+#define BADCRL_EXPIRED MBEDTLS_X509_BADCRL_EXPIRED
+#define BADCRL_FUTURE MBEDTLS_X509_BADCRL_FUTURE
+#define BADCRL_NOT_TRUSTED MBEDTLS_X509_BADCRL_NOT_TRUSTED
+#define BLOWFISH_BLOCKSIZE MBEDTLS_BLOWFISH_BLOCKSIZE
+#define BLOWFISH_DECRYPT MBEDTLS_BLOWFISH_DECRYPT
+#define BLOWFISH_ENCRYPT MBEDTLS_BLOWFISH_ENCRYPT
+#define BLOWFISH_MAX_KEY MBEDTLS_BLOWFISH_MAX_KEY_BITS
+#define BLOWFISH_MIN_KEY MBEDTLS_BLOWFISH_MIN_KEY_BITS
+#define BLOWFISH_ROUNDS MBEDTLS_BLOWFISH_ROUNDS
+#define CAMELLIA_DECRYPT MBEDTLS_CAMELLIA_DECRYPT
+#define CAMELLIA_ENCRYPT MBEDTLS_CAMELLIA_ENCRYPT
+#define COLLECT_SIZE MBEDTLS_HAVEGE_COLLECT_SIZE
+#define CTR_DRBG_BLOCKSIZE MBEDTLS_CTR_DRBG_BLOCKSIZE
+#define CTR_DRBG_ENTROPY_LEN MBEDTLS_CTR_DRBG_ENTROPY_LEN
+#define CTR_DRBG_KEYBITS MBEDTLS_CTR_DRBG_KEYBITS
+#define CTR_DRBG_KEYSIZE MBEDTLS_CTR_DRBG_KEYSIZE
+#define CTR_DRBG_MAX_INPUT MBEDTLS_CTR_DRBG_MAX_INPUT
+#define CTR_DRBG_MAX_REQUEST MBEDTLS_CTR_DRBG_MAX_REQUEST
+#define CTR_DRBG_MAX_SEED_INPUT MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+#define CTR_DRBG_PR_OFF MBEDTLS_CTR_DRBG_PR_OFF
+#define CTR_DRBG_PR_ON MBEDTLS_CTR_DRBG_PR_ON
+#define CTR_DRBG_RESEED_INTERVAL MBEDTLS_CTR_DRBG_RESEED_INTERVAL
+#define CTR_DRBG_SEEDLEN MBEDTLS_CTR_DRBG_SEEDLEN
+#define DEPRECATED MBEDTLS_DEPRECATED
+#define DES_DECRYPT MBEDTLS_DES_DECRYPT
+#define DES_ENCRYPT MBEDTLS_DES_ENCRYPT
+#define DES_KEY_SIZE MBEDTLS_DES_KEY_SIZE
+#define ENTROPY_BLOCK_SIZE MBEDTLS_ENTROPY_BLOCK_SIZE
+#define ENTROPY_MAX_GATHER MBEDTLS_ENTROPY_MAX_GATHER
+#define ENTROPY_MAX_SEED_SIZE MBEDTLS_ENTROPY_MAX_SEED_SIZE
+#define ENTROPY_MAX_SOURCES MBEDTLS_ENTROPY_MAX_SOURCES
+#define ENTROPY_MIN_HARDCLOCK MBEDTLS_ENTROPY_MIN_HARDCLOCK
+#define ENTROPY_MIN_HAVEGE MBEDTLS_ENTROPY_MIN_HAVEGE
+#define ENTROPY_MIN_PLATFORM MBEDTLS_ENTROPY_MIN_PLATFORM
+#define ENTROPY_SOURCE_MANUAL MBEDTLS_ENTROPY_SOURCE_MANUAL
+#define EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER
+#define EXT_BASIC_CONSTRAINTS MBEDTLS_X509_EXT_BASIC_CONSTRAINTS
+#define EXT_CERTIFICATE_POLICIES MBEDTLS_X509_EXT_CERTIFICATE_POLICIES
+#define EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS
+#define EXT_EXTENDED_KEY_USAGE MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE
+#define EXT_FRESHEST_CRL MBEDTLS_X509_EXT_FRESHEST_CRL
+#define EXT_INIHIBIT_ANYPOLICY MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY
+#define EXT_ISSUER_ALT_NAME MBEDTLS_X509_EXT_ISSUER_ALT_NAME
+#define EXT_KEY_USAGE MBEDTLS_X509_EXT_KEY_USAGE
+#define EXT_NAME_CONSTRAINTS MBEDTLS_X509_EXT_NAME_CONSTRAINTS
+#define EXT_NS_CERT_TYPE MBEDTLS_X509_EXT_NS_CERT_TYPE
+#define EXT_POLICY_CONSTRAINTS MBEDTLS_X509_EXT_POLICY_CONSTRAINTS
+#define EXT_POLICY_MAPPINGS MBEDTLS_X509_EXT_POLICY_MAPPINGS
+#define EXT_SUBJECT_ALT_NAME MBEDTLS_X509_EXT_SUBJECT_ALT_NAME
+#define EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS
+#define EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER
+#define GCM_DECRYPT MBEDTLS_GCM_DECRYPT
+#define GCM_ENCRYPT MBEDTLS_GCM_ENCRYPT
+#define KU_CRL_SIGN MBEDTLS_X509_KU_CRL_SIGN
+#define KU_DATA_ENCIPHERMENT MBEDTLS_X509_KU_DATA_ENCIPHERMENT
+#define KU_DIGITAL_SIGNATURE MBEDTLS_X509_KU_DIGITAL_SIGNATURE
+#define KU_KEY_AGREEMENT MBEDTLS_X509_KU_KEY_AGREEMENT
+#define KU_KEY_CERT_SIGN MBEDTLS_X509_KU_KEY_CERT_SIGN
+#define KU_KEY_ENCIPHERMENT MBEDTLS_X509_KU_KEY_ENCIPHERMENT
+#define KU_NON_REPUDIATION MBEDTLS_X509_KU_NON_REPUDIATION
+#define LN_2_DIV_LN_10_SCALE100 MBEDTLS_LN_2_DIV_LN_10_SCALE100
+#define MEMORY_VERIFY_ALLOC MBEDTLS_MEMORY_VERIFY_ALLOC
+#define MEMORY_VERIFY_ALWAYS MBEDTLS_MEMORY_VERIFY_ALWAYS
+#define MEMORY_VERIFY_FREE MBEDTLS_MEMORY_VERIFY_FREE
+#define MEMORY_VERIFY_NONE MBEDTLS_MEMORY_VERIFY_NONE
+#define MPI_CHK MBEDTLS_MPI_CHK
+#define NET_PROTO_TCP MBEDTLS_NET_PROTO_TCP
+#define NET_PROTO_UDP MBEDTLS_NET_PROTO_UDP
+#define NS_CERT_TYPE_EMAIL MBEDTLS_X509_NS_CERT_TYPE_EMAIL
+#define NS_CERT_TYPE_EMAIL_CA MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA
+#define NS_CERT_TYPE_OBJECT_SIGNING MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING
+#define NS_CERT_TYPE_OBJECT_SIGNING_CA MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA
+#define NS_CERT_TYPE_RESERVED MBEDTLS_X509_NS_CERT_TYPE_RESERVED
+#define NS_CERT_TYPE_SSL_CA MBEDTLS_X509_NS_CERT_TYPE_SSL_CA
+#define NS_CERT_TYPE_SSL_CLIENT MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT
+#define NS_CERT_TYPE_SSL_SERVER MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER
+#define OID_ANSI_X9_62 MBEDTLS_OID_ANSI_X9_62
+#define OID_ANSI_X9_62_FIELD_TYPE MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE
+#define OID_ANSI_X9_62_PRIME_FIELD MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD
+#define OID_ANSI_X9_62_SIG MBEDTLS_OID_ANSI_X9_62_SIG
+#define OID_ANSI_X9_62_SIG_SHA2 MBEDTLS_OID_ANSI_X9_62_SIG_SHA2
+#define OID_ANY_EXTENDED_KEY_USAGE MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE
+#define OID_AT MBEDTLS_OID_AT
+#define OID_AT_CN MBEDTLS_OID_AT_CN
+#define OID_AT_COUNTRY MBEDTLS_OID_AT_COUNTRY
+#define OID_AT_DN_QUALIFIER MBEDTLS_OID_AT_DN_QUALIFIER
+#define OID_AT_GENERATION_QUALIFIER MBEDTLS_OID_AT_GENERATION_QUALIFIER
+#define OID_AT_GIVEN_NAME MBEDTLS_OID_AT_GIVEN_NAME
+#define OID_AT_INITIALS MBEDTLS_OID_AT_INITIALS
+#define OID_AT_LOCALITY MBEDTLS_OID_AT_LOCALITY
+#define OID_AT_ORGANIZATION MBEDTLS_OID_AT_ORGANIZATION
+#define OID_AT_ORG_UNIT MBEDTLS_OID_AT_ORG_UNIT
+#define OID_AT_POSTAL_ADDRESS MBEDTLS_OID_AT_POSTAL_ADDRESS
+#define OID_AT_POSTAL_CODE MBEDTLS_OID_AT_POSTAL_CODE
+#define OID_AT_PSEUDONYM MBEDTLS_OID_AT_PSEUDONYM
+#define OID_AT_SERIAL_NUMBER MBEDTLS_OID_AT_SERIAL_NUMBER
+#define OID_AT_STATE MBEDTLS_OID_AT_STATE
+#define OID_AT_SUR_NAME MBEDTLS_OID_AT_SUR_NAME
+#define OID_AT_TITLE MBEDTLS_OID_AT_TITLE
+#define OID_AT_UNIQUE_IDENTIFIER MBEDTLS_OID_AT_UNIQUE_IDENTIFIER
+#define OID_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER
+#define OID_BASIC_CONSTRAINTS MBEDTLS_OID_BASIC_CONSTRAINTS
+#define OID_CERTICOM MBEDTLS_OID_CERTICOM
+#define OID_CERTIFICATE_POLICIES MBEDTLS_OID_CERTIFICATE_POLICIES
+#define OID_CLIENT_AUTH MBEDTLS_OID_CLIENT_AUTH
+#define OID_CMP MBEDTLS_OID_CMP
+#define OID_CODE_SIGNING MBEDTLS_OID_CODE_SIGNING
+#define OID_COUNTRY_US MBEDTLS_OID_COUNTRY_US
+#define OID_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_CRL_DISTRIBUTION_POINTS
+#define OID_CRL_NUMBER MBEDTLS_OID_CRL_NUMBER
+#define OID_DES_CBC MBEDTLS_OID_DES_CBC
+#define OID_DES_EDE3_CBC MBEDTLS_OID_DES_EDE3_CBC
+#define OID_DIGEST_ALG_MD2 MBEDTLS_OID_DIGEST_ALG_MD2
+#define OID_DIGEST_ALG_MD4 MBEDTLS_OID_DIGEST_ALG_MD4
+#define OID_DIGEST_ALG_MD5 MBEDTLS_OID_DIGEST_ALG_MD5
+#define OID_DIGEST_ALG_SHA1 MBEDTLS_OID_DIGEST_ALG_SHA1
+#define OID_DIGEST_ALG_SHA224 MBEDTLS_OID_DIGEST_ALG_SHA224
+#define OID_DIGEST_ALG_SHA256 MBEDTLS_OID_DIGEST_ALG_SHA256
+#define OID_DIGEST_ALG_SHA384 MBEDTLS_OID_DIGEST_ALG_SHA384
+#define OID_DIGEST_ALG_SHA512 MBEDTLS_OID_DIGEST_ALG_SHA512
+#define OID_DOMAIN_COMPONENT MBEDTLS_OID_DOMAIN_COMPONENT
+#define OID_ECDSA_SHA1 MBEDTLS_OID_ECDSA_SHA1
+#define OID_ECDSA_SHA224 MBEDTLS_OID_ECDSA_SHA224
+#define OID_ECDSA_SHA256 MBEDTLS_OID_ECDSA_SHA256
+#define OID_ECDSA_SHA384 MBEDTLS_OID_ECDSA_SHA384
+#define OID_ECDSA_SHA512 MBEDTLS_OID_ECDSA_SHA512
+#define OID_EC_ALG_ECDH MBEDTLS_OID_EC_ALG_ECDH
+#define OID_EC_ALG_UNRESTRICTED MBEDTLS_OID_EC_ALG_UNRESTRICTED
+#define OID_EC_BRAINPOOL_V1 MBEDTLS_OID_EC_BRAINPOOL_V1
+#define OID_EC_GRP_BP256R1 MBEDTLS_OID_EC_GRP_BP256R1
+#define OID_EC_GRP_BP384R1 MBEDTLS_OID_EC_GRP_BP384R1
+#define OID_EC_GRP_BP512R1 MBEDTLS_OID_EC_GRP_BP512R1
+#define OID_EC_GRP_SECP192K1 MBEDTLS_OID_EC_GRP_SECP192K1
+#define OID_EC_GRP_SECP192R1 MBEDTLS_OID_EC_GRP_SECP192R1
+#define OID_EC_GRP_SECP224K1 MBEDTLS_OID_EC_GRP_SECP224K1
+#define OID_EC_GRP_SECP224R1 MBEDTLS_OID_EC_GRP_SECP224R1
+#define OID_EC_GRP_SECP256K1 MBEDTLS_OID_EC_GRP_SECP256K1
+#define OID_EC_GRP_SECP256R1 MBEDTLS_OID_EC_GRP_SECP256R1
+#define OID_EC_GRP_SECP384R1 MBEDTLS_OID_EC_GRP_SECP384R1
+#define OID_EC_GRP_SECP521R1 MBEDTLS_OID_EC_GRP_SECP521R1
+#define OID_EMAIL_PROTECTION MBEDTLS_OID_EMAIL_PROTECTION
+#define OID_EXTENDED_KEY_USAGE MBEDTLS_OID_EXTENDED_KEY_USAGE
+#define OID_FRESHEST_CRL MBEDTLS_OID_FRESHEST_CRL
+#define OID_GOV MBEDTLS_OID_GOV
+#define OID_HMAC_SHA1 MBEDTLS_OID_HMAC_SHA1
+#define OID_ID_CE MBEDTLS_OID_ID_CE
+#define OID_INIHIBIT_ANYPOLICY MBEDTLS_OID_INIHIBIT_ANYPOLICY
+#define OID_ISO_CCITT_DS MBEDTLS_OID_ISO_CCITT_DS
+#define OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ISO_IDENTIFIED_ORG
+#define OID_ISO_ITU_COUNTRY MBEDTLS_OID_ISO_ITU_COUNTRY
+#define OID_ISO_ITU_US_ORG MBEDTLS_OID_ISO_ITU_US_ORG
+#define OID_ISO_MEMBER_BODIES MBEDTLS_OID_ISO_MEMBER_BODIES
+#define OID_ISSUER_ALT_NAME MBEDTLS_OID_ISSUER_ALT_NAME
+#define OID_KEY_USAGE MBEDTLS_OID_KEY_USAGE
+#define OID_KP MBEDTLS_OID_KP
+#define OID_MGF1 MBEDTLS_OID_MGF1
+#define OID_NAME_CONSTRAINTS MBEDTLS_OID_NAME_CONSTRAINTS
+#define OID_NETSCAPE MBEDTLS_OID_NETSCAPE
+#define OID_NS_BASE_URL MBEDTLS_OID_NS_BASE_URL
+#define OID_NS_CA_POLICY_URL MBEDTLS_OID_NS_CA_POLICY_URL
+#define OID_NS_CA_REVOCATION_URL MBEDTLS_OID_NS_CA_REVOCATION_URL
+#define OID_NS_CERT MBEDTLS_OID_NS_CERT
+#define OID_NS_CERT_SEQUENCE MBEDTLS_OID_NS_CERT_SEQUENCE
+#define OID_NS_CERT_TYPE MBEDTLS_OID_NS_CERT_TYPE
+#define OID_NS_COMMENT MBEDTLS_OID_NS_COMMENT
+#define OID_NS_DATA_TYPE MBEDTLS_OID_NS_DATA_TYPE
+#define OID_NS_RENEWAL_URL MBEDTLS_OID_NS_RENEWAL_URL
+#define OID_NS_REVOCATION_URL MBEDTLS_OID_NS_REVOCATION_URL
+#define OID_NS_SSL_SERVER_NAME MBEDTLS_OID_NS_SSL_SERVER_NAME
+#define OID_OCSP_SIGNING MBEDTLS_OID_OCSP_SIGNING
+#define OID_OIW_SECSIG MBEDTLS_OID_OIW_SECSIG
+#define OID_OIW_SECSIG_ALG MBEDTLS_OID_OIW_SECSIG_ALG
+#define OID_OIW_SECSIG_SHA1 MBEDTLS_OID_OIW_SECSIG_SHA1
+#define OID_ORGANIZATION MBEDTLS_OID_ORGANIZATION
+#define OID_ORG_ANSI_X9_62 MBEDTLS_OID_ORG_ANSI_X9_62
+#define OID_ORG_CERTICOM MBEDTLS_OID_ORG_CERTICOM
+#define OID_ORG_DOD MBEDTLS_OID_ORG_DOD
+#define OID_ORG_GOV MBEDTLS_OID_ORG_GOV
+#define OID_ORG_NETSCAPE MBEDTLS_OID_ORG_NETSCAPE
+#define OID_ORG_OIW MBEDTLS_OID_ORG_OIW
+#define OID_ORG_RSA_DATA_SECURITY MBEDTLS_OID_ORG_RSA_DATA_SECURITY
+#define OID_ORG_TELETRUST MBEDTLS_OID_ORG_TELETRUST
+#define OID_PKCS MBEDTLS_OID_PKCS
+#define OID_PKCS1 MBEDTLS_OID_PKCS1
+#define OID_PKCS12 MBEDTLS_OID_PKCS12
+#define OID_PKCS12_PBE MBEDTLS_OID_PKCS12_PBE
+#define OID_PKCS12_PBE_SHA1_DES2_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_DES3_EDE_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC
+#define OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC
+#define OID_PKCS12_PBE_SHA1_RC4_128 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128
+#define OID_PKCS12_PBE_SHA1_RC4_40 MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40
+#define OID_PKCS1_MD2 MBEDTLS_OID_PKCS1_MD2
+#define OID_PKCS1_MD4 MBEDTLS_OID_PKCS1_MD4
+#define OID_PKCS1_MD5 MBEDTLS_OID_PKCS1_MD5
+#define OID_PKCS1_RSA MBEDTLS_OID_PKCS1_RSA
+#define OID_PKCS1_SHA1 MBEDTLS_OID_PKCS1_SHA1
+#define OID_PKCS1_SHA224 MBEDTLS_OID_PKCS1_SHA224
+#define OID_PKCS1_SHA256 MBEDTLS_OID_PKCS1_SHA256
+#define OID_PKCS1_SHA384 MBEDTLS_OID_PKCS1_SHA384
+#define OID_PKCS1_SHA512 MBEDTLS_OID_PKCS1_SHA512
+#define OID_PKCS5 MBEDTLS_OID_PKCS5
+#define OID_PKCS5_PBES2 MBEDTLS_OID_PKCS5_PBES2
+#define OID_PKCS5_PBE_MD2_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC
+#define OID_PKCS5_PBE_MD2_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC
+#define OID_PKCS5_PBE_MD5_DES_CBC MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC
+#define OID_PKCS5_PBE_MD5_RC2_CBC MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC
+#define OID_PKCS5_PBE_SHA1_DES_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC
+#define OID_PKCS5_PBE_SHA1_RC2_CBC MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC
+#define OID_PKCS5_PBKDF2 MBEDTLS_OID_PKCS5_PBKDF2
+#define OID_PKCS5_PBMAC1 MBEDTLS_OID_PKCS5_PBMAC1
+#define OID_PKCS9 MBEDTLS_OID_PKCS9
+#define OID_PKCS9_CSR_EXT_REQ MBEDTLS_OID_PKCS9_CSR_EXT_REQ
+#define OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9_EMAIL
+#define OID_PKIX MBEDTLS_OID_PKIX
+#define OID_POLICY_CONSTRAINTS MBEDTLS_OID_POLICY_CONSTRAINTS
+#define OID_POLICY_MAPPINGS MBEDTLS_OID_POLICY_MAPPINGS
+#define OID_PRIVATE_KEY_USAGE_PERIOD MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD
+#define OID_RSASSA_PSS MBEDTLS_OID_RSASSA_PSS
+#define OID_RSA_COMPANY MBEDTLS_OID_RSA_COMPANY
+#define OID_RSA_SHA_OBS MBEDTLS_OID_RSA_SHA_OBS
+#define OID_SERVER_AUTH MBEDTLS_OID_SERVER_AUTH
+#define OID_SIZE MBEDTLS_OID_SIZE
+#define OID_SUBJECT_ALT_NAME MBEDTLS_OID_SUBJECT_ALT_NAME
+#define OID_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS
+#define OID_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER
+#define OID_TELETRUST MBEDTLS_OID_TELETRUST
+#define OID_TIME_STAMPING MBEDTLS_OID_TIME_STAMPING
+#define PADLOCK_ACE MBEDTLS_PADLOCK_ACE
+#define PADLOCK_ALIGN16 MBEDTLS_PADLOCK_ALIGN16
+#define PADLOCK_PHE MBEDTLS_PADLOCK_PHE
+#define PADLOCK_PMM MBEDTLS_PADLOCK_PMM
+#define PADLOCK_RNG MBEDTLS_PADLOCK_RNG
+#define PKCS12_DERIVE_IV MBEDTLS_PKCS12_DERIVE_IV
+#define PKCS12_DERIVE_KEY MBEDTLS_PKCS12_DERIVE_KEY
+#define PKCS12_DERIVE_MAC_KEY MBEDTLS_PKCS12_DERIVE_MAC_KEY
+#define PKCS12_PBE_DECRYPT MBEDTLS_PKCS12_PBE_DECRYPT
+#define PKCS12_PBE_ENCRYPT MBEDTLS_PKCS12_PBE_ENCRYPT
+#define PKCS5_DECRYPT MBEDTLS_PKCS5_DECRYPT
+#define PKCS5_ENCRYPT MBEDTLS_PKCS5_ENCRYPT
+#define POLARSSL_AESNI_AES MBEDTLS_AESNI_AES
+#define POLARSSL_AESNI_CLMUL MBEDTLS_AESNI_CLMUL
+#define POLARSSL_AESNI_H MBEDTLS_AESNI_H
+#define POLARSSL_AES_H MBEDTLS_AES_H
+#define POLARSSL_ARC4_H MBEDTLS_ARC4_H
+#define POLARSSL_ASN1_H MBEDTLS_ASN1_H
+#define POLARSSL_ASN1_WRITE_H MBEDTLS_ASN1_WRITE_H
+#define POLARSSL_BASE64_H MBEDTLS_BASE64_H
+#define POLARSSL_BIGNUM_H MBEDTLS_BIGNUM_H
+#define POLARSSL_BLOWFISH_H MBEDTLS_BLOWFISH_H
+#define POLARSSL_BN_MUL_H MBEDTLS_BN_MUL_H
+#define POLARSSL_CAMELLIA_H MBEDTLS_CAMELLIA_H
+#define POLARSSL_CCM_H MBEDTLS_CCM_H
+#define POLARSSL_CERTS_H MBEDTLS_CERTS_H
+#define POLARSSL_CHECK_CONFIG_H MBEDTLS_CHECK_CONFIG_H
+#define POLARSSL_CIPHERSUITE_NODTLS MBEDTLS_CIPHERSUITE_NODTLS
+#define POLARSSL_CIPHERSUITE_SHORT_TAG MBEDTLS_CIPHERSUITE_SHORT_TAG
+#define POLARSSL_CIPHERSUITE_WEAK MBEDTLS_CIPHERSUITE_WEAK
+#define POLARSSL_CIPHER_AES_128_CBC MBEDTLS_CIPHER_AES_128_CBC
+#define POLARSSL_CIPHER_AES_128_CCM MBEDTLS_CIPHER_AES_128_CCM
+#define POLARSSL_CIPHER_AES_128_CFB128 MBEDTLS_CIPHER_AES_128_CFB128
+#define POLARSSL_CIPHER_AES_128_CTR MBEDTLS_CIPHER_AES_128_CTR
+#define POLARSSL_CIPHER_AES_128_ECB MBEDTLS_CIPHER_AES_128_ECB
+#define POLARSSL_CIPHER_AES_128_GCM MBEDTLS_CIPHER_AES_128_GCM
+#define POLARSSL_CIPHER_AES_192_CBC MBEDTLS_CIPHER_AES_192_CBC
+#define POLARSSL_CIPHER_AES_192_CCM MBEDTLS_CIPHER_AES_192_CCM
+#define POLARSSL_CIPHER_AES_192_CFB128 MBEDTLS_CIPHER_AES_192_CFB128
+#define POLARSSL_CIPHER_AES_192_CTR MBEDTLS_CIPHER_AES_192_CTR
+#define POLARSSL_CIPHER_AES_192_ECB MBEDTLS_CIPHER_AES_192_ECB
+#define POLARSSL_CIPHER_AES_192_GCM MBEDTLS_CIPHER_AES_192_GCM
+#define POLARSSL_CIPHER_AES_256_CBC MBEDTLS_CIPHER_AES_256_CBC
+#define POLARSSL_CIPHER_AES_256_CCM MBEDTLS_CIPHER_AES_256_CCM
+#define POLARSSL_CIPHER_AES_256_CFB128 MBEDTLS_CIPHER_AES_256_CFB128
+#define POLARSSL_CIPHER_AES_256_CTR MBEDTLS_CIPHER_AES_256_CTR
+#define POLARSSL_CIPHER_AES_256_ECB MBEDTLS_CIPHER_AES_256_ECB
+#define POLARSSL_CIPHER_AES_256_GCM MBEDTLS_CIPHER_AES_256_GCM
+#define POLARSSL_CIPHER_ARC4_128 MBEDTLS_CIPHER_ARC4_128
+#define POLARSSL_CIPHER_BLOWFISH_CBC MBEDTLS_CIPHER_BLOWFISH_CBC
+#define POLARSSL_CIPHER_BLOWFISH_CFB64 MBEDTLS_CIPHER_BLOWFISH_CFB64
+#define POLARSSL_CIPHER_BLOWFISH_CTR MBEDTLS_CIPHER_BLOWFISH_CTR
+#define POLARSSL_CIPHER_BLOWFISH_ECB MBEDTLS_CIPHER_BLOWFISH_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_CBC MBEDTLS_CIPHER_CAMELLIA_128_CBC
+#define POLARSSL_CIPHER_CAMELLIA_128_CCM MBEDTLS_CIPHER_CAMELLIA_128_CCM
+#define POLARSSL_CIPHER_CAMELLIA_128_CFB128 MBEDTLS_CIPHER_CAMELLIA_128_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_128_CTR MBEDTLS_CIPHER_CAMELLIA_128_CTR
+#define POLARSSL_CIPHER_CAMELLIA_128_ECB MBEDTLS_CIPHER_CAMELLIA_128_ECB
+#define POLARSSL_CIPHER_CAMELLIA_128_GCM MBEDTLS_CIPHER_CAMELLIA_128_GCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CBC MBEDTLS_CIPHER_CAMELLIA_192_CBC
+#define POLARSSL_CIPHER_CAMELLIA_192_CCM MBEDTLS_CIPHER_CAMELLIA_192_CCM
+#define POLARSSL_CIPHER_CAMELLIA_192_CFB128 MBEDTLS_CIPHER_CAMELLIA_192_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_192_CTR MBEDTLS_CIPHER_CAMELLIA_192_CTR
+#define POLARSSL_CIPHER_CAMELLIA_192_ECB MBEDTLS_CIPHER_CAMELLIA_192_ECB
+#define POLARSSL_CIPHER_CAMELLIA_192_GCM MBEDTLS_CIPHER_CAMELLIA_192_GCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CBC MBEDTLS_CIPHER_CAMELLIA_256_CBC
+#define POLARSSL_CIPHER_CAMELLIA_256_CCM MBEDTLS_CIPHER_CAMELLIA_256_CCM
+#define POLARSSL_CIPHER_CAMELLIA_256_CFB128 MBEDTLS_CIPHER_CAMELLIA_256_CFB128
+#define POLARSSL_CIPHER_CAMELLIA_256_CTR MBEDTLS_CIPHER_CAMELLIA_256_CTR
+#define POLARSSL_CIPHER_CAMELLIA_256_ECB MBEDTLS_CIPHER_CAMELLIA_256_ECB
+#define POLARSSL_CIPHER_CAMELLIA_256_GCM MBEDTLS_CIPHER_CAMELLIA_256_GCM
+#define POLARSSL_CIPHER_DES_CBC MBEDTLS_CIPHER_DES_CBC
+#define POLARSSL_CIPHER_DES_ECB MBEDTLS_CIPHER_DES_ECB
+#define POLARSSL_CIPHER_DES_EDE3_CBC MBEDTLS_CIPHER_DES_EDE3_CBC
+#define POLARSSL_CIPHER_DES_EDE3_ECB MBEDTLS_CIPHER_DES_EDE3_ECB
+#define POLARSSL_CIPHER_DES_EDE_CBC MBEDTLS_CIPHER_DES_EDE_CBC
+#define POLARSSL_CIPHER_DES_EDE_ECB MBEDTLS_CIPHER_DES_EDE_ECB
+#define POLARSSL_CIPHER_H MBEDTLS_CIPHER_H
+#define POLARSSL_CIPHER_ID_3DES MBEDTLS_CIPHER_ID_3DES
+#define POLARSSL_CIPHER_ID_AES MBEDTLS_CIPHER_ID_AES
+#define POLARSSL_CIPHER_ID_ARC4 MBEDTLS_CIPHER_ID_ARC4
+#define POLARSSL_CIPHER_ID_BLOWFISH MBEDTLS_CIPHER_ID_BLOWFISH
+#define POLARSSL_CIPHER_ID_CAMELLIA MBEDTLS_CIPHER_ID_CAMELLIA
+#define POLARSSL_CIPHER_ID_DES MBEDTLS_CIPHER_ID_DES
+#define POLARSSL_CIPHER_ID_NONE MBEDTLS_CIPHER_ID_NONE
+#define POLARSSL_CIPHER_ID_NULL MBEDTLS_CIPHER_ID_NULL
+#define POLARSSL_CIPHER_MODE_AEAD MBEDTLS_CIPHER_MODE_AEAD
+#define POLARSSL_CIPHER_MODE_STREAM MBEDTLS_CIPHER_MODE_STREAM
+#define POLARSSL_CIPHER_MODE_WITH_PADDING MBEDTLS_CIPHER_MODE_WITH_PADDING
+#define POLARSSL_CIPHER_NONE MBEDTLS_CIPHER_NONE
+#define POLARSSL_CIPHER_NULL MBEDTLS_CIPHER_NULL
+#define POLARSSL_CIPHER_VARIABLE_IV_LEN MBEDTLS_CIPHER_VARIABLE_IV_LEN
+#define POLARSSL_CIPHER_VARIABLE_KEY_LEN MBEDTLS_CIPHER_VARIABLE_KEY_LEN
+#define POLARSSL_CIPHER_WRAP_H MBEDTLS_CIPHER_WRAP_H
+#define POLARSSL_CONFIG_H MBEDTLS_CONFIG_H
+#define POLARSSL_CTR_DRBG_H MBEDTLS_CTR_DRBG_H
+#define POLARSSL_DEBUG_H MBEDTLS_DEBUG_H
+#define POLARSSL_DECRYPT MBEDTLS_DECRYPT
+#define POLARSSL_DES_H MBEDTLS_DES_H
+#define POLARSSL_DHM_H MBEDTLS_DHM_H
+#define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
+#define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
+#define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
+#define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
+#define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
+#define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
+#define POLARSSL_ECDH_H MBEDTLS_ECDH_H
+#define POLARSSL_ECDH_OURS MBEDTLS_ECDH_OURS
+#define POLARSSL_ECDH_THEIRS MBEDTLS_ECDH_THEIRS
+#define POLARSSL_ECDSA_H MBEDTLS_ECDSA_H
+#define POLARSSL_ECP_DP_BP256R1 MBEDTLS_ECP_DP_BP256R1
+#define POLARSSL_ECP_DP_BP384R1 MBEDTLS_ECP_DP_BP384R1
+#define POLARSSL_ECP_DP_BP512R1 MBEDTLS_ECP_DP_BP512R1
+#define POLARSSL_ECP_DP_M255 MBEDTLS_ECP_DP_CURVE25519
+#define POLARSSL_ECP_DP_MAX MBEDTLS_ECP_DP_MAX
+#define POLARSSL_ECP_DP_NONE MBEDTLS_ECP_DP_NONE
+#define POLARSSL_ECP_DP_SECP192K1 MBEDTLS_ECP_DP_SECP192K1
+#define POLARSSL_ECP_DP_SECP192R1 MBEDTLS_ECP_DP_SECP192R1
+#define POLARSSL_ECP_DP_SECP224K1 MBEDTLS_ECP_DP_SECP224K1
+#define POLARSSL_ECP_DP_SECP224R1 MBEDTLS_ECP_DP_SECP224R1
+#define POLARSSL_ECP_DP_SECP256K1 MBEDTLS_ECP_DP_SECP256K1
+#define POLARSSL_ECP_DP_SECP256R1 MBEDTLS_ECP_DP_SECP256R1
+#define POLARSSL_ECP_DP_SECP384R1 MBEDTLS_ECP_DP_SECP384R1
+#define POLARSSL_ECP_DP_SECP521R1 MBEDTLS_ECP_DP_SECP521R1
+#define POLARSSL_ECP_H MBEDTLS_ECP_H
+#define POLARSSL_ECP_MAX_BYTES MBEDTLS_ECP_MAX_BYTES
+#define POLARSSL_ECP_MAX_PT_LEN MBEDTLS_ECP_MAX_PT_LEN
+#define POLARSSL_ECP_PF_COMPRESSED MBEDTLS_ECP_PF_COMPRESSED
+#define POLARSSL_ECP_PF_UNCOMPRESSED MBEDTLS_ECP_PF_UNCOMPRESSED
+#define POLARSSL_ECP_TLS_NAMED_CURVE MBEDTLS_ECP_TLS_NAMED_CURVE
+#define POLARSSL_ENCRYPT MBEDTLS_ENCRYPT
+#define POLARSSL_ENTROPY_H MBEDTLS_ENTROPY_H
+#define POLARSSL_ENTROPY_POLL_H MBEDTLS_ENTROPY_POLL_H
+#define POLARSSL_ENTROPY_SHA256_ACCUMULATOR MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#define POLARSSL_ENTROPY_SHA512_ACCUMULATOR MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#define POLARSSL_ERROR_H MBEDTLS_ERROR_H
+#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_ASN1_BUF_TOO_SMALL MBEDTLS_ERR_ASN1_BUF_TOO_SMALL
+#define POLARSSL_ERR_ASN1_INVALID_DATA MBEDTLS_ERR_ASN1_INVALID_DATA
+#define POLARSSL_ERR_ASN1_INVALID_LENGTH MBEDTLS_ERR_ASN1_INVALID_LENGTH
+#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+#define POLARSSL_ERR_ASN1_MALLOC_FAILED MBEDTLS_ERR_ASN1_ALLOC_FAILED
+#define POLARSSL_ERR_ASN1_OUT_OF_DATA MBEDTLS_ERR_ASN1_OUT_OF_DATA
+#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_BASE64_INVALID_CHARACTER MBEDTLS_ERR_BASE64_INVALID_CHARACTER
+#define POLARSSL_ERR_BLOWFISH_INVALID_INPUT_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_BLOWFISH_INVALID_KEY_LENGTH MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_INPUT_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_CAMELLIA_INVALID_KEY_LENGTH MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH
+#define POLARSSL_ERR_CCM_AUTH_FAILED MBEDTLS_ERR_CCM_AUTH_FAILED
+#define POLARSSL_ERR_CCM_BAD_INPUT MBEDTLS_ERR_CCM_BAD_INPUT
+#define POLARSSL_ERR_CIPHER_ALLOC_FAILED MBEDTLS_ERR_CIPHER_ALLOC_FAILED
+#define POLARSSL_ERR_CIPHER_AUTH_FAILED MBEDTLS_ERR_CIPHER_AUTH_FAILED
+#define POLARSSL_ERR_CIPHER_BAD_INPUT_DATA MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA
+#define POLARSSL_ERR_CIPHER_FEATURE_UNAVAILABLE MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_CIPHER_FULL_BLOCK_EXPECTED MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED
+#define POLARSSL_ERR_CIPHER_INVALID_PADDING MBEDTLS_ERR_CIPHER_INVALID_PADDING
+#define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_DES_INVALID_INPUT_LENGTH MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+#define POLARSSL_ERR_DHM_BAD_INPUT_DATA MBEDTLS_ERR_DHM_BAD_INPUT_DATA
+#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED MBEDTLS_ERR_DHM_CALC_SECRET_FAILED
+#define POLARSSL_ERR_DHM_FILE_IO_ERROR MBEDTLS_ERR_DHM_FILE_IO_ERROR
+#define POLARSSL_ERR_DHM_INVALID_FORMAT MBEDTLS_ERR_DHM_INVALID_FORMAT
+#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED
+#define POLARSSL_ERR_DHM_MALLOC_FAILED MBEDTLS_ERR_DHM_ALLOC_FAILED
+#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED MBEDTLS_ERR_DHM_READ_PARAMS_FAILED
+#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED
+#define POLARSSL_ERR_ECP_BAD_INPUT_DATA MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_ECP_INVALID_KEY MBEDTLS_ERR_ECP_INVALID_KEY
+#define POLARSSL_ERR_ECP_MALLOC_FAILED MBEDTLS_ERR_ECP_ALLOC_FAILED
+#define POLARSSL_ERR_ECP_RANDOM_FAILED MBEDTLS_ERR_ECP_RANDOM_FAILED
+#define POLARSSL_ERR_ECP_SIG_LEN_MISMATCH MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_ECP_VERIFY_FAILED MBEDTLS_ERR_ECP_VERIFY_FAILED
+#define POLARSSL_ERR_ENTROPY_FILE_IO_ERROR MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR
+#define POLARSSL_ERR_ENTROPY_MAX_SOURCES MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+#define POLARSSL_ERR_ENTROPY_NO_SOURCES_DEFINED MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED
+#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_GCM_AUTH_FAILED MBEDTLS_ERR_GCM_AUTH_FAILED
+#define POLARSSL_ERR_GCM_BAD_INPUT MBEDTLS_ERR_GCM_BAD_INPUT
+#define POLARSSL_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+#define POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR
+#define POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG
+#define POLARSSL_ERR_HMAC_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG
+#define POLARSSL_ERR_MD_ALLOC_FAILED MBEDTLS_ERR_MD_ALLOC_FAILED
+#define POLARSSL_ERR_MD_BAD_INPUT_DATA MBEDTLS_ERR_MD_BAD_INPUT_DATA
+#define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_MD_FILE_IO_ERROR MBEDTLS_ERR_MD_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_BAD_INPUT_DATA MBEDTLS_ERR_MPI_BAD_INPUT_DATA
+#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_MPI_DIVISION_BY_ZERO MBEDTLS_ERR_MPI_DIVISION_BY_ZERO
+#define POLARSSL_ERR_MPI_FILE_IO_ERROR MBEDTLS_ERR_MPI_FILE_IO_ERROR
+#define POLARSSL_ERR_MPI_INVALID_CHARACTER MBEDTLS_ERR_MPI_INVALID_CHARACTER
+#define POLARSSL_ERR_MPI_MALLOC_FAILED MBEDTLS_ERR_MPI_ALLOC_FAILED
+#define POLARSSL_ERR_MPI_NEGATIVE_VALUE MBEDTLS_ERR_MPI_NEGATIVE_VALUE
+#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE MBEDTLS_ERR_MPI_NOT_ACCEPTABLE
+#define POLARSSL_ERR_NET_ACCEPT_FAILED MBEDTLS_ERR_NET_ACCEPT_FAILED
+#define POLARSSL_ERR_NET_BIND_FAILED MBEDTLS_ERR_NET_BIND_FAILED
+#define POLARSSL_ERR_NET_CONNECT_FAILED MBEDTLS_ERR_NET_CONNECT_FAILED
+#define POLARSSL_ERR_NET_CONN_RESET MBEDTLS_ERR_NET_CONN_RESET
+#define POLARSSL_ERR_NET_LISTEN_FAILED MBEDTLS_ERR_NET_LISTEN_FAILED
+#define POLARSSL_ERR_NET_RECV_FAILED MBEDTLS_ERR_NET_RECV_FAILED
+#define POLARSSL_ERR_NET_SEND_FAILED MBEDTLS_ERR_NET_SEND_FAILED
+#define POLARSSL_ERR_NET_SOCKET_FAILED MBEDTLS_ERR_NET_SOCKET_FAILED
+#define POLARSSL_ERR_NET_TIMEOUT MBEDTLS_ERR_SSL_TIMEOUT
+#define POLARSSL_ERR_NET_UNKNOWN_HOST MBEDTLS_ERR_NET_UNKNOWN_HOST
+#define POLARSSL_ERR_NET_WANT_READ MBEDTLS_ERR_SSL_WANT_READ
+#define POLARSSL_ERR_NET_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
+#define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL
+#define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND
+#define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED
+#define POLARSSL_ERR_PEM_BAD_INPUT_DATA MBEDTLS_ERR_PEM_BAD_INPUT_DATA
+#define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PEM_INVALID_DATA MBEDTLS_ERR_PEM_INVALID_DATA
+#define POLARSSL_ERR_PEM_INVALID_ENC_IV MBEDTLS_ERR_PEM_INVALID_ENC_IV
+#define POLARSSL_ERR_PEM_MALLOC_FAILED MBEDTLS_ERR_PEM_ALLOC_FAILED
+#define POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
+#define POLARSSL_ERR_PEM_PASSWORD_MISMATCH MBEDTLS_ERR_PEM_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PEM_PASSWORD_REQUIRED MBEDTLS_ERR_PEM_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PEM_UNKNOWN_ENC_ALG MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
+#define POLARSSL_ERR_PKCS12_BAD_INPUT_DATA MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS12_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS12_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PKCS12_PBE_INVALID_FORMAT MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_BAD_INPUT_DATA MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA
+#define POLARSSL_ERR_PKCS5_FEATURE_UNAVAILABLE MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PKCS5_INVALID_FORMAT MBEDTLS_ERR_PKCS5_INVALID_FORMAT
+#define POLARSSL_ERR_PKCS5_PASSWORD_MISMATCH MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_BAD_INPUT_DATA MBEDTLS_ERR_PK_BAD_INPUT_DATA
+#define POLARSSL_ERR_PK_FEATURE_UNAVAILABLE MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_PK_FILE_IO_ERROR MBEDTLS_ERR_PK_FILE_IO_ERROR
+#define POLARSSL_ERR_PK_INVALID_ALG MBEDTLS_ERR_PK_INVALID_ALG
+#define POLARSSL_ERR_PK_INVALID_PUBKEY MBEDTLS_ERR_PK_INVALID_PUBKEY
+#define POLARSSL_ERR_PK_KEY_INVALID_FORMAT MBEDTLS_ERR_PK_KEY_INVALID_FORMAT
+#define POLARSSL_ERR_PK_KEY_INVALID_VERSION MBEDTLS_ERR_PK_KEY_INVALID_VERSION
+#define POLARSSL_ERR_PK_MALLOC_FAILED MBEDTLS_ERR_PK_ALLOC_FAILED
+#define POLARSSL_ERR_PK_PASSWORD_MISMATCH MBEDTLS_ERR_PK_PASSWORD_MISMATCH
+#define POLARSSL_ERR_PK_PASSWORD_REQUIRED MBEDTLS_ERR_PK_PASSWORD_REQUIRED
+#define POLARSSL_ERR_PK_SIG_LEN_MISMATCH MBEDTLS_ERR_PK_SIG_LEN_MISMATCH
+#define POLARSSL_ERR_PK_TYPE_MISMATCH MBEDTLS_ERR_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE
+#define POLARSSL_ERR_PK_UNKNOWN_PK_ALG MBEDTLS_ERR_PK_UNKNOWN_PK_ALG
+#define POLARSSL_ERR_RSA_BAD_INPUT_DATA MBEDTLS_ERR_RSA_BAD_INPUT_DATA
+#define POLARSSL_ERR_RSA_INVALID_PADDING MBEDTLS_ERR_RSA_INVALID_PADDING
+#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED MBEDTLS_ERR_RSA_KEY_CHECK_FAILED
+#define POLARSSL_ERR_RSA_KEY_GEN_FAILED MBEDTLS_ERR_RSA_KEY_GEN_FAILED
+#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
+#define POLARSSL_ERR_RSA_PRIVATE_FAILED MBEDTLS_ERR_RSA_PRIVATE_FAILED
+#define POLARSSL_ERR_RSA_PUBLIC_FAILED MBEDTLS_ERR_RSA_PUBLIC_FAILED
+#define POLARSSL_ERR_RSA_RNG_FAILED MBEDTLS_ERR_RSA_RNG_FAILED
+#define POLARSSL_ERR_RSA_VERIFY_FAILED MBEDTLS_ERR_RSA_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST
+#define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY
+#define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS
+#define POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP
+#define POLARSSL_ERR_SSL_BAD_HS_FINISHED MBEDTLS_ERR_SSL_BAD_HS_FINISHED
+#define POLARSSL_ERR_SSL_BAD_HS_NEW_SESSION_TICKET MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET
+#define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO_DONE MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE
+#define POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE
+#define POLARSSL_ERR_SSL_BAD_INPUT_DATA MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+#define POLARSSL_ERR_SSL_BUFFER_TOO_SMALL MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
+#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
+#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
+#define POLARSSL_ERR_SSL_COMPRESSION_FAILED MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+#define POLARSSL_ERR_SSL_CONN_EOF MBEDTLS_ERR_SSL_CONN_EOF
+#define POLARSSL_ERR_SSL_COUNTER_WRAPPING MBEDTLS_ERR_SSL_COUNTER_WRAPPING
+#define POLARSSL_ERR_SSL_FATAL_ALERT_MESSAGE MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
+#define POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FAILED MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
+#define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
+#define POLARSSL_ERR_SSL_INTERNAL_ERROR MBEDTLS_ERR_SSL_INTERNAL_ERROR
+#define POLARSSL_ERR_SSL_INVALID_MAC MBEDTLS_ERR_SSL_INVALID_MAC
+#define POLARSSL_ERR_SSL_INVALID_RECORD MBEDTLS_ERR_SSL_INVALID_RECORD
+#define POLARSSL_ERR_SSL_MALLOC_FAILED MBEDTLS_ERR_SSL_ALLOC_FAILED
+#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN
+#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
+#define POLARSSL_ERR_SSL_NO_RNG MBEDTLS_ERR_SSL_NO_RNG
+#define POLARSSL_ERR_SSL_NO_USABLE_CIPHERSUITE MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE
+#define POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
+#define POLARSSL_ERR_SSL_PEER_VERIFY_FAILED MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED
+#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH
+#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED
+#define POLARSSL_ERR_SSL_SESSION_TICKET_EXPIRED MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED
+#define POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
+#define POLARSSL_ERR_SSL_UNKNOWN_CIPHER MBEDTLS_ERR_SSL_UNKNOWN_CIPHER
+#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY
+#define POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
+#define POLARSSL_ERR_THREADING_BAD_INPUT_DATA MBEDTLS_ERR_THREADING_BAD_INPUT_DATA
+#define POLARSSL_ERR_THREADING_FEATURE_UNAVAILABLE MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_THREADING_MUTEX_ERROR MBEDTLS_ERR_THREADING_MUTEX_ERROR
+#define POLARSSL_ERR_X509_BAD_INPUT_DATA MBEDTLS_ERR_X509_BAD_INPUT_DATA
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT
+#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
+#define POLARSSL_ERR_X509_FILE_IO_ERROR MBEDTLS_ERR_X509_FILE_IO_ERROR
+#define POLARSSL_ERR_X509_INVALID_ALG MBEDTLS_ERR_X509_INVALID_ALG
+#define POLARSSL_ERR_X509_INVALID_DATE MBEDTLS_ERR_X509_INVALID_DATE
+#define POLARSSL_ERR_X509_INVALID_EXTENSIONS MBEDTLS_ERR_X509_INVALID_EXTENSIONS
+#define POLARSSL_ERR_X509_INVALID_FORMAT MBEDTLS_ERR_X509_INVALID_FORMAT
+#define POLARSSL_ERR_X509_INVALID_NAME MBEDTLS_ERR_X509_INVALID_NAME
+#define POLARSSL_ERR_X509_INVALID_SERIAL MBEDTLS_ERR_X509_INVALID_SERIAL
+#define POLARSSL_ERR_X509_INVALID_SIGNATURE MBEDTLS_ERR_X509_INVALID_SIGNATURE
+#define POLARSSL_ERR_X509_INVALID_VERSION MBEDTLS_ERR_X509_INVALID_VERSION
+#define POLARSSL_ERR_X509_MALLOC_FAILED MBEDTLS_ERR_X509_ALLOC_FAILED
+#define POLARSSL_ERR_X509_SIG_MISMATCH MBEDTLS_ERR_X509_SIG_MISMATCH
+#define POLARSSL_ERR_X509_UNKNOWN_OID MBEDTLS_ERR_X509_UNKNOWN_OID
+#define POLARSSL_ERR_X509_UNKNOWN_SIG_ALG MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
+#define POLARSSL_ERR_X509_UNKNOWN_VERSION MBEDTLS_ERR_X509_UNKNOWN_VERSION
+#define POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH
+#define POLARSSL_GCM_H MBEDTLS_GCM_H
+#define POLARSSL_HAVEGE_H MBEDTLS_HAVEGE_H
+#define POLARSSL_HAVE_INT32 MBEDTLS_HAVE_INT32
+#define POLARSSL_HAVE_INT64 MBEDTLS_HAVE_INT64
+#define POLARSSL_HAVE_UDBL MBEDTLS_HAVE_UDBL
+#define POLARSSL_HAVE_X86 MBEDTLS_HAVE_X86
+#define POLARSSL_HAVE_X86_64 MBEDTLS_HAVE_X86_64
+#define POLARSSL_HMAC_DRBG_H MBEDTLS_HMAC_DRBG_H
+#define POLARSSL_HMAC_DRBG_PR_OFF MBEDTLS_HMAC_DRBG_PR_OFF
+#define POLARSSL_HMAC_DRBG_PR_ON MBEDTLS_HMAC_DRBG_PR_ON
+#define POLARSSL_KEY_EXCHANGE_DHE_PSK MBEDTLS_KEY_EXCHANGE_DHE_PSK
+#define POLARSSL_KEY_EXCHANGE_DHE_RSA MBEDTLS_KEY_EXCHANGE_DHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDHE_PSK MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
+#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_ECDSA MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
+#define POLARSSL_KEY_EXCHANGE_ECDH_RSA MBEDTLS_KEY_EXCHANGE_ECDH_RSA
+#define POLARSSL_KEY_EXCHANGE_NONE MBEDTLS_KEY_EXCHANGE_NONE
+#define POLARSSL_KEY_EXCHANGE_PSK MBEDTLS_KEY_EXCHANGE_PSK
+#define POLARSSL_KEY_EXCHANGE_RSA MBEDTLS_KEY_EXCHANGE_RSA
+#define POLARSSL_KEY_EXCHANGE_RSA_PSK MBEDTLS_KEY_EXCHANGE_RSA_PSK
+#define POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
+#define POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
+#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
+#define POLARSSL_KEY_LENGTH_DES MBEDTLS_KEY_LENGTH_DES
+#define POLARSSL_KEY_LENGTH_DES_EDE MBEDTLS_KEY_LENGTH_DES_EDE
+#define POLARSSL_KEY_LENGTH_DES_EDE3 MBEDTLS_KEY_LENGTH_DES_EDE3
+#define POLARSSL_KEY_LENGTH_NONE MBEDTLS_KEY_LENGTH_NONE
+#define POLARSSL_MAX_BLOCK_LENGTH MBEDTLS_MAX_BLOCK_LENGTH
+#define POLARSSL_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
+#define POLARSSL_MD2_H MBEDTLS_MD2_H
+#define POLARSSL_MD4_H MBEDTLS_MD4_H
+#define POLARSSL_MD5_H MBEDTLS_MD5_H
+#define POLARSSL_MD_H MBEDTLS_MD_H
+#define POLARSSL_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
+#define POLARSSL_MD_MD2 MBEDTLS_MD_MD2
+#define POLARSSL_MD_MD4 MBEDTLS_MD_MD4
+#define POLARSSL_MD_MD5 MBEDTLS_MD_MD5
+#define POLARSSL_MD_NONE MBEDTLS_MD_NONE
+#define POLARSSL_MD_RIPEMD160 MBEDTLS_MD_RIPEMD160
+#define POLARSSL_MD_SHA1 MBEDTLS_MD_SHA1
+#define POLARSSL_MD_SHA224 MBEDTLS_MD_SHA224
+#define POLARSSL_MD_SHA256 MBEDTLS_MD_SHA256
+#define POLARSSL_MD_SHA384 MBEDTLS_MD_SHA384
+#define POLARSSL_MD_SHA512 MBEDTLS_MD_SHA512
+#define POLARSSL_MD_WRAP_H MBEDTLS_MD_WRAP_H
+#define POLARSSL_MEMORY_BUFFER_ALLOC_H MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define POLARSSL_MODE_CBC MBEDTLS_MODE_CBC
+#define POLARSSL_MODE_CCM MBEDTLS_MODE_CCM
+#define POLARSSL_MODE_CFB MBEDTLS_MODE_CFB
+#define POLARSSL_MODE_CTR MBEDTLS_MODE_CTR
+#define POLARSSL_MODE_ECB MBEDTLS_MODE_ECB
+#define POLARSSL_MODE_GCM MBEDTLS_MODE_GCM
+#define POLARSSL_MODE_NONE MBEDTLS_MODE_NONE
+#define POLARSSL_MODE_OFB MBEDTLS_MODE_OFB
+#define POLARSSL_MODE_STREAM MBEDTLS_MODE_STREAM
+#define POLARSSL_MPI_MAX_BITS MBEDTLS_MPI_MAX_BITS
+#define POLARSSL_MPI_MAX_BITS_SCALE100 MBEDTLS_MPI_MAX_BITS_SCALE100
+#define POLARSSL_MPI_MAX_LIMBS MBEDTLS_MPI_MAX_LIMBS
+#define POLARSSL_MPI_RW_BUFFER_SIZE MBEDTLS_MPI_RW_BUFFER_SIZE
+#define POLARSSL_NET_H MBEDTLS_NET_SOCKETS_H
+#define POLARSSL_NET_LISTEN_BACKLOG MBEDTLS_NET_LISTEN_BACKLOG
+#define POLARSSL_OID_H MBEDTLS_OID_H
+#define POLARSSL_OPERATION_NONE MBEDTLS_OPERATION_NONE
+#define POLARSSL_PADDING_NONE MBEDTLS_PADDING_NONE
+#define POLARSSL_PADDING_ONE_AND_ZEROS MBEDTLS_PADDING_ONE_AND_ZEROS
+#define POLARSSL_PADDING_PKCS7 MBEDTLS_PADDING_PKCS7
+#define POLARSSL_PADDING_ZEROS MBEDTLS_PADDING_ZEROS
+#define POLARSSL_PADDING_ZEROS_AND_LEN MBEDTLS_PADDING_ZEROS_AND_LEN
+#define POLARSSL_PADLOCK_H MBEDTLS_PADLOCK_H
+#define POLARSSL_PEM_H MBEDTLS_PEM_H
+#define POLARSSL_PKCS11_H MBEDTLS_PKCS11_H
+#define POLARSSL_PKCS12_H MBEDTLS_PKCS12_H
+#define POLARSSL_PKCS5_H MBEDTLS_PKCS5_H
+#define POLARSSL_PK_DEBUG_ECP MBEDTLS_PK_DEBUG_ECP
+#define POLARSSL_PK_DEBUG_MAX_ITEMS MBEDTLS_PK_DEBUG_MAX_ITEMS
+#define POLARSSL_PK_DEBUG_MPI MBEDTLS_PK_DEBUG_MPI
+#define POLARSSL_PK_DEBUG_NONE MBEDTLS_PK_DEBUG_NONE
+#define POLARSSL_PK_ECDSA MBEDTLS_PK_ECDSA
+#define POLARSSL_PK_ECKEY MBEDTLS_PK_ECKEY
+#define POLARSSL_PK_ECKEY_DH MBEDTLS_PK_ECKEY_DH
+#define POLARSSL_PK_H MBEDTLS_PK_H
+#define POLARSSL_PK_NONE MBEDTLS_PK_NONE
+#define POLARSSL_PK_RSA MBEDTLS_PK_RSA
+#define POLARSSL_PK_RSASSA_PSS MBEDTLS_PK_RSASSA_PSS
+#define POLARSSL_PK_RSA_ALT MBEDTLS_PK_RSA_ALT
+#define POLARSSL_PK_WRAP_H MBEDTLS_PK_WRAP_H
+#define POLARSSL_PLATFORM_H MBEDTLS_PLATFORM_H
+#define POLARSSL_PREMASTER_SIZE MBEDTLS_PREMASTER_SIZE
+#define POLARSSL_RIPEMD160_H MBEDTLS_RIPEMD160_H
+#define POLARSSL_RSA_H MBEDTLS_RSA_H
+#define POLARSSL_SHA1_H MBEDTLS_SHA1_H
+#define POLARSSL_SHA256_H MBEDTLS_SHA256_H
+#define POLARSSL_SHA512_H MBEDTLS_SHA512_H
+#define POLARSSL_SSL_CACHE_H MBEDTLS_SSL_CACHE_H
+#define POLARSSL_SSL_CIPHERSUITES_H MBEDTLS_SSL_CIPHERSUITES_H
+#define POLARSSL_SSL_COOKIE_H MBEDTLS_SSL_COOKIE_H
+#define POLARSSL_SSL_H MBEDTLS_SSL_H
+#define POLARSSL_THREADING_H MBEDTLS_THREADING_H
+#define POLARSSL_THREADING_IMPL MBEDTLS_THREADING_IMPL
+#define POLARSSL_TIMING_H MBEDTLS_TIMING_H
+#define POLARSSL_VERSION_H MBEDTLS_VERSION_H
+#define POLARSSL_VERSION_MAJOR MBEDTLS_VERSION_MAJOR
+#define POLARSSL_VERSION_MINOR MBEDTLS_VERSION_MINOR
+#define POLARSSL_VERSION_NUMBER MBEDTLS_VERSION_NUMBER
+#define POLARSSL_VERSION_PATCH MBEDTLS_VERSION_PATCH
+#define POLARSSL_VERSION_STRING MBEDTLS_VERSION_STRING
+#define POLARSSL_VERSION_STRING_FULL MBEDTLS_VERSION_STRING_FULL
+#define POLARSSL_X509_CRL_H MBEDTLS_X509_CRL_H
+#define POLARSSL_X509_CRT_H MBEDTLS_X509_CRT_H
+#define POLARSSL_X509_CSR_H MBEDTLS_X509_CSR_H
+#define POLARSSL_X509_H MBEDTLS_X509_H
+#define POLARSSL_XTEA_H MBEDTLS_XTEA_H
+#define RSA_CRYPT MBEDTLS_RSA_CRYPT
+#define RSA_PKCS_V15 MBEDTLS_RSA_PKCS_V15
+#define RSA_PKCS_V21 MBEDTLS_RSA_PKCS_V21
+#define RSA_PRIVATE MBEDTLS_RSA_PRIVATE
+#define RSA_PUBLIC MBEDTLS_RSA_PUBLIC
+#define RSA_SALT_LEN_ANY MBEDTLS_RSA_SALT_LEN_ANY
+#define RSA_SIGN MBEDTLS_RSA_SIGN
+#define SSL_ALERT_LEVEL_FATAL MBEDTLS_SSL_ALERT_LEVEL_FATAL
+#define SSL_ALERT_LEVEL_WARNING MBEDTLS_SSL_ALERT_LEVEL_WARNING
+#define SSL_ALERT_MSG_ACCESS_DENIED MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED
+#define SSL_ALERT_MSG_BAD_CERT MBEDTLS_SSL_ALERT_MSG_BAD_CERT
+#define SSL_ALERT_MSG_BAD_RECORD_MAC MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
+#define SSL_ALERT_MSG_CERT_EXPIRED MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED
+#define SSL_ALERT_MSG_CERT_REVOKED MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
+#define SSL_ALERT_MSG_CERT_UNKNOWN MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN
+#define SSL_ALERT_MSG_CLOSE_NOTIFY MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
+#define SSL_ALERT_MSG_DECODE_ERROR MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
+#define SSL_ALERT_MSG_DECOMPRESSION_FAILURE MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE
+#define SSL_ALERT_MSG_DECRYPTION_FAILED MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED
+#define SSL_ALERT_MSG_DECRYPT_ERROR MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
+#define SSL_ALERT_MSG_EXPORT_RESTRICTION MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION
+#define SSL_ALERT_MSG_HANDSHAKE_FAILURE MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
+#define SSL_ALERT_MSG_ILLEGAL_PARAMETER MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER
+#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK
+#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY
+#define SSL_ALERT_MSG_INTERNAL_ERROR MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
+#define SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL
+#define SSL_ALERT_MSG_NO_CERT MBEDTLS_SSL_ALERT_MSG_NO_CERT
+#define SSL_ALERT_MSG_NO_RENEGOTIATION MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
+#define SSL_ALERT_MSG_PROTOCOL_VERSION MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION
+#define SSL_ALERT_MSG_RECORD_OVERFLOW MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW
+#define SSL_ALERT_MSG_UNEXPECTED_MESSAGE MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
+#define SSL_ALERT_MSG_UNKNOWN_CA MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
+#define SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY
+#define SSL_ALERT_MSG_UNRECOGNIZED_NAME MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME
+#define SSL_ALERT_MSG_UNSUPPORTED_CERT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
+#define SSL_ALERT_MSG_UNSUPPORTED_EXT MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT
+#define SSL_ALERT_MSG_USER_CANCELED MBEDTLS_SSL_ALERT_MSG_USER_CANCELED
+#define SSL_ANTI_REPLAY_DISABLED MBEDTLS_SSL_ANTI_REPLAY_DISABLED
+#define SSL_ANTI_REPLAY_ENABLED MBEDTLS_SSL_ANTI_REPLAY_ENABLED
+#define SSL_ARC4_DISABLED MBEDTLS_SSL_ARC4_DISABLED
+#define SSL_ARC4_ENABLED MBEDTLS_SSL_ARC4_ENABLED
+#define SSL_BUFFER_LEN ( ( ( MBEDTLS_SSL_IN_BUFFER_LEN ) < ( MBEDTLS_SSL_OUT_BUFFER_LEN ) ) \
+                         ? ( MBEDTLS_SSL_IN_BUFFER_LEN ) : ( MBEDTLS_SSL_OUT_BUFFER_LEN ) )
+#define SSL_CACHE_DEFAULT_MAX_ENTRIES MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES
+#define SSL_CACHE_DEFAULT_TIMEOUT MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT
+#define SSL_CBC_RECORD_SPLITTING_DISABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+#define SSL_CBC_RECORD_SPLITTING_ENABLED MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
+#define SSL_CERTIFICATE_REQUEST MBEDTLS_SSL_CERTIFICATE_REQUEST
+#define SSL_CERTIFICATE_VERIFY MBEDTLS_SSL_CERTIFICATE_VERIFY
+#define SSL_CERT_TYPE_ECDSA_SIGN MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN
+#define SSL_CERT_TYPE_RSA_SIGN MBEDTLS_SSL_CERT_TYPE_RSA_SIGN
+#define SSL_CHANNEL_INBOUND MBEDTLS_SSL_CHANNEL_INBOUND
+#define SSL_CHANNEL_OUTBOUND MBEDTLS_SSL_CHANNEL_OUTBOUND
+#define SSL_CIPHERSUITES MBEDTLS_SSL_CIPHERSUITES
+#define SSL_CLIENT_CERTIFICATE MBEDTLS_SSL_CLIENT_CERTIFICATE
+#define SSL_CLIENT_CHANGE_CIPHER_SPEC MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
+#define SSL_CLIENT_FINISHED MBEDTLS_SSL_CLIENT_FINISHED
+#define SSL_CLIENT_HELLO MBEDTLS_SSL_CLIENT_HELLO
+#define SSL_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_CLIENT_KEY_EXCHANGE
+#define SSL_COMPRESSION_ADD MBEDTLS_SSL_COMPRESSION_ADD
+#define SSL_COMPRESS_DEFLATE MBEDTLS_SSL_COMPRESS_DEFLATE
+#define SSL_COMPRESS_NULL MBEDTLS_SSL_COMPRESS_NULL
+#define SSL_DEBUG_BUF MBEDTLS_SSL_DEBUG_BUF
+#define SSL_DEBUG_CRT MBEDTLS_SSL_DEBUG_CRT
+#define SSL_DEBUG_ECP MBEDTLS_SSL_DEBUG_ECP
+#define SSL_DEBUG_MPI MBEDTLS_SSL_DEBUG_MPI
+#define SSL_DEBUG_MSG MBEDTLS_SSL_DEBUG_MSG
+#define SSL_DEBUG_RET MBEDTLS_SSL_DEBUG_RET
+#define SSL_DEFAULT_TICKET_LIFETIME MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME
+#define SSL_DTLS_TIMEOUT_DFL_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
+#define SSL_DTLS_TIMEOUT_DFL_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
+#define SSL_EMPTY_RENEGOTIATION_INFO MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO
+#define SSL_ETM_DISABLED MBEDTLS_SSL_ETM_DISABLED
+#define SSL_ETM_ENABLED MBEDTLS_SSL_ETM_ENABLED
+#define SSL_EXTENDED_MS_DISABLED MBEDTLS_SSL_EXTENDED_MS_DISABLED
+#define SSL_EXTENDED_MS_ENABLED MBEDTLS_SSL_EXTENDED_MS_ENABLED
+#define SSL_FALLBACK_SCSV MBEDTLS_SSL_FALLBACK_SCSV
+#define SSL_FLUSH_BUFFERS MBEDTLS_SSL_FLUSH_BUFFERS
+#define SSL_HANDSHAKE_OVER MBEDTLS_SSL_HANDSHAKE_OVER
+#define SSL_HANDSHAKE_WRAPUP MBEDTLS_SSL_HANDSHAKE_WRAPUP
+#define SSL_HASH_MD5 MBEDTLS_SSL_HASH_MD5
+#define SSL_HASH_NONE MBEDTLS_SSL_HASH_NONE
+#define SSL_HASH_SHA1 MBEDTLS_SSL_HASH_SHA1
+#define SSL_HASH_SHA224 MBEDTLS_SSL_HASH_SHA224
+#define SSL_HASH_SHA256 MBEDTLS_SSL_HASH_SHA256
+#define SSL_HASH_SHA384 MBEDTLS_SSL_HASH_SHA384
+#define SSL_HASH_SHA512 MBEDTLS_SSL_HASH_SHA512
+#define SSL_HELLO_REQUEST MBEDTLS_SSL_HELLO_REQUEST
+#define SSL_HS_CERTIFICATE MBEDTLS_SSL_HS_CERTIFICATE
+#define SSL_HS_CERTIFICATE_REQUEST MBEDTLS_SSL_HS_CERTIFICATE_REQUEST
+#define SSL_HS_CERTIFICATE_VERIFY MBEDTLS_SSL_HS_CERTIFICATE_VERIFY
+#define SSL_HS_CLIENT_HELLO MBEDTLS_SSL_HS_CLIENT_HELLO
+#define SSL_HS_CLIENT_KEY_EXCHANGE MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE
+#define SSL_HS_FINISHED MBEDTLS_SSL_HS_FINISHED
+#define SSL_HS_HELLO_REQUEST MBEDTLS_SSL_HS_HELLO_REQUEST
+#define SSL_HS_HELLO_VERIFY_REQUEST MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
+#define SSL_HS_NEW_SESSION_TICKET MBEDTLS_SSL_HS_NEW_SESSION_TICKET
+#define SSL_HS_SERVER_HELLO MBEDTLS_SSL_HS_SERVER_HELLO
+#define SSL_HS_SERVER_HELLO_DONE MBEDTLS_SSL_HS_SERVER_HELLO_DONE
+#define SSL_HS_SERVER_KEY_EXCHANGE MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE
+#define SSL_INITIAL_HANDSHAKE MBEDTLS_SSL_INITIAL_HANDSHAKE
+#define SSL_IS_CLIENT MBEDTLS_SSL_IS_CLIENT
+#define SSL_IS_FALLBACK MBEDTLS_SSL_IS_FALLBACK
+#define SSL_IS_NOT_FALLBACK MBEDTLS_SSL_IS_NOT_FALLBACK
+#define SSL_IS_SERVER MBEDTLS_SSL_IS_SERVER
+#define SSL_LEGACY_ALLOW_RENEGOTIATION MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
+#define SSL_LEGACY_BREAK_HANDSHAKE MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
+#define SSL_LEGACY_NO_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
+#define SSL_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_RENEGOTIATION
+#define SSL_MAC_ADD MBEDTLS_SSL_MAC_ADD
+#define SSL_MAJOR_VERSION_3 MBEDTLS_SSL_MAJOR_VERSION_3
+#define SSL_MAX_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#define SSL_MAX_FRAG_LEN_1024 MBEDTLS_SSL_MAX_FRAG_LEN_1024
+#define SSL_MAX_FRAG_LEN_2048 MBEDTLS_SSL_MAX_FRAG_LEN_2048
+#define SSL_MAX_FRAG_LEN_4096 MBEDTLS_SSL_MAX_FRAG_LEN_4096
+#define SSL_MAX_FRAG_LEN_512 MBEDTLS_SSL_MAX_FRAG_LEN_512
+#define SSL_MAX_FRAG_LEN_INVALID MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
+#define SSL_MAX_FRAG_LEN_NONE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
+#define SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAX_MAJOR_VERSION
+#define SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MAX_MINOR_VERSION
+#define SSL_MINOR_VERSION_0 MBEDTLS_SSL_MINOR_VERSION_0
+#define SSL_MINOR_VERSION_1 MBEDTLS_SSL_MINOR_VERSION_1
+#define SSL_MINOR_VERSION_2 MBEDTLS_SSL_MINOR_VERSION_2
+#define SSL_MINOR_VERSION_3 MBEDTLS_SSL_MINOR_VERSION_3
+#define SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MIN_MAJOR_VERSION
+#define SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MIN_MINOR_VERSION
+#define SSL_MSG_ALERT MBEDTLS_SSL_MSG_ALERT
+#define SSL_MSG_APPLICATION_DATA MBEDTLS_SSL_MSG_APPLICATION_DATA
+#define SSL_MSG_CHANGE_CIPHER_SPEC MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
+#define SSL_MSG_HANDSHAKE MBEDTLS_SSL_MSG_HANDSHAKE
+#define SSL_PADDING_ADD MBEDTLS_SSL_PADDING_ADD
+#define SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
+#define SSL_RENEGOTIATION_DISABLED MBEDTLS_SSL_RENEGOTIATION_DISABLED
+#define SSL_RENEGOTIATION_DONE MBEDTLS_SSL_RENEGOTIATION_DONE
+#define SSL_RENEGOTIATION_ENABLED MBEDTLS_SSL_RENEGOTIATION_ENABLED
+#define SSL_RENEGOTIATION_NOT_ENFORCED MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED
+#define SSL_RENEGOTIATION_PENDING MBEDTLS_SSL_RENEGOTIATION_PENDING
+#define SSL_RENEGO_MAX_RECORDS_DEFAULT MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
+#define SSL_RETRANS_FINISHED MBEDTLS_SSL_RETRANS_FINISHED
+#define SSL_RETRANS_PREPARING MBEDTLS_SSL_RETRANS_PREPARING
+#define SSL_RETRANS_SENDING MBEDTLS_SSL_RETRANS_SENDING
+#define SSL_RETRANS_WAITING MBEDTLS_SSL_RETRANS_WAITING
+#define SSL_SECURE_RENEGOTIATION MBEDTLS_SSL_SECURE_RENEGOTIATION
+#define SSL_SERVER_CERTIFICATE MBEDTLS_SSL_SERVER_CERTIFICATE
+#define SSL_SERVER_CHANGE_CIPHER_SPEC MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
+#define SSL_SERVER_FINISHED MBEDTLS_SSL_SERVER_FINISHED
+#define SSL_SERVER_HELLO MBEDTLS_SSL_SERVER_HELLO
+#define SSL_SERVER_HELLO_DONE MBEDTLS_SSL_SERVER_HELLO_DONE
+#define SSL_SERVER_HELLO_VERIFY_REQUEST_SENT MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT
+#define SSL_SERVER_KEY_EXCHANGE MBEDTLS_SSL_SERVER_KEY_EXCHANGE
+#define SSL_SERVER_NEW_SESSION_TICKET MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET
+#define SSL_SESSION_TICKETS_DISABLED MBEDTLS_SSL_SESSION_TICKETS_DISABLED
+#define SSL_SESSION_TICKETS_ENABLED MBEDTLS_SSL_SESSION_TICKETS_ENABLED
+#define SSL_SIG_ANON MBEDTLS_SSL_SIG_ANON
+#define SSL_SIG_ECDSA MBEDTLS_SSL_SIG_ECDSA
+#define SSL_SIG_RSA MBEDTLS_SSL_SIG_RSA
+#define SSL_TRANSPORT_DATAGRAM MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#define SSL_TRANSPORT_STREAM MBEDTLS_SSL_TRANSPORT_STREAM
+#define SSL_TRUNCATED_HMAC_LEN MBEDTLS_SSL_TRUNCATED_HMAC_LEN
+#define SSL_TRUNC_HMAC_DISABLED MBEDTLS_SSL_TRUNC_HMAC_DISABLED
+#define SSL_TRUNC_HMAC_ENABLED MBEDTLS_SSL_TRUNC_HMAC_ENABLED
+#define SSL_VERIFY_DATA_MAX_LEN MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
+#define SSL_VERIFY_NONE MBEDTLS_SSL_VERIFY_NONE
+#define SSL_VERIFY_OPTIONAL MBEDTLS_SSL_VERIFY_OPTIONAL
+#define SSL_VERIFY_REQUIRED MBEDTLS_SSL_VERIFY_REQUIRED
+#define TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_AES_128_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM
+#define TLS_DHE_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8
+#define TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_AES_256_CCM MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM
+#define TLS_DHE_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8
+#define TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+#define TLS_DHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+#define TLS_DHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+#define TLS_DHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_128_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM
+#define TLS_DHE_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8
+#define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_AES_256_CCM MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM
+#define TLS_DHE_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8
+#define TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
+#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
+#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_PSK_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+#define TLS_ECDHE_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+#define TLS_ECDHE_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+#define TLS_ECDHE_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDHE_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+#define TLS_ECDHE_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+#define TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_ECDSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+#define TLS_ECDH_ECDSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+#define TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+#define TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_ECDH_RSA_WITH_NULL_SHA MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+#define TLS_ECDH_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+#define TLS_EXT_ALPN MBEDTLS_TLS_EXT_ALPN
+#define TLS_EXT_ENCRYPT_THEN_MAC MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC
+#define TLS_EXT_EXTENDED_MASTER_SECRET MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET
+#define TLS_EXT_MAX_FRAGMENT_LENGTH MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH
+#define TLS_EXT_RENEGOTIATION_INFO MBEDTLS_TLS_EXT_RENEGOTIATION_INFO
+#define TLS_EXT_SERVERNAME MBEDTLS_TLS_EXT_SERVERNAME
+#define TLS_EXT_SERVERNAME_HOSTNAME MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME
+#define TLS_EXT_SESSION_TICKET MBEDTLS_TLS_EXT_SESSION_TICKET
+#define TLS_EXT_SIG_ALG MBEDTLS_TLS_EXT_SIG_ALG
+#define TLS_EXT_SUPPORTED_ELLIPTIC_CURVES MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES
+#define TLS_EXT_SUPPORTED_POINT_FORMATS MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS
+#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT
+#define TLS_EXT_TRUNCATED_HMAC MBEDTLS_TLS_EXT_TRUNCATED_HMAC
+#define TLS_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+#define TLS_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_PSK_WITH_AES_128_CCM MBEDTLS_TLS_PSK_WITH_AES_128_CCM
+#define TLS_PSK_WITH_AES_128_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8
+#define TLS_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+#define TLS_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_PSK_WITH_AES_256_CCM MBEDTLS_TLS_PSK_WITH_AES_256_CCM
+#define TLS_PSK_WITH_AES_256_CCM_8 MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8
+#define TLS_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_PSK_WITH_NULL_SHA MBEDTLS_TLS_PSK_WITH_NULL_SHA
+#define TLS_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+#define TLS_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+#define TLS_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+#define TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+#define TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_PSK_WITH_NULL_SHA MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
+#define TLS_RSA_PSK_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
+#define TLS_RSA_PSK_WITH_NULL_SHA384 MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
+#define TLS_RSA_PSK_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+#define TLS_RSA_WITH_AES_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+#define TLS_RSA_WITH_AES_128_CCM MBEDTLS_TLS_RSA_WITH_AES_128_CCM
+#define TLS_RSA_WITH_AES_128_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8
+#define TLS_RSA_WITH_AES_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+#define TLS_RSA_WITH_AES_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+#define TLS_RSA_WITH_AES_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+#define TLS_RSA_WITH_AES_256_CCM MBEDTLS_TLS_RSA_WITH_AES_256_CCM
+#define TLS_RSA_WITH_AES_256_CCM_8 MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8
+#define TLS_RSA_WITH_AES_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+#define TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+#define TLS_RSA_WITH_DES_CBC_SHA MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
+#define TLS_RSA_WITH_NULL_MD5 MBEDTLS_TLS_RSA_WITH_NULL_MD5
+#define TLS_RSA_WITH_NULL_SHA MBEDTLS_TLS_RSA_WITH_NULL_SHA
+#define TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+#define TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+#define TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+#define X509_CRT_VERSION_1 MBEDTLS_X509_CRT_VERSION_1
+#define X509_CRT_VERSION_2 MBEDTLS_X509_CRT_VERSION_2
+#define X509_CRT_VERSION_3 MBEDTLS_X509_CRT_VERSION_3
+#define X509_FORMAT_DER MBEDTLS_X509_FORMAT_DER
+#define X509_FORMAT_PEM MBEDTLS_X509_FORMAT_PEM
+#define X509_MAX_DN_NAME_SIZE MBEDTLS_X509_MAX_DN_NAME_SIZE
+#define X509_RFC5280_MAX_SERIAL_LEN MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN
+#define X509_RFC5280_UTC_TIME_LEN MBEDTLS_X509_RFC5280_UTC_TIME_LEN
+#define XTEA_DECRYPT MBEDTLS_XTEA_DECRYPT
+#define XTEA_ENCRYPT MBEDTLS_XTEA_ENCRYPT
+#define _asn1_bitstring mbedtls_asn1_bitstring
+#define _asn1_buf mbedtls_asn1_buf
+#define _asn1_named_data mbedtls_asn1_named_data
+#define _asn1_sequence mbedtls_asn1_sequence
+#define _ssl_cache_context mbedtls_ssl_cache_context
+#define _ssl_cache_entry mbedtls_ssl_cache_entry
+#define _ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define _ssl_context mbedtls_ssl_context
+#define _ssl_flight_item mbedtls_ssl_flight_item
+#define _ssl_handshake_params mbedtls_ssl_handshake_params
+#define _ssl_key_cert mbedtls_ssl_key_cert
+#define _ssl_premaster_secret mbedtls_ssl_premaster_secret
+#define _ssl_session mbedtls_ssl_session
+#define _ssl_transform mbedtls_ssl_transform
+#define _x509_crl mbedtls_x509_crl
+#define _x509_crl_entry mbedtls_x509_crl_entry
+#define _x509_crt mbedtls_x509_crt
+#define _x509_csr mbedtls_x509_csr
+#define _x509_time mbedtls_x509_time
+#define _x509write_cert mbedtls_x509write_cert
+#define _x509write_csr mbedtls_x509write_csr
+#define aes_context mbedtls_aes_context
+#define aes_crypt_cbc mbedtls_aes_crypt_cbc
+#define aes_crypt_cfb128 mbedtls_aes_crypt_cfb128
+#define aes_crypt_cfb8 mbedtls_aes_crypt_cfb8
+#define aes_crypt_ctr mbedtls_aes_crypt_ctr
+#define aes_crypt_ecb mbedtls_aes_crypt_ecb
+#define aes_free mbedtls_aes_free
+#define aes_init mbedtls_aes_init
+#define aes_self_test mbedtls_aes_self_test
+#define aes_setkey_dec mbedtls_aes_setkey_dec
+#define aes_setkey_enc mbedtls_aes_setkey_enc
+#define aesni_crypt_ecb mbedtls_aesni_crypt_ecb
+#define aesni_gcm_mult mbedtls_aesni_gcm_mult
+#define aesni_inverse_key mbedtls_aesni_inverse_key
+#define aesni_setkey_enc mbedtls_aesni_setkey_enc
+#define aesni_supports mbedtls_aesni_has_support
+#define alarmed mbedtls_timing_alarmed
+#define arc4_context mbedtls_arc4_context
+#define arc4_crypt mbedtls_arc4_crypt
+#define arc4_free mbedtls_arc4_free
+#define arc4_init mbedtls_arc4_init
+#define arc4_self_test mbedtls_arc4_self_test
+#define arc4_setup mbedtls_arc4_setup
+#define asn1_bitstring mbedtls_asn1_bitstring
+#define asn1_buf mbedtls_asn1_buf
+#define asn1_find_named_data mbedtls_asn1_find_named_data
+#define asn1_free_named_data mbedtls_asn1_free_named_data
+#define asn1_free_named_data_list mbedtls_asn1_free_named_data_list
+#define asn1_get_alg mbedtls_asn1_get_alg
+#define asn1_get_alg_null mbedtls_asn1_get_alg_null
+#define asn1_get_bitstring mbedtls_asn1_get_bitstring
+#define asn1_get_bitstring_null mbedtls_asn1_get_bitstring_null
+#define asn1_get_bool mbedtls_asn1_get_bool
+#define asn1_get_int mbedtls_asn1_get_int
+#define asn1_get_len mbedtls_asn1_get_len
+#define asn1_get_mpi mbedtls_asn1_get_mpi
+#define asn1_get_sequence_of mbedtls_asn1_get_sequence_of
+#define asn1_get_tag mbedtls_asn1_get_tag
+#define asn1_named_data mbedtls_asn1_named_data
+#define asn1_sequence mbedtls_asn1_sequence
+#define asn1_store_named_data mbedtls_asn1_store_named_data
+#define asn1_write_algorithm_identifier mbedtls_asn1_write_algorithm_identifier
+#define asn1_write_bitstring mbedtls_asn1_write_bitstring
+#define asn1_write_bool mbedtls_asn1_write_bool
+#define asn1_write_ia5_string mbedtls_asn1_write_ia5_string
+#define asn1_write_int mbedtls_asn1_write_int
+#define asn1_write_len mbedtls_asn1_write_len
+#define asn1_write_mpi mbedtls_asn1_write_mpi
+#define asn1_write_null mbedtls_asn1_write_null
+#define asn1_write_octet_string mbedtls_asn1_write_octet_string
+#define asn1_write_oid mbedtls_asn1_write_oid
+#define asn1_write_printable_string mbedtls_asn1_write_printable_string
+#define asn1_write_raw_buffer mbedtls_asn1_write_raw_buffer
+#define asn1_write_tag mbedtls_asn1_write_tag
+#define base64_decode mbedtls_base64_decode
+#define base64_encode mbedtls_base64_encode
+#define base64_self_test mbedtls_base64_self_test
+#define blowfish_context mbedtls_blowfish_context
+#define blowfish_crypt_cbc mbedtls_blowfish_crypt_cbc
+#define blowfish_crypt_cfb64 mbedtls_blowfish_crypt_cfb64
+#define blowfish_crypt_ctr mbedtls_blowfish_crypt_ctr
+#define blowfish_crypt_ecb mbedtls_blowfish_crypt_ecb
+#define blowfish_free mbedtls_blowfish_free
+#define blowfish_init mbedtls_blowfish_init
+#define blowfish_setkey mbedtls_blowfish_setkey
+#define camellia_context mbedtls_camellia_context
+#define camellia_crypt_cbc mbedtls_camellia_crypt_cbc
+#define camellia_crypt_cfb128 mbedtls_camellia_crypt_cfb128
+#define camellia_crypt_ctr mbedtls_camellia_crypt_ctr
+#define camellia_crypt_ecb mbedtls_camellia_crypt_ecb
+#define camellia_free mbedtls_camellia_free
+#define camellia_init mbedtls_camellia_init
+#define camellia_self_test mbedtls_camellia_self_test
+#define camellia_setkey_dec mbedtls_camellia_setkey_dec
+#define camellia_setkey_enc mbedtls_camellia_setkey_enc
+#define ccm_auth_decrypt mbedtls_ccm_auth_decrypt
+#define ccm_context mbedtls_ccm_context
+#define ccm_encrypt_and_tag mbedtls_ccm_encrypt_and_tag
+#define ccm_free mbedtls_ccm_free
+#define ccm_init mbedtls_ccm_init
+#define ccm_self_test mbedtls_ccm_self_test
+#define cipher_auth_decrypt mbedtls_cipher_auth_decrypt
+#define cipher_auth_encrypt mbedtls_cipher_auth_encrypt
+#define cipher_base_t mbedtls_cipher_base_t
+#define cipher_check_tag mbedtls_cipher_check_tag
+#define cipher_context_t mbedtls_cipher_context_t
+#define cipher_crypt mbedtls_cipher_crypt
+#define cipher_definition_t mbedtls_cipher_definition_t
+#define cipher_definitions mbedtls_cipher_definitions
+#define cipher_finish mbedtls_cipher_finish
+#define cipher_free mbedtls_cipher_free
+#define cipher_get_block_size mbedtls_cipher_get_block_size
+#define cipher_get_cipher_mode mbedtls_cipher_get_cipher_mode
+#define cipher_get_iv_size mbedtls_cipher_get_iv_size
+#define cipher_get_key_size mbedtls_cipher_get_key_bitlen
+#define cipher_get_name mbedtls_cipher_get_name
+#define cipher_get_operation mbedtls_cipher_get_operation
+#define cipher_get_type mbedtls_cipher_get_type
+#define cipher_id_t mbedtls_cipher_id_t
+#define cipher_info_from_string mbedtls_cipher_info_from_string
+#define cipher_info_from_type mbedtls_cipher_info_from_type
+#define cipher_info_from_values mbedtls_cipher_info_from_values
+#define cipher_info_t mbedtls_cipher_info_t
+#define cipher_init mbedtls_cipher_init
+#define cipher_init_ctx mbedtls_cipher_setup
+#define cipher_list mbedtls_cipher_list
+#define cipher_mode_t mbedtls_cipher_mode_t
+#define cipher_padding_t mbedtls_cipher_padding_t
+#define cipher_reset mbedtls_cipher_reset
+#define cipher_set_iv mbedtls_cipher_set_iv
+#define cipher_set_padding_mode mbedtls_cipher_set_padding_mode
+#define cipher_setkey mbedtls_cipher_setkey
+#define cipher_type_t mbedtls_cipher_type_t
+#define cipher_update mbedtls_cipher_update
+#define cipher_update_ad mbedtls_cipher_update_ad
+#define cipher_write_tag mbedtls_cipher_write_tag
+#define ctr_drbg_context mbedtls_ctr_drbg_context
+#define ctr_drbg_free mbedtls_ctr_drbg_free
+#define ctr_drbg_init mbedtls_ctr_drbg_init
+#define ctr_drbg_random mbedtls_ctr_drbg_random
+#define ctr_drbg_random_with_add mbedtls_ctr_drbg_random_with_add
+#define ctr_drbg_reseed mbedtls_ctr_drbg_reseed
+#define ctr_drbg_self_test mbedtls_ctr_drbg_self_test
+#define ctr_drbg_set_entropy_len mbedtls_ctr_drbg_set_entropy_len
+#define ctr_drbg_set_prediction_resistance mbedtls_ctr_drbg_set_prediction_resistance
+#define ctr_drbg_set_reseed_interval mbedtls_ctr_drbg_set_reseed_interval
+#define ctr_drbg_update mbedtls_ctr_drbg_update
+#define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
+#define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
+#define debug_print_buf mbedtls_debug_print_buf
+#define debug_print_crt mbedtls_debug_print_crt
+#define debug_print_ecp mbedtls_debug_print_ecp
+#define debug_print_mpi mbedtls_debug_print_mpi
+#define debug_print_msg mbedtls_debug_print_msg
+#define debug_print_ret mbedtls_debug_print_ret
+#define debug_set_threshold mbedtls_debug_set_threshold
+#define des3_context mbedtls_des3_context
+#define des3_crypt_cbc mbedtls_des3_crypt_cbc
+#define des3_crypt_ecb mbedtls_des3_crypt_ecb
+#define des3_free mbedtls_des3_free
+#define des3_init mbedtls_des3_init
+#define des3_set2key_dec mbedtls_des3_set2key_dec
+#define des3_set2key_enc mbedtls_des3_set2key_enc
+#define des3_set3key_dec mbedtls_des3_set3key_dec
+#define des3_set3key_enc mbedtls_des3_set3key_enc
+#define des_context mbedtls_des_context
+#define des_crypt_cbc mbedtls_des_crypt_cbc
+#define des_crypt_ecb mbedtls_des_crypt_ecb
+#define des_free mbedtls_des_free
+#define des_init mbedtls_des_init
+#define des_key_check_key_parity mbedtls_des_key_check_key_parity
+#define des_key_check_weak mbedtls_des_key_check_weak
+#define des_key_set_parity mbedtls_des_key_set_parity
+#define des_self_test mbedtls_des_self_test
+#define des_setkey_dec mbedtls_des_setkey_dec
+#define des_setkey_enc mbedtls_des_setkey_enc
+#define dhm_calc_secret mbedtls_dhm_calc_secret
+#define dhm_context mbedtls_dhm_context
+#define dhm_free mbedtls_dhm_free
+#define dhm_init mbedtls_dhm_init
+#define dhm_make_params mbedtls_dhm_make_params
+#define dhm_make_public mbedtls_dhm_make_public
+#define dhm_parse_dhm mbedtls_dhm_parse_dhm
+#define dhm_parse_dhmfile mbedtls_dhm_parse_dhmfile
+#define dhm_read_params mbedtls_dhm_read_params
+#define dhm_read_public mbedtls_dhm_read_public
+#define dhm_self_test mbedtls_dhm_self_test
+#define ecdh_calc_secret mbedtls_ecdh_calc_secret
+#define ecdh_compute_shared mbedtls_ecdh_compute_shared
+#define ecdh_context mbedtls_ecdh_context
+#define ecdh_free mbedtls_ecdh_free
+#define ecdh_gen_public mbedtls_ecdh_gen_public
+#define ecdh_get_params mbedtls_ecdh_get_params
+#define ecdh_init mbedtls_ecdh_init
+#define ecdh_make_params mbedtls_ecdh_make_params
+#define ecdh_make_public mbedtls_ecdh_make_public
+#define ecdh_read_params mbedtls_ecdh_read_params
+#define ecdh_read_public mbedtls_ecdh_read_public
+#define ecdh_side mbedtls_ecdh_side
+#define ecdsa_context mbedtls_ecdsa_context
+#define ecdsa_free mbedtls_ecdsa_free
+#define ecdsa_from_keypair mbedtls_ecdsa_from_keypair
+#define ecdsa_genkey mbedtls_ecdsa_genkey
+#define ecdsa_info mbedtls_ecdsa_info
+#define ecdsa_init mbedtls_ecdsa_init
+#define ecdsa_read_signature mbedtls_ecdsa_read_signature
+#define ecdsa_sign mbedtls_ecdsa_sign
+#define ecdsa_sign_det mbedtls_ecdsa_sign_det
+#define ecdsa_verify mbedtls_ecdsa_verify
+#define ecdsa_write_signature mbedtls_ecdsa_write_signature
+#define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
+#define eckey_info mbedtls_eckey_info
+#define eckeydh_info mbedtls_eckeydh_info
+#define ecp_check_privkey mbedtls_ecp_check_privkey
+#define ecp_check_pub_priv mbedtls_ecp_check_pub_priv
+#define ecp_check_pubkey mbedtls_ecp_check_pubkey
+#define ecp_copy mbedtls_ecp_copy
+#define ecp_curve_info mbedtls_ecp_curve_info
+#define ecp_curve_info_from_grp_id mbedtls_ecp_curve_info_from_grp_id
+#define ecp_curve_info_from_name mbedtls_ecp_curve_info_from_name
+#define ecp_curve_info_from_tls_id mbedtls_ecp_curve_info_from_tls_id
+#define ecp_curve_list mbedtls_ecp_curve_list
+#define ecp_gen_key mbedtls_ecp_gen_key
+#define ecp_gen_keypair mbedtls_ecp_gen_keypair
+#define ecp_group mbedtls_ecp_group
+#define ecp_group_copy mbedtls_ecp_group_copy
+#define ecp_group_free mbedtls_ecp_group_free
+#define ecp_group_id mbedtls_ecp_group_id
+#define ecp_group_init mbedtls_ecp_group_init
+#define ecp_grp_id_list mbedtls_ecp_grp_id_list
+#define ecp_is_zero mbedtls_ecp_is_zero
+#define ecp_keypair mbedtls_ecp_keypair
+#define ecp_keypair_free mbedtls_ecp_keypair_free
+#define ecp_keypair_init mbedtls_ecp_keypair_init
+#define ecp_mul mbedtls_ecp_mul
+#define ecp_point mbedtls_ecp_point
+#define ecp_point_free mbedtls_ecp_point_free
+#define ecp_point_init mbedtls_ecp_point_init
+#define ecp_point_read_binary mbedtls_ecp_point_read_binary
+#define ecp_point_read_string mbedtls_ecp_point_read_string
+#define ecp_point_write_binary mbedtls_ecp_point_write_binary
+#define ecp_self_test mbedtls_ecp_self_test
+#define ecp_set_zero mbedtls_ecp_set_zero
+#define ecp_tls_read_group mbedtls_ecp_tls_read_group
+#define ecp_tls_read_point mbedtls_ecp_tls_read_point
+#define ecp_tls_write_group mbedtls_ecp_tls_write_group
+#define ecp_tls_write_point mbedtls_ecp_tls_write_point
+#define ecp_use_known_dp mbedtls_ecp_group_load
+#define entropy_add_source mbedtls_entropy_add_source
+#define entropy_context mbedtls_entropy_context
+#define entropy_free mbedtls_entropy_free
+#define entropy_func mbedtls_entropy_func
+#define entropy_gather mbedtls_entropy_gather
+#define entropy_init mbedtls_entropy_init
+#define entropy_self_test mbedtls_entropy_self_test
+#define entropy_update_manual mbedtls_entropy_update_manual
+#define entropy_update_seed_file mbedtls_entropy_update_seed_file
+#define entropy_write_seed_file mbedtls_entropy_write_seed_file
+#define error_strerror mbedtls_strerror
+#define f_source_ptr mbedtls_entropy_f_source_ptr
+#define gcm_auth_decrypt mbedtls_gcm_auth_decrypt
+#define gcm_context mbedtls_gcm_context
+#define gcm_crypt_and_tag mbedtls_gcm_crypt_and_tag
+#define gcm_finish mbedtls_gcm_finish
+#define gcm_free mbedtls_gcm_free
+#define gcm_init mbedtls_gcm_init
+#define gcm_self_test mbedtls_gcm_self_test
+#define gcm_starts mbedtls_gcm_starts
+#define gcm_update mbedtls_gcm_update
+#define get_timer mbedtls_timing_get_timer
+#define hardclock mbedtls_timing_hardclock
+#define hardclock_poll mbedtls_hardclock_poll
+#define havege_free mbedtls_havege_free
+#define havege_init mbedtls_havege_init
+#define havege_poll mbedtls_havege_poll
+#define havege_random mbedtls_havege_random
+#define havege_state mbedtls_havege_state
+#define hmac_drbg_context mbedtls_hmac_drbg_context
+#define hmac_drbg_free mbedtls_hmac_drbg_free
+#define hmac_drbg_init mbedtls_hmac_drbg_init
+#define hmac_drbg_random mbedtls_hmac_drbg_random
+#define hmac_drbg_random_with_add mbedtls_hmac_drbg_random_with_add
+#define hmac_drbg_reseed mbedtls_hmac_drbg_reseed
+#define hmac_drbg_self_test mbedtls_hmac_drbg_self_test
+#define hmac_drbg_set_entropy_len mbedtls_hmac_drbg_set_entropy_len
+#define hmac_drbg_set_prediction_resistance mbedtls_hmac_drbg_set_prediction_resistance
+#define hmac_drbg_set_reseed_interval mbedtls_hmac_drbg_set_reseed_interval
+#define hmac_drbg_update mbedtls_hmac_drbg_update
+#define hmac_drbg_update_seed_file mbedtls_hmac_drbg_update_seed_file
+#define hmac_drbg_write_seed_file mbedtls_hmac_drbg_write_seed_file
+#define hr_time mbedtls_timing_hr_time
+#define key_exchange_type_t mbedtls_key_exchange_type_t
+#define md mbedtls_md
+#define md2 mbedtls_md2
+#define md2_context mbedtls_md2_context
+#define md2_finish mbedtls_md2_finish
+#define md2_free mbedtls_md2_free
+#define md2_info mbedtls_md2_info
+#define md2_init mbedtls_md2_init
+#define md2_process mbedtls_md2_process
+#define md2_self_test mbedtls_md2_self_test
+#define md2_starts mbedtls_md2_starts
+#define md2_update mbedtls_md2_update
+#define md4 mbedtls_md4
+#define md4_context mbedtls_md4_context
+#define md4_finish mbedtls_md4_finish
+#define md4_free mbedtls_md4_free
+#define md4_info mbedtls_md4_info
+#define md4_init mbedtls_md4_init
+#define md4_process mbedtls_md4_process
+#define md4_self_test mbedtls_md4_self_test
+#define md4_starts mbedtls_md4_starts
+#define md4_update mbedtls_md4_update
+#define md5 mbedtls_md5
+#define md5_context mbedtls_md5_context
+#define md5_finish mbedtls_md5_finish
+#define md5_free mbedtls_md5_free
+#define md5_info mbedtls_md5_info
+#define md5_init mbedtls_md5_init
+#define md5_process mbedtls_md5_process
+#define md5_self_test mbedtls_md5_self_test
+#define md5_starts mbedtls_md5_starts
+#define md5_update mbedtls_md5_update
+#define md_context_t mbedtls_md_context_t
+#define md_file mbedtls_md_file
+#define md_finish mbedtls_md_finish
+#define md_free mbedtls_md_free
+#define md_get_name mbedtls_md_get_name
+#define md_get_size mbedtls_md_get_size
+#define md_get_type mbedtls_md_get_type
+#define md_hmac mbedtls_md_hmac
+#define md_hmac_finish mbedtls_md_hmac_finish
+#define md_hmac_reset mbedtls_md_hmac_reset
+#define md_hmac_starts mbedtls_md_hmac_starts
+#define md_hmac_update mbedtls_md_hmac_update
+#define md_info_from_string mbedtls_md_info_from_string
+#define md_info_from_type mbedtls_md_info_from_type
+#define md_info_t mbedtls_md_info_t
+#define md_init mbedtls_md_init
+#define md_init_ctx mbedtls_md_init_ctx
+#define md_list mbedtls_md_list
+#define md_process mbedtls_md_process
+#define md_starts mbedtls_md_starts
+#define md_type_t mbedtls_md_type_t
+#define md_update mbedtls_md_update
+#define memory_buffer_alloc_cur_get mbedtls_memory_buffer_alloc_cur_get
+#define memory_buffer_alloc_free mbedtls_memory_buffer_alloc_free
+#define memory_buffer_alloc_init mbedtls_memory_buffer_alloc_init
+#define memory_buffer_alloc_max_get mbedtls_memory_buffer_alloc_max_get
+#define memory_buffer_alloc_max_reset mbedtls_memory_buffer_alloc_max_reset
+#define memory_buffer_alloc_self_test mbedtls_memory_buffer_alloc_self_test
+#define memory_buffer_alloc_status mbedtls_memory_buffer_alloc_status
+#define memory_buffer_alloc_verify mbedtls_memory_buffer_alloc_verify
+#define memory_buffer_set_verify mbedtls_memory_buffer_set_verify
+#define mpi mbedtls_mpi
+#define mpi_add_abs mbedtls_mpi_add_abs
+#define mpi_add_int mbedtls_mpi_add_int
+#define mpi_add_mpi mbedtls_mpi_add_mpi
+#define mpi_cmp_abs mbedtls_mpi_cmp_abs
+#define mpi_cmp_int mbedtls_mpi_cmp_int
+#define mpi_cmp_mpi mbedtls_mpi_cmp_mpi
+#define mpi_copy mbedtls_mpi_copy
+#define mpi_div_int mbedtls_mpi_div_int
+#define mpi_div_mpi mbedtls_mpi_div_mpi
+#define mpi_exp_mod mbedtls_mpi_exp_mod
+#define mpi_fill_random mbedtls_mpi_fill_random
+#define mpi_free mbedtls_mpi_free
+#define mpi_gcd mbedtls_mpi_gcd
+#define mpi_gen_prime mbedtls_mpi_gen_prime
+#define mpi_get_bit mbedtls_mpi_get_bit
+#define mpi_grow mbedtls_mpi_grow
+#define mpi_init mbedtls_mpi_init
+#define mpi_inv_mod mbedtls_mpi_inv_mod
+#define mpi_is_prime mbedtls_mpi_is_prime
+#define mpi_lsb mbedtls_mpi_lsb
+#define mpi_lset mbedtls_mpi_lset
+#define mpi_mod_int mbedtls_mpi_mod_int
+#define mpi_mod_mpi mbedtls_mpi_mod_mpi
+#define mpi_msb mbedtls_mpi_bitlen
+#define mpi_mul_int mbedtls_mpi_mul_int
+#define mpi_mul_mpi mbedtls_mpi_mul_mpi
+#define mpi_read_binary mbedtls_mpi_read_binary
+#define mpi_read_file mbedtls_mpi_read_file
+#define mpi_read_string mbedtls_mpi_read_string
+#define mpi_safe_cond_assign mbedtls_mpi_safe_cond_assign
+#define mpi_safe_cond_swap mbedtls_mpi_safe_cond_swap
+#define mpi_self_test mbedtls_mpi_self_test
+#define mpi_set_bit mbedtls_mpi_set_bit
+#define mpi_shift_l mbedtls_mpi_shift_l
+#define mpi_shift_r mbedtls_mpi_shift_r
+#define mpi_shrink mbedtls_mpi_shrink
+#define mpi_size mbedtls_mpi_size
+#define mpi_sub_abs mbedtls_mpi_sub_abs
+#define mpi_sub_int mbedtls_mpi_sub_int
+#define mpi_sub_mpi mbedtls_mpi_sub_mpi
+#define mpi_swap mbedtls_mpi_swap
+#define mpi_write_binary mbedtls_mpi_write_binary
+#define mpi_write_file mbedtls_mpi_write_file
+#define mpi_write_string mbedtls_mpi_write_string
+#define net_accept mbedtls_net_accept
+#define net_bind mbedtls_net_bind
+#define net_close mbedtls_net_free
+#define net_connect mbedtls_net_connect
+#define net_recv mbedtls_net_recv
+#define net_recv_timeout mbedtls_net_recv_timeout
+#define net_send mbedtls_net_send
+#define net_set_block mbedtls_net_set_block
+#define net_set_nonblock mbedtls_net_set_nonblock
+#define net_usleep mbedtls_net_usleep
+#define oid_descriptor_t mbedtls_oid_descriptor_t
+#define oid_get_attr_short_name mbedtls_oid_get_attr_short_name
+#define oid_get_cipher_alg mbedtls_oid_get_cipher_alg
+#define oid_get_ec_grp mbedtls_oid_get_ec_grp
+#define oid_get_extended_key_usage mbedtls_oid_get_extended_key_usage
+#define oid_get_md_alg mbedtls_oid_get_md_alg
+#define oid_get_numeric_string mbedtls_oid_get_numeric_string
+#define oid_get_oid_by_ec_grp mbedtls_oid_get_oid_by_ec_grp
+#define oid_get_oid_by_md mbedtls_oid_get_oid_by_md
+#define oid_get_oid_by_pk_alg mbedtls_oid_get_oid_by_pk_alg
+#define oid_get_oid_by_sig_alg mbedtls_oid_get_oid_by_sig_alg
+#define oid_get_pk_alg mbedtls_oid_get_pk_alg
+#define oid_get_pkcs12_pbe_alg mbedtls_oid_get_pkcs12_pbe_alg
+#define oid_get_sig_alg mbedtls_oid_get_sig_alg
+#define oid_get_sig_alg_desc mbedtls_oid_get_sig_alg_desc
+#define oid_get_x509_ext_type mbedtls_oid_get_x509_ext_type
+#define operation_t mbedtls_operation_t
+#define padlock_supports mbedtls_padlock_has_support
+#define padlock_xcryptcbc mbedtls_padlock_xcryptcbc
+#define padlock_xcryptecb mbedtls_padlock_xcryptecb
+#define pem_context mbedtls_pem_context
+#define pem_free mbedtls_pem_free
+#define pem_init mbedtls_pem_init
+#define pem_read_buffer mbedtls_pem_read_buffer
+#define pem_write_buffer mbedtls_pem_write_buffer
+#define pk_can_do mbedtls_pk_can_do
+#define pk_check_pair mbedtls_pk_check_pair
+#define pk_context mbedtls_pk_context
+#define pk_debug mbedtls_pk_debug
+#define pk_debug_item mbedtls_pk_debug_item
+#define pk_debug_type mbedtls_pk_debug_type
+#define pk_decrypt mbedtls_pk_decrypt
+#define pk_ec mbedtls_pk_ec
+#define pk_encrypt mbedtls_pk_encrypt
+#define pk_free mbedtls_pk_free
+#define pk_get_len mbedtls_pk_get_len
+#define pk_get_name mbedtls_pk_get_name
+#define pk_get_size mbedtls_pk_get_bitlen
+#define pk_get_type mbedtls_pk_get_type
+#define pk_info_from_type mbedtls_pk_info_from_type
+#define pk_info_t mbedtls_pk_info_t
+#define pk_init mbedtls_pk_init
+#define pk_init_ctx mbedtls_pk_setup
+#define pk_init_ctx_rsa_alt mbedtls_pk_setup_rsa_alt
+#define pk_load_file mbedtls_pk_load_file
+#define pk_parse_key mbedtls_pk_parse_key
+#define pk_parse_keyfile mbedtls_pk_parse_keyfile
+#define pk_parse_public_key mbedtls_pk_parse_public_key
+#define pk_parse_public_keyfile mbedtls_pk_parse_public_keyfile
+#define pk_parse_subpubkey mbedtls_pk_parse_subpubkey
+#define pk_rsa mbedtls_pk_rsa
+#define pk_rsa_alt_decrypt_func mbedtls_pk_rsa_alt_decrypt_func
+#define pk_rsa_alt_key_len_func mbedtls_pk_rsa_alt_key_len_func
+#define pk_rsa_alt_sign_func mbedtls_pk_rsa_alt_sign_func
+#define pk_rsassa_pss_options mbedtls_pk_rsassa_pss_options
+#define pk_sign mbedtls_pk_sign
+#define pk_type_t mbedtls_pk_type_t
+#define pk_verify mbedtls_pk_verify
+#define pk_verify_ext mbedtls_pk_verify_ext
+#define pk_write_key_der mbedtls_pk_write_key_der
+#define pk_write_key_pem mbedtls_pk_write_key_pem
+#define pk_write_pubkey mbedtls_pk_write_pubkey
+#define pk_write_pubkey_der mbedtls_pk_write_pubkey_der
+#define pk_write_pubkey_pem mbedtls_pk_write_pubkey_pem
+#define pkcs11_context mbedtls_pkcs11_context
+#define pkcs11_decrypt mbedtls_pkcs11_decrypt
+#define pkcs11_priv_key_free mbedtls_pkcs11_priv_key_free
+#define pkcs11_priv_key_init mbedtls_pkcs11_priv_key_bind
+#define pkcs11_sign mbedtls_pkcs11_sign
+#define pkcs11_x509_cert_init mbedtls_pkcs11_x509_cert_bind
+#define pkcs12_derivation mbedtls_pkcs12_derivation
+#define pkcs12_pbe mbedtls_pkcs12_pbe
+#define pkcs12_pbe_sha1_rc4_128 mbedtls_pkcs12_pbe_sha1_rc4_128
+#define pkcs5_pbes2 mbedtls_pkcs5_pbes2
+#define pkcs5_pbkdf2_hmac mbedtls_pkcs5_pbkdf2_hmac
+#define pkcs5_self_test mbedtls_pkcs5_self_test
+#define platform_entropy_poll mbedtls_platform_entropy_poll
+#define platform_set_exit mbedtls_platform_set_exit
+#define platform_set_fprintf mbedtls_platform_set_fprintf
+#define platform_set_printf mbedtls_platform_set_printf
+#define platform_set_snprintf mbedtls_platform_set_snprintf
+#define polarssl_exit mbedtls_exit
+#define polarssl_fprintf mbedtls_fprintf
+#define polarssl_free mbedtls_free
+#define polarssl_mutex_free mbedtls_mutex_free
+#define polarssl_mutex_init mbedtls_mutex_init
+#define polarssl_mutex_lock mbedtls_mutex_lock
+#define polarssl_mutex_unlock mbedtls_mutex_unlock
+#define polarssl_printf mbedtls_printf
+#define polarssl_snprintf mbedtls_snprintf
+#define polarssl_strerror mbedtls_strerror
+#define ripemd160 mbedtls_ripemd160
+#define ripemd160_context mbedtls_ripemd160_context
+#define ripemd160_finish mbedtls_ripemd160_finish
+#define ripemd160_free mbedtls_ripemd160_free
+#define ripemd160_info mbedtls_ripemd160_info
+#define ripemd160_init mbedtls_ripemd160_init
+#define ripemd160_process mbedtls_ripemd160_process
+#define ripemd160_self_test mbedtls_ripemd160_self_test
+#define ripemd160_starts mbedtls_ripemd160_starts
+#define ripemd160_update mbedtls_ripemd160_update
+#define rsa_alt_context mbedtls_rsa_alt_context
+#define rsa_alt_info mbedtls_rsa_alt_info
+#define rsa_check_privkey mbedtls_rsa_check_privkey
+#define rsa_check_pub_priv mbedtls_rsa_check_pub_priv
+#define rsa_check_pubkey mbedtls_rsa_check_pubkey
+#define rsa_context mbedtls_rsa_context
+#define rsa_copy mbedtls_rsa_copy
+#define rsa_free mbedtls_rsa_free
+#define rsa_gen_key mbedtls_rsa_gen_key
+#define rsa_info mbedtls_rsa_info
+#define rsa_init mbedtls_rsa_init
+#define rsa_pkcs1_decrypt mbedtls_rsa_pkcs1_decrypt
+#define rsa_pkcs1_encrypt mbedtls_rsa_pkcs1_encrypt
+#define rsa_pkcs1_sign mbedtls_rsa_pkcs1_sign
+#define rsa_pkcs1_verify mbedtls_rsa_pkcs1_verify
+#define rsa_private mbedtls_rsa_private
+#define rsa_public mbedtls_rsa_public
+#define rsa_rsaes_oaep_decrypt mbedtls_rsa_rsaes_oaep_decrypt
+#define rsa_rsaes_oaep_encrypt mbedtls_rsa_rsaes_oaep_encrypt
+#define rsa_rsaes_pkcs1_v15_decrypt mbedtls_rsa_rsaes_pkcs1_v15_decrypt
+#define rsa_rsaes_pkcs1_v15_encrypt mbedtls_rsa_rsaes_pkcs1_v15_encrypt
+#define rsa_rsassa_pkcs1_v15_sign mbedtls_rsa_rsassa_pkcs1_v15_sign
+#define rsa_rsassa_pkcs1_v15_verify mbedtls_rsa_rsassa_pkcs1_v15_verify
+#define rsa_rsassa_pss_sign mbedtls_rsa_rsassa_pss_sign
+#define rsa_rsassa_pss_verify mbedtls_rsa_rsassa_pss_verify
+#define rsa_rsassa_pss_verify_ext mbedtls_rsa_rsassa_pss_verify_ext
+#define rsa_self_test mbedtls_rsa_self_test
+#define rsa_set_padding mbedtls_rsa_set_padding
+#define safer_memcmp mbedtls_ssl_safer_memcmp
+#define set_alarm mbedtls_set_alarm
+#define sha1 mbedtls_sha1
+#define sha1_context mbedtls_sha1_context
+#define sha1_finish mbedtls_sha1_finish
+#define sha1_free mbedtls_sha1_free
+#define sha1_info mbedtls_sha1_info
+#define sha1_init mbedtls_sha1_init
+#define sha1_process mbedtls_sha1_process
+#define sha1_self_test mbedtls_sha1_self_test
+#define sha1_starts mbedtls_sha1_starts
+#define sha1_update mbedtls_sha1_update
+#define sha224_info mbedtls_sha224_info
+#define sha256 mbedtls_sha256
+#define sha256_context mbedtls_sha256_context
+#define sha256_finish mbedtls_sha256_finish
+#define sha256_free mbedtls_sha256_free
+#define sha256_info mbedtls_sha256_info
+#define sha256_init mbedtls_sha256_init
+#define sha256_process mbedtls_sha256_process
+#define sha256_self_test mbedtls_sha256_self_test
+#define sha256_starts mbedtls_sha256_starts
+#define sha256_update mbedtls_sha256_update
+#define sha384_info mbedtls_sha384_info
+#define sha512 mbedtls_sha512
+#define sha512_context mbedtls_sha512_context
+#define sha512_finish mbedtls_sha512_finish
+#define sha512_free mbedtls_sha512_free
+#define sha512_info mbedtls_sha512_info
+#define sha512_init mbedtls_sha512_init
+#define sha512_process mbedtls_sha512_process
+#define sha512_self_test mbedtls_sha512_self_test
+#define sha512_starts mbedtls_sha512_starts
+#define sha512_update mbedtls_sha512_update
+#define source_state mbedtls_entropy_source_state
+#define ssl_cache_context mbedtls_ssl_cache_context
+#define ssl_cache_entry mbedtls_ssl_cache_entry
+#define ssl_cache_free mbedtls_ssl_cache_free
+#define ssl_cache_get mbedtls_ssl_cache_get
+#define ssl_cache_init mbedtls_ssl_cache_init
+#define ssl_cache_set mbedtls_ssl_cache_set
+#define ssl_cache_set_max_entries mbedtls_ssl_cache_set_max_entries
+#define ssl_cache_set_timeout mbedtls_ssl_cache_set_timeout
+#define ssl_check_cert_usage mbedtls_ssl_check_cert_usage
+#define ssl_ciphersuite_from_id mbedtls_ssl_ciphersuite_from_id
+#define ssl_ciphersuite_from_string mbedtls_ssl_ciphersuite_from_string
+#define ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t
+#define ssl_ciphersuite_uses_ec mbedtls_ssl_ciphersuite_uses_ec
+#define ssl_ciphersuite_uses_psk mbedtls_ssl_ciphersuite_uses_psk
+#define ssl_close_notify mbedtls_ssl_close_notify
+#define ssl_context mbedtls_ssl_context
+#define ssl_cookie_check mbedtls_ssl_cookie_check
+#define ssl_cookie_check_t mbedtls_ssl_cookie_check_t
+#define ssl_cookie_ctx mbedtls_ssl_cookie_ctx
+#define ssl_cookie_free mbedtls_ssl_cookie_free
+#define ssl_cookie_init mbedtls_ssl_cookie_init
+#define ssl_cookie_set_timeout mbedtls_ssl_cookie_set_timeout
+#define ssl_cookie_setup mbedtls_ssl_cookie_setup
+#define ssl_cookie_write mbedtls_ssl_cookie_write
+#define ssl_cookie_write_t mbedtls_ssl_cookie_write_t
+#define ssl_derive_keys mbedtls_ssl_derive_keys
+#define ssl_dtls_replay_check mbedtls_ssl_dtls_replay_check
+#define ssl_dtls_replay_update mbedtls_ssl_dtls_replay_update
+#define ssl_fetch_input mbedtls_ssl_fetch_input
+#define ssl_flight_item mbedtls_ssl_flight_item
+#define ssl_flush_output mbedtls_ssl_flush_output
+#define ssl_free mbedtls_ssl_free
+#define ssl_get_alpn_protocol mbedtls_ssl_get_alpn_protocol
+#define ssl_get_bytes_avail mbedtls_ssl_get_bytes_avail
+#define ssl_get_ciphersuite mbedtls_ssl_get_ciphersuite
+#define ssl_get_ciphersuite_id mbedtls_ssl_get_ciphersuite_id
+#define ssl_get_ciphersuite_name mbedtls_ssl_get_ciphersuite_name
+#define ssl_get_ciphersuite_sig_pk_alg mbedtls_ssl_get_ciphersuite_sig_pk_alg
+#define ssl_get_peer_cert mbedtls_ssl_get_peer_cert
+#define ssl_get_record_expansion mbedtls_ssl_get_record_expansion
+#define ssl_get_session mbedtls_ssl_get_session
+#define ssl_get_verify_result mbedtls_ssl_get_verify_result
+#define ssl_get_version mbedtls_ssl_get_version
+#define ssl_handshake mbedtls_ssl_handshake
+#define ssl_handshake_client_step mbedtls_ssl_handshake_client_step
+#define ssl_handshake_free mbedtls_ssl_handshake_free
+#define ssl_handshake_params mbedtls_ssl_handshake_params
+#define ssl_handshake_server_step mbedtls_ssl_handshake_server_step
+#define ssl_handshake_step mbedtls_ssl_handshake_step
+#define ssl_handshake_wrapup mbedtls_ssl_handshake_wrapup
+#define ssl_hdr_len mbedtls_ssl_hdr_len
+#define ssl_hs_hdr_len mbedtls_ssl_hs_hdr_len
+#define ssl_hw_record_activate mbedtls_ssl_hw_record_activate
+#define ssl_hw_record_finish mbedtls_ssl_hw_record_finish
+#define ssl_hw_record_init mbedtls_ssl_hw_record_init
+#define ssl_hw_record_read mbedtls_ssl_hw_record_read
+#define ssl_hw_record_reset mbedtls_ssl_hw_record_reset
+#define ssl_hw_record_write mbedtls_ssl_hw_record_write
+#define ssl_init mbedtls_ssl_init
+#define ssl_key_cert mbedtls_ssl_key_cert
+#define ssl_legacy_renegotiation mbedtls_ssl_conf_legacy_renegotiation
+#define ssl_list_ciphersuites mbedtls_ssl_list_ciphersuites
+#define ssl_md_alg_from_hash mbedtls_ssl_md_alg_from_hash
+#define ssl_optimize_checksum mbedtls_ssl_optimize_checksum
+#define ssl_own_cert mbedtls_ssl_own_cert
+#define ssl_own_key mbedtls_ssl_own_key
+#define ssl_parse_certificate mbedtls_ssl_parse_certificate
+#define ssl_parse_change_cipher_spec mbedtls_ssl_parse_change_cipher_spec
+#define ssl_parse_finished mbedtls_ssl_parse_finished
+#define ssl_pk_alg_from_sig mbedtls_ssl_pk_alg_from_sig
+#define ssl_pkcs11_decrypt mbedtls_ssl_pkcs11_decrypt
+#define ssl_pkcs11_key_len mbedtls_ssl_pkcs11_key_len
+#define ssl_pkcs11_sign mbedtls_ssl_pkcs11_sign
+#define ssl_psk_derive_premaster mbedtls_ssl_psk_derive_premaster
+#define ssl_read mbedtls_ssl_read
+#define ssl_read_record mbedtls_ssl_read_record
+#define ssl_read_version mbedtls_ssl_read_version
+#define ssl_recv_flight_completed mbedtls_ssl_recv_flight_completed
+#define ssl_renegotiate mbedtls_ssl_renegotiate
+#define ssl_resend mbedtls_ssl_resend
+#define ssl_reset_checksum mbedtls_ssl_reset_checksum
+#define ssl_send_alert_message mbedtls_ssl_send_alert_message
+#define ssl_send_fatal_handshake_failure mbedtls_ssl_send_fatal_handshake_failure
+#define ssl_send_flight_completed mbedtls_ssl_send_flight_completed
+#define ssl_session mbedtls_ssl_session
+#define ssl_session_free mbedtls_ssl_session_free
+#define ssl_session_init mbedtls_ssl_session_init
+#define ssl_session_reset mbedtls_ssl_session_reset
+#define ssl_set_alpn_protocols mbedtls_ssl_conf_alpn_protocols
+#define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
+#define ssl_set_authmode mbedtls_ssl_conf_authmode
+#define ssl_set_bio mbedtls_ssl_set_bio
+#define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
+#define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
+#define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites
+#define ssl_set_ciphersuites_for_version mbedtls_ssl_conf_ciphersuites_for_version
+#define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
+#define ssl_set_curves mbedtls_ssl_conf_curves
+#define ssl_set_dbg mbedtls_ssl_conf_dbg
+#define ssl_set_dh_param mbedtls_ssl_conf_dh_param
+#define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
+#define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
+#define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
+#define ssl_set_dtls_cookies mbedtls_ssl_conf_dtls_cookies
+#define ssl_set_encrypt_then_mac mbedtls_ssl_conf_encrypt_then_mac
+#define ssl_set_endpoint mbedtls_ssl_conf_endpoint
+#define ssl_set_extended_master_secret mbedtls_ssl_conf_extended_master_secret
+#define ssl_set_fallback mbedtls_ssl_conf_fallback
+#define ssl_set_handshake_timeout mbedtls_ssl_conf_handshake_timeout
+#define ssl_set_hostname mbedtls_ssl_set_hostname
+#define ssl_set_max_frag_len mbedtls_ssl_conf_max_frag_len
+#define ssl_set_max_version mbedtls_ssl_conf_max_version
+#define ssl_set_min_version mbedtls_ssl_conf_min_version
+#define ssl_set_own_cert mbedtls_ssl_conf_own_cert
+#define ssl_set_psk mbedtls_ssl_conf_psk
+#define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb
+#define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation
+#define ssl_set_renegotiation_enforced mbedtls_ssl_conf_renegotiation_enforced
+#define ssl_set_renegotiation_period mbedtls_ssl_conf_renegotiation_period
+#define ssl_set_rng mbedtls_ssl_conf_rng
+#define ssl_set_session mbedtls_ssl_set_session
+#define ssl_set_session_cache mbedtls_ssl_conf_session_cache
+#define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets
+#define ssl_set_sni mbedtls_ssl_conf_sni
+#define ssl_set_transport mbedtls_ssl_conf_transport
+#define ssl_set_truncated_hmac mbedtls_ssl_conf_truncated_hmac
+#define ssl_set_verify mbedtls_ssl_conf_verify
+#define ssl_sig_from_pk mbedtls_ssl_sig_from_pk
+#define ssl_states mbedtls_ssl_states
+#define ssl_transform mbedtls_ssl_transform
+#define ssl_transform_free mbedtls_ssl_transform_free
+#define ssl_write mbedtls_ssl_write
+#define ssl_write_certificate mbedtls_ssl_write_certificate
+#define ssl_write_change_cipher_spec mbedtls_ssl_write_change_cipher_spec
+#define ssl_write_finished mbedtls_ssl_write_finished
+#define ssl_write_record mbedtls_ssl_write_record
+#define ssl_write_version mbedtls_ssl_write_version
+#define supported_ciphers mbedtls_cipher_supported
+#define t_sint mbedtls_mpi_sint
+#define t_udbl mbedtls_t_udbl
+#define t_uint mbedtls_mpi_uint
+#define test_ca_crt mbedtls_test_ca_crt
+#define test_ca_crt_ec mbedtls_test_ca_crt_ec
+#define test_ca_crt_rsa mbedtls_test_ca_crt_rsa
+#define test_ca_key mbedtls_test_ca_key
+#define test_ca_key_ec mbedtls_test_ca_key_ec
+#define test_ca_key_rsa mbedtls_test_ca_key_rsa
+#define test_ca_list mbedtls_test_cas_pem
+#define test_ca_pwd mbedtls_test_ca_pwd
+#define test_ca_pwd_ec mbedtls_test_ca_pwd_ec
+#define test_ca_pwd_rsa mbedtls_test_ca_pwd_rsa
+#define test_cli_crt mbedtls_test_cli_crt
+#define test_cli_crt_ec mbedtls_test_cli_crt_ec
+#define test_cli_crt_rsa mbedtls_test_cli_crt_rsa
+#define test_cli_key mbedtls_test_cli_key
+#define test_cli_key_ec mbedtls_test_cli_key_ec
+#define test_cli_key_rsa mbedtls_test_cli_key_rsa
+#define test_srv_crt mbedtls_test_srv_crt
+#define test_srv_crt_ec mbedtls_test_srv_crt_ec
+#define test_srv_crt_rsa mbedtls_test_srv_crt_rsa
+#define test_srv_key mbedtls_test_srv_key
+#define test_srv_key_ec mbedtls_test_srv_key_ec
+#define test_srv_key_rsa mbedtls_test_srv_key_rsa
+#define threading_mutex_t mbedtls_threading_mutex_t
+#define threading_set_alt mbedtls_threading_set_alt
+#define timing_self_test mbedtls_timing_self_test
+#define version_check_feature mbedtls_version_check_feature
+#define version_get_number mbedtls_version_get_number
+#define version_get_string mbedtls_version_get_string
+#define version_get_string_full mbedtls_version_get_string_full
+#define x509_bitstring mbedtls_x509_bitstring
+#define x509_buf mbedtls_x509_buf
+#define x509_crl mbedtls_x509_crl
+#define x509_crl_entry mbedtls_x509_crl_entry
+#define x509_crl_free mbedtls_x509_crl_free
+#define x509_crl_info mbedtls_x509_crl_info
+#define x509_crl_init mbedtls_x509_crl_init
+#define x509_crl_parse mbedtls_x509_crl_parse
+#define x509_crl_parse_der mbedtls_x509_crl_parse_der
+#define x509_crl_parse_file mbedtls_x509_crl_parse_file
+#define x509_crt mbedtls_x509_crt
+#define x509_crt_check_extended_key_usage mbedtls_x509_crt_check_extended_key_usage
+#define x509_crt_check_key_usage mbedtls_x509_crt_check_key_usage
+#define x509_crt_free mbedtls_x509_crt_free
+#define x509_crt_info mbedtls_x509_crt_info
+#define x509_crt_init mbedtls_x509_crt_init
+#define x509_crt_parse mbedtls_x509_crt_parse
+#define x509_crt_parse_der mbedtls_x509_crt_parse_der
+#define x509_crt_parse_file mbedtls_x509_crt_parse_file
+#define x509_crt_parse_path mbedtls_x509_crt_parse_path
+#define x509_crt_revoked mbedtls_x509_crt_is_revoked
+#define x509_crt_verify mbedtls_x509_crt_verify
+#define x509_csr mbedtls_x509_csr
+#define x509_csr_free mbedtls_x509_csr_free
+#define x509_csr_info mbedtls_x509_csr_info
+#define x509_csr_init mbedtls_x509_csr_init
+#define x509_csr_parse mbedtls_x509_csr_parse
+#define x509_csr_parse_der mbedtls_x509_csr_parse_der
+#define x509_csr_parse_file mbedtls_x509_csr_parse_file
+#define x509_dn_gets mbedtls_x509_dn_gets
+#define x509_get_alg mbedtls_x509_get_alg
+#define x509_get_alg_null mbedtls_x509_get_alg_null
+#define x509_get_ext mbedtls_x509_get_ext
+#define x509_get_name mbedtls_x509_get_name
+#define x509_get_rsassa_pss_params mbedtls_x509_get_rsassa_pss_params
+#define x509_get_serial mbedtls_x509_get_serial
+#define x509_get_sig mbedtls_x509_get_sig
+#define x509_get_sig_alg mbedtls_x509_get_sig_alg
+#define x509_get_time mbedtls_x509_get_time
+#define x509_key_size_helper mbedtls_x509_key_size_helper
+#define x509_name mbedtls_x509_name
+#define x509_self_test mbedtls_x509_self_test
+#define x509_sequence mbedtls_x509_sequence
+#define x509_serial_gets mbedtls_x509_serial_gets
+#define x509_set_extension mbedtls_x509_set_extension
+#define x509_sig_alg_gets mbedtls_x509_sig_alg_gets
+#define x509_string_to_names mbedtls_x509_string_to_names
+#define x509_time mbedtls_x509_time
+#define x509_time_expired mbedtls_x509_time_is_past
+#define x509_time_future mbedtls_x509_time_is_future
+#define x509_write_extensions mbedtls_x509_write_extensions
+#define x509_write_names mbedtls_x509_write_names
+#define x509_write_sig mbedtls_x509_write_sig
+#define x509write_cert mbedtls_x509write_cert
+#define x509write_crt_der mbedtls_x509write_crt_der
+#define x509write_crt_free mbedtls_x509write_crt_free
+#define x509write_crt_init mbedtls_x509write_crt_init
+#define x509write_crt_pem mbedtls_x509write_crt_pem
+#define x509write_crt_set_authority_key_identifier mbedtls_x509write_crt_set_authority_key_identifier
+#define x509write_crt_set_basic_constraints mbedtls_x509write_crt_set_basic_constraints
+#define x509write_crt_set_extension mbedtls_x509write_crt_set_extension
+#define x509write_crt_set_issuer_key mbedtls_x509write_crt_set_issuer_key
+#define x509write_crt_set_issuer_name mbedtls_x509write_crt_set_issuer_name
+#define x509write_crt_set_key_usage mbedtls_x509write_crt_set_key_usage
+#define x509write_crt_set_md_alg mbedtls_x509write_crt_set_md_alg
+#define x509write_crt_set_ns_cert_type mbedtls_x509write_crt_set_ns_cert_type
+#define x509write_crt_set_serial mbedtls_x509write_crt_set_serial
+#define x509write_crt_set_subject_key mbedtls_x509write_crt_set_subject_key
+#define x509write_crt_set_subject_key_identifier mbedtls_x509write_crt_set_subject_key_identifier
+#define x509write_crt_set_subject_name mbedtls_x509write_crt_set_subject_name
+#define x509write_crt_set_validity mbedtls_x509write_crt_set_validity
+#define x509write_crt_set_version mbedtls_x509write_crt_set_version
+#define x509write_csr mbedtls_x509write_csr
+#define x509write_csr_der mbedtls_x509write_csr_der
+#define x509write_csr_free mbedtls_x509write_csr_free
+#define x509write_csr_init mbedtls_x509write_csr_init
+#define x509write_csr_pem mbedtls_x509write_csr_pem
+#define x509write_csr_set_extension mbedtls_x509write_csr_set_extension
+#define x509write_csr_set_key mbedtls_x509write_csr_set_key
+#define x509write_csr_set_key_usage mbedtls_x509write_csr_set_key_usage
+#define x509write_csr_set_md_alg mbedtls_x509write_csr_set_md_alg
+#define x509write_csr_set_ns_cert_type mbedtls_x509write_csr_set_ns_cert_type
+#define x509write_csr_set_subject_name mbedtls_x509write_csr_set_subject_name
+#define xtea_context mbedtls_xtea_context
+#define xtea_crypt_cbc mbedtls_xtea_crypt_cbc
+#define xtea_crypt_ecb mbedtls_xtea_crypt_ecb
+#define xtea_free mbedtls_xtea_free
+#define xtea_init mbedtls_xtea_init
+#define xtea_self_test mbedtls_xtea_self_test
+#define xtea_setup mbedtls_xtea_setup
+
+#endif /* compat-1.3.h */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/config.h b/makerom/deps/libmbedtls/include/mbedtls/config.h
new file mode 100644
index 00000000..159163f9
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/config.h
@@ -0,0 +1,3344 @@
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ *  This set of compile-time options may be used to enable
+ *  or disable features selectively, and reduce the global
+ *  memory footprint.
+ */
+/*
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+/**
+ * \name SECTION: System support
+ *
+ * This section sets system specific settings.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_HAVE_ASM
+ *
+ * The compiler has support for asm().
+ *
+ * Requires support for asm() in compiler.
+ *
+ * Used in:
+ *      library/aria.c
+ *      library/timing.c
+ *      include/mbedtls/bn_mul.h
+ *
+ * Required by:
+ *      MBEDTLS_AESNI_C
+ *      MBEDTLS_PADLOCK_C
+ *
+ * Comment to disable the use of assembly code.
+ */
+#define MBEDTLS_HAVE_ASM
+
+/**
+ * \def MBEDTLS_NO_UDBL_DIVISION
+ *
+ * The platform lacks support for double-width integer division (64-bit
+ * division on a 32-bit platform, 128-bit division on a 64-bit platform).
+ *
+ * Used in:
+ *      include/mbedtls/bignum.h
+ *      library/bignum.c
+ *
+ * The bignum code uses double-width division to speed up some operations.
+ * Double-width division is often implemented in software that needs to
+ * be linked with the program. The presence of a double-width integer
+ * type is usually detected automatically through preprocessor macros,
+ * but the automatic detection cannot know whether the code needs to
+ * and can be linked with an implementation of division for that type.
+ * By default division is assumed to be usable if the type is present.
+ * Uncomment this option to prevent the use of double-width division.
+ *
+ * Note that division for the native integer type is always required.
+ * Furthermore, a 64-bit type is always required even on a 32-bit
+ * platform, but it need not support multiplication or division. In some
+ * cases it is also desirable to disable some double-width operations. For
+ * example, if double-width division is implemented in software, disabling
+ * it can reduce code size in some embedded targets.
+ */
+//#define MBEDTLS_NO_UDBL_DIVISION
+
+/**
+ * \def MBEDTLS_NO_64BIT_MULTIPLICATION
+ *
+ * The platform lacks support for 32x32 -> 64-bit multiplication.
+ *
+ * Used in:
+ *      library/poly1305.c
+ *
+ * Some parts of the library may use multiplication of two unsigned 32-bit
+ * operands with a 64-bit result in order to speed up computations. On some
+ * platforms, this is not available in hardware and has to be implemented in
+ * software, usually in a library provided by the toolchain.
+ *
+ * Sometimes it is not desirable to have to link to that library. This option
+ * removes the dependency of that library on platforms that lack a hardware
+ * 64-bit multiplier by embedding a software implementation in Mbed TLS.
+ *
+ * Note that depending on the compiler, this may decrease performance compared
+ * to using the library function provided by the toolchain.
+ */
+//#define MBEDTLS_NO_64BIT_MULTIPLICATION
+
+/**
+ * \def MBEDTLS_HAVE_SSE2
+ *
+ * CPU supports SSE2 instruction set.
+ *
+ * Uncomment if the CPU supports SSE2 (IA-32 specific).
+ */
+//#define MBEDTLS_HAVE_SSE2
+
+/**
+ * \def MBEDTLS_HAVE_TIME
+ *
+ * System has time.h and time().
+ * The time does not need to be correct, only time differences are used,
+ * by contrast with MBEDTLS_HAVE_TIME_DATE
+ *
+ * Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
+ * MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
+ * MBEDTLS_PLATFORM_STD_TIME.
+ *
+ * Comment if your system does not support time functions
+ */
+#define MBEDTLS_HAVE_TIME
+
+/**
+ * \def MBEDTLS_HAVE_TIME_DATE
+ *
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
+ * The time needs to be correct (not necessarily very accurate, but at least
+ * the date should be correct). This is used to verify the validity period of
+ * X.509 certificates.
+ *
+ * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
+ */
+#define MBEDTLS_HAVE_TIME_DATE
+
+/**
+ * \def MBEDTLS_PLATFORM_MEMORY
+ *
+ * Enable the memory allocation layer.
+ *
+ * By default mbed TLS uses the system-provided calloc() and free().
+ * This allows different allocators (self-implemented or provided) to be
+ * provided to the platform abstraction layer.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY without the
+ * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide
+ * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and
+ * free() function pointer at runtime.
+ *
+ * Enabling MBEDTLS_PLATFORM_MEMORY and specifying
+ * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the
+ * alternate function at compile time.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Enable this layer to allow use of alternative memory allocators.
+ */
+//#define MBEDTLS_PLATFORM_MEMORY
+
+/**
+ * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+ *
+ * Do not assign standard functions in the platform layer (e.g. calloc() to
+ * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF)
+ *
+ * This makes sure there are no linking errors on platforms that do not support
+ * these functions. You will HAVE to provide alternatives, either at runtime
+ * via the platform_set_xxx() functions or at compile time by setting
+ * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a
+ * MBEDTLS_PLATFORM_XXX_MACRO.
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *
+ * Uncomment to prevent default assignment of standard functions in the
+ * platform layer.
+ */
+//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+
+/**
+ * \def MBEDTLS_PLATFORM_EXIT_ALT
+ *
+ * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
+ * function in the platform abstraction layer.
+ *
+ * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
+ * provide a function "mbedtls_platform_set_printf()" that allows you to set an
+ * alternative printf function pointer.
+ *
+ * All these define require MBEDTLS_PLATFORM_C to be defined!
+ *
+ * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
+ * it will be enabled automatically by check_config.h
+ *
+ * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
+ * MBEDTLS_PLATFORM_XXX_MACRO!
+ *
+ * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
+ *
+ * Uncomment a macro to enable alternate implementation of specific base
+ * platform function
+ */
+//#define MBEDTLS_PLATFORM_EXIT_ALT
+//#define MBEDTLS_PLATFORM_TIME_ALT
+//#define MBEDTLS_PLATFORM_FPRINTF_ALT
+//#define MBEDTLS_PLATFORM_PRINTF_ALT
+//#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+//#define MBEDTLS_PLATFORM_NV_SEED_ALT
+//#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
+
+/**
+ * \def MBEDTLS_DEPRECATED_WARNING
+ *
+ * Mark deprecated functions so that they generate a warning if used.
+ * Functions deprecated in one version will usually be removed in the next
+ * version. You can enable this to help you prepare the transition to a new
+ * major version by making sure your code is not using these functions.
+ *
+ * This only works with GCC and Clang. With other compilers, you may want to
+ * use MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Uncomment to get warnings on using deprecated functions.
+ */
+//#define MBEDTLS_DEPRECATED_WARNING
+
+/**
+ * \def MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Remove deprecated functions so that they generate an error if used.
+ * Functions deprecated in one version will usually be removed in the next
+ * version. You can enable this to help you prepare the transition to a new
+ * major version by making sure your code is not using these functions.
+ *
+ * Uncomment to get errors on using deprecated functions.
+ */
+//#define MBEDTLS_DEPRECATED_REMOVED
+
+/**
+ * \def MBEDTLS_CHECK_PARAMS
+ *
+ * This configuration option controls whether the library validates more of
+ * the parameters passed to it.
+ *
+ * When this flag is not defined, the library only attempts to validate an
+ * input parameter if: (1) they may come from the outside world (such as the
+ * network, the filesystem, etc.) or (2) not validating them could result in
+ * internal memory errors such as overflowing a buffer controlled by the
+ * library. On the other hand, it doesn't attempt to validate parameters whose
+ * values are fully controlled by the application (such as pointers).
+ *
+ * When this flag is defined, the library additionally attempts to validate
+ * parameters that are fully controlled by the application, and should always
+ * be valid if the application code is fully correct and trusted.
+ *
+ * For example, when a function accepts as input a pointer to a buffer that may
+ * contain untrusted data, and its documentation mentions that this pointer
+ * must not be NULL:
+ * - The pointer is checked to be non-NULL only if this option is enabled.
+ * - The content of the buffer is always validated.
+ *
+ * When this flag is defined, if a library function receives a parameter that
+ * is invalid:
+ * 1. The function will invoke the macro MBEDTLS_PARAM_FAILED().
+ * 2. If MBEDTLS_PARAM_FAILED() did not terminate the program, the function
+ *   will immediately return. If the function returns an Mbed TLS error code,
+ *   the error code in this case is MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
+ *
+ * When defining this flag, you also need to arrange a definition for
+ * MBEDTLS_PARAM_FAILED(). You can do this by any of the following methods:
+ * - By default, the library defines MBEDTLS_PARAM_FAILED() to call a
+ *   function mbedtls_param_failed(), but the library does not define this
+ *   function. If you do not make any other arrangements, you must provide
+ *   the function mbedtls_param_failed() in your application.
+ *   See `platform_util.h` for its prototype.
+ * - If you enable the macro #MBEDTLS_CHECK_PARAMS_ASSERT, then the
+ *   library defines #MBEDTLS_PARAM_FAILED(\c cond) to be `assert(cond)`.
+ *   You can still supply an alternative definition of
+ *   MBEDTLS_PARAM_FAILED(), which may call `assert`.
+ * - If you define a macro MBEDTLS_PARAM_FAILED() before including `config.h`
+ *   or you uncomment the definition of MBEDTLS_PARAM_FAILED() in `config.h`,
+ *   the library will call the macro that you defined and will not supply
+ *   its own version. Note that if MBEDTLS_PARAM_FAILED() calls `assert`,
+ *   you need to enable #MBEDTLS_CHECK_PARAMS_ASSERT so that library source
+ *   files include `<assert.h>`.
+ *
+ * Uncomment to enable validation of application-controlled parameters.
+ */
+//#define MBEDTLS_CHECK_PARAMS
+
+/**
+ * \def MBEDTLS_CHECK_PARAMS_ASSERT
+ *
+ * Allow MBEDTLS_PARAM_FAILED() to call `assert`, and make it default to
+ * `assert`. This macro is only used if #MBEDTLS_CHECK_PARAMS is defined.
+ *
+ * If this macro is not defined, then MBEDTLS_PARAM_FAILED() defaults to
+ * calling a function mbedtls_param_failed(). See the documentation of
+ * #MBEDTLS_CHECK_PARAMS for details.
+ *
+ * Uncomment to allow MBEDTLS_PARAM_FAILED() to call `assert`.
+ */
+//#define MBEDTLS_CHECK_PARAMS_ASSERT
+
+/* \} name SECTION: System support */
+
+/**
+ * \name SECTION: mbed TLS feature support
+ *
+ * This section sets support for features that are or are not needed
+ * within the modules that are enabled.
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_TIMING_ALT
+ *
+ * Uncomment to provide your own alternate implementation for mbedtls_timing_hardclock(),
+ * mbedtls_timing_get_timer(), mbedtls_set_alarm(), mbedtls_set/get_delay()
+ *
+ * Only works if you have MBEDTLS_TIMING_C enabled.
+ *
+ * You will need to provide a header "timing_alt.h" and an implementation at
+ * compile time.
+ */
+//#define MBEDTLS_TIMING_ALT
+
+/**
+ * \def MBEDTLS_AES_ALT
+ *
+ * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your
+ * alternate core implementation of a symmetric crypto, an arithmetic or hash
+ * module (e.g. platform specific assembly optimized implementations). Keep
+ * in mind that the function prototypes should remain the same.
+ *
+ * This replaces the whole module. If you only want to replace one of the
+ * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
+ *
+ * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer
+ * provide the "struct mbedtls_aes_context" definition and omit the base
+ * function declarations and implementations. "aes_alt.h" will be included from
+ * "aes.h" to include the new function definitions.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * module.
+ *
+ * \warning   MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
+ *            use constitutes a security risk. If possible, we recommend
+ *            avoiding dependencies on them, and considering stronger message
+ *            digests and ciphers instead.
+ *
+ */
+//#define MBEDTLS_AES_ALT
+//#define MBEDTLS_ARC4_ALT
+//#define MBEDTLS_ARIA_ALT
+//#define MBEDTLS_BLOWFISH_ALT
+//#define MBEDTLS_CAMELLIA_ALT
+//#define MBEDTLS_CCM_ALT
+//#define MBEDTLS_CHACHA20_ALT
+//#define MBEDTLS_CHACHAPOLY_ALT
+//#define MBEDTLS_CMAC_ALT
+//#define MBEDTLS_DES_ALT
+//#define MBEDTLS_DHM_ALT
+//#define MBEDTLS_ECJPAKE_ALT
+//#define MBEDTLS_GCM_ALT
+//#define MBEDTLS_NIST_KW_ALT
+//#define MBEDTLS_MD2_ALT
+//#define MBEDTLS_MD4_ALT
+//#define MBEDTLS_MD5_ALT
+//#define MBEDTLS_POLY1305_ALT
+//#define MBEDTLS_RIPEMD160_ALT
+//#define MBEDTLS_RSA_ALT
+//#define MBEDTLS_SHA1_ALT
+//#define MBEDTLS_SHA256_ALT
+//#define MBEDTLS_SHA512_ALT
+//#define MBEDTLS_XTEA_ALT
+
+/*
+ * When replacing the elliptic curve module, pleace consider, that it is
+ * implemented with two .c files:
+ *      - ecp.c
+ *      - ecp_curves.c
+ * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
+ * macros as described above. The only difference is that you have to make sure
+ * that you provide functionality for both .c files.
+ */
+//#define MBEDTLS_ECP_ALT
+
+/**
+ * \def MBEDTLS_MD2_PROCESS_ALT
+ *
+ * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
+ * alternate core implementation of symmetric crypto or hash function. Keep in
+ * mind that function prototypes should remain the same.
+ *
+ * This replaces only one function. The header file from mbed TLS is still
+ * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
+ *
+ * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
+ * no longer provide the mbedtls_sha1_process() function, but it will still provide
+ * the other function (using your mbedtls_sha1_process() function) and the definition
+ * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
+ * with this definition.
+ *
+ * \note Because of a signature change, the core AES encryption and decryption routines are
+ *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
+ *       respectively. When setting up alternative implementations, these functions should
+ *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
+ *       must stay untouched.
+ *
+ * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
+ *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
+ *       tables.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * function.
+ *
+ * \warning   MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
+ *            constitutes a security risk. If possible, we recommend avoiding
+ *            dependencies on them, and considering stronger message digests
+ *            and ciphers instead.
+ *
+ * \warning   If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
+ *            enabled, then the deterministic ECDH signature functions pass the
+ *            the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
+ *            alternative implementations should use the RNG only for generating
+ *            the ephemeral key and nothing else. If this is not possible, then
+ *            MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
+ *            implementation should be provided for mbedtls_ecdsa_sign_det_ext()
+ *            (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
+ *            desirable).
+ *
+ */
+//#define MBEDTLS_MD2_PROCESS_ALT
+//#define MBEDTLS_MD4_PROCESS_ALT
+//#define MBEDTLS_MD5_PROCESS_ALT
+//#define MBEDTLS_RIPEMD160_PROCESS_ALT
+//#define MBEDTLS_SHA1_PROCESS_ALT
+//#define MBEDTLS_SHA256_PROCESS_ALT
+//#define MBEDTLS_SHA512_PROCESS_ALT
+//#define MBEDTLS_DES_SETKEY_ALT
+//#define MBEDTLS_DES_CRYPT_ECB_ALT
+//#define MBEDTLS_DES3_CRYPT_ECB_ALT
+//#define MBEDTLS_AES_SETKEY_ENC_ALT
+//#define MBEDTLS_AES_SETKEY_DEC_ALT
+//#define MBEDTLS_AES_ENCRYPT_ALT
+//#define MBEDTLS_AES_DECRYPT_ALT
+//#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
+//#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
+//#define MBEDTLS_ECDSA_VERIFY_ALT
+//#define MBEDTLS_ECDSA_SIGN_ALT
+//#define MBEDTLS_ECDSA_GENKEY_ALT
+
+/**
+ * \def MBEDTLS_ECP_INTERNAL_ALT
+ *
+ * Expose a part of the internal interface of the Elliptic Curve Point module.
+ *
+ * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your
+ * alternative core implementation of elliptic curve arithmetic. Keep in mind
+ * that function prototypes should remain the same.
+ *
+ * This partially replaces one function. The header file from mbed TLS is still
+ * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
+ * is still present and it is used for group structures not supported by the
+ * alternative.
+ *
+ * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
+ * and implementing the following functions:
+ *      unsigned char mbedtls_internal_ecp_grp_capable(
+ *          const mbedtls_ecp_group *grp )
+ *      int  mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
+ *      void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
+ * The mbedtls_internal_ecp_grp_capable function should return 1 if the
+ * replacement functions implement arithmetic for the given group and 0
+ * otherwise.
+ * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
+ * called before and after each point operation and provide an opportunity to
+ * implement optimized set up and tear down instructions.
+ *
+ * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and
+ * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac
+ * function, but will use your mbedtls_internal_ecp_double_jac if the group is
+ * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when
+ * receives it as an argument). If the group is not supported then the original
+ * implementation is used. The other functions and the definition of
+ * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your
+ * implementation of mbedtls_internal_ecp_double_jac and
+ * mbedtls_internal_ecp_grp_capable must be compatible with this definition.
+ *
+ * Uncomment a macro to enable alternate implementation of the corresponding
+ * function.
+ */
+/* Required for all the functions in this section */
+//#define MBEDTLS_ECP_INTERNAL_ALT
+/* Support for Weierstrass curves with Jacobi representation */
+//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
+//#define MBEDTLS_ECP_ADD_MIXED_ALT
+//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
+//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
+//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
+/* Support for curves with Montgomery arithmetic */
+//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
+//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
+//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
+
+/**
+ * \def MBEDTLS_TEST_NULL_ENTROPY
+ *
+ * Enables testing and use of mbed TLS without any configured entropy sources.
+ * This permits use of the library on platforms before an entropy source has
+ * been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
+ * MBEDTLS_ENTROPY_NV_SEED switches).
+ *
+ * WARNING! This switch MUST be disabled in production builds, and is suitable
+ * only for development.
+ * Enabling the switch negates any security provided by the library.
+ *
+ * Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ *
+ */
+//#define MBEDTLS_TEST_NULL_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_HARDWARE_ALT
+ *
+ * Uncomment this macro to let mbed TLS use your own implementation of a
+ * hardware entropy collector.
+ *
+ * Your function must be called \c mbedtls_hardware_poll(), have the same
+ * prototype as declared in entropy_poll.h, and accept NULL as first argument.
+ *
+ * Uncomment to use your own hardware entropy collector.
+ */
+//#define MBEDTLS_ENTROPY_HARDWARE_ALT
+
+/**
+ * \def MBEDTLS_AES_ROM_TABLES
+ *
+ * Use precomputed AES tables stored in ROM.
+ *
+ * Uncomment this macro to use precomputed AES tables stored in ROM.
+ * Comment this macro to generate AES tables in RAM at runtime.
+ *
+ * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb
+ * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the
+ * initialization time before the first AES operation can be performed.
+ * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c
+ * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded
+ * performance if ROM access is slower than RAM access.
+ *
+ * This option is independent of \c MBEDTLS_AES_FEWER_TABLES.
+ *
+ */
+//#define MBEDTLS_AES_ROM_TABLES
+
+/**
+ * \def MBEDTLS_AES_FEWER_TABLES
+ *
+ * Use less ROM/RAM for AES tables.
+ *
+ * Uncommenting this macro omits 75% of the AES tables from
+ * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES)
+ * by computing their values on the fly during operations
+ * (the tables are entry-wise rotations of one another).
+ *
+ * Tradeoff: Uncommenting this reduces the RAM / ROM footprint
+ * by ~6kb but at the cost of more arithmetic operations during
+ * runtime. Specifically, one has to compare 4 accesses within
+ * different tables to 4 accesses with additional arithmetic
+ * operations within the same table. The performance gain/loss
+ * depends on the system and memory details.
+ *
+ * This option is independent of \c MBEDTLS_AES_ROM_TABLES.
+ *
+ */
+//#define MBEDTLS_AES_FEWER_TABLES
+
+/**
+ * \def MBEDTLS_CAMELLIA_SMALL_MEMORY
+ *
+ * Use less ROM for the Camellia implementation (saves about 768 bytes).
+ *
+ * Uncomment this macro to use less memory for Camellia.
+ */
+//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CBC
+ *
+ * Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CBC
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CFB
+ *
+ * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_CTR
+ *
+ * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_CTR
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_OFB
+ *
+ * Enable Output Feedback mode (OFB) for symmetric ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_OFB
+
+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
+/**
+ * \def MBEDTLS_CIPHER_NULL_CIPHER
+ *
+ * Enable NULL cipher.
+ * Warning: Only do so when you know what you are doing. This allows for
+ * encryption or channels without any security!
+ *
+ * Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
+ * the following ciphersuites:
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_RSA_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_NULL_SHA
+ *      MBEDTLS_TLS_RSA_WITH_NULL_MD5
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_NULL_SHA
+ *
+ * Uncomment this macro to enable the NULL cipher and ciphersuites
+ */
+//#define MBEDTLS_CIPHER_NULL_CIPHER
+
+/**
+ * \def MBEDTLS_CIPHER_PADDING_PKCS7
+ *
+ * MBEDTLS_CIPHER_PADDING_XXX: Uncomment or comment macros to add support for
+ * specific padding modes in the cipher layer with cipher modes that support
+ * padding (e.g. CBC)
+ *
+ * If you disable all padding modes, only full blocks can be used with CBC.
+ *
+ * Enable padding modes in the cipher layer.
+ */
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
+#define MBEDTLS_CIPHER_PADDING_ZEROS
+
+/** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+ *
+ * Uncomment this macro to use a 128-bit key in the CTR_DRBG module.
+ * By default, CTR_DRBG uses a 256-bit key.
+ */
+//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
+
+/**
+ * \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+ *
+ * Enable weak ciphersuites in SSL / TLS.
+ * Warning: Only do so when you know what you are doing. This allows for
+ * channels with virtually no security at all!
+ *
+ * This enables the following ciphersuites:
+ *      MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
+ *
+ * Uncomment this macro to enable weak ciphersuites
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on RC4 from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
+ * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
+ * explicitly.
+ *
+ * Uncomment this macro to remove RC4 ciphersuites by default.
+ */
+#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
+ *
+ * Remove 3DES ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on 3DES from the default list as
+ * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible
+ * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
+ * them explicitly.
+ *
+ * A man-in-the-browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
+ * Comment this macro to keep 3DES in the default ciphersuite list.
+ */
+#define MBEDTLS_REMOVE_3DES_CIPHERSUITES
+
+/**
+ * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ *
+ * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
+ * module.  By default all supported curves are enabled.
+ *
+ * Comment macros to disable the curve and functions for it
+ */
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_DP_CURVE448_ENABLED
+
+/**
+ * \def MBEDTLS_ECP_NIST_OPTIM
+ *
+ * Enable specific 'modulo p' routines for each NIST prime.
+ * Depending on the prime and architecture, makes operations 4 to 8 times
+ * faster on the corresponding curve.
+ *
+ * Comment this macro to disable NIST curves optimisation.
+ */
+#define MBEDTLS_ECP_NIST_OPTIM
+
+/**
+ * \def MBEDTLS_ECP_RESTARTABLE
+ *
+ * Enable "non-blocking" ECC operations that can return early and be resumed.
+ *
+ * This allows various functions to pause by returning
+ * #MBEDTLS_ERR_ECP_IN_PROGRESS (or, for functions in the SSL module,
+ * #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) and then be called later again in
+ * order to further progress and eventually complete their operation. This is
+ * controlled through mbedtls_ecp_set_max_ops() which limits the maximum
+ * number of ECC operations a function may perform before pausing; see
+ * mbedtls_ecp_set_max_ops() for more information.
+ *
+ * This is useful in non-threaded environments if you want to avoid blocking
+ * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
+ *
+ * Uncomment this macro to enable restartable ECC computations.
+ *
+ * \note  This option only works with the default software implementation of
+ *        elliptic curve functionality. It is incompatible with
+ *        MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
+ */
+//#define MBEDTLS_ECP_RESTARTABLE
+
+/**
+ * \def MBEDTLS_ECDSA_DETERMINISTIC
+ *
+ * Enable deterministic ECDSA (RFC 6979).
+ * Standard ECDSA is "fragile" in the sense that lack of entropy when signing
+ * may result in a compromise of the long-term signing key. This is avoided by
+ * the deterministic variant.
+ *
+ * Requires: MBEDTLS_HMAC_DRBG_C
+ *
+ * Comment this macro to disable deterministic ECDSA.
+ */
+#define MBEDTLS_ECDSA_DETERMINISTIC
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+ *
+ * Enable the PSK based ciphersuite modes in SSL / TLS.
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ *
+ * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_DHM_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ *
+ * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ *
+ * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+ *
+ * Enable the RSA-only based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+ */
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ *
+ * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_DHM_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ *
+ * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ *           MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ *
+ * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C,
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ *
+ * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ *
+ * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ */
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+ *
+ * Enable the ECJPAKE based ciphersuite modes in SSL / TLS.
+ *
+ * \warning This is currently experimental. EC J-PAKE support is based on the
+ * Thread v1.0.0 specification; incompatible changes to the specification
+ * might still happen. For this reason, this is disabled by default.
+ *
+ * Requires: MBEDTLS_ECJPAKE_C
+ *           MBEDTLS_SHA256_C
+ *           MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+ */
+//#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#define MBEDTLS_PK_PARSE_EC_EXTENDED
+
+/**
+ * \def MBEDTLS_ERROR_STRERROR_DUMMY
+ *
+ * Enable a dummy error function to make use of mbedtls_strerror() in
+ * third party libraries easier when MBEDTLS_ERROR_C is disabled
+ * (no effect when MBEDTLS_ERROR_C is enabled).
+ *
+ * You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
+ * not using mbedtls_strerror() or error_strerror() in your application.
+ *
+ * Disable if you run into name conflicts and want to really remove the
+ * mbedtls_strerror()
+ */
+#define MBEDTLS_ERROR_STRERROR_DUMMY
+
+/**
+ * \def MBEDTLS_GENPRIME
+ *
+ * Enable the prime-number generation code.
+ *
+ * Requires: MBEDTLS_BIGNUM_C
+ */
+#define MBEDTLS_GENPRIME
+
+/**
+ * \def MBEDTLS_FS_IO
+ *
+ * Enable functions that use the filesystem.
+ */
+#define MBEDTLS_FS_IO
+
+/**
+ * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+ *
+ * Do not add default entropy sources. These are the platform specific,
+ * mbedtls_timing_hardclock and HAVEGE based poll functions.
+ *
+ * This is useful to have more control over the added entropy sources in an
+ * application.
+ *
+ * Uncomment this macro to prevent loading of default entropy functions.
+ */
+//#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+//#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_FORCE_SHA256
+ *
+ * Force the entropy accumulator to use a SHA-256 accumulator instead of the
+ * default SHA-512 based one (if both are available).
+ *
+ * Requires: MBEDTLS_SHA256_C
+ *
+ * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
+ * if you have performance concerns.
+ *
+ * This option is only useful if both MBEDTLS_SHA256_C and
+ * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
+ */
+//#define MBEDTLS_ENTROPY_FORCE_SHA256
+
+/**
+ * \def MBEDTLS_ENTROPY_NV_SEED
+ *
+ * Enable the non-volatile (NV) seed file-based entropy source.
+ * (Also enables the NV seed read/write functions in the platform layer)
+ *
+ * This is crucial (if not required) on systems that do not have a
+ * cryptographic entropy source (in hardware or kernel) available.
+ *
+ * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C
+ *
+ * \note The read/write functions that are used by the entropy source are
+ *       determined in the platform layer, and can be modified at runtime and/or
+ *       compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used.
+ *
+ * \note If you use the default implementation functions that read a seedfile
+ *       with regular fopen(), please make sure you make a seedfile with the
+ *       proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at
+ *       least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from
+ *       and written to or you will get an entropy source error! The default
+ *       implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE
+ *       bytes from the file.
+ *
+ * \note The entropy collector will write to the seed file before entropy is
+ *       given to an external source, to update it.
+ */
+//#define MBEDTLS_ENTROPY_NV_SEED
+
+/**
+ * \def MBEDTLS_MEMORY_DEBUG
+ *
+ * Enable debugging of buffer allocator memory issues. Automatically prints
+ * (to stderr) all (fatal) messages on memory allocation issues. Enables
+ * function for 'debug output' of allocated memory.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Uncomment this macro to let the buffer allocator print out error messages.
+ */
+//#define MBEDTLS_MEMORY_DEBUG
+
+/**
+ * \def MBEDTLS_MEMORY_BACKTRACE
+ *
+ * Include backtrace information with each allocated block.
+ *
+ * Requires: MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *           GLIBC-compatible backtrace() an backtrace_symbols() support
+ *
+ * Uncomment this macro to include backtrace information
+ */
+//#define MBEDTLS_MEMORY_BACKTRACE
+
+/**
+ * \def MBEDTLS_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+
+/**
+ * \def MBEDTLS_PKCS1_V15
+ *
+ * Enable support for PKCS#1 v1.5 encoding.
+ *
+ * Requires: MBEDTLS_RSA_C
+ *
+ * This enables support for PKCS#1 v1.5 operations.
+ */
+#define MBEDTLS_PKCS1_V15
+
+/**
+ * \def MBEDTLS_PKCS1_V21
+ *
+ * Enable support for PKCS#1 v2.1 encoding.
+ *
+ * Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C
+ *
+ * This enables support for RSAES-OAEP and RSASSA-PSS operations.
+ */
+#define MBEDTLS_PKCS1_V21
+
+/**
+ * \def MBEDTLS_RSA_NO_CRT
+ *
+ * Do not use the Chinese Remainder Theorem
+ * for the RSA private operation.
+ *
+ * Uncomment this macro to disable the use of CRT in RSA.
+ *
+ */
+#define MBEDTLS_RSA_NO_CRT
+
+/**
+ * \def MBEDTLS_SELF_TEST
+ *
+ * Enable the checkup functions (*_self_test).
+ */
+#define MBEDTLS_SELF_TEST
+
+/**
+ * \def MBEDTLS_SHA256_SMALLER
+ *
+ * Enable an implementation of SHA-256 that has lower ROM footprint but also
+ * lower performance.
+ *
+ * The default implementation is meant to be a reasonnable compromise between
+ * performance and size. This version optimizes more aggressively for size at
+ * the expense of performance. Eg on Cortex-M4 it reduces the size of
+ * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
+ * 30%.
+ *
+ * Uncomment to enable the smaller implementation of SHA256.
+ */
+//#define MBEDTLS_SHA256_SMALLER
+
+/**
+ * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
+ *
+ * Enable sending of alert messages in case of encountered errors as per RFC.
+ * If you choose not to send the alert messages, mbed TLS can still communicate
+ * with other servers, only debugging of failures is harder.
+ *
+ * The advantage of not sending alert messages, is that no information is given
+ * about reasons for failures thus preventing adversaries of gaining intel.
+ *
+ * Enable sending of all alert messages
+ */
+#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
+
+/**
+ * \def MBEDTLS_SSL_ASYNC_PRIVATE
+ *
+ * Enable asynchronous external private key operations in SSL. This allows
+ * you to configure an SSL connection to call an external cryptographic
+ * module to perform private key operations instead of performing the
+ * operation inside the library.
+ *
+ */
+//#define MBEDTLS_SSL_ASYNC_PRIVATE
+
+/**
+ * \def MBEDTLS_SSL_DEBUG_ALL
+ *
+ * Enable the debug messages in SSL module for all issues.
+ * Debug messages have been disabled in some places to prevent timing
+ * attacks due to (unbalanced) debugging function calls.
+ *
+ * If you need all error reporting you should enable this during debugging,
+ * but remove this for production servers that should log as well.
+ *
+ * Uncomment this macro to report all debug messages on errors introducing
+ * a timing side-channel.
+ *
+ */
+//#define MBEDTLS_SSL_DEBUG_ALL
+
+/** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
+ *
+ * Enable support for Encrypt-then-MAC, RFC 7366.
+ *
+ * This allows peers that both support it to use a more robust protection for
+ * ciphersuites using CBC, providing deep resistance against timing attacks
+ * on the padding or underlying cipher.
+ *
+ * This only affects CBC ciphersuites, and is useless if none is defined.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1    or
+ *           MBEDTLS_SSL_PROTO_TLS1_1  or
+ *           MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Encrypt-then-MAC
+ */
+#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
+
+/** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+ *
+ * Enable support for Extended Master Secret, aka Session Hash
+ * (draft-ietf-tls-session-hash-02).
+ *
+ * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * attacks, but it is recommended to always use it (even if you disable
+ * renegotiation), since it actually fixes a more fundamental issue in the
+ * original SSL/TLS design, and has implications beyond Triple Handshake.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1    or
+ *           MBEDTLS_SSL_PROTO_TLS1_1  or
+ *           MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for Extended Master Secret.
+ */
+#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+
+/**
+ * \def MBEDTLS_SSL_FALLBACK_SCSV
+ *
+ * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ *
+ * For servers, it is recommended to always enable this, unless you support
+ * only one version of TLS, or know for sure that none of your clients
+ * implements a fallback strategy.
+ *
+ * For clients, you only need this if you're using a fallback strategy, which
+ * is not recommended in the first place, unless you absolutely need it to
+ * interoperate with buggy (version-intolerant) servers.
+ *
+ * Comment this macro to disable support for FALLBACK_SCSV
+ */
+#define MBEDTLS_SSL_FALLBACK_SCSV
+
+/**
+ * \def MBEDTLS_SSL_HW_RECORD_ACCEL
+ *
+ * Enable hooking functions in SSL module for hardware acceleration of
+ * individual records.
+ *
+ * Uncomment this macro to enable hooking functions.
+ */
+//#define MBEDTLS_SSL_HW_RECORD_ACCEL
+
+/**
+ * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
+ *
+ * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
+ *
+ * This is a countermeasure to the BEAST attack, which also minimizes the risk
+ * of interoperability issues compared to sending 0-length records.
+ *
+ * Comment this macro to disable 1/n-1 record splitting.
+ */
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
+
+/**
+ * \def MBEDTLS_SSL_RENEGOTIATION
+ *
+ * Enable support for TLS renegotiation.
+ *
+ * The two main uses of renegotiation are (1) refresh keys on long-lived
+ * connections and (2) client authentication after the initial handshake.
+ * If you don't need renegotiation, it's probably better to disable it, since
+ * it has been associated with security issues in the past and is easy to
+ * misuse/misunderstand.
+ *
+ * Comment this to disable support for renegotiation.
+ *
+ * \note   Even if this option is disabled, both client and server are aware
+ *         of the Renegotiation Indication Extension (RFC 5746) used to
+ *         prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
+ *         (See \c mbedtls_ssl_conf_legacy_renegotiation for the
+ *          configuration of this extension).
+ *
+ */
+#define MBEDTLS_SSL_RENEGOTIATION
+
+/**
+ * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+ *
+ * Enable support for receiving and parsing SSLv2 Client Hello messages for the
+ * SSL Server module (MBEDTLS_SSL_SRV_C).
+ *
+ * Uncomment this macro to enable support for SSLv2 Client Hello messages.
+ */
+//#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+
+/**
+ * \def MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+ *
+ * Pick the ciphersuite according to the client's preferences rather than ours
+ * in the SSL Server module (MBEDTLS_SSL_SRV_C).
+ *
+ * Uncomment this macro to respect client's ciphersuite order
+ */
+//#define MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
+
+/**
+ * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+ *
+ * Enable support for RFC 6066 max_fragment_length extension in SSL.
+ *
+ * Comment this macro to disable support for the max_fragment_length extension
+ */
+#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+
+/**
+ * \def MBEDTLS_SSL_PROTO_SSL3
+ *
+ * Enable support for SSL 3.0.
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for SSL 3.0
+ */
+//#define MBEDTLS_SSL_PROTO_SSL3
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1
+ *
+ * Enable support for TLS 1.0.
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.0
+ */
+#define MBEDTLS_SSL_PROTO_TLS1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_1
+ *
+ * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ *
+ * Requires: MBEDTLS_MD5_C
+ *           MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
+ */
+#define MBEDTLS_SSL_PROTO_TLS1_1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
+ *
+ * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
+ *           (Depends on ciphersuites)
+ *
+ * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
+ */
+#define MBEDTLS_SSL_PROTO_TLS1_2
+
+/**
+ * \def MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Enable support for DTLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ *        or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for DTLS
+ */
+#define MBEDTLS_SSL_PROTO_DTLS
+
+/**
+ * \def MBEDTLS_SSL_ALPN
+ *
+ * Enable support for RFC 7301 Application Layer Protocol Negotiation.
+ *
+ * Comment this macro to disable support for ALPN.
+ */
+#define MBEDTLS_SSL_ALPN
+
+/**
+ * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
+ *
+ * Enable support for the anti-replay mechanism in DTLS.
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *           MBEDTLS_SSL_PROTO_DTLS
+ *
+ * \warning Disabling this is often a security risk!
+ * See mbedtls_ssl_conf_dtls_anti_replay() for details.
+ *
+ * Comment this to disable anti-replay in DTLS.
+ */
+#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * \warning Disabling this can ba a security risk! (see above)
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+ *
+ * Enable server-side support for clients that reconnect from the same port.
+ *
+ * Some clients unexpectedly close the connection and try to reconnect using the
+ * same source port. This needs special support from the server to handle the
+ * new connection securely, as described in section 4.2.8 of RFC 6347. This
+ * flag enables that support.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Comment this to disable support for clients reusing the source port.
+ */
+#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+
+/**
+ * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+ *
+ * Enable support for a limit of records with bad MAC.
+ *
+ * See mbedtls_ssl_conf_dtls_badmac_limit().
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ */
+#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+
+/**
+ * \def MBEDTLS_SSL_SESSION_TICKETS
+ *
+ * Enable support for RFC 5077 session tickets in SSL.
+ * Client-side, provides full support for session tickets (maintenance of a
+ * session store remains the responsibility of the application, though).
+ * Server-side, you also need to provide callbacks for writing and parsing
+ * tickets, including authenticated encryption and key management. Example
+ * callbacks are provided by MBEDTLS_SSL_TICKET_C.
+ *
+ * Comment this macro to disable support for SSL session tickets
+ */
+#define MBEDTLS_SSL_SESSION_TICKETS
+
+/**
+ * \def MBEDTLS_SSL_EXPORT_KEYS
+ *
+ * Enable support for exporting key block and master secret.
+ * This is required for certain users of TLS, e.g. EAP-TLS.
+ *
+ * Comment this macro to disable support for key export
+ */
+#define MBEDTLS_SSL_EXPORT_KEYS
+
+/**
+ * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
+ *
+ * Enable support for RFC 6066 server name indication (SNI) in SSL.
+ *
+ * Requires: MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Comment this macro to disable support for server name indication in SSL
+ */
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC
+ *
+ * Enable support for RFC 6066 truncated HMAC in SSL.
+ *
+ * Comment this macro to disable support for truncated HMAC in SSL
+ */
+#define MBEDTLS_SSL_TRUNCATED_HMAC
+
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+ *
+ * Fallback to old (pre-2.7), non-conforming implementation of the truncated
+ * HMAC extension which also truncates the HMAC key. Note that this option is
+ * only meant for a transitory upgrade period and is likely to be removed in
+ * a future version of the library.
+ *
+ * \warning The old implementation is non-compliant and has a security weakness
+ *          (2^80 brute force attack on the HMAC key used for a single,
+ *          uninterrupted connection). This should only be enabled temporarily
+ *          when (1) the use of truncated HMAC is essential in order to save
+ *          bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
+ *          the fixed implementation yet (pre-2.7).
+ *
+ * \deprecated This option is deprecated and will likely be removed in a
+ *             future version of Mbed TLS.
+ *
+ * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
+ *
+ * Requires: MBEDTLS_SSL_TRUNCATED_HMAC
+ */
+//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
+
+/**
+ * \def MBEDTLS_THREADING_ALT
+ *
+ * Provide your own alternate threading implementation.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to allow your own alternate threading implementation.
+ */
+//#define MBEDTLS_THREADING_ALT
+
+/**
+ * \def MBEDTLS_THREADING_PTHREAD
+ *
+ * Enable the pthread wrapper layer for the threading layer.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to enable pthread mutexes.
+ */
+//#define MBEDTLS_THREADING_PTHREAD
+
+/**
+ * \def MBEDTLS_VERSION_FEATURES
+ *
+ * Allow run-time checking of compile-time enabled features. Thus allowing users
+ * to check at run-time if the library is for instance compiled with threading
+ * support via mbedtls_version_check_feature().
+ *
+ * Requires: MBEDTLS_VERSION_C
+ *
+ * Comment this to disable run-time checking and save ROM space
+ */
+#define MBEDTLS_VERSION_FEATURES
+
+/**
+ * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an extension in a v1 or v2 certificate.
+ *
+ * Uncomment to prevent an error.
+ */
+//#define MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+
+/**
+ * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+ *
+ * If set, the X509 parser will not break-off when parsing an X509 certificate
+ * and encountering an unknown critical extension.
+ *
+ * \warning Depending on your PKI use, enabling this can be a security risk!
+ *
+ * Uncomment to prevent an error.
+ */
+//#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+
+/**
+ * \def MBEDTLS_X509_CHECK_KEY_USAGE
+ *
+ * Enable verification of the keyUsage extension (CA and leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused
+ * (intermediate) CA and leaf certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip keyUsage checking for both CA and leaf certificates.
+ */
+#define MBEDTLS_X509_CHECK_KEY_USAGE
+
+/**
+ * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+ *
+ * Enable verification of the extendedKeyUsage extension (leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip extendedKeyUsage checking for certificates.
+ */
+#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+
+/**
+ * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
+ *
+ * Enable parsing and verification of X.509 certificates, CRLs and CSRS
+ * signed with RSASSA-PSS (aka PKCS#1 v2.1).
+ *
+ * Comment this macro to disallow using RSASSA-PSS in certificates.
+ */
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+
+/**
+ * \def MBEDTLS_ZLIB_SUPPORT
+ *
+ * If set, the SSL/TLS module uses ZLIB to support compression and
+ * decompression of packet data.
+ *
+ * \warning TLS-level compression MAY REDUCE SECURITY! See for example the
+ * CRIME attack. Before enabling this option, you should examine with care if
+ * CRIME or similar exploits may be applicable to your use case.
+ *
+ * \note Currently compression can't be used with DTLS.
+ *
+ * \deprecated This feature is deprecated and will be removed
+ *             in the next major revision of the library.
+ *
+ * Used in: library/ssl_tls.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This feature requires zlib library and headers to be present.
+ *
+ * Uncomment to enable use of ZLIB
+ */
+//#define MBEDTLS_ZLIB_SUPPORT
+/* \} name SECTION: mbed TLS feature support */
+
+/**
+ * \name SECTION: mbed TLS modules
+ *
+ * This section enables or disables entire modules in mbed TLS
+ * \{
+ */
+
+/**
+ * \def MBEDTLS_AESNI_C
+ *
+ * Enable AES-NI support on x86-64.
+ *
+ * Module:  library/aesni.c
+ * Caller:  library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the AES-NI instructions on x86-64
+ */
+#define MBEDTLS_AESNI_C
+
+/**
+ * \def MBEDTLS_AES_C
+ *
+ * Enable the AES block cipher.
+ *
+ * Module:  library/aes.c
+ * Caller:  library/cipher.c
+ *          library/pem.c
+ *          library/ctr_drbg.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ *
+ * PEM_PARSE uses AES for decrypting encrypted keys.
+ */
+#define MBEDTLS_AES_C
+
+/**
+ * \def MBEDTLS_ARC4_C
+ *
+ * Enable the ARCFOUR stream cipher.
+ *
+ * Module:  library/arc4.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+ *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ *
+ * \warning   ARC4 is considered a weak cipher and its use constitutes a
+ *            security risk. If possible, we recommend avoidng dependencies on
+ *            it, and considering stronger ciphers instead.
+ *
+ */
+#define MBEDTLS_ARC4_C
+
+/**
+ * \def MBEDTLS_ASN1_PARSE_C
+ *
+ * Enable the generic ASN1 parser.
+ *
+ * Module:  library/asn1.c
+ * Caller:  library/x509.c
+ *          library/dhm.c
+ *          library/pkcs12.c
+ *          library/pkcs5.c
+ *          library/pkparse.c
+ */
+#define MBEDTLS_ASN1_PARSE_C
+
+/**
+ * \def MBEDTLS_ASN1_WRITE_C
+ *
+ * Enable the generic ASN1 writer.
+ *
+ * Module:  library/asn1write.c
+ * Caller:  library/ecdsa.c
+ *          library/pkwrite.c
+ *          library/x509_create.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ */
+#define MBEDTLS_ASN1_WRITE_C
+
+/**
+ * \def MBEDTLS_BASE64_C
+ *
+ * Enable the Base64 module.
+ *
+ * Module:  library/base64.c
+ * Caller:  library/pem.c
+ *
+ * This module is required for PEM support (required by X.509).
+ */
+#define MBEDTLS_BASE64_C
+
+/**
+ * \def MBEDTLS_BIGNUM_C
+ *
+ * Enable the multi-precision integer library.
+ *
+ * Module:  library/bignum.c
+ * Caller:  library/dhm.c
+ *          library/ecp.c
+ *          library/ecdsa.c
+ *          library/rsa.c
+ *          library/rsa_internal.c
+ *          library/ssl_tls.c
+ *
+ * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
+ */
+#define MBEDTLS_BIGNUM_C
+
+/**
+ * \def MBEDTLS_BLOWFISH_C
+ *
+ * Enable the Blowfish block cipher.
+ *
+ * Module:  library/blowfish.c
+ */
+#define MBEDTLS_BLOWFISH_C
+
+/**
+ * \def MBEDTLS_CAMELLIA_C
+ *
+ * Enable the Camellia block cipher.
+ *
+ * Module:  library/camellia.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ */
+#define MBEDTLS_CAMELLIA_C
+
+/**
+ * \def MBEDTLS_ARIA_C
+ *
+ * Enable the ARIA block cipher.
+ *
+ * Module:  library/aria.c
+ * Caller:  library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
+ *      MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
+ */
+//#define MBEDTLS_ARIA_C
+
+/**
+ * \def MBEDTLS_CCM_C
+ *
+ * Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher.
+ *
+ * Module:  library/ccm.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ *
+ * This module enables the AES-CCM ciphersuites, if other requisites are
+ * enabled as well.
+ */
+#define MBEDTLS_CCM_C
+
+/**
+ * \def MBEDTLS_CERTS_C
+ *
+ * Enable the test certificates.
+ *
+ * Module:  library/certs.c
+ * Caller:
+ *
+ * This module is used for testing (ssl_client/server).
+ */
+#define MBEDTLS_CERTS_C
+
+/**
+ * \def MBEDTLS_CHACHA20_C
+ *
+ * Enable the ChaCha20 stream cipher.
+ *
+ * Module:  library/chacha20.c
+ */
+#define MBEDTLS_CHACHA20_C
+
+/**
+ * \def MBEDTLS_CHACHAPOLY_C
+ *
+ * Enable the ChaCha20-Poly1305 AEAD algorithm.
+ *
+ * Module:  library/chachapoly.c
+ *
+ * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C
+ */
+#define MBEDTLS_CHACHAPOLY_C
+
+/**
+ * \def MBEDTLS_CIPHER_C
+ *
+ * Enable the generic cipher layer.
+ *
+ * Module:  library/cipher.c
+ * Caller:  library/ssl_tls.c
+ *
+ * Uncomment to enable generic cipher wrappers.
+ */
+#define MBEDTLS_CIPHER_C
+
+/**
+ * \def MBEDTLS_CMAC_C
+ *
+ * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
+ * ciphers.
+ *
+ * Module:  library/cmac.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
+ *
+ */
+//#define MBEDTLS_CMAC_C
+
+/**
+ * \def MBEDTLS_CTR_DRBG_C
+ *
+ * Enable the CTR_DRBG AES-based random generator.
+ * The CTR_DRBG generator uses AES-256 by default.
+ * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
+ *
+ * \note To achieve a 256-bit security strength with CTR_DRBG,
+ *       you must use AES-256 *and* use sufficient entropy.
+ *       See ctr_drbg.h for more details.
+ *
+ * Module:  library/ctr_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_AES_C
+ *
+ * This module provides the CTR_DRBG AES random number generator.
+ */
+#define MBEDTLS_CTR_DRBG_C
+
+/**
+ * \def MBEDTLS_DEBUG_C
+ *
+ * Enable the debug functions.
+ *
+ * Module:  library/debug.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * This module provides debugging functions.
+ */
+#define MBEDTLS_DEBUG_C
+
+/**
+ * \def MBEDTLS_DES_C
+ *
+ * Enable the DES block cipher.
+ *
+ * Module:  library/des.c
+ * Caller:  library/pem.c
+ *          library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ *      MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+ *
+ * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers instead.
+ */
+#define MBEDTLS_DES_C
+
+/**
+ * \def MBEDTLS_DHM_C
+ *
+ * Enable the Diffie-Hellman-Merkle module.
+ *
+ * Module:  library/dhm.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module is used by the following key exchanges:
+ *      DHE-RSA, DHE-PSK
+ *
+ * \warning    Using DHE constitutes a security risk as it
+ *             is not possible to validate custom DH parameters.
+ *             If possible, it is recommended users should consider
+ *             preferring other methods of key exchange.
+ *             See dhm.h for more details.
+ *
+ */
+#define MBEDTLS_DHM_C
+
+/**
+ * \def MBEDTLS_ECDH_C
+ *
+ * Enable the elliptic curve Diffie-Hellman library.
+ *
+ * Module:  library/ecdh.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module is used by the following key exchanges:
+ *      ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
+ *
+ * Requires: MBEDTLS_ECP_C
+ */
+#define MBEDTLS_ECDH_C
+
+/**
+ * \def MBEDTLS_ECDSA_C
+ *
+ * Enable the elliptic curve DSA library.
+ *
+ * Module:  library/ecdsa.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ *      ECDHE-ECDSA
+ *
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
+ */
+#define MBEDTLS_ECDSA_C
+
+/**
+ * \def MBEDTLS_ECJPAKE_C
+ *
+ * Enable the elliptic curve J-PAKE library.
+ *
+ * \warning This is currently experimental. EC J-PAKE support is based on the
+ * Thread v1.0.0 specification; incompatible changes to the specification
+ * might still happen. For this reason, this is disabled by default.
+ *
+ * Module:  library/ecjpake.c
+ * Caller:
+ *
+ * This module is used by the following key exchanges:
+ *      ECJPAKE
+ *
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
+ */
+//#define MBEDTLS_ECJPAKE_C
+
+/**
+ * \def MBEDTLS_ECP_C
+ *
+ * Enable the elliptic curve over GF(p) library.
+ *
+ * Module:  library/ecp.c
+ * Caller:  library/ecdh.c
+ *          library/ecdsa.c
+ *          library/ecjpake.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
+ */
+#define MBEDTLS_ECP_C
+
+/**
+ * \def MBEDTLS_ENTROPY_C
+ *
+ * Enable the platform-specific entropy code.
+ *
+ * Module:  library/entropy.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C
+ *
+ * This module provides a generic entropy pool
+ */
+#define MBEDTLS_ENTROPY_C
+
+/**
+ * \def MBEDTLS_ERROR_C
+ *
+ * Enable error code to error string conversion.
+ *
+ * Module:  library/error.c
+ * Caller:
+ *
+ * This module enables mbedtls_strerror().
+ */
+#define MBEDTLS_ERROR_C
+
+/**
+ * \def MBEDTLS_GCM_C
+ *
+ * Enable the Galois/Counter Mode (GCM) for AES.
+ *
+ * Module:  library/gcm.c
+ *
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ *
+ * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
+ * requisites are enabled as well.
+ */
+#define MBEDTLS_GCM_C
+
+/**
+ * \def MBEDTLS_HAVEGE_C
+ *
+ * Enable the HAVEGE random generator.
+ *
+ * Warning: the HAVEGE random generator is not suitable for virtualized
+ *          environments
+ *
+ * Warning: the HAVEGE random generator is dependent on timing and specific
+ *          processor traits. It is therefore not advised to use HAVEGE as
+ *          your applications primary random generator or primary entropy pool
+ *          input. As a secondary input to your entropy pool, it IS able add
+ *          the (limited) extra entropy it provides.
+ *
+ * Module:  library/havege.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_TIMING_C
+ *
+ * Uncomment to enable the HAVEGE random generator.
+ */
+//#define MBEDTLS_HAVEGE_C
+
+/**
+ * \def MBEDTLS_HKDF_C
+ *
+ * Enable the HKDF algorithm (RFC 5869).
+ *
+ * Module:  library/hkdf.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the Hashed Message Authentication Code
+ * (HMAC)-based key derivation function (HKDF).
+ */
+#define MBEDTLS_HKDF_C
+
+/**
+ * \def MBEDTLS_HMAC_DRBG_C
+ *
+ * Enable the HMAC_DRBG random generator.
+ *
+ * Module:  library/hmac_drbg.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * Uncomment to enable the HMAC_DRBG random number geerator.
+ */
+#define MBEDTLS_HMAC_DRBG_C
+
+/**
+ * \def MBEDTLS_NIST_KW_C
+ *
+ * Enable the Key Wrapping mode for 128-bit block ciphers,
+ * as defined in NIST SP 800-38F. Only KW and KWP modes
+ * are supported. At the moment, only AES is approved by NIST.
+ *
+ * Module:  library/nist_kw.c
+ *
+ * Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
+ */
+//#define MBEDTLS_NIST_KW_C
+
+/**
+ * \def MBEDTLS_MD_C
+ *
+ * Enable the generic message digest layer.
+ *
+ * Module:  library/md.c
+ * Caller:
+ *
+ * Uncomment to enable generic message digest wrappers.
+ */
+#define MBEDTLS_MD_C
+
+/**
+ * \def MBEDTLS_MD2_C
+ *
+ * Enable the MD2 hash algorithm.
+ *
+ * Module:  library/md2.c
+ * Caller:
+ *
+ * Uncomment to enable support for (rare) MD2-signed X.509 certs.
+ *
+ * \warning   MD2 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+//#define MBEDTLS_MD2_C
+
+/**
+ * \def MBEDTLS_MD4_C
+ *
+ * Enable the MD4 hash algorithm.
+ *
+ * Module:  library/md4.c
+ * Caller:
+ *
+ * Uncomment to enable support for (rare) MD4-signed X.509 certs.
+ *
+ * \warning   MD4 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+//#define MBEDTLS_MD4_C
+
+/**
+ * \def MBEDTLS_MD5_C
+ *
+ * Enable the MD5 hash algorithm.
+ *
+ * Module:  library/md5.c
+ * Caller:  library/md.c
+ *          library/pem.c
+ *          library/ssl_tls.c
+ *
+ * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
+ * depending on the handshake parameters. Further, it is used for checking
+ * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
+ * encrypted keys.
+ *
+ * \warning   MD5 is considered a weak message digest and its use constitutes a
+ *            security risk. If possible, we recommend avoiding dependencies on
+ *            it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_MD5_C
+
+/**
+ * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ *
+ * Enable the buffer allocator implementation that makes use of a (stack)
+ * based buffer to 'allocate' dynamic memory. (replaces calloc() and free()
+ * calls)
+ *
+ * Module:  library/memory_buffer_alloc.c
+ *
+ * Requires: MBEDTLS_PLATFORM_C
+ *           MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS)
+ *
+ * Enable this module to enable the buffer memory allocator.
+ */
+//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+/**
+ * \def MBEDTLS_NET_C
+ *
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
+ *
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module:  library/net_sockets.c
+ *
+ * This module provides networking routines.
+ */
+#define MBEDTLS_NET_C
+
+/**
+ * \def MBEDTLS_OID_C
+ *
+ * Enable the OID database.
+ *
+ * Module:  library/oid.c
+ * Caller:  library/asn1write.c
+ *          library/pkcs5.c
+ *          library/pkparse.c
+ *          library/pkwrite.c
+ *          library/rsa.c
+ *          library/x509.c
+ *          library/x509_create.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ *
+ * This modules translates between OIDs and internal values.
+ */
+#define MBEDTLS_OID_C
+
+/**
+ * \def MBEDTLS_PADLOCK_C
+ *
+ * Enable VIA Padlock support on x86.
+ *
+ * Module:  library/padlock.c
+ * Caller:  library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the VIA PadLock on x86.
+ */
+#define MBEDTLS_PADLOCK_C
+
+/**
+ * \def MBEDTLS_PEM_PARSE_C
+ *
+ * Enable PEM decoding / parsing.
+ *
+ * Module:  library/pem.c
+ * Caller:  library/dhm.c
+ *          library/pkparse.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ *
+ * This modules adds support for decoding / parsing PEM files.
+ */
+#define MBEDTLS_PEM_PARSE_C
+
+/**
+ * \def MBEDTLS_PEM_WRITE_C
+ *
+ * Enable PEM encoding / writing.
+ *
+ * Module:  library/pem.c
+ * Caller:  library/pkwrite.c
+ *          library/x509write_crt.c
+ *          library/x509write_csr.c
+ *
+ * Requires: MBEDTLS_BASE64_C
+ *
+ * This modules adds support for encoding / writing PEM files.
+ */
+#define MBEDTLS_PEM_WRITE_C
+
+/**
+ * \def MBEDTLS_PK_C
+ *
+ * Enable the generic public (asymetric) key layer.
+ *
+ * Module:  library/pk.c
+ * Caller:  library/ssl_tls.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
+ *
+ * Uncomment to enable generic public key wrappers.
+ */
+#define MBEDTLS_PK_C
+
+/**
+ * \def MBEDTLS_PK_PARSE_C
+ *
+ * Enable the generic public (asymetric) key parser.
+ *
+ * Module:  library/pkparse.c
+ * Caller:  library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key parse functions.
+ */
+#define MBEDTLS_PK_PARSE_C
+
+/**
+ * \def MBEDTLS_PK_WRITE_C
+ *
+ * Enable the generic public (asymetric) key writer.
+ *
+ * Module:  library/pkwrite.c
+ * Caller:  library/x509write.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * Uncomment to enable generic public key write functions.
+ */
+#define MBEDTLS_PK_WRITE_C
+
+/**
+ * \def MBEDTLS_PKCS5_C
+ *
+ * Enable PKCS#5 functions.
+ *
+ * Module:  library/pkcs5.c
+ *
+ * Requires: MBEDTLS_MD_C
+ *
+ * This module adds support for the PKCS#5 functions.
+ */
+#define MBEDTLS_PKCS5_C
+
+/**
+ * \def MBEDTLS_PKCS11_C
+ *
+ * Enable wrapper for PKCS#11 smartcard support.
+ *
+ * Module:  library/pkcs11.c
+ * Caller:  library/pk.c
+ *
+ * Requires: MBEDTLS_PK_C
+ *
+ * This module enables SSL/TLS PKCS #11 smartcard support.
+ * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
+ */
+//#define MBEDTLS_PKCS11_C
+
+/**
+ * \def MBEDTLS_PKCS12_C
+ *
+ * Enable PKCS#12 PBE functions.
+ * Adds algorithms for parsing PKCS#8 encrypted private keys
+ *
+ * Module:  library/pkcs12.c
+ * Caller:  library/pkparse.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ * Can use:  MBEDTLS_ARC4_C
+ *
+ * This module enables PKCS#12 functions.
+ */
+#define MBEDTLS_PKCS12_C
+
+/**
+ * \def MBEDTLS_PLATFORM_C
+ *
+ * Enable the platform abstraction layer that allows you to re-assign
+ * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit().
+ *
+ * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT
+ * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned
+ * above to be specified at runtime or compile time respectively.
+ *
+ * \note This abstraction layer must be enabled on Windows (including MSYS2)
+ * as other module rely on it for a fixed snprintf implementation.
+ *
+ * Module:  library/platform.c
+ * Caller:  Most other .c files
+ *
+ * This module enables abstraction of common (libc) functions.
+ */
+#define MBEDTLS_PLATFORM_C
+
+/**
+ * \def MBEDTLS_POLY1305_C
+ *
+ * Enable the Poly1305 MAC algorithm.
+ *
+ * Module:  library/poly1305.c
+ * Caller:  library/chachapoly.c
+ */
+#define MBEDTLS_POLY1305_C
+
+/**
+ * \def MBEDTLS_RIPEMD160_C
+ *
+ * Enable the RIPEMD-160 hash algorithm.
+ *
+ * Module:  library/ripemd160.c
+ * Caller:  library/md.c
+ *
+ */
+#define MBEDTLS_RIPEMD160_C
+
+/**
+ * \def MBEDTLS_RSA_C
+ *
+ * Enable the RSA public-key cryptosystem.
+ *
+ * Module:  library/rsa.c
+ *          library/rsa_internal.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *          library/x509.c
+ *
+ * This module is used by the following key exchanges:
+ *      RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
+ */
+#define MBEDTLS_RSA_C
+
+/**
+ * \def MBEDTLS_SHA1_C
+ *
+ * Enable the SHA1 cryptographic hash algorithm.
+ *
+ * Module:  library/sha1.c
+ * Caller:  library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *          library/x509write_crt.c
+ *
+ * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
+ * depending on the handshake parameters, and for SHA1-signed certificates.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_SHA1_C
+
+/**
+ * \def MBEDTLS_SHA256_C
+ *
+ * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
+ *
+ * Module:  library/sha256.c
+ * Caller:  library/entropy.c
+ *          library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * This module adds support for SHA-224 and SHA-256.
+ * This module is required for the SSL/TLS 1.2 PRF function.
+ */
+#define MBEDTLS_SHA256_C
+
+/**
+ * \def MBEDTLS_SHA512_C
+ *
+ * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
+ *
+ * Module:  library/sha512.c
+ * Caller:  library/entropy.c
+ *          library/md.c
+ *          library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * This module adds support for SHA-384 and SHA-512.
+ */
+#define MBEDTLS_SHA512_C
+
+/**
+ * \def MBEDTLS_SSL_CACHE_C
+ *
+ * Enable simple SSL cache implementation.
+ *
+ * Module:  library/ssl_cache.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_CACHE_C
+ */
+#define MBEDTLS_SSL_CACHE_C
+
+/**
+ * \def MBEDTLS_SSL_COOKIE_C
+ *
+ * Enable basic implementation of DTLS cookies for hello verification.
+ *
+ * Module:  library/ssl_cookie.c
+ * Caller:
+ */
+#define MBEDTLS_SSL_COOKIE_C
+
+/**
+ * \def MBEDTLS_SSL_TICKET_C
+ *
+ * Enable an implementation of TLS server-side callbacks for session tickets.
+ *
+ * Module:  library/ssl_ticket.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_CIPHER_C
+ */
+#define MBEDTLS_SSL_TICKET_C
+
+/**
+ * \def MBEDTLS_SSL_CLI_C
+ *
+ * Enable the SSL/TLS client code.
+ *
+ * Module:  library/ssl_cli.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * This module is required for SSL/TLS client support.
+ */
+#define MBEDTLS_SSL_CLI_C
+
+/**
+ * \def MBEDTLS_SSL_SRV_C
+ *
+ * Enable the SSL/TLS server code.
+ *
+ * Module:  library/ssl_srv.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ *
+ * This module is required for SSL/TLS server support.
+ */
+#define MBEDTLS_SSL_SRV_C
+
+/**
+ * \def MBEDTLS_SSL_TLS_C
+ *
+ * Enable the generic SSL/TLS code.
+ *
+ * Module:  library/ssl_tls.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *
+ * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ *           and at least one of the MBEDTLS_SSL_PROTO_XXX defines
+ *
+ * This module is required for SSL/TLS.
+ */
+#define MBEDTLS_SSL_TLS_C
+
+/**
+ * \def MBEDTLS_THREADING_C
+ *
+ * Enable the threading abstraction layer.
+ * By default mbed TLS assumes it is used in a non-threaded environment or that
+ * contexts are not shared between threads. If you do intend to use contexts
+ * between threads, you will need to enable this layer to prevent race
+ * conditions. See also our Knowledge Base article about threading:
+ * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
+ *
+ * Module:  library/threading.c
+ *
+ * This allows different threading implementations (self-implemented or
+ * provided).
+ *
+ * You will have to enable either MBEDTLS_THREADING_ALT or
+ * MBEDTLS_THREADING_PTHREAD.
+ *
+ * Enable this layer to allow use of mutexes within mbed TLS
+ */
+//#define MBEDTLS_THREADING_C
+
+/**
+ * \def MBEDTLS_TIMING_C
+ *
+ * Enable the semi-portable timing interface.
+ *
+ * \note The provided implementation only works on POSIX/Unix (including Linux,
+ * BSD and OS X) and Windows. On other platforms, you can either disable that
+ * module and provide your own implementations of the callbacks needed by
+ * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
+ * your own implementation of the whole module by setting
+ * \c MBEDTLS_TIMING_ALT in the current file.
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module:  library/timing.c
+ * Caller:  library/havege.c
+ *
+ * This module is used by the HAVEGE random number generator.
+ */
+#define MBEDTLS_TIMING_C
+
+/**
+ * \def MBEDTLS_VERSION_C
+ *
+ * Enable run-time version information.
+ *
+ * Module:  library/version.c
+ *
+ * This module provides run-time version information.
+ */
+#define MBEDTLS_VERSION_C
+
+/**
+ * \def MBEDTLS_X509_USE_C
+ *
+ * Enable X.509 core for using certificates.
+ *
+ * Module:  library/x509.c
+ * Caller:  library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
+ *           MBEDTLS_PK_PARSE_C
+ *
+ * This module is required for the X.509 parsing modules.
+ */
+#define MBEDTLS_X509_USE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_PARSE_C
+ *
+ * Enable X.509 certificate parsing.
+ *
+ * Module:  library/x509_crt.c
+ * Caller:  library/ssl_cli.c
+ *          library/ssl_srv.c
+ *          library/ssl_tls.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 certificate parsing.
+ */
+#define MBEDTLS_X509_CRT_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CRL_PARSE_C
+ *
+ * Enable X.509 CRL parsing.
+ *
+ * Module:  library/x509_crl.c
+ * Caller:  library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 CRL parsing.
+ */
+#define MBEDTLS_X509_CRL_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_PARSE_C
+ *
+ * Enable X.509 Certificate Signing Request (CSR) parsing.
+ *
+ * Module:  library/x509_csr.c
+ * Caller:  library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is used for reading X.509 certificate request.
+ */
+#define MBEDTLS_X509_CSR_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CREATE_C
+ *
+ * Enable X.509 core for creating certificates.
+ *
+ * Module:  library/x509_create.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
+ *
+ * This module is the basis for creating X.509 certificates and CSRs.
+ */
+#define MBEDTLS_X509_CREATE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_WRITE_C
+ *
+ * Enable creating X.509 certificates.
+ *
+ * Module:  library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate creation.
+ */
+#define MBEDTLS_X509_CRT_WRITE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_WRITE_C
+ *
+ * Enable creating X.509 Certificate Signing Requests (CSR).
+ *
+ * Module:  library/x509_csr_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate request writing.
+ */
+#define MBEDTLS_X509_CSR_WRITE_C
+
+/**
+ * \def MBEDTLS_XTEA_C
+ *
+ * Enable the XTEA block cipher.
+ *
+ * Module:  library/xtea.c
+ * Caller:
+ */
+#define MBEDTLS_XTEA_C
+
+/* \} name SECTION: mbed TLS modules */
+
+/**
+ * \name SECTION: Module configuration options
+ *
+ * This section allows for the setting of module specific sizes and
+ * configuration options. The default values are already present in the
+ * relevant header files and should suffice for the regular use cases.
+ *
+ * Our advice is to enable options and change their values here
+ * only if you have a good reason and know the consequences.
+ *
+ * Please check the respective header file for documentation on these
+ * parameters (to prevent duplicate documentation).
+ * \{
+ */
+
+/* MPI / BIGNUM options */
+//#define MBEDTLS_MPI_WINDOW_SIZE            6 /**< Maximum windows size used. */
+//#define MBEDTLS_MPI_MAX_SIZE            1024 /**< Maximum number of bytes for usable MPIs. */
+
+/* CTR_DRBG options */
+//#define MBEDTLS_CTR_DRBG_ENTROPY_LEN               48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */
+//#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL        10000 /**< Interval before reseed is performed by default */
+//#define MBEDTLS_CTR_DRBG_MAX_INPUT                256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_CTR_DRBG_MAX_REQUEST             1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT           384 /**< Maximum size of (re)seed buffer */
+
+/* HMAC_DRBG options */
+//#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000 /**< Interval before reseed is performed by default */
+//#define MBEDTLS_HMAC_DRBG_MAX_INPUT           256 /**< Maximum number of additional input bytes */
+//#define MBEDTLS_HMAC_DRBG_MAX_REQUEST        1024 /**< Maximum number of requested bytes per call */
+//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT      384 /**< Maximum size of (re)seed buffer */
+
+/* ECP options */
+//#define MBEDTLS_ECP_MAX_BITS             521 /**< Maximum bit size of groups */
+//#define MBEDTLS_ECP_WINDOW_SIZE            6 /**< Maximum window size used */
+//#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1 /**< Enable fixed-point speed-up */
+
+/* Entropy options */
+//#define MBEDTLS_ENTROPY_MAX_SOURCES                20 /**< Maximum number of sources supported */
+//#define MBEDTLS_ENTROPY_MAX_GATHER                128 /**< Maximum amount requested from entropy sources */
+//#define MBEDTLS_ENTROPY_MIN_HARDWARE               32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */
+
+/* Memory buffer allocator options */
+//#define MBEDTLS_MEMORY_ALIGN_MULTIPLE      4 /**< Align on multiples of this value */
+
+/* Platform options */
+//#define MBEDTLS_PLATFORM_STD_MEM_HDR   <stdlib.h> /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */
+//#define MBEDTLS_PLATFORM_STD_CALLOC        calloc /**< Default allocator to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_FREE            free /**< Default free to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT            exit /**< Default exit to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_TIME            time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_STD_FPRINTF      fprintf /**< Default fprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_PRINTF        printf /**< Default printf to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_STD_SNPRINTF    snprintf /**< Default snprintf to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS       0 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE       1 /**< Default exit value to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE  "seedfile" /**< Seed file to read/write with default implementation */
+
+/* To Use Function Macros MBEDTLS_PLATFORM_C must be enabled */
+/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */
+//#define MBEDTLS_PLATFORM_CALLOC_MACRO        calloc /**< Default allocator macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_FREE_MACRO            free /**< Default free macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_EXIT_MACRO            exit /**< Default exit macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_TIME_MACRO            time /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO       time_t /**< Default time macro to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */
+//#define MBEDTLS_PLATFORM_FPRINTF_MACRO      fprintf /**< Default fprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_PRINTF_MACRO        printf /**< Default printf macro to use, can be undefined */
+/* Note: your snprintf must correctly zero-terminate the buffer! */
+//#define MBEDTLS_PLATFORM_SNPRINTF_MACRO    snprintf /**< Default snprintf macro to use, can be undefined */
+//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO   mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
+//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO  mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
+
+/**
+ * \brief       This macro is invoked by the library when an invalid parameter
+ *              is detected that is only checked with #MBEDTLS_CHECK_PARAMS
+ *              (see the documentation of that option for context).
+ *
+ *              When you leave this undefined here, the library provides
+ *              a default definition. If the macro #MBEDTLS_CHECK_PARAMS_ASSERT
+ *              is defined, the default definition is `assert(cond)`,
+ *              otherwise the default definition calls a function
+ *              mbedtls_param_failed(). This function is declared in
+ *              `platform_util.h` for the benefit of the library, but
+ *              you need to define in your application.
+ *
+ *              When you define this here, this replaces the default
+ *              definition in platform_util.h (which no longer declares the
+ *              function mbedtls_param_failed()) and it is your responsibility
+ *              to make sure this macro expands to something suitable (in
+ *              particular, that all the necessary declarations are visible
+ *              from within the library - you can ensure that by providing
+ *              them in this file next to the macro definition).
+ *              If you define this macro to call `assert`, also define
+ *              #MBEDTLS_CHECK_PARAMS_ASSERT so that library source files
+ *              include `<assert.h>`.
+ *
+ *              Note that you may define this macro to expand to nothing, in
+ *              which case you don't have to worry about declarations or
+ *              definitions. However, you will then be notified about invalid
+ *              parameters only in non-void functions, and void function will
+ *              just silently return early on invalid parameters, which
+ *              partially negates the benefits of enabling
+ *              #MBEDTLS_CHECK_PARAMS in the first place, so is discouraged.
+ *
+ * \param cond  The expression that should evaluate to true, but doesn't.
+ */
+//#define MBEDTLS_PARAM_FAILED( cond )               assert( cond )
+
+/* SSL Cache options */
+//#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
+//#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
+
+/* SSL options */
+
+/** \def MBEDTLS_SSL_MAX_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming and outgoing plaintext fragments.
+ *
+ * This determines the size of both the incoming and outgoing TLS I/O buffers
+ * in such a way that both are capable of holding the specified amount of
+ * plaintext data, regardless of the protection mechanism used.
+ *
+ * To configure incoming and outgoing I/O buffers separately, use
+ * #MBEDTLS_SSL_IN_CONTENT_LEN and #MBEDTLS_SSL_OUT_CONTENT_LEN,
+ * which overwrite the value set by this option.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of both
+ * incoming and outgoing I/O buffers.
+ */
+//#define MBEDTLS_SSL_MAX_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_IN_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of incoming plaintext fragments.
+ *
+ * This determines the size of the incoming TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option is undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * \note When using a value less than the default of 16KB on the client, it is
+ *       recommended to use the Maximum Fragment Length (MFL) extension to
+ *       inform the server about this limitation. On the server, there
+ *       is no supported, standardized way of informing the client about
+ *       restriction on the maximum size of incoming messages, and unless
+ *       the limitation has been communicated by other means, it is recommended
+ *       to only change the outgoing buffer size #MBEDTLS_SSL_OUT_CONTENT_LEN
+ *       while keeping the default value of 16KB for the incoming buffer.
+ *
+ * Uncomment to set the maximum plaintext size of the incoming I/O buffer
+ * independently of the outgoing I/O buffer.
+ */
+//#define MBEDTLS_SSL_IN_CONTENT_LEN              16384
+
+/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
+ *
+ * Maximum length (in bytes) of outgoing plaintext fragments.
+ *
+ * This determines the size of the outgoing TLS I/O buffer in such a way
+ * that it is capable of holding the specified amount of plaintext data,
+ * regardless of the protection mechanism used.
+ *
+ * If this option undefined, it inherits its value from
+ * #MBEDTLS_SSL_MAX_CONTENT_LEN.
+ *
+ * It is possible to save RAM by setting a smaller outward buffer, while keeping
+ * the default inward 16384 byte buffer to conform to the TLS specification.
+ *
+ * The minimum required outward buffer size is determined by the handshake
+ * protocol's usage. Handshaking will fail if the outward buffer is too small.
+ * The specific size requirement depends on the configured ciphers and any
+ * certificate data which is sent during the handshake.
+ *
+ * Uncomment to set the maximum plaintext size of the outgoing I/O buffer
+ * independently of the incoming I/O buffer.
+ */
+//#define MBEDTLS_SSL_OUT_CONTENT_LEN             16384
+
+/** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING
+ *
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ *
+ * This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN
+ * to account for a reassembled handshake message of maximum size,
+ * together with its reassembly bitmap.
+ *
+ * A value of 2 * MBEDTLS_SSL_IN_CONTENT_LEN (32768 by default)
+ * should be sufficient for all practical situations as it allows
+ * to reassembly a large handshake message (such as a certificate)
+ * while buffering multiple smaller handshake messages.
+ *
+ */
+//#define MBEDTLS_SSL_DTLS_MAX_BUFFERING             32768
+
+//#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+//#define MBEDTLS_PSK_MAX_LEN               32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
+//#define MBEDTLS_SSL_COOKIE_TIMEOUT        60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+
+/**
+ * Complete list of ciphersuites to use, in order of preference.
+ *
+ * \warning No dependency checking is done on that field! This option can only
+ * be used to restrict the set of available ciphersuites. It is your
+ * responsibility to make sure the needed modules are active.
+ *
+ * Use this to save a few hundred bytes of ROM (default ordering of all
+ * available ciphersuites) and a few to a few hundred bytes of RAM.
+ *
+ * The value below is only an example, not the default.
+ */
+//#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+
+/* X509 options */
+//#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
+//#define MBEDTLS_X509_MAX_FILE_PATH_LEN     512 /**< Maximum length of a path/filename string in bytes including the null terminator character ('\0'). */
+
+/**
+ * Allow SHA-1 in the default TLS configuration for certificate signing.
+ * Without this build-time option, SHA-1 support must be activated explicitly
+ * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
+ * recommended because of it is possible to generate SHA-1 collisions, however
+ * this may be safe for legacy infrastructure where additional controls apply.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+
+/**
+ * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake
+ * signature and ciphersuite selection. Without this build-time option, SHA-1
+ * support must be activated explicitly through mbedtls_ssl_conf_sig_hashes.
+ * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
+ * default. At the time of writing, there is no practical attack on the use
+ * of SHA-1 in handshake signatures, hence this option is turned on by default
+ * to preserve compatibility with existing peers, but the general
+ * warning applies nonetheless:
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. If possible, we recommend avoiding dependencies
+ *            on it, and considering stronger message digests instead.
+ *
+ */
+#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
+
+/**
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_platform_zeroize(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * mbedtls_platform_zeroize() is a widely used function across the library to
+ * zero a block of memory. The implementation is expected to be secure in the
+ * sense that it has been written to prevent the compiler from removing calls
+ * to mbedtls_platform_zeroize() as part of redundant code elimination
+ * optimizations. However, it is difficult to guarantee that calls to
+ * mbedtls_platform_zeroize() will not be optimized by the compiler as older
+ * versions of the C language standards do not provide a secure implementation
+ * of memset(). Therefore, MBEDTLS_PLATFORM_ZEROIZE_ALT enables users to
+ * configure their own implementation of mbedtls_platform_zeroize(), for
+ * example by using directives specific to their compiler, features from newer
+ * C standards (e.g using memset_s() in C11) or calling a secure memset() from
+ * their system (e.g explicit_bzero() in BSD).
+ */
+//#define MBEDTLS_PLATFORM_ZEROIZE_ALT
+
+/**
+ * Uncomment the macro to let Mbed TLS use your alternate implementation of
+ * mbedtls_platform_gmtime_r(). This replaces the default implementation in
+ * platform_util.c.
+ *
+ * gmtime() is not a thread-safe function as defined in the C standard. The
+ * library will try to use safer implementations of this function, such as
+ * gmtime_r() when available. However, if Mbed TLS cannot identify the target
+ * system, the implementation of mbedtls_platform_gmtime_r() will default to
+ * using the standard gmtime(). In this case, calls from the library to
+ * gmtime() will be guarded by the global mutex mbedtls_threading_gmtime_mutex
+ * if MBEDTLS_THREADING_C is enabled. We recommend that calls from outside the
+ * library are also guarded with this mutex to avoid race conditions. However,
+ * if the macro MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, Mbed TLS will
+ * unconditionally use the implementation for mbedtls_platform_gmtime_r()
+ * supplied at compile time.
+ */
+//#define MBEDTLS_PLATFORM_GMTIME_R_ALT
+
+/* \} name SECTION: Customisation configuration options */
+
+/* Target and application specific configurations
+ *
+ * Allow user to override any previous default.
+ *
+ */
+#if defined(MBEDTLS_USER_CONFIG_FILE)
+#include MBEDTLS_USER_CONFIG_FILE
+#endif
+
+#include "check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ctr_drbg.h b/makerom/deps/libmbedtls/include/mbedtls/ctr_drbg.h
new file mode 100644
index 00000000..e0b5ed9c
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ctr_drbg.h
@@ -0,0 +1,512 @@
+/**
+ * \file ctr_drbg.h
+ *
+ * \brief    This file contains definitions and functions for the
+ *           CTR_DRBG pseudorandom generator.
+ *
+ * CTR_DRBG is a standardized way of building a PRNG from a block-cipher
+ * in counter mode operation, as defined in <em>NIST SP 800-90A:
+ * Recommendation for Random Number Generation Using Deterministic Random
+ * Bit Generators</em>.
+ *
+ * The Mbed TLS implementation of CTR_DRBG uses AES-256 (default) or AES-128
+ * (if \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled at compile time)
+ * as the underlying block cipher, with a derivation function.
+ * The initial seeding grabs #MBEDTLS_CTR_DRBG_ENTROPY_LEN bytes of entropy.
+ * See the documentation of mbedtls_ctr_drbg_seed() for more details.
+ *
+ * Based on NIST SP 800-90A §10.2.1 table 3 and NIST SP 800-57 part 1 table 2,
+ * here are the security strengths achieved in typical configuration:
+ * - 256 bits under the default configuration of the library, with AES-256
+ *   and with #MBEDTLS_CTR_DRBG_ENTROPY_LEN set to 48 or more.
+ * - 256 bits if AES-256 is used, #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set
+ *   to 32 or more, and the DRBG is initialized with an explicit
+ *   nonce in the \c custom parameter to mbedtls_ctr_drbg_seed().
+ * - 128 bits if AES-256 is used but #MBEDTLS_CTR_DRBG_ENTROPY_LEN is
+ *   between 24 and 47 and the DRBG is not initialized with an explicit
+ *   nonce (see mbedtls_ctr_drbg_seed()).
+ * - 128 bits if AES-128 is used (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY enabled)
+ *   and #MBEDTLS_CTR_DRBG_ENTROPY_LEN is set to 24 or more (which is
+ *   always the case unless it is explicitly set to a different value
+ *   in config.h).
+ *
+ * Note that the value of #MBEDTLS_CTR_DRBG_ENTROPY_LEN defaults to:
+ * - \c 48 if the module \c MBEDTLS_SHA512_C is enabled and the symbol
+ *   \c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled at compile time.
+ *   This is the default configuration of the library.
+ * - \c 32 if the module \c MBEDTLS_SHA512_C is disabled at compile time.
+ * - \c 32 if \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled at compile time.
+ */
+/*
+ *  Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CTR_DRBG_H
+#define MBEDTLS_CTR_DRBG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED        -0x0034  /**< The entropy source failed. */
+#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG              -0x0036  /**< The requested random buffer length is too big. */
+#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG                -0x0038  /**< The input (entropy + additional data) is too large. */
+#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR                -0x003A  /**< Read or write error in file. */
+
+#define MBEDTLS_CTR_DRBG_BLOCKSIZE          16 /**< The block size used by the cipher. */
+
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+#define MBEDTLS_CTR_DRBG_KEYSIZE            16
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 16 bytes (128 bits)
+ * because #MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled.
+ */
+#else
+#define MBEDTLS_CTR_DRBG_KEYSIZE            32
+/**< The key size in bytes used by the cipher.
+ *
+ * Compile-time choice: 32 bytes (256 bits)
+ * because \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled.
+ */
+#endif
+
+#define MBEDTLS_CTR_DRBG_KEYBITS            ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */
+#define MBEDTLS_CTR_DRBG_SEEDLEN            ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them using the compiler command
+ * line.
+ * \{
+ */
+
+/** \def MBEDTLS_CTR_DRBG_ENTROPY_LEN
+ *
+ * \brief The amount of entropy used per seed by default, in bytes.
+ */
+#if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+/** This is 48 bytes because the entropy module uses SHA-512
+ * (\c MBEDTLS_ENTROPY_FORCE_SHA256 is disabled).
+ */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        48
+
+#else /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+
+/** This is 32 bytes because the entropy module uses SHA-256
+ * (the SHA512 module is disabled or
+ * \c MBEDTLS_ENTROPY_FORCE_SHA256 is enabled).
+ */
+#if !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+/** \warning To achieve a 256-bit security strength, you must pass a nonce
+ *           to mbedtls_ctr_drbg_seed().
+ */
+#endif /* !defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) */
+#define MBEDTLS_CTR_DRBG_ENTROPY_LEN        32
+#endif /* defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) */
+#endif /* !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) */
+
+#if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL    10000
+/**< The interval before reseed is performed by default. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_INPUT          256
+/**< The maximum number of additional input Bytes. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_REQUEST)
+#define MBEDTLS_CTR_DRBG_MAX_REQUEST        1024
+/**< The maximum number of requested Bytes per call. */
+#endif
+
+#if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT     384
+/**< The maximum size of seed or reseed buffer in bytes. */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_CTR_DRBG_PR_OFF             0
+/**< Prediction resistance is disabled. */
+#define MBEDTLS_CTR_DRBG_PR_ON              1
+/**< Prediction resistance is enabled. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          The CTR_DRBG context structure.
+ */
+typedef struct mbedtls_ctr_drbg_context
+{
+    unsigned char counter[16];  /*!< The counter (V). */
+    int reseed_counter;         /*!< The reseed counter. */
+    int prediction_resistance;  /*!< This determines whether prediction
+                                     resistance is enabled, that is
+                                     whether to systematically reseed before
+                                     each random generation. */
+    size_t entropy_len;         /*!< The amount of entropy grabbed on each
+                                     seed or reseed operation. */
+    int reseed_interval;        /*!< The reseed interval. */
+
+    mbedtls_aes_context aes_ctx;        /*!< The AES context. */
+
+    /*
+     * Callbacks (Entropy)
+     */
+    int (*f_entropy)(void *, unsigned char *, size_t);
+                                /*!< The entropy callback function. */
+
+    void *p_entropy;            /*!< The context for the entropy function. */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+}
+mbedtls_ctr_drbg_context;
+
+/**
+ * \brief               This function initializes the CTR_DRBG context,
+ *                      and prepares it for mbedtls_ctr_drbg_seed()
+ *                      or mbedtls_ctr_drbg_free().
+ *
+ * \param ctx           The CTR_DRBG context to initialize.
+ */
+void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
+
+/**
+ * \brief               This function seeds and sets up the CTR_DRBG
+ *                      entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * The entropy length is #MBEDTLS_CTR_DRBG_ENTROPY_LEN by default.
+ * You can override it by calling mbedtls_ctr_drbg_set_entropy_len().
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note                The _seed_material_ value passed to the derivation
+ *                      function in the CTR_DRBG Instantiate Process
+ *                      described in NIST SP 800-90A §10.2.1.3.2
+ *                      is the concatenation of the string obtained from
+ *                      calling \p f_entropy and the \p custom string.
+ *                      The origin of the nonce depends on the value of
+ *                      the entropy length relative to the security strength.
+ *                      - If the entropy length is at least 1.5 times the
+ *                        security strength then the nonce is taken from the
+ *                        string obtained with \p f_entropy.
+ *                      - If the entropy length is less than the security
+ *                        strength, then the nonce is taken from \p custom.
+ *                        In this case, for compliance with SP 800-90A,
+ *                        you must pass a unique value of \p custom at
+ *                        each invocation. See SP 800-90A §8.6.7 for more
+ *                        details.
+ */
+#if MBEDTLS_CTR_DRBG_ENTROPY_LEN < MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2
+/** \warning            When #MBEDTLS_CTR_DRBG_ENTROPY_LEN is less than
+ *                      #MBEDTLS_CTR_DRBG_KEYSIZE * 3 / 2, to achieve the
+ *                      maximum security strength permitted by CTR_DRBG,
+ *                      you must pass a value of \p custom that is a nonce:
+ *                      this value must never be repeated in subsequent
+ *                      runs of the same application or on a different
+ *                      device.
+ */
+#endif
+/**
+ * \param ctx           The CTR_DRBG context to seed.
+ *                      It must have been initialized with
+ *                      mbedtls_ctr_drbg_init().
+ *                      After a successful call to mbedtls_ctr_drbg_seed(),
+ *                      you may not call mbedtls_ctr_drbg_seed() again on
+ *                      the same context unless you call
+ *                      mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
+ *                      again first.
+ * \param f_entropy     The entropy callback, taking as arguments the
+ *                      \p p_entropy context, the buffer to fill, and the
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a buffer size
+ *                      equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT
+ *                      - #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
+                   int (*f_entropy)(void *, unsigned char *, size_t),
+                   void *p_entropy,
+                   const unsigned char *custom,
+                   size_t len );
+
+/**
+ * \brief               This function clears CTR_CRBG context data.
+ *
+ * \param ctx           The CTR_DRBG context to clear.
+ */
+void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx );
+
+/**
+ * \brief               This function turns prediction resistance on or off.
+ *                      The default value is off.
+ *
+ * \note                If enabled, entropy is gathered at the beginning of
+ *                      every call to mbedtls_ctr_drbg_random_with_add()
+ *                      or mbedtls_ctr_drbg_random().
+ *                      Only use this if your entropy source has sufficient
+ *                      throughput.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param resistance    #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF.
+ */
+void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
+                                         int resistance );
+
+/**
+ * \brief               This function sets the amount of entropy grabbed on each
+ *                      seed or reseed.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_ENTROPY_LEN.
+ *
+ * \note                The security strength of CTR_DRBG is bounded by the
+ *                      entropy length. Thus:
+ *                      - When using AES-256
+ *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is disabled,
+ *                        which is the default),
+ *                        \p len must be at least 32 (in bytes)
+ *                        to achieve a 256-bit strength.
+ *                      - When using AES-128
+ *                        (\c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY is enabled)
+ *                        \p len must be at least 16 (in bytes)
+ *                        to achieve a 128-bit strength.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param len           The amount of entropy to grab, in bytes.
+ *                      This must be at most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ */
+void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
+                               size_t len );
+
+/**
+ * \brief               This function sets the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_ctr_drbg_random()
+ * or mbedtls_ctr_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param interval      The reseed interval.
+ */
+void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
+                                   int interval );
+
+/**
+ * \brief               This function reseeds the CTR_DRBG context, that is
+ *                      extracts data from the entropy source.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param additional    Additional data to add to the state. Can be \c NULL.
+ * \param len           The length of the additional data.
+ *                      This must be less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.
+ */
+int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
+                     const unsigned char *additional, size_t len );
+
+/**
+ * \brief              This function updates the state of the CTR_DRBG context.
+ *
+ * \param ctx          The CTR_DRBG context.
+ * \param additional   The data to update the state with. This must not be
+ *                     \c NULL unless \p add_len is \c 0.
+ * \param add_len      Length of \p additional in bytes. This must be at
+ *                     most #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ *
+ * \return             \c 0 on success.
+ * \return             #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if
+ *                     \p add_len is more than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT.
+ * \return             An error from the underlying AES cipher on failure.
+ */
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len );
+
+/**
+ * \brief   This function updates a CTR_DRBG instance with additional
+ *          data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \param p_rng         The CTR_DRBG context. This must be a pointer to a
+ *                      #mbedtls_ctr_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ * \param additional    Additional data to update. Can be \c NULL, in which
+ *                      case the additional data is empty regardless of
+ *                      the value of \p add_len.
+ * \param add_len       The length of the additional data
+ *                      if \p additional is not \c NULL.
+ *                      This must be less than #MBEDTLS_CTR_DRBG_MAX_INPUT
+ *                      and less than
+ *                      #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - \c entropy_len
+ *                      where \c entropy_len is the entropy length
+ *                      configured for the context.
+ *
+ * \return    \c 0 on success.
+ * \return    #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ *            #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random_with_add( void *p_rng,
+                              unsigned char *output, size_t output_len,
+                              const unsigned char *additional, size_t add_len );
+
+/**
+ * \brief   This function uses CTR_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ *
+ * \param p_rng         The CTR_DRBG context. This must be a pointer to a
+ *                      #mbedtls_ctr_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
+ *                      #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
+ */
+int mbedtls_ctr_drbg_random( void *p_rng,
+                     unsigned char *output, size_t output_len );
+
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief              This function updates the state of the CTR_DRBG context.
+ *
+ * \deprecated         Superseded by mbedtls_ctr_drbg_update_ret()
+ *                     in 2.16.0.
+ *
+ * \note               If \p add_len is greater than
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
+ *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
+ *                     The remaining Bytes are silently discarded.
+ *
+ * \param ctx          The CTR_DRBG context.
+ * \param additional   The data to update the state with.
+ * \param add_len      Length of \p additional data.
+ */
+MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
+    mbedtls_ctr_drbg_context *ctx,
+    const unsigned char *additional,
+    size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               This function writes a seed file.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      failure.
+ */
+int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
+
+/**
+ * \brief               This function reads and updates a seed file. The seed
+ *                      is added to this instance.
+ *
+ * \param ctx           The CTR_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
+ */
+int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief               The CTR_DRBG checkup routine.
+ *
+ * \return              \c 0 on success.
+ * \return              \c 1 on failure.
+ */
+int mbedtls_ctr_drbg_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+/* Internal functions (do not call directly) */
+int mbedtls_ctr_drbg_seed_entropy_len( mbedtls_ctr_drbg_context *,
+                               int (*)(void *, unsigned char *, size_t), void *,
+                               const unsigned char *, size_t, size_t );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ctr_drbg.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/debug.h b/makerom/deps/libmbedtls/include/mbedtls/debug.h
new file mode 100644
index 00000000..736444bb
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/debug.h
@@ -0,0 +1,265 @@
+/**
+ * \file debug.h
+ *
+ * \brief Functions for controlling and providing debug output from the library.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_DEBUG_H
+#define MBEDTLS_DEBUG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_ECP_C)
+#include "ecp.h"
+#endif
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#define MBEDTLS_DEBUG_STRIP_PARENS( ... )   __VA_ARGS__
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )                    \
+    mbedtls_debug_print_msg( ssl, level, __FILE__, __LINE__,    \
+                             MBEDTLS_DEBUG_STRIP_PARENS args )
+
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )                \
+    mbedtls_debug_print_ret( ssl, level, __FILE__, __LINE__, text, ret )
+
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )           \
+    mbedtls_debug_print_buf( ssl, level, __FILE__, __LINE__, text, buf, len )
+
+#if defined(MBEDTLS_BIGNUM_C)
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )                  \
+    mbedtls_debug_print_mpi( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )                  \
+    mbedtls_debug_print_ecp( ssl, level, __FILE__, __LINE__, text, X )
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )                \
+    mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )               \
+    mbedtls_debug_printf_ecdh( ssl, level, __FILE__, __LINE__, ecdh, attr )
+#endif
+
+#else /* MBEDTLS_DEBUG_C */
+
+#define MBEDTLS_SSL_DEBUG_MSG( level, args )            do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_RET( level, text, ret )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len )  do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_MPI( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECP( level, text, X )         do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt )       do { } while( 0 )
+#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr )     do { } while( 0 )
+
+#endif /* MBEDTLS_DEBUG_C */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Set the threshold error level to handle globally all debug output.
+ *          Debug messages that have a level over the threshold value are
+ *          discarded.
+ *          (Default value: 0 = No debug )
+ *
+ * \param threshold     theshold level of messages to filter on. Messages at a
+ *                      higher level will be discarded.
+ *                          - Debug levels
+ *                              - 0 No debug
+ *                              - 1 Error
+ *                              - 2 State change
+ *                              - 3 Informational
+ *                              - 4 Verbose
+ */
+void mbedtls_debug_set_threshold( int threshold );
+
+/**
+ * \brief    Print a message to the debug output. This function is always used
+ *          through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
+ *          context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the message has occurred in
+ * \param line      line number the message has occurred at
+ * \param format    format specifier, in printf format
+ * \param ...       variables used by the format specifier
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
+                              const char *file, int line,
+                              const char *format, ... );
+
+/**
+ * \brief   Print the return value of a function to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      the name of the function that returned the error
+ * \param ret       the return code value
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, int ret );
+
+/**
+ * \brief   Output a buffer of size len bytes to the debug output. This function
+ *          is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the buffer being dumped. Normally the
+ *                  variable or buffer name
+ * \param buf       the buffer to be outputted
+ * \param len       length of the buffer
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line, const char *text,
+                      const unsigned char *buf, size_t len );
+
+#if defined(MBEDTLS_BIGNUM_C)
+/**
+ * \brief   Print a MPI variable to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the MPI being output. Normally the
+ *                  variable name
+ * \param X         the MPI variable
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_mpi *X );
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief   Print an ECP point to the debug output. This function is always
+ *          used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
+ *          ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the ECP point being output. Normally the
+ *                  variable name
+ * \param X         the ECP point
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_ecp_point *X );
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief   Print a X.509 certificate structure to the debug output. This
+ *          function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
+ *          which supplies the ssl context, file and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param text      a name or label for the certificate being output
+ * \param crt       X.509 certificate structure
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_x509_crt *crt );
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+typedef enum
+{
+    MBEDTLS_DEBUG_ECDH_Q,
+    MBEDTLS_DEBUG_ECDH_QP,
+    MBEDTLS_DEBUG_ECDH_Z,
+} mbedtls_debug_ecdh_attr;
+
+/**
+ * \brief   Print a field of the ECDH structure in the SSL context to the debug
+ *          output. This function is always used through the
+ *          MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
+ *          and line number parameters.
+ *
+ * \param ssl       SSL context
+ * \param level     error level of the debug message
+ * \param file      file the error has occurred in
+ * \param line      line number the error has occurred in
+ * \param ecdh      the ECDH context
+ * \param attr      the identifier of the attribute being output
+ *
+ * \attention       This function is intended for INTERNAL usage within the
+ *                  library only.
+ */
+void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
+                                const char *file, int line,
+                                const mbedtls_ecdh_context *ecdh,
+                                mbedtls_debug_ecdh_attr attr );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* debug.h */
+
diff --git a/makerom/deps/libmbedtls/include/mbedtls/des.h b/makerom/deps/libmbedtls/include/mbedtls/des.h
new file mode 100644
index 00000000..54e6b789
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/des.h
@@ -0,0 +1,356 @@
+/**
+ * \file des.h
+ *
+ * \brief DES block cipher
+ *
+ * \warning   DES is considered a weak cipher and its use constitutes a
+ *            security risk. We recommend considering stronger ciphers
+ *            instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_DES_H
+#define MBEDTLS_DES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_DES_ENCRYPT     1
+#define MBEDTLS_DES_DECRYPT     0
+
+#define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH              -0x0032  /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_DES_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_DES_HW_ACCEL_FAILED                   -0x0033  /**< DES hardware accelerator failed. */
+
+#define MBEDTLS_DES_KEY_SIZE    8
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_DES_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          DES context structure
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+typedef struct mbedtls_des_context
+{
+    uint32_t sk[32];            /*!<  DES subkeys       */
+}
+mbedtls_des_context;
+
+/**
+ * \brief          Triple-DES context structure
+ */
+typedef struct mbedtls_des3_context
+{
+    uint32_t sk[96];            /*!<  3DES subkeys      */
+}
+mbedtls_des3_context;
+
+#else  /* MBEDTLS_DES_ALT */
+#include "des_alt.h"
+#endif /* MBEDTLS_DES_ALT */
+
+/**
+ * \brief          Initialize DES context
+ *
+ * \param ctx      DES context to be initialized
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_init( mbedtls_des_context *ctx );
+
+/**
+ * \brief          Clear DES context
+ *
+ * \param ctx      DES context to be cleared
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_free( mbedtls_des_context *ctx );
+
+/**
+ * \brief          Initialize Triple-DES context
+ *
+ * \param ctx      DES3 context to be initialized
+ */
+void mbedtls_des3_init( mbedtls_des3_context *ctx );
+
+/**
+ * \brief          Clear Triple-DES context
+ *
+ * \param ctx      DES3 context to be cleared
+ */
+void mbedtls_des3_free( mbedtls_des3_context *ctx );
+
+/**
+ * \brief          Set key parity on the given key to odd.
+ *
+ *                 DES keys are 56 bits long, but each byte is padded with
+ *                 a parity bit to allow verification.
+ *
+ * \param key      8-byte secret key
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Check that key parity on the given key is odd.
+ *
+ *                 DES keys are 56 bits long, but each byte is padded with
+ *                 a parity bit to allow verification.
+ *
+ * \param key      8-byte secret key
+ *
+ * \return         0 is parity was ok, 1 if parity was not correct.
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Check that key is not a weak or semi-weak DES key
+ *
+ * \param key      8-byte secret key
+ *
+ * \return         0 if no weak key was found, 1 if a weak key was identified.
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          DES key schedule (56-bit, encryption)
+ *
+ * \param ctx      DES context to be initialized
+ * \param key      8-byte secret key
+ *
+ * \return         0
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          DES key schedule (56-bit, decryption)
+ *
+ * \param ctx      DES context to be initialized
+ * \param key      8-byte secret key
+ *
+ * \return         0
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+/**
+ * \brief          Triple-DES key schedule (112-bit, encryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      16-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
+
+/**
+ * \brief          Triple-DES key schedule (112-bit, decryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      16-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
+
+/**
+ * \brief          Triple-DES key schedule (168-bit, encryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      24-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
+
+/**
+ * \brief          Triple-DES key schedule (168-bit, decryption)
+ *
+ * \param ctx      3DES context to be initialized
+ * \param key      24-byte secret key
+ *
+ * \return         0
+ */
+int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
+
+/**
+ * \brief          DES-ECB block encryption/decryption
+ *
+ * \param ctx      DES context
+ * \param input    64-bit input block
+ * \param output   64-bit output block
+ *
+ * \return         0 if successful
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
+                    const unsigned char input[8],
+                    unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          DES-CBC buffer encryption/decryption
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      DES context
+ * \param mode     MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief          3DES-ECB block encryption/decryption
+ *
+ * \param ctx      3DES context
+ * \param input    64-bit input block
+ * \param output   64-bit output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
+                     const unsigned char input[8],
+                     unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          3DES-CBC buffer encryption/decryption
+ *
+ * \note           Upon exit, the content of the IV is updated so that you can
+ *                 call the function same function again on the following
+ *                 block(s) of data and get the same result as if it was
+ *                 encrypted in one call. This allows a "streaming" usage.
+ *                 If on the other hand you need to retain the contents of the
+ *                 IV, you should either save it manually or use the cipher
+ *                 module instead.
+ *
+ * \param ctx      3DES context
+ * \param mode     MBEDTLS_DES_ENCRYPT or MBEDTLS_DES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
+ */
+int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
+                     int mode,
+                     size_t length,
+                     unsigned char iv[8],
+                     const unsigned char *input,
+                     unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/**
+ * \brief          Internal function for key expansion.
+ *                 (Only exposed to allow overriding it,
+ *                 see MBEDTLS_DES_SETKEY_ALT)
+ *
+ * \param SK       Round keys
+ * \param key      Base key
+ *
+ * \warning        DES is considered a weak cipher and its use constitutes a
+ *                 security risk. We recommend considering stronger ciphers
+ *                 instead.
+ */
+void mbedtls_des_setkey( uint32_t SK[32],
+                         const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_des_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* des.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/dhm.h b/makerom/deps/libmbedtls/include/mbedtls/dhm.h
new file mode 100644
index 00000000..2909f5fb
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/dhm.h
@@ -0,0 +1,1096 @@
+/**
+ * \file dhm.h
+ *
+ * \brief   This file contains Diffie-Hellman-Merkle (DHM) key exchange
+ *          definitions and functions.
+ *
+ * Diffie-Hellman-Merkle (DHM) key exchange is defined in
+ * <em>RFC-2631: Diffie-Hellman Key Agreement Method</em> and
+ * <em>Public-Key Cryptography Standards (PKCS) #3: Diffie
+ * Hellman Key Agreement Standard</em>.
+ *
+ * <em>RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for
+ * Internet Key Exchange (IKE)</em> defines a number of standardized
+ * Diffie-Hellman groups for IKE.
+ *
+ * <em>RFC-5114: Additional Diffie-Hellman Groups for Use with IETF
+ * Standards</em> defines a number of standardized Diffie-Hellman
+ * groups that can be used.
+ *
+ * \warning  The security of the DHM key exchange relies on the proper choice
+ *           of prime modulus - optimally, it should be a safe prime. The usage
+ *           of non-safe primes both decreases the difficulty of the underlying
+ *           discrete logarithm problem and can lead to small subgroup attacks
+ *           leaking private exponent bits when invalid public keys are used
+ *           and not detected. This is especially relevant if the same DHM
+ *           parameters are reused for multiple key exchanges as in static DHM,
+ *           while the criticality of small-subgroup attacks is lower for
+ *           ephemeral DHM.
+ *
+ * \warning  For performance reasons, the code does neither perform primality
+ *           nor safe primality tests, nor the expensive checks for invalid
+ *           subgroups. Moreover, even if these were performed, non-standardized
+ *           primes cannot be trusted because of the possibility of backdoors
+ *           that can't be effectively checked for.
+ *
+ * \warning  Diffie-Hellman-Merkle is therefore a security risk when not using
+ *           standardized primes generated using a trustworthy ("nothing up
+ *           my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS
+ *           protocol, DH parameters need to be negotiated, so using the default
+ *           primes systematically is not always an option. If possible, use
+ *           Elliptic Curve Diffie-Hellman (ECDH), which has better performance,
+ *           and for which the TLS protocol mandates the use of standard
+ *           parameters.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_DHM_H
+#define MBEDTLS_DHM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+#include "bignum.h"
+
+/*
+ * DHM Error codes
+ */
+#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA                    -0x3080  /**< Bad input parameters. */
+#define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED                -0x3100  /**< Reading of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED                -0x3180  /**< Making of the DHM parameters failed. */
+#define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED                -0x3200  /**< Reading of the public values failed. */
+#define MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED                -0x3280  /**< Making of the public value failed. */
+#define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED                -0x3300  /**< Calculation of the DHM secret failed. */
+#define MBEDTLS_ERR_DHM_INVALID_FORMAT                    -0x3380  /**< The ASN.1 data is not formatted correctly. */
+#define MBEDTLS_ERR_DHM_ALLOC_FAILED                      -0x3400  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_DHM_FILE_IO_ERROR                     -0x3480  /**< Read or write of file failed. */
+
+/* MBEDTLS_ERR_DHM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED                   -0x3500  /**< DHM hardware accelerator failed. */
+
+#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED                  -0x3580  /**< Setting the modulus and generator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_DHM_ALT)
+
+/**
+ * \brief          The DHM context structure.
+ */
+typedef struct mbedtls_dhm_context
+{
+    size_t len;         /*!<  The size of \p P in Bytes. */
+    mbedtls_mpi P;      /*!<  The prime modulus. */
+    mbedtls_mpi G;      /*!<  The generator. */
+    mbedtls_mpi X;      /*!<  Our secret value. */
+    mbedtls_mpi GX;     /*!<  Our public key = \c G^X mod \c P. */
+    mbedtls_mpi GY;     /*!<  The public key of the peer = \c G^Y mod \c P. */
+    mbedtls_mpi K;      /*!<  The shared secret = \c G^(XY) mod \c P. */
+    mbedtls_mpi RP;     /*!<  The cached value = \c R^2 mod \c P. */
+    mbedtls_mpi Vi;     /*!<  The blinding value. */
+    mbedtls_mpi Vf;     /*!<  The unblinding value. */
+    mbedtls_mpi pX;     /*!<  The previous \c X. */
+}
+mbedtls_dhm_context;
+
+#else /* MBEDTLS_DHM_ALT */
+#include "dhm_alt.h"
+#endif /* MBEDTLS_DHM_ALT */
+
+/**
+ * \brief          This function initializes the DHM context.
+ *
+ * \param ctx      The DHM context to initialize.
+ */
+void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
+
+/**
+ * \brief          This function parses the DHM parameters in a
+ *                 TLS ServerKeyExchange handshake message
+ *                 (DHM modulus, generator, and public key).
+ *
+ * \note           In a TLS handshake, this is the how the client
+ *                 sets up its DHM context from the server's public
+ *                 DHM key material.
+ *
+ * \param ctx      The DHM context to use. This must be initialized.
+ * \param p        On input, *p must be the start of the input buffer.
+ *                 On output, *p is updated to point to the end of the data
+ *                 that has been read. On success, this is the first byte
+ *                 past the end of the ServerKeyExchange parameters.
+ *                 On error, this is the point at which an error has been
+ *                 detected, which is usually not useful except to debug
+ *                 failures.
+ * \param end      The end of the input buffer.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
+                             unsigned char **p,
+                             const unsigned char *end );
+
+/**
+ * \brief          This function generates a DHM key pair and exports its
+ *                 public part together with the DHM parameters in the format
+ *                 used in a TLS ServerKeyExchange handshake message.
+ *
+ * \note           This function assumes that the DHM parameters \c ctx->P
+ *                 and \c ctx->G have already been properly set. For that, use
+ *                 mbedtls_dhm_set_group() below in conjunction with
+ *                 mbedtls_mpi_read_binary() and mbedtls_mpi_read_string().
+ *
+ * \note           In a TLS handshake, this is the how the server generates
+ *                 and exports its DHM key material.
+ *
+ * \param ctx      The DHM context to use. This must be initialized
+ *                 and have the DHM parameters set. It may or may not
+ *                 already have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param olen     The address at which to store the number of Bytes
+ *                 written on success. This must not be \c NULL.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 sufficient size to hold the reduced binary presentation of
+ *                 the modulus, the generator and the public key, each wrapped
+ *                 with a 2-byte length field. It is the responsibility of the
+ *                 caller to ensure that enough space is available. Refer to
+ *                 mbedtls_mpi_size() to computing the byte-size of an MPI.
+ * \param f_rng    The RNG function. Must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          This function sets the prime modulus and generator.
+ *
+ * \note           This function can be used to set \c ctx->P, \c ctx->G
+ *                 in preparation for mbedtls_dhm_make_params().
+ *
+ * \param ctx      The DHM context to configure. This must be initialized.
+ * \param P        The MPI holding the DHM prime modulus. This must be
+ *                 an initialized MPI.
+ * \param G        The MPI holding the DHM generator. This must be an
+ *                 initialized MPI.
+ *
+ * \return         \c 0 if successful.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
+                           const mbedtls_mpi *P,
+                           const mbedtls_mpi *G );
+
+/**
+ * \brief          This function imports the raw public value of the peer.
+ *
+ * \note           In a TLS handshake, this is the how the server imports
+ *                 the Client's public DHM key.
+ *
+ * \param ctx      The DHM context to use. This must be initialized and have
+ *                 its DHM parameters set, e.g. via mbedtls_dhm_set_group().
+ *                 It may or may not already have generated its own private key.
+ * \param input    The input buffer containing the \c G^Y value of the peer.
+ *                 This must be a readable buffer of size \p ilen Bytes.
+ * \param ilen     The size of the input buffer \p input in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
+                     const unsigned char *input, size_t ilen );
+
+/**
+ * \brief          This function creates a DHM key pair and exports
+ *                 the raw public key in big-endian format.
+ *
+ * \note           The destination buffer is always fully written
+ *                 so as to contain a big-endian representation of G^X mod P.
+ *                 If it is larger than \c ctx->len, it is padded accordingly
+ *                 with zero-bytes at the beginning.
+ *
+ * \param ctx      The DHM context to use. This must be initialized and
+ *                 have the DHM parameters set. It may or may not already
+ *                 have imported the peer's public key.
+ * \param x_size   The private key size in Bytes.
+ * \param output   The destination buffer. This must be a writable buffer of
+ *                 size \p olen Bytes.
+ * \param olen     The length of the destination buffer. This must be at least
+ *                 equal to `ctx->len` (the size of \c P).
+ * \param f_rng    The RNG function. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          This function derives and exports the shared secret
+ *                 \c (G^Y)^X mod \c P.
+ *
+ * \note           If \p f_rng is not \c NULL, it is used to blind the input as
+ *                 a countermeasure against timing attacks. Blinding is used
+ *                 only if our private key \c X is re-used, and not used
+ *                 otherwise. We recommend always passing a non-NULL
+ *                 \p f_rng argument.
+ *
+ * \param ctx           The DHM context to use. This must be initialized
+ *                      and have its own private key generated and the peer's
+ *                      public key imported.
+ * \param output        The buffer to write the generated shared key to. This
+ *                      must be a writable buffer of size \p output_size Bytes.
+ * \param output_size   The size of the destination buffer. This must be at
+ *                      least the size of \c ctx->len (the size of \c P).
+ * \param olen          On exit, holds the actual number of Bytes written.
+ * \param f_rng         The RNG function, for blinding purposes. This may
+ *                      b \c NULL if blinding isn't needed.
+ * \param p_rng         The RNG context. This may be \c NULL if \p f_rng
+ *                      doesn't need a context argument.
+ *
+ * \return              \c 0 on success.
+ * \return              An \c MBEDTLS_ERR_DHM_XXX error code on failure.
+ */
+int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
+                     unsigned char *output, size_t output_size, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief          This function frees and clears the components
+ *                 of a DHM context.
+ *
+ * \param ctx      The DHM context to free and clear. This may be \c NULL,
+ *                 in which case this function is a no-op. If it is not \c NULL,
+ *                 it must point to an initialized DHM context.
+ */
+void mbedtls_dhm_free( mbedtls_dhm_context *ctx );
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/** \ingroup x509_module */
+/**
+ * \brief             This function parses DHM parameters in PEM or DER format.
+ *
+ * \param dhm         The DHM context to import the DHM parameters into.
+ *                    This must be initialized.
+ * \param dhmin       The input buffer. This must be a readable buffer of
+ *                    length \p dhminlen Bytes.
+ * \param dhminlen    The size of the input buffer \p dhmin, including the
+ *                    terminating \c NULL Byte for PEM data.
+ *
+ * \return            \c 0 on success.
+ * \return            An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX error
+ *                    code on failure.
+ */
+int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                           size_t dhminlen );
+
+#if defined(MBEDTLS_FS_IO)
+/** \ingroup x509_module */
+/**
+ * \brief          This function loads and parses DHM parameters from a file.
+ *
+ * \param dhm      The DHM context to load the parameters to.
+ *                 This must be initialized.
+ * \param path     The filename to read the DHM parameters from.
+ *                 This must not be \c NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_DHM_XXX or \c MBEDTLS_ERR_PEM_XXX
+ *                 error code on failure.
+ */
+int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path );
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The DMH checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_dhm_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+#ifdef __cplusplus
+}
+#endif
+
+/**
+ * RFC 3526, RFC 5114 and RFC 7919 standardize a number of
+ * Diffie-Hellman groups, some of which are included here
+ * for use within the SSL/TLS module and the user's convenience
+ * when configuring the Diffie-Hellman parameters by hand
+ * through \c mbedtls_ssl_conf_dh_param.
+ *
+ * The following lists the source of the above groups in the standards:
+ * - RFC 5114 section 2.2:  2048-bit MODP Group with 224-bit Prime Order Subgroup
+ * - RFC 3526 section 3:    2048-bit MODP Group
+ * - RFC 3526 section 4:    3072-bit MODP Group
+ * - RFC 3526 section 5:    4096-bit MODP Group
+ * - RFC 7919 section A.1:  ffdhe2048
+ * - RFC 7919 section A.2:  ffdhe3072
+ * - RFC 7919 section A.3:  ffdhe4096
+ * - RFC 7919 section A.4:  ffdhe6144
+ * - RFC 7919 section A.5:  ffdhe8192
+ *
+ * The constants with suffix "_p" denote the chosen prime moduli, while
+ * the constants with suffix "_g" denote the chosen generator
+ * of the associated prime field.
+ *
+ * The constants further suffixed with "_bin" are provided in binary format,
+ * while all other constants represent null-terminated strings holding the
+ * hexadecimal presentation of the respective numbers.
+ *
+ * The primes from RFC 3526 and RFC 7919 have been generating by the following
+ * trust-worthy procedure:
+ * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
+ *   the first and last 64 bits are all 1, and the remaining N - 128 bits of
+ *   which are 0x7ff...ff.
+ * - Add the smallest multiple of the first N - 129 bits of the binary expansion
+ *   of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
+ *   such that the resulting integer is a safe-prime.
+ * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
+ *   generator is always chosen to be 2 (which is a square for these prime,
+ *   hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
+ *   bit in the private exponent).
+ *
+ */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+/**
+ * \warning The origin of the primes in RFC 5114 is not documented and
+ *          their use therefore constitutes a security risk!
+ *
+ * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are
+ *             likely to be removed in a future version of the library without
+ *             replacement.
+ */
+
+/**
+ * The hexadecimal presentation of the prime underlying the
+ * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
+ * in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
+ * IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"      \
+        "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"      \
+        "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"      \
+        "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207"      \
+        "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708"      \
+        "B3BF8A317091883681286130BC8985DB1602E714415D9330"      \
+        "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D"      \
+        "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8"      \
+        "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"      \
+        "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"      \
+        "CF9DE5384E71B81C0AC4DFFE0C10E64F" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
+ * Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
+ */
+#define MBEDTLS_DHM_RFC5114_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"      \
+        "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"      \
+        "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"      \
+        "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"      \
+        "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"      \
+        "F180EB34118E98D119529A45D6F834566E3025E316A330EF"      \
+        "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"      \
+        "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"      \
+        "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"      \
+        "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"      \
+        "81BC087F2A7065B384B890D3191F2BFA" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ *
+ * \deprecated The hex-encoded primes from RFC 3625 are deprecated and
+ *             superseded by the corresponding macros providing them as
+ *             binary constants. Their hex-encoded constants are likely
+ *             to be removed in a future version of the library.
+ *
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AACAA68FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 3072-bit MODP
+ * Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P                         \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"      \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"      \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"      \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"      \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"      \
+        "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 3072-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+/**
+ * The hexadecimal presentation of the prime underlying the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT(                      \
+        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"   \
+        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"   \
+        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"   \
+        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"   \
+        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"   \
+        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"   \
+        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"   \
+        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"   \
+        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"   \
+        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"   \
+        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"   \
+        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"   \
+        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"   \
+        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"   \
+        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"   \
+        "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"   \
+        "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"   \
+        "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"   \
+        "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"   \
+        "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"   \
+        "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"   \
+        "FFFFFFFFFFFFFFFF" )
+
+/**
+ * The hexadecimal presentation of the chosen generator of the 4096-bit MODP
+ * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
+ * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
+ */
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G                      \
+    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * Trustworthy DHM parameters in binary form
+ */
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+     0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+     0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+     0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+     0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+     0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+     0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+     0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+     0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+     0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+     0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+     0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+     0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+     0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+     0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+     0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+     0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+     0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+     0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+     0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+     0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+     0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+     0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+     0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+     0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+     0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+     0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+     0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+     0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+     0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN  {       \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  \
+    0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,  \
+    0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,  \
+    0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,  \
+    0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,  \
+    0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,  \
+    0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,  \
+    0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,  \
+    0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,  \
+    0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,  \
+    0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,  \
+    0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,  \
+    0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,  \
+    0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,  \
+    0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,  \
+    0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,  \
+    0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,  \
+    0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,  \
+    0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,  \
+    0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,  \
+    0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,  \
+    0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,  \
+    0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,  \
+    0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,  \
+    0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,  \
+    0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,  \
+    0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,  \
+    0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,  \
+    0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,  \
+    0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,  \
+    0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,  \
+    0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,  \
+    0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,  \
+    0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,  \
+    0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,  \
+    0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,  \
+    0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,  \
+    0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,  \
+    0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,  \
+    0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,  \
+    0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,  \
+    0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,  \
+    0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,  \
+    0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,  \
+    0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,  \
+    0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,  \
+    0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,  \
+    0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,  \
+    0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,  \
+    0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,  \
+    0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,  \
+    0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,  \
+    0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,  \
+    0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,  \
+    0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,  \
+    0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,  \
+    0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,  \
+    0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,  \
+    0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,  \
+    0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,  \
+    0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,  \
+    0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,  \
+    0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,  \
+    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN {        \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \
+     0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \
+     0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \
+     0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \
+     0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \
+     0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \
+     0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \
+     0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \
+     0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \
+     0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \
+     0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \
+     0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \
+     0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \
+     0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \
+     0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \
+     0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \
+     0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \
+     0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \
+     0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \
+     0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \
+     0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \
+     0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \
+     0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \
+     0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \
+     0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \
+     0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \
+     0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \
+     0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \
+     0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \
+     0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \
+     0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \
+     0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \
+     0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \
+     0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \
+     0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \
+     0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \
+     0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \
+     0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \
+     0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \
+     0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \
+     0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \
+     0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \
+     0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \
+     0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \
+     0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \
+     0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \
+     0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \
+     0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \
+     0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \
+     0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \
+     0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \
+     0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \
+     0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \
+     0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \
+     0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \
+     0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \
+     0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \
+     0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \
+     0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \
+     0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \
+     0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \
+     0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \
+     0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \
+     0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \
+     0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \
+     0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \
+     0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \
+     0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \
+     0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \
+     0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \
+     0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \
+     0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \
+     0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \
+     0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \
+     0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \
+     0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \
+     0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \
+     0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \
+     0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \
+     0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \
+     0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \
+     0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \
+     0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \
+     0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \
+     0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \
+     0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \
+     0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \
+     0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \
+     0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \
+     0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \
+     0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \
+     0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \
+     0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \
+     0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \
+     0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \
+     0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \
+     0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \
+     0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \
+     0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \
+     0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \
+     0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \
+     0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \
+     0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \
+     0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \
+     0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \
+     0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \
+     0x59, 0x16, 0x0C, 0xC0, 0x46, 0xFD, 0x82, 0x51, \
+     0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \
+     0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \
+     0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \
+     0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \
+     0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \
+     0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \
+     0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \
+     0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \
+     0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \
+     0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \
+     0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \
+     0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \
+     0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \
+     0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \
+     0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \
+     0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \
+     0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \
+     0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \
+     0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \
+     0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \
+     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
+
+#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 }
+
+#endif /* dhm.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ecdh.h b/makerom/deps/libmbedtls/include/mbedtls/ecdh.h
new file mode 100644
index 00000000..4479a1d4
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ecdh.h
@@ -0,0 +1,440 @@
+/**
+ * \file ecdh.h
+ *
+ * \brief This file contains ECDH definitions and functions.
+ *
+ * The Elliptic Curve Diffie-Hellman (ECDH) protocol is an anonymous
+ * key agreement protocol allowing two parties to establish a shared
+ * secret over an insecure channel. Each party must have an
+ * elliptic-curve public–private key pair.
+ *
+ * For more information, see <em>NIST SP 800-56A Rev. 2: Recommendation for
+ * Pair-Wise Key Establishment Schemes Using Discrete Logarithm
+ * Cryptography</em>.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ECDH_H
+#define MBEDTLS_ECDH_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+
+/*
+ * Use a backward compatible ECDH context.
+ *
+ * This flag is always enabled for now and future versions might add a
+ * configuration option that conditionally undefines this flag.
+ * The configuration option in question may have a different name.
+ *
+ * Features undefining this flag, must have a warning in their description in
+ * config.h stating that the feature breaks backward compatibility.
+ */
+#define MBEDTLS_ECDH_LEGACY_CONTEXT
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Defines the source of the imported EC key.
+ */
+typedef enum
+{
+    MBEDTLS_ECDH_OURS,   /**< Our key. */
+    MBEDTLS_ECDH_THEIRS, /**< The key of the peer. */
+} mbedtls_ecdh_side;
+
+#if !defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+/**
+ * Defines the ECDH implementation used.
+ *
+ * Later versions of the library may add new variants, therefore users should
+ * not make any assumptions about them.
+ */
+typedef enum
+{
+    MBEDTLS_ECDH_VARIANT_NONE = 0,   /*!< Implementation not defined. */
+    MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0,/*!< The default Mbed TLS implementation */
+} mbedtls_ecdh_variant;
+
+/**
+ * The context used by the default ECDH implementation.
+ *
+ * Later versions might change the structure of this context, therefore users
+ * should not make any assumptions about the structure of
+ * mbedtls_ecdh_context_mbed.
+ */
+typedef struct mbedtls_ecdh_context_mbed
+{
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif
+} mbedtls_ecdh_context_mbed;
+#endif
+
+/**
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
+ * \brief           The ECDH context structure.
+ */
+typedef struct mbedtls_ecdh_context
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_ecp_group grp;   /*!< The elliptic curve used. */
+    mbedtls_mpi d;           /*!< The private key. */
+    mbedtls_ecp_point Q;     /*!< The public key. */
+    mbedtls_ecp_point Qp;    /*!< The value of the public key of the peer. */
+    mbedtls_mpi z;           /*!< The shared secret. */
+    int point_format;        /*!< The format of point export in TLS messages. */
+    mbedtls_ecp_point Vi;    /*!< The blinding value. */
+    mbedtls_ecp_point Vf;    /*!< The unblinding value. */
+    mbedtls_mpi _d;          /*!< The previous \p d. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    int restart_enabled;        /*!< The flag for restartable mode. */
+    mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#else
+    uint8_t point_format;       /*!< The format of point export in TLS messages
+                                  as defined in RFC 4492. */
+    mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */
+    mbedtls_ecdh_variant var;   /*!< The ECDH implementation/structure used. */
+    union
+    {
+        mbedtls_ecdh_context_mbed   mbed_ecdh;
+    } ctx;                      /*!< Implementation-specific context. The
+                                  context in use is specified by the \c var
+                                  field. */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    uint8_t restart_enabled;    /*!< The flag for restartable mode. Functions of
+                                  an alternative implementation not supporting
+                                  restartable mode must return
+                                  MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error
+                                  if this flag is set. */
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
+}
+mbedtls_ecdh_context;
+
+/**
+ * \brief           This function generates an ECDH keypair on an elliptic
+ *                  curve.
+ *
+ *                  This function performs the first of two core computations
+ *                  implemented during the ECDH key exchange. The second core
+ *                  computation is performed by mbedtls_ecdh_compute_shared().
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param d         The destination MPI (private key).
+ *                  This must be initialized.
+ * \param Q         The destination point (public key).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           This function computes the shared secret.
+ *
+ *                  This function performs the second of two core computations
+ *                  implemented during the ECDH key exchange. The first core
+ *                  computation is performed by mbedtls_ecdh_gen_public().
+ *
+ * \see             ecp.h
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
+ *
+ * \param grp       The ECP group to use. This must be initialized and have
+ *                  domain parameters loaded, for example through
+ *                  mbedtls_ecp_load() or mbedtls_ecp_tls_read_group().
+ * \param z         The destination MPI (shared secret).
+ *                  This must be initialized.
+ * \param Q         The public key from another party.
+ *                  This must be initialized.
+ * \param d         Our secret exponent (private key).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results during the ECP computations is
+ *                  not needed (discouraged). See the documentation of
+ *                  mbedtls_ecp_mul() for more.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't need a
+ *                  context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or
+ *                  \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+/**
+ * \brief           This function initializes an ECDH context.
+ *
+ * \param ctx       The ECDH context to initialize. This must not be \c NULL.
+ */
+void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx );
+
+/**
+ * \brief           This function sets up the ECDH context with the information
+ *                  given.
+ *
+ *                  This function should be called after mbedtls_ecdh_init() but
+ *                  before mbedtls_ecdh_make_params(). There is no need to call
+ *                  this function before mbedtls_ecdh_read_params().
+ *
+ *                  This is the first function used by a TLS server for ECDHE
+ *                  ciphersuites.
+ *
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param grp_id    The group id of the group to set up the context for.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx,
+                        mbedtls_ecp_group_id grp_id );
+
+/**
+ * \brief           This function frees a context.
+ *
+ * \param ctx       The context to free. This may be \c NULL, in which
+ *                  case this function does nothing. If it is not \c NULL,
+ *                  it must point to an initialized ECDH context.
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx );
+
+/**
+ * \brief           This function generates an EC key pair and exports its
+ *                  in the format used in a TLS ServerKeyExchange handshake
+ *                  message.
+ *
+ *                  This is the second function used by a TLS server for ECDHE
+ *                  ciphersuites. (It is called after mbedtls_ecdh_setup().)
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param olen      The address at which to store the number of Bytes written.
+ * \param buf       The destination buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief           This function parses the ECDHE parameters in a
+ *                  TLS ServerKeyExchange handshake message.
+ *
+ * \note            In a TLS handshake, this is the how the client
+ *                  sets up its ECDHE context from the server's public
+ *                  ECDHE key material.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDHE context to use. This must be initialized.
+ * \param buf       On input, \c *buf must be the start of the input buffer.
+ *                  On output, \c *buf is updated to point to the end of the
+ *                  data that has been read. On success, this is the first byte
+ *                  past the end of the ServerKeyExchange parameters.
+ *                  On error, this is the point at which an error has been
+ *                  detected, which is usually not useful except to debug
+ *                  failures.
+ * \param end       The end of the input buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
+                              const unsigned char **buf,
+                              const unsigned char *end );
+
+/**
+ * \brief           This function sets up an ECDH context from an EC key.
+ *
+ *                  It is used by clients and servers in place of the
+ *                  ServerKeyEchange for static ECDH, and imports ECDH
+ *                  parameters from the EC key information of a certificate.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to set up. This must be initialized.
+ * \param key       The EC key to use. This must be initialized.
+ * \param side      Defines the source of the key. Possible values are:
+ *                  - #MBEDTLS_ECDH_OURS: The key is ours.
+ *                  - #MBEDTLS_ECDH_THEIRS: The key is that of the peer.
+ *
+ * \return          \c 0 on success.
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ *
+ */
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+                             const mbedtls_ecp_keypair *key,
+                             mbedtls_ecdh_side side );
+
+/**
+ * \brief           This function generates a public key and exports it
+ *                  as a TLS ClientKeyExchange payload.
+ *
+ *                  This is the second function used by a TLS client for ECDH(E)
+ *                  ciphersuites.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and bound to a group, the latter usually by
+ *                  mbedtls_ecdh_read_params().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The destination buffer. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The size of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL in case \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief       This function parses and processes the ECDHE payload of a
+ *              TLS ClientKeyExchange message.
+ *
+ *              This is the third function used by a TLS server for ECDH(E)
+ *              ciphersuites. (It is called after mbedtls_ecdh_setup() and
+ *              mbedtls_ecdh_make_params().)
+ *
+ * \see         ecp.h
+ *
+ * \param ctx   The ECDH context to use. This must be initialized
+ *              and bound to a group, for example via mbedtls_ecdh_setup().
+ * \param buf   The pointer to the ClientKeyExchange payload. This must
+ *              be a readable buffer of length \p blen Bytes.
+ * \param blen  The length of the input buffer \p buf in Bytes.
+ *
+ * \return      \c 0 on success.
+ * \return      An \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
+                              const unsigned char *buf, size_t blen );
+
+/**
+ * \brief           This function derives and exports the shared secret.
+ *
+ *                  This is the last function used by both TLS client
+ *                  and servers.
+ *
+ * \note            If \p f_rng is not NULL, it is used to implement
+ *                  countermeasures against side-channel attacks.
+ *                  For more information, see mbedtls_ecp_mul().
+ *
+ * \see             ecp.h
+
+ * \param ctx       The ECDH context to use. This must be initialized
+ *                  and have its own private key generated and the peer's
+ *                  public key imported.
+ * \param olen      The address at which to store the total number of
+ *                  Bytes written on success. This must not be \c NULL.
+ * \param buf       The buffer to write the generated shared key to. This
+ *                  must be a writable buffer of size \p blen Bytes.
+ * \param blen      The length of the destination buffer \p buf in Bytes.
+ * \param f_rng     The RNG function, for blinding purposes. This may
+ *                  b \c NULL if blinding isn't needed.
+ * \param p_rng     The RNG context. This may be \c NULL if \p f_rng
+ *                  doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX error code on failure.
+ */
+int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
+                      unsigned char *buf, size_t blen,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           This function enables restartable EC computations for this
+ *                  context.  (Default: disabled.)
+ *
+ * \see             \c mbedtls_ecp_set_max_ops()
+ *
+ * \note            It is not possible to safely disable restartable
+ *                  computations once enabled, except by free-ing the context,
+ *                  which cancels possible in-progress operations.
+ *
+ * \param ctx       The ECDH context to use. This must be initialized.
+ */
+void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdh.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ecdsa.h b/makerom/deps/libmbedtls/include/mbedtls/ecdsa.h
new file mode 100644
index 00000000..932acc6d
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ecdsa.h
@@ -0,0 +1,604 @@
+/**
+ * \file ecdsa.h
+ *
+ * \brief This file contains ECDSA definitions and functions.
+ *
+ * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG):
+ * SEC1 Elliptic Curve Cryptography</em>.
+ * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve
+ * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ECDSA_H
+#define MBEDTLS_ECDSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+#include "md.h"
+
+/*
+ * RFC-4492 page 20:
+ *
+ *     Ecdsa-Sig-Value ::= SEQUENCE {
+ *         r       INTEGER,
+ *         s       INTEGER
+ *     }
+ *
+ * Size is at most
+ *    1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s,
+ *    twice that + 1 (tag) + 2 (len) for the sequence
+ * (assuming ECP_MAX_BYTES is less than 126 for r and s,
+ * and less than 124 (total len <= 255) for the sequence)
+ */
+#if MBEDTLS_ECP_MAX_BYTES > 124
+#error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN"
+#endif
+/** The maximal size of an ECDSA signature in Bytes. */
+#define MBEDTLS_ECDSA_MAX_LEN  ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           The ECDSA context structure.
+ *
+ * \warning         Performing multiple operations concurrently on the same
+ *                  ECDSA context is not supported; objects of this type
+ *                  should not be shared between multiple threads.
+ */
+typedef mbedtls_ecp_keypair mbedtls_ecdsa_context;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for ecdsa_verify()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx;
+
+/**
+ * \brief           Internal restart context for ecdsa_sign()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief           Internal restart context for ecdsa_sign_det()
+ *
+ * \note            Opaque struct, defined in ecdsa.c
+ */
+typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx;
+#endif
+
+/**
+ * \brief           General context for resuming ECDSA operations
+ */
+typedef struct
+{
+    mbedtls_ecp_restart_ctx ecp;        /*!<  base context for ECP restart and
+                                              shared administrative info    */
+    mbedtls_ecdsa_restart_ver_ctx *ver; /*!<  ecdsa_verify() sub-context    */
+    mbedtls_ecdsa_restart_sig_ctx *sig; /*!<  ecdsa_sign() sub-context      */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    mbedtls_ecdsa_restart_det_ctx *det; /*!<  ecdsa_sign_det() sub-context  */
+#endif
+} mbedtls_ecdsa_restart_ctx;
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_ecdsa_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message.
+ *
+ * \note            The deterministic version implemented in
+ *                  mbedtls_ecdsa_sign_det() is usually preferred.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated
+ *                  as defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized.
+ * \param buf       The content to be signed. This is usually the hash of
+ *                  the original data to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX
+ *                  or \c MBEDTLS_MPI_XXX error code on failure.
+ */
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \warning         Since the output of the internal RNG is always the same for
+ *                  the same key and message, this limits the efficiency of
+ *                  blinding and leaks information through side channels. For
+ *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
+ *
+ *                  (Optimally the blinding is a random value that is different
+ *                  on every execution. In this case the blinding is still
+ *                  random from the attackers perspective, but is the same on
+ *                  each execution. This means that this blinding does not
+ *                  prevent attackers from recovering secrets by combining
+ *                  several measurement traces, but may prevent some attacks
+ *                  that exploit relationships between secret data.)
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The context for the elliptic curve to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param r         The MPI context in which to store the first part
+ *                  the signature. This must be initialized.
+ * \param s         The MPI context in which to store the second part
+ *                  the signature. This must be initialized.
+ * \param d         The private signing key. This must be initialized
+ *                  and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf       The hashed content to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param md_alg    The hash algorithm used to hash the original data.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
+                            mbedtls_md_type_t md_alg );
+/**
+ * \brief           This function computes the ECDSA signature of a
+ *                  previously-hashed message, deterministic version.
+ *
+ *                  For more information, see <em>RFC-6979: Deterministic
+ *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param grp           The context for the elliptic curve to use.
+ *                      This must be initialized and have group parameters
+ *                      set, for example through mbedtls_ecp_group_load().
+ * \param r             The MPI context in which to store the first part
+ *                      the signature. This must be initialized.
+ * \param s             The MPI context in which to store the second part
+ *                      the signature. This must be initialized.
+ * \param d             The private signing key. This must be initialized
+ *                      and setup, for example through mbedtls_ecp_gen_privkey().
+ * \param buf           The hashed content to be signed. This must be a readable
+ *                      buffer of length \p blen Bytes. It may be \c NULL if
+ *                      \p blen is zero.
+ * \param blen          The length of \p buf in Bytes.
+ * \param md_alg        The hash algorithm used to hash the original data.
+ * \param f_rng_blind   The RNG function used for blinding. This must not be
+ *                      \c NULL.
+ * \param p_rng_blind   The RNG context to be passed to \p f_rng. This may be
+ *                      \c NULL if \p f_rng doesn't need a context parameter.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                mbedtls_md_type_t md_alg,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind );
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+/**
+ * \brief           This function verifies the ECDSA signature of a
+ *                  previously-hashed message.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \see             ecp.h
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param buf       The hashed content that was signed. This must be a readable
+ *                  buffer of length \p blen Bytes. It may be \c NULL if
+ *                  \p blen is zero.
+ * \param blen      The length of \p buf in Bytes.
+ * \param Q         The public key to use for verification. This must be
+ *                  initialized and setup.
+ * \param r         The first integer of the signature.
+ *                  This must be initialized.
+ * \param s         The second integer of the signature.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature
+ *                  is invalid.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                          const unsigned char *buf, size_t blen,
+                          const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
+                          const mbedtls_mpi *s);
+
+/**
+ * \brief           This function computes the ECDSA signature and writes it
+ *                  to a buffer, serialized as defined in <em>RFC-4492:
+ *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  Transport Layer Security (TLS)</em>.
+ *
+ * \warning         It is not thread-safe to use the same context in
+ *                  multiple threads.
+ *
+ * \note            The deterministic version is used if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more
+ *                  information, see <em>RFC-6979: Deterministic Usage
+ *                  of the Digital Signature Algorithm (DSA) and Elliptic
+ *                  Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is unused and may be set to \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+                                   mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng );
+
+/**
+ * \brief           This function computes the ECDSA signature and writes it
+ *                  to a buffer, in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_write_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_write_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param md_alg    The message digest that was used to hash the message.
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param f_rng     The RNG function. This must not be \c NULL if
+ *                  #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise,
+ *                  it is unused and may be set to \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng is \c NULL or doesn't use a context.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
+                           mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           mbedtls_ecdsa_restart_ctx *rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           This function computes an ECDSA signature and writes
+ *                  it to a buffer, serialized as defined in <em>RFC-4492:
+ *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
+ *                  Transport Layer Security (TLS)</em>.
+ *
+ *                  The deterministic version is defined in <em>RFC-6979:
+ *                  Deterministic Usage of the Digital Signature Algorithm (DSA)
+ *                  and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
+ *
+ * \warning         It is not thread-safe to use the same context in
+ *                  multiple threads.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.3, step 5.
+ *
+ * \see             ecp.h
+ *
+ * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in
+ *                  Mbed TLS version 2.0 and later.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and private key bound to it, for example
+ *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
+ * \param hash      The message hash to be signed. This must be a readable
+ *                  buffer of length \p blen Bytes.
+ * \param hlen      The length of the hash \p hash in Bytes.
+ * \param sig       The buffer to which to write the signature. This must be a
+ *                  writable buffer of length at least twice as large as the
+ *                  size of the curve used, plus 9. For example, 73 Bytes if
+ *                  a 256-bit curve is used. A buffer length of
+ *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
+ * \param slen      The address at which to store the actual length of
+ *                  the signature written. Must not be \c NULL.
+ * \param md_alg    The message digest that was used to hash the message.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
+ *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
+ */
+int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
+                               const unsigned char *hash, size_t hlen,
+                               unsigned char *sig, size_t *slen,
+                               mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+/**
+ * \brief           This function reads and verifies an ECDSA signature.
+ *
+ * \note            If the bitlength of the message hash is larger than the
+ *                  bitlength of the group order, then the hash is truncated as
+ *                  defined in <em>Standards for Efficient Cryptography Group
+ *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ *                  4.1.4, step 3.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in \p sig, but its length is less than \p siglen.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen );
+
+/**
+ * \brief           This function reads and verifies an ECDSA signature,
+ *                  in a restartable way.
+ *
+ * \see             \c mbedtls_ecdsa_read_signature()
+ *
+ * \note            This function is like \c mbedtls_ecdsa_read_signature()
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param ctx       The ECDSA context to use. This must be initialized
+ *                  and have a group and public key bound to it.
+ * \param hash      The message hash that was signed. This must be a readable
+ *                  buffer of length \p size Bytes.
+ * \param hlen      The size of the hash \p hash.
+ * \param sig       The signature to read and verify. This must be a readable
+ *                  buffer of length \p slen Bytes.
+ * \param slen      The size of \p sig in Bytes.
+ * \param rs_ctx    The restart context to use. This may be \c NULL to disable
+ *                  restarting. If it is not \c NULL, it must point to an
+ *                  initialized restart context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid.
+ * \return          #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in \p sig, but its length is less than \p siglen.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on failure for any other reason.
+ */
+int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen,
+                          mbedtls_ecdsa_restart_ctx *rs_ctx );
+
+/**
+ * \brief          This function generates an ECDSA keypair on the given curve.
+ *
+ * \see            ecp.h
+ *
+ * \param ctx      The ECDSA context to store the keypair in.
+ *                 This must be initialized.
+ * \param gid      The elliptic curve to use. One of the various
+ *                 \c MBEDTLS_ECP_DP_XXX macros depending on configuration.
+ * \param f_rng    The RNG function to use. This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_ECP_XXX code on failure.
+ */
+int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           This function sets up an ECDSA context from an EC key pair.
+ *
+ * \see             ecp.h
+ *
+ * \param ctx       The ECDSA context to setup. This must be initialized.
+ * \param key       The EC key to use. This must be initialized and hold
+ *                  a private-public key pair or a public key. In the former
+ *                  case, the ECDSA context may be used for signature creation
+ *                  and verification after this call. In the latter case, it
+ *                  may be used for signature verification.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX code on failure.
+ */
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx,
+                                const mbedtls_ecp_keypair *key );
+
+/**
+ * \brief           This function initializes an ECDSA context.
+ *
+ * \param ctx       The ECDSA context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx );
+
+/**
+ * \brief           This function frees an ECDSA context.
+ *
+ * \param ctx       The ECDSA context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context.
+ *
+ * \param ctx       The restart context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context.
+ *
+ * \param ctx       The restart context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it
+ *                  is not \c NULL, it must be initialized.
+ */
+void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecdsa.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ecjpake.h b/makerom/deps/libmbedtls/include/mbedtls/ecjpake.h
new file mode 100644
index 00000000..3d8d02ae
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ecjpake.h
@@ -0,0 +1,277 @@
+/**
+ * \file ecjpake.h
+ *
+ * \brief Elliptic curve J-PAKE
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ECJPAKE_H
+#define MBEDTLS_ECJPAKE_H
+
+/*
+ * J-PAKE is a password-authenticated key exchange that allows deriving a
+ * strong shared secret from a (potentially low entropy) pre-shared
+ * passphrase, with forward secrecy and mutual authentication.
+ * https://en.wikipedia.org/wiki/Password_Authenticated_Key_Exchange_by_Juggling
+ *
+ * This file implements the Elliptic Curve variant of J-PAKE,
+ * as defined in Chapter 7.4 of the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ *
+ * As the J-PAKE algorithm is inherently symmetric, so is our API.
+ * Each party needs to send its first round message, in any order, to the
+ * other party, then each sends its second round message, in any order.
+ * The payloads are serialized in a way suitable for use in TLS, but could
+ * also be use outside TLS.
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ecp.h"
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Roles in the EC J-PAKE exchange
+ */
+typedef enum {
+    MBEDTLS_ECJPAKE_CLIENT = 0,         /**< Client                         */
+    MBEDTLS_ECJPAKE_SERVER,             /**< Server                         */
+} mbedtls_ecjpake_role;
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+/**
+ * EC J-PAKE context structure.
+ *
+ * J-PAKE is a symmetric protocol, except for the identifiers used in
+ * Zero-Knowledge Proofs, and the serialization of the second message
+ * (KeyExchange) as defined by the Thread spec.
+ *
+ * In order to benefit from this symmetry, we choose a different naming
+ * convetion from the Thread v1.0 spec. Correspondance is indicated in the
+ * description as a pair C: client name, S: server name
+ */
+typedef struct mbedtls_ecjpake_context
+{
+    const mbedtls_md_info_t *md_info;   /**< Hash to use                    */
+    mbedtls_ecp_group grp;              /**< Elliptic curve                 */
+    mbedtls_ecjpake_role role;          /**< Are we client or server?       */
+    int point_format;                   /**< Format for point export        */
+
+    mbedtls_ecp_point Xm1;              /**< My public key 1   C: X1, S: X3 */
+    mbedtls_ecp_point Xm2;              /**< My public key 2   C: X2, S: X4 */
+    mbedtls_ecp_point Xp1;              /**< Peer public key 1 C: X3, S: X1 */
+    mbedtls_ecp_point Xp2;              /**< Peer public key 2 C: X4, S: X2 */
+    mbedtls_ecp_point Xp;               /**< Peer public key   C: Xs, S: Xc */
+
+    mbedtls_mpi xm1;                    /**< My private key 1  C: x1, S: x3 */
+    mbedtls_mpi xm2;                    /**< My private key 2  C: x2, S: x4 */
+
+    mbedtls_mpi s;                      /**< Pre-shared secret (passphrase) */
+} mbedtls_ecjpake_context;
+
+#else  /* MBEDTLS_ECJPAKE_ALT */
+#include "ecjpake_alt.h"
+#endif /* MBEDTLS_ECJPAKE_ALT */
+
+/**
+ * \brief           Initialize an ECJPAKE context.
+ *
+ * \param ctx       The ECJPAKE context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx );
+
+/**
+ * \brief           Set up an ECJPAKE context for use.
+ *
+ * \note            Currently the only values for hash/curve allowed by the
+ *                  standard are #MBEDTLS_MD_SHA256/#MBEDTLS_ECP_DP_SECP256R1.
+ *
+ * \param ctx       The ECJPAKE context to set up. This must be initialized.
+ * \param role      The role of the caller. This must be either
+ *                  #MBEDTLS_ECJPAKE_CLIENT or #MBEDTLS_ECJPAKE_SERVER.
+ * \param hash      The identifier of the hash function to use,
+ *                  for example #MBEDTLS_MD_SHA256.
+ * \param curve     The identifier of the elliptic curve to use,
+ *                  for example #MBEDTLS_ECP_DP_SECP256R1.
+ * \param secret    The pre-shared secret (passphrase). This must be
+ *                  a readable buffer of length \p len Bytes. It need
+ *                  only be valid for the duration of this call.
+ * \param len       The length of the pre-shared secret \p secret.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
+                           mbedtls_ecjpake_role role,
+                           mbedtls_md_type_t hash,
+                           mbedtls_ecp_group_id curve,
+                           const unsigned char *secret,
+                           size_t len );
+
+/**
+ * \brief           Check if an ECJPAKE context is ready for use.
+ *
+ * \param ctx       The ECJPAKE context to check. This must be
+ *                  initialized.
+ *
+ * \return          \c 0 if the context is ready for use.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA otherwise.
+ */
+int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx );
+
+/**
+ * \brief           Generate and write the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be
+ *                  initialized and set up.
+ * \param buf       The buffer to write the contents to. This must be a
+ *                  writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number
+ *                  of Bytes written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           Read and process the first round message
+ *                  (TLS: contents of the Client/ServerHello extension,
+ *                  excluding extension type and length bytes).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up.
+ * \param buf       The buffer holding the first round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len );
+
+/**
+ * \brief           Generate and write the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up, and already have performed round one.
+ * \param buf       The buffer to write the round two contents to.
+ *                  This must be a writable buffer of length \p len Bytes.
+ * \param len       The size of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           Read and process the second round message
+ *                  (TLS: contents of the Client/ServerKeyExchange).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized
+ *                  and set up and already have performed round one.
+ * \param buf       The buffer holding the second round message. This must
+ *                  be a readable buffer of length \p len Bytes.
+ * \param len       The length in Bytes of \p buf.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len );
+
+/**
+ * \brief           Derive the shared secret
+ *                  (TLS: Pre-Master Secret).
+ *
+ * \param ctx       The ECJPAKE context to use. This must be initialized,
+ *                  set up and have performed both round one and two.
+ * \param buf       The buffer to write the derived secret to. This must
+ *                  be a writable buffer of length \p len Bytes.
+ * \param len       The length of \p buf in Bytes.
+ * \param olen      The address at which to store the total number of Bytes
+ *                  written to \p buf. This must not be \c NULL.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This
+ *                  may be \c NULL if \p f_rng doesn't use a context.
+ *
+ * \return          \c 0 if successful.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng );
+
+/**
+ * \brief           This clears an ECJPAKE context and frees any
+ *                  embedded data structure.
+ *
+ * \param ctx       The ECJPAKE context to free. This may be \c NULL,
+ *                  in which case this function does nothing. If it is not
+ *                  \c NULL, it must point to an initialized ECJPAKE context.
+ */
+void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_ecjpake_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* ecjpake.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ecp.h b/makerom/deps/libmbedtls/include/mbedtls/ecp.h
new file mode 100644
index 00000000..065a4cc0
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ecp.h
@@ -0,0 +1,1132 @@
+/**
+ * \file ecp.h
+ *
+ * \brief This file provides an API for Elliptic Curves over GF(P) (ECP).
+ *
+ * The use of ECP in cryptography and TLS is defined in
+ * <em>Standards for Efficient Cryptography Group (SECG): SEC1
+ * Elliptic Curve Cryptography</em> and
+ * <em>RFC-4492: Elliptic Curve Cryptography (ECC) Cipher Suites
+ * for Transport Layer Security (TLS)</em>.
+ *
+ * <em>RFC-2409: The Internet Key Exchange (IKE)</em> defines ECP
+ * group types.
+ *
+ */
+
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_ECP_H
+#define MBEDTLS_ECP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+/*
+ * ECP error codes
+ */
+#define MBEDTLS_ERR_ECP_BAD_INPUT_DATA                    -0x4F80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL                  -0x4F00  /**< The buffer is too small to write to. */
+#define MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE               -0x4E80  /**< The requested feature is not available, for example, the requested curve is not supported. */
+#define MBEDTLS_ERR_ECP_VERIFY_FAILED                     -0x4E00  /**< The signature is not valid. */
+#define MBEDTLS_ERR_ECP_ALLOC_FAILED                      -0x4D80  /**< Memory allocation failed. */
+#define MBEDTLS_ERR_ECP_RANDOM_FAILED                     -0x4D00  /**< Generation of random value, such as ephemeral key, failed. */
+#define MBEDTLS_ERR_ECP_INVALID_KEY                       -0x4C80  /**< Invalid private or public key. */
+#define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH                  -0x4C00  /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_ECP_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED                   -0x4B80  /**< The ECP hardware accelerator failed. */
+
+#define MBEDTLS_ERR_ECP_IN_PROGRESS                       -0x4B00  /**< Operation in progress, call again with the same parameters to continue. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Domain-parameter identifiers: curve, subgroup, and generator.
+ *
+ * \note Only curves over prime fields are supported.
+ *
+ * \warning This library does not support validation of arbitrary domain
+ * parameters. Therefore, only standardized domain parameters from trusted
+ * sources should be used. See mbedtls_ecp_group_load().
+ */
+typedef enum
+{
+    MBEDTLS_ECP_DP_NONE = 0,       /*!< Curve not defined. */
+    MBEDTLS_ECP_DP_SECP192R1,      /*!< Domain parameters for the 192-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP224R1,      /*!< Domain parameters for the 224-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP256R1,      /*!< Domain parameters for the 256-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP384R1,      /*!< Domain parameters for the 384-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_SECP521R1,      /*!< Domain parameters for the 521-bit curve defined by FIPS 186-4 and SEC1. */
+    MBEDTLS_ECP_DP_BP256R1,        /*!< Domain parameters for 256-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_BP384R1,        /*!< Domain parameters for 384-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_BP512R1,        /*!< Domain parameters for 512-bit Brainpool curve. */
+    MBEDTLS_ECP_DP_CURVE25519,     /*!< Domain parameters for Curve25519. */
+    MBEDTLS_ECP_DP_SECP192K1,      /*!< Domain parameters for 192-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_SECP224K1,      /*!< Domain parameters for 224-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_SECP256K1,      /*!< Domain parameters for 256-bit "Koblitz" curve. */
+    MBEDTLS_ECP_DP_CURVE448,       /*!< Domain parameters for Curve448. */
+} mbedtls_ecp_group_id;
+
+/**
+ * The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
+ *
+ * \note Montgomery curves are currently excluded.
+ */
+#define MBEDTLS_ECP_DP_MAX     12
+
+/**
+ * Curve information, for use by other modules.
+ */
+typedef struct mbedtls_ecp_curve_info
+{
+    mbedtls_ecp_group_id grp_id;    /*!< An internal identifier. */
+    uint16_t tls_id;                /*!< The TLS NamedCurve identifier. */
+    uint16_t bit_size;              /*!< The curve size in bits. */
+    const char *name;               /*!< A human-friendly name. */
+} mbedtls_ecp_curve_info;
+
+/**
+ * \brief           The ECP point structure, in Jacobian coordinates.
+ *
+ * \note            All functions expect and return points satisfying
+ *                  the following condition: <code>Z == 0</code> or
+ *                  <code>Z == 1</code>. Other values of \p Z are
+ *                  used only by internal functions.
+ *                  The point is zero, or "at infinity", if <code>Z == 0</code>.
+ *                  Otherwise, \p X and \p Y are its standard (affine)
+ *                  coordinates.
+ */
+typedef struct mbedtls_ecp_point
+{
+    mbedtls_mpi X;          /*!< The X coordinate of the ECP point. */
+    mbedtls_mpi Y;          /*!< The Y coordinate of the ECP point. */
+    mbedtls_mpi Z;          /*!< The Z coordinate of the ECP point. */
+}
+mbedtls_ecp_point;
+
+#if !defined(MBEDTLS_ECP_ALT)
+/*
+ * default mbed TLS elliptic curve arithmetic implementation
+ *
+ * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an
+ * alternative implementation for the whole module and it will replace this
+ * one.)
+ */
+
+/**
+ * \brief           The ECP group structure.
+ *
+ * We consider two types of curve equations:
+ * <ul><li>Short Weierstrass: <code>y^2 = x^3 + A x + B mod P</code>
+ * (SEC1 + RFC-4492)</li>
+ * <li>Montgomery: <code>y^2 = x^3 + A x^2 + x mod P</code> (Curve25519,
+ * Curve448)</li></ul>
+ * In both cases, the generator (\p G) for a prime-order subgroup is fixed.
+ *
+ * For Short Weierstrass, this subgroup is the whole curve, and its
+ * cardinality is denoted by \p N. Our code requires that \p N is an
+ * odd prime as mbedtls_ecp_mul() requires an odd number, and
+ * mbedtls_ecdsa_sign() requires that it is prime for blinding purposes.
+ *
+ * For Montgomery curves, we do not store \p A, but <code>(A + 2) / 4</code>,
+ * which is the quantity used in the formulas. Additionally, \p nbits is
+ * not the size of \p N but the required size for private keys.
+ *
+ * If \p modp is NULL, reduction modulo \p P is done using a generic algorithm.
+ * Otherwise, \p modp must point to a function that takes an \p mbedtls_mpi in the
+ * range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
+ * which is congruent mod \p P to the given MPI, and is close enough to \p pbits
+ * in size, so that it may be efficiently brought in the 0..P-1 range by a few
+ * additions or subtractions. Therefore, it is only an approximative modular
+ * reduction. It must return 0 on success and non-zero on failure.
+ *
+ * \note        Alternative implementations must keep the group IDs distinct. If
+ *              two group structures have the same ID, then they must be
+ *              identical.
+ *
+ */
+typedef struct mbedtls_ecp_group
+{
+    mbedtls_ecp_group_id id;    /*!< An internal group identifier. */
+    mbedtls_mpi P;              /*!< The prime modulus of the base field. */
+    mbedtls_mpi A;              /*!< For Short Weierstrass: \p A in the equation. For
+                                     Montgomery curves: <code>(A + 2) / 4</code>. */
+    mbedtls_mpi B;              /*!< For Short Weierstrass: \p B in the equation.
+                                     For Montgomery curves: unused. */
+    mbedtls_ecp_point G;        /*!< The generator of the subgroup used. */
+    mbedtls_mpi N;              /*!< The order of \p G. */
+    size_t pbits;               /*!< The number of bits in \p P.*/
+    size_t nbits;               /*!< For Short Weierstrass: The number of bits in \p P.
+                                     For Montgomery curves: the number of bits in the
+                                     private keys. */
+    unsigned int h;             /*!< \internal 1 if the constants are static. */
+    int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction
+                                     mod \p P (see above).*/
+    int (*t_pre)(mbedtls_ecp_point *, void *);  /*!< Unused. */
+    int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */
+    void *t_data;               /*!< Unused. */
+    mbedtls_ecp_point *T;       /*!< Pre-computed points for ecp_mul_comb(). */
+    size_t T_size;              /*!< The number of pre-computed points. */
+}
+mbedtls_ecp_group;
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h, or define them using the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ECP_MAX_BITS)
+/**
+ * The maximum size of the groups, that is, of \c N and \c P.
+ */
+#define MBEDTLS_ECP_MAX_BITS     521   /**< The maximum size of groups, in bits. */
+#endif
+
+#define MBEDTLS_ECP_MAX_BYTES    ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )
+#define MBEDTLS_ECP_MAX_PT_LEN   ( 2 * MBEDTLS_ECP_MAX_BYTES + 1 )
+
+#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
+/*
+ * Maximum "window" size used for point multiplication.
+ * Default: 6.
+ * Minimum value: 2. Maximum value: 7.
+ *
+ * Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
+ * points used for point multiplication. This value is directly tied to EC
+ * peak memory usage, so decreasing it by one should roughly cut memory usage
+ * by two (if large curves are in use).
+ *
+ * Reduction in size may reduce speed, but larger curves are impacted first.
+ * Sample performances (in ECDHE handshakes/s, with FIXED_POINT_OPTIM = 1):
+ *      w-size:     6       5       4       3       2
+ *      521       145     141     135     120      97
+ *      384       214     209     198     177     146
+ *      256       320     320     303     262     226
+ *      224       475     475     453     398     342
+ *      192       640     640     633     587     476
+ */
+#define MBEDTLS_ECP_WINDOW_SIZE    6   /**< The maximum window size used. */
+#endif /* MBEDTLS_ECP_WINDOW_SIZE */
+
+#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
+/*
+ * Trade memory for speed on fixed-point multiplication.
+ *
+ * This speeds up repeated multiplication of the generator (that is, the
+ * multiplication in ECDSA signatures, and half of the multiplications in
+ * ECDSA verification and ECDHE) by a factor roughly 3 to 4.
+ *
+ * The cost is increasing EC peak memory usage by a factor roughly 2.
+ *
+ * Change this value to 0 to reduce peak memory usage.
+ */
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM  1   /**< Enable fixed-point speed-up. */
+#endif /* MBEDTLS_ECP_FIXED_POINT_OPTIM */
+
+/* \} name SECTION: Module settings */
+
+#else  /* MBEDTLS_ECP_ALT */
+#include "ecp_alt.h"
+#endif /* MBEDTLS_ECP_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief           Internal restart context for multiplication
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_mul mbedtls_ecp_restart_mul_ctx;
+
+/**
+ * \brief           Internal restart context for ecp_muladd()
+ *
+ * \note            Opaque struct
+ */
+typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx;
+
+/**
+ * \brief           General context for resuming ECC operations
+ */
+typedef struct
+{
+    unsigned ops_done;                  /*!<  current ops count             */
+    unsigned depth;                     /*!<  call depth (0 = top-level)    */
+    mbedtls_ecp_restart_mul_ctx *rsm;   /*!<  ecp_mul_comb() sub-context    */
+    mbedtls_ecp_restart_muladd_ctx *ma; /*!<  ecp_muladd() sub-context      */
+} mbedtls_ecp_restart_ctx;
+
+/*
+ * Operation counts for restartable functions
+ */
+#define MBEDTLS_ECP_OPS_CHK   3 /*!< basic ops count for ecp_check_pubkey()  */
+#define MBEDTLS_ECP_OPS_DBL   8 /*!< basic ops count for ecp_double_jac()    */
+#define MBEDTLS_ECP_OPS_ADD  11 /*!< basic ops count for see ecp_add_mixed() */
+#define MBEDTLS_ECP_OPS_INV 120 /*!< empirical equivalent for mpi_mod_inv()  */
+
+/**
+ * \brief           Internal; for restartable functions in other modules.
+ *                  Check and update basic ops budget.
+ *
+ * \param grp       Group structure
+ * \param rs_ctx    Restart context
+ * \param ops       Number of basic ops to do
+ *
+ * \return          \c 0 if doing \p ops basic ops is still allowed,
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS otherwise.
+ */
+int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
+                              mbedtls_ecp_restart_ctx *rs_ctx,
+                              unsigned ops );
+
+/* Utility macro for checking and updating ops budget */
+#define MBEDTLS_ECP_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, rs_ctx, \
+                                               (unsigned) (ops) ) );
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define MBEDTLS_ECP_BUDGET( ops )   /* no-op; for compatibility */
+
+/* We want to declare restartable versions of existing functions anyway */
+typedef void mbedtls_ecp_restart_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief    The ECP key-pair structure.
+ *
+ * A generic key-pair that may be used for ECDSA and fixed ECDH, for example.
+ *
+ * \note    Members are deliberately in the same order as in the
+ *          ::mbedtls_ecdsa_context structure.
+ */
+typedef struct mbedtls_ecp_keypair
+{
+    mbedtls_ecp_group grp;      /*!<  Elliptic curve and base point     */
+    mbedtls_mpi d;              /*!<  our secret value                  */
+    mbedtls_ecp_point Q;        /*!<  our public value                  */
+}
+mbedtls_ecp_keypair;
+
+/*
+ * Point formats, from RFC 4492's enum ECPointFormat
+ */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED    0   /**< Uncompressed point format. */
+#define MBEDTLS_ECP_PF_COMPRESSED      1   /**< Compressed point format. */
+
+/*
+ * Some other constants from RFC 4492
+ */
+#define MBEDTLS_ECP_TLS_NAMED_CURVE    3   /**< The named_curve of ECCurveType. */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Set the maximum number of basic operations done in a row.
+ *
+ *                  If more operations are needed to complete a computation,
+ *                  #MBEDTLS_ERR_ECP_IN_PROGRESS will be returned by the
+ *                  function performing the computation. It is then the
+ *                  caller's responsibility to either call again with the same
+ *                  parameters until it returns 0 or an error code; or to free
+ *                  the restart context if the operation is to be aborted.
+ *
+ *                  It is strictly required that all input parameters and the
+ *                  restart context be the same on successive calls for the
+ *                  same operation, but output parameters need not be the
+ *                  same; they must not be used until the function finally
+ *                  returns 0.
+ *
+ *                  This only applies to functions whose documentation
+ *                  mentions they may return #MBEDTLS_ERR_ECP_IN_PROGRESS (or
+ *                  #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS for functions in the
+ *                  SSL module). For functions that accept a "restart context"
+ *                  argument, passing NULL disables restart and makes the
+ *                  function equivalent to the function with the same name
+ *                  with \c _restartable removed. For functions in the ECDH
+ *                  module, restart is disabled unless the function accepts
+ *                  an "ECDH context" argument and
+ *                  mbedtls_ecdh_enable_restart() was previously called on
+ *                  that context. For function in the SSL module, restart is
+ *                  only enabled for specific sides and key exchanges
+ *                  (currently only for clients and ECDHE-ECDSA).
+ *
+ * \param max_ops   Maximum number of basic operations done in a row.
+ *                  Default: 0 (unlimited).
+ *                  Lower (non-zero) values mean ECC functions will block for
+ *                  a lesser maximum amount of time.
+ *
+ * \note            A "basic operation" is defined as a rough equivalent of a
+ *                  multiplication in GF(p) for the NIST P-256 curve.
+ *                  As an indication, with default settings, a scalar
+ *                  multiplication (full run of \c mbedtls_ecp_mul()) is:
+ *                  - about 3300 basic operations for P-256
+ *                  - about 9400 basic operations for P-384
+ *
+ * \note            Very low values are not always respected: sometimes
+ *                  functions need to block for a minimum number of
+ *                  operations, and will do so even if max_ops is set to a
+ *                  lower value.  That minimum depends on the curve size, and
+ *                  can be made lower by decreasing the value of
+ *                  \c MBEDTLS_ECP_WINDOW_SIZE.  As an indication, here is the
+ *                  lowest effective value for various curves and values of
+ *                  that parameter (w for short):
+ *                          w=6     w=5     w=4     w=3     w=2
+ *                  P-256   208     208     160     136     124
+ *                  P-384   682     416     320     272     248
+ *                  P-521  1364     832     640     544     496
+ *
+ * \note            This setting is currently ignored by Curve25519.
+ */
+void mbedtls_ecp_set_max_ops( unsigned max_ops );
+
+/**
+ * \brief           Check if restart is enabled (max_ops != 0)
+ *
+ * \return          \c 0 if \c max_ops == 0 (restart disabled)
+ * \return          \c 1 otherwise (restart enabled)
+ */
+int mbedtls_ecp_restart_is_enabled( void );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function retrieves the information defined in
+ *                  mbedtls_ecp_curve_info() for all supported curves in order
+ *                  of preference.
+ *
+ * \return          A statically allocated array. The last entry is 0.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void );
+
+/**
+ * \brief           This function retrieves the list of internal group
+ *                  identifiers of all supported curves in the order of
+ *                  preference.
+ *
+ * \return          A statically allocated array,
+ *                  terminated with MBEDTLS_ECP_DP_NONE.
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void );
+
+/**
+ * \brief           This function retrieves curve information from an internal
+ *                  group identifier.
+ *
+ * \param grp_id    An \c MBEDTLS_ECP_DP_XXX value.
+ *
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id );
+
+/**
+ * \brief           This function retrieves curve information from a TLS
+ *                  NamedCurve value.
+ *
+ * \param tls_id    An \c MBEDTLS_ECP_DP_XXX value.
+ *
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id );
+
+/**
+ * \brief           This function retrieves curve information from a
+ *                  human-readable name.
+ *
+ * \param name      The human-readable name.
+ *
+ * \return          The associated curve information on success.
+ * \return          NULL on failure.
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name );
+
+/**
+ * \brief           This function initializes a point as zero.
+ *
+ * \param pt        The point to initialize.
+ */
+void mbedtls_ecp_point_init( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function initializes an ECP group context
+ *                  without loading any domain parameters.
+ *
+ * \note            After this function is called, domain parameters
+ *                  for various ECP groups can be loaded through the
+ *                  mbedtls_ecp_group_load() or mbedtls_ecp_tls_read_group()
+ *                  functions.
+ */
+void mbedtls_ecp_group_init( mbedtls_ecp_group *grp );
+
+/**
+ * \brief           This function initializes a key pair as an invalid one.
+ *
+ * \param key       The key pair to initialize.
+ */
+void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key );
+
+/**
+ * \brief           This function frees the components of a point.
+ *
+ * \param pt        The point to free.
+ */
+void mbedtls_ecp_point_free( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function frees the components of an ECP group.
+ *
+ * \param grp       The group to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP group.
+ */
+void mbedtls_ecp_group_free( mbedtls_ecp_group *grp );
+
+/**
+ * \brief           This function frees the components of a key pair.
+ *
+ * \param key       The key pair to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized ECP key pair.
+ */
+void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context.
+ *
+ * \param ctx       The restart context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context.
+ *
+ * \param ctx       The restart context to free. This may be \c NULL, in which
+ *                  case this function returns immediately. If it is not
+ *                  \c NULL, it must point to an initialized restart context.
+ */
+void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           This function copies the contents of point \p Q into
+ *                  point \p P.
+ *
+ * \param P         The destination point. This must be initialized.
+ * \param Q         The source point. This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code for other kinds of failure.
+ */
+int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           This function copies the contents of group \p src into
+ *                  group \p dst.
+ *
+ * \param dst       The destination group. This must be initialized.
+ * \param src       The source group. This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst,
+                            const mbedtls_ecp_group *src );
+
+/**
+ * \brief           This function sets a point to the point at infinity.
+ *
+ * \param pt        The point to set. This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function checks if a point is the point at infinity.
+ *
+ * \param pt        The point to test. This must be initialized.
+ *
+ * \return          \c 1 if the point is zero.
+ * \return          \c 0 if the point is non-zero.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function compares two points.
+ *
+ * \note            This assumes that the points are normalized. Otherwise,
+ *                  they may compare as "not equal" even if they are.
+ *
+ * \param P         The first point to compare. This must be initialized.
+ * \param Q         The second point to compare. This must be initialized.
+ *
+ * \return          \c 0 if the points are equal.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the points are not equal.
+ */
+int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
+                           const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           This function imports a non-zero point from two ASCII
+ *                  strings.
+ *
+ * \param P         The destination point. This must be initialized.
+ * \param radix     The numeric base of the input.
+ * \param x         The first affine coordinate, as a null-terminated string.
+ * \param y         The second affine coordinate, as a null-terminated string.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_MPI_XXX error code on failure.
+ */
+int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
+                           const char *x, const char *y );
+
+/**
+ * \brief           This function exports a point into unsigned binary data.
+ *
+ * \param grp       The group to which the point should belong.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The point to export. This must be initialized.
+ * \param format    The point format. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen      The address at which to store the length of
+ *                  the output in Bytes. This must not be \c NULL.
+ * \param buf       The output buffer. This must be a writable buffer
+ *                  of length \p buflen Bytes.
+ * \param buflen    The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output buffer
+ *                  is too small to hold the point.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *P,
+                            int format, size_t *olen,
+                            unsigned char *buf, size_t buflen );
+
+/**
+ * \brief           This function imports a point from unsigned binary data.
+ *
+ * \note            This function does not check that the point actually
+ *                  belongs to the given group, see mbedtls_ecp_check_pubkey()
+ *                  for that.
+ *
+ * \param grp       The group to which the point should belong.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param P         The destination context to import the point to.
+ *                  This must be initialized.
+ * \param buf       The input buffer. This must be a readable buffer
+ *                  of length \p ilen Bytes.
+ * \param ilen      The length of the input buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the point format
+ *                  is not implemented.
+ */
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *P,
+                                   const unsigned char *buf, size_t ilen );
+
+/**
+ * \brief           This function imports a point from a TLS ECPoint record.
+ *
+ * \note            On function return, \p *buf is updated to point immediately
+ *                  after the ECPoint record.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The destination point.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_MPI_XXX error code on initialization
+ *                  failure.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ */
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *pt,
+                                const unsigned char **buf, size_t len );
+
+/**
+ * \brief           This function exports a point as a TLS ECPoint record
+ *                  defined in RFC 4492, Section 5.4.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to be exported. This must be initialized.
+ * \param format    The point format to use. This must be either
+ *                  #MBEDTLS_ECP_PF_COMPRESSED or #MBEDTLS_ECP_PF_UNCOMPRESSED.
+ * \param olen      The address at which to store the length in Bytes
+ *                  of the data written.
+ * \param buf       The target buffer. This must be a writable buffer of
+ *                  length \p blen Bytes.
+ * \param blen      The length of the target buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the target buffer
+ *                  is too small to hold the exported point.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp,
+                                 const mbedtls_ecp_point *pt,
+                                 int format, size_t *olen,
+                                 unsigned char *buf, size_t blen );
+
+/**
+ * \brief           This function sets up an ECP group context
+ *                  from a standardized set of domain parameters.
+ *
+ * \note            The index should be a value of the NamedCurve enum,
+ *                  as defined in <em>RFC-4492: Elliptic Curve Cryptography
+ *                  (ECC) Cipher Suites for Transport Layer Security (TLS)</em>,
+ *                  usually in the form of an \c MBEDTLS_ECP_DP_XXX macro.
+ *
+ * \param grp       The group context to setup. This must be initialized.
+ * \param id        The identifier of the domain parameter set to load.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p id doesn't
+ *                  correspond to a known group.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id );
+
+/**
+ * \brief           This function sets up an ECP group context from a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
+ *
+ * \param grp       The group context to setup. This must be initialized.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
+                                const unsigned char **buf, size_t len );
+
+/**
+ * \brief           This function extracts an elliptic curve group ID from a
+ *                  TLS ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \note            The read pointer \p buf is updated to point right after
+ *                  the ECParameters record on exit.
+ *
+ * \param grp       The address at which to store the group id.
+ *                  This must not be \c NULL.
+ * \param buf       The address of the pointer to the start of the input buffer.
+ * \param len       The length of the input buffer \c *buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if input is invalid.
+ * \return          #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the group is not
+ *                  recognized.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
+                                   const unsigned char **buf,
+                                   size_t len );
+/**
+ * \brief           This function exports an elliptic curve as a TLS
+ *                  ECParameters record as defined in RFC 4492, Section 5.4.
+ *
+ * \param grp       The ECP group to be exported.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param olen      The address at which to store the number of Bytes written.
+ *                  This must not be \c NULL.
+ * \param buf       The buffer to write to. This must be a writable buffer
+ *                  of length \p blen Bytes.
+ * \param blen      The length of the output buffer \p buf in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the output
+ *                  buffer is too small to hold the exported group.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
+                                 size_t *olen,
+                                 unsigned char *buf, size_t blen );
+
+/**
+ * \brief           This function performs a scalar multiplication of a point
+ *                  by an integer: \p R = \p m * \p P.
+ *
+ *                  It is not thread-safe to use same group in multiple threads.
+ *
+ * \note            To prevent timing attacks, this function
+ *                  executes the exact same sequence of base-field
+ *                  operations for any valid \p m. It avoids any if-branch or
+ *                  array index depending on the value of \p m.
+ *
+ * \note            If \p f_rng is not NULL, it is used to randomize
+ *                  intermediate results to prevent potential timing attacks
+ *                  targeting these results. We recommend always providing
+ *                  a non-NULL \p f_rng. The overhead is negligible.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ *                  key, or \p P is not a valid public key.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           This function performs multiplication of a point by
+ *                  an integer: \p R = \p m * \p P in a restartable way.
+ *
+ * \see             mbedtls_ecp_mul()
+ *
+ * \note            This function does the same as \c mbedtls_ecp_mul(), but
+ *                  it can return early and restart according to the limit set
+ *                  with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply. This must be initialized.
+ * \param P         The point to multiply. This must be initialized.
+ * \param f_rng     The RNG function. This may be \c NULL if randomization
+ *                  of intermediate results isn't desired (discouraged).
+ * \param p_rng     The RNG context to be passed to \p p_rng.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m is not a valid private
+ *                  key, or \p P is not a valid public key.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_ecp_restart_ctx *rs_ctx );
+
+/**
+ * \brief           This function performs multiplication and addition of two
+ *                  points by integers: \p R = \p m * \p P + \p n * \p Q
+ *
+ *                  It is not thread-safe to use same group in multiple threads.
+ *
+ * \note            In contrast to mbedtls_ecp_mul(), this function does not
+ *                  guarantee a constant execution flow and timing.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply \p P.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
+ * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
+ * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ *                  valid private keys, or \p P or \p Q are not valid public
+ *                  keys.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q );
+
+/**
+ * \brief           This function performs multiplication and addition of two
+ *                  points by integers: \p R = \p m * \p P + \p n * \p Q in a
+ *                  restartable way.
+ *
+ * \see             \c mbedtls_ecp_muladd()
+ *
+ * \note            This function works the same as \c mbedtls_ecp_muladd(),
+ *                  but it can return early and restart according to the limit
+ *                  set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param grp       The ECP group to use.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param R         The point in which to store the result of the calculation.
+ *                  This must be initialized.
+ * \param m         The integer by which to multiply \p P.
+ *                  This must be initialized.
+ * \param P         The point to multiply by \p m. This must be initialized.
+ * \param n         The integer by which to multiply \p Q.
+ *                  This must be initialized.
+ * \param Q         The point to be multiplied by \p n.
+ *                  This must be initialized.
+ * \param rs_ctx    The restart context (NULL disables restart).
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if \p m or \p n are not
+ *                  valid private keys, or \p P or \p Q are not valid public
+ *                  keys.
+ * \return          #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_muladd_restartable(
+             mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+             mbedtls_ecp_restart_ctx *rs_ctx );
+
+/**
+ * \brief           This function checks that a point is a valid public key
+ *                  on this curve.
+ *
+ *                  It only checks that the point is non-zero, has
+ *                  valid coordinates and lies on the curve. It does not verify
+ *                  that it is indeed a multiple of \p G. This additional
+ *                  check is computationally more expensive, is not required
+ *                  by standards, and should not be necessary if the group
+ *                  used has a small cofactor. In particular, it is useless for
+ *                  the NIST groups which all have a cofactor of 1.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure, to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group the point should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param pt        The point to check. This must be initialized.
+ *
+ * \return          \c 0 if the point is a valid public key.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not
+ *                  a valid public key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
+                              const mbedtls_ecp_point *pt );
+
+/**
+ * \brief           This function checks that an \p mbedtls_mpi is a
+ *                  valid private key for this curve.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group the private key should belong to.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The integer to check. This must be initialized.
+ *
+ * \return          \c 0 if the point is a valid private key.
+ * \return          #MBEDTLS_ERR_ECP_INVALID_KEY if the point is not a valid
+ *                  private key for the given curve.
+ * \return          Another negative error code on other kinds of failure.
+ */
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
+                               const mbedtls_mpi *d );
+
+/**
+ * \brief           This function generates a private key.
+ *
+ * \param grp       The ECP group to generate a private key for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The destination MPI (secret part). This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG parameter to be passed to \p f_rng. This may be
+ *                  \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng );
+
+/**
+ * \brief           This function generates a keypair with a configurable base
+ *                  point.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param G         The base point to use. This must be initialized
+ *                  and belong to \p grp. It replaces the default base
+ *                  point \c grp->G used by mbedtls_ecp_gen_keypair().
+ * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
+ * \param Q         The destination point (public part).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                                  const mbedtls_ecp_point *G,
+                                  mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                                  int (*f_rng)(void *, unsigned char *, size_t),
+                                  void *p_rng );
+
+/**
+ * \brief           This function generates an ECP keypair.
+ *
+ * \note            This function uses bare components rather than an
+ *                  ::mbedtls_ecp_keypair structure to ease use with other
+ *                  structures, such as ::mbedtls_ecdh_context or
+ *                  ::mbedtls_ecdsa_context.
+ *
+ * \param grp       The ECP group to generate a key pair for.
+ *                  This must be initialized and have group parameters
+ *                  set, for example through mbedtls_ecp_group_load().
+ * \param d         The destination MPI (secret part).
+ *                  This must be initialized.
+ * \param Q         The destination point (public part).
+ *                  This must be initialized.
+ * \param f_rng     The RNG function. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d,
+                             mbedtls_ecp_point *Q,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng );
+
+/**
+ * \brief           This function generates an ECP key.
+ *
+ * \param grp_id    The ECP group identifier.
+ * \param key       The destination key. This must be initialized.
+ * \param f_rng     The RNG function to use. This must not be \c NULL.
+ * \param p_rng     The RNG context to be passed to \p f_rng. This may
+ *                  be \c NULL if \p f_rng doesn't need a context argument.
+ *
+ * \return          \c 0 on success.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX error code
+ *                  on failure.
+ */
+int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+/**
+ * \brief           This function checks that the keypair objects
+ *                  \p pub and \p prv have the same group and the
+ *                  same public point, and that the private key in
+ *                  \p prv is consistent with the public key.
+ *
+ * \param pub       The keypair structure holding the public key. This
+ *                  must be initialized. If it contains a private key, that
+ *                  part is ignored.
+ * \param prv       The keypair structure holding the full keypair.
+ *                  This must be initialized.
+ *
+ * \return          \c 0 on success, meaning that the keys are valid and match.
+ * \return          #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the keys are invalid or do not match.
+ * \return          An \c MBEDTLS_ERR_ECP_XXX or an \c MBEDTLS_ERR_MPI_XXX
+ *                  error code on calculation failure.
+ */
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub,
+                                const mbedtls_ecp_keypair *prv );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The ECP checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_ecp_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ecp.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ecp_internal.h b/makerom/deps/libmbedtls/include/mbedtls/ecp_internal.h
new file mode 100644
index 00000000..7625ed48
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ecp_internal.h
@@ -0,0 +1,299 @@
+/**
+ * \file ecp_internal.h
+ *
+ * \brief Function declarations for alternative implementation of elliptic curve
+ * point arithmetic.
+ */
+/*
+ *  Copyright (C) 2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
+ *     <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ *     render ECC resistant against Side Channel Attacks. IACR Cryptology
+ *     ePrint Archive, 2004, vol. 2004, p. 342.
+ *     <http://eprint.iacr.org/2004/342.pdf>
+ *
+ * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
+ *     <http://www.secg.org/sec2-v2.pdf>
+ *
+ * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
+ *     Curve Cryptography.
+ *
+ * [6] Digital Signature Standard (DSS), FIPS 186-4.
+ *     <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
+ *
+ * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
+ *     Security (TLS), RFC 4492.
+ *     <https://tools.ietf.org/search/rfc4492>
+ *
+ * [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
+ *
+ * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
+ *     Springer Science & Business Media, 1 Aug 2000
+ */
+
+#ifndef MBEDTLS_ECP_INTERNAL_H
+#define MBEDTLS_ECP_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+
+/**
+ * \brief           Indicate if the Elliptic Curve Point module extension can
+ *                  handle the group.
+ *
+ * \param grp       The pointer to the elliptic curve group that will be the
+ *                  basis of the cryptographic computations.
+ *
+ * \return          Non-zero if successful.
+ */
+unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Initialise the Elliptic Curve Point module extension.
+ *
+ *                  If mbedtls_internal_ecp_grp_capable returns true for a
+ *                  group, this function has to be able to initialise the
+ *                  module for it.
+ *
+ *                  This module can be a driver to a crypto hardware
+ *                  accelerator, for which this could be an initialise function.
+ *
+ * \param grp       The pointer to the group the module needs to be
+ *                  initialised for.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp );
+
+/**
+ * \brief           Frees and deallocates the Elliptic Curve Point module
+ *                  extension.
+ *
+ * \param grp       The pointer to the group the module was initialised for.
+ */
+void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp );
+
+#if defined(ECP_SHORTWEIERSTRASS)
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+/**
+ * \brief           Randomize jacobian coordinates:
+ *                  (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param pt        The point on the curve to be randomised, given with Jacobian
+ *                  coordinates.
+ *
+ * \param f_rng     A function pointer to the random number generator.
+ *
+ * \param p_rng     A pointer to the random number generator state.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_randomize_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t),
+        void *p_rng );
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+/**
+ * \brief           Addition: R = P + Q, mixed affine-Jacobian coordinates.
+ *
+ *                  The coordinates of Q must be normalized (= affine),
+ *                  but those of P don't need to. R is not normalized.
+ *
+ *                  This function is used only as a subrutine of
+ *                  ecp_mul_comb().
+ *
+ *                  Special cases: (1) P or Q is zero, (2) R is zero,
+ *                      (3) P == Q.
+ *                  None of these cases can happen as intermediate step in
+ *                  ecp_mul_comb():
+ *                      - at each step, P, Q and R are multiples of the base
+ *                      point, the factor being less than its order, so none of
+ *                      them is zero;
+ *                      - Q is an odd multiple of the base point, P an even
+ *                      multiple, due to the choice of precomputed points in the
+ *                      modified comb method.
+ *                  So branches for these cases do not leak secret information.
+ *
+ *                  We accept Q->Z being unset (saving memory in tables) as
+ *                  meaning 1.
+ *
+ *                  Cost in field operations if done by [5] 3.22:
+ *                      1A := 8M + 3S
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param R         Pointer to a point structure to hold the result.
+ *
+ * \param P         Pointer to the first summand, given with Jacobian
+ *                  coordinates
+ *
+ * \param Q         Pointer to the second summand, given with affine
+ *                  coordinates.
+ *
+ * \return          0 if successful.
+ */
+int mbedtls_internal_ecp_add_mixed( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
+        const mbedtls_ecp_point *Q );
+#endif
+
+/**
+ * \brief           Point doubling R = 2 P, Jacobian coordinates.
+ *
+ *                  Cost:   1D := 3M + 4S    (A ==  0)
+ *                          4M + 4S          (A == -3)
+ *                          3M + 6S + 1a     otherwise
+ *                  when the implementation is based on the "dbl-1998-cmo-2"
+ *                  doubling formulas in [8] and standard optimizations are
+ *                  applied when curve parameter A is one of { 0, -3 }.
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param R         Pointer to a point structure to hold the result.
+ *
+ * \param P         Pointer to the point that has to be doubled, given with
+ *                  Jacobian coordinates.
+ *
+ * \return          0 if successful.
+ */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+int mbedtls_internal_ecp_double_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, const mbedtls_ecp_point *P );
+#endif
+
+/**
+ * \brief           Normalize jacobian coordinates of an array of (pointers to)
+ *                  points.
+ *
+ *                  Using Montgomery's trick to perform only one inversion mod P
+ *                  the cost is:
+ *                      1N(t) := 1I + (6t - 3)M + 1S
+ *                  (See for example Algorithm 10.3.4. in [9])
+ *
+ *                  This function is used only as a subrutine of
+ *                  ecp_mul_comb().
+ *
+ *                  Warning: fails (returning an error) if one of the points is
+ *                  zero!
+ *                  This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param T         Array of pointers to the points to normalise.
+ *
+ * \param t_len     Number of elements in the array.
+ *
+ * \return          0 if successful,
+ *                      an error if one of the points is zero.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+int mbedtls_internal_ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *T[], size_t t_len );
+#endif
+
+/**
+ * \brief           Normalize jacobian coordinates so that Z == 0 || Z == 1.
+ *
+ *                  Cost in field operations if done by [5] 3.2.1:
+ *                      1N := 1I + 3M + 1S
+ *
+ * \param grp       Pointer to the group representing the curve.
+ *
+ * \param pt        pointer to the point to be normalised. This is an
+ *                  input/output parameter.
+ *
+ * \return          0 if successful.
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+int mbedtls_internal_ecp_normalize_jac( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *pt );
+#endif
+
+#endif /* ECP_SHORTWEIERSTRASS */
+
+#if defined(ECP_MONTGOMERY)
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *R, mbedtls_ecp_point *S, const mbedtls_ecp_point *P,
+        const mbedtls_ecp_point *Q, const mbedtls_mpi *d );
+#endif
+
+/**
+ * \brief           Randomize projective x/z coordinates:
+ *                      (X, Z) -> (l X, l Z) for random l
+ *
+ * \param grp       pointer to the group representing the curve
+ *
+ * \param P         the point on the curve to be randomised given with
+ *                  projective coordinates. This is an input/output parameter.
+ *
+ * \param f_rng     a function pointer to the random number generator
+ *
+ * \param p_rng     a pointer to the random number generator state
+ *
+ * \return          0 if successful
+ */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+int mbedtls_internal_ecp_randomize_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t),
+        void *p_rng );
+#endif
+
+/**
+ * \brief           Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
+ *
+ * \param grp       pointer to the group representing the curve
+ *
+ * \param P         pointer to the point to be normalised. This is an
+ *                  input/output parameter.
+ *
+ * \return          0 if successful
+ */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+int mbedtls_internal_ecp_normalize_mxz( const mbedtls_ecp_group *grp,
+        mbedtls_ecp_point *P );
+#endif
+
+#endif /* ECP_MONTGOMERY */
+
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#endif /* ecp_internal.h */
+
diff --git a/makerom/deps/libmbedtls/include/mbedtls/entropy.h b/makerom/deps/libmbedtls/include/mbedtls/entropy.h
new file mode 100644
index 00000000..ca06dc3c
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/entropy.h
@@ -0,0 +1,289 @@
+/**
+ * \file entropy.h
+ *
+ * \brief Entropy accumulator implementation
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ENTROPY_H
+#define MBEDTLS_ENTROPY_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+#include "sha512.h"
+#define MBEDTLS_ENTROPY_SHA512_ACCUMULATOR
+#else
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_ENTROPY_SHA256_ACCUMULATOR
+#include "sha256.h"
+#endif
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+#include "havege.h"
+#endif
+
+#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED                 -0x003C  /**< Critical entropy source failure. */
+#define MBEDTLS_ERR_ENTROPY_MAX_SOURCES                   -0x003E  /**< No more sources can be added. */
+#define MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED            -0x0040  /**< No sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE              -0x003D  /**< No strong sources have been added to poll. */
+#define MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR                 -0x003F  /**< Read/write error in file. */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_ENTROPY_MAX_SOURCES)
+#define MBEDTLS_ENTROPY_MAX_SOURCES     20      /**< Maximum number of sources supported */
+#endif
+
+#if !defined(MBEDTLS_ENTROPY_MAX_GATHER)
+#define MBEDTLS_ENTROPY_MAX_GATHER      128     /**< Maximum amount requested from entropy sources */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      64      /**< Block size of entropy accumulator (SHA-512) */
+#else
+#define MBEDTLS_ENTROPY_BLOCK_SIZE      32      /**< Block size of entropy accumulator (SHA-256) */
+#endif
+
+#define MBEDTLS_ENTROPY_MAX_SEED_SIZE   1024    /**< Maximum size of seed we read from seed file */
+#define MBEDTLS_ENTROPY_SOURCE_MANUAL   MBEDTLS_ENTROPY_MAX_SOURCES
+
+#define MBEDTLS_ENTROPY_SOURCE_STRONG   1       /**< Entropy source is strong   */
+#define MBEDTLS_ENTROPY_SOURCE_WEAK     0       /**< Entropy source is weak     */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief           Entropy poll callback pointer
+ *
+ * \param data      Callback-specific data pointer
+ * \param output    Data to fill
+ * \param len       Maximum size to provide
+ * \param olen      The actual amount of bytes put into the buffer (Can be 0)
+ *
+ * \return          0 if no critical failures occurred,
+ *                  MBEDTLS_ERR_ENTROPY_SOURCE_FAILED otherwise
+ */
+typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, size_t len,
+                            size_t *olen);
+
+/**
+ * \brief           Entropy source state
+ */
+typedef struct mbedtls_entropy_source_state
+{
+    mbedtls_entropy_f_source_ptr    f_source;   /**< The entropy source callback */
+    void *          p_source;   /**< The callback data pointer */
+    size_t          size;       /**< Amount received in bytes */
+    size_t          threshold;  /**< Minimum bytes required before release */
+    int             strong;     /**< Is the source strong? */
+}
+mbedtls_entropy_source_state;
+
+/**
+ * \brief           Entropy context structure
+ */
+typedef struct mbedtls_entropy_context
+{
+    int accumulator_started;
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_context  accumulator;
+#else
+    mbedtls_sha256_context  accumulator;
+#endif
+    int             source_count;
+    mbedtls_entropy_source_state    source[MBEDTLS_ENTROPY_MAX_SOURCES];
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_state    havege_data;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    int initial_entropy_run;
+#endif
+}
+mbedtls_entropy_context;
+
+/**
+ * \brief           Initialize the context
+ *
+ * \param ctx       Entropy context to initialize
+ */
+void mbedtls_entropy_init( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Free the data in the context
+ *
+ * \param ctx       Entropy context to free
+ */
+void mbedtls_entropy_free( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Adds an entropy source to poll
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ * \param f_source  Entropy function
+ * \param p_source  Function data
+ * \param threshold Minimum required from source before entropy is released
+ *                  ( with mbedtls_entropy_func() ) (in bytes)
+ * \param strong    MBEDTLS_ENTROPY_SOURCE_STRONG or
+ *                  MBEDTLS_ENTROPY_SOURCE_WEAK.
+ *                  At least one strong source needs to be added.
+ *                  Weaker sources (such as the cycle counter) can be used as
+ *                  a complement.
+ *
+ * \return          0 if successful or MBEDTLS_ERR_ENTROPY_MAX_SOURCES
+ */
+int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
+                        mbedtls_entropy_f_source_ptr f_source, void *p_source,
+                        size_t threshold, int strong );
+
+/**
+ * \brief           Trigger an extra gather poll for the accumulator
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_gather( mbedtls_entropy_context *ctx );
+
+/**
+ * \brief           Retrieve entropy from the accumulator
+ *                  (Maximum length: MBEDTLS_ENTROPY_BLOCK_SIZE)
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data      Entropy context
+ * \param output    Buffer to fill
+ * \param len       Number of bytes desired, must be at most MBEDTLS_ENTROPY_BLOCK_SIZE
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_func( void *data, unsigned char *output, size_t len );
+
+/**
+ * \brief           Add data to the accumulator manually
+ *                  (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param ctx       Entropy context
+ * \param data      Data to add
+ * \param len       Length of data
+ *
+ * \return          0 if successful
+ */
+int mbedtls_entropy_update_manual( mbedtls_entropy_context *ctx,
+                           const unsigned char *data, size_t len );
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief           Trigger an update of the seed file in NV by using the
+ *                  current entropy pool.
+ *
+ * \param ctx       Entropy context
+ *
+ * \return          0 if successful
+ */
+int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx );
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               Write a seed file
+ *
+ * \param ctx           Entropy context
+ * \param path          Name of the file
+ *
+ * \return              0 if successful,
+ *                      MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error, or
+ *                      MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *path );
+
+/**
+ * \brief               Read and update a seed file. Seed is added to this
+ *                      instance. No more than MBEDTLS_ENTROPY_MAX_SEED_SIZE bytes are
+ *                      read from the seed file. The rest is ignored.
+ *
+ * \param ctx           Entropy context
+ * \param path          Name of the file
+ *
+ * \return              0 if successful,
+ *                      MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR on file error,
+ *                      MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
+ */
+int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ *                 This module self-test also calls the entropy self-test,
+ *                 mbedtls_entropy_source_self_test();
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_self_test( int verbose );
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief          Checkup routine
+ *
+ *                 Verifies the integrity of the hardware entropy source
+ *                 provided by the function 'mbedtls_hardware_poll()'.
+ *
+ *                 Note this is the only hardware entropy source that is known
+ *                 at link time, and other entropy sources configured
+ *                 dynamically at runtime by the function
+ *                 mbedtls_entropy_add_source() will not be tested.
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_entropy_source_self_test( int verbose );
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/entropy_poll.h b/makerom/deps/libmbedtls/include/mbedtls/entropy_poll.h
new file mode 100644
index 00000000..94dd657e
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/entropy_poll.h
@@ -0,0 +1,110 @@
+/**
+ * \file entropy_poll.h
+ *
+ * \brief Platform-specific and custom entropy polling functions
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ENTROPY_POLL_H
+#define MBEDTLS_ENTROPY_POLL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Default thresholds for built-in sources, in bytes
+ */
+#define MBEDTLS_ENTROPY_MIN_PLATFORM     32     /**< Minimum for platform source    */
+#define MBEDTLS_ENTROPY_MIN_HAVEGE       32     /**< Minimum for HAVEGE             */
+#define MBEDTLS_ENTROPY_MIN_HARDCLOCK     4     /**< Minimum for mbedtls_timing_hardclock()        */
+#if !defined(MBEDTLS_ENTROPY_MIN_HARDWARE)
+#define MBEDTLS_ENTROPY_MIN_HARDWARE     32     /**< Minimum for the hardware source */
+#endif
+
+/**
+ * \brief           Entropy poll callback that provides 0 entropy.
+ */
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    int mbedtls_null_entropy_poll( void *data,
+                                unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+/**
+ * \brief           Platform-specific entropy poll callback
+ */
+int mbedtls_platform_entropy_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+/**
+ * \brief           HAVEGE based entropy poll callback
+ *
+ * Requires an HAVEGE state as its data pointer.
+ */
+int mbedtls_havege_poll( void *data,
+                 unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+/**
+ * \brief           mbedtls_timing_hardclock-based entropy poll callback
+ */
+int mbedtls_hardclock_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+/**
+ * \brief           Entropy poll callback for a hardware source
+ *
+ * \warning         This is not provided by mbed TLS!
+ *                  See \c MBEDTLS_ENTROPY_HARDWARE_ALT in config.h.
+ *
+ * \note            This must accept NULL as its first argument.
+ */
+int mbedtls_hardware_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/**
+ * \brief           Entropy poll callback for a non-volatile seed file
+ *
+ * \note            This must accept NULL as its first argument.
+ */
+int mbedtls_nv_seed_poll( void *data,
+                          unsigned char *output, size_t len, size_t *olen );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* entropy_poll.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/error.h b/makerom/deps/libmbedtls/include/mbedtls/error.h
new file mode 100644
index 00000000..bee0fe48
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/error.h
@@ -0,0 +1,129 @@
+/**
+ * \file error.h
+ *
+ * \brief Error to string translation
+ */
+/*
+ *  Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_ERROR_H
+#define MBEDTLS_ERROR_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * Error code layout.
+ *
+ * Currently we try to keep all error codes within the negative space of 16
+ * bits signed integers to support all platforms (-0x0001 - -0x7FFF). In
+ * addition we'd like to give two layers of information on the error if
+ * possible.
+ *
+ * For that purpose the error codes are segmented in the following manner:
+ *
+ * 16 bit error code bit-segmentation
+ *
+ * 1 bit  - Unused (sign bit)
+ * 3 bits - High level module ID
+ * 5 bits - Module-dependent error code
+ * 7 bits - Low level module errors
+ *
+ * For historical reasons, low-level error codes are divided in even and odd,
+ * even codes were assigned first, and -1 is reserved for other errors.
+ *
+ * Low-level module errors (0x0002-0x007E, 0x0003-0x007F)
+ *
+ * Module   Nr  Codes assigned
+ * MPI       7  0x0002-0x0010
+ * GCM       3  0x0012-0x0014   0x0013-0x0013
+ * BLOWFISH  3  0x0016-0x0018   0x0017-0x0017
+ * THREADING 3  0x001A-0x001E
+ * AES       5  0x0020-0x0022   0x0021-0x0025
+ * CAMELLIA  3  0x0024-0x0026   0x0027-0x0027
+ * XTEA      2  0x0028-0x0028   0x0029-0x0029
+ * BASE64    2  0x002A-0x002C
+ * OID       1  0x002E-0x002E   0x000B-0x000B
+ * PADLOCK   1  0x0030-0x0030
+ * DES       2  0x0032-0x0032   0x0033-0x0033
+ * CTR_DBRG  4  0x0034-0x003A
+ * ENTROPY   3  0x003C-0x0040   0x003D-0x003F
+ * NET      13  0x0042-0x0052   0x0043-0x0049
+ * ARIA      4  0x0058-0x005E
+ * ASN1      7  0x0060-0x006C
+ * CMAC      1  0x007A-0x007A
+ * PBKDF2    1  0x007C-0x007C
+ * HMAC_DRBG 4                  0x0003-0x0009
+ * CCM       3                  0x000D-0x0011
+ * ARC4      1                  0x0019-0x0019
+ * MD2       1                  0x002B-0x002B
+ * MD4       1                  0x002D-0x002D
+ * MD5       1                  0x002F-0x002F
+ * RIPEMD160 1                  0x0031-0x0031
+ * SHA1      1                  0x0035-0x0035 0x0073-0x0073
+ * SHA256    1                  0x0037-0x0037 0x0074-0x0074
+ * SHA512    1                  0x0039-0x0039 0x0075-0x0075
+ * CHACHA20  3                  0x0051-0x0055
+ * POLY1305  3                  0x0057-0x005B
+ * CHACHAPOLY 2 0x0054-0x0056
+ * PLATFORM  1  0x0070-0x0072
+ *
+ * High-level module nr (3 bits - 0x0...-0x7...)
+ * Name      ID  Nr of Errors
+ * PEM       1   9
+ * PKCS#12   1   4 (Started from top)
+ * X509      2   20
+ * PKCS5     2   4 (Started from top)
+ * DHM       3   11
+ * PK        3   15 (Started from top)
+ * RSA       4   11
+ * ECP       4   10 (Started from top)
+ * MD        5   5
+ * HKDF      5   1 (Started from top)
+ * CIPHER    6   8
+ * SSL       6   23 (Started from top)
+ * SSL       7   32
+ *
+ * Module dependent error code (5 bits 0x.00.-0x.F8.)
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Translate a mbed TLS error code into a string representation,
+ *        Result is truncated if necessary and always includes a terminating
+ *        null byte.
+ *
+ * \param errnum    error code
+ * \param buffer    buffer to place representation in
+ * \param buflen    length of the buffer
+ */
+void mbedtls_strerror( int errnum, char *buffer, size_t buflen );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* error.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/gcm.h b/makerom/deps/libmbedtls/include/mbedtls/gcm.h
new file mode 100644
index 00000000..fd130abd
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/gcm.h
@@ -0,0 +1,326 @@
+/**
+ * \file gcm.h
+ *
+ * \brief This file contains GCM definitions and functions.
+ *
+ * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
+ * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
+ * (GCM), Natl. Inst. Stand. Technol.</em>
+ *
+ * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
+ * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_GCM_H
+#define MBEDTLS_GCM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#include <stdint.h>
+
+#define MBEDTLS_GCM_ENCRYPT     1
+#define MBEDTLS_GCM_DECRYPT     0
+
+#define MBEDTLS_ERR_GCM_AUTH_FAILED                       -0x0012  /**< Authenticated decryption failed. */
+
+/* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED                   -0x0013  /**< GCM hardware accelerator failed. */
+
+#define MBEDTLS_ERR_GCM_BAD_INPUT                         -0x0014  /**< Bad input parameters to function. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/**
+ * \brief          The GCM context structure.
+ */
+typedef struct mbedtls_gcm_context
+{
+    mbedtls_cipher_context_t cipher_ctx;  /*!< The cipher context used. */
+    uint64_t HL[16];                      /*!< Precalculated HTable low. */
+    uint64_t HH[16];                      /*!< Precalculated HTable high. */
+    uint64_t len;                         /*!< The total length of the encrypted data. */
+    uint64_t add_len;                     /*!< The total length of the additional data. */
+    unsigned char base_ectr[16];          /*!< The first ECTR for tag. */
+    unsigned char y[16];                  /*!< The Y working value. */
+    unsigned char buf[16];                /*!< The buf working value. */
+    int mode;                             /*!< The operation to perform:
+                                               #MBEDTLS_GCM_ENCRYPT or
+                                               #MBEDTLS_GCM_DECRYPT. */
+}
+mbedtls_gcm_context;
+
+#else  /* !MBEDTLS_GCM_ALT */
+#include "gcm_alt.h"
+#endif /* !MBEDTLS_GCM_ALT */
+
+/**
+ * \brief           This function initializes the specified GCM context,
+ *                  to make references valid, and prepares the context
+ *                  for mbedtls_gcm_setkey() or mbedtls_gcm_free().
+ *
+ *                  The function does not bind the GCM context to a particular
+ *                  cipher, nor set the key. For this purpose, use
+ *                  mbedtls_gcm_setkey().
+ *
+ * \param ctx       The GCM context to initialize. This must not be \c NULL.
+ */
+void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
+
+/**
+ * \brief           This function associates a GCM context with a
+ *                  cipher algorithm and a key.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param cipher    The 128-bit block cipher to use.
+ * \param key       The encryption key. This must be a readable buffer of at
+ *                  least \p keybits bits.
+ * \param keybits   The key size in bits. Valid options are:
+ *                  <ul><li>128 bits</li>
+ *                  <li>192 bits</li>
+ *                  <li>256 bits</li></ul>
+ *
+ * \return          \c 0 on success.
+ * \return          A cipher-specific error code on failure.
+ */
+int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits );
+
+/**
+ * \brief           This function performs GCM encryption or decryption of a buffer.
+ *
+ * \note            For encryption, the output buffer can be the same as the
+ *                  input buffer. For decryption, the output buffer cannot be
+ *                  the same as input buffer. If the buffers overlap, the output
+ *                  buffer must trail at least 8 Bytes behind the input buffer.
+ *
+ * \warning         When this function performs a decryption, it outputs the
+ *                  authentication tag and does not verify that the data is
+ *                  authentic. You should use this function to perform encryption
+ *                  only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
+ *
+ * \param ctx       The GCM context to use for encryption or decryption. This
+ *                  must be initialized.
+ * \param mode      The operation to perform:
+ *                  - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
+ *                    The ciphertext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                  - #MBEDTLS_GCM_DECRYPT to perform decryption.
+ *                    The plaintext is written to \p output and the
+ *                    authentication tag is written to \p tag.
+ *                    Note that this mode is not recommended, because it does
+ *                    not verify the authenticity of the data. For this reason,
+ *                    you should use mbedtls_gcm_auth_decrypt() instead of
+ *                    calling this function in decryption mode.
+ * \param length    The length of the input data, which is equal to the length
+ *                  of the output data.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
+ * \param add_len   The length of the additional data.
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is greater
+ *                  than zero, this must be a writable buffer of at least that
+ *                  size in Bytes.
+ * \param tag_len   The length of the tag to generate.
+ * \param tag       The buffer for holding the tag. This must be a readable
+ *                  buffer of at least \p tag_len Bytes.
+ *
+ * \return          \c 0 if the encryption or decryption was performed
+ *                  successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
+ *                  this does not indicate that the data is authentic.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the encryption
+ *                  or decryption failed.
+ */
+int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
+                       int mode,
+                       size_t length,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t tag_len,
+                       unsigned char *tag );
+
+/**
+ * \brief           This function performs a GCM authenticated decryption of a
+ *                  buffer.
+ *
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param length    The length of the ciphertext to decrypt, which is also
+ *                  the length of the decrypted plaintext.
+ * \param iv        The initialization vector. This must be a readable buffer
+ *                  of at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data. This must be of at
+ *                  least that size in Bytes.
+ * \param add_len   The length of the additional data.
+ * \param tag       The buffer holding the tag to verify. This must be a
+ *                  readable buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the tag to verify.
+ * \param input     The buffer holding the ciphertext. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size.
+ * \param output    The buffer for holding the decrypted plaintext. If \p length
+ *                  is greater than zero, this must be a writable buffer of at
+ *                  least that size.
+ *
+ * \return          \c 0 if successful and authenticated.
+ * \return          #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
+ *                  not valid or a cipher-specific error code if the decryption
+ *                  failed.
+ */
+int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
+                      size_t length,
+                      const unsigned char *iv,
+                      size_t iv_len,
+                      const unsigned char *add,
+                      size_t add_len,
+                      const unsigned char *tag,
+                      size_t tag_len,
+                      const unsigned char *input,
+                      unsigned char *output );
+
+/**
+ * \brief           This function starts a GCM encryption or decryption
+ *                  operation.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param mode      The operation to perform: #MBEDTLS_GCM_ENCRYPT or
+ *                  #MBEDTLS_GCM_DECRYPT.
+ * \param iv        The initialization vector. This must be a readable buffer of
+ *                  at least \p iv_len Bytes.
+ * \param iv_len    The length of the IV.
+ * \param add       The buffer holding the additional data, or \c NULL
+ *                  if \p add_len is \c 0.
+ * \param add_len   The length of the additional data. If \c 0,
+ *                  \p add may be \c NULL.
+ *
+ * \return          \c 0 on success.
+ */
+int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
+                int mode,
+                const unsigned char *iv,
+                size_t iv_len,
+                const unsigned char *add,
+                size_t add_len );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing GCM
+ *                  encryption or decryption operation.
+ *
+ *    `             The function expects input to be a multiple of 16
+ *                  Bytes. Only the last call before calling
+ *                  mbedtls_gcm_finish() can be less than 16 Bytes.
+ *
+ * \note            For decryption, the output buffer cannot be the same as
+ *                  input buffer. If the buffers overlap, the output buffer
+ *                  must trail at least 8 Bytes behind the input buffer.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param length    The length of the input data. This must be a multiple of
+ *                  16 except in the last call before mbedtls_gcm_finish().
+ * \param input     The buffer holding the input data. If \p length is greater
+ *                  than zero, this must be a readable buffer of at least that
+ *                  size in Bytes.
+ * \param output    The buffer for holding the output data. If \p length is
+ *                  greater than zero, this must be a writable buffer of at
+ *                  least that size in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
+                size_t length,
+                const unsigned char *input,
+                unsigned char *output );
+
+/**
+ * \brief           This function finishes the GCM operation and generates
+ *                  the authentication tag.
+ *
+ *                  It wraps up the GCM stream, and generates the
+ *                  tag. The tag can have a maximum length of 16 Bytes.
+ *
+ * \param ctx       The GCM context. This must be initialized.
+ * \param tag       The buffer for holding the tag. This must be a readable
+ *                  buffer of at least \p tag_len Bytes.
+ * \param tag_len   The length of the tag to generate. This must be at least
+ *                  four.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
+ */
+int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
+                unsigned char *tag,
+                size_t tag_len );
+
+/**
+ * \brief           This function clears a GCM context and the underlying
+ *                  cipher sub-context.
+ *
+ * \param ctx       The GCM context to clear. If this is \c NULL, the call has
+ *                  no effect. Otherwise, this must be initialized.
+ */
+void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The GCM checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_gcm_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif /* gcm.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/havege.h b/makerom/deps/libmbedtls/include/mbedtls/havege.h
new file mode 100644
index 00000000..4c1c8608
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/havege.h
@@ -0,0 +1,81 @@
+/**
+ * \file havege.h
+ *
+ * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HAVEGE_H
+#define MBEDTLS_HAVEGE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+#define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          HAVEGE state structure
+ */
+typedef struct mbedtls_havege_state
+{
+    int PT1, PT2, offset[2];
+    int pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
+    int WALK[8192];
+}
+mbedtls_havege_state;
+
+/**
+ * \brief          HAVEGE initialization
+ *
+ * \param hs       HAVEGE state to be initialized
+ */
+void mbedtls_havege_init( mbedtls_havege_state *hs );
+
+/**
+ * \brief          Clear HAVEGE state
+ *
+ * \param hs       HAVEGE state to be cleared
+ */
+void mbedtls_havege_free( mbedtls_havege_state *hs );
+
+/**
+ * \brief          HAVEGE rand function
+ *
+ * \param p_rng    A HAVEGE state
+ * \param output   Buffer to fill
+ * \param len      Length of buffer
+ *
+ * \return         0
+ */
+int mbedtls_havege_random( void *p_rng, unsigned char *output, size_t len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* havege.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/hkdf.h b/makerom/deps/libmbedtls/include/mbedtls/hkdf.h
new file mode 100644
index 00000000..bcafe425
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/hkdf.h
@@ -0,0 +1,141 @@
+/**
+ * \file hkdf.h
+ *
+ * \brief   This file contains the HKDF interface.
+ *
+ *          The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is
+ *          specified by RFC 5869.
+ */
+/*
+ *  Copyright (C) 2016-2019, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HKDF_H
+#define MBEDTLS_HKDF_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+/**
+ *  \name HKDF Error codes
+ *  \{
+ */
+#define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA  -0x5F80  /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ *  \brief  This is the HMAC-based Extract-and-Expand Key Derivation Function
+ *          (HKDF).
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  salt      An optional salt value (a non-secret random value);
+ *                    if the salt is not provided, a string of all zeros of
+ *                    md.size length is used as the salt.
+ *  \param  salt_len  The length in bytes of the optional \p salt.
+ *  \param  ikm       The input keying material.
+ *  \param  ikm_len   The length in bytes of \p ikm.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                  const unsigned char *info, size_t info_len,
+                  unsigned char *okm, size_t okm_len );
+
+/**
+ *  \brief  Take the input keying material \p ikm and extract from it a
+ *          fixed-length pseudorandom key \p prk.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param       md        A hash function; md.size denotes the length of the
+ *                         hash function output in bytes.
+ *  \param       salt      An optional salt value (a non-secret random value);
+ *                         if the salt is not provided, a string of all zeros
+ *                         of md.size length is used as the salt.
+ *  \param       salt_len  The length in bytes of the optional \p salt.
+ *  \param       ikm       The input keying material.
+ *  \param       ikm_len   The length in bytes of \p ikm.
+ *  \param[out]  prk       A pseudorandom key of at least md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+                          const unsigned char *salt, size_t salt_len,
+                          const unsigned char *ikm, size_t ikm_len,
+                          unsigned char *prk );
+
+/**
+ *  \brief  Expand the supplied \p prk into several additional pseudorandom
+ *          keys, which is the output of the HKDF.
+ *
+ *  \warning    This function should only be used if the security of it has been
+ *              studied and established in that particular context (eg. TLS 1.3
+ *              key schedule). For standard HKDF security guarantees use
+ *              \c mbedtls_hkdf instead.
+ *
+ *  \param  md        A hash function; md.size denotes the length of the hash
+ *                    function output in bytes.
+ *  \param  prk       A pseudorandom key of at least md.size bytes. \p prk is
+ *                    usually the output from the HKDF extract step.
+ *  \param  prk_len   The length in bytes of \p prk.
+ *  \param  info      An optional context and application specific information
+ *                    string. This can be a zero-length string.
+ *  \param  info_len  The length of \p info in bytes.
+ *  \param  okm       The output keying material of \p okm_len bytes.
+ *  \param  okm_len   The length of the output keying material in bytes. This
+ *                    must be less than or equal to 255 * md.size bytes.
+ *
+ *  \return 0 on success.
+ *  \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
+ *  \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
+ *          MD layer.
+ */
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+                         size_t prk_len, const unsigned char *info,
+                         size_t info_len, unsigned char *okm, size_t okm_len );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hkdf.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/hmac_drbg.h b/makerom/deps/libmbedtls/include/mbedtls/hmac_drbg.h
new file mode 100644
index 00000000..7931c228
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/hmac_drbg.h
@@ -0,0 +1,415 @@
+/**
+ * \file hmac_drbg.h
+ *
+ * \brief The HMAC_DRBG pseudorandom generator.
+ *
+ * This module implements the HMAC_DRBG pseudorandom generator described
+ * in <em>NIST SP 800-90A: Recommendation for Random Number Generation Using
+ * Deterministic Random Bit Generators</em>.
+ */
+/*
+ *  Copyright (C) 2006-2019, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_HMAC_DRBG_H
+#define MBEDTLS_HMAC_DRBG_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/*
+ * Error codes
+ */
+#define MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG              -0x0003  /**< Too many random requested in single call. */
+#define MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG                -0x0005  /**< Input too large (Entropy + additional). */
+#define MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR                -0x0007  /**< Read/write error in file. */
+#define MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED        -0x0009  /**< The entropy source failed. */
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_HMAC_DRBG_RESEED_INTERVAL)
+#define MBEDTLS_HMAC_DRBG_RESEED_INTERVAL   10000   /**< Interval before reseed is performed by default */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_INPUT         256     /**< Maximum number of additional input bytes */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_REQUEST)
+#define MBEDTLS_HMAC_DRBG_MAX_REQUEST       1024    /**< Maximum number of requested bytes per call */
+#endif
+
+#if !defined(MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT)
+#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT    384     /**< Maximum size of (re)seed buffer */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_HMAC_DRBG_PR_OFF   0   /**< No prediction resistance       */
+#define MBEDTLS_HMAC_DRBG_PR_ON    1   /**< Prediction resistance enabled  */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * HMAC_DRBG context.
+ */
+typedef struct mbedtls_hmac_drbg_context
+{
+    /* Working state: the key K is not stored explicitly,
+     * but is implied by the HMAC context */
+    mbedtls_md_context_t md_ctx;                    /*!< HMAC context (inc. K)  */
+    unsigned char V[MBEDTLS_MD_MAX_SIZE];  /*!< V in the spec          */
+    int reseed_counter;                     /*!< reseed counter         */
+
+    /* Administrative state */
+    size_t entropy_len;         /*!< entropy bytes grabbed on each (re)seed */
+    int prediction_resistance;  /*!< enable prediction resistance (Automatic
+                                     reseed before every random generation) */
+    int reseed_interval;        /*!< reseed interval   */
+
+    /* Callbacks */
+    int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */
+    void *p_entropy;            /*!< context for the entropy function        */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_hmac_drbg_context;
+
+/**
+ * \brief               HMAC_DRBG context initialization.
+ *
+ * This function makes the context ready for mbedtls_hmac_drbg_seed(),
+ * mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
+ *
+ * \param ctx           HMAC_DRBG context to be initialized.
+ */
+void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
+
+/**
+ * \brief               HMAC_DRBG initial seeding.
+ *
+ * Set the initial seed and set up the entropy source for future reseeds.
+ *
+ * A typical choice for the \p f_entropy and \p p_entropy parameters is
+ * to use the entropy module:
+ * - \p f_entropy is mbedtls_entropy_func();
+ * - \p p_entropy is an instance of ::mbedtls_entropy_context initialized
+ *   with mbedtls_entropy_init() (which registers the platform's default
+ *   entropy sources).
+ *
+ * You can provide a personalization string in addition to the
+ * entropy source, to make this instantiation as unique as possible.
+ *
+ * \note                By default, the security strength as defined by NIST is:
+ *                      - 128 bits if \p md_info is SHA-1;
+ *                      - 192 bits if \p md_info is SHA-224;
+ *                      - 256 bits if \p md_info is SHA-256, SHA-384 or SHA-512.
+ *                      Note that SHA-256 is just as efficient as SHA-224.
+ *                      The security strength can be reduced if a smaller
+ *                      entropy length is set with
+ *                      mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                The default entropy length is the security strength
+ *                      (converted from bits to bytes). You can override
+ *                      it by calling mbedtls_hmac_drbg_set_entropy_len().
+ *
+ * \note                During the initial seeding, this function calls
+ *                      the entropy source to obtain a nonce
+ *                      whose length is half the entropy length.
+ *
+ * \param ctx           HMAC_DRBG context to be seeded.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param f_entropy     The entropy callback, taking as arguments the
+ *                      \p p_entropy context, the buffer to fill, and the
+ *                      length of the buffer.
+ *                      \p f_entropy is always called with a length that is
+ *                      less than or equal to the entropy length.
+ * \param p_entropy     The entropy context to pass to \p f_entropy.
+ * \param custom        The personalization string.
+ *                      This can be \c NULL, in which case the personalization
+ *                      string is empty regardless of the value of \p len.
+ * \param len           The length of the personalization string.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len * 3 / 2
+ *                      where \p entropy_len is the entropy length
+ *                      described above.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if the call to \p f_entropy failed.
+ */
+int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
+                    const mbedtls_md_info_t * md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len );
+
+/**
+ * \brief               Initilisation of simpified HMAC_DRBG (never reseeds).
+ *
+ * This function is meant for use in algorithms that need a pseudorandom
+ * input such as deterministic ECDSA.
+ *
+ * \param ctx           HMAC_DRBG context to be initialised.
+ * \param md_info       MD algorithm to use for HMAC_DRBG.
+ * \param data          Concatenation of the initial entropy string and
+ *                      the additional data.
+ * \param data_len      Length of \p data in bytes.
+ *
+ * \return              \c 0 if successful. or
+ * \return              #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info is
+ *                      invalid.
+ * \return              #MBEDTLS_ERR_MD_ALLOC_FAILED if there was not enough
+ *                      memory to allocate context data.
+ */
+int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
+                        const mbedtls_md_info_t * md_info,
+                        const unsigned char *data, size_t data_len );
+
+/**
+ * \brief               This function turns prediction resistance on or off.
+ *                      The default value is off.
+ *
+ * \note                If enabled, entropy is gathered at the beginning of
+ *                      every call to mbedtls_hmac_drbg_random_with_add()
+ *                      or mbedtls_hmac_drbg_random().
+ *                      Only use this if your entropy source has sufficient
+ *                      throughput.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param resistance    #MBEDTLS_HMAC_DRBG_PR_ON or #MBEDTLS_HMAC_DRBG_PR_OFF.
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
+                                          int resistance );
+
+/**
+ * \brief               This function sets the amount of entropy grabbed on each
+ *                      seed or reseed.
+ *
+ * See the documentation of mbedtls_hmac_drbg_seed() for the default value.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param len           The amount of entropy to grab, in bytes.
+ */
+void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx,
+                                size_t len );
+
+/**
+ * \brief               Set the reseed interval.
+ *
+ * The reseed interval is the number of calls to mbedtls_hmac_drbg_random()
+ * or mbedtls_hmac_drbg_random_with_add() after which the entropy function
+ * is called again.
+ *
+ * The default value is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param interval      The reseed interval.
+ */
+void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx,
+                                    int interval );
+
+/**
+ * \brief               This function updates the state of the HMAC_DRBG context.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    The data to update the state with.
+ *                      If this is \c NULL, there is no additional data.
+ * \param add_len       Length of \p additional in bytes.
+ *                      Unused if \p additional is \c NULL.
+ *
+ * \return              \c 0 on success, or an error from the underlying
+ *                      hash calculation.
+ */
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+                       const unsigned char *additional, size_t add_len );
+
+/**
+ * \brief               This function reseeds the HMAC_DRBG context, that is
+ *                      extracts data from the entropy source.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    Additional data to add to the state.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p len should be \c 0.
+ * \param len           The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT
+ *                      and also at most
+ *                      #MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT - \p entropy_len
+ *                      where \p entropy_len is the entropy length
+ *                      (see mbedtls_hmac_drbg_set_entropy_len()).
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy function failed.
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+                      const unsigned char *additional, size_t len );
+
+/**
+ * \brief   This function updates an HMAC_DRBG instance with additional
+ *          data and uses it to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param output_len    The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \param additional    Additional data to update with.
+ *                      If this is \c NULL, there is no additional data
+ *                      and \p add_len should be \c 0.
+ * \param add_len       The length of the additional data.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p output_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if
+ *                      \p add_len > #MBEDTLS_HMAC_DRBG_MAX_INPUT.
+ */
+int mbedtls_hmac_drbg_random_with_add( void *p_rng,
+                               unsigned char *output, size_t output_len,
+                               const unsigned char *additional,
+                               size_t add_len );
+
+/**
+ * \brief   This function uses HMAC_DRBG to generate random data.
+ *
+ * This function automatically reseeds if the reseed counter is exceeded
+ * or prediction resistance is enabled.
+ *
+ * \param p_rng         The HMAC_DRBG context. This must be a pointer to a
+ *                      #mbedtls_hmac_drbg_context structure.
+ * \param output        The buffer to fill.
+ * \param out_len       The length of the buffer in bytes.
+ *                      This must be at most #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ *
+ * \return              \c 0 if successful.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED
+ *                      if a call to the entropy source failed.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG if
+ *                      \p out_len > #MBEDTLS_HMAC_DRBG_MAX_REQUEST.
+ */
+int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
+
+/**
+ * \brief               Free an HMAC_DRBG context
+ *
+ * \param ctx           The HMAC_DRBG context to free.
+ */
+void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief               This function updates the state of the HMAC_DRBG context.
+ *
+ * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
+ *                      in 2.16.0.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param additional    The data to update the state with.
+ *                      If this is \c NULL, there is no additional data.
+ * \param add_len       Length of \p additional in bytes.
+ *                      Unused if \p additional is \c NULL.
+ */
+MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
+    mbedtls_hmac_drbg_context *ctx,
+    const unsigned char *additional, size_t add_len );
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief               This function writes a seed file.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on reseed
+ *                      failure.
+ */
+int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
+
+/**
+ * \brief               This function reads and updates a seed file. The seed
+ *                      is added to this instance.
+ *
+ * \param ctx           The HMAC_DRBG context.
+ * \param path          The name of the file.
+ *
+ * \return              \c 0 on success.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR on file error.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED on
+ *                      reseed failure.
+ * \return              #MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG if the existing
+ *                      seed file is too large.
+ */
+int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief               The HMAC_DRBG Checkup routine.
+ *
+ * \return              \c 0 if successful.
+ * \return              \c 1 if the test failed.
+ */
+int mbedtls_hmac_drbg_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* hmac_drbg.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/md.h b/makerom/deps/libmbedtls/include/mbedtls/md.h
new file mode 100644
index 00000000..8bcf766a
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/md.h
@@ -0,0 +1,468 @@
+ /**
+ * \file md.h
+ *
+ * \brief This file contains the generic message-digest wrapper.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_MD_H
+#define MBEDTLS_MD_H
+
+#include <stddef.h>
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE                -0x5080  /**< The selected feature is not available. */
+#define MBEDTLS_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
+
+/* MBEDTLS_ERR_MD_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280  /**< MD hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief     Supported message digests.
+ *
+ * \warning   MD2, MD4, MD5 and SHA-1 are considered weak message digests and
+ *            their use constitutes a security risk. We recommend considering
+ *            stronger message digests instead.
+ *
+ */
+typedef enum {
+    MBEDTLS_MD_NONE=0,    /**< None. */
+    MBEDTLS_MD_MD2,       /**< The MD2 message digest. */
+    MBEDTLS_MD_MD4,       /**< The MD4 message digest. */
+    MBEDTLS_MD_MD5,       /**< The MD5 message digest. */
+    MBEDTLS_MD_SHA1,      /**< The SHA-1 message digest. */
+    MBEDTLS_MD_SHA224,    /**< The SHA-224 message digest. */
+    MBEDTLS_MD_SHA256,    /**< The SHA-256 message digest. */
+    MBEDTLS_MD_SHA384,    /**< The SHA-384 message digest. */
+    MBEDTLS_MD_SHA512,    /**< The SHA-512 message digest. */
+    MBEDTLS_MD_RIPEMD160, /**< The RIPEMD-160 message digest. */
+} mbedtls_md_type_t;
+
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_MD_MAX_SIZE         64  /* longest known is SHA512 */
+#else
+#define MBEDTLS_MD_MAX_SIZE         32  /* longest known is SHA256 or less */
+#endif
+
+/**
+ * Opaque struct defined in md_internal.h.
+ */
+typedef struct mbedtls_md_info_t mbedtls_md_info_t;
+
+/**
+ * The generic message-digest context.
+ */
+typedef struct mbedtls_md_context_t
+{
+    /** Information about the associated message digest. */
+    const mbedtls_md_info_t *md_info;
+
+    /** The digest-specific context. */
+    void *md_ctx;
+
+    /** The HMAC part of the context. */
+    void *hmac_ctx;
+} mbedtls_md_context_t;
+
+/**
+ * \brief           This function returns the list of digests supported by the
+ *                  generic digest module.
+ *
+ * \return          A statically allocated array of digests. Each element
+ *                  in the returned list is an integer belonging to the
+ *                  message-digest enumeration #mbedtls_md_type_t.
+ *                  The last entry is 0.
+ */
+const int *mbedtls_md_list( void );
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  associated with the given digest name.
+ *
+ * \param md_name   The name of the digest to search for.
+ *
+ * \return          The message-digest information associated with \p md_name.
+ * \return          NULL if the associated message-digest information is not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name );
+
+/**
+ * \brief           This function returns the message-digest information
+ *                  associated with the given digest type.
+ *
+ * \param md_type   The type of digest to search for.
+ *
+ * \return          The message-digest information associated with \p md_type.
+ * \return          NULL if the associated message-digest information is not found.
+ */
+const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type );
+
+/**
+ * \brief           This function initializes a message-digest context without
+ *                  binding it to a particular message-digest algorithm.
+ *
+ *                  This function should always be called first. It prepares the
+ *                  context for mbedtls_md_setup() for binding it to a
+ *                  message-digest algorithm.
+ */
+void mbedtls_md_init( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief           This function clears the internal structure of \p ctx and
+ *                  frees any embedded internal structure, but does not free
+ *                  \p ctx itself.
+ *
+ *                  If you have called mbedtls_md_setup() on \p ctx, you must
+ *                  call mbedtls_md_free() when you are no longer using the
+ *                  context.
+ *                  Calling this function if you have previously
+ *                  called mbedtls_md_init() and nothing else is optional.
+ *                  You must not call this function if you have not called
+ *                  mbedtls_md_init().
+ */
+void mbedtls_md_free( mbedtls_md_context_t *ctx );
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief           This function selects the message digest algorithm to use,
+ *                  and allocates internal structures.
+ *
+ *                  It should be called after mbedtls_md_init() or mbedtls_md_free().
+ *                  Makes it necessary to call mbedtls_md_free() later.
+ *
+ * \deprecated      Superseded by mbedtls_md_setup() in 2.0.0
+ *
+ * \param ctx       The context to set up.
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
+ */
+int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info ) MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief           This function selects the message digest algorithm to use,
+ *                  and allocates internal structures.
+ *
+ *                  It should be called after mbedtls_md_init() or
+ *                  mbedtls_md_free(). Makes it necessary to call
+ *                  mbedtls_md_free() later.
+ *
+ * \param ctx       The context to set up.
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ * \param hmac      Defines if HMAC is used. 0: HMAC is not used (saves some memory),
+ *                  or non-zero: HMAC is used with this context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ * \return          #MBEDTLS_ERR_MD_ALLOC_FAILED on memory-allocation failure.
+ */
+int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac );
+
+/**
+ * \brief           This function clones the state of an message-digest
+ *                  context.
+ *
+ * \note            You must call mbedtls_md_setup() on \c dst before calling
+ *                  this function.
+ *
+ * \note            The two contexts must have the same type,
+ *                  for example, both are SHA-256.
+ *
+ * \warning         This function clones the message-digest state, not the
+ *                  HMAC state.
+ *
+ * \param dst       The destination context.
+ * \param src       The context to be cloned.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification failure.
+ */
+int mbedtls_md_clone( mbedtls_md_context_t *dst,
+                      const mbedtls_md_context_t *src );
+
+/**
+ * \brief           This function extracts the message-digest size from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The size of the message-digest output in Bytes.
+ */
+unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function extracts the message-digest type from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The type of the message digest.
+ */
+mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function extracts the message-digest name from the
+ *                  message-digest information structure.
+ *
+ * \param md_info   The information structure of the message-digest algorithm
+ *                  to use.
+ *
+ * \return          The name of the message digest.
+ */
+const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info );
+
+/**
+ * \brief           This function starts a message-digest computation.
+ *
+ *                  You must call this function after setting up the context
+ *                  with mbedtls_md_setup(), and before passing data with
+ *                  mbedtls_md_update().
+ *
+ * \param ctx       The generic message-digest context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_starts( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing
+ *                  message-digest computation.
+ *
+ *                  You must call mbedtls_md_starts() before calling this
+ *                  function. You may call this function multiple times.
+ *                  Afterwards, call mbedtls_md_finish().
+ *
+ * \param ctx       The generic message-digest context.
+ * \param input     The buffer holding the input data.
+ * \param ilen      The length of the input data.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen );
+
+/**
+ * \brief           This function finishes the digest operation,
+ *                  and writes the result to the output buffer.
+ *
+ *                  Call this function after a call to mbedtls_md_starts(),
+ *                  followed by any number of calls to mbedtls_md_update().
+ *                  Afterwards, you may either clear the context with
+ *                  mbedtls_md_free(), or call mbedtls_md_starts() to reuse
+ *                  the context for another digest operation with the same
+ *                  algorithm.
+ *
+ * \param ctx       The generic message-digest context.
+ * \param output    The buffer for the generic message-digest checksum result.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output );
+
+/**
+ * \brief          This function calculates the message-digest of a buffer,
+ *                 with respect to a configurable message-digest algorithm
+ *                 in a single call.
+ *
+ *                 The result is calculated as
+ *                 Output = message_digest(input buffer).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param input    The buffer holding the data.
+ * \param ilen     The length of the input data.
+ * \param output   The generic message-digest checksum result.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                 failure.
+ */
+int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+        unsigned char *output );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          This function calculates the message-digest checksum
+ *                 result of the contents of the provided file.
+ *
+ *                 The result is calculated as
+ *                 Output = message_digest(file contents).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param path     The input file name.
+ * \param output   The generic message-digest checksum result.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_FILE_IO_ERROR on an I/O error accessing
+ *                 the file pointed by \p path.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL.
+ */
+int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path,
+                     unsigned char *output );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief           This function sets the HMAC key and prepares to
+ *                  authenticate a new message.
+ *
+ *                  Call this function after mbedtls_md_setup(), to use
+ *                  the MD context for an HMAC calculation, then call
+ *                  mbedtls_md_hmac_update() to provide the input data, and
+ *                  mbedtls_md_hmac_finish() to get the HMAC value.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param key       The HMAC secret key.
+ * \param keylen    The length of the HMAC key in Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key,
+                    size_t keylen );
+
+/**
+ * \brief           This function feeds an input buffer into an ongoing HMAC
+ *                  computation.
+ *
+ *                  Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset()
+ *                  before calling this function.
+ *                  You may call this function multiple times to pass the
+ *                  input piecewise.
+ *                  Afterwards, call mbedtls_md_hmac_finish().
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param input     The buffer holding the input data.
+ * \param ilen      The length of the input data.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input,
+                    size_t ilen );
+
+/**
+ * \brief           This function finishes the HMAC operation, and writes
+ *                  the result to the output buffer.
+ *
+ *                  Call this function after mbedtls_md_hmac_starts() and
+ *                  mbedtls_md_hmac_update() to get the HMAC value. Afterwards
+ *                  you may either call mbedtls_md_free() to clear the context,
+ *                  or call mbedtls_md_hmac_reset() to reuse the context with
+ *                  the same HMAC key.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ * \param output    The generic HMAC checksum result.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output);
+
+/**
+ * \brief           This function prepares to authenticate a new message with
+ *                  the same key as the previous HMAC operation.
+ *
+ *                  You may call this function after mbedtls_md_hmac_finish().
+ *                  Afterwards call mbedtls_md_hmac_update() to pass the new
+ *                  input.
+ *
+ * \param ctx       The message digest context containing an embedded HMAC
+ *                  context.
+ *
+ * \return          \c 0 on success.
+ * \return          #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                  failure.
+ */
+int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx );
+
+/**
+ * \brief          This function calculates the full generic HMAC
+ *                 on the input buffer with the provided key.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The HMAC result is calculated as
+ *                 output = generic HMAC(hmac key, input buffer).
+ *
+ * \param md_info  The information structure of the message-digest algorithm
+ *                 to use.
+ * \param key      The HMAC secret key.
+ * \param keylen   The length of the HMAC secret key in Bytes.
+ * \param input    The buffer holding the input data.
+ * \param ilen     The length of the input data.
+ * \param output   The generic HMAC result.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter-verification
+ *                 failure.
+ */
+int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output );
+
+/* Internal use */
+int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/md2.h b/makerom/deps/libmbedtls/include/mbedtls/md2.h
new file mode 100644
index 00000000..fe97cf08
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/md2.h
@@ -0,0 +1,306 @@
+/**
+ * \file md2.h
+ *
+ * \brief MD2 message digest algorithm (hash function)
+ *
+ * \warning MD2 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_MD2_H
+#define MBEDTLS_MD2_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/* MBEDTLS_ERR_MD2_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED                   -0x002B  /**< MD2 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD2_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD2 context structure
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md2_context
+{
+    unsigned char cksum[16];    /*!< checksum of the data block */
+    unsigned char state[48];    /*!< intermediate digest state  */
+    unsigned char buffer[16];   /*!< data block being processed */
+    size_t left;                /*!< amount of data in buffer   */
+}
+mbedtls_md2_context;
+
+#else  /* MBEDTLS_MD2_ALT */
+#include "md2_alt.h"
+#endif /* MBEDTLS_MD2_ALT */
+
+/**
+ * \brief          Initialize MD2 context
+ *
+ * \param ctx      MD2 context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_init( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          Clear MD2 context
+ *
+ * \param ctx      MD2 context to be cleared
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_free( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD2 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md2_clone( mbedtls_md2_context *dst,
+                        const mbedtls_md2_context *src );
+
+/**
+ * \brief          MD2 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \param ctx      MD2 context
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md2_process( mbedtls_md2_context *ctx );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD2 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md2_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_starts( mbedtls_md2_context *ctx );
+
+/**
+ * \brief          MD2 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md2_update_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_update( mbedtls_md2_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD2 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md2_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_finish( mbedtls_md2_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD2 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md2_process() in 2.7.0
+ *
+ * \param ctx      MD2 context
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2_process( mbedtls_md2_context *ctx );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD2( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md2_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD2 checksum result
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md2( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD2 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md2_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md2.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/md4.h b/makerom/deps/libmbedtls/include/mbedtls/md4.h
new file mode 100644
index 00000000..ce703c0b
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/md4.h
@@ -0,0 +1,311 @@
+/**
+ * \file md4.h
+ *
+ * \brief MD4 message digest algorithm (hash function)
+ *
+ * \warning MD4 is considered a weak message digest and its use constitutes a
+ *          security risk. We recommend considering stronger message digests
+ *          instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+#ifndef MBEDTLS_MD4_H
+#define MBEDTLS_MD4_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_MD4_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED                   -0x002D  /**< MD4 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD4_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD4 context structure
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md4_context
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[4];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_md4_context;
+
+#else  /* MBEDTLS_MD4_ALT */
+#include "md4_alt.h"
+#endif /* MBEDTLS_MD4_ALT */
+
+/**
+ * \brief          Initialize MD4 context
+ *
+ * \param ctx      MD4 context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_init( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          Clear MD4 context
+ *
+ * \param ctx      MD4 context to be cleared
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_free( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD4 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md4_clone( mbedtls_md4_context *dst,
+                        const mbedtls_md4_context *src );
+
+/**
+ * \brief          MD4 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ */
+int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_update_ret( mbedtls_md4_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
+                                  const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD4 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md4_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_starts( mbedtls_md4_context *ctx );
+
+/**
+ * \brief          MD4 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md4_update_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_update( mbedtls_md4_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD4 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md4_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_finish( mbedtls_md4_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD4 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md4_process() in 2.7.0
+ *
+ * \param ctx      MD4 context
+ * \param data     buffer holding one block of data
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4_process( mbedtls_md4_context *ctx,
+                                             const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD4( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md4_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD4 checksum result
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md4( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD4 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md4_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md4.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/md5.h b/makerom/deps/libmbedtls/include/mbedtls/md5.h
new file mode 100644
index 00000000..6eed6cc8
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/md5.h
@@ -0,0 +1,311 @@
+/**
+ * \file md5.h
+ *
+ * \brief MD5 message digest algorithm (hash function)
+ *
+ * \warning   MD5 is considered a weak message digest and its use constitutes a
+ *            security risk. We recommend considering stronger message
+ *            digests instead.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_MD5_H
+#define MBEDTLS_MD5_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED                   -0x002F  /**< MD5 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_MD5_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          MD5 context structure
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_md5_context
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[4];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_md5_context;
+
+#else  /* MBEDTLS_MD5_ALT */
+#include "md5_alt.h"
+#endif /* MBEDTLS_MD5_ALT */
+
+/**
+ * \brief          Initialize MD5 context
+ *
+ * \param ctx      MD5 context to be initialized
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_init( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          Clear MD5 context
+ *
+ * \param ctx      MD5 context to be cleared
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_free( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an MD5 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+void mbedtls_md5_clone( mbedtls_md5_context *dst,
+                        const mbedtls_md5_context *src );
+
+/**
+ * \brief          MD5 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          MD5 process buffer
+ *
+ * \param ctx      MD5 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_update_ret( mbedtls_md5_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen );
+
+/**
+ * \brief          MD5 final digest
+ *
+ * \param ctx      MD5 context
+ * \param output   MD5 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx,
+                            unsigned char output[16] );
+
+/**
+ * \brief          MD5 process data block (internal use only)
+ *
+ * \param ctx      MD5 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
+                                  const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          MD5 context setup
+ *
+ * \deprecated     Superseded by mbedtls_md5_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_starts( mbedtls_md5_context *ctx );
+
+/**
+ * \brief          MD5 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_md5_update_ret() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_update( mbedtls_md5_context *ctx,
+                                            const unsigned char *input,
+                                            size_t ilen );
+
+/**
+ * \brief          MD5 final digest
+ *
+ * \deprecated     Superseded by mbedtls_md5_finish_ret() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param output   MD5 checksum result
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_finish( mbedtls_md5_context *ctx,
+                                            unsigned char output[16] );
+
+/**
+ * \brief          MD5 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_md5_process() in 2.7.0
+ *
+ * \param ctx      MD5 context
+ * \param data     buffer holding one block of data
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5_process( mbedtls_md5_context *ctx,
+                                             const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = MD5( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD5 checksum result
+ *
+ * \return         0 if successful
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = MD5( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_md5_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   MD5 checksum result
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_md5( const unsigned char *input,
+                                     size_t ilen,
+                                     unsigned char output[16] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ *
+ * \warning        MD5 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+int mbedtls_md5_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_md5.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/md_internal.h b/makerom/deps/libmbedtls/include/mbedtls/md_internal.h
new file mode 100644
index 00000000..04de4829
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/md_internal.h
@@ -0,0 +1,115 @@
+/**
+ * \file md_internal.h
+ *
+ * \brief Message digest wrappers.
+ *
+ * \warning This in an internal header. Do not include directly.
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_MD_WRAP_H
+#define MBEDTLS_MD_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Message digest information.
+ * Allows message digest functions to be called in a generic way.
+ */
+struct mbedtls_md_info_t
+{
+    /** Digest identifier */
+    mbedtls_md_type_t type;
+
+    /** Name of the message digest */
+    const char * name;
+
+    /** Output length of the digest function in bytes */
+    int size;
+
+    /** Block length of the digest function in bytes */
+    int block_size;
+
+    /** Digest initialisation function */
+    int (*starts_func)( void *ctx );
+
+    /** Digest update function */
+    int (*update_func)( void *ctx, const unsigned char *input, size_t ilen );
+
+    /** Digest finalisation function */
+    int (*finish_func)( void *ctx, unsigned char *output );
+
+    /** Generic digest function */
+    int (*digest_func)( const unsigned char *input, size_t ilen,
+                        unsigned char *output );
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+    /** Clone state from a context */
+    void (*clone_func)( void *dst, const void *src );
+
+    /** Internal use only */
+    int (*process_func)( void *ctx, const unsigned char *input );
+};
+
+#if defined(MBEDTLS_MD2_C)
+extern const mbedtls_md_info_t mbedtls_md2_info;
+#endif
+#if defined(MBEDTLS_MD4_C)
+extern const mbedtls_md_info_t mbedtls_md4_info;
+#endif
+#if defined(MBEDTLS_MD5_C)
+extern const mbedtls_md_info_t mbedtls_md5_info;
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+extern const mbedtls_md_info_t mbedtls_ripemd160_info;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+extern const mbedtls_md_info_t mbedtls_sha1_info;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+extern const mbedtls_md_info_t mbedtls_sha224_info;
+extern const mbedtls_md_info_t mbedtls_sha256_info;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+extern const mbedtls_md_info_t mbedtls_sha384_info;
+extern const mbedtls_md_info_t mbedtls_sha512_info;
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_MD_WRAP_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h b/makerom/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h
new file mode 100644
index 00000000..705f9a63
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/memory_buffer_alloc.h
@@ -0,0 +1,151 @@
+/**
+ * \file memory_buffer_alloc.h
+ *
+ * \brief Buffer-based memory allocator
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_MEMORY_ALIGN_MULTIPLE)
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE       4 /**< Align on multiples of this value */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#define MBEDTLS_MEMORY_VERIFY_NONE         0
+#define MBEDTLS_MEMORY_VERIFY_ALLOC        (1 << 0)
+#define MBEDTLS_MEMORY_VERIFY_FREE         (1 << 1)
+#define MBEDTLS_MEMORY_VERIFY_ALWAYS       (MBEDTLS_MEMORY_VERIFY_ALLOC | MBEDTLS_MEMORY_VERIFY_FREE)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Initialize use of stack-based memory allocator.
+ *          The stack-based allocator does memory management inside the
+ *          presented buffer and does not call calloc() and free().
+ *          It sets the global mbedtls_calloc() and mbedtls_free() pointers
+ *          to its own functions.
+ *          (Provided mbedtls_calloc() and mbedtls_free() are thread-safe if
+ *           MBEDTLS_THREADING_C is defined)
+ *
+ * \note    This code is not optimized and provides a straight-forward
+ *          implementation of a stack-based memory allocator.
+ *
+ * \param buf   buffer to use as heap
+ * \param len   size of the buffer
+ */
+void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len );
+
+/**
+ * \brief   Free the mutex for thread-safety and clear remaining memory
+ */
+void mbedtls_memory_buffer_alloc_free( void );
+
+/**
+ * \brief   Determine when the allocator should automatically verify the state
+ *          of the entire chain of headers / meta-data.
+ *          (Default: MBEDTLS_MEMORY_VERIFY_NONE)
+ *
+ * \param verify    One of MBEDTLS_MEMORY_VERIFY_NONE, MBEDTLS_MEMORY_VERIFY_ALLOC,
+ *                  MBEDTLS_MEMORY_VERIFY_FREE or MBEDTLS_MEMORY_VERIFY_ALWAYS
+ */
+void mbedtls_memory_buffer_set_verify( int verify );
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+/**
+ * \brief   Print out the status of the allocated memory (primarily for use
+ *          after a program should have de-allocated all memory)
+ *          Prints out a list of 'still allocated' blocks and their stack
+ *          trace if MBEDTLS_MEMORY_BACKTRACE is defined.
+ */
+void mbedtls_memory_buffer_alloc_status( void );
+
+/**
+ * \brief   Get the peak heap usage so far
+ *
+ * \param max_used      Peak number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param max_blocks    Peak number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_max_get( size_t *max_used, size_t *max_blocks );
+
+/**
+ * \brief   Reset peak statistics
+ */
+void mbedtls_memory_buffer_alloc_max_reset( void );
+
+/**
+ * \brief   Get the current heap usage
+ *
+ * \param cur_used      Current number of bytes in use or committed. This
+ *                      includes bytes in allocated blocks too small to split
+ *                      into smaller blocks but larger than the requested size.
+ * \param cur_blocks    Current number of blocks in use, including free and used
+ */
+void mbedtls_memory_buffer_alloc_cur_get( size_t *cur_used, size_t *cur_blocks );
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+/**
+ * \brief   Verifies that all headers in the memory buffer are correct
+ *          and contain sane values. Helps debug buffer-overflow errors.
+ *
+ *          Prints out first failure if MBEDTLS_MEMORY_DEBUG is defined.
+ *          Prints out full header information if MBEDTLS_MEMORY_DEBUG
+ *          is defined. (Includes stack trace information for each block if
+ *          MBEDTLS_MEMORY_BACKTRACE is defined as well).
+ *
+ * \return             0 if verified, 1 otherwise
+ */
+int mbedtls_memory_buffer_alloc_verify( void );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_memory_buffer_alloc_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* memory_buffer_alloc.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/net.h b/makerom/deps/libmbedtls/include/mbedtls/net.h
new file mode 100644
index 00000000..8cead58e
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/net.h
@@ -0,0 +1,37 @@
+/**
+ * \file net.h
+ *
+ * \brief Deprecated header file that includes net_sockets.h
+ *
+ * \deprecated Superseded by mbedtls/net_sockets.h
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#include "net_sockets.h"
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/net_sockets.h b/makerom/deps/libmbedtls/include/mbedtls/net_sockets.h
new file mode 100644
index 00000000..4c7ef00f
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/net_sockets.h
@@ -0,0 +1,271 @@
+/**
+ * \file net_sockets.h
+ *
+ * \brief   Network sockets abstraction layer to integrate Mbed TLS into a
+ *          BSD-style sockets API.
+ *
+ *          The network sockets module provides an example integration of the
+ *          Mbed TLS library into a BSD sockets implementation. The module is
+ *          intended to be an example of how Mbed TLS can be integrated into a
+ *          networking stack, as well as to be Mbed TLS's network integration
+ *          for its supported platforms.
+ *
+ *          The module is intended only to be used with the Mbed TLS library and
+ *          is not intended to be used by third party application software
+ *          directly.
+ *
+ *          The supported platforms are as follows:
+ *              * Microsoft Windows and Windows CE
+ *              * POSIX/Unix platforms including Linux, OS X
+ *
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_NET_SOCKETS_H
+#define MBEDTLS_NET_SOCKETS_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_NET_SOCKET_FAILED                     -0x0042  /**< Failed to open a socket. */
+#define MBEDTLS_ERR_NET_CONNECT_FAILED                    -0x0044  /**< The connection to the given server / port failed. */
+#define MBEDTLS_ERR_NET_BIND_FAILED                       -0x0046  /**< Binding of the socket failed. */
+#define MBEDTLS_ERR_NET_LISTEN_FAILED                     -0x0048  /**< Could not listen on the socket. */
+#define MBEDTLS_ERR_NET_ACCEPT_FAILED                     -0x004A  /**< Could not accept the incoming connection. */
+#define MBEDTLS_ERR_NET_RECV_FAILED                       -0x004C  /**< Reading information from the socket failed. */
+#define MBEDTLS_ERR_NET_SEND_FAILED                       -0x004E  /**< Sending information through the socket failed. */
+#define MBEDTLS_ERR_NET_CONN_RESET                        -0x0050  /**< Connection was reset by peer. */
+#define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052  /**< Failed to get an IP address for the given hostname. */
+#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043  /**< Buffer is too small to hold the data. */
+#define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045  /**< The context is invalid, eg because it was free()ed. */
+#define MBEDTLS_ERR_NET_POLL_FAILED                       -0x0047  /**< Polling the net context failed. */
+#define MBEDTLS_ERR_NET_BAD_INPUT_DATA                    -0x0049  /**< Input invalid. */
+
+#define MBEDTLS_NET_LISTEN_BACKLOG         10 /**< The backlog that listen() should use. */
+
+#define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
+#define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
+
+#define MBEDTLS_NET_POLL_READ  1 /**< Used in \c mbedtls_net_poll to check for pending data  */
+#define MBEDTLS_NET_POLL_WRITE 2 /**< Used in \c mbedtls_net_poll to check if write possible */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Wrapper type for sockets.
+ *
+ * Currently backed by just a file descriptor, but might be more in the future
+ * (eg two file descriptors for combined IPv4 + IPv6 support, or additional
+ * structures for hand-made UDP demultiplexing).
+ */
+typedef struct mbedtls_net_context
+{
+    int fd;             /**< The underlying file descriptor                 */
+}
+mbedtls_net_context;
+
+/**
+ * \brief          Initialize a context
+ *                 Just makes the context ready to be used or freed safely.
+ *
+ * \param ctx      Context to initialize
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Initiate a connection with host:port in the given protocol
+ *
+ * \param ctx      Socket to use
+ * \param host     Host to connect to
+ * \param port     Port to connect to
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_UNKNOWN_HOST,
+ *                      MBEDTLS_ERR_NET_CONNECT_FAILED
+ *
+ * \note           Sets the socket in connected mode even with UDP.
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char *port, int proto );
+
+/**
+ * \brief          Create a receiving socket on bind_ip:port in the chosen
+ *                 protocol. If bind_ip == NULL, all interfaces are bound.
+ *
+ * \param ctx      Socket to use
+ * \param bind_ip  IP to bind to, can be NULL
+ * \param port     Port number to use
+ * \param proto    Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
+ *
+ * \return         0 if successful, or one of:
+ *                      MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                      MBEDTLS_ERR_NET_BIND_FAILED,
+ *                      MBEDTLS_ERR_NET_LISTEN_FAILED
+ *
+ * \note           Regardless of the protocol, opens the sockets and binds it.
+ *                 In addition, make the socket listening if protocol is TCP.
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto );
+
+/**
+ * \brief           Accept a connection from a remote client
+ *
+ * \param bind_ctx  Relevant socket
+ * \param client_ctx Will contain the connected client socket
+ * \param client_ip Will contain the client IP address, can be NULL
+ * \param buf_size  Size of the client_ip buffer
+ * \param ip_len    Will receive the size of the client IP written,
+ *                  can be NULL if client_ip is null
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_NET_ACCEPT_FAILED, or
+ *                  MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
+ *                  MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
+ *                  non-blocking and accept() would block.
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len );
+
+/**
+ * \brief          Check and wait for the context to be ready for read/write
+ *
+ * \param ctx      Socket to check
+ * \param rw       Bitflag composed of MBEDTLS_NET_POLL_READ and
+ *                 MBEDTLS_NET_POLL_WRITE specifying the events
+ *                 to wait for:
+ *                 - If MBEDTLS_NET_POLL_READ is set, the function
+ *                   will return as soon as the net context is available
+ *                   for reading.
+ *                 - If MBEDTLS_NET_POLL_WRITE is set, the function
+ *                   will return as soon as the net context is available
+ *                   for writing.
+ * \param timeout  Maximal amount of time to wait before returning,
+ *                 in milliseconds. If \c timeout is zero, the
+ *                 function returns immediately. If \c timeout is
+ *                 -1u, the function blocks potentially indefinitely.
+ *
+ * \return         Bitmask composed of MBEDTLS_NET_POLL_READ/WRITE
+ *                 on success or timeout, or a negative return code otherwise.
+ */
+int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout );
+
+/**
+ * \brief          Set the socket blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_block( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Set the socket non-blocking
+ *
+ * \param ctx      Socket to set
+ *
+ * \return         0 if successful, or a non-zero error code
+ */
+int mbedtls_net_set_nonblock( mbedtls_net_context *ctx );
+
+/**
+ * \brief          Portable usleep helper
+ *
+ * \param usec     Amount of microseconds to sleep
+ *
+ * \note           Real amount of time slept will not be less than
+ *                 select()'s timeout granularity (typically, 10ms).
+ */
+void mbedtls_net_usleep( unsigned long usec );
+
+/**
+ * \brief          Read at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_READ indicates read() would block.
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len );
+
+/**
+ * \brief          Write at most 'len' characters. If no error occurs,
+ *                 the actual amount read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to read from
+ * \param len      The length of the buffer
+ *
+ * \return         the number of bytes sent,
+ *                 or a non-zero error code; with a non-blocking socket,
+ *                 MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would block.
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
+
+/**
+ * \brief          Read at most 'len' characters, blocking for at most
+ *                 'timeout' seconds. If no error occurs, the actual amount
+ *                 read is returned.
+ *
+ * \param ctx      Socket
+ * \param buf      The buffer to write to
+ * \param len      Maximum length of the buffer
+ * \param timeout  Maximum number of milliseconds to wait for data
+ *                 0 means no timeout (wait forever)
+ *
+ * \return         the number of bytes received,
+ *                 or a non-zero error code:
+ *                 MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ *                 MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note           This function will block (until data becomes available or
+ *                 timeout is reached) even if the socket is set to
+ *                 non-blocking. Handling timeouts with non-blocking reads
+ *                 requires a different strategy.
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+                      uint32_t timeout );
+
+/**
+ * \brief          Gracefully shutdown the connection and free associated data
+ *
+ * \param ctx      The context to free
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* net_sockets.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/nist_kw.h b/makerom/deps/libmbedtls/include/mbedtls/nist_kw.h
new file mode 100644
index 00000000..3b67b59c
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/nist_kw.h
@@ -0,0 +1,184 @@
+/**
+ * \file nist_kw.h
+ *
+ * \brief This file provides an API for key wrapping (KW) and key wrapping with
+ *        padding (KWP) as defined in NIST SP 800-38F.
+ *        https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ *
+ *        Key wrapping specifies a deterministic authenticated-encryption mode
+ *        of operation, according to <em>NIST SP 800-38F: Recommendation for
+ *        Block Cipher Modes of Operation: Methods for Key Wrapping</em>. Its
+ *        purpose is to protect cryptographic keys.
+ *
+ *        Its equivalent is RFC 3394 for KW, and RFC 5649 for KWP.
+ *        https://tools.ietf.org/html/rfc3394
+ *        https://tools.ietf.org/html/rfc5649
+ *
+ */
+/*
+ *  Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_NIST_KW_H
+#define MBEDTLS_NIST_KW_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum
+{
+    MBEDTLS_KW_MODE_KW = 0,
+    MBEDTLS_KW_MODE_KWP = 1
+} mbedtls_nist_kw_mode_t;
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief    The key wrapping context-type definition. The key wrapping context is passed
+ *           to the APIs called.
+ *
+ * \note     The definition of this type may change in future library versions.
+ *           Don't make any assumptions on this context!
+ */
+typedef struct {
+    mbedtls_cipher_context_t cipher_ctx;    /*!< The cipher context used. */
+} mbedtls_nist_kw_context;
+
+#else  /* MBEDTLS_NIST_key wrapping_ALT */
+#include "nist_kw_alt.h"
+#endif /* MBEDTLS_NIST_KW_ALT */
+
+/**
+ * \brief           This function initializes the specified key wrapping context
+ *                  to make references valid and prepare the context
+ *                  for mbedtls_nist_kw_setkey() or mbedtls_nist_kw_free().
+ *
+ * \param ctx       The key wrapping context to initialize.
+ *
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief           This function initializes the key wrapping context set in the
+ *                  \p ctx parameter and sets the encryption key.
+ *
+ * \param ctx       The key wrapping context.
+ * \param cipher    The 128-bit block cipher to use. Only AES is supported.
+ * \param key       The Key Encryption Key (KEK).
+ * \param keybits   The KEK size in bits. This must be acceptable by the cipher.
+ * \param is_wrap   Specify whether the operation within the context is wrapping or unwrapping
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for any invalid input.
+ * \return          \c MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE for 128-bit block ciphers
+ *                  which are not supported.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+                            mbedtls_cipher_id_t cipher,
+                            const unsigned char *key,
+                            unsigned int keybits,
+                            const int is_wrap );
+
+/**
+ * \brief   This function releases and clears the specified key wrapping context
+ *          and underlying cipher sub-context.
+ *
+ * \param ctx       The key wrapping context to clear.
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx );
+
+/**
+ * \brief           This function encrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for encryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 16 and 2^57-8 inclusive. </li>
+ *                  <li>For KWP mode: any length between 1 and 2^32-1 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  <ul><li>For KW mode: Must be at least 8 bytes larger than \p in_len.</li>
+ *                  <li>For KWP mode: Must be at least 8 bytes larger rounded up to a multiple of
+ *                  8 bytes for KWP (15 bytes at most).</li></ul>
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                          const unsigned char *input, size_t in_len,
+                          unsigned char *output, size_t* out_len, size_t out_size );
+
+/**
+ * \brief           This function decrypts a buffer using key wrapping.
+ *
+ * \param ctx       The key wrapping context to use for decryption.
+ * \param mode      The key wrapping mode to use (MBEDTLS_KW_MODE_KW or MBEDTLS_KW_MODE_KWP)
+ * \param input     The buffer holding the input data.
+ * \param in_len    The length of the input data in Bytes.
+ *                  The input uses units of 8 Bytes called semiblocks.
+ *                  The input must be a multiple of semiblocks.
+ *                  <ul><li>For KW mode: a multiple of 8 bytes between 24 and 2^57 inclusive. </li>
+ *                  <li>For KWP mode: a multiple of 8 bytes between 16 and 2^32 inclusive.</li></ul>
+ * \param[out] output    The buffer holding the output data.
+ *                  The output buffer's minimal length is 8 bytes shorter than \p in_len.
+ * \param[out] out_len The number of bytes written to the output buffer. \c 0 on failure.
+ *                  For KWP mode, the length could be up to 15 bytes shorter than \p in_len,
+ *                  depending on how much padding was added to the data.
+ * \param[in] out_size The capacity of the output buffer.
+ *
+ * \return          \c 0 on success.
+ * \return          \c MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA for invalid input length.
+ * \return          \c MBEDTLS_ERR_CIPHER_AUTH_FAILED for verification failure of the ciphertext.
+ * \return          cipher-specific error code on failure of the underlying cipher.
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx, mbedtls_nist_kw_mode_t mode,
+                            const unsigned char *input, size_t in_len,
+                            unsigned char *output, size_t* out_len, size_t out_size);
+
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/**
+ * \brief          The key wrapping checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_nist_kw_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_NIST_KW_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/oid.h b/makerom/deps/libmbedtls/include/mbedtls/oid.h
new file mode 100644
index 00000000..6fbd018a
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/oid.h
@@ -0,0 +1,605 @@
+/**
+ * \file oid.h
+ *
+ * \brief Object Identifier (OID) database
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_OID_H
+#define MBEDTLS_OID_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "pk.h"
+
+#include <stddef.h>
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "cipher.h"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#include "md.h"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "x509.h"
+#endif
+
+#define MBEDTLS_ERR_OID_NOT_FOUND                         -0x002E  /**< OID is not found. */
+#define MBEDTLS_ERR_OID_BUF_TOO_SMALL                     -0x000B  /**< output buffer is too small */
+
+/*
+ * Top level OID tuples
+ */
+#define MBEDTLS_OID_ISO_MEMBER_BODIES           "\x2a"          /* {iso(1) member-body(2)} */
+#define MBEDTLS_OID_ISO_IDENTIFIED_ORG          "\x2b"          /* {iso(1) identified-organization(3)} */
+#define MBEDTLS_OID_ISO_CCITT_DS                "\x55"          /* {joint-iso-ccitt(2) ds(5)} */
+#define MBEDTLS_OID_ISO_ITU_COUNTRY             "\x60"          /* {joint-iso-itu-t(2) country(16)} */
+
+/*
+ * ISO Member bodies OID parts
+ */
+#define MBEDTLS_OID_COUNTRY_US                  "\x86\x48"      /* {us(840)} */
+#define MBEDTLS_OID_ORG_RSA_DATA_SECURITY       "\x86\xf7\x0d"  /* {rsadsi(113549)} */
+#define MBEDTLS_OID_RSA_COMPANY                 MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+                                        MBEDTLS_OID_ORG_RSA_DATA_SECURITY /* {iso(1) member-body(2) us(840) rsadsi(113549)} */
+#define MBEDTLS_OID_ORG_ANSI_X9_62              "\xce\x3d" /* ansi-X9-62(10045) */
+#define MBEDTLS_OID_ANSI_X9_62                  MBEDTLS_OID_ISO_MEMBER_BODIES MBEDTLS_OID_COUNTRY_US \
+                                        MBEDTLS_OID_ORG_ANSI_X9_62
+
+/*
+ * ISO Identified organization OID parts
+ */
+#define MBEDTLS_OID_ORG_DOD                     "\x06"          /* {dod(6)} */
+#define MBEDTLS_OID_ORG_OIW                     "\x0e"
+#define MBEDTLS_OID_OIW_SECSIG                  MBEDTLS_OID_ORG_OIW "\x03"
+#define MBEDTLS_OID_OIW_SECSIG_ALG              MBEDTLS_OID_OIW_SECSIG "\x02"
+#define MBEDTLS_OID_OIW_SECSIG_SHA1             MBEDTLS_OID_OIW_SECSIG_ALG "\x1a"
+#define MBEDTLS_OID_ORG_CERTICOM                "\x81\x04"  /* certicom(132) */
+#define MBEDTLS_OID_CERTICOM                    MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_CERTICOM
+#define MBEDTLS_OID_ORG_TELETRUST               "\x24" /* teletrust(36) */
+#define MBEDTLS_OID_TELETRUST                   MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_TELETRUST
+
+/*
+ * ISO ITU OID parts
+ */
+#define MBEDTLS_OID_ORGANIZATION                "\x01"          /* {organization(1)} */
+#define MBEDTLS_OID_ISO_ITU_US_ORG              MBEDTLS_OID_ISO_ITU_COUNTRY MBEDTLS_OID_COUNTRY_US MBEDTLS_OID_ORGANIZATION /* {joint-iso-itu-t(2) country(16) us(840) organization(1)} */
+
+#define MBEDTLS_OID_ORG_GOV                     "\x65"          /* {gov(101)} */
+#define MBEDTLS_OID_GOV                         MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_GOV /* {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)} */
+
+#define MBEDTLS_OID_ORG_NETSCAPE                "\x86\xF8\x42"  /* {netscape(113730)} */
+#define MBEDTLS_OID_NETSCAPE                    MBEDTLS_OID_ISO_ITU_US_ORG MBEDTLS_OID_ORG_NETSCAPE /* Netscape OID {joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730)} */
+
+/* ISO arc for standard certificate and CRL extensions */
+#define MBEDTLS_OID_ID_CE                       MBEDTLS_OID_ISO_CCITT_DS "\x1D" /**< id-ce OBJECT IDENTIFIER  ::=  {joint-iso-ccitt(2) ds(5) 29} */
+
+#define MBEDTLS_OID_NIST_ALG                    MBEDTLS_OID_GOV "\x03\x04" /** { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) */
+
+/**
+ * Private Internet Extensions
+ * { iso(1) identified-organization(3) dod(6) internet(1)
+ *                      security(5) mechanisms(5) pkix(7) }
+ */
+#define MBEDTLS_OID_PKIX                        MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_ORG_DOD "\x01\x05\x05\x07"
+
+/*
+ * Arc for standard naming attributes
+ */
+#define MBEDTLS_OID_AT                          MBEDTLS_OID_ISO_CCITT_DS "\x04" /**< id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4} */
+#define MBEDTLS_OID_AT_CN                       MBEDTLS_OID_AT "\x03" /**< id-at-commonName AttributeType:= {id-at 3} */
+#define MBEDTLS_OID_AT_SUR_NAME                 MBEDTLS_OID_AT "\x04" /**< id-at-surName AttributeType:= {id-at 4} */
+#define MBEDTLS_OID_AT_SERIAL_NUMBER            MBEDTLS_OID_AT "\x05" /**< id-at-serialNumber AttributeType:= {id-at 5} */
+#define MBEDTLS_OID_AT_COUNTRY                  MBEDTLS_OID_AT "\x06" /**< id-at-countryName AttributeType:= {id-at 6} */
+#define MBEDTLS_OID_AT_LOCALITY                 MBEDTLS_OID_AT "\x07" /**< id-at-locality AttributeType:= {id-at 7} */
+#define MBEDTLS_OID_AT_STATE                    MBEDTLS_OID_AT "\x08" /**< id-at-state AttributeType:= {id-at 8} */
+#define MBEDTLS_OID_AT_ORGANIZATION             MBEDTLS_OID_AT "\x0A" /**< id-at-organizationName AttributeType:= {id-at 10} */
+#define MBEDTLS_OID_AT_ORG_UNIT                 MBEDTLS_OID_AT "\x0B" /**< id-at-organizationalUnitName AttributeType:= {id-at 11} */
+#define MBEDTLS_OID_AT_TITLE                    MBEDTLS_OID_AT "\x0C" /**< id-at-title AttributeType:= {id-at 12} */
+#define MBEDTLS_OID_AT_POSTAL_ADDRESS           MBEDTLS_OID_AT "\x10" /**< id-at-postalAddress AttributeType:= {id-at 16} */
+#define MBEDTLS_OID_AT_POSTAL_CODE              MBEDTLS_OID_AT "\x11" /**< id-at-postalCode AttributeType:= {id-at 17} */
+#define MBEDTLS_OID_AT_GIVEN_NAME               MBEDTLS_OID_AT "\x2A" /**< id-at-givenName AttributeType:= {id-at 42} */
+#define MBEDTLS_OID_AT_INITIALS                 MBEDTLS_OID_AT "\x2B" /**< id-at-initials AttributeType:= {id-at 43} */
+#define MBEDTLS_OID_AT_GENERATION_QUALIFIER     MBEDTLS_OID_AT "\x2C" /**< id-at-generationQualifier AttributeType:= {id-at 44} */
+#define MBEDTLS_OID_AT_UNIQUE_IDENTIFIER        MBEDTLS_OID_AT "\x2D" /**< id-at-uniqueIdentifier AttributType:= {id-at 45} */
+#define MBEDTLS_OID_AT_DN_QUALIFIER             MBEDTLS_OID_AT "\x2E" /**< id-at-dnQualifier AttributeType:= {id-at 46} */
+#define MBEDTLS_OID_AT_PSEUDONYM                MBEDTLS_OID_AT "\x41" /**< id-at-pseudonym AttributeType:= {id-at 65} */
+
+#define MBEDTLS_OID_DOMAIN_COMPONENT            "\x09\x92\x26\x89\x93\xF2\x2C\x64\x01\x19" /** id-domainComponent AttributeType:= {itu-t(0) data(9) pss(2342) ucl(19200300) pilot(100) pilotAttributeType(1) domainComponent(25)} */
+
+/*
+ * OIDs for standard certificate extensions
+ */
+#define MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER    MBEDTLS_OID_ID_CE "\x23" /**< id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 } */
+#define MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER      MBEDTLS_OID_ID_CE "\x0E" /**< id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 } */
+#define MBEDTLS_OID_KEY_USAGE                   MBEDTLS_OID_ID_CE "\x0F" /**< id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 } */
+#define MBEDTLS_OID_CERTIFICATE_POLICIES        MBEDTLS_OID_ID_CE "\x20" /**< id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 } */
+#define MBEDTLS_OID_POLICY_MAPPINGS             MBEDTLS_OID_ID_CE "\x21" /**< id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 } */
+#define MBEDTLS_OID_SUBJECT_ALT_NAME            MBEDTLS_OID_ID_CE "\x11" /**< id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 } */
+#define MBEDTLS_OID_ISSUER_ALT_NAME             MBEDTLS_OID_ID_CE "\x12" /**< id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 } */
+#define MBEDTLS_OID_SUBJECT_DIRECTORY_ATTRS     MBEDTLS_OID_ID_CE "\x09" /**< id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 } */
+#define MBEDTLS_OID_BASIC_CONSTRAINTS           MBEDTLS_OID_ID_CE "\x13" /**< id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 } */
+#define MBEDTLS_OID_NAME_CONSTRAINTS            MBEDTLS_OID_ID_CE "\x1E" /**< id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 } */
+#define MBEDTLS_OID_POLICY_CONSTRAINTS          MBEDTLS_OID_ID_CE "\x24" /**< id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 } */
+#define MBEDTLS_OID_EXTENDED_KEY_USAGE          MBEDTLS_OID_ID_CE "\x25" /**< id-ce-extKeyUsage OBJECT IDENTIFIER ::= { id-ce 37 } */
+#define MBEDTLS_OID_CRL_DISTRIBUTION_POINTS     MBEDTLS_OID_ID_CE "\x1F" /**< id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::=  { id-ce 31 } */
+#define MBEDTLS_OID_INIHIBIT_ANYPOLICY          MBEDTLS_OID_ID_CE "\x36" /**< id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::=  { id-ce 54 } */
+#define MBEDTLS_OID_FRESHEST_CRL                MBEDTLS_OID_ID_CE "\x2E" /**< id-ce-freshestCRL OBJECT IDENTIFIER ::=  { id-ce 46 } */
+
+/*
+ * Netscape certificate extensions
+ */
+#define MBEDTLS_OID_NS_CERT                 MBEDTLS_OID_NETSCAPE "\x01"
+#define MBEDTLS_OID_NS_CERT_TYPE            MBEDTLS_OID_NS_CERT  "\x01"
+#define MBEDTLS_OID_NS_BASE_URL             MBEDTLS_OID_NS_CERT  "\x02"
+#define MBEDTLS_OID_NS_REVOCATION_URL       MBEDTLS_OID_NS_CERT  "\x03"
+#define MBEDTLS_OID_NS_CA_REVOCATION_URL    MBEDTLS_OID_NS_CERT  "\x04"
+#define MBEDTLS_OID_NS_RENEWAL_URL          MBEDTLS_OID_NS_CERT  "\x07"
+#define MBEDTLS_OID_NS_CA_POLICY_URL        MBEDTLS_OID_NS_CERT  "\x08"
+#define MBEDTLS_OID_NS_SSL_SERVER_NAME      MBEDTLS_OID_NS_CERT  "\x0C"
+#define MBEDTLS_OID_NS_COMMENT              MBEDTLS_OID_NS_CERT  "\x0D"
+#define MBEDTLS_OID_NS_DATA_TYPE            MBEDTLS_OID_NETSCAPE "\x02"
+#define MBEDTLS_OID_NS_CERT_SEQUENCE        MBEDTLS_OID_NS_DATA_TYPE "\x05"
+
+/*
+ * OIDs for CRL extensions
+ */
+#define MBEDTLS_OID_PRIVATE_KEY_USAGE_PERIOD    MBEDTLS_OID_ID_CE "\x10"
+#define MBEDTLS_OID_CRL_NUMBER                  MBEDTLS_OID_ID_CE "\x14" /**< id-ce-cRLNumber OBJECT IDENTIFIER ::= { id-ce 20 } */
+
+/*
+ * X.509 v3 Extended key usage OIDs
+ */
+#define MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE      MBEDTLS_OID_EXTENDED_KEY_USAGE "\x00" /**< anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 } */
+
+#define MBEDTLS_OID_KP                          MBEDTLS_OID_PKIX "\x03" /**< id-kp OBJECT IDENTIFIER ::= { id-pkix 3 } */
+#define MBEDTLS_OID_SERVER_AUTH                 MBEDTLS_OID_KP "\x01" /**< id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } */
+#define MBEDTLS_OID_CLIENT_AUTH                 MBEDTLS_OID_KP "\x02" /**< id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 } */
+#define MBEDTLS_OID_CODE_SIGNING                MBEDTLS_OID_KP "\x03" /**< id-kp-codeSigning OBJECT IDENTIFIER ::= { id-kp 3 } */
+#define MBEDTLS_OID_EMAIL_PROTECTION            MBEDTLS_OID_KP "\x04" /**< id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 } */
+#define MBEDTLS_OID_TIME_STAMPING               MBEDTLS_OID_KP "\x08" /**< id-kp-timeStamping OBJECT IDENTIFIER ::= { id-kp 8 } */
+#define MBEDTLS_OID_OCSP_SIGNING                MBEDTLS_OID_KP "\x09" /**< id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } */
+
+/*
+ * PKCS definition OIDs
+ */
+
+#define MBEDTLS_OID_PKCS                MBEDTLS_OID_RSA_COMPANY "\x01" /**< pkcs OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) 1 } */
+#define MBEDTLS_OID_PKCS1               MBEDTLS_OID_PKCS "\x01" /**< pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 } */
+#define MBEDTLS_OID_PKCS5               MBEDTLS_OID_PKCS "\x05" /**< pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 } */
+#define MBEDTLS_OID_PKCS9               MBEDTLS_OID_PKCS "\x09" /**< pkcs-9 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 } */
+#define MBEDTLS_OID_PKCS12              MBEDTLS_OID_PKCS "\x0c" /**< pkcs-12 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 12 } */
+
+/*
+ * PKCS#1 OIDs
+ */
+#define MBEDTLS_OID_PKCS1_RSA           MBEDTLS_OID_PKCS1 "\x01" /**< rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */
+#define MBEDTLS_OID_PKCS1_MD2           MBEDTLS_OID_PKCS1 "\x02" /**< md2WithRSAEncryption ::= { pkcs-1 2 } */
+#define MBEDTLS_OID_PKCS1_MD4           MBEDTLS_OID_PKCS1 "\x03" /**< md4WithRSAEncryption ::= { pkcs-1 3 } */
+#define MBEDTLS_OID_PKCS1_MD5           MBEDTLS_OID_PKCS1 "\x04" /**< md5WithRSAEncryption ::= { pkcs-1 4 } */
+#define MBEDTLS_OID_PKCS1_SHA1          MBEDTLS_OID_PKCS1 "\x05" /**< sha1WithRSAEncryption ::= { pkcs-1 5 } */
+#define MBEDTLS_OID_PKCS1_SHA224        MBEDTLS_OID_PKCS1 "\x0e" /**< sha224WithRSAEncryption ::= { pkcs-1 14 } */
+#define MBEDTLS_OID_PKCS1_SHA256        MBEDTLS_OID_PKCS1 "\x0b" /**< sha256WithRSAEncryption ::= { pkcs-1 11 } */
+#define MBEDTLS_OID_PKCS1_SHA384        MBEDTLS_OID_PKCS1 "\x0c" /**< sha384WithRSAEncryption ::= { pkcs-1 12 } */
+#define MBEDTLS_OID_PKCS1_SHA512        MBEDTLS_OID_PKCS1 "\x0d" /**< sha512WithRSAEncryption ::= { pkcs-1 13 } */
+
+#define MBEDTLS_OID_RSA_SHA_OBS         "\x2B\x0E\x03\x02\x1D"
+
+#define MBEDTLS_OID_PKCS9_EMAIL         MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
+
+/* RFC 4055 */
+#define MBEDTLS_OID_RSASSA_PSS          MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */
+#define MBEDTLS_OID_MGF1                MBEDTLS_OID_PKCS1 "\x08" /**< id-mgf1 ::= { pkcs-1 8 } */
+
+/*
+ * Digest algorithms
+ */
+#define MBEDTLS_OID_DIGEST_ALG_MD2              MBEDTLS_OID_RSA_COMPANY "\x02\x02" /**< id-mbedtls_md2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 } */
+#define MBEDTLS_OID_DIGEST_ALG_MD4              MBEDTLS_OID_RSA_COMPANY "\x02\x04" /**< id-mbedtls_md4 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_MD5              MBEDTLS_OID_RSA_COMPANY "\x02\x05" /**< id-mbedtls_md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA1             MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_SHA1 /**< id-mbedtls_sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 26 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA224           MBEDTLS_OID_NIST_ALG "\x02\x04" /**< id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } */
+#define MBEDTLS_OID_DIGEST_ALG_SHA256           MBEDTLS_OID_NIST_ALG "\x02\x01" /**< id-mbedtls_sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA384           MBEDTLS_OID_NIST_ALG "\x02\x02" /**< id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } */
+
+#define MBEDTLS_OID_DIGEST_ALG_SHA512           MBEDTLS_OID_NIST_ALG "\x02\x03" /**< id-mbedtls_sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } */
+
+#define MBEDTLS_OID_HMAC_SHA1                   MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
+
+#define MBEDTLS_OID_HMAC_SHA224                 MBEDTLS_OID_RSA_COMPANY "\x02\x08" /**< id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 } */
+
+#define MBEDTLS_OID_HMAC_SHA256                 MBEDTLS_OID_RSA_COMPANY "\x02\x09" /**< id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 } */
+
+#define MBEDTLS_OID_HMAC_SHA384                 MBEDTLS_OID_RSA_COMPANY "\x02\x0A" /**< id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 } */
+
+#define MBEDTLS_OID_HMAC_SHA512                 MBEDTLS_OID_RSA_COMPANY "\x02\x0B" /**< id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 } */
+
+/*
+ * Encryption algorithms
+ */
+#define MBEDTLS_OID_DES_CBC                     MBEDTLS_OID_ISO_IDENTIFIED_ORG MBEDTLS_OID_OIW_SECSIG_ALG "\x07" /**< desCBC OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7 } */
+#define MBEDTLS_OID_DES_EDE3_CBC                MBEDTLS_OID_RSA_COMPANY "\x03\x07" /**< des-ede3-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) -- us(840) rsadsi(113549) encryptionAlgorithm(3) 7 } */
+#define MBEDTLS_OID_AES                         MBEDTLS_OID_NIST_ALG "\x01" /** aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } */
+
+/*
+ * Key Wrapping algorithms
+ */
+/*
+ * RFC 5649
+ */
+#define MBEDTLS_OID_AES128_KW                   MBEDTLS_OID_AES "\x05" /** id-aes128-wrap     OBJECT IDENTIFIER ::= { aes 5 } */
+#define MBEDTLS_OID_AES128_KWP                  MBEDTLS_OID_AES "\x08" /** id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } */
+#define MBEDTLS_OID_AES192_KW                   MBEDTLS_OID_AES "\x19" /** id-aes192-wrap     OBJECT IDENTIFIER ::= { aes 25 } */
+#define MBEDTLS_OID_AES192_KWP                  MBEDTLS_OID_AES "\x1c" /** id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } */
+#define MBEDTLS_OID_AES256_KW                   MBEDTLS_OID_AES "\x2d" /** id-aes256-wrap     OBJECT IDENTIFIER ::= { aes 45 } */
+#define MBEDTLS_OID_AES256_KWP                  MBEDTLS_OID_AES "\x30" /** id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } */
+/*
+ * PKCS#5 OIDs
+ */
+#define MBEDTLS_OID_PKCS5_PBKDF2                MBEDTLS_OID_PKCS5 "\x0c" /**< id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12} */
+#define MBEDTLS_OID_PKCS5_PBES2                 MBEDTLS_OID_PKCS5 "\x0d" /**< id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13} */
+#define MBEDTLS_OID_PKCS5_PBMAC1                MBEDTLS_OID_PKCS5 "\x0e" /**< id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14} */
+
+/*
+ * PKCS#5 PBES1 algorithms
+ */
+#define MBEDTLS_OID_PKCS5_PBE_MD2_DES_CBC       MBEDTLS_OID_PKCS5 "\x01" /**< pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} */
+#define MBEDTLS_OID_PKCS5_PBE_MD2_RC2_CBC       MBEDTLS_OID_PKCS5 "\x04" /**< pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_DES_CBC       MBEDTLS_OID_PKCS5 "\x03" /**< pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} */
+#define MBEDTLS_OID_PKCS5_PBE_MD5_RC2_CBC       MBEDTLS_OID_PKCS5 "\x06" /**< pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_DES_CBC      MBEDTLS_OID_PKCS5 "\x0a" /**< pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} */
+#define MBEDTLS_OID_PKCS5_PBE_SHA1_RC2_CBC      MBEDTLS_OID_PKCS5 "\x0b" /**< pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11} */
+
+/*
+ * PKCS#8 OIDs
+ */
+#define MBEDTLS_OID_PKCS9_CSR_EXT_REQ           MBEDTLS_OID_PKCS9 "\x0e" /**< extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14} */
+
+/*
+ * PKCS#12 PBE OIDs
+ */
+#define MBEDTLS_OID_PKCS12_PBE                      MBEDTLS_OID_PKCS12 "\x01" /**< pkcs-12PbeIds OBJECT IDENTIFIER ::= {pkcs-12 1} */
+
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128         MBEDTLS_OID_PKCS12_PBE "\x01" /**< pbeWithSHAAnd128BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 1} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_40          MBEDTLS_OID_PKCS12_PBE "\x02" /**< pbeWithSHAAnd40BitRC4 OBJECT IDENTIFIER ::= {pkcs-12PbeIds 2} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x03" /**< pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC    MBEDTLS_OID_PKCS12_PBE "\x04" /**< pbeWithSHAAnd2-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 4} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC     MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
+#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC      MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+
+/*
+ * EC key algorithms from RFC 5480
+ */
+
+/* id-ecPublicKey OBJECT IDENTIFIER ::= {
+ *       iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } */
+#define MBEDTLS_OID_EC_ALG_UNRESTRICTED         MBEDTLS_OID_ANSI_X9_62 "\x02\01"
+
+/*   id-ecDH OBJECT IDENTIFIER ::= {
+ *     iso(1) identified-organization(3) certicom(132)
+ *     schemes(1) ecdh(12) } */
+#define MBEDTLS_OID_EC_ALG_ECDH                 MBEDTLS_OID_CERTICOM "\x01\x0c"
+
+/*
+ * ECParameters namedCurve identifiers, from RFC 5480, RFC 5639, and SEC2
+ */
+
+/* secp192r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 1 } */
+#define MBEDTLS_OID_EC_GRP_SECP192R1        MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x01"
+
+/* secp224r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 33 } */
+#define MBEDTLS_OID_EC_GRP_SECP224R1        MBEDTLS_OID_CERTICOM "\x00\x21"
+
+/* secp256r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } */
+#define MBEDTLS_OID_EC_GRP_SECP256R1        MBEDTLS_OID_ANSI_X9_62 "\x03\x01\x07"
+
+/* secp384r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 34 } */
+#define MBEDTLS_OID_EC_GRP_SECP384R1        MBEDTLS_OID_CERTICOM "\x00\x22"
+
+/* secp521r1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 35 } */
+#define MBEDTLS_OID_EC_GRP_SECP521R1        MBEDTLS_OID_CERTICOM "\x00\x23"
+
+/* secp192k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 31 } */
+#define MBEDTLS_OID_EC_GRP_SECP192K1        MBEDTLS_OID_CERTICOM "\x00\x1f"
+
+/* secp224k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 32 } */
+#define MBEDTLS_OID_EC_GRP_SECP224K1        MBEDTLS_OID_CERTICOM "\x00\x20"
+
+/* secp256k1 OBJECT IDENTIFIER ::= {
+ *   iso(1) identified-organization(3) certicom(132) curve(0) 10 } */
+#define MBEDTLS_OID_EC_GRP_SECP256K1        MBEDTLS_OID_CERTICOM "\x00\x0a"
+
+/* RFC 5639 4.1
+ * ecStdCurvesAndGeneration OBJECT IDENTIFIER::= {iso(1)
+ * identified-organization(3) teletrust(36) algorithm(3) signature-
+ * algorithm(3) ecSign(2) 8}
+ * ellipticCurve OBJECT IDENTIFIER ::= {ecStdCurvesAndGeneration 1}
+ * versionOne OBJECT IDENTIFIER ::= {ellipticCurve 1} */
+#define MBEDTLS_OID_EC_BRAINPOOL_V1         MBEDTLS_OID_TELETRUST "\x03\x03\x02\x08\x01\x01"
+
+/* brainpoolP256r1 OBJECT IDENTIFIER ::= {versionOne 7} */
+#define MBEDTLS_OID_EC_GRP_BP256R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x07"
+
+/* brainpoolP384r1 OBJECT IDENTIFIER ::= {versionOne 11} */
+#define MBEDTLS_OID_EC_GRP_BP384R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0B"
+
+/* brainpoolP512r1 OBJECT IDENTIFIER ::= {versionOne 13} */
+#define MBEDTLS_OID_EC_GRP_BP512R1          MBEDTLS_OID_EC_BRAINPOOL_V1 "\x0D"
+
+/*
+ * SEC1 C.1
+ *
+ * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+ * id-fieldType OBJECT IDENTIFIER ::= { ansi-X9-62 fieldType(1)}
+ */
+#define MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE   MBEDTLS_OID_ANSI_X9_62 "\x01"
+#define MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD  MBEDTLS_OID_ANSI_X9_62_FIELD_TYPE "\x01"
+
+/*
+ * ECDSA signature identifiers, from RFC 5480
+ */
+#define MBEDTLS_OID_ANSI_X9_62_SIG          MBEDTLS_OID_ANSI_X9_62 "\x04" /* signatures(4) */
+#define MBEDTLS_OID_ANSI_X9_62_SIG_SHA2     MBEDTLS_OID_ANSI_X9_62_SIG "\x03" /* ecdsa-with-SHA2(3) */
+
+/* ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA1              MBEDTLS_OID_ANSI_X9_62_SIG "\x01"
+
+/* ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 1 } */
+#define MBEDTLS_OID_ECDSA_SHA224            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x01"
+
+/* ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 2 } */
+#define MBEDTLS_OID_ECDSA_SHA256            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x02"
+
+/* ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 3 } */
+#define MBEDTLS_OID_ECDSA_SHA384            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x03"
+
+/* ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
+ *   iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
+ *   ecdsa-with-SHA2(3) 4 } */
+#define MBEDTLS_OID_ECDSA_SHA512            MBEDTLS_OID_ANSI_X9_62_SIG_SHA2 "\x04"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief Base OID descriptor structure
+ */
+typedef struct mbedtls_oid_descriptor_t
+{
+    const char *asn1;               /*!< OID ASN.1 representation       */
+    size_t asn1_len;                /*!< length of asn1                 */
+    const char *name;               /*!< official name (e.g. from RFC)  */
+    const char *description;        /*!< human friendly description     */
+} mbedtls_oid_descriptor_t;
+
+/**
+ * \brief           Translate an ASN.1 OID into its numeric representation
+ *                  (e.g. "\x2A\x86\x48\x86\xF7\x0D" into "1.2.840.113549")
+ *
+ * \param buf       buffer to put representation in
+ * \param size      size of the buffer
+ * \param oid       OID to translate
+ *
+ * \return          Length of the string written (excluding final NULL) or
+ *                  MBEDTLS_ERR_OID_BUF_TOO_SMALL in case of error
+ */
+int mbedtls_oid_get_numeric_string( char *buf, size_t size, const mbedtls_asn1_buf *oid );
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+/**
+ * \brief          Translate an X.509 extension OID into local values
+ *
+ * \param oid      OID to use
+ * \param ext_type place to store the extension type
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_x509_ext_type( const mbedtls_asn1_buf *oid, int *ext_type );
+#endif
+
+/**
+ * \brief          Translate an X.509 attribute type OID into the short name
+ *                 (e.g. the OID for an X520 Common Name into "CN")
+ *
+ * \param oid      OID to use
+ * \param short_name    place to store the string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_attr_short_name( const mbedtls_asn1_buf *oid, const char **short_name );
+
+/**
+ * \brief          Translate PublicKeyAlgorithm OID into pk_type
+ *
+ * \param oid      OID to use
+ * \param pk_alg   place to store public key algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pk_alg( const mbedtls_asn1_buf *oid, mbedtls_pk_type_t *pk_alg );
+
+/**
+ * \brief          Translate pk_type into PublicKeyAlgorithm OID
+ *
+ * \param pk_alg   Public key type to look for
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_type_t pk_alg,
+                           const char **oid, size_t *olen );
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief          Translate NamedCurve OID into an EC group identifier
+ *
+ * \param oid      OID to use
+ * \param grp_id   place to store group id
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_ec_grp( const mbedtls_asn1_buf *oid, mbedtls_ecp_group_id *grp_id );
+
+/**
+ * \brief          Translate EC group identifier into NamedCurve OID
+ *
+ * \param grp_id   EC group identifier
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_ec_grp( mbedtls_ecp_group_id grp_id,
+                           const char **oid, size_t *olen );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+/**
+ * \brief          Translate SignatureAlgorithm OID into md_type and pk_type
+ *
+ * \param oid      OID to use
+ * \param md_alg   place to store message digest algorithm
+ * \param pk_alg   place to store public key algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg( const mbedtls_asn1_buf *oid,
+                     mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg );
+
+/**
+ * \brief          Translate SignatureAlgorithm OID into description
+ *
+ * \param oid      OID to use
+ * \param desc     place to store string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_sig_alg_desc( const mbedtls_asn1_buf *oid, const char **desc );
+
+/**
+ * \brief          Translate md_type and pk_type into SignatureAlgorithm OID
+ *
+ * \param md_alg   message digest algorithm
+ * \param pk_alg   public key algorithm
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_sig_alg( mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                            const char **oid, size_t *olen );
+
+/**
+ * \brief          Translate hash algorithm OID into md_type
+ *
+ * \param oid      OID to use
+ * \param md_alg   place to store message digest algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg );
+
+/**
+ * \brief          Translate hmac algorithm OID into md_type
+ *
+ * \param oid      OID to use
+ * \param md_hmac  place to store message hmac algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac );
+#endif /* MBEDTLS_MD_C */
+
+/**
+ * \brief          Translate Extended Key Usage OID into description
+ *
+ * \param oid      OID to use
+ * \param desc     place to store string pointer
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_extended_key_usage( const mbedtls_asn1_buf *oid, const char **desc );
+
+/**
+ * \brief          Translate md_type into hash algorithm OID
+ *
+ * \param md_alg   message digest algorithm
+ * \param oid      place to store ASN.1 OID string pointer
+ * \param olen     length of the OID
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_oid_by_md( mbedtls_md_type_t md_alg, const char **oid, size_t *olen );
+
+#if defined(MBEDTLS_CIPHER_C)
+/**
+ * \brief          Translate encryption algorithm OID into cipher_type
+ *
+ * \param oid           OID to use
+ * \param cipher_alg    place to store cipher algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_cipher_alg( const mbedtls_asn1_buf *oid, mbedtls_cipher_type_t *cipher_alg );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+/**
+ * \brief          Translate PKCS#12 PBE algorithm OID into md_type and
+ *                 cipher_type
+ *
+ * \param oid           OID to use
+ * \param md_alg        place to store message digest algorithm
+ * \param cipher_alg    place to store cipher algorithm
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
+ */
+int mbedtls_oid_get_pkcs12_pbe_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_alg,
+                            mbedtls_cipher_type_t *cipher_alg );
+#endif /* MBEDTLS_PKCS12_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* oid.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/padlock.h b/makerom/deps/libmbedtls/include/mbedtls/padlock.h
new file mode 100644
index 00000000..721a5d49
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/padlock.h
@@ -0,0 +1,126 @@
+/**
+ * \file padlock.h
+ *
+ * \brief VIA PadLock ACE for HW encryption/decryption supported by some
+ *        processors
+ *
+ * \warning These functions are only for internal use by other library
+ *          functions; you must not call them directly.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PADLOCK_H
+#define MBEDTLS_PADLOCK_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "aes.h"
+
+#define MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED               -0x0030  /**< Input data should be aligned. */
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define MBEDTLS_HAVE_ASAN
+#endif
+#endif
+
+/* Some versions of ASan result in errors about not enough registers */
+#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \
+    !defined(MBEDTLS_HAVE_ASAN)
+
+#ifndef MBEDTLS_HAVE_X86
+#define MBEDTLS_HAVE_X86
+#endif
+
+#include <stdint.h>
+
+#define MBEDTLS_PADLOCK_RNG 0x000C
+#define MBEDTLS_PADLOCK_ACE 0x00C0
+#define MBEDTLS_PADLOCK_PHE 0x0C00
+#define MBEDTLS_PADLOCK_PMM 0x3000
+
+#define MBEDTLS_PADLOCK_ALIGN16(x) (uint32_t *) (16 + ((int32_t) (x) & ~15))
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Internal PadLock detection routine
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param feature  The feature to detect
+ *
+ * \return         1 if CPU has support for the feature, 0 otherwise
+ */
+int mbedtls_padlock_has_support( int feature );
+
+/**
+ * \brief          Internal PadLock AES-ECB block en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param input    16-byte input block
+ * \param output   16-byte output block
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
+                               int mode,
+                               const unsigned char input[16],
+                               unsigned char output[16] );
+
+/**
+ * \brief          Internal PadLock AES-CBC buffer en(de)cryption
+ *
+ * \note           This function is only for internal use by other library
+ *                 functions; you must not call it directly.
+ *
+ * \param ctx      AES context
+ * \param mode     MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param length   length of the input data
+ * \param iv       initialization vector (updated after use)
+ * \param input    buffer holding the input data
+ * \param output   buffer holding the output data
+ *
+ * \return         0 if success, 1 if operation failed
+ */
+int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
+                               int mode,
+                               size_t length,
+                               unsigned char iv[16],
+                               const unsigned char *input,
+                               unsigned char *output );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HAVE_X86  */
+
+#endif /* padlock.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/pem.h b/makerom/deps/libmbedtls/include/mbedtls/pem.h
new file mode 100644
index 00000000..a29e9ce3
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/pem.h
@@ -0,0 +1,136 @@
+/**
+ * \file pem.h
+ *
+ * \brief Privacy Enhanced Mail (PEM) decoding
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PEM_H
+#define MBEDTLS_PEM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+
+/**
+ * \name PEM Error codes
+ * These error codes are returned in case of errors reading the
+ * PEM data.
+ * \{
+ */
+#define MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT          -0x1080  /**< No PEM header or footer found. */
+#define MBEDTLS_ERR_PEM_INVALID_DATA                      -0x1100  /**< PEM string is not as expected. */
+#define MBEDTLS_ERR_PEM_ALLOC_FAILED                      -0x1180  /**< Failed to allocate memory. */
+#define MBEDTLS_ERR_PEM_INVALID_ENC_IV                    -0x1200  /**< RSA IV is not in hex-format. */
+#define MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG                   -0x1280  /**< Unsupported key encryption algorithm. */
+#define MBEDTLS_ERR_PEM_PASSWORD_REQUIRED                 -0x1300  /**< Private key password can't be empty. */
+#define MBEDTLS_ERR_PEM_PASSWORD_MISMATCH                 -0x1380  /**< Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE               -0x1400  /**< Unavailable feature, e.g. hashing/encryption combination. */
+#define MBEDTLS_ERR_PEM_BAD_INPUT_DATA                    -0x1480  /**< Bad input parameters to function. */
+/* \} name */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+/**
+ * \brief       PEM context structure
+ */
+typedef struct mbedtls_pem_context
+{
+    unsigned char *buf;     /*!< buffer for decoded data             */
+    size_t buflen;          /*!< length of the buffer                */
+    unsigned char *info;    /*!< buffer for extra header information */
+}
+mbedtls_pem_context;
+
+/**
+ * \brief       PEM context setup
+ *
+ * \param ctx   context to be initialized
+ */
+void mbedtls_pem_init( mbedtls_pem_context *ctx );
+
+/**
+ * \brief       Read a buffer for PEM information and store the resulting
+ *              data into the specified context buffers.
+ *
+ * \param ctx       context to use
+ * \param header    header string to seek and expect
+ * \param footer    footer string to seek and expect
+ * \param data      source data to look in (must be nul-terminated)
+ * \param pwd       password for decryption (can be NULL)
+ * \param pwdlen    length of password
+ * \param use_len   destination for total length used (set after header is
+ *                  correctly read, so unless you get
+ *                  MBEDTLS_ERR_PEM_BAD_INPUT_DATA or
+ *                  MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT, use_len is
+ *                  the length to skip)
+ *
+ * \note            Attempts to check password correctness by verifying if
+ *                  the decrypted text starts with an ASN.1 sequence of
+ *                  appropriate length
+ *
+ * \return          0 on success, or a specific PEM error code
+ */
+int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer,
+                     const unsigned char *data,
+                     const unsigned char *pwd,
+                     size_t pwdlen, size_t *use_len );
+
+/**
+ * \brief       PEM context memory freeing
+ *
+ * \param ctx   context to be freed
+ */
+void mbedtls_pem_free( mbedtls_pem_context *ctx );
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a buffer of PEM information from a DER encoded
+ *                  buffer.
+ *
+ * \param header    header string to write
+ * \param footer    footer string to write
+ * \param der_data  DER data to write
+ * \param der_len   length of the DER data
+ * \param buf       buffer to write to
+ * \param buf_len   length of output buffer
+ * \param olen      total length written / required (if buf_len is not enough)
+ *
+ * \return          0 on success, or a specific PEM or BASE64 error code. On
+ *                  MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL olen is the required
+ *                  size.
+ */
+int mbedtls_pem_write_buffer( const char *header, const char *footer,
+                      const unsigned char *der_data, size_t der_len,
+                      unsigned char *buf, size_t buf_len, size_t *olen );
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pem.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/pk.h b/makerom/deps/libmbedtls/include/mbedtls/pk.h
new file mode 100644
index 00000000..13642750
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/pk.h
@@ -0,0 +1,755 @@
+/**
+ * \file pk.h
+ *
+ * \brief Public Key abstraction layer
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_PK_H
+#define MBEDTLS_PK_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "rsa.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "ecdsa.h"
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define MBEDTLS_ERR_PK_ALLOC_FAILED        -0x3F80  /**< Memory allocation failed. */
+#define MBEDTLS_ERR_PK_TYPE_MISMATCH       -0x3F00  /**< Type mismatch, eg attempt to encrypt with an ECDSA key */
+#define MBEDTLS_ERR_PK_BAD_INPUT_DATA      -0x3E80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PK_FILE_IO_ERROR       -0x3E00  /**< Read/write of file failed. */
+#define MBEDTLS_ERR_PK_KEY_INVALID_VERSION -0x3D80  /**< Unsupported key version */
+#define MBEDTLS_ERR_PK_KEY_INVALID_FORMAT  -0x3D00  /**< Invalid key tag or value. */
+#define MBEDTLS_ERR_PK_UNKNOWN_PK_ALG      -0x3C80  /**< Key algorithm is unsupported (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_PASSWORD_REQUIRED   -0x3C00  /**< Private key password can't be empty. */
+#define MBEDTLS_ERR_PK_PASSWORD_MISMATCH   -0x3B80  /**< Given private key password does not allow for correct decryption. */
+#define MBEDTLS_ERR_PK_INVALID_PUBKEY      -0x3B00  /**< The pubkey tag or value is invalid (only RSA and EC are supported). */
+#define MBEDTLS_ERR_PK_INVALID_ALG         -0x3A80  /**< The algorithm tag or value is invalid. */
+#define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00  /**< Elliptic curve is unsupported (only NIST curves are supported). */
+#define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980  /**< Unavailable feature, e.g. RSA disabled for RSA key. */
+#define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH    -0x3900  /**< The buffer contains a valid signature followed by more data. */
+
+/* MBEDTLS_ERR_PK_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_PK_HW_ACCEL_FAILED     -0x3880  /**< PK hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Public key types
+ */
+typedef enum {
+    MBEDTLS_PK_NONE=0,
+    MBEDTLS_PK_RSA,
+    MBEDTLS_PK_ECKEY,
+    MBEDTLS_PK_ECKEY_DH,
+    MBEDTLS_PK_ECDSA,
+    MBEDTLS_PK_RSA_ALT,
+    MBEDTLS_PK_RSASSA_PSS,
+} mbedtls_pk_type_t;
+
+/**
+ * \brief           Options for RSASSA-PSS signature verification.
+ *                  See \c mbedtls_rsa_rsassa_pss_verify_ext()
+ */
+typedef struct mbedtls_pk_rsassa_pss_options
+{
+    mbedtls_md_type_t mgf1_hash_id;
+    int expected_salt_len;
+
+} mbedtls_pk_rsassa_pss_options;
+
+/**
+ * \brief           Types for interfacing with the debug module
+ */
+typedef enum
+{
+    MBEDTLS_PK_DEBUG_NONE = 0,
+    MBEDTLS_PK_DEBUG_MPI,
+    MBEDTLS_PK_DEBUG_ECP,
+} mbedtls_pk_debug_type;
+
+/**
+ * \brief           Item to send to the debug module
+ */
+typedef struct mbedtls_pk_debug_item
+{
+    mbedtls_pk_debug_type type;
+    const char *name;
+    void *value;
+} mbedtls_pk_debug_item;
+
+/** Maximum number of item send for debugging, plus 1 */
+#define MBEDTLS_PK_DEBUG_MAX_ITEMS 3
+
+/**
+ * \brief           Public key information and operations
+ */
+typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
+
+/**
+ * \brief           Public key container
+ */
+typedef struct mbedtls_pk_context
+{
+    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
+    void *                      pk_ctx;  /**< Underlying public key context  */
+} mbedtls_pk_context;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Context for resuming operations
+ */
+typedef struct
+{
+    const mbedtls_pk_info_t *   pk_info; /**< Public key information         */
+    void *                      rs_ctx;  /**< Underlying restart context     */
+} mbedtls_pk_restart_ctx;
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_pk_restart_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_RSA_C)
+/**
+ * Quick access to an RSA context inside a PK context.
+ *
+ * \warning You must make sure the PK context actually holds an RSA context
+ * before using this function!
+ */
+static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
+{
+    return( (mbedtls_rsa_context *) (pk).pk_ctx );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * Quick access to an EC context inside a PK context.
+ *
+ * \warning You must make sure the PK context actually holds an EC context
+ * before using this function!
+ */
+static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk )
+{
+    return( (mbedtls_ecp_keypair *) (pk).pk_ctx );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief           Types for RSA-alt abstraction
+ */
+typedef int (*mbedtls_pk_rsa_alt_decrypt_func)( void *ctx, int mode, size_t *olen,
+                    const unsigned char *input, unsigned char *output,
+                    size_t output_max_len );
+typedef int (*mbedtls_pk_rsa_alt_sign_func)( void *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                    int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                    const unsigned char *hash, unsigned char *sig );
+typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief           Return information associated with the given PK type
+ *
+ * \param pk_type   PK type to search for.
+ *
+ * \return          The PK info associated with the type or NULL if not found.
+ */
+const mbedtls_pk_info_t *mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
+
+/**
+ * \brief           Initialize a #mbedtls_pk_context (as NONE).
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_pk_init( mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Free the components of a #mbedtls_pk_context.
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_free( mbedtls_pk_context *ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ *
+ * \param ctx       The context to initialize.
+ *                  This must not be \c NULL.
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context
+ *
+ * \param ctx       The context to clear. It must have been initialized.
+ *                  If this is \c NULL, this function does nothing.
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/**
+ * \brief           Initialize a PK context with the information given
+ *                  and allocates the type-specific PK subcontext.
+ *
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
+ * \param info      Information to use
+ *
+ * \return          0 on success,
+ *                  MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input,
+ *                  MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
+ *
+ * \note            For contexts holding an RSA-alt key, use
+ *                  \c mbedtls_pk_setup_rsa_alt() instead.
+ */
+int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/**
+ * \brief           Initialize an RSA-alt context
+ *
+ * \param ctx       Context to initialize. It must not have been set
+ *                  up yet (type #MBEDTLS_PK_NONE).
+ * \param key       RSA key pointer
+ * \param decrypt_func  Decryption function
+ * \param sign_func     Signing function
+ * \param key_len_func  Function returning key length in bytes
+ *
+ * \return          0 on success, or MBEDTLS_ERR_PK_BAD_INPUT_DATA if the
+ *                  context wasn't already initialized as RSA_ALT.
+ *
+ * \note            This function replaces \c mbedtls_pk_setup() for RSA-alt.
+ */
+int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
+                         mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+                         mbedtls_pk_rsa_alt_sign_func sign_func,
+                         mbedtls_pk_rsa_alt_key_len_func key_len_func );
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/**
+ * \brief           Get the size in bits of the underlying key
+ *
+ * \param ctx       The context to query. It must have been initialized.
+ *
+ * \return          Key size in bits, or 0 on error
+ */
+size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Get the length in bytes of the underlying key
+ *
+ * \param ctx       The context to query. It must have been initialized.
+ *
+ * \return          Key length in bytes, or 0 on error
+ */
+static inline size_t mbedtls_pk_get_len( const mbedtls_pk_context *ctx )
+{
+    return( ( mbedtls_pk_get_bitlen( ctx ) + 7 ) / 8 );
+}
+
+/**
+ * \brief           Tell if a context can do the operation given by type
+ *
+ * \param ctx       The context to query. It must have been initialized.
+ * \param type      The desired type.
+ *
+ * \return          1 if the context can do operations on the given type.
+ * \return          0 if the context cannot do the operations on the given
+ *                  type. This is always the case for a context that has
+ *                  been initialized but not set up, or that has been
+ *                  cleared with mbedtls_pk_free().
+ */
+int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type );
+
+/**
+ * \brief           Verify signature (including padding if relevant).
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ *
+ * \return          0 on success (signature is valid),
+ *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in sig but its length is less than \p siglen,
+ *                  or a specific error code.
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *                  Use \c mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, ... )
+ *                  to verify RSASSA_PSS signatures.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
+ */
+int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len );
+
+/**
+ * \brief           Restartable version of \c mbedtls_pk_verify()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_verify(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_verify().
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_verify(), or
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
+               mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len,
+               mbedtls_pk_restart_ctx *rs_ctx );
+
+/**
+ * \brief           Verify signature, with options.
+ *                  (Includes verification of the padding depending on type.)
+ *
+ * \param type      Signature type (inc. possible padding type) to verify
+ * \param options   Pointer to type-specific options, or NULL
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Signature to verify
+ * \param sig_len   Signature length
+ *
+ * \return          0 on success (signature is valid),
+ *                  #MBEDTLS_ERR_PK_TYPE_MISMATCH if the PK context can't be
+ *                  used for this type of signatures,
+ *                  #MBEDTLS_ERR_PK_SIG_LEN_MISMATCH if there is a valid
+ *                  signature in sig but its length is less than \p siglen,
+ *                  or a specific error code.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            md_alg may be MBEDTLS_MD_NONE, only if hash_len != 0
+ *
+ * \note            If type is MBEDTLS_PK_RSASSA_PSS, then options must point
+ *                  to a mbedtls_pk_rsassa_pss_options structure,
+ *                  otherwise it must be NULL.
+ */
+int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
+                   mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len );
+
+/**
+ * \brief           Make signature, including padding if relevant.
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Place to write the signature
+ * \param sig_len   Number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 on success, or a specific error code.
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *                  There is no interface in the PK module to make RSASSA-PSS
+ *                  signatures yet.
+ *
+ * \note            If hash_len is 0, then the length associated with md_alg
+ *                  is used instead, or an error returned if it is invalid.
+ *
+ * \note            For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
+ *                  For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
+ *
+ * \note            In order to ensure enough space for the signature, the
+ *                  \p sig buffer size must be of at least
+ *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
+ */
+int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Restartable version of \c mbedtls_pk_sign()
+ *
+ * \note            Performs the same job as \c mbedtls_pk_sign(), but can
+ *                  return early and restart according to the limit set with
+ *                  \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
+ *                  operations. For RSA, same as \c mbedtls_pk_sign().
+ *
+ * \note            In order to ensure enough space for the signature, the
+ *                  \p sig buffer size must be of at least
+ *                  `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param md_alg    Hash algorithm used (see notes)
+ * \param hash      Hash of the message to sign
+ * \param hash_len  Hash length or 0 (see notes)
+ * \param sig       Place to write the signature
+ * \param sig_len   Number of bytes written
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ * \param rs_ctx    Restart context (NULL to disable restart)
+ *
+ * \return          See \c mbedtls_pk_sign(), or
+ * \return          #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                  operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
+             mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_pk_restart_ctx *rs_ctx );
+
+/**
+ * \brief           Decrypt message (including padding if relevant).
+ *
+ * \param ctx       The PK context to use. It must have been set up
+ *                  with a private key.
+ * \param input     Input to decrypt
+ * \param ilen      Input size
+ * \param output    Decrypted output
+ * \param olen      Decrypted message length
+ * \param osize     Size of the output buffer
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *
+ * \return          0 on success, or a specific error code.
+ */
+int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Encrypt message (including padding if relevant).
+ *
+ * \param ctx       The PK context to use. It must have been set up.
+ * \param input     Message to encrypt
+ * \param ilen      Message size
+ * \param output    Encrypted output
+ * \param olen      Encrypted output length
+ * \param osize     Size of the output buffer
+ * \param f_rng     RNG function
+ * \param p_rng     RNG parameter
+ *
+ * \note            For RSA keys, the default padding type is PKCS#1 v1.5.
+ *
+ * \return          0 on success, or a specific error code.
+ */
+int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+/**
+ * \brief           Check if a public-private pair of keys matches.
+ *
+ * \param pub       Context holding a public key.
+ * \param prv       Context holding a private (and public) key.
+ *
+ * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ */
+int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv );
+
+/**
+ * \brief           Export debug information
+ *
+ * \param ctx       The PK context to use. It must have been initialized.
+ * \param items     Place to write debug items
+ *
+ * \return          0 on success or MBEDTLS_ERR_PK_BAD_INPUT_DATA
+ */
+int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items );
+
+/**
+ * \brief           Access the type name
+ *
+ * \param ctx       The PK context to use. It must have been initialized.
+ *
+ * \return          Type name on success, or "invalid PK"
+ */
+const char * mbedtls_pk_get_name( const mbedtls_pk_context *ctx );
+
+/**
+ * \brief           Get the key type
+ *
+ * \param ctx       The PK context to use. It must have been initialized.
+ *
+ * \return          Type on success.
+ * \return          #MBEDTLS_PK_NONE for a context that has not been set up.
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx );
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/** \ingroup pk_module */
+/**
+ * \brief           Parse a private key in PEM or DER format
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
+ * \param pwd       Optional password for decryption.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a string of \p pwdlen bytes if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
+ * \param pwdlen    Size of the password in bytes.
+ *                  Ignored if \p pwd is \c NULL.
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_key( mbedtls_pk_context *ctx,
+                  const unsigned char *key, size_t keylen,
+                  const unsigned char *pwd, size_t pwdlen );
+
+/** \ingroup pk_module */
+/**
+ * \brief           Parse a public key in PEM or DER format
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param key       Input buffer to parse.
+ *                  The buffer must contain the input exactly, with no
+ *                  extra trailing material. For PEM, the buffer must
+ *                  contain a null-terminated string.
+ * \param keylen    Size of \b key in bytes.
+ *                  For PEM data, this includes the terminating null byte,
+ *                  so \p keylen must be equal to `strlen(key) + 1`.
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
+                         const unsigned char *key, size_t keylen );
+
+#if defined(MBEDTLS_FS_IO)
+/** \ingroup pk_module */
+/**
+ * \brief           Load and parse a private key
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param path      filename to read the private key from
+ * \param password  Optional password to decrypt the file.
+ *                  Pass \c NULL if expecting a non-encrypted key.
+ *                  Pass a null-terminated string if expecting an encrypted
+ *                  key; a non-encrypted key will also be accepted.
+ *                  The empty password is not supported.
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
+ *                  specific key type, check the result with mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
+                      const char *path, const char *password );
+
+/** \ingroup pk_module */
+/**
+ * \brief           Load and parse a public key
+ *
+ * \param ctx       The PK context to fill. It must have been initialized
+ *                  but not set up.
+ * \param path      filename to read the public key from
+ *
+ * \note            On entry, ctx must be empty, either freshly initialised
+ *                  with mbedtls_pk_init() or reset with mbedtls_pk_free(). If
+ *                  you need a specific key type, check the result with
+ *                  mbedtls_pk_can_do().
+ *
+ * \note            The key is also checked for correctness.
+ *
+ * \return          0 if successful, or a specific PK or PEM error code
+ */
+int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path );
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief           Write a private key to a PKCS#1 or SEC1 DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       PK context which must contain a valid private key.
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ */
+int mbedtls_pk_write_key_der( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+/**
+ * \brief           Write a public key to a SubjectPublicKeyInfo DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       PK context which must contain a valid public or private key.
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ */
+int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a public key to a PEM string
+ *
+ * \param ctx       PK context which must contain a valid public or private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
+ *
+ * \return          0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+
+/**
+ * \brief           Write a private key to a PKCS#1 or SEC1 PEM string
+ *
+ * \param ctx       PK context which must contain a valid private key.
+ * \param buf       Buffer to write to. The output includes a
+ *                  terminating null byte.
+ * \param size      Size of the buffer in bytes.
+ *
+ * \return          0 if successful, or a specific error code
+ */
+int mbedtls_pk_write_key_pem( mbedtls_pk_context *ctx, unsigned char *buf, size_t size );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PK_WRITE_C */
+
+/*
+ * WARNING: Low-level functions. You probably do not want to use these unless
+ *          you are certain you do ;)
+ */
+
+#if defined(MBEDTLS_PK_PARSE_C)
+/**
+ * \brief           Parse a SubjectPublicKeyInfo DER structure
+ *
+ * \param p         the position in the ASN.1 data
+ * \param end       end of the buffer
+ * \param pk        The PK context to fill. It must have been initialized
+ *                  but not set up.
+ *
+ * \return          0 if successful, or a specific PK error code
+ */
+int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
+                        mbedtls_pk_context *pk );
+#endif /* MBEDTLS_PK_PARSE_C */
+
+#if defined(MBEDTLS_PK_WRITE_C)
+/**
+ * \brief           Write a subjectPublicKey to ASN.1 data
+ *                  Note: function works backwards in data buffer
+ *
+ * \param p         reference to current position pointer
+ * \param start     start of the buffer (for bounds-checking)
+ * \param key       PK context which must contain a valid public or private key.
+ *
+ * \return          the length written or a negative error code
+ */
+int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
+                     const mbedtls_pk_context *key );
+#endif /* MBEDTLS_PK_WRITE_C */
+
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PK_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/pk_internal.h b/makerom/deps/libmbedtls/include/mbedtls/pk_internal.h
new file mode 100644
index 00000000..48b7a5f7
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/pk_internal.h
@@ -0,0 +1,138 @@
+/**
+ * \file pk_internal.h
+ *
+ * \brief Public Key abstraction layer: wrapper functions
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_PK_WRAP_H
+#define MBEDTLS_PK_WRAP_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "pk.h"
+
+struct mbedtls_pk_info_t
+{
+    /** Public key type */
+    mbedtls_pk_type_t type;
+
+    /** Type name */
+    const char *name;
+
+    /** Get key size in bits */
+    size_t (*get_bitlen)( const void * );
+
+    /** Tell if the context implements this type (e.g. ECKEY can do ECDSA) */
+    int (*can_do)( mbedtls_pk_type_t type );
+
+    /** Verify signature */
+    int (*verify_func)( void *ctx, mbedtls_md_type_t md_alg,
+                        const unsigned char *hash, size_t hash_len,
+                        const unsigned char *sig, size_t sig_len );
+
+    /** Make signature */
+    int (*sign_func)( void *ctx, mbedtls_md_type_t md_alg,
+                      const unsigned char *hash, size_t hash_len,
+                      unsigned char *sig, size_t *sig_len,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Verify signature (restartable) */
+    int (*verify_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hash_len,
+                           const unsigned char *sig, size_t sig_len,
+                           void *rs_ctx );
+
+    /** Make signature (restartable) */
+    int (*sign_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
+                         const unsigned char *hash, size_t hash_len,
+                         unsigned char *sig, size_t *sig_len,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng, void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    /** Decrypt message */
+    int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen, size_t osize,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+    /** Encrypt message */
+    int (*encrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen, size_t osize,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng );
+
+    /** Check public-private key pair */
+    int (*check_pair_func)( const void *pub, const void *prv );
+
+    /** Allocate a new context */
+    void * (*ctx_alloc_func)( void );
+
+    /** Free the given context */
+    void (*ctx_free_func)( void *ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /** Allocate the restart context */
+    void * (*rs_alloc_func)( void );
+
+    /** Free the restart context */
+    void (*rs_free_func)( void *rs_ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    /** Interface with the debug module */
+    void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items );
+
+};
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/* Container for RSA-alt */
+typedef struct
+{
+    void *key;
+    mbedtls_pk_rsa_alt_decrypt_func decrypt_func;
+    mbedtls_pk_rsa_alt_sign_func sign_func;
+    mbedtls_pk_rsa_alt_key_len_func key_len_func;
+} mbedtls_rsa_alt_context;
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+extern const mbedtls_pk_info_t mbedtls_rsa_info;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+extern const mbedtls_pk_info_t mbedtls_eckey_info;
+extern const mbedtls_pk_info_t mbedtls_eckeydh_info;
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+extern const mbedtls_pk_info_t mbedtls_ecdsa_info;
+#endif
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
+#endif
+
+#endif /* MBEDTLS_PK_WRAP_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/pkcs11.h b/makerom/deps/libmbedtls/include/mbedtls/pkcs11.h
new file mode 100644
index 00000000..02427ddc
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/pkcs11.h
@@ -0,0 +1,175 @@
+/**
+ * \file pkcs11.h
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PKCS11_H
+#define MBEDTLS_PKCS11_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "x509_crt.h"
+
+#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Context for PKCS #11 private keys.
+ */
+typedef struct mbedtls_pkcs11_context
+{
+        pkcs11h_certificate_t pkcs11h_cert;
+        int len;
+} mbedtls_pkcs11_context;
+
+/**
+ * Initialize a mbedtls_pkcs11_context.
+ * (Just making memory references valid.)
+ */
+void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
+
+/**
+ * Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
+ *
+ * \param cert          X.509 certificate to fill
+ * \param pkcs11h_cert  PKCS #11 helper certificate
+ *
+ * \return              0 on success.
+ */
+int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
+
+/**
+ * Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
+ * mbedtls_pkcs11_context will take over control of the certificate, freeing it when
+ * done.
+ *
+ * \param priv_key      Private key structure to fill.
+ * \param pkcs11_cert   PKCS #11 helper certificate
+ *
+ * \return              0 on success
+ */
+int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
+        pkcs11h_certificate_t pkcs11_cert );
+
+/**
+ * Free the contents of the given private key context. Note that the structure
+ * itself is not freed.
+ *
+ * \param priv_key      Private key structure to cleanup
+ */
+void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
+
+/**
+ * \brief          Do an RSA private key decrypt, then remove the message
+ *                 padding
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param input    buffer holding the encrypted data
+ * \param output   buffer that will hold the plaintext
+ * \param olen     will contain the plaintext length
+ * \param output_max_len    maximum length of the output buffer
+ *
+ * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The output buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
+ *                 an error is thrown.
+ */
+int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len );
+
+/**
+ * \brief          Do a private RSA to sign a message digest
+ *
+ * \param ctx      PKCS #11 context
+ * \param mode     must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
+ * \param md_alg   a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
+ * \param hashlen  message digest length (for MBEDTLS_MD_NONE only)
+ * \param hash     buffer holding the message digest
+ * \param sig      buffer that will hold the ciphertext
+ *
+ * \return         0 if the signing operation was successful,
+ *                 or an MBEDTLS_ERR_RSA_XXX error code
+ *
+ * \note           The "sig" buffer must be as large as the size
+ *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ */
+int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig );
+
+/**
+ * SSL/TLS wrappers for PKCS#11 functions
+ */
+static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
+                        const unsigned char *input, unsigned char *output,
+                        size_t output_max_len )
+{
+    return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
+                           output_max_len );
+}
+
+static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
+                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                     int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
+                     const unsigned char *hash, unsigned char *sig )
+{
+    ((void) f_rng);
+    ((void) p_rng);
+    return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
+                        hashlen, hash, sig );
+}
+
+static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
+{
+    return ( (mbedtls_pkcs11_context *) ctx )->len;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PKCS11_C */
+
+#endif /* MBEDTLS_PKCS11_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/pkcs12.h b/makerom/deps/libmbedtls/include/mbedtls/pkcs12.h
new file mode 100644
index 00000000..d441357b
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/pkcs12.h
@@ -0,0 +1,130 @@
+/**
+ * \file pkcs12.h
+ *
+ * \brief PKCS#12 Personal Information Exchange Syntax
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PKCS12_H
+#define MBEDTLS_PKCS12_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "md.h"
+#include "cipher.h"
+#include "asn1.h"
+
+#include <stddef.h>
+
+#define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA                 -0x1F80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE            -0x1F00  /**< Feature not available, e.g. unsupported encryption scheme. */
+#define MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT             -0x1E80  /**< PBE ASN.1 data not as expected. */
+#define MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH              -0x1E00  /**< Given private key password does not allow for correct decryption. */
+
+#define MBEDTLS_PKCS12_DERIVE_KEY       1   /**< encryption/decryption key */
+#define MBEDTLS_PKCS12_DERIVE_IV        2   /**< initialization vector     */
+#define MBEDTLS_PKCS12_DERIVE_MAC_KEY   3   /**< integrity / MAC key       */
+
+#define MBEDTLS_PKCS12_PBE_DECRYPT      0
+#define MBEDTLS_PKCS12_PBE_ENCRYPT      1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+/**
+ * \brief            PKCS12 Password Based function (encryption / decryption)
+ *                   for pbeWithSHAAnd128BitRC4
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
+ * \param mode       either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param pwd        the password used (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param input      the input data
+ * \param len        data length
+ * \param output     the output buffer
+ *
+ * \return           0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
+                             const unsigned char *pwd,  size_t pwdlen,
+                             const unsigned char *input, size_t len,
+                             unsigned char *output );
+
+/**
+ * \brief            PKCS12 Password Based function (encryption / decryption)
+ *                   for cipher-based and mbedtls_md-based PBE's
+ *
+ * \param pbe_params an ASN1 buffer containing the pkcs-12PbeParams structure
+ * \param mode       either MBEDTLS_PKCS12_PBE_ENCRYPT or MBEDTLS_PKCS12_PBE_DECRYPT
+ * \param cipher_type the cipher used
+ * \param md_type     the mbedtls_md used
+ * \param pwd        the password used (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param input      the input data
+ * \param len        data length
+ * \param output     the output buffer
+ *
+ * \return           0 if successful, or a MBEDTLS_ERR_XXX code
+ */
+int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
+                mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+                const unsigned char *pwd,  size_t pwdlen,
+                const unsigned char *input, size_t len,
+                unsigned char *output );
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+/**
+ * \brief            The PKCS#12 derivation function uses a password and a salt
+ *                   to produce pseudo-random bits for a particular "purpose".
+ *
+ *                   Depending on the given id, this function can produce an
+ *                   encryption/decryption key, an nitialization vector or an
+ *                   integrity key.
+ *
+ * \param data       buffer to store the derived data in
+ * \param datalen    length to fill
+ * \param pwd        password to use (may be NULL if no password is used)
+ * \param pwdlen     length of the password (may be 0)
+ * \param salt       salt buffer to use
+ * \param saltlen    length of the salt
+ * \param mbedtls_md         mbedtls_md type to use during the derivation
+ * \param id         id that describes the purpose (can be MBEDTLS_PKCS12_DERIVE_KEY,
+ *                   MBEDTLS_PKCS12_DERIVE_IV or MBEDTLS_PKCS12_DERIVE_MAC_KEY)
+ * \param iterations number of iterations
+ *
+ * \return          0 if successful, or a MD, BIGNUM type error.
+ */
+int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
+                       const unsigned char *pwd, size_t pwdlen,
+                       const unsigned char *salt, size_t saltlen,
+                       mbedtls_md_type_t mbedtls_md, int id, int iterations );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs12.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/pkcs5.h b/makerom/deps/libmbedtls/include/mbedtls/pkcs5.h
new file mode 100644
index 00000000..c92185f7
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/pkcs5.h
@@ -0,0 +1,109 @@
+/**
+ * \file pkcs5.h
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PKCS5_H
+#define MBEDTLS_PKCS5_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "md.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA                  -0x2f80  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_PKCS5_INVALID_FORMAT                  -0x2f00  /**< Unexpected ASN.1 data. */
+#define MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE             -0x2e80  /**< Requested encryption or digest alg not available. */
+#define MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH               -0x2e00  /**< Given private key password does not allow for correct decryption. */
+
+#define MBEDTLS_PKCS5_DECRYPT      0
+#define MBEDTLS_PKCS5_ENCRYPT      1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+/**
+ * \brief          PKCS#5 PBES2 function
+ *
+ * \param pbe_params the ASN.1 algorithm parameters
+ * \param mode       either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
+ * \param pwd        password to use when generating key
+ * \param pwdlen     length of password
+ * \param data       data to process
+ * \param datalen    length of data
+ * \param output     output buffer
+ *
+ * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
+                 const unsigned char *pwd,  size_t pwdlen,
+                 const unsigned char *data, size_t datalen,
+                 unsigned char *output );
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+/**
+ * \brief          PKCS#5 PBKDF2 using HMAC
+ *
+ * \param ctx      Generic HMAC context
+ * \param password Password to use when generating key
+ * \param plen     Length of password
+ * \param salt     Salt to use when generating key
+ * \param slen     Length of salt
+ * \param iteration_count       Iteration count
+ * \param key_length            Length of generated key in bytes
+ * \param output   Generated key. Must be at least as big as key_length
+ *
+ * \returns        0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
+ */
+int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password,
+                       size_t plen, const unsigned char *salt, size_t slen,
+                       unsigned int iteration_count,
+                       uint32_t key_length, unsigned char *output );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_pkcs5_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* pkcs5.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/platform.h b/makerom/deps/libmbedtls/include/mbedtls/platform.h
new file mode 100644
index 00000000..89fe8a7b
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/platform.h
@@ -0,0 +1,367 @@
+/**
+ * \file platform.h
+ *
+ * \brief This file contains the definitions and functions of the
+ *        Mbed TLS platform abstraction layer.
+ *
+ *        The platform abstraction layer removes the need for the library
+ *        to directly link to standard C library functions or operating
+ *        system services, making the library easier to port and embed.
+ *        Application developers and users of the library can provide their own
+ *        implementations of these functions, or implementations specific to
+ *        their platform, which can be statically linked to the library or
+ *        dynamically configured at runtime.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PLATFORM_H
+#define MBEDTLS_PLATFORM_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "platform_time.h"
+#endif
+
+#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED     -0x0070 /**< Hardware accelerator failed */
+#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072 /**< The requested feature is not supported by the platform */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+#if defined(_WIN32)
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use.  */
+#else
+#define MBEDTLS_PLATFORM_STD_SNPRINTF   snprintf /**< The default \c snprintf function to use.  */
+#endif
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+#define MBEDTLS_PLATFORM_STD_PRINTF   printf /**< The default \c printf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< The default \c fprintf function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+#define MBEDTLS_PLATFORM_STD_CALLOC   calloc /**< The default \c calloc function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+#define MBEDTLS_PLATFORM_STD_FREE       free /**< The default \c free function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+#define MBEDTLS_PLATFORM_STD_EXIT      exit /**< The default \c exit function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+#define MBEDTLS_PLATFORM_STD_TIME       time    /**< The default \c time function to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS  EXIT_SUCCESS /**< The default exit value to use. */
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE  EXIT_FAILURE /**< The default exit value to use. */
+#endif
+#if defined(MBEDTLS_FS_IO)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   mbedtls_platform_std_nv_seed_read
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE  mbedtls_platform_std_nv_seed_write
+#endif
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_FILE)
+#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE   "seedfile"
+#endif
+#endif /* MBEDTLS_FS_IO */
+#else /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
+#include MBEDTLS_PLATFORM_STD_MEM_HDR
+#endif
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+
+/* \} name SECTION: Module settings */
+
+/*
+ * The function pointers for calloc and free.
+ */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
+    defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#define mbedtls_free       MBEDTLS_PLATFORM_FREE_MACRO
+#define mbedtls_calloc     MBEDTLS_PLATFORM_CALLOC_MACRO
+#else
+/* For size_t */
+#include <stddef.h>
+extern void *mbedtls_calloc( size_t n, size_t size );
+extern void mbedtls_free( void *ptr );
+
+/**
+ * \brief               This function dynamically sets the memory-management
+ *                      functions used by the library, during runtime.
+ *
+ * \param calloc_func   The \c calloc function implementation.
+ * \param free_func     The \c free function implementation.
+ *
+ * \return              \c 0.
+ */
+int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
+                              void (*free_func)( void * ) );
+#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
+#else /* !MBEDTLS_PLATFORM_MEMORY */
+#define mbedtls_free       free
+#define mbedtls_calloc     calloc
+#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
+
+/*
+ * The function pointers for fprintf
+ */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+/* We need FILE * */
+#include <stdio.h>
+extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... );
+
+/**
+ * \brief                This function dynamically configures the fprintf
+ *                       function that is called when the
+ *                       mbedtls_fprintf() function is invoked by the library.
+ *
+ * \param fprintf_func   The \c fprintf function implementation.
+ *
+ * \return               \c 0.
+ */
+int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char *,
+                                               ... ) );
+#else
+#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
+#define mbedtls_fprintf    MBEDTLS_PLATFORM_FPRINTF_MACRO
+#else
+#define mbedtls_fprintf    fprintf
+#endif /* MBEDTLS_PLATFORM_FPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+/*
+ * The function pointers for printf
+ */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+extern int (*mbedtls_printf)( const char *format, ... );
+
+/**
+ * \brief               This function dynamically configures the snprintf
+ *                      function that is called when the mbedtls_snprintf()
+ *                      function is invoked by the library.
+ *
+ * \param printf_func   The \c printf function implementation.
+ *
+ * \return              \c 0 on success.
+ */
+int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) );
+#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
+#define mbedtls_printf     MBEDTLS_PLATFORM_PRINTF_MACRO
+#else
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_PLATFORM_PRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+/*
+ * The function pointers for snprintf
+ *
+ * The snprintf implementation should conform to C99:
+ * - it *must* always correctly zero-terminate the buffer
+ *   (except when n == 0, then it must leave the buffer untouched)
+ * - however it is acceptable to return -1 instead of the required length when
+ *   the destination buffer is too short.
+ */
+#if defined(_WIN32)
+/* For Windows (inc. MSYS2), we provide our own fixed implementation */
+int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... );
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+extern int (*mbedtls_snprintf)( char * s, size_t n, const char * format, ... );
+
+/**
+ * \brief                 This function allows configuring a custom
+ *                        \c snprintf function pointer.
+ *
+ * \param snprintf_func   The \c snprintf function implementation.
+ *
+ * \return                \c 0 on success.
+ */
+int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
+                                                 const char * format, ... ) );
+#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
+#define mbedtls_snprintf   MBEDTLS_PLATFORM_SNPRINTF_MACRO
+#else
+#define mbedtls_snprintf   MBEDTLS_PLATFORM_STD_SNPRINTF
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+/*
+ * The function pointers for exit
+ */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+extern void (*mbedtls_exit)( int status );
+
+/**
+ * \brief             This function dynamically configures the exit
+ *                    function that is called when the mbedtls_exit()
+ *                    function is invoked by the library.
+ *
+ * \param exit_func   The \c exit function implementation.
+ *
+ * \return            \c 0 on success.
+ */
+int mbedtls_platform_set_exit( void (*exit_func)( int status ) );
+#else
+#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
+#define mbedtls_exit   MBEDTLS_PLATFORM_EXIT_MACRO
+#else
+#define mbedtls_exit   exit
+#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+/*
+ * The default exit values
+ */
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS)
+#define MBEDTLS_EXIT_SUCCESS MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
+#else
+#define MBEDTLS_EXIT_SUCCESS 0
+#endif
+#if defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE)
+#define MBEDTLS_EXIT_FAILURE MBEDTLS_PLATFORM_STD_EXIT_FAILURE
+#else
+#define MBEDTLS_EXIT_FAILURE 1
+#endif
+
+/*
+ * The function pointers for reading from and writing a seed file to
+ * Non-Volatile storage (NV) in a platform-independent way
+ *
+ * Only enabled when the NV seed entropy source is enabled
+ */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Internal standard platform definitions */
+int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len );
+int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len );
+#endif
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+extern int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len );
+extern int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len );
+
+/**
+ * \brief   This function allows configuring custom seed file writing and
+ *          reading functions.
+ *
+ * \param   nv_seed_read_func   The seed reading function implementation.
+ * \param   nv_seed_write_func  The seed writing function implementation.
+ *
+ * \return  \c 0 on success.
+ */
+int mbedtls_platform_set_nv_seed(
+            int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ),
+            int (*nv_seed_write_func)( unsigned char *buf, size_t buf_len )
+            );
+#else
+#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) && \
+    defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
+#define mbedtls_nv_seed_read    MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
+#define mbedtls_nv_seed_write   MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO
+#else
+#define mbedtls_nv_seed_read    mbedtls_platform_std_nv_seed_read
+#define mbedtls_nv_seed_write   mbedtls_platform_std_nv_seed_write
+#endif
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+
+/**
+ * \brief   The platform context structure.
+ *
+ * \note    This structure may be used to assist platform-specific
+ *          setup or teardown operations.
+ */
+typedef struct mbedtls_platform_context
+{
+    char dummy; /**< A placeholder member, as empty structs are not portable. */
+}
+mbedtls_platform_context;
+
+#else
+#include "platform_alt.h"
+#endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+/**
+ * \brief   This function performs any platform-specific initialization
+ *          operations.
+ *
+ * \note    This function should be called before any other library functions.
+ *
+ *          Its implementation is platform-specific, and unless
+ *          platform-specific code is provided, it does nothing.
+ *
+ * \note    The usage and necessity of this function is dependent on the platform.
+ *
+ * \param   ctx     The platform context.
+ *
+ * \return  \c 0 on success.
+ */
+int mbedtls_platform_setup( mbedtls_platform_context *ctx );
+/**
+ * \brief   This function performs any platform teardown operations.
+ *
+ * \note    This function should be called after every other Mbed TLS module
+ *          has been correctly freed using the appropriate free function.
+ *
+ *          Its implementation is platform-specific, and unless
+ *          platform-specific code is provided, it does nothing.
+ *
+ * \note    The usage and necessity of this function is dependent on the platform.
+ *
+ * \param   ctx     The platform context.
+ *
+ */
+void mbedtls_platform_teardown( mbedtls_platform_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/platform_time.h b/makerom/deps/libmbedtls/include/mbedtls/platform_time.h
new file mode 100644
index 00000000..2ed36f56
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/platform_time.h
@@ -0,0 +1,82 @@
+/**
+ * \file platform_time.h
+ *
+ * \brief mbed TLS Platform time abstraction
+ */
+/*
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PLATFORM_TIME_H
+#define MBEDTLS_PLATFORM_TIME_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+/*
+ * The time_t datatype
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO)
+typedef MBEDTLS_PLATFORM_TIME_TYPE_MACRO mbedtls_time_t;
+#else
+/* For time_t */
+#include <time.h>
+typedef time_t mbedtls_time_t;
+#endif /* MBEDTLS_PLATFORM_TIME_TYPE_MACRO */
+
+/*
+ * The function pointers for time
+ */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+extern mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* time );
+
+/**
+ * \brief   Set your own time function pointer
+ *
+ * \param   time_func   the time function implementation
+ *
+ * \return              0
+ */
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* time ) );
+#else
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO)
+#define mbedtls_time    MBEDTLS_PLATFORM_TIME_MACRO
+#else
+#define mbedtls_time   time
+#endif /* MBEDTLS_PLATFORM_TIME_MACRO */
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* platform_time.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/platform_util.h b/makerom/deps/libmbedtls/include/mbedtls/platform_util.h
new file mode 100644
index 00000000..09d09651
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/platform_util.h
@@ -0,0 +1,196 @@
+/**
+ * \file platform_util.h
+ *
+ * \brief Common and shared functions used by multiple modules in the Mbed TLS
+ *        library.
+ */
+/*
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_PLATFORM_UTIL_H
+#define MBEDTLS_PLATFORM_UTIL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "platform_time.h"
+#include <time.h>
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_CHECK_PARAMS)
+
+#if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+/* Allow the user to define MBEDTLS_PARAM_FAILED to something like assert
+ * (which is what our config.h suggests). */
+#include <assert.h>
+#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
+
+#if defined(MBEDTLS_PARAM_FAILED)
+/** An alternative definition of MBEDTLS_PARAM_FAILED has been set in config.h.
+ *
+ * This flag can be used to check whether it is safe to assume that
+ * MBEDTLS_PARAM_FAILED() will expand to a call to mbedtls_param_failed().
+ */
+#define MBEDTLS_PARAM_FAILED_ALT
+
+#elif defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+#define MBEDTLS_PARAM_FAILED( cond ) assert( cond )
+#define MBEDTLS_PARAM_FAILED_ALT
+
+#else /* MBEDTLS_PARAM_FAILED */
+#define MBEDTLS_PARAM_FAILED( cond ) \
+    mbedtls_param_failed( #cond, __FILE__, __LINE__ )
+
+/**
+ * \brief       User supplied callback function for parameter validation failure.
+ *              See #MBEDTLS_CHECK_PARAMS for context.
+ *
+ *              This function will be called unless an alternative treatement
+ *              is defined through the #MBEDTLS_PARAM_FAILED macro.
+ *
+ *              This function can return, and the operation will be aborted, or
+ *              alternatively, through use of setjmp()/longjmp() can resume
+ *              execution in the application code.
+ *
+ * \param failure_condition The assertion that didn't hold.
+ * \param file  The file where the assertion failed.
+ * \param line  The line in the file where the assertion failed.
+ */
+void mbedtls_param_failed( const char *failure_condition,
+                           const char *file,
+                           int line );
+#endif /* MBEDTLS_PARAM_FAILED */
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return( ret );                          \
+        }                                           \
+    } while( 0 )
+
+/* Internal macro meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           \
+    do {                                            \
+        if( !(cond) )                               \
+        {                                           \
+            MBEDTLS_PARAM_FAILED( cond );           \
+            return;                                 \
+        }                                           \
+    } while( 0 )
+
+#else /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal macros meant to be called only from within the library. */
+#define MBEDTLS_INTERNAL_VALIDATE_RET( cond, ret )  do { } while( 0 )
+#define MBEDTLS_INTERNAL_VALIDATE( cond )           do { } while( 0 )
+
+#endif /* MBEDTLS_CHECK_PARAMS */
+
+/* Internal helper macros for deprecating API constants. */
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
+ * to avoid conflict with other headers which define and use
+ * it, too. We might want to move all these definitions here at
+ * some point for uniformity. */
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t;
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_string_constant_t) ( VAL ) )
+MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL )       \
+    ( (mbedtls_deprecated_numeric_constant_t) ( VAL ) )
+#undef MBEDTLS_DEPRECATED
+#else /* MBEDTLS_DEPRECATED_WARNING */
+#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
+#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief       Securely zeroize a buffer
+ *
+ *              The function is meant to wipe the data contained in a buffer so
+ *              that it can no longer be recovered even if the program memory
+ *              is later compromised. Call this function on sensitive data
+ *              stored on the stack before returning from a function, and on
+ *              sensitive data stored on the heap before freeing the heap
+ *              object.
+ *
+ *              It is extremely difficult to guarantee that calls to
+ *              mbedtls_platform_zeroize() are not removed by aggressive
+ *              compiler optimizations in a portable way. For this reason, Mbed
+ *              TLS provides the configuration option
+ *              MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ *              mbedtls_platform_zeroize() to use a suitable implementation for
+ *              their platform and needs
+ *
+ * \param buf   Buffer to be zeroized
+ * \param len   Length of the buffer in bytes
+ *
+ */
+void mbedtls_platform_zeroize( void *buf, size_t len );
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/**
+ * \brief      Platform-specific implementation of gmtime_r()
+ *
+ *             The function is a thread-safe abstraction that behaves
+ *             similarly to the gmtime_r() function from Unix/POSIX.
+ *
+ *             Mbed TLS will try to identify the underlying platform and
+ *             make use of an appropriate underlying implementation (e.g.
+ *             gmtime_r() for POSIX and gmtime_s() for Windows). If this is
+ *             not possible, then gmtime() will be used. In this case, calls
+ *             from the library to gmtime() will be guarded by the mutex
+ *             mbedtls_threading_gmtime_mutex if MBEDTLS_THREADING_C is
+ *             enabled. It is recommended that calls from outside the library
+ *             are also guarded by this mutex.
+ *
+ *             If MBEDTLS_PLATFORM_GMTIME_R_ALT is defined, then Mbed TLS will
+ *             unconditionally use the alternative implementation for
+ *             mbedtls_platform_gmtime_r() supplied by the user at compile time.
+ *
+ * \param tt     Pointer to an object containing time (in seconds) since the
+ *               epoch to be converted
+ * \param tm_buf Pointer to an object where the results will be stored
+ *
+ * \return      Pointer to an object of type struct tm on success, otherwise
+ *              NULL
+ */
+struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
+                                      struct tm *tm_buf );
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_PLATFORM_UTIL_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/poly1305.h b/makerom/deps/libmbedtls/include/mbedtls/poly1305.h
new file mode 100644
index 00000000..f0ec44c9
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/poly1305.h
@@ -0,0 +1,192 @@
+/**
+ * \file poly1305.h
+ *
+ * \brief   This file contains Poly1305 definitions and functions.
+ *
+ *          Poly1305 is a one-time message authenticator that can be used to
+ *          authenticate messages. Poly1305-AES was created by Daniel
+ *          Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic
+ *          Poly1305 algorithm (not tied to AES) was also standardized in RFC
+ *          7539.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ */
+
+/*  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_POLY1305_H
+#define MBEDTLS_POLY1305_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+#include <stddef.h>
+
+#define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA         -0x0057 /**< Invalid input parameter(s). */
+
+/* MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE    -0x0059 /**< Feature not available. For example, s part of the API is not implemented. */
+
+/* MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED        -0x005B  /**< Poly1305 hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+typedef struct mbedtls_poly1305_context
+{
+    uint32_t r[4];      /** The value for 'r' (low 128 bits of the key). */
+    uint32_t s[4];      /** The value for 's' (high 128 bits of the key). */
+    uint32_t acc[5];    /** The accumulator number. */
+    uint8_t queue[16];  /** The current partial block of data. */
+    size_t queue_len;   /** The number of bytes stored in 'queue'. */
+}
+mbedtls_poly1305_context;
+
+#else  /* MBEDTLS_POLY1305_ALT */
+#include "poly1305_alt.h"
+#endif /* MBEDTLS_POLY1305_ALT */
+
+/**
+ * \brief           This function initializes the specified Poly1305 context.
+ *
+ *                  It must be the first API called before using
+ *                  the context.
+ *
+ *                  It is usually followed by a call to
+ *                  \c mbedtls_poly1305_starts(), then one or more calls to
+ *                  \c mbedtls_poly1305_update(), then one call to
+ *                  \c mbedtls_poly1305_finish(), then finally
+ *                  \c mbedtls_poly1305_free().
+ *
+ * \param ctx       The Poly1305 context to initialize. This must
+ *                  not be \c NULL.
+ */
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief           This function releases and clears the specified
+ *                  Poly1305 context.
+ *
+ * \param ctx       The Poly1305 context to clear. This may be \c NULL, in which
+ *                  case this function is a no-op. If it is not \c NULL, it must
+ *                  point to an initialized Poly1305 context.
+ */
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx );
+
+/**
+ * \brief           This function sets the one-time authentication key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param ctx       The Poly1305 context to which the key should be bound.
+ *                  This must be initialized.
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+                             const unsigned char key[32] );
+
+/**
+ * \brief           This functions feeds an input buffer into an ongoing
+ *                  Poly1305 computation.
+ *
+ *                  It is called between \c mbedtls_cipher_poly1305_starts() and
+ *                  \c mbedtls_cipher_poly1305_finish().
+ *                  It can be called repeatedly to process a stream of data.
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen );
+
+/**
+ * \brief           This function generates the Poly1305 Message
+ *                  Authentication Code (MAC).
+ *
+ * \param ctx       The Poly1305 context to use for the Poly1305 operation.
+ *                  This must be initialized and bound to a key.
+ * \param mac       The buffer to where the MAC is written. This must
+ *                  be a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+                             unsigned char mac[16] );
+
+/**
+ * \brief           This function calculates the Poly1305 MAC of the input
+ *                  buffer with the provided key.
+ *
+ * \warning         The key must be unique and unpredictable for each
+ *                  invocation of Poly1305.
+ *
+ * \param key       The buffer containing the \c 32 Byte (\c 256 Bit) key.
+ * \param ilen      The length of the input data in Bytes.
+ *                  Any value is accepted.
+ * \param input     The buffer holding the input data.
+ *                  This pointer can be \c NULL if `ilen == 0`.
+ * \param mac       The buffer to where the MAC is written. This must be
+ *                  a writable buffer of length \c 16 Bytes.
+ *
+ * \return          \c 0 on success.
+ * \return          A negative error code on failure.
+ */
+int mbedtls_poly1305_mac( const unsigned char key[32],
+                          const unsigned char *input,
+                          size_t ilen,
+                          unsigned char mac[16] );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief           The Poly1305 checkup routine.
+ *
+ * \return          \c 0 on success.
+ * \return          \c 1 on failure.
+ */
+int mbedtls_poly1305_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_POLY1305_H */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ripemd160.h b/makerom/deps/libmbedtls/include/mbedtls/ripemd160.h
new file mode 100644
index 00000000..b42f6d2a
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ripemd160.h
@@ -0,0 +1,237 @@
+/**
+ * \file ripemd160.h
+ *
+ * \brief RIPE MD-160 message digest
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_RIPEMD160_H
+#define MBEDTLS_RIPEMD160_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED             -0x0031  /**< RIPEMD160 hardware accelerator failed */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          RIPEMD-160 context structure
+ */
+typedef struct mbedtls_ripemd160_context
+{
+    uint32_t total[2];          /*!< number of bytes processed  */
+    uint32_t state[5];          /*!< intermediate digest state  */
+    unsigned char buffer[64];   /*!< data block being processed */
+}
+mbedtls_ripemd160_context;
+
+#else  /* MBEDTLS_RIPEMD160_ALT */
+#include "ripemd160.h"
+#endif /* MBEDTLS_RIPEMD160_ALT */
+
+/**
+ * \brief          Initialize RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be initialized
+ */
+void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          Clear RIPEMD-160 context
+ *
+ * \param ctx      RIPEMD-160 context to be cleared
+ */
+void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          Clone (the state of) an RIPEMD-160 context
+ *
+ * \param dst      The destination context
+ * \param src      The context to be cloned
+ */
+void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
+                        const mbedtls_ripemd160_context *src );
+
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \param ctx      context to be initialized
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx,
+                                  const unsigned char *input,
+                                  size_t ilen );
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx,
+                                  unsigned char output[20] );
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ *
+ * \return         0 if successful
+ */
+int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                        const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          RIPEMD-160 context setup
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_starts_ret() in 2.7.0
+ *
+ * \param ctx      context to be initialized
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_starts(
+                                            mbedtls_ripemd160_context *ctx );
+
+/**
+ * \brief          RIPEMD-160 process buffer
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_update_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_update(
+                                                mbedtls_ripemd160_context *ctx,
+                                                const unsigned char *input,
+                                                size_t ilen );
+
+/**
+ * \brief          RIPEMD-160 final digest
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_finish_ret() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_finish(
+                                                mbedtls_ripemd160_context *ctx,
+                                                unsigned char output[20] );
+
+/**
+ * \brief          RIPEMD-160 process data block (internal use only)
+ *
+ * \deprecated     Superseded by mbedtls_internal_ripemd160_process() in 2.7.0
+ *
+ * \param ctx      RIPEMD-160 context
+ * \param data     buffer holding one block of data
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160_process(
+                                            mbedtls_ripemd160_context *ctx,
+                                            const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ripemd160_ret( const unsigned char *input,
+                           size_t ilen,
+                           unsigned char output[20] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          Output = RIPEMD-160( input buffer )
+ *
+ * \deprecated     Superseded by mbedtls_ripemd160_ret() in 2.7.0
+ *
+ * \param input    buffer holding the data
+ * \param ilen     length of the input data
+ * \param output   RIPEMD-160 checksum result
+ */
+MBEDTLS_DEPRECATED void mbedtls_ripemd160( const unsigned char *input,
+                                           size_t ilen,
+                                           unsigned char output[20] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_ripemd160_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_ripemd160.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/rsa.h b/makerom/deps/libmbedtls/include/mbedtls/rsa.h
new file mode 100644
index 00000000..35bacd87
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/rsa.h
@@ -0,0 +1,1274 @@
+/**
+ * \file rsa.h
+ *
+ * \brief This file provides an API for the RSA public-key cryptosystem.
+ *
+ * The RSA public-key cryptosystem is defined in <em>Public-Key
+ * Cryptography Standards (PKCS) #1 v1.5: RSA Encryption</em>
+ * and <em>Public-Key Cryptography Standards (PKCS) #1 v2.1:
+ * RSA Cryptography Specifications</em>.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_RSA_H
+#define MBEDTLS_RSA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+#include "md.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/*
+ * RSA Error codes
+ */
+#define MBEDTLS_ERR_RSA_BAD_INPUT_DATA                    -0x4080  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_RSA_INVALID_PADDING                   -0x4100  /**< Input data contains invalid padding and is rejected. */
+#define MBEDTLS_ERR_RSA_KEY_GEN_FAILED                    -0x4180  /**< Something failed during generation of a key. */
+#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED                  -0x4200  /**< Key failed to pass the validity check of the library. */
+#define MBEDTLS_ERR_RSA_PUBLIC_FAILED                     -0x4280  /**< The public key operation failed. */
+#define MBEDTLS_ERR_RSA_PRIVATE_FAILED                    -0x4300  /**< The private key operation failed. */
+#define MBEDTLS_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
+#define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
+#define MBEDTLS_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */
+
+/* MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is deprecated and should not be used.
+ */
+#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION             -0x4500  /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
+
+/* MBEDTLS_ERR_RSA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED                   -0x4580  /**< RSA hardware accelerator failed. */
+
+/*
+ * RSA constants
+ */
+#define MBEDTLS_RSA_PUBLIC      0 /**< Request private key operation. */
+#define MBEDTLS_RSA_PRIVATE     1 /**< Request public key operation. */
+
+#define MBEDTLS_RSA_PKCS_V15    0 /**< Use PKCS#1 v1.5 encoding. */
+#define MBEDTLS_RSA_PKCS_V21    1 /**< Use PKCS#1 v2.1 encoding. */
+
+#define MBEDTLS_RSA_SIGN        1 /**< Identifier for RSA signature operations. */
+#define MBEDTLS_RSA_CRYPT       2 /**< Identifier for RSA encryption and decryption operations. */
+
+#define MBEDTLS_RSA_SALT_LEN_ANY    -1
+
+/*
+ * The above constants may be used even if the RSA module is compile out,
+ * eg for alternative (PKCS#11) RSA implemenations in the PK layers.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_RSA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief   The RSA context structure.
+ *
+ * \note    Direct manipulation of the members of this structure
+ *          is deprecated. All manipulation should instead be done through
+ *          the public interface functions.
+ */
+typedef struct mbedtls_rsa_context
+{
+    int ver;                    /*!<  Always 0.*/
+    size_t len;                 /*!<  The size of \p N in Bytes. */
+
+    mbedtls_mpi N;              /*!<  The public modulus. */
+    mbedtls_mpi E;              /*!<  The public exponent. */
+
+    mbedtls_mpi D;              /*!<  The private exponent. */
+    mbedtls_mpi P;              /*!<  The first prime factor. */
+    mbedtls_mpi Q;              /*!<  The second prime factor. */
+
+    mbedtls_mpi DP;             /*!<  <code>D % (P - 1)</code>. */
+    mbedtls_mpi DQ;             /*!<  <code>D % (Q - 1)</code>. */
+    mbedtls_mpi QP;             /*!<  <code>1 / (Q % P)</code>. */
+
+    mbedtls_mpi RN;             /*!<  cached <code>R^2 mod N</code>. */
+
+    mbedtls_mpi RP;             /*!<  cached <code>R^2 mod P</code>. */
+    mbedtls_mpi RQ;             /*!<  cached <code>R^2 mod Q</code>. */
+
+    mbedtls_mpi Vi;             /*!<  The cached blinding value. */
+    mbedtls_mpi Vf;             /*!<  The cached un-blinding value. */
+
+    int padding;                /*!< Selects padding mode:
+                                     #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and
+                                     #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */
+    int hash_id;                /*!< Hash identifier of mbedtls_md_type_t type,
+                                     as specified in md.h for use in the MGF
+                                     mask generating function used in the
+                                     EME-OAEP and EMSA-PSS encodings. */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!<  Thread-safety mutex. */
+#endif
+}
+mbedtls_rsa_context;
+
+#else  /* MBEDTLS_RSA_ALT */
+#include "rsa_alt.h"
+#endif /* MBEDTLS_RSA_ALT */
+
+/**
+ * \brief          This function initializes an RSA context.
+ *
+ * \note           Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP
+ *                 encryption scheme and the RSASSA-PSS signature scheme.
+ *
+ * \note           The \p hash_id parameter is ignored when using
+ *                 #MBEDTLS_RSA_PKCS_V15 padding.
+ *
+ * \note           The choice of padding mode is strictly enforced for private key
+ *                 operations, since there might be security concerns in
+ *                 mixing padding modes. For public key operations it is
+ *                 a default value, which can be overridden by calling specific
+ *                 \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions.
+ *
+ * \note           The hash selected in \p hash_id is always used for OEAP
+ *                 encryption. For PSS signatures, it is always used for
+ *                 making signatures, but can be overridden for verifying them.
+ *                 If set to #MBEDTLS_MD_NONE, it is always overridden.
+ *
+ * \param ctx      The RSA context to initialize. This must not be \c NULL.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The hash identifier of ::mbedtls_md_type_t type, if
+ *                 \p padding is #MBEDTLS_RSA_PKCS_V21. It is unused
+ *                 otherwise.
+ */
+void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
+                       int padding,
+                       int hash_id );
+
+/**
+ * \brief          This function imports a set of core parameters into an
+ *                 RSA context.
+ *
+ * \note           This function can be called multiple times for successive
+ *                 imports, if the parameters are not simultaneously present.
+ *
+ *                 Any sequence of calls to this function should be followed
+ *                 by a call to mbedtls_rsa_complete(), which checks and
+ *                 completes the provided information to a ready-for-use
+ *                 public or private RSA key.
+ *
+ * \note           See mbedtls_rsa_complete() for more information on which
+ *                 parameters are necessary to set up a private or public
+ *                 RSA key.
+ *
+ * \note           The imported parameters are copied and need not be preserved
+ *                 for the lifetime of the RSA context being set up.
+ *
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param E        The public exponent. This may be \c NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
+                        const mbedtls_mpi *N,
+                        const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                        const mbedtls_mpi *D, const mbedtls_mpi *E );
+
+/**
+ * \brief          This function imports core RSA parameters, in raw big-endian
+ *                 binary format, into an RSA context.
+ *
+ * \note           This function can be called multiple times for successive
+ *                 imports, if the parameters are not simultaneously present.
+ *
+ *                 Any sequence of calls to this function should be followed
+ *                 by a call to mbedtls_rsa_complete(), which checks and
+ *                 completes the provided information to a ready-for-use
+ *                 public or private RSA key.
+ *
+ * \note           See mbedtls_rsa_complete() for more information on which
+ *                 parameters are necessary to set up a private or public
+ *                 RSA key.
+ *
+ * \note           The imported parameters are copied and need not be preserved
+ *                 for the lifetime of the RSA context being set up.
+ *
+ * \param ctx      The initialized RSA context to store the parameters in.
+ * \param N        The RSA modulus. This may be \c NULL.
+ * \param N_len    The Byte length of \p N; it is ignored if \p N == NULL.
+ * \param P        The first prime factor of \p N. This may be \c NULL.
+ * \param P_len    The Byte length of \p P; it ns ignored if \p P == NULL.
+ * \param Q        The second prime factor of \p N. This may be \c NULL.
+ * \param Q_len    The Byte length of \p Q; it is ignored if \p Q == NULL.
+ * \param D        The private exponent. This may be \c NULL.
+ * \param D_len    The Byte length of \p D; it is ignored if \p D == NULL.
+ * \param E        The public exponent. This may be \c NULL.
+ * \param E_len    The Byte length of \p E; it is ignored if \p E == NULL.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ */
+int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
+                            unsigned char const *N, size_t N_len,
+                            unsigned char const *P, size_t P_len,
+                            unsigned char const *Q, size_t Q_len,
+                            unsigned char const *D, size_t D_len,
+                            unsigned char const *E, size_t E_len );
+
+/**
+ * \brief          This function completes an RSA context from
+ *                 a set of imported core parameters.
+ *
+ *                 To setup an RSA public key, precisely \p N and \p E
+ *                 must have been imported.
+ *
+ *                 To setup an RSA private key, sufficient information must
+ *                 be present for the other parameters to be derivable.
+ *
+ *                 The default implementation supports the following:
+ *                 <ul><li>Derive \p P, \p Q from \p N, \p D, \p E.</li>
+ *                 <li>Derive \p N, \p D from \p P, \p Q, \p E.</li></ul>
+ *                 Alternative implementations need not support these.
+ *
+ *                 If this function runs successfully, it guarantees that
+ *                 the RSA context can be used for RSA operations without
+ *                 the risk of failure or crash.
+ *
+ * \warning        This function need not perform consistency checks
+ *                 for the imported parameters. In particular, parameters that
+ *                 are not needed by the implementation might be silently
+ *                 discarded and left unchecked. To check the consistency
+ *                 of the key material, see mbedtls_rsa_check_privkey().
+ *
+ * \param ctx      The initialized RSA context holding imported parameters.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted derivations
+ *                 failed.
+ *
+ */
+int mbedtls_rsa_complete( mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function exports the core parameters of an RSA key.
+ *
+ *                 If this function runs successfully, the non-NULL buffers
+ *                 pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ *                 written, with additional unused space filled leading by
+ *                 zero Bytes.
+ *
+ *                 Possible reasons for returning
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
+ *                 <li>An alternative RSA implementation is in use, which
+ *                 stores the key externally, and either cannot or should
+ *                 not export it into RAM.</li>
+ *                 <li>A SW or HW implementation might not support a certain
+ *                 deduction. For example, \p P, \p Q from \p N, \p D,
+ *                 and \p E if the former are not part of the
+ *                 implementation.</li></ul>
+ *
+ *                 If the function fails due to an unsupported operation,
+ *                 the RSA context stays intact and remains usable.
+ *
+ * \param ctx      The initialized RSA context.
+ * \param N        The MPI to hold the RSA modulus.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param P        The MPI to hold the first prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param Q        The MPI to hold the second prime factor of \p N.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param D        The MPI to hold the private exponent.
+ *                 This may be \c NULL if this field need not be exported.
+ * \param E        The MPI to hold the public exponent.
+ *                 This may be \c NULL if this field need not be exported.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
+ *                 requested parameters cannot be done due to missing
+ *                 functionality or because of security policies.
+ * \return         A non-zero return code on any other failure.
+ *
+ */
+int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
+                        mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+                        mbedtls_mpi *D, mbedtls_mpi *E );
+
+/**
+ * \brief          This function exports core parameters of an RSA key
+ *                 in raw big-endian binary format.
+ *
+ *                 If this function runs successfully, the non-NULL buffers
+ *                 pointed to by \p N, \p P, \p Q, \p D, and \p E are fully
+ *                 written, with additional unused space filled leading by
+ *                 zero Bytes.
+ *
+ *                 Possible reasons for returning
+ *                 #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED:<ul>
+ *                 <li>An alternative RSA implementation is in use, which
+ *                 stores the key externally, and either cannot or should
+ *                 not export it into RAM.</li>
+ *                 <li>A SW or HW implementation might not support a certain
+ *                 deduction. For example, \p P, \p Q from \p N, \p D,
+ *                 and \p E if the former are not part of the
+ *                 implementation.</li></ul>
+ *                 If the function fails due to an unsupported operation,
+ *                 the RSA context stays intact and remains usable.
+ *
+ * \note           The length parameters are ignored if the corresponding
+ *                 buffer pointers are NULL.
+ *
+ * \param ctx      The initialized RSA context.
+ * \param N        The Byte array to store the RSA modulus,
+ *                 or \c NULL if this field need not be exported.
+ * \param N_len    The size of the buffer for the modulus.
+ * \param P        The Byte array to hold the first prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
+ * \param P_len    The size of the buffer for the first prime factor.
+ * \param Q        The Byte array to hold the second prime factor of \p N,
+ *                 or \c NULL if this field need not be exported.
+ * \param Q_len    The size of the buffer for the second prime factor.
+ * \param D        The Byte array to hold the private exponent,
+ *                 or \c NULL if this field need not be exported.
+ * \param D_len    The size of the buffer for the private exponent.
+ * \param E        The Byte array to hold the public exponent,
+ *                 or \c NULL if this field need not be exported.
+ * \param E_len    The size of the buffer for the public exponent.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED if exporting the
+ *                 requested parameters cannot be done due to missing
+ *                 functionality or because of security policies.
+ * \return         A non-zero return code on any other failure.
+ */
+int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
+                            unsigned char *N, size_t N_len,
+                            unsigned char *P, size_t P_len,
+                            unsigned char *Q, size_t Q_len,
+                            unsigned char *D, size_t D_len,
+                            unsigned char *E, size_t E_len );
+
+/**
+ * \brief          This function exports CRT parameters of a private RSA key.
+ *
+ * \note           Alternative RSA implementations not using CRT-parameters
+ *                 internally can implement this function based on
+ *                 mbedtls_rsa_deduce_opt().
+ *
+ * \param ctx      The initialized RSA context.
+ * \param DP       The MPI to hold \c D modulo `P-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param DQ       The MPI to hold \c D modulo `Q-1`,
+ *                 or \c NULL if it need not be exported.
+ * \param QP       The MPI to hold modular inverse of \c Q modulo \c P,
+ *                 or \c NULL if it need not be exported.
+ *
+ * \return         \c 0 on success.
+ * \return         A non-zero error code on failure.
+ *
+ */
+int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
+                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP );
+
+/**
+ * \brief          This function sets padding for an already initialized RSA
+ *                 context. See mbedtls_rsa_init() for details.
+ *
+ * \param ctx      The initialized RSA context to be configured.
+ * \param padding  The padding mode to use. This must be either
+ *                 #MBEDTLS_RSA_PKCS_V15 or #MBEDTLS_RSA_PKCS_V21.
+ * \param hash_id  The #MBEDTLS_RSA_PKCS_V21 hash identifier.
+ */
+void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
+                              int hash_id );
+
+/**
+ * \brief          This function retrieves the length of RSA modulus in Bytes.
+ *
+ * \param ctx      The initialized RSA context.
+ *
+ * \return         The length of the RSA modulus in Bytes.
+ *
+ */
+size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function generates an RSA keypair.
+ *
+ * \note           mbedtls_rsa_init() must be called before this function,
+ *                 to set up the RSA context.
+ *
+ * \param ctx      The initialized RSA context used to hold the key.
+ * \param f_rng    The RNG function to be used for key generation.
+ *                 This must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng.
+ *                 This may be \c NULL if \p f_rng doesn't need a context.
+ * \param nbits    The size of the public key in bits.
+ * \param exponent The public exponent to use. For example, \c 65537.
+ *                 This must be odd and greater than \c 1.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         unsigned int nbits, int exponent );
+
+/**
+ * \brief          This function checks if a context contains at least an RSA
+ *                 public key.
+ *
+ *                 If the function runs successfully, it is guaranteed that
+ *                 enough information is present to perform an RSA public key
+ *                 operation using mbedtls_rsa_public().
+ *
+ * \param ctx      The initialized RSA context to check.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief      This function checks if a context contains an RSA private key
+ *             and perform basic consistency checks.
+ *
+ * \note       The consistency checks performed by this function not only
+ *             ensure that mbedtls_rsa_private() can be called successfully
+ *             on the given context, but that the various parameters are
+ *             mutually consistent with high probability, in the sense that
+ *             mbedtls_rsa_public() and mbedtls_rsa_private() are inverses.
+ *
+ * \warning    This function should catch accidental misconfigurations
+ *             like swapping of parameters, but it cannot establish full
+ *             trust in neither the quality nor the consistency of the key
+ *             material that was used to setup the given RSA context:
+ *             <ul><li>Consistency: Imported parameters that are irrelevant
+ *             for the implementation might be silently dropped. If dropped,
+ *             the current function does not have access to them,
+ *             and therefore cannot check them. See mbedtls_rsa_complete().
+ *             If you want to check the consistency of the entire
+ *             content of an PKCS1-encoded RSA private key, for example, you
+ *             should use mbedtls_rsa_validate_params() before setting
+ *             up the RSA context.
+ *             Additionally, if the implementation performs empirical checks,
+ *             these checks substantiate but do not guarantee consistency.</li>
+ *             <li>Quality: This function is not expected to perform
+ *             extended quality assessments like checking that the prime
+ *             factors are safe. Additionally, it is the responsibility of the
+ *             user to ensure the trustworthiness of the source of his RSA
+ *             parameters, which goes beyond what is effectively checkable
+ *             by the library.</li></ul>
+ *
+ * \param ctx  The initialized RSA context to check.
+ *
+ * \return     \c 0 on success.
+ * \return     An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx );
+
+/**
+ * \brief          This function checks a public-private RSA key pair.
+ *
+ *                 It checks each of the contexts, and makes sure they match.
+ *
+ * \param pub      The initialized RSA context holding the public key.
+ * \param prv      The initialized RSA context holding the private key.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
+                                const mbedtls_rsa_context *prv );
+
+/**
+ * \brief          This function performs an RSA public key operation.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \note           This function does not handle message padding.
+ *
+ * \note           Make sure to set \p input[0] = 0 or ensure that
+ *                 input is smaller than \p N.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
+                const unsigned char *input,
+                unsigned char *output );
+
+/**
+ * \brief          This function performs an RSA private key operation.
+ *
+ * \note           Blinding is used if and only if a PRNG is provided.
+ *
+ * \note           If blinding is used, both the base of exponentation
+ *                 and the exponent are blinded, providing protection
+ *                 against some side-channel attacks.
+ *
+ * \warning        It is deprecated and a security risk to not provide
+ *                 a PRNG here and thereby prevent the use of blinding.
+ *                 Future versions of the library may enforce the presence
+ *                 of a PRNG.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function, used for blinding. It is discouraged
+ *                 and deprecated to pass \c NULL here, in which case
+ *                 blinding will be omitted.
+ * \param p_rng    The RNG context to pass to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or if \p f_rng doesn't need a context.
+ * \param input    The input buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 const unsigned char *input,
+                 unsigned char *output );
+
+/**
+ * \brief          This function adds the message padding, then performs an RSA
+ *                 operation.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1 encryption
+ *                 operation using the \p mode from the context.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG to use. It is mandatory for PKCS#1 v2.1 padding
+ *                 encoding, and for PKCS#1 v1.5 padding encoding when used
+ *                 with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5
+ *                 padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE,
+ *                 it is used for blinding and should be provided in this
+ *                 case; see mbedtls_rsa_private() for more.
+ * \param p_rng    The RNG context to be passed to \p f_rng. May be
+ *                 \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't
+ *                 need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t ilen,
+                       const unsigned char *input,
+                       unsigned char *output );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 encryption operation
+ *                 (RSAES-PKCS1-v1_5-ENCRYPT).
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. It is needed for padding generation
+ *                 if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is
+ *                 #MBEDTLS_RSA_PRIVATE (discouraged), it is used for
+ *                 blinding and should be provided; see mbedtls_rsa_private().
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may
+ *                 be \c NULL if \p f_rng is \c NULL or if \p f_rng
+ *                 doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param ilen     The length of the plaintext in Bytes.
+ * \param input    The input data to encrypt. This must be a readable
+ *                 buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output   The output buffer. This must be a writable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t ilen,
+                                 const unsigned char *input,
+                                 unsigned char *output );
+
+/**
+ * \brief            This function performs a PKCS#1 v2.1 OAEP encryption
+ *                   operation (RSAES-OAEP-ENCRYPT).
+ *
+ * \note             The output buffer must be as large as the size
+ *                   of ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \deprecated       It is deprecated and discouraged to call this function
+ *                   in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                   are likely to remove the \p mode argument and have it
+ *                   implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note             Alternative implementations of RSA need not support
+ *                   mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx        The initnialized RSA context to use.
+ * \param f_rng      The RNG function to use. This is needed for padding
+ *                   generation and must be provided.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may
+ *                   be \c NULL if \p f_rng doesn't need a context argument.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param label      The buffer holding the custom label to use.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param ilen       The length of the plaintext buffer \p input in Bytes.
+ * \param input      The input data to encrypt. This must be a readable
+ *                   buffer of size \p ilen Bytes. This must not be \c NULL.
+ * \param output     The output buffer. This must be a writable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
+ *
+ * \return           \c 0 on success.
+ * \return           An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t ilen,
+                            const unsigned char *input,
+                            unsigned char *output );
+
+/**
+ * \brief          This function performs an RSA operation, then removes the
+ *                 message padding.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1 decryption
+ *                 operation using the \p mode from the context.
+ *
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N (for example,
+ *                 128 Bytes if RSA-1024 is used) to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 decryption
+ *                 operation (RSAES-PKCS1-v1_5-DECRYPT).
+ *
+ * \note           The output buffer length \c output_max_len should be
+ *                 as large as the size \p ctx->len of \p ctx->N, for example,
+ *                 128 Bytes if RSA-1024 is used, to be able to hold an
+ *                 arbitrary decrypted message. If it is not large enough to
+ *                 hold the decryption of the particular ciphertext provided,
+ *                 the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param olen     The address at which to store the length of
+ *                 the plaintext. This must not be \c NULL.
+ * \param input    The ciphertext buffer. This must be a readable buffer
+ *                 of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ * \param output   The buffer used to hold the plaintext. This must
+ *                 be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ *
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t *olen,
+                                 const unsigned char *input,
+                                 unsigned char *output,
+                                 size_t output_max_len );
+
+/**
+ * \brief            This function performs a PKCS#1 v2.1 OAEP decryption
+ *                   operation (RSAES-OAEP-DECRYPT).
+ *
+ * \note             The output buffer length \c output_max_len should be
+ *                   as large as the size \p ctx->len of \p ctx->N, for
+ *                   example, 128 Bytes if RSA-1024 is used, to be able to
+ *                   hold an arbitrary decrypted message. If it is not
+ *                   large enough to hold the decryption of the particular
+ *                   ciphertext provided, the function returns
+ *                   #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ *
+ * \deprecated       It is deprecated and discouraged to call this function
+ *                   in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                   are likely to remove the \p mode argument and have it
+ *                   implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note             Alternative implementations of RSA need not support
+ *                   mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                   return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx        The initialized RSA context to use.
+ * \param f_rng      The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                   this is used for blinding and should be provided; see
+ *                   mbedtls_rsa_private() for more. If \p mode is
+ *                   #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng      The RNG context to be passed to \p f_rng. This may be
+ *                   \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode       The mode of operation. This must be either
+ *                   #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param label      The buffer holding the custom label to use.
+ *                   This must be a readable buffer of length \p label_len
+ *                   Bytes. It may be \c NULL if \p label_len is \c 0.
+ * \param label_len  The length of the label in Bytes.
+ * \param olen       The address at which to store the length of
+ *                   the plaintext. This must not be \c NULL.
+ * \param input      The ciphertext buffer. This must be a readable buffer
+ *                   of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                   for an 2048-bit RSA modulus.
+ * \param output     The buffer used to hold the plaintext. This must
+ *                   be a writable buffer of length \p output_max_len Bytes.
+ * \param output_max_len The length in Bytes of the output buffer \p output.
+ *
+ * \return         \c 0 on success.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t *olen,
+                            const unsigned char *input,
+                            unsigned char *output,
+                            size_t output_max_len );
+
+/**
+ * \brief          This function performs a private RSA operation to sign
+ *                 a message digest using PKCS#1.
+ *
+ *                 It is the generic wrapper for performing a PKCS#1
+ *                 signature using the \p mode from the context.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_sign() for details on
+ *                 \p md_alg and \p hash_id.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function to use. If the padding mode is PKCS#1 v2.1,
+ *                 this must be provided. If the padding mode is PKCS#1 v1.5 and
+ *                 \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding
+ *                 and should be provided; see mbedtls_rsa_private() for more
+ *                 more. It is ignored otherwise.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 signature
+ *                 operation (RSASSA-PKCS1-v1_5-SIGN).
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. If \p mode is
+ *                 #MBEDTLS_RSA_PUBLIC, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng is \c NULL or doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS signature
+ *                 operation (RSASSA-PSS-SIGN).
+ *
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 encoding. \p md_alg in the function call is the type of hash
+ *                 that is encoded. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same.
+ *
+ * \note           This function always uses the maximum possible salt size,
+ *                 up to the length of the payload hash. This choice of salt
+ *                 size complies with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1
+ *                 v2.2) §9.1.1 step 3. Furthermore this function enforces a
+ *                 minimum salt size which is the hash size minus 2 bytes. If
+ *                 this minimum size is too large given the key size (the salt
+ *                 size, plus the hash size, plus 2 bytes must be no more than
+ *                 the key size in bytes), this function returns
+ *                 #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PRIVATE.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA context to use.
+ * \param f_rng    The RNG function. It must not be \c NULL.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be \c NULL
+ *                 if \p f_rng doesn't need a context argument.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer to hold the signature. This must be a writable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus. A buffer length of
+ *                 #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return         \c 0 if the signing operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         int mode,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         unsigned char *sig );
+
+/**
+ * \brief          This function performs a public RSA operation and checks
+ *                 the message digest.
+ *
+ *                 This is the generic wrapper for performing a PKCS#1
+ *                 verification using the mode from the context.
+ *
+ * \note           For PKCS#1 v2.1 encoding, see comments on
+ *                 mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
+ *                 \p hash_id.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng,
+                      int mode,
+                      mbedtls_md_type_t md_alg,
+                      unsigned int hashlen,
+                      const unsigned char *hash,
+                      const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v1.5 verification
+ *                 operation (RSASSA-PKCS1-v1_5-VERIFY).
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode,
+                                 mbedtls_md_type_t md_alg,
+                                 unsigned int hashlen,
+                                 const unsigned char *hash,
+                                 const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS verification
+ *                 operation (RSASSA-PSS-VERIFY).
+ *
+ *                 The hash function for the MGF mask generating function
+ *                 is that specified in the RSA context.
+ *
+ * \note           The \p hash_id in the RSA context is the one used for the
+ *                 verification. \p md_alg in the function call is the type of
+ *                 hash that is verified. According to <em>RFC-3447: Public-Key
+ *                 Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ *                 Specifications</em> it is advised to keep both hashes the
+ *                 same. If \p hash_id in the RSA context is unset,
+ *                 the \p md_alg from the function call is used.
+ *
+ * \deprecated     It is deprecated and discouraged to call this function
+ *                 in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ *                 are likely to remove the \p mode argument and have it
+ *                 implicitly set to #MBEDTLS_RSA_PUBLIC.
+ *
+ * \note           Alternative implementations of RSA need not support
+ *                 mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ *                 return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           int mode,
+                           mbedtls_md_type_t md_alg,
+                           unsigned int hashlen,
+                           const unsigned char *hash,
+                           const unsigned char *sig );
+
+/**
+ * \brief          This function performs a PKCS#1 v2.1 PSS verification
+ *                 operation (RSASSA-PSS-VERIFY).
+ *
+ *                 The hash function for the MGF mask generating function
+ *                 is that specified in \p mgf1_hash_id.
+ *
+ * \note           The \p sig buffer must be as large as the size
+ *                 of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
+ *
+ * \note           The \p hash_id in the RSA context is ignored.
+ *
+ * \param ctx      The initialized RSA public key context to use.
+ * \param f_rng    The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
+ *                 this is used for blinding and should be provided; see
+ *                 mbedtls_rsa_private() for more. Otherwise, it is ignored.
+ * \param p_rng    The RNG context to be passed to \p f_rng. This may be
+ *                 \c NULL if \p f_rng is \c NULL or doesn't need a context.
+ * \param mode     The mode of operation. This must be either
+ *                 #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg   The message-digest algorithm used to hash the original data.
+ *                 Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen  The length of the message digest.
+ *                 This is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash     The buffer holding the message digest or raw data.
+ *                 If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ *                 buffer of length \p hashlen Bytes. If \p md_alg is not
+ *                 #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ *                 the size of the hash corresponding to \p md_alg.
+ * \param mgf1_hash_id      The message digest used for mask generation.
+ * \param expected_salt_len The length of the salt used in padding. Use
+ *                          #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
+ * \param sig      The buffer holding the signature. This must be a readable
+ *                 buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ *                 for an 2048-bit RSA modulus.
+ *
+ * \return         \c 0 if the verify operation was successful.
+ * \return         An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               mbedtls_md_type_t mgf1_hash_id,
+                               int expected_salt_len,
+                               const unsigned char *sig );
+
+/**
+ * \brief          This function copies the components of an RSA context.
+ *
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The source context. This must be initialized.
+ *
+ * \return         \c 0 on success.
+ * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
+ */
+int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
+
+/**
+ * \brief          This function frees the components of an RSA key.
+ *
+ * \param ctx      The RSA context to free. May be \c NULL, in which case
+ *                 this function is a no-op. If it is not \c NULL, it must
+ *                 point to an initialized RSA context.
+ */
+void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The RSA checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_rsa_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/rsa_internal.h b/makerom/deps/libmbedtls/include/mbedtls/rsa_internal.h
new file mode 100644
index 00000000..53abd3c5
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/rsa_internal.h
@@ -0,0 +1,226 @@
+/**
+ * \file rsa_internal.h
+ *
+ * \brief Context-independent RSA helper functions
+ *
+ *  This module declares some RSA-related helper functions useful when
+ *  implementing the RSA interface. These functions are provided in a separate
+ *  compilation unit in order to make it easy for designers of alternative RSA
+ *  implementations to use them in their own code, as it is conceived that the
+ *  functionality they provide will be necessary for most complete
+ *  implementations.
+ *
+ *  End-users of Mbed TLS who are not providing their own alternative RSA
+ *  implementations should not use these functions directly, and should instead
+ *  use only the functions declared in rsa.h.
+ *
+ *  The interface provided by this module will be maintained through LTS (Long
+ *  Term Support) branches of Mbed TLS, but may otherwise be subject to change,
+ *  and must be considered an internal interface of the library.
+ *
+ *  There are two classes of helper functions:
+ *
+ *  (1) Parameter-generating helpers. These are:
+ *      - mbedtls_rsa_deduce_primes
+ *      - mbedtls_rsa_deduce_private_exponent
+ *      - mbedtls_rsa_deduce_crt
+ *       Each of these functions takes a set of core RSA parameters and
+ *       generates some other, or CRT related parameters.
+ *
+ *  (2) Parameter-checking helpers. These are:
+ *      - mbedtls_rsa_validate_params
+ *      - mbedtls_rsa_validate_crt
+ *      They take a set of core or CRT related RSA parameters and check their
+ *      validity.
+ *
+ */
+/*
+ *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+
+#ifndef MBEDTLS_RSA_INTERNAL_H
+#define MBEDTLS_RSA_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * \brief          Compute RSA prime moduli P, Q from public modulus N=PQ
+ *                 and a pair of private and public key.
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param N        RSA modulus N = PQ, with P, Q to be found
+ * \param E        RSA public exponent
+ * \param D        RSA private exponent
+ * \param P        Pointer to MPI holding first prime factor of N on success
+ * \param Q        Pointer to MPI holding second prime factor of N on success
+ *
+ * \return
+ *                 - 0 if successful. In this case, P and Q constitute a
+ *                   factorization of N.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           It is neither checked that P, Q are prime nor that
+ *                 D, E are modular inverses wrt. P-1 and Q-1. For that,
+ *                 use the helper function \c mbedtls_rsa_validate_params.
+ *
+ */
+int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N, mbedtls_mpi const *E,
+                               mbedtls_mpi const *D,
+                               mbedtls_mpi *P, mbedtls_mpi *Q );
+
+/**
+ * \brief          Compute RSA private exponent from
+ *                 prime moduli and public key.
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of RSA modulus
+ * \param Q        Second prime factor of RSA modulus
+ * \param E        RSA public exponent
+ * \param D        Pointer to MPI holding the private exponent on success.
+ *
+ * \return
+ *                 - 0 if successful. In this case, D is set to a simultaneous
+ *                   modular inverse of E modulo both P-1 and Q-1.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           This function does not check whether P and Q are primes.
+ *
+ */
+int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
+                                         mbedtls_mpi const *Q,
+                                         mbedtls_mpi const *E,
+                                         mbedtls_mpi *D );
+
+
+/**
+ * \brief          Generate RSA-CRT parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of N
+ * \param Q        Second prime factor of N
+ * \param D        RSA private exponent
+ * \param DP       Output variable for D modulo P-1
+ * \param DQ       Output variable for D modulo Q-1
+ * \param QP       Output variable for the modular inverse of Q modulo P.
+ *
+ * \return         0 on success, non-zero error code otherwise.
+ *
+ * \note           This function does not check whether P, Q are
+ *                 prime and whether D is a valid private exponent.
+ *
+ */
+int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                            const mbedtls_mpi *D, mbedtls_mpi *DP,
+                            mbedtls_mpi *DQ, mbedtls_mpi *QP );
+
+
+/**
+ * \brief          Check validity of core RSA parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param N        RSA modulus N = PQ
+ * \param P        First prime factor of N
+ * \param Q        Second prime factor of N
+ * \param D        RSA private exponent
+ * \param E        RSA public exponent
+ * \param f_rng    PRNG to be used for primality check, or NULL
+ * \param p_rng    PRNG context for f_rng, or NULL
+ *
+ * \return
+ *                 - 0 if the following conditions are satisfied
+ *                   if all relevant parameters are provided:
+ *                    - P prime if f_rng != NULL (%)
+ *                    - Q prime if f_rng != NULL (%)
+ *                    - 1 < N = P * Q
+ *                    - 1 < D, E < N
+ *                    - D and E are modular inverses modulo P-1 and Q-1
+ *                   (%) This is only done if MBEDTLS_GENPRIME is defined.
+ *                 - A non-zero error code otherwise.
+ *
+ * \note           The function can be used with a restricted set of arguments
+ *                 to perform specific checks only. E.g., calling it with
+ *                 (-,P,-,-,-) and a PRNG amounts to a primality check for P.
+ */
+int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
+                                 const mbedtls_mpi *Q, const mbedtls_mpi *D,
+                                 const mbedtls_mpi *E,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng );
+
+/**
+ * \brief          Check validity of RSA CRT parameters
+ *
+ * \note           This is a 'static' helper function not operating on
+ *                 an RSA context. Alternative implementations need not
+ *                 overwrite it.
+ *
+ * \param P        First prime factor of RSA modulus
+ * \param Q        Second prime factor of RSA modulus
+ * \param D        RSA private exponent
+ * \param DP       MPI to check for D modulo P-1
+ * \param DQ       MPI to check for D modulo P-1
+ * \param QP       MPI to check for the modular inverse of Q modulo P.
+ *
+ * \return
+ *                 - 0 if the following conditions are satisfied:
+ *                    - D = DP mod P-1 if P, D, DP != NULL
+ *                    - Q = DQ mod P-1 if P, D, DQ != NULL
+ *                    - QP = Q^-1 mod P if P, Q, QP != NULL
+ *                 - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
+ *                   potentially including \c MBEDTLS_ERR_MPI_XXX if some
+ *                   MPI calculations failed.
+ *                 - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
+ *                   data was provided to check DP, DQ or QP.
+ *
+ * \note           The function can be used with a restricted set of arguments
+ *                 to perform specific checks only. E.g., calling it with the
+ *                 parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
+ */
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* rsa_internal.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/sha1.h b/makerom/deps/libmbedtls/include/mbedtls/sha1.h
new file mode 100644
index 00000000..bb6ecf05
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/sha1.h
@@ -0,0 +1,352 @@
+/**
+ * \file sha1.h
+ *
+ * \brief This file contains SHA-1 definitions and functions.
+ *
+ * The Secure Hash Algorithm 1 (SHA-1) cryptographic hash function is defined in
+ * <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ *
+ * \warning   SHA-1 is considered a weak message digest and its use constitutes
+ *            a security risk. We recommend considering stronger message
+ *            digests instead.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA1_H
+#define MBEDTLS_SHA1_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED                  -0x0035  /**< SHA-1 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA1_BAD_INPUT_DATA                   -0x0073  /**< SHA-1 input data was malformed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          The SHA-1 context structure.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ */
+typedef struct mbedtls_sha1_context
+{
+    uint32_t total[2];          /*!< The number of Bytes processed.  */
+    uint32_t state[5];          /*!< The intermediate digest state.  */
+    unsigned char buffer[64];   /*!< The data block being processed. */
+}
+mbedtls_sha1_context;
+
+#else  /* MBEDTLS_SHA1_ALT */
+#include "sha1_alt.h"
+#endif /* MBEDTLS_SHA1_ALT */
+
+/**
+ * \brief          This function initializes a SHA-1 context.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to initialize.
+ *                 This must not be \c NULL.
+ *
+ */
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-1 context.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it is
+ *                 not \c NULL, it must point to an initialized
+ *                 SHA-1 context.
+ *
+ */
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-1 context.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param dst      The SHA-1 context to clone to. This must be initialized.
+ * \param src      The SHA-1 context to clone from. This must be initialized.
+ *
+ */
+void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
+                         const mbedtls_sha1_context *src );
+
+/**
+ * \brief          This function starts a SHA-1 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
+ */
+int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing SHA-1
+ *                 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-1 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to use. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of length \c 20 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
+                             unsigned char output[20] );
+
+/**
+ * \brief          SHA-1 process data block (internal use only).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param ctx      The SHA-1 context to use. This must be initialized.
+ * \param data     The data block being processed. This must be a
+ *                 readable buffer of length \c 64 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
+ */
+int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
+                                   const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-1 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_starts_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context to initialize. This must be initialized.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing SHA-1
+ *                 checksum calculation.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
+                                             const unsigned char *input,
+                                             size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-1 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-1 checksum result.
+ *                 This must be a writable buffer of length \c 20 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
+                                             unsigned char output[20] );
+
+/**
+ * \brief          SHA-1 process data block (internal use only).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha1_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-1 context. This must be initialized.
+ * \param data     The data block being processed.
+ *                 This must be a readable buffer of length \c 64 bytes.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
+                                              const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          This function calculates the SHA-1 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-1 result is calculated as
+ *                 output = SHA-1(input buffer).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ * \param output   The SHA-1 checksum result.
+ *                 This must be a writable buffer of length \c 20 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ *
+ */
+int mbedtls_sha1_ret( const unsigned char *input,
+                      size_t ilen,
+                      unsigned char output[20] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function calculates the SHA-1 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-1 result is calculated as
+ *                 output = SHA-1(input buffer).
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \deprecated     Superseded by mbedtls_sha1_ret() in 2.7.0
+ *
+ * \param input    The buffer holding the input data.
+ *                 This must be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data \p input in Bytes.
+ * \param output   The SHA-1 checksum result. This must be a writable
+ *                 buffer of size \c 20 Bytes.
+ *
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha1( const unsigned char *input,
+                                      size_t ilen,
+                                      unsigned char output[20] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The SHA-1 checkup routine.
+ *
+ * \warning        SHA-1 is considered a weak message digest and its use
+ *                 constitutes a security risk. We recommend considering
+ *                 stronger message digests instead.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ *
+ */
+int mbedtls_sha1_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha1.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/sha256.h b/makerom/deps/libmbedtls/include/mbedtls/sha256.h
new file mode 100644
index 00000000..d6473982
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/sha256.h
@@ -0,0 +1,297 @@
+/**
+ * \file sha256.h
+ *
+ * \brief This file contains SHA-224 and SHA-256 definitions and functions.
+ *
+ * The Secure Hash Algorithms 224 and 256 (SHA-224 and SHA-256) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA256_H
+#define MBEDTLS_SHA256_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037  /**< SHA-256 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA256_BAD_INPUT_DATA                 -0x0074  /**< SHA-256 input data was malformed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA256_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          The SHA-256 context structure.
+ *
+ *                 The structure is used both for SHA-256 and for SHA-224
+ *                 checksum calculations. The choice between these two is
+ *                 made in the call to mbedtls_sha256_starts_ret().
+ */
+typedef struct mbedtls_sha256_context
+{
+    uint32_t total[2];          /*!< The number of Bytes processed.  */
+    uint32_t state[8];          /*!< The intermediate digest state.  */
+    unsigned char buffer[64];   /*!< The data block being processed. */
+    int is224;                  /*!< Determines which function to use:
+                                     0: Use SHA-256, or 1: Use SHA-224. */
+}
+mbedtls_sha256_context;
+
+#else  /* MBEDTLS_SHA256_ALT */
+#include "sha256_alt.h"
+#endif /* MBEDTLS_SHA256_ALT */
+
+/**
+ * \brief          This function initializes a SHA-256 context.
+ *
+ * \param ctx      The SHA-256 context to initialize. This must not be \c NULL.
+ */
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-256 context.
+ *
+ * \param ctx      The SHA-256 context to clear. This may be \c NULL, in which
+ *                 case this function returns immediately. If it is not \c NULL,
+ *                 it must point to an initialized SHA-256 context.
+ */
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-256 context.
+ *
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
+ */
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+                           const mbedtls_sha256_context *src );
+
+/**
+ * \brief          This function starts a SHA-224 or SHA-256 checksum
+ *                 calculation.
+ *
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    This determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-256 checksum calculation.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-256 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-224 or SHA-256 checksum result.
+ *                 This must be a writable buffer of length \c 32 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
+                               unsigned char output[32] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-256 computation. This function is for
+ *                 internal use only.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must
+ *                 be a readable buffer of length \c 64 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
+                                     const unsigned char data[64] );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-224 or SHA-256 checksum
+ *                 calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_starts_ret() in 2.7.0.
+ *
+ * \param ctx      The context to use. This must be initialized.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
+                                               int is224 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-256 checksum calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context to use. This must be
+ *                 initialized and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
+                                               const unsigned char *input,
+                                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-256 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \deprecated     Superseded by mbedtls_sha256_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized and
+ *                 have a hash operation started.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
+                                               unsigned char output[32] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-256 computation. This function is for
+ *                 internal use only.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha256_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-256 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of size \c 64 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
+                                                const unsigned char data[64] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          This function calculates the SHA-224 or SHA-256
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-256 result is calculated as
+ *                 output = SHA-256(input buffer).
+ *
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must
+ *                 be a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be
+ *                 either \c 0 for SHA-256, or \c 1 for SHA-224.
+ */
+int mbedtls_sha256_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[32],
+                        int is224 );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          This function calculates the SHA-224 or SHA-256 checksum
+ *                 of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-256 result is calculated as
+ *                 output = SHA-256(input buffer).
+ *
+ * \deprecated     Superseded by mbedtls_sha256_ret() in 2.7.0.
+ *
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-224 or SHA-256 checksum result. This must be
+ *                 a writable buffer of length \c 32 Bytes.
+ * \param is224    Determines which function to use. This must be either
+ *                 \c 0 for SHA-256, or \c 1 for SHA-224.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha256( const unsigned char *input,
+                                        size_t ilen,
+                                        unsigned char output[32],
+                                        int is224 );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          The SHA-224 and SHA-256 checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_sha256_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha256.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/sha512.h b/makerom/deps/libmbedtls/include/mbedtls/sha512.h
new file mode 100644
index 00000000..c06ceed1
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/sha512.h
@@ -0,0 +1,300 @@
+/**
+ * \file sha512.h
+ * \brief This file contains SHA-384 and SHA-512 definitions and functions.
+ *
+ * The Secure Hash Algorithms 384 and 512 (SHA-384 and SHA-512) cryptographic
+ * hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
+ */
+/*
+ *  Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SHA512_H
+#define MBEDTLS_SHA512_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED                -0x0039  /**< SHA-512 hardware accelerator failed */
+#define MBEDTLS_ERR_SHA512_BAD_INPUT_DATA                 -0x0075  /**< SHA-512 input data was malformed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_SHA512_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          The SHA-512 context structure.
+ *
+ *                 The structure is used both for SHA-384 and for SHA-512
+ *                 checksum calculations. The choice between these two is
+ *                 made in the call to mbedtls_sha512_starts_ret().
+ */
+typedef struct mbedtls_sha512_context
+{
+    uint64_t total[2];          /*!< The number of Bytes processed. */
+    uint64_t state[8];          /*!< The intermediate digest state. */
+    unsigned char buffer[128];  /*!< The data block being processed. */
+    int is384;                  /*!< Determines which function to use:
+                                     0: Use SHA-512, or 1: Use SHA-384. */
+}
+mbedtls_sha512_context;
+
+#else  /* MBEDTLS_SHA512_ALT */
+#include "sha512_alt.h"
+#endif /* MBEDTLS_SHA512_ALT */
+
+/**
+ * \brief          This function initializes a SHA-512 context.
+ *
+ * \param ctx      The SHA-512 context to initialize. This must
+ *                 not be \c NULL.
+ */
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief          This function clears a SHA-512 context.
+ *
+ * \param ctx      The SHA-512 context to clear. This may be \c NULL,
+ *                 in which case this function does nothing. If it
+ *                 is not \c NULL, it must point to an initialized
+ *                 SHA-512 context.
+ */
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx );
+
+/**
+ * \brief          This function clones the state of a SHA-512 context.
+ *
+ * \param dst      The destination context. This must be initialized.
+ * \param src      The context to clone. This must be initialized.
+ */
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+                           const mbedtls_sha512_context *src );
+
+/**
+ * \brief          This function starts a SHA-384 or SHA-512 checksum
+ *                 calculation.
+ *
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be
+ *                 either \c for SHA-512, or \c 1 for SHA-384.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-512 checksum calculation.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the input data. This must
+ *                 be a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
+                    const unsigned char *input,
+                    size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-512 operation, and writes
+ *                 the result to the output buffer. This function is for
+ *                 internal use only.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ *                 This must be a writable buffer of length \c 64 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
+                               unsigned char output[64] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-512 computation.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This
+ *                 must be a readable buffer of length \c 128 Bytes.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
+                                     const unsigned char data[128] );
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+/**
+ * \brief          This function starts a SHA-384 or SHA-512 checksum
+ *                 calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_starts_ret() in 2.7.0
+ *
+ * \param ctx      The SHA-512 context to use. This must be initialized.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512 or \c 1 for SHA-384.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
+                                               int is384 );
+
+/**
+ * \brief          This function feeds an input buffer into an ongoing
+ *                 SHA-512 checksum calculation.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_update_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param input    The buffer holding the data. This must be a readable
+ *                 buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
+                                               const unsigned char *input,
+                                               size_t ilen );
+
+/**
+ * \brief          This function finishes the SHA-512 operation, and writes
+ *                 the result to the output buffer.
+ *
+ * \deprecated     Superseded by mbedtls_sha512_finish_ret() in 2.7.0.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized
+ *                 and have a hash operation started.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of size \c 64 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
+                                               unsigned char output[64] );
+
+/**
+ * \brief          This function processes a single data block within
+ *                 the ongoing SHA-512 computation. This function is for
+ *                 internal use only.
+ *
+ * \deprecated     Superseded by mbedtls_internal_sha512_process() in 2.7.0.
+ *
+ * \param ctx      The SHA-512 context. This must be initialized.
+ * \param data     The buffer holding one block of data. This must be
+ *                 a readable buffer of length \c 128 Bytes.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512_process(
+                                            mbedtls_sha512_context *ctx,
+                                            const unsigned char data[128] );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          This function calculates the SHA-512 or SHA-384
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-512 result is calculated as
+ *                 output = SHA-512(input buffer).
+ *
+ * \param input    The buffer holding the input data. This must be
+ *                 a readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-384 or SHA-512 checksum result.
+ *                 This must be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
+ *
+ * \return         \c 0 on success.
+ * \return         A negative error code on failure.
+ */
+int mbedtls_sha512_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[64],
+                        int is384 );
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          This function calculates the SHA-512 or SHA-384
+ *                 checksum of a buffer.
+ *
+ *                 The function allocates the context, performs the
+ *                 calculation, and frees the context.
+ *
+ *                 The SHA-512 result is calculated as
+ *                 output = SHA-512(input buffer).
+ *
+ * \deprecated     Superseded by mbedtls_sha512_ret() in 2.7.0
+ *
+ * \param input    The buffer holding the data. This must be a
+ *                 readable buffer of length \p ilen Bytes.
+ * \param ilen     The length of the input data in Bytes.
+ * \param output   The SHA-384 or SHA-512 checksum result. This must
+ *                 be a writable buffer of length \c 64 Bytes.
+ * \param is384    Determines which function to use. This must be either
+ *                 \c 0 for SHA-512, or \c 1 for SHA-384.
+ */
+MBEDTLS_DEPRECATED void mbedtls_sha512( const unsigned char *input,
+                                        size_t ilen,
+                                        unsigned char output[64],
+                                        int is384 );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+ /**
+ * \brief          The SHA-384 or SHA-512 checkup routine.
+ *
+ * \return         \c 0 on success.
+ * \return         \c 1 on failure.
+ */
+int mbedtls_sha512_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_sha512.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ssl.h b/makerom/deps/libmbedtls/include/mbedtls/ssl.h
new file mode 100644
index 00000000..1adf9608
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ssl.h
@@ -0,0 +1,3262 @@
+/**
+ * \file ssl.h
+ *
+ * \brief SSL/TLS functions.
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_H
+#define MBEDTLS_SSL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "bignum.h"
+#include "ecp.h"
+
+#include "ssl_ciphersuites.h"
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "x509_crt.h"
+#include "x509_crl.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "dhm.h"
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+#include "ecdh.h"
+#endif
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and will be removed in the next major revision of the library"
+#endif
+
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "Record compression support via MBEDTLS_ZLIB_SUPPORT is deprecated and cannot be used if MBEDTLS_DEPRECATED_REMOVED is set"
+#endif
+
+#include "zlib.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "platform_time.h"
+#endif
+
+/*
+ * SSL Error codes
+ */
+#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
+#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
+#define MBEDTLS_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
+#define MBEDTLS_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
+#define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
+#define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
+#define MBEDTLS_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
+#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message. */
+#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
+#define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key or pre-shared key is not set, but needed. */
+#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED                 -0x7680  /**< No CA Chain is set, but required to operate. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE                -0x7700  /**< An unexpected message was received from our peer. */
+#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE               -0x7780  /**< A fatal alert message was received from our peer. */
+#define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED                -0x7800  /**< Verification of our peer failed. */
+#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY                 -0x7880  /**< The peer notified us that the connection is going to be closed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO               -0x7900  /**< Processing of the ClientHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO               -0x7980  /**< Processing of the ServerHello handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE                -0x7A00  /**< Processing of the Certificate handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST        -0x7A80  /**< Processing of the CertificateRequest handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE        -0x7B00  /**< Processing of the ServerKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE          -0x7B80  /**< Processing of the ServerHelloDone handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE        -0x7C00  /**< Processing of the ClientKeyExchange handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP     -0x7C80  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS     -0x7D00  /**< Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY         -0x7D80  /**< Processing of the CertificateVerify handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC         -0x7E00  /**< Processing of the ChangeCipherSpec handshake message failed. */
+#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED                   -0x7E80  /**< Processing of the Finished handshake message failed. */
+#define MBEDTLS_ERR_SSL_ALLOC_FAILED                      -0x7F00  /**< Memory allocation failed */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED                   -0x7F80  /**< Hardware acceleration function returned with error */
+#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH              -0x6F80  /**< Hardware acceleration function skipped / left alone data */
+#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED                -0x6F00  /**< Processing of the compression / decompression failed */
+#define MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION           -0x6E80  /**< Handshake protocol not within min/max boundaries */
+#define MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET         -0x6E00  /**< Processing of the NewSessionTicket handshake message failed. */
+#define MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED            -0x6D80  /**< Session ticket has expired. */
+#define MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH                  -0x6D00  /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
+#define MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY                  -0x6C80  /**< Unknown identity received (eg, PSK identity) */
+#define MBEDTLS_ERR_SSL_INTERNAL_ERROR                    -0x6C00  /**< Internal error (eg, unexpected failure in lower-level module) */
+#define MBEDTLS_ERR_SSL_COUNTER_WRAPPING                  -0x6B80  /**< A counter would wrap (eg, too many messages exchanged). */
+#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO       -0x6B00  /**< Unexpected message at ServerHello in renegotiation. */
+#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80  /**< DTLS client must retry for hello verification */
+#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00  /**< A buffer is too small to receive or write a message */
+#define MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE             -0x6980  /**< None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages). */
+#define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900  /**< No data of requested type currently available on underlying transport. */
+#define MBEDTLS_ERR_SSL_WANT_WRITE                        -0x6880  /**< Connection requires a write call. */
+#define MBEDTLS_ERR_SSL_TIMEOUT                           -0x6800  /**< The operation timed out. */
+#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT                  -0x6780  /**< The client initiated a reconnect from the same port. */
+#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD                 -0x6700  /**< Record header looks valid but is not expected. */
+#define MBEDTLS_ERR_SSL_NON_FATAL                         -0x6680  /**< The alert message received indicates a non-fatal error. */
+#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH               -0x6600  /**< Couldn't set the hash for verifying CertificateVerify */
+#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING               -0x6580  /**< Internal-only message signaling that further message-processing should be done */
+#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS                 -0x6500  /**< The asynchronous operation is not completed yet. */
+#define MBEDTLS_ERR_SSL_EARLY_MESSAGE                     -0x6480  /**< Internal-only message signaling that a message arrived early. */
+#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS                -0x7000  /**< A cryptographic operation is in progress. Try again later. */
+
+/*
+ * Various constants
+ */
+#define MBEDTLS_SSL_MAJOR_VERSION_3             3
+#define MBEDTLS_SSL_MINOR_VERSION_0             0   /*!< SSL v3.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_1             1   /*!< TLS v1.0 */
+#define MBEDTLS_SSL_MINOR_VERSION_2             2   /*!< TLS v1.1 */
+#define MBEDTLS_SSL_MINOR_VERSION_3             3   /*!< TLS v1.2 */
+
+#define MBEDTLS_SSL_TRANSPORT_STREAM            0   /*!< TLS      */
+#define MBEDTLS_SSL_TRANSPORT_DATAGRAM          1   /*!< DTLS     */
+
+#define MBEDTLS_SSL_MAX_HOST_NAME_LEN           255 /*!< Maximum host name defined in RFC 1035 */
+
+/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
+ * NONE must be zero so that memset()ing structure to zero works */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE           0   /*!< don't use this extension   */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_512            1   /*!< MaxFragmentLength 2^9      */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_1024           2   /*!< MaxFragmentLength 2^10     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_2048           3   /*!< MaxFragmentLength 2^11     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_4096           4   /*!< MaxFragmentLength 2^12     */
+#define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID        5   /*!< first invalid value        */
+
+#define MBEDTLS_SSL_IS_CLIENT                   0
+#define MBEDTLS_SSL_IS_SERVER                   1
+
+#define MBEDTLS_SSL_IS_NOT_FALLBACK             0
+#define MBEDTLS_SSL_IS_FALLBACK                 1
+
+#define MBEDTLS_SSL_EXTENDED_MS_DISABLED        0
+#define MBEDTLS_SSL_EXTENDED_MS_ENABLED         1
+
+#define MBEDTLS_SSL_ETM_DISABLED                0
+#define MBEDTLS_SSL_ETM_ENABLED                 1
+
+#define MBEDTLS_SSL_COMPRESS_NULL               0
+#define MBEDTLS_SSL_COMPRESS_DEFLATE            1
+
+#define MBEDTLS_SSL_VERIFY_NONE                 0
+#define MBEDTLS_SSL_VERIFY_OPTIONAL             1
+#define MBEDTLS_SSL_VERIFY_REQUIRED             2
+#define MBEDTLS_SSL_VERIFY_UNSET                3 /* Used only for sni_authmode */
+
+#define MBEDTLS_SSL_LEGACY_RENEGOTIATION        0
+#define MBEDTLS_SSL_SECURE_RENEGOTIATION        1
+
+#define MBEDTLS_SSL_RENEGOTIATION_DISABLED      0
+#define MBEDTLS_SSL_RENEGOTIATION_ENABLED       1
+
+#define MBEDTLS_SSL_ANTI_REPLAY_DISABLED        0
+#define MBEDTLS_SSL_ANTI_REPLAY_ENABLED         1
+
+#define MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED  -1
+#define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT  16
+
+#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION     0
+#define MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION  1
+#define MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE      2
+
+#define MBEDTLS_SSL_TRUNC_HMAC_DISABLED         0
+#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED          1
+#define MBEDTLS_SSL_TRUNCATED_HMAC_LEN          10  /* 80 bits, rfc 6066 section 7 */
+
+#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED     0
+#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED      1
+
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED    0
+#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED     1
+
+#define MBEDTLS_SSL_ARC4_ENABLED                0
+#define MBEDTLS_SSL_ARC4_DISABLED               1
+
+#define MBEDTLS_SSL_PRESET_DEFAULT              0
+#define MBEDTLS_SSL_PRESET_SUITEB               2
+
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED       1
+#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED      0
+
+/*
+ * Default range for DTLS retransmission timer value, in milliseconds.
+ * RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
+ */
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN    1000
+#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX   60000
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME)
+#define MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME     86400 /**< Lifetime of session tickets (if enabled) */
+#endif
+
+/*
+ * Maximum fragment length in bytes,
+ * determines the size of each of the two internal I/O buffers.
+ *
+ * Note: the RFC defines the default size of SSL / TLS messages. If you
+ * change the value here, other clients / servers may not be able to
+ * communicate with you anymore. Only change this value if you control
+ * both sides of the connection and have it reduced at both sides, or
+ * if you're using the Max Fragment Length extension and you know all your
+ * peers are using it too!
+ */
+#if !defined(MBEDTLS_SSL_MAX_CONTENT_LEN)
+#define MBEDTLS_SSL_MAX_CONTENT_LEN         16384   /**< Size of the input / output buffer */
+#endif
+
+#if !defined(MBEDTLS_SSL_IN_CONTENT_LEN)
+#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+#if !defined(MBEDTLS_SSL_OUT_CONTENT_LEN)
+#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN
+#endif
+
+/*
+ * Maximum number of heap-allocated bytes for the purpose of
+ * DTLS handshake message reassembly and future message buffering.
+ */
+#if !defined(MBEDTLS_SSL_DTLS_MAX_BUFFERING)
+#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768
+#endif
+
+/* \} name SECTION: Module settings */
+
+/*
+ * Length of the verify data for secure renegotiation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 36
+#else
+#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN 12
+#endif
+
+/*
+ * Signaling ciphersuite values (SCSV)
+ */
+#define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
+#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE         0x5600 /**< RFC 7507 section 2 */
+
+/*
+ * Supported Signature and Hash algorithms (For TLS 1.2)
+ * RFC 5246 section 7.4.1.4.1
+ */
+#define MBEDTLS_SSL_HASH_NONE                0
+#define MBEDTLS_SSL_HASH_MD5                 1
+#define MBEDTLS_SSL_HASH_SHA1                2
+#define MBEDTLS_SSL_HASH_SHA224              3
+#define MBEDTLS_SSL_HASH_SHA256              4
+#define MBEDTLS_SSL_HASH_SHA384              5
+#define MBEDTLS_SSL_HASH_SHA512              6
+
+#define MBEDTLS_SSL_SIG_ANON                 0
+#define MBEDTLS_SSL_SIG_RSA                  1
+#define MBEDTLS_SSL_SIG_ECDSA                3
+
+/*
+ * Client Certificate Types
+ * RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
+ */
+#define MBEDTLS_SSL_CERT_TYPE_RSA_SIGN       1
+#define MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN    64
+
+/*
+ * Message, alert and handshake types
+ */
+#define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC     20
+#define MBEDTLS_SSL_MSG_ALERT                  21
+#define MBEDTLS_SSL_MSG_HANDSHAKE              22
+#define MBEDTLS_SSL_MSG_APPLICATION_DATA       23
+
+#define MBEDTLS_SSL_ALERT_LEVEL_WARNING         1
+#define MBEDTLS_SSL_ALERT_LEVEL_FATAL           2
+
+#define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY           0  /* 0x00 */
+#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE    10  /* 0x0A */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC        20  /* 0x14 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED     21  /* 0x15 */
+#define MBEDTLS_SSL_ALERT_MSG_RECORD_OVERFLOW       22  /* 0x16 */
+#define MBEDTLS_SSL_ALERT_MSG_DECOMPRESSION_FAILURE 30  /* 0x1E */
+#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE     40  /* 0x28 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_CERT               41  /* 0x29 */
+#define MBEDTLS_SSL_ALERT_MSG_BAD_CERT              42  /* 0x2A */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT      43  /* 0x2B */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED          44  /* 0x2C */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED          45  /* 0x2D */
+#define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN          46  /* 0x2E */
+#define MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER     47  /* 0x2F */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA            48  /* 0x30 */
+#define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED         49  /* 0x31 */
+#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR          50  /* 0x32 */
+#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR         51  /* 0x33 */
+#define MBEDTLS_SSL_ALERT_MSG_EXPORT_RESTRICTION    60  /* 0x3C */
+#define MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION      70  /* 0x46 */
+#define MBEDTLS_SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71  /* 0x47 */
+#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR        80  /* 0x50 */
+#define MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86  /* 0x56 */
+#define MBEDTLS_SSL_ALERT_MSG_USER_CANCELED         90  /* 0x5A */
+#define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION     100  /* 0x64 */
+#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT      110  /* 0x6E */
+#define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME    112  /* 0x70 */
+#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115  /* 0x73 */
+#define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
+
+#define MBEDTLS_SSL_HS_HELLO_REQUEST            0
+#define MBEDTLS_SSL_HS_CLIENT_HELLO             1
+#define MBEDTLS_SSL_HS_SERVER_HELLO             2
+#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST     3
+#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET       4
+#define MBEDTLS_SSL_HS_CERTIFICATE             11
+#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE     12
+#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST     13
+#define MBEDTLS_SSL_HS_SERVER_HELLO_DONE       14
+#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY      15
+#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE     16
+#define MBEDTLS_SSL_HS_FINISHED                20
+
+/*
+ * TLS extensions
+ */
+#define MBEDTLS_TLS_EXT_SERVERNAME                   0
+#define MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME          0
+
+#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH          1
+
+#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC               4
+
+#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES   10
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS     11
+
+#define MBEDTLS_TLS_EXT_SIG_ALG                     13
+
+#define MBEDTLS_TLS_EXT_ALPN                        16
+
+#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC            22 /* 0x16 */
+#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET  0x0017 /* 23 */
+
+#define MBEDTLS_TLS_EXT_SESSION_TICKET              35
+
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP               256 /* experimental */
+
+#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      0xFF01
+
+/*
+ * Size defines
+ */
+#if !defined(MBEDTLS_PSK_MAX_LEN)
+#define MBEDTLS_PSK_MAX_LEN            32 /* 256 bits */
+#endif
+
+/* Dummy type used only for its size */
+union mbedtls_ssl_premaster_secret
+{
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    unsigned char _pms_rsa[48];                         /* RFC 5246 8.1.1 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    unsigned char _pms_dhm[MBEDTLS_MPI_MAX_SIZE];      /* RFC 5246 8.1.2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)    || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)  || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES];    /* RFC 4492 5.10 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    unsigned char _pms_psk[4 + 2 * MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    unsigned char _pms_dhe_psk[4 + MBEDTLS_MPI_MAX_SIZE
+                                 + MBEDTLS_PSK_MAX_LEN];       /* RFC 4279 3 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    unsigned char _pms_rsa_psk[52 + MBEDTLS_PSK_MAX_LEN];      /* RFC 4279 4 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    unsigned char _pms_ecdhe_psk[4 + MBEDTLS_ECP_MAX_BYTES
+                                   + MBEDTLS_PSK_MAX_LEN];     /* RFC 5489 2 */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    unsigned char _pms_ecjpake[32];     /* Thread spec: SHA-256 output */
+#endif
+};
+
+#define MBEDTLS_PREMASTER_SIZE     sizeof( union mbedtls_ssl_premaster_secret )
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * SSL state machine
+ */
+typedef enum
+{
+    MBEDTLS_SSL_HELLO_REQUEST,
+    MBEDTLS_SSL_CLIENT_HELLO,
+    MBEDTLS_SSL_SERVER_HELLO,
+    MBEDTLS_SSL_SERVER_CERTIFICATE,
+    MBEDTLS_SSL_SERVER_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_REQUEST,
+    MBEDTLS_SSL_SERVER_HELLO_DONE,
+    MBEDTLS_SSL_CLIENT_CERTIFICATE,
+    MBEDTLS_SSL_CLIENT_KEY_EXCHANGE,
+    MBEDTLS_SSL_CERTIFICATE_VERIFY,
+    MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_CLIENT_FINISHED,
+    MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC,
+    MBEDTLS_SSL_SERVER_FINISHED,
+    MBEDTLS_SSL_FLUSH_BUFFERS,
+    MBEDTLS_SSL_HANDSHAKE_WRAPUP,
+    MBEDTLS_SSL_HANDSHAKE_OVER,
+    MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
+    MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
+}
+mbedtls_ssl_states;
+
+/**
+ * \brief          Callback type: send data on the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the send callback (typically a file descriptor)
+ * \param buf      Buffer holding the data to send
+ * \param len      Length of the data to send
+ *
+ * \return         The callback must return the number of bytes sent if any,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback is allowed to send fewer bytes than requested.
+ *                 It must always return the number of bytes actually sent.
+ */
+typedef int mbedtls_ssl_send_t( void *ctx,
+                                const unsigned char *buf,
+                                size_t len );
+
+/**
+ * \brief          Callback type: receive data from the network.
+ *
+ * \note           That callback may be either blocking or non-blocking.
+ *
+ * \param ctx      Context for the receive callback (typically a file
+ *                 descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code.
+ *                 If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
+ *                 must be returned when the operation would block.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_t( void *ctx,
+                                unsigned char *buf,
+                                size_t len );
+
+/**
+ * \brief          Callback type: receive data from the network, with timeout
+ *
+ * \note           That callback must block until data is received, or the
+ *                 timeout delay expires, or the operation is interrupted by a
+ *                 signal.
+ *
+ * \param ctx      Context for the receive callback (typically a file descriptor)
+ * \param buf      Buffer to write the received data to
+ * \param len      Length of the receive buffer
+ * \param timeout  Maximum nomber of millisecondes to wait for data
+ *                 0 means no timeout (potentially waiting forever)
+ *
+ * \return         The callback must return the number of bytes received,
+ *                 or a non-zero error code:
+ *                 \c MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ *                 \c MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ *
+ * \note           The callback may receive fewer bytes than the length of the
+ *                 buffer. It must always return the number of bytes actually
+ *                 received and written to the buffer.
+ */
+typedef int mbedtls_ssl_recv_timeout_t( void *ctx,
+                                        unsigned char *buf,
+                                        size_t len,
+                                        uint32_t timeout );
+/**
+ * \brief          Callback type: set a pair of timers/delays to watch
+ *
+ * \param ctx      Context pointer
+ * \param int_ms   Intermediate delay in milliseconds
+ * \param fin_ms   Final delay in milliseconds
+ *                 0 cancels the current timer.
+ *
+ * \note           This callback must at least store the necessary information
+ *                 for the associated \c mbedtls_ssl_get_timer_t callback to
+ *                 return correct information.
+ *
+ * \note           If using a event-driven style of programming, an event must
+ *                 be generated when the final delay is passed. The event must
+ *                 cause a call to \c mbedtls_ssl_handshake() with the proper
+ *                 SSL context to be scheduled. Care must be taken to ensure
+ *                 that at most one such call happens at a time.
+ *
+ * \note           Only one timer at a time must be running. Calling this
+ *                 function while a timer is running must cancel it. Cancelled
+ *                 timers must not generate any event.
+ */
+typedef void mbedtls_ssl_set_timer_t( void * ctx,
+                                      uint32_t int_ms,
+                                      uint32_t fin_ms );
+
+/**
+ * \brief          Callback type: get status of timers/delays
+ *
+ * \param ctx      Context pointer
+ *
+ * \return         This callback must return:
+ *                 -1 if cancelled (fin_ms == 0),
+ *                  0 if none of the delays have passed,
+ *                  1 if only the intermediate delay has passed,
+ *                  2 if the final delay has passed.
+ */
+typedef int mbedtls_ssl_get_timer_t( void * ctx );
+
+/* Defined below */
+typedef struct mbedtls_ssl_session mbedtls_ssl_session;
+typedef struct mbedtls_ssl_context mbedtls_ssl_context;
+typedef struct mbedtls_ssl_config  mbedtls_ssl_config;
+
+/* Defined in ssl_internal.h */
+typedef struct mbedtls_ssl_transform mbedtls_ssl_transform;
+typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params;
+typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief           Callback type: start external signature operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  a signature decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p hash if the value
+ *                  is needed for later processing, because the \p hash buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \note            For RSA signatures, this function must produce output
+ *                  that is consistent with PKCS#1 v1.5 in the same way as
+ *                  mbedtls_rsa_pkcs1_sign(). Before the private key operation,
+ *                  apply the padding steps described in RFC 8017, section 9.2
+ *                  "EMSA-PKCS1-v1_5" as follows.
+ *                  - If \p md_alg is #MBEDTLS_MD_NONE, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the DigestInfo to be
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 3, with `T = hash` and `tLen = hash_len`.
+ *                  - If `md_alg != MBEDTLS_MD_NONE`, apply the PKCS#1 v1.5
+ *                    encoding, treating \p hash as the hash to be encoded and
+ *                    padded. In other words, apply EMSA-PKCS1-v1_5 starting
+ *                    from step 2, with `digestAlgorithm` obtained by calling
+ *                    mbedtls_oid_get_oid_by_md() on \p md_alg.
+ *
+ * \note            For ECDSA signatures, the output format is the DER encoding
+ *                  `Ecdsa-Sig-Value` defined in
+ *                  [RFC 4492 section 5.4](https://tools.ietf.org/html/rfc4492#section-5.4).
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param md_alg          Hash algorithm.
+ * \param hash            Buffer containing the hash. This buffer is
+ *                        no longer valid when the function returns.
+ * \param hash_len        Size of the \c hash buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_sign_t( mbedtls_ssl_context *ssl,
+                                      mbedtls_x509_crt *cert,
+                                      mbedtls_md_type_t md_alg,
+                                      const unsigned char *hash,
+                                      size_t hash_len );
+
+/**
+ * \brief           Callback type: start external decryption operation.
+ *
+ *                  This callback is called during an SSL handshake to start
+ *                  an RSA decryption operation using an
+ *                  external processor. The parameter \p cert contains
+ *                  the public key; it is up to the callback function to
+ *                  determine how to access the associated private key.
+ *
+ *                  This function typically sends or enqueues a request, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  The parameters \p ssl and \p cert are guaranteed to remain
+ *                  valid throughout the handshake. On the other hand, this
+ *                  function must save the contents of \p input if the value
+ *                  is needed for later processing, because the \p input buffer
+ *                  is no longer valid after this function returns.
+ *
+ *                  This function may call mbedtls_ssl_set_async_operation_data()
+ *                  to store an operation context for later retrieval
+ *                  by the resume or cancel callback.
+ *
+ * \warning         RSA decryption as used in TLS is subject to a potential
+ *                  timing side channel attack first discovered by Bleichenbacher
+ *                  in 1998. This attack can be remotely exploitable
+ *                  in practice. To avoid this attack, you must ensure that
+ *                  if the callback performs an RSA decryption, the time it
+ *                  takes to execute and return the result does not depend
+ *                  on whether the RSA decryption succeeded or reported
+ *                  invalid padding.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param cert            Certificate containing the public key.
+ *                        In simple cases, this is one of the pointers passed to
+ *                        mbedtls_ssl_conf_own_cert() when configuring the SSL
+ *                        connection. However, if other callbacks are used, this
+ *                        property may not hold. For example, if an SNI callback
+ *                        is registered with mbedtls_ssl_conf_sni(), then
+ *                        this callback determines what certificate is used.
+ * \param input           Buffer containing the input ciphertext. This buffer
+ *                        is no longer valid when the function returns.
+ * \param input_len       Size of the \p input buffer in bytes.
+ *
+ * \return          0 if the operation was started successfully and the SSL
+ *                  stack should call the resume callback immediately.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  was started successfully and the SSL stack should return
+ *                  immediately without calling the resume callback yet.
+ * \return          #MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH if the external
+ *                  processor does not support this key. The SSL stack will
+ *                  use the private key object instead.
+ * \return          Any other error indicates a fatal failure and is
+ *                  propagated up the call chain. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_decrypt_t( mbedtls_ssl_context *ssl,
+                                         mbedtls_x509_crt *cert,
+                                         const unsigned char *input,
+                                         size_t input_len );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief           Callback type: resume external operation.
+ *
+ *                  This callback is called during an SSL handshake to resume
+ *                  an external operation started by the
+ *                  ::mbedtls_ssl_async_sign_t or
+ *                  ::mbedtls_ssl_async_decrypt_t callback.
+ *
+ *                  This function typically checks the status of a pending
+ *                  request or causes the request queue to make progress, and
+ *                  does not wait for the operation to complete. This allows
+ *                  the handshake step to be non-blocking.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *                  It may call mbedtls_ssl_set_async_operation_data() to modify
+ *                  this context.
+ *
+ *                  Note that when this function returns a status other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it must free any
+ *                  resources associated with the operation.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified other than via
+ *                        mbedtls_ssl_set_async_operation_data().
+ * \param output          Buffer containing the output (signature or decrypted
+ *                        data) on success.
+ * \param output_len      On success, number of bytes written to \p output.
+ * \param output_size     Size of the \p output buffer in bytes.
+ *
+ * \return          0 if output of the operation is available in the
+ *                  \p output buffer.
+ * \return          #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if the operation
+ *                  is still in progress. Subsequent requests for progress
+ *                  on the SSL connection will call the resume callback
+ *                  again.
+ * \return          Any other error means that the operation is aborted.
+ *                  The SSL handshake is aborted. The callback should
+ *                  use \c MBEDTLS_ERR_PK_xxx error codes, and <b>must not</b>
+ *                  use \c MBEDTLS_ERR_SSL_xxx error codes except as
+ *                  directed in the documentation of this callback.
+ */
+typedef int mbedtls_ssl_async_resume_t( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        size_t *output_len,
+                                        size_t output_size );
+
+/**
+ * \brief           Callback type: cancel external operation.
+ *
+ *                  This callback is called if an SSL connection is closed
+ *                  while an asynchronous operation is in progress. Note that
+ *                  this callback is not called if the
+ *                  ::mbedtls_ssl_async_resume_t callback has run and has
+ *                  returned a value other than
+ *                  #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, since in that case
+ *                  the asynchronous operation has already completed.
+ *
+ *                  This function may call mbedtls_ssl_get_async_operation_data()
+ *                  to retrieve an operation context set by the start callback.
+ *
+ * \param ssl             The SSL connection instance. It should not be
+ *                        modified.
+ */
+typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/*
+ * This structure is used for storing current session data.
+ */
+struct mbedtls_ssl_session
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t start;       /*!< starting time      */
+#endif
+    int ciphersuite;            /*!< chosen ciphersuite */
+    int compression;            /*!< chosen compression */
+    size_t id_len;              /*!< session id length  */
+    unsigned char id[32];       /*!< session identifier */
+    unsigned char master[48];   /*!< the master secret  */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_crt *peer_cert;        /*!< peer X.509 cert chain */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    uint32_t verify_result;          /*!<  verification result     */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ticket;      /*!< RFC 5077 session ticket */
+    size_t ticket_len;          /*!< session ticket length   */
+    uint32_t ticket_lifetime;   /*!< ticket lifetime hint    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned char mfl_code;     /*!< MaxFragmentLength negotiated by peer */
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    int trunc_hmac;             /*!< flag for truncated hmac activation   */
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    int encrypt_then_mac;       /*!< flag for EtM activation                */
+#endif
+};
+
+/**
+ * SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
+ */
+struct mbedtls_ssl_config
+{
+    /* Group items by size (largest first) to minimize padding overhead */
+
+    /*
+     * Pointers
+     */
+
+    const int *ciphersuite_list[4]; /*!< allowed ciphersuites per version   */
+
+    /** Callback for printing debug output                                  */
+    void (*f_dbg)(void *, int, const char *, int, const char *);
+    void *p_dbg;                    /*!< context for the debug function     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int  (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+    /** Callback to retrieve a session from the cache                       */
+    int (*f_get_cache)(void *, mbedtls_ssl_session *);
+    /** Callback to store a session into the cache                          */
+    int (*f_set_cache)(void *, const mbedtls_ssl_session *);
+    void *p_cache;                  /*!< context for cache callbacks        */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /** Callback for setting cert according to SNI extension                */
+    int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_sni;                    /*!< context for SNI callback           */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /** Callback to customize X.509 certificate chain verification          */
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;                   /*!< context for X.509 verify calllback */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    /** Callback to retrieve PSK key from identity                          */
+    int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t);
+    void *p_psk;                    /*!< context for PSK callback           */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a cookie for ClientHello veirifcation    */
+    int (*f_cookie_write)( void *, unsigned char **, unsigned char *,
+                           const unsigned char *, size_t );
+    /** Callback to verify validity of a ClientHello cookie                 */
+    int (*f_cookie_check)( void *, const unsigned char *, size_t,
+                           const unsigned char *, size_t );
+    void *p_cookie;                 /*!< context for the cookie callbacks   */
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+    /** Callback to create & write a session ticket                         */
+    int (*f_ticket_write)( void *, const mbedtls_ssl_session *,
+            unsigned char *, const unsigned char *, size_t *, uint32_t * );
+    /** Callback to parse a session ticket into a session structure         */
+    int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t);
+    void *p_ticket;                 /*!< context for the ticket callbacks   */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    /** Callback to export key block and master secret                      */
+    int (*f_export_keys)( void *, const unsigned char *,
+            const unsigned char *, size_t, size_t, size_t );
+    void *p_export_keys;            /*!< context for key export callback    */
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */
+    mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s)        */
+    mbedtls_x509_crt *ca_chain;     /*!< trusted CAs                        */
+    mbedtls_x509_crl *ca_crl;       /*!< trusted CAs CRLs                   */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_async_sign_t *f_async_sign_start; /*!< start asynchronous signature operation */
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt_start; /*!< start asynchronous decryption operation */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+    mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */
+    mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */
+    void *p_async_config_data; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    const int *sig_hashes;          /*!< allowed signature hashes           */
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+    const mbedtls_ecp_group_id *curve_list; /*!< allowed curves             */
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi dhm_P;              /*!< prime modulus for DHM              */
+    mbedtls_mpi dhm_G;              /*!< generator for DHM                  */
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    unsigned char *psk;             /*!< pre-shared key. This field should
+                                         only be set via
+                                         mbedtls_ssl_conf_psk() */
+    size_t         psk_len;         /*!< length of the pre-shared key. This
+                                         field should only be set via
+                                         mbedtls_ssl_conf_psk() */
+    unsigned char *psk_identity;    /*!< identity for PSK negotiation. This
+                                         field should only be set via
+                                         mbedtls_ssl_conf_psk() */
+    size_t         psk_identity_len;/*!< length of identity. This field should
+                                         only be set via
+                                         mbedtls_ssl_conf_psk() */
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char **alpn_list;         /*!< ordered list of protocols          */
+#endif
+
+    /*
+     * Numerical settings (int then char)
+     */
+
+    uint32_t read_timeout;          /*!< timeout for mbedtls_ssl_read (ms)  */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint32_t hs_timeout_min;        /*!< initial value of the handshake
+                                         retransmission timeout (ms)        */
+    uint32_t hs_timeout_max;        /*!< maximum value of the handshake
+                                         retransmission timeout (ms)        */
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_max_records;         /*!< grace period for renegotiation     */
+    unsigned char renego_period[8]; /*!< value of the record counters
+                                         that triggers renegotiation        */
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned int badmac_limit;      /*!< limit of records with a bad MAC    */
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int dhm_min_bitlen;    /*!< min. bit length of the DHM prime   */
+#endif
+
+    unsigned char max_major_ver;    /*!< max. major version used            */
+    unsigned char max_minor_ver;    /*!< max. minor version used            */
+    unsigned char min_major_ver;    /*!< min. major version used            */
+    unsigned char min_minor_ver;    /*!< min. minor version used            */
+
+    /*
+     * Flags (bitfields)
+     */
+
+    unsigned int endpoint : 1;      /*!< 0: client, 1: server               */
+    unsigned int transport : 1;     /*!< stream (TLS) or datagram (DTLS)    */
+    unsigned int authmode : 2;      /*!< MBEDTLS_SSL_VERIFY_XXX             */
+    /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE          */
+    unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX   */
+#if defined(MBEDTLS_ARC4_C)
+    unsigned int arc4_disabled : 1; /*!< blacklist RC4 ciphersuites?        */
+#endif
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    unsigned int mfl_code : 3;      /*!< desired fragment length            */
+#endif
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac?    */
+#endif
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    unsigned int extended_ms : 1;   /*!< negotiate extended master secret?  */
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    unsigned int anti_replay : 1;   /*!< detect and prevent replay?         */
+#endif
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    unsigned int cbc_record_splitting : 1;  /*!< do cbc record splitting    */
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    unsigned int disable_renegotiation : 1; /*!< disable renegotiation?     */
+#endif
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    unsigned int trunc_hmac : 1;    /*!< negotiate truncated hmac?          */
+#endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    unsigned int session_tickets : 1;   /*!< use session tickets?           */
+#endif
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+    unsigned int fallback : 1;      /*!< is this a fallback?                */
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    unsigned int cert_req_ca_list : 1;  /*!< enable sending CA list in
+                                          Certificate Request messages?     */
+#endif
+};
+
+
+struct mbedtls_ssl_context
+{
+    const mbedtls_ssl_config *conf; /*!< configuration information          */
+
+    /*
+     * Miscellaneous
+     */
+    int state;                  /*!< SSL handshake: current state     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renego_status;          /*!< Initial, in progress, pending?   */
+    int renego_records_seen;    /*!< Records since renego request, or with DTLS,
+                                  number of retransmissions of request if
+                                  renego_max_records is < 0           */
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    int major_ver;              /*!< equal to  MBEDTLS_SSL_MAJOR_VERSION_3    */
+    int minor_ver;              /*!< either 0 (SSL3) or 1 (TLS1.0)    */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    unsigned badmac_seen;       /*!< records with a bad MAC received    */
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+    mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
+    mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
+    mbedtls_ssl_recv_timeout_t *f_recv_timeout;
+                                /*!< Callback for network receive with timeout */
+
+    void *p_bio;                /*!< context for I/O operations   */
+
+    /*
+     * Session layer
+     */
+    mbedtls_ssl_session *session_in;            /*!<  current session data (in)   */
+    mbedtls_ssl_session *session_out;           /*!<  current session data (out)  */
+    mbedtls_ssl_session *session;               /*!<  negotiated session data     */
+    mbedtls_ssl_session *session_negotiate;     /*!<  session data in negotiation */
+
+    mbedtls_ssl_handshake_params *handshake;    /*!<  params required only during
+                                              the handshake process        */
+
+    /*
+     * Record layer transformations
+     */
+    mbedtls_ssl_transform *transform_in;        /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform_out;       /*!<  current transform params (in)   */
+    mbedtls_ssl_transform *transform;           /*!<  negotiated transform params     */
+    mbedtls_ssl_transform *transform_negotiate; /*!<  transform params in negotiation */
+
+    /*
+     * Timers
+     */
+    void *p_timer;              /*!< context for the timer callbacks */
+
+    mbedtls_ssl_set_timer_t *f_set_timer;       /*!< set timer callback */
+    mbedtls_ssl_get_timer_t *f_get_timer;       /*!< get timer callback */
+
+    /*
+     * Record layer (incoming data)
+     */
+    unsigned char *in_buf;      /*!< input buffer                     */
+    unsigned char *in_ctr;      /*!< 64-bit incoming message counter
+                                     TLS: maintained by us
+                                     DTLS: read from peer             */
+    unsigned char *in_hdr;      /*!< start of record header           */
+    unsigned char *in_len;      /*!< two-bytes message length field   */
+    unsigned char *in_iv;       /*!< ivlen-byte IV                    */
+    unsigned char *in_msg;      /*!< message contents (in_iv+ivlen)   */
+    unsigned char *in_offt;     /*!< read offset in application data  */
+
+    int in_msgtype;             /*!< record header: message type      */
+    size_t in_msglen;           /*!< record header: message length    */
+    size_t in_left;             /*!< amount of data read so far       */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t in_epoch;          /*!< DTLS epoch for incoming records  */
+    size_t next_record_offset;  /*!< offset of the next record in datagram
+                                     (equal to in_left if none)       */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    uint64_t in_window_top;     /*!< last validated record seq_num    */
+    uint64_t in_window;         /*!< bitmask for replay detection     */
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+    size_t in_hslen;            /*!< current handshake message length,
+                                     including the handshake header   */
+    int nb_zero;                /*!< # of 0-length encrypted messages */
+
+    int keep_current_message;   /*!< drop or reuse current message
+                                     on next call to record layer? */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint8_t disable_datagram_packing;  /*!< Disable packing multiple records
+                                        *   within a single datagram.  */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Record layer (outgoing data)
+     */
+    unsigned char *out_buf;     /*!< output buffer                    */
+    unsigned char *out_ctr;     /*!< 64-bit outgoing message counter  */
+    unsigned char *out_hdr;     /*!< start of record header           */
+    unsigned char *out_len;     /*!< two-bytes message length field   */
+    unsigned char *out_iv;      /*!< ivlen-byte IV                    */
+    unsigned char *out_msg;     /*!< message contents (out_iv+ivlen)  */
+
+    int out_msgtype;            /*!< record header: message type      */
+    size_t out_msglen;          /*!< record header: message length    */
+    size_t out_left;            /*!< amount of data not yet written   */
+
+    unsigned char cur_out_ctr[8]; /*!<  Outgoing record sequence  number. */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    uint16_t mtu;               /*!< path mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    unsigned char *compress_buf;        /*!<  zlib data buffer        */
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    signed char split_done;     /*!< current record already splitted? */
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+    /*
+     * PKI layer
+     */
+    int client_auth;                    /*!<  flag for client auth.   */
+
+    /*
+     * User settings
+     */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    char *hostname;             /*!< expected peer CN for verification
+                                     (and SNI if available)                 */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_ALPN)
+    const char *alpn_chosen;    /*!<  negotiated protocol                   */
+#endif /* MBEDTLS_SSL_ALPN */
+
+    /*
+     * Information for DTLS hello verify
+     */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    unsigned char  *cli_id;         /*!<  transport-level ID of the client  */
+    size_t          cli_id_len;     /*!<  length of cli_id                  */
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+    /*
+     * Secure renegotiation
+     */
+    /* needed to know when to send extension on server */
+    int secure_renegotiation;           /*!<  does peer support legacy or
+                                              secure renegotiation           */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    size_t verify_data_len;             /*!<  length of verify data stored   */
+    char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+    char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!<  previous handshake verify data */
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+};
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+
+#define MBEDTLS_SSL_CHANNEL_OUTBOUND    0
+#define MBEDTLS_SSL_CHANNEL_INBOUND     1
+
+extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
+                const unsigned char *key_enc, const unsigned char *key_dec,
+                size_t keylen,
+                const unsigned char *iv_enc,  const unsigned char *iv_dec,
+                size_t ivlen,
+                const unsigned char *mac_enc, const unsigned char *mac_dec,
+                size_t maclen);
+extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
+extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
+extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/**
+ * \brief               Return the name of the ciphersuite associated with the
+ *                      given ID
+ *
+ * \param ciphersuite_id SSL ciphersuite ID
+ *
+ * \return              a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id );
+
+/**
+ * \brief               Return the ID of the ciphersuite associated with the
+ *                      given name
+ *
+ * \param ciphersuite_name SSL ciphersuite name
+ *
+ * \return              the ID with the ciphersuite or 0 if not found
+ */
+int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name );
+
+/**
+ * \brief          Initialize an SSL context
+ *                 Just makes the context ready for mbedtls_ssl_setup() or
+ *                 mbedtls_ssl_free()
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_init( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Set up an SSL context for use
+ *
+ * \note           No copy of the configuration context is made, it can be
+ *                 shared by many mbedtls_ssl_context structures.
+ *
+ * \warning        The conf structure will be accessed during the session.
+ *                 It must not be modified or freed as long as the session
+ *                 is active.
+ *
+ * \warning        This function must be called exactly once per context.
+ *                 Calling mbedtls_ssl_setup again is not supported, even
+ *                 if no session is active.
+ *
+ * \param ssl      SSL context
+ * \param conf     SSL configuration to use
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if
+ *                 memory allocation failed
+ */
+int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
+                       const mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Reset an already initialized SSL context for re-use
+ *                 while retaining application-set variables, function
+ *                 pointers and data.
+ *
+ * \param ssl      SSL context
+ * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED,
+                   MBEDTLS_ERR_SSL_HW_ACCEL_FAILED or
+ *                 MBEDTLS_ERR_SSL_COMPRESSION_FAILED
+ */
+int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Set the current endpoint type
+ *
+ * \param conf     SSL configuration
+ * \param endpoint must be MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ */
+void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint );
+
+/**
+ * \brief           Set the transport type (TLS or DTLS).
+ *                  Default: TLS
+ *
+ * \note            For DTLS, you must either provide a recv callback that
+ *                  doesn't block, or one that handles timeouts, see
+ *                  \c mbedtls_ssl_set_bio(). You also need to provide timer
+ *                  callbacks with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \param conf      SSL configuration
+ * \param transport transport type:
+ *                  MBEDTLS_SSL_TRANSPORT_STREAM for TLS,
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS.
+ */
+void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
+
+/**
+ * \brief          Set the certificate verification mode
+ *                 Default: NONE on server, REQUIRED on client
+ *
+ * \param conf     SSL configuration
+ * \param authmode can be:
+ *
+ *  MBEDTLS_SSL_VERIFY_NONE:      peer certificate is not checked
+ *                        (default on server)
+ *                        (insecure on client)
+ *
+ *  MBEDTLS_SSL_VERIFY_OPTIONAL:  peer certificate is checked, however the
+ *                        handshake continues even if verification failed;
+ *                        mbedtls_ssl_get_verify_result() can be called after the
+ *                        handshake is complete.
+ *
+ *  MBEDTLS_SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
+ *                        handshake is aborted if verification failed.
+ *                        (default on client)
+ *
+ * \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode.
+ * With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at
+ * the right time(s), which may not be obvious, while REQUIRED always perform
+ * the verification as soon as possible. For example, REQUIRED was protecting
+ * against the "triple handshake" attack even before it was found.
+ */
+void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the verification callback (Optional).
+ *
+ *                 If set, the verify callback is called for each
+ *                 certificate in the chain. For implementation
+ *                 information, please see \c mbedtls_x509_crt_verify()
+ *
+ * \param conf     SSL configuration
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ */
+void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/**
+ * \brief          Set the random number generator callback
+ *
+ * \param conf     SSL configuration
+ * \param f_rng    RNG function
+ * \param p_rng    RNG parameter
+ */
+void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng );
+
+/**
+ * \brief          Set the debug callback
+ *
+ *                 The callback has the following argument:
+ *                 void *           opaque context for the callback
+ *                 int              debug level
+ *                 const char *     file name
+ *                 int              line number
+ *                 const char *     message
+ *
+ * \param conf     SSL configuration
+ * \param f_dbg    debug function
+ * \param p_dbg    debug parameter
+ */
+void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
+                  void (*f_dbg)(void *, int, const char *, int, const char *),
+                  void  *p_dbg );
+
+/**
+ * \brief          Set the underlying BIO callbacks for write, read and
+ *                 read-with-timeout.
+ *
+ * \param ssl      SSL context
+ * \param p_bio    parameter (context) shared by BIO callbacks
+ * \param f_send   write callback
+ * \param f_recv   read callback
+ * \param f_recv_timeout blocking read callback with timeout.
+ *
+ * \note           One of f_recv or f_recv_timeout can be NULL, in which case
+ *                 the other is used. If both are non-NULL, f_recv_timeout is
+ *                 used and f_recv is ignored (as if it were NULL).
+ *
+ * \note           The two most common use cases are:
+ *                 - non-blocking I/O, f_recv != NULL, f_recv_timeout == NULL
+ *                 - blocking I/O, f_recv == NULL, f_recv_timout != NULL
+ *
+ * \note           For DTLS, you need to provide either a non-NULL
+ *                 f_recv_timeout callback, or a f_recv that doesn't block.
+ *
+ * \note           See the documentations of \c mbedtls_ssl_sent_t,
+ *                 \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
+ *                 the conventions those callbacks must follow.
+ *
+ * \note           On some platforms, net_sockets.c provides
+ *                 \c mbedtls_net_send(), \c mbedtls_net_recv() and
+ *                 \c mbedtls_net_recv_timeout() that are suitable to be used
+ *                 here.
+ */
+void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
+                          void *p_bio,
+                          mbedtls_ssl_send_t *f_send,
+                          mbedtls_ssl_recv_t *f_recv,
+                          mbedtls_ssl_recv_timeout_t *f_recv_timeout );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/**
+ * \brief          Set the Maximum Tranport Unit (MTU).
+ *                 Special value: 0 means unset (no limit).
+ *                 This represents the maximum size of a datagram payload
+ *                 handled by the transport layer (usually UDP) as determined
+ *                 by the network link and stack. In practice, this controls
+ *                 the maximum size datagram the DTLS layer will pass to the
+ *                 \c f_send() callback set using \c mbedtls_ssl_set_bio().
+ *
+ * \note           The limit on datagram size is converted to a limit on
+ *                 record payload by subtracting the current overhead of
+ *                 encapsulation and encryption/authentication if any.
+ *
+ * \note           This can be called at any point during the connection, for
+ *                 example when a Path Maximum Transfer Unit (PMTU)
+ *                 estimate becomes available from other sources,
+ *                 such as lower (or higher) protocol layers.
+ *
+ * \note           This setting only controls the size of the packets we send,
+ *                 and does not restrict the size of the datagrams we're
+ *                 willing to receive. Client-side, you can request the
+ *                 server to use smaller records with \c
+ *                 mbedtls_ssl_conf_max_frag_len().
+ *
+ * \note           If both a MTU and a maximum fragment length have been
+ *                 configured (or negotiated with the peer), the resulting
+ *                 lower limit on record payload (see first note) is used.
+ *
+ * \note           This can only be used to decrease the maximum size
+ *                 of datagrams (hence records, see first note) sent. It
+ *                 cannot be used to increase the maximum size of records over
+ *                 the limit set by #MBEDTLS_SSL_OUT_CONTENT_LEN.
+ *
+ * \note           Values lower than the current record layer expansion will
+ *                 result in an error when trying to send data.
+ *
+ * \note           Using record compression together with a non-zero MTU value
+ *                 will result in an error when trying to send data.
+ *
+ * \param ssl      SSL context
+ * \param mtu      Value of the path MTU in bytes
+ */
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/**
+ * \brief          Set the timeout period for mbedtls_ssl_read()
+ *                 (Default: no timeout.)
+ *
+ * \param conf     SSL configuration context
+ * \param timeout  Timeout value in milliseconds.
+ *                 Use 0 for no timeout (default).
+ *
+ * \note           With blocking I/O, this will only work if a non-NULL
+ *                 \c f_recv_timeout was set with \c mbedtls_ssl_set_bio().
+ *                 With non-blocking I/O, this will only work if timer
+ *                 callbacks were set with \c mbedtls_ssl_set_timer_cb().
+ *
+ * \note           With non-blocking I/O, you may also skip this function
+ *                 altogether and handle timeouts at the application layer.
+ */
+void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
+
+/**
+ * \brief          Set the timer callbacks (Mandatory for DTLS.)
+ *
+ * \param ssl      SSL context
+ * \param p_timer  parameter (context) shared by timer callbacks
+ * \param f_set_timer   set timer callback
+ * \param f_get_timer   get timer callback. Must return:
+ *
+ * \note           See the documentation of \c mbedtls_ssl_set_timer_t and
+ *                 \c mbedtls_ssl_get_timer_t for the conventions this pair of
+ *                 callbacks must follow.
+ *
+ * \note           On some platforms, timing.c provides
+ *                 \c mbedtls_timing_set_delay() and
+ *                 \c mbedtls_timing_get_delay() that are suitable for using
+ *                 here, except if using an event-driven style.
+ *
+ * \note           See also the "DTLS tutorial" article in our knowledge base.
+ *                 https://tls.mbed.org/kb/how-to/dtls-tutorial
+ */
+void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
+                               void *p_timer,
+                               mbedtls_ssl_set_timer_t *f_set_timer,
+                               mbedtls_ssl_get_timer_t *f_get_timer );
+
+/**
+ * \brief           Callback type: generate and write session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should generate an encrypted and
+ *                  authenticated ticket for the session and write it to the
+ *                  output buffer. Here, ticket means the opaque ticket part
+ *                  of the NewSessionTicket structure of RFC 5077.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be written in the ticket
+ * \param start     Start of the output buffer
+ * \param end       End of the output buffer
+ * \param tlen      On exit, holds the length written
+ * \param lifetime  On exit, holds the lifetime of the ticket in seconds
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_ticket_write_t( void *p_ticket,
+                                        const mbedtls_ssl_session *session,
+                                        unsigned char *start,
+                                        const unsigned char *end,
+                                        size_t *tlen,
+                                        uint32_t *lifetime );
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Callback type: Export key block and master secret
+ *
+ * \note            This is required for certain uses of TLS, e.g. EAP-TLS
+ *                  (RFC 5216) and Thread. The key pointers are ephemeral and
+ *                  therefore must not be stored. The master secret and keys
+ *                  should not be used directly except as an input to a key
+ *                  derivation function.
+ *
+ * \param p_expkey  Context for the callback
+ * \param ms        Pointer to master secret (fixed length: 48 bytes)
+ * \param kb        Pointer to key block, see RFC 5246 section 6.3
+ *                  (variable length: 2 * maclen + 2 * keylen + 2 * ivlen).
+ * \param maclen    MAC length
+ * \param keylen    Key length
+ * \param ivlen     IV length
+ *
+ * \return          0 if successful, or
+ *                  a specific MBEDTLS_ERR_XXX code.
+ */
+typedef int mbedtls_ssl_export_keys_t( void *p_expkey,
+                                const unsigned char *ms,
+                                const unsigned char *kb,
+                                size_t maclen,
+                                size_t keylen,
+                                size_t ivlen );
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+/**
+ * \brief           Callback type: parse and load session ticket
+ *
+ * \note            This describes what a callback implementation should do.
+ *                  This callback should parse a session ticket as generated
+ *                  by the corresponding mbedtls_ssl_ticket_write_t function,
+ *                  and, if the ticket is authentic and valid, load the
+ *                  session.
+ *
+ * \note            The implementation is allowed to modify the first len
+ *                  bytes of the input buffer, eg to use it as a temporary
+ *                  area for the decrypted ticket contents.
+ *
+ * \param p_ticket  Context for the callback
+ * \param session   SSL session to be loaded
+ * \param buf       Start of the buffer containing the ticket
+ * \param len       Length of the ticket.
+ *
+ * \return          0 if successful, or
+ *                  MBEDTLS_ERR_SSL_INVALID_MAC if not authentic, or
+ *                  MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED if expired, or
+ *                  any other non-zero code for other failures.
+ */
+typedef int mbedtls_ssl_ticket_parse_t( void *p_ticket,
+                                        mbedtls_ssl_session *session,
+                                        unsigned char *buf,
+                                        size_t len );
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Configure SSL session ticket callbacks (server only).
+ *                  (Default: none.)
+ *
+ * \note            On server, session tickets are enabled by providing
+ *                  non-NULL callbacks.
+ *
+ * \note            On client, use \c mbedtls_ssl_conf_session_tickets().
+ *
+ * \param conf      SSL configuration context
+ * \param f_ticket_write    Callback for writing a ticket
+ * \param f_ticket_parse    Callback for parsing a ticket
+ * \param p_ticket          Context shared by the two callbacks
+ */
+void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_ticket_write_t *f_ticket_write,
+        mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+        void *p_ticket );
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+/**
+ * \brief           Configure key export callback.
+ *                  (Default: none.)
+ *
+ * \note            See \c mbedtls_ssl_export_keys_t.
+ *
+ * \param conf      SSL configuration context
+ * \param f_export_keys     Callback for exporting keys
+ * \param p_export_keys     Context for the callback
+ */
+void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_export_keys_t *f_export_keys,
+        void *p_export_keys );
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+/**
+ * \brief           Configure asynchronous private key operation callbacks.
+ *
+ * \param conf              SSL configuration context
+ * \param f_async_sign      Callback to start a signature operation. See
+ *                          the description of ::mbedtls_ssl_async_sign_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any signature
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_decrypt   Callback to start a decryption operation. See
+ *                          the description of ::mbedtls_ssl_async_decrypt_t
+ *                          for more information. This may be \c NULL if the
+ *                          external processor does not support any decryption
+ *                          operation; in this case the private key object
+ *                          associated with the certificate will be used.
+ * \param f_async_resume    Callback to resume an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_resume_t
+ *                          for more information. This may not be \c NULL unless
+ *                          \p f_async_sign and \p f_async_decrypt are both
+ *                          \c NULL.
+ * \param f_async_cancel    Callback to cancel an asynchronous operation. See
+ *                          the description of ::mbedtls_ssl_async_cancel_t
+ *                          for more information. This may be \c NULL if
+ *                          no cleanup is needed.
+ * \param config_data       A pointer to configuration data which can be
+ *                          retrieved with
+ *                          mbedtls_ssl_conf_get_async_config_data(). The
+ *                          library stores this value without dereferencing it.
+ */
+void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_config *conf,
+                                        mbedtls_ssl_async_sign_t *f_async_sign,
+                                        mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+                                        mbedtls_ssl_async_resume_t *f_async_resume,
+                                        mbedtls_ssl_async_cancel_t *f_async_cancel,
+                                        void *config_data );
+
+/**
+ * \brief           Retrieve the configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ *
+ * \param conf      SSL configuration context
+ * \return          The configuration data set by
+ *                  mbedtls_ssl_conf_async_private_cb().
+ */
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf );
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ *
+ * \return          The asynchronous operation user context that was last
+ *                  set during the current handshake. If
+ *                  mbedtls_ssl_set_async_operation_data() has not yet been
+ *                  called during the current handshake, this function returns
+ *                  \c NULL.
+ */
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief           Retrieve the asynchronous operation user context.
+ *
+ * \note            This function may only be called while a handshake
+ *                  is in progress.
+ *
+ * \param ssl       The SSL context to access.
+ * \param ctx       The new value of the asynchronous operation user context.
+ *                  Call mbedtls_ssl_get_async_operation_data() later during the
+ *                  same handshake to retrieve this value.
+ */
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+                                 void *ctx );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/**
+ * \brief          Callback type: generate a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param p        Buffer to write to,
+ *                 must be updated to point right after the cookie
+ * \param end      Pointer to one past the end of the output buffer
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 on success,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_write_t( void *ctx,
+                                unsigned char **p, unsigned char *end,
+                                const unsigned char *info, size_t ilen );
+
+/**
+ * \brief          Callback type: verify a cookie
+ *
+ * \param ctx      Context for the callback
+ * \param cookie   Cookie to verify
+ * \param clen     Length of cookie
+ * \param info     Client ID info that was passed to
+ *                 \c mbedtls_ssl_set_client_transport_id()
+ * \param ilen     Length of info in bytes
+ *
+ * \return         The callback must return 0 if cookie is valid,
+ *                 or a negative error code.
+ */
+typedef int mbedtls_ssl_cookie_check_t( void *ctx,
+                                const unsigned char *cookie, size_t clen,
+                                const unsigned char *info, size_t ilen );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief           Register callbacks for DTLS cookies
+ *                  (Server only. DTLS only.)
+ *
+ *                  Default: dummy callbacks that fail, in order to force you to
+ *                  register working callbacks (and initialize their context).
+ *
+ *                  To disable HelloVerifyRequest, register NULL callbacks.
+ *
+ * \warning         Disabling hello verification allows your server to be used
+ *                  for amplification in DoS attacks against other hosts.
+ *                  Only disable if you known this can't happen in your
+ *                  particular environment.
+ *
+ * \note            See comments on \c mbedtls_ssl_handshake() about handling
+ *                  the MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED that is expected
+ *                  on the first handshake attempt when this is enabled.
+ *
+ * \note            This is also necessary to handle client reconnection from
+ *                  the same port as described in RFC 6347 section 4.2.8 (only
+ *                  the variant with cookies is supported currently). See
+ *                  comments on \c mbedtls_ssl_read() for details.
+ *
+ * \param conf              SSL configuration
+ * \param f_cookie_write    Cookie write callback
+ * \param f_cookie_check    Cookie check callback
+ * \param p_cookie          Context for both callbacks
+ */
+void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie );
+
+/**
+ * \brief          Set client's transport-level identification info.
+ *                 (Server only. DTLS only.)
+ *
+ *                 This is usually the IP address (and port), but could be
+ *                 anything identify the client depending on the underlying
+ *                 network stack. Used for HelloVerifyRequest with DTLS.
+ *                 This is *not* used to route the actual packets.
+ *
+ * \param ssl      SSL context
+ * \param info     Transport-level info identifying the client (eg IP + port)
+ * \param ilen     Length of info in bytes
+ *
+ * \note           An internal copy is made, so the info buffer can be reused.
+ *
+ * \return         0 on success,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory.
+ */
+int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
+                                 const unsigned char *info,
+                                 size_t ilen );
+
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+/**
+ * \brief          Enable or disable anti-replay protection for DTLS.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: enabled.
+ *
+ * \param conf     SSL configuration
+ * \param mode     MBEDTLS_SSL_ANTI_REPLAY_ENABLED or MBEDTLS_SSL_ANTI_REPLAY_DISABLED.
+ *
+ * \warning        Disabling this is a security risk unless the application
+ *                 protocol handles duplicated packets in a safe way. You
+ *                 should not disable this without careful consideration.
+ *                 However, if your application already detects duplicated
+ *                 packets and needs information about them to adjust its
+ *                 transmission strategy, then you'll want to disable this.
+ */
+void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode );
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+/**
+ * \brief          Set a limit on the number of records with a bad MAC
+ *                 before terminating the connection.
+ *                 (DTLS only, no effect on TLS.)
+ *                 Default: 0 (disabled).
+ *
+ * \param conf     SSL configuration
+ * \param limit    Limit, or 0 to disable.
+ *
+ * \note           If the limit is N, then the connection is terminated when
+ *                 the Nth non-authentic record is seen.
+ *
+ * \note           Records with an invalid header are not counted, only the
+ *                 ones going through the authentication-decryption phase.
+ *
+ * \note           This is a security trade-off related to the fact that it's
+ *                 often relatively easy for an active attacker ot inject UDP
+ *                 datagrams. On one hand, setting a low limit here makes it
+ *                 easier for such an attacker to forcibly terminated a
+ *                 connection. On the other hand, a high limit or no limit
+ *                 might make us waste resources checking authentication on
+ *                 many bogus packets.
+ */
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit );
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/**
+ * \brief          Allow or disallow packing of multiple handshake records
+ *                 within a single datagram.
+ *
+ * \param ssl           The SSL context to configure.
+ * \param allow_packing This determines whether datagram packing may
+ *                      be used or not. A value of \c 0 means that every
+ *                      record will be sent in a separate datagram; a
+ *                      value of \c 1 means that, if space permits,
+ *                      multiple handshake messages (including CCS) belonging to
+ *                      a single flight may be packed within a single datagram.
+ *
+ * \note           This is enabled by default and should only be disabled
+ *                 for test purposes, or if datagram packing causes
+ *                 interoperability issues with peers that don't support it.
+ *
+ * \note           Allowing datagram packing reduces the network load since
+ *                 there's less overhead if multiple messages share the same
+ *                 datagram. Also, it increases the handshake efficiency
+ *                 since messages belonging to a single datagram will not
+ *                 be reordered in transit, and so future message buffering
+ *                 or flight retransmission (if no buffering is used) as
+ *                 means to deal with reordering are needed less frequently.
+ *
+ * \note           Application records are not affected by this option and
+ *                 are currently always sent in separate datagrams.
+ *
+ */
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
+                                       unsigned allow_packing );
+
+/**
+ * \brief          Set retransmit timeout values for the DTLS handshake.
+ *                 (DTLS only, no effect on TLS.)
+ *
+ * \param conf     SSL configuration
+ * \param min      Initial timeout value in milliseconds.
+ *                 Default: 1000 (1 second).
+ * \param max      Maximum timeout value in milliseconds.
+ *                 Default: 60000 (60 seconds).
+ *
+ * \note           Default values are from RFC 6347 section 4.2.4.1.
+ *
+ * \note           The 'min' value should typically be slightly above the
+ *                 expected round-trip time to your peer, plus whatever time
+ *                 it takes for the peer to process the message. For example,
+ *                 if your RTT is about 600ms and you peer needs up to 1s to
+ *                 do the cryptographic operations in the handshake, then you
+ *                 should set 'min' slightly above 1600. Lower values of 'min'
+ *                 might cause spurious resends which waste network resources,
+ *                 while larger value of 'min' will increase overall latency
+ *                 on unreliable network links.
+ *
+ * \note           The more unreliable your network connection is, the larger
+ *                 your max / min ratio needs to be in order to achieve
+ *                 reliable handshakes.
+ *
+ * \note           Messages are retransmitted up to log2(ceil(max/min)) times.
+ *                 For example, if min = 1s and max = 5s, the retransmit plan
+ *                 goes: send ... 1s -> resend ... 2s -> resend ... 4s ->
+ *                 resend ... 5s -> give up and return a timeout error.
+ */
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf, uint32_t min, uint32_t max );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Set the session cache callbacks (server-side only)
+ *                 If not set, no session resuming is done (except if session
+ *                 tickets are enabled too).
+ *
+ *                 The session cache has the responsibility to check for stale
+ *                 entries based on timeout. See RFC 5246 for recommendations.
+ *
+ *                 Warning: session.peer_cert is cleared by the SSL/TLS layer on
+ *                 connection shutdown, so do not cache the pointer! Either set
+ *                 it to NULL or make a full copy of the certificate.
+ *
+ *                 The get callback is called once during the initial handshake
+ *                 to enable session resuming. The get function has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_session *session)
+ *                 If a valid entry is found, it should fill the master of
+ *                 the session object with the cached values and return 0,
+ *                 return 1 otherwise. Optionally peer_cert can be set as well
+ *                 if it is properly present in cache entry.
+ *
+ *                 The set callback is called once during the initial handshake
+ *                 to enable session resuming after the entire handshake has
+ *                 been finished. The set function has the following parameters:
+ *                 (void *parameter, const mbedtls_ssl_session *session). The function
+ *                 should create a cache entry for future retrieval based on
+ *                 the data in the session structure and should keep in mind
+ *                 that the mbedtls_ssl_session object presented (and all its referenced
+ *                 data) is cleared by the SSL/TLS layer when the connection is
+ *                 terminated. It is recommended to add metadata to determine if
+ *                 an entry is still valid in the future. Return 0 if
+ *                 successfully cached, return 1 otherwise.
+ *
+ * \param conf           SSL configuration
+ * \param p_cache        parmater (context) for both callbacks
+ * \param f_get_cache    session get callback
+ * \param f_set_cache    session set callback
+ */
+void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
+        void *p_cache,
+        int (*f_get_cache)(void *, mbedtls_ssl_session *),
+        int (*f_set_cache)(void *, const mbedtls_ssl_session *) );
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Request resumption of session (client-side only)
+ *                 Session data is copied from presented session structure.
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid
+ *
+ * \sa             mbedtls_ssl_get_session()
+ */
+int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the preference
+ *                      order. First in the list has the highest preference.
+ *                      (Overrides all version-specific lists)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ *                      Note: The server uses its own preferences
+ *                      over the preference of the client unless
+ *                      MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ */
+void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
+                                   const int *ciphersuites );
+
+/**
+ * \brief               Set the list of allowed ciphersuites and the
+ *                      preference order for a specific version of the protocol.
+ *                      (Only useful on the server side)
+ *
+ *                      The ciphersuites array is not copied, and must remain
+ *                      valid for the lifetime of the ssl_config.
+ *
+ * \param conf          SSL configuration
+ * \param ciphersuites  0-terminated list of allowed ciphersuites
+ * \param major         Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
+ *                      supported)
+ * \param minor         Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                      MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                      MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ *
+ * \note                With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
+ *                      and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ */
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
+                                       const int *ciphersuites,
+                                       int major, int minor );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set the X.509 security profile used for verification
+ *
+ * \note           The restrictions are enforced for all certificates in the
+ *                 chain. However, signatures in the handshake are not covered
+ *                 by this setting but by \b mbedtls_ssl_conf_sig_hashes().
+ *
+ * \param conf     SSL configuration
+ * \param profile  Profile to use
+ */
+void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
+                                    const mbedtls_x509_crt_profile *profile );
+
+/**
+ * \brief          Set the data required to verify peer certificate
+ *
+ * \note           See \c mbedtls_x509_crt_verify() for notes regarding the
+ *                 parameters ca_chain (maps to trust_ca for that function)
+ *                 and ca_crl.
+ *
+ * \param conf     SSL configuration
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl );
+
+/**
+ * \brief          Set own certificate chain and private key
+ *
+ * \note           own_cert should contain in order from the bottom up your
+ *                 certificate chain. The top certificate (self-signed)
+ *                 can be omitted.
+ *
+ * \note           On server, this function can be called multiple times to
+ *                 provision more than one cert/key pair (eg one ECDSA, one
+ *                 RSA with SHA-256, one RSA with SHA-1). An adequate
+ *                 certificate will be selected according to the client's
+ *                 advertised capabilities. In case multiple certificates are
+ *                 adequate, preference is given to the one set by the first
+ *                 call to this function, then second, etc.
+ *
+ * \note           On client, only the first call has any effect. That is,
+ *                 only one client certificate can be provisioned. The
+ *                 server's preferences in its CertficateRequest message will
+ *                 be ignored and our only cert will be sent regardless of
+ *                 whether it matches those preferences - the server can then
+ *                 decide what it wants to do with it.
+ *
+ * \note           The provided \p pk_key needs to match the public key in the
+ *                 first certificate in \p own_cert, or all handshakes using
+ *                 that certificate will fail. It is your responsibility
+ *                 to ensure that; this function will not perform any check.
+ *                 You may use mbedtls_pk_check_pair() in order to perform
+ *                 this check yourself, but be aware that this function can
+ *                 be computationally expensive on some key types.
+ *
+ * \param conf     SSL configuration
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+/**
+ * \brief          Set the Pre Shared Key (PSK) and the expected identity name
+ *
+ * \note           This is mainly useful for clients. Servers will usually
+ *                 want to use \c mbedtls_ssl_conf_psk_cb() instead.
+ *
+ * \note           Currently clients can only register one pre-shared key.
+ *                 In other words, the servers' identity hint is ignored.
+ *                 Support for setting multiple PSKs on clients and selecting
+ *                 one based on the identity hint is not a planned feature but
+ *                 feedback is welcomed.
+ *
+ * \param conf     SSL configuration
+ * \param psk      pointer to the pre-shared key
+ * \param psk_len  pre-shared key length
+ * \param psk_identity      pointer to the pre-shared key identity
+ * \param psk_identity_len  identity key length
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
+                const unsigned char *psk, size_t psk_len,
+                const unsigned char *psk_identity, size_t psk_identity_len );
+
+
+/**
+ * \brief          Set the Pre Shared Key (PSK) for the current handshake
+ *
+ * \note           This should only be called inside the PSK callback,
+ *                 ie the function passed to \c mbedtls_ssl_conf_psk_cb().
+ *
+ * \param ssl      SSL context
+ * \param psk      pointer to the pre-shared key
+ * \param psk_len  pre-shared key length
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
+                            const unsigned char *psk, size_t psk_len );
+
+/**
+ * \brief          Set the PSK callback (server-side only).
+ *
+ *                 If set, the PSK callback is called for each
+ *                 handshake where a PSK ciphersuite was negotiated.
+ *                 The caller provides the identity received and wants to
+ *                 receive the actual PSK data and length.
+ *
+ *                 The callback has the following parameters: (void *parameter,
+ *                 mbedtls_ssl_context *ssl, const unsigned char *psk_identity,
+ *                 size_t identity_len)
+ *                 If a valid PSK identity is found, the callback should use
+ *                 \c mbedtls_ssl_set_hs_psk() on the ssl context to set the
+ *                 correct PSK and return 0.
+ *                 Any other return value will result in a denied PSK identity.
+ *
+ * \note           If you set a PSK callback using this function, then you
+ *                 don't need to set a PSK key and identity using
+ *                 \c mbedtls_ssl_conf_psk().
+ *
+ * \param conf     SSL configuration
+ * \param f_psk    PSK identity function
+ * \param p_psk    PSK identity parameter
+ */
+void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
+                     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                                  size_t),
+                     void *p_psk );
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read as hexadecimal strings (server-side only)
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG])
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator
+ *
+ * \deprecated     Superseded by \c mbedtls_ssl_conf_dh_param_bin.
+ *
+ * \return         0 if successful
+ */
+MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf,
+                                                  const char *dhm_P,
+                                                  const char *dhm_G );
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values
+ *                 from big-endian binary presentations.
+ *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_P    Diffie-Hellman-Merkle modulus in big-endian binary form
+ * \param P_len    Length of DHM modulus
+ * \param dhm_G    Diffie-Hellman-Merkle generator in big-endian binary form
+ * \param G_len    Length of DHM generator
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
+                                   const unsigned char *dhm_P, size_t P_len,
+                                   const unsigned char *dhm_G,  size_t G_len );
+
+/**
+ * \brief          Set the Diffie-Hellman public P and G values,
+ *                 read from existing context (server-side only)
+ *
+ * \param conf     SSL configuration
+ * \param dhm_ctx  Diffie-Hellman-Merkle context
+ *
+ * \return         0 if successful
+ */
+int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx );
+#endif /* MBEDTLS_DHM_C && defined(MBEDTLS_SSL_SRV_C) */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the minimum length for Diffie-Hellman parameters.
+ *                 (Client-side only.)
+ *                 (Default: 1024 bits.)
+ *
+ * \param conf     SSL configuration
+ * \param bitlen   Minimum bit length of the DHM prime
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
+                                      unsigned int bitlen );
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_ECP_C)
+/**
+ * \brief          Set the allowed curves in order of preference.
+ *                 (Default: all defined curves.)
+ *
+ *                 On server: this only affects selection of the ECDHE curve;
+ *                 the curves used for ECDH and ECDSA are determined by the
+ *                 list of available certificates instead.
+ *
+ *                 On client: this affects the list of curves offered for any
+ *                 use. The server can override our preference order.
+ *
+ *                 Both sides: limits the set of curves accepted for use in
+ *                 ECDHE and in the peer's end-entity certificate.
+ *
+ * \note           This has no influence on which curves are allowed inside the
+ *                 certificate chains, see \c mbedtls_ssl_conf_cert_profile()
+ *                 for that. For the end-entity certificate however, the key
+ *                 will be accepted only if it is allowed both by this list
+ *                 and by the cert profile.
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred curve first).
+ *
+ * \param conf     SSL configuration
+ * \param curves   Ordered list of allowed curves,
+ *                 terminated by MBEDTLS_ECP_DP_NONE.
+ */
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
+                              const mbedtls_ecp_group_id *curves );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/**
+ * \brief          Set the allowed hashes for signatures during the handshake.
+ *                 (Default: all available hashes except MD5.)
+ *
+ * \note           This only affects which hashes are offered and can be used
+ *                 for signatures during the handshake. Hashes for message
+ *                 authentication and the TLS PRF are controlled by the
+ *                 ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes
+ *                 used for certificate signature are controlled by the
+ *                 verification profile, see \c mbedtls_ssl_conf_cert_profile().
+ *
+ * \note           This list should be ordered by decreasing preference
+ *                 (preferred hash first).
+ *
+ * \param conf     SSL configuration
+ * \param hashes   Ordered list of allowed signature hashes,
+ *                 terminated by \c MBEDTLS_MD_NONE.
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+                                  const int *hashes );
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Set or reset the hostname to check against the received
+ *                 server certificate. It sets the ServerName TLS extension,
+ *                 too, if that extension is enabled. (client-side only)
+ *
+ * \param ssl      SSL context
+ * \param hostname the server hostname, may be NULL to clear hostname
+
+ * \note           Maximum hostname length MBEDTLS_SSL_MAX_HOST_NAME_LEN.
+ *
+ * \return         0 if successful, MBEDTLS_ERR_SSL_ALLOC_FAILED on
+ *                 allocation failure, MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
+ *                 too long input hostname.
+ *
+ *                 Hostname set to the one provided on success (cleared
+ *                 when NULL). On allocation failure hostname is cleared.
+ *                 On too long input failure, old hostname is unchanged.
+ */
+int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+/**
+ * \brief          Set own certificate and key for the current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_own_cert() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param own_cert own public certificate chain
+ * \param pk_key   own private key
+ *
+ * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ */
+int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *own_cert,
+                                 mbedtls_pk_context *pk_key );
+
+/**
+ * \brief          Set the data required to verify peer certificate for the
+ *                 current handshake
+ *
+ * \note           Same as \c mbedtls_ssl_conf_ca_chain() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
+ * \param ca_crl   trusted CA CRLs
+ */
+void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
+                                  mbedtls_x509_crt *ca_chain,
+                                  mbedtls_x509_crl *ca_crl );
+
+/**
+ * \brief          Set authmode for the current handshake.
+ *
+ * \note           Same as \c mbedtls_ssl_conf_authmode() but for use within
+ *                 the SNI callback.
+ *
+ * \param ssl      SSL context
+ * \param authmode MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL or
+ *                 MBEDTLS_SSL_VERIFY_REQUIRED
+ */
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+                                  int authmode );
+
+/**
+ * \brief          Set server side ServerName TLS extension callback
+ *                 (optional, server-side only).
+ *
+ *                 If set, the ServerName callback is called whenever the
+ *                 server receives a ServerName TLS extension from the client
+ *                 during a handshake. The ServerName callback has the
+ *                 following parameters: (void *parameter, mbedtls_ssl_context *ssl,
+ *                 const unsigned char *hostname, size_t len). If a suitable
+ *                 certificate is found, the callback must set the
+ *                 certificate(s) and key(s) to use with \c
+ *                 mbedtls_ssl_set_hs_own_cert() (can be called repeatedly),
+ *                 and may optionally adjust the CA and associated CRL with \c
+ *                 mbedtls_ssl_set_hs_ca_chain() as well as the client
+ *                 authentication mode with \c mbedtls_ssl_set_hs_authmode(),
+ *                 then must return 0. If no matching name is found, the
+ *                 callback must either set a default cert, or
+ *                 return non-zero to abort the handshake at this point.
+ *
+ * \param conf     SSL configuration
+ * \param f_sni    verification function
+ * \param p_sni    verification parameter
+ */
+void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
+                  int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *,
+                               size_t),
+                  void *p_sni );
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/**
+ * \brief          Set the EC J-PAKE password for current handshake.
+ *
+ * \note           An internal copy is made, and destroyed as soon as the
+ *                 handshake is completed, or when the SSL context is reset or
+ *                 freed.
+ *
+ * \note           The SSL context needs to be already set up. The right place
+ *                 to call this function is between \c mbedtls_ssl_setup() or
+ *                 \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake().
+ *
+ * \param ssl      SSL context
+ * \param pw       EC J-PAKE password (pre-shared secret)
+ * \param pw_len   length of pw in bytes
+ *
+ * \return         0 on success, or a negative error code.
+ */
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
+                                         const unsigned char *pw,
+                                         size_t pw_len );
+#endif /*MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+/**
+ * \brief          Set the supported Application Layer Protocols.
+ *
+ * \param conf     SSL configuration
+ * \param protos   Pointer to a NULL-terminated list of supported protocols,
+ *                 in decreasing preference order. The pointer to the list is
+ *                 recorded by the library for later reference as required, so
+ *                 the lifetime of the table must be atleast as long as the
+ *                 lifetime of the SSL configuration structure.
+ *
+ * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
+ */
+int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos );
+
+/**
+ * \brief          Get the name of the negotiated Application Layer Protocol.
+ *                 This function should be called after the handshake is
+ *                 completed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Protcol name, or NULL if no protocol was negotiated.
+ */
+const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_ALPN */
+
+/**
+ * \brief          Set the maximum supported version sent from the client side
+ *                 and/or accepted at the server side
+ *                 (Default: MBEDTLS_SSL_MAX_MAJOR_VERSION, MBEDTLS_SSL_MAX_MINOR_VERSION)
+ *
+ * \note           This ignores ciphersuites from higher versions.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
+
+/**
+ * \brief          Set the minimum accepted SSL/TLS protocol version
+ *                 (Default: TLS 1.0)
+ *
+ * \note           Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                 SSL_MIN_XXXXX_VERSION range is ignored.
+ *
+ * \note           MBEDTLS_SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
+ *
+ * \note           With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
+ *
+ * \param conf     SSL configuration
+ * \param major    Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
+ * \param minor    Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
+ *                 MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
+ *                 MBEDTLS_SSL_MINOR_VERSION_3 supported)
+ */
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Set the fallback flag (client-side only).
+ *                 (Default: MBEDTLS_SSL_IS_NOT_FALLBACK).
+ *
+ * \note           Set to MBEDTLS_SSL_IS_FALLBACK when preparing a fallback
+ *                 connection, that is a connection with max_version set to a
+ *                 lower value than the value you're willing to use. Such
+ *                 fallback connections are not recommended but are sometimes
+ *                 necessary to interoperate with buggy (version-intolerant)
+ *                 servers.
+ *
+ * \warning        You should NOT set this to MBEDTLS_SSL_IS_FALLBACK for
+ *                 non-fallback connections! This would appear to work for a
+ *                 while, then cause failures when the server is upgraded to
+ *                 support a newer TLS version.
+ *
+ * \param conf     SSL configuration
+ * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK
+ */
+void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback );
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+/**
+ * \brief           Enable or disable Encrypt-then-MAC
+ *                  (Default: MBEDTLS_SSL_ETM_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security
+ *                  improvement, and should not cause any interoperability
+ *                  issue (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param etm       MBEDTLS_SSL_ETM_ENABLED or MBEDTLS_SSL_ETM_DISABLED
+ */
+void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm );
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+/**
+ * \brief           Enable or disable Extended Master Secret negotiation.
+ *                  (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)
+ *
+ * \note            This should always be enabled, it is a security fix to the
+ *                  protocol, and should not cause any interoperability issue
+ *                  (used only if the peer supports it too).
+ *
+ * \param conf      SSL configuration
+ * \param ems       MBEDTLS_SSL_EXTENDED_MS_ENABLED or MBEDTLS_SSL_EXTENDED_MS_DISABLED
+ */
+void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems );
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_ARC4_C)
+/**
+ * \brief          Disable or enable support for RC4
+ *                 (Default: MBEDTLS_SSL_ARC4_DISABLED)
+ *
+ * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
+ *                 for security reasons. Use at your own risk.
+ *
+ * \note           This function is deprecated and will likely be removed in
+ *                 a future version of the library.
+ *                 RC4 is disabled by default at compile time and needs to be
+ *                 actively enabled for use with legacy systems.
+ *
+ * \param conf     SSL configuration
+ * \param arc4     MBEDTLS_SSL_ARC4_ENABLED or MBEDTLS_SSL_ARC4_DISABLED
+ */
+void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+/**
+ * \brief          Whether to send a list of acceptable CAs in
+ *                 CertificateRequest messages.
+ *                 (Default: do send)
+ *
+ * \param conf     SSL configuration
+ * \param cert_req_ca_list   MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
+ *                          MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
+ */
+void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
+                                          char cert_req_ca_list );
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Set the maximum fragment length to emit and/or negotiate.
+ *                 (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and
+ *                 #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes)
+ *                 (Server: set maximum fragment length to emit,
+ *                 usually negotiated by the client during handshake)
+ *                 (Client: set maximum fragment length to emit *and*
+ *                 negotiate with the server during handshake)
+ *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+ *
+ * \note           On the client side, the maximum fragment length extension
+ *                 *will not* be used, unless the maximum fragment length has
+ *                 been set via this function to a value different than
+ *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
+ *
+ * \note           This sets the maximum length for a record's payload,
+ *                 excluding record overhead that will be added to it, see
+ *                 \c mbedtls_ssl_get_record_expansion().
+ *
+ * \note           With TLS, this currently only affects ApplicationData (sent
+ *                 with \c mbedtls_ssl_read()), not handshake messages.
+ *                 With DTLS, this affects both ApplicationData and handshake.
+ *
+ * \note           For DTLS, it is also possible to set a limit for the total
+ *                 size of daragrams passed to the transport layer, including
+ *                 record overhead, see \c mbedtls_ssl_set_mtu().
+ *
+ * \param conf     SSL configuration
+ * \param mfl_code Code for maximum fragment length (allowed values:
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_512,  MBEDTLS_SSL_MAX_FRAG_LEN_1024,
+ *                 MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
+ *
+ * \return         0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ */
+int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+/**
+ * \brief          Activate negotiation of truncated HMAC
+ *                 (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ *
+ * \param conf     SSL configuration
+ * \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
+ *                                    MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
+ */
+void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+/**
+ * \brief          Enable / Disable 1/n-1 record splitting
+ *                 (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED)
+ *
+ * \note           Only affects SSLv3 and TLS 1.0, not higher versions.
+ *                 Does not affect non-CBC ciphersuites in any version.
+ *
+ * \param conf     SSL configuration
+ * \param split    MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or
+ *                 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
+ */
+void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split );
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Enable / Disable session tickets (client only).
+ *                 (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
+ *
+ * \note           On server, use \c mbedtls_ssl_conf_session_tickets_cb().
+ *
+ * \param conf     SSL configuration
+ * \param use_tickets   Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
+ *                                         MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
+ */
+void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets );
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enable / Disable renegotiation support for connection when
+ *                 initiated by peer
+ *                 (Default: MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ *
+ * \warning        It is recommended to always disable renegotation unless you
+ *                 know you need it and you know what you're doing. In the
+ *                 past, there have been several issues associated with
+ *                 renegotiation or a poor understanding of its properties.
+ *
+ * \note           Server-side, enabling renegotiation also makes the server
+ *                 susceptible to a resource DoS by a malicious client.
+ *
+ * \param conf    SSL configuration
+ * \param renegotiation     Enable or disable (MBEDTLS_SSL_RENEGOTIATION_ENABLED or
+ *                                             MBEDTLS_SSL_RENEGOTIATION_DISABLED)
+ */
+void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Prevent or allow legacy renegotiation.
+ *                 (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
+ *
+ *                 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION allows connections to
+ *                 be established even if the peer does not support
+ *                 secure renegotiation, but does not allow renegotiation
+ *                 to take place if not secure.
+ *                 (Interoperable and secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION allows renegotiations
+ *                 with non-upgraded peers. Allowing legacy renegotiation
+ *                 makes the connection vulnerable to specific man in the
+ *                 middle attacks. (See RFC 5746)
+ *                 (Most interoperable and least secure option)
+ *
+ *                 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE breaks off connections
+ *                 if peer does not support secure renegotiation. Results
+ *                 in interoperability issues with non-upgraded peers
+ *                 that do not support renegotiation altogether.
+ *                 (Most secure option, interoperability issues)
+ *
+ * \param conf     SSL configuration
+ * \param allow_legacy  Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
+ *                                        SSL_ALLOW_LEGACY_RENEGOTIATION or
+ *                                        MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE)
+ */
+void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Enforce renegotiation requests.
+ *                 (Default: enforced, max_records = 16)
+ *
+ *                 When we request a renegotiation, the peer can comply or
+ *                 ignore the request. This function allows us to decide
+ *                 whether to enforce our renegotiation requests by closing
+ *                 the connection if the peer doesn't comply.
+ *
+ *                 However, records could already be in transit from the peer
+ *                 when the request is emitted. In order to increase
+ *                 reliability, we can accept a number of records before the
+ *                 expected handshake records.
+ *
+ *                 The optimal value is highly dependent on the specific usage
+ *                 scenario.
+ *
+ * \note           With DTLS and server-initiated renegotiation, the
+ *                 HelloRequest is retransmited every time mbedtls_ssl_read() times
+ *                 out or receives Application Data, until:
+ *                 - max_records records have beens seen, if it is >= 0, or
+ *                 - the number of retransmits that would happen during an
+ *                 actual handshake has been reached.
+ *                 Please remember the request might be lost a few times
+ *                 if you consider setting max_records to a really low value.
+ *
+ * \warning        On client, the grace period can only happen during
+ *                 mbedtls_ssl_read(), as opposed to mbedtls_ssl_write() and mbedtls_ssl_renegotiate()
+ *                 which always behave as if max_record was 0. The reason is,
+ *                 if we receive application data from the server, we need a
+ *                 place to write it, which only happens during mbedtls_ssl_read().
+ *
+ * \param conf     SSL configuration
+ * \param max_records Use MBEDTLS_SSL_RENEGOTIATION_NOT_ENFORCED if you don't want to
+ *                 enforce renegotiation, or a non-negative value to enforce
+ *                 it but allow for a grace period of max_records records.
+ */
+void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records );
+
+/**
+ * \brief          Set record counter threshold for periodic renegotiation.
+ *                 (Default: 2^48 - 1)
+ *
+ *                 Renegotiation is automatically triggered when a record
+ *                 counter (outgoing or ingoing) crosses the defined
+ *                 threshold. The default value is meant to prevent the
+ *                 connection from being closed when the counter is about to
+ *                 reached its maximal value (it is not allowed to wrap).
+ *
+ *                 Lower values can be used to enforce policies such as "keys
+ *                 must be refreshed every N packets with cipher X".
+ *
+ *                 The renegotiation period can be disabled by setting
+ *                 conf->disable_renegotiation to
+ *                 MBEDTLS_SSL_RENEGOTIATION_DISABLED.
+ *
+ * \note           When the configured transport is
+ *                 MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation
+ *                 period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM,
+ *                 the maximum renegotiation period is 2^64 - 1.
+ *
+ * \param conf     SSL configuration
+ * \param period   The threshold value: a big-endian 64-bit number.
+ */
+void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+                                   const unsigned char period[8] );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Check if there is data already read from the
+ *                 underlying transport but not yet processed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if nothing's pending, 1 otherwise.
+ *
+ * \note           This is different in purpose and behaviour from
+ *                 \c mbedtls_ssl_get_bytes_avail in that it considers
+ *                 any kind of unprocessed data, not only unread
+ *                 application data. If \c mbedtls_ssl_get_bytes
+ *                 returns a non-zero value, this function will
+ *                 also signal pending data, but the converse does
+ *                 not hold. For example, in DTLS there might be
+ *                 further records waiting to be processed from
+ *                 the current underlying transport's datagram.
+ *
+ * \note           If this function returns 1 (data pending), this
+ *                 does not imply that a subsequent call to
+ *                 \c mbedtls_ssl_read will provide any data;
+ *                 e.g., the unprocessed data might turn out
+ *                 to be an alert or a handshake message.
+ *
+ * \note           This function is useful in the following situation:
+ *                 If the SSL/TLS module successfully returns from an
+ *                 operation - e.g. a handshake or an application record
+ *                 read - and you're awaiting incoming data next, you
+ *                 must not immediately idle on the underlying transport
+ *                 to have data ready, but you need to check the value
+ *                 of this function first. The reason is that the desired
+ *                 data might already be read but not yet processed.
+ *                 If, in contrast, a previous call to the SSL/TLS module
+ *                 returned MBEDTLS_ERR_SSL_WANT_READ, it is not necessary
+ *                 to call this function, as the latter error code entails
+ *                 that all internal data has been processed.
+ *
+ */
+int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the number of application data bytes
+ *                 remaining to be read from the current record.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         How many bytes are available in the application
+ *                 data record read buffer.
+ *
+ * \note           When working over a datagram transport, this is
+ *                 useful to detect the current datagram's boundary
+ *                 in case \c mbedtls_ssl_read has written the maximal
+ *                 amount of data fitting into the input buffer.
+ *
+ */
+size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the result of the certificate verification
+ *
+ * \param ssl      The SSL context to use.
+ *
+ * \return         \c 0 if the certificate verification was successful.
+ * \return         \c -1u if the result is not available. This may happen
+ *                 e.g. if the handshake aborts early, or a verification
+ *                 callback returned a fatal error.
+ * \return         A bitwise combination of \c MBEDTLS_X509_BADCERT_XXX
+ *                 and \c MBEDTLS_X509_BADCRL_XXX failure flags; see x509.h.
+ */
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the name of the current ciphersuite
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the ciphersuite name
+ */
+const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the current SSL version (SSLv3/TLSv1/etc)
+ *
+ * \param ssl      SSL context
+ *
+ * \return         a string containing the SSL version
+ */
+const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Return the (maximum) number of bytes added by the record
+ *                 layer: header + encryption/MAC overhead (inc. padding)
+ *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum record expansion in bytes, or
+ *                 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if compression is
+ *                 enabled, which makes expansion much less predictable
+ */
+int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/**
+ * \brief          Return the maximum fragment length (payload, in bytes).
+ *                 This is the value negotiated with peer if any,
+ *                 or the locally configured value.
+ *
+ * \sa             mbedtls_ssl_conf_max_frag_len()
+ * \sa             mbedtls_ssl_get_max_record_payload()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum fragment length.
+ */
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+/**
+ * \brief          Return the current maximum outgoing record payload in bytes.
+ *                 This takes into account the config.h setting \c
+ *                 MBEDTLS_SSL_OUT_CONTENT_LEN, the configured and negotiated
+ *                 max fragment length extension if used, and for DTLS the
+ *                 path MTU as configured and current record expansion.
+ *
+ * \note           With DTLS, \c mbedtls_ssl_write() will return an error if
+ *                 called with a larger length value.
+ *                 With TLS, \c mbedtls_ssl_write() will fragment the input if
+ *                 necessary and return the number of bytes written; it is up
+ *                 to the caller to call \c mbedtls_ssl_write() again in
+ *                 order to send the remaining bytes if any.
+ *
+ * \note           This function is not available (always returns an error)
+ *                 when record compression is enabled.
+ *
+ * \sa             mbedtls_ssl_set_mtu()
+ * \sa             mbedtls_ssl_get_max_frag_len()
+ * \sa             mbedtls_ssl_get_record_expansion()
+ *
+ * \param ssl      SSL context
+ *
+ * \return         Current maximum payload for an outgoing record,
+ *                 or a negative error code.
+ */
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * \brief          Return the peer certificate from the current connection
+ *
+ *                 Note: Can be NULL in case no certificate was sent during
+ *                 the handshake. Different calls for the same connection can
+ *                 return the same or different pointers for the same
+ *                 certificate and even a different certificate altogether.
+ *                 The peer cert CAN change in a single connection if
+ *                 renegotiation is performed.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         the current peer certificate
+ */
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+/**
+ * \brief          Save session in order to resume it later (client-side only)
+ *                 Session data is copied to presented session structure.
+ *
+ *
+ * \param ssl      SSL context
+ * \param session  session context
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed,
+ *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or
+ *                 arguments are otherwise invalid.
+ *
+ * \note           Only the server certificate is copied, and not the full chain,
+ *                 so you should not attempt to validate the certificate again
+ *                 by calling \c mbedtls_x509_crt_verify() on it.
+ *                 Instead, you should use the results from the verification
+ *                 in the original handshake by calling \c mbedtls_ssl_get_verify_result()
+ *                 after loading the session again into a new SSL context
+ *                 using \c mbedtls_ssl_set_session().
+ *
+ * \note           Once the session object is not needed anymore, you should
+ *                 free it by calling \c mbedtls_ssl_session_free().
+ *
+ * \sa             mbedtls_ssl_set_session()
+ */
+int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session );
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/**
+ * \brief          Perform the SSL handshake
+ *
+ * \param ssl      SSL context
+ *
+ * \return         \c 0 if successful.
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
+ *                 and the client did not demonstrate reachability yet - in
+ *                 this case you must stop using the context (see below).
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           If DTLS is in use, then you may choose to handle
+ *                 #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED specially for logging
+ *                 purposes, as it is an expected return value rather than an
+ *                 actual error, but you still need to reset/free the context.
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                 from the underlying transport layer is currently being processed,
+ *                 and it is safe to idle until the timer or the underlying transport
+ *                 signal a new event. This is not true for a successful handshake,
+ *                 in which case the datagram of the underlying transport that is
+ *                 currently being processed might or might not contain further
+ *                 DTLS records.
+ */
+int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Perform a single step of the SSL handshake
+ *
+ * \note           The state of the context (ssl->state) will be at
+ *                 the next state after this function returns \c 0. Do not
+ *                 call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         See mbedtls_ssl_handshake().
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
+ */
+int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+/**
+ * \brief          Initiate an SSL renegotiation on the running connection.
+ *                 Client: perform the renegotiation right now.
+ *                 Server: request renegotiation, which will be performed
+ *                 during the next call to mbedtls_ssl_read() if honored by
+ *                 client.
+ *
+ * \param ssl      SSL context
+ *
+ * \return         0 if successful, or any mbedtls_ssl_handshake() return
+ *                 value except #MBEDTLS_ERR_SSL_CLIENT_RECONNECT that can't
+ *                 happen during a renegotiation.
+ *
+ * \warning        If this function returns something other than \c 0,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS, you must stop using
+ *                 the SSL context for reading or writing, and either free it
+ *                 or call \c mbedtls_ssl_session_reset() on it before
+ *                 re-using it for a new connection; the current connection
+ *                 must be closed.
+ *
+ */
+int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl );
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/**
+ * \brief          Read at most 'len' application data bytes
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer that will hold the data
+ * \param len      maximum number of bytes to read
+ *
+ * \return         The (positive) number of bytes read if successful.
+ * \return         \c 0 if the read end of the underlying transport was closed
+ *                 - in this case you must stop using the context (see below).
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
+ *                 side of a DTLS connection and the client is initiating a
+ *                 new connection using the same source port. See below.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a positive value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CLIENT_RECONNECT,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ *                 (which can only happen server-side), it means that a client
+ *                 is initiating a new connection using the same source port.
+ *                 You can either treat that as a connection close and wait
+ *                 for the client to resend a ClientHello, or directly
+ *                 continue with \c mbedtls_ssl_handshake() with the same
+ *                 context (as it has been reset internally). Either way, you
+ *                 must make sure this is seen by the application as a new
+ *                 connection: application state, if any, should be reset, and
+ *                 most importantly the identity of the client must be checked
+ *                 again. WARNING: not validating the identity of the client
+ *                 again, or not transmitting the new identity to the
+ *                 application layer, would allow authentication bypass!
+ *
+ * \note           Remarks regarding event-driven DTLS:
+ *                 - If the function returns #MBEDTLS_ERR_SSL_WANT_READ, no datagram
+ *                   from the underlying transport layer is currently being processed,
+ *                   and it is safe to idle until the timer or the underlying transport
+ *                   signal a new event.
+ *                 - This function may return MBEDTLS_ERR_SSL_WANT_READ even if data was
+ *                   initially available on the underlying transport, as this data may have
+ *                   been only e.g. duplicated messages or a renegotiation request.
+ *                   Therefore, you must be prepared to receive MBEDTLS_ERR_SSL_WANT_READ even
+ *                   when reacting to an incoming-data event from the underlying transport.
+ *                 - On success, the datagram of the underlying transport that is currently
+ *                   being processed may contain further DTLS records. You should call
+ *                   \c mbedtls_ssl_check_pending to check for remaining records.
+ *
+ */
+int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len );
+
+/**
+ * \brief          Try to write exactly 'len' application data bytes
+ *
+ * \warning        This function will do partial writes in some cases. If the
+ *                 return value is non-negative but less than length, the
+ *                 function must be called again with updated arguments:
+ *                 buf + ret, len - ret (if ret is the return value) until
+ *                 it returns a value equal to the last 'len' argument.
+ *
+ * \param ssl      SSL context
+ * \param buf      buffer holding the data
+ * \param len      how many bytes must be written
+ *
+ * \return         The (non-negative) number of bytes actually written if
+ *                 successful (may be less than \p len).
+ * \return         #MBEDTLS_ERR_SSL_WANT_READ or #MBEDTLS_ERR_SSL_WANT_WRITE
+ *                 if the handshake is incomplete and waiting for data to
+ *                 be available for reading from or writing to the underlying
+ *                 transport - in this case you must call this function again
+ *                 when the underlying transport is ready for the operation.
+ * \return         #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS if an asynchronous
+ *                 operation is in progress (see
+ *                 mbedtls_ssl_conf_async_private_cb()) - in this case you
+ *                 must call this function again when the operation is ready.
+ * \return         #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS if a cryptographic
+ *                 operation is in progress (see mbedtls_ecp_set_max_ops()) -
+ *                 in this case you must call this function again to complete
+ *                 the handshake when you're done attending other tasks.
+ * \return         Another SSL error code - in this case you must stop using
+ *                 the context (see below).
+ *
+ * \warning        If this function returns something other than
+ *                 a non-negative value,
+ *                 #MBEDTLS_ERR_SSL_WANT_READ,
+ *                 #MBEDTLS_ERR_SSL_WANT_WRITE,
+ *                 #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
+ *                 #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
+ *                 you must stop using the SSL context for reading or writing,
+ *                 and either free it or call \c mbedtls_ssl_session_reset()
+ *                 on it before re-using it for a new connection; the current
+ *                 connection must be closed.
+ *
+ * \note           When this function returns #MBEDTLS_ERR_SSL_WANT_WRITE/READ,
+ *                 it must be called later with the *same* arguments,
+ *                 until it returns a value greater that or equal to 0. When
+ *                 the function returns #MBEDTLS_ERR_SSL_WANT_WRITE there may be
+ *                 some partial data in the output buffer, however this is not
+ *                 yet sent.
+ *
+ * \note           If the requested length is greater than the maximum
+ *                 fragment length (either the built-in limit or the one set
+ *                 or negotiated with the peer), then:
+ *                 - with TLS, less bytes than requested are written.
+ *                 - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
+ *                 \c mbedtls_ssl_get_max_frag_len() may be used to query the
+ *                 active maximum fragment length.
+ *
+ * \note           Attempting to write 0 bytes will result in an empty TLS
+ *                 application record being sent.
+ */
+int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len );
+
+/**
+ * \brief           Send an alert message
+ *
+ * \param ssl       SSL context
+ * \param level     The alert level of the message
+ *                  (MBEDTLS_SSL_ALERT_LEVEL_WARNING or MBEDTLS_SSL_ALERT_LEVEL_FATAL)
+ * \param message   The alert message (SSL_ALERT_MSG_*)
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
+                            unsigned char level,
+                            unsigned char message );
+/**
+ * \brief          Notify the peer that the connection is being closed
+ *
+ * \param ssl      SSL context
+ *
+ * \return          0 if successful, or a specific SSL error code.
+ *
+ * \note           If this function returns something other than 0 or
+ *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, you must stop using
+ *                 the SSL context for reading or writing, and either free it or
+ *                 call \c mbedtls_ssl_session_reset() on it before re-using it
+ *                 for a new connection; the current connection must be closed.
+ */
+int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Free referenced items in an SSL context and clear memory
+ *
+ * \param ssl      SSL context
+ */
+void mbedtls_ssl_free( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief          Initialize an SSL configuration context
+ *                 Just makes the context ready for
+ *                 mbedtls_ssl_config_defaults() or mbedtls_ssl_config_free().
+ *
+ * \note           You need to call mbedtls_ssl_config_defaults() unless you
+ *                 manually set all of the relevant fields yourself.
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Load reasonnable default SSL configuration values.
+ *                 (You need to call mbedtls_ssl_config_init() first.)
+ *
+ * \param conf     SSL configuration context
+ * \param endpoint MBEDTLS_SSL_IS_CLIENT or MBEDTLS_SSL_IS_SERVER
+ * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
+ *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
+ * \param preset   a MBEDTLS_SSL_PRESET_XXX value
+ *
+ * \note           See \c mbedtls_ssl_conf_transport() for notes on DTLS.
+ *
+ * \return         0 if successful, or
+ *                 MBEDTLS_ERR_XXX_ALLOC_FAILED on memory allocation error.
+ */
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
+                                 int endpoint, int transport, int preset );
+
+/**
+ * \brief          Free an SSL configuration context
+ *
+ * \param conf     SSL configuration context
+ */
+void mbedtls_ssl_config_free( mbedtls_ssl_config *conf );
+
+/**
+ * \brief          Initialize SSL session structure
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_init( mbedtls_ssl_session *session );
+
+/**
+ * \brief          Free referenced items in an SSL session including the
+ *                 peer certificate and clear memory
+ *
+ * \note           A session object can be freed even if the SSL context
+ *                 that was used to retrieve the session is still in use.
+ *
+ * \param session  SSL session
+ */
+void mbedtls_ssl_session_free( mbedtls_ssl_session *session );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ssl_cache.h b/makerom/deps/libmbedtls/include/mbedtls/ssl_cache.h
new file mode 100644
index 00000000..52ba0948
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ssl_cache.h
@@ -0,0 +1,150 @@
+/**
+ * \file ssl_cache.h
+ *
+ * \brief SSL session cache implementation
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_CACHE_H
+#define MBEDTLS_SSL_CACHE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT)
+#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT       86400   /*!< 1 day  */
+#endif
+
+#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES)
+#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES      50   /*!< Maximum entries in cache */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct mbedtls_ssl_cache_context mbedtls_ssl_cache_context;
+typedef struct mbedtls_ssl_cache_entry mbedtls_ssl_cache_entry;
+
+/**
+ * \brief   This structure is used for storing cache entries
+ */
+struct mbedtls_ssl_cache_entry
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t timestamp;           /*!< entry timestamp    */
+#endif
+    mbedtls_ssl_session session;        /*!< entry session      */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_buf peer_cert;         /*!< entry peer_cert    */
+#endif
+    mbedtls_ssl_cache_entry *next;      /*!< chain pointer      */
+};
+
+/**
+ * \brief Cache context
+ */
+struct mbedtls_ssl_cache_context
+{
+    mbedtls_ssl_cache_entry *chain;     /*!< start of the chain     */
+    int timeout;                /*!< cache entry timeout    */
+    int max_entries;            /*!< maximum entries        */
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;    /*!< mutex                  */
+#endif
+};
+
+/**
+ * \brief          Initialize an SSL cache context
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache );
+
+/**
+ * \brief          Cache get callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to retrieve entry for
+ */
+int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session );
+
+/**
+ * \brief          Cache set callback implementation
+ *                 (Thread-safe if MBEDTLS_THREADING_C is enabled)
+ *
+ * \param data     SSL cache context
+ * \param session  session to store entry for
+ */
+int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session );
+
+#if defined(MBEDTLS_HAVE_TIME)
+/**
+ * \brief          Set the cache timeout
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT (1 day))
+ *
+ *                 A timeout of 0 indicates no timeout.
+ *
+ * \param cache    SSL cache context
+ * \param timeout  cache entry timeout in seconds
+ */
+void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout );
+#endif /* MBEDTLS_HAVE_TIME */
+
+/**
+ * \brief          Set the maximum number of cache entries
+ *                 (Default: MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES (50))
+ *
+ * \param cache    SSL cache context
+ * \param max      cache entry maximum
+ */
+void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max );
+
+/**
+ * \brief          Free referenced items in a cache context and clear memory
+ *
+ * \param cache    SSL cache context
+ */
+void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cache.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h b/makerom/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h
new file mode 100644
index 00000000..71053e5b
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ssl_ciphersuites.h
@@ -0,0 +1,540 @@
+/**
+ * \file ssl_ciphersuites.h
+ *
+ * \brief SSL Ciphersuites for mbed TLS
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_CIPHERSUITES_H
+#define MBEDTLS_SSL_CIPHERSUITES_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "pk.h"
+#include "cipher.h"
+#include "md.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Supported ciphersuites (Official IANA names)
+ */
+#define MBEDTLS_TLS_RSA_WITH_NULL_MD5                    0x01   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA                    0x02   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_MD5                 0x04
+#define MBEDTLS_TLS_RSA_WITH_RC4_128_SHA                 0x05
+#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA                 0x09   /**< Weak! Not in TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA            0x0A
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA             0x15   /**< Weak! Not in TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA        0x16
+
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA                    0x2C   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA                0x2D   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA                0x2E   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA             0x2F
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA         0x33
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA             0x35
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA         0x39
+
+#define MBEDTLS_TLS_RSA_WITH_NULL_SHA256                 0x3B   /**< Weak! */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256          0x3C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256          0x3D   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA        0x41
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA    0x45
+
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256      0x67   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256      0x6B   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        0x84
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    0x88
+
+#define MBEDTLS_TLS_PSK_WITH_RC4_128_SHA                 0x8A
+#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA            0x8B
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA             0x8C
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA             0x8D
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA             0x8E
+#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        0x8F
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA         0x90
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA         0x91
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA             0x92
+#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        0x93
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA         0x94
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA         0x95
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256          0x9C   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384          0x9D   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      0x9E   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      0x9F   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256          0xA8   /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384          0xA9   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      0xAA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      0xAB   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      0xAC   /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      0xAD   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256          0xAE
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384          0xAF
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA256                 0xB0   /**< Weak! */
+#define MBEDTLS_TLS_PSK_WITH_NULL_SHA384                 0xB1   /**< Weak! */
+
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      0xB2
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      0xB3
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256             0xB4   /**< Weak! */
+#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384             0xB5   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      0xB6
+#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      0xB7
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256             0xB8   /**< Weak! */
+#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384             0xB9   /**< Weak! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     0xBA   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     0xC0   /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4   /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA             0xC001 /**< Weak! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA          0xC002 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA     0xC003 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA      0xC004 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA      0xC005 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA            0xC006 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA         0xC007 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA    0xC008 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA     0xC009 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA     0xC00A /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA               0xC00B /**< Weak! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA            0xC00C /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA       0xC00D /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA        0xC00E /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA        0xC00F /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA              0xC010 /**< Weak! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA           0xC011 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      0xC012 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       0xC013 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       0xC014 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  0xC023 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  0xC024 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   0xC025 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   0xC026 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    0xC027 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    0xC028 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256     0xC029 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384     0xC02A /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  0xC02B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  0xC02C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256   0xC02D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384   0xC02E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    0xC02F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    0xC030 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256     0xC031 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384     0xC032 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA           0xC033 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA      0xC034 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA       0xC035 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA       0xC036 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0xC037 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384    0xC038 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA              0xC039 /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256           0xC03A /**< Weak! No SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384           0xC03B /**< Weak! No SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256         0xC03C /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384         0xC03D /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256     0xC044 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384     0xC045 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256  0xC04A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384  0xC04B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256   0xC04C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384   0xC04D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256    0xC04E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384    0xC04F /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256         0xC050 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384         0xC051 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256     0xC052 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384     0xC053 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256  0xC05E /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384  0xC05F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256   0xC060 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384   0xC061 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256    0xC062 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384    0xC063 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256         0xC064 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384         0xC065 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256     0xC066 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384     0xC067 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256     0xC068 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384     0xC069 /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256         0xC06A /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384         0xC06B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256     0xC06C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384     0xC06D /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256     0xC06E /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384     0xC06F /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256   0xC070 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384   0xC071 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  0xC074 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  0xC075 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   0xC076 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   0xC077 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    0xC078 /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    0xC079 /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256         0xC07A /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384         0xC07B /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256     0xC07C /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384     0xC07D /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  0xC088 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  0xC089 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256   0xC08A /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384   0xC08B /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256    0xC08C /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384    0xC08D /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256       0xC08E /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384       0xC08F /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC090 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC091 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256   0xC092 /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384   0xC093 /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256       0xC094
+#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384       0xC095
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC096
+#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC097
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256   0xC098
+#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384   0xC099
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A /**< Not in SSL3! */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B /**< Not in SSL3! */
+
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM                0xC09C  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM                0xC09D  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM            0xC09E  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM            0xC09F  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8              0xC0A0  /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8              0xC0A1  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8          0xC0A2  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8          0xC0A3  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM                0xC0A4  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM                0xC0A5  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM            0xC0A6  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM            0xC0A7  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8              0xC0A8  /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8              0xC0A9  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8          0xC0AA  /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8          0xC0AB  /**< TLS 1.2 */
+/* The last two are named with PSK_DHE in the RFC, which looks like a typo */
+
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM        0xC0AC  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM        0xC0AD  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8      0xC0AE  /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8      0xC0AF  /**< TLS 1.2 */
+
+#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8          0xC0FF  /**< experimental */
+
+/* RFC 7905 */
+#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   0xCCA8 /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     0xCCAA /**< TLS 1.2 */
+#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256         0xCCAB /**< TLS 1.2 */
+#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256   0xCCAC /**< TLS 1.2 */
+#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAD /**< TLS 1.2 */
+#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256     0xCCAE /**< TLS 1.2 */
+
+/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
+ * Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
+ */
+typedef enum {
+    MBEDTLS_KEY_EXCHANGE_NONE = 0,
+    MBEDTLS_KEY_EXCHANGE_RSA,
+    MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_PSK,
+    MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+    MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+    MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+    MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+} mbedtls_key_exchange_type_t;
+
+/* Key exchanges using a certificate */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
+#endif
+
+/* Key exchanges allowing client certificate requests */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)    ||       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED
+#endif
+
+/* Key exchanges involving server signature in ServerKeyExchange */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED
+#endif
+
+/* Key exchanges using ECDH */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)      || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED
+#endif
+
+/* Key exchanges that don't involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED
+#endif
+
+/* Key exchanges that involve ephemeral keys */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED
+#endif
+
+/* Key exchanges using a PSK */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)           || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
+#endif
+
+/* Key exchanges using DHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)       || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED
+#endif
+
+/* Key exchanges using ECDHE */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)     || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
+#endif
+
+typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
+
+#define MBEDTLS_CIPHERSUITE_WEAK       0x01    /**< Weak ciphersuite flag  */
+#define MBEDTLS_CIPHERSUITE_SHORT_TAG  0x02    /**< Short authentication tag,
+                                                     eg for CCM_8 */
+#define MBEDTLS_CIPHERSUITE_NODTLS     0x04    /**< Can't be used with DTLS */
+
+/**
+ * \brief   This structure is used for storing ciphersuite information
+ */
+struct mbedtls_ssl_ciphersuite_t
+{
+    int id;
+    const char * name;
+
+    mbedtls_cipher_type_t cipher;
+    mbedtls_md_type_t mac;
+    mbedtls_key_exchange_type_t key_exchange;
+
+    int min_major_ver;
+    int min_minor_ver;
+    int max_major_ver;
+    int max_minor_ver;
+
+    unsigned char flags;
+};
+
+const int *mbedtls_ssl_list_ciphersuites( void );
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id );
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
+#endif
+
+int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
+int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ciphersuites.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ssl_cookie.h b/makerom/deps/libmbedtls/include/mbedtls/ssl_cookie.h
new file mode 100644
index 00000000..e34760ae
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ssl_cookie.h
@@ -0,0 +1,115 @@
+/**
+ * \file ssl_cookie.h
+ *
+ * \brief DTLS cookie callbacks implementation
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_COOKIE_H
+#define MBEDTLS_SSL_COOKIE_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+/**
+ * \name SECTION: Module settings
+ *
+ * The configuration options you can set for this module are in this section.
+ * Either change them in config.h or define them on the compiler command line.
+ * \{
+ */
+#ifndef MBEDTLS_SSL_COOKIE_TIMEOUT
+#define MBEDTLS_SSL_COOKIE_TIMEOUT     60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
+#endif
+
+/* \} name SECTION: Module settings */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief          Context for the default cookie functions.
+ */
+typedef struct mbedtls_ssl_cookie_ctx
+{
+    mbedtls_md_context_t    hmac_ctx;   /*!< context for the HMAC portion   */
+#if !defined(MBEDTLS_HAVE_TIME)
+    unsigned long   serial;     /*!< serial number for expiration   */
+#endif
+    unsigned long   timeout;    /*!< timeout delay, in seconds if HAVE_TIME,
+                                     or in number of tickets issued */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+} mbedtls_ssl_cookie_ctx;
+
+/**
+ * \brief          Initialize cookie context
+ */
+void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx );
+
+/**
+ * \brief          Setup cookie context (generate keys)
+ */
+int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng );
+
+/**
+ * \brief          Set expiration delay for cookies
+ *                 (Default MBEDTLS_SSL_COOKIE_TIMEOUT)
+ *
+ * \param ctx      Cookie contex
+ * \param delay    Delay, in seconds if HAVE_TIME, or in number of cookies
+ *                 issued in the meantime.
+ *                 0 to disable expiration (NOT recommended)
+ */
+void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay );
+
+/**
+ * \brief          Free cookie context
+ */
+void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx );
+
+/**
+ * \brief          Generate cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_write_t mbedtls_ssl_cookie_write;
+
+/**
+ * \brief          Verify cookie, see \c mbedtls_ssl_cookie_write_t
+ */
+mbedtls_ssl_cookie_check_t mbedtls_ssl_cookie_check;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_cookie.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ssl_internal.h b/makerom/deps/libmbedtls/include/mbedtls/ssl_internal.h
new file mode 100644
index 00000000..bd5ad94d
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ssl_internal.h
@@ -0,0 +1,782 @@
+/**
+ * \file ssl_internal.h
+ *
+ * \brief Internal functions shared by the SSL modules
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_INTERNAL_H
+#define MBEDTLS_SSL_INTERNAL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "ssl.h"
+#include "cipher.h"
+
+#if defined(MBEDTLS_MD5_C)
+#include "md5.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "sha512.h"
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#include "ecjpake.h"
+#endif
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Determine minimum supported version */
+#define MBEDTLS_SSL_MIN_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MIN_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+
+#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
+#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
+
+/* Determine maximum supported version */
+#define MBEDTLS_SSL_MAX_MAJOR_VERSION           MBEDTLS_SSL_MAJOR_VERSION_3
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_3
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_2
+#else
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_1
+#else
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define MBEDTLS_SSL_MAX_MINOR_VERSION           MBEDTLS_SSL_MINOR_VERSION_0
+#endif /* MBEDTLS_SSL_PROTO_SSL3   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1   */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+/* Shorthand for restartable ECC */
+#if defined(MBEDTLS_ECP_RESTARTABLE) && \
+    defined(MBEDTLS_SSL_CLI_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_SSL__ECP_RESTARTABLE
+#endif
+
+#define MBEDTLS_SSL_INITIAL_HANDSHAKE           0
+#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS   1   /* In progress */
+#define MBEDTLS_SSL_RENEGOTIATION_DONE          2   /* Done or aborted */
+#define MBEDTLS_SSL_RENEGOTIATION_PENDING       3   /* Requested (server only) */
+
+/*
+ * DTLS retransmission states, see RFC 6347 4.2.4
+ *
+ * The SENDING state is merged in PREPARING for initial sends,
+ * but is distinct for resends.
+ *
+ * Note: initial state is wrong for server, but is not used anyway.
+ */
+#define MBEDTLS_SSL_RETRANS_PREPARING       0
+#define MBEDTLS_SSL_RETRANS_SENDING         1
+#define MBEDTLS_SSL_RETRANS_WAITING         2
+#define MBEDTLS_SSL_RETRANS_FINISHED        3
+
+/*
+ * Allow extra bytes for record, authentication and encryption overhead:
+ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
+ * and allow for a maximum of 1024 of compression expansion if
+ * enabled.
+ */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+#define MBEDTLS_SSL_COMPRESSION_ADD          1024
+#else
+#define MBEDTLS_SSL_COMPRESSION_ADD             0
+#endif
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
+/* Ciphersuites using HMAC */
+#if defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_SSL_MAC_ADD                 48  /* SHA-384 used for HMAC */
+#elif defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_SSL_MAC_ADD                 32  /* SHA-256 used for HMAC */
+#else
+#define MBEDTLS_SSL_MAC_ADD                 20  /* SHA-1   used for HMAC */
+#endif
+#else
+/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
+#define MBEDTLS_SSL_MAC_ADD                 16
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define MBEDTLS_SSL_PADDING_ADD            256
+#else
+#define MBEDTLS_SSL_PADDING_ADD              0
+#endif
+
+#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD +    \
+                                       MBEDTLS_MAX_IV_LENGTH +          \
+                                       MBEDTLS_SSL_MAC_ADD +            \
+                                       MBEDTLS_SSL_PADDING_ADD          \
+                                       )
+
+#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                     ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
+
+#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
+                                      ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
+
+/* The maximum number of buffered handshake messages. */
+#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
+
+/* Maximum length we can advertise as our max content length for
+   RFC 6066 max_fragment_length extension negotiation purposes
+   (the lesser of both sizes, if they are unequal.)
+ */
+#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN (                            \
+        (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN)   \
+        ? ( MBEDTLS_SSL_OUT_CONTENT_LEN )                            \
+        : ( MBEDTLS_SSL_IN_CONTENT_LEN )                             \
+        )
+
+/*
+ * Check that we obey the standard's message size bounds
+ */
+
+#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
+#error "Bad configuration - record content too large."
+#endif
+
+#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
+#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
+#endif
+
+#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - incoming protected record payload too large."
+#endif
+
+#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
+#error "Bad configuration - outgoing protected record payload too large."
+#endif
+
+/* Calculate buffer sizes */
+
+/* Note: Even though the TLS record header is only 5 bytes
+   long, we're internally using 8 bytes to store the
+   implicit sequence number. */
+#define MBEDTLS_SSL_HEADER_LEN 13
+
+#define MBEDTLS_SSL_IN_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
+
+#define MBEDTLS_SSL_OUT_BUFFER_LEN  \
+    ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
+
+#ifdef MBEDTLS_ZLIB_SUPPORT
+/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
+#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN (                               \
+        ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN )      \
+        ? MBEDTLS_SSL_IN_BUFFER_LEN                                     \
+        : MBEDTLS_SSL_OUT_BUFFER_LEN                                    \
+        )
+#endif
+
+/*
+ * TLS extension flags (for extensions with outgoing ServerHello content
+ * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
+ * of state of the renegotiation flag, so no indicator is required)
+ */
+#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
+#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK                 (1 << 1)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Abstraction for a grid of allowed signature-hash-algorithm pairs.
+ */
+struct mbedtls_ssl_sig_hash_set_t
+{
+    /* At the moment, we only need to remember a single suitable
+     * hash algorithm per signature algorithm. As long as that's
+     * the case - and we don't need a general lookup function -
+     * we can implement the sig-hash-set as a map from signatures
+     * to hash algorithms. */
+    mbedtls_md_type_t rsa;
+    mbedtls_md_type_t ecdsa;
+};
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/*
+ * This structure contains the parameters only needed during handshake.
+ */
+struct mbedtls_ssl_handshake_params
+{
+    /*
+     * Handshake specific crypto variables
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
+#endif
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_context dhm_ctx;                /*!<  DHM key exchange        */
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_context ecdh_ctx;              /*!<  ECDH key exchange       */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_context ecjpake_ctx;        /*!< EC J-PAKE key exchange */
+#if defined(MBEDTLS_SSL_CLI_C)
+    unsigned char *ecjpake_cache;               /*!< Cache for ClientHello ext */
+    size_t ecjpake_cache_len;                   /*!< Length of cached data */
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    const mbedtls_ecp_curve_info **curves;      /*!<  Supported elliptic curves */
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    unsigned char *psk;                 /*!<  PSK from the callback         */
+    size_t psk_len;                     /*!<  Length of PSK from callback   */
+#endif
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    int sni_authmode;                   /*!< authmode from SNI callback     */
+    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
+    mbedtls_x509_crt *sni_ca_chain;     /*!< trusted CAs from SNI callback  */
+    mbedtls_x509_crl *sni_ca_crl;       /*!< trusted CAs CRLs from SNI      */
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    int ecrs_enabled;                   /*!< Handshake supports EC restart? */
+    mbedtls_x509_crt_restart_ctx ecrs_ctx;  /*!< restart context            */
+    enum { /* this complements ssl->state with info on intra-state operations */
+        ssl_ecrs_none = 0,              /*!< nothing going on (yet)         */
+        ssl_ecrs_crt_verify,            /*!< Certificate: crt_verify()      */
+        ssl_ecrs_ske_start_processing,  /*!< ServerKeyExchange: pk_verify() */
+        ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
+        ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
+    } ecrs_state;                       /*!< current (or last) operation    */
+    size_t ecrs_n;                      /*!< place for saving a length      */
+#endif
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
+    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
+
+    unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
+                                              Srv: unused                    */
+    unsigned char verify_cookie_len;    /*!<  Cli: cookie length
+                                              Srv: flag for sending a cookie */
+
+    uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
+    unsigned char retransmit_state;     /*!<  Retransmission state           */
+    mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
+    mbedtls_ssl_flight_item *cur_msg;   /*!<  Current message in flight      */
+    unsigned char *cur_msg_p;           /*!<  Position in current message    */
+    unsigned int in_flight_start_seq;   /*!<  Minimum message sequence in the
+                                              flight being received          */
+    mbedtls_ssl_transform *alt_transform_out;   /*!<  Alternative transform for
+                                              resending messages             */
+    unsigned char alt_out_ctr[8];       /*!<  Alternative record epoch/counter
+                                              for resending messages         */
+
+    struct
+    {
+        size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
+                                      *   buffers used for message buffering. */
+
+        uint8_t seen_ccs;               /*!< Indicates if a CCS message has
+                                         *   been seen in the current flight. */
+
+        struct mbedtls_ssl_hs_buffer
+        {
+            unsigned is_valid      : 1;
+            unsigned is_fragmented : 1;
+            unsigned is_complete   : 1;
+            unsigned char *data;
+            size_t data_len;
+        } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
+
+        struct
+        {
+            unsigned char *data;
+            size_t len;
+            unsigned epoch;
+        } future_record;
+
+    } buffering;
+
+    uint16_t mtu;                       /*!<  Handshake mtu, used to fragment outgoing messages */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Checksum contexts
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+       mbedtls_md5_context fin_md5;
+      mbedtls_sha1_context fin_sha1;
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_context fin_sha256;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_context fin_sha512;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
+    void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
+    void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
+    int  (*tls_prf)(const unsigned char *, size_t, const char *,
+                    const unsigned char *, size_t,
+                    unsigned char *, size_t);
+
+    size_t pmslen;                      /*!<  premaster length        */
+
+    unsigned char randbytes[64];        /*!<  random bytes            */
+    unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
+                                        /*!<  premaster secret        */
+
+    int resume;                         /*!<  session resume indicator*/
+    int max_major_ver;                  /*!< max. major version client*/
+    int max_minor_ver;                  /*!< max. minor version client*/
+    int cli_exts;                       /*!< client extension presence*/
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    int new_session_ticket;             /*!< use NewSessionTicket?    */
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    int extended_ms;                    /*!< use Extended Master Secret? */
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /** Asynchronous operation context. This field is meant for use by the
+     * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
+     * mbedtls_ssl_config::f_async_decrypt_start,
+     * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
+     * The library does not use it internally. */
+    void *user_async_ctx;
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+};
+
+typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
+
+/*
+ * This structure contains a full set of runtime transform parameters
+ * either in negotiation or active.
+ */
+struct mbedtls_ssl_transform
+{
+    /*
+     * Session specific crypto layer
+     */
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+                                        /*!<  Chosen cipersuite_info  */
+    unsigned int keylen;                /*!<  symmetric key length (bytes)  */
+    size_t minlen;                      /*!<  min. ciphertext length  */
+    size_t ivlen;                       /*!<  IV length               */
+    size_t fixed_ivlen;                 /*!<  Fixed part of IV (AEAD) */
+    size_t maclen;                      /*!<  MAC length              */
+
+    unsigned char iv_enc[16];           /*!<  IV (encryption)         */
+    unsigned char iv_dec[16];           /*!<  IV (decryption)         */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /* Needed only for SSL v3.0 secret */
+    unsigned char mac_enc[20];          /*!<  SSL v3.0 secret (enc)   */
+    unsigned char mac_dec[20];          /*!<  SSL v3.0 secret (dec)   */
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+    mbedtls_md_context_t md_ctx_enc;            /*!<  MAC (encryption)        */
+    mbedtls_md_context_t md_ctx_dec;            /*!<  MAC (decryption)        */
+
+    mbedtls_cipher_context_t cipher_ctx_enc;    /*!<  encryption context      */
+    mbedtls_cipher_context_t cipher_ctx_dec;    /*!<  decryption context      */
+
+    /*
+     * Session specific compression layer
+     */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    z_stream ctx_deflate;               /*!<  compression context     */
+    z_stream ctx_inflate;               /*!<  decompression context   */
+#endif
+};
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * List of certificate + private key pairs
+ */
+struct mbedtls_ssl_key_cert
+{
+    mbedtls_x509_crt *cert;                 /*!< cert                       */
+    mbedtls_pk_context *key;                /*!< private key                */
+    mbedtls_ssl_key_cert *next;             /*!< next key/cert pair         */
+};
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * List of handshake messages kept around for resending
+ */
+struct mbedtls_ssl_flight_item
+{
+    unsigned char *p;       /*!< message, including handshake headers   */
+    size_t len;             /*!< length of p                            */
+    unsigned char type;     /*!< type of the message: handshake or CCS  */
+    mbedtls_ssl_flight_item *next;  /*!< next handshake message(s)              */
+};
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+                                                 mbedtls_pk_type_t sig_alg );
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+                                   mbedtls_pk_type_t sig_alg,
+                                   mbedtls_md_type_t md_alg );
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+                                          mbedtls_md_type_t md_alg );
+
+/* Setup an empty signature-hash set */
+static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
+{
+    mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/**
+ * \brief           Free referenced items in an SSL transform context and clear
+ *                  memory
+ *
+ * \param transform SSL transform context
+ */
+void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
+
+/**
+ * \brief           Free referenced items in an SSL handshake context and clear
+ *                  memory
+ *
+ * \param ssl       SSL context
+ */
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
+
+void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
+
+/**
+ * \brief       Update record layer
+ *
+ *              This function roughly separates the implementation
+ *              of the logic of (D)TLS from the implementation
+ *              of the secure transport.
+ *
+ * \param  ssl              The SSL context to use.
+ * \param  update_hs_digest This indicates if the handshake digest
+ *                          should be automatically updated in case
+ *                          a handshake message is found.
+ *
+ * \return      0 or non-zero error code.
+ *
+ * \note        A clarification on what is called 'record layer' here
+ *              is in order, as many sensible definitions are possible:
+ *
+ *              The record layer takes as input an untrusted underlying
+ *              transport (stream or datagram) and transforms it into
+ *              a serially multiplexed, secure transport, which
+ *              conceptually provides the following:
+ *
+ *              (1) Three datagram based, content-agnostic transports
+ *                  for handshake, alert and CCS messages.
+ *              (2) One stream- or datagram-based transport
+ *                  for application data.
+ *              (3) Functionality for changing the underlying transform
+ *                  securing the contents.
+ *
+ *              The interface to this functionality is given as follows:
+ *
+ *              a Updating
+ *                [Currently implemented by mbedtls_ssl_read_record]
+ *
+ *                Check if and on which of the four 'ports' data is pending:
+ *                Nothing, a controlling datagram of type (1), or application
+ *                data (2). In any case data is present, internal buffers
+ *                provide access to the data for the user to process it.
+ *                Consumption of type (1) datagrams is done automatically
+ *                on the next update, invalidating that the internal buffers
+ *                for previous datagrams, while consumption of application
+ *                data (2) is user-controlled.
+ *
+ *              b Reading of application data
+ *                [Currently manual adaption of ssl->in_offt pointer]
+ *
+ *                As mentioned in the last paragraph, consumption of data
+ *                is different from the automatic consumption of control
+ *                datagrams (1) because application data is treated as a stream.
+ *
+ *              c Tracking availability of application data
+ *                [Currently manually through decreasing ssl->in_msglen]
+ *
+ *                For efficiency and to retain datagram semantics for
+ *                application data in case of DTLS, the record layer
+ *                provides functionality for checking how much application
+ *                data is still available in the internal buffer.
+ *
+ *              d Changing the transformation securing the communication.
+ *
+ *              Given an opaque implementation of the record layer in the
+ *              above sense, it should be possible to implement the logic
+ *              of (D)TLS on top of it without the need to know anything
+ *              about the record layer's internals. This is done e.g.
+ *              in all the handshake handling functions, and in the
+ *              application data reading function mbedtls_ssl_read.
+ *
+ * \note        The above tries to give a conceptual picture of the
+ *              record layer, but the current implementation deviates
+ *              from it in some places. For example, our implementation of
+ *              the update functionality through mbedtls_ssl_read_record
+ *              discards datagrams depending on the current state, which
+ *              wouldn't fall under the record layer's responsibility
+ *              following the above definition.
+ *
+ */
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
+                             unsigned update_hs_digest );
+int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
+
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
+int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
+
+void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
+                            const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
+#endif
+
+#if defined(MBEDTLS_PK_C)
+unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
+#endif
+
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
+unsigned char mbedtls_ssl_hash_from_md_alg( int md );
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
+
+#if defined(MBEDTLS_ECP_C)
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
+                                mbedtls_md_type_t md );
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->key );
+}
+
+static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->cert );
+}
+
+/*
+ * Check usage of a certificate wrt extensions:
+ * keyUsage, extendedKeyUsage (later), and nSCertType (later).
+ *
+ * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
+ * check a cert we received from them)!
+ *
+ * Return 0 if everything is OK, -1 if not.
+ */
+int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                          int cert_endpoint,
+                          uint32_t *flags );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_write_version( int major, int minor, int transport,
+                        unsigned char ver[2] );
+void mbedtls_ssl_read_version( int *major, int *minor, int transport,
+                       const unsigned char ver[2] );
+
+static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 13 );
+#else
+    ((void) ssl);
+#endif
+    return( 5 );
+}
+
+static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 12 );
+#else
+    ((void) ssl);
+#endif
+    return( 4 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
+#endif
+
+/* Visible for testing purposes only */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
+void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
+#endif
+
+/* constant-time buffer comparison */
+static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+    {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return( diff );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        unsigned char *data, size_t data_len );
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
+                                            unsigned char *hash, size_t *hashlen,
+                                            unsigned char *data, size_t data_len,
+                                            mbedtls_md_type_t md_alg );
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_internal.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/ssl_ticket.h b/makerom/deps/libmbedtls/include/mbedtls/ssl_ticket.h
new file mode 100644
index 00000000..774a007a
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/ssl_ticket.h
@@ -0,0 +1,142 @@
+/**
+ * \file ssl_ticket.h
+ *
+ * \brief TLS server ticket callbacks implementation
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_SSL_TICKET_H
+#define MBEDTLS_SSL_TICKET_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/*
+ * This implementation of the session ticket callbacks includes key
+ * management, rotating the keys periodically in order to preserve forward
+ * secrecy, when MBEDTLS_HAVE_TIME is defined.
+ */
+
+#include "ssl.h"
+#include "cipher.h"
+
+#if defined(MBEDTLS_THREADING_C)
+#include "threading.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \brief   Information for session ticket protection
+ */
+typedef struct mbedtls_ssl_ticket_key
+{
+    unsigned char name[4];          /*!< random key identifier              */
+    uint32_t generation_time;       /*!< key generation timestamp (seconds) */
+    mbedtls_cipher_context_t ctx;   /*!< context for auth enc/decryption    */
+}
+mbedtls_ssl_ticket_key;
+
+/**
+ * \brief   Context for session ticket handling functions
+ */
+typedef struct mbedtls_ssl_ticket_context
+{
+    mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys             */
+    unsigned char active;           /*!< index of the currently active key  */
+
+    uint32_t ticket_lifetime;       /*!< lifetime of tickets in seconds     */
+
+    /** Callback for getting (pseudo-)random numbers                        */
+    int  (*f_rng)(void *, unsigned char *, size_t);
+    void *p_rng;                    /*!< context for the RNG function       */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t mutex;
+#endif
+}
+mbedtls_ssl_ticket_context;
+
+/**
+ * \brief           Initialize a ticket context.
+ *                  (Just make it ready for mbedtls_ssl_ticket_setup()
+ *                  or mbedtls_ssl_ticket_free().)
+ *
+ * \param ctx       Context to be initialized
+ */
+void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
+
+/**
+ * \brief           Prepare context to be actually used
+ *
+ * \param ctx       Context to be set up
+ * \param f_rng     RNG callback function
+ * \param p_rng     RNG callback context
+ * \param cipher    AEAD cipher to use for ticket protection.
+ *                  Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
+ * \param lifetime  Tickets lifetime in seconds
+ *                  Recommended value: 86400 (one day).
+ *
+ * \note            It is highly recommended to select a cipher that is at
+ *                  least as strong as the the strongest ciphersuite
+ *                  supported. Usually that means a 256-bit key.
+ *
+ * \note            The lifetime of the keys is twice the lifetime of tickets.
+ *                  It is recommended to pick a reasonnable lifetime so as not
+ *                  to negate the benefits of forward secrecy.
+ *
+ * \return          0 if successful,
+ *                  or a specific MBEDTLS_ERR_XXX error code
+ */
+int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
+    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+    mbedtls_cipher_type_t cipher,
+    uint32_t lifetime );
+
+/**
+ * \brief           Implementation of the ticket write callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_write_t for description
+ */
+mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
+
+/**
+ * \brief           Implementation of the ticket parse callback
+ *
+ * \note            See \c mbedtls_ssl_ticket_parse_t for description
+ */
+mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
+
+/**
+ * \brief           Free a context's content and zeroize it.
+ *
+ * \param ctx       Context to be cleaned up
+ */
+void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ssl_ticket.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/threading.h b/makerom/deps/libmbedtls/include/mbedtls/threading.h
new file mode 100644
index 00000000..92e6e6b9
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/threading.h
@@ -0,0 +1,122 @@
+/**
+ * \file threading.h
+ *
+ * \brief Threading abstraction layer
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_THREADING_H
+#define MBEDTLS_THREADING_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdlib.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE is deprecated and should not be
+ * used. */
+#define MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE         -0x001A  /**< The selected feature is not available. */
+
+#define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA              -0x001C  /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_THREADING_MUTEX_ERROR                 -0x001E  /**< Locking / unlocking / free failed with error code. */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+#include <pthread.h>
+typedef struct mbedtls_threading_mutex_t
+{
+    pthread_mutex_t mutex;
+    char is_valid;
+} mbedtls_threading_mutex_t;
+#endif
+
+#if defined(MBEDTLS_THREADING_ALT)
+/* You should define the mbedtls_threading_mutex_t type in your header */
+#include "threading_alt.h"
+
+/**
+ * \brief           Set your alternate threading implementation function
+ *                  pointers and initialize global mutexes. If used, this
+ *                  function must be called once in the main thread before any
+ *                  other mbed TLS function is called, and
+ *                  mbedtls_threading_free_alt() must be called once in the main
+ *                  thread after all other mbed TLS functions.
+ *
+ * \note            mutex_init() and mutex_free() don't return a status code.
+ *                  If mutex_init() fails, it should leave its argument (the
+ *                  mutex) in a state such that mutex_lock() will fail when
+ *                  called with this argument.
+ *
+ * \param mutex_init    the init function implementation
+ * \param mutex_free    the free function implementation
+ * \param mutex_lock    the lock function implementation
+ * \param mutex_unlock  the unlock function implementation
+ */
+void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t * ),
+                       void (*mutex_free)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_lock)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_unlock)( mbedtls_threading_mutex_t * ) );
+
+/**
+ * \brief               Free global mutexes.
+ */
+void mbedtls_threading_free_alt( void );
+#endif /* MBEDTLS_THREADING_ALT */
+
+#if defined(MBEDTLS_THREADING_C)
+/*
+ * The function pointers for mutex_init, mutex_free, mutex_ and mutex_unlock
+ *
+ * All these functions are expected to work or the result will be undefined.
+ */
+extern void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t *mutex );
+extern void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t *mutex );
+extern int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t *mutex );
+extern int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t *mutex );
+
+/*
+ * Global mutexes
+ */
+#if defined(MBEDTLS_FS_IO)
+extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex;
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+/* This mutex may or may not be used in the default definition of
+ * mbedtls_platform_gmtime_r(), but in order to determine that,
+ * we need to check POSIX features, hence modify _POSIX_C_SOURCE.
+ * With the current approach, this declaration is orphaned, lacking
+ * an accompanying definition, in case mbedtls_platform_gmtime_r()
+ * doesn't need it, but that's not a problem. */
+extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex;
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#endif /* MBEDTLS_THREADING_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* threading.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/timing.h b/makerom/deps/libmbedtls/include/mbedtls/timing.h
new file mode 100644
index 00000000..a965fe0d
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/timing.h
@@ -0,0 +1,153 @@
+/**
+ * \file timing.h
+ *
+ * \brief Portable interface to timeouts and to the CPU cycle counter
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_TIMING_H
+#define MBEDTLS_TIMING_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_TIMING_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          timer structure
+ */
+struct mbedtls_timing_hr_time
+{
+    unsigned char opaque[32];
+};
+
+/**
+ * \brief          Context for mbedtls_timing_set/get_delay()
+ */
+typedef struct mbedtls_timing_delay_context
+{
+    struct mbedtls_timing_hr_time   timer;
+    uint32_t                        int_ms;
+    uint32_t                        fin_ms;
+} mbedtls_timing_delay_context;
+
+#else  /* MBEDTLS_TIMING_ALT */
+#include "timing_alt.h"
+#endif /* MBEDTLS_TIMING_ALT */
+
+extern volatile int mbedtls_timing_alarmed;
+
+/**
+ * \brief          Return the CPU cycle counter value
+ *
+ * \warning        This is only a best effort! Do not rely on this!
+ *                 In particular, it is known to be unreliable on virtual
+ *                 machines.
+ *
+ * \note           This value starts at an unspecified origin and
+ *                 may wrap around.
+ */
+unsigned long mbedtls_timing_hardclock( void );
+
+/**
+ * \brief          Return the elapsed time in milliseconds
+ *
+ * \param val      points to a timer structure
+ * \param reset    If 0, query the elapsed time. Otherwise (re)start the timer.
+ *
+ * \return         Elapsed time since the previous reset in ms. When
+ *                 restarting, this is always 0.
+ *
+ * \note           To initialize a timer, call this function with reset=1.
+ *
+ *                 Determining the elapsed time and resetting the timer is not
+ *                 atomic on all platforms, so after the sequence
+ *                 `{ get_timer(1); ...; time1 = get_timer(1); ...; time2 =
+ *                 get_timer(0) }` the value time1+time2 is only approximately
+ *                 the delay since the first reset.
+ */
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset );
+
+/**
+ * \brief          Setup an alarm clock
+ *
+ * \param seconds  delay before the "mbedtls_timing_alarmed" flag is set
+ *                 (must be >=0)
+ *
+ * \warning        Only one alarm at a time  is supported. In a threaded
+ *                 context, this means one for the whole process, not one per
+ *                 thread.
+ */
+void mbedtls_set_alarm( int seconds );
+
+/**
+ * \brief          Set a pair of delays to watch
+ *                 (See \c mbedtls_timing_get_delay().)
+ *
+ * \param data     Pointer to timing data.
+ *                 Must point to a valid \c mbedtls_timing_delay_context struct.
+ * \param int_ms   First (intermediate) delay in milliseconds.
+ *                 The effect if int_ms > fin_ms is unspecified.
+ * \param fin_ms   Second (final) delay in milliseconds.
+ *                 Pass 0 to cancel the current delay.
+ *
+ * \note           To set a single delay, either use \c mbedtls_timing_set_timer
+ *                 directly or use this function with int_ms == fin_ms.
+ */
+void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms );
+
+/**
+ * \brief          Get the status of delays
+ *                 (Memory helper: number of delays passed.)
+ *
+ * \param data     Pointer to timing data
+ *                 Must point to a valid \c mbedtls_timing_delay_context struct.
+ *
+ * \return         -1 if cancelled (fin_ms = 0),
+ *                  0 if none of the delays are passed,
+ *                  1 if only the intermediate delay is passed,
+ *                  2 if the final delay is passed.
+ */
+int mbedtls_timing_get_delay( void *data );
+
+#if defined(MBEDTLS_SELF_TEST)
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if a test failed
+ */
+int mbedtls_timing_self_test( int verbose );
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* timing.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/version.h b/makerom/deps/libmbedtls/include/mbedtls/version.h
new file mode 100644
index 00000000..8e2ce03c
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/version.h
@@ -0,0 +1,112 @@
+/**
+ * \file version.h
+ *
+ * \brief Run-time version information
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * This set of compile-time defines and run-time variables can be used to
+ * determine the version number of the mbed TLS library used.
+ */
+#ifndef MBEDTLS_VERSION_H
+#define MBEDTLS_VERSION_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/**
+ * The version number x.y.z is split into three parts.
+ * Major, Minor, Patchlevel
+ */
+#define MBEDTLS_VERSION_MAJOR  2
+#define MBEDTLS_VERSION_MINOR  16
+#define MBEDTLS_VERSION_PATCH  5
+
+/**
+ * The single version number has the following structure:
+ *    MMNNPP00
+ *    Major version | Minor version | Patch version
+ */
+#define MBEDTLS_VERSION_NUMBER         0x02100500
+#define MBEDTLS_VERSION_STRING         "2.16.5"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.16.5"
+
+#if defined(MBEDTLS_VERSION_C)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * Get the version number.
+ *
+ * \return          The constructed version number in the format
+ *                  MMNNPP00 (Major, Minor, Patch).
+ */
+unsigned int mbedtls_version_get_number( void );
+
+/**
+ * Get the version string ("x.y.z").
+ *
+ * \param string    The string that will receive the value.
+ *                  (Should be at least 9 bytes in size)
+ */
+void mbedtls_version_get_string( char *string );
+
+/**
+ * Get the full version string ("mbed TLS x.y.z").
+ *
+ * \param string    The string that will receive the value. The mbed TLS version
+ *                  string will use 18 bytes AT MOST including a terminating
+ *                  null byte.
+ *                  (So the buffer should be at least 18 bytes to receive this
+ *                  version string).
+ */
+void mbedtls_version_get_string_full( char *string );
+
+/**
+ * \brief           Check if support for a feature was compiled into this
+ *                  mbed TLS binary. This allows you to see at runtime if the
+ *                  library was for instance compiled with or without
+ *                  Multi-threading support.
+ *
+ * \note            only checks against defines in the sections "System
+ *                  support", "mbed TLS modules" and "mbed TLS feature
+ *                  support" in config.h
+ *
+ * \param feature   The string for the define to check (e.g. "MBEDTLS_AES_C")
+ *
+ * \return          0 if the feature is present,
+ *                  -1 if the feature is not present and
+ *                  -2 if support for feature checking as a whole was not
+ *                  compiled in.
+ */
+int mbedtls_version_check_feature( const char *feature );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_VERSION_C */
+
+#endif /* version.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/x509.h b/makerom/deps/libmbedtls/include/mbedtls/x509.h
new file mode 100644
index 00000000..63aae32d
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/x509.h
@@ -0,0 +1,337 @@
+/**
+ * \file x509.h
+ *
+ * \brief X.509 generic defines and structures
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_H
+#define MBEDTLS_X509_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "asn1.h"
+#include "pk.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "rsa.h"
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{
+ */
+
+#if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define MBEDTLS_X509_MAX_INTERMEDIATE_CA   8
+#endif
+
+/**
+ * \name X509 Error codes
+ * \{
+ */
+#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE              -0x2080  /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
+#define MBEDTLS_ERR_X509_UNKNOWN_OID                      -0x2100  /**< Requested OID is unknown. */
+#define MBEDTLS_ERR_X509_INVALID_FORMAT                   -0x2180  /**< The CRT/CRL/CSR format is invalid, e.g. different type expected. */
+#define MBEDTLS_ERR_X509_INVALID_VERSION                  -0x2200  /**< The CRT/CRL/CSR version element is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_SERIAL                   -0x2280  /**< The serial tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_ALG                      -0x2300  /**< The algorithm tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_NAME                     -0x2380  /**< The name tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_DATE                     -0x2400  /**< The date tag or value is invalid. */
+#define MBEDTLS_ERR_X509_INVALID_SIGNATURE                -0x2480  /**< The signature tag or value invalid. */
+#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS               -0x2500  /**< The extension tag or value is invalid. */
+#define MBEDTLS_ERR_X509_UNKNOWN_VERSION                  -0x2580  /**< CRT/CRL/CSR has an unsupported version number. */
+#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG                  -0x2600  /**< Signature algorithm (oid) is unsupported. */
+#define MBEDTLS_ERR_X509_SIG_MISMATCH                     -0x2680  /**< Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
+#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
+#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2780  /**< Format not recognized as DER or PEM. */
+#define MBEDTLS_ERR_X509_BAD_INPUT_DATA                   -0x2800  /**< Input invalid. */
+#define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900  /**< Read/write of file failed. */
+#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980  /**< Destination buffer is too small. */
+#define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000  /**< A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
+/* \} name */
+
+/**
+ * \name X509 Verify codes
+ * \{
+ */
+/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
+#define MBEDTLS_X509_BADCERT_EXPIRED             0x01  /**< The certificate validity has expired. */
+#define MBEDTLS_X509_BADCERT_REVOKED             0x02  /**< The certificate has been revoked (is on a CRL). */
+#define MBEDTLS_X509_BADCERT_CN_MISMATCH         0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
+#define MBEDTLS_X509_BADCERT_NOT_TRUSTED         0x08  /**< The certificate is not correctly signed by the trusted CA. */
+#define MBEDTLS_X509_BADCRL_NOT_TRUSTED          0x10  /**< The CRL is not correctly signed by the trusted CA. */
+#define MBEDTLS_X509_BADCRL_EXPIRED              0x20  /**< The CRL is expired. */
+#define MBEDTLS_X509_BADCERT_MISSING             0x40  /**< Certificate was missing. */
+#define MBEDTLS_X509_BADCERT_SKIP_VERIFY         0x80  /**< Certificate verification was skipped. */
+#define MBEDTLS_X509_BADCERT_OTHER             0x0100  /**< Other reason (can be used by verify callback) */
+#define MBEDTLS_X509_BADCERT_FUTURE            0x0200  /**< The certificate validity starts in the future. */
+#define MBEDTLS_X509_BADCRL_FUTURE             0x0400  /**< The CRL is from the future */
+#define MBEDTLS_X509_BADCERT_KEY_USAGE         0x0800  /**< Usage does not match the keyUsage extension. */
+#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE     0x1000  /**< Usage does not match the extendedKeyUsage extension. */
+#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE      0x2000  /**< Usage does not match the nsCertType extension. */
+#define MBEDTLS_X509_BADCERT_BAD_MD            0x4000  /**< The certificate is signed with an unacceptable hash. */
+#define MBEDTLS_X509_BADCERT_BAD_PK            0x8000  /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define MBEDTLS_X509_BADCERT_BAD_KEY         0x010000  /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
+#define MBEDTLS_X509_BADCRL_BAD_MD           0x020000  /**< The CRL is signed with an unacceptable hash. */
+#define MBEDTLS_X509_BADCRL_BAD_PK           0x040000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define MBEDTLS_X509_BADCRL_BAD_KEY          0x080000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+/*
+ * X.509 v3 Key Usage Extension flags
+ * Reminder: update x509_info_key_usage() when adding new flags.
+ */
+#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE            (0x80)  /* bit 0 */
+#define MBEDTLS_X509_KU_NON_REPUDIATION              (0x40)  /* bit 1 */
+#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT             (0x20)  /* bit 2 */
+#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT            (0x10)  /* bit 3 */
+#define MBEDTLS_X509_KU_KEY_AGREEMENT                (0x08)  /* bit 4 */
+#define MBEDTLS_X509_KU_KEY_CERT_SIGN                (0x04)  /* bit 5 */
+#define MBEDTLS_X509_KU_CRL_SIGN                     (0x02)  /* bit 6 */
+#define MBEDTLS_X509_KU_ENCIPHER_ONLY                (0x01)  /* bit 7 */
+#define MBEDTLS_X509_KU_DECIPHER_ONLY              (0x8000)  /* bit 8 */
+
+/*
+ * Netscape certificate types
+ * (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
+ */
+
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT         (0x80)  /* bit 0 */
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER         (0x40)  /* bit 1 */
+#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL              (0x20)  /* bit 2 */
+#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING     (0x10)  /* bit 3 */
+#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED           (0x08)  /* bit 4 */
+#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA             (0x04)  /* bit 5 */
+#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA           (0x02)  /* bit 6 */
+#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA  (0x01)  /* bit 7 */
+
+/*
+ * X.509 extension types
+ *
+ * Comments refer to the status for using certificates. Status can be
+ * different for writing certificates or reading CRLs or CSRs.
+ */
+#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER    (1 << 0)
+#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER      (1 << 1)
+#define MBEDTLS_X509_EXT_KEY_USAGE                   (1 << 2)
+#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES        (1 << 3)
+#define MBEDTLS_X509_EXT_POLICY_MAPPINGS             (1 << 4)
+#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME            (1 << 5)    /* Supported (DNS) */
+#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME             (1 << 6)
+#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS     (1 << 7)
+#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS           (1 << 8)    /* Supported */
+#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS            (1 << 9)
+#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS          (1 << 10)
+#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE          (1 << 11)
+#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS     (1 << 12)
+#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY          (1 << 13)
+#define MBEDTLS_X509_EXT_FRESHEST_CRL                (1 << 14)
+
+#define MBEDTLS_X509_EXT_NS_CERT_TYPE                (1 << 16)
+
+/*
+ * Storage format identifiers
+ * Recognized formats: PEM and DER
+ */
+#define MBEDTLS_X509_FORMAT_DER                 1
+#define MBEDTLS_X509_FORMAT_PEM                 2
+
+#define MBEDTLS_X509_MAX_DN_NAME_SIZE         256 /**< Maximum value size of a DN entry */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures for parsing X.509 certificates, CRLs and CSRs
+ * \{
+ */
+
+/**
+ * Type-length-value structure that allows for ASN1 using DER.
+ */
+typedef mbedtls_asn1_buf mbedtls_x509_buf;
+
+/**
+ * Container for ASN1 bit strings.
+ */
+typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring;
+
+/**
+ * Container for ASN1 named information objects.
+ * It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
+ */
+typedef mbedtls_asn1_named_data mbedtls_x509_name;
+
+/**
+ * Container for a sequence of ASN.1 items
+ */
+typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
+
+/** Container for date and time (precision in seconds). */
+typedef struct mbedtls_x509_time
+{
+    int year, mon, day;         /**< Date. */
+    int hour, min, sec;         /**< Time. */
+}
+mbedtls_x509_time;
+
+/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
+/** \} addtogroup x509_module */
+
+/**
+ * \brief          Store the certificate DN in printable form into buf;
+ *                 no more than size characters will be written.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param dn       The X509 name to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn );
+
+/**
+ * \brief          Store the certificate serial in printable form into buf;
+ *                 no more than size characters will be written.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param serial   The X509 serial to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial );
+
+/**
+ * \brief          Check a given mbedtls_x509_time against the system time
+ *                 and tell if it's in the past.
+ *
+ * \note           Intended usage is "if( is_past( valid_to ) ) ERROR".
+ *                 Hence the return value of 1 if on internal errors.
+ *
+ * \param to       mbedtls_x509_time to check
+ *
+ * \return         1 if the given time is in the past or an error occurred,
+ *                 0 otherwise.
+ */
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
+
+/**
+ * \brief          Check a given mbedtls_x509_time against the system time
+ *                 and tell if it's in the future.
+ *
+ * \note           Intended usage is "if( is_future( valid_from ) ) ERROR".
+ *                 Hence the return value of 1 if on internal errors.
+ *
+ * \param from     mbedtls_x509_time to check
+ *
+ * \return         1 if the given time is in the future or an error occurred,
+ *                 0 otherwise.
+ */
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_x509_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_name *cur );
+int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
+                       mbedtls_x509_buf *alg );
+int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *alg, mbedtls_x509_buf *params );
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
+                                mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+                                int *salt_len );
+#endif
+int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig );
+int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+                      mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+                      void **sig_opts );
+int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_time *t );
+int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
+                     mbedtls_x509_buf *serial );
+int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *ext, int tag );
+int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+                       mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                       const void *sig_opts );
+int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name );
+int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name );
+int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+                        int critical, const unsigned char *val,
+                        size_t val_len );
+int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
+                           mbedtls_asn1_named_data *first );
+int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
+                      mbedtls_asn1_named_data *first );
+int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len,
+                    unsigned char *sig, size_t size );
+
+#define MBEDTLS_X509_SAFE_SNPRINTF                          \
+    do {                                                    \
+        if( ret < 0 || (size_t) ret >= n )                  \
+            return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );    \
+                                                            \
+        n -= (size_t) ret;                                  \
+        p += (size_t) ret;                                  \
+    } while( 0 )
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* x509.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/x509_crl.h b/makerom/deps/libmbedtls/include/mbedtls/x509_crl.h
new file mode 100644
index 00000000..fa838d68
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/x509_crl.h
@@ -0,0 +1,174 @@
+/**
+ * \file x509_crl.h
+ *
+ * \brief X.509 certificate revocation list parsing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_CRL_H
+#define MBEDTLS_X509_CRL_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures and functions for parsing CRLs
+ * \{
+ */
+
+/**
+ * Certificate revocation list entry.
+ * Contains the CA-specific serial numbers and revocation dates.
+ */
+typedef struct mbedtls_x509_crl_entry
+{
+    mbedtls_x509_buf raw;
+
+    mbedtls_x509_buf serial;
+
+    mbedtls_x509_time revocation_date;
+
+    mbedtls_x509_buf entry_ext;
+
+    struct mbedtls_x509_crl_entry *next;
+}
+mbedtls_x509_crl_entry;
+
+/**
+ * Certificate revocation list structure.
+ * Every CRL may have multiple entries.
+ */
+typedef struct mbedtls_x509_crl
+{
+    mbedtls_x509_buf raw;           /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;           /**< The raw certificate body (DER). The part that is To Be Signed. */
+
+    int version;            /**< CRL version (1=v1, 2=v2) */
+    mbedtls_x509_buf sig_oid;       /**< CRL signature type identifier */
+
+    mbedtls_x509_buf issuer_raw;    /**< The raw issuer data (DER). */
+
+    mbedtls_x509_name issuer;       /**< The parsed issuer data (named information object). */
+
+    mbedtls_x509_time this_update;
+    mbedtls_x509_time next_update;
+
+    mbedtls_x509_crl_entry entry;   /**< The CRL entries containing the certificate revocation times for this CA. */
+
+    mbedtls_x509_buf crl_ext;
+
+    mbedtls_x509_buf sig_oid2;
+    mbedtls_x509_buf sig;
+    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+
+    struct mbedtls_x509_crl *next;
+}
+mbedtls_x509_crl;
+
+/**
+ * \brief          Parse a DER-encoded CRL and append it to the chained list
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the CRL data in DER format
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
+                        const unsigned char *buf, size_t buflen );
+/**
+ * \brief          Parse one or more CRLs and append them to the chained list
+ *
+ * \note           Multiple CRLs are accepted only if using PEM format
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the CRL data in PEM or DER format
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load one or more CRLs and append them to the chained list
+ *
+ * \note           Multiple CRLs are accepted only if using PEM format
+ *
+ * \param chain    points to the start of the chain
+ * \param path     filename to read the CRLs from (in PEM or DER encoding)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the CRL.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param crl      The X509 CRL to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crl *crl );
+
+/**
+ * \brief          Initialize a CRL (chain)
+ *
+ * \param crl      CRL chain to initialize
+ */
+void mbedtls_x509_crl_init( mbedtls_x509_crl *crl );
+
+/**
+ * \brief          Unallocate all CRL data
+ *
+ * \param crl      CRL chain to free
+ */
+void mbedtls_x509_crl_free( mbedtls_x509_crl *crl );
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_crl.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/x509_crt.h b/makerom/deps/libmbedtls/include/mbedtls/x509_crt.h
new file mode 100644
index 00000000..670bd10d
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/x509_crt.h
@@ -0,0 +1,785 @@
+/**
+ * \file x509_crt.h
+ *
+ * \brief X.509 certificate parsing and writing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_CRT_H
+#define MBEDTLS_X509_CRT_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+#include "x509_crl.h"
+
+/**
+ * \addtogroup x509_module
+ * \{
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \name Structures and functions for parsing and writing X.509 certificates
+ * \{
+ */
+
+/**
+ * Container for an X.509 certificate. The certificate may be chained.
+ */
+typedef struct mbedtls_x509_crt
+{
+    mbedtls_x509_buf raw;               /**< The raw certificate data (DER). */
+    mbedtls_x509_buf tbs;               /**< The raw certificate body (DER). The part that is To Be Signed. */
+
+    int version;                /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
+    mbedtls_x509_buf serial;            /**< Unique id for certificate issued by a specific CA. */
+    mbedtls_x509_buf sig_oid;           /**< Signature algorithm, e.g. sha1RSA */
+
+    mbedtls_x509_buf issuer_raw;        /**< The raw issuer data (DER). Used for quick comparison. */
+    mbedtls_x509_buf subject_raw;       /**< The raw subject data (DER). Used for quick comparison. */
+
+    mbedtls_x509_name issuer;           /**< The parsed issuer data (named information object). */
+    mbedtls_x509_name subject;          /**< The parsed subject data (named information object). */
+
+    mbedtls_x509_time valid_from;       /**< Start time of certificate validity. */
+    mbedtls_x509_time valid_to;         /**< End time of certificate validity. */
+
+    mbedtls_pk_context pk;              /**< Container for the public key context. */
+
+    mbedtls_x509_buf issuer_id;         /**< Optional X.509 v2/v3 issuer unique identifier. */
+    mbedtls_x509_buf subject_id;        /**< Optional X.509 v2/v3 subject unique identifier. */
+    mbedtls_x509_buf v3_ext;            /**< Optional X.509 v3 extensions.  */
+    mbedtls_x509_sequence subject_alt_names;    /**< Optional list of Subject Alternative Names (Only dNSName supported). */
+
+    int ext_types;              /**< Bit string containing detected and parsed extensions */
+    int ca_istrue;              /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
+    int max_pathlen;            /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
+
+    unsigned int key_usage;     /**< Optional key usage extension value: See the values in x509.h */
+
+    mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
+
+    unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
+
+    mbedtls_x509_buf sig;               /**< Signature: hash of the tbs part signed with the private key. */
+    mbedtls_md_type_t sig_md;           /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;           /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;             /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+
+    struct mbedtls_x509_crt *next;     /**< Next certificate in the CA-chain. */
+}
+mbedtls_x509_crt;
+
+/**
+ * Build flag from an algorithm/curve identifier (pk, md, ecp)
+ * Since 0 is always XXX_NONE, ignore it.
+ */
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( (id) - 1 ) )
+
+/**
+ * Security profile for certificate verification.
+ *
+ * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
+ */
+typedef struct mbedtls_x509_crt_profile
+{
+    uint32_t allowed_mds;       /**< MDs for signatures         */
+    uint32_t allowed_pks;       /**< PK algs for signatures     */
+    uint32_t allowed_curves;    /**< Elliptic curves for ECDSA  */
+    uint32_t rsa_min_bitlen;    /**< Minimum size for RSA keys  */
+}
+mbedtls_x509_crt_profile;
+
+#define MBEDTLS_X509_CRT_VERSION_1              0
+#define MBEDTLS_X509_CRT_VERSION_2              1
+#define MBEDTLS_X509_CRT_VERSION_3              2
+
+#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
+#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN   15
+
+#if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
+#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
+#endif
+
+/**
+ * Container for writing a certificate (CRT)
+ */
+typedef struct mbedtls_x509write_cert
+{
+    int version;
+    mbedtls_mpi serial;
+    mbedtls_pk_context *subject_key;
+    mbedtls_pk_context *issuer_key;
+    mbedtls_asn1_named_data *subject;
+    mbedtls_asn1_named_data *issuer;
+    mbedtls_md_type_t md_alg;
+    char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
+    mbedtls_asn1_named_data *extensions;
+}
+mbedtls_x509write_cert;
+
+/**
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+    mbedtls_x509_crt *crt;
+    uint32_t flags;
+} mbedtls_x509_crt_verify_chain_item;
+
+/**
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE  ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
+
+/**
+ * Verification chain as built by \c mbedtls_crt_verify_chain()
+ */
+typedef struct
+{
+    mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
+    unsigned len;
+} mbedtls_x509_crt_verify_chain;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+
+/**
+ * \brief       Context for resuming X.509 verify operations
+ */
+typedef struct
+{
+    /* for check_signature() */
+    mbedtls_pk_restart_ctx pk;
+
+    /* for find_parent_in() */
+    mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
+    mbedtls_x509_crt *fallback_parent;
+    int fallback_signature_is_good;
+
+    /* for find_parent() */
+    int parent_is_trusted; /* -1 if find_parent is not in progress */
+
+    /* for verify_chain() */
+    enum {
+        x509_crt_rs_none,
+        x509_crt_rs_find_parent,
+    } in_progress;  /* none if no operation is in progress */
+    int self_cnt;
+    mbedtls_x509_crt_verify_chain ver_chain;
+
+} mbedtls_x509_crt_restart_ctx;
+
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/* Now we can declare functions that take a pointer to that */
+typedef void mbedtls_x509_crt_restart_ctx;
+
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/**
+ * Default security profile. Should provide a good balance between security
+ * and compatibility with current deployments.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
+
+/**
+ * Expected next default profile. Recommended for new deployments.
+ * Currently targets a 128-bit security level, except for RSA-2048.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
+
+/**
+ * NSA Suite B profile.
+ */
+extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
+
+/**
+ * \brief          Parse a single DER formatted certificate and add it
+ *                 to the chained list.
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the certificate DER data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
+                        size_t buflen );
+
+/**
+ * \brief          Parse one DER-encoded or one or more concatenated PEM-encoded
+ *                 certificates and add them to the chained list.
+ *
+ *                 For CRTs in PEM encoding, the function parses permissively:
+ *                 if at least one certificate can be parsed, the function
+ *                 returns the number of certificates for which parsing failed
+ *                 (hence \c 0 if all certificates were parsed successfully).
+ *                 If no certificate could be parsed, the function returns
+ *                 the first (negative) error encountered during parsing.
+ *
+ *                 PEM encoded certificates may be interleaved by other data
+ *                 such as human readable descriptions of their content, as
+ *                 long as the certificates are enclosed in the PEM specific
+ *                 '-----{BEGIN/END} CERTIFICATE-----' delimiters.
+ *
+ * \param chain    The chain to which to add the parsed certificates.
+ * \param buf      The buffer holding the certificate data in PEM or DER format.
+ *                 For certificates in PEM encoding, this may be a concatenation
+ *                 of multiple certificates; for DER encoding, the buffer must
+ *                 comprise exactly one certificate.
+ * \param buflen   The size of \p buf, including the terminating \c NULL byte
+ *                 in case of PEM encoded data.
+ *
+ * \return         \c 0 if all certificates were parsed successfully.
+ * \return         The (positive) number of certificates that couldn't
+ *                 be parsed if parsing was partly successful (see above).
+ * \return         A negative X509 or PEM error code otherwise.
+ *
+ */
+int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load one or more certificates and add them
+ *                 to the chained list. Parses permissively. If some
+ *                 certificates can be parsed, the result is the number
+ *                 of failed certificates it encountered. If none complete
+ *                 correctly, the first error is returned.
+ *
+ * \param chain    points to the start of the chain
+ * \param path     filename to read the certificates from
+ *
+ * \return         0 if all certificates parsed successfully, a positive number
+ *                 if partly successful or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
+
+/**
+ * \brief          Load one or more certificate files from a path and add them
+ *                 to the chained list. Parses permissively. If some
+ *                 certificates can be parsed, the result is the number
+ *                 of failed certificates it encountered. If none complete
+ *                 correctly, the first error is returned.
+ *
+ * \param chain    points to the start of the chain
+ * \param path     directory / folder to read the certificate files from
+ *
+ * \return         0 if all certificates parsed successfully, a positive number
+ *                 if partly successful or a specific X509 or PEM error code
+ */
+int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the
+ *                 certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param crt      The X509 certificate to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crt *crt );
+
+/**
+ * \brief          Returns an informational string about the
+ *                 verification status of a certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param flags    Verification flags created by mbedtls_x509_crt_verify()
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags );
+
+/**
+ * \brief          Verify the certificate signature
+ *
+ *                 The verify callback is a user-supplied callback that
+ *                 can clear / modify / add flags for a certificate. If set,
+ *                 the verification callback is called for each
+ *                 certificate in the chain (from the trust-ca down to the
+ *                 presented crt). The parameters for the callback are:
+ *                 (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
+ *                 int *flags). With the flags representing current flags for
+ *                 that specific certificate and the certificate depth from
+ *                 the bottom (Peer cert depth = 0).
+ *
+ *                 All flags left after returning from the callback
+ *                 are also returned to the application. The function should
+ *                 return 0 for anything (including invalid certificates)
+ *                 other than fatal error, as a non-zero return code
+ *                 immediately aborts the verification process. For fatal
+ *                 errors, a specific error code should be used (different
+ *                 from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
+ *                 be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
+ *                 can be used if no better code is available.
+ *
+ * \note           In case verification failed, the results can be displayed
+ *                 using \c mbedtls_x509_crt_verify_info()
+ *
+ * \note           Same as \c mbedtls_x509_crt_verify_with_profile() with the
+ *                 default security profile.
+ *
+ * \note           It is your responsibility to provide up-to-date CRLs for
+ *                 all trusted CAs. If no CRL is provided for the CA that was
+ *                 used to sign the certificate, CRL verification is skipped
+ *                 silently, that is *without* setting any flag.
+ *
+ * \note           The \c trust_ca list can contain two types of certificates:
+ *                 (1) those of trusted root CAs, so that certificates
+ *                 chaining up to those CAs will be trusted, and (2)
+ *                 self-signed end-entity certificates to be trusted (for
+ *                 specific peers you know) - in that case, the self-signed
+ *                 certificate doesn't need to have the CA bit set.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs (see note above)
+ * \param ca_crl   the list of CRLs for trusted CAs (see note above)
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ *
+ * \return         0 (and flags set to 0) if the chain was verified and valid,
+ *                 MBEDTLS_ERR_X509_CERT_VERIFY_FAILED if the chain was verified
+ *                 but found to be invalid, in which case *flags will have one
+ *                 or more MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX
+ *                 flags set, or another error (and flags set to 0xffffffff)
+ *                 in case of a fatal error encountered during the
+ *                 verification process.
+ */
+int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+
+/**
+ * \brief          Verify the certificate signature according to profile
+ *
+ * \note           Same as \c mbedtls_x509_crt_verify(), but with explicit
+ *                 security profile.
+ *
+ * \note           The restrictions on keys (RSA minimum size, allowed curves
+ *                 for ECDSA) apply to all certificates: trusted root,
+ *                 intermediate CAs if any, and end entity certificate.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs
+ * \param profile  security profile for verification
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ *
+ * \return         0 if successful or MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
+ *                 in which case *flags will have one or more
+ *                 MBEDTLS_X509_BADCERT_XXX or MBEDTLS_X509_BADCRL_XXX flags
+ *                 set,
+ *                 or another error in case of a fatal error encountered
+ *                 during the verification process.
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy );
+
+/**
+ * \brief          Restartable version of \c mbedtls_crt_verify_with_profile()
+ *
+ * \note           Performs the same job as \c mbedtls_crt_verify_with_profile()
+ *                 but can return early and restart according to the limit
+ *                 set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs
+ * \param profile  security profile for verification
+ * \param cn       expected Common Name (can be set to
+ *                 NULL if the CN must not be verified)
+ * \param flags    result of the verification
+ * \param f_vrfy   verification function
+ * \param p_vrfy   verification parameter
+ * \param rs_ctx   restart context (NULL to disable restart)
+ *
+ * \return         See \c mbedtls_crt_verify_with_profile(), or
+ * \return         #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ *                 operations was reached: see \c mbedtls_ecp_set_max_ops().
+ */
+int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy,
+                     mbedtls_x509_crt_restart_ctx *rs_ctx );
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+/**
+ * \brief          Check usage of certificate against keyUsage extension.
+ *
+ * \param crt      Leaf certificate used.
+ * \param usage    Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
+ *                 before using the certificate to perform an RSA key
+ *                 exchange).
+ *
+ * \note           Except for decipherOnly and encipherOnly, a bit set in the
+ *                 usage argument means this bit MUST be set in the
+ *                 certificate. For decipherOnly and encipherOnly, it means
+ *                 that bit MAY be set.
+ *
+ * \return         0 is these uses of the certificate are allowed,
+ *                 MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
+ *                 is present but does not match the usage argument.
+ *
+ * \note           You should only call this function on leaf certificates, on
+ *                 (intermediate) CAs the keyUsage extension is automatically
+ *                 checked by \c mbedtls_x509_crt_verify().
+ */
+int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
+                                      unsigned int usage );
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+/**
+ * \brief           Check usage of certificate against extendedKeyUsage.
+ *
+ * \param crt       Leaf certificate used.
+ * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
+ *                  MBEDTLS_OID_CLIENT_AUTH).
+ * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
+ *
+ * \return          0 if this use of the certificate is allowed,
+ *                  MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
+ *
+ * \note            Usually only makes sense on leaf certificates.
+ */
+int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
+                                               const char *usage_oid,
+                                               size_t usage_len );
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/**
+ * \brief          Verify the certificate revocation status
+ *
+ * \param crt      a certificate to be verified
+ * \param crl      the CRL to verify against
+ *
+ * \return         1 if the certificate is revoked, 0 otherwise
+ *
+ */
+int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/**
+ * \brief          Initialize a certificate (chain)
+ *
+ * \param crt      Certificate chain to initialize
+ */
+void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
+
+/**
+ * \brief          Unallocate all certificate data
+ *
+ * \param crt      Certificate chain to free
+ */
+void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/**
+ * \brief           Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
+
+/**
+ * \brief           Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+/**
+ * \brief           Initialize a CRT writing context
+ *
+ * \param ctx       CRT context to initialize
+ */
+void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Set the verion for a Certificate
+ *                  Default: MBEDTLS_X509_CRT_VERSION_3
+ *
+ * \param ctx       CRT context to use
+ * \param version   version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or
+ *                                  MBEDTLS_X509_CRT_VERSION_3)
+ */
+void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
+
+/**
+ * \brief           Set the serial number for a Certificate.
+ *
+ * \param ctx       CRT context to use
+ * \param serial    serial number to set
+ *
+ * \return          0 if successful
+ */
+int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
+
+/**
+ * \brief           Set the validity period for a Certificate
+ *                  Timestamps should be in string format for UTC timezone
+ *                  i.e. "YYYYMMDDhhmmss"
+ *                  e.g. "20131231235959" for December 31st 2013
+ *                       at 23:59:59
+ *
+ * \param ctx       CRT context to use
+ * \param not_before    not_before timestamp
+ * \param not_after     not_after timestamp
+ *
+ * \return          0 if timestamp was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
+                                const char *not_after );
+
+/**
+ * \brief           Set the issuer name for a Certificate
+ *                  Issuer names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS CA"
+ *
+ * \param ctx           CRT context to use
+ * \param issuer_name   issuer name to set
+ *
+ * \return          0 if issuer name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
+                                   const char *issuer_name );
+
+/**
+ * \brief           Set the subject name for a Certificate
+ *                  Subject names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
+ *
+ * \param ctx           CRT context to use
+ * \param subject_name  subject name to set
+ *
+ * \return          0 if subject name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
+                                    const char *subject_name );
+
+/**
+ * \brief           Set the subject public key for the certificate
+ *
+ * \param ctx       CRT context to use
+ * \param key       public key to include
+ */
+void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the issuer key used for signing the certificate
+ *
+ * \param ctx       CRT context to use
+ * \param key       private key to sign with
+ */
+void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the MD algorithm to use for the signature
+ *                  (e.g. MBEDTLS_MD_SHA1)
+ *
+ * \param ctx       CRT context to use
+ * \param md_alg    MD algorithm to use
+ */
+void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
+
+/**
+ * \brief           Generic function to add to or replace an extension in the
+ *                  CRT
+ *
+ * \param ctx       CRT context to use
+ * \param oid       OID of the extension
+ * \param oid_len   length of the OID
+ * \param critical  if the extension is critical (per the RFC's definition)
+ * \param val       value of the extension OCTET STRING
+ * \param val_len   length of the value data
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
+                                 const char *oid, size_t oid_len,
+                                 int critical,
+                                 const unsigned char *val, size_t val_len );
+
+/**
+ * \brief           Set the basicConstraints extension for a CRT
+ *
+ * \param ctx       CRT context to use
+ * \param is_ca     is this a CA certificate
+ * \param max_pathlen   maximum length of certificate chains below this
+ *                      certificate (only for CA certificates, -1 is
+ *                      inlimited)
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
+                                         int is_ca, int max_pathlen );
+
+#if defined(MBEDTLS_SHA1_C)
+/**
+ * \brief           Set the subjectKeyIdentifier extension for a CRT
+ *                  Requires that mbedtls_x509write_crt_set_subject_key() has been
+ *                  called before
+ *
+ * \param ctx       CRT context to use
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Set the authorityKeyIdentifier extension for a CRT
+ *                  Requires that mbedtls_x509write_crt_set_issuer_key() has been
+ *                  called before
+ *
+ * \param ctx       CRT context to use
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
+#endif /* MBEDTLS_SHA1_C */
+
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CRT context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage );
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CRT context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
+                                    unsigned char ns_cert_type );
+
+/**
+ * \brief           Free the contents of a CRT write context
+ *
+ * \param ctx       CRT context to free
+ */
+void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
+
+/**
+ * \brief           Write a built up certificate to a X509 DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       certificate to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a built up certificate to a X509 PEM string
+ *
+ * \param ctx       certificate to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_crt.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/x509_csr.h b/makerom/deps/libmbedtls/include/mbedtls/x509_csr.h
new file mode 100644
index 00000000..a3c28048
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/x509_csr.h
@@ -0,0 +1,307 @@
+/**
+ * \file x509_csr.h
+ *
+ * \brief X.509 certificate signing request parsing and writing
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_X509_CSR_H
+#define MBEDTLS_X509_CSR_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "x509.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * \addtogroup x509_module
+ * \{ */
+
+/**
+ * \name Structures and functions for X.509 Certificate Signing Requests (CSR)
+ * \{
+ */
+
+/**
+ * Certificate Signing Request (CSR) structure.
+ */
+typedef struct mbedtls_x509_csr
+{
+    mbedtls_x509_buf raw;           /**< The raw CSR data (DER). */
+    mbedtls_x509_buf cri;           /**< The raw CertificateRequestInfo body (DER). */
+
+    int version;            /**< CSR version (1=v1). */
+
+    mbedtls_x509_buf  subject_raw;  /**< The raw subject data (DER). */
+    mbedtls_x509_name subject;      /**< The parsed subject data (named information object). */
+
+    mbedtls_pk_context pk;          /**< Container for the public key context. */
+
+    mbedtls_x509_buf sig_oid;
+    mbedtls_x509_buf sig;
+    mbedtls_md_type_t sig_md;       /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
+    mbedtls_pk_type_t sig_pk;       /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
+    void *sig_opts;         /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
+}
+mbedtls_x509_csr;
+
+/**
+ * Container for writing a CSR
+ */
+typedef struct mbedtls_x509write_csr
+{
+    mbedtls_pk_context *key;
+    mbedtls_asn1_named_data *subject;
+    mbedtls_md_type_t md_alg;
+    mbedtls_asn1_named_data *extensions;
+}
+mbedtls_x509write_csr;
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+/**
+ * \brief          Load a Certificate Signing Request (CSR) in DER format
+ *
+ * \note           CSR attributes (if any) are currently silently ignored.
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 error code
+ */
+int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
+                        const unsigned char *buf, size_t buflen );
+
+/**
+ * \brief          Load a Certificate Signing Request (CSR), DER or PEM format
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse_der()
+ *
+ * \param csr      CSR context to fill
+ * \param buf      buffer holding the CRL data
+ * \param buflen   size of the buffer
+ *                 (including the terminating null byte for PEM data)
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen );
+
+#if defined(MBEDTLS_FS_IO)
+/**
+ * \brief          Load a Certificate Signing Request (CSR)
+ *
+ * \note           See notes for \c mbedtls_x509_csr_parse()
+ *
+ * \param csr      CSR context to fill
+ * \param path     filename to read the CSR from
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
+#endif /* MBEDTLS_FS_IO */
+
+/**
+ * \brief          Returns an informational string about the
+ *                 CSR.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param csr      The X509 CSR to represent
+ *
+ * \return         The length of the string written (not including the
+ *                 terminated nul byte), or a negative error code.
+ */
+int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_csr *csr );
+
+/**
+ * \brief          Initialize a CSR
+ *
+ * \param csr      CSR to initialize
+ */
+void mbedtls_x509_csr_init( mbedtls_x509_csr *csr );
+
+/**
+ * \brief          Unallocate all CSR data
+ *
+ * \param csr      CSR to free
+ */
+void mbedtls_x509_csr_free( mbedtls_x509_csr *csr );
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+
+/* \} name */
+/* \} addtogroup x509_module */
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+/**
+ * \brief           Initialize a CSR context
+ *
+ * \param ctx       CSR context to initialize
+ */
+void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx );
+
+/**
+ * \brief           Set the subject name for a CSR
+ *                  Subject names should contain a comma-separated list
+ *                  of OID types and values:
+ *                  e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
+ *
+ * \param ctx           CSR context to use
+ * \param subject_name  subject name to set
+ *
+ * \return          0 if subject name was parsed successfully, or
+ *                  a specific error code
+ */
+int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
+                                    const char *subject_name );
+
+/**
+ * \brief           Set the key for a CSR (public key will be included,
+ *                  private key used to sign the CSR when writing it)
+ *
+ * \param ctx       CSR context to use
+ * \param key       Asymetric key to include
+ */
+void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key );
+
+/**
+ * \brief           Set the MD algorithm to use for the signature
+ *                  (e.g. MBEDTLS_MD_SHA1)
+ *
+ * \param ctx       CSR context to use
+ * \param md_alg    MD algorithm to use
+ */
+void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg );
+
+/**
+ * \brief           Set the Key Usage Extension flags
+ *                  (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
+ *
+ * \param ctx       CSR context to use
+ * \param key_usage key usage flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note            The <code>decipherOnly</code> flag from the Key Usage
+ *                  extension is represented by bit 8 (i.e.
+ *                  <code>0x8000</code>), which cannot typically be represented
+ *                  in an unsigned char. Therefore, the flag
+ *                  <code>decipherOnly</code> (i.e.
+ *                  #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
+ *                  function.
+ */
+int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
+
+/**
+ * \brief           Set the Netscape Cert Type flags
+ *                  (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
+ *
+ * \param ctx           CSR context to use
+ * \param ns_cert_type  Netscape Cert Type flags to set
+ *
+ * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
+                                    unsigned char ns_cert_type );
+
+/**
+ * \brief           Generic function to add to or replace an extension in the
+ *                  CSR
+ *
+ * \param ctx       CSR context to use
+ * \param oid       OID of the extension
+ * \param oid_len   length of the OID
+ * \param val       value of the extension OCTET STRING
+ * \param val_len   length of the value data
+ *
+ * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ */
+int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
+                                 const char *oid, size_t oid_len,
+                                 const unsigned char *val, size_t val_len );
+
+/**
+ * \brief           Free the contents of a CSR context
+ *
+ * \param ctx       CSR context to free
+ */
+void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx );
+
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  DER structure
+ *                  Note: data is written at the end of the buffer! Use the
+ *                        return value to determine where you should start
+ *                        using the buffer
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          length of data written if successful, or a specific
+ *                  error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+/**
+ * \brief           Write a CSR (Certificate Signing Request) to a
+ *                  PEM string
+ *
+ * \param ctx       CSR to write away
+ * \param buf       buffer to write to
+ * \param size      size of the buffer
+ * \param f_rng     RNG function (for signature, see note)
+ * \param p_rng     RNG parameter
+ *
+ * \return          0 if successful, or a specific error code
+ *
+ * \note            f_rng may be NULL if RSA is used for signature and the
+ *                  signature is made offline (otherwise f_rng is desirable
+ *                  for countermeasures against timing attacks).
+ *                  ECDSA signatures always require a non-NULL f_rng.
+ */
+int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng );
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* mbedtls_x509_csr.h */
diff --git a/makerom/deps/libmbedtls/include/mbedtls/xtea.h b/makerom/deps/libmbedtls/include/mbedtls/xtea.h
new file mode 100644
index 00000000..b47f5535
--- /dev/null
+++ b/makerom/deps/libmbedtls/include/mbedtls/xtea.h
@@ -0,0 +1,139 @@
+/**
+ * \file xtea.h
+ *
+ * \brief XTEA block cipher (32-bit)
+ */
+/*
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_XTEA_H
+#define MBEDTLS_XTEA_H
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define MBEDTLS_XTEA_ENCRYPT     1
+#define MBEDTLS_XTEA_DECRYPT     0
+
+#define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH             -0x0028  /**< The data input has an invalid length. */
+
+/* MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED is deprecated and should not be used. */
+#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED                  -0x0029  /**< XTEA hardware accelerator failed. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(MBEDTLS_XTEA_ALT)
+// Regular implementation
+//
+
+/**
+ * \brief          XTEA context structure
+ */
+typedef struct mbedtls_xtea_context
+{
+    uint32_t k[4];       /*!< key */
+}
+mbedtls_xtea_context;
+
+#else  /* MBEDTLS_XTEA_ALT */
+#include "xtea_alt.h"
+#endif /* MBEDTLS_XTEA_ALT */
+
+/**
+ * \brief          Initialize XTEA context
+ *
+ * \param ctx      XTEA context to be initialized
+ */
+void mbedtls_xtea_init( mbedtls_xtea_context *ctx );
+
+/**
+ * \brief          Clear XTEA context
+ *
+ * \param ctx      XTEA context to be cleared
+ */
+void mbedtls_xtea_free( mbedtls_xtea_context *ctx );
+
+/**
+ * \brief          XTEA key schedule
+ *
+ * \param ctx      XTEA context to be initialized
+ * \param key      the secret key
+ */
+void mbedtls_xtea_setup( mbedtls_xtea_context *ctx, const unsigned char key[16] );
+
+/**
+ * \brief          XTEA cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param input    8-byte input block
+ * \param output   8-byte output block
+ *
+ * \return         0 if successful
+ */
+int mbedtls_xtea_crypt_ecb( mbedtls_xtea_context *ctx,
+                    int mode,
+                    const unsigned char input[8],
+                    unsigned char output[8] );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/**
+ * \brief          XTEA CBC cipher function
+ *
+ * \param ctx      XTEA context
+ * \param mode     MBEDTLS_XTEA_ENCRYPT or MBEDTLS_XTEA_DECRYPT
+ * \param length   the length of input, multiple of 8
+ * \param iv       initialization vector for CBC mode
+ * \param input    input block
+ * \param output   output block
+ *
+ * \return         0 if successful,
+ *                 MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH if the length % 8 != 0
+ */
+int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_xtea_self_test( int verbose );
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* xtea.h */
diff --git a/makerom/deps/libmbedtls/makefile b/makerom/deps/libmbedtls/makefile
new file mode 100644
index 00000000..3f2d0ca7
--- /dev/null
+++ b/makerom/deps/libmbedtls/makefile
@@ -0,0 +1,197 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 6 (20211110)
+
+# Project Name
+PROJECT_NAME = libmbedtls
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Shared Library Definitions
+PROJECT_SO_VER_MAJOR = 0
+PROJECT_SO_VER_MINOR = 2
+PROJECT_SO_VER_PATCH = 0
+PROJECT_SONAME = $(PROJECT_NAME).so.$(PROJECT_SO_VER_MAJOR)
+PROJECT_SO_FILENAME = $(PROJECT_SONAME).$(PROJECT_SO_VER_MINOR).$(PROJECT_SO_VER_PATCH)
+
+# Project Dependencies
+PROJECT_DEPEND =
+PROJECT_DEPEND_LOCAL_DIR =
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc	
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building static library
+#	- 'shared_lib' for building shared library
+#	- 'program' for building the program
+#	- 'test_program' for building the test program
+# These can typically be used together however *_lib and program should not be used together
+all: static_lib
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+shared_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)
+	@gcc -shared -Wl,-soname,$(PROJECT_SONAME) -o "$(PROJECT_BIN_PATH)/$(PROJECT_SO_FILENAME)" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/makerom/deps/libmbedtls/src/aes.c b/makerom/deps/libmbedtls/src/aes.c
new file mode 100644
index 00000000..02a7986b
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/aes.c
@@ -0,0 +1,2233 @@
+/*
+ *  FIPS-197 compliant AES implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
+ *
+ *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
+ *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AES_C)
+
+#include <string.h>
+
+#include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+#if defined(MBEDTLS_PADLOCK_C)
+#include "mbedtls/padlock.h"
+#endif
+#if defined(MBEDTLS_AESNI_C)
+#include "mbedtls/aesni.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_AES_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define AES_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
+#define AES_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) &&                      \
+    ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
+static int aes_padlock_ace = -1;
+#endif
+
+#if defined(MBEDTLS_AES_ROM_TABLES)
+/*
+ * Forward S-box
+ */
+static const unsigned char FSb[256] =
+{
+    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
+    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
+    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
+    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
+    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
+    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
+    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
+    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
+    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
+    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
+    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
+    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
+    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
+    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
+    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
+    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
+    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
+    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
+    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
+    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
+    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
+    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
+};
+
+/*
+ * Forward tables
+ */
+#define FT \
+\
+    V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
+    V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
+    V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
+    V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
+    V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
+    V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
+    V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
+    V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
+    V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
+    V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
+    V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
+    V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
+    V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
+    V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
+    V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
+    V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
+    V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
+    V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
+    V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
+    V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
+    V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
+    V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
+    V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
+    V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
+    V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
+    V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
+    V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
+    V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
+    V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
+    V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
+    V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
+    V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
+    V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
+    V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
+    V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
+    V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
+    V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
+    V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
+    V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
+    V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
+    V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
+    V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
+    V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
+    V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
+    V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
+    V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
+    V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
+    V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
+    V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
+    V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
+    V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
+    V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
+    V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
+    V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
+    V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
+    V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
+    V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
+    V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
+    V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
+    V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
+    V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
+    V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
+    V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
+    V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
+
+#define V(a,b,c,d) 0x##a##b##c##d
+static const uint32_t FT0[256] = { FT };
+#undef V
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define V(a,b,c,d) 0x##b##c##d##a
+static const uint32_t FT1[256] = { FT };
+#undef V
+
+#define V(a,b,c,d) 0x##c##d##a##b
+static const uint32_t FT2[256] = { FT };
+#undef V
+
+#define V(a,b,c,d) 0x##d##a##b##c
+static const uint32_t FT3[256] = { FT };
+#undef V
+
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+#undef FT
+
+/*
+ * Reverse S-box
+ */
+static const unsigned char RSb[256] =
+{
+    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
+    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
+    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
+    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
+    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
+    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
+    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
+    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
+    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
+    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
+    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
+    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
+    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
+    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
+    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
+    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
+    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
+    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
+    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
+    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
+    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
+    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
+};
+
+/*
+ * Reverse tables
+ */
+#define RT \
+\
+    V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
+    V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
+    V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
+    V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
+    V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
+    V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
+    V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
+    V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
+    V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
+    V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
+    V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
+    V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
+    V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
+    V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
+    V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
+    V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
+    V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
+    V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
+    V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
+    V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
+    V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
+    V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
+    V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
+    V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
+    V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
+    V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
+    V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
+    V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
+    V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
+    V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
+    V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
+    V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
+    V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
+    V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
+    V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
+    V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
+    V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
+    V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
+    V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
+    V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
+    V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
+    V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
+    V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
+    V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
+    V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
+    V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
+    V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
+    V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
+    V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
+    V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
+    V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
+    V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
+    V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
+    V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
+    V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
+    V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
+    V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
+    V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
+    V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
+    V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
+    V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
+    V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
+    V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
+    V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
+
+#define V(a,b,c,d) 0x##a##b##c##d
+static const uint32_t RT0[256] = { RT };
+#undef V
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define V(a,b,c,d) 0x##b##c##d##a
+static const uint32_t RT1[256] = { RT };
+#undef V
+
+#define V(a,b,c,d) 0x##c##d##a##b
+static const uint32_t RT2[256] = { RT };
+#undef V
+
+#define V(a,b,c,d) 0x##d##a##b##c
+static const uint32_t RT3[256] = { RT };
+#undef V
+
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+#undef RT
+
+/*
+ * Round constants
+ */
+static const uint32_t RCON[10] =
+{
+    0x00000001, 0x00000002, 0x00000004, 0x00000008,
+    0x00000010, 0x00000020, 0x00000040, 0x00000080,
+    0x0000001B, 0x00000036
+};
+
+#else /* MBEDTLS_AES_ROM_TABLES */
+
+/*
+ * Forward S-box & tables
+ */
+static unsigned char FSb[256];
+static uint32_t FT0[256];
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+static uint32_t FT1[256];
+static uint32_t FT2[256];
+static uint32_t FT3[256];
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+/*
+ * Reverse S-box & tables
+ */
+static unsigned char RSb[256];
+static uint32_t RT0[256];
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+static uint32_t RT1[256];
+static uint32_t RT2[256];
+static uint32_t RT3[256];
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+/*
+ * Round constants
+ */
+static uint32_t RCON[10];
+
+/*
+ * Tables generation code
+ */
+#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
+#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
+#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
+
+static int aes_init_done = 0;
+
+static void aes_gen_tables( void )
+{
+    int i, x, y, z;
+    int pow[256];
+    int log[256];
+
+    /*
+     * compute pow and log tables over GF(2^8)
+     */
+    for( i = 0, x = 1; i < 256; i++ )
+    {
+        pow[i] = x;
+        log[x] = i;
+        x = ( x ^ XTIME( x ) ) & 0xFF;
+    }
+
+    /*
+     * calculate the round constants
+     */
+    for( i = 0, x = 1; i < 10; i++ )
+    {
+        RCON[i] = (uint32_t) x;
+        x = XTIME( x ) & 0xFF;
+    }
+
+    /*
+     * generate the forward and reverse S-boxes
+     */
+    FSb[0x00] = 0x63;
+    RSb[0x63] = 0x00;
+
+    for( i = 1; i < 256; i++ )
+    {
+        x = pow[255 - log[i]];
+
+        y  = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
+        x ^= y ^ 0x63;
+
+        FSb[i] = (unsigned char) x;
+        RSb[x] = (unsigned char) i;
+    }
+
+    /*
+     * generate the forward and reverse tables
+     */
+    for( i = 0; i < 256; i++ )
+    {
+        x = FSb[i];
+        y = XTIME( x ) & 0xFF;
+        z =  ( y ^ x ) & 0xFF;
+
+        FT0[i] = ( (uint32_t) y       ) ^
+                 ( (uint32_t) x <<  8 ) ^
+                 ( (uint32_t) x << 16 ) ^
+                 ( (uint32_t) z << 24 );
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+        FT1[i] = ROTL8( FT0[i] );
+        FT2[i] = ROTL8( FT1[i] );
+        FT3[i] = ROTL8( FT2[i] );
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+
+        x = RSb[i];
+
+        RT0[i] = ( (uint32_t) MUL( 0x0E, x )       ) ^
+                 ( (uint32_t) MUL( 0x09, x ) <<  8 ) ^
+                 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
+                 ( (uint32_t) MUL( 0x0B, x ) << 24 );
+
+#if !defined(MBEDTLS_AES_FEWER_TABLES)
+        RT1[i] = ROTL8( RT0[i] );
+        RT2[i] = ROTL8( RT1[i] );
+        RT3[i] = ROTL8( RT2[i] );
+#endif /* !MBEDTLS_AES_FEWER_TABLES */
+    }
+}
+
+#undef ROTL8
+
+#endif /* MBEDTLS_AES_ROM_TABLES */
+
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+
+#define ROTL8(x)  ( (uint32_t)( ( x ) <<  8 ) + (uint32_t)( ( x ) >> 24 ) )
+#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
+#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >>  8 ) )
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) ROTL8(  RT0[idx] )
+#define AES_RT2(idx) ROTL16( RT0[idx] )
+#define AES_RT3(idx) ROTL24( RT0[idx] )
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) ROTL8(  FT0[idx] )
+#define AES_FT2(idx) ROTL16( FT0[idx] )
+#define AES_FT3(idx) ROTL24( FT0[idx] )
+
+#else /* MBEDTLS_AES_FEWER_TABLES */
+
+#define AES_RT0(idx) RT0[idx]
+#define AES_RT1(idx) RT1[idx]
+#define AES_RT2(idx) RT2[idx]
+#define AES_RT3(idx) RT3[idx]
+
+#define AES_FT0(idx) FT0[idx]
+#define AES_FT1(idx) FT1[idx]
+#define AES_FT2(idx) FT2[idx]
+#define AES_FT3(idx) FT3[idx]
+
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+
+void mbedtls_aes_init( mbedtls_aes_context *ctx )
+{
+    AES_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_aes_context ) );
+}
+
+void mbedtls_aes_free( mbedtls_aes_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
+{
+    AES_VALIDATE( ctx != NULL );
+
+    mbedtls_aes_init( &ctx->crypt );
+    mbedtls_aes_init( &ctx->tweak );
+}
+
+void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_aes_free( &ctx->crypt );
+    mbedtls_aes_free( &ctx->tweak );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/*
+ * AES key schedule (encryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits )
+{
+    unsigned int i;
+    uint32_t *RK;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    switch( keybits )
+    {
+        case 128: ctx->nr = 10; break;
+        case 192: ctx->nr = 12; break;
+        case 256: ctx->nr = 14; break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+#if !defined(MBEDTLS_AES_ROM_TABLES)
+    if( aes_init_done == 0 )
+    {
+        aes_gen_tables();
+        aes_init_done = 1;
+    }
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
+    if( aes_padlock_ace == -1 )
+        aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
+
+    if( aes_padlock_ace )
+        ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
+    else
+#endif
+    ctx->rk = RK = ctx->buf;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+        return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
+#endif
+
+    for( i = 0; i < ( keybits >> 5 ); i++ )
+    {
+        GET_UINT32_LE( RK[i], key, i << 2 );
+    }
+
+    switch( ctx->nr )
+    {
+        case 10:
+
+            for( i = 0; i < 10; i++, RK += 4 )
+            {
+                RK[4]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
+
+                RK[5]  = RK[1] ^ RK[4];
+                RK[6]  = RK[2] ^ RK[5];
+                RK[7]  = RK[3] ^ RK[6];
+            }
+            break;
+
+        case 12:
+
+            for( i = 0; i < 8; i++, RK += 6 )
+            {
+                RK[6]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
+
+                RK[7]  = RK[1] ^ RK[6];
+                RK[8]  = RK[2] ^ RK[7];
+                RK[9]  = RK[3] ^ RK[8];
+                RK[10] = RK[4] ^ RK[9];
+                RK[11] = RK[5] ^ RK[10];
+            }
+            break;
+
+        case 14:
+
+            for( i = 0; i < 7; i++, RK += 8 )
+            {
+                RK[8]  = RK[0] ^ RCON[i] ^
+                ( (uint32_t) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
+
+                RK[9]  = RK[1] ^ RK[8];
+                RK[10] = RK[2] ^ RK[9];
+                RK[11] = RK[3] ^ RK[10];
+
+                RK[12] = RK[4] ^
+                ( (uint32_t) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
+                ( (uint32_t) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
+                ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
+                ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
+
+                RK[13] = RK[5] ^ RK[12];
+                RK[14] = RK[6] ^ RK[13];
+                RK[15] = RK[7] ^ RK[14];
+            }
+            break;
+    }
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
+
+/*
+ * AES key schedule (decryption)
+ */
+#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
+                    unsigned int keybits )
+{
+    int i, j, ret;
+    mbedtls_aes_context cty;
+    uint32_t *RK;
+    uint32_t *SK;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    mbedtls_aes_init( &cty );
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
+    if( aes_padlock_ace == -1 )
+        aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
+
+    if( aes_padlock_ace )
+        ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
+    else
+#endif
+    ctx->rk = RK = ctx->buf;
+
+    /* Also checks keybits */
+    if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
+        goto exit;
+
+    ctx->nr = cty.nr;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+    {
+        mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
+                           (const unsigned char *) cty.rk, ctx->nr );
+        goto exit;
+    }
+#endif
+
+    SK = cty.rk + cty.nr * 4;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+    for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
+    {
+        for( j = 0; j < 4; j++, SK++ )
+        {
+            *RK++ = AES_RT0( FSb[ ( *SK       ) & 0xFF ] ) ^
+                    AES_RT1( FSb[ ( *SK >>  8 ) & 0xFF ] ) ^
+                    AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
+                    AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
+        }
+    }
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+exit:
+    mbedtls_aes_free( &cty );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
+                                        unsigned int keybits,
+                                        const unsigned char **key1,
+                                        unsigned int *key1bits,
+                                        const unsigned char **key2,
+                                        unsigned int *key2bits )
+{
+    const unsigned int half_keybits = keybits / 2;
+    const unsigned int half_keybytes = half_keybits / 8;
+
+    switch( keybits )
+    {
+        case 256: break;
+        case 512: break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+    *key1bits = half_keybits;
+    *key2bits = half_keybits;
+    *key1 = &key[0];
+    *key2 = &key[half_keybytes];
+
+    return 0;
+}
+
+int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits)
+{
+    int ret;
+    const unsigned char *key1, *key2;
+    unsigned int key1bits, key2bits;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+                                       &key2, &key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set the tweak key. Always set tweak key for the encryption mode. */
+    ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set crypt key for encryption. */
+    return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
+}
+
+int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
+                                const unsigned char *key,
+                                unsigned int keybits)
+{
+    int ret;
+    const unsigned char *key1, *key2;
+    unsigned int key1bits, key2bits;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
+                                       &key2, &key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set the tweak key. Always set tweak key for encryption. */
+    ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
+    if( ret != 0 )
+        return( ret );
+
+    /* Set crypt key for decryption. */
+    return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
+
+#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                     \
+    do                                                          \
+    {                                                           \
+        (X0) = *RK++ ^ AES_FT0( ( (Y0)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y1) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y3) >> 24 ) & 0xFF );        \
+                                                                \
+        (X1) = *RK++ ^ AES_FT0( ( (Y1)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y2) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y0) >> 24 ) & 0xFF );        \
+                                                                \
+        (X2) = *RK++ ^ AES_FT0( ( (Y2)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y3) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y1) >> 24 ) & 0xFF );        \
+                                                                \
+        (X3) = *RK++ ^ AES_FT0( ( (Y3)       ) & 0xFF ) ^       \
+                       AES_FT1( ( (Y0) >>  8 ) & 0xFF ) ^       \
+                       AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^       \
+                       AES_FT3( ( (Y2) >> 24 ) & 0xFF );        \
+    } while( 0 )
+
+#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                 \
+    do                                                      \
+    {                                                       \
+        (X0) = *RK++ ^ AES_RT0( ( (Y0)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y3) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y1) >> 24 ) & 0xFF );    \
+                                                            \
+        (X1) = *RK++ ^ AES_RT0( ( (Y1)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y0) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y2) >> 24 ) & 0xFF );    \
+                                                            \
+        (X2) = *RK++ ^ AES_RT0( ( (Y2)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y1) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y3) >> 24 ) & 0xFF );    \
+                                                            \
+        (X3) = *RK++ ^ AES_RT0( ( (Y3)       ) & 0xFF ) ^   \
+                       AES_RT1( ( (Y2) >>  8 ) & 0xFF ) ^   \
+                       AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^   \
+                       AES_RT3( ( (Y0) >> 24 ) & 0xFF );    \
+    } while( 0 )
+
+/*
+ * AES-ECB block encryption
+ */
+#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
+int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] )
+{
+    int i;
+    uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+
+    RK = ctx->rk;
+
+    GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
+    GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
+    GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
+    GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
+
+    for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
+    {
+        AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+        AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
+    }
+
+    AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+
+    X0 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y0       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
+
+    X1 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y1       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
+
+    X2 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y2       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
+
+    X3 = *RK++ ^ \
+            ( (uint32_t) FSb[ ( Y3       ) & 0xFF ]       ) ^
+            ( (uint32_t) FSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
+
+    PUT_UINT32_LE( X0, output,  0 );
+    PUT_UINT32_LE( X1, output,  4 );
+    PUT_UINT32_LE( X2, output,  8 );
+    PUT_UINT32_LE( X3, output, 12 );
+
+    mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
+                          const unsigned char input[16],
+                          unsigned char output[16] )
+{
+    mbedtls_internal_aes_encrypt( ctx, input, output );
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * AES-ECB block decryption
+ */
+#if !defined(MBEDTLS_AES_DECRYPT_ALT)
+int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
+                                  const unsigned char input[16],
+                                  unsigned char output[16] )
+{
+    int i;
+    uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+
+    RK = ctx->rk;
+
+    GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
+    GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
+    GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
+    GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
+
+    for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
+    {
+        AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+        AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
+    }
+
+    AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+
+    X0 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y0       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
+
+    X1 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y1       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
+
+    X2 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y2       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
+
+    X3 = *RK++ ^ \
+            ( (uint32_t) RSb[ ( Y3       ) & 0xFF ]       ) ^
+            ( (uint32_t) RSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
+            ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
+            ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
+
+    PUT_UINT32_LE( X0, output,  0 );
+    PUT_UINT32_LE( X1, output,  4 );
+    PUT_UINT32_LE( X2, output,  8 );
+    PUT_UINT32_LE( X3, output, 12 );
+
+    mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
+    mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
+    mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
+    mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
+
+    mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
+    mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
+    mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
+    mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
+
+    mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_AES_DECRYPT_ALT */
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
+                          const unsigned char input[16],
+                          unsigned char output[16] )
+{
+    mbedtls_internal_aes_decrypt( ctx, input, output );
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * AES-ECB block encryption/decryption
+ */
+int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
+                           int mode,
+                           const unsigned char input[16],
+                           unsigned char output[16] )
+{
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
+        return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+    if( aes_padlock_ace )
+    {
+        if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
+            return( 0 );
+
+        // If padlock data misaligned, we just fall back to
+        // unaccelerated mode
+        //
+    }
+#endif
+
+    if( mode == MBEDTLS_AES_ENCRYPT )
+        return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
+    else
+        return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * AES-CBC buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[16];
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    if( length % 16 )
+        return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+
+#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
+    if( aes_padlock_ace )
+    {
+        if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
+            return( 0 );
+
+        // If padlock data misaligned, we just fall back to
+        // unaccelerated mode
+        //
+    }
+#endif
+
+    if( mode == MBEDTLS_AES_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 16 );
+            mbedtls_aes_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_aes_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+
+/* Endianess with 64 bits values */
+#ifndef GET_UINT64_LE
+#define GET_UINT64_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i) + 7] << 56 )             \
+        | ( (uint64_t) (b)[(i) + 6] << 48 )             \
+        | ( (uint64_t) (b)[(i) + 5] << 40 )             \
+        | ( (uint64_t) (b)[(i) + 4] << 32 )             \
+        | ( (uint64_t) (b)[(i) + 3] << 24 )             \
+        | ( (uint64_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint64_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint64_t) (b)[(i)    ]       );            \
+}
+#endif
+
+#ifndef PUT_UINT64_LE
+#define PUT_UINT64_LE(n,b,i)                            \
+{                                                       \
+    (b)[(i) + 7] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i)    ] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+typedef unsigned char mbedtls_be128[16];
+
+/*
+ * GF(2^128) multiplication function
+ *
+ * This function multiplies a field element by x in the polynomial field
+ * representation. It uses 64-bit word operations to gain speed but compensates
+ * for machine endianess and hence works correctly on both big and little
+ * endian machines.
+ */
+static void mbedtls_gf128mul_x_ble( unsigned char r[16],
+                                    const unsigned char x[16] )
+{
+    uint64_t a, b, ra, rb;
+
+    GET_UINT64_LE( a, x, 0 );
+    GET_UINT64_LE( b, x, 8 );
+
+    ra = ( a << 1 )  ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
+    rb = ( a >> 63 ) | ( b << 1 );
+
+    PUT_UINT64_LE( ra, r, 0 );
+    PUT_UINT64_LE( rb, r, 8 );
+}
+
+/*
+ * AES-XTS buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
+                           int mode,
+                           size_t length,
+                           const unsigned char data_unit[16],
+                           const unsigned char *input,
+                           unsigned char *output )
+{
+    int ret;
+    size_t blocks = length / 16;
+    size_t leftover = length % 16;
+    unsigned char tweak[16];
+    unsigned char prev_tweak[16];
+    unsigned char tmp[16];
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( data_unit != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    /* Data units must be at least 16 bytes long. */
+    if( length < 16 )
+        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+    /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
+    if( length > ( 1 << 20 ) * 16 )
+        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
+
+    /* Compute the tweak. */
+    ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
+                                 data_unit, tweak );
+    if( ret != 0 )
+        return( ret );
+
+    while( blocks-- )
+    {
+        size_t i;
+
+        if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
+        {
+            /* We are on the last block in a decrypt operation that has
+             * leftover bytes, so we need to use the next tweak for this block,
+             * and this tweak for the lefover bytes. Save the current tweak for
+             * the leftovers and then update the current tweak for use on this,
+             * the last full block. */
+            memcpy( prev_tweak, tweak, sizeof( tweak ) );
+            mbedtls_gf128mul_x_ble( tweak, tweak );
+        }
+
+        for( i = 0; i < 16; i++ )
+            tmp[i] = input[i] ^ tweak[i];
+
+        ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+        if( ret != 0 )
+            return( ret );
+
+        for( i = 0; i < 16; i++ )
+            output[i] = tmp[i] ^ tweak[i];
+
+        /* Update the tweak for the next block. */
+        mbedtls_gf128mul_x_ble( tweak, tweak );
+
+        output += 16;
+        input += 16;
+    }
+
+    if( leftover )
+    {
+        /* If we are on the leftover bytes in a decrypt operation, we need to
+         * use the previous tweak for these bytes (as saved in prev_tweak). */
+        unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
+
+        /* We are now on the final part of the data unit, which doesn't divide
+         * evenly by 16. It's time for ciphertext stealing. */
+        size_t i;
+        unsigned char *prev_output = output - 16;
+
+        /* Copy ciphertext bytes from the previous block to our output for each
+         * byte of cyphertext we won't steal. At the same time, copy the
+         * remainder of the input for this final round (since the loop bounds
+         * are the same). */
+        for( i = 0; i < leftover; i++ )
+        {
+            output[i] = prev_output[i];
+            tmp[i] = input[i] ^ t[i];
+        }
+
+        /* Copy ciphertext bytes from the previous block for input in this
+         * round. */
+        for( ; i < 16; i++ )
+            tmp[i] = prev_output[i] ^ t[i];
+
+        ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
+        if( ret != 0 )
+            return ret;
+
+        /* Write the result back to the previous block, overriding the previous
+         * output we copied. */
+        for( i = 0; i < 16; i++ )
+            prev_output[i] = tmp[i] ^ t[i];
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv_off != NULL );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *iv_off;
+
+    if( n > 15 )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_AES_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+
+/*
+ * AES-CFB8 buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[16],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    unsigned char c;
+    unsigned char ov[17];
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
+                      mode == MBEDTLS_AES_DECRYPT );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+    while( length-- )
+    {
+        memcpy( ov, iv, 16 );
+        mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+            ov[16] = *input;
+
+        c = *output++ = (unsigned char)( iv[0] ^ *input++ );
+
+        if( mode == MBEDTLS_AES_ENCRYPT )
+            ov[16] = c;
+
+        memcpy( iv, ov + 1, 16 );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB (Output Feedback Mode) buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
+                           size_t length,
+                           size_t *iv_off,
+                           unsigned char iv[16],
+                           const unsigned char *input,
+                           unsigned char *output )
+{
+    int ret = 0;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( iv_off != NULL );
+    AES_VALIDATE_RET( iv != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *iv_off;
+
+    if( n > 15 )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 )
+        {
+            ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+            if( ret != 0 )
+                goto exit;
+        }
+        *output++ =  *input++ ^ iv[n];
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *iv_off = n;
+
+exit:
+    return( ret );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n;
+
+    AES_VALIDATE_RET( ctx != NULL );
+    AES_VALIDATE_RET( nc_off != NULL );
+    AES_VALIDATE_RET( nonce_counter != NULL );
+    AES_VALIDATE_RET( stream_block != NULL );
+    AES_VALIDATE_RET( input != NULL );
+    AES_VALIDATE_RET( output != NULL );
+
+    n = *nc_off;
+
+    if ( n > 0x0F )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
+
+            for( i = 16; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#endif /* !MBEDTLS_AES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * AES test vectors from:
+ *
+ * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
+ */
+static const unsigned char aes_test_ecb_dec[3][16] =
+{
+    { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
+      0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
+    { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
+      0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
+    { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
+      0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
+};
+
+static const unsigned char aes_test_ecb_enc[3][16] =
+{
+    { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
+      0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
+    { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
+      0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
+    { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
+      0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char aes_test_cbc_dec[3][16] =
+{
+    { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
+      0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
+    { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
+      0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
+    { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
+      0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
+};
+
+static const unsigned char aes_test_cbc_enc[3][16] =
+{
+    { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
+      0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
+    { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
+      0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
+    { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
+      0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * AES-CFB128 test vectors from:
+ *
+ * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
+ */
+static const unsigned char aes_test_cfb128_key[3][32] =
+{
+    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char aes_test_cfb128_iv[16] =
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_cfb128_pt[64] =
+{
+    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_cfb128_ct[3][64] =
+{
+    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+      0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
+      0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
+      0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
+      0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
+      0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
+      0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
+    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+      0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
+      0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
+      0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
+      0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
+      0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
+      0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
+    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+      0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
+      0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
+      0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
+      0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
+      0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
+      0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+/*
+ * AES-OFB test vectors from:
+ *
+ * https://csrc.nist.gov/publications/detail/sp/800-38a/final
+ */
+static const unsigned char aes_test_ofb_key[3][32] =
+{
+    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
+    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
+    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char aes_test_ofb_iv[16] =
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
+};
+
+static const unsigned char aes_test_ofb_pt[64] =
+{
+    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
+    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
+    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
+    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
+    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
+};
+
+static const unsigned char aes_test_ofb_ct[3][64] =
+{
+    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
+      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
+      0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
+      0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
+      0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
+      0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
+      0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
+      0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
+    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
+      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
+      0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
+      0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
+      0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
+      0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
+      0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
+      0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
+    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
+      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
+      0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
+      0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
+      0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
+      0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
+      0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
+      0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * AES-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc3686.html
+ */
+
+static const unsigned char aes_test_ctr_key[3][16] =
+{
+    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char aes_test_ctr_nonce_counter[3][16] =
+{
+    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char aes_test_ctr_pt[3][48] =
+{
+    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+      0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char aes_test_ctr_ct[3][48] =
+{
+    { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
+      0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
+    { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
+      0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
+      0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
+      0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
+    { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
+      0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
+      0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
+      0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
+      0x25, 0xB2, 0x07, 0x2F }
+};
+
+static const int aes_test_ctr_len[3] =
+    { 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/*
+ * AES-XTS test vectors from:
+ *
+ * IEEE P1619/D16 Annex B
+ * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
+ * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
+ */
+static const unsigned char aes_test_xts_key[][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+      0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+    { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
+      0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
+};
+
+static const unsigned char aes_test_xts_pt32[][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
+      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
+};
+
+static const unsigned char aes_test_xts_ct32[][32] =
+{
+    { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
+      0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
+      0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
+      0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
+    { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
+      0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
+      0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
+      0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
+    { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
+      0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
+      0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
+      0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
+};
+
+static const unsigned char aes_test_xts_data_unit[][16] =
+{
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+   { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+   { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+};
+
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aes_self_test( int verbose )
+{
+    int ret = 0, i, j, u, mode;
+    unsigned int keybits;
+    unsigned char key[32];
+    unsigned char buf[64];
+    const unsigned char *aes_tests;
+#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
+    unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char prv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_OFB)
+    size_t offset;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
+    int len;
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    unsigned char nonce_counter[16];
+    unsigned char stream_block[16];
+#endif
+    mbedtls_aes_context ctx;
+
+    memset( key, 0, 32 );
+    mbedtls_aes_init( &ctx );
+
+    /*
+     * ECB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-ECB-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( buf, 0, 16 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
+            aes_tests = aes_test_ecb_dec[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+            aes_tests = aes_test_ecb_enc[u];
+        }
+
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
+            if( ret != 0 )
+                goto exit;
+        }
+
+        if( memcmp( buf, aes_tests, 16 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CBC-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( iv , 0, 16 );
+        memset( prv, 0, 16 );
+        memset( buf, 0, 16 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
+            aes_tests = aes_test_cbc_dec[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+            aes_tests = aes_test_cbc_enc[u];
+        }
+
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            if( mode == MBEDTLS_AES_ENCRYPT )
+            {
+                unsigned char tmp[16];
+
+                memcpy( tmp, prv, 16 );
+                memcpy( prv, buf, 16 );
+                memcpy( buf, tmp, 16 );
+            }
+
+            ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
+            if( ret != 0 )
+                goto exit;
+
+        }
+
+        if( memcmp( buf, aes_tests, 16 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    /*
+     * CFB128 mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CFB128-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  aes_test_cfb128_iv, 16 );
+        memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
+
+        offset = 0;
+        ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_cfb128_ct[u], 64 );
+            aes_tests = aes_test_cfb128_pt;
+        }
+        else
+        {
+            memcpy( buf, aes_test_cfb128_pt, 64 );
+            aes_tests = aes_test_cfb128_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, 64 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    /*
+     * OFB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        keybits = 128 + u * 64;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-OFB-%3d (%s): ", keybits,
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  aes_test_ofb_iv, 16 );
+        memcpy( key, aes_test_ofb_key[u], keybits / 8 );
+
+        offset = 0;
+        ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
+        /*
+         * AES-192 is an optional feature that may be unavailable when
+         * there is an alternative underlying implementation i.e. when
+         * MBEDTLS_AES_ALT is defined.
+         */
+        if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
+        {
+            mbedtls_printf( "skipped\n" );
+            continue;
+        }
+        else if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_ofb_ct[u], 64 );
+            aes_tests = aes_test_ofb_pt;
+        }
+        else
+        {
+            memcpy( buf, aes_test_ofb_pt, 64 );
+            aes_tests = aes_test_ofb_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, 64 ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /*
+     * CTR mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-CTR-128 (%s): ",
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
+        memcpy( key, aes_test_ctr_key[u], 16 );
+
+        offset = 0;
+        if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
+            goto exit;
+
+        len = aes_test_ctr_len[u];
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            memcpy( buf, aes_test_ctr_ct[u], len );
+            aes_tests = aes_test_ctr_pt[u];
+        }
+        else
+        {
+            memcpy( buf, aes_test_ctr_pt[u], len );
+            aes_tests = aes_test_ctr_ct[u];
+        }
+
+        ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
+                                     stream_block, buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, len ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    {
+    static const int num_tests =
+        sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
+    mbedtls_aes_xts_context ctx_xts;
+
+    /*
+     * XTS mode
+     */
+    mbedtls_aes_xts_init( &ctx_xts );
+
+    for( i = 0; i < num_tests << 1; i++ )
+    {
+        const unsigned char *data_unit;
+        u = i >> 1;
+        mode = i & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  AES-XTS-128 (%s): ",
+                            ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
+
+        memset( key, 0, sizeof( key ) );
+        memcpy( key, aes_test_xts_key[u], 32 );
+        data_unit = aes_test_xts_data_unit[u];
+
+        len = sizeof( *aes_test_xts_ct32 );
+
+        if( mode == MBEDTLS_AES_DECRYPT )
+        {
+            ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
+            if( ret != 0)
+                goto exit;
+            memcpy( buf, aes_test_xts_ct32[u], len );
+            aes_tests = aes_test_xts_pt32[u];
+        }
+        else
+        {
+            ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
+            if( ret != 0)
+                goto exit;
+            memcpy( buf, aes_test_xts_pt32[u], len );
+            aes_tests = aes_test_xts_ct32[u];
+        }
+
+
+        ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
+                                     buf, buf );
+        if( ret != 0 )
+            goto exit;
+
+        if( memcmp( buf, aes_tests, len ) != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    mbedtls_aes_xts_free( &ctx_xts );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+    ret = 0;
+
+exit:
+    if( ret != 0 && verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    mbedtls_aes_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_AES_C */
diff --git a/makerom/deps/libmbedtls/src/aesni.c b/makerom/deps/libmbedtls/src/aesni.c
new file mode 100644
index 00000000..062708b0
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/aesni.c
@@ -0,0 +1,470 @@
+/*
+ *  AES-NI support functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * [AES-WP] http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set
+ * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AESNI_C)
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#warning "MBEDTLS_AESNI_C is known to cause spurious error reports with some memory sanitizers as they do not understand the assembly code."
+#endif
+#endif
+
+#include "mbedtls/aesni.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86_64)
+
+/*
+ * AES-NI support detection routine
+ */
+int mbedtls_aesni_has_support( unsigned int what )
+{
+    static int done = 0;
+    static unsigned int c = 0;
+
+    if( ! done )
+    {
+        asm( "movl  $1, %%eax   \n\t"
+             "cpuid             \n\t"
+             : "=c" (c)
+             :
+             : "eax", "ebx", "edx" );
+        done = 1;
+    }
+
+    return( ( c & what ) != 0 );
+}
+
+/*
+ * Binutils needs to be at least 2.19 to support AES-NI instructions.
+ * Unfortunately, a lot of users have a lower version now (2014-04).
+ * Emit bytecode directly in order to support "old" version of gas.
+ *
+ * Opcodes from the Intel architecture reference manual, vol. 3.
+ * We always use registers, so we don't need prefixes for memory operands.
+ * Operand macros are in gas order (src, dst) as opposed to Intel order
+ * (dst, src) in order to blend better into the surrounding assembly code.
+ */
+#define AESDEC      ".byte 0x66,0x0F,0x38,0xDE,"
+#define AESDECLAST  ".byte 0x66,0x0F,0x38,0xDF,"
+#define AESENC      ".byte 0x66,0x0F,0x38,0xDC,"
+#define AESENCLAST  ".byte 0x66,0x0F,0x38,0xDD,"
+#define AESIMC      ".byte 0x66,0x0F,0x38,0xDB,"
+#define AESKEYGENA  ".byte 0x66,0x0F,0x3A,0xDF,"
+#define PCLMULQDQ   ".byte 0x66,0x0F,0x3A,0x44,"
+
+#define xmm0_xmm0   "0xC0"
+#define xmm0_xmm1   "0xC8"
+#define xmm0_xmm2   "0xD0"
+#define xmm0_xmm3   "0xD8"
+#define xmm0_xmm4   "0xE0"
+#define xmm1_xmm0   "0xC1"
+#define xmm1_xmm2   "0xD1"
+
+/*
+ * AES-NI AES-ECB block en(de)cryption
+ */
+int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
+                     int mode,
+                     const unsigned char input[16],
+                     unsigned char output[16] )
+{
+    asm( "movdqu    (%3), %%xmm0    \n\t" // load input
+         "movdqu    (%1), %%xmm1    \n\t" // load round key 0
+         "pxor      %%xmm1, %%xmm0  \n\t" // round 0
+         "add       $16, %1         \n\t" // point to next round key
+         "subl      $1, %0          \n\t" // normal rounds = nr - 1
+         "test      %2, %2          \n\t" // mode?
+         "jz        2f              \n\t" // 0 = decrypt
+
+         "1:                        \n\t" // encryption loop
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESENC     xmm1_xmm0      "\n\t" // do round
+         "add       $16, %1         \n\t" // point to next round key
+         "subl      $1, %0          \n\t" // loop
+         "jnz       1b              \n\t"
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESENCLAST xmm1_xmm0      "\n\t" // last round
+         "jmp       3f              \n\t"
+
+         "2:                        \n\t" // decryption loop
+         "movdqu    (%1), %%xmm1    \n\t"
+         AESDEC     xmm1_xmm0      "\n\t" // do round
+         "add       $16, %1         \n\t"
+         "subl      $1, %0          \n\t"
+         "jnz       2b              \n\t"
+         "movdqu    (%1), %%xmm1    \n\t" // load round key
+         AESDECLAST xmm1_xmm0      "\n\t" // last round
+
+         "3:                        \n\t"
+         "movdqu    %%xmm0, (%4)    \n\t" // export output
+         :
+         : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
+         : "memory", "cc", "xmm0", "xmm1" );
+
+
+    return( 0 );
+}
+
+/*
+ * GCM multiplication: c = a times b in GF(2^128)
+ * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
+ */
+void mbedtls_aesni_gcm_mult( unsigned char c[16],
+                     const unsigned char a[16],
+                     const unsigned char b[16] )
+{
+    unsigned char aa[16], bb[16], cc[16];
+    size_t i;
+
+    /* The inputs are in big-endian order, so byte-reverse them */
+    for( i = 0; i < 16; i++ )
+    {
+        aa[i] = a[15 - i];
+        bb[i] = b[15 - i];
+    }
+
+    asm( "movdqu (%0), %%xmm0               \n\t" // a1:a0
+         "movdqu (%1), %%xmm1               \n\t" // b1:b0
+
+         /*
+          * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
+          * using [CLMUL-WP] algorithm 1 (p. 13).
+          */
+         "movdqa %%xmm1, %%xmm2             \n\t" // copy of b1:b0
+         "movdqa %%xmm1, %%xmm3             \n\t" // same
+         "movdqa %%xmm1, %%xmm4             \n\t" // same
+         PCLMULQDQ xmm0_xmm1 ",0x00         \n\t" // a0*b0 = c1:c0
+         PCLMULQDQ xmm0_xmm2 ",0x11         \n\t" // a1*b1 = d1:d0
+         PCLMULQDQ xmm0_xmm3 ",0x10         \n\t" // a0*b1 = e1:e0
+         PCLMULQDQ xmm0_xmm4 ",0x01         \n\t" // a1*b0 = f1:f0
+         "pxor %%xmm3, %%xmm4               \n\t" // e1+f1:e0+f0
+         "movdqa %%xmm4, %%xmm3             \n\t" // same
+         "psrldq $8, %%xmm4                 \n\t" // 0:e1+f1
+         "pslldq $8, %%xmm3                 \n\t" // e0+f0:0
+         "pxor %%xmm4, %%xmm2               \n\t" // d1:d0+e1+f1
+         "pxor %%xmm3, %%xmm1               \n\t" // c1+e0+f1:c0
+
+         /*
+          * Now shift the result one bit to the left,
+          * taking advantage of [CLMUL-WP] eq 27 (p. 20)
+          */
+         "movdqa %%xmm1, %%xmm3             \n\t" // r1:r0
+         "movdqa %%xmm2, %%xmm4             \n\t" // r3:r2
+         "psllq $1, %%xmm1                  \n\t" // r1<<1:r0<<1
+         "psllq $1, %%xmm2                  \n\t" // r3<<1:r2<<1
+         "psrlq $63, %%xmm3                 \n\t" // r1>>63:r0>>63
+         "psrlq $63, %%xmm4                 \n\t" // r3>>63:r2>>63
+         "movdqa %%xmm3, %%xmm5             \n\t" // r1>>63:r0>>63
+         "pslldq $8, %%xmm3                 \n\t" // r0>>63:0
+         "pslldq $8, %%xmm4                 \n\t" // r2>>63:0
+         "psrldq $8, %%xmm5                 \n\t" // 0:r1>>63
+         "por %%xmm3, %%xmm1                \n\t" // r1<<1|r0>>63:r0<<1
+         "por %%xmm4, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1
+         "por %%xmm5, %%xmm2                \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
+
+         /*
+          * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
+          * using [CLMUL-WP] algorithm 5 (p. 20).
+          * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
+          */
+         /* Step 2 (1) */
+         "movdqa %%xmm1, %%xmm3             \n\t" // x1:x0
+         "movdqa %%xmm1, %%xmm4             \n\t" // same
+         "movdqa %%xmm1, %%xmm5             \n\t" // same
+         "psllq $63, %%xmm3                 \n\t" // x1<<63:x0<<63 = stuff:a
+         "psllq $62, %%xmm4                 \n\t" // x1<<62:x0<<62 = stuff:b
+         "psllq $57, %%xmm5                 \n\t" // x1<<57:x0<<57 = stuff:c
+
+         /* Step 2 (2) */
+         "pxor %%xmm4, %%xmm3               \n\t" // stuff:a+b
+         "pxor %%xmm5, %%xmm3               \n\t" // stuff:a+b+c
+         "pslldq $8, %%xmm3                 \n\t" // a+b+c:0
+         "pxor %%xmm3, %%xmm1               \n\t" // x1+a+b+c:x0 = d:x0
+
+         /* Steps 3 and 4 */
+         "movdqa %%xmm1,%%xmm0              \n\t" // d:x0
+         "movdqa %%xmm1,%%xmm4              \n\t" // same
+         "movdqa %%xmm1,%%xmm5              \n\t" // same
+         "psrlq $1, %%xmm0                  \n\t" // e1:x0>>1 = e1:e0'
+         "psrlq $2, %%xmm4                  \n\t" // f1:x0>>2 = f1:f0'
+         "psrlq $7, %%xmm5                  \n\t" // g1:x0>>7 = g1:g0'
+         "pxor %%xmm4, %%xmm0               \n\t" // e1+f1:e0'+f0'
+         "pxor %%xmm5, %%xmm0               \n\t" // e1+f1+g1:e0'+f0'+g0'
+         // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
+         // bits carried from d. Now get those\t bits back in.
+         "movdqa %%xmm1,%%xmm3              \n\t" // d:x0
+         "movdqa %%xmm1,%%xmm4              \n\t" // same
+         "movdqa %%xmm1,%%xmm5              \n\t" // same
+         "psllq $63, %%xmm3                 \n\t" // d<<63:stuff
+         "psllq $62, %%xmm4                 \n\t" // d<<62:stuff
+         "psllq $57, %%xmm5                 \n\t" // d<<57:stuff
+         "pxor %%xmm4, %%xmm3               \n\t" // d<<63+d<<62:stuff
+         "pxor %%xmm5, %%xmm3               \n\t" // missing bits of d:stuff
+         "psrldq $8, %%xmm3                 \n\t" // 0:missing bits of d
+         "pxor %%xmm3, %%xmm0               \n\t" // e1+f1+g1:e0+f0+g0
+         "pxor %%xmm1, %%xmm0               \n\t" // h1:h0
+         "pxor %%xmm2, %%xmm0               \n\t" // x3+h1:x2+h0
+
+         "movdqu %%xmm0, (%2)               \n\t" // done
+         :
+         : "r" (aa), "r" (bb), "r" (cc)
+         : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5" );
+
+    /* Now byte-reverse the outputs */
+    for( i = 0; i < 16; i++ )
+        c[i] = cc[15 - i];
+
+    return;
+}
+
+/*
+ * Compute decryption round keys from encryption round keys
+ */
+void mbedtls_aesni_inverse_key( unsigned char *invkey,
+                        const unsigned char *fwdkey, int nr )
+{
+    unsigned char *ik = invkey;
+    const unsigned char *fk = fwdkey + 16 * nr;
+
+    memcpy( ik, fk, 16 );
+
+    for( fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16 )
+        asm( "movdqu (%0), %%xmm0       \n\t"
+             AESIMC  xmm0_xmm0         "\n\t"
+             "movdqu %%xmm0, (%1)       \n\t"
+             :
+             : "r" (fk), "r" (ik)
+             : "memory", "xmm0" );
+
+    memcpy( ik, fk, 16 );
+}
+
+/*
+ * Key expansion, 128-bit case
+ */
+static void aesni_setkey_enc_128( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0               \n\t" // copy the original key
+         "movdqu %%xmm0, (%0)               \n\t" // as round key 0
+         "jmp 2f                            \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next round key.
+          *
+          * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
+          * with X = rot( sub( r3 ) ) ^ RCON.
+          *
+          * On exit, xmm0 is r7:r6:r5:r4
+          * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
+          * and those are written to the round key buffer.
+          */
+         "1:                                \n\t"
+         "pshufd $0xff, %%xmm1, %%xmm1      \n\t" // X:X:X:X
+         "pxor %%xmm0, %%xmm1               \n\t" // X+r3:X+r2:X+r1:r4
+         "pslldq $4, %%xmm0                 \n\t" // r2:r1:r0:0
+         "pxor %%xmm0, %%xmm1               \n\t" // X+r3+r2:X+r2+r1:r5:r4
+         "pslldq $4, %%xmm0                 \n\t" // etc
+         "pxor %%xmm0, %%xmm1               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm1, %%xmm0               \n\t" // update xmm0 for next time!
+         "add $16, %0                       \n\t" // point to next round key
+         "movdqu %%xmm0, (%0)               \n\t" // write it
+         "ret                               \n\t"
+
+         /* Main "loop" */
+         "2:                                \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x01        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x02        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x04        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x08        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x10        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x20        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x40        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x80        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x1B        \n\tcall 1b \n\t"
+         AESKEYGENA xmm0_xmm1 ",0x36        \n\tcall 1b \n\t"
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, 192-bit case
+ */
+static void aesni_setkey_enc_192( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0   \n\t" // copy original round key
+         "movdqu %%xmm0, (%0)   \n\t"
+         "add $16, %0           \n\t"
+         "movq 16(%1), %%xmm1   \n\t"
+         "movq %%xmm1, (%0)     \n\t"
+         "add $8, %0            \n\t"
+         "jmp 2f                \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next 6 quarter-keys.
+          *
+          * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
+          * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
+          *
+          * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
+          * and those are written to the round key buffer.
+          */
+         "1:                            \n\t"
+         "pshufd $0x55, %%xmm2, %%xmm2  \n\t" // X:X:X:X
+         "pxor %%xmm0, %%xmm2           \n\t" // X+r3:X+r2:X+r1:r4
+         "pslldq $4, %%xmm0             \n\t" // etc
+         "pxor %%xmm0, %%xmm2           \n\t"
+         "pslldq $4, %%xmm0             \n\t"
+         "pxor %%xmm0, %%xmm2           \n\t"
+         "pslldq $4, %%xmm0             \n\t"
+         "pxor %%xmm2, %%xmm0           \n\t" // update xmm0 = r9:r8:r7:r6
+         "movdqu %%xmm0, (%0)           \n\t"
+         "add $16, %0                   \n\t"
+         "pshufd $0xff, %%xmm0, %%xmm2  \n\t" // r9:r9:r9:r9
+         "pxor %%xmm1, %%xmm2           \n\t" // stuff:stuff:r9+r5:r10
+         "pslldq $4, %%xmm1             \n\t" // r2:r1:r0:0
+         "pxor %%xmm2, %%xmm1           \n\t" // xmm1 = stuff:stuff:r11:r10
+         "movq %%xmm1, (%0)             \n\t"
+         "add $8, %0                    \n\t"
+         "ret                           \n\t"
+
+         "2:                            \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x01    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x02    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x04    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x08    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x10    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x20    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x40    \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x80    \n\tcall 1b \n\t"
+
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, 256-bit case
+ */
+static void aesni_setkey_enc_256( unsigned char *rk,
+                                  const unsigned char *key )
+{
+    asm( "movdqu (%1), %%xmm0           \n\t"
+         "movdqu %%xmm0, (%0)           \n\t"
+         "add $16, %0                   \n\t"
+         "movdqu 16(%1), %%xmm1         \n\t"
+         "movdqu %%xmm1, (%0)           \n\t"
+         "jmp 2f                        \n\t" // skip auxiliary routine
+
+         /*
+          * Finish generating the next two round keys.
+          *
+          * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
+          * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
+          *
+          * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
+          * and those have been written to the output buffer.
+          */
+         "1:                                \n\t"
+         "pshufd $0xff, %%xmm2, %%xmm2      \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm0, %%xmm2               \n\t"
+         "pslldq $4, %%xmm0                 \n\t"
+         "pxor %%xmm2, %%xmm0               \n\t"
+         "add $16, %0                       \n\t"
+         "movdqu %%xmm0, (%0)               \n\t"
+
+         /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
+          * and proceed to generate next round key from there */
+         AESKEYGENA xmm0_xmm2 ",0x00        \n\t"
+         "pshufd $0xaa, %%xmm2, %%xmm2      \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm1, %%xmm2               \n\t"
+         "pslldq $4, %%xmm1                 \n\t"
+         "pxor %%xmm2, %%xmm1               \n\t"
+         "add $16, %0                       \n\t"
+         "movdqu %%xmm1, (%0)               \n\t"
+         "ret                               \n\t"
+
+         /*
+          * Main "loop" - Generating one more key than necessary,
+          * see definition of mbedtls_aes_context.buf
+          */
+         "2:                                \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x01        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x02        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x04        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x08        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x10        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x20        \n\tcall 1b \n\t"
+         AESKEYGENA xmm1_xmm2 ",0x40        \n\tcall 1b \n\t"
+         :
+         : "r" (rk), "r" (key)
+         : "memory", "cc", "0" );
+}
+
+/*
+ * Key expansion, wrapper
+ */
+int mbedtls_aesni_setkey_enc( unsigned char *rk,
+                      const unsigned char *key,
+                      size_t bits )
+{
+    switch( bits )
+    {
+        case 128: aesni_setkey_enc_128( rk, key ); break;
+        case 192: aesni_setkey_enc_192( rk, key ); break;
+        case 256: aesni_setkey_enc_256( rk, key ); break;
+        default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVE_X86_64 */
+
+#endif /* MBEDTLS_AESNI_C */
diff --git a/makerom/deps/libmbedtls/src/arc4.c b/makerom/deps/libmbedtls/src/arc4.c
new file mode 100644
index 00000000..b8998ac6
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/arc4.c
@@ -0,0 +1,201 @@
+/*
+ *  An implementation of the ARCFOUR algorithm
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ARCFOUR algorithm was publicly disclosed on 94/09.
+ *
+ *  http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+
+#include "mbedtls/arc4.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARC4_ALT)
+
+void mbedtls_arc4_init( mbedtls_arc4_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_arc4_context ) );
+}
+
+void mbedtls_arc4_free( mbedtls_arc4_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_arc4_context ) );
+}
+
+/*
+ * ARC4 key schedule
+ */
+void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
+                 unsigned int keylen )
+{
+    int i, j, a;
+    unsigned int k;
+    unsigned char *m;
+
+    ctx->x = 0;
+    ctx->y = 0;
+    m = ctx->m;
+
+    for( i = 0; i < 256; i++ )
+        m[i] = (unsigned char) i;
+
+    j = k = 0;
+
+    for( i = 0; i < 256; i++, k++ )
+    {
+        if( k >= keylen ) k = 0;
+
+        a = m[i];
+        j = ( j + a + key[k] ) & 0xFF;
+        m[i] = m[j];
+        m[j] = (unsigned char) a;
+    }
+}
+
+/*
+ * ARC4 cipher function
+ */
+int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input,
+                unsigned char *output )
+{
+    int x, y, a, b;
+    size_t i;
+    unsigned char *m;
+
+    x = ctx->x;
+    y = ctx->y;
+    m = ctx->m;
+
+    for( i = 0; i < length; i++ )
+    {
+        x = ( x + 1 ) & 0xFF; a = m[x];
+        y = ( y + a ) & 0xFF; b = m[y];
+
+        m[x] = (unsigned char) b;
+        m[y] = (unsigned char) a;
+
+        output[i] = (unsigned char)
+            ( input[i] ^ m[(unsigned char)( a + b )] );
+    }
+
+    ctx->x = x;
+    ctx->y = y;
+
+    return( 0 );
+}
+
+#endif /* !MBEDTLS_ARC4_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * ARC4 tests vectors as posted by Eric Rescorla in sep. 1994:
+ *
+ * http://groups.google.com/group/comp.security.misc/msg/10a300c9d21afca0
+ */
+static const unsigned char arc4_test_key[3][8] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char arc4_test_pt[3][8] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char arc4_test_ct[3][8] =
+{
+    { 0x75, 0xB7, 0x87, 0x80, 0x99, 0xE0, 0xC5, 0x96 },
+    { 0x74, 0x94, 0xC2, 0xE7, 0x10, 0x4B, 0x08, 0x79 },
+    { 0xDE, 0x18, 0x89, 0x41, 0xA3, 0x37, 0x5D, 0x3A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_arc4_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char ibuf[8];
+    unsigned char obuf[8];
+    mbedtls_arc4_context ctx;
+
+    mbedtls_arc4_init( &ctx );
+
+    for( i = 0; i < 3; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ARC4 test #%d: ", i + 1 );
+
+        memcpy( ibuf, arc4_test_pt[i], 8 );
+
+        mbedtls_arc4_setup( &ctx, arc4_test_key[i], 8 );
+        mbedtls_arc4_crypt( &ctx, 8, ibuf, obuf );
+
+        if( memcmp( obuf, arc4_test_ct[i], 8 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_arc4_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARC4_C */
diff --git a/makerom/deps/libmbedtls/src/aria.c b/makerom/deps/libmbedtls/src/aria.c
new file mode 100644
index 00000000..aff66d66
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/aria.c
@@ -0,0 +1,1079 @@
+/*
+ *  ARIA implementation
+ *
+ *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * This implementation is based on the following standards:
+ * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
+ * [2] https://tools.ietf.org/html/rfc5794
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+
+#include "mbedtls/aria.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_ARIA_ALT)
+
+#include "mbedtls/platform_util.h"
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define ARIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ARIA_BAD_INPUT_DATA )
+#define ARIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE( n, b, i )                \
+{                                               \
+    (n) = ( (uint32_t) (b)[(i)    ]       )     \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )     \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )     \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );    \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE( n, b, i )                                \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
+ *
+ * This is submatrix P1 in [1] Appendix B.1
+ *
+ * Common compilers fail to translate this to minimal number of instructions,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev16 available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p1( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
+    return( r );
+}
+#define ARIA_P1 aria_p1
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p1( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev16 r, x" );
+    return( r );
+}
+#define ARIA_P1 aria_p1
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+/* I couldn't find an Intel equivalent of rev16, so two instructions */
+#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P1)
+#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
+#endif
+
+/*
+ * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
+ *
+ * This is submatrix P2 in [1] Appendix B.1
+ *
+ * Common compilers will translate this to a single instruction.
+ */
+#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
+
+/*
+ * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
+ *
+ * This is submatrix P3 in [1] Appendix B.1
+ *
+ * Some compilers fail to translate this to a single instruction,
+ * so let's provide asm versions for common platforms with C fallback.
+ */
+#if defined(MBEDTLS_HAVE_ASM)
+#if defined(__arm__) /* rev available from v6 up */
+/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
+#if defined(__GNUC__) && \
+    ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
+    __ARM_ARCH >= 6
+static inline uint32_t aria_p3( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
+    return( r );
+}
+#define ARIA_P3 aria_p3
+#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
+    ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
+static inline uint32_t aria_p3( uint32_t x )
+{
+    uint32_t r;
+    __asm( "rev r, x" );
+    return( r );
+}
+#define ARIA_P3 aria_p3
+#endif
+#endif /* arm */
+#if defined(__GNUC__) && \
+    defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
+static inline uint32_t aria_p3( uint32_t x )
+{
+    __asm( "bswap %0" : "=r" (x) : "0" (x) );
+    return( x );
+}
+#define ARIA_P3 aria_p3
+#endif /* x86 gnuc */
+#endif /* MBEDTLS_HAVE_ASM && GNUC */
+#if !defined(ARIA_P3)
+#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
+#endif
+
+/*
+ * ARIA Affine Transform
+ * (a, b, c, d) = state in/out
+ *
+ * If we denote the first byte of input by 0, ..., the last byte by f,
+ * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
+ *
+ * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
+ * rearrangements on adjacent pairs, output is:
+ *
+ * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
+ *   = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
+ * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
+ *   = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
+ * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
+ *   = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
+ * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
+ *   = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
+ *
+ * Note: another presentation of the A transform can be found as the first
+ * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
+ * The implementation below uses only P1 and P2 as they are sufficient.
+ */
+static inline void aria_a( uint32_t *a, uint32_t *b,
+                           uint32_t *c, uint32_t *d )
+{
+    uint32_t ta, tb, tc;
+    ta  =  *b;                      // 4567
+    *b  =  *a;                      // 0123
+    *a  =  ARIA_P2( ta );           // 6745
+    tb  =  ARIA_P2( *d );           // efcd
+    *d  =  ARIA_P1( *c );           // 98ba
+    *c  =  ARIA_P1( tb );           // fedc
+    ta  ^= *d;                      // 4567+98ba
+    tc  =  ARIA_P2( *b );           // 2301
+    ta  =  ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
+    tb  ^= ARIA_P2( *d );           // ba98+efcd
+    tc  ^= ARIA_P1( *a );           // 2301+7654
+    *b  ^= ta ^ tb;                 // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
+    tb  =  ARIA_P2( tb ) ^ ta;      // 2301+5476+89ab+98ba+cdef+fedc
+    *a  ^= ARIA_P1( tb );           // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
+    ta  =  ARIA_P2( ta );           // 0123+7654+ab89+dcfe
+    *d  ^= ARIA_P1( ta ) ^ tc;      // 1032+2301+6745+7654+98ba+ba98+cdef OUT
+    tc  =  ARIA_P2( tc );           // 0123+5476
+    *c  ^= ARIA_P1( tc ) ^ ta;      // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
+}
+
+/*
+ * ARIA Substitution Layer SL1 / SL2
+ * (a, b, c, d) = state in/out
+ * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
+ *
+ * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
+ * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
+ */
+static inline void aria_sl( uint32_t *a, uint32_t *b,
+                            uint32_t *c, uint32_t *d,
+                            const uint8_t sa[256], const uint8_t sb[256],
+                            const uint8_t sc[256], const uint8_t sd[256] )
+{
+    *a = ( (uint32_t) sa[ *a        & 0xFF]       ) ^
+         (((uint32_t) sb[(*a >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *a >> 24        ]) << 24);
+    *b = ( (uint32_t) sa[ *b        & 0xFF]       ) ^
+         (((uint32_t) sb[(*b >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *b >> 24        ]) << 24);
+    *c = ( (uint32_t) sa[ *c        & 0xFF]       ) ^
+         (((uint32_t) sb[(*c >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *c >> 24        ]) << 24);
+    *d = ( (uint32_t) sa[ *d        & 0xFF]       ) ^
+         (((uint32_t) sb[(*d >>  8) & 0xFF]) <<  8) ^
+         (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
+         (((uint32_t) sd[ *d >> 24        ]) << 24);
+}
+
+/*
+ * S-Boxes
+ */
+static const uint8_t aria_sb1[256] =
+{
+    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
+    0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
+    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
+    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
+    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
+    0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
+    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
+    0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
+    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
+    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
+    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
+    0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
+    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
+    0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
+    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
+    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
+    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
+    0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
+    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
+    0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
+    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
+    0xB0, 0x54, 0xBB, 0x16
+};
+
+static const uint8_t aria_sb2[256] =
+{
+    0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
+    0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
+    0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
+    0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
+    0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
+    0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
+    0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
+    0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
+    0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
+    0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
+    0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
+    0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
+    0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
+    0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
+    0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
+    0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
+    0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
+    0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
+    0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
+    0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
+    0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
+    0xAF, 0xBA, 0xB5, 0x81
+};
+
+static const uint8_t aria_is1[256] =
+{
+    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
+    0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
+    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
+    0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
+    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
+    0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
+    0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
+    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
+    0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
+    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
+    0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
+    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
+    0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
+    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
+    0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
+    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
+    0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
+    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
+    0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
+    0x55, 0x21, 0x0C, 0x7D
+};
+
+static const uint8_t aria_is2[256] =
+{
+    0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
+    0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
+    0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
+    0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
+    0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
+    0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
+    0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
+    0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
+    0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
+    0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
+    0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
+    0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
+    0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
+    0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
+    0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
+    0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
+    0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
+    0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
+    0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
+    0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
+    0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
+    0x03, 0xA2, 0xAC, 0x60
+};
+
+/*
+ * Helper for key schedule: r = FO( p, k ) ^ x
+ */
+static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
+                         const uint32_t k[4], const uint32_t x[4] )
+{
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+    aria_a( &a, &b, &c, &d );
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Helper for key schedule: r = FE( p, k ) ^ x
+ */
+static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
+                         const uint32_t k[4], const uint32_t x[4] )
+{
+    uint32_t a, b, c, d;
+
+    a = p[0] ^ k[0];
+    b = p[1] ^ k[1];
+    c = p[2] ^ k[2];
+    d = p[3] ^ k[3];
+
+    aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+    aria_a( &a, &b, &c, &d );
+
+    r[0] = a ^ x[0];
+    r[1] = b ^ x[1];
+    r[2] = c ^ x[2];
+    r[3] = d ^ x[3];
+}
+
+/*
+ * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
+ *
+ * We chose to store bytes into 32-bit words in little-endian format (see
+ * GET/PUT_UINT32_LE) so we need to reverse bytes here.
+ */
+static void aria_rot128( uint32_t r[4], const uint32_t a[4],
+                         const uint32_t b[4], uint8_t n )
+{
+    uint8_t i, j;
+    uint32_t t, u;
+
+    const uint8_t n1 = n % 32;              // bit offset
+    const uint8_t n2 = n1 ? 32 - n1 : 0;    // reverse bit offset
+
+    j = ( n / 32 ) % 4;                     // initial word offset
+    t = ARIA_P3( b[j] );                    // big endian
+    for( i = 0; i < 4; i++ )
+    {
+        j = ( j + 1 ) % 4;                  // get next word, big endian
+        u = ARIA_P3( b[j] );
+        t <<= n1;                           // rotate
+        t |= u >> n2;
+        t = ARIA_P3( t );                   // back to little endian
+        r[i] = a[i] ^ t;                    // store
+        t = u;                              // move to next word
+    }
+}
+
+/*
+ * Set encryption key
+ */
+int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
+                             const unsigned char *key, unsigned int keybits )
+{
+    /* round constant masks */
+    const uint32_t rc[3][4] =
+    {
+        {   0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA  },
+        {   0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF  },
+        {   0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804  }
+    };
+
+    int i;
+    uint32_t w[4][4], *w2;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( key != NULL );
+
+    if( keybits != 128 && keybits != 192 && keybits != 256 )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    /* Copy key to W0 (and potential remainder to W1) */
+    GET_UINT32_LE( w[0][0], key,  0 );
+    GET_UINT32_LE( w[0][1], key,  4 );
+    GET_UINT32_LE( w[0][2], key,  8 );
+    GET_UINT32_LE( w[0][3], key, 12 );
+
+    memset( w[1], 0, 16 );
+    if( keybits >= 192 )
+    {
+        GET_UINT32_LE( w[1][0], key, 16 );  // 192 bit key
+        GET_UINT32_LE( w[1][1], key, 20 );
+    }
+    if( keybits == 256 )
+    {
+        GET_UINT32_LE( w[1][2], key, 24 );  // 256 bit key
+        GET_UINT32_LE( w[1][3], key, 28 );
+    }
+
+    i = ( keybits - 128 ) >> 6;             // index: 0, 1, 2
+    ctx->nr = 12 + 2 * i;                   // no. rounds: 12, 14, 16
+
+    aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
+    i = i < 2 ? i + 1 : 0;
+    aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
+    i = i < 2 ? i + 1 : 0;
+    aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
+
+    for( i = 0; i < 4; i++ )                // create round keys
+    {
+        w2 = w[(i + 1) & 3];
+        aria_rot128( ctx->rk[i     ], w[i], w2, 128 - 19 );
+        aria_rot128( ctx->rk[i +  4], w[i], w2, 128 - 31 );
+        aria_rot128( ctx->rk[i +  8], w[i], w2,       61 );
+        aria_rot128( ctx->rk[i + 12], w[i], w2,       31 );
+    }
+    aria_rot128( ctx->rk[16], w[0], w[1], 19 );
+
+    /* w holds enough info to reconstruct the round keys */
+    mbedtls_platform_zeroize( w, sizeof( w ) );
+
+    return( 0 );
+}
+
+/*
+ * Set decryption key
+ */
+int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
+                             const unsigned char *key, unsigned int keybits )
+{
+    int i, j, k, ret;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
+    if( ret != 0 )
+        return( ret );
+
+    /* flip the order of round keys */
+    for( i = 0, j = ctx->nr; i < j; i++, j-- )
+    {
+        for( k = 0; k < 4; k++ )
+        {
+            uint32_t t = ctx->rk[i][k];
+            ctx->rk[i][k] = ctx->rk[j][k];
+            ctx->rk[j][k] = t;
+        }
+    }
+
+    /* apply affine transform to middle keys */
+    for( i = 1; i < ctx->nr; i++ )
+    {
+        aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
+                &ctx->rk[i][2], &ctx->rk[i][3] );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Encrypt a block
+ */
+int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
+                            const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
+{
+    int i;
+
+    uint32_t a, b, c, d;
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( input != NULL );
+    ARIA_VALIDATE_RET( output != NULL );
+
+    GET_UINT32_LE( a, input,  0 );
+    GET_UINT32_LE( b, input,  4 );
+    GET_UINT32_LE( c, input,  8 );
+    GET_UINT32_LE( d, input, 12 );
+
+    i = 0;
+    while( 1 )
+    {
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
+        aria_a( &a, &b, &c, &d );
+
+        a ^= ctx->rk[i][0];
+        b ^= ctx->rk[i][1];
+        c ^= ctx->rk[i][2];
+        d ^= ctx->rk[i][3];
+        i++;
+
+        aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
+        if( i >= ctx->nr )
+            break;
+        aria_a( &a, &b, &c, &d );
+    }
+
+    /* final key mixing */
+    a ^= ctx->rk[i][0];
+    b ^= ctx->rk[i][1];
+    c ^= ctx->rk[i][2];
+    d ^= ctx->rk[i][3];
+
+    PUT_UINT32_LE( a, output,  0 );
+    PUT_UINT32_LE( b, output,  4 );
+    PUT_UINT32_LE( c, output,  8 );
+    PUT_UINT32_LE( d, output, 12 );
+
+    return( 0 );
+}
+
+/* Initialize context */
+void mbedtls_aria_init( mbedtls_aria_context *ctx )
+{
+    ARIA_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_aria_context ) );
+}
+
+/* Clear context */
+void mbedtls_aria_free( mbedtls_aria_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aria_context ) );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * ARIA-CBC buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
+                            int mode,
+                            size_t length,
+                            unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    int i;
+    unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
+                       mode == MBEDTLS_ARIA_DECRYPT );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( iv != NULL );
+
+    if( length % MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_ARIA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
+            mbedtls_aria_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_aria_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
+
+            input  += MBEDTLS_ARIA_BLOCKSIZE;
+            output += MBEDTLS_ARIA_BLOCKSIZE;
+            length -= MBEDTLS_ARIA_BLOCKSIZE;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * ARIA-CFB128 buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
+                               int mode,
+                               size_t length,
+                               size_t *iv_off,
+                               unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    unsigned char c;
+    size_t n;
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( mode == MBEDTLS_ARIA_ENCRYPT ||
+                       mode == MBEDTLS_ARIA_DECRYPT );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( iv != NULL );
+    ARIA_VALIDATE_RET( iv_off != NULL );
+
+    n = *iv_off;
+
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_ARIA_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+            c = *input++;
+            *output++ = c ^ iv[n];
+            iv[n] = c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_aria_crypt_ecb( ctx, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * ARIA-CTR buffer encryption/decryption
+ */
+int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
+                            size_t length,
+                            size_t *nc_off,
+                            unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
+                            unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    int c, i;
+    size_t n;
+
+    ARIA_VALIDATE_RET( ctx != NULL );
+    ARIA_VALIDATE_RET( length == 0 || input  != NULL );
+    ARIA_VALIDATE_RET( length == 0 || output != NULL );
+    ARIA_VALIDATE_RET( nonce_counter != NULL );
+    ARIA_VALIDATE_RET( stream_block  != NULL );
+    ARIA_VALIDATE_RET( nc_off != NULL );
+
+    n = *nc_off;
+    /* An overly large value of n can lead to an unlimited
+     * buffer overflow. Therefore, guard against this
+     * outside of parameter validation. */
+    if( n >= MBEDTLS_ARIA_BLOCKSIZE )
+        return( MBEDTLS_ERR_ARIA_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_aria_crypt_ecb( ctx, nonce_counter,
+                                stream_block );
+
+            for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_ARIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Basic ARIA ECB test vectors from RFC 5794
+ */
+static const uint8_t aria_test1_ecb_key[32] =           // test key
+{
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,     // 128 bit
+    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,     // 192 bit
+    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F      // 256 bit
+};
+
+static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] =            // plaintext
+{
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // same for all
+    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF      // key sizes
+};
+
+static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] =         // ciphertext
+{
+    { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73,   // 128 bit
+      0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
+    { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA,   // 192 bit
+      0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
+    { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F,   // 256 bit
+      0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
+};
+
+/*
+ * Mode tests from "Test Vectors for ARIA"  Version 1.0
+ * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
+ */
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
+    defined(MBEDTLS_CIPHER_MODE_CTR))
+static const uint8_t aria_test2_key[32] =
+{
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 128 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,     // 192 bit
+    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff      // 256 bit
+};
+
+static const uint8_t aria_test2_pt[48] =
+{
+    0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa,     // same for all
+    0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
+    0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
+    0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
+    0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
+    0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
+};
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
+static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
+{
+    0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78,     // same for CBC, CFB
+    0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0      // CTR has zero IV
+};
+#endif
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const uint8_t aria_test2_cbc_ct[3][48] =         // CBC ciphertext
+{
+    { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10,   // 128-bit key
+      0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
+      0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
+      0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
+      0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
+      0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
+    { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c,   // 192-bit key
+      0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
+      0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
+      0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
+      0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
+      0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
+    { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1,   // 256-bit key
+      0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
+      0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
+      0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
+      0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
+      0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const uint8_t aria_test2_cfb_ct[3][48] =         // CFB ciphertext
+{
+    { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38,   // 128-bit key
+      0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
+      0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
+      0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
+      0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
+      0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
+    { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54,   // 192-bit key
+      0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
+      0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
+      0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
+      0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
+      0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
+    { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2,   // 256-bit key
+      0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
+      0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
+      0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
+      0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
+      0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const uint8_t aria_test2_ctr_ct[3][48] =         // CTR ciphertext
+{
+    { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c,   // 128-bit key
+      0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
+      0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
+      0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
+      0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
+      0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
+    { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19,   // 192-bit key
+      0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
+      0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
+      0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
+      0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
+      0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
+    { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17,   // 256-bit key
+      0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
+      0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
+      0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
+      0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
+      0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#define ARIA_SELF_TEST_IF_FAIL              \
+        {                                   \
+            if( verbose )                   \
+                mbedtls_printf( "failed\n" );       \
+            return( 1 );                    \
+        } else {                            \
+            if( verbose )                   \
+                mbedtls_printf( "passed\n" );       \
+        }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_aria_self_test( int verbose )
+{
+    int i;
+    uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
+    mbedtls_aria_context ctx;
+
+#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
+    size_t j;
+#endif
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
+     defined(MBEDTLS_CIPHER_MODE_CFB) || \
+     defined(MBEDTLS_CIPHER_MODE_CTR))
+    uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
+#endif
+
+    /*
+     * Test set 1
+     */
+    for( i = 0; i < 3; i++ )
+    {
+        /* test ECB encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-ECB-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
+        if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* test ECB decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-ECB-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
+        mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
+        if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+
+    /*
+     * Test set 2
+     */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CBC encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CBC-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0x55, sizeof( buf ) );
+        mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CBC decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CBC-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0xAA, sizeof( buf ) );
+        mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
+            aria_test2_cbc_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CFB encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CFB-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0x55, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CFB decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CFB-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
+        memset( buf, 0xAA, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
+            iv, aria_test2_cfb_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    for( i = 0; i < 3; i++ )
+    {
+        /* Test CTR encryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CTR-%d (enc): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
+        memset( buf, 0x55, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+            aria_test2_pt, buf );
+        if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+
+        /* Test CTR decryption */
+        if( verbose )
+            mbedtls_printf( "  ARIA-CTR-%d (dec): ", 128 + 64 * i );
+        mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
+        memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE );                    // IV = 0
+        memset( buf, 0xAA, sizeof( buf ) );
+        j = 0;
+        mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
+            aria_test2_ctr_ct[i], buf );
+        if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
+            ARIA_SELF_TEST_IF_FAIL;
+    }
+    if( verbose )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ARIA_C */
diff --git a/makerom/deps/libmbedtls/src/asn1parse.c b/makerom/deps/libmbedtls/src/asn1parse.c
new file mode 100644
index 00000000..171c340b
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/asn1parse.c
@@ -0,0 +1,389 @@
+/*
+ *  Generic ASN.1 parsing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+#include "mbedtls/asn1.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/*
+ * ASN.1 DER decoding routines
+ */
+int mbedtls_asn1_get_len( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len )
+{
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( ( **p & 0x80 ) == 0 )
+        *len = *(*p)++;
+    else
+    {
+        switch( **p & 0x7F )
+        {
+        case 1:
+            if( ( end - *p ) < 2 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = (*p)[1];
+            (*p) += 2;
+            break;
+
+        case 2:
+            if( ( end - *p ) < 3 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 8 ) | (*p)[2];
+            (*p) += 3;
+            break;
+
+        case 3:
+            if( ( end - *p ) < 4 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 16 ) |
+                   ( (size_t)(*p)[2] << 8  ) | (*p)[3];
+            (*p) += 4;
+            break;
+
+        case 4:
+            if( ( end - *p ) < 5 )
+                return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+            *len = ( (size_t)(*p)[1] << 24 ) | ( (size_t)(*p)[2] << 16 ) |
+                   ( (size_t)(*p)[3] << 8  ) |           (*p)[4];
+            (*p) += 5;
+            break;
+
+        default:
+            return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+        }
+    }
+
+    if( *len > (size_t) ( end - *p ) )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_tag( unsigned char **p,
+                  const unsigned char *end,
+                  size_t *len, int tag )
+{
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != tag )
+        return( MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    (*p)++;
+
+    return( mbedtls_asn1_get_len( p, end, len ) );
+}
+
+int mbedtls_asn1_get_bool( unsigned char **p,
+                   const unsigned char *end,
+                   int *val )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_BOOLEAN ) ) != 0 )
+        return( ret );
+
+    if( len != 1 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    *val = ( **p != 0 ) ? 1 : 0;
+    (*p)++;
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_int( unsigned char **p,
+                  const unsigned char *end,
+                  int *val )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( ret );
+
+    if( len == 0 || len > sizeof( int ) || ( **p & 0x80 ) != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    *val = 0;
+
+    while( len-- > 0 )
+    {
+        *val = ( *val << 8 ) | **p;
+        (*p)++;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_get_mpi( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_mpi *X )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_mpi_read_binary( X, *p, len );
+
+    *p += len;
+
+    return( ret );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_get_bitstring( unsigned char **p, const unsigned char *end,
+                        mbedtls_asn1_bitstring *bs)
+{
+    int ret;
+
+    /* Certificate type is a single byte bitstring */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &bs->len, MBEDTLS_ASN1_BIT_STRING ) ) != 0 )
+        return( ret );
+
+    /* Check length, subtract one for actual bit string length */
+    if( bs->len < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+    bs->len -= 1;
+
+    /* Get number of unused bits, ensure unused bits <= 7 */
+    bs->unused_bits = **p;
+    if( bs->unused_bits > 7 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+    (*p)++;
+
+    /* Get actual bitstring */
+    bs->p = *p;
+    *p += bs->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Get a bit string without unused bits
+ */
+int mbedtls_asn1_get_bitstring_null( unsigned char **p, const unsigned char *end,
+                             size_t *len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, len, MBEDTLS_ASN1_BIT_STRING ) ) != 0 )
+        return( ret );
+
+    if( (*len)-- < 2 || *(*p)++ != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_DATA );
+
+    return( 0 );
+}
+
+
+
+/*
+ *  Parses and splits an ASN.1 "SEQUENCE OF <tag>"
+ */
+int mbedtls_asn1_get_sequence_of( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_asn1_sequence *cur,
+                          int tag)
+{
+    int ret;
+    size_t len;
+    mbedtls_asn1_buf *buf;
+
+    /* Get main sequence tag */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        buf = &(cur->buf);
+        buf->tag = **p;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &buf->len, tag ) ) != 0 )
+            return( ret );
+
+        buf->p = *p;
+        *p += buf->len;
+
+        /* Allocate and assign next pointer */
+        if( *p < end )
+        {
+            cur->next = (mbedtls_asn1_sequence*)mbedtls_calloc( 1,
+                                            sizeof( mbedtls_asn1_sequence ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_alg( unsigned char **p,
+                  const unsigned char *end,
+                  mbedtls_asn1_buf *alg, mbedtls_asn1_buf *params )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    alg->tag = **p;
+    end = *p + len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &alg->len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( ret );
+
+    alg->p = *p;
+    *p += alg->len;
+
+    if( *p == end )
+    {
+        mbedtls_platform_zeroize( params, sizeof(mbedtls_asn1_buf) );
+        return( 0 );
+    }
+
+    params->tag = **p;
+    (*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &params->len ) ) != 0 )
+        return( ret );
+
+    params->p = *p;
+    *p += params->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_asn1_get_alg_null( unsigned char **p,
+                       const unsigned char *end,
+                       mbedtls_asn1_buf *alg )
+{
+    int ret;
+    mbedtls_asn1_buf params;
+
+    memset( &params, 0, sizeof(mbedtls_asn1_buf) );
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, alg, &params ) ) != 0 )
+        return( ret );
+
+    if( ( params.tag != MBEDTLS_ASN1_NULL && params.tag != 0 ) || params.len != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_DATA );
+
+    return( 0 );
+}
+
+void mbedtls_asn1_free_named_data( mbedtls_asn1_named_data *cur )
+{
+    if( cur == NULL )
+        return;
+
+    mbedtls_free( cur->oid.p );
+    mbedtls_free( cur->val.p );
+
+    mbedtls_platform_zeroize( cur, sizeof( mbedtls_asn1_named_data ) );
+}
+
+void mbedtls_asn1_free_named_data_list( mbedtls_asn1_named_data **head )
+{
+    mbedtls_asn1_named_data *cur;
+
+    while( ( cur = *head ) != NULL )
+    {
+        *head = cur->next;
+        mbedtls_asn1_free_named_data( cur );
+        mbedtls_free( cur );
+    }
+}
+
+mbedtls_asn1_named_data *mbedtls_asn1_find_named_data( mbedtls_asn1_named_data *list,
+                                       const char *oid, size_t len )
+{
+    while( list != NULL )
+    {
+        if( list->oid.len == len &&
+            memcmp( list->oid.p, oid, len ) == 0 )
+        {
+            break;
+        }
+
+        list = list->next;
+    }
+
+    return( list );
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
diff --git a/makerom/deps/libmbedtls/src/asn1write.c b/makerom/deps/libmbedtls/src/asn1write.c
new file mode 100644
index 00000000..c0b4622d
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/asn1write.c
@@ -0,0 +1,421 @@
+/*
+ * ASN.1 buffer writing functionality
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ASN1_WRITE_C)
+
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+int mbedtls_asn1_write_len( unsigned char **p, unsigned char *start, size_t len )
+{
+    if( len < 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = (unsigned char) len;
+        return( 1 );
+    }
+
+    if( len <= 0xFF )
+    {
+        if( *p - start < 2 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = (unsigned char) len;
+        *--(*p) = 0x81;
+        return( 2 );
+    }
+
+    if( len <= 0xFFFF )
+    {
+        if( *p - start < 3 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = 0x82;
+        return( 3 );
+    }
+
+    if( len <= 0xFFFFFF )
+    {
+        if( *p - start < 4 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = ( len >> 16 ) & 0xFF;
+        *--(*p) = 0x83;
+        return( 4 );
+    }
+
+#if SIZE_MAX > 0xFFFFFFFF
+    if( len <= 0xFFFFFFFF )
+#endif
+    {
+        if( *p - start < 5 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = ( len       ) & 0xFF;
+        *--(*p) = ( len >>  8 ) & 0xFF;
+        *--(*p) = ( len >> 16 ) & 0xFF;
+        *--(*p) = ( len >> 24 ) & 0xFF;
+        *--(*p) = 0x84;
+        return( 5 );
+    }
+
+#if SIZE_MAX > 0xFFFFFFFF
+    return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+#endif
+}
+
+int mbedtls_asn1_write_tag( unsigned char **p, unsigned char *start, unsigned char tag )
+{
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = tag;
+
+    return( 1 );
+}
+
+int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
+                           const unsigned char *buf, size_t size )
+{
+    size_t len = 0;
+
+    if( *p < start || (size_t)( *p - start ) < size )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = size;
+    (*p) -= len;
+    memcpy( *p, buf, len );
+
+    return( (int) len );
+}
+
+#if defined(MBEDTLS_BIGNUM_C)
+int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedtls_mpi *X )
+{
+    int ret;
+    size_t len = 0;
+
+    // Write the MPI
+    //
+    len = mbedtls_mpi_size( X );
+
+    if( *p < start || (size_t)( *p - start ) < len )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    (*p) -= len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, *p, len ) );
+
+    // DER format assumes 2s complement for numbers, so the leftmost bit
+    // should be 0 for positive numbers and 1 for negative numbers.
+    //
+    if( X->s ==1 && **p & 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = 0x00;
+        len += 1;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_INTEGER ) );
+
+    ret = (int) len;
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+int mbedtls_asn1_write_null( unsigned char **p, unsigned char *start )
+{
+    int ret;
+    size_t len = 0;
+
+    // Write NULL
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, 0) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_NULL ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_oid( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                  (const unsigned char *) oid, oid_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len , mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len , mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_algorithm_identifier( unsigned char **p, unsigned char *start,
+                                     const char *oid, size_t oid_len,
+                                     size_t par_len )
+{
+    int ret;
+    size_t len = 0;
+
+    if( par_len == 0 )
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_null( p, start ) );
+    else
+        len += par_len;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                       MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_bool( unsigned char **p, unsigned char *start, int boolean )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = (boolean) ? 255 : 0;
+    len++;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BOOLEAN ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_int( unsigned char **p, unsigned char *start, int val )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len += 1;
+    *--(*p) = val;
+
+    if( val > 0 && **p & 0x80 )
+    {
+        if( *p - start < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+        *--(*p) = 0x00;
+        len += 1;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_INTEGER ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_tagged_string( unsigned char **p, unsigned char *start, int tag,
+    const char *text, size_t text_len )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+        (const unsigned char *) text, text_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, tag ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_utf8_string( unsigned char **p, unsigned char *start,
+    const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_UTF8_STRING, text, text_len) );
+}
+
+int mbedtls_asn1_write_printable_string( unsigned char **p, unsigned char *start,
+                                 const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_PRINTABLE_STRING, text, text_len) );
+}
+
+int mbedtls_asn1_write_ia5_string( unsigned char **p, unsigned char *start,
+                           const char *text, size_t text_len )
+{
+    return( mbedtls_asn1_write_tagged_string(p, start, MBEDTLS_ASN1_IA5_STRING, text, text_len) );
+}
+
+int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
+                          const unsigned char *buf, size_t bits )
+{
+    int ret;
+    size_t len = 0;
+    size_t unused_bits, byte_len;
+
+    byte_len = ( bits + 7 ) / 8;
+    unused_bits = ( byte_len * 8 ) - bits;
+
+    if( *p < start || (size_t)( *p - start ) < byte_len + 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = byte_len + 1;
+
+    /* Write the bitstring. Ensure the unused bits are zeroed */
+    if( byte_len > 0 )
+    {
+        byte_len--;
+        *--( *p ) = buf[byte_len] & ~( ( 0x1 << unused_bits ) - 1 );
+        ( *p ) -= byte_len;
+        memcpy( *p, buf, byte_len );
+    }
+
+    /* Write unused bits */
+    *--( *p ) = (unsigned char)unused_bits;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
+
+    return( (int) len );
+}
+
+int mbedtls_asn1_write_octet_string( unsigned char **p, unsigned char *start,
+                             const unsigned char *buf, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, buf, size ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    return( (int) len );
+}
+
+
+/* This is a copy of the ASN.1 parsing function mbedtls_asn1_find_named_data(),
+ * which is replicated to avoid a dependency ASN1_WRITE_C on ASN1_PARSE_C. */
+static mbedtls_asn1_named_data *asn1_find_named_data(
+                                               mbedtls_asn1_named_data *list,
+                                               const char *oid, size_t len )
+{
+    while( list != NULL )
+    {
+        if( list->oid.len == len &&
+            memcmp( list->oid.p, oid, len ) == 0 )
+        {
+            break;
+        }
+
+        list = list->next;
+    }
+
+    return( list );
+}
+
+mbedtls_asn1_named_data *mbedtls_asn1_store_named_data(
+                                        mbedtls_asn1_named_data **head,
+                                        const char *oid, size_t oid_len,
+                                        const unsigned char *val,
+                                        size_t val_len )
+{
+    mbedtls_asn1_named_data *cur;
+
+    if( ( cur = asn1_find_named_data( *head, oid, oid_len ) ) == NULL )
+    {
+        // Add new entry if not present yet based on OID
+        //
+        cur = (mbedtls_asn1_named_data*)mbedtls_calloc( 1,
+                                            sizeof(mbedtls_asn1_named_data) );
+        if( cur == NULL )
+            return( NULL );
+
+        cur->oid.len = oid_len;
+        cur->oid.p = mbedtls_calloc( 1, oid_len );
+        if( cur->oid.p == NULL )
+        {
+            mbedtls_free( cur );
+            return( NULL );
+        }
+
+        memcpy( cur->oid.p, oid, oid_len );
+
+        cur->val.len = val_len;
+        cur->val.p = mbedtls_calloc( 1, val_len );
+        if( cur->val.p == NULL )
+        {
+            mbedtls_free( cur->oid.p );
+            mbedtls_free( cur );
+            return( NULL );
+        }
+
+        cur->next = *head;
+        *head = cur;
+    }
+    else if( cur->val.len < val_len )
+    {
+        /*
+         * Enlarge existing value buffer if needed
+         * Preserve old data until the allocation succeeded, to leave list in
+         * a consistent state in case allocation fails.
+         */
+        void *p = mbedtls_calloc( 1, val_len );
+        if( p == NULL )
+            return( NULL );
+
+        mbedtls_free( cur->val.p );
+        cur->val.p = p;
+        cur->val.len = val_len;
+    }
+
+    if( val != NULL )
+        memcpy( cur->val.p, val, val_len );
+
+    return( cur );
+}
+#endif /* MBEDTLS_ASN1_WRITE_C */
diff --git a/makerom/polarssl/base64.c b/makerom/deps/libmbedtls/src/base64.c
similarity index 52%
rename from makerom/polarssl/base64.c
rename to makerom/deps/libmbedtls/src/base64.c
index 5a98fa9f..f06b57b3 100644
--- a/makerom/polarssl/base64.c
+++ b/makerom/deps/libmbedtls/src/base64.c
@@ -1,40 +1,45 @@
 /*
  *  RFC 1521 base64 encoding/decoding
  *
- *  Copyright (C) 2006-2010, Brainspark B.V.
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
  *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
  *
- *  All rights reserved.
+ *  http://www.apache.org/licenses/LICENSE-2.0
  *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
-#include "polarssl/config.h"
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BASE64_C)
 
-#if defined(POLARSSL_BASE64_C)
+#include "mbedtls/base64.h"
 
-#include "polarssl/base64.h"
+#include <stdint.h>
 
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
+#if defined(MBEDTLS_SELF_TEST)
+#include <string.h>
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
 #else
-#include <inttypes.h>
-#endif
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
 
 static const unsigned char base64_enc_map[64] =
 {
@@ -64,10 +69,12 @@ static const unsigned char base64_dec_map[128] =
      49,  50,  51, 127, 127, 127, 127, 127
 };
 
+#define BASE64_SIZE_T_MAX   ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
+
 /*
  * Encode a buffer into base64 format
  */
-int base64_encode( unsigned char *dst, size_t *dlen,
+int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
                    const unsigned char *src, size_t slen )
 {
     size_t i, n;
@@ -75,24 +82,28 @@ int base64_encode( unsigned char *dst, size_t *dlen,
     unsigned char *p;
 
     if( slen == 0 )
+    {
+        *olen = 0;
         return( 0 );
+    }
 
-    n = (slen << 3) / 6;
+    n = slen / 3 + ( slen % 3 != 0 );
 
-    switch( (slen << 3) - (n * 6) )
+    if( n > ( BASE64_SIZE_T_MAX - 1 ) / 4 )
     {
-        case  2: n += 3; break;
-        case  4: n += 2; break;
-        default: break;
+        *olen = BASE64_SIZE_T_MAX;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
     }
 
-    if( *dlen < n + 1 )
+    n *= 4;
+
+    if( ( dlen < n + 1 ) || ( NULL == dst ) )
     {
-        *dlen = n + 1;
-        return( POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL );
+        *olen = n + 1;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
     }
 
-    n = (slen / 3) * 3;
+    n = ( slen / 3 ) * 3;
 
     for( i = 0, p = dst; i < n; i += 3 )
     {
@@ -109,19 +120,19 @@ int base64_encode( unsigned char *dst, size_t *dlen,
     if( i < slen )
     {
         C1 = *src++;
-        C2 = ((i + 1) < slen) ? *src++ : 0;
+        C2 = ( ( i + 1 ) < slen ) ? *src++ : 0;
 
         *p++ = base64_enc_map[(C1 >> 2) & 0x3F];
         *p++ = base64_enc_map[(((C1 & 3) << 4) + (C2 >> 4)) & 0x3F];
 
-        if( (i + 1) < slen )
+        if( ( i + 1 ) < slen )
              *p++ = base64_enc_map[((C2 & 15) << 2) & 0x3F];
         else *p++ = '=';
 
         *p++ = '=';
     }
 
-    *dlen = p - dst;
+    *olen = p - dst;
     *p = 0;
 
     return( 0 );
@@ -130,15 +141,28 @@ int base64_encode( unsigned char *dst, size_t *dlen,
 /*
  * Decode a base64-formatted buffer
  */
-int base64_decode( unsigned char *dst, size_t *dlen,
+int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
                    const unsigned char *src, size_t slen )
 {
     size_t i, n;
     uint32_t j, x;
     unsigned char *p;
 
-    for( i = j = n = 0; i < slen; i++ )
+    /* First pass: check for validity and get output length */
+    for( i = n = j = 0; i < slen; i++ )
     {
+        /* Skip spaces before checking for EOL */
+        x = 0;
+        while( i < slen && src[i] == ' ' )
+        {
+            ++i;
+            ++x;
+        }
+
+        /* Spaces at end of buffer are OK */
+        if( i == slen )
+            break;
+
         if( ( slen - i ) >= 2 &&
             src[i] == '\r' && src[i + 1] == '\n' )
             continue;
@@ -146,43 +170,48 @@ int base64_decode( unsigned char *dst, size_t *dlen,
         if( src[i] == '\n' )
             continue;
 
-        if( src[i] == '=' && ++j > 2 ){
-			printf("err 0 char[%lu] = '%c' (0x%x)\n",i,src[i],src[i]);
-            return( POLARSSL_ERR_BASE64_INVALID_CHARACTER );
-		}
+        /* Space inside a line is an error */
+        if( x != 0 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
 
-        if( src[i] > 127 || base64_dec_map[src[i]] == 127 ){
-			printf("err 1 char[%lu] = '%c' (0x%x)\n",i,src[i],src[i]);
-            return( POLARSSL_ERR_BASE64_INVALID_CHARACTER );
-		}
+        if( src[i] == '=' && ++j > 2 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
 
-        if( base64_dec_map[src[i]] < 64 && j != 0 ){
-			printf("err 2 char[%lu] = '%c' (0x%x)\n",i,src[i],src[i]);
-            return( POLARSSL_ERR_BASE64_INVALID_CHARACTER );
-		}
+        if( src[i] > 127 || base64_dec_map[src[i]] == 127 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
+
+        if( base64_dec_map[src[i]] < 64 && j != 0 )
+            return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
 
         n++;
     }
 
     if( n == 0 )
+    {
+        *olen = 0;
         return( 0 );
+    }
 
-		
-    n = ((n * 6) + 7) >> 3;
-	
-    if( (*dlen+4) < n )
+    /* The following expression is to calculate the following formula without
+     * risk of integer overflow in n:
+     *     n = ( ( n * 6 ) + 7 ) >> 3;
+     */
+    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
+    n -= j;
+
+    if( dst == NULL || dlen < n )
     {
-        *dlen = n;
-        return( POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL );
+        *olen = n;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
     }
 
    for( j = 3, n = x = 0, p = dst; i > 0; i--, src++ )
    {
-        if( *src == '\r' || *src == '\n' )
+        if( *src == '\r' || *src == '\n' || *src == ' ' )
             continue;
 
         j -= ( base64_dec_map[*src] == 64 );
-        x  = (x << 6) | ( base64_dec_map[*src] & 0x3F );
+        x  = ( x << 6 ) | ( base64_dec_map[*src] & 0x3F );
 
         if( ++n == 4 )
         {
@@ -193,15 +222,12 @@ int base64_decode( unsigned char *dst, size_t *dlen,
         }
     }
 
-    *dlen = p - dst;
+    *olen = p - dst;
 
     return( 0 );
 }
 
-#if defined(POLARSSL_SELF_TEST)
-
-#include <string.h>
-#include <stdio.h>
+#if defined(MBEDTLS_SELF_TEST)
 
 static const unsigned char base64_test_dec[64] =
 {
@@ -222,48 +248,46 @@ static const unsigned char base64_test_enc[] =
 /*
  * Checkup routine
  */
-int base64_self_test( int verbose )
+int mbedtls_base64_self_test( int verbose )
 {
     size_t len;
     const unsigned char *src;
     unsigned char buffer[128];
 
     if( verbose != 0 )
-        printf( "  Base64 encoding test: " );
+        mbedtls_printf( "  Base64 encoding test: " );
 
-    len = sizeof( buffer );
     src = base64_test_dec;
 
-    if( base64_encode( buffer, &len, src, 64 ) != 0 ||
+    if( mbedtls_base64_encode( buffer, sizeof( buffer ), &len, src, 64 ) != 0 ||
          memcmp( base64_test_enc, buffer, 88 ) != 0 )
     {
         if( verbose != 0 )
-            printf( "failed\n" );
+            mbedtls_printf( "failed\n" );
 
         return( 1 );
     }
 
     if( verbose != 0 )
-        printf( "passed\n  Base64 decoding test: " );
+        mbedtls_printf( "passed\n  Base64 decoding test: " );
 
-    len = sizeof( buffer );
     src = base64_test_enc;
 
-    if( base64_decode( buffer, &len, src, 88 ) != 0 ||
+    if( mbedtls_base64_decode( buffer, sizeof( buffer ), &len, src, 88 ) != 0 ||
          memcmp( base64_test_dec, buffer, 64 ) != 0 )
     {
         if( verbose != 0 )
-            printf( "failed\n" );
+            mbedtls_printf( "failed\n" );
 
         return( 1 );
     }
 
     if( verbose != 0 )
-        printf( "passed\n\n" );
+        mbedtls_printf( "passed\n\n" );
 
     return( 0 );
 }
 
-#endif
+#endif /* MBEDTLS_SELF_TEST */
 
-#endif
+#endif /* MBEDTLS_BASE64_C */
diff --git a/makerom/deps/libmbedtls/src/bignum.c b/makerom/deps/libmbedtls/src/bignum.c
new file mode 100644
index 00000000..87ccf42f
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/bignum.c
@@ -0,0 +1,2866 @@
+/*
+ *  Multi-precision integer library
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The following sources were referenced in the design of this Multi-precision
+ *  Integer library:
+ *
+ *  [1] Handbook of Applied Cryptography - 1997
+ *      Menezes, van Oorschot and Vanstone
+ *
+ *  [2] Multi-Precision Math
+ *      Tom St Denis
+ *      https://github.com/libtom/libtommath/blob/develop/tommath.pdf
+ *
+ *  [3] GNU Multi-Precision Arithmetic Library
+ *      https://gmplib.org/manual/index.html
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+
+#include "mbedtls/bignum.h"
+#include "mbedtls/bn_mul.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#define MPI_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
+#define MPI_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define ciL    (sizeof(mbedtls_mpi_uint))         /* chars in limb  */
+#define biL    (ciL << 3)               /* bits  in limb  */
+#define biH    (ciL << 2)               /* half limb size */
+
+#define MPI_SIZE_T_MAX  ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
+
+/*
+ * Convert between bits/chars and number of limbs
+ * Divide first in order to avoid potential overflows
+ */
+#define BITS_TO_LIMBS(i)  ( (i) / biL + ( (i) % biL != 0 ) )
+#define CHARS_TO_LIMBS(i) ( (i) / ciL + ( (i) % ciL != 0 ) )
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n )
+{
+    mbedtls_platform_zeroize( v, ciL * n );
+}
+
+/*
+ * Initialize one MPI
+ */
+void mbedtls_mpi_init( mbedtls_mpi *X )
+{
+    MPI_VALIDATE( X != NULL );
+
+    X->s = 1;
+    X->n = 0;
+    X->p = NULL;
+}
+
+/*
+ * Unallocate one MPI
+ */
+void mbedtls_mpi_free( mbedtls_mpi *X )
+{
+    if( X == NULL )
+        return;
+
+    if( X->p != NULL )
+    {
+        mbedtls_mpi_zeroize( X->p, X->n );
+        mbedtls_free( X->p );
+    }
+
+    X->s = 1;
+    X->n = 0;
+    X->p = NULL;
+}
+
+/*
+ * Enlarge to the specified number of limbs
+ */
+int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs )
+{
+    mbedtls_mpi_uint *p;
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    if( X->n < nblimbs )
+    {
+        if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
+            return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+        if( X->p != NULL )
+        {
+            memcpy( p, X->p, X->n * ciL );
+            mbedtls_mpi_zeroize( X->p, X->n );
+            mbedtls_free( X->p );
+        }
+
+        X->n = nblimbs;
+        X->p = p;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Resize down as much as possible,
+ * while keeping at least the specified number of limbs
+ */
+int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs )
+{
+    mbedtls_mpi_uint *p;
+    size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( nblimbs > MBEDTLS_MPI_MAX_LIMBS )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    /* Actually resize up if there are currently fewer than nblimbs limbs. */
+    if( X->n <= nblimbs )
+        return( mbedtls_mpi_grow( X, nblimbs ) );
+    /* After this point, then X->n > nblimbs and in particular X->n > 0. */
+
+    for( i = X->n - 1; i > 0; i-- )
+        if( X->p[i] != 0 )
+            break;
+    i++;
+
+    if( i < nblimbs )
+        i = nblimbs;
+
+    if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    if( X->p != NULL )
+    {
+        memcpy( p, X->p, i * ciL );
+        mbedtls_mpi_zeroize( X->p, X->n );
+        mbedtls_free( X->p );
+    }
+
+    X->n = i;
+    X->p = p;
+
+    return( 0 );
+}
+
+/*
+ * Copy the contents of Y into X
+ */
+int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    int ret = 0;
+    size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    if( X == Y )
+        return( 0 );
+
+    if( Y->n == 0 )
+    {
+        mbedtls_mpi_free( X );
+        return( 0 );
+    }
+
+    for( i = Y->n - 1; i > 0; i-- )
+        if( Y->p[i] != 0 )
+            break;
+    i++;
+
+    X->s = Y->s;
+
+    if( X->n < i )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i ) );
+    }
+    else
+    {
+        memset( X->p + i, 0, ( X->n - i ) * ciL );
+    }
+
+    memcpy( X->p, Y->p, i * ciL );
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Swap the contents of X and Y
+ */
+void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
+{
+    mbedtls_mpi T;
+    MPI_VALIDATE( X != NULL );
+    MPI_VALIDATE( Y != NULL );
+
+    memcpy( &T,  X, sizeof( mbedtls_mpi ) );
+    memcpy(  X,  Y, sizeof( mbedtls_mpi ) );
+    memcpy(  Y, &T, sizeof( mbedtls_mpi ) );
+}
+
+/*
+ * Conditionally assign X = Y, without leaking information
+ * about whether the assignment was made or not.
+ * (Leaking information about the respective sizes of X and Y is ok however.)
+ */
+int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned char assign )
+{
+    int ret = 0;
+    size_t i;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    /* make sure assign is 0 or 1 in a time-constant manner */
+    assign = (assign | (unsigned char)-assign) >> 7;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
+
+    X->s = X->s * ( 1 - assign ) + Y->s * assign;
+
+    for( i = 0; i < Y->n; i++ )
+        X->p[i] = X->p[i] * ( 1 - assign ) + Y->p[i] * assign;
+
+    for( ; i < X->n; i++ )
+        X->p[i] *= ( 1 - assign );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Conditionally swap X and Y, without leaking information
+ * about whether the swap was made or not.
+ * Here it is not ok to simply swap the pointers, which whould lead to
+ * different memory access patterns when X and Y are used afterwards.
+ */
+int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X, mbedtls_mpi *Y, unsigned char swap )
+{
+    int ret, s;
+    size_t i;
+    mbedtls_mpi_uint tmp;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    if( X == Y )
+        return( 0 );
+
+    /* make sure swap is 0 or 1 in a time-constant manner */
+    swap = (swap | (unsigned char)-swap) >> 7;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
+
+    s = X->s;
+    X->s = X->s * ( 1 - swap ) + Y->s * swap;
+    Y->s = Y->s * ( 1 - swap ) +    s * swap;
+
+
+    for( i = 0; i < X->n; i++ )
+    {
+        tmp = X->p[i];
+        X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
+        Y->p[i] = Y->p[i] * ( 1 - swap ) +     tmp * swap;
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Set value from integer
+ */
+int mbedtls_mpi_lset( mbedtls_mpi *X, mbedtls_mpi_sint z )
+{
+    int ret;
+    MPI_VALIDATE_RET( X != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, 1 ) );
+    memset( X->p, 0, X->n * ciL );
+
+    X->p[0] = ( z < 0 ) ? -z : z;
+    X->s    = ( z < 0 ) ? -1 : 1;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Get a specific bit
+ */
+int mbedtls_mpi_get_bit( const mbedtls_mpi *X, size_t pos )
+{
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( X->n * biL <= pos )
+        return( 0 );
+
+    return( ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01 );
+}
+
+/* Get a specific byte, without range checks. */
+#define GET_BYTE( X, i )                                \
+    ( ( ( X )->p[( i ) / ciL] >> ( ( ( i ) % ciL ) * 8 ) ) & 0xff )
+
+/*
+ * Set a bit to a specific value of 0 or 1
+ */
+int mbedtls_mpi_set_bit( mbedtls_mpi *X, size_t pos, unsigned char val )
+{
+    int ret = 0;
+    size_t off = pos / biL;
+    size_t idx = pos % biL;
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( val != 0 && val != 1 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( X->n * biL <= pos )
+    {
+        if( val == 0 )
+            return( 0 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, off + 1 ) );
+    }
+
+    X->p[off] &= ~( (mbedtls_mpi_uint) 0x01 << idx );
+    X->p[off] |= (mbedtls_mpi_uint) val << idx;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Return the number of less significant zero-bits
+ */
+size_t mbedtls_mpi_lsb( const mbedtls_mpi *X )
+{
+    size_t i, j, count = 0;
+    MBEDTLS_INTERNAL_VALIDATE_RET( X != NULL, 0 );
+
+    for( i = 0; i < X->n; i++ )
+        for( j = 0; j < biL; j++, count++ )
+            if( ( ( X->p[i] >> j ) & 1 ) != 0 )
+                return( count );
+
+    return( 0 );
+}
+
+/*
+ * Count leading zero bits in a given integer
+ */
+static size_t mbedtls_clz( const mbedtls_mpi_uint x )
+{
+    size_t j;
+    mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
+
+    for( j = 0; j < biL; j++ )
+    {
+        if( x & mask ) break;
+
+        mask >>= 1;
+    }
+
+    return j;
+}
+
+/*
+ * Return the number of bits
+ */
+size_t mbedtls_mpi_bitlen( const mbedtls_mpi *X )
+{
+    size_t i, j;
+
+    if( X->n == 0 )
+        return( 0 );
+
+    for( i = X->n - 1; i > 0; i-- )
+        if( X->p[i] != 0 )
+            break;
+
+    j = biL - mbedtls_clz( X->p[i] );
+
+    return( ( i * biL ) + j );
+}
+
+/*
+ * Return the total size in bytes
+ */
+size_t mbedtls_mpi_size( const mbedtls_mpi *X )
+{
+    return( ( mbedtls_mpi_bitlen( X ) + 7 ) >> 3 );
+}
+
+/*
+ * Convert an ASCII character to digit value
+ */
+static int mpi_get_digit( mbedtls_mpi_uint *d, int radix, char c )
+{
+    *d = 255;
+
+    if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
+    if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
+    if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
+
+    if( *d >= (mbedtls_mpi_uint) radix )
+        return( MBEDTLS_ERR_MPI_INVALID_CHARACTER );
+
+    return( 0 );
+}
+
+/*
+ * Import from an ASCII string
+ */
+int mbedtls_mpi_read_string( mbedtls_mpi *X, int radix, const char *s )
+{
+    int ret;
+    size_t i, j, slen, n;
+    mbedtls_mpi_uint d;
+    mbedtls_mpi T;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( s != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T );
+
+    slen = strlen( s );
+
+    if( radix == 16 )
+    {
+        if( slen > MPI_SIZE_T_MAX >> 2 )
+            return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+        n = BITS_TO_LIMBS( slen << 2 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+        for( i = slen, j = 0; i > 0; i--, j++ )
+        {
+            if( i == 1 && s[i - 1] == '-' )
+            {
+                X->s = -1;
+                break;
+            }
+
+            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
+            X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+        for( i = 0; i < slen; i++ )
+        {
+            if( i == 0 && s[i] == '-' )
+            {
+                X->s = -1;
+                continue;
+            }
+
+            MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
+
+            if( X->s == 1 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
+            }
+            else
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( X, &T, d ) );
+            }
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    return( ret );
+}
+
+/*
+ * Helper to write the digits high-order first.
+ */
+static int mpi_write_hlp( mbedtls_mpi *X, int radix,
+                          char **p, const size_t buflen )
+{
+    int ret;
+    mbedtls_mpi_uint r;
+    size_t length = 0;
+    char *p_end = *p + buflen;
+
+    do
+    {
+        if( length >= buflen )
+        {
+            return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, radix ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_div_int( X, NULL, X, radix ) );
+        /*
+         * Write the residue in the current position, as an ASCII character.
+         */
+        if( r < 0xA )
+            *(--p_end) = (char)( '0' + r );
+        else
+            *(--p_end) = (char)( 'A' + ( r - 0xA ) );
+
+        length++;
+    } while( mbedtls_mpi_cmp_int( X, 0 ) != 0 );
+
+    memmove( *p, p_end, length );
+    *p += length;
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Export into an ASCII string
+ */
+int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
+                              char *buf, size_t buflen, size_t *olen )
+{
+    int ret = 0;
+    size_t n;
+    char *p;
+    mbedtls_mpi T;
+    MPI_VALIDATE_RET( X    != NULL );
+    MPI_VALIDATE_RET( olen != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    n = mbedtls_mpi_bitlen( X ); /* Number of bits necessary to present `n`. */
+    if( radix >=  4 ) n >>= 1;   /* Number of 4-adic digits necessary to present
+                                  * `n`. If radix > 4, this might be a strict
+                                  * overapproximation of the number of
+                                  * radix-adic digits needed to present `n`. */
+    if( radix >= 16 ) n >>= 1;   /* Number of hexadecimal digits necessary to
+                                  * present `n`. */
+
+    n += 1; /* Terminating null byte */
+    n += 1; /* Compensate for the divisions above, which round down `n`
+             * in case it's not even. */
+    n += 1; /* Potential '-'-sign. */
+    n += ( n & 1 ); /* Make n even to have enough space for hexadecimal writing,
+                     * which always uses an even number of hex-digits. */
+
+    if( buflen < n )
+    {
+        *olen = n;
+        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+    }
+
+    p = buf;
+    mbedtls_mpi_init( &T );
+
+    if( X->s == -1 )
+    {
+        *p++ = '-';
+        buflen--;
+    }
+
+    if( radix == 16 )
+    {
+        int c;
+        size_t i, j, k;
+
+        for( i = X->n, k = 0; i > 0; i-- )
+        {
+            for( j = ciL; j > 0; j-- )
+            {
+                c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
+
+                if( c == 0 && k == 0 && ( i + j ) != 2 )
+                    continue;
+
+                *(p++) = "0123456789ABCDEF" [c / 16];
+                *(p++) = "0123456789ABCDEF" [c % 16];
+                k = 1;
+            }
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T, X ) );
+
+        if( T.s == -1 )
+            T.s = 1;
+
+        MBEDTLS_MPI_CHK( mpi_write_hlp( &T, radix, &p, buflen ) );
+    }
+
+    *p++ = '\0';
+    *olen = p - buf;
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Read X from an opened file
+ */
+int mbedtls_mpi_read_file( mbedtls_mpi *X, int radix, FILE *fin )
+{
+    mbedtls_mpi_uint d;
+    size_t slen;
+    char *p;
+    /*
+     * Buffer should have space for (short) label and decimal formatted MPI,
+     * newline characters and '\0'
+     */
+    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+
+    MPI_VALIDATE_RET( X   != NULL );
+    MPI_VALIDATE_RET( fin != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    memset( s, 0, sizeof( s ) );
+    if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
+        return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
+
+    slen = strlen( s );
+    if( slen == sizeof( s ) - 2 )
+        return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+
+    if( slen > 0 && s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
+    if( slen > 0 && s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
+
+    p = s + slen;
+    while( p-- > s )
+        if( mpi_get_digit( &d, radix, *p ) != 0 )
+            break;
+
+    return( mbedtls_mpi_read_string( X, radix, p + 1 ) );
+}
+
+/*
+ * Write X into an opened file (or stdout if fout == NULL)
+ */
+int mbedtls_mpi_write_file( const char *p, const mbedtls_mpi *X, int radix, FILE *fout )
+{
+    int ret;
+    size_t n, slen, plen;
+    /*
+     * Buffer should have space for (short) label and decimal formatted MPI,
+     * newline characters and '\0'
+     */
+    char s[ MBEDTLS_MPI_RW_BUFFER_SIZE ];
+    MPI_VALIDATE_RET( X != NULL );
+
+    if( radix < 2 || radix > 16 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    memset( s, 0, sizeof( s ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_string( X, radix, s, sizeof( s ) - 2, &n ) );
+
+    if( p == NULL ) p = "";
+
+    plen = strlen( p );
+    slen = strlen( s );
+    s[slen++] = '\r';
+    s[slen++] = '\n';
+
+    if( fout != NULL )
+    {
+        if( fwrite( p, 1, plen, fout ) != plen ||
+            fwrite( s, 1, slen, fout ) != slen )
+            return( MBEDTLS_ERR_MPI_FILE_IO_ERROR );
+    }
+    else
+        mbedtls_printf( "%s%s", p, s );
+
+cleanup:
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+/* Convert a big-endian byte array aligned to the size of mbedtls_mpi_uint
+ * into the storage form used by mbedtls_mpi. */
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x )
+{
+    uint8_t i;
+    unsigned char *x_ptr;
+    mbedtls_mpi_uint tmp = 0;
+
+    for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ )
+    {
+        tmp <<= CHAR_BIT;
+        tmp |= (mbedtls_mpi_uint) *x_ptr;
+    }
+
+    return( tmp );
+}
+
+static mbedtls_mpi_uint mpi_uint_bigendian_to_host( mbedtls_mpi_uint x )
+{
+#if defined(__BYTE_ORDER__)
+
+/* Nothing to do on bigendian systems. */
+#if ( __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ )
+    return( x );
+#endif /* __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ */
+
+#if ( __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ )
+
+/* For GCC and Clang, have builtins for byte swapping. */
+#if defined(__GNUC__) && defined(__GNUC_PREREQ)
+#if __GNUC_PREREQ(4,3)
+#define have_bswap
+#endif
+#endif
+
+#if defined(__clang__) && defined(__has_builtin)
+#if __has_builtin(__builtin_bswap32)  &&                 \
+    __has_builtin(__builtin_bswap64)
+#define have_bswap
+#endif
+#endif
+
+#if defined(have_bswap)
+    /* The compiler is hopefully able to statically evaluate this! */
+    switch( sizeof(mbedtls_mpi_uint) )
+    {
+        case 4:
+            return( __builtin_bswap32(x) );
+        case 8:
+            return( __builtin_bswap64(x) );
+    }
+#endif
+#endif /* __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ */
+#endif /* __BYTE_ORDER__ */
+
+    /* Fall back to C-based reordering if we don't know the byte order
+     * or we couldn't use a compiler-specific builtin. */
+    return( mpi_uint_bigendian_to_host_c( x ) );
+}
+
+static void mpi_bigendian_to_host( mbedtls_mpi_uint * const p, size_t limbs )
+{
+    mbedtls_mpi_uint *cur_limb_left;
+    mbedtls_mpi_uint *cur_limb_right;
+    if( limbs == 0 )
+        return;
+
+    /*
+     * Traverse limbs and
+     * - adapt byte-order in each limb
+     * - swap the limbs themselves.
+     * For that, simultaneously traverse the limbs from left to right
+     * and from right to left, as long as the left index is not bigger
+     * than the right index (it's not a problem if limbs is odd and the
+     * indices coincide in the last iteration).
+     */
+    for( cur_limb_left = p, cur_limb_right = p + ( limbs - 1 );
+         cur_limb_left <= cur_limb_right;
+         cur_limb_left++, cur_limb_right-- )
+    {
+        mbedtls_mpi_uint tmp;
+        /* Note that if cur_limb_left == cur_limb_right,
+         * this code effectively swaps the bytes only once. */
+        tmp             = mpi_uint_bigendian_to_host( *cur_limb_left  );
+        *cur_limb_left  = mpi_uint_bigendian_to_host( *cur_limb_right );
+        *cur_limb_right = tmp;
+    }
+}
+
+/*
+ * Import X from unsigned binary data, big endian
+ */
+int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t const limbs    = CHARS_TO_LIMBS( buflen );
+    size_t const overhead = ( limbs * ciL ) - buflen;
+    unsigned char *Xp;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
+
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if( X->n != limbs )
+    {
+        mbedtls_mpi_free( X );
+        mbedtls_mpi_init( X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    /* Avoid calling `memcpy` with NULL source argument,
+     * even if buflen is 0. */
+    if( buf != NULL )
+    {
+        Xp = (unsigned char*) X->p;
+        memcpy( Xp + overhead, buf, buflen );
+
+        mpi_bigendian_to_host( X->p, limbs );
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Export X into unsigned binary data, big endian
+ */
+int mbedtls_mpi_write_binary( const mbedtls_mpi *X,
+                              unsigned char *buf, size_t buflen )
+{
+    size_t stored_bytes;
+    size_t bytes_to_copy;
+    unsigned char *p;
+    size_t i;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
+
+    stored_bytes = X->n * ciL;
+
+    if( stored_bytes < buflen )
+    {
+        /* There is enough space in the output buffer. Write initial
+         * null bytes and record the position at which to start
+         * writing the significant bytes. In this case, the execution
+         * trace of this function does not depend on the value of the
+         * number. */
+        bytes_to_copy = stored_bytes;
+        p = buf + buflen - stored_bytes;
+        memset( buf, 0, buflen - stored_bytes );
+    }
+    else
+    {
+        /* The output buffer is smaller than the allocated size of X.
+         * However X may fit if its leading bytes are zero. */
+        bytes_to_copy = buflen;
+        p = buf;
+        for( i = bytes_to_copy; i < stored_bytes; i++ )
+        {
+            if( GET_BYTE( X, i ) != 0 )
+                return( MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL );
+        }
+    }
+
+    for( i = 0; i < bytes_to_copy; i++ )
+        p[bytes_to_copy - i - 1] = GET_BYTE( X, i );
+
+    return( 0 );
+}
+
+/*
+ * Left-shift: X <<= count
+ */
+int mbedtls_mpi_shift_l( mbedtls_mpi *X, size_t count )
+{
+    int ret;
+    size_t i, v0, t1;
+    mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET( X != NULL );
+
+    v0 = count / (biL    );
+    t1 = count & (biL - 1);
+
+    i = mbedtls_mpi_bitlen( X ) + count;
+
+    if( X->n * biL < i )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, BITS_TO_LIMBS( i ) ) );
+
+    ret = 0;
+
+    /*
+     * shift by count / limb_size
+     */
+    if( v0 > 0 )
+    {
+        for( i = X->n; i > v0; i-- )
+            X->p[i - 1] = X->p[i - v0 - 1];
+
+        for( ; i > 0; i-- )
+            X->p[i - 1] = 0;
+    }
+
+    /*
+     * shift by count % limb_size
+     */
+    if( t1 > 0 )
+    {
+        for( i = v0; i < X->n; i++ )
+        {
+            r1 = X->p[i] >> (biL - t1);
+            X->p[i] <<= t1;
+            X->p[i] |= r0;
+            r0 = r1;
+        }
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Right-shift: X >>= count
+ */
+int mbedtls_mpi_shift_r( mbedtls_mpi *X, size_t count )
+{
+    size_t i, v0, v1;
+    mbedtls_mpi_uint r0 = 0, r1;
+    MPI_VALIDATE_RET( X != NULL );
+
+    v0 = count /  biL;
+    v1 = count & (biL - 1);
+
+    if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
+        return mbedtls_mpi_lset( X, 0 );
+
+    /*
+     * shift by count / limb_size
+     */
+    if( v0 > 0 )
+    {
+        for( i = 0; i < X->n - v0; i++ )
+            X->p[i] = X->p[i + v0];
+
+        for( ; i < X->n; i++ )
+            X->p[i] = 0;
+    }
+
+    /*
+     * shift by count % limb_size
+     */
+    if( v1 > 0 )
+    {
+        for( i = X->n; i > 0; i-- )
+        {
+            r1 = X->p[i - 1] << (biL - v1);
+            X->p[i - 1] >>= v1;
+            X->p[i - 1] |= r0;
+            r0 = r1;
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare unsigned values
+ */
+int mbedtls_mpi_cmp_abs( const mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    size_t i, j;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    for( i = X->n; i > 0; i-- )
+        if( X->p[i - 1] != 0 )
+            break;
+
+    for( j = Y->n; j > 0; j-- )
+        if( Y->p[j - 1] != 0 )
+            break;
+
+    if( i == 0 && j == 0 )
+        return( 0 );
+
+    if( i > j ) return(  1 );
+    if( j > i ) return( -1 );
+
+    for( ; i > 0; i-- )
+    {
+        if( X->p[i - 1] > Y->p[i - 1] ) return(  1 );
+        if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_mpi( const mbedtls_mpi *X, const mbedtls_mpi *Y )
+{
+    size_t i, j;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+
+    for( i = X->n; i > 0; i-- )
+        if( X->p[i - 1] != 0 )
+            break;
+
+    for( j = Y->n; j > 0; j-- )
+        if( Y->p[j - 1] != 0 )
+            break;
+
+    if( i == 0 && j == 0 )
+        return( 0 );
+
+    if( i > j ) return(  X->s );
+    if( j > i ) return( -Y->s );
+
+    if( X->s > 0 && Y->s < 0 ) return(  1 );
+    if( Y->s > 0 && X->s < 0 ) return( -1 );
+
+    for( ; i > 0; i-- )
+    {
+        if( X->p[i - 1] > Y->p[i - 1] ) return(  X->s );
+        if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
+    }
+
+    return( 0 );
+}
+
+/** Decide if an integer is less than the other, without branches.
+ *
+ * \param x         First integer.
+ * \param y         Second integer.
+ *
+ * \return          1 if \p x is less than \p y, 0 otherwise
+ */
+static unsigned ct_lt_mpi_uint( const mbedtls_mpi_uint x,
+        const mbedtls_mpi_uint y )
+{
+    mbedtls_mpi_uint ret;
+    mbedtls_mpi_uint cond;
+
+    /*
+     * Check if the most significant bits (MSB) of the operands are different.
+     */
+    cond = ( x ^ y );
+    /*
+     * If the MSB are the same then the difference x-y will be negative (and
+     * have its MSB set to 1 during conversion to unsigned) if and only if x<y.
+     */
+    ret = ( x - y ) & ~cond;
+    /*
+     * If the MSB are different, then the operand with the MSB of 1 is the
+     * bigger. (That is if y has MSB of 1, then x<y is true and it is false if
+     * the MSB of y is 0.)
+     */
+    ret |= y & cond;
+
+
+    ret = ret >> ( biL - 1 );
+
+    return (unsigned) ret;
+}
+
+/*
+ * Compare signed values in constant time
+ */
+int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X, const mbedtls_mpi *Y,
+        unsigned *ret )
+{
+    size_t i;
+    /* The value of any of these variables is either 0 or 1 at all times. */
+    unsigned cond, done, X_is_negative, Y_is_negative;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( Y != NULL );
+    MPI_VALIDATE_RET( ret != NULL );
+
+    if( X->n != Y->n )
+        return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+    /*
+     * Set sign_N to 1 if N >= 0, 0 if N < 0.
+     * We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
+     */
+    X_is_negative = ( X->s & 2 ) >> 1;
+    Y_is_negative = ( Y->s & 2 ) >> 1;
+
+    /*
+     * If the signs are different, then the positive operand is the bigger.
+     * That is if X is negative (X_is_negative == 1), then X < Y is true and it
+     * is false if X is positive (X_is_negative == 0).
+     */
+    cond = ( X_is_negative ^ Y_is_negative );
+    *ret = cond & X_is_negative;
+
+    /*
+     * This is a constant-time function. We might have the result, but we still
+     * need to go through the loop. Record if we have the result already.
+     */
+    done = cond;
+
+    for( i = X->n; i > 0; i-- )
+    {
+        /*
+         * If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
+         * X and Y are negative.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( Y->p[i - 1], X->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & X_is_negative;
+        done |= cond;
+
+        /*
+         * If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
+         * X and Y are positive.
+         *
+         * Again even if we can make a decision, we just mark the result and
+         * the fact that we are done and continue looping.
+         */
+        cond = ct_lt_mpi_uint( X->p[i - 1], Y->p[i - 1] );
+        *ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
+        done |= cond;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Compare signed values
+ */
+int mbedtls_mpi_cmp_int( const mbedtls_mpi *X, mbedtls_mpi_sint z )
+{
+    mbedtls_mpi Y;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+
+    *p  = ( z < 0 ) ? -z : z;
+    Y.s = ( z < 0 ) ? -1 : 1;
+    Y.n = 1;
+    Y.p = p;
+
+    return( mbedtls_mpi_cmp_mpi( X, &Y ) );
+}
+
+/*
+ * Unsigned addition: X = |A| + |B|  (HAC 14.7)
+ */
+int mbedtls_mpi_add_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, j;
+    mbedtls_mpi_uint *o, *p, c, tmp;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( X == B )
+    {
+        const mbedtls_mpi *T = A; A = X; B = T;
+    }
+
+    if( X != A )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
+
+    /*
+     * X should always be positive as a result of unsigned additions.
+     */
+    X->s = 1;
+
+    for( j = B->n; j > 0; j-- )
+        if( B->p[j - 1] != 0 )
+            break;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
+
+    o = B->p; p = X->p; c = 0;
+
+    /*
+     * tmp is used because it might happen that p == o
+     */
+    for( i = 0; i < j; i++, o++, p++ )
+    {
+        tmp= *o;
+        *p +=  c; c  = ( *p <  c );
+        *p += tmp; c += ( *p < tmp );
+    }
+
+    while( c != 0 )
+    {
+        if( i >= X->n )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + 1 ) );
+            p = X->p + i;
+        }
+
+        *p += c; c = ( *p < c ); i++; p++;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Helper for mbedtls_mpi subtraction
+ */
+static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
+{
+    size_t i;
+    mbedtls_mpi_uint c, z;
+
+    for( i = c = 0; i < n; i++, s++, d++ )
+    {
+        z = ( *d <  c );     *d -=  c;
+        c = ( *d < *s ) + z; *d -= *s;
+    }
+
+    while( c != 0 )
+    {
+        z = ( *d < c ); *d -= c;
+        c = z; d++;
+    }
+}
+
+/*
+ * Unsigned subtraction: X = |A| - |B|  (HAC 14.9)
+ */
+int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    mbedtls_mpi TB;
+    int ret;
+    size_t n;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    mbedtls_mpi_init( &TB );
+
+    if( X == B )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
+        B = &TB;
+    }
+
+    if( X != A )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
+
+    /*
+     * X should always be positive as a result of unsigned subtractions.
+     */
+    X->s = 1;
+
+    ret = 0;
+
+    for( n = B->n; n > 0; n-- )
+        if( B->p[n - 1] != 0 )
+            break;
+
+    mpi_sub_hlp( n, B->p, X->p );
+
+cleanup:
+
+    mbedtls_mpi_free( &TB );
+
+    return( ret );
+}
+
+/*
+ * Signed addition: X = A + B
+ */
+int mbedtls_mpi_add_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret, s;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    s = A->s;
+    if( A->s * B->s < 0 )
+    {
+        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
+            X->s =  s;
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+            X->s = -s;
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
+        X->s = s;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Signed subtraction: X = A - B
+ */
+int mbedtls_mpi_sub_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret, s;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    s = A->s;
+    if( A->s * B->s > 0 )
+    {
+        if( mbedtls_mpi_cmp_abs( A, B ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, A, B ) );
+            X->s =  s;
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( X, B, A ) );
+            X->s = -s;
+        }
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( X, A, B ) );
+        X->s = s;
+    }
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Signed addition: X = A + b
+ */
+int mbedtls_mpi_add_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_add_mpi( X, A, &_B ) );
+}
+
+/*
+ * Signed subtraction: X = A - b
+ */
+int mbedtls_mpi_sub_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_sub_mpi( X, A, &_B ) );
+}
+
+/*
+ * Helper for mbedtls_mpi multiplication
+ */
+static
+#if defined(__APPLE__) && defined(__arm__)
+/*
+ * Apple LLVM version 4.2 (clang-425.0.24) (based on LLVM 3.2svn)
+ * appears to need this to prevent bad ARM code generation at -O3.
+ */
+__attribute__ ((noinline))
+#endif
+void mpi_mul_hlp( size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi_uint b )
+{
+    mbedtls_mpi_uint c = 0, t = 0;
+
+#if defined(MULADDC_HUIT)
+    for( ; i >= 8; i -= 8 )
+    {
+        MULADDC_INIT
+        MULADDC_HUIT
+        MULADDC_STOP
+    }
+
+    for( ; i > 0; i-- )
+    {
+        MULADDC_INIT
+        MULADDC_CORE
+        MULADDC_STOP
+    }
+#else /* MULADDC_HUIT */
+    for( ; i >= 16; i -= 16 )
+    {
+        MULADDC_INIT
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_STOP
+    }
+
+    for( ; i >= 8; i -= 8 )
+    {
+        MULADDC_INIT
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_CORE   MULADDC_CORE
+        MULADDC_STOP
+    }
+
+    for( ; i > 0; i-- )
+    {
+        MULADDC_INIT
+        MULADDC_CORE
+        MULADDC_STOP
+    }
+#endif /* MULADDC_HUIT */
+
+    t++;
+
+    do {
+        *d += c; c = ( *d < c ); d++;
+    }
+    while( c != 0 );
+}
+
+/*
+ * Baseline multiplication: X = A * B  (HAC 14.12)
+ */
+int mbedtls_mpi_mul_mpi( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, j;
+    mbedtls_mpi TA, TB;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
+
+    if( X == A ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) ); A = &TA; }
+    if( X == B ) { MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) ); B = &TB; }
+
+    for( i = A->n; i > 0; i-- )
+        if( A->p[i - 1] != 0 )
+            break;
+
+    for( j = B->n; j > 0; j-- )
+        if( B->p[j - 1] != 0 )
+            break;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    for( ; j > 0; j-- )
+        mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
+
+    X->s = A->s * B->s;
+
+cleanup:
+
+    mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TA );
+
+    return( ret );
+}
+
+/*
+ * Baseline multiplication: X = A * b
+ */
+int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    _B.s = 1;
+    _B.n = 1;
+    _B.p = p;
+    p[0] = b;
+
+    return( mbedtls_mpi_mul_mpi( X, A, &_B ) );
+}
+
+/*
+ * Unsigned integer divide - double mbedtls_mpi_uint dividend, u1/u0, and
+ * mbedtls_mpi_uint divisor, d
+ */
+static mbedtls_mpi_uint mbedtls_int_div_int( mbedtls_mpi_uint u1,
+            mbedtls_mpi_uint u0, mbedtls_mpi_uint d, mbedtls_mpi_uint *r )
+{
+#if defined(MBEDTLS_HAVE_UDBL)
+    mbedtls_t_udbl dividend, quotient;
+#else
+    const mbedtls_mpi_uint radix = (mbedtls_mpi_uint) 1 << biH;
+    const mbedtls_mpi_uint uint_halfword_mask = ( (mbedtls_mpi_uint) 1 << biH ) - 1;
+    mbedtls_mpi_uint d0, d1, q0, q1, rAX, r0, quotient;
+    mbedtls_mpi_uint u0_msw, u0_lsw;
+    size_t s;
+#endif
+
+    /*
+     * Check for overflow
+     */
+    if( 0 == d || u1 >= d )
+    {
+        if (r != NULL) *r = ~0;
+
+        return ( ~0 );
+    }
+
+#if defined(MBEDTLS_HAVE_UDBL)
+    dividend  = (mbedtls_t_udbl) u1 << biL;
+    dividend |= (mbedtls_t_udbl) u0;
+    quotient = dividend / d;
+    if( quotient > ( (mbedtls_t_udbl) 1 << biL ) - 1 )
+        quotient = ( (mbedtls_t_udbl) 1 << biL ) - 1;
+
+    if( r != NULL )
+        *r = (mbedtls_mpi_uint)( dividend - (quotient * d ) );
+
+    return (mbedtls_mpi_uint) quotient;
+#else
+
+    /*
+     * Algorithm D, Section 4.3.1 - The Art of Computer Programming
+     *   Vol. 2 - Seminumerical Algorithms, Knuth
+     */
+
+    /*
+     * Normalize the divisor, d, and dividend, u0, u1
+     */
+    s = mbedtls_clz( d );
+    d = d << s;
+
+    u1 = u1 << s;
+    u1 |= ( u0 >> ( biL - s ) ) & ( -(mbedtls_mpi_sint)s >> ( biL - 1 ) );
+    u0 =  u0 << s;
+
+    d1 = d >> biH;
+    d0 = d & uint_halfword_mask;
+
+    u0_msw = u0 >> biH;
+    u0_lsw = u0 & uint_halfword_mask;
+
+    /*
+     * Find the first quotient and remainder
+     */
+    q1 = u1 / d1;
+    r0 = u1 - d1 * q1;
+
+    while( q1 >= radix || ( q1 * d0 > radix * r0 + u0_msw ) )
+    {
+        q1 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    rAX = ( u1 * radix ) + ( u0_msw - q1 * d );
+    q0 = rAX / d1;
+    r0 = rAX - q0 * d1;
+
+    while( q0 >= radix || ( q0 * d0 > radix * r0 + u0_lsw ) )
+    {
+        q0 -= 1;
+        r0 += d1;
+
+        if ( r0 >= radix ) break;
+    }
+
+    if (r != NULL)
+        *r = ( rAX * radix + u0_lsw - q0 * d ) >> s;
+
+    quotient = q1 * radix + q0;
+
+    return quotient;
+#endif
+}
+
+/*
+ * Division by mbedtls_mpi: A = Q * B + R  (HAC 14.20)
+ */
+int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A,
+                         const mbedtls_mpi *B )
+{
+    int ret;
+    size_t i, n, t, k;
+    mbedtls_mpi X, Y, Z, T1, T2;
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( mbedtls_mpi_cmp_int( B, 0 ) == 0 )
+        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
+
+    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
+    mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 );
+
+    if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
+    {
+        if( Q != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_lset( Q, 0 ) );
+        if( R != NULL ) MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, A ) );
+        return( 0 );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &X, A ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, B ) );
+    X.s = Y.s = 1;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z,  0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T2, 3 ) );
+
+    k = mbedtls_mpi_bitlen( &Y ) % biL;
+    if( k < biL - 1 )
+    {
+        k = biL - 1 - k;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &X, k ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, k ) );
+    }
+    else k = 0;
+
+    n = X.n - 1;
+    t = Y.n - 1;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &Y, biL * ( n - t ) ) );
+
+    while( mbedtls_mpi_cmp_mpi( &X, &Y ) >= 0 )
+    {
+        Z.p[n - t]++;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &Y ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, biL * ( n - t ) ) );
+
+    for( i = n; i > t ; i-- )
+    {
+        if( X.p[i] >= Y.p[t] )
+            Z.p[i - t - 1] = ~0;
+        else
+        {
+            Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
+                                                            Y.p[t], NULL);
+        }
+
+        Z.p[i - t - 1]++;
+        do
+        {
+            Z.p[i - t - 1]--;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T1, 0 ) );
+            T1.p[0] = ( t < 1 ) ? 0 : Y.p[t - 1];
+            T1.p[1] = Y.p[t];
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &T2, 0 ) );
+            T2.p[0] = ( i < 2 ) ? 0 : X.p[i - 2];
+            T2.p[1] = ( i < 1 ) ? 0 : X.p[i - 1];
+            T2.p[2] = X.p[i];
+        }
+        while( mbedtls_mpi_cmp_mpi( &T1, &T2 ) > 0 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1,  biL * ( i - t - 1 ) ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X, &X, &T1 ) );
+
+        if( mbedtls_mpi_cmp_int( &X, 0 ) < 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &T1, &Y ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T1, biL * ( i - t - 1 ) ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &X, &X, &T1 ) );
+            Z.p[i - t - 1]--;
+        }
+    }
+
+    if( Q != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( Q, &Z ) );
+        Q->s = A->s * B->s;
+    }
+
+    if( R != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &X, k ) );
+        X.s = A->s;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( R, &X ) );
+
+        if( mbedtls_mpi_cmp_int( R, 0 ) == 0 )
+            R->s = 1;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
+    mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 );
+
+    return( ret );
+}
+
+/*
+ * Division by int: A = Q * b + R
+ */
+int mbedtls_mpi_div_int( mbedtls_mpi *Q, mbedtls_mpi *R,
+                         const mbedtls_mpi *A,
+                         mbedtls_mpi_sint b )
+{
+    mbedtls_mpi _B;
+    mbedtls_mpi_uint p[1];
+    MPI_VALIDATE_RET( A != NULL );
+
+    p[0] = ( b < 0 ) ? -b : b;
+    _B.s = ( b < 0 ) ? -1 : 1;
+    _B.n = 1;
+    _B.p = p;
+
+    return( mbedtls_mpi_div_mpi( Q, R, A, &_B ) );
+}
+
+/*
+ * Modulo: R = A mod B
+ */
+int mbedtls_mpi_mod_mpi( mbedtls_mpi *R, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    MPI_VALIDATE_RET( R != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    if( mbedtls_mpi_cmp_int( B, 0 ) < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( NULL, R, A, B ) );
+
+    while( mbedtls_mpi_cmp_int( R, 0 ) < 0 )
+      MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( R, R, B ) );
+
+    while( mbedtls_mpi_cmp_mpi( R, B ) >= 0 )
+      MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( R, R, B ) );
+
+cleanup:
+
+    return( ret );
+}
+
+/*
+ * Modulo: r = A mod b
+ */
+int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_sint b )
+{
+    size_t i;
+    mbedtls_mpi_uint x, y, z;
+    MPI_VALIDATE_RET( r != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+
+    if( b == 0 )
+        return( MBEDTLS_ERR_MPI_DIVISION_BY_ZERO );
+
+    if( b < 0 )
+        return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
+
+    /*
+     * handle trivial cases
+     */
+    if( b == 1 )
+    {
+        *r = 0;
+        return( 0 );
+    }
+
+    if( b == 2 )
+    {
+        *r = A->p[0] & 1;
+        return( 0 );
+    }
+
+    /*
+     * general case
+     */
+    for( i = A->n, y = 0; i > 0; i-- )
+    {
+        x  = A->p[i - 1];
+        y  = ( y << biH ) | ( x >> biH );
+        z  = y / b;
+        y -= z * b;
+
+        x <<= biH;
+        y  = ( y << biH ) | ( x >> biH );
+        z  = y / b;
+        y -= z * b;
+    }
+
+    /*
+     * If A is negative, then the current y represents a negative value.
+     * Flipping it to the positive side.
+     */
+    if( A->s < 0 && y != 0 )
+        y = b - y;
+
+    *r = y;
+
+    return( 0 );
+}
+
+/*
+ * Fast Montgomery initialization (thanks to Tom St Denis)
+ */
+static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
+{
+    mbedtls_mpi_uint x, m0 = N->p[0];
+    unsigned int i;
+
+    x  = m0;
+    x += ( ( m0 + 2 ) & 4 ) << 1;
+
+    for( i = biL; i >= 8; i /= 2 )
+        x *= ( 2 - ( m0 * x ) );
+
+    *mm = ~x + 1;
+}
+
+/*
+ * Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
+ */
+static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+                         const mbedtls_mpi *T )
+{
+    size_t i, n, m;
+    mbedtls_mpi_uint u0, u1, *d;
+
+    if( T->n < N->n + 1 || T->p == NULL )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    memset( T->p, 0, T->n * ciL );
+
+    d = T->p;
+    n = N->n;
+    m = ( B->n < n ) ? B->n : n;
+
+    for( i = 0; i < n; i++ )
+    {
+        /*
+         * T = (T + u0*B + u1*N) / 2^biL
+         */
+        u0 = A->p[i];
+        u1 = ( d[0] + u0 * B->p[0] ) * mm;
+
+        mpi_mul_hlp( m, B->p, d, u0 );
+        mpi_mul_hlp( n, N->p, d, u1 );
+
+        *d++ = u0; d[n + 1] = 0;
+    }
+
+    memcpy( A->p, d, ( n + 1 ) * ciL );
+
+    if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
+        mpi_sub_hlp( n, N->p, A->p );
+    else
+        /* prevent timing attacks */
+        mpi_sub_hlp( n, A->p, T->p );
+
+    return( 0 );
+}
+
+/*
+ * Montgomery reduction: A = A * R^-1 mod N
+ */
+static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
+                        mbedtls_mpi_uint mm, const mbedtls_mpi *T )
+{
+    mbedtls_mpi_uint z = 1;
+    mbedtls_mpi U;
+
+    U.n = U.s = (int) z;
+    U.p = &z;
+
+    return( mpi_montmul( A, &U, N, mm, T ) );
+}
+
+/*
+ * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
+ */
+int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
+                         const mbedtls_mpi *E, const mbedtls_mpi *N,
+                         mbedtls_mpi *_RR )
+{
+    int ret;
+    size_t wbits, wsize, one = 1;
+    size_t i, j, nblimbs;
+    size_t bufsize, nbits;
+    mbedtls_mpi_uint ei, mm, state;
+    mbedtls_mpi RR, T, W[ 2 << MBEDTLS_MPI_WINDOW_SIZE ], Apos;
+    int neg;
+
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( E != NULL );
+    MPI_VALIDATE_RET( N != NULL );
+
+    if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 || ( N->p[0] & 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    /*
+     * Init temps and window size
+     */
+    mpi_montg_init( &mm, N );
+    mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &T );
+    mbedtls_mpi_init( &Apos );
+    memset( W, 0, sizeof( W ) );
+
+    i = mbedtls_mpi_bitlen( E );
+
+    wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
+            ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
+
+#if( MBEDTLS_MPI_WINDOW_SIZE < 6 )
+    if( wsize > MBEDTLS_MPI_WINDOW_SIZE )
+        wsize = MBEDTLS_MPI_WINDOW_SIZE;
+#endif
+
+    j = N->n + 1;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1],  j ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
+
+    /*
+     * Compensate for negative A (and correct at the end)
+     */
+    neg = ( A->s == -1 );
+    if( neg )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Apos, A ) );
+        Apos.s = 1;
+        A = &Apos;
+    }
+
+    /*
+     * If 1st call, pre-compute R^2 mod N
+     */
+    if( _RR == NULL || _RR->p == NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &RR, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &RR, N->n * 2 * biL ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &RR, &RR, N ) );
+
+        if( _RR != NULL )
+            memcpy( _RR, &RR, sizeof( mbedtls_mpi ) );
+    }
+    else
+        memcpy( &RR, _RR, sizeof( mbedtls_mpi ) );
+
+    /*
+     * W[1] = A * R^2 * R^-1 mod N = A * R mod N
+     */
+    if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
+    else
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
+
+    MBEDTLS_MPI_CHK( mpi_montmul( &W[1], &RR, N, mm, &T ) );
+
+    /*
+     * X = R^2 * R^-1 mod N = R mod N
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
+    MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
+
+    if( wsize > 1 )
+    {
+        /*
+         * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
+         */
+        j =  one << ( wsize - 1 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[j], N->n + 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1]    ) );
+
+        for( i = 0; i < wsize - 1; i++ )
+            MBEDTLS_MPI_CHK( mpi_montmul( &W[j], &W[j], N, mm, &T ) );
+
+        /*
+         * W[i] = W[i - 1] * W[1]
+         */
+        for( i = j + 1; i < ( one << wsize ); i++ )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
+
+            MBEDTLS_MPI_CHK( mpi_montmul( &W[i], &W[1], N, mm, &T ) );
+        }
+    }
+
+    nblimbs = E->n;
+    bufsize = 0;
+    nbits   = 0;
+    wbits   = 0;
+    state   = 0;
+
+    while( 1 )
+    {
+        if( bufsize == 0 )
+        {
+            if( nblimbs == 0 )
+                break;
+
+            nblimbs--;
+
+            bufsize = sizeof( mbedtls_mpi_uint ) << 3;
+        }
+
+        bufsize--;
+
+        ei = (E->p[nblimbs] >> bufsize) & 1;
+
+        /*
+         * skip leading 0s
+         */
+        if( ei == 0 && state == 0 )
+            continue;
+
+        if( ei == 0 && state == 1 )
+        {
+            /*
+             * out of window, square X
+             */
+            MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
+            continue;
+        }
+
+        /*
+         * add ei to current window
+         */
+        state = 2;
+
+        nbits++;
+        wbits |= ( ei << ( wsize - nbits ) );
+
+        if( nbits == wsize )
+        {
+            /*
+             * X = X^wsize R^-1 mod N
+             */
+            for( i = 0; i < wsize; i++ )
+                MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
+
+            /*
+             * X = X * W[wbits] R^-1 mod N
+             */
+            MBEDTLS_MPI_CHK( mpi_montmul( X, &W[wbits], N, mm, &T ) );
+
+            state--;
+            nbits = 0;
+            wbits = 0;
+        }
+    }
+
+    /*
+     * process the remaining bits
+     */
+    for( i = 0; i < nbits; i++ )
+    {
+        MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
+
+        wbits <<= 1;
+
+        if( ( wbits & ( one << wsize ) ) != 0 )
+            MBEDTLS_MPI_CHK( mpi_montmul( X, &W[1], N, mm, &T ) );
+    }
+
+    /*
+     * X = A^E * R * R^-1 mod N = A^E mod N
+     */
+    MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
+
+    if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
+    {
+        X->s = -1;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) );
+    }
+
+cleanup:
+
+    for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )
+        mbedtls_mpi_free( &W[i] );
+
+    mbedtls_mpi_free( &W[1] ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
+
+    if( _RR == NULL || _RR->p == NULL )
+        mbedtls_mpi_free( &RR );
+
+    return( ret );
+}
+
+/*
+ * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
+ */
+int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A, const mbedtls_mpi *B )
+{
+    int ret;
+    size_t lz, lzt;
+    mbedtls_mpi TG, TA, TB;
+
+    MPI_VALIDATE_RET( G != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( B != NULL );
+
+    mbedtls_mpi_init( &TG ); mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TB );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TA, A ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
+
+    lz = mbedtls_mpi_lsb( &TA );
+    lzt = mbedtls_mpi_lsb( &TB );
+
+    if( lzt < lz )
+        lz = lzt;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, lz ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, lz ) );
+
+    TA.s = TB.s = 1;
+
+    while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
+
+        if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, 1 ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
+        }
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &TG ); mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TB );
+
+    return( ret );
+}
+
+/*
+ * Fill X with size bytes of random.
+ *
+ * Use a temporary bytes representation to make sure the result is the same
+ * regardless of the platform endianness (useful when f_rng is actually
+ * deterministic, eg for tests).
+ */
+int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    size_t const limbs = CHARS_TO_LIMBS( size );
+    size_t const overhead = ( limbs * ciL ) - size;
+    unsigned char *Xp;
+
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    /* Ensure that target MPI has exactly the necessary number of limbs */
+    if( X->n != limbs )
+    {
+        mbedtls_mpi_free( X );
+        mbedtls_mpi_init( X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
+    }
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+
+    Xp = (unsigned char*) X->p;
+    f_rng( p_rng, Xp + overhead, size );
+
+    mpi_bigendian_to_host( X->p, limbs );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Modular inverse: X = A^-1 mod N  (HAC 14.61 / 14.64)
+ */
+int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *N )
+{
+    int ret;
+    mbedtls_mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
+    MPI_VALIDATE_RET( X != NULL );
+    MPI_VALIDATE_RET( A != NULL );
+    MPI_VALIDATE_RET( N != NULL );
+
+    if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &TA ); mbedtls_mpi_init( &TU ); mbedtls_mpi_init( &U1 ); mbedtls_mpi_init( &U2 );
+    mbedtls_mpi_init( &G ); mbedtls_mpi_init( &TB ); mbedtls_mpi_init( &TV );
+    mbedtls_mpi_init( &V1 ); mbedtls_mpi_init( &V2 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, A, N ) );
+
+    if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &TA, A, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TU, &TA ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TV, N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U1, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &U2, 0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V1, 0 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &V2, 1 ) );
+
+    do
+    {
+        while( ( TU.p[0] & 1 ) == 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TU, 1 ) );
+
+            if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &U1, &U1, &TB ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &TA ) );
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U1, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &U2, 1 ) );
+        }
+
+        while( ( TV.p[0] & 1 ) == 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TV, 1 ) );
+
+            if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
+            {
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, &TB ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &TA ) );
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V1, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &V2, 1 ) );
+        }
+
+        if( mbedtls_mpi_cmp_mpi( &TU, &TV ) >= 0 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TU, &TU, &TV ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U1, &U1, &V1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U2, &U2, &V2 ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &TV, &TV, &TU ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, &U1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V2, &V2, &U2 ) );
+        }
+    }
+    while( mbedtls_mpi_cmp_int( &TU, 0 ) != 0 );
+
+    while( mbedtls_mpi_cmp_int( &V1, 0 ) < 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &V1, &V1, N ) );
+
+    while( mbedtls_mpi_cmp_mpi( &V1, N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &V1, &V1, N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &V1 ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &TA ); mbedtls_mpi_free( &TU ); mbedtls_mpi_free( &U1 ); mbedtls_mpi_free( &U2 );
+    mbedtls_mpi_free( &G ); mbedtls_mpi_free( &TB ); mbedtls_mpi_free( &TV );
+    mbedtls_mpi_free( &V1 ); mbedtls_mpi_free( &V2 );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_GENPRIME)
+
+static const int small_prime[] =
+{
+        3,    5,    7,   11,   13,   17,   19,   23,
+       29,   31,   37,   41,   43,   47,   53,   59,
+       61,   67,   71,   73,   79,   83,   89,   97,
+      101,  103,  107,  109,  113,  127,  131,  137,
+      139,  149,  151,  157,  163,  167,  173,  179,
+      181,  191,  193,  197,  199,  211,  223,  227,
+      229,  233,  239,  241,  251,  257,  263,  269,
+      271,  277,  281,  283,  293,  307,  311,  313,
+      317,  331,  337,  347,  349,  353,  359,  367,
+      373,  379,  383,  389,  397,  401,  409,  419,
+      421,  431,  433,  439,  443,  449,  457,  461,
+      463,  467,  479,  487,  491,  499,  503,  509,
+      521,  523,  541,  547,  557,  563,  569,  571,
+      577,  587,  593,  599,  601,  607,  613,  617,
+      619,  631,  641,  643,  647,  653,  659,  661,
+      673,  677,  683,  691,  701,  709,  719,  727,
+      733,  739,  743,  751,  757,  761,  769,  773,
+      787,  797,  809,  811,  821,  823,  827,  829,
+      839,  853,  857,  859,  863,  877,  881,  883,
+      887,  907,  911,  919,  929,  937,  941,  947,
+      953,  967,  971,  977,  983,  991,  997, -103
+};
+
+/*
+ * Small divisors test (X must be positive)
+ *
+ * Return values:
+ * 0: no small factor (possible prime, more tests needed)
+ * 1: certain prime
+ * MBEDTLS_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
+ * other negative: error
+ */
+static int mpi_check_small_factors( const mbedtls_mpi *X )
+{
+    int ret = 0;
+    size_t i;
+    mbedtls_mpi_uint r;
+
+    if( ( X->p[0] & 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+    for( i = 0; small_prime[i] > 0; i++ )
+    {
+        if( mbedtls_mpi_cmp_int( X, small_prime[i] ) <= 0 )
+            return( 1 );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, small_prime[i] ) );
+
+        if( r == 0 )
+            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Miller-Rabin pseudo-primality test  (HAC 4.24)
+ */
+static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng )
+{
+    int ret, count;
+    size_t i, j, k, s;
+    mbedtls_mpi W, R, T, A, RR;
+
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    mbedtls_mpi_init( &W ); mbedtls_mpi_init( &R );
+    mbedtls_mpi_init( &T ); mbedtls_mpi_init( &A );
+    mbedtls_mpi_init( &RR );
+
+    /*
+     * W = |X| - 1
+     * R = W >> lsb( W )
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &W, X, 1 ) );
+    s = mbedtls_mpi_lsb( &W );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R, &W ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &R, s ) );
+
+    for( i = 0; i < rounds; i++ )
+    {
+        /*
+         * pick a random A, 1 < A < |X| - 1
+         */
+        count = 0;
+        do {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
+
+            j = mbedtls_mpi_bitlen( &A );
+            k = mbedtls_mpi_bitlen( &W );
+            if (j > k) {
+                A.p[A.n - 1] &= ( (mbedtls_mpi_uint) 1 << ( k - ( A.n - 1 ) * biL - 1 ) ) - 1;
+            }
+
+            if (count++ > 30) {
+                ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+                goto cleanup;
+            }
+
+        } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||
+                  mbedtls_mpi_cmp_int( &A, 1 )  <= 0    );
+
+        /*
+         * A = A^R mod |X|
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &A, &A, &R, X, &RR ) );
+
+        if( mbedtls_mpi_cmp_mpi( &A, &W ) == 0 ||
+            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
+            continue;
+
+        j = 1;
+        while( j < s && mbedtls_mpi_cmp_mpi( &A, &W ) != 0 )
+        {
+            /*
+             * A = A * A mod |X|
+             */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &A, &A ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &A, &T, X  ) );
+
+            if( mbedtls_mpi_cmp_int( &A, 1 ) == 0 )
+                break;
+
+            j++;
+        }
+
+        /*
+         * not prime if A != |X| - 1 or A == 1
+         */
+        if( mbedtls_mpi_cmp_mpi( &A, &W ) != 0 ||
+            mbedtls_mpi_cmp_int( &A,  1 ) == 0 )
+        {
+            ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+            break;
+        }
+    }
+
+cleanup:
+    mbedtls_mpi_free( &W ); mbedtls_mpi_free( &R );
+    mbedtls_mpi_free( &T ); mbedtls_mpi_free( &A );
+    mbedtls_mpi_free( &RR );
+
+    return( ret );
+}
+
+/*
+ * Pseudo-primality test: small factors, then Miller-Rabin
+ */
+int mbedtls_mpi_is_prime_ext( const mbedtls_mpi *X, int rounds,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    mbedtls_mpi XX;
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    XX.s = 1;
+    XX.n = X->n;
+    XX.p = X->p;
+
+    if( mbedtls_mpi_cmp_int( &XX, 0 ) == 0 ||
+        mbedtls_mpi_cmp_int( &XX, 1 ) == 0 )
+        return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+    if( mbedtls_mpi_cmp_int( &XX, 2 ) == 0 )
+        return( 0 );
+
+    if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
+    {
+        if( ret == 1 )
+            return( 0 );
+
+        return( ret );
+    }
+
+    return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/*
+ * Pseudo-primality test, error probability 2^-80
+ */
+int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    /*
+     * In the past our key generation aimed for an error rate of at most
+     * 2^-80. Since this function is deprecated, aim for the same certainty
+     * here as well.
+     */
+    return( mbedtls_mpi_is_prime_ext( X, 40, f_rng, p_rng ) );
+}
+#endif
+
+/*
+ * Prime number generation
+ *
+ * To generate an RSA key in a way recommended by FIPS 186-4, both primes must
+ * be either 1024 bits or 1536 bits long, and flags must contain
+ * MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR.
+ */
+int mbedtls_mpi_gen_prime( mbedtls_mpi *X, size_t nbits, int flags,
+                   int (*f_rng)(void *, unsigned char *, size_t),
+                   void *p_rng )
+{
+#ifdef MBEDTLS_HAVE_INT64
+// ceil(2^63.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f333f9de6485ULL
+#else
+// ceil(2^31.5)
+#define CEIL_MAXUINT_DIV_SQRT2 0xb504f334U
+#endif
+    int ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+    size_t k, n;
+    int rounds;
+    mbedtls_mpi_uint r;
+    mbedtls_mpi Y;
+
+    MPI_VALIDATE_RET( X     != NULL );
+    MPI_VALIDATE_RET( f_rng != NULL );
+
+    if( nbits < 3 || nbits > MBEDTLS_MPI_MAX_BITS )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &Y );
+
+    n = BITS_TO_LIMBS( nbits );
+
+    if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR ) == 0 )
+    {
+        /*
+         * 2^-80 error probability, number of rounds chosen per HAC, table 4.4
+         */
+        rounds = ( ( nbits >= 1300 ) ?  2 : ( nbits >=  850 ) ?  3 :
+                   ( nbits >=  650 ) ?  4 : ( nbits >=  350 ) ?  8 :
+                   ( nbits >=  250 ) ? 12 : ( nbits >=  150 ) ? 18 : 27 );
+    }
+    else
+    {
+        /*
+         * 2^-100 error probability, number of rounds computed based on HAC,
+         * fact 4.48
+         */
+        rounds = ( ( nbits >= 1450 ) ?  4 : ( nbits >=  1150 ) ?  5 :
+                   ( nbits >= 1000 ) ?  6 : ( nbits >=   850 ) ?  7 :
+                   ( nbits >=  750 ) ?  8 : ( nbits >=   500 ) ? 13 :
+                   ( nbits >=  250 ) ? 28 : ( nbits >=   150 ) ? 40 : 51 );
+    }
+
+    while( 1 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
+        /* make sure generated number is at least (nbits-1)+0.5 bits (FIPS 186-4 §B.3.3 steps 4.4, 5.5) */
+        if( X->p[n-1] < CEIL_MAXUINT_DIV_SQRT2 ) continue;
+
+        k = n * biL;
+        if( k > nbits ) MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, k - nbits ) );
+        X->p[0] |= 1;
+
+        if( ( flags & MBEDTLS_MPI_GEN_PRIME_FLAG_DH ) == 0 )
+        {
+            ret = mbedtls_mpi_is_prime_ext( X, rounds, f_rng, p_rng );
+
+            if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+                goto cleanup;
+        }
+        else
+        {
+            /*
+             * An necessary condition for Y and X = 2Y + 1 to be prime
+             * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
+             * Make sure it is satisfied, while keeping X = 3 mod 4
+             */
+
+            X->p[0] |= 2;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_int( &r, X, 3 ) );
+            if( r == 0 )
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 8 ) );
+            else if( r == 1 )
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, X, 4 ) );
+
+            /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Y, X ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Y, 1 ) );
+
+            while( 1 )
+            {
+                /*
+                 * First, check small factors for X and Y
+                 * before doing Miller-Rabin on any of them
+                 */
+                if( ( ret = mpi_check_small_factors(  X         ) ) == 0 &&
+                    ( ret = mpi_check_small_factors( &Y         ) ) == 0 &&
+                    ( ret = mpi_miller_rabin(  X, rounds, f_rng, p_rng  ) )
+                                                                    == 0 &&
+                    ( ret = mpi_miller_rabin( &Y, rounds, f_rng, p_rng  ) )
+                                                                    == 0 )
+                    goto cleanup;
+
+                if( ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+                    goto cleanup;
+
+                /*
+                 * Next candidates. We want to preserve Y = (X-1) / 2 and
+                 * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
+                 * so up Y by 6 and X by 12.
+                 */
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int(  X,  X, 12 ) );
+                MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &Y, &Y, 6  ) );
+            }
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &Y );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#define GCD_PAIR_COUNT  3
+
+static const int gcd_pairs[GCD_PAIR_COUNT][3] =
+{
+    { 693, 609, 21 },
+    { 1764, 868, 28 },
+    { 768454923, 542167814, 1 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_mpi_self_test( int verbose )
+{
+    int ret, i;
+    mbedtls_mpi A, E, N, X, Y, U, V;
+
+    mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N ); mbedtls_mpi_init( &X );
+    mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &U ); mbedtls_mpi_init( &V );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &A, 16,
+        "EFE021C2645FD1DC586E69184AF4A31E" \
+        "D5F53E93B5F123FA41680867BA110131" \
+        "944FE7952E2517337780CB0DB80E61AA" \
+        "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &E, 16,
+        "B2E7EFD37075B9F03FF989C7C5051C20" \
+        "34D2A323810251127E7BF8625A4F49A5" \
+        "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
+        "5B5C25763222FEFCCFC38B832366C29E" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &N, 16,
+        "0066A198186C18C10B2F5ED9B522752A" \
+        "9830B69916E535C8F047518A889A43A5" \
+        "94B6BED27A168D31D4A52F88925AA8F5" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "602AB7ECA597A3D6B56FF9829A5E8B85" \
+        "9E857EA95A03512E2BAE7391688D264A" \
+        "A5663B0341DB9CCFD2C4C5F421FEC814" \
+        "8001B72E848A38CAE1C65F78E56ABDEF" \
+        "E12D3C039B8A02D6BE593F0BBBDA56F1" \
+        "ECF677152EF804370C1A305CAF3B5BF1" \
+        "30879B56C61DE584A0F53A2447A51E" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #1 (mul_mpi): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &X, &Y, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "256567336059E52CAE22925474705F39A94" ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &V, 16,
+        "6613F26162223DF488E9CD48CC132C7A" \
+        "0AC93C701B001B092E4E5B9F73BCD27B" \
+        "9EE50D0657C77F374E903CDFA4C642" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #2 (div_mpi): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 ||
+        mbedtls_mpi_cmp_mpi( &Y, &V ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &X, &A, &E, &N, NULL ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "36E139AEA55215609D2816998ED020BB" \
+        "BD96C37890F65171D948E9BC7CBAA4D9" \
+        "325D24D6A3C12710F10A09FA08AB87" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #3 (exp_mod): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &X, &A, &N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &U, 16,
+        "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
+        "C3DBA76456363A10869622EAC2DD84EC" \
+        "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #4 (inv_mod): " );
+
+    if( mbedtls_mpi_cmp_mpi( &X, &U ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MPI test #5 (simple gcd): " );
+
+    for( i = 0; i < GCD_PAIR_COUNT; i++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &X, gcd_pairs[i][0] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Y, gcd_pairs[i][1] ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &A, &X, &Y ) );
+
+        if( mbedtls_mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed at %d\n", i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+
+    if( ret != 0 && verbose != 0 )
+        mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+
+    mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
+    mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_BIGNUM_C */
diff --git a/makerom/deps/libmbedtls/src/blowfish.c b/makerom/deps/libmbedtls/src/blowfish.c
new file mode 100644
index 00000000..cbf92382
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/blowfish.c
@@ -0,0 +1,696 @@
+/*
+ *  Blowfish implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The Blowfish block cipher was designed by Bruce Schneier in 1993.
+ *  http://www.schneier.com/blowfish.html
+ *  http://en.wikipedia.org/wiki/Blowfish_%28cipher%29
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+
+#include "mbedtls/blowfish.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_BLOWFISH_ALT)
+
+/* Parameter validation macros */
+#define BLOWFISH_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA )
+#define BLOWFISH_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+static const uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2] = {
+        0x243F6A88L, 0x85A308D3L, 0x13198A2EL, 0x03707344L,
+        0xA4093822L, 0x299F31D0L, 0x082EFA98L, 0xEC4E6C89L,
+        0x452821E6L, 0x38D01377L, 0xBE5466CFL, 0x34E90C6CL,
+        0xC0AC29B7L, 0xC97C50DDL, 0x3F84D5B5L, 0xB5470917L,
+        0x9216D5D9L, 0x8979FB1BL
+};
+
+/* declarations of data at the end of this file */
+static const uint32_t S[4][256];
+
+static uint32_t F( mbedtls_blowfish_context *ctx, uint32_t x )
+{
+   unsigned short a, b, c, d;
+   uint32_t  y;
+
+   d = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   c = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   b = (unsigned short)(x & 0xFF);
+   x >>= 8;
+   a = (unsigned short)(x & 0xFF);
+   y = ctx->S[0][a] + ctx->S[1][b];
+   y = y ^ ctx->S[2][c];
+   y = y + ctx->S[3][d];
+
+   return( y );
+}
+
+static void blowfish_enc( mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t *xr )
+{
+    uint32_t  Xl, Xr, temp;
+    short i;
+
+    Xl = *xl;
+    Xr = *xr;
+
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS; ++i )
+    {
+        Xl = Xl ^ ctx->P[i];
+        Xr = F( ctx, Xl ) ^ Xr;
+
+        temp = Xl;
+        Xl = Xr;
+        Xr = temp;
+    }
+
+    temp = Xl;
+    Xl = Xr;
+    Xr = temp;
+
+    Xr = Xr ^ ctx->P[MBEDTLS_BLOWFISH_ROUNDS];
+    Xl = Xl ^ ctx->P[MBEDTLS_BLOWFISH_ROUNDS + 1];
+
+    *xl = Xl;
+    *xr = Xr;
+}
+
+static void blowfish_dec( mbedtls_blowfish_context *ctx, uint32_t *xl, uint32_t *xr )
+{
+    uint32_t  Xl, Xr, temp;
+    short i;
+
+    Xl = *xl;
+    Xr = *xr;
+
+    for( i = MBEDTLS_BLOWFISH_ROUNDS + 1; i > 1; --i )
+    {
+        Xl = Xl ^ ctx->P[i];
+        Xr = F( ctx, Xl ) ^ Xr;
+
+        temp = Xl;
+        Xl = Xr;
+        Xr = temp;
+    }
+
+    temp = Xl;
+    Xl = Xr;
+    Xr = temp;
+
+    Xr = Xr ^ ctx->P[1];
+    Xl = Xl ^ ctx->P[0];
+
+    *xl = Xl;
+    *xr = Xr;
+}
+
+void mbedtls_blowfish_init( mbedtls_blowfish_context *ctx )
+{
+    BLOWFISH_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_blowfish_context ) );
+}
+
+void mbedtls_blowfish_free( mbedtls_blowfish_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_blowfish_context ) );
+}
+
+/*
+ * Blowfish key schedule
+ */
+int mbedtls_blowfish_setkey( mbedtls_blowfish_context *ctx,
+                             const unsigned char *key,
+                             unsigned int keybits )
+{
+    unsigned int i, j, k;
+    uint32_t data, datal, datar;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( key != NULL );
+
+    if( keybits < MBEDTLS_BLOWFISH_MIN_KEY_BITS    ||
+        keybits > MBEDTLS_BLOWFISH_MAX_KEY_BITS    ||
+        keybits % 8 != 0 )
+    {
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
+    }
+
+    keybits >>= 3;
+
+    for( i = 0; i < 4; i++ )
+    {
+        for( j = 0; j < 256; j++ )
+            ctx->S[i][j] = S[i][j];
+    }
+
+    j = 0;
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS + 2; ++i )
+    {
+        data = 0x00000000;
+        for( k = 0; k < 4; ++k )
+        {
+            data = ( data << 8 ) | key[j++];
+            if( j >= keybits )
+                j = 0;
+        }
+        ctx->P[i] = P[i] ^ data;
+    }
+
+    datal = 0x00000000;
+    datar = 0x00000000;
+
+    for( i = 0; i < MBEDTLS_BLOWFISH_ROUNDS + 2; i += 2 )
+    {
+        blowfish_enc( ctx, &datal, &datar );
+        ctx->P[i] = datal;
+        ctx->P[i + 1] = datar;
+    }
+
+    for( i = 0; i < 4; i++ )
+    {
+       for( j = 0; j < 256; j += 2 )
+       {
+            blowfish_enc( ctx, &datal, &datar );
+            ctx->S[i][j] = datal;
+            ctx->S[i][j + 1] = datar;
+        }
+    }
+    return( 0 );
+}
+
+/*
+ * Blowfish-ECB block encryption/decryption
+ */
+int mbedtls_blowfish_crypt_ecb( mbedtls_blowfish_context *ctx,
+                    int mode,
+                    const unsigned char input[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                    unsigned char output[MBEDTLS_BLOWFISH_BLOCKSIZE] )
+{
+    uint32_t X0, X1;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( input  != NULL );
+    BLOWFISH_VALIDATE_RET( output != NULL );
+
+    GET_UINT32_BE( X0, input,  0 );
+    GET_UINT32_BE( X1, input,  4 );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        blowfish_dec( ctx, &X0, &X1 );
+    }
+    else /* MBEDTLS_BLOWFISH_ENCRYPT */
+    {
+        blowfish_enc( ctx, &X0, &X1 );
+    }
+
+    PUT_UINT32_BE( X0, output,  0 );
+    PUT_UINT32_BE( X1, output,  4 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Blowfish-CBC buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_cbc( mbedtls_blowfish_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[MBEDTLS_BLOWFISH_BLOCKSIZE];
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( iv != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( length % MBEDTLS_BLOWFISH_BLOCKSIZE )
+        return( MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, MBEDTLS_BLOWFISH_BLOCKSIZE );
+            mbedtls_blowfish_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < MBEDTLS_BLOWFISH_BLOCKSIZE;i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, MBEDTLS_BLOWFISH_BLOCKSIZE );
+
+            input  += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            output += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            length -= MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < MBEDTLS_BLOWFISH_BLOCKSIZE; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_blowfish_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, MBEDTLS_BLOWFISH_BLOCKSIZE );
+
+            input  += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            output += MBEDTLS_BLOWFISH_BLOCKSIZE;
+            length -= MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Blowfish CFB buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_cfb64( mbedtls_blowfish_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n;
+
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( mode == MBEDTLS_BLOWFISH_ENCRYPT ||
+                           mode == MBEDTLS_BLOWFISH_DECRYPT );
+    BLOWFISH_VALIDATE_RET( iv     != NULL );
+    BLOWFISH_VALIDATE_RET( iv_off != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *iv_off;
+    if( n >= 8 )
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_BLOWFISH_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /*MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Blowfish CTR buffer encryption/decryption
+ */
+int mbedtls_blowfish_crypt_ctr( mbedtls_blowfish_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       unsigned char stream_block[MBEDTLS_BLOWFISH_BLOCKSIZE],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n;
+    BLOWFISH_VALIDATE_RET( ctx != NULL );
+    BLOWFISH_VALIDATE_RET( nonce_counter != NULL );
+    BLOWFISH_VALIDATE_RET( stream_block  != NULL );
+    BLOWFISH_VALIDATE_RET( nc_off != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || input  != NULL );
+    BLOWFISH_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *nc_off;
+    if( n >= 8 )
+        return( MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_blowfish_crypt_ecb( ctx, MBEDTLS_BLOWFISH_ENCRYPT, nonce_counter,
+                                stream_block );
+
+            for( i = MBEDTLS_BLOWFISH_BLOCKSIZE; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) % MBEDTLS_BLOWFISH_BLOCKSIZE;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static const uint32_t S[4][256] = {
+    {   0xD1310BA6L, 0x98DFB5ACL, 0x2FFD72DBL, 0xD01ADFB7L,
+        0xB8E1AFEDL, 0x6A267E96L, 0xBA7C9045L, 0xF12C7F99L,
+        0x24A19947L, 0xB3916CF7L, 0x0801F2E2L, 0x858EFC16L,
+        0x636920D8L, 0x71574E69L, 0xA458FEA3L, 0xF4933D7EL,
+        0x0D95748FL, 0x728EB658L, 0x718BCD58L, 0x82154AEEL,
+        0x7B54A41DL, 0xC25A59B5L, 0x9C30D539L, 0x2AF26013L,
+        0xC5D1B023L, 0x286085F0L, 0xCA417918L, 0xB8DB38EFL,
+        0x8E79DCB0L, 0x603A180EL, 0x6C9E0E8BL, 0xB01E8A3EL,
+        0xD71577C1L, 0xBD314B27L, 0x78AF2FDAL, 0x55605C60L,
+        0xE65525F3L, 0xAA55AB94L, 0x57489862L, 0x63E81440L,
+        0x55CA396AL, 0x2AAB10B6L, 0xB4CC5C34L, 0x1141E8CEL,
+        0xA15486AFL, 0x7C72E993L, 0xB3EE1411L, 0x636FBC2AL,
+        0x2BA9C55DL, 0x741831F6L, 0xCE5C3E16L, 0x9B87931EL,
+        0xAFD6BA33L, 0x6C24CF5CL, 0x7A325381L, 0x28958677L,
+        0x3B8F4898L, 0x6B4BB9AFL, 0xC4BFE81BL, 0x66282193L,
+        0x61D809CCL, 0xFB21A991L, 0x487CAC60L, 0x5DEC8032L,
+        0xEF845D5DL, 0xE98575B1L, 0xDC262302L, 0xEB651B88L,
+        0x23893E81L, 0xD396ACC5L, 0x0F6D6FF3L, 0x83F44239L,
+        0x2E0B4482L, 0xA4842004L, 0x69C8F04AL, 0x9E1F9B5EL,
+        0x21C66842L, 0xF6E96C9AL, 0x670C9C61L, 0xABD388F0L,
+        0x6A51A0D2L, 0xD8542F68L, 0x960FA728L, 0xAB5133A3L,
+        0x6EEF0B6CL, 0x137A3BE4L, 0xBA3BF050L, 0x7EFB2A98L,
+        0xA1F1651DL, 0x39AF0176L, 0x66CA593EL, 0x82430E88L,
+        0x8CEE8619L, 0x456F9FB4L, 0x7D84A5C3L, 0x3B8B5EBEL,
+        0xE06F75D8L, 0x85C12073L, 0x401A449FL, 0x56C16AA6L,
+        0x4ED3AA62L, 0x363F7706L, 0x1BFEDF72L, 0x429B023DL,
+        0x37D0D724L, 0xD00A1248L, 0xDB0FEAD3L, 0x49F1C09BL,
+        0x075372C9L, 0x80991B7BL, 0x25D479D8L, 0xF6E8DEF7L,
+        0xE3FE501AL, 0xB6794C3BL, 0x976CE0BDL, 0x04C006BAL,
+        0xC1A94FB6L, 0x409F60C4L, 0x5E5C9EC2L, 0x196A2463L,
+        0x68FB6FAFL, 0x3E6C53B5L, 0x1339B2EBL, 0x3B52EC6FL,
+        0x6DFC511FL, 0x9B30952CL, 0xCC814544L, 0xAF5EBD09L,
+        0xBEE3D004L, 0xDE334AFDL, 0x660F2807L, 0x192E4BB3L,
+        0xC0CBA857L, 0x45C8740FL, 0xD20B5F39L, 0xB9D3FBDBL,
+        0x5579C0BDL, 0x1A60320AL, 0xD6A100C6L, 0x402C7279L,
+        0x679F25FEL, 0xFB1FA3CCL, 0x8EA5E9F8L, 0xDB3222F8L,
+        0x3C7516DFL, 0xFD616B15L, 0x2F501EC8L, 0xAD0552ABL,
+        0x323DB5FAL, 0xFD238760L, 0x53317B48L, 0x3E00DF82L,
+        0x9E5C57BBL, 0xCA6F8CA0L, 0x1A87562EL, 0xDF1769DBL,
+        0xD542A8F6L, 0x287EFFC3L, 0xAC6732C6L, 0x8C4F5573L,
+        0x695B27B0L, 0xBBCA58C8L, 0xE1FFA35DL, 0xB8F011A0L,
+        0x10FA3D98L, 0xFD2183B8L, 0x4AFCB56CL, 0x2DD1D35BL,
+        0x9A53E479L, 0xB6F84565L, 0xD28E49BCL, 0x4BFB9790L,
+        0xE1DDF2DAL, 0xA4CB7E33L, 0x62FB1341L, 0xCEE4C6E8L,
+        0xEF20CADAL, 0x36774C01L, 0xD07E9EFEL, 0x2BF11FB4L,
+        0x95DBDA4DL, 0xAE909198L, 0xEAAD8E71L, 0x6B93D5A0L,
+        0xD08ED1D0L, 0xAFC725E0L, 0x8E3C5B2FL, 0x8E7594B7L,
+        0x8FF6E2FBL, 0xF2122B64L, 0x8888B812L, 0x900DF01CL,
+        0x4FAD5EA0L, 0x688FC31CL, 0xD1CFF191L, 0xB3A8C1ADL,
+        0x2F2F2218L, 0xBE0E1777L, 0xEA752DFEL, 0x8B021FA1L,
+        0xE5A0CC0FL, 0xB56F74E8L, 0x18ACF3D6L, 0xCE89E299L,
+        0xB4A84FE0L, 0xFD13E0B7L, 0x7CC43B81L, 0xD2ADA8D9L,
+        0x165FA266L, 0x80957705L, 0x93CC7314L, 0x211A1477L,
+        0xE6AD2065L, 0x77B5FA86L, 0xC75442F5L, 0xFB9D35CFL,
+        0xEBCDAF0CL, 0x7B3E89A0L, 0xD6411BD3L, 0xAE1E7E49L,
+        0x00250E2DL, 0x2071B35EL, 0x226800BBL, 0x57B8E0AFL,
+        0x2464369BL, 0xF009B91EL, 0x5563911DL, 0x59DFA6AAL,
+        0x78C14389L, 0xD95A537FL, 0x207D5BA2L, 0x02E5B9C5L,
+        0x83260376L, 0x6295CFA9L, 0x11C81968L, 0x4E734A41L,
+        0xB3472DCAL, 0x7B14A94AL, 0x1B510052L, 0x9A532915L,
+        0xD60F573FL, 0xBC9BC6E4L, 0x2B60A476L, 0x81E67400L,
+        0x08BA6FB5L, 0x571BE91FL, 0xF296EC6BL, 0x2A0DD915L,
+        0xB6636521L, 0xE7B9F9B6L, 0xFF34052EL, 0xC5855664L,
+        0x53B02D5DL, 0xA99F8FA1L, 0x08BA4799L, 0x6E85076AL   },
+    {   0x4B7A70E9L, 0xB5B32944L, 0xDB75092EL, 0xC4192623L,
+        0xAD6EA6B0L, 0x49A7DF7DL, 0x9CEE60B8L, 0x8FEDB266L,
+        0xECAA8C71L, 0x699A17FFL, 0x5664526CL, 0xC2B19EE1L,
+        0x193602A5L, 0x75094C29L, 0xA0591340L, 0xE4183A3EL,
+        0x3F54989AL, 0x5B429D65L, 0x6B8FE4D6L, 0x99F73FD6L,
+        0xA1D29C07L, 0xEFE830F5L, 0x4D2D38E6L, 0xF0255DC1L,
+        0x4CDD2086L, 0x8470EB26L, 0x6382E9C6L, 0x021ECC5EL,
+        0x09686B3FL, 0x3EBAEFC9L, 0x3C971814L, 0x6B6A70A1L,
+        0x687F3584L, 0x52A0E286L, 0xB79C5305L, 0xAA500737L,
+        0x3E07841CL, 0x7FDEAE5CL, 0x8E7D44ECL, 0x5716F2B8L,
+        0xB03ADA37L, 0xF0500C0DL, 0xF01C1F04L, 0x0200B3FFL,
+        0xAE0CF51AL, 0x3CB574B2L, 0x25837A58L, 0xDC0921BDL,
+        0xD19113F9L, 0x7CA92FF6L, 0x94324773L, 0x22F54701L,
+        0x3AE5E581L, 0x37C2DADCL, 0xC8B57634L, 0x9AF3DDA7L,
+        0xA9446146L, 0x0FD0030EL, 0xECC8C73EL, 0xA4751E41L,
+        0xE238CD99L, 0x3BEA0E2FL, 0x3280BBA1L, 0x183EB331L,
+        0x4E548B38L, 0x4F6DB908L, 0x6F420D03L, 0xF60A04BFL,
+        0x2CB81290L, 0x24977C79L, 0x5679B072L, 0xBCAF89AFL,
+        0xDE9A771FL, 0xD9930810L, 0xB38BAE12L, 0xDCCF3F2EL,
+        0x5512721FL, 0x2E6B7124L, 0x501ADDE6L, 0x9F84CD87L,
+        0x7A584718L, 0x7408DA17L, 0xBC9F9ABCL, 0xE94B7D8CL,
+        0xEC7AEC3AL, 0xDB851DFAL, 0x63094366L, 0xC464C3D2L,
+        0xEF1C1847L, 0x3215D908L, 0xDD433B37L, 0x24C2BA16L,
+        0x12A14D43L, 0x2A65C451L, 0x50940002L, 0x133AE4DDL,
+        0x71DFF89EL, 0x10314E55L, 0x81AC77D6L, 0x5F11199BL,
+        0x043556F1L, 0xD7A3C76BL, 0x3C11183BL, 0x5924A509L,
+        0xF28FE6EDL, 0x97F1FBFAL, 0x9EBABF2CL, 0x1E153C6EL,
+        0x86E34570L, 0xEAE96FB1L, 0x860E5E0AL, 0x5A3E2AB3L,
+        0x771FE71CL, 0x4E3D06FAL, 0x2965DCB9L, 0x99E71D0FL,
+        0x803E89D6L, 0x5266C825L, 0x2E4CC978L, 0x9C10B36AL,
+        0xC6150EBAL, 0x94E2EA78L, 0xA5FC3C53L, 0x1E0A2DF4L,
+        0xF2F74EA7L, 0x361D2B3DL, 0x1939260FL, 0x19C27960L,
+        0x5223A708L, 0xF71312B6L, 0xEBADFE6EL, 0xEAC31F66L,
+        0xE3BC4595L, 0xA67BC883L, 0xB17F37D1L, 0x018CFF28L,
+        0xC332DDEFL, 0xBE6C5AA5L, 0x65582185L, 0x68AB9802L,
+        0xEECEA50FL, 0xDB2F953BL, 0x2AEF7DADL, 0x5B6E2F84L,
+        0x1521B628L, 0x29076170L, 0xECDD4775L, 0x619F1510L,
+        0x13CCA830L, 0xEB61BD96L, 0x0334FE1EL, 0xAA0363CFL,
+        0xB5735C90L, 0x4C70A239L, 0xD59E9E0BL, 0xCBAADE14L,
+        0xEECC86BCL, 0x60622CA7L, 0x9CAB5CABL, 0xB2F3846EL,
+        0x648B1EAFL, 0x19BDF0CAL, 0xA02369B9L, 0x655ABB50L,
+        0x40685A32L, 0x3C2AB4B3L, 0x319EE9D5L, 0xC021B8F7L,
+        0x9B540B19L, 0x875FA099L, 0x95F7997EL, 0x623D7DA8L,
+        0xF837889AL, 0x97E32D77L, 0x11ED935FL, 0x16681281L,
+        0x0E358829L, 0xC7E61FD6L, 0x96DEDFA1L, 0x7858BA99L,
+        0x57F584A5L, 0x1B227263L, 0x9B83C3FFL, 0x1AC24696L,
+        0xCDB30AEBL, 0x532E3054L, 0x8FD948E4L, 0x6DBC3128L,
+        0x58EBF2EFL, 0x34C6FFEAL, 0xFE28ED61L, 0xEE7C3C73L,
+        0x5D4A14D9L, 0xE864B7E3L, 0x42105D14L, 0x203E13E0L,
+        0x45EEE2B6L, 0xA3AAABEAL, 0xDB6C4F15L, 0xFACB4FD0L,
+        0xC742F442L, 0xEF6ABBB5L, 0x654F3B1DL, 0x41CD2105L,
+        0xD81E799EL, 0x86854DC7L, 0xE44B476AL, 0x3D816250L,
+        0xCF62A1F2L, 0x5B8D2646L, 0xFC8883A0L, 0xC1C7B6A3L,
+        0x7F1524C3L, 0x69CB7492L, 0x47848A0BL, 0x5692B285L,
+        0x095BBF00L, 0xAD19489DL, 0x1462B174L, 0x23820E00L,
+        0x58428D2AL, 0x0C55F5EAL, 0x1DADF43EL, 0x233F7061L,
+        0x3372F092L, 0x8D937E41L, 0xD65FECF1L, 0x6C223BDBL,
+        0x7CDE3759L, 0xCBEE7460L, 0x4085F2A7L, 0xCE77326EL,
+        0xA6078084L, 0x19F8509EL, 0xE8EFD855L, 0x61D99735L,
+        0xA969A7AAL, 0xC50C06C2L, 0x5A04ABFCL, 0x800BCADCL,
+        0x9E447A2EL, 0xC3453484L, 0xFDD56705L, 0x0E1E9EC9L,
+        0xDB73DBD3L, 0x105588CDL, 0x675FDA79L, 0xE3674340L,
+        0xC5C43465L, 0x713E38D8L, 0x3D28F89EL, 0xF16DFF20L,
+        0x153E21E7L, 0x8FB03D4AL, 0xE6E39F2BL, 0xDB83ADF7L   },
+    {   0xE93D5A68L, 0x948140F7L, 0xF64C261CL, 0x94692934L,
+        0x411520F7L, 0x7602D4F7L, 0xBCF46B2EL, 0xD4A20068L,
+        0xD4082471L, 0x3320F46AL, 0x43B7D4B7L, 0x500061AFL,
+        0x1E39F62EL, 0x97244546L, 0x14214F74L, 0xBF8B8840L,
+        0x4D95FC1DL, 0x96B591AFL, 0x70F4DDD3L, 0x66A02F45L,
+        0xBFBC09ECL, 0x03BD9785L, 0x7FAC6DD0L, 0x31CB8504L,
+        0x96EB27B3L, 0x55FD3941L, 0xDA2547E6L, 0xABCA0A9AL,
+        0x28507825L, 0x530429F4L, 0x0A2C86DAL, 0xE9B66DFBL,
+        0x68DC1462L, 0xD7486900L, 0x680EC0A4L, 0x27A18DEEL,
+        0x4F3FFEA2L, 0xE887AD8CL, 0xB58CE006L, 0x7AF4D6B6L,
+        0xAACE1E7CL, 0xD3375FECL, 0xCE78A399L, 0x406B2A42L,
+        0x20FE9E35L, 0xD9F385B9L, 0xEE39D7ABL, 0x3B124E8BL,
+        0x1DC9FAF7L, 0x4B6D1856L, 0x26A36631L, 0xEAE397B2L,
+        0x3A6EFA74L, 0xDD5B4332L, 0x6841E7F7L, 0xCA7820FBL,
+        0xFB0AF54EL, 0xD8FEB397L, 0x454056ACL, 0xBA489527L,
+        0x55533A3AL, 0x20838D87L, 0xFE6BA9B7L, 0xD096954BL,
+        0x55A867BCL, 0xA1159A58L, 0xCCA92963L, 0x99E1DB33L,
+        0xA62A4A56L, 0x3F3125F9L, 0x5EF47E1CL, 0x9029317CL,
+        0xFDF8E802L, 0x04272F70L, 0x80BB155CL, 0x05282CE3L,
+        0x95C11548L, 0xE4C66D22L, 0x48C1133FL, 0xC70F86DCL,
+        0x07F9C9EEL, 0x41041F0FL, 0x404779A4L, 0x5D886E17L,
+        0x325F51EBL, 0xD59BC0D1L, 0xF2BCC18FL, 0x41113564L,
+        0x257B7834L, 0x602A9C60L, 0xDFF8E8A3L, 0x1F636C1BL,
+        0x0E12B4C2L, 0x02E1329EL, 0xAF664FD1L, 0xCAD18115L,
+        0x6B2395E0L, 0x333E92E1L, 0x3B240B62L, 0xEEBEB922L,
+        0x85B2A20EL, 0xE6BA0D99L, 0xDE720C8CL, 0x2DA2F728L,
+        0xD0127845L, 0x95B794FDL, 0x647D0862L, 0xE7CCF5F0L,
+        0x5449A36FL, 0x877D48FAL, 0xC39DFD27L, 0xF33E8D1EL,
+        0x0A476341L, 0x992EFF74L, 0x3A6F6EABL, 0xF4F8FD37L,
+        0xA812DC60L, 0xA1EBDDF8L, 0x991BE14CL, 0xDB6E6B0DL,
+        0xC67B5510L, 0x6D672C37L, 0x2765D43BL, 0xDCD0E804L,
+        0xF1290DC7L, 0xCC00FFA3L, 0xB5390F92L, 0x690FED0BL,
+        0x667B9FFBL, 0xCEDB7D9CL, 0xA091CF0BL, 0xD9155EA3L,
+        0xBB132F88L, 0x515BAD24L, 0x7B9479BFL, 0x763BD6EBL,
+        0x37392EB3L, 0xCC115979L, 0x8026E297L, 0xF42E312DL,
+        0x6842ADA7L, 0xC66A2B3BL, 0x12754CCCL, 0x782EF11CL,
+        0x6A124237L, 0xB79251E7L, 0x06A1BBE6L, 0x4BFB6350L,
+        0x1A6B1018L, 0x11CAEDFAL, 0x3D25BDD8L, 0xE2E1C3C9L,
+        0x44421659L, 0x0A121386L, 0xD90CEC6EL, 0xD5ABEA2AL,
+        0x64AF674EL, 0xDA86A85FL, 0xBEBFE988L, 0x64E4C3FEL,
+        0x9DBC8057L, 0xF0F7C086L, 0x60787BF8L, 0x6003604DL,
+        0xD1FD8346L, 0xF6381FB0L, 0x7745AE04L, 0xD736FCCCL,
+        0x83426B33L, 0xF01EAB71L, 0xB0804187L, 0x3C005E5FL,
+        0x77A057BEL, 0xBDE8AE24L, 0x55464299L, 0xBF582E61L,
+        0x4E58F48FL, 0xF2DDFDA2L, 0xF474EF38L, 0x8789BDC2L,
+        0x5366F9C3L, 0xC8B38E74L, 0xB475F255L, 0x46FCD9B9L,
+        0x7AEB2661L, 0x8B1DDF84L, 0x846A0E79L, 0x915F95E2L,
+        0x466E598EL, 0x20B45770L, 0x8CD55591L, 0xC902DE4CL,
+        0xB90BACE1L, 0xBB8205D0L, 0x11A86248L, 0x7574A99EL,
+        0xB77F19B6L, 0xE0A9DC09L, 0x662D09A1L, 0xC4324633L,
+        0xE85A1F02L, 0x09F0BE8CL, 0x4A99A025L, 0x1D6EFE10L,
+        0x1AB93D1DL, 0x0BA5A4DFL, 0xA186F20FL, 0x2868F169L,
+        0xDCB7DA83L, 0x573906FEL, 0xA1E2CE9BL, 0x4FCD7F52L,
+        0x50115E01L, 0xA70683FAL, 0xA002B5C4L, 0x0DE6D027L,
+        0x9AF88C27L, 0x773F8641L, 0xC3604C06L, 0x61A806B5L,
+        0xF0177A28L, 0xC0F586E0L, 0x006058AAL, 0x30DC7D62L,
+        0x11E69ED7L, 0x2338EA63L, 0x53C2DD94L, 0xC2C21634L,
+        0xBBCBEE56L, 0x90BCB6DEL, 0xEBFC7DA1L, 0xCE591D76L,
+        0x6F05E409L, 0x4B7C0188L, 0x39720A3DL, 0x7C927C24L,
+        0x86E3725FL, 0x724D9DB9L, 0x1AC15BB4L, 0xD39EB8FCL,
+        0xED545578L, 0x08FCA5B5L, 0xD83D7CD3L, 0x4DAD0FC4L,
+        0x1E50EF5EL, 0xB161E6F8L, 0xA28514D9L, 0x6C51133CL,
+        0x6FD5C7E7L, 0x56E14EC4L, 0x362ABFCEL, 0xDDC6C837L,
+        0xD79A3234L, 0x92638212L, 0x670EFA8EL, 0x406000E0L  },
+    {   0x3A39CE37L, 0xD3FAF5CFL, 0xABC27737L, 0x5AC52D1BL,
+        0x5CB0679EL, 0x4FA33742L, 0xD3822740L, 0x99BC9BBEL,
+        0xD5118E9DL, 0xBF0F7315L, 0xD62D1C7EL, 0xC700C47BL,
+        0xB78C1B6BL, 0x21A19045L, 0xB26EB1BEL, 0x6A366EB4L,
+        0x5748AB2FL, 0xBC946E79L, 0xC6A376D2L, 0x6549C2C8L,
+        0x530FF8EEL, 0x468DDE7DL, 0xD5730A1DL, 0x4CD04DC6L,
+        0x2939BBDBL, 0xA9BA4650L, 0xAC9526E8L, 0xBE5EE304L,
+        0xA1FAD5F0L, 0x6A2D519AL, 0x63EF8CE2L, 0x9A86EE22L,
+        0xC089C2B8L, 0x43242EF6L, 0xA51E03AAL, 0x9CF2D0A4L,
+        0x83C061BAL, 0x9BE96A4DL, 0x8FE51550L, 0xBA645BD6L,
+        0x2826A2F9L, 0xA73A3AE1L, 0x4BA99586L, 0xEF5562E9L,
+        0xC72FEFD3L, 0xF752F7DAL, 0x3F046F69L, 0x77FA0A59L,
+        0x80E4A915L, 0x87B08601L, 0x9B09E6ADL, 0x3B3EE593L,
+        0xE990FD5AL, 0x9E34D797L, 0x2CF0B7D9L, 0x022B8B51L,
+        0x96D5AC3AL, 0x017DA67DL, 0xD1CF3ED6L, 0x7C7D2D28L,
+        0x1F9F25CFL, 0xADF2B89BL, 0x5AD6B472L, 0x5A88F54CL,
+        0xE029AC71L, 0xE019A5E6L, 0x47B0ACFDL, 0xED93FA9BL,
+        0xE8D3C48DL, 0x283B57CCL, 0xF8D56629L, 0x79132E28L,
+        0x785F0191L, 0xED756055L, 0xF7960E44L, 0xE3D35E8CL,
+        0x15056DD4L, 0x88F46DBAL, 0x03A16125L, 0x0564F0BDL,
+        0xC3EB9E15L, 0x3C9057A2L, 0x97271AECL, 0xA93A072AL,
+        0x1B3F6D9BL, 0x1E6321F5L, 0xF59C66FBL, 0x26DCF319L,
+        0x7533D928L, 0xB155FDF5L, 0x03563482L, 0x8ABA3CBBL,
+        0x28517711L, 0xC20AD9F8L, 0xABCC5167L, 0xCCAD925FL,
+        0x4DE81751L, 0x3830DC8EL, 0x379D5862L, 0x9320F991L,
+        0xEA7A90C2L, 0xFB3E7BCEL, 0x5121CE64L, 0x774FBE32L,
+        0xA8B6E37EL, 0xC3293D46L, 0x48DE5369L, 0x6413E680L,
+        0xA2AE0810L, 0xDD6DB224L, 0x69852DFDL, 0x09072166L,
+        0xB39A460AL, 0x6445C0DDL, 0x586CDECFL, 0x1C20C8AEL,
+        0x5BBEF7DDL, 0x1B588D40L, 0xCCD2017FL, 0x6BB4E3BBL,
+        0xDDA26A7EL, 0x3A59FF45L, 0x3E350A44L, 0xBCB4CDD5L,
+        0x72EACEA8L, 0xFA6484BBL, 0x8D6612AEL, 0xBF3C6F47L,
+        0xD29BE463L, 0x542F5D9EL, 0xAEC2771BL, 0xF64E6370L,
+        0x740E0D8DL, 0xE75B1357L, 0xF8721671L, 0xAF537D5DL,
+        0x4040CB08L, 0x4EB4E2CCL, 0x34D2466AL, 0x0115AF84L,
+        0xE1B00428L, 0x95983A1DL, 0x06B89FB4L, 0xCE6EA048L,
+        0x6F3F3B82L, 0x3520AB82L, 0x011A1D4BL, 0x277227F8L,
+        0x611560B1L, 0xE7933FDCL, 0xBB3A792BL, 0x344525BDL,
+        0xA08839E1L, 0x51CE794BL, 0x2F32C9B7L, 0xA01FBAC9L,
+        0xE01CC87EL, 0xBCC7D1F6L, 0xCF0111C3L, 0xA1E8AAC7L,
+        0x1A908749L, 0xD44FBD9AL, 0xD0DADECBL, 0xD50ADA38L,
+        0x0339C32AL, 0xC6913667L, 0x8DF9317CL, 0xE0B12B4FL,
+        0xF79E59B7L, 0x43F5BB3AL, 0xF2D519FFL, 0x27D9459CL,
+        0xBF97222CL, 0x15E6FC2AL, 0x0F91FC71L, 0x9B941525L,
+        0xFAE59361L, 0xCEB69CEBL, 0xC2A86459L, 0x12BAA8D1L,
+        0xB6C1075EL, 0xE3056A0CL, 0x10D25065L, 0xCB03A442L,
+        0xE0EC6E0EL, 0x1698DB3BL, 0x4C98A0BEL, 0x3278E964L,
+        0x9F1F9532L, 0xE0D392DFL, 0xD3A0342BL, 0x8971F21EL,
+        0x1B0A7441L, 0x4BA3348CL, 0xC5BE7120L, 0xC37632D8L,
+        0xDF359F8DL, 0x9B992F2EL, 0xE60B6F47L, 0x0FE3F11DL,
+        0xE54CDA54L, 0x1EDAD891L, 0xCE6279CFL, 0xCD3E7E6FL,
+        0x1618B166L, 0xFD2C1D05L, 0x848FD2C5L, 0xF6FB2299L,
+        0xF523F357L, 0xA6327623L, 0x93A83531L, 0x56CCCD02L,
+        0xACF08162L, 0x5A75EBB5L, 0x6E163697L, 0x88D273CCL,
+        0xDE966292L, 0x81B949D0L, 0x4C50901BL, 0x71C65614L,
+        0xE6C6C7BDL, 0x327A140AL, 0x45E1D006L, 0xC3F27B9AL,
+        0xC9AA53FDL, 0x62A80F00L, 0xBB25BFE2L, 0x35BDD2F6L,
+        0x71126905L, 0xB2040222L, 0xB6CBCF7CL, 0xCD769C2BL,
+        0x53113EC0L, 0x1640E3D3L, 0x38ABBD60L, 0x2547ADF0L,
+        0xBA38209CL, 0xF746CE76L, 0x77AFA1C5L, 0x20756060L,
+        0x85CBFE4EL, 0x8AE88DD8L, 0x7AAAF9B0L, 0x4CF9AA7EL,
+        0x1948C25CL, 0x02FB8A8CL, 0x01C36AE4L, 0xD6EBE1F9L,
+        0x90D4F869L, 0xA65CDEA0L, 0x3F09252DL, 0xC208E69FL,
+        0xB74E6132L, 0xCE77E25BL, 0x578FDFE3L, 0x3AC372E6L  }
+};
+
+#endif /* !MBEDTLS_BLOWFISH_ALT */
+#endif /* MBEDTLS_BLOWFISH_C */
diff --git a/makerom/deps/libmbedtls/src/camellia.c b/makerom/deps/libmbedtls/src/camellia.c
new file mode 100644
index 00000000..22262b89
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/camellia.c
@@ -0,0 +1,1114 @@
+/*
+ *  Camellia implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The Camellia block cipher was designed by NTT and Mitsubishi Electric
+ *  Corporation.
+ *
+ *  http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+#include "mbedtls/camellia.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CAMELLIA_ALT)
+
+/* Parameter validation macros */
+#define CAMELLIA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA )
+#define CAMELLIA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+static const unsigned char SIGMA_CHARS[6][8] =
+{
+    { 0xa0, 0x9e, 0x66, 0x7f, 0x3b, 0xcc, 0x90, 0x8b },
+    { 0xb6, 0x7a, 0xe8, 0x58, 0x4c, 0xaa, 0x73, 0xb2 },
+    { 0xc6, 0xef, 0x37, 0x2f, 0xe9, 0x4f, 0x82, 0xbe },
+    { 0x54, 0xff, 0x53, 0xa5, 0xf1, 0xd3, 0x6f, 0x1c },
+    { 0x10, 0xe5, 0x27, 0xfa, 0xde, 0x68, 0x2d, 0x1d },
+    { 0xb0, 0x56, 0x88, 0xc2, 0xb3, 0xe6, 0xc1, 0xfd }
+};
+
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+
+static const unsigned char FSb[256] =
+{
+    112,130, 44,236,179, 39,192,229,228,133, 87, 53,234, 12,174, 65,
+     35,239,107,147, 69, 25,165, 33,237, 14, 79, 78, 29,101,146,189,
+    134,184,175,143,124,235, 31,206, 62, 48,220, 95, 94,197, 11, 26,
+    166,225, 57,202,213, 71, 93, 61,217,  1, 90,214, 81, 86,108, 77,
+    139, 13,154,102,251,204,176, 45,116, 18, 43, 32,240,177,132,153,
+    223, 76,203,194, 52,126,118,  5,109,183,169, 49,209, 23,  4,215,
+     20, 88, 58, 97,222, 27, 17, 28, 50, 15,156, 22, 83, 24,242, 34,
+    254, 68,207,178,195,181,122,145, 36,  8,232,168, 96,252,105, 80,
+    170,208,160,125,161,137, 98,151, 84, 91, 30,149,224,255,100,210,
+     16,196,  0, 72,163,247,117,219,138,  3,230,218,  9, 63,221,148,
+    135, 92,131,  2,205, 74,144, 51,115,103,246,243,157,127,191,226,
+     82,155,216, 38,200, 55,198, 59,129,150,111, 75, 19,190, 99, 46,
+    233,121,167,140,159,110,188,142, 41,245,249,182, 47,253,180, 89,
+    120,152,  6,106,231, 70,113,186,212, 37,171, 66,136,162,141,250,
+    114,  7,185, 85,248,238,172, 10, 54, 73, 42,104, 60, 56,241,164,
+     64, 40,211,123,187,201, 67,193, 21,227,173,244,119,199,128,158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) (unsigned char)((FSb[(n)] >> 7 ^ FSb[(n)] << 1) & 0xff)
+#define SBOX3(n) (unsigned char)((FSb[(n)] >> 1 ^ FSb[(n)] << 7) & 0xff)
+#define SBOX4(n) FSb[((n) << 1 ^ (n) >> 7) &0xff]
+
+#else /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char FSb[256] =
+{
+ 112, 130,  44, 236, 179,  39, 192, 229, 228, 133,  87,  53, 234,  12, 174,  65,
+  35, 239, 107, 147,  69,  25, 165,  33, 237,  14,  79,  78,  29, 101, 146, 189,
+ 134, 184, 175, 143, 124, 235,  31, 206,  62,  48, 220,  95,  94, 197,  11,  26,
+ 166, 225,  57, 202, 213,  71,  93,  61, 217,   1,  90, 214,  81,  86, 108,  77,
+ 139,  13, 154, 102, 251, 204, 176,  45, 116,  18,  43,  32, 240, 177, 132, 153,
+ 223,  76, 203, 194,  52, 126, 118,   5, 109, 183, 169,  49, 209,  23,   4, 215,
+  20,  88,  58,  97, 222,  27,  17,  28,  50,  15, 156,  22,  83,  24, 242,  34,
+ 254,  68, 207, 178, 195, 181, 122, 145,  36,   8, 232, 168,  96, 252, 105,  80,
+ 170, 208, 160, 125, 161, 137,  98, 151,  84,  91,  30, 149, 224, 255, 100, 210,
+  16, 196,   0,  72, 163, 247, 117, 219, 138,   3, 230, 218,   9,  63, 221, 148,
+ 135,  92, 131,   2, 205,  74, 144,  51, 115, 103, 246, 243, 157, 127, 191, 226,
+  82, 155, 216,  38, 200,  55, 198,  59, 129, 150, 111,  75,  19, 190,  99,  46,
+ 233, 121, 167, 140, 159, 110, 188, 142,  41, 245, 249, 182,  47, 253, 180,  89,
+ 120, 152,   6, 106, 231,  70, 113, 186, 212,  37, 171,  66, 136, 162, 141, 250,
+ 114,   7, 185,  85, 248, 238, 172,  10,  54,  73,  42, 104,  60,  56, 241, 164,
+ 64,  40, 211, 123, 187, 201,  67, 193,  21, 227, 173, 244, 119, 199, 128, 158
+};
+
+static const unsigned char FSb2[256] =
+{
+ 224,   5,  88, 217, 103,  78, 129, 203, 201,  11, 174, 106, 213,  24,  93, 130,
+  70, 223, 214,  39, 138,  50,  75,  66, 219,  28, 158, 156,  58, 202,  37, 123,
+  13, 113,  95,  31, 248, 215,  62, 157, 124,  96, 185, 190, 188, 139,  22,  52,
+  77, 195, 114, 149, 171, 142, 186, 122, 179,   2, 180, 173, 162, 172, 216, 154,
+  23,  26,  53, 204, 247, 153,  97,  90, 232,  36,  86,  64, 225,  99,   9,  51,
+ 191, 152, 151, 133, 104, 252, 236,  10, 218, 111,  83,  98, 163,  46,   8, 175,
+  40, 176, 116, 194, 189,  54,  34,  56, 100,  30,  57,  44, 166,  48, 229,  68,
+ 253, 136, 159, 101, 135, 107, 244,  35,  72,  16, 209,  81, 192, 249, 210, 160,
+  85, 161,  65, 250,  67,  19, 196,  47, 168, 182,  60,  43, 193, 255, 200, 165,
+  32, 137,   0, 144,  71, 239, 234, 183,  21,   6, 205, 181,  18, 126, 187,  41,
+  15, 184,   7,   4, 155, 148,  33, 102, 230, 206, 237, 231,  59, 254, 127, 197,
+ 164,  55, 177,  76, 145, 110, 141, 118,   3,  45, 222, 150,  38, 125, 198,  92,
+ 211, 242,  79,  25,  63, 220, 121,  29,  82, 235, 243, 109,  94, 251, 105, 178,
+ 240,  49,  12, 212, 207, 140, 226, 117, 169,  74,  87, 132,  17,  69,  27, 245,
+ 228,  14, 115, 170, 241, 221,  89,  20, 108, 146,  84, 208, 120, 112, 227,  73,
+ 128,  80, 167, 246, 119, 147, 134, 131,  42, 199,  91, 233, 238, 143,   1,  61
+};
+
+static const unsigned char FSb3[256] =
+{
+  56,  65,  22, 118, 217, 147,  96, 242, 114, 194, 171, 154, 117,   6,  87, 160,
+ 145, 247, 181, 201, 162, 140, 210, 144, 246,   7, 167,  39, 142, 178,  73, 222,
+  67,  92, 215, 199,  62, 245, 143, 103,  31,  24, 110, 175,  47, 226, 133,  13,
+  83, 240, 156, 101, 234, 163, 174, 158, 236, 128,  45, 107, 168,  43,  54, 166,
+ 197, 134,  77,  51, 253, 102,  88, 150,  58,   9, 149,  16, 120, 216,  66, 204,
+ 239,  38, 229,  97,  26,  63,  59, 130, 182, 219, 212, 152, 232, 139,   2, 235,
+  10,  44,  29, 176, 111, 141, 136,  14,  25, 135,  78,  11, 169,  12, 121,  17,
+ 127,  34, 231,  89, 225, 218,  61, 200,  18,   4, 116,  84,  48, 126, 180,  40,
+  85, 104,  80, 190, 208, 196,  49, 203,  42, 173,  15, 202, 112, 255,  50, 105,
+   8,  98,   0,  36, 209, 251, 186, 237,  69, 129, 115, 109, 132, 159, 238,  74,
+ 195,  46, 193,   1, 230,  37,  72, 153, 185, 179, 123, 249, 206, 191, 223, 113,
+  41, 205, 108,  19, 100, 155,  99, 157, 192,  75, 183, 165, 137,  95, 177,  23,
+ 244, 188, 211,  70, 207,  55,  94,  71, 148, 250, 252,  91, 151, 254,  90, 172,
+  60,  76,   3,  53, 243,  35, 184,  93, 106, 146, 213,  33,  68,  81, 198, 125,
+  57, 131, 220, 170, 124, 119,  86,   5,  27, 164,  21,  52,  30,  28, 248,  82,
+  32,  20, 233, 189, 221, 228, 161, 224, 138, 241, 214, 122, 187, 227,  64,  79
+};
+
+static const unsigned char FSb4[256] =
+{
+ 112,  44, 179, 192, 228,  87, 234, 174,  35, 107,  69, 165, 237,  79,  29, 146,
+ 134, 175, 124,  31,  62, 220,  94,  11, 166,  57, 213,  93, 217,  90,  81, 108,
+ 139, 154, 251, 176, 116,  43, 240, 132, 223, 203,  52, 118, 109, 169, 209,   4,
+  20,  58, 222,  17,  50, 156,  83, 242, 254, 207, 195, 122,  36, 232,  96, 105,
+ 170, 160, 161,  98,  84,  30, 224, 100,  16,   0, 163, 117, 138, 230,   9, 221,
+ 135, 131, 205, 144, 115, 246, 157, 191,  82, 216, 200, 198, 129, 111,  19,  99,
+ 233, 167, 159, 188,  41, 249,  47, 180, 120,   6, 231, 113, 212, 171, 136, 141,
+ 114, 185, 248, 172,  54,  42,  60, 241,  64, 211, 187,  67,  21, 173, 119, 128,
+ 130, 236,  39, 229, 133,  53,  12,  65, 239, 147,  25,  33,  14,  78, 101, 189,
+ 184, 143, 235, 206,  48,  95, 197,  26, 225, 202,  71,  61,   1, 214,  86,  77,
+  13, 102, 204,  45,  18,  32, 177, 153,  76, 194, 126,   5, 183,  49,  23, 215,
+  88,  97,  27,  28,  15,  22,  24,  34,  68, 178, 181, 145,   8, 168, 252,  80,
+ 208, 125, 137, 151,  91, 149, 255, 210, 196,  72, 247, 219,   3, 218,  63, 148,
+  92,   2,  74,  51, 103, 243, 127, 226, 155,  38,  55,  59, 150,  75, 190,  46,
+ 121, 140, 110, 142, 245, 182, 253,  89, 152, 106,  70, 186,  37,  66, 162, 250,
+  7,  85, 238,  10,  73, 104,  56, 164,  40, 123, 201, 193, 227, 244, 199, 158
+};
+
+#define SBOX1(n) FSb[(n)]
+#define SBOX2(n) FSb2[(n)]
+#define SBOX3(n) FSb3[(n)]
+#define SBOX4(n) FSb4[(n)]
+
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+
+static const unsigned char shifts[2][4][4] =
+{
+    {
+        { 1, 1, 1, 1 }, /* KL */
+        { 0, 0, 0, 0 }, /* KR */
+        { 1, 1, 1, 1 }, /* KA */
+        { 0, 0, 0, 0 }  /* KB */
+    },
+    {
+        { 1, 0, 1, 1 }, /* KL */
+        { 1, 1, 0, 1 }, /* KR */
+        { 1, 1, 1, 0 }, /* KA */
+        { 1, 1, 0, 1 }  /* KB */
+    }
+};
+
+static const signed char indexes[2][4][20] =
+{
+    {
+        {  0,  1,  2,  3,  8,  9, 10, 11, 38, 39,
+          36, 37, 23, 20, 21, 22, 27, -1, -1, 26 }, /* KL -> RK */
+        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }, /* KR -> RK */
+        {  4,  5,  6,  7, 12, 13, 14, 15, 16, 17,
+          18, 19, -1, 24, 25, -1, 31, 28, 29, 30 }, /* KA -> RK */
+        { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+          -1, -1, -1, -1, -1, -1, -1, -1, -1, -1 }  /* KB -> RK */
+    },
+    {
+        {  0,  1,  2,  3, 61, 62, 63, 60, -1, -1,
+          -1, -1, 27, 24, 25, 26, 35, 32, 33, 34 }, /* KL -> RK */
+        { -1, -1, -1, -1,  8,  9, 10, 11, 16, 17,
+          18, 19, -1, -1, -1, -1, 39, 36, 37, 38 }, /* KR -> RK */
+        { -1, -1, -1, -1, 12, 13, 14, 15, 58, 59,
+          56, 57, 31, 28, 29, 30, -1, -1, -1, -1 }, /* KA -> RK */
+        {  4,  5,  6,  7, 65, 66, 67, 64, 20, 21,
+          22, 23, -1, -1, -1, -1, 43, 40, 41, 42 }  /* KB -> RK */
+    }
+};
+
+static const signed char transposes[2][20] =
+{
+    {
+        21, 22, 23, 20,
+        -1, -1, -1, -1,
+        18, 19, 16, 17,
+        11,  8,  9, 10,
+        15, 12, 13, 14
+    },
+    {
+        25, 26, 27, 24,
+        29, 30, 31, 28,
+        18, 19, 16, 17,
+        -1, -1, -1, -1,
+        -1, -1, -1, -1
+    }
+};
+
+/* Shift macro for 128 bit strings with rotation smaller than 32 bits (!) */
+#define ROTL(DEST, SRC, SHIFT)                                      \
+{                                                                   \
+    (DEST)[0] = (SRC)[0] << (SHIFT) ^ (SRC)[1] >> (32 - (SHIFT));   \
+    (DEST)[1] = (SRC)[1] << (SHIFT) ^ (SRC)[2] >> (32 - (SHIFT));   \
+    (DEST)[2] = (SRC)[2] << (SHIFT) ^ (SRC)[3] >> (32 - (SHIFT));   \
+    (DEST)[3] = (SRC)[3] << (SHIFT) ^ (SRC)[0] >> (32 - (SHIFT));   \
+}
+
+#define FL(XL, XR, KL, KR)                                          \
+{                                                                   \
+    (XR) = ((((XL) & (KL)) << 1) | (((XL) & (KL)) >> 31)) ^ (XR);   \
+    (XL) = ((XR) | (KR)) ^ (XL);                                    \
+}
+
+#define FLInv(YL, YR, KL, KR)                                       \
+{                                                                   \
+    (YL) = ((YR) | (KR)) ^ (YL);                                    \
+    (YR) = ((((YL) & (KL)) << 1) | (((YL) & (KL)) >> 31)) ^ (YR);   \
+}
+
+#define SHIFT_AND_PLACE(INDEX, OFFSET)                      \
+{                                                           \
+    TK[0] = KC[(OFFSET) * 4 + 0];                           \
+    TK[1] = KC[(OFFSET) * 4 + 1];                           \
+    TK[2] = KC[(OFFSET) * 4 + 2];                           \
+    TK[3] = KC[(OFFSET) * 4 + 3];                           \
+                                                            \
+    for( i = 1; i <= 4; i++ )                               \
+        if( shifts[(INDEX)][(OFFSET)][i -1] )               \
+            ROTL(TK + i * 4, TK, ( 15 * i ) % 32);          \
+                                                            \
+    for( i = 0; i < 20; i++ )                               \
+        if( indexes[(INDEX)][(OFFSET)][i] != -1 ) {         \
+            RK[indexes[(INDEX)][(OFFSET)][i]] = TK[ i ];    \
+        }                                                   \
+}
+
+static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
+                              uint32_t z[2])
+{
+    uint32_t I0, I1;
+    I0 = x[0] ^ k[0];
+    I1 = x[1] ^ k[1];
+
+    I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
+         ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
+         ((uint32_t) SBOX3((I0 >>  8) & 0xFF) <<  8) |
+         ((uint32_t) SBOX4((I0      ) & 0xFF)      );
+    I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
+         ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
+         ((uint32_t) SBOX4((I1 >>  8) & 0xFF) <<  8) |
+         ((uint32_t) SBOX1((I1      ) & 0xFF)      );
+
+    I0 ^= (I1 << 8) | (I1 >> 24);
+    I1 ^= (I0 << 16) | (I0 >> 16);
+    I0 ^= (I1 >> 8) | (I1 << 24);
+    I1 ^= (I0 >> 8) | (I0 << 24);
+
+    z[0] ^= I1;
+    z[1] ^= I0;
+}
+
+void mbedtls_camellia_init( mbedtls_camellia_context *ctx )
+{
+    CAMELLIA_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_camellia_context ) );
+}
+
+void mbedtls_camellia_free( mbedtls_camellia_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_camellia_context ) );
+}
+
+/*
+ * Camellia key schedule (encryption)
+ */
+int mbedtls_camellia_setkey_enc( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits )
+{
+    int idx;
+    size_t i;
+    uint32_t *RK;
+    unsigned char t[64];
+    uint32_t SIGMA[6][2];
+    uint32_t KC[16];
+    uint32_t TK[20];
+
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( key != NULL );
+
+    RK = ctx->rk;
+
+    memset( t, 0, 64 );
+    memset( RK, 0, sizeof(ctx->rk) );
+
+    switch( keybits )
+    {
+        case 128: ctx->nr = 3; idx = 0; break;
+        case 192:
+        case 256: ctx->nr = 4; idx = 1; break;
+        default : return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
+    }
+
+    for( i = 0; i < keybits / 8; ++i )
+        t[i] = key[i];
+
+    if( keybits == 192 ) {
+        for( i = 0; i < 8; i++ )
+            t[24 + i] = ~t[16 + i];
+    }
+
+    /*
+     * Prepare SIGMA values
+     */
+    for( i = 0; i < 6; i++ ) {
+        GET_UINT32_BE( SIGMA[i][0], SIGMA_CHARS[i], 0 );
+        GET_UINT32_BE( SIGMA[i][1], SIGMA_CHARS[i], 4 );
+    }
+
+    /*
+     * Key storage in KC
+     * Order: KL, KR, KA, KB
+     */
+    memset( KC, 0, sizeof(KC) );
+
+    /* Store KL, KR */
+    for( i = 0; i < 8; i++ )
+        GET_UINT32_BE( KC[i], t, i * 4 );
+
+    /* Generate KA */
+    for( i = 0; i < 4; ++i )
+        KC[8 + i] = KC[i] ^ KC[4 + i];
+
+    camellia_feistel( KC + 8, SIGMA[0], KC + 10 );
+    camellia_feistel( KC + 10, SIGMA[1], KC + 8 );
+
+    for( i = 0; i < 4; ++i )
+        KC[8 + i] ^= KC[i];
+
+    camellia_feistel( KC + 8, SIGMA[2], KC + 10 );
+    camellia_feistel( KC + 10, SIGMA[3], KC + 8 );
+
+    if( keybits > 128 ) {
+        /* Generate KB */
+        for( i = 0; i < 4; ++i )
+            KC[12 + i] = KC[4 + i] ^ KC[8 + i];
+
+        camellia_feistel( KC + 12, SIGMA[4], KC + 14 );
+        camellia_feistel( KC + 14, SIGMA[5], KC + 12 );
+    }
+
+    /*
+     * Generating subkeys
+     */
+
+    /* Manipulating KL */
+    SHIFT_AND_PLACE( idx, 0 );
+
+    /* Manipulating KR */
+    if( keybits > 128 ) {
+        SHIFT_AND_PLACE( idx, 1 );
+    }
+
+    /* Manipulating KA */
+    SHIFT_AND_PLACE( idx, 2 );
+
+    /* Manipulating KB */
+    if( keybits > 128 ) {
+        SHIFT_AND_PLACE( idx, 3 );
+    }
+
+    /* Do transpositions */
+    for( i = 0; i < 20; i++ ) {
+        if( transposes[idx][i] != -1 ) {
+            RK[32 + 12 * idx + i] = RK[transposes[idx][i]];
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Camellia key schedule (decryption)
+ */
+int mbedtls_camellia_setkey_dec( mbedtls_camellia_context *ctx,
+                                 const unsigned char *key,
+                                 unsigned int keybits )
+{
+    int idx, ret;
+    size_t i;
+    mbedtls_camellia_context cty;
+    uint32_t *RK;
+    uint32_t *SK;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( key != NULL );
+
+    mbedtls_camellia_init( &cty );
+
+    /* Also checks keybits */
+    if( ( ret = mbedtls_camellia_setkey_enc( &cty, key, keybits ) ) != 0 )
+        goto exit;
+
+    ctx->nr = cty.nr;
+    idx = ( ctx->nr == 4 );
+
+    RK = ctx->rk;
+    SK = cty.rk + 24 * 2 + 8 * idx * 2;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+    for( i = 22 + 8 * idx, SK -= 6; i > 0; i--, SK -= 4 )
+    {
+        *RK++ = *SK++;
+        *RK++ = *SK++;
+    }
+
+    SK -= 2;
+
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+    *RK++ = *SK++;
+
+exit:
+    mbedtls_camellia_free( &cty );
+
+    return( ret );
+}
+
+/*
+ * Camellia-ECB block encryption/decryption
+ */
+int mbedtls_camellia_crypt_ecb( mbedtls_camellia_context *ctx,
+                    int mode,
+                    const unsigned char input[16],
+                    unsigned char output[16] )
+{
+    int NR;
+    uint32_t *RK, X[4];
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( input  != NULL );
+    CAMELLIA_VALIDATE_RET( output != NULL );
+
+    ( (void) mode );
+
+    NR = ctx->nr;
+    RK = ctx->rk;
+
+    GET_UINT32_BE( X[0], input,  0 );
+    GET_UINT32_BE( X[1], input,  4 );
+    GET_UINT32_BE( X[2], input,  8 );
+    GET_UINT32_BE( X[3], input, 12 );
+
+    X[0] ^= *RK++;
+    X[1] ^= *RK++;
+    X[2] ^= *RK++;
+    X[3] ^= *RK++;
+
+    while( NR ) {
+        --NR;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+        camellia_feistel( X, RK, X + 2 );
+        RK += 2;
+        camellia_feistel( X + 2, RK, X );
+        RK += 2;
+
+        if( NR ) {
+            FL(X[0], X[1], RK[0], RK[1]);
+            RK += 2;
+            FLInv(X[2], X[3], RK[0], RK[1]);
+            RK += 2;
+        }
+    }
+
+    X[2] ^= *RK++;
+    X[3] ^= *RK++;
+    X[0] ^= *RK++;
+    X[1] ^= *RK++;
+
+    PUT_UINT32_BE( X[2], output,  0 );
+    PUT_UINT32_BE( X[3], output,  4 );
+    PUT_UINT32_BE( X[0], output,  8 );
+    PUT_UINT32_BE( X[1], output, 12 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * Camellia-CBC buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cbc( mbedtls_camellia_context *ctx,
+                                int mode,
+                                size_t length,
+                                unsigned char iv[16],
+                                const unsigned char *input,
+                                unsigned char *output )
+{
+    int i;
+    unsigned char temp[16];
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( iv != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( length % 16 )
+        return( MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 16 );
+            mbedtls_camellia_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 16; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_camellia_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 16 );
+
+            input  += 16;
+            output += 16;
+            length -= 16;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+/*
+ * Camellia-CFB128 buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_cfb128( mbedtls_camellia_context *ctx,
+                       int mode,
+                       size_t length,
+                       size_t *iv_off,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c;
+    size_t n;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( mode == MBEDTLS_CAMELLIA_ENCRYPT ||
+                           mode == MBEDTLS_CAMELLIA_DECRYPT );
+    CAMELLIA_VALIDATE_RET( iv     != NULL );
+    CAMELLIA_VALIDATE_RET( iv_off != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *iv_off;
+    if( n >= 16 )
+        return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
+
+    if( mode == MBEDTLS_CAMELLIA_DECRYPT )
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
+
+            c = *input++;
+            *output++ = (unsigned char)( c ^ iv[n] );
+            iv[n] = (unsigned char) c;
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+    else
+    {
+        while( length-- )
+        {
+            if( n == 0 )
+                mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, iv, iv );
+
+            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
+
+            n = ( n + 1 ) & 0x0F;
+        }
+    }
+
+    *iv_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR buffer encryption/decryption
+ */
+int mbedtls_camellia_crypt_ctr( mbedtls_camellia_context *ctx,
+                       size_t length,
+                       size_t *nc_off,
+                       unsigned char nonce_counter[16],
+                       unsigned char stream_block[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int c, i;
+    size_t n;
+    CAMELLIA_VALIDATE_RET( ctx != NULL );
+    CAMELLIA_VALIDATE_RET( nonce_counter != NULL );
+    CAMELLIA_VALIDATE_RET( stream_block  != NULL );
+    CAMELLIA_VALIDATE_RET( nc_off != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || input  != NULL );
+    CAMELLIA_VALIDATE_RET( length == 0 || output != NULL );
+
+    n = *nc_off;
+    if( n >= 16 )
+        return( MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA );
+
+    while( length-- )
+    {
+        if( n == 0 ) {
+            mbedtls_camellia_crypt_ecb( ctx, MBEDTLS_CAMELLIA_ENCRYPT, nonce_counter,
+                                stream_block );
+
+            for( i = 16; i > 0; i-- )
+                if( ++nonce_counter[i - 1] != 0 )
+                    break;
+        }
+        c = *input++;
+        *output++ = (unsigned char)( c ^ stream_block[n] );
+
+        n = ( n + 1 ) & 0x0F;
+    }
+
+    *nc_off = n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* !MBEDTLS_CAMELLIA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Camellia test vectors from:
+ *
+ * http://info.isl.ntt.co.jp/crypt/eng/camellia/technology.html:
+ *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/intermediate.txt
+ *   http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/cryptrec/t_camellia.txt
+ *                      (For each bitlength: Key 0, Nr 39)
+ */
+#define CAMELLIA_TESTS_ECB  2
+
+static const unsigned char camellia_test_ecb_key[3][CAMELLIA_TESTS_ECB][32] =
+{
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+    {
+        { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+          0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
+          0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff },
+        { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+          0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+    },
+};
+
+static const unsigned char camellia_test_ecb_plain[CAMELLIA_TESTS_ECB][16] =
+{
+    { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
+      0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 },
+    { 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char camellia_test_ecb_cipher[3][CAMELLIA_TESTS_ECB][16] =
+{
+    {
+        { 0x67, 0x67, 0x31, 0x38, 0x54, 0x96, 0x69, 0x73,
+          0x08, 0x57, 0x06, 0x56, 0x48, 0xea, 0xbe, 0x43 },
+        { 0x38, 0x3C, 0x6C, 0x2A, 0xAB, 0xEF, 0x7F, 0xDE,
+          0x25, 0xCD, 0x47, 0x0B, 0xF7, 0x74, 0xA3, 0x31 }
+    },
+    {
+        { 0xb4, 0x99, 0x34, 0x01, 0xb3, 0xe9, 0x96, 0xf8,
+          0x4e, 0xe5, 0xce, 0xe7, 0xd7, 0x9b, 0x09, 0xb9 },
+        { 0xD1, 0x76, 0x3F, 0xC0, 0x19, 0xD7, 0x7C, 0xC9,
+          0x30, 0xBF, 0xF2, 0xA5, 0x6F, 0x7C, 0x93, 0x64 }
+    },
+    {
+        { 0x9a, 0xcc, 0x23, 0x7d, 0xff, 0x16, 0xd7, 0x6c,
+          0x20, 0xef, 0x7c, 0x91, 0x9e, 0x3a, 0x75, 0x09 },
+        { 0x05, 0x03, 0xFB, 0x10, 0xAB, 0x24, 0x1E, 0x7C,
+          0xF4, 0x5D, 0x8C, 0xDE, 0xEE, 0x47, 0x43, 0x35 }
+    }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#define CAMELLIA_TESTS_CBC  3
+
+static const unsigned char camellia_test_cbc_key[3][32] =
+{
+        { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
+          0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }
+    ,
+        { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
+          0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
+          0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }
+    ,
+        { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
+          0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
+          0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
+          0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
+};
+
+static const unsigned char camellia_test_cbc_iv[16] =
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F }
+;
+
+static const unsigned char camellia_test_cbc_plain[CAMELLIA_TESTS_CBC][16] =
+{
+    { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
+      0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A },
+    { 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
+      0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51 },
+    { 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
+      0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF }
+
+};
+
+static const unsigned char camellia_test_cbc_cipher[3][CAMELLIA_TESTS_CBC][16] =
+{
+    {
+        { 0x16, 0x07, 0xCF, 0x49, 0x4B, 0x36, 0xBB, 0xF0,
+          0x0D, 0xAE, 0xB0, 0xB5, 0x03, 0xC8, 0x31, 0xAB },
+        { 0xA2, 0xF2, 0xCF, 0x67, 0x16, 0x29, 0xEF, 0x78,
+          0x40, 0xC5, 0xA5, 0xDF, 0xB5, 0x07, 0x48, 0x87 },
+        { 0x0F, 0x06, 0x16, 0x50, 0x08, 0xCF, 0x8B, 0x8B,
+          0x5A, 0x63, 0x58, 0x63, 0x62, 0x54, 0x3E, 0x54 }
+    },
+    {
+        { 0x2A, 0x48, 0x30, 0xAB, 0x5A, 0xC4, 0xA1, 0xA2,
+          0x40, 0x59, 0x55, 0xFD, 0x21, 0x95, 0xCF, 0x93 },
+        { 0x5D, 0x5A, 0x86, 0x9B, 0xD1, 0x4C, 0xE5, 0x42,
+          0x64, 0xF8, 0x92, 0xA6, 0xDD, 0x2E, 0xC3, 0xD5 },
+        { 0x37, 0xD3, 0x59, 0xC3, 0x34, 0x98, 0x36, 0xD8,
+          0x84, 0xE3, 0x10, 0xAD, 0xDF, 0x68, 0xC4, 0x49 }
+    },
+    {
+        { 0xE6, 0xCF, 0xA3, 0x5F, 0xC0, 0x2B, 0x13, 0x4A,
+          0x4D, 0x2C, 0x0B, 0x67, 0x37, 0xAC, 0x3E, 0xDA },
+        { 0x36, 0xCB, 0xEB, 0x73, 0xBD, 0x50, 0x4B, 0x40,
+          0x70, 0xB1, 0xB7, 0xDE, 0x2B, 0x21, 0xEB, 0x50 },
+        { 0xE3, 0x1A, 0x60, 0x55, 0x29, 0x7D, 0x96, 0xCA,
+          0x33, 0x30, 0xCD, 0xF1, 0xB1, 0x86, 0x0A, 0x83 }
+    }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+/*
+ * Camellia-CTR test vectors from:
+ *
+ * http://www.faqs.org/rfcs/rfc5528.html
+ */
+
+static const unsigned char camellia_test_ctr_key[3][16] =
+{
+    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
+      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
+    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
+      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
+    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
+      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
+};
+
+static const unsigned char camellia_test_ctr_nonce_counter[3][16] =
+{
+    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
+      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
+    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
+      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
+};
+
+static const unsigned char camellia_test_ctr_pt[3][48] =
+{
+    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
+      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
+
+    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+      0x20, 0x21, 0x22, 0x23 }
+};
+
+static const unsigned char camellia_test_ctr_ct[3][48] =
+{
+    { 0xD0, 0x9D, 0xC2, 0x9A, 0x82, 0x14, 0x61, 0x9A,
+      0x20, 0x87, 0x7C, 0x76, 0xDB, 0x1F, 0x0B, 0x3F },
+    { 0xDB, 0xF3, 0xC7, 0x8D, 0xC0, 0x83, 0x96, 0xD4,
+      0xDA, 0x7C, 0x90, 0x77, 0x65, 0xBB, 0xCB, 0x44,
+      0x2B, 0x8E, 0x8E, 0x0F, 0x31, 0xF0, 0xDC, 0xA7,
+      0x2C, 0x74, 0x17, 0xE3, 0x53, 0x60, 0xE0, 0x48 },
+    { 0xB1, 0x9D, 0x1F, 0xCD, 0xCB, 0x75, 0xEB, 0x88,
+      0x2F, 0x84, 0x9C, 0xE2, 0x4D, 0x85, 0xCF, 0x73,
+      0x9C, 0xE6, 0x4B, 0x2B, 0x5C, 0x9D, 0x73, 0xF1,
+      0x4F, 0x2D, 0x5D, 0x9D, 0xCE, 0x98, 0x89, 0xCD,
+      0xDF, 0x50, 0x86, 0x96 }
+};
+
+static const int camellia_test_ctr_len[3] =
+    { 16, 32, 36 };
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_camellia_self_test( int verbose )
+{
+    int i, j, u, v;
+    unsigned char key[32];
+    unsigned char buf[64];
+    unsigned char src[16];
+    unsigned char dst[16];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char iv[16];
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    size_t offset, len;
+    unsigned char nonce_counter[16];
+    unsigned char stream_block[16];
+#endif
+
+    mbedtls_camellia_context ctx;
+
+    memset( key, 0, 32 );
+
+    for( j = 0; j < 6; j++ ) {
+        u = j >> 1;
+    v = j & 1;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  CAMELLIA-ECB-%3d (%s): ", 128 + u * 64,
+                         (v == MBEDTLS_CAMELLIA_DECRYPT) ? "dec" : "enc");
+
+    for( i = 0; i < CAMELLIA_TESTS_ECB; i++ ) {
+        memcpy( key, camellia_test_ecb_key[u][i], 16 + 8 * u );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+            mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
+            memcpy( src, camellia_test_ecb_cipher[u][i], 16 );
+            memcpy( dst, camellia_test_ecb_plain[i], 16 );
+        } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+            mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
+            memcpy( src, camellia_test_ecb_plain[i], 16 );
+            memcpy( dst, camellia_test_ecb_cipher[u][i], 16 );
+        }
+
+        mbedtls_camellia_crypt_ecb( &ctx, v, src, buf );
+
+        if( memcmp( buf, dst, 16 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( j = 0; j < 6; j++ )
+    {
+        u = j >> 1;
+        v = j  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  CAMELLIA-CBC-%3d (%s): ", 128 + u * 64,
+                             ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( src, camellia_test_cbc_iv, 16 );
+        memcpy( dst, camellia_test_cbc_iv, 16 );
+        memcpy( key, camellia_test_cbc_key[u], 16 + 8 * u );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+            mbedtls_camellia_setkey_dec( &ctx, key, 128 + u * 64 );
+        } else {
+            mbedtls_camellia_setkey_enc( &ctx, key, 128 + u * 64 );
+        }
+
+        for( i = 0; i < CAMELLIA_TESTS_CBC; i++ ) {
+
+            if( v == MBEDTLS_CAMELLIA_DECRYPT ) {
+                memcpy( iv , src, 16 );
+                memcpy( src, camellia_test_cbc_cipher[u][i], 16 );
+                memcpy( dst, camellia_test_cbc_plain[i], 16 );
+            } else { /* MBEDTLS_CAMELLIA_ENCRYPT */
+                memcpy( iv , dst, 16 );
+                memcpy( src, camellia_test_cbc_plain[i], 16 );
+                memcpy( dst, camellia_test_cbc_cipher[u][i], 16 );
+            }
+
+            mbedtls_camellia_crypt_cbc( &ctx, v, 16, iv, src, buf );
+
+            if( memcmp( buf, dst, 16 ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    /*
+     * CTR mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  CAMELLIA-CTR-128 (%s): ",
+                             ( v == MBEDTLS_CAMELLIA_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( nonce_counter, camellia_test_ctr_nonce_counter[u], 16 );
+        memcpy( key, camellia_test_ctr_key[u], 16 );
+
+        offset = 0;
+        mbedtls_camellia_setkey_enc( &ctx, key, 128 );
+
+        if( v == MBEDTLS_CAMELLIA_DECRYPT )
+        {
+            len = camellia_test_ctr_len[u];
+            memcpy( buf, camellia_test_ctr_ct[u], len );
+
+            mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
+                                buf, buf );
+
+            if( memcmp( buf, camellia_test_ctr_pt[u], len ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+        else
+        {
+            len = camellia_test_ctr_len[u];
+            memcpy( buf, camellia_test_ctr_pt[u], len );
+
+            mbedtls_camellia_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
+                                buf, buf );
+
+            if( memcmp( buf, camellia_test_ctr_ct[u], len ) != 0 )
+            {
+                if( verbose != 0 )
+                    mbedtls_printf( "failed\n" );
+
+                return( 1 );
+            }
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CAMELLIA_C */
diff --git a/makerom/deps/libmbedtls/src/ccm.c b/makerom/deps/libmbedtls/src/ccm.c
new file mode 100644
index 00000000..c6211ee7
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ccm.c
@@ -0,0 +1,545 @@
+/*
+ *  NIST SP800-38C compliant CCM implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Definition of CCM:
+ * http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
+ * RFC 3610 "Counter with CBC-MAC (CCM)"
+ *
+ * Related:
+ * RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+
+#include "mbedtls/ccm.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_CCM_ALT)
+
+#define CCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CCM_BAD_INPUT )
+#define CCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define CCM_ENCRYPT 0
+#define CCM_DECRYPT 1
+
+/*
+ * Initialize context
+ */
+void mbedtls_ccm_init( mbedtls_ccm_context *ctx )
+{
+    CCM_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_ccm_context ) );
+}
+
+int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( key != NULL );
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ccm_free( mbedtls_ccm_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ccm_context ) );
+}
+
+/*
+ * Macros for common operations.
+ * Results in smaller compiled code than static inline functions.
+ */
+
+/*
+ * Update the CBC-MAC state in y using a block in b
+ * (Always using b as the source helps the compiler optimise a bit better.)
+ */
+#define UPDATE_CBC_MAC                                                      \
+    for( i = 0; i < 16; i++ )                                               \
+        y[i] ^= b[i];                                                       \
+                                                                            \
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, y, 16, y, &olen ) ) != 0 ) \
+        return( ret );
+
+/*
+ * Encrypt or decrypt a partial block with CTR
+ * Warning: using b for temporary storage! src and dst must not be b!
+ * This avoids allocating one more 16 bytes buffer while allowing src == dst.
+ */
+#define CTR_CRYPT( dst, src, len  )                                            \
+    do                                                                  \
+    {                                                                   \
+        if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctr,       \
+                                           16, b, &olen ) ) != 0 )      \
+        {                                                               \
+            return( ret );                                              \
+        }                                                               \
+                                                                        \
+        for( i = 0; i < (len); i++ )                                    \
+            (dst)[i] = (src)[i] ^ b[i];                                 \
+    } while( 0 )
+
+/*
+ * Authenticated encryption or decryption
+ */
+static int ccm_auth_crypt( mbedtls_ccm_context *ctx, int mode, size_t length,
+                           const unsigned char *iv, size_t iv_len,
+                           const unsigned char *add, size_t add_len,
+                           const unsigned char *input, unsigned char *output,
+                           unsigned char *tag, size_t tag_len )
+{
+    int ret;
+    unsigned char i;
+    unsigned char q;
+    size_t len_left, olen;
+    unsigned char b[16];
+    unsigned char y[16];
+    unsigned char ctr[16];
+    const unsigned char *src;
+    unsigned char *dst;
+
+    /*
+     * Check length requirements: SP800-38C A.1
+     * Additional requirement: a < 2^16 - 2^8 to simplify the code.
+     * 'length' checked later (when writing it to the first block)
+     *
+     * Also, loosen the requirements to enable support for CCM* (IEEE 802.15.4).
+     */
+    if( tag_len == 2 || tag_len > 16 || tag_len % 2 != 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    /* Also implies q is within bounds */
+    if( iv_len < 7 || iv_len > 13 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    if( add_len > 0xFF00 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    q = 16 - 1 - (unsigned char) iv_len;
+
+    /*
+     * First block B_0:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       length
+     *
+     * With flags as (bits):
+     * 7        0
+     * 6        add present?
+     * 5 .. 3   (t - 2) / 2
+     * 2 .. 0   q - 1
+     */
+    b[0] = 0;
+    b[0] |= ( add_len > 0 ) << 6;
+    b[0] |= ( ( tag_len - 2 ) / 2 ) << 3;
+    b[0] |= q - 1;
+
+    memcpy( b + 1, iv, iv_len );
+
+    for( i = 0, len_left = length; i < q; i++, len_left >>= 8 )
+        b[15-i] = (unsigned char)( len_left & 0xFF );
+
+    if( len_left > 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+
+    /* Start CBC-MAC with first block */
+    memset( y, 0, 16 );
+    UPDATE_CBC_MAC;
+
+    /*
+     * If there is additional data, update CBC-MAC with
+     * add_len, add, 0 (padding to a block boundary)
+     */
+    if( add_len > 0 )
+    {
+        size_t use_len;
+        len_left = add_len;
+        src = add;
+
+        memset( b, 0, 16 );
+        b[0] = (unsigned char)( ( add_len >> 8 ) & 0xFF );
+        b[1] = (unsigned char)( ( add_len      ) & 0xFF );
+
+        use_len = len_left < 16 - 2 ? len_left : 16 - 2;
+        memcpy( b + 2, src, use_len );
+        len_left -= use_len;
+        src += use_len;
+
+        UPDATE_CBC_MAC;
+
+        while( len_left > 0 )
+        {
+            use_len = len_left > 16 ? 16 : len_left;
+
+            memset( b, 0, 16 );
+            memcpy( b, src, use_len );
+            UPDATE_CBC_MAC;
+
+            len_left -= use_len;
+            src += use_len;
+        }
+    }
+
+    /*
+     * Prepare counter block for encryption:
+     * 0        .. 0        flags
+     * 1        .. iv_len   nonce (aka iv)
+     * iv_len+1 .. 15       counter (initially 1)
+     *
+     * With flags as (bits):
+     * 7 .. 3   0
+     * 2 .. 0   q - 1
+     */
+    ctr[0] = q - 1;
+    memcpy( ctr + 1, iv, iv_len );
+    memset( ctr + 1 + iv_len, 0, q );
+    ctr[15] = 1;
+
+    /*
+     * Authenticate and {en,de}crypt the message.
+     *
+     * The only difference between encryption and decryption is
+     * the respective order of authentication and {en,de}cryption.
+     */
+    len_left = length;
+    src = input;
+    dst = output;
+
+    while( len_left > 0 )
+    {
+        size_t use_len = len_left > 16 ? 16 : len_left;
+
+        if( mode == CCM_ENCRYPT )
+        {
+            memset( b, 0, 16 );
+            memcpy( b, src, use_len );
+            UPDATE_CBC_MAC;
+        }
+
+        CTR_CRYPT( dst, src, use_len );
+
+        if( mode == CCM_DECRYPT )
+        {
+            memset( b, 0, 16 );
+            memcpy( b, dst, use_len );
+            UPDATE_CBC_MAC;
+        }
+
+        dst += use_len;
+        src += use_len;
+        len_left -= use_len;
+
+        /*
+         * Increment counter.
+         * No need to check for overflow thanks to the length check above.
+         */
+        for( i = 0; i < q; i++ )
+            if( ++ctr[15-i] != 0 )
+                break;
+    }
+
+    /*
+     * Authentication: reset counter and crypt/mask internal tag
+     */
+    for( i = 0; i < q; i++ )
+        ctr[15-i] = 0;
+
+    CTR_CRYPT( y, y, 16 );
+    memcpy( tag, y, tag_len );
+
+    return( 0 );
+}
+
+/*
+ * Authenticated encryption
+ */
+int mbedtls_ccm_star_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    return( ccm_auth_crypt( ctx, CCM_ENCRYPT, length, iv, iv_len,
+                            add, add_len, input, output, tag, tag_len ) );
+}
+
+int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *add, size_t add_len,
+                         const unsigned char *input, unsigned char *output,
+                         unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( tag_len == 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    return( mbedtls_ccm_star_encrypt_and_tag( ctx, length, iv, iv_len, add,
+                add_len, input, output, tag, tag_len ) );
+}
+
+/*
+ * Authenticated decryption
+ */
+int mbedtls_ccm_star_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len )
+{
+    int ret;
+    unsigned char check_tag[16];
+    unsigned char i;
+    int diff;
+
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+    if( ( ret = ccm_auth_crypt( ctx, CCM_DECRYPT, length,
+                                iv, iv_len, add, add_len,
+                                input, output, check_tag, tag_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_platform_zeroize( output, length );
+        return( MBEDTLS_ERR_CCM_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
+                      const unsigned char *iv, size_t iv_len,
+                      const unsigned char *add, size_t add_len,
+                      const unsigned char *input, unsigned char *output,
+                      const unsigned char *tag, size_t tag_len )
+{
+    CCM_VALIDATE_RET( ctx != NULL );
+    CCM_VALIDATE_RET( iv != NULL );
+    CCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    CCM_VALIDATE_RET( length == 0 || input != NULL );
+    CCM_VALIDATE_RET( length == 0 || output != NULL );
+    CCM_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+    if( tag_len == 0 )
+        return( MBEDTLS_ERR_CCM_BAD_INPUT );
+
+    return( mbedtls_ccm_star_auth_decrypt( ctx, length, iv, iv_len, add,
+                add_len, input, output, tag, tag_len ) );
+}
+#endif /* !MBEDTLS_CCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * Examples 1 to 3 from SP800-38C Appendix C
+ */
+
+#define NB_TESTS 3
+#define CCM_SELFTEST_PT_MAX_LEN 24
+#define CCM_SELFTEST_CT_MAX_LEN 32
+/*
+ * The data is the same for all tests, only the used length changes
+ */
+static const unsigned char key[] = {
+    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+    0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f
+};
+
+static const unsigned char iv[] = {
+    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+    0x18, 0x19, 0x1a, 0x1b
+};
+
+static const unsigned char ad[] = {
+    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char msg[CCM_SELFTEST_PT_MAX_LEN] = {
+    0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+    0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+    0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+};
+
+static const size_t iv_len [NB_TESTS] = { 7, 8,  12 };
+static const size_t add_len[NB_TESTS] = { 8, 16, 20 };
+static const size_t msg_len[NB_TESTS] = { 4, 16, 24 };
+static const size_t tag_len[NB_TESTS] = { 4, 6,  8  };
+
+static const unsigned char res[NB_TESTS][CCM_SELFTEST_CT_MAX_LEN] = {
+    {   0x71, 0x62, 0x01, 0x5b, 0x4d, 0xac, 0x25, 0x5d },
+    {   0xd2, 0xa1, 0xf0, 0xe0, 0x51, 0xea, 0x5f, 0x62,
+        0x08, 0x1a, 0x77, 0x92, 0x07, 0x3d, 0x59, 0x3d,
+        0x1f, 0xc6, 0x4f, 0xbf, 0xac, 0xcd },
+    {   0xe3, 0xb2, 0x01, 0xa9, 0xf5, 0xb7, 0x1a, 0x7a,
+        0x9b, 0x1c, 0xea, 0xec, 0xcd, 0x97, 0xe7, 0x0b,
+        0x61, 0x76, 0xaa, 0xd9, 0xa4, 0x42, 0x8a, 0xa5,
+        0x48, 0x43, 0x92, 0xfb, 0xc1, 0xb0, 0x99, 0x51 }
+};
+
+int mbedtls_ccm_self_test( int verbose )
+{
+    mbedtls_ccm_context ctx;
+    /*
+     * Some hardware accelerators require the input and output buffers
+     * would be in RAM, because the flash is not accessible.
+     * Use buffers on the stack to hold the test vectors data.
+     */
+    unsigned char plaintext[CCM_SELFTEST_PT_MAX_LEN];
+    unsigned char ciphertext[CCM_SELFTEST_CT_MAX_LEN];
+    size_t i;
+    int ret;
+
+    mbedtls_ccm_init( &ctx );
+
+    if( mbedtls_ccm_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, key, 8 * sizeof key ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  CCM: setup failed" );
+
+        return( 1 );
+    }
+
+    for( i = 0; i < NB_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  CCM-AES #%u: ", (unsigned int) i + 1 );
+
+        memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
+        memset( ciphertext, 0, CCM_SELFTEST_CT_MAX_LEN );
+        memcpy( plaintext, msg, msg_len[i] );
+
+        ret = mbedtls_ccm_encrypt_and_tag( &ctx, msg_len[i],
+                                           iv, iv_len[i], ad, add_len[i],
+                                           plaintext, ciphertext,
+                                           ciphertext + msg_len[i], tag_len[i] );
+
+        if( ret != 0 ||
+            memcmp( ciphertext, res[i], msg_len[i] + tag_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+        memset( plaintext, 0, CCM_SELFTEST_PT_MAX_LEN );
+
+        ret = mbedtls_ccm_auth_decrypt( &ctx, msg_len[i],
+                                        iv, iv_len[i], ad, add_len[i],
+                                        ciphertext, plaintext,
+                                        ciphertext + msg_len[i], tag_len[i] );
+
+        if( ret != 0 ||
+            memcmp( plaintext, msg, msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( 1 );
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    mbedtls_ccm_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_CCM_C */
diff --git a/makerom/deps/libmbedtls/src/certs.c b/makerom/deps/libmbedtls/src/certs.c
new file mode 100644
index 00000000..80ab0b9d
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/certs.c
@@ -0,0 +1,1753 @@
+/*
+ *  X.509 test certificates
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/certs.h"
+
+#if defined(MBEDTLS_CERTS_C)
+
+/*
+ * Test CA Certificates
+ *
+ * We define test CA certificates for each choice of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ *
+ */
+
+/* This is taken from tests/data_files/test-ca2.crt */
+/* BEGIN FILE string macro TEST_CA_CRT_EC_PEM tests/data_files/test-ca2.crt */
+#define TEST_CA_CRT_EC_PEM                                                 \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICBDCCAYigAwIBAgIJAMFD4n5iQ8zoMAwGCCqGSM49BAMCBQAwPjELMAkGA1UE\r\n" \
+    "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+    "IEVDIENBMB4XDTE5MDIxMDE0NDQwMFoXDTI5MDIxMDE0NDQwMFowPjELMAkGA1UE\r\n" \
+    "BhMCTkwxETAPBgNVBAoMCFBvbGFyU1NMMRwwGgYDVQQDDBNQb2xhcnNzbCBUZXN0\r\n" \
+    "IEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEw9orNEE3WC+HVv78ibopQ0tO\r\n" \
+    "4G7DDldTMzlY1FK0kZU5CyPfXxckYkj8GpUpziwth8KIUoCv1mqrId240xxuWLjK\r\n" \
+    "6LJpjvNBrSnDtF91p0dv1RkpVWmaUzsgtGYWYDMeo1AwTjAMBgNVHRMEBTADAQH/\r\n" \
+    "MB0GA1UdDgQWBBSdbSAkSQE/K8t4tRm8fiTJ2/s2fDAfBgNVHSMEGDAWgBSdbSAk\r\n" \
+    "SQE/K8t4tRm8fiTJ2/s2fDAMBggqhkjOPQQDAgUAA2gAMGUCMFHKrjAPpHB0BN1a\r\n" \
+    "LH8TwcJ3vh0AxeKZj30mRdOKBmg/jLS3rU3g8VQBHpn8sOTTBwIxANxPO5AerimZ\r\n" \
+    "hCjMe0d4CTHf1gFZMF70+IqEP+o5VHsIp2Cqvflb0VGWFC5l9a4cQg==\r\n"         \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/test-ca2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_EC_DER tests/data_files/test-ca2.crt.der */
+#define TEST_CA_CRT_EC_DER {                                                 \
+  0x30, 0x82, 0x02, 0x04, 0x30, 0x82, 0x01, 0x88, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,    \
+  0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,    \
+  0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,    \
+  0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,    \
+  0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50,    \
+  0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74,    \
+  0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x39,    \
+  0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x17,    \
+  0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30,    \
+  0x30, 0x5a, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,    \
+  0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,    \
+  0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x50,    \
+  0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74,    \
+  0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07,    \
+  0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04,    \
+  0x00, 0x22, 0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37,    \
+  0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e,    \
+  0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4,    \
+  0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc,    \
+  0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf,    \
+  0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca,    \
+  0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75,    \
+  0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20,    \
+  0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x0c,    \
+  0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,    \
+  0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d,    \
+  0x6d, 0x20, 0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc,    \
+  0x7e, 0x24, 0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x1f, 0x06, 0x03, 0x55,    \
+  0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24,    \
+  0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9,    \
+  0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,    \
+  0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02,    \
+  0x30, 0x51, 0xca, 0xae, 0x30, 0x0f, 0xa4, 0x70, 0x74, 0x04, 0xdd, 0x5a,    \
+  0x2c, 0x7f, 0x13, 0xc1, 0xc2, 0x77, 0xbe, 0x1d, 0x00, 0xc5, 0xe2, 0x99,    \
+  0x8f, 0x7d, 0x26, 0x45, 0xd3, 0x8a, 0x06, 0x68, 0x3f, 0x8c, 0xb4, 0xb7,    \
+  0xad, 0x4d, 0xe0, 0xf1, 0x54, 0x01, 0x1e, 0x99, 0xfc, 0xb0, 0xe4, 0xd3,    \
+  0x07, 0x02, 0x31, 0x00, 0xdc, 0x4f, 0x3b, 0x90, 0x1e, 0xae, 0x29, 0x99,    \
+  0x84, 0x28, 0xcc, 0x7b, 0x47, 0x78, 0x09, 0x31, 0xdf, 0xd6, 0x01, 0x59,    \
+  0x30, 0x5e, 0xf4, 0xf8, 0x8a, 0x84, 0x3f, 0xea, 0x39, 0x54, 0x7b, 0x08,    \
+  0xa7, 0x60, 0xaa, 0xbd, 0xf9, 0x5b, 0xd1, 0x51, 0x96, 0x14, 0x2e, 0x65,    \
+  0xf5, 0xae, 0x1c, 0x42                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca2.key.enc */
+/* BEGIN FILE string macro TEST_CA_KEY_EC_PEM tests/data_files/test-ca2.key.enc */
+#define TEST_CA_KEY_EC_PEM                                                 \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"                          \
+    "\r\n"                                                                 \
+    "IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n" \
+    "ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n" \
+    "UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n" \
+    "a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"                                 \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+#define TEST_CA_PWD_EC_PEM "PolarSSLTest"
+
+/* This is generated from tests/data_files/test-ca2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_EC_DER tests/data_files/test-ca2.key.der */
+#define TEST_CA_KEY_EC_DER {                                                 \
+    0x30, 0x81, 0xa4, 0x02, 0x01, 0x01, 0x04, 0x30, 0x83, 0xd9, 0x15, 0x0e,  \
+    0xa0, 0x71, 0xf0, 0x57, 0x10, 0x33, 0xa3, 0x38, 0xb8, 0x86, 0xc1, 0xa6,  \
+    0x11, 0x5d, 0x6d, 0xb4, 0x03, 0xe1, 0x29, 0x76, 0x45, 0xd7, 0x87, 0x6f,  \
+    0x23, 0xab, 0x44, 0x20, 0xea, 0x64, 0x7b, 0x85, 0xb1, 0x76, 0xe7, 0x85,  \
+    0x95, 0xaa, 0x74, 0xd6, 0xd1, 0xa4, 0x5e, 0xea, 0xa0, 0x07, 0x06, 0x05,  \
+    0x2b, 0x81, 0x04, 0x00, 0x22, 0xa1, 0x64, 0x03, 0x62, 0x00, 0x04, 0xc3,  \
+    0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f, 0x87, 0x56, 0xfe, 0xfc, 0x89,  \
+    0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e, 0xc3, 0x0e, 0x57, 0x53, 0x33,  \
+    0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95, 0x39, 0x0b, 0x23, 0xdf, 0x5f,  \
+    0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95, 0x29, 0xce, 0x2c, 0x2d, 0x87,  \
+    0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a, 0xab, 0x21, 0xdd, 0xb8, 0xd3,  \
+    0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2, 0x69, 0x8e, 0xf3, 0x41, 0xad,  \
+    0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47, 0x6f, 0xd5, 0x19, 0x29, 0x55,  \
+    0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66, 0x16, 0x60, 0x33, 0x1e         \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha256.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA256_PEM tests/data_files/test-ca-sha256.crt */
+#define TEST_CA_CRT_RSA_SHA256_PEM                                         \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBCwUA\r\n" \
+    "A4IBAQA4qFSCth2q22uJIdE4KGHJsJjVEfw2/xn+MkTvCMfxVrvmRvqCtjE4tKDl\r\n" \
+    "oK4MxFOek07oDZwvtAT9ijn1hHftTNS7RH9zd/fxNpfcHnMZXVC4w4DNA1fSANtW\r\n" \
+    "5sY1JB5Je9jScrsLSS+mAjyv0Ow3Hb2Bix8wu7xNNrV5fIf7Ubm+wt6SqEBxu3Kb\r\n" \
+    "+EfObAT4huf3czznhH3C17ed6NSbXwoXfby7stWUDeRJv08RaFOykf/Aae7bY5PL\r\n" \
+    "yTVrkAnikMntJ9YI+hNNYt3inqq11A5cN0+rVTst8UKCxzQ4GpvroSwPKTFkbMw4\r\n" \
+    "/anT1dVxr/BtwJfiESoK3/4CeXR1\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/test-ca-sha256.crt.der
+ * using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA256_DER tests/data_files/test-ca-sha256.crt.der */
+#define TEST_CA_CRT_RSA_SHA256_DER {                                         \
+  0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,    \
+  0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,    \
+  0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,    \
+  0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,    \
+  0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,    \
+  0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,    \
+  0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,    \
+  0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,    \
+  0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,    \
+  0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,    \
+  0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,    \
+  0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,    \
+  0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,    \
+  0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,    \
+  0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,    \
+  0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,    \
+  0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,    \
+  0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,    \
+  0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,    \
+  0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,    \
+  0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,    \
+  0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,    \
+  0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,    \
+  0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,    \
+  0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,    \
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,    \
+  0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,    \
+  0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,    \
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,    \
+  0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,    \
+  0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x01, 0x00, 0x38, 0xa8, 0x54, 0x82, 0xb6, 0x1d, 0xaa,    \
+  0xdb, 0x6b, 0x89, 0x21, 0xd1, 0x38, 0x28, 0x61, 0xc9, 0xb0, 0x98, 0xd5,    \
+  0x11, 0xfc, 0x36, 0xff, 0x19, 0xfe, 0x32, 0x44, 0xef, 0x08, 0xc7, 0xf1,    \
+  0x56, 0xbb, 0xe6, 0x46, 0xfa, 0x82, 0xb6, 0x31, 0x38, 0xb4, 0xa0, 0xe5,    \
+  0xa0, 0xae, 0x0c, 0xc4, 0x53, 0x9e, 0x93, 0x4e, 0xe8, 0x0d, 0x9c, 0x2f,    \
+  0xb4, 0x04, 0xfd, 0x8a, 0x39, 0xf5, 0x84, 0x77, 0xed, 0x4c, 0xd4, 0xbb,    \
+  0x44, 0x7f, 0x73, 0x77, 0xf7, 0xf1, 0x36, 0x97, 0xdc, 0x1e, 0x73, 0x19,    \
+  0x5d, 0x50, 0xb8, 0xc3, 0x80, 0xcd, 0x03, 0x57, 0xd2, 0x00, 0xdb, 0x56,    \
+  0xe6, 0xc6, 0x35, 0x24, 0x1e, 0x49, 0x7b, 0xd8, 0xd2, 0x72, 0xbb, 0x0b,    \
+  0x49, 0x2f, 0xa6, 0x02, 0x3c, 0xaf, 0xd0, 0xec, 0x37, 0x1d, 0xbd, 0x81,    \
+  0x8b, 0x1f, 0x30, 0xbb, 0xbc, 0x4d, 0x36, 0xb5, 0x79, 0x7c, 0x87, 0xfb,    \
+  0x51, 0xb9, 0xbe, 0xc2, 0xde, 0x92, 0xa8, 0x40, 0x71, 0xbb, 0x72, 0x9b,    \
+  0xf8, 0x47, 0xce, 0x6c, 0x04, 0xf8, 0x86, 0xe7, 0xf7, 0x73, 0x3c, 0xe7,    \
+  0x84, 0x7d, 0xc2, 0xd7, 0xb7, 0x9d, 0xe8, 0xd4, 0x9b, 0x5f, 0x0a, 0x17,    \
+  0x7d, 0xbc, 0xbb, 0xb2, 0xd5, 0x94, 0x0d, 0xe4, 0x49, 0xbf, 0x4f, 0x11,    \
+  0x68, 0x53, 0xb2, 0x91, 0xff, 0xc0, 0x69, 0xee, 0xdb, 0x63, 0x93, 0xcb,    \
+  0xc9, 0x35, 0x6b, 0x90, 0x09, 0xe2, 0x90, 0xc9, 0xed, 0x27, 0xd6, 0x08,    \
+  0xfa, 0x13, 0x4d, 0x62, 0xdd, 0xe2, 0x9e, 0xaa, 0xb5, 0xd4, 0x0e, 0x5c,    \
+  0x37, 0x4f, 0xab, 0x55, 0x3b, 0x2d, 0xf1, 0x42, 0x82, 0xc7, 0x34, 0x38,    \
+  0x1a, 0x9b, 0xeb, 0xa1, 0x2c, 0x0f, 0x29, 0x31, 0x64, 0x6c, 0xcc, 0x38,    \
+  0xfd, 0xa9, 0xd3, 0xd5, 0xd5, 0x71, 0xaf, 0xf0, 0x6d, 0xc0, 0x97, 0xe2,    \
+  0x11, 0x2a, 0x0a, 0xdf, 0xfe, 0x02, 0x79, 0x74, 0x75                       \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt. */
+/* BEGIN FILE string macro TEST_CA_CRT_RSA_SHA1_PEM tests/data_files/test-ca-sha1.crt */
+#define TEST_CA_CRT_RSA_SHA1_PEM                                           \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDQTCCAimgAwIBAgIBAzANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDAwWhcNMjkwMjEwMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
+    "CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
+    "mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
+    "50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
+    "YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
+    "R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
+    "KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
+    "UDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/\r\n" \
+    "MB8GA1UdIwQYMBaAFLRa5KWz3tJS9rnVppUP6z68x/3/MA0GCSqGSIb3DQEBBQUA\r\n" \
+    "A4IBAQB0ZiNRFdia6kskaPnhrqejIRq8YMEGAf2oIPnyZ78xoyERgc35lHGyMtsL\r\n" \
+    "hWicNjP4d/hS9As4j5KA2gdNGi5ETA1X7SowWOGsryivSpMSHVy1+HdfWlsYQOzm\r\n" \
+    "8o+faQNUm8XzPVmttfAVspxeHSxJZ36Oo+QWZ5wZlCIEyjEdLUId+Tm4Bz3B5jRD\r\n" \
+    "zZa/SaqDokq66N2zpbgKKAl3GU2O++fBqP2dSkdQykmTxhLLWRN8FJqhYATyQntZ\r\n" \
+    "0QSi3W9HfSZPnFTcPIXeoiPd2pLlxt1hZu8dws2LTXE63uP6MM4LHvWxiuJaWkP/\r\n" \
+    "mtxyUALj2pQxRitopORFQdn7AOY5\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca-sha1.crt.der. */
+/* BEGIN FILE binary macro TEST_CA_CRT_RSA_SHA1_DER tests/data_files/test-ca-sha1.crt.der */
+#define TEST_CA_CRT_RSA_SHA1_DER {                                           \
+  0x30, 0x82, 0x03, 0x41, 0x30, 0x82, 0x02, 0x29, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x03, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x30,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x30, 0x5a, 0x30, 0x3b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x54, 0x65,    \
+  0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01,    \
+  0x01, 0x00, 0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f,    \
+  0x86, 0xde, 0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1,    \
+  0x99, 0xd4, 0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec,    \
+  0x9b, 0xc5, 0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b,    \
+  0xc0, 0x8d, 0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9,    \
+  0x93, 0xe8, 0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2,    \
+  0xe7, 0x40, 0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40,    \
+  0xf9, 0x3e, 0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8,    \
+  0x29, 0x00, 0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1,    \
+  0xbd, 0x83, 0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27,    \
+  0x60, 0xc3, 0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84,    \
+  0x32, 0xbe, 0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5,    \
+  0xfb, 0xf5, 0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e,    \
+  0xee, 0xe2, 0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb,    \
+  0x47, 0xb1, 0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab,    \
+  0xf1, 0x79, 0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62,    \
+  0x6f, 0x27, 0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37,    \
+  0xa1, 0x30, 0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e,    \
+  0x28, 0xd1, 0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64,    \
+  0x09, 0xea, 0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b,    \
+  0xc9, 0xab, 0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32,    \
+  0x9e, 0x99, 0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,    \
+  0x50, 0x30, 0x4e, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05,    \
+  0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,    \
+  0x04, 0x16, 0x04, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52,    \
+  0xf6, 0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff,    \
+  0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,    \
+  0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5,    \
+  0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06,    \
+  0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00,    \
+  0x03, 0x82, 0x01, 0x01, 0x00, 0x74, 0x66, 0x23, 0x51, 0x15, 0xd8, 0x9a,    \
+  0xea, 0x4b, 0x24, 0x68, 0xf9, 0xe1, 0xae, 0xa7, 0xa3, 0x21, 0x1a, 0xbc,    \
+  0x60, 0xc1, 0x06, 0x01, 0xfd, 0xa8, 0x20, 0xf9, 0xf2, 0x67, 0xbf, 0x31,    \
+  0xa3, 0x21, 0x11, 0x81, 0xcd, 0xf9, 0x94, 0x71, 0xb2, 0x32, 0xdb, 0x0b,    \
+  0x85, 0x68, 0x9c, 0x36, 0x33, 0xf8, 0x77, 0xf8, 0x52, 0xf4, 0x0b, 0x38,    \
+  0x8f, 0x92, 0x80, 0xda, 0x07, 0x4d, 0x1a, 0x2e, 0x44, 0x4c, 0x0d, 0x57,    \
+  0xed, 0x2a, 0x30, 0x58, 0xe1, 0xac, 0xaf, 0x28, 0xaf, 0x4a, 0x93, 0x12,    \
+  0x1d, 0x5c, 0xb5, 0xf8, 0x77, 0x5f, 0x5a, 0x5b, 0x18, 0x40, 0xec, 0xe6,    \
+  0xf2, 0x8f, 0x9f, 0x69, 0x03, 0x54, 0x9b, 0xc5, 0xf3, 0x3d, 0x59, 0xad,    \
+  0xb5, 0xf0, 0x15, 0xb2, 0x9c, 0x5e, 0x1d, 0x2c, 0x49, 0x67, 0x7e, 0x8e,    \
+  0xa3, 0xe4, 0x16, 0x67, 0x9c, 0x19, 0x94, 0x22, 0x04, 0xca, 0x31, 0x1d,    \
+  0x2d, 0x42, 0x1d, 0xf9, 0x39, 0xb8, 0x07, 0x3d, 0xc1, 0xe6, 0x34, 0x43,    \
+  0xcd, 0x96, 0xbf, 0x49, 0xaa, 0x83, 0xa2, 0x4a, 0xba, 0xe8, 0xdd, 0xb3,    \
+  0xa5, 0xb8, 0x0a, 0x28, 0x09, 0x77, 0x19, 0x4d, 0x8e, 0xfb, 0xe7, 0xc1,    \
+  0xa8, 0xfd, 0x9d, 0x4a, 0x47, 0x50, 0xca, 0x49, 0x93, 0xc6, 0x12, 0xcb,    \
+  0x59, 0x13, 0x7c, 0x14, 0x9a, 0xa1, 0x60, 0x04, 0xf2, 0x42, 0x7b, 0x59,    \
+  0xd1, 0x04, 0xa2, 0xdd, 0x6f, 0x47, 0x7d, 0x26, 0x4f, 0x9c, 0x54, 0xdc,    \
+  0x3c, 0x85, 0xde, 0xa2, 0x23, 0xdd, 0xda, 0x92, 0xe5, 0xc6, 0xdd, 0x61,    \
+  0x66, 0xef, 0x1d, 0xc2, 0xcd, 0x8b, 0x4d, 0x71, 0x3a, 0xde, 0xe3, 0xfa,    \
+  0x30, 0xce, 0x0b, 0x1e, 0xf5, 0xb1, 0x8a, 0xe2, 0x5a, 0x5a, 0x43, 0xff,    \
+  0x9a, 0xdc, 0x72, 0x50, 0x02, 0xe3, 0xda, 0x94, 0x31, 0x46, 0x2b, 0x68,    \
+  0xa4, 0xe4, 0x45, 0x41, 0xd9, 0xfb, 0x00, 0xe6, 0x39                       \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/test-ca.key */
+/* BEGIN FILE string macro TEST_CA_KEY_RSA_PEM tests/data_files/test-ca.key */
+#define TEST_CA_KEY_RSA_PEM                                                \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "Proc-Type: 4,ENCRYPTED\r\n"                                           \
+    "DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"                          \
+    "\r\n"                                                                 \
+    "9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n" \
+    "7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n" \
+    "Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n" \
+    "PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n" \
+    "GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n" \
+    "gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n" \
+    "QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n" \
+    "PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n" \
+    "vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n" \
+    "WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n" \
+    "JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n" \
+    "KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n" \
+    "Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n" \
+    "9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n" \
+    "iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n" \
+    "tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n" \
+    "P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n" \
+    "1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n" \
+    "nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n" \
+    "X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n" \
+    "rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n" \
+    "L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n" \
+    "I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n" \
+    "wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n" \
+    "P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n" \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+#define TEST_CA_PWD_RSA_PEM "PolarSSLTest"
+
+/* This was generated from test-ca.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CA_KEY_RSA_DER tests/data_files/test-ca.key.der */
+#define TEST_CA_KEY_RSA_DER {                                                \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc0, 0xdf, 0x37, 0xfc, 0x17, 0xbb, 0xe0, 0x96, 0x9d, 0x3f, 0x86, 0xde,  \
+    0x96, 0x32, 0x7d, 0x44, 0xa5, 0x16, 0xa0, 0xcd, 0x21, 0xf1, 0x99, 0xd4,  \
+    0xec, 0xea, 0xcb, 0x7c, 0x18, 0x58, 0x08, 0x94, 0xa5, 0xec, 0x9b, 0xc5,  \
+    0x8b, 0xdf, 0x1a, 0x1e, 0x99, 0x38, 0x99, 0x87, 0x1e, 0x7b, 0xc0, 0x8d,  \
+    0x39, 0xdf, 0x38, 0x5d, 0x70, 0x78, 0x07, 0xd3, 0x9e, 0xd9, 0x93, 0xe8,  \
+    0xb9, 0x72, 0x51, 0xc5, 0xce, 0xa3, 0x30, 0x52, 0xa9, 0xf2, 0xe7, 0x40,  \
+    0x70, 0x14, 0xcb, 0x44, 0xa2, 0x72, 0x0b, 0xc2, 0xe5, 0x40, 0xf9, 0x3e,  \
+    0xe5, 0xa6, 0x0e, 0xb3, 0xf9, 0xec, 0x4a, 0x63, 0xc0, 0xb8, 0x29, 0x00,  \
+    0x74, 0x9c, 0x57, 0x3b, 0xa8, 0xa5, 0x04, 0x90, 0x71, 0xf1, 0xbd, 0x83,  \
+    0xd9, 0x3f, 0xd6, 0xa5, 0xe2, 0x3c, 0x2a, 0x8f, 0xef, 0x27, 0x60, 0xc3,  \
+    0xc6, 0x9f, 0xcb, 0xba, 0xec, 0x60, 0x7d, 0xb7, 0xe6, 0x84, 0x32, 0xbe,  \
+    0x4f, 0xfb, 0x58, 0x26, 0x22, 0x03, 0x5b, 0xd4, 0xb4, 0xd5, 0xfb, 0xf5,  \
+    0xe3, 0x96, 0x2e, 0x70, 0xc0, 0xe4, 0x2e, 0xbd, 0xfc, 0x2e, 0xee, 0xe2,  \
+    0x41, 0x55, 0xc0, 0x34, 0x2e, 0x7d, 0x24, 0x72, 0x69, 0xcb, 0x47, 0xb1,  \
+    0x14, 0x40, 0x83, 0x7d, 0x67, 0xf4, 0x86, 0xf6, 0x31, 0xab, 0xf1, 0x79,  \
+    0xa4, 0xb2, 0xb5, 0x2e, 0x12, 0xf9, 0x84, 0x17, 0xf0, 0x62, 0x6f, 0x27,  \
+    0x3e, 0x13, 0x58, 0xb1, 0x54, 0x0d, 0x21, 0x9a, 0x73, 0x37, 0xa1, 0x30,  \
+    0xcf, 0x6f, 0x92, 0xdc, 0xf6, 0xe9, 0xfc, 0xac, 0xdb, 0x2e, 0x28, 0xd1,  \
+    0x7e, 0x02, 0x4b, 0x23, 0xa0, 0x15, 0xf2, 0x38, 0x65, 0x64, 0x09, 0xea,  \
+    0x0c, 0x6e, 0x8e, 0x1b, 0x17, 0xa0, 0x71, 0xc8, 0xb3, 0x9b, 0xc9, 0xab,  \
+    0xe9, 0xc3, 0xf2, 0xcf, 0x87, 0x96, 0x8f, 0x80, 0x02, 0x32, 0x9e, 0x99,  \
+    0x58, 0x6f, 0xa2, 0xd5, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x3f, 0xf7, 0x07, 0xd3, 0x34, 0x6f, 0xdb, 0xc9, 0x37, 0xb7, 0x84,  \
+    0xdc, 0x37, 0x45, 0xe1, 0x63, 0xad, 0xb8, 0xb6, 0x75, 0xb1, 0xc7, 0x35,  \
+    0xb4, 0x77, 0x2a, 0x5b, 0x77, 0xf9, 0x7e, 0xe0, 0xc1, 0xa3, 0xd1, 0xb7,  \
+    0xcb, 0xa9, 0x5a, 0xc1, 0x87, 0xda, 0x5a, 0xfa, 0x17, 0xe4, 0xd5, 0x38,  \
+    0x03, 0xde, 0x68, 0x98, 0x81, 0xec, 0xb5, 0xf2, 0x2a, 0x8d, 0xe9, 0x2c,  \
+    0xf3, 0xa6, 0xe5, 0x32, 0x17, 0x7f, 0x33, 0x81, 0xe8, 0x38, 0x72, 0xd5,  \
+    0x9c, 0xfa, 0x4e, 0xfb, 0x26, 0xf5, 0x15, 0x0b, 0xaf, 0x84, 0x66, 0xab,  \
+    0x02, 0xe0, 0x18, 0xd5, 0x91, 0x7c, 0xd6, 0x8f, 0xc9, 0x4b, 0x76, 0x08,  \
+    0x2b, 0x1d, 0x81, 0x68, 0x30, 0xe1, 0xfa, 0x70, 0x6c, 0x13, 0x4e, 0x10,  \
+    0x03, 0x35, 0x3e, 0xc5, 0xca, 0x58, 0x20, 0x8a, 0x21, 0x18, 0x38, 0xa0,  \
+    0x0f, 0xed, 0xc4, 0xbb, 0x45, 0x6f, 0xf5, 0x84, 0x5b, 0xb0, 0xcf, 0x4e,  \
+    0x9d, 0x58, 0x13, 0x6b, 0x35, 0x35, 0x69, 0xa1, 0xd2, 0xc4, 0xf2, 0xc1,  \
+    0x48, 0x04, 0x20, 0x51, 0xb9, 0x6b, 0xa4, 0x5d, 0xa5, 0x4b, 0x84, 0x88,  \
+    0x43, 0x48, 0x99, 0x2c, 0xbb, 0xa4, 0x97, 0xd6, 0xd6, 0x18, 0xf6, 0xec,  \
+    0x5c, 0xd1, 0x31, 0x49, 0xc9, 0xf2, 0x8f, 0x0b, 0x4d, 0xef, 0x09, 0x02,  \
+    0xfe, 0x7d, 0xfd, 0xbb, 0xaf, 0x2b, 0x83, 0x94, 0x22, 0xc4, 0xa7, 0x3e,  \
+    0x66, 0xf5, 0xe0, 0x57, 0xdc, 0xf2, 0xed, 0x2c, 0x3e, 0x81, 0x74, 0x76,  \
+    0x1e, 0x96, 0x6f, 0x74, 0x1e, 0x32, 0x0e, 0x14, 0x31, 0xd0, 0x74, 0xf0,  \
+    0xf4, 0x07, 0xbd, 0xc3, 0xd1, 0x22, 0xc2, 0xa8, 0x95, 0x92, 0x06, 0x7f,  \
+    0x43, 0x02, 0x91, 0xbc, 0xdd, 0x23, 0x01, 0x89, 0x94, 0x20, 0x44, 0x64,  \
+    0xf5, 0x1d, 0x67, 0xd2, 0x8f, 0xe8, 0x69, 0xa5, 0x29, 0x25, 0xe6, 0x50,  \
+    0x9c, 0xe3, 0xe9, 0xcb, 0x75, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x29, 0x3e,  \
+    0xaa, 0x6b, 0xd5, 0x59, 0x1e, 0x9c, 0xe6, 0x47, 0xd5, 0xb6, 0xd7, 0xe3,  \
+    0xf1, 0x8e, 0x9e, 0xe9, 0x83, 0x5f, 0x10, 0x9f, 0x63, 0xec, 0x04, 0x44,  \
+    0xcc, 0x3f, 0xf8, 0xd9, 0x3a, 0x17, 0xe0, 0x4f, 0xfe, 0xd8, 0x4d, 0xcd,  \
+    0x46, 0x54, 0x74, 0xbf, 0x0a, 0xc4, 0x67, 0x9c, 0xa7, 0xd8, 0x89, 0x65,  \
+    0x4c, 0xfd, 0x58, 0x2a, 0x47, 0x0f, 0xf4, 0x37, 0xb6, 0x55, 0xb0, 0x1d,  \
+    0xed, 0xa7, 0x39, 0xfc, 0x4f, 0xa3, 0xc4, 0x75, 0x3a, 0xa3, 0x98, 0xa7,  \
+    0x45, 0xf5, 0x66, 0xcb, 0x7c, 0x65, 0xfb, 0x80, 0x23, 0xe6, 0xff, 0xfd,  \
+    0x99, 0x1f, 0x8e, 0x6b, 0xff, 0x5e, 0x93, 0x66, 0xdf, 0x6c, 0x6f, 0xc3,  \
+    0xf6, 0x38, 0x2e, 0xff, 0x69, 0xb5, 0xac, 0xae, 0xbb, 0xc6, 0x71, 0x16,  \
+    0x6b, 0xd0, 0xf8, 0x22, 0xd9, 0xf8, 0xa2, 0x72, 0x20, 0xd2, 0xe2, 0x3a,  \
+    0x70, 0x4b, 0xde, 0xab, 0x2f, 0x02, 0x81, 0x81, 0x00, 0xda, 0x51, 0x9b,  \
+    0xb8, 0xb2, 0x2a, 0x14, 0x75, 0x58, 0x40, 0x8d, 0x27, 0x70, 0xfa, 0x31,  \
+    0x48, 0xb0, 0x20, 0x21, 0x34, 0xfa, 0x4c, 0x57, 0xa8, 0x11, 0x88, 0xf3,  \
+    0xa7, 0xae, 0x21, 0xe9, 0xb6, 0x2b, 0xd1, 0xcd, 0xa7, 0xf8, 0xd8, 0x0c,  \
+    0x8a, 0x76, 0x22, 0x35, 0x44, 0xce, 0x3f, 0x25, 0x29, 0x83, 0x7d, 0x79,  \
+    0xa7, 0x31, 0xd6, 0xec, 0xb2, 0xbf, 0xda, 0x34, 0xb6, 0xf6, 0xb2, 0x3b,  \
+    0xf3, 0x78, 0x5a, 0x04, 0x83, 0x33, 0x3e, 0xa2, 0xe2, 0x81, 0x82, 0x13,  \
+    0xd4, 0x35, 0x17, 0x63, 0x9b, 0x9e, 0xc4, 0x8d, 0x91, 0x4c, 0x03, 0x77,  \
+    0xc7, 0x71, 0x5b, 0xee, 0x83, 0x6d, 0xd5, 0x78, 0x88, 0xf6, 0x2c, 0x79,  \
+    0xc2, 0x4a, 0xb4, 0x79, 0x90, 0x70, 0xbf, 0xdf, 0x34, 0x56, 0x96, 0x71,  \
+    0xe3, 0x0e, 0x68, 0x91, 0xbc, 0xea, 0xcb, 0x33, 0xc0, 0xbe, 0x45, 0xd7,  \
+    0xfc, 0x30, 0xfd, 0x01, 0x3b, 0x02, 0x81, 0x81, 0x00, 0xd2, 0x9f, 0x2a,  \
+    0xb7, 0x38, 0x19, 0xc7, 0x17, 0x95, 0x73, 0x78, 0xae, 0xf5, 0xcb, 0x75,  \
+    0x83, 0x7f, 0x19, 0x4b, 0xcb, 0x86, 0xfb, 0x4a, 0x15, 0x9a, 0xb6, 0x17,  \
+    0x04, 0x49, 0x07, 0x8d, 0xf6, 0x66, 0x4a, 0x06, 0xf6, 0x05, 0xa7, 0xdf,  \
+    0x66, 0x82, 0x3c, 0xff, 0xb6, 0x1d, 0x57, 0x89, 0x33, 0x5f, 0x9c, 0x05,  \
+    0x75, 0x7f, 0xf3, 0x5d, 0xdc, 0x34, 0x65, 0x72, 0x85, 0x22, 0xa4, 0x14,  \
+    0x1b, 0x41, 0xc3, 0xe4, 0xd0, 0x9e, 0x69, 0xd5, 0xeb, 0x38, 0x74, 0x70,  \
+    0x43, 0xdc, 0xd9, 0x50, 0xe4, 0x97, 0x6d, 0x73, 0xd6, 0xfb, 0xc8, 0xa7,  \
+    0xfa, 0xb4, 0xc2, 0xc4, 0x9d, 0x5d, 0x0c, 0xd5, 0x9f, 0x79, 0xb3, 0x54,  \
+    0xc2, 0xb7, 0x6c, 0x3d, 0x7d, 0xcb, 0x2d, 0xf8, 0xc4, 0xf3, 0x78, 0x5a,  \
+    0x33, 0x2a, 0xb8, 0x0c, 0x6d, 0x06, 0xfa, 0xf2, 0x62, 0xd3, 0x42, 0xd0,  \
+    0xbd, 0xc8, 0x4a, 0xa5, 0x0d, 0x02, 0x81, 0x81, 0x00, 0xd4, 0xa9, 0x90,  \
+    0x15, 0xde, 0xbf, 0x2c, 0xc4, 0x8d, 0x9d, 0xfb, 0xa1, 0xc2, 0xe4, 0x83,  \
+    0xe3, 0x79, 0x65, 0x22, 0xd3, 0xb7, 0x49, 0x6c, 0x4d, 0x94, 0x1f, 0x22,  \
+    0xb1, 0x60, 0xe7, 0x3a, 0x00, 0xb1, 0x38, 0xa2, 0xab, 0x0f, 0xb4, 0x6c,  \
+    0xaa, 0xe7, 0x9e, 0x34, 0xe3, 0x7c, 0x40, 0x78, 0x53, 0xb2, 0xf9, 0x23,  \
+    0xea, 0xa0, 0x9a, 0xea, 0x60, 0xc8, 0x8f, 0xa6, 0xaf, 0xdf, 0x29, 0x09,  \
+    0x4b, 0x06, 0x1e, 0x31, 0xad, 0x17, 0xda, 0xd8, 0xd1, 0xe9, 0x33, 0xab,  \
+    0x5b, 0x18, 0x08, 0x5b, 0x87, 0xf8, 0xa5, 0x1f, 0xfd, 0xbb, 0xdc, 0xd8,  \
+    0xed, 0x97, 0x57, 0xe4, 0xc3, 0x73, 0xd6, 0xf0, 0x9e, 0x01, 0xa6, 0x9b,  \
+    0x48, 0x8e, 0x7a, 0xb4, 0xbb, 0xe5, 0x88, 0x91, 0xc5, 0x2a, 0xdf, 0x4b,  \
+    0xba, 0xd0, 0x8b, 0x3e, 0x03, 0x97, 0x77, 0x2f, 0x47, 0x7e, 0x51, 0x0c,  \
+    0xae, 0x65, 0x8d, 0xde, 0x87, 0x02, 0x81, 0x80, 0x20, 0x24, 0x0f, 0xd2,  \
+    0xaf, 0xc2, 0x28, 0x3b, 0x97, 0x20, 0xb2, 0x92, 0x49, 0xeb, 0x09, 0x68,  \
+    0x40, 0xb2, 0xbe, 0xd1, 0xc3, 0x83, 0x94, 0x34, 0x38, 0xd6, 0xc9, 0xec,  \
+    0x34, 0x09, 0xf9, 0x41, 0x6d, 0x5c, 0x42, 0x94, 0xf7, 0x04, 0xfc, 0x32,  \
+    0x39, 0x69, 0xbc, 0x1c, 0xfb, 0x3e, 0x61, 0x98, 0xc0, 0x80, 0xd8, 0x36,  \
+    0x47, 0xc3, 0x6d, 0xc2, 0x2e, 0xe7, 0x81, 0x2a, 0x17, 0x34, 0x64, 0x30,  \
+    0x4e, 0x96, 0xbb, 0x26, 0x16, 0xb9, 0x41, 0x36, 0xfe, 0x8a, 0xd6, 0x53,  \
+    0x7c, 0xaa, 0xec, 0x39, 0x42, 0x50, 0xef, 0xe3, 0xb3, 0x01, 0x28, 0x32,  \
+    0xca, 0x6d, 0xf5, 0x9a, 0x1e, 0x9f, 0x37, 0xbe, 0xfe, 0x38, 0x20, 0x22,  \
+    0x91, 0x8c, 0xcd, 0x95, 0x02, 0xf2, 0x4d, 0x6f, 0x1a, 0xb4, 0x43, 0xf0,  \
+    0x19, 0xdf, 0x65, 0xc0, 0x92, 0xe7, 0x9d, 0x2f, 0x09, 0xe7, 0xec, 0x69,  \
+    0xa8, 0xc2, 0x8f, 0x0d                                                   \
+}
+/* END FILE */
+
+/*
+ * Test server Certificates
+ *
+ * Test server certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - SHA-1 or SHA-256 hash
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/server5.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_EC_PEM tests/data_files/server5.crt */
+#define TEST_SRV_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n" \
+    "MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n" \
+    "CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n" \
+    "2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n" \
+    "BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n" \
+    "PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n" \
+    "clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n" \
+    "CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n" \
+    "C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n" \
+    "fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_EC_DER tests/data_files/server5.crt.der */
+#define TEST_SRV_CRT_EC_DER {                                                \
+    0x30, 0x82, 0x02, 0x1f, 0x30, 0x82, 0x01, 0xa5, 0xa0, 0x03, 0x02, 0x01,  \
+    0x02, 0x02, 0x01, 0x09, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,  \
+    0x3d, 0x04, 0x03, 0x02, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65,  \
+    0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,  \
+    0x31, 0x33, 0x30, 0x39, 0x32, 0x34, 0x31, 0x35, 0x35, 0x32, 0x30, 0x34,  \
+    0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x35,  \
+    0x32, 0x30, 0x34, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,  \
+    0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,  \
+    0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,  \
+    0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,  \
+    0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x59,  \
+    0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,  \
+    0x04, 0x37, 0xcc, 0x56, 0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7,  \
+    0x59, 0x2d, 0xff, 0x20, 0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0,  \
+    0xad, 0x14, 0xb5, 0xf7, 0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00,  \
+    0xd8, 0x23, 0x11, 0xff, 0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd,  \
+    0x8a, 0x88, 0xc2, 0x6b, 0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa,  \
+    0x01, 0xc8, 0xb4, 0xed, 0xff, 0xa3, 0x81, 0x9d, 0x30, 0x81, 0x9a, 0x30,  \
+    0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d,  \
+    0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x50, 0x61, 0xa5,  \
+    0x8f, 0xd4, 0x07, 0xd9, 0xd7, 0x82, 0x01, 0x0c, 0xe5, 0x65, 0x7f, 0x8c,  \
+    0x63, 0x46, 0xa7, 0x13, 0xbe, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23,  \
+    0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01,  \
+    0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb,  \
+    0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,  \
+    0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,  \
+    0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61,  \
+    0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,  \
+    0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20,  \
+    0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09,  \
+    0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0a, 0x06,  \
+    0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x68, 0x00,  \
+    0x30, 0x65, 0x02, 0x31, 0x00, 0x9a, 0x2c, 0x5c, 0xd7, 0xa6, 0xdb, 0xa2,  \
+    0xe5, 0x64, 0x0d, 0xf0, 0xb9, 0x4e, 0xdd, 0xd7, 0x61, 0xd6, 0x13, 0x31,  \
+    0xc7, 0xab, 0x73, 0x80, 0xbb, 0xd3, 0xd3, 0x73, 0x13, 0x54, 0xad, 0x92,  \
+    0x0b, 0x5d, 0xab, 0xd0, 0xbc, 0xf7, 0xae, 0x2f, 0xe6, 0xa1, 0x21, 0x29,  \
+    0x35, 0x95, 0xaa, 0x3e, 0x39, 0x02, 0x30, 0x21, 0x36, 0x7f, 0x9d, 0xc6,  \
+    0x5d, 0xc6, 0x0b, 0xab, 0x27, 0xf2, 0x25, 0x1d, 0x3b, 0xf1, 0xcf, 0xf1,  \
+    0x35, 0x25, 0x14, 0xe7, 0xe5, 0xf1, 0x97, 0xb5, 0x59, 0xe3, 0x5e, 0x15,  \
+    0x7c, 0x66, 0xb9, 0x90, 0x7b, 0xc7, 0x01, 0x10, 0x4f, 0x73, 0xc6, 0x00,  \
+    0x21, 0x52, 0x2a, 0x0e, 0xf1, 0xc7, 0xd5                                 \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server5.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_EC_PEM tests/data_files/server5.key */
+#define TEST_SRV_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n" \
+    "6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/server5.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_EC_DER tests/data_files/server5.key.der */
+#define TEST_SRV_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf1, 0x2a, 0x13, 0x20, 0x76,  \
+    0x02, 0x70, 0xa8, 0x3c, 0xbf, 0xfd, 0x53, 0xf6, 0x03, 0x1e, 0xf7, 0x6a,  \
+    0x5d, 0x86, 0xc8, 0xa2, 0x04, 0xf2, 0xc3, 0x0c, 0xa9, 0xeb, 0xf5, 0x1f,  \
+    0x0f, 0x0e, 0xa7, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x37, 0xcc, 0x56,  \
+    0xd9, 0x76, 0x09, 0x1e, 0x5a, 0x72, 0x3e, 0xc7, 0x59, 0x2d, 0xff, 0x20,  \
+    0x6e, 0xee, 0x7c, 0xf9, 0x06, 0x91, 0x74, 0xd0, 0xad, 0x14, 0xb5, 0xf7,  \
+    0x68, 0x22, 0x59, 0x62, 0x92, 0x4e, 0xe5, 0x00, 0xd8, 0x23, 0x11, 0xff,  \
+    0xea, 0x2f, 0xd2, 0x34, 0x5d, 0x5d, 0x16, 0xbd, 0x8a, 0x88, 0xc2, 0x6b,  \
+    0x77, 0x0d, 0x55, 0xcd, 0x8a, 0x2a, 0x0e, 0xfa, 0x01, 0xc8, 0xb4, 0xed,  \
+    0xff                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA256_PEM tests/data_files/server2-sha256.crt */
+#define TEST_SRV_CRT_RSA_SHA256_PEM                                        \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJh\r\n" \
+    "Pqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6U\r\n" \
+    "HoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq9\r\n" \
+    "1C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sv\r\n" \
+    "a1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0\r\n" \
+    "e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbo\r\n" \
+    "pMZqLmbBm/7WPLc=\r\n"                                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2-sha256.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA256_DER tests/data_files/server2-sha256.crt.der */
+#define TEST_SRV_CRT_RSA_SHA256_DER {                                        \
+  0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,    \
+  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,    \
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,    \
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,    \
+  0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,    \
+  0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,    \
+  0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,    \
+  0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,    \
+  0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,    \
+  0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,    \
+  0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,    \
+  0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,    \
+  0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,    \
+  0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,    \
+  0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,    \
+  0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,    \
+  0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,    \
+  0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,    \
+  0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,    \
+  0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,    \
+  0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,    \
+  0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,    \
+  0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,    \
+  0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,    \
+  0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,    \
+  0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,    \
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,    \
+  0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,    \
+  0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,    \
+  0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,    \
+  0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,    \
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,    \
+  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x2e, 0x3a, 0xe4, 0x52, 0x61,    \
+  0x3e, 0xa7, 0xa5, 0xef, 0x32, 0x67, 0x80, 0x72, 0x07, 0x26, 0xba, 0xa3,    \
+  0xff, 0x05, 0x40, 0xc4, 0x60, 0x05, 0x39, 0x31, 0x77, 0xf7, 0xa5, 0xca,    \
+  0x01, 0x31, 0x80, 0xa7, 0xe1, 0xd1, 0x0a, 0xa2, 0x7c, 0xd5, 0x1c, 0xba,    \
+  0xd0, 0x23, 0x4a, 0xd6, 0x30, 0xf3, 0x93, 0xc7, 0x6f, 0xe8, 0xce, 0x94,    \
+  0x1e, 0x84, 0xbb, 0x44, 0x81, 0x62, 0x33, 0xff, 0x6b, 0x5d, 0x00, 0x9b,    \
+  0x25, 0xf8, 0x8f, 0x0f, 0x9c, 0x4c, 0x4d, 0xe8, 0xd9, 0xa7, 0x99, 0xf9,    \
+  0x51, 0x81, 0xc0, 0x9b, 0x1b, 0x31, 0x0d, 0xa6, 0xb3, 0x7c, 0x0e, 0x45,    \
+  0xb8, 0x18, 0x64, 0x7e, 0x89, 0x0a, 0x2b, 0xa8, 0xc3, 0xe0, 0x4a, 0xbd,    \
+  0xd4, 0x2f, 0x78, 0xc4, 0x62, 0x9b, 0xe9, 0x7e, 0x3f, 0x56, 0x46, 0x8f,    \
+  0x17, 0xb7, 0x2a, 0xa0, 0x10, 0x70, 0xfd, 0xb1, 0xf1, 0x6b, 0x05, 0xdc,    \
+  0xd1, 0x41, 0x0f, 0x8e, 0xa6, 0xb2, 0x88, 0x1a, 0x42, 0x61, 0x4f, 0xeb,    \
+  0x26, 0x85, 0x59, 0x80, 0xba, 0x85, 0x54, 0xfe, 0xcf, 0xc7, 0x7b, 0x2f,    \
+  0x6b, 0x59, 0xce, 0xac, 0xdc, 0x7c, 0xac, 0xf3, 0xc8, 0xd6, 0x12, 0x7e,    \
+  0x64, 0xe8, 0x3c, 0x99, 0xa8, 0x8f, 0x4f, 0x11, 0xd9, 0x9c, 0x15, 0x4b,    \
+  0x6a, 0x44, 0x92, 0x2d, 0x0c, 0xbf, 0xb1, 0x67, 0x96, 0xc9, 0xac, 0xce,    \
+  0xd5, 0x19, 0xeb, 0x6f, 0x18, 0xeb, 0x6e, 0x04, 0x2d, 0x60, 0xac, 0xf4,    \
+  0x7b, 0x79, 0xf0, 0x1a, 0x9b, 0xb5, 0xc3, 0x5d, 0xef, 0x7d, 0xc9, 0x05,    \
+  0x99, 0x44, 0x81, 0x84, 0x75, 0xc7, 0xec, 0x00, 0x12, 0xfc, 0x7a, 0x4a,    \
+  0x0b, 0x82, 0x07, 0xec, 0x6d, 0x86, 0x02, 0x4d, 0xfe, 0x9f, 0xc8, 0x92,    \
+  0x48, 0xde, 0xf5, 0xb1, 0x9c, 0xe9, 0xc6, 0x89, 0xd0, 0xc1, 0x56, 0xe8,    \
+  0xa4, 0xc6, 0x6a, 0x2e, 0x66, 0xc1, 0x9b, 0xfe, 0xd6, 0x3c, 0xb7           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt. */
+/* BEGIN FILE string macro TEST_SRV_CRT_RSA_SHA1_PEM tests/data_files/server2.crt */
+#define TEST_SRV_CRT_RSA_SHA1_PEM                                          \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
+    "AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
+    "owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
+    "NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
+    "tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
+    "hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
+    "HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
+    "VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
+    "FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAJklg3Q4\r\n" \
+    "cB7v7BzsxM/vLyKccO6op0/gZzM4ghuLq2Y32kl0sM6kSNUUmduuq3u/+GmUZN2A\r\n" \
+    "O/7c+Hw7hDFEIvZk98aBGjCLqn3DmgHIv8ToQ67nellQxx2Uj309PdgjNi/r9HOc\r\n" \
+    "KNAYPbBcg6MJGWWj2TI6vNaceios/DhOYx5V0j5nfqSJ/pnU0g9Ign2LAhgYpGJE\r\n" \
+    "iEM9wW7hEMkwmk0h/sqZsrJsGH5YsF/VThSq/JVO1e2mZH2vruyZKJVBq+8tDNYp\r\n" \
+    "HkK6tSyVYQhzIt3StMJWKMl/o5k2AYz6tSC164+1oG+ML3LWg8XrGKa91H4UOKap\r\n" \
+    "Awgk0+4m0T25cNs=\r\n"                                                 \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.crt.der. */
+/* BEGIN FILE binary macro TEST_SRV_CRT_RSA_SHA1_DER tests/data_files/server2.crt.der */
+#define TEST_SRV_CRT_RSA_SHA1_DER {                                          \
+  0x30, 0x82, 0x03, 0x37, 0x30, 0x82, 0x02, 0x1f, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x02, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x34, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82,    \
+  0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,    \
+  0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,    \
+  0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xc1, 0x4d, 0xa3, 0xdd, 0xe7,    \
+  0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72, 0xb8, 0x99, 0xac, 0x0e, 0x78,    \
+  0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13, 0x16, 0xd0, 0x5a, 0xe4, 0xcd,    \
+  0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b, 0x96, 0xa7, 0x52, 0xb4, 0x90,    \
+  0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a, 0xfc, 0xb6, 0x34, 0xac, 0x24,    \
+  0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c, 0xb0, 0x28, 0x7d, 0xa1, 0xda,    \
+  0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc, 0xfe, 0xc1, 0x04, 0x52, 0xb3,    \
+  0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76, 0xd8, 0x90, 0xc1, 0x61, 0xb4,    \
+  0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa, 0xab, 0x74, 0x5e, 0x07, 0x7d,    \
+  0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0, 0xd9, 0x0d, 0x1c, 0x2d, 0x49,    \
+  0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8, 0x0b, 0x8a, 0x4f, 0x69, 0x0c,    \
+  0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10, 0x66, 0x7d, 0xae, 0x54, 0x2b,    \
+  0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61, 0xc3, 0xcd, 0x40, 0x49, 0x08,    \
+  0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2, 0x46, 0xbf, 0xd0, 0xb8, 0xaa,    \
+  0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a, 0x1e, 0x44, 0x18, 0x0f, 0x0f,    \
+  0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2, 0x18, 0xc6, 0x62, 0x2f, 0xc7,    \
+  0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3, 0x27, 0x89, 0x29, 0x01, 0xc5,    \
+  0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8, 0x4a, 0x0e, 0xef, 0xd6, 0xde,    \
+  0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d, 0x7a, 0xc4, 0x02, 0x3c, 0x9a,    \
+  0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b, 0xcb, 0x73, 0x4b, 0x52, 0x96,    \
+  0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69, 0x39, 0x5a, 0xd3, 0x0f, 0xb0,    \
+  0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea, 0x12, 0x01, 0x30, 0x97, 0x02,    \
+  0x03, 0x01, 0x00, 0x01, 0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,    \
+  0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xa5, 0x05, 0xe8, 0x64, 0xb8, 0xdc,    \
+  0xdf, 0x60, 0x0f, 0x50, 0x12, 0x4d, 0x60, 0xa8, 0x64, 0xaf, 0x4d, 0x8b,    \
+  0x43, 0x93, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30,    \
+  0x16, 0x80, 0x14, 0xb4, 0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6,    \
+  0xb9, 0xd5, 0xa6, 0x95, 0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30,    \
+  0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,    \
+  0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x99, 0x25, 0x83, 0x74, 0x38,    \
+  0x70, 0x1e, 0xef, 0xec, 0x1c, 0xec, 0xc4, 0xcf, 0xef, 0x2f, 0x22, 0x9c,    \
+  0x70, 0xee, 0xa8, 0xa7, 0x4f, 0xe0, 0x67, 0x33, 0x38, 0x82, 0x1b, 0x8b,    \
+  0xab, 0x66, 0x37, 0xda, 0x49, 0x74, 0xb0, 0xce, 0xa4, 0x48, 0xd5, 0x14,    \
+  0x99, 0xdb, 0xae, 0xab, 0x7b, 0xbf, 0xf8, 0x69, 0x94, 0x64, 0xdd, 0x80,    \
+  0x3b, 0xfe, 0xdc, 0xf8, 0x7c, 0x3b, 0x84, 0x31, 0x44, 0x22, 0xf6, 0x64,    \
+  0xf7, 0xc6, 0x81, 0x1a, 0x30, 0x8b, 0xaa, 0x7d, 0xc3, 0x9a, 0x01, 0xc8,    \
+  0xbf, 0xc4, 0xe8, 0x43, 0xae, 0xe7, 0x7a, 0x59, 0x50, 0xc7, 0x1d, 0x94,    \
+  0x8f, 0x7d, 0x3d, 0x3d, 0xd8, 0x23, 0x36, 0x2f, 0xeb, 0xf4, 0x73, 0x9c,    \
+  0x28, 0xd0, 0x18, 0x3d, 0xb0, 0x5c, 0x83, 0xa3, 0x09, 0x19, 0x65, 0xa3,    \
+  0xd9, 0x32, 0x3a, 0xbc, 0xd6, 0x9c, 0x7a, 0x2a, 0x2c, 0xfc, 0x38, 0x4e,    \
+  0x63, 0x1e, 0x55, 0xd2, 0x3e, 0x67, 0x7e, 0xa4, 0x89, 0xfe, 0x99, 0xd4,    \
+  0xd2, 0x0f, 0x48, 0x82, 0x7d, 0x8b, 0x02, 0x18, 0x18, 0xa4, 0x62, 0x44,    \
+  0x88, 0x43, 0x3d, 0xc1, 0x6e, 0xe1, 0x10, 0xc9, 0x30, 0x9a, 0x4d, 0x21,    \
+  0xfe, 0xca, 0x99, 0xb2, 0xb2, 0x6c, 0x18, 0x7e, 0x58, 0xb0, 0x5f, 0xd5,    \
+  0x4e, 0x14, 0xaa, 0xfc, 0x95, 0x4e, 0xd5, 0xed, 0xa6, 0x64, 0x7d, 0xaf,    \
+  0xae, 0xec, 0x99, 0x28, 0x95, 0x41, 0xab, 0xef, 0x2d, 0x0c, 0xd6, 0x29,    \
+  0x1e, 0x42, 0xba, 0xb5, 0x2c, 0x95, 0x61, 0x08, 0x73, 0x22, 0xdd, 0xd2,    \
+  0xb4, 0xc2, 0x56, 0x28, 0xc9, 0x7f, 0xa3, 0x99, 0x36, 0x01, 0x8c, 0xfa,    \
+  0xb5, 0x20, 0xb5, 0xeb, 0x8f, 0xb5, 0xa0, 0x6f, 0x8c, 0x2f, 0x72, 0xd6,    \
+  0x83, 0xc5, 0xeb, 0x18, 0xa6, 0xbd, 0xd4, 0x7e, 0x14, 0x38, 0xa6, 0xa9,    \
+  0x03, 0x08, 0x24, 0xd3, 0xee, 0x26, 0xd1, 0x3d, 0xb9, 0x70, 0xdb           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/server2.key. */
+/* BEGIN FILE string macro TEST_SRV_KEY_RSA_PEM tests/data_files/server2.key */
+#define TEST_SRV_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n" \
+    "lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n" \
+    "2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n" \
+    "Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n" \
+    "GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n" \
+    "y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n" \
+    "++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n" \
+    "Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n" \
+    "/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n" \
+    "WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n" \
+    "GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n" \
+    "TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n" \
+    "CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n" \
+    "nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n" \
+    "AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n" \
+    "sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n" \
+    "mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n" \
+    "BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n" \
+    "whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n" \
+    "vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n" \
+    "3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n" \
+    "3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n" \
+    "ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n" \
+    "4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n" \
+    "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/server2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_SRV_KEY_RSA_DER tests/data_files/server2.key.der */
+#define TEST_SRV_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc1, 0x4d, 0xa3, 0xdd, 0xe7, 0xcd, 0x1d, 0xd1, 0x04, 0xd7, 0x49, 0x72,  \
+    0xb8, 0x99, 0xac, 0x0e, 0x78, 0xe4, 0x3a, 0x3c, 0x4a, 0xcf, 0x3a, 0x13,  \
+    0x16, 0xd0, 0x5a, 0xe4, 0xcd, 0xa3, 0x00, 0x88, 0xa7, 0xee, 0x1e, 0x6b,  \
+    0x96, 0xa7, 0x52, 0xb4, 0x90, 0xef, 0x2d, 0x72, 0x7a, 0x3e, 0x24, 0x9a,  \
+    0xfc, 0xb6, 0x34, 0xac, 0x24, 0xf5, 0x77, 0xe0, 0x26, 0x64, 0x8c, 0x9c,  \
+    0xb0, 0x28, 0x7d, 0xa1, 0xda, 0xea, 0x8c, 0xe6, 0xc9, 0x1c, 0x96, 0xbc,  \
+    0xfe, 0xc1, 0x04, 0x52, 0xb3, 0x36, 0xd4, 0xa3, 0xfa, 0xe1, 0xb1, 0x76,  \
+    0xd8, 0x90, 0xc1, 0x61, 0xb4, 0x66, 0x52, 0x36, 0xa2, 0x26, 0x53, 0xaa,  \
+    0xab, 0x74, 0x5e, 0x07, 0x7d, 0x19, 0x82, 0xdb, 0x2a, 0xd8, 0x1f, 0xa0,  \
+    0xd9, 0x0d, 0x1c, 0x2d, 0x49, 0x66, 0xf7, 0x5b, 0x25, 0x73, 0x46, 0xe8,  \
+    0x0b, 0x8a, 0x4f, 0x69, 0x0c, 0xb5, 0x00, 0x90, 0xe1, 0xda, 0x82, 0x10,  \
+    0x66, 0x7d, 0xae, 0x54, 0x2b, 0x8b, 0x65, 0x79, 0x91, 0xa1, 0xe2, 0x61,  \
+    0xc3, 0xcd, 0x40, 0x49, 0x08, 0xee, 0x68, 0x0c, 0xf1, 0x8b, 0x86, 0xd2,  \
+    0x46, 0xbf, 0xd0, 0xb8, 0xaa, 0x11, 0x03, 0x1e, 0x7f, 0x56, 0xa8, 0x1a,  \
+    0x1e, 0x44, 0x18, 0x0f, 0x0f, 0x85, 0x8b, 0xda, 0x8b, 0x44, 0x5e, 0xe2,  \
+    0x18, 0xc6, 0x62, 0x2f, 0xc7, 0x66, 0x8d, 0xfa, 0x5d, 0xd8, 0x7d, 0xf3,  \
+    0x27, 0x89, 0x29, 0x01, 0xc5, 0x90, 0x0e, 0x3f, 0x27, 0xf1, 0x30, 0xc8,  \
+    0x4a, 0x0e, 0xef, 0xd6, 0xde, 0xc7, 0xc7, 0x27, 0x6b, 0xc7, 0x05, 0x3d,  \
+    0x7a, 0xc4, 0x02, 0x3c, 0x9a, 0x1d, 0x3e, 0x0f, 0xe8, 0x34, 0x98, 0x5b,  \
+    0xcb, 0x73, 0x4b, 0x52, 0x96, 0xd8, 0x11, 0xa2, 0x2c, 0x80, 0x88, 0x69,  \
+    0x39, 0x5a, 0xd3, 0x0f, 0xb0, 0xde, 0x59, 0x2f, 0x11, 0xc7, 0xf7, 0xea,  \
+    0x12, 0x01, 0x30, 0x97, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x01, 0x00, 0x97, 0x47, 0x44, 0xbc, 0x10, 0x81, 0xc5, 0x18, 0xe4, 0x59,  \
+    0xfb, 0xe0, 0x2d, 0x3a, 0x0e, 0x9e, 0x10, 0xdc, 0x43, 0xfb, 0x15, 0x6c,  \
+    0xd1, 0xfd, 0x48, 0x78, 0x6c, 0xf9, 0xed, 0x38, 0xe8, 0xdd, 0x09, 0xd7,  \
+    0x5f, 0xb5, 0x41, 0x64, 0xd7, 0x63, 0xfa, 0x9d, 0x44, 0x0a, 0xf8, 0x42,  \
+    0x13, 0xf1, 0xbb, 0x5e, 0x79, 0x20, 0x53, 0x98, 0x4b, 0x65, 0x7f, 0x86,  \
+    0x67, 0x48, 0xe4, 0xcf, 0xfb, 0x6a, 0x24, 0xe2, 0x34, 0xbd, 0x14, 0x9d,  \
+    0x2c, 0x16, 0xe2, 0xa4, 0x79, 0xd6, 0xa2, 0xec, 0x81, 0x43, 0x87, 0xbf,  \
+    0x03, 0x5c, 0x88, 0x25, 0xd9, 0x41, 0xb6, 0xa5, 0xf1, 0x27, 0x52, 0x84,  \
+    0xfe, 0x2b, 0x6e, 0x1d, 0x16, 0xcd, 0x73, 0x88, 0xf8, 0x90, 0xbf, 0x19,  \
+    0xfe, 0xbe, 0xa9, 0xbf, 0x09, 0xd3, 0x23, 0x43, 0xd2, 0xc7, 0x61, 0x2a,  \
+    0xb3, 0x4e, 0x3c, 0x61, 0xd4, 0xbd, 0xd8, 0xb4, 0xfa, 0xa8, 0x0b, 0xf8,  \
+    0x7e, 0x56, 0xcd, 0x0f, 0x13, 0x27, 0xda, 0xe6, 0x3b, 0xb3, 0x8c, 0x9c,  \
+    0x4b, 0x84, 0x3c, 0xc3, 0x52, 0x57, 0x9c, 0x27, 0x9a, 0x02, 0x76, 0x26,  \
+    0x59, 0x82, 0x39, 0xc3, 0x13, 0xbe, 0x6e, 0xf4, 0x44, 0x2d, 0x1d, 0x8c,  \
+    0x73, 0x3e, 0x43, 0x99, 0x59, 0xcb, 0xf2, 0x34, 0x72, 0x9a, 0x5e, 0xa5,  \
+    0xeb, 0x9f, 0x36, 0x6d, 0x2b, 0xf9, 0xa2, 0xe7, 0xd1, 0x78, 0x52, 0x1b,  \
+    0xc8, 0xf6, 0x5b, 0x41, 0x69, 0x57, 0x81, 0x89, 0xe9, 0xbb, 0xa1, 0xde,  \
+    0x19, 0x37, 0x3b, 0x13, 0x5c, 0xca, 0x61, 0x01, 0x86, 0xff, 0xdf, 0x83,  \
+    0x41, 0x49, 0x7f, 0xd6, 0xf4, 0x2e, 0x08, 0xfa, 0x90, 0xc2, 0x7c, 0xb4,  \
+    0xb5, 0x0a, 0x17, 0xdb, 0x0e, 0x6d, 0x75, 0x8a, 0x5d, 0x31, 0xd5, 0x66,  \
+    0xfb, 0x39, 0x0b, 0xb5, 0xb6, 0xa3, 0xcd, 0xd4, 0xef, 0x88, 0x92, 0x5a,  \
+    0x4d, 0x6c, 0xcb, 0xea, 0x5b, 0x79, 0x02, 0x81, 0x81, 0x00, 0xdf, 0x3a,  \
+    0xf9, 0x25, 0x5e, 0x24, 0x37, 0x26, 0x40, 0x97, 0x2f, 0xe0, 0x4a, 0xba,  \
+    0x52, 0x1b, 0x51, 0xaf, 0x84, 0x06, 0x32, 0x24, 0x0c, 0xcf, 0x44, 0xa8,  \
+    0x77, 0xa7, 0xad, 0xb5, 0x8c, 0x58, 0xcc, 0xc8, 0x31, 0xb7, 0x0d, 0xbc,  \
+    0x08, 0x8a, 0xe0, 0xa6, 0x8c, 0xc2, 0x73, 0xe5, 0x1a, 0x64, 0x92, 0xe8,  \
+    0xed, 0x4c, 0x6f, 0x0b, 0xa6, 0xa7, 0xf3, 0x9a, 0xf5, 0x6f, 0x69, 0xca,  \
+    0x3c, 0x22, 0xd0, 0x15, 0xa8, 0x20, 0x27, 0x41, 0xf8, 0x43, 0x42, 0x7f,  \
+    0xb1, 0x93, 0xa1, 0x04, 0x85, 0xda, 0xa0, 0x1c, 0xd6, 0xc6, 0xf7, 0x8a,  \
+    0x9e, 0xea, 0x5c, 0x78, 0xa7, 0x55, 0xc4, 0x6b, 0x05, 0x8b, 0xc0, 0x83,  \
+    0xcb, 0xce, 0x83, 0x05, 0xf8, 0xb2, 0x16, 0x2b, 0xdf, 0x06, 0x3f, 0xb8,  \
+    0xec, 0x16, 0xda, 0x43, 0x33, 0xc1, 0x8f, 0xb0, 0xb8, 0xac, 0xae, 0xd4,  \
+    0x94, 0xb8, 0xda, 0x6f, 0x6a, 0xc3, 0x02, 0x81, 0x81, 0x00, 0xdd, 0xae,  \
+    0x00, 0xcd, 0xa0, 0x72, 0x1a, 0x05, 0x8a, 0xee, 0x2f, 0xd4, 0x71, 0x4b,  \
+    0xf0, 0x3e, 0xe5, 0xc1, 0xe1, 0x29, 0x8b, 0xa6, 0x67, 0x30, 0x98, 0xe7,  \
+    0x12, 0xef, 0xdd, 0x12, 0x01, 0x90, 0x24, 0x58, 0xf0, 0x76, 0x92, 0xe7,  \
+    0x3d, 0xbb, 0x23, 0xe1, 0xce, 0xf9, 0xa1, 0xd4, 0x38, 0x1b, 0x3f, 0x20,  \
+    0xb3, 0x0f, 0x65, 0x6a, 0x8f, 0x55, 0x57, 0x36, 0xee, 0xb2, 0x84, 0x44,  \
+    0xfc, 0x91, 0x88, 0xe1, 0xa4, 0xdd, 0x3b, 0x4a, 0x40, 0x4d, 0x7c, 0x86,  \
+    0xed, 0xe1, 0xb5, 0x42, 0xef, 0xb9, 0x61, 0xcd, 0x58, 0x19, 0x77, 0x02,  \
+    0xae, 0x58, 0x80, 0xdb, 0x13, 0x3d, 0xc7, 0x1f, 0x9d, 0xed, 0xff, 0xac,  \
+    0x98, 0xfc, 0xcd, 0xf9, 0x62, 0x04, 0x83, 0x91, 0x89, 0x0d, 0x86, 0x43,  \
+    0x8c, 0x0c, 0xc7, 0x1b, 0x90, 0x4d, 0xbe, 0x2f, 0xc5, 0x7c, 0xcd, 0x42,  \
+    0xf5, 0xd3, 0xad, 0x8e, 0xfd, 0x9d, 0x02, 0x81, 0x80, 0x17, 0x4b, 0x79,  \
+    0x2a, 0x6c, 0x1b, 0x8d, 0x61, 0xc1, 0x85, 0xc5, 0x6a, 0x3b, 0x82, 0x1c,  \
+    0x05, 0x5b, 0xcd, 0xdc, 0x12, 0x25, 0x73, 0x5b, 0x9e, 0xd9, 0x84, 0x57,  \
+    0x10, 0x39, 0x71, 0x63, 0x96, 0xf4, 0xaf, 0xc3, 0x78, 0x5d, 0xc7, 0x8c,  \
+    0x80, 0xa9, 0x96, 0xd7, 0xc3, 0x87, 0x02, 0x96, 0x71, 0x7e, 0x5f, 0x2e,  \
+    0x3c, 0x36, 0xae, 0x59, 0x92, 0xd7, 0x3a, 0x09, 0x78, 0xb9, 0xea, 0x6f,  \
+    0xc2, 0x16, 0x42, 0xdc, 0x4b, 0x96, 0xad, 0x2c, 0xb2, 0x20, 0x23, 0x61,  \
+    0x2d, 0x8d, 0xb5, 0x02, 0x1e, 0xe1, 0x6c, 0x81, 0x01, 0x3c, 0x5d, 0xcb,  \
+    0xdd, 0x9b, 0x0e, 0xc0, 0x2f, 0x94, 0x12, 0xb2, 0xfe, 0x75, 0x75, 0x8b,  \
+    0x74, 0x1e, 0x7a, 0x26, 0x0c, 0xb7, 0x81, 0x96, 0x81, 0x79, 0x6e, 0xdb,  \
+    0xbc, 0x3a, 0xc4, 0x9e, 0x87, 0x09, 0x6e, 0xa0, 0xa6, 0xec, 0x8b, 0xa4,  \
+    0x85, 0x71, 0xce, 0x04, 0xaf, 0x02, 0x81, 0x81, 0x00, 0xc2, 0xa7, 0x47,  \
+    0x07, 0x48, 0x6a, 0xc8, 0xd4, 0xb3, 0x20, 0xe1, 0x98, 0xee, 0xff, 0x5a,  \
+    0x6f, 0x30, 0x7a, 0xa5, 0x47, 0x40, 0xdc, 0x16, 0x62, 0x42, 0xf1, 0x2c,  \
+    0xdc, 0xb8, 0xc7, 0x55, 0xde, 0x07, 0x3c, 0x9d, 0xb1, 0xd0, 0xdf, 0x02,  \
+    0x82, 0xb0, 0x48, 0x58, 0xe1, 0x34, 0xab, 0xcf, 0xb4, 0x85, 0x23, 0x26,  \
+    0x78, 0x4f, 0x7a, 0x59, 0x6f, 0xfb, 0x8c, 0x3d, 0xdf, 0x3d, 0x6c, 0x02,  \
+    0x47, 0x9c, 0xe5, 0x5e, 0x49, 0xf1, 0x05, 0x0b, 0x1f, 0xbf, 0x48, 0x0f,  \
+    0xdc, 0x10, 0xb9, 0x3d, 0x1d, 0x10, 0x77, 0x2a, 0x73, 0xf9, 0xdf, 0xbd,  \
+    0xcd, 0xf3, 0x1f, 0xeb, 0x6e, 0x64, 0xca, 0x2b, 0x78, 0x4f, 0xf8, 0x73,  \
+    0xc2, 0x10, 0xef, 0x79, 0x95, 0x33, 0x1e, 0x79, 0x35, 0x09, 0xff, 0x88,  \
+    0x1b, 0xb4, 0x3e, 0x4c, 0xe1, 0x27, 0x2e, 0x75, 0x80, 0x58, 0x11, 0x03,  \
+    0x21, 0x23, 0x96, 0x9a, 0xb5, 0x02, 0x81, 0x80, 0x05, 0x12, 0x64, 0x71,  \
+    0x83, 0x00, 0x1c, 0xfe, 0xef, 0x83, 0xea, 0xdd, 0x2c, 0xc8, 0x2c, 0x00,  \
+    0x62, 0x1e, 0x8f, 0x3a, 0xdb, 0x1c, 0xab, 0xd6, 0x34, 0x8b, 0xd1, 0xb2,  \
+    0x5a, 0x4f, 0x3d, 0x37, 0x38, 0x02, 0xe0, 0xd7, 0x70, 0xc1, 0xb0, 0x47,  \
+    0xe0, 0x08, 0x1a, 0x84, 0xec, 0x48, 0xc5, 0x7c, 0x76, 0x83, 0x12, 0x67,  \
+    0xab, 0x7c, 0x9f, 0x90, 0x97, 0xc8, 0x8f, 0x07, 0xf4, 0xb3, 0x60, 0xf2,  \
+    0x3f, 0x49, 0x18, 0xdb, 0x2e, 0x94, 0x6b, 0x53, 0x9e, 0xa2, 0x63, 0xde,  \
+    0x63, 0xd9, 0xab, 0x21, 0x2e, 0x2d, 0x0a, 0xe0, 0xd0, 0xe8, 0xba, 0xc4,  \
+    0x4c, 0x1e, 0xa5, 0xf5, 0x51, 0xa8, 0xc4, 0x92, 0xf8, 0x7f, 0x21, 0xe7,  \
+    0x65, 0xbf, 0x0b, 0xe6, 0x01, 0xaf, 0x9c, 0x1d, 0x5b, 0x6c, 0x3f, 0x1c,  \
+    0x2f, 0xa6, 0x0f, 0x68, 0x38, 0x8e, 0x85, 0xc4, 0x6c, 0x78, 0x2f, 0x6f,  \
+    0x06, 0x21, 0x2e, 0x56                                                   \
+}
+/* END FILE */
+
+/*
+ * Test client Certificates
+ *
+ * Test client certificates are defined for each choice
+ * of the following parameters:
+ * - PEM or DER encoding
+ * - RSA or EC key
+ *
+ * Things to add:
+ * - hash type
+ * - multiple EC curve types
+ */
+
+/* This is taken from tests/data_files/cli2.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_EC_PEM tests/data_files/cli2.crt */
+#define TEST_CLI_CRT_EC_PEM                                                \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIB3zCCAWOgAwIBAgIBDTAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw\r\n" \
+    "DwYDVQQKDAhQb2xhclNTTDEcMBoGA1UEAwwTUG9sYXJTU0wgVGVzdCBFQyBDQTAe\r\n" \
+    "Fw0xOTAyMTAxNDQ0MDBaFw0yOTAyMTAxNDQ0MDBaMEExCzAJBgNVBAYTAk5MMREw\r\n" \
+    "DwYDVQQKDAhQb2xhclNTTDEfMB0GA1UEAwwWUG9sYXJTU0wgVGVzdCBDbGllbnQg\r\n" \
+    "MjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFflrrFz39Osu5O4gf8Sru7mU6zO\r\n" \
+    "VVP2NA7MLuNjJQvfmOLzXGA2lsDVGBRw5X+f1UtFGOWwbNVc+JaPh3Cj5MejTTBL\r\n" \
+    "MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMB8GA1Ud\r\n" \
+    "IwQYMBaAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8MAwGCCqGSM49BAMCBQADaAAwZQIx\r\n" \
+    "AMqme4DKMldUlplDET9Q6Eptre7uUWKhsLOF+zPkKDlfzpIkJYEFgcloDHGYw80u\r\n" \
+    "IgIwNftyPXsabTqMM7iEHgVpX/GRozKklY9yQI/5eoA6gGW7Y+imuGR/oao5ySOb\r\n" \
+    "a9Vk\r\n"                                                             \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.crt.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_CRT_EC_DER tests/data_files/cli2.crt.der */
+#define TEST_CLI_CRT_EC_DER {                                                \
+  0x30, 0x82, 0x01, 0xdf, 0x30, 0x82, 0x01, 0x63, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x0d, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,    \
+  0x3d, 0x04, 0x03, 0x02, 0x05, 0x00, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,    \
+  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,    \
+  0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61,    \
+  0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,    \
+  0x03, 0x0c, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20,    \
+  0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e,    \
+  0x17, 0x0d, 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34,    \
+  0x30, 0x30, 0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31,    \
+  0x34, 0x34, 0x34, 0x30, 0x30, 0x5a, 0x30, 0x41, 0x31, 0x0b, 0x30, 0x09,    \
+  0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,    \
+  0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61,    \
+  0x72, 0x53, 0x53, 0x4c, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,    \
+  0x03, 0x0c, 0x16, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20,    \
+  0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20,    \
+  0x32, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,    \
+  0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,    \
+  0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae, 0xb1, 0x73, 0xdf, 0xd3, 0xac,    \
+  0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae, 0xee, 0xe6, 0x53, 0xac, 0xce,    \
+  0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e, 0xe3, 0x63, 0x25, 0x0b, 0xdf,    \
+  0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96, 0xc0, 0xd5, 0x18, 0x14, 0x70,    \
+  0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18, 0xe5, 0xb0, 0x6c, 0xd5, 0x5c,    \
+  0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4, 0xc7, 0xa3, 0x4d, 0x30, 0x4b,    \
+  0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30,    \
+  0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x7a, 0x00,    \
+  0x5f, 0x86, 0x64, 0xfc, 0xe0, 0x5d, 0xe5, 0x11, 0x10, 0x3b, 0xb2, 0xe6,    \
+  0x3b, 0xc4, 0x26, 0x3f, 0xcf, 0xe2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,    \
+  0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49,    \
+  0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb,    \
+  0xfb, 0x36, 0x7c, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,    \
+  0x04, 0x03, 0x02, 0x05, 0x00, 0x03, 0x68, 0x00, 0x30, 0x65, 0x02, 0x31,    \
+  0x00, 0xca, 0xa6, 0x7b, 0x80, 0xca, 0x32, 0x57, 0x54, 0x96, 0x99, 0x43,    \
+  0x11, 0x3f, 0x50, 0xe8, 0x4a, 0x6d, 0xad, 0xee, 0xee, 0x51, 0x62, 0xa1,    \
+  0xb0, 0xb3, 0x85, 0xfb, 0x33, 0xe4, 0x28, 0x39, 0x5f, 0xce, 0x92, 0x24,    \
+  0x25, 0x81, 0x05, 0x81, 0xc9, 0x68, 0x0c, 0x71, 0x98, 0xc3, 0xcd, 0x2e,    \
+  0x22, 0x02, 0x30, 0x35, 0xfb, 0x72, 0x3d, 0x7b, 0x1a, 0x6d, 0x3a, 0x8c,    \
+  0x33, 0xb8, 0x84, 0x1e, 0x05, 0x69, 0x5f, 0xf1, 0x91, 0xa3, 0x32, 0xa4,    \
+  0x95, 0x8f, 0x72, 0x40, 0x8f, 0xf9, 0x7a, 0x80, 0x3a, 0x80, 0x65, 0xbb,    \
+  0x63, 0xe8, 0xa6, 0xb8, 0x64, 0x7f, 0xa1, 0xaa, 0x39, 0xc9, 0x23, 0x9b,    \
+  0x6b, 0xd5, 0x64                                                           \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli2.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_EC_PEM tests/data_files/cli2.key */
+#define TEST_CLI_KEY_EC_PEM                                                \
+    "-----BEGIN EC PRIVATE KEY-----\r\n"                                   \
+    "MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n" \
+    "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" \
+    "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"                             \
+    "-----END EC PRIVATE KEY-----\r\n"
+/* END FILE */
+
+/* This is generated from tests/data_files/cli2.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_EC_DER tests/data_files/cli2.key.der */
+#define TEST_CLI_KEY_EC_DER {                                                \
+    0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0xf6, 0xf7, 0x86, 0x64, 0xf1,  \
+    0x67, 0x7f, 0xe6, 0x64, 0x8d, 0xef, 0xca, 0x4e, 0xe9, 0xdd, 0x4d, 0xf0,  \
+    0x05, 0xff, 0x96, 0x22, 0x8a, 0x7a, 0x84, 0x38, 0x64, 0x17, 0x32, 0x61,  \
+    0x98, 0xb7, 0x2a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,  \
+    0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0x57, 0xe5, 0xae,  \
+    0xb1, 0x73, 0xdf, 0xd3, 0xac, 0xbb, 0x93, 0xb8, 0x81, 0xff, 0x12, 0xae,  \
+    0xee, 0xe6, 0x53, 0xac, 0xce, 0x55, 0x53, 0xf6, 0x34, 0x0e, 0xcc, 0x2e,  \
+    0xe3, 0x63, 0x25, 0x0b, 0xdf, 0x98, 0xe2, 0xf3, 0x5c, 0x60, 0x36, 0x96,  \
+    0xc0, 0xd5, 0x18, 0x14, 0x70, 0xe5, 0x7f, 0x9f, 0xd5, 0x4b, 0x45, 0x18,  \
+    0xe5, 0xb0, 0x6c, 0xd5, 0x5c, 0xf8, 0x96, 0x8f, 0x87, 0x70, 0xa3, 0xe4,  \
+    0xc7                                                                     \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa-sha256.crt. */
+/* BEGIN FILE string macro TEST_CLI_CRT_RSA_PEM tests/data_files/cli-rsa-sha256.crt */
+#define TEST_CLI_CRT_RSA_PEM                                               \
+    "-----BEGIN CERTIFICATE-----\r\n"                                      \
+    "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
+    "MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
+    "MTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n" \
+    "A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n" \
+    "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n" \
+    "M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n" \
+    "1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n" \
+    "MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n" \
+    "4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n" \
+    "/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n" \
+    "o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n" \
+    "BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n" \
+    "AQEAXidv1d4pLlBiKWED95rMycBdgDcgyNqJxakFkRfRyA2y1mlyTn7uBXRkNLY5\r\n" \
+    "ZFzK82GCjk2Q2OD4RZSCPAJJqLpHHU34t71ciffvy2KK81YvrxczRhMAE64i+qna\r\n" \
+    "yP3Td2XuWJR05PVPoSemsNELs9gWttdnYy3ce+EY2Y0n7Rsi7982EeLIAA7H6ca4\r\n" \
+    "2Es/NUH//JZJT32OP0doMxeDRA+vplkKqTLLWf7dX26LIriBkBaRCgR5Yv9LBPFc\r\n" \
+    "NOtpzu/LbrY7QFXKJMI+JXDudCsOn8KCmiA4d6Emisqfh3V3485l7HEQNcvLTxlD\r\n" \
+    "6zDQyi0/ykYUYZkwQTK1N2Nvlw==\r\n"                                     \
+    "-----END CERTIFICATE-----\r\n"
+/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa-sha256.crt.der
+   using `xxd -i.` */
+/* BEGIN FILE binary macro TEST_CLI_CRT_RSA_DER tests/data_files/cli-rsa-sha256.crt.der */
+#define TEST_CLI_CRT_RSA_DER {                                               \
+  0x30, 0x82, 0x03, 0x3f, 0x30, 0x82, 0x02, 0x27, 0xa0, 0x03, 0x02, 0x01,    \
+  0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,    \
+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3b, 0x31, 0x0b, 0x30,    \
+  0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11,    \
+  0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c,    \
+  0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55,    \
+  0x04, 0x03, 0x0c, 0x10, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c,    \
+  0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d,    \
+  0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34, 0x34, 0x30, 0x36,    \
+  0x5a, 0x17, 0x0d, 0x32, 0x39, 0x30, 0x32, 0x31, 0x30, 0x31, 0x34, 0x34,    \
+  0x34, 0x30, 0x36, 0x5a, 0x30, 0x3c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,    \
+  0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06,    \
+  0x03, 0x55, 0x04, 0x0a, 0x0c, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53,    \
+  0x53, 0x4c, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,    \
+  0x11, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x20, 0x43, 0x6c,    \
+  0x69, 0x65, 0x6e, 0x74, 0x20, 0x32, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,    \
+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,    \
+  0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,    \
+  0x01, 0x01, 0x00, 0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9,    \
+  0x45, 0xd9, 0x14, 0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f,    \
+  0x33, 0xad, 0x0d, 0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9,    \
+  0xcc, 0x66, 0x85, 0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63,    \
+  0x9e, 0x0a, 0x6e, 0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10,    \
+  0x93, 0x86, 0x49, 0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e,    \
+  0xd4, 0x2f, 0x77, 0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95,    \
+  0x48, 0x70, 0xf5, 0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed,    \
+  0xe6, 0x43, 0xea, 0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4,    \
+  0x57, 0x4e, 0xa9, 0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30,    \
+  0x32, 0x30, 0xd5, 0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2,    \
+  0x5f, 0xf9, 0x3d, 0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d,    \
+  0xfb, 0xe5, 0x0c, 0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2,    \
+  0x7f, 0xca, 0xad, 0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f,    \
+  0xe0, 0x9b, 0xf8, 0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34,    \
+  0x04, 0x66, 0xc7, 0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a,    \
+  0x06, 0x67, 0xf4, 0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe,    \
+  0x3c, 0x8b, 0x35, 0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f,    \
+  0xfc, 0x36, 0x6b, 0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d,    \
+  0x00, 0xcf, 0xaf, 0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4,    \
+  0xe7, 0x50, 0x71, 0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8,    \
+  0xe4, 0xc4, 0xfd, 0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01,    \
+  0xa3, 0x4d, 0x30, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,    \
+  0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,    \
+  0x04, 0x14, 0x71, 0xa1, 0x00, 0x73, 0x72, 0x40, 0x2f, 0x54, 0x76, 0x5e,    \
+  0x33, 0xfc, 0x52, 0x8f, 0xbc, 0xf1, 0xdd, 0x6b, 0x46, 0x21, 0x30, 0x1f,    \
+  0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xb4,    \
+  0x5a, 0xe4, 0xa5, 0xb3, 0xde, 0xd2, 0x52, 0xf6, 0xb9, 0xd5, 0xa6, 0x95,    \
+  0x0f, 0xeb, 0x3e, 0xbc, 0xc7, 0xfd, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a,    \
+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82,    \
+  0x01, 0x01, 0x00, 0x5e, 0x27, 0x6f, 0xd5, 0xde, 0x29, 0x2e, 0x50, 0x62,    \
+  0x29, 0x61, 0x03, 0xf7, 0x9a, 0xcc, 0xc9, 0xc0, 0x5d, 0x80, 0x37, 0x20,    \
+  0xc8, 0xda, 0x89, 0xc5, 0xa9, 0x05, 0x91, 0x17, 0xd1, 0xc8, 0x0d, 0xb2,    \
+  0xd6, 0x69, 0x72, 0x4e, 0x7e, 0xee, 0x05, 0x74, 0x64, 0x34, 0xb6, 0x39,    \
+  0x64, 0x5c, 0xca, 0xf3, 0x61, 0x82, 0x8e, 0x4d, 0x90, 0xd8, 0xe0, 0xf8,    \
+  0x45, 0x94, 0x82, 0x3c, 0x02, 0x49, 0xa8, 0xba, 0x47, 0x1d, 0x4d, 0xf8,    \
+  0xb7, 0xbd, 0x5c, 0x89, 0xf7, 0xef, 0xcb, 0x62, 0x8a, 0xf3, 0x56, 0x2f,    \
+  0xaf, 0x17, 0x33, 0x46, 0x13, 0x00, 0x13, 0xae, 0x22, 0xfa, 0xa9, 0xda,    \
+  0xc8, 0xfd, 0xd3, 0x77, 0x65, 0xee, 0x58, 0x94, 0x74, 0xe4, 0xf5, 0x4f,    \
+  0xa1, 0x27, 0xa6, 0xb0, 0xd1, 0x0b, 0xb3, 0xd8, 0x16, 0xb6, 0xd7, 0x67,    \
+  0x63, 0x2d, 0xdc, 0x7b, 0xe1, 0x18, 0xd9, 0x8d, 0x27, 0xed, 0x1b, 0x22,    \
+  0xef, 0xdf, 0x36, 0x11, 0xe2, 0xc8, 0x00, 0x0e, 0xc7, 0xe9, 0xc6, 0xb8,    \
+  0xd8, 0x4b, 0x3f, 0x35, 0x41, 0xff, 0xfc, 0x96, 0x49, 0x4f, 0x7d, 0x8e,    \
+  0x3f, 0x47, 0x68, 0x33, 0x17, 0x83, 0x44, 0x0f, 0xaf, 0xa6, 0x59, 0x0a,    \
+  0xa9, 0x32, 0xcb, 0x59, 0xfe, 0xdd, 0x5f, 0x6e, 0x8b, 0x22, 0xb8, 0x81,    \
+  0x90, 0x16, 0x91, 0x0a, 0x04, 0x79, 0x62, 0xff, 0x4b, 0x04, 0xf1, 0x5c,    \
+  0x34, 0xeb, 0x69, 0xce, 0xef, 0xcb, 0x6e, 0xb6, 0x3b, 0x40, 0x55, 0xca,    \
+  0x24, 0xc2, 0x3e, 0x25, 0x70, 0xee, 0x74, 0x2b, 0x0e, 0x9f, 0xc2, 0x82,    \
+  0x9a, 0x20, 0x38, 0x77, 0xa1, 0x26, 0x8a, 0xca, 0x9f, 0x87, 0x75, 0x77,    \
+  0xe3, 0xce, 0x65, 0xec, 0x71, 0x10, 0x35, 0xcb, 0xcb, 0x4f, 0x19, 0x43,    \
+  0xeb, 0x30, 0xd0, 0xca, 0x2d, 0x3f, 0xca, 0x46, 0x14, 0x61, 0x99, 0x30,    \
+  0x41, 0x32, 0xb5, 0x37, 0x63, 0x6f, 0x97                                   \
+}
+/* END FILE */
+
+/* This is taken from tests/data_files/cli-rsa.key. */
+/* BEGIN FILE string macro TEST_CLI_KEY_RSA_PEM tests/data_files/cli-rsa.key */
+#define TEST_CLI_KEY_RSA_PEM                                               \
+    "-----BEGIN RSA PRIVATE KEY-----\r\n"                                  \
+    "MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n" \
+    "B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n" \
+    "bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n" \
+    "Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n" \
+    "7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n" \
+    "dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n" \
+    "yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n" \
+    "4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n" \
+    "ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n" \
+    "zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n" \
+    "l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n" \
+    "DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n" \
+    "VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n" \
+    "Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n" \
+    "wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n" \
+    "c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n" \
+    "33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n" \
+    "ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n" \
+    "BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n" \
+    "KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n" \
+    "UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n" \
+    "7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n" \
+    "gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n" \
+    "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" \
+    "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"         \
+    "-----END RSA PRIVATE KEY-----\r\n"/* END FILE */
+
+/* This was generated from tests/data_files/cli-rsa.key.der using `xxd -i`. */
+/* BEGIN FILE binary macro TEST_CLI_KEY_RSA_DER tests/data_files/cli-rsa.key.der */
+#define TEST_CLI_KEY_RSA_DER {                                               \
+    0x30, 0x82, 0x04, 0xa4, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,  \
+    0xc8, 0x74, 0xc4, 0xcc, 0xb9, 0xf9, 0xb5, 0x79, 0xe9, 0x45, 0xd9, 0x14,  \
+    0x60, 0xb0, 0x7d, 0xbb, 0x93, 0xf2, 0x6b, 0x1e, 0x9f, 0x33, 0xad, 0x0d,  \
+    0x8f, 0x8a, 0x3c, 0x56, 0x65, 0xe5, 0xdc, 0x44, 0xd9, 0xcc, 0x66, 0x85,  \
+    0x07, 0xd5, 0xf8, 0x27, 0xb0, 0x4a, 0x35, 0xd0, 0x63, 0x9e, 0x0a, 0x6e,  \
+    0x1b, 0xb7, 0xda, 0xf0, 0x7e, 0xab, 0xee, 0x0c, 0x10, 0x93, 0x86, 0x49,  \
+    0x18, 0x34, 0xf3, 0xa8, 0x2a, 0xd2, 0x57, 0xf5, 0x2e, 0xd4, 0x2f, 0x77,  \
+    0x29, 0x84, 0x61, 0x4d, 0x82, 0x50, 0x8f, 0xa7, 0x95, 0x48, 0x70, 0xf5,  \
+    0x6e, 0x4d, 0xb2, 0xd5, 0x13, 0xc3, 0xd2, 0x1a, 0xed, 0xe6, 0x43, 0xea,  \
+    0x42, 0x14, 0xeb, 0x74, 0xea, 0xc0, 0xed, 0x1f, 0xd4, 0x57, 0x4e, 0xa9,  \
+    0xf3, 0xa8, 0xed, 0xd2, 0xe0, 0xc1, 0x30, 0x71, 0x30, 0x32, 0x30, 0xd5,  \
+    0xd3, 0xf6, 0x08, 0xd0, 0x56, 0x4f, 0x46, 0x8e, 0xf2, 0x5f, 0xf9, 0x3d,  \
+    0x67, 0x91, 0x88, 0x30, 0x2e, 0x42, 0xb2, 0xdf, 0x7d, 0xfb, 0xe5, 0x0c,  \
+    0x77, 0xff, 0xec, 0x31, 0xc0, 0x78, 0x8f, 0xbf, 0xc2, 0x7f, 0xca, 0xad,  \
+    0x6c, 0x21, 0xd6, 0x8d, 0xd9, 0x8b, 0x6a, 0x8e, 0x6f, 0xe0, 0x9b, 0xf8,  \
+    0x10, 0x56, 0xcc, 0xb3, 0x8e, 0x13, 0x15, 0xe6, 0x34, 0x04, 0x66, 0xc7,  \
+    0xee, 0xf9, 0x36, 0x0e, 0x6a, 0x95, 0xf6, 0x09, 0x9a, 0x06, 0x67, 0xf4,  \
+    0x65, 0x71, 0xf8, 0xca, 0xa4, 0xb1, 0x25, 0xe0, 0xfe, 0x3c, 0x8b, 0x35,  \
+    0x04, 0x67, 0xba, 0xe0, 0x4f, 0x76, 0x85, 0xfc, 0x7f, 0xfc, 0x36, 0x6b,  \
+    0xb5, 0xe9, 0xcd, 0x2d, 0x03, 0x62, 0x4e, 0xb3, 0x3d, 0x00, 0xcf, 0xaf,  \
+    0x76, 0xa0, 0x69, 0x56, 0x83, 0x6a, 0xd2, 0xa8, 0xd4, 0xe7, 0x50, 0x71,  \
+    0xe6, 0xb5, 0x36, 0x05, 0x77, 0x05, 0x6d, 0x7b, 0xc8, 0xe4, 0xc4, 0xfd,  \
+    0x4c, 0xd5, 0x21, 0x5f, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,  \
+    0x00, 0x67, 0x4d, 0xb5, 0xf6, 0x03, 0x89, 0xaa, 0x7a, 0x6f, 0x3b, 0x2d,  \
+    0xca, 0x10, 0xa2, 0x23, 0xc9, 0xbd, 0x4e, 0xda, 0xe1, 0x67, 0x0e, 0x0c,  \
+    0x8a, 0xc6, 0x84, 0x68, 0xdf, 0xe5, 0x97, 0x75, 0xd2, 0x8d, 0xa3, 0x86,  \
+    0xd9, 0xdb, 0xd5, 0xeb, 0x13, 0x19, 0x08, 0xc5, 0x7e, 0xe5, 0x37, 0x97,  \
+    0x0c, 0x73, 0x80, 0x66, 0x76, 0x35, 0xf1, 0x88, 0xb5, 0xf2, 0xfc, 0xf3,  \
+    0xe1, 0x4b, 0x76, 0x4e, 0x73, 0x45, 0xce, 0x2c, 0xc2, 0x10, 0x26, 0x0d,  \
+    0x68, 0x0d, 0x9f, 0x49, 0x3d, 0xd6, 0x80, 0x89, 0xe7, 0xc5, 0x49, 0x15,  \
+    0xdd, 0x85, 0xc0, 0xc8, 0xfe, 0x82, 0x37, 0x12, 0x5a, 0x0a, 0x6b, 0xf6,  \
+    0x68, 0x0d, 0x32, 0x16, 0xbd, 0xa4, 0x15, 0x54, 0x9e, 0x68, 0xa1, 0xad,  \
+    0xca, 0x6b, 0xe5, 0x8c, 0xda, 0x76, 0x35, 0x59, 0x2f, 0x9b, 0xb4, 0xe1,  \
+    0xf1, 0xf0, 0x50, 0x04, 0xee, 0xc8, 0xec, 0x05, 0xe1, 0xcf, 0x8d, 0xe4,  \
+    0xd2, 0x64, 0x7b, 0x5e, 0x63, 0xe0, 0x7b, 0x07, 0xbc, 0x02, 0x96, 0x4e,  \
+    0x1b, 0x78, 0x6c, 0xb6, 0x43, 0x9a, 0x32, 0xf6, 0xd6, 0x02, 0xf5, 0x80,  \
+    0xcc, 0x26, 0x6e, 0xa5, 0xd0, 0xe3, 0x65, 0x88, 0xce, 0x26, 0xa9, 0x40,  \
+    0xe1, 0xe1, 0x00, 0xe0, 0x7f, 0x3f, 0xc3, 0xb1, 0x7c, 0xde, 0xbe, 0x42,  \
+    0xba, 0x07, 0x81, 0x13, 0xc2, 0xe0, 0x11, 0x11, 0x23, 0x2c, 0xf8, 0xb2,  \
+    0x7a, 0x3a, 0xd4, 0xe4, 0x7d, 0x5f, 0xb9, 0xb1, 0x18, 0xfa, 0x1d, 0x1d,  \
+    0x97, 0x91, 0xd9, 0x04, 0x9e, 0xbc, 0xc9, 0xb4, 0xd7, 0x7d, 0x0e, 0x54,  \
+    0xf6, 0x8f, 0xd0, 0x28, 0x0d, 0xdd, 0x77, 0x4b, 0x68, 0x04, 0x48, 0x61,  \
+    0x75, 0x15, 0x03, 0x1b, 0x35, 0xad, 0x8e, 0xfc, 0x24, 0x11, 0x07, 0xea,  \
+    0x17, 0x5a, 0xde, 0x19, 0x68, 0xff, 0xb6, 0x87, 0x7f, 0x80, 0x2a, 0x5f,  \
+    0x0c, 0x58, 0xba, 0x5f, 0x41, 0x02, 0x81, 0x81, 0x00, 0xe3, 0x03, 0xaf,  \
+    0xfe, 0x98, 0xd2, 0x0b, 0x7b, 0x72, 0xe9, 0x3b, 0x8e, 0xbc, 0xa5, 0xf6,  \
+    0xac, 0xe5, 0x22, 0x06, 0xb2, 0xd7, 0x5e, 0xfd, 0x89, 0x4b, 0x16, 0x67,  \
+    0x32, 0x83, 0x22, 0x58, 0x8e, 0x62, 0xa4, 0xb4, 0x2d, 0xf9, 0x16, 0x13,  \
+    0x54, 0xf6, 0x9f, 0x2f, 0xf9, 0xbb, 0x0e, 0x7e, 0x8c, 0x6f, 0x08, 0xda,  \
+    0xc8, 0xe9, 0x1c, 0x66, 0x10, 0x70, 0x93, 0x90, 0x8d, 0xcf, 0x90, 0x3a,  \
+    0x43, 0x89, 0x49, 0xeb, 0x83, 0x2a, 0xfe, 0x5a, 0x87, 0xce, 0x74, 0x42,  \
+    0x41, 0x0d, 0x8c, 0x73, 0x51, 0xbc, 0x7b, 0x20, 0xc5, 0xfd, 0xf6, 0x0b,  \
+    0x65, 0xed, 0xa9, 0x2e, 0xfc, 0x0f, 0xf5, 0x50, 0xf9, 0x8d, 0x37, 0x36,  \
+    0x9a, 0x20, 0xdf, 0xc3, 0xe3, 0x27, 0xbc, 0x98, 0x72, 0xc1, 0x14, 0x4b,  \
+    0x71, 0xe9, 0x83, 0x14, 0xff, 0x24, 0xe2, 0x14, 0x15, 0xb6, 0x6f, 0x0f,  \
+    0x32, 0x9d, 0xd9, 0x98, 0xd1, 0x02, 0x81, 0x81, 0x00, 0xe2, 0x0c, 0xfb,  \
+    0xc3, 0x33, 0x9b, 0x47, 0x88, 0x27, 0xf2, 0x26, 0xde, 0xeb, 0x5e, 0xee,  \
+    0x40, 0xf6, 0x63, 0x5b, 0x35, 0x23, 0xf5, 0xd5, 0x07, 0x61, 0xdf, 0xa2,  \
+    0x9f, 0x58, 0x30, 0x04, 0x22, 0x2b, 0xb4, 0xd9, 0xda, 0x46, 0x7f, 0x48,  \
+    0xf5, 0x4f, 0xd0, 0xea, 0xd7, 0xa0, 0x45, 0x8a, 0x62, 0x8b, 0x8c, 0xac,  \
+    0x73, 0x5e, 0xfa, 0x36, 0x65, 0x3e, 0xba, 0x6c, 0xba, 0x5e, 0x6b, 0x92,  \
+    0x29, 0x5e, 0x6a, 0x0f, 0xd6, 0xd2, 0xa5, 0x95, 0x86, 0xda, 0x72, 0xc5,  \
+    0x9e, 0xc9, 0x6b, 0x37, 0x5e, 0x4b, 0x9b, 0x77, 0xe1, 0x67, 0x1a, 0x1e,  \
+    0x30, 0xd8, 0x41, 0x68, 0x40, 0xd3, 0x9c, 0xb4, 0xf6, 0xeb, 0x2a, 0x22,  \
+    0xdf, 0x78, 0x29, 0xd2, 0x64, 0x92, 0x5b, 0x2f, 0x78, 0x64, 0x4a, 0xa2,  \
+    0xa6, 0x6b, 0x3e, 0x50, 0xb1, 0x7a, 0xb1, 0x8d, 0x59, 0xb4, 0x55, 0xba,  \
+    0xb6, 0x91, 0x85, 0xa3, 0x2f, 0x02, 0x81, 0x80, 0x10, 0x1e, 0x19, 0xe7,  \
+    0xbc, 0x97, 0xe5, 0x22, 0xcd, 0xa4, 0xcb, 0x8a, 0xb5, 0xd0, 0x1e, 0xb4,  \
+    0x65, 0xcc, 0x45, 0xa7, 0x7a, 0xed, 0x0e, 0x99, 0x29, 0xd0, 0x9c, 0x61,  \
+    0x14, 0xb8, 0x62, 0x8b, 0x31, 0x6b, 0xba, 0x33, 0x2d, 0x65, 0x28, 0xd8,  \
+    0x36, 0x6e, 0x54, 0xec, 0xa9, 0x20, 0x3d, 0x51, 0xe1, 0x2c, 0x42, 0xc4,  \
+    0x52, 0xf0, 0xa6, 0x3a, 0x72, 0x93, 0xb7, 0x86, 0xa9, 0xfe, 0xf6, 0x74,  \
+    0x07, 0x12, 0x4d, 0x7b, 0x51, 0x99, 0x1f, 0x7a, 0x56, 0xe9, 0x20, 0x2f,  \
+    0x18, 0x34, 0x29, 0x97, 0xdb, 0x06, 0xee, 0xeb, 0xbf, 0xbd, 0x31, 0x4f,  \
+    0xfa, 0x50, 0xb1, 0xba, 0x49, 0xb3, 0xc4, 0x1d, 0x03, 0xae, 0xb0, 0xdc,  \
+    0xbe, 0x8a, 0xc4, 0x90, 0xa3, 0x28, 0x9b, 0xb6, 0x42, 0x09, 0x1b, 0xd6,  \
+    0x29, 0x9b, 0x19, 0xe9, 0x87, 0x87, 0xd9, 0x9f, 0x35, 0x05, 0xab, 0x91,  \
+    0x8f, 0x6d, 0x7c, 0x91, 0x02, 0x81, 0x81, 0x00, 0x94, 0x57, 0xf0, 0xe0,  \
+    0x28, 0xfd, 0xbd, 0xf3, 0x9c, 0x43, 0x4d, 0x3e, 0xfd, 0x37, 0x4f, 0x23,  \
+    0x52, 0x8d, 0xe1, 0x4c, 0xfe, 0x4c, 0x55, 0x80, 0x82, 0xba, 0x3f, 0xfe,  \
+    0x51, 0xe1, 0x30, 0xd5, 0x3b, 0xd9, 0x73, 0x1d, 0xcb, 0x25, 0xbc, 0xbb,  \
+    0x3f, 0xa5, 0xda, 0x77, 0xa6, 0xb5, 0xfc, 0x1a, 0xaf, 0x79, 0xa1, 0xb2,  \
+    0x14, 0xa2, 0x1f, 0x10, 0x52, 0x1a, 0x05, 0x40, 0x48, 0xb6, 0x4f, 0x34,  \
+    0xd6, 0xc0, 0xc3, 0xa4, 0x36, 0x98, 0x73, 0x88, 0x0b, 0xd3, 0x45, 0xdc,  \
+    0xee, 0x51, 0x6e, 0x04, 0x73, 0x99, 0x93, 0x12, 0x58, 0x96, 0xcb, 0x39,  \
+    0x42, 0xb1, 0xa9, 0xb8, 0xe1, 0x25, 0xf5, 0x9c, 0x14, 0xb7, 0x92, 0x2b,  \
+    0x14, 0xb0, 0x5d, 0x61, 0xa2, 0xaa, 0x34, 0x7c, 0xcd, 0x54, 0x2d, 0x69,  \
+    0x08, 0xf7, 0xdb, 0xfc, 0x9c, 0x87, 0xe8, 0x3a, 0xf6, 0x1d, 0x4c, 0x6a,  \
+    0x83, 0x15, 0x30, 0x01, 0x02, 0x81, 0x81, 0x00, 0x9c, 0x53, 0xa1, 0xb6,  \
+    0x2f, 0xc0, 0x06, 0xf5, 0xdf, 0x5c, 0xd1, 0x4a, 0x4e, 0xc8, 0xbd, 0x6d,  \
+    0x32, 0xf1, 0x5e, 0xe5, 0x3b, 0x70, 0xd0, 0xa8, 0xe5, 0x41, 0x57, 0x6c,  \
+    0x87, 0x53, 0x0f, 0xeb, 0x28, 0xa0, 0x62, 0x8f, 0x43, 0x62, 0xec, 0x2e,  \
+    0x6c, 0x71, 0x55, 0x5b, 0x6a, 0xf4, 0x74, 0x14, 0xea, 0x7a, 0x03, 0xf6,  \
+    0xfc, 0xa4, 0xce, 0xc4, 0xac, 0xda, 0x1d, 0xf0, 0xb5, 0xa9, 0xfd, 0x11,  \
+    0x18, 0x3b, 0x14, 0xa0, 0x90, 0x8d, 0x26, 0xb7, 0x75, 0x73, 0x0a, 0x02,  \
+    0x2c, 0x6f, 0x0f, 0xd8, 0x41, 0x78, 0xc3, 0x73, 0x81, 0xac, 0xaa, 0xaf,  \
+    0xf2, 0xee, 0x32, 0xb5, 0x8d, 0x05, 0xf9, 0x59, 0x5a, 0x9e, 0x3e, 0x65,  \
+    0x9b, 0x74, 0xda, 0xa0, 0x74, 0x95, 0x17, 0x5f, 0x8d, 0x58, 0xfc, 0x8e,  \
+    0x4e, 0x2c, 0x1e, 0xbc, 0x81, 0x02, 0x18, 0xac, 0x12, 0xc6, 0xf9, 0x64,  \
+    0x8b, 0x87, 0xc3, 0x00                                                   \
+}
+/* END FILE */
+
+/*
+ *
+ * Test certificates and keys as C variables
+ *
+ */
+
+/*
+ * CA
+ */
+
+const char mbedtls_test_ca_crt_ec_pem[]           = TEST_CA_CRT_EC_PEM;
+const char mbedtls_test_ca_key_ec_pem[]           = TEST_CA_KEY_EC_PEM;
+const char mbedtls_test_ca_pwd_ec_pem[]           = TEST_CA_PWD_EC_PEM;
+const char mbedtls_test_ca_key_rsa_pem[]          = TEST_CA_KEY_RSA_PEM;
+const char mbedtls_test_ca_pwd_rsa_pem[]          = TEST_CA_PWD_RSA_PEM;
+const char mbedtls_test_ca_crt_rsa_sha1_pem[]     = TEST_CA_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_ca_crt_rsa_sha256_pem[]   = TEST_CA_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_ca_crt_ec_der[]   = TEST_CA_CRT_EC_DER;
+const unsigned char mbedtls_test_ca_key_ec_der[]   = TEST_CA_KEY_EC_DER;
+const unsigned char mbedtls_test_ca_key_rsa_der[]  = TEST_CA_KEY_RSA_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha1_der[]   =
+    TEST_CA_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_ca_crt_rsa_sha256_der[] =
+    TEST_CA_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_ca_crt_ec_pem_len =
+    sizeof( mbedtls_test_ca_crt_ec_pem );
+const size_t mbedtls_test_ca_key_ec_pem_len =
+    sizeof( mbedtls_test_ca_key_ec_pem );
+const size_t mbedtls_test_ca_pwd_ec_pem_len =
+    sizeof( mbedtls_test_ca_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_ca_key_rsa_pem_len =
+    sizeof( mbedtls_test_ca_key_rsa_pem );
+const size_t mbedtls_test_ca_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_ca_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha1_pem_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_pem );
+const size_t mbedtls_test_ca_crt_rsa_sha256_pem_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_pem );
+
+const size_t mbedtls_test_ca_crt_ec_der_len =
+    sizeof( mbedtls_test_ca_crt_ec_der );
+const size_t mbedtls_test_ca_key_ec_der_len =
+    sizeof( mbedtls_test_ca_key_ec_der );
+const size_t mbedtls_test_ca_pwd_ec_der_len = 0;
+const size_t mbedtls_test_ca_key_rsa_der_len =
+    sizeof( mbedtls_test_ca_key_rsa_der );
+const size_t mbedtls_test_ca_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_ca_crt_rsa_sha1_der_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_der );
+const size_t mbedtls_test_ca_crt_rsa_sha256_der_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_der );
+
+/*
+ * Server
+ */
+
+const char mbedtls_test_srv_crt_ec_pem[]           = TEST_SRV_CRT_EC_PEM;
+const char mbedtls_test_srv_key_ec_pem[]           = TEST_SRV_KEY_EC_PEM;
+const char mbedtls_test_srv_pwd_ec_pem[]           = "";
+const char mbedtls_test_srv_key_rsa_pem[]          = TEST_SRV_KEY_RSA_PEM;
+const char mbedtls_test_srv_pwd_rsa_pem[]          = "";
+const char mbedtls_test_srv_crt_rsa_sha1_pem[]     = TEST_SRV_CRT_RSA_SHA1_PEM;
+const char mbedtls_test_srv_crt_rsa_sha256_pem[]   = TEST_SRV_CRT_RSA_SHA256_PEM;
+
+const unsigned char mbedtls_test_srv_crt_ec_der[]   = TEST_SRV_CRT_EC_DER;
+const unsigned char mbedtls_test_srv_key_ec_der[]   = TEST_SRV_KEY_EC_DER;
+const unsigned char mbedtls_test_srv_key_rsa_der[]  = TEST_SRV_KEY_RSA_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha1_der[]   =
+    TEST_SRV_CRT_RSA_SHA1_DER;
+const unsigned char mbedtls_test_srv_crt_rsa_sha256_der[] =
+    TEST_SRV_CRT_RSA_SHA256_DER;
+
+const size_t mbedtls_test_srv_crt_ec_pem_len =
+    sizeof( mbedtls_test_srv_crt_ec_pem );
+const size_t mbedtls_test_srv_key_ec_pem_len =
+    sizeof( mbedtls_test_srv_key_ec_pem );
+const size_t mbedtls_test_srv_pwd_ec_pem_len =
+    sizeof( mbedtls_test_srv_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_srv_key_rsa_pem_len =
+    sizeof( mbedtls_test_srv_key_rsa_pem );
+const size_t mbedtls_test_srv_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_srv_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_srv_crt_rsa_sha1_pem_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1_pem );
+const size_t mbedtls_test_srv_crt_rsa_sha256_pem_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256_pem );
+
+const size_t mbedtls_test_srv_crt_ec_der_len =
+    sizeof( mbedtls_test_srv_crt_ec_der );
+const size_t mbedtls_test_srv_key_ec_der_len =
+    sizeof( mbedtls_test_srv_key_ec_der );
+const size_t mbedtls_test_srv_pwd_ec_der_len = 0;
+const size_t mbedtls_test_srv_key_rsa_der_len =
+    sizeof( mbedtls_test_srv_key_rsa_der );
+const size_t mbedtls_test_srv_pwd_rsa_der_len = 0;
+const size_t mbedtls_test_srv_crt_rsa_sha1_der_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1_der );
+const size_t mbedtls_test_srv_crt_rsa_sha256_der_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256_der );
+
+/*
+ * Client
+ */
+
+const char mbedtls_test_cli_crt_ec_pem[]   = TEST_CLI_CRT_EC_PEM;
+const char mbedtls_test_cli_key_ec_pem[]   = TEST_CLI_KEY_EC_PEM;
+const char mbedtls_test_cli_pwd_ec_pem[]   = "";
+const char mbedtls_test_cli_key_rsa_pem[]  = TEST_CLI_KEY_RSA_PEM;
+const char mbedtls_test_cli_pwd_rsa_pem[]  = "";
+const char mbedtls_test_cli_crt_rsa_pem[]  = TEST_CLI_CRT_RSA_PEM;
+
+const unsigned char mbedtls_test_cli_crt_ec_der[]   = TEST_CLI_CRT_EC_DER;
+const unsigned char mbedtls_test_cli_key_ec_der[]   = TEST_CLI_KEY_EC_DER;
+const unsigned char mbedtls_test_cli_key_rsa_der[]  = TEST_CLI_KEY_RSA_DER;
+const unsigned char mbedtls_test_cli_crt_rsa_der[]  = TEST_CLI_CRT_RSA_DER;
+
+const size_t mbedtls_test_cli_crt_ec_pem_len =
+    sizeof( mbedtls_test_cli_crt_ec_pem );
+const size_t mbedtls_test_cli_key_ec_pem_len =
+    sizeof( mbedtls_test_cli_key_ec_pem );
+const size_t mbedtls_test_cli_pwd_ec_pem_len =
+    sizeof( mbedtls_test_cli_pwd_ec_pem ) - 1;
+const size_t mbedtls_test_cli_key_rsa_pem_len =
+    sizeof( mbedtls_test_cli_key_rsa_pem );
+const size_t mbedtls_test_cli_pwd_rsa_pem_len =
+    sizeof( mbedtls_test_cli_pwd_rsa_pem ) - 1;
+const size_t mbedtls_test_cli_crt_rsa_pem_len =
+    sizeof( mbedtls_test_cli_crt_rsa_pem );
+
+const size_t mbedtls_test_cli_crt_ec_der_len =
+    sizeof( mbedtls_test_cli_crt_ec_der );
+const size_t mbedtls_test_cli_key_ec_der_len =
+    sizeof( mbedtls_test_cli_key_ec_der );
+const size_t mbedtls_test_cli_key_rsa_der_len =
+    sizeof( mbedtls_test_cli_key_rsa_der );
+const size_t mbedtls_test_cli_crt_rsa_der_len =
+    sizeof( mbedtls_test_cli_crt_rsa_der );
+
+/*
+ *
+ * Definitions of test CRTs without specification of all parameters, choosing
+ * them automatically according to the config. For example, mbedtls_test_ca_crt
+ * is one of mbedtls_test_ca_crt_{rsa|ec}_{sha1|sha256}_{pem|der}.
+ *
+ */
+
+/*
+ * Dispatch between PEM and DER according to config
+ */
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+
+/* PEM encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_PEM
+#define TEST_CA_PWD_RSA        TEST_CA_PWD_RSA_PEM
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_PEM
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_PEM
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_PEM
+#define TEST_CA_PWD_EC         TEST_CA_PWD_EC_PEM
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_PEM
+
+/* PEM encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_PEM
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_PEM
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_PEM
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_PEM
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_PEM
+
+/* PEM encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_PEM
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_PEM
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_PEM
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_PEM
+
+#else /* MBEDTLS_PEM_PARSE_C */
+
+/* DER encoded test CA certificates and keys */
+
+#define TEST_CA_KEY_RSA        TEST_CA_KEY_RSA_DER
+#define TEST_CA_PWD_RSA        ""
+#define TEST_CA_CRT_RSA_SHA256 TEST_CA_CRT_RSA_SHA256_DER
+#define TEST_CA_CRT_RSA_SHA1   TEST_CA_CRT_RSA_SHA1_DER
+#define TEST_CA_KEY_EC         TEST_CA_KEY_EC_DER
+#define TEST_CA_PWD_EC         ""
+#define TEST_CA_CRT_EC         TEST_CA_CRT_EC_DER
+
+/* DER encoded test server certificates and keys */
+
+#define TEST_SRV_KEY_RSA        TEST_SRV_KEY_RSA_DER
+#define TEST_SRV_PWD_RSA        ""
+#define TEST_SRV_CRT_RSA_SHA256 TEST_SRV_CRT_RSA_SHA256_DER
+#define TEST_SRV_CRT_RSA_SHA1   TEST_SRV_CRT_RSA_SHA1_DER
+#define TEST_SRV_KEY_EC         TEST_SRV_KEY_EC_DER
+#define TEST_SRV_PWD_EC         ""
+#define TEST_SRV_CRT_EC         TEST_SRV_CRT_EC_DER
+
+/* DER encoded test client certificates and keys */
+
+#define TEST_CLI_KEY_RSA  TEST_CLI_KEY_RSA_DER
+#define TEST_CLI_PWD_RSA  ""
+#define TEST_CLI_CRT_RSA  TEST_CLI_CRT_RSA_DER
+#define TEST_CLI_KEY_EC   TEST_CLI_KEY_EC_DER
+#define TEST_CLI_PWD_EC   ""
+#define TEST_CLI_CRT_EC   TEST_CLI_CRT_EC_DER
+
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+const char mbedtls_test_ca_key_rsa[]         = TEST_CA_KEY_RSA;
+const char mbedtls_test_ca_pwd_rsa[]         = TEST_CA_PWD_RSA;
+const char mbedtls_test_ca_crt_rsa_sha256[]  = TEST_CA_CRT_RSA_SHA256;
+const char mbedtls_test_ca_crt_rsa_sha1[]    = TEST_CA_CRT_RSA_SHA1;
+const char mbedtls_test_ca_key_ec[]          = TEST_CA_KEY_EC;
+const char mbedtls_test_ca_pwd_ec[]          = TEST_CA_PWD_EC;
+const char mbedtls_test_ca_crt_ec[]          = TEST_CA_CRT_EC;
+
+const char mbedtls_test_srv_key_rsa[]        = TEST_SRV_KEY_RSA;
+const char mbedtls_test_srv_pwd_rsa[]        = TEST_SRV_PWD_RSA;
+const char mbedtls_test_srv_crt_rsa_sha256[] = TEST_SRV_CRT_RSA_SHA256;
+const char mbedtls_test_srv_crt_rsa_sha1[]   = TEST_SRV_CRT_RSA_SHA1;
+const char mbedtls_test_srv_key_ec[]         = TEST_SRV_KEY_EC;
+const char mbedtls_test_srv_pwd_ec[]         = TEST_SRV_PWD_EC;
+const char mbedtls_test_srv_crt_ec[]         = TEST_SRV_CRT_EC;
+
+const char mbedtls_test_cli_key_rsa[]        = TEST_CLI_KEY_RSA;
+const char mbedtls_test_cli_pwd_rsa[]        = TEST_CLI_PWD_RSA;
+const char mbedtls_test_cli_crt_rsa[]        = TEST_CLI_CRT_RSA;
+const char mbedtls_test_cli_key_ec[]         = TEST_CLI_KEY_EC;
+const char mbedtls_test_cli_pwd_ec[]         = TEST_CLI_PWD_EC;
+const char mbedtls_test_cli_crt_ec[]         = TEST_CLI_CRT_EC;
+
+const size_t mbedtls_test_ca_key_rsa_len =
+    sizeof( mbedtls_test_ca_key_rsa );
+const size_t mbedtls_test_ca_pwd_rsa_len =
+    sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
+const size_t mbedtls_test_ca_crt_rsa_sha256_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha256 );
+const size_t mbedtls_test_ca_crt_rsa_sha1_len =
+    sizeof( mbedtls_test_ca_crt_rsa_sha1 );
+const size_t mbedtls_test_ca_key_ec_len =
+    sizeof( mbedtls_test_ca_key_ec );
+const size_t mbedtls_test_ca_pwd_ec_len =
+    sizeof( mbedtls_test_ca_pwd_ec ) - 1;
+const size_t mbedtls_test_ca_crt_ec_len =
+    sizeof( mbedtls_test_ca_crt_ec );
+
+const size_t mbedtls_test_srv_key_rsa_len =
+    sizeof( mbedtls_test_srv_key_rsa );
+const size_t mbedtls_test_srv_pwd_rsa_len =
+    sizeof( mbedtls_test_srv_pwd_rsa ) -1;
+const size_t mbedtls_test_srv_crt_rsa_sha256_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha256 );
+const size_t mbedtls_test_srv_crt_rsa_sha1_len =
+    sizeof( mbedtls_test_srv_crt_rsa_sha1 );
+const size_t mbedtls_test_srv_key_ec_len =
+    sizeof( mbedtls_test_srv_key_ec );
+const size_t mbedtls_test_srv_pwd_ec_len =
+    sizeof( mbedtls_test_srv_pwd_ec ) - 1;
+const size_t mbedtls_test_srv_crt_ec_len =
+    sizeof( mbedtls_test_srv_crt_ec );
+
+const size_t mbedtls_test_cli_key_rsa_len =
+    sizeof( mbedtls_test_cli_key_rsa );
+const size_t mbedtls_test_cli_pwd_rsa_len =
+    sizeof( mbedtls_test_cli_pwd_rsa ) - 1;
+const size_t mbedtls_test_cli_crt_rsa_len =
+    sizeof( mbedtls_test_cli_crt_rsa );
+const size_t mbedtls_test_cli_key_ec_len =
+    sizeof( mbedtls_test_cli_key_ec );
+const size_t mbedtls_test_cli_pwd_ec_len =
+    sizeof( mbedtls_test_cli_pwd_ec ) - 1;
+const size_t mbedtls_test_cli_crt_ec_len =
+    sizeof( mbedtls_test_cli_crt_ec );
+
+/*
+ * Dispatch between SHA-1 and SHA-256
+ */
+
+#if defined(MBEDTLS_SHA256_C)
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA256
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA256
+#else
+#define TEST_CA_CRT_RSA  TEST_CA_CRT_RSA_SHA1
+#define TEST_SRV_CRT_RSA TEST_SRV_CRT_RSA_SHA1
+#endif /* MBEDTLS_SHA256_C */
+
+const char mbedtls_test_ca_crt_rsa[]  = TEST_CA_CRT_RSA;
+const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA;
+
+const size_t mbedtls_test_ca_crt_rsa_len =
+    sizeof( mbedtls_test_ca_crt_rsa );
+const size_t mbedtls_test_srv_crt_rsa_len =
+    sizeof( mbedtls_test_srv_crt_rsa );
+
+/*
+ * Dispatch between RSA and EC
+ */
+
+#if defined(MBEDTLS_RSA_C)
+
+#define TEST_CA_KEY TEST_CA_KEY_RSA
+#define TEST_CA_PWD TEST_CA_PWD_RSA
+#define TEST_CA_CRT TEST_CA_CRT_RSA
+
+#define TEST_SRV_KEY TEST_SRV_KEY_RSA
+#define TEST_SRV_PWD TEST_SRV_PWD_RSA
+#define TEST_SRV_CRT TEST_SRV_CRT_RSA
+
+#define TEST_CLI_KEY TEST_CLI_KEY_RSA
+#define TEST_CLI_PWD TEST_CLI_PWD_RSA
+#define TEST_CLI_CRT TEST_CLI_CRT_RSA
+
+#else /* no RSA, so assume ECDSA */
+
+#define TEST_CA_KEY TEST_CA_KEY_EC
+#define TEST_CA_PWD TEST_CA_PWD_EC
+#define TEST_CA_CRT TEST_CA_CRT_EC
+
+#define TEST_SRV_KEY TEST_SRV_KEY_EC
+#define TEST_SRV_PWD TEST_SRV_PWD_EC
+#define TEST_SRV_CRT TEST_SRV_CRT_EC
+
+#define TEST_CLI_KEY TEST_CLI_KEY_EC
+#define TEST_CLI_PWD TEST_CLI_PWD_EC
+#define TEST_CLI_CRT TEST_CLI_CRT_EC
+
+#endif /* MBEDTLS_RSA_C */
+
+/* API stability forces us to declare
+ *   mbedtls_test_{ca|srv|cli}_{key|pwd|crt}
+ * as pointers. */
+static const char test_ca_key[] = TEST_CA_KEY;
+static const char test_ca_pwd[] = TEST_CA_PWD;
+static const char test_ca_crt[] = TEST_CA_CRT;
+
+static const char test_srv_key[] = TEST_SRV_KEY;
+static const char test_srv_pwd[] = TEST_SRV_PWD;
+static const char test_srv_crt[] = TEST_SRV_CRT;
+
+static const char test_cli_key[] = TEST_CLI_KEY;
+static const char test_cli_pwd[] = TEST_CLI_PWD;
+static const char test_cli_crt[] = TEST_CLI_CRT;
+
+const char *mbedtls_test_ca_key = test_ca_key;
+const char *mbedtls_test_ca_pwd = test_ca_pwd;
+const char *mbedtls_test_ca_crt = test_ca_crt;
+
+const char *mbedtls_test_srv_key = test_srv_key;
+const char *mbedtls_test_srv_pwd = test_srv_pwd;
+const char *mbedtls_test_srv_crt = test_srv_crt;
+
+const char *mbedtls_test_cli_key = test_cli_key;
+const char *mbedtls_test_cli_pwd = test_cli_pwd;
+const char *mbedtls_test_cli_crt = test_cli_crt;
+
+const size_t mbedtls_test_ca_key_len =
+    sizeof( test_ca_key );
+const size_t mbedtls_test_ca_pwd_len =
+    sizeof( test_ca_pwd ) - 1;
+const size_t mbedtls_test_ca_crt_len =
+    sizeof( test_ca_crt );
+
+const size_t mbedtls_test_srv_key_len =
+    sizeof( test_srv_key );
+const size_t mbedtls_test_srv_pwd_len =
+    sizeof( test_srv_pwd ) - 1;
+const size_t mbedtls_test_srv_crt_len =
+    sizeof( test_srv_crt );
+
+const size_t mbedtls_test_cli_key_len =
+    sizeof( test_cli_key );
+const size_t mbedtls_test_cli_pwd_len =
+    sizeof( test_cli_pwd ) - 1;
+const size_t mbedtls_test_cli_crt_len =
+    sizeof( test_cli_crt );
+
+/*
+ *
+ * Lists of certificates
+ *
+ */
+
+/* List of CAs in PEM or DER, depending on config */
+const char * mbedtls_test_cas[] = {
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
+    mbedtls_test_ca_crt_rsa_sha1,
+#endif
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
+    mbedtls_test_ca_crt_rsa_sha256,
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    mbedtls_test_ca_crt_ec,
+#endif
+    NULL
+};
+const size_t mbedtls_test_cas_len[] = {
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA1_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
+#endif
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_SHA256_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    sizeof( mbedtls_test_ca_crt_ec ),
+#endif
+    0
+};
+
+/* List of all available CA certificates in DER format */
+const unsigned char * mbedtls_test_cas_der[] = {
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_test_ca_crt_rsa_sha256_der,
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    mbedtls_test_ca_crt_rsa_sha1_der,
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    mbedtls_test_ca_crt_ec_der,
+#endif /* MBEDTLS_ECDSA_C */
+    NULL
+};
+
+const size_t mbedtls_test_cas_der_len[] = {
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha256_der ),
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    sizeof( mbedtls_test_ca_crt_rsa_sha1_der ),
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    sizeof( mbedtls_test_ca_crt_ec_der ),
+#endif /* MBEDTLS_ECDSA_C */
+    0
+};
+
+/* Concatenation of all available CA certificates in PEM format */
+#if defined(MBEDTLS_PEM_PARSE_C)
+const char mbedtls_test_cas_pem[] =
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_SHA256_C)
+    TEST_CA_CRT_RSA_SHA256_PEM
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA1_C)
+    TEST_CA_CRT_RSA_SHA1_PEM
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+    TEST_CA_CRT_EC_PEM
+#endif /* MBEDTLS_ECDSA_C */
+    "";
+const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#endif /* MBEDTLS_CERTS_C */
diff --git a/makerom/deps/libmbedtls/src/chacha20.c b/makerom/deps/libmbedtls/src/chacha20.c
new file mode 100644
index 00000000..8a3610f0
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/chacha20.c
@@ -0,0 +1,570 @@
+/**
+ * \file chacha20.c
+ *
+ * \brief ChaCha20 cipher.
+ *
+ * \author Daniel King <damaki.gh@gmail.com>
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+#include "mbedtls/chacha20.h"
+#include "mbedtls/platform_util.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHA20_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define CHACHA20_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+#define CHACHA20_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                   \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )     \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )    \
+      | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )    \
+    )
+
+#define ROTL32( value, amount ) \
+    ( (uint32_t) ( (value) << (amount) ) | ( (value) >> ( 32 - (amount) ) ) )
+
+#define CHACHA20_CTR_INDEX ( 12U )
+
+#define CHACHA20_BLOCK_SIZE_BYTES ( 4U * 16U )
+
+/**
+ * \brief           ChaCha20 quarter round operation.
+ *
+ *                  The quarter round is defined as follows (from RFC 7539):
+ *                      1.  a += b; d ^= a; d <<<= 16;
+ *                      2.  c += d; b ^= c; b <<<= 12;
+ *                      3.  a += b; d ^= a; d <<<= 8;
+ *                      4.  c += d; b ^= c; b <<<= 7;
+ *
+ * \param state     ChaCha20 state to modify.
+ * \param a         The index of 'a' in the state.
+ * \param b         The index of 'b' in the state.
+ * \param c         The index of 'c' in the state.
+ * \param d         The index of 'd' in the state.
+ */
+static inline void chacha20_quarter_round( uint32_t state[16],
+                                           size_t a,
+                                           size_t b,
+                                           size_t c,
+                                           size_t d )
+{
+    /* a += b; d ^= a; d <<<= 16; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32( state[d], 16 );
+
+    /* c += d; b ^= c; b <<<= 12 */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32( state[b], 12 );
+
+    /* a += b; d ^= a; d <<<= 8; */
+    state[a] += state[b];
+    state[d] ^= state[a];
+    state[d] = ROTL32( state[d], 8 );
+
+    /* c += d; b ^= c; b <<<= 7; */
+    state[c] += state[d];
+    state[b] ^= state[c];
+    state[b] = ROTL32( state[b], 7 );
+}
+
+/**
+ * \brief           Perform the ChaCha20 inner block operation.
+ *
+ *                  This function performs two rounds: the column round and the
+ *                  diagonal round.
+ *
+ * \param state     The ChaCha20 state to update.
+ */
+static void chacha20_inner_block( uint32_t state[16] )
+{
+    chacha20_quarter_round( state, 0, 4, 8,  12 );
+    chacha20_quarter_round( state, 1, 5, 9,  13 );
+    chacha20_quarter_round( state, 2, 6, 10, 14 );
+    chacha20_quarter_round( state, 3, 7, 11, 15 );
+
+    chacha20_quarter_round( state, 0, 5, 10, 15 );
+    chacha20_quarter_round( state, 1, 6, 11, 12 );
+    chacha20_quarter_round( state, 2, 7, 8,  13 );
+    chacha20_quarter_round( state, 3, 4, 9,  14 );
+}
+
+/**
+ * \brief               Generates a keystream block.
+ *
+ * \param initial_state The initial ChaCha20 state (key, nonce, counter).
+ * \param keystream     Generated keystream bytes are written to this buffer.
+ */
+static void chacha20_block( const uint32_t initial_state[16],
+                            unsigned char keystream[64] )
+{
+    uint32_t working_state[16];
+    size_t i;
+
+    memcpy( working_state,
+            initial_state,
+            CHACHA20_BLOCK_SIZE_BYTES );
+
+    for( i = 0U; i < 10U; i++ )
+        chacha20_inner_block( working_state );
+
+    working_state[ 0] += initial_state[ 0];
+    working_state[ 1] += initial_state[ 1];
+    working_state[ 2] += initial_state[ 2];
+    working_state[ 3] += initial_state[ 3];
+    working_state[ 4] += initial_state[ 4];
+    working_state[ 5] += initial_state[ 5];
+    working_state[ 6] += initial_state[ 6];
+    working_state[ 7] += initial_state[ 7];
+    working_state[ 8] += initial_state[ 8];
+    working_state[ 9] += initial_state[ 9];
+    working_state[10] += initial_state[10];
+    working_state[11] += initial_state[11];
+    working_state[12] += initial_state[12];
+    working_state[13] += initial_state[13];
+    working_state[14] += initial_state[14];
+    working_state[15] += initial_state[15];
+
+    for( i = 0U; i < 16; i++ )
+    {
+        size_t offset = i * 4U;
+
+        keystream[offset     ] = (unsigned char)( working_state[i]       );
+        keystream[offset + 1U] = (unsigned char)( working_state[i] >>  8 );
+        keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
+        keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
+    }
+
+    mbedtls_platform_zeroize( working_state, sizeof( working_state ) );
+}
+
+void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx )
+{
+    CHACHA20_VALIDATE( ctx != NULL );
+
+    mbedtls_platform_zeroize( ctx->state, sizeof( ctx->state ) );
+    mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+}
+
+void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx )
+{
+    if( ctx != NULL )
+    {
+        mbedtls_platform_zeroize( ctx, sizeof( mbedtls_chacha20_context ) );
+    }
+}
+
+int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
+                            const unsigned char key[32] )
+{
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( key != NULL );
+
+    /* ChaCha20 constants - the string "expand 32-byte k" */
+    ctx->state[0] = 0x61707865;
+    ctx->state[1] = 0x3320646e;
+    ctx->state[2] = 0x79622d32;
+    ctx->state[3] = 0x6b206574;
+
+    /* Set key */
+    ctx->state[4]  = BYTES_TO_U32_LE( key, 0 );
+    ctx->state[5]  = BYTES_TO_U32_LE( key, 4 );
+    ctx->state[6]  = BYTES_TO_U32_LE( key, 8 );
+    ctx->state[7]  = BYTES_TO_U32_LE( key, 12 );
+    ctx->state[8]  = BYTES_TO_U32_LE( key, 16 );
+    ctx->state[9]  = BYTES_TO_U32_LE( key, 20 );
+    ctx->state[10] = BYTES_TO_U32_LE( key, 24 );
+    ctx->state[11] = BYTES_TO_U32_LE( key, 28 );
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
+                             const unsigned char nonce[12],
+                             uint32_t counter )
+{
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( nonce != NULL );
+
+    /* Counter */
+    ctx->state[12] = counter;
+
+    /* Nonce */
+    ctx->state[13] = BYTES_TO_U32_LE( nonce, 0 );
+    ctx->state[14] = BYTES_TO_U32_LE( nonce, 4 );
+    ctx->state[15] = BYTES_TO_U32_LE( nonce, 8 );
+
+    mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
+
+    /* Initially, there's no keystream bytes available */
+    ctx->keystream_bytes_used = CHACHA20_BLOCK_SIZE_BYTES;
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
+                              size_t size,
+                              const unsigned char *input,
+                              unsigned char *output )
+{
+    size_t offset = 0U;
+    size_t i;
+
+    CHACHA20_VALIDATE_RET( ctx != NULL );
+    CHACHA20_VALIDATE_RET( size == 0 || input  != NULL );
+    CHACHA20_VALIDATE_RET( size == 0 || output != NULL );
+
+    /* Use leftover keystream bytes, if available */
+    while( size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES )
+    {
+        output[offset] = input[offset]
+                       ^ ctx->keystream8[ctx->keystream_bytes_used];
+
+        ctx->keystream_bytes_used++;
+        offset++;
+        size--;
+    }
+
+    /* Process full blocks */
+    while( size >= CHACHA20_BLOCK_SIZE_BYTES )
+    {
+        /* Generate new keystream block and increment counter */
+        chacha20_block( ctx->state, ctx->keystream8 );
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for( i = 0U; i < 64U; i += 8U )
+        {
+            output[offset + i  ] = input[offset + i  ] ^ ctx->keystream8[i  ];
+            output[offset + i+1] = input[offset + i+1] ^ ctx->keystream8[i+1];
+            output[offset + i+2] = input[offset + i+2] ^ ctx->keystream8[i+2];
+            output[offset + i+3] = input[offset + i+3] ^ ctx->keystream8[i+3];
+            output[offset + i+4] = input[offset + i+4] ^ ctx->keystream8[i+4];
+            output[offset + i+5] = input[offset + i+5] ^ ctx->keystream8[i+5];
+            output[offset + i+6] = input[offset + i+6] ^ ctx->keystream8[i+6];
+            output[offset + i+7] = input[offset + i+7] ^ ctx->keystream8[i+7];
+        }
+
+        offset += CHACHA20_BLOCK_SIZE_BYTES;
+        size   -= CHACHA20_BLOCK_SIZE_BYTES;
+    }
+
+    /* Last (partial) block */
+    if( size > 0U )
+    {
+        /* Generate new keystream block and increment counter */
+        chacha20_block( ctx->state, ctx->keystream8 );
+        ctx->state[CHACHA20_CTR_INDEX]++;
+
+        for( i = 0U; i < size; i++)
+        {
+            output[offset + i] = input[offset + i] ^ ctx->keystream8[i];
+        }
+
+        ctx->keystream_bytes_used = size;
+
+    }
+
+    return( 0 );
+}
+
+int mbedtls_chacha20_crypt( const unsigned char key[32],
+                            const unsigned char nonce[12],
+                            uint32_t counter,
+                            size_t data_len,
+                            const unsigned char* input,
+                            unsigned char* output )
+{
+    mbedtls_chacha20_context ctx;
+    int ret;
+
+    CHACHA20_VALIDATE_RET( key != NULL );
+    CHACHA20_VALIDATE_RET( nonce != NULL );
+    CHACHA20_VALIDATE_RET( data_len == 0 || input  != NULL );
+    CHACHA20_VALIDATE_RET( data_len == 0 || output != NULL );
+
+    mbedtls_chacha20_init( &ctx );
+
+    ret = mbedtls_chacha20_setkey( &ctx, key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chacha20_starts( &ctx, nonce, counter );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chacha20_update( &ctx, data_len, input, output );
+
+cleanup:
+    mbedtls_chacha20_free( &ctx );
+    return( ret );
+}
+
+#endif /* !MBEDTLS_CHACHA20_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
+    }
+};
+
+static const unsigned char test_nonces[2][12] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x02
+    }
+};
+
+static const uint32_t test_counters[2] =
+{
+    0U,
+    1U
+};
+
+static const unsigned char test_input[2][375] =
+{
+    {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    },
+    {
+        0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
+        0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
+        0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
+        0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
+        0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
+        0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
+        0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
+        0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
+        0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
+        0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
+        0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+        0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
+        0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
+        0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+        0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
+        0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
+        0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
+        0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
+        0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
+        0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
+        0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
+        0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
+        0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
+        0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
+        0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
+        0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
+        0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
+        0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
+        0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
+        0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
+        0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
+        0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
+        0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
+        0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
+        0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
+        0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
+        0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
+        0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
+        0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
+        0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f
+    }
+};
+
+static const unsigned char test_output[2][375] =
+{
+    {
+        0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90,
+        0x40, 0x5d, 0x6a, 0xe5, 0x53, 0x86, 0xbd, 0x28,
+        0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d, 0xed, 0x1a,
+        0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7,
+        0xda, 0x41, 0x59, 0x7c, 0x51, 0x57, 0x48, 0x8d,
+        0x77, 0x24, 0xe0, 0x3f, 0xb8, 0xd8, 0x4a, 0x37,
+        0x6a, 0x43, 0xb8, 0xf4, 0x15, 0x18, 0xa1, 0x1c,
+        0xc3, 0x87, 0xb6, 0x69, 0xb2, 0xee, 0x65, 0x86
+    },
+    {
+        0xa3, 0xfb, 0xf0, 0x7d, 0xf3, 0xfa, 0x2f, 0xde,
+        0x4f, 0x37, 0x6c, 0xa2, 0x3e, 0x82, 0x73, 0x70,
+        0x41, 0x60, 0x5d, 0x9f, 0x4f, 0x4f, 0x57, 0xbd,
+        0x8c, 0xff, 0x2c, 0x1d, 0x4b, 0x79, 0x55, 0xec,
+        0x2a, 0x97, 0x94, 0x8b, 0xd3, 0x72, 0x29, 0x15,
+        0xc8, 0xf3, 0xd3, 0x37, 0xf7, 0xd3, 0x70, 0x05,
+        0x0e, 0x9e, 0x96, 0xd6, 0x47, 0xb7, 0xc3, 0x9f,
+        0x56, 0xe0, 0x31, 0xca, 0x5e, 0xb6, 0x25, 0x0d,
+        0x40, 0x42, 0xe0, 0x27, 0x85, 0xec, 0xec, 0xfa,
+        0x4b, 0x4b, 0xb5, 0xe8, 0xea, 0xd0, 0x44, 0x0e,
+        0x20, 0xb6, 0xe8, 0xdb, 0x09, 0xd8, 0x81, 0xa7,
+        0xc6, 0x13, 0x2f, 0x42, 0x0e, 0x52, 0x79, 0x50,
+        0x42, 0xbd, 0xfa, 0x77, 0x73, 0xd8, 0xa9, 0x05,
+        0x14, 0x47, 0xb3, 0x29, 0x1c, 0xe1, 0x41, 0x1c,
+        0x68, 0x04, 0x65, 0x55, 0x2a, 0xa6, 0xc4, 0x05,
+        0xb7, 0x76, 0x4d, 0x5e, 0x87, 0xbe, 0xa8, 0x5a,
+        0xd0, 0x0f, 0x84, 0x49, 0xed, 0x8f, 0x72, 0xd0,
+        0xd6, 0x62, 0xab, 0x05, 0x26, 0x91, 0xca, 0x66,
+        0x42, 0x4b, 0xc8, 0x6d, 0x2d, 0xf8, 0x0e, 0xa4,
+        0x1f, 0x43, 0xab, 0xf9, 0x37, 0xd3, 0x25, 0x9d,
+        0xc4, 0xb2, 0xd0, 0xdf, 0xb4, 0x8a, 0x6c, 0x91,
+        0x39, 0xdd, 0xd7, 0xf7, 0x69, 0x66, 0xe9, 0x28,
+        0xe6, 0x35, 0x55, 0x3b, 0xa7, 0x6c, 0x5c, 0x87,
+        0x9d, 0x7b, 0x35, 0xd4, 0x9e, 0xb2, 0xe6, 0x2b,
+        0x08, 0x71, 0xcd, 0xac, 0x63, 0x89, 0x39, 0xe2,
+        0x5e, 0x8a, 0x1e, 0x0e, 0xf9, 0xd5, 0x28, 0x0f,
+        0xa8, 0xca, 0x32, 0x8b, 0x35, 0x1c, 0x3c, 0x76,
+        0x59, 0x89, 0xcb, 0xcf, 0x3d, 0xaa, 0x8b, 0x6c,
+        0xcc, 0x3a, 0xaf, 0x9f, 0x39, 0x79, 0xc9, 0x2b,
+        0x37, 0x20, 0xfc, 0x88, 0xdc, 0x95, 0xed, 0x84,
+        0xa1, 0xbe, 0x05, 0x9c, 0x64, 0x99, 0xb9, 0xfd,
+        0xa2, 0x36, 0xe7, 0xe8, 0x18, 0xb0, 0x4b, 0x0b,
+        0xc3, 0x9c, 0x1e, 0x87, 0x6b, 0x19, 0x3b, 0xfe,
+        0x55, 0x69, 0x75, 0x3f, 0x88, 0x12, 0x8c, 0xc0,
+        0x8a, 0xaa, 0x9b, 0x63, 0xd1, 0xa1, 0x6f, 0x80,
+        0xef, 0x25, 0x54, 0xd7, 0x18, 0x9c, 0x41, 0x1f,
+        0x58, 0x69, 0xca, 0x52, 0xc5, 0xb8, 0x3f, 0xa3,
+        0x6f, 0xf2, 0x16, 0xb9, 0xc1, 0xd3, 0x00, 0x62,
+        0xbe, 0xbc, 0xfd, 0x2d, 0xc5, 0xbc, 0xe0, 0x91,
+        0x19, 0x34, 0xfd, 0xa7, 0x9a, 0x86, 0xf6, 0xe6,
+        0x98, 0xce, 0xd7, 0x59, 0xc3, 0xff, 0x9b, 0x64,
+        0x77, 0x33, 0x8f, 0x3d, 0xa4, 0xf9, 0xcd, 0x85,
+        0x14, 0xea, 0x99, 0x82, 0xcc, 0xaf, 0xb3, 0x41,
+        0xb2, 0x38, 0x4d, 0xd9, 0x02, 0xf3, 0xd1, 0xab,
+        0x7a, 0xc6, 0x1d, 0xd2, 0x9c, 0x6f, 0x21, 0xba,
+        0x5b, 0x86, 0x2f, 0x37, 0x30, 0xe3, 0x7c, 0xfd,
+        0xc4, 0xfd, 0x80, 0x6c, 0x22, 0xf2, 0x21
+    }
+};
+
+static const size_t test_lengths[2] =
+{
+    64U,
+    375U
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chacha20_self_test( int verbose )
+{
+    unsigned char output[381];
+    unsigned i;
+    int ret;
+
+    for( i = 0U; i < 2U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ChaCha20 test %u ", i );
+
+        ret = mbedtls_chacha20_crypt( test_keys[i],
+                                      test_nonces[i],
+                                      test_counters[i],
+                                      test_lengths[i],
+                                      test_input[i],
+                                      output );
+
+        ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( output, test_output[i], test_lengths[i] ),
+                ( "failed (output)\n" ) );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_CHACHA20_C */
diff --git a/makerom/deps/libmbedtls/src/chachapoly.c b/makerom/deps/libmbedtls/src/chachapoly.c
new file mode 100644
index 00000000..dc643dd6
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/chachapoly.c
@@ -0,0 +1,540 @@
+/**
+ * \file chachapoly.c
+ *
+ * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+#include "mbedtls/chachapoly.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_CHACHAPOLY_ALT)
+
+/* Parameter validation macros */
+#define CHACHAPOLY_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define CHACHAPOLY_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define CHACHAPOLY_STATE_INIT       ( 0 )
+#define CHACHAPOLY_STATE_AAD        ( 1 )
+#define CHACHAPOLY_STATE_CIPHERTEXT ( 2 ) /* Encrypting or decrypting */
+#define CHACHAPOLY_STATE_FINISHED   ( 3 )
+
+/**
+ * \brief           Adds nul bytes to pad the AAD for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_aad( mbedtls_chachapoly_context *ctx )
+{
+    uint32_t partial_block_len = (uint32_t) ( ctx->aad_len % 16U );
+    unsigned char zeroes[15];
+
+    if( partial_block_len == 0U )
+        return( 0 );
+
+    memset( zeroes, 0, sizeof( zeroes ) );
+
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+                                     zeroes,
+                                     16U - partial_block_len ) );
+}
+
+/**
+ * \brief           Adds nul bytes to pad the ciphertext for Poly1305.
+ *
+ * \param ctx       The ChaCha20-Poly1305 context.
+ */
+static int chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx )
+{
+    uint32_t partial_block_len = (uint32_t) ( ctx->ciphertext_len % 16U );
+    unsigned char zeroes[15];
+
+    if( partial_block_len == 0U )
+        return( 0 );
+
+    memset( zeroes, 0, sizeof( zeroes ) );
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx,
+                                     zeroes,
+                                     16U - partial_block_len ) );
+}
+
+void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
+{
+    CHACHAPOLY_VALIDATE( ctx != NULL );
+
+    mbedtls_chacha20_init( &ctx->chacha20_ctx );
+    mbedtls_poly1305_init( &ctx->poly1305_ctx );
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_chacha20_free( &ctx->chacha20_ctx );
+    mbedtls_poly1305_free( &ctx->poly1305_ctx );
+    ctx->aad_len        = 0U;
+    ctx->ciphertext_len = 0U;
+    ctx->state          = CHACHAPOLY_STATE_INIT;
+    ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
+}
+
+int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
+                               const unsigned char key[32] )
+{
+    int ret;
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( key != NULL );
+
+    ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
+
+    return( ret );
+}
+
+int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
+                               const unsigned char nonce[12],
+                               mbedtls_chachapoly_mode_t mode  )
+{
+    int ret;
+    unsigned char poly1305_key[64];
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+
+    /* Set counter = 0, will be update to 1 when generating Poly1305 key */
+    ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
+    if( ret != 0 )
+        goto cleanup;
+
+    /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
+     * counter = 0.  This is the same as encrypting a buffer of zeroes.
+     * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
+     * The other 256 bits are discarded.
+     */
+    memset( poly1305_key, 0, sizeof( poly1305_key ) );
+    ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ),
+                                      poly1305_key, poly1305_key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key );
+
+    if( ret == 0 )
+    {
+        ctx->aad_len        = 0U;
+        ctx->ciphertext_len = 0U;
+        ctx->state          = CHACHAPOLY_STATE_AAD;
+        ctx->mode           = mode;
+    }
+
+cleanup:
+    mbedtls_platform_zeroize( poly1305_key, 64U );
+    return( ret );
+}
+
+int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
+                                   const unsigned char *aad,
+                                   size_t aad_len )
+{
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad != NULL );
+
+    if( ctx->state != CHACHAPOLY_STATE_AAD )
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+
+    ctx->aad_len += aad_len;
+
+    return( mbedtls_poly1305_update( &ctx->poly1305_ctx, aad, aad_len ) );
+}
+
+int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
+                               size_t len,
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    int ret;
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( len == 0 || input != NULL );
+    CHACHAPOLY_VALIDATE_RET( len == 0 || output != NULL );
+
+    if( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
+        ( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) )
+    {
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    }
+
+    if( ctx->state == CHACHAPOLY_STATE_AAD )
+    {
+        ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
+
+        ret = chachapoly_pad_aad( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    ctx->ciphertext_len += len;
+
+    if( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT )
+    {
+        ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+        if( ret != 0 )
+            return( ret );
+
+        ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, output, len );
+        if( ret != 0 )
+            return( ret );
+    }
+    else /* DECRYPT */
+    {
+        ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, input, len );
+        if( ret != 0 )
+            return( ret );
+
+        ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
+                               unsigned char mac[16] )
+{
+    int ret;
+    unsigned char len_block[16];
+    CHACHAPOLY_VALIDATE_RET( ctx != NULL );
+    CHACHAPOLY_VALIDATE_RET( mac != NULL );
+
+    if( ctx->state == CHACHAPOLY_STATE_INIT )
+    {
+        return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
+    }
+
+    if( ctx->state == CHACHAPOLY_STATE_AAD )
+    {
+        ret = chachapoly_pad_aad( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+    else if( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT )
+    {
+        ret = chachapoly_pad_ciphertext( ctx );
+        if( ret != 0 )
+            return( ret );
+    }
+
+    ctx->state = CHACHAPOLY_STATE_FINISHED;
+
+    /* The lengths of the AAD and ciphertext are processed by
+     * Poly1305 as the final 128-bit block, encoded as little-endian integers.
+     */
+    len_block[ 0] = (unsigned char)( ctx->aad_len       );
+    len_block[ 1] = (unsigned char)( ctx->aad_len >>  8 );
+    len_block[ 2] = (unsigned char)( ctx->aad_len >> 16 );
+    len_block[ 3] = (unsigned char)( ctx->aad_len >> 24 );
+    len_block[ 4] = (unsigned char)( ctx->aad_len >> 32 );
+    len_block[ 5] = (unsigned char)( ctx->aad_len >> 40 );
+    len_block[ 6] = (unsigned char)( ctx->aad_len >> 48 );
+    len_block[ 7] = (unsigned char)( ctx->aad_len >> 56 );
+    len_block[ 8] = (unsigned char)( ctx->ciphertext_len       );
+    len_block[ 9] = (unsigned char)( ctx->ciphertext_len >>  8 );
+    len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
+    len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
+    len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
+    len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
+    len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
+    len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
+
+    ret = mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
+
+    return( ret );
+}
+
+static int chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                     mbedtls_chachapoly_mode_t mode,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char *input,
+                                     unsigned char *output,
+                                     unsigned char tag[16] )
+{
+    int ret;
+
+    ret = mbedtls_chachapoly_starts( ctx, nonce, mode );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update_aad( ctx, aad, aad_len );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_update( ctx, length, input, output );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_chachapoly_finish( ctx, tag );
+
+cleanup:
+    return( ret );
+}
+
+int mbedtls_chachapoly_encrypt_and_tag( mbedtls_chachapoly_context *ctx,
+                                        size_t length,
+                                        const unsigned char nonce[12],
+                                        const unsigned char *aad,
+                                        size_t aad_len,
+                                        const unsigned char *input,
+                                        unsigned char *output,
+                                        unsigned char tag[16] )
+{
+    CHACHAPOLY_VALIDATE_RET( ctx   != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+    CHACHAPOLY_VALIDATE_RET( tag   != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad    != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || input  != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || output != NULL );
+
+    return( chachapoly_crypt_and_tag( ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
+                                      length, nonce, aad, aad_len,
+                                      input, output, tag ) );
+}
+
+int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
+                                     size_t length,
+                                     const unsigned char nonce[12],
+                                     const unsigned char *aad,
+                                     size_t aad_len,
+                                     const unsigned char tag[16],
+                                     const unsigned char *input,
+                                     unsigned char *output )
+{
+    int ret;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+    CHACHAPOLY_VALIDATE_RET( ctx   != NULL );
+    CHACHAPOLY_VALIDATE_RET( nonce != NULL );
+    CHACHAPOLY_VALIDATE_RET( tag   != NULL );
+    CHACHAPOLY_VALIDATE_RET( aad_len == 0 || aad    != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || input  != NULL );
+    CHACHAPOLY_VALIDATE_RET( length  == 0 || output != NULL );
+
+    if( ( ret = chachapoly_crypt_and_tag( ctx,
+                        MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
+                        aad, aad_len, input, output, check_tag ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < sizeof( check_tag ); i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_platform_zeroize( output, length );
+        return( MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_key[1][32] =
+{
+    {
+        0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+        0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+        0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+        0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
+    }
+};
+
+static const unsigned char test_nonce[1][12] =
+{
+    {
+        0x07, 0x00, 0x00, 0x00,                         /* 32-bit common part */
+        0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47  /* 64-bit IV */
+    }
+};
+
+static const unsigned char test_aad[1][12] =
+{
+    {
+        0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
+        0xc4, 0xc5, 0xc6, 0xc7
+    }
+};
+
+static const size_t test_aad_len[1] =
+{
+    12U
+};
+
+static const unsigned char test_input[1][114] =
+{
+    {
+        0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
+        0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
+        0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
+        0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
+        0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
+        0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
+        0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
+        0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
+        0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
+        0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
+        0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
+        0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
+        0x74, 0x2e
+    }
+};
+
+static const unsigned char test_output[1][114] =
+{
+    {
+        0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
+        0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
+        0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
+        0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
+        0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
+        0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
+        0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
+        0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
+        0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
+        0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
+        0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
+        0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
+        0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
+        0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
+        0x61, 0x16
+    }
+};
+
+static const size_t test_input_len[1] =
+{
+    114U
+};
+
+static const unsigned char test_mac[1][16] =
+{
+    {
+        0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
+        0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
+    }
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_chachapoly_self_test( int verbose )
+{
+    mbedtls_chachapoly_context ctx;
+    unsigned i;
+    int ret;
+    unsigned char output[200];
+    unsigned char mac[16];
+
+    for( i = 0U; i < 1U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  ChaCha20-Poly1305 test %u ", i );
+
+        mbedtls_chachapoly_init( &ctx );
+
+        ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
+        ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
+
+        ret = mbedtls_chachapoly_encrypt_and_tag( &ctx,
+                                                  test_input_len[i],
+                                                  test_nonce[i],
+                                                  test_aad[i],
+                                                  test_aad_len[i],
+                                                  test_input[i],
+                                                  output,
+                                                  mac );
+
+        ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ),
+                ( "failure (wrong output)\n" ) );
+
+        ASSERT( 0 == memcmp( mac, test_mac[i], 16U ),
+                ( "failure (wrong MAC)\n" ) );
+
+        mbedtls_chachapoly_free( &ctx );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CHACHAPOLY_C */
diff --git a/makerom/deps/libmbedtls/src/cipher.c b/makerom/deps/libmbedtls/src/cipher.c
new file mode 100644
index 00000000..8d010b59
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/cipher.c
@@ -0,0 +1,1158 @@
+/**
+ * \file cipher.c
+ *
+ * \brief Generic cipher wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher.h"
+#include "mbedtls/cipher_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <stdlib.h>
+#include <string.h>
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#define CIPHER_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA )
+#define CIPHER_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+/* Compare the contents of two buffers in constant time.
+ * Returns 0 if the contents are bitwise identical, otherwise returns
+ * a non-zero value.
+ * This is currently only used by GCM and ChaCha20+Poly1305.
+ */
+static int mbedtls_constant_time_memcmp( const void *v1, const void *v2, size_t len )
+{
+    const unsigned char *p1 = (const unsigned char*) v1;
+    const unsigned char *p2 = (const unsigned char*) v2;
+    size_t i;
+    unsigned char diff;
+
+    for( diff = 0, i = 0; i < len; i++ )
+        diff |= p1[i] ^ p2[i];
+
+    return( (int)diff );
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+static int supported_init = 0;
+
+const int *mbedtls_cipher_list( void )
+{
+    const mbedtls_cipher_definition_t *def;
+    int *type;
+
+    if( ! supported_init )
+    {
+        def = mbedtls_cipher_definitions;
+        type = mbedtls_cipher_supported;
+
+        while( def->type != 0 )
+            *type++ = (*def++).type;
+
+        *type = 0;
+
+        supported_init = 1;
+    }
+
+    return( mbedtls_cipher_supported );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( def->type == cipher_type )
+            return( def->info );
+
+    return( NULL );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    if( NULL == cipher_name )
+        return( NULL );
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( !  strcmp( def->info->name, cipher_name ) )
+            return( def->info );
+
+    return( NULL );
+}
+
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id,
+                                              int key_bitlen,
+                                              const mbedtls_cipher_mode_t mode )
+{
+    const mbedtls_cipher_definition_t *def;
+
+    for( def = mbedtls_cipher_definitions; def->info != NULL; def++ )
+        if( def->info->base->cipher == cipher_id &&
+            def->info->key_bitlen == (unsigned) key_bitlen &&
+            def->info->mode == mode )
+            return( def->info );
+
+    return( NULL );
+}
+
+void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx )
+{
+    CIPHER_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
+}
+
+void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_CMAC_C)
+    if( ctx->cmac_ctx )
+    {
+       mbedtls_platform_zeroize( ctx->cmac_ctx,
+                                 sizeof( mbedtls_cmac_context_t ) );
+       mbedtls_free( ctx->cmac_ctx );
+    }
+#endif
+
+    if( ctx->cipher_ctx )
+        ctx->cipher_info->base->ctx_free_func( ctx->cipher_ctx );
+
+    mbedtls_platform_zeroize( ctx, sizeof(mbedtls_cipher_context_t) );
+}
+
+int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    memset( ctx, 0, sizeof( mbedtls_cipher_context_t ) );
+
+    if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
+        return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
+
+    ctx->cipher_info = cipher_info;
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+    /*
+     * Ignore possible errors caused by a cipher mode that doesn't use padding
+     */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_PKCS7 );
+#else
+    (void) mbedtls_cipher_set_padding_mode( ctx, MBEDTLS_PADDING_NONE );
+#endif
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+    return( 0 );
+}
+
+int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *key,
+                           int key_bitlen,
+                           const mbedtls_operation_t operation )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( key != NULL );
+    CIPHER_VALIDATE_RET( operation == MBEDTLS_ENCRYPT ||
+                         operation == MBEDTLS_DECRYPT );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN ) == 0 &&
+        (int) ctx->cipher_info->key_bitlen != key_bitlen )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    ctx->key_bitlen = key_bitlen;
+    ctx->operation = operation;
+
+    /*
+     * For OFB, CFB and CTR mode always use the encryption key schedule
+     */
+    if( MBEDTLS_ENCRYPT == operation ||
+        MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_CTR == ctx->cipher_info->mode )
+    {
+        return( ctx->cipher_info->base->setkey_enc_func( ctx->cipher_ctx, key,
+                                                         ctx->key_bitlen ) );
+    }
+
+    if( MBEDTLS_DECRYPT == operation )
+        return( ctx->cipher_info->base->setkey_dec_func( ctx->cipher_ctx, key,
+                                                         ctx->key_bitlen ) );
+
+    return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+}
+
+int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx,
+                           const unsigned char *iv,
+                           size_t iv_len )
+{
+    size_t actual_iv_size;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /* avoid buffer overflow in ctx->iv */
+    if( iv_len > MBEDTLS_MAX_IV_LENGTH )
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+    if( ( ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN ) != 0 )
+        actual_iv_size = iv_len;
+    else
+    {
+        actual_iv_size = ctx->cipher_info->iv_size;
+
+        /* avoid reading past the end of input buffer */
+        if( actual_iv_size > iv_len )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_CHACHA20_C)
+    if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20 )
+    {
+        if ( 0 != mbedtls_chacha20_starts( (mbedtls_chacha20_context*)ctx->cipher_ctx,
+                                           iv,
+                                           0U ) ) /* Initial counter value */
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+    }
+#endif
+
+    if ( actual_iv_size != 0 )
+    {
+        memcpy( ctx->iv, iv, actual_iv_size );
+        ctx->iv_size = actual_iv_size;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    ctx->unprocessed_len = 0;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *ad, size_t ad_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        return( mbedtls_gcm_starts( (mbedtls_gcm_context *) ctx->cipher_ctx, ctx->operation,
+                                    ctx->iv, ctx->iv_size, ad, ad_len ) );
+    }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        int result;
+        mbedtls_chachapoly_mode_t mode;
+
+        mode = ( ctx->operation == MBEDTLS_ENCRYPT )
+                ? MBEDTLS_CHACHAPOLY_ENCRYPT
+                : MBEDTLS_CHACHAPOLY_DECRYPT;
+
+        result = mbedtls_chachapoly_starts( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                                        ctx->iv,
+                                                        mode );
+        if ( result != 0 )
+            return( result );
+
+        return( mbedtls_chachapoly_update_aad( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                               ad, ad_len ) );
+    }
+#endif
+
+    return( 0 );
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input,
+                   size_t ilen, unsigned char *output, size_t *olen )
+{
+    int ret;
+    size_t block_size;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *olen = 0;
+    block_size = mbedtls_cipher_get_block_size( ctx );
+    if ( 0 == block_size )
+    {
+        return( MBEDTLS_ERR_CIPHER_INVALID_CONTEXT );
+    }
+
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_ECB )
+    {
+        if( ilen != block_size )
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+        *olen = ilen;
+
+        if( 0 != ( ret = ctx->cipher_info->base->ecb_func( ctx->cipher_ctx,
+                    ctx->operation, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_GCM_C)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_GCM )
+    {
+        *olen = ilen;
+        return( mbedtls_gcm_update( (mbedtls_gcm_context *) ctx->cipher_ctx, ilen, input,
+                                    output ) );
+    }
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 )
+    {
+        *olen = ilen;
+        return( mbedtls_chachapoly_update( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                           ilen, input, output ) );
+    }
+#endif
+
+    if( input == output &&
+       ( ctx->unprocessed_len != 0 || ilen % block_size ) )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CBC )
+    {
+        size_t copy_len = 0;
+
+        /*
+         * If there is not enough data for a full block, cache it.
+         */
+        if( ( ctx->operation == MBEDTLS_DECRYPT && NULL != ctx->add_padding &&
+                ilen <= block_size - ctx->unprocessed_len ) ||
+            ( ctx->operation == MBEDTLS_DECRYPT && NULL == ctx->add_padding &&
+                ilen < block_size - ctx->unprocessed_len ) ||
+             ( ctx->operation == MBEDTLS_ENCRYPT &&
+                ilen < block_size - ctx->unprocessed_len ) )
+        {
+            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
+                    ilen );
+
+            ctx->unprocessed_len += ilen;
+            return( 0 );
+        }
+
+        /*
+         * Process cached data first
+         */
+        if( 0 != ctx->unprocessed_len )
+        {
+            copy_len = block_size - ctx->unprocessed_len;
+
+            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
+                    copy_len );
+
+            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                    ctx->operation, block_size, ctx->iv,
+                    ctx->unprocessed_data, output ) ) )
+            {
+                return( ret );
+            }
+
+            *olen += block_size;
+            output += block_size;
+            ctx->unprocessed_len = 0;
+
+            input += copy_len;
+            ilen -= copy_len;
+        }
+
+        /*
+         * Cache final, incomplete block
+         */
+        if( 0 != ilen )
+        {
+            /* Encryption: only cache partial blocks
+             * Decryption w/ padding: always keep at least one whole block
+             * Decryption w/o padding: only cache partial blocks
+             */
+            copy_len = ilen % block_size;
+            if( copy_len == 0 &&
+                ctx->operation == MBEDTLS_DECRYPT &&
+                NULL != ctx->add_padding)
+            {
+                copy_len = block_size;
+            }
+
+            memcpy( ctx->unprocessed_data, &( input[ilen - copy_len] ),
+                    copy_len );
+
+            ctx->unprocessed_len += copy_len;
+            ilen -= copy_len;
+        }
+
+        /*
+         * Process remaining full blocks
+         */
+        if( ilen )
+        {
+            if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                    ctx->operation, ilen, ctx->iv, input, output ) ) )
+            {
+                return( ret );
+            }
+
+            *olen += ilen;
+        }
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CFB )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->cfb_func( ctx->cipher_ctx,
+                ctx->operation, ilen, &ctx->unprocessed_len, ctx->iv,
+                input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_OFB )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->ofb_func( ctx->cipher_ctx,
+                ilen, &ctx->unprocessed_len, ctx->iv, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_CTR )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->ctr_func( ctx->cipher_ctx,
+                ilen, &ctx->unprocessed_len, ctx->iv,
+                ctx->unprocessed_data, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_XTS )
+    {
+        if( ctx->unprocessed_len > 0 ) {
+            /* We can only process an entire data unit at a time. */
+            return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+        }
+
+        ret = ctx->cipher_info->base->xts_func( ctx->cipher_ctx,
+                ctx->operation, ilen, ctx->iv, input, output );
+        if( ret != 0 )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    if( ctx->cipher_info->mode == MBEDTLS_MODE_STREAM )
+    {
+        if( 0 != ( ret = ctx->cipher_info->base->stream_func( ctx->cipher_ctx,
+                                                    ilen, input, output ) ) )
+        {
+            return( ret );
+        }
+
+        *olen = ilen;
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_STREAM */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+/*
+ * PKCS7 (and PKCS5) padding: fill with ll bytes, with ll = padding_len
+ */
+static void add_pkcs_padding( unsigned char *output, size_t output_len,
+        size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i;
+
+    for( i = 0; i < padding_len; i++ )
+        output[data_len + i] = (unsigned char) padding_len;
+}
+
+static int get_pkcs_padding( unsigned char *input, size_t input_len,
+        size_t *data_len )
+{
+    size_t i, pad_idx;
+    unsigned char padding_len, bad = 0;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    padding_len = input[input_len - 1];
+    *data_len = input_len - padding_len;
+
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len,
+     * so pick input_len, which is usually 8 or 16 (one block) */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len; i++ )
+        bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+/*
+ * One and zeros padding: fill with 80 00 ... 00
+ */
+static void add_one_and_zeros_padding( unsigned char *output,
+                                       size_t output_len, size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i = 0;
+
+    output[data_len] = 0x80;
+    for( i = 1; i < padding_len; i++ )
+        output[data_len + i] = 0x00;
+}
+
+static int get_one_and_zeros_padding( unsigned char *input, size_t input_len,
+                                      size_t *data_len )
+{
+    size_t i;
+    unsigned char done = 0, prev_done, bad;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    bad = 0x80;
+    *data_len = 0;
+    for( i = input_len; i > 0; i-- )
+    {
+        prev_done = done;
+        done |= ( input[i - 1] != 0 );
+        *data_len |= ( i - 1 ) * ( done != prev_done );
+        bad ^= input[i - 1] * ( done != prev_done );
+    }
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+/*
+ * Zeros and len padding: fill with 00 ... 00 ll, where ll is padding length
+ */
+static void add_zeros_and_len_padding( unsigned char *output,
+                                       size_t output_len, size_t data_len )
+{
+    size_t padding_len = output_len - data_len;
+    unsigned char i = 0;
+
+    for( i = 1; i < padding_len; i++ )
+        output[data_len + i - 1] = 0x00;
+    output[output_len - 1] = (unsigned char) padding_len;
+}
+
+static int get_zeros_and_len_padding( unsigned char *input, size_t input_len,
+                                      size_t *data_len )
+{
+    size_t i, pad_idx;
+    unsigned char padding_len, bad = 0;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    padding_len = input[input_len - 1];
+    *data_len = input_len - padding_len;
+
+    /* Avoid logical || since it results in a branch */
+    bad |= padding_len > input_len;
+    bad |= padding_len == 0;
+
+    /* The number of bytes checked must be independent of padding_len */
+    pad_idx = input_len - padding_len;
+    for( i = 0; i < input_len - 1; i++ )
+        bad |= input[i] * ( i >= pad_idx );
+
+    return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+/*
+ * Zero padding: fill with 00 ... 00
+ */
+static void add_zeros_padding( unsigned char *output,
+                               size_t output_len, size_t data_len )
+{
+    size_t i;
+
+    for( i = data_len; i < output_len; i++ )
+        output[i] = 0x00;
+}
+
+static int get_zeros_padding( unsigned char *input, size_t input_len,
+                              size_t *data_len )
+{
+    size_t i;
+    unsigned char done = 0, prev_done;
+
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *data_len = 0;
+    for( i = input_len; i > 0; i-- )
+    {
+        prev_done = done;
+        done |= ( input[i-1] != 0 );
+        *data_len |= i * ( done != prev_done );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+
+/*
+ * No padding: don't pad :)
+ *
+ * There is no add_padding function (check for NULL in mbedtls_cipher_finish)
+ * but a trivial get_padding function
+ */
+static int get_no_padding( unsigned char *input, size_t input_len,
+                              size_t *data_len )
+{
+    if( NULL == input || NULL == data_len )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *data_len = input_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx,
+                   unsigned char *output, size_t *olen )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    *olen = 0;
+
+    if( MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
+        MBEDTLS_MODE_STREAM == ctx->cipher_info->mode )
+    {
+        return( 0 );
+    }
+
+    if ( ( MBEDTLS_CIPHER_CHACHA20          == ctx->cipher_info->type ) ||
+         ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type ) )
+    {
+        return( 0 );
+    }
+
+    if( MBEDTLS_MODE_ECB == ctx->cipher_info->mode )
+    {
+        if( ctx->unprocessed_len != 0 )
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( MBEDTLS_MODE_CBC == ctx->cipher_info->mode )
+    {
+        int ret = 0;
+
+        if( MBEDTLS_ENCRYPT == ctx->operation )
+        {
+            /* check for 'no padding' mode */
+            if( NULL == ctx->add_padding )
+            {
+                if( 0 != ctx->unprocessed_len )
+                    return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+
+                return( 0 );
+            }
+
+            ctx->add_padding( ctx->unprocessed_data, mbedtls_cipher_get_iv_size( ctx ),
+                    ctx->unprocessed_len );
+        }
+        else if( mbedtls_cipher_get_block_size( ctx ) != ctx->unprocessed_len )
+        {
+            /*
+             * For decrypt operations, expect a full block,
+             * or an empty block if no padding
+             */
+            if( NULL == ctx->add_padding && 0 == ctx->unprocessed_len )
+                return( 0 );
+
+            return( MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED );
+        }
+
+        /* cipher block */
+        if( 0 != ( ret = ctx->cipher_info->base->cbc_func( ctx->cipher_ctx,
+                ctx->operation, mbedtls_cipher_get_block_size( ctx ), ctx->iv,
+                ctx->unprocessed_data, output ) ) )
+        {
+            return( ret );
+        }
+
+        /* Set output size for decryption */
+        if( MBEDTLS_DECRYPT == ctx->operation )
+            return( ctx->get_padding( output, mbedtls_cipher_get_block_size( ctx ),
+                                      olen ) );
+
+        /* Set output size for encryption */
+        *olen = mbedtls_cipher_get_block_size( ctx );
+        return( 0 );
+    }
+#else
+    ((void) output);
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
+int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx,
+                                     mbedtls_cipher_padding_t mode )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+
+    if( NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    switch( mode )
+    {
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    case MBEDTLS_PADDING_PKCS7:
+        ctx->add_padding = add_pkcs_padding;
+        ctx->get_padding = get_pkcs_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    case MBEDTLS_PADDING_ONE_AND_ZEROS:
+        ctx->add_padding = add_one_and_zeros_padding;
+        ctx->get_padding = get_one_and_zeros_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    case MBEDTLS_PADDING_ZEROS_AND_LEN:
+        ctx->add_padding = add_zeros_and_len_padding;
+        ctx->get_padding = get_zeros_and_len_padding;
+        break;
+#endif
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    case MBEDTLS_PADDING_ZEROS:
+        ctx->add_padding = add_zeros_padding;
+        ctx->get_padding = get_zeros_padding;
+        break;
+#endif
+    case MBEDTLS_PADDING_NONE:
+        ctx->add_padding = NULL;
+        ctx->get_padding = get_no_padding;
+        break;
+
+    default:
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
+
+#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
+int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx,
+                      unsigned char *tag, size_t tag_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_ENCRYPT != ctx->operation )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+        return( mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
+                                    tag, tag_len ) );
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* Don't allow truncated MAC for Poly1305 */
+        if ( tag_len != 16U )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        return( mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                           tag ) );
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
+                      const unsigned char *tag, size_t tag_len )
+{
+    unsigned char check_tag[16];
+    int ret;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+    if( ctx->cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( MBEDTLS_DECRYPT != ctx->operation )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        if( tag_len > sizeof( check_tag ) )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        if( 0 != ( ret = mbedtls_gcm_finish( (mbedtls_gcm_context *) ctx->cipher_ctx,
+                                     check_tag, tag_len ) ) )
+        {
+            return( ret );
+        }
+
+        /* Check the tag in "constant-time" */
+        if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* Don't allow truncated MAC for Poly1305 */
+        if ( tag_len != sizeof( check_tag ) )
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+        ret = mbedtls_chachapoly_finish( (mbedtls_chachapoly_context*) ctx->cipher_ctx,
+                                                     check_tag );
+        if ( ret != 0 )
+        {
+            return( ret );
+        }
+
+        /* Check the tag in "constant-time" */
+        if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
+            return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
+
+        return( 0 );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
+
+/*
+ * Packet-oriented wrapper for non-AEAD modes
+ */
+int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
+                  const unsigned char *iv, size_t iv_len,
+                  const unsigned char *input, size_t ilen,
+                  unsigned char *output, size_t *olen )
+{
+    int ret;
+    size_t finish_olen;
+
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+
+    if( ( ret = mbedtls_cipher_set_iv( ctx, iv, iv_len ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_reset( ctx ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_update( ctx, input, ilen, output, olen ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_finish( ctx, output + *olen, &finish_olen ) ) != 0 )
+        return( ret );
+
+    *olen += finish_olen;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+/*
+ * Packet-oriented encryption for AEAD modes
+ */
+int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         unsigned char *tag, size_t tag_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        *olen = ilen;
+        return( mbedtls_gcm_crypt_and_tag( ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT, ilen,
+                                   iv, iv_len, ad, ad_len, input, output,
+                                   tag_len, tag ) );
+    }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+    if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
+    {
+        *olen = ilen;
+        return( mbedtls_ccm_encrypt_and_tag( ctx->cipher_ctx, ilen,
+                                     iv, iv_len, ad, ad_len, input, output,
+                                     tag, tag_len ) );
+    }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        /* ChachaPoly has fixed length nonce and MAC (tag) */
+        if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+             ( tag_len != 16U ) )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        *olen = ilen;
+        return( mbedtls_chachapoly_encrypt_and_tag( ctx->cipher_ctx,
+                                ilen, iv, ad, ad_len, input, output, tag ) );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+/*
+ * Packet-oriented decryption for AEAD modes
+ */
+int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+                         const unsigned char *iv, size_t iv_len,
+                         const unsigned char *ad, size_t ad_len,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output, size_t *olen,
+                         const unsigned char *tag, size_t tag_len )
+{
+    CIPHER_VALIDATE_RET( ctx != NULL );
+    CIPHER_VALIDATE_RET( iv != NULL );
+    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+    CIPHER_VALIDATE_RET( output != NULL );
+    CIPHER_VALIDATE_RET( olen != NULL );
+    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+#if defined(MBEDTLS_GCM_C)
+    if( MBEDTLS_MODE_GCM == ctx->cipher_info->mode )
+    {
+        int ret;
+
+        *olen = ilen;
+        ret = mbedtls_gcm_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, iv_len, ad, ad_len,
+                                tag, tag_len, input, output );
+
+        if( ret == MBEDTLS_ERR_GCM_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_CCM_C)
+    if( MBEDTLS_MODE_CCM == ctx->cipher_info->mode )
+    {
+        int ret;
+
+        *olen = ilen;
+        ret = mbedtls_ccm_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, iv_len, ad, ad_len,
+                                input, output, tag, tag_len );
+
+        if( ret == MBEDTLS_ERR_CCM_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if ( MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type )
+    {
+        int ret;
+
+        /* ChachaPoly has fixed length nonce and MAC (tag) */
+        if ( ( iv_len != ctx->cipher_info->iv_size ) ||
+             ( tag_len != 16U ) )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        *olen = ilen;
+        ret = mbedtls_chachapoly_auth_decrypt( ctx->cipher_ctx, ilen,
+                                iv, ad, ad_len, tag, input, output );
+
+        if( ret == MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED )
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+
+        return( ret );
+    }
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+    return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/makerom/deps/libmbedtls/src/cipher_wrap.c b/makerom/deps/libmbedtls/src/cipher_wrap.c
new file mode 100644
index 00000000..6dd8c5d3
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/cipher_wrap.c
@@ -0,0 +1,2272 @@
+/**
+ * \file cipher_wrap.c
+ *
+ * \brief Generic cipher wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+
+#include "mbedtls/cipher_internal.h"
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+#include "mbedtls/blowfish.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#include <string.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+/* shared by all GCM ciphers */
+static void *gcm_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_gcm_context ) );
+
+    if( ctx != NULL )
+        mbedtls_gcm_init( (mbedtls_gcm_context *) ctx );
+
+    return( ctx );
+}
+
+static void gcm_ctx_free( void *ctx )
+{
+    mbedtls_gcm_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+/* shared by all CCM ciphers */
+static void *ccm_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ccm_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ccm_init( (mbedtls_ccm_context *) ctx );
+
+    return( ctx );
+}
+
+static void ccm_ctx_free( void *ctx )
+{
+    mbedtls_ccm_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_AES_C)
+
+static int aes_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ecb( (mbedtls_aes_context *) ctx, operation, input, output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aes_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_cbc( (mbedtls_aes_context *) ctx, operation, length, iv, input,
+                          output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aes_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_cfb128( (mbedtls_aes_context *) ctx, operation, length, iv_off, iv,
+                             input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static int aes_crypt_ofb_wrap( void *ctx, size_t length, size_t *iv_off,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ofb( (mbedtls_aes_context *) ctx, length, iv_off,
+                                    iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aes_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aes_crypt_ctr( (mbedtls_aes_context *) ctx, length, nc_off, nonce_counter,
+                          stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int aes_crypt_xts_wrap( void *ctx, mbedtls_operation_t operation,
+                               size_t length,
+                               const unsigned char data_unit[16],
+                               const unsigned char *input,
+                               unsigned char *output )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    int mode;
+
+    switch( operation )
+    {
+        case MBEDTLS_ENCRYPT:
+            mode = MBEDTLS_AES_ENCRYPT;
+            break;
+        case MBEDTLS_DECRYPT:
+            mode = MBEDTLS_AES_DECRYPT;
+            break;
+        default:
+            return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+    }
+
+    return mbedtls_aes_crypt_xts( xts_ctx, mode, length,
+                                  data_unit, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+static int aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_aes_setkey_dec( (mbedtls_aes_context *) ctx, key, key_bitlen );
+}
+
+static int aes_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_aes_setkey_enc( (mbedtls_aes_context *) ctx, key, key_bitlen );
+}
+
+static void * aes_ctx_alloc( void )
+{
+    mbedtls_aes_context *aes = mbedtls_calloc( 1, sizeof( mbedtls_aes_context ) );
+
+    if( aes == NULL )
+        return( NULL );
+
+    mbedtls_aes_init( aes );
+
+    return( aes );
+}
+
+static void aes_ctx_free( void *ctx )
+{
+    mbedtls_aes_free( (mbedtls_aes_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    aes_crypt_ofb_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    aes_setkey_enc_wrap,
+    aes_setkey_dec_wrap,
+    aes_ctx_alloc,
+    aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_ecb_info = {
+    MBEDTLS_CIPHER_AES_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "AES-128-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ecb_info = {
+    MBEDTLS_CIPHER_AES_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "AES-192-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ecb_info = {
+    MBEDTLS_CIPHER_AES_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "AES-256-ECB",
+    0,
+    0,
+    16,
+    &aes_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aes_128_cbc_info = {
+    MBEDTLS_CIPHER_AES_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "AES-128-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_cbc_info = {
+    MBEDTLS_CIPHER_AES_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "AES-192-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_cbc_info = {
+    MBEDTLS_CIPHER_AES_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "AES-256-CBC",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aes_128_cfb128_info = {
+    MBEDTLS_CIPHER_AES_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "AES-128-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_cfb128_info = {
+    MBEDTLS_CIPHER_AES_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "AES-192-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_cfb128_info = {
+    MBEDTLS_CIPHER_AES_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "AES-256-CFB128",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+static const mbedtls_cipher_info_t aes_128_ofb_info = {
+    MBEDTLS_CIPHER_AES_128_OFB,
+    MBEDTLS_MODE_OFB,
+    128,
+    "AES-128-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ofb_info = {
+    MBEDTLS_CIPHER_AES_192_OFB,
+    MBEDTLS_MODE_OFB,
+    192,
+    "AES-192-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ofb_info = {
+    MBEDTLS_CIPHER_AES_256_OFB,
+    MBEDTLS_MODE_OFB,
+    256,
+    "AES-256-OFB",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aes_128_ctr_info = {
+    MBEDTLS_CIPHER_AES_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "AES-128-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ctr_info = {
+    MBEDTLS_CIPHER_AES_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "AES-192-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ctr_info = {
+    MBEDTLS_CIPHER_AES_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "AES-256-CTR",
+    16,
+    0,
+    16,
+    &aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+static int xts_aes_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                    unsigned int key_bitlen )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    return( mbedtls_aes_xts_setkey_enc( xts_ctx, key, key_bitlen ) );
+}
+
+static int xts_aes_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                    unsigned int key_bitlen )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+    return( mbedtls_aes_xts_setkey_dec( xts_ctx, key, key_bitlen ) );
+}
+
+static void *xts_aes_ctx_alloc( void )
+{
+    mbedtls_aes_xts_context *xts_ctx = mbedtls_calloc( 1, sizeof( *xts_ctx ) );
+
+    if( xts_ctx != NULL )
+        mbedtls_aes_xts_init( xts_ctx );
+
+    return( xts_ctx );
+}
+
+static void xts_aes_ctx_free( void *ctx )
+{
+    mbedtls_aes_xts_context *xts_ctx = ctx;
+
+    if( xts_ctx == NULL )
+        return;
+
+    mbedtls_aes_xts_free( xts_ctx );
+    mbedtls_free( xts_ctx );
+}
+
+static const mbedtls_cipher_base_t xts_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    aes_crypt_xts_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    xts_aes_setkey_enc_wrap,
+    xts_aes_setkey_dec_wrap,
+    xts_aes_ctx_alloc,
+    xts_aes_ctx_free
+};
+
+static const mbedtls_cipher_info_t aes_128_xts_info = {
+    MBEDTLS_CIPHER_AES_128_XTS,
+    MBEDTLS_MODE_XTS,
+    256,
+    "AES-128-XTS",
+    16,
+    0,
+    16,
+    &xts_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_xts_info = {
+    MBEDTLS_CIPHER_AES_256_XTS,
+    MBEDTLS_MODE_XTS,
+    512,
+    "AES-256-XTS",
+    16,
+    0,
+    16,
+    &xts_aes_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aes_setkey_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_aes_setkey_wrap,
+    gcm_aes_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_gcm_info = {
+    MBEDTLS_CIPHER_AES_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "AES-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_gcm_info = {
+    MBEDTLS_CIPHER_AES_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "AES-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_gcm_info = {
+    MBEDTLS_CIPHER_AES_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "AES-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aes_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aes_setkey_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_AES,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_aes_info = {
+    MBEDTLS_CIPHER_ID_AES,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_aes_setkey_wrap,
+    ccm_aes_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aes_128_ccm_info = {
+    MBEDTLS_CIPHER_AES_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "AES-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ccm_info = {
+    MBEDTLS_CIPHER_AES_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "AES-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ccm_info = {
+    MBEDTLS_CIPHER_AES_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "AES-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aes_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+
+static int camellia_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_ecb( (mbedtls_camellia_context *) ctx, operation, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int camellia_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_cbc( (mbedtls_camellia_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int camellia_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_cfb128( (mbedtls_camellia_context *) ctx, operation, length,
+                                  iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int camellia_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_camellia_crypt_ctr( (mbedtls_camellia_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int camellia_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_camellia_setkey_dec( (mbedtls_camellia_context *) ctx, key, key_bitlen );
+}
+
+static int camellia_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_camellia_setkey_enc( (mbedtls_camellia_context *) ctx, key, key_bitlen );
+}
+
+static void * camellia_ctx_alloc( void )
+{
+    mbedtls_camellia_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_camellia_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_camellia_init( ctx );
+
+    return( ctx );
+}
+
+static void camellia_ctx_free( void *ctx )
+{
+    mbedtls_camellia_free( (mbedtls_camellia_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    camellia_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    camellia_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    camellia_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    camellia_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    camellia_setkey_enc_wrap,
+    camellia_setkey_dec_wrap,
+    camellia_ctx_alloc,
+    camellia_ctx_free
+};
+
+static const mbedtls_cipher_info_t camellia_128_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "CAMELLIA-128-ECB",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "CAMELLIA-192-ECB",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ecb_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "CAMELLIA-256-ECB",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t camellia_128_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "CAMELLIA-128-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "CAMELLIA-192-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_cbc_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "CAMELLIA-256-CBC",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t camellia_128_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "CAMELLIA-128-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "CAMELLIA-192-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_cfb128_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "CAMELLIA-256-CFB128",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t camellia_128_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "CAMELLIA-128-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "CAMELLIA-192-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ctr_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "CAMELLIA-256-CTR",
+    16,
+    0,
+    16,
+    &camellia_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_camellia_setkey_wrap,
+    gcm_camellia_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "CAMELLIA-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "CAMELLIA-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_gcm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "CAMELLIA-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_camellia_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_CAMELLIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_camellia_info = {
+    MBEDTLS_CIPHER_ID_CAMELLIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_camellia_setkey_wrap,
+    ccm_camellia_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t camellia_128_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "CAMELLIA-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_192_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "CAMELLIA-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+
+static const mbedtls_cipher_info_t camellia_256_ccm_info = {
+    MBEDTLS_CIPHER_CAMELLIA_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "CAMELLIA-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_camellia_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+
+static int aria_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    (void) operation;
+    return mbedtls_aria_crypt_ecb( (mbedtls_aria_context *) ctx, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int aria_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_cbc( (mbedtls_aria_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int aria_crypt_cfb128_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_cfb128( (mbedtls_aria_context *) ctx, operation, length,
+                                  iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int aria_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_aria_crypt_ctr( (mbedtls_aria_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int aria_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_aria_setkey_dec( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static int aria_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_aria_setkey_enc( (mbedtls_aria_context *) ctx, key, key_bitlen );
+}
+
+static void * aria_ctx_alloc( void )
+{
+    mbedtls_aria_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_aria_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_aria_init( ctx );
+
+    return( ctx );
+}
+
+static void aria_ctx_free( void *ctx )
+{
+    mbedtls_aria_free( (mbedtls_aria_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    aria_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    aria_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    aria_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    aria_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    aria_setkey_enc_wrap,
+    aria_setkey_dec_wrap,
+    aria_ctx_alloc,
+    aria_ctx_free
+};
+
+static const mbedtls_cipher_info_t aria_128_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_128_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "ARIA-128-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_192_ECB,
+    MBEDTLS_MODE_ECB,
+    192,
+    "ARIA-192-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ecb_info = {
+    MBEDTLS_CIPHER_ARIA_256_ECB,
+    MBEDTLS_MODE_ECB,
+    256,
+    "ARIA-256-ECB",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t aria_128_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_128_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "ARIA-128-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_192_CBC,
+    MBEDTLS_MODE_CBC,
+    192,
+    "ARIA-192-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cbc_info = {
+    MBEDTLS_CIPHER_ARIA_256_CBC,
+    MBEDTLS_MODE_CBC,
+    256,
+    "ARIA-256-CBC",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t aria_128_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_128_CFB128,
+    MBEDTLS_MODE_CFB,
+    128,
+    "ARIA-128-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_192_CFB128,
+    MBEDTLS_MODE_CFB,
+    192,
+    "ARIA-192-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_cfb128_info = {
+    MBEDTLS_CIPHER_ARIA_256_CFB128,
+    MBEDTLS_MODE_CFB,
+    256,
+    "ARIA-256-CFB128",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t aria_128_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_128_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "ARIA-128-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_192_CTR,
+    MBEDTLS_MODE_CTR,
+    192,
+    "ARIA-192-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ctr_info = {
+    MBEDTLS_CIPHER_ARIA_256_CTR,
+    MBEDTLS_MODE_CTR,
+    256,
+    "ARIA-256-CTR",
+    16,
+    0,
+    16,
+    &aria_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+#if defined(MBEDTLS_GCM_C)
+static int gcm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_gcm_setkey( (mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t gcm_aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    gcm_aria_setkey_wrap,
+    gcm_aria_setkey_wrap,
+    gcm_ctx_alloc,
+    gcm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_128_GCM,
+    MBEDTLS_MODE_GCM,
+    128,
+    "ARIA-128-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_192_GCM,
+    MBEDTLS_MODE_GCM,
+    192,
+    "ARIA-192-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_gcm_info = {
+    MBEDTLS_CIPHER_ARIA_256_GCM,
+    MBEDTLS_MODE_GCM,
+    256,
+    "ARIA-256-GCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &gcm_aria_info
+};
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CCM_C)
+static int ccm_aria_setkey_wrap( void *ctx, const unsigned char *key,
+                                     unsigned int key_bitlen )
+{
+    return mbedtls_ccm_setkey( (mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_ARIA,
+                     key, key_bitlen );
+}
+
+static const mbedtls_cipher_base_t ccm_aria_info = {
+    MBEDTLS_CIPHER_ID_ARIA,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    ccm_aria_setkey_wrap,
+    ccm_aria_setkey_wrap,
+    ccm_ctx_alloc,
+    ccm_ctx_free,
+};
+
+static const mbedtls_cipher_info_t aria_128_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_128_CCM,
+    MBEDTLS_MODE_CCM,
+    128,
+    "ARIA-128-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_192_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_192_CCM,
+    MBEDTLS_MODE_CCM,
+    192,
+    "ARIA-192-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+
+static const mbedtls_cipher_info_t aria_256_ccm_info = {
+    MBEDTLS_CIPHER_ARIA_256_CCM,
+    MBEDTLS_MODE_CCM,
+    256,
+    "ARIA-256-CCM",
+    12,
+    MBEDTLS_CIPHER_VARIABLE_IV_LEN,
+    16,
+    &ccm_aria_info
+};
+#endif /* MBEDTLS_CCM_C */
+
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+
+static int des_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    ((void) operation);
+    return mbedtls_des_crypt_ecb( (mbedtls_des_context *) ctx, input, output );
+}
+
+static int des3_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    ((void) operation);
+    return mbedtls_des3_crypt_ecb( (mbedtls_des3_context *) ctx, input, output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_des_crypt_cbc( (mbedtls_des_context *) ctx, operation, length, iv, input,
+                          output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int des3_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation, size_t length,
+        unsigned char *iv, const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_des3_crypt_cbc( (mbedtls_des3_context *) ctx, operation, length, iv, input,
+                           output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static int des_setkey_dec_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des_setkey_dec( (mbedtls_des_context *) ctx, key );
+}
+
+static int des_setkey_enc_wrap( void *ctx, const unsigned char *key,
+                                unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des_setkey_enc( (mbedtls_des_context *) ctx, key );
+}
+
+static int des3_set2key_dec_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set2key_dec( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set2key_enc_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set2key_enc( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set3key_dec_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set3key_dec( (mbedtls_des3_context *) ctx, key );
+}
+
+static int des3_set3key_enc_wrap( void *ctx, const unsigned char *key,
+                                  unsigned int key_bitlen )
+{
+    ((void) key_bitlen);
+
+    return mbedtls_des3_set3key_enc( (mbedtls_des3_context *) ctx, key );
+}
+
+static void * des_ctx_alloc( void )
+{
+    mbedtls_des_context *des = mbedtls_calloc( 1, sizeof( mbedtls_des_context ) );
+
+    if( des == NULL )
+        return( NULL );
+
+    mbedtls_des_init( des );
+
+    return( des );
+}
+
+static void des_ctx_free( void *ctx )
+{
+    mbedtls_des_free( (mbedtls_des_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void * des3_ctx_alloc( void )
+{
+    mbedtls_des3_context *des3;
+    des3 = mbedtls_calloc( 1, sizeof( mbedtls_des3_context ) );
+
+    if( des3 == NULL )
+        return( NULL );
+
+    mbedtls_des3_init( des3 );
+
+    return( des3 );
+}
+
+static void des3_ctx_free( void *ctx )
+{
+    mbedtls_des3_free( (mbedtls_des3_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t des_info = {
+    MBEDTLS_CIPHER_ID_DES,
+    des_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des_setkey_enc_wrap,
+    des_setkey_dec_wrap,
+    des_ctx_alloc,
+    des_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ecb_info = {
+    MBEDTLS_CIPHER_DES_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES,
+    "DES-ECB",
+    8,
+    0,
+    8,
+    &des_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_cbc_info = {
+    MBEDTLS_CIPHER_DES_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES,
+    "DES-CBC",
+    8,
+    0,
+    8,
+    &des_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede_info = {
+    MBEDTLS_CIPHER_ID_DES,
+    des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des3_set2key_enc_wrap,
+    des3_set2key_dec_wrap,
+    des3_ctx_alloc,
+    des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede_ecb_info = {
+    MBEDTLS_CIPHER_DES_EDE_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES_EDE,
+    "DES-EDE-ECB",
+    8,
+    0,
+    8,
+    &des_ede_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede_cbc_info = {
+    MBEDTLS_CIPHER_DES_EDE_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES_EDE,
+    "DES-EDE-CBC",
+    8,
+    0,
+    8,
+    &des_ede_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+static const mbedtls_cipher_base_t des_ede3_info = {
+    MBEDTLS_CIPHER_ID_3DES,
+    des3_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    des3_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    des3_set3key_enc_wrap,
+    des3_set3key_dec_wrap,
+    des3_ctx_alloc,
+    des3_ctx_free
+};
+
+static const mbedtls_cipher_info_t des_ede3_ecb_info = {
+    MBEDTLS_CIPHER_DES_EDE3_ECB,
+    MBEDTLS_MODE_ECB,
+    MBEDTLS_KEY_LENGTH_DES_EDE3,
+    "DES-EDE3-ECB",
+    8,
+    0,
+    8,
+    &des_ede3_info
+};
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t des_ede3_cbc_info = {
+    MBEDTLS_CIPHER_DES_EDE3_CBC,
+    MBEDTLS_MODE_CBC,
+    MBEDTLS_KEY_LENGTH_DES_EDE3,
+    "DES-EDE3-CBC",
+    8,
+    0,
+    8,
+    &des_ede3_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+
+static int blowfish_crypt_ecb_wrap( void *ctx, mbedtls_operation_t operation,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_ecb( (mbedtls_blowfish_context *) ctx, operation, input,
+                               output );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static int blowfish_crypt_cbc_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, unsigned char *iv, const unsigned char *input,
+        unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_cbc( (mbedtls_blowfish_context *) ctx, operation, length, iv,
+                               input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static int blowfish_crypt_cfb64_wrap( void *ctx, mbedtls_operation_t operation,
+        size_t length, size_t *iv_off, unsigned char *iv,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_cfb64( (mbedtls_blowfish_context *) ctx, operation, length,
+                                 iv_off, iv, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static int blowfish_crypt_ctr_wrap( void *ctx, size_t length, size_t *nc_off,
+        unsigned char *nonce_counter, unsigned char *stream_block,
+        const unsigned char *input, unsigned char *output )
+{
+    return mbedtls_blowfish_crypt_ctr( (mbedtls_blowfish_context *) ctx, length, nc_off,
+                               nonce_counter, stream_block, input, output );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+
+static int blowfish_setkey_wrap( void *ctx, const unsigned char *key,
+                                 unsigned int key_bitlen )
+{
+    return mbedtls_blowfish_setkey( (mbedtls_blowfish_context *) ctx, key, key_bitlen );
+}
+
+static void * blowfish_ctx_alloc( void )
+{
+    mbedtls_blowfish_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_blowfish_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_blowfish_init( ctx );
+
+    return( ctx );
+}
+
+static void blowfish_ctx_free( void *ctx )
+{
+    mbedtls_blowfish_free( (mbedtls_blowfish_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t blowfish_info = {
+    MBEDTLS_CIPHER_ID_BLOWFISH,
+    blowfish_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    blowfish_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    blowfish_crypt_cfb64_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    blowfish_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    blowfish_setkey_wrap,
+    blowfish_setkey_wrap,
+    blowfish_ctx_alloc,
+    blowfish_ctx_free
+};
+
+static const mbedtls_cipher_info_t blowfish_ecb_info = {
+    MBEDTLS_CIPHER_BLOWFISH_ECB,
+    MBEDTLS_MODE_ECB,
+    128,
+    "BLOWFISH-ECB",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const mbedtls_cipher_info_t blowfish_cbc_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CBC,
+    MBEDTLS_MODE_CBC,
+    128,
+    "BLOWFISH-CBC",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+static const mbedtls_cipher_info_t blowfish_cfb64_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CFB64,
+    MBEDTLS_MODE_CFB,
+    128,
+    "BLOWFISH-CFB64",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+static const mbedtls_cipher_info_t blowfish_ctr_info = {
+    MBEDTLS_CIPHER_BLOWFISH_CTR,
+    MBEDTLS_MODE_CTR,
+    128,
+    "BLOWFISH-CTR",
+    8,
+    MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
+    8,
+    &blowfish_info
+};
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_ARC4_C)
+static int arc4_crypt_stream_wrap( void *ctx, size_t length,
+                                   const unsigned char *input,
+                                   unsigned char *output )
+{
+    return( mbedtls_arc4_crypt( (mbedtls_arc4_context *) ctx, length, input, output ) );
+}
+
+static int arc4_setkey_wrap( void *ctx, const unsigned char *key,
+                             unsigned int key_bitlen )
+{
+    /* we get key_bitlen in bits, arc4 expects it in bytes */
+    if( key_bitlen % 8 != 0 )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    mbedtls_arc4_setup( (mbedtls_arc4_context *) ctx, key, key_bitlen / 8 );
+    return( 0 );
+}
+
+static void * arc4_ctx_alloc( void )
+{
+    mbedtls_arc4_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_arc4_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_arc4_init( ctx );
+
+    return( ctx );
+}
+
+static void arc4_ctx_free( void *ctx )
+{
+    mbedtls_arc4_free( (mbedtls_arc4_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t arc4_base_info = {
+    MBEDTLS_CIPHER_ID_ARC4,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    arc4_crypt_stream_wrap,
+#endif
+    arc4_setkey_wrap,
+    arc4_setkey_wrap,
+    arc4_ctx_alloc,
+    arc4_ctx_free
+};
+
+static const mbedtls_cipher_info_t arc4_128_info = {
+    MBEDTLS_CIPHER_ARC4_128,
+    MBEDTLS_MODE_STREAM,
+    128,
+    "ARC4-128",
+    0,
+    0,
+    1,
+    &arc4_base_info
+};
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+
+static int chacha20_setkey_wrap( void *ctx, const unsigned char *key,
+                                 unsigned int key_bitlen )
+{
+    if( key_bitlen != 256U )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if ( 0 != mbedtls_chacha20_setkey( (mbedtls_chacha20_context*)ctx, key ) )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+static int chacha20_stream_wrap( void *ctx,  size_t length,
+                                 const unsigned char *input,
+                                 unsigned char *output )
+{
+    int ret;
+
+    ret = mbedtls_chacha20_update( ctx, length, input, output );
+    if( ret == MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( ret );
+}
+
+static void * chacha20_ctx_alloc( void )
+{
+    mbedtls_chacha20_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_chacha20_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_chacha20_init( ctx );
+
+    return( ctx );
+}
+
+static void chacha20_ctx_free( void *ctx )
+{
+    mbedtls_chacha20_free( (mbedtls_chacha20_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chacha20_base_info = {
+    MBEDTLS_CIPHER_ID_CHACHA20,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    chacha20_stream_wrap,
+#endif
+    chacha20_setkey_wrap,
+    chacha20_setkey_wrap,
+    chacha20_ctx_alloc,
+    chacha20_ctx_free
+};
+static const mbedtls_cipher_info_t chacha20_info = {
+    MBEDTLS_CIPHER_CHACHA20,
+    MBEDTLS_MODE_STREAM,
+    256,
+    "CHACHA20",
+    12,
+    0,
+    1,
+    &chacha20_base_info
+};
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+
+static int chachapoly_setkey_wrap( void *ctx,
+                                   const unsigned char *key,
+                                   unsigned int key_bitlen )
+{
+    if( key_bitlen != 256U )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if ( 0 != mbedtls_chachapoly_setkey( (mbedtls_chachapoly_context*)ctx, key ) )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+static void * chachapoly_ctx_alloc( void )
+{
+    mbedtls_chachapoly_context *ctx;
+    ctx = mbedtls_calloc( 1, sizeof( mbedtls_chachapoly_context ) );
+
+    if( ctx == NULL )
+        return( NULL );
+
+    mbedtls_chachapoly_init( ctx );
+
+    return( ctx );
+}
+
+static void chachapoly_ctx_free( void *ctx )
+{
+    mbedtls_chachapoly_free( (mbedtls_chachapoly_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static const mbedtls_cipher_base_t chachapoly_base_info = {
+    MBEDTLS_CIPHER_ID_CHACHA20,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    NULL,
+#endif
+    chachapoly_setkey_wrap,
+    chachapoly_setkey_wrap,
+    chachapoly_ctx_alloc,
+    chachapoly_ctx_free
+};
+static const mbedtls_cipher_info_t chachapoly_info = {
+    MBEDTLS_CIPHER_CHACHA20_POLY1305,
+    MBEDTLS_MODE_CHACHAPOLY,
+    256,
+    "CHACHA20-POLY1305",
+    12,
+    0,
+    1,
+    &chachapoly_base_info
+};
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+static int null_crypt_stream( void *ctx, size_t length,
+                              const unsigned char *input,
+                              unsigned char *output )
+{
+    ((void) ctx);
+    memmove( output, input, length );
+    return( 0 );
+}
+
+static int null_setkey( void *ctx, const unsigned char *key,
+                        unsigned int key_bitlen )
+{
+    ((void) ctx);
+    ((void) key);
+    ((void) key_bitlen);
+
+    return( 0 );
+}
+
+static void * null_ctx_alloc( void )
+{
+    return( (void *) 1 );
+}
+
+static void null_ctx_free( void *ctx )
+{
+    ((void) ctx);
+}
+
+static const mbedtls_cipher_base_t null_base_info = {
+    MBEDTLS_CIPHER_ID_NULL,
+    NULL,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+    null_crypt_stream,
+#endif
+    null_setkey,
+    null_setkey,
+    null_ctx_alloc,
+    null_ctx_free
+};
+
+static const mbedtls_cipher_info_t null_cipher_info = {
+    MBEDTLS_CIPHER_NULL,
+    MBEDTLS_MODE_STREAM,
+    0,
+    "NULL",
+    0,
+    0,
+    1,
+    &null_base_info
+};
+#endif /* defined(MBEDTLS_CIPHER_NULL_CIPHER) */
+
+const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
+{
+#if defined(MBEDTLS_AES_C)
+    { MBEDTLS_CIPHER_AES_128_ECB,          &aes_128_ecb_info },
+    { MBEDTLS_CIPHER_AES_192_ECB,          &aes_192_ecb_info },
+    { MBEDTLS_CIPHER_AES_256_ECB,          &aes_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_AES_128_CBC,          &aes_128_cbc_info },
+    { MBEDTLS_CIPHER_AES_192_CBC,          &aes_192_cbc_info },
+    { MBEDTLS_CIPHER_AES_256_CBC,          &aes_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_AES_128_CFB128,       &aes_128_cfb128_info },
+    { MBEDTLS_CIPHER_AES_192_CFB128,       &aes_192_cfb128_info },
+    { MBEDTLS_CIPHER_AES_256_CFB128,       &aes_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    { MBEDTLS_CIPHER_AES_128_OFB,          &aes_128_ofb_info },
+    { MBEDTLS_CIPHER_AES_192_OFB,          &aes_192_ofb_info },
+    { MBEDTLS_CIPHER_AES_256_OFB,          &aes_256_ofb_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_AES_128_CTR,          &aes_128_ctr_info },
+    { MBEDTLS_CIPHER_AES_192_CTR,          &aes_192_ctr_info },
+    { MBEDTLS_CIPHER_AES_256_CTR,          &aes_256_ctr_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    { MBEDTLS_CIPHER_AES_128_XTS,          &aes_128_xts_info },
+    { MBEDTLS_CIPHER_AES_256_XTS,          &aes_256_xts_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_AES_128_GCM,          &aes_128_gcm_info },
+    { MBEDTLS_CIPHER_AES_192_GCM,          &aes_192_gcm_info },
+    { MBEDTLS_CIPHER_AES_256_GCM,          &aes_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_AES_128_CCM,          &aes_128_ccm_info },
+    { MBEDTLS_CIPHER_AES_192_CCM,          &aes_192_ccm_info },
+    { MBEDTLS_CIPHER_AES_256_CCM,          &aes_256_ccm_info },
+#endif
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+    { MBEDTLS_CIPHER_ARC4_128,             &arc4_128_info },
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+    { MBEDTLS_CIPHER_BLOWFISH_ECB,         &blowfish_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_BLOWFISH_CBC,         &blowfish_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_BLOWFISH_CFB64,       &blowfish_cfb64_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_BLOWFISH_CTR,         &blowfish_ctr_info },
+#endif
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_ECB,     &camellia_128_ecb_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_ECB,     &camellia_192_ecb_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_ECB,     &camellia_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CBC,     &camellia_128_cbc_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CBC,     &camellia_192_cbc_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CBC,     &camellia_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CFB128,  &camellia_128_cfb128_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CFB128,  &camellia_192_cfb128_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CFB128,  &camellia_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CTR,     &camellia_128_ctr_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CTR,     &camellia_192_ctr_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CTR,     &camellia_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_GCM,     &camellia_128_gcm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_GCM,     &camellia_192_gcm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_GCM,     &camellia_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_CAMELLIA_128_CCM,     &camellia_128_ccm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_192_CCM,     &camellia_192_ccm_info },
+    { MBEDTLS_CIPHER_CAMELLIA_256_CCM,     &camellia_256_ccm_info },
+#endif
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_ARIA_C)
+    { MBEDTLS_CIPHER_ARIA_128_ECB,     &aria_128_ecb_info },
+    { MBEDTLS_CIPHER_ARIA_192_ECB,     &aria_192_ecb_info },
+    { MBEDTLS_CIPHER_ARIA_256_ECB,     &aria_256_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_ARIA_128_CBC,     &aria_128_cbc_info },
+    { MBEDTLS_CIPHER_ARIA_192_CBC,     &aria_192_cbc_info },
+    { MBEDTLS_CIPHER_ARIA_256_CBC,     &aria_256_cbc_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    { MBEDTLS_CIPHER_ARIA_128_CFB128,  &aria_128_cfb128_info },
+    { MBEDTLS_CIPHER_ARIA_192_CFB128,  &aria_192_cfb128_info },
+    { MBEDTLS_CIPHER_ARIA_256_CFB128,  &aria_256_cfb128_info },
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    { MBEDTLS_CIPHER_ARIA_128_CTR,     &aria_128_ctr_info },
+    { MBEDTLS_CIPHER_ARIA_192_CTR,     &aria_192_ctr_info },
+    { MBEDTLS_CIPHER_ARIA_256_CTR,     &aria_256_ctr_info },
+#endif
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_CIPHER_ARIA_128_GCM,     &aria_128_gcm_info },
+    { MBEDTLS_CIPHER_ARIA_192_GCM,     &aria_192_gcm_info },
+    { MBEDTLS_CIPHER_ARIA_256_GCM,     &aria_256_gcm_info },
+#endif
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_CIPHER_ARIA_128_CCM,     &aria_128_ccm_info },
+    { MBEDTLS_CIPHER_ARIA_192_CCM,     &aria_192_ccm_info },
+    { MBEDTLS_CIPHER_ARIA_256_CCM,     &aria_256_ccm_info },
+#endif
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_DES_C)
+    { MBEDTLS_CIPHER_DES_ECB,              &des_ecb_info },
+    { MBEDTLS_CIPHER_DES_EDE_ECB,          &des_ede_ecb_info },
+    { MBEDTLS_CIPHER_DES_EDE3_ECB,         &des_ede3_ecb_info },
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_CIPHER_DES_CBC,              &des_cbc_info },
+    { MBEDTLS_CIPHER_DES_EDE_CBC,          &des_ede_cbc_info },
+    { MBEDTLS_CIPHER_DES_EDE3_CBC,         &des_ede3_cbc_info },
+#endif
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+    { MBEDTLS_CIPHER_CHACHA20,             &chacha20_info },
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    { MBEDTLS_CIPHER_CHACHA20_POLY1305,    &chachapoly_info },
+#endif
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    { MBEDTLS_CIPHER_NULL,                 &null_cipher_info },
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+    { MBEDTLS_CIPHER_NONE, NULL }
+};
+
+#define NUM_CIPHERS sizeof mbedtls_cipher_definitions / sizeof mbedtls_cipher_definitions[0]
+int mbedtls_cipher_supported[NUM_CIPHERS];
+
+#endif /* MBEDTLS_CIPHER_C */
diff --git a/makerom/deps/libmbedtls/src/cmac.c b/makerom/deps/libmbedtls/src/cmac.c
new file mode 100644
index 00000000..5d101e1c
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/cmac.c
@@ -0,0 +1,1078 @@
+/**
+ * \file cmac.c
+ *
+ * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
+ *      CMAC Mode for Authentication
+ *   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
+ *
+ * - RFC 4493 - The AES-CMAC Algorithm
+ *   https://tools.ietf.org/html/rfc4493
+ *
+ * - RFC 4615 - The Advanced Encryption Standard-Cipher-based Message
+ *      Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128)
+ *      Algorithm for the Internet Key Exchange Protocol (IKE)
+ *   https://tools.ietf.org/html/rfc4615
+ *
+ *   Additional test vectors: ISO/IEC 9797-1
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+
+#include "mbedtls/cmac.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc     calloc
+#define mbedtls_free       free
+#if defined(MBEDTLS_SELF_TEST)
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_SELF_TEST */
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Multiplication by u in the Galois field of GF(2^n)
+ *
+ * As explained in NIST SP 800-38B, this can be computed:
+ *
+ *   If MSB(p) = 0, then p = (p << 1)
+ *   If MSB(p) = 1, then p = (p << 1) ^ R_n
+ *   with R_64 = 0x1B and  R_128 = 0x87
+ *
+ * Input and output MUST NOT point to the same buffer
+ * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
+ */
+static int cmac_multiply_by_u( unsigned char *output,
+                               const unsigned char *input,
+                               size_t blocksize )
+{
+    const unsigned char R_128 = 0x87;
+    const unsigned char R_64 = 0x1B;
+    unsigned char R_n, mask;
+    unsigned char overflow = 0x00;
+    int i;
+
+    if( blocksize == MBEDTLS_AES_BLOCK_SIZE )
+    {
+        R_n = R_128;
+    }
+    else if( blocksize == MBEDTLS_DES3_BLOCK_SIZE )
+    {
+        R_n = R_64;
+    }
+    else
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    for( i = (int)blocksize - 1; i >= 0; i-- )
+    {
+        output[i] = input[i] << 1 | overflow;
+        overflow = input[i] >> 7;
+    }
+
+    /* mask = ( input[0] >> 7 ) ? 0xff : 0x00
+     * using bit operations to avoid branches */
+
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( input[0] >> 7 );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    output[ blocksize - 1 ] ^= R_n & mask;
+
+    return( 0 );
+}
+
+/*
+ * Generate subkeys
+ *
+ * - as specified by RFC 4493, section 2.3 Subkey Generation Algorithm
+ */
+static int cmac_generate_subkeys( mbedtls_cipher_context_t *ctx,
+                                  unsigned char* K1, unsigned char* K2 )
+{
+    int ret;
+    unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    size_t olen, block_size;
+
+    mbedtls_platform_zeroize( L, sizeof( L ) );
+
+    block_size = ctx->cipher_info->block_size;
+
+    /* Calculate Ek(0) */
+    if( ( ret = mbedtls_cipher_update( ctx, L, block_size, L, &olen ) ) != 0 )
+        goto exit;
+
+    /*
+     * Generate K1 and K2
+     */
+    if( ( ret = cmac_multiply_by_u( K1, L , block_size ) ) != 0 )
+        goto exit;
+
+    if( ( ret = cmac_multiply_by_u( K2, K1 , block_size ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_platform_zeroize( L, sizeof( L ) );
+
+    return( ret );
+}
+#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */
+
+#if !defined(MBEDTLS_CMAC_ALT)
+static void cmac_xor_block( unsigned char *output, const unsigned char *input1,
+                            const unsigned char *input2,
+                            const size_t block_size )
+{
+    size_t idx;
+
+    for( idx = 0; idx < block_size; idx++ )
+        output[ idx ] = input1[ idx ] ^ input2[ idx ];
+}
+
+/*
+ * Create padded last block from (partial) last block.
+ *
+ * We can't use the padding option from the cipher layer, as it only works for
+ * CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
+ */
+static void cmac_pad( unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
+                      size_t padded_block_len,
+                      const unsigned char *last_block,
+                      size_t last_block_len )
+{
+    size_t j;
+
+    for( j = 0; j < padded_block_len; j++ )
+    {
+        if( j < last_block_len )
+            padded_block[j] = last_block[j];
+        else if( j == last_block_len )
+            padded_block[j] = 0x80;
+        else
+            padded_block[j] = 0x00;
+    }
+}
+
+int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *key, size_t keybits )
+{
+    mbedtls_cipher_type_t type;
+    mbedtls_cmac_context_t *cmac_ctx;
+    int retval;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
+                                          MBEDTLS_ENCRYPT ) ) != 0 )
+        return( retval );
+
+    type = ctx->cipher_info->type;
+
+    switch( type )
+    {
+        case MBEDTLS_CIPHER_AES_128_ECB:
+        case MBEDTLS_CIPHER_AES_192_ECB:
+        case MBEDTLS_CIPHER_AES_256_ECB:
+        case MBEDTLS_CIPHER_DES_EDE3_ECB:
+            break;
+        default:
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    /* Allocated and initialise in the cipher context memory for the CMAC
+     * context */
+    cmac_ctx = mbedtls_calloc( 1, sizeof( mbedtls_cmac_context_t ) );
+    if( cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_ALLOC_FAILED );
+
+    ctx->cmac_ctx = cmac_ctx;
+
+    mbedtls_platform_zeroize( cmac_ctx->state, sizeof( cmac_ctx->state ) );
+
+    return 0;
+}
+
+int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *input, size_t ilen )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+    unsigned char *state;
+    int ret = 0;
+    size_t n, j, olen, block_size;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
+        ctx->cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+    block_size = ctx->cipher_info->block_size;
+    state = ctx->cmac_ctx->state;
+
+    /* Is there data still to process from the last call, that's greater in
+     * size than a block? */
+    if( cmac_ctx->unprocessed_len > 0 &&
+        ilen > block_size - cmac_ctx->unprocessed_len )
+    {
+        memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+                input,
+                block_size - cmac_ctx->unprocessed_len );
+
+        cmac_xor_block( state, cmac_ctx->unprocessed_block, state, block_size );
+
+        if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                           &olen ) ) != 0 )
+        {
+           goto exit;
+        }
+
+        input += block_size - cmac_ctx->unprocessed_len;
+        ilen -= block_size - cmac_ctx->unprocessed_len;
+        cmac_ctx->unprocessed_len = 0;
+    }
+
+    /* n is the number of blocks including any final partial block */
+    n = ( ilen + block_size - 1 ) / block_size;
+
+    /* Iterate across the input data in block sized chunks, excluding any
+     * final partial or complete block */
+    for( j = 1; j < n; j++ )
+    {
+        cmac_xor_block( state, input, state, block_size );
+
+        if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                           &olen ) ) != 0 )
+           goto exit;
+
+        ilen -= block_size;
+        input += block_size;
+    }
+
+    /* If there is data left over that wasn't aligned to a block */
+    if( ilen > 0 )
+    {
+        memcpy( &cmac_ctx->unprocessed_block[cmac_ctx->unprocessed_len],
+                input,
+                ilen );
+        cmac_ctx->unprocessed_len += ilen;
+    }
+
+exit:
+    return( ret );
+}
+
+int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
+                                unsigned char *output )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+    unsigned char *state, *last_block;
+    unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    int ret;
+    size_t olen, block_size;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL ||
+        output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+    block_size = ctx->cipher_info->block_size;
+    state = cmac_ctx->state;
+
+    mbedtls_platform_zeroize( K1, sizeof( K1 ) );
+    mbedtls_platform_zeroize( K2, sizeof( K2 ) );
+    cmac_generate_subkeys( ctx, K1, K2 );
+
+    last_block = cmac_ctx->unprocessed_block;
+
+    /* Calculate last block */
+    if( cmac_ctx->unprocessed_len < block_size )
+    {
+        cmac_pad( M_last, block_size, last_block, cmac_ctx->unprocessed_len );
+        cmac_xor_block( M_last, M_last, K2, block_size );
+    }
+    else
+    {
+        /* Last block is complete block */
+        cmac_xor_block( M_last, last_block, K1, block_size );
+    }
+
+
+    cmac_xor_block( state, M_last, state, block_size );
+    if( ( ret = mbedtls_cipher_update( ctx, state, block_size, state,
+                                       &olen ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    memcpy( output, state, block_size );
+
+exit:
+    /* Wipe the generated keys on the stack, and any other transients to avoid
+     * side channel leakage */
+    mbedtls_platform_zeroize( K1, sizeof( K1 ) );
+    mbedtls_platform_zeroize( K2, sizeof( K2 ) );
+
+    cmac_ctx->unprocessed_len = 0;
+    mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
+                              sizeof( cmac_ctx->unprocessed_block ) );
+
+    mbedtls_platform_zeroize( state, MBEDTLS_CIPHER_BLKSIZE_MAX );
+    return( ret );
+}
+
+int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx )
+{
+    mbedtls_cmac_context_t* cmac_ctx;
+
+    if( ctx == NULL || ctx->cipher_info == NULL || ctx->cmac_ctx == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cmac_ctx = ctx->cmac_ctx;
+
+    /* Reset the internal state */
+    cmac_ctx->unprocessed_len = 0;
+    mbedtls_platform_zeroize( cmac_ctx->unprocessed_block,
+                              sizeof( cmac_ctx->unprocessed_block ) );
+    mbedtls_platform_zeroize( cmac_ctx->state,
+                              sizeof( cmac_ctx->state ) );
+
+    return( 0 );
+}
+
+int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output )
+{
+    mbedtls_cipher_context_t ctx;
+    int ret;
+
+    if( cipher_info == NULL || key == NULL || input == NULL || output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    mbedtls_cipher_init( &ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_starts( &ctx, key, keylen );
+    if( ret != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_update( &ctx, input, ilen );
+    if( ret != 0 )
+        goto exit;
+
+    ret = mbedtls_cipher_cmac_finish( &ctx, output );
+
+exit:
+    mbedtls_cipher_free( &ctx );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Implementation of AES-CMAC-PRF-128 defined in RFC 4615
+ */
+int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
+                              const unsigned char *input, size_t in_len,
+                              unsigned char *output )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+    unsigned char zero_key[MBEDTLS_AES_BLOCK_SIZE];
+    unsigned char int_key[MBEDTLS_AES_BLOCK_SIZE];
+
+    if( key == NULL || input == NULL || output == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    cipher_info = mbedtls_cipher_info_from_type( MBEDTLS_CIPHER_AES_128_ECB );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto exit;
+    }
+
+    if( key_length == MBEDTLS_AES_BLOCK_SIZE )
+    {
+        /* Use key as is */
+        memcpy( int_key, key, MBEDTLS_AES_BLOCK_SIZE );
+    }
+    else
+    {
+        memset( zero_key, 0, MBEDTLS_AES_BLOCK_SIZE );
+
+        ret = mbedtls_cipher_cmac( cipher_info, zero_key, 128, key,
+                                   key_length, int_key );
+        if( ret != 0 )
+            goto exit;
+    }
+
+    ret = mbedtls_cipher_cmac( cipher_info, int_key, 128, input, in_len,
+                               output );
+
+exit:
+    mbedtls_platform_zeroize( int_key, sizeof( int_key ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* !MBEDTLS_CMAC_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * CMAC test data for SP800-38B
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
+ *
+ * AES-CMAC-PRF-128 test data from RFC 4615
+ * https://tools.ietf.org/html/rfc4615#page-4
+ */
+
+#define NB_CMAC_TESTS_PER_KEY 4
+#define NB_PRF_TESTS 3
+
+#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
+/* All CMAC test inputs are truncated from the same 64 byte buffer. */
+static const unsigned char test_message[] = {
+    /* PT */
+    0x6b, 0xc1, 0xbe, 0xe2,     0x2e, 0x40, 0x9f, 0x96,
+    0xe9, 0x3d, 0x7e, 0x11,     0x73, 0x93, 0x17, 0x2a,
+    0xae, 0x2d, 0x8a, 0x57,     0x1e, 0x03, 0xac, 0x9c,
+    0x9e, 0xb7, 0x6f, 0xac,     0x45, 0xaf, 0x8e, 0x51,
+    0x30, 0xc8, 0x1c, 0x46,     0xa3, 0x5c, 0xe4, 0x11,
+    0xe5, 0xfb, 0xc1, 0x19,     0x1a, 0x0a, 0x52, 0xef,
+    0xf6, 0x9f, 0x24, 0x45,     0xdf, 0x4f, 0x9b, 0x17,
+    0xad, 0x2b, 0x41, 0x7b,     0xe6, 0x6c, 0x37, 0x10
+};
+#endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* Truncation point of message for AES CMAC tests  */
+static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+    /* Mlen */
+    0,
+    16,
+    20,
+    64
+};
+
+/* CMAC-AES128 Test Data */
+static const unsigned char aes_128_key[16] = {
+    0x2b, 0x7e, 0x15, 0x16,     0x28, 0xae, 0xd2, 0xa6,
+    0xab, 0xf7, 0x15, 0x88,     0x09, 0xcf, 0x4f, 0x3c
+};
+static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0xfb, 0xee, 0xd6, 0x18,     0x35, 0x71, 0x33, 0x66,
+        0x7c, 0x85, 0xe0, 0x8f,     0x72, 0x36, 0xa8, 0xde
+    },
+    {
+        /* K2 */
+        0xf7, 0xdd, 0xac, 0x30,     0x6a, 0xe2, 0x66, 0xcc,
+        0xf9, 0x0b, 0xc1, 0x1e,     0xe4, 0x6d, 0x51, 0x3b
+    }
+};
+static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0xbb, 0x1d, 0x69, 0x29,     0xe9, 0x59, 0x37, 0x28,
+        0x7f, 0xa3, 0x7d, 0x12,     0x9b, 0x75, 0x67, 0x46
+    },
+    {
+        /* Example #2 */
+        0x07, 0x0a, 0x16, 0xb4,     0x6b, 0x4d, 0x41, 0x44,
+        0xf7, 0x9b, 0xdd, 0x9d,     0xd0, 0x4a, 0x28, 0x7c
+    },
+    {
+        /* Example #3 */
+        0x7d, 0x85, 0x44, 0x9e,     0xa6, 0xea, 0x19, 0xc8,
+        0x23, 0xa7, 0xbf, 0x78,     0x83, 0x7d, 0xfa, 0xde
+    },
+    {
+        /* Example #4 */
+        0x51, 0xf0, 0xbe, 0xbf,     0x7e, 0x3b, 0x9d, 0x92,
+        0xfc, 0x49, 0x74, 0x17,     0x79, 0x36, 0x3c, 0xfe
+    }
+};
+
+/* CMAC-AES192 Test Data */
+static const unsigned char aes_192_key[24] = {
+    0x8e, 0x73, 0xb0, 0xf7,     0xda, 0x0e, 0x64, 0x52,
+    0xc8, 0x10, 0xf3, 0x2b,     0x80, 0x90, 0x79, 0xe5,
+    0x62, 0xf8, 0xea, 0xd2,     0x52, 0x2c, 0x6b, 0x7b
+};
+static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0x44, 0x8a, 0x5b, 0x1c,     0x93, 0x51, 0x4b, 0x27,
+        0x3e, 0xe6, 0x43, 0x9d,     0xd4, 0xda, 0xa2, 0x96
+    },
+    {
+        /* K2 */
+        0x89, 0x14, 0xb6, 0x39,     0x26, 0xa2, 0x96, 0x4e,
+        0x7d, 0xcc, 0x87, 0x3b,     0xa9, 0xb5, 0x45, 0x2c
+    }
+};
+static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0xd1, 0x7d, 0xdf, 0x46,     0xad, 0xaa, 0xcd, 0xe5,
+        0x31, 0xca, 0xc4, 0x83,     0xde, 0x7a, 0x93, 0x67
+    },
+    {
+        /* Example #2 */
+        0x9e, 0x99, 0xa7, 0xbf,     0x31, 0xe7, 0x10, 0x90,
+        0x06, 0x62, 0xf6, 0x5e,     0x61, 0x7c, 0x51, 0x84
+    },
+    {
+        /* Example #3 */
+        0x3d, 0x75, 0xc1, 0x94,     0xed, 0x96, 0x07, 0x04,
+        0x44, 0xa9, 0xfa, 0x7e,     0xc7, 0x40, 0xec, 0xf8
+    },
+    {
+        /* Example #4 */
+        0xa1, 0xd5, 0xdf, 0x0e,     0xed, 0x79, 0x0f, 0x79,
+        0x4d, 0x77, 0x58, 0x96,     0x59, 0xf3, 0x9a, 0x11
+    }
+};
+
+/* CMAC-AES256 Test Data */
+static const unsigned char aes_256_key[32] = {
+    0x60, 0x3d, 0xeb, 0x10,     0x15, 0xca, 0x71, 0xbe,
+    0x2b, 0x73, 0xae, 0xf0,     0x85, 0x7d, 0x77, 0x81,
+    0x1f, 0x35, 0x2c, 0x07,     0x3b, 0x61, 0x08, 0xd7,
+    0x2d, 0x98, 0x10, 0xa3,     0x09, 0x14, 0xdf, 0xf4
+};
+static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* K1 */
+        0xca, 0xd1, 0xed, 0x03,     0x29, 0x9e, 0xed, 0xac,
+        0x2e, 0x9a, 0x99, 0x80,     0x86, 0x21, 0x50, 0x2f
+    },
+    {
+        /* K2 */
+        0x95, 0xa3, 0xda, 0x06,     0x53, 0x3d, 0xdb, 0x58,
+        0x5d, 0x35, 0x33, 0x01,     0x0c, 0x42, 0xa0, 0xd9
+    }
+};
+static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
+    {
+        /* Example #1 */
+        0x02, 0x89, 0x62, 0xf6,     0x1b, 0x7b, 0xf8, 0x9e,
+        0xfc, 0x6b, 0x55, 0x1f,     0x46, 0x67, 0xd9, 0x83
+    },
+    {
+        /* Example #2 */
+        0x28, 0xa7, 0x02, 0x3f,     0x45, 0x2e, 0x8f, 0x82,
+        0xbd, 0x4b, 0xf2, 0x8d,     0x8c, 0x37, 0xc3, 0x5c
+    },
+    {
+        /* Example #3 */
+        0x15, 0x67, 0x27, 0xdc,     0x08, 0x78, 0x94, 0x4a,
+        0x02, 0x3c, 0x1f, 0xe0,     0x3b, 0xad, 0x6d, 0x93
+    },
+    {
+        /* Example #4 */
+        0xe1, 0x99, 0x21, 0x90,     0x54, 0x9f, 0x6e, 0xd5,
+        0x69, 0x6a, 0x2c, 0x05,     0x6c, 0x31, 0x54, 0x10
+    }
+};
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+/* Truncation point of message for 3DES CMAC tests  */
+static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+    0,
+    16,
+    20,
+    32
+};
+
+/* CMAC-TDES (Generation) - 2 Key Test Data */
+static const unsigned char des3_2key_key[24] = {
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xEF, 0x01,
+    /* Key3 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef
+};
+static const unsigned char des3_2key_subkeys[2][8] = {
+    {
+        /* K1 */
+        0x0d, 0xd2, 0xcb, 0x7a,     0x3d, 0x88, 0x88, 0xd9
+    },
+    {
+        /* K2 */
+        0x1b, 0xa5, 0x96, 0xf4,     0x7b, 0x11, 0x11, 0xb2
+    }
+};
+static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
+    {
+        /* Sample #1 */
+        0x79, 0xce, 0x52, 0xa7,     0xf7, 0x86, 0xa9, 0x60
+    },
+    {
+        /* Sample #2 */
+        0xcc, 0x18, 0xa0, 0xb7,     0x9a, 0xf2, 0x41, 0x3b
+    },
+    {
+        /* Sample #3 */
+        0xc0, 0x6d, 0x37, 0x7e,     0xcd, 0x10, 0x19, 0x69
+    },
+    {
+        /* Sample #4 */
+        0x9c, 0xd3, 0x35, 0x80,     0xf9, 0xb6, 0x4d, 0xfb
+    }
+};
+
+/* CMAC-TDES (Generation) - 3 Key Test Data */
+static const unsigned char des3_3key_key[24] = {
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xaa, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xef, 0x01,
+    /* Key3 */
+    0x45, 0x67, 0x89, 0xab,     0xcd, 0xef, 0x01, 0x23
+};
+static const unsigned char des3_3key_subkeys[2][8] = {
+    {
+        /* K1 */
+        0x9d, 0x74, 0xe7, 0x39,     0x33, 0x17, 0x96, 0xc0
+    },
+    {
+        /* K2 */
+        0x3a, 0xe9, 0xce, 0x72,     0x66, 0x2f, 0x2d, 0x9b
+    }
+};
+static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
+    {
+        /* Sample #1 */
+        0x7d, 0xb0, 0xd3, 0x7d,     0xf9, 0x36, 0xc5, 0x50
+    },
+    {
+        /* Sample #2 */
+        0x30, 0x23, 0x9c, 0xf1,     0xf5, 0x2e, 0x66, 0x09
+    },
+    {
+        /* Sample #3 */
+        0x6c, 0x9f, 0x3e, 0xe4,     0x92, 0x3f, 0x6b, 0xe2
+    },
+    {
+        /* Sample #4 */
+        0x99, 0x42, 0x9b, 0xd0,     0xbF, 0x79, 0x04, 0xe5
+    }
+};
+
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/* AES AES-CMAC-PRF-128 Test Data */
+static const unsigned char PRFK[] = {
+    /* Key */
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
+    0xed, 0xcb
+};
+
+/* Sizes in bytes */
+static const size_t PRFKlen[NB_PRF_TESTS] = {
+    18,
+    16,
+    10
+};
+
+/* Message */
+static const unsigned char PRFM[] = {
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
+    0x10, 0x11, 0x12, 0x13
+};
+
+static const unsigned char PRFT[NB_PRF_TESTS][16] = {
+    {
+        0x84, 0xa3, 0x48, 0xa4,     0xa4, 0x5d, 0x23, 0x5b,
+        0xab, 0xff, 0xfc, 0x0d,     0x2b, 0x4d, 0xa0, 0x9a
+    },
+    {
+        0x98, 0x0a, 0xe8, 0x7b,     0x5f, 0x4c, 0x9c, 0x52,
+        0x14, 0xf5, 0xb6, 0xa8,     0x45, 0x5e, 0x4c, 0x2d
+    },
+    {
+        0x29, 0x0d, 0x9e, 0x11,     0x2e, 0xdb, 0x09, 0xee,
+        0x14, 0x1f, 0xcf, 0x64,     0xc0, 0xb7, 0x2f, 0x3d
+    }
+};
+#endif /* MBEDTLS_AES_C */
+
+static int cmac_test_subkeys( int verbose,
+                              const char* testname,
+                              const unsigned char* key,
+                              int keybits,
+                              const unsigned char* subkeys,
+                              mbedtls_cipher_type_t cipher_type,
+                              int block_size,
+                              int num_tests )
+{
+    int i, ret = 0;
+    mbedtls_cipher_context_t ctx;
+    const mbedtls_cipher_info_t *cipher_info;
+    unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
+    unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+    }
+
+    for( i = 0; i < num_tests; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  %s CMAC subkey #%u: ", testname, i + 1 );
+
+        mbedtls_cipher_init( &ctx );
+
+        if( ( ret = mbedtls_cipher_setup( &ctx, cipher_info ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "test execution failed\n" );
+
+            goto cleanup;
+        }
+
+        if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
+                                       MBEDTLS_ENCRYPT ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "test execution failed\n" );
+
+            goto cleanup;
+        }
+
+        ret = cmac_generate_subkeys( &ctx, K1, K2 );
+        if( ret != 0 )
+        {
+           if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            goto cleanup;
+        }
+
+        if( ( ret = memcmp( K1, subkeys, block_size ) ) != 0  ||
+            ( ret = memcmp( K2, &subkeys[block_size], block_size ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            goto cleanup;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_cipher_free( &ctx );
+    }
+
+    ret = 0;
+    goto exit;
+
+cleanup:
+    mbedtls_cipher_free( &ctx );
+
+exit:
+    return( ret );
+}
+
+static int cmac_test_wth_cipher( int verbose,
+                                 const char* testname,
+                                 const unsigned char* key,
+                                 int keybits,
+                                 const unsigned char* messages,
+                                 const unsigned int message_lengths[4],
+                                 const unsigned char* expected_result,
+                                 mbedtls_cipher_type_t cipher_type,
+                                 int block_size,
+                                 int num_tests )
+{
+    const mbedtls_cipher_info_t *cipher_info;
+    int i, ret = 0;
+    unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+    {
+        /* Failing at this point must be due to a build issue */
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto exit;
+    }
+
+    for( i = 0; i < num_tests; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  %s CMAC #%u: ", testname, i + 1 );
+
+        if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
+                                         message_lengths[i], output ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+            goto exit;
+        }
+
+        if( ( ret = memcmp( output, &expected_result[i * block_size], block_size ) ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+    ret = 0;
+
+exit:
+    return( ret );
+}
+
+#if defined(MBEDTLS_AES_C)
+static int test_aes128_cmac_prf( int verbose )
+{
+    int i;
+    int ret;
+    unsigned char output[MBEDTLS_AES_BLOCK_SIZE];
+
+    for( i = 0; i < NB_PRF_TESTS; i++ )
+    {
+        mbedtls_printf( "  AES CMAC 128 PRF #%u: ", i );
+        ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
+        if( ret != 0 ||
+            memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
+        {
+
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            return( ret );
+        }
+        else if( verbose != 0 )
+        {
+            mbedtls_printf( "passed\n" );
+        }
+    }
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+int mbedtls_cmac_self_test( int verbose )
+{
+    int ret;
+
+#if defined(MBEDTLS_AES_C)
+    /* AES-128 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 128",
+                                   aes_128_key,
+                                   128,
+                                   (const unsigned char*)aes_128_subkeys,
+                                   MBEDTLS_CIPHER_AES_128_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "AES 128",
+                                      aes_128_key,
+                                      128,
+                                      test_message,
+                                      aes_message_lengths,
+                                      (const unsigned char*)aes_128_expected_result,
+                                      MBEDTLS_CIPHER_AES_128_ECB,
+                                      MBEDTLS_AES_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* AES-192 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 192",
+                                   aes_192_key,
+                                   192,
+                                   (const unsigned char*)aes_192_subkeys,
+                                   MBEDTLS_CIPHER_AES_192_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "AES 192",
+                                      aes_192_key,
+                                      192,
+                                      test_message,
+                                      aes_message_lengths,
+                                      (const unsigned char*)aes_192_expected_result,
+                                      MBEDTLS_CIPHER_AES_192_ECB,
+                                      MBEDTLS_AES_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* AES-256 */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "AES 256",
+                                   aes_256_key,
+                                   256,
+                                   (const unsigned char*)aes_256_subkeys,
+                                   MBEDTLS_CIPHER_AES_256_ECB,
+                                   MBEDTLS_AES_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher ( verbose,
+                                       "AES 256",
+                                       aes_256_key,
+                                       256,
+                                       test_message,
+                                       aes_message_lengths,
+                                       (const unsigned char*)aes_256_expected_result,
+                                       MBEDTLS_CIPHER_AES_256_ECB,
+                                       MBEDTLS_AES_BLOCK_SIZE,
+                                       NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_DES_C)
+    /* 3DES 2 key */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "3DES 2 key",
+                                   des3_2key_key,
+                                   192,
+                                   (const unsigned char*)des3_2key_subkeys,
+                                   MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                   MBEDTLS_DES3_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "3DES 2 key",
+                                      des3_2key_key,
+                                      192,
+                                      test_message,
+                                      des3_message_lengths,
+                                      (const unsigned char*)des3_2key_expected_result,
+                                      MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                      MBEDTLS_DES3_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* 3DES 3 key */
+    if( ( ret = cmac_test_subkeys( verbose,
+                                   "3DES 3 key",
+                                   des3_3key_key,
+                                   192,
+                                   (const unsigned char*)des3_3key_subkeys,
+                                   MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                   MBEDTLS_DES3_BLOCK_SIZE,
+                                   NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = cmac_test_wth_cipher( verbose,
+                                      "3DES 3 key",
+                                      des3_3key_key,
+                                      192,
+                                      test_message,
+                                      des3_message_lengths,
+                                      (const unsigned char*)des3_3key_expected_result,
+                                      MBEDTLS_CIPHER_DES_EDE3_ECB,
+                                      MBEDTLS_DES3_BLOCK_SIZE,
+                                      NB_CMAC_TESTS_PER_KEY ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+    if( ( ret = test_aes128_cmac_prf( verbose ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_AES_C */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CMAC_C */
diff --git a/makerom/deps/libmbedtls/src/ctr_drbg.c b/makerom/deps/libmbedtls/src/ctr_drbg.c
new file mode 100644
index 00000000..ad0a1936
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ctr_drbg.c
@@ -0,0 +1,722 @@
+/*
+ *  CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The NIST SP 800-90 DRBGs are described in the following publication.
+ *
+ *  http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+/*
+ * CTR_DRBG context initialization
+ */
+void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ctr_drbg_context ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+    mbedtls_aes_free( &ctx->aes_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
+}
+
+void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance )
+{
+    ctx->prediction_resistance = resistance;
+}
+
+void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len )
+{
+    ctx->entropy_len = len;
+}
+
+void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval )
+{
+    ctx->reseed_interval = interval;
+}
+
+static int block_cipher_df( unsigned char *output,
+                            const unsigned char *data, size_t data_len )
+{
+    unsigned char buf[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16];
+    unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+    unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+    unsigned char *p, *iv;
+    mbedtls_aes_context aes_ctx;
+    int ret = 0;
+
+    int i, j;
+    size_t buf_len, use_len;
+
+    if( data_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( buf, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + MBEDTLS_CTR_DRBG_BLOCKSIZE + 16 );
+    mbedtls_aes_init( &aes_ctx );
+
+    /*
+     * Construct IV (16 bytes) and S in buffer
+     * IV = Counter (in 32-bits) padded to 16 with zeroes
+     * S = Length input string (in 32-bits) || Length of output (in 32-bits) ||
+     *     data || 0x80
+     *     (Total is padded to a multiple of 16-bytes with zeroes)
+     */
+    p = buf + MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    *p++ = ( data_len >> 24 ) & 0xff;
+    *p++ = ( data_len >> 16 ) & 0xff;
+    *p++ = ( data_len >> 8  ) & 0xff;
+    *p++ = ( data_len       ) & 0xff;
+    p += 3;
+    *p++ = MBEDTLS_CTR_DRBG_SEEDLEN;
+    memcpy( p, data, data_len );
+    p[data_len] = 0x80;
+
+    buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1;
+
+    for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
+        key[i] = i;
+
+    if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    /*
+     * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
+     */
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        p = buf;
+        memset( chain, 0, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+        use_len = buf_len;
+
+        while( use_len > 0 )
+        {
+            for( i = 0; i < MBEDTLS_CTR_DRBG_BLOCKSIZE; i++ )
+                chain[i] ^= p[i];
+            p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+            use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ?
+                       MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
+
+            if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain ) ) != 0 )
+            {
+                goto exit;
+            }
+        }
+
+        memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+
+        /*
+         * Update IV
+         */
+        buf[3]++;
+    }
+
+    /*
+     * Do final encryption with reduced data
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        goto exit;
+    }
+    iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
+    p = output;
+
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 )
+        {
+            goto exit;
+        }
+        memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+        p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    }
+exit:
+    mbedtls_aes_free( &aes_ctx );
+    /*
+    * tidy up the stack
+    */
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( chain, sizeof( chain ) );
+    if( 0 != ret )
+    {
+        /*
+        * wipe partial seed from memory
+        */
+        mbedtls_platform_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
+    }
+
+    return( ret );
+}
+
+/* CTR_DRBG_Update (SP 800-90A &sect;10.2.1.2)
+ * ctr_drbg_update_internal(ctx, provided_data)
+ * implements
+ * CTR_DRBG_Update(provided_data, Key, V)
+ * with inputs and outputs
+ *   ctx->aes_ctx = Key
+ *   ctx->counter = V
+ */
+static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
+                              const unsigned char data[MBEDTLS_CTR_DRBG_SEEDLEN] )
+{
+    unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char *p = tmp;
+    int i, j;
+    int ret = 0;
+
+    memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
+
+    for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
+    {
+        /*
+         * Increase counter
+         */
+        for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
+            if( ++ctx->counter[i - 1] != 0 )
+                break;
+
+        /*
+         * Crypt counter block
+         */
+        if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 )
+            goto exit;
+
+        p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
+    }
+
+    for( i = 0; i < MBEDTLS_CTR_DRBG_SEEDLEN; i++ )
+        tmp[i] ^= data[i];
+
+    /*
+     * Update key and counter
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+        goto exit;
+    memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
+
+exit:
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    return( ret );
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_update(ctx, additional, add_len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   ctx->counter = all-bits-0
+ *   ctx->aes_ctx = context from all-bits-0 key
+ *   additional[:add_len] = entropy_input || nonce || personalization_string
+ * and with outputs
+ *   ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
+                                 const unsigned char *additional,
+                                 size_t add_len )
+{
+    unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+    int ret;
+
+    if( add_len == 0 )
+        return( 0 );
+
+    if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
+        goto exit;
+    if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
+                              const unsigned char *additional,
+                              size_t add_len )
+{
+    /* MAX_INPUT would be more logical here, but we have to match
+     * block_cipher_df()'s limits since we can't propagate errors */
+    if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+        add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
+    (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
+ * mbedtls_ctr_drbg_reseed(ctx, additional, len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional_input)
+ *                -> new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   additional[:len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with output
+ *   ctx contains new_working_state
+ */
+int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
+                     const unsigned char *additional, size_t len )
+{
+    unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
+    size_t seedlen = 0;
+    int ret;
+
+    if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
+        len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
+
+    /*
+     * Gather entropy_len bytes of entropy to seed state
+     */
+    if( 0 != ctx->f_entropy( ctx->p_entropy, seed,
+                             ctx->entropy_len ) )
+    {
+        return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+
+    seedlen += ctx->entropy_len;
+
+    /*
+     * Add additional data
+     */
+    if( additional && len )
+    {
+        memcpy( seed + seedlen, additional, len );
+        seedlen += len;
+    }
+
+    /*
+     * Reduce to 384 bits
+     */
+    if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
+        goto exit;
+
+    /*
+     * Update state
+     */
+    if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
+        goto exit;
+    ctx->reseed_counter = 1;
+
+exit:
+    mbedtls_platform_zeroize( seed, sizeof( seed ) );
+    return( ret );
+}
+
+/* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
+ * mbedtls_ctr_drbg_seed(ctx, f_entropy, p_entropy, custom, len)
+ * implements
+ * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
+ *                      security_strength) -> initial_working_state
+ * with inputs
+ *   custom[:len] = nonce || personalization_string
+ * where entropy_input comes from f_entropy for ctx->entropy_len bytes
+ * and with outputs
+ *   ctx = initial_working_state
+ */
+int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
+                           int (*f_entropy)(void *, unsigned char *, size_t),
+                           void *p_entropy,
+                           const unsigned char *custom,
+                           size_t len )
+{
+    int ret;
+    unsigned char key[MBEDTLS_CTR_DRBG_KEYSIZE];
+
+    memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
+
+    mbedtls_aes_init( &ctx->aes_ctx );
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    if( ctx->entropy_len == 0 )
+        ctx->entropy_len = MBEDTLS_CTR_DRBG_ENTROPY_LEN;
+    ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+
+    /*
+     * Initialize with an empty key
+     */
+    if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
+    {
+        return( ret );
+    }
+    return( 0 );
+}
+
+/* Backward compatibility wrapper */
+int mbedtls_ctr_drbg_seed_entropy_len(
+    mbedtls_ctr_drbg_context *ctx,
+    int (*f_entropy)(void *, unsigned char *, size_t), void *p_entropy,
+    const unsigned char *custom, size_t len,
+    size_t entropy_len )
+{
+    mbedtls_ctr_drbg_set_entropy_len( ctx, entropy_len );
+    return( mbedtls_ctr_drbg_seed( ctx, f_entropy, p_entropy, custom, len ) );
+}
+
+/* CTR_DRBG_Generate with derivation function (SP 800-90A &sect;10.2.1.5.2)
+ * mbedtls_ctr_drbg_random_with_add(ctx, output, output_len, additional, add_len)
+ * implements
+ * CTR_DRBG_Reseed(working_state, entropy_input, additional[:add_len])
+ *                -> working_state_after_reseed
+ *                if required, then
+ * CTR_DRBG_Generate(working_state_after_reseed,
+ *                   requested_number_of_bits, additional_input)
+ *                -> status, returned_bits, new_working_state
+ * with inputs
+ *   ctx contains working_state
+ *   requested_number_of_bits = 8 * output_len
+ *   additional[:add_len] = additional_input
+ * and entropy_input comes from calling ctx->f_entropy
+ * and with outputs
+ *   status = SUCCESS (this function does the reseed internally)
+ *   returned_bits = output[:output_len]
+ *   ctx contains new_working_state
+ */
+int mbedtls_ctr_drbg_random_with_add( void *p_rng,
+                              unsigned char *output, size_t output_len,
+                              const unsigned char *additional, size_t add_len )
+{
+    int ret = 0;
+    mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+    unsigned char add_input[MBEDTLS_CTR_DRBG_SEEDLEN];
+    unsigned char *p = output;
+    unsigned char tmp[MBEDTLS_CTR_DRBG_BLOCKSIZE];
+    int i;
+    size_t use_len;
+
+    if( output_len > MBEDTLS_CTR_DRBG_MAX_REQUEST )
+        return( MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG );
+
+    if( add_len > MBEDTLS_CTR_DRBG_MAX_INPUT )
+        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
+
+    memset( add_input, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
+
+    if( ctx->reseed_counter > ctx->reseed_interval ||
+        ctx->prediction_resistance )
+    {
+        if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
+        {
+            return( ret );
+        }
+        add_len = 0;
+    }
+
+    if( add_len > 0 )
+    {
+        if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
+            goto exit;
+        if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+            goto exit;
+    }
+
+    while( output_len > 0 )
+    {
+        /*
+         * Increase counter
+         */
+        for( i = MBEDTLS_CTR_DRBG_BLOCKSIZE; i > 0; i-- )
+            if( ++ctx->counter[i - 1] != 0 )
+                break;
+
+        /*
+         * Crypt counter block
+         */
+        if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 )
+            goto exit;
+
+        use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE :
+                                                       output_len;
+        /*
+         * Copy random block to destination
+         */
+        memcpy( p, tmp, use_len );
+        p += use_len;
+        output_len -= use_len;
+    }
+
+    if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+        goto exit;
+
+    ctx->reseed_counter++;
+
+exit:
+    mbedtls_platform_zeroize( add_input, sizeof( add_input ) );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len )
+{
+    int ret;
+    mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = mbedtls_ctr_drbg_random_with_add( ctx, output, output_len, NULL, 0 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
+{
+    int ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+    FILE *f;
+    unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_ctr_drbg_random( ctx, buf, MBEDTLS_CTR_DRBG_MAX_INPUT ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT )
+        ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+    else
+        ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    fclose( f );
+    return( ret );
+}
+
+int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f = NULL;
+    size_t n;
+    unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ];
+    unsigned char c;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR );
+
+    n = fread( buf, 1, sizeof( buf ), f );
+    if( fread( &c, 1, 1, f ) != 0 )
+    {
+        ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
+        goto exit;
+    }
+    if( n == 0 || ferror( f ) )
+    {
+        ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+    fclose( f );
+    f = NULL;
+
+    ret = mbedtls_ctr_drbg_update_ret( ctx, buf, n );
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    if( f != NULL )
+        fclose( f );
+    if( ret != 0 )
+        return( ret );
+    return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char entropy_source_pr[96] =
+    { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
+      0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
+      0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
+      0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
+      0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
+      0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
+      0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
+      0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
+      0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
+      0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
+      0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
+      0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
+
+static const unsigned char entropy_source_nopr[64] =
+    { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
+      0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
+      0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
+      0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
+      0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
+      0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
+      0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
+      0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
+
+static const unsigned char nonce_pers_pr[16] =
+    { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
+      0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
+
+static const unsigned char nonce_pers_nopr[16] =
+    { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
+      0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
+
+static const unsigned char result_pr[16] =
+    { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
+      0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
+
+static const unsigned char result_nopr[16] =
+    { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
+      0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
+
+static size_t test_offset;
+static int ctr_drbg_self_test_entropy( void *data, unsigned char *buf,
+                                       size_t len )
+{
+    const unsigned char *p = data;
+    memcpy( buf, p + test_offset, len );
+    test_offset += len;
+    return( 0 );
+}
+
+#define CHK( c )    if( (c) != 0 )                          \
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ctr_drbg_self_test( int verbose )
+{
+    mbedtls_ctr_drbg_context ctx;
+    unsigned char buf[16];
+
+    mbedtls_ctr_drbg_init( &ctx );
+
+    /*
+     * Based on a NIST CTR_DRBG test vector (PR = True)
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  CTR_DRBG (PR = TRUE) : " );
+
+    test_offset = 0;
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_pr,
+                                nonce_pers_pr, 16 ) );
+    mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+    CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+
+    mbedtls_ctr_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    /*
+     * Based on a NIST CTR_DRBG test vector (PR = FALSE)
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  CTR_DRBG (PR = FALSE): " );
+
+    mbedtls_ctr_drbg_init( &ctx );
+
+    test_offset = 0;
+    mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
+    CHK( mbedtls_ctr_drbg_seed( &ctx,
+                                ctr_drbg_self_test_entropy,
+                                (void *) entropy_source_nopr,
+                                nonce_pers_nopr, 16 ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
+    CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
+    CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
+    CHK( memcmp( buf, result_nopr, 16 ) );
+
+    mbedtls_ctr_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+            mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_CTR_DRBG_C */
diff --git a/makerom/deps/libmbedtls/src/debug.c b/makerom/deps/libmbedtls/src/debug.c
new file mode 100644
index 00000000..36510cdd
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/debug.c
@@ -0,0 +1,450 @@
+/*
+ *  Debugging routines
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DEBUG_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc      calloc
+#define mbedtls_free        free
+#define mbedtls_time_t      time_t
+#define mbedtls_snprintf    snprintf
+#endif
+
+#include "mbedtls/debug.h"
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <string.h>
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#define DEBUG_BUF_SIZE      512
+
+static int debug_threshold = 0;
+
+void mbedtls_debug_set_threshold( int threshold )
+{
+    debug_threshold = threshold;
+}
+
+/*
+ * All calls to f_dbg must be made via this function
+ */
+static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level,
+                                    const char *file, int line,
+                                    const char *str )
+{
+    /*
+     * If in a threaded environment, we need a thread identifier.
+     * Since there is no portable way to get one, use the address of the ssl
+     * context instead, as it shouldn't be shared between threads.
+     */
+#if defined(MBEDTLS_THREADING_C)
+    char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
+    mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", (void*)ssl, str );
+    ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr );
+#else
+    ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str );
+#endif
+}
+
+void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
+                              const char *file, int line,
+                              const char *format, ... )
+{
+    va_list argp;
+    char str[DEBUG_BUF_SIZE];
+    int ret;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    va_start( argp, format );
+#if defined(_WIN32)
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
+    ret = _vsnprintf_s( str, DEBUG_BUF_SIZE, _TRUNCATE, format, argp );
+#else
+    ret = _vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
+    if( ret < 0 || (size_t) ret == DEBUG_BUF_SIZE )
+    {
+        str[DEBUG_BUF_SIZE-1] = '\0';
+        ret = -1;
+    }
+#endif
+#else
+    ret = vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
+#endif
+    va_end( argp );
+
+    if( ret >= 0 && ret < DEBUG_BUF_SIZE - 1 )
+    {
+        str[ret]     = '\n';
+        str[ret + 1] = '\0';
+    }
+
+    debug_send_line( ssl, level, file, line, str );
+}
+
+void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, int ret )
+{
+    char str[DEBUG_BUF_SIZE];
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    /*
+     * With non-blocking I/O and examples that just retry immediately,
+     * the logs would be quickly flooded with WANT_READ, so ignore that.
+     * Don't ignore WANT_WRITE however, since is is usually rare.
+     */
+    if( ret == MBEDTLS_ERR_SSL_WANT_READ )
+        return;
+
+    mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n",
+              text, ret, -ret );
+
+    debug_send_line( ssl, level, file, line, str );
+}
+
+void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line, const char *text,
+                      const unsigned char *buf, size_t len )
+{
+    char str[DEBUG_BUF_SIZE];
+    char txt[17];
+    size_t i, idx = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n",
+              text, (unsigned int) len );
+
+    debug_send_line( ssl, level, file, line, str );
+
+    idx = 0;
+    memset( txt, 0, sizeof( txt ) );
+    for( i = 0; i < len; i++ )
+    {
+        if( i >= 4096 )
+            break;
+
+        if( i % 16 == 0 )
+        {
+            if( i > 0 )
+            {
+                mbedtls_snprintf( str + idx, sizeof( str ) - idx, "  %s\n", txt );
+                debug_send_line( ssl, level, file, line, str );
+
+                idx = 0;
+                memset( txt, 0, sizeof( txt ) );
+            }
+
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "%04x: ",
+                             (unsigned int) i );
+
+        }
+
+        idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x",
+                         (unsigned int) buf[i] );
+        txt[i % 16] = ( buf[i] > 31 && buf[i] < 127 ) ? buf[i] : '.' ;
+    }
+
+    if( len > 0 )
+    {
+        for( /* i = i */; i % 16 != 0; i++ )
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "   " );
+
+        mbedtls_snprintf( str + idx, sizeof( str ) - idx, "  %s\n", txt );
+        debug_send_line( ssl, level, file, line, str );
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_ecp_point *X )
+{
+    char str[DEBUG_BUF_SIZE];
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    mbedtls_snprintf( str, sizeof( str ), "%s(X)", text );
+    mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X );
+
+    mbedtls_snprintf( str, sizeof( str ), "%s(Y)", text );
+    mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->Y );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_mpi *X )
+{
+    char str[DEBUG_BUF_SIZE];
+    int j, k, zeros = 1;
+    size_t i, n, idx = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == X                ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    for( n = X->n - 1; n > 0; n-- )
+        if( X->p[n] != 0 )
+            break;
+
+    for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
+        if( ( ( X->p[n] >> j ) & 1 ) != 0 )
+            break;
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
+              text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
+
+    debug_send_line( ssl, level, file, line, str );
+
+    idx = 0;
+    for( i = n + 1, j = 0; i > 0; i-- )
+    {
+        if( zeros && X->p[i - 1] == 0 )
+            continue;
+
+        for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
+        {
+            if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
+                continue;
+            else
+                zeros = 0;
+
+            if( j % 16 == 0 )
+            {
+                if( j > 0 )
+                {
+                    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+                    debug_send_line( ssl, level, file, line, str );
+                    idx = 0;
+                }
+            }
+
+            idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
+                             ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
+
+            j++;
+        }
+
+    }
+
+    if( zeros == 1 )
+        idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
+
+    mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+    debug_send_line( ssl, level, file, line, str );
+}
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void debug_print_pk( const mbedtls_ssl_context *ssl, int level,
+                            const char *file, int line,
+                            const char *text, const mbedtls_pk_context *pk )
+{
+    size_t i;
+    mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS];
+    char name[16];
+
+    memset( items, 0, sizeof( items ) );
+
+    if( mbedtls_pk_debug( pk, items ) != 0 )
+    {
+        debug_send_line( ssl, level, file, line,
+                          "invalid PK context\n" );
+        return;
+    }
+
+    for( i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++ )
+    {
+        if( items[i].type == MBEDTLS_PK_DEBUG_NONE )
+            return;
+
+        mbedtls_snprintf( name, sizeof( name ), "%s%s", text, items[i].name );
+        name[sizeof( name ) - 1] = '\0';
+
+        if( items[i].type == MBEDTLS_PK_DEBUG_MPI )
+            mbedtls_debug_print_mpi( ssl, level, file, line, name, items[i].value );
+        else
+#if defined(MBEDTLS_ECP_C)
+        if( items[i].type == MBEDTLS_PK_DEBUG_ECP )
+            mbedtls_debug_print_ecp( ssl, level, file, line, name, items[i].value );
+        else
+#endif
+            debug_send_line( ssl, level, file, line,
+                              "should not happen\n" );
+    }
+}
+
+static void debug_print_line_by_line( const mbedtls_ssl_context *ssl, int level,
+                                      const char *file, int line, const char *text )
+{
+    char str[DEBUG_BUF_SIZE];
+    const char *start, *cur;
+
+    start = text;
+    for( cur = text; *cur != '\0'; cur++ )
+    {
+        if( *cur == '\n' )
+        {
+            size_t len = cur - start + 1;
+            if( len > DEBUG_BUF_SIZE - 1 )
+                len = DEBUG_BUF_SIZE - 1;
+
+            memcpy( str, start, len );
+            str[len] = '\0';
+
+            debug_send_line( ssl, level, file, line, str );
+
+            start = cur + 1;
+        }
+    }
+}
+
+void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
+                      const char *file, int line,
+                      const char *text, const mbedtls_x509_crt *crt )
+{
+    char str[DEBUG_BUF_SIZE];
+    int i = 0;
+
+    if( NULL == ssl              ||
+        NULL == ssl->conf        ||
+        NULL == ssl->conf->f_dbg ||
+        NULL == crt              ||
+        level > debug_threshold )
+    {
+        return;
+    }
+
+    while( crt != NULL )
+    {
+        char buf[1024];
+
+        mbedtls_snprintf( str, sizeof( str ), "%s #%d:\n", text, ++i );
+        debug_send_line( ssl, level, file, line, str );
+
+        mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
+        debug_print_line_by_line( ssl, level, file, line, buf );
+
+        debug_print_pk( ssl, level, file, line, "crt->", &crt->pk );
+
+        crt = crt->next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_ECDH_C)
+static void mbedtls_debug_printf_ecdh_internal( const mbedtls_ssl_context *ssl,
+                                                int level, const char *file,
+                                                int line,
+                                                const mbedtls_ecdh_context *ecdh,
+                                                mbedtls_debug_ecdh_attr attr )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    const mbedtls_ecdh_context* ctx = ecdh;
+#else
+    const mbedtls_ecdh_context_mbed* ctx = &ecdh->ctx.mbed_ecdh;
+#endif
+
+    switch( attr )
+    {
+        case MBEDTLS_DEBUG_ECDH_Q:
+            mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Q",
+                                     &ctx->Q );
+            break;
+        case MBEDTLS_DEBUG_ECDH_QP:
+            mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Qp",
+                                     &ctx->Qp );
+            break;
+        case MBEDTLS_DEBUG_ECDH_Z:
+            mbedtls_debug_print_mpi( ssl, level, file, line, "ECDH: z",
+                                     &ctx->z );
+            break;
+        default:
+            break;
+    }
+}
+
+void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
+                                const char *file, int line,
+                                const mbedtls_ecdh_context *ecdh,
+                                mbedtls_debug_ecdh_attr attr )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh, attr );
+#else
+    switch( ecdh->var )
+    {
+        default:
+            mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh,
+                                                attr );
+    }
+#endif
+}
+#endif /* MBEDTLS_ECDH_C */
+
+#endif /* MBEDTLS_DEBUG_C */
diff --git a/makerom/deps/libmbedtls/src/des.c b/makerom/deps/libmbedtls/src/des.c
new file mode 100644
index 00000000..8a33d82e
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/des.c
@@ -0,0 +1,1064 @@
+/*
+ *  FIPS-46-3 compliant Triple-DES implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  DES, on which TDES is based, was originally designed by Horst Feistel
+ *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
+ *
+ *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DES_C)
+
+#include "mbedtls/des.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_DES_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+/*
+ * Expanded DES S-boxes
+ */
+static const uint32_t SB1[64] =
+{
+    0x01010400, 0x00000000, 0x00010000, 0x01010404,
+    0x01010004, 0x00010404, 0x00000004, 0x00010000,
+    0x00000400, 0x01010400, 0x01010404, 0x00000400,
+    0x01000404, 0x01010004, 0x01000000, 0x00000004,
+    0x00000404, 0x01000400, 0x01000400, 0x00010400,
+    0x00010400, 0x01010000, 0x01010000, 0x01000404,
+    0x00010004, 0x01000004, 0x01000004, 0x00010004,
+    0x00000000, 0x00000404, 0x00010404, 0x01000000,
+    0x00010000, 0x01010404, 0x00000004, 0x01010000,
+    0x01010400, 0x01000000, 0x01000000, 0x00000400,
+    0x01010004, 0x00010000, 0x00010400, 0x01000004,
+    0x00000400, 0x00000004, 0x01000404, 0x00010404,
+    0x01010404, 0x00010004, 0x01010000, 0x01000404,
+    0x01000004, 0x00000404, 0x00010404, 0x01010400,
+    0x00000404, 0x01000400, 0x01000400, 0x00000000,
+    0x00010004, 0x00010400, 0x00000000, 0x01010004
+};
+
+static const uint32_t SB2[64] =
+{
+    0x80108020, 0x80008000, 0x00008000, 0x00108020,
+    0x00100000, 0x00000020, 0x80100020, 0x80008020,
+    0x80000020, 0x80108020, 0x80108000, 0x80000000,
+    0x80008000, 0x00100000, 0x00000020, 0x80100020,
+    0x00108000, 0x00100020, 0x80008020, 0x00000000,
+    0x80000000, 0x00008000, 0x00108020, 0x80100000,
+    0x00100020, 0x80000020, 0x00000000, 0x00108000,
+    0x00008020, 0x80108000, 0x80100000, 0x00008020,
+    0x00000000, 0x00108020, 0x80100020, 0x00100000,
+    0x80008020, 0x80100000, 0x80108000, 0x00008000,
+    0x80100000, 0x80008000, 0x00000020, 0x80108020,
+    0x00108020, 0x00000020, 0x00008000, 0x80000000,
+    0x00008020, 0x80108000, 0x00100000, 0x80000020,
+    0x00100020, 0x80008020, 0x80000020, 0x00100020,
+    0x00108000, 0x00000000, 0x80008000, 0x00008020,
+    0x80000000, 0x80100020, 0x80108020, 0x00108000
+};
+
+static const uint32_t SB3[64] =
+{
+    0x00000208, 0x08020200, 0x00000000, 0x08020008,
+    0x08000200, 0x00000000, 0x00020208, 0x08000200,
+    0x00020008, 0x08000008, 0x08000008, 0x00020000,
+    0x08020208, 0x00020008, 0x08020000, 0x00000208,
+    0x08000000, 0x00000008, 0x08020200, 0x00000200,
+    0x00020200, 0x08020000, 0x08020008, 0x00020208,
+    0x08000208, 0x00020200, 0x00020000, 0x08000208,
+    0x00000008, 0x08020208, 0x00000200, 0x08000000,
+    0x08020200, 0x08000000, 0x00020008, 0x00000208,
+    0x00020000, 0x08020200, 0x08000200, 0x00000000,
+    0x00000200, 0x00020008, 0x08020208, 0x08000200,
+    0x08000008, 0x00000200, 0x00000000, 0x08020008,
+    0x08000208, 0x00020000, 0x08000000, 0x08020208,
+    0x00000008, 0x00020208, 0x00020200, 0x08000008,
+    0x08020000, 0x08000208, 0x00000208, 0x08020000,
+    0x00020208, 0x00000008, 0x08020008, 0x00020200
+};
+
+static const uint32_t SB4[64] =
+{
+    0x00802001, 0x00002081, 0x00002081, 0x00000080,
+    0x00802080, 0x00800081, 0x00800001, 0x00002001,
+    0x00000000, 0x00802000, 0x00802000, 0x00802081,
+    0x00000081, 0x00000000, 0x00800080, 0x00800001,
+    0x00000001, 0x00002000, 0x00800000, 0x00802001,
+    0x00000080, 0x00800000, 0x00002001, 0x00002080,
+    0x00800081, 0x00000001, 0x00002080, 0x00800080,
+    0x00002000, 0x00802080, 0x00802081, 0x00000081,
+    0x00800080, 0x00800001, 0x00802000, 0x00802081,
+    0x00000081, 0x00000000, 0x00000000, 0x00802000,
+    0x00002080, 0x00800080, 0x00800081, 0x00000001,
+    0x00802001, 0x00002081, 0x00002081, 0x00000080,
+    0x00802081, 0x00000081, 0x00000001, 0x00002000,
+    0x00800001, 0x00002001, 0x00802080, 0x00800081,
+    0x00002001, 0x00002080, 0x00800000, 0x00802001,
+    0x00000080, 0x00800000, 0x00002000, 0x00802080
+};
+
+static const uint32_t SB5[64] =
+{
+    0x00000100, 0x02080100, 0x02080000, 0x42000100,
+    0x00080000, 0x00000100, 0x40000000, 0x02080000,
+    0x40080100, 0x00080000, 0x02000100, 0x40080100,
+    0x42000100, 0x42080000, 0x00080100, 0x40000000,
+    0x02000000, 0x40080000, 0x40080000, 0x00000000,
+    0x40000100, 0x42080100, 0x42080100, 0x02000100,
+    0x42080000, 0x40000100, 0x00000000, 0x42000000,
+    0x02080100, 0x02000000, 0x42000000, 0x00080100,
+    0x00080000, 0x42000100, 0x00000100, 0x02000000,
+    0x40000000, 0x02080000, 0x42000100, 0x40080100,
+    0x02000100, 0x40000000, 0x42080000, 0x02080100,
+    0x40080100, 0x00000100, 0x02000000, 0x42080000,
+    0x42080100, 0x00080100, 0x42000000, 0x42080100,
+    0x02080000, 0x00000000, 0x40080000, 0x42000000,
+    0x00080100, 0x02000100, 0x40000100, 0x00080000,
+    0x00000000, 0x40080000, 0x02080100, 0x40000100
+};
+
+static const uint32_t SB6[64] =
+{
+    0x20000010, 0x20400000, 0x00004000, 0x20404010,
+    0x20400000, 0x00000010, 0x20404010, 0x00400000,
+    0x20004000, 0x00404010, 0x00400000, 0x20000010,
+    0x00400010, 0x20004000, 0x20000000, 0x00004010,
+    0x00000000, 0x00400010, 0x20004010, 0x00004000,
+    0x00404000, 0x20004010, 0x00000010, 0x20400010,
+    0x20400010, 0x00000000, 0x00404010, 0x20404000,
+    0x00004010, 0x00404000, 0x20404000, 0x20000000,
+    0x20004000, 0x00000010, 0x20400010, 0x00404000,
+    0x20404010, 0x00400000, 0x00004010, 0x20000010,
+    0x00400000, 0x20004000, 0x20000000, 0x00004010,
+    0x20000010, 0x20404010, 0x00404000, 0x20400000,
+    0x00404010, 0x20404000, 0x00000000, 0x20400010,
+    0x00000010, 0x00004000, 0x20400000, 0x00404010,
+    0x00004000, 0x00400010, 0x20004010, 0x00000000,
+    0x20404000, 0x20000000, 0x00400010, 0x20004010
+};
+
+static const uint32_t SB7[64] =
+{
+    0x00200000, 0x04200002, 0x04000802, 0x00000000,
+    0x00000800, 0x04000802, 0x00200802, 0x04200800,
+    0x04200802, 0x00200000, 0x00000000, 0x04000002,
+    0x00000002, 0x04000000, 0x04200002, 0x00000802,
+    0x04000800, 0x00200802, 0x00200002, 0x04000800,
+    0x04000002, 0x04200000, 0x04200800, 0x00200002,
+    0x04200000, 0x00000800, 0x00000802, 0x04200802,
+    0x00200800, 0x00000002, 0x04000000, 0x00200800,
+    0x04000000, 0x00200800, 0x00200000, 0x04000802,
+    0x04000802, 0x04200002, 0x04200002, 0x00000002,
+    0x00200002, 0x04000000, 0x04000800, 0x00200000,
+    0x04200800, 0x00000802, 0x00200802, 0x04200800,
+    0x00000802, 0x04000002, 0x04200802, 0x04200000,
+    0x00200800, 0x00000000, 0x00000002, 0x04200802,
+    0x00000000, 0x00200802, 0x04200000, 0x00000800,
+    0x04000002, 0x04000800, 0x00000800, 0x00200002
+};
+
+static const uint32_t SB8[64] =
+{
+    0x10001040, 0x00001000, 0x00040000, 0x10041040,
+    0x10000000, 0x10001040, 0x00000040, 0x10000000,
+    0x00040040, 0x10040000, 0x10041040, 0x00041000,
+    0x10041000, 0x00041040, 0x00001000, 0x00000040,
+    0x10040000, 0x10000040, 0x10001000, 0x00001040,
+    0x00041000, 0x00040040, 0x10040040, 0x10041000,
+    0x00001040, 0x00000000, 0x00000000, 0x10040040,
+    0x10000040, 0x10001000, 0x00041040, 0x00040000,
+    0x00041040, 0x00040000, 0x10041000, 0x00001000,
+    0x00000040, 0x10040040, 0x00001000, 0x00041040,
+    0x10001000, 0x00000040, 0x10000040, 0x10040000,
+    0x10040040, 0x10000000, 0x00040000, 0x10001040,
+    0x00000000, 0x10041040, 0x00040040, 0x10000040,
+    0x10040000, 0x10001000, 0x10001040, 0x00000000,
+    0x10041040, 0x00041000, 0x00041000, 0x00001040,
+    0x00001040, 0x00040040, 0x10000000, 0x10041000
+};
+
+/*
+ * PC1: left and right halves bit-swap
+ */
+static const uint32_t LHs[16] =
+{
+    0x00000000, 0x00000001, 0x00000100, 0x00000101,
+    0x00010000, 0x00010001, 0x00010100, 0x00010101,
+    0x01000000, 0x01000001, 0x01000100, 0x01000101,
+    0x01010000, 0x01010001, 0x01010100, 0x01010101
+};
+
+static const uint32_t RHs[16] =
+{
+    0x00000000, 0x01000000, 0x00010000, 0x01010000,
+    0x00000100, 0x01000100, 0x00010100, 0x01010100,
+    0x00000001, 0x01000001, 0x00010001, 0x01010001,
+    0x00000101, 0x01000101, 0x00010101, 0x01010101,
+};
+
+/*
+ * Initial Permutation macro
+ */
+#define DES_IP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
+        (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
+    } while( 0 )
+
+/*
+ * Final Permutation macro
+ */
+#define DES_FP(X,Y)                                                       \
+    do                                                                    \
+    {                                                                     \
+        (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
+        T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
+        (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
+        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
+        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
+        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
+        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
+    } while( 0 )
+
+/*
+ * DES round macro
+ */
+#define DES_ROUND(X,Y)                              \
+    do                                              \
+    {                                               \
+        T = *SK++ ^ (X);                            \
+        (Y) ^= SB8[ (T      ) & 0x3F ] ^            \
+               SB6[ (T >>  8) & 0x3F ] ^            \
+               SB4[ (T >> 16) & 0x3F ] ^            \
+               SB2[ (T >> 24) & 0x3F ];             \
+                                                    \
+        T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
+        (Y) ^= SB7[ (T      ) & 0x3F ] ^            \
+               SB5[ (T >>  8) & 0x3F ] ^            \
+               SB3[ (T >> 16) & 0x3F ] ^            \
+               SB1[ (T >> 24) & 0x3F ];             \
+    } while( 0 )
+
+#define SWAP(a,b)                                       \
+    do                                                  \
+    {                                                   \
+        uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
+    } while( 0 )
+
+void mbedtls_des_init( mbedtls_des_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_des_context ) );
+}
+
+void mbedtls_des_free( mbedtls_des_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
+}
+
+void mbedtls_des3_init( mbedtls_des3_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_des3_context ) );
+}
+
+void mbedtls_des3_free( mbedtls_des3_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
+}
+
+static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
+        11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
+        47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
+        82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
+        115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
+        143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
+        171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
+        199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
+        227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
+        254 };
+
+void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
+        key[i] = odd_parity_table[key[i] / 2];
+}
+
+/*
+ * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
+ */
+int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
+        if( key[i] != odd_parity_table[key[i] / 2] )
+            return( 1 );
+
+    return( 0 );
+}
+
+/*
+ * Table of weak and semi-weak keys
+ *
+ * Source: http://en.wikipedia.org/wiki/Weak_key
+ *
+ * Weak:
+ * Alternating ones + zeros (0x0101010101010101)
+ * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
+ * '0xE0E0E0E0F1F1F1F1'
+ * '0x1F1F1F1F0E0E0E0E'
+ *
+ * Semi-weak:
+ * 0x011F011F010E010E and 0x1F011F010E010E01
+ * 0x01E001E001F101F1 and 0xE001E001F101F101
+ * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
+ * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
+ * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
+ * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
+ *
+ */
+
+#define WEAK_KEY_COUNT 16
+
+static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
+{
+    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+    { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
+    { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
+    { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
+
+    { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
+    { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
+    { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
+    { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
+    { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
+    { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
+    { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
+    { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
+    { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
+    { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
+    { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
+    { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
+};
+
+int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    for( i = 0; i < WEAK_KEY_COUNT; i++ )
+        if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
+            return( 1 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DES_SETKEY_ALT)
+void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+    uint32_t X, Y, T;
+
+    GET_UINT32_BE( X, key, 0 );
+    GET_UINT32_BE( Y, key, 4 );
+
+    /*
+     * Permuted Choice 1
+     */
+    T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
+    T =  ((Y      ) ^ X) & 0x10101010;  X ^= T; Y ^= (T      );
+
+    X =   (LHs[ (X      ) & 0xF] << 3) | (LHs[ (X >>  8) & 0xF ] << 2)
+        | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ]     )
+        | (LHs[ (X >>  5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
+        | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
+
+    Y =   (RHs[ (Y >>  1) & 0xF] << 3) | (RHs[ (Y >>  9) & 0xF ] << 2)
+        | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ]     )
+        | (RHs[ (Y >>  4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
+        | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
+
+    X &= 0x0FFFFFFF;
+    Y &= 0x0FFFFFFF;
+
+    /*
+     * calculate subkeys
+     */
+    for( i = 0; i < 16; i++ )
+    {
+        if( i < 2 || i == 8 || i == 15 )
+        {
+            X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
+            Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
+        }
+        else
+        {
+            X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
+            Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
+        }
+
+        *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
+                | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
+                | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
+                | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
+                | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
+                | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
+                | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
+                | ((Y >> 14) & 0x00000200) | ((Y      ) & 0x00000100)
+                | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
+                | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
+                | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
+
+        *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
+                | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
+                | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
+                | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
+                | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
+                | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
+                | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
+                | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
+                | ((Y      ) & 0x00000200) | ((Y <<  7) & 0x00000100)
+                | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
+                | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
+    }
+}
+#endif /* !MBEDTLS_DES_SETKEY_ALT */
+
+/*
+ * DES key schedule (56-bit, encryption)
+ */
+int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    mbedtls_des_setkey( ctx->sk, key );
+
+    return( 0 );
+}
+
+/*
+ * DES key schedule (56-bit, decryption)
+ */
+int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
+{
+    int i;
+
+    mbedtls_des_setkey( ctx->sk, key );
+
+    for( i = 0; i < 16; i += 2 )
+    {
+        SWAP( ctx->sk[i    ], ctx->sk[30 - i] );
+        SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
+    }
+
+    return( 0 );
+}
+
+static void des3_set2key( uint32_t esk[96],
+                          uint32_t dsk[96],
+                          const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
+{
+    int i;
+
+    mbedtls_des_setkey( esk, key );
+    mbedtls_des_setkey( dsk + 32, key + 8 );
+
+    for( i = 0; i < 32; i += 2 )
+    {
+        dsk[i     ] = esk[30 - i];
+        dsk[i +  1] = esk[31 - i];
+
+        esk[i + 32] = dsk[62 - i];
+        esk[i + 33] = dsk[63 - i];
+
+        esk[i + 64] = esk[i    ];
+        esk[i + 65] = esk[i + 1];
+
+        dsk[i + 64] = dsk[i    ];
+        dsk[i + 65] = dsk[i + 1];
+    }
+}
+
+/*
+ * Triple-DES key schedule (112-bit, encryption)
+ */
+int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
+{
+    uint32_t sk[96];
+
+    des3_set2key( ctx->sk, sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * Triple-DES key schedule (112-bit, decryption)
+ */
+int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
+{
+    uint32_t sk[96];
+
+    des3_set2key( sk, ctx->sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+static void des3_set3key( uint32_t esk[96],
+                          uint32_t dsk[96],
+                          const unsigned char key[24] )
+{
+    int i;
+
+    mbedtls_des_setkey( esk, key );
+    mbedtls_des_setkey( dsk + 32, key +  8 );
+    mbedtls_des_setkey( esk + 64, key + 16 );
+
+    for( i = 0; i < 32; i += 2 )
+    {
+        dsk[i     ] = esk[94 - i];
+        dsk[i +  1] = esk[95 - i];
+
+        esk[i + 32] = dsk[62 - i];
+        esk[i + 33] = dsk[63 - i];
+
+        dsk[i + 64] = esk[30 - i];
+        dsk[i + 65] = esk[31 - i];
+    }
+}
+
+/*
+ * Triple-DES key schedule (168-bit, encryption)
+ */
+int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
+{
+    uint32_t sk[96];
+
+    des3_set3key( ctx->sk, sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * Triple-DES key schedule (168-bit, decryption)
+ */
+int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
+                      const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
+{
+    uint32_t sk[96];
+
+    des3_set3key( sk, ctx->sk, key );
+    mbedtls_platform_zeroize( sk,  sizeof( sk ) );
+
+    return( 0 );
+}
+
+/*
+ * DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
+                    const unsigned char input[8],
+                    unsigned char output[8] )
+{
+    int i;
+    uint32_t X, Y, T, *SK;
+
+    SK = ctx->sk;
+
+    GET_UINT32_BE( X, input, 0 );
+    GET_UINT32_BE( Y, input, 4 );
+
+    DES_IP( X, Y );
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    DES_FP( Y, X );
+
+    PUT_UINT32_BE( Y, output, 0 );
+    PUT_UINT32_BE( X, output, 4 );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
+                    int mode,
+                    size_t length,
+                    unsigned char iv[8],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_DES_ENCRYPT )
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_des_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else /* MBEDTLS_DES_DECRYPT */
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_des_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * 3DES-ECB block encryption/decryption
+ */
+#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
+                     const unsigned char input[8],
+                     unsigned char output[8] )
+{
+    int i;
+    uint32_t X, Y, T, *SK;
+
+    SK = ctx->sk;
+
+    GET_UINT32_BE( X, input, 0 );
+    GET_UINT32_BE( Y, input, 4 );
+
+    DES_IP( X, Y );
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( X, Y );
+        DES_ROUND( Y, X );
+    }
+
+    for( i = 0; i < 8; i++ )
+    {
+        DES_ROUND( Y, X );
+        DES_ROUND( X, Y );
+    }
+
+    DES_FP( Y, X );
+
+    PUT_UINT32_BE( Y, output, 0 );
+    PUT_UINT32_BE( X, output, 4 );
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * 3DES-CBC buffer encryption/decryption
+ */
+int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
+                     int mode,
+                     size_t length,
+                     unsigned char iv[8],
+                     const unsigned char *input,
+                     unsigned char *output )
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_DES_ENCRYPT )
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_des3_crypt_ecb( ctx, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else /* MBEDTLS_DES_DECRYPT */
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_des3_crypt_ecb( ctx, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#endif /* !MBEDTLS_DES_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * DES and 3DES test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
+ */
+static const unsigned char des3_test_keys[24] =
+{
+    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
+    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
+    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
+};
+
+static const unsigned char des3_test_buf[8] =
+{
+    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
+};
+
+static const unsigned char des3_test_ecb_dec[3][8] =
+{
+    { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
+    { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
+    { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
+};
+
+static const unsigned char des3_test_ecb_enc[3][8] =
+{
+    { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
+    { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
+    { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
+};
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+static const unsigned char des3_test_iv[8] =
+{
+    0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
+};
+
+static const unsigned char des3_test_cbc_dec[3][8] =
+{
+    { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
+    { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
+    { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
+};
+
+static const unsigned char des3_test_cbc_enc[3][8] =
+{
+    { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
+    { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
+    { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
+};
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_des_self_test( int verbose )
+{
+    int i, j, u, v, ret = 0;
+    mbedtls_des_context ctx;
+    mbedtls_des3_context ctx3;
+    unsigned char buf[8];
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    unsigned char prv[8];
+    unsigned char iv[8];
+#endif
+
+    mbedtls_des_init( &ctx );
+    mbedtls_des3_init( &ctx3 );
+    /*
+     * ECB mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  DES%c-ECB-%3d (%s): ",
+                             ( u == 0 ) ? ' ' : '3', 56 + u * 56,
+                             ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( buf, des3_test_buf, 8 );
+
+        switch( i )
+        {
+        case 0:
+            mbedtls_des_setkey_dec( &ctx, des3_test_keys );
+            break;
+
+        case 1:
+            mbedtls_des_setkey_enc( &ctx, des3_test_keys );
+            break;
+
+        case 2:
+            mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 3:
+            mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
+            break;
+
+        case 4:
+            mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 5:
+            mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
+            break;
+
+        default:
+            return( 1 );
+        }
+
+        for( j = 0; j < 10000; j++ )
+        {
+            if( u == 0 )
+                mbedtls_des_crypt_ecb( &ctx, buf, buf );
+            else
+                mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
+        }
+
+        if( ( v == MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
+            ( v != MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    /*
+     * CBC mode
+     */
+    for( i = 0; i < 6; i++ )
+    {
+        u = i >> 1;
+        v = i  & 1;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  DES%c-CBC-%3d (%s): ",
+                             ( u == 0 ) ? ' ' : '3', 56 + u * 56,
+                             ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
+
+        memcpy( iv,  des3_test_iv,  8 );
+        memcpy( prv, des3_test_iv,  8 );
+        memcpy( buf, des3_test_buf, 8 );
+
+        switch( i )
+        {
+        case 0:
+            mbedtls_des_setkey_dec( &ctx, des3_test_keys );
+            break;
+
+        case 1:
+            mbedtls_des_setkey_enc( &ctx, des3_test_keys );
+            break;
+
+        case 2:
+            mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 3:
+            mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
+            break;
+
+        case 4:
+            mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
+            break;
+
+        case 5:
+            mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
+            break;
+
+        default:
+            return( 1 );
+        }
+
+        if( v == MBEDTLS_DES_DECRYPT )
+        {
+            for( j = 0; j < 10000; j++ )
+            {
+                if( u == 0 )
+                    mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
+                else
+                    mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
+            }
+        }
+        else
+        {
+            for( j = 0; j < 10000; j++ )
+            {
+                unsigned char tmp[8];
+
+                if( u == 0 )
+                    mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
+                else
+                    mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
+
+                memcpy( tmp, prv, 8 );
+                memcpy( prv, buf, 8 );
+                memcpy( buf, tmp, 8 );
+            }
+
+            memcpy( buf, prv, 8 );
+        }
+
+        if( ( v == MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
+            ( v != MBEDTLS_DES_DECRYPT &&
+                memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_des_free( &ctx );
+    mbedtls_des3_free( &ctx3 );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DES_C */
diff --git a/makerom/deps/libmbedtls/src/dhm.c b/makerom/deps/libmbedtls/src/dhm.c
new file mode 100644
index 00000000..8255632a
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/dhm.c
@@ -0,0 +1,712 @@
+/*
+ *  Diffie-Hellman-Merkle key exchange
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The following sources were referenced in the design of this implementation
+ *  of the Diffie-Hellman-Merkle algorithm:
+ *
+ *  [1] Handbook of Applied Cryptography - 1997, Chapter 12
+ *      Menezes, van Oorschot and Vanstone
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+
+#include "mbedtls/dhm.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if !defined(MBEDTLS_DHM_ALT)
+
+#define DHM_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_DHM_BAD_INPUT_DATA )
+#define DHM_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * helper to validate the mbedtls_mpi size and import it
+ */
+static int dhm_read_bignum( mbedtls_mpi *X,
+                            unsigned char **p,
+                            const unsigned char *end )
+{
+    int ret, n;
+
+    if( end - *p < 2 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    (*p) += 2;
+
+    if( (int)( end - *p ) < n )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_mpi_read_binary( X, *p, n ) ) != 0 )
+        return( MBEDTLS_ERR_DHM_READ_PARAMS_FAILED + ret );
+
+    (*p) += n;
+
+    return( 0 );
+}
+
+/*
+ * Verify sanity of parameter with regards to P
+ *
+ * Parameter should be: 2 <= public_param <= P - 2
+ *
+ * This means that we need to return an error if
+ *              public_param < 2 or public_param > P-2
+ *
+ * For more information on the attack, see:
+ *  http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
+ *  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
+ */
+static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P )
+{
+    mbedtls_mpi L, U;
+    int ret = 0;
+
+    mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) );
+
+    if( mbedtls_mpi_cmp_mpi( param, &L ) < 0 ||
+        mbedtls_mpi_cmp_mpi( param, &U ) > 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
+    }
+
+cleanup:
+    mbedtls_mpi_free( &L ); mbedtls_mpi_free( &U );
+    return( ret );
+}
+
+void mbedtls_dhm_init( mbedtls_dhm_context *ctx )
+{
+    DHM_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_dhm_context ) );
+}
+
+/*
+ * Parse the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
+                     unsigned char **p,
+                     const unsigned char *end )
+{
+    int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( p != NULL && *p != NULL );
+    DHM_VALIDATE_RET( end != NULL );
+
+    if( ( ret = dhm_read_bignum( &ctx->P,  p, end ) ) != 0 ||
+        ( ret = dhm_read_bignum( &ctx->G,  p, end ) ) != 0 ||
+        ( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
+        return( ret );
+
+    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+        return( ret );
+
+    ctx->len = mbedtls_mpi_size( &ctx->P );
+
+    return( 0 );
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret, count = 0;
+    size_t n1, n2, n3;
+    unsigned char *p;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( olen != NULL );
+    DHM_VALIDATE_RET( f_rng != NULL );
+
+    if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    /*
+     * Generate X as large as possible ( < P )
+     */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED );
+    }
+    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
+
+    /*
+     * Calculate GX = G^X mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
+                          &ctx->P , &ctx->RP ) );
+
+    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+        return( ret );
+
+    /*
+     * export P, G, GX
+     */
+#define DHM_MPI_EXPORT( X, n )                                          \
+    do {                                                                \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ),               \
+                                                   p + 2,               \
+                                                   ( n ) ) );           \
+        *p++ = (unsigned char)( ( n ) >> 8 );                           \
+        *p++ = (unsigned char)( ( n )      );                           \
+        p += ( n );                                                     \
+    } while( 0 )
+
+    n1 = mbedtls_mpi_size( &ctx->P  );
+    n2 = mbedtls_mpi_size( &ctx->G  );
+    n3 = mbedtls_mpi_size( &ctx->GX );
+
+    p = output;
+    DHM_MPI_EXPORT( &ctx->P , n1 );
+    DHM_MPI_EXPORT( &ctx->G , n2 );
+    DHM_MPI_EXPORT( &ctx->GX, n3 );
+
+    *olen = p - output;
+
+    ctx->len = n1;
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Set prime modulus and generator
+ */
+int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx,
+                           const mbedtls_mpi *P,
+                           const mbedtls_mpi *G )
+{
+    int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( P != NULL );
+    DHM_VALIDATE_RET( G != NULL );
+
+    if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret );
+    }
+
+    ctx->len = mbedtls_mpi_size( &ctx->P );
+    return( 0 );
+}
+
+/*
+ * Import the peer's public value G^Y
+ */
+int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
+                     const unsigned char *input, size_t ilen )
+{
+    int ret;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( input != NULL );
+
+    if( ilen < 1 || ilen > ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
+        return( MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Create own private value X and export G^X
+ */
+int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
+                     unsigned char *output, size_t olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret, count = 0;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( f_rng != NULL );
+
+    if( olen < 1 || olen > ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    /*
+     * generate X and calculate GX = G^X mod P
+     */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED );
+    }
+    while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
+                          &ctx->P , &ctx->RP ) );
+
+    if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+        return( ret );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->GX, output, olen ) );
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Use the blinding method and optimisation suggested in section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int dhm_update_blinding( mbedtls_dhm_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret, count;
+
+    /*
+     * Don't use any blinding the first time a particular X is used,
+     * but remember it to use blinding next time.
+     */
+    if( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &ctx->pX, &ctx->X ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vi, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->Vf, 1 ) );
+
+        return( 0 );
+    }
+
+    /*
+     * Ok, we need blinding. Can we re-use existing values?
+     * If yes, just update them by squaring them.
+     */
+    if( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->P ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+
+        return( 0 );
+    }
+
+    /*
+     * We need to generate blinding values from scratch
+     */
+
+    /* Vi = random( 2, P-1 ) */
+    count = 0;
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+    }
+    while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
+
+    /* Vf = Vi^-X mod P */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Derive and export the shared secret (G^Y)^X mod P
+ */
+int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx,
+                     unsigned char *output, size_t output_size, size_t *olen,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    mbedtls_mpi GYb;
+    DHM_VALIDATE_RET( ctx != NULL );
+    DHM_VALIDATE_RET( output != NULL );
+    DHM_VALIDATE_RET( olen != NULL );
+
+    if( output_size < ctx->len )
+        return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+
+    if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+        return( ret );
+
+    mbedtls_mpi_init( &GYb );
+
+    /* Blind peer's value */
+    if( f_rng != NULL )
+    {
+        MBEDTLS_MPI_CHK( dhm_update_blinding( ctx, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &GYb, &ctx->GY, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &GYb, &GYb, &ctx->P ) );
+    }
+    else
+        MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &GYb, &ctx->GY ) );
+
+    /* Do modular exponentiation */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->K, &GYb, &ctx->X,
+                          &ctx->P, &ctx->RP ) );
+
+    /* Unblind secret value */
+    if( f_rng != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->K, &ctx->K, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
+    }
+
+    *olen = mbedtls_mpi_size( &ctx->K );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
+
+cleanup:
+    mbedtls_mpi_free( &GYb );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_DHM_CALC_SECRET_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Free the components of a DHM key
+ */
+void mbedtls_dhm_free( mbedtls_dhm_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->pX );
+    mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->Vi );
+    mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->K  );
+    mbedtls_mpi_free( &ctx->GY );
+    mbedtls_mpi_free( &ctx->GX );
+    mbedtls_mpi_free( &ctx->X  );
+    mbedtls_mpi_free( &ctx->G  );
+    mbedtls_mpi_free( &ctx->P  );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_dhm_context ) );
+}
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+/*
+ * Parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin,
+                   size_t dhminlen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end;
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_context pem;
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+    DHM_VALIDATE_RET( dhm != NULL );
+    DHM_VALIDATE_RET( dhmin != NULL );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_init( &pem );
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( dhminlen == 0 || dhmin[dhminlen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN DH PARAMETERS-----",
+                               "-----END DH PARAMETERS-----",
+                               dhmin, NULL, 0, &dhminlen );
+
+    if( ret == 0 )
+    {
+        /*
+         * Was PEM encoded
+         */
+        dhminlen = pem.buflen;
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        goto exit;
+
+    p = ( ret == 0 ) ? pem.buf : (unsigned char *) dhmin;
+#else
+    p = (unsigned char *) dhmin;
+#endif /* MBEDTLS_PEM_PARSE_C */
+    end = p + dhminlen;
+
+    /*
+     *  DHParams ::= SEQUENCE {
+     *      prime              INTEGER,  -- P
+     *      generator          INTEGER,  -- g
+     *      privateValueLength INTEGER OPTIONAL
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->P  ) ) != 0 ||
+        ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+        goto exit;
+    }
+
+    if( p != end )
+    {
+        /* This might be the optional privateValueLength.
+         * If so, we can cleanly discard it */
+        mbedtls_mpi rec;
+        mbedtls_mpi_init( &rec );
+        ret = mbedtls_asn1_get_mpi( &p, end, &rec );
+        mbedtls_mpi_free( &rec );
+        if ( ret != 0 )
+        {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+            goto exit;
+        }
+        if ( p != end )
+        {
+            ret = MBEDTLS_ERR_DHM_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+            goto exit;
+        }
+    }
+
+    ret = 0;
+
+    dhm->len = mbedtls_mpi_size( &dhm->P );
+
+exit:
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_free( &pem );
+#endif
+    if( ret != 0 )
+        mbedtls_dhm_free( dhm );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+static int load_file( const char *path, unsigned char **buf, size_t *n )
+{
+    FILE *f;
+    long size;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    if( ( size = ftell( f ) ) == -1 )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+    }
+    fseek( f, 0, SEEK_SET );
+
+    *n = (size_t) size;
+
+    if( *n + 1 == 0 ||
+        ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_DHM_ALLOC_FAILED );
+    }
+
+    if( fread( *buf, 1, *n, f ) != *n )
+    {
+        fclose( f );
+
+        mbedtls_platform_zeroize( *buf, *n + 1 );
+        mbedtls_free( *buf );
+
+        return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );
+    }
+
+    fclose( f );
+
+    (*buf)[*n] = '\0';
+
+    if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
+        ++*n;
+
+    return( 0 );
+}
+
+/*
+ * Load and parse DHM parameters
+ */
+int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+    DHM_VALIDATE_RET( dhm != NULL );
+    DHM_VALIDATE_RET( path != NULL );
+
+    if( ( ret = load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_dhm_parse_dhm( dhm, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#endif /* MBEDTLS_DHM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+static const char mbedtls_test_dhm_params[] =
+"-----BEGIN DH PARAMETERS-----\r\n"
+"MIGHAoGBAJ419DBEOgmQTzo5qXl5fQcN9TN455wkOL7052HzxxRVMyhYmwQcgJvh\r\n"
+"1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n"
+"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
+"-----END DH PARAMETERS-----\r\n";
+#else /* MBEDTLS_PEM_PARSE_C */
+static const char mbedtls_test_dhm_params[] = {
+  0x30, 0x81, 0x87, 0x02, 0x81, 0x81, 0x00, 0x9e, 0x35, 0xf4, 0x30, 0x44,
+  0x3a, 0x09, 0x90, 0x4f, 0x3a, 0x39, 0xa9, 0x79, 0x79, 0x7d, 0x07, 0x0d,
+  0xf5, 0x33, 0x78, 0xe7, 0x9c, 0x24, 0x38, 0xbe, 0xf4, 0xe7, 0x61, 0xf3,
+  0xc7, 0x14, 0x55, 0x33, 0x28, 0x58, 0x9b, 0x04, 0x1c, 0x80, 0x9b, 0xe1,
+  0xd6, 0xc6, 0xb5, 0xf1, 0xfc, 0x9f, 0x47, 0xd3, 0xa2, 0x54, 0x43, 0x18,
+  0x82, 0x53, 0xa9, 0x92, 0xa5, 0x68, 0x18, 0xb3, 0x7b, 0xa9, 0xde, 0x5a,
+  0x40, 0xd3, 0x62, 0xe5, 0x6e, 0xff, 0x0b, 0xe5, 0x41, 0x74, 0x74, 0xc1,
+  0x25, 0xc1, 0x99, 0x27, 0x2c, 0x8f, 0xe4, 0x1d, 0xea, 0x73, 0x3d, 0xf6,
+  0xf6, 0x62, 0xc9, 0x2a, 0xe7, 0x65, 0x56, 0xe7, 0x55, 0xd1, 0x0c, 0x64,
+  0xe6, 0xa5, 0x09, 0x68, 0xf6, 0x7f, 0xc6, 0xea, 0x73, 0xd0, 0xdc, 0xa8,
+  0x56, 0x9b, 0xe2, 0xba, 0x20, 0x4e, 0x23, 0x58, 0x0d, 0x8b, 0xca, 0x2f,
+  0x49, 0x75, 0xb3, 0x02, 0x01, 0x02 };
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+static const size_t mbedtls_test_dhm_params_len = sizeof( mbedtls_test_dhm_params );
+
+/*
+ * Checkup routine
+ */
+int mbedtls_dhm_self_test( int verbose )
+{
+    int ret;
+    mbedtls_dhm_context dhm;
+
+    mbedtls_dhm_init( &dhm );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  DHM parameter load: " );
+
+    if( ( ret = mbedtls_dhm_parse_dhm( &dhm,
+                    (const unsigned char *) mbedtls_test_dhm_params,
+                    mbedtls_test_dhm_params_len ) ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto exit;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n" );
+
+exit:
+    mbedtls_dhm_free( &dhm );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_DHM_C */
diff --git a/makerom/deps/libmbedtls/src/ecdh.c b/makerom/deps/libmbedtls/src/ecdh.c
new file mode 100644
index 00000000..c5726877
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ecdh.c
@@ -0,0 +1,676 @@
+/*
+ *  Elliptic curve Diffie-Hellman
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * RFC 4492
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECDH_C)
+
+#include "mbedtls/ecdh.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/* Parameter validation macros based on platform_util.h */
+#define ECDH_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDH_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+typedef mbedtls_ecdh_context mbedtls_ecdh_context_mbed;
+#endif
+
+static mbedtls_ecp_group_id mbedtls_ecdh_grp_id(
+    const mbedtls_ecdh_context *ctx )
+{
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ctx->grp.id );
+#else
+    return( ctx->grp_id );
+#endif
+}
+
+#if !defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+/*
+ * Generate public key (restartable version)
+ *
+ * Note: this internal function relies on its caller preserving the value of
+ * the output parameter 'd' across continuation calls. This would not be
+ * acceptable for a public function but is OK here as we control call sites.
+ */
+static int ecdh_gen_public_restartable( mbedtls_ecp_group *grp,
+                    mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+
+    /* If multiplication is in progress, we already generated a privkey */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx == NULL || rs_ctx->rsm == NULL )
+#endif
+        MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, Q, d, &grp->G,
+                                                  f_rng, p_rng, rs_ctx ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate public key
+ */
+int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    ECDH_VALIDATE_RET( grp != NULL );
+    ECDH_VALIDATE_RET( d != NULL );
+    ECDH_VALIDATE_RET( Q != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+    return( ecdh_gen_public_restartable( grp, d, Q, f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+
+#if !defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+static int ecdh_compute_shared_restartable( mbedtls_ecp_group *grp,
+                         mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_ecp_point P;
+
+    mbedtls_ecp_point_init( &P );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &P, d, Q,
+                                                  f_rng, p_rng, rs_ctx ) );
+
+    if( mbedtls_ecp_is_zero( &P ) )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( z, &P.X ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &P );
+
+    return( ret );
+}
+
+/*
+ * Compute shared secret (SEC1 3.3.1)
+ */
+int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z,
+                         const mbedtls_ecp_point *Q, const mbedtls_mpi *d,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng )
+{
+    ECDH_VALIDATE_RET( grp != NULL );
+    ECDH_VALIDATE_RET( Q != NULL );
+    ECDH_VALIDATE_RET( d != NULL );
+    ECDH_VALIDATE_RET( z != NULL );
+    return( ecdh_compute_shared_restartable( grp, z, Q, d,
+                                             f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+
+static void ecdh_init_internal( mbedtls_ecdh_context_mbed *ctx )
+{
+    mbedtls_ecp_group_init( &ctx->grp );
+    mbedtls_mpi_init( &ctx->d  );
+    mbedtls_ecp_point_init( &ctx->Q   );
+    mbedtls_ecp_point_init( &ctx->Qp  );
+    mbedtls_mpi_init( &ctx->z  );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_init( &ctx->rs );
+#endif
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx )
+{
+    ECDH_VALIDATE( ctx != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    ecdh_init_internal( ctx );
+    mbedtls_ecp_point_init( &ctx->Vi  );
+    mbedtls_ecp_point_init( &ctx->Vf  );
+    mbedtls_mpi_init( &ctx->_d );
+#else
+    memset( ctx, 0, sizeof( mbedtls_ecdh_context ) );
+
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+#endif
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ctx->restart_enabled = 0;
+#endif
+}
+
+static int ecdh_setup_internal( mbedtls_ecdh_context_mbed *ctx,
+                                mbedtls_ecp_group_id grp_id )
+{
+    int ret;
+
+    ret = mbedtls_ecp_group_load( &ctx->grp, grp_id );
+    if( ret != 0 )
+    {
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecdh_setup( mbedtls_ecdh_context *ctx, mbedtls_ecp_group_id grp_id )
+{
+    ECDH_VALIDATE_RET( ctx != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_setup_internal( ctx, grp_id ) );
+#else
+    switch( grp_id )
+    {
+        default:
+            ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+            ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+            ctx->grp_id = grp_id;
+            ecdh_init_internal( &ctx->ctx.mbed_ecdh );
+            return( ecdh_setup_internal( &ctx->ctx.mbed_ecdh, grp_id ) );
+    }
+#endif
+}
+
+static void ecdh_free_internal( mbedtls_ecdh_context_mbed *ctx )
+{
+    mbedtls_ecp_group_free( &ctx->grp );
+    mbedtls_mpi_free( &ctx->d  );
+    mbedtls_ecp_point_free( &ctx->Q   );
+    mbedtls_ecp_point_free( &ctx->Qp  );
+    mbedtls_mpi_free( &ctx->z  );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_free( &ctx->rs );
+#endif
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Enable restartable operations for context
+ */
+void mbedtls_ecdh_enable_restart( mbedtls_ecdh_context *ctx )
+{
+    ECDH_VALIDATE( ctx != NULL );
+
+    ctx->restart_enabled = 1;
+}
+#endif
+
+/*
+ * Free context
+ */
+void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    mbedtls_ecp_point_free( &ctx->Vi );
+    mbedtls_ecp_point_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->_d );
+    ecdh_free_internal( ctx );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            ecdh_free_internal( &ctx->ctx.mbed_ecdh );
+            break;
+        default:
+            break;
+    }
+
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+    ctx->var = MBEDTLS_ECDH_VARIANT_NONE;
+    ctx->grp_id = MBEDTLS_ECP_DP_NONE;
+#endif
+}
+
+static int ecdh_make_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, int point_format,
+                                      unsigned char *buf, size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
+{
+    int ret;
+    size_t grp_len, pt_len;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if( ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_gen_public_restartable( &ctx->grp, &ctx->d, &ctx->Q,
+                                             f_rng, p_rng, rs_ctx ) ) != 0 )
+        return( ret );
+#else
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q,
+                                         f_rng, p_rng ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    if( ( ret = mbedtls_ecp_tls_write_group( &ctx->grp, &grp_len, buf,
+                                             blen ) ) != 0 )
+        return( ret );
+
+    buf += grp_len;
+    blen -= grp_len;
+
+    if( ( ret = mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, point_format,
+                                             &pt_len, buf, blen ) ) != 0 )
+        return( ret );
+
+    *olen = grp_len + pt_len;
+    return( 0 );
+}
+
+/*
+ * Setup and write the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_make_params_internal( ctx, olen, ctx->point_format, buf, blen,
+                                       f_rng, p_rng, restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_make_params_internal( &ctx->ctx.mbed_ecdh, olen,
+                                               ctx->point_format, buf, blen,
+                                               f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_read_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      const unsigned char **buf,
+                                      const unsigned char *end )
+{
+    return( mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, buf,
+                                        end - *buf ) );
+}
+
+/*
+ * Read the ServerKeyExhange parameters (RFC 4492)
+ *      struct {
+ *          ECParameters    curve_params;
+ *          ECPoint         public;
+ *      } ServerECDHParams;
+ */
+int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx,
+                              const unsigned char **buf,
+                              const unsigned char *end )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( *buf != NULL );
+    ECDH_VALIDATE_RET( end != NULL );
+
+    if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, end - *buf ) )
+            != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_ecdh_setup( ctx, grp_id ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_read_params_internal( ctx, buf, end ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_read_params_internal( &ctx->ctx.mbed_ecdh,
+                                               buf, end ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_get_params_internal( mbedtls_ecdh_context_mbed *ctx,
+                                     const mbedtls_ecp_keypair *key,
+                                     mbedtls_ecdh_side side )
+{
+    int ret;
+
+    /* If it's not our key, just import the public part as Qp */
+    if( side == MBEDTLS_ECDH_THEIRS )
+        return( mbedtls_ecp_copy( &ctx->Qp, &key->Q ) );
+
+    /* Our key: import public (as Q) and private parts */
+    if( side != MBEDTLS_ECDH_OURS )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Get parameters from a keypair
+ */
+int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx,
+                             const mbedtls_ecp_keypair *key,
+                             mbedtls_ecdh_side side )
+{
+    int ret;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( key != NULL );
+    ECDH_VALIDATE_RET( side == MBEDTLS_ECDH_OURS ||
+                       side == MBEDTLS_ECDH_THEIRS );
+
+    if( mbedtls_ecdh_grp_id( ctx ) == MBEDTLS_ECP_DP_NONE )
+    {
+        /* This is the first call to get_params(). Set up the context
+         * for use with the group. */
+        if( ( ret = mbedtls_ecdh_setup( ctx, key->grp.id ) ) != 0 )
+            return( ret );
+    }
+    else
+    {
+        /* This is not the first call to get_params(). Check that the
+         * current key's group is the same as the context's, which was set
+         * from the first key's group. */
+        if( mbedtls_ecdh_grp_id( ctx ) != key->grp.id )
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_get_params_internal( ctx, key, side ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_get_params_internal( &ctx->ctx.mbed_ecdh,
+                                              key, side ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_make_public_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, int point_format,
+                                      unsigned char *buf, size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
+{
+    int ret;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if( ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_gen_public_restartable( &ctx->grp, &ctx->d, &ctx->Q,
+                                             f_rng, p_rng, rs_ctx ) ) != 0 )
+        return( ret );
+#else
+    if( ( ret = mbedtls_ecdh_gen_public( &ctx->grp, &ctx->d, &ctx->Q,
+                                         f_rng, p_rng ) ) != 0 )
+        return( ret );
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    return mbedtls_ecp_tls_write_point( &ctx->grp, &ctx->Q, point_format, olen,
+                                        buf, blen );
+}
+
+/*
+ * Setup and export the client public value
+ */
+int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+    ECDH_VALIDATE_RET( f_rng != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_make_public_internal( ctx, olen, ctx->point_format, buf, blen,
+                                       f_rng, p_rng, restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_make_public_internal( &ctx->ctx.mbed_ecdh, olen,
+                                               ctx->point_format, buf, blen,
+                                               f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_read_public_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      const unsigned char *buf, size_t blen )
+{
+    int ret;
+    const unsigned char *p = buf;
+
+    if( ( ret = mbedtls_ecp_tls_read_point( &ctx->grp, &ctx->Qp, &p,
+                                            blen ) ) != 0 )
+        return( ret );
+
+    if( (size_t)( p - buf ) != blen )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+/*
+ * Parse and import the client's public value
+ */
+int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx,
+                              const unsigned char *buf, size_t blen )
+{
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_read_public_internal( ctx, buf, blen ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_read_public_internal( &ctx->ctx.mbed_ecdh,
+                                                       buf, blen ) );
+        default:
+            return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    }
+#endif
+}
+
+static int ecdh_calc_secret_internal( mbedtls_ecdh_context_mbed *ctx,
+                                      size_t *olen, unsigned char *buf,
+                                      size_t blen,
+                                      int (*f_rng)(void *,
+                                                   unsigned char *,
+                                                   size_t),
+                                      void *p_rng,
+                                      int restart_enabled )
+{
+    int ret;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    mbedtls_ecp_restart_ctx *rs_ctx = NULL;
+#endif
+
+    if( ctx == NULL || ctx->grp.pbits == 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( restart_enabled )
+        rs_ctx = &ctx->rs;
+#else
+    (void) restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ( ret = ecdh_compute_shared_restartable( &ctx->grp, &ctx->z, &ctx->Qp,
+                                                 &ctx->d, f_rng, p_rng,
+                                                 rs_ctx ) ) != 0 )
+    {
+        return( ret );
+    }
+#else
+    if( ( ret = mbedtls_ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp,
+                                             &ctx->d, f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    if( mbedtls_mpi_size( &ctx->z ) > blen )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    *olen = ctx->grp.pbits / 8 + ( ( ctx->grp.pbits % 8 ) != 0 );
+    return mbedtls_mpi_write_binary( &ctx->z, buf, *olen );
+}
+
+/*
+ * Derive and export the shared secret
+ */
+int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen,
+                              unsigned char *buf, size_t blen,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int restart_enabled = 0;
+    ECDH_VALIDATE_RET( ctx != NULL );
+    ECDH_VALIDATE_RET( olen != NULL );
+    ECDH_VALIDATE_RET( buf != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    restart_enabled = ctx->restart_enabled;
+#endif
+
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    return( ecdh_calc_secret_internal( ctx, olen, buf, blen, f_rng, p_rng,
+                                       restart_enabled ) );
+#else
+    switch( ctx->var )
+    {
+        case MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0:
+            return( ecdh_calc_secret_internal( &ctx->ctx.mbed_ecdh, olen, buf,
+                                               blen, f_rng, p_rng,
+                                               restart_enabled ) );
+        default:
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+#endif
+}
+
+#endif /* MBEDTLS_ECDH_C */
diff --git a/makerom/deps/libmbedtls/src/ecdsa.c b/makerom/deps/libmbedtls/src/ecdsa.c
new file mode 100644
index 00000000..6b72e0d9
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ecdsa.c
@@ -0,0 +1,991 @@
+/*
+ *  Elliptic curve DSA
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+
+#include "mbedtls/ecdsa.h"
+#include "mbedtls/asn1write.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include "mbedtls/platform_util.h"
+
+/* Parameter validation macros based on platform_util.h */
+#define ECDSA_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECDSA_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+/*
+ * Sub-context for ecdsa_verify()
+ */
+struct mbedtls_ecdsa_restart_ver
+{
+    mbedtls_mpi u1, u2;     /* intermediate values  */
+    enum {                  /* what to do next?     */
+        ecdsa_ver_init = 0, /* getting started      */
+        ecdsa_ver_muladd,   /* muladd step          */
+    } state;
+};
+
+/*
+ * Init verify restart sub-context
+ */
+static void ecdsa_restart_ver_init( mbedtls_ecdsa_restart_ver_ctx *ctx )
+{
+    mbedtls_mpi_init( &ctx->u1 );
+    mbedtls_mpi_init( &ctx->u2 );
+    ctx->state = ecdsa_ver_init;
+}
+
+/*
+ * Free the components of a verify restart sub-context
+ */
+static void ecdsa_restart_ver_free( mbedtls_ecdsa_restart_ver_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->u1 );
+    mbedtls_mpi_free( &ctx->u2 );
+
+    ecdsa_restart_ver_init( ctx );
+}
+
+/*
+ * Sub-context for ecdsa_sign()
+ */
+struct mbedtls_ecdsa_restart_sig
+{
+    int sign_tries;
+    int key_tries;
+    mbedtls_mpi k;          /* per-signature random */
+    mbedtls_mpi r;          /* r value              */
+    enum {                  /* what to do next?     */
+        ecdsa_sig_init = 0, /* getting started      */
+        ecdsa_sig_mul,      /* doing ecp_mul()      */
+        ecdsa_sig_modn,     /* mod N computations   */
+    } state;
+};
+
+/*
+ * Init verify sign sub-context
+ */
+static void ecdsa_restart_sig_init( mbedtls_ecdsa_restart_sig_ctx *ctx )
+{
+    ctx->sign_tries = 0;
+    ctx->key_tries = 0;
+    mbedtls_mpi_init( &ctx->k );
+    mbedtls_mpi_init( &ctx->r );
+    ctx->state = ecdsa_sig_init;
+}
+
+/*
+ * Free the components of a sign restart sub-context
+ */
+static void ecdsa_restart_sig_free( mbedtls_ecdsa_restart_sig_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->k );
+    mbedtls_mpi_free( &ctx->r );
+}
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Sub-context for ecdsa_sign_det()
+ */
+struct mbedtls_ecdsa_restart_det
+{
+    mbedtls_hmac_drbg_context rng_ctx;  /* DRBG state   */
+    enum {                      /* what to do next?     */
+        ecdsa_det_init = 0,     /* getting started      */
+        ecdsa_det_sign,         /* make signature       */
+    } state;
+};
+
+/*
+ * Init verify sign_det sub-context
+ */
+static void ecdsa_restart_det_init( mbedtls_ecdsa_restart_det_ctx *ctx )
+{
+    mbedtls_hmac_drbg_init( &ctx->rng_ctx );
+    ctx->state = ecdsa_det_init;
+}
+
+/*
+ * Free the components of a sign_det restart sub-context
+ */
+static void ecdsa_restart_det_free( mbedtls_ecdsa_restart_det_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_hmac_drbg_free( &ctx->rng_ctx );
+
+    ecdsa_restart_det_init( ctx );
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#define ECDSA_RS_ECP    ( rs_ctx == NULL ? NULL : &rs_ctx->ecp )
+
+/* Utility macro for checking and updating ops budget */
+#define ECDSA_BUDGET( ops )   \
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, ECDSA_RS_ECP, ops ) );
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECDSA_RS_ENTER( SUB )   do {                                 \
+    /* reset ops count for this call if top-level */                 \
+    if( rs_ctx != NULL && rs_ctx->ecp.depth++ == 0 )                 \
+        rs_ctx->ecp.ops_done = 0;                                    \
+                                                                     \
+    /* set up our own sub-context if needed */                       \
+    if( mbedtls_ecp_restart_is_enabled() &&                          \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                      \
+    {                                                                \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );   \
+        if( rs_ctx->SUB == NULL )                                    \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                  \
+                                                                     \
+        ecdsa_restart_## SUB ##_init( rs_ctx->SUB );                 \
+    }                                                                \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECDSA_RS_LEAVE( SUB )   do {                                 \
+    /* clear our sub-context when not in progress (done or error) */ \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                     \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                         \
+    {                                                                \
+        ecdsa_restart_## SUB ##_free( rs_ctx->SUB );                 \
+        mbedtls_free( rs_ctx->SUB );                                 \
+        rs_ctx->SUB = NULL;                                          \
+    }                                                                \
+                                                                     \
+    if( rs_ctx != NULL )                                             \
+        rs_ctx->ecp.depth--;                                         \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECDSA_RS_ECP    NULL
+
+#define ECDSA_BUDGET( ops )   /* no-op; for compatibility */
+
+#define ECDSA_RS_ENTER( SUB )   (void) rs_ctx
+#define ECDSA_RS_LEAVE( SUB )   (void) rs_ctx
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Derive a suitable integer for group grp from a buffer of length len
+ * SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
+ */
+static int derive_mpi( const mbedtls_ecp_group *grp, mbedtls_mpi *x,
+                       const unsigned char *buf, size_t blen )
+{
+    int ret;
+    size_t n_size = ( grp->nbits + 7 ) / 8;
+    size_t use_size = blen > n_size ? n_size : blen;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( x, buf, use_size ) );
+    if( use_size * 8 > grp->nbits )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( x, use_size * 8 - grp->nbits ) );
+
+    /* While at it, reduce modulo N */
+    if( mbedtls_mpi_cmp_mpi( x, &grp->N ) >= 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( x, x, &grp->N ) );
+
+cleanup:
+    return( ret );
+}
+
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/*
+ * Compute ECDSA signature of a hashed message (SEC1 4.1.3)
+ * Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
+ */
+static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
+                mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                int (*f_rng_blind)(void *, unsigned char *, size_t),
+                void *p_rng_blind,
+                mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret, key_tries, sign_tries;
+    int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
+    mbedtls_ecp_point R;
+    mbedtls_mpi k, e, t;
+    mbedtls_mpi *pk = &k, *pr = r;
+
+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /* Make sure d is in range 1..n-1 */
+    if( mbedtls_mpi_cmp_int( d, 1 ) < 0 || mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    mbedtls_ecp_point_init( &R );
+    mbedtls_mpi_init( &k ); mbedtls_mpi_init( &e ); mbedtls_mpi_init( &t );
+
+    ECDSA_RS_ENTER( sig );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->sig != NULL )
+    {
+        /* redirect to our context */
+        p_sign_tries = &rs_ctx->sig->sign_tries;
+        p_key_tries = &rs_ctx->sig->key_tries;
+        pk = &rs_ctx->sig->k;
+        pr = &rs_ctx->sig->r;
+
+        /* jump to current step */
+        if( rs_ctx->sig->state == ecdsa_sig_mul )
+            goto mul;
+        if( rs_ctx->sig->state == ecdsa_sig_modn )
+            goto modn;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    *p_sign_tries = 0;
+    do
+    {
+        if( (*p_sign_tries)++ > 10 )
+        {
+            ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+            goto cleanup;
+        }
+
+        /*
+         * Steps 1-3: generate a suitable ephemeral keypair
+         * and set r = xR mod n
+         */
+        *p_key_tries = 0;
+        do
+        {
+            if( (*p_key_tries)++ > 10 )
+            {
+                ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+                goto cleanup;
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, pk, f_rng, p_rng ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+            if( rs_ctx != NULL && rs_ctx->sig != NULL )
+                rs_ctx->sig->state = ecdsa_sig_mul;
+
+mul:
+#endif
+            MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
+                                                          f_rng_blind,
+                                                          p_rng_blind,
+                                                          ECDSA_RS_ECP ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
+        }
+        while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && rs_ctx->sig != NULL )
+            rs_ctx->sig->state = ecdsa_sig_modn;
+
+modn:
+#endif
+        /*
+         * Accounting for everything up to the end of the loop
+         * (step 6, but checking now avoids saving e and t)
+         */
+        ECDSA_BUDGET( MBEDTLS_ECP_OPS_INV + 4 );
+
+        /*
+         * Step 5: derive MPI from hashed message
+         */
+        MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
+
+        /*
+         * Generate a random value to blind inv_mod in next step,
+         * avoiding a potential timing leak.
+         */
+        MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng_blind,
+                                                  p_rng_blind ) );
+
+        /*
+         * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, pr, d ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &e, &e, s ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &e, &e, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pk, pk, &t ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pk, pk, &grp->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( s, pk, &grp->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( s, s, &e ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( s, s, &grp->N ) );
+    }
+    while( mbedtls_mpi_cmp_int( s, 0 ) == 0 );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->sig != NULL )
+        mbedtls_mpi_copy( r, pr );
+#endif
+
+cleanup:
+    mbedtls_ecp_point_free( &R );
+    mbedtls_mpi_free( &k ); mbedtls_mpi_free( &e ); mbedtls_mpi_free( &t );
+
+    ECDSA_RS_LEAVE( sig );
+
+    return( ret );
+}
+
+/*
+ * Compute ECDSA signature of a hashed message
+ */
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( f_rng != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+
+    /* Use the same RNG for both blinding and ephemeral key generation */
+    return( ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                                    f_rng, p_rng, f_rng, p_rng, NULL ) );
+}
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+/*
+ * Deterministic signature wrapper
+ */
+static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp,
+                    mbedtls_mpi *r, mbedtls_mpi *s,
+                    const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                    mbedtls_md_type_t md_alg,
+                    int (*f_rng_blind)(void *, unsigned char *, size_t),
+                    void *p_rng_blind,
+                    mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_hmac_drbg_context rng_ctx;
+    mbedtls_hmac_drbg_context *p_rng = &rng_ctx;
+    unsigned char data[2 * MBEDTLS_ECP_MAX_BYTES];
+    size_t grp_len = ( grp->nbits + 7 ) / 8;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_mpi h;
+
+    if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &h );
+    mbedtls_hmac_drbg_init( &rng_ctx );
+
+    ECDSA_RS_ENTER( det );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->det != NULL )
+    {
+        /* redirect to our context */
+        p_rng = &rs_ctx->det->rng_ctx;
+
+        /* jump to current step */
+        if( rs_ctx->det->state == ecdsa_det_sign )
+            goto sign;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    /* Use private key and message hash (reduced) to initialize HMAC_DRBG */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, data, grp_len ) );
+    MBEDTLS_MPI_CHK( derive_mpi( grp, &h, buf, blen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, data + grp_len, grp_len ) );
+    mbedtls_hmac_drbg_seed_buf( p_rng, md_info, data, 2 * grp_len );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->det != NULL )
+        rs_ctx->det->state = ecdsa_det_sign;
+
+sign:
+#endif
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
+                              mbedtls_hmac_drbg_random, p_rng );
+#else
+    if( f_rng_blind != NULL )
+        ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                                      mbedtls_hmac_drbg_random, p_rng,
+                                      f_rng_blind, p_rng_blind, rs_ctx );
+    else
+    {
+        mbedtls_hmac_drbg_context *p_rng_blind_det;
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+        /*
+         * To avoid reusing rng_ctx and risking incorrect behavior we seed a
+         * second HMAC-DRBG with the same seed. We also apply a label to avoid
+         * reusing the bits of the ephemeral key for blinding and eliminate the
+         * risk that they leak this way.
+         */
+        const char* blind_label = "BLINDING CONTEXT";
+        mbedtls_hmac_drbg_context rng_ctx_blind;
+
+        mbedtls_hmac_drbg_init( &rng_ctx_blind );
+        p_rng_blind_det = &rng_ctx_blind;
+
+        mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info,
+                                    data, 2 * grp_len );
+        ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det,
+                                            (const unsigned char*) blind_label,
+                                            strlen( blind_label ) );
+        if( ret != 0 )
+        {
+            mbedtls_hmac_drbg_free( &rng_ctx_blind );
+            goto cleanup;
+        }
+#else
+        /*
+         * In the case of restartable computations we would either need to store
+         * the second RNG in the restart context too or set it up at every
+         * restart. The first option would penalize the correct application of
+         * the function and the second would defeat the purpose of the
+         * restartable feature.
+         *
+         * Therefore in this case we reuse the original RNG. This comes with the
+         * price that the resulting signature might not be a valid deterministic
+         * ECDSA signature with a very low probability (same magnitude as
+         * successfully guessing the private key). However even then it is still
+         * a valid ECDSA signature.
+         */
+        p_rng_blind_det = p_rng;
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+        /*
+         * Since the output of the RNGs is always the same for the same key and
+         * message, this limits the efficiency of blinding and leaks information
+         * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL
+         * won't be a valid value for f_rng_blind anymore. Therefore it should
+         * be checked by the caller and this branch and check can be removed.
+         */
+        ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+                                      mbedtls_hmac_drbg_random, p_rng,
+                                      mbedtls_hmac_drbg_random, p_rng_blind_det,
+                                      rs_ctx );
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+        mbedtls_hmac_drbg_free( &rng_ctx_blind );
+#endif
+    }
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+
+cleanup:
+    mbedtls_hmac_drbg_free( &rng_ctx );
+    mbedtls_mpi_free( &h );
+
+    ECDSA_RS_LEAVE( det );
+
+    return( ret );
+}
+
+/*
+ * Deterministic signature wrappers
+ */
+int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                            mbedtls_mpi *s, const mbedtls_mpi *d,
+                            const unsigned char *buf, size_t blen,
+                            mbedtls_md_type_t md_alg )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+
+    return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
+                                        NULL, NULL, NULL ) );
+}
+
+int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
+                                mbedtls_mpi *s, const mbedtls_mpi *d,
+                                const unsigned char *buf, size_t blen,
+                                mbedtls_md_type_t md_alg,
+                                int (*f_rng_blind)(void *, unsigned char *,
+                                                   size_t),
+                                void *p_rng_blind )
+{
+    ECDSA_VALIDATE_RET( grp   != NULL );
+    ECDSA_VALIDATE_RET( r     != NULL );
+    ECDSA_VALIDATE_RET( s     != NULL );
+    ECDSA_VALIDATE_RET( d     != NULL );
+    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
+    ECDSA_VALIDATE_RET( f_rng_blind != NULL );
+
+    return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
+                                        f_rng_blind, p_rng_blind, NULL ) );
+}
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/*
+ * Verify ECDSA signature of hashed message (SEC1 4.1.4)
+ * Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
+ */
+static int ecdsa_verify_restartable( mbedtls_ecp_group *grp,
+                                     const unsigned char *buf, size_t blen,
+                                     const mbedtls_ecp_point *Q,
+                                     const mbedtls_mpi *r, const mbedtls_mpi *s,
+                                     mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_mpi e, s_inv, u1, u2;
+    mbedtls_ecp_point R;
+    mbedtls_mpi *pu1 = &u1, *pu2 = &u2;
+
+    mbedtls_ecp_point_init( &R );
+    mbedtls_mpi_init( &e ); mbedtls_mpi_init( &s_inv );
+    mbedtls_mpi_init( &u1 ); mbedtls_mpi_init( &u2 );
+
+    /* Fail cleanly on curves such as Curve25519 that can't be used for ECDSA */
+    if( grp->N.p == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    ECDSA_RS_ENTER( ver );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ver != NULL )
+    {
+        /* redirect to our context */
+        pu1 = &rs_ctx->ver->u1;
+        pu2 = &rs_ctx->ver->u2;
+
+        /* jump to current step */
+        if( rs_ctx->ver->state == ecdsa_ver_muladd )
+            goto muladd;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    /*
+     * Step 1: make sure r and s are in range 1..n-1
+     */
+    if( mbedtls_mpi_cmp_int( r, 1 ) < 0 || mbedtls_mpi_cmp_mpi( r, &grp->N ) >= 0 ||
+        mbedtls_mpi_cmp_int( s, 1 ) < 0 || mbedtls_mpi_cmp_mpi( s, &grp->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    /*
+     * Step 3: derive MPI from hashed message
+     */
+    MBEDTLS_MPI_CHK( derive_mpi( grp, &e, buf, blen ) );
+
+    /*
+     * Step 4: u1 = e / s mod n, u2 = r / s mod n
+     */
+    ECDSA_BUDGET( MBEDTLS_ECP_OPS_CHK + MBEDTLS_ECP_OPS_INV + 2 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &s_inv, s, &grp->N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu1, &e, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu1, pu1, &grp->N ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( pu2, r, &s_inv ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pu2, pu2, &grp->N ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ver != NULL )
+        rs_ctx->ver->state = ecdsa_ver_muladd;
+
+muladd:
+#endif
+    /*
+     * Step 5: R = u1 G + u2 Q
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd_restartable( grp,
+                     &R, pu1, &grp->G, pu2, Q, ECDSA_RS_ECP ) );
+
+    if( mbedtls_ecp_is_zero( &R ) )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    /*
+     * Step 6: convert xR to an integer (no-op)
+     * Step 7: reduce xR mod n (gives v)
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &R.X, &R.X, &grp->N ) );
+
+    /*
+     * Step 8: check if v (that is, R.X) is equal to r
+     */
+    if( mbedtls_mpi_cmp_mpi( &R.X, r ) != 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &R );
+    mbedtls_mpi_free( &e ); mbedtls_mpi_free( &s_inv );
+    mbedtls_mpi_free( &u1 ); mbedtls_mpi_free( &u2 );
+
+    ECDSA_RS_LEAVE( ver );
+
+    return( ret );
+}
+
+/*
+ * Verify ECDSA signature of hashed message
+ */
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                          const unsigned char *buf, size_t blen,
+                          const mbedtls_ecp_point *Q,
+                          const mbedtls_mpi *r,
+                          const mbedtls_mpi *s)
+{
+    ECDSA_VALIDATE_RET( grp != NULL );
+    ECDSA_VALIDATE_RET( Q   != NULL );
+    ECDSA_VALIDATE_RET( r   != NULL );
+    ECDSA_VALIDATE_RET( s   != NULL );
+    ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
+
+    return( ecdsa_verify_restartable( grp, buf, blen, Q, r, s, NULL ) );
+}
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
+/*
+ * Convert a signature (given by context) to ASN.1
+ */
+static int ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
+                                    unsigned char *sig, size_t *slen )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_ECDSA_MAX_LEN];
+    unsigned char *p = buf + sizeof( buf );
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, s ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &p, buf, r ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &p, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &p, buf,
+                                       MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+    memcpy( sig, p, len );
+    *slen = len;
+
+    return( 0 );
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
+                           mbedtls_md_type_t md_alg,
+                           const unsigned char *hash, size_t hlen,
+                           unsigned char *sig, size_t *slen,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
+
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &s );
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d,
+                                                 hash, hlen, md_alg, f_rng,
+                                                 p_rng, rs_ctx ) );
+#else
+    (void) md_alg;
+
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
+                         hash, hlen, f_rng, p_rng ) );
+#else
+    /* Use the same RNG for both blinding and ephemeral key generation */
+    MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d,
+                                             hash, hlen, f_rng, p_rng, f_rng,
+                                             p_rng, rs_ctx ) );
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+    MBEDTLS_MPI_CHK( ecdsa_signature_to_asn1( &r, &s, sig, slen ) );
+
+cleanup:
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &s );
+
+    return( ret );
+}
+
+/*
+ * Compute and write signature
+ */
+int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx,
+                                 mbedtls_md_type_t md_alg,
+                                 const unsigned char *hash, size_t hlen,
+                                 unsigned char *sig, size_t *slen,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
+    return( mbedtls_ecdsa_write_signature_restartable(
+                ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL ) );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED) && \
+    defined(MBEDTLS_ECDSA_DETERMINISTIC)
+int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
+                               const unsigned char *hash, size_t hlen,
+                               unsigned char *sig, size_t *slen,
+                               mbedtls_md_type_t md_alg )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    ECDSA_VALIDATE_RET( slen != NULL );
+    return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
+                                   NULL, NULL ) );
+}
+#endif
+
+/*
+ * Read and check signature
+ */
+int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen )
+{
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+    return( mbedtls_ecdsa_read_signature_restartable(
+                ctx, hash, hlen, sig, slen, NULL ) );
+}
+
+/*
+ * Restartable read and check signature
+ */
+int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx,
+                          const unsigned char *hash, size_t hlen,
+                          const unsigned char *sig, size_t slen,
+                          mbedtls_ecdsa_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char *p = (unsigned char *) sig;
+    const unsigned char *end = sig + slen;
+    size_t len;
+    mbedtls_mpi r, s;
+    ECDSA_VALIDATE_RET( ctx  != NULL );
+    ECDSA_VALIDATE_RET( hash != NULL );
+    ECDSA_VALIDATE_RET( sig  != NULL );
+
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &s );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    if( p + len != end )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+        goto cleanup;
+    }
+
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
+        ( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
+    {
+        ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen,
+                                      &ctx->Q, &r, &s ) ) != 0 )
+        goto cleanup;
+#else
+    if( ( ret = ecdsa_verify_restartable( &ctx->grp, hash, hlen,
+                              &ctx->Q, &r, &s, rs_ctx ) ) != 0 )
+        goto cleanup;
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+    /* At this point we know that the buffer starts with a valid signature.
+     * Return 0 if the buffer just contains the signature, and a specific
+     * error code if the valid signature is followed by more data. */
+    if( p != end )
+        ret = MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH;
+
+cleanup:
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &s );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_ECDSA_GENKEY_ALT)
+/*
+ * Generate key pair
+ */
+int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret = 0;
+    ECDSA_VALIDATE_RET( ctx   != NULL );
+    ECDSA_VALIDATE_RET( f_rng != NULL );
+
+    ret = mbedtls_ecp_group_load( &ctx->grp, gid );
+    if( ret != 0 )
+        return( ret );
+
+   return( mbedtls_ecp_gen_keypair( &ctx->grp, &ctx->d,
+                                    &ctx->Q, f_rng, p_rng ) );
+}
+#endif /* !MBEDTLS_ECDSA_GENKEY_ALT */
+
+/*
+ * Set context from an mbedtls_ecp_keypair
+ */
+int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key )
+{
+    int ret;
+    ECDSA_VALIDATE_RET( ctx != NULL );
+    ECDSA_VALIDATE_RET( key != NULL );
+
+    if( ( ret = mbedtls_ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &ctx->d, &key->d ) ) != 0 ||
+        ( ret = mbedtls_ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
+    {
+        mbedtls_ecdsa_free( ctx );
+    }
+
+    return( ret );
+}
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx )
+{
+    ECDSA_VALIDATE( ctx != NULL );
+
+    mbedtls_ecp_keypair_init( ctx );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_keypair_free( ctx );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx )
+{
+    ECDSA_VALIDATE( ctx != NULL );
+
+    mbedtls_ecp_restart_init( &ctx->ecp );
+
+    ctx->ver = NULL;
+    ctx->sig = NULL;
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ctx->det = NULL;
+#endif
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_restart_free( &ctx->ecp );
+
+    ecdsa_restart_ver_free( ctx->ver );
+    mbedtls_free( ctx->ver );
+    ctx->ver = NULL;
+
+    ecdsa_restart_sig_free( ctx->sig );
+    mbedtls_free( ctx->sig );
+    ctx->sig = NULL;
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    ecdsa_restart_det_free( ctx->det );
+    mbedtls_free( ctx->det );
+    ctx->det = NULL;
+#endif
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#endif /* MBEDTLS_ECDSA_C */
diff --git a/makerom/deps/libmbedtls/src/ecjpake.c b/makerom/deps/libmbedtls/src/ecjpake.c
new file mode 100644
index 00000000..1845c936
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ecjpake.c
@@ -0,0 +1,1140 @@
+/*
+ *  Elliptic curve J-PAKE
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References in the code are to the Thread v1.0 Specification,
+ * available to members of the Thread Group http://threadgroup.org/
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECJPAKE_C)
+
+#include "mbedtls/ecjpake.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define ECJPAKE_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECJPAKE_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * Convert a mbedtls_ecjpake_role to identifier string
+ */
+static const char * const ecjpake_id[] = {
+    "client",
+    "server"
+};
+
+#define ID_MINE     ( ecjpake_id[ ctx->role ] )
+#define ID_PEER     ( ecjpake_id[ 1 - ctx->role ] )
+
+/*
+ * Initialize context
+ */
+void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx )
+{
+    ECJPAKE_VALIDATE( ctx != NULL );
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_init( &ctx->grp );
+    ctx->point_format = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    mbedtls_ecp_point_init( &ctx->Xm1 );
+    mbedtls_ecp_point_init( &ctx->Xm2 );
+    mbedtls_ecp_point_init( &ctx->Xp1 );
+    mbedtls_ecp_point_init( &ctx->Xp2 );
+    mbedtls_ecp_point_init( &ctx->Xp  );
+
+    mbedtls_mpi_init( &ctx->xm1 );
+    mbedtls_mpi_init( &ctx->xm2 );
+    mbedtls_mpi_init( &ctx->s   );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ctx->md_info = NULL;
+    mbedtls_ecp_group_free( &ctx->grp );
+
+    mbedtls_ecp_point_free( &ctx->Xm1 );
+    mbedtls_ecp_point_free( &ctx->Xm2 );
+    mbedtls_ecp_point_free( &ctx->Xp1 );
+    mbedtls_ecp_point_free( &ctx->Xp2 );
+    mbedtls_ecp_point_free( &ctx->Xp  );
+
+    mbedtls_mpi_free( &ctx->xm1 );
+    mbedtls_mpi_free( &ctx->xm2 );
+    mbedtls_mpi_free( &ctx->s   );
+}
+
+/*
+ * Setup context
+ */
+int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx,
+                           mbedtls_ecjpake_role role,
+                           mbedtls_md_type_t hash,
+                           mbedtls_ecp_group_id curve,
+                           const unsigned char *secret,
+                           size_t len )
+{
+    int ret;
+
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( role == MBEDTLS_ECJPAKE_CLIENT ||
+                          role == MBEDTLS_ECJPAKE_SERVER );
+    ECJPAKE_VALIDATE_RET( secret != NULL || len == 0 );
+
+    ctx->role = role;
+
+    if( ( ctx->md_info = mbedtls_md_info_from_type( hash ) ) == NULL )
+        return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ctx->grp, curve ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->s, secret, len ) );
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_ecjpake_free( ctx );
+
+    return( ret );
+}
+
+/*
+ * Check if context is ready for use
+ */
+int mbedtls_ecjpake_check( const mbedtls_ecjpake_context *ctx )
+{
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+
+    if( ctx->md_info == NULL ||
+        ctx->grp.id == MBEDTLS_ECP_DP_NONE ||
+        ctx->s.p == NULL )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Write a point plus its length to a buffer
+ */
+static int ecjpake_write_len_point( unsigned char **p,
+                                    const unsigned char *end,
+                                    const mbedtls_ecp_group *grp,
+                                    const int pf,
+                                    const mbedtls_ecp_point *P )
+{
+    int ret;
+    size_t len;
+
+    /* Need at least 4 for length plus 1 for point */
+    if( end < *p || end - *p < 5 )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    ret = mbedtls_ecp_point_write_binary( grp, P, pf,
+                                          &len, *p + 4, end - ( *p + 4 ) );
+    if( ret != 0 )
+        return( ret );
+
+    (*p)[0] = (unsigned char)( ( len >> 24 ) & 0xFF );
+    (*p)[1] = (unsigned char)( ( len >> 16 ) & 0xFF );
+    (*p)[2] = (unsigned char)( ( len >>  8 ) & 0xFF );
+    (*p)[3] = (unsigned char)( ( len       ) & 0xFF );
+
+    *p += 4 + len;
+
+    return( 0 );
+}
+
+/*
+ * Size of the temporary buffer for ecjpake_hash:
+ * 3 EC points plus their length, plus ID and its length (4 + 6 bytes)
+ */
+#define ECJPAKE_HASH_BUF_LEN    ( 3 * ( 4 + MBEDTLS_ECP_MAX_PT_LEN ) + 4 + 6 )
+
+/*
+ * Compute hash for ZKP (7.4.2.2.2.1)
+ */
+static int ecjpake_hash( const mbedtls_md_info_t *md_info,
+                         const mbedtls_ecp_group *grp,
+                         const int pf,
+                         const mbedtls_ecp_point *G,
+                         const mbedtls_ecp_point *V,
+                         const mbedtls_ecp_point *X,
+                         const char *id,
+                         mbedtls_mpi *h )
+{
+    int ret;
+    unsigned char buf[ECJPAKE_HASH_BUF_LEN];
+    unsigned char *p = buf;
+    const unsigned char *end = buf + sizeof( buf );
+    const size_t id_len = strlen( id );
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    /* Write things to temporary buffer */
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, G ) );
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, V ) );
+    MBEDTLS_MPI_CHK( ecjpake_write_len_point( &p, end, grp, pf, X ) );
+
+    if( end - p < 4 )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    *p++ = (unsigned char)( ( id_len >> 24 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len >> 16 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len >>  8 ) & 0xFF );
+    *p++ = (unsigned char)( ( id_len       ) & 0xFF );
+
+    if( end < p || (size_t)( end - p ) < id_len )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    memcpy( p, id, id_len );
+    p += id_len;
+
+    /* Compute hash */
+    MBEDTLS_MPI_CHK( mbedtls_md( md_info, buf, p - buf, hash ) );
+
+    /* Turn it into an integer mod n */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash,
+                                        mbedtls_md_get_size( md_info ) ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( h, h, &grp->N ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Parse a ECShnorrZKP (7.4.2.2.2) and verify it (7.4.2.3.3)
+ */
+static int ecjpake_zkp_read( const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             const mbedtls_ecp_point *X,
+                             const char *id,
+                             const unsigned char **p,
+                             const unsigned char *end )
+{
+    int ret;
+    mbedtls_ecp_point V, VV;
+    mbedtls_mpi r, h;
+    size_t r_len;
+
+    mbedtls_ecp_point_init( &V );
+    mbedtls_ecp_point_init( &VV );
+    mbedtls_mpi_init( &r );
+    mbedtls_mpi_init( &h );
+
+    /*
+     * struct {
+     *     ECPoint V;
+     *     opaque r<1..2^8-1>;
+     * } ECSchnorrZKP;
+     */
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, &V, p, end - *p ) );
+
+    if( end < *p || (size_t)( end - *p ) < 1 )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    r_len = *(*p)++;
+
+    if( end < *p || (size_t)( end - *p ) < r_len )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &r, *p, r_len ) );
+    *p += r_len;
+
+    /*
+     * Verification
+     */
+    MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( (mbedtls_ecp_group *) grp,
+                     &VV, &h, X, &r, G ) );
+
+    if( mbedtls_ecp_point_cmp( &VV, &V ) != 0 )
+    {
+        ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &V );
+    mbedtls_ecp_point_free( &VV );
+    mbedtls_mpi_free( &r );
+    mbedtls_mpi_free( &h );
+
+    return( ret );
+}
+
+/*
+ * Generate ZKP (7.4.2.3.2) and write it as ECSchnorrZKP (7.4.2.2.2)
+ */
+static int ecjpake_zkp_write( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              const mbedtls_mpi *x,
+                              const mbedtls_ecp_point *X,
+                              const char *id,
+                              unsigned char **p,
+                              const unsigned char *end,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point V;
+    mbedtls_mpi v;
+    mbedtls_mpi h; /* later recycled to hold r */
+    size_t len;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    mbedtls_ecp_point_init( &V );
+    mbedtls_mpi_init( &v );
+    mbedtls_mpi_init( &h );
+
+    /* Compute signature */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp,
+                                                   G, &v, &V, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( ecjpake_hash( md_info, grp, pf, G, &V, X, id, &h ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &h, &h, x ) ); /* x*h */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &h, &v, &h ) ); /* v - x*h */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &h, &h, &grp->N ) ); /* r */
+
+    /* Write it out */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, &V,
+                pf, &len, *p, end - *p ) );
+    *p += len;
+
+    len = mbedtls_mpi_size( &h ); /* actually r */
+    if( end < *p || (size_t)( end - *p ) < 1 + len || len > 255 )
+    {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+
+    *(*p)++ = (unsigned char)( len & 0xFF );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &h, *p, len ) ); /* r */
+    *p += len;
+
+cleanup:
+    mbedtls_ecp_point_free( &V );
+    mbedtls_mpi_free( &v );
+    mbedtls_mpi_free( &h );
+
+    return( ret );
+}
+
+/*
+ * Parse a ECJPAKEKeyKP (7.4.2.2.1) and check proof
+ * Output: verified public key X
+ */
+static int ecjpake_kkp_read( const mbedtls_md_info_t *md_info,
+                             const mbedtls_ecp_group *grp,
+                             const int pf,
+                             const mbedtls_ecp_point *G,
+                             mbedtls_ecp_point *X,
+                             const char *id,
+                             const unsigned char **p,
+                             const unsigned char *end )
+{
+    int ret;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * struct {
+     *     ECPoint X;
+     *     ECSchnorrZKP zkp;
+     * } ECJPAKEKeyKP;
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_point( grp, X, p, end - *p ) );
+    if( mbedtls_ecp_is_zero( X ) )
+    {
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( ecjpake_zkp_read( md_info, grp, pf, G, X, id, p, end ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate an ECJPAKEKeyKP
+ * Output: the serialized structure, plus private/public key pair
+ */
+static int ecjpake_kkp_write( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              mbedtls_mpi *x,
+                              mbedtls_ecp_point *X,
+                              const char *id,
+                              unsigned char **p,
+                              const unsigned char *end,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng )
+{
+    int ret;
+    size_t len;
+
+    if( end < *p )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    /* Generate key (7.4.2.3.1) and write it out */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_keypair_base( (mbedtls_ecp_group *) grp, G, x, X,
+                                                   f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( grp, X,
+                pf, &len, *p, end - *p ) );
+    *p += len;
+
+    /* Generate and write proof */
+    MBEDTLS_MPI_CHK( ecjpake_zkp_write( md_info, grp, pf, G, x, X, id,
+                                        p, end, f_rng, p_rng ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Read a ECJPAKEKeyKPPairList (7.4.2.3) and check proofs
+ * Ouputs: verified peer public keys Xa, Xb
+ */
+static int ecjpake_kkpp_read( const mbedtls_md_info_t *md_info,
+                              const mbedtls_ecp_group *grp,
+                              const int pf,
+                              const mbedtls_ecp_point *G,
+                              mbedtls_ecp_point *Xa,
+                              mbedtls_ecp_point *Xb,
+                              const char *id,
+                              const unsigned char *buf,
+                              size_t len )
+{
+    int ret;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    /*
+     * struct {
+     *     ECJPAKEKeyKP ecjpake_key_kp_pair_list[2];
+     * } ECJPAKEKeyKPPairList;
+     */
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xa, id, &p, end ) );
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( md_info, grp, pf, G, Xb, id, &p, end ) );
+
+    if( p != end )
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate a ECJPAKEKeyKPPairList
+ * Outputs: the serialized structure, plus two private/public key pairs
+ */
+static int ecjpake_kkpp_write( const mbedtls_md_info_t *md_info,
+                               const mbedtls_ecp_group *grp,
+                               const int pf,
+                               const mbedtls_ecp_point *G,
+                               mbedtls_mpi *xm1,
+                               mbedtls_ecp_point *Xa,
+                               mbedtls_mpi *xm2,
+                               mbedtls_ecp_point *Xb,
+                               const char *id,
+                               unsigned char *buf,
+                               size_t len,
+                               size_t *olen,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+
+    MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm1, Xa, id,
+                &p, end, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( ecjpake_kkp_write( md_info, grp, pf, G, xm2, Xb, id,
+                &p, end, f_rng, p_rng ) );
+
+    *olen = p - buf;
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Read and process the first round message
+ */
+int mbedtls_ecjpake_read_round_one( mbedtls_ecjpake_context *ctx,
+                                    const unsigned char *buf,
+                                    size_t len )
+{
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( buf != NULL );
+
+    return( ecjpake_kkpp_read( ctx->md_info, &ctx->grp, ctx->point_format,
+                               &ctx->grp.G,
+                               &ctx->Xp1, &ctx->Xp2, ID_PEER,
+                               buf, len ) );
+}
+
+/*
+ * Generate and write the first round message
+ */
+int mbedtls_ecjpake_write_round_one( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
+    return( ecjpake_kkpp_write( ctx->md_info, &ctx->grp, ctx->point_format,
+                                &ctx->grp.G,
+                                &ctx->xm1, &ctx->Xm1, &ctx->xm2, &ctx->Xm2,
+                                ID_MINE, buf, len, olen, f_rng, p_rng ) );
+}
+
+/*
+ * Compute the sum of three points R = A + B + C
+ */
+static int ecjpake_ecp_add3( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                             const mbedtls_ecp_point *A,
+                             const mbedtls_ecp_point *B,
+                             const mbedtls_ecp_point *C )
+{
+    int ret;
+    mbedtls_mpi one;
+
+    mbedtls_mpi_init( &one );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, A, &one, B ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( grp, R, &one, R, &one, C ) );
+
+cleanup:
+    mbedtls_mpi_free( &one );
+
+    return( ret );
+}
+
+/*
+ * Read and process second round message (C: 7.4.2.5, S: 7.4.2.6)
+ */
+int mbedtls_ecjpake_read_round_two( mbedtls_ecjpake_context *ctx,
+                                            const unsigned char *buf,
+                                            size_t len )
+{
+    int ret;
+    const unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point G;    /* C: GB, S: GA */
+
+    ECJPAKE_VALIDATE_RET( ctx != NULL );
+    ECJPAKE_VALIDATE_RET( buf != NULL );
+
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &G );
+
+    /*
+     * Server: GA = X3  + X4  + X1      (7.4.2.6.1)
+     * Client: GB = X1  + X2  + X3      (7.4.2.5.1)
+     * Unified: G = Xm1 + Xm2 + Xp1
+     * We need that before parsing in order to check Xp as we read it
+     */
+    MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G,
+                                       &ctx->Xm1, &ctx->Xm2, &ctx->Xp1 ) );
+
+    /*
+     * struct {
+     *     ECParameters curve_params;   // only client reading server msg
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if( ctx->role == MBEDTLS_ECJPAKE_CLIENT )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_tls_read_group( &grp, &p, len ) );
+        if( grp.id != ctx->grp.id )
+        {
+            ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+            goto cleanup;
+        }
+    }
+
+    MBEDTLS_MPI_CHK( ecjpake_kkp_read( ctx->md_info, &ctx->grp,
+                            ctx->point_format,
+                            &G, &ctx->Xp, ID_PEER, &p, end ) );
+
+    if( p != end )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &G );
+
+    return( ret );
+}
+
+/*
+ * Compute R = +/- X * S mod N, taking care not to leak S
+ */
+static int ecjpake_mul_secret( mbedtls_mpi *R, int sign,
+                               const mbedtls_mpi *X,
+                               const mbedtls_mpi *S,
+                               const mbedtls_mpi *N,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng )
+{
+    int ret;
+    mbedtls_mpi b; /* Blinding value, then s + N * blinding */
+
+    mbedtls_mpi_init( &b );
+
+    /* b = s + rnd-128-bit * N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &b, 16, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &b, &b, N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &b, &b, S ) );
+
+    /* R = sign * X * b mod N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( R, X, &b ) );
+    R->s *= sign;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( R, R, N ) );
+
+cleanup:
+    mbedtls_mpi_free( &b );
+
+    return( ret );
+}
+
+/*
+ * Generate and write the second round message (S: 7.4.2.5, C: 7.4.2.6)
+ */
+int mbedtls_ecjpake_write_round_two( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point G;    /* C: GA, S: GB */
+    mbedtls_ecp_point Xm;   /* C: Xc, S: Xs */
+    mbedtls_mpi xm;         /* C: xc, S: xs */
+    unsigned char *p = buf;
+    const unsigned char *end = buf + len;
+    size_t ec_len;
+
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
+    mbedtls_ecp_point_init( &G );
+    mbedtls_ecp_point_init( &Xm );
+    mbedtls_mpi_init( &xm );
+
+    /*
+     * First generate private/public key pair (S: 7.4.2.5.1, C: 7.4.2.6.1)
+     *
+     * Client:  GA = X1  + X3  + X4  | xs = x2  * s | Xc = xc * GA
+     * Server:  GB = X3  + X1  + X2  | xs = x4  * s | Xs = xs * GB
+     * Unified: G  = Xm1 + Xp1 + Xp2 | xm = xm2 * s | Xm = xm * G
+     */
+    MBEDTLS_MPI_CHK( ecjpake_ecp_add3( &ctx->grp, &G,
+                                       &ctx->Xp1, &ctx->Xp2, &ctx->Xm1 ) );
+    MBEDTLS_MPI_CHK( ecjpake_mul_secret( &xm, 1, &ctx->xm2, &ctx->s,
+                                         &ctx->grp.N, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &Xm, &xm, &G, f_rng, p_rng ) );
+
+    /*
+     * Now write things out
+     *
+     * struct {
+     *     ECParameters curve_params;   // only server writing its message
+     *     ECJPAKEKeyKP ecjpake_key_kp;
+     * } Client/ServerECJPAKEParams;
+     */
+    if( ctx->role == MBEDTLS_ECJPAKE_SERVER )
+    {
+        if( end < p )
+        {
+            ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+            goto cleanup;
+        }
+        MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_group( &ctx->grp, &ec_len,
+                                                      p, end - p ) );
+        p += ec_len;
+    }
+
+    if( end < p )
+    {
+        ret = MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+        goto cleanup;
+    }
+    MBEDTLS_MPI_CHK( mbedtls_ecp_tls_write_point( &ctx->grp, &Xm,
+                     ctx->point_format, &ec_len, p, end - p ) );
+    p += ec_len;
+
+    MBEDTLS_MPI_CHK( ecjpake_zkp_write( ctx->md_info, &ctx->grp,
+                                        ctx->point_format,
+                                        &G, &xm, &Xm, ID_MINE,
+                                        &p, end, f_rng, p_rng ) );
+
+    *olen = p - buf;
+
+cleanup:
+    mbedtls_ecp_point_free( &G );
+    mbedtls_ecp_point_free( &Xm );
+    mbedtls_mpi_free( &xm );
+
+    return( ret );
+}
+
+/*
+ * Derive PMS (7.4.2.7 / 7.4.2.8)
+ */
+int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx,
+                            unsigned char *buf, size_t len, size_t *olen,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng )
+{
+    int ret;
+    mbedtls_ecp_point K;
+    mbedtls_mpi m_xm2_s, one;
+    unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
+    size_t x_bytes;
+
+    ECJPAKE_VALIDATE_RET( ctx   != NULL );
+    ECJPAKE_VALIDATE_RET( buf   != NULL );
+    ECJPAKE_VALIDATE_RET( olen  != NULL );
+    ECJPAKE_VALIDATE_RET( f_rng != NULL );
+
+    *olen = mbedtls_md_get_size( ctx->md_info );
+    if( len < *olen )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    mbedtls_ecp_point_init( &K );
+    mbedtls_mpi_init( &m_xm2_s );
+    mbedtls_mpi_init( &one );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &one, 1 ) );
+
+    /*
+     * Client:  K = ( Xs - X4  * x2  * s ) * x2
+     * Server:  K = ( Xc - X2  * x4  * s ) * x4
+     * Unified: K = ( Xp - Xp2 * xm2 * s ) * xm2
+     */
+    MBEDTLS_MPI_CHK( ecjpake_mul_secret( &m_xm2_s, -1, &ctx->xm2, &ctx->s,
+                                         &ctx->grp.N, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_muladd( &ctx->grp, &K,
+                                         &one, &ctx->Xp,
+                                         &m_xm2_s, &ctx->Xp2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &K, &ctx->xm2, &K,
+                                      f_rng, p_rng ) );
+
+    /* PMS = SHA-256( K.X ) */
+    x_bytes = ( ctx->grp.pbits + 7 ) / 8;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &K.X, kx, x_bytes ) );
+    MBEDTLS_MPI_CHK( mbedtls_md( ctx->md_info, kx, x_bytes, buf ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &K );
+    mbedtls_mpi_free( &m_xm2_s );
+    mbedtls_mpi_free( &one );
+
+    return( ret );
+}
+
+#undef ID_MINE
+#undef ID_PEER
+
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif
+
+#if !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+    !defined(MBEDTLS_SHA256_C)
+int mbedtls_ecjpake_self_test( int verbose )
+{
+    (void) verbose;
+    return( 0 );
+}
+#else
+
+static const unsigned char ecjpake_test_password[] = {
+    0x74, 0x68, 0x72, 0x65, 0x61, 0x64, 0x6a, 0x70, 0x61, 0x6b, 0x65, 0x74,
+    0x65, 0x73, 0x74
+};
+
+static const unsigned char ecjpake_test_x1[] = {
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
+    0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+    0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
+};
+
+static const unsigned char ecjpake_test_x2[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x3[] = {
+    0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
+    0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
+    0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
+};
+
+static const unsigned char ecjpake_test_x4[] = {
+    0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
+    0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
+    0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
+};
+
+static const unsigned char ecjpake_test_cli_one[] = {
+    0x41, 0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19,
+    0x33, 0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44,
+    0xe5, 0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad,
+    0xa7, 0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62,
+    0x1f, 0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9,
+    0x06, 0x07, 0x31, 0xf6, 0x94, 0xa4, 0x41, 0x04, 0x1d, 0xd0, 0xbd, 0x5d,
+    0x45, 0x66, 0xc9, 0xbe, 0xd9, 0xce, 0x7d, 0xe7, 0x01, 0xb5, 0xe8, 0x2e,
+    0x08, 0xe8, 0x4b, 0x73, 0x04, 0x66, 0x01, 0x8a, 0xb9, 0x03, 0xc7, 0x9e,
+    0xb9, 0x82, 0x17, 0x22, 0x36, 0xc0, 0xc1, 0x72, 0x8a, 0xe4, 0xbf, 0x73,
+    0x61, 0x0d, 0x34, 0xde, 0x44, 0x24, 0x6e, 0xf3, 0xd9, 0xc0, 0x5a, 0x22,
+    0x36, 0xfb, 0x66, 0xa6, 0x58, 0x3d, 0x74, 0x49, 0x30, 0x8b, 0xab, 0xce,
+    0x20, 0x72, 0xfe, 0x16, 0x66, 0x29, 0x92, 0xe9, 0x23, 0x5c, 0x25, 0x00,
+    0x2f, 0x11, 0xb1, 0x50, 0x87, 0xb8, 0x27, 0x38, 0xe0, 0x3c, 0x94, 0x5b,
+    0xf7, 0xa2, 0x99, 0x5d, 0xda, 0x1e, 0x98, 0x34, 0x58, 0x41, 0x04, 0x7e,
+    0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7, 0x92, 0x62,
+    0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40, 0x9a, 0xc5,
+    0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79, 0x0a, 0xeb,
+    0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1, 0xc3, 0x35,
+    0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3, 0x2b, 0xb0,
+    0x13, 0xbb, 0x2b, 0x41, 0x04, 0xa4, 0x95, 0x58, 0xd3, 0x2e, 0xd1, 0xeb,
+    0xfc, 0x18, 0x16, 0xaf, 0x4f, 0xf0, 0x9b, 0x55, 0xfc, 0xb4, 0xca, 0x47,
+    0xb2, 0xa0, 0x2d, 0x1e, 0x7c, 0xaf, 0x11, 0x79, 0xea, 0x3f, 0xe1, 0x39,
+    0x5b, 0x22, 0xb8, 0x61, 0x96, 0x40, 0x16, 0xfa, 0xba, 0xf7, 0x2c, 0x97,
+    0x56, 0x95, 0xd9, 0x3d, 0x4d, 0xf0, 0xe5, 0x19, 0x7f, 0xe9, 0xf0, 0x40,
+    0x63, 0x4e, 0xd5, 0x97, 0x64, 0x93, 0x77, 0x87, 0xbe, 0x20, 0xbc, 0x4d,
+    0xee, 0xbb, 0xf9, 0xb8, 0xd6, 0x0a, 0x33, 0x5f, 0x04, 0x6c, 0xa3, 0xaa,
+    0x94, 0x1e, 0x45, 0x86, 0x4c, 0x7c, 0xad, 0xef, 0x9c, 0xf7, 0x5b, 0x3d,
+    0x8b, 0x01, 0x0e, 0x44, 0x3e, 0xf0
+};
+
+static const unsigned char ecjpake_test_srv_one[] = {
+    0x41, 0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb,
+    0xd7, 0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18,
+    0x40, 0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47,
+    0x79, 0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f,
+    0xd1, 0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7,
+    0xe3, 0x2b, 0xb0, 0x13, 0xbb, 0x2b, 0x41, 0x04, 0x09, 0xf8, 0x5b, 0x3d,
+    0x20, 0xeb, 0xd7, 0x88, 0x5c, 0xe4, 0x64, 0xc0, 0x8d, 0x05, 0x6d, 0x64,
+    0x28, 0xfe, 0x4d, 0xd9, 0x28, 0x7a, 0xa3, 0x65, 0xf1, 0x31, 0xf4, 0x36,
+    0x0f, 0xf3, 0x86, 0xd8, 0x46, 0x89, 0x8b, 0xc4, 0xb4, 0x15, 0x83, 0xc2,
+    0xa5, 0x19, 0x7f, 0x65, 0xd7, 0x87, 0x42, 0x74, 0x6c, 0x12, 0xa5, 0xec,
+    0x0a, 0x4f, 0xfe, 0x2f, 0x27, 0x0a, 0x75, 0x0a, 0x1d, 0x8f, 0xb5, 0x16,
+    0x20, 0x93, 0x4d, 0x74, 0xeb, 0x43, 0xe5, 0x4d, 0xf4, 0x24, 0xfd, 0x96,
+    0x30, 0x6c, 0x01, 0x17, 0xbf, 0x13, 0x1a, 0xfa, 0xbf, 0x90, 0xa9, 0xd3,
+    0x3d, 0x11, 0x98, 0xd9, 0x05, 0x19, 0x37, 0x35, 0x14, 0x41, 0x04, 0x19,
+    0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79, 0xee, 0x0f,
+    0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf, 0x70, 0xf8,
+    0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb, 0xfe, 0xc7,
+    0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f, 0xc4, 0xea,
+    0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4, 0x1a, 0xc5,
+    0x6a, 0x56, 0x12, 0x41, 0x04, 0x36, 0x0a, 0x1c, 0xea, 0x33, 0xfc, 0xe6,
+    0x41, 0x15, 0x64, 0x58, 0xe0, 0xa4, 0xea, 0xc2, 0x19, 0xe9, 0x68, 0x31,
+    0xe6, 0xae, 0xbc, 0x88, 0xb3, 0xf3, 0x75, 0x2f, 0x93, 0xa0, 0x28, 0x1d,
+    0x1b, 0xf1, 0xfb, 0x10, 0x60, 0x51, 0xdb, 0x96, 0x94, 0xa8, 0xd6, 0xe8,
+    0x62, 0xa5, 0xef, 0x13, 0x24, 0xa3, 0xd9, 0xe2, 0x78, 0x94, 0xf1, 0xee,
+    0x4f, 0x7c, 0x59, 0x19, 0x99, 0x65, 0xa8, 0xdd, 0x4a, 0x20, 0x91, 0x84,
+    0x7d, 0x2d, 0x22, 0xdf, 0x3e, 0xe5, 0x5f, 0xaa, 0x2a, 0x3f, 0xb3, 0x3f,
+    0xd2, 0xd1, 0xe0, 0x55, 0xa0, 0x7a, 0x7c, 0x61, 0xec, 0xfb, 0x8d, 0x80,
+    0xec, 0x00, 0xc2, 0xc9, 0xeb, 0x12
+};
+
+static const unsigned char ecjpake_test_srv_two[] = {
+    0x03, 0x00, 0x17, 0x41, 0x04, 0x0f, 0xb2, 0x2b, 0x1d, 0x5d, 0x11, 0x23,
+    0xe0, 0xef, 0x9f, 0xeb, 0x9d, 0x8a, 0x2e, 0x59, 0x0a, 0x1f, 0x4d, 0x7c,
+    0xed, 0x2c, 0x2b, 0x06, 0x58, 0x6e, 0x8f, 0x2a, 0x16, 0xd4, 0xeb, 0x2f,
+    0xda, 0x43, 0x28, 0xa2, 0x0b, 0x07, 0xd8, 0xfd, 0x66, 0x76, 0x54, 0xca,
+    0x18, 0xc5, 0x4e, 0x32, 0xa3, 0x33, 0xa0, 0x84, 0x54, 0x51, 0xe9, 0x26,
+    0xee, 0x88, 0x04, 0xfd, 0x7a, 0xf0, 0xaa, 0xa7, 0xa6, 0x41, 0x04, 0x55,
+    0x16, 0xea, 0x3e, 0x54, 0xa0, 0xd5, 0xd8, 0xb2, 0xce, 0x78, 0x6b, 0x38,
+    0xd3, 0x83, 0x37, 0x00, 0x29, 0xa5, 0xdb, 0xe4, 0x45, 0x9c, 0x9d, 0xd6,
+    0x01, 0xb4, 0x08, 0xa2, 0x4a, 0xe6, 0x46, 0x5c, 0x8a, 0xc9, 0x05, 0xb9,
+    0xeb, 0x03, 0xb5, 0xd3, 0x69, 0x1c, 0x13, 0x9e, 0xf8, 0x3f, 0x1c, 0xd4,
+    0x20, 0x0f, 0x6c, 0x9c, 0xd4, 0xec, 0x39, 0x22, 0x18, 0xa5, 0x9e, 0xd2,
+    0x43, 0xd3, 0xc8, 0x20, 0xff, 0x72, 0x4a, 0x9a, 0x70, 0xb8, 0x8c, 0xb8,
+    0x6f, 0x20, 0xb4, 0x34, 0xc6, 0x86, 0x5a, 0xa1, 0xcd, 0x79, 0x06, 0xdd,
+    0x7c, 0x9b, 0xce, 0x35, 0x25, 0xf5, 0x08, 0x27, 0x6f, 0x26, 0x83, 0x6c
+};
+
+static const unsigned char ecjpake_test_cli_two[] = {
+    0x41, 0x04, 0x69, 0xd5, 0x4e, 0xe8, 0x5e, 0x90, 0xce, 0x3f, 0x12, 0x46,
+    0x74, 0x2d, 0xe5, 0x07, 0xe9, 0x39, 0xe8, 0x1d, 0x1d, 0xc1, 0xc5, 0xcb,
+    0x98, 0x8b, 0x58, 0xc3, 0x10, 0xc9, 0xfd, 0xd9, 0x52, 0x4d, 0x93, 0x72,
+    0x0b, 0x45, 0x54, 0x1c, 0x83, 0xee, 0x88, 0x41, 0x19, 0x1d, 0xa7, 0xce,
+    0xd8, 0x6e, 0x33, 0x12, 0xd4, 0x36, 0x23, 0xc1, 0xd6, 0x3e, 0x74, 0x98,
+    0x9a, 0xba, 0x4a, 0xff, 0xd1, 0xee, 0x41, 0x04, 0x07, 0x7e, 0x8c, 0x31,
+    0xe2, 0x0e, 0x6b, 0xed, 0xb7, 0x60, 0xc1, 0x35, 0x93, 0xe6, 0x9f, 0x15,
+    0xbe, 0x85, 0xc2, 0x7d, 0x68, 0xcd, 0x09, 0xcc, 0xb8, 0xc4, 0x18, 0x36,
+    0x08, 0x91, 0x7c, 0x5c, 0x3d, 0x40, 0x9f, 0xac, 0x39, 0xfe, 0xfe, 0xe8,
+    0x2f, 0x72, 0x92, 0xd3, 0x6f, 0x0d, 0x23, 0xe0, 0x55, 0x91, 0x3f, 0x45,
+    0xa5, 0x2b, 0x85, 0xdd, 0x8a, 0x20, 0x52, 0xe9, 0xe1, 0x29, 0xbb, 0x4d,
+    0x20, 0x0f, 0x01, 0x1f, 0x19, 0x48, 0x35, 0x35, 0xa6, 0xe8, 0x9a, 0x58,
+    0x0c, 0x9b, 0x00, 0x03, 0xba, 0xf2, 0x14, 0x62, 0xec, 0xe9, 0x1a, 0x82,
+    0xcc, 0x38, 0xdb, 0xdc, 0xae, 0x60, 0xd9, 0xc5, 0x4c
+};
+
+static const unsigned char ecjpake_test_pms[] = {
+    0xf3, 0xd4, 0x7f, 0x59, 0x98, 0x44, 0xdb, 0x92, 0xa5, 0x69, 0xbb, 0xe7,
+    0x98, 0x1e, 0x39, 0xd9, 0x31, 0xfd, 0x74, 0x3b, 0xf2, 0x2e, 0x98, 0xf9,
+    0xb4, 0x38, 0xf7, 0x19, 0xd3, 0xc4, 0xf3, 0x51
+};
+
+/* Load my private keys and generate the corresponding public keys */
+static int ecjpake_test_load( mbedtls_ecjpake_context *ctx,
+                              const unsigned char *xm1, size_t len1,
+                              const unsigned char *xm2, size_t len2 )
+{
+    int ret;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm1, xm1, len1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm2, xm2, len2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm1, &ctx->xm1,
+                                      &ctx->grp.G, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &ctx->grp, &ctx->Xm2, &ctx->xm2,
+                                      &ctx->grp.G, NULL, NULL ) );
+
+cleanup:
+    return( ret );
+}
+
+/* For tests we don't need a secure RNG;
+ * use the LGC from Numerical Recipes for simplicity */
+static int ecjpake_lgc( void *p, unsigned char *out, size_t len )
+{
+    static uint32_t x = 42;
+    (void) p;
+
+    while( len > 0 )
+    {
+        size_t use_len = len > 4 ? 4 : len;
+        x = 1664525 * x + 1013904223;
+        memcpy( out, &x, use_len );
+        out += use_len;
+        len -= use_len;
+    }
+
+    return( 0 );
+}
+
+#define TEST_ASSERT( x )    \
+    do {                    \
+        if( x )             \
+            ret = 0;        \
+        else                \
+        {                   \
+            ret = 1;        \
+            goto cleanup;   \
+        }                   \
+    } while( 0 )
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecjpake_self_test( int verbose )
+{
+    int ret;
+    mbedtls_ecjpake_context cli;
+    mbedtls_ecjpake_context srv;
+    unsigned char buf[512], pms[32];
+    size_t len, pmslen;
+
+    mbedtls_ecjpake_init( &cli );
+    mbedtls_ecjpake_init( &srv );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #0 (setup): " );
+
+    TEST_ASSERT( mbedtls_ecjpake_setup( &cli, MBEDTLS_ECJPAKE_CLIENT,
+                    MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                    ecjpake_test_password,
+            sizeof( ecjpake_test_password ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_setup( &srv, MBEDTLS_ECJPAKE_SERVER,
+                    MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1,
+                    ecjpake_test_password,
+            sizeof( ecjpake_test_password ) ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #1 (random handshake): " );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_one( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_one( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_two( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli,
+                 pms, sizeof( pms ), &pmslen, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_write_round_two( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv, buf, len ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == pmslen );
+    TEST_ASSERT( memcmp( buf, pms, len ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECJPAKE test #2 (reference handshake): " );
+
+    /* Simulate generation of round one */
+    MBEDTLS_MPI_CHK( ecjpake_test_load( &cli,
+                ecjpake_test_x1, sizeof( ecjpake_test_x1 ),
+                ecjpake_test_x2, sizeof( ecjpake_test_x2 ) ) );
+
+    MBEDTLS_MPI_CHK( ecjpake_test_load( &srv,
+                ecjpake_test_x3, sizeof( ecjpake_test_x3 ),
+                ecjpake_test_x4, sizeof( ecjpake_test_x4 ) ) );
+
+    /* Read round one */
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &srv,
+                                    ecjpake_test_cli_one,
+                            sizeof( ecjpake_test_cli_one ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_one( &cli,
+                                    ecjpake_test_srv_one,
+                            sizeof( ecjpake_test_srv_one ) ) == 0 );
+
+    /* Skip generation of round two, read round two */
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &cli,
+                                    ecjpake_test_srv_two,
+                            sizeof( ecjpake_test_srv_two ) ) == 0 );
+
+    TEST_ASSERT( mbedtls_ecjpake_read_round_two( &srv,
+                                    ecjpake_test_cli_two,
+                            sizeof( ecjpake_test_cli_two ) ) == 0 );
+
+    /* Server derives PMS */
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &srv,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
+    TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
+
+    memset( buf, 0, len ); /* Avoid interferences with next step */
+
+    /* Client derives PMS */
+    TEST_ASSERT( mbedtls_ecjpake_derive_secret( &cli,
+                 buf, sizeof( buf ), &len, ecjpake_lgc, NULL ) == 0 );
+
+    TEST_ASSERT( len == sizeof( ecjpake_test_pms ) );
+    TEST_ASSERT( memcmp( buf, ecjpake_test_pms, len ) == 0 );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+    mbedtls_ecjpake_free( &cli );
+    mbedtls_ecjpake_free( &srv );
+
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#undef TEST_ASSERT
+
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ECJPAKE_C */
diff --git a/makerom/deps/libmbedtls/src/ecp.c b/makerom/deps/libmbedtls/src/ecp.c
new file mode 100644
index 00000000..040c20bd
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ecp.c
@@ -0,0 +1,2999 @@
+/*
+ *  Elliptic curves over GF(p): generic functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * References:
+ *
+ * SEC1 http://www.secg.org/index.php?action=secg,docs_secg
+ * GECC = Guide to Elliptic Curve Cryptography - Hankerson, Menezes, Vanstone
+ * FIPS 186-3 http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
+ * RFC 4492 for the related TLS structures and constants
+ * RFC 7748 for the Curve448 and Curve25519 curve definitions
+ *
+ * [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+ *
+ * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
+ *     for elliptic curve cryptosystems. In : Cryptographic Hardware and
+ *     Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
+ *     <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
+ *
+ * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
+ *     render ECC resistant against Side Channel Attacks. IACR Cryptology
+ *     ePrint Archive, 2004, vol. 2004, p. 342.
+ *     <http://eprint.iacr.org/2004/342.pdf>
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+/**
+ * \brief Function level alternative implementation.
+ *
+ * The MBEDTLS_ECP_INTERNAL_ALT macro enables alternative implementations to
+ * replace certain functions in this module. The alternative implementations are
+ * typically hardware accelerators and need to activate the hardware before the
+ * computation starts and deactivate it after it finishes. The
+ * mbedtls_internal_ecp_init() and mbedtls_internal_ecp_free() functions serve
+ * this purpose.
+ *
+ * To preserve the correct functionality the following conditions must hold:
+ *
+ * - The alternative implementation must be activated by
+ *   mbedtls_internal_ecp_init() before any of the replaceable functions is
+ *   called.
+ * - mbedtls_internal_ecp_free() must \b only be called when the alternative
+ *   implementation is activated.
+ * - mbedtls_internal_ecp_init() must \b not be called when the alternative
+ *   implementation is activated.
+ * - Public functions must not return while the alternative implementation is
+ *   activated.
+ * - Replaceable functions are guarded by \c MBEDTLS_ECP_XXX_ALT macros and
+ *   before calling them an \code if( mbedtls_internal_ecp_grp_capable( grp ) )
+ *   \endcode ensures that the alternative implementation supports the current
+ *   group.
+ */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/threading.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_printf     printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include "mbedtls/ecp_internal.h"
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Counts of point addition and doubling, and field multiplications.
+ * Used to test resistance of point multiplication to simple timing attacks.
+ */
+static unsigned long add_count, dbl_count, mul_count;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Maximum number of "basic operations" to be done in a row.
+ *
+ * Default value 0 means that ECC operations will not yield.
+ * Note that regardless of the value of ecp_max_ops, always at
+ * least one step is performed before yielding.
+ *
+ * Setting ecp_max_ops=1 can be suitable for testing purposes
+ * as it will interrupt computation at all possible points.
+ */
+static unsigned ecp_max_ops = 0;
+
+/*
+ * Set ecp_max_ops
+ */
+void mbedtls_ecp_set_max_ops( unsigned max_ops )
+{
+    ecp_max_ops = max_ops;
+}
+
+/*
+ * Check if restart is enabled
+ */
+int mbedtls_ecp_restart_is_enabled( void )
+{
+    return( ecp_max_ops != 0 );
+}
+
+/*
+ * Restart sub-context for ecp_mul_comb()
+ */
+struct mbedtls_ecp_restart_mul
+{
+    mbedtls_ecp_point R;    /* current intermediate result                  */
+    size_t i;               /* current index in various loops, 0 outside    */
+    mbedtls_ecp_point *T;   /* table for precomputed points                 */
+    unsigned char T_size;   /* number of points in table T                  */
+    enum {                  /* what were we doing last time we returned?    */
+        ecp_rsm_init = 0,       /* nothing so far, dummy initial state      */
+        ecp_rsm_pre_dbl,        /* precompute 2^n multiples                 */
+        ecp_rsm_pre_norm_dbl,   /* normalize precomputed 2^n multiples      */
+        ecp_rsm_pre_add,        /* precompute remaining points by adding    */
+        ecp_rsm_pre_norm_add,   /* normalize all precomputed points         */
+        ecp_rsm_comb_core,      /* ecp_mul_comb_core()                      */
+        ecp_rsm_final_norm,     /* do the final normalization               */
+    } state;
+};
+
+/*
+ * Init restart_mul sub-context
+ */
+static void ecp_restart_rsm_init( mbedtls_ecp_restart_mul_ctx *ctx )
+{
+    mbedtls_ecp_point_init( &ctx->R );
+    ctx->i = 0;
+    ctx->T = NULL;
+    ctx->T_size = 0;
+    ctx->state = ecp_rsm_init;
+}
+
+/*
+ * Free the components of a restart_mul sub-context
+ */
+static void ecp_restart_rsm_free( mbedtls_ecp_restart_mul_ctx *ctx )
+{
+    unsigned char i;
+
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_point_free( &ctx->R );
+
+    if( ctx->T != NULL )
+    {
+        for( i = 0; i < ctx->T_size; i++ )
+            mbedtls_ecp_point_free( ctx->T + i );
+        mbedtls_free( ctx->T );
+    }
+
+    ecp_restart_rsm_init( ctx );
+}
+
+/*
+ * Restart context for ecp_muladd()
+ */
+struct mbedtls_ecp_restart_muladd
+{
+    mbedtls_ecp_point mP;       /* mP value                             */
+    mbedtls_ecp_point R;        /* R intermediate result                */
+    enum {                      /* what should we do next?              */
+        ecp_rsma_mul1 = 0,      /* first multiplication                 */
+        ecp_rsma_mul2,          /* second multiplication                */
+        ecp_rsma_add,           /* addition                             */
+        ecp_rsma_norm,          /* normalization                        */
+    } state;
+};
+
+/*
+ * Init restart_muladd sub-context
+ */
+static void ecp_restart_ma_init( mbedtls_ecp_restart_muladd_ctx *ctx )
+{
+    mbedtls_ecp_point_init( &ctx->mP );
+    mbedtls_ecp_point_init( &ctx->R );
+    ctx->state = ecp_rsma_mul1;
+}
+
+/*
+ * Free the components of a restart_muladd sub-context
+ */
+static void ecp_restart_ma_free( mbedtls_ecp_restart_muladd_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_ecp_point_free( &ctx->mP );
+    mbedtls_ecp_point_free( &ctx->R );
+
+    ecp_restart_ma_init( ctx );
+}
+
+/*
+ * Initialize a restart context
+ */
+void mbedtls_ecp_restart_init( mbedtls_ecp_restart_ctx *ctx )
+{
+    ECP_VALIDATE( ctx != NULL );
+    ctx->ops_done = 0;
+    ctx->depth = 0;
+    ctx->rsm = NULL;
+    ctx->ma = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_ecp_restart_free( mbedtls_ecp_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    ecp_restart_rsm_free( ctx->rsm );
+    mbedtls_free( ctx->rsm );
+
+    ecp_restart_ma_free( ctx->ma );
+    mbedtls_free( ctx->ma );
+
+    mbedtls_ecp_restart_init( ctx );
+}
+
+/*
+ * Check if we can do the next step
+ */
+int mbedtls_ecp_check_budget( const mbedtls_ecp_group *grp,
+                              mbedtls_ecp_restart_ctx *rs_ctx,
+                              unsigned ops )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+
+    if( rs_ctx != NULL && ecp_max_ops != 0 )
+    {
+        /* scale depending on curve size: the chosen reference is 256-bit,
+         * and multiplication is quadratic. Round to the closest integer. */
+        if( grp->pbits >= 512 )
+            ops *= 4;
+        else if( grp->pbits >= 384 )
+            ops *= 2;
+
+        /* Avoid infinite loops: always allow first step.
+         * Because of that, however, it's not generally true
+         * that ops_done <= ecp_max_ops, so the check
+         * ops_done > ecp_max_ops below is mandatory. */
+        if( ( rs_ctx->ops_done != 0 ) &&
+            ( rs_ctx->ops_done > ecp_max_ops ||
+              ops > ecp_max_ops - rs_ctx->ops_done ) )
+        {
+            return( MBEDTLS_ERR_ECP_IN_PROGRESS );
+        }
+
+        /* update running count */
+        rs_ctx->ops_done += ops;
+    }
+
+    return( 0 );
+}
+
+/* Call this when entering a function that needs its own sub-context */
+#define ECP_RS_ENTER( SUB )   do {                                      \
+    /* reset ops count for this call if top-level */                    \
+    if( rs_ctx != NULL && rs_ctx->depth++ == 0 )                        \
+        rs_ctx->ops_done = 0;                                           \
+                                                                        \
+    /* set up our own sub-context if needed */                          \
+    if( mbedtls_ecp_restart_is_enabled() &&                             \
+        rs_ctx != NULL && rs_ctx->SUB == NULL )                         \
+    {                                                                   \
+        rs_ctx->SUB = mbedtls_calloc( 1, sizeof( *rs_ctx->SUB ) );      \
+        if( rs_ctx->SUB == NULL )                                       \
+            return( MBEDTLS_ERR_ECP_ALLOC_FAILED );                     \
+                                                                        \
+        ecp_restart_## SUB ##_init( rs_ctx->SUB );                      \
+    }                                                                   \
+} while( 0 )
+
+/* Call this when leaving a function that needs its own sub-context */
+#define ECP_RS_LEAVE( SUB )   do {                                      \
+    /* clear our sub-context when not in progress (done or error) */    \
+    if( rs_ctx != NULL && rs_ctx->SUB != NULL &&                        \
+        ret != MBEDTLS_ERR_ECP_IN_PROGRESS )                            \
+    {                                                                   \
+        ecp_restart_## SUB ##_free( rs_ctx->SUB );                      \
+        mbedtls_free( rs_ctx->SUB );                                    \
+        rs_ctx->SUB = NULL;                                             \
+    }                                                                   \
+                                                                        \
+    if( rs_ctx != NULL )                                                \
+        rs_ctx->depth--;                                                \
+} while( 0 )
+
+#else /* MBEDTLS_ECP_RESTARTABLE */
+
+#define ECP_RS_ENTER( sub )     (void) rs_ctx;
+#define ECP_RS_LEAVE( sub )     (void) rs_ctx;
+
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)   ||   \
+    defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define ECP_SHORTWEIERSTRASS
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+    defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define ECP_MONTGOMERY
+#endif
+
+/*
+ * Curve types: internal for now, might be exposed later
+ */
+typedef enum
+{
+    ECP_TYPE_NONE = 0,
+    ECP_TYPE_SHORT_WEIERSTRASS,    /* y^2 = x^3 + a x + b      */
+    ECP_TYPE_MONTGOMERY,           /* y^2 = x^3 + a x^2 + x    */
+} ecp_curve_type;
+
+/*
+ * List of supported curves:
+ *  - internal ID
+ *  - TLS NamedCurve ID (RFC 4492 sec. 5.1.1, RFC 7071 sec. 2)
+ *  - size in bits
+ *  - readable name
+ *
+ * Curves are listed in order: largest curves first, and for a given size,
+ * fastest curves first. This provides the default order for the SSL module.
+ *
+ * Reminder: update profiles in x509_crt.c when adding a new curves!
+ */
+static const mbedtls_ecp_curve_info ecp_supported_curves[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP521R1,    25,     521,    "secp521r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP512R1,      28,     512,    "brainpoolP512r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP384R1,    24,     384,    "secp384r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP384R1,      27,     384,    "brainpoolP384r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP256R1,    23,     256,    "secp256r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP256K1,    22,     256,    "secp256k1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    { MBEDTLS_ECP_DP_BP256R1,      26,     256,    "brainpoolP256r1"   },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP224R1,    21,     224,    "secp224r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP224K1,    20,     224,    "secp224k1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP192R1,    19,     192,    "secp192r1"         },
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    { MBEDTLS_ECP_DP_SECP192K1,    18,     192,    "secp192k1"         },
+#endif
+    { MBEDTLS_ECP_DP_NONE,          0,     0,      NULL                },
+};
+
+#define ECP_NB_CURVES   sizeof( ecp_supported_curves ) /    \
+                        sizeof( ecp_supported_curves[0] )
+
+static mbedtls_ecp_group_id ecp_supported_grp_id[ECP_NB_CURVES];
+
+/*
+ * List of supported curves and associated info
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_list( void )
+{
+    return( ecp_supported_curves );
+}
+
+/*
+ * List of supported curves, group ID only
+ */
+const mbedtls_ecp_group_id *mbedtls_ecp_grp_id_list( void )
+{
+    static int init_done = 0;
+
+    if( ! init_done )
+    {
+        size_t i = 0;
+        const mbedtls_ecp_curve_info *curve_info;
+
+        for( curve_info = mbedtls_ecp_curve_list();
+             curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+             curve_info++ )
+        {
+            ecp_supported_grp_id[i++] = curve_info->grp_id;
+        }
+        ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
+
+        init_done = 1;
+    }
+
+    return( ecp_supported_grp_id );
+}
+
+/*
+ * Get the curve info for the internal identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_grp_id( mbedtls_ecp_group_id grp_id )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( curve_info->grp_id == grp_id )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the curve info from the TLS identifier
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_tls_id( uint16_t tls_id )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( curve_info->tls_id == tls_id )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the curve info from the name
+ */
+const mbedtls_ecp_curve_info *mbedtls_ecp_curve_info_from_name( const char *name )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+
+    if( name == NULL )
+        return( NULL );
+
+    for( curve_info = mbedtls_ecp_curve_list();
+         curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
+         curve_info++ )
+    {
+        if( strcmp( curve_info->name, name ) == 0 )
+            return( curve_info );
+    }
+
+    return( NULL );
+}
+
+/*
+ * Get the type of a curve
+ */
+static inline ecp_curve_type ecp_get_type( const mbedtls_ecp_group *grp )
+{
+    if( grp->G.X.p == NULL )
+        return( ECP_TYPE_NONE );
+
+    if( grp->G.Y.p == NULL )
+        return( ECP_TYPE_MONTGOMERY );
+    else
+        return( ECP_TYPE_SHORT_WEIERSTRASS );
+}
+
+/*
+ * Initialize (the components of) a point
+ */
+void mbedtls_ecp_point_init( mbedtls_ecp_point *pt )
+{
+    ECP_VALIDATE( pt != NULL );
+
+    mbedtls_mpi_init( &pt->X );
+    mbedtls_mpi_init( &pt->Y );
+    mbedtls_mpi_init( &pt->Z );
+}
+
+/*
+ * Initialize (the components of) a group
+ */
+void mbedtls_ecp_group_init( mbedtls_ecp_group *grp )
+{
+    ECP_VALIDATE( grp != NULL );
+
+    grp->id = MBEDTLS_ECP_DP_NONE;
+    mbedtls_mpi_init( &grp->P );
+    mbedtls_mpi_init( &grp->A );
+    mbedtls_mpi_init( &grp->B );
+    mbedtls_ecp_point_init( &grp->G );
+    mbedtls_mpi_init( &grp->N );
+    grp->pbits = 0;
+    grp->nbits = 0;
+    grp->h = 0;
+    grp->modp = NULL;
+    grp->t_pre = NULL;
+    grp->t_post = NULL;
+    grp->t_data = NULL;
+    grp->T = NULL;
+    grp->T_size = 0;
+}
+
+/*
+ * Initialize (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_init( mbedtls_ecp_keypair *key )
+{
+    ECP_VALIDATE( key != NULL );
+
+    mbedtls_ecp_group_init( &key->grp );
+    mbedtls_mpi_init( &key->d );
+    mbedtls_ecp_point_init( &key->Q );
+}
+
+/*
+ * Unallocate (the components of) a point
+ */
+void mbedtls_ecp_point_free( mbedtls_ecp_point *pt )
+{
+    if( pt == NULL )
+        return;
+
+    mbedtls_mpi_free( &( pt->X ) );
+    mbedtls_mpi_free( &( pt->Y ) );
+    mbedtls_mpi_free( &( pt->Z ) );
+}
+
+/*
+ * Unallocate (the components of) a group
+ */
+void mbedtls_ecp_group_free( mbedtls_ecp_group *grp )
+{
+    size_t i;
+
+    if( grp == NULL )
+        return;
+
+    if( grp->h != 1 )
+    {
+        mbedtls_mpi_free( &grp->P );
+        mbedtls_mpi_free( &grp->A );
+        mbedtls_mpi_free( &grp->B );
+        mbedtls_ecp_point_free( &grp->G );
+        mbedtls_mpi_free( &grp->N );
+    }
+
+    if( grp->T != NULL )
+    {
+        for( i = 0; i < grp->T_size; i++ )
+            mbedtls_ecp_point_free( &grp->T[i] );
+        mbedtls_free( grp->T );
+    }
+
+    mbedtls_platform_zeroize( grp, sizeof( mbedtls_ecp_group ) );
+}
+
+/*
+ * Unallocate (the components of) a key pair
+ */
+void mbedtls_ecp_keypair_free( mbedtls_ecp_keypair *key )
+{
+    if( key == NULL )
+        return;
+
+    mbedtls_ecp_group_free( &key->grp );
+    mbedtls_mpi_free( &key->d );
+    mbedtls_ecp_point_free( &key->Q );
+}
+
+/*
+ * Copy the contents of a point
+ */
+int mbedtls_ecp_copy( mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
+{
+    int ret;
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( Q != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->X, &Q->X ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Y, &Q->Y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &P->Z, &Q->Z ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Copy the contents of a group object
+ */
+int mbedtls_ecp_group_copy( mbedtls_ecp_group *dst, const mbedtls_ecp_group *src )
+{
+    ECP_VALIDATE_RET( dst != NULL );
+    ECP_VALIDATE_RET( src != NULL );
+
+    return( mbedtls_ecp_group_load( dst, src->id ) );
+}
+
+/*
+ * Set point to zero
+ */
+int mbedtls_ecp_set_zero( mbedtls_ecp_point *pt )
+{
+    int ret;
+    ECP_VALIDATE_RET( pt != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->X , 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Y , 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z , 0 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Tell if a point is zero
+ */
+int mbedtls_ecp_is_zero( mbedtls_ecp_point *pt )
+{
+    ECP_VALIDATE_RET( pt != NULL );
+
+    return( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 );
+}
+
+/*
+ * Compare two points lazily
+ */
+int mbedtls_ecp_point_cmp( const mbedtls_ecp_point *P,
+                           const mbedtls_ecp_point *Q )
+{
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( Q != NULL );
+
+    if( mbedtls_mpi_cmp_mpi( &P->X, &Q->X ) == 0 &&
+        mbedtls_mpi_cmp_mpi( &P->Y, &Q->Y ) == 0 &&
+        mbedtls_mpi_cmp_mpi( &P->Z, &Q->Z ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Import a non-zero point from ASCII strings
+ */
+int mbedtls_ecp_point_read_string( mbedtls_ecp_point *P, int radix,
+                           const char *x, const char *y )
+{
+    int ret;
+    ECP_VALIDATE_RET( P != NULL );
+    ECP_VALIDATE_RET( x != NULL );
+    ECP_VALIDATE_RET( y != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->X, radix, x ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &P->Y, radix, y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Export a point into unsigned binary data (SEC1 2.3.3)
+ */
+int mbedtls_ecp_point_write_binary( const mbedtls_ecp_group *grp,
+                                    const mbedtls_ecp_point *P,
+                                    int format, size_t *olen,
+                                    unsigned char *buf, size_t buflen )
+{
+    int ret = 0;
+    size_t plen;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( P    != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                      format == MBEDTLS_ECP_PF_COMPRESSED );
+
+    /*
+     * Common case: P == 0
+     */
+    if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
+    {
+        if( buflen < 1 )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x00;
+        *olen = 1;
+
+        return( 0 );
+    }
+
+    plen = mbedtls_mpi_size( &grp->P );
+
+    if( format == MBEDTLS_ECP_PF_UNCOMPRESSED )
+    {
+        *olen = 2 * plen + 1;
+
+        if( buflen < *olen )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x04;
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->Y, buf + 1 + plen, plen ) );
+    }
+    else if( format == MBEDTLS_ECP_PF_COMPRESSED )
+    {
+        *olen = plen + 1;
+
+        if( buflen < *olen )
+            return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+        buf[0] = 0x02 + mbedtls_mpi_get_bit( &P->Y, 0 );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &P->X, buf + 1, plen ) );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Import a point from unsigned binary data (SEC1 2.3.4)
+ */
+int mbedtls_ecp_point_read_binary( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *pt,
+                                   const unsigned char *buf, size_t ilen )
+{
+    int ret;
+    size_t plen;
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+    ECP_VALIDATE_RET( buf != NULL );
+
+    if( ilen < 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( buf[0] == 0x00 )
+    {
+        if( ilen == 1 )
+            return( mbedtls_ecp_set_zero( pt ) );
+        else
+            return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    plen = mbedtls_mpi_size( &grp->P );
+
+    if( buf[0] != 0x04 )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    if( ilen != 2 * plen + 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->X, buf + 1, plen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &pt->Y, buf + 1 + plen, plen ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Import a point from a TLS ECPoint record (RFC 4492)
+ *      struct {
+ *          opaque point <1..2^8-1>;
+ *      } ECPoint;
+ */
+int mbedtls_ecp_tls_read_point( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *pt,
+                                const unsigned char **buf, size_t buf_len )
+{
+    unsigned char data_len;
+    const unsigned char *buf_start;
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+    ECP_VALIDATE_RET( buf != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
+
+    /*
+     * We must have at least two bytes (1 for length, at least one for data)
+     */
+    if( buf_len < 2 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    data_len = *(*buf)++;
+    if( data_len < 1 || data_len > buf_len - 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Save buffer start for read_binary and update buf
+     */
+    buf_start = *buf;
+    *buf += data_len;
+
+    return( mbedtls_ecp_point_read_binary( grp, pt, buf_start, data_len ) );
+}
+
+/*
+ * Export a point as a TLS ECPoint record (RFC 4492)
+ *      struct {
+ *          opaque point <1..2^8-1>;
+ *      } ECPoint;
+ */
+int mbedtls_ecp_tls_write_point( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt,
+                         int format, size_t *olen,
+                         unsigned char *buf, size_t blen )
+{
+    int ret;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( pt   != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( format == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+                      format == MBEDTLS_ECP_PF_COMPRESSED );
+
+    /*
+     * buffer length must be at least one, for our length byte
+     */
+    if( blen < 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_ecp_point_write_binary( grp, pt, format,
+                    olen, buf + 1, blen - 1) ) != 0 )
+        return( ret );
+
+    /*
+     * write length to the first byte and update total length
+     */
+    buf[0] = (unsigned char) *olen;
+    ++*olen;
+
+    return( 0 );
+}
+
+/*
+ * Set a group from an ECParameters record (RFC 4492)
+ */
+int mbedtls_ecp_tls_read_group( mbedtls_ecp_group *grp,
+                                const unsigned char **buf, size_t len )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
+
+    if( ( ret = mbedtls_ecp_tls_read_group_id( &grp_id, buf, len ) ) != 0 )
+        return( ret );
+
+    return( mbedtls_ecp_group_load( grp, grp_id ) );
+}
+
+/*
+ * Read a group id from an ECParameters record (RFC 4492) and convert it to
+ * mbedtls_ecp_group_id.
+ */
+int mbedtls_ecp_tls_read_group_id( mbedtls_ecp_group_id *grp,
+                                   const unsigned char **buf, size_t len )
+{
+    uint16_t tls_id;
+    const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( *buf != NULL );
+
+    /*
+     * We expect at least three bytes (see below)
+     */
+    if( len < 3 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * First byte is curve_type; only named_curve is handled
+     */
+    if( *(*buf)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * Next two bytes are the namedcurve value
+     */
+    tls_id = *(*buf)++;
+    tls_id <<= 8;
+    tls_id |= *(*buf)++;
+
+    if( ( curve_info = mbedtls_ecp_curve_info_from_tls_id( tls_id ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    *grp = curve_info->grp_id;
+
+    return( 0 );
+}
+
+/*
+ * Write the ECParameters record corresponding to a group (RFC 4492)
+ */
+int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
+                         unsigned char *buf, size_t blen )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+    ECP_VALIDATE_RET( grp  != NULL );
+    ECP_VALIDATE_RET( buf  != NULL );
+    ECP_VALIDATE_RET( olen != NULL );
+
+    if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( grp->id ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /*
+     * We are going to write 3 bytes (see below)
+     */
+    *olen = 3;
+    if( blen < *olen )
+        return( MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL );
+
+    /*
+     * First byte is curve_type, always named_curve
+     */
+    *buf++ = MBEDTLS_ECP_TLS_NAMED_CURVE;
+
+    /*
+     * Next two bytes are the namedcurve value
+     */
+    buf[0] = curve_info->tls_id >> 8;
+    buf[1] = curve_info->tls_id & 0xFF;
+
+    return( 0 );
+}
+
+/*
+ * Wrapper around fast quasi-modp functions, with fall-back to mbedtls_mpi_mod_mpi.
+ * See the documentation of struct mbedtls_ecp_group.
+ *
+ * This function is in the critial loop for mbedtls_ecp_mul, so pay attention to perf.
+ */
+static int ecp_modp( mbedtls_mpi *N, const mbedtls_ecp_group *grp )
+{
+    int ret;
+
+    if( grp->modp == NULL )
+        return( mbedtls_mpi_mod_mpi( N, N, &grp->P ) );
+
+    /* N->s < 0 is a much faster test, which fails only if N is 0 */
+    if( ( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 ) ||
+        mbedtls_mpi_bitlen( N ) > 2 * grp->pbits )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    MBEDTLS_MPI_CHK( grp->modp( N ) );
+
+    /* N->s < 0 is a much faster test, which fails only if N is 0 */
+    while( N->s < 0 && mbedtls_mpi_cmp_int( N, 0 ) != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &grp->P ) );
+
+    while( mbedtls_mpi_cmp_mpi( N, &grp->P ) >= 0 )
+        /* we known P, N and the result are positive */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, N, &grp->P ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Fast mod-p functions expect their argument to be in the 0..p^2 range.
+ *
+ * In order to guarantee that, we need to ensure that operands of
+ * mbedtls_mpi_mul_mpi are in the 0..p range. So, after each operation we will
+ * bring the result back to this range.
+ *
+ * The following macros are shortcuts for doing that.
+ */
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, general case, to use after mbedtls_mpi_mul_mpi
+ */
+#if defined(MBEDTLS_SELF_TEST)
+#define INC_MUL_COUNT   mul_count++;
+#else
+#define INC_MUL_COUNT
+#endif
+
+#define MOD_MUL( N )                                                    \
+    do                                                                  \
+    {                                                                   \
+        MBEDTLS_MPI_CHK( ecp_modp( &(N), grp ) );                       \
+        INC_MUL_COUNT                                                   \
+    } while( 0 )
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_sub_mpi
+ * N->s < 0 is a very fast test, which fails only if N is 0
+ */
+#define MOD_SUB( N )                                                    \
+    while( (N).s < 0 && mbedtls_mpi_cmp_int( &(N), 0 ) != 0 )           \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &(N), &(N), &grp->P ) )
+
+/*
+ * Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
+ * We known P, N and the result are positive, so sub_abs is correct, and
+ * a bit faster.
+ */
+#define MOD_ADD( N )                                                    \
+    while( mbedtls_mpi_cmp_mpi( &(N), &grp->P ) >= 0 )                  \
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &(N), &(N), &grp->P ) )
+
+#if defined(ECP_SHORTWEIERSTRASS)
+/*
+ * For curves in short Weierstrass form, we do all the internal operations in
+ * Jacobian coordinates.
+ *
+ * For multiplication, we'll use a comb method with coutermeasueres against
+ * SPA, hence timing attacks.
+ */
+
+/*
+ * Normalize jacobian coordinates so that Z == 0 || Z == 1  (GECC 3.2.1)
+ * Cost: 1N := 1I + 3M + 1S
+ */
+static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt )
+{
+    int ret;
+    mbedtls_mpi Zi, ZZi;
+
+    if( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 )
+        return( 0 );
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_jac( grp, pt ) );
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+
+    mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
+
+    /*
+     * X = X / Z^2  mod p
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &Zi,      &pt->Z,     &grp->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,        &Zi     ) ); MOD_MUL( ZZi );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ZZi    ) ); MOD_MUL( pt->X );
+
+    /*
+     * Y = Y / Z^3  mod p
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ZZi    ) ); MOD_MUL( pt->Y );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &Zi     ) ); MOD_MUL( pt->Y );
+
+    /*
+     * Z = 1
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
+
+    return( ret );
+}
+
+/*
+ * Normalize jacobian coordinates of an array of (pointers to) points,
+ * using Montgomery's trick to perform only one inversion mod P.
+ * (See for example Cohen's "A Course in Computational Algebraic Number
+ * Theory", Algorithm 10.3.4.)
+ *
+ * Warning: fails (returning an error) if one of the points is zero!
+ * This should never happen, see choice of w in ecp_mul_comb().
+ *
+ * Cost: 1N(t) := 1I + (6t - 3)M + 1S
+ */
+static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
+                                   mbedtls_ecp_point *T[], size_t T_size )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi *c, u, Zi, ZZi;
+
+    if( T_size < 2 )
+        return( ecp_normalize_jac( grp, *T ) );
+
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_jac_many( grp, T, T_size ) );
+#endif
+
+    if( ( c = mbedtls_calloc( T_size, sizeof( mbedtls_mpi ) ) ) == NULL )
+        return( MBEDTLS_ERR_ECP_ALLOC_FAILED );
+
+    for( i = 0; i < T_size; i++ )
+        mbedtls_mpi_init( &c[i] );
+
+    mbedtls_mpi_init( &u ); mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
+
+    /*
+     * c[i] = Z_0 * ... * Z_i
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &c[0], &T[0]->Z ) );
+    for( i = 1; i < T_size; i++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &c[i], &c[i-1], &T[i]->Z ) );
+        MOD_MUL( c[i] );
+    }
+
+    /*
+     * u = 1 / (Z_0 * ... * Z_n) mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &u, &c[T_size-1], &grp->P ) );
+
+    for( i = T_size - 1; ; i-- )
+    {
+        /*
+         * Zi = 1 / Z_i mod p
+         * u = 1 / (Z_0 * ... * Z_i) mod P
+         */
+        if( i == 0 ) {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &Zi, &u ) );
+        }
+        else
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Zi, &u, &c[i-1]  ) ); MOD_MUL( Zi );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &u,  &u, &T[i]->Z ) ); MOD_MUL( u );
+        }
+
+        /*
+         * proceed as in normalize()
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ZZi,     &Zi,      &Zi  ) ); MOD_MUL( ZZi );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->X, &T[i]->X, &ZZi ) ); MOD_MUL( T[i]->X );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &ZZi ) ); MOD_MUL( T[i]->Y );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T[i]->Y, &T[i]->Y, &Zi  ) ); MOD_MUL( T[i]->Y );
+
+        /*
+         * Post-precessing: reclaim some memory by shrinking coordinates
+         * - not storing Z (always 1)
+         * - shrinking other coordinates, but still keeping the same number of
+         *   limbs as P, as otherwise it will too likely be regrown too fast.
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->X, grp->P.n ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shrink( &T[i]->Y, grp->P.n ) );
+        mbedtls_mpi_free( &T[i]->Z );
+
+        if( i == 0 )
+            break;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &u ); mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
+    for( i = 0; i < T_size; i++ )
+        mbedtls_mpi_free( &c[i] );
+    mbedtls_free( c );
+
+    return( ret );
+}
+
+/*
+ * Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
+ * "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
+ */
+static int ecp_safe_invert_jac( const mbedtls_ecp_group *grp,
+                            mbedtls_ecp_point *Q,
+                            unsigned char inv )
+{
+    int ret;
+    unsigned char nonzero;
+    mbedtls_mpi mQY;
+
+    mbedtls_mpi_init( &mQY );
+
+    /* Use the fact that -Q.Y mod P = P - Q.Y unless Q.Y == 0 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mQY, &grp->P, &Q->Y ) );
+    nonzero = mbedtls_mpi_cmp_int( &Q->Y, 0 ) != 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &Q->Y, &mQY, inv & nonzero ) );
+
+cleanup:
+    mbedtls_mpi_free( &mQY );
+
+    return( ret );
+}
+
+/*
+ * Point doubling R = 2 P, Jacobian coordinates
+ *
+ * Based on http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-1998-cmo-2 .
+ *
+ * We follow the variable naming fairly closely. The formula variations that trade a MUL for a SQR
+ * (plus a few ADDs) aren't useful as our bignum implementation doesn't distinguish squaring.
+ *
+ * Standard optimizations are applied when curve parameter A is one of { 0, -3 }.
+ *
+ * Cost: 1D := 3M + 4S          (A ==  0)
+ *             4M + 4S          (A == -3)
+ *             3M + 6S + 1a     otherwise
+ */
+static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                           const mbedtls_ecp_point *P )
+{
+    int ret;
+    mbedtls_mpi M, S, T, U;
+
+#if defined(MBEDTLS_SELF_TEST)
+    dbl_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_double_jac( grp, R, P ) );
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+
+    mbedtls_mpi_init( &M ); mbedtls_mpi_init( &S ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &U );
+
+    /* Special case for A = -3 */
+    if( grp->A.p == NULL )
+    {
+        /* M = 3(X + Z^2)(X - Z^2) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T,  &P->X,  &S      ) ); MOD_ADD( T );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &U,  &P->X,  &S      ) ); MOD_SUB( U );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &U      ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
+    }
+    else
+    {
+        /* M = 3.X^2 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &P->X   ) ); MOD_MUL( S );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M,  &S,     3       ) ); MOD_ADD( M );
+
+        /* Optimize away for "koblitz" curves with A = 0 */
+        if( mbedtls_mpi_cmp_int( &grp->A, 0 ) != 0 )
+        {
+            /* M += A.Z^4 */
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->Z,  &P->Z   ) ); MOD_MUL( S );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &S,     &S      ) ); MOD_MUL( T );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &T,     &grp->A ) ); MOD_MUL( S );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M,  &M,     &S      ) ); MOD_ADD( M );
+        }
+    }
+
+    /* S = 4.X.Y^2 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &P->Y,  &P->Y   ) ); MOD_MUL( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &T,  1               ) ); MOD_ADD( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &P->X,  &T      ) ); MOD_MUL( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &S,  1               ) ); MOD_ADD( S );
+
+    /* U = 8.Y^4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &T,     &T      ) ); MOD_MUL( U );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
+
+    /* T = M^2 - 2.S */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T,  &M,     &M      ) ); MOD_MUL( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T,  &T,     &S      ) ); MOD_SUB( T );
+
+    /* S = M(S - T) - U */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &T      ) ); MOD_SUB( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S,  &S,     &M      ) ); MOD_MUL( S );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S,  &S,     &U      ) ); MOD_SUB( S );
+
+    /* U = 2.Y.Z */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &U,  &P->Y,  &P->Z   ) ); MOD_MUL( U );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &U,  1               ) ); MOD_ADD( U );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &T ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &S ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &U ) );
+
+cleanup:
+    mbedtls_mpi_free( &M ); mbedtls_mpi_free( &S ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &U );
+
+    return( ret );
+}
+
+/*
+ * Addition: R = P + Q, mixed affine-Jacobian coordinates (GECC 3.22)
+ *
+ * The coordinates of Q must be normalized (= affine),
+ * but those of P don't need to. R is not normalized.
+ *
+ * Special cases: (1) P or Q is zero, (2) R is zero, (3) P == Q.
+ * None of these cases can happen as intermediate step in ecp_mul_comb():
+ * - at each step, P, Q and R are multiples of the base point, the factor
+ *   being less than its order, so none of them is zero;
+ * - Q is an odd multiple of the base point, P an even multiple,
+ *   due to the choice of precomputed points in the modified comb method.
+ * So branches for these cases do not leak secret information.
+ *
+ * We accept Q->Z being unset (saving memory in tables) as meaning 1.
+ *
+ * Cost: 1A := 8M + 3S
+ */
+static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                          const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
+{
+    int ret;
+    mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
+
+#if defined(MBEDTLS_SELF_TEST)
+    add_count++;
+#endif
+
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_add_mixed( grp, R, P, Q ) );
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+
+    /*
+     * Trivial cases: P == 0 or Q == 0 (case 1)
+     */
+    if( mbedtls_mpi_cmp_int( &P->Z, 0 ) == 0 )
+        return( mbedtls_ecp_copy( R, Q ) );
+
+    if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 0 ) == 0 )
+        return( mbedtls_ecp_copy( R, P ) );
+
+    /*
+     * Make sure Q coordinates are normalized
+     */
+    if( Q->Z.p != NULL && mbedtls_mpi_cmp_int( &Q->Z, 1 ) != 0 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); mbedtls_mpi_init( &T3 ); mbedtls_mpi_init( &T4 );
+    mbedtls_mpi_init( &X ); mbedtls_mpi_init( &Y ); mbedtls_mpi_init( &Z );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &P->Z,  &P->Z ) );  MOD_MUL( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T1,    &P->Z ) );  MOD_MUL( T2 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T1,  &T1,    &Q->X ) );  MOD_MUL( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T2,  &T2,    &Q->Y ) );  MOD_MUL( T2 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T1,  &T1,    &P->X ) );  MOD_SUB( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T2,  &T2,    &P->Y ) );  MOD_SUB( T2 );
+
+    /* Special cases (2) and (3) */
+    if( mbedtls_mpi_cmp_int( &T1, 0 ) == 0 )
+    {
+        if( mbedtls_mpi_cmp_int( &T2, 0 ) == 0 )
+        {
+            ret = ecp_double_jac( grp, R, P );
+            goto cleanup;
+        }
+        else
+        {
+            ret = mbedtls_ecp_set_zero( R );
+            goto cleanup;
+        }
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &Z,   &P->Z,  &T1   ) );  MOD_MUL( Z  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T1,    &T1   ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T3,    &T1   ) );  MOD_MUL( T4 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &P->X ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T1,  &T3,    2     ) );  MOD_ADD( T1 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &X,   &T2,    &T2   ) );  MOD_MUL( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T1   ) );  MOD_SUB( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &X,   &X,     &T4   ) );  MOD_SUB( X  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T3,  &T3,    &X    ) );  MOD_SUB( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T3,  &T3,    &T2   ) );  MOD_MUL( T3 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T4,  &T4,    &P->Y ) );  MOD_MUL( T4 );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &Y,   &T3,    &T4   ) );  MOD_SUB( Y  );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->X, &X ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Y, &Y ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &R->Z, &Z ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); mbedtls_mpi_free( &T3 ); mbedtls_mpi_free( &T4 );
+    mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
+
+    return( ret );
+}
+
+/*
+ * Randomize jacobian coordinates:
+ * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_jac().
+ *
+ * This countermeasure was first suggested in [2].
+ */
+static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_mpi l, ll;
+    size_t p_size;
+    int count = 0;
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng ) );
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+
+    p_size = ( grp->pbits + 7 ) / 8;
+    mbedtls_mpi_init( &l ); mbedtls_mpi_init( &ll );
+
+    /* Generate l such that 1 < l < p */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+    }
+    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+
+    /* Z = l * Z */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Z,   &pt->Z,     &l  ) ); MOD_MUL( pt->Z );
+
+    /* X = l^2 * X */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &l,         &l  ) ); MOD_MUL( ll );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->X,   &pt->X,     &ll ) ); MOD_MUL( pt->X );
+
+    /* Y = l^3 * Y */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ll,      &ll,        &l  ) ); MOD_MUL( ll );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &pt->Y,   &pt->Y,     &ll ) ); MOD_MUL( pt->Y );
+
+cleanup:
+    mbedtls_mpi_free( &l ); mbedtls_mpi_free( &ll );
+
+    return( ret );
+}
+
+/*
+ * Check and define parameters used by the comb method (see below for details)
+ */
+#if MBEDTLS_ECP_WINDOW_SIZE < 2 || MBEDTLS_ECP_WINDOW_SIZE > 7
+#error "MBEDTLS_ECP_WINDOW_SIZE out of bounds"
+#endif
+
+/* d = ceil( n / w ) */
+#define COMB_MAX_D      ( MBEDTLS_ECP_MAX_BITS + 1 ) / 2
+
+/* number of precomputed points */
+#define COMB_MAX_PRE    ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
+
+/*
+ * Compute the representation of m that will be used with our comb method.
+ *
+ * The basic comb method is described in GECC 3.44 for example. We use a
+ * modified version that provides resistance to SPA by avoiding zero
+ * digits in the representation as in [3]. We modify the method further by
+ * requiring that all K_i be odd, which has the small cost that our
+ * representation uses one more K_i, due to carries, but saves on the size of
+ * the precomputed table.
+ *
+ * Summary of the comb method and its modifications:
+ *
+ * - The goal is to compute m*P for some w*d-bit integer m.
+ *
+ * - The basic comb method splits m into the w-bit integers
+ *   x[0] .. x[d-1] where x[i] consists of the bits in m whose
+ *   index has residue i modulo d, and computes m * P as
+ *   S[x[0]] + 2 * S[x[1]] + .. + 2^(d-1) S[x[d-1]], where
+ *   S[i_{w-1} .. i_0] := i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + i_0 P.
+ *
+ * - If it happens that, say, x[i+1]=0 (=> S[x[i+1]]=0), one can replace the sum by
+ *    .. + 2^{i-1} S[x[i-1]] - 2^i S[x[i]] + 2^{i+1} S[x[i]] + 2^{i+2} S[x[i+2]] ..,
+ *   thereby successively converting it into a form where all summands
+ *   are nonzero, at the cost of negative summands. This is the basic idea of [3].
+ *
+ * - More generally, even if x[i+1] != 0, we can first transform the sum as
+ *   .. - 2^i S[x[i]] + 2^{i+1} ( S[x[i]] + S[x[i+1]] ) + 2^{i+2} S[x[i+2]] ..,
+ *   and then replace S[x[i]] + S[x[i+1]] = S[x[i] ^ x[i+1]] + 2 S[x[i] & x[i+1]].
+ *   Performing and iterating this procedure for those x[i] that are even
+ *   (keeping track of carry), we can transform the original sum into one of the form
+ *   S[x'[0]] +- 2 S[x'[1]] +- .. +- 2^{d-1} S[x'[d-1]] + 2^d S[x'[d]]
+ *   with all x'[i] odd. It is therefore only necessary to know S at odd indices,
+ *   which is why we are only computing half of it in the first place in
+ *   ecp_precompute_comb and accessing it with index abs(i) / 2 in ecp_select_comb.
+ *
+ * - For the sake of compactness, only the seven low-order bits of x[i]
+ *   are used to represent its absolute value (K_i in the paper), and the msb
+ *   of x[i] encodes the sign (s_i in the paper): it is set if and only if
+ *   if s_i == -1;
+ *
+ * Calling conventions:
+ * - x is an array of size d + 1
+ * - w is the size, ie number of teeth, of the comb, and must be between
+ *   2 and 7 (in practice, between 2 and MBEDTLS_ECP_WINDOW_SIZE)
+ * - m is the MPI, expected to be odd and such that bitlength(m) <= w * d
+ *   (the result will be incorrect if these assumptions are not satisfied)
+ */
+static void ecp_comb_recode_core( unsigned char x[], size_t d,
+                                  unsigned char w, const mbedtls_mpi *m )
+{
+    size_t i, j;
+    unsigned char c, cc, adjust;
+
+    memset( x, 0, d+1 );
+
+    /* First get the classical comb values (except for x_d = 0) */
+    for( i = 0; i < d; i++ )
+        for( j = 0; j < w; j++ )
+            x[i] |= mbedtls_mpi_get_bit( m, i + d * j ) << j;
+
+    /* Now make sure x_1 .. x_d are odd */
+    c = 0;
+    for( i = 1; i <= d; i++ )
+    {
+        /* Add carry and update it */
+        cc   = x[i] & c;
+        x[i] = x[i] ^ c;
+        c = cc;
+
+        /* Adjust if needed, avoiding branches */
+        adjust = 1 - ( x[i] & 0x01 );
+        c   |= x[i] & ( x[i-1] * adjust );
+        x[i] = x[i] ^ ( x[i-1] * adjust );
+        x[i-1] |= adjust << 7;
+    }
+}
+
+/*
+ * Precompute points for the adapted comb method
+ *
+ * Assumption: T must be able to hold 2^{w - 1} elements.
+ *
+ * Operation: If i = i_{w-1} ... i_1 is the binary representation of i,
+ *            sets T[i] = i_{w-1} 2^{(w-1)d} P + ... + i_1 2^d P + P.
+ *
+ * Cost: d(w-1) D + (2^{w-1} - 1) A + 1 N(w-1) + 1 N(2^{w-1} - 1)
+ *
+ * Note: Even comb values (those where P would be omitted from the
+ *       sum defining T[i] above) are not needed in our adaption
+ *       the comb method. See ecp_comb_recode_core().
+ *
+ * This function currently works in four steps:
+ * (1) [dbl]      Computation of intermediate T[i] for 2-power values of i
+ * (2) [norm_dbl] Normalization of coordinates of these T[i]
+ * (3) [add]      Computation of all T[i]
+ * (4) [norm_add] Normalization of all T[i]
+ *
+ * Step 1 can be interrupted but not the others; together with the final
+ * coordinate normalization they are the largest steps done at once, depending
+ * on the window size. Here are operation counts for P-256:
+ *
+ * step     (2)     (3)     (4)
+ * w = 5    142     165     208
+ * w = 4    136      77     160
+ * w = 3    130      33     136
+ * w = 2    124      11     124
+ *
+ * So if ECC operations are blocking for too long even with a low max_ops
+ * value, it's useful to set MBEDTLS_ECP_WINDOW_SIZE to a lower value in order
+ * to minimize maximum blocking time.
+ */
+static int ecp_precompute_comb( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point T[], const mbedtls_ecp_point *P,
+                                unsigned char w, size_t d,
+                                mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char i;
+    size_t j = 0;
+    const unsigned char T_size = 1U << ( w - 1 );
+    mbedtls_ecp_point *cur, *TT[COMB_MAX_PRE - 1];
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
+            goto dbl;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_norm_dbl )
+            goto norm_dbl;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_add )
+            goto add;
+        if( rs_ctx->rsm->state == ecp_rsm_pre_norm_add )
+            goto norm_add;
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        rs_ctx->rsm->state = ecp_rsm_pre_dbl;
+
+        /* initial state for the loop */
+        rs_ctx->rsm->i = 0;
+    }
+
+dbl:
+#endif
+    /*
+     * Set T[0] = P and
+     * T[2^{l-1}] = 2^{dl} P for l = 1 .. w-1 (this is not the final value)
+     */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &T[0], P ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
+        j = rs_ctx->rsm->i;
+    else
+#endif
+        j = 0;
+
+    for( ; j < d * ( w - 1 ); j++ )
+    {
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL );
+
+        i = 1U << ( j / d );
+        cur = T + i;
+
+        if( j % d == 0 )
+            MBEDTLS_MPI_CHK( mbedtls_ecp_copy( cur, T + ( i >> 1 ) ) );
+
+        MBEDTLS_MPI_CHK( ecp_double_jac( grp, cur, cur ) );
+    }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_dbl;
+
+norm_dbl:
+#endif
+    /*
+     * Normalize current elements in T. As T has holes,
+     * use an auxiliary array of pointers to elements in T.
+     */
+    j = 0;
+    for( i = 1; i < T_size; i <<= 1 )
+        TT[j++] = T + i;
+
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_add;
+
+add:
+#endif
+    /*
+     * Compute the remaining ones using the minimal number of additions
+     * Be careful to update T[2^l] only after using it!
+     */
+    MBEDTLS_ECP_BUDGET( ( T_size - 1 ) * MBEDTLS_ECP_OPS_ADD );
+
+    for( i = 1; i < T_size; i <<= 1 )
+    {
+        j = i;
+        while( j-- )
+            MBEDTLS_MPI_CHK( ecp_add_mixed( grp, &T[i + j], &T[j], &T[i] ) );
+    }
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_pre_norm_add;
+
+norm_add:
+#endif
+    /*
+     * Normalize final elements in T. Even though there are no holes now, we
+     * still need the auxiliary array for homogeneity with the previous
+     * call. Also, skip T[0] which is already normalised, being a copy of P.
+     */
+    for( j = 0; j + 1 < T_size; j++ )
+        TT[j] = T + j + 1;
+
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV + 6 * j - 2 );
+
+    MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, j ) );
+
+cleanup:
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+    {
+        if( rs_ctx->rsm->state == ecp_rsm_pre_dbl )
+            rs_ctx->rsm->i = j;
+    }
+#endif
+
+    return( ret );
+}
+
+/*
+ * Select precomputed point: R = sign(i) * T[ abs(i) / 2 ]
+ *
+ * See ecp_comb_recode_core() for background
+ */
+static int ecp_select_comb( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                            const mbedtls_ecp_point T[], unsigned char T_size,
+                            unsigned char i )
+{
+    int ret;
+    unsigned char ii, j;
+
+    /* Ignore the "sign" bit and scale down */
+    ii =  ( i & 0x7Fu ) >> 1;
+
+    /* Read the whole table to thwart cache-based timing attacks */
+    for( j = 0; j < T_size; j++ )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->X, &T[j].X, j == ii ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &R->Y, &T[j].Y, j == ii ) );
+    }
+
+    /* Safely invert result if i is "negative" */
+    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, R, i >> 7 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Core multiplication algorithm for the (modified) comb method.
+ * This part is actually common with the basic comb method (GECC 3.44)
+ *
+ * Cost: d A + d D + 1 R
+ */
+static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                              const mbedtls_ecp_point T[], unsigned char T_size,
+                              const unsigned char x[], size_t d,
+                              int (*f_rng)(void *, unsigned char *, size_t),
+                              void *p_rng,
+                              mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_ecp_point Txi;
+    size_t i;
+
+    mbedtls_ecp_point_init( &Txi );
+
+#if !defined(MBEDTLS_ECP_RESTARTABLE)
+    (void) rs_ctx;
+#endif
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        rs_ctx->rsm->state != ecp_rsm_comb_core )
+    {
+        rs_ctx->rsm->i = 0;
+        rs_ctx->rsm->state = ecp_rsm_comb_core;
+    }
+
+    /* new 'if' instead of nested for the sake of the 'else' branch */
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->i != 0 )
+    {
+        /* restore current index (R already pointing to rs_ctx->rsm->R) */
+        i = rs_ctx->rsm->i;
+    }
+    else
+#endif
+    {
+        /* Start with a non-zero point and randomize its coordinates */
+        i = d;
+        MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
+        if( f_rng != 0 )
+            MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
+    }
+
+    while( i != 0 )
+    {
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_DBL + MBEDTLS_ECP_OPS_ADD );
+        --i;
+
+        MBEDTLS_MPI_CHK( ecp_double_jac( grp, R, R ) );
+        MBEDTLS_MPI_CHK( ecp_select_comb( grp, &Txi, T, T_size, x[i] ) );
+        MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, R, &Txi ) );
+    }
+
+cleanup:
+
+    mbedtls_ecp_point_free( &Txi );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL &&
+        ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+    {
+        rs_ctx->rsm->i = i;
+        /* no need to save R, already pointing to rs_ctx->rsm->R */
+    }
+#endif
+
+    return( ret );
+}
+
+/*
+ * Recode the scalar to get constant-time comb multiplication
+ *
+ * As the actual scalar recoding needs an odd scalar as a starting point,
+ * this wrapper ensures that by replacing m by N - m if necessary, and
+ * informs the caller that the result of multiplication will be negated.
+ *
+ * This works because we only support large prime order for Short Weierstrass
+ * curves, so N is always odd hence either m or N - m is.
+ *
+ * See ecp_comb_recode_core() for background.
+ */
+static int ecp_comb_recode_scalar( const mbedtls_ecp_group *grp,
+                                   const mbedtls_mpi *m,
+                                   unsigned char k[COMB_MAX_D + 1],
+                                   size_t d,
+                                   unsigned char w,
+                                   unsigned char *parity_trick )
+{
+    int ret;
+    mbedtls_mpi M, mm;
+
+    mbedtls_mpi_init( &M );
+    mbedtls_mpi_init( &mm );
+
+    /* N is always odd (see above), just make extra sure */
+    if( mbedtls_mpi_get_bit( &grp->N, 0 ) != 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    /* do we need the parity trick? */
+    *parity_trick = ( mbedtls_mpi_get_bit( m, 0 ) == 0 );
+
+    /* execute parity fix in constant time */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &M, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &mm, &grp->N, m ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( &M, &mm, *parity_trick ) );
+
+    /* actual scalar recoding */
+    ecp_comb_recode_core( k, d, w, &M );
+
+cleanup:
+    mbedtls_mpi_free( &mm );
+    mbedtls_mpi_free( &M );
+
+    return( ret );
+}
+
+/*
+ * Perform comb multiplication (for short Weierstrass curves)
+ * once the auxiliary table has been pre-computed.
+ *
+ * Scalar recoding may use a parity trick that makes us compute -m * P,
+ * if that is the case we'll need to recover m * P at the end.
+ */
+static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
+                                mbedtls_ecp_point *R,
+                                const mbedtls_mpi *m,
+                                const mbedtls_ecp_point *T,
+                                unsigned char T_size,
+                                unsigned char w,
+                                size_t d,
+                                int (*f_rng)(void *, unsigned char *, size_t),
+                                void *p_rng,
+                                mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char parity_trick;
+    unsigned char k[COMB_MAX_D + 1];
+    mbedtls_ecp_point *RR = R;
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+    {
+        RR = &rs_ctx->rsm->R;
+
+        if( rs_ctx->rsm->state == ecp_rsm_final_norm )
+            goto final_norm;
+    }
+#endif
+
+    MBEDTLS_MPI_CHK( ecp_comb_recode_scalar( grp, m, k, d, w,
+                                            &parity_trick ) );
+    MBEDTLS_MPI_CHK( ecp_mul_comb_core( grp, RR, T, T_size, k, d,
+                                        f_rng, p_rng, rs_ctx ) );
+    MBEDTLS_MPI_CHK( ecp_safe_invert_jac( grp, RR, parity_trick ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        rs_ctx->rsm->state = ecp_rsm_final_norm;
+
+final_norm:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, RR ) );
+#endif
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Pick window size based on curve size and whether we optimize for base point
+ */
+static unsigned char ecp_pick_window_size( const mbedtls_ecp_group *grp,
+                                           unsigned char p_eq_g )
+{
+    unsigned char w;
+
+    /*
+     * Minimize the number of multiplications, that is minimize
+     * 10 * d * w + 18 * 2^(w-1) + 11 * d + 7 * w, with d = ceil( nbits / w )
+     * (see costs of the various parts, with 1S = 1M)
+     */
+    w = grp->nbits >= 384 ? 5 : 4;
+
+    /*
+     * If P == G, pre-compute a bit more, since this may be re-used later.
+     * Just adding one avoids upping the cost of the first mul too much,
+     * and the memory cost too.
+     */
+    if( p_eq_g )
+        w++;
+
+    /*
+     * Make sure w is within bounds.
+     * (The last test is useful only for very small curves in the test suite.)
+     */
+    if( w > MBEDTLS_ECP_WINDOW_SIZE )
+        w = MBEDTLS_ECP_WINDOW_SIZE;
+    if( w >= grp->nbits )
+        w = 2;
+
+    return( w );
+}
+
+/*
+ * Multiplication using the comb method - for curves in short Weierstrass form
+ *
+ * This function is mainly responsible for administrative work:
+ * - managing the restart context if enabled
+ * - managing the table of precomputed points (passed between the below two
+ *   functions): allocation, computation, ownership tranfer, freeing.
+ *
+ * It delegates the actual arithmetic work to:
+ *      ecp_precompute_comb() and ecp_mul_comb_with_precomp()
+ *
+ * See comments on ecp_comb_recode_core() regarding the computation strategy.
+ */
+static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                         const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    unsigned char w, p_eq_g, i;
+    size_t d;
+    unsigned char T_size, T_ok;
+    mbedtls_ecp_point *T;
+
+    ECP_RS_ENTER( rsm );
+
+    /* Is P the base point ? */
+#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
+    p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
+               mbedtls_mpi_cmp_mpi( &P->X, &grp->G.X ) == 0 );
+#else
+    p_eq_g = 0;
+#endif
+
+    /* Pick window size and deduce related sizes */
+    w = ecp_pick_window_size( grp, p_eq_g );
+    T_size = 1U << ( w - 1 );
+    d = ( grp->nbits + w - 1 ) / w;
+
+    /* Pre-computed table: do we have it already for the base point? */
+    if( p_eq_g && grp->T != NULL )
+    {
+        /* second pointer to the same table, will be deleted on exit */
+        T = grp->T;
+        T_ok = 1;
+    }
+    else
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* Pre-computed table: do we have one in progress? complete? */
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && rs_ctx->rsm->T != NULL )
+    {
+        /* transfer ownership of T from rsm to local function */
+        T = rs_ctx->rsm->T;
+        rs_ctx->rsm->T = NULL;
+        rs_ctx->rsm->T_size = 0;
+
+        /* This effectively jumps to the call to mul_comb_after_precomp() */
+        T_ok = rs_ctx->rsm->state >= ecp_rsm_comb_core;
+    }
+    else
+#endif
+    /* Allocate table if we didn't have any */
+    {
+        T = mbedtls_calloc( T_size, sizeof( mbedtls_ecp_point ) );
+        if( T == NULL )
+        {
+            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+            goto cleanup;
+        }
+
+        for( i = 0; i < T_size; i++ )
+            mbedtls_ecp_point_init( &T[i] );
+
+        T_ok = 0;
+    }
+
+    /* Compute table (or finish computing it) if not done already */
+    if( !T_ok )
+    {
+        MBEDTLS_MPI_CHK( ecp_precompute_comb( grp, T, P, w, d, rs_ctx ) );
+
+        if( p_eq_g )
+        {
+            /* almost transfer ownership of T to the group, but keep a copy of
+             * the pointer to use for calling the next function more easily */
+            grp->T = T;
+            grp->T_size = T_size;
+        }
+    }
+
+    /* Actual comb multiplication using precomputed points */
+    MBEDTLS_MPI_CHK( ecp_mul_comb_after_precomp( grp, R, m,
+                                                 T, T_size, w, d,
+                                                 f_rng, p_rng, rs_ctx ) );
+
+cleanup:
+
+    /* does T belong to the group? */
+    if( T == grp->T )
+        T = NULL;
+
+    /* does T belong to the restart context? */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->rsm != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS && T != NULL )
+    {
+        /* transfer ownership of T from local function to rsm */
+        rs_ctx->rsm->T_size = T_size;
+        rs_ctx->rsm->T = T;
+        T = NULL;
+    }
+#endif
+
+    /* did T belong to us? then let's destroy it! */
+    if( T != NULL )
+    {
+        for( i = 0; i < T_size; i++ )
+            mbedtls_ecp_point_free( &T[i] );
+        mbedtls_free( T );
+    }
+
+    /* don't free R while in progress in case R == P */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+    /* prevent caller from using invalid value */
+    if( ret != 0 )
+        mbedtls_ecp_point_free( R );
+
+    ECP_RS_LEAVE( rsm );
+
+    return( ret );
+}
+
+#endif /* ECP_SHORTWEIERSTRASS */
+
+#if defined(ECP_MONTGOMERY)
+/*
+ * For Montgomery curves, we do all the internal arithmetic in projective
+ * coordinates. Import/export of points uses only the x coordinates, which is
+ * internaly represented as X / Z.
+ *
+ * For scalar multiplication, we'll use a Montgomery ladder.
+ */
+
+/*
+ * Normalize Montgomery x/z coordinates: X = X/Z, Z = 1
+ * Cost: 1M + 1I
+ */
+static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P )
+{
+    int ret;
+
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_normalize_mxz( grp, P ) );
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &P->Z ) ); MOD_MUL( P->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Randomize projective x/z coordinates:
+ * (X, Z) -> (l X, l Z) for random l
+ * This is sort of the reverse operation of ecp_normalize_mxz().
+ *
+ * This countermeasure was first suggested in [2].
+ * Cost: 2M
+ */
+static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_mpi l;
+    size_t p_size;
+    int count = 0;
+
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng );
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+
+    p_size = ( grp->pbits + 7 ) / 8;
+    mbedtls_mpi_init( &l );
+
+    /* Generate l such that 1 < l < p */
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
+
+        while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
+
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+    }
+    while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &l ) ); MOD_MUL( P->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->Z, &P->Z, &l ) ); MOD_MUL( P->Z );
+
+cleanup:
+    mbedtls_mpi_free( &l );
+
+    return( ret );
+}
+
+/*
+ * Double-and-add: R = 2P, S = P + Q, with d = X(P - Q),
+ * for Montgomery curves in x/z coordinates.
+ *
+ * http://www.hyperelliptic.org/EFD/g1p/auto-code/montgom/xz/ladder/mladd-1987-m.op3
+ * with
+ * d =  X1
+ * P = (X2, Z2)
+ * Q = (X3, Z3)
+ * R = (X4, Z4)
+ * S = (X5, Z5)
+ * and eliminating temporary variables tO, ..., t4.
+ *
+ * Cost: 5M + 4S
+ */
+static int ecp_double_add_mxz( const mbedtls_ecp_group *grp,
+                               mbedtls_ecp_point *R, mbedtls_ecp_point *S,
+                               const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
+                               const mbedtls_mpi *d )
+{
+    int ret;
+    mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
+
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    if( mbedtls_internal_ecp_grp_capable( grp ) )
+        return( mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d ) );
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+
+    mbedtls_mpi_init( &A ); mbedtls_mpi_init( &AA ); mbedtls_mpi_init( &B );
+    mbedtls_mpi_init( &BB ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &C );
+    mbedtls_mpi_init( &D ); mbedtls_mpi_init( &DA ); mbedtls_mpi_init( &CB );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &A,    &P->X,   &P->Z ) ); MOD_ADD( A    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &AA,   &A,      &A    ) ); MOD_MUL( AA   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &B,    &P->X,   &P->Z ) ); MOD_SUB( B    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &BB,   &B,      &B    ) ); MOD_MUL( BB   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &E,    &AA,     &BB   ) ); MOD_SUB( E    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &C,    &Q->X,   &Q->Z ) ); MOD_ADD( C    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &D,    &Q->X,   &Q->Z ) ); MOD_SUB( D    );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DA,   &D,      &A    ) ); MOD_MUL( DA   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &CB,   &C,      &B    ) ); MOD_MUL( CB   );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &S->X, &DA,     &CB   ) ); MOD_MUL( S->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->X, &S->X,   &S->X ) ); MOD_MUL( S->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &S->Z, &DA,     &CB   ) ); MOD_SUB( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, &S->Z,   &S->Z ) ); MOD_MUL( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &S->Z, d,       &S->Z ) ); MOD_MUL( S->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->X, &AA,     &BB   ) ); MOD_MUL( R->X );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &grp->A, &E    ) ); MOD_MUL( R->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &R->Z, &BB,     &R->Z ) ); MOD_ADD( R->Z );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &R->Z, &E,      &R->Z ) ); MOD_MUL( R->Z );
+
+cleanup:
+    mbedtls_mpi_free( &A ); mbedtls_mpi_free( &AA ); mbedtls_mpi_free( &B );
+    mbedtls_mpi_free( &BB ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &C );
+    mbedtls_mpi_free( &D ); mbedtls_mpi_free( &DA ); mbedtls_mpi_free( &CB );
+
+    return( ret );
+}
+
+/*
+ * Multiplication with Montgomery ladder in x/z coordinates,
+ * for curves in Montgomery form
+ */
+static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+                        const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+                        int (*f_rng)(void *, unsigned char *, size_t),
+                        void *p_rng )
+{
+    int ret;
+    size_t i;
+    unsigned char b;
+    mbedtls_ecp_point RP;
+    mbedtls_mpi PX;
+
+    mbedtls_ecp_point_init( &RP ); mbedtls_mpi_init( &PX );
+
+    /* Save PX and read from P before writing to R, in case P == R */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &PX, &P->X ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &RP, P ) );
+
+    /* Set R to zero in modified x/z coordinates */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->X, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 0 ) );
+    mbedtls_mpi_free( &R->Y );
+
+    /* RP.X might be sligtly larger than P, so reduce it */
+    MOD_ADD( RP.X );
+
+    /* Randomize coordinates of the starting point */
+    if( f_rng != NULL )
+        MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
+
+    /* Loop invariant: R = result so far, RP = R + P */
+    i = mbedtls_mpi_bitlen( m ); /* one past the (zero-based) most significant bit */
+    while( i-- > 0 )
+    {
+        b = mbedtls_mpi_get_bit( m, i );
+        /*
+         *  if (b) R = 2R + P else R = 2R,
+         * which is:
+         *  if (b) double_add( RP, R, RP, R )
+         *  else   double_add( R, RP, R, RP )
+         * but using safe conditional swaps to avoid leaks
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
+        MBEDTLS_MPI_CHK( ecp_double_add_mxz( grp, R, &RP, R, &RP, &PX ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->X, &RP.X, b ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_swap( &R->Z, &RP.Z, b ) );
+    }
+
+    MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
+
+cleanup:
+    mbedtls_ecp_point_free( &RP ); mbedtls_mpi_free( &PX );
+
+    return( ret );
+}
+
+#endif /* ECP_MONTGOMERY */
+
+/*
+ * Restartable multiplication R = m * P
+ */
+int mbedtls_ecp_mul_restartable( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* reset ops count for this call if top-level */
+    if( rs_ctx != NULL && rs_ctx->depth++ == 0 )
+        rs_ctx->ops_done = 0;
+#endif
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
+        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    /* skip argument check when restarting */
+    if( rs_ctx == NULL || rs_ctx->rsm == NULL )
+#endif
+    {
+        /* check_privkey is free */
+        MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_CHK );
+
+        /* Common sanity checks */
+        MBEDTLS_MPI_CHK( mbedtls_ecp_check_privkey( grp, m ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_check_pubkey( grp, P ) );
+    }
+
+    ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+        MBEDTLS_MPI_CHK( ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ) );
+#endif
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+        MBEDTLS_MPI_CHK( ecp_mul_comb( grp, R, m, P, f_rng, p_rng, rs_ctx ) );
+#endif
+
+cleanup:
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( is_grp_capable )
+        mbedtls_internal_ecp_free( grp );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL )
+        rs_ctx->depth--;
+#endif
+
+    return( ret );
+}
+
+/*
+ * Multiplication R = m * P
+ */
+int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    return( mbedtls_ecp_mul_restartable( grp, R, m, P, f_rng, p_rng, NULL ) );
+}
+
+#if defined(ECP_SHORTWEIERSTRASS)
+/*
+ * Check that an affine point is valid as a public key,
+ * short weierstrass curves (SEC1 3.2.3.1)
+ */
+static int ecp_check_pubkey_sw( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+{
+    int ret;
+    mbedtls_mpi YY, RHS;
+
+    /* pt coordinates must be normalized for our checks */
+    if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 ||
+        mbedtls_mpi_cmp_int( &pt->Y, 0 ) < 0 ||
+        mbedtls_mpi_cmp_mpi( &pt->X, &grp->P ) >= 0 ||
+        mbedtls_mpi_cmp_mpi( &pt->Y, &grp->P ) >= 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    mbedtls_mpi_init( &YY ); mbedtls_mpi_init( &RHS );
+
+    /*
+     * YY = Y^2
+     * RHS = X (X^2 + A) + B = X^3 + A X + B
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &YY,  &pt->Y,   &pt->Y  ) );  MOD_MUL( YY  );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &pt->X,   &pt->X  ) );  MOD_MUL( RHS );
+
+    /* Special case for A = -3 */
+    if( grp->A.p == NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &RHS, &RHS, 3       ) );  MOD_SUB( RHS );
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS, &grp->A ) );  MOD_ADD( RHS );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &RHS, &RHS,     &pt->X  ) );  MOD_MUL( RHS );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &RHS, &RHS,     &grp->B ) );  MOD_ADD( RHS );
+
+    if( mbedtls_mpi_cmp_mpi( &YY, &RHS ) != 0 )
+        ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+
+cleanup:
+
+    mbedtls_mpi_free( &YY ); mbedtls_mpi_free( &RHS );
+
+    return( ret );
+}
+#endif /* ECP_SHORTWEIERSTRASS */
+
+/*
+ * R = m * P with shortcuts for m == 1 and m == -1
+ * NOT constant-time - ONLY for short Weierstrass!
+ */
+static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
+                                      mbedtls_ecp_point *R,
+                                      const mbedtls_mpi *m,
+                                      const mbedtls_ecp_point *P,
+                                      mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+
+    if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
+    }
+    else if( mbedtls_mpi_cmp_int( m, -1 ) == 0 )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
+        if( mbedtls_mpi_cmp_int( &R->Y, 0 ) != 0 )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &R->Y, &grp->P, &R->Y ) );
+    }
+    else
+    {
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, R, m, P,
+                                                      NULL, NULL, rs_ctx ) );
+    }
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Restartable linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd_restartable(
+             mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
+             mbedtls_ecp_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_ecp_point mP;
+    mbedtls_ecp_point *pmP = &mP;
+    mbedtls_ecp_point *pR = R;
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    char is_grp_capable = 0;
+#endif
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    ECP_VALIDATE_RET( n   != NULL );
+    ECP_VALIDATE_RET( Q   != NULL );
+
+    if( ecp_get_type( grp ) != ECP_TYPE_SHORT_WEIERSTRASS )
+        return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    mbedtls_ecp_point_init( &mP );
+
+    ECP_RS_ENTER( ma );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+    {
+        /* redirect intermediate results to restart context */
+        pmP = &rs_ctx->ma->mP;
+        pR  = &rs_ctx->ma->R;
+
+        /* jump to next operation */
+        if( rs_ctx->ma->state == ecp_rsma_mul2 )
+            goto mul2;
+        if( rs_ctx->ma->state == ecp_rsma_add )
+            goto add;
+        if( rs_ctx->ma->state == ecp_rsma_norm )
+            goto norm;
+    }
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pmP, m, P, rs_ctx ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_mul2;
+
+mul2:
+#endif
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, pR,  n, Q, rs_ctx ) );
+
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) )
+        MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_add;
+
+add:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_ADD );
+    MBEDTLS_MPI_CHK( ecp_add_mixed( grp, pR, pmP, pR ) );
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        rs_ctx->ma->state = ecp_rsma_norm;
+
+norm:
+#endif
+    MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
+    MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, pR ) );
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && rs_ctx->ma != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, pR ) );
+#endif
+
+cleanup:
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    if( is_grp_capable )
+        mbedtls_internal_ecp_free( grp );
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+
+    mbedtls_ecp_point_free( &mP );
+
+    ECP_RS_LEAVE( ma );
+
+    return( ret );
+}
+
+/*
+ * Linear combination
+ * NOT constant-time
+ */
+int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
+             const mbedtls_mpi *m, const mbedtls_ecp_point *P,
+             const mbedtls_mpi *n, const mbedtls_ecp_point *Q )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( R   != NULL );
+    ECP_VALIDATE_RET( m   != NULL );
+    ECP_VALIDATE_RET( P   != NULL );
+    ECP_VALIDATE_RET( n   != NULL );
+    ECP_VALIDATE_RET( Q   != NULL );
+    return( mbedtls_ecp_muladd_restartable( grp, R, m, P, n, Q, NULL ) );
+}
+
+#if defined(ECP_MONTGOMERY)
+/*
+ * Check validity of a public key for Montgomery curves with x-only schemes
+ */
+static int ecp_check_pubkey_mx( const mbedtls_ecp_group *grp, const mbedtls_ecp_point *pt )
+{
+    /* [Curve25519 p. 5] Just check X is the correct number of bytes */
+    /* Allow any public value, if it's too big then we'll just reduce it mod p
+     * (RFC 7748 sec. 5 para. 3). */
+    if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    return( 0 );
+}
+#endif /* ECP_MONTGOMERY */
+
+/*
+ * Check that a point is valid as a public key
+ */
+int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
+                              const mbedtls_ecp_point *pt )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( pt  != NULL );
+
+    /* Must use affine coordinates */
+    if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
+        return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+        return( ecp_check_pubkey_mx( grp, pt ) );
+#endif
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+        return( ecp_check_pubkey_sw( grp, pt ) );
+#endif
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Check that an mbedtls_mpi is valid as a private key
+ */
+int mbedtls_ecp_check_privkey( const mbedtls_ecp_group *grp,
+                               const mbedtls_mpi *d )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    ECP_VALIDATE_RET( d   != NULL );
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+    {
+        /* see RFC 7748 sec. 5 para. 5 */
+        if( mbedtls_mpi_get_bit( d, 0 ) != 0 ||
+            mbedtls_mpi_get_bit( d, 1 ) != 0 ||
+            mbedtls_mpi_bitlen( d ) - 1 != grp->nbits ) /* mbedtls_mpi_bitlen is one-based! */
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+        /* see [Curve25519] page 5 */
+        if( grp->nbits == 254 && mbedtls_mpi_get_bit( d, 2 ) != 0 )
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+        return( 0 );
+    }
+#endif /* ECP_MONTGOMERY */
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+    {
+        /* see SEC1 3.2 */
+        if( mbedtls_mpi_cmp_int( d, 1 ) < 0 ||
+            mbedtls_mpi_cmp_mpi( d, &grp->N ) >= 0 )
+            return( MBEDTLS_ERR_ECP_INVALID_KEY );
+        else
+            return( 0 );
+    }
+#endif /* ECP_SHORTWEIERSTRASS */
+
+    return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+}
+
+/*
+ * Generate a private key
+ */
+int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
+                     mbedtls_mpi *d,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+    size_t n_size;
+
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    n_size = ( grp->nbits + 7 ) / 8;
+
+#if defined(ECP_MONTGOMERY)
+    if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY )
+    {
+        /* [M225] page 5 */
+        size_t b;
+
+        do {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
+        } while( mbedtls_mpi_bitlen( d ) == 0);
+
+        /* Make sure the most significant bit is nbits */
+        b = mbedtls_mpi_bitlen( d ) - 1; /* mbedtls_mpi_bitlen is one-based */
+        if( b > grp->nbits )
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - grp->nbits ) );
+        else
+            MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, grp->nbits, 1 ) );
+
+        /* Make sure the last two bits are unset for Curve448, three bits for
+           Curve25519 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) );
+        if( grp->nbits == 254 )
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
+        }
+    }
+#endif /* ECP_MONTGOMERY */
+
+#if defined(ECP_SHORTWEIERSTRASS)
+    if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS )
+    {
+        /* SEC1 3.2.1: Generate d such that 1 <= n < N */
+        int count = 0;
+        unsigned cmp = 0;
+
+        /*
+         * Match the procedure given in RFC 6979 (deterministic ECDSA):
+         * - use the same byte ordering;
+         * - keep the leftmost nbits bits of the generated octet string;
+         * - try until result is in the desired range.
+         * This also avoids any biais, which is especially important for ECDSA.
+         */
+        do
+        {
+            MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
+
+            /*
+             * Each try has at worst a probability 1/2 of failing (the msb has
+             * a probability 1/2 of being 0, and then the result will be < N),
+             * so after 30 tries failure probability is a most 2**(-30).
+             *
+             * For most curves, 1 try is enough with overwhelming probability,
+             * since N starts with a lot of 1s in binary, but some curves
+             * such as secp224k1 are actually very close to the worst case.
+             */
+            if( ++count > 30 )
+                return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+            ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
+            if( ret != 0 )
+            {
+                goto cleanup;
+            }
+        }
+        while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp != 1 );
+    }
+#endif /* ECP_SHORTWEIERSTRASS */
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate a keypair with configurable base point
+ */
+int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp,
+                     const mbedtls_ecp_point *G,
+                     mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                     int (*f_rng)(void *, unsigned char *, size_t),
+                     void *p_rng )
+{
+    int ret;
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( G     != NULL );
+    ECP_VALIDATE_RET( Q     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, d, f_rng, p_rng ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, Q, d, G, f_rng, p_rng ) );
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Generate key pair, wrapper for conventional base point
+ */
+int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp,
+                             mbedtls_mpi *d, mbedtls_ecp_point *Q,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng )
+{
+    ECP_VALIDATE_RET( grp   != NULL );
+    ECP_VALIDATE_RET( d     != NULL );
+    ECP_VALIDATE_RET( Q     != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    return( mbedtls_ecp_gen_keypair_base( grp, &grp->G, d, Q, f_rng, p_rng ) );
+}
+
+/*
+ * Generate a keypair, prettier wrapper
+ */
+int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    ECP_VALIDATE_RET( key   != NULL );
+    ECP_VALIDATE_RET( f_rng != NULL );
+
+    if( ( ret = mbedtls_ecp_group_load( &key->grp, grp_id ) ) != 0 )
+        return( ret );
+
+    return( mbedtls_ecp_gen_keypair( &key->grp, &key->d, &key->Q, f_rng, p_rng ) );
+}
+
+/*
+ * Check a public-private key pair
+ */
+int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv )
+{
+    int ret;
+    mbedtls_ecp_point Q;
+    mbedtls_ecp_group grp;
+    ECP_VALIDATE_RET( pub != NULL );
+    ECP_VALIDATE_RET( prv != NULL );
+
+    if( pub->grp.id == MBEDTLS_ECP_DP_NONE ||
+        pub->grp.id != prv->grp.id ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.X, &prv->Q.X ) ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.Y, &prv->Q.Y ) ||
+        mbedtls_mpi_cmp_mpi( &pub->Q.Z, &prv->Q.Z ) )
+    {
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    }
+
+    mbedtls_ecp_point_init( &Q );
+    mbedtls_ecp_group_init( &grp );
+
+    /* mbedtls_ecp_mul() needs a non-const group... */
+    mbedtls_ecp_group_copy( &grp, &prv->grp );
+
+    /* Also checks d is valid */
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &Q, &prv->d, &prv->grp.G, NULL, NULL ) );
+
+    if( mbedtls_mpi_cmp_mpi( &Q.X, &prv->Q.X ) ||
+        mbedtls_mpi_cmp_mpi( &Q.Y, &prv->Q.Y ) ||
+        mbedtls_mpi_cmp_mpi( &Q.Z, &prv->Q.Z ) )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+cleanup:
+    mbedtls_ecp_point_free( &Q );
+    mbedtls_ecp_group_free( &grp );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ecp_self_test( int verbose )
+{
+    int ret;
+    size_t i;
+    mbedtls_ecp_group grp;
+    mbedtls_ecp_point R, P;
+    mbedtls_mpi m;
+    unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
+    /* exponents especially adapted for secp192r1 */
+    const char *exponents[] =
+    {
+        "000000000000000000000000000000000000000000000001", /* one */
+        "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", /* N - 1 */
+        "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
+        "400000000000000000000000000000000000000000000000", /* one and zeros */
+        "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
+        "555555555555555555555555555555555555555555555555", /* 101010... */
+    };
+
+    mbedtls_ecp_group_init( &grp );
+    mbedtls_ecp_point_init( &R );
+    mbedtls_ecp_point_init( &P );
+    mbedtls_mpi_init( &m );
+
+    /* Use secp192r1 if available, or any available curve */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP192R1 ) );
+#else
+    MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, mbedtls_ecp_curve_list()->grp_id ) );
+#endif
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECP test #1 (constant op_count, base point G): " );
+
+    /* Do a dummy multiplication first to trigger precomputation */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &m, 2 ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &P, &m, &grp.G, NULL, NULL ) );
+
+    add_count = 0;
+    dbl_count = 0;
+    mul_count = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
+
+    for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
+    {
+        add_c_prev = add_count;
+        dbl_c_prev = dbl_count;
+        mul_c_prev = mul_count;
+        add_count = 0;
+        dbl_count = 0;
+        mul_count = 0;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
+
+        if( add_count != add_c_prev ||
+            dbl_count != dbl_c_prev ||
+            mul_count != mul_c_prev )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed (%u)\n", (unsigned int) i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ECP test #2 (constant op_count, other point): " );
+    /* We computed P = 2G last time, use it */
+
+    add_count = 0;
+    dbl_count = 0;
+    mul_count = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
+
+    for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
+    {
+        add_c_prev = add_count;
+        dbl_c_prev = dbl_count;
+        mul_c_prev = mul_count;
+        add_count = 0;
+        dbl_count = 0;
+        mul_count = 0;
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
+
+        if( add_count != add_c_prev ||
+            dbl_count != dbl_c_prev ||
+            mul_count != mul_c_prev )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed (%u)\n", (unsigned int) i );
+
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+
+    if( ret < 0 && verbose != 0 )
+        mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+
+    mbedtls_ecp_group_free( &grp );
+    mbedtls_ecp_point_free( &R );
+    mbedtls_ecp_point_free( &P );
+    mbedtls_mpi_free( &m );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_C */
diff --git a/makerom/deps/libmbedtls/src/ecp_curves.c b/makerom/deps/libmbedtls/src/ecp_curves.c
new file mode 100644
index 00000000..282481d0
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ecp_curves.c
@@ -0,0 +1,1470 @@
+/*
+ *  Elliptic curves over GF(p): curve-specific data and functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if !defined(MBEDTLS_ECP_ALT)
+
+/* Parameter validation macros based on platform_util.h */
+#define ECP_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_ECP_BAD_INPUT_DATA )
+#define ECP_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/*
+ * Conversion macros for embedded constants:
+ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
+ */
+#if defined(MBEDTLS_HAVE_INT32)
+
+#define BYTES_TO_T_UINT_4( a, b, c, d )                       \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 )
+
+#define BYTES_TO_T_UINT_2( a, b )                   \
+    BYTES_TO_T_UINT_4( a, b, 0, 0 )
+
+#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+    BYTES_TO_T_UINT_4( a, b, c, d ),                \
+    BYTES_TO_T_UINT_4( e, f, g, h )
+
+#else /* 64-bits */
+
+#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+    ( (mbedtls_mpi_uint) (a) <<  0 ) |                        \
+    ( (mbedtls_mpi_uint) (b) <<  8 ) |                        \
+    ( (mbedtls_mpi_uint) (c) << 16 ) |                        \
+    ( (mbedtls_mpi_uint) (d) << 24 ) |                        \
+    ( (mbedtls_mpi_uint) (e) << 32 ) |                        \
+    ( (mbedtls_mpi_uint) (f) << 40 ) |                        \
+    ( (mbedtls_mpi_uint) (g) << 48 ) |                        \
+    ( (mbedtls_mpi_uint) (h) << 56 )
+
+#define BYTES_TO_T_UINT_4( a, b, c, d )             \
+    BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
+
+#define BYTES_TO_T_UINT_2( a, b )                   \
+    BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
+
+#endif /* bits in mbedtls_mpi_uint */
+
+/*
+ * Note: the constants are in little-endian order
+ * to be directly usable in MPIs
+ */
+
+/*
+ * Domain parameters for secp192r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static const mbedtls_mpi_uint secp192r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp192r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
+    BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
+    BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
+};
+static const mbedtls_mpi_uint secp192r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
+    BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
+};
+static const mbedtls_mpi_uint secp192r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
+    BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
+    BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
+};
+static const mbedtls_mpi_uint secp192r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
+    BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+/*
+ * Domain parameters for secp224r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static const mbedtls_mpi_uint secp224r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
+    BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
+    BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
+    BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
+};
+static const mbedtls_mpi_uint secp224r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
+    BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
+    BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
+    BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
+};
+static const mbedtls_mpi_uint secp224r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
+    BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
+    BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
+    BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
+};
+static const mbedtls_mpi_uint secp224r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
+    BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+/*
+ * Domain parameters for secp256r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static const mbedtls_mpi_uint secp256r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp256r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
+    BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
+    BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
+    BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
+};
+static const mbedtls_mpi_uint secp256r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
+    BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
+    BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
+};
+static const mbedtls_mpi_uint secp256r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
+    BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
+    BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
+    BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
+};
+static const mbedtls_mpi_uint secp256r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
+    BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+/*
+ * Domain parameters for secp384r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static const mbedtls_mpi_uint secp384r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp384r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
+    BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
+    BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
+    BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
+    BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
+    BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
+};
+static const mbedtls_mpi_uint secp384r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
+    BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
+    BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
+    BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
+    BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
+    BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
+};
+static const mbedtls_mpi_uint secp384r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
+    BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
+    BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
+    BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
+    BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
+};
+static const mbedtls_mpi_uint secp384r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
+    BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+/*
+ * Domain parameters for secp521r1
+ */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static const mbedtls_mpi_uint secp521r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+};
+static const mbedtls_mpi_uint secp521r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
+    BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
+    BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
+    BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
+    BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
+    BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
+    BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
+    BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
+    BYTES_TO_T_UINT_2( 0x51, 0x00 ),
+};
+static const mbedtls_mpi_uint secp521r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
+    BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
+    BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
+    BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
+    BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
+    BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
+    BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
+    BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
+    BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
+};
+static const mbedtls_mpi_uint secp521r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
+    BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
+    BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
+    BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
+    BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
+    BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
+    BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
+    BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
+    BYTES_TO_T_UINT_2( 0x18, 0x01 ),
+};
+static const mbedtls_mpi_uint secp521r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
+    BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
+    BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
+    BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
+    BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static const mbedtls_mpi_uint secp192k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp192k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp192k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x03, 0x00 ),
+};
+static const mbedtls_mpi_uint secp192k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
+    BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
+    BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
+};
+static const mbedtls_mpi_uint secp192k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
+    BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
+};
+static const mbedtls_mpi_uint secp192k1_n[] = {
+    BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static const mbedtls_mpi_uint secp224k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp224k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x05, 0x00 ),
+};
+static const mbedtls_mpi_uint secp224k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
+    BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
+    BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
+    BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
+};
+static const mbedtls_mpi_uint secp224k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
+    BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
+    BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
+    BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
+};
+static const mbedtls_mpi_uint secp224k1_n[] = {
+    BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
+    BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+    BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static const mbedtls_mpi_uint secp256k1_p[] = {
+    BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+static const mbedtls_mpi_uint secp256k1_a[] = {
+    BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+};
+static const mbedtls_mpi_uint secp256k1_b[] = {
+    BYTES_TO_T_UINT_2( 0x07, 0x00 ),
+};
+static const mbedtls_mpi_uint secp256k1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
+    BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
+    BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
+    BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
+};
+static const mbedtls_mpi_uint secp256k1_gy[] = {
+    BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
+    BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
+    BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
+    BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
+};
+static const mbedtls_mpi_uint secp256k1_n[] = {
+    BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
+    BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
+    BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+    BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+};
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP256r1 (RFC 5639 3.4)
+ */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
+    BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
+    BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
+    BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
+    BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
+    BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
+    BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
+    BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
+    BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
+    BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
+    BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
+    BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
+    BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
+    BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
+    BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
+    BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
+    BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
+};
+static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
+    BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
+    BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
+    BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+    BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+};
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP384r1 (RFC 5639 3.6)
+ */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
+    BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
+    BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
+    BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
+    BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
+    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+    BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
+    BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
+    BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
+    BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
+    BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
+    BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
+    BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
+    BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
+    BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
+    BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
+    BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
+    BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
+    BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
+    BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
+    BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
+    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
+    BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
+    BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
+    BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
+    BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
+};
+static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
+    BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
+    BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+    BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+    BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+};
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+/*
+ * Domain parameters for brainpoolP512r1 (RFC 5639 3.7)
+ */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
+    BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
+    BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
+    BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
+    BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
+    BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
+    BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
+    BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
+    BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
+    BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
+    BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
+    BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
+    BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
+    BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
+    BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
+    BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
+    BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
+    BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
+    BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
+    BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
+    BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
+    BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
+    BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
+    BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
+    BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
+    BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
+    BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
+    BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
+    BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
+    BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
+    BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
+    BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
+    BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
+    BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
+    BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
+    BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
+    BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
+    BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
+};
+static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
+    BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
+    BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
+    BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
+    BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
+    BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+    BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+    BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+    BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+};
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+/*
+ * Create an MPI from embedded constants
+ * (assumes len is an exact multiple of sizeof mbedtls_mpi_uint)
+ */
+static inline void ecp_mpi_load( mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len )
+{
+    X->s = 1;
+    X->n = len / sizeof( mbedtls_mpi_uint );
+    X->p = (mbedtls_mpi_uint *) p;
+}
+
+/*
+ * Set an MPI to static value 1
+ */
+static inline void ecp_mpi_set1( mbedtls_mpi *X )
+{
+    static mbedtls_mpi_uint one[] = { 1 };
+    X->s = 1;
+    X->n = 1;
+    X->p = one;
+}
+
+/*
+ * Make group available from embedded constants
+ */
+static int ecp_group_load( mbedtls_ecp_group *grp,
+                           const mbedtls_mpi_uint *p,  size_t plen,
+                           const mbedtls_mpi_uint *a,  size_t alen,
+                           const mbedtls_mpi_uint *b,  size_t blen,
+                           const mbedtls_mpi_uint *gx, size_t gxlen,
+                           const mbedtls_mpi_uint *gy, size_t gylen,
+                           const mbedtls_mpi_uint *n,  size_t nlen)
+{
+    ecp_mpi_load( &grp->P, p, plen );
+    if( a != NULL )
+        ecp_mpi_load( &grp->A, a, alen );
+    ecp_mpi_load( &grp->B, b, blen );
+    ecp_mpi_load( &grp->N, n, nlen );
+
+    ecp_mpi_load( &grp->G.X, gx, gxlen );
+    ecp_mpi_load( &grp->G.Y, gy, gylen );
+    ecp_mpi_set1( &grp->G.Z );
+
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+    grp->nbits = mbedtls_mpi_bitlen( &grp->N );
+
+    grp->h = 1;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/* Forward declarations */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+static int ecp_mod_p192( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+static int ecp_mod_p224( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+static int ecp_mod_p256( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+static int ecp_mod_p384( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+static int ecp_mod_p521( mbedtls_mpi * );
+#endif
+
+#define NIST_MODP( P )      grp->modp = ecp_mod_ ## P;
+#else
+#define NIST_MODP( P )
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+/* Additional forward declarations */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+static int ecp_mod_p255( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+static int ecp_mod_p448( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+static int ecp_mod_p192k1( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+static int ecp_mod_p224k1( mbedtls_mpi * );
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+static int ecp_mod_p256k1( mbedtls_mpi * );
+#endif
+
+#define LOAD_GROUP_A( G )   ecp_group_load( grp,            \
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            G ## _a,  sizeof( G ## _a  ),   \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
+
+#define LOAD_GROUP( G )     ecp_group_load( grp,            \
+                            G ## _p,  sizeof( G ## _p  ),   \
+                            NULL,     0,                    \
+                            G ## _b,  sizeof( G ## _b  ),   \
+                            G ## _gx, sizeof( G ## _gx ),   \
+                            G ## _gy, sizeof( G ## _gy ),   \
+                            G ## _n,  sizeof( G ## _n  ) )
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/*
+ * Specialized function for creating the Curve25519 group
+ */
+static int ecp_use_curve25519( mbedtls_ecp_group *grp )
+{
+    int ret;
+
+    /* Actually ( A + 2 ) / 4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) );
+
+    /* P = 2^255 - 19 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 255 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 19 ) );
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    /* N = 2^252 + 27742317777372353535851937790883648493 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N, 16,
+                                              "14DEF9DEA2F79CD65812631A5CF5D3ED" ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
+
+    /* Y intentionally not set, since we use x/z coordinates.
+     * This is used as a marker to identify Montgomery curves! */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 9 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
+    mbedtls_mpi_free( &grp->G.Y );
+
+    /* Actually, the required msb for private keys */
+    grp->nbits = 254;
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_ecp_group_free( grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/*
+ * Specialized function for creating the Curve448 group
+ */
+static int ecp_use_curve448( mbedtls_ecp_group *grp )
+{
+    mbedtls_mpi Ns;
+    int ret;
+
+    mbedtls_mpi_init( &Ns );
+
+    /* Actually ( A + 2 ) / 4 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "98AA" ) );
+
+    /* P = 2^448 - 2^224 - 1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &grp->P, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &grp->P, &grp->P, 1 ) );
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    /* Y intentionally not set, since we use x/z coordinates.
+     * This is used as a marker to identify Montgomery curves! */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.X, 5 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->G.Z, 1 ) );
+    mbedtls_mpi_free( &grp->G.Y );
+
+    /* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16,
+                                              "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
+
+    /* Actually, the required msb for private keys */
+    grp->nbits = 447;
+
+cleanup:
+    mbedtls_mpi_free( &Ns );
+    if( ret != 0 )
+        mbedtls_ecp_group_free( grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+/*
+ * Set a group using well-known domain parameters
+ */
+int mbedtls_ecp_group_load( mbedtls_ecp_group *grp, mbedtls_ecp_group_id id )
+{
+    ECP_VALIDATE_RET( grp != NULL );
+    mbedtls_ecp_group_free( grp );
+
+    grp->id = id;
+
+    switch( id )
+    {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP192R1:
+            NIST_MODP( p192 );
+            return( LOAD_GROUP( secp192r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP224R1:
+            NIST_MODP( p224 );
+            return( LOAD_GROUP( secp224r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP256R1:
+            NIST_MODP( p256 );
+            return( LOAD_GROUP( secp256r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP384R1:
+            NIST_MODP( p384 );
+            return( LOAD_GROUP( secp384r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP521R1:
+            NIST_MODP( p521 );
+            return( LOAD_GROUP( secp521r1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP192K1:
+            grp->modp = ecp_mod_p192k1;
+            return( LOAD_GROUP_A( secp192k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP224K1:
+            grp->modp = ecp_mod_p224k1;
+            return( LOAD_GROUP_A( secp224k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+        case MBEDTLS_ECP_DP_SECP256K1:
+            grp->modp = ecp_mod_p256k1;
+            return( LOAD_GROUP_A( secp256k1 ) );
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP256R1:
+            return( LOAD_GROUP_A( brainpoolP256r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP384R1:
+            return( LOAD_GROUP_A( brainpoolP384r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+        case MBEDTLS_ECP_DP_BP512R1:
+            return( LOAD_GROUP_A( brainpoolP512r1 ) );
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE25519:
+            grp->modp = ecp_mod_p255;
+            return( ecp_use_curve25519( grp ) );
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+        case MBEDTLS_ECP_DP_CURVE448:
+            grp->modp = ecp_mod_p448;
+            return( ecp_use_curve448( grp ) );
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+        default:
+            mbedtls_ecp_group_free( grp );
+            return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+    }
+}
+
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+/*
+ * Fast reduction modulo the primes used by the NIST curves.
+ *
+ * These functions are critical for speed, but not needed for correct
+ * operations. So, we make the choice to heavily rely on the internals of our
+ * bignum library, which creates a tight coupling between these functions and
+ * our MPI implementation.  However, the coupling between the ECP module and
+ * MPI remains loose, since these functions can be deactivated at will.
+ */
+
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+/*
+ * Compared to the way things are presented in FIPS 186-3 D.2,
+ * we proceed in columns, from right (least significant chunk) to left,
+ * adding chunks to N in place, and keeping a carry for the next chunk.
+ * This avoids moving things around in memory, and uselessly adding zeros,
+ * compared to the more straightforward, line-oriented approach.
+ *
+ * For this prime we need to handle data in chunks of 64 bits.
+ * Since this is always a multiple of our basic mbedtls_mpi_uint, we can
+ * use a mbedtls_mpi_uint * to designate such a chunk, and small loops to handle it.
+ */
+
+/* Add 64-bit chunks (dst += src) and update carry */
+static inline void add64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *src, mbedtls_mpi_uint *carry )
+{
+    unsigned char i;
+    mbedtls_mpi_uint c = 0;
+    for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++, src++ )
+    {
+        *dst += c;      c  = ( *dst < c );
+        *dst += *src;   c += ( *dst < *src );
+    }
+    *carry += c;
+}
+
+/* Add carry to a 64-bit chunk and update carry */
+static inline void carry64( mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry )
+{
+    unsigned char i;
+    for( i = 0; i < 8 / sizeof( mbedtls_mpi_uint ); i++, dst++ )
+    {
+        *dst += *carry;
+        *carry  = ( *dst < *carry );
+    }
+}
+
+#define WIDTH       8 / sizeof( mbedtls_mpi_uint )
+#define A( i )      N->p + (i) * WIDTH
+#define ADD( i )    add64( p, A( i ), &c )
+#define NEXT        p += WIDTH; carry64( p, &c )
+#define LAST        p += WIDTH; *p = c; while( ++p < end ) *p = 0
+
+/*
+ * Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ */
+static int ecp_mod_p192( mbedtls_mpi *N )
+{
+    int ret;
+    mbedtls_mpi_uint c = 0;
+    mbedtls_mpi_uint *p, *end;
+
+    /* Make sure we have enough blocks so that A(5) is legal */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, 6 * WIDTH ) );
+
+    p = N->p;
+    end = p + N->n;
+
+    ADD( 3 ); ADD( 5 );             NEXT; // A0 += A3 + A5
+    ADD( 3 ); ADD( 4 ); ADD( 5 );   NEXT; // A1 += A3 + A4 + A5
+    ADD( 4 ); ADD( 5 );             LAST; // A2 += A4 + A5
+
+cleanup:
+    return( ret );
+}
+
+#undef WIDTH
+#undef A
+#undef ADD
+#undef NEXT
+#undef LAST
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * The reader is advised to first understand ecp_mod_p192() since the same
+ * general structure is used here, but with additional complications:
+ * (1) chunks of 32 bits, and (2) subtractions.
+ */
+
+/*
+ * For these primes, we need to handle data in chunks of 32 bits.
+ * This makes it more complicated if we use 64 bits limbs in MPI,
+ * which prevents us from using a uniform access method as for p192.
+ *
+ * So, we define a mini abstraction layer to access 32 bit chunks,
+ * load them in 'cur' for work, and store them back from 'cur' when done.
+ *
+ * While at it, also define the size of N in terms of 32-bit chunks.
+ */
+#define LOAD32      cur = A( i );
+
+#if defined(MBEDTLS_HAVE_INT32)  /* 32 bit */
+
+#define MAX32       N->n
+#define A( j )      N->p[j]
+#define STORE32     N->p[i] = cur;
+
+#else                               /* 64-bit */
+
+#define MAX32       N->n * 2
+#define A( j ) (j) % 2 ? (uint32_t)( N->p[(j)/2] >> 32 ) : \
+                         (uint32_t)( N->p[(j)/2] )
+#define STORE32                                   \
+    if( i % 2 ) {                                 \
+        N->p[i/2] &= 0x00000000FFFFFFFF;          \
+        N->p[i/2] |= ((mbedtls_mpi_uint) cur) << 32;        \
+    } else {                                      \
+        N->p[i/2] &= 0xFFFFFFFF00000000;          \
+        N->p[i/2] |= (mbedtls_mpi_uint) cur;                \
+    }
+
+#endif /* sizeof( mbedtls_mpi_uint ) */
+
+/*
+ * Helpers for addition and subtraction of chunks, with signed carry.
+ */
+static inline void add32( uint32_t *dst, uint32_t src, signed char *carry )
+{
+    *dst += src;
+    *carry += ( *dst < src );
+}
+
+static inline void sub32( uint32_t *dst, uint32_t src, signed char *carry )
+{
+    *carry -= ( *dst < src );
+    *dst -= src;
+}
+
+#define ADD( j )    add32( &cur, A( j ), &c );
+#define SUB( j )    sub32( &cur, A( j ), &c );
+
+/*
+ * Helpers for the main 'loop'
+ * (see fix_negative for the motivation of C)
+ */
+#define INIT( b )                                                       \
+    int ret;                                                            \
+    signed char c = 0, cc;                                              \
+    uint32_t cur;                                                       \
+    size_t i = 0, bits = (b);                                           \
+    mbedtls_mpi C;                                                      \
+    mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ];     \
+                                                                        \
+    C.s = 1;                                                            \
+    C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1;                      \
+    C.p = Cp;                                                           \
+    memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) );                  \
+                                                                        \
+    MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 /                 \
+                                       sizeof( mbedtls_mpi_uint ) ) );  \
+    LOAD32;
+
+#define NEXT                    \
+    STORE32; i++; LOAD32;       \
+    cc = c; c = 0;              \
+    if( cc < 0 )                \
+        sub32( &cur, -cc, &c ); \
+    else                        \
+        add32( &cur, cc, &c );  \
+
+#define LAST                                    \
+    STORE32; i++;                               \
+    cur = c > 0 ? c : 0; STORE32;               \
+    cur = 0; while( ++i < MAX32 ) { STORE32; }  \
+    if( c < 0 ) fix_negative( N, c, &C, bits );
+
+/*
+ * If the result is negative, we get it in the form
+ * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
+ */
+static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
+{
+    int ret;
+
+    /* C = - c * 2^(bits + 32) */
+#if !defined(MBEDTLS_HAVE_INT64)
+    ((void) bits);
+#else
+    if( bits == 224 )
+        C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
+    else
+#endif
+        C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
+
+    /* N = - ( C - N ) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
+    N->s = -1;
+
+cleanup:
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224 (FIPS 186-3 D.2.2)
+ */
+static int ecp_mod_p224( mbedtls_mpi *N )
+{
+    INIT( 224 );
+
+    SUB(  7 ); SUB( 11 );               NEXT; // A0 += -A7 - A11
+    SUB(  8 ); SUB( 12 );               NEXT; // A1 += -A8 - A12
+    SUB(  9 ); SUB( 13 );               NEXT; // A2 += -A9 - A13
+    SUB( 10 ); ADD(  7 ); ADD( 11 );    NEXT; // A3 += -A10 + A7 + A11
+    SUB( 11 ); ADD(  8 ); ADD( 12 );    NEXT; // A4 += -A11 + A8 + A12
+    SUB( 12 ); ADD(  9 ); ADD( 13 );    NEXT; // A5 += -A12 + A9 + A13
+    SUB( 13 ); ADD( 10 );               LAST; // A6 += -A13 + A10
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256 (FIPS 186-3 D.2.3)
+ */
+static int ecp_mod_p256( mbedtls_mpi *N )
+{
+    INIT( 256 );
+
+    ADD(  8 ); ADD(  9 );
+    SUB( 11 ); SUB( 12 ); SUB( 13 ); SUB( 14 );             NEXT; // A0
+
+    ADD(  9 ); ADD( 10 );
+    SUB( 12 ); SUB( 13 ); SUB( 14 ); SUB( 15 );             NEXT; // A1
+
+    ADD( 10 ); ADD( 11 );
+    SUB( 13 ); SUB( 14 ); SUB( 15 );                        NEXT; // A2
+
+    ADD( 11 ); ADD( 11 ); ADD( 12 ); ADD( 12 ); ADD( 13 );
+    SUB( 15 ); SUB(  8 ); SUB(  9 );                        NEXT; // A3
+
+    ADD( 12 ); ADD( 12 ); ADD( 13 ); ADD( 13 ); ADD( 14 );
+    SUB(  9 ); SUB( 10 );                                   NEXT; // A4
+
+    ADD( 13 ); ADD( 13 ); ADD( 14 ); ADD( 14 ); ADD( 15 );
+    SUB( 10 ); SUB( 11 );                                   NEXT; // A5
+
+    ADD( 14 ); ADD( 14 ); ADD( 15 ); ADD( 15 ); ADD( 14 ); ADD( 13 );
+    SUB(  8 ); SUB(  9 );                                   NEXT; // A6
+
+    ADD( 15 ); ADD( 15 ); ADD( 15 ); ADD( 8 );
+    SUB( 10 ); SUB( 11 ); SUB( 12 ); SUB( 13 );             LAST; // A7
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p384 (FIPS 186-3 D.2.4)
+ */
+static int ecp_mod_p384( mbedtls_mpi *N )
+{
+    INIT( 384 );
+
+    ADD( 12 ); ADD( 21 ); ADD( 20 );
+    SUB( 23 );                                              NEXT; // A0
+
+    ADD( 13 ); ADD( 22 ); ADD( 23 );
+    SUB( 12 ); SUB( 20 );                                   NEXT; // A2
+
+    ADD( 14 ); ADD( 23 );
+    SUB( 13 ); SUB( 21 );                                   NEXT; // A2
+
+    ADD( 15 ); ADD( 12 ); ADD( 20 ); ADD( 21 );
+    SUB( 14 ); SUB( 22 ); SUB( 23 );                        NEXT; // A3
+
+    ADD( 21 ); ADD( 21 ); ADD( 16 ); ADD( 13 ); ADD( 12 ); ADD( 20 ); ADD( 22 );
+    SUB( 15 ); SUB( 23 ); SUB( 23 );                        NEXT; // A4
+
+    ADD( 22 ); ADD( 22 ); ADD( 17 ); ADD( 14 ); ADD( 13 ); ADD( 21 ); ADD( 23 );
+    SUB( 16 );                                              NEXT; // A5
+
+    ADD( 23 ); ADD( 23 ); ADD( 18 ); ADD( 15 ); ADD( 14 ); ADD( 22 );
+    SUB( 17 );                                              NEXT; // A6
+
+    ADD( 19 ); ADD( 16 ); ADD( 15 ); ADD( 23 );
+    SUB( 18 );                                              NEXT; // A7
+
+    ADD( 20 ); ADD( 17 ); ADD( 16 );
+    SUB( 19 );                                              NEXT; // A8
+
+    ADD( 21 ); ADD( 18 ); ADD( 17 );
+    SUB( 20 );                                              NEXT; // A9
+
+    ADD( 22 ); ADD( 19 ); ADD( 18 );
+    SUB( 21 );                                              NEXT; // A10
+
+    ADD( 23 ); ADD( 20 ); ADD( 19 );
+    SUB( 22 );                                              LAST; // A11
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#undef A
+#undef LOAD32
+#undef STORE32
+#undef MAX32
+#undef INIT
+#undef NEXT
+#undef LAST
+
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED ||
+          MBEDTLS_ECP_DP_SECP256R1_ENABLED ||
+          MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+/*
+ * Here we have an actual Mersenne prime, so things are more straightforward.
+ * However, chunks are aligned on a 'weird' boundary (521 bits).
+ */
+
+/* Size of p521 in terms of mbedtls_mpi_uint */
+#define P521_WIDTH      ( 521 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
+
+/* Bits to keep in the most significant mbedtls_mpi_uint */
+#define P521_MASK       0x01FF
+
+/*
+ * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
+ * Write N as A1 + 2^521 A0, return A0 + A1
+ */
+static int ecp_mod_p521( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M;
+    mbedtls_mpi_uint Mp[P521_WIDTH + 1];
+    /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
+     * we need to hold bits 513 to 1056, which is 34 limbs, that is
+     * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
+
+    if( N->n < P521_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P521_WIDTH - 1 );
+    if( M.n > P521_WIDTH + 1 )
+        M.n = P521_WIDTH + 1;
+    M.p = Mp;
+    memcpy( Mp, N->p + P521_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 521 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
+
+    /* N = A0 */
+    N->p[P521_WIDTH - 1] &= P521_MASK;
+    for( i = P521_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+
+#undef P521_WIDTH
+#undef P521_MASK
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+
+/* Size of p255 in terms of mbedtls_mpi_uint */
+#define P255_WIDTH      ( 255 / 8 / sizeof( mbedtls_mpi_uint ) + 1 )
+
+/*
+ * Fast quasi-reduction modulo p255 = 2^255 - 19
+ * Write N as A0 + 2^255 A1, return A0 + 19 * A1
+ */
+static int ecp_mod_p255( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M;
+    mbedtls_mpi_uint Mp[P255_WIDTH + 2];
+
+    if( N->n < P255_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P255_WIDTH - 1 );
+    if( M.n > P255_WIDTH + 1 )
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    M.p = Mp;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + P255_WIDTH - 1, M.n * sizeof( mbedtls_mpi_uint ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, 255 % ( 8 * sizeof( mbedtls_mpi_uint ) ) ) );
+    M.n++; /* Make room for multiplication by 19 */
+
+    /* N = A0 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( N, 255, 0 ) );
+    for( i = P255_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + 19 * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &M, &M, 19 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+
+/* Size of p448 in terms of mbedtls_mpi_uint */
+#define P448_WIDTH      ( 448 / 8 / sizeof( mbedtls_mpi_uint ) )
+
+/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
+#define DIV_ROUND_UP( X, Y ) ( ( ( X ) + ( Y ) - 1 ) / ( Y ) )
+#define P224_WIDTH_MIN   ( 28 / sizeof( mbedtls_mpi_uint ) )
+#define P224_WIDTH_MAX   DIV_ROUND_UP( 28, sizeof( mbedtls_mpi_uint ) )
+#define P224_UNUSED_BITS ( ( P224_WIDTH_MAX * sizeof( mbedtls_mpi_uint ) * 8 ) - 224 )
+
+/*
+ * Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
+ * Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
+ * A0 + A1 + B1 + (B0 + B1) * 2^224.  This is different to the reference
+ * implementation of Curve448, which uses its own special 56-bit limbs rather
+ * than a generic bignum library.  We could squeeze some extra speed out on
+ * 32-bit machines by splitting N up into 32-bit limbs and doing the
+ * arithmetic using the limbs directly as we do for the NIST primes above,
+ * but for 64-bit targets it should use half the number of operations if we do
+ * the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
+ */
+static int ecp_mod_p448( mbedtls_mpi *N )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M, Q;
+    mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
+
+    if( N->n <= P448_WIDTH )
+        return( 0 );
+
+    /* M = A1 */
+    M.s = 1;
+    M.n = N->n - ( P448_WIDTH );
+    if( M.n > P448_WIDTH )
+        /* Shouldn't be called with N larger than 2^896! */
+        return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+    M.p = Mp;
+    memset( Mp, 0, sizeof( Mp ) );
+    memcpy( Mp, N->p + P448_WIDTH, M.n * sizeof( mbedtls_mpi_uint ) );
+
+    /* N = A0 */
+    for( i = P448_WIDTH; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N += A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
+
+    /* Q = B1, N += B1 */
+    Q = M;
+    Q.p = Qp;
+    memcpy( Qp, Mp, sizeof( Qp ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &Q, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &Q ) );
+
+    /* M = (B0 + B1) * 2^224, N += M */
+    if( sizeof( mbedtls_mpi_uint ) > 4 )
+        Mp[P224_WIDTH_MIN] &= ( (mbedtls_mpi_uint)-1 ) >> ( P224_UNUSED_BITS );
+    for( i = P224_WIDTH_MAX; i < M.n; ++i )
+        Mp[i] = 0;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &M, &M, &Q ) );
+    M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &M, 224 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||   \
+    defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo P = 2^s - R,
+ * with R about 33 bits, used by the Koblitz curves.
+ *
+ * Write N as A0 + 2^224 A1, return A0 + R * A1.
+ * Actually do two passes, since R is big.
+ */
+#define P_KOBLITZ_MAX   ( 256 / 8 / sizeof( mbedtls_mpi_uint ) )  // Max limbs in P
+#define P_KOBLITZ_R     ( 8 / sizeof( mbedtls_mpi_uint ) )        // Limbs in R
+static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
+                                   size_t adjust, size_t shift, mbedtls_mpi_uint mask )
+{
+    int ret;
+    size_t i;
+    mbedtls_mpi M, R;
+    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
+
+    if( N->n < p_limbs )
+        return( 0 );
+
+    /* Init R */
+    R.s = 1;
+    R.p = Rp;
+    R.n = P_KOBLITZ_R;
+
+    /* Common setup for M */
+    M.s = 1;
+    M.p = Mp;
+
+    /* M = A1 */
+    M.n = N->n - ( p_limbs - adjust );
+    if( M.n > p_limbs + adjust )
+        M.n = p_limbs + adjust;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
+    if( shift != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
+    M.n += R.n; /* Make room for multiplication by R */
+
+    /* N = A0 */
+    if( mask != 0 )
+        N->p[p_limbs - 1] &= mask;
+    for( i = p_limbs; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + R * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+    /* Second pass */
+
+    /* M = A1 */
+    M.n = N->n - ( p_limbs - adjust );
+    if( M.n > p_limbs + adjust )
+        M.n = p_limbs + adjust;
+    memset( Mp, 0, sizeof Mp );
+    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
+    if( shift != 0 )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
+    M.n += R.n; /* Make room for multiplication by R */
+
+    /* N = A0 */
+    if( mask != 0 )
+        N->p[p_limbs - 1] &= mask;
+    for( i = p_limbs; i < N->n; i++ )
+        N->p[i] = 0;
+
+    /* N = A0 + R * A1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &M, &M, &R ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_abs( N, N, &M ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
+          MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
+          MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p192k1 = 2^192 - R,
+ * with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
+ */
+static int ecp_mod_p192k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+
+    return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+}
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p224k1 = 2^224 - R,
+ * with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
+ */
+static int ecp_mod_p224k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+
+#if defined(MBEDTLS_HAVE_INT64)
+    return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
+#else
+    return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+#endif
+}
+
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/*
+ * Fast quasi-reduction modulo p256k1 = 2^256 - R,
+ * with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
+ */
+static int ecp_mod_p256k1( mbedtls_mpi *N )
+{
+    static mbedtls_mpi_uint Rp[] = {
+        BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+    return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+}
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+
+#endif /* !MBEDTLS_ECP_ALT */
+
+#endif /* MBEDTLS_ECP_C */
diff --git a/makerom/deps/libmbedtls/src/entropy.c b/makerom/deps/libmbedtls/src/entropy.c
new file mode 100644
index 00000000..f8db1a55
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/entropy.c
@@ -0,0 +1,721 @@
+/*
+ *  Entropy accumulator implementation
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+#warning "**** WARNING!  MBEDTLS_TEST_NULL_ENTROPY defined! "
+#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES "
+#warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
+#endif
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if defined(MBEDTLS_HAVEGE_C)
+#include "mbedtls/havege.h"
+#endif
+
+#define ENTROPY_MAX_LOOP    256     /**< Maximum amount to loop before error */
+
+void mbedtls_entropy_init( mbedtls_entropy_context *ctx )
+{
+    ctx->source_count = 0;
+    memset( ctx->source, 0, sizeof( ctx->source ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+
+    ctx->accumulator_started = 0;
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_init( &ctx->accumulator );
+#else
+    mbedtls_sha256_init( &ctx->accumulator );
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_init( &ctx->havege_data );
+#endif
+
+    /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
+     *           when adding more strong entropy sources here. */
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL,
+                                1, MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+
+#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    mbedtls_entropy_add_source( ctx, mbedtls_platform_entropy_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_PLATFORM,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_TIMING_C)
+    mbedtls_entropy_add_source( ctx, mbedtls_hardclock_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_HARDCLOCK,
+                                MBEDTLS_ENTROPY_SOURCE_WEAK );
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_entropy_add_source( ctx, mbedtls_havege_poll, &ctx->havege_data,
+                                MBEDTLS_ENTROPY_MIN_HAVEGE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    mbedtls_entropy_add_source( ctx, mbedtls_hardware_poll, NULL,
+                                MBEDTLS_ENTROPY_MIN_HARDWARE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    mbedtls_entropy_add_source( ctx, mbedtls_nv_seed_poll, NULL,
+                                MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                MBEDTLS_ENTROPY_SOURCE_STRONG );
+    ctx->initial_entropy_run = 0;
+#endif
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+}
+
+void mbedtls_entropy_free( mbedtls_entropy_context *ctx )
+{
+#if defined(MBEDTLS_HAVEGE_C)
+    mbedtls_havege_free( &ctx->havege_data );
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    mbedtls_sha512_free( &ctx->accumulator );
+#else
+    mbedtls_sha256_free( &ctx->accumulator );
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    ctx->initial_entropy_run = 0;
+#endif
+    ctx->source_count = 0;
+    mbedtls_platform_zeroize( ctx->source, sizeof( ctx->source ) );
+    ctx->accumulator_started = 0;
+}
+
+int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
+                        mbedtls_entropy_f_source_ptr f_source, void *p_source,
+                        size_t threshold, int strong )
+{
+    int idx, ret = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    idx = ctx->source_count;
+    if( idx >= MBEDTLS_ENTROPY_MAX_SOURCES )
+    {
+        ret = MBEDTLS_ERR_ENTROPY_MAX_SOURCES;
+        goto exit;
+    }
+
+    ctx->source[idx].f_source  = f_source;
+    ctx->source[idx].p_source  = p_source;
+    ctx->source[idx].threshold = threshold;
+    ctx->source[idx].strong    = strong;
+
+    ctx->source_count++;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Entropy accumulator update
+ */
+static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id,
+                           const unsigned char *data, size_t len )
+{
+    unsigned char header[2];
+    unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE];
+    size_t use_len = len;
+    const unsigned char *p = data;
+    int ret = 0;
+
+    if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE )
+    {
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+        if( ( ret = mbedtls_sha512_ret( data, len, tmp, 0 ) ) != 0 )
+            goto cleanup;
+#else
+        if( ( ret = mbedtls_sha256_ret( data, len, tmp, 0 ) ) != 0 )
+            goto cleanup;
+#endif
+        p = tmp;
+        use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+    }
+
+    header[0] = source_id;
+    header[1] = use_len & 0xFF;
+
+    /*
+     * Start the accumulator if this has not already happened. Note that
+     * it is sufficient to start the accumulator here only because all calls to
+     * gather entropy eventually execute this code.
+     */
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    if( ctx->accumulator_started == 0 &&
+        ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto cleanup;
+    else
+        ctx->accumulator_started = 1;
+    if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, header, 2 ) ) != 0 )
+        goto cleanup;
+    ret = mbedtls_sha512_update_ret( &ctx->accumulator, p, use_len );
+#else
+    if( ctx->accumulator_started == 0 &&
+        ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto cleanup;
+    else
+        ctx->accumulator_started = 1;
+    if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, header, 2 ) ) != 0 )
+        goto cleanup;
+    ret = mbedtls_sha256_update_ret( &ctx->accumulator, p, use_len );
+#endif
+
+cleanup:
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+
+    return( ret );
+}
+
+int mbedtls_entropy_update_manual( mbedtls_entropy_context *ctx,
+                           const unsigned char *data, size_t len )
+{
+    int ret;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = entropy_update( ctx, MBEDTLS_ENTROPY_SOURCE_MANUAL, data, len );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Run through the different sources to add entropy to our accumulator
+ */
+static int entropy_gather_internal( mbedtls_entropy_context *ctx )
+{
+    int ret, i, have_one_strong = 0;
+    unsigned char buf[MBEDTLS_ENTROPY_MAX_GATHER];
+    size_t olen;
+
+    if( ctx->source_count == 0 )
+        return( MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED );
+
+    /*
+     * Run through our entropy sources
+     */
+    for( i = 0; i < ctx->source_count; i++ )
+    {
+        if( ctx->source[i].strong == MBEDTLS_ENTROPY_SOURCE_STRONG )
+            have_one_strong = 1;
+
+        olen = 0;
+        if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source,
+                        buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen ) ) != 0 )
+        {
+            goto cleanup;
+        }
+
+        /*
+         * Add if we actually gathered something
+         */
+        if( olen > 0 )
+        {
+            if( ( ret = entropy_update( ctx, (unsigned char) i,
+                                        buf, olen ) ) != 0 )
+                return( ret );
+            ctx->source[i].size += olen;
+        }
+    }
+
+    if( have_one_strong == 0 )
+        ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE;
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+/*
+ * Thread-safe wrapper for entropy_gather_internal()
+ */
+int mbedtls_entropy_gather( mbedtls_entropy_context *ctx )
+{
+    int ret;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = entropy_gather_internal( ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+int mbedtls_entropy_func( void *data, unsigned char *output, size_t len )
+{
+    int ret, count = 0, i, done;
+    mbedtls_entropy_context *ctx = (mbedtls_entropy_context *) data;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    if( len > MBEDTLS_ENTROPY_BLOCK_SIZE )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    /* Update the NV entropy seed before generating any entropy for outside
+     * use.
+     */
+    if( ctx->initial_entropy_run == 0 )
+    {
+        ctx->initial_entropy_run = 1;
+        if( ( ret = mbedtls_entropy_update_nv_seed( ctx ) ) != 0 )
+            return( ret );
+    }
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    /*
+     * Always gather extra entropy before a call
+     */
+    do
+    {
+        if( count++ > ENTROPY_MAX_LOOP )
+        {
+            ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+            goto exit;
+        }
+
+        if( ( ret = entropy_gather_internal( ctx ) ) != 0 )
+            goto exit;
+
+        done = 1;
+        for( i = 0; i < ctx->source_count; i++ )
+            if( ctx->source[i].size < ctx->source[i].threshold )
+                done = 0;
+    }
+    while( ! done );
+
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
+    /*
+     * Note that at this stage it is assumed that the accumulator was started
+     * in a previous call to entropy_update(). If this is not guaranteed, the
+     * code below will fail.
+     */
+    if( ( ret = mbedtls_sha512_finish_ret( &ctx->accumulator, buf ) ) != 0 )
+        goto exit;
+
+    /*
+     * Reset accumulator and counters and recycle existing entropy
+     */
+    mbedtls_sha512_free( &ctx->accumulator );
+    mbedtls_sha512_init( &ctx->accumulator );
+    if( ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, buf,
+                                           MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    /*
+     * Perform second SHA-512 on entropy
+     */
+    if( ( ret = mbedtls_sha512_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                    buf, 0 ) ) != 0 )
+        goto exit;
+#else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+    if( ( ret = mbedtls_sha256_finish_ret( &ctx->accumulator, buf ) ) != 0 )
+        goto exit;
+
+    /*
+     * Reset accumulator and counters and recycle existing entropy
+     */
+    mbedtls_sha256_free( &ctx->accumulator );
+    mbedtls_sha256_init( &ctx->accumulator );
+    if( ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, buf,
+                                           MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    /*
+     * Perform second SHA-256 on entropy
+     */
+    if( ( ret = mbedtls_sha256_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE,
+                                    buf, 0 ) ) != 0 )
+        goto exit;
+#endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
+
+    for( i = 0; i < ctx->source_count; i++ )
+        ctx->source[i].size = 0;
+
+    memcpy( output, buf, len );
+
+    ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx )
+{
+    int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    /* Read new seed  and write it to NV */
+    if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        return( ret );
+
+    if( mbedtls_nv_seed_write( buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) < 0 )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    /* Manually update the remaining stream with a separator value to diverge */
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+    ret = mbedtls_entropy_update_manual( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *path )
+{
+    int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    FILE *f;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f ) != MBEDTLS_ENTROPY_BLOCK_SIZE )
+    {
+        ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    fclose( f );
+    return( ret );
+}
+
+int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f;
+    size_t n;
+    unsigned char buf[ MBEDTLS_ENTROPY_MAX_SEED_SIZE ];
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    n = (size_t) ftell( f );
+    fseek( f, 0, SEEK_SET );
+
+    if( n > MBEDTLS_ENTROPY_MAX_SEED_SIZE )
+        n = MBEDTLS_ENTROPY_MAX_SEED_SIZE;
+
+    if( fread( buf, 1, n, f ) != n )
+        ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+    else
+        ret = mbedtls_entropy_update_manual( ctx, buf, n );
+
+    fclose( f );
+
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( mbedtls_entropy_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_SELF_TEST)
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+/*
+ * Dummy source function
+ */
+static int entropy_dummy_source( void *data, unsigned char *output,
+                                 size_t len, size_t *olen )
+{
+    ((void) data);
+
+    memset( output, 0x2a, len );
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+
+static int mbedtls_entropy_source_self_test_gather( unsigned char *buf, size_t buf_len )
+{
+    int ret = 0;
+    size_t entropy_len = 0;
+    size_t olen = 0;
+    size_t attempts = buf_len;
+
+    while( attempts > 0 && entropy_len < buf_len )
+    {
+        if( ( ret = mbedtls_hardware_poll( NULL, buf + entropy_len,
+            buf_len - entropy_len, &olen ) ) != 0 )
+            return( ret );
+
+        entropy_len += olen;
+        attempts--;
+    }
+
+    if( entropy_len < buf_len )
+    {
+        ret = 1;
+    }
+
+    return( ret );
+}
+
+
+static int mbedtls_entropy_source_self_test_check_bits( const unsigned char *buf,
+                                                        size_t buf_len )
+{
+    unsigned char set= 0xFF;
+    unsigned char unset = 0x00;
+    size_t i;
+
+    for( i = 0; i < buf_len; i++ )
+    {
+        set &= buf[i];
+        unset |= buf[i];
+    }
+
+    return( set == 0xFF || unset == 0x00 );
+}
+
+/*
+ * A test to ensure hat the entropy sources are functioning correctly
+ * and there is no obvious failure. The test performs the following checks:
+ *  - The entropy source is not providing only 0s (all bits unset) or 1s (all
+ *    bits set).
+ *  - The entropy source is not providing values in a pattern. Because the
+ *    hardware could be providing data in an arbitrary length, this check polls
+ *    the hardware entropy source twice and compares the result to ensure they
+ *    are not equal.
+ *  - The error code returned by the entropy source is not an error.
+ */
+int mbedtls_entropy_source_self_test( int verbose )
+{
+    int ret = 0;
+    unsigned char buf0[2 * sizeof( unsigned long long int )];
+    unsigned char buf1[2 * sizeof( unsigned long long int )];
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ENTROPY_BIAS test: " );
+
+    memset( buf0, 0x00, sizeof( buf0 ) );
+    memset( buf1, 0x00, sizeof( buf1 ) );
+
+    if( ( ret = mbedtls_entropy_source_self_test_gather( buf0, sizeof( buf0 ) ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_entropy_source_self_test_gather( buf1, sizeof( buf1 ) ) ) != 0 )
+        goto cleanup;
+
+    /* Make sure that the returned values are not all 0 or 1 */
+    if( ( ret = mbedtls_entropy_source_self_test_check_bits( buf0, sizeof( buf0 ) ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_entropy_source_self_test_check_bits( buf1, sizeof( buf1 ) ) ) != 0 )
+        goto cleanup;
+
+    /* Make sure that the entropy source is not returning values in a
+     * pattern */
+    ret = memcmp( buf0, buf1, sizeof( buf0 ) ) == 0;
+
+cleanup:
+    if( verbose != 0 )
+    {
+        if( ret != 0 )
+            mbedtls_printf( "failed\n" );
+        else
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_printf( "\n" );
+    }
+
+    return( ret != 0 );
+}
+
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+
+/*
+ * The actual entropy quality is hard to test, but we can at least
+ * test that the functions don't cause errors and write the correct
+ * amount of data to buffers.
+ */
+int mbedtls_entropy_self_test( int verbose )
+{
+    int ret = 1;
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_context ctx;
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+    unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
+    size_t i, j;
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+    if( verbose != 0 )
+        mbedtls_printf( "  ENTROPY test: " );
+
+#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
+    mbedtls_entropy_init( &ctx );
+
+    /* First do a gather to make sure we have default sources */
+    if( ( ret = mbedtls_entropy_gather( &ctx ) ) != 0 )
+        goto cleanup;
+
+    ret = mbedtls_entropy_add_source( &ctx, entropy_dummy_source, NULL, 16,
+                                      MBEDTLS_ENTROPY_SOURCE_WEAK );
+    if( ret != 0 )
+        goto cleanup;
+
+    if( ( ret = mbedtls_entropy_update_manual( &ctx, buf, sizeof buf ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * To test that mbedtls_entropy_func writes correct number of bytes:
+     * - use the whole buffer and rely on ASan to detect overruns
+     * - collect entropy 8 times and OR the result in an accumulator:
+     *   any byte should then be 0 with probably 2^(-64), so requiring
+     *   each of the 32 or 64 bytes to be non-zero has a false failure rate
+     *   of at most 2^(-58) which is acceptable.
+     */
+    for( i = 0; i < 8; i++ )
+    {
+        if( ( ret = mbedtls_entropy_func( &ctx, buf, sizeof( buf ) ) ) != 0 )
+            goto cleanup;
+
+        for( j = 0; j < sizeof( buf ); j++ )
+            acc[j] |= buf[j];
+    }
+
+    for( j = 0; j < sizeof( buf ); j++ )
+    {
+        if( acc[j] == 0 )
+        {
+            ret = 1;
+            goto cleanup;
+        }
+    }
+
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    if( ( ret = mbedtls_entropy_source_self_test( 0 ) ) != 0 )
+        goto cleanup;
+#endif
+
+cleanup:
+    mbedtls_entropy_free( &ctx );
+#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
+
+    if( verbose != 0 )
+    {
+        if( ret != 0 )
+            mbedtls_printf( "failed\n" );
+        else
+            mbedtls_printf( "passed\n" );
+
+        mbedtls_printf( "\n" );
+    }
+
+    return( ret != 0 );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/makerom/deps/libmbedtls/src/entropy_poll.c b/makerom/deps/libmbedtls/src/entropy_poll.c
new file mode 100644
index 00000000..4556f88a
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/entropy_poll.c
@@ -0,0 +1,236 @@
+/*
+ *  Platform-specific and custom entropy polling functions
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if defined(__linux__)
+/* Ensure that syscall() is available even when compiling with -std=c99 */
+#define _GNU_SOURCE
+#endif
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_ENTROPY_C)
+
+#include "mbedtls/entropy.h"
+#include "mbedtls/entropy_poll.h"
+
+#if defined(MBEDTLS_TIMING_C)
+#include "mbedtls/timing.h"
+#endif
+#if defined(MBEDTLS_HAVEGE_C)
+#include "mbedtls/havege.h"
+#endif
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#include "mbedtls/platform.h"
+#endif
+
+#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
+#error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#if !defined(_WIN32_WINNT)
+#define _WIN32_WINNT 0x0400
+#endif
+#include <windows.h>
+#include <wincrypt.h>
+
+int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len,
+                           size_t *olen )
+{
+    HCRYPTPROV provider;
+    ((void) data);
+    *olen = 0;
+
+    if( CryptAcquireContext( &provider, NULL, NULL,
+                              PROV_RSA_FULL, CRYPT_VERIFYCONTEXT ) == FALSE )
+    {
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
+    {
+        CryptReleaseContext( provider, 0 );
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    CryptReleaseContext( provider, 0 );
+    *olen = len;
+
+    return( 0 );
+}
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Test for Linux getrandom() support.
+ * Since there is no wrapper in the libc yet, use the generic syscall wrapper
+ * available in GNU libc and compatible libc's (eg uClibc).
+ */
+#if defined(__linux__) && defined(__GLIBC__)
+#include <unistd.h>
+#include <sys/syscall.h>
+#if defined(SYS_getrandom)
+#define HAVE_GETRANDOM
+#include <errno.h>
+
+static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
+{
+    /* MemSan cannot understand that the syscall writes to the buffer */
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+    memset( buf, 0, buflen );
+#endif
+#endif
+    return( syscall( SYS_getrandom, buf, buflen, flags ) );
+}
+#endif /* SYS_getrandom */
+#endif /* __linux__ */
+
+#include <stdio.h>
+
+int mbedtls_platform_entropy_poll( void *data,
+                           unsigned char *output, size_t len, size_t *olen )
+{
+    FILE *file;
+    size_t read_len;
+    int ret;
+    ((void) data);
+
+#if defined(HAVE_GETRANDOM)
+    ret = getrandom_wrapper( output, len, 0 );
+    if( ret >= 0 )
+    {
+        *olen = ret;
+        return( 0 );
+    }
+    else if( errno != ENOSYS )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    /* Fall through if the system call isn't known. */
+#else
+    ((void) ret);
+#endif /* HAVE_GETRANDOM */
+
+    *olen = 0;
+
+    file = fopen( "/dev/urandom", "rb" );
+    if( file == NULL )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    read_len = fread( output, 1, len, file );
+    if( read_len != len )
+    {
+        fclose( file );
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+    }
+
+    fclose( file );
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
+
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+int mbedtls_null_entropy_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen )
+{
+    ((void) data);
+    ((void) output);
+    *olen = 0;
+
+    if( len < sizeof(unsigned char) )
+        return( 0 );
+
+    *olen = sizeof(unsigned char);
+
+    return( 0 );
+}
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+int mbedtls_hardclock_poll( void *data,
+                    unsigned char *output, size_t len, size_t *olen )
+{
+    unsigned long timer = mbedtls_timing_hardclock();
+    ((void) data);
+    *olen = 0;
+
+    if( len < sizeof(unsigned long) )
+        return( 0 );
+
+    memcpy( output, &timer, sizeof(unsigned long) );
+    *olen = sizeof(unsigned long);
+
+    return( 0 );
+}
+#endif /* MBEDTLS_TIMING_C */
+
+#if defined(MBEDTLS_HAVEGE_C)
+int mbedtls_havege_poll( void *data,
+                 unsigned char *output, size_t len, size_t *olen )
+{
+    mbedtls_havege_state *hs = (mbedtls_havege_state *) data;
+    *olen = 0;
+
+    if( mbedtls_havege_random( hs, output, len ) != 0 )
+        return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    *olen = len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_HAVEGE_C */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+int mbedtls_nv_seed_poll( void *data,
+                          unsigned char *output, size_t len, size_t *olen )
+{
+    unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+    size_t use_len = MBEDTLS_ENTROPY_BLOCK_SIZE;
+    ((void) data);
+
+    memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE );
+
+    if( mbedtls_nv_seed_read( buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) < 0 )
+      return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+
+    if( len < use_len )
+      use_len = len;
+
+    memcpy( output, buf, use_len );
+    *olen = use_len;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#endif /* MBEDTLS_ENTROPY_C */
diff --git a/makerom/deps/libmbedtls/src/error.c b/makerom/deps/libmbedtls/src/error.c
new file mode 100644
index 00000000..c596f0bc
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/error.c
@@ -0,0 +1,916 @@
+/*
+ *  Error message information
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+#include "mbedtls/error.h"
+#include <string.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#define mbedtls_time_t   time_t
+#endif
+
+#if defined(MBEDTLS_ERROR_C)
+
+#include <stdio.h>
+
+#if defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_ARIA_C)
+#include "mbedtls/aria.h"
+#endif
+
+#if defined(MBEDTLS_BASE64_C)
+#include "mbedtls/base64.h"
+#endif
+
+#if defined(MBEDTLS_BIGNUM_C)
+#include "mbedtls/bignum.h"
+#endif
+
+#if defined(MBEDTLS_BLOWFISH_C)
+#include "mbedtls/blowfish.h"
+#endif
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#include "mbedtls/camellia.h"
+#endif
+
+#if defined(MBEDTLS_CCM_C)
+#include "mbedtls/ccm.h"
+#endif
+
+#if defined(MBEDTLS_CHACHA20_C)
+#include "mbedtls/chacha20.h"
+#endif
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+#include "mbedtls/chachapoly.h"
+#endif
+
+#if defined(MBEDTLS_CIPHER_C)
+#include "mbedtls/cipher.h"
+#endif
+
+#if defined(MBEDTLS_CMAC_C)
+#include "mbedtls/cmac.h"
+#endif
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+#include "mbedtls/dhm.h"
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ENTROPY_C)
+#include "mbedtls/entropy.h"
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(MBEDTLS_HKDF_C)
+#include "mbedtls/hkdf.h"
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#endif
+
+#if defined(MBEDTLS_MD_C)
+#include "mbedtls/md.h"
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+#include "mbedtls/md2.h"
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+#include "mbedtls/md4.h"
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_NET_C)
+#include "mbedtls/net_sockets.h"
+#endif
+
+#if defined(MBEDTLS_OID_C)
+#include "mbedtls/oid.h"
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C)
+#include "mbedtls/padlock.h"
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#endif
+
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+#include "mbedtls/poly1305.h"
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#include "mbedtls/ripemd160.h"
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+#include "mbedtls/ssl.h"
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "mbedtls/x509.h"
+#endif
+
+#if defined(MBEDTLS_XTEA_C)
+#include "mbedtls/xtea.h"
+#endif
+
+
+void mbedtls_strerror( int ret, char *buf, size_t buflen )
+{
+    size_t len;
+    int use_ret;
+
+    if( buflen == 0 )
+        return;
+
+    memset( buf, 0x00, buflen );
+
+    if( ret < 0 )
+        ret = -ret;
+
+    if( ret & 0xFF80 )
+    {
+        use_ret = ret & 0xFF80;
+
+        // High level error codes
+        //
+        // BEGIN generated code
+#if defined(MBEDTLS_CIPHER_C)
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - The selected feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Bad input parameters" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_PADDING) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Input data contains invalid padding and is rejected" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Decryption of block requires a full block" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_AUTH_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Authentication failed (for AEAD modes)" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - The context is invalid. For example, because it was freed" );
+        if( use_ret == -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "CIPHER - Cipher hardware accelerator failed" );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_DHM_C)
+        if( use_ret == -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "DHM - Bad input parameters" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Reading of the DHM parameters failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Making of the DHM parameters failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Reading of the public values failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Making of the public value failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Calculation of the DHM secret failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "DHM - The ASN.1 data is not formatted correctly" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "DHM - Read or write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - DHM hardware accelerator failed" );
+        if( use_ret == -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED) )
+            mbedtls_snprintf( buf, buflen, "DHM - Setting the modulus and generator failed" );
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_ECP_C)
+        if( use_ret == -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "ECP - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "ECP - The buffer is too small to write to" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "ECP - The requested feature is not available, for example, the requested curve is not supported" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - The signature is not valid" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as ephemeral key, failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY) )
+            mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "ECP - The buffer contains a valid signature followed by more data" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "ECP - The ECP hardware accelerator failed" );
+        if( use_ret == -(MBEDTLS_ERR_ECP_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "ECP - Operation in progress, call again with the same parameters to continue" );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+        if( use_ret == -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "MD - The selected feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_MD_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "MD - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_MD_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "MD - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_MD_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "MD - Opening or reading of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "MD - MD hardware accelerator failed" );
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+        if( use_ret == -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) )
+            mbedtls_snprintf( buf, buflen, "PEM - No PEM header or footer found" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_DATA) )
+            mbedtls_snprintf( buf, buflen, "PEM - PEM string is not as expected" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PEM - Failed to allocate memory" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_ENC_IV) )
+            mbedtls_snprintf( buf, buflen, "PEM - RSA IV is not in hex-format" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG) )
+            mbedtls_snprintf( buf, buflen, "PEM - Unsupported key encryption algorithm" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "PEM - Private key password can't be empty" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PEM - Given private key password does not allow for correct decryption" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PEM - Unavailable feature, e.g. hashing/encryption combination" );
+        if( use_ret == -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PEM - Bad input parameters to function" );
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_PK_C)
+        if( use_ret == -(MBEDTLS_ERR_PK_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PK - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_PK_TYPE_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
+        if( use_ret == -(MBEDTLS_ERR_PK_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PK - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PK_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "PK - Read/write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION) )
+            mbedtls_snprintf( buf, buflen, "PK - Unsupported key version" );
+        if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PK - Invalid key tag or value" );
+        if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG) )
+            mbedtls_snprintf( buf, buflen, "PK - Key algorithm is unsupported (only RSA and EC are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "PK - Private key password can't be empty" );
+        if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - Given private key password does not allow for correct decryption" );
+        if( use_ret == -(MBEDTLS_ERR_PK_INVALID_PUBKEY) )
+            mbedtls_snprintf( buf, buflen, "PK - The pubkey tag or value is invalid (only RSA and EC are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_INVALID_ALG) )
+            mbedtls_snprintf( buf, buflen, "PK - The algorithm tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE) )
+            mbedtls_snprintf( buf, buflen, "PK - Elliptic curve is unsupported (only NIST curves are supported)" );
+        if( use_ret == -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
+        if( use_ret == -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PK - The buffer contains a valid signature followed by more data" );
+        if( use_ret == -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "PK - PK hardware accelerator failed" );
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - PBE ASN.1 data not as expected" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PKCS12 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS12_C */
+
+#if defined(MBEDTLS_PKCS5_C)
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Unexpected ASN.1 data" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Requested encryption or digest alg not available" );
+        if( use_ret == -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "PKCS5 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS5_C */
+
+#if defined(MBEDTLS_RSA_C)
+        if( use_ret == -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "RSA - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_INVALID_PADDING) )
+            mbedtls_snprintf( buf, buflen, "RSA - Input data contains invalid padding and is rejected" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - Something failed during generation of a key" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - Key failed to pass the validity check of the library" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_PUBLIC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The public key operation failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_PRIVATE_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The private key operation failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The PKCS#1 verification failed" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE) )
+            mbedtls_snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) )
+            mbedtls_snprintf( buf, buflen, "RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality" );
+        if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SSL_TLS_C)
+        if( use_ret == -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "SSL - The requested feature is not available" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "SSL - Bad input parameters to function" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_MAC) )
+            mbedtls_snprintf( buf, buflen, "SSL - Verification of the message MAC failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_RECORD) )
+            mbedtls_snprintf( buf, buflen, "SSL - An invalid SSL record was received" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CONN_EOF) )
+            mbedtls_snprintf( buf, buflen, "SSL - The connection indicated an EOF" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER) )
+            mbedtls_snprintf( buf, buflen, "SSL - An unknown cipher was received" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN) )
+            mbedtls_snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_RNG) )
+            mbedtls_snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) )
+            mbedtls_snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - The own private key or pre-shared key is not set, but needed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - No CA Chain is set, but required to operate" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - An unexpected message was received from our peer" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE) )
+        {
+            mbedtls_snprintf( buf, buflen, "SSL - A fatal alert message was received from our peer" );
+            return;
+        }
+        if( use_ret == -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Verification of our peer failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) )
+            mbedtls_snprintf( buf, buflen, "SSL - The peer notified us that the connection is going to be closed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientHello handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHello handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the Certificate handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Memory allocation failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function returned with error" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
+            mbedtls_snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
+            mbedtls_snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - Session ticket has expired" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) )
+            mbedtls_snprintf( buf, buflen, "SSL - Unknown identity received (eg, PSK identity)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INTERNAL_ERROR) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING) )
+            mbedtls_snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO) )
+            mbedtls_snprintf( buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) )
+            mbedtls_snprintf( buf, buflen, "SSL - DTLS client must retry for hello verification" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
+            mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
+            mbedtls_snprintf( buf, buflen, "SSL - No data of requested type currently available on underlying transport" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
+            mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT) )
+            mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
+            mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
+            mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
+            mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
+            mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
+        if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
+            mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+        if( use_ret == -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) )
+            mbedtls_snprintf( buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_OID) )
+            mbedtls_snprintf( buf, buflen, "X509 - Requested OID is unknown" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_VERSION) )
+            mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR version element is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SERIAL) )
+            mbedtls_snprintf( buf, buflen, "X509 - The serial tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_ALG) )
+            mbedtls_snprintf( buf, buflen, "X509 - The algorithm tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_NAME) )
+            mbedtls_snprintf( buf, buflen, "X509 - The name tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_DATE) )
+            mbedtls_snprintf( buf, buflen, "X509 - The date tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SIGNATURE) )
+            mbedtls_snprintf( buf, buflen, "X509 - The signature tag or value invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS) )
+            mbedtls_snprintf( buf, buflen, "X509 - The extension tag or value is invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_VERSION) )
+            mbedtls_snprintf( buf, buflen, "X509 - CRT/CRL/CSR has an unsupported version number" );
+        if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG) )
+            mbedtls_snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
+        if( use_ret == -(MBEDTLS_ERR_X509_SIG_MISMATCH) )
+            mbedtls_snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
+        if( use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) )
+            mbedtls_snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT) )
+            mbedtls_snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
+        if( use_ret == -(MBEDTLS_ERR_X509_BAD_INPUT_DATA) )
+            mbedtls_snprintf( buf, buflen, "X509 - Input invalid" );
+        if( use_ret == -(MBEDTLS_ERR_X509_ALLOC_FAILED) )
+            mbedtls_snprintf( buf, buflen, "X509 - Allocation of memory failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_FILE_IO_ERROR) )
+            mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" );
+        if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
+            mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too small" );
+        if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
+            mbedtls_snprintf( buf, buflen, "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+        // END generated code
+
+        if( strlen( buf ) == 0 )
+            mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
+    }
+
+    use_ret = ret & ~0xFF80;
+
+    if( use_ret == 0 )
+        return;
+
+    // If high level code is present, make a concatenation between both
+    // error strings.
+    //
+    len = strlen( buf );
+
+    if( len > 0 )
+    {
+        if( buflen - len < 5 )
+            return;
+
+        mbedtls_snprintf( buf + len, buflen - len, " : " );
+
+        buf += len + 3;
+        buflen -= len + 3;
+    }
+
+    // Low level error codes
+    //
+    // BEGIN generated code
+#if defined(MBEDTLS_AES_C)
+    if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid key length" );
+    if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_AES_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "AES - Invalid input data" );
+    if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" );
+    if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "AES - AES hardware accelerator failed" );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+    if( use_ret == -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" );
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_ARIA_C)
+    if( use_ret == -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Bad input data" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "ARIA - Feature not available. For example, an unsupported ARIA key size" );
+    if( use_ret == -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ARIA - ARIA hardware accelerator failed" );
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - ASN1 tag was of an unexpected value" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Error when trying to determine the length or invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Actual length differs from expected length" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_DATA) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Data is invalid. (not used)" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_ALLOC_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Memory allocation failed" );
+    if( use_ret == -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "ASN1 - Buffer too small when writing ASN.1 data structure" );
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_BASE64_C)
+    if( use_ret == -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "BASE64 - Output buffer too small" );
+    if( use_ret == -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER) )
+        mbedtls_snprintf( buf, buflen, "BASE64 - Invalid character in input" );
+#endif /* MBEDTLS_BASE64_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+    if( use_ret == -(MBEDTLS_ERR_MPI_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - An error occurred while reading from or writing to a file" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - Bad input parameters to function" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_INVALID_CHARACTER) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - There is an invalid character in the digit string" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The buffer is too small to write to" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are negative or result in illegal output" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input argument for division is zero, which is not allowed" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are not acceptable" );
+    if( use_ret == -(MBEDTLS_ERR_MPI_ALLOC_FAILED) )
+        mbedtls_snprintf( buf, buflen, "BIGNUM - Memory allocation failed" );
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Bad input data" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed" );
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Bad input data" );
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
+    if( use_ret == -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CAMELLIA - Camellia hardware accelerator failed" );
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_CCM_C)
+    if( use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT) )
+        mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to the function" );
+    if( use_ret == -(MBEDTLS_ERR_CCM_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CCM - Authenticated decryption failed" );
+    if( use_ret == -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Invalid input parameter(s)" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Feature not available. For example, s part of the API is not implemented" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CHACHA20 - Chacha20 hardware accelerator failed" );
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE) )
+        mbedtls_snprintf( buf, buflen, "CHACHAPOLY - The requested operation is not permitted in the current state" );
+    if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CMAC_C)
+    if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The requested random buffer length is too big" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - The input (entropy + additional data) is too large" );
+    if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "CTR_DRBG - Read or write error in file" );
+#endif /* MBEDTLS_CTR_DRBG_C */
+
+#if defined(MBEDTLS_DES_C)
+    if( use_ret == -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "DES - The data input has an invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "DES - DES hardware accelerator failed" );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ENTROPY_C)
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - Critical entropy source failure" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No more sources can be added" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No sources have been added to poll" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - No strong sources have been added to poll" );
+    if( use_ret == -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "ENTROPY - Read/write error in file" );
+#endif /* MBEDTLS_ENTROPY_C */
+
+#if defined(MBEDTLS_GCM_C)
+    if( use_ret == -(MBEDTLS_ERR_GCM_AUTH_FAILED) )
+        mbedtls_snprintf( buf, buflen, "GCM - Authenticated decryption failed" );
+    if( use_ret == -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "GCM - GCM hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_GCM_BAD_INPUT) )
+        mbedtls_snprintf( buf, buflen, "GCM - Bad input parameters to function" );
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_HKDF_C)
+    if( use_ret == -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "HKDF - Bad input parameters to function" );
+#endif /* MBEDTLS_HKDF_C */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Too many random requested in single call" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Input too large (Entropy + additional)" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Read/write error in file" );
+    if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED) )
+        mbedtls_snprintf( buf, buflen, "HMAC_DRBG - The entropy source failed" );
+#endif /* MBEDTLS_HMAC_DRBG_C */
+
+#if defined(MBEDTLS_MD2_C)
+    if( use_ret == -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD2 - MD2 hardware accelerator failed" );
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+    if( use_ret == -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD4 - MD4 hardware accelerator failed" );
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+    if( use_ret == -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" );
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_NET_C)
+    if( use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Failed to open a socket" );
+    if( use_ret == -(MBEDTLS_ERR_NET_CONNECT_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - The connection to the given server / port failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BIND_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Binding of the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_LISTEN_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Could not listen on the socket" );
+    if( use_ret == -(MBEDTLS_ERR_NET_ACCEPT_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Could not accept the incoming connection" );
+    if( use_ret == -(MBEDTLS_ERR_NET_RECV_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Reading information from the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_SEND_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) )
+        mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" );
+    if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) )
+        mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "NET - Buffer is too small to hold the data" );
+    if( use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT) )
+        mbedtls_snprintf( buf, buflen, "NET - The context is invalid, eg because it was free()ed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_POLL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "NET - Polling the net context failed" );
+    if( use_ret == -(MBEDTLS_ERR_NET_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "NET - Input invalid" );
+#endif /* MBEDTLS_NET_C */
+
+#if defined(MBEDTLS_OID_C)
+    if( use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND) )
+        mbedtls_snprintf( buf, buflen, "OID - OID is not found" );
+    if( use_ret == -(MBEDTLS_ERR_OID_BUF_TOO_SMALL) )
+        mbedtls_snprintf( buf, buflen, "OID - output buffer is too small" );
+#endif /* MBEDTLS_OID_C */
+
+#if defined(MBEDTLS_PADLOCK_C)
+    if( use_ret == -(MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED) )
+        mbedtls_snprintf( buf, buflen, "PADLOCK - Input data should be aligned" );
+#endif /* MBEDTLS_PADLOCK_C */
+
+#if defined(MBEDTLS_PLATFORM_C)
+    if( use_ret == -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "PLATFORM - Hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED) )
+        mbedtls_snprintf( buf, buflen, "PLATFORM - The requested feature is not supported by the platform" );
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if defined(MBEDTLS_POLY1305_C)
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Invalid input parameter(s)" );
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Feature not available. For example, s part of the API is not implemented" );
+    if( use_ret == -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "POLY1305 - Poly1305 hardware accelerator failed" );
+#endif /* MBEDTLS_POLY1305_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+    if( use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed" );
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 input data was malformed" );
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 input data was malformed" );
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    if( use_ret == -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 hardware accelerator failed" );
+    if( use_ret == -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 input data was malformed" );
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_THREADING_C)
+    if( use_ret == -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE) )
+        mbedtls_snprintf( buf, buflen, "THREADING - The selected feature is not available" );
+    if( use_ret == -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA) )
+        mbedtls_snprintf( buf, buflen, "THREADING - Bad input parameters to function" );
+    if( use_ret == -(MBEDTLS_ERR_THREADING_MUTEX_ERROR) )
+        mbedtls_snprintf( buf, buflen, "THREADING - Locking / unlocking / free failed with error code" );
+#endif /* MBEDTLS_THREADING_C */
+
+#if defined(MBEDTLS_XTEA_C)
+    if( use_ret == -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH) )
+        mbedtls_snprintf( buf, buflen, "XTEA - The data input has an invalid length" );
+    if( use_ret == -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED) )
+        mbedtls_snprintf( buf, buflen, "XTEA - XTEA hardware accelerator failed" );
+#endif /* MBEDTLS_XTEA_C */
+    // END generated code
+
+    if( strlen( buf ) != 0 )
+        return;
+
+    mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
+}
+
+#else /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+
+/*
+ * Provide an non-function in case MBEDTLS_ERROR_C is not defined
+ */
+void mbedtls_strerror( int ret, char *buf, size_t buflen )
+{
+    ((void) ret);
+
+    if( buflen > 0 )
+        buf[0] = '\0';
+}
+
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+
+#endif /* MBEDTLS_ERROR_C */
diff --git a/makerom/deps/libmbedtls/src/gcm.c b/makerom/deps/libmbedtls/src/gcm.c
new file mode 100644
index 00000000..675926a5
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/gcm.c
@@ -0,0 +1,994 @@
+/*
+ *  NIST SP800-38D compliant GCM implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
+ *
+ * See also:
+ * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
+ *
+ * We use the algorithm described as Shoup's method with 4-bit tables in
+ * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_GCM_C)
+
+#include "mbedtls/gcm.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_AESNI_C)
+#include "mbedtls/aesni.h"
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#include "mbedtls/aes.h"
+#include "mbedtls/platform.h"
+#if !defined(MBEDTLS_PLATFORM_C)
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_GCM_ALT)
+
+/* Parameter validation macros */
+#define GCM_VALIDATE_RET( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_GCM_BAD_INPUT )
+#define GCM_VALIDATE( cond ) \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+/*
+ * Initialize a context
+ */
+void mbedtls_gcm_init( mbedtls_gcm_context *ctx )
+{
+    GCM_VALIDATE( ctx != NULL );
+    memset( ctx, 0, sizeof( mbedtls_gcm_context ) );
+}
+
+/*
+ * Precompute small multiples of H, that is set
+ *      HH[i] || HL[i] = H times i,
+ * where i is seen as a field element as in [MGV], ie high-order bits
+ * correspond to low powers of P. The result is stored in the same way, that
+ * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
+ * corresponds to P^127.
+ */
+static int gcm_gen_table( mbedtls_gcm_context *ctx )
+{
+    int ret, i, j;
+    uint64_t hi, lo;
+    uint64_t vl, vh;
+    unsigned char h[16];
+    size_t olen = 0;
+
+    memset( h, 0, 16 );
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 )
+        return( ret );
+
+    /* pack h as two 64-bits ints, big-endian */
+    GET_UINT32_BE( hi, h,  0  );
+    GET_UINT32_BE( lo, h,  4  );
+    vh = (uint64_t) hi << 32 | lo;
+
+    GET_UINT32_BE( hi, h,  8  );
+    GET_UINT32_BE( lo, h,  12 );
+    vl = (uint64_t) hi << 32 | lo;
+
+    /* 8 = 1000 corresponds to 1 in GF(2^128) */
+    ctx->HL[8] = vl;
+    ctx->HH[8] = vh;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    /* With CLMUL support, we need only h, not the rest of the table */
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) )
+        return( 0 );
+#endif
+
+    /* 0 corresponds to 0 in GF(2^128) */
+    ctx->HH[0] = 0;
+    ctx->HL[0] = 0;
+
+    for( i = 4; i > 0; i >>= 1 )
+    {
+        uint32_t T = ( vl & 1 ) * 0xe1000000U;
+        vl  = ( vh << 63 ) | ( vl >> 1 );
+        vh  = ( vh >> 1 ) ^ ( (uint64_t) T << 32);
+
+        ctx->HL[i] = vl;
+        ctx->HH[i] = vh;
+    }
+
+    for( i = 2; i <= 8; i *= 2 )
+    {
+        uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
+        vh = *HiH;
+        vl = *HiL;
+        for( j = 1; j < i; j++ )
+        {
+            HiH[j] = vh ^ ctx->HH[j];
+            HiL[j] = vl ^ ctx->HL[j];
+        }
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
+                        mbedtls_cipher_id_t cipher,
+                        const unsigned char *key,
+                        unsigned int keybits )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( key != NULL );
+    GCM_VALIDATE_RET( keybits == 128 || keybits == 192 || keybits == 256 );
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = gcm_gen_table( ctx ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Shoup's method for multiplication use this table with
+ *      last4[x] = x times P^128
+ * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
+ */
+static const uint64_t last4[16] =
+{
+    0x0000, 0x1c20, 0x3840, 0x2460,
+    0x7080, 0x6ca0, 0x48c0, 0x54e0,
+    0xe100, 0xfd20, 0xd940, 0xc560,
+    0x9180, 0x8da0, 0xa9c0, 0xb5e0
+};
+
+/*
+ * Sets output to x times H using the precomputed tables.
+ * x and output are seen as elements of GF(2^128) as in [MGV].
+ */
+static void gcm_mult( mbedtls_gcm_context *ctx, const unsigned char x[16],
+                      unsigned char output[16] )
+{
+    int i = 0;
+    unsigned char lo, hi, rem;
+    uint64_t zh, zl;
+
+#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
+    if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) {
+        unsigned char h[16];
+
+        PUT_UINT32_BE( ctx->HH[8] >> 32, h,  0 );
+        PUT_UINT32_BE( ctx->HH[8],       h,  4 );
+        PUT_UINT32_BE( ctx->HL[8] >> 32, h,  8 );
+        PUT_UINT32_BE( ctx->HL[8],       h, 12 );
+
+        mbedtls_aesni_gcm_mult( output, x, h );
+        return;
+    }
+#endif /* MBEDTLS_AESNI_C && MBEDTLS_HAVE_X86_64 */
+
+    lo = x[15] & 0xf;
+
+    zh = ctx->HH[lo];
+    zl = ctx->HL[lo];
+
+    for( i = 15; i >= 0; i-- )
+    {
+        lo = x[i] & 0xf;
+        hi = x[i] >> 4;
+
+        if( i != 15 )
+        {
+            rem = (unsigned char) zl & 0xf;
+            zl = ( zh << 60 ) | ( zl >> 4 );
+            zh = ( zh >> 4 );
+            zh ^= (uint64_t) last4[rem] << 48;
+            zh ^= ctx->HH[lo];
+            zl ^= ctx->HL[lo];
+
+        }
+
+        rem = (unsigned char) zl & 0xf;
+        zl = ( zh << 60 ) | ( zl >> 4 );
+        zh = ( zh >> 4 );
+        zh ^= (uint64_t) last4[rem] << 48;
+        zh ^= ctx->HH[hi];
+        zl ^= ctx->HL[hi];
+    }
+
+    PUT_UINT32_BE( zh >> 32, output, 0 );
+    PUT_UINT32_BE( zh, output, 4 );
+    PUT_UINT32_BE( zl >> 32, output, 8 );
+    PUT_UINT32_BE( zl, output, 12 );
+}
+
+int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
+                int mode,
+                const unsigned char *iv,
+                size_t iv_len,
+                const unsigned char *add,
+                size_t add_len )
+{
+    int ret;
+    unsigned char work_buf[16];
+    size_t i;
+    const unsigned char *p;
+    size_t use_len, olen = 0;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+
+    /* IV and AD are limited to 2^64 bits, so 2^61 bytes */
+    /* IV is not allowed to be zero length */
+    if( iv_len == 0 ||
+      ( (uint64_t) iv_len  ) >> 61 != 0 ||
+      ( (uint64_t) add_len ) >> 61 != 0 )
+    {
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+    }
+
+    memset( ctx->y, 0x00, sizeof(ctx->y) );
+    memset( ctx->buf, 0x00, sizeof(ctx->buf) );
+
+    ctx->mode = mode;
+    ctx->len = 0;
+    ctx->add_len = 0;
+
+    if( iv_len == 12 )
+    {
+        memcpy( ctx->y, iv, iv_len );
+        ctx->y[15] = 1;
+    }
+    else
+    {
+        memset( work_buf, 0x00, 16 );
+        PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
+
+        p = iv;
+        while( iv_len > 0 )
+        {
+            use_len = ( iv_len < 16 ) ? iv_len : 16;
+
+            for( i = 0; i < use_len; i++ )
+                ctx->y[i] ^= p[i];
+
+            gcm_mult( ctx, ctx->y, ctx->y );
+
+            iv_len -= use_len;
+            p += use_len;
+        }
+
+        for( i = 0; i < 16; i++ )
+            ctx->y[i] ^= work_buf[i];
+
+        gcm_mult( ctx, ctx->y, ctx->y );
+    }
+
+    if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->base_ectr,
+                             &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ctx->add_len = add_len;
+    p = add;
+    while( add_len > 0 )
+    {
+        use_len = ( add_len < 16 ) ? add_len : 16;
+
+        for( i = 0; i < use_len; i++ )
+            ctx->buf[i] ^= p[i];
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        add_len -= use_len;
+        p += use_len;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
+                size_t length,
+                const unsigned char *input,
+                unsigned char *output )
+{
+    int ret;
+    unsigned char ectr[16];
+    size_t i;
+    const unsigned char *p;
+    unsigned char *out_p = output;
+    size_t use_len, olen = 0;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( output > input && (size_t) ( output - input ) < length )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
+     * Also check for possible overflow */
+    if( ctx->len + length < ctx->len ||
+        (uint64_t) ctx->len + length > 0xFFFFFFFE0ull )
+    {
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+    }
+
+    ctx->len += length;
+
+    p = input;
+    while( length > 0 )
+    {
+        use_len = ( length < 16 ) ? length : 16;
+
+        for( i = 16; i > 12; i-- )
+            if( ++ctx->y[i - 1] != 0 )
+                break;
+
+        if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ectr,
+                                   &olen ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        for( i = 0; i < use_len; i++ )
+        {
+            if( ctx->mode == MBEDTLS_GCM_DECRYPT )
+                ctx->buf[i] ^= p[i];
+            out_p[i] = ectr[i] ^ p[i];
+            if( ctx->mode == MBEDTLS_GCM_ENCRYPT )
+                ctx->buf[i] ^= out_p[i];
+        }
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        length -= use_len;
+        p += use_len;
+        out_p += use_len;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
+                unsigned char *tag,
+                size_t tag_len )
+{
+    unsigned char work_buf[16];
+    size_t i;
+    uint64_t orig_len;
+    uint64_t orig_add_len;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+
+    orig_len = ctx->len * 8;
+    orig_add_len = ctx->add_len * 8;
+
+    if( tag_len > 16 || tag_len < 4 )
+        return( MBEDTLS_ERR_GCM_BAD_INPUT );
+
+    memcpy( tag, ctx->base_ectr, tag_len );
+
+    if( orig_len || orig_add_len )
+    {
+        memset( work_buf, 0x00, 16 );
+
+        PUT_UINT32_BE( ( orig_add_len >> 32 ), work_buf, 0  );
+        PUT_UINT32_BE( ( orig_add_len       ), work_buf, 4  );
+        PUT_UINT32_BE( ( orig_len     >> 32 ), work_buf, 8  );
+        PUT_UINT32_BE( ( orig_len           ), work_buf, 12 );
+
+        for( i = 0; i < 16; i++ )
+            ctx->buf[i] ^= work_buf[i];
+
+        gcm_mult( ctx, ctx->buf, ctx->buf );
+
+        for( i = 0; i < tag_len; i++ )
+            tag[i] ^= ctx->buf[i];
+    }
+
+    return( 0 );
+}
+
+int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
+                       int mode,
+                       size_t length,
+                       const unsigned char *iv,
+                       size_t iv_len,
+                       const unsigned char *add,
+                       size_t add_len,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t tag_len,
+                       unsigned char *tag )
+{
+    int ret;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+
+    if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len, add, add_len ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_gcm_update( ctx, length, input, output ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_gcm_finish( ctx, tag, tag_len ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
+                      size_t length,
+                      const unsigned char *iv,
+                      size_t iv_len,
+                      const unsigned char *add,
+                      size_t add_len,
+                      const unsigned char *tag,
+                      size_t tag_len,
+                      const unsigned char *input,
+                      unsigned char *output )
+{
+    int ret;
+    unsigned char check_tag[16];
+    size_t i;
+    int diff;
+
+    GCM_VALIDATE_RET( ctx != NULL );
+    GCM_VALIDATE_RET( iv != NULL );
+    GCM_VALIDATE_RET( add_len == 0 || add != NULL );
+    GCM_VALIDATE_RET( tag != NULL );
+    GCM_VALIDATE_RET( length == 0 || input != NULL );
+    GCM_VALIDATE_RET( length == 0 || output != NULL );
+
+    if( ( ret = mbedtls_gcm_crypt_and_tag( ctx, MBEDTLS_GCM_DECRYPT, length,
+                                   iv, iv_len, add, add_len,
+                                   input, output, tag_len, check_tag ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Check tag in "constant-time" */
+    for( diff = 0, i = 0; i < tag_len; i++ )
+        diff |= tag[i] ^ check_tag[i];
+
+    if( diff != 0 )
+    {
+        mbedtls_platform_zeroize( output, length );
+        return( MBEDTLS_ERR_GCM_AUTH_FAILED );
+    }
+
+    return( 0 );
+}
+
+void mbedtls_gcm_free( mbedtls_gcm_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_gcm_context ) );
+}
+
+#endif /* !MBEDTLS_GCM_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+/*
+ * AES-GCM test vectors from:
+ *
+ * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
+ */
+#define MAX_TESTS   6
+
+static const int key_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char key[MAX_TESTS][32] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+      0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+      0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
+};
+
+static const size_t iv_len[MAX_TESTS] =
+    { 12, 12, 12, 12, 8, 60 };
+
+static const int iv_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 2 };
+
+static const unsigned char iv[MAX_TESTS][64] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00 },
+    { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+      0xde, 0xca, 0xf8, 0x88 },
+    { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+      0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+      0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+      0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+      0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+      0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+      0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+      0xa6, 0x37, 0xb3, 0x9b },
+};
+
+static const size_t add_len[MAX_TESTS] =
+    { 0, 0, 0, 20, 20, 20 };
+
+static const int add_index[MAX_TESTS] =
+    { 0, 0, 0, 1, 1, 1 };
+
+static const unsigned char additional[MAX_TESTS][64] =
+{
+    { 0x00 },
+    { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+      0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+      0xab, 0xad, 0xda, 0xd2 },
+};
+
+static const size_t pt_len[MAX_TESTS] =
+    { 0, 16, 64, 60, 60, 60 };
+
+static const int pt_index[MAX_TESTS] =
+    { 0, 0, 1, 1, 1, 1 };
+
+static const unsigned char pt[MAX_TESTS][64] =
+{
+    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+      0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+      0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+      0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+      0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+      0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+      0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+      0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
+};
+
+static const unsigned char ct[MAX_TESTS * 3][64] =
+{
+    { 0x00 },
+    { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
+      0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
+    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+      0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
+    { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+      0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+      0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+      0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+      0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+      0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+      0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+      0x3d, 0x58, 0xe0, 0x91 },
+    { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
+      0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
+      0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
+      0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
+      0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
+      0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
+      0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
+      0xc2, 0x3f, 0x45, 0x98 },
+    { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
+      0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
+      0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
+      0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
+      0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
+      0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
+      0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
+      0x4c, 0x34, 0xae, 0xe5 },
+    { 0x00 },
+    { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
+      0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
+    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+      0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
+    { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
+      0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
+      0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
+      0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
+      0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
+      0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
+      0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
+      0xcc, 0xda, 0x27, 0x10 },
+    { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
+      0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
+      0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
+      0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
+      0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
+      0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
+      0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
+      0xa0, 0xf0, 0x62, 0xf7 },
+    { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+      0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+      0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+      0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+      0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+      0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+      0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+      0xe9, 0xb7, 0x37, 0x3b },
+    { 0x00 },
+    { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
+      0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
+    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+      0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
+    { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
+      0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
+      0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
+      0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
+      0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
+      0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
+      0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
+      0xbc, 0xc9, 0xf6, 0x62 },
+    { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
+      0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
+      0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
+      0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
+      0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
+      0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
+      0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
+      0xf4, 0x7c, 0x9b, 0x1f },
+    { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
+      0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
+      0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
+      0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
+      0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
+      0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
+      0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
+      0x44, 0xae, 0x7e, 0x3f },
+};
+
+static const unsigned char tag[MAX_TESTS * 3][16] =
+{
+    { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
+      0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
+    { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
+      0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
+    { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
+      0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
+    { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+      0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
+    { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
+      0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
+    { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
+      0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
+    { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
+      0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
+    { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
+      0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
+    { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
+      0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
+    { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
+      0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
+    { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
+      0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
+    { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+      0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
+    { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
+      0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
+    { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
+      0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
+    { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
+      0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
+    { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
+      0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
+    { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
+      0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
+    { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
+      0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
+};
+
+int mbedtls_gcm_self_test( int verbose )
+{
+    mbedtls_gcm_context ctx;
+    unsigned char buf[64];
+    unsigned char tag_buf[16];
+    int i, j, ret;
+    mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
+
+    for( j = 0; j < 3; j++ )
+    {
+        int key_len = 128 + 64 * j;
+
+        for( i = 0; i < MAX_TESTS; i++ )
+        {
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d (%s): ",
+                                key_len, i, "enc" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            /*
+             * AES-192 is an optional feature that may be unavailable when
+             * there is an alternative underlying implementation i.e. when
+             * MBEDTLS_AES_ALT is defined.
+             */
+            if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && key_len == 192 )
+            {
+                mbedtls_printf( "skipped\n" );
+                break;
+            }
+            else if( ret != 0 )
+            {
+                goto exit;
+            }
+
+            ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT,
+                                        pt_len[i],
+                                        iv[iv_index[i]], iv_len[i],
+                                        additional[add_index[i]], add_len[i],
+                                        pt[pt_index[i]], buf, 16, tag_buf );
+            if( ret != 0 )
+                goto exit;
+
+            if ( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
+                 memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d (%s): ",
+                                key_len, i, "dec" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT,
+                                        pt_len[i],
+                                        iv[iv_index[i]], iv_len[i],
+                                        additional[add_index[i]], add_len[i],
+                                        ct[j * 6 + i], buf, 16, tag_buf );
+
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d split (%s): ",
+                                key_len, i, "enc" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT,
+                                      iv[iv_index[i]], iv_len[i],
+                                      additional[add_index[i]], add_len[i] );
+            if( ret != 0 )
+                goto exit;
+
+            if( pt_len[i] > 32 )
+            {
+                size_t rest_len = pt_len[i] - 32;
+                ret = mbedtls_gcm_update( &ctx, 32, pt[pt_index[i]], buf );
+                if( ret != 0 )
+                    goto exit;
+
+                ret = mbedtls_gcm_update( &ctx, rest_len, pt[pt_index[i]] + 32,
+                                  buf + 32 );
+                if( ret != 0 )
+                    goto exit;
+            }
+            else
+            {
+                ret = mbedtls_gcm_update( &ctx, pt_len[i], pt[pt_index[i]], buf );
+                if( ret != 0 )
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+
+            mbedtls_gcm_init( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "  AES-GCM-%3d #%d split (%s): ",
+                                key_len, i, "dec" );
+
+            ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]],
+                                      key_len );
+            if( ret != 0 )
+                goto exit;
+
+            ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_DECRYPT,
+                              iv[iv_index[i]], iv_len[i],
+                              additional[add_index[i]], add_len[i] );
+            if( ret != 0 )
+                goto exit;
+
+            if( pt_len[i] > 32 )
+            {
+                size_t rest_len = pt_len[i] - 32;
+                ret = mbedtls_gcm_update( &ctx, 32, ct[j * 6 + i], buf );
+                if( ret != 0 )
+                    goto exit;
+
+                ret = mbedtls_gcm_update( &ctx, rest_len, ct[j * 6 + i] + 32,
+                                          buf + 32 );
+                if( ret != 0 )
+                    goto exit;
+            }
+            else
+            {
+                ret = mbedtls_gcm_update( &ctx, pt_len[i], ct[j * 6 + i],
+                                          buf );
+                if( ret != 0 )
+                    goto exit;
+            }
+
+            ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
+            if( ret != 0 )
+                goto exit;
+
+            if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
+                memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_gcm_free( &ctx );
+
+            if( verbose != 0 )
+                mbedtls_printf( "passed\n" );
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    ret = 0;
+
+exit:
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+        mbedtls_gcm_free( &ctx );
+    }
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_GCM_C */
diff --git a/makerom/deps/libmbedtls/src/havege.c b/makerom/deps/libmbedtls/src/havege.c
new file mode 100644
index 00000000..c139e1db
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/havege.c
@@ -0,0 +1,253 @@
+/**
+ *  \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The HAVEGE RNG was designed by Andre Seznec in 2002.
+ *
+ *  http://www.irisa.fr/caps/projects/hipsor/publi.php
+ *
+ *  Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HAVEGE_C)
+
+#include "mbedtls/havege.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/platform_util.h"
+
+#include <limits.h>
+#include <string.h>
+
+/* If int isn't capable of storing 2^32 distinct values, the code of this
+ * module may cause a processor trap or a miscalculation. If int is more
+ * than 32 bits, the code may not calculate the intended values. */
+#if INT_MIN + 1 != -0x7fffffff
+#error "The HAVEGE module requires int to be exactly 32 bits, with INT_MIN = -2^31."
+#endif
+#if UINT_MAX != 0xffffffff
+#error "The HAVEGE module requires unsigned to be exactly 32 bits."
+#endif
+
+/* ------------------------------------------------------------------------
+ * On average, one iteration accesses two 8-word blocks in the havege WALK
+ * table, and generates 16 words in the RES array.
+ *
+ * The data read in the WALK table is updated and permuted after each use.
+ * The result of the hardware clock counter read is used  for this update.
+ *
+ * 25 conditional tests are present.  The conditional tests are grouped in
+ * two nested  groups of 12 conditional tests and 1 test that controls the
+ * permutation; on average, there should be 6 tests executed and 3 of them
+ * should be mispredicted.
+ * ------------------------------------------------------------------------
+ */
+
+#define SWAP(X,Y) { unsigned *T = (X); (X) = (Y); (Y) = T; }
+
+#define TST1_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+#define TST2_ENTER if( PTEST & 1 ) { PTEST ^= 3; PTEST >>= 1;
+
+#define TST1_LEAVE U1++; }
+#define TST2_LEAVE U2++; }
+
+#define ONE_ITERATION                                   \
+                                                        \
+    PTEST = PT1 >> 20;                                  \
+                                                        \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+    TST1_ENTER  TST1_ENTER  TST1_ENTER  TST1_ENTER      \
+                                                        \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+    TST1_LEAVE  TST1_LEAVE  TST1_LEAVE  TST1_LEAVE      \
+                                                        \
+    PTX = (PT1 >> 18) & 7;                              \
+    PT1 &= 0x1FFF;                                      \
+    PT2 &= 0x1FFF;                                      \
+    CLK = (unsigned) mbedtls_timing_hardclock();        \
+                                                        \
+    i = 0;                                              \
+    A = &WALK[PT1    ]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2    ]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 1]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 4]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (1)) ^ (*A << (31)) ^ CLK;              \
+    *A = (*B >> (2)) ^ (*B << (30)) ^ CLK;              \
+    *B = IN ^ U1;                                       \
+    *C = (*C >> (3)) ^ (*C << (29)) ^ CLK;              \
+    *D = (*D >> (4)) ^ (*D << (28)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 2]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 2]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 3]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 6]; RES[i++] ^= *D;                 \
+                                                        \
+    if( PTEST & 1 ) SWAP( A, C );                       \
+                                                        \
+    IN = (*A >> (5)) ^ (*A << (27)) ^ CLK;              \
+    *A = (*B >> (6)) ^ (*B << (26)) ^ CLK;              \
+    *B = IN; CLK = (unsigned) mbedtls_timing_hardclock(); \
+    *C = (*C >> (7)) ^ (*C << (25)) ^ CLK;              \
+    *D = (*D >> (8)) ^ (*D << (24)) ^ CLK;              \
+                                                        \
+    A = &WALK[PT1 ^ 4];                                 \
+    B = &WALK[PT2 ^ 1];                                 \
+                                                        \
+    PTEST = PT2 >> 1;                                   \
+                                                        \
+    PT2 = (RES[(i - 8) ^ PTY] ^ WALK[PT2 ^ PTY ^ 7]);   \
+    PT2 = ((PT2 & 0x1FFF) & (~8)) ^ ((PT1 ^ 8) & 0x8);  \
+    PTY = (PT2 >> 10) & 7;                              \
+                                                        \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+    TST2_ENTER  TST2_ENTER  TST2_ENTER  TST2_ENTER      \
+                                                        \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+    TST2_LEAVE  TST2_LEAVE  TST2_LEAVE  TST2_LEAVE      \
+                                                        \
+    C = &WALK[PT1 ^ 5];                                 \
+    D = &WALK[PT2 ^ 5];                                 \
+                                                        \
+    RES[i++] ^= *A;                                     \
+    RES[i++] ^= *B;                                     \
+    RES[i++] ^= *C;                                     \
+    RES[i++] ^= *D;                                     \
+                                                        \
+    IN = (*A >> ( 9)) ^ (*A << (23)) ^ CLK;             \
+    *A = (*B >> (10)) ^ (*B << (22)) ^ CLK;             \
+    *B = IN ^ U2;                                       \
+    *C = (*C >> (11)) ^ (*C << (21)) ^ CLK;             \
+    *D = (*D >> (12)) ^ (*D << (20)) ^ CLK;             \
+                                                        \
+    A = &WALK[PT1 ^ 6]; RES[i++] ^= *A;                 \
+    B = &WALK[PT2 ^ 3]; RES[i++] ^= *B;                 \
+    C = &WALK[PT1 ^ 7]; RES[i++] ^= *C;                 \
+    D = &WALK[PT2 ^ 7]; RES[i++] ^= *D;                 \
+                                                        \
+    IN = (*A >> (13)) ^ (*A << (19)) ^ CLK;             \
+    *A = (*B >> (14)) ^ (*B << (18)) ^ CLK;             \
+    *B = IN;                                            \
+    *C = (*C >> (15)) ^ (*C << (17)) ^ CLK;             \
+    *D = (*D >> (16)) ^ (*D << (16)) ^ CLK;             \
+                                                        \
+    PT1 = ( RES[( i - 8 ) ^ PTX] ^                      \
+            WALK[PT1 ^ PTX ^ 7] ) & (~1);               \
+    PT1 ^= (PT2 ^ 0x10) & 0x10;                         \
+                                                        \
+    for( n++, i = 0; i < 16; i++ )                      \
+        POOL[n % MBEDTLS_HAVEGE_COLLECT_SIZE] ^= RES[i];
+
+/*
+ * Entropy gathering function
+ */
+static void havege_fill( mbedtls_havege_state *hs )
+{
+    unsigned i, n = 0;
+    unsigned  U1,  U2, *A, *B, *C, *D;
+    unsigned PT1, PT2, *WALK, *POOL, RES[16];
+    unsigned PTX, PTY, CLK, PTEST, IN;
+
+    WALK = (unsigned *) hs->WALK;
+    POOL = (unsigned *) hs->pool;
+    PT1  = hs->PT1;
+    PT2  = hs->PT2;
+
+    PTX  = U1 = 0;
+    PTY  = U2 = 0;
+
+    (void)PTX;
+
+    memset( RES, 0, sizeof( RES ) );
+
+    while( n < MBEDTLS_HAVEGE_COLLECT_SIZE * 4 )
+    {
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+        ONE_ITERATION
+    }
+
+    hs->PT1 = PT1;
+    hs->PT2 = PT2;
+
+    hs->offset[0] = 0;
+    hs->offset[1] = MBEDTLS_HAVEGE_COLLECT_SIZE / 2;
+}
+
+/*
+ * HAVEGE initialization
+ */
+void mbedtls_havege_init( mbedtls_havege_state *hs )
+{
+    memset( hs, 0, sizeof( mbedtls_havege_state ) );
+
+    havege_fill( hs );
+}
+
+void mbedtls_havege_free( mbedtls_havege_state *hs )
+{
+    if( hs == NULL )
+        return;
+
+    mbedtls_platform_zeroize( hs, sizeof( mbedtls_havege_state ) );
+}
+
+/*
+ * HAVEGE rand function
+ */
+int mbedtls_havege_random( void *p_rng, unsigned char *buf, size_t len )
+{
+    int val;
+    size_t use_len;
+    mbedtls_havege_state *hs = (mbedtls_havege_state *) p_rng;
+    unsigned char *p = buf;
+
+    while( len > 0 )
+    {
+        use_len = len;
+        if( use_len > sizeof(int) )
+            use_len = sizeof(int);
+
+        if( hs->offset[1] >= MBEDTLS_HAVEGE_COLLECT_SIZE )
+            havege_fill( hs );
+
+        val  = hs->pool[hs->offset[0]++];
+        val ^= hs->pool[hs->offset[1]++];
+
+        memcpy( p, &val, use_len );
+
+        len -= use_len;
+        p += use_len;
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVEGE_C */
diff --git a/makerom/deps/libmbedtls/src/hkdf.c b/makerom/deps/libmbedtls/src/hkdf.c
new file mode 100644
index 00000000..82d8a429
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/hkdf.c
@@ -0,0 +1,192 @@
+/*
+ *  HKDF implementation -- RFC 5869
+ *
+ *  Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HKDF_C)
+
+#include <string.h>
+#include "mbedtls/hkdf.h"
+#include "mbedtls/platform_util.h"
+
+int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
+                  size_t salt_len, const unsigned char *ikm, size_t ikm_len,
+                  const unsigned char *info, size_t info_len,
+                  unsigned char *okm, size_t okm_len )
+{
+    int ret;
+    unsigned char prk[MBEDTLS_MD_MAX_SIZE];
+
+    ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, prk );
+
+    if( ret == 0 )
+    {
+        ret = mbedtls_hkdf_expand( md, prk, mbedtls_md_get_size( md ),
+                                   info, info_len, okm, okm_len );
+    }
+
+    mbedtls_platform_zeroize( prk, sizeof( prk ) );
+
+    return( ret );
+}
+
+int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
+                          const unsigned char *salt, size_t salt_len,
+                          const unsigned char *ikm, size_t ikm_len,
+                          unsigned char *prk )
+{
+    unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
+
+    if( salt == NULL )
+    {
+        size_t hash_len;
+
+        if( salt_len != 0 )
+        {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        hash_len = mbedtls_md_get_size( md );
+
+        if( hash_len == 0 )
+        {
+            return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
+        }
+
+        salt = null_salt;
+        salt_len = hash_len;
+    }
+
+    return( mbedtls_md_hmac( md, salt, salt_len, ikm, ikm_len, prk ) );
+}
+
+int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
+                         size_t prk_len, const unsigned char *info,
+                         size_t info_len, unsigned char *okm, size_t okm_len )
+{
+    size_t hash_len;
+    size_t where = 0;
+    size_t n;
+    size_t t_len = 0;
+    size_t i;
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    unsigned char t[MBEDTLS_MD_MAX_SIZE];
+
+    if( okm == NULL )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    hash_len = mbedtls_md_get_size( md );
+
+    if( prk_len < hash_len || hash_len == 0 )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    if( info == NULL )
+    {
+        info = (const unsigned char *) "";
+        info_len = 0;
+    }
+
+    n = okm_len / hash_len;
+
+    if( (okm_len % hash_len) != 0 )
+    {
+        n++;
+    }
+
+    /*
+     * Per RFC 5869 Section 2.3, okm_len must not exceed
+     * 255 times the hash length
+     */
+    if( n > 255 )
+    {
+        return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
+    }
+
+    mbedtls_md_init( &ctx );
+
+    if( (ret = mbedtls_md_setup( &ctx, md, 1) ) != 0 )
+    {
+        goto exit;
+    }
+
+    /*
+     * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+     * Where T(N) is defined in RFC 5869 Section 2.3
+     */
+    for( i = 1; i <= n; i++ )
+    {
+        size_t num_to_copy;
+        unsigned char c = i & 0xff;
+
+        ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update( &ctx, t, t_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_update( &ctx, info, info_len );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        /* The constant concatenated to the end of each T(n) is a single octet.
+         * */
+        ret = mbedtls_md_hmac_update( &ctx, &c, 1 );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        ret = mbedtls_md_hmac_finish( &ctx, t );
+        if( ret != 0 )
+        {
+            goto exit;
+        }
+
+        num_to_copy = i != n ? hash_len : okm_len - where;
+        memcpy( okm + where, t, num_to_copy );
+        where += hash_len;
+        t_len = hash_len;
+    }
+
+exit:
+    mbedtls_md_free( &ctx );
+    mbedtls_platform_zeroize( t, sizeof( t ) );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_HKDF_C */
diff --git a/makerom/deps/libmbedtls/src/hmac_drbg.c b/makerom/deps/libmbedtls/src/hmac_drbg.c
new file mode 100644
index 00000000..284c9b4e
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/hmac_drbg.c
@@ -0,0 +1,625 @@
+/*
+ *  HMAC_DRBG implementation (NIST SP 800-90)
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The NIST SP 800-90A DRBGs are described in the following publication.
+ *  http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
+ *  References below are based on rev. 1 (January 2012).
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+#include "mbedtls/hmac_drbg.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_SELF_TEST */
+#endif /* MBEDTLS_PLATFORM_C */
+
+/*
+ * HMAC_DRBG context initialization
+ */
+void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+/*
+ * HMAC_DRBG update, using optional additional data (10.1.2.2)
+ */
+int mbedtls_hmac_drbg_update_ret( mbedtls_hmac_drbg_context *ctx,
+                                  const unsigned char *additional,
+                                  size_t add_len )
+{
+    size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
+    unsigned char rounds = ( additional != NULL && add_len != 0 ) ? 2 : 1;
+    unsigned char sep[1];
+    unsigned char K[MBEDTLS_MD_MAX_SIZE];
+    int ret;
+
+    for( sep[0] = 0; sep[0] < rounds; sep[0]++ )
+    {
+        /* Step 1 or 4 */
+        if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            sep, 1 ) ) != 0 )
+            goto exit;
+        if( rounds == 2 )
+        {
+            if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                                additional, add_len ) ) != 0 )
+            goto exit;
+        }
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, K ) ) != 0 )
+            goto exit;
+
+        /* Step 2 or 5 */
+        if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, K, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 )
+            goto exit;
+    }
+
+exit:
+    mbedtls_platform_zeroize( K, sizeof( K ) );
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
+                               const unsigned char *additional,
+                               size_t add_len )
+{
+    (void) mbedtls_hmac_drbg_update_ret( ctx, additional, add_len );
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/*
+ * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
+ */
+int mbedtls_hmac_drbg_seed_buf( mbedtls_hmac_drbg_context *ctx,
+                        const mbedtls_md_info_t * md_info,
+                        const unsigned char *data, size_t data_len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V,
+                                        mbedtls_md_get_size( md_info ) ) ) != 0 )
+        return( ret );
+    memset( ctx->V, 0x01, mbedtls_md_get_size( md_info ) );
+
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, data, data_len ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Internal function used both for seeding and reseeding the DRBG.
+ * Comments starting with arabic numbers refer to section 10.1.2.4
+ * of SP800-90A, while roman numbers refer to section 9.2.
+ */
+static int hmac_drbg_reseed_core( mbedtls_hmac_drbg_context *ctx,
+                                  const unsigned char *additional, size_t len,
+                                  int use_nonce )
+{
+    unsigned char seed[MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT];
+    size_t seedlen = 0;
+    int ret;
+
+    {
+        size_t total_entropy_len;
+
+        if( use_nonce == 0 )
+            total_entropy_len = ctx->entropy_len;
+        else
+            total_entropy_len = ctx->entropy_len * 3 / 2;
+
+        /* III. Check input length */
+        if( len > MBEDTLS_HMAC_DRBG_MAX_INPUT ||
+            total_entropy_len + len > MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+        }
+    }
+
+    memset( seed, 0, MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT );
+
+    /* IV. Gather entropy_len bytes of entropy for the seed */
+    if( ( ret = ctx->f_entropy( ctx->p_entropy,
+                                seed, ctx->entropy_len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+    }
+    seedlen += ctx->entropy_len;
+
+    /* For initial seeding, allow adding of nonce generated
+     * from the entropy source. See Sect 8.6.7 in SP800-90A. */
+    if( use_nonce )
+    {
+        /* Note: We don't merge the two calls to f_entropy() in order
+         *       to avoid requesting too much entropy from f_entropy()
+         *       at once. Specifically, if the underlying digest is not
+         *       SHA-1, 3 / 2 * entropy_len is at least 36 Bytes, which
+         *       is larger than the maximum of 32 Bytes that our own
+         *       entropy source implementation can emit in a single
+         *       call in configurations disabling SHA-512. */
+        if( ( ret = ctx->f_entropy( ctx->p_entropy,
+                                    seed + seedlen,
+                                    ctx->entropy_len / 2 ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED );
+        }
+
+        seedlen += ctx->entropy_len / 2;
+    }
+
+
+    /* 1. Concatenate entropy and additional data if any */
+    if( additional != NULL && len != 0 )
+    {
+        memcpy( seed + seedlen, additional, len );
+        seedlen += len;
+    }
+
+    /* 2. Update state */
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx, seed, seedlen ) ) != 0 )
+        goto exit;
+
+    /* 3. Reset reseed_counter */
+    ctx->reseed_counter = 1;
+
+exit:
+    /* 4. Done */
+    mbedtls_platform_zeroize( seed, seedlen );
+    return( ret );
+}
+
+/*
+ * HMAC_DRBG reseeding: 10.1.2.4 + 9.2
+ */
+int mbedtls_hmac_drbg_reseed( mbedtls_hmac_drbg_context *ctx,
+                      const unsigned char *additional, size_t len )
+{
+    return( hmac_drbg_reseed_core( ctx, additional, len, 0 ) );
+}
+
+/*
+ * HMAC_DRBG initialisation (10.1.2.3 + 9.1)
+ *
+ * The nonce is not passed as a separate parameter but extracted
+ * from the entropy source as suggested in 8.6.7.
+ */
+int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
+                    const mbedtls_md_info_t * md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len )
+{
+    int ret;
+    size_t md_size;
+
+    if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    md_size = mbedtls_md_get_size( md_info );
+
+    /*
+     * Set initial working state.
+     * Use the V memory location, which is currently all 0, to initialize the
+     * MD context with an all-zero key. Then set V to its initial value.
+     */
+    if( ( ret = mbedtls_md_hmac_starts( &ctx->md_ctx, ctx->V, md_size ) ) != 0 )
+        return( ret );
+    memset( ctx->V, 0x01, md_size );
+
+    ctx->f_entropy = f_entropy;
+    ctx->p_entropy = p_entropy;
+
+    ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
+
+    if( ctx->entropy_len == 0 )
+    {
+        /*
+         * See SP800-57 5.6.1 (p. 65-66) for the security strength provided by
+         * each hash function, then according to SP800-90A rev1 10.1 table 2,
+         * min_entropy_len (in bits) is security_strength.
+         *
+         * (This also matches the sizes used in the NIST test vectors.)
+         */
+        ctx->entropy_len = md_size <= 20 ? 16 : /* 160-bits hash -> 128 bits */
+                           md_size <= 28 ? 24 : /* 224-bits hash -> 192 bits */
+                           32;  /* better (256+) -> 256 bits */
+    }
+
+    if( ( ret = hmac_drbg_reseed_core( ctx, custom, len,
+                                       1 /* add nonce */ ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Set prediction resistance
+ */
+void mbedtls_hmac_drbg_set_prediction_resistance( mbedtls_hmac_drbg_context *ctx,
+                                          int resistance )
+{
+    ctx->prediction_resistance = resistance;
+}
+
+/*
+ * Set entropy length grabbed for seeding
+ */
+void mbedtls_hmac_drbg_set_entropy_len( mbedtls_hmac_drbg_context *ctx, size_t len )
+{
+    ctx->entropy_len = len;
+}
+
+/*
+ * Set reseed interval
+ */
+void mbedtls_hmac_drbg_set_reseed_interval( mbedtls_hmac_drbg_context *ctx, int interval )
+{
+    ctx->reseed_interval = interval;
+}
+
+/*
+ * HMAC_DRBG random function with optional additional data:
+ * 10.1.2.5 (arabic) + 9.3 (Roman)
+ */
+int mbedtls_hmac_drbg_random_with_add( void *p_rng,
+                               unsigned char *output, size_t out_len,
+                               const unsigned char *additional, size_t add_len )
+{
+    int ret;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+    size_t md_len = mbedtls_md_get_size( ctx->md_ctx.md_info );
+    size_t left = out_len;
+    unsigned char *out = output;
+
+    /* II. Check request length */
+    if( out_len > MBEDTLS_HMAC_DRBG_MAX_REQUEST )
+        return( MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG );
+
+    /* III. Check input length */
+    if( add_len > MBEDTLS_HMAC_DRBG_MAX_INPUT )
+        return( MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG );
+
+    /* 1. (aka VII and IX) Check reseed counter and PR */
+    if( ctx->f_entropy != NULL && /* For no-reseeding instances */
+        ( ctx->prediction_resistance == MBEDTLS_HMAC_DRBG_PR_ON ||
+          ctx->reseed_counter > ctx->reseed_interval ) )
+    {
+        if( ( ret = mbedtls_hmac_drbg_reseed( ctx, additional, add_len ) ) != 0 )
+            return( ret );
+
+        add_len = 0; /* VII.4 */
+    }
+
+    /* 2. Use additional data if any */
+    if( additional != NULL && add_len != 0 )
+    {
+        if( ( ret = mbedtls_hmac_drbg_update_ret( ctx,
+                                                  additional, add_len ) ) != 0 )
+            goto exit;
+    }
+
+    /* 3, 4, 5. Generate bytes */
+    while( left != 0 )
+    {
+        size_t use_len = left > md_len ? md_len : left;
+
+        if( ( ret = mbedtls_md_hmac_reset( &ctx->md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_update( &ctx->md_ctx,
+                                            ctx->V, md_len ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_hmac_finish( &ctx->md_ctx, ctx->V ) ) != 0 )
+            goto exit;
+
+        memcpy( out, ctx->V, use_len );
+        out += use_len;
+        left -= use_len;
+    }
+
+    /* 6. Update */
+    if( ( ret = mbedtls_hmac_drbg_update_ret( ctx,
+                                              additional, add_len ) ) != 0 )
+        goto exit;
+
+    /* 7. Update reseed counter */
+    ctx->reseed_counter++;
+
+exit:
+    /* 8. Done */
+    return( ret );
+}
+
+/*
+ * HMAC_DRBG random function
+ */
+int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len )
+{
+    int ret;
+    mbedtls_hmac_drbg_context *ctx = (mbedtls_hmac_drbg_context *) p_rng;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    ret = mbedtls_hmac_drbg_random_with_add( ctx, output, out_len, NULL, 0 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Free an HMAC_DRBG context
+ */
+void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+    mbedtls_md_free( &ctx->md_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
+{
+    int ret;
+    FILE *f;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+
+    if( ( f = fopen( path, "wb" ) ) == NULL )
+        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+
+    if( ( ret = mbedtls_hmac_drbg_random( ctx, buf, sizeof( buf ) ) ) != 0 )
+        goto exit;
+
+    if( fwrite( buf, 1, sizeof( buf ), f ) != sizeof( buf ) )
+    {
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+
+    ret = 0;
+
+exit:
+    fclose( f );
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path )
+{
+    int ret = 0;
+    FILE *f = NULL;
+    size_t n;
+    unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ];
+    unsigned char c;
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR );
+
+    n = fread( buf, 1, sizeof( buf ), f );
+    if( fread( &c, 1, 1, f ) != 0 )
+    {
+        ret = MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG;
+        goto exit;
+    }
+    if( n == 0 || ferror( f ) )
+    {
+        ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR;
+        goto exit;
+    }
+    fclose( f );
+    f = NULL;
+
+    ret = mbedtls_hmac_drbg_update_ret( ctx, buf, n );
+
+exit:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    if( f != NULL )
+        fclose( f );
+    if( ret != 0 )
+        return( ret );
+    return( mbedtls_hmac_drbg_write_seed_file( ctx, path ) );
+}
+#endif /* MBEDTLS_FS_IO */
+
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_SHA1_C)
+/* Dummy checkup routine */
+int mbedtls_hmac_drbg_self_test( int verbose )
+{
+    (void) verbose;
+    return( 0 );
+}
+#else
+
+#define OUTPUT_LEN  80
+
+/* From a NIST PR=true test vector */
+static const unsigned char entropy_pr[] = {
+    0xa0, 0xc9, 0xab, 0x58, 0xf1, 0xe2, 0xe5, 0xa4, 0xde, 0x3e, 0xbd, 0x4f,
+    0xf7, 0x3e, 0x9c, 0x5b, 0x64, 0xef, 0xd8, 0xca, 0x02, 0x8c, 0xf8, 0x11,
+    0x48, 0xa5, 0x84, 0xfe, 0x69, 0xab, 0x5a, 0xee, 0x42, 0xaa, 0x4d, 0x42,
+    0x17, 0x60, 0x99, 0xd4, 0x5e, 0x13, 0x97, 0xdc, 0x40, 0x4d, 0x86, 0xa3,
+    0x7b, 0xf5, 0x59, 0x54, 0x75, 0x69, 0x51, 0xe4 };
+static const unsigned char result_pr[OUTPUT_LEN] = {
+    0x9a, 0x00, 0xa2, 0xd0, 0x0e, 0xd5, 0x9b, 0xfe, 0x31, 0xec, 0xb1, 0x39,
+    0x9b, 0x60, 0x81, 0x48, 0xd1, 0x96, 0x9d, 0x25, 0x0d, 0x3c, 0x1e, 0x94,
+    0x10, 0x10, 0x98, 0x12, 0x93, 0x25, 0xca, 0xb8, 0xfc, 0xcc, 0x2d, 0x54,
+    0x73, 0x19, 0x70, 0xc0, 0x10, 0x7a, 0xa4, 0x89, 0x25, 0x19, 0x95, 0x5e,
+    0x4b, 0xc6, 0x00, 0x1d, 0x7f, 0x4e, 0x6a, 0x2b, 0xf8, 0xa3, 0x01, 0xab,
+    0x46, 0x05, 0x5c, 0x09, 0xa6, 0x71, 0x88, 0xf1, 0xa7, 0x40, 0xee, 0xf3,
+    0xe1, 0x5c, 0x02, 0x9b, 0x44, 0xaf, 0x03, 0x44 };
+
+/* From a NIST PR=false test vector */
+static const unsigned char entropy_nopr[] = {
+    0x79, 0x34, 0x9b, 0xbf, 0x7c, 0xdd, 0xa5, 0x79, 0x95, 0x57, 0x86, 0x66,
+    0x21, 0xc9, 0x13, 0x83, 0x11, 0x46, 0x73, 0x3a, 0xbf, 0x8c, 0x35, 0xc8,
+    0xc7, 0x21, 0x5b, 0x5b, 0x96, 0xc4, 0x8e, 0x9b, 0x33, 0x8c, 0x74, 0xe3,
+    0xe9, 0x9d, 0xfe, 0xdf };
+static const unsigned char result_nopr[OUTPUT_LEN] = {
+    0xc6, 0xa1, 0x6a, 0xb8, 0xd4, 0x20, 0x70, 0x6f, 0x0f, 0x34, 0xab, 0x7f,
+    0xec, 0x5a, 0xdc, 0xa9, 0xd8, 0xca, 0x3a, 0x13, 0x3e, 0x15, 0x9c, 0xa6,
+    0xac, 0x43, 0xc6, 0xf8, 0xa2, 0xbe, 0x22, 0x83, 0x4a, 0x4c, 0x0a, 0x0a,
+    0xff, 0xb1, 0x0d, 0x71, 0x94, 0xf1, 0xc1, 0xa5, 0xcf, 0x73, 0x22, 0xec,
+    0x1a, 0xe0, 0x96, 0x4e, 0xd4, 0xbf, 0x12, 0x27, 0x46, 0xe0, 0x87, 0xfd,
+    0xb5, 0xb3, 0xe9, 0x1b, 0x34, 0x93, 0xd5, 0xbb, 0x98, 0xfa, 0xed, 0x49,
+    0xe8, 0x5f, 0x13, 0x0f, 0xc8, 0xa4, 0x59, 0xb7 };
+
+/* "Entropy" from buffer */
+static size_t test_offset;
+static int hmac_drbg_self_test_entropy( void *data,
+                                        unsigned char *buf, size_t len )
+{
+    const unsigned char *p = data;
+    memcpy( buf, p + test_offset, len );
+    test_offset += len;
+    return( 0 );
+}
+
+#define CHK( c )    if( (c) != 0 )                          \
+                    {                                       \
+                        if( verbose != 0 )                  \
+                            mbedtls_printf( "failed\n" );  \
+                        return( 1 );                        \
+                    }
+
+/*
+ * Checkup routine for HMAC_DRBG with SHA-1
+ */
+int mbedtls_hmac_drbg_self_test( int verbose )
+{
+    mbedtls_hmac_drbg_context ctx;
+    unsigned char buf[OUTPUT_LEN];
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+
+    mbedtls_hmac_drbg_init( &ctx );
+
+    /*
+     * PR = True
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  HMAC_DRBG (PR = True) : " );
+
+    test_offset = 0;
+    CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
+                         hmac_drbg_self_test_entropy, (void *) entropy_pr,
+                         NULL, 0 ) );
+    mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( memcmp( buf, result_pr, OUTPUT_LEN ) );
+    mbedtls_hmac_drbg_free( &ctx );
+
+    mbedtls_hmac_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    /*
+     * PR = False
+     */
+    if( verbose != 0 )
+        mbedtls_printf( "  HMAC_DRBG (PR = False) : " );
+
+    mbedtls_hmac_drbg_init( &ctx );
+
+    test_offset = 0;
+    CHK( mbedtls_hmac_drbg_seed( &ctx, md_info,
+                         hmac_drbg_self_test_entropy, (void *) entropy_nopr,
+                         NULL, 0 ) );
+    CHK( mbedtls_hmac_drbg_reseed( &ctx, NULL, 0 ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
+    CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) );
+    mbedtls_hmac_drbg_free( &ctx );
+
+    mbedtls_hmac_drbg_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_HMAC_DRBG_C */
diff --git a/makerom/deps/libmbedtls/src/md.c b/makerom/deps/libmbedtls/src/md.c
new file mode 100644
index 00000000..303cdcbe
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/md.c
@@ -0,0 +1,475 @@
+/**
+ * \file mbedtls_md.c
+ *
+ * \brief Generic message digest wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD_C)
+
+#include "mbedtls/md.h"
+#include "mbedtls/md_internal.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#endif
+
+/*
+ * Reminder: update profiles in x509_crt.c when adding a new hash!
+ */
+static const int supported_digests[] = {
+
+#if defined(MBEDTLS_SHA512_C)
+        MBEDTLS_MD_SHA512,
+        MBEDTLS_MD_SHA384,
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+        MBEDTLS_MD_SHA256,
+        MBEDTLS_MD_SHA224,
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+        MBEDTLS_MD_SHA1,
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+        MBEDTLS_MD_RIPEMD160,
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+        MBEDTLS_MD_MD5,
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+        MBEDTLS_MD_MD4,
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+        MBEDTLS_MD_MD2,
+#endif
+
+        MBEDTLS_MD_NONE
+};
+
+const int *mbedtls_md_list( void )
+{
+    return( supported_digests );
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name )
+{
+    if( NULL == md_name )
+        return( NULL );
+
+    /* Get the appropriate digest information */
+#if defined(MBEDTLS_MD2_C)
+    if( !strcmp( "MD2", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD2 );
+#endif
+#if defined(MBEDTLS_MD4_C)
+    if( !strcmp( "MD4", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD4 );
+#endif
+#if defined(MBEDTLS_MD5_C)
+    if( !strcmp( "MD5", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_MD5 );
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+    if( !strcmp( "RIPEMD160", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_RIPEMD160 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+    if( !strcmp( "SHA1", md_name ) || !strcmp( "SHA", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( !strcmp( "SHA224", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA224 );
+    if( !strcmp( "SHA256", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    if( !strcmp( "SHA384", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA384 );
+    if( !strcmp( "SHA512", md_name ) )
+        return mbedtls_md_info_from_type( MBEDTLS_MD_SHA512 );
+#endif
+    return( NULL );
+}
+
+const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type )
+{
+    switch( md_type )
+    {
+#if defined(MBEDTLS_MD2_C)
+        case MBEDTLS_MD_MD2:
+            return( &mbedtls_md2_info );
+#endif
+#if defined(MBEDTLS_MD4_C)
+        case MBEDTLS_MD_MD4:
+            return( &mbedtls_md4_info );
+#endif
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return( &mbedtls_md5_info );
+#endif
+#if defined(MBEDTLS_RIPEMD160_C)
+        case MBEDTLS_MD_RIPEMD160:
+            return( &mbedtls_ripemd160_info );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return( &mbedtls_sha1_info );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return( &mbedtls_sha224_info );
+        case MBEDTLS_MD_SHA256:
+            return( &mbedtls_sha256_info );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return( &mbedtls_sha384_info );
+        case MBEDTLS_MD_SHA512:
+            return( &mbedtls_sha512_info );
+#endif
+        default:
+            return( NULL );
+    }
+}
+
+void mbedtls_md_init( mbedtls_md_context_t *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md_context_t ) );
+}
+
+void mbedtls_md_free( mbedtls_md_context_t *ctx )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return;
+
+    if( ctx->md_ctx != NULL )
+        ctx->md_info->ctx_free_func( ctx->md_ctx );
+
+    if( ctx->hmac_ctx != NULL )
+    {
+        mbedtls_platform_zeroize( ctx->hmac_ctx,
+                                  2 * ctx->md_info->block_size );
+        mbedtls_free( ctx->hmac_ctx );
+    }
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md_context_t ) );
+}
+
+int mbedtls_md_clone( mbedtls_md_context_t *dst,
+                      const mbedtls_md_context_t *src )
+{
+    if( dst == NULL || dst->md_info == NULL ||
+        src == NULL || src->md_info == NULL ||
+        dst->md_info != src->md_info )
+    {
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+    }
+
+    dst->md_info->clone_func( dst->md_ctx, src->md_ctx );
+
+    return( 0 );
+}
+
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info )
+{
+    return mbedtls_md_setup( ctx, md_info, 1 );
+}
+#endif
+
+int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac )
+{
+    if( md_info == NULL || ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( ( ctx->md_ctx = md_info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_MD_ALLOC_FAILED );
+
+    if( hmac != 0 )
+    {
+        ctx->hmac_ctx = mbedtls_calloc( 2, md_info->block_size );
+        if( ctx->hmac_ctx == NULL )
+        {
+            md_info->ctx_free_func( ctx->md_ctx );
+            return( MBEDTLS_ERR_MD_ALLOC_FAILED );
+        }
+    }
+
+    ctx->md_info = md_info;
+
+    return( 0 );
+}
+
+int mbedtls_md_starts( mbedtls_md_context_t *ctx )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->starts_func( ctx->md_ctx ) );
+}
+
+int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) );
+}
+
+int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->finish_func( ctx->md_ctx, output ) );
+}
+
+int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
+            unsigned char *output )
+{
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( md_info->digest_func( input, ilen, output ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigned char *output )
+{
+    int ret;
+    FILE *f;
+    size_t n;
+    mbedtls_md_context_t ctx;
+    unsigned char buf[1024];
+
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_MD_FILE_IO_ERROR );
+
+    mbedtls_md_init( &ctx );
+
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
+        goto cleanup;
+
+    if( ( ret = md_info->starts_func( ctx.md_ctx ) ) != 0 )
+        goto cleanup;
+
+    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
+        if( ( ret = md_info->update_func( ctx.md_ctx, buf, n ) ) != 0 )
+            goto cleanup;
+
+    if( ferror( f ) != 0 )
+        ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
+    else
+        ret = md_info->finish_func( ctx.md_ctx, output );
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    fclose( f );
+    mbedtls_md_free( &ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen )
+{
+    int ret;
+    unsigned char sum[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *ipad, *opad;
+    size_t i;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    if( keylen > (size_t) ctx->md_info->block_size )
+    {
+        if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+            goto cleanup;
+        if( ( ret = ctx->md_info->update_func( ctx->md_ctx, key, keylen ) ) != 0 )
+            goto cleanup;
+        if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, sum ) ) != 0 )
+            goto cleanup;
+
+        keylen = ctx->md_info->size;
+        key = sum;
+    }
+
+    ipad = (unsigned char *) ctx->hmac_ctx;
+    opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+    memset( ipad, 0x36, ctx->md_info->block_size );
+    memset( opad, 0x5C, ctx->md_info->block_size );
+
+    for( i = 0; i < keylen; i++ )
+    {
+        ipad[i] = (unsigned char)( ipad[i] ^ key[i] );
+        opad[i] = (unsigned char)( opad[i] ^ key[i] );
+    }
+
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        goto cleanup;
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, ipad,
+                                           ctx->md_info->block_size ) ) != 0 )
+        goto cleanup;
+
+cleanup:
+    mbedtls_platform_zeroize( sum, sizeof( sum ) );
+
+    return( ret );
+}
+
+int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
+{
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) );
+}
+
+int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output )
+{
+    int ret;
+    unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *opad;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
+
+    if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, tmp ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, opad,
+                                           ctx->md_info->block_size ) ) != 0 )
+        return( ret );
+    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, tmp,
+                                           ctx->md_info->size ) ) != 0 )
+        return( ret );
+    return( ctx->md_info->finish_func( ctx->md_ctx, output ) );
+}
+
+int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx )
+{
+    int ret;
+    unsigned char *ipad;
+
+    if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    ipad = (unsigned char *) ctx->hmac_ctx;
+
+    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
+        return( ret );
+    return( ctx->md_info->update_func( ctx->md_ctx, ipad,
+                                       ctx->md_info->block_size ) );
+}
+
+int mbedtls_md_hmac( const mbedtls_md_info_t *md_info,
+                     const unsigned char *key, size_t keylen,
+                     const unsigned char *input, size_t ilen,
+                     unsigned char *output )
+{
+    mbedtls_md_context_t ctx;
+    int ret;
+
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    mbedtls_md_init( &ctx );
+
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 1 ) ) != 0 )
+        goto cleanup;
+
+    if( ( ret = mbedtls_md_hmac_starts( &ctx, key, keylen ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_md_hmac_update( &ctx, input, ilen ) ) != 0 )
+        goto cleanup;
+    if( ( ret = mbedtls_md_hmac_finish( &ctx, output ) ) != 0 )
+        goto cleanup;
+
+cleanup:
+    mbedtls_md_free( &ctx );
+
+    return( ret );
+}
+
+int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data )
+{
+    if( ctx == NULL || ctx->md_info == NULL )
+        return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+
+    return( ctx->md_info->process_func( ctx->md_ctx, data ) );
+}
+
+unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( 0 );
+
+    return md_info->size;
+}
+
+mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( MBEDTLS_MD_NONE );
+
+    return md_info->type;
+}
+
+const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info )
+{
+    if( md_info == NULL )
+        return( NULL );
+
+    return md_info->name;
+}
+
+#endif /* MBEDTLS_MD_C */
diff --git a/makerom/deps/libmbedtls/src/md2.c b/makerom/deps/libmbedtls/src/md2.c
new file mode 100644
index 00000000..1c0b3df5
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/md2.c
@@ -0,0 +1,363 @@
+/*
+ *  RFC 1115/1319 compliant MD2 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The MD2 algorithm was designed by Ron Rivest in 1989.
+ *
+ *  http://www.ietf.org/rfc/rfc1115.txt
+ *  http://www.ietf.org/rfc/rfc1319.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+
+#include "mbedtls/md2.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD2_ALT)
+
+static const unsigned char PI_SUBST[256] =
+{
+    0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36,
+    0x54, 0xA1, 0xEC, 0xF0, 0x06, 0x13, 0x62, 0xA7, 0x05, 0xF3,
+    0xC0, 0xC7, 0x73, 0x8C, 0x98, 0x93, 0x2B, 0xD9, 0xBC, 0x4C,
+    0x82, 0xCA, 0x1E, 0x9B, 0x57, 0x3C, 0xFD, 0xD4, 0xE0, 0x16,
+    0x67, 0x42, 0x6F, 0x18, 0x8A, 0x17, 0xE5, 0x12, 0xBE, 0x4E,
+    0xC4, 0xD6, 0xDA, 0x9E, 0xDE, 0x49, 0xA0, 0xFB, 0xF5, 0x8E,
+    0xBB, 0x2F, 0xEE, 0x7A, 0xA9, 0x68, 0x79, 0x91, 0x15, 0xB2,
+    0x07, 0x3F, 0x94, 0xC2, 0x10, 0x89, 0x0B, 0x22, 0x5F, 0x21,
+    0x80, 0x7F, 0x5D, 0x9A, 0x5A, 0x90, 0x32, 0x27, 0x35, 0x3E,
+    0xCC, 0xE7, 0xBF, 0xF7, 0x97, 0x03, 0xFF, 0x19, 0x30, 0xB3,
+    0x48, 0xA5, 0xB5, 0xD1, 0xD7, 0x5E, 0x92, 0x2A, 0xAC, 0x56,
+    0xAA, 0xC6, 0x4F, 0xB8, 0x38, 0xD2, 0x96, 0xA4, 0x7D, 0xB6,
+    0x76, 0xFC, 0x6B, 0xE2, 0x9C, 0x74, 0x04, 0xF1, 0x45, 0x9D,
+    0x70, 0x59, 0x64, 0x71, 0x87, 0x20, 0x86, 0x5B, 0xCF, 0x65,
+    0xE6, 0x2D, 0xA8, 0x02, 0x1B, 0x60, 0x25, 0xAD, 0xAE, 0xB0,
+    0xB9, 0xF6, 0x1C, 0x46, 0x61, 0x69, 0x34, 0x40, 0x7E, 0x0F,
+    0x55, 0x47, 0xA3, 0x23, 0xDD, 0x51, 0xAF, 0x3A, 0xC3, 0x5C,
+    0xF9, 0xCE, 0xBA, 0xC5, 0xEA, 0x26, 0x2C, 0x53, 0x0D, 0x6E,
+    0x85, 0x28, 0x84, 0x09, 0xD3, 0xDF, 0xCD, 0xF4, 0x41, 0x81,
+    0x4D, 0x52, 0x6A, 0xDC, 0x37, 0xC8, 0x6C, 0xC1, 0xAB, 0xFA,
+    0x24, 0xE1, 0x7B, 0x08, 0x0C, 0xBD, 0xB1, 0x4A, 0x78, 0x88,
+    0x95, 0x8B, 0xE3, 0x63, 0xE8, 0x6D, 0xE9, 0xCB, 0xD5, 0xFE,
+    0x3B, 0x00, 0x1D, 0x39, 0xF2, 0xEF, 0xB7, 0x0E, 0x66, 0x58,
+    0xD0, 0xE4, 0xA6, 0x77, 0x72, 0xF8, 0xEB, 0x75, 0x4B, 0x0A,
+    0x31, 0x44, 0x50, 0xB4, 0x8F, 0xED, 0x1F, 0x1A, 0xDB, 0x99,
+    0x8D, 0x33, 0x9F, 0x11, 0x83, 0x14
+};
+
+void mbedtls_md2_init( mbedtls_md2_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md2_context ) );
+}
+
+void mbedtls_md2_free( mbedtls_md2_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md2_context ) );
+}
+
+void mbedtls_md2_clone( mbedtls_md2_context *dst,
+                        const mbedtls_md2_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD2 context setup
+ */
+int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx )
+{
+    memset( ctx->cksum, 0, 16 );
+    memset( ctx->state, 0, 46 );
+    memset( ctx->buffer, 0, 16 );
+    ctx->left = 0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_starts( mbedtls_md2_context *ctx )
+{
+    mbedtls_md2_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD2_PROCESS_ALT)
+int mbedtls_internal_md2_process( mbedtls_md2_context *ctx )
+{
+    int i, j;
+    unsigned char t = 0;
+
+    for( i = 0; i < 16; i++ )
+    {
+        ctx->state[i + 16] = ctx->buffer[i];
+        ctx->state[i + 32] =
+            (unsigned char)( ctx->buffer[i] ^ ctx->state[i]);
+    }
+
+    for( i = 0; i < 18; i++ )
+    {
+        for( j = 0; j < 48; j++ )
+        {
+            ctx->state[j] = (unsigned char)
+               ( ctx->state[j] ^ PI_SUBST[t] );
+            t  = ctx->state[j];
+        }
+
+        t = (unsigned char)( t + i );
+    }
+
+    t = ctx->cksum[15];
+
+    for( i = 0; i < 16; i++ )
+    {
+        ctx->cksum[i] = (unsigned char)
+           ( ctx->cksum[i] ^ PI_SUBST[ctx->buffer[i] ^ t] );
+        t  = ctx->cksum[i];
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_process( mbedtls_md2_context *ctx )
+{
+    mbedtls_internal_md2_process( ctx );
+}
+#endif
+#endif /* !MBEDTLS_MD2_PROCESS_ALT */
+
+/*
+ * MD2 process buffer
+ */
+int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+
+    while( ilen > 0 )
+    {
+        if( ilen > 16 - ctx->left )
+            fill = 16 - ctx->left;
+        else
+            fill = ilen;
+
+        memcpy( ctx->buffer + ctx->left, input, fill );
+
+        ctx->left += fill;
+        input += fill;
+        ilen  -= fill;
+
+        if( ctx->left == 16 )
+        {
+            ctx->left = 0;
+            if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+                return( ret );
+        }
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_update( mbedtls_md2_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md2_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * MD2 final digest
+ */
+int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    size_t i;
+    unsigned char x;
+
+    x = (unsigned char)( 16 - ctx->left );
+
+    for( i = ctx->left; i < 16; i++ )
+        ctx->buffer[i] = x;
+
+    if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+        return( ret );
+
+    memcpy( ctx->buffer, ctx->cksum, 16 );
+    if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 )
+        return( ret );
+
+    memcpy( output, ctx->state, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2_finish( mbedtls_md2_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md2_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD2_ALT */
+
+/*
+ * output = MD2( input buffer )
+ */
+int mbedtls_md2_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md2_context ctx;
+
+    mbedtls_md2_init( &ctx );
+
+    if( ( ret = mbedtls_md2_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md2_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md2_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md2_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md2( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md2_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1319 test vectors
+ */
+static const unsigned char md2_test_str[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md2_test_strlen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md2_test_sum[7][16] =
+{
+    { 0x83, 0x50, 0xE5, 0xA3, 0xE2, 0x4C, 0x15, 0x3D,
+      0xF2, 0x27, 0x5C, 0x9F, 0x80, 0x69, 0x27, 0x73 },
+    { 0x32, 0xEC, 0x01, 0xEC, 0x4A, 0x6D, 0xAC, 0x72,
+      0xC0, 0xAB, 0x96, 0xFB, 0x34, 0xC0, 0xB5, 0xD1 },
+    { 0xDA, 0x85, 0x3B, 0x0D, 0x3F, 0x88, 0xD9, 0x9B,
+      0x30, 0x28, 0x3A, 0x69, 0xE6, 0xDE, 0xD6, 0xBB },
+    { 0xAB, 0x4F, 0x49, 0x6B, 0xFB, 0x2A, 0x53, 0x0B,
+      0x21, 0x9F, 0xF3, 0x30, 0x31, 0xFE, 0x06, 0xB0 },
+    { 0x4E, 0x8D, 0xDF, 0xF3, 0x65, 0x02, 0x92, 0xAB,
+      0x5A, 0x41, 0x08, 0xC3, 0xAA, 0x47, 0x94, 0x0B },
+    { 0xDA, 0x33, 0xDE, 0xF2, 0xA4, 0x2D, 0xF1, 0x39,
+      0x75, 0x35, 0x28, 0x46, 0xC3, 0x03, 0x38, 0xCD },
+    { 0xD5, 0x97, 0x6F, 0x79, 0xD8, 0x3D, 0x3A, 0x0D,
+      0xC9, 0x80, 0x6C, 0x3C, 0x66, 0xF3, 0xEF, 0xD8 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md2_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md2sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD2 test #%d: ", i + 1 );
+
+        ret = mbedtls_md2_ret( md2_test_str[i], md2_test_strlen[i], md2sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md2sum, md2_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD2_C */
diff --git a/makerom/deps/libmbedtls/src/md4.c b/makerom/deps/libmbedtls/src/md4.c
new file mode 100644
index 00000000..828fd429
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/md4.c
@@ -0,0 +1,484 @@
+/*
+ *  RFC 1186/1320 compliant MD4 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The MD4 algorithm was designed by Ron Rivest in 1990.
+ *
+ *  http://www.ietf.org/rfc/rfc1186.txt
+ *  http://www.ietf.org/rfc/rfc1320.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+
+#include "mbedtls/md4.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD4_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_md4_init( mbedtls_md4_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md4_context ) );
+}
+
+void mbedtls_md4_free( mbedtls_md4_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md4_context ) );
+}
+
+void mbedtls_md4_clone( mbedtls_md4_context *dst,
+                        const mbedtls_md4_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD4 context setup
+ */
+int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_starts( mbedtls_md4_context *ctx )
+{
+    mbedtls_md4_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD4_PROCESS_ALT)
+int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
+                                  const unsigned char data[64] )
+{
+    uint32_t X[16], A, B, C, D;
+
+    GET_UINT32_LE( X[ 0], data,  0 );
+    GET_UINT32_LE( X[ 1], data,  4 );
+    GET_UINT32_LE( X[ 2], data,  8 );
+    GET_UINT32_LE( X[ 3], data, 12 );
+    GET_UINT32_LE( X[ 4], data, 16 );
+    GET_UINT32_LE( X[ 5], data, 20 );
+    GET_UINT32_LE( X[ 6], data, 24 );
+    GET_UINT32_LE( X[ 7], data, 28 );
+    GET_UINT32_LE( X[ 8], data, 32 );
+    GET_UINT32_LE( X[ 9], data, 36 );
+    GET_UINT32_LE( X[10], data, 40 );
+    GET_UINT32_LE( X[11], data, 44 );
+    GET_UINT32_LE( X[12], data, 48 );
+    GET_UINT32_LE( X[13], data, 52 );
+    GET_UINT32_LE( X[14], data, 56 );
+    GET_UINT32_LE( X[15], data, 60 );
+
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+
+#define F(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
+#define P(a,b,c,d,x,s)                           \
+    do                                           \
+    {                                            \
+        (a) += F((b),(c),(d)) + (x);             \
+        (a) = S((a),(s));                        \
+    } while( 0 )
+
+
+    P( A, B, C, D, X[ 0],  3 );
+    P( D, A, B, C, X[ 1],  7 );
+    P( C, D, A, B, X[ 2], 11 );
+    P( B, C, D, A, X[ 3], 19 );
+    P( A, B, C, D, X[ 4],  3 );
+    P( D, A, B, C, X[ 5],  7 );
+    P( C, D, A, B, X[ 6], 11 );
+    P( B, C, D, A, X[ 7], 19 );
+    P( A, B, C, D, X[ 8],  3 );
+    P( D, A, B, C, X[ 9],  7 );
+    P( C, D, A, B, X[10], 11 );
+    P( B, C, D, A, X[11], 19 );
+    P( A, B, C, D, X[12],  3 );
+    P( D, A, B, C, X[13],  7 );
+    P( C, D, A, B, X[14], 11 );
+    P( B, C, D, A, X[15], 19 );
+
+#undef P
+#undef F
+
+#define F(x,y,z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
+#define P(a,b,c,d,x,s)                          \
+    do                                          \
+    {                                           \
+        (a) += F((b),(c),(d)) + (x) + 0x5A827999;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
+
+    P( A, B, C, D, X[ 0],  3 );
+    P( D, A, B, C, X[ 4],  5 );
+    P( C, D, A, B, X[ 8],  9 );
+    P( B, C, D, A, X[12], 13 );
+    P( A, B, C, D, X[ 1],  3 );
+    P( D, A, B, C, X[ 5],  5 );
+    P( C, D, A, B, X[ 9],  9 );
+    P( B, C, D, A, X[13], 13 );
+    P( A, B, C, D, X[ 2],  3 );
+    P( D, A, B, C, X[ 6],  5 );
+    P( C, D, A, B, X[10],  9 );
+    P( B, C, D, A, X[14], 13 );
+    P( A, B, C, D, X[ 3],  3 );
+    P( D, A, B, C, X[ 7],  5 );
+    P( C, D, A, B, X[11],  9 );
+    P( B, C, D, A, X[15], 13 );
+
+#undef P
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define P(a,b,c,d,x,s)                                  \
+    do                                                  \
+    {                                                   \
+        (a) += F((b),(c),(d)) + (x) + 0x6ED9EBA1;       \
+        (a) = S((a),(s));                               \
+    } while( 0 )
+
+    P( A, B, C, D, X[ 0],  3 );
+    P( D, A, B, C, X[ 8],  9 );
+    P( C, D, A, B, X[ 4], 11 );
+    P( B, C, D, A, X[12], 15 );
+    P( A, B, C, D, X[ 2],  3 );
+    P( D, A, B, C, X[10],  9 );
+    P( C, D, A, B, X[ 6], 11 );
+    P( B, C, D, A, X[14], 15 );
+    P( A, B, C, D, X[ 1],  3 );
+    P( D, A, B, C, X[ 9],  9 );
+    P( C, D, A, B, X[ 5], 11 );
+    P( B, C, D, A, X[13], 15 );
+    P( A, B, C, D, X[ 3],  3 );
+    P( D, A, B, C, X[11],  9 );
+    P( C, D, A, B, X[ 7], 11 );
+    P( B, C, D, A, X[15], 15 );
+
+#undef F
+#undef P
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_process( mbedtls_md4_context *ctx,
+                          const unsigned char data[64] )
+{
+    mbedtls_internal_md4_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_MD4_PROCESS_ALT */
+
+/*
+ * MD4 process buffer
+ */
+int mbedtls_md4_update_ret( mbedtls_md4_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left),
+                (void *) input, fill );
+
+        if( ( ret = mbedtls_internal_md4_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_md4_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left),
+                (void *) input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_update( mbedtls_md4_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md4_update_ret( ctx, input, ilen );
+}
+#endif
+
+static const unsigned char md4_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * MD4 final digest
+ */
+int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  msglen, 0 );
+    PUT_UINT32_LE( high, msglen, 4 );
+
+    last = ctx->total[0] & 0x3F;
+    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+    ret = mbedtls_md4_update_ret( ctx, (unsigned char *)md4_padding, padn );
+    if( ret != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_md4_update_ret( ctx, msglen, 8 ) ) != 0 )
+        return( ret );
+
+
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4_finish( mbedtls_md4_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md4_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD4_ALT */
+
+/*
+ * output = MD4( input buffer )
+ */
+int mbedtls_md4_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md4_context ctx;
+
+    mbedtls_md4_init( &ctx );
+
+    if( ( ret = mbedtls_md4_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md4_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md4_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md4_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md4( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md4_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * RFC 1320 test vectors
+ */
+static const unsigned char md4_test_str[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md4_test_strlen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md4_test_sum[7][16] =
+{
+    { 0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31,
+      0xB7, 0x3C, 0x59, 0xD7, 0xE0, 0xC0, 0x89, 0xC0 },
+    { 0xBD, 0xE5, 0x2C, 0xB3, 0x1D, 0xE3, 0x3E, 0x46,
+      0x24, 0x5E, 0x05, 0xFB, 0xDB, 0xD6, 0xFB, 0x24 },
+    { 0xA4, 0x48, 0x01, 0x7A, 0xAF, 0x21, 0xD8, 0x52,
+      0x5F, 0xC1, 0x0A, 0xE8, 0x7A, 0xA6, 0x72, 0x9D },
+    { 0xD9, 0x13, 0x0A, 0x81, 0x64, 0x54, 0x9F, 0xE8,
+      0x18, 0x87, 0x48, 0x06, 0xE1, 0xC7, 0x01, 0x4B },
+    { 0xD7, 0x9E, 0x1C, 0x30, 0x8A, 0xA5, 0xBB, 0xCD,
+      0xEE, 0xA8, 0xED, 0x63, 0xDF, 0x41, 0x2D, 0xA9 },
+    { 0x04, 0x3F, 0x85, 0x82, 0xF2, 0x41, 0xDB, 0x35,
+      0x1C, 0xE6, 0x27, 0xE1, 0x53, 0xE7, 0xF0, 0xE4 },
+    { 0xE3, 0x3B, 0x4D, 0xDC, 0x9C, 0x38, 0xF2, 0x19,
+      0x9C, 0x3E, 0x7B, 0x16, 0x4F, 0xCC, 0x05, 0x36 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md4_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md4sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD4 test #%d: ", i + 1 );
+
+        ret = mbedtls_md4_ret( md4_test_str[i], md4_test_strlen[i], md4sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md4sum, md4_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD4_C */
diff --git a/makerom/deps/libmbedtls/src/md5.c b/makerom/deps/libmbedtls/src/md5.c
new file mode 100644
index 00000000..a93da8a0
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/md5.c
@@ -0,0 +1,498 @@
+/*
+ *  RFC 1321 compliant MD5 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The MD5 algorithm was designed by Ron Rivest in 1991.
+ *
+ *  http://www.ietf.org/rfc/rfc1321.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+
+#include "mbedtls/md5.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_MD5_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_md5_init( mbedtls_md5_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_md5_context ) );
+}
+
+void mbedtls_md5_free( mbedtls_md5_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md5_context ) );
+}
+
+void mbedtls_md5_clone( mbedtls_md5_context *dst,
+                        const mbedtls_md5_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * MD5 context setup
+ */
+int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_starts( mbedtls_md5_context *ctx )
+{
+    mbedtls_md5_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_MD5_PROCESS_ALT)
+int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
+                                  const unsigned char data[64] )
+{
+    uint32_t X[16], A, B, C, D;
+
+    GET_UINT32_LE( X[ 0], data,  0 );
+    GET_UINT32_LE( X[ 1], data,  4 );
+    GET_UINT32_LE( X[ 2], data,  8 );
+    GET_UINT32_LE( X[ 3], data, 12 );
+    GET_UINT32_LE( X[ 4], data, 16 );
+    GET_UINT32_LE( X[ 5], data, 20 );
+    GET_UINT32_LE( X[ 6], data, 24 );
+    GET_UINT32_LE( X[ 7], data, 28 );
+    GET_UINT32_LE( X[ 8], data, 32 );
+    GET_UINT32_LE( X[ 9], data, 36 );
+    GET_UINT32_LE( X[10], data, 40 );
+    GET_UINT32_LE( X[11], data, 44 );
+    GET_UINT32_LE( X[12], data, 48 );
+    GET_UINT32_LE( X[13], data, 52 );
+    GET_UINT32_LE( X[14], data, 56 );
+    GET_UINT32_LE( X[15], data, 60 );
+
+#define S(x,n)                                                          \
+    ( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) )
+
+#define P(a,b,c,d,k,s,t)                                        \
+    do                                                          \
+    {                                                           \
+        (a) += F((b),(c),(d)) + X[(k)] + (t);                   \
+        (a) = S((a),(s)) + (b);                                 \
+    } while( 0 )
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+
+    P( A, B, C, D,  0,  7, 0xD76AA478 );
+    P( D, A, B, C,  1, 12, 0xE8C7B756 );
+    P( C, D, A, B,  2, 17, 0x242070DB );
+    P( B, C, D, A,  3, 22, 0xC1BDCEEE );
+    P( A, B, C, D,  4,  7, 0xF57C0FAF );
+    P( D, A, B, C,  5, 12, 0x4787C62A );
+    P( C, D, A, B,  6, 17, 0xA8304613 );
+    P( B, C, D, A,  7, 22, 0xFD469501 );
+    P( A, B, C, D,  8,  7, 0x698098D8 );
+    P( D, A, B, C,  9, 12, 0x8B44F7AF );
+    P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
+    P( B, C, D, A, 11, 22, 0x895CD7BE );
+    P( A, B, C, D, 12,  7, 0x6B901122 );
+    P( D, A, B, C, 13, 12, 0xFD987193 );
+    P( C, D, A, B, 14, 17, 0xA679438E );
+    P( B, C, D, A, 15, 22, 0x49B40821 );
+
+#undef F
+
+#define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y))))
+
+    P( A, B, C, D,  1,  5, 0xF61E2562 );
+    P( D, A, B, C,  6,  9, 0xC040B340 );
+    P( C, D, A, B, 11, 14, 0x265E5A51 );
+    P( B, C, D, A,  0, 20, 0xE9B6C7AA );
+    P( A, B, C, D,  5,  5, 0xD62F105D );
+    P( D, A, B, C, 10,  9, 0x02441453 );
+    P( C, D, A, B, 15, 14, 0xD8A1E681 );
+    P( B, C, D, A,  4, 20, 0xE7D3FBC8 );
+    P( A, B, C, D,  9,  5, 0x21E1CDE6 );
+    P( D, A, B, C, 14,  9, 0xC33707D6 );
+    P( C, D, A, B,  3, 14, 0xF4D50D87 );
+    P( B, C, D, A,  8, 20, 0x455A14ED );
+    P( A, B, C, D, 13,  5, 0xA9E3E905 );
+    P( D, A, B, C,  2,  9, 0xFCEFA3F8 );
+    P( C, D, A, B,  7, 14, 0x676F02D9 );
+    P( B, C, D, A, 12, 20, 0x8D2A4C8A );
+
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+
+    P( A, B, C, D,  5,  4, 0xFFFA3942 );
+    P( D, A, B, C,  8, 11, 0x8771F681 );
+    P( C, D, A, B, 11, 16, 0x6D9D6122 );
+    P( B, C, D, A, 14, 23, 0xFDE5380C );
+    P( A, B, C, D,  1,  4, 0xA4BEEA44 );
+    P( D, A, B, C,  4, 11, 0x4BDECFA9 );
+    P( C, D, A, B,  7, 16, 0xF6BB4B60 );
+    P( B, C, D, A, 10, 23, 0xBEBFBC70 );
+    P( A, B, C, D, 13,  4, 0x289B7EC6 );
+    P( D, A, B, C,  0, 11, 0xEAA127FA );
+    P( C, D, A, B,  3, 16, 0xD4EF3085 );
+    P( B, C, D, A,  6, 23, 0x04881D05 );
+    P( A, B, C, D,  9,  4, 0xD9D4D039 );
+    P( D, A, B, C, 12, 11, 0xE6DB99E5 );
+    P( C, D, A, B, 15, 16, 0x1FA27CF8 );
+    P( B, C, D, A,  2, 23, 0xC4AC5665 );
+
+#undef F
+
+#define F(x,y,z) ((y) ^ ((x) | ~(z)))
+
+    P( A, B, C, D,  0,  6, 0xF4292244 );
+    P( D, A, B, C,  7, 10, 0x432AFF97 );
+    P( C, D, A, B, 14, 15, 0xAB9423A7 );
+    P( B, C, D, A,  5, 21, 0xFC93A039 );
+    P( A, B, C, D, 12,  6, 0x655B59C3 );
+    P( D, A, B, C,  3, 10, 0x8F0CCC92 );
+    P( C, D, A, B, 10, 15, 0xFFEFF47D );
+    P( B, C, D, A,  1, 21, 0x85845DD1 );
+    P( A, B, C, D,  8,  6, 0x6FA87E4F );
+    P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
+    P( C, D, A, B,  6, 15, 0xA3014314 );
+    P( B, C, D, A, 13, 21, 0x4E0811A1 );
+    P( A, B, C, D,  4,  6, 0xF7537E82 );
+    P( D, A, B, C, 11, 10, 0xBD3AF235 );
+    P( C, D, A, B,  2, 15, 0x2AD7D2BB );
+    P( B, C, D, A,  9, 21, 0xEB86D391 );
+
+#undef F
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_process( mbedtls_md5_context *ctx,
+                          const unsigned char data[64] )
+{
+    mbedtls_internal_md5_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_MD5_PROCESS_ALT */
+
+/*
+ * MD5 process buffer
+ */
+int mbedtls_md5_update_ret( mbedtls_md5_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+        if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_md5_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_update( mbedtls_md5_context *ctx,
+                         const unsigned char *input,
+                         size_t ilen )
+{
+    mbedtls_md5_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * MD5 final digest
+ */
+int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx,
+                            unsigned char output[16] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  ctx->buffer, 56 );
+    PUT_UINT32_LE( high, ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5_finish( mbedtls_md5_context *ctx,
+                         unsigned char output[16] )
+{
+    mbedtls_md5_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_MD5_ALT */
+
+/*
+ * output = MD5( input buffer )
+ */
+int mbedtls_md5_ret( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[16] )
+{
+    int ret;
+    mbedtls_md5_context ctx;
+
+    mbedtls_md5_init( &ctx );
+
+    if( ( ret = mbedtls_md5_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md5_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_md5_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md5_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_md5( const unsigned char *input,
+                  size_t ilen,
+                  unsigned char output[16] )
+{
+    mbedtls_md5_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * RFC 1321 test vectors
+ */
+static const unsigned char md5_test_buf[7][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" }
+};
+
+static const size_t md5_test_buflen[7] =
+{
+    0, 1, 3, 14, 26, 62, 80
+};
+
+static const unsigned char md5_test_sum[7][16] =
+{
+    { 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
+      0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
+    { 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
+      0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
+    { 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
+      0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
+    { 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
+      0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
+    { 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
+      0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
+    { 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
+      0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
+    { 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
+      0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_md5_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char md5sum[16];
+
+    for( i = 0; i < 7; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  MD5 test #%d: ", i + 1 );
+
+        ret = mbedtls_md5_ret( md5_test_buf[i], md5_test_buflen[i], md5sum );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MD5_C */
diff --git a/makerom/deps/libmbedtls/src/md_wrap.c b/makerom/deps/libmbedtls/src/md_wrap.c
new file mode 100644
index 00000000..32f08719
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/md_wrap.c
@@ -0,0 +1,586 @@
+/**
+ * \file md_wrap.c
+ *
+ * \brief Generic message digest wrapper for mbed TLS
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MD_C)
+
+#include "mbedtls/md_internal.h"
+
+#if defined(MBEDTLS_MD2_C)
+#include "mbedtls/md2.h"
+#endif
+
+#if defined(MBEDTLS_MD4_C)
+#include "mbedtls/md4.h"
+#endif
+
+#if defined(MBEDTLS_MD5_C)
+#include "mbedtls/md5.h"
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+#include "mbedtls/ripemd160.h"
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+#include "mbedtls/sha1.h"
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+#include "mbedtls/sha256.h"
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+#include "mbedtls/sha512.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_MD2_C)
+
+static int md2_starts_wrap( void *ctx )
+{
+    return( mbedtls_md2_starts_ret( (mbedtls_md2_context *) ctx ) );
+}
+
+static int md2_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md2_update_ret( (mbedtls_md2_context *) ctx, input, ilen ) );
+}
+
+static int md2_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md2_finish_ret( (mbedtls_md2_context *) ctx, output ) );
+}
+
+static void *md2_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md2_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md2_init( (mbedtls_md2_context *) ctx );
+
+    return( ctx );
+}
+
+static void md2_ctx_free( void *ctx )
+{
+    mbedtls_md2_free( (mbedtls_md2_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md2_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md2_clone( (mbedtls_md2_context *) dst,
+                 (const mbedtls_md2_context *) src );
+}
+
+static int md2_process_wrap( void *ctx, const unsigned char *data )
+{
+    ((void) data);
+
+    return( mbedtls_internal_md2_process( (mbedtls_md2_context *) ctx ) );
+}
+
+const mbedtls_md_info_t mbedtls_md2_info = {
+    MBEDTLS_MD_MD2,
+    "MD2",
+    16,
+    16,
+    md2_starts_wrap,
+    md2_update_wrap,
+    md2_finish_wrap,
+    mbedtls_md2_ret,
+    md2_ctx_alloc,
+    md2_ctx_free,
+    md2_clone_wrap,
+    md2_process_wrap,
+};
+
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+
+static int md4_starts_wrap( void *ctx )
+{
+    return( mbedtls_md4_starts_ret( (mbedtls_md4_context *) ctx ) );
+}
+
+static int md4_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md4_update_ret( (mbedtls_md4_context *) ctx, input, ilen ) );
+}
+
+static int md4_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md4_finish_ret( (mbedtls_md4_context *) ctx, output ) );
+}
+
+static void *md4_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md4_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md4_init( (mbedtls_md4_context *) ctx );
+
+    return( ctx );
+}
+
+static void md4_ctx_free( void *ctx )
+{
+    mbedtls_md4_free( (mbedtls_md4_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md4_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md4_clone( (mbedtls_md4_context *) dst,
+                       (const mbedtls_md4_context *) src );
+}
+
+static int md4_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_md4_process( (mbedtls_md4_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_md4_info = {
+    MBEDTLS_MD_MD4,
+    "MD4",
+    16,
+    64,
+    md4_starts_wrap,
+    md4_update_wrap,
+    md4_finish_wrap,
+    mbedtls_md4_ret,
+    md4_ctx_alloc,
+    md4_ctx_free,
+    md4_clone_wrap,
+    md4_process_wrap,
+};
+
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+
+static int md5_starts_wrap( void *ctx )
+{
+    return( mbedtls_md5_starts_ret( (mbedtls_md5_context *) ctx ) );
+}
+
+static int md5_update_wrap( void *ctx, const unsigned char *input,
+                             size_t ilen )
+{
+    return( mbedtls_md5_update_ret( (mbedtls_md5_context *) ctx, input, ilen ) );
+}
+
+static int md5_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_md5_finish_ret( (mbedtls_md5_context *) ctx, output ) );
+}
+
+static void *md5_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_md5_context ) );
+
+    if( ctx != NULL )
+        mbedtls_md5_init( (mbedtls_md5_context *) ctx );
+
+    return( ctx );
+}
+
+static void md5_ctx_free( void *ctx )
+{
+    mbedtls_md5_free( (mbedtls_md5_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void md5_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_md5_clone( (mbedtls_md5_context *) dst,
+                       (const mbedtls_md5_context *) src );
+}
+
+static int md5_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_md5_process( (mbedtls_md5_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_md5_info = {
+    MBEDTLS_MD_MD5,
+    "MD5",
+    16,
+    64,
+    md5_starts_wrap,
+    md5_update_wrap,
+    md5_finish_wrap,
+    mbedtls_md5_ret,
+    md5_ctx_alloc,
+    md5_ctx_free,
+    md5_clone_wrap,
+    md5_process_wrap,
+};
+
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+static int ripemd160_starts_wrap( void *ctx )
+{
+    return( mbedtls_ripemd160_starts_ret( (mbedtls_ripemd160_context *) ctx ) );
+}
+
+static int ripemd160_update_wrap( void *ctx, const unsigned char *input,
+                                   size_t ilen )
+{
+    return( mbedtls_ripemd160_update_ret( (mbedtls_ripemd160_context *) ctx,
+                                          input, ilen ) );
+}
+
+static int ripemd160_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_ripemd160_finish_ret( (mbedtls_ripemd160_context *) ctx,
+                                          output ) );
+}
+
+static void *ripemd160_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ripemd160_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ripemd160_init( (mbedtls_ripemd160_context *) ctx );
+
+    return( ctx );
+}
+
+static void ripemd160_ctx_free( void *ctx )
+{
+    mbedtls_ripemd160_free( (mbedtls_ripemd160_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void ripemd160_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_ripemd160_clone( (mbedtls_ripemd160_context *) dst,
+                       (const mbedtls_ripemd160_context *) src );
+}
+
+static int ripemd160_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_ripemd160_process(
+                                (mbedtls_ripemd160_context *) ctx, data ) );
+}
+
+const mbedtls_md_info_t mbedtls_ripemd160_info = {
+    MBEDTLS_MD_RIPEMD160,
+    "RIPEMD160",
+    20,
+    64,
+    ripemd160_starts_wrap,
+    ripemd160_update_wrap,
+    ripemd160_finish_wrap,
+    mbedtls_ripemd160_ret,
+    ripemd160_ctx_alloc,
+    ripemd160_ctx_free,
+    ripemd160_clone_wrap,
+    ripemd160_process_wrap,
+};
+
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+
+static int sha1_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha1_starts_ret( (mbedtls_sha1_context *) ctx ) );
+}
+
+static int sha1_update_wrap( void *ctx, const unsigned char *input,
+                              size_t ilen )
+{
+    return( mbedtls_sha1_update_ret( (mbedtls_sha1_context *) ctx,
+                                     input, ilen ) );
+}
+
+static int sha1_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha1_finish_ret( (mbedtls_sha1_context *) ctx, output ) );
+}
+
+static void *sha1_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha1_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha1_init( (mbedtls_sha1_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha1_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha1_clone( (mbedtls_sha1_context *) dst,
+                  (const mbedtls_sha1_context *) src );
+}
+
+static void sha1_ctx_free( void *ctx )
+{
+    mbedtls_sha1_free( (mbedtls_sha1_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static int sha1_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha1_process( (mbedtls_sha1_context *) ctx,
+                                           data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha1_info = {
+    MBEDTLS_MD_SHA1,
+    "SHA1",
+    20,
+    64,
+    sha1_starts_wrap,
+    sha1_update_wrap,
+    sha1_finish_wrap,
+    mbedtls_sha1_ret,
+    sha1_ctx_alloc,
+    sha1_ctx_free,
+    sha1_clone_wrap,
+    sha1_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA1_C */
+
+/*
+ * Wrappers for generic message digests
+ */
+#if defined(MBEDTLS_SHA256_C)
+
+static int sha224_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 1 ) );
+}
+
+static int sha224_update_wrap( void *ctx, const unsigned char *input,
+                                size_t ilen )
+{
+    return( mbedtls_sha256_update_ret( (mbedtls_sha256_context *) ctx,
+                                       input, ilen ) );
+}
+
+static int sha224_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha256_finish_ret( (mbedtls_sha256_context *) ctx,
+                                       output ) );
+}
+
+static int sha224_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha256_ret( input, ilen, output, 1 ) );
+}
+
+static void *sha224_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha256_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha256_init( (mbedtls_sha256_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha224_ctx_free( void *ctx )
+{
+    mbedtls_sha256_free( (mbedtls_sha256_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void sha224_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha256_clone( (mbedtls_sha256_context *) dst,
+                    (const mbedtls_sha256_context *) src );
+}
+
+static int sha224_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha256_process( (mbedtls_sha256_context *) ctx,
+                                             data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha224_info = {
+    MBEDTLS_MD_SHA224,
+    "SHA224",
+    28,
+    64,
+    sha224_starts_wrap,
+    sha224_update_wrap,
+    sha224_finish_wrap,
+    sha224_wrap,
+    sha224_ctx_alloc,
+    sha224_ctx_free,
+    sha224_clone_wrap,
+    sha224_process_wrap,
+};
+
+static int sha256_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 0 ) );
+}
+
+static int sha256_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha256_ret( input, ilen, output, 0 ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha256_info = {
+    MBEDTLS_MD_SHA256,
+    "SHA256",
+    32,
+    64,
+    sha256_starts_wrap,
+    sha224_update_wrap,
+    sha224_finish_wrap,
+    sha256_wrap,
+    sha224_ctx_alloc,
+    sha224_ctx_free,
+    sha224_clone_wrap,
+    sha224_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+
+static int sha384_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 1 ) );
+}
+
+static int sha384_update_wrap( void *ctx, const unsigned char *input,
+                               size_t ilen )
+{
+    return( mbedtls_sha512_update_ret( (mbedtls_sha512_context *) ctx,
+                                       input, ilen ) );
+}
+
+static int sha384_finish_wrap( void *ctx, unsigned char *output )
+{
+    return( mbedtls_sha512_finish_ret( (mbedtls_sha512_context *) ctx,
+                                       output ) );
+}
+
+static int sha384_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha512_ret( input, ilen, output, 1 ) );
+}
+
+static void *sha384_ctx_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_sha512_context ) );
+
+    if( ctx != NULL )
+        mbedtls_sha512_init( (mbedtls_sha512_context *) ctx );
+
+    return( ctx );
+}
+
+static void sha384_ctx_free( void *ctx )
+{
+    mbedtls_sha512_free( (mbedtls_sha512_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void sha384_clone_wrap( void *dst, const void *src )
+{
+    mbedtls_sha512_clone( (mbedtls_sha512_context *) dst,
+                    (const mbedtls_sha512_context *) src );
+}
+
+static int sha384_process_wrap( void *ctx, const unsigned char *data )
+{
+    return( mbedtls_internal_sha512_process( (mbedtls_sha512_context *) ctx,
+                                             data ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha384_info = {
+    MBEDTLS_MD_SHA384,
+    "SHA384",
+    48,
+    128,
+    sha384_starts_wrap,
+    sha384_update_wrap,
+    sha384_finish_wrap,
+    sha384_wrap,
+    sha384_ctx_alloc,
+    sha384_ctx_free,
+    sha384_clone_wrap,
+    sha384_process_wrap,
+};
+
+static int sha512_starts_wrap( void *ctx )
+{
+    return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 0 ) );
+}
+
+static int sha512_wrap( const unsigned char *input, size_t ilen,
+                        unsigned char *output )
+{
+    return( mbedtls_sha512_ret( input, ilen, output, 0 ) );
+}
+
+const mbedtls_md_info_t mbedtls_sha512_info = {
+    MBEDTLS_MD_SHA512,
+    "SHA512",
+    64,
+    128,
+    sha512_starts_wrap,
+    sha384_update_wrap,
+    sha384_finish_wrap,
+    sha512_wrap,
+    sha384_ctx_alloc,
+    sha384_ctx_free,
+    sha384_clone_wrap,
+    sha384_process_wrap,
+};
+
+#endif /* MBEDTLS_SHA512_C */
+
+#endif /* MBEDTLS_MD_C */
diff --git a/makerom/deps/libmbedtls/src/memory_buffer_alloc.c b/makerom/deps/libmbedtls/src/memory_buffer_alloc.c
new file mode 100644
index 00000000..51ea7c41
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/memory_buffer_alloc.c
@@ -0,0 +1,750 @@
+/*
+ *  Buffer-based memory allocator
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+
+/* No need for the header guard as MBEDTLS_MEMORY_BUFFER_ALLOC_C
+   is dependent upon MBEDTLS_PLATFORM_C */
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+#include <execinfo.h>
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#define MAGIC1       0xFF00AA55
+#define MAGIC2       0xEE119966
+#define MAX_BT 20
+
+typedef struct _memory_header memory_header;
+struct _memory_header
+{
+    size_t          magic1;
+    size_t          size;
+    size_t          alloc;
+    memory_header   *prev;
+    memory_header   *next;
+    memory_header   *prev_free;
+    memory_header   *next_free;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    char            **trace;
+    size_t          trace_count;
+#endif
+    size_t          magic2;
+};
+
+typedef struct
+{
+    unsigned char   *buf;
+    size_t          len;
+    memory_header   *first;
+    memory_header   *first_free;
+    int             verify;
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    size_t          alloc_count;
+    size_t          free_count;
+    size_t          total_used;
+    size_t          maximum_used;
+    size_t          header_count;
+    size_t          maximum_header_count;
+#endif
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_threading_mutex_t   mutex;
+#endif
+}
+buffer_alloc_ctx;
+
+static buffer_alloc_ctx heap;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+static void debug_header( memory_header *hdr )
+{
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    size_t i;
+#endif
+
+    mbedtls_fprintf( stderr, "HDR:  PTR(%10zu), PREV(%10zu), NEXT(%10zu), "
+                              "ALLOC(%zu), SIZE(%10zu)\n",
+                      (size_t) hdr, (size_t) hdr->prev, (size_t) hdr->next,
+                      hdr->alloc, hdr->size );
+    mbedtls_fprintf( stderr, "      FPREV(%10zu), FNEXT(%10zu)\n",
+                      (size_t) hdr->prev_free, (size_t) hdr->next_free );
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    mbedtls_fprintf( stderr, "TRACE: \n" );
+    for( i = 0; i < hdr->trace_count; i++ )
+        mbedtls_fprintf( stderr, "%s\n", hdr->trace[i] );
+    mbedtls_fprintf( stderr, "\n" );
+#endif
+}
+
+static void debug_chain( void )
+{
+    memory_header *cur = heap.first;
+
+    mbedtls_fprintf( stderr, "\nBlock list\n" );
+    while( cur != NULL )
+    {
+        debug_header( cur );
+        cur = cur->next;
+    }
+
+    mbedtls_fprintf( stderr, "Free list\n" );
+    cur = heap.first_free;
+
+    while( cur != NULL )
+    {
+        debug_header( cur );
+        cur = cur->next_free;
+    }
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+static int verify_header( memory_header *hdr )
+{
+    if( hdr->magic1 != MAGIC1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: MAGIC1 mismatch\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->magic2 != MAGIC2 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: MAGIC2 mismatch\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->alloc > 1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: alloc has illegal value\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->prev != NULL && hdr->prev == hdr->next )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: prev == next\n" );
+#endif
+        return( 1 );
+    }
+
+    if( hdr->prev_free != NULL && hdr->prev_free == hdr->next_free )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: prev_free == next_free\n" );
+#endif
+        return( 1 );
+    }
+
+    return( 0 );
+}
+
+static int verify_chain( void )
+{
+    memory_header *prv = heap.first, *cur;
+
+    if( prv == NULL || verify_header( prv ) != 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: verification of first header "
+                                  "failed\n" );
+#endif
+        return( 1 );
+    }
+
+    if( heap.first->prev != NULL )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: verification failed: "
+                                  "first->prev != NULL\n" );
+#endif
+        return( 1 );
+    }
+
+    cur = heap.first->next;
+
+    while( cur != NULL )
+    {
+        if( verify_header( cur ) != 0 )
+        {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf( stderr, "FATAL: verification of header "
+                                      "failed\n" );
+#endif
+            return( 1 );
+        }
+
+        if( cur->prev != prv )
+        {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+            mbedtls_fprintf( stderr, "FATAL: verification failed: "
+                                      "cur->prev != prv\n" );
+#endif
+            return( 1 );
+        }
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    return( 0 );
+}
+
+static void *buffer_alloc_calloc( size_t n, size_t size )
+{
+    memory_header *new, *cur = heap.first_free;
+    unsigned char *p;
+    void *ret;
+    size_t original_len, len;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    void *trace_buffer[MAX_BT];
+    size_t trace_cnt;
+#endif
+
+    if( heap.buf == NULL || heap.first == NULL )
+        return( NULL );
+
+    original_len = len = n * size;
+
+    if( n == 0 || size == 0 || len / n != size )
+        return( NULL );
+    else if( len > (size_t)-MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+        return( NULL );
+
+    if( len % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        len -= len % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        len += MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    // Find block that fits
+    //
+    while( cur != NULL )
+    {
+        if( cur->size >= len )
+            break;
+
+        cur = cur->next_free;
+    }
+
+    if( cur == NULL )
+        return( NULL );
+
+    if( cur->alloc != 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: block in free_list but allocated "
+                                  "data\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.alloc_count++;
+#endif
+
+    // Found location, split block if > memory_header + 4 room left
+    //
+    if( cur->size - len < sizeof(memory_header) +
+                          MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        cur->alloc = 1;
+
+        // Remove from free_list
+        //
+        if( cur->prev_free != NULL )
+            cur->prev_free->next_free = cur->next_free;
+        else
+            heap.first_free = cur->next_free;
+
+        if( cur->next_free != NULL )
+            cur->next_free->prev_free = cur->prev_free;
+
+        cur->prev_free = NULL;
+        cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used += cur->size;
+        if( heap.total_used > heap.maximum_used )
+            heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+        trace_cnt = backtrace( trace_buffer, MAX_BT );
+        cur->trace = backtrace_symbols( trace_buffer, trace_cnt );
+        cur->trace_count = trace_cnt;
+#endif
+
+        if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC ) && verify_chain() != 0 )
+            mbedtls_exit( 1 );
+
+        ret = (unsigned char *) cur + sizeof( memory_header );
+        memset( ret, 0, original_len );
+
+        return( ret );
+    }
+
+    p = ( (unsigned char *) cur ) + sizeof(memory_header) + len;
+    new = (memory_header *) p;
+
+    new->size = cur->size - len - sizeof(memory_header);
+    new->alloc = 0;
+    new->prev = cur;
+    new->next = cur->next;
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    new->trace = NULL;
+    new->trace_count = 0;
+#endif
+    new->magic1 = MAGIC1;
+    new->magic2 = MAGIC2;
+
+    if( new->next != NULL )
+        new->next->prev = new;
+
+    // Replace cur with new in free_list
+    //
+    new->prev_free = cur->prev_free;
+    new->next_free = cur->next_free;
+    if( new->prev_free != NULL )
+        new->prev_free->next_free = new;
+    else
+        heap.first_free = new;
+
+    if( new->next_free != NULL )
+        new->next_free->prev_free = new;
+
+    cur->alloc = 1;
+    cur->size = len;
+    cur->next = new;
+    cur->prev_free = NULL;
+    cur->next_free = NULL;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.header_count++;
+    if( heap.header_count > heap.maximum_header_count )
+        heap.maximum_header_count = heap.header_count;
+    heap.total_used += cur->size;
+    if( heap.total_used > heap.maximum_used )
+        heap.maximum_used = heap.total_used;
+#endif
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    trace_cnt = backtrace( trace_buffer, MAX_BT );
+    cur->trace = backtrace_symbols( trace_buffer, trace_cnt );
+    cur->trace_count = trace_cnt;
+#endif
+
+    if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_ALLOC ) && verify_chain() != 0 )
+        mbedtls_exit( 1 );
+
+    ret = (unsigned char *) cur + sizeof( memory_header );
+    memset( ret, 0, original_len );
+
+    return( ret );
+}
+
+static void buffer_alloc_free( void *ptr )
+{
+    memory_header *hdr, *old = NULL;
+    unsigned char *p = (unsigned char *) ptr;
+
+    if( ptr == NULL || heap.buf == NULL || heap.first == NULL )
+        return;
+
+    if( p < heap.buf || p >= heap.buf + heap.len )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: mbedtls_free() outside of managed "
+                                  "space\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+    p -= sizeof(memory_header);
+    hdr = (memory_header *) p;
+
+    if( verify_header( hdr ) != 0 )
+        mbedtls_exit( 1 );
+
+    if( hdr->alloc != 1 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        mbedtls_fprintf( stderr, "FATAL: mbedtls_free() on unallocated "
+                                  "data\n" );
+#endif
+        mbedtls_exit( 1 );
+    }
+
+    hdr->alloc = 0;
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    heap.free_count++;
+    heap.total_used -= hdr->size;
+#endif
+
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    free( hdr->trace );
+    hdr->trace = NULL;
+    hdr->trace_count = 0;
+#endif
+
+    // Regroup with block before
+    //
+    if( hdr->prev != NULL && hdr->prev->alloc == 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->prev->size += sizeof(memory_header) + hdr->size;
+        hdr->prev->next = hdr->next;
+        old = hdr;
+        hdr = hdr->prev;
+
+        if( hdr->next != NULL )
+            hdr->next->prev = hdr;
+
+        memset( old, 0, sizeof(memory_header) );
+    }
+
+    // Regroup with block after
+    //
+    if( hdr->next != NULL && hdr->next->alloc == 0 )
+    {
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.header_count--;
+#endif
+        hdr->size += sizeof(memory_header) + hdr->next->size;
+        old = hdr->next;
+        hdr->next = hdr->next->next;
+
+        if( hdr->prev_free != NULL || hdr->next_free != NULL )
+        {
+            if( hdr->prev_free != NULL )
+                hdr->prev_free->next_free = hdr->next_free;
+            else
+                heap.first_free = hdr->next_free;
+
+            if( hdr->next_free != NULL )
+                hdr->next_free->prev_free = hdr->prev_free;
+        }
+
+        hdr->prev_free = old->prev_free;
+        hdr->next_free = old->next_free;
+
+        if( hdr->prev_free != NULL )
+            hdr->prev_free->next_free = hdr;
+        else
+            heap.first_free = hdr;
+
+        if( hdr->next_free != NULL )
+            hdr->next_free->prev_free = hdr;
+
+        if( hdr->next != NULL )
+            hdr->next->prev = hdr;
+
+        memset( old, 0, sizeof(memory_header) );
+    }
+
+    // Prepend to free_list if we have not merged
+    // (Does not have to stay in same order as prev / next list)
+    //
+    if( old == NULL )
+    {
+        hdr->next_free = heap.first_free;
+        if( heap.first_free != NULL )
+            heap.first_free->prev_free = hdr;
+        heap.first_free = hdr;
+    }
+
+    if( ( heap.verify & MBEDTLS_MEMORY_VERIFY_FREE ) && verify_chain() != 0 )
+        mbedtls_exit( 1 );
+}
+
+void mbedtls_memory_buffer_set_verify( int verify )
+{
+    heap.verify = verify;
+}
+
+int mbedtls_memory_buffer_alloc_verify( void )
+{
+    return verify_chain();
+}
+
+#if defined(MBEDTLS_MEMORY_DEBUG)
+void mbedtls_memory_buffer_alloc_status( void )
+{
+    mbedtls_fprintf( stderr,
+                      "Current use: %zu blocks / %zu bytes, max: %zu blocks / "
+                      "%zu bytes (total %zu bytes), alloc / free: %zu / %zu\n",
+                      heap.header_count, heap.total_used,
+                      heap.maximum_header_count, heap.maximum_used,
+                      heap.maximum_header_count * sizeof( memory_header )
+                      + heap.maximum_used,
+                      heap.alloc_count, heap.free_count );
+
+    if( heap.first->next == NULL )
+    {
+        mbedtls_fprintf( stderr, "All memory de-allocated in stack buffer\n" );
+    }
+    else
+    {
+        mbedtls_fprintf( stderr, "Memory currently allocated:\n" );
+        debug_chain();
+    }
+}
+
+void mbedtls_memory_buffer_alloc_max_get( size_t *max_used, size_t *max_blocks )
+{
+    *max_used   = heap.maximum_used;
+    *max_blocks = heap.maximum_header_count;
+}
+
+void mbedtls_memory_buffer_alloc_max_reset( void )
+{
+    heap.maximum_used = 0;
+    heap.maximum_header_count = 0;
+}
+
+void mbedtls_memory_buffer_alloc_cur_get( size_t *cur_used, size_t *cur_blocks )
+{
+    *cur_used   = heap.total_used;
+    *cur_blocks = heap.header_count;
+}
+#endif /* MBEDTLS_MEMORY_DEBUG */
+
+#if defined(MBEDTLS_THREADING_C)
+static void *buffer_alloc_calloc_mutexed( size_t n, size_t size )
+{
+    void *buf;
+    if( mbedtls_mutex_lock( &heap.mutex ) != 0 )
+        return( NULL );
+    buf = buffer_alloc_calloc( n, size );
+    if( mbedtls_mutex_unlock( &heap.mutex ) )
+        return( NULL );
+    return( buf );
+}
+
+static void buffer_alloc_free_mutexed( void *ptr )
+{
+    /* We have to good option here, but corrupting the heap seems
+     * worse than loosing memory. */
+    if( mbedtls_mutex_lock( &heap.mutex ) )
+        return;
+    buffer_alloc_free( ptr );
+    (void) mbedtls_mutex_unlock( &heap.mutex );
+}
+#endif /* MBEDTLS_THREADING_C */
+
+void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len )
+{
+    memset( &heap, 0, sizeof( buffer_alloc_ctx ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &heap.mutex );
+    mbedtls_platform_set_calloc_free( buffer_alloc_calloc_mutexed,
+                              buffer_alloc_free_mutexed );
+#else
+    mbedtls_platform_set_calloc_free( buffer_alloc_calloc, buffer_alloc_free );
+#endif
+
+    if( len < sizeof( memory_header ) + MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+        return;
+    else if( (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+    {
+        /* Adjust len first since buf is used in the computation */
+        len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
+             - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+        buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
+             - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+    }
+
+    memset( buf, 0, len );
+
+    heap.buf = buf;
+    heap.len = len;
+
+    heap.first = (memory_header *)buf;
+    heap.first->size = len - sizeof( memory_header );
+    heap.first->magic1 = MAGIC1;
+    heap.first->magic2 = MAGIC2;
+    heap.first_free = heap.first;
+}
+
+void mbedtls_memory_buffer_alloc_free( void )
+{
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &heap.mutex );
+#endif
+    mbedtls_platform_zeroize( &heap, sizeof(buffer_alloc_ctx) );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+static int check_pointer( void *p )
+{
+    if( p == NULL )
+        return( -1 );
+
+    if( (size_t) p % MBEDTLS_MEMORY_ALIGN_MULTIPLE != 0 )
+        return( -1 );
+
+    return( 0 );
+}
+
+static int check_all_free( void )
+{
+    if(
+#if defined(MBEDTLS_MEMORY_DEBUG)
+        heap.total_used != 0 ||
+#endif
+        heap.first != heap.first_free ||
+        (void *) heap.first != (void *) heap.buf )
+    {
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+#define TEST_ASSERT( condition )            \
+    if( ! (condition) )                     \
+    {                                       \
+        if( verbose != 0 )                  \
+            mbedtls_printf( "failed\n" );  \
+                                            \
+        ret = 1;                            \
+        goto cleanup;                       \
+    }
+
+int mbedtls_memory_buffer_alloc_self_test( int verbose )
+{
+    unsigned char buf[1024];
+    unsigned char *p, *q, *r, *end;
+    int ret = 0;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #1 (basic alloc-free cycle): " );
+
+    mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = mbedtls_calloc( 1, 1 );
+    q = mbedtls_calloc( 1, 128 );
+    r = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    mbedtls_free( r );
+    mbedtls_free( q );
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    /* Memorize end to compare with the next test */
+    end = heap.buf + heap.len;
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #2 (buf not aligned): " );
+
+    mbedtls_memory_buffer_alloc_init( buf + 1, sizeof( buf ) - 1 );
+
+    TEST_ASSERT( heap.buf + heap.len == end );
+
+    p = mbedtls_calloc( 1, 1 );
+    q = mbedtls_calloc( 1, 128 );
+    r = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 &&
+                 check_pointer( q ) == 0 &&
+                 check_pointer( r ) == 0 );
+
+    mbedtls_free( r );
+    mbedtls_free( q );
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  MBA test #3 (full): " );
+
+    mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+
+    p = mbedtls_calloc( 1, sizeof( buf ) - sizeof( memory_header ) );
+
+    TEST_ASSERT( check_pointer( p ) == 0 );
+    TEST_ASSERT( mbedtls_calloc( 1, 1 ) == NULL );
+
+    mbedtls_free( p );
+
+    p = mbedtls_calloc( 1, sizeof( buf ) - 2 * sizeof( memory_header ) - 16 );
+    q = mbedtls_calloc( 1, 16 );
+
+    TEST_ASSERT( check_pointer( p ) == 0 && check_pointer( q ) == 0 );
+    TEST_ASSERT( mbedtls_calloc( 1, 1 ) == NULL );
+
+    mbedtls_free( q );
+
+    TEST_ASSERT( mbedtls_calloc( 1, 17 ) == NULL );
+
+    mbedtls_free( p );
+
+    TEST_ASSERT( check_all_free( ) == 0 );
+
+    mbedtls_memory_buffer_alloc_free( );
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+cleanup:
+    mbedtls_memory_buffer_alloc_free( );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
diff --git a/makerom/deps/libmbedtls/src/net_sockets.c b/makerom/deps/libmbedtls/src/net_sockets.c
new file mode 100644
index 00000000..5d538bfd
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/net_sockets.c
@@ -0,0 +1,668 @@
+/*
+ *  TCP/IP or UDP/IP networking functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
+ * be set before config.h, which pulls in glibc's features.h indirectly.
+ * Harmless on other platforms. */
+#define _POSIX_C_SOURCE 200112L
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_NET_C)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
+#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/net_sockets.h"
+
+#include <string.h>
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+    !defined(EFI32)
+
+#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
+
+#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
+#undef _WIN32_WINNT
+/* Enables getaddrinfo() & Co */
+#define _WIN32_WINNT 0x0501
+#endif
+
+#include <ws2tcpip.h>
+
+#include <winsock2.h>
+#include <windows.h>
+
+#if defined(_MSC_VER)
+#if defined(_WIN32_WCE)
+#pragma comment( lib, "ws2.lib" )
+#else
+#pragma comment( lib, "ws2_32.lib" )
+#endif
+#endif /* _MSC_VER */
+
+#define read(fd,buf,len)        recv( fd, (char*)( buf ), (int)( len ), 0 )
+#define write(fd,buf,len)       send( fd, (char*)( buf ), (int)( len ), 0 )
+#define close(fd)               closesocket(fd)
+
+static int wsa_init_done = 0;
+
+#else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <errno.h>
+
+#define IS_EINTR( ret ) ( ( ret ) == EINTR )
+
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/* Some MS functions want int and MSVC warns if we pass size_t,
+ * but the standard functions use socklen_t, so cast only for MSVC */
+#if defined(_MSC_VER)
+#define MSVC_INT_CAST   (int)
+#else
+#define MSVC_INT_CAST
+#endif
+
+#include <stdio.h>
+
+#include <time.h>
+
+#include <stdint.h>
+
+/*
+ * Prepare for using the sockets interface
+ */
+static int net_prepare( void )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    WSADATA wsaData;
+
+    if( wsa_init_done == 0 )
+    {
+        if( WSAStartup( MAKEWORD(2,0), &wsaData ) != 0 )
+            return( MBEDTLS_ERR_NET_SOCKET_FAILED );
+
+        wsa_init_done = 1;
+    }
+#else
+#if !defined(EFIX64) && !defined(EFI32)
+    signal( SIGPIPE, SIG_IGN );
+#endif
+#endif
+    return( 0 );
+}
+
+/*
+ * Initialize a context
+ */
+void mbedtls_net_init( mbedtls_net_context *ctx )
+{
+    ctx->fd = -1;
+}
+
+/*
+ * Initiate a TCP connection with host:port and the given protocol
+ */
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
+                         const char *port, int proto )
+{
+    int ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Do name resolution with both IPv6 and IPv4 */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+
+    if( getaddrinfo( host, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a connection succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( connect( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) == 0 )
+        {
+            ret = 0;
+            break;
+        }
+
+        close( ctx->fd );
+        ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+}
+
+/*
+ * Create a listening socket on bind_ip:port
+ */
+int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
+{
+    int n, ret;
+    struct addrinfo hints, *addr_list, *cur;
+
+    if( ( ret = net_prepare() ) != 0 )
+        return( ret );
+
+    /* Bind to IPv6 and/or IPv4, but only in the desired protocol */
+    memset( &hints, 0, sizeof( hints ) );
+    hints.ai_family = AF_UNSPEC;
+    hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
+    hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
+    if( bind_ip == NULL )
+        hints.ai_flags = AI_PASSIVE;
+
+    if( getaddrinfo( bind_ip, port, &hints, &addr_list ) != 0 )
+        return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
+
+    /* Try the sockaddrs until a binding succeeds */
+    ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
+    for( cur = addr_list; cur != NULL; cur = cur->ai_next )
+    {
+        ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
+                            cur->ai_protocol );
+        if( ctx->fd < 0 )
+        {
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        n = 1;
+        if( setsockopt( ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &n, sizeof( n ) ) != 0 )
+        {
+            close( ctx->fd );
+            ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
+            continue;
+        }
+
+        if( bind( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) != 0 )
+        {
+            close( ctx->fd );
+            ret = MBEDTLS_ERR_NET_BIND_FAILED;
+            continue;
+        }
+
+        /* Listen only makes sense for TCP */
+        if( proto == MBEDTLS_NET_PROTO_TCP )
+        {
+            if( listen( ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG ) != 0 )
+            {
+                close( ctx->fd );
+                ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
+                continue;
+            }
+        }
+
+        /* Bind was successful */
+        ret = 0;
+        break;
+    }
+
+    freeaddrinfo( addr_list );
+
+    return( ret );
+
+}
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    ((void) ctx);
+    return( WSAGetLastError() == WSAEWOULDBLOCK );
+}
+#else
+/*
+ * Check if the requested operation would be blocking on a non-blocking socket
+ * and thus 'failed' with a negative return value.
+ *
+ * Note: on a blocking socket this function always returns 0!
+ */
+static int net_would_block( const mbedtls_net_context *ctx )
+{
+    int err = errno;
+
+    /*
+     * Never return 'WOULD BLOCK' on a blocking socket
+     */
+    if( ( fcntl( ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK )
+    {
+        errno = err;
+        return( 0 );
+    }
+
+    switch( errno = err )
+    {
+#if defined EAGAIN
+        case EAGAIN:
+#endif
+#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
+        case EWOULDBLOCK:
+#endif
+            return( 1 );
+    }
+    return( 0 );
+}
+#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
+
+/*
+ * Accept a connection from a remote client
+ */
+int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
+                        mbedtls_net_context *client_ctx,
+                        void *client_ip, size_t buf_size, size_t *ip_len )
+{
+    int ret;
+    int type;
+
+    struct sockaddr_storage client_addr;
+
+#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) ||  \
+    defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
+    socklen_t n = (socklen_t) sizeof( client_addr );
+    socklen_t type_len = (socklen_t) sizeof( type );
+#else
+    int n = (int) sizeof( client_addr );
+    int type_len = (int) sizeof( type );
+#endif
+
+    /* Is this a TCP or UDP socket? */
+    if( getsockopt( bind_ctx->fd, SOL_SOCKET, SO_TYPE,
+                    (void *) &type, &type_len ) != 0 ||
+        ( type != SOCK_STREAM && type != SOCK_DGRAM ) )
+    {
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    if( type == SOCK_STREAM )
+    {
+        /* TCP: actual accept() */
+        ret = client_ctx->fd = (int) accept( bind_ctx->fd,
+                                             (struct sockaddr *) &client_addr, &n );
+    }
+    else
+    {
+        /* UDP: wait for a message, but keep it in the queue */
+        char buf[1] = { 0 };
+
+        ret = (int) recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
+                        (struct sockaddr *) &client_addr, &n );
+
+#if defined(_WIN32)
+        if( ret == SOCKET_ERROR &&
+            WSAGetLastError() == WSAEMSGSIZE )
+        {
+            /* We know buf is too small, thanks, just peeking here */
+            ret = 0;
+        }
+#endif
+    }
+
+    if( ret < 0 )
+    {
+        if( net_would_block( bind_ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+        return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+    }
+
+    /* UDP: hijack the listening socket to communicate with the client,
+     * then bind a new socket to accept new connections */
+    if( type != SOCK_STREAM )
+    {
+        struct sockaddr_storage local_addr;
+        int one = 1;
+
+        if( connect( bind_ctx->fd, (struct sockaddr *) &client_addr, n ) != 0 )
+            return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
+
+        client_ctx->fd = bind_ctx->fd;
+        bind_ctx->fd   = -1; /* In case we exit early */
+
+        n = sizeof( struct sockaddr_storage );
+        if( getsockname( client_ctx->fd,
+                         (struct sockaddr *) &local_addr, &n ) != 0 ||
+            ( bind_ctx->fd = (int) socket( local_addr.ss_family,
+                                           SOCK_DGRAM, IPPROTO_UDP ) ) < 0 ||
+            setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
+                        (const char *) &one, sizeof( one ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_SOCKET_FAILED );
+        }
+
+        if( bind( bind_ctx->fd, (struct sockaddr *) &local_addr, n ) != 0 )
+        {
+            return( MBEDTLS_ERR_NET_BIND_FAILED );
+        }
+    }
+
+    if( client_ip != NULL )
+    {
+        if( client_addr.ss_family == AF_INET )
+        {
+            struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
+            *ip_len = sizeof( addr4->sin_addr.s_addr );
+
+            if( buf_size < *ip_len )
+                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
+
+            memcpy( client_ip, &addr4->sin_addr.s_addr, *ip_len );
+        }
+        else
+        {
+            struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
+            *ip_len = sizeof( addr6->sin6_addr.s6_addr );
+
+            if( buf_size < *ip_len )
+                return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
+
+            memcpy( client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Set the socket blocking or non-blocking
+ */
+int mbedtls_net_set_block( mbedtls_net_context *ctx )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 0;
+    return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+#else
+    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) & ~O_NONBLOCK ) );
+#endif
+}
+
+int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
+{
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+    u_long n = 1;
+    return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
+#else
+    return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) | O_NONBLOCK ) );
+#endif
+}
+
+/*
+ * Check if data is available on the socket
+ */
+
+int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout )
+{
+    int ret;
+    struct timeval tv;
+
+    fd_set read_fds;
+    fd_set write_fds;
+
+    int fd = ctx->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+    /* Ensure that memory sanitizers consider read_fds and write_fds as
+     * initialized even on platforms such as Glibc/x86_64 where FD_ZERO
+     * is implemented in assembly. */
+    memset( &read_fds, 0, sizeof( read_fds ) );
+    memset( &write_fds, 0, sizeof( write_fds ) );
+#endif
+#endif
+
+    FD_ZERO( &read_fds );
+    if( rw & MBEDTLS_NET_POLL_READ )
+    {
+        rw &= ~MBEDTLS_NET_POLL_READ;
+        FD_SET( fd, &read_fds );
+    }
+
+    FD_ZERO( &write_fds );
+    if( rw & MBEDTLS_NET_POLL_WRITE )
+    {
+        rw &= ~MBEDTLS_NET_POLL_WRITE;
+        FD_SET( fd, &write_fds );
+    }
+
+    if( rw != 0 )
+        return( MBEDTLS_ERR_NET_BAD_INPUT_DATA );
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = ( timeout % 1000 ) * 1000;
+
+    do
+    {
+        ret = select( fd + 1, &read_fds, &write_fds, NULL,
+                      timeout == (uint32_t) -1 ? NULL : &tv );
+    }
+    while( IS_EINTR( ret ) );
+
+    if( ret < 0 )
+        return( MBEDTLS_ERR_NET_POLL_FAILED );
+
+    ret = 0;
+    if( FD_ISSET( fd, &read_fds ) )
+        ret |= MBEDTLS_NET_POLL_READ;
+    if( FD_ISSET( fd, &write_fds ) )
+        ret |= MBEDTLS_NET_POLL_WRITE;
+
+    return( ret );
+}
+
+/*
+ * Portable usleep helper
+ */
+void mbedtls_net_usleep( unsigned long usec )
+{
+#if defined(_WIN32)
+    Sleep( ( usec + 999 ) / 1000 );
+#else
+    struct timeval tv;
+    tv.tv_sec  = usec / 1000000;
+#if defined(__unix__) || defined(__unix) || \
+    ( defined(__APPLE__) && defined(__MACH__) )
+    tv.tv_usec = (suseconds_t) usec % 1000000;
+#else
+    tv.tv_usec = usec % 1000000;
+#endif
+    select( 0, NULL, NULL, NULL, &tv );
+#endif
+}
+
+/*
+ * Read at most 'len' characters
+ */
+int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) read( fd, buf, len );
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Read at most 'len' characters, blocking for at most 'timeout' ms
+ */
+int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf,
+                              size_t len, uint32_t timeout )
+{
+    int ret;
+    struct timeval tv;
+    fd_set read_fds;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    FD_ZERO( &read_fds );
+    FD_SET( fd, &read_fds );
+
+    tv.tv_sec  = timeout / 1000;
+    tv.tv_usec = ( timeout % 1000 ) * 1000;
+
+    ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
+
+    /* Zero fds ready means we timed out */
+    if( ret == 0 )
+        return( MBEDTLS_ERR_SSL_TIMEOUT );
+
+    if( ret < 0 )
+    {
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAEINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#else
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+
+        return( MBEDTLS_ERR_NET_RECV_FAILED );
+    }
+
+    /* This call will not block */
+    return( mbedtls_net_recv( ctx, buf, len ) );
+}
+
+/*
+ * Write at most 'len' characters
+ */
+int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
+{
+    int ret;
+    int fd = ((mbedtls_net_context *) ctx)->fd;
+
+    if( fd < 0 )
+        return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+    ret = (int) write( fd, buf, len );
+
+    if( ret < 0 )
+    {
+        if( net_would_block( ctx ) != 0 )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+
+#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
+    !defined(EFI32)
+        if( WSAGetLastError() == WSAECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+#else
+        if( errno == EPIPE || errno == ECONNRESET )
+            return( MBEDTLS_ERR_NET_CONN_RESET );
+
+        if( errno == EINTR )
+            return( MBEDTLS_ERR_SSL_WANT_WRITE );
+#endif
+
+        return( MBEDTLS_ERR_NET_SEND_FAILED );
+    }
+
+    return( ret );
+}
+
+/*
+ * Gracefully close the connection
+ */
+void mbedtls_net_free( mbedtls_net_context *ctx )
+{
+    if( ctx->fd == -1 )
+        return;
+
+    shutdown( ctx->fd, 2 );
+    close( ctx->fd );
+
+    ctx->fd = -1;
+}
+
+#endif /* MBEDTLS_NET_C */
diff --git a/makerom/deps/libmbedtls/src/nist_kw.c b/makerom/deps/libmbedtls/src/nist_kw.c
new file mode 100644
index 00000000..317a2426
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/nist_kw.c
@@ -0,0 +1,755 @@
+/*
+ *  Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
+ *  only
+ *
+ *  Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * Definition of Key Wrapping:
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
+ * RFC 3394 "Advanced Encryption Standard (AES) Key Wrap Algorithm"
+ * RFC 5649 "Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm"
+ *
+ * Note: RFC 3394 defines different methodology for intermediate operations for
+ * the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_NIST_KW_C)
+
+#include "mbedtls/nist_kw.h"
+#include "mbedtls/platform_util.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#if !defined(MBEDTLS_NIST_KW_ALT)
+
+#define KW_SEMIBLOCK_LENGTH    8
+#define MIN_SEMIBLOCKS_COUNT   3
+
+/* constant-time buffer comparison */
+static inline unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    volatile const unsigned char *A = (volatile const unsigned char *) a;
+    volatile const unsigned char *B = (volatile const unsigned char *) b;
+    volatile unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+    {
+        /* Read volatile data in order before computing diff.
+         * This avoids IAR compiler warning:
+         * 'the order of volatile accesses is undefined ..' */
+        unsigned char x = A[i], y = B[i];
+        diff |= x ^ y;
+    }
+
+    return( diff );
+}
+
+/*! The 64-bit default integrity check value (ICV) for KW mode. */
+static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
+/*! The 32-bit default integrity check value (ICV) for KWP mode. */
+static const  unsigned char NIST_KW_ICV2[] = {0xA6, 0x59, 0x59, 0xA6};
+
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
+#endif
+
+/*
+ * Initialize context
+ */
+void mbedtls_nist_kw_init( mbedtls_nist_kw_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_nist_kw_context ) );
+}
+
+int mbedtls_nist_kw_setkey( mbedtls_nist_kw_context *ctx,
+                            mbedtls_cipher_id_t cipher,
+                            const unsigned char *key,
+                            unsigned int keybits,
+                            const int is_wrap )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    cipher_info = mbedtls_cipher_info_from_values( cipher,
+                                                   keybits,
+                                                   MBEDTLS_MODE_ECB );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    if( cipher_info->block_size != 16 )
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+    /*
+     * SP 800-38F currently defines AES cipher as the only block cipher allowed:
+     * "For KW and KWP, the underlying block cipher shall be approved, and the
+     *  block size shall be 128 bits. Currently, the AES block cipher, with key
+     *  lengths of 128, 192, or 256 bits, is the only block cipher that fits
+     *  this profile."
+     *  Currently we don't support other 128 bit block ciphers for key wrapping,
+     *  such as Camellia and Aria.
+     */
+    if( cipher != MBEDTLS_CIPHER_ID_AES )
+        return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
+                                       is_wrap ? MBEDTLS_ENCRYPT :
+                                                 MBEDTLS_DECRYPT )
+                                                                   ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_nist_kw_free( mbedtls_nist_kw_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->cipher_ctx );
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_nist_kw_context ) );
+}
+
+/*
+ * Helper function for Xoring the uint64_t "t" with the encrypted A.
+ * Defined in NIST SP 800-38F section 6.1
+ */
+static void calc_a_xor_t( unsigned char A[KW_SEMIBLOCK_LENGTH], uint64_t t )
+{
+    size_t i = 0;
+    for( i = 0; i < sizeof( t ); i++ )
+    {
+        A[i] ^= ( t >> ( ( sizeof( t ) - 1 - i ) * 8 ) ) & 0xff;
+    }
+}
+
+/*
+ * KW-AE as defined in SP 800-38F section 6.2
+ * KWP-AE as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_wrap( mbedtls_nist_kw_context *ctx,
+                          mbedtls_nist_kw_mode_t mode,
+                          const unsigned char *input, size_t in_len,
+                          unsigned char *output, size_t *out_len, size_t out_size )
+{
+    int ret = 0;
+    size_t semiblocks = 0;
+    size_t s;
+    size_t olen, padlen = 0;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+    unsigned char *A = output;
+
+    *out_len = 0;
+    /*
+     * Generate the String to work on
+     */
+    if( mode == MBEDTLS_KW_MODE_KW )
+    {
+        if( out_size < in_len + KW_SEMIBLOCK_LENGTH )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KW
+         * must be between 2 to 2^54-1 semiblocks inclusive.
+         */
+        if( in_len < 16 ||
+#if SIZE_MAX > 0x1FFFFFFFFFFFFF8
+            in_len > 0x1FFFFFFFFFFFFF8 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        memcpy( output, NIST_KW_ICV1, KW_SEMIBLOCK_LENGTH );
+        memmove( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+    }
+    else
+    {
+        if( in_len % 8 != 0 )
+        {
+            padlen = ( 8 - ( in_len % 8 ) );
+        }
+
+        if( out_size < in_len + KW_SEMIBLOCK_LENGTH + padlen )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        /*
+         * According to SP 800-38F Table 1, the plaintext length for KWP
+         * must be between 1 and 2^32-1 octets inclusive.
+         */
+        if( in_len < 1
+#if SIZE_MAX > 0xFFFFFFFF
+            || in_len > 0xFFFFFFFF
+#endif
+          )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        memcpy( output, NIST_KW_ICV2, KW_SEMIBLOCK_LENGTH / 2 );
+        PUT_UINT32_BE( ( in_len & 0xffffffff ), output,
+                       KW_SEMIBLOCK_LENGTH / 2 );
+
+        memcpy( output + KW_SEMIBLOCK_LENGTH, input, in_len );
+        memset( output + KW_SEMIBLOCK_LENGTH + in_len, 0, padlen );
+    }
+    semiblocks = ( ( in_len + padlen ) / KW_SEMIBLOCK_LENGTH ) + 1;
+
+    s = 6 * ( semiblocks - 1 );
+
+    if( mode == MBEDTLS_KW_MODE_KWP
+        && in_len <= KW_SEMIBLOCK_LENGTH )
+    {
+        memcpy( inbuff, output, 16 );
+        ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                     inbuff, 16, output, &olen );
+        if( ret != 0 )
+            goto cleanup;
+    }
+    else
+    {
+        /*
+         * Do the wrapping function W, as defined in RFC 3394 section 2.2.1
+         */
+        if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+        {
+            ret = MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        /* Calculate intermediate values */
+        for( t = 1; t <= s; t++ )
+        {
+            memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+            memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R2, KW_SEMIBLOCK_LENGTH );
+
+            ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                         inbuff, 16, outbuff, &olen );
+            if( ret != 0 )
+                goto cleanup;
+
+            memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+            calc_a_xor_t( A, t );
+
+            memcpy( R2, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+            R2 += KW_SEMIBLOCK_LENGTH;
+            if( R2 >= output + ( semiblocks * KW_SEMIBLOCK_LENGTH ) )
+                R2 = output + KW_SEMIBLOCK_LENGTH;
+        }
+    }
+
+    *out_len = semiblocks * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+
+    if( ret != 0)
+    {
+        memset( output, 0, semiblocks * KW_SEMIBLOCK_LENGTH );
+    }
+    mbedtls_platform_zeroize( inbuff, KW_SEMIBLOCK_LENGTH * 2 );
+    mbedtls_platform_zeroize( outbuff, KW_SEMIBLOCK_LENGTH * 2 );
+
+    return( ret );
+}
+
+/*
+ * W-1 function as defined in RFC 3394 section 2.2.2
+ * This function assumes the following:
+ * 1. Output buffer is at least of size ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH.
+ * 2. The input buffer is of size semiblocks * KW_SEMIBLOCK_LENGTH.
+ * 3. Minimal number of semiblocks is 3.
+ * 4. A is a buffer to hold the first semiblock of the input buffer.
+ */
+static int unwrap( mbedtls_nist_kw_context *ctx,
+                   const unsigned char *input, size_t semiblocks,
+                   unsigned char A[KW_SEMIBLOCK_LENGTH],
+                   unsigned char *output, size_t* out_len )
+{
+    int ret = 0;
+    const size_t s = 6 * ( semiblocks - 1 );
+    size_t olen;
+    uint64_t t = 0;
+    unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
+    unsigned char *R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+    *out_len = 0;
+
+    if( semiblocks < MIN_SEMIBLOCKS_COUNT )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    memcpy( A, input, KW_SEMIBLOCK_LENGTH );
+    memmove( output, input + KW_SEMIBLOCK_LENGTH, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+
+    /* Calculate intermediate values */
+    for( t = s; t >= 1; t-- )
+    {
+        calc_a_xor_t( A, t );
+
+        memcpy( inbuff, A, KW_SEMIBLOCK_LENGTH );
+        memcpy( inbuff + KW_SEMIBLOCK_LENGTH, R, KW_SEMIBLOCK_LENGTH );
+
+        ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                     inbuff, 16, outbuff, &olen );
+        if( ret != 0 )
+            goto cleanup;
+
+        memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+
+        /* Set R as LSB64 of outbuff */
+        memcpy( R, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+
+        if( R == output )
+            R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+        else
+            R -= KW_SEMIBLOCK_LENGTH;
+    }
+
+    *out_len = ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH;
+
+cleanup:
+    if( ret != 0)
+        memset( output, 0, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+    mbedtls_platform_zeroize( inbuff, sizeof( inbuff )  );
+    mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+
+    return( ret );
+}
+
+/*
+ * KW-AD as defined in SP 800-38F section 6.2
+ * KWP-AD as defined in SP 800-38F section 6.3
+ */
+int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
+                            mbedtls_nist_kw_mode_t mode,
+                            const unsigned char *input, size_t in_len,
+                            unsigned char *output, size_t *out_len, size_t out_size )
+{
+    int ret = 0;
+    size_t i, olen;
+    unsigned char A[KW_SEMIBLOCK_LENGTH];
+    unsigned char diff, bad_padding = 0;
+
+    *out_len = 0;
+    if( out_size < in_len - KW_SEMIBLOCK_LENGTH )
+    {
+        return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+    }
+
+    if( mode == MBEDTLS_KW_MODE_KW )
+    {
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KW
+         * must be between 3 to 2^54 semiblocks inclusive.
+         */
+        if( in_len < 24 ||
+#if SIZE_MAX > 0x200000000000000
+            in_len > 0x200000000000000 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                      A, output, out_len );
+        if( ret != 0 )
+            goto cleanup;
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+            goto cleanup;
+        }
+
+    }
+    else if( mode == MBEDTLS_KW_MODE_KWP )
+    {
+        size_t padlen = 0;
+        uint32_t Plen;
+        /*
+         * According to SP 800-38F Table 1, the ciphertext length for KWP
+         * must be between 2 to 2^29 semiblocks inclusive.
+         */
+        if( in_len < KW_SEMIBLOCK_LENGTH * 2 ||
+#if SIZE_MAX > 0x100000000
+            in_len > 0x100000000 ||
+#endif
+            in_len % KW_SEMIBLOCK_LENGTH != 0 )
+        {
+            return(  MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+        }
+
+        if( in_len == KW_SEMIBLOCK_LENGTH * 2 )
+        {
+            unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
+            ret = mbedtls_cipher_update( &ctx->cipher_ctx,
+                                         input, 16, outbuff, &olen );
+            if( ret != 0 )
+                goto cleanup;
+
+            memcpy( A, outbuff, KW_SEMIBLOCK_LENGTH );
+            memcpy( output, outbuff + KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH );
+            mbedtls_platform_zeroize( outbuff, sizeof( outbuff ) );
+            *out_len = KW_SEMIBLOCK_LENGTH;
+        }
+        else
+        {
+            /* in_len >=  KW_SEMIBLOCK_LENGTH * 3 */
+            ret = unwrap( ctx, input, in_len / KW_SEMIBLOCK_LENGTH,
+                          A, output, out_len );
+            if( ret != 0 )
+                goto cleanup;
+        }
+
+        /* Check ICV in "constant-time" */
+        diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        GET_UINT32_BE( Plen, A, KW_SEMIBLOCK_LENGTH / 2 );
+
+        /*
+         * Plen is the length of the plaintext, when the input is valid.
+         * If Plen is larger than the plaintext and padding, padlen will be
+         * larger than 8, because of the type wrap around.
+         */
+        padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
+        if ( padlen > 7 )
+        {
+            padlen &= 7;
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        /* Check padding in "constant-time" */
+        for( diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++ )
+        {
+             if( i >= KW_SEMIBLOCK_LENGTH - padlen )
+                 diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+             else
+                 bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
+        }
+
+        if( diff != 0 )
+        {
+            ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
+        }
+
+        if( ret != 0 )
+        {
+            goto cleanup;
+        }
+        memset( output + Plen, 0, padlen );
+        *out_len = Plen;
+    }
+    else
+    {
+        ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
+        goto cleanup;
+    }
+
+cleanup:
+    if( ret != 0 )
+    {
+        memset( output, 0, *out_len );
+        *out_len = 0;
+    }
+
+    mbedtls_platform_zeroize( &bad_padding, sizeof( bad_padding) );
+    mbedtls_platform_zeroize( &diff, sizeof( diff ) );
+    mbedtls_platform_zeroize( A, sizeof( A ) );
+
+    return( ret );
+}
+
+#endif /* !MBEDTLS_NIST_KW_ALT */
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
+
+#define KW_TESTS 3
+
+/*
+ * Test vectors taken from NIST
+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
+ */
+static const unsigned int key_len[KW_TESTS] = { 16, 24, 32 };
+
+static const unsigned char kw_key[KW_TESTS][32] = {
+    { 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
+      0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
+    { 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
+      0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
+      0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
+    { 0x11, 0x2a, 0xd4, 0x1b, 0x48, 0x56, 0xc7, 0x25,
+      0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
+      0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
+      0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
+};
+
+static const unsigned char kw_msg[KW_TESTS][40] = {
+    { 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
+      0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
+    { 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
+      0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
+      0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
+      0xc0, 0x9d, 0x15, 0x8f, 0x51, 0xce, 0x62, 0x9d,
+      0xe2, 0xaf, 0x26, 0xe3, 0x25, 0x0e, 0x6b, 0x4c },
+    { 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
+      0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
+      0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
+};
+
+static const size_t kw_msg_len[KW_TESTS] = { 16, 40, 24 };
+static const size_t kw_out_len[KW_TESTS] = { 24, 48, 32 };
+static const unsigned char kw_res[KW_TESTS][48] = {
+    { 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
+      0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
+      0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
+    { 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
+      0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
+      0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
+      0x6c, 0x42, 0x6f, 0xc6, 0x97, 0x15, 0x63, 0xe8,
+      0xa1, 0x4a, 0x55, 0x8e, 0x09, 0x64, 0x16, 0x19,
+      0xbf, 0x03, 0xfc, 0xaf, 0x90, 0xb1, 0xfc, 0x2d },
+    { 0xba, 0x8a, 0x25, 0x9a, 0x47, 0x1b, 0x78, 0x7d,
+      0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
+      0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
+      0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
+};
+
+static const unsigned char kwp_key[KW_TESTS][32] = {
+    { 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
+      0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
+    { 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
+      0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
+      0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
+    { 0x95, 0xda, 0x27, 0x00, 0xca, 0x6f, 0xd9, 0xa5,
+      0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
+      0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
+      0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
+};
+
+static const unsigned char kwp_msg[KW_TESTS][31] = {
+    { 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
+      0x96 },
+    { 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
+      0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
+      0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
+      0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
+    { 0xd1 }
+};
+static const size_t kwp_msg_len[KW_TESTS] = { 9, 31, 1 };
+
+static const unsigned char kwp_res[KW_TESTS][48] = {
+    { 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
+      0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
+      0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
+    { 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
+      0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
+      0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
+      0x8b, 0xcc, 0x81, 0x66, 0x84, 0x68, 0x17, 0x90,
+      0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
+    { 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
+      0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4  }
+};
+static const size_t kwp_out_len[KW_TESTS] = { 24, 40, 16 };
+
+int mbedtls_nist_kw_self_test( int verbose )
+{
+    mbedtls_nist_kw_context ctx;
+    unsigned char out[48];
+    size_t olen;
+    int i;
+    int ret = 0;
+    mbedtls_nist_kw_init( &ctx );
+
+    for( i = 0; i < KW_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  KW-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+        ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                      kw_key[i], key_len[i] * 8, 1 );
+        if( ret != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KW: setup failed " );
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
+                                    kw_msg_len[i], out, &olen, sizeof( out ) );
+        if( ret != 0 || kw_out_len[i] != olen ||
+            memcmp( out, kw_res[i], kw_out_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                            kw_key[i], key_len[i] * 8, 0 ) )
+              != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KW: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap( &ctx, MBEDTLS_KW_MODE_KW,
+                                      out, olen, out, &olen, sizeof( out ) );
+
+        if( ret != 0 || olen != kw_msg_len[i] ||
+            memcmp( out, kw_msg[i], kw_msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto end;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( " passed\n" );
+    }
+
+    for( i = 0; i < KW_TESTS; i++ )
+    {
+        olen = sizeof( out );
+        if( verbose != 0 )
+            mbedtls_printf( "  KWP-AES-%u ", (unsigned int) key_len[i] * 8 );
+
+        ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
+                                      key_len[i] * 8, 1 );
+        if( ret  != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KWP: setup failed " );
+
+            goto end;
+        }
+        ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
+                                    kwp_msg_len[i], out, &olen, sizeof( out ) );
+
+        if( ret != 0 || kwp_out_len[i] != olen ||
+            memcmp( out, kwp_res[i], kwp_out_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( ( ret = mbedtls_nist_kw_setkey( &ctx, MBEDTLS_CIPHER_ID_AES,
+                                            kwp_key[i], key_len[i] * 8, 0 ) )
+              != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "  KWP: setup failed ");
+
+            goto end;
+        }
+
+        ret = mbedtls_nist_kw_unwrap(  &ctx, MBEDTLS_KW_MODE_KWP, out,
+                                       olen, out, &olen, sizeof( out ) );
+
+        if( ret != 0 || olen != kwp_msg_len[i] ||
+            memcmp( out, kwp_msg[i], kwp_msg_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed. ");
+
+            ret = 1;
+            goto end;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( " passed\n" );
+    }
+end:
+    mbedtls_nist_kw_free( &ctx );
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_NIST_KW_C */
diff --git a/makerom/deps/libmbedtls/src/oid.c b/makerom/deps/libmbedtls/src/oid.c
new file mode 100644
index 00000000..33f437cb
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/oid.c
@@ -0,0 +1,758 @@
+/**
+ * \file oid.c
+ *
+ * \brief Object Identifier (OID) database
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_OID_C)
+
+#include "mbedtls/oid.h"
+#include "mbedtls/rsa.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_snprintf snprintf
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+#include "mbedtls/x509.h"
+#endif
+
+/*
+ * Macro to automatically add the size of #define'd OIDs
+ */
+#define ADD_LEN(s)      s, MBEDTLS_OID_SIZE(s)
+
+/*
+ * Macro to generate an internal function for oid_XXX_from_asn1() (used by
+ * the other functions)
+ */
+#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST )                    \
+    static const TYPE_T * oid_ ## NAME ## _from_asn1(                   \
+                                      const mbedtls_asn1_buf *oid )     \
+    {                                                                   \
+        const TYPE_T *p = (LIST);                                       \
+        const mbedtls_oid_descriptor_t *cur =                           \
+            (const mbedtls_oid_descriptor_t *) p;                       \
+        if( p == NULL || oid == NULL ) return( NULL );                  \
+        while( cur->asn1 != NULL ) {                                    \
+            if( cur->asn1_len == oid->len &&                            \
+                memcmp( cur->asn1, oid->p, oid->len ) == 0 ) {          \
+                return( p );                                            \
+            }                                                           \
+            p++;                                                        \
+            cur = (const mbedtls_oid_descriptor_t *) p;                 \
+        }                                                               \
+        return( NULL );                                                 \
+    }
+
+/*
+ * Macro to generate a function for retrieving a single attribute from the
+ * descriptor of an mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->descriptor.ATTR1;                                    \
+    return( 0 );                                                        \
+}
+
+/*
+ * Macro to generate a function for retrieving a single attribute from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 )                  \
+{                                                                       \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );        \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );            \
+    *ATTR1 = data->ATTR1;                                               \
+    return( 0 );                                                        \
+}
+
+/*
+ * Macro to generate a function for retrieving two attributes from an
+ * mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1,     \
+                         ATTR2_TYPE, ATTR2)                                 \
+int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1,               \
+                                          ATTR2_TYPE * ATTR2 )              \
+{                                                                           \
+    const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid );            \
+    if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND );                 \
+    *(ATTR1) = data->ATTR1;                                                 \
+    *(ATTR2) = data->ATTR2;                                                 \
+    return( 0 );                                                            \
+}
+
+/*
+ * Macro to generate a function for retrieving the OID based on a single
+ * attribute from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1)   \
+int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen )             \
+{                                                                           \
+    const TYPE_T *cur = (LIST);                                             \
+    while( cur->descriptor.asn1 != NULL ) {                                 \
+        if( cur->ATTR1 == (ATTR1) ) {                                       \
+            *oid = cur->descriptor.asn1;                                    \
+            *olen = cur->descriptor.asn1_len;                               \
+            return( 0 );                                                    \
+        }                                                                   \
+        cur++;                                                              \
+    }                                                                       \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                    \
+}
+
+/*
+ * Macro to generate a function for retrieving the OID based on two
+ * attributes from a mbedtls_oid_descriptor_t wrapper.
+ */
+#define FN_OID_GET_OID_BY_ATTR2(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1,   \
+                                ATTR2_TYPE, ATTR2)                          \
+int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid ,         \
+             size_t *olen )                                                 \
+{                                                                           \
+    const TYPE_T *cur = (LIST);                                             \
+    while( cur->descriptor.asn1 != NULL ) {                                 \
+        if( cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2) ) {              \
+            *oid = cur->descriptor.asn1;                                    \
+            *olen = cur->descriptor.asn1_len;                               \
+            return( 0 );                                                    \
+        }                                                                   \
+        cur++;                                                              \
+    }                                                                       \
+    return( MBEDTLS_ERR_OID_NOT_FOUND );                                   \
+}
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+/*
+ * For X520 attribute types
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    const char          *short_name;
+} oid_x520_attr_t;
+
+static const oid_x520_attr_t oid_x520_attr_type[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_CN ),          "id-at-commonName",               "Common Name" },
+        "CN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_COUNTRY ),     "id-at-countryName",              "Country" },
+        "C",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_LOCALITY ),    "id-at-locality",                 "Locality" },
+        "L",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_STATE ),       "id-at-state",                    "State" },
+        "ST",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_ORGANIZATION ),"id-at-organizationName",         "Organization" },
+        "O",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_ORG_UNIT ),    "id-at-organizationalUnitName",   "Org Unit" },
+        "OU",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS9_EMAIL ),    "emailAddress",                   "E-mail address" },
+        "emailAddress",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_SERIAL_NUMBER ),"id-at-serialNumber",            "Serial number" },
+        "serialNumber",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_POSTAL_ADDRESS ),"id-at-postalAddress",          "Postal address" },
+        "postalAddress",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_POSTAL_CODE ), "id-at-postalCode",               "Postal code" },
+        "postalCode",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_SUR_NAME ),    "id-at-surName",                  "Surname" },
+        "SN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_GIVEN_NAME ),  "id-at-givenName",                "Given name" },
+        "GN",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_INITIALS ),    "id-at-initials",                 "Initials" },
+        "initials",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_GENERATION_QUALIFIER ), "id-at-generationQualifier", "Generation qualifier" },
+        "generationQualifier",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_TITLE ),       "id-at-title",                    "Title" },
+        "title",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_DN_QUALIFIER ),"id-at-dnQualifier",              "Distinguished Name qualifier" },
+        "dnQualifier",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_PSEUDONYM ),   "id-at-pseudonym",                "Pseudonym" },
+        "pseudonym",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DOMAIN_COMPONENT ), "id-domainComponent",           "Domain component" },
+        "DC",
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_AT_UNIQUE_IDENTIFIER ), "id-at-uniqueIdentifier",    "Unique Identifier" },
+        "uniqueIdentifier",
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        NULL,
+    }
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x520_attr_t, x520_attr, oid_x520_attr_type)
+FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name, oid_x520_attr_t, x520_attr, const char *, short_name)
+
+/*
+ * For X509 extensions
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    int                 ext_type;
+} oid_x509_ext_t;
+
+static const oid_x509_ext_t oid_x509_ext[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_BASIC_CONSTRAINTS ),    "id-ce-basicConstraints",   "Basic Constraints" },
+        MBEDTLS_X509_EXT_BASIC_CONSTRAINTS,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_KEY_USAGE ),            "id-ce-keyUsage",           "Key Usage" },
+        MBEDTLS_X509_EXT_KEY_USAGE,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EXTENDED_KEY_USAGE ),   "id-ce-extKeyUsage",        "Extended Key Usage" },
+        MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_SUBJECT_ALT_NAME ),     "id-ce-subjectAltName",     "Subject Alt Name" },
+        MBEDTLS_X509_EXT_SUBJECT_ALT_NAME,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_NS_CERT_TYPE ),         "id-netscape-certtype",     "Netscape Certificate Type" },
+        MBEDTLS_X509_EXT_NS_CERT_TYPE,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        0,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
+FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
+
+static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
+{
+    { ADD_LEN( MBEDTLS_OID_SERVER_AUTH ),      "id-kp-serverAuth",      "TLS Web Server Authentication" },
+    { ADD_LEN( MBEDTLS_OID_CLIENT_AUTH ),      "id-kp-clientAuth",      "TLS Web Client Authentication" },
+    { ADD_LEN( MBEDTLS_OID_CODE_SIGNING ),     "id-kp-codeSigning",     "Code Signing" },
+    { ADD_LEN( MBEDTLS_OID_EMAIL_PROTECTION ), "id-kp-emailProtection", "E-mail Protection" },
+    { ADD_LEN( MBEDTLS_OID_TIME_STAMPING ),    "id-kp-timeStamping",    "Time Stamping" },
+    { ADD_LEN( MBEDTLS_OID_OCSP_SIGNING ),     "id-kp-OCSPSigning",     "OCSP Signing" },
+    { NULL, 0, NULL, NULL },
+};
+
+FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
+FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage, mbedtls_oid_descriptor_t, ext_key_usage, const char *, description)
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+
+#if defined(MBEDTLS_MD_C)
+/*
+ * For SignatureAlgorithmIdentifier
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+    mbedtls_pk_type_t           pk_alg;
+} oid_sig_alg_t;
+
+static const oid_sig_alg_t oid_sig_alg[] =
+{
+#if defined(MBEDTLS_RSA_C)
+#if defined(MBEDTLS_MD2_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD2 ),        "md2WithRSAEncryption",     "RSA with MD2" },
+        MBEDTLS_MD_MD2,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD4 ),        "md4WithRSAEncryption",     "RSA with MD4" },
+        MBEDTLS_MD_MD4,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_MD5 ),        "md5WithRSAEncryption",     "RSA with MD5" },
+        MBEDTLS_MD_MD5,      MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA1 ),       "sha-1WithRSAEncryption",   "RSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA224 ),     "sha224WithRSAEncryption",  "RSA with SHA-224" },
+        MBEDTLS_MD_SHA224,   MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA256 ),     "sha256WithRSAEncryption",  "RSA with SHA-256" },
+        MBEDTLS_MD_SHA256,   MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA384 ),     "sha384WithRSAEncryption",  "RSA with SHA-384" },
+        MBEDTLS_MD_SHA384,   MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_SHA512 ),     "sha512WithRSAEncryption",  "RSA with SHA-512" },
+        MBEDTLS_MD_SHA512,   MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_RSA_SHA_OBS ),      "sha-1WithRSAEncryption",   "RSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_RSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA1 ),       "ecdsa-with-SHA1",      "ECDSA with SHA1" },
+        MBEDTLS_MD_SHA1,     MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA224 ),     "ecdsa-with-SHA224",    "ECDSA with SHA224" },
+        MBEDTLS_MD_SHA224,   MBEDTLS_PK_ECDSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA256 ),     "ecdsa-with-SHA256",    "ECDSA with SHA256" },
+        MBEDTLS_MD_SHA256,   MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA384 ),     "ecdsa-with-SHA384",    "ECDSA with SHA384" },
+        MBEDTLS_MD_SHA384,   MBEDTLS_PK_ECDSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_ECDSA_SHA512 ),     "ecdsa-with-SHA512",    "ECDSA with SHA512" },
+        MBEDTLS_MD_SHA512,   MBEDTLS_PK_ECDSA,
+    },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_RSA_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_RSASSA_PSS ),        "RSASSA-PSS",           "RSASSA-PSS" },
+        MBEDTLS_MD_NONE,     MBEDTLS_PK_RSASSA_PSS,
+    },
+#endif /* MBEDTLS_RSA_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE, MBEDTLS_PK_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
+FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc, oid_sig_alg_t, sig_alg, const char *, description)
+FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg, oid_sig_alg_t, sig_alg, mbedtls_md_type_t, md_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg, oid_sig_alg_t, oid_sig_alg, mbedtls_pk_type_t, pk_alg, mbedtls_md_type_t, md_alg)
+#endif /* MBEDTLS_MD_C */
+
+/*
+ * For PublicKeyInfo (PKCS1, RFC 5480)
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_pk_type_t           pk_alg;
+} oid_pk_alg_t;
+
+static const oid_pk_alg_t oid_pk_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS1_RSA ),      "rsaEncryption",   "RSA" },
+        MBEDTLS_PK_RSA,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_ALG_UNRESTRICTED ),  "id-ecPublicKey",   "Generic EC key" },
+        MBEDTLS_PK_ECKEY,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_ALG_ECDH ),          "id-ecDH",          "EC key for ECDH" },
+        MBEDTLS_PK_ECKEY_DH,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_PK_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pk_alg_t, pk_alg, oid_pk_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_pk_alg, oid_pk_alg_t, pk_alg, mbedtls_pk_type_t, pk_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg, oid_pk_alg_t, oid_pk_alg, mbedtls_pk_type_t, pk_alg)
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * For namedCurve (RFC 5480)
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_ecp_group_id        grp_id;
+} oid_ecp_grp_t;
+
+static const oid_ecp_grp_t oid_ecp_grp[] =
+{
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP192R1 ), "secp192r1",    "secp192r1" },
+        MBEDTLS_ECP_DP_SECP192R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP224R1 ), "secp224r1",    "secp224r1" },
+        MBEDTLS_ECP_DP_SECP224R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP256R1 ), "secp256r1",    "secp256r1" },
+        MBEDTLS_ECP_DP_SECP256R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP384R1 ), "secp384r1",    "secp384r1" },
+        MBEDTLS_ECP_DP_SECP384R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP521R1 ), "secp521r1",    "secp521r1" },
+        MBEDTLS_ECP_DP_SECP521R1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP192K1 ), "secp192k1",    "secp192k1" },
+        MBEDTLS_ECP_DP_SECP192K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP224K1 ), "secp224k1",    "secp224k1" },
+        MBEDTLS_ECP_DP_SECP224K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_SECP256K1 ), "secp256k1",    "secp256k1" },
+        MBEDTLS_ECP_DP_SECP256K1,
+    },
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP256R1 ),   "brainpoolP256r1","brainpool256r1" },
+        MBEDTLS_ECP_DP_BP256R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP384R1 ),   "brainpoolP384r1","brainpool384r1" },
+        MBEDTLS_ECP_DP_BP384R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    {
+        { ADD_LEN( MBEDTLS_OID_EC_GRP_BP512R1 ),   "brainpoolP512r1","brainpool512r1" },
+        MBEDTLS_ECP_DP_BP512R1,
+    },
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_ECP_DP_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_t, grp_id, oid_ecp_grp)
+FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp, oid_ecp_grp_t, grp_id, mbedtls_ecp_group_id, grp_id)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp, oid_ecp_grp_t, oid_ecp_grp, mbedtls_ecp_group_id, grp_id)
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_CIPHER_C)
+/*
+ * For PKCS#5 PBES2 encryption algorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_cipher_type_t       cipher_alg;
+} oid_cipher_alg_t;
+
+static const oid_cipher_alg_t oid_cipher_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_DES_CBC ),              "desCBC",       "DES-CBC" },
+        MBEDTLS_CIPHER_DES_CBC,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DES_EDE3_CBC ),         "des-ede3-cbc", "DES-EDE3-CBC" },
+        MBEDTLS_CIPHER_DES_EDE3_CBC,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_CIPHER_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg, oid_cipher_alg_t, cipher_alg, mbedtls_cipher_type_t, cipher_alg)
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_MD_C)
+/*
+ * For digestAlgorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+} oid_md_alg_t;
+
+static const oid_md_alg_t oid_md_alg[] =
+{
+#if defined(MBEDTLS_MD2_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD2 ),       "id-md2",       "MD2" },
+        MBEDTLS_MD_MD2,
+    },
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD4 ),       "id-md4",       "MD4" },
+        MBEDTLS_MD_MD4,
+    },
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_MD5 ),       "id-md5",       "MD5" },
+        MBEDTLS_MD_MD5,
+    },
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA1 ),      "id-sha1",      "SHA-1" },
+        MBEDTLS_MD_SHA1,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA224 ),    "id-sha224",    "SHA-224" },
+        MBEDTLS_MD_SHA224,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA256 ),    "id-sha256",    "SHA-256" },
+        MBEDTLS_MD_SHA256,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA384 ),    "id-sha384",    "SHA-384" },
+        MBEDTLS_MD_SHA384,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_DIGEST_ALG_SHA512 ),    "id-sha512",    "SHA-512" },
+        MBEDTLS_MD_SHA512,
+    },
+#endif /* MBEDTLS_SHA512_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
+FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md, oid_md_alg_t, oid_md_alg, mbedtls_md_type_t, md_alg)
+
+/*
+ * For HMAC digestAlgorithm
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_hmac;
+} oid_md_hmac_t;
+
+static const oid_md_hmac_t oid_md_hmac[] =
+{
+#if defined(MBEDTLS_SHA1_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA1 ),      "hmacSHA1",      "HMAC-SHA-1" },
+        MBEDTLS_MD_SHA1,
+    },
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA224 ),    "hmacSHA224",    "HMAC-SHA-224" },
+        MBEDTLS_MD_SHA224,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA256 ),    "hmacSHA256",    "HMAC-SHA-256" },
+        MBEDTLS_MD_SHA256,
+    },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA384 ),    "hmacSHA384",    "HMAC-SHA-384" },
+        MBEDTLS_MD_SHA384,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_HMAC_SHA512 ),    "hmacSHA512",    "HMAC-SHA-512" },
+        MBEDTLS_MD_SHA512,
+    },
+#endif /* MBEDTLS_SHA512_C */
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
+FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+/*
+ * For PKCS#12 PBEs
+ */
+typedef struct {
+    mbedtls_oid_descriptor_t    descriptor;
+    mbedtls_md_type_t           md_alg;
+    mbedtls_cipher_type_t       cipher_alg;
+} oid_pkcs12_pbe_alg_t;
+
+static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
+{
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC ), "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" },
+        MBEDTLS_MD_SHA1,      MBEDTLS_CIPHER_DES_EDE3_CBC,
+    },
+    {
+        { ADD_LEN( MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC ), "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" },
+        MBEDTLS_MD_SHA1,      MBEDTLS_CIPHER_DES_EDE_CBC,
+    },
+    {
+        { NULL, 0, NULL, NULL },
+        MBEDTLS_MD_NONE, MBEDTLS_CIPHER_NONE,
+    },
+};
+
+FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg)
+FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, mbedtls_md_type_t, md_alg, mbedtls_cipher_type_t, cipher_alg)
+#endif /* MBEDTLS_PKCS12_C */
+
+#define OID_SAFE_SNPRINTF                               \
+    do {                                                \
+        if( ret < 0 || (size_t) ret >= n )              \
+            return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );    \
+                                                        \
+        n -= (size_t) ret;                              \
+        p += (size_t) ret;                              \
+    } while( 0 )
+
+/* Return the x.y.z.... style numeric string for the given OID */
+int mbedtls_oid_get_numeric_string( char *buf, size_t size,
+                            const mbedtls_asn1_buf *oid )
+{
+    int ret;
+    size_t i, n;
+    unsigned int value;
+    char *p;
+
+    p = buf;
+    n = size;
+
+    /* First byte contains first two dots */
+    if( oid->len > 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%d.%d", oid->p[0] / 40, oid->p[0] % 40 );
+        OID_SAFE_SNPRINTF;
+    }
+
+    value = 0;
+    for( i = 1; i < oid->len; i++ )
+    {
+        /* Prevent overflow in value. */
+        if( ( ( value << 7 ) >> 7 ) != value )
+            return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );
+
+        value <<= 7;
+        value += oid->p[i] & 0x7F;
+
+        if( !( oid->p[i] & 0x80 ) )
+        {
+            /* Last byte */
+            ret = mbedtls_snprintf( p, n, ".%d", value );
+            OID_SAFE_SNPRINTF;
+            value = 0;
+        }
+    }
+
+    return( (int) ( size - n ) );
+}
+
+#endif /* MBEDTLS_OID_C */
diff --git a/makerom/deps/libmbedtls/src/padlock.c b/makerom/deps/libmbedtls/src/padlock.c
new file mode 100644
index 00000000..b85ff9cd
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/padlock.c
@@ -0,0 +1,170 @@
+/*
+ *  VIA PadLock support functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  This implementation is based on the VIA PadLock Programming Guide:
+ *
+ *  http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/
+ *  programming_guide.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PADLOCK_C)
+
+#include "mbedtls/padlock.h"
+
+#include <string.h>
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(MBEDTLS_HAVE_X86)
+
+/*
+ * PadLock detection routine
+ */
+int mbedtls_padlock_has_support( int feature )
+{
+    static int flags = -1;
+    int ebx = 0, edx = 0;
+
+    if( flags == -1 )
+    {
+        asm( "movl  %%ebx, %0           \n\t"
+             "movl  $0xC0000000, %%eax  \n\t"
+             "cpuid                     \n\t"
+             "cmpl  $0xC0000001, %%eax  \n\t"
+             "movl  $0, %%edx           \n\t"
+             "jb    unsupported         \n\t"
+             "movl  $0xC0000001, %%eax  \n\t"
+             "cpuid                     \n\t"
+             "unsupported:              \n\t"
+             "movl  %%edx, %1           \n\t"
+             "movl  %2, %%ebx           \n\t"
+             : "=m" (ebx), "=m" (edx)
+             :  "m" (ebx)
+             : "eax", "ecx", "edx" );
+
+        flags = edx;
+    }
+
+    return( flags & feature );
+}
+
+/*
+ * PadLock AES-ECB block en(de)cryption
+ */
+int mbedtls_padlock_xcryptecb( mbedtls_aes_context *ctx,
+                       int mode,
+                       const unsigned char input[16],
+                       unsigned char output[16] )
+{
+    int ebx = 0;
+    uint32_t *rk;
+    uint32_t *blk;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    rk  = ctx->rk;
+    blk = MBEDTLS_PADLOCK_ALIGN16( buf );
+    memcpy( blk, input, 16 );
+
+     ctrl = blk + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode^1 ) - 10 ) << 9 );
+
+    asm( "pushfl                        \n\t"
+         "popfl                         \n\t"
+         "movl    %%ebx, %0             \n\t"
+         "movl    $1, %%ecx             \n\t"
+         "movl    %2, %%edx             \n\t"
+         "movl    %3, %%ebx             \n\t"
+         "movl    %4, %%esi             \n\t"
+         "movl    %4, %%edi             \n\t"
+         ".byte  0xf3,0x0f,0xa7,0xc8    \n\t"
+         "movl    %1, %%ebx             \n\t"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (ctrl), "m" (rk), "m" (blk)
+         : "memory", "ecx", "edx", "esi", "edi" );
+
+    memcpy( output, blk, 16 );
+
+    return( 0 );
+}
+
+/*
+ * PadLock AES-CBC buffer en(de)cryption
+ */
+int mbedtls_padlock_xcryptcbc( mbedtls_aes_context *ctx,
+                       int mode,
+                       size_t length,
+                       unsigned char iv[16],
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    int ebx = 0;
+    size_t count;
+    uint32_t *rk;
+    uint32_t *iw;
+    uint32_t *ctrl;
+    unsigned char buf[256];
+
+    if( ( (long) input  & 15 ) != 0 ||
+        ( (long) output & 15 ) != 0 )
+        return( MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED );
+
+    rk = ctx->rk;
+    iw = MBEDTLS_PADLOCK_ALIGN16( buf );
+    memcpy( iw, iv, 16 );
+
+     ctrl = iw + 4;
+    *ctrl = 0x80 | ctx->nr | ( ( ctx->nr + ( mode ^ 1 ) - 10 ) << 9 );
+
+    count = ( length + 15 ) >> 4;
+
+    asm( "pushfl                        \n\t"
+         "popfl                         \n\t"
+         "movl    %%ebx, %0             \n\t"
+         "movl    %2, %%ecx             \n\t"
+         "movl    %3, %%edx             \n\t"
+         "movl    %4, %%ebx             \n\t"
+         "movl    %5, %%esi             \n\t"
+         "movl    %6, %%edi             \n\t"
+         "movl    %7, %%eax             \n\t"
+         ".byte  0xf3,0x0f,0xa7,0xd0    \n\t"
+         "movl    %1, %%ebx             \n\t"
+         : "=m" (ebx)
+         :  "m" (ebx), "m" (count), "m" (ctrl),
+            "m"  (rk), "m" (input), "m" (output), "m" (iw)
+         : "memory", "eax", "ecx", "edx", "esi", "edi" );
+
+    memcpy( iv, iw, 16 );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_HAVE_X86 */
+
+#endif /* MBEDTLS_PADLOCK_C */
diff --git a/makerom/deps/libmbedtls/src/pem.c b/makerom/deps/libmbedtls/src/pem.c
new file mode 100644
index 00000000..897c8a0d
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pem.c
@@ -0,0 +1,490 @@
+/*
+ *  Privacy Enhanced Mail (PEM) decoding
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+
+#include "mbedtls/pem.h"
+#include "mbedtls/base64.h"
+#include "mbedtls/des.h"
+#include "mbedtls/aes.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+void mbedtls_pem_init( mbedtls_pem_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_pem_context ) );
+}
+
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+/*
+ * Read a 16-byte hex string and convert it to binary
+ */
+static int pem_get_iv( const unsigned char *s, unsigned char *iv,
+                       size_t iv_len )
+{
+    size_t i, j, k;
+
+    memset( iv, 0, iv_len );
+
+    for( i = 0; i < iv_len * 2; i++, s++ )
+    {
+        if( *s >= '0' && *s <= '9' ) j = *s - '0'; else
+        if( *s >= 'A' && *s <= 'F' ) j = *s - '7'; else
+        if( *s >= 'a' && *s <= 'f' ) j = *s - 'W'; else
+            return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+        k = ( ( i & 1 ) != 0 ) ? j : j << 4;
+
+        iv[i >> 1] = (unsigned char)( iv[i >> 1] | k );
+    }
+
+    return( 0 );
+}
+
+static int pem_pbkdf1( unsigned char *key, size_t keylen,
+                       unsigned char *iv,
+                       const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_md5_context md5_ctx;
+    unsigned char md5sum[16];
+    size_t use_len;
+    int ret;
+
+    mbedtls_md5_init( &md5_ctx );
+
+    /*
+     * key[ 0..15] = MD5(pwd || IV)
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv,  8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 )
+        goto exit;
+
+    if( keylen <= 16 )
+    {
+        memcpy( key, md5sum, keylen );
+        goto exit;
+    }
+
+    memcpy( key, md5sum, 16 );
+
+    /*
+     * key[16..23] = MD5(key[ 0..15] || pwd || IV])
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, md5sum, 16 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv, 8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 )
+        goto exit;
+
+    use_len = 16;
+    if( keylen < 32 )
+        use_len = keylen - 16;
+
+    memcpy( key + 16, md5sum, use_len );
+
+exit:
+    mbedtls_md5_free( &md5_ctx );
+    mbedtls_platform_zeroize( md5sum, 16 );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_DES_C)
+/*
+ * Decrypt with DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des_decrypt( unsigned char des_iv[8],
+                            unsigned char *buf, size_t buflen,
+                            const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_des_context des_ctx;
+    unsigned char des_key[8];
+    int ret;
+
+    mbedtls_des_init( &des_ctx );
+
+    if( ( ret = pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 )
+        goto exit;
+    ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
+                     des_iv, buf, buf );
+
+exit:
+    mbedtls_des_free( &des_ctx );
+    mbedtls_platform_zeroize( des_key, 8 );
+
+    return( ret );
+}
+
+/*
+ * Decrypt with 3DES-CBC, using PBKDF1 for key derivation
+ */
+static int pem_des3_decrypt( unsigned char des3_iv[8],
+                             unsigned char *buf, size_t buflen,
+                             const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_des3_context des3_ctx;
+    unsigned char des3_key[24];
+    int ret;
+
+    mbedtls_des3_init( &des3_ctx );
+
+    if( ( ret = pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_des3_set3key_dec( &des3_ctx, des3_key ) ) != 0 )
+        goto exit;
+    ret = mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen,
+                     des3_iv, buf, buf );
+
+exit:
+    mbedtls_des3_free( &des3_ctx );
+    mbedtls_platform_zeroize( des3_key, 24 );
+
+    return( ret );
+}
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+/*
+ * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation
+ */
+static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen,
+                            unsigned char *buf, size_t buflen,
+                            const unsigned char *pwd, size_t pwdlen )
+{
+    mbedtls_aes_context aes_ctx;
+    unsigned char aes_key[32];
+    int ret;
+
+    mbedtls_aes_init( &aes_ctx );
+
+    if( ( ret = pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ) ) != 0 )
+        goto exit;
+    ret = mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen,
+                     aes_iv, buf, buf );
+
+exit:
+    mbedtls_aes_free( &aes_ctx );
+    mbedtls_platform_zeroize( aes_key, keylen );
+
+    return( ret );
+}
+#endif /* MBEDTLS_AES_C */
+
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const char *footer,
+                     const unsigned char *data, const unsigned char *pwd,
+                     size_t pwdlen, size_t *use_len )
+{
+    int ret, enc;
+    size_t len;
+    unsigned char *buf;
+    const unsigned char *s1, *s2, *end;
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+    unsigned char pem_iv[16];
+    mbedtls_cipher_type_t enc_alg = MBEDTLS_CIPHER_NONE;
+#else
+    ((void) pwd);
+    ((void) pwdlen);
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+    if( ctx == NULL )
+        return( MBEDTLS_ERR_PEM_BAD_INPUT_DATA );
+
+    s1 = (unsigned char *) strstr( (const char *) data, header );
+
+    if( s1 == NULL )
+        return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    s2 = (unsigned char *) strstr( (const char *) data, footer );
+
+    if( s2 == NULL || s2 <= s1 )
+        return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    s1 += strlen( header );
+    if( *s1 == ' '  ) s1++;
+    if( *s1 == '\r' ) s1++;
+    if( *s1 == '\n' ) s1++;
+    else return( MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT );
+
+    end = s2;
+    end += strlen( footer );
+    if( *end == ' '  ) end++;
+    if( *end == '\r' ) end++;
+    if( *end == '\n' ) end++;
+    *use_len = end - data;
+
+    enc = 0;
+
+    if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+    {
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+        enc++;
+
+        s1 += 22;
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( MBEDTLS_ERR_PEM_INVALID_DATA );
+
+
+#if defined(MBEDTLS_DES_C)
+        if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+        {
+            enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
+
+            s1 += 23;
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+        else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+        {
+            enc_alg = MBEDTLS_CIPHER_DES_CBC;
+
+            s1 += 18;
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 16;
+        }
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+        if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+        {
+            if( s2 - s1 < 22 )
+                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+            else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
+            else if( memcmp( s1, "DEK-Info: AES-256-CBC,", 22 ) == 0 )
+                enc_alg = MBEDTLS_CIPHER_AES_256_CBC;
+            else
+                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+
+            s1 += 22;
+            if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
+                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
+
+            s1 += 32;
+        }
+#endif /* MBEDTLS_AES_C */
+
+        if( enc_alg == MBEDTLS_CIPHER_NONE )
+            return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+
+        if( *s1 == '\r' ) s1++;
+        if( *s1 == '\n' ) s1++;
+        else return( MBEDTLS_ERR_PEM_INVALID_DATA );
+#else
+        return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+    }
+
+    if( s1 >= s2 )
+        return( MBEDTLS_ERR_PEM_INVALID_DATA );
+
+    ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 );
+
+    if( ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER )
+        return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+
+    if( ( buf = mbedtls_calloc( 1, len ) ) == NULL )
+        return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
+
+    if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 )
+    {
+        mbedtls_platform_zeroize( buf, len );
+        mbedtls_free( buf );
+        return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+    }
+
+    if( enc != 0 )
+    {
+#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
+    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
+        if( pwd == NULL )
+        {
+            mbedtls_platform_zeroize( buf, len );
+            mbedtls_free( buf );
+            return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED );
+        }
+
+        ret = 0;
+
+#if defined(MBEDTLS_DES_C)
+        if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC )
+            ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_DES_CBC )
+            ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_AES_C)
+        if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC )
+            ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC )
+            ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen );
+        else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC )
+            ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen );
+#endif /* MBEDTLS_AES_C */
+
+        if( ret != 0 )
+        {
+            mbedtls_free( buf );
+            return( ret );
+        }
+
+        /*
+         * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3
+         * length bytes (allow 4 to be sure) in all known use cases.
+         *
+         * Use that as a heuristic to try to detect password mismatches.
+         */
+        if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 )
+        {
+            mbedtls_platform_zeroize( buf, len );
+            mbedtls_free( buf );
+            return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH );
+        }
+#else
+        mbedtls_platform_zeroize( buf, len );
+        mbedtls_free( buf );
+        return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+    }
+
+    ctx->buf = buf;
+    ctx->buflen = len;
+
+    return( 0 );
+}
+
+void mbedtls_pem_free( mbedtls_pem_context *ctx )
+{
+    if ( ctx->buf != NULL )
+    {
+        mbedtls_platform_zeroize( ctx->buf, ctx->buflen );
+        mbedtls_free( ctx->buf );
+    }
+    mbedtls_free( ctx->info );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pem_context ) );
+}
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_pem_write_buffer( const char *header, const char *footer,
+                      const unsigned char *der_data, size_t der_len,
+                      unsigned char *buf, size_t buf_len, size_t *olen )
+{
+    int ret;
+    unsigned char *encode_buf = NULL, *c, *p = buf;
+    size_t len = 0, use_len, add_len = 0;
+
+    mbedtls_base64_encode( NULL, 0, &use_len, der_data, der_len );
+    add_len = strlen( header ) + strlen( footer ) + ( use_len / 64 ) + 1;
+
+    if( use_len + add_len > buf_len )
+    {
+        *olen = use_len + add_len;
+        return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
+    }
+
+    if( use_len != 0 &&
+        ( ( encode_buf = mbedtls_calloc( 1, use_len ) ) == NULL ) )
+        return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
+
+    if( ( ret = mbedtls_base64_encode( encode_buf, use_len, &use_len, der_data,
+                               der_len ) ) != 0 )
+    {
+        mbedtls_free( encode_buf );
+        return( ret );
+    }
+
+    memcpy( p, header, strlen( header ) );
+    p += strlen( header );
+    c = encode_buf;
+
+    while( use_len )
+    {
+        len = ( use_len > 64 ) ? 64 : use_len;
+        memcpy( p, c, len );
+        use_len -= len;
+        p += len;
+        c += len;
+        *p++ = '\n';
+    }
+
+    memcpy( p, footer, strlen( footer ) );
+    p += strlen( footer );
+
+    *p++ = '\0';
+    *olen = p - buf;
+
+    mbedtls_free( encode_buf );
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
diff --git a/makerom/deps/libmbedtls/src/pk.c b/makerom/deps/libmbedtls/src/pk.c
new file mode 100644
index 00000000..bac685dc
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pk.c
@@ -0,0 +1,546 @@
+/*
+ *  Public Key abstraction layer
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk.h"
+#include "mbedtls/pk_internal.h"
+
+#include "mbedtls/platform_util.h"
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+/*
+ * Initialise a mbedtls_pk_context
+ */
+void mbedtls_pk_init( mbedtls_pk_context *ctx )
+{
+    PK_VALIDATE( ctx != NULL );
+
+    ctx->pk_info = NULL;
+    ctx->pk_ctx = NULL;
+}
+
+/*
+ * Free (the components of) a mbedtls_pk_context
+ */
+void mbedtls_pk_free( mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    if ( ctx->pk_info != NULL )
+        ctx->pk_info->ctx_free_func( ctx->pk_ctx );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_pk_context ) );
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_pk_restart_init( mbedtls_pk_restart_ctx *ctx )
+{
+    PK_VALIDATE( ctx != NULL );
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL ||
+        ctx->pk_info->rs_free_func == NULL )
+    {
+        return;
+    }
+
+    ctx->pk_info->rs_free_func( ctx->rs_ctx );
+
+    ctx->pk_info = NULL;
+    ctx->rs_ctx = NULL;
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Get pk_info structure from type
+ */
+const mbedtls_pk_info_t * mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type )
+{
+    switch( pk_type ) {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_PK_RSA:
+            return( &mbedtls_rsa_info );
+#endif
+#if defined(MBEDTLS_ECP_C)
+        case MBEDTLS_PK_ECKEY:
+            return( &mbedtls_eckey_info );
+        case MBEDTLS_PK_ECKEY_DH:
+            return( &mbedtls_eckeydh_info );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_PK_ECDSA:
+            return( &mbedtls_ecdsa_info );
+#endif
+        /* MBEDTLS_PK_RSA_ALT omitted on purpose */
+        default:
+            return( NULL );
+    }
+}
+
+/*
+ * Initialise context
+ */
+int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    if( info == NULL || ctx->pk_info != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Initialize an RSA-alt context
+ */
+int mbedtls_pk_setup_rsa_alt( mbedtls_pk_context *ctx, void * key,
+                         mbedtls_pk_rsa_alt_decrypt_func decrypt_func,
+                         mbedtls_pk_rsa_alt_sign_func sign_func,
+                         mbedtls_pk_rsa_alt_key_len_func key_len_func )
+{
+    mbedtls_rsa_alt_context *rsa_alt;
+    const mbedtls_pk_info_t *info = &mbedtls_rsa_alt_info;
+
+    PK_VALIDATE_RET( ctx != NULL );
+    if( ctx->pk_info != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    rsa_alt = (mbedtls_rsa_alt_context *) ctx->pk_ctx;
+
+    rsa_alt->key = key;
+    rsa_alt->decrypt_func = decrypt_func;
+    rsa_alt->sign_func = sign_func;
+    rsa_alt->key_len_func = key_len_func;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+/*
+ * Tell if a PK can do the operations of the given type
+ */
+int mbedtls_pk_can_do( const mbedtls_pk_context *ctx, mbedtls_pk_type_t type )
+{
+    /* A context with null pk_info is not set up yet and can't do anything.
+     * For backward compatibility, also accept NULL instead of a context
+     * pointer. */
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( 0 );
+
+    return( ctx->pk_info->can_do( type ) );
+}
+
+/*
+ * Helper for mbedtls_pk_sign and mbedtls_pk_verify
+ */
+static inline int pk_hashlen_helper( mbedtls_md_type_t md_alg, size_t *hash_len )
+{
+    const mbedtls_md_info_t *md_info;
+
+    if( *hash_len != 0 )
+        return( 0 );
+
+    if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
+        return( -1 );
+
+    *hash_len = mbedtls_md_get_size( md_info );
+    return( 0 );
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Helper to set up a restart context if needed
+ */
+static int pk_restart_setup( mbedtls_pk_restart_ctx *ctx,
+                             const mbedtls_pk_info_t *info )
+{
+    /* Don't do anything if already set up or invalid */
+    if( ctx == NULL || ctx->pk_info != NULL )
+        return( 0 );
+
+    /* Should never happen when we're called */
+    if( info->rs_alloc_func == NULL || info->rs_free_func == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ( ctx->rs_ctx = info->rs_alloc_func() ) == NULL )
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+    ctx->pk_info = info;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+/*
+ * Verify a signature (restartable)
+ */
+int mbedtls_pk_verify_restartable( mbedtls_pk_context *ctx,
+               mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len,
+               mbedtls_pk_restart_ctx *rs_ctx )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL ||
+        pk_hashlen_helper( md_alg, &hash_len ) != 0 )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if( rs_ctx != NULL &&
+        mbedtls_ecp_restart_is_enabled() &&
+        ctx->pk_info->verify_rs_func != NULL )
+    {
+        int ret;
+
+        if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
+            return( ret );
+
+        ret = ctx->pk_info->verify_rs_func( ctx->pk_ctx,
+                   md_alg, hash, hash_len, sig, sig_len, rs_ctx->rs_ctx );
+
+        if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+            mbedtls_pk_restart_free( rs_ctx );
+
+        return( ret );
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    if( ctx->pk_info->verify_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->verify_func( ctx->pk_ctx, md_alg, hash, hash_len,
+                                       sig, sig_len ) );
+}
+
+/*
+ * Verify a signature
+ */
+int mbedtls_pk_verify( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+               const unsigned char *hash, size_t hash_len,
+               const unsigned char *sig, size_t sig_len )
+{
+    return( mbedtls_pk_verify_restartable( ctx, md_alg, hash, hash_len,
+                                           sig, sig_len, NULL ) );
+}
+
+/*
+ * Verify a signature with options
+ */
+int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
+                   mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ! mbedtls_pk_can_do( ctx, type ) )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    if( type == MBEDTLS_PK_RSASSA_PSS )
+    {
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
+        int ret;
+        const mbedtls_pk_rsassa_pss_options *pss_opts;
+
+#if SIZE_MAX > UINT_MAX
+        if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+        if( options == NULL )
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+        pss_opts = (const mbedtls_pk_rsassa_pss_options *) options;
+
+        if( sig_len < mbedtls_pk_get_len( ctx ) )
+            return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+
+        ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ),
+                NULL, NULL, MBEDTLS_RSA_PUBLIC,
+                md_alg, (unsigned int) hash_len, hash,
+                pss_opts->mgf1_hash_id,
+                pss_opts->expected_salt_len,
+                sig );
+        if( ret != 0 )
+            return( ret );
+
+        if( sig_len > mbedtls_pk_get_len( ctx ) )
+            return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+        return( 0 );
+#else
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
+    }
+
+    /* General case: no options */
+    if( options != NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    return( mbedtls_pk_verify( ctx, md_alg, hash, hash_len, sig, sig_len ) );
+}
+
+/*
+ * Make a signature (restartable)
+ */
+int mbedtls_pk_sign_restartable( mbedtls_pk_context *ctx,
+             mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+             mbedtls_pk_restart_ctx *rs_ctx )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hash_len == 0 ) ||
+                     hash != NULL );
+    PK_VALIDATE_RET( sig != NULL );
+
+    if( ctx->pk_info == NULL ||
+        pk_hashlen_helper( md_alg, &hash_len ) != 0 )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* optimization: use non-restartable version if restart disabled */
+    if( rs_ctx != NULL &&
+        mbedtls_ecp_restart_is_enabled() &&
+        ctx->pk_info->sign_rs_func != NULL )
+    {
+        int ret;
+
+        if( ( ret = pk_restart_setup( rs_ctx, ctx->pk_info ) ) != 0 )
+            return( ret );
+
+        ret = ctx->pk_info->sign_rs_func( ctx->pk_ctx, md_alg,
+                hash, hash_len, sig, sig_len, f_rng, p_rng, rs_ctx->rs_ctx );
+
+        if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+            mbedtls_pk_restart_free( rs_ctx );
+
+        return( ret );
+    }
+#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+    (void) rs_ctx;
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    if( ctx->pk_info->sign_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->sign_func( ctx->pk_ctx, md_alg, hash, hash_len,
+                                     sig, sig_len, f_rng, p_rng ) );
+}
+
+/*
+ * Make a signature
+ */
+int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
+             const unsigned char *hash, size_t hash_len,
+             unsigned char *sig, size_t *sig_len,
+             int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    return( mbedtls_pk_sign_restartable( ctx, md_alg, hash, hash_len,
+                                         sig, sig_len, f_rng, p_rng, NULL ) );
+}
+
+/*
+ * Decrypt message
+ */
+int mbedtls_pk_decrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( input != NULL || ilen == 0 );
+    PK_VALIDATE_RET( output != NULL || osize == 0 );
+    PK_VALIDATE_RET( olen != NULL );
+
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->decrypt_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->decrypt_func( ctx->pk_ctx, input, ilen,
+                output, olen, osize, f_rng, p_rng ) );
+}
+
+/*
+ * Encrypt message
+ */
+int mbedtls_pk_encrypt( mbedtls_pk_context *ctx,
+                const unsigned char *input, size_t ilen,
+                unsigned char *output, size_t *olen, size_t osize,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( input != NULL || ilen == 0 );
+    PK_VALIDATE_RET( output != NULL || osize == 0 );
+    PK_VALIDATE_RET( olen != NULL );
+
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->encrypt_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    return( ctx->pk_info->encrypt_func( ctx->pk_ctx, input, ilen,
+                output, olen, osize, f_rng, p_rng ) );
+}
+
+/*
+ * Check public-private key pair
+ */
+int mbedtls_pk_check_pair( const mbedtls_pk_context *pub, const mbedtls_pk_context *prv )
+{
+    PK_VALIDATE_RET( pub != NULL );
+    PK_VALIDATE_RET( prv != NULL );
+
+    if( pub->pk_info == NULL ||
+        prv->pk_info == NULL ||
+        prv->pk_info->check_pair_func == NULL )
+    {
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+    }
+
+    if( prv->pk_info->type == MBEDTLS_PK_RSA_ALT )
+    {
+        if( pub->pk_info->type != MBEDTLS_PK_RSA )
+            return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+    }
+    else
+    {
+        if( pub->pk_info != prv->pk_info )
+            return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+    }
+
+    return( prv->pk_info->check_pair_func( pub->pk_ctx, prv->pk_ctx ) );
+}
+
+/*
+ * Get key size in bits
+ */
+size_t mbedtls_pk_get_bitlen( const mbedtls_pk_context *ctx )
+{
+    /* For backward compatibility, accept NULL or a context that
+     * isn't set up yet, and return a fake value that should be safe. */
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( 0 );
+
+    return( ctx->pk_info->get_bitlen( ctx->pk_ctx ) );
+}
+
+/*
+ * Export debug information
+ */
+int mbedtls_pk_debug( const mbedtls_pk_context *ctx, mbedtls_pk_debug_item *items )
+{
+    PK_VALIDATE_RET( ctx != NULL );
+    if( ctx->pk_info == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    if( ctx->pk_info->debug_func == NULL )
+        return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
+
+    ctx->pk_info->debug_func( ctx->pk_ctx, items );
+    return( 0 );
+}
+
+/*
+ * Access the PK type name
+ */
+const char *mbedtls_pk_get_name( const mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( "invalid PK" );
+
+    return( ctx->pk_info->name );
+}
+
+/*
+ * Access the PK type
+ */
+mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
+{
+    if( ctx == NULL || ctx->pk_info == NULL )
+        return( MBEDTLS_PK_NONE );
+
+    return( ctx->pk_info->type );
+}
+
+#endif /* MBEDTLS_PK_C */
diff --git a/makerom/deps/libmbedtls/src/pk_wrap.c b/makerom/deps/libmbedtls/src/pk_wrap.c
new file mode 100644
index 00000000..87806be3
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pk_wrap.c
@@ -0,0 +1,719 @@
+/*
+ *  Public Key abstraction layer: wrapper functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_C)
+#include "mbedtls/pk_internal.h"
+
+/* Even if RSA not activated, for the sake of RSA-alt */
+#include "mbedtls/rsa.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+#include "mbedtls/platform_util.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <limits.h>
+#include <stdint.h>
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_RSA ||
+            type == MBEDTLS_PK_RSASSA_PSS );
+}
+
+static size_t rsa_get_bitlen( const void *ctx )
+{
+    const mbedtls_rsa_context * rsa = (const mbedtls_rsa_context *) ctx;
+    return( 8 * mbedtls_rsa_get_len( rsa ) );
+}
+
+static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+    size_t rsa_len = mbedtls_rsa_get_len( rsa );
+
+#if SIZE_MAX > UINT_MAX
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    if( sig_len < rsa_len )
+        return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
+
+    if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL,
+                                  MBEDTLS_RSA_PUBLIC, md_alg,
+                                  (unsigned int) hash_len, hash, sig ) ) != 0 )
+        return( ret );
+
+    /* The buffer contains a valid signature followed by extra data.
+     * We have a special error code for that so that so that callers can
+     * use mbedtls_pk_verify() to check "Does the buffer start with a
+     * valid signature?" and not just "Does the buffer contain a valid
+     * signature?". */
+    if( sig_len > rsa_len )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( 0 );
+}
+
+static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+
+#if SIZE_MAX > UINT_MAX
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    *sig_len = mbedtls_rsa_get_len( rsa );
+
+    return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
+                md_alg, (unsigned int) hash_len, hash, sig ) );
+}
+
+static int rsa_decrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+
+    if( ilen != mbedtls_rsa_get_len( rsa ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    return( mbedtls_rsa_pkcs1_decrypt( rsa, f_rng, p_rng,
+                MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
+}
+
+static int rsa_encrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_context * rsa = (mbedtls_rsa_context *) ctx;
+    *olen = mbedtls_rsa_get_len( rsa );
+
+    if( *olen > osize )
+        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+
+    return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC,
+                                       ilen, input, output ) );
+}
+
+static int rsa_check_pair_wrap( const void *pub, const void *prv )
+{
+    return( mbedtls_rsa_check_pub_priv( (const mbedtls_rsa_context *) pub,
+                                (const mbedtls_rsa_context *) prv ) );
+}
+
+static void *rsa_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_context ) );
+
+    if( ctx != NULL )
+        mbedtls_rsa_init( (mbedtls_rsa_context *) ctx, 0, 0 );
+
+    return( ctx );
+}
+
+static void rsa_free_wrap( void *ctx )
+{
+    mbedtls_rsa_free( (mbedtls_rsa_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void rsa_debug( const void *ctx, mbedtls_pk_debug_item *items )
+{
+    items->type = MBEDTLS_PK_DEBUG_MPI;
+    items->name = "rsa.N";
+    items->value = &( ((mbedtls_rsa_context *) ctx)->N );
+
+    items++;
+
+    items->type = MBEDTLS_PK_DEBUG_MPI;
+    items->name = "rsa.E";
+    items->value = &( ((mbedtls_rsa_context *) ctx)->E );
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_info = {
+    MBEDTLS_PK_RSA,
+    "RSA",
+    rsa_get_bitlen,
+    rsa_can_do,
+    rsa_verify_wrap,
+    rsa_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    rsa_decrypt_wrap,
+    rsa_encrypt_wrap,
+    rsa_check_pair_wrap,
+    rsa_alloc_wrap,
+    rsa_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    rsa_debug,
+};
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Generic EC key
+ */
+static int eckey_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECKEY ||
+            type == MBEDTLS_PK_ECKEY_DH ||
+            type == MBEDTLS_PK_ECDSA );
+}
+
+static size_t eckey_get_bitlen( const void *ctx )
+{
+    return( ((mbedtls_ecp_keypair *) ctx)->grp.pbits );
+}
+
+#if defined(MBEDTLS_ECDSA_C)
+/* Forward declarations */
+static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len );
+
+static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+
+static int eckey_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    mbedtls_ecdsa_context ecdsa;
+
+    mbedtls_ecdsa_init( &ecdsa );
+
+    if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
+        ret = ecdsa_verify_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len );
+
+    mbedtls_ecdsa_free( &ecdsa );
+
+    return( ret );
+}
+
+static int eckey_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret;
+    mbedtls_ecdsa_context ecdsa;
+
+    mbedtls_ecdsa_init( &ecdsa );
+
+    if( ( ret = mbedtls_ecdsa_from_keypair( &ecdsa, ctx ) ) == 0 )
+        ret = ecdsa_sign_wrap( &ecdsa, md_alg, hash, hash_len, sig, sig_len,
+                               f_rng, p_rng );
+
+    mbedtls_ecdsa_free( &ecdsa );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+/* Forward declarations */
+static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx );
+
+static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                   void *rs_ctx );
+
+/*
+ * Restart context for ECDSA operations with ECKEY context
+ *
+ * We need to store an actual ECDSA context, as we need to pass the same to
+ * the underlying ecdsa function, so we can't create it on the fly every time.
+ */
+typedef struct
+{
+    mbedtls_ecdsa_restart_ctx ecdsa_rs;
+    mbedtls_ecdsa_context ecdsa_ctx;
+} eckey_restart_ctx;
+
+static void *eckey_rs_alloc( void )
+{
+    eckey_restart_ctx *rs_ctx;
+
+    void *ctx = mbedtls_calloc( 1, sizeof( eckey_restart_ctx ) );
+
+    if( ctx != NULL )
+    {
+        rs_ctx = ctx;
+        mbedtls_ecdsa_restart_init( &rs_ctx->ecdsa_rs );
+        mbedtls_ecdsa_init( &rs_ctx->ecdsa_ctx );
+    }
+
+    return( ctx );
+}
+
+static void eckey_rs_free( void *ctx )
+{
+    eckey_restart_ctx *rs_ctx;
+
+    if( ctx == NULL)
+        return;
+
+    rs_ctx = ctx;
+    mbedtls_ecdsa_restart_free( &rs_ctx->ecdsa_rs );
+    mbedtls_ecdsa_free( &rs_ctx->ecdsa_ctx );
+
+    mbedtls_free( ctx );
+}
+
+static int eckey_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx )
+{
+    int ret;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if( rs == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if( rs->ecdsa_ctx.grp.pbits == 0 )
+        MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
+
+    MBEDTLS_MPI_CHK( ecdsa_verify_rs_wrap( &rs->ecdsa_ctx,
+                                           md_alg, hash, hash_len,
+                                           sig, sig_len, &rs->ecdsa_rs ) );
+
+cleanup:
+    return( ret );
+}
+
+static int eckey_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                       void *rs_ctx )
+{
+    int ret;
+    eckey_restart_ctx *rs = rs_ctx;
+
+    /* Should never happen */
+    if( rs == NULL )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+
+    /* set up our own sub-context if needed (that is, on first run) */
+    if( rs->ecdsa_ctx.grp.pbits == 0 )
+        MBEDTLS_MPI_CHK( mbedtls_ecdsa_from_keypair( &rs->ecdsa_ctx, ctx ) );
+
+    MBEDTLS_MPI_CHK( ecdsa_sign_rs_wrap( &rs->ecdsa_ctx, md_alg,
+                                         hash, hash_len, sig, sig_len,
+                                         f_rng, p_rng, &rs->ecdsa_rs ) );
+
+cleanup:
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#endif /* MBEDTLS_ECDSA_C */
+
+static int eckey_check_pair( const void *pub, const void *prv )
+{
+    return( mbedtls_ecp_check_pub_priv( (const mbedtls_ecp_keypair *) pub,
+                                (const mbedtls_ecp_keypair *) prv ) );
+}
+
+static void *eckey_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecp_keypair ) );
+
+    if( ctx != NULL )
+        mbedtls_ecp_keypair_init( ctx );
+
+    return( ctx );
+}
+
+static void eckey_free_wrap( void *ctx )
+{
+    mbedtls_ecp_keypair_free( (mbedtls_ecp_keypair *) ctx );
+    mbedtls_free( ctx );
+}
+
+static void eckey_debug( const void *ctx, mbedtls_pk_debug_item *items )
+{
+    items->type = MBEDTLS_PK_DEBUG_ECP;
+    items->name = "eckey.Q";
+    items->value = &( ((mbedtls_ecp_keypair *) ctx)->Q );
+}
+
+const mbedtls_pk_info_t mbedtls_eckey_info = {
+    MBEDTLS_PK_ECKEY,
+    "EC",
+    eckey_get_bitlen,
+    eckey_can_do,
+#if defined(MBEDTLS_ECDSA_C)
+    eckey_verify_wrap,
+    eckey_sign_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_verify_rs_wrap,
+    eckey_sign_rs_wrap,
+#endif
+#else /* MBEDTLS_ECDSA_C */
+    NULL,
+    NULL,
+#endif /* MBEDTLS_ECDSA_C */
+    NULL,
+    NULL,
+    eckey_check_pair,
+    eckey_alloc_wrap,
+    eckey_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    eckey_rs_alloc,
+    eckey_rs_free,
+#endif
+    eckey_debug,
+};
+
+/*
+ * EC key restricted to ECDH
+ */
+static int eckeydh_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECKEY ||
+            type == MBEDTLS_PK_ECKEY_DH );
+}
+
+const mbedtls_pk_info_t mbedtls_eckeydh_info = {
+    MBEDTLS_PK_ECKEY_DH,
+    "EC_DH",
+    eckey_get_bitlen,         /* Same underlying key structure */
+    eckeydh_can_do,
+    NULL,
+    NULL,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    NULL,
+    NULL,
+    eckey_check_pair,
+    eckey_alloc_wrap,       /* Same underlying key structure */
+    eckey_free_wrap,        /* Same underlying key structure */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    eckey_debug,            /* Same underlying key structure */
+};
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_ECDSA_C)
+static int ecdsa_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_ECDSA );
+}
+
+static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len )
+{
+    int ret;
+    ((void) md_alg);
+
+    ret = mbedtls_ecdsa_read_signature( (mbedtls_ecdsa_context *) ctx,
+                                hash, hash_len, sig, sig_len );
+
+    if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( ret );
+}
+
+static int ecdsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    return( mbedtls_ecdsa_write_signature( (mbedtls_ecdsa_context *) ctx,
+                md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng ) );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static int ecdsa_verify_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                       const unsigned char *hash, size_t hash_len,
+                       const unsigned char *sig, size_t sig_len,
+                       void *rs_ctx )
+{
+    int ret;
+    ((void) md_alg);
+
+    ret = mbedtls_ecdsa_read_signature_restartable(
+            (mbedtls_ecdsa_context *) ctx,
+            hash, hash_len, sig, sig_len,
+            (mbedtls_ecdsa_restart_ctx *) rs_ctx );
+
+    if( ret == MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH )
+        return( MBEDTLS_ERR_PK_SIG_LEN_MISMATCH );
+
+    return( ret );
+}
+
+static int ecdsa_sign_rs_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                   void *rs_ctx )
+{
+    return( mbedtls_ecdsa_write_signature_restartable(
+                (mbedtls_ecdsa_context *) ctx,
+                md_alg, hash, hash_len, sig, sig_len, f_rng, p_rng,
+                (mbedtls_ecdsa_restart_ctx *) rs_ctx ) );
+
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+static void *ecdsa_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_context ) );
+
+    if( ctx != NULL )
+        mbedtls_ecdsa_init( (mbedtls_ecdsa_context *) ctx );
+
+    return( ctx );
+}
+
+static void ecdsa_free_wrap( void *ctx )
+{
+    mbedtls_ecdsa_free( (mbedtls_ecdsa_context *) ctx );
+    mbedtls_free( ctx );
+}
+
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+static void *ecdsa_rs_alloc( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_ecdsa_restart_ctx ) );
+
+    if( ctx != NULL )
+        mbedtls_ecdsa_restart_init( ctx );
+
+    return( ctx );
+}
+
+static void ecdsa_rs_free( void *ctx )
+{
+    mbedtls_ecdsa_restart_free( ctx );
+    mbedtls_free( ctx );
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
+const mbedtls_pk_info_t mbedtls_ecdsa_info = {
+    MBEDTLS_PK_ECDSA,
+    "ECDSA",
+    eckey_get_bitlen,     /* Compatible key structures */
+    ecdsa_can_do,
+    ecdsa_verify_wrap,
+    ecdsa_sign_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_verify_rs_wrap,
+    ecdsa_sign_rs_wrap,
+#endif
+    NULL,
+    NULL,
+    eckey_check_pair,   /* Compatible key structures */
+    ecdsa_alloc_wrap,
+    ecdsa_free_wrap,
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    ecdsa_rs_alloc,
+    ecdsa_rs_free,
+#endif
+    eckey_debug,        /* Compatible key structures */
+};
+#endif /* MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+/*
+ * Support for alternative RSA-private implementations
+ */
+
+static int rsa_alt_can_do( mbedtls_pk_type_t type )
+{
+    return( type == MBEDTLS_PK_RSA );
+}
+
+static size_t rsa_alt_get_bitlen( const void *ctx )
+{
+    const mbedtls_rsa_alt_context *rsa_alt = (const mbedtls_rsa_alt_context *) ctx;
+
+    return( 8 * rsa_alt->key_len_func( rsa_alt->key ) );
+}
+
+static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
+                   const unsigned char *hash, size_t hash_len,
+                   unsigned char *sig, size_t *sig_len,
+                   int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
+
+#if SIZE_MAX > UINT_MAX
+    if( UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* SIZE_MAX > UINT_MAX */
+
+    *sig_len = rsa_alt->key_len_func( rsa_alt->key );
+
+    return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
+                md_alg, (unsigned int) hash_len, hash, sig ) );
+}
+
+static int rsa_alt_decrypt_wrap( void *ctx,
+                    const unsigned char *input, size_t ilen,
+                    unsigned char *output, size_t *olen, size_t osize,
+                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
+
+    ((void) f_rng);
+    ((void) p_rng);
+
+    if( ilen != rsa_alt->key_len_func( rsa_alt->key ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    return( rsa_alt->decrypt_func( rsa_alt->key,
+                MBEDTLS_RSA_PRIVATE, olen, input, output, osize ) );
+}
+
+#if defined(MBEDTLS_RSA_C)
+static int rsa_alt_check_pair( const void *pub, const void *prv )
+{
+    unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char hash[32];
+    size_t sig_len = 0;
+    int ret;
+
+    if( rsa_alt_get_bitlen( prv ) != rsa_get_bitlen( pub ) )
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+
+    memset( hash, 0x2a, sizeof( hash ) );
+
+    if( ( ret = rsa_alt_sign_wrap( (void *) prv, MBEDTLS_MD_NONE,
+                                   hash, sizeof( hash ),
+                                   sig, &sig_len, NULL, NULL ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( rsa_verify_wrap( (void *) pub, MBEDTLS_MD_NONE,
+                         hash, sizeof( hash ), sig, sig_len ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_RSA_C */
+
+static void *rsa_alt_alloc_wrap( void )
+{
+    void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_rsa_alt_context ) );
+
+    if( ctx != NULL )
+        memset( ctx, 0, sizeof( mbedtls_rsa_alt_context ) );
+
+    return( ctx );
+}
+
+static void rsa_alt_free_wrap( void *ctx )
+{
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_rsa_alt_context ) );
+    mbedtls_free( ctx );
+}
+
+const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
+    MBEDTLS_PK_RSA_ALT,
+    "RSA-alt",
+    rsa_alt_get_bitlen,
+    rsa_alt_can_do,
+    NULL,
+    rsa_alt_sign_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    rsa_alt_decrypt_wrap,
+    NULL,
+#if defined(MBEDTLS_RSA_C)
+    rsa_alt_check_pair,
+#else
+    NULL,
+#endif
+    rsa_alt_alloc_wrap,
+    rsa_alt_free_wrap,
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    NULL,
+    NULL,
+#endif
+    NULL,
+};
+
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+
+#endif /* MBEDTLS_PK_C */
diff --git a/makerom/deps/libmbedtls/src/pkcs11.c b/makerom/deps/libmbedtls/src/pkcs11.c
new file mode 100644
index 00000000..0ea64252
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pkcs11.c
@@ -0,0 +1,240 @@
+/**
+ * \file pkcs11.c
+ *
+ * \brief Wrapper for PKCS#11 library libpkcs11-helper
+ *
+ * \author Adriaan de Jong <dejong@fox-it.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#include "mbedtls/pkcs11.h"
+
+#if defined(MBEDTLS_PKCS11_C)
+
+#include "mbedtls/md.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/x509_crt.h"
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+#include <string.h>
+
+void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) );
+}
+
+int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
+{
+    int ret = 1;
+    unsigned char *cert_blob = NULL;
+    size_t cert_blob_size = 0;
+
+    if( cert == NULL )
+    {
+        ret = 2;
+        goto cleanup;
+    }
+
+    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
+                                                &cert_blob_size ) != CKR_OK )
+    {
+        ret = 3;
+        goto cleanup;
+    }
+
+    cert_blob = mbedtls_calloc( 1, cert_blob_size );
+    if( NULL == cert_blob )
+    {
+        ret = 4;
+        goto cleanup;
+    }
+
+    if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
+                                                &cert_blob_size ) != CKR_OK )
+    {
+        ret = 5;
+        goto cleanup;
+    }
+
+    if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) )
+    {
+        ret = 6;
+        goto cleanup;
+    }
+
+    ret = 0;
+
+cleanup:
+    if( NULL != cert_blob )
+        mbedtls_free( cert_blob );
+
+    return( ret );
+}
+
+
+int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
+        pkcs11h_certificate_t pkcs11_cert )
+{
+    int ret = 1;
+    mbedtls_x509_crt cert;
+
+    mbedtls_x509_crt_init( &cert );
+
+    if( priv_key == NULL )
+        goto cleanup;
+
+    if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) )
+        goto cleanup;
+
+    priv_key->len = mbedtls_pk_get_len( &cert.pk );
+    priv_key->pkcs11h_cert = pkcs11_cert;
+
+    ret = 0;
+
+cleanup:
+    mbedtls_x509_crt_free( &cert );
+
+    return( ret );
+}
+
+void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key )
+{
+    if( NULL != priv_key )
+        pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
+}
+
+int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len )
+{
+    size_t input_len, output_len;
+
+    if( NULL == ctx )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( MBEDTLS_RSA_PRIVATE != mode )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    output_len = input_len = ctx->len;
+
+    if( input_len < 16 || input_len > output_max_len )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /* Determine size of output buffer */
+    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+            input_len, NULL, &output_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    if( output_len > output_max_len )
+        return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
+
+    if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
+            input_len, output, &output_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+    *olen = output_len;
+    return( 0 );
+}
+
+int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig )
+{
+    size_t sig_len = 0, asn_len = 0, oid_size = 0;
+    unsigned char *p = sig;
+    const char *oid;
+
+    if( NULL == ctx )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( MBEDTLS_RSA_PRIVATE != mode )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+        asn_len = 10 + oid_size;
+    }
+
+    sig_len = ctx->len;
+    if( hashlen > sig_len || asn_len > sig_len ||
+        hashlen + asn_len > sig_len )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /*
+         * DigestInfo ::= SEQUENCE {
+         *   digestAlgorithm DigestAlgorithmIdentifier,
+         *   digest Digest }
+         *
+         * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+         *
+         * Digest ::= OCTET STRING
+         */
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
+        *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x04 + oid_size );
+        *p++ = MBEDTLS_ASN1_OID;
+        *p++ = oid_size & 0xFF;
+        memcpy( p, oid, oid_size );
+        p += oid_size;
+        *p++ = MBEDTLS_ASN1_NULL;
+        *p++ = 0x00;
+        *p++ = MBEDTLS_ASN1_OCTET_STRING;
+        *p++ = hashlen;
+    }
+
+    memcpy( p, hash, hashlen );
+
+    if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
+            asn_len + hashlen, sig, &sig_len ) != CKR_OK )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+#endif /* defined(MBEDTLS_PKCS11_C) */
diff --git a/makerom/deps/libmbedtls/src/pkcs12.c b/makerom/deps/libmbedtls/src/pkcs12.c
new file mode 100644
index 00000000..7edf064c
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pkcs12.c
@@ -0,0 +1,365 @@
+/*
+ *  PKCS#12 Personal Information Exchange Syntax
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The PKCS #12 Personal Information Exchange Syntax Standard v1.1
+ *
+ *  http://www.rsa.com/rsalabs/pkcs/files/h11301-wp-pkcs-12v1-1-personal-information-exchange-syntax.pdf
+ *  ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS12_C)
+
+#include "mbedtls/pkcs12.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ARC4_C)
+#include "mbedtls/arc4.h"
+#endif
+
+#if defined(MBEDTLS_DES_C)
+#include "mbedtls/des.h"
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+
+static int pkcs12_parse_pbe_params( mbedtls_asn1_buf *params,
+                                    mbedtls_asn1_buf *salt, int *iterations )
+{
+    int ret;
+    unsigned char **p = &params->p;
+    const unsigned char *end = params->p + params->len;
+
+    /*
+     *  pkcs-12PbeParams ::= SEQUENCE {
+     *    salt          OCTET STRING,
+     *    iterations    INTEGER
+     *  }
+     *
+     */
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+
+    salt->p = *p;
+    *p += salt->len;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+#define PKCS12_MAX_PWDLEN 128
+
+static int pkcs12_pbe_derive_key_iv( mbedtls_asn1_buf *pbe_params, mbedtls_md_type_t md_type,
+                                     const unsigned char *pwd,  size_t pwdlen,
+                                     unsigned char *key, size_t keylen,
+                                     unsigned char *iv,  size_t ivlen )
+{
+    int ret, iterations = 0;
+    mbedtls_asn1_buf salt;
+    size_t i;
+    unsigned char unipwd[PKCS12_MAX_PWDLEN * 2 + 2];
+
+    if( pwdlen > PKCS12_MAX_PWDLEN )
+        return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
+
+    memset( &salt, 0, sizeof(mbedtls_asn1_buf) );
+    memset( &unipwd, 0, sizeof(unipwd) );
+
+    if( ( ret = pkcs12_parse_pbe_params( pbe_params, &salt,
+                                         &iterations ) ) != 0 )
+        return( ret );
+
+    for( i = 0; i < pwdlen; i++ )
+        unipwd[i * 2 + 1] = pwd[i];
+
+    if( ( ret = mbedtls_pkcs12_derivation( key, keylen, unipwd, pwdlen * 2 + 2,
+                                   salt.p, salt.len, md_type,
+                                   MBEDTLS_PKCS12_DERIVE_KEY, iterations ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( iv == NULL || ivlen == 0 )
+        return( 0 );
+
+    if( ( ret = mbedtls_pkcs12_derivation( iv, ivlen, unipwd, pwdlen * 2 + 2,
+                                   salt.p, salt.len, md_type,
+                                   MBEDTLS_PKCS12_DERIVE_IV, iterations ) ) != 0 )
+    {
+        return( ret );
+    }
+    return( 0 );
+}
+
+#undef PKCS12_MAX_PWDLEN
+
+int mbedtls_pkcs12_pbe_sha1_rc4_128( mbedtls_asn1_buf *pbe_params, int mode,
+                             const unsigned char *pwd,  size_t pwdlen,
+                             const unsigned char *data, size_t len,
+                             unsigned char *output )
+{
+#if !defined(MBEDTLS_ARC4_C)
+    ((void) pbe_params);
+    ((void) mode);
+    ((void) pwd);
+    ((void) pwdlen);
+    ((void) data);
+    ((void) len);
+    ((void) output);
+    return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+#else
+    int ret;
+    unsigned char key[16];
+    mbedtls_arc4_context ctx;
+    ((void) mode);
+
+    mbedtls_arc4_init( &ctx );
+
+    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, MBEDTLS_MD_SHA1,
+                                          pwd, pwdlen,
+                                          key, 16, NULL, 0 ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    mbedtls_arc4_setup( &ctx, key, 16 );
+    if( ( ret = mbedtls_arc4_crypt( &ctx, len, data, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_arc4_free( &ctx );
+
+    return( ret );
+#endif /* MBEDTLS_ARC4_C */
+}
+
+int mbedtls_pkcs12_pbe( mbedtls_asn1_buf *pbe_params, int mode,
+                mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
+                const unsigned char *pwd,  size_t pwdlen,
+                const unsigned char *data, size_t len,
+                unsigned char *output )
+{
+    int ret, keylen = 0;
+    unsigned char key[32];
+    unsigned char iv[16];
+    const mbedtls_cipher_info_t *cipher_info;
+    mbedtls_cipher_context_t cipher_ctx;
+    size_t olen = 0;
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_type );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+
+    keylen = cipher_info->key_bitlen / 8;
+
+    if( ( ret = pkcs12_pbe_derive_key_iv( pbe_params, md_type, pwd, pwdlen,
+                                          key, keylen,
+                                          iv, cipher_info->iv_size ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    mbedtls_cipher_init( &cipher_ctx );
+
+    if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_set_iv( &cipher_ctx, iv, cipher_info->iv_size ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_reset( &cipher_ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_update( &cipher_ctx, data, len,
+                                output, &olen ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_cipher_finish( &cipher_ctx, output + olen, &olen ) ) != 0 )
+        ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
+
+exit:
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+    mbedtls_platform_zeroize( iv,  sizeof( iv  ) );
+    mbedtls_cipher_free( &cipher_ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+static void pkcs12_fill_buffer( unsigned char *data, size_t data_len,
+                                const unsigned char *filler, size_t fill_len )
+{
+    unsigned char *p = data;
+    size_t use_len;
+
+    while( data_len > 0 )
+    {
+        use_len = ( data_len > fill_len ) ? fill_len : data_len;
+        memcpy( p, filler, use_len );
+        p += use_len;
+        data_len -= use_len;
+    }
+}
+
+int mbedtls_pkcs12_derivation( unsigned char *data, size_t datalen,
+                       const unsigned char *pwd, size_t pwdlen,
+                       const unsigned char *salt, size_t saltlen,
+                       mbedtls_md_type_t md_type, int id, int iterations )
+{
+    int ret;
+    unsigned int j;
+
+    unsigned char diversifier[128];
+    unsigned char salt_block[128], pwd_block[128], hash_block[128];
+    unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
+    unsigned char *p;
+    unsigned char c;
+
+    size_t hlen, use_len, v, i;
+
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    // This version only allows max of 64 bytes of password or salt
+    if( datalen > 128 || pwdlen > 64 || saltlen > 64 )
+        return( MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( md_type );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE );
+
+    mbedtls_md_init( &md_ctx );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        return( ret );
+    hlen = mbedtls_md_get_size( md_info );
+
+    if( hlen <= 32 )
+        v = 64;
+    else
+        v = 128;
+
+    memset( diversifier, (unsigned char) id, v );
+
+    pkcs12_fill_buffer( salt_block, v, salt, saltlen );
+    pkcs12_fill_buffer( pwd_block,  v, pwd,  pwdlen  );
+
+    p = data;
+    while( datalen > 0 )
+    {
+        // Calculate hash( diversifier || salt_block || pwd_block )
+        if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, diversifier, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, salt_block, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_update( &md_ctx, pwd_block, v ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md_finish( &md_ctx, hash_output ) ) != 0 )
+            goto exit;
+
+        // Perform remaining ( iterations - 1 ) recursive hash calculations
+        for( i = 1; i < (size_t) iterations; i++ )
+        {
+            if( ( ret = mbedtls_md( md_info, hash_output, hlen, hash_output ) ) != 0 )
+                goto exit;
+        }
+
+        use_len = ( datalen > hlen ) ? hlen : datalen;
+        memcpy( p, hash_output, use_len );
+        datalen -= use_len;
+        p += use_len;
+
+        if( datalen == 0 )
+            break;
+
+        // Concatenating copies of hash_output into hash_block (B)
+        pkcs12_fill_buffer( hash_block, v, hash_output, hlen );
+
+        // B += 1
+        for( i = v; i > 0; i-- )
+            if( ++hash_block[i - 1] != 0 )
+                break;
+
+        // salt_block += B
+        c = 0;
+        for( i = v; i > 0; i-- )
+        {
+            j = salt_block[i - 1] + hash_block[i - 1] + c;
+            c = (unsigned char) (j >> 8);
+            salt_block[i - 1] = j & 0xFF;
+        }
+
+        // pwd_block  += B
+        c = 0;
+        for( i = v; i > 0; i-- )
+        {
+            j = pwd_block[i - 1] + hash_block[i - 1] + c;
+            c = (unsigned char) (j >> 8);
+            pwd_block[i - 1] = j & 0xFF;
+        }
+    }
+
+    ret = 0;
+
+exit:
+    mbedtls_platform_zeroize( salt_block, sizeof( salt_block ) );
+    mbedtls_platform_zeroize( pwd_block, sizeof( pwd_block ) );
+    mbedtls_platform_zeroize( hash_block, sizeof( hash_block ) );
+    mbedtls_platform_zeroize( hash_output, sizeof( hash_output ) );
+
+    mbedtls_md_free( &md_ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_PKCS12_C */
diff --git a/makerom/deps/libmbedtls/src/pkcs5.c b/makerom/deps/libmbedtls/src/pkcs5.c
new file mode 100644
index 00000000..50133435
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pkcs5.c
@@ -0,0 +1,411 @@
+/**
+ * \file pkcs5.c
+ *
+ * \brief PKCS#5 functions
+ *
+ * \author Mathias Olsson <mathias@kompetensum.com>
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * PKCS#5 includes PBKDF2 and more
+ *
+ * http://tools.ietf.org/html/rfc2898 (Specification)
+ * http://tools.ietf.org/html/rfc6070 (Test vectors)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PKCS5_C)
+
+#include "mbedtls/pkcs5.h"
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#include "mbedtls/cipher.h"
+#include "mbedtls/oid.h"
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#include <string.h>
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params,
+                                      mbedtls_asn1_buf *salt, int *iterations,
+                                      int *keylen, mbedtls_md_type_t *md_type )
+{
+    int ret;
+    mbedtls_asn1_buf prf_alg_oid;
+    unsigned char *p = params->p;
+    const unsigned char *end = params->p + params->len;
+
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    /*
+     *  PBKDF2-params ::= SEQUENCE {
+     *    salt              OCTET STRING,
+     *    iterationCount    INTEGER,
+     *    keyLength         INTEGER OPTIONAL
+     *    prf               AlgorithmIdentifier DEFAULT algid-hmacWithSHA1
+     *  }
+     *
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    salt->p = p;
+    p += salt->len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, iterations ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, keylen ) ) != 0 )
+    {
+        if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+    }
+
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    if( mbedtls_oid_get_md_hmac( &prf_alg_oid, md_type ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( p != end )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
+                 const unsigned char *pwd,  size_t pwdlen,
+                 const unsigned char *data, size_t datalen,
+                 unsigned char *output )
+{
+    int ret, iterations = 0, keylen = 0;
+    unsigned char *p, *end;
+    mbedtls_asn1_buf kdf_alg_oid, enc_scheme_oid, kdf_alg_params, enc_scheme_params;
+    mbedtls_asn1_buf salt;
+    mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
+    unsigned char key[32], iv[32];
+    size_t olen = 0;
+    const mbedtls_md_info_t *md_info;
+    const mbedtls_cipher_info_t *cipher_info;
+    mbedtls_md_context_t md_ctx;
+    mbedtls_cipher_type_t cipher_alg;
+    mbedtls_cipher_context_t cipher_ctx;
+
+    p = pbe_params->p;
+    end = p + pbe_params->len;
+
+    /*
+     *  PBES2-params ::= SEQUENCE {
+     *    keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
+     *    encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
+     *  }
+     */
+    if( pbe_params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid, &kdf_alg_params ) ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+
+    // Only PBKDF2 supported at the moment
+    //
+    if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params,
+                                           &salt, &iterations, &keylen,
+                                           &md_type ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    md_info = mbedtls_md_info_from_type( md_type );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid,
+                              &enc_scheme_params ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+    }
+
+    if( mbedtls_oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher_alg );
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
+
+    /*
+     * The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
+     * since it is optional and we don't know if it was set or not
+     */
+    keylen = cipher_info->key_bitlen / 8;
+
+    if( enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
+        enc_scheme_params.len != cipher_info->iv_size )
+    {
+        return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT );
+    }
+
+    mbedtls_md_init( &md_ctx );
+    mbedtls_cipher_init( &cipher_ctx );
+
+    memcpy( iv, enc_scheme_params.p, enc_scheme_params.len );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
+                                   iterations, keylen, key ) ) != 0 )
+    {
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen, (mbedtls_operation_t) mode ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len,
+                              data, datalen, output, &olen ) ) != 0 )
+        ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
+
+exit:
+    mbedtls_md_free( &md_ctx );
+    mbedtls_cipher_free( &cipher_ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password,
+                       size_t plen, const unsigned char *salt, size_t slen,
+                       unsigned int iteration_count,
+                       uint32_t key_length, unsigned char *output )
+{
+    int ret, j;
+    unsigned int i;
+    unsigned char md1[MBEDTLS_MD_MAX_SIZE];
+    unsigned char work[MBEDTLS_MD_MAX_SIZE];
+    unsigned char md_size = mbedtls_md_get_size( ctx->md_info );
+    size_t use_len;
+    unsigned char *out_p = output;
+    unsigned char counter[4];
+
+    memset( counter, 0, 4 );
+    counter[3] = 1;
+
+#if UINT_MAX > 0xFFFFFFFF
+    if( iteration_count > 0xFFFFFFFF )
+        return( MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA );
+#endif
+
+    while( key_length )
+    {
+        // U1 ends up in work
+        //
+        if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 )
+            return( ret );
+
+        memcpy( md1, work, md_size );
+
+        for( i = 1; i < iteration_count; i++ )
+        {
+            // U2 ends up in md1
+            //
+            if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 )
+                return( ret );
+
+            if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 )
+                return( ret );
+
+            if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 )
+                return( ret );
+
+            // U1 xor U2
+            //
+            for( j = 0; j < md_size; j++ )
+                work[j] ^= md1[j];
+        }
+
+        use_len = ( key_length < md_size ) ? key_length : md_size;
+        memcpy( out_p, work, use_len );
+
+        key_length -= (uint32_t) use_len;
+        out_p += use_len;
+
+        for( i = 4; i > 0; i-- )
+            if( ++counter[i - 1] != 0 )
+                break;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#if !defined(MBEDTLS_SHA1_C)
+int mbedtls_pkcs5_self_test( int verbose )
+{
+    if( verbose != 0 )
+        mbedtls_printf( "  PBKDF2 (SHA1): skipped\n\n" );
+
+    return( 0 );
+}
+#else
+
+#define MAX_TESTS   6
+
+static const size_t plen[MAX_TESTS] =
+    { 8, 8, 8, 24, 9 };
+
+static const unsigned char password[MAX_TESTS][32] =
+{
+    "password",
+    "password",
+    "password",
+    "passwordPASSWORDpassword",
+    "pass\0word",
+};
+
+static const size_t slen[MAX_TESTS] =
+    { 4, 4, 4, 36, 5 };
+
+static const unsigned char salt[MAX_TESTS][40] =
+{
+    "salt",
+    "salt",
+    "salt",
+    "saltSALTsaltSALTsaltSALTsaltSALTsalt",
+    "sa\0lt",
+};
+
+static const uint32_t it_cnt[MAX_TESTS] =
+    { 1, 2, 4096, 4096, 4096 };
+
+static const uint32_t key_len[MAX_TESTS] =
+    { 20, 20, 20, 25, 16 };
+
+static const unsigned char result_key[MAX_TESTS][32] =
+{
+    { 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
+      0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
+      0x2f, 0xe0, 0x37, 0xa6 },
+    { 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
+      0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
+      0xd8, 0xde, 0x89, 0x57 },
+    { 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
+      0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
+      0x65, 0xa4, 0x29, 0xc1 },
+    { 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
+      0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
+      0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
+      0x38 },
+    { 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
+      0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
+};
+
+int mbedtls_pkcs5_self_test( int verbose )
+{
+    mbedtls_md_context_t sha1_ctx;
+    const mbedtls_md_info_t *info_sha1;
+    int ret, i;
+    unsigned char key[64];
+
+    mbedtls_md_init( &sha1_ctx );
+
+    info_sha1 = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
+    if( info_sha1 == NULL )
+    {
+        ret = 1;
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_md_setup( &sha1_ctx, info_sha1, 1 ) ) != 0 )
+    {
+        ret = 1;
+        goto exit;
+    }
+
+    for( i = 0; i < MAX_TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  PBKDF2 (SHA1) #%d: ", i );
+
+        ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password[i], plen[i], salt[i],
+                                  slen[i], it_cnt[i], key_len[i], key );
+        if( ret != 0 ||
+            memcmp( result_key[i], key, key_len[i] ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_md_free( &sha1_ctx );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SHA1_C */
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_PKCS5_C */
diff --git a/makerom/deps/libmbedtls/src/pkparse.c b/makerom/deps/libmbedtls/src/pkparse.c
new file mode 100644
index 00000000..d5004577
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pkparse.c
@@ -0,0 +1,1538 @@
+/*
+ *  Public Key layer for parsing key files and structures
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+#if defined(MBEDTLS_PKCS5_C)
+#include "mbedtls/pkcs5.h"
+#endif
+#if defined(MBEDTLS_PKCS12_C)
+#include "mbedtls/pkcs12.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load all data from a file into a given buffer.
+ *
+ * The file is expected to contain either PEM or DER encoded data.
+ * A terminating null byte is always appended. It is included in the announced
+ * length only if the data looks like it is PEM encoded.
+ */
+int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n )
+{
+    FILE *f;
+    long size;
+
+    PK_VALIDATE_RET( path != NULL );
+    PK_VALIDATE_RET( buf != NULL );
+    PK_VALIDATE_RET( n != NULL );
+
+    if( ( f = fopen( path, "rb" ) ) == NULL )
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+
+    fseek( f, 0, SEEK_END );
+    if( ( size = ftell( f ) ) == -1 )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+    }
+    fseek( f, 0, SEEK_SET );
+
+    *n = (size_t) size;
+
+    if( *n + 1 == 0 ||
+        ( *buf = mbedtls_calloc( 1, *n + 1 ) ) == NULL )
+    {
+        fclose( f );
+        return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+    }
+
+    if( fread( *buf, 1, *n, f ) != *n )
+    {
+        fclose( f );
+
+        mbedtls_platform_zeroize( *buf, *n );
+        mbedtls_free( *buf );
+
+        return( MBEDTLS_ERR_PK_FILE_IO_ERROR );
+    }
+
+    fclose( f );
+
+    (*buf)[*n] = '\0';
+
+    if( strstr( (const char *) *buf, "-----BEGIN " ) != NULL )
+        ++*n;
+
+    return( 0 );
+}
+
+/*
+ * Load and parse a private key
+ */
+int mbedtls_pk_parse_keyfile( mbedtls_pk_context *ctx,
+                      const char *path, const char *pwd )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( path != NULL );
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    if( pwd == NULL )
+        ret = mbedtls_pk_parse_key( ctx, buf, n, NULL, 0 );
+    else
+        ret = mbedtls_pk_parse_key( ctx, buf, n,
+                (const unsigned char *) pwd, strlen( pwd ) );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+/*
+ * Load and parse a public key
+ */
+int mbedtls_pk_parse_public_keyfile( mbedtls_pk_context *ctx, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    PK_VALIDATE_RET( ctx != NULL );
+    PK_VALIDATE_RET( path != NULL );
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_pk_parse_public_key( ctx, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#if defined(MBEDTLS_ECP_C)
+/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
+ *
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
+ *   -- implicitCurve   NULL
+ * }
+ */
+static int pk_get_ecparams( unsigned char **p, const unsigned char *end,
+                            mbedtls_asn1_buf *params )
+{
+    int ret;
+
+    if ( end - *p < 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    /* Tag may be either OID or SEQUENCE */
+    params->tag = **p;
+    if( params->tag != MBEDTLS_ASN1_OID
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+            && params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE )
+#endif
+            )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    }
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &params->len, params->tag ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    params->p = *p;
+    *p += params->len;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it.
+ * WARNING: the resulting group should only be used with
+ * pk_group_id_from_specified(), since its base point may not be set correctly
+ * if it was encoded compressed.
+ *
+ *  SpecifiedECDomain ::= SEQUENCE {
+ *      version SpecifiedECDomainVersion(ecdpVer1 | ecdpVer2 | ecdpVer3, ...),
+ *      fieldID FieldID {{FieldTypes}},
+ *      curve Curve,
+ *      base ECPoint,
+ *      order INTEGER,
+ *      cofactor INTEGER OPTIONAL,
+ *      hash HashAlgorithm OPTIONAL,
+ *      ...
+ *  }
+ *
+ * We only support prime-field as field type, and ignore hash and cofactor.
+ */
+static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
+{
+    int ret;
+    unsigned char *p = params->p;
+    const unsigned char * const end = params->p + params->len;
+    const unsigned char *end_field, *end_curve;
+    size_t len;
+    int ver;
+
+    /* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ver < 1 || ver > 3 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    /*
+     * FieldID { FIELD-ID:IOSet } ::= SEQUENCE { -- Finite field
+     *       fieldType FIELD-ID.&id({IOSet}),
+     *       parameters FIELD-ID.&Type({IOSet}{@fieldType})
+     * }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    end_field = p + len;
+
+    /*
+     * FIELD-ID ::= TYPE-IDENTIFIER
+     * FieldTypes FIELD-ID ::= {
+     *       { Prime-p IDENTIFIED BY prime-field } |
+     *       { Characteristic-two IDENTIFIED BY characteristic-two-field }
+     * }
+     * prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( ret );
+
+    if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
+        memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+    }
+
+    p += len;
+
+    /* Prime-p ::= INTEGER -- Field of size p. */
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    grp->pbits = mbedtls_mpi_bitlen( &grp->P );
+
+    if( p != end_field )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /*
+     * Curve ::= SEQUENCE {
+     *       a FieldElement,
+     *       b FieldElement,
+     *       seed BIT STRING OPTIONAL
+     *       -- Shall be present if used in SpecifiedECDomain
+     *       -- with version equal to ecdpVer2 or ecdpVer3
+     * }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( ret );
+
+    end_curve = p + len;
+
+    /*
+     * FieldElement ::= OCTET STRING
+     * containing an integer in the case of a prime field
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    /* Ignore seed BIT STRING OPTIONAL */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_BIT_STRING ) ) == 0 )
+        p += len;
+
+    if( p != end_curve )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /*
+     * ECPoint ::= OCTET STRING
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
+                                      ( const unsigned char *) p, len ) ) != 0 )
+    {
+        /*
+         * If we can't read the point because it's compressed, cheat by
+         * reading only the X coordinate and the parity bit of Y.
+         */
+        if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ||
+            ( p[0] != 0x02 && p[0] != 0x03 ) ||
+            len != mbedtls_mpi_size( &grp->P ) + 1 ||
+            mbedtls_mpi_read_binary( &grp->G.X, p + 1, len - 1 ) != 0 ||
+            mbedtls_mpi_lset( &grp->G.Y, p[0] - 2 ) != 0 ||
+            mbedtls_mpi_lset( &grp->G.Z, 1 ) != 0 )
+        {
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+        }
+    }
+
+    p += len;
+
+    /*
+     * order INTEGER
+     */
+    if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    grp->nbits = mbedtls_mpi_bitlen( &grp->N );
+
+    /*
+     * Allow optional elements by purposefully not enforcing p == end here.
+     */
+
+    return( 0 );
+}
+
+/*
+ * Find the group id associated with an (almost filled) group as generated by
+ * pk_group_from_specified(), or return an error if unknown.
+ */
+static int pk_group_id_from_group( const mbedtls_ecp_group *grp, mbedtls_ecp_group_id *grp_id )
+{
+    int ret = 0;
+    mbedtls_ecp_group ref;
+    const mbedtls_ecp_group_id *id;
+
+    mbedtls_ecp_group_init( &ref );
+
+    for( id = mbedtls_ecp_grp_id_list(); *id != MBEDTLS_ECP_DP_NONE; id++ )
+    {
+        /* Load the group associated to that id */
+        mbedtls_ecp_group_free( &ref );
+        MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ref, *id ) );
+
+        /* Compare to the group we were given, starting with easy tests */
+        if( grp->pbits == ref.pbits && grp->nbits == ref.nbits &&
+            mbedtls_mpi_cmp_mpi( &grp->P, &ref.P ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->A, &ref.A ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->B, &ref.B ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->N, &ref.N ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->G.X, &ref.G.X ) == 0 &&
+            mbedtls_mpi_cmp_mpi( &grp->G.Z, &ref.G.Z ) == 0 &&
+            /* For Y we may only know the parity bit, so compare only that */
+            mbedtls_mpi_get_bit( &grp->G.Y, 0 ) == mbedtls_mpi_get_bit( &ref.G.Y, 0 ) )
+        {
+            break;
+        }
+
+    }
+
+cleanup:
+    mbedtls_ecp_group_free( &ref );
+
+    *grp_id = *id;
+
+    if( ret == 0 && *id == MBEDTLS_ECP_DP_NONE )
+        ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+    return( ret );
+}
+
+/*
+ * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID
+ */
+static int pk_group_id_from_specified( const mbedtls_asn1_buf *params,
+                                       mbedtls_ecp_group_id *grp_id )
+{
+    int ret;
+    mbedtls_ecp_group grp;
+
+    mbedtls_ecp_group_init( &grp );
+
+    if( ( ret = pk_group_from_specified( params, &grp ) ) != 0 )
+        goto cleanup;
+
+    ret = pk_group_id_from_group( &grp, grp_id );
+
+cleanup:
+    mbedtls_ecp_group_free( &grp );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+
+/*
+ * Use EC parameters to initialise an EC group
+ *
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ *   specifiedCurve     SpecifiedECDomain -- = SEQUENCE { ... }
+ *   -- implicitCurve   NULL
+ */
+static int pk_use_ecparams( const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp )
+{
+    int ret;
+    mbedtls_ecp_group_id grp_id;
+
+    if( params->tag == MBEDTLS_ASN1_OID )
+    {
+        if( mbedtls_oid_get_ec_grp( params, &grp_id ) != 0 )
+            return( MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE );
+    }
+    else
+    {
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+        if( ( ret = pk_group_id_from_specified( params, &grp_id ) ) != 0 )
+            return( ret );
+#else
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+#endif
+    }
+
+    /*
+     * grp may already be initilialized; if so, make sure IDs match
+     */
+    if( grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    if( ( ret = mbedtls_ecp_group_load( grp, grp_id ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * EC public key is an EC point
+ *
+ * The caller is responsible for clearing the structure upon failure if
+ * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE
+ * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
+ */
+static int pk_get_ecpubkey( unsigned char **p, const unsigned char *end,
+                            mbedtls_ecp_keypair *key )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ecp_point_read_binary( &key->grp, &key->Q,
+                    (const unsigned char *) *p, end - *p ) ) == 0 )
+    {
+        ret = mbedtls_ecp_check_pubkey( &key->grp, &key->Q );
+    }
+
+    /*
+     * We know mbedtls_ecp_point_read_binary consumed all bytes or failed
+     */
+    *p = (unsigned char *) end;
+
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ *  RSAPublicKey ::= SEQUENCE {
+ *      modulus           INTEGER,  -- n
+ *      publicExponent    INTEGER   -- e
+ *  }
+ */
+static int pk_get_rsapubkey( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_rsa_context *rsa )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    /* Import N */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
+                                        NULL, 0, NULL, 0 ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+
+    *p += len;
+
+    /* Import E */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
+                                        NULL, 0, *p, len ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+
+    *p += len;
+
+    if( mbedtls_rsa_complete( rsa ) != 0 ||
+        mbedtls_rsa_check_pubkey( rsa ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY );
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_RSA_C */
+
+/* Get a PK algorithm identifier
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ */
+static int pk_get_pk_alg( unsigned char **p,
+                          const unsigned char *end,
+                          mbedtls_pk_type_t *pk_alg, mbedtls_asn1_buf *params )
+{
+    int ret;
+    mbedtls_asn1_buf alg_oid;
+
+    memset( params, 0, sizeof(mbedtls_asn1_buf) );
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_ALG + ret );
+
+    if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    /*
+     * No parameters with RSA (only for EC)
+     */
+    if( *pk_alg == MBEDTLS_PK_RSA &&
+            ( ( params->tag != MBEDTLS_ASN1_NULL && params->tag != 0 ) ||
+                params->len != 0 ) )
+    {
+        return( MBEDTLS_ERR_PK_INVALID_ALG );
+    }
+
+    return( 0 );
+}
+
+/*
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING }
+ */
+int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
+                        mbedtls_pk_context *pk )
+{
+    int ret;
+    size_t len;
+    mbedtls_asn1_buf alg_params;
+    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+    const mbedtls_pk_info_t *pk_info;
+
+    PK_VALIDATE_RET( p != NULL );
+    PK_VALIDATE_RET( *p != NULL );
+    PK_VALIDATE_RET( end != NULL );
+    PK_VALIDATE_RET( pk != NULL );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    if( ( ret = pk_get_pk_alg( p, end, &pk_alg, &alg_params ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA )
+    {
+        ret = pk_get_rsapubkey( p, end, mbedtls_pk_rsa( *pk ) );
+    } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY )
+    {
+        ret = pk_use_ecparams( &alg_params, &mbedtls_pk_ec( *pk )->grp );
+        if( ret == 0 )
+            ret = pk_get_ecpubkey( p, end, mbedtls_pk_ec( *pk ) );
+    } else
+#endif /* MBEDTLS_ECP_C */
+        ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
+
+    if( ret == 0 && *p != end )
+        ret = MBEDTLS_ERR_PK_INVALID_PUBKEY
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+
+    if( ret != 0 )
+        mbedtls_pk_free( pk );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * Wrapper around mbedtls_asn1_get_mpi() that rejects zero.
+ *
+ * The value zero is:
+ * - never a valid value for an RSA parameter
+ * - interpreted as "omitted, please reconstruct" by mbedtls_rsa_complete().
+ *
+ * Since values can't be omitted in PKCS#1, passing a zero value to
+ * rsa_complete() would be incorrect, so reject zero values early.
+ */
+static int asn1_get_nonzero_mpi( unsigned char **p,
+                                 const unsigned char *end,
+                                 mbedtls_mpi *X )
+{
+    int ret;
+
+    ret = mbedtls_asn1_get_mpi( p, end, X );
+    if( ret != 0 )
+        return( ret );
+
+    if( mbedtls_mpi_cmp_int( X, 0 ) == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
+    return( 0 );
+}
+
+/*
+ * Parse a PKCS#1 encoded private RSA key
+ */
+static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa,
+                                   const unsigned char *key,
+                                   size_t keylen )
+{
+    int ret, version;
+    size_t len;
+    unsigned char *p, *end;
+
+    mbedtls_mpi T;
+    mbedtls_mpi_init( &T );
+
+    p = (unsigned char *) key;
+    end = p + keylen;
+
+    /*
+     * This function parses the RSAPrivateKey (PKCS#1)
+     *
+     *  RSAPrivateKey ::= SEQUENCE {
+     *      version           Version,
+     *      modulus           INTEGER,  -- n
+     *      publicExponent    INTEGER,  -- e
+     *      privateExponent   INTEGER,  -- d
+     *      prime1            INTEGER,  -- p
+     *      prime2            INTEGER,  -- q
+     *      exponent1         INTEGER,  -- d mod (p-1)
+     *      exponent2         INTEGER,  -- d mod (q-1)
+     *      coefficient       INTEGER,  -- (inverse of q) mod p
+     *      otherPrimeInfos   OtherPrimeInfos OPTIONAL
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    if( version != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
+    }
+
+    /* Import N */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, &T, NULL, NULL,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import E */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
+                                        NULL, &T ) ) != 0 )
+        goto cleanup;
+
+    /* Import D */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, NULL,
+                                        &T, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import P */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, &T, NULL,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+    /* Import Q */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_rsa_import( rsa, NULL, NULL, &T,
+                                        NULL, NULL ) ) != 0 )
+        goto cleanup;
+
+#if !defined(MBEDTLS_RSA_NO_CRT) && !defined(MBEDTLS_RSA_ALT)
+    /*
+    * The RSA CRT parameters DP, DQ and QP are nominally redundant, in
+    * that they can be easily recomputed from D, P and Q. However by
+    * parsing them from the PKCS1 structure it is possible to avoid
+    * recalculating them which both reduces the overhead of loading
+    * RSA private keys into memory and also avoids side channels which
+    * can arise when computing those values, since all of D, P, and Q
+    * are secret. See https://eprint.iacr.org/2020/055 for a
+    * description of one such attack.
+    */
+
+    /* Import DP */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->DP, &T ) ) != 0 )
+       goto cleanup;
+
+    /* Import DQ */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->DQ, &T ) ) != 0 )
+       goto cleanup;
+
+    /* Import QP */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &rsa->QP, &T ) ) != 0 )
+       goto cleanup;
+
+#else
+    /* Verify existance of the CRT params */
+    if( ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 ||
+        ( ret = asn1_get_nonzero_mpi( &p, end, &T ) ) != 0 )
+       goto cleanup;
+#endif
+
+    /* rsa_complete() doesn't complete anything with the default
+     * implementation but is still called:
+     * - for the benefit of alternative implementation that may want to
+     *   pre-compute stuff beyond what's provided (eg Montgomery factors)
+     * - as is also sanity-checks the key
+     *
+     * Furthermore, we also check the public part for consistency with
+     * mbedtls_pk_parse_pubkey(), as it includes size minima for example.
+     */
+    if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ||
+        ( ret = mbedtls_rsa_check_pubkey( rsa ) ) != 0 )
+    {
+        goto cleanup;
+    }
+
+    if( p != end )
+    {
+        ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+              MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &T );
+
+    if( ret != 0 )
+    {
+        /* Wrap error code if it's coming from a lower level */
+        if( ( ret & 0xff80 ) == 0 )
+            ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret;
+        else
+            ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
+
+        mbedtls_rsa_free( rsa );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Parse a SEC1 encoded private EC key
+ */
+static int pk_parse_key_sec1_der( mbedtls_ecp_keypair *eck,
+                                  const unsigned char *key,
+                                  size_t keylen )
+{
+    int ret;
+    int version, pubkey_done;
+    size_t len;
+    mbedtls_asn1_buf params;
+    unsigned char *p = (unsigned char *) key;
+    unsigned char *end = p + keylen;
+    unsigned char *end2;
+
+    /*
+     * RFC 5915, or SEC1 Appendix C.4
+     *
+     * ECPrivateKey ::= SEQUENCE {
+     *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+     *      privateKey     OCTET STRING,
+     *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+     *      publicKey  [1] BIT STRING OPTIONAL
+     *    }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( version != 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    pubkey_done = 0;
+    if( p != end )
+    {
+        /*
+         * Is 'parameters' present?
+         */
+        if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
+        {
+            if( ( ret = pk_get_ecparams( &p, p + len, &params) ) != 0 ||
+                ( ret = pk_use_ecparams( &params, &eck->grp )  ) != 0 )
+            {
+                mbedtls_ecp_keypair_free( eck );
+                return( ret );
+            }
+        }
+        else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            mbedtls_ecp_keypair_free( eck );
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+        }
+    }
+
+    if( p != end )
+    {
+        /*
+         * Is 'publickey' present? If not, or if we can't read it (eg because it
+         * is compressed), create it from the private key.
+         */
+        if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                        MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
+        {
+            end2 = p + len;
+
+            if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
+                return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+            if( p + len != end2 )
+                return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                        MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+            if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
+                pubkey_done = 1;
+            else
+            {
+                /*
+                 * The only acceptable failure mode of pk_get_ecpubkey() above
+                 * is if the point format is not recognized.
+                 */
+                if( ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE )
+                    return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+            }
+        }
+        else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            mbedtls_ecp_keypair_free( eck );
+            return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+        }
+    }
+
+    if( ! pubkey_done &&
+        ( ret = mbedtls_ecp_mul( &eck->grp, &eck->Q, &eck->d, &eck->grp.G,
+                                                      NULL, NULL ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
+    {
+        mbedtls_ecp_keypair_free( eck );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECP_C */
+
+/*
+ * Parse an unencrypted PKCS#8 encoded private key
+ *
+ * Notes:
+ *
+ * - This function does not own the key buffer. It is the
+ *   responsibility of the caller to take care of zeroizing
+ *   and freeing it after use.
+ *
+ * - The function is responsible for freeing the provided
+ *   PK context on failure.
+ *
+ */
+static int pk_parse_key_pkcs8_unencrypted_der(
+                                    mbedtls_pk_context *pk,
+                                    const unsigned char* key,
+                                    size_t keylen )
+{
+    int ret, version;
+    size_t len;
+    mbedtls_asn1_buf params;
+    unsigned char *p = (unsigned char *) key;
+    unsigned char *end = p + keylen;
+    mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+    const mbedtls_pk_info_t *pk_info;
+
+    /*
+     * This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
+     *
+     *    PrivateKeyInfo ::= SEQUENCE {
+     *      version                   Version,
+     *      privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
+     *      privateKey                PrivateKey,
+     *      attributes           [0]  IMPLICIT Attributes OPTIONAL }
+     *
+     *    Version ::= INTEGER
+     *    PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
+     *    PrivateKey ::= OCTET STRING
+     *
+     *  The PrivateKey OCTET STRING is a SEC1 ECPrivateKey
+     */
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( version != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret );
+
+    if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, &params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( len < 1 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA )
+    {
+        if( ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), p, len ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+            return( ret );
+        }
+    } else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH )
+    {
+        if( ( ret = pk_use_ecparams( &params, &mbedtls_pk_ec( *pk )->grp ) ) != 0 ||
+            ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ), p, len )  ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+            return( ret );
+        }
+    } else
+#endif /* MBEDTLS_ECP_C */
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    return( 0 );
+}
+
+/*
+ * Parse an encrypted PKCS#8 encoded private key
+ *
+ * To save space, the decryption happens in-place on the given key buffer.
+ * Also, while this function may modify the keybuffer, it doesn't own it,
+ * and instead it is the responsibility of the caller to zeroize and properly
+ * free it after use.
+ *
+ */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+static int pk_parse_key_pkcs8_encrypted_der(
+                                    mbedtls_pk_context *pk,
+                                    unsigned char *key, size_t keylen,
+                                    const unsigned char *pwd, size_t pwdlen )
+{
+    int ret, decrypted = 0;
+    size_t len;
+    unsigned char *buf;
+    unsigned char *p, *end;
+    mbedtls_asn1_buf pbe_alg_oid, pbe_params;
+#if defined(MBEDTLS_PKCS12_C)
+    mbedtls_cipher_type_t cipher_alg;
+    mbedtls_md_type_t md_alg;
+#endif
+
+    p = key;
+    end = p + keylen;
+
+    if( pwdlen == 0 )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+
+    /*
+     * This function parses the EncryptedPrivateKeyInfo object (PKCS#8)
+     *
+     *  EncryptedPrivateKeyInfo ::= SEQUENCE {
+     *    encryptionAlgorithm  EncryptionAlgorithmIdentifier,
+     *    encryptedData        EncryptedData
+     *  }
+     *
+     *  EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+     *
+     *  EncryptedData ::= OCTET STRING
+     *
+     *  The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo
+     *
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+
+    if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+
+    buf = p;
+
+    /*
+     * Decrypt EncryptedData with appropriate PBE
+     */
+#if defined(MBEDTLS_PKCS12_C)
+    if( mbedtls_oid_get_pkcs12_pbe_alg( &pbe_alg_oid, &md_alg, &cipher_alg ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs12_pbe( &pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
+                                cipher_alg, md_alg,
+                                pwd, pwdlen, p, len, buf ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH )
+                return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+            return( ret );
+        }
+
+        decrypted = 1;
+    }
+    else if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS12_PBE_SHA1_RC4_128, &pbe_alg_oid ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs12_pbe_sha1_rc4_128( &pbe_params,
+                                             MBEDTLS_PKCS12_PBE_DECRYPT,
+                                             pwd, pwdlen,
+                                             p, len, buf ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        // Best guess for password mismatch when using RC4. If first tag is
+        // not MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE
+        //
+        if( *buf != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+            return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+        decrypted = 1;
+    }
+    else
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PKCS5_C)
+    if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid ) == 0 )
+    {
+        if( ( ret = mbedtls_pkcs5_pbes2( &pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
+                                  p, len, buf ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH )
+                return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+
+            return( ret );
+        }
+
+        decrypted = 1;
+    }
+    else
+#endif /* MBEDTLS_PKCS5_C */
+    {
+        ((void) pwd);
+    }
+
+    if( decrypted == 0 )
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( pk_parse_key_pkcs8_unencrypted_der( pk, buf, len ) );
+}
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+/*
+ * Parse a private key
+ */
+int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
+                  const unsigned char *key, size_t keylen,
+                  const unsigned char *pwd, size_t pwdlen )
+{
+    int ret;
+    const mbedtls_pk_info_t *pk_info;
+#if defined(MBEDTLS_PEM_PARSE_C)
+    size_t len;
+    mbedtls_pem_context pem;
+#endif
+
+    PK_VALIDATE_RET( pk != NULL );
+    if( keylen == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+    PK_VALIDATE_RET( key != NULL );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+   mbedtls_pem_init( &pem );
+
+#if defined(MBEDTLS_RSA_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN RSA PRIVATE KEY-----",
+                               "-----END RSA PRIVATE KEY-----",
+                               key, pwd, pwdlen, &len );
+
+    if( ret == 0 )
+    {
+        pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+        if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+            ( ret = pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ),
+                                            pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
+        return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN EC PRIVATE KEY-----",
+                               "-----END EC PRIVATE KEY-----",
+                               key, pwd, pwdlen, &len );
+    if( ret == 0 )
+    {
+        pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
+
+        if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 ||
+            ( ret = pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
+                                           pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_MISMATCH )
+        return( MBEDTLS_ERR_PK_PASSWORD_MISMATCH );
+    else if( ret == MBEDTLS_ERR_PEM_PASSWORD_REQUIRED )
+        return( MBEDTLS_ERR_PK_PASSWORD_REQUIRED );
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_ECP_C */
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN PRIVATE KEY-----",
+                               "-----END PRIVATE KEY-----",
+                               key, NULL, 0, &len );
+    if( ret == 0 )
+    {
+        if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk,
+                                                pem.buf, pem.buflen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN ENCRYPTED PRIVATE KEY-----",
+                               "-----END ENCRYPTED PRIVATE KEY-----",
+                               key, NULL, 0, &len );
+    if( ret == 0 )
+    {
+        if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk,
+                                                      pem.buf, pem.buflen,
+                                                      pwd, pwdlen ) ) != 0 )
+        {
+            mbedtls_pk_free( pk );
+        }
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        return( ret );
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+#else
+    ((void) pwd);
+    ((void) pwdlen);
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+    /*
+     * At this point we only know it's not a PEM formatted key. Could be any
+     * of the known DER encoded private key formats
+     *
+     * We try the different DER format parsers to see if one passes without
+     * error
+     */
+#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
+    {
+        unsigned char *key_copy;
+
+        if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
+            return( MBEDTLS_ERR_PK_ALLOC_FAILED );
+
+        memcpy( key_copy, key, keylen );
+
+        ret = pk_parse_key_pkcs8_encrypted_der( pk, key_copy, keylen,
+                                                pwd, pwdlen );
+
+        mbedtls_platform_zeroize( key_copy, keylen );
+        mbedtls_free( key_copy );
+    }
+
+    if( ret == 0 )
+        return( 0 );
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+
+    if( ret == MBEDTLS_ERR_PK_PASSWORD_MISMATCH )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
+
+    if( ( ret = pk_parse_key_pkcs8_unencrypted_der( pk, key, keylen ) ) == 0 )
+        return( 0 );
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+
+#if defined(MBEDTLS_RSA_C)
+
+    pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA );
+    if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
+        pk_parse_key_pkcs1_der( mbedtls_pk_rsa( *pk ), key, keylen ) == 0 )
+    {
+        return( 0 );
+    }
+
+    mbedtls_pk_free( pk );
+    mbedtls_pk_init( pk );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+    pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_ECKEY );
+    if( mbedtls_pk_setup( pk, pk_info ) == 0 &&
+        pk_parse_key_sec1_der( mbedtls_pk_ec( *pk ),
+                               key, keylen ) == 0 )
+    {
+        return( 0 );
+    }
+    mbedtls_pk_free( pk );
+#endif /* MBEDTLS_ECP_C */
+
+    /* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
+     * it is ok to leave the PK context initialized but not
+     * freed: It is the caller's responsibility to call pk_init()
+     * before calling this function, and to call pk_free()
+     * when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
+     * isn't, this leads to mbedtls_pk_free() being called
+     * twice, once here and once by the caller, but this is
+     * also ok and in line with the mbedtls_pk_free() calls
+     * on failed PEM parsing attempts. */
+
+    return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+}
+
+/*
+ * Parse a public key
+ */
+int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
+                         const unsigned char *key, size_t keylen )
+{
+    int ret;
+    unsigned char *p;
+#if defined(MBEDTLS_RSA_C)
+    const mbedtls_pk_info_t *pk_info;
+#endif
+#if defined(MBEDTLS_PEM_PARSE_C)
+    size_t len;
+    mbedtls_pem_context pem;
+#endif
+
+    PK_VALIDATE_RET( ctx != NULL );
+    if( keylen == 0 )
+        return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+    PK_VALIDATE_RET( key != NULL || keylen == 0 );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    mbedtls_pem_init( &pem );
+#if defined(MBEDTLS_RSA_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                               "-----BEGIN RSA PUBLIC KEY-----",
+                               "-----END RSA PUBLIC KEY-----",
+                               key, NULL, 0, &len );
+
+    if( ret == 0 )
+    {
+        p = pem.buf;
+        if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
+            return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+        if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
+            return( ret );
+
+        if ( ( ret = pk_get_rsapubkey( &p, p + pem.buflen, mbedtls_pk_rsa( *ctx ) ) ) != 0 )
+            mbedtls_pk_free( ctx );
+
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+    {
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+#endif /* MBEDTLS_RSA_C */
+
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( key[keylen - 1] != '\0' )
+        ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+    else
+        ret = mbedtls_pem_read_buffer( &pem,
+                "-----BEGIN PUBLIC KEY-----",
+                "-----END PUBLIC KEY-----",
+                key, NULL, 0, &len );
+
+    if( ret == 0 )
+    {
+        /*
+         * Was PEM encoded
+         */
+        p = pem.buf;
+
+        ret = mbedtls_pk_parse_subpubkey( &p,  p + pem.buflen, ctx );
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+    {
+        mbedtls_pem_free( &pem );
+        return( ret );
+    }
+    mbedtls_pem_free( &pem );
+#endif /* MBEDTLS_PEM_PARSE_C */
+
+#if defined(MBEDTLS_RSA_C)
+    if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
+        return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
+
+    if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
+        return( ret );
+
+    p = (unsigned char *)key;
+    ret = pk_get_rsapubkey( &p, p + keylen, mbedtls_pk_rsa( *ctx ) );
+    if( ret == 0 )
+    {
+        return( ret );
+    }
+    mbedtls_pk_free( ctx );
+    if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+    {
+        return( ret );
+    }
+#endif /* MBEDTLS_RSA_C */
+    p = (unsigned char *) key;
+
+    ret = mbedtls_pk_parse_subpubkey( &p, p + keylen, ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_PK_PARSE_C */
diff --git a/makerom/deps/libmbedtls/src/pkwrite.c b/makerom/deps/libmbedtls/src/pkwrite.c
new file mode 100644
index 00000000..03d14f2f
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/pkwrite.c
@@ -0,0 +1,566 @@
+/*
+ *  Public Key layer for writing key files and structures
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PK_WRITE_C)
+
+#include "mbedtls/pk.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_RSA_C)
+#include "mbedtls/rsa.h"
+#endif
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/bignum.h"
+#include "mbedtls/ecp.h"
+#include "mbedtls/platform_util.h"
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+#include "mbedtls/ecdsa.h"
+#endif
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif
+
+/* Parameter validation macros based on platform_util.h */
+#define PK_VALIDATE_RET( cond )    \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_PK_BAD_INPUT_DATA )
+#define PK_VALIDATE( cond )        \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ *  RSAPublicKey ::= SEQUENCE {
+ *      modulus           INTEGER,  -- n
+ *      publicExponent    INTEGER   -- e
+ *  }
+ */
+static int pk_write_rsa_pubkey( unsigned char **p, unsigned char *start,
+                                mbedtls_rsa_context *rsa )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_mpi T;
+
+    mbedtls_mpi_init( &T );
+
+    /* Export E */
+    if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL, NULL, NULL, &T ) ) != 0 ||
+         ( ret = mbedtls_asn1_write_mpi( p, start, &T ) ) < 0 )
+        goto end_of_export;
+    len += ret;
+
+    /* Export N */
+    if ( ( ret = mbedtls_rsa_export( rsa, &T, NULL, NULL, NULL, NULL ) ) != 0 ||
+         ( ret = mbedtls_asn1_write_mpi( p, start, &T ) ) < 0 )
+        goto end_of_export;
+    len += ret;
+
+end_of_export:
+
+    mbedtls_mpi_free( &T );
+    if( ret < 0 )
+        return( ret );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * EC public key is an EC point
+ */
+static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
+                               mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t len = 0;
+    unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
+
+    if( ( ret = mbedtls_ecp_point_write_binary( &ec->grp, &ec->Q,
+                                        MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                        &len, buf, sizeof( buf ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( *p < start || (size_t)( *p - start ) < len )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *p -= len;
+    memcpy( *p, buf, len );
+
+    return( (int) len );
+}
+
+/*
+ * ECParameters ::= CHOICE {
+ *   namedCurve         OBJECT IDENTIFIER
+ * }
+ */
+static int pk_write_ec_param( unsigned char **p, unsigned char *start,
+                              mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t len = 0;
+    const char *oid;
+    size_t oid_len;
+
+    if( ( ret = mbedtls_oid_get_oid_by_ec_grp( ec->grp.id, &oid, &oid_len ) ) != 0 )
+        return( ret );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid, oid_len ) );
+
+    return( (int) len );
+}
+
+/*
+ * privateKey  OCTET STRING -- always of length ceil(log2(n)/8)
+ */
+static int pk_write_ec_private( unsigned char **p, unsigned char *start,
+                                mbedtls_ecp_keypair *ec )
+{
+    int ret;
+    size_t byte_length = ( ec->grp.pbits + 7 ) / 8;
+    unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
+
+    ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length );
+    if( ret != 0 )
+        goto exit;
+    ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length );
+
+exit:
+    mbedtls_platform_zeroize( tmp, byte_length );
+    return( ret );
+}
+#endif /* MBEDTLS_ECP_C */
+
+int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
+                             const mbedtls_pk_context *key )
+{
+    int ret;
+    size_t len = 0;
+
+    PK_VALIDATE_RET( p != NULL );
+    PK_VALIDATE_RET( *p != NULL );
+    PK_VALIDATE_RET( start != NULL );
+    PK_VALIDATE_RET( key != NULL );
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_rsa_pubkey( p, start, mbedtls_pk_rsa( *key ) ) );
+    else
+#endif
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_pubkey( p, start, mbedtls_pk_ec( *key ) ) );
+    else
+#endif
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( (int) len );
+}
+
+int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char *c;
+    size_t len = 0, par_len = 0, oid_len;
+    const char *oid;
+
+    PK_VALIDATE_RET( key != NULL );
+    if( size == 0 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    PK_VALIDATE_RET( buf != NULL );
+
+    c = buf + size;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, key ) );
+
+    if( c - buf < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    /*
+     *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+     *       algorithm            AlgorithmIdentifier,
+     *       subjectPublicKey     BIT STRING }
+     */
+    *--c = 0;
+    len += 1;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) );
+
+    if( ( ret = mbedtls_oid_get_oid_by_pk_alg( mbedtls_pk_get_type( key ),
+                                       &oid, &oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, mbedtls_pk_ec( *key ) ) );
+    }
+#endif
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, buf, oid, oid_len,
+                                                        par_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char *c;
+    size_t len = 0;
+
+    PK_VALIDATE_RET( key != NULL );
+    if( size == 0 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+    PK_VALIDATE_RET( buf != NULL );
+
+    c = buf + size;
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+    {
+        mbedtls_mpi T; /* Temporary holding the exported parameters */
+        mbedtls_rsa_context *rsa = mbedtls_pk_rsa( *key );
+
+        /*
+         * Export the parameters one after another to avoid simultaneous copies.
+         */
+
+        mbedtls_mpi_init( &T );
+
+        /* Export QP */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, NULL, NULL, &T ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export DQ */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, NULL, &T, NULL ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export DP */
+        if( ( ret = mbedtls_rsa_export_crt( rsa, &T, NULL, NULL ) ) != 0 ||
+            ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export Q */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         &T, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export P */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, &T,
+                                         NULL, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export D */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         NULL, &T, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export E */
+        if ( ( ret = mbedtls_rsa_export( rsa, NULL, NULL,
+                                         NULL, NULL, &T ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+        /* Export N */
+        if ( ( ret = mbedtls_rsa_export( rsa, &T, NULL,
+                                         NULL, NULL, NULL ) ) != 0 ||
+             ( ret = mbedtls_asn1_write_mpi( &c, buf, &T ) ) < 0 )
+            goto end_of_export;
+        len += ret;
+
+    end_of_export:
+
+        mbedtls_mpi_free( &T );
+        if( ret < 0 )
+            return( ret );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 0 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c,
+                                               buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                               MBEDTLS_ASN1_SEQUENCE ) );
+    }
+    else
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        mbedtls_ecp_keypair *ec = mbedtls_pk_ec( *key );
+        size_t pub_len = 0, par_len = 0;
+
+        /*
+         * RFC 5915, or SEC1 Appendix C.4
+         *
+         * ECPrivateKey ::= SEQUENCE {
+         *      version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+         *      privateKey     OCTET STRING,
+         *      parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+         *      publicKey  [1] BIT STRING OPTIONAL
+         *    }
+         */
+
+        /* publicKey */
+        MBEDTLS_ASN1_CHK_ADD( pub_len, pk_write_ec_pubkey( &c, buf, ec ) );
+
+        if( c - buf < 1 )
+            return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+        *--c = 0;
+        pub_len += 1;
+
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_len( &c, buf, pub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_BIT_STRING ) );
+
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_len( &c, buf, pub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_asn1_write_tag( &c, buf,
+                            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) );
+        len += pub_len;
+
+        /* parameters */
+        MBEDTLS_ASN1_CHK_ADD( par_len, pk_write_ec_param( &c, buf, ec ) );
+
+        MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_len( &c, buf, par_len ) );
+        MBEDTLS_ASN1_CHK_ADD( par_len, mbedtls_asn1_write_tag( &c, buf,
+                            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+        len += par_len;
+
+        /* privateKey */
+        MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_private( &c, buf, ec ) );
+
+        /* version */
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 1 ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+    }
+    else
+#endif /* MBEDTLS_ECP_C */
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    return( (int) len );
+}
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+
+#define PEM_BEGIN_PUBLIC_KEY    "-----BEGIN PUBLIC KEY-----\n"
+#define PEM_END_PUBLIC_KEY      "-----END PUBLIC KEY-----\n"
+
+#define PEM_BEGIN_PRIVATE_KEY_RSA   "-----BEGIN RSA PRIVATE KEY-----\n"
+#define PEM_END_PRIVATE_KEY_RSA     "-----END RSA PRIVATE KEY-----\n"
+#define PEM_BEGIN_PRIVATE_KEY_EC    "-----BEGIN EC PRIVATE KEY-----\n"
+#define PEM_END_PRIVATE_KEY_EC      "-----END EC PRIVATE KEY-----\n"
+
+/*
+ * Max sizes of key per types. Shown as tag + len (+ content).
+ */
+
+#if defined(MBEDTLS_RSA_C)
+/*
+ * RSA public keys:
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {          1 + 3
+ *       algorithm            AlgorithmIdentifier,  1 + 1 (sequence)
+ *                                                + 1 + 1 + 9 (rsa oid)
+ *                                                + 1 + 1 (params null)
+ *       subjectPublicKey     BIT STRING }          1 + 3 + (1 + below)
+ *  RSAPublicKey ::= SEQUENCE {                     1 + 3
+ *      modulus           INTEGER,  -- n            1 + 3 + MPI_MAX + 1
+ *      publicExponent    INTEGER   -- e            1 + 3 + MPI_MAX + 1
+ *  }
+ */
+#define RSA_PUB_DER_MAX_BYTES   38 + 2 * MBEDTLS_MPI_MAX_SIZE
+
+/*
+ * RSA private keys:
+ *  RSAPrivateKey ::= SEQUENCE {                    1 + 3
+ *      version           Version,                  1 + 1 + 1
+ *      modulus           INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      publicExponent    INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      privateExponent   INTEGER,                  1 + 3 + MPI_MAX + 1
+ *      prime1            INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      prime2            INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      exponent1         INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      exponent2         INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      coefficient       INTEGER,                  1 + 3 + MPI_MAX / 2 + 1
+ *      otherPrimeInfos   OtherPrimeInfos OPTIONAL  0 (not supported)
+ *  }
+ */
+#define MPI_MAX_SIZE_2          MBEDTLS_MPI_MAX_SIZE / 2 + \
+                                MBEDTLS_MPI_MAX_SIZE % 2
+#define RSA_PRV_DER_MAX_BYTES   47 + 3 * MBEDTLS_MPI_MAX_SIZE \
+                                   + 5 * MPI_MAX_SIZE_2
+
+#else /* MBEDTLS_RSA_C */
+
+#define RSA_PUB_DER_MAX_BYTES   0
+#define RSA_PRV_DER_MAX_BYTES   0
+
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * EC public keys:
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {      1 + 2
+ *    algorithm         AlgorithmIdentifier,    1 + 1 (sequence)
+ *                                            + 1 + 1 + 7 (ec oid)
+ *                                            + 1 + 1 + 9 (namedCurve oid)
+ *    subjectPublicKey  BIT STRING              1 + 2 + 1               [1]
+ *                                            + 1 (point format)        [1]
+ *                                            + 2 * ECP_MAX (coords)    [1]
+ *  }
+ */
+#define ECP_PUB_DER_MAX_BYTES   30 + 2 * MBEDTLS_ECP_MAX_BYTES
+
+/*
+ * EC private keys:
+ * ECPrivateKey ::= SEQUENCE {                  1 + 2
+ *      version        INTEGER ,                1 + 1 + 1
+ *      privateKey     OCTET STRING,            1 + 1 + ECP_MAX
+ *      parameters [0] ECParameters OPTIONAL,   1 + 1 + (1 + 1 + 9)
+ *      publicKey  [1] BIT STRING OPTIONAL      1 + 2 + [1] above
+ *    }
+ */
+#define ECP_PRV_DER_MAX_BYTES   29 + 3 * MBEDTLS_ECP_MAX_BYTES
+
+#else /* MBEDTLS_ECP_C */
+
+#define ECP_PUB_DER_MAX_BYTES   0
+#define ECP_PRV_DER_MAX_BYTES   0
+
+#endif /* MBEDTLS_ECP_C */
+
+#define PUB_DER_MAX_BYTES   RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
+                            RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES
+#define PRV_DER_MAX_BYTES   RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \
+                            RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES
+
+int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char output_buf[PUB_DER_MAX_BYTES];
+    size_t olen = 0;
+
+    PK_VALIDATE_RET( key != NULL );
+    PK_VALIDATE_RET( buf != NULL || size == 0 );
+
+    if( ( ret = mbedtls_pk_write_pubkey_der( key, output_buf,
+                                     sizeof(output_buf) ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_pk_write_key_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
+{
+    int ret;
+    unsigned char output_buf[PRV_DER_MAX_BYTES];
+    const char *begin, *end;
+    size_t olen = 0;
+
+    PK_VALIDATE_RET( key != NULL );
+    PK_VALIDATE_RET( buf != NULL || size == 0 );
+
+    if( ( ret = mbedtls_pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 )
+        return( ret );
+
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
+    {
+        begin = PEM_BEGIN_PRIVATE_KEY_RSA;
+        end = PEM_END_PRIVATE_KEY_RSA;
+    }
+    else
+#endif
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
+    {
+        begin = PEM_BEGIN_PRIVATE_KEY_EC;
+        end = PEM_END_PRIVATE_KEY_EC;
+    }
+    else
+#endif
+        return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+
+    if( ( ret = mbedtls_pem_write_buffer( begin, end,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_PK_WRITE_C */
diff --git a/makerom/deps/libmbedtls/src/platform.c b/makerom/deps/libmbedtls/src/platform.c
new file mode 100644
index 00000000..73a6db9e
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/platform.c
@@ -0,0 +1,348 @@
+/*
+ *  Platform abstraction layer
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+
+#include "mbedtls/platform.h"
+#include "mbedtls/platform_util.h"
+
+/* The compile time configuration of memory allocation via the macros
+ * MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO takes precedence over the runtime
+ * configuration via mbedtls_platform_set_calloc_free(). So, omit everything
+ * related to the latter if MBEDTLS_PLATFORM_{FREE/CALLOC}_MACRO are defined. */
+#if defined(MBEDTLS_PLATFORM_MEMORY) &&                 \
+    !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&        \
+       defined(MBEDTLS_PLATFORM_FREE_MACRO) )
+
+#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
+static void *platform_calloc_uninit( size_t n, size_t size )
+{
+    ((void) n);
+    ((void) size);
+    return( NULL );
+}
+
+#define MBEDTLS_PLATFORM_STD_CALLOC   platform_calloc_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_CALLOC */
+
+#if !defined(MBEDTLS_PLATFORM_STD_FREE)
+static void platform_free_uninit( void *ptr )
+{
+    ((void) ptr);
+}
+
+#define MBEDTLS_PLATFORM_STD_FREE     platform_free_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FREE */
+
+static void * (*mbedtls_calloc_func)( size_t, size_t ) = MBEDTLS_PLATFORM_STD_CALLOC;
+static void (*mbedtls_free_func)( void * ) = MBEDTLS_PLATFORM_STD_FREE;
+
+void * mbedtls_calloc( size_t nmemb, size_t size )
+{
+    return (*mbedtls_calloc_func)( nmemb, size );
+}
+
+void mbedtls_free( void * ptr )
+{
+    (*mbedtls_free_func)( ptr );
+}
+
+int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
+                              void (*free_func)( void * ) )
+{
+    mbedtls_calloc_func = calloc_func;
+    mbedtls_free_func = free_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_MEMORY &&
+          !( defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&
+             defined(MBEDTLS_PLATFORM_FREE_MACRO) ) */
+
+#if defined(_WIN32)
+#include <stdarg.h>
+int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... )
+{
+    int ret;
+    va_list argp;
+
+    /* Avoid calling the invalid parameter handler by checking ourselves */
+    if( s == NULL || n == 0 || fmt == NULL )
+        return( -1 );
+
+    va_start( argp, fmt );
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
+    ret = _vsnprintf_s( s, n, _TRUNCATE, fmt, argp );
+#else
+    ret = _vsnprintf( s, n, fmt, argp );
+    if( ret < 0 || (size_t) ret == n )
+    {
+        s[n-1] = '\0';
+        ret = -1;
+    }
+#endif
+    va_end( argp );
+
+    return( ret );
+}
+#endif
+
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_snprintf_uninit( char * s, size_t n,
+                                     const char * format, ... )
+{
+    ((void) s);
+    ((void) n);
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_SNPRINTF    platform_snprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_SNPRINTF */
+
+int (*mbedtls_snprintf)( char * s, size_t n,
+                          const char * format,
+                          ... ) = MBEDTLS_PLATFORM_STD_SNPRINTF;
+
+int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
+                                                 const char * format,
+                                                 ... ) )
+{
+    mbedtls_snprintf = snprintf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_printf_uninit( const char *format, ... )
+{
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_PRINTF    platform_printf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_PRINTF */
+
+int (*mbedtls_printf)( const char *, ... ) = MBEDTLS_PLATFORM_STD_PRINTF;
+
+int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) )
+{
+    mbedtls_printf = printf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_fprintf_uninit( FILE *stream, const char *format, ... )
+{
+    ((void) stream);
+    ((void) format);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_FPRINTF   platform_fprintf_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_FPRINTF */
+
+int (*mbedtls_fprintf)( FILE *, const char *, ... ) =
+                                        MBEDTLS_PLATFORM_STD_FPRINTF;
+
+int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *, const char *, ... ) )
+{
+    mbedtls_fprintf = fprintf_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static void platform_exit_uninit( int status )
+{
+    ((void) status);
+}
+
+#define MBEDTLS_PLATFORM_STD_EXIT   platform_exit_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_EXIT */
+
+void (*mbedtls_exit)( int status ) = MBEDTLS_PLATFORM_STD_EXIT;
+
+int mbedtls_platform_set_exit( void (*exit_func)( int status ) )
+{
+    mbedtls_exit = exit_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME)
+
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_TIME)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static mbedtls_time_t platform_time_uninit( mbedtls_time_t* timer )
+{
+    ((void) timer);
+    return( 0 );
+}
+
+#define MBEDTLS_PLATFORM_STD_TIME   platform_time_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_TIME */
+
+mbedtls_time_t (*mbedtls_time)( mbedtls_time_t* timer ) = MBEDTLS_PLATFORM_STD_TIME;
+
+int mbedtls_platform_set_time( mbedtls_time_t (*time_func)( mbedtls_time_t* timer ) )
+{
+    mbedtls_time = time_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+
+#endif /* MBEDTLS_HAVE_TIME */
+
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO)
+/* Default implementations for the platform independent seed functions use
+ * standard libc file functions to read from and write to a pre-defined filename
+ */
+int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len )
+{
+    FILE *file;
+    size_t n;
+
+    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb" ) ) == NULL )
+        return( -1 );
+
+    if( ( n = fread( buf, 1, buf_len, file ) ) != buf_len )
+    {
+        fclose( file );
+        mbedtls_platform_zeroize( buf, buf_len );
+        return( -1 );
+    }
+
+    fclose( file );
+    return( (int)n );
+}
+
+int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len )
+{
+    FILE *file;
+    size_t n;
+
+    if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "w" ) ) == NULL )
+        return -1;
+
+    if( ( n = fwrite( buf, 1, buf_len, file ) ) != buf_len )
+    {
+        fclose( file );
+        return -1;
+    }
+
+    fclose( file );
+    return( (int)n );
+}
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_read_uninit( unsigned char *buf, size_t buf_len )
+{
+    ((void) buf);
+    ((void) buf_len);
+    return( -1 );
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_READ   platform_nv_seed_read_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_READ */
+
+#if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_WRITE)
+/*
+ * Make dummy function to prevent NULL pointer dereferences
+ */
+static int platform_nv_seed_write_uninit( unsigned char *buf, size_t buf_len )
+{
+    ((void) buf);
+    ((void) buf_len);
+    return( -1 );
+}
+
+#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE   platform_nv_seed_write_uninit
+#endif /* !MBEDTLS_PLATFORM_STD_NV_SEED_WRITE */
+
+int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len ) =
+            MBEDTLS_PLATFORM_STD_NV_SEED_READ;
+int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len ) =
+            MBEDTLS_PLATFORM_STD_NV_SEED_WRITE;
+
+int mbedtls_platform_set_nv_seed(
+        int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ),
+        int (*nv_seed_write_func)( unsigned char *buf, size_t buf_len ) )
+{
+    mbedtls_nv_seed_read = nv_seed_read_func;
+    mbedtls_nv_seed_write = nv_seed_write_func;
+    return( 0 );
+}
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+
+#if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+/*
+ * Placeholder platform setup that does nothing by default
+ */
+int mbedtls_platform_setup( mbedtls_platform_context *ctx )
+{
+    (void)ctx;
+
+    return( 0 );
+}
+
+/*
+ * Placeholder platform teardown that does nothing by default
+ */
+void mbedtls_platform_teardown( mbedtls_platform_context *ctx )
+{
+    (void)ctx;
+}
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+
+#endif /* MBEDTLS_PLATFORM_C */
diff --git a/makerom/deps/libmbedtls/src/platform_util.c b/makerom/deps/libmbedtls/src/platform_util.c
new file mode 100644
index 00000000..b1f74509
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/platform_util.c
@@ -0,0 +1,139 @@
+/*
+ * Common and shared functions used by multiple modules in the Mbed TLS
+ * library.
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of Mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#include "mbedtls/platform_util.h"
+#include "mbedtls/platform.h"
+#include "mbedtls/threading.h"
+
+#include <stddef.h>
+#include <string.h>
+
+#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
+/*
+ * This implementation should never be optimized out by the compiler
+ *
+ * This implementation for mbedtls_platform_zeroize() was inspired from Colin
+ * Percival's blog article at:
+ *
+ * http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
+ *
+ * It uses a volatile function pointer to the standard memset(). Because the
+ * pointer is volatile the compiler expects it to change at
+ * any time and will not optimize out the call that could potentially perform
+ * other operations on the input buffer instead of just setting it to 0.
+ * Nevertheless, as pointed out by davidtgoldblatt on Hacker News
+ * (refer to http://www.daemonology.net/blog/2014-09-05-erratum.html for
+ * details), optimizations of the following form are still possible:
+ *
+ * if( memset_func != memset )
+ *     memset_func( buf, 0, len );
+ *
+ * Note that it is extremely difficult to guarantee that
+ * mbedtls_platform_zeroize() will not be optimized out by aggressive compilers
+ * in a portable way. For this reason, Mbed TLS also provides the configuration
+ * option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
+ * mbedtls_platform_zeroize() to use a suitable implementation for their
+ * platform and needs.
+ */
+static void * (* const volatile memset_func)( void *, int, size_t ) = memset;
+
+void mbedtls_platform_zeroize( void *buf, size_t len )
+{
+    MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL );
+
+    if( len > 0 )
+        memset_func( buf, 0, len );
+}
+#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+#include <time.h>
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define PLATFORM_UTIL_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+
+struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
+                                      struct tm *tm_buf )
+{
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    return( ( gmtime_s( tm_buf, tt ) == 0 ) ? tm_buf : NULL );
+#elif !defined(PLATFORM_UTIL_USE_GMTIME)
+    return( gmtime_r( tt, tm_buf ) );
+#else
+    struct tm *lt;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( NULL );
+#endif /* MBEDTLS_THREADING_C */
+
+    lt = gmtime( tt );
+
+    if( lt != NULL )
+    {
+        memcpy( tm_buf, lt, sizeof( struct tm ) );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex ) != 0 )
+        return( NULL );
+#endif /* MBEDTLS_THREADING_C */
+
+    return( ( lt == NULL ) ? NULL : tm_buf );
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
diff --git a/makerom/deps/libmbedtls/src/poly1305.c b/makerom/deps/libmbedtls/src/poly1305.c
new file mode 100644
index 00000000..2b56c5f7
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/poly1305.c
@@ -0,0 +1,559 @@
+/**
+ * \file poly1305.c
+ *
+ * \brief Poly1305 authentication algorithm.
+ *
+ *  Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_POLY1305_C)
+
+#include "mbedtls/poly1305.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_POLY1305_ALT)
+
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+    !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
+/* Parameter validation macros */
+#define POLY1305_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
+#define POLY1305_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
+
+#define BYTES_TO_U32_LE( data, offset )                           \
+    ( (uint32_t) (data)[offset]                                     \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 )   \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 )  \
+          | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 )  \
+    )
+
+/*
+ * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
+ * However we provided an alternative for platforms without such a multiplier.
+ */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+static uint64_t mul64( uint32_t a, uint32_t b )
+{
+    /* a = al + 2**16 ah, b = bl + 2**16 bh */
+    const uint16_t al = (uint16_t) a;
+    const uint16_t bl = (uint16_t) b;
+    const uint16_t ah = a >> 16;
+    const uint16_t bh = b >> 16;
+
+    /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
+    const uint32_t lo = (uint32_t) al * bl;
+    const uint64_t me = (uint64_t)( (uint32_t) ah * bl ) + (uint32_t) al * bh;
+    const uint32_t hi = (uint32_t) ah * bh;
+
+    return( lo + ( me << 16 ) + ( (uint64_t) hi << 32 ) );
+}
+#else
+static inline uint64_t mul64( uint32_t a, uint32_t b )
+{
+    return( (uint64_t) a * b );
+}
+#endif
+
+
+/**
+ * \brief                   Process blocks with Poly1305.
+ *
+ * \param ctx               The Poly1305 context.
+ * \param nblocks           Number of blocks to process. Note that this
+ *                          function only processes full blocks.
+ * \param input             Buffer containing the input block(s).
+ * \param needs_padding     Set to 0 if the padding bit has already been
+ *                          applied to the input data before calling this
+ *                          function.  Otherwise, set this parameter to 1.
+ */
+static void poly1305_process( mbedtls_poly1305_context *ctx,
+                              size_t nblocks,
+                              const unsigned char *input,
+                              uint32_t needs_padding )
+{
+    uint64_t d0, d1, d2, d3;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t r0, r1, r2, r3;
+    uint32_t rs1, rs2, rs3;
+    size_t offset  = 0U;
+    size_t i;
+
+    r0 = ctx->r[0];
+    r1 = ctx->r[1];
+    r2 = ctx->r[2];
+    r3 = ctx->r[3];
+
+    rs1 = r1 + ( r1 >> 2U );
+    rs2 = r2 + ( r2 >> 2U );
+    rs3 = r3 + ( r3 >> 2U );
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Process full blocks */
+    for( i = 0U; i < nblocks; i++ )
+    {
+        /* The input block is treated as a 128-bit little-endian integer */
+        d0   = BYTES_TO_U32_LE( input, offset + 0  );
+        d1   = BYTES_TO_U32_LE( input, offset + 4  );
+        d2   = BYTES_TO_U32_LE( input, offset + 8  );
+        d3   = BYTES_TO_U32_LE( input, offset + 12 );
+
+        /* Compute: acc += (padded) block as a 130-bit integer */
+        d0  += (uint64_t) acc0;
+        d1  += (uint64_t) acc1 + ( d0 >> 32U );
+        d2  += (uint64_t) acc2 + ( d1 >> 32U );
+        d3  += (uint64_t) acc3 + ( d2 >> 32U );
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding;
+
+        /* Compute: acc *= r */
+        d0 = mul64( acc0, r0  ) +
+             mul64( acc1, rs3 ) +
+             mul64( acc2, rs2 ) +
+             mul64( acc3, rs1 );
+        d1 = mul64( acc0, r1  ) +
+             mul64( acc1, r0  ) +
+             mul64( acc2, rs3 ) +
+             mul64( acc3, rs2 ) +
+             mul64( acc4, rs1 );
+        d2 = mul64( acc0, r2  ) +
+             mul64( acc1, r1  ) +
+             mul64( acc2, r0  ) +
+             mul64( acc3, rs3 ) +
+             mul64( acc4, rs2 );
+        d3 = mul64( acc0, r3  ) +
+             mul64( acc1, r2  ) +
+             mul64( acc2, r1  ) +
+             mul64( acc3, r0  ) +
+             mul64( acc4, rs3 );
+        acc4 *= r0;
+
+        /* Compute: acc %= (2^130 - 5) (partial remainder) */
+        d1 += ( d0 >> 32 );
+        d2 += ( d1 >> 32 );
+        d3 += ( d2 >> 32 );
+        acc0 = (uint32_t) d0;
+        acc1 = (uint32_t) d1;
+        acc2 = (uint32_t) d2;
+        acc3 = (uint32_t) d3;
+        acc4 = (uint32_t) ( d3 >> 32 ) + acc4;
+
+        d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU );
+        acc4 &= 3U;
+        acc0 = (uint32_t) d0;
+        d0 = (uint64_t) acc1 + ( d0 >> 32U );
+        acc1 = (uint32_t) d0;
+        d0 = (uint64_t) acc2 + ( d0 >> 32U );
+        acc2 = (uint32_t) d0;
+        d0 = (uint64_t) acc3 + ( d0 >> 32U );
+        acc3 = (uint32_t) d0;
+        d0 = (uint64_t) acc4 + ( d0 >> 32U );
+        acc4 = (uint32_t) d0;
+
+        offset    += POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    ctx->acc[0] = acc0;
+    ctx->acc[1] = acc1;
+    ctx->acc[2] = acc2;
+    ctx->acc[3] = acc3;
+    ctx->acc[4] = acc4;
+}
+
+/**
+ * \brief                   Compute the Poly1305 MAC
+ *
+ * \param ctx               The Poly1305 context.
+ * \param mac               The buffer to where the MAC is written. Must be
+ *                          big enough to contain the 16-byte MAC.
+ */
+static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
+                                  unsigned char mac[16] )
+{
+    uint64_t d;
+    uint32_t g0, g1, g2, g3, g4;
+    uint32_t acc0, acc1, acc2, acc3, acc4;
+    uint32_t mask;
+    uint32_t mask_inv;
+
+    acc0 = ctx->acc[0];
+    acc1 = ctx->acc[1];
+    acc2 = ctx->acc[2];
+    acc3 = ctx->acc[3];
+    acc4 = ctx->acc[4];
+
+    /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
+     * We do this by calculating acc - (2^130 - 5), then checking if
+     * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
+     */
+
+    /* Calculate acc + -(2^130 - 5) */
+    d  = ( (uint64_t) acc0 + 5U );
+    g0 = (uint32_t) d;
+    d  = ( (uint64_t) acc1 + ( d >> 32 ) );
+    g1 = (uint32_t) d;
+    d  = ( (uint64_t) acc2 + ( d >> 32 ) );
+    g2 = (uint32_t) d;
+    d  = ( (uint64_t) acc3 + ( d >> 32 ) );
+    g3 = (uint32_t) d;
+    g4 = acc4 + (uint32_t) ( d >> 32U );
+
+    /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
+    mask = (uint32_t) 0U - ( g4 >> 2U );
+    mask_inv = ~mask;
+
+    /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
+    acc0 = ( acc0 & mask_inv ) | ( g0 & mask );
+    acc1 = ( acc1 & mask_inv ) | ( g1 & mask );
+    acc2 = ( acc2 & mask_inv ) | ( g2 & mask );
+    acc3 = ( acc3 & mask_inv ) | ( g3 & mask );
+
+    /* Add 's' */
+    d = (uint64_t) acc0 + ctx->s[0];
+    acc0 = (uint32_t) d;
+    d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U );
+    acc1 = (uint32_t) d;
+    d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U );
+    acc2 = (uint32_t) d;
+    acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
+
+    /* Compute MAC (128 least significant bits of the accumulator) */
+    mac[ 0] = (unsigned char)( acc0       );
+    mac[ 1] = (unsigned char)( acc0 >>  8 );
+    mac[ 2] = (unsigned char)( acc0 >> 16 );
+    mac[ 3] = (unsigned char)( acc0 >> 24 );
+    mac[ 4] = (unsigned char)( acc1       );
+    mac[ 5] = (unsigned char)( acc1 >>  8 );
+    mac[ 6] = (unsigned char)( acc1 >> 16 );
+    mac[ 7] = (unsigned char)( acc1 >> 24 );
+    mac[ 8] = (unsigned char)( acc2       );
+    mac[ 9] = (unsigned char)( acc2 >>  8 );
+    mac[10] = (unsigned char)( acc2 >> 16 );
+    mac[11] = (unsigned char)( acc2 >> 24 );
+    mac[12] = (unsigned char)( acc3       );
+    mac[13] = (unsigned char)( acc3 >>  8 );
+    mac[14] = (unsigned char)( acc3 >> 16 );
+    mac[15] = (unsigned char)( acc3 >> 24 );
+}
+
+void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
+{
+    POLY1305_VALIDATE( ctx != NULL );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+}
+
+void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
+}
+
+int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
+                             const unsigned char key[32] )
+{
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( key != NULL );
+
+    /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
+    ctx->r[0] = BYTES_TO_U32_LE( key, 0 )  & 0x0FFFFFFFU;
+    ctx->r[1] = BYTES_TO_U32_LE( key, 4 )  & 0x0FFFFFFCU;
+    ctx->r[2] = BYTES_TO_U32_LE( key, 8 )  & 0x0FFFFFFCU;
+    ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU;
+
+    ctx->s[0] = BYTES_TO_U32_LE( key, 16 );
+    ctx->s[1] = BYTES_TO_U32_LE( key, 20 );
+    ctx->s[2] = BYTES_TO_U32_LE( key, 24 );
+    ctx->s[3] = BYTES_TO_U32_LE( key, 28 );
+
+    /* Initial accumulator state */
+    ctx->acc[0] = 0U;
+    ctx->acc[1] = 0U;
+    ctx->acc[2] = 0U;
+    ctx->acc[3] = 0U;
+    ctx->acc[4] = 0U;
+
+    /* Queue initially empty */
+    mbedtls_platform_zeroize( ctx->queue, sizeof( ctx->queue ) );
+    ctx->queue_len = 0U;
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen )
+{
+    size_t offset    = 0U;
+    size_t remaining = ilen;
+    size_t queue_free_len;
+    size_t nblocks;
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
+    {
+        queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+        if( ilen < queue_free_len )
+        {
+            /* Not enough data to complete the block.
+             * Store this data with the other leftovers.
+             */
+            memcpy( &ctx->queue[ctx->queue_len],
+                    input,
+                    ilen );
+
+            ctx->queue_len += ilen;
+
+            remaining = 0U;
+        }
+        else
+        {
+            /* Enough data to produce a complete block */
+            memcpy( &ctx->queue[ctx->queue_len],
+                    input,
+                    queue_free_len );
+
+            ctx->queue_len = 0U;
+
+            poly1305_process( ctx, 1U, ctx->queue, 1U ); /* add padding bit */
+
+            offset    += queue_free_len;
+            remaining -= queue_free_len;
+        }
+    }
+
+    if( remaining >= POLY1305_BLOCK_SIZE_BYTES )
+    {
+        nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
+
+        poly1305_process( ctx, nblocks, &input[offset], 1U );
+
+        offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
+        remaining %= POLY1305_BLOCK_SIZE_BYTES;
+    }
+
+    if( remaining > 0U )
+    {
+        /* Store partial block */
+        ctx->queue_len = remaining;
+        memcpy( ctx->queue, &input[offset], remaining );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
+                             unsigned char mac[16] )
+{
+    POLY1305_VALIDATE_RET( ctx != NULL );
+    POLY1305_VALIDATE_RET( mac != NULL );
+
+    /* Process any leftover data */
+    if( ctx->queue_len > 0U )
+    {
+        /* Add padding bit */
+        ctx->queue[ctx->queue_len] = 1U;
+        ctx->queue_len++;
+
+        /* Pad with zeroes */
+        memset( &ctx->queue[ctx->queue_len],
+                0,
+                POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
+
+        poly1305_process( ctx, 1U,          /* Process 1 block */
+                          ctx->queue, 0U ); /* Already padded above */
+    }
+
+    poly1305_compute_mac( ctx, mac );
+
+    return( 0 );
+}
+
+int mbedtls_poly1305_mac( const unsigned char key[32],
+                          const unsigned char *input,
+                          size_t ilen,
+                          unsigned char mac[16] )
+{
+    mbedtls_poly1305_context ctx;
+    int ret;
+    POLY1305_VALIDATE_RET( key != NULL );
+    POLY1305_VALIDATE_RET( mac != NULL );
+    POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    mbedtls_poly1305_init( &ctx );
+
+    ret = mbedtls_poly1305_starts( &ctx, key );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_update( &ctx, input, ilen );
+    if( ret != 0 )
+        goto cleanup;
+
+    ret = mbedtls_poly1305_finish( &ctx, mac );
+
+cleanup:
+    mbedtls_poly1305_free( &ctx );
+    return( ret );
+}
+
+#endif /* MBEDTLS_POLY1305_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+static const unsigned char test_keys[2][32] =
+{
+    {
+        0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
+        0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
+        0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
+        0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
+    },
+    {
+        0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
+        0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
+        0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
+        0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
+    }
+};
+
+static const unsigned char test_data[2][127] =
+{
+    {
+        0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
+        0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
+        0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
+        0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
+        0x75, 0x70
+    },
+    {
+        0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
+        0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
+        0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+        0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
+        0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
+        0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
+        0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
+        0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
+        0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
+        0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
+        0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
+        0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
+        0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
+        0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
+        0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
+        0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
+    }
+};
+
+static const size_t test_data_len[2] =
+{
+    34U,
+    127U
+};
+
+static const unsigned char test_mac[2][16] =
+{
+    {
+        0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
+        0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
+    },
+    {
+        0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
+        0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
+    }
+};
+
+#define ASSERT( cond, args )            \
+    do                                  \
+    {                                   \
+        if( ! ( cond ) )                \
+        {                               \
+            if( verbose != 0 )          \
+                mbedtls_printf args;    \
+                                        \
+            return( -1 );               \
+        }                               \
+    }                                   \
+    while( 0 )
+
+int mbedtls_poly1305_self_test( int verbose )
+{
+    unsigned char mac[16];
+    unsigned i;
+    int ret;
+
+    for( i = 0U; i < 2U; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  Poly1305 test %u ", i );
+
+        ret = mbedtls_poly1305_mac( test_keys[i],
+                                    test_data[i],
+                                    test_data_len[i],
+                                    mac );
+        ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
+
+        ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_POLY1305_C */
diff --git a/makerom/deps/libmbedtls/src/ripemd160.c b/makerom/deps/libmbedtls/src/ripemd160.c
new file mode 100644
index 00000000..0791ae4c
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ripemd160.c
@@ -0,0 +1,559 @@
+/*
+ *  RIPE MD-160 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The RIPEMD-160 algorithm was designed by RIPE in 1996
+ *  http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html
+ *  http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RIPEMD160_C)
+
+#include "mbedtls/ripemd160.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_RIPEMD160_ALT)
+
+/*
+ * 32-bit integer manipulation macros (little endian)
+ */
+#ifndef GET_UINT32_LE
+#define GET_UINT32_LE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ]       )             \
+        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
+}
+#endif
+
+#ifndef PUT_UINT32_LE
+#define PUT_UINT32_LE(n,b,i)                                    \
+{                                                               \
+    (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
+    (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
+    (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
+    (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
+}
+#endif
+
+void mbedtls_ripemd160_init( mbedtls_ripemd160_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ripemd160_context ) );
+}
+
+void mbedtls_ripemd160_free( mbedtls_ripemd160_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ripemd160_context ) );
+}
+
+void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst,
+                        const mbedtls_ripemd160_context *src )
+{
+    *dst = *src;
+}
+
+/*
+ * RIPEMD-160 context setup
+ */
+int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx )
+{
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx )
+{
+    mbedtls_ripemd160_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+/*
+ * Process one block
+ */
+int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                        const unsigned char data[64] )
+{
+    uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+
+    GET_UINT32_LE( X[ 0], data,  0 );
+    GET_UINT32_LE( X[ 1], data,  4 );
+    GET_UINT32_LE( X[ 2], data,  8 );
+    GET_UINT32_LE( X[ 3], data, 12 );
+    GET_UINT32_LE( X[ 4], data, 16 );
+    GET_UINT32_LE( X[ 5], data, 20 );
+    GET_UINT32_LE( X[ 6], data, 24 );
+    GET_UINT32_LE( X[ 7], data, 28 );
+    GET_UINT32_LE( X[ 8], data, 32 );
+    GET_UINT32_LE( X[ 9], data, 36 );
+    GET_UINT32_LE( X[10], data, 40 );
+    GET_UINT32_LE( X[11], data, 44 );
+    GET_UINT32_LE( X[12], data, 48 );
+    GET_UINT32_LE( X[13], data, 52 );
+    GET_UINT32_LE( X[14], data, 56 );
+    GET_UINT32_LE( X[15], data, 60 );
+
+    A = Ap = ctx->state[0];
+    B = Bp = ctx->state[1];
+    C = Cp = ctx->state[2];
+    D = Dp = ctx->state[3];
+    E = Ep = ctx->state[4];
+
+#define F1( x, y, z )   ( (x) ^ (y) ^ (z) )
+#define F2( x, y, z )   ( ( (x) & (y) ) | ( ~(x) & (z) ) )
+#define F3( x, y, z )   ( ( (x) | ~(y) ) ^ (z) )
+#define F4( x, y, z )   ( ( (x) & (z) ) | ( (y) & ~(z) ) )
+#define F5( x, y, z )   ( (x) ^ ( (y) | ~(z) ) )
+
+#define S( x, n ) ( ( (x) << (n) ) | ( (x) >> (32 - (n)) ) )
+
+#define P( a, b, c, d, e, r, s, f, k )                \
+    do                                                \
+    {                                                 \
+        (a) += f( (b), (c), (d) ) + X[r] + (k);       \
+        (a) = S( (a), (s) ) + (e);                    \
+        (c) = S( (c), 10 );                           \
+    } while( 0 )
+
+#define P2( a, b, c, d, e, r, s, rp, sp )                               \
+    do                                                                  \
+    {                                                                   \
+        P( (a), (b), (c), (d), (e), (r), (s), F, K );                   \
+        P( a ## p, b ## p, c ## p, d ## p, e ## p,                      \
+           (rp), (sp), Fp, Kp );                                        \
+    } while( 0 )
+
+#define F   F1
+#define K   0x00000000
+#define Fp  F5
+#define Kp  0x50A28BE6
+    P2( A, B, C, D, E,  0, 11,  5,  8 );
+    P2( E, A, B, C, D,  1, 14, 14,  9 );
+    P2( D, E, A, B, C,  2, 15,  7,  9 );
+    P2( C, D, E, A, B,  3, 12,  0, 11 );
+    P2( B, C, D, E, A,  4,  5,  9, 13 );
+    P2( A, B, C, D, E,  5,  8,  2, 15 );
+    P2( E, A, B, C, D,  6,  7, 11, 15 );
+    P2( D, E, A, B, C,  7,  9,  4,  5 );
+    P2( C, D, E, A, B,  8, 11, 13,  7 );
+    P2( B, C, D, E, A,  9, 13,  6,  7 );
+    P2( A, B, C, D, E, 10, 14, 15,  8 );
+    P2( E, A, B, C, D, 11, 15,  8, 11 );
+    P2( D, E, A, B, C, 12,  6,  1, 14 );
+    P2( C, D, E, A, B, 13,  7, 10, 14 );
+    P2( B, C, D, E, A, 14,  9,  3, 12 );
+    P2( A, B, C, D, E, 15,  8, 12,  6 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F2
+#define K   0x5A827999
+#define Fp  F4
+#define Kp  0x5C4DD124
+    P2( E, A, B, C, D,  7,  7,  6,  9 );
+    P2( D, E, A, B, C,  4,  6, 11, 13 );
+    P2( C, D, E, A, B, 13,  8,  3, 15 );
+    P2( B, C, D, E, A,  1, 13,  7,  7 );
+    P2( A, B, C, D, E, 10, 11,  0, 12 );
+    P2( E, A, B, C, D,  6,  9, 13,  8 );
+    P2( D, E, A, B, C, 15,  7,  5,  9 );
+    P2( C, D, E, A, B,  3, 15, 10, 11 );
+    P2( B, C, D, E, A, 12,  7, 14,  7 );
+    P2( A, B, C, D, E,  0, 12, 15,  7 );
+    P2( E, A, B, C, D,  9, 15,  8, 12 );
+    P2( D, E, A, B, C,  5,  9, 12,  7 );
+    P2( C, D, E, A, B,  2, 11,  4,  6 );
+    P2( B, C, D, E, A, 14,  7,  9, 15 );
+    P2( A, B, C, D, E, 11, 13,  1, 13 );
+    P2( E, A, B, C, D,  8, 12,  2, 11 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F3
+#define K   0x6ED9EBA1
+#define Fp  F3
+#define Kp  0x6D703EF3
+    P2( D, E, A, B, C,  3, 11, 15,  9 );
+    P2( C, D, E, A, B, 10, 13,  5,  7 );
+    P2( B, C, D, E, A, 14,  6,  1, 15 );
+    P2( A, B, C, D, E,  4,  7,  3, 11 );
+    P2( E, A, B, C, D,  9, 14,  7,  8 );
+    P2( D, E, A, B, C, 15,  9, 14,  6 );
+    P2( C, D, E, A, B,  8, 13,  6,  6 );
+    P2( B, C, D, E, A,  1, 15,  9, 14 );
+    P2( A, B, C, D, E,  2, 14, 11, 12 );
+    P2( E, A, B, C, D,  7,  8,  8, 13 );
+    P2( D, E, A, B, C,  0, 13, 12,  5 );
+    P2( C, D, E, A, B,  6,  6,  2, 14 );
+    P2( B, C, D, E, A, 13,  5, 10, 13 );
+    P2( A, B, C, D, E, 11, 12,  0, 13 );
+    P2( E, A, B, C, D,  5,  7,  4,  7 );
+    P2( D, E, A, B, C, 12,  5, 13,  5 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F4
+#define K   0x8F1BBCDC
+#define Fp  F2
+#define Kp  0x7A6D76E9
+    P2( C, D, E, A, B,  1, 11,  8, 15 );
+    P2( B, C, D, E, A,  9, 12,  6,  5 );
+    P2( A, B, C, D, E, 11, 14,  4,  8 );
+    P2( E, A, B, C, D, 10, 15,  1, 11 );
+    P2( D, E, A, B, C,  0, 14,  3, 14 );
+    P2( C, D, E, A, B,  8, 15, 11, 14 );
+    P2( B, C, D, E, A, 12,  9, 15,  6 );
+    P2( A, B, C, D, E,  4,  8,  0, 14 );
+    P2( E, A, B, C, D, 13,  9,  5,  6 );
+    P2( D, E, A, B, C,  3, 14, 12,  9 );
+    P2( C, D, E, A, B,  7,  5,  2, 12 );
+    P2( B, C, D, E, A, 15,  6, 13,  9 );
+    P2( A, B, C, D, E, 14,  8,  9, 12 );
+    P2( E, A, B, C, D,  5,  6,  7,  5 );
+    P2( D, E, A, B, C,  6,  5, 10, 15 );
+    P2( C, D, E, A, B,  2, 12, 14,  8 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+#define F   F5
+#define K   0xA953FD4E
+#define Fp  F1
+#define Kp  0x00000000
+    P2( B, C, D, E, A,  4,  9, 12,  8 );
+    P2( A, B, C, D, E,  0, 15, 15,  5 );
+    P2( E, A, B, C, D,  5,  5, 10, 12 );
+    P2( D, E, A, B, C,  9, 11,  4,  9 );
+    P2( C, D, E, A, B,  7,  6,  1, 12 );
+    P2( B, C, D, E, A, 12,  8,  5,  5 );
+    P2( A, B, C, D, E,  2, 13,  8, 14 );
+    P2( E, A, B, C, D, 10, 12,  7,  6 );
+    P2( D, E, A, B, C, 14,  5,  6,  8 );
+    P2( C, D, E, A, B,  1, 12,  2, 13 );
+    P2( B, C, D, E, A,  3, 13, 13,  6 );
+    P2( A, B, C, D, E,  8, 14, 14,  5 );
+    P2( E, A, B, C, D, 11, 11,  0, 15 );
+    P2( D, E, A, B, C,  6,  8,  3, 13 );
+    P2( C, D, E, A, B, 15,  5,  9, 11 );
+    P2( B, C, D, E, A, 13,  6, 11, 11 );
+#undef F
+#undef K
+#undef Fp
+#undef Kp
+
+    C             = ctx->state[1] + C + Dp;
+    ctx->state[1] = ctx->state[2] + D + Ep;
+    ctx->state[2] = ctx->state[3] + E + Ap;
+    ctx->state[3] = ctx->state[4] + A + Bp;
+    ctx->state[4] = ctx->state[0] + B + Cp;
+    ctx->state[0] = C;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx,
+                                const unsigned char data[64] )
+{
+    mbedtls_internal_ripemd160_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */
+
+/*
+ * RIPEMD-160 process buffer
+ */
+int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx,
+                                  const unsigned char *input,
+                                  size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_ripemd160_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_ripemd160_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    mbedtls_ripemd160_update_ret( ctx, input, ilen );
+}
+#endif
+
+static const unsigned char ripemd160_padding[64] =
+{
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+/*
+ * RIPEMD-160 final digest
+ */
+int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx,
+                                  unsigned char output[20] )
+{
+    int ret;
+    uint32_t last, padn;
+    uint32_t high, low;
+    unsigned char msglen[8];
+
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_LE( low,  msglen, 0 );
+    PUT_UINT32_LE( high, msglen, 4 );
+
+    last = ctx->total[0] & 0x3F;
+    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
+
+    ret = mbedtls_ripemd160_update_ret( ctx, ripemd160_padding, padn );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_ripemd160_update_ret( ctx, msglen, 8 );
+    if( ret != 0 )
+        return( ret );
+
+    PUT_UINT32_LE( ctx->state[0], output,  0 );
+    PUT_UINT32_LE( ctx->state[1], output,  4 );
+    PUT_UINT32_LE( ctx->state[2], output,  8 );
+    PUT_UINT32_LE( ctx->state[3], output, 12 );
+    PUT_UINT32_LE( ctx->state[4], output, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx,
+                               unsigned char output[20] )
+{
+    mbedtls_ripemd160_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* ! MBEDTLS_RIPEMD160_ALT */
+
+/*
+ * output = RIPEMD-160( input buffer )
+ */
+int mbedtls_ripemd160_ret( const unsigned char *input,
+                           size_t ilen,
+                           unsigned char output[20] )
+{
+    int ret;
+    mbedtls_ripemd160_context ctx;
+
+    mbedtls_ripemd160_init( &ctx );
+
+    if( ( ret = mbedtls_ripemd160_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_ripemd160_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_ripemd160_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_ripemd160_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_ripemd160( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[20] )
+{
+    mbedtls_ripemd160_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * Test vectors from the RIPEMD-160 paper and
+ * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC
+ */
+#define TESTS   8
+static const unsigned char ripemd160_test_str[TESTS][81] =
+{
+    { "" },
+    { "a" },
+    { "abc" },
+    { "message digest" },
+    { "abcdefghijklmnopqrstuvwxyz" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
+    { "12345678901234567890123456789012345678901234567890123456789012"
+      "345678901234567890" },
+};
+
+static const size_t ripemd160_test_strlen[TESTS] =
+{
+    0, 1, 3, 14, 26, 56, 62, 80
+};
+
+static const unsigned char ripemd160_test_md[TESTS][20] =
+{
+    { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
+      0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 },
+    { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
+      0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe },
+    { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
+      0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc },
+    { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
+      0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 },
+    { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
+      0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc },
+    { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
+      0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b },
+    { 0xb0, 0xe2, 0x0b, 0x6e, 0x31, 0x16, 0x64, 0x02, 0x86, 0xed,
+      0x3a, 0x87, 0xa5, 0x71, 0x30, 0x79, 0xb2, 0x1f, 0x51, 0x89 },
+    { 0x9b, 0x75, 0x2e, 0x45, 0x57, 0x3d, 0x4b, 0x39, 0xf4, 0xdb,
+      0xd3, 0x32, 0x3c, 0xab, 0x82, 0xbf, 0x63, 0x32, 0x6b, 0xfb },
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_ripemd160_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char output[20];
+
+    memset( output, 0, sizeof output );
+
+    for( i = 0; i < TESTS; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  RIPEMD-160 test #%d: ", i + 1 );
+
+        ret = mbedtls_ripemd160_ret( ripemd160_test_str[i],
+                                     ripemd160_test_strlen[i], output );
+        if( ret != 0 )
+            goto fail;
+
+        if( memcmp( output, ripemd160_test_md[i], 20 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RIPEMD160_C */
diff --git a/makerom/deps/libmbedtls/src/rsa.c b/makerom/deps/libmbedtls/src/rsa.c
new file mode 100644
index 00000000..09fd379f
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/rsa.c
@@ -0,0 +1,2729 @@
+/*
+ *  The RSA public-key cryptosystem
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ *  The following sources were referenced in the design of this implementation
+ *  of the RSA algorithm:
+ *
+ *  [1] A method for obtaining digital signatures and public-key cryptosystems
+ *      R Rivest, A Shamir, and L Adleman
+ *      http://people.csail.mit.edu/rivest/pubs.html#RSA78
+ *
+ *  [2] Handbook of Applied Cryptography - 1997, Chapter 8
+ *      Menezes, van Oorschot and Vanstone
+ *
+ *  [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks
+ *      Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and
+ *      Stefan Mangard
+ *      https://arxiv.org/abs/1702.08719v2
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/rsa_internal.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PKCS1_V21)
+#include "mbedtls/md.h"
+#endif
+
+#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
+#include <stdlib.h>
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc calloc
+#define mbedtls_free   free
+#endif
+
+#if !defined(MBEDTLS_RSA_ALT)
+
+/* Parameter validation macros */
+#define RSA_VALIDATE_RET( cond )                                       \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+#define RSA_VALIDATE( cond )                                           \
+    MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if defined(MBEDTLS_PKCS1_V15)
+/* constant-time buffer comparison */
+static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    const unsigned char *A = (const unsigned char *) a;
+    const unsigned char *B = (const unsigned char *) b;
+    unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+        diff |= A[i] ^ B[i];
+
+    return( diff );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+int mbedtls_rsa_import( mbedtls_rsa_context *ctx,
+                        const mbedtls_mpi *N,
+                        const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                        const mbedtls_mpi *D, const mbedtls_mpi *E )
+{
+    int ret;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( ( N != NULL && ( ret = mbedtls_mpi_copy( &ctx->N, N ) ) != 0 ) ||
+        ( P != NULL && ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ) ||
+        ( Q != NULL && ( ret = mbedtls_mpi_copy( &ctx->Q, Q ) ) != 0 ) ||
+        ( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
+        ( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+
+    if( N != NULL )
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+
+    return( 0 );
+}
+
+int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx,
+                            unsigned char const *N, size_t N_len,
+                            unsigned char const *P, size_t P_len,
+                            unsigned char const *Q, size_t Q_len,
+                            unsigned char const *D, size_t D_len,
+                            unsigned char const *E, size_t E_len )
+{
+    int ret = 0;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( N != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->N, N, N_len ) );
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+    }
+
+    if( P != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->P, P, P_len ) );
+
+    if( Q != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->Q, Q, Q_len ) );
+
+    if( D != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->D, D, D_len ) );
+
+    if( E != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->E, E, E_len ) );
+
+cleanup:
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+
+    return( 0 );
+}
+
+/*
+ * Checks whether the context fields are set in such a way
+ * that the RSA primitives will be able to execute without error.
+ * It does *not* make guarantees for consistency of the parameters.
+ */
+static int rsa_check_context( mbedtls_rsa_context const *ctx, int is_priv,
+                              int blinding_needed )
+{
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* blinding_needed is only used for NO_CRT to decide whether
+     * P,Q need to be present or not. */
+    ((void) blinding_needed);
+#endif
+
+    if( ctx->len != mbedtls_mpi_size( &ctx->N ) ||
+        ctx->len > MBEDTLS_MPI_MAX_SIZE )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    /*
+     * 1. Modular exponentiation needs positive, odd moduli.
+     */
+
+    /* Modular exponentiation wrt. N is always used for
+     * RSA public key operations. */
+    if( mbedtls_mpi_cmp_int( &ctx->N, 0 ) <= 0 ||
+        mbedtls_mpi_get_bit( &ctx->N, 0 ) == 0  )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Modular exponentiation for P and Q is only
+     * used for private key operations and if CRT
+     * is used. */
+    if( is_priv &&
+        ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
+          mbedtls_mpi_get_bit( &ctx->P, 0 ) == 0 ||
+          mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ||
+          mbedtls_mpi_get_bit( &ctx->Q, 0 ) == 0  ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif /* !MBEDTLS_RSA_NO_CRT */
+
+    /*
+     * 2. Exponents must be positive
+     */
+
+    /* Always need E for public key operations */
+    if( mbedtls_mpi_cmp_int( &ctx->E, 0 ) <= 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+    /* For private key operations, use D or DP & DQ
+     * as (unblinded) exponents. */
+    if( is_priv && mbedtls_mpi_cmp_int( &ctx->D, 0 ) <= 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+#else
+    if( is_priv &&
+        ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) <= 0 ||
+          mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) <= 0  ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Blinding shouldn't make exponents negative either,
+     * so check that P, Q >= 1 if that hasn't yet been
+     * done as part of 1. */
+#if defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv && blinding_needed &&
+        ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) <= 0 ||
+          mbedtls_mpi_cmp_int( &ctx->Q, 0 ) <= 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif
+
+    /* It wouldn't lead to an error if it wasn't satisfied,
+     * but check for QP >= 1 nonetheless. */
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv &&
+        mbedtls_mpi_cmp_int( &ctx->QP, 0 ) <= 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_rsa_complete( mbedtls_rsa_context *ctx )
+{
+    int ret = 0;
+    int have_N, have_P, have_Q, have_D, have_E;
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    int have_DP, have_DQ, have_QP;
+#endif
+    int n_missing, pq_missing, d_missing, is_pub, is_priv;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    have_N = ( mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 );
+    have_P = ( mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 );
+    have_Q = ( mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 );
+    have_D = ( mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 );
+    have_E = ( mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0 );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    have_DP = ( mbedtls_mpi_cmp_int( &ctx->DP, 0 ) != 0 );
+    have_DQ = ( mbedtls_mpi_cmp_int( &ctx->DQ, 0 ) != 0 );
+    have_QP = ( mbedtls_mpi_cmp_int( &ctx->QP, 0 ) != 0 );
+#endif
+
+    /*
+     * Check whether provided parameters are enough
+     * to deduce all others. The following incomplete
+     * parameter sets for private keys are supported:
+     *
+     * (1) P, Q missing.
+     * (2) D and potentially N missing.
+     *
+     */
+
+    n_missing  =              have_P &&  have_Q &&  have_D && have_E;
+    pq_missing =   have_N && !have_P && !have_Q &&  have_D && have_E;
+    d_missing  =              have_P &&  have_Q && !have_D && have_E;
+    is_pub     =   have_N && !have_P && !have_Q && !have_D && have_E;
+
+    /* These three alternatives are mutually exclusive */
+    is_priv = n_missing || pq_missing || d_missing;
+
+    if( !is_priv && !is_pub )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Step 1: Deduce N if P, Q are provided.
+     */
+
+    if( !have_N && have_P && have_Q )
+    {
+        if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
+                                         &ctx->Q ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+        }
+
+        ctx->len = mbedtls_mpi_size( &ctx->N );
+    }
+
+    /*
+     * Step 2: Deduce and verify all remaining core parameters.
+     */
+
+    if( pq_missing )
+    {
+        ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
+                                         &ctx->P, &ctx->Q );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+
+    }
+    else if( d_missing )
+    {
+        if( ( ret = mbedtls_rsa_deduce_private_exponent( &ctx->P,
+                                                         &ctx->Q,
+                                                         &ctx->E,
+                                                         &ctx->D ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+        }
+    }
+
+    /*
+     * Step 3: Deduce all additional parameters specific
+     *         to our current RSA implementation.
+     */
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    if( is_priv && ! ( have_DP && have_DQ && have_QP ) )
+    {
+        ret = mbedtls_rsa_deduce_crt( &ctx->P,  &ctx->Q,  &ctx->D,
+                                      &ctx->DP, &ctx->DQ, &ctx->QP );
+        if( ret != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /*
+     * Step 3: Basic sanity checks
+     */
+
+    return( rsa_check_context( ctx, is_priv, 1 ) );
+}
+
+int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx,
+                            unsigned char *N, size_t N_len,
+                            unsigned char *P, size_t P_len,
+                            unsigned char *Q, size_t Q_len,
+                            unsigned char *D, size_t D_len,
+                            unsigned char *E, size_t E_len )
+{
+    int ret = 0;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    /* Check if key is private or public */
+    is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+    {
+        /* If we're trying to export private parameters for a public key,
+         * something must be wrong. */
+        if( P != NULL || Q != NULL || D != NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    }
+
+    if( N != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->N, N, N_len ) );
+
+    if( P != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->P, P, P_len ) );
+
+    if( Q != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->Q, Q, Q_len ) );
+
+    if( D != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->D, D, D_len ) );
+
+    if( E != NULL )
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->E, E, E_len ) );
+
+cleanup:
+
+    return( ret );
+}
+
+int mbedtls_rsa_export( const mbedtls_rsa_context *ctx,
+                        mbedtls_mpi *N, mbedtls_mpi *P, mbedtls_mpi *Q,
+                        mbedtls_mpi *D, mbedtls_mpi *E )
+{
+    int ret;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    /* Check if key is private or public */
+    is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+    {
+        /* If we're trying to export private parameters for a public key,
+         * something must be wrong. */
+        if( P != NULL || Q != NULL || D != NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    }
+
+    /* Export all requested core parameters. */
+
+    if( ( N != NULL && ( ret = mbedtls_mpi_copy( N, &ctx->N ) ) != 0 ) ||
+        ( P != NULL && ( ret = mbedtls_mpi_copy( P, &ctx->P ) ) != 0 ) ||
+        ( Q != NULL && ( ret = mbedtls_mpi_copy( Q, &ctx->Q ) ) != 0 ) ||
+        ( D != NULL && ( ret = mbedtls_mpi_copy( D, &ctx->D ) ) != 0 ) ||
+        ( E != NULL && ( ret = mbedtls_mpi_copy( E, &ctx->E ) ) != 0 ) )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Export CRT parameters
+ * This must also be implemented if CRT is not used, for being able to
+ * write DER encoded RSA keys. The helper function mbedtls_rsa_deduce_crt
+ * can be used in this case.
+ */
+int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx,
+                            mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP )
+{
+    int ret;
+    int is_priv;
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    /* Check if key is private or public */
+    is_priv =
+        mbedtls_mpi_cmp_int( &ctx->N, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->P, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->Q, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->D, 0 ) != 0 &&
+        mbedtls_mpi_cmp_int( &ctx->E, 0 ) != 0;
+
+    if( !is_priv )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Export all requested blinding parameters. */
+    if( ( DP != NULL && ( ret = mbedtls_mpi_copy( DP, &ctx->DP ) ) != 0 ) ||
+        ( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
+        ( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#else
+    if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                        DP, DQ, QP ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Initialize an RSA context
+ */
+void mbedtls_rsa_init( mbedtls_rsa_context *ctx,
+               int padding,
+               int hash_id )
+{
+    RSA_VALIDATE( ctx != NULL );
+    RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
+                  padding == MBEDTLS_RSA_PKCS_V21 );
+
+    memset( ctx, 0, sizeof( mbedtls_rsa_context ) );
+
+    mbedtls_rsa_set_padding( ctx, padding, hash_id );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+/*
+ * Set padding for an existing RSA context
+ */
+void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding,
+                              int hash_id )
+{
+    RSA_VALIDATE( ctx != NULL );
+    RSA_VALIDATE( padding == MBEDTLS_RSA_PKCS_V15 ||
+                  padding == MBEDTLS_RSA_PKCS_V21 );
+
+    ctx->padding = padding;
+    ctx->hash_id = hash_id;
+}
+
+/*
+ * Get length in bytes of RSA modulus
+ */
+
+size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx )
+{
+    return( ctx->len );
+}
+
+
+#if defined(MBEDTLS_GENPRIME)
+
+/*
+ * Generate an RSA keypair
+ *
+ * This generation method follows the RSA key pair generation procedure of
+ * FIPS 186-4 if 2^16 < exponent < 2^256 and nbits = 2048 or nbits = 3072.
+ */
+int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 unsigned int nbits, int exponent )
+{
+    int ret;
+    mbedtls_mpi H, G, L;
+    int prime_quality = 0;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( f_rng != NULL );
+
+    if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * If the modulus is 1024 bit long or shorter, then the security strength of
+     * the RSA algorithm is less than or equal to 80 bits and therefore an error
+     * rate of 2^-80 is sufficient.
+     */
+    if( nbits > 1024 )
+        prime_quality = MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR;
+
+    mbedtls_mpi_init( &H );
+    mbedtls_mpi_init( &G );
+    mbedtls_mpi_init( &L );
+
+    /*
+     * find primes P and Q with Q < P so that:
+     * 1.  |P-Q| > 2^( nbits / 2 - 100 )
+     * 2.  GCD( E, (P-1)*(Q-1) ) == 1
+     * 3.  E^-1 mod LCM(P-1, Q-1) > 2^( nbits / 2 )
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &ctx->E, exponent ) );
+
+    do
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->P, nbits >> 1,
+                                                prime_quality, f_rng, p_rng ) );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gen_prime( &ctx->Q, nbits >> 1,
+                                                prime_quality, f_rng, p_rng ) );
+
+        /* make sure the difference between p and q is not too small (FIPS 186-4 §B.3.3 step 5.4) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &H, &ctx->P, &ctx->Q ) );
+        if( mbedtls_mpi_bitlen( &H ) <= ( ( nbits >= 200 ) ? ( ( nbits >> 1 ) - 99 ) : 0 ) )
+            continue;
+
+        /* not required by any standards, but some users rely on the fact that P > Q */
+        if( H.s < 0 )
+            mbedtls_mpi_swap( &ctx->P, &ctx->Q );
+
+        /* Temporarily replace P,Q by P-1, Q-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->P, &ctx->P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &ctx->Q, &ctx->Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &H, &ctx->P, &ctx->Q ) );
+
+        /* check GCD( E, (P-1)*(Q-1) ) == 1 (FIPS 186-4 §B.3.1 criterion 2(a)) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->E, &H  ) );
+        if( mbedtls_mpi_cmp_int( &G, 1 ) != 0 )
+            continue;
+
+        /* compute smallest possible D = E^-1 mod LCM(P-1, Q-1) (FIPS 186-4 §B.3.1 criterion 3(b)) */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &G, &ctx->P, &ctx->Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &L, NULL, &H, &G ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->D, &ctx->E, &L ) );
+
+        if( mbedtls_mpi_bitlen( &ctx->D ) <= ( ( nbits + 1 ) / 2 ) ) // (FIPS 186-4 §B.3.1 criterion 3(a))
+            continue;
+
+        break;
+    }
+    while( 1 );
+
+    /* Restore P,Q */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->P,  &ctx->P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &ctx->Q,  &ctx->Q, 1 ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
+
+    ctx->len = mbedtls_mpi_size( &ctx->N );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /*
+     * DP = D mod (P - 1)
+     * DQ = D mod (Q - 1)
+     * QP = Q^-1 mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                             &ctx->DP, &ctx->DQ, &ctx->QP ) );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Double-check */
+    MBEDTLS_MPI_CHK( mbedtls_rsa_check_privkey( ctx ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &H );
+    mbedtls_mpi_free( &G );
+    mbedtls_mpi_free( &L );
+
+    if( ret != 0 )
+    {
+        mbedtls_rsa_free( ctx );
+        return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
+    }
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_GENPRIME */
+
+/*
+ * Check a public RSA key
+ */
+int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) != 0 )
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+
+    if( mbedtls_mpi_bitlen( &ctx->N ) < 128 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_mpi_get_bit( &ctx->E, 0 ) == 0 ||
+        mbedtls_mpi_bitlen( &ctx->E )     < 2  ||
+        mbedtls_mpi_cmp_mpi( &ctx->E, &ctx->N ) >= 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check for the consistency of all fields in an RSA private key context
+ */
+int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+
+    if( mbedtls_rsa_check_pubkey( ctx ) != 0 ||
+        rsa_check_context( ctx, 1 /* private */, 1 /* blinding */ ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_rsa_validate_params( &ctx->N, &ctx->P, &ctx->Q,
+                                     &ctx->D, &ctx->E, NULL, NULL ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    else if( mbedtls_rsa_validate_crt( &ctx->P, &ctx->Q, &ctx->D,
+                                       &ctx->DP, &ctx->DQ, &ctx->QP ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Check if contexts holding a public and private key match
+ */
+int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub,
+                                const mbedtls_rsa_context *prv )
+{
+    RSA_VALIDATE_RET( pub != NULL );
+    RSA_VALIDATE_RET( prv != NULL );
+
+    if( mbedtls_rsa_check_pubkey( pub )  != 0 ||
+        mbedtls_rsa_check_privkey( prv ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    if( mbedtls_mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
+        mbedtls_mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_KEY_CHECK_FAILED );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Do an RSA public key operation
+ */
+int mbedtls_rsa_public( mbedtls_rsa_context *ctx,
+                const unsigned char *input,
+                unsigned char *output )
+{
+    int ret;
+    size_t olen;
+    mbedtls_mpi T;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( output != NULL );
+
+    if( rsa_check_context( ctx, 0 /* public */, 0 /* no blinding */ ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    mbedtls_mpi_init( &T );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
+
+    if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    olen = ctx->len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    mbedtls_mpi_free( &T );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
+
+    return( 0 );
+}
+
+/*
+ * Generate or update blinding values, see section 10 of:
+ *  KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
+ *  DSS, and other systems. In : Advances in Cryptology-CRYPTO'96. Springer
+ *  Berlin Heidelberg, 1996. p. 104-113.
+ */
+static int rsa_prepare_blinding( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret, count = 0;
+
+    if( ctx->Vf.p != NULL )
+    {
+        /* We already have blinding values, just update them by squaring */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
+
+        goto cleanup;
+    }
+
+    /* Unblinding value: Vf = random number, invertible mod N */
+    do {
+        if( count++ > 10 )
+            return( MBEDTLS_ERR_RSA_RNG_FAILED );
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+    } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
+
+    /* Blinding value: Vi =  Vf^(-e) mod N */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
+
+
+cleanup:
+    return( ret );
+}
+
+/*
+ * Exponent blinding supposed to prevent side-channel attacks using multiple
+ * traces of measurements to recover the RSA key. The more collisions are there,
+ * the more bits of the key can be recovered. See [3].
+ *
+ * Collecting n collisions with m bit long blinding value requires 2^(m-m/n)
+ * observations on avarage.
+ *
+ * For example with 28 byte blinding to achieve 2 collisions the adversary has
+ * to make 2^112 observations on avarage.
+ *
+ * (With the currently (as of 2017 April) known best algorithms breaking 2048
+ * bit RSA requires approximately as much time as trying out 2^112 random keys.
+ * Thus in this sense with 28 byte blinding the security is not reduced by
+ * side-channel attacks like the one in [3])
+ *
+ * This countermeasure does not help if the key recovery is possible with a
+ * single trace.
+ */
+#define RSA_EXPONENT_BLINDING 28
+
+/*
+ * Do an RSA private key operation
+ */
+int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
+                 int (*f_rng)(void *, unsigned char *, size_t),
+                 void *p_rng,
+                 const unsigned char *input,
+                 unsigned char *output )
+{
+    int ret;
+    size_t olen;
+
+    /* Temporary holding the result */
+    mbedtls_mpi T;
+
+    /* Temporaries holding P-1, Q-1 and the
+     * exponent blinding factor, respectively. */
+    mbedtls_mpi P1, Q1, R;
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    /* Temporaries holding the results mod p resp. mod q. */
+    mbedtls_mpi TP, TQ;
+
+    /* Temporaries holding the blinded exponents for
+     * the mod p resp. mod q computation (if used). */
+    mbedtls_mpi DP_blind, DQ_blind;
+
+    /* Pointers to actual exponents to be used - either the unblinded
+     * or the blinded ones, depending on the presence of a PRNG. */
+    mbedtls_mpi *DP = &ctx->DP;
+    mbedtls_mpi *DQ = &ctx->DQ;
+#else
+    /* Temporary holding the blinded exponent (if used). */
+    mbedtls_mpi D_blind;
+
+    /* Pointer to actual exponent to be used - either the unblinded
+     * or the blinded one, depending on the presence of a PRNG. */
+    mbedtls_mpi *D = &ctx->D;
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    /* Temporaries holding the initial input and the double
+     * checked result; should be the same in the end. */
+    mbedtls_mpi I, C;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( input  != NULL );
+    RSA_VALIDATE_RET( output != NULL );
+
+    if( rsa_check_context( ctx, 1             /* private key checks */,
+                                f_rng != NULL /* blinding y/n       */ ) != 0 )
+    {
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    /* MPI Initialization */
+    mbedtls_mpi_init( &T );
+
+    mbedtls_mpi_init( &P1 );
+    mbedtls_mpi_init( &Q1 );
+    mbedtls_mpi_init( &R );
+
+    if( f_rng != NULL )
+    {
+#if defined(MBEDTLS_RSA_NO_CRT)
+        mbedtls_mpi_init( &D_blind );
+#else
+        mbedtls_mpi_init( &DP_blind );
+        mbedtls_mpi_init( &DQ_blind );
+#endif
+    }
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_init( &TP ); mbedtls_mpi_init( &TQ );
+#endif
+
+    mbedtls_mpi_init( &I );
+    mbedtls_mpi_init( &C );
+
+    /* End of MPI initialization */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &T, input, ctx->len ) );
+    if( mbedtls_mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &I, &T ) );
+
+    if( f_rng != NULL )
+    {
+        /*
+         * Blinding
+         * T = T * Vi mod N
+         */
+        MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
+
+        /*
+         * Exponent blinding
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) );
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+        /*
+         * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) );
+
+        D = &D_blind;
+#else
+        /*
+         * DP_blind = ( P - 1 ) * R + DP
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind,
+                    &ctx->DP ) );
+
+        DP = &DP_blind;
+
+        /*
+         * DQ_blind = ( Q - 1 ) * R + DQ
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING,
+                         f_rng, p_rng ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind,
+                    &ctx->DQ ) );
+
+        DQ = &DQ_blind;
+#endif /* MBEDTLS_RSA_NO_CRT */
+    }
+
+#if defined(MBEDTLS_RSA_NO_CRT)
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) );
+#else
+    /*
+     * Faster decryption using the CRT
+     *
+     * TP = input ^ dP mod P
+     * TQ = input ^ dQ mod Q
+     */
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TP, &T, DP, &ctx->P, &ctx->RP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &TQ, &T, DQ, &ctx->Q, &ctx->RQ ) );
+
+    /*
+     * T = (TP - TQ) * (Q^-1 mod P) mod P
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &T, &TP, &TQ ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->QP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &TP, &ctx->P ) );
+
+    /*
+     * T = TQ + T * Q
+     */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &TP, &T, &ctx->Q ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &T, &TQ, &TP ) );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+    if( f_rng != NULL )
+    {
+        /*
+         * Unblind
+         * T = T * Vf mod N
+         */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vf ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) );
+    }
+
+    /* Verify the result to prevent glitching attacks. */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &C, &T, &ctx->E,
+                                          &ctx->N, &ctx->RN ) );
+    if( mbedtls_mpi_cmp_mpi( &C, &I ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+    olen = ctx->len;
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &T, output, olen ) );
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    mbedtls_mpi_free( &P1 );
+    mbedtls_mpi_free( &Q1 );
+    mbedtls_mpi_free( &R );
+
+    if( f_rng != NULL )
+    {
+#if defined(MBEDTLS_RSA_NO_CRT)
+        mbedtls_mpi_free( &D_blind );
+#else
+        mbedtls_mpi_free( &DP_blind );
+        mbedtls_mpi_free( &DQ_blind );
+#endif
+    }
+
+    mbedtls_mpi_free( &T );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_free( &TP ); mbedtls_mpi_free( &TQ );
+#endif
+
+    mbedtls_mpi_free( &C );
+    mbedtls_mpi_free( &I );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/**
+ * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
+ *
+ * \param dst       buffer to mask
+ * \param dlen      length of destination buffer
+ * \param src       source of the mask generation
+ * \param slen      length of the source buffer
+ * \param md_ctx    message digest context to use
+ */
+static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src,
+                      size_t slen, mbedtls_md_context_t *md_ctx )
+{
+    unsigned char mask[MBEDTLS_MD_MAX_SIZE];
+    unsigned char counter[4];
+    unsigned char *p;
+    unsigned int hlen;
+    size_t i, use_len;
+    int ret = 0;
+
+    memset( mask, 0, MBEDTLS_MD_MAX_SIZE );
+    memset( counter, 0, 4 );
+
+    hlen = mbedtls_md_get_size( md_ctx->md_info );
+
+    /* Generate and apply dbMask */
+    p = dst;
+
+    while( dlen > 0 )
+    {
+        use_len = hlen;
+        if( dlen < hlen )
+            use_len = dlen;
+
+        if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 )
+            goto exit;
+
+        for( i = 0; i < use_len; ++i )
+            *p++ ^= mask[i];
+
+        counter[3]++;
+
+        dlen -= use_len;
+    }
+
+exit:
+    mbedtls_platform_zeroize( mask, sizeof( mask ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t ilen,
+                            const unsigned char *input,
+                            unsigned char *output )
+{
+    size_t olen;
+    int ret;
+    unsigned char *p = output;
+    unsigned int hlen;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( label_len == 0 || label != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( f_rng == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+    hlen = mbedtls_md_get_size( md_info );
+
+    /* first comparison checks for overflow */
+    if( ilen + 2 * hlen + 2 < ilen || olen < ilen + 2 * hlen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    memset( output, 0, olen );
+
+    *p++ = 0;
+
+    /* Generate a random octet string seed */
+    if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
+        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+    p += hlen;
+
+    /* Construct DB */
+    if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 )
+        return( ret );
+    p += hlen;
+    p += olen - 2 * hlen - 2 - ilen;
+    *p++ = 1;
+    memcpy( p, input, ilen );
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    /* maskedDB: Apply dbMask to DB */
+    if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+    /* maskedSeed: Apply seedMask to seed */
+    if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, output, output )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t ilen,
+                                 const unsigned char *input,
+                                 unsigned char *output )
+{
+    size_t nb_pad, olen;
+    int ret;
+    unsigned char *p = output;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+
+    /* first comparison checks for overflow */
+    if( ilen + 11 < ilen || olen < ilen + 11 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    nb_pad = olen - 3 - ilen;
+
+    *p++ = 0;
+    if( mode == MBEDTLS_RSA_PUBLIC )
+    {
+        if( f_rng == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        *p++ = MBEDTLS_RSA_CRYPT;
+
+        while( nb_pad-- > 0 )
+        {
+            int rng_dl = 100;
+
+            do {
+                ret = f_rng( p_rng, p, 1 );
+            } while( *p == 0 && --rng_dl && ret == 0 );
+
+            /* Check if RNG failed to generate data */
+            if( rng_dl == 0 || ret != 0 )
+                return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+            p++;
+        }
+    }
+    else
+    {
+        *p++ = MBEDTLS_RSA_SIGN;
+
+        while( nb_pad-- > 0 )
+            *p++ = 0xFF;
+    }
+
+    *p++ = 0;
+    memcpy( p, input, ilen );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, output, output )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Add the message padding, then do an RSA operation
+ */
+int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t ilen,
+                       const unsigned char *input,
+                       unsigned char *output )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
+                                                input, output );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
+                                           ilen, input, output );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
+                            int (*f_rng)(void *, unsigned char *, size_t),
+                            void *p_rng,
+                            int mode,
+                            const unsigned char *label, size_t label_len,
+                            size_t *olen,
+                            const unsigned char *input,
+                            unsigned char *output,
+                            size_t output_max_len )
+{
+    int ret;
+    size_t ilen, i, pad_len;
+    unsigned char *p, bad, pad_done;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
+    unsigned int hlen;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( label_len == 0 || label != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
+    /*
+     * Parameters sanity checks
+     */
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ilen = ctx->len;
+
+    if( ilen < 16 || ilen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    // checking for integer underflow
+    if( 2 * hlen + 2 > ilen )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * RSA operation
+     */
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, input, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
+
+    if( ret != 0 )
+        goto cleanup;
+
+    /*
+     * Unmask data and generate lHash
+     */
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+    {
+        mbedtls_md_free( &md_ctx );
+        goto cleanup;
+    }
+
+    /* seed: Apply seedMask to maskedSeed */
+    if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
+                          &md_ctx ) ) != 0 ||
+    /* DB: Apply dbMask to maskedDB */
+        ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
+                          &md_ctx ) ) != 0 )
+    {
+        mbedtls_md_free( &md_ctx );
+        goto cleanup;
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    /* Generate lHash */
+    if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * Check contents, in "constant-time"
+     */
+    p = buf;
+    bad = 0;
+
+    bad |= *p++; /* First byte must be 0 */
+
+    p += hlen; /* Skip seed */
+
+    /* Check lHash */
+    for( i = 0; i < hlen; i++ )
+        bad |= lhash[i] ^ *p++;
+
+    /* Get zero-padding len, but always read till end of buffer
+     * (minus one, for the 01 byte) */
+    pad_len = 0;
+    pad_done = 0;
+    for( i = 0; i < ilen - 2 * hlen - 2; i++ )
+    {
+        pad_done |= p[i];
+        pad_len += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
+    }
+
+    p += pad_len;
+    bad |= *p++ ^ 0x01;
+
+    /*
+     * The only information "leaked" is whether the padding was correct or not
+     * (eg, no data is copied if it was not correct). This meets the
+     * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
+     * the different error conditions.
+     */
+    if( bad != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto cleanup;
+    }
+
+    if( ilen - ( p - buf ) > output_max_len )
+    {
+        ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
+        goto cleanup;
+    }
+
+    *olen = ilen - (p - buf);
+    memcpy( output, p, *olen );
+    ret = 0;
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+    mbedtls_platform_zeroize( lhash, sizeof( lhash ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/** Turn zero-or-nonzero into zero-or-all-bits-one, without branches.
+ *
+ * \param value     The value to analyze.
+ * \return          Zero if \p value is zero, otherwise all-bits-one.
+ */
+static unsigned all_or_nothing_int( unsigned value )
+{
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+}
+
+/** Check whether a size is out of bounds, without branches.
+ *
+ * This is equivalent to `size > max`, but is likely to be compiled to
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param size      Size to check.
+ * \param max       Maximum desired value for \p size.
+ * \return          \c 0 if `size <= max`.
+ * \return          \c 1 if `size > max`.
+ */
+static unsigned size_greater_than( size_t size, size_t max )
+{
+    /* Return the sign bit (1 for negative) of (max - size). */
+    return( ( max - size ) >> ( sizeof( size_t ) * 8 - 1 ) );
+}
+
+/** Choose between two integer values, without branches.
+ *
+ * This is equivalent to `cond ? if1 : if0`, but is likely to be compiled
+ * to code using bitwise operation rather than a branch.
+ *
+ * \param cond      Condition to test.
+ * \param if1       Value to use if \p cond is nonzero.
+ * \param if0       Value to use if \p cond is zero.
+ * \return          \c if1 if \p cond is nonzero, otherwise \c if0.
+ */
+static unsigned if_int( unsigned cond, unsigned if1, unsigned if0 )
+{
+    unsigned mask = all_or_nothing_int( cond );
+    return( ( mask & if1 ) | (~mask & if0 ) );
+}
+
+/** Shift some data towards the left inside a buffer without leaking
+ * the length of the data through side channels.
+ *
+ * `mem_move_to_left(start, total, offset)` is functionally equivalent to
+ * ```
+ * memmove(start, start + offset, total - offset);
+ * memset(start + offset, 0, total - offset);
+ * ```
+ * but it strives to use a memory access pattern (and thus total timing)
+ * that does not depend on \p offset. This timing independence comes at
+ * the expense of performance.
+ *
+ * \param start     Pointer to the start of the buffer.
+ * \param total     Total size of the buffer.
+ * \param offset    Offset from which to copy \p total - \p offset bytes.
+ */
+static void mem_move_to_left( void *start,
+                              size_t total,
+                              size_t offset )
+{
+    volatile unsigned char *buf = start;
+    size_t i, n;
+    if( total == 0 )
+        return;
+    for( i = 0; i < total; i++ )
+    {
+        unsigned no_op = size_greater_than( total - offset, i );
+        /* The first `total - offset` passes are a no-op. The last
+         * `offset` passes shift the data one byte to the left and
+         * zero out the last byte. */
+        for( n = 0; n < total - 1; n++ )
+        {
+            unsigned char current = buf[n];
+            unsigned char next = buf[n+1];
+            buf[n] = if_int( no_op, current, next );
+        }
+        buf[total-1] = if_int( no_op, buf[total-1], 0 );
+    }
+}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
+ */
+int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode, size_t *olen,
+                                 const unsigned char *input,
+                                 unsigned char *output,
+                                 size_t output_max_len )
+{
+    int ret;
+    size_t ilen, i, plaintext_max_size;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    /* The following variables take sensitive values: their value must
+     * not leak into the observable behavior of the function other than
+     * the designated outputs (output, olen, return value). Otherwise
+     * this would open the execution of the function to
+     * side-channel-based variants of the Bleichenbacher padding oracle
+     * attack. Potential side channels include overall timing, memory
+     * access patterns (especially visible to an adversary who has access
+     * to a shared memory cache), and branches (especially visible to
+     * an adversary who has access to a shared code cache or to a shared
+     * branch predictor). */
+    size_t pad_count = 0;
+    unsigned bad = 0;
+    unsigned char pad_done = 0;
+    size_t plaintext_size = 0;
+    unsigned output_too_large;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
+    ilen = ctx->len;
+    plaintext_max_size = ( output_max_len > ilen - 11 ?
+                           ilen - 11 :
+                           output_max_len );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( ilen < 16 || ilen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, input, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
+
+    if( ret != 0 )
+        goto cleanup;
+
+    /* Check and get padding length in constant time and constant
+     * memory trace. The first byte must be 0. */
+    bad |= buf[0];
+
+    if( mode == MBEDTLS_RSA_PRIVATE )
+    {
+        /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
+         * where PS must be at least 8 nonzero bytes. */
+        bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
+
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count. */
+        for( i = 2; i < ilen; i++ )
+        {
+            pad_done  |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
+            pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
+        }
+    }
+    else
+    {
+        /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
+         * where PS must be at least 8 bytes with the value 0xFF. */
+        bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
+
+        /* Read the whole buffer. Set pad_done to nonzero if we find
+         * the 0x00 byte and remember the padding length in pad_count.
+         * If there's a non-0xff byte in the padding, the padding is bad. */
+        for( i = 2; i < ilen; i++ )
+        {
+            pad_done |= if_int( buf[i], 0, 1 );
+            pad_count += if_int( pad_done, 0, 1 );
+            bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
+        }
+    }
+
+    /* If pad_done is still zero, there's no data, only unfinished padding. */
+    bad |= if_int( pad_done, 0, 1 );
+
+    /* There must be at least 8 bytes of padding. */
+    bad |= size_greater_than( 8, pad_count );
+
+    /* If the padding is valid, set plaintext_size to the number of
+     * remaining bytes after stripping the padding. If the padding
+     * is invalid, avoid leaking this fact through the size of the
+     * output: use the maximum message size that fits in the output
+     * buffer. Do it without branches to avoid leaking the padding
+     * validity through timing. RSA keys are small enough that all the
+     * size_t values involved fit in unsigned int. */
+    plaintext_size = if_int( bad,
+                             (unsigned) plaintext_max_size,
+                             (unsigned) ( ilen - pad_count - 3 ) );
+
+    /* Set output_too_large to 0 if the plaintext fits in the output
+     * buffer and to 1 otherwise. */
+    output_too_large = size_greater_than( plaintext_size,
+                                          plaintext_max_size );
+
+    /* Set ret without branches to avoid timing attacks. Return:
+     * - INVALID_PADDING if the padding is bad (bad != 0).
+     * - OUTPUT_TOO_LARGE if the padding is good but the decrypted
+     *   plaintext does not fit in the output buffer.
+     * - 0 if the padding is correct. */
+    ret = - (int) if_int( bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
+                  if_int( output_too_large, - MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
+                          0 ) );
+
+    /* If the padding is bad or the plaintext is too large, zero the
+     * data that we're about to copy to the output buffer.
+     * We need to copy the same amount of data
+     * from the same buffer whether the padding is good or not to
+     * avoid leaking the padding validity through overall timing or
+     * through memory or cache access patterns. */
+    bad = all_or_nothing_int( bad | output_too_large );
+    for( i = 11; i < ilen; i++ )
+        buf[i] &= ~bad;
+
+    /* If the plaintext is too large, truncate it to the buffer size.
+     * Copy anyway to avoid revealing the length through timing, because
+     * revealing the length is as bad as revealing the padding validity
+     * for a Bleichenbacher attack. */
+    plaintext_size = if_int( output_too_large,
+                             (unsigned) plaintext_max_size,
+                             (unsigned) plaintext_size );
+
+    /* Move the plaintext to the leftmost position where it can start in
+     * the working buffer, i.e. make it start plaintext_max_size from
+     * the end of the buffer. Do this with a memory access trace that
+     * does not depend on the plaintext size. After this move, the
+     * starting location of the plaintext is no longer sensitive
+     * information. */
+    mem_move_to_left( buf + ilen - plaintext_max_size,
+                      plaintext_max_size,
+                      plaintext_max_size - plaintext_size );
+
+    /* Finally copy the decrypted plaintext plus trailing zeros
+     * into the output buffer. */
+    memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
+
+    /* Report the amount of data we copied to the output buffer. In case
+     * of errors (bad padding or output too large), the value of *olen
+     * when this function returns is not specified. Making it equivalent
+     * to the good case limits the risks of leaking the padding validity. */
+    *olen = plaintext_size;
+
+cleanup:
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation, then remove the message padding
+ */
+int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng,
+                       int mode, size_t *olen,
+                       const unsigned char *input,
+                       unsigned char *output,
+                       size_t output_max_len)
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
+    RSA_VALIDATE_RET( input != NULL );
+    RSA_VALIDATE_RET( olen != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsaes_pkcs1_v15_decrypt( ctx, f_rng, p_rng, mode, olen,
+                                                input, output, output_max_len );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsaes_oaep_decrypt( ctx, f_rng, p_rng, mode, NULL, 0,
+                                           olen, input, output,
+                                           output_max_len );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+                         int (*f_rng)(void *, unsigned char *, size_t),
+                         void *p_rng,
+                         int mode,
+                         mbedtls_md_type_t md_alg,
+                         unsigned int hashlen,
+                         const unsigned char *hash,
+                         unsigned char *sig )
+{
+    size_t olen;
+    unsigned char *p = sig;
+    unsigned char salt[MBEDTLS_MD_MAX_SIZE];
+    size_t slen, min_slen, hlen, offset = 0;
+    int ret;
+    size_t msb;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    if( f_rng == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    olen = ctx->len;
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /* Gather length of hash to sign */
+        md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+    }
+
+    md_info = mbedtls_md_info_from_type( (mbedtls_md_type_t) ctx->hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    /* Calculate the largest possible salt length. Normally this is the hash
+     * length, which is the maximum length the salt can have. If there is not
+     * enough room, use the maximum salt length that fits. The constraint is
+     * that the hash length plus the salt length plus 2 bytes must be at most
+     * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+     * (PKCS#1 v2.2) §9.1.1 step 3. */
+    min_slen = hlen - 2;
+    if( olen < hlen + min_slen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    else if( olen >= hlen + hlen + 2 )
+        slen = hlen;
+    else
+        slen = olen - hlen - 2;
+
+    memset( sig, 0, olen );
+
+    /* Generate salt of length slen */
+    if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
+        return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+
+    /* Note: EMSA-PSS encoding is over the length of N - 1 bits */
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+    p += olen - hlen - slen - 2;
+    *p++ = 0x01;
+    memcpy( p, salt, slen );
+    p += slen;
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    /* Generate H = Hash( M' ) */
+    if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 )
+        goto exit;
+    if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 )
+        goto exit;
+
+    /* Compensate for boundary condition when applying mask */
+    if( msb % 8 == 0 )
+        offset = 1;
+
+    /* maskedDB: Apply dbMask to DB */
+    if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen,
+                          &md_ctx ) ) != 0 )
+        goto exit;
+
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+    sig[0] &= 0xFF >> ( olen * 8 - msb );
+
+    p += hlen;
+    *p++ = 0xBC;
+
+    mbedtls_platform_zeroize( salt, sizeof( salt ) );
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    if( ret != 0 )
+        return( ret );
+
+    return( ( mode == MBEDTLS_RSA_PUBLIC )
+            ? mbedtls_rsa_public(  ctx, sig, sig )
+            : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
+ */
+
+/* Construct a PKCS v1.5 encoding of a hashed message
+ *
+ * This is used both for signature generation and verification.
+ *
+ * Parameters:
+ * - md_alg:  Identifies the hash algorithm used to generate the given hash;
+ *            MBEDTLS_MD_NONE if raw data is signed.
+ * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE.
+ * - hash:    Buffer containing the hashed message or the raw data.
+ * - dst_len: Length of the encoded message.
+ * - dst:     Buffer to hold the encoded message.
+ *
+ * Assumptions:
+ * - hash has size hashlen if md_alg == MBEDTLS_MD_NONE.
+ * - hash has size corresponding to md_alg if md_alg != MBEDTLS_MD_NONE.
+ * - dst points to a buffer of size at least dst_len.
+ *
+ */
+static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg,
+                                        unsigned int hashlen,
+                                        const unsigned char *hash,
+                                        size_t dst_len,
+                                        unsigned char *dst )
+{
+    size_t oid_size  = 0;
+    size_t nb_pad    = dst_len;
+    unsigned char *p = dst;
+    const char *oid  = NULL;
+
+    /* Are we signing hashed or raw data? */
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+
+        /* Double-check that 8 + hashlen + oid_size can be used as a
+         * 1-byte ASN.1 length encoding and that there's no overflow. */
+        if( 8 + hashlen + oid_size  >= 0x80         ||
+            10 + hashlen            <  hashlen      ||
+            10 + hashlen + oid_size <  10 + hashlen )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        /*
+         * Static bounds check:
+         * - Need 10 bytes for five tag-length pairs.
+         *   (Insist on 1-byte length encodings to protect against variants of
+         *    Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification)
+         * - Need hashlen bytes for hash
+         * - Need oid_size bytes for hash alg OID.
+         */
+        if( nb_pad < 10 + hashlen + oid_size )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+        nb_pad -= 10 + hashlen + oid_size;
+    }
+    else
+    {
+        if( nb_pad < hashlen )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        nb_pad -= hashlen;
+    }
+
+    /* Need space for signature header and padding delimiter (3 bytes),
+     * and 8 bytes for the minimal padding */
+    if( nb_pad < 3 + 8 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    nb_pad -= 3;
+
+    /* Now nb_pad is the amount of memory to be filled
+     * with padding, and at least 8 bytes long. */
+
+    /* Write signature header and padding */
+    *p++ = 0;
+    *p++ = MBEDTLS_RSA_SIGN;
+    memset( p, 0xFF, nb_pad );
+    p += nb_pad;
+    *p++ = 0;
+
+    /* Are we signing raw data? */
+    if( md_alg == MBEDTLS_MD_NONE )
+    {
+        memcpy( p, hash, hashlen );
+        return( 0 );
+    }
+
+    /* Signing hashed data, add corresponding ASN.1 structure
+     *
+     * DigestInfo ::= SEQUENCE {
+     *   digestAlgorithm DigestAlgorithmIdentifier,
+     *   digest Digest }
+     * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+     * Digest ::= OCTET STRING
+     *
+     * Schematic:
+     * TAG-SEQ + LEN [ TAG-SEQ + LEN [ TAG-OID  + LEN [ OID  ]
+     *                                 TAG-NULL + LEN [ NULL ] ]
+     *                 TAG-OCTET + LEN [ HASH ] ]
+     */
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x08 + oid_size + hashlen );
+    *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
+    *p++ = (unsigned char)( 0x04 + oid_size );
+    *p++ = MBEDTLS_ASN1_OID;
+    *p++ = (unsigned char) oid_size;
+    memcpy( p, oid, oid_size );
+    p += oid_size;
+    *p++ = MBEDTLS_ASN1_NULL;
+    *p++ = 0x00;
+    *p++ = MBEDTLS_ASN1_OCTET_STRING;
+    *p++ = (unsigned char) hashlen;
+    memcpy( p, hash, hashlen );
+    p += hashlen;
+
+    /* Just a sanity-check, should be automatic
+     * after the initial bounds check. */
+    if( p != dst + dst_len )
+    {
+        mbedtls_platform_zeroize( dst, dst_len );
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               unsigned char *sig )
+{
+    int ret;
+    unsigned char *sig_try = NULL, *verif = NULL;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Prepare PKCS1-v1.5 encoding (padding and hash identifier)
+     */
+
+    if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash,
+                                             ctx->len, sig ) ) != 0 )
+        return( ret );
+
+    /*
+     * Call respective RSA primitive
+     */
+
+    if( mode == MBEDTLS_RSA_PUBLIC )
+    {
+        /* Skip verification on a public key operation */
+        return( mbedtls_rsa_public( ctx, sig, sig ) );
+    }
+
+    /* Private key operation
+     *
+     * In order to prevent Lenstra's attack, make the signature in a
+     * temporary buffer and check it before returning it.
+     */
+
+    sig_try = mbedtls_calloc( 1, ctx->len );
+    if( sig_try == NULL )
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+
+    verif = mbedtls_calloc( 1, ctx->len );
+    if( verif == NULL )
+    {
+        mbedtls_free( sig_try );
+        return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
+
+    if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
+        goto cleanup;
+    }
+
+    memcpy( sig, sig_try, ctx->len );
+
+cleanup:
+    mbedtls_free( sig_try );
+    mbedtls_free( verif );
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation to sign the message digest
+ */
+int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
+                    int (*f_rng)(void *, unsigned char *, size_t),
+                    void *p_rng,
+                    int mode,
+                    mbedtls_md_type_t md_alg,
+                    unsigned int hashlen,
+                    const unsigned char *hash,
+                    unsigned char *sig )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+    RSA_VALIDATE_RET( sig != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg,
+                                              hashlen, hash, sig );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
+                                        hashlen, hash, sig );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+#if defined(MBEDTLS_PKCS1_V21)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
+                               int (*f_rng)(void *, unsigned char *, size_t),
+                               void *p_rng,
+                               int mode,
+                               mbedtls_md_type_t md_alg,
+                               unsigned int hashlen,
+                               const unsigned char *hash,
+                               mbedtls_md_type_t mgf1_hash_id,
+                               int expected_salt_len,
+                               const unsigned char *sig )
+{
+    int ret;
+    size_t siglen;
+    unsigned char *p;
+    unsigned char *hash_start;
+    unsigned char result[MBEDTLS_MD_MAX_SIZE];
+    unsigned char zeros[8];
+    unsigned int hlen;
+    size_t observed_salt_len, msb;
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    siglen = ctx->len;
+
+    if( siglen < 16 || siglen > sizeof( buf ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, sig, buf )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf );
+
+    if( ret != 0 )
+        return( ret );
+
+    p = buf;
+
+    if( buf[siglen - 1] != 0xBC )
+        return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+
+    if( md_alg != MBEDTLS_MD_NONE )
+    {
+        /* Gather length of hash to sign */
+        md_info = mbedtls_md_info_from_type( md_alg );
+        if( md_info == NULL )
+            return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = mbedtls_md_get_size( md_info );
+    }
+
+    md_info = mbedtls_md_info_from_type( mgf1_hash_id );
+    if( md_info == NULL )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    hlen = mbedtls_md_get_size( md_info );
+
+    memset( zeros, 0, 8 );
+
+    /*
+     * Note: EMSA-PSS verification is over the length of N - 1 bits
+     */
+    msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
+
+    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /* Compensate for boundary condition when applying mask */
+    if( msb % 8 == 0 )
+    {
+        p++;
+        siglen -= 1;
+    }
+
+    if( siglen < hlen + 2 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+    hash_start = p + siglen - hlen - 1;
+
+    mbedtls_md_init( &md_ctx );
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 )
+        goto exit;
+
+    ret = mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx );
+    if( ret != 0 )
+        goto exit;
+
+    buf[0] &= 0xFF >> ( siglen * 8 - msb );
+
+    while( p < hash_start - 1 && *p == 0 )
+        p++;
+
+    if( *p++ != 0x01 )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto exit;
+    }
+
+    observed_salt_len = hash_start - p;
+
+    if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY &&
+        observed_salt_len != (size_t) expected_salt_len )
+    {
+        ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
+        goto exit;
+    }
+
+    /*
+     * Generate H = Hash( M' )
+     */
+    ret = mbedtls_md_starts( &md_ctx );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, zeros, 8 );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, hash, hashlen );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_update( &md_ctx, p, observed_salt_len );
+    if ( ret != 0 )
+        goto exit;
+    ret = mbedtls_md_finish( &md_ctx, result );
+    if ( ret != 0 )
+        goto exit;
+
+    if( memcmp( hash_start, result, hlen ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto exit;
+    }
+
+exit:
+    mbedtls_md_free( &md_ctx );
+
+    return( ret );
+}
+
+/*
+ * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
+                           int (*f_rng)(void *, unsigned char *, size_t),
+                           void *p_rng,
+                           int mode,
+                           mbedtls_md_type_t md_alg,
+                           unsigned int hashlen,
+                           const unsigned char *hash,
+                           const unsigned char *sig )
+{
+    mbedtls_md_type_t mgf1_hash_id;
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    mgf1_hash_id = ( ctx->hash_id != MBEDTLS_MD_NONE )
+                             ? (mbedtls_md_type_t) ctx->hash_id
+                             : md_alg;
+
+    return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode,
+                                       md_alg, hashlen, hash,
+                                       mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY,
+                                       sig ) );
+
+}
+#endif /* MBEDTLS_PKCS1_V21 */
+
+#if defined(MBEDTLS_PKCS1_V15)
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
+ */
+int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng,
+                                 int mode,
+                                 mbedtls_md_type_t md_alg,
+                                 unsigned int hashlen,
+                                 const unsigned char *hash,
+                                 const unsigned char *sig )
+{
+    int ret = 0;
+    size_t sig_len;
+    unsigned char *encoded = NULL, *encoded_expected = NULL;
+
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    sig_len = ctx->len;
+
+    if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
+        return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+
+    /*
+     * Prepare expected PKCS1 v1.5 encoding of hash.
+     */
+
+    if( ( encoded          = mbedtls_calloc( 1, sig_len ) ) == NULL ||
+        ( encoded_expected = mbedtls_calloc( 1, sig_len ) ) == NULL )
+    {
+        ret = MBEDTLS_ERR_MPI_ALLOC_FAILED;
+        goto cleanup;
+    }
+
+    if( ( ret = rsa_rsassa_pkcs1_v15_encode( md_alg, hashlen, hash, sig_len,
+                                             encoded_expected ) ) != 0 )
+        goto cleanup;
+
+    /*
+     * Apply RSA primitive to get what should be PKCS1 encoded hash.
+     */
+
+    ret = ( mode == MBEDTLS_RSA_PUBLIC )
+          ? mbedtls_rsa_public(  ctx, sig, encoded )
+          : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded );
+    if( ret != 0 )
+        goto cleanup;
+
+    /*
+     * Compare
+     */
+
+    if( ( ret = mbedtls_safer_memcmp( encoded, encoded_expected,
+                                      sig_len ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;
+        goto cleanup;
+    }
+
+cleanup:
+
+    if( encoded != NULL )
+    {
+        mbedtls_platform_zeroize( encoded, sig_len );
+        mbedtls_free( encoded );
+    }
+
+    if( encoded_expected != NULL )
+    {
+        mbedtls_platform_zeroize( encoded_expected, sig_len );
+        mbedtls_free( encoded_expected );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Do an RSA operation and check the message digest
+ */
+int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng,
+                      int mode,
+                      mbedtls_md_type_t md_alg,
+                      unsigned int hashlen,
+                      const unsigned char *hash,
+                      const unsigned char *sig )
+{
+    RSA_VALIDATE_RET( ctx != NULL );
+    RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
+                      mode == MBEDTLS_RSA_PUBLIC );
+    RSA_VALIDATE_RET( sig != NULL );
+    RSA_VALIDATE_RET( ( md_alg  == MBEDTLS_MD_NONE &&
+                        hashlen == 0 ) ||
+                      hash != NULL );
+
+    switch( ctx->padding )
+    {
+#if defined(MBEDTLS_PKCS1_V15)
+        case MBEDTLS_RSA_PKCS_V15:
+            return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg,
+                                                hashlen, hash, sig );
+#endif
+
+#if defined(MBEDTLS_PKCS1_V21)
+        case MBEDTLS_RSA_PKCS_V21:
+            return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg,
+                                          hashlen, hash, sig );
+#endif
+
+        default:
+            return( MBEDTLS_ERR_RSA_INVALID_PADDING );
+    }
+}
+
+/*
+ * Copy the components of an RSA key
+ */
+int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src )
+{
+    int ret;
+    RSA_VALIDATE_RET( dst != NULL );
+    RSA_VALIDATE_RET( src != NULL );
+
+    dst->ver = src->ver;
+    dst->len = src->len;
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->E, &src->E ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->D, &src->D ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->P, &src->P ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Q, &src->Q ) );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DP, &src->DP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->DQ, &src->DQ ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->QP, &src->QP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RP, &src->RP ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RQ, &src->RQ ) );
+#endif
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->RN, &src->RN ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vi, &src->Vi ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->Vf, &src->Vf ) );
+
+    dst->padding = src->padding;
+    dst->hash_id = src->hash_id;
+
+cleanup:
+    if( ret != 0 )
+        mbedtls_rsa_free( dst );
+
+    return( ret );
+}
+
+/*
+ * Free the components of an RSA key
+ */
+void mbedtls_rsa_free( mbedtls_rsa_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_mpi_free( &ctx->Vi );
+    mbedtls_mpi_free( &ctx->Vf );
+    mbedtls_mpi_free( &ctx->RN );
+    mbedtls_mpi_free( &ctx->D  );
+    mbedtls_mpi_free( &ctx->Q  );
+    mbedtls_mpi_free( &ctx->P  );
+    mbedtls_mpi_free( &ctx->E  );
+    mbedtls_mpi_free( &ctx->N  );
+
+#if !defined(MBEDTLS_RSA_NO_CRT)
+    mbedtls_mpi_free( &ctx->RQ );
+    mbedtls_mpi_free( &ctx->RP );
+    mbedtls_mpi_free( &ctx->QP );
+    mbedtls_mpi_free( &ctx->DQ );
+    mbedtls_mpi_free( &ctx->DP );
+#endif /* MBEDTLS_RSA_NO_CRT */
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+}
+
+#endif /* !MBEDTLS_RSA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/sha1.h"
+
+/*
+ * Example RSA-1024 keypair, for test purposes
+ */
+#define KEY_LEN 128
+
+#define RSA_N   "9292758453063D803DD603D5E777D788" \
+                "8ED1D5BF35786190FA2F23EBC0848AEA" \
+                "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
+                "7130B9CED7ACDF54CFC7555AC14EEBAB" \
+                "93A89813FBF3C4F8066D2D800F7C38A8" \
+                "1AE31942917403FF4946B0A83D3D3E05" \
+                "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
+                "5E94BB77B07507233A0BC7BAC8F90F79"
+
+#define RSA_E   "10001"
+
+#define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
+                "66CA472BC44D253102F8B4A9D3BFA750" \
+                "91386C0077937FE33FA3252D28855837" \
+                "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
+                "DF79C5CE07EE72C7F123142198164234" \
+                "CABB724CF78B8173B9F880FC86322407" \
+                "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
+                "071513A1E85B5DFA031F21ECAE91A34D"
+
+#define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
+                "2C01CAD19EA484A87EA4377637E75500" \
+                "FCB2005C5C7DD6EC4AC023CDA285D796" \
+                "C3D9E75E1EFC42488BB4F1D13AC30A57"
+
+#define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
+                "E211C2B9E5DB1ED0BF61D0D9899620F4" \
+                "910E4168387E3C30AA1E00C339A79508" \
+                "8452DD96A9A5EA5D9DCA68DA636032AF"
+
+#define PT_LEN  24
+#define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
+                "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
+
+#if defined(MBEDTLS_PKCS1_V15)
+static int myrand( void *rng_state, unsigned char *output, size_t len )
+{
+#if !defined(__OpenBSD__)
+    size_t i;
+
+    if( rng_state != NULL )
+        rng_state  = NULL;
+
+    for( i = 0; i < len; ++i )
+        output[i] = rand();
+#else
+    if( rng_state != NULL )
+        rng_state = NULL;
+
+    arc4random_buf( output, len );
+#endif /* !OpenBSD */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PKCS1_V15 */
+
+/*
+ * Checkup routine
+ */
+int mbedtls_rsa_self_test( int verbose )
+{
+    int ret = 0;
+#if defined(MBEDTLS_PKCS1_V15)
+    size_t len;
+    mbedtls_rsa_context rsa;
+    unsigned char rsa_plaintext[PT_LEN];
+    unsigned char rsa_decrypted[PT_LEN];
+    unsigned char rsa_ciphertext[KEY_LEN];
+#if defined(MBEDTLS_SHA1_C)
+    unsigned char sha1sum[20];
+#endif
+
+    mbedtls_mpi K;
+
+    mbedtls_mpi_init( &K );
+    mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_N  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, &K, NULL, NULL, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_P  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, &K, NULL, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_Q  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, &K, NULL, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_D  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, &K, NULL ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &K, 16, RSA_E  ) );
+    MBEDTLS_MPI_CHK( mbedtls_rsa_import( &rsa, NULL, NULL, NULL, NULL, &K ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_rsa_complete( &rsa ) );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  RSA key validation: " );
+
+    if( mbedtls_rsa_check_pubkey(  &rsa ) != 0 ||
+        mbedtls_rsa_check_privkey( &rsa ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 encryption : " );
+
+    memcpy( rsa_plaintext, RSA_PT, PT_LEN );
+
+    if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC,
+                                   PT_LEN, rsa_plaintext,
+                                   rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 decryption : " );
+
+    if( mbedtls_rsa_pkcs1_decrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE,
+                                   &len, rsa_ciphertext, rsa_decrypted,
+                                   sizeof(rsa_decrypted) ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+#if defined(MBEDTLS_SHA1_C)
+    if( verbose != 0 )
+        mbedtls_printf( "  PKCS#1 data sign  : " );
+
+    if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        return( 1 );
+    }
+
+    if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL,
+                                MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0,
+                                sha1sum, rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  PKCS#1 sig. verify: " );
+
+    if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL,
+                                  MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0,
+                                  sha1sum, rsa_ciphertext ) != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        ret = 1;
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+#endif /* MBEDTLS_SHA1_C */
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+cleanup:
+    mbedtls_mpi_free( &K );
+    mbedtls_rsa_free( &rsa );
+#else /* MBEDTLS_PKCS1_V15 */
+    ((void) verbose);
+#endif /* MBEDTLS_PKCS1_V15 */
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/makerom/deps/libmbedtls/src/rsa_internal.c b/makerom/deps/libmbedtls/src/rsa_internal.c
new file mode 100644
index 00000000..9a42d47c
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/rsa_internal.c
@@ -0,0 +1,492 @@
+/*
+ *  Helper functions for the RSA module
+ *
+ *  Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ *
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_RSA_C)
+
+#include "mbedtls/rsa.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/rsa_internal.h"
+
+/*
+ * Compute RSA prime factors from public and private exponents
+ *
+ * Summary of algorithm:
+ * Setting F := lcm(P-1,Q-1), the idea is as follows:
+ *
+ * (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
+ *     is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
+ *     square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
+ *     possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
+ *     or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
+ *     factors of N.
+ *
+ * (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
+ *     construction still applies since (-)^K is the identity on the set of
+ *     roots of 1 in Z/NZ.
+ *
+ * The public and private key primitives (-)^E and (-)^D are mutually inverse
+ * bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
+ * if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
+ * Splitting L = 2^t * K with K odd, we have
+ *
+ *   DE - 1 = FL = (F/2) * (2^(t+1)) * K,
+ *
+ * so (F / 2) * K is among the numbers
+ *
+ *   (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
+ *
+ * where ord is the order of 2 in (DE - 1).
+ * We can therefore iterate through these numbers apply the construction
+ * of (a) and (b) above to attempt to factor N.
+ *
+ */
+int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,
+                     mbedtls_mpi const *E, mbedtls_mpi const *D,
+                     mbedtls_mpi *P, mbedtls_mpi *Q )
+{
+    int ret = 0;
+
+    uint16_t attempt;  /* Number of current attempt  */
+    uint16_t iter;     /* Number of squares computed in the current attempt */
+
+    uint16_t order;    /* Order of 2 in DE - 1 */
+
+    mbedtls_mpi T;  /* Holds largest odd divisor of DE - 1     */
+    mbedtls_mpi K;  /* Temporary holding the current candidate */
+
+    const unsigned char primes[] = { 2,
+           3,    5,    7,   11,   13,   17,   19,   23,
+          29,   31,   37,   41,   43,   47,   53,   59,
+          61,   67,   71,   73,   79,   83,   89,   97,
+         101,  103,  107,  109,  113,  127,  131,  137,
+         139,  149,  151,  157,  163,  167,  173,  179,
+         181,  191,  193,  197,  199,  211,  223,  227,
+         229,  233,  239,  241,  251
+    };
+
+    const size_t num_primes = sizeof( primes ) / sizeof( *primes );
+
+    if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||
+        mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
+        mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
+    {
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    }
+
+    /*
+     * Initializations and temporary changes
+     */
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &T );
+
+    /* T := DE - 1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D,  E ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );
+
+    if( ( order = (uint16_t) mbedtls_mpi_lsb( &T ) ) == 0 )
+    {
+        ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /* After this operation, T holds the largest odd divisor of DE - 1. */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );
+
+    /*
+     * Actual work
+     */
+
+    /* Skip trying 2 if N == 1 mod 8 */
+    attempt = 0;
+    if( N->p[0] % 8 == 1 )
+        attempt = 1;
+
+    for( ; attempt < num_primes; ++attempt )
+    {
+        mbedtls_mpi_lset( &K, primes[attempt] );
+
+        /* Check if gcd(K,N) = 1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
+        if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )
+            continue;
+
+        /* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
+         * and check whether they have nontrivial GCD with N. */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,
+                             Q /* temporarily use Q for storing Montgomery
+                                * multiplication helper values */ ) );
+
+        for( iter = 1; iter <= order; ++iter )
+        {
+            /* If we reach 1 prematurely, there's no point
+             * in continuing to square K */
+            if( mbedtls_mpi_cmp_int( &K, 1 ) == 0 )
+                break;
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
+
+            if( mbedtls_mpi_cmp_int( P, 1 ) ==  1 &&
+                mbedtls_mpi_cmp_mpi( P, N ) == -1 )
+            {
+                /*
+                 * Have found a nontrivial divisor P of N.
+                 * Set Q := N / P.
+                 */
+
+                MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );
+                goto cleanup;
+            }
+
+            MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );
+            MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );
+        }
+
+        /*
+         * If we get here, then either we prematurely aborted the loop because
+         * we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
+         * be 1 if D,E,N were consistent.
+         * Check if that's the case and abort if not, to avoid very long,
+         * yet eventually failing, computations if N,D,E were not sane.
+         */
+        if( mbedtls_mpi_cmp_int( &K, 1 ) != 0 )
+        {
+            break;
+        }
+    }
+
+    ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &T );
+    return( ret );
+}
+
+/*
+ * Given P, Q and the public exponent E, deduce D.
+ * This is essentially a modular inversion.
+ */
+int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
+                                         mbedtls_mpi const *Q,
+                                         mbedtls_mpi const *E,
+                                         mbedtls_mpi *D )
+{
+    int ret = 0;
+    mbedtls_mpi K, L;
+
+    if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+    if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||
+        mbedtls_mpi_cmp_int( E, 0 ) == 0 )
+    {
+        return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+    }
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /* Temporarily put K := P-1 and L := Q-1 */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
+
+    /* Temporarily put D := gcd(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );
+
+    /* K := LCM(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );
+
+    /* Compute modular inverse of E in LCM(P-1, Q-1) */
+    MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    return( ret );
+}
+
+/*
+ * Check that RSA CRT parameters are in accordance with core parameters.
+ */
+int mbedtls_rsa_validate_crt( const mbedtls_mpi *P,  const mbedtls_mpi *Q,
+                              const mbedtls_mpi *D,  const mbedtls_mpi *DP,
+                              const mbedtls_mpi *DQ, const mbedtls_mpi *QP )
+{
+    int ret = 0;
+
+    mbedtls_mpi K, L;
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /* Check that DP - D == 0 mod P - 1 */
+    if( DP != NULL )
+    {
+        if( P == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /* Check that DQ - D == 0 mod Q - 1 */
+    if( DQ != NULL )
+    {
+        if( Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
+
+        if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /* Check that QP * Q - 1 == 0 mod P */
+    if( QP != NULL )
+    {
+        if( P == NULL || Q == NULL )
+        {
+            ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    /* Wrap MPI error codes by RSA check failure error code */
+    if( ret != 0 &&
+        ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
+        ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
+    {
+        ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+    }
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    return( ret );
+}
+
+/*
+ * Check that core RSA parameters are sane.
+ */
+int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
+                                 const mbedtls_mpi *Q, const mbedtls_mpi *D,
+                                 const mbedtls_mpi *E,
+                                 int (*f_rng)(void *, unsigned char *, size_t),
+                                 void *p_rng )
+{
+    int ret = 0;
+    mbedtls_mpi K, L;
+
+    mbedtls_mpi_init( &K );
+    mbedtls_mpi_init( &L );
+
+    /*
+     * Step 1: If PRNG provided, check that P and Q are prime
+     */
+
+#if defined(MBEDTLS_GENPRIME)
+    /*
+     * When generating keys, the strongest security we support aims for an error
+     * rate of at most 2^-100 and we are aiming for the same certainty here as
+     * well.
+     */
+    if( f_rng != NULL && P != NULL &&
+        ( ret = mbedtls_mpi_is_prime_ext( P, 50, f_rng, p_rng ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+        goto cleanup;
+    }
+
+    if( f_rng != NULL && Q != NULL &&
+        ( ret = mbedtls_mpi_is_prime_ext( Q, 50, f_rng, p_rng ) ) != 0 )
+    {
+        ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+        goto cleanup;
+    }
+#else
+    ((void) f_rng);
+    ((void) p_rng);
+#endif /* MBEDTLS_GENPRIME */
+
+    /*
+     * Step 2: Check that 1 < N = P * Q
+     */
+
+    if( P != NULL && Q != NULL && N != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );
+        if( mbedtls_mpi_cmp_int( N, 1 )  <= 0 ||
+            mbedtls_mpi_cmp_mpi( &K, N ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /*
+     * Step 3: Check and 1 < D, E < N if present.
+     */
+
+    if( N != NULL && D != NULL && E != NULL )
+    {
+        if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
+             mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
+             mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
+             mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+    /*
+     * Step 4: Check that D, E are inverse modulo P-1 and Q-1
+     */
+
+    if( P != NULL && Q != NULL && D != NULL && E != NULL )
+    {
+        if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
+            mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+
+        /* Compute DE-1 mod P-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+
+        /* Compute DE-1 mod Q-1 */
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
+        if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
+        {
+            ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+            goto cleanup;
+        }
+    }
+
+cleanup:
+
+    mbedtls_mpi_free( &K );
+    mbedtls_mpi_free( &L );
+
+    /* Wrap MPI error codes by RSA check failure error code */
+    if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
+    {
+        ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
+    }
+
+    return( ret );
+}
+
+int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
+                            const mbedtls_mpi *D, mbedtls_mpi *DP,
+                            mbedtls_mpi *DQ, mbedtls_mpi *QP )
+{
+    int ret = 0;
+    mbedtls_mpi K;
+    mbedtls_mpi_init( &K );
+
+    /* DP = D mod P-1 */
+    if( DP != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1  ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );
+    }
+
+    /* DQ = D mod Q-1 */
+    if( DQ != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1  ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );
+    }
+
+    /* QP = Q^{-1} mod P */
+    if( QP != NULL )
+    {
+        MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );
+    }
+
+cleanup:
+    mbedtls_mpi_free( &K );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_RSA_C */
diff --git a/makerom/deps/libmbedtls/src/sha1.c b/makerom/deps/libmbedtls/src/sha1.c
new file mode 100644
index 00000000..355c83d2
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/sha1.c
@@ -0,0 +1,573 @@
+/*
+ *  FIPS-180-1 compliant SHA-1 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SHA-1 standard was published by NIST in 1993.
+ *
+ *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+
+#include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#define SHA1_VALIDATE_RET(cond)                             \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA1_BAD_INPUT_DATA )
+
+#define SHA1_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if !defined(MBEDTLS_SHA1_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
+{
+    SHA1_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
+}
+
+void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
+}
+
+void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
+                         const mbedtls_sha1_context *src )
+{
+    SHA1_VALIDATE( dst != NULL );
+    SHA1_VALIDATE( src != NULL );
+
+    *dst = *src;
+}
+
+/*
+ * SHA-1 context setup
+ */
+int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx )
+{
+    SHA1_VALIDATE_RET( ctx != NULL );
+
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    ctx->state[0] = 0x67452301;
+    ctx->state[1] = 0xEFCDAB89;
+    ctx->state[2] = 0x98BADCFE;
+    ctx->state[3] = 0x10325476;
+    ctx->state[4] = 0xC3D2E1F0;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
+{
+    mbedtls_sha1_starts_ret( ctx );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA1_PROCESS_ALT)
+int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
+                                   const unsigned char data[64] )
+{
+    uint32_t temp, W[16], A, B, C, D, E;
+
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
+
+    GET_UINT32_BE( W[ 0], data,  0 );
+    GET_UINT32_BE( W[ 1], data,  4 );
+    GET_UINT32_BE( W[ 2], data,  8 );
+    GET_UINT32_BE( W[ 3], data, 12 );
+    GET_UINT32_BE( W[ 4], data, 16 );
+    GET_UINT32_BE( W[ 5], data, 20 );
+    GET_UINT32_BE( W[ 6], data, 24 );
+    GET_UINT32_BE( W[ 7], data, 28 );
+    GET_UINT32_BE( W[ 8], data, 32 );
+    GET_UINT32_BE( W[ 9], data, 36 );
+    GET_UINT32_BE( W[10], data, 40 );
+    GET_UINT32_BE( W[11], data, 44 );
+    GET_UINT32_BE( W[12], data, 48 );
+    GET_UINT32_BE( W[13], data, 52 );
+    GET_UINT32_BE( W[14], data, 56 );
+    GET_UINT32_BE( W[15], data, 60 );
+
+#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
+
+#define R(t)                                                    \
+    (                                                           \
+        temp = W[( (t) -  3 ) & 0x0F] ^ W[( (t) - 8 ) & 0x0F] ^ \
+               W[( (t) - 14 ) & 0x0F] ^ W[  (t)       & 0x0F],  \
+        ( W[(t) & 0x0F] = S(temp,1) )                           \
+    )
+
+#define P(a,b,c,d,e,x)                                          \
+    do                                                          \
+    {                                                           \
+        (e) += S((a),5) + F((b),(c),(d)) + K + (x);             \
+        (b) = S((b),30);                                        \
+    } while( 0 )
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+    E = ctx->state[4];
+
+#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+#define K 0x5A827999
+
+    P( A, B, C, D, E, W[0]  );
+    P( E, A, B, C, D, W[1]  );
+    P( D, E, A, B, C, W[2]  );
+    P( C, D, E, A, B, W[3]  );
+    P( B, C, D, E, A, W[4]  );
+    P( A, B, C, D, E, W[5]  );
+    P( E, A, B, C, D, W[6]  );
+    P( D, E, A, B, C, W[7]  );
+    P( C, D, E, A, B, W[8]  );
+    P( B, C, D, E, A, W[9]  );
+    P( A, B, C, D, E, W[10] );
+    P( E, A, B, C, D, W[11] );
+    P( D, E, A, B, C, W[12] );
+    P( C, D, E, A, B, W[13] );
+    P( B, C, D, E, A, W[14] );
+    P( A, B, C, D, E, W[15] );
+    P( E, A, B, C, D, R(16) );
+    P( D, E, A, B, C, R(17) );
+    P( C, D, E, A, B, R(18) );
+    P( B, C, D, E, A, R(19) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define K 0x6ED9EBA1
+
+    P( A, B, C, D, E, R(20) );
+    P( E, A, B, C, D, R(21) );
+    P( D, E, A, B, C, R(22) );
+    P( C, D, E, A, B, R(23) );
+    P( B, C, D, E, A, R(24) );
+    P( A, B, C, D, E, R(25) );
+    P( E, A, B, C, D, R(26) );
+    P( D, E, A, B, C, R(27) );
+    P( C, D, E, A, B, R(28) );
+    P( B, C, D, E, A, R(29) );
+    P( A, B, C, D, E, R(30) );
+    P( E, A, B, C, D, R(31) );
+    P( D, E, A, B, C, R(32) );
+    P( C, D, E, A, B, R(33) );
+    P( B, C, D, E, A, R(34) );
+    P( A, B, C, D, E, R(35) );
+    P( E, A, B, C, D, R(36) );
+    P( D, E, A, B, C, R(37) );
+    P( C, D, E, A, B, R(38) );
+    P( B, C, D, E, A, R(39) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define K 0x8F1BBCDC
+
+    P( A, B, C, D, E, R(40) );
+    P( E, A, B, C, D, R(41) );
+    P( D, E, A, B, C, R(42) );
+    P( C, D, E, A, B, R(43) );
+    P( B, C, D, E, A, R(44) );
+    P( A, B, C, D, E, R(45) );
+    P( E, A, B, C, D, R(46) );
+    P( D, E, A, B, C, R(47) );
+    P( C, D, E, A, B, R(48) );
+    P( B, C, D, E, A, R(49) );
+    P( A, B, C, D, E, R(50) );
+    P( E, A, B, C, D, R(51) );
+    P( D, E, A, B, C, R(52) );
+    P( C, D, E, A, B, R(53) );
+    P( B, C, D, E, A, R(54) );
+    P( A, B, C, D, E, R(55) );
+    P( E, A, B, C, D, R(56) );
+    P( D, E, A, B, C, R(57) );
+    P( C, D, E, A, B, R(58) );
+    P( B, C, D, E, A, R(59) );
+
+#undef K
+#undef F
+
+#define F(x,y,z) ((x) ^ (y) ^ (z))
+#define K 0xCA62C1D6
+
+    P( A, B, C, D, E, R(60) );
+    P( E, A, B, C, D, R(61) );
+    P( D, E, A, B, C, R(62) );
+    P( C, D, E, A, B, R(63) );
+    P( B, C, D, E, A, R(64) );
+    P( A, B, C, D, E, R(65) );
+    P( E, A, B, C, D, R(66) );
+    P( D, E, A, B, C, R(67) );
+    P( C, D, E, A, B, R(68) );
+    P( B, C, D, E, A, R(69) );
+    P( A, B, C, D, E, R(70) );
+    P( E, A, B, C, D, R(71) );
+    P( D, E, A, B, C, R(72) );
+    P( C, D, E, A, B, R(73) );
+    P( B, C, D, E, A, R(74) );
+    P( A, B, C, D, E, R(75) );
+    P( E, A, B, C, D, R(76) );
+    P( D, E, A, B, C, R(77) );
+    P( C, D, E, A, B, R(78) );
+    P( B, C, D, E, A, R(79) );
+
+#undef K
+#undef F
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+    ctx->state[4] += E;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
+                           const unsigned char data[64] )
+{
+    mbedtls_internal_sha1_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA1_PROCESS_ALT */
+
+/*
+ * SHA-1 process buffer
+ */
+int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
+                             const unsigned char *input,
+                             size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_sha1_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
+                          const unsigned char *input,
+                          size_t ilen )
+{
+    mbedtls_sha1_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-1 final digest
+ */
+int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
+                             unsigned char output[20] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    SHA1_VALIDATE_RET( ctx != NULL );
+    SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_BE( high, ctx->buffer, 56 );
+    PUT_UINT32_BE( low,  ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_BE( ctx->state[0], output,  0 );
+    PUT_UINT32_BE( ctx->state[1], output,  4 );
+    PUT_UINT32_BE( ctx->state[2], output,  8 );
+    PUT_UINT32_BE( ctx->state[3], output, 12 );
+    PUT_UINT32_BE( ctx->state[4], output, 16 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
+                          unsigned char output[20] )
+{
+    mbedtls_sha1_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA1_ALT */
+
+/*
+ * output = SHA-1( input buffer )
+ */
+int mbedtls_sha1_ret( const unsigned char *input,
+                      size_t ilen,
+                      unsigned char output[20] )
+{
+    int ret;
+    mbedtls_sha1_context ctx;
+
+    SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    mbedtls_sha1_init( &ctx );
+
+    if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha1_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha1_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha1_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha1( const unsigned char *input,
+                   size_t ilen,
+                   unsigned char output[20] )
+{
+    mbedtls_sha1_ret( input, ilen, output );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-1 test vectors
+ */
+static const unsigned char sha1_test_buf[3][57] =
+{
+    { "abc" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "" }
+};
+
+static const size_t sha1_test_buflen[3] =
+{
+    3, 56, 1000
+};
+
+static const unsigned char sha1_test_sum[3][20] =
+{
+    { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
+      0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
+    { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
+      0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
+    { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
+      0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha1_self_test( int verbose )
+{
+    int i, j, buflen, ret = 0;
+    unsigned char buf[1024];
+    unsigned char sha1sum[20];
+    mbedtls_sha1_context ctx;
+
+    mbedtls_sha1_init( &ctx );
+
+    /*
+     * SHA-1
+     */
+    for( i = 0; i < 3; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-1 test #%d: ", i + 1 );
+
+        if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
+            goto fail;
+
+        if( i == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha1_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+        }
+        else
+        {
+            ret = mbedtls_sha1_update_ret( &ctx, sha1_test_buf[i],
+                                           sha1_test_buflen[i] );
+            if( ret != 0 )
+                goto fail;
+        }
+
+        if( ( ret = mbedtls_sha1_finish_ret( &ctx, sha1sum ) ) != 0 )
+            goto fail;
+
+        if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha1_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA1_C */
diff --git a/makerom/deps/libmbedtls/src/sha256.c b/makerom/deps/libmbedtls/src/sha256.c
new file mode 100644
index 00000000..2dc0e1a2
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/sha256.c
@@ -0,0 +1,586 @@
+/*
+ *  FIPS-180-2 compliant SHA-256 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
+ *
+ *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+
+#include "mbedtls/sha256.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#define SHA256_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
+#define SHA256_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if !defined(MBEDTLS_SHA256_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+} while( 0 )
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+do {                                                    \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+} while( 0 )
+#endif
+
+void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
+{
+    SHA256_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
+}
+
+void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
+                           const mbedtls_sha256_context *src )
+{
+    SHA256_VALIDATE( dst != NULL );
+    SHA256_VALIDATE( src != NULL );
+
+    *dst = *src;
+}
+
+/*
+ * SHA-256 context setup
+ */
+int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
+{
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
+
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    if( is224 == 0 )
+    {
+        /* SHA-256 */
+        ctx->state[0] = 0x6A09E667;
+        ctx->state[1] = 0xBB67AE85;
+        ctx->state[2] = 0x3C6EF372;
+        ctx->state[3] = 0xA54FF53A;
+        ctx->state[4] = 0x510E527F;
+        ctx->state[5] = 0x9B05688C;
+        ctx->state[6] = 0x1F83D9AB;
+        ctx->state[7] = 0x5BE0CD19;
+    }
+    else
+    {
+        /* SHA-224 */
+        ctx->state[0] = 0xC1059ED8;
+        ctx->state[1] = 0x367CD507;
+        ctx->state[2] = 0x3070DD17;
+        ctx->state[3] = 0xF70E5939;
+        ctx->state[4] = 0xFFC00B31;
+        ctx->state[5] = 0x68581511;
+        ctx->state[6] = 0x64F98FA7;
+        ctx->state[7] = 0xBEFA4FA4;
+    }
+
+    ctx->is224 = is224;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
+                            int is224 )
+{
+    mbedtls_sha256_starts_ret( ctx, is224 );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
+static const uint32_t K[] =
+{
+    0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
+    0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
+    0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
+    0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
+    0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
+    0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
+    0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
+    0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
+    0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
+    0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
+    0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
+    0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
+    0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
+    0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
+    0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
+    0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
+};
+
+#define  SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
+#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
+
+#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
+#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
+
+#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
+#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
+
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define R(t)                                    \
+    (                                           \
+        W[t] = S1(W[(t) -  2]) + W[(t) -  7] +  \
+               S0(W[(t) - 15]) + W[(t) - 16]    \
+    )
+
+#define P(a,b,c,d,e,f,g,h,x,K)                          \
+    do                                                  \
+    {                                                   \
+        temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);      \
+        temp2 = S2(a) + F0((a),(b),(c));                        \
+        (d) += temp1; (h) = temp1 + temp2;              \
+    } while( 0 )
+
+int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
+                                const unsigned char data[64] )
+{
+    uint32_t temp1, temp2, W[64];
+    uint32_t A[8];
+    unsigned int i;
+
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
+
+    for( i = 0; i < 8; i++ )
+        A[i] = ctx->state[i];
+
+#if defined(MBEDTLS_SHA256_SMALLER)
+    for( i = 0; i < 64; i++ )
+    {
+        if( i < 16 )
+            GET_UINT32_BE( W[i], data, 4 * i );
+        else
+            R( i );
+
+        P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
+
+        temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
+        A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
+    }
+#else /* MBEDTLS_SHA256_SMALLER */
+    for( i = 0; i < 16; i++ )
+        GET_UINT32_BE( W[i], data, 4 * i );
+
+    for( i = 0; i < 16; i += 8 )
+    {
+        P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
+        P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
+        P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
+        P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
+        P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
+        P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
+        P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
+        P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
+    }
+
+    for( i = 16; i < 64; i += 8 )
+    {
+        P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
+        P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
+        P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
+        P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
+        P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
+        P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
+        P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
+        P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
+    }
+#endif /* MBEDTLS_SHA256_SMALLER */
+
+    for( i = 0; i < 8; i++ )
+        ctx->state[i] += A[i];
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
+                             const unsigned char data[64] )
+{
+    mbedtls_internal_sha256_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA256_PROCESS_ALT */
+
+/*
+ * SHA-256 process buffer
+ */
+int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    int ret;
+    size_t fill;
+    uint32_t left;
+
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += (uint32_t) ilen;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if( ctx->total[0] < (uint32_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 64 )
+    {
+        if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 64;
+        ilen  -= 64;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    mbedtls_sha256_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-256 final digest
+ */
+int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
+                               unsigned char output[32] )
+{
+    int ret;
+    uint32_t used;
+    uint32_t high, low;
+
+    SHA256_VALIDATE_RET( ctx != NULL );
+    SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    /*
+     * Add padding: 0x80 then 0x00 until 8 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x3F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 56 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 56 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 64 - used );
+
+        if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 56 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 29 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT32_BE( high, ctx->buffer, 56 );
+    PUT_UINT32_BE( low,  ctx->buffer, 60 );
+
+    if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT32_BE( ctx->state[0], output,  0 );
+    PUT_UINT32_BE( ctx->state[1], output,  4 );
+    PUT_UINT32_BE( ctx->state[2], output,  8 );
+    PUT_UINT32_BE( ctx->state[3], output, 12 );
+    PUT_UINT32_BE( ctx->state[4], output, 16 );
+    PUT_UINT32_BE( ctx->state[5], output, 20 );
+    PUT_UINT32_BE( ctx->state[6], output, 24 );
+
+    if( ctx->is224 == 0 )
+        PUT_UINT32_BE( ctx->state[7], output, 28 );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
+                            unsigned char output[32] )
+{
+    mbedtls_sha256_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA256_ALT */
+
+/*
+ * output = SHA-256( input buffer )
+ */
+int mbedtls_sha256_ret( const unsigned char *input,
+                        size_t ilen,
+                        unsigned char output[32],
+                        int is224 )
+{
+    int ret;
+    mbedtls_sha256_context ctx;
+
+    SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
+    SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    mbedtls_sha256_init( &ctx );
+
+    if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha256_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha256( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[32],
+                     int is224 )
+{
+    mbedtls_sha256_ret( input, ilen, output, is224 );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha256_test_buf[3][57] =
+{
+    { "abc" },
+    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
+    { "" }
+};
+
+static const size_t sha256_test_buflen[3] =
+{
+    3, 56, 1000
+};
+
+static const unsigned char sha256_test_sum[6][32] =
+{
+    /*
+     * SHA-224 test vectors
+     */
+    { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
+      0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
+      0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
+      0xE3, 0x6C, 0x9D, 0xA7 },
+    { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
+      0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
+      0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
+      0x52, 0x52, 0x25, 0x25 },
+    { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
+      0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
+      0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
+      0x4E, 0xE7, 0xAD, 0x67 },
+
+    /*
+     * SHA-256 test vectors
+     */
+    { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
+      0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
+      0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
+      0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
+    { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
+      0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
+      0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
+      0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
+    { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
+      0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
+      0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
+      0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha256_self_test( int verbose )
+{
+    int i, j, k, buflen, ret = 0;
+    unsigned char *buf;
+    unsigned char sha256sum[32];
+    mbedtls_sha256_context ctx;
+
+    buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+    if( NULL == buf )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "Buffer allocation failed\n" );
+
+        return( 1 );
+    }
+
+    mbedtls_sha256_init( &ctx );
+
+    for( i = 0; i < 6; i++ )
+    {
+        j = i % 3;
+        k = i < 3;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-%d test #%d: ", 256 - k * 32, j + 1 );
+
+        if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
+            goto fail;
+
+        if( j == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+
+        }
+        else
+        {
+            ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
+                                             sha256_test_buflen[j] );
+            if( ret != 0 )
+                 goto fail;
+        }
+
+        if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
+            goto fail;
+
+
+        if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha256_free( &ctx );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA256_C */
diff --git a/makerom/deps/libmbedtls/src/sha512.c b/makerom/deps/libmbedtls/src/sha512.c
new file mode 100644
index 00000000..bdd20b28
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/sha512.c
@@ -0,0 +1,636 @@
+/*
+ *  FIPS-180-2 compliant SHA-384/512 implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SHA-512 Secure Hash Standard was published by NIST in 2002.
+ *
+ *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+
+#include "mbedtls/sha512.h"
+#include "mbedtls/platform_util.h"
+
+#if defined(_MSC_VER) || defined(__WATCOMC__)
+  #define UL64(x) x##ui64
+#else
+  #define UL64(x) x##ULL
+#endif
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_printf printf
+#define mbedtls_calloc    calloc
+#define mbedtls_free       free
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#define SHA512_VALIDATE_RET(cond)                           \
+    MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA )
+#define SHA512_VALIDATE(cond)  MBEDTLS_INTERNAL_VALIDATE( cond )
+
+#if !defined(MBEDTLS_SHA512_ALT)
+
+/*
+ * 64-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT64_BE
+#define GET_UINT64_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint64_t) (b)[(i)    ] << 56 )       \
+        | ( (uint64_t) (b)[(i) + 1] << 48 )       \
+        | ( (uint64_t) (b)[(i) + 2] << 40 )       \
+        | ( (uint64_t) (b)[(i) + 3] << 32 )       \
+        | ( (uint64_t) (b)[(i) + 4] << 24 )       \
+        | ( (uint64_t) (b)[(i) + 5] << 16 )       \
+        | ( (uint64_t) (b)[(i) + 6] <<  8 )       \
+        | ( (uint64_t) (b)[(i) + 7]       );      \
+}
+#endif /* GET_UINT64_BE */
+
+#ifndef PUT_UINT64_BE
+#define PUT_UINT64_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 56 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 48 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >> 40 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n) >> 32 );       \
+    (b)[(i) + 4] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 5] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 6] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 7] = (unsigned char) ( (n)       );       \
+}
+#endif /* PUT_UINT64_BE */
+
+void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
+{
+    SHA512_VALIDATE( ctx != NULL );
+
+    memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_free( mbedtls_sha512_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
+}
+
+void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
+                           const mbedtls_sha512_context *src )
+{
+    SHA512_VALIDATE( dst != NULL );
+    SHA512_VALIDATE( src != NULL );
+
+    *dst = *src;
+}
+
+/*
+ * SHA-512 context setup
+ */
+int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 )
+{
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
+
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
+
+    if( is384 == 0 )
+    {
+        /* SHA-512 */
+        ctx->state[0] = UL64(0x6A09E667F3BCC908);
+        ctx->state[1] = UL64(0xBB67AE8584CAA73B);
+        ctx->state[2] = UL64(0x3C6EF372FE94F82B);
+        ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
+        ctx->state[4] = UL64(0x510E527FADE682D1);
+        ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
+        ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
+        ctx->state[7] = UL64(0x5BE0CD19137E2179);
+    }
+    else
+    {
+        /* SHA-384 */
+        ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
+        ctx->state[1] = UL64(0x629A292A367CD507);
+        ctx->state[2] = UL64(0x9159015A3070DD17);
+        ctx->state[3] = UL64(0x152FECD8F70E5939);
+        ctx->state[4] = UL64(0x67332667FFC00B31);
+        ctx->state[5] = UL64(0x8EB44A8768581511);
+        ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
+        ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
+    }
+
+    ctx->is384 = is384;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
+                            int is384 )
+{
+    mbedtls_sha512_starts_ret( ctx, is384 );
+}
+#endif
+
+#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
+
+/*
+ * Round constants
+ */
+static const uint64_t K[80] =
+{
+    UL64(0x428A2F98D728AE22),  UL64(0x7137449123EF65CD),
+    UL64(0xB5C0FBCFEC4D3B2F),  UL64(0xE9B5DBA58189DBBC),
+    UL64(0x3956C25BF348B538),  UL64(0x59F111F1B605D019),
+    UL64(0x923F82A4AF194F9B),  UL64(0xAB1C5ED5DA6D8118),
+    UL64(0xD807AA98A3030242),  UL64(0x12835B0145706FBE),
+    UL64(0x243185BE4EE4B28C),  UL64(0x550C7DC3D5FFB4E2),
+    UL64(0x72BE5D74F27B896F),  UL64(0x80DEB1FE3B1696B1),
+    UL64(0x9BDC06A725C71235),  UL64(0xC19BF174CF692694),
+    UL64(0xE49B69C19EF14AD2),  UL64(0xEFBE4786384F25E3),
+    UL64(0x0FC19DC68B8CD5B5),  UL64(0x240CA1CC77AC9C65),
+    UL64(0x2DE92C6F592B0275),  UL64(0x4A7484AA6EA6E483),
+    UL64(0x5CB0A9DCBD41FBD4),  UL64(0x76F988DA831153B5),
+    UL64(0x983E5152EE66DFAB),  UL64(0xA831C66D2DB43210),
+    UL64(0xB00327C898FB213F),  UL64(0xBF597FC7BEEF0EE4),
+    UL64(0xC6E00BF33DA88FC2),  UL64(0xD5A79147930AA725),
+    UL64(0x06CA6351E003826F),  UL64(0x142929670A0E6E70),
+    UL64(0x27B70A8546D22FFC),  UL64(0x2E1B21385C26C926),
+    UL64(0x4D2C6DFC5AC42AED),  UL64(0x53380D139D95B3DF),
+    UL64(0x650A73548BAF63DE),  UL64(0x766A0ABB3C77B2A8),
+    UL64(0x81C2C92E47EDAEE6),  UL64(0x92722C851482353B),
+    UL64(0xA2BFE8A14CF10364),  UL64(0xA81A664BBC423001),
+    UL64(0xC24B8B70D0F89791),  UL64(0xC76C51A30654BE30),
+    UL64(0xD192E819D6EF5218),  UL64(0xD69906245565A910),
+    UL64(0xF40E35855771202A),  UL64(0x106AA07032BBD1B8),
+    UL64(0x19A4C116B8D2D0C8),  UL64(0x1E376C085141AB53),
+    UL64(0x2748774CDF8EEB99),  UL64(0x34B0BCB5E19B48A8),
+    UL64(0x391C0CB3C5C95A63),  UL64(0x4ED8AA4AE3418ACB),
+    UL64(0x5B9CCA4F7763E373),  UL64(0x682E6FF3D6B2B8A3),
+    UL64(0x748F82EE5DEFB2FC),  UL64(0x78A5636F43172F60),
+    UL64(0x84C87814A1F0AB72),  UL64(0x8CC702081A6439EC),
+    UL64(0x90BEFFFA23631E28),  UL64(0xA4506CEBDE82BDE9),
+    UL64(0xBEF9A3F7B2C67915),  UL64(0xC67178F2E372532B),
+    UL64(0xCA273ECEEA26619C),  UL64(0xD186B8C721C0C207),
+    UL64(0xEADA7DD6CDE0EB1E),  UL64(0xF57D4F7FEE6ED178),
+    UL64(0x06F067AA72176FBA),  UL64(0x0A637DC5A2C898A6),
+    UL64(0x113F9804BEF90DAE),  UL64(0x1B710B35131C471B),
+    UL64(0x28DB77F523047D84),  UL64(0x32CAAB7B40C72493),
+    UL64(0x3C9EBE0A15C9BEBC),  UL64(0x431D67C49C100D4C),
+    UL64(0x4CC5D4BECB3E42B6),  UL64(0x597F299CFC657E2A),
+    UL64(0x5FCB6FAB3AD6FAEC),  UL64(0x6C44198C4A475817)
+};
+
+int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
+                                     const unsigned char data[128] )
+{
+    int i;
+    uint64_t temp1, temp2, W[80];
+    uint64_t A, B, C, D, E, F, G, H;
+
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( (const unsigned char *)data != NULL );
+
+#define  SHR(x,n) ((x) >> (n))
+#define ROTR(x,n) (SHR((x),(n)) | ((x) << (64 - (n))))
+
+#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^  SHR(x, 7))
+#define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^  SHR(x, 6))
+
+#define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
+#define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
+
+#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
+#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
+
+#define P(a,b,c,d,e,f,g,h,x,K)                                  \
+    do                                                          \
+    {                                                           \
+        temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x);      \
+        temp2 = S2(a) + F0((a),(b),(c));                        \
+        (d) += temp1; (h) = temp1 + temp2;                      \
+    } while( 0 )
+
+    for( i = 0; i < 16; i++ )
+    {
+        GET_UINT64_BE( W[i], data, i << 3 );
+    }
+
+    for( ; i < 80; i++ )
+    {
+        W[i] = S1(W[i -  2]) + W[i -  7] +
+               S0(W[i - 15]) + W[i - 16];
+    }
+
+    A = ctx->state[0];
+    B = ctx->state[1];
+    C = ctx->state[2];
+    D = ctx->state[3];
+    E = ctx->state[4];
+    F = ctx->state[5];
+    G = ctx->state[6];
+    H = ctx->state[7];
+    i = 0;
+
+    do
+    {
+        P( A, B, C, D, E, F, G, H, W[i], K[i] ); i++;
+        P( H, A, B, C, D, E, F, G, W[i], K[i] ); i++;
+        P( G, H, A, B, C, D, E, F, W[i], K[i] ); i++;
+        P( F, G, H, A, B, C, D, E, W[i], K[i] ); i++;
+        P( E, F, G, H, A, B, C, D, W[i], K[i] ); i++;
+        P( D, E, F, G, H, A, B, C, W[i], K[i] ); i++;
+        P( C, D, E, F, G, H, A, B, W[i], K[i] ); i++;
+        P( B, C, D, E, F, G, H, A, W[i], K[i] ); i++;
+    }
+    while( i < 80 );
+
+    ctx->state[0] += A;
+    ctx->state[1] += B;
+    ctx->state[2] += C;
+    ctx->state[3] += D;
+    ctx->state[4] += E;
+    ctx->state[5] += F;
+    ctx->state[6] += G;
+    ctx->state[7] += H;
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_process( mbedtls_sha512_context *ctx,
+                             const unsigned char data[128] )
+{
+    mbedtls_internal_sha512_process( ctx, data );
+}
+#endif
+#endif /* !MBEDTLS_SHA512_PROCESS_ALT */
+
+/*
+ * SHA-512 process buffer
+ */
+int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
+                               const unsigned char *input,
+                               size_t ilen )
+{
+    int ret;
+    size_t fill;
+    unsigned int left;
+
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
+
+    if( ilen == 0 )
+        return( 0 );
+
+    left = (unsigned int) (ctx->total[0] & 0x7F);
+    fill = 128 - left;
+
+    ctx->total[0] += (uint64_t) ilen;
+
+    if( ctx->total[0] < (uint64_t) ilen )
+        ctx->total[1]++;
+
+    if( left && ilen >= fill )
+    {
+        memcpy( (void *) (ctx->buffer + left), input, fill );
+
+        if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        input += fill;
+        ilen  -= fill;
+        left = 0;
+    }
+
+    while( ilen >= 128 )
+    {
+        if( ( ret = mbedtls_internal_sha512_process( ctx, input ) ) != 0 )
+            return( ret );
+
+        input += 128;
+        ilen  -= 128;
+    }
+
+    if( ilen > 0 )
+        memcpy( (void *) (ctx->buffer + left), input, ilen );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
+                            const unsigned char *input,
+                            size_t ilen )
+{
+    mbedtls_sha512_update_ret( ctx, input, ilen );
+}
+#endif
+
+/*
+ * SHA-512 final digest
+ */
+int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
+                               unsigned char output[64] )
+{
+    int ret;
+    unsigned used;
+    uint64_t high, low;
+
+    SHA512_VALIDATE_RET( ctx != NULL );
+    SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    /*
+     * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
+     */
+    used = ctx->total[0] & 0x7F;
+
+    ctx->buffer[used++] = 0x80;
+
+    if( used <= 112 )
+    {
+        /* Enough room for padding + length in current block */
+        memset( ctx->buffer + used, 0, 112 - used );
+    }
+    else
+    {
+        /* We'll need an extra block */
+        memset( ctx->buffer + used, 0, 128 - used );
+
+        if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+            return( ret );
+
+        memset( ctx->buffer, 0, 112 );
+    }
+
+    /*
+     * Add message length
+     */
+    high = ( ctx->total[0] >> 61 )
+         | ( ctx->total[1] <<  3 );
+    low  = ( ctx->total[0] <<  3 );
+
+    PUT_UINT64_BE( high, ctx->buffer, 112 );
+    PUT_UINT64_BE( low,  ctx->buffer, 120 );
+
+    if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
+        return( ret );
+
+    /*
+     * Output final state
+     */
+    PUT_UINT64_BE( ctx->state[0], output,  0 );
+    PUT_UINT64_BE( ctx->state[1], output,  8 );
+    PUT_UINT64_BE( ctx->state[2], output, 16 );
+    PUT_UINT64_BE( ctx->state[3], output, 24 );
+    PUT_UINT64_BE( ctx->state[4], output, 32 );
+    PUT_UINT64_BE( ctx->state[5], output, 40 );
+
+    if( ctx->is384 == 0 )
+    {
+        PUT_UINT64_BE( ctx->state[6], output, 48 );
+        PUT_UINT64_BE( ctx->state[7], output, 56 );
+    }
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
+                            unsigned char output[64] )
+{
+    mbedtls_sha512_finish_ret( ctx, output );
+}
+#endif
+
+#endif /* !MBEDTLS_SHA512_ALT */
+
+/*
+ * output = SHA-512( input buffer )
+ */
+int mbedtls_sha512_ret( const unsigned char *input,
+                    size_t ilen,
+                    unsigned char output[64],
+                    int is384 )
+{
+    int ret;
+    mbedtls_sha512_context ctx;
+
+    SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
+    SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
+    SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
+
+    mbedtls_sha512_init( &ctx );
+
+    if( ( ret = mbedtls_sha512_starts_ret( &ctx, is384 ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha512_update_ret( &ctx, input, ilen ) ) != 0 )
+        goto exit;
+
+    if( ( ret = mbedtls_sha512_finish_ret( &ctx, output ) ) != 0 )
+        goto exit;
+
+exit:
+    mbedtls_sha512_free( &ctx );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+void mbedtls_sha512( const unsigned char *input,
+                     size_t ilen,
+                     unsigned char output[64],
+                     int is384 )
+{
+    mbedtls_sha512_ret( input, ilen, output, is384 );
+}
+#endif
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * FIPS-180-2 test vectors
+ */
+static const unsigned char sha512_test_buf[3][113] =
+{
+    { "abc" },
+    { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+      "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
+    { "" }
+};
+
+static const size_t sha512_test_buflen[3] =
+{
+    3, 112, 1000
+};
+
+static const unsigned char sha512_test_sum[6][64] =
+{
+    /*
+     * SHA-384 test vectors
+     */
+    { 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
+      0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
+      0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
+      0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
+      0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
+      0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
+    { 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
+      0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
+      0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
+      0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
+      0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
+      0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
+    { 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
+      0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
+      0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
+      0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
+      0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
+      0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
+
+    /*
+     * SHA-512 test vectors
+     */
+    { 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
+      0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
+      0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
+      0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
+      0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
+      0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
+      0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
+      0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
+    { 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
+      0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
+      0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
+      0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
+      0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
+      0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
+      0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
+      0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
+    { 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
+      0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
+      0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
+      0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
+      0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
+      0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
+      0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
+      0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_sha512_self_test( int verbose )
+{
+    int i, j, k, buflen, ret = 0;
+    unsigned char *buf;
+    unsigned char sha512sum[64];
+    mbedtls_sha512_context ctx;
+
+    buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
+    if( NULL == buf )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "Buffer allocation failed\n" );
+
+        return( 1 );
+    }
+
+    mbedtls_sha512_init( &ctx );
+
+    for( i = 0; i < 6; i++ )
+    {
+        j = i % 3;
+        k = i < 3;
+
+        if( verbose != 0 )
+            mbedtls_printf( "  SHA-%d test #%d: ", 512 - k * 128, j + 1 );
+
+        if( ( ret = mbedtls_sha512_starts_ret( &ctx, k ) ) != 0 )
+            goto fail;
+
+        if( j == 2 )
+        {
+            memset( buf, 'a', buflen = 1000 );
+
+            for( j = 0; j < 1000; j++ )
+            {
+                ret = mbedtls_sha512_update_ret( &ctx, buf, buflen );
+                if( ret != 0 )
+                    goto fail;
+            }
+        }
+        else
+        {
+            ret = mbedtls_sha512_update_ret( &ctx, sha512_test_buf[j],
+                                             sha512_test_buflen[j] );
+            if( ret != 0 )
+                goto fail;
+        }
+
+        if( ( ret = mbedtls_sha512_finish_ret( &ctx, sha512sum ) ) != 0 )
+            goto fail;
+
+        if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
+        {
+            ret = 1;
+            goto fail;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    goto exit;
+
+fail:
+    if( verbose != 0 )
+        mbedtls_printf( "failed\n" );
+
+exit:
+    mbedtls_sha512_free( &ctx );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_SHA512_C */
diff --git a/makerom/deps/libmbedtls/src/ssl_cache.c b/makerom/deps/libmbedtls/src/ssl_cache.c
new file mode 100644
index 00000000..47867f13
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ssl_cache.c
@@ -0,0 +1,327 @@
+/*
+ *  SSL session cache implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_CACHE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cache.h"
+
+#include <string.h>
+
+void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
+{
+    memset( cache, 0, sizeof( mbedtls_ssl_cache_context ) );
+
+    cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
+    cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &cache->mutex );
+#endif
+}
+
+int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
+{
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time( NULL );
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *entry;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_lock( &cache->mutex ) != 0 )
+        return( 1 );
+#endif
+
+    cur = cache->chain;
+    entry = NULL;
+
+    while( cur != NULL )
+    {
+        entry = cur;
+        cur = cur->next;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( cache->timeout != 0 &&
+            (int) ( t - entry->timestamp ) > cache->timeout )
+            continue;
+#endif
+
+        if( session->ciphersuite != entry->session.ciphersuite ||
+            session->compression != entry->session.compression ||
+            session->id_len != entry->session.id_len )
+            continue;
+
+        if( memcmp( session->id, entry->session.id,
+                    entry->session.id_len ) != 0 )
+            continue;
+
+        memcpy( session->master, entry->session.master, 48 );
+
+        session->verify_result = entry->session.verify_result;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+        /*
+         * Restore peer certificate (without rest of the original chain)
+         */
+        if( entry->peer_cert.p != NULL )
+        {
+            if( ( session->peer_cert = mbedtls_calloc( 1,
+                                 sizeof(mbedtls_x509_crt) ) ) == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            mbedtls_x509_crt_init( session->peer_cert );
+            if( mbedtls_x509_crt_parse( session->peer_cert, entry->peer_cert.p,
+                                entry->peer_cert.len ) != 0 )
+            {
+                mbedtls_free( session->peer_cert );
+                session->peer_cert = NULL;
+                ret = 1;
+                goto exit;
+            }
+        }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+        ret = 0;
+        goto exit;
+    }
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
+        ret = 1;
+#endif
+
+    return( ret );
+}
+
+int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
+{
+    int ret = 1;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t = mbedtls_time( NULL ), oldest = 0;
+    mbedtls_ssl_cache_entry *old = NULL;
+#endif
+    mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
+    mbedtls_ssl_cache_entry *cur, *prv;
+    int count = 0;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &cache->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    cur = cache->chain;
+    prv = NULL;
+
+    while( cur != NULL )
+    {
+        count++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( cache->timeout != 0 &&
+            (int) ( t - cur->timestamp ) > cache->timeout )
+        {
+            cur->timestamp = t;
+            break; /* expired, reuse this slot, update timestamp */
+        }
+#endif
+
+        if( memcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
+            break; /* client reconnected, keep timestamp for session id */
+
+#if defined(MBEDTLS_HAVE_TIME)
+        if( oldest == 0 || cur->timestamp < oldest )
+        {
+            oldest = cur->timestamp;
+            old = cur;
+        }
+#endif
+
+        prv = cur;
+        cur = cur->next;
+    }
+
+    if( cur == NULL )
+    {
+#if defined(MBEDTLS_HAVE_TIME)
+        /*
+         * Reuse oldest entry if max_entries reached
+         */
+        if( count >= cache->max_entries )
+        {
+            if( old == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = old;
+        }
+#else /* MBEDTLS_HAVE_TIME */
+        /*
+         * Reuse first entry in chain if max_entries reached,
+         * but move to last place
+         */
+        if( count >= cache->max_entries )
+        {
+            if( cache->chain == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            cur = cache->chain;
+            cache->chain = cur->next;
+            cur->next = NULL;
+            prv->next = cur;
+        }
+#endif /* MBEDTLS_HAVE_TIME */
+        else
+        {
+            /*
+             * max_entries not reached, create new entry
+             */
+            cur = mbedtls_calloc( 1, sizeof(mbedtls_ssl_cache_entry) );
+            if( cur == NULL )
+            {
+                ret = 1;
+                goto exit;
+            }
+
+            if( prv == NULL )
+                cache->chain = cur;
+            else
+                prv->next = cur;
+        }
+
+#if defined(MBEDTLS_HAVE_TIME)
+        cur->timestamp = t;
+#endif
+    }
+
+    memcpy( &cur->session, session, sizeof( mbedtls_ssl_session ) );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /*
+     * If we're reusing an entry, free its certificate first
+     */
+    if( cur->peer_cert.p != NULL )
+    {
+        mbedtls_free( cur->peer_cert.p );
+        memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
+    }
+
+    /*
+     * Store peer certificate
+     */
+    if( session->peer_cert != NULL )
+    {
+        cur->peer_cert.p = mbedtls_calloc( 1, session->peer_cert->raw.len );
+        if( cur->peer_cert.p == NULL )
+        {
+            ret = 1;
+            goto exit;
+        }
+
+        memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
+                session->peer_cert->raw.len );
+        cur->peer_cert.len = session->peer_cert->raw.len;
+
+        cur->session.peer_cert = NULL;
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    ret = 0;
+
+exit:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
+        ret = 1;
+#endif
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_HAVE_TIME)
+void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout )
+{
+    if( timeout < 0 ) timeout = 0;
+
+    cache->timeout = timeout;
+}
+#endif /* MBEDTLS_HAVE_TIME */
+
+void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max )
+{
+    if( max < 0 ) max = 0;
+
+    cache->max_entries = max;
+}
+
+void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
+{
+    mbedtls_ssl_cache_entry *cur, *prv;
+
+    cur = cache->chain;
+
+    while( cur != NULL )
+    {
+        prv = cur;
+        cur = cur->next;
+
+        mbedtls_ssl_session_free( &prv->session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+        mbedtls_free( prv->peer_cert.p );
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+        mbedtls_free( prv );
+    }
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &cache->mutex );
+#endif
+    cache->chain = NULL;
+}
+
+#endif /* MBEDTLS_SSL_CACHE_C */
diff --git a/makerom/deps/libmbedtls/src/ssl_ciphersuites.c b/makerom/deps/libmbedtls/src/ssl_ciphersuites.c
new file mode 100644
index 00000000..518f7dde
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ssl_ciphersuites.c
@@ -0,0 +1,2373 @@
+/**
+ * \file ssl_ciphersuites.c
+ *
+ * \brief SSL ciphersuites for mbed TLS
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#endif
+
+#include "mbedtls/ssl_ciphersuites.h"
+#include "mbedtls/ssl.h"
+
+#include <string.h>
+
+/*
+ * Ordered from most preferred to least preferred in terms of security.
+ *
+ * Current rule (except RC4 and 3DES, weak and null which come last):
+ * 1. By key exchange:
+ *    Forward-secure non-PSK > forward-secure PSK > ECJPAKE > other non-PSK > other PSK
+ * 2. By key length and cipher:
+ *    ChaCha > AES-256 > Camellia-256 > ARIA-256 > AES-128 > Camellia-128 > ARIA-128
+ * 3. By cipher mode when relevant GCM > CCM > CBC > CCM_8
+ * 4. By hash function used when relevant
+ * 5. By key exchange/auth again: EC > non-EC
+ */
+static const int ciphersuite_preference[] =
+{
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+    MBEDTLS_SSL_CIPHERSUITES,
+#else
+    /* Chacha-Poly ephemeral suites */
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+
+    /* All AES-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+
+    /* All ARIA-256 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+
+    /* All AES-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+
+    /* All ARIA-128 ephemeral suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+
+    /* The PSK ephemeral suites */
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* The ECJPAKE suite */
+    MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
+
+    /* All AES-256 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
+
+    /* All CAMELLIA-256 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+
+    /* All ARIA-256 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+
+    /* All AES-128 suites */
+    MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
+
+    /* All CAMELLIA-128 suites */
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+
+    /* All ARIA-128 suites */
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+
+    /* The RSA PSK suites */
+    MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* The PSK suites */
+    MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+    MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+    MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+
+    MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+    MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+    MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+
+    /* 3DES suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+
+    /* RC4 suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_PSK_WITH_RC4_128_SHA,
+
+    /* Weak suites */
+    MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA,
+
+    /* NULL suites */
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA,
+
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_WITH_NULL_MD5,
+    MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA384,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA256,
+    MBEDTLS_TLS_PSK_WITH_NULL_SHA,
+
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+    0
+};
+
+static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
+{
+#if defined(MBEDTLS_CHACHAPOLY_C) && \
+    defined(MBEDTLS_SHA256_C) && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    { MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-ECDHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-DHE-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256,
+      "TLS-RSA-PSK-WITH-CHACHA20-POLY1305-SHA256",
+      MBEDTLS_CIPHER_CHACHA20_POLY1305, MBEDTLS_MD_SHA256,
+      MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#endif /* MBEDTLS_CHACHAPOLY_C &&
+          MBEDTLS_SHA256_C &&
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA, "TLS-ECDHE-ECDSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS-ECDHE-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA, "TLS-ECDHE-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "TLS-DHE-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM, "TLS-DHE-RSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8, "TLS-DHE-RSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM, "TLS-DHE-RSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, "TLS-DHE-RSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS-RSA-WITH-AES-256-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, "TLS-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, "TLS-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CCM, "TLS-RSA-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8, "TLS-RSA-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CCM, "TLS-RSA-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8, "TLS-RSA-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_MD5_C)
+    { MBEDTLS_TLS_RSA_WITH_RC4_128_MD5, "TLS-RSA-WITH-RC4-128-MD5",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_RC4_128_SHA, "TLS-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA, "TLS-ECDH-RSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_GCM_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "TLS-ECDH-ECDSA-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, "TLS-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, "TLS-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA, "TLS-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CCM, "TLS-PSK-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8, "TLS-PSK-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CCM, "TLS-PSK-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8, "TLS-PSK-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_RC4_128_SHA, "TLS-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256, "TLS-DHE-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM, "TLS-DHE-PSK-WITH-AES-256-CCM",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8, "TLS-DHE-PSK-WITH-AES-256-CCM-8",
+      MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM, "TLS-DHE-PSK-WITH-AES-128-CCM",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+    { MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8, "TLS-DHE-PSK-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-DHE-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-DHE-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA, "TLS-DHE-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-ECDHE-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-ECDHE-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA, "TLS-ECDHE-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256, "TLS-RSA-PSK-WITH-AES-128-GCM-SHA256",
+      MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
+      MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA256",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
+      MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+
+    { MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA",
+      MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+#if defined(MBEDTLS_GCM_C)
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256, "TLS-RSA-PSK-WITH-CAMELLIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_GCM_C */
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA, "TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA",
+      MBEDTLS_CIPHER_DES_EDE3_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA, "TLS-RSA-PSK-WITH-RC4-128-SHA",
+      MBEDTLS_CIPHER_ARC4_128, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_NODTLS },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_ARC4_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#if defined(MBEDTLS_AES_C)
+#if defined(MBEDTLS_CCM_C)
+    { MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, "TLS-ECJPAKE-WITH-AES-128-CCM-8",
+      MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECJPAKE,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_SHORT_TAG },
+#endif /* MBEDTLS_CCM_C */
+#endif /* MBEDTLS_AES_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_MD5_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_MD5, "TLS-RSA-WITH-NULL-MD5",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_MD5, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_SHA, "TLS-RSA-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_WITH_NULL_SHA256, "TLS-RSA-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA, "TLS-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA256, "TLS-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA, "TLS-DHE-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256, "TLS-DHE-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, "TLS-ECDHE-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, "TLS-ECDHE-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA, "TLS-RSA-PSK-WITH-NULL-SHA",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256, "TLS-RSA-PSK-WITH-NULL-SHA256",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+    { MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
+      MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+
+#if defined(MBEDTLS_DES_C)
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA, "TLS-DHE-RSA-WITH-DES-CBC-SHA",
+      MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+#if defined(MBEDTLS_SHA1_C)
+    { MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA, "TLS-RSA-WITH-DES-CBC-SHA",
+      MBEDTLS_CIPHER_DES_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_CIPHERSUITE_WEAK },
+#endif /* MBEDTLS_SHA1_C */
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* MBEDTLS_DES_C */
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+
+#if defined(MBEDTLS_ARIA_C)
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-RSA-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-RSA-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384,MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDHE-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
+             "TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+             "TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
+             "TLS-DHE-RSA-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+             "TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
+             "TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+             "TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
+      MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
+             "TLS-DHE-PSK-WITH-ARIA-128-GCM-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA256_C))
+    { MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+             "TLS-DHE-PSK-WITH-ARIA-128-CBC-SHA256",
+      MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
+      0 },
+#endif
+
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#endif /* MBEDTLS_ARIA_C */
+
+
+    { 0, "",
+      MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
+      0, 0, 0, 0, 0 }
+};
+
+#if defined(MBEDTLS_SSL_CIPHERSUITES)
+const int *mbedtls_ssl_list_ciphersuites( void )
+{
+    return( ciphersuite_preference );
+}
+#else
+#define MAX_CIPHERSUITES    sizeof( ciphersuite_definitions     ) /         \
+                            sizeof( ciphersuite_definitions[0]  )
+static int supported_ciphersuites[MAX_CIPHERSUITES];
+static int supported_init = 0;
+
+static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
+{
+    (void)cs_info;
+
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+        return( 1 );
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
+        cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
+    {
+        return( 1 );
+    }
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+
+    return( 0 );
+}
+
+const int *mbedtls_ssl_list_ciphersuites( void )
+{
+    /*
+     * On initial call filter out all ciphersuites not supported by current
+     * build based on presence in the ciphersuite_definitions.
+     */
+    if( supported_init == 0 )
+    {
+        const int *p;
+        int *q;
+
+        for( p = ciphersuite_preference, q = supported_ciphersuites;
+             *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
+             p++ )
+        {
+            const mbedtls_ssl_ciphersuite_t *cs_info;
+            if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
+                !ciphersuite_is_removed( cs_info ) )
+            {
+                *(q++) = *p;
+            }
+        }
+        *q = 0;
+
+        supported_init = 1;
+    }
+
+    return( supported_ciphersuites );
+}
+#endif /* MBEDTLS_SSL_CIPHERSUITES */
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
+                                                const char *ciphersuite_name )
+{
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    if( NULL == ciphersuite_name )
+        return( NULL );
+
+    while( cur->id != 0 )
+    {
+        if( 0 == strcmp( cur->name, ciphersuite_name ) )
+            return( cur );
+
+        cur++;
+    }
+
+    return( NULL );
+}
+
+const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite )
+{
+    const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
+
+    while( cur->id != 0 )
+    {
+        if( cur->id == ciphersuite )
+            return( cur );
+
+        cur++;
+    }
+
+    return( NULL );
+}
+
+const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id )
+{
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
+
+    if( cur == NULL )
+        return( "unknown" );
+
+    return( cur->name );
+}
+
+int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
+{
+    const mbedtls_ssl_ciphersuite_t *cur;
+
+    cur = mbedtls_ssl_ciphersuite_from_string( ciphersuite_name );
+
+    if( cur == NULL )
+        return( 0 );
+
+    return( cur->id );
+}
+
+#if defined(MBEDTLS_PK_C)
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+            return( MBEDTLS_PK_RSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+            return( MBEDTLS_PK_ECKEY );
+
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            return( MBEDTLS_PK_RSA );
+
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+        case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+        case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info )
+{
+    switch( info->key_exchange )
+    {
+        case MBEDTLS_KEY_EXCHANGE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+        case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+        case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            return( 1 );
+
+        default:
+            return( 0 );
+    }
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/makerom/deps/libmbedtls/src/ssl_cli.c b/makerom/deps/libmbedtls/src/ssl_cli.c
new file mode 100644
index 00000000..afced7a9
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ssl_cli.c
@@ -0,0 +1,3636 @@
+/*
+ *  SSLv3/TLSv1 client-side functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_CLI_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+
+#include <string.h>
+
+#include <stdint.h>
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#include "mbedtls/platform_util.h"
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
+                                    unsigned char *buf,
+                                    size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t hostname_len;
+
+    *olen = 0;
+
+    if( ssl->hostname == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
+                   ssl->hostname ) );
+
+    hostname_len = strlen( ssl->hostname );
+
+    if( end < p || (size_t)( end - p ) < hostname_len + 9 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    /*
+     * Sect. 3, RFC 6066 (TLS Extensions Definitions)
+     *
+     * In order to provide any of the server names, clients MAY include an
+     * extension of type "server_name" in the (extended) client hello. The
+     * "extension_data" field of this extension SHALL contain
+     * "ServerNameList" where:
+     *
+     * struct {
+     *     NameType name_type;
+     *     select (name_type) {
+     *         case host_name: HostName;
+     *     } name;
+     * } ServerName;
+     *
+     * enum {
+     *     host_name(0), (255)
+     * } NameType;
+     *
+     * opaque HostName<1..2^16-1>;
+     *
+     * struct {
+     *     ServerName server_name_list<1..2^16-1>
+     * } ServerNameList;
+     *
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( (hostname_len + 5) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( (hostname_len + 5)      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( (hostname_len + 3) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( (hostname_len + 3)      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME ) & 0xFF );
+    *p++ = (unsigned char)( ( hostname_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( hostname_len      ) & 0xFF );
+
+    memcpy( p, ssl->hostname, hostname_len );
+
+    *olen = hostname_len + 9;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    /* We're always including an TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
+     * initial ClientHello, in which case also adding the renegotiation
+     * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
+    if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    /*
+     * Secure renegotiation
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
+    *p++ = ssl->verify_data_len & 0xFF;
+
+    memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+
+    *olen = 5 + ssl->verify_data_len;
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Only if we handle at least one key exchange that needs signatures.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
+                                                unsigned char *buf,
+                                                size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t sig_alg_len = 0;
+    const int *md;
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
+    unsigned char *sig_alg_list = buf + 6;
+#endif
+
+    *olen = 0;
+
+    if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
+
+    for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
+    {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_len += 2;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_len += 2;
+#endif
+    }
+
+    if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    /*
+     * Prepare signature_algorithms extension (TLS 1.2)
+     */
+    sig_alg_len = 0;
+
+    for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
+    {
+#if defined(MBEDTLS_ECDSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+#if defined(MBEDTLS_RSA_C)
+        sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg( *md );
+        sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+    }
+
+    /*
+     * enum {
+     *     none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
+     *     sha512(6), (255)
+     * } HashAlgorithm;
+     *
+     * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
+     *   SignatureAlgorithm;
+     *
+     * struct {
+     *     HashAlgorithm hash;
+     *     SignatureAlgorithm signature;
+     * } SignatureAndHashAlgorithm;
+     *
+     * SignatureAndHashAlgorithm
+     *   supported_signature_algorithms<2..2^16-2>;
+     */
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SIG_ALG      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( sig_alg_len + 2 ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( sig_alg_len + 2 )      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( sig_alg_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( sig_alg_len      ) & 0xFF );
+
+    *olen = 6 + sig_alg_len;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
+                                                     unsigned char *buf,
+                                                     size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    unsigned char *elliptic_curve_list = p + 6;
+    size_t elliptic_curve_len = 0;
+    const mbedtls_ecp_curve_info *info;
+#if defined(MBEDTLS_ECP_C)
+    const mbedtls_ecp_group_id *grp_id;
+#else
+    ((void) ssl);
+#endif
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
+
+#if defined(MBEDTLS_ECP_C)
+    for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
+#else
+    for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
+#endif
+    {
+#if defined(MBEDTLS_ECP_C)
+        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
+#endif
+        if( info == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
+            return;
+        }
+
+        elliptic_curve_len += 2;
+    }
+
+    if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    elliptic_curve_len = 0;
+
+#if defined(MBEDTLS_ECP_C)
+    for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
+#else
+    for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
+#endif
+    {
+#if defined(MBEDTLS_ECP_C)
+        info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
+#endif
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
+        elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
+    }
+
+    if( elliptic_curve_len == 0 )
+        return;
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( elliptic_curve_len + 2 )      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( ( elliptic_curve_len     ) >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( ( elliptic_curve_len     )      ) & 0xFF );
+
+    *olen = 6 + elliptic_curve_len;
+}
+
+static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                   unsigned char *buf,
+                                                   size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 6 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        size_t *olen )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly extension if we can't use EC J-PAKE anyway */
+    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
+
+    if( end - p < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
+
+    /*
+     * We may need to send ClientHello multiple times for Hello verification.
+     * We don't want to compute fresh values every time (both for performance
+     * and consistency reasons), so cache the extension content.
+     */
+    if( ssl->handshake->ecjpake_cache == NULL ||
+        ssl->handshake->ecjpake_cache_len == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
+
+        ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
+                                        p + 2, end - p - 2, &kkpp_len,
+                                        ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
+            return;
+        }
+
+        ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
+        if( ssl->handshake->ecjpake_cache == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
+            return;
+        }
+
+        memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
+        ssl->handshake->ecjpake_cache_len = kkpp_len;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
+
+        kkpp_len = ssl->handshake->ecjpake_cache_len;
+
+        if( (size_t)( end - p - 2 ) < kkpp_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+            return;
+        }
+
+        memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
+    }
+
+    *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
+
+    *olen = kkpp_len + 4;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                               unsigned char *buf,
+                                               size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 5 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->conf->mfl_code;
+
+    *olen = 5;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
+                        "extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+    *olen = 0;
+
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
+                        "extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t tlen = ssl->session_negotiate->ticket_len;
+
+    *olen = 0;
+
+    if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
+
+    if( end < p || (size_t)( end - p ) < 4 + tlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
+
+    *p++ = (unsigned char)( ( tlen >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( tlen      ) & 0xFF );
+
+    *olen = 4;
+
+    if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
+
+    memcpy( p, ssl->session_negotiate->ticket, tlen );
+
+    *olen += tlen;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+                                unsigned char *buf, size_t *olen )
+{
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t alpnlen = 0;
+    const char **cur;
+
+    *olen = 0;
+
+    if( ssl->conf->alpn_list == NULL )
+    {
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
+
+    for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
+        alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
+
+    if( end < p || (size_t)( end - p ) < 6 + alpnlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Skip writing extension and list length for now */
+    p += 4;
+
+    for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
+    {
+        *p = (unsigned char)( strlen( *cur ) & 0xFF );
+        memcpy( p + 1, *cur, *p );
+        p += 1 + *p;
+    }
+
+    *olen = p - buf;
+
+    /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
+    buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
+    buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
+
+    /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
+    buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
+    buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Generate random bytes for ClientHello
+ */
+static int ssl_generate_random( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *p = ssl->handshake->randbytes;
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+
+    /*
+     * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->verify_cookie != NULL )
+    {
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time( NULL );
+    *p++ = (unsigned char)( t >> 24 );
+    *p++ = (unsigned char)( t >> 16 );
+    *p++ = (unsigned char)( t >>  8 );
+    *p++ = (unsigned char)( t       );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
+#else
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
+        return( ret );
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/**
+ * \brief           Validate cipher suite against config in SSL context.
+ *
+ * \param suite_info    cipher suite to validate
+ * \param ssl           SSL context
+ * \param min_minor_ver Minimal minor version to accept a cipher suite
+ * \param max_minor_ver Maximal minor version to accept a cipher suite
+ *
+ * \return          0 if valid, else 1
+ */
+static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
+                                     const mbedtls_ssl_context * ssl,
+                                     int min_minor_ver, int max_minor_ver )
+{
+    (void) ssl;
+    if( suite_info == NULL )
+        return( 1 );
+
+    if( suite_info->min_minor_ver > max_minor_ver ||
+            suite_info->max_minor_ver < min_minor_ver )
+        return( 1 );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
+        return( 1 );
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+        return( 1 );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+            mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+        return( 1 );
+#endif
+
+    return( 0 );
+}
+
+static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n, olen, ext_len = 0;
+    unsigned char *buf;
+    unsigned char *p, *q;
+    unsigned char offer_compress;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    int uses_ec = 0;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
+
+    if( ssl->conf->f_rng == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( MBEDTLS_ERR_SSL_NO_RNG );
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        ssl->major_ver = ssl->conf->min_major_ver;
+        ssl->minor_ver = ssl->conf->min_minor_ver;
+    }
+
+    if( ssl->conf->max_major_ver == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
+                            "consider using mbedtls_ssl_config_defaults()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   highest version supported
+     *     6  .   9   current UNIX time
+     *    10  .  37   random bytes
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
+                       ssl->conf->transport, p );
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
+                   buf[4], buf[5] ) );
+
+    if( ( ret = ssl_generate_random( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_generate_random", ret );
+        return( ret );
+    }
+
+    memcpy( p, ssl->handshake->randbytes, 32 );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", p, 32 );
+    p += 32;
+
+    /*
+     *    38  .  38   session id length
+     *    39  . 39+n  session id
+     *   39+n . 39+n  DTLS only: cookie length (1 byte)
+     *   40+n .  ..   DTSL only: cookie
+     *   ..   . ..    ciphersuitelist length (2 bytes)
+     *   ..   . ..    ciphersuitelist
+     *   ..   . ..    compression methods length (1 byte)
+     *   ..   . ..    compression methods
+     *   ..   . ..    extensions length (2 bytes)
+     *   ..   . ..    extensions
+     */
+    n = ssl->session_negotiate->id_len;
+
+    if( n < 16 || n > 32 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+        ssl->handshake->resume == 0 )
+    {
+        n = 0;
+    }
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    /*
+     * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
+     * generate and include a Session ID in the TLS ClientHello."
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        if( ssl->session_negotiate->ticket != NULL &&
+                ssl->session_negotiate->ticket_len != 0 )
+        {
+            ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
+
+            if( ret != 0 )
+                return( ret );
+
+            ssl->session_negotiate->id_len = n = 32;
+        }
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+    *p++ = (unsigned char) n;
+
+    for( i = 0; i < n; i++ )
+        *p++ = ssl->session_negotiate->id[i];
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "client hello, session id", buf + 39, n );
+
+    /*
+     * DTLS cookie
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( ssl->handshake->verify_cookie == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
+            *p++ = 0;
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
+                              ssl->handshake->verify_cookie,
+                              ssl->handshake->verify_cookie_len );
+
+            *p++ = ssl->handshake->verify_cookie_len;
+            memcpy( p, ssl->handshake->verify_cookie,
+                       ssl->handshake->verify_cookie_len );
+            p += ssl->handshake->verify_cookie_len;
+        }
+    }
+#endif
+
+    /*
+     * Ciphersuite list
+     */
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+
+    /* Skip writing ciphersuite length for now */
+    n = 0;
+    q = p;
+    p += 2;
+
+    for( i = 0; ciphersuites[i] != 0; i++ )
+    {
+        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
+
+        if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
+                                      ssl->conf->min_minor_ver,
+                                      ssl->conf->max_minor_ver ) != 0 )
+            continue;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
+                                    ciphersuites[i] ) );
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
+#endif
+
+        n++;
+        *p++ = (unsigned char)( ciphersuites[i] >> 8 );
+        *p++ = (unsigned char)( ciphersuites[i]      );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
+
+    /*
+     * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
+        *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO      );
+        n++;
+    }
+
+    /* Some versions of OpenSSL don't handle it correctly if not at end */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
+        *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
+        *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      );
+        n++;
+    }
+#endif
+
+    *q++ = (unsigned char)( n >> 7 );
+    *q++ = (unsigned char)( n << 1 );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    offer_compress = 1;
+#else
+    offer_compress = 0;
+#endif
+
+    /*
+     * We don't support compression with DTLS right now: if many records come
+     * in the same datagram, uncompressing one could overwrite the next one.
+     * We don't want to add complexity for handling that case unless there is
+     * an actual need for it.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        offer_compress = 0;
+#endif
+
+    if( offer_compress )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
+                            MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
+
+        *p++ = 2;
+        *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 1 ) );
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
+                            MBEDTLS_SSL_COMPRESS_NULL ) );
+
+        *p++ = 1;
+        *p++ = MBEDTLS_SSL_COMPRESS_NULL;
+    }
+
+    // First write extensions, then the total length
+    //
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+    /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
+     * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( uses_ec )
+    {
+        ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
+        ext_len += olen;
+
+        ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
+        ext_len += olen;
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+    /* olen unused if all extensions are disabled */
+    ((void) olen);
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
+                   ext_len ) );
+
+    if( ext_len > 0 )
+    {
+        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
+        p += ext_len;
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_HELLO;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client hello" ) );
+
+    return( 0 );
+}
+
+static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if( len    != 1 + ssl->verify_data_len * 2 ||
+            buf[0] !=     ssl->verify_data_len * 2 ||
+            mbedtls_ssl_safer_memcmp( buf + 1,
+                          ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
+            mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
+                          ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if( len != 1 || buf[0] != 0x00 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    /*
+     * server should use the extension only if we did,
+     * and if so the server's value should match ours (and len is always 1)
+     */
+    if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
+        len != 1 ||
+        buf[0] != ssl->conf->mfl_code )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
+        len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    ((void) buf);
+
+    ssl->handshake->new_session_ticket = 1;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                  const unsigned char *buf,
+                                                  size_t len )
+{
+    size_t list_size;
+    const unsigned char *p;
+
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while( list_size > 0 )
+    {
+        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
+        {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
+            return( 0 );
+        }
+
+        list_size--;
+        p++;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "no point format in common" ) );
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
+                                   const unsigned char *buf,
+                                   size_t len )
+{
+    int ret;
+
+    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
+        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
+        return( 0 );
+    }
+
+    /* If we got here, we no longer need our cached extension */
+    mbedtls_free( ssl->handshake->ecjpake_cache );
+    ssl->handshake->ecjpake_cache = NULL;
+    ssl->handshake->ecjpake_cache_len = 0;
+
+    if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
+                                                buf, len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+                               const unsigned char *buf, size_t len )
+{
+    size_t list_len, name_len;
+    const char **p;
+
+    /* If we didn't send it, the server shouldn't send it */
+    if( ssl->conf->alpn_list == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     *
+     * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if( len < 4 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    list_len = ( buf[0] << 8 ) | buf[1];
+    if( list_len != len - 2 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    name_len = buf[2];
+    if( name_len != list_len - 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /* Check that the server chosen protocol was in our list and save it */
+    for( p = ssl->conf->alpn_list; *p != NULL; p++ )
+    {
+        if( name_len == strlen( *p ) &&
+            memcmp( buf + 3, *p, name_len ) == 0 )
+        {
+            ssl->alpn_chosen = *p;
+            return( 0 );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "ALPN extension: no matching protocol" ) );
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Parse HelloVerifyRequest.  Only called after verifying the HS type.
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
+{
+    const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    int major_ver, minor_ver;
+    unsigned char cookie_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
+    mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p );
+    p += 2;
+
+    /*
+     * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
+     * even is lower than our min version.
+     */
+    if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
+        minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
+        major_ver > ssl->conf->max_major_ver  ||
+        minor_ver > ssl->conf->max_minor_ver  )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    cookie_len = *p++;
+    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
+
+    if( ( ssl->in_msg + ssl->in_msglen ) - p < cookie_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1,
+            ( "cookie length does not match incoming message size" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    mbedtls_free( ssl->handshake->verify_cookie );
+
+    ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
+    if( ssl->handshake->verify_cookie  == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    memcpy( ssl->handshake->verify_cookie, p, cookie_len );
+    ssl->handshake->verify_cookie_len = cookie_len;
+
+    /* Start over at ClientHello */
+    ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+    mbedtls_ssl_reset_checksum( ssl );
+
+    mbedtls_ssl_recv_flight_completed( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse hello verify request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
+{
+    int ret, i;
+    size_t n;
+    size_t ext_len;
+    unsigned char *buf, *ext;
+    unsigned char comp;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    int accept_comp;
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
+
+    buf = ssl->in_msg;
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        /* No alert on a read error. */
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        {
+            ssl->renego_records_seen++;
+
+            if( ssl->conf->renego_max_records >= 0 &&
+                ssl->renego_records_seen > ssl->conf->renego_max_records )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+                                    "but not honored by server" ) );
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
+
+            ssl->keep_current_message = 1;
+            return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received hello verify request" ) );
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
+            return( ssl_parse_hello_verify_request( ssl ) );
+        }
+        else
+        {
+            /* We made it through the verification process */
+            mbedtls_free( ssl->handshake->verify_cookie );
+            ssl->handshake->verify_cookie = NULL;
+            ssl->handshake->verify_cookie_len = 0;
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len( ssl ) ||
+        buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /*
+     *  0   .  1    server_version
+     *  2   . 33    random (maybe including 4 bytes of Unix time)
+     * 34   . 34    session_id length = n
+     * 35   . 34+n  session_id
+     * 35+n . 36+n  cipher_suite
+     * 37+n . 37+n  compression_method
+     *
+     * 38+n . 39+n  extensions length (optional)
+     * 40+n .  ..   extensions
+     */
+    buf += mbedtls_ssl_hs_hdr_len( ssl );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
+    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
+                      ssl->conf->transport, buf + 0 );
+
+    if( ssl->major_ver < ssl->conf->min_major_ver ||
+        ssl->minor_ver < ssl->conf->min_minor_ver ||
+        ssl->major_ver > ssl->conf->max_major_ver ||
+        ssl->minor_ver > ssl->conf->max_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
+                            " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
+                           ( (uint32_t) buf[2] << 24 ) |
+                           ( (uint32_t) buf[3] << 16 ) |
+                           ( (uint32_t) buf[4] <<  8 ) |
+                           ( (uint32_t) buf[5]       ) ) );
+
+    memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
+
+    n = buf[34];
+
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, random bytes", buf + 2, 32 );
+
+    if( n > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    if( ssl->in_hslen > mbedtls_ssl_hs_hdr_len( ssl ) + 39 + n )
+    {
+        ext_len = ( ( buf[38 + n] <<  8 )
+                  | ( buf[39 + n]       ) );
+
+        if( ( ext_len > 0 && ext_len < 4 ) ||
+            ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+    else if( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) + 38 + n )
+    {
+        ext_len = 0;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    /* ciphersuite (used later) */
+    i = ( buf[35 + n] << 8 ) | buf[36 + n];
+
+    /*
+     * Read and check compression
+     */
+    comp = buf[37 + n];
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        accept_comp = 0;
+    else
+#endif
+        accept_comp = 1;
+
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL &&
+        ( comp != MBEDTLS_SSL_COMPRESS_DEFLATE || accept_comp == 0 ) )
+#else /* MBEDTLS_ZLIB_SUPPORT */
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL )
+#endif/* MBEDTLS_ZLIB_SUPPORT */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    /*
+     * Initialize update checksum functions
+     */
+    ssl->transform_negotiate->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
+
+    if( ssl->transform_negotiate->ciphersuite_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    mbedtls_ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 35, n );
+
+    /*
+     * Check if the session can be resumed
+     */
+    if( ssl->handshake->resume == 0 || n == 0 ||
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
+#endif
+        ssl->session_negotiate->ciphersuite != i ||
+        ssl->session_negotiate->compression != comp ||
+        ssl->session_negotiate->id_len != n ||
+        memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
+    {
+        ssl->state++;
+        ssl->handshake->resume = 0;
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time( NULL );
+#endif
+        ssl->session_negotiate->ciphersuite = i;
+        ssl->session_negotiate->compression = comp;
+        ssl->session_negotiate->id_len = n;
+        memcpy( ssl->session_negotiate->id, buf + 35, n );
+    }
+    else
+    {
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
+                   ssl->handshake->resume ? "a" : "no" ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
+
+    /*
+     * Perform cipher suite validation in same way as in ssl_write_client_hello.
+     */
+    i = 0;
+    while( 1 )
+    {
+        if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
+            ssl->session_negotiate->ciphersuite )
+        {
+            break;
+        }
+    }
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
+    if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        ssl->handshake->ecrs_enabled = 1;
+    }
+#endif
+
+    if( comp != MBEDTLS_SSL_COMPRESS_NULL
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+        && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
+#endif
+      )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+    ssl->session_negotiate->compression = comp;
+
+    ext = buf + 40 + n;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
+
+    while( ext_len )
+    {
+        unsigned int ext_id   = ( ( ext[0] <<  8 )
+                                | ( ext[1]       ) );
+        unsigned int ext_size = ( ( ext[2] <<  8 )
+                                | ( ext[3]       ) );
+
+        if( ext_size + 4 > ext_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+
+        switch( ext_id )
+        {
+        case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            renegotiation_info_seen = 1;
+#endif
+
+            if( ( ret = ssl_parse_renegotiation_info( ssl, ext + 4,
+                                                      ext_size ) ) != 0 )
+                return( ret );
+
+            break;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+        case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
+
+            if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+        case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
+
+            if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
+
+            if( ( ret = ssl_parse_encrypt_then_mac_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+        case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
+
+            if( ( ret = ssl_parse_extended_ms_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        case MBEDTLS_TLS_EXT_SESSION_TICKET:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session_ticket extension" ) );
+
+            if( ( ret = ssl_parse_session_ticket_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
+
+            if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+        case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake_kkpp extension" ) );
+
+            if( ( ret = ssl_parse_ecjpake_kkpp( ssl,
+                            ext + 4, ext_size ) ) != 0 )
+            {
+                return( ret );
+            }
+
+            break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN)
+        case MBEDTLS_TLS_EXT_ALPN:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+
+            if( ( ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ) ) != 0 )
+                return( ret );
+
+            break;
+#endif /* MBEDTLS_SSL_ALPN */
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
+                           ext_id ) );
+        }
+
+        ext_len -= 4 + ext_size;
+        ext += 4 + ext_size;
+
+        if( ext_len > 0 && ext_len < 4 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             renegotiation_info_seen == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if( handshake_failure == 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
+                                       unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral DH parameters:
+     *
+     * struct {
+     *     opaque dh_p<1..2^16-1>;
+     *     opaque dh_g<1..2^16-1>;
+     *     opaque dh_Ys<1..2^16-1>;
+     * } ServerDHParams;
+     */
+    if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
+        return( ret );
+    }
+
+    if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
+                                    ssl->handshake->dhm_ctx.len * 8,
+                                    ssl->conf->dhm_min_bitlen ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ecp_curve_info *curve_info;
+    mbedtls_ecp_group_id grp_id;
+#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
+    grp_id = ssl->handshake->ecdh_ctx.grp.id;
+#else
+    grp_id = ssl->handshake->ecdh_ctx.grp_id;
+#endif
+
+    curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
+    if( curve_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
+
+#if defined(MBEDTLS_ECP_C)
+    if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
+#else
+    if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
+        ssl->handshake->ecdh_ctx.grp.nbits > 521 )
+#endif
+        return( -1 );
+
+    MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                            MBEDTLS_DEBUG_ECDH_QP );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+static int ssl_parse_server_ecdh_params( mbedtls_ssl_context *ssl,
+                                         unsigned char **p,
+                                         unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    /*
+     * Ephemeral ECDH parameters:
+     *
+     * struct {
+     *     ECParameters curve_params;
+     *     ECPoint      public;
+     * } ServerECDHParams;
+     */
+    if( ( ret = mbedtls_ecdh_read_params( &ssl->handshake->ecdh_ctx,
+                                  (const unsigned char **) p, end ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+        return( ret );
+    }
+
+    if( ssl_check_server_ecdh_params( ssl ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+static int ssl_parse_server_psk_hint( mbedtls_ssl_context *ssl,
+                                      unsigned char **p,
+                                      unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t  len;
+    ((void) ssl);
+
+    /*
+     * PSK parameters:
+     *
+     * opaque psk_identity_hint<0..2^16-1>;
+     */
+    if( end - (*p) < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
+                                    "(psk_identity_hint length)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+    len = (*p)[0] << 8 | (*p)[1];
+    *p += 2;
+
+    if( end - (*p) < (int) len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
+                                    "(psk_identity_hint length)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Note: we currently ignore the PKS identity hint, as we only allow one
+     * PSK to be provisionned on the client. This could be changed later if
+     * someone needs that feature.
+     */
+    *p += len;
+    ret = 0;
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+/*
+ * Generate a pre-master secret and encrypt it with the server's RSA key
+ */
+static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
+                                    size_t offset, size_t *olen,
+                                    size_t pms_offset )
+{
+    int ret;
+    size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
+    unsigned char *p = ssl->handshake->premaster + pms_offset;
+
+    if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) );
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+    }
+
+    /*
+     * Generate (part of) the pre-master as
+     *  struct {
+     *      ProtocolVersion client_version;
+     *      opaque random[46];
+     *  } PreMasterSecret;
+     */
+    mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
+                       ssl->conf->transport, p );
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "f_rng", ret );
+        return( ret );
+    }
+
+    ssl->handshake->pmslen = 48;
+
+    if( ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * Now write it out, encrypted
+     */
+    if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                MBEDTLS_PK_RSA ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
+                            p, ssl->handshake->pmslen,
+                            ssl->out_msg + offset + len_bytes, olen,
+                            MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
+                            ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_rsa_pkcs1_encrypt", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( len_bytes == 2 )
+    {
+        ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 );
+        ssl->out_msg[offset+1] = (unsigned char)( *olen      );
+        *olen += 2;
+    }
+#endif
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
+                                          unsigned char **p,
+                                          unsigned char *end,
+                                          mbedtls_md_type_t *md_alg,
+                                          mbedtls_pk_type_t *pk_alg )
+{
+    ((void) ssl);
+    *md_alg = MBEDTLS_MD_NONE;
+    *pk_alg = MBEDTLS_PK_NONE;
+
+    /* Only in TLS 1.2 */
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        return( 0 );
+    }
+
+    if( (*p) + 2 > end )
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+
+    /*
+     * Get hash algorithm
+     */
+    if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
+                            "HashAlgorithm %d", *(p)[0] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Get signature algorithm
+     */
+    if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
+                            "SignatureAlgorithm %d", (*p)[1] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    /*
+     * Check if the hash is acceptable
+     */
+    if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
+                                    *(p)[0] ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
+    *p += 2;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ecp_keypair *peer_key;
+
+    if( ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                     MBEDTLS_PK_ECKEY ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk );
+
+    if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key,
+                                 MBEDTLS_ECDH_THEIRS ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
+        return( ret );
+    }
+
+    if( ssl_check_server_ecdh_params( ssl ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server certificate (ECDH curve)" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    unsigned char *p = NULL, *end = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+    ((void) p);
+    ((void) end);
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+    ((void) p);
+    ((void) end);
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing )
+    {
+        goto start_processing;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
+     * doesn't use a psk_identity_hint
+     */
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
+    {
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+            ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        {
+            /* Current message is probably either
+             * CertificateRequest or ServerHelloDone */
+            ssl->keep_current_message = 1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
+                                    "not be skipped" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
+
+start_processing:
+#endif
+    p   = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    end = ssl->in_msg + ssl->in_hslen;
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server key exchange", p, end - p );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    } /* FALLTROUGH */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        ; /* nothing more to do */
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+    {
+        if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
+                                              p, end - p );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
+    {
+        size_t sig_len, hashlen;
+        unsigned char hash[64];
+        mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+        mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
+        unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+        size_t params_len = p - params;
+        void *rs_ctx = NULL;
+
+        /*
+         * Handle the digitally-signed structure
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            if( ssl_parse_signature_algorithm( ssl, &p, end,
+                                               &md_alg, &pk_alg ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+            }
+
+            if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+                return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+
+            /* Default hash for ECDSA is SHA-1 */
+            if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE )
+                md_alg = MBEDTLS_MD_SHA1;
+        }
+        else
+#endif
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Read signature
+         */
+
+        if( p > end - 2 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+        sig_len = ( p[0] << 8 ) | p[1];
+        p += 2;
+
+        if( p != end - sig_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "signature", p, sig_len );
+
+        /*
+         * Compute the hash that has been signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( md_alg == MBEDTLS_MD_NONE )
+        {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params,
+                                                           params_len );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( md_alg != MBEDTLS_MD_NONE )
+        {
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
+                                                          params, params_len,
+                                                          md_alg );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
+
+        if( ssl->session_negotiate->peer_cert == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "certificate required" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+
+        /*
+         * Verify signature
+         */
+        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+        }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+            rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+        if( ( ret = mbedtls_pk_verify_restartable(
+                        &ssl->session_negotiate->peer_cert->pk,
+                        md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
+        {
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+#endif
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+exit:
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server key exchange" ) );
+
+    return( 0 );
+}
+
+#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
+static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
+
+    if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
+static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *buf;
+    size_t n = 0;
+    size_t cert_type_len = 0, dn_len = 0;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
+
+    if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    ssl->state++;
+    ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
+                        ssl->client_auth ? "a" : "no" ) );
+
+    if( ssl->client_auth == 0 )
+    {
+        /* Current message is probably the ServerHelloDone */
+        ssl->keep_current_message = 1;
+        goto exit;
+    }
+
+    /*
+     *  struct {
+     *      ClientCertificateType certificate_types<1..2^8-1>;
+     *      SignatureAndHashAlgorithm
+     *        supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
+     *      DistinguishedName certificate_authorities<0..2^16-1>;
+     *  } CertificateRequest;
+     *
+     *  Since we only support a single certificate on clients, let's just
+     *  ignore all the information that's supposed to help us pick a
+     *  certificate.
+     *
+     *  We could check that our certificate matches the request, and bail out
+     *  if it doesn't, but it's simpler to just send the certificate anyway,
+     *  and give the server the opportunity to decide if it should terminate
+     *  the connection when it doesn't like our certificate.
+     *
+     *  Same goes for the hash in TLS 1.2's signature_algorithms: at this
+     *  point we only have one hash available (see comments in
+     *  write_certificate_verify), so let's just use what we have.
+     *
+     *  However, we still minimally parse the message to check it is at least
+     *  superficially sane.
+     */
+    buf = ssl->in_msg;
+
+    /* certificate_types */
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+    cert_type_len = buf[mbedtls_ssl_hs_hdr_len( ssl )];
+    n = cert_type_len;
+
+    /*
+     * In the subsequent code there are two paths that read from buf:
+     *     * the length of the signature algorithms field (if minor version of
+     *       SSL is 3),
+     *     * distinguished name length otherwise.
+     * Both reach at most the index:
+     *    ...hdr_len + 2 + n,
+     * therefore the buffer length at this point must be greater than that
+     * regardless of the actual code path.
+     */
+    if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+
+    /* supported_signature_algorithms */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] <<  8 )
+                             | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n]       ) );
+#if defined(MBEDTLS_DEBUG_C)
+        unsigned char* sig_alg;
+        size_t i;
+#endif
+
+        /*
+         * The furthest access in buf is in the loop few lines below:
+         *     sig_alg[i + 1],
+         * where:
+         *     sig_alg = buf + ...hdr_len + 3 + n,
+         *     max(i) = sig_alg_len - 1.
+         * Therefore the furthest access is:
+         *     buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
+         * which reduces to:
+         *     buf[...hdr_len + 3 + n + sig_alg_len],
+         * which is one less than we need the buf to be.
+         */
+        if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+        }
+
+#if defined(MBEDTLS_DEBUG_C)
+        sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
+        for( i = 0; i < sig_alg_len; i += 2 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
+                                        ",%d", sig_alg[i], sig_alg[i + 1]  ) );
+        }
+#endif
+
+        n += 2 + sig_alg_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /* certificate_authorities */
+    dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] <<  8 )
+             | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n]       ) );
+
+    n += dn_len;
+    if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
+    }
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */
+
+static int ssl_parse_server_hello_done( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ||
+        ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
+    }
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse server hello done" ) );
+
+    return( 0 );
+}
+
+static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
+    {
+        /*
+         * DHM key exchange -- send G^X mod P
+         */
+        n = ssl->handshake->dhm_ctx.len;
+
+        ssl->out_msg[4] = (unsigned char)( n >> 8 );
+        ssl->out_msg[5] = (unsigned char)( n      );
+        i = 6;
+
+        ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
+                                (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                               &ssl->out_msg[i], n,
+                                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
+
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      ssl->handshake->premaster,
+                                      MBEDTLS_PREMASTER_SIZE,
+                                     &ssl->handshake->pmslen,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        /*
+         * ECDH key exchange -- send client public value
+         */
+        i = 4;
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+        {
+            if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret )
+                goto ecdh_calc_secret;
+
+            mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx );
+        }
+#endif
+
+        ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
+                                &n,
+                                &ssl->out_msg[i], 1000,
+                                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Q );
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ssl->handshake->ecrs_enabled )
+        {
+            ssl->handshake->ecrs_n = n;
+            ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
+        }
+
+ecdh_calc_secret:
+        if( ssl->handshake->ecrs_enabled )
+            n = ssl->handshake->ecrs_n;
+#endif
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
+                                      &ssl->handshake->pmslen,
+                                       ssl->handshake->premaster,
+                                       MBEDTLS_MPI_MAX_SIZE,
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+            if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+                ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
+    {
+        /*
+         * opaque psk_identity<0..2^16-1>;
+         */
+        if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) );
+            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        }
+
+        i = 4;
+        n = ssl->conf->psk_identity_len;
+
+        if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
+                                        "SSL buffer too short" ) );
+            return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+        }
+
+        ssl->out_msg[i++] = (unsigned char)( n >> 8 );
+        ssl->out_msg[i++] = (unsigned char)( n      );
+
+        memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len );
+        i += ssl->conf->psk_identity_len;
+
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
+        {
+            n = 0;
+        }
+        else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+        {
+            if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
+                return( ret );
+        }
+        else
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+        {
+            /*
+             * ClientDiffieHellmanPublic public (DHM send G^X mod P)
+             */
+            n = ssl->handshake->dhm_ctx.len;
+
+            if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
+                                            " or SSL buffer too short" ) );
+                return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+            }
+
+            ssl->out_msg[i++] = (unsigned char)( n >> 8 );
+            ssl->out_msg[i++] = (unsigned char)( n      );
+
+            ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
+                    (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                    &ssl->out_msg[i], n,
+                    ssl->conf->f_rng, ssl->conf->p_rng );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
+                return( ret );
+            }
+        }
+        else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+        {
+            /*
+             * ClientECDiffieHellmanPublic public;
+             */
+            ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n,
+                    &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i,
+                    ssl->conf->f_rng, ssl->conf->p_rng );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+                return( ret );
+            }
+
+            MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                    MBEDTLS_DEBUG_ECDH_Q );
+        }
+        else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        i = 4;
+        if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
+            return( ret );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        i = 4;
+
+        ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx,
+                ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
+            return( ret );
+        }
+
+        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
+                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+    {
+        ((void) ciphersuite_info);
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    ssl->out_msglen  = i + n;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    size_t n = 0, offset = 0;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
+    unsigned int hashlen;
+    void *rs_ctx = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign )
+    {
+        goto sign;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( mbedtls_ssl_own_key( ssl ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for certificate" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    /*
+     * Make a signature of the handshake digests
+     */
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
+
+sign:
+#endif
+
+    ssl->handshake->calc_verify( ssl, hash );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        /*
+         * digitally-signed struct {
+         *     opaque md5_hash[16];
+         *     opaque sha_hash[20];
+         * };
+         *
+         * md5_hash
+         *     MD5(handshake_messages);
+         *
+         * sha_hash
+         *     SHA(handshake_messages);
+         */
+        hashlen = 36;
+        md_alg = MBEDTLS_MD_NONE;
+
+        /*
+         * For ECDSA, default hash is SHA-1 only
+         */
+        if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) )
+        {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        /*
+         * digitally-signed struct {
+         *     opaque handshake_messages[handshake_messages_length];
+         * };
+         *
+         * Taking shortcut here. We assume that the server always allows the
+         * PRF Hash function and has sent it in the allowed signature
+         * algorithms list received in the Certificate Request message.
+         *
+         * Until we encounter a server that does not, we will take this
+         * shortcut.
+         *
+         * Reason: Otherwise we should have running hashes for SHA512 and SHA224
+         *         in order to satisfy 'weird' needs from the server side.
+         */
+        if( ssl->transform_negotiate->ciphersuite_info->mac ==
+            MBEDTLS_MD_SHA384 )
+        {
+            md_alg = MBEDTLS_MD_SHA384;
+            ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
+        }
+        else
+        {
+            md_alg = MBEDTLS_MD_SHA256;
+            ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
+        }
+        ssl->out_msg[5] = mbedtls_ssl_sig_from_pk( mbedtls_ssl_own_key( ssl ) );
+
+        /* Info from md_alg will be used instead */
+        hashlen = 0;
+        offset = 2;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled )
+        rs_ctx = &ssl->handshake->ecrs_ctx.pk;
+#endif
+
+    if( ( ret = mbedtls_pk_sign_restartable( mbedtls_ssl_own_key( ssl ),
+                         md_alg, hash_start, hashlen,
+                         ssl->out_msg + 6 + offset, &n,
+                         ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
+        return( ret );
+    }
+
+    ssl->out_msg[4 + offset] = (unsigned char)( n >> 8 );
+    ssl->out_msg[5 + offset] = (unsigned char)( n      );
+
+    ssl->out_msglen  = 6 + n + offset;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate verify" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    uint32_t lifetime;
+    size_t ticket_len;
+    unsigned char *ticket;
+    const unsigned char *msg;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse new session ticket" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 0  .  3   ticket_lifetime_hint
+     * 4  .  5   ticket_len (n)
+     * 6  .  5+n ticket content
+     */
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
+        ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
+    }
+
+    msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+
+    lifetime = ( ((uint32_t) msg[0]) << 24 ) | ( msg[1] << 16 ) |
+               ( msg[2] << 8 ) | ( msg[3] );
+
+    ticket_len = ( msg[4] << 8 ) | ( msg[5] );
+
+    if( ticket_len + 6 + mbedtls_ssl_hs_hdr_len( ssl ) != ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
+
+    /* We're not waiting for a NewSessionTicket message any more */
+    ssl->handshake->new_session_ticket = 0;
+    ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+    /*
+     * Zero-length ticket means the server changed his mind and doesn't want
+     * to send a ticket after all, so just forget it
+     */
+    if( ticket_len == 0 )
+        return( 0 );
+
+    mbedtls_platform_zeroize( ssl->session_negotiate->ticket,
+                              ssl->session_negotiate->ticket_len );
+    mbedtls_free( ssl->session_negotiate->ticket );
+    ssl->session_negotiate->ticket = NULL;
+    ssl->session_negotiate->ticket_len = 0;
+
+    if( ( ticket = mbedtls_calloc( 1, ticket_len ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "ticket alloc failed" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    memcpy( ticket, msg + 6, ticket_len );
+
+    ssl->session_negotiate->ticket = ticket;
+    ssl->session_negotiate->ticket_len = ticket_len;
+    ssl->session_negotiate->ticket_lifetime = lifetime;
+
+    /*
+     * RFC 5077 section 3.4:
+     * "If the client receives a session ticket from the server, then it
+     * discards any Session ID that was sent in the ServerHello."
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket in use, discarding session id" ) );
+    ssl->session_negotiate->id_len = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse new session ticket" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- client side -- single step
+ */
+int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "client state: %d", ssl->state ) );
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+            return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
+     * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
+        ssl->handshake->new_session_ticket != 0 )
+    {
+        ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
+    }
+#endif
+
+    switch( ssl->state )
+    {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+       /*
+        *  ==>   ClientHello
+        */
+       case MBEDTLS_SSL_CLIENT_HELLO:
+           ret = ssl_write_client_hello( ssl );
+           break;
+
+       /*
+        *  <==   ServerHello
+        *        Certificate
+        *      ( ServerKeyExchange  )
+        *      ( CertificateRequest )
+        *        ServerHelloDone
+        */
+       case MBEDTLS_SSL_SERVER_HELLO:
+           ret = ssl_parse_server_hello( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_CERTIFICATE:
+           ret = mbedtls_ssl_parse_certificate( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+           ret = ssl_parse_server_key_exchange( ssl );
+           break;
+
+       case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+           ret = ssl_parse_certificate_request( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_HELLO_DONE:
+           ret = ssl_parse_server_hello_done( ssl );
+           break;
+
+       /*
+        *  ==> ( Certificate/Alert  )
+        *        ClientKeyExchange
+        *      ( CertificateVerify  )
+        *        ChangeCipherSpec
+        *        Finished
+        */
+       case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+           ret = mbedtls_ssl_write_certificate( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+           ret = ssl_write_client_key_exchange( ssl );
+           break;
+
+       case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+           ret = ssl_write_certificate_verify( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+           ret = mbedtls_ssl_write_change_cipher_spec( ssl );
+           break;
+
+       case MBEDTLS_SSL_CLIENT_FINISHED:
+           ret = mbedtls_ssl_write_finished( ssl );
+           break;
+
+       /*
+        *  <==   ( NewSessionTicket )
+        *        ChangeCipherSpec
+        *        Finished
+        */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+       case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
+           ret = ssl_parse_new_session_ticket( ssl );
+           break;
+#endif
+
+       case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+           ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
+           break;
+
+       case MBEDTLS_SSL_SERVER_FINISHED:
+           ret = mbedtls_ssl_parse_finished( ssl );
+           break;
+
+       case MBEDTLS_SSL_FLUSH_BUFFERS:
+           MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
+           ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+           break;
+
+       case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+           mbedtls_ssl_handshake_wrapup( ssl );
+           break;
+
+       default:
+           MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
+           return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+   }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
diff --git a/makerom/deps/libmbedtls/src/ssl_cookie.c b/makerom/deps/libmbedtls/src/ssl_cookie.c
new file mode 100644
index 00000000..56e9bdd2
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ssl_cookie.c
@@ -0,0 +1,256 @@
+/*
+ *  DTLS cookie callbacks implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_COOKIE_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_cookie.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/*
+ * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
+ * available. Try SHA-256 first, 512 wastes resources since we need to stay
+ * with max 32 bytes of cookie for DTLS 1.0
+ */
+#if defined(MBEDTLS_SHA256_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA224
+#define COOKIE_MD_OUTLEN    32
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA512_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA384
+#define COOKIE_MD_OUTLEN    48
+#define COOKIE_HMAC_LEN     28
+#elif defined(MBEDTLS_SHA1_C)
+#define COOKIE_MD           MBEDTLS_MD_SHA1
+#define COOKIE_MD_OUTLEN    20
+#define COOKIE_HMAC_LEN     20
+#else
+#error "DTLS hello verify needs SHA-1 or SHA-2"
+#endif
+
+/*
+ * Cookies are formed of a 4-bytes timestamp (or serial number) and
+ * an HMAC of timestemp and client ID.
+ */
+#define COOKIE_LEN      ( 4 + COOKIE_HMAC_LEN )
+
+void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx )
+{
+    mbedtls_md_init( &ctx->hmac_ctx );
+#if !defined(MBEDTLS_HAVE_TIME)
+    ctx->serial = 0;
+#endif
+    ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay )
+{
+    ctx->timeout = delay;
+}
+
+void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx )
+{
+    mbedtls_md_free( &ctx->hmac_ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );
+}
+
+int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
+                      int (*f_rng)(void *, unsigned char *, size_t),
+                      void *p_rng )
+{
+    int ret;
+    unsigned char key[COOKIE_MD_OUTLEN];
+
+    if( ( ret = f_rng( p_rng, key, sizeof( key ) ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_md_setup( &ctx->hmac_ctx, mbedtls_md_info_from_type( COOKIE_MD ), 1 );
+    if( ret != 0 )
+        return( ret );
+
+    ret = mbedtls_md_hmac_starts( &ctx->hmac_ctx, key, sizeof( key ) );
+    if( ret != 0 )
+        return( ret );
+
+    mbedtls_platform_zeroize( key, sizeof( key ) );
+
+    return( 0 );
+}
+
+/*
+ * Generate the HMAC part of a cookie
+ */
+static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
+                            const unsigned char time[4],
+                            unsigned char **p, unsigned char *end,
+                            const unsigned char *cli_id, size_t cli_id_len )
+{
+    unsigned char hmac_out[COOKIE_MD_OUTLEN];
+
+    if( (size_t)( end - *p ) < COOKIE_HMAC_LEN )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    if( mbedtls_md_hmac_reset(  hmac_ctx ) != 0 ||
+        mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 ||
+        mbedtls_md_hmac_update( hmac_ctx, cli_id, cli_id_len ) != 0 ||
+        mbedtls_md_hmac_finish( hmac_ctx, hmac_out ) != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    memcpy( *p, hmac_out, COOKIE_HMAC_LEN );
+    *p += COOKIE_HMAC_LEN;
+
+    return( 0 );
+}
+
+/*
+ * Generate cookie for DTLS ClientHello verification
+ */
+int mbedtls_ssl_cookie_write( void *p_ctx,
+                      unsigned char **p, unsigned char *end,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    int ret;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long t;
+
+    if( ctx == NULL || cli_id == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( (size_t)( end - *p ) < COOKIE_LEN )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = (unsigned long) mbedtls_time( NULL );
+#else
+    t = ctx->serial++;
+#endif
+
+    (*p)[0] = (unsigned char)( t >> 24 );
+    (*p)[1] = (unsigned char)( t >> 16 );
+    (*p)[2] = (unsigned char)( t >>  8 );
+    (*p)[3] = (unsigned char)( t       );
+    *p += 4;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+#endif
+
+    ret = ssl_cookie_hmac( &ctx->hmac_ctx, *p - 4,
+                           p, end, cli_id, cli_id_len );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Check a cookie
+ */
+int mbedtls_ssl_cookie_check( void *p_ctx,
+                      const unsigned char *cookie, size_t cookie_len,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    unsigned char ref_hmac[COOKIE_HMAC_LEN];
+    int ret = 0;
+    unsigned char *p = ref_hmac;
+    mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
+    unsigned long cur_time, cookie_time;
+
+    if( ctx == NULL || cli_id == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( cookie_len != COOKIE_LEN )
+        return( -1 );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+#endif
+
+    if( ssl_cookie_hmac( &ctx->hmac_ctx, cookie,
+                         &p, p + sizeof( ref_hmac ),
+                         cli_id, cli_id_len ) != 0 )
+        ret = -1;
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
+                MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    if( ret != 0 )
+        return( ret );
+
+    if( mbedtls_ssl_safer_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
+        return( -1 );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    cur_time = (unsigned long) mbedtls_time( NULL );
+#else
+    cur_time = ctx->serial;
+#endif
+
+    cookie_time = ( (unsigned long) cookie[0] << 24 ) |
+                  ( (unsigned long) cookie[1] << 16 ) |
+                  ( (unsigned long) cookie[2] <<  8 ) |
+                  ( (unsigned long) cookie[3]       );
+
+    if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
+        return( -1 );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_COOKIE_C */
diff --git a/makerom/deps/libmbedtls/src/ssl_srv.c b/makerom/deps/libmbedtls/src/ssl_srv.c
new file mode 100644
index 00000000..5825970c
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ssl_srv.c
@@ -0,0 +1,4379 @@
+/*
+ *  SSLv3/TLSv1 server-side functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_ECP_C)
+#include "mbedtls/ecp.h"
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl,
+                                 const unsigned char *info,
+                                 size_t ilen )
+{
+    if( ssl->conf->endpoint != MBEDTLS_SSL_IS_SERVER )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    mbedtls_free( ssl->cli_id );
+
+    if( ( ssl->cli_id = mbedtls_calloc( 1, ilen ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    memcpy( ssl->cli_id, info, ilen );
+    ssl->cli_id_len = ilen;
+
+    return( 0 );
+}
+
+void mbedtls_ssl_conf_dtls_cookies( mbedtls_ssl_config *conf,
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie )
+{
+    conf->f_cookie_write = f_cookie_write;
+    conf->f_cookie_check = f_cookie_check;
+    conf->p_cookie       = p_cookie;
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
+                                     const unsigned char *buf,
+                                     size_t len )
+{
+    int ret;
+    size_t servername_list_size, hostname_len;
+    const unsigned char *p;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "parse ServerName extension" ) );
+
+    if( len < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    servername_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( servername_list_size + 2 != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    p = buf + 2;
+    while( servername_list_size > 2 )
+    {
+        hostname_len = ( ( p[1] << 8 ) | p[2] );
+        if( hostname_len + 3 > servername_list_size )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
+        {
+            ret = ssl->conf->f_sni( ssl->conf->p_sni,
+                                    ssl, p + 3, hostname_len );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                        MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            return( 0 );
+        }
+
+        servername_list_size -= hostname_len + 3;
+        p += hostname_len + 3;
+    }
+
+    if( servername_list_size != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Check verify-data in constant-time. The length OTOH is no secret */
+        if( len    != 1 + ssl->verify_data_len ||
+            buf[0] !=     ssl->verify_data_len ||
+            mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
+                          ssl->verify_data_len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        if( len != 1 || buf[0] != 0x0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+    }
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/*
+ * Status of the implementation of signature-algorithms extension:
+ *
+ * Currently, we are only considering the signature-algorithm extension
+ * to pick a ciphersuite which allows us to send the ServerKeyExchange
+ * message with a signature-hash combination that the user allows.
+ *
+ * We do *not* check whether all certificates in our certificate
+ * chain are signed with an allowed signature-hash pair.
+ * This needs to be done at a later stage.
+ *
+ */
+static int ssl_parse_signature_algorithms_ext( mbedtls_ssl_context *ssl,
+                                               const unsigned char *buf,
+                                               size_t len )
+{
+    size_t sig_alg_list_size;
+
+    const unsigned char *p;
+    const unsigned char *end = buf + len;
+
+    mbedtls_md_type_t md_cur;
+    mbedtls_pk_type_t sig_cur;
+
+    if ( len < 2 ) {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    sig_alg_list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( sig_alg_list_size + 2 != len ||
+        sig_alg_list_size % 2 != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Currently we only guarantee signing the ServerKeyExchange message according
+     * to the constraints specified in this extension (see above), so it suffices
+     * to remember only one suitable hash for each possible signature algorithm.
+     *
+     * This will change when we also consider certificate signatures,
+     * in which case we will need to remember the whole signature-hash
+     * pair list from the extension.
+     */
+
+    for( p = buf + 2; p < end; p += 2 )
+    {
+        /* Silently ignore unknown signature or hash algorithms. */
+
+        if( ( sig_cur = mbedtls_ssl_pk_alg_from_sig( p[1] ) ) == MBEDTLS_PK_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext"
+                                        " unknown sig alg encoding %d", p[1] ) );
+            continue;
+        }
+
+        /* Check if we support the hash the user proposes */
+        md_cur = mbedtls_ssl_md_alg_from_hash( p[0] );
+        if( md_cur == MBEDTLS_MD_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+                                        " unknown hash alg encoding %d", p[0] ) );
+            continue;
+        }
+
+        if( mbedtls_ssl_check_sig_hash( ssl, md_cur ) == 0 )
+        {
+            mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
+                                        " match sig %d and hash %d",
+                                        sig_cur, md_cur ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
+                                        "hash alg %d not supported", md_cur ) );
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl,
+                                                const unsigned char *buf,
+                                                size_t len )
+{
+    size_t list_size, our_size;
+    const unsigned char *p;
+    const mbedtls_ecp_curve_info *curve_info, **curves;
+
+    if ( len < 2 ) {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                       MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    list_size = ( ( buf[0] << 8 ) | ( buf[1] ) );
+    if( list_size + 2 != len ||
+        list_size % 2 != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Should never happen unless client duplicates the extension */
+    if( ssl->handshake->curves != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* Don't allow our peer to make us allocate too much memory,
+     * and leave room for a final 0 */
+    our_size = list_size / 2 + 1;
+    if( our_size > MBEDTLS_ECP_DP_MAX )
+        our_size = MBEDTLS_ECP_DP_MAX;
+
+    if( ( curves = mbedtls_calloc( our_size, sizeof( *curves ) ) ) == NULL )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    ssl->handshake->curves = curves;
+
+    p = buf + 2;
+    while( list_size > 0 && our_size > 1 )
+    {
+        curve_info = mbedtls_ecp_curve_info_from_tls_id( ( p[0] << 8 ) | p[1] );
+
+        if( curve_info != NULL )
+        {
+            *curves++ = curve_info;
+            our_size--;
+        }
+
+        list_size -= 2;
+        p += 2;
+    }
+
+    return( 0 );
+}
+
+static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    size_t list_size;
+    const unsigned char *p;
+
+    if( len == 0 || (size_t)( buf[0] + 1 ) != len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+    list_size = buf[0];
+
+    p = buf + 1;
+    while( list_size > 0 )
+    {
+        if( p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
+            p[0] == MBEDTLS_ECP_PF_COMPRESSED )
+        {
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+            ssl->handshake->ecdh_ctx.point_format = p[0];
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            ssl->handshake->ecjpake_ctx.point_format = p[0];
+#endif
+            MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
+            return( 0 );
+        }
+
+        list_size--;
+        p++;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
+                                   const unsigned char *buf,
+                                   size_t len )
+{
+    int ret;
+
+    if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
+        return( 0 );
+    }
+
+    if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
+                                                buf, len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( ret );
+    }
+
+    /* Only mark the extension as OK when we're sure it is */
+    ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                              const unsigned char *buf,
+                                              size_t len )
+{
+    if( len != 1 || buf[0] >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->session_negotiate->mfl_code = buf[0];
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf,
+                                         size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
+        ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                      const unsigned char *buf,
+                                      size_t len )
+{
+    if( len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ((void) buf);
+
+    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t len )
+{
+    int ret;
+    mbedtls_ssl_session session;
+
+    mbedtls_ssl_session_init( &session );
+
+    if( ssl->conf->f_ticket_parse == NULL ||
+        ssl->conf->f_ticket_write == NULL )
+    {
+        return( 0 );
+    }
+
+    /* Remember the client asked us to send a new ticket */
+    ssl->handshake->new_session_ticket = 1;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
+
+    if( len == 0 )
+        return( 0 );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    /*
+     * Failures are ok: just ignore the ticket and proceed.
+     */
+    if( ( ret = ssl->conf->f_ticket_parse( ssl->conf->p_ticket, &session,
+                                           buf, len ) ) != 0 )
+    {
+        mbedtls_ssl_session_free( &session );
+
+        if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is not authentic" ) );
+        else if( ret == MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED )
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket is expired" ) );
+        else
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_parse", ret );
+
+        return( 0 );
+    }
+
+    /*
+     * Keep the session ID sent by the client, since we MUST send it back to
+     * inform them we're accepting the ticket  (RFC 5077 section 3.4)
+     */
+    session.id_len = ssl->session_negotiate->id_len;
+    memcpy( &session.id, ssl->session_negotiate->id, session.id_len );
+
+    mbedtls_ssl_session_free( ssl->session_negotiate );
+    memcpy( ssl->session_negotiate, &session, sizeof( mbedtls_ssl_session ) );
+
+    /* Zeroize instead of free as we copied the content */
+    mbedtls_platform_zeroize( &session, sizeof( mbedtls_ssl_session ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
+
+    ssl->handshake->resume = 1;
+
+    /* Don't send a new ticket after all, this one is OK */
+    ssl->handshake->new_session_ticket = 0;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
+                               const unsigned char *buf, size_t len )
+{
+    size_t list_len, cur_len, ours_len;
+    const unsigned char *theirs, *start, *end;
+    const char **ours;
+
+    /* If ALPN not configured, just ignore the extension */
+    if( ssl->conf->alpn_list == NULL )
+        return( 0 );
+
+    /*
+     * opaque ProtocolName<1..2^8-1>;
+     *
+     * struct {
+     *     ProtocolName protocol_name_list<2..2^16-1>
+     * } ProtocolNameList;
+     */
+
+    /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
+    if( len < 4 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    list_len = ( buf[0] << 8 ) | buf[1];
+    if( list_len != len - 2 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Validate peer's list (lengths)
+     */
+    start = buf + 2;
+    end = buf + len;
+    for( theirs = start; theirs != end; theirs += cur_len )
+    {
+        cur_len = *theirs++;
+
+        /* Current identifier must fit in list */
+        if( cur_len > (size_t)( end - theirs ) )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        /* Empty strings MUST NOT be included */
+        if( cur_len == 0 )
+        {
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+    }
+
+    /*
+     * Use our order of preference
+     */
+    for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ )
+    {
+        ours_len = strlen( *ours );
+        for( theirs = start; theirs != end; theirs += cur_len )
+        {
+            cur_len = *theirs++;
+
+            if( cur_len == ours_len &&
+                memcmp( theirs, *ours, cur_len ) == 0 )
+            {
+                ssl->alpn_chosen = *ours;
+                return( 0 );
+            }
+        }
+    }
+
+    /* If we get there, no match was found */
+    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                            MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL );
+    return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+/*
+ * Auxiliary functions for ServerHello parsing and related actions
+ */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/*
+ * Return 0 if the given key uses one of the acceptable curves, -1 otherwise
+ */
+#if defined(MBEDTLS_ECDSA_C)
+static int ssl_check_key_curve( mbedtls_pk_context *pk,
+                                const mbedtls_ecp_curve_info **curves )
+{
+    const mbedtls_ecp_curve_info **crv = curves;
+    mbedtls_ecp_group_id grp_id = mbedtls_pk_ec( *pk )->grp.id;
+
+    while( *crv != NULL )
+    {
+        if( (*crv)->grp_id == grp_id )
+            return( 0 );
+        crv++;
+    }
+
+    return( -1 );
+}
+#endif /* MBEDTLS_ECDSA_C */
+
+/*
+ * Try picking a certificate for this ciphersuite,
+ * return 0 on success and -1 on failure.
+ */
+static int ssl_pick_cert( mbedtls_ssl_context *ssl,
+                          const mbedtls_ssl_ciphersuite_t * ciphersuite_info )
+{
+    mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
+    mbedtls_pk_type_t pk_alg =
+        mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+    uint32_t flags;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ssl->handshake->sni_key_cert != NULL )
+        list = ssl->handshake->sni_key_cert;
+    else
+#endif
+        list = ssl->conf->key_cert;
+
+    if( pk_alg == MBEDTLS_PK_NONE )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
+
+    if( list == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "server has no certificate" ) );
+        return( -1 );
+    }
+
+    for( cur = list; cur != NULL; cur = cur->next )
+    {
+        MBEDTLS_SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
+                          cur->cert );
+
+        if( ! mbedtls_pk_can_do( &cur->cert->pk, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
+            continue;
+        }
+
+        /*
+         * This avoids sending the client a cert it'll reject based on
+         * keyUsage or other extensions.
+         *
+         * It also allows the user to provision different certificates for
+         * different uses based on keyUsage, eg if they want to avoid signing
+         * and decrypting with the same RSA key.
+         */
+        if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
+                                  MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
+                                "(extended) key usage extension" ) );
+            continue;
+        }
+
+#if defined(MBEDTLS_ECDSA_C)
+        if( pk_alg == MBEDTLS_PK_ECDSA &&
+            ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
+            continue;
+        }
+#endif
+
+        /*
+         * Try to select a SHA-1 certificate for pre-1.2 clients, but still
+         * present them a SHA-higher cert rather than failing if it's the only
+         * one we got that satisfies the other conditions.
+         */
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 &&
+            cur->cert->sig_md != MBEDTLS_MD_SHA1 )
+        {
+            if( fallback == NULL )
+                fallback = cur;
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
+                                    "sha-2 with pre-TLS 1.2 client" ) );
+            continue;
+            }
+        }
+
+        /* If we get there, we got a winner */
+        break;
+    }
+
+    if( cur == NULL )
+        cur = fallback;
+
+    /* Do not update ssl->handshake->key_cert unless there is a match */
+    if( cur != NULL )
+    {
+        ssl->handshake->key_cert = cur;
+        MBEDTLS_SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
+                          ssl->handshake->key_cert->cert );
+        return( 0 );
+    }
+
+    return( -1 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Check if a given ciphersuite is suitable for use with our config/keys/etc
+ * Sets ciphersuite_info only if the suite matches.
+ */
+static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
+                                  const mbedtls_ssl_ciphersuite_t **ciphersuite_info )
+{
+    const mbedtls_ssl_ciphersuite_t *suite_info;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_pk_type_t sig_type;
+#endif
+
+    suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
+    if( suite_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
+
+    if( suite_info->min_minor_ver > ssl->minor_ver ||
+        suite_info->max_minor_ver < ssl->minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
+        return( 0 );
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
+            suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+        ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
+                                    "not configured or ext missing" ) );
+        return( 0 );
+    }
+#endif
+
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
+    if( mbedtls_ssl_ciphersuite_uses_ec( suite_info ) &&
+        ( ssl->handshake->curves == NULL ||
+          ssl->handshake->curves[0] == NULL ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+                            "no common elliptic curve" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    /* If the ciphersuite requires a pre-shared key and we don't
+     * have one, skip it now rather than failing later */
+    if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
+        ssl->conf->f_psk == NULL &&
+        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
+          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    /* If the ciphersuite requires signing, check whether
+     * a suitable hash algorithm is present. */
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
+        if( sig_type != MBEDTLS_PK_NONE &&
+            mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
+                                        "for signature algorithm %d", sig_type ) );
+            return( 0 );
+        }
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /*
+     * Final check: if ciphersuite requires us to have a
+     * certificate/key of a particular type:
+     * - select the appropriate certificate if we have one, or
+     * - try the next ciphersuite if we don't
+     * This must be done last since we modify the key_cert list.
+     */
+    if( ssl_pick_cert( ssl, suite_info ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
+                            "no suitable certificate" ) );
+        return( 0 );
+    }
+#endif
+
+    *ciphersuite_info = suite_info;
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
+{
+    int ret, got_common_suite;
+    unsigned int i, j;
+    size_t n;
+    unsigned int ciph_len, sess_len, chal_len;
+    unsigned char *buf, *p;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    buf = ssl->in_hdr;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, 5 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message type: %d",
+                   buf[2] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, message len.: %d",
+                   ( ( buf[0] & 0x7F ) << 8 ) | buf[1] ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v2, max. version: [%d:%d]",
+                   buf[3], buf[4] ) );
+
+    /*
+     * SSLv2 Client Hello
+     *
+     * Record layer:
+     *     0  .   1   message length
+     *
+     * SSL layer:
+     *     2  .   2   message type
+     *     3  .   4   protocol version
+     */
+    if( buf[2] != MBEDTLS_SSL_HS_CLIENT_HELLO ||
+        buf[3] != MBEDTLS_SSL_MAJOR_VERSION_3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    n = ( ( buf[0] << 8 ) | buf[1] ) & 0x7FFF;
+
+    if( n < 17 || n > 512 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+    ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
+                     ? buf[4]  : ssl->conf->max_minor_ver;
+
+    if( ssl->minor_ver < ssl->conf->min_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]",
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    ssl->handshake->max_major_ver = buf[3];
+    ssl->handshake->max_minor_ver = buf[4];
+
+    if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    ssl->handshake->update_checksum( ssl, buf + 2, n );
+
+    buf = ssl->in_msg;
+    n = ssl->in_left - 5;
+
+    /*
+     *    0  .   1   ciphersuitelist length
+     *    2  .   3   session id length
+     *    4  .   5   challenge length
+     *    6  .  ..   ciphersuitelist
+     *   ..  .  ..   session id
+     *   ..  .  ..   challenge
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, n );
+
+    ciph_len = ( buf[0] << 8 ) | buf[1];
+    sess_len = ( buf[2] << 8 ) | buf[3];
+    chal_len = ( buf[4] << 8 ) | buf[5];
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
+                   ciph_len, sess_len, chal_len ) );
+
+    /*
+     * Make sure each parameter length is valid
+     */
+    if( ciph_len < 3 || ( ciph_len % 3 ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( sess_len > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( chal_len < 8 || chal_len > 32 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    if( n != 6 + ciph_len + sess_len + chal_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
+                   buf + 6, ciph_len );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id",
+                   buf + 6 + ciph_len, sess_len );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, challenge",
+                   buf + 6 + ciph_len + sess_len, chal_len );
+
+    p = buf + 6 + ciph_len;
+    ssl->session_negotiate->id_len = sess_len;
+    memset( ssl->session_negotiate->id, 0,
+            sizeof( ssl->session_negotiate->id ) );
+    memcpy( ssl->session_negotiate->id, p, ssl->session_negotiate->id_len );
+
+    p += sess_len;
+    memset( ssl->handshake->randbytes, 0, 64 );
+    memcpy( ssl->handshake->randbytes + 32 - chal_len, p, chal_len );
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
+    {
+        if( p[0] == 0 && p[1] == 0 && p[2] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
+                                    "during renegotiation" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
+    {
+        if( p[0] == 0 &&
+            p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
+            p[2] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+        for( i = 0; ciphersuites[i] != 0; i++ )
+#else
+    for( i = 0; ciphersuites[i] != 0; i++ )
+        for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
+#endif
+        {
+            if( p[0] != 0 ||
+                p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
+                p[2] != ( ( ciphersuites[i]      ) & 0xFF ) )
+                continue;
+
+            got_common_suite = 1;
+
+            if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
+                                               &ciphersuite_info ) ) != 0 )
+                return( ret );
+
+            if( ciphersuite_info != NULL )
+                goto have_ciphersuite_v2;
+        }
+
+    if( got_common_suite )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
+
+have_ciphersuite_v2:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
+
+    /*
+     * SSLv2 Client Hello relevant renegotiation security checks
+     */
+    if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    ssl->in_left = 0;
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello v2" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+
+/* This function doesn't alert on errors that happen early during
+   ClientHello parsing because they might indicate that the client is
+   not talking SSL/TLS at all and would not understand our alert. */
+static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
+{
+    int ret, got_common_suite;
+    size_t i, j;
+    size_t ciph_offset, comp_offset, ext_offset;
+    size_t msg_len, ciph_len, sess_len, comp_len, ext_len;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    size_t cookie_offset, cookie_len;
+#endif
+    unsigned char *buf, *p, *ext;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    int renegotiation_info_seen = 0;
+#endif
+    int handshake_failure = 0;
+    const int *ciphersuites;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    int major, minor;
+
+    /* If there is no signature-algorithm extension present,
+     * we need to fall back to the default values for allowed
+     * signature-hash pairs. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    int sig_hash_alg_ext_present = 0;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+read_record_header:
+#endif
+    /*
+     * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
+     * otherwise read it ourselves manually in order to support SSLv2
+     * ClientHello, which doesn't use the same record layer format.
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
+#endif
+    {
+        if( ( ret = mbedtls_ssl_fetch_input( ssl, 5 ) ) != 0 )
+        {
+            /* No alert on a read error. */
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+            return( ret );
+        }
+    }
+
+    buf = ssl->in_hdr;
+
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
+#endif
+        if( ( buf[0] & 0x80 ) != 0 )
+            return( ssl_parse_client_hello_v2( ssl ) );
+#endif
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record header", buf, mbedtls_ssl_hdr_len( ssl ) );
+
+    /*
+     * SSLv3/TLS Client Hello
+     *
+     * Record layer:
+     *     0  .   0   message type
+     *     1  .   2   protocol version
+     *     3  .   11  DTLS: epoch + record sequence number
+     *     3  .   4   message length
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message type: %d",
+                   buf[0] ) );
+
+    if( buf[0] != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, message len.: %d",
+                   ( ssl->in_len[0] << 8 ) | ssl->in_len[1] ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, protocol version: [%d:%d]",
+                   buf[1], buf[2] ) );
+
+    mbedtls_ssl_read_version( &major, &minor, ssl->conf->transport, buf + 1 );
+
+    /* According to RFC 5246 Appendix E.1, the version here is typically
+     * "{03,00}, the lowest version number supported by the client, [or] the
+     * value of ClientHello.client_version", so the only meaningful check here
+     * is the major version shouldn't be less than 3 */
+    if( major < MBEDTLS_SSL_MAJOR_VERSION_3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /* For DTLS if this is the initial handshake, remember the client sequence
+     * number to use it in our next message (RFC 6347 4.2.1) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+        )
+    {
+        /* Epoch should be 0 for initial handshakes */
+        if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        memcpy( ssl->cur_out_ctr + 2, ssl->in_ctr + 2, 6 );
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
+            ssl->next_record_offset = 0;
+            ssl->in_left = 0;
+            goto read_record_header;
+        }
+
+        /* No MAC to check yet, so we can update right now */
+        mbedtls_ssl_dtls_replay_update( ssl );
+#endif
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    msg_len = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        /* Set by mbedtls_ssl_read_record() */
+        msg_len = ssl->in_hslen;
+    }
+    else
+#endif
+    {
+        if( msg_len > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        if( ( ret = mbedtls_ssl_fetch_input( ssl,
+                       mbedtls_ssl_hdr_len( ssl ) + msg_len ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+            return( ret );
+        }
+
+    /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+            ssl->next_record_offset = msg_len + mbedtls_ssl_hdr_len( ssl );
+        else
+#endif
+            ssl->in_left = 0;
+    }
+
+    buf = ssl->in_msg;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "record contents", buf, msg_len );
+
+    ssl->handshake->update_checksum( ssl, buf, msg_len );
+
+    /*
+     * Handshake layer:
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   DTLS only: message seqence number
+     *     6  .   8   DTLS only: fragment offset
+     *     9  .  11   DTLS only: fragment length
+     */
+    if( msg_len < mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake type: %d", buf[0] ) );
+
+    if( buf[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, handshake len.: %d",
+                   ( buf[1] << 16 ) | ( buf[2] << 8 ) | buf[3] ) );
+
+    /* We don't support fragmentation of ClientHello (yet?) */
+    if( buf[1] != 0 ||
+        msg_len != mbedtls_ssl_hs_hdr_len( ssl ) + ( ( buf[2] << 8 ) | buf[3] ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        /*
+         * Copy the client's handshake message_seq on initial handshakes,
+         * check sequence number on renego.
+         */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+        {
+            /* This couldn't be done in ssl_prepare_handshake_record() */
+            unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
+                                         ssl->in_msg[5];
+
+            if( cli_msg_seq != ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
+                                    "%d (expected %d)", cli_msg_seq,
+                                    ssl->handshake->in_msg_seq ) );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            ssl->handshake->in_msg_seq++;
+        }
+        else
+#endif
+        {
+            unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
+                                         ssl->in_msg[5];
+            ssl->handshake->out_msg_seq = cli_msg_seq;
+            ssl->handshake->in_msg_seq  = cli_msg_seq + 1;
+        }
+
+        /*
+         * For now we don't support fragmentation, so make sure
+         * fragment_offset == 0 and fragment_length == length
+         */
+        if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
+            memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    buf += mbedtls_ssl_hs_hdr_len( ssl );
+    msg_len -= mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     * ClientHello layer:
+     *     0  .   1   protocol version
+     *     2  .  33   random bytes (starting with 4 bytes of Unix time)
+     *    34  .  35   session id length (1 byte)
+     *    35  . 34+x  session id
+     *   35+x . 35+x  DTLS only: cookie length (1 byte)
+     *   36+x .  ..   DTLS only: cookie
+     *    ..  .  ..   ciphersuite list length (2 bytes)
+     *    ..  .  ..   ciphersuite list
+     *    ..  .  ..   compression alg. list length (1 byte)
+     *    ..  .  ..   compression alg. list
+     *    ..  .  ..   extensions length (2 bytes, optional)
+     *    ..  .  ..   extensions (optional)
+     */
+
+    /*
+     * Minimal length (with everything empty and extensions omitted) is
+     * 2 + 32 + 1 + 2 + 1 = 38 bytes. Check that first, so that we can
+     * read at least up to session id length without worrying.
+     */
+    if( msg_len < 38 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Check and save the protocol version
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
+
+    mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
+                      ssl->conf->transport, buf );
+
+    ssl->handshake->max_major_ver = ssl->major_ver;
+    ssl->handshake->max_minor_ver = ssl->minor_ver;
+
+    if( ssl->major_ver < ssl->conf->min_major_ver ||
+        ssl->minor_ver < ssl->conf->min_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
+                            " [%d:%d] < [%d:%d]",
+                            ssl->major_ver, ssl->minor_ver,
+                            ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                     MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+        return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
+    }
+
+    if( ssl->major_ver > ssl->conf->max_major_ver )
+    {
+        ssl->major_ver = ssl->conf->max_major_ver;
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+    }
+    else if( ssl->minor_ver > ssl->conf->max_minor_ver )
+        ssl->minor_ver = ssl->conf->max_minor_ver;
+
+    /*
+     * Save client random (inc. Unix time)
+     */
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", buf + 2, 32 );
+
+    memcpy( ssl->handshake->randbytes, buf + 2, 32 );
+
+    /*
+     * Check the session ID length and save session ID
+     */
+    sess_len = buf[34];
+
+    if( sess_len > sizeof( ssl->session_negotiate->id ) ||
+        sess_len + 34 + 2 > msg_len ) /* 2 for cipherlist length field */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 35, sess_len );
+
+    ssl->session_negotiate->id_len = sess_len;
+    memset( ssl->session_negotiate->id, 0,
+            sizeof( ssl->session_negotiate->id ) );
+    memcpy( ssl->session_negotiate->id, buf + 35,
+            ssl->session_negotiate->id_len );
+
+    /*
+     * Check the cookie length and content
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        cookie_offset = 35 + sess_len;
+        cookie_len = buf[cookie_offset];
+
+        if( cookie_offset + 1 + cookie_len + 2 > msg_len )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
+                       buf + cookie_offset + 1, cookie_len );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+        if( ssl->conf->f_cookie_check != NULL
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE
+#endif
+            )
+        {
+            if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
+                                     buf + cookie_offset + 1, cookie_len,
+                                     ssl->cli_id, ssl->cli_id_len ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
+                ssl->handshake->verify_cookie_len = 1;
+            }
+            else
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
+                ssl->handshake->verify_cookie_len = 0;
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+        {
+            /* We know we didn't send a cookie, so it should be empty */
+            if( cookie_len != 0 )
+            {
+                /* This may be an attacker's probe, so don't send an alert */
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
+        }
+
+    /*
+     * Check the ciphersuitelist length (will be parsed later)
+     */
+        ciph_offset = cookie_offset + 1 + cookie_len;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+        ciph_offset = 35 + sess_len;
+
+    ciph_len = ( buf[ciph_offset + 0] << 8 )
+             | ( buf[ciph_offset + 1]      );
+
+    if( ciph_len < 2 ||
+        ciph_len + 2 + ciph_offset + 1 > msg_len || /* 1 for comp. alg. len */
+        ( ciph_len % 2 ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
+                   buf + ciph_offset + 2,  ciph_len );
+
+    /*
+     * Check the compression algorithms length and pick one
+     */
+    comp_offset = ciph_offset + 2 + ciph_len;
+
+    comp_len = buf[comp_offset];
+
+    if( comp_len < 1 ||
+        comp_len > 16 ||
+        comp_len + comp_offset + 1 > msg_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, compression",
+                      buf + comp_offset + 1, comp_len );
+
+    ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    for( i = 0; i < comp_len; ++i )
+    {
+        if( buf[comp_offset + 1 + i] == MBEDTLS_SSL_COMPRESS_DEFLATE )
+        {
+            ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_DEFLATE;
+            break;
+        }
+    }
+#endif
+
+    /* See comments in ssl_write_client_hello() */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
+#endif
+
+    /* Do not parse the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+        /*
+         * Check the extension length
+         */
+        ext_offset = comp_offset + 1 + comp_len;
+        if( msg_len > ext_offset )
+        {
+            if( msg_len < ext_offset + 2 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            ext_len = ( buf[ext_offset + 0] << 8 )
+                    | ( buf[ext_offset + 1]      );
+
+            if( ( ext_len > 0 && ext_len < 4 ) ||
+                msg_len != ext_offset + 2 + ext_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+        }
+        else
+            ext_len = 0;
+
+        ext = buf + ext_offset + 2;
+        MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
+
+        while( ext_len != 0 )
+        {
+            unsigned int ext_id;
+            unsigned int ext_size;
+            if ( ext_len < 4 ) {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                               MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            ext_id   = ( ( ext[0] <<  8 ) | ( ext[1] ) );
+            ext_size = ( ( ext[2] <<  8 ) | ( ext[3] ) );
+
+            if( ext_size + 4 > ext_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+            switch( ext_id )
+            {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+            case MBEDTLS_TLS_EXT_SERVERNAME:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
+                if( ssl->conf->f_sni == NULL )
+                    break;
+
+                ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+            case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+                renegotiation_info_seen = 1;
+#endif
+
+                ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            case MBEDTLS_TLS_EXT_SIG_ALG:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
+
+                ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+
+                sig_hash_alg_ext_present = 1;
+                break;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
+
+                ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+
+            case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
+                ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
+
+                ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+            case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
+
+                ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+            case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
+
+                ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+            case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
+
+                ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+            case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
+
+                ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+            case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
+
+                ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            case MBEDTLS_TLS_EXT_SESSION_TICKET:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
+
+                ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_ALPN)
+            case MBEDTLS_TLS_EXT_ALPN:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+
+                ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
+                if( ret != 0 )
+                    return( ret );
+                break;
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+            default:
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
+                               ext_id ) );
+            }
+
+            ext_len -= 4 + ext_size;
+            ext += 4 + ext_size;
+
+            if( ext_len > 0 && ext_len < 4 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+        }
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
+    {
+        if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) &&
+            p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE      ) & 0xff ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
+
+            if( ssl->minor_ver < ssl->conf->max_minor_ver )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
+
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
+
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+
+            break;
+        }
+    }
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+    /*
+     * Try to fall back to default hash SHA1 if the client
+     * hasn't provided any preferred signature-hash combinations.
+     */
+    if( sig_hash_alg_ext_present == 0 )
+    {
+        mbedtls_md_type_t md_default = MBEDTLS_MD_SHA1;
+
+        if( mbedtls_ssl_check_sig_hash( ssl, md_default ) != 0 )
+            md_default = MBEDTLS_MD_NONE;
+
+        mbedtls_ssl_sig_hash_set_const_hash( &ssl->handshake->hash_algs, md_default );
+    }
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+    /*
+     * Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+     */
+    for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 )
+    {
+        if( p[0] == 0 && p[1] == MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
+                                            "during renegotiation" ) );
+                mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+            }
+#endif
+            ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
+            break;
+        }
+    }
+
+    /*
+     * Renegotiation security checks
+     */
+    if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+        ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+        handshake_failure = 1;
+    }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
+             renegotiation_info_seen == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
+        handshake_failure = 1;
+    }
+    else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+             ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+             renegotiation_info_seen == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
+        handshake_failure = 1;
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+    if( handshake_failure == 1 )
+    {
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    /*
+     * Search for a matching ciphersuite
+     * (At the end because we need information from the EC-based extensions
+     * and certificate from the SNI callback triggered by the SNI extension.)
+     */
+    got_common_suite = 0;
+    ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
+    ciphersuite_info = NULL;
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
+        for( i = 0; ciphersuites[i] != 0; i++ )
+#else
+    for( i = 0; ciphersuites[i] != 0; i++ )
+        for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
+#endif
+        {
+            if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
+                p[1] != ( ( ciphersuites[i]      ) & 0xFF ) )
+                continue;
+
+            got_common_suite = 1;
+
+            if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
+                                               &ciphersuite_info ) ) != 0 )
+                return( ret );
+
+            if( ciphersuite_info != NULL )
+                goto have_ciphersuite;
+        }
+
+    if( got_common_suite )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got ciphersuites in common, "
+                            "but none of them usable" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE );
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no ciphersuites in common" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+        return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+    }
+
+have_ciphersuite:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
+
+    ssl->session_negotiate->ciphersuite = ciphersuites[i];
+    ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    /* Debugging-only output for testsuite */
+#if defined(MBEDTLS_DEBUG_C)                         && \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)                && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
+        if( sig_alg != MBEDTLS_PK_NONE )
+        {
+            mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+                                                                  sig_alg );
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: %d",
+                                        mbedtls_ssl_hash_from_md_alg( md_alg ) ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
+                                        "%d - should not happen", sig_alg ) );
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client hello" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf,
+                                          size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+                                            unsigned char *buf,
+                                            size_t *olen )
+{
+    unsigned char *p = buf;
+    const mbedtls_ssl_ciphersuite_t *suite = NULL;
+    const mbedtls_cipher_info_t *cipher = NULL;
+
+    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    /*
+     * RFC 7366: "If a server receives an encrypt-then-MAC request extension
+     * from a client and then selects a stream or Authenticated Encryption
+     * with Associated Data (AEAD) ciphersuite, it MUST NOT send an
+     * encrypt-then-MAC response extension back to the client."
+     */
+    if( ( suite = mbedtls_ssl_ciphersuite_from_id(
+                    ssl->session_negotiate->ciphersuite ) ) == NULL ||
+        ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
+        cipher->mode != MBEDTLS_MODE_CBC )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding encrypt then mac extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
+                                       unsigned char *buf,
+                                       size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding extended master secret "
+                        "extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
+                                          unsigned char *buf,
+                                          size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->handshake->new_session_ticket == 0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding session ticket extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 0x00;
+
+    *olen = 4;
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
+                                         unsigned char *buf,
+                                         size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->secure_renegotiation != MBEDTLS_SSL_SECURE_RENEGOTIATION )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, secure renegotiation extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      ) & 0xFF );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+    {
+        *p++ = 0x00;
+        *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
+        *p++ = ssl->verify_data_len * 2 & 0xFF;
+
+        memcpy( p, ssl->peer_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+        memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
+        p += ssl->verify_data_len;
+    }
+    else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+    {
+        *p++ = 0x00;
+        *p++ = 0x01;
+        *p++ = 0x00;
+    }
+
+    *olen = p - buf;
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+                                               unsigned char *buf,
+                                               size_t *olen )
+{
+    unsigned char *p = buf;
+
+    if( ssl->session_negotiate->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, max_fragment_length extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 1;
+
+    *p++ = ssl->session_negotiate->mfl_code;
+
+    *olen = 5;
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+                                                   unsigned char *buf,
+                                                   size_t *olen )
+{
+    unsigned char *p = buf;
+    ((void) ssl);
+
+    if( ( ssl->handshake->cli_exts &
+          MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS      ) & 0xFF );
+
+    *p++ = 0x00;
+    *p++ = 2;
+
+    *p++ = 1;
+    *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
+
+    *olen = 6;
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
+                                        unsigned char *buf,
+                                        size_t *olen )
+{
+    int ret;
+    unsigned char *p = buf;
+    const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    size_t kkpp_len;
+
+    *olen = 0;
+
+    /* Skip costly computation if not needed */
+    if( ssl->transform_negotiate->ciphersuite_info->key_exchange !=
+        MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
+
+    if( end - p < 4 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP      ) & 0xFF );
+
+    ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
+                                        p + 2, end - p - 2, &kkpp_len,
+                                        ssl->conf->f_rng, ssl->conf->p_rng );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
+        return;
+    }
+
+    *p++ = (unsigned char)( ( kkpp_len >> 8 ) & 0xFF );
+    *p++ = (unsigned char)( ( kkpp_len      ) & 0xFF );
+
+    *olen = kkpp_len + 4;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_SSL_ALPN )
+static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+                                unsigned char *buf, size_t *olen )
+{
+    if( ssl->alpn_chosen == NULL )
+    {
+        *olen = 0;
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding alpn extension" ) );
+
+    /*
+     * 0 . 1    ext identifier
+     * 2 . 3    ext length
+     * 4 . 5    protocol list length
+     * 6 . 6    protocol name length
+     * 7 . 7+n  protocol name
+     */
+    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
+    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN      ) & 0xFF );
+
+    *olen = 7 + strlen( ssl->alpn_chosen );
+
+    buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
+    buf[3] = (unsigned char)( ( ( *olen - 4 )      ) & 0xFF );
+
+    buf[4] = (unsigned char)( ( ( *olen - 6 ) >> 8 ) & 0xFF );
+    buf[5] = (unsigned char)( ( ( *olen - 6 )      ) & 0xFF );
+
+    buf[6] = (unsigned char)( ( ( *olen - 7 )      ) & 0xFF );
+
+    memcpy( buf + 7, ssl->alpn_chosen, *olen - 7 );
+}
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *p = ssl->out_msg + 4;
+    unsigned char *cookie_len_byte;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello verify request" ) );
+
+    /*
+     * struct {
+     *   ProtocolVersion server_version;
+     *   opaque cookie<0..2^8-1>;
+     * } HelloVerifyRequest;
+     */
+
+    /* The RFC is not clear on this point, but sending the actual negotiated
+     * version looks like the most interoperable thing to do. */
+    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                       ssl->conf->transport, p );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
+    p += 2;
+
+    /* If we get here, f_cookie_check is not null */
+    if( ssl->conf->f_cookie_write == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* Skip length byte until we know the length */
+    cookie_len_byte = p++;
+
+    if( ( ret = ssl->conf->f_cookie_write( ssl->conf->p_cookie,
+                                     &p, ssl->out_buf + MBEDTLS_SSL_OUT_BUFFER_LEN,
+                                     ssl->cli_id, ssl->cli_id_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "f_cookie_write", ret );
+        return( ret );
+    }
+
+    *cookie_len_byte = (unsigned char)( p - ( cookie_len_byte + 1 ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie sent", cookie_len_byte + 1, *cookie_len_byte );
+
+    ssl->out_msglen  = p - ssl->out_msg;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+
+    ssl->state = MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello verify request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_HAVE_TIME)
+    mbedtls_time_t t;
+#endif
+    int ret;
+    size_t olen, ext_len = 0, n;
+    unsigned char *buf, *p;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->verify_cookie_len != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) );
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
+
+        return( ssl_write_hello_verify_request( ssl ) );
+    }
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+
+    if( ssl->conf->f_rng == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( MBEDTLS_ERR_SSL_NO_RNG );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   5   protocol version
+     *     6  .   9   UNIX time()
+     *    10  .  37   random bytes
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                       ssl->conf->transport, p );
+    p += 2;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
+                        buf[4], buf[5] ) );
+
+#if defined(MBEDTLS_HAVE_TIME)
+    t = mbedtls_time( NULL );
+    *p++ = (unsigned char)( t >> 24 );
+    *p++ = (unsigned char)( t >> 16 );
+    *p++ = (unsigned char)( t >>  8 );
+    *p++ = (unsigned char)( t       );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
+#else
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
+        return( ret );
+
+    p += 4;
+#endif /* MBEDTLS_HAVE_TIME */
+
+    if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 28 ) ) != 0 )
+        return( ret );
+
+    p += 28;
+
+    memcpy( ssl->handshake->randbytes + 32, buf + 6, 32 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
+
+    /*
+     * Resume is 0  by default, see ssl_handshake_init().
+     * It may be already set to 1 by ssl_parse_session_ticket_ext().
+     * If not, try looking up session ID in our cache.
+     */
+    if( ssl->handshake->resume == 0 &&
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
+#endif
+        ssl->session_negotiate->id_len != 0 &&
+        ssl->conf->f_get_cache != NULL &&
+        ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
+        ssl->handshake->resume = 1;
+    }
+
+    if( ssl->handshake->resume == 0 )
+    {
+        /*
+         * New session, create a new session id,
+         * unless we're about to issue a session ticket
+         */
+        ssl->state++;
+
+#if defined(MBEDTLS_HAVE_TIME)
+        ssl->session_negotiate->start = mbedtls_time( NULL );
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        if( ssl->handshake->new_session_ticket != 0 )
+        {
+            ssl->session_negotiate->id_len = n = 0;
+            memset( ssl->session_negotiate->id, 0, 32 );
+        }
+        else
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+        {
+            ssl->session_negotiate->id_len = n = 32;
+            if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id,
+                                    n ) ) != 0 )
+                return( ret );
+        }
+    }
+    else
+    {
+        /*
+         * Resuming a session
+         */
+        n = ssl->session_negotiate->id_len;
+        ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
+
+        if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+            return( ret );
+        }
+    }
+
+    /*
+     *    38  .  38     session id length
+     *    39  . 38+n    session id
+     *   39+n . 40+n    chosen ciphersuite
+     *   41+n . 41+n    chosen compression alg.
+     *   42+n . 43+n    extensions length
+     *   44+n . 43+n+m  extensions
+     */
+    *p++ = (unsigned char) ssl->session_negotiate->id_len;
+    memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
+    p += ssl->session_negotiate->id_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3,   "server hello, session id", buf + 39, n );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
+                   ssl->handshake->resume ? "a" : "no" ) );
+
+    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
+    *p++ = (unsigned char)( ssl->session_negotiate->ciphersuite      );
+    *p++ = (unsigned char)( ssl->session_negotiate->compression      );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
+           mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
+                   ssl->session_negotiate->compression ) );
+
+    /* Do not write the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+    {
+#endif
+
+    /*
+     *  First write extensions, then the total length
+     */
+    ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if ( mbedtls_ssl_ciphersuite_uses_ec(
+         mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
+    {
+        ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
+        ext_len += olen;
+    }
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+    ext_len += olen;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
+
+    if( ext_len > 0 )
+    {
+        *p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+        *p++ = (unsigned char)( ( ext_len      ) & 0xFF );
+        p += ext_len;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    }
+#endif
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO;
+
+    ret = mbedtls_ssl_write_handshake_msg( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello" ) );
+
+    return( ret );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+    size_t dn_size, total_dn_size; /* excluding length bytes */
+    size_t ct_len, sa_len; /* including length bytes */
+    unsigned char *buf, *p;
+    const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+    const mbedtls_x509_crt *crt;
+    int authmode;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
+        authmode = ssl->handshake->sni_authmode;
+    else
+#endif
+        authmode = ssl->conf->authmode;
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
+        authmode == MBEDTLS_SSL_VERIFY_NONE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate request" ) );
+        return( 0 );
+    }
+
+    /*
+     *     0  .   0   handshake type
+     *     1  .   3   handshake length
+     *     4  .   4   cert type count
+     *     5  .. m-1  cert types
+     *     m  .. m+1  sig alg length (TLS 1.2 only)
+     *    m+1 .. n-1  SignatureAndHashAlgorithms (TLS 1.2 only)
+     *     n  .. n+1  length of all DNs
+     *    n+2 .. n+3  length of DN 1
+     *    n+4 .. ...  Distinguished Name #1
+     *    ... .. ...  length of DN 2, etc.
+     */
+    buf = ssl->out_msg;
+    p = buf + 4;
+
+    /*
+     * Supported certificate types
+     *
+     *     ClientCertificateType certificate_types<1..2^8-1>;
+     *     enum { (255) } ClientCertificateType;
+     */
+    ct_len = 0;
+
+#if defined(MBEDTLS_RSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
+#endif
+
+    p[0] = (unsigned char) ct_len++;
+    p += ct_len;
+
+    sa_len = 0;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    /*
+     * Add signature_algorithms for verify (TLS 1.2)
+     *
+     *     SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
+     *
+     *     struct {
+     *           HashAlgorithm hash;
+     *           SignatureAlgorithm signature;
+     *     } SignatureAndHashAlgorithm;
+     *
+     *     enum { (255) } HashAlgorithm;
+     *     enum { (255) } SignatureAlgorithm;
+     */
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        const int *cur;
+
+        /*
+         * Supported signature algorithms
+         */
+        for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+        {
+            unsigned char hash = mbedtls_ssl_hash_from_md_alg( *cur );
+
+            if( MBEDTLS_SSL_HASH_NONE == hash || mbedtls_ssl_set_calc_verify_md( ssl, hash ) )
+                continue;
+
+#if defined(MBEDTLS_RSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_RSA;
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+            p[2 + sa_len++] = hash;
+            p[2 + sa_len++] = MBEDTLS_SSL_SIG_ECDSA;
+#endif
+        }
+
+        p[0] = (unsigned char)( sa_len >> 8 );
+        p[1] = (unsigned char)( sa_len      );
+        sa_len += 2;
+        p += sa_len;
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    /*
+     * DistinguishedName certificate_authorities<0..2^16-1>;
+     * opaque DistinguishedName<1..2^16-1>;
+     */
+    p += 2;
+
+    total_dn_size = 0;
+
+    if( ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
+    {
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if( ssl->handshake->sni_ca_chain != NULL )
+            crt = ssl->handshake->sni_ca_chain;
+        else
+#endif
+            crt = ssl->conf->ca_chain;
+
+        while( crt != NULL && crt->version != 0 )
+        {
+            dn_size = crt->subject_raw.len;
+
+            if( end < p ||
+                (size_t)( end - p ) < dn_size ||
+                (size_t)( end - p ) < 2 + dn_size )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
+                break;
+            }
+
+            *p++ = (unsigned char)( dn_size >> 8 );
+            *p++ = (unsigned char)( dn_size      );
+            memcpy( p, crt->subject_raw.p, dn_size );
+            p += dn_size;
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size );
+
+            total_dn_size += 2 + dn_size;
+            crt = crt->next;
+        }
+    }
+
+    ssl->out_msglen  = p - buf;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE_REQUEST;
+    ssl->out_msg[4 + ct_len + sa_len] = (unsigned char)( total_dn_size  >> 8 );
+    ssl->out_msg[5 + ct_len + sa_len] = (unsigned char)( total_dn_size       );
+
+    ret = mbedtls_ssl_write_handshake_msg( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ! mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECKEY ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) );
+        return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx,
+                                 mbedtls_pk_ec( *mbedtls_ssl_own_key( ssl ) ),
+                                 MBEDTLS_ECDH_OURS ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_get_params" ), ret );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
+                                           size_t *signature_len )
+{
+    /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+     * signature length which will be added in ssl_write_server_key_exchange
+     * after the call to ssl_prepare_server_key_exchange.
+     * ssl_write_server_key_exchange also takes care of incrementing
+     * ssl->out_msglen. */
+    unsigned char *sig_start = ssl->out_msg + ssl->out_msglen + 2;
+    size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_OUT_CONTENT_LEN
+                           - sig_start );
+    int ret = ssl->conf->f_async_resume( ssl,
+                                         sig_start, signature_len, sig_max_len );
+    if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+    {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data( ssl, NULL );
+    }
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret );
+    return( ret );
+}
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+
+/* Prepare the ServerKeyExchange message, up to and including
+ * calculating the signature if any, but excluding formatting the
+ * signature and sending the message. */
+static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
+                                            size_t *signature_len )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+                            ssl->transform_negotiate->ciphersuite_info;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    unsigned char *dig_signed = NULL;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
+
+    (void) ciphersuite_info; /* unused in some configurations */
+#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    (void) signature_len;
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    ssl->out_msglen = 4; /* header (type:1, length:3) to be written later */
+
+    /*
+     *
+     * Part 1: Provide key exchange parameters for chosen ciphersuite.
+     *
+     */
+
+    /*
+     * - ECJPAKE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        int ret;
+        size_t len = 0;
+
+        ret = mbedtls_ecjpake_write_round_two(
+            &ssl->handshake->ecjpake_ctx,
+            ssl->out_msg + ssl->out_msglen,
+            MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen, &len,
+            ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret );
+            return( ret );
+        }
+
+        ssl->out_msglen += len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+    /*
+     * For (EC)DHE key exchanges with PSK, parameters are prefixed by support
+     * identity hint (RFC 4279, Sec. 3). Until someone needs this feature,
+     * we use empty support identity hints here.
+     **/
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)   || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
+        ssl->out_msg[ssl->out_msglen++] = 0x00;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+
+    /*
+     * - DHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
+    {
+        int ret;
+        size_t len = 0;
+
+        if( ssl->conf->dhm_P.p == NULL || ssl->conf->dhm_G.p == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "no DH parameters set" ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+
+        /*
+         * Ephemeral DH parameters:
+         *
+         * struct {
+         *     opaque dh_p<1..2^16-1>;
+         *     opaque dh_g<1..2^16-1>;
+         *     opaque dh_Ys<1..2^16-1>;
+         * } ServerDHParams;
+         */
+        if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx,
+                                           &ssl->conf->dhm_P,
+                                           &ssl->conf->dhm_G ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_dhm_make_params(
+                  &ssl->handshake->dhm_ctx,
+                  (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+                  ssl->out_msg + ssl->out_msglen, &len,
+                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_params", ret );
+            return( ret );
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+        dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+        ssl->out_msglen += len;
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: P ", &ssl->handshake->dhm_ctx.P  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: G ", &ssl->handshake->dhm_ctx.G  );
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
+
+    /*
+     * - ECDHE key exchanges
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
+    {
+        /*
+         * Ephemeral ECDH parameters:
+         *
+         * struct {
+         *     ECParameters curve_params;
+         *     ECPoint      public;
+         * } ServerECDHParams;
+         */
+        const mbedtls_ecp_curve_info **curve = NULL;
+        const mbedtls_ecp_group_id *gid;
+        int ret;
+        size_t len = 0;
+
+        /* Match our preference list against the offered curves */
+        for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
+            for( curve = ssl->handshake->curves; *curve != NULL; curve++ )
+                if( (*curve)->grp_id == *gid )
+                    goto curve_matching_done;
+
+curve_matching_done:
+        if( curve == NULL || *curve == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching curve for ECDHE" ) );
+            return( MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
+
+        if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
+                                        (*curve)->grp_id ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ecdh_make_params(
+                  &ssl->handshake->ecdh_ctx, &len,
+                  ssl->out_msg + ssl->out_msglen,
+                  MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen,
+                  ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_params", ret );
+            return( ret );
+        }
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+        dig_signed = ssl->out_msg + ssl->out_msglen;
+#endif
+
+        ssl->out_msglen += len;
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Q );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
+
+    /*
+     *
+     * Part 2: For key exchanges involving the server signing the
+     *         exchange parameters, compute and add the signature here.
+     *
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
+    {
+        size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
+        size_t hashlen = 0;
+        unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+        int ret;
+
+        /*
+         * 2.1: Choose hash algorithm:
+         * A: For TLS 1.2, obey signature-hash-algorithm extension
+         *    to choose appropriate hash.
+         * B: For SSL3, TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1
+         *    (RFC 4492, Sec. 5.4)
+         * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3)
+         */
+
+        mbedtls_md_type_t md_alg;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        mbedtls_pk_type_t sig_alg =
+            mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            /* A: For TLS 1.2, obey signature-hash-algorithm extension
+             *    (RFC 5246, Sec. 7.4.1.4.1). */
+            if( sig_alg == MBEDTLS_PK_NONE ||
+                ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
+                                                          sig_alg ) ) == MBEDTLS_MD_NONE )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                /* (... because we choose a cipher suite
+                 *      only if there is a matching hash.) */
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
+        {
+            /* B: Default hash SHA1 */
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+        {
+            /* C: MD5 + SHA1 */
+            md_alg = MBEDTLS_MD_NONE;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
+
+        /*
+         * 2.2: Compute the hash to be signed
+         */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+        if( md_alg == MBEDTLS_MD_NONE )
+        {
+            hashlen = 36;
+            ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash,
+                                                           dig_signed,
+                                                           dig_signed_len );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( md_alg != MBEDTLS_MD_NONE )
+        {
+            ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
+                                                          dig_signed,
+                                                          dig_signed_len,
+                                                          md_alg );
+            if( ret != 0 )
+                return( ret );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
+
+        /*
+         * 2.3: Compute and add the signature
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+        {
+            /*
+             * For TLS 1.2, we need to specify signature and hash algorithm
+             * explicitly through a prefix to the signature.
+             *
+             * struct {
+             *    HashAlgorithm hash;
+             *    SignatureAlgorithm signature;
+             * } SignatureAndHashAlgorithm;
+             *
+             * struct {
+             *    SignatureAndHashAlgorithm algorithm;
+             *    opaque signature<0..2^16-1>;
+             * } DigitallySigned;
+             *
+             */
+
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_hash_from_md_alg( md_alg );
+            ssl->out_msg[ssl->out_msglen++] =
+                mbedtls_ssl_sig_from_pk_alg( sig_alg );
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if( ssl->conf->f_async_sign_start != NULL )
+        {
+            ret = ssl->conf->f_async_sign_start( ssl,
+                                                 mbedtls_ssl_own_cert( ssl ),
+                                                 md_alg, hash, hashlen );
+            switch( ret )
+            {
+            case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+                /* act as if f_async_sign was null */
+                break;
+            case 0:
+                ssl->handshake->async_in_progress = 1;
+                return( ssl_resume_server_key_exchange( ssl, signature_len ) );
+            case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+                ssl->handshake->async_in_progress = 1;
+                return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+            default:
+                MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret );
+                return( ret );
+            }
+        }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+        if( mbedtls_ssl_own_key( ssl ) == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+            return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+        }
+
+        /* Append the signature to ssl->out_msg, leaving 2 bytes for the
+         * signature length which will be added in ssl_write_server_key_exchange
+         * after the call to ssl_prepare_server_key_exchange.
+         * ssl_write_server_key_exchange also takes care of incrementing
+         * ssl->out_msglen. */
+        if( ( ret = mbedtls_pk_sign( mbedtls_ssl_own_key( ssl ),
+                                     md_alg, hash, hashlen,
+                                     ssl->out_msg + ssl->out_msglen + 2,
+                                     signature_len,
+                                     ssl->conf->f_rng,
+                                     ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    return( 0 );
+}
+
+/* Prepare the ServerKeyExchange message and send it. For ciphersuites
+ * that do not include a ServerKeyExchange message, do nothing. Either
+ * way, if successful, move on to the next step in the SSL state
+ * machine. */
+static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t signature_len = 0;
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+                            ssl->transform_negotiate->ciphersuite_info;
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
+    /* Extract static ECDH parameters and abort if ServerKeyExchange
+     * is not needed. */
+    if( mbedtls_ssl_ciphersuite_no_pfs( ciphersuite_info ) )
+    {
+        /* For suites involving ECDH, extract DH parameters
+         * from certificate at this point. */
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
+        if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
+        {
+            ssl_get_ecdh_params_from_cert( ssl );
+        }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
+
+        /* Key exchanges not involving ephemeral keys don't use
+         * ServerKeyExchange, so end here. */
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write server key exchange" ) );
+        ssl->state++;
+        return( 0 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) && \
+    defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already prepared the message and there is an ongoing
+     * signature operation, resume signing. */
+    if( ssl->handshake->async_in_progress != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) );
+        ret = ssl_resume_server_key_exchange( ssl, &signature_len );
+    }
+    else
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) &&
+          defined(MBEDTLS_SSL_ASYNC_PRIVATE) */
+    {
+        /* ServerKeyExchange is needed. Prepare the message. */
+        ret = ssl_prepare_server_key_exchange( ssl, &signature_len );
+    }
+
+    if( ret != 0 )
+    {
+        /* If we're starting to write a new message, set ssl->out_msglen
+         * to 0. But if we're resuming after an asynchronous message,
+         * out_msglen is the amount of data written so far and mst be
+         * preserved. */
+        if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange (pending)" ) );
+        else
+            ssl->out_msglen = 0;
+        return( ret );
+    }
+
+    /* If there is a signature, write its length.
+     * ssl_prepare_server_key_exchange already wrote the signature
+     * itself at its proper place in the output buffer. */
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
+    if( signature_len != 0 )
+    {
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len >> 8 );
+        ssl->out_msg[ssl->out_msglen++] = (unsigned char)( signature_len      );
+
+        MBEDTLS_SSL_DEBUG_BUF( 3, "my signature",
+                               ssl->out_msg + ssl->out_msglen,
+                               signature_len );
+
+        /* Skip over the already-written signature */
+        ssl->out_msglen += signature_len;
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
+
+    /* Add header and send. */
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server key exchange" ) );
+    return( 0 );
+}
+
+static int ssl_write_server_hello_done( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server hello done" ) );
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_SERVER_HELLO_DONE;
+
+    ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write server hello done" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) ||                       \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+static int ssl_parse_client_dh_public( mbedtls_ssl_context *ssl, unsigned char **p,
+                                       const unsigned char *end )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t n;
+
+    /*
+     * Receive G^Y mod P, premaster = (G^Y)^X mod P
+     */
+    if( *p + 2 > end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    *p += 2;
+
+    if( *p + n > end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ( ret = mbedtls_dhm_read_public( &ssl->handshake->dhm_ctx, *p, n ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_read_public", ret );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+    }
+
+    *p += n;
+
+    MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GY", &ssl->handshake->dhm_ctx.GY );
+
+    return( ret );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) ||                           \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl,
+                                   unsigned char *peer_pms,
+                                   size_t *peer_pmslen,
+                                   size_t peer_pmssize )
+{
+    int ret = ssl->conf->f_async_resume( ssl,
+                                         peer_pms, peer_pmslen, peer_pmssize );
+    if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+    {
+        ssl->handshake->async_in_progress = 0;
+        mbedtls_ssl_set_async_operation_data( ssl, NULL );
+    }
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret );
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
+                                      const unsigned char *p,
+                                      const unsigned char *end,
+                                      unsigned char *peer_pms,
+                                      size_t *peer_pmslen,
+                                      size_t peer_pmssize )
+{
+    int ret;
+    mbedtls_pk_context *private_key = mbedtls_ssl_own_key( ssl );
+    mbedtls_pk_context *public_key = &mbedtls_ssl_own_cert( ssl )->pk;
+    size_t len = mbedtls_pk_get_len( public_key );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    /* If we have already started decoding the message and there is an ongoing
+     * decryption operation, resume signing. */
+    if( ssl->handshake->async_in_progress != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) );
+        return( ssl_resume_decrypt_pms( ssl,
+                                        peer_pms, peer_pmslen, peer_pmssize ) );
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    /*
+     * Prepare to decrypt the premaster using own private RSA key
+     */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if ( p + 2 > end ) {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+        if( *p++ != ( ( len >> 8 ) & 0xFF ) ||
+            *p++ != ( ( len      ) & 0xFF ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+    }
+#endif
+
+    if( p + len != end )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    /*
+     * Decrypt the premaster secret
+     */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( ssl->conf->f_async_decrypt_start != NULL )
+    {
+        ret = ssl->conf->f_async_decrypt_start( ssl,
+                                                mbedtls_ssl_own_cert( ssl ),
+                                                p, len );
+        switch( ret )
+        {
+        case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH:
+            /* act as if f_async_decrypt_start was null */
+            break;
+        case 0:
+            ssl->handshake->async_in_progress = 1;
+            return( ssl_resume_decrypt_pms( ssl,
+                                            peer_pms,
+                                            peer_pmslen,
+                                            peer_pmssize ) );
+        case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+            ssl->handshake->async_in_progress = 1;
+            return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+        default:
+            MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    if( ! mbedtls_pk_can_do( private_key, MBEDTLS_PK_RSA ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no RSA private key" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    ret = mbedtls_pk_decrypt( private_key, p, len,
+                              peer_pms, peer_pmslen, peer_pmssize,
+                              ssl->conf->f_rng, ssl->conf->p_rng );
+    return( ret );
+}
+
+static int ssl_parse_encrypted_pms( mbedtls_ssl_context *ssl,
+                                    const unsigned char *p,
+                                    const unsigned char *end,
+                                    size_t pms_offset )
+{
+    int ret;
+    unsigned char *pms = ssl->handshake->premaster + pms_offset;
+    unsigned char ver[2];
+    unsigned char fake_pms[48], peer_pms[48];
+    unsigned char mask;
+    size_t i, peer_pmslen;
+    unsigned int diff;
+
+    /* In case of a failure in decryption, the decryption may write less than
+     * 2 bytes of output, but we always read the first two bytes. It doesn't
+     * matter in the end because diff will be nonzero in that case due to
+     * peer_pmslen being less than 48, and we only care whether diff is 0.
+     * But do initialize peer_pms for robustness anyway. This also makes
+     * memory analyzers happy (don't access uninitialized memory, even
+     * if it's an unsigned char). */
+    peer_pms[0] = peer_pms[1] = ~0;
+
+    ret = ssl_decrypt_encrypted_pms( ssl, p, end,
+                                     peer_pms,
+                                     &peer_pmslen,
+                                     sizeof( peer_pms ) );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if ( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+        return( ret );
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+    mbedtls_ssl_write_version( ssl->handshake->max_major_ver,
+                               ssl->handshake->max_minor_ver,
+                               ssl->conf->transport, ver );
+
+    /* Avoid data-dependent branches while checking for invalid
+     * padding, to protect against timing-based Bleichenbacher-type
+     * attacks. */
+    diff  = (unsigned int) ret;
+    diff |= peer_pmslen ^ 48;
+    diff |= peer_pms[0] ^ ver[0];
+    diff |= peer_pms[1] ^ ver[1];
+
+    /* mask = diff ? 0xff : 0x00 using bit operations to avoid branches */
+    /* MSVC has a warning about unary minus on unsigned, but this is
+     * well-defined and precisely what we want to do here */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+    mask = - ( ( diff | - diff ) >> ( sizeof( unsigned int ) * 8 - 1 ) );
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+    /*
+     * Protection against Bleichenbacher's attack: invalid PKCS#1 v1.5 padding
+     * must not cause the connection to end immediately; instead, send a
+     * bad_record_mac later in the handshake.
+     * To protect against timing-based variants of the attack, we must
+     * not have any branch that depends on whether the decryption was
+     * successful. In particular, always generate the fake premaster secret,
+     * regardless of whether it will ultimately influence the output or not.
+     */
+    ret = ssl->conf->f_rng( ssl->conf->p_rng, fake_pms, sizeof( fake_pms ) );
+    if( ret != 0 )
+    {
+        /* It's ok to abort on an RNG failure, since this does not reveal
+         * anything about the RSA decryption. */
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    if( diff != 0 )
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+#endif
+
+    if( sizeof( ssl->handshake->premaster ) < pms_offset ||
+        sizeof( ssl->handshake->premaster ) - pms_offset < 48 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+    ssl->handshake->pmslen = 48;
+
+    /* Set pms to either the true or the fake PMS, without
+     * data-dependent branches. */
+    for( i = 0; i < ssl->handshake->pmslen; i++ )
+        pms[i] = ( mask & fake_pms[i] ) | ( (~mask) & peer_pms[i] );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned char **p,
+                                          const unsigned char *end )
+{
+    int ret = 0;
+    size_t n;
+
+    if( ssl->conf->f_psk == NULL &&
+        ( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ||
+          ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0 ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) );
+        return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+    }
+
+    /*
+     * Receive client pre-shared key identity name
+     */
+    if( end - *p < 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    n = ( (*p)[0] << 8 ) | (*p)[1];
+    *p += 2;
+
+    if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ssl->conf->f_psk != NULL )
+    {
+        if( ssl->conf->f_psk( ssl->conf->p_psk, ssl, *p, n ) != 0 )
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+    }
+    else
+    {
+        /* Identity is not a big secret since clients send it in the clear,
+         * but treat it carefully anyway, just in case */
+        if( n != ssl->conf->psk_identity_len ||
+            mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
+        {
+            ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
+        }
+    }
+
+    if( ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY )
+    {
+        MBEDTLS_SSL_DEBUG_BUF( 3, "Unknown PSK identity", *p, n );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY );
+        return( MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY );
+    }
+
+    *p += n;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+    unsigned char *p, *end;
+
+    ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
+    ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+      defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
+    if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+          ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
+        ( ssl->handshake->async_in_progress != 0 ) )
+    {
+        /* We've already read a record and there is an asynchronous
+         * operation in progress to decrypt it. So skip reading the
+         * record. */
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "will resume decryption of previously-read record" ) );
+    }
+    else
+#endif
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
+    end = ssl->in_msg + ssl->in_hslen;
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+    }
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
+    {
+        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      ssl->handshake->premaster,
+                                      MBEDTLS_PREMASTER_SIZE,
+                                     &ssl->handshake->pmslen,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
+        }
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) ||                     \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ||                   \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||                      \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+    {
+        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
+                                      p, end - p) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_QP );
+
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
+                                      &ssl->handshake->pmslen,
+                                       ssl->handshake->premaster,
+                                       MBEDTLS_MPI_MAX_SIZE,
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+          MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+        if ( ssl->handshake->async_in_progress != 0 )
+        {
+            /* There is an asynchronous operation in progress to
+             * decrypt the encrypted premaster secret, so skip
+             * directly to resuming this operation. */
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "PSK identity already parsed" ) );
+            /* Update p to skip the PSK identity. ssl_parse_encrypted_pms
+             * won't actually use it, but maintain p anyway for robustness. */
+            p += ssl->conf->psk_identity_len + 2;
+        }
+        else
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 2 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_encrypted_pms" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+        if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_dh_public" ), ret );
+            return( ret );
+        }
+
+        if( p != end )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
+        }
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_client_psk_identity" ), ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
+                                       p, end - p ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_read_public", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
+        }
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_QP );
+
+        if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
+                        ciphersuite_info->key_exchange ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
+    {
+        if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_parse_parse_encrypted_pms_secret" ), ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
+                                              p, end - p );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
+            return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
+        }
+
+        ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx,
+                ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
+                ssl->conf->f_rng, ssl->conf->p_rng );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret );
+            return( ret );
+        }
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
+        return( ret );
+    }
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse client key exchange" ) );
+
+    return( 0 );
+}
+
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)       && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)  && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)&& \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+#else
+static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, sig_len;
+    unsigned char hash[48];
+    unsigned char *hash_start = hash;
+    size_t hashlen;
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    mbedtls_pk_type_t pk_alg;
+#endif
+    mbedtls_md_type_t md_alg;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ||
+        ssl->session_negotiate->peer_cert == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    /* Read the message without adding it to the checksum */
+    ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ );
+    if( 0 != ret )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record" ), ret );
+        return( ret );
+    }
+
+    ssl->state++;
+
+    /* Process the message contents */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
+        ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE_VERIFY )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    i = mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     *  struct {
+     *     SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
+     *     opaque signature<0..2^16-1>;
+     *  } DigitallySigned;
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        md_alg = MBEDTLS_MD_NONE;
+        hashlen = 36;
+
+        /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
+        if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
+                        MBEDTLS_PK_ECDSA ) )
+        {
+            hash_start += 16;
+            hashlen -= 16;
+            md_alg = MBEDTLS_MD_SHA1;
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        if( i + 2 > ssl->in_hslen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        /*
+         * Hash
+         */
+        md_alg = mbedtls_ssl_md_alg_from_hash( ssl->in_msg[i] );
+
+        if( md_alg == MBEDTLS_MD_NONE || mbedtls_ssl_set_calc_verify_md( ssl, ssl->in_msg[i] ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
+                                " for verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+#if !defined(MBEDTLS_MD_SHA1)
+        if( MBEDTLS_MD_SHA1 == md_alg )
+            hash_start += 16;
+#endif
+
+        /* Info from md_alg will be used instead */
+        hashlen = 0;
+
+        i++;
+
+        /*
+         * Signature
+         */
+        if( ( pk_alg = mbedtls_ssl_pk_alg_from_sig( ssl->in_msg[i] ) )
+                        == MBEDTLS_PK_NONE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
+                                " for verify message" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        /*
+         * Check the certificate's key type matches the signature alg
+         */
+        if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+        }
+
+        i++;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( i + 2 > ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
+    i += 2;
+
+    if( i + sig_len != ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
+    }
+
+    /* Calculate hash and verify signature */
+    ssl->handshake->calc_verify( ssl, hash );
+
+    if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk,
+                           md_alg, hash_start, hashlen,
+                           ssl->in_msg + i, sig_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+        return( ret );
+    }
+
+    mbedtls_ssl_update_handshake_status( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED &&
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+static int ssl_write_new_session_ticket( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t tlen;
+    uint32_t lifetime;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write new session ticket" ) );
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_NEW_SESSION_TICKET;
+
+    /*
+     * struct {
+     *     uint32 ticket_lifetime_hint;
+     *     opaque ticket<0..2^16-1>;
+     * } NewSessionTicket;
+     *
+     * 4  .  7   ticket_lifetime_hint (0 = unspecified)
+     * 8  .  9   ticket_len (n)
+     * 10 .  9+n ticket content
+     */
+
+    if( ( ret = ssl->conf->f_ticket_write( ssl->conf->p_ticket,
+                                ssl->session_negotiate,
+                                ssl->out_msg + 10,
+                                ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
+                                &tlen, &lifetime ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_ticket_write", ret );
+        tlen = 0;
+    }
+
+    ssl->out_msg[4] = ( lifetime >> 24 ) & 0xFF;
+    ssl->out_msg[5] = ( lifetime >> 16 ) & 0xFF;
+    ssl->out_msg[6] = ( lifetime >>  8 ) & 0xFF;
+    ssl->out_msg[7] = ( lifetime       ) & 0xFF;
+
+    ssl->out_msg[8] = (unsigned char)( ( tlen >> 8 ) & 0xFF );
+    ssl->out_msg[9] = (unsigned char)( ( tlen      ) & 0xFF );
+
+    ssl->out_msglen = 10 + tlen;
+
+    /*
+     * Morally equivalent to updating ssl->state, but NewSessionTicket and
+     * ChangeCipherSpec share the same state.
+     */
+    ssl->handshake->new_session_ticket = 0;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write new session ticket" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+/*
+ * SSL handshake -- server side -- single step
+ */
+int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "server state: %d", ssl->state ) );
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+            return( ret );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    switch( ssl->state )
+    {
+        case MBEDTLS_SSL_HELLO_REQUEST:
+            ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
+            break;
+
+        /*
+         *  <==   ClientHello
+         */
+        case MBEDTLS_SSL_CLIENT_HELLO:
+            ret = ssl_parse_client_hello( ssl );
+            break;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
+            return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+#endif
+
+        /*
+         *  ==>   ServerHello
+         *        Certificate
+         *      ( ServerKeyExchange  )
+         *      ( CertificateRequest )
+         *        ServerHelloDone
+         */
+        case MBEDTLS_SSL_SERVER_HELLO:
+            ret = ssl_write_server_hello( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_CERTIFICATE:
+            ret = mbedtls_ssl_write_certificate( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+            ret = ssl_write_server_key_exchange( ssl );
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
+            ret = ssl_write_certificate_request( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_HELLO_DONE:
+            ret = ssl_write_server_hello_done( ssl );
+            break;
+
+        /*
+         *  <== ( Certificate/Alert  )
+         *        ClientKeyExchange
+         *      ( CertificateVerify  )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+            ret = mbedtls_ssl_parse_certificate( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+            ret = ssl_parse_client_key_exchange( ssl );
+            break;
+
+        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
+            ret = ssl_parse_certificate_verify( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+            ret = mbedtls_ssl_parse_change_cipher_spec( ssl );
+            break;
+
+        case MBEDTLS_SSL_CLIENT_FINISHED:
+            ret = mbedtls_ssl_parse_finished( ssl );
+            break;
+
+        /*
+         *  ==> ( NewSessionTicket )
+         *        ChangeCipherSpec
+         *        Finished
+         */
+        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+            if( ssl->handshake->new_session_ticket != 0 )
+                ret = ssl_write_new_session_ticket( ssl );
+            else
+#endif
+                ret = mbedtls_ssl_write_change_cipher_spec( ssl );
+            break;
+
+        case MBEDTLS_SSL_SERVER_FINISHED:
+            ret = mbedtls_ssl_write_finished( ssl );
+            break;
+
+        case MBEDTLS_SSL_FLUSH_BUFFERS:
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+            break;
+
+        case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
+            mbedtls_ssl_handshake_wrapup( ssl );
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_SRV_C */
diff --git a/makerom/deps/libmbedtls/src/ssl_ticket.c b/makerom/deps/libmbedtls/src/ssl_ticket.c
new file mode 100644
index 00000000..8492c19a
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ssl_ticket.c
@@ -0,0 +1,485 @@
+/*
+ *  TLS server tickets callbacks implementation
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TICKET_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/ssl_ticket.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+/*
+ * Initialze context
+ */
+void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_init( &ctx->mutex );
+#endif
+}
+
+#define MAX_KEY_BYTES 32    /* 256 bits */
+
+/*
+ * Generate/update a key
+ */
+static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
+                               unsigned char index )
+{
+    int ret;
+    unsigned char buf[MAX_KEY_BYTES];
+    mbedtls_ssl_ticket_key *key = ctx->keys + index;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    key->generation_time = (uint32_t) mbedtls_time( NULL );
+#endif
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
+        return( ret );
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
+        return( ret );
+
+    /* With GCM and CCM, same context can encrypt & decrypt */
+    ret = mbedtls_cipher_setkey( &key->ctx, buf,
+                                 mbedtls_cipher_get_key_bitlen( &key->ctx ),
+                                 MBEDTLS_ENCRYPT );
+
+    mbedtls_platform_zeroize( buf, sizeof( buf ) );
+
+    return( ret );
+}
+
+/*
+ * Rotate/generate keys if necessary
+ */
+static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
+{
+#if !defined(MBEDTLS_HAVE_TIME)
+    ((void) ctx);
+#else
+    if( ctx->ticket_lifetime != 0 )
+    {
+        uint32_t current_time = (uint32_t) mbedtls_time( NULL );
+        uint32_t key_time = ctx->keys[ctx->active].generation_time;
+
+        if( current_time >= key_time &&
+            current_time - key_time < ctx->ticket_lifetime )
+        {
+            return( 0 );
+        }
+
+        ctx->active = 1 - ctx->active;
+
+        return( ssl_ticket_gen_key( ctx, ctx->active ) );
+    }
+    else
+#endif /* MBEDTLS_HAVE_TIME */
+        return( 0 );
+}
+
+/*
+ * Setup context for actual use
+ */
+int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
+    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+    mbedtls_cipher_type_t cipher,
+    uint32_t lifetime )
+{
+    int ret;
+    const mbedtls_cipher_info_t *cipher_info;
+
+    ctx->f_rng = f_rng;
+    ctx->p_rng = p_rng;
+
+    ctx->ticket_lifetime = lifetime;
+
+    cipher_info = mbedtls_cipher_info_from_type( cipher);
+    if( cipher_info == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( cipher_info->mode != MBEDTLS_MODE_GCM &&
+        cipher_info->mode != MBEDTLS_MODE_CCM )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 ||
+        ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
+        ( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Serialize a session in the following format:
+ *  0   .   n-1     session structure, n = sizeof(mbedtls_ssl_session)
+ *  n   .   n+2     peer_cert length = m (0 if no certificate)
+ *  n+3 .   n+2+m   peer cert ASN.1
+ */
+static int ssl_save_session( const mbedtls_ssl_session *session,
+                             unsigned char *buf, size_t buf_len,
+                             size_t *olen )
+{
+    unsigned char *p = buf;
+    size_t left = buf_len;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    size_t cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( left < sizeof( mbedtls_ssl_session ) )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    memcpy( p, session, sizeof( mbedtls_ssl_session ) );
+    p += sizeof( mbedtls_ssl_session );
+    left -= sizeof( mbedtls_ssl_session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( session->peer_cert == NULL )
+        cert_len = 0;
+    else
+        cert_len = session->peer_cert->raw.len;
+
+    if( left < 3 + cert_len )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    *p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
+    *p++ = (unsigned char)( ( cert_len >>  8 ) & 0xFF );
+    *p++ = (unsigned char)( ( cert_len       ) & 0xFF );
+
+    if( session->peer_cert != NULL )
+        memcpy( p, session->peer_cert->raw.p, cert_len );
+
+    p += cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    *olen = p - buf;
+
+    return( 0 );
+}
+
+/*
+ * Unserialise session, see ssl_save_session()
+ */
+static int ssl_load_session( mbedtls_ssl_session *session,
+                             const unsigned char *buf, size_t len )
+{
+    const unsigned char *p = buf;
+    const unsigned char * const end = buf + len;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    size_t cert_len;
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    memcpy( session, p, sizeof( mbedtls_ssl_session ) );
+    p += sizeof( mbedtls_ssl_session );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( 3 > (size_t)( end - p ) )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
+    p += 3;
+
+    if( cert_len == 0 )
+    {
+        session->peer_cert = NULL;
+    }
+    else
+    {
+        int ret;
+
+        if( cert_len > (size_t)( end - p ) )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
+
+        if( session->peer_cert == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        mbedtls_x509_crt_init( session->peer_cert );
+
+        if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
+                                                p, cert_len ) ) != 0 )
+        {
+            mbedtls_x509_crt_free( session->peer_cert );
+            mbedtls_free( session->peer_cert );
+            session->peer_cert = NULL;
+            return( ret );
+        }
+
+        p += cert_len;
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+    if( p != end )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+
+/*
+ * Create session ticket, with the following structure:
+ *
+ *    struct {
+ *        opaque key_name[4];
+ *        opaque iv[12];
+ *        opaque encrypted_state<0..2^16-1>;
+ *        opaque tag[16];
+ *    } ticket;
+ *
+ * The key_name, iv, and length of encrypted_state are the additional
+ * authenticated data.
+ */
+int mbedtls_ssl_ticket_write( void *p_ticket,
+                              const mbedtls_ssl_session *session,
+                              unsigned char *start,
+                              const unsigned char *end,
+                              size_t *tlen,
+                              uint32_t *ticket_lifetime )
+{
+    int ret;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = start;
+    unsigned char *iv = start + 4;
+    unsigned char *state_len_bytes = iv + 12;
+    unsigned char *state = state_len_bytes + 2;
+    unsigned char *tag;
+    size_t clear_len, ciph_len;
+
+    *tlen = 0;
+
+    if( ctx == NULL || ctx->f_rng == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
+     * in addition to session itself, that will be checked when writing it. */
+    if( end - start < 4 + 12 + 2 + 16 )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
+        goto cleanup;
+
+    key = &ctx->keys[ctx->active];
+
+    *ticket_lifetime = ctx->ticket_lifetime;
+
+    memcpy( key_name, key->name, 4 );
+
+    if( ( ret = ctx->f_rng( ctx->p_rng, iv, 12 ) ) != 0 )
+        goto cleanup;
+
+    /* Dump session state */
+    if( ( ret = ssl_save_session( session,
+                                  state, end - state, &clear_len ) ) != 0 ||
+        (unsigned long) clear_len > 65535 )
+    {
+         goto cleanup;
+    }
+    state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
+    state_len_bytes[1] = ( clear_len      ) & 0xff;
+
+    /* Encrypt and authenticate */
+    tag = state + clear_len;
+    if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
+                    iv, 12, key_name, 4 + 12 + 2,
+                    state, clear_len, state, &ciph_len, tag, 16 ) ) != 0 )
+    {
+        goto cleanup;
+    }
+    if( ciph_len != clear_len )
+    {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    *tlen = 4 + 12 + 2 + 16 + ciph_len;
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Select key based on name
+ */
+static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
+        mbedtls_ssl_ticket_context *ctx,
+        const unsigned char name[4] )
+{
+    unsigned char i;
+
+    for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
+        if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
+            return( &ctx->keys[i] );
+
+    return( NULL );
+}
+
+/*
+ * Load session ticket (see mbedtls_ssl_ticket_write for structure)
+ */
+int mbedtls_ssl_ticket_parse( void *p_ticket,
+                              mbedtls_ssl_session *session,
+                              unsigned char *buf,
+                              size_t len )
+{
+    int ret;
+    mbedtls_ssl_ticket_context *ctx = p_ticket;
+    mbedtls_ssl_ticket_key *key;
+    unsigned char *key_name = buf;
+    unsigned char *iv = buf + 4;
+    unsigned char *enc_len_p = iv + 12;
+    unsigned char *ticket = enc_len_p + 2;
+    unsigned char *tag;
+    size_t enc_len, clear_len;
+
+    if( ctx == NULL || ctx->f_rng == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* See mbedtls_ssl_ticket_write() */
+    if( len < 4 + 12 + 2 + 16 )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
+        return( ret );
+#endif
+
+    if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
+        goto cleanup;
+
+    enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
+    tag = ticket + enc_len;
+
+    if( len != 4 + 12 + 2 + enc_len + 16 )
+    {
+        ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    /* Select key */
+    if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
+    {
+        /* We can't know for sure but this is a likely option unless we're
+         * under attack - this is only informative anyway */
+        ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+        goto cleanup;
+    }
+
+    /* Decrypt and authenticate */
+    if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, iv, 12,
+                    key_name, 4 + 12 + 2, ticket, enc_len,
+                    ticket, &clear_len, tag, 16 ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
+            ret = MBEDTLS_ERR_SSL_INVALID_MAC;
+
+        goto cleanup;
+    }
+    if( clear_len != enc_len )
+    {
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
+    }
+
+    /* Actually load session */
+    if( ( ret = ssl_load_session( session, ticket, clear_len ) ) != 0 )
+        goto cleanup;
+
+#if defined(MBEDTLS_HAVE_TIME)
+    {
+        /* Check for expiration */
+        mbedtls_time_t current_time = mbedtls_time( NULL );
+
+        if( current_time < session->start ||
+            (uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
+        {
+            ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
+            goto cleanup;
+        }
+    }
+#endif
+
+cleanup:
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Free context
+ */
+void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
+{
+    mbedtls_cipher_free( &ctx->keys[0].ctx );
+    mbedtls_cipher_free( &ctx->keys[1].ctx );
+
+#if defined(MBEDTLS_THREADING_C)
+    mbedtls_mutex_free( &ctx->mutex );
+#endif
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
+}
+
+#endif /* MBEDTLS_SSL_TICKET_C */
diff --git a/makerom/deps/libmbedtls/src/ssl_tls.c b/makerom/deps/libmbedtls/src/ssl_tls.c
new file mode 100644
index 00000000..b8f35fec
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/ssl_tls.c
@@ -0,0 +1,9791 @@
+/*
+ *  SSLv3/TLSv1 shared functions
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The SSL 3.0 specification was drafted by Netscape in 1996,
+ *  and became an IETF standard in 1999.
+ *
+ *  http://wp.netscape.com/eng/ssl3/
+ *  http://www.ietf.org/rfc/rfc2246.txt
+ *  http://www.ietf.org/rfc/rfc4346.txt
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C)
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc    calloc
+#define mbedtls_free      free
+#endif
+
+#include "mbedtls/debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_internal.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#include "mbedtls/oid.h"
+#endif
+
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
+
+/* Length of the "epoch" field in the record header */
+static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 2 );
+#else
+    ((void) ssl);
+#endif
+    return( 0 );
+}
+
+/*
+ * Start a timer.
+ * Passing millisecs = 0 cancels a running timer.
+ */
+static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
+{
+    if( ssl->f_set_timer == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
+    ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
+}
+
+/*
+ * Return -1 is timer is expired, 0 if it isn't.
+ */
+static int ssl_check_timer( mbedtls_ssl_context *ssl )
+{
+    if( ssl->f_get_timer == NULL )
+        return( 0 );
+
+    if( ssl->f_get_timer( ssl->p_timer ) == 2 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform );
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
+                                    mbedtls_ssl_transform *transform );
+
+#define SSL_DONT_FORCE_FLUSH 0
+#define SSL_FORCE_FLUSH      1
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+/* Forward declarations for functions related to message buffering. */
+static void ssl_buffering_free( mbedtls_ssl_context *ssl );
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
+                                     uint8_t slot );
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
+static int ssl_buffer_message( mbedtls_ssl_context *ssl );
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
+
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
+static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
+{
+    size_t mtu = ssl_get_current_mtu( ssl );
+
+    if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
+        return( mtu );
+
+    return( MBEDTLS_SSL_OUT_BUFFER_LEN );
+}
+
+static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
+{
+    size_t const bytes_written = ssl->out_left;
+    size_t const mtu           = ssl_get_maximum_datagram_size( ssl );
+
+    /* Double-check that the write-index hasn't gone
+     * past what we can transmit in a single datagram. */
+    if( bytes_written > mtu )
+    {
+        /* Should never happen... */
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    return( (int) ( mtu - bytes_written ) );
+}
+
+static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
+{
+    int ret;
+    size_t remaining, expansion;
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
+
+    if( max_len > mfl )
+        max_len = mfl;
+
+    /* By the standard (RFC 6066 Sect. 4), the MFL extension
+     * only limits the maximum record payload size, so in theory
+     * we would be allowed to pack multiple records of payload size
+     * MFL into a single datagram. However, this would mean that there's
+     * no way to explicitly communicate MTU restrictions to the peer.
+     *
+     * The following reduction of max_len makes sure that we never
+     * write datagrams larger than MFL + Record Expansion Overhead.
+     */
+    if( max_len <= ssl->out_left )
+        return( 0 );
+
+    max_len -= ssl->out_left;
+#endif
+
+    ret = ssl_get_remaining_space_in_datagram( ssl );
+    if( ret < 0 )
+        return( ret );
+    remaining = (size_t) ret;
+
+    ret = mbedtls_ssl_get_record_expansion( ssl );
+    if( ret < 0 )
+        return( ret );
+    expansion = (size_t) ret;
+
+    if( remaining <= expansion )
+        return( 0 );
+
+    remaining -= expansion;
+    if( remaining >= max_len )
+        remaining = max_len;
+
+    return( (int) remaining );
+}
+
+/*
+ * Double the retransmit timeout value, within the allowed range,
+ * returning -1 if the maximum value has already been reached.
+ */
+static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
+{
+    uint32_t new_timeout;
+
+    if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
+        return( -1 );
+
+    /* Implement the final paragraph of RFC 6347 section 4.1.1.1
+     * in the following way: after the initial transmission and a first
+     * retransmission, back off to a temporary estimated MTU of 508 bytes.
+     * This value is guaranteed to be deliverable (if not guaranteed to be
+     * delivered) of any compliant IPv4 (and IPv6) network, and should work
+     * on most non-IP stacks too. */
+    if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
+    {
+        ssl->handshake->mtu = 508;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
+    }
+
+    new_timeout = 2 * ssl->handshake->retransmit_timeout;
+
+    /* Avoid arithmetic overflow and range overflow */
+    if( new_timeout < ssl->handshake->retransmit_timeout ||
+        new_timeout > ssl->conf->hs_timeout_max )
+    {
+        new_timeout = ssl->conf->hs_timeout_max;
+    }
+
+    ssl->handshake->retransmit_timeout = new_timeout;
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
+                        ssl->handshake->retransmit_timeout ) );
+
+    return( 0 );
+}
+
+static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
+{
+    ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
+                        ssl->handshake->retransmit_timeout ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+/*
+ * Convert max_fragment_length codes to length.
+ * RFC 6066 says:
+ *    enum{
+ *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
+ *    } MaxFragmentLength;
+ * and we add 0 -> extension unused
+ */
+static unsigned int ssl_mfl_code_to_length( int mfl )
+{
+    switch( mfl )
+    {
+    case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
+        return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+    case MBEDTLS_SSL_MAX_FRAG_LEN_512:
+        return 512;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
+        return 1024;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
+        return 2048;
+    case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
+        return 4096;
+    default:
+        return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
+    }
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
+{
+    mbedtls_ssl_session_free( dst );
+    memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( src->peer_cert != NULL )
+    {
+        int ret;
+
+        dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
+        if( dst->peer_cert == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        mbedtls_x509_crt_init( dst->peer_cert );
+
+        if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
+                                        src->peer_cert->raw.len ) ) != 0 )
+        {
+            mbedtls_free( dst->peer_cert );
+            dst->peer_cert = NULL;
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    if( src->ticket != NULL )
+    {
+        dst->ticket = mbedtls_calloc( 1, src->ticket_len );
+        if( dst->ticket == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        memcpy( dst->ticket, src->ticket, src->ticket_len );
+    }
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
+                     const unsigned char *key_enc, const unsigned char *key_dec,
+                     size_t keylen,
+                     const unsigned char *iv_enc,  const unsigned char *iv_dec,
+                     size_t ivlen,
+                     const unsigned char *mac_enc, const unsigned char *mac_dec,
+                     size_t maclen ) = NULL;
+int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
+int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
+int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+/*
+ * Key material generation
+ */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static int ssl3_prf( const unsigned char *secret, size_t slen,
+                     const char *label,
+                     const unsigned char *random, size_t rlen,
+                     unsigned char *dstbuf, size_t dlen )
+{
+    int ret = 0;
+    size_t i;
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padding[16];
+    unsigned char sha1sum[20];
+    ((void)label);
+
+    mbedtls_md5_init(  &md5  );
+    mbedtls_sha1_init( &sha1 );
+
+    /*
+     *  SSLv3:
+     *    block =
+     *      MD5( secret + SHA1( 'A'    + secret + random ) ) +
+     *      MD5( secret + SHA1( 'BB'   + secret + random ) ) +
+     *      MD5( secret + SHA1( 'CCC'  + secret + random ) ) +
+     *      ...
+     */
+    for( i = 0; i < dlen / 16; i++ )
+    {
+        memset( padding, (unsigned char) ('A' + i), 1 + i );
+
+        if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
+            goto exit;
+
+        if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
+            goto exit;
+        if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
+            goto exit;
+    }
+
+exit:
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_platform_zeroize( padding, sizeof( padding ) );
+    mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static int tls1_prf( const unsigned char *secret, size_t slen,
+                     const char *label,
+                     const unsigned char *random, size_t rlen,
+                     unsigned char *dstbuf, size_t dlen )
+{
+    size_t nb, hs;
+    size_t i, j, k;
+    const unsigned char *S1, *S2;
+    unsigned char tmp[128];
+    unsigned char h_i[20];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret;
+
+    mbedtls_md_init( &md_ctx );
+
+    if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    hs = ( slen + 1 ) / 2;
+    S1 = secret;
+    S2 = secret + slen - hs;
+
+    nb = strlen( label );
+    memcpy( tmp + 20, label, nb );
+    memcpy( tmp + 20 + nb, random, rlen );
+    nb += rlen;
+
+    /*
+     * First compute P_md5(secret,label+random)[0..dlen]
+     */
+    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, S1, hs );
+    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+    mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+
+    for( i = 0; i < dlen; i += 16 )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
+        mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
+
+        k = ( i + 16 > dlen ) ? dlen % 16 : 16;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j]  = h_i[j];
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    /*
+     * XOR out with P_sha1(secret,label+random)[0..dlen]
+     */
+    if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, S2, hs );
+    mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
+    mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+    for( i = 0; i < dlen; i += 20 )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
+        mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+        k = ( i + 20 > dlen ) ? dlen % 20 : 20;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+static int tls_prf_generic( mbedtls_md_type_t md_type,
+                            const unsigned char *secret, size_t slen,
+                            const char *label,
+                            const unsigned char *random, size_t rlen,
+                            unsigned char *dstbuf, size_t dlen )
+{
+    size_t nb;
+    size_t i, j, k, md_len;
+    unsigned char tmp[128];
+    unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+    mbedtls_md_context_t md_ctx;
+    int ret;
+
+    mbedtls_md_init( &md_ctx );
+
+    if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    md_len = mbedtls_md_get_size( md_info );
+
+    if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    nb = strlen( label );
+    memcpy( tmp + md_len, label, nb );
+    memcpy( tmp + md_len + nb, random, rlen );
+    nb += rlen;
+
+    /*
+     * Compute P_<hash>(secret, label + random)[0..dlen]
+     */
+    if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
+        return( ret );
+
+    mbedtls_md_hmac_starts( &md_ctx, secret, slen );
+    mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
+    mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+    for( i = 0; i < dlen; i += md_len )
+    {
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
+        mbedtls_md_hmac_finish( &md_ctx, h_i );
+
+        mbedtls_md_hmac_reset ( &md_ctx );
+        mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
+        mbedtls_md_hmac_finish( &md_ctx, tmp );
+
+        k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
+
+        for( j = 0; j < k; j++ )
+            dstbuf[i + j]  = h_i[j];
+    }
+
+    mbedtls_md_free( &md_ctx );
+
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+    mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SHA256_C)
+static int tls_prf_sha256( const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen )
+{
+    return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
+                             label, random, rlen, dstbuf, dlen ) );
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+static int tls_prf_sha384( const unsigned char *secret, size_t slen,
+                           const char *label,
+                           const unsigned char *random, size_t rlen,
+                           unsigned char *dstbuf, size_t dlen )
+{
+    return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
+                             label, random, rlen, dstbuf, dlen ) );
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
+static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );
+static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
+static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
+static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+    unsigned char tmp[64];
+    unsigned char keyblk[256];
+    unsigned char *key1;
+    unsigned char *key2;
+    unsigned char *mac_enc;
+    unsigned char *mac_dec;
+    size_t mac_key_len;
+    size_t iv_copy_len;
+    const mbedtls_cipher_info_t *cipher_info;
+    const mbedtls_md_info_t *md_info;
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    mbedtls_ssl_transform *transform = ssl->transform_negotiate;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
+
+    cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
+    if( cipher_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
+                            transform->ciphersuite_info->cipher ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
+    if( md_info == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
+                            transform->ciphersuite_info->mac ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /*
+     * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
+     */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        handshake->tls_prf = ssl3_prf;
+        handshake->calc_verify = ssl_calc_verify_ssl;
+        handshake->calc_finished = ssl_calc_finished_ssl;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        handshake->tls_prf = tls1_prf;
+        handshake->calc_verify = ssl_calc_verify_tls;
+        handshake->calc_finished = ssl_calc_finished_tls;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
+        transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+    {
+        handshake->tls_prf = tls_prf_sha384;
+        handshake->calc_verify = ssl_calc_verify_tls_sha384;
+        handshake->calc_finished = ssl_calc_finished_tls_sha384;
+    }
+    else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+    {
+        handshake->tls_prf = tls_prf_sha256;
+        handshake->calc_verify = ssl_calc_verify_tls_sha256;
+        handshake->calc_finished = ssl_calc_finished_tls_sha256;
+    }
+    else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /*
+     * SSLv3:
+     *   master =
+     *     MD5( premaster + SHA1( 'A'   + premaster + randbytes ) ) +
+     *     MD5( premaster + SHA1( 'BB'  + premaster + randbytes ) ) +
+     *     MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
+     *
+     * TLSv1+:
+     *   master = PRF( premaster, "master secret", randbytes )[0..47]
+     */
+    if( handshake->resume == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
+                       handshake->pmslen );
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+        if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
+        {
+            unsigned char session_hash[48];
+            size_t hash_len;
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
+
+            ssl->handshake->calc_verify( ssl, session_hash );
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+            {
+#if defined(MBEDTLS_SHA512_C)
+                if( ssl->transform_negotiate->ciphersuite_info->mac ==
+                    MBEDTLS_MD_SHA384 )
+                {
+                    hash_len = 48;
+                }
+                else
+#endif
+                    hash_len = 32;
+            }
+            else
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+                hash_len = 36;
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
+
+            ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                      "extended master secret",
+                                      session_hash, hash_len,
+                                      session->master, 48 );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+                return( ret );
+            }
+
+        }
+        else
+#endif
+        ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
+                                  "master secret",
+                                  handshake->randbytes, 64,
+                                  session->master, 48 );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+            return( ret );
+        }
+
+        mbedtls_platform_zeroize( handshake->premaster,
+                                  sizeof(handshake->premaster) );
+    }
+    else
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
+
+    /*
+     * Swap the client and server random values.
+     */
+    memcpy( tmp, handshake->randbytes, 64 );
+    memcpy( handshake->randbytes, tmp + 32, 32 );
+    memcpy( handshake->randbytes + 32, tmp, 32 );
+    mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
+
+    /*
+     *  SSLv3:
+     *    key block =
+     *      MD5( master + SHA1( 'A'    + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'BB'   + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'CCC'  + master + randbytes ) ) +
+     *      MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
+     *      ...
+     *
+     *  TLSv1:
+     *    key block = PRF( master, "key expansion", randbytes )
+     */
+    ret = handshake->tls_prf( session->master, 48, "key expansion",
+                              handshake->randbytes, 64, keyblk, 256 );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
+                   mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
+
+    mbedtls_platform_zeroize( handshake->randbytes,
+                              sizeof( handshake->randbytes ) );
+
+    /*
+     * Determine the appropriate key, IV and MAC length.
+     */
+
+    transform->keylen = cipher_info->key_bitlen / 8;
+
+    if( cipher_info->mode == MBEDTLS_MODE_GCM ||
+        cipher_info->mode == MBEDTLS_MODE_CCM ||
+        cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+    {
+        size_t taglen, explicit_ivlen;
+
+        transform->maclen = 0;
+        mac_key_len = 0;
+
+        /* All modes haves 96-bit IVs;
+         * GCM and CCM has 4 implicit and 8 explicit bytes
+         * ChachaPoly has all 12 bytes implicit
+         */
+        transform->ivlen = 12;
+        if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+            transform->fixed_ivlen = 12;
+        else
+            transform->fixed_ivlen = 4;
+
+        /* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
+        taglen = transform->ciphersuite_info->flags &
+                  MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+
+
+        /* Minimum length of encrypted record */
+        explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+        transform->minlen = explicit_ivlen + taglen;
+    }
+    else
+    {
+        /* Initialize HMAC contexts */
+        if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
+            ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
+            return( ret );
+        }
+
+        /* Get MAC length */
+        mac_key_len = mbedtls_md_get_size( md_info );
+        transform->maclen = mac_key_len;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+        /*
+         * If HMAC is to be truncated, we shall keep the leftmost bytes,
+         * (rfc 6066 page 13 or rfc 2104 section 4),
+         * so we only need to adjust the length here.
+         */
+        if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
+        {
+            transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+            /* Fall back to old, non-compliant version of the truncated
+             * HMAC implementation which also truncates the key
+             * (Mbed TLS versions from 1.3 to 2.6.0) */
+            mac_key_len = transform->maclen;
+#endif
+        }
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+        /* IV length */
+        transform->ivlen = cipher_info->iv_size;
+
+        /* Minimum length */
+        if( cipher_info->mode == MBEDTLS_MODE_STREAM )
+            transform->minlen = transform->maclen;
+        else
+        {
+            /*
+             * GenericBlockCipher:
+             * 1. if EtM is in use: one block plus MAC
+             *    otherwise: * first multiple of blocklen greater than maclen
+             * 2. IV except for SSL3 and TLS 1.0
+             */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+            if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size;
+            }
+            else
+#endif
+            {
+                transform->minlen = transform->maclen
+                                  + cipher_info->block_size
+                                  - transform->maclen % cipher_info->block_size;
+            }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
+                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
+                ; /* No need to adjust minlen */
+            else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
+                ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
+            {
+                transform->minlen += transform->ivlen;
+            }
+            else
+#endif
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
+                   transform->keylen, transform->minlen, transform->ivlen,
+                   transform->maclen ) );
+
+    /*
+     * Finally setup the cipher contexts, IVs and MAC secrets.
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        key1 = keyblk + mac_key_len * 2;
+        key2 = keyblk + mac_key_len * 2 + transform->keylen;
+
+        mac_enc = keyblk;
+        mac_dec = keyblk + mac_key_len;
+
+        /*
+         * This is not used in TLS v1.1.
+         */
+        iv_copy_len = ( transform->fixed_ivlen ) ?
+                            transform->fixed_ivlen : transform->ivlen;
+        memcpy( transform->iv_enc, key2 + transform->keylen,  iv_copy_len );
+        memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
+                iv_copy_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        key1 = keyblk + mac_key_len * 2 + transform->keylen;
+        key2 = keyblk + mac_key_len * 2;
+
+        mac_enc = keyblk + mac_key_len;
+        mac_dec = keyblk;
+
+        /*
+         * This is not used in TLS v1.1.
+         */
+        iv_copy_len = ( transform->fixed_ivlen ) ?
+                            transform->fixed_ivlen : transform->ivlen;
+        memcpy( transform->iv_dec, key1 + transform->keylen,  iv_copy_len );
+        memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
+                iv_copy_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_SRV_C */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( mac_key_len > sizeof transform->mac_enc )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        memcpy( transform->mac_enc, mac_enc, mac_key_len );
+        memcpy( transform->mac_dec, mac_dec, mac_key_len );
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+    {
+        /* For HMAC-based ciphersuites, initialize the HMAC transforms.
+           For AEAD-based ciphersuites, there is nothing to do here. */
+        if( mac_key_len != 0 )
+        {
+            mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
+            mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
+        }
+    }
+    else
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_init != NULL )
+    {
+        int ret = 0;
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
+
+        if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
+                                        transform->iv_enc, transform->iv_dec,
+                                        iv_copy_len,
+                                        mac_enc, mac_dec,
+                                        mac_key_len ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    if( ssl->conf->f_export_keys != NULL )
+    {
+        ssl->conf->f_export_keys( ssl->conf->p_export_keys,
+                                  session->master, keyblk,
+                                  mac_key_len, transform->keylen,
+                                  iv_copy_len );
+    }
+#endif
+
+    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
+                                 cipher_info ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
+                                 cipher_info ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
+                               cipher_info->key_bitlen,
+                               MBEDTLS_ENCRYPT ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
+                               cipher_info->key_bitlen,
+                               MBEDTLS_DECRYPT ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    if( cipher_info->mode == MBEDTLS_MODE_CBC )
+    {
+        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
+                                             MBEDTLS_PADDING_NONE ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
+            return( ret );
+        }
+
+        if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
+                                             MBEDTLS_PADDING_NONE ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+
+    mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    // Initialize compression
+    //
+    if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ssl->compress_buf == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
+            ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
+            if( ssl->compress_buf == NULL )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
+                                    MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
+                return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+            }
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
+
+        memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
+        memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
+
+        if( deflateInit( &transform->ctx_deflate,
+                         Z_DEFAULT_COMPRESSION )   != Z_OK ||
+            inflateInit( &transform->ctx_inflate ) != Z_OK )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
+            return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
+{
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+    unsigned char pad_1[48];
+    unsigned char pad_2[48];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    memset( pad_1, 0x36, 48 );
+    memset( pad_2, 0x5C, 48 );
+
+    mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+    mbedtls_md5_update_ret( &md5, pad_1, 48 );
+    mbedtls_md5_finish_ret( &md5, hash );
+
+    mbedtls_md5_starts_ret( &md5 );
+    mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+    mbedtls_md5_update_ret( &md5, pad_2, 48 );
+    mbedtls_md5_update_ret( &md5, hash,  16 );
+    mbedtls_md5_finish_ret( &md5, hash );
+
+    mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    mbedtls_sha1_starts_ret( &sha1 );
+    mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
+    mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
+{
+    mbedtls_md5_context md5;
+    mbedtls_sha1_context sha1;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+     mbedtls_md5_finish_ret( &md5,  hash );
+    mbedtls_sha1_finish_ret( &sha1, hash + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    return;
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )
+{
+    mbedtls_sha256_context sha256;
+
+    mbedtls_sha256_init( &sha256 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
+
+    mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
+    mbedtls_sha256_finish_ret( &sha256, hash );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_sha256_free( &sha256 );
+
+    return;
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )
+{
+    mbedtls_sha512_context sha512;
+
+    mbedtls_sha512_init( &sha512 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
+
+    mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
+    mbedtls_sha512_finish_ret( &sha512, hash );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
+
+    mbedtls_sha512_free( &sha512 );
+
+    return;
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
+{
+    unsigned char *p = ssl->handshake->premaster;
+    unsigned char *end = p + sizeof( ssl->handshake->premaster );
+    const unsigned char *psk = ssl->conf->psk;
+    size_t psk_len = ssl->conf->psk_len;
+
+    /* If the psk callback was called, use its result */
+    if( ssl->handshake->psk != NULL )
+    {
+        psk = ssl->handshake->psk;
+        psk_len = ssl->handshake->psk_len;
+    }
+
+    /*
+     * PMS = struct {
+     *     opaque other_secret<0..2^16-1>;
+     *     opaque psk<0..2^16-1>;
+     * };
+     * with "other_secret" depending on the particular key exchange
+     */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
+    {
+        if( end - p < 2 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        *(p++) = (unsigned char)( psk_len >> 8 );
+        *(p++) = (unsigned char)( psk_len      );
+
+        if( end < p || (size_t)( end - p ) < psk_len )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        memset( p, 0, psk_len );
+        p += psk_len;
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        /*
+         * other_secret already set by the ClientKeyExchange message,
+         * and is 48 bytes long
+         */
+        if( end - p < 2 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        *p++ = 0;
+        *p++ = 48;
+        p += 48;
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
+    {
+        int ret;
+        size_t len;
+
+        /* Write length only when we know the actual value */
+        if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
+                                      p + 2, end - ( p + 2 ), &len,
+                                      ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
+            return( ret );
+        }
+        *(p++) = (unsigned char)( len >> 8 );
+        *(p++) = (unsigned char)( len );
+        p += len;
+
+        MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K  );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
+    {
+        int ret;
+        size_t zlen;
+
+        if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
+                                       p + 2, end - ( p + 2 ),
+                                       ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+            return( ret );
+        }
+
+        *(p++) = (unsigned char)( zlen >> 8 );
+        *(p++) = (unsigned char)( zlen      );
+        p += zlen;
+
+        MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
+                                MBEDTLS_DEBUG_ECDH_Z );
+    }
+    else
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* opaque psk<0..2^16-1>; */
+    if( end - p < 2 )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    *(p++) = (unsigned char)( psk_len >> 8 );
+    *(p++) = (unsigned char)( psk_len      );
+
+    if( end < p || (size_t)( end - p ) < psk_len )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    memcpy( p, psk, psk_len );
+    p += psk_len;
+
+    ssl->handshake->pmslen = p - ssl->handshake->premaster;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+/*
+ * SSLv3.0 MAC functions
+ */
+#define SSL_MAC_MAX_BYTES   20  /* MD-5 or SHA-1 */
+static void ssl_mac( mbedtls_md_context_t *md_ctx,
+                     const unsigned char *secret,
+                     const unsigned char *buf, size_t len,
+                     const unsigned char *ctr, int type,
+                     unsigned char out[SSL_MAC_MAX_BYTES] )
+{
+    unsigned char header[11];
+    unsigned char padding[48];
+    int padlen;
+    int md_size = mbedtls_md_get_size( md_ctx->md_info );
+    int md_type = mbedtls_md_get_type( md_ctx->md_info );
+
+    /* Only MD5 and SHA-1 supported */
+    if( md_type == MBEDTLS_MD_MD5 )
+        padlen = 48;
+    else
+        padlen = 40;
+
+    memcpy( header, ctr, 8 );
+    header[ 8] = (unsigned char)  type;
+    header[ 9] = (unsigned char)( len >> 8 );
+    header[10] = (unsigned char)( len      );
+
+    memset( padding, 0x36, padlen );
+    mbedtls_md_starts( md_ctx );
+    mbedtls_md_update( md_ctx, secret,  md_size );
+    mbedtls_md_update( md_ctx, padding, padlen  );
+    mbedtls_md_update( md_ctx, header,  11      );
+    mbedtls_md_update( md_ctx, buf,     len     );
+    mbedtls_md_finish( md_ctx, out              );
+
+    memset( padding, 0x5C, padlen );
+    mbedtls_md_starts( md_ctx );
+    mbedtls_md_update( md_ctx, secret,    md_size );
+    mbedtls_md_update( md_ctx, padding,   padlen  );
+    mbedtls_md_update( md_ctx, out,       md_size );
+    mbedtls_md_finish( md_ctx, out                );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) ||     \
+    ( defined(MBEDTLS_CIPHER_MODE_CBC) &&                                  \
+      ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C)) )
+#define SSL_SOME_MODES_USE_MAC
+#endif
+
+/* The function below is only used in the Lucky 13 counter-measure in
+ * ssl_decrypt_buf(). These are the defines that guard the call site. */
+#if defined(SSL_SOME_MODES_USE_MAC) && \
+    ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
+      defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+      defined(MBEDTLS_SSL_PROTO_TLS1_2) )
+/* This function makes sure every byte in the memory region is accessed
+ * (in ascending addresses order) */
+static void ssl_read_memory( unsigned char *p, size_t len )
+{
+    unsigned char acc = 0;
+    volatile unsigned char force;
+
+    for( ; len != 0; p++, len-- )
+        acc ^= *p;
+
+    force = acc;
+    (void) force;
+}
+#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
+
+/*
+ * Encryption/decryption functions
+ */
+static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
+{
+    mbedtls_cipher_mode_t mode;
+    int auth_done = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
+
+    if( ssl->session_out == NULL || ssl->transform_out == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
+                      ssl->out_msg, ssl->out_msglen );
+
+    /*
+     * Add MAC before if needed
+     */
+#if defined(SSL_SOME_MODES_USE_MAC)
+    if( mode == MBEDTLS_MODE_STREAM ||
+        ( mode == MBEDTLS_MODE_CBC
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+          && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
+#endif
+        ) )
+    {
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            unsigned char mac[SSL_MAC_MAX_BYTES];
+
+            ssl_mac( &ssl->transform_out->md_ctx_enc,
+                      ssl->transform_out->mac_enc,
+                      ssl->out_msg, ssl->out_msglen,
+                      ssl->out_ctr, ssl->out_msgtype,
+                      mac );
+
+            memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
+        }
+        else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+        {
+            unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_msg, ssl->out_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
+            mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+            memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
+        }
+        else
+#endif
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
+                       ssl->out_msg + ssl->out_msglen,
+                       ssl->transform_out->maclen );
+
+        ssl->out_msglen += ssl->transform_out->maclen;
+        auth_done++;
+    }
+#endif /* AEAD not the only option */
+
+    /*
+     * Encrypt
+     */
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if( mode == MBEDTLS_MODE_STREAM )
+    {
+        int ret;
+        size_t olen = 0;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                            "including %d bytes of padding",
+                       ssl->out_msglen, 0 ) );
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
+                                   ssl->transform_out->iv_enc,
+                                   ssl->transform_out->ivlen,
+                                   ssl->out_msg, ssl->out_msglen,
+                                   ssl->out_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( ssl->out_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
+    if( mode == MBEDTLS_MODE_GCM ||
+        mode == MBEDTLS_MODE_CCM ||
+        mode == MBEDTLS_MODE_CHACHAPOLY )
+    {
+        int ret;
+        size_t enc_msglen, olen;
+        unsigned char *enc_msg;
+        unsigned char add_data[13];
+        unsigned char iv[12];
+        mbedtls_ssl_transform *transform = ssl->transform_out;
+        unsigned char taglen = transform->ciphersuite_info->flags &
+                               MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+        size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
+
+        /*
+         * Prepare additional authenticated data
+         */
+        memcpy( add_data, ssl->out_ctr, 8 );
+        add_data[8]  = ssl->out_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, add_data + 9 );
+        add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
+        add_data[12] = ssl->out_msglen & 0xFF;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
+
+        /*
+         * Generate IV
+         */
+        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+        {
+            /* GCM and CCM: fixed || explicit (=seqnum) */
+            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+            memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
+            memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+
+        }
+        else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+        {
+            /* ChachaPoly: fixed XOR sequence number */
+            unsigned char i;
+
+            memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+
+            for( i = 0; i < 8; i++ )
+                iv[i+4] ^= ssl->out_ctr[i];
+        }
+        else
+        {
+            /* Reminder if we ever add an AEAD mode with a different size */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
+                                  iv, transform->ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
+                                  ssl->out_iv, explicit_ivlen );
+
+        /*
+         * Fix message length with added IV
+         */
+        enc_msg = ssl->out_msg;
+        enc_msglen = ssl->out_msglen;
+        ssl->out_msglen += explicit_ivlen;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                                    "including 0 bytes of padding",
+                                    ssl->out_msglen ) );
+
+        /*
+         * Encrypt and authenticate
+         */
+        if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
+                                         iv, transform->ivlen,
+                                         add_data, 13,
+                                         enc_msg, enc_msglen,
+                                         enc_msg, &olen,
+                                         enc_msg + enc_msglen, taglen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
+            return( ret );
+        }
+
+        if( olen != enc_msglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->out_msglen += taglen;
+        auth_done++;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
+    }
+    else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
+    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+    if( mode == MBEDTLS_MODE_CBC )
+    {
+        int ret;
+        unsigned char *enc_msg;
+        size_t enc_msglen, padlen, olen = 0, i;
+
+        padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
+                 ssl->transform_out->ivlen;
+        if( padlen == ssl->transform_out->ivlen )
+            padlen = 0;
+
+        for( i = 0; i <= padlen; i++ )
+            ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
+
+        ssl->out_msglen += padlen + 1;
+
+        enc_msglen = ssl->out_msglen;
+        enc_msg = ssl->out_msg;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * Prepend per-record IV for block cipher in TLS v1.1 and up as per
+         * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Generate IV
+             */
+            ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
+                                  ssl->transform_out->ivlen );
+            if( ret != 0 )
+                return( ret );
+
+            memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
+                    ssl->transform_out->ivlen );
+
+            /*
+             * Fix pointer positions and message length with added IV
+             */
+            enc_msg = ssl->out_msg;
+            enc_msglen = ssl->out_msglen;
+            ssl->out_msglen += ssl->transform_out->ivlen;
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+                            "including %d bytes of IV and %d bytes of padding",
+                            ssl->out_msglen, ssl->transform_out->ivlen,
+                            padlen + 1 ) );
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
+                                   ssl->transform_out->iv_enc,
+                                   ssl->transform_out->ivlen,
+                                   enc_msg, enc_msglen,
+                                   enc_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( enc_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Save IV in SSL3 and TLS1
+             */
+            memcpy( ssl->transform_out->iv_enc,
+                    ssl->transform_out->cipher_ctx_enc.iv,
+                    ssl->transform_out->ivlen );
+        }
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        if( auth_done == 0 )
+        {
+            unsigned char mac[MBEDTLS_SSL_MAC_ADD];
+
+            /*
+             * MAC(MAC_write_key, seq_num +
+             *     TLSCipherText.type +
+             *     TLSCipherText.version +
+             *     length_of( (IV +) ENC(...) ) +
+             *     IV + // except for TLS 1.0
+             *     ENC(content + padding + padding_length));
+             */
+            unsigned char pseudo_hdr[13];
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            memcpy( pseudo_hdr +  0, ssl->out_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->out_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen      ) & 0xFF );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
+            mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
+                             ssl->out_iv, ssl->out_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
+            mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
+
+            memcpy( ssl->out_iv + ssl->out_msglen, mac,
+                    ssl->transform_out->maclen );
+
+            ssl->out_msglen += ssl->transform_out->maclen;
+            auth_done++;
+        }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+    }
+    else
+#endif /* MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
+
+    return( 0 );
+}
+
+static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
+{
+    mbedtls_cipher_mode_t mode;
+    int auth_done = 0;
+#if defined(SSL_SOME_MODES_USE_MAC)
+    size_t padlen = 0, correct = 1;
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
+
+    if( ssl->session_in == NULL || ssl->transform_in == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
+
+    if( ssl->in_msglen < ssl->transform_in->minlen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
+                       ssl->in_msglen, ssl->transform_in->minlen ) );
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
+    }
+
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    if( mode == MBEDTLS_MODE_STREAM )
+    {
+        int ret;
+        size_t olen = 0;
+
+        padlen = 0;
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
+                                   ssl->transform_in->iv_dec,
+                                   ssl->transform_in->ivlen,
+                                   ssl->in_msg, ssl->in_msglen,
+                                   ssl->in_msg, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( ssl->in_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_GCM_C) || \
+    defined(MBEDTLS_CCM_C) || \
+    defined(MBEDTLS_CHACHAPOLY_C)
+    if( mode == MBEDTLS_MODE_GCM ||
+        mode == MBEDTLS_MODE_CCM ||
+        mode == MBEDTLS_MODE_CHACHAPOLY )
+    {
+        int ret;
+        size_t dec_msglen, olen;
+        unsigned char *dec_msg;
+        unsigned char *dec_msg_result;
+        unsigned char add_data[13];
+        unsigned char iv[12];
+        mbedtls_ssl_transform *transform = ssl->transform_in;
+        unsigned char taglen = transform->ciphersuite_info->flags &
+                               MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
+        size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
+
+        /*
+         * Compute and update sizes
+         */
+        if( ssl->in_msglen < explicit_iv_len + taglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
+                                "+ taglen (%d)", ssl->in_msglen,
+                                explicit_iv_len, taglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+        dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
+
+        dec_msg = ssl->in_msg;
+        dec_msg_result = ssl->in_msg;
+        ssl->in_msglen = dec_msglen;
+
+        /*
+         * Prepare additional authenticated data
+         */
+        memcpy( add_data, ssl->in_ctr, 8 );
+        add_data[8]  = ssl->in_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, add_data + 9 );
+        add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
+        add_data[12] = ssl->in_msglen & 0xFF;
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
+
+        /*
+         * Prepare IV
+         */
+        if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
+        {
+            /* GCM and CCM: fixed || explicit (transmitted) */
+            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
+            memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
+
+        }
+        else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
+        {
+            /* ChachaPoly: fixed XOR sequence number */
+            unsigned char i;
+
+            memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
+
+            for( i = 0; i < 8; i++ )
+                iv[i+4] ^= ssl->in_ctr[i];
+        }
+        else
+        {
+            /* Reminder if we ever add an AEAD mode with a different size */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
+
+        /*
+         * Decrypt and authenticate
+         */
+        if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
+                                         iv, transform->ivlen,
+                                         add_data, 13,
+                                         dec_msg, dec_msglen,
+                                         dec_msg_result, &olen,
+                                         dec_msg + dec_msglen, taglen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
+
+            if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
+                return( MBEDTLS_ERR_SSL_INVALID_MAC );
+
+            return( ret );
+        }
+        auth_done++;
+
+        if( olen != dec_msglen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+    else
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) &&                                    \
+    ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+    if( mode == MBEDTLS_MODE_CBC )
+    {
+        /*
+         * Decrypt and check the padding
+         */
+        int ret;
+        unsigned char *dec_msg;
+        unsigned char *dec_msg_result;
+        size_t dec_msglen;
+        size_t minlen = 0;
+        size_t olen = 0;
+
+        /*
+         * Check immediate ciphertext sanity
+         */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+            minlen += ssl->transform_in->ivlen;
+#endif
+
+        if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
+            ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
+                                "+ 1 ) ( + expl IV )", ssl->in_msglen,
+                                ssl->transform_in->ivlen,
+                                ssl->transform_in->maclen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+
+        dec_msglen = ssl->in_msglen;
+        dec_msg = ssl->in_msg;
+        dec_msg_result = ssl->in_msg;
+
+        /*
+         * Authenticate before decrypt if enabled
+         */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
+        {
+            unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+            unsigned char pseudo_hdr[13];
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
+
+            dec_msglen -= ssl->transform_in->maclen;
+            ssl->in_msglen -= ssl->transform_in->maclen;
+
+            memcpy( pseudo_hdr +  0, ssl->in_ctr, 8 );
+            memcpy( pseudo_hdr +  8, ssl->in_hdr, 3 );
+            pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
+            pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen      ) & 0xFF );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
+
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
+                             ssl->in_iv, ssl->in_msglen );
+            mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
+            mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_iv + ssl->in_msglen,
+                                              ssl->transform_in->maclen );
+            MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
+                                              ssl->transform_in->maclen );
+
+            if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
+                                          ssl->transform_in->maclen ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
+
+                return( MBEDTLS_ERR_SSL_INVALID_MAC );
+            }
+            auth_done++;
+        }
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+
+        /*
+         * Check length sanity
+         */
+        if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
+                           ssl->in_msglen, ssl->transform_in->ivlen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * Initialize for prepended IV for block cipher in TLS v1.1 and up
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            unsigned char i;
+            dec_msglen -= ssl->transform_in->ivlen;
+            ssl->in_msglen -= ssl->transform_in->ivlen;
+
+            for( i = 0; i < ssl->transform_in->ivlen; i++ )
+                ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
+                                   ssl->transform_in->iv_dec,
+                                   ssl->transform_in->ivlen,
+                                   dec_msg, dec_msglen,
+                                   dec_msg_result, &olen ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
+            return( ret );
+        }
+
+        if( dec_msglen != olen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
+        if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+        {
+            /*
+             * Save IV in SSL3 and TLS1
+             */
+            memcpy( ssl->transform_in->iv_dec,
+                    ssl->transform_in->cipher_ctx_dec.iv,
+                    ssl->transform_in->ivlen );
+        }
+#endif
+
+        padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
+
+        if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
+            auth_done == 0 )
+        {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+                        ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
+#endif
+            padlen = 0;
+            correct = 0;
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            if( padlen > ssl->transform_in->ivlen )
+            {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
+                                    "should be no more than %d",
+                               padlen, ssl->transform_in->ivlen ) );
+#endif
+                correct = 0;
+            }
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            /*
+             * TLSv1+: always check the padding up to the first failure
+             * and fake check up to 256 bytes of padding
+             */
+            size_t pad_count = 0, real_count = 1;
+            size_t padding_idx = ssl->in_msglen - padlen;
+            size_t i;
+
+            /*
+             * Padding is guaranteed to be incorrect if:
+             *   1. padlen > ssl->in_msglen
+             *
+             *   2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
+             *                     ssl->transform_in->maclen
+             *
+             * In both cases we reset padding_idx to a safe value (0) to
+             * prevent out-of-buffer reads.
+             */
+            correct &= ( padlen <= ssl->in_msglen );
+            correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
+                                       ssl->transform_in->maclen );
+
+            padding_idx *= correct;
+
+            for( i = 0; i < 256; i++ )
+            {
+                real_count &= ( i < padlen );
+                pad_count += real_count *
+                             ( ssl->in_msg[padding_idx + i] == padlen - 1 );
+            }
+
+            correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            if( padlen > 0 && correct == 0 )
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
+#endif
+            padlen &= correct * 0x1FF;
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->in_msglen -= padlen;
+    }
+    else
+#endif /* MBEDTLS_CIPHER_MODE_CBC &&
+          ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
+                   ssl->in_msg, ssl->in_msglen );
+#endif
+
+    /*
+     * Authenticate if not done yet.
+     * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
+     */
+#if defined(SSL_SOME_MODES_USE_MAC)
+    if( auth_done == 0 )
+    {
+        unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+
+        ssl->in_msglen -= ssl->transform_in->maclen;
+
+        ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
+        ssl->in_len[1] = (unsigned char)( ssl->in_msglen      );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            ssl_mac( &ssl->transform_in->md_ctx_dec,
+                      ssl->transform_in->mac_dec,
+                      ssl->in_msg, ssl->in_msglen,
+                      ssl->in_ctr, ssl->in_msgtype,
+                      mac_expect );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+        defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            /*
+             * Process MAC and always update for padlen afterwards to make
+             * total time independent of padlen.
+             *
+             * Known timing attacks:
+             *  - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
+             *
+             * To compensate for different timings for the MAC calculation
+             * depending on how much padding was removed (which is determined
+             * by padlen), process extra_run more blocks through the hash
+             * function.
+             *
+             * The formula in the paper is
+             *   extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
+             * where L1 is the size of the header plus the decrypted message
+             * plus CBC padding and L2 is the size of the header plus the
+             * decrypted message. This is for an underlying hash function
+             * with 64-byte blocks.
+             * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
+             * correctly. We round down instead of up, so -56 is the correct
+             * value for our calculations instead of -55.
+             *
+             * Repeat the formula rather than defining a block_size variable.
+             * This avoids requiring division by a variable at runtime
+             * (which would be marginally less efficient and would require
+             * linking an extra division function in some builds).
+             */
+            size_t j, extra_run = 0;
+
+            /*
+             * The next two sizes are the minimum and maximum values of
+             * in_msglen over all padlen values.
+             *
+             * They're independent of padlen, since we previously did
+             * in_msglen -= padlen.
+             *
+             * Note that max_len + maclen is never more than the buffer
+             * length, as we previously did in_msglen -= maclen too.
+             */
+            const size_t max_len = ssl->in_msglen + padlen;
+            const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
+
+            switch( ssl->transform_in->ciphersuite_info->mac )
+            {
+#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
+    defined(MBEDTLS_SHA256_C)
+                case MBEDTLS_MD_MD5:
+                case MBEDTLS_MD_SHA1:
+                case MBEDTLS_MD_SHA256:
+                    /* 8 bytes of message size, 64-byte compression blocks */
+                    extra_run = ( 13 + ssl->in_msglen + padlen + 8 ) / 64 -
+                                ( 13 + ssl->in_msglen          + 8 ) / 64;
+                    break;
+#endif
+#if defined(MBEDTLS_SHA512_C)
+                case MBEDTLS_MD_SHA384:
+                    /* 16 bytes of message size, 128-byte compression blocks */
+                    extra_run = ( 13 + ssl->in_msglen + padlen + 16 ) / 128 -
+                                ( 13 + ssl->in_msglen          + 16 ) / 128;
+                    break;
+#endif
+                default:
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            extra_run &= correct * 0xFF;
+
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_ctr, 8 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_hdr, 3 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 );
+            mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg,
+                             ssl->in_msglen );
+            /* Make sure we access everything even when padlen > 0. This
+             * makes the synchronisation requirements for just-in-time
+             * Prime+Probe attacks much tighter and hopefully impractical. */
+            ssl_read_memory( ssl->in_msg + ssl->in_msglen, padlen );
+            mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
+
+            /* Call mbedtls_md_process at least once due to cache attacks
+             * that observe whether md_process() was called of not */
+            for( j = 0; j < extra_run + 1; j++ )
+                mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg );
+
+            mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
+
+            /* Make sure we access all the memory that could contain the MAC,
+             * before we check it in the next code block. This makes the
+             * synchronisation requirements for just-in-time Prime+Probe
+             * attacks much tighter and hopefully impractical. */
+            ssl_read_memory( ssl->in_msg + min_len,
+                                 max_len - min_len + ssl->transform_in->maclen );
+        }
+        else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+              MBEDTLS_SSL_PROTO_TLS1_2 */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+        MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
+        MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", ssl->in_msg + ssl->in_msglen,
+                               ssl->transform_in->maclen );
+#endif
+
+        if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect,
+                                      ssl->transform_in->maclen ) != 0 )
+        {
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
+#endif
+            correct = 0;
+        }
+        auth_done++;
+    }
+
+    /*
+     * Finally check the correct flag
+     */
+    if( correct == 0 )
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
+#endif /* SSL_SOME_MODES_USE_MAC */
+
+    /* Make extra sure authentication was performed, exactly once */
+    if( auth_done != 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    if( ssl->in_msglen == 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
+            && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        ssl->nb_zero++;
+
+        /*
+         * Three or more empty messages may be a DoS attack
+         * (excessive CPU consumption).
+         */
+        if( ssl->nb_zero > 3 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
+                                "messages, possible DoS attack" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_MAC );
+        }
+    }
+    else
+        ssl->nb_zero = 0;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ; /* in_ctr read from peer, not maintained internally */
+    }
+    else
+#endif
+    {
+        unsigned char i;
+        for( i = 8; i > ssl_ep_len( ssl ); i-- )
+            if( ++ssl->in_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == ssl_ep_len( ssl ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
+
+    return( 0 );
+}
+
+#undef MAC_NONE
+#undef MAC_PLAINTEXT
+#undef MAC_CIPHERTEXT
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+/*
+ * Compression/decompression functions
+ */
+static int ssl_compress_buf( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *msg_post = ssl->out_msg;
+    ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
+    size_t len_pre = ssl->out_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
+
+    if( len_pre == 0 )
+        return( 0 );
+
+    memcpy( msg_pre, ssl->out_msg, len_pre );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
+                   ssl->out_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
+                   ssl->out_msg, ssl->out_msglen );
+
+    ssl->transform_out->ctx_deflate.next_in = msg_pre;
+    ssl->transform_out->ctx_deflate.avail_in = len_pre;
+    ssl->transform_out->ctx_deflate.next_out = msg_post;
+    ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
+
+    ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
+    if( ret != Z_OK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
+        return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+    }
+
+    ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
+                      ssl->transform_out->ctx_deflate.avail_out - bytes_written;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
+                   ssl->out_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
+                   ssl->out_msg, ssl->out_msglen );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
+
+    return( 0 );
+}
+
+static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *msg_post = ssl->in_msg;
+    ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
+    size_t len_pre = ssl->in_msglen;
+    unsigned char *msg_pre = ssl->compress_buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
+
+    if( len_pre == 0 )
+        return( 0 );
+
+    memcpy( msg_pre, ssl->in_msg, len_pre );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
+                   ssl->in_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
+                   ssl->in_msg, ssl->in_msglen );
+
+    ssl->transform_in->ctx_inflate.next_in = msg_pre;
+    ssl->transform_in->ctx_inflate.avail_in = len_pre;
+    ssl->transform_in->ctx_inflate.next_out = msg_post;
+    ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
+                                               header_bytes;
+
+    ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
+    if( ret != Z_OK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
+        return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
+    }
+
+    ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
+                     ssl->transform_in->ctx_inflate.avail_out - header_bytes;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
+                   ssl->in_msglen ) );
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
+                   ssl->in_msg, ssl->in_msglen );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
+{
+    /* If renegotiation is not enforced, retransmit until we would reach max
+     * timeout if we were using the usual handshake doubling scheme */
+    if( ssl->conf->renego_max_records < 0 )
+    {
+        uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
+        unsigned char doublings = 1;
+
+        while( ratio != 0 )
+        {
+            ++doublings;
+            ratio >>= 1;
+        }
+
+        if( ++ssl->renego_records_seen > doublings )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
+            return( 0 );
+        }
+    }
+
+    return( ssl_write_hello_request( ssl ) );
+}
+#endif
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Fill the input message buffer by appending data to it.
+ * The amount of data already fetched is in ssl->in_left.
+ *
+ * If we return 0, is it guaranteed that (at least) nb_want bytes are
+ * available (from this read and/or a previous one). Otherwise, an error code
+ * is returned (possibly EOF or WANT_READ).
+ *
+ * With stream transport (TLS) on success ssl->in_left == nb_want, but
+ * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
+ * since we always read a whole datagram at once.
+ *
+ * For DTLS, it is up to the caller to set ssl->next_record_offset when
+ * they're done reading a record.
+ */
+int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
+{
+    int ret;
+    size_t len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
+
+    if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
+                            "or mbedtls_ssl_set_bio()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        uint32_t timeout;
+
+        /* Just to be sure */
+        if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
+                        "mbedtls_ssl_set_timer_cb() for DTLS" ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+
+        /*
+         * The point is, we need to always read a full datagram at once, so we
+         * sometimes read more then requested, and handle the additional data.
+         * It could be the rest of the current record (while fetching the
+         * header) and/or some other records in the same datagram.
+         */
+
+        /*
+         * Move to the next record in the already read datagram if applicable
+         */
+        if( ssl->next_record_offset != 0 )
+        {
+            if( ssl->in_left < ssl->next_record_offset )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            ssl->in_left -= ssl->next_record_offset;
+
+            if( ssl->in_left != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
+                                    ssl->next_record_offset ) );
+                memmove( ssl->in_hdr,
+                         ssl->in_hdr + ssl->next_record_offset,
+                         ssl->in_left );
+            }
+
+            ssl->next_record_offset = 0;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                       ssl->in_left, nb_want ) );
+
+        /*
+         * Done if we already have enough data.
+         */
+        if( nb_want <= ssl->in_left)
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
+            return( 0 );
+        }
+
+        /*
+         * A record can't be split across datagrams. If we need to read but
+         * are not at the beginning of a new record, the caller did something
+         * wrong.
+         */
+        if( ssl->in_left != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Don't even try to read if time's out already.
+         * This avoids by-passing the timer when repeatedly receiving messages
+         * that will end up being dropped.
+         */
+        if( ssl_check_timer( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
+            ret = MBEDTLS_ERR_SSL_TIMEOUT;
+        }
+        else
+        {
+            len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
+
+            if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+                timeout = ssl->handshake->retransmit_timeout;
+            else
+                timeout = ssl->conf->read_timeout;
+
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
+
+            if( ssl->f_recv_timeout != NULL )
+                ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
+                                                                    timeout );
+            else
+                ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
+
+            MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
+
+            if( ret == 0 )
+                return( MBEDTLS_ERR_SSL_CONN_EOF );
+        }
+
+        if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
+            ssl_set_timer( ssl, 0 );
+
+            if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            {
+                if( ssl_double_retransmit_timeout( ssl ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
+                    return( MBEDTLS_ERR_SSL_TIMEOUT );
+                }
+
+                if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
+                    return( ret );
+                }
+
+                return( MBEDTLS_ERR_SSL_WANT_READ );
+            }
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+            else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                     ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+            {
+                if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                    return( ret );
+                }
+
+                return( MBEDTLS_ERR_SSL_WANT_READ );
+            }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+        }
+
+        if( ret < 0 )
+            return( ret );
+
+        ssl->in_left = ret;
+    }
+    else
+#endif
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                       ssl->in_left, nb_want ) );
+
+        while( ssl->in_left < nb_want )
+        {
+            len = nb_want - ssl->in_left;
+
+            if( ssl_check_timer( ssl ) != 0 )
+                ret = MBEDTLS_ERR_SSL_TIMEOUT;
+            else
+            {
+                if( ssl->f_recv_timeout != NULL )
+                {
+                    ret = ssl->f_recv_timeout( ssl->p_bio,
+                                               ssl->in_hdr + ssl->in_left, len,
+                                               ssl->conf->read_timeout );
+                }
+                else
+                {
+                    ret = ssl->f_recv( ssl->p_bio,
+                                       ssl->in_hdr + ssl->in_left, len );
+                }
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+                                        ssl->in_left, nb_want ) );
+            MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
+
+            if( ret == 0 )
+                return( MBEDTLS_ERR_SSL_CONN_EOF );
+
+            if( ret < 0 )
+                return( ret );
+
+            if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1,
+                    ( "f_recv returned %d bytes but only %lu were requested",
+                    ret, (unsigned long)len ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            ssl->in_left += ret;
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
+
+    return( 0 );
+}
+
+/*
+ * Flush any data not yet written
+ */
+int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned char *buf;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
+
+    if( ssl->f_send == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
+                            "or mbedtls_ssl_set_bio()" ) );
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /* Avoid incrementing counter if data is flushed */
+    if( ssl->out_left == 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
+        return( 0 );
+    }
+
+    while( ssl->out_left > 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
+                       mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
+
+        buf = ssl->out_hdr - ssl->out_left;
+        ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
+
+        MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
+
+        if( ret <= 0 )
+            return( ret );
+
+        if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1,
+                ( "f_send returned %d bytes but only %lu bytes were sent",
+                ret, (unsigned long)ssl->out_left ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        ssl->out_left -= ret;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_hdr = ssl->out_buf;
+    }
+    else
+#endif
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
+    }
+    ssl_update_out_pointers( ssl, ssl->transform_out );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
+
+    return( 0 );
+}
+
+/*
+ * Functions to handle the DTLS retransmission state machine
+ */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+/*
+ * Append current handshake message to current outgoing flight
+ */
+static int ssl_flight_append( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_flight_item *msg;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
+    MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
+                           ssl->out_msg, ssl->out_msglen );
+
+    /* Allocate space for current message */
+    if( ( msg = mbedtls_calloc( 1, sizeof(  mbedtls_ssl_flight_item ) ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
+                            sizeof( mbedtls_ssl_flight_item ) ) );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
+        mbedtls_free( msg );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    /* Copy current handshake message with headers */
+    memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
+    msg->len = ssl->out_msglen;
+    msg->type = ssl->out_msgtype;
+    msg->next = NULL;
+
+    /* Append to the current flight */
+    if( ssl->handshake->flight == NULL )
+        ssl->handshake->flight = msg;
+    else
+    {
+        mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = msg;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
+    return( 0 );
+}
+
+/*
+ * Free the current flight of handshake messages
+ */
+static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
+{
+    mbedtls_ssl_flight_item *cur = flight;
+    mbedtls_ssl_flight_item *next;
+
+    while( cur != NULL )
+    {
+        next = cur->next;
+
+        mbedtls_free( cur->p );
+        mbedtls_free( cur );
+
+        cur = next;
+    }
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
+#endif
+
+/*
+ * Swap transform_out and out_ctr with the alternative ones
+ */
+static void ssl_swap_epochs( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_transform *tmp_transform;
+    unsigned char tmp_out_ctr[8];
+
+    if( ssl->transform_out == ssl->handshake->alt_transform_out )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
+        return;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
+
+    /* Swap transforms */
+    tmp_transform                     = ssl->transform_out;
+    ssl->transform_out                = ssl->handshake->alt_transform_out;
+    ssl->handshake->alt_transform_out = tmp_transform;
+
+    /* Swap epoch + sequence_number */
+    memcpy( tmp_out_ctr,                 ssl->cur_out_ctr,            8 );
+    memcpy( ssl->cur_out_ctr,            ssl->handshake->alt_out_ctr, 8 );
+    memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,                 8 );
+
+    /* Adjust to the newly activated transform */
+    ssl_update_out_pointers( ssl, ssl->transform_out );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+}
+
+/*
+ * Retransmit the current flight of messages.
+ */
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
+
+    ret = mbedtls_ssl_flight_transmit( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
+
+    return( ret );
+}
+
+/*
+ * Transmit or retransmit the current flight of messages.
+ *
+ * Need to remember the current message in case flush_output returns
+ * WANT_WRITE, causing us to exit this function and come back later.
+ * This function must be called until state is no longer SENDING.
+ */
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
+
+    if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
+
+        ssl->handshake->cur_msg = ssl->handshake->flight;
+        ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
+        ssl_swap_epochs( ssl );
+
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
+    }
+
+    while( ssl->handshake->cur_msg != NULL )
+    {
+        size_t max_frag_len;
+        const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
+
+        int const is_finished =
+            ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
+              cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
+
+        uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
+            SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
+
+        /* Swap epochs before sending Finished: we can't do it after
+         * sending ChangeCipherSpec, in case write returns WANT_READ.
+         * Must be done before copying, may change out_msg pointer */
+        if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
+            ssl_swap_epochs( ssl );
+        }
+
+        ret = ssl_get_remaining_payload_in_datagram( ssl );
+        if( ret < 0 )
+            return( ret );
+        max_frag_len = (size_t) ret;
+
+        /* CCS is copied as is, while HS messages may need fragmentation */
+        if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+        {
+            if( max_frag_len == 0 )
+            {
+                if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+                    return( ret );
+
+                continue;
+            }
+
+            memcpy( ssl->out_msg, cur->p, cur->len );
+            ssl->out_msglen  = cur->len;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur->len;
+        }
+        else
+        {
+            const unsigned char * const p = ssl->handshake->cur_msg_p;
+            const size_t hs_len = cur->len - 12;
+            const size_t frag_off = p - ( cur->p + 12 );
+            const size_t rem_len = hs_len - frag_off;
+            size_t cur_hs_frag_len, max_hs_frag_len;
+
+            if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
+            {
+                if( is_finished )
+                    ssl_swap_epochs( ssl );
+
+                if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+                    return( ret );
+
+                continue;
+            }
+            max_hs_frag_len = max_frag_len - 12;
+
+            cur_hs_frag_len = rem_len > max_hs_frag_len ?
+                max_hs_frag_len : rem_len;
+
+            if( frag_off == 0 && cur_hs_frag_len != hs_len )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
+                                            (unsigned) cur_hs_frag_len,
+                                            (unsigned) max_hs_frag_len ) );
+            }
+
+            /* Messages are stored with handshake headers as if not fragmented,
+             * copy beginning of headers then fill fragmentation fields.
+             * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
+            memcpy( ssl->out_msg, cur->p, 6 );
+
+            ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
+            ssl->out_msg[7] = ( ( frag_off >>  8 ) & 0xff );
+            ssl->out_msg[8] = ( ( frag_off       ) & 0xff );
+
+            ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
+            ssl->out_msg[10] = ( ( cur_hs_frag_len >>  8 ) & 0xff );
+            ssl->out_msg[11] = ( ( cur_hs_frag_len       ) & 0xff );
+
+            MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
+
+            /* Copy the handshake message content and set records fields */
+            memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
+            ssl->out_msglen = cur_hs_frag_len + 12;
+            ssl->out_msgtype = cur->type;
+
+            /* Update position inside current message */
+            ssl->handshake->cur_msg_p += cur_hs_frag_len;
+        }
+
+        /* If done with the current message move to the next one if any */
+        if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
+        {
+            if( cur->next != NULL )
+            {
+                ssl->handshake->cur_msg = cur->next;
+                ssl->handshake->cur_msg_p = cur->next->p + 12;
+            }
+            else
+            {
+                ssl->handshake->cur_msg = NULL;
+                ssl->handshake->cur_msg_p = NULL;
+            }
+        }
+
+        /* Actually send the message out */
+        if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        return( ret );
+
+    /* Update state and set timer */
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    else
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+        ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
+
+    return( 0 );
+}
+
+/*
+ * To be called when the last message of an incoming flight is received.
+ */
+void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
+{
+    /* We won't need to resend that one any more */
+    ssl_flight_free( ssl->handshake->flight );
+    ssl->handshake->flight = NULL;
+    ssl->handshake->cur_msg = NULL;
+
+    /* The next incoming flight will start with this msg_seq */
+    ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
+
+    /* We don't want to remember CCS's across flight boundaries. */
+    ssl->handshake->buffering.seen_ccs = 0;
+
+    /* Clear future message buffering structure. */
+    ssl_buffering_free( ssl );
+
+    /* Cancel timer */
+    ssl_set_timer( ssl, 0 );
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    }
+    else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+}
+
+/*
+ * To be called when the last message of an outgoing flight is send.
+ */
+void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
+{
+    ssl_reset_retransmit_timeout( ssl );
+    ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
+    {
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
+    }
+    else
+        ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+/*
+ * Handshake layer functions
+ */
+
+/*
+ * Write (DTLS: or queue) current handshake (including CCS) message.
+ *
+ *  - fill in handshake headers
+ *  - update handshake checksum
+ *  - DTLS: save message for resending
+ *  - then pass to the record layer
+ *
+ * DTLS: except for HelloRequest, messages are only queued, and will only be
+ * actually sent when calling flight_transmit() or resend().
+ *
+ * Inputs:
+ *  - ssl->out_msglen: 4 + actual handshake message len
+ *      (4 is the size of handshake headers for TLS)
+ *  - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
+ *  - ssl->out_msg + 4: the handshake message body
+ *
+ * Outputs, ie state before passing to flight_append() or write_record():
+ *   - ssl->out_msglen: the length of the record contents
+ *      (including handshake headers but excluding record headers)
+ *   - ssl->out_msg: the record contents (handshake headers + content)
+ */
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const size_t hs_len = ssl->out_msglen - 4;
+    const unsigned char hs_type = ssl->out_msg[0];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
+
+    /*
+     * Sanity checks
+     */
+    if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE          &&
+        ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        /* In SSLv3, the client might send a NoCertificate alert. */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+        if( ! ( ssl->minor_ver      == MBEDTLS_SSL_MINOR_VERSION_0 &&
+                ssl->out_msgtype    == MBEDTLS_SSL_MSG_ALERT       &&
+                ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+    }
+
+    /* Whenever we send anything different from a
+     * HelloRequest we should be in a handshake - double check. */
+    if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
+        ssl->handshake == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+#endif
+
+    /* Double-check that we did not exceed the bounds
+     * of the outgoing record buffer.
+     * This should never fail as the various message
+     * writing functions must obey the bounds of the
+     * outgoing record buffer, but better be safe.
+     *
+     * Note: We deliberately do not check for the MTU or MFL here.
+     */
+    if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
+                                    "size %u, maximum %u",
+                                    (unsigned) ssl->out_msglen,
+                                    (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    /*
+     * Fill handshake headers
+     */
+    if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
+        ssl->out_msg[2] = (unsigned char)( hs_len >>  8 );
+        ssl->out_msg[3] = (unsigned char)( hs_len       );
+
+        /*
+         * DTLS has additional fields in the Handshake layer,
+         * between the length field and the actual payload:
+         *      uint16 message_seq;
+         *      uint24 fragment_offset;
+         *      uint24 fragment_length;
+         */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            /* Make room for the additional DTLS fields */
+            if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
+                              "size %u, maximum %u",
+                               (unsigned) ( hs_len ),
+                               (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
+                return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+            }
+
+            memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
+            ssl->out_msglen += 8;
+
+            /* Write message_seq and update it, except for HelloRequest */
+            if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            {
+                ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
+                ssl->out_msg[5] = ( ssl->handshake->out_msg_seq      ) & 0xFF;
+                ++( ssl->handshake->out_msg_seq );
+            }
+            else
+            {
+                ssl->out_msg[4] = 0;
+                ssl->out_msg[5] = 0;
+            }
+
+            /* Handshake hashes are computed without fragmentation,
+             * so set frag_offset = 0 and frag_len = hs_len for now */
+            memset( ssl->out_msg + 6, 0x00, 3 );
+            memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        /* Update running hashes of handshake messages seen */
+        if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
+            ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
+    }
+
+    /* Either send now, or just save to be sent (and resent) later */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
+    {
+        if( ( ret = ssl_flight_append( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
+            return( ret );
+        }
+    }
+    else
+#endif
+    {
+        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
+
+    return( 0 );
+}
+
+/*
+ * Record layer functions
+ */
+
+/*
+ * Write current record.
+ *
+ * Uses:
+ *  - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
+ *  - ssl->out_msglen: length of the record content (excl headers)
+ *  - ssl->out_msg: record content
+ */
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
+{
+    int ret, done = 0;
+    size_t len = ssl->out_msglen;
+    uint8_t flush = force_flush;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->transform_out != NULL &&
+        ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
+            return( ret );
+        }
+
+        len = ssl->out_msglen;
+    }
+#endif /*MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_write != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
+
+        ret = mbedtls_ssl_hw_record_write( ssl );
+        if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+
+        if( ret == 0 )
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if( !done )
+    {
+        unsigned i;
+        size_t protected_record_size;
+
+        ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
+        mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
+                           ssl->conf->transport, ssl->out_hdr + 1 );
+
+        memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
+        ssl->out_len[0] = (unsigned char)( len >> 8 );
+        ssl->out_len[1] = (unsigned char)( len      );
+
+        if( ssl->transform_out != NULL )
+        {
+            if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
+                return( ret );
+            }
+
+            len = ssl->out_msglen;
+            ssl->out_len[0] = (unsigned char)( len >> 8 );
+            ssl->out_len[1] = (unsigned char)( len      );
+        }
+
+        protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* In case of DTLS, double-check that we don't exceed
+         * the remaining space in the datagram. */
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            ret = ssl_get_remaining_space_in_datagram( ssl );
+            if( ret < 0 )
+                return( ret );
+
+            if( protected_record_size > (size_t) ret )
+            {
+                /* Should never happen */
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+        }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
+                                    "version = [%d:%d], msglen = %d",
+                                    ssl->out_hdr[0], ssl->out_hdr[1],
+                                    ssl->out_hdr[2], len ) );
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
+                               ssl->out_hdr, protected_record_size );
+
+        ssl->out_left += protected_record_size;
+        ssl->out_hdr  += protected_record_size;
+        ssl_update_out_pointers( ssl, ssl->transform_out );
+
+        for( i = 8; i > ssl_ep_len( ssl ); i-- )
+            if( ++ssl->cur_out_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == ssl_ep_len( ssl ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        flush == SSL_DONT_FORCE_FLUSH )
+    {
+        size_t remaining;
+        ret = ssl_get_remaining_payload_in_datagram( ssl );
+        if( ret < 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
+                                   ret );
+            return( ret );
+        }
+
+        remaining = (size_t) ret;
+        if( remaining == 0 )
+        {
+            flush = SSL_FORCE_FLUSH;
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ( flush == SSL_FORCE_FLUSH ) &&
+        ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen < ssl->in_hslen ||
+        memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
+        memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
+    {
+        return( 1 );
+    }
+    return( 0 );
+}
+
+static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[9] << 16  ) |
+            ( ssl->in_msg[10] << 8  ) |
+              ssl->in_msg[11] );
+}
+
+static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[6] << 16 ) |
+            ( ssl->in_msg[7] << 8  ) |
+              ssl->in_msg[8] );
+}
+
+static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
+{
+    uint32_t msg_len, frag_off, frag_len;
+
+    msg_len  = ssl_get_hs_total_len( ssl );
+    frag_off = ssl_get_hs_frag_off( ssl );
+    frag_len = ssl_get_hs_frag_len( ssl );
+
+    if( frag_off > msg_len )
+        return( -1 );
+
+    if( frag_len > msg_len - frag_off )
+        return( -1 );
+
+    if( frag_len + 12 > ssl->in_msglen )
+        return( -1 );
+
+    return( 0 );
+}
+
+/*
+ * Mark bits in bitmask (used for DTLS HS reassembly)
+ */
+static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
+{
+    unsigned int start_bits, end_bits;
+
+    start_bits = 8 - ( offset % 8 );
+    if( start_bits != 8 )
+    {
+        size_t first_byte_idx = offset / 8;
+
+        /* Special case */
+        if( len <= start_bits )
+        {
+            for( ; len != 0; len-- )
+                mask[first_byte_idx] |= 1 << ( start_bits - len );
+
+            /* Avoid potential issues with offset or len becoming invalid */
+            return;
+        }
+
+        offset += start_bits; /* Now offset % 8 == 0 */
+        len -= start_bits;
+
+        for( ; start_bits != 0; start_bits-- )
+            mask[first_byte_idx] |= 1 << ( start_bits - 1 );
+    }
+
+    end_bits = len % 8;
+    if( end_bits != 0 )
+    {
+        size_t last_byte_idx = ( offset + len ) / 8;
+
+        len -= end_bits; /* Now len % 8 == 0 */
+
+        for( ; end_bits != 0; end_bits-- )
+            mask[last_byte_idx] |= 1 << ( 8 - end_bits );
+    }
+
+    memset( mask + offset / 8, 0xFF, len / 8 );
+}
+
+/*
+ * Check that bitmask is full
+ */
+static int ssl_bitmask_check( unsigned char *mask, size_t len )
+{
+    size_t i;
+
+    for( i = 0; i < len / 8; i++ )
+        if( mask[i] != 0xFF )
+            return( -1 );
+
+    for( i = 0; i < len % 8; i++ )
+        if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
+            return( -1 );
+
+    return( 0 );
+}
+
+/* msg_len does not include the handshake header */
+static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
+                                              unsigned add_bitmap )
+{
+    size_t alloc_len;
+
+    alloc_len  = 12;                                 /* Handshake header */
+    alloc_len += msg_len;                            /* Content buffer   */
+
+    if( add_bitmap )
+        alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap       */
+
+    return( alloc_len );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
+{
+    return( ( ssl->in_msg[1] << 16 ) |
+            ( ssl->in_msg[2] << 8  ) |
+              ssl->in_msg[3] );
+}
+
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
+                            ssl->in_msglen ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
+                        " %d, type = %d, hslen = %d",
+                        ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        int ret;
+        unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
+
+        if( ssl_check_hs_header( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        if( ssl->handshake != NULL &&
+            ( ( ssl->state   != MBEDTLS_SSL_HANDSHAKE_OVER &&
+                recv_msg_seq != ssl->handshake->in_msg_seq ) ||
+              ( ssl->state  == MBEDTLS_SSL_HANDSHAKE_OVER &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
+        {
+            if( recv_msg_seq > ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
+                                            recv_msg_seq,
+                                            ssl->handshake->in_msg_seq ) );
+                return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+            }
+
+            /* Retransmit only on last message from previous flight, to avoid
+             * too many retransmissions.
+             * Besides, No sane server ever retransmits HelloVerifyRequest */
+            if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
+                                    "message_seq = %d, start_of_flight = %d",
+                                    recv_msg_seq,
+                                    ssl->handshake->in_flight_start_seq ) );
+
+                if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
+                    return( ret );
+                }
+            }
+            else
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
+                                    "message_seq = %d, expected = %d",
+                                    recv_msg_seq,
+                                    ssl->handshake->in_msg_seq ) );
+            }
+
+            return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
+        }
+        /* Wait until message completion to increment in_msg_seq */
+
+        /* Message reassembly is handled alongside buffering of future
+         * messages; the commonality is that both handshake fragments and
+         * future messages cannot be forwarded immediately to the
+         * handshake logic layer. */
+        if( ssl_hs_is_proper_fragment( ssl ) == 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
+            return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    /* With TLS we don't handle fragmentation (for now) */
+    if( ssl->in_msglen < ssl->in_hslen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    }
+
+    return( 0 );
+}
+
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
+    {
+        ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
+    }
+
+    /* Handshake message is complete, increment counter */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL )
+    {
+        unsigned offset;
+        mbedtls_ssl_hs_buffer *hs_buf;
+
+        /* Increment handshake sequence number */
+        hs->in_msg_seq++;
+
+        /*
+         * Clear up handshake buffering and reassembly structure.
+         */
+
+        /* Free first entry */
+        ssl_buffering_free_slot( ssl, 0 );
+
+        /* Shift all other entries */
+        for( offset = 0, hs_buf = &hs->buffering.hs[0];
+             offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
+             offset++, hs_buf++ )
+        {
+            *hs_buf = *(hs_buf + 1);
+        }
+
+        /* Create a fresh last entry */
+        memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
+    }
+#endif
+}
+
+/*
+ * DTLS anti-replay: RFC 6347 4.1.2.6
+ *
+ * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
+ * Bit n is set iff record number in_window_top - n has been seen.
+ *
+ * Usually, in_window_top is the last record number seen and the lsb of
+ * in_window is set. The only exception is the initial state (record number 0
+ * not seen yet).
+ */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
+{
+    ssl->in_window_top = 0;
+    ssl->in_window = 0;
+}
+
+static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
+{
+    return( ( (uint64_t) buf[0] << 40 ) |
+            ( (uint64_t) buf[1] << 32 ) |
+            ( (uint64_t) buf[2] << 24 ) |
+            ( (uint64_t) buf[3] << 16 ) |
+            ( (uint64_t) buf[4] <<  8 ) |
+            ( (uint64_t) buf[5]       ) );
+}
+
+/*
+ * Return 0 if sequence number is acceptable, -1 otherwise
+ */
+int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
+{
+    uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
+    uint64_t bit;
+
+    if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+        return( 0 );
+
+    if( rec_seqnum > ssl->in_window_top )
+        return( 0 );
+
+    bit = ssl->in_window_top - rec_seqnum;
+
+    if( bit >= 64 )
+        return( -1 );
+
+    if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
+        return( -1 );
+
+    return( 0 );
+}
+
+/*
+ * Update replay window on new validated record
+ */
+void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
+{
+    uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
+
+    if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
+        return;
+
+    if( rec_seqnum > ssl->in_window_top )
+    {
+        /* Update window_top and the contents of the window */
+        uint64_t shift = rec_seqnum - ssl->in_window_top;
+
+        if( shift >= 64 )
+            ssl->in_window = 1;
+        else
+        {
+            ssl->in_window <<= shift;
+            ssl->in_window |= 1;
+        }
+
+        ssl->in_window_top = rec_seqnum;
+    }
+    else
+    {
+        /* Mark that number as seen in the current window */
+        uint64_t bit = ssl->in_window_top - rec_seqnum;
+
+        if( bit < 64 ) /* Always true, but be extra sure */
+            ssl->in_window |= (uint64_t) 1 << bit;
+    }
+}
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+/* Forward declaration */
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
+
+/*
+ * Without any SSL context, check if a datagram looks like a ClientHello with
+ * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
+ * Both input and output include full DTLS headers.
+ *
+ * - if cookie is valid, return 0
+ * - if ClientHello looks superficially valid but cookie is not,
+ *   fill obuf and set olen, then
+ *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - otherwise return a specific error code
+ */
+static int ssl_check_dtls_clihlo_cookie(
+                           mbedtls_ssl_cookie_write_t *f_cookie_write,
+                           mbedtls_ssl_cookie_check_t *f_cookie_check,
+                           void *p_cookie,
+                           const unsigned char *cli_id, size_t cli_id_len,
+                           const unsigned char *in, size_t in_len,
+                           unsigned char *obuf, size_t buf_len, size_t *olen )
+{
+    size_t sid_len, cookie_len;
+    unsigned char *p;
+
+    if( f_cookie_write == NULL || f_cookie_check == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /*
+     * Structure of ClientHello with record and handshake headers,
+     * and expected values. We don't need to check a lot, more checks will be
+     * done when actually parsing the ClientHello - skipping those checks
+     * avoids code duplication and does not make cookie forging any easier.
+     *
+     *  0-0  ContentType type;                  copied, must be handshake
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied, must be 0
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     (ignored)
+     *
+     * 13-13 HandshakeType msg_type;            (ignored)
+     * 14-16 uint24 length;                     (ignored)
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied, must be 0
+     * 22-24 uint24 fragment_length;            (ignored)
+     *
+     * 25-26 ProtocolVersion client_version;    (ignored)
+     * 27-58 Random random;                     (ignored)
+     * 59-xx SessionID session_id;              1 byte len + sid_len content
+     * 60+   opaque cookie<0..2^8-1>;           1 byte len + content
+     *       ...
+     *
+     * Minimum length is 61 bytes.
+     */
+    if( in_len < 61 ||
+        in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
+        in[3] != 0 || in[4] != 0 ||
+        in[19] != 0 || in[20] != 0 || in[21] != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+    }
+
+    sid_len = in[59];
+    if( sid_len > in_len - 61 )
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+
+    cookie_len = in[60 + sid_len];
+    if( cookie_len > in_len - 60 )
+        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+
+    if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
+                        cli_id, cli_id_len ) == 0 )
+    {
+        /* Valid cookie */
+        return( 0 );
+    }
+
+    /*
+     * If we get here, we've got an invalid cookie, let's prepare HVR.
+     *
+     *  0-0  ContentType type;                  copied
+     *  1-2  ProtocolVersion version;           copied
+     *  3-4  uint16 epoch;                      copied
+     *  5-10 uint48 sequence_number;            copied
+     * 11-12 uint16 length;                     olen - 13
+     *
+     * 13-13 HandshakeType msg_type;            hello_verify_request
+     * 14-16 uint24 length;                     olen - 25
+     * 17-18 uint16 message_seq;                copied
+     * 19-21 uint24 fragment_offset;            copied
+     * 22-24 uint24 fragment_length;            olen - 25
+     *
+     * 25-26 ProtocolVersion server_version;    0xfe 0xff
+     * 27-27 opaque cookie<0..2^8-1>;           cookie_len = olen - 27, cookie
+     *
+     * Minimum length is 28.
+     */
+    if( buf_len < 28 )
+        return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+
+    /* Copy most fields and adapt others */
+    memcpy( obuf, in, 25 );
+    obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
+    obuf[25] = 0xfe;
+    obuf[26] = 0xff;
+
+    /* Generate and write actual cookie */
+    p = obuf + 28;
+    if( f_cookie_write( p_cookie,
+                        &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
+    {
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    *olen = p - obuf;
+
+    /* Go back and fill length fields */
+    obuf[27] = (unsigned char)( *olen - 28 );
+
+    obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
+    obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >>  8 );
+    obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 )       );
+
+    obuf[11] = (unsigned char)( ( *olen - 13 ) >>  8 );
+    obuf[12] = (unsigned char)( ( *olen - 13 )       );
+
+    return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+}
+
+/*
+ * Handle possible client reconnect with the same UDP quadruplet
+ * (RFC 6347 Section 4.2.8).
+ *
+ * Called by ssl_parse_record_header() in case we receive an epoch 0 record
+ * that looks like a ClientHello.
+ *
+ * - if the input looks like a ClientHello without cookies,
+ *   send back HelloVerifyRequest, then
+ *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
+ * - if the input looks like a ClientHello with a valid cookie,
+ *   reset the session of the current context, and
+ *   return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
+ * - if anything goes wrong, return a specific error code
+ *
+ * mbedtls_ssl_read_record() will ignore the record if anything else than
+ * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
+ * cannot not return 0.
+ */
+static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t len;
+
+    ret = ssl_check_dtls_clihlo_cookie(
+            ssl->conf->f_cookie_write,
+            ssl->conf->f_cookie_check,
+            ssl->conf->p_cookie,
+            ssl->cli_id, ssl->cli_id_len,
+            ssl->in_buf, ssl->in_left,
+            ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
+
+    MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
+
+    if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
+    {
+        /* Don't check write errors as we can't do anything here.
+         * If the error is permanent we'll catch it later,
+         * if it's not, then hopefully it'll work next time. */
+        (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
+
+        return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
+    }
+
+    if( ret == 0 )
+    {
+        /* Got a valid cookie, partially reset context */
+        if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
+            return( ret );
+        }
+
+        return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
+    }
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+
+/*
+ * ContentType type;
+ * ProtocolVersion version;
+ * uint16 epoch;            // DTLS only
+ * uint48 sequence_number;  // DTLS only
+ * uint16 length;
+ *
+ * Return 0 if header looks sane (and, for DTLS, the record is expected)
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
+ * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
+ *
+ * With DTLS, mbedtls_ssl_read_record() will:
+ * 1. proceed with the record if this function returns 0
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD
+ * 3. return CLIENT_RECONNECT if this function return that value
+ * 4. drop the whole datagram if this function returns anything else.
+ * Point 2 is needed when the peer is resending, and we have already received
+ * the first record from a datagram but are still waiting for the others.
+ */
+static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
+{
+    int major_ver, minor_ver;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
+
+    ssl->in_msgtype =  ssl->in_hdr[0];
+    ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
+    mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
+                        "version = [%d:%d], msglen = %d",
+                        ssl->in_msgtype,
+                        major_ver, minor_ver, ssl->in_msglen ) );
+
+    /* Check record type */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
+        ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* Silently ignore invalid DTLS records as recommended by RFC 6347
+         * Section 4.1.2.7 */
+        if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                    MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /* Check version */
+    if( major_ver != ssl->major_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    if( minor_ver > ssl->conf->max_minor_ver )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /* Check length against the size of our buffer */
+    if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
+                         - (size_t)( ssl->in_msg - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+        return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+    }
+
+    /*
+     * DTLS-related tests.
+     * Check epoch before checking length constraint because
+     * the latter varies with the epoch. E.g., if a ChangeCipherSpec
+     * message gets duplicated before the corresponding Finished message,
+     * the second ChangeCipherSpec should be discarded because it belongs
+     * to an old epoch, but not because its length is shorter than
+     * the minimum record length for packets using the new record transform.
+     * Note that these two kinds of failures are handled differently,
+     * as an unexpected record is silently skipped but an invalid
+     * record leads to the entire datagram being dropped.
+     */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
+
+        /* Check epoch (and sequence number) with DTLS */
+        if( rec_epoch != ssl->in_epoch )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
+                                        "expected %d, received %d",
+                                        ssl->in_epoch, rec_epoch ) );
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+            /*
+             * Check for an epoch 0 ClientHello. We can't use in_msg here to
+             * access the first byte of record content (handshake type), as we
+             * have an active transform (possibly iv_len != 0), so use the
+             * fact that the record header len is 13 instead.
+             */
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
+                rec_epoch == 0 &&
+                ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+                ssl->in_left > 13 &&
+                ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
+                                            "from the same port" ) );
+                return( ssl_handle_possible_reconnect( ssl ) );
+            }
+            else
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+            {
+                /* Consider buffering the record. */
+                if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
+                    return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+                }
+
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+            }
+        }
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        /* Replay detection only works for the current epoch */
+        if( rec_epoch == ssl->in_epoch &&
+            mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+#endif
+
+        /* Drop unexpected ApplicationData records,
+         * except at the beginning of renegotiations */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
+            ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
+                   ssl->state == MBEDTLS_SSL_SERVER_HELLO )
+#endif
+            )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+
+    /* Check length against bounds of the current transform and version */
+    if( ssl->transform_in == NULL )
+    {
+        if( ssl->in_msglen < 1 ||
+            ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+    else
+    {
+        if( ssl->in_msglen < ssl->transform_in->minlen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+            ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        /*
+         * TLS encrypted messages can have up to 256 bytes of padding
+         */
+        if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
+            ssl->in_msglen > ssl->transform_in->minlen +
+                             MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+#endif
+    }
+
+    return( 0 );
+}
+
+/*
+ * If applicable, decrypt (and decompress) record content
+ */
+static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
+{
+    int ret, done = 0;
+
+    MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
+                   ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_read != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
+
+        ret = mbedtls_ssl_hw_record_read( ssl );
+        if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+
+        if( ret == 0 )
+            done = 1;
+    }
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+    if( !done && ssl->transform_in != NULL )
+    {
+        if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
+            return( ret );
+        }
+
+        MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
+                       ssl->in_msg, ssl->in_msglen );
+
+        if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+    }
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->transform_in != NULL &&
+        ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
+    {
+        if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        mbedtls_ssl_dtls_replay_update( ssl );
+    }
+#endif
+
+    return( 0 );
+}
+
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
+
+/*
+ * Read a record.
+ *
+ * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
+ * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
+ *
+ */
+
+/* Helper functions for mbedtls_ssl_read_record(). */
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
+static int ssl_get_next_record( mbedtls_ssl_context *ssl );
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
+
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
+                             unsigned update_hs_digest )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
+
+    if( ssl->keep_current_message == 0 )
+    {
+        do {
+
+            ret = ssl_consume_current_message( ssl );
+            if( ret != 0 )
+                return( ret );
+
+            if( ssl_record_is_in_progress( ssl ) == 0 )
+            {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                int have_buffered = 0;
+
+                /* We only check for buffered messages if the
+                 * current datagram is fully consumed. */
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                    ssl_next_record_is_in_datagram( ssl ) == 0 )
+                {
+                    if( ssl_load_buffered_message( ssl ) == 0 )
+                        have_buffered = 1;
+                }
+
+                if( have_buffered == 0 )
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+                {
+                    ret = ssl_get_next_record( ssl );
+                    if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
+                        continue;
+
+                    if( ret != 0 )
+                    {
+                        MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
+                        return( ret );
+                    }
+                }
+            }
+
+            ret = mbedtls_ssl_handle_message_type( ssl );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
+            {
+                /* Buffer future message */
+                ret = ssl_buffer_message( ssl );
+                if( ret != 0 )
+                    return( ret );
+
+                ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
+            }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+        } while( MBEDTLS_ERR_SSL_NON_FATAL           == ret  ||
+                 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
+
+        if( 0 != ret )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
+            return( ret );
+        }
+
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
+            update_hs_digest == 1 )
+        {
+            mbedtls_ssl_update_handshake_status( ssl );
+        }
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
+        ssl->keep_current_message = 0;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_left > ssl->next_record_offset )
+        return( 1 );
+
+    return( 0 );
+}
+
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer * hs_buf;
+    int ret = 0;
+
+    if( hs == NULL )
+        return( -1 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
+
+    if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
+        ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+    {
+        /* Check if we have seen a ChangeCipherSpec before.
+         * If yes, synthesize a CCS record. */
+        if( !hs->buffering.seen_ccs )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
+            ret = -1;
+            goto exit;
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+        ssl->in_msglen = 1;
+        ssl->in_msg[0] = 1;
+
+        /* As long as they are equal, the exact value doesn't matter. */
+        ssl->in_left            = 0;
+        ssl->next_record_offset = 0;
+
+        hs->buffering.seen_ccs = 0;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_DEBUG_C)
+    /* Debug only */
+    {
+        unsigned offset;
+        for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
+        {
+            hs_buf = &hs->buffering.hs[offset];
+            if( hs_buf->is_valid == 1 )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
+                            hs->in_msg_seq + offset,
+                            hs_buf->is_complete ? "fully" : "partially" ) );
+            }
+        }
+    }
+#endif /* MBEDTLS_DEBUG_C */
+
+    /* Check if we have buffered and/or fully reassembled the
+     * next handshake message. */
+    hs_buf = &hs->buffering.hs[0];
+    if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
+    {
+        /* Synthesize a record containing the buffered HS message. */
+        size_t msg_len = ( hs_buf->data[1] << 16 ) |
+                         ( hs_buf->data[2] << 8  ) |
+                           hs_buf->data[3];
+
+        /* Double-check that we haven't accidentally buffered
+         * a message that doesn't fit into the input buffer. */
+        if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
+        MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
+                               hs_buf->data, msg_len + 12 );
+
+        ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+        ssl->in_hslen   = msg_len + 12;
+        ssl->in_msglen  = msg_len + 12;
+        memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
+
+        ret = 0;
+        goto exit;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
+                                    hs->in_msg_seq ) );
+    }
+
+    ret = -1;
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
+    return( ret );
+}
+
+static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
+                                  size_t desired )
+{
+    int offset;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
+                                (unsigned) desired ) );
+
+    /* Get rid of future records epoch first, if such exist. */
+    ssl_free_buffered_record( ssl );
+
+    /* Check if we have enough space available now. */
+    if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                     hs->buffering.total_bytes_buffered ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
+        return( 0 );
+    }
+
+    /* We don't have enough space to buffer the next expected handshake
+     * message. Remove buffers used for future messages to gain space,
+     * starting with the most distant one. */
+    for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
+         offset >= 0; offset-- )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
+                                    offset ) );
+
+        ssl_buffering_free_slot( ssl, (uint8_t) offset );
+
+        /* Check if we have enough space available now. */
+        if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                         hs->buffering.total_bytes_buffered ) )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
+            return( 0 );
+        }
+    }
+
+    return( -1 );
+}
+
+static int ssl_buffer_message( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( hs == NULL )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
+
+    switch( ssl->in_msgtype )
+    {
+        case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
+
+            hs->buffering.seen_ccs = 1;
+            break;
+
+        case MBEDTLS_SSL_MSG_HANDSHAKE:
+        {
+            unsigned recv_msg_seq_offset;
+            unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
+            mbedtls_ssl_hs_buffer *hs_buf;
+            size_t msg_len = ssl->in_hslen - 12;
+
+            /* We should never receive an old handshake
+             * message - double-check nonetheless. */
+            if( recv_msg_seq < ssl->handshake->in_msg_seq )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            }
+
+            recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
+            if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
+            {
+                /* Silently ignore -- message too far in the future */
+                MBEDTLS_SSL_DEBUG_MSG( 2,
+                 ( "Ignore future HS message with sequence number %u, "
+                   "buffering window %u - %u",
+                   recv_msg_seq, ssl->handshake->in_msg_seq,
+                   ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
+
+                goto exit;
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
+                                        recv_msg_seq, recv_msg_seq_offset ) );
+
+            hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
+
+            /* Check if the buffering for this seq nr has already commenced. */
+            if( !hs_buf->is_valid )
+            {
+                size_t reassembly_buf_sz;
+
+                hs_buf->is_fragmented =
+                    ( ssl_hs_is_proper_fragment( ssl ) == 1 );
+
+                /* We copy the message back into the input buffer
+                 * after reassembly, so check that it's not too large.
+                 * This is an implementation-specific limitation
+                 * and not one from the standard, hence it is not
+                 * checked in ssl_check_hs_header(). */
+                if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
+                {
+                    /* Ignore message */
+                    goto exit;
+                }
+
+                /* Check if we have enough space to buffer the message. */
+                if( hs->buffering.total_bytes_buffered >
+                    MBEDTLS_SSL_DTLS_MAX_BUFFERING )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+                }
+
+                reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
+                                                       hs_buf->is_fragmented );
+
+                if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                                          hs->buffering.total_bytes_buffered ) )
+                {
+                    if( recv_msg_seq_offset > 0 )
+                    {
+                        /* If we can't buffer a future message because
+                         * of space limitations -- ignore. */
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
+                             (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                        goto exit;
+                    }
+                    else
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
+                             (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                    }
+
+                    if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
+                    {
+                        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
+                             (unsigned) msg_len,
+                             (unsigned) reassembly_buf_sz,
+                             MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                             (unsigned) hs->buffering.total_bytes_buffered ) );
+                        ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
+                        goto exit;
+                    }
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
+                                            msg_len ) );
+
+                hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
+                if( hs_buf->data == NULL )
+                {
+                    ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+                    goto exit;
+                }
+                hs_buf->data_len = reassembly_buf_sz;
+
+                /* Prepare final header: copy msg_type, length and message_seq,
+                 * then add standardised fragment_offset and fragment_length */
+                memcpy( hs_buf->data, ssl->in_msg, 6 );
+                memset( hs_buf->data + 6, 0, 3 );
+                memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
+
+                hs_buf->is_valid = 1;
+
+                hs->buffering.total_bytes_buffered += reassembly_buf_sz;
+            }
+            else
+            {
+                /* Make sure msg_type and length are consistent */
+                if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
+                    /* Ignore */
+                    goto exit;
+                }
+            }
+
+            if( !hs_buf->is_complete )
+            {
+                size_t frag_len, frag_off;
+                unsigned char * const msg = hs_buf->data + 12;
+
+                /*
+                 * Check and copy current fragment
+                 */
+
+                /* Validation of header fields already done in
+                 * mbedtls_ssl_prepare_handshake_record(). */
+                frag_off = ssl_get_hs_frag_off( ssl );
+                frag_len = ssl_get_hs_frag_len( ssl );
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
+                                            frag_off, frag_len ) );
+                memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
+
+                if( hs_buf->is_fragmented )
+                {
+                    unsigned char * const bitmask = msg + msg_len;
+                    ssl_bitmask_set( bitmask, frag_off, frag_len );
+                    hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
+                                                               msg_len ) == 0 );
+                }
+                else
+                {
+                    hs_buf->is_complete = 1;
+                }
+
+                MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
+                                   hs_buf->is_complete ? "" : "not yet " ) );
+            }
+
+            break;
+        }
+
+        default:
+            /* We don't buffer other types of messages. */
+            break;
+    }
+
+exit:
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
+{
+    /*
+     * Consume last content-layer message and potentially
+     * update in_msglen which keeps track of the contents'
+     * consumption state.
+     *
+     * (1) Handshake messages:
+     *     Remove last handshake message, move content
+     *     and adapt in_msglen.
+     *
+     * (2) Alert messages:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (3) Change cipher spec:
+     *     Consume whole record content, in_msglen = 0.
+     *
+     * (4) Application data:
+     *     Don't do anything - the record layer provides
+     *     the application data as a stream transport
+     *     and consumes through mbedtls_ssl_read only.
+     *
+     */
+
+    /* Case (1): Handshake messages */
+    if( ssl->in_hslen != 0 )
+    {
+        /* Hard assertion to be sure that no application data
+         * is in flight, as corrupting ssl->in_msglen during
+         * ssl->in_offt != NULL is fatal. */
+        if( ssl->in_offt != NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        }
+
+        /*
+         * Get next Handshake message in the current record
+         */
+
+        /* Notes:
+         * (1) in_hslen is not necessarily the size of the
+         *     current handshake content: If DTLS handshake
+         *     fragmentation is used, that's the fragment
+         *     size instead. Using the total handshake message
+         *     size here is faulty and should be changed at
+         *     some point.
+         * (2) While it doesn't seem to cause problems, one
+         *     has to be very careful not to assume that in_hslen
+         *     is always <= in_msglen in a sensible communication.
+         *     Again, it's wrong for DTLS handshake fragmentation.
+         *     The following check is therefore mandatory, and
+         *     should not be treated as a silently corrected assertion.
+         *     Additionally, ssl->in_hslen might be arbitrarily out of
+         *     bounds after handling a DTLS message with an unexpected
+         *     sequence number, see mbedtls_ssl_prepare_handshake_record.
+         */
+        if( ssl->in_hslen < ssl->in_msglen )
+        {
+            ssl->in_msglen -= ssl->in_hslen;
+            memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
+                     ssl->in_msglen );
+
+            MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
+                                   ssl->in_msg, ssl->in_msglen );
+        }
+        else
+        {
+            ssl->in_msglen = 0;
+        }
+
+        ssl->in_hslen   = 0;
+    }
+    /* Case (4): Application data */
+    else if( ssl->in_offt != NULL )
+    {
+        return( 0 );
+    }
+    /* Everything else (CCS & Alerts) */
+    else
+    {
+        ssl->in_msglen = 0;
+    }
+
+    return( 0 );
+}
+
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
+{
+    if( ssl->in_msglen > 0 )
+        return( 1 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    if( hs == NULL )
+        return;
+
+    if( hs->buffering.future_record.data != NULL )
+    {
+        hs->buffering.total_bytes_buffered -=
+            hs->buffering.future_record.len;
+
+        mbedtls_free( hs->buffering.future_record.data );
+        hs->buffering.future_record.data = NULL;
+    }
+}
+
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    unsigned char * rec;
+    size_t rec_len;
+    unsigned rec_epoch;
+
+    if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        return( 0 );
+
+    if( hs == NULL )
+        return( 0 );
+
+    rec       = hs->buffering.future_record.data;
+    rec_len   = hs->buffering.future_record.len;
+    rec_epoch = hs->buffering.future_record.epoch;
+
+    if( rec == NULL )
+        return( 0 );
+
+    /* Only consider loading future records if the
+     * input buffer is empty. */
+    if( ssl_next_record_is_in_datagram( ssl ) == 1 )
+        return( 0 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
+
+    if( rec_epoch != ssl->in_epoch )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
+        goto exit;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
+
+    /* Double-check that the record is not too large */
+    if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
+        (size_t)( ssl->in_hdr - ssl->in_buf ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    memcpy( ssl->in_hdr, rec, rec_len );
+    ssl->in_left = rec_len;
+    ssl->next_record_offset = 0;
+
+    ssl_free_buffered_record( ssl );
+
+exit:
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
+    return( 0 );
+}
+
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    size_t const rec_hdr_len = 13;
+    size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
+
+    /* Don't buffer future records outside handshakes. */
+    if( hs == NULL )
+        return( 0 );
+
+    /* Only buffer handshake records (we are only interested
+     * in Finished messages). */
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+        return( 0 );
+
+    /* Don't buffer more than one future epoch record. */
+    if( hs->buffering.future_record.data != NULL )
+        return( 0 );
+
+    /* Don't buffer record if there's not enough buffering space remaining. */
+    if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
+                         hs->buffering.total_bytes_buffered ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
+                        (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+                        (unsigned) hs->buffering.total_bytes_buffered ) );
+        return( 0 );
+    }
+
+    /* Buffer record */
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
+                                ssl->in_epoch + 1 ) );
+    MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
+                           rec_hdr_len + ssl->in_msglen );
+
+    /* ssl_parse_record_header() only considers records
+     * of the next epoch as candidates for buffering. */
+    hs->buffering.future_record.epoch = ssl->in_epoch + 1;
+    hs->buffering.future_record.len   = total_buf_sz;
+
+    hs->buffering.future_record.data =
+        mbedtls_calloc( 1, hs->buffering.future_record.len );
+    if( hs->buffering.future_record.data == NULL )
+    {
+        /* If we run out of RAM trying to buffer a
+         * record from the next epoch, just ignore. */
+        return( 0 );
+    }
+
+    memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
+
+    hs->buffering.total_bytes_buffered += total_buf_sz;
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+static int ssl_get_next_record( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    /* We might have buffered a future record; if so,
+     * and if the epoch matches now, load it.
+     * On success, this call will set ssl->in_left to
+     * the length of the buffered record, so that
+     * the calls to ssl_fetch_input() below will
+     * essentially be no-ops. */
+    ret = ssl_load_buffered_record( ssl );
+    if( ret != 0 )
+        return( ret );
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
+        {
+            if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
+            {
+                ret = ssl_buffer_future_record( ssl );
+                if( ret != 0 )
+                    return( ret );
+
+                /* Fall through to handling of unexpected records */
+                ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
+            }
+
+            if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
+            {
+                /* Skip unexpected record (but not whole datagram) */
+                ssl->next_record_offset = ssl->in_msglen
+                                        + mbedtls_ssl_hdr_len( ssl );
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
+                                            "(header)" ) );
+            }
+            else
+            {
+                /* Skip invalid record and the rest of the datagram */
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
+                                            "(header)" ) );
+            }
+
+            /* Get next record */
+            return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
+        }
+#endif
+        return( ret );
+    }
+
+    /*
+     * Read and optionally decrypt the message contents
+     */
+    if( ( ret = mbedtls_ssl_fetch_input( ssl,
+                                 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
+        return( ret );
+    }
+
+    /* Done reading this record, get ready for the next one */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
+        if( ssl->next_record_offset < ssl->in_left )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
+        }
+    }
+    else
+#endif
+        ssl->in_left = 0;
+
+    if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            /* Silently discard invalid records */
+            if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
+                ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            {
+                /* Except when waiting for Finished as a bad mac here
+                 * probably means something went wrong in the handshake
+                 * (eg wrong psk used, mitm downgrade attempt, etc.) */
+                if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
+                    ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
+                {
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+                    if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+                    {
+                        mbedtls_ssl_send_alert_message( ssl,
+                                MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
+                    }
+#endif
+                    return( ret );
+                }
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+                if( ssl->conf->badmac_limit != 0 &&
+                    ++ssl->badmac_seen >= ssl->conf->badmac_limit )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
+                    return( MBEDTLS_ERR_SSL_INVALID_MAC );
+                }
+#endif
+
+                /* As above, invalid records cause
+                 * dismissal of the whole datagram. */
+
+                ssl->next_record_offset = 0;
+                ssl->in_left = 0;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
+                return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
+            }
+
+            return( ret );
+        }
+        else
+#endif
+        {
+            /* Error out (and send alert) on invalid records */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+            if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
+            {
+                mbedtls_ssl_send_alert_message( ssl,
+                        MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                        MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
+            }
+#endif
+            return( ret );
+        }
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    /*
+     * Handle particular types of records
+     */
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
+        {
+            return( ret );
+        }
+    }
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        if( ssl->in_msglen != 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
+                           ssl->in_msglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        if( ssl->in_msg[0] != 1 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
+                                        ssl->in_msg[0] ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+            ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC    &&
+            ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
+        {
+            if( ssl->handshake == NULL )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
+            }
+
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
+            return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
+        }
+#endif
+    }
+
+    if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
+    {
+        if( ssl->in_msglen != 2 )
+        {
+            /* Note: Standard allows for more than one 2 byte alert
+               to be packed in a single message, but Mbed TLS doesn't
+               currently support this. */
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
+                           ssl->in_msglen ) );
+            return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+        }
+
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
+                       ssl->in_msg[0], ssl->in_msg[1] ) );
+
+        /*
+         * Ignore non-fatal alerts, except close_notify and no_renegotiation
+         */
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
+                           ssl->in_msg[1] ) );
+            return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
+        }
+
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
+            return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
+        }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
+        if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
+            /* Will be handled when trying to parse ServerHello */
+            return( 0 );
+        }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
+            ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
+            /* Will be handled in mbedtls_ssl_parse_certificate() */
+            return( 0 );
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
+
+        /* Silently ignore: fetch new message */
+        return MBEDTLS_ERR_SSL_NON_FATAL;
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake != NULL &&
+        ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER  )
+    {
+        ssl_handshake_wrapup_free_hs_transform( ssl );
+    }
+#endif
+
+    return( 0 );
+}
+
+int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                    MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
+                            unsigned char level,
+                            unsigned char message )
+{
+    int ret;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+    ssl->out_msglen = 2;
+    ssl->out_msg[0] = level;
+    ssl->out_msg[1] = message;
+
+    if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+        return( ret );
+    }
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
+
+    return( 0 );
+}
+
+/*
+ * Handshake functions
+ */
+#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)         && \
+    !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)     && \
+    !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)     && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)   && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)    && \
+    !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+/* No certificate support -> dummy functions */
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+}
+
+#else
+/* Some certificate support -> implement write and parse */
+
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+    size_t i, n;
+    const mbedtls_x509_crt *crt;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        if( ssl->client_auth == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
+            ssl->state++;
+            return( 0 );
+        }
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+        /*
+         * If using SSLv3 and got no cert, send an Alert message
+         * (otherwise an empty Certificate message will be sent).
+         */
+        if( mbedtls_ssl_own_cert( ssl )  == NULL &&
+            ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        {
+            ssl->out_msglen  = 2;
+            ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
+            ssl->out_msg[0]  = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
+            ssl->out_msg[1]  = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
+
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
+            goto write_msg;
+        }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        if( mbedtls_ssl_own_cert( ssl ) == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
+            return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
+        }
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
+
+    /*
+     *     0  .  0    handshake type
+     *     1  .  3    handshake length
+     *     4  .  6    length of all certs
+     *     7  .  9    length of cert. 1
+     *    10  . n-1   peer certificate
+     *     n  . n+2   length of cert. 2
+     *    n+3 . ...   upper level cert, etc.
+     */
+    i = 7;
+    crt = mbedtls_ssl_own_cert( ssl );
+
+    while( crt != NULL )
+    {
+        n = crt->raw.len;
+        if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
+                           i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+            return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
+        }
+
+        ssl->out_msg[i    ] = (unsigned char)( n >> 16 );
+        ssl->out_msg[i + 1] = (unsigned char)( n >>  8 );
+        ssl->out_msg[i + 2] = (unsigned char)( n       );
+
+        i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
+        i += n; crt = crt->next;
+    }
+
+    ssl->out_msg[4]  = (unsigned char)( ( i - 7 ) >> 16 );
+    ssl->out_msg[5]  = (unsigned char)( ( i - 7 ) >>  8 );
+    ssl->out_msg[6]  = (unsigned char)( ( i - 7 )       );
+
+    ssl->out_msglen  = i;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_CERTIFICATE;
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
+write_msg:
+#endif
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
+
+    return( ret );
+}
+
+/*
+ * Once the certificate message is read, parse it into a cert chain and
+ * perform basic checks, but leave actual verification to the caller
+ */
+static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    size_t i, n;
+    uint8_t alert;
+
+#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    /*
+     * Check if the client sent an empty certificate
+     */
+    if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
+        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( ssl->in_msglen  == 2                        &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT            &&
+            ssl->in_msg[0]  == MBEDTLS_SSL_ALERT_LEVEL_WARNING  &&
+            ssl->in_msg[1]  == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
+
+            /* The client was asked for a certificate but didn't send
+               one. The client should know what's going on, so we
+               don't send an alert. */
+            ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+            return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->conf->endpoint  == MBEDTLS_SSL_IS_SERVER &&
+        ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
+    {
+        if( ssl->in_hslen   == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE    &&
+            ssl->in_msg[0]  == MBEDTLS_SSL_HS_CERTIFICATE   &&
+            memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
+
+            /* The client was asked for a certificate but didn't send
+               one. The client should know what's going on, so we
+               don't send an alert. */
+            ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
+            return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+#endif /* MBEDTLS_SSL_SRV_C */
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
+        ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    i = mbedtls_ssl_hs_hdr_len( ssl );
+
+    /*
+     * Same message structure as in mbedtls_ssl_write_certificate()
+     */
+    n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
+
+    if( ssl->in_msg[i] != 0 ||
+        ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+    }
+
+    /* In case we tried to reuse a session but it failed */
+    if( ssl->session_negotiate->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
+        mbedtls_free( ssl->session_negotiate->peer_cert );
+    }
+
+    if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
+                    sizeof( mbedtls_x509_crt ) ) ) == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
+                       sizeof( mbedtls_x509_crt ) ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
+
+    i += 3;
+
+    while( i < ssl->in_hslen )
+    {
+        if ( i + 3 > ssl->in_hslen ) {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                           MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+        if( ssl->in_msg[i] != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
+            | (unsigned int) ssl->in_msg[i + 2];
+        i += 3;
+
+        if( n < 128 || i + n > ssl->in_hslen )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
+                                  ssl->in_msg + i, n );
+        switch( ret )
+        {
+        case 0: /*ok*/
+        case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
+            /* Ignore certificate with an unknown algorithm: maybe a
+               prior certificate was already trusted. */
+            break;
+
+        case MBEDTLS_ERR_X509_ALLOC_FAILED:
+            alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
+            goto crt_parse_der_failed;
+
+        case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
+            alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            goto crt_parse_der_failed;
+
+        default:
+            alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+        crt_parse_der_failed:
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
+            MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
+            return( ret );
+        }
+
+        i += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
+
+    /*
+     * On client, make sure the server cert doesn't change during renego to
+     * avoid "triple handshake" attack: https://secure-resumption.com/
+     */
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        if( ssl->session->peer_cert == NULL )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+
+        if( ssl->session->peer_cert->raw.len !=
+            ssl->session_negotiate->peer_cert->raw.len ||
+            memcmp( ssl->session->peer_cert->raw.p,
+                    ssl->session_negotiate->peer_cert->raw.p,
+                    ssl->session->peer_cert->raw.len ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
+            return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
+        }
+    }
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
+
+    return( 0 );
+}
+
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
+          ssl->transform_negotiate->ciphersuite_info;
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+                       ? ssl->handshake->sni_authmode
+                       : ssl->conf->authmode;
+#else
+    const int authmode = ssl->conf->authmode;
+#endif
+    void *rs_ctx = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
+
+    if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+        ssl->state++;
+        return( 0 );
+    }
+
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+        authmode == MBEDTLS_SSL_VERIFY_NONE )
+    {
+        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+
+        ssl->state++;
+        return( 0 );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
+    {
+        goto crt_verify;
+    }
+#endif
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        /* mbedtls_ssl_read_record may have sent an alert already. We
+           let it decide whether to alert. */
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
+    {
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ret == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE &&
+            authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
+        {
+            ret = 0;
+        }
+#endif
+
+        ssl->state++;
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
+
+crt_verify:
+    if( ssl->handshake->ecrs_enabled)
+        rs_ctx = &ssl->handshake->ecrs_ctx;
+#endif
+
+    if( authmode != MBEDTLS_SSL_VERIFY_NONE )
+    {
+        mbedtls_x509_crt *ca_chain;
+        mbedtls_x509_crl *ca_crl;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+        if( ssl->handshake->sni_ca_chain != NULL )
+        {
+            ca_chain = ssl->handshake->sni_ca_chain;
+            ca_crl   = ssl->handshake->sni_ca_crl;
+        }
+        else
+#endif
+        {
+            ca_chain = ssl->conf->ca_chain;
+            ca_crl   = ssl->conf->ca_crl;
+        }
+
+        /*
+         * Main check: verify certificate
+         */
+        ret = mbedtls_x509_crt_verify_restartable(
+                                ssl->session_negotiate->peer_cert,
+                                ca_chain, ca_crl,
+                                ssl->conf->cert_profile,
+                                ssl->hostname,
+                               &ssl->session_negotiate->verify_result,
+                                ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
+        }
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
+#endif
+
+        /*
+         * Secondary checks: always done, but change 'ret' only if it was 0
+         */
+
+#if defined(MBEDTLS_ECP_C)
+        {
+            const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
+
+            /* If certificate uses an EC key, make sure the curve is OK */
+            if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
+                mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
+            {
+                ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
+                if( ret == 0 )
+                    ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+            }
+        }
+#endif /* MBEDTLS_ECP_C */
+
+        if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
+                                 ciphersuite_info,
+                                 ! ssl->conf->endpoint,
+                                 &ssl->session_negotiate->verify_result ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
+            if( ret == 0 )
+                ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
+        }
+
+        /* mbedtls_x509_crt_verify_with_profile is supposed to report a
+         * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
+         * with details encoded in the verification flags. All other kinds
+         * of error codes, including those from the user provided f_vrfy
+         * functions, are treated as fatal and lead to a failure of
+         * ssl_parse_certificate even if verification was optional. */
+        if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
+            ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
+              ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
+        {
+            ret = 0;
+        }
+
+        if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
+            ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
+        }
+
+        if( ret != 0 )
+        {
+            uint8_t alert;
+
+            /* The certificate may have been rejected for several reasons.
+               Pick one and send the corresponding alert. Which alert to send
+               may be a subject of debate in some cases. */
+            if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
+                alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
+                alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
+            else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
+                alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
+            else
+                alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            alert );
+        }
+
+#if defined(MBEDTLS_DEBUG_C)
+        if( ssl->session_negotiate->verify_result != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
+                                        ssl->session_negotiate->verify_result ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
+        }
+#endif /* MBEDTLS_DEBUG_C */
+    }
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
+
+    return( ret );
+}
+#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+          !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
+
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
+    ssl->out_msglen  = 1;
+    ssl->out_msg[0]  = 1;
+
+    ssl->state++;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
+
+    return( 0 );
+}
+
+int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /* CCS records are only accepted if they have length 1 and content '1',
+     * so we don't need to check this here. */
+
+    /*
+     * Switch to our negotiated transform and session parameters for inbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
+    ssl->transform_in = ssl->transform_negotiate;
+    ssl->session_in = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+        ssl_dtls_replay_reset( ssl );
+#endif
+
+        /* Increment epoch */
+        if( ++ssl->in_epoch == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
+            /* This is highly unlikely to happen for legitimate reasons, so
+               treat it as an attack and don't send an alert. */
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    memset( ssl->in_ctr, 0, 8 );
+
+    ssl_update_in_pointers( ssl, ssl->transform_negotiate );
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                            MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
+                            const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
+{
+    ((void) ciphersuite_info);
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
+        ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
+    else
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA512_C)
+    if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
+        ssl->handshake->update_checksum = ssl_update_checksum_sha384;
+    else
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
+        ssl->handshake->update_checksum = ssl_update_checksum_sha256;
+    else
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+        return;
+    }
+}
+
+void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_starts_ret( &ssl->handshake->fin_md5  );
+    mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
+                                       const unsigned char *buf, size_t len )
+{
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+    mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
+                                         const unsigned char *buf, size_t len )
+{
+     mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+    mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf, size_t len )
+{
+    mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
+}
+#endif
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
+                                        const unsigned char *buf, size_t len )
+{
+    mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
+}
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+static void ssl_calc_finished_ssl(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+
+    unsigned char padbuf[48];
+    unsigned char md5sum[16];
+    unsigned char sha1sum[20];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished ssl" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    /*
+     * SSLv3:
+     *   hash =
+     *      MD5( master + pad2 +
+     *          MD5( handshake + sender + master + pad1 ) )
+     *   + SHA1( master + pad2 +
+     *         SHA1( handshake + sender + master + pad1 ) )
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
+                    md5.state, sizeof(  md5.state ) );
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
+                   sha1.state, sizeof( sha1.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
+                                       : "SRVR";
+
+    memset( padbuf, 0x36, 48 );
+
+    mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
+    mbedtls_md5_update_ret( &md5, session->master, 48 );
+    mbedtls_md5_update_ret( &md5, padbuf, 48 );
+    mbedtls_md5_finish_ret( &md5, md5sum );
+
+    mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
+    mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
+    mbedtls_sha1_finish_ret( &sha1, sha1sum );
+
+    memset( padbuf, 0x5C, 48 );
+
+    mbedtls_md5_starts_ret( &md5 );
+    mbedtls_md5_update_ret( &md5, session->master, 48 );
+    mbedtls_md5_update_ret( &md5, padbuf, 48 );
+    mbedtls_md5_update_ret( &md5, md5sum, 16 );
+    mbedtls_md5_finish_ret( &md5, buf );
+
+    mbedtls_sha1_starts_ret( &sha1 );
+    mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+    mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
+    mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
+    mbedtls_sha1_finish_ret( &sha1, buf + 16 );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
+    mbedtls_platform_zeroize(  md5sum, sizeof(  md5sum ) );
+    mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+static void ssl_calc_finished_tls(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_md5_context  md5;
+    mbedtls_sha1_context sha1;
+    unsigned char padbuf[36];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls" ) );
+
+    mbedtls_md5_init( &md5 );
+    mbedtls_sha1_init( &sha1 );
+
+    mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
+    mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
+
+    /*
+     * TLSv1:
+     *   hash = PRF( master, finished_label,
+     *               MD5( handshake ) + SHA1( handshake ) )[0..11]
+     */
+
+#if !defined(MBEDTLS_MD5_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished  md5 state", (unsigned char *)
+                    md5.state, sizeof(  md5.state ) );
+#endif
+
+#if !defined(MBEDTLS_SHA1_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
+                   sha1.state, sizeof( sha1.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_md5_finish_ret(  &md5, padbuf );
+    mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 36, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_md5_free(  &md5  );
+    mbedtls_sha1_free( &sha1 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+static void ssl_calc_finished_tls_sha256(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_sha256_context sha256;
+    unsigned char padbuf[32];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    mbedtls_sha256_init( &sha256 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha256" ) );
+
+    mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA256_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
+                   sha256.state, sizeof( sha256.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_sha256_finish_ret( &sha256, padbuf );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 32, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_sha256_free( &sha256 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof(  padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+static void ssl_calc_finished_tls_sha384(
+                mbedtls_ssl_context *ssl, unsigned char *buf, int from )
+{
+    int len = 12;
+    const char *sender;
+    mbedtls_sha512_context sha512;
+    unsigned char padbuf[48];
+
+    mbedtls_ssl_session *session = ssl->session_negotiate;
+    if( !session )
+        session = ssl->session;
+
+    mbedtls_sha512_init( &sha512 );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc  finished tls sha384" ) );
+
+    mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
+
+    /*
+     * TLSv1.2:
+     *   hash = PRF( master, finished_label,
+     *               Hash( handshake ) )[0.11]
+     */
+
+#if !defined(MBEDTLS_SHA512_ALT)
+    MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
+                   sha512.state, sizeof( sha512.state ) );
+#endif
+
+    sender = ( from == MBEDTLS_SSL_IS_CLIENT )
+             ? "client finished"
+             : "server finished";
+
+    mbedtls_sha512_finish_ret( &sha512, padbuf );
+
+    ssl->handshake->tls_prf( session->master, 48, sender,
+                             padbuf, 48, buf, len );
+
+    MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
+
+    mbedtls_sha512_free( &sha512 );
+
+    mbedtls_platform_zeroize(  padbuf, sizeof( padbuf ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc  finished" ) );
+}
+#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
+{
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
+
+    /*
+     * Free our handshake params
+     */
+    mbedtls_ssl_handshake_free( ssl );
+    mbedtls_free( ssl->handshake );
+    ssl->handshake = NULL;
+
+    /*
+     * Free the previous transform and swith in the current one
+     */
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+    }
+    ssl->transform = ssl->transform_negotiate;
+    ssl->transform_negotiate = NULL;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
+}
+
+void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
+{
+    int resume = ssl->handshake->resume;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        ssl->renego_status =  MBEDTLS_SSL_RENEGOTIATION_DONE;
+        ssl->renego_records_seen = 0;
+    }
+#endif
+
+    /*
+     * Free the previous session and switch in the current one
+     */
+    if( ssl->session )
+    {
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+        /* RFC 7366 3.1: keep the EtM state */
+        ssl->session_negotiate->encrypt_then_mac =
+                  ssl->session->encrypt_then_mac;
+#endif
+
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+    }
+    ssl->session = ssl->session_negotiate;
+    ssl->session_negotiate = NULL;
+
+    /*
+     * Add cache entry
+     */
+    if( ssl->conf->f_set_cache != NULL &&
+        ssl->session->id_len != 0 &&
+        resume == 0 )
+    {
+        if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->handshake->flight != NULL )
+    {
+        /* Cancel handshake timer */
+        ssl_set_timer( ssl, 0 );
+
+        /* Keep last flight around in case we need to resend it:
+         * we need the handshake and transform structures for that */
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
+    }
+    else
+#endif
+        ssl_handshake_wrapup_free_hs_transform( ssl );
+
+    ssl->state++;
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
+}
+
+int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
+{
+    int ret, hash_len;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
+
+    ssl_update_out_pointers( ssl, ssl->transform_negotiate );
+
+    ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
+
+    /*
+     * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
+     * may define some other value. Currently (early 2016), no defined
+     * ciphersuite does this (and this is unlikely to change as activity has
+     * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
+     */
+    hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
+#endif
+
+    ssl->out_msglen  = 4 + hash_len;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_FINISHED;
+
+    /*
+     * In case of session resuming, invert the client and server
+     * ChangeCipherSpec messages order.
+     */
+    if( ssl->handshake->resume != 0 )
+    {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+    }
+    else
+        ssl->state++;
+
+    /*
+     * Switch to our negotiated transform and session parameters for outbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        unsigned char i;
+
+        /* Remember current epoch settings for resending */
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+        memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
+
+        /* Set sequence_number to zero */
+        memset( ssl->cur_out_ctr + 2, 0, 6 );
+
+        /* Increment epoch */
+        for( i = 2; i > 0; i-- )
+            if( ++ssl->cur_out_ctr[i - 1] != 0 )
+                break;
+
+        /* The loop goes to its end iff the counter is wrapping */
+        if( i == 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
+            return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
+        }
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    memset( ssl->cur_out_ctr, 0, 8 );
+
+    ssl->transform_out = ssl->transform_negotiate;
+    ssl->session_out = ssl->session_negotiate;
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_activate != NULL )
+    {
+        if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_send_flight_completed( ssl );
+#endif
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
+        return( ret );
+    }
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+#define SSL_MAX_HASH_LEN 36
+#else
+#define SSL_MAX_HASH_LEN 12
+#endif
+
+int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
+{
+    int ret;
+    unsigned int hash_len;
+    unsigned char buf[SSL_MAX_HASH_LEN];
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
+
+    ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
+
+    if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+        return( ret );
+    }
+
+    if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+        return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+    }
+
+    /* There is currently no ciphersuite using another length with TLS 1.2 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        hash_len = 36;
+    else
+#endif
+        hash_len = 12;
+
+    if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
+        ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
+    }
+
+    if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
+                      buf, hash_len ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+        return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
+    }
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->verify_data_len = hash_len;
+    memcpy( ssl->peer_verify_data, buf, hash_len );
+#endif
+
+    if( ssl->handshake->resume != 0 )
+    {
+#if defined(MBEDTLS_SSL_CLI_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
+#endif
+    }
+    else
+        ssl->state++;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        mbedtls_ssl_recv_flight_completed( ssl );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
+
+    return( 0 );
+}
+
+static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
+{
+    memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+     mbedtls_md5_init(   &handshake->fin_md5  );
+    mbedtls_sha1_init(   &handshake->fin_sha1 );
+     mbedtls_md5_starts_ret( &handshake->fin_md5  );
+    mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_init(   &handshake->fin_sha256    );
+    mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_init(   &handshake->fin_sha512    );
+    mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    handshake->update_checksum = ssl_update_checksum_start;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_init( &handshake->dhm_ctx );
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_init( &handshake->ecdh_ctx );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
+#if defined(MBEDTLS_SSL_CLI_C)
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
+#endif
+}
+
+static void ssl_transform_init( mbedtls_ssl_transform *transform )
+{
+    memset( transform, 0, sizeof(mbedtls_ssl_transform) );
+
+    mbedtls_cipher_init( &transform->cipher_ctx_enc );
+    mbedtls_cipher_init( &transform->cipher_ctx_dec );
+
+    mbedtls_md_init( &transform->md_ctx_enc );
+    mbedtls_md_init( &transform->md_ctx_dec );
+}
+
+void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
+{
+    memset( session, 0, sizeof(mbedtls_ssl_session) );
+}
+
+static int ssl_handshake_init( mbedtls_ssl_context *ssl )
+{
+    /* Clear old handshake information if present */
+    if( ssl->transform_negotiate )
+        mbedtls_ssl_transform_free( ssl->transform_negotiate );
+    if( ssl->session_negotiate )
+        mbedtls_ssl_session_free( ssl->session_negotiate );
+    if( ssl->handshake )
+        mbedtls_ssl_handshake_free( ssl );
+
+    /*
+     * Either the pointers are now NULL or cleared properly and can be freed.
+     * Now allocate missing structures.
+     */
+    if( ssl->transform_negotiate == NULL )
+    {
+        ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
+    }
+
+    if( ssl->session_negotiate == NULL )
+    {
+        ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
+    }
+
+    if( ssl->handshake == NULL )
+    {
+        ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
+    }
+
+    /* All pointers should exist and can be directly freed without issue */
+    if( ssl->handshake == NULL ||
+        ssl->transform_negotiate == NULL ||
+        ssl->session_negotiate == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
+
+        mbedtls_free( ssl->handshake );
+        mbedtls_free( ssl->transform_negotiate );
+        mbedtls_free( ssl->session_negotiate );
+
+        ssl->handshake = NULL;
+        ssl->transform_negotiate = NULL;
+        ssl->session_negotiate = NULL;
+
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    /* Initialize structures */
+    mbedtls_ssl_session_init( ssl->session_negotiate );
+    ssl_transform_init( ssl->transform_negotiate );
+    ssl_handshake_params_init( ssl->handshake );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+        else
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+
+        ssl_set_timer( ssl, 0 );
+    }
+#endif
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+/* Dummy cookie callbacks for defaults */
+static int ssl_cookie_write_dummy( void *ctx,
+                      unsigned char **p, unsigned char *end,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    ((void) ctx);
+    ((void) p);
+    ((void) end);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
+
+static int ssl_cookie_check_dummy( void *ctx,
+                      const unsigned char *cookie, size_t cookie_len,
+                      const unsigned char *cli_id, size_t cli_id_len )
+{
+    ((void) ctx);
+    ((void) cookie);
+    ((void) cookie_len);
+    ((void) cli_id);
+    ((void) cli_id_len);
+
+    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+}
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
+
+/* Once ssl->out_hdr as the address of the beginning of the
+ * next outgoing record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->out_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
+                                     mbedtls_ssl_transform *transform )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_ctr = ssl->out_hdr +  3;
+        ssl->out_len = ssl->out_hdr + 11;
+        ssl->out_iv  = ssl->out_hdr + 13;
+    }
+    else
+#endif
+    {
+        ssl->out_ctr = ssl->out_hdr - 8;
+        ssl->out_len = ssl->out_hdr + 3;
+        ssl->out_iv  = ssl->out_hdr + 5;
+    }
+
+    /* Adjust out_msg to make space for explicit IV, if used. */
+    if( transform != NULL &&
+        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
+    }
+    else
+        ssl->out_msg = ssl->out_iv;
+}
+
+/* Once ssl->in_hdr as the address of the beginning of the
+ * next incoming record is set, deduce the other pointers.
+ *
+ * Note: For TLS, we save the implicit record sequence number
+ *       (entering MAC computation) in the 8 bytes before ssl->in_hdr,
+ *       and the caller has to make sure there's space for this.
+ */
+
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
+                                    mbedtls_ssl_transform *transform )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->in_ctr = ssl->in_hdr +  3;
+        ssl->in_len = ssl->in_hdr + 11;
+        ssl->in_iv  = ssl->in_hdr + 13;
+    }
+    else
+#endif
+    {
+        ssl->in_ctr = ssl->in_hdr - 8;
+        ssl->in_len = ssl->in_hdr + 3;
+        ssl->in_iv  = ssl->in_hdr + 5;
+    }
+
+    /* Offset in_msg from in_iv to allow space for explicit IV, if used. */
+    if( transform != NULL &&
+        ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+    {
+        ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
+    }
+    else
+        ssl->in_msg = ssl->in_iv;
+}
+
+/*
+ * Initialize an SSL context
+ */
+void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
+{
+    memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
+}
+
+/*
+ * Setup an SSL context
+ */
+
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
+{
+    /* Set the incoming and outgoing record pointers. */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->out_hdr = ssl->out_buf;
+        ssl->in_hdr  = ssl->in_buf;
+    }
+    else
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    {
+        ssl->out_hdr = ssl->out_buf + 8;
+        ssl->in_hdr  = ssl->in_buf  + 8;
+    }
+
+    /* Derive other internal pointers. */
+    ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
+    ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
+}
+
+int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
+                       const mbedtls_ssl_config *conf )
+{
+    int ret;
+
+    ssl->conf = conf;
+
+    /*
+     * Prepare base structures
+     */
+
+    /* Set to NULL in case of an error condition */
+    ssl->out_buf = NULL;
+
+    ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
+    if( ssl->in_buf == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
+    }
+
+    ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
+    if( ssl->out_buf == NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
+    }
+
+    ssl_reset_in_out_pointers( ssl );
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        goto error;
+
+    return( 0 );
+
+error:
+    mbedtls_free( ssl->in_buf );
+    mbedtls_free( ssl->out_buf );
+
+    ssl->conf = NULL;
+
+    ssl->in_buf = NULL;
+    ssl->out_buf = NULL;
+
+    ssl->in_hdr = NULL;
+    ssl->in_ctr = NULL;
+    ssl->in_len = NULL;
+    ssl->in_iv = NULL;
+    ssl->in_msg = NULL;
+
+    ssl->out_hdr = NULL;
+    ssl->out_ctr = NULL;
+    ssl->out_len = NULL;
+    ssl->out_iv = NULL;
+    ssl->out_msg = NULL;
+
+    return( ret );
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ *
+ * If partial is non-zero, keep data in the input buffer and client ID.
+ * (Use when a DTLS client reconnects from the same port.)
+ */
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
+{
+    int ret;
+
+#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) ||     \
+    !defined(MBEDTLS_SSL_SRV_C)
+    ((void) partial);
+#endif
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+
+    /* Cancel any possibly running timer */
+    ssl_set_timer( ssl, 0 );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
+    ssl->renego_records_seen = 0;
+
+    ssl->verify_data_len = 0;
+    memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+    memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
+#endif
+    ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
+
+    ssl->in_offt = NULL;
+    ssl_reset_in_out_pointers( ssl );
+
+    ssl->in_msgtype = 0;
+    ssl->in_msglen = 0;
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    ssl->next_record_offset = 0;
+    ssl->in_epoch = 0;
+#endif
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    ssl_dtls_replay_reset( ssl );
+#endif
+
+    ssl->in_hslen = 0;
+    ssl->nb_zero = 0;
+
+    ssl->keep_current_message = 0;
+
+    ssl->out_msgtype = 0;
+    ssl->out_msglen = 0;
+    ssl->out_left = 0;
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
+        ssl->split_done = 0;
+#endif
+
+    memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
+
+    ssl->transform_in = NULL;
+    ssl->transform_out = NULL;
+
+    ssl->session_in = NULL;
+    ssl->session_out = NULL;
+
+    memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
+
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
+    if( partial == 0 )
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
+    {
+        ssl->in_left = 0;
+        memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
+    }
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_reset != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
+        if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
+            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        }
+    }
+#endif
+
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+        ssl->transform = NULL;
+    }
+
+    if( ssl->session )
+    {
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+        ssl->session = NULL;
+    }
+
+#if defined(MBEDTLS_SSL_ALPN)
+    ssl->alpn_chosen = NULL;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    if( partial == 0 )
+#endif
+    {
+        mbedtls_free( ssl->cli_id );
+        ssl->cli_id = NULL;
+        ssl->cli_id_len = 0;
+    }
+#endif
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+/*
+ * Reset an initialized and used SSL context for re-use while retaining
+ * all application-set variables, function pointers and data.
+ */
+int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
+{
+    return( ssl_session_reset_int( ssl, 0 ) );
+}
+
+/*
+ * SSL set accessors
+ */
+void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
+{
+    conf->endpoint   = endpoint;
+}
+
+void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
+{
+    conf->transport = transport;
+}
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
+{
+    conf->anti_replay = mode;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
+{
+    conf->badmac_limit = limit;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
+                                       unsigned allow_packing )
+{
+    ssl->disable_datagram_packing = !allow_packing;
+}
+
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
+                                         uint32_t min, uint32_t max )
+{
+    conf->hs_timeout_min = min;
+    conf->hs_timeout_max = max;
+}
+#endif
+
+void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
+{
+    conf->authmode   = authmode;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    conf->f_vrfy      = f_vrfy;
+    conf->p_vrfy      = p_vrfy;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    conf->f_rng      = f_rng;
+    conf->p_rng      = p_rng;
+}
+
+void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
+                  void (*f_dbg)(void *, int, const char *, int, const char *),
+                  void  *p_dbg )
+{
+    conf->f_dbg      = f_dbg;
+    conf->p_dbg      = p_dbg;
+}
+
+void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
+        void *p_bio,
+        mbedtls_ssl_send_t *f_send,
+        mbedtls_ssl_recv_t *f_recv,
+        mbedtls_ssl_recv_timeout_t *f_recv_timeout )
+{
+    ssl->p_bio          = p_bio;
+    ssl->f_send         = f_send;
+    ssl->f_recv         = f_recv;
+    ssl->f_recv_timeout = f_recv_timeout;
+}
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
+{
+    ssl->mtu = mtu;
+}
+#endif
+
+void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
+{
+    conf->read_timeout   = timeout;
+}
+
+void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
+                               void *p_timer,
+                               mbedtls_ssl_set_timer_t *f_set_timer,
+                               mbedtls_ssl_get_timer_t *f_get_timer )
+{
+    ssl->p_timer        = p_timer;
+    ssl->f_set_timer    = f_set_timer;
+    ssl->f_get_timer    = f_get_timer;
+
+    /* Make sure we start with no timer running */
+    ssl_set_timer( ssl, 0 );
+}
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
+        void *p_cache,
+        int (*f_get_cache)(void *, mbedtls_ssl_session *),
+        int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
+{
+    conf->p_cache = p_cache;
+    conf->f_get_cache = f_get_cache;
+    conf->f_set_cache = f_set_cache;
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
+{
+    int ret;
+
+    if( ssl == NULL ||
+        session == NULL ||
+        ssl->session_negotiate == NULL ||
+        ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
+        return( ret );
+
+    ssl->handshake->resume = 1;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
+                                   const int *ciphersuites )
+{
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
+    conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
+}
+
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
+                                       const int *ciphersuites,
+                                       int major, int minor )
+{
+    if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
+        return;
+
+    if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
+        return;
+
+    conf->ciphersuite_list[minor] = ciphersuites;
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
+                                    const mbedtls_x509_crt_profile *profile )
+{
+    conf->cert_profile = profile;
+}
+
+/* Append a new keycert entry to a (possibly empty) list */
+static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
+                                mbedtls_x509_crt *cert,
+                                mbedtls_pk_context *key )
+{
+    mbedtls_ssl_key_cert *new_cert;
+
+    new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
+    if( new_cert == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    new_cert->cert = cert;
+    new_cert->key  = key;
+    new_cert->next = NULL;
+
+    /* Update head is the list was null, else add to the end */
+    if( *head == NULL )
+    {
+        *head = new_cert;
+    }
+    else
+    {
+        mbedtls_ssl_key_cert *cur = *head;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = new_cert;
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
+}
+
+void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
+                               mbedtls_x509_crt *ca_chain,
+                               mbedtls_x509_crl *ca_crl )
+{
+    conf->ca_chain   = ca_chain;
+    conf->ca_crl     = ca_crl;
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
+                                 mbedtls_x509_crt *own_cert,
+                                 mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
+                                 own_cert, pk_key ) );
+}
+
+void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
+                                  mbedtls_x509_crt *ca_chain,
+                                  mbedtls_x509_crl *ca_crl )
+{
+    ssl->handshake->sni_ca_chain   = ca_chain;
+    ssl->handshake->sni_ca_crl     = ca_crl;
+}
+
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
+                                  int authmode )
+{
+    ssl->handshake->sni_authmode = authmode;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+/*
+ * Set EC J-PAKE password for current handshake
+ */
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
+                                         const unsigned char *pw,
+                                         size_t pw_len )
+{
+    mbedtls_ecjpake_role role;
+
+    if( ssl->handshake == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        role = MBEDTLS_ECJPAKE_SERVER;
+    else
+        role = MBEDTLS_ECJPAKE_CLIENT;
+
+    return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
+                                   role,
+                                   MBEDTLS_MD_SHA256,
+                                   MBEDTLS_ECP_DP_SECP256R1,
+                                   pw, pw_len ) );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
+                const unsigned char *psk, size_t psk_len,
+                const unsigned char *psk_identity, size_t psk_identity_len )
+{
+    if( psk == NULL || psk_identity == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( psk_len > MBEDTLS_PSK_MAX_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    /* Identity len will be encoded on two bytes */
+    if( ( psk_identity_len >> 16 ) != 0 ||
+        psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    if( conf->psk != NULL )
+    {
+        mbedtls_platform_zeroize( conf->psk, conf->psk_len );
+
+        mbedtls_free( conf->psk );
+        conf->psk = NULL;
+        conf->psk_len = 0;
+    }
+    if( conf->psk_identity != NULL )
+    {
+        mbedtls_free( conf->psk_identity );
+        conf->psk_identity = NULL;
+        conf->psk_identity_len = 0;
+    }
+
+    if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ||
+        ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
+    {
+        mbedtls_free( conf->psk );
+        mbedtls_free( conf->psk_identity );
+        conf->psk = NULL;
+        conf->psk_identity = NULL;
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    conf->psk_len = psk_len;
+    conf->psk_identity_len = psk_identity_len;
+
+    memcpy( conf->psk, psk, conf->psk_len );
+    memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
+
+    return( 0 );
+}
+
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
+                            const unsigned char *psk, size_t psk_len )
+{
+    if( psk == NULL || ssl->handshake == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( psk_len > MBEDTLS_PSK_MAX_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    if( ssl->handshake->psk != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->handshake->psk,
+                                  ssl->handshake->psk_len );
+        mbedtls_free( ssl->handshake->psk );
+        ssl->handshake->psk_len = 0;
+    }
+
+    if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    ssl->handshake->psk_len = psk_len;
+    memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
+                     int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
+                     size_t),
+                     void *p_psk )
+{
+    conf->f_psk = f_psk;
+    conf->p_psk = p_psk;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
+                                   const unsigned char *dhm_P, size_t P_len,
+                                   const unsigned char *dhm_G, size_t G_len )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
+        ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
+        ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
+    {
+        mbedtls_mpi_free( &conf->dhm_P );
+        mbedtls_mpi_free( &conf->dhm_G );
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+/*
+ * Set the minimum length for Diffie-Hellman parameters
+ */
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
+                                      unsigned int bitlen )
+{
+    conf->dhm_min_bitlen = bitlen;
+}
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Set allowed/preferred hashes for handshake signatures
+ */
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
+                                  const int *hashes )
+{
+    conf->sig_hashes = hashes;
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Set the allowed elliptic curves
+ */
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
+                             const mbedtls_ecp_group_id *curve_list )
+{
+    conf->curve_list = curve_list;
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
+{
+    /* Initialize to suppress unnecessary compiler warning */
+    size_t hostname_len = 0;
+
+    /* Check if new hostname is valid before
+     * making any change to current one */
+    if( hostname != NULL )
+    {
+        hostname_len = strlen( hostname );
+
+        if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    /* Now it's clear that we will overwrite the old hostname,
+     * so we can free it safely */
+
+    if( ssl->hostname != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_free( ssl->hostname );
+    }
+
+    /* Passing NULL as hostname shall clear the old one */
+
+    if( hostname == NULL )
+    {
+        ssl->hostname = NULL;
+    }
+    else
+    {
+        ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
+        if( ssl->hostname == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        memcpy( ssl->hostname, hostname, hostname_len );
+
+        ssl->hostname[hostname_len] = '\0';
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
+                  int (*f_sni)(void *, mbedtls_ssl_context *,
+                                const unsigned char *, size_t),
+                  void *p_sni )
+{
+    conf->f_sni = f_sni;
+    conf->p_sni = p_sni;
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL_ALPN)
+int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
+{
+    size_t cur_len, tot_len;
+    const char **p;
+
+    /*
+     * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
+     * MUST NOT be truncated."
+     * We check lengths now rather than later.
+     */
+    tot_len = 0;
+    for( p = protos; *p != NULL; p++ )
+    {
+        cur_len = strlen( *p );
+        tot_len += cur_len;
+
+        if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    conf->alpn_list = protos;
+
+    return( 0 );
+}
+
+const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
+{
+    return( ssl->alpn_chosen );
+}
+#endif /* MBEDTLS_SSL_ALPN */
+
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
+{
+    conf->max_major_ver = major;
+    conf->max_minor_ver = minor;
+}
+
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
+{
+    conf->min_major_ver = major;
+    conf->min_minor_ver = minor;
+}
+
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
+{
+    conf->fallback = fallback;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
+                                          char cert_req_ca_list )
+{
+    conf->cert_req_ca_list = cert_req_ca_list;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
+{
+    conf->encrypt_then_mac = etm;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
+{
+    conf->extended_ms = ems;
+}
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
+{
+    conf->arc4_disabled = arc4;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
+{
+    if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
+        ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    conf->mfl_code = mfl_code;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
+{
+    conf->trunc_hmac = truncate;
+}
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
+{
+    conf->cbc_record_splitting = split;
+}
+#endif
+
+void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
+{
+    conf->allow_legacy_renegotiation = allow_legacy;
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
+{
+    conf->disable_renegotiation = renegotiation;
+}
+
+void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
+{
+    conf->renego_max_records = max_records;
+}
+
+void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
+                                   const unsigned char period[8] )
+{
+    memcpy( conf->renego_period, period, 8 );
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if defined(MBEDTLS_SSL_CLI_C)
+void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
+{
+    conf->session_tickets = use_tickets;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_ticket_write_t *f_ticket_write,
+        mbedtls_ssl_ticket_parse_t *f_ticket_parse,
+        void *p_ticket )
+{
+    conf->f_ticket_write = f_ticket_write;
+    conf->f_ticket_parse = f_ticket_parse;
+    conf->p_ticket       = p_ticket;
+}
+#endif
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
+        mbedtls_ssl_export_keys_t *f_export_keys,
+        void *p_export_keys )
+{
+    conf->f_export_keys = f_export_keys;
+    conf->p_export_keys = p_export_keys;
+}
+#endif
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+void mbedtls_ssl_conf_async_private_cb(
+    mbedtls_ssl_config *conf,
+    mbedtls_ssl_async_sign_t *f_async_sign,
+    mbedtls_ssl_async_decrypt_t *f_async_decrypt,
+    mbedtls_ssl_async_resume_t *f_async_resume,
+    mbedtls_ssl_async_cancel_t *f_async_cancel,
+    void *async_config_data )
+{
+    conf->f_async_sign_start = f_async_sign;
+    conf->f_async_decrypt_start = f_async_decrypt;
+    conf->f_async_resume = f_async_resume;
+    conf->f_async_cancel = f_async_cancel;
+    conf->p_async_config_data = async_config_data;
+}
+
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
+{
+    return( conf->p_async_config_data );
+}
+
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
+{
+    if( ssl->handshake == NULL )
+        return( NULL );
+    else
+        return( ssl->handshake->user_async_ctx );
+}
+
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
+                                 void *ctx )
+{
+    if( ssl->handshake != NULL )
+        ssl->handshake->user_async_ctx = ctx;
+}
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+/*
+ * SSL get accessors
+ */
+size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
+{
+    return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
+}
+
+int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
+{
+    /*
+     * Case A: We're currently holding back
+     * a message for further processing.
+     */
+
+    if( ssl->keep_current_message == 1 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
+        return( 1 );
+    }
+
+    /*
+     * Case B: Further records are pending in the current datagram.
+     */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->in_left > ssl->next_record_offset )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
+        return( 1 );
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+    /*
+     * Case C: A handshake message is being processed.
+     */
+
+    if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
+        return( 1 );
+    }
+
+    /*
+     * Case D: An application data message is being processed
+     */
+    if( ssl->in_offt != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
+        return( 1 );
+    }
+
+    /*
+     * In all other cases, the rest of the message can be dropped.
+     * As in ssl_get_next_record, this needs to be adapted if
+     * we implement support for multiple alerts in single records.
+     */
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
+    return( 0 );
+}
+
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
+{
+    if( ssl->session != NULL )
+        return( ssl->session->verify_result );
+
+    if( ssl->session_negotiate != NULL )
+        return( ssl->session_negotiate->verify_result );
+
+    return( 0xFFFFFFFF );
+}
+
+const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL || ssl->session == NULL )
+        return( NULL );
+
+    return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
+}
+
+const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        switch( ssl->minor_ver )
+        {
+            case MBEDTLS_SSL_MINOR_VERSION_2:
+                return( "DTLSv1.0" );
+
+            case MBEDTLS_SSL_MINOR_VERSION_3:
+                return( "DTLSv1.2" );
+
+            default:
+                return( "unknown (DTLS)" );
+        }
+    }
+#endif
+
+    switch( ssl->minor_ver )
+    {
+        case MBEDTLS_SSL_MINOR_VERSION_0:
+            return( "SSLv3.0" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_1:
+            return( "TLSv1.0" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_2:
+            return( "TLSv1.1" );
+
+        case MBEDTLS_SSL_MINOR_VERSION_3:
+            return( "TLSv1.2" );
+
+        default:
+            return( "unknown" );
+    }
+}
+
+int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
+{
+    size_t transform_expansion = 0;
+    const mbedtls_ssl_transform *transform = ssl->transform_out;
+    unsigned block_size;
+
+    if( transform == NULL )
+        return( (int) mbedtls_ssl_hdr_len( ssl ) );
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
+        return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+#endif
+
+    switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
+    {
+        case MBEDTLS_MODE_GCM:
+        case MBEDTLS_MODE_CCM:
+        case MBEDTLS_MODE_CHACHAPOLY:
+        case MBEDTLS_MODE_STREAM:
+            transform_expansion = transform->minlen;
+            break;
+
+        case MBEDTLS_MODE_CBC:
+
+            block_size = mbedtls_cipher_get_block_size(
+                &transform->cipher_ctx_enc );
+
+            /* Expansion due to the addition of the MAC. */
+            transform_expansion += transform->maclen;
+
+            /* Expansion due to the addition of CBC padding;
+             * Theoretically up to 256 bytes, but we never use
+             * more than the block size of the underlying cipher. */
+            transform_expansion += block_size;
+
+            /* For TLS 1.1 or higher, an explicit IV is added
+             * after the record header. */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
+            if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
+                transform_expansion += block_size;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
+
+            break;
+
+        default:
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
+
+    return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
+}
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
+{
+    size_t max_len;
+
+    /*
+     * Assume mfl_code is correct since it was checked when set
+     */
+    max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
+
+    /* Check if a smaller max length was negotiated */
+    if( ssl->session_out != NULL &&
+        ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
+    {
+        max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
+    }
+
+    /* During a handshake, use the value being negotiated */
+    if( ssl->session_negotiate != NULL &&
+        ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
+    {
+        max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
+    }
+
+    return( max_len );
+}
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
+{
+    /* Return unlimited mtu for client hello messages to avoid fragmentation. */
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+        ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
+          ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
+        return ( 0 );
+
+    if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
+        return( ssl->mtu );
+
+    if( ssl->mtu == 0 )
+        return( ssl->handshake->mtu );
+
+    return( ssl->mtu < ssl->handshake->mtu ?
+            ssl->mtu : ssl->handshake->mtu );
+}
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
+{
+    size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    (void) ssl;
+#endif
+
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
+
+    if( max_len > mfl )
+        max_len = mfl;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl_get_current_mtu( ssl ) != 0 )
+    {
+        const size_t mtu = ssl_get_current_mtu( ssl );
+        const int ret = mbedtls_ssl_get_record_expansion( ssl );
+        const size_t overhead = (size_t) ret;
+
+        if( ret < 0 )
+            return( ret );
+
+        if( mtu <= overhead )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
+            return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+        }
+
+        if( max_len > mtu - overhead )
+            max_len = mtu - overhead;
+    }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) &&        \
+    !defined(MBEDTLS_SSL_PROTO_DTLS)
+    ((void) ssl);
+#endif
+
+    return( (int) max_len );
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL || ssl->session == NULL )
+        return( NULL );
+
+    return( ssl->session->peer_cert );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst )
+{
+    if( ssl == NULL ||
+        dst == NULL ||
+        ssl->session == NULL ||
+        ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
+    {
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    }
+
+    return( ssl_session_copy( dst, ssl->session ) );
+}
+#endif /* MBEDTLS_SSL_CLI_C */
+
+/*
+ * Perform a single step of the SSL handshake
+ */
+int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+        ret = mbedtls_ssl_handshake_client_step( ssl );
+#endif
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+        ret = mbedtls_ssl_handshake_server_step( ssl );
+#endif
+
+    return( ret );
+}
+
+/*
+ * Perform the SSL handshake
+ */
+int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
+
+    while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        ret = mbedtls_ssl_handshake_step( ssl );
+
+        if( ret != 0 )
+            break;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
+
+    return( ret );
+}
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+#if defined(MBEDTLS_SSL_SRV_C)
+/*
+ * Write HelloRequest to request renegotiation on server
+ */
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
+
+    ssl->out_msglen  = 4;
+    ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
+    ssl->out_msg[0]  = MBEDTLS_SSL_HS_HELLO_REQUEST;
+
+    if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SRV_C */
+
+/*
+ * Actually renegotiate current connection, triggered by either:
+ * - any side: calling mbedtls_ssl_renegotiate(),
+ * - client: receiving a HelloRequest during mbedtls_ssl_read(),
+ * - server: receiving any handshake message on server during mbedtls_ssl_read() after
+ *   the initial handshake is completed.
+ * If the handshake doesn't complete due to waiting for I/O, it will continue
+ * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
+ */
+static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
+
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
+        return( ret );
+
+    /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
+     * the ServerHello will have message_seq = 1" */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+    {
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+            ssl->handshake->out_msg_seq = 1;
+        else
+            ssl->handshake->in_msg_seq = 1;
+    }
+#endif
+
+    ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
+    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
+
+    if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+        return( ret );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
+
+    return( 0 );
+}
+
+/*
+ * Renegotiate current connection on client,
+ * or request renegotiation on server
+ */
+int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    /* On server, just send the request */
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+
+        /* Did we already try/start sending HelloRequest? */
+        if( ssl->out_left != 0 )
+            return( mbedtls_ssl_flush_output( ssl ) );
+
+        return( ssl_write_hello_request( ssl ) );
+    }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+    /*
+     * On client, either start the renegotiation process or,
+     * if already in progress, continue the handshake
+     */
+    if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+    {
+        if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+        if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
+            return( ret );
+        }
+    }
+    else
+    {
+        if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+    return( ret );
+}
+
+/*
+ * Check record counters and renegotiate if they're above the limit.
+ */
+static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
+{
+    size_t ep_len = ssl_ep_len( ssl );
+    int in_ctr_cmp;
+    int out_ctr_cmp;
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
+        ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
+        ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
+    {
+        return( 0 );
+    }
+
+    in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
+                        ssl->conf->renego_period + ep_len, 8 - ep_len );
+    out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
+                          ssl->conf->renego_period + ep_len, 8 - ep_len );
+
+    if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
+    {
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
+    return( mbedtls_ssl_renegotiate( ssl ) );
+}
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+/*
+ * Receive application data decrypted from the SSL layer
+ */
+int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
+{
+    int ret;
+    size_t n;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+            return( ret );
+
+        if( ssl->handshake != NULL &&
+            ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
+        {
+            if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
+                return( ret );
+        }
+    }
+#endif
+
+    /*
+     * Check if renegotiation is necessary and/or handshake is
+     * in process. If yes, perform/continue, and fall through
+     * if an unexpected packet is received while the client
+     * is waiting for the ServerHello.
+     *
+     * (There is no equivalent to the last condition on
+     *  the server-side as it is not treated as within
+     *  a handshake while waiting for the ClientHello
+     *  after a renegotiation request.)
+     */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    ret = ssl_check_ctr_renegotiate( ssl );
+    if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+        ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        ret = mbedtls_ssl_handshake( ssl );
+        if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+            ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+
+    /* Loop as long as no application data record is available */
+    while( ssl->in_offt == NULL )
+    {
+        /* Start timer if not already running */
+        if( ssl->f_get_timer != NULL &&
+            ssl->f_get_timer( ssl->p_timer ) == -1 )
+        {
+            ssl_set_timer( ssl, ssl->conf->read_timeout );
+        }
+
+        if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+        {
+            if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
+                return( 0 );
+
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+            return( ret );
+        }
+
+        if( ssl->in_msglen  == 0 &&
+            ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            /*
+             * OpenSSL sends empty messages to randomize the IV
+             */
+            if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
+            {
+                if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
+                    return( 0 );
+
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
+                return( ret );
+            }
+        }
+
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
+
+            /*
+             * - For client-side, expect SERVER_HELLO_REQUEST.
+             * - For server-side, expect CLIENT_HELLO.
+             * - Fail (TLS) or silently drop record (DTLS) in other cases.
+             */
+
+#if defined(MBEDTLS_SSL_CLI_C)
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+                ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
+                  ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ) )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                {
+                    continue;
+                }
+#endif
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+            if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+                ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
+            {
+                MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                {
+                    continue;
+                }
+#endif
+                return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+#endif /* MBEDTLS_SSL_SRV_C */
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+            /* Determine whether renegotiation attempt should be accepted */
+            if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
+                    ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
+                      ssl->conf->allow_legacy_renegotiation ==
+                                                   MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
+            {
+                /*
+                 * Accept renegotiation request
+                 */
+
+                /* DTLS clients need to know renego is server-initiated */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+                if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+                    ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+                {
+                    ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
+                }
+#endif
+                ret = ssl_start_renegotiation( ssl );
+                if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+                    ret != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
+                    return( ret );
+                }
+            }
+            else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+            {
+                /*
+                 * Refuse renegotiation
+                 */
+
+                MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+                if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+                {
+                    /* SSLv3 does not have a "no_renegotiation" warning, so
+                       we send a fatal alert and abort the connection. */
+                    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                                    MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+                    return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+                }
+                else
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+                if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
+                {
+                    if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                                    MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                                    MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
+                    {
+                        return( ret );
+                    }
+                }
+                else
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+                    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+                }
+            }
+
+            /* At this point, we don't know whether the renegotiation has been
+             * completed or not. The cases to consider are the following:
+             * 1) The renegotiation is complete. In this case, no new record
+             *    has been read yet.
+             * 2) The renegotiation is incomplete because the client received
+             *    an application data record while awaiting the ServerHello.
+             * 3) The renegotiation is incomplete because the client received
+             *    a non-handshake, non-application data message while awaiting
+             *    the ServerHello.
+             * In each of these case, looping will be the proper action:
+             * - For 1), the next iteration will read a new record and check
+             *   if it's application data.
+             * - For 2), the loop condition isn't satisfied as application data
+             *   is present, hence continue is the same as break
+             * - For 3), the loop condition is satisfied and read_record
+             *   will re-deliver the message that was held back by the client
+             *   when expecting the ServerHello.
+             */
+            continue;
+        }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+        else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+        {
+            if( ssl->conf->renego_max_records >= 0 )
+            {
+                if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
+                {
+                    MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
+                                        "but not honored by client" ) );
+                    return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+                }
+            }
+        }
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+        /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
+        if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
+            return( MBEDTLS_ERR_SSL_WANT_READ );
+        }
+
+        if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
+            return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
+        }
+
+        ssl->in_offt = ssl->in_msg;
+
+        /* We're going to return something now, cancel timer,
+         * except if handshake (renegotiation) is in progress */
+        if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+            ssl_set_timer( ssl, 0 );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        /* If we requested renego but received AppData, resend HelloRequest.
+         * Do it now, after setting in_offt, to avoid taking this branch
+         * again if ssl_write_hello_request() returns WANT_WRITE */
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
+            ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
+        {
+            if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
+                return( ret );
+            }
+        }
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+    }
+
+    n = ( len < ssl->in_msglen )
+        ? len : ssl->in_msglen;
+
+    memcpy( buf, ssl->in_offt, n );
+    ssl->in_msglen -= n;
+
+    if( ssl->in_msglen == 0 )
+    {
+        /* all bytes consumed */
+        ssl->in_offt = NULL;
+        ssl->keep_current_message = 0;
+    }
+    else
+    {
+        /* more data available */
+        ssl->in_offt += n;
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
+
+    return( (int) n );
+}
+
+/*
+ * Send application data to be encrypted by the SSL layer, taking care of max
+ * fragment length and buffer size.
+ *
+ * According to RFC 5246 Section 6.2.1:
+ *
+ *      Zero-length fragments of Application data MAY be sent as they are
+ *      potentially useful as a traffic analysis countermeasure.
+ *
+ * Therefore, it is possible that the input message length is 0 and the
+ * corresponding return code is 0 on success.
+ */
+static int ssl_write_real( mbedtls_ssl_context *ssl,
+                           const unsigned char *buf, size_t len )
+{
+    int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
+    const size_t max_len = (size_t) ret;
+
+    if( ret < 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
+        return( ret );
+    }
+
+    if( len > max_len )
+    {
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+        if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
+                                "maximum fragment length: %d > %d",
+                                len, max_len ) );
+            return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+        }
+        else
+#endif
+            len = max_len;
+    }
+
+    if( ssl->out_left != 0 )
+    {
+        /*
+         * The user has previously tried to send the data and
+         * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
+         * written. In this case, we expect the high-level write function
+         * (e.g. mbedtls_ssl_write()) to be called with the same parameters
+         */
+        if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
+            return( ret );
+        }
+    }
+    else
+    {
+        /*
+         * The user is trying to send a message the first time, so we need to
+         * copy the data into the internal buffers and setup the data structure
+         * to keep track of partial writes
+         */
+        ssl->out_msglen  = len;
+        ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+        memcpy( ssl->out_msg, buf, len );
+
+        if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
+            return( ret );
+        }
+    }
+
+    return( (int) len );
+}
+
+/*
+ * Write application data, doing 1/n-1 splitting if necessary.
+ *
+ * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
+ * then the caller will call us again with the same arguments, so
+ * remember whether we already did the split or not.
+ */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+static int ssl_write_split( mbedtls_ssl_context *ssl,
+                            const unsigned char *buf, size_t len )
+{
+    int ret;
+
+    if( ssl->conf->cbc_record_splitting ==
+            MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
+        len <= 1 ||
+        ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
+        mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
+                                != MBEDTLS_MODE_CBC )
+    {
+        return( ssl_write_real( ssl, buf, len ) );
+    }
+
+    if( ssl->split_done == 0 )
+    {
+        if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
+            return( ret );
+        ssl->split_done = 1;
+    }
+
+    if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
+        return( ret );
+    ssl->split_done = 0;
+
+    return( ret + 1 );
+}
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+
+/*
+ * Write application data (public-facing wrapper)
+ */
+int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
+{
+    int ret;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
+    if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
+            return( ret );
+        }
+    }
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    ret = ssl_write_split( ssl, buf, len );
+#else
+    ret = ssl_write_real( ssl, buf, len );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
+
+    return( ret );
+}
+
+/*
+ * Notify the peer that the connection is being closed
+ */
+int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
+{
+    int ret;
+
+    if( ssl == NULL || ssl->conf == NULL )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
+
+    if( ssl->out_left != 0 )
+        return( mbedtls_ssl_flush_output( ssl ) );
+
+    if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
+    {
+        if( ( ret = mbedtls_ssl_send_alert_message( ssl,
+                        MBEDTLS_SSL_ALERT_LEVEL_WARNING,
+                        MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
+            return( ret );
+        }
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
+
+    return( 0 );
+}
+
+void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
+{
+    if( transform == NULL )
+        return;
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    deflateEnd( &transform->ctx_deflate );
+    inflateEnd( &transform->ctx_inflate );
+#endif
+
+    mbedtls_cipher_free( &transform->cipher_ctx_enc );
+    mbedtls_cipher_free( &transform->cipher_ctx_dec );
+
+    mbedtls_md_free( &transform->md_ctx_enc );
+    mbedtls_md_free( &transform->md_ctx_dec );
+
+    mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
+}
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
+{
+    mbedtls_ssl_key_cert *cur = key_cert, *next;
+
+    while( cur != NULL )
+    {
+        next = cur->next;
+        mbedtls_free( cur );
+        cur = next;
+    }
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+
+static void ssl_buffering_free( mbedtls_ssl_context *ssl )
+{
+    unsigned offset;
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+
+    if( hs == NULL )
+        return;
+
+    ssl_free_buffered_record( ssl );
+
+    for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
+        ssl_buffering_free_slot( ssl, offset );
+}
+
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
+                                     uint8_t slot )
+{
+    mbedtls_ssl_handshake_params * const hs = ssl->handshake;
+    mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
+
+    if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
+        return;
+
+    if( hs_buf->is_valid == 1 )
+    {
+        hs->buffering.total_bytes_buffered -= hs_buf->data_len;
+        mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
+        mbedtls_free( hs_buf->data );
+        memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
+    }
+}
+
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
+{
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;
+
+    if( handshake == NULL )
+        return;
+
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
+    {
+        ssl->conf->f_async_cancel( ssl );
+        handshake->async_in_progress = 0;
+    }
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_free(    &handshake->fin_md5  );
+    mbedtls_sha1_free(   &handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_free(   &handshake->fin_sha256    );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_free(   &handshake->fin_sha512    );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_free( &handshake->dhm_ctx );
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_free( &handshake->ecdh_ctx );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
+#if defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free( handshake->ecjpake_cache );
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    /* explicit void pointer cast for buggy MS compiler */
+    mbedtls_free( (void *) handshake->curves );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( handshake->psk != NULL )
+    {
+        mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
+        mbedtls_free( handshake->psk );
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    /*
+     * Free only the linked list wrapper, not the keys themselves
+     * since the belong to the SNI callback
+     */
+    if( handshake->sni_key_cert != NULL )
+    {
+        mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
+
+        while( cur != NULL )
+        {
+            next = cur->next;
+            mbedtls_free( cur );
+            cur = next;
+        }
+    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    mbedtls_free( handshake->verify_cookie );
+    ssl_flight_free( handshake->flight );
+    ssl_buffering_free( ssl );
+#endif
+
+    mbedtls_platform_zeroize( handshake,
+                              sizeof( mbedtls_ssl_handshake_params ) );
+}
+
+void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
+{
+    if( session == NULL )
+        return;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( session->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( session->peer_cert );
+        mbedtls_free( session->peer_cert );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+    mbedtls_free( session->ticket );
+#endif
+
+    mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
+}
+
+/*
+ * Free an SSL context
+ */
+void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
+{
+    if( ssl == NULL )
+        return;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
+
+    if( ssl->out_buf != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
+        mbedtls_free( ssl->out_buf );
+    }
+
+    if( ssl->in_buf != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
+        mbedtls_free( ssl->in_buf );
+    }
+
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    if( ssl->compress_buf != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
+        mbedtls_free( ssl->compress_buf );
+    }
+#endif
+
+    if( ssl->transform )
+    {
+        mbedtls_ssl_transform_free( ssl->transform );
+        mbedtls_free( ssl->transform );
+    }
+
+    if( ssl->handshake )
+    {
+        mbedtls_ssl_handshake_free( ssl );
+        mbedtls_ssl_transform_free( ssl->transform_negotiate );
+        mbedtls_ssl_session_free( ssl->session_negotiate );
+
+        mbedtls_free( ssl->handshake );
+        mbedtls_free( ssl->transform_negotiate );
+        mbedtls_free( ssl->session_negotiate );
+    }
+
+    if( ssl->session )
+    {
+        mbedtls_ssl_session_free( ssl->session );
+        mbedtls_free( ssl->session );
+    }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    if( ssl->hostname != NULL )
+    {
+        mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+        mbedtls_free( ssl->hostname );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    if( mbedtls_ssl_hw_record_finish != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
+        mbedtls_ssl_hw_record_finish( ssl );
+    }
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    mbedtls_free( ssl->cli_id );
+#endif
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
+
+    /* Actually clear after last debug message */
+    mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
+}
+
+/*
+ * Initialze mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
+{
+    memset( conf, 0, sizeof( mbedtls_ssl_config ) );
+}
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_preset_default_hashes[] = {
+#if defined(MBEDTLS_SHA512_C)
+    MBEDTLS_MD_SHA512,
+    MBEDTLS_MD_SHA384,
+#endif
+#if defined(MBEDTLS_SHA256_C)
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA224,
+#endif
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
+    MBEDTLS_MD_SHA1,
+#endif
+    MBEDTLS_MD_NONE
+};
+#endif
+
+static int ssl_preset_suiteb_ciphersuites[] = {
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+    MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+    0
+};
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+static int ssl_preset_suiteb_hashes[] = {
+    MBEDTLS_MD_SHA256,
+    MBEDTLS_MD_SHA384,
+    MBEDTLS_MD_NONE
+};
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP256R1,
+#endif
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    MBEDTLS_ECP_DP_SECP384R1,
+#endif
+    MBEDTLS_ECP_DP_NONE
+};
+#endif
+
+/*
+ * Load default in mbedtls_ssl_config
+ */
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
+                                 int endpoint, int transport, int preset )
+{
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+    int ret;
+#endif
+
+    /* Use the functions here so that they are covered in tests,
+     * but otherwise access member directly for efficiency */
+    mbedtls_ssl_conf_endpoint( conf, endpoint );
+    mbedtls_ssl_conf_transport( conf, transport );
+
+    /*
+     * Things that are common to all presets
+     */
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+        conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
+#endif
+    }
+#endif
+
+#if defined(MBEDTLS_ARC4_C)
+    conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
+    conf->f_cookie_write = ssl_cookie_write_dummy;
+    conf->f_cookie_check = ssl_cookie_check_dummy;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
+#endif
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
+    conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
+#endif
+
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
+    memset( conf->renego_period,     0x00, 2 );
+    memset( conf->renego_period + 2, 0xFF, 6 );
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
+            if( endpoint == MBEDTLS_SSL_IS_SERVER )
+            {
+                const unsigned char dhm_p[] =
+                    MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
+                const unsigned char dhm_g[] =
+                    MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
+
+                if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
+                                               dhm_p, sizeof( dhm_p ),
+                                               dhm_g, sizeof( dhm_g ) ) ) != 0 )
+                {
+                    return( ret );
+                }
+            }
+#endif
+
+    /*
+     * Preset-specific defaults
+     */
+    switch( preset )
+    {
+        /*
+         * NSA Suite B
+         */
+        case MBEDTLS_SSL_PRESET_SUITEB:
+            conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
+            conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   ssl_preset_suiteb_ciphersuites;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            conf->sig_hashes = ssl_preset_suiteb_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = ssl_preset_suiteb_curves;
+#endif
+            break;
+
+        /*
+         * Default
+         */
+        default:
+            conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
+                                    MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
+                                    MBEDTLS_SSL_MIN_MAJOR_VERSION :
+                                    MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+            conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
+                                    MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
+                                    MBEDTLS_SSL_MIN_MINOR_VERSION :
+                                    MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
+            conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
+            conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+            if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+                conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
+#endif
+
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
+            conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
+                                   mbedtls_ssl_list_ciphersuites();
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+            conf->cert_profile = &mbedtls_x509_crt_profile_default;
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+            conf->sig_hashes = ssl_preset_default_hashes;
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+            conf->curve_list = mbedtls_ecp_grp_id_list();
+#endif
+
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
+            conf->dhm_min_bitlen = 1024;
+#endif
+    }
+
+    return( 0 );
+}
+
+/*
+ * Free mbedtls_ssl_config
+ */
+void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
+{
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_mpi_free( &conf->dhm_P );
+    mbedtls_mpi_free( &conf->dhm_G );
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+    if( conf->psk != NULL )
+    {
+        mbedtls_platform_zeroize( conf->psk, conf->psk_len );
+        mbedtls_free( conf->psk );
+        conf->psk = NULL;
+        conf->psk_len = 0;
+    }
+
+    if( conf->psk_identity != NULL )
+    {
+        mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
+        mbedtls_free( conf->psk_identity );
+        conf->psk_identity = NULL;
+        conf->psk_identity_len = 0;
+    }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    ssl_key_cert_free( conf->key_cert );
+#endif
+
+    mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
+}
+
+#if defined(MBEDTLS_PK_C) && \
+    ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
+/*
+ * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
+ */
+unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
+{
+#if defined(MBEDTLS_RSA_C)
+    if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
+        return( MBEDTLS_SSL_SIG_RSA );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+    if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
+        return( MBEDTLS_SSL_SIG_ECDSA );
+#endif
+    return( MBEDTLS_SSL_SIG_ANON );
+}
+
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
+{
+    switch( type ) {
+        case MBEDTLS_PK_RSA:
+            return( MBEDTLS_SSL_SIG_RSA );
+        case MBEDTLS_PK_ECDSA:
+        case MBEDTLS_PK_ECKEY:
+            return( MBEDTLS_SSL_SIG_ECDSA );
+        default:
+            return( MBEDTLS_SSL_SIG_ANON );
+    }
+}
+
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
+{
+    switch( sig )
+    {
+#if defined(MBEDTLS_RSA_C)
+        case MBEDTLS_SSL_SIG_RSA:
+            return( MBEDTLS_PK_RSA );
+#endif
+#if defined(MBEDTLS_ECDSA_C)
+        case MBEDTLS_SSL_SIG_ECDSA:
+            return( MBEDTLS_PK_ECDSA );
+#endif
+        default:
+            return( MBEDTLS_PK_NONE );
+    }
+}
+#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+
+/* Find an entry in a signature-hash set matching a given hash algorithm. */
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
+                                                 mbedtls_pk_type_t sig_alg )
+{
+    switch( sig_alg )
+    {
+        case MBEDTLS_PK_RSA:
+            return( set->rsa );
+        case MBEDTLS_PK_ECDSA:
+            return( set->ecdsa );
+        default:
+            return( MBEDTLS_MD_NONE );
+    }
+}
+
+/* Add a signature-hash-pair to a signature-hash set */
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
+                                   mbedtls_pk_type_t sig_alg,
+                                   mbedtls_md_type_t md_alg )
+{
+    switch( sig_alg )
+    {
+        case MBEDTLS_PK_RSA:
+            if( set->rsa == MBEDTLS_MD_NONE )
+                set->rsa = md_alg;
+            break;
+
+        case MBEDTLS_PK_ECDSA:
+            if( set->ecdsa == MBEDTLS_MD_NONE )
+                set->ecdsa = md_alg;
+            break;
+
+        default:
+            break;
+    }
+}
+
+/* Allow exactly one hash algorithm for each signature. */
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
+                                          mbedtls_md_type_t md_alg )
+{
+    set->rsa   = md_alg;
+    set->ecdsa = md_alg;
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
+          MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+/*
+ * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
+ */
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
+{
+    switch( hash )
+    {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return( MBEDTLS_MD_MD5 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            return( MBEDTLS_MD_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA224:
+            return( MBEDTLS_MD_SHA224 );
+        case MBEDTLS_SSL_HASH_SHA256:
+            return( MBEDTLS_MD_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            return( MBEDTLS_MD_SHA384 );
+        case MBEDTLS_SSL_HASH_SHA512:
+            return( MBEDTLS_MD_SHA512 );
+#endif
+        default:
+            return( MBEDTLS_MD_NONE );
+    }
+}
+
+/*
+ * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
+ */
+unsigned char mbedtls_ssl_hash_from_md_alg( int md )
+{
+    switch( md )
+    {
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_MD_MD5:
+            return( MBEDTLS_SSL_HASH_MD5 );
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_MD_SHA1:
+            return( MBEDTLS_SSL_HASH_SHA1 );
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_MD_SHA224:
+            return( MBEDTLS_SSL_HASH_SHA224 );
+        case MBEDTLS_MD_SHA256:
+            return( MBEDTLS_SSL_HASH_SHA256 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_MD_SHA384:
+            return( MBEDTLS_SSL_HASH_SHA384 );
+        case MBEDTLS_MD_SHA512:
+            return( MBEDTLS_SSL_HASH_SHA512 );
+#endif
+        default:
+            return( MBEDTLS_SSL_HASH_NONE );
+    }
+}
+
+#if defined(MBEDTLS_ECP_C)
+/*
+ * Check if a curve proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
+{
+    const mbedtls_ecp_group_id *gid;
+
+    if( ssl->conf->curve_list == NULL )
+        return( -1 );
+
+    for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
+        if( *gid == grp_id )
+            return( 0 );
+
+    return( -1 );
+}
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+/*
+ * Check if a hash proposed by the peer is in our list.
+ * Return 0 if we're willing to use it, -1 otherwise.
+ */
+int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
+                                mbedtls_md_type_t md )
+{
+    const int *cur;
+
+    if( ssl->conf->sig_hashes == NULL )
+        return( -1 );
+
+    for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
+        if( *cur == (int) md )
+            return( 0 );
+
+    return( -1 );
+}
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
+                          const mbedtls_ssl_ciphersuite_t *ciphersuite,
+                          int cert_endpoint,
+                          uint32_t *flags )
+{
+    int ret = 0;
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    int usage = 0;
+#endif
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    const char *ext_oid;
+    size_t ext_len;
+#endif
+
+#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) &&          \
+    !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    ((void) cert);
+    ((void) cert_endpoint);
+    ((void) flags);
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        /* Server part of the key exchange */
+        switch( ciphersuite->key_exchange )
+        {
+            case MBEDTLS_KEY_EXCHANGE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
+                usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
+                usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+                break;
+
+            case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
+            case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
+                usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
+                break;
+
+            /* Don't use default: we want warnings when adding new values */
+            case MBEDTLS_KEY_EXCHANGE_NONE:
+            case MBEDTLS_KEY_EXCHANGE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
+            case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
+                usage = 0;
+        }
+    }
+    else
+    {
+        /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
+        usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
+    }
+
+    if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
+    {
+        *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
+        ret = -1;
+    }
+#else
+    ((void) ciphersuite);
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        ext_oid = MBEDTLS_OID_SERVER_AUTH;
+        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
+    }
+    else
+    {
+        ext_oid = MBEDTLS_OID_CLIENT_AUTH;
+        ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
+    }
+
+    if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
+    {
+        *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
+        ret = -1;
+    }
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+    return( ret );
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+/*
+ * Convert version numbers to/from wire format
+ * and, for DTLS, to/from TLS equivalent.
+ *
+ * For TLS this is the identity.
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
+ * 1.0 <-> 3.2      (DTLS 1.0 is based on TLS 1.1)
+ * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
+ */
+void mbedtls_ssl_write_version( int major, int minor, int transport,
+                        unsigned char ver[2] )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
+            --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+
+        ver[0] = (unsigned char)( 255 - ( major - 2 ) );
+        ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
+    }
+    else
+#else
+    ((void) transport);
+#endif
+    {
+        ver[0] = (unsigned char) major;
+        ver[1] = (unsigned char) minor;
+    }
+}
+
+void mbedtls_ssl_read_version( int *major, int *minor, int transport,
+                       const unsigned char ver[2] )
+{
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        *major = 255 - ver[0] + 2;
+        *minor = 255 - ver[1] + 1;
+
+        if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
+            ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
+    }
+    else
+#else
+    ((void) transport);
+#endif
+    {
+        *major = ver[0];
+        *minor = ver[1];
+    }
+}
+
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
+        return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+
+    switch( md )
+    {
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
+#if defined(MBEDTLS_MD5_C)
+        case MBEDTLS_SSL_HASH_MD5:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif
+#if defined(MBEDTLS_SHA1_C)
+        case MBEDTLS_SSL_HASH_SHA1:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls;
+            break;
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SHA512_C)
+        case MBEDTLS_SSL_HASH_SHA384:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
+            break;
+#endif
+#if defined(MBEDTLS_SHA256_C)
+        case MBEDTLS_SSL_HASH_SHA256:
+            ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
+            break;
+#endif
+        default:
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+    }
+
+    return 0;
+#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
+    (void) ssl;
+    (void) md;
+
+    return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
+                                        unsigned char *output,
+                                        unsigned char *data, size_t data_len )
+{
+    int ret = 0;
+    mbedtls_md5_context mbedtls_md5;
+    mbedtls_sha1_context mbedtls_sha1;
+
+    mbedtls_md5_init( &mbedtls_md5 );
+    mbedtls_sha1_init( &mbedtls_sha1 );
+
+    /*
+     * digitally-signed struct {
+     *     opaque md5_hash[16];
+     *     opaque sha_hash[20];
+     * };
+     *
+     * md5_hash
+     *     MD5(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     * sha_hash
+     *     SHA(ClientHello.random + ServerHello.random
+     *                            + ServerParams);
+     */
+    if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
+                                        ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
+        goto exit;
+    }
+
+    if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
+                                         ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
+                                         data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
+                                         output + 16 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
+        goto exit;
+    }
+
+exit:
+    mbedtls_md5_free( &mbedtls_md5 );
+    mbedtls_sha1_free( &mbedtls_sha1 );
+
+    if( ret != 0 )
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+
+    return( ret );
+
+}
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
+          MBEDTLS_SSL_PROTO_TLS1_1 */
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_2)
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
+                                            unsigned char *hash, size_t *hashlen,
+                                            unsigned char *data, size_t data_len,
+                                            mbedtls_md_type_t md_alg )
+{
+    int ret = 0;
+    mbedtls_md_context_t ctx;
+    const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
+    *hashlen = mbedtls_md_get_size( md_info );
+
+    mbedtls_md_init( &ctx );
+
+    /*
+     * digitally-signed struct {
+     *     opaque client_random[32];
+     *     opaque server_random[32];
+     *     ServerDHParams params;
+     * };
+     */
+    if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
+        goto exit;
+    }
+    if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
+        goto exit;
+    }
+
+exit:
+    mbedtls_md_free( &ctx );
+
+    if( ret != 0 )
+        mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                                        MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+
+    return( ret );
+}
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
+          MBEDTLS_SSL_PROTO_TLS1_2 */
+
+#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/makerom/deps/libmbedtls/src/threading.c b/makerom/deps/libmbedtls/src/threading.c
new file mode 100644
index 00000000..7c90c7c5
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/threading.c
@@ -0,0 +1,187 @@
+/*
+ *  Threading abstraction layer
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+/*
+ * Ensure gmtime_r is available even with -std=c99; must be defined before
+ * config.h, which pulls in glibc's features.h. Harmless on other platforms.
+ */
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 200112L
+#endif
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+
+#include "mbedtls/threading.h"
+
+#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
+
+#if !defined(_WIN32) && (defined(unix) || \
+    defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
+    defined(__MACH__)))
+#include <unistd.h>
+#endif /* !_WIN32 && (unix || __unix || __unix__ ||
+        * (__APPLE__ && __MACH__)) */
+
+#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+       ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+         _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+/*
+ * This is a convenience shorthand macro to avoid checking the long
+ * preprocessor conditions above. Ideally, we could expose this macro in
+ * platform_util.h and simply use it in platform_util.c, threading.c and
+ * threading.h. However, this macro is not part of the Mbed TLS public API, so
+ * we keep it private by only defining it in this file
+ */
+
+#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
+#define THREADING_USE_GMTIME
+#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
+
+#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) ||     \
+             ( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) &&                     \
+                _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+
+#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
+
+#if defined(MBEDTLS_THREADING_PTHREAD)
+static void threading_mutex_init_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL )
+        return;
+
+    mutex->is_valid = pthread_mutex_init( &mutex->mutex, NULL ) == 0;
+}
+
+static void threading_mutex_free_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || !mutex->is_valid )
+        return;
+
+    (void) pthread_mutex_destroy( &mutex->mutex );
+    mutex->is_valid = 0;
+}
+
+static int threading_mutex_lock_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || ! mutex->is_valid )
+        return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+
+    if( pthread_mutex_lock( &mutex->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+
+    return( 0 );
+}
+
+static int threading_mutex_unlock_pthread( mbedtls_threading_mutex_t *mutex )
+{
+    if( mutex == NULL || ! mutex->is_valid )
+        return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+
+    if( pthread_mutex_unlock( &mutex->mutex ) != 0 )
+        return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+
+    return( 0 );
+}
+
+void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t * ) = threading_mutex_init_pthread;
+void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t * ) = threading_mutex_free_pthread;
+int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t * ) = threading_mutex_lock_pthread;
+int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t * ) = threading_mutex_unlock_pthread;
+
+/*
+ * With phtreads we can statically initialize mutexes
+ */
+#define MUTEX_INIT  = { PTHREAD_MUTEX_INITIALIZER, 1 }
+
+#endif /* MBEDTLS_THREADING_PTHREAD */
+
+#if defined(MBEDTLS_THREADING_ALT)
+static int threading_mutex_fail( mbedtls_threading_mutex_t *mutex )
+{
+    ((void) mutex );
+    return( MBEDTLS_ERR_THREADING_BAD_INPUT_DATA );
+}
+static void threading_mutex_dummy( mbedtls_threading_mutex_t *mutex )
+{
+    ((void) mutex );
+    return;
+}
+
+void (*mbedtls_mutex_init)( mbedtls_threading_mutex_t * ) = threading_mutex_dummy;
+void (*mbedtls_mutex_free)( mbedtls_threading_mutex_t * ) = threading_mutex_dummy;
+int (*mbedtls_mutex_lock)( mbedtls_threading_mutex_t * ) = threading_mutex_fail;
+int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t * ) = threading_mutex_fail;
+
+/*
+ * Set functions pointers and initialize global mutexes
+ */
+void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t * ),
+                       void (*mutex_free)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_lock)( mbedtls_threading_mutex_t * ),
+                       int (*mutex_unlock)( mbedtls_threading_mutex_t * ) )
+{
+    mbedtls_mutex_init = mutex_init;
+    mbedtls_mutex_free = mutex_free;
+    mbedtls_mutex_lock = mutex_lock;
+    mbedtls_mutex_unlock = mutex_unlock;
+
+#if defined(MBEDTLS_FS_IO)
+    mbedtls_mutex_init( &mbedtls_threading_readdir_mutex );
+#endif
+#if defined(THREADING_USE_GMTIME)
+    mbedtls_mutex_init( &mbedtls_threading_gmtime_mutex );
+#endif
+}
+
+/*
+ * Free global mutexes
+ */
+void mbedtls_threading_free_alt( void )
+{
+#if defined(MBEDTLS_FS_IO)
+    mbedtls_mutex_free( &mbedtls_threading_readdir_mutex );
+#endif
+#if defined(THREADING_USE_GMTIME)
+    mbedtls_mutex_free( &mbedtls_threading_gmtime_mutex );
+#endif
+}
+#endif /* MBEDTLS_THREADING_ALT */
+
+/*
+ * Define global mutexes
+ */
+#ifndef MUTEX_INIT
+#define MUTEX_INIT
+#endif
+#if defined(MBEDTLS_FS_IO)
+mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT;
+#endif
+#if defined(THREADING_USE_GMTIME)
+mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT;
+#endif
+
+#endif /* MBEDTLS_THREADING_C */
diff --git a/makerom/deps/libmbedtls/src/timing.c b/makerom/deps/libmbedtls/src/timing.c
new file mode 100644
index 00000000..009516a6
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/timing.c
@@ -0,0 +1,536 @@
+/*
+ *  Portable interface to the CPU cycle counter
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf     printf
+#endif
+
+#if defined(MBEDTLS_TIMING_C)
+
+#include "mbedtls/timing.h"
+
+#if !defined(MBEDTLS_TIMING_ALT)
+
+#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+    !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+    !defined(__HAIKU__)
+#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
+#endif
+
+#ifndef asm
+#define asm __asm
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+#include <windows.h>
+#include <process.h>
+
+struct _hr_time
+{
+    LARGE_INTEGER start;
+};
+
+#else
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <signal.h>
+#include <time.h>
+
+struct _hr_time
+{
+    struct timeval start;
+};
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    ( defined(_MSC_VER) && defined(_M_IX86) ) || defined(__WATCOMC__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tsc;
+    __asm   rdtsc
+    __asm   mov  [tsc], eax
+    return( tsc );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          ( _MSC_VER && _M_IX86 ) || __WATCOMC__ */
+
+/* some versions of mingw-64 have 32-bit longs even on x84_64 */
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__i386__) || (                       \
+    ( defined(__amd64__) || defined( __x86_64__) ) && __SIZEOF_LONG__ == 4 ) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long lo, hi;
+    asm volatile( "rdtsc" : "=a" (lo), "=d" (hi) );
+    return( lo );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __i386__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__amd64__) || defined(__x86_64__) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long lo, hi;
+    asm volatile( "rdtsc" : "=a" (lo), "=d" (hi) );
+    return( lo | ( hi << 32 ) );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && ( __amd64__ || __x86_64__ ) */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && ( defined(__powerpc__) || defined(__ppc__) )
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tbl, tbu0, tbu1;
+
+    do
+    {
+        asm volatile( "mftbu %0" : "=r" (tbu0) );
+        asm volatile( "mftb  %0" : "=r" (tbl ) );
+        asm volatile( "mftbu %0" : "=r" (tbu1) );
+    }
+    while( tbu0 != tbu1 );
+
+    return( tbl );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && ( __powerpc__ || __ppc__ ) */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && defined(__sparc64__)
+
+#if defined(__OpenBSD__)
+#warning OpenBSD does not allow access to tick register using software version instead
+#else
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tick;
+    asm volatile( "rdpr %%tick, %0;" : "=&r" (tick) );
+    return( tick );
+}
+#endif /* __OpenBSD__ */
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __sparc64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&  \
+    defined(__GNUC__) && defined(__sparc__) && !defined(__sparc64__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long tick;
+    asm volatile( ".byte 0x83, 0x41, 0x00, 0x00" );
+    asm volatile( "mov   %%g1, %0" : "=r" (tick) );
+    return( tick );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __sparc__ && !__sparc64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&      \
+    defined(__GNUC__) && defined(__alpha__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long cc;
+    asm volatile( "rpcc %0" : "=r" (cc) );
+    return( cc & 0xFFFFFFFF );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __alpha__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(MBEDTLS_HAVE_ASM) &&      \
+    defined(__GNUC__) && defined(__ia64__)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    unsigned long itc;
+    asm volatile( "mov %0 = ar.itc" : "=r" (itc) );
+    return( itc );
+}
+#endif /* !HAVE_HARDCLOCK && MBEDTLS_HAVE_ASM &&
+          __GNUC__ && __ia64__ */
+
+#if !defined(HAVE_HARDCLOCK) && defined(_MSC_VER) && \
+    !defined(EFIX64) && !defined(EFI32)
+
+#define HAVE_HARDCLOCK
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    LARGE_INTEGER offset;
+
+    QueryPerformanceCounter( &offset );
+
+    return( (unsigned long)( offset.QuadPart ) );
+}
+#endif /* !HAVE_HARDCLOCK && _MSC_VER && !EFIX64 && !EFI32 */
+
+#if !defined(HAVE_HARDCLOCK)
+
+#define HAVE_HARDCLOCK
+
+static int hardclock_init = 0;
+static struct timeval tv_init;
+
+unsigned long mbedtls_timing_hardclock( void )
+{
+    struct timeval tv_cur;
+
+    if( hardclock_init == 0 )
+    {
+        gettimeofday( &tv_init, NULL );
+        hardclock_init = 1;
+    }
+
+    gettimeofday( &tv_cur, NULL );
+    return( ( tv_cur.tv_sec  - tv_init.tv_sec  ) * 1000000
+          + ( tv_cur.tv_usec - tv_init.tv_usec ) );
+}
+#endif /* !HAVE_HARDCLOCK */
+
+volatile int mbedtls_timing_alarmed = 0;
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset )
+{
+    struct _hr_time *t = (struct _hr_time *) val;
+
+    if( reset )
+    {
+        QueryPerformanceCounter( &t->start );
+        return( 0 );
+    }
+    else
+    {
+        unsigned long delta;
+        LARGE_INTEGER now, hfreq;
+        QueryPerformanceCounter(  &now );
+        QueryPerformanceFrequency( &hfreq );
+        delta = (unsigned long)( ( now.QuadPart - t->start.QuadPart ) * 1000ul
+                                 / hfreq.QuadPart );
+        return( delta );
+    }
+}
+
+/* It's OK to use a global because alarm() is supposed to be global anyway */
+static DWORD alarmMs;
+
+static void TimerProc( void *TimerContext )
+{
+    (void) TimerContext;
+    Sleep( alarmMs );
+    mbedtls_timing_alarmed = 1;
+    /* _endthread will be called implicitly on return
+     * That ensures execution of thread funcition's epilogue */
+}
+
+void mbedtls_set_alarm( int seconds )
+{
+    if( seconds == 0 )
+    {
+        /* No need to create a thread for this simple case.
+         * Also, this shorcut is more reliable at least on MinGW32 */
+        mbedtls_timing_alarmed = 1;
+        return;
+    }
+
+    mbedtls_timing_alarmed = 0;
+    alarmMs = seconds * 1000;
+    (void) _beginthread( TimerProc, 0, NULL );
+}
+
+#else /* _WIN32 && !EFIX64 && !EFI32 */
+
+unsigned long mbedtls_timing_get_timer( struct mbedtls_timing_hr_time *val, int reset )
+{
+    struct _hr_time *t = (struct _hr_time *) val;
+
+    if( reset )
+    {
+        gettimeofday( &t->start, NULL );
+        return( 0 );
+    }
+    else
+    {
+        unsigned long delta;
+        struct timeval now;
+        gettimeofday( &now, NULL );
+        delta = ( now.tv_sec  - t->start.tv_sec  ) * 1000ul
+              + ( now.tv_usec - t->start.tv_usec ) / 1000;
+        return( delta );
+    }
+}
+
+static void sighandler( int signum )
+{
+    mbedtls_timing_alarmed = 1;
+    signal( signum, sighandler );
+}
+
+void mbedtls_set_alarm( int seconds )
+{
+    mbedtls_timing_alarmed = 0;
+    signal( SIGALRM, sighandler );
+    alarm( seconds );
+    if( seconds == 0 )
+    {
+        /* alarm(0) cancelled any previous pending alarm, but the
+           handler won't fire, so raise the flag straight away. */
+        mbedtls_timing_alarmed = 1;
+    }
+}
+
+#endif /* _WIN32 && !EFIX64 && !EFI32 */
+
+/*
+ * Set delays to watch
+ */
+void mbedtls_timing_set_delay( void *data, uint32_t int_ms, uint32_t fin_ms )
+{
+    mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+
+    ctx->int_ms = int_ms;
+    ctx->fin_ms = fin_ms;
+
+    if( fin_ms != 0 )
+        (void) mbedtls_timing_get_timer( &ctx->timer, 1 );
+}
+
+/*
+ * Get number of delays expired
+ */
+int mbedtls_timing_get_delay( void *data )
+{
+    mbedtls_timing_delay_context *ctx = (mbedtls_timing_delay_context *) data;
+    unsigned long elapsed_ms;
+
+    if( ctx->fin_ms == 0 )
+        return( -1 );
+
+    elapsed_ms = mbedtls_timing_get_timer( &ctx->timer, 0 );
+
+    if( elapsed_ms >= ctx->fin_ms )
+        return( 2 );
+
+    if( elapsed_ms >= ctx->int_ms )
+        return( 1 );
+
+    return( 0 );
+}
+
+#endif /* !MBEDTLS_TIMING_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * Busy-waits for the given number of milliseconds.
+ * Used for testing mbedtls_timing_hardclock.
+ */
+static void busy_msleep( unsigned long msec )
+{
+    struct mbedtls_timing_hr_time hires;
+    unsigned long i = 0; /* for busy-waiting */
+    volatile unsigned long j; /* to prevent optimisation */
+
+    (void) mbedtls_timing_get_timer( &hires, 1 );
+
+    while( mbedtls_timing_get_timer( &hires, 0 ) < msec )
+        i++;
+
+    j = i;
+    (void) j;
+}
+
+#define FAIL    do                                                      \
+    {                                                                   \
+        if( verbose != 0 )                                              \
+        {                                                               \
+            mbedtls_printf( "failed at line %d\n", __LINE__ );          \
+            mbedtls_printf( " cycles=%lu ratio=%lu millisecs=%lu secs=%lu hardfail=%d a=%lu b=%lu\n", \
+                            cycles, ratio, millisecs, secs, hardfail,   \
+                            (unsigned long) a, (unsigned long) b );     \
+            mbedtls_printf( " elapsed(hires)=%lu elapsed(ctx)=%lu status(ctx)=%d\n", \
+                            mbedtls_timing_get_timer( &hires, 0 ),      \
+                            mbedtls_timing_get_timer( &ctx.timer, 0 ),  \
+                            mbedtls_timing_get_delay( &ctx ) );         \
+        }                                                               \
+        return( 1 );                                                    \
+    } while( 0 )
+
+/*
+ * Checkup routine
+ *
+ * Warning: this is work in progress, some tests may not be reliable enough
+ * yet! False positives may happen.
+ */
+int mbedtls_timing_self_test( int verbose )
+{
+    unsigned long cycles = 0, ratio = 0;
+    unsigned long millisecs = 0, secs = 0;
+    int hardfail = 0;
+    struct mbedtls_timing_hr_time hires;
+    uint32_t a = 0, b = 0;
+    mbedtls_timing_delay_context ctx;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING tests note: will take some time!\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #1 (set_alarm / get_timer): " );
+
+    {
+        secs = 1;
+
+        (void) mbedtls_timing_get_timer( &hires, 1 );
+
+        mbedtls_set_alarm( (int) secs );
+        while( !mbedtls_timing_alarmed )
+            ;
+
+        millisecs = mbedtls_timing_get_timer( &hires, 0 );
+
+        /* For some reason on Windows it looks like alarm has an extra delay
+         * (maybe related to creating a new thread). Allow some room here. */
+        if( millisecs < 800 * secs || millisecs > 1200 * secs + 300 )
+            FAIL;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #2 (set/get_delay        ): " );
+
+    {
+        a = 800;
+        b = 400;
+        mbedtls_timing_set_delay( &ctx, a, a + b );          /* T = 0 */
+
+        busy_msleep( a - a / 4 );                      /* T = a - a/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 0 )
+            FAIL;
+
+        busy_msleep( a / 4 + b / 4 );                  /* T = a + b/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 1 )
+            FAIL;
+
+        busy_msleep( b );                          /* T = a + b + b/4 */
+        if( mbedtls_timing_get_delay( &ctx ) != 2 )
+            FAIL;
+    }
+
+    mbedtls_timing_set_delay( &ctx, 0, 0 );
+    busy_msleep( 200 );
+    if( mbedtls_timing_get_delay( &ctx ) != -1 )
+        FAIL;
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+    if( verbose != 0 )
+        mbedtls_printf( "  TIMING test #3 (hardclock / get_timer): " );
+
+    /*
+     * Allow one failure for possible counter wrapping.
+     * On a 4Ghz 32-bit machine the cycle counter wraps about once per second;
+     * since the whole test is about 10ms, it shouldn't happen twice in a row.
+     */
+
+hard_test:
+    if( hardfail > 1 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed (ignored)\n" );
+
+        goto hard_test_done;
+    }
+
+    /* Get a reference ratio cycles/ms */
+    millisecs = 1;
+    cycles = mbedtls_timing_hardclock();
+    busy_msleep( millisecs );
+    cycles = mbedtls_timing_hardclock() - cycles;
+    ratio = cycles / millisecs;
+
+    /* Check that the ratio is mostly constant */
+    for( millisecs = 2; millisecs <= 4; millisecs++ )
+    {
+        cycles = mbedtls_timing_hardclock();
+        busy_msleep( millisecs );
+        cycles = mbedtls_timing_hardclock() - cycles;
+
+        /* Allow variation up to 20% */
+        if( cycles / millisecs < ratio - ratio / 5 ||
+            cycles / millisecs > ratio + ratio / 5 )
+        {
+            hardfail++;
+            goto hard_test;
+        }
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n" );
+
+hard_test_done:
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+    return( 0 );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_TIMING_C */
diff --git a/makerom/deps/libmbedtls/src/version.c b/makerom/deps/libmbedtls/src/version.c
new file mode 100644
index 00000000..fd967508
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/version.c
@@ -0,0 +1,50 @@
+/*
+ *  Version information
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+#include <string.h>
+
+unsigned int mbedtls_version_get_number( void )
+{
+    return( MBEDTLS_VERSION_NUMBER );
+}
+
+void mbedtls_version_get_string( char *string )
+{
+    memcpy( string, MBEDTLS_VERSION_STRING,
+            sizeof( MBEDTLS_VERSION_STRING ) );
+}
+
+void mbedtls_version_get_string_full( char *string )
+{
+    memcpy( string, MBEDTLS_VERSION_STRING_FULL,
+            sizeof( MBEDTLS_VERSION_STRING_FULL ) );
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/makerom/deps/libmbedtls/src/version_features.c b/makerom/deps/libmbedtls/src/version_features.c
new file mode 100644
index 00000000..3b67b2be
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/version_features.c
@@ -0,0 +1,785 @@
+/*
+ *  Version feature information
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_VERSION_C)
+
+#include "mbedtls/version.h"
+
+#include <string.h>
+
+static const char *features[] = {
+#if defined(MBEDTLS_VERSION_FEATURES)
+#if defined(MBEDTLS_HAVE_ASM)
+    "MBEDTLS_HAVE_ASM",
+#endif /* MBEDTLS_HAVE_ASM */
+#if defined(MBEDTLS_NO_UDBL_DIVISION)
+    "MBEDTLS_NO_UDBL_DIVISION",
+#endif /* MBEDTLS_NO_UDBL_DIVISION */
+#if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
+    "MBEDTLS_NO_64BIT_MULTIPLICATION",
+#endif /* MBEDTLS_NO_64BIT_MULTIPLICATION */
+#if defined(MBEDTLS_HAVE_SSE2)
+    "MBEDTLS_HAVE_SSE2",
+#endif /* MBEDTLS_HAVE_SSE2 */
+#if defined(MBEDTLS_HAVE_TIME)
+    "MBEDTLS_HAVE_TIME",
+#endif /* MBEDTLS_HAVE_TIME */
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+    "MBEDTLS_HAVE_TIME_DATE",
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+#if defined(MBEDTLS_PLATFORM_MEMORY)
+    "MBEDTLS_PLATFORM_MEMORY",
+#endif /* MBEDTLS_PLATFORM_MEMORY */
+#if defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
+    "MBEDTLS_PLATFORM_NO_STD_FUNCTIONS",
+#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
+#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
+    "MBEDTLS_PLATFORM_EXIT_ALT",
+#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+    "MBEDTLS_PLATFORM_TIME_ALT",
+#endif /* MBEDTLS_PLATFORM_TIME_ALT */
+#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
+    "MBEDTLS_PLATFORM_FPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
+    "MBEDTLS_PLATFORM_PRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
+    "MBEDTLS_PLATFORM_SNPRINTF_ALT",
+#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#if defined(MBEDTLS_PLATFORM_NV_SEED_ALT)
+    "MBEDTLS_PLATFORM_NV_SEED_ALT",
+#endif /* MBEDTLS_PLATFORM_NV_SEED_ALT */
+#if defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT)
+    "MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT",
+#endif /* MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+    "MBEDTLS_DEPRECATED_WARNING",
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+    "MBEDTLS_DEPRECATED_REMOVED",
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#if defined(MBEDTLS_CHECK_PARAMS)
+    "MBEDTLS_CHECK_PARAMS",
+#endif /* MBEDTLS_CHECK_PARAMS */
+#if defined(MBEDTLS_CHECK_PARAMS_ASSERT)
+    "MBEDTLS_CHECK_PARAMS_ASSERT",
+#endif /* MBEDTLS_CHECK_PARAMS_ASSERT */
+#if defined(MBEDTLS_TIMING_ALT)
+    "MBEDTLS_TIMING_ALT",
+#endif /* MBEDTLS_TIMING_ALT */
+#if defined(MBEDTLS_AES_ALT)
+    "MBEDTLS_AES_ALT",
+#endif /* MBEDTLS_AES_ALT */
+#if defined(MBEDTLS_ARC4_ALT)
+    "MBEDTLS_ARC4_ALT",
+#endif /* MBEDTLS_ARC4_ALT */
+#if defined(MBEDTLS_ARIA_ALT)
+    "MBEDTLS_ARIA_ALT",
+#endif /* MBEDTLS_ARIA_ALT */
+#if defined(MBEDTLS_BLOWFISH_ALT)
+    "MBEDTLS_BLOWFISH_ALT",
+#endif /* MBEDTLS_BLOWFISH_ALT */
+#if defined(MBEDTLS_CAMELLIA_ALT)
+    "MBEDTLS_CAMELLIA_ALT",
+#endif /* MBEDTLS_CAMELLIA_ALT */
+#if defined(MBEDTLS_CCM_ALT)
+    "MBEDTLS_CCM_ALT",
+#endif /* MBEDTLS_CCM_ALT */
+#if defined(MBEDTLS_CHACHA20_ALT)
+    "MBEDTLS_CHACHA20_ALT",
+#endif /* MBEDTLS_CHACHA20_ALT */
+#if defined(MBEDTLS_CHACHAPOLY_ALT)
+    "MBEDTLS_CHACHAPOLY_ALT",
+#endif /* MBEDTLS_CHACHAPOLY_ALT */
+#if defined(MBEDTLS_CMAC_ALT)
+    "MBEDTLS_CMAC_ALT",
+#endif /* MBEDTLS_CMAC_ALT */
+#if defined(MBEDTLS_DES_ALT)
+    "MBEDTLS_DES_ALT",
+#endif /* MBEDTLS_DES_ALT */
+#if defined(MBEDTLS_DHM_ALT)
+    "MBEDTLS_DHM_ALT",
+#endif /* MBEDTLS_DHM_ALT */
+#if defined(MBEDTLS_ECJPAKE_ALT)
+    "MBEDTLS_ECJPAKE_ALT",
+#endif /* MBEDTLS_ECJPAKE_ALT */
+#if defined(MBEDTLS_GCM_ALT)
+    "MBEDTLS_GCM_ALT",
+#endif /* MBEDTLS_GCM_ALT */
+#if defined(MBEDTLS_NIST_KW_ALT)
+    "MBEDTLS_NIST_KW_ALT",
+#endif /* MBEDTLS_NIST_KW_ALT */
+#if defined(MBEDTLS_MD2_ALT)
+    "MBEDTLS_MD2_ALT",
+#endif /* MBEDTLS_MD2_ALT */
+#if defined(MBEDTLS_MD4_ALT)
+    "MBEDTLS_MD4_ALT",
+#endif /* MBEDTLS_MD4_ALT */
+#if defined(MBEDTLS_MD5_ALT)
+    "MBEDTLS_MD5_ALT",
+#endif /* MBEDTLS_MD5_ALT */
+#if defined(MBEDTLS_POLY1305_ALT)
+    "MBEDTLS_POLY1305_ALT",
+#endif /* MBEDTLS_POLY1305_ALT */
+#if defined(MBEDTLS_RIPEMD160_ALT)
+    "MBEDTLS_RIPEMD160_ALT",
+#endif /* MBEDTLS_RIPEMD160_ALT */
+#if defined(MBEDTLS_RSA_ALT)
+    "MBEDTLS_RSA_ALT",
+#endif /* MBEDTLS_RSA_ALT */
+#if defined(MBEDTLS_SHA1_ALT)
+    "MBEDTLS_SHA1_ALT",
+#endif /* MBEDTLS_SHA1_ALT */
+#if defined(MBEDTLS_SHA256_ALT)
+    "MBEDTLS_SHA256_ALT",
+#endif /* MBEDTLS_SHA256_ALT */
+#if defined(MBEDTLS_SHA512_ALT)
+    "MBEDTLS_SHA512_ALT",
+#endif /* MBEDTLS_SHA512_ALT */
+#if defined(MBEDTLS_XTEA_ALT)
+    "MBEDTLS_XTEA_ALT",
+#endif /* MBEDTLS_XTEA_ALT */
+#if defined(MBEDTLS_ECP_ALT)
+    "MBEDTLS_ECP_ALT",
+#endif /* MBEDTLS_ECP_ALT */
+#if defined(MBEDTLS_MD2_PROCESS_ALT)
+    "MBEDTLS_MD2_PROCESS_ALT",
+#endif /* MBEDTLS_MD2_PROCESS_ALT */
+#if defined(MBEDTLS_MD4_PROCESS_ALT)
+    "MBEDTLS_MD4_PROCESS_ALT",
+#endif /* MBEDTLS_MD4_PROCESS_ALT */
+#if defined(MBEDTLS_MD5_PROCESS_ALT)
+    "MBEDTLS_MD5_PROCESS_ALT",
+#endif /* MBEDTLS_MD5_PROCESS_ALT */
+#if defined(MBEDTLS_RIPEMD160_PROCESS_ALT)
+    "MBEDTLS_RIPEMD160_PROCESS_ALT",
+#endif /* MBEDTLS_RIPEMD160_PROCESS_ALT */
+#if defined(MBEDTLS_SHA1_PROCESS_ALT)
+    "MBEDTLS_SHA1_PROCESS_ALT",
+#endif /* MBEDTLS_SHA1_PROCESS_ALT */
+#if defined(MBEDTLS_SHA256_PROCESS_ALT)
+    "MBEDTLS_SHA256_PROCESS_ALT",
+#endif /* MBEDTLS_SHA256_PROCESS_ALT */
+#if defined(MBEDTLS_SHA512_PROCESS_ALT)
+    "MBEDTLS_SHA512_PROCESS_ALT",
+#endif /* MBEDTLS_SHA512_PROCESS_ALT */
+#if defined(MBEDTLS_DES_SETKEY_ALT)
+    "MBEDTLS_DES_SETKEY_ALT",
+#endif /* MBEDTLS_DES_SETKEY_ALT */
+#if defined(MBEDTLS_DES_CRYPT_ECB_ALT)
+    "MBEDTLS_DES_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
+    "MBEDTLS_DES3_CRYPT_ECB_ALT",
+#endif /* MBEDTLS_DES3_CRYPT_ECB_ALT */
+#if defined(MBEDTLS_AES_SETKEY_ENC_ALT)
+    "MBEDTLS_AES_SETKEY_ENC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_ENC_ALT */
+#if defined(MBEDTLS_AES_SETKEY_DEC_ALT)
+    "MBEDTLS_AES_SETKEY_DEC_ALT",
+#endif /* MBEDTLS_AES_SETKEY_DEC_ALT */
+#if defined(MBEDTLS_AES_ENCRYPT_ALT)
+    "MBEDTLS_AES_ENCRYPT_ALT",
+#endif /* MBEDTLS_AES_ENCRYPT_ALT */
+#if defined(MBEDTLS_AES_DECRYPT_ALT)
+    "MBEDTLS_AES_DECRYPT_ALT",
+#endif /* MBEDTLS_AES_DECRYPT_ALT */
+#if defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT)
+    "MBEDTLS_ECDH_GEN_PUBLIC_ALT",
+#endif /* MBEDTLS_ECDH_GEN_PUBLIC_ALT */
+#if defined(MBEDTLS_ECDH_COMPUTE_SHARED_ALT)
+    "MBEDTLS_ECDH_COMPUTE_SHARED_ALT",
+#endif /* MBEDTLS_ECDH_COMPUTE_SHARED_ALT */
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+    "MBEDTLS_ECDSA_VERIFY_ALT",
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+    "MBEDTLS_ECDSA_SIGN_ALT",
+#endif /* MBEDTLS_ECDSA_SIGN_ALT */
+#if defined(MBEDTLS_ECDSA_GENKEY_ALT)
+    "MBEDTLS_ECDSA_GENKEY_ALT",
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */
+#if defined(MBEDTLS_ECP_INTERNAL_ALT)
+    "MBEDTLS_ECP_INTERNAL_ALT",
+#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+    "MBEDTLS_ECP_ADD_MIXED_ALT",
+#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+    "MBEDTLS_ECP_DOUBLE_JAC_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+    "MBEDTLS_ECP_NORMALIZE_JAC_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+    "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT",
+#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+    "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
+#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+    "MBEDTLS_ECP_NORMALIZE_MXZ_ALT",
+#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+#if defined(MBEDTLS_TEST_NULL_ENTROPY)
+    "MBEDTLS_TEST_NULL_ENTROPY",
+#endif /* MBEDTLS_TEST_NULL_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
+    "MBEDTLS_ENTROPY_HARDWARE_ALT",
+#endif /* MBEDTLS_ENTROPY_HARDWARE_ALT */
+#if defined(MBEDTLS_AES_ROM_TABLES)
+    "MBEDTLS_AES_ROM_TABLES",
+#endif /* MBEDTLS_AES_ROM_TABLES */
+#if defined(MBEDTLS_AES_FEWER_TABLES)
+    "MBEDTLS_AES_FEWER_TABLES",
+#endif /* MBEDTLS_AES_FEWER_TABLES */
+#if defined(MBEDTLS_CAMELLIA_SMALL_MEMORY)
+    "MBEDTLS_CAMELLIA_SMALL_MEMORY",
+#endif /* MBEDTLS_CAMELLIA_SMALL_MEMORY */
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+    "MBEDTLS_CIPHER_MODE_CBC",
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+    "MBEDTLS_CIPHER_MODE_CFB",
+#endif /* MBEDTLS_CIPHER_MODE_CFB */
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+    "MBEDTLS_CIPHER_MODE_CTR",
+#endif /* MBEDTLS_CIPHER_MODE_CTR */
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+    "MBEDTLS_CIPHER_MODE_OFB",
+#endif /* MBEDTLS_CIPHER_MODE_OFB */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    "MBEDTLS_CIPHER_MODE_XTS",
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+#if defined(MBEDTLS_CIPHER_NULL_CIPHER)
+    "MBEDTLS_CIPHER_NULL_CIPHER",
+#endif /* MBEDTLS_CIPHER_NULL_CIPHER */
+#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
+    "MBEDTLS_CIPHER_PADDING_PKCS7",
+#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
+#if defined(MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN)
+    "MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
+#if defined(MBEDTLS_CIPHER_PADDING_ZEROS)
+    "MBEDTLS_CIPHER_PADDING_ZEROS",
+#endif /* MBEDTLS_CIPHER_PADDING_ZEROS */
+#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
+    "MBEDTLS_CTR_DRBG_USE_128_BIT_KEY",
+#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
+#if defined(MBEDTLS_ENABLE_WEAK_CIPHERSUITES)
+    "MBEDTLS_ENABLE_WEAK_CIPHERSUITES",
+#endif /* MBEDTLS_ENABLE_WEAK_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
+    "MBEDTLS_REMOVE_ARC4_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
+#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
+    "MBEDTLS_REMOVE_3DES_CIPHERSUITES",
+#endif /* MBEDTLS_REMOVE_3DES_CIPHERSUITES */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP521R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP192K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP224K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+    "MBEDTLS_ECP_DP_SECP256K1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP256R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP384R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+    "MBEDTLS_ECP_DP_BP512R1_ENABLED",
+#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE25519_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+    "MBEDTLS_ECP_DP_CURVE448_ENABLED",
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+#if defined(MBEDTLS_ECP_NIST_OPTIM)
+    "MBEDTLS_ECP_NIST_OPTIM",
+#endif /* MBEDTLS_ECP_NIST_OPTIM */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+    "MBEDTLS_ECP_RESTARTABLE",
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+    "MBEDTLS_ECDSA_DETERMINISTIC",
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED",
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED)
+    "MBEDTLS_PK_PARSE_EC_EXTENDED",
+#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
+#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+    "MBEDTLS_ERROR_STRERROR_DUMMY",
+#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
+#if defined(MBEDTLS_GENPRIME)
+    "MBEDTLS_GENPRIME",
+#endif /* MBEDTLS_GENPRIME */
+#if defined(MBEDTLS_FS_IO)
+    "MBEDTLS_FS_IO",
+#endif /* MBEDTLS_FS_IO */
+#if defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+    "MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES",
+#endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */
+#if defined(MBEDTLS_NO_PLATFORM_ENTROPY)
+    "MBEDTLS_NO_PLATFORM_ENTROPY",
+#endif /* MBEDTLS_NO_PLATFORM_ENTROPY */
+#if defined(MBEDTLS_ENTROPY_FORCE_SHA256)
+    "MBEDTLS_ENTROPY_FORCE_SHA256",
+#endif /* MBEDTLS_ENTROPY_FORCE_SHA256 */
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+    "MBEDTLS_ENTROPY_NV_SEED",
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
+#if defined(MBEDTLS_MEMORY_DEBUG)
+    "MBEDTLS_MEMORY_DEBUG",
+#endif /* MBEDTLS_MEMORY_DEBUG */
+#if defined(MBEDTLS_MEMORY_BACKTRACE)
+    "MBEDTLS_MEMORY_BACKTRACE",
+#endif /* MBEDTLS_MEMORY_BACKTRACE */
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+    "MBEDTLS_PK_RSA_ALT_SUPPORT",
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
+#if defined(MBEDTLS_PKCS1_V15)
+    "MBEDTLS_PKCS1_V15",
+#endif /* MBEDTLS_PKCS1_V15 */
+#if defined(MBEDTLS_PKCS1_V21)
+    "MBEDTLS_PKCS1_V21",
+#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_RSA_NO_CRT)
+    "MBEDTLS_RSA_NO_CRT",
+#endif /* MBEDTLS_RSA_NO_CRT */
+#if defined(MBEDTLS_SELF_TEST)
+    "MBEDTLS_SELF_TEST",
+#endif /* MBEDTLS_SELF_TEST */
+#if defined(MBEDTLS_SHA256_SMALLER)
+    "MBEDTLS_SHA256_SMALLER",
+#endif /* MBEDTLS_SHA256_SMALLER */
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
+    "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
+#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
+    "MBEDTLS_SSL_ASYNC_PRIVATE",
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
+#if defined(MBEDTLS_SSL_DEBUG_ALL)
+    "MBEDTLS_SSL_DEBUG_ALL",
+#endif /* MBEDTLS_SSL_DEBUG_ALL */
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+    "MBEDTLS_SSL_ENCRYPT_THEN_MAC",
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+    "MBEDTLS_SSL_EXTENDED_MASTER_SECRET",
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
+    "MBEDTLS_SSL_FALLBACK_SCSV",
+#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+    "MBEDTLS_SSL_HW_RECORD_ACCEL",
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+    "MBEDTLS_SSL_CBC_RECORD_SPLITTING",
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+    "MBEDTLS_SSL_RENEGOTIATION",
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
+#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
+    "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO",
+#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
+    "MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE",
+#endif /* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE */
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+    "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH",
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+    "MBEDTLS_SSL_PROTO_SSL3",
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1)
+    "MBEDTLS_SSL_PROTO_TLS1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    "MBEDTLS_SSL_PROTO_TLS1_1",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    "MBEDTLS_SSL_PROTO_TLS1_2",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    "MBEDTLS_SSL_PROTO_DTLS",
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_ALPN)
+    "MBEDTLS_SSL_ALPN",
+#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
+    "MBEDTLS_SSL_DTLS_ANTI_REPLAY",
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
+    "MBEDTLS_SSL_DTLS_HELLO_VERIFY",
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
+    "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE",
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE */
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
+    "MBEDTLS_SSL_DTLS_BADMAC_LIMIT",
+#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+    "MBEDTLS_SSL_SESSION_TICKETS",
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)
+    "MBEDTLS_SSL_EXPORT_KEYS",
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    "MBEDTLS_SSL_SERVER_NAME_INDICATION",
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+    "MBEDTLS_SSL_TRUNCATED_HMAC",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
+    "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */
+#if defined(MBEDTLS_THREADING_ALT)
+    "MBEDTLS_THREADING_ALT",
+#endif /* MBEDTLS_THREADING_ALT */
+#if defined(MBEDTLS_THREADING_PTHREAD)
+    "MBEDTLS_THREADING_PTHREAD",
+#endif /* MBEDTLS_THREADING_PTHREAD */
+#if defined(MBEDTLS_VERSION_FEATURES)
+    "MBEDTLS_VERSION_FEATURES",
+#endif /* MBEDTLS_VERSION_FEATURES */
+#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3",
+#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */
+#if defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+    "MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION",
+#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+    "MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE",
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    "MBEDTLS_X509_RSASSA_PSS_SUPPORT",
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+#if defined(MBEDTLS_ZLIB_SUPPORT)
+    "MBEDTLS_ZLIB_SUPPORT",
+#endif /* MBEDTLS_ZLIB_SUPPORT */
+#if defined(MBEDTLS_AESNI_C)
+    "MBEDTLS_AESNI_C",
+#endif /* MBEDTLS_AESNI_C */
+#if defined(MBEDTLS_AES_C)
+    "MBEDTLS_AES_C",
+#endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_ARC4_C)
+    "MBEDTLS_ARC4_C",
+#endif /* MBEDTLS_ARC4_C */
+#if defined(MBEDTLS_ASN1_PARSE_C)
+    "MBEDTLS_ASN1_PARSE_C",
+#endif /* MBEDTLS_ASN1_PARSE_C */
+#if defined(MBEDTLS_ASN1_WRITE_C)
+    "MBEDTLS_ASN1_WRITE_C",
+#endif /* MBEDTLS_ASN1_WRITE_C */
+#if defined(MBEDTLS_BASE64_C)
+    "MBEDTLS_BASE64_C",
+#endif /* MBEDTLS_BASE64_C */
+#if defined(MBEDTLS_BIGNUM_C)
+    "MBEDTLS_BIGNUM_C",
+#endif /* MBEDTLS_BIGNUM_C */
+#if defined(MBEDTLS_BLOWFISH_C)
+    "MBEDTLS_BLOWFISH_C",
+#endif /* MBEDTLS_BLOWFISH_C */
+#if defined(MBEDTLS_CAMELLIA_C)
+    "MBEDTLS_CAMELLIA_C",
+#endif /* MBEDTLS_CAMELLIA_C */
+#if defined(MBEDTLS_ARIA_C)
+    "MBEDTLS_ARIA_C",
+#endif /* MBEDTLS_ARIA_C */
+#if defined(MBEDTLS_CCM_C)
+    "MBEDTLS_CCM_C",
+#endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CERTS_C)
+    "MBEDTLS_CERTS_C",
+#endif /* MBEDTLS_CERTS_C */
+#if defined(MBEDTLS_CHACHA20_C)
+    "MBEDTLS_CHACHA20_C",
+#endif /* MBEDTLS_CHACHA20_C */
+#if defined(MBEDTLS_CHACHAPOLY_C)
+    "MBEDTLS_CHACHAPOLY_C",
+#endif /* MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_CIPHER_C)
+    "MBEDTLS_CIPHER_C",
+#endif /* MBEDTLS_CIPHER_C */
+#if defined(MBEDTLS_CMAC_C)
+    "MBEDTLS_CMAC_C",
+#endif /* MBEDTLS_CMAC_C */
+#if defined(MBEDTLS_CTR_DRBG_C)
+    "MBEDTLS_CTR_DRBG_C",
+#endif /* MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_DEBUG_C)
+    "MBEDTLS_DEBUG_C",
+#endif /* MBEDTLS_DEBUG_C */
+#if defined(MBEDTLS_DES_C)
+    "MBEDTLS_DES_C",
+#endif /* MBEDTLS_DES_C */
+#if defined(MBEDTLS_DHM_C)
+    "MBEDTLS_DHM_C",
+#endif /* MBEDTLS_DHM_C */
+#if defined(MBEDTLS_ECDH_C)
+    "MBEDTLS_ECDH_C",
+#endif /* MBEDTLS_ECDH_C */
+#if defined(MBEDTLS_ECDSA_C)
+    "MBEDTLS_ECDSA_C",
+#endif /* MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_ECJPAKE_C)
+    "MBEDTLS_ECJPAKE_C",
+#endif /* MBEDTLS_ECJPAKE_C */
+#if defined(MBEDTLS_ECP_C)
+    "MBEDTLS_ECP_C",
+#endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_ENTROPY_C)
+    "MBEDTLS_ENTROPY_C",
+#endif /* MBEDTLS_ENTROPY_C */
+#if defined(MBEDTLS_ERROR_C)
+    "MBEDTLS_ERROR_C",
+#endif /* MBEDTLS_ERROR_C */
+#if defined(MBEDTLS_GCM_C)
+    "MBEDTLS_GCM_C",
+#endif /* MBEDTLS_GCM_C */
+#if defined(MBEDTLS_HAVEGE_C)
+    "MBEDTLS_HAVEGE_C",
+#endif /* MBEDTLS_HAVEGE_C */
+#if defined(MBEDTLS_HKDF_C)
+    "MBEDTLS_HKDF_C",
+#endif /* MBEDTLS_HKDF_C */
+#if defined(MBEDTLS_HMAC_DRBG_C)
+    "MBEDTLS_HMAC_DRBG_C",
+#endif /* MBEDTLS_HMAC_DRBG_C */
+#if defined(MBEDTLS_NIST_KW_C)
+    "MBEDTLS_NIST_KW_C",
+#endif /* MBEDTLS_NIST_KW_C */
+#if defined(MBEDTLS_MD_C)
+    "MBEDTLS_MD_C",
+#endif /* MBEDTLS_MD_C */
+#if defined(MBEDTLS_MD2_C)
+    "MBEDTLS_MD2_C",
+#endif /* MBEDTLS_MD2_C */
+#if defined(MBEDTLS_MD4_C)
+    "MBEDTLS_MD4_C",
+#endif /* MBEDTLS_MD4_C */
+#if defined(MBEDTLS_MD5_C)
+    "MBEDTLS_MD5_C",
+#endif /* MBEDTLS_MD5_C */
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+    "MBEDTLS_MEMORY_BUFFER_ALLOC_C",
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+#if defined(MBEDTLS_NET_C)
+    "MBEDTLS_NET_C",
+#endif /* MBEDTLS_NET_C */
+#if defined(MBEDTLS_OID_C)
+    "MBEDTLS_OID_C",
+#endif /* MBEDTLS_OID_C */
+#if defined(MBEDTLS_PADLOCK_C)
+    "MBEDTLS_PADLOCK_C",
+#endif /* MBEDTLS_PADLOCK_C */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    "MBEDTLS_PEM_PARSE_C",
+#endif /* MBEDTLS_PEM_PARSE_C */
+#if defined(MBEDTLS_PEM_WRITE_C)
+    "MBEDTLS_PEM_WRITE_C",
+#endif /* MBEDTLS_PEM_WRITE_C */
+#if defined(MBEDTLS_PK_C)
+    "MBEDTLS_PK_C",
+#endif /* MBEDTLS_PK_C */
+#if defined(MBEDTLS_PK_PARSE_C)
+    "MBEDTLS_PK_PARSE_C",
+#endif /* MBEDTLS_PK_PARSE_C */
+#if defined(MBEDTLS_PK_WRITE_C)
+    "MBEDTLS_PK_WRITE_C",
+#endif /* MBEDTLS_PK_WRITE_C */
+#if defined(MBEDTLS_PKCS5_C)
+    "MBEDTLS_PKCS5_C",
+#endif /* MBEDTLS_PKCS5_C */
+#if defined(MBEDTLS_PKCS11_C)
+    "MBEDTLS_PKCS11_C",
+#endif /* MBEDTLS_PKCS11_C */
+#if defined(MBEDTLS_PKCS12_C)
+    "MBEDTLS_PKCS12_C",
+#endif /* MBEDTLS_PKCS12_C */
+#if defined(MBEDTLS_PLATFORM_C)
+    "MBEDTLS_PLATFORM_C",
+#endif /* MBEDTLS_PLATFORM_C */
+#if defined(MBEDTLS_POLY1305_C)
+    "MBEDTLS_POLY1305_C",
+#endif /* MBEDTLS_POLY1305_C */
+#if defined(MBEDTLS_RIPEMD160_C)
+    "MBEDTLS_RIPEMD160_C",
+#endif /* MBEDTLS_RIPEMD160_C */
+#if defined(MBEDTLS_RSA_C)
+    "MBEDTLS_RSA_C",
+#endif /* MBEDTLS_RSA_C */
+#if defined(MBEDTLS_SHA1_C)
+    "MBEDTLS_SHA1_C",
+#endif /* MBEDTLS_SHA1_C */
+#if defined(MBEDTLS_SHA256_C)
+    "MBEDTLS_SHA256_C",
+#endif /* MBEDTLS_SHA256_C */
+#if defined(MBEDTLS_SHA512_C)
+    "MBEDTLS_SHA512_C",
+#endif /* MBEDTLS_SHA512_C */
+#if defined(MBEDTLS_SSL_CACHE_C)
+    "MBEDTLS_SSL_CACHE_C",
+#endif /* MBEDTLS_SSL_CACHE_C */
+#if defined(MBEDTLS_SSL_COOKIE_C)
+    "MBEDTLS_SSL_COOKIE_C",
+#endif /* MBEDTLS_SSL_COOKIE_C */
+#if defined(MBEDTLS_SSL_TICKET_C)
+    "MBEDTLS_SSL_TICKET_C",
+#endif /* MBEDTLS_SSL_TICKET_C */
+#if defined(MBEDTLS_SSL_CLI_C)
+    "MBEDTLS_SSL_CLI_C",
+#endif /* MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SRV_C)
+    "MBEDTLS_SSL_SRV_C",
+#endif /* MBEDTLS_SSL_SRV_C */
+#if defined(MBEDTLS_SSL_TLS_C)
+    "MBEDTLS_SSL_TLS_C",
+#endif /* MBEDTLS_SSL_TLS_C */
+#if defined(MBEDTLS_THREADING_C)
+    "MBEDTLS_THREADING_C",
+#endif /* MBEDTLS_THREADING_C */
+#if defined(MBEDTLS_TIMING_C)
+    "MBEDTLS_TIMING_C",
+#endif /* MBEDTLS_TIMING_C */
+#if defined(MBEDTLS_VERSION_C)
+    "MBEDTLS_VERSION_C",
+#endif /* MBEDTLS_VERSION_C */
+#if defined(MBEDTLS_X509_USE_C)
+    "MBEDTLS_X509_USE_C",
+#endif /* MBEDTLS_X509_USE_C */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    "MBEDTLS_X509_CRT_PARSE_C",
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+    "MBEDTLS_X509_CRL_PARSE_C",
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+    "MBEDTLS_X509_CSR_PARSE_C",
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
+#if defined(MBEDTLS_X509_CREATE_C)
+    "MBEDTLS_X509_CREATE_C",
+#endif /* MBEDTLS_X509_CREATE_C */
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+    "MBEDTLS_X509_CRT_WRITE_C",
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+    "MBEDTLS_X509_CSR_WRITE_C",
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
+#if defined(MBEDTLS_XTEA_C)
+    "MBEDTLS_XTEA_C",
+#endif /* MBEDTLS_XTEA_C */
+#endif /* MBEDTLS_VERSION_FEATURES */
+    NULL
+};
+
+int mbedtls_version_check_feature( const char *feature )
+{
+    const char **idx = features;
+
+    if( *idx == NULL )
+        return( -2 );
+
+    if( feature == NULL )
+        return( -1 );
+
+    while( *idx != NULL )
+    {
+        if( !strcmp( *idx, feature ) )
+            return( 0 );
+        idx++;
+    }
+    return( -1 );
+}
+
+#endif /* MBEDTLS_VERSION_C */
diff --git a/makerom/deps/libmbedtls/src/x509.c b/makerom/deps/libmbedtls/src/x509.c
new file mode 100644
index 00000000..2e0b0e8f
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/x509.c
@@ -0,0 +1,1072 @@
+/*
+ *  X.509 common functions for parsing and verification
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_USE_C)
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1.h"
+#include "mbedtls/oid.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_free      free
+#define mbedtls_calloc    calloc
+#define mbedtls_printf    printf
+#define mbedtls_snprintf  snprintf
+#endif
+
+#if defined(MBEDTLS_HAVE_TIME)
+#include "mbedtls/platform_time.h"
+#endif
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+#include "mbedtls/platform_util.h"
+#include <time.h>
+#endif
+
+#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
+#define CHECK_RANGE(min, max, val)                      \
+    do                                                  \
+    {                                                   \
+        if( ( val ) < ( min ) || ( val ) > ( max ) )    \
+        {                                               \
+            return( ret );                              \
+        }                                               \
+    } while( 0 )
+
+/*
+ *  CertificateSerialNumber  ::=  INTEGER
+ */
+int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
+                     mbedtls_x509_buf *serial )
+{
+    int ret;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_PRIMITIVE | 2 ) &&
+        **p !=   MBEDTLS_ASN1_INTEGER )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    serial->tag = *(*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &serial->len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_SERIAL + ret );
+
+    serial->p = *p;
+    *p += serial->len;
+
+    return( 0 );
+}
+
+/* Get an algorithm identifier without parameters (eg for signatures)
+ *
+ *  AlgorithmIdentifier  ::=  SEQUENCE  {
+ *       algorithm               OBJECT IDENTIFIER,
+ *       parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ */
+int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
+                       mbedtls_x509_buf *alg )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    return( 0 );
+}
+
+/*
+ * Parse an algorithm identifier with (optional) parameters
+ */
+int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
+                  mbedtls_x509_buf *alg, mbedtls_x509_buf *params )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_alg( p, end, alg, params ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+/*
+ * HashAlgorithm ::= AlgorithmIdentifier
+ *
+ * AlgorithmIdentifier  ::=  SEQUENCE  {
+ *      algorithm               OBJECT IDENTIFIER,
+ *      parameters              ANY DEFINED BY algorithm OPTIONAL  }
+ *
+ * For HashAlgorithm, parameters MUST be NULL or absent.
+ */
+static int x509_get_hash_alg( const mbedtls_x509_buf *alg, mbedtls_md_type_t *md_alg )
+{
+    int ret;
+    unsigned char *p;
+    const unsigned char *end;
+    mbedtls_x509_buf md_oid;
+    size_t len;
+
+    /* Make sure we got a SEQUENCE and setup bounds */
+    if( alg->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    p = (unsigned char *) alg->p;
+    end = p + alg->len;
+
+    if( p >= end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    /* Parse md_oid */
+    md_oid.tag = *p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &md_oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    md_oid.p = p;
+    p += md_oid.len;
+
+    /* Get md_alg from md_oid */
+    if( ( ret = mbedtls_oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    /* Make sure params is absent of NULL */
+    if( p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_NULL ) ) != 0 || len != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p != end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ *    RSASSA-PSS-params  ::=  SEQUENCE  {
+ *       hashAlgorithm     [0] HashAlgorithm DEFAULT sha1Identifier,
+ *       maskGenAlgorithm  [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
+ *       saltLength        [2] INTEGER DEFAULT 20,
+ *       trailerField      [3] INTEGER DEFAULT 1  }
+ *    -- Note that the tags in this Sequence are explicit.
+ *
+ * RFC 4055 (which defines use of RSASSA-PSS in PKIX) states that the value
+ * of trailerField MUST be 1, and PKCS#1 v2.2 doesn't even define any other
+ * option. Enfore this at parsing time.
+ */
+int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
+                                mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
+                                int *salt_len )
+{
+    int ret;
+    unsigned char *p;
+    const unsigned char *end, *end2;
+    size_t len;
+    mbedtls_x509_buf alg_id, alg_params;
+
+    /* First set everything to defaults */
+    *md_alg = MBEDTLS_MD_SHA1;
+    *mgf_md = MBEDTLS_MD_SHA1;
+    *salt_len = 20;
+
+    /* Make sure params is a SEQUENCE and setup bounds */
+    if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    p = (unsigned char *) params->p;
+    end = p + params->len;
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * HashAlgorithm
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        /* HashAlgorithm ::= AlgorithmIdentifier (without parameters) */
+        if( ( ret = mbedtls_x509_get_alg_null( &p, end2, &alg_id ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * MaskGenAlgorithm
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 1 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        /* MaskGenAlgorithm ::= AlgorithmIdentifier (params = HashAlgorithm) */
+        if( ( ret = mbedtls_x509_get_alg( &p, end2, &alg_id, &alg_params ) ) != 0 )
+            return( ret );
+
+        /* Only MFG1 is recognised for now */
+        if( MBEDTLS_OID_CMP( MBEDTLS_OID_MGF1, &alg_id ) != 0 )
+            return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE +
+                    MBEDTLS_ERR_OID_NOT_FOUND );
+
+        /* Parse HashAlgorithm */
+        if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
+            return( ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * salt_len
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 2 ) ) == 0 )
+    {
+        end2 = p + len;
+
+        if( ( ret = mbedtls_asn1_get_int( &p, end2, salt_len ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p == end )
+        return( 0 );
+
+    /*
+     * trailer_field (if present, must be 1)
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+                    MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 3 ) ) == 0 )
+    {
+        int trailer_field;
+
+        end2 = p + len;
+
+        if( ( ret = mbedtls_asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+        if( p != end2 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        if( trailer_field != 1 )
+            return( MBEDTLS_ERR_X509_INVALID_ALG );
+    }
+    else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+
+    if( p != end )
+        return( MBEDTLS_ERR_X509_INVALID_ALG +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+/*
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_get_attr_type_value( unsigned char **p,
+                                     const unsigned char *end,
+                                     mbedtls_x509_name *cur )
+{
+    int ret;
+    size_t len;
+    mbedtls_x509_buf *oid;
+    mbedtls_x509_buf *val;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    end = *p + len;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    oid = &cur->oid;
+    oid->tag = **p;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &oid->len, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    oid->p = *p;
+    *p += oid->len;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    if( **p != MBEDTLS_ASN1_BMP_STRING && **p != MBEDTLS_ASN1_UTF8_STRING      &&
+        **p != MBEDTLS_ASN1_T61_STRING && **p != MBEDTLS_ASN1_PRINTABLE_STRING &&
+        **p != MBEDTLS_ASN1_IA5_STRING && **p != MBEDTLS_ASN1_UNIVERSAL_STRING &&
+        **p != MBEDTLS_ASN1_BIT_STRING )
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    val = &cur->val;
+    val->tag = *(*p)++;
+
+    if( ( ret = mbedtls_asn1_get_len( p, end, &val->len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+    val->p = *p;
+    *p += val->len;
+
+    if( *p != end )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_NAME +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    cur->next = NULL;
+
+    return( 0 );
+}
+
+/*
+ *  Name ::= CHOICE { -- only one possibility for now --
+ *       rdnSequence  RDNSequence }
+ *
+ *  RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+ *
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ *
+ * The data structure is optimized for the common case where each RDN has only
+ * one element, which is represented as a list of AttributeTypeAndValue.
+ * For the general case we still use a flat list, but we mark elements of the
+ * same set so that they are "merged" together in the functions that consume
+ * this list, eg mbedtls_x509_dn_gets().
+ */
+int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
+                   mbedtls_x509_name *cur )
+{
+    int ret;
+    size_t set_len;
+    const unsigned char *end_set;
+
+    /* don't use recursion, we'd risk stack overflow if not optimized */
+    while( 1 )
+    {
+        /*
+         * parse SET
+         */
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &set_len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+
+        end_set  = *p + set_len;
+
+        while( 1 )
+        {
+            if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
+                return( ret );
+
+            if( *p == end_set )
+                break;
+
+            /* Mark this item as being no the only one in a set */
+            cur->next_merged = 1;
+
+            cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+
+        /*
+         * continue until end of SEQUENCE is reached
+         */
+        if( *p == end )
+            return( 0 );
+
+        cur->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_name ) );
+
+        if( cur->next == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        cur = cur->next;
+    }
+}
+
+static int x509_parse_int( unsigned char **p, size_t n, int *res )
+{
+    *res = 0;
+
+    for( ; n > 0; --n )
+    {
+        if( ( **p < '0') || ( **p > '9' ) )
+            return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+        *res *= 10;
+        *res += ( *(*p)++ - '0' );
+    }
+
+    return( 0 );
+}
+
+static int x509_date_is_valid(const mbedtls_x509_time *t )
+{
+    int ret = MBEDTLS_ERR_X509_INVALID_DATE;
+    int month_len;
+
+    CHECK_RANGE( 0, 9999, t->year );
+    CHECK_RANGE( 0, 23,   t->hour );
+    CHECK_RANGE( 0, 59,   t->min  );
+    CHECK_RANGE( 0, 59,   t->sec  );
+
+    switch( t->mon )
+    {
+        case 1: case 3: case 5: case 7: case 8: case 10: case 12:
+            month_len = 31;
+            break;
+        case 4: case 6: case 9: case 11:
+            month_len = 30;
+            break;
+        case 2:
+            if( ( !( t->year % 4 ) && t->year % 100 ) ||
+                !( t->year % 400 ) )
+                month_len = 29;
+            else
+                month_len = 28;
+            break;
+        default:
+            return( ret );
+    }
+    CHECK_RANGE( 1, month_len, t->day );
+
+    return( 0 );
+}
+
+/*
+ * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
+ * field.
+ */
+static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
+                            mbedtls_x509_time *tm )
+{
+    int ret;
+
+    /*
+     * Minimum length is 10 or 12 depending on yearlen
+     */
+    if ( len < yearlen + 8 )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+    len -= yearlen + 8;
+
+    /*
+     * Parse year, month, day, hour, minute
+     */
+    CHECK( x509_parse_int( p, yearlen, &tm->year ) );
+    if ( 2 == yearlen )
+    {
+        if ( tm->year < 50 )
+            tm->year += 100;
+
+        tm->year += 1900;
+    }
+
+    CHECK( x509_parse_int( p, 2, &tm->mon ) );
+    CHECK( x509_parse_int( p, 2, &tm->day ) );
+    CHECK( x509_parse_int( p, 2, &tm->hour ) );
+    CHECK( x509_parse_int( p, 2, &tm->min ) );
+
+    /*
+     * Parse seconds if present
+     */
+    if ( len >= 2 )
+    {
+        CHECK( x509_parse_int( p, 2, &tm->sec ) );
+        len -= 2;
+    }
+    else
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    /*
+     * Parse trailing 'Z' if present
+     */
+    if ( 1 == len && 'Z' == **p )
+    {
+        (*p)++;
+        len--;
+    }
+
+    /*
+     * We should have parsed all characters at this point
+     */
+    if ( 0 != len )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    CHECK( x509_date_is_valid( tm ) );
+
+    return ( 0 );
+}
+
+/*
+ *  Time ::= CHOICE {
+ *       utcTime        UTCTime,
+ *       generalTime    GeneralizedTime }
+ */
+int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
+                           mbedtls_x509_time *tm )
+{
+    int ret;
+    size_t len, year_len;
+    unsigned char tag;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    tag = **p;
+
+    if( tag == MBEDTLS_ASN1_UTC_TIME )
+        year_len = 2;
+    else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
+        year_len = 4;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    (*p)++;
+    ret = mbedtls_asn1_get_len( p, end, &len );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    return x509_parse_time( p, len, year_len, tm );
+}
+
+int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig )
+{
+    int ret;
+    size_t len;
+    int tag_type;
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_SIGNATURE +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    tag_type = **p;
+
+    if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_SIGNATURE + ret );
+
+    sig->tag = tag_type;
+    sig->len = len;
+    sig->p = *p;
+
+    *p += len;
+
+    return( 0 );
+}
+
+/*
+ * Get signature algorithm from alg OID and optional parameters
+ */
+int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
+                      mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
+                      void **sig_opts )
+{
+    int ret;
+
+    if( *sig_opts != NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    if( ( ret = mbedtls_oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + ret );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    if( *pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        mbedtls_pk_rsassa_pss_options *pss_opts;
+
+        pss_opts = mbedtls_calloc( 1, sizeof( mbedtls_pk_rsassa_pss_options ) );
+        if( pss_opts == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        ret = mbedtls_x509_get_rsassa_pss_params( sig_params,
+                                          md_alg,
+                                          &pss_opts->mgf1_hash_id,
+                                          &pss_opts->expected_salt_len );
+        if( ret != 0 )
+        {
+            mbedtls_free( pss_opts );
+            return( ret );
+        }
+
+        *sig_opts = (void *) pss_opts;
+    }
+    else
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+    {
+        /* Make sure parameters are absent or NULL */
+        if( ( sig_params->tag != MBEDTLS_ASN1_NULL && sig_params->tag != 0 ) ||
+              sig_params->len != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+    }
+
+    return( 0 );
+}
+
+/*
+ * X.509 Extensions (No parsing of extensions, pointer should
+ * be either manually updated or extensions should be parsed!)
+ */
+int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
+                          mbedtls_x509_buf *ext, int tag )
+{
+    int ret;
+    size_t len;
+
+    /* Extension structure use EXPLICIT tagging. That is, the actual
+     * `Extensions` structure is wrapped by a tag-length pair using
+     * the respective context-specific tag. */
+    ret = mbedtls_asn1_get_tag( p, end, &ext->len,
+              MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag );
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    ext->tag = MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag;
+    ext->p   = *p;
+    end      = *p + ext->len;
+
+    /*
+     * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( end != *p + len )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Store the name in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn )
+{
+    int ret;
+    size_t i, n;
+    unsigned char c, merge = 0;
+    const mbedtls_x509_name *name;
+    const char *short_name = NULL;
+    char s[MBEDTLS_X509_MAX_DN_NAME_SIZE], *p;
+
+    memset( s, 0, sizeof( s ) );
+
+    name = dn;
+    p = buf;
+    n = size;
+
+    while( name != NULL )
+    {
+        if( !name->oid.p )
+        {
+            name = name->next;
+            continue;
+        }
+
+        if( name != dn )
+        {
+            ret = mbedtls_snprintf( p, n, merge ? " + " : ", " );
+            MBEDTLS_X509_SAFE_SNPRINTF;
+        }
+
+        ret = mbedtls_oid_get_attr_short_name( &name->oid, &short_name );
+
+        if( ret == 0 )
+            ret = mbedtls_snprintf( p, n, "%s=", short_name );
+        else
+            ret = mbedtls_snprintf( p, n, "\?\?=" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        for( i = 0; i < name->val.len; i++ )
+        {
+            if( i >= sizeof( s ) - 1 )
+                break;
+
+            c = name->val.p[i];
+            if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
+                 s[i] = '?';
+            else s[i] = c;
+        }
+        s[i] = '\0';
+        ret = mbedtls_snprintf( p, n, "%s", s );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        merge = name->next_merged;
+        name = name->next;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Store the serial in printable form into buf; no more
+ * than size characters will be written
+ */
+int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial )
+{
+    int ret;
+    size_t i, n, nr;
+    char *p;
+
+    p = buf;
+    n = size;
+
+    nr = ( serial->len <= 32 )
+        ? serial->len  : 28;
+
+    for( i = 0; i < nr; i++ )
+    {
+        if( i == 0 && nr > 1 && serial->p[i] == 0x0 )
+            continue;
+
+        ret = mbedtls_snprintf( p, n, "%02X%s",
+                serial->p[i], ( i < nr - 1 ) ? ":" : "" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    if( nr != serial->len )
+    {
+        ret = mbedtls_snprintf( p, n, "...." );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Helper for writing signature algorithms
+ */
+int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
+                       mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
+                       const void *sig_opts )
+{
+    int ret;
+    char *p = buf;
+    size_t n = size;
+    const char *desc = NULL;
+
+    ret = mbedtls_oid_get_sig_alg_desc( sig_oid, &desc );
+    if( ret != 0 )
+        ret = mbedtls_snprintf( p, n, "???"  );
+    else
+        ret = mbedtls_snprintf( p, n, "%s", desc );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    if( pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        const mbedtls_pk_rsassa_pss_options *pss_opts;
+        const mbedtls_md_info_t *md_info, *mgf_md_info;
+
+        pss_opts = (const mbedtls_pk_rsassa_pss_options *) sig_opts;
+
+        md_info = mbedtls_md_info_from_type( md_alg );
+        mgf_md_info = mbedtls_md_info_from_type( pss_opts->mgf1_hash_id );
+
+        ret = mbedtls_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
+                              md_info ? mbedtls_md_get_name( md_info ) : "???",
+                              mgf_md_info ? mbedtls_md_get_name( mgf_md_info ) : "???",
+                              pss_opts->expected_salt_len );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+#else
+    ((void) pk_alg);
+    ((void) md_alg);
+    ((void) sig_opts);
+#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
+
+    return( (int)( size - n ) );
+}
+
+/*
+ * Helper for writing "RSA key size", "EC key size", etc
+ */
+int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name )
+{
+    char *p = buf;
+    size_t n = buf_size;
+    int ret;
+
+    ret = mbedtls_snprintf( p, n, "%s key size", name );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_HAVE_TIME_DATE)
+/*
+ * Set the time structure to the current time.
+ * Return 0 on success, non-zero on failure.
+ */
+static int x509_get_current_time( mbedtls_x509_time *now )
+{
+    struct tm *lt, tm_buf;
+    mbedtls_time_t tt;
+    int ret = 0;
+
+    tt = mbedtls_time( NULL );
+    lt = mbedtls_platform_gmtime_r( &tt, &tm_buf );
+
+    if( lt == NULL )
+        ret = -1;
+    else
+    {
+        now->year = lt->tm_year + 1900;
+        now->mon  = lt->tm_mon  + 1;
+        now->day  = lt->tm_mday;
+        now->hour = lt->tm_hour;
+        now->min  = lt->tm_min;
+        now->sec  = lt->tm_sec;
+    }
+
+    return( ret );
+}
+
+/*
+ * Return 0 if before <= after, 1 otherwise
+ */
+static int x509_check_time( const mbedtls_x509_time *before, const mbedtls_x509_time *after )
+{
+    if( before->year  > after->year )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon   > after->mon )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day   > after->day )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour  > after->hour )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour == after->hour &&
+        before->min   > after->min  )
+        return( 1 );
+
+    if( before->year == after->year &&
+        before->mon  == after->mon  &&
+        before->day  == after->day  &&
+        before->hour == after->hour &&
+        before->min  == after->min  &&
+        before->sec   > after->sec  )
+        return( 1 );
+
+    return( 0 );
+}
+
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to )
+{
+    mbedtls_x509_time now;
+
+    if( x509_get_current_time( &now ) != 0 )
+        return( 1 );
+
+    return( x509_check_time( &now, to ) );
+}
+
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
+{
+    mbedtls_x509_time now;
+
+    if( x509_get_current_time( &now ) != 0 )
+        return( 1 );
+
+    return( x509_check_time( from, &now ) );
+}
+
+#else  /* MBEDTLS_HAVE_TIME_DATE */
+
+int mbedtls_x509_time_is_past( const mbedtls_x509_time *to )
+{
+    ((void) to);
+    return( 0 );
+}
+
+int mbedtls_x509_time_is_future( const mbedtls_x509_time *from )
+{
+    ((void) from);
+    return( 0 );
+}
+#endif /* MBEDTLS_HAVE_TIME_DATE */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/certs.h"
+
+/*
+ * Checkup routine
+ */
+int mbedtls_x509_self_test( int verbose )
+{
+    int ret = 0;
+#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
+    uint32_t flags;
+    mbedtls_x509_crt cacert;
+    mbedtls_x509_crt clicert;
+
+    if( verbose != 0 )
+        mbedtls_printf( "  X.509 certificate load: " );
+
+    mbedtls_x509_crt_init( &cacert );
+    mbedtls_x509_crt_init( &clicert );
+
+    ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
+                           mbedtls_test_cli_crt_len );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt,
+                          mbedtls_test_ca_crt_len );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n  X.509 signature verify: ");
+
+    ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
+    if( ret != 0 )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "failed\n" );
+
+        goto cleanup;
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "passed\n\n");
+
+cleanup:
+    mbedtls_x509_crt_free( &cacert  );
+    mbedtls_x509_crt_free( &clicert );
+#else
+    ((void) verbose);
+#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_X509_USE_C */
diff --git a/makerom/deps/libmbedtls/src/x509_create.c b/makerom/deps/libmbedtls/src/x509_create.c
new file mode 100644
index 00000000..546e8fa1
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/x509_create.c
@@ -0,0 +1,379 @@
+/*
+ *  X.509 base functions for creating certificates / CSRs
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CREATE_C)
+
+#include "mbedtls/x509.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/oid.h"
+
+#include <string.h>
+
+/* Structure linking OIDs for X.509 DN AttributeTypes to their
+ * string representations and default string encodings used by Mbed TLS. */
+typedef struct {
+   const char *name; /* String representation of AttributeType, e.g.
+                      * "CN" or "emailAddress". */
+   size_t name_len;  /* Length of 'name', without trailing 0 byte. */
+   const char *oid;  /* String representation of OID of AttributeType,
+                      * as per RFC 5280, Appendix A.1. */
+   int default_tag;  /* The default character encoding used for the
+                      * given attribute type, e.g.
+                      * MBEDTLS_ASN1_UTF8_STRING for UTF-8. */
+} x509_attr_descriptor_t;
+
+#define ADD_STRLEN( s )     s, sizeof( s ) - 1
+
+/* X.509 DN attributes from RFC 5280, Appendix A.1. */
+static const x509_attr_descriptor_t x509_attrs[] =
+{
+    { ADD_STRLEN( "CN" ),
+      MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "commonName" ),
+      MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "C" ),
+      MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "countryName" ),
+      MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "O" ),
+      MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "organizationName" ),
+      MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "L" ),
+      MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "locality" ),
+      MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "R" ),
+      MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "OU" ),
+      MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "organizationalUnitName" ),
+      MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "ST" ),
+      MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "stateOrProvinceName" ),
+      MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "emailAddress" ),
+      MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "serialNumber" ),
+      MBEDTLS_OID_AT_SERIAL_NUMBER, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "postalAddress" ),
+      MBEDTLS_OID_AT_POSTAL_ADDRESS, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "postalCode" ),
+      MBEDTLS_OID_AT_POSTAL_CODE, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "dnQualifier" ),
+      MBEDTLS_OID_AT_DN_QUALIFIER, MBEDTLS_ASN1_PRINTABLE_STRING },
+    { ADD_STRLEN( "title" ),
+      MBEDTLS_OID_AT_TITLE, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "surName" ),
+      MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "SN" ),
+      MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "givenName" ),
+      MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "GN" ),
+      MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "initials" ),
+      MBEDTLS_OID_AT_INITIALS, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "pseudonym" ),
+      MBEDTLS_OID_AT_PSEUDONYM, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "generationQualifier" ),
+      MBEDTLS_OID_AT_GENERATION_QUALIFIER, MBEDTLS_ASN1_UTF8_STRING },
+    { ADD_STRLEN( "domainComponent" ),
+      MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
+    { ADD_STRLEN( "DC" ),
+      MBEDTLS_OID_DOMAIN_COMPONENT,   MBEDTLS_ASN1_IA5_STRING },
+    { NULL, 0, NULL, MBEDTLS_ASN1_NULL }
+};
+
+static const x509_attr_descriptor_t *x509_attr_descr_from_name( const char *name, size_t name_len )
+{
+    const x509_attr_descriptor_t *cur;
+
+    for( cur = x509_attrs; cur->name != NULL; cur++ )
+        if( cur->name_len == name_len &&
+            strncmp( cur->name, name, name_len ) == 0 )
+            break;
+
+    if ( cur->name == NULL )
+        return( NULL );
+
+    return( cur );
+}
+
+int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name )
+{
+    int ret = 0;
+    const char *s = name, *c = s;
+    const char *end = s + strlen( s );
+    const char *oid = NULL;
+    const x509_attr_descriptor_t* attr_descr = NULL;
+    int in_tag = 1;
+    char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
+    char *d = data;
+
+    /* Clear existing chain if present */
+    mbedtls_asn1_free_named_data_list( head );
+
+    while( c <= end )
+    {
+        if( in_tag && *c == '=' )
+        {
+            if( ( attr_descr = x509_attr_descr_from_name( s, c - s ) ) == NULL )
+            {
+                ret = MBEDTLS_ERR_X509_UNKNOWN_OID;
+                goto exit;
+            }
+
+            oid = attr_descr->oid;
+            s = c + 1;
+            in_tag = 0;
+            d = data;
+        }
+
+        if( !in_tag && *c == '\\' && c != end )
+        {
+            c++;
+
+            /* Check for valid escaped characters */
+            if( c == end || *c != ',' )
+            {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        }
+        else if( !in_tag && ( *c == ',' || c == end ) )
+        {
+            mbedtls_asn1_named_data* cur =
+                mbedtls_asn1_store_named_data( head, oid, strlen( oid ),
+                                               (unsigned char *) data,
+                                               d - data );
+
+            if(cur == NULL )
+            {
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+            }
+
+            // set tagType
+            cur->val.tag = attr_descr->default_tag;
+
+            while( c < end && *(c + 1) == ' ' )
+                c++;
+
+            s = c + 1;
+            in_tag = 1;
+        }
+
+        if( !in_tag && s != c + 1 )
+        {
+            *(d++) = *c;
+
+            if( d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE )
+            {
+                ret = MBEDTLS_ERR_X509_INVALID_NAME;
+                goto exit;
+            }
+        }
+
+        c++;
+    }
+
+exit:
+
+    return( ret );
+}
+
+/* The first byte of the value in the mbedtls_asn1_named_data structure is reserved
+ * to store the critical boolean for us
+ */
+int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
+                        int critical, const unsigned char *val, size_t val_len )
+{
+    mbedtls_asn1_named_data *cur;
+
+    if( ( cur = mbedtls_asn1_store_named_data( head, oid, oid_len,
+                                       NULL, val_len + 1 ) ) == NULL )
+    {
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+    }
+
+    cur->val.p[0] = critical;
+    memcpy( cur->val.p + 1, val, val_len );
+
+    return( 0 );
+}
+
+/*
+ *  RelativeDistinguishedName ::=
+ *    SET OF AttributeTypeAndValue
+ *
+ *  AttributeTypeAndValue ::= SEQUENCE {
+ *    type     AttributeType,
+ *    value    AttributeValue }
+ *
+ *  AttributeType ::= OBJECT IDENTIFIER
+ *
+ *  AttributeValue ::= ANY DEFINED BY AttributeType
+ */
+static int x509_write_name( unsigned char **p, unsigned char *start, mbedtls_asn1_named_data* cur_name)
+{
+    int ret;
+    size_t len = 0;
+    const char *oid             = (const char*)cur_name->oid.p;
+    size_t oid_len              = cur_name->oid.len;
+    const unsigned char *name   = cur_name->val.p;
+    size_t name_len             = cur_name->val.len;
+
+    // Write correct string tag and value
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tagged_string( p, start,
+                                                       cur_name->val.tag,
+                                                       (const char *) name,
+                                                       name_len ) );
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid,
+                                                       oid_len ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                                    MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
+                                                 MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SET ) );
+
+    return( (int) len );
+}
+
+int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
+                              mbedtls_asn1_named_data *first )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur = first;
+
+    while( cur != NULL )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, cur ) );
+        cur = cur->next;
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
+                    const char *oid, size_t oid_len,
+                    unsigned char *sig, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    if( *p < start || (size_t)( *p - start ) < size )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    len = size;
+    (*p) -= len;
+    memcpy( *p, sig, len );
+
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    *--(*p) = 0;
+    len += 1;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
+
+    // Write OID
+    //
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( p, start, oid,
+                                                        oid_len, 0 ) );
+
+    return( (int) len );
+}
+
+static int x509_write_extension( unsigned char **p, unsigned char *start,
+                                 mbedtls_asn1_named_data *ext )
+{
+    int ret;
+    size_t len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->val.p + 1,
+                                              ext->val.len - 1 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->val.len - 1 ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    if( ext->val.p[0] != 0 )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( p, start, 1 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->oid.p,
+                                              ext->oid.len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->oid.len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+/*
+ * Extension  ::=  SEQUENCE  {
+ *     extnID      OBJECT IDENTIFIER,
+ *     critical    BOOLEAN DEFAULT FALSE,
+ *     extnValue   OCTET STRING
+ *                 -- contains the DER encoding of an ASN.1 value
+ *                 -- corresponding to the extension type identified
+ *                 -- by extnID
+ *     }
+ */
+int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
+                           mbedtls_asn1_named_data *first )
+{
+    int ret;
+    size_t len = 0;
+    mbedtls_asn1_named_data *cur_ext = first;
+
+    while( cur_ext != NULL )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
+        cur_ext = cur_ext->next;
+    }
+
+    return( (int) len );
+}
+
+#endif /* MBEDTLS_X509_CREATE_C */
diff --git a/makerom/deps/libmbedtls/src/x509_crl.c b/makerom/deps/libmbedtls/src/x509_crl.c
new file mode 100644
index 00000000..00f8545d
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/x509_crl.c
@@ -0,0 +1,773 @@
+/*
+ *  X.509 Certidicate Revocation List (CRL) parsing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+
+#include "mbedtls/x509_crl.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0), v2(1)  }
+ */
+static int x509_crl_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL v2 extensions
+ *
+ * We currently don't parse any extension's content, but we do check that the
+ * list of extensions is well-formed and abort on critical extensions (that
+ * are unsupported as we don't support any extension so far)
+ */
+static int x509_get_crl_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_buf *ext )
+{
+    int ret;
+
+    if( *p == end )
+        return( 0 );
+
+    /*
+     * crlExtensions           [0]  EXPLICIT Extensions OPTIONAL
+     *                              -- if present, version MUST be v2
+     */
+    if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
+        return( ret );
+
+    end = ext->p + ext->len;
+
+    while( *p < end )
+    {
+        /*
+         * Extension  ::=  SEQUENCE  {
+         *      extnID      OBJECT IDENTIFIER,
+         *      critical    BOOLEAN DEFAULT FALSE,
+         *      extnValue   OCTET STRING  }
+         */
+        int is_critical = 0;
+        const unsigned char *end_ext_data;
+        size_t len;
+
+        /* Get enclosing sequence tag */
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_data = *p + len;
+
+        /* Get OID (currently ignored) */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                                          MBEDTLS_ASN1_OID ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+        }
+        *p += len;
+
+        /* Get optional critical */
+        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
+                                           &is_critical ) ) != 0 &&
+            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+        }
+
+        /* Data should be octet string type */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        /* Ignore data so far and just check its length */
+        *p += len;
+        if( *p != end_ext_data )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        /* Abort on (unsupported) critical extensions */
+        if( is_critical )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL v2 entry extensions (no extensions parsed yet.)
+ */
+static int x509_get_crl_entry_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_buf *ext )
+{
+    int ret;
+    size_t len = 0;
+
+    /* OPTIONAL */
+    if( end <= *p )
+        return( 0 );
+
+    ext->tag = **p;
+    ext->p = *p;
+
+    /*
+     * Get CRL-entry extension sequence header
+     * crlEntryExtensions      Extensions OPTIONAL  -- if present, MUST be v2
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            ext->p = NULL;
+            return( 0 );
+        }
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+    }
+
+    end = *p + ext->len;
+
+    if( end != *p + ext->len )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        *p += len;
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 CRL Entries
+ */
+static int x509_get_entries( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_crl_entry *entry )
+{
+    int ret;
+    size_t entry_len;
+    mbedtls_x509_crl_entry *cur_entry = entry;
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
+            MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( 0 );
+
+        return( ret );
+    }
+
+    end = *p + entry_len;
+
+    while( *p < end )
+    {
+        size_t len2;
+        const unsigned char *end2;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
+                MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
+        {
+            return( ret );
+        }
+
+        cur_entry->raw.tag = **p;
+        cur_entry->raw.p = *p;
+        cur_entry->raw.len = len2;
+        end2 = *p + len2;
+
+        if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
+            return( ret );
+
+        if( ( ret = mbedtls_x509_get_time( p, end2,
+                                   &cur_entry->revocation_date ) ) != 0 )
+            return( ret );
+
+        if( ( ret = x509_get_crl_entry_ext( p, end2,
+                                            &cur_entry->entry_ext ) ) != 0 )
+            return( ret );
+
+        if( *p < end )
+        {
+            cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
+
+            if( cur_entry->next == NULL )
+                return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+            cur_entry = cur_entry->next;
+        }
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one  CRLs in DER format and append it to the chained list
+ */
+int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
+                        const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p = NULL, *end = NULL;
+    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+    mbedtls_x509_crl *crl = chain;
+
+    /*
+     * Check for valid input
+     */
+    if( crl == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Add new CRL on the end of the chain if needed.
+     */
+    while( crl->version != 0 && crl->next != NULL )
+        crl = crl->next;
+
+    if( crl->version != 0 && crl->next == NULL )
+    {
+        crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
+
+        if( crl->next == NULL )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+        }
+
+        mbedtls_x509_crl_init( crl->next );
+        crl = crl->next;
+    }
+
+    /*
+     * Copy raw DER-encoded CRL
+     */
+    if( buflen == 0 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    p = mbedtls_calloc( 1, buflen );
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, buflen );
+
+    crl->raw.p = p;
+    crl->raw.len = buflen;
+
+    end = p + buflen;
+
+    /*
+     * CertificateList  ::=  SEQUENCE  {
+     *      tbsCertList          TBSCertList,
+     *      signatureAlgorithm   AlgorithmIdentifier,
+     *      signatureValue       BIT STRING  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len != (size_t) ( end - p ) )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    /*
+     * TBSCertList  ::=  SEQUENCE  {
+     */
+    crl->tbs.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    crl->tbs.len = end - crl->tbs.p;
+
+    /*
+     * Version  ::=  INTEGER  OPTIONAL {  v1(0), v2(1)  }
+     *               -- if present, MUST be v2
+     *
+     * signature            AlgorithmIdentifier
+     */
+    if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
+        ( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( crl->version < 0 || crl->version > 1 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    crl->version++;
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
+                                  &crl->sig_md, &crl->sig_pk,
+                                  &crl->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
+    }
+
+    /*
+     * issuer               Name
+     */
+    crl->issuer_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    crl->issuer_raw.len = p - crl->issuer_raw.p;
+
+    /*
+     * thisUpdate          Time
+     * nextUpdate          Time OPTIONAL
+     */
+    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
+    {
+        if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
+                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
+            ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
+                        MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( ret );
+        }
+    }
+
+    /*
+     * revokedCertificates    SEQUENCE OF SEQUENCE   {
+     *      userCertificate        CertificateSerialNumber,
+     *      revocationDate         Time,
+     *      crlEntryExtensions     Extensions OPTIONAL
+     *                                   -- if present, MUST be v2
+     *                        } OPTIONAL
+     */
+    if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    /*
+     * crlExtensions          EXPLICIT Extensions OPTIONAL
+     *                              -- if present, MUST be v2
+     */
+    if( crl->version == 2 )
+    {
+        ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
+
+        if( ret != 0 )
+        {
+            mbedtls_x509_crl_free( crl );
+            return( ret );
+        }
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    end = crl->raw.p + crl->raw.len;
+
+    /*
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signatureValue       BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( crl->sig_oid.len != sig_oid2.len ||
+        memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
+        sig_params1.len != sig_params2.len ||
+        ( sig_params1.len != 0 &&
+          memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_SIG_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crl_free( crl );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int ret;
+    size_t use_len;
+    mbedtls_pem_context pem;
+    int is_pem = 0;
+
+    if( chain == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    do
+    {
+        mbedtls_pem_init( &pem );
+
+        // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
+        // string
+        if( buflen == 0 || buf[buflen - 1] != '\0' )
+            ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+        else
+            ret = mbedtls_pem_read_buffer( &pem,
+                                           "-----BEGIN X509 CRL-----",
+                                           "-----END X509 CRL-----",
+                                            buf, NULL, 0, &use_len );
+
+        if( ret == 0 )
+        {
+            /*
+             * Was PEM encoded
+             */
+            is_pem = 1;
+
+            buflen -= use_len;
+            buf += use_len;
+
+            if( ( ret = mbedtls_x509_crl_parse_der( chain,
+                                            pem.buf, pem.buflen ) ) != 0 )
+            {
+                mbedtls_pem_free( &pem );
+                return( ret );
+            }
+        }
+        else if( is_pem )
+        {
+            mbedtls_pem_free( &pem );
+            return( ret );
+        }
+
+        mbedtls_pem_free( &pem );
+    }
+    /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
+     * And a valid CRL cannot be less than 1 byte anyway. */
+    while( is_pem && buflen > 1 );
+
+    if( is_pem )
+        return( 0 );
+    else
+#endif /* MBEDTLS_PEM_PARSE_C */
+        return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more CRLs and add them to the chained list
+ */
+int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_crl_parse( chain, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON    14
+#define BC              "14"
+/*
+ * Return an informational string about the CRL.
+ */
+int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crl *crl )
+{
+    int ret;
+    size_t n;
+    char *p;
+    const mbedtls_x509_crl_entry *entry;
+
+    p = buf;
+    n = size;
+
+    ret = mbedtls_snprintf( p, n, "%sCRL version   : %d",
+                               prefix, crl->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissuer name   : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sthis update   : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crl->this_update.year, crl->this_update.mon,
+                   crl->this_update.day,  crl->this_update.hour,
+                   crl->this_update.min,  crl->this_update.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%snext update   : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crl->next_update.year, crl->next_update.mon,
+                   crl->next_update.day,  crl->next_update.hour,
+                   crl->next_update.min,  crl->next_update.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    entry = &crl->entry;
+
+    ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
+                               prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    while( entry != NULL && entry->raw.len != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
+                               prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        ret = mbedtls_snprintf( p, n, " revocation date: " \
+                   "%04d-%02d-%02d %02d:%02d:%02d",
+                   entry->revocation_date.year, entry->revocation_date.mon,
+                   entry->revocation_date.day,  entry->revocation_date.hour,
+                   entry->revocation_date.min,  entry->revocation_date.sec );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        entry = entry->next;
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
+                             crl->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n" );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Initialize a CRL chain
+ */
+void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
+{
+    memset( crl, 0, sizeof(mbedtls_x509_crl) );
+}
+
+/*
+ * Unallocate all CRL data
+ */
+void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
+{
+    mbedtls_x509_crl *crl_cur = crl;
+    mbedtls_x509_crl *crl_prv;
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+    mbedtls_x509_crl_entry *entry_cur;
+    mbedtls_x509_crl_entry *entry_prv;
+
+    if( crl == NULL )
+        return;
+
+    do
+    {
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+        mbedtls_free( crl_cur->sig_opts );
+#endif
+
+        name_cur = crl_cur->issuer.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        entry_cur = crl_cur->entry.next;
+        while( entry_cur != NULL )
+        {
+            entry_prv = entry_cur;
+            entry_cur = entry_cur->next;
+            mbedtls_platform_zeroize( entry_prv,
+                                      sizeof( mbedtls_x509_crl_entry ) );
+            mbedtls_free( entry_prv );
+        }
+
+        if( crl_cur->raw.p != NULL )
+        {
+            mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
+            mbedtls_free( crl_cur->raw.p );
+        }
+
+        crl_cur = crl_cur->next;
+    }
+    while( crl_cur != NULL );
+
+    crl_cur = crl;
+    do
+    {
+        crl_prv = crl_cur;
+        crl_cur = crl_cur->next;
+
+        mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
+        if( crl_prv != crl )
+            mbedtls_free( crl_prv );
+    }
+    while( crl_cur != NULL );
+}
+
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
diff --git a/makerom/deps/libmbedtls/src/x509_crt.c b/makerom/deps/libmbedtls/src/x509_crt.c
new file mode 100644
index 00000000..9c2e3654
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/x509_crt.c
@@ -0,0 +1,2730 @@
+/*
+ *  X.509 certificate parsing and verification
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ *
+ *  [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#include <stdlib.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(MBEDTLS_THREADING_C)
+#include "mbedtls/threading.h"
+#endif
+
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+#include <windows.h>
+#else
+#include <time.h>
+#endif
+
+#if defined(MBEDTLS_FS_IO)
+#include <stdio.h>
+#if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <dirent.h>
+#endif /* !_WIN32 || EFIX64 || EFI32 */
+#endif
+
+/*
+ * Item in a verification chain: cert and flags for it
+ */
+typedef struct {
+    mbedtls_x509_crt *crt;
+    uint32_t flags;
+} x509_crt_verify_chain_item;
+
+/*
+ * Max size of verification chain: end-entity + intermediates + trusted root
+ */
+#define X509_MAX_VERIFY_CHAIN_SIZE    ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
+
+/*
+ * Default profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
+{
+#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
+    /* Allow SHA-1 (weak, but still safe in controlled environments) */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
+#endif
+    /* Only SHA-2 hashes */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    0xFFFFFFF, /* Any PK alg    */
+    0xFFFFFFF, /* Any curve     */
+    2048,
+};
+
+/*
+ * Next-default profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
+{
+    /* Hashes from SHA-256 and above */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+    0xFFFFFFF, /* Any PK alg    */
+#if defined(MBEDTLS_ECP_C)
+    /* Curves at or above 128-bit security level */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP521R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP384R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_BP512R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256K1 ),
+#else
+    0,
+#endif
+    2048,
+};
+
+/*
+ * NSA Suite B Profile
+ */
+const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
+{
+    /* Only SHA-256 and 384 */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ),
+    /* Only ECDSA */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECDSA ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_PK_ECKEY ),
+#if defined(MBEDTLS_ECP_C)
+    /* Only NIST P-256 and P-384 */
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP256R1 ) |
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_ECP_DP_SECP384R1 ),
+#else
+    0,
+#endif
+    0,
+};
+
+/*
+ * Check md_alg against profile
+ * Return 0 if md_alg is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
+                                      mbedtls_md_type_t md_alg )
+{
+    if( md_alg == MBEDTLS_MD_NONE )
+        return( -1 );
+
+    if( ( profile->allowed_mds & MBEDTLS_X509_ID_FLAG( md_alg ) ) != 0 )
+        return( 0 );
+
+    return( -1 );
+}
+
+/*
+ * Check pk_alg against profile
+ * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
+                                      mbedtls_pk_type_t pk_alg )
+{
+    if( pk_alg == MBEDTLS_PK_NONE )
+        return( -1 );
+
+    if( ( profile->allowed_pks & MBEDTLS_X509_ID_FLAG( pk_alg ) ) != 0 )
+        return( 0 );
+
+    return( -1 );
+}
+
+/*
+ * Check key against profile
+ * Return 0 if pk is acceptable for this profile, -1 otherwise
+ */
+static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
+                                   const mbedtls_pk_context *pk )
+{
+    const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type( pk );
+
+#if defined(MBEDTLS_RSA_C)
+    if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
+    {
+        if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
+            return( 0 );
+
+        return( -1 );
+    }
+#endif
+
+#if defined(MBEDTLS_ECP_C)
+    if( pk_alg == MBEDTLS_PK_ECDSA ||
+        pk_alg == MBEDTLS_PK_ECKEY ||
+        pk_alg == MBEDTLS_PK_ECKEY_DH )
+    {
+        const mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
+
+        if( gid == MBEDTLS_ECP_DP_NONE )
+            return( -1 );
+
+        if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
+            return( 0 );
+
+        return( -1 );
+    }
+#endif
+
+    return( -1 );
+}
+
+/*
+ * Like memcmp, but case-insensitive and always returns -1 if different
+ */
+static int x509_memcasecmp( const void *s1, const void *s2, size_t len )
+{
+    size_t i;
+    unsigned char diff;
+    const unsigned char *n1 = s1, *n2 = s2;
+
+    for( i = 0; i < len; i++ )
+    {
+        diff = n1[i] ^ n2[i];
+
+        if( diff == 0 )
+            continue;
+
+        if( diff == 32 &&
+            ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
+              ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
+        {
+            continue;
+        }
+
+        return( -1 );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Return 0 if name matches wildcard, -1 otherwise
+ */
+static int x509_check_wildcard( const char *cn, const mbedtls_x509_buf *name )
+{
+    size_t i;
+    size_t cn_idx = 0, cn_len = strlen( cn );
+
+    /* We can't have a match if there is no wildcard to match */
+    if( name->len < 3 || name->p[0] != '*' || name->p[1] != '.' )
+        return( -1 );
+
+    for( i = 0; i < cn_len; ++i )
+    {
+        if( cn[i] == '.' )
+        {
+            cn_idx = i;
+            break;
+        }
+    }
+
+    if( cn_idx == 0 )
+        return( -1 );
+
+    if( cn_len - cn_idx == name->len - 1 &&
+        x509_memcasecmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 strings, case-insensitive, and allowing for some encoding
+ * variations (but not all).
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b )
+{
+    if( a->tag == b->tag &&
+        a->len == b->len &&
+        memcmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    if( ( a->tag == MBEDTLS_ASN1_UTF8_STRING || a->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        ( b->tag == MBEDTLS_ASN1_UTF8_STRING || b->tag == MBEDTLS_ASN1_PRINTABLE_STRING ) &&
+        a->len == b->len &&
+        x509_memcasecmp( a->p, b->p, b->len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Compare two X.509 Names (aka rdnSequence).
+ *
+ * See RFC 5280 section 7.1, though we don't implement the whole algorithm:
+ * we sometimes return unequal when the full algorithm would return equal,
+ * but never the other way. (In particular, we don't do Unicode normalisation
+ * or space folding.)
+ *
+ * Return 0 if equal, -1 otherwise.
+ */
+static int x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *b )
+{
+    /* Avoid recursion, it might not be optimised by the compiler */
+    while( a != NULL || b != NULL )
+    {
+        if( a == NULL || b == NULL )
+            return( -1 );
+
+        /* type */
+        if( a->oid.tag != b->oid.tag ||
+            a->oid.len != b->oid.len ||
+            memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
+        {
+            return( -1 );
+        }
+
+        /* value */
+        if( x509_string_cmp( &a->val, &b->val ) != 0 )
+            return( -1 );
+
+        /* structure of the list of sets */
+        if( a->next_merged != b->next_merged )
+            return( -1 );
+
+        a = a->next;
+        b = b->next;
+    }
+
+    /* a == NULL == b */
+    return( 0 );
+}
+
+/*
+ * Reset (init or clear) a verify_chain
+ */
+static void x509_crt_verify_chain_reset(
+    mbedtls_x509_crt_verify_chain *ver_chain )
+{
+    size_t i;
+
+    for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ )
+    {
+        ver_chain->items[i].crt = NULL;
+        ver_chain->items[i].flags = (uint32_t) -1;
+    }
+
+    ver_chain->len = 0;
+}
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ */
+static int x509_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_VERSION +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ *  Validity ::= SEQUENCE {
+ *       notBefore      Time,
+ *       notAfter       Time }
+ */
+static int x509_get_dates( unsigned char **p,
+                           const unsigned char *end,
+                           mbedtls_x509_time *from,
+                           mbedtls_x509_time *to )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    end = *p + len;
+
+    if( ( ret = mbedtls_x509_get_time( p, end, from ) ) != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_x509_get_time( p, end, to ) ) != 0 )
+        return( ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 v2/v3 unique identifier (not parsed)
+ */
+static int x509_get_uid( unsigned char **p,
+                         const unsigned char *end,
+                         mbedtls_x509_buf *uid, int n )
+{
+    int ret;
+
+    if( *p == end )
+        return( 0 );
+
+    uid->tag = **p;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &uid->len,
+            MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | n ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            return( 0 );
+
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    uid->p = *p;
+    *p += uid->len;
+
+    return( 0 );
+}
+
+static int x509_get_basic_constraints( unsigned char **p,
+                                       const unsigned char *end,
+                                       int *ca_istrue,
+                                       int *max_pathlen )
+{
+    int ret;
+    size_t len;
+
+    /*
+     * BasicConstraints ::= SEQUENCE {
+     *      cA                      BOOLEAN DEFAULT FALSE,
+     *      pathLenConstraint       INTEGER (0..MAX) OPTIONAL }
+     */
+    *ca_istrue = 0; /* DEFAULT FALSE */
+    *max_pathlen = 0; /* endless */
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_bool( p, end, ca_istrue ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+            ret = mbedtls_asn1_get_int( p, end, ca_istrue );
+
+        if( ret != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        if( *ca_istrue != 0 )
+            *ca_istrue = 1;
+    }
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    (*max_pathlen)++;
+
+    return( 0 );
+}
+
+static int x509_get_ns_cert_type( unsigned char **p,
+                                       const unsigned char *end,
+                                       unsigned char *ns_cert_type)
+{
+    int ret;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( bs.len != 1 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    /* Get actual bitstring */
+    *ns_cert_type = *bs.p;
+    return( 0 );
+}
+
+static int x509_get_key_usage( unsigned char **p,
+                               const unsigned char *end,
+                               unsigned int *key_usage)
+{
+    int ret;
+    size_t i;
+    mbedtls_x509_bitstring bs = { 0, 0, NULL };
+
+    if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( bs.len < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    /* Get actual bitstring */
+    *key_usage = 0;
+    for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ )
+    {
+        *key_usage |= (unsigned int) bs.p[i] << (8*i);
+    }
+
+    return( 0 );
+}
+
+/*
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ */
+static int x509_get_ext_key_usage( unsigned char **p,
+                               const unsigned char *end,
+                               mbedtls_x509_sequence *ext_key_usage)
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    /* Sequence length must be >= 1 */
+    if( ext_key_usage->buf.p == NULL )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+
+    return( 0 );
+}
+
+/*
+ * SubjectAltName ::= GeneralNames
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ *      otherName                       [0]     OtherName,
+ *      rfc822Name                      [1]     IA5String,
+ *      dNSName                         [2]     IA5String,
+ *      x400Address                     [3]     ORAddress,
+ *      directoryName                   [4]     Name,
+ *      ediPartyName                    [5]     EDIPartyName,
+ *      uniformResourceIdentifier       [6]     IA5String,
+ *      iPAddress                       [7]     OCTET STRING,
+ *      registeredID                    [8]     OBJECT IDENTIFIER }
+ *
+ * OtherName ::= SEQUENCE {
+ *      type-id    OBJECT IDENTIFIER,
+ *      value      [0] EXPLICIT ANY DEFINED BY type-id }
+ *
+ * EDIPartyName ::= SEQUENCE {
+ *      nameAssigner            [0]     DirectoryString OPTIONAL,
+ *      partyName               [1]     DirectoryString }
+ *
+ * NOTE: we only parse and use dNSName at this point.
+ */
+static int x509_get_subject_alt_name( unsigned char **p,
+                                      const unsigned char *end,
+                                      mbedtls_x509_sequence *subject_alt_name )
+{
+    int ret;
+    size_t len, tag_len;
+    mbedtls_asn1_buf *buf;
+    unsigned char tag;
+    mbedtls_asn1_sequence *cur = subject_alt_name;
+
+    /* Get main sequence tag */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+    if( *p + len != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    while( *p < end )
+    {
+        if( ( end - *p ) < 1 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+        tag = **p;
+        (*p)++;
+        if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
+                MBEDTLS_ASN1_CONTEXT_SPECIFIC )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+        }
+
+        /* Skip everything but DNS name */
+        if( tag != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2 ) )
+        {
+            *p += tag_len;
+            continue;
+        }
+
+        /* Allocate and assign next pointer */
+        if( cur->buf.p != NULL )
+        {
+            if( cur->next != NULL )
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
+
+            cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
+
+            if( cur->next == NULL )
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+
+            cur = cur->next;
+        }
+
+        buf = &(cur->buf);
+        buf->tag = tag;
+        buf->p = *p;
+        buf->len = tag_len;
+        *p += buf->len;
+    }
+
+    /* Set final sequence entry's next pointer to NULL */
+    cur->next = NULL;
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * X.509 v3 extensions
+ *
+ */
+static int x509_get_crt_ext( unsigned char **p,
+                             const unsigned char *end,
+                             mbedtls_x509_crt *crt )
+{
+    int ret;
+    size_t len;
+    unsigned char *end_ext_data, *end_ext_octet;
+
+    if( *p == end )
+        return( 0 );
+
+    if( ( ret = mbedtls_x509_get_ext( p, end, &crt->v3_ext, 3 ) ) != 0 )
+        return( ret );
+
+    end = crt->v3_ext.p + crt->v3_ext.len;
+    while( *p < end )
+    {
+        /*
+         * Extension  ::=  SEQUENCE  {
+         *      extnID      OBJECT IDENTIFIER,
+         *      critical    BOOLEAN DEFAULT FALSE,
+         *      extnValue   OCTET STRING  }
+         */
+        mbedtls_x509_buf extn_oid = {0, 0, NULL};
+        int is_critical = 0; /* DEFAULT FALSE */
+        int ext_type = 0;
+
+        if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_data = *p + len;
+
+        /* Get extension ID */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len,
+                                          MBEDTLS_ASN1_OID ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        extn_oid.tag = MBEDTLS_ASN1_OID;
+        extn_oid.p = *p;
+        *p += extn_oid.len;
+
+        /* Get optional critical */
+        if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
+            ( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        /* Data should be octet string type */
+        if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
+                MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+
+        end_ext_octet = *p + len;
+
+        if( end_ext_octet != end_ext_data )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                    MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+        /*
+         * Detect supported extensions
+         */
+        ret = mbedtls_oid_get_x509_ext_type( &extn_oid, &ext_type );
+
+        if( ret != 0 )
+        {
+            /* No parser found, skip extension */
+            *p = end_ext_octet;
+
+#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
+            if( is_critical )
+            {
+                /* Data is marked as critical: fail */
+                return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                        MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+            }
+#endif
+            continue;
+        }
+
+        /* Forbid repeated extensions */
+        if( ( crt->ext_types & ext_type ) != 0 )
+            return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS );
+
+        crt->ext_types |= ext_type;
+
+        switch( ext_type )
+        {
+        case MBEDTLS_X509_EXT_BASIC_CONSTRAINTS:
+            /* Parse basic constraints */
+            if( ( ret = x509_get_basic_constraints( p, end_ext_octet,
+                    &crt->ca_istrue, &crt->max_pathlen ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_KEY_USAGE:
+            /* Parse key usage */
+            if( ( ret = x509_get_key_usage( p, end_ext_octet,
+                    &crt->key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
+            /* Parse extended key usage */
+            if( ( ret = x509_get_ext_key_usage( p, end_ext_octet,
+                    &crt->ext_key_usage ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
+            /* Parse subject alt name */
+            if( ( ret = x509_get_subject_alt_name( p, end_ext_octet,
+                    &crt->subject_alt_names ) ) != 0 )
+                return( ret );
+            break;
+
+        case MBEDTLS_X509_EXT_NS_CERT_TYPE:
+            /* Parse netscape certificate type */
+            if( ( ret = x509_get_ns_cert_type( p, end_ext_octet,
+                    &crt->ns_cert_type ) ) != 0 )
+                return( ret );
+            break;
+
+        default:
+            return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+        }
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( 0 );
+}
+
+/*
+ * Parse and fill a single X.509 certificate in DER format
+ */
+static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, const unsigned char *buf,
+                                    size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end, *crt_end;
+    mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
+
+    memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
+    memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Check for valid input
+     */
+    if( crt == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    // Use the original buffer until we figure out actual length
+    p = (unsigned char*) buf;
+    len = buflen;
+    end = p + len;
+
+    /*
+     * Certificate  ::=  SEQUENCE  {
+     *      tbsCertificate       TBSCertificate,
+     *      signatureAlgorithm   AlgorithmIdentifier,
+     *      signatureValue       BIT STRING  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len > (size_t) ( end - p ) )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+    crt_end = p + len;
+
+    // Create and populate a new buffer for the raw field
+    crt->raw.len = crt_end - buf;
+    crt->raw.p = p = mbedtls_calloc( 1, crt->raw.len );
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, crt->raw.len );
+
+    // Direct pointers to the new buffer
+    p += crt->raw.len - len;
+    end = crt_end = p + len;
+
+    /*
+     * TBSCertificate  ::=  SEQUENCE  {
+     */
+    crt->tbs.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    crt->tbs.len = end - crt->tbs.p;
+
+    /*
+     * Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     *
+     * CertificateSerialNumber  ::=  INTEGER
+     *
+     * signature            AlgorithmIdentifier
+     */
+    if( ( ret = x509_get_version(  &p, end, &crt->version  ) ) != 0 ||
+        ( ret = mbedtls_x509_get_serial(   &p, end, &crt->serial   ) ) != 0 ||
+        ( ret = mbedtls_x509_get_alg(      &p, end, &crt->sig_oid,
+                                            &sig_params1 ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( crt->version < 0 || crt->version > 2 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    crt->version++;
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &crt->sig_oid, &sig_params1,
+                                  &crt->sig_md, &crt->sig_pk,
+                                  &crt->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     * issuer               Name
+     */
+    crt->issuer_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    crt->issuer_raw.len = p - crt->issuer_raw.p;
+
+    /*
+     * Validity ::= SEQUENCE {
+     *      notBefore      Time,
+     *      notAfter       Time }
+     *
+     */
+    if( ( ret = x509_get_dates( &p, end, &crt->valid_from,
+                                         &crt->valid_to ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     * subject              Name
+     */
+    crt->subject_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    crt->subject_raw.len = p - crt->subject_raw.p;
+
+    /*
+     * SubjectPublicKeyInfo
+     */
+    if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &crt->pk ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    /*
+     *  issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
+     *                       -- If present, version shall be v2 or v3
+     *  extensions      [3]  EXPLICIT Extensions OPTIONAL
+     *                       -- If present, version shall be v3
+     */
+    if( crt->version == 2 || crt->version == 3 )
+    {
+        ret = x509_get_uid( &p, end, &crt->issuer_id,  1 );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+    if( crt->version == 2 || crt->version == 3 )
+    {
+        ret = x509_get_uid( &p, end, &crt->subject_id,  2 );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+#if !defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
+    if( crt->version == 3 )
+#endif
+    {
+        ret = x509_get_crt_ext( &p, end, crt );
+        if( ret != 0 )
+        {
+            mbedtls_x509_crt_free( crt );
+            return( ret );
+        }
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    end = crt_end;
+
+    /*
+     *  }
+     *  -- end of TBSCertificate
+     *
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signatureValue       BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( crt->sig_oid.len != sig_oid2.len ||
+        memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
+        sig_params1.len != sig_params2.len ||
+        ( sig_params1.len != 0 &&
+          memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_SIG_MISMATCH );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &crt->sig ) ) != 0 )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_crt_free( crt );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one X.509 certificate in DER format from a buffer and add them to a
+ * chained list
+ */
+int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *buf,
+                        size_t buflen )
+{
+    int ret;
+    mbedtls_x509_crt *crt = chain, *prev = NULL;
+
+    /*
+     * Check for valid input
+     */
+    if( crt == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    while( crt->version != 0 && crt->next != NULL )
+    {
+        prev = crt;
+        crt = crt->next;
+    }
+
+    /*
+     * Add new certificate on the end of the chain if needed.
+     */
+    if( crt->version != 0 && crt->next == NULL )
+    {
+        crt->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
+
+        if( crt->next == NULL )
+            return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+        prev = crt;
+        mbedtls_x509_crt_init( crt->next );
+        crt = crt->next;
+    }
+
+    if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
+    {
+        if( prev )
+            prev->next = NULL;
+
+        if( crt != chain )
+            mbedtls_free( crt );
+
+        return( ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse one or more PEM certificates from a buffer and add them to the chained
+ * list
+ */
+int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int success = 0, first_error = 0, total_failed = 0;
+    int buf_format = MBEDTLS_X509_FORMAT_DER;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if( chain == NULL || buf == NULL )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    /*
+     * Determine buffer content. Buffer contains either one DER certificate or
+     * one or more PEM certificates.
+     */
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if( buflen != 0 && buf[buflen - 1] == '\0' &&
+        strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL )
+    {
+        buf_format = MBEDTLS_X509_FORMAT_PEM;
+    }
+
+    if( buf_format == MBEDTLS_X509_FORMAT_DER )
+        return mbedtls_x509_crt_parse_der( chain, buf, buflen );
+#else
+    return mbedtls_x509_crt_parse_der( chain, buf, buflen );
+#endif
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    if( buf_format == MBEDTLS_X509_FORMAT_PEM )
+    {
+        int ret;
+        mbedtls_pem_context pem;
+
+        /* 1 rather than 0 since the terminating NULL byte is counted in */
+        while( buflen > 1 )
+        {
+            size_t use_len;
+            mbedtls_pem_init( &pem );
+
+            /* If we get there, we know the string is null-terminated */
+            ret = mbedtls_pem_read_buffer( &pem,
+                           "-----BEGIN CERTIFICATE-----",
+                           "-----END CERTIFICATE-----",
+                           buf, NULL, 0, &use_len );
+
+            if( ret == 0 )
+            {
+                /*
+                 * Was PEM encoded
+                 */
+                buflen -= use_len;
+                buf += use_len;
+            }
+            else if( ret == MBEDTLS_ERR_PEM_BAD_INPUT_DATA )
+            {
+                return( ret );
+            }
+            else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+            {
+                mbedtls_pem_free( &pem );
+
+                /*
+                 * PEM header and footer were found
+                 */
+                buflen -= use_len;
+                buf += use_len;
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            }
+            else
+                break;
+
+            ret = mbedtls_x509_crt_parse_der( chain, pem.buf, pem.buflen );
+
+            mbedtls_pem_free( &pem );
+
+            if( ret != 0 )
+            {
+                /*
+                 * Quit parsing on a memory error
+                 */
+                if( ret == MBEDTLS_ERR_X509_ALLOC_FAILED )
+                    return( ret );
+
+                if( first_error == 0 )
+                    first_error = ret;
+
+                total_failed++;
+                continue;
+            }
+
+            success = 1;
+        }
+    }
+
+    if( success )
+        return( total_failed );
+    else if( first_error )
+        return( first_error );
+    else
+        return( MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT );
+#endif /* MBEDTLS_PEM_PARSE_C */
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load one or more certificates and add them to the chained list
+ */
+int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_crt_parse( chain, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+
+int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
+{
+    int ret = 0;
+#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
+    int w_ret;
+    WCHAR szDir[MAX_PATH];
+    char filename[MAX_PATH];
+    char *p;
+    size_t len = strlen( path );
+
+    WIN32_FIND_DATAW file_data;
+    HANDLE hFind;
+
+    if( len > MAX_PATH - 3 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    memset( szDir, 0, sizeof(szDir) );
+    memset( filename, 0, MAX_PATH );
+    memcpy( filename, path, len );
+    filename[len++] = '\\';
+    p = filename + len;
+    filename[len++] = '*';
+
+    w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir,
+                                 MAX_PATH - 3 );
+    if( w_ret == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    hFind = FindFirstFileW( szDir, &file_data );
+    if( hFind == INVALID_HANDLE_VALUE )
+        return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
+    len = MAX_PATH - len;
+    do
+    {
+        memset( p, 0, len );
+
+        if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
+            continue;
+
+        w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
+                                     lstrlenW( file_data.cFileName ),
+                                     p, (int) len - 1,
+                                     NULL, NULL );
+        if( w_ret == 0 )
+        {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        w_ret = mbedtls_x509_crt_parse_file( chain, filename );
+        if( w_ret < 0 )
+            ret++;
+        else
+            ret += w_ret;
+    }
+    while( FindNextFileW( hFind, &file_data ) != 0 );
+
+    if( GetLastError() != ERROR_NO_MORE_FILES )
+        ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+
+cleanup:
+    FindClose( hFind );
+#else /* _WIN32 */
+    int t_ret;
+    int snp_ret;
+    struct stat sb;
+    struct dirent *entry;
+    char entry_name[MBEDTLS_X509_MAX_FILE_PATH_LEN];
+    DIR *dir = opendir( path );
+
+    if( dir == NULL )
+        return( MBEDTLS_ERR_X509_FILE_IO_ERROR );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( ( ret = mbedtls_mutex_lock( &mbedtls_threading_readdir_mutex ) ) != 0 )
+    {
+        closedir( dir );
+        return( ret );
+    }
+#endif /* MBEDTLS_THREADING_C */
+
+    while( ( entry = readdir( dir ) ) != NULL )
+    {
+        snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name,
+                                    "%s/%s", path, entry->d_name );
+
+        if( snp_ret < 0 || (size_t)snp_ret >= sizeof entry_name )
+        {
+            ret = MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+            goto cleanup;
+        }
+        else if( stat( entry_name, &sb ) == -1 )
+        {
+            ret = MBEDTLS_ERR_X509_FILE_IO_ERROR;
+            goto cleanup;
+        }
+
+        if( !S_ISREG( sb.st_mode ) )
+            continue;
+
+        // Ignore parse errors
+        //
+        t_ret = mbedtls_x509_crt_parse_file( chain, entry_name );
+        if( t_ret < 0 )
+            ret++;
+        else
+            ret += t_ret;
+    }
+
+cleanup:
+    closedir( dir );
+
+#if defined(MBEDTLS_THREADING_C)
+    if( mbedtls_mutex_unlock( &mbedtls_threading_readdir_mutex ) != 0 )
+        ret = MBEDTLS_ERR_THREADING_MUTEX_ERROR;
+#endif /* MBEDTLS_THREADING_C */
+
+#endif /* _WIN32 */
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+static int x509_info_subject_alt_name( char **buf, size_t *size,
+                                       const mbedtls_x509_sequence *subject_alt_name )
+{
+    size_t i;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = subject_alt_name;
+    const char *sep = "";
+    size_t sep_len = 0;
+
+    while( cur != NULL )
+    {
+        if( cur->buf.len + sep_len >= n )
+        {
+            *p = '\0';
+            return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
+        }
+
+        n -= cur->buf.len + sep_len;
+        for( i = 0; i < sep_len; i++ )
+            *p++ = sep[i];
+        for( i = 0; i < cur->buf.len; i++ )
+            *p++ = cur->buf.p[i];
+
+        sep = ", ";
+        sep_len = 2;
+
+        cur = cur->next;
+    }
+
+    *p = '\0';
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+#define PRINT_ITEM(i)                           \
+    {                                           \
+        ret = mbedtls_snprintf( p, n, "%s" i, sep );    \
+        MBEDTLS_X509_SAFE_SNPRINTF;                        \
+        sep = ", ";                             \
+    }
+
+#define CERT_TYPE(type,name)                    \
+    if( ns_cert_type & (type) )                 \
+        PRINT_ITEM( name );
+
+static int x509_info_cert_type( char **buf, size_t *size,
+                                unsigned char ns_cert_type )
+{
+    int ret;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT,         "SSL Client" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER,         "SSL Server" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL,              "Email" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING,     "Object Signing" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_RESERVED,           "Reserved" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_SSL_CA,             "SSL CA" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA,           "Email CA" );
+    CERT_TYPE( MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA,  "Object Signing CA" );
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+#define KEY_USAGE(code,name)    \
+    if( key_usage & (code) )    \
+        PRINT_ITEM( name );
+
+static int x509_info_key_usage( char **buf, size_t *size,
+                                unsigned int key_usage )
+{
+    int ret;
+    size_t n = *size;
+    char *p = *buf;
+    const char *sep = "";
+
+    KEY_USAGE( MBEDTLS_X509_KU_DIGITAL_SIGNATURE,    "Digital Signature" );
+    KEY_USAGE( MBEDTLS_X509_KU_NON_REPUDIATION,      "Non Repudiation" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_ENCIPHERMENT,     "Key Encipherment" );
+    KEY_USAGE( MBEDTLS_X509_KU_DATA_ENCIPHERMENT,    "Data Encipherment" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_AGREEMENT,        "Key Agreement" );
+    KEY_USAGE( MBEDTLS_X509_KU_KEY_CERT_SIGN,        "Key Cert Sign" );
+    KEY_USAGE( MBEDTLS_X509_KU_CRL_SIGN,             "CRL Sign" );
+    KEY_USAGE( MBEDTLS_X509_KU_ENCIPHER_ONLY,        "Encipher Only" );
+    KEY_USAGE( MBEDTLS_X509_KU_DECIPHER_ONLY,        "Decipher Only" );
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+static int x509_info_ext_key_usage( char **buf, size_t *size,
+                                    const mbedtls_x509_sequence *extended_key_usage )
+{
+    int ret;
+    const char *desc;
+    size_t n = *size;
+    char *p = *buf;
+    const mbedtls_x509_sequence *cur = extended_key_usage;
+    const char *sep = "";
+
+    while( cur != NULL )
+    {
+        if( mbedtls_oid_get_extended_key_usage( &cur->buf, &desc ) != 0 )
+            desc = "???";
+
+        ret = mbedtls_snprintf( p, n, "%s%s", sep, desc );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        sep = ", ";
+
+        cur = cur->next;
+    }
+
+    *size = n;
+    *buf = p;
+
+    return( 0 );
+}
+
+/*
+ * Return an informational string about the certificate.
+ */
+#define BEFORE_COLON    18
+#define BC              "18"
+int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_crt *crt )
+{
+    int ret;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    if( NULL == crt )
+    {
+        ret = mbedtls_snprintf( p, n, "\nCertificate is uninitialised!\n" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        return( (int) ( size - n ) );
+    }
+
+    ret = mbedtls_snprintf( p, n, "%scert. version     : %d\n",
+                               prefix, crt->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_snprintf( p, n, "%sserial number     : ",
+                               prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_serial_gets( p, n, &crt->serial );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissuer name       : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->issuer  );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssubject name      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &crt->subject );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sissued  on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_from.year, crt->valid_from.mon,
+                   crt->valid_from.day,  crt->valid_from.hour,
+                   crt->valid_from.min,  crt->valid_from.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%sexpires on        : " \
+                   "%04d-%02d-%02d %02d:%02d:%02d", prefix,
+                   crt->valid_to.year, crt->valid_to.mon,
+                   crt->valid_to.day,  crt->valid_to.hour,
+                   crt->valid_to.min,  crt->valid_to.sec );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using      : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &crt->sig_oid, crt->sig_pk,
+                             crt->sig_md, crt->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /* Key size */
+    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
+                                      mbedtls_pk_get_name( &crt->pk ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits", prefix, key_size_str,
+                          (int) mbedtls_pk_get_bitlen( &crt->pk ) );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    /*
+     * Optional extensions
+     */
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_BASIC_CONSTRAINTS )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sbasic constraints : CA=%s", prefix,
+                        crt->ca_istrue ? "true" : "false" );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( crt->max_pathlen > 0 )
+        {
+            ret = mbedtls_snprintf( p, n, ", max_pathlen=%d", crt->max_pathlen - 1 );
+            MBEDTLS_X509_SAFE_SNPRINTF;
+        }
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%ssubject alt name  : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_subject_alt_name( &p, &n,
+                                            &crt->subject_alt_names ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%scert. type        : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_cert_type( &p, &n, crt->ns_cert_type ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%skey usage         : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_key_usage( &p, &n, crt->key_usage ) ) != 0 )
+            return( ret );
+    }
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE )
+    {
+        ret = mbedtls_snprintf( p, n, "\n%sext key usage     : ", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+
+        if( ( ret = x509_info_ext_key_usage( &p, &n,
+                                             &crt->ext_key_usage ) ) != 0 )
+            return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n" );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+struct x509_crt_verify_string {
+    int code;
+    const char *string;
+};
+
+static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
+    { MBEDTLS_X509_BADCERT_EXPIRED,       "The certificate validity has expired" },
+    { MBEDTLS_X509_BADCERT_REVOKED,       "The certificate has been revoked (is on a CRL)" },
+    { MBEDTLS_X509_BADCERT_CN_MISMATCH,   "The certificate Common Name (CN) does not match with the expected CN" },
+    { MBEDTLS_X509_BADCERT_NOT_TRUSTED,   "The certificate is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_NOT_TRUSTED,    "The CRL is not correctly signed by the trusted CA" },
+    { MBEDTLS_X509_BADCRL_EXPIRED,        "The CRL is expired" },
+    { MBEDTLS_X509_BADCERT_MISSING,       "Certificate was missing" },
+    { MBEDTLS_X509_BADCERT_SKIP_VERIFY,   "Certificate verification was skipped" },
+    { MBEDTLS_X509_BADCERT_OTHER,         "Other reason (can be used by verify callback)" },
+    { MBEDTLS_X509_BADCERT_FUTURE,        "The certificate validity starts in the future" },
+    { MBEDTLS_X509_BADCRL_FUTURE,         "The CRL is from the future" },
+    { MBEDTLS_X509_BADCERT_KEY_USAGE,     "Usage does not match the keyUsage extension" },
+    { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
+    { MBEDTLS_X509_BADCERT_NS_CERT_TYPE,  "Usage does not match the nsCertType extension" },
+    { MBEDTLS_X509_BADCERT_BAD_MD,        "The certificate is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCERT_BAD_PK,        "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCERT_BAD_KEY,       "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { MBEDTLS_X509_BADCRL_BAD_MD,         "The CRL is signed with an unacceptable hash." },
+    { MBEDTLS_X509_BADCRL_BAD_PK,         "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." },
+    { MBEDTLS_X509_BADCRL_BAD_KEY,        "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." },
+    { 0, NULL }
+};
+
+int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags )
+{
+    int ret;
+    const struct x509_crt_verify_string *cur;
+    char *p = buf;
+    size_t n = size;
+
+    for( cur = x509_crt_verify_strings; cur->string != NULL ; cur++ )
+    {
+        if( ( flags & cur->code ) == 0 )
+            continue;
+
+        ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, cur->string );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+        flags ^= cur->code;
+    }
+
+    if( flags != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%sUnknown reason "
+                                       "(this should not happen)\n", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+}
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
+                                      unsigned int usage )
+{
+    unsigned int usage_must, usage_may;
+    unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
+                          | MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    usage_must = usage & ~may_mask;
+
+    if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    usage_may = usage & may_mask;
+
+    if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    return( 0 );
+}
+#endif
+
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
+                                       const char *usage_oid,
+                                       size_t usage_len )
+{
+    const mbedtls_x509_sequence *cur;
+
+    /* Extension is not mandatory, absent means no restriction */
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    /*
+     * Look for the requested usage (or wildcard ANY) in our list
+     */
+    for( cur = &crt->ext_key_usage; cur != NULL; cur = cur->next )
+    {
+        const mbedtls_x509_buf *cur_oid = &cur->buf;
+
+        if( cur_oid->len == usage_len &&
+            memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
+        {
+            return( 0 );
+        }
+
+        if( MBEDTLS_OID_CMP( MBEDTLS_OID_ANY_EXTENDED_KEY_USAGE, cur_oid ) == 0 )
+            return( 0 );
+    }
+
+    return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+}
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+/*
+ * Return 1 if the certificate is revoked, or 0 otherwise.
+ */
+int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl )
+{
+    const mbedtls_x509_crl_entry *cur = &crl->entry;
+
+    while( cur != NULL && cur->serial.len != 0 )
+    {
+        if( crt->serial.len == cur->serial.len &&
+            memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
+        {
+            if( mbedtls_x509_time_is_past( &cur->revocation_date ) )
+                return( 1 );
+        }
+
+        cur = cur->next;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check that the given certificate is not revoked according to the CRL.
+ * Skip validation if no CRL for the given CA is present.
+ */
+static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
+                               mbedtls_x509_crl *crl_list,
+                               const mbedtls_x509_crt_profile *profile )
+{
+    int flags = 0;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+    const mbedtls_md_info_t *md_info;
+
+    if( ca == NULL )
+        return( flags );
+
+    while( crl_list != NULL )
+    {
+        if( crl_list->version == 0 ||
+            x509_name_cmp( &crl_list->issuer, &ca->subject ) != 0 )
+        {
+            crl_list = crl_list->next;
+            continue;
+        }
+
+        /*
+         * Check if the CA is configured to sign CRLs
+         */
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+        if( mbedtls_x509_crt_check_key_usage( ca,
+                                              MBEDTLS_X509_KU_CRL_SIGN ) != 0 )
+        {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+#endif
+
+        /*
+         * Check if CRL is correctly signed by the trusted CA
+         */
+        if( x509_profile_check_md_alg( profile, crl_list->sig_md ) != 0 )
+            flags |= MBEDTLS_X509_BADCRL_BAD_MD;
+
+        if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
+            flags |= MBEDTLS_X509_BADCRL_BAD_PK;
+
+        md_info = mbedtls_md_info_from_type( crl_list->sig_md );
+        if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 )
+        {
+            /* Note: this can't happen except after an internal error */
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        if( x509_profile_check_key( profile, &ca->pk ) != 0 )
+            flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+        if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
+                           crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
+                           crl_list->sig.p, crl_list->sig.len ) != 0 )
+        {
+            flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        /*
+         * Check for validity of CRL (Do not drop out)
+         */
+        if( mbedtls_x509_time_is_past( &crl_list->next_update ) )
+            flags |= MBEDTLS_X509_BADCRL_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &crl_list->this_update ) )
+            flags |= MBEDTLS_X509_BADCRL_FUTURE;
+
+        /*
+         * Check if certificate is revoked
+         */
+        if( mbedtls_x509_crt_is_revoked( crt, crl_list ) )
+        {
+            flags |= MBEDTLS_X509_BADCERT_REVOKED;
+            break;
+        }
+
+        crl_list = crl_list->next;
+    }
+
+    return( flags );
+}
+#endif /* MBEDTLS_X509_CRL_PARSE_C */
+
+/*
+ * Check the signature of a certificate by its parent
+ */
+static int x509_crt_check_signature( const mbedtls_x509_crt *child,
+                                     mbedtls_x509_crt *parent,
+                                     mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    const mbedtls_md_info_t *md_info;
+    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
+
+    md_info = mbedtls_md_info_from_type( child->sig_md );
+    if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
+    {
+        /* Note: this can't happen except after an internal error */
+        return( -1 );
+    }
+
+    /* Skip expensive computation on obvious mismatch */
+    if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
+        return( -1 );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
+    {
+        return( mbedtls_pk_verify_restartable( &parent->pk,
+                    child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                    child->sig.p, child->sig.len, &rs_ctx->pk ) );
+    }
+#else
+    (void) rs_ctx;
+#endif
+
+    return( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent->pk,
+                child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                child->sig.p, child->sig.len ) );
+}
+
+/*
+ * Check if 'parent' is a suitable parent (signing CA) for 'child'.
+ * Return 0 if yes, -1 if not.
+ *
+ * top means parent is a locally-trusted certificate
+ */
+static int x509_crt_check_parent( const mbedtls_x509_crt *child,
+                                  const mbedtls_x509_crt *parent,
+                                  int top )
+{
+    int need_ca_bit;
+
+    /* Parent must be the issuer */
+    if( x509_name_cmp( &child->issuer, &parent->subject ) != 0 )
+        return( -1 );
+
+    /* Parent must have the basicConstraints CA bit set as a general rule */
+    need_ca_bit = 1;
+
+    /* Exception: v1/v2 certificates that are locally trusted. */
+    if( top && parent->version < 3 )
+        need_ca_bit = 0;
+
+    if( need_ca_bit && ! parent->ca_istrue )
+        return( -1 );
+
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
+    if( need_ca_bit &&
+        mbedtls_x509_crt_check_key_usage( parent, MBEDTLS_X509_KU_KEY_CERT_SIGN ) != 0 )
+    {
+        return( -1 );
+    }
+#endif
+
+    return( 0 );
+}
+
+/*
+ * Find a suitable parent for child in candidates, or return NULL.
+ *
+ * Here suitable is defined as:
+ *  1. subject name matches child's issuer
+ *  2. if necessary, the CA bit is set and key usage allows signing certs
+ *  3. for trusted roots, the signature is correct
+ *     (for intermediates, the signature is checked and the result reported)
+ *  4. pathlen constraints are satisfied
+ *
+ * If there's a suitable candidate which is also time-valid, return the first
+ * such. Otherwise, return the first suitable candidate (or NULL if there is
+ * none).
+ *
+ * The rationale for this rule is that someone could have a list of trusted
+ * roots with two versions on the same root with different validity periods.
+ * (At least one user reported having such a list and wanted it to just work.)
+ * The reason we don't just require time-validity is that generally there is
+ * only one version, and if it's expired we want the flags to state that
+ * rather than NOT_TRUSTED, as would be the case if we required it here.
+ *
+ * The rationale for rule 3 (signature for trusted roots) is that users might
+ * have two versions of the same CA with different keys in their list, and the
+ * way we select the correct one is by checking the signature (as we don't
+ * rely on key identifier extensions). (This is one way users might choose to
+ * handle key rollover, another relies on self-issued certs, see [SIRO].)
+ *
+ * Arguments:
+ *  - [in] child: certificate for which we're looking for a parent
+ *  - [in] candidates: chained list of potential parents
+ *  - [out] r_parent: parent found (or NULL)
+ *  - [out] r_signature_is_good: 1 if child signature by parent is valid, or 0
+ *  - [in] top: 1 if candidates consists of trusted roots, ie we're at the top
+ *         of the chain, 0 otherwise
+ *  - [in] path_cnt: number of intermediates seen so far
+ *  - [in] self_cnt: number of self-signed intermediates seen so far
+ *         (will never be greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ */
+static int x509_crt_find_parent_in(
+                        mbedtls_x509_crt *child,
+                        mbedtls_x509_crt *candidates,
+                        mbedtls_x509_crt **r_parent,
+                        int *r_signature_is_good,
+                        int top,
+                        unsigned path_cnt,
+                        unsigned self_cnt,
+                        mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_x509_crt *parent, *fallback_parent;
+    int signature_is_good, fallback_signature_is_good;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* did we have something in progress? */
+    if( rs_ctx != NULL && rs_ctx->parent != NULL )
+    {
+        /* restore saved state */
+        parent = rs_ctx->parent;
+        fallback_parent = rs_ctx->fallback_parent;
+        fallback_signature_is_good = rs_ctx->fallback_signature_is_good;
+
+        /* clear saved state */
+        rs_ctx->parent = NULL;
+        rs_ctx->fallback_parent = NULL;
+        rs_ctx->fallback_signature_is_good = 0;
+
+        /* resume where we left */
+        goto check_signature;
+    }
+#endif
+
+    fallback_parent = NULL;
+    fallback_signature_is_good = 0;
+
+    for( parent = candidates; parent != NULL; parent = parent->next )
+    {
+        /* basic parenting skills (name, CA bit, key usage) */
+        if( x509_crt_check_parent( child, parent, top ) != 0 )
+            continue;
+
+        /* +1 because stored max_pathlen is 1 higher that the actual value */
+        if( parent->max_pathlen > 0 &&
+            (size_t) parent->max_pathlen < 1 + path_cnt - self_cnt )
+        {
+            continue;
+        }
+
+        /* Signature */
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+check_signature:
+#endif
+        ret = x509_crt_check_signature( child, parent, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+        {
+            /* save state */
+            rs_ctx->parent = parent;
+            rs_ctx->fallback_parent = fallback_parent;
+            rs_ctx->fallback_signature_is_good = fallback_signature_is_good;
+
+            return( ret );
+        }
+#else
+        (void) ret;
+#endif
+
+        signature_is_good = ret == 0;
+        if( top && ! signature_is_good )
+            continue;
+
+        /* optional time check */
+        if( mbedtls_x509_time_is_past( &parent->valid_to ) ||
+            mbedtls_x509_time_is_future( &parent->valid_from ) )
+        {
+            if( fallback_parent == NULL )
+            {
+                fallback_parent = parent;
+                fallback_signature_is_good = signature_is_good;
+            }
+
+            continue;
+        }
+
+        *r_parent = parent;
+        *r_signature_is_good = signature_is_good;
+
+        break;
+    }
+
+    if( parent == NULL )
+    {
+        *r_parent = fallback_parent;
+        *r_signature_is_good = fallback_signature_is_good;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Find a parent in trusted CAs or the provided chain, or return NULL.
+ *
+ * Searches in trusted CAs first, and return the first suitable parent found
+ * (see find_parent_in() for definition of suitable).
+ *
+ * Arguments:
+ *  - [in] child: certificate for which we're looking for a parent, followed
+ *         by a chain of possible intermediates
+ *  - [in] trust_ca: list of locally trusted certificates
+ *  - [out] parent: parent found (or NULL)
+ *  - [out] parent_is_trusted: 1 if returned `parent` is trusted, or 0
+ *  - [out] signature_is_good: 1 if child signature by parent is valid, or 0
+ *  - [in] path_cnt: number of links in the chain so far (EE -> ... -> child)
+ *  - [in] self_cnt: number of self-signed certs in the chain so far
+ *         (will always be no greater than path_cnt)
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - 0 on success
+ *  - MBEDTLS_ERR_ECP_IN_PROGRESS otherwise
+ */
+static int x509_crt_find_parent(
+                        mbedtls_x509_crt *child,
+                        mbedtls_x509_crt *trust_ca,
+                        mbedtls_x509_crt **parent,
+                        int *parent_is_trusted,
+                        int *signature_is_good,
+                        unsigned path_cnt,
+                        unsigned self_cnt,
+                        mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_x509_crt *search_list;
+
+    *parent_is_trusted = 1;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* restore then clear saved state if we have some stored */
+    if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1 )
+    {
+        *parent_is_trusted = rs_ctx->parent_is_trusted;
+        rs_ctx->parent_is_trusted = -1;
+    }
+#endif
+
+    while( 1 ) {
+        search_list = *parent_is_trusted ? trust_ca : child->next;
+
+        ret = x509_crt_find_parent_in( child, search_list,
+                                       parent, signature_is_good,
+                                       *parent_is_trusted,
+                                       path_cnt, self_cnt, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+        {
+            /* save state */
+            rs_ctx->parent_is_trusted = *parent_is_trusted;
+            return( ret );
+        }
+#else
+        (void) ret;
+#endif
+
+        /* stop here if found or already in second iteration */
+        if( *parent != NULL || *parent_is_trusted == 0 )
+            break;
+
+        /* prepare second iteration */
+        *parent_is_trusted = 0;
+    }
+
+    /* extra precaution against mistakes in the caller */
+    if( *parent == NULL )
+    {
+        *parent_is_trusted = 0;
+        *signature_is_good = 0;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Check if an end-entity certificate is locally trusted
+ *
+ * Currently we require such certificates to be self-signed (actually only
+ * check for self-issued as self-signatures are not checked)
+ */
+static int x509_crt_check_ee_locally_trusted(
+                    mbedtls_x509_crt *crt,
+                    mbedtls_x509_crt *trust_ca )
+{
+    mbedtls_x509_crt *cur;
+
+    /* must be self-issued */
+    if( x509_name_cmp( &crt->issuer, &crt->subject ) != 0 )
+        return( -1 );
+
+    /* look for an exact match with trusted cert */
+    for( cur = trust_ca; cur != NULL; cur = cur->next )
+    {
+        if( crt->raw.len == cur->raw.len &&
+            memcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 )
+        {
+            return( 0 );
+        }
+    }
+
+    /* too bad */
+    return( -1 );
+}
+
+/*
+ * Build and verify a certificate chain
+ *
+ * Given a peer-provided list of certificates EE, C1, ..., Cn and
+ * a list of trusted certs R1, ... Rp, try to build and verify a chain
+ *      EE, Ci1, ... Ciq [, Rj]
+ * such that every cert in the chain is a child of the next one,
+ * jumping to a trusted root as early as possible.
+ *
+ * Verify that chain and return it with flags for all issues found.
+ *
+ * Special cases:
+ * - EE == Rj -> return a one-element list containing it
+ * - EE, Ci1, ..., Ciq cannot be continued with a trusted root
+ *   -> return that chain with NOT_TRUSTED set on Ciq
+ *
+ * Tests for (aspects of) this function should include at least:
+ * - trusted EE
+ * - EE -> trusted root
+ * - EE -> intermediate CA -> trusted root
+ * - if relevant: EE untrusted
+ * - if relevant: EE -> intermediate, untrusted
+ * with the aspect under test checked at each relevant level (EE, int, root).
+ * For some aspects longer chains are required, but usually length 2 is
+ * enough (but length 1 is not in general).
+ *
+ * Arguments:
+ *  - [in] crt: the cert list EE, C1, ..., Cn
+ *  - [in] trust_ca: the trusted list R1, ..., Rp
+ *  - [in] ca_crl, profile: as in verify_with_profile()
+ *  - [out] ver_chain: the built and verified chain
+ *      Only valid when return value is 0, may contain garbage otherwise!
+ *      Restart note: need not be the same when calling again to resume.
+ *  - [in-out] rs_ctx: context for restarting operations
+ *
+ * Return value:
+ *  - non-zero if the chain could not be fully built and examined
+ *  - 0 is the chain was successfully built and examined,
+ *      even if it was found to be invalid
+ */
+static int x509_crt_verify_chain(
+                mbedtls_x509_crt *crt,
+                mbedtls_x509_crt *trust_ca,
+                mbedtls_x509_crl *ca_crl,
+                const mbedtls_x509_crt_profile *profile,
+                mbedtls_x509_crt_verify_chain *ver_chain,
+                mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    /* Don't initialize any of those variables here, so that the compiler can
+     * catch potential issues with jumping ahead when restarting */
+    int ret;
+    uint32_t *flags;
+    mbedtls_x509_crt_verify_chain_item *cur;
+    mbedtls_x509_crt *child;
+    mbedtls_x509_crt *parent;
+    int parent_is_trusted;
+    int child_is_trusted;
+    int signature_is_good;
+    unsigned self_cnt;
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    /* resume if we had an operation in progress */
+    if( rs_ctx != NULL && rs_ctx->in_progress == x509_crt_rs_find_parent )
+    {
+        /* restore saved state */
+        *ver_chain = rs_ctx->ver_chain; /* struct copy */
+        self_cnt = rs_ctx->self_cnt;
+
+        /* restore derived state */
+        cur = &ver_chain->items[ver_chain->len - 1];
+        child = cur->crt;
+        flags = &cur->flags;
+
+        goto find_parent;
+    }
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+    child = crt;
+    self_cnt = 0;
+    parent_is_trusted = 0;
+    child_is_trusted = 0;
+
+    while( 1 ) {
+        /* Add certificate to the verification chain */
+        cur = &ver_chain->items[ver_chain->len];
+        cur->crt = child;
+        cur->flags = 0;
+        ver_chain->len++;
+        flags = &cur->flags;
+
+        /* Check time-validity (all certificates) */
+        if( mbedtls_x509_time_is_past( &child->valid_to ) )
+            *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &child->valid_from ) )
+            *flags |= MBEDTLS_X509_BADCERT_FUTURE;
+
+        /* Stop here for trusted roots (but not for trusted EE certs) */
+        if( child_is_trusted )
+            return( 0 );
+
+        /* Check signature algorithm: MD & PK algs */
+        if( x509_profile_check_md_alg( profile, child->sig_md ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_MD;
+
+        if( x509_profile_check_pk_alg( profile, child->sig_pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+        /* Special case: EE certs that are locally trusted */
+        if( ver_chain->len == 1 &&
+            x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 )
+        {
+            return( 0 );
+        }
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+find_parent:
+#endif
+        /* Look for a parent in trusted CAs or up the chain */
+        ret = x509_crt_find_parent( child, trust_ca, &parent,
+                                       &parent_is_trusted, &signature_is_good,
+                                       ver_chain->len - 1, self_cnt, rs_ctx );
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+        if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+        {
+            /* save state */
+            rs_ctx->in_progress = x509_crt_rs_find_parent;
+            rs_ctx->self_cnt = self_cnt;
+            rs_ctx->ver_chain = *ver_chain; /* struct copy */
+
+            return( ret );
+        }
+#else
+        (void) ret;
+#endif
+
+        /* No parent? We're done here */
+        if( parent == NULL )
+        {
+            *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+            return( 0 );
+        }
+
+        /* Count intermediate self-issued (not necessarily self-signed) certs.
+         * These can occur with some strategies for key rollover, see [SIRO],
+         * and should be excluded from max_pathlen checks. */
+        if( ver_chain->len != 1 &&
+            x509_name_cmp( &child->issuer, &child->subject ) == 0 )
+        {
+            self_cnt++;
+        }
+
+        /* path_cnt is 0 for the first intermediate CA,
+         * and if parent is trusted it's not an intermediate CA */
+        if( ! parent_is_trusted &&
+            ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA )
+        {
+            /* return immediately to avoid overflow the chain array */
+            return( MBEDTLS_ERR_X509_FATAL_ERROR );
+        }
+
+        /* signature was checked while searching parent */
+        if( ! signature_is_good )
+            *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
+
+        /* check size of signing key */
+        if( x509_profile_check_key( profile, &parent->pk ) != 0 )
+            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+#if defined(MBEDTLS_X509_CRL_PARSE_C)
+        /* Check trusted CA's CRL for the given crt */
+        *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile );
+#else
+        (void) ca_crl;
+#endif
+
+        /* prepare for next iteration */
+        child = parent;
+        parent = NULL;
+        child_is_trusted = parent_is_trusted;
+        signature_is_good = 0;
+    }
+}
+
+/*
+ * Check for CN match
+ */
+static int x509_crt_check_cn( const mbedtls_x509_buf *name,
+                              const char *cn, size_t cn_len )
+{
+    /* try exact match */
+    if( name->len == cn_len &&
+        x509_memcasecmp( cn, name->p, cn_len ) == 0 )
+    {
+        return( 0 );
+    }
+
+    /* try wildcard match */
+    if( x509_check_wildcard( cn, name ) == 0 )
+    {
+        return( 0 );
+    }
+
+    return( -1 );
+}
+
+/*
+ * Verify the requested CN - only call this if cn is not NULL!
+ */
+static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
+                                  const char *cn,
+                                  uint32_t *flags )
+{
+    const mbedtls_x509_name *name;
+    const mbedtls_x509_sequence *cur;
+    size_t cn_len = strlen( cn );
+
+    if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
+    {
+        for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
+        {
+            if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
+                break;
+        }
+
+        if( cur == NULL )
+            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+    }
+    else
+    {
+        for( name = &crt->subject; name != NULL; name = name->next )
+        {
+            if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 &&
+                x509_crt_check_cn( &name->val, cn, cn_len ) == 0 )
+            {
+                break;
+            }
+        }
+
+        if( name == NULL )
+            *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
+    }
+}
+
+/*
+ * Merge the flags for all certs in the chain, after calling callback
+ */
+static int x509_crt_merge_flags_with_cb(
+           uint32_t *flags,
+           const mbedtls_x509_crt_verify_chain *ver_chain,
+           int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+           void *p_vrfy )
+{
+    int ret;
+    unsigned i;
+    uint32_t cur_flags;
+    const mbedtls_x509_crt_verify_chain_item *cur;
+
+    for( i = ver_chain->len; i != 0; --i )
+    {
+        cur = &ver_chain->items[i-1];
+        cur_flags = cur->flags;
+
+        if( NULL != f_vrfy )
+            if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 )
+                return( ret );
+
+        *flags |= cur_flags;
+    }
+
+    return( 0 );
+}
+
+/*
+ * Verify the certificate validity (default profile, not restartable)
+ */
+int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
+                &mbedtls_x509_crt_profile_default, cn, flags,
+                f_vrfy, p_vrfy, NULL ) );
+}
+
+/*
+ * Verify the certificate validity (user-chosen profile, not restartable)
+ */
+int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
+                profile, cn, flags, f_vrfy, p_vrfy, NULL ) );
+}
+
+/*
+ * Verify the certificate validity, with profile, restartable version
+ *
+ * This function:
+ *  - checks the requested CN (if any)
+ *  - checks the type and size of the EE cert's key,
+ *    as that isn't done as part of chain building/verification currently
+ *  - builds and verifies the chain
+ *  - then calls the callback and merges the flags
+ */
+int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
+                     mbedtls_x509_crt *trust_ca,
+                     mbedtls_x509_crl *ca_crl,
+                     const mbedtls_x509_crt_profile *profile,
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy,
+                     mbedtls_x509_crt_restart_ctx *rs_ctx )
+{
+    int ret;
+    mbedtls_pk_type_t pk_type;
+    mbedtls_x509_crt_verify_chain ver_chain;
+    uint32_t ee_flags;
+
+    *flags = 0;
+    ee_flags = 0;
+    x509_crt_verify_chain_reset( &ver_chain );
+
+    if( profile == NULL )
+    {
+        ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+        goto exit;
+    }
+
+    /* check name if requested */
+    if( cn != NULL )
+        x509_crt_verify_name( crt, cn, &ee_flags );
+
+    /* Check the type and size of the key */
+    pk_type = mbedtls_pk_get_type( &crt->pk );
+
+    if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
+
+    if( x509_profile_check_key( profile, &crt->pk ) != 0 )
+        ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
+
+    /* Check the chain */
+    ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
+                                 &ver_chain, rs_ctx );
+
+    if( ret != 0 )
+        goto exit;
+
+    /* Merge end-entity flags */
+    ver_chain.items[0].flags |= ee_flags;
+
+    /* Build final flags, calling callback on the way if any */
+    ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
+
+exit:
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+    if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+        mbedtls_x509_crt_restart_free( rs_ctx );
+#endif
+
+    /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
+     * the SSL module for authmode optional, but non-zero return from the
+     * callback means a fatal error so it shouldn't be ignored */
+    if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
+        ret = MBEDTLS_ERR_X509_FATAL_ERROR;
+
+    if( ret != 0 )
+    {
+        *flags = (uint32_t) -1;
+        return( ret );
+    }
+
+    if( *flags != 0 )
+        return( MBEDTLS_ERR_X509_CERT_VERIFY_FAILED );
+
+    return( 0 );
+}
+
+/*
+ * Initialize a certificate chain
+ */
+void mbedtls_x509_crt_init( mbedtls_x509_crt *crt )
+{
+    memset( crt, 0, sizeof(mbedtls_x509_crt) );
+}
+
+/*
+ * Unallocate all certificate data
+ */
+void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
+{
+    mbedtls_x509_crt *cert_cur = crt;
+    mbedtls_x509_crt *cert_prv;
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+    mbedtls_x509_sequence *seq_cur;
+    mbedtls_x509_sequence *seq_prv;
+
+    if( crt == NULL )
+        return;
+
+    do
+    {
+        mbedtls_pk_free( &cert_cur->pk );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+        mbedtls_free( cert_cur->sig_opts );
+#endif
+
+        name_cur = cert_cur->issuer.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        name_cur = cert_cur->subject.next;
+        while( name_cur != NULL )
+        {
+            name_prv = name_cur;
+            name_cur = name_cur->next;
+            mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+            mbedtls_free( name_prv );
+        }
+
+        seq_cur = cert_cur->ext_key_usage.next;
+        while( seq_cur != NULL )
+        {
+            seq_prv = seq_cur;
+            seq_cur = seq_cur->next;
+            mbedtls_platform_zeroize( seq_prv,
+                                      sizeof( mbedtls_x509_sequence ) );
+            mbedtls_free( seq_prv );
+        }
+
+        seq_cur = cert_cur->subject_alt_names.next;
+        while( seq_cur != NULL )
+        {
+            seq_prv = seq_cur;
+            seq_cur = seq_cur->next;
+            mbedtls_platform_zeroize( seq_prv,
+                                      sizeof( mbedtls_x509_sequence ) );
+            mbedtls_free( seq_prv );
+        }
+
+        if( cert_cur->raw.p != NULL )
+        {
+            mbedtls_platform_zeroize( cert_cur->raw.p, cert_cur->raw.len );
+            mbedtls_free( cert_cur->raw.p );
+        }
+
+        cert_cur = cert_cur->next;
+    }
+    while( cert_cur != NULL );
+
+    cert_cur = crt;
+    do
+    {
+        cert_prv = cert_cur;
+        cert_cur = cert_cur->next;
+
+        mbedtls_platform_zeroize( cert_prv, sizeof( mbedtls_x509_crt ) );
+        if( cert_prv != crt )
+            mbedtls_free( cert_prv );
+    }
+    while( cert_cur != NULL );
+}
+
+#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
+/*
+ * Initialize a restart context
+ */
+void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
+{
+    mbedtls_pk_restart_init( &ctx->pk );
+
+    ctx->parent = NULL;
+    ctx->fallback_parent = NULL;
+    ctx->fallback_signature_is_good = 0;
+
+    ctx->parent_is_trusted = -1;
+
+    ctx->in_progress = x509_crt_rs_none;
+    ctx->self_cnt = 0;
+    x509_crt_verify_chain_reset( &ctx->ver_chain );
+}
+
+/*
+ * Free the components of a restart context
+ */
+void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_pk_restart_free( &ctx->pk );
+    mbedtls_x509_crt_restart_init( ctx );
+}
+#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
+
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
diff --git a/makerom/deps/libmbedtls/src/x509_csr.c b/makerom/deps/libmbedtls/src/x509_csr.c
new file mode 100644
index 00000000..c8c08c87
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/x509_csr.c
@@ -0,0 +1,419 @@
+/*
+ *  X.509 Certificate Signing Request (CSR) parsing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ *  The ITU-T X.509 standard defines a certificate format for PKI.
+ *
+ *  http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
+ *  http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
+ *  http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
+ *
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
+ *  http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CSR_PARSE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+#include "mbedtls/pem.h"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#include <stdio.h>
+#define mbedtls_free       free
+#define mbedtls_calloc    calloc
+#define mbedtls_snprintf   snprintf
+#endif
+
+#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
+#include <stdio.h>
+#endif
+
+/*
+ *  Version  ::=  INTEGER  {  v1(0)  }
+ */
+static int x509_csr_get_version( unsigned char **p,
+                             const unsigned char *end,
+                             int *ver )
+{
+    int ret;
+
+    if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
+    {
+        if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
+        {
+            *ver = 0;
+            return( 0 );
+        }
+
+        return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse a CSR in DER format
+ */
+int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
+                        const unsigned char *buf, size_t buflen )
+{
+    int ret;
+    size_t len;
+    unsigned char *p, *end;
+    mbedtls_x509_buf sig_params;
+
+    memset( &sig_params, 0, sizeof( mbedtls_x509_buf ) );
+
+    /*
+     * Check for valid input
+     */
+    if( csr == NULL || buf == NULL || buflen == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    mbedtls_x509_csr_init( csr );
+
+    /*
+     * first copy the raw DER data
+     */
+    p = mbedtls_calloc( 1, len = buflen );
+
+    if( p == NULL )
+        return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+
+    memcpy( p, buf, buflen );
+
+    csr->raw.p = p;
+    csr->raw.len = len;
+    end = p + len;
+
+    /*
+     *  CertificationRequest ::= SEQUENCE {
+     *       certificationRequestInfo CertificationRequestInfo,
+     *       signatureAlgorithm AlgorithmIdentifier,
+     *       signature          BIT STRING
+     *  }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+    }
+
+    if( len != (size_t) ( end - p ) )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    /*
+     *  CertificationRequestInfo ::= SEQUENCE {
+     */
+    csr->cri.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = p + len;
+    csr->cri.len = end - csr->cri.p;
+
+    /*
+     *  Version  ::=  INTEGER {  v1(0) }
+     */
+    if( ( ret = x509_csr_get_version( &p, end, &csr->version ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( csr->version != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
+    }
+
+    csr->version++;
+
+    /*
+     *  subject               Name
+     */
+    csr->subject_raw.p = p;
+
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    csr->subject_raw.len = p - csr->subject_raw.p;
+
+    /*
+     *  subjectPKInfo SubjectPublicKeyInfo
+     */
+    if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &csr->pk ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    /*
+     *  attributes    [0] Attributes
+     *
+     *  The list of possible attributes is open-ended, though RFC 2985
+     *  (PKCS#9) defines a few in section 5.4. We currently don't support any,
+     *  so we just ignore them. This is a safe thing to do as the worst thing
+     *  that could happen is that we issue a certificate that does not match
+     *  the requester's expectations - this cannot cause a violation of our
+     *  signature policies.
+     */
+    if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
+            MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    p += len;
+
+    end = csr->raw.p + csr->raw.len;
+
+    /*
+     *  signatureAlgorithm   AlgorithmIdentifier,
+     *  signature            BIT STRING
+     */
+    if( ( ret = mbedtls_x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig_alg( &csr->sig_oid, &sig_params,
+                                  &csr->sig_md, &csr->sig_pk,
+                                  &csr->sig_opts ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
+    }
+
+    if( ( ret = mbedtls_x509_get_sig( &p, end, &csr->sig ) ) != 0 )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( ret );
+    }
+
+    if( p != end )
+    {
+        mbedtls_x509_csr_free( csr );
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+    }
+
+    return( 0 );
+}
+
+/*
+ * Parse a CSR, allowing for PEM or raw DER encoding
+ */
+int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen )
+{
+#if defined(MBEDTLS_PEM_PARSE_C)
+    int ret;
+    size_t use_len;
+    mbedtls_pem_context pem;
+#endif
+
+    /*
+     * Check for valid input
+     */
+    if( csr == NULL || buf == NULL || buflen == 0 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+#if defined(MBEDTLS_PEM_PARSE_C)
+    /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
+    if( buf[buflen - 1] == '\0' )
+    {
+        mbedtls_pem_init( &pem );
+        ret = mbedtls_pem_read_buffer( &pem,
+                                       "-----BEGIN CERTIFICATE REQUEST-----",
+                                       "-----END CERTIFICATE REQUEST-----",
+                                       buf, NULL, 0, &use_len );
+        if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        {
+            ret = mbedtls_pem_read_buffer( &pem,
+                                           "-----BEGIN NEW CERTIFICATE REQUEST-----",
+                                           "-----END NEW CERTIFICATE REQUEST-----",
+                                           buf, NULL, 0, &use_len );
+        }
+
+        if( ret == 0 )
+        {
+            /*
+             * Was PEM encoded, parse the result
+             */
+            ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
+        }
+
+        mbedtls_pem_free( &pem );
+        if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+            return( ret );
+    }
+#endif /* MBEDTLS_PEM_PARSE_C */
+    return( mbedtls_x509_csr_parse_der( csr, buf, buflen ) );
+}
+
+#if defined(MBEDTLS_FS_IO)
+/*
+ * Load a CSR into the structure
+ */
+int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path )
+{
+    int ret;
+    size_t n;
+    unsigned char *buf;
+
+    if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
+        return( ret );
+
+    ret = mbedtls_x509_csr_parse( csr, buf, n );
+
+    mbedtls_platform_zeroize( buf, n );
+    mbedtls_free( buf );
+
+    return( ret );
+}
+#endif /* MBEDTLS_FS_IO */
+
+#define BEFORE_COLON    14
+#define BC              "14"
+/*
+ * Return an informational string about the CSR.
+ */
+int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
+                   const mbedtls_x509_csr *csr )
+{
+    int ret;
+    size_t n;
+    char *p;
+    char key_size_str[BEFORE_COLON];
+
+    p = buf;
+    n = size;
+
+    ret = mbedtls_snprintf( p, n, "%sCSR version   : %d",
+                               prefix, csr->version );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssubject name  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+    ret = mbedtls_x509_dn_gets( p, n, &csr->subject );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_snprintf( p, n, "\n%ssigned using  : ", prefix );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    ret = mbedtls_x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
+                             csr->sig_opts );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
+                                      mbedtls_pk_get_name( &csr->pk ) ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
+                          (int) mbedtls_pk_get_bitlen( &csr->pk ) );
+    MBEDTLS_X509_SAFE_SNPRINTF;
+
+    return( (int) ( size - n ) );
+}
+
+/*
+ * Initialize a CSR
+ */
+void mbedtls_x509_csr_init( mbedtls_x509_csr *csr )
+{
+    memset( csr, 0, sizeof(mbedtls_x509_csr) );
+}
+
+/*
+ * Unallocate all CSR data
+ */
+void mbedtls_x509_csr_free( mbedtls_x509_csr *csr )
+{
+    mbedtls_x509_name *name_cur;
+    mbedtls_x509_name *name_prv;
+
+    if( csr == NULL )
+        return;
+
+    mbedtls_pk_free( &csr->pk );
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
+    mbedtls_free( csr->sig_opts );
+#endif
+
+    name_cur = csr->subject.next;
+    while( name_cur != NULL )
+    {
+        name_prv = name_cur;
+        name_cur = name_cur->next;
+        mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
+        mbedtls_free( name_prv );
+    }
+
+    if( csr->raw.p != NULL )
+    {
+        mbedtls_platform_zeroize( csr->raw.p, csr->raw.len );
+        mbedtls_free( csr->raw.p );
+    }
+
+    mbedtls_platform_zeroize( csr, sizeof( mbedtls_x509_csr ) );
+}
+
+#endif /* MBEDTLS_X509_CSR_PARSE_C */
diff --git a/makerom/deps/libmbedtls/src/x509write_crt.c b/makerom/deps/libmbedtls/src/x509write_crt.c
new file mode 100644
index 00000000..61d7ba44
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/x509write_crt.c
@@ -0,0 +1,522 @@
+/*
+ *  X.509 certificate writing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * References:
+ * - certificates: RFC 5280, updated by RFC 6818
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CRT_WRITE_C)
+
+#include "mbedtls/x509_crt.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/sha1.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
+
+    mbedtls_mpi_init( &ctx->serial );
+    ctx->version = MBEDTLS_X509_CRT_VERSION_3;
+}
+
+void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
+{
+    mbedtls_mpi_free( &ctx->serial );
+
+    mbedtls_asn1_free_named_data_list( &ctx->subject );
+    mbedtls_asn1_free_named_data_list( &ctx->issuer );
+    mbedtls_asn1_free_named_data_list( &ctx->extensions );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
+}
+
+void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
+{
+    ctx->version = version;
+}
+
+void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg )
+{
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
+{
+    ctx->subject_key = key;
+}
+
+void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
+{
+    ctx->issuer_key = key;
+}
+
+int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
+                                    const char *subject_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
+}
+
+int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
+                                   const char *issuer_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name );
+}
+
+int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial )
+{
+    int ret;
+
+    if( ( ret = mbedtls_mpi_copy( &ctx->serial, serial ) ) != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
+                                const char *not_after )
+{
+    if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
+        strlen( not_after )  != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 )
+    {
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+    }
+    strncpy( ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
+    strncpy( ctx->not_after , not_after , MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
+    ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+    ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
+                                 const char *oid, size_t oid_len,
+                                 int critical,
+                                 const unsigned char *val, size_t val_len )
+{
+    return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
+                               critical, val, val_len );
+}
+
+int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
+                                         int is_ca, int max_pathlen )
+{
+    int ret;
+    unsigned char buf[9];
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+
+    if( is_ca && max_pathlen > 127 )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    if( is_ca )
+    {
+        if( max_pathlen >= 0 )
+        {
+            MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
+        }
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
+                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
+                                        0, buf + sizeof(buf) - len, len );
+}
+
+#if defined(MBEDTLS_SHA1_C)
+int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof(buf);
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
+
+    ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
+                            buf + sizeof( buf ) - 20 );
+    if( ret != 0 )
+        return( ret );
+    c = buf + sizeof( buf ) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
+                                        MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),
+                                        0, buf + sizeof(buf) - len, len );
+}
+
+int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx )
+{
+    int ret;
+    unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
+    unsigned char *c = buf + sizeof( buf );
+    size_t len = 0;
+
+    memset( buf, 0, sizeof(buf) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
+
+    ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
+                            buf + sizeof( buf ) - 20 );
+    if( ret != 0 )
+        return( ret );
+    c = buf + sizeof( buf ) - 20;
+    len = 20;
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                MBEDTLS_ASN1_SEQUENCE ) );
+
+    return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
+                                   MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
+                                   0, buf + sizeof( buf ) - len, len );
+}
+#endif /* MBEDTLS_SHA1_C */
+
+static size_t crt_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
+int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
+                                         unsigned int key_usage )
+{
+    unsigned char buf[4], ku;
+    unsigned char *c;
+    int ret;
+    size_t unused_bits;
+    const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
+        MBEDTLS_X509_KU_NON_REPUDIATION   |
+        MBEDTLS_X509_KU_KEY_ENCIPHERMENT  |
+        MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
+        MBEDTLS_X509_KU_KEY_AGREEMENT     |
+        MBEDTLS_X509_KU_KEY_CERT_SIGN     |
+        MBEDTLS_X509_KU_CRL_SIGN;
+
+    /* Check that nothing other than the allowed flags is set */
+    if( ( key_usage & ~allowed_bits ) != 0 )
+        return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
+
+    c = buf + 4;
+    ku = (unsigned char)key_usage;
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ku, 1 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &ku, 8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
+                                       1, c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
+                                    unsigned char ns_cert_type )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = crt_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+    if( ret < 3 || ret > 4 )
+        return( ret );
+
+    ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
+                                       0, c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+static int x509_write_time( unsigned char **p, unsigned char *start,
+                            const char *t, size_t size )
+{
+    int ret;
+    size_t len = 0;
+
+    /*
+     * write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
+     */
+    if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                             (const unsigned char *) t + 2,
+                                             size - 2 ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) );
+    }
+    else
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
+                                                  (const unsigned char *) t,
+                                                  size ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) );
+    }
+
+    return( (int) len );
+}
+
+int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char tmp_buf[2048];
+    size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+
+    /*
+     * Prepare data to be signed in tmp_buf
+     */
+    c = tmp_buf + sizeof( tmp_buf );
+
+    /* Signature algorithm needed in TBS, and later for actual signature */
+
+    /* There's no direct way of extracting a signature algorithm
+     * (represented as an element of mbedtls_pk_type_t) from a PK instance. */
+    if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
+        pk_alg = MBEDTLS_PK_RSA;
+    else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+
+    if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
+                                          &sig_oid, &sig_oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
+     */
+
+    /* Only for v3 */
+    if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                           MBEDTLS_ASN1_SEQUENCE ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
+    }
+
+    /*
+     *  SubjectPublicKeyInfo
+     */
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
+                                                tmp_buf, c - tmp_buf ) );
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+
+    /*
+     *  Validity ::= SEQUENCE {
+     *       notBefore      Time,
+     *       notAfter       Time }
+     */
+    sub_len = 0;
+
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+    MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
+                                            MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
+
+    len += sub_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     *  Issuer  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
+
+    /*
+     *  Signature   ::=  AlgorithmIdentifier
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
+                       sig_oid, strlen( sig_oid ), 0 ) );
+
+    /*
+     *  Serial   ::=  INTEGER
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+
+    /* Can be omitted for v1 */
+    if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
+    {
+        sub_len = 0;
+        MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
+        len += sub_len;
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+                                                           MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                       MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     * Make signature
+     */
+    if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
+                            len, hash ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
+                         f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     * Write data to output buffer
+     */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+                                        sig_oid, sig_oid_len, sig, sig_len ) );
+
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    c2 -= len;
+    memcpy( c2, c, len );
+
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+#define PEM_BEGIN_CRT           "-----BEGIN CERTIFICATE-----\n"
+#define PEM_END_CRT             "-----END CERTIFICATE-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
+                                   f_rng, p_rng ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CRT_WRITE_C */
diff --git a/makerom/deps/libmbedtls/src/x509write_csr.c b/makerom/deps/libmbedtls/src/x509write_csr.c
new file mode 100644
index 00000000..7406a975
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/x509write_csr.c
@@ -0,0 +1,302 @@
+/*
+ *  X.509 Certificate Signing Request writing
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * References:
+ * - CSRs: PKCS#10 v1.7 aka RFC 2986
+ * - attributes: PKCS#9 v2.0 aka RFC 2985
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_X509_CSR_WRITE_C)
+
+#include "mbedtls/x509_csr.h"
+#include "mbedtls/oid.h"
+#include "mbedtls/asn1write.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+#include <stdlib.h>
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+#include "mbedtls/pem.h"
+#endif
+
+/*
+ * For the currently used signature algorithms the buffer to store any signature
+ * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
+ */
+#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
+#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
+#else
+#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
+#endif
+
+void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
+}
+
+void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
+{
+    mbedtls_asn1_free_named_data_list( &ctx->subject );
+    mbedtls_asn1_free_named_data_list( &ctx->extensions );
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
+}
+
+void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
+{
+    ctx->md_alg = md_alg;
+}
+
+void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key )
+{
+    ctx->key = key;
+}
+
+int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
+                                    const char *subject_name )
+{
+    return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
+}
+
+int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
+                                 const char *oid, size_t oid_len,
+                                 const unsigned char *val, size_t val_len )
+{
+    return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
+                               0, val, val_len );
+}
+
+static size_t csr_get_unused_bits_for_named_bitstring( unsigned char bitstring,
+                                                       size_t bit_offset )
+{
+    size_t unused_bits;
+
+     /* Count the unused bits removing trailing 0s */
+    for( unused_bits = bit_offset; unused_bits < 8; unused_bits++ )
+        if( ( ( bitstring >> unused_bits ) & 0x1 ) != 0 )
+            break;
+
+     return( unused_bits );
+}
+
+int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = csr_get_unused_bits_for_named_bitstring( key_usage, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c, buf, &key_usage, 8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
+                                       c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
+                                    unsigned char ns_cert_type )
+{
+    unsigned char buf[4];
+    unsigned char *c;
+    size_t unused_bits;
+    int ret;
+
+    c = buf + 4;
+
+    unused_bits = csr_get_unused_bits_for_named_bitstring( ns_cert_type, 0 );
+    ret = mbedtls_asn1_write_bitstring( &c,
+                                        buf,
+                                        &ns_cert_type,
+                                        8 - unused_bits );
+
+    if( ret < 0 )
+        return( ret );
+    else if( ret < 3 || ret > 4 )
+        return( ret );
+
+    ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
+                                       MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
+                                       c, (size_t)ret );
+    if( ret != 0 )
+        return( ret );
+
+    return( 0 );
+}
+
+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    const char *sig_oid;
+    size_t sig_oid_len = 0;
+    unsigned char *c, *c2;
+    unsigned char hash[64];
+    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char tmp_buf[2048];
+    size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
+    size_t len = 0;
+    mbedtls_pk_type_t pk_alg;
+
+    /*
+     * Prepare data to be signed in tmp_buf
+     */
+    c = tmp_buf + sizeof( tmp_buf );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+
+    if( len )
+    {
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SEQUENCE ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SET ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
+                                          MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
+
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+        MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                        MBEDTLS_ASN1_SEQUENCE ) );
+    }
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
+
+    MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
+                                                tmp_buf, c - tmp_buf ) );
+    c -= pub_len;
+    len += pub_len;
+
+    /*
+     *  Subject  ::=  Name
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+
+    /*
+     *  Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+     */
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
+
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                    MBEDTLS_ASN1_SEQUENCE ) );
+
+    /*
+     * Prepare signature
+     */
+    ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
+    if( ret != 0 )
+        return( ret );
+
+    if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
+                                 f_rng, p_rng ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
+        pk_alg = MBEDTLS_PK_RSA;
+    else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
+        pk_alg = MBEDTLS_PK_ECDSA;
+    else
+        return( MBEDTLS_ERR_X509_INVALID_ALG );
+
+    if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
+                                                &sig_oid, &sig_oid_len ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /*
+     * Write data to output buffer
+     */
+    c2 = buf + size;
+    MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
+                                        sig_oid, sig_oid_len, sig, sig_len ) );
+
+    if( len > (size_t)( c2 - buf ) )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
+    c2 -= len;
+    memcpy( c2, c, len );
+
+    len += sig_and_oid_len;
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
+    MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
+                                                 MBEDTLS_ASN1_SEQUENCE ) );
+
+    return( (int) len );
+}
+
+#define PEM_BEGIN_CSR           "-----BEGIN CERTIFICATE REQUEST-----\n"
+#define PEM_END_CSR             "-----END CERTIFICATE REQUEST-----\n"
+
+#if defined(MBEDTLS_PEM_WRITE_C)
+int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
+                       int (*f_rng)(void *, unsigned char *, size_t),
+                       void *p_rng )
+{
+    int ret;
+    unsigned char output_buf[4096];
+    size_t olen = 0;
+
+    if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
+                                   f_rng, p_rng ) ) < 0 )
+    {
+        return( ret );
+    }
+
+    if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
+                                  output_buf + sizeof(output_buf) - ret,
+                                  ret, buf, size, &olen ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_PEM_WRITE_C */
+
+#endif /* MBEDTLS_X509_CSR_WRITE_C */
diff --git a/makerom/deps/libmbedtls/src/xtea.c b/makerom/deps/libmbedtls/src/xtea.c
new file mode 100644
index 00000000..a33707bc
--- /dev/null
+++ b/makerom/deps/libmbedtls/src/xtea.c
@@ -0,0 +1,277 @@
+/*
+ *  An 32-bit implementation of the XTEA algorithm
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_XTEA_C)
+
+#include "mbedtls/xtea.h"
+#include "mbedtls/platform_util.h"
+
+#include <string.h>
+
+#if defined(MBEDTLS_SELF_TEST)
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdio.h>
+#define mbedtls_printf printf
+#endif /* MBEDTLS_PLATFORM_C */
+#endif /* MBEDTLS_SELF_TEST */
+
+#if !defined(MBEDTLS_XTEA_ALT)
+
+/*
+ * 32-bit integer manipulation macros (big endian)
+ */
+#ifndef GET_UINT32_BE
+#define GET_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
+        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
+        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
+        | ( (uint32_t) (b)[(i) + 3]       );            \
+}
+#endif
+
+#ifndef PUT_UINT32_BE
+#define PUT_UINT32_BE(n,b,i)                            \
+{                                                       \
+    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
+    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
+    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
+    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
+}
+#endif
+
+void mbedtls_xtea_init( mbedtls_xtea_context *ctx )
+{
+    memset( ctx, 0, sizeof( mbedtls_xtea_context ) );
+}
+
+void mbedtls_xtea_free( mbedtls_xtea_context *ctx )
+{
+    if( ctx == NULL )
+        return;
+
+    mbedtls_platform_zeroize( ctx, sizeof( mbedtls_xtea_context ) );
+}
+
+/*
+ * XTEA key schedule
+ */
+void mbedtls_xtea_setup( mbedtls_xtea_context *ctx, const unsigned char key[16] )
+{
+    int i;
+
+    memset( ctx, 0, sizeof(mbedtls_xtea_context) );
+
+    for( i = 0; i < 4; i++ )
+    {
+        GET_UINT32_BE( ctx->k[i], key, i << 2 );
+    }
+}
+
+/*
+ * XTEA encrypt function
+ */
+int mbedtls_xtea_crypt_ecb( mbedtls_xtea_context *ctx, int mode,
+                    const unsigned char input[8], unsigned char output[8])
+{
+    uint32_t *k, v0, v1, i;
+
+    k = ctx->k;
+
+    GET_UINT32_BE( v0, input, 0 );
+    GET_UINT32_BE( v1, input, 4 );
+
+    if( mode == MBEDTLS_XTEA_ENCRYPT )
+    {
+        uint32_t sum = 0, delta = 0x9E3779B9;
+
+        for( i = 0; i < 32; i++ )
+        {
+            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+            sum += delta;
+            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
+        }
+    }
+    else /* MBEDTLS_XTEA_DECRYPT */
+    {
+        uint32_t delta = 0x9E3779B9, sum = delta * 32;
+
+        for( i = 0; i < 32; i++ )
+        {
+            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum>>11) & 3]);
+            sum -= delta;
+            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
+        }
+    }
+
+    PUT_UINT32_BE( v0, output, 0 );
+    PUT_UINT32_BE( v1, output, 4 );
+
+    return( 0 );
+}
+
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+/*
+ * XTEA-CBC buffer encryption/decryption
+ */
+int mbedtls_xtea_crypt_cbc( mbedtls_xtea_context *ctx, int mode, size_t length,
+                    unsigned char iv[8], const unsigned char *input,
+                    unsigned char *output)
+{
+    int i;
+    unsigned char temp[8];
+
+    if( length % 8 )
+        return( MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH );
+
+    if( mode == MBEDTLS_XTEA_DECRYPT )
+    {
+        while( length > 0 )
+        {
+            memcpy( temp, input, 8 );
+            mbedtls_xtea_crypt_ecb( ctx, mode, input, output );
+
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( output[i] ^ iv[i] );
+
+            memcpy( iv, temp, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+    else
+    {
+        while( length > 0 )
+        {
+            for( i = 0; i < 8; i++ )
+                output[i] = (unsigned char)( input[i] ^ iv[i] );
+
+            mbedtls_xtea_crypt_ecb( ctx, mode, output, output );
+            memcpy( iv, output, 8 );
+
+            input  += 8;
+            output += 8;
+            length -= 8;
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_CBC */
+#endif /* !MBEDTLS_XTEA_ALT */
+
+#if defined(MBEDTLS_SELF_TEST)
+
+/*
+ * XTEA tests vectors (non-official)
+ */
+
+static const unsigned char xtea_test_key[6][16] =
+{
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+     0x0c, 0x0d, 0x0e, 0x0f },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 },
+   { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+     0x00, 0x00, 0x00, 0x00 }
+};
+
+static const unsigned char xtea_test_pt[6][8] =
+{
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x5a, 0x5b, 0x6e, 0x27, 0x89, 0x48, 0xd7, 0x7f },
+    { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0x70, 0xe1, 0x22, 0x5d, 0x6e, 0x4e, 0x76, 0x55 }
+};
+
+static const unsigned char xtea_test_ct[6][8] =
+{
+    { 0x49, 0x7d, 0xf3, 0xd0, 0x72, 0x61, 0x2c, 0xb5 },
+    { 0xe7, 0x8f, 0x2d, 0x13, 0x74, 0x43, 0x41, 0xd8 },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 },
+    { 0xa0, 0x39, 0x05, 0x89, 0xf8, 0xb8, 0xef, 0xa5 },
+    { 0xed, 0x23, 0x37, 0x5a, 0x82, 0x1a, 0x8c, 0x2d },
+    { 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 }
+};
+
+/*
+ * Checkup routine
+ */
+int mbedtls_xtea_self_test( int verbose )
+{
+    int i, ret = 0;
+    unsigned char buf[8];
+    mbedtls_xtea_context ctx;
+
+    mbedtls_xtea_init( &ctx );
+    for( i = 0; i < 6; i++ )
+    {
+        if( verbose != 0 )
+            mbedtls_printf( "  XTEA test #%d: ", i + 1 );
+
+        memcpy( buf, xtea_test_pt[i], 8 );
+
+        mbedtls_xtea_setup( &ctx, xtea_test_key[i] );
+        mbedtls_xtea_crypt_ecb( &ctx, MBEDTLS_XTEA_ENCRYPT, buf, buf );
+
+        if( memcmp( buf, xtea_test_ct[i], 8 ) != 0 )
+        {
+            if( verbose != 0 )
+                mbedtls_printf( "failed\n" );
+
+            ret = 1;
+            goto exit;
+        }
+
+        if( verbose != 0 )
+            mbedtls_printf( "passed\n" );
+    }
+
+    if( verbose != 0 )
+        mbedtls_printf( "\n" );
+
+exit:
+    mbedtls_xtea_free( &ctx );
+
+    return( ret );
+}
+
+#endif /* MBEDTLS_SELF_TEST */
+
+#endif /* MBEDTLS_XTEA_C */
diff --git a/makerom/libyaml/LICENSE b/makerom/deps/libyaml/LICENSE
similarity index 100%
rename from makerom/libyaml/LICENSE
rename to makerom/deps/libyaml/LICENSE
diff --git a/makerom/libyaml/yaml.h b/makerom/deps/libyaml/include/libyaml/yaml.h
similarity index 100%
rename from makerom/libyaml/yaml.h
rename to makerom/deps/libyaml/include/libyaml/yaml.h
diff --git a/makerom/deps/libyaml/makefile b/makerom/deps/libyaml/makefile
new file mode 100644
index 00000000..785e3b8a
--- /dev/null
+++ b/makerom/deps/libyaml/makefile
@@ -0,0 +1,185 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 7 (20220416)
+
+# Project Name
+PROJECT_NAME = libyaml
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Project Dependencies
+PROJECT_DEPEND = 
+PROJECT_DEPEND_LOCAL_DIR = 
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB +=
+	ARFLAGS = rc
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building source as a static library
+#	- 'program' for building source as executable program
+#	- 'test_program' for building the test program
+# test_program can be used with program or static_lib, but program and static_lib cannot be used together
+all: static_lib
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/makerom/libyaml/api.c b/makerom/deps/libyaml/src/api.c
similarity index 99%
rename from makerom/libyaml/api.c
rename to makerom/deps/libyaml/src/api.c
index d2c13d34..2f3c142e 100644
--- a/makerom/libyaml/api.c
+++ b/makerom/deps/libyaml/src/api.c
@@ -1,4 +1,4 @@
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * Get the library titleVersion.
diff --git a/makerom/libyaml/dumper.c b/makerom/deps/libyaml/src/dumper.c
similarity index 99%
rename from makerom/libyaml/dumper.c
rename to makerom/deps/libyaml/src/dumper.c
index 4f89ab1d..6c2ae6c2 100644
--- a/makerom/libyaml/dumper.c
+++ b/makerom/deps/libyaml/src/dumper.c
@@ -1,5 +1,5 @@
 
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * API functions.
diff --git a/makerom/libyaml/emitter.c b/makerom/deps/libyaml/src/emitter.c
similarity index 99%
rename from makerom/libyaml/emitter.c
rename to makerom/deps/libyaml/src/emitter.c
index 5beab1fa..3539d3b6 100644
--- a/makerom/libyaml/emitter.c
+++ b/makerom/deps/libyaml/src/emitter.c
@@ -1,5 +1,5 @@
 
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * Flush the buffer if needed.
diff --git a/makerom/libyaml/loader.c b/makerom/deps/libyaml/src/loader.c
similarity index 99%
rename from makerom/libyaml/loader.c
rename to makerom/deps/libyaml/src/loader.c
index b3bdf253..321155ed 100644
--- a/makerom/libyaml/loader.c
+++ b/makerom/deps/libyaml/src/loader.c
@@ -1,5 +1,5 @@
 
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * API functions.
diff --git a/makerom/libyaml/parser.c b/makerom/deps/libyaml/src/parser.c
similarity index 99%
rename from makerom/libyaml/parser.c
rename to makerom/deps/libyaml/src/parser.c
index 0649d852..8f44086c 100644
--- a/makerom/libyaml/parser.c
+++ b/makerom/deps/libyaml/src/parser.c
@@ -39,7 +39,7 @@
  * flow_mapping_entry   ::= flow_node | KEY flow_node? (VALUE flow_node?)?
  */
 
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * Peek the next token in the token queue.
diff --git a/makerom/libyaml/reader.c b/makerom/deps/libyaml/src/reader.c
similarity index 99%
rename from makerom/libyaml/reader.c
rename to makerom/deps/libyaml/src/reader.c
index e7ab27ac..829e32da 100644
--- a/makerom/libyaml/reader.c
+++ b/makerom/deps/libyaml/src/reader.c
@@ -1,5 +1,5 @@
 
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * Declarations.
diff --git a/makerom/libyaml/scanner.c b/makerom/deps/libyaml/src/scanner.c
similarity index 99%
rename from makerom/libyaml/scanner.c
rename to makerom/deps/libyaml/src/scanner.c
index 0ed7c7bb..6ddf0181 100644
--- a/makerom/libyaml/scanner.c
+++ b/makerom/deps/libyaml/src/scanner.c
@@ -475,7 +475,7 @@
  *      BLOCK-END
  */
 
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * Ensure that the buffer contains the required number of characters.
diff --git a/makerom/libyaml/writer.c b/makerom/deps/libyaml/src/writer.c
similarity index 99%
rename from makerom/libyaml/writer.c
rename to makerom/deps/libyaml/src/writer.c
index 7fc4754d..b90019f5 100644
--- a/makerom/libyaml/writer.c
+++ b/makerom/deps/libyaml/src/writer.c
@@ -1,5 +1,5 @@
 
-#include "libyaml/yaml_private.h"
+#include "yaml_private.h"
 
 /*
  * Declarations.
diff --git a/makerom/libyaml/yaml_private.h b/makerom/deps/libyaml/src/yaml_private.h
similarity index 99%
rename from makerom/libyaml/yaml_private.h
rename to makerom/deps/libyaml/src/yaml_private.h
index 92bf799c..c9d56160 100644
--- a/makerom/libyaml/yaml_private.h
+++ b/makerom/deps/libyaml/src/yaml_private.h
@@ -3,7 +3,7 @@
 #include <config.h>
 #endif
 
-#include "libyaml/yaml.h"
+#include <libyaml/yaml.h>
 
 #include <assert.h>
 #include <limits.h>
diff --git a/makerom/makefile b/makerom/makefile
new file mode 100644
index 00000000..de32f586
--- /dev/null
+++ b/makerom/makefile
@@ -0,0 +1,185 @@
+# C++/C Recursive Project Makefile 
+# (c) Jack
+# Version 7 (20220416)
+
+# Project Name
+PROJECT_NAME = makerom
+
+# Project Relative Paths
+PROJECT_PATH = $(CURDIR)
+PROJECT_SRC_PATH = src
+PROJECT_SRC_SUBDIRS = $(PROJECT_SRC_PATH)
+#PROJECT_INCLUDE_PATH = include
+#PROJECT_TESTSRC_PATH = test
+#PROJECT_TESTSRC_SUBDIRS = $(PROJECT_TESTSRC_PATH)
+PROJECT_BIN_PATH = bin
+#PROJECT_DOCS_PATH = docs
+#PROJECT_DOXYFILE_PATH = Doxyfile
+
+# Determine if the root makefile has been established, and if not establish this makefile as the root makefile
+ifeq ($(ROOT_PROJECT_NAME),)
+	export ROOT_PROJECT_NAME = $(PROJECT_NAME)
+	export ROOT_PROJECT_PATH = $(PROJECT_PATH)
+	export ROOT_PROJECT_DEPENDENCY_PATH = $(ROOT_PROJECT_PATH)/deps
+endif
+
+# Project Dependencies
+PROJECT_DEPEND = mbedtls blz yaml
+PROJECT_DEPEND_LOCAL_DIR = libmbedtls libblz libyaml
+
+# Generate compiler flags for including project include path
+ifneq ($(PROJECT_INCLUDE_PATH),)
+	INC += -I"$(PROJECT_INCLUDE_PATH)"
+endif
+
+# Generate compiler flags for local included dependencies
+ifneq ($(PROJECT_DEPEND_LOCAL_DIR),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -L"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/bin")
+	INC += $(foreach dep,$(PROJECT_DEPEND_LOCAL_DIR), -I"$(ROOT_PROJECT_DEPENDENCY_PATH)/$(dep)/include")
+endif
+
+# Generate compiler flags for external dependencies
+ifneq ($(PROJECT_DEPEND),)
+	LIB += $(foreach dep,$(PROJECT_DEPEND), -l$(dep))
+endif
+
+# Detect Platform
+ifeq ($(PROJECT_PLATFORM),)
+	ifeq ($(OS), Windows_NT)
+		export PROJECT_PLATFORM = WIN32
+	else
+		UNAME = $(shell uname -s)
+		ifeq ($(UNAME), Darwin)
+			export PROJECT_PLATFORM = MACOS
+		else
+			export PROJECT_PLATFORM = GNU
+		endif
+	endif
+endif
+
+# Detect Architecture
+ifeq ($(PROJECT_PLATFORM_ARCH),)
+	ifeq ($(PROJECT_PLATFORM), WIN32)
+		export PROJECT_PLATFORM_ARCH = x86_64
+	else ifeq ($(PROJECT_PLATFORM), GNU)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else ifeq ($(PROJECT_PLATFORM), MACOS)
+		export PROJECT_PLATFORM_ARCH = $(shell uname -m)
+	else
+		export PROJECT_PLATFORM_ARCH = x86_64
+	endif
+endif
+
+# Generate platform specific compiler flags
+ifeq ($(PROJECT_PLATFORM), WIN32)
+	# Windows Flags/Libs
+	CC = x86_64-w64-mingw32-gcc
+	CXX = x86_64-w64-mingw32-g++
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB += -static
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), GNU)
+	# GNU/Linux Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
+	ARCHFLAGS =
+	INC +=
+	LIB +=
+	ARFLAGS = cr -o
+else ifeq ($(PROJECT_PLATFORM), MACOS)
+	# MacOS Flags/Libs
+	#CC = 
+	#CXX =
+	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
+	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
+	INC +=
+	LIB += -liconv
+	ARFLAGS = rc
+endif
+
+# Compiler Flags
+CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+
+# Object Files
+SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+TESTSRC_OBJ = $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_TESTSRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
+
+# all is the default, user should specify what the default should do
+#	- 'static_lib' for building source as a static library
+#	- 'program' for building source as executable program
+#	- 'test_program' for building the test program
+# test_program can be used with program or static_lib, but program and static_lib cannot be used together
+all: program
+	
+clean: clean_object_files remove_binary_dir
+
+# Object Compile Rules
+%.o: %.c
+	@echo CC $<
+	@$(CC) $(CFLAGS) -c $< -o $@ 
+
+%.o: %.cpp
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+%.o: %.cc
+	@echo CXX $<
+	@$(CXX) $(CXXFLAGS) -c $< -o $@ 
+
+# Binary Directory
+.PHONY: create_binary_dir
+create_binary_dir:
+	@mkdir -p "$(PROJECT_BIN_PATH)"
+
+.PHONY: remove_binary_dir
+remove_binary_dir:
+ifneq ($(PROJECT_BIN_PATH),)
+	@rm -rf "$(PROJECT_BIN_PATH)"
+endif
+
+.PHONY: clean_object_files
+clean_object_files:
+	@rm -f $(SRC_OBJ) $(TESTSRC_OBJ)
+
+# Build Library
+static_lib: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME).a
+	@ar $(ARFLAGS) "$(PROJECT_BIN_PATH)/$(PROJECT_NAME).a" $(SRC_OBJ)
+
+# Build Program
+program: $(SRC_OBJ) create_binary_dir
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)
+	@$(CXX) $(ARCHFLAGS) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)"
+
+# Build Test Program
+test_program: $(TESTSRC_OBJ) $(SRC_OBJ) create_binary_dir
+ifneq ($(PROJECT_TESTSRC_PATH),)
+	@echo LINK $(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test
+	@$(CXX) $(ARCHFLAGS) $(TESTSRC_OBJ) $(SRC_OBJ) $(LIB) -o "$(PROJECT_BIN_PATH)/$(PROJECT_NAME)_test"
+endif
+
+# Documentation
+.PHONY: docs
+docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	doxygen "$(PROJECT_DOXYFILE_PATH)"
+endif
+
+.PHONY: clean_docs
+clean_docs:
+ifneq ($(PROJECT_DOCS_PATH),)
+	@rm -rf "$(PROJECT_DOCS_PATH)"
+endif
+
+# Dependencies
+.PHONY: deps
+deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) static_lib && cd "$(PROJECT_PATH)";)
+
+.PHONY: clean_deps
+clean_deps:
+	@$(foreach lib,$(PROJECT_DEPEND_LOCAL_DIR), cd "$(ROOT_PROJECT_DEPENDENCY_PATH)/$(lib)" && $(MAKE) clean && cd "$(PROJECT_PATH)";)
\ No newline at end of file
diff --git a/makerom/polarssl/aes.c b/makerom/polarssl/aes.c
deleted file mode 100644
index 7c1f0fd1..00000000
--- a/makerom/polarssl/aes.c
+++ /dev/null
@@ -1,1352 +0,0 @@
-/*
- *  FIPS-197 compliant AES implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
- *
- *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
- *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_AES_C)
-
-#include "polarssl/aes.h"
-#if defined(POLARSSL_PADLOCK_C)
-#include "polarssl/padlock.h"
-#endif
-
-#if !defined(POLARSSL_AES_ALT)
-
-/*
- * 32-bit integer manipulation macros (little endian)
- */
-#ifndef GET_UINT32_LE
-#define GET_UINT32_LE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ]       )             \
-        | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 2] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 3] << 24 );            \
-}
-#endif
-
-#ifndef PUT_UINT32_LE
-#define PUT_UINT32_LE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n)       );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
-}
-#endif
-
-#if defined(POLARSSL_PADLOCK_C) &&                      \
-    ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
-static int aes_padlock_ace = -1;
-#endif
-
-#if defined(POLARSSL_AES_ROM_TABLES)
-/*
- * Forward S-box
- */
-static const unsigned char FSb[256] =
-{
-    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
-    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
-    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
-    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
-    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
-    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
-    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
-    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
-    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
-    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
-    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
-    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
-    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
-    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
-    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
-    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
-    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
-    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
-    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
-    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
-    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
-    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
-    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
-    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
-    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
-    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
-    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
-    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
-    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
-    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
-    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
-    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
-};
-
-/*
- * Forward tables
- */
-#define FT \
-\
-    V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
-    V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
-    V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
-    V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
-    V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
-    V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
-    V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
-    V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
-    V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
-    V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
-    V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
-    V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
-    V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
-    V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
-    V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
-    V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
-    V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
-    V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
-    V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
-    V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
-    V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
-    V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
-    V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
-    V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
-    V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
-    V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
-    V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
-    V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
-    V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
-    V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
-    V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
-    V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
-    V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
-    V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
-    V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
-    V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
-    V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
-    V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
-    V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
-    V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
-    V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
-    V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
-    V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
-    V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
-    V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
-    V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
-    V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
-    V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
-    V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
-    V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
-    V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
-    V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
-    V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
-    V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
-    V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
-    V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
-    V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
-    V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
-    V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
-    V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
-    V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
-    V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
-    V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
-    V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
-
-#define V(a,b,c,d) 0x##a##b##c##d
-static const uint32_t FT0[256] = { FT };
-#undef V
-
-#define V(a,b,c,d) 0x##b##c##d##a
-static const uint32_t FT1[256] = { FT };
-#undef V
-
-#define V(a,b,c,d) 0x##c##d##a##b
-static const uint32_t FT2[256] = { FT };
-#undef V
-
-#define V(a,b,c,d) 0x##d##a##b##c
-static const uint32_t FT3[256] = { FT };
-#undef V
-
-#undef FT
-
-/*
- * Reverse S-box
- */
-static const unsigned char RSb[256] =
-{
-    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
-    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
-    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
-    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
-    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
-    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
-    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
-    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
-    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
-    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
-    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
-    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
-    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
-    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
-    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
-    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
-    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
-    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
-    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
-    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
-    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
-    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
-    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
-    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
-    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
-    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
-    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
-    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
-    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
-    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
-    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
-    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
-};
-
-/*
- * Reverse tables
- */
-#define RT \
-\
-    V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
-    V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
-    V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
-    V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
-    V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
-    V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
-    V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
-    V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
-    V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
-    V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
-    V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
-    V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
-    V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
-    V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
-    V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
-    V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
-    V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
-    V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
-    V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
-    V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
-    V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
-    V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
-    V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
-    V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
-    V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
-    V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
-    V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
-    V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
-    V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
-    V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
-    V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
-    V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
-    V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
-    V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
-    V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
-    V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
-    V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
-    V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
-    V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
-    V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
-    V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
-    V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
-    V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
-    V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
-    V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
-    V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
-    V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
-    V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
-    V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
-    V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
-    V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
-    V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
-    V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
-    V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
-    V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
-    V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
-    V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
-    V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
-    V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
-    V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
-    V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
-    V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
-    V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
-    V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
-
-#define V(a,b,c,d) 0x##a##b##c##d
-static const uint32_t RT0[256] = { RT };
-#undef V
-
-#define V(a,b,c,d) 0x##b##c##d##a
-static const uint32_t RT1[256] = { RT };
-#undef V
-
-#define V(a,b,c,d) 0x##c##d##a##b
-static const uint32_t RT2[256] = { RT };
-#undef V
-
-#define V(a,b,c,d) 0x##d##a##b##c
-static const uint32_t RT3[256] = { RT };
-#undef V
-
-#undef RT
-
-/*
- * Round constants
- */
-static const uint32_t RCON[10] =
-{
-    0x00000001, 0x00000002, 0x00000004, 0x00000008,
-    0x00000010, 0x00000020, 0x00000040, 0x00000080,
-    0x0000001B, 0x00000036
-};
-
-#else
-
-/*
- * Forward S-box & tables
- */
-static unsigned char FSb[256];
-static uint32_t FT0[256]; 
-static uint32_t FT1[256]; 
-static uint32_t FT2[256]; 
-static uint32_t FT3[256]; 
-
-/*
- * Reverse S-box & tables
- */
-static unsigned char RSb[256];
-static uint32_t RT0[256];
-static uint32_t RT1[256];
-static uint32_t RT2[256];
-static uint32_t RT3[256];
-
-/*
- * Round constants
- */
-static uint32_t RCON[10];
-
-/*
- * Tables generation code
- */
-#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
-#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
-#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
-
-static int aes_init_done = 0;
-
-static void aes_gen_tables( void )
-{
-    int i, x, y, z;
-    int pow[256];
-    int log[256];
-
-    /*
-     * compute pow and log tables over GF(2^8)
-     */
-    for( i = 0, x = 1; i < 256; i++ )
-    {
-        pow[i] = x;
-        log[x] = i;
-        x = ( x ^ XTIME( x ) ) & 0xFF;
-    }
-
-    /*
-     * calculate the round constants
-     */
-    for( i = 0, x = 1; i < 10; i++ )
-    {
-        RCON[i] = (uint32_t) x;
-        x = XTIME( x ) & 0xFF;
-    }
-
-    /*
-     * generate the forward and reverse S-boxes
-     */
-    FSb[0x00] = 0x63;
-    RSb[0x63] = 0x00;
-
-    for( i = 1; i < 256; i++ )
-    {
-        x = pow[255 - log[i]];
-
-        y  = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
-        x ^= y ^ 0x63;
-
-        FSb[i] = (unsigned char) x;
-        RSb[x] = (unsigned char) i;
-    }
-
-    /*
-     * generate the forward and reverse tables
-     */
-    for( i = 0; i < 256; i++ )
-    {
-        x = FSb[i];
-        y = XTIME( x ) & 0xFF;
-        z =  ( y ^ x ) & 0xFF;
-
-        FT0[i] = ( (uint32_t) y       ) ^
-                 ( (uint32_t) x <<  8 ) ^
-                 ( (uint32_t) x << 16 ) ^
-                 ( (uint32_t) z << 24 );
-
-        FT1[i] = ROTL8( FT0[i] );
-        FT2[i] = ROTL8( FT1[i] );
-        FT3[i] = ROTL8( FT2[i] );
-
-        x = RSb[i];
-
-        RT0[i] = ( (uint32_t) MUL( 0x0E, x )       ) ^
-                 ( (uint32_t) MUL( 0x09, x ) <<  8 ) ^
-                 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
-                 ( (uint32_t) MUL( 0x0B, x ) << 24 );
-
-        RT1[i] = ROTL8( RT0[i] );
-        RT2[i] = ROTL8( RT1[i] );
-        RT3[i] = ROTL8( RT2[i] );
-    }
-}
-
-#endif
-
-/*
- * AES key schedule (encryption)
- */
-int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
-{
-    unsigned int i;
-    uint32_t *RK;
-
-#if !defined(POLARSSL_AES_ROM_TABLES)
-    if( aes_init_done == 0 )
-    {
-        aes_gen_tables();
-        aes_init_done = 1;
-
-    }
-#endif
-
-    switch( keysize )
-    {
-        case 128: ctx->nr = 10; break;
-        case 192: ctx->nr = 12; break;
-        case 256: ctx->nr = 14; break;
-        default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
-    }
-
-#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
-    if( aes_padlock_ace == -1 )
-        aes_padlock_ace = padlock_supports( PADLOCK_ACE );
-
-    if( aes_padlock_ace )
-        ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
-    else
-#endif
-    ctx->rk = RK = ctx->buf;
-
-    for( i = 0; i < (keysize >> 5); i++ )
-    {
-        GET_UINT32_LE( RK[i], key, i << 2 );
-    }
-
-    switch( ctx->nr )
-    {
-        case 10:
-
-            for( i = 0; i < 10; i++, RK += 4 )
-            {
-                RK[4]  = RK[0] ^ RCON[i] ^
-                ( (uint32_t) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
-
-                RK[5]  = RK[1] ^ RK[4];
-                RK[6]  = RK[2] ^ RK[5];
-                RK[7]  = RK[3] ^ RK[6];
-            }
-            break;
-
-        case 12:
-
-            for( i = 0; i < 8; i++, RK += 6 )
-            {
-                RK[6]  = RK[0] ^ RCON[i] ^
-                ( (uint32_t) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
-
-                RK[7]  = RK[1] ^ RK[6];
-                RK[8]  = RK[2] ^ RK[7];
-                RK[9]  = RK[3] ^ RK[8];
-                RK[10] = RK[4] ^ RK[9];
-                RK[11] = RK[5] ^ RK[10];
-            }
-            break;
-
-        case 14:
-
-            for( i = 0; i < 7; i++, RK += 8 )
-            {
-                RK[8]  = RK[0] ^ RCON[i] ^
-                ( (uint32_t) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
-
-                RK[9]  = RK[1] ^ RK[8];
-                RK[10] = RK[2] ^ RK[9];
-                RK[11] = RK[3] ^ RK[10];
-
-                RK[12] = RK[4] ^
-                ( (uint32_t) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
-
-                RK[13] = RK[5] ^ RK[12];
-                RK[14] = RK[6] ^ RK[13];
-                RK[15] = RK[7] ^ RK[14];
-            }
-            break;
-
-        default:
-
-            break;
-    }
-
-    return( 0 );
-}
-
-/*
- * AES key schedule (decryption)
- */
-int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
-{
-    int i, j;
-    aes_context cty;
-    uint32_t *RK;
-    uint32_t *SK;
-    int ret;
-
-    switch( keysize )
-    {
-        case 128: ctx->nr = 10; break;
-        case 192: ctx->nr = 12; break;
-        case 256: ctx->nr = 14; break;
-        default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
-    }
-
-#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
-    if( aes_padlock_ace == -1 )
-        aes_padlock_ace = padlock_supports( PADLOCK_ACE );
-
-    if( aes_padlock_ace )
-        ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
-    else
-#endif
-    ctx->rk = RK = ctx->buf;
-
-    ret = aes_setkey_enc( &cty, key, keysize );
-    if( ret != 0 )
-        return( ret );
-
-    SK = cty.rk + cty.nr * 4;
-
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-
-    for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
-    {
-        for( j = 0; j < 4; j++, SK++ )
-        {
-            *RK++ = RT0[ FSb[ ( *SK       ) & 0xFF ] ] ^
-                    RT1[ FSb[ ( *SK >>  8 ) & 0xFF ] ] ^
-                    RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
-                    RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
-        }
-    }
-
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-    *RK++ = *SK++;
-
-    memset( &cty, 0, sizeof( aes_context ) );
-
-    return( 0 );
-}
-
-#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
-{                                               \
-    X0 = *RK++ ^ FT0[ ( Y0       ) & 0xFF ] ^   \
-                 FT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y3 >> 24 ) & 0xFF ];    \
-                                                \
-    X1 = *RK++ ^ FT0[ ( Y1       ) & 0xFF ] ^   \
-                 FT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y0 >> 24 ) & 0xFF ];    \
-                                                \
-    X2 = *RK++ ^ FT0[ ( Y2       ) & 0xFF ] ^   \
-                 FT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y1 >> 24 ) & 0xFF ];    \
-                                                \
-    X3 = *RK++ ^ FT0[ ( Y3       ) & 0xFF ] ^   \
-                 FT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
-                 FT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
-                 FT3[ ( Y2 >> 24 ) & 0xFF ];    \
-}
-
-#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
-{                                               \
-    X0 = *RK++ ^ RT0[ ( Y0       ) & 0xFF ] ^   \
-                 RT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y1 >> 24 ) & 0xFF ];    \
-                                                \
-    X1 = *RK++ ^ RT0[ ( Y1       ) & 0xFF ] ^   \
-                 RT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y2 >> 24 ) & 0xFF ];    \
-                                                \
-    X2 = *RK++ ^ RT0[ ( Y2       ) & 0xFF ] ^   \
-                 RT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y3 >> 24 ) & 0xFF ];    \
-                                                \
-    X3 = *RK++ ^ RT0[ ( Y3       ) & 0xFF ] ^   \
-                 RT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
-                 RT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
-                 RT3[ ( Y0 >> 24 ) & 0xFF ];    \
-}
-
-/*
- * AES-ECB block encryption/decryption
- */
-int aes_crypt_ecb( aes_context *ctx,
-                    int mode,
-                    const unsigned char input[16],
-                    unsigned char output[16] )
-{
-    int i;
-    uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
-
-#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
-    if( aes_padlock_ace )
-    {
-        if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
-            return( 0 );
-
-        // If padlock data misaligned, we just fall back to
-        // unaccelerated mode
-        //
-    }
-#endif
-
-    RK = ctx->rk;
-
-    GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
-    GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
-    GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
-    GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
-
-    if( mode == AES_DECRYPT )
-    {
-        for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
-        {
-            AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-            AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
-        }
-
-        AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-
-        X0 = *RK++ ^ \
-                ( (uint32_t) RSb[ ( Y0       ) & 0xFF ]       ) ^
-                ( (uint32_t) RSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
-
-        X1 = *RK++ ^ \
-                ( (uint32_t) RSb[ ( Y1       ) & 0xFF ]       ) ^
-                ( (uint32_t) RSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
-
-        X2 = *RK++ ^ \
-                ( (uint32_t) RSb[ ( Y2       ) & 0xFF ]       ) ^
-                ( (uint32_t) RSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
-
-        X3 = *RK++ ^ \
-                ( (uint32_t) RSb[ ( Y3       ) & 0xFF ]       ) ^
-                ( (uint32_t) RSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
-    }
-    else /* AES_ENCRYPT */
-    {
-        for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
-        {
-            AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-            AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
-        }
-
-        AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
-
-        X0 = *RK++ ^ \
-                ( (uint32_t) FSb[ ( Y0       ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
-
-        X1 = *RK++ ^ \
-                ( (uint32_t) FSb[ ( Y1       ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
-
-        X2 = *RK++ ^ \
-                ( (uint32_t) FSb[ ( Y2       ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
-
-        X3 = *RK++ ^ \
-                ( (uint32_t) FSb[ ( Y3       ) & 0xFF ]       ) ^
-                ( (uint32_t) FSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
-                ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
-                ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
-    }
-
-    PUT_UINT32_LE( X0, output,  0 );
-    PUT_UINT32_LE( X1, output,  4 );
-    PUT_UINT32_LE( X2, output,  8 );
-    PUT_UINT32_LE( X3, output, 12 );
-
-    return( 0 );
-}
-
-/*
- * AES-CBC buffer encryption/decryption
- */
-int aes_crypt_cbc( aes_context *ctx,
-                    int mode,
-                    uint64_t length,
-                    unsigned char iv[16],
-                    const unsigned char *input,
-                    unsigned char *output )
-{
-    int i;
-    unsigned char temp[16];
-
-    if( length % 16 )
-        return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
-
-#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
-    if( aes_padlock_ace )
-    {
-        if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
-            return( 0 );
-        
-        // If padlock data misaligned, we just fall back to
-        // unaccelerated mode
-        //
-    }
-#endif
-
-    if( mode == AES_DECRYPT )
-    {
-        while( length > 0 )
-        {
-            memcpy( temp, input, 16 );
-            aes_crypt_ecb( ctx, mode, input, output );
-
-            for( i = 0; i < 16; i++ )
-                output[i] = (unsigned char)( output[i] ^ iv[i] );
-
-            memcpy( iv, temp, 16 );
-
-            input  += 16;
-            output += 16;
-            length -= 16;
-        }
-    }
-    else
-    {
-        while( length > 0 )
-        {
-            for( i = 0; i < 16; i++ )
-                output[i] = (unsigned char)( input[i] ^ iv[i] );
-
-            aes_crypt_ecb( ctx, mode, output, output );
-            memcpy( iv, output, 16 );
-
-            input  += 16;
-            output += 16;
-            length -= 16;
-        }
-    }
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-/*
- * AES-CFB128 buffer encryption/decryption
- */
-int aes_crypt_cfb128( aes_context *ctx,
-                       int mode,
-                       uint64_t length,
-                       size_t *iv_off,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int c;
-	size_t n = *iv_off;
-
-    if( mode == AES_DECRYPT )
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
-
-            c = *input++;
-            *output++ = (unsigned char)( c ^ iv[n] );
-            iv[n] = (unsigned char) c;
-
-            n = (n + 1) & 0x0F;
-        }
-    }
-    else
-    {
-        while( length-- )
-        {
-            if( n == 0 )
-                aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
-
-            iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
-
-            n = (n + 1) & 0x0F;
-        }
-    }
-
-    *iv_off = n;
-
-    return( 0 );
-}
-#endif /*POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-/*
- * AES-CTR buffer encryption/decryption
- */
-int aes_crypt_ctr( aes_context *ctx,
-                       uint64_t length,
-                       size_t *nc_off,
-                       unsigned char nonce_counter[16],
-                       unsigned char stream_block[16],
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    int c, i;
-    size_t n = *nc_off;
-
-    while( length-- )
-    {
-        if( n == 0 ) {
-            aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
-
-            for( i = 16; i > 0; i-- )
-                if( ++nonce_counter[i - 1] != 0 )
-                    break;
-        }
-        c = *input++;
-        *output++ = (unsigned char)( c ^ stream_block[n] );
-
-        n = (n + 1) & 0x0F;
-    }
-
-    *nc_off = n;
-
-    return( 0 );
-}
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-#endif /* !POLARSSL_AES_ALT */
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include <stdio.h>
-
-/*
- * AES test vectors from:
- *
- * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
- */
-static const unsigned char aes_test_ecb_dec[3][16] =
-{
-    { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
-      0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
-    { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
-      0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
-    { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
-      0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
-};
-
-static const unsigned char aes_test_ecb_enc[3][16] =
-{
-    { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
-      0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
-    { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
-      0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
-    { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
-      0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
-};
-
-static const unsigned char aes_test_cbc_dec[3][16] =
-{
-    { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
-      0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
-    { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
-      0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
-    { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
-      0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
-};
-
-static const unsigned char aes_test_cbc_enc[3][16] =
-{
-    { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
-      0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
-    { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
-      0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
-    { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
-      0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
-};
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-/*
- * AES-CFB128 test vectors from:
- *
- * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
- */
-static const unsigned char aes_test_cfb128_key[3][32] =
-{
-    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
-      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
-    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
-      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
-      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
-    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
-      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
-      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
-      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
-};
-
-static const unsigned char aes_test_cfb128_iv[16] =
-{
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
-};
-
-static const unsigned char aes_test_cfb128_pt[64] =
-{
-    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
-    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
-    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
-    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
-    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
-    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
-    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
-    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
-};
-
-static const unsigned char aes_test_cfb128_ct[3][64] =
-{
-    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
-      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
-      0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
-      0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
-      0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
-      0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
-      0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
-      0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
-    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
-      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
-      0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
-      0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
-      0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
-      0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
-      0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
-      0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
-    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
-      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
-      0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
-      0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
-      0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
-      0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
-      0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
-      0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
-};
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-/*
- * AES-CTR test vectors from:
- *
- * http://www.faqs.org/rfcs/rfc3686.html
- */
-
-static const unsigned char aes_test_ctr_key[3][16] =
-{
-    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
-      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
-    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
-      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
-    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
-      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
-};
-
-static const unsigned char aes_test_ctr_nonce_counter[3][16] =
-{
-    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
-    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
-      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
-    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
-      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
-};
-
-static const unsigned char aes_test_ctr_pt[3][48] =
-{
-    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
-      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
-
-    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
-      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
-
-    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
-      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
-      0x20, 0x21, 0x22, 0x23 }
-};
-
-static const unsigned char aes_test_ctr_ct[3][48] =
-{
-    { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
-      0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
-    { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
-      0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
-      0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
-      0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
-    { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
-      0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
-      0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
-      0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
-      0x25, 0xB2, 0x07, 0x2F }
-};
-
-static const int aes_test_ctr_len[3] =
-    { 16, 32, 36 };
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-/*
- * Checkup routine
- */
-int aes_self_test( int verbose )
-{
-    int i, j, u, v;
-    unsigned char key[32];
-    unsigned char buf[64];
-    unsigned char prv[16];
-    unsigned char iv[16];
-#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
-    size_t offset;
-#endif
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    int len;
-    unsigned char nonce_counter[16];
-    unsigned char stream_block[16];
-#endif
-    aes_context ctx;
-
-    memset( key, 0, 32 );
-
-    /*
-     * ECB mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  AES-ECB-%3d (%s): ", 128 + u * 64,
-                    ( v == AES_DECRYPT ) ? "dec" : "enc" );
-
-        memset( buf, 0, 16 );
-
-        if( v == AES_DECRYPT )
-        {
-            aes_setkey_dec( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-                aes_crypt_ecb( &ctx, v, buf, buf );
-
-            if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            aes_setkey_enc( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-                aes_crypt_ecb( &ctx, v, buf, buf );
-
-            if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    /*
-     * CBC mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  AES-CBC-%3d (%s): ", 128 + u * 64,
-                    ( v == AES_DECRYPT ) ? "dec" : "enc" );
-
-        memset( iv , 0, 16 );
-        memset( prv, 0, 16 );
-        memset( buf, 0, 16 );
-
-        if( v == AES_DECRYPT )
-        {
-            aes_setkey_dec( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-                aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
-
-            if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            aes_setkey_enc( &ctx, key, 128 + u * 64 );
-
-            for( j = 0; j < 10000; j++ )
-            {
-                unsigned char tmp[16];
-
-                aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
-
-                memcpy( tmp, prv, 16 );
-                memcpy( prv, buf, 16 );
-                memcpy( buf, tmp, 16 );
-            }
-
-            if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-#if defined(POLARSSL_CIPHER_MODE_CFB)
-    /*
-     * CFB128 mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  AES-CFB128-%3d (%s): ", 128 + u * 64,
-                    ( v == AES_DECRYPT ) ? "dec" : "enc" );
-
-        memcpy( iv,  aes_test_cfb128_iv, 16 );
-        memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
-
-        offset = 0;
-        aes_setkey_enc( &ctx, key, 128 + u * 64 );
-
-        if( v == AES_DECRYPT )
-        {
-            memcpy( buf, aes_test_cfb128_ct[u], 64 );
-            aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
-
-            if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            memcpy( buf, aes_test_cfb128_pt, 64 );
-            aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
-
-            if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-#endif /* POLARSSL_CIPHER_MODE_CFB */
-
-#if defined(POLARSSL_CIPHER_MODE_CTR)
-    /*
-     * CTR mode
-     */
-    for( i = 0; i < 6; i++ )
-    {
-        u = i >> 1;
-        v = i  & 1;
-
-        if( verbose != 0 )
-            printf( "  AES-CTR-128 (%s): ",
-                    ( v == AES_DECRYPT ) ? "dec" : "enc" );
-
-        memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
-        memcpy( key, aes_test_ctr_key[u], 16 );
-
-        offset = 0;
-        aes_setkey_enc( &ctx, key, 128 );
-
-        if( v == AES_DECRYPT )
-        {
-            len = aes_test_ctr_len[u];
-            memcpy( buf, aes_test_ctr_ct[u], len );
-
-            aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
-
-            if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-        else
-        {
-            len = aes_test_ctr_len[u];
-            memcpy( buf, aes_test_ctr_pt[u], len );
-
-            aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
-
-            if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
-            {
-                if( verbose != 0 )
-                    printf( "failed\n" );
-
-                return( 1 );
-            }
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-#endif /* POLARSSL_CIPHER_MODE_CTR */
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/aes.h b/makerom/polarssl/aes.h
deleted file mode 100644
index 469bef32..00000000
--- a/makerom/polarssl/aes.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/**
- * \file aes.h
- *
- * \brief AES block cipher
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_AES_H
-#define POLARSSL_AES_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define AES_ENCRYPT     1
-#define AES_DECRYPT     0
-
-#define POLARSSL_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
-#define POLARSSL_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
-
-#if !defined(POLARSSL_AES_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          AES context structure
- */
-typedef struct
-{
-    int nr;                     /*!<  number of rounds  */
-    uint32_t *rk;               /*!<  AES round keys    */
-    uint32_t buf[68];           /*!<  unaligned data    */
-}
-aes_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          AES key schedule (encryption)
- *
- * \param ctx      AES context to be initialized
- * \param key      encryption key
- * \param keysize  must be 128, 192 or 256
- *
- * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_KEY_LENGTH
- */
-int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize );
-
-/**
- * \brief          AES key schedule (decryption)
- *
- * \param ctx      AES context to be initialized
- * \param key      decryption key
- * \param keysize  must be 128, 192 or 256
- *
- * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_KEY_LENGTH
- */
-int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize );
-
-/**
- * \brief          AES-ECB block encryption/decryption
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param input    16-byte input block
- * \param output   16-byte output block
- *
- * \return         0 if successful
- */
-int aes_crypt_ecb( aes_context *ctx,
-                    int mode,
-                    const unsigned char input[16],
-                    unsigned char output[16] );
-
-/**
- * \brief          AES-CBC buffer encryption/decryption
- *                 Length should be a multiple of the block
- *                 size (16 bytes)
- *
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param length   length of the input data
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if successful, or POLARSSL_ERR_AES_INVALID_INPUT_LENGTH
- */
-int aes_crypt_cbc( aes_context *ctx,
-                    int mode,
-                    uint64_t length,
-                    unsigned char iv[16],
-                    const unsigned char *input,
-                    unsigned char *output );
-
-/**
- * \brief          AES-CFB128 buffer encryption/decryption.
- *
- * Note: Due to the nature of CFB you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * aes_setkey_enc() for both AES_ENCRYPT and AES_DECRYPT.
- *
- * both 
- * \param ctx      AES context
- * \param mode     AES_ENCRYPT or AES_DECRYPT
- * \param length   length of the input data
- * \param iv_off   offset in IV (updated after use)
- * \param iv       initialization vector (updated after use)
- * \param input    buffer holding the input data
- * \param output   buffer holding the output data
- *
- * \return         0 if successful
- */
-int aes_crypt_cfb128( aes_context *ctx,
-                       int mode,
-                       uint64_t length,
-                       size_t *iv_off,
-                       unsigned char iv[16],
-                       const unsigned char *input,
-                       unsigned char *output );
-
-/**
- * \brief               AES-CTR buffer encryption/decryption
- *
- * Warning: You have to keep the maximum use of your counter in mind!
- *
- * Note: Due to the nature of CTR you should use the same key schedule for
- * both encryption and decryption. So a context initialized with
- * aes_setkey_enc() for both AES_ENCRYPT and AES_DECRYPT.
- *
- * \param length        The length of the data
- * \param nc_off        The offset in the current stream_block (for resuming
- *                      within current cipher stream). The offset pointer to
- *                      should be 0 at the start of a stream.
- * \param nonce_counter The 128-bit nonce and counter.
- * \param stream_block  The saved stream-block for resuming. Is overwritten
- *                      by the function.
- * \param input         The input data stream
- * \param output        The output data stream
- *
- * \return         0 if successful
- */
-int aes_crypt_ctr( aes_context *ctx,
-                       uint64_t length,
-                       size_t *nc_off,
-                       unsigned char nonce_counter[16],
-                       unsigned char stream_block[16],
-                       const unsigned char *input,
-                       unsigned char *output );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_AES_ALT */
-#include "polarssl/aes_alt.h"
-#endif /* POLARSSL_AES_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int aes_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* aes.h */
diff --git a/makerom/polarssl/base64.h b/makerom/polarssl/base64.h
deleted file mode 100644
index 604893eb..00000000
--- a/makerom/polarssl/base64.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/**
- * \file base64.h
- *
- * \brief RFC 1521 base64 encoding/decoding
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_BASE64_H
-#define POLARSSL_BASE64_H
-
-#include <string.h>
-#include <stdio.h>
-
-#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL               -0x002A  /**< Output buffer too small. */
-#define POLARSSL_ERR_BASE64_INVALID_CHARACTER              -0x002C  /**< Invalid character in input. */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Encode a buffer into base64 format
- *
- * \param dst      destination buffer
- * \param dlen     size of the buffer
- * \param src      source buffer
- * \param slen     amount of data to be encoded
- *
- * \return         0 if successful, or POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL.
- *                 *dlen is always updated to reflect the amount
- *                 of data that has (or would have) been written.
- *
- * \note           Call this function with *dlen = 0 to obtain the
- *                 required buffer size in *dlen
- */
-int base64_encode( unsigned char *dst, size_t *dlen,
-                   const unsigned char *src, size_t slen );
-
-/**
- * \brief          Decode a base64-formatted buffer
- *
- * \param dst      destination buffer
- * \param dlen     size of the buffer
- * \param src      source buffer
- * \param slen     amount of data to be decoded
- *
- * \return         0 if successful, POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL, or
- *                 POLARSSL_ERR_BASE64_INVALID_CHARACTER if the input data is
- *                 not correct. *dlen is always updated to reflect the amount
- *                 of data that has (or would have) been written.
- *
- * \note           Call this function with *dlen = 0 to obtain the
- *                 required buffer size in *dlen
- */
-int base64_decode( unsigned char *dst, size_t *dlen,
-                   const unsigned char *src, size_t slen );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int base64_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* base64.h */
diff --git a/makerom/polarssl/bignum.c b/makerom/polarssl/bignum.c
deleted file mode 100644
index 5c8f96c2..00000000
--- a/makerom/polarssl/bignum.c
+++ /dev/null
@@ -1,2135 +0,0 @@
-/*
- *  Multi-precision integer library
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  This MPI implementation is based on:
- *
- *  http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf
- *  http://www.stillhq.com/extracted/gnupg-api/mpi/
- *  http://math.libtomcrypt.com/files/tommath.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_BIGNUM_C)
-
-#include "polarssl/bignum.h"
-#include "polarssl/bn_mul.h"
-
-#include <stdlib.h>
-
-#define ciL    (sizeof(t_uint))         /* chars in limb  */
-#define biL    (ciL << 3)               /* bits  in limb  */
-#define biH    (ciL << 2)               /* half limb size */
-
-/*
- * Convert between bits/chars and number of limbs
- */
-#define BITS_TO_LIMBS(i)  (((i) + biL - 1) / biL)
-#define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
-
-/*
- * Initialize one MPI
- */
-void mpi_init( mpi *X )
-{
-    if( X == NULL )
-        return;
-
-    X->s = 1;
-    X->n = 0;
-    X->p = NULL;
-}
-
-/*
- * Unallocate one MPI
- */
-void mpi_free( mpi *X )
-{
-    if( X == NULL )
-        return;
-
-    if( X->p != NULL )
-    {
-        memset( X->p, 0, X->n * ciL );
-        free( X->p );
-    }
-
-    X->s = 1;
-    X->n = 0;
-    X->p = NULL;
-}
-
-/*
- * Enlarge to the specified number of limbs
- */
-int mpi_grow( mpi *X, size_t nblimbs )
-{
-    t_uint *p;
-
-    if( nblimbs > POLARSSL_MPI_MAX_LIMBS )
-        return( POLARSSL_ERR_MPI_MALLOC_FAILED );
-
-    if( X->n < nblimbs )
-    {
-        if( ( p = (t_uint *) malloc( nblimbs * ciL ) ) == NULL )
-            return( POLARSSL_ERR_MPI_MALLOC_FAILED );
-
-        memset( p, 0, nblimbs * ciL );
-
-        if( X->p != NULL )
-        {
-            memcpy( p, X->p, X->n * ciL );
-            memset( X->p, 0, X->n * ciL );
-            free( X->p );
-        }
-
-        X->n = nblimbs;
-        X->p = p;
-    }
-
-    return( 0 );
-}
-
-/*
- * Copy the contents of Y into X
- */
-int mpi_copy( mpi *X, const mpi *Y )
-{
-    int ret;
-    size_t i;
-
-    if( X == Y )
-        return( 0 );
-
-    for( i = Y->n - 1; i > 0; i-- )
-        if( Y->p[i] != 0 )
-            break;
-    i++;
-
-    X->s = Y->s;
-
-    MPI_CHK( mpi_grow( X, i ) );
-
-    memset( X->p, 0, X->n * ciL );
-    memcpy( X->p, Y->p, i * ciL );
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Swap the contents of X and Y
- */
-void mpi_swap( mpi *X, mpi *Y )
-{
-    mpi T;
-
-    memcpy( &T,  X, sizeof( mpi ) );
-    memcpy(  X,  Y, sizeof( mpi ) );
-    memcpy(  Y, &T, sizeof( mpi ) );
-}
-
-/*
- * Set value from integer
- */
-int mpi_lset( mpi *X, t_sint z )
-{
-    int ret;
-
-    MPI_CHK( mpi_grow( X, 1 ) );
-    memset( X->p, 0, X->n * ciL );
-
-    X->p[0] = ( z < 0 ) ? -z : z;
-    X->s    = ( z < 0 ) ? -1 : 1;
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Get a specific bit
- */
-int mpi_get_bit( const mpi *X, size_t pos )
-{
-    if( X->n * biL <= pos )
-        return( 0 );
-
-    return ( X->p[pos / biL] >> ( pos % biL ) ) & 0x01;
-}
-
-/*
- * Set a bit to a specific value of 0 or 1
- */
-int mpi_set_bit( mpi *X, size_t pos, unsigned char val )
-{
-    int ret = 0;
-    size_t off = pos / biL;
-    size_t idx = pos % biL;
-
-    if( val != 0 && val != 1 )
-        return POLARSSL_ERR_MPI_BAD_INPUT_DATA;
-        
-    if( X->n * biL <= pos )
-    {
-        if( val == 0 )
-            return ( 0 );
-
-        MPI_CHK( mpi_grow( X, off + 1 ) );
-    }
-
-    X->p[off] = ( X->p[off] & ~( 0x01 << idx ) ) | ( val << idx );
-
-cleanup:
-    
-    return( ret );
-}
-
-/*
- * Return the number of least significant bits
- */
-size_t mpi_lsb( const mpi *X )
-{
-    size_t i, j, count = 0;
-
-    for( i = 0; i < X->n; i++ )
-        for( j = 0; j < biL; j++, count++ )
-            if( ( ( X->p[i] >> j ) & 1 ) != 0 )
-                return( count );
-
-    return( 0 );
-}
-
-/*
- * Return the number of most significant bits
- */
-size_t mpi_msb( const mpi *X )
-{
-    size_t i, j;
-
-    for( i = X->n - 1; i > 0; i-- )
-        if( X->p[i] != 0 )
-            break;
-
-    for( j = biL; j > 0; j-- )
-        if( ( ( X->p[i] >> ( j - 1 ) ) & 1 ) != 0 )
-            break;
-
-    return( ( i * biL ) + j );
-}
-
-/*
- * Return the total size in bytes
- */
-size_t mpi_size( const mpi *X )
-{
-    return( ( mpi_msb( X ) + 7 ) >> 3 );
-}
-
-/*
- * Convert an ASCII character to digit value
- */
-static int mpi_get_digit( t_uint *d, int radix, char c )
-{
-    *d = 255;
-
-    if( c >= 0x30 && c <= 0x39 ) *d = c - 0x30;
-    if( c >= 0x41 && c <= 0x46 ) *d = c - 0x37;
-    if( c >= 0x61 && c <= 0x66 ) *d = c - 0x57;
-
-    if( *d >= (t_uint) radix )
-        return( POLARSSL_ERR_MPI_INVALID_CHARACTER );
-
-    return( 0 );
-}
-
-/*
- * Import from an ASCII string
- */
-int mpi_read_string( mpi *X, int radix, const char *s )
-{
-    int ret;
-    size_t i, j, slen, n;
-    t_uint d;
-    mpi T;
-
-    if( radix < 2 || radix > 16 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    mpi_init( &T );
-
-    slen = strlen( s );
-
-    if( radix == 16 )
-    {
-        n = BITS_TO_LIMBS( slen << 2 );
-
-        MPI_CHK( mpi_grow( X, n ) );
-        MPI_CHK( mpi_lset( X, 0 ) );
-
-        for( i = slen, j = 0; i > 0; i--, j++ )
-        {
-            if( i == 1 && s[i - 1] == '-' )
-            {
-                X->s = -1;
-                break;
-            }
-
-            MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
-            X->p[j / (2 * ciL)] |= d << ( (j % (2 * ciL)) << 2 );
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_lset( X, 0 ) );
-
-        for( i = 0; i < slen; i++ )
-        {
-            if( i == 0 && s[i] == '-' )
-            {
-                X->s = -1;
-                continue;
-            }
-
-            MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
-            MPI_CHK( mpi_mul_int( &T, X, radix ) );
-
-            if( X->s == 1 )
-            {
-                MPI_CHK( mpi_add_int( X, &T, d ) );
-            }
-            else
-            {
-                MPI_CHK( mpi_sub_int( X, &T, d ) );
-            }
-        }
-    }
-
-cleanup:
-
-    mpi_free( &T );
-
-    return( ret );
-}
-
-/*
- * Helper to write the digits high-order first
- */
-static int mpi_write_hlp( mpi *X, int radix, char **p )
-{
-    int ret;
-    t_uint r;
-
-    if( radix < 2 || radix > 16 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    MPI_CHK( mpi_mod_int( &r, X, radix ) );
-    MPI_CHK( mpi_div_int( X, NULL, X, radix ) );
-
-    if( mpi_cmp_int( X, 0 ) != 0 )
-        MPI_CHK( mpi_write_hlp( X, radix, p ) );
-
-    if( r < 10 )
-        *(*p)++ = (char)( r + 0x30 );
-    else
-        *(*p)++ = (char)( r + 0x37 );
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Export into an ASCII string
- */
-int mpi_write_string( const mpi *X, int radix, char *s, size_t *slen )
-{
-    int ret = 0;
-    size_t n;
-    char *p;
-    mpi T;
-
-    if( radix < 2 || radix > 16 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    n = mpi_msb( X );
-    if( radix >=  4 ) n >>= 1;
-    if( radix >= 16 ) n >>= 1;
-    n += 3;
-
-    if( *slen < n )
-    {
-        *slen = n;
-        return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
-    }
-
-    p = s;
-    mpi_init( &T );
-
-    if( X->s == -1 )
-        *p++ = '-';
-
-    if( radix == 16 )
-    {
-        int c;
-        size_t i, j, k;
-
-        for( i = X->n, k = 0; i > 0; i-- )
-        {
-            for( j = ciL; j > 0; j-- )
-            {
-                c = ( X->p[i - 1] >> ( ( j - 1 ) << 3) ) & 0xFF;
-
-                if( c == 0 && k == 0 && ( i + j + 3 ) != 0 )
-                    continue;
-
-                *(p++) = "0123456789ABCDEF" [c / 16];
-                *(p++) = "0123456789ABCDEF" [c % 16];
-                k = 1;
-            }
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_copy( &T, X ) );
-
-        if( T.s == -1 )
-            T.s = 1;
-
-        MPI_CHK( mpi_write_hlp( &T, radix, &p ) );
-    }
-
-    *p++ = '\0';
-    *slen = p - s;
-
-cleanup:
-
-    mpi_free( &T );
-
-    return( ret );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * Read X from an opened file
- */
-int mpi_read_file( mpi *X, int radix, FILE *fin )
-{
-    t_uint d;
-    size_t slen;
-    char *p;
-    /*
-     * Buffer should have space for (short) label and decimal formatted MPI,
-     * newline characters and '\0'
-     */
-    char s[ POLARSSL_MPI_RW_BUFFER_SIZE ];
-
-    memset( s, 0, sizeof( s ) );
-    if( fgets( s, sizeof( s ) - 1, fin ) == NULL )
-        return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
-
-    slen = strlen( s );
-    if( slen == sizeof( s ) - 2 )
-        return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
-
-    if( s[slen - 1] == '\n' ) { slen--; s[slen] = '\0'; }
-    if( s[slen - 1] == '\r' ) { slen--; s[slen] = '\0'; }
-
-    p = s + slen;
-    while( --p >= s )
-        if( mpi_get_digit( &d, radix, *p ) != 0 )
-            break;
-
-    return( mpi_read_string( X, radix, p + 1 ) );
-}
-
-/*
- * Write X into an opened file (or stdout if fout == NULL)
- */
-int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout )
-{
-    int ret;
-    size_t n, slen, plen;
-    /*
-     * Buffer should have space for (short) label and decimal formatted MPI,
-     * newline characters and '\0'
-     */
-    char s[ POLARSSL_MPI_RW_BUFFER_SIZE ];
-
-    n = sizeof( s );
-    memset( s, 0, n );
-    n -= 2;
-
-    MPI_CHK( mpi_write_string( X, radix, s, (size_t *) &n ) );
-
-    if( p == NULL ) p = "";
-
-    plen = strlen( p );
-    slen = strlen( s );
-    s[slen++] = '\r';
-    s[slen++] = '\n';
-
-    if( fout != NULL )
-    {
-        if( fwrite( p, 1, plen, fout ) != plen ||
-            fwrite( s, 1, slen, fout ) != slen )
-            return( POLARSSL_ERR_MPI_FILE_IO_ERROR );
-    }
-    else
-        printf( "%s%s", p, s );
-
-cleanup:
-
-    return( ret );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * Import X from unsigned binary data, big endian
- */
-int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen )
-{
-    int ret;
-    size_t i, j, n;
-
-    for( n = 0; n < buflen; n++ )
-        if( buf[n] != 0 )
-            break;
-
-    MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
-    MPI_CHK( mpi_lset( X, 0 ) );
-
-    for( i = buflen, j = 0; i > n; i--, j++ )
-        X->p[j / ciL] |= ((t_uint) buf[i - 1]) << ((j % ciL) << 3);
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Export X into unsigned binary data, big endian
- */
-int mpi_write_binary( const mpi *X, unsigned char *buf, size_t buflen )
-{
-    size_t i, j, n;
-
-    n = mpi_size( X );
-
-    if( buflen < n )
-        return( POLARSSL_ERR_MPI_BUFFER_TOO_SMALL );
-
-    memset( buf, 0, buflen );
-
-    for( i = buflen - 1, j = 0; n > 0; i--, j++, n-- )
-        buf[i] = (unsigned char)( X->p[j / ciL] >> ((j % ciL) << 3) );
-
-    return( 0 );
-}
-
-/*
- * Left-shift: X <<= count
- */
-int mpi_shift_l( mpi *X, size_t count )
-{
-    int ret;
-    size_t i, v0, t1;
-    t_uint r0 = 0, r1;
-
-    v0 = count / (biL    );
-    t1 = count & (biL - 1);
-
-    i = mpi_msb( X ) + count;
-
-    if( X->n * biL < i )
-        MPI_CHK( mpi_grow( X, BITS_TO_LIMBS( i ) ) );
-
-    ret = 0;
-
-    /*
-     * shift by count / limb_size
-     */
-    if( v0 > 0 )
-    {
-        for( i = X->n; i > v0; i-- )
-            X->p[i - 1] = X->p[i - v0 - 1];
-
-        for( ; i > 0; i-- )
-            X->p[i - 1] = 0;
-    }
-
-    /*
-     * shift by count % limb_size
-     */
-    if( t1 > 0 )
-    {
-        for( i = v0; i < X->n; i++ )
-        {
-            r1 = X->p[i] >> (biL - t1);
-            X->p[i] <<= t1;
-            X->p[i] |= r0;
-            r0 = r1;
-        }
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Right-shift: X >>= count
- */
-int mpi_shift_r( mpi *X, size_t count )
-{
-    size_t i, v0, v1;
-    t_uint r0 = 0, r1;
-
-    v0 = count /  biL;
-    v1 = count & (biL - 1);
-
-    if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
-        return mpi_lset( X, 0 );
-
-    /*
-     * shift by count / limb_size
-     */
-    if( v0 > 0 )
-    {
-        for( i = 0; i < X->n - v0; i++ )
-            X->p[i] = X->p[i + v0];
-
-        for( ; i < X->n; i++ )
-            X->p[i] = 0;
-    }
-
-    /*
-     * shift by count % limb_size
-     */
-    if( v1 > 0 )
-    {
-        for( i = X->n; i > 0; i-- )
-        {
-            r1 = X->p[i - 1] << (biL - v1);
-            X->p[i - 1] >>= v1;
-            X->p[i - 1] |= r0;
-            r0 = r1;
-        }
-    }
-
-    return( 0 );
-}
-
-/*
- * Compare unsigned values
- */
-int mpi_cmp_abs( const mpi *X, const mpi *Y )
-{
-    size_t i, j;
-
-    for( i = X->n; i > 0; i-- )
-        if( X->p[i - 1] != 0 )
-            break;
-
-    for( j = Y->n; j > 0; j-- )
-        if( Y->p[j - 1] != 0 )
-            break;
-
-    if( i == 0 && j == 0 )
-        return( 0 );
-
-    if( i > j ) return(  1 );
-    if( j > i ) return( -1 );
-
-    for( ; i > 0; i-- )
-    {
-        if( X->p[i - 1] > Y->p[i - 1] ) return(  1 );
-        if( X->p[i - 1] < Y->p[i - 1] ) return( -1 );
-    }
-
-    return( 0 );
-}
-
-/*
- * Compare signed values
- */
-int mpi_cmp_mpi( const mpi *X, const mpi *Y )
-{
-    size_t i, j;
-
-    for( i = X->n; i > 0; i-- )
-        if( X->p[i - 1] != 0 )
-            break;
-
-    for( j = Y->n; j > 0; j-- )
-        if( Y->p[j - 1] != 0 )
-            break;
-
-    if( i == 0 && j == 0 )
-        return( 0 );
-
-    if( i > j ) return(  X->s );
-    if( j > i ) return( -Y->s );
-
-    if( X->s > 0 && Y->s < 0 ) return(  1 );
-    if( Y->s > 0 && X->s < 0 ) return( -1 );
-
-    for( ; i > 0; i-- )
-    {
-        if( X->p[i - 1] > Y->p[i - 1] ) return(  X->s );
-        if( X->p[i - 1] < Y->p[i - 1] ) return( -X->s );
-    }
-
-    return( 0 );
-}
-
-/*
- * Compare signed values
- */
-int mpi_cmp_int( const mpi *X, t_sint z )
-{
-    mpi Y;
-    t_uint p[1];
-
-    *p  = ( z < 0 ) ? -z : z;
-    Y.s = ( z < 0 ) ? -1 : 1;
-    Y.n = 1;
-    Y.p = p;
-
-    return( mpi_cmp_mpi( X, &Y ) );
-}
-
-/*
- * Unsigned addition: X = |A| + |B|  (HAC 14.7)
- */
-int mpi_add_abs( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret;
-    size_t i, j;
-    t_uint *o, *p, c;
-
-    if( X == B )
-    {
-        const mpi *T = A; A = X; B = T;
-    }
-
-    if( X != A )
-        MPI_CHK( mpi_copy( X, A ) );
-   
-    /*
-     * X should always be positive as a result of unsigned additions.
-     */
-    X->s = 1;
-
-    for( j = B->n; j > 0; j-- )
-        if( B->p[j - 1] != 0 )
-            break;
-
-    MPI_CHK( mpi_grow( X, j ) );
-
-    o = B->p; p = X->p; c = 0;
-
-    for( i = 0; i < j; i++, o++, p++ )
-    {
-        *p +=  c; c  = ( *p <  c );
-        *p += *o; c += ( *p < *o );
-    }
-
-    while( c != 0 )
-    {
-        if( i >= X->n )
-        {
-            MPI_CHK( mpi_grow( X, i + 1 ) );
-            p = X->p + i;
-        }
-
-        *p += c; c = ( *p < c ); i++; p++;
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Helper for mpi substraction
- */
-static void mpi_sub_hlp( size_t n, t_uint *s, t_uint *d )
-{
-    size_t i;
-    t_uint c, z;
-
-    for( i = c = 0; i < n; i++, s++, d++ )
-    {
-        z = ( *d <  c );     *d -=  c;
-        c = ( *d < *s ) + z; *d -= *s;
-    }
-
-    while( c != 0 )
-    {
-        z = ( *d < c ); *d -= c;
-        c = z; i++; d++;
-    }
-}
-
-/*
- * Unsigned substraction: X = |A| - |B|  (HAC 14.9)
- */
-int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B )
-{
-    mpi TB;
-    int ret;
-    size_t n;
-
-    if( mpi_cmp_abs( A, B ) < 0 )
-        return( POLARSSL_ERR_MPI_NEGATIVE_VALUE );
-
-    mpi_init( &TB );
-
-    if( X == B )
-    {
-        MPI_CHK( mpi_copy( &TB, B ) );
-        B = &TB;
-    }
-
-    if( X != A )
-        MPI_CHK( mpi_copy( X, A ) );
-
-    /*
-     * X should always be positive as a result of unsigned substractions.
-     */
-    X->s = 1;
-
-    ret = 0;
-
-    for( n = B->n; n > 0; n-- )
-        if( B->p[n - 1] != 0 )
-            break;
-
-    mpi_sub_hlp( n, B->p, X->p );
-
-cleanup:
-
-    mpi_free( &TB );
-
-    return( ret );
-}
-
-/*
- * Signed addition: X = A + B
- */
-int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret, s = A->s;
-
-    if( A->s * B->s < 0 )
-    {
-        if( mpi_cmp_abs( A, B ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_abs( X, A, B ) );
-            X->s =  s;
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_abs( X, B, A ) );
-            X->s = -s;
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_add_abs( X, A, B ) );
-        X->s = s;
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Signed substraction: X = A - B
- */
-int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret, s = A->s;
-
-    if( A->s * B->s > 0 )
-    {
-        if( mpi_cmp_abs( A, B ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_abs( X, A, B ) );
-            X->s =  s;
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_abs( X, B, A ) );
-            X->s = -s;
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_add_abs( X, A, B ) );
-        X->s = s;
-    }
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Signed addition: X = A + b
- */
-int mpi_add_int( mpi *X, const mpi *A, t_sint b )
-{
-    mpi _B;
-    t_uint p[1];
-
-    p[0] = ( b < 0 ) ? -b : b;
-    _B.s = ( b < 0 ) ? -1 : 1;
-    _B.n = 1;
-    _B.p = p;
-
-    return( mpi_add_mpi( X, A, &_B ) );
-}
-
-/*
- * Signed substraction: X = A - b
- */
-int mpi_sub_int( mpi *X, const mpi *A, t_sint b )
-{
-    mpi _B;
-    t_uint p[1];
-
-    p[0] = ( b < 0 ) ? -b : b;
-    _B.s = ( b < 0 ) ? -1 : 1;
-    _B.n = 1;
-    _B.p = p;
-
-    return( mpi_sub_mpi( X, A, &_B ) );
-}
-
-/*
- * Helper for mpi multiplication
- */
-static void mpi_mul_hlp( size_t i, t_uint *s, t_uint *d, t_uint b )
-{
-    t_uint c = 0, t = 0;
-
-#if defined(MULADDC_HUIT)
-    for( ; i >= 8; i -= 8 )
-    {
-        MULADDC_INIT
-        MULADDC_HUIT
-        MULADDC_STOP
-    }
-
-    for( ; i > 0; i-- )
-    {
-        MULADDC_INIT
-        MULADDC_CORE
-        MULADDC_STOP
-    }
-#else
-    for( ; i >= 16; i -= 16 )
-    {
-        MULADDC_INIT
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_STOP
-    }
-
-    for( ; i >= 8; i -= 8 )
-    {
-        MULADDC_INIT
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_CORE   MULADDC_CORE
-        MULADDC_STOP
-    }
-
-    for( ; i > 0; i-- )
-    {
-        MULADDC_INIT
-        MULADDC_CORE
-        MULADDC_STOP
-    }
-#endif
-
-    t++;
-
-    do {
-        *d += c; c = ( *d < c ); d++;
-    }
-    while( c != 0 );
-}
-
-/*
- * Baseline multiplication: X = A * B  (HAC 14.12)
- */
-int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B )
-{
-    int ret;
-    size_t i, j;
-    mpi TA, TB;
-
-    mpi_init( &TA ); mpi_init( &TB );
-
-    if( X == A ) { MPI_CHK( mpi_copy( &TA, A ) ); A = &TA; }
-    if( X == B ) { MPI_CHK( mpi_copy( &TB, B ) ); B = &TB; }
-
-    for( i = A->n; i > 0; i-- )
-        if( A->p[i - 1] != 0 )
-            break;
-
-    for( j = B->n; j > 0; j-- )
-        if( B->p[j - 1] != 0 )
-            break;
-
-    MPI_CHK( mpi_grow( X, i + j ) );
-    MPI_CHK( mpi_lset( X, 0 ) );
-
-    for( i++; j > 0; j-- )
-        mpi_mul_hlp( i - 1, A->p, X->p + j - 1, B->p[j - 1] );
-
-    X->s = A->s * B->s;
-
-cleanup:
-
-    mpi_free( &TB ); mpi_free( &TA );
-
-    return( ret );
-}
-
-/*
- * Baseline multiplication: X = A * b
- */
-int mpi_mul_int( mpi *X, const mpi *A, t_sint b )
-{
-    mpi _B;
-    t_uint p[1];
-
-    _B.s = 1;
-    _B.n = 1;
-    _B.p = p;
-    p[0] = b;
-
-    return( mpi_mul_mpi( X, A, &_B ) );
-}
-
-/*
- * Division by mpi: A = Q * B + R  (HAC 14.20)
- */
-int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
-{
-    int ret;
-    size_t i, n, t, k;
-    mpi X, Y, Z, T1, T2;
-
-    if( mpi_cmp_int( B, 0 ) == 0 )
-        return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
-
-    mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z );
-    mpi_init( &T1 ); mpi_init( &T2 );
-
-    if( mpi_cmp_abs( A, B ) < 0 )
-    {
-        if( Q != NULL ) MPI_CHK( mpi_lset( Q, 0 ) );
-        if( R != NULL ) MPI_CHK( mpi_copy( R, A ) );
-        return( 0 );
-    }
-
-    MPI_CHK( mpi_copy( &X, A ) );
-    MPI_CHK( mpi_copy( &Y, B ) );
-    X.s = Y.s = 1;
-
-    MPI_CHK( mpi_grow( &Z, A->n + 2 ) );
-    MPI_CHK( mpi_lset( &Z,  0 ) );
-    MPI_CHK( mpi_grow( &T1, 2 ) );
-    MPI_CHK( mpi_grow( &T2, 3 ) );
-
-    k = mpi_msb( &Y ) % biL;
-    if( k < biL - 1 )
-    {
-        k = biL - 1 - k;
-        MPI_CHK( mpi_shift_l( &X, k ) );
-        MPI_CHK( mpi_shift_l( &Y, k ) );
-    }
-    else k = 0;
-
-    n = X.n - 1;
-    t = Y.n - 1;
-    MPI_CHK( mpi_shift_l( &Y, biL * (n - t) ) );
-
-    while( mpi_cmp_mpi( &X, &Y ) >= 0 )
-    {
-        Z.p[n - t]++;
-        mpi_sub_mpi( &X, &X, &Y );
-    }
-    mpi_shift_r( &Y, biL * (n - t) );
-
-    for( i = n; i > t ; i-- )
-    {
-        if( X.p[i] >= Y.p[t] )
-            Z.p[i - t - 1] = ~0;
-        else
-        {
-#if defined(POLARSSL_HAVE_UDBL)
-            t_udbl r;
-
-            r  = (t_udbl) X.p[i] << biL;
-            r |= (t_udbl) X.p[i - 1];
-            r /= Y.p[t];
-            if( r > ((t_udbl) 1 << biL) - 1)
-                r = ((t_udbl) 1 << biL) - 1;
-
-            Z.p[i - t - 1] = (t_uint) r;
-#else
-            /*
-             * __udiv_qrnnd_c, from gmp/longlong.h
-             */
-            t_uint q0, q1, r0, r1;
-            t_uint d0, d1, d, m;
-
-            d  = Y.p[t];
-            d0 = ( d << biH ) >> biH;
-            d1 = ( d >> biH );
-
-            q1 = X.p[i] / d1;
-            r1 = X.p[i] - d1 * q1;
-            r1 <<= biH;
-            r1 |= ( X.p[i - 1] >> biH );
-
-            m = q1 * d0;
-            if( r1 < m )
-            {
-                q1--, r1 += d;
-                while( r1 >= d && r1 < m )
-                    q1--, r1 += d;
-            }
-            r1 -= m;
-
-            q0 = r1 / d1;
-            r0 = r1 - d1 * q0;
-            r0 <<= biH;
-            r0 |= ( X.p[i - 1] << biH ) >> biH;
-
-            m = q0 * d0;
-            if( r0 < m )
-            {
-                q0--, r0 += d;
-                while( r0 >= d && r0 < m )
-                    q0--, r0 += d;
-            }
-            r0 -= m;
-
-            Z.p[i - t - 1] = ( q1 << biH ) | q0;
-#endif
-        }
-
-        Z.p[i - t - 1]++;
-        do
-        {
-            Z.p[i - t - 1]--;
-
-            MPI_CHK( mpi_lset( &T1, 0 ) );
-            T1.p[0] = (t < 1) ? 0 : Y.p[t - 1];
-            T1.p[1] = Y.p[t];
-            MPI_CHK( mpi_mul_int( &T1, &T1, Z.p[i - t - 1] ) );
-
-            MPI_CHK( mpi_lset( &T2, 0 ) );
-            T2.p[0] = (i < 2) ? 0 : X.p[i - 2];
-            T2.p[1] = (i < 1) ? 0 : X.p[i - 1];
-            T2.p[2] = X.p[i];
-        }
-        while( mpi_cmp_mpi( &T1, &T2 ) > 0 );
-
-        MPI_CHK( mpi_mul_int( &T1, &Y, Z.p[i - t - 1] ) );
-        MPI_CHK( mpi_shift_l( &T1,  biL * (i - t - 1) ) );
-        MPI_CHK( mpi_sub_mpi( &X, &X, &T1 ) );
-
-        if( mpi_cmp_int( &X, 0 ) < 0 )
-        {
-            MPI_CHK( mpi_copy( &T1, &Y ) );
-            MPI_CHK( mpi_shift_l( &T1, biL * (i - t - 1) ) );
-            MPI_CHK( mpi_add_mpi( &X, &X, &T1 ) );
-            Z.p[i - t - 1]--;
-        }
-    }
-
-    if( Q != NULL )
-    {
-        mpi_copy( Q, &Z );
-        Q->s = A->s * B->s;
-    }
-
-    if( R != NULL )
-    {
-        mpi_shift_r( &X, k );
-        X.s = A->s;
-        mpi_copy( R, &X );
-
-        if( mpi_cmp_int( R, 0 ) == 0 )
-            R->s = 1;
-    }
-
-cleanup:
-
-    mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z );
-    mpi_free( &T1 ); mpi_free( &T2 );
-
-    return( ret );
-}
-
-/*
- * Division by int: A = Q * b + R
- */
-int mpi_div_int( mpi *Q, mpi *R, const mpi *A, t_sint b )
-{
-    mpi _B;
-    t_uint p[1];
-
-    p[0] = ( b < 0 ) ? -b : b;
-    _B.s = ( b < 0 ) ? -1 : 1;
-    _B.n = 1;
-    _B.p = p;
-
-    return( mpi_div_mpi( Q, R, A, &_B ) );
-}
-
-/*
- * Modulo: R = A mod B
- */
-int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B )
-{
-    int ret;
-
-    if( mpi_cmp_int( B, 0 ) < 0 )
-        return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
-
-    MPI_CHK( mpi_div_mpi( NULL, R, A, B ) );
-
-    while( mpi_cmp_int( R, 0 ) < 0 )
-      MPI_CHK( mpi_add_mpi( R, R, B ) );
-
-    while( mpi_cmp_mpi( R, B ) >= 0 )
-      MPI_CHK( mpi_sub_mpi( R, R, B ) );
-
-cleanup:
-
-    return( ret );
-}
-
-/*
- * Modulo: r = A mod b
- */
-int mpi_mod_int( t_uint *r, const mpi *A, t_sint b )
-{
-    size_t i;
-    t_uint x, y, z;
-
-    if( b == 0 )
-        return( POLARSSL_ERR_MPI_DIVISION_BY_ZERO );
-
-    if( b < 0 )
-        return POLARSSL_ERR_MPI_NEGATIVE_VALUE;
-
-    /*
-     * handle trivial cases
-     */
-    if( b == 1 )
-    {
-        *r = 0;
-        return( 0 );
-    }
-
-    if( b == 2 )
-    {
-        *r = A->p[0] & 1;
-        return( 0 );
-    }
-
-    /*
-     * general case
-     */
-    for( i = A->n, y = 0; i > 0; i-- )
-    {
-        x  = A->p[i - 1];
-        y  = ( y << biH ) | ( x >> biH );
-        z  = y / b;
-        y -= z * b;
-
-        x <<= biH;
-        y  = ( y << biH ) | ( x >> biH );
-        z  = y / b;
-        y -= z * b;
-    }
-
-    /*
-     * If A is negative, then the current y represents a negative value.
-     * Flipping it to the positive side.
-     */
-    if( A->s < 0 && y != 0 )
-        y = b - y;
-
-    *r = y;
-
-    return( 0 );
-}
-
-/*
- * Fast Montgomery initialization (thanks to Tom St Denis)
- */
-static void mpi_montg_init( t_uint *mm, const mpi *N )
-{
-    t_uint x, m0 = N->p[0];
-
-    x  = m0;
-    x += ( ( m0 + 2 ) & 4 ) << 1;
-    x *= ( 2 - ( m0 * x ) );
-
-    if( biL >= 16 ) x *= ( 2 - ( m0 * x ) );
-    if( biL >= 32 ) x *= ( 2 - ( m0 * x ) );
-    if( biL >= 64 ) x *= ( 2 - ( m0 * x ) );
-
-    *mm = ~x + 1;
-}
-
-/*
- * Montgomery multiplication: A = A * B * R^-1 mod N  (HAC 14.36)
- */
-static void mpi_montmul( mpi *A, const mpi *B, const mpi *N, t_uint mm, const mpi *T )
-{
-    size_t i, n, m;
-    t_uint u0, u1, *d;
-
-    memset( T->p, 0, T->n * ciL );
-
-    d = T->p;
-    n = N->n;
-    m = ( B->n < n ) ? B->n : n;
-
-    for( i = 0; i < n; i++ )
-    {
-        /*
-         * T = (T + u0*B + u1*N) / 2^biL
-         */
-        u0 = A->p[i];
-        u1 = ( d[0] + u0 * B->p[0] ) * mm;
-
-        mpi_mul_hlp( m, B->p, d, u0 );
-        mpi_mul_hlp( n, N->p, d, u1 );
-
-        *d++ = u0; d[n + 1] = 0;
-    }
-
-    memcpy( A->p, d, (n + 1) * ciL );
-
-    if( mpi_cmp_abs( A, N ) >= 0 )
-        mpi_sub_hlp( n, N->p, A->p );
-    else
-        /* prevent timing attacks */
-        mpi_sub_hlp( n, A->p, T->p );
-}
-
-/*
- * Montgomery reduction: A = A * R^-1 mod N
- */
-static void mpi_montred( mpi *A, const mpi *N, t_uint mm, const mpi *T )
-{
-    t_uint z = 1;
-    mpi U;
-
-    U.n = U.s = (int) z;
-    U.p = &z;
-
-    mpi_montmul( A, &U, N, mm, T );
-}
-
-/*
- * Sliding-window exponentiation: X = A^E mod N  (HAC 14.85)
- */
-int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR )
-{
-    int ret;
-    size_t wbits, wsize, one = 1;
-    size_t i, j, nblimbs;
-    size_t bufsize, nbits;
-    t_uint ei, mm, state;
-    mpi RR, T, W[ 2 << POLARSSL_MPI_WINDOW_SIZE ], Apos;
-    int neg;
-
-    if( mpi_cmp_int( N, 0 ) < 0 || ( N->p[0] & 1 ) == 0 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    if( mpi_cmp_int( E, 0 ) < 0 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    /*
-     * Init temps and window size
-     */
-    mpi_montg_init( &mm, N );
-    mpi_init( &RR ); mpi_init( &T );
-    memset( W, 0, sizeof( W ) );
-
-    i = mpi_msb( E );
-
-    wsize = ( i > 671 ) ? 6 : ( i > 239 ) ? 5 :
-            ( i >  79 ) ? 4 : ( i >  23 ) ? 3 : 1;
-
-    if( wsize > POLARSSL_MPI_WINDOW_SIZE )
-        wsize = POLARSSL_MPI_WINDOW_SIZE;
-
-    j = N->n + 1;
-    MPI_CHK( mpi_grow( X, j ) );
-    MPI_CHK( mpi_grow( &W[1],  j ) );
-    MPI_CHK( mpi_grow( &T, j * 2 ) );
-
-    /*
-     * Compensate for negative A (and correct at the end)
-     */
-    neg = ( A->s == -1 );
-
-    mpi_init( &Apos );
-    if( neg )
-    {
-        MPI_CHK( mpi_copy( &Apos, A ) );
-        Apos.s = 1;
-        A = &Apos;
-    }
-
-    /*
-     * If 1st call, pre-compute R^2 mod N
-     */
-    if( _RR == NULL || _RR->p == NULL )
-    {
-        MPI_CHK( mpi_lset( &RR, 1 ) );
-        MPI_CHK( mpi_shift_l( &RR, N->n * 2 * biL ) );
-        MPI_CHK( mpi_mod_mpi( &RR, &RR, N ) );
-
-        if( _RR != NULL )
-            memcpy( _RR, &RR, sizeof( mpi ) );
-    }
-    else
-        memcpy( &RR, _RR, sizeof( mpi ) );
-
-    /*
-     * W[1] = A * R^2 * R^-1 mod N = A * R mod N
-     */
-    if( mpi_cmp_mpi( A, N ) >= 0 )
-        mpi_mod_mpi( &W[1], A, N );
-    else   mpi_copy( &W[1], A );
-
-    mpi_montmul( &W[1], &RR, N, mm, &T );
-
-    /*
-     * X = R^2 * R^-1 mod N = R mod N
-     */
-    MPI_CHK( mpi_copy( X, &RR ) );
-    mpi_montred( X, N, mm, &T );
-
-    if( wsize > 1 )
-    {
-        /*
-         * W[1 << (wsize - 1)] = W[1] ^ (wsize - 1)
-         */
-        j =  one << (wsize - 1);
-
-        MPI_CHK( mpi_grow( &W[j], N->n + 1 ) );
-        MPI_CHK( mpi_copy( &W[j], &W[1]    ) );
-
-        for( i = 0; i < wsize - 1; i++ )
-            mpi_montmul( &W[j], &W[j], N, mm, &T );
-    
-        /*
-         * W[i] = W[i - 1] * W[1]
-         */
-        for( i = j + 1; i < (one << wsize); i++ )
-        {
-            MPI_CHK( mpi_grow( &W[i], N->n + 1 ) );
-            MPI_CHK( mpi_copy( &W[i], &W[i - 1] ) );
-
-            mpi_montmul( &W[i], &W[1], N, mm, &T );
-        }
-    }
-
-    nblimbs = E->n;
-    bufsize = 0;
-    nbits   = 0;
-    wbits   = 0;
-    state   = 0;
-
-    while( 1 )
-    {
-        if( bufsize == 0 )
-        {
-            if( nblimbs-- == 0 )
-                break;
-
-            bufsize = sizeof( t_uint ) << 3;
-        }
-
-        bufsize--;
-
-        ei = (E->p[nblimbs] >> bufsize) & 1;
-
-        /*
-         * skip leading 0s
-         */
-        if( ei == 0 && state == 0 )
-            continue;
-
-        if( ei == 0 && state == 1 )
-        {
-            /*
-             * out of window, square X
-             */
-            mpi_montmul( X, X, N, mm, &T );
-            continue;
-        }
-
-        /*
-         * add ei to current window
-         */
-        state = 2;
-
-        nbits++;
-        wbits |= (ei << (wsize - nbits));
-
-        if( nbits == wsize )
-        {
-            /*
-             * X = X^wsize R^-1 mod N
-             */
-            for( i = 0; i < wsize; i++ )
-                mpi_montmul( X, X, N, mm, &T );
-
-            /*
-             * X = X * W[wbits] R^-1 mod N
-             */
-            mpi_montmul( X, &W[wbits], N, mm, &T );
-
-            state--;
-            nbits = 0;
-            wbits = 0;
-        }
-    }
-
-    /*
-     * process the remaining bits
-     */
-    for( i = 0; i < nbits; i++ )
-    {
-        mpi_montmul( X, X, N, mm, &T );
-
-        wbits <<= 1;
-
-        if( (wbits & (one << wsize)) != 0 )
-            mpi_montmul( X, &W[1], N, mm, &T );
-    }
-
-    /*
-     * X = A^E * R * R^-1 mod N = A^E mod N
-     */
-    mpi_montred( X, N, mm, &T );
-
-    if( neg )
-    {
-        X->s = -1;
-        mpi_add_mpi( X, N, X );
-    }
-
-cleanup:
-
-    for( i = (one << (wsize - 1)); i < (one << wsize); i++ )
-        mpi_free( &W[i] );
-
-    mpi_free( &W[1] ); mpi_free( &T ); mpi_free( &Apos );
-
-    if( _RR == NULL )
-        mpi_free( &RR );
-
-    return( ret );
-}
-
-/*
- * Greatest common divisor: G = gcd(A, B)  (HAC 14.54)
- */
-int mpi_gcd( mpi *G, const mpi *A, const mpi *B )
-{
-    int ret;
-    size_t lz, lzt;
-    mpi TG, TA, TB;
-
-    mpi_init( &TG ); mpi_init( &TA ); mpi_init( &TB );
-
-    MPI_CHK( mpi_copy( &TA, A ) );
-    MPI_CHK( mpi_copy( &TB, B ) );
-
-    lz = mpi_lsb( &TA );
-    lzt = mpi_lsb( &TB );
-
-    if ( lzt < lz )
-        lz = lzt;
-
-    MPI_CHK( mpi_shift_r( &TA, lz ) );
-    MPI_CHK( mpi_shift_r( &TB, lz ) );
-
-    TA.s = TB.s = 1;
-
-    while( mpi_cmp_int( &TA, 0 ) != 0 )
-    {
-        MPI_CHK( mpi_shift_r( &TA, mpi_lsb( &TA ) ) );
-        MPI_CHK( mpi_shift_r( &TB, mpi_lsb( &TB ) ) );
-
-        if( mpi_cmp_mpi( &TA, &TB ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_abs( &TA, &TA, &TB ) );
-            MPI_CHK( mpi_shift_r( &TA, 1 ) );
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_abs( &TB, &TB, &TA ) );
-            MPI_CHK( mpi_shift_r( &TB, 1 ) );
-        }
-    }
-
-    MPI_CHK( mpi_shift_l( &TB, lz ) );
-    MPI_CHK( mpi_copy( G, &TB ) );
-
-cleanup:
-
-    mpi_free( &TG ); mpi_free( &TA ); mpi_free( &TB );
-
-    return( ret );
-}
-
-int mpi_fill_random( mpi *X, size_t size,
-                     int (*f_rng)(void *, unsigned char *, size_t),
-                     void *p_rng )
-{
-    int ret;
-
-    MPI_CHK( mpi_grow( X, CHARS_TO_LIMBS( size ) ) );
-    MPI_CHK( mpi_lset( X, 0 ) );
-
-    MPI_CHK( f_rng( p_rng, (unsigned char *) X->p, size ) );
-
-cleanup:
-    return( ret );
-}
-
-/*
- * Modular inverse: X = A^-1 mod N  (HAC 14.61 / 14.64)
- */
-int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N )
-{
-    int ret;
-    mpi G, TA, TU, U1, U2, TB, TV, V1, V2;
-
-    if( mpi_cmp_int( N, 0 ) <= 0 )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    mpi_init( &TA ); mpi_init( &TU ); mpi_init( &U1 ); mpi_init( &U2 );
-    mpi_init( &G ); mpi_init( &TB ); mpi_init( &TV );
-    mpi_init( &V1 ); mpi_init( &V2 );
-
-    MPI_CHK( mpi_gcd( &G, A, N ) );
-
-    if( mpi_cmp_int( &G, 1 ) != 0 )
-    {
-        ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
-        goto cleanup;
-    }
-
-    MPI_CHK( mpi_mod_mpi( &TA, A, N ) );
-    MPI_CHK( mpi_copy( &TU, &TA ) );
-    MPI_CHK( mpi_copy( &TB, N ) );
-    MPI_CHK( mpi_copy( &TV, N ) );
-
-    MPI_CHK( mpi_lset( &U1, 1 ) );
-    MPI_CHK( mpi_lset( &U2, 0 ) );
-    MPI_CHK( mpi_lset( &V1, 0 ) );
-    MPI_CHK( mpi_lset( &V2, 1 ) );
-
-    do
-    {
-        while( ( TU.p[0] & 1 ) == 0 )
-        {
-            MPI_CHK( mpi_shift_r( &TU, 1 ) );
-
-            if( ( U1.p[0] & 1 ) != 0 || ( U2.p[0] & 1 ) != 0 )
-            {
-                MPI_CHK( mpi_add_mpi( &U1, &U1, &TB ) );
-                MPI_CHK( mpi_sub_mpi( &U2, &U2, &TA ) );
-            }
-
-            MPI_CHK( mpi_shift_r( &U1, 1 ) );
-            MPI_CHK( mpi_shift_r( &U2, 1 ) );
-        }
-
-        while( ( TV.p[0] & 1 ) == 0 )
-        {
-            MPI_CHK( mpi_shift_r( &TV, 1 ) );
-
-            if( ( V1.p[0] & 1 ) != 0 || ( V2.p[0] & 1 ) != 0 )
-            {
-                MPI_CHK( mpi_add_mpi( &V1, &V1, &TB ) );
-                MPI_CHK( mpi_sub_mpi( &V2, &V2, &TA ) );
-            }
-
-            MPI_CHK( mpi_shift_r( &V1, 1 ) );
-            MPI_CHK( mpi_shift_r( &V2, 1 ) );
-        }
-
-        if( mpi_cmp_mpi( &TU, &TV ) >= 0 )
-        {
-            MPI_CHK( mpi_sub_mpi( &TU, &TU, &TV ) );
-            MPI_CHK( mpi_sub_mpi( &U1, &U1, &V1 ) );
-            MPI_CHK( mpi_sub_mpi( &U2, &U2, &V2 ) );
-        }
-        else
-        {
-            MPI_CHK( mpi_sub_mpi( &TV, &TV, &TU ) );
-            MPI_CHK( mpi_sub_mpi( &V1, &V1, &U1 ) );
-            MPI_CHK( mpi_sub_mpi( &V2, &V2, &U2 ) );
-        }
-    }
-    while( mpi_cmp_int( &TU, 0 ) != 0 );
-
-    while( mpi_cmp_int( &V1, 0 ) < 0 )
-        MPI_CHK( mpi_add_mpi( &V1, &V1, N ) );
-
-    while( mpi_cmp_mpi( &V1, N ) >= 0 )
-        MPI_CHK( mpi_sub_mpi( &V1, &V1, N ) );
-
-    MPI_CHK( mpi_copy( X, &V1 ) );
-
-cleanup:
-
-    mpi_free( &TA ); mpi_free( &TU ); mpi_free( &U1 ); mpi_free( &U2 );
-    mpi_free( &G ); mpi_free( &TB ); mpi_free( &TV );
-    mpi_free( &V1 ); mpi_free( &V2 );
-
-    return( ret );
-}
-
-#if defined(POLARSSL_GENPRIME)
-
-static const int small_prime[] =
-{
-        3,    5,    7,   11,   13,   17,   19,   23,
-       29,   31,   37,   41,   43,   47,   53,   59,
-       61,   67,   71,   73,   79,   83,   89,   97,
-      101,  103,  107,  109,  113,  127,  131,  137,
-      139,  149,  151,  157,  163,  167,  173,  179,
-      181,  191,  193,  197,  199,  211,  223,  227,
-      229,  233,  239,  241,  251,  257,  263,  269,
-      271,  277,  281,  283,  293,  307,  311,  313,
-      317,  331,  337,  347,  349,  353,  359,  367,
-      373,  379,  383,  389,  397,  401,  409,  419,
-      421,  431,  433,  439,  443,  449,  457,  461,
-      463,  467,  479,  487,  491,  499,  503,  509,
-      521,  523,  541,  547,  557,  563,  569,  571,
-      577,  587,  593,  599,  601,  607,  613,  617,
-      619,  631,  641,  643,  647,  653,  659,  661,
-      673,  677,  683,  691,  701,  709,  719,  727,
-      733,  739,  743,  751,  757,  761,  769,  773,
-      787,  797,  809,  811,  821,  823,  827,  829,
-      839,  853,  857,  859,  863,  877,  881,  883,
-      887,  907,  911,  919,  929,  937,  941,  947,
-      953,  967,  971,  977,  983,  991,  997, -103
-};
-
-/*
- * Miller-Rabin primality test  (HAC 4.24)
- */
-int mpi_is_prime( mpi *X,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng )
-{
-    int ret, xs;
-    size_t i, j, n, s;
-    mpi W, R, T, A, RR;
-
-    if( mpi_cmp_int( X, 0 ) == 0 ||
-        mpi_cmp_int( X, 1 ) == 0 )
-        return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
-
-    if( mpi_cmp_int( X, 2 ) == 0 )
-        return( 0 );
-
-    mpi_init( &W ); mpi_init( &R ); mpi_init( &T ); mpi_init( &A );
-    mpi_init( &RR );
-
-    xs = X->s; X->s = 1;
-
-    /*
-     * test trivial factors first
-     */
-    if( ( X->p[0] & 1 ) == 0 )
-        return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
-
-    for( i = 0; small_prime[i] > 0; i++ )
-    {
-        t_uint r;
-
-        if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
-            return( 0 );
-
-        MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
-
-        if( r == 0 )
-            return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
-    }
-
-    /*
-     * W = |X| - 1
-     * R = W >> lsb( W )
-     */
-    MPI_CHK( mpi_sub_int( &W, X, 1 ) );
-    s = mpi_lsb( &W );
-    MPI_CHK( mpi_copy( &R, &W ) );
-    MPI_CHK( mpi_shift_r( &R, s ) );
-
-    i = mpi_msb( X );
-    /*
-     * HAC, table 4.4
-     */
-    n = ( ( i >= 1300 ) ?  2 : ( i >=  850 ) ?  3 :
-          ( i >=  650 ) ?  4 : ( i >=  350 ) ?  8 :
-          ( i >=  250 ) ? 12 : ( i >=  150 ) ? 18 : 27 );
-
-    for( i = 0; i < n; i++ )
-    {
-        /*
-         * pick a random A, 1 < A < |X| - 1
-         */
-        MPI_CHK( mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
-
-        if( mpi_cmp_mpi( &A, &W ) >= 0 )
-        {
-            j = mpi_msb( &A ) - mpi_msb( &W );
-            MPI_CHK( mpi_shift_r( &A, j + 1 ) );
-        }
-        A.p[0] |= 3;
-
-        /*
-         * A = A^R mod |X|
-         */
-        MPI_CHK( mpi_exp_mod( &A, &A, &R, X, &RR ) );
-
-        if( mpi_cmp_mpi( &A, &W ) == 0 ||
-            mpi_cmp_int( &A,  1 ) == 0 )
-            continue;
-
-        j = 1;
-        while( j < s && mpi_cmp_mpi( &A, &W ) != 0 )
-        {
-            /*
-             * A = A * A mod |X|
-             */
-            MPI_CHK( mpi_mul_mpi( &T, &A, &A ) );
-            MPI_CHK( mpi_mod_mpi( &A, &T, X  ) );
-
-            if( mpi_cmp_int( &A, 1 ) == 0 )
-                break;
-
-            j++;
-        }
-
-        /*
-         * not prime if A != |X| - 1 or A == 1
-         */
-        if( mpi_cmp_mpi( &A, &W ) != 0 ||
-            mpi_cmp_int( &A,  1 ) == 0 )
-        {
-            ret = POLARSSL_ERR_MPI_NOT_ACCEPTABLE;
-            break;
-        }
-    }
-
-cleanup:
-
-    X->s = xs;
-
-    mpi_free( &W ); mpi_free( &R ); mpi_free( &T ); mpi_free( &A );
-    mpi_free( &RR );
-
-    return( ret );
-}
-
-/*
- * Prime number generation
- */
-int mpi_gen_prime( mpi *X, size_t nbits, int dh_flag,
-                   int (*f_rng)(void *, unsigned char *, size_t),
-                   void *p_rng )
-{
-    int ret;
-    size_t k, n;
-    mpi Y;
-
-    if( nbits < 3 || nbits > POLARSSL_MPI_MAX_BITS )
-        return( POLARSSL_ERR_MPI_BAD_INPUT_DATA );
-
-    mpi_init( &Y );
-
-    n = BITS_TO_LIMBS( nbits );
-
-    MPI_CHK( mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
-
-    k = mpi_msb( X );
-    if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
-    if( k > nbits ) MPI_CHK( mpi_shift_r( X, k - nbits ) );
-
-    X->p[0] |= 3;
-
-    if( dh_flag == 0 )
-    {
-        while( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) != 0 )
-        {
-            if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
-                goto cleanup;
-
-            MPI_CHK( mpi_add_int( X, X, 2 ) );
-        }
-    }
-    else
-    {
-        MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
-        MPI_CHK( mpi_shift_r( &Y, 1 ) );
-
-        while( 1 )
-        {
-            if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
-            {
-                if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
-                    break;
-
-                if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
-                    goto cleanup;
-            }
-
-            if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
-                goto cleanup;
-
-            MPI_CHK( mpi_add_int( &Y, X, 1 ) );
-            MPI_CHK( mpi_add_int(  X, X, 2 ) );
-            MPI_CHK( mpi_shift_r( &Y, 1 ) );
-        }
-    }
-
-cleanup:
-
-    mpi_free( &Y );
-
-    return( ret );
-}
-
-#endif
-
-#if defined(POLARSSL_SELF_TEST)
-
-#define GCD_PAIR_COUNT  3
-
-static const int gcd_pairs[GCD_PAIR_COUNT][3] =
-{
-    { 693, 609, 21 },
-    { 1764, 868, 28 },
-    { 768454923, 542167814, 1 }
-};
-
-/*
- * Checkup routine
- */
-int mpi_self_test( int verbose )
-{
-    int ret, i;
-    mpi A, E, N, X, Y, U, V;
-
-    mpi_init( &A ); mpi_init( &E ); mpi_init( &N ); mpi_init( &X );
-    mpi_init( &Y ); mpi_init( &U ); mpi_init( &V );
-
-    MPI_CHK( mpi_read_string( &A, 16,
-        "EFE021C2645FD1DC586E69184AF4A31E" \
-        "D5F53E93B5F123FA41680867BA110131" \
-        "944FE7952E2517337780CB0DB80E61AA" \
-        "E7C8DDC6C5C6AADEB34EB38A2F40D5E6" ) );
-
-    MPI_CHK( mpi_read_string( &E, 16,
-        "B2E7EFD37075B9F03FF989C7C5051C20" \
-        "34D2A323810251127E7BF8625A4F49A5" \
-        "F3E27F4DA8BD59C47D6DAABA4C8127BD" \
-        "5B5C25763222FEFCCFC38B832366C29E" ) );
-
-    MPI_CHK( mpi_read_string( &N, 16,
-        "0066A198186C18C10B2F5ED9B522752A" \
-        "9830B69916E535C8F047518A889A43A5" \
-        "94B6BED27A168D31D4A52F88925AA8F5" ) );
-
-    MPI_CHK( mpi_mul_mpi( &X, &A, &N ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "602AB7ECA597A3D6B56FF9829A5E8B85" \
-        "9E857EA95A03512E2BAE7391688D264A" \
-        "A5663B0341DB9CCFD2C4C5F421FEC814" \
-        "8001B72E848A38CAE1C65F78E56ABDEF" \
-        "E12D3C039B8A02D6BE593F0BBBDA56F1" \
-        "ECF677152EF804370C1A305CAF3B5BF1" \
-        "30879B56C61DE584A0F53A2447A51E" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #1 (mul_mpi): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    MPI_CHK( mpi_div_mpi( &X, &Y, &A, &N ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "256567336059E52CAE22925474705F39A94" ) );
-
-    MPI_CHK( mpi_read_string( &V, 16,
-        "6613F26162223DF488E9CD48CC132C7A" \
-        "0AC93C701B001B092E4E5B9F73BCD27B" \
-        "9EE50D0657C77F374E903CDFA4C642" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #2 (div_mpi): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 ||
-        mpi_cmp_mpi( &Y, &V ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-    MPI_CHK( mpi_exp_mod( &X, &A, &E, &N, NULL ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "36E139AEA55215609D2816998ED020BB" \
-        "BD96C37890F65171D948E9BC7CBAA4D9" \
-        "325D24D6A3C12710F10A09FA08AB87" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #3 (exp_mod): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-#if defined(POLARSSL_GENPRIME)
-    MPI_CHK( mpi_inv_mod( &X, &A, &N ) );
-
-    MPI_CHK( mpi_read_string( &U, 16,
-        "003A0AAEDD7E784FC07D8F9EC6E3BFD5" \
-        "C3DBA76456363A10869622EAC2DD84EC" \
-        "C5B8A74DAC4D09E03B5E0BE779F2DF61" ) );
-
-    if( verbose != 0 )
-        printf( "  MPI test #4 (inv_mod): " );
-
-    if( mpi_cmp_mpi( &X, &U ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-#endif
-
-    if( verbose != 0 )
-        printf( "  MPI test #5 (simple gcd): " );
-
-    for ( i = 0; i < GCD_PAIR_COUNT; i++)
-    {
-        MPI_CHK( mpi_lset( &X, gcd_pairs[i][0] ) );
-        MPI_CHK( mpi_lset( &Y, gcd_pairs[i][1] ) );
-
-	    MPI_CHK( mpi_gcd( &A, &X, &Y ) );
-
-	    if( mpi_cmp_int( &A, gcd_pairs[i][2] ) != 0 )
-	    {
-		    if( verbose != 0 )
-			    printf( "failed at %d\n", i );
-
-		    return( 1 );
-	    }
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n" );
-
-cleanup:
-
-    if( ret != 0 && verbose != 0 )
-        printf( "Unexpected error, return code = %08X\n", ret );
-
-    mpi_free( &A ); mpi_free( &E ); mpi_free( &N ); mpi_free( &X );
-    mpi_free( &Y ); mpi_free( &U ); mpi_free( &V );
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( ret );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/bignum.h b/makerom/polarssl/bignum.h
deleted file mode 100644
index ad06b572..00000000
--- a/makerom/polarssl/bignum.h
+++ /dev/null
@@ -1,685 +0,0 @@
-/**
- * \file bignum.h
- *
- * \brief  Multi-precision integer library
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_BIGNUM_H
-#define POLARSSL_BIGNUM_H
-
-#include <stdio.h>
-#include <string.h>
-
-#include "polarssl/config.h"
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-#if (_MSC_VER <= 1200)
-typedef   signed short  int16_t;
-typedef unsigned short uint16_t;
-#else
-typedef  INT16  int16_t;
-typedef UINT16 uint16_t;
-#endif
-typedef  INT32  int32_t;
-typedef  INT64  int64_t;
-typedef UINT32 uint32_t;
-typedef UINT64 uint64_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define POLARSSL_ERR_MPI_FILE_IO_ERROR                     -0x0002  /**< An error occurred while reading from or writing to a file. */
-#define POLARSSL_ERR_MPI_BAD_INPUT_DATA                    -0x0004  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_MPI_INVALID_CHARACTER                 -0x0006  /**< There is an invalid character in the digit string. */
-#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL                  -0x0008  /**< The buffer is too small to write to. */
-#define POLARSSL_ERR_MPI_NEGATIVE_VALUE                    -0x000A  /**< The input arguments are negative or result in illegal output. */
-#define POLARSSL_ERR_MPI_DIVISION_BY_ZERO                  -0x000C  /**< The input argument for division is zero, which is not allowed. */
-#define POLARSSL_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
-#define POLARSSL_ERR_MPI_MALLOC_FAILED                     -0x0010  /**< Memory allocation failed. */
-
-#define MPI_CHK(f) if( ( ret = f ) != 0 ) goto cleanup
-
-/*
- * Maximum size MPIs are allowed to grow to in number of limbs.
- */
-#define POLARSSL_MPI_MAX_LIMBS                             10000
-
-#if !defined(POLARSSL_CONFIG_OPTIONS)
-/*
- * Maximum window size used for modular exponentiation. Default: 6
- * Minimum value: 1. Maximum value: 6.
- *
- * Result is an array of ( 2 << POLARSSL_MPI_WINDOW_SIZE ) MPIs used
- * for the sliding window calculation. (So 64 by default)
- *
- * Reduction in size, reduces speed.
- */
-#define POLARSSL_MPI_WINDOW_SIZE                           6        /**< Maximum windows size used. */
-
-/*
- * Maximum size of MPIs allowed in bits and bytes for user-MPIs.
- * ( Default: 512 bytes => 4096 bits, Maximum tested: 2048 bytes => 16384 bits )
- *
- * Note: Calculations can results temporarily in larger MPIs. So the number
- * of limbs required (POLARSSL_MPI_MAX_LIMBS) is higher.
- */
-#define POLARSSL_MPI_MAX_SIZE                              512      /**< Maximum number of bytes for usable MPIs. */
-
-#endif /* !POLARSSL_CONFIG_OPTIONS */
-
-#define POLARSSL_MPI_MAX_BITS                              ( 8 * POLARSSL_MPI_MAX_SIZE )    /**< Maximum number of bits for usable MPIs. */
-
-/*
- * When reading from files with mpi_read_file() and writing to files with
- * mpi_write_file() the buffer should have space
- * for a (short) label, the MPI (in the provided radix), the newline
- * characters and the '\0'.
- *
- * By default we assume at least a 10 char label, a minimum radix of 10
- * (decimal) and a maximum of 4096 bit numbers (1234 decimal chars).
- * Autosized at compile time for at least a 10 char label, a minimum radix
- * of 10 (decimal) for a number of POLARSSL_MPI_MAX_BITS size.
- *
- * This used to be statically sized to 1250 for a maximum of 4096 bit
- * numbers (1234 decimal chars).
- *
- * Calculate using the formula:
- *  POLARSSL_MPI_RW_BUFFER_SIZE = ceil(POLARSSL_MPI_MAX_BITS / ln(10) * ln(2)) +
- *                                LabelSize + 6
- */
-#define POLARSSL_MPI_MAX_BITS_SCALE100          ( 100 * POLARSSL_MPI_MAX_BITS )
-#define LN_2_DIV_LN_10_SCALE100                 332
-#define POLARSSL_MPI_RW_BUFFER_SIZE             ( ((POLARSSL_MPI_MAX_BITS_SCALE100 + LN_2_DIV_LN_10_SCALE100 - 1) / LN_2_DIV_LN_10_SCALE100) + 10 + 6 )
-
-/*
- * Define the base integer type, architecture-wise
- */
-#if defined(POLARSSL_HAVE_INT8)
-typedef   signed char  t_sint;
-typedef unsigned char  t_uint;
-typedef uint16_t       t_udbl;
-#define POLARSSL_HAVE_UDBL
-#else
-#if defined(POLARSSL_HAVE_INT16)
-typedef  int16_t t_sint;
-typedef uint16_t t_uint;
-typedef uint32_t t_udbl;
-#define POLARSSL_HAVE_UDBL
-#else
-  #if ( defined(_MSC_VER) && defined(_M_AMD64) )
-    typedef  int64_t t_sint;
-    typedef uint64_t t_uint;
-  #else
-    #if ( defined(__GNUC__) && (                          \
-          defined(__amd64__) || defined(__x86_64__)    || \
-          defined(__ppc64__) || defined(__powerpc64__) || \
-          defined(__ia64__)  || defined(__alpha__)     || \
-          (defined(__sparc__) && defined(__arch64__))  || \
-          defined(__s390x__) ) )
-       typedef  int64_t t_sint;
-       typedef uint64_t t_uint;
-       typedef unsigned int t_udbl __attribute__((mode(TI)));
-       #define POLARSSL_HAVE_UDBL
-    #else
-       typedef  int32_t t_sint;
-       typedef uint32_t t_uint;
-       #if ( defined(_MSC_VER) && defined(_M_IX86) )
-         typedef uint64_t t_udbl;
-         #define POLARSSL_HAVE_UDBL
-       #else
-         #if defined( POLARSSL_HAVE_LONGLONG )
-           typedef unsigned long long t_udbl;
-           #define POLARSSL_HAVE_UDBL
-         #endif
-       #endif
-    #endif
-  #endif
-#endif /* POLARSSL_HAVE_INT16 */
-#endif /* POLARSSL_HAVE_INT8  */
-
-/**
- * \brief          MPI structure
- */
-typedef struct
-{
-    int s;              /*!<  integer sign      */
-    size_t n;           /*!<  total # of limbs  */
-    t_uint *p;          /*!<  pointer to limbs  */
-}
-mpi;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief           Initialize one MPI
- *
- * \param X         One MPI to initialize.
- */
-void mpi_init( mpi *X );
-
-/**
- * \brief          Unallocate one MPI
- *
- * \param X        One MPI to unallocate.
- */
-void mpi_free( mpi *X );
-
-/**
- * \brief          Enlarge to the specified number of limbs
- *
- * \param X        MPI to grow
- * \param nblimbs  The target number of limbs
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_grow( mpi *X, size_t nblimbs );
-
-/**
- * \brief          Copy the contents of Y into X
- *
- * \param X        Destination MPI
- * \param Y        Source MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_copy( mpi *X, const mpi *Y );
-
-/**
- * \brief          Swap the contents of X and Y
- *
- * \param X        First MPI value
- * \param Y        Second MPI value
- */
-void mpi_swap( mpi *X, mpi *Y );
-
-/**
- * \brief          Set value from integer
- *
- * \param X        MPI to set
- * \param z        Value to use
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_lset( mpi *X, t_sint z );
-
-/**
- * \brief          Get a specific bit from X
- *
- * \param X        MPI to use
- * \param pos      Zero-based index of the bit in X
- *
- * \return         Either a 0 or a 1
- */
-int mpi_get_bit( const mpi *X, size_t pos );
-
-/**
- * \brief          Set a bit of X to a specific value of 0 or 1
- *
- * \note           Will grow X if necessary to set a bit to 1 in a not yet
- *                 existing limb. Will not grow if bit should be set to 0
- *
- * \param X        MPI to use
- * \param pos      Zero-based index of the bit in X
- * \param val      The value to set the bit to (0 or 1)
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if val is not 0 or 1
- */
-int mpi_set_bit( mpi *X, size_t pos, unsigned char val );
-
-/**
- * \brief          Return the number of zero-bits before the least significant
- *                 '1' bit
- *
- * Note: Thus also the zero-based index of the least significant '1' bit
- *
- * \param X        MPI to use
- */
-size_t mpi_lsb( const mpi *X );
-
-/**
- * \brief          Return the number of bits up to and including the most
- *                 significant '1' bit'
- *
- * Note: Thus also the one-based index of the most significant '1' bit
- *
- * \param X        MPI to use
- */
-size_t mpi_msb( const mpi *X );
-
-/**
- * \brief          Return the total size in bytes
- *
- * \param X        MPI to use
- */
-size_t mpi_size( const mpi *X );
-
-/**
- * \brief          Import from an ASCII string
- *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param s        Null-terminated string buffer
- *
- * \return         0 if successful, or a POLARSSL_ERR_MPI_XXX error code
- */
-int mpi_read_string( mpi *X, int radix, const char *s );
-
-/**
- * \brief          Export into an ASCII string
- *
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param s        String buffer
- * \param slen     String buffer size
- *
- * \return         0 if successful, or a POLARSSL_ERR_MPI_XXX error code.
- *                 *slen is always updated to reflect the amount
- *                 of data that has (or would have) been written.
- *
- * \note           Call this function with *slen = 0 to obtain the
- *                 minimum required buffer size in *slen.
- */
-int mpi_write_string( const mpi *X, int radix, char *s, size_t *slen );
-
-#if defined(POLARSSL_FS_IO)
-/**
- * \brief          Read X from an opened file
- *
- * \param X        Destination MPI
- * \param radix    Input numeric base
- * \param fin      Input file handle
- *
- * \return         0 if successful, POLARSSL_ERR_MPI_BUFFER_TOO_SMALL if
- *                 the file read buffer is too small or a
- *                 POLARSSL_ERR_MPI_XXX error code
- */
-int mpi_read_file( mpi *X, int radix, FILE *fin );
-
-/**
- * \brief          Write X into an opened file, or stdout if fout is NULL
- *
- * \param p        Prefix, can be NULL
- * \param X        Source MPI
- * \param radix    Output numeric base
- * \param fout     Output file handle (can be NULL)
- *
- * \return         0 if successful, or a POLARSSL_ERR_MPI_XXX error code
- *
- * \note           Set fout == NULL to print X on the console.
- */
-int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout );
-#endif /* POLARSSL_FS_IO */
-
-/**
- * \brief          Import X from unsigned binary data, big endian
- *
- * \param X        Destination MPI
- * \param buf      Input buffer
- * \param buflen   Input buffer size
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen );
-
-/**
- * \brief          Export X into unsigned binary data, big endian
- *
- * \param X        Source MPI
- * \param buf      Output buffer
- * \param buflen   Output buffer size
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_BUFFER_TOO_SMALL if buf isn't large enough
- */
-int mpi_write_binary( const mpi *X, unsigned char *buf, size_t buflen );
-
-/**
- * \brief          Left-shift: X <<= count
- *
- * \param X        MPI to shift
- * \param count    Amount to shift
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_shift_l( mpi *X, size_t count );
-
-/**
- * \brief          Right-shift: X >>= count
- *
- * \param X        MPI to shift
- * \param count    Amount to shift
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_shift_r( mpi *X, size_t count );
-
-/**
- * \brief          Compare unsigned values
- *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
- *
- * \return         1 if |X| is greater than |Y|,
- *                -1 if |X| is lesser  than |Y| or
- *                 0 if |X| is equal to |Y|
- */
-int mpi_cmp_abs( const mpi *X, const mpi *Y );
-
-/**
- * \brief          Compare signed values
- *
- * \param X        Left-hand MPI
- * \param Y        Right-hand MPI
- *
- * \return         1 if X is greater than Y,
- *                -1 if X is lesser  than Y or
- *                 0 if X is equal to Y
- */
-int mpi_cmp_mpi( const mpi *X, const mpi *Y );
-
-/**
- * \brief          Compare signed values
- *
- * \param X        Left-hand MPI
- * \param z        The integer value to compare to
- *
- * \return         1 if X is greater than z,
- *                -1 if X is lesser  than z or
- *                 0 if X is equal to z
- */
-int mpi_cmp_int( const mpi *X, t_sint z );
-
-/**
- * \brief          Unsigned addition: X = |A| + |B|
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_add_abs( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Unsigned substraction: X = |A| - |B|
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_NEGATIVE_VALUE if B is greater than A
- */
-int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Signed addition: X = A + B
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Signed substraction: X = A - B
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Signed addition: X = A + b
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to add
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_add_int( mpi *X, const mpi *A, t_sint b );
-
-/**
- * \brief          Signed substraction: X = A - b
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to subtract
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_sub_int( mpi *X, const mpi *A, t_sint b );
-
-/**
- * \brief          Baseline multiplication: X = A * B
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B );
-
-/**
- * \brief          Baseline multiplication: X = A * b
- *                 Note: b is an unsigned integer type, thus
- *                 Negative values of b are ignored.
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param b        The integer value to multiply with
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_mul_int( mpi *X, const mpi *A, t_sint b );
-
-/**
- * \brief          Division by mpi: A = Q * B + R
- *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if B == 0
- *
- * \note           Either Q or R can be NULL.
- */
-int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B );
-
-/**
- * \brief          Division by int: A = Q * b + R
- *
- * \param Q        Destination MPI for the quotient
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
- *
- * \note           Either Q or R can be NULL.
- */
-int mpi_div_int( mpi *Q, mpi *R, const mpi *A, t_sint b );
-
-/**
- * \brief          Modulo: R = A mod B
- *
- * \param R        Destination MPI for the rest value
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if B == 0,
- *                 POLARSSL_ERR_MPI_NEGATIVE_VALUE if B < 0
- */
-int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B );
-
-/**
- * \brief          Modulo: r = A mod b
- *
- * \param r        Destination t_uint
- * \param A        Left-hand MPI
- * \param b        Integer to divide by
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0,
- *                 POLARSSL_ERR_MPI_NEGATIVE_VALUE if b < 0
- */
-int mpi_mod_int( t_uint *r, const mpi *A, t_sint b );
-
-/**
- * \brief          Sliding-window exponentiation: X = A^E mod N
- *
- * \param X        Destination MPI 
- * \param A        Left-hand MPI
- * \param E        Exponent MPI
- * \param N        Modular MPI
- * \param _RR      Speed-up MPI used for recalculations
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if N is negative or even or if
- *                 E is negative
- *
- * \note           _RR is used to avoid re-computing R*R mod N across
- *                 multiple calls, which speeds up things a bit. It can
- *                 be set to NULL if the extra performance is unneeded.
- */
-int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR );
-
-/**
- * \brief          Fill an MPI X with size bytes of random
- *
- * \param X        Destination MPI
- * \param size     Size in bytes
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_fill_random( mpi *X, size_t size,
-                     int (*f_rng)(void *, unsigned char *, size_t),
-                     void *p_rng );
-
-/**
- * \brief          Greatest common divisor: G = gcd(A, B)
- *
- * \param G        Destination MPI
- * \param A        Left-hand MPI
- * \param B        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed
- */
-int mpi_gcd( mpi *G, const mpi *A, const mpi *B );
-
-/**
- * \brief          Modular inverse: X = A^-1 mod N
- *
- * \param X        Destination MPI
- * \param A        Left-hand MPI
- * \param N        Right-hand MPI
- *
- * \return         0 if successful,
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if N is negative or nil
-                   POLARSSL_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N
- */
-int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N );
-
-/**
- * \brief          Miller-Rabin primality test
- *
- * \param X        MPI to check
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \return         0 if successful (probably prime),
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_NOT_ACCEPTABLE if X is not prime
- */
-int mpi_is_prime( mpi *X,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng );
-
-/**
- * \brief          Prime number generation
- *
- * \param X        Destination MPI
- * \param nbits    Required size of X in bits ( 3 <= nbits <= POLARSSL_MPI_MAX_BITS )
- * \param dh_flag  If 1, then (X-1)/2 will be prime too
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- *
- * \return         0 if successful (probably prime),
- *                 POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed,
- *                 POLARSSL_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
- */
-int mpi_gen_prime( mpi *X, size_t nbits, int dh_flag,
-                   int (*f_rng)(void *, unsigned char *, size_t),
-                   void *p_rng );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int mpi_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* bignum.h */
diff --git a/makerom/polarssl/bn_mul.h b/makerom/polarssl/bn_mul.h
deleted file mode 100644
index 6d6c1821..00000000
--- a/makerom/polarssl/bn_mul.h
+++ /dev/null
@@ -1,864 +0,0 @@
-/**
- * \file bn_mul.h
- *
- * \brief  Multi-precision integer library
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *      Multiply source vector [s] with b, add result
- *       to destination vector [d] and set carry c.
- *
- *      Currently supports:
- *
- *         . IA-32 (386+)         . AMD64 / EM64T
- *         . IA-32 (SSE2)         . Motorola 68000
- *         . PowerPC, 32-bit      . MicroBlaze
- *         . PowerPC, 64-bit      . TriCore
- *         . SPARC v8             . ARM v3+
- *         . Alpha                . MIPS32
- *         . C, longlong          . C, generic
- */
-#ifndef POLARSSL_BN_MUL_H
-#define POLARSSL_BN_MUL_H
-
-#include "polarssl/bignum.h"
-
-#if defined(POLARSSL_HAVE_ASM)
-
-#if defined(__GNUC__)
-#if defined(__i386__)
-
-#define MULADDC_INIT                \
-    __asm__( "                          \
-        movl   %%ebx, %0;           \
-        movl   %5, %%esi;           \
-        movl   %6, %%edi;           \
-        movl   %7, %%ecx;           \
-        movl   %8, %%ebx;           \
-        "
-
-#define MULADDC_CORE                \
-        "                           \
-        lodsl;                      \
-        mull   %%ebx;               \
-        addl   %%ecx,   %%eax;      \
-        adcl   $0,      %%edx;      \
-        addl   (%%edi), %%eax;      \
-        adcl   $0,      %%edx;      \
-        movl   %%edx,   %%ecx;      \
-        stosl;                      \
-        "
-
-#if defined(POLARSSL_HAVE_SSE2)
-
-#define MULADDC_HUIT                    \
-        "                               \
-        movd     %%ecx,     %%mm1;      \
-        movd     %%ebx,     %%mm0;      \
-        movd     (%%edi),   %%mm3;      \
-        paddq    %%mm3,     %%mm1;      \
-        movd     (%%esi),   %%mm2;      \
-        pmuludq  %%mm0,     %%mm2;      \
-        movd     4(%%esi),  %%mm4;      \
-        pmuludq  %%mm0,     %%mm4;      \
-        movd     8(%%esi),  %%mm6;      \
-        pmuludq  %%mm0,     %%mm6;      \
-        movd     12(%%esi), %%mm7;      \
-        pmuludq  %%mm0,     %%mm7;      \
-        paddq    %%mm2,     %%mm1;      \
-        movd     4(%%edi),  %%mm3;      \
-        paddq    %%mm4,     %%mm3;      \
-        movd     8(%%edi),  %%mm5;      \
-        paddq    %%mm6,     %%mm5;      \
-        movd     12(%%edi), %%mm4;      \
-        paddq    %%mm4,     %%mm7;      \
-        movd     %%mm1,     (%%edi);    \
-        movd     16(%%esi), %%mm2;      \
-        pmuludq  %%mm0,     %%mm2;      \
-        psrlq    $32,       %%mm1;      \
-        movd     20(%%esi), %%mm4;      \
-        pmuludq  %%mm0,     %%mm4;      \
-        paddq    %%mm3,     %%mm1;      \
-        movd     24(%%esi), %%mm6;      \
-        pmuludq  %%mm0,     %%mm6;      \
-        movd     %%mm1,     4(%%edi);   \
-        psrlq    $32,       %%mm1;      \
-        movd     28(%%esi), %%mm3;      \
-        pmuludq  %%mm0,     %%mm3;      \
-        paddq    %%mm5,     %%mm1;      \
-        movd     16(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm2;      \
-        movd     %%mm1,     8(%%edi);   \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm7,     %%mm1;      \
-        movd     20(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm4;      \
-        movd     %%mm1,     12(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm2,     %%mm1;      \
-        movd     24(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm6;      \
-        movd     %%mm1,     16(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm4,     %%mm1;      \
-        movd     28(%%edi), %%mm5;      \
-        paddq    %%mm5,     %%mm3;      \
-        movd     %%mm1,     20(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm6,     %%mm1;      \
-        movd     %%mm1,     24(%%edi);  \
-        psrlq    $32,       %%mm1;      \
-        paddq    %%mm3,     %%mm1;      \
-        movd     %%mm1,     28(%%edi);  \
-        addl     $32,       %%edi;      \
-        addl     $32,       %%esi;      \
-        psrlq    $32,       %%mm1;      \
-        movd     %%mm1,     %%ecx;      \
-        "
-
-#define MULADDC_STOP            \
-        "                       \
-        emms;                   \
-        movl   %4, %%ebx;       \
-        movl   %%ecx, %1;       \
-        movl   %%edi, %2;       \
-        movl   %%esi, %3;       \
-        "                       \
-        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
-        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-        : "eax", "ecx", "edx", "esi", "edi"             \
-    );
-
-#else
-
-#define MULADDC_STOP            \
-        "                       \
-        movl   %4, %%ebx;       \
-        movl   %%ecx, %1;       \
-        movl   %%edi, %2;       \
-        movl   %%esi, %3;       \
-        "                       \
-        : "=m" (t), "=m" (c), "=m" (d), "=m" (s)        \
-        : "m" (t), "m" (s), "m" (d), "m" (c), "m" (b)   \
-        : "eax", "ecx", "edx", "esi", "edi"             \
-    );
-#endif /* SSE2 */
-#endif /* i386 */
-
-#if defined(__amd64__) || defined (__x86_64__)
-
-#define MULADDC_INIT                            \
-    __asm__( "movq   %0, %%rsi      " :: "m" (s));  \
-    __asm__( "movq   %0, %%rdi      " :: "m" (d));  \
-    __asm__( "movq   %0, %%rcx      " :: "m" (c));  \
-    __asm__( "movq   %0, %%rbx      " :: "m" (b));  \
-    __asm__( "xorq   %r8, %r8       " );
-
-#define MULADDC_CORE                            \
-    __asm__( "movq  (%rsi),%rax     " );            \
-    __asm__( "mulq   %rbx           " );            \
-    __asm__( "addq   $8,   %rsi     " );            \
-    __asm__( "addq   %rcx, %rax     " );            \
-    __asm__( "movq   %r8,  %rcx     " );            \
-    __asm__( "adcq   $0,   %rdx     " );            \
-    __asm__( "nop                   " );            \
-    __asm__( "addq   %rax, (%rdi)   " );            \
-    __asm__( "adcq   %rdx, %rcx     " );            \
-    __asm__( "addq   $8,   %rdi     " );
-
-#define MULADDC_STOP                            \
-    __asm__( "movq   %%rcx, %0      " : "=m" (c));  \
-    __asm__( "movq   %%rdi, %0      " : "=m" (d));  \
-    __asm__( "movq   %%rsi, %0      " : "=m" (s) :: \
-    "rax", "rcx", "rdx", "rbx", "rsi", "rdi", "r8" );
-
-#endif /* AMD64 */
-
-#if defined(__mc68020__) || defined(__mcpu32__)
-
-#define MULADDC_INIT                            \
-    __asm__( "movl   %0, %%a2       " :: "m" (s));  \
-    __asm__( "movl   %0, %%a3       " :: "m" (d));  \
-    __asm__( "movl   %0, %%d3       " :: "m" (c));  \
-    __asm__( "movl   %0, %%d2       " :: "m" (b));  \
-    __asm__( "moveq  #0, %d0        " );
-
-#define MULADDC_CORE                            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d4:%d1   " );            \
-    __asm__( "addl   %d3, %d1       " );            \
-    __asm__( "addxl  %d0, %d4       " );            \
-    __asm__( "moveq  #0,  %d3       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "addxl  %d4, %d3       " );
-
-#define MULADDC_STOP                            \
-    __asm__( "movl   %%d3, %0       " : "=m" (c));  \
-    __asm__( "movl   %%a3, %0       " : "=m" (d));  \
-    __asm__( "movl   %%a2, %0       " : "=m" (s) :: \
-    "d0", "d1", "d2", "d3", "d4", "a2", "a3" );
-
-#define MULADDC_HUIT                            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d4:%d1   " );            \
-    __asm__( "addxl  %d3, %d1       " );            \
-    __asm__( "addxl  %d0, %d4       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d3:%d1   " );            \
-    __asm__( "addxl  %d4, %d1       " );            \
-    __asm__( "addxl  %d0, %d3       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d4:%d1   " );            \
-    __asm__( "addxl  %d3, %d1       " );            \
-    __asm__( "addxl  %d0, %d4       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d3:%d1   " );            \
-    __asm__( "addxl  %d4, %d1       " );            \
-    __asm__( "addxl  %d0, %d3       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d4:%d1   " );            \
-    __asm__( "addxl  %d3, %d1       " );            \
-    __asm__( "addxl  %d0, %d4       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d3:%d1   " );            \
-    __asm__( "addxl  %d4, %d1       " );            \
-    __asm__( "addxl  %d0, %d3       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d4:%d1   " );            \
-    __asm__( "addxl  %d3, %d1       " );            \
-    __asm__( "addxl  %d0, %d4       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "movel  %a2@+, %d1     " );            \
-    __asm__( "mulul  %d2, %d3:%d1   " );            \
-    __asm__( "addxl  %d4, %d1       " );            \
-    __asm__( "addxl  %d0, %d3       " );            \
-    __asm__( "addl   %d1, %a3@+     " );            \
-    __asm__( "addxl  %d0, %d3       " );
-
-#endif /* MC68000 */
-
-#if defined(__powerpc__)   || defined(__ppc__)
-#if defined(__powerpc64__) || defined(__ppc64__)
-
-#if defined(__MACH__) && defined(__APPLE__)
-
-#define MULADDC_INIT                            \
-    __asm__( "ld     r3, %0         " :: "m" (s));  \
-    __asm__( "ld     r4, %0         " :: "m" (d));  \
-    __asm__( "ld     r5, %0         " :: "m" (c));  \
-    __asm__( "ld     r6, %0         " :: "m" (b));  \
-    __asm__( "addi   r3, r3, -8     " );            \
-    __asm__( "addi   r4, r4, -8     " );            \
-    __asm__( "addic  r5, r5,  0     " );
-
-#define MULADDC_CORE                            \
-    __asm__( "ldu    r7, 8(r3)      " );            \
-    __asm__( "mulld  r8, r7, r6     " );            \
-    __asm__( "mulhdu r9, r7, r6     " );            \
-    __asm__( "adde   r8, r8, r5     " );            \
-    __asm__( "ld     r7, 8(r4)      " );            \
-    __asm__( "addze  r5, r9         " );            \
-    __asm__( "addc   r8, r8, r7     " );            \
-    __asm__( "stdu   r8, 8(r4)      " );
-
-#define MULADDC_STOP                            \
-    __asm__( "addze  r5, r5         " );            \
-    __asm__( "addi   r4, r4, 8      " );            \
-    __asm__( "addi   r3, r3, 8      " );            \
-    __asm__( "std    r5, %0         " : "=m" (c));  \
-    __asm__( "std    r4, %0         " : "=m" (d));  \
-    __asm__( "std    r3, %0         " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#else
-
-#define MULADDC_INIT                            \
-    __asm__( "ld     %%r3, %0       " :: "m" (s));  \
-    __asm__( "ld     %%r4, %0       " :: "m" (d));  \
-    __asm__( "ld     %%r5, %0       " :: "m" (c));  \
-    __asm__( "ld     %%r6, %0       " :: "m" (b));  \
-    __asm__( "addi   %r3, %r3, -8   " );            \
-    __asm__( "addi   %r4, %r4, -8   " );            \
-    __asm__( "addic  %r5, %r5,  0   " );
-
-#define MULADDC_CORE                            \
-    __asm__( "ldu    %r7, 8(%r3)    " );            \
-    __asm__( "mulld  %r8, %r7, %r6  " );            \
-    __asm__( "mulhdu %r9, %r7, %r6  " );            \
-    __asm__( "adde   %r8, %r8, %r5  " );            \
-    __asm__( "ld     %r7, 8(%r4)    " );            \
-    __asm__( "addze  %r5, %r9       " );            \
-    __asm__( "addc   %r8, %r8, %r7  " );            \
-    __asm__( "stdu   %r8, 8(%r4)    " );
-
-#define MULADDC_STOP                            \
-    __asm__( "addze  %r5, %r5       " );            \
-    __asm__( "addi   %r4, %r4, 8    " );            \
-    __asm__( "addi   %r3, %r3, 8    " );            \
-    __asm__( "std    %%r5, %0       " : "=m" (c));  \
-    __asm__( "std    %%r4, %0       " : "=m" (d));  \
-    __asm__( "std    %%r3, %0       " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#endif
-
-#else /* PPC32 */
-
-#if defined(__MACH__) && defined(__APPLE__)
-
-#define MULADDC_INIT                            \
-    __asm__( "lwz    r3, %0         " :: "m" (s));  \
-    __asm__( "lwz    r4, %0         " :: "m" (d));  \
-    __asm__( "lwz    r5, %0         " :: "m" (c));  \
-    __asm__( "lwz    r6, %0         " :: "m" (b));  \
-    __asm__( "addi   r3, r3, -4     " );            \
-    __asm__( "addi   r4, r4, -4     " );            \
-    __asm__( "addic  r5, r5,  0     " );
-
-#define MULADDC_CORE                            \
-    __asm__( "lwzu   r7, 4(r3)      " );            \
-    __asm__( "mullw  r8, r7, r6     " );            \
-    __asm__( "mulhwu r9, r7, r6     " );            \
-    __asm__( "adde   r8, r8, r5     " );            \
-    __asm__( "lwz    r7, 4(r4)      " );            \
-    __asm__( "addze  r5, r9         " );            \
-    __asm__( "addc   r8, r8, r7     " );            \
-    __asm__( "stwu   r8, 4(r4)      " );
-
-#define MULADDC_STOP                            \
-    __asm__( "addze  r5, r5         " );            \
-    __asm__( "addi   r4, r4, 4      " );            \
-    __asm__( "addi   r3, r3, 4      " );            \
-    __asm__( "stw    r5, %0         " : "=m" (c));  \
-    __asm__( "stw    r4, %0         " : "=m" (d));  \
-    __asm__( "stw    r3, %0         " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#else
-
-#define MULADDC_INIT                            \
-    __asm__( "lwz    %%r3, %0       " :: "m" (s));  \
-    __asm__( "lwz    %%r4, %0       " :: "m" (d));  \
-    __asm__( "lwz    %%r5, %0       " :: "m" (c));  \
-    __asm__( "lwz    %%r6, %0       " :: "m" (b));  \
-    __asm__( "addi   %r3, %r3, -4   " );            \
-    __asm__( "addi   %r4, %r4, -4   " );            \
-    __asm__( "addic  %r5, %r5,  0   " );
-
-#define MULADDC_CORE                            \
-    __asm__( "lwzu   %r7, 4(%r3)    " );            \
-    __asm__( "mullw  %r8, %r7, %r6  " );            \
-    __asm__( "mulhwu %r9, %r7, %r6  " );            \
-    __asm__( "adde   %r8, %r8, %r5  " );            \
-    __asm__( "lwz    %r7, 4(%r4)    " );            \
-    __asm__( "addze  %r5, %r9       " );            \
-    __asm__( "addc   %r8, %r8, %r7  " );            \
-    __asm__( "stwu   %r8, 4(%r4)    " );
-
-#define MULADDC_STOP                            \
-    __asm__( "addze  %r5, %r5       " );            \
-    __asm__( "addi   %r4, %r4, 4    " );            \
-    __asm__( "addi   %r3, %r3, 4    " );            \
-    __asm__( "stw    %%r5, %0       " : "=m" (c));  \
-    __asm__( "stw    %%r4, %0       " : "=m" (d));  \
-    __asm__( "stw    %%r3, %0       " : "=m" (s) :: \
-    "r3", "r4", "r5", "r6", "r7", "r8", "r9" );
-
-#endif
-
-#endif /* PPC32 */
-#endif /* PPC64 */
-
-#if defined(__sparc__) && defined(__sparc64__)
-
-#define MULADDC_INIT                            \
-    __asm__(                                        \
-         "                                      \
-                ldx     %3, %%o0;               \
-                ldx     %4, %%o1;               \
-                ld      %5, %%o2;               \
-                ld      %6, %%o3;               \
-         "
-
-#define MULADDC_CORE                            \
-         "                                      \
-                ld      [%%o0], %%o4;           \
-                inc     4, %%o0;                \
-                ld      [%%o1], %%o5;           \
-                umul    %%o3, %%o4, %%o4;       \
-                addcc   %%o4, %%o2, %%o4;       \
-                rd      %%y, %%g1;              \
-                addx    %%g1, 0, %%g1;          \
-                addcc   %%o4, %%o5, %%o4;       \
-                st      %%o4, [%%o1];           \
-                addx    %%g1, 0, %%o2;          \
-                inc     4, %%o1;                \
-        "
-
-#define MULADDC_STOP                            \
-        "                                       \
-                st      %%o2, %0;               \
-                stx     %%o1, %1;               \
-                stx     %%o0, %2;               \
-        "                                       \
-        : "=m" (c), "=m" (d), "=m" (s)          \
-        : "m" (s), "m" (d), "m" (c), "m" (b)    \
-        : "g1", "o0", "o1", "o2", "o3", "o4",   \
-          "o5"                                  \
-        );
-#endif /* SPARCv9 */
-
-#if defined(__sparc__) && !defined(__sparc64__)
-
-#define MULADDC_INIT                            \
-    __asm__(                                        \
-         "                                      \
-                ld      %3, %%o0;               \
-                ld      %4, %%o1;               \
-                ld      %5, %%o2;               \
-                ld      %6, %%o3;               \
-         "
-
-#define MULADDC_CORE                            \
-         "                                      \
-                ld      [%%o0], %%o4;           \
-                inc     4, %%o0;                \
-                ld      [%%o1], %%o5;           \
-                umul    %%o3, %%o4, %%o4;       \
-                addcc   %%o4, %%o2, %%o4;       \
-                rd      %%y, %%g1;              \
-                addx    %%g1, 0, %%g1;          \
-                addcc   %%o4, %%o5, %%o4;       \
-                st      %%o4, [%%o1];           \
-                addx    %%g1, 0, %%o2;          \
-                inc     4, %%o1;                \
-        "
-
-#define MULADDC_STOP                            \
-        "                                       \
-                st      %%o2, %0;               \
-                st      %%o1, %1;               \
-                st      %%o0, %2;               \
-        "                                       \
-        : "=m" (c), "=m" (d), "=m" (s)          \
-        : "m" (s), "m" (d), "m" (c), "m" (b)    \
-        : "g1", "o0", "o1", "o2", "o3", "o4",   \
-          "o5"                                  \
-        );
-
-#endif /* SPARCv8 */
-
-#if defined(__microblaze__) || defined(microblaze)
-
-#define MULADDC_INIT                            \
-    __asm__( "lwi   r3,   %0        " :: "m" (s));  \
-    __asm__( "lwi   r4,   %0        " :: "m" (d));  \
-    __asm__( "lwi   r5,   %0        " :: "m" (c));  \
-    __asm__( "lwi   r6,   %0        " :: "m" (b));  \
-    __asm__( "andi  r7,   r6, 0xffff" );            \
-    __asm__( "bsrli r6,   r6, 16    " );
-
-#define MULADDC_CORE                            \
-    __asm__( "lhui  r8,   r3,   0   " );            \
-    __asm__( "addi  r3,   r3,   2   " );            \
-    __asm__( "lhui  r9,   r3,   0   " );            \
-    __asm__( "addi  r3,   r3,   2   " );            \
-    __asm__( "mul   r10,  r9,  r6   " );            \
-    __asm__( "mul   r11,  r8,  r7   " );            \
-    __asm__( "mul   r12,  r9,  r7   " );            \
-    __asm__( "mul   r13,  r8,  r6   " );            \
-    __asm__( "bsrli  r8, r10,  16   " );            \
-    __asm__( "bsrli  r9, r11,  16   " );            \
-    __asm__( "add   r13, r13,  r8   " );            \
-    __asm__( "add   r13, r13,  r9   " );            \
-    __asm__( "bslli r10, r10,  16   " );            \
-    __asm__( "bslli r11, r11,  16   " );            \
-    __asm__( "add   r12, r12, r10   " );            \
-    __asm__( "addc  r13, r13,  r0   " );            \
-    __asm__( "add   r12, r12, r11   " );            \
-    __asm__( "addc  r13, r13,  r0   " );            \
-    __asm__( "lwi   r10,  r4,   0   " );            \
-    __asm__( "add   r12, r12, r10   " );            \
-    __asm__( "addc  r13, r13,  r0   " );            \
-    __asm__( "add   r12, r12,  r5   " );            \
-    __asm__( "addc   r5, r13,  r0   " );            \
-    __asm__( "swi   r12,  r4,   0   " );            \
-    __asm__( "addi   r4,  r4,   4   " );
-
-#define MULADDC_STOP                            \
-    __asm__( "swi   r5,   %0        " : "=m" (c));  \
-    __asm__( "swi   r4,   %0        " : "=m" (d));  \
-    __asm__( "swi   r3,   %0        " : "=m" (s) :: \
-     "r3", "r4" , "r5" , "r6" , "r7" , "r8" ,   \
-     "r9", "r10", "r11", "r12", "r13" );
-
-#endif /* MicroBlaze */
-
-#if defined(__tricore__)
-
-#define MULADDC_INIT                            \
-    __asm__( "ld.a   %%a2, %0       " :: "m" (s));  \
-    __asm__( "ld.a   %%a3, %0       " :: "m" (d));  \
-    __asm__( "ld.w   %%d4, %0       " :: "m" (c));  \
-    __asm__( "ld.w   %%d1, %0       " :: "m" (b));  \
-    __asm__( "xor    %d5, %d5       " );
-
-#define MULADDC_CORE                            \
-    __asm__( "ld.w   %d0,   [%a2+]      " );        \
-    __asm__( "madd.u %e2, %e4, %d0, %d1 " );        \
-    __asm__( "ld.w   %d0,   [%a3]       " );        \
-    __asm__( "addx   %d2,    %d2,  %d0  " );        \
-    __asm__( "addc   %d3,    %d3,    0  " );        \
-    __asm__( "mov    %d4,    %d3        " );        \
-    __asm__( "st.w  [%a3+],  %d2        " );
-
-#define MULADDC_STOP                            \
-    __asm__( "st.w   %0, %%d4       " : "=m" (c));  \
-    __asm__( "st.a   %0, %%a3       " : "=m" (d));  \
-    __asm__( "st.a   %0, %%a2       " : "=m" (s) :: \
-    "d0", "d1", "e2", "d4", "a2", "a3" );
-
-#endif /* TriCore */
-
-#if defined(__arm__)
-
-#if defined(__thumb__) && !defined(__thumb2__)
-
-#define MULADDC_INIT                            \
-    __asm__(                                        \
-         "                                      \
-            ldr    r0, %3;                      \
-            ldr    r1, %4;                      \
-            ldr    r2, %5;                      \
-            ldr    r3, %6;                      \
-            lsr    r7, r3, #16;                 \
-            mov    r9, r7;                      \
-            lsl    r7, r3, #16;                 \
-            lsr    r7, r7, #16;                 \
-            mov    r8, r7;                      \
-         "
-
-#define MULADDC_CORE                            \
-         "                                      \
-            ldmia  r0!, {r6};                   \
-            lsr    r7, r6, #16;                 \
-            lsl    r6, r6, #16;                 \
-            lsr    r6, r6, #16;                 \
-            mov    r4, r8;                      \
-            mul    r4, r6;                      \
-            mov    r3, r9;                      \
-            mul    r6, r3;                      \
-            mov    r5, r9;                      \
-            mul    r5, r7;                      \
-            mov    r3, r8;                      \
-            mul    r7, r3;                      \
-            lsr    r3, r6, #16;                 \
-            add    r5, r5, r3;                  \
-            lsr    r3, r7, #16;                 \
-            add    r5, r5, r3;                  \
-            add    r4, r4, r2;                  \
-            mov    r2, #0;                      \
-            adc    r5, r2;                      \
-            lsl    r3, r6, #16;                 \
-            add    r4, r4, r3;                  \
-            adc    r5, r2;                      \
-            lsl    r3, r7, #16;                 \
-            add    r4, r4, r3;                  \
-            adc    r5, r2;                      \
-            ldr    r3, [r1];                    \
-            add    r4, r4, r3;                  \
-            adc    r2, r5;                      \
-            stmia  r1!, {r4};                   \
-         "
-
-#define MULADDC_STOP                            \
-         "                                      \
-            str    r2, %0;                      \
-            str    r1, %1;                      \
-            str    r0, %2;                      \
-         "                                      \
-         : "=m" (c),  "=m" (d), "=m" (s)        \
-         : "m" (s), "m" (d), "m" (c), "m" (b)   \
-         : "r0", "r1", "r2", "r3", "r4", "r5",  \
-           "r6", "r7", "r8", "r9", "cc"         \
-         );
-
-#else
-
-#define MULADDC_INIT                            \
-    __asm__(                                        \
-         "                                     \
-            ldr    r0, %3;                      \
-            ldr    r1, %4;                      \
-            ldr    r2, %5;                      \
-            ldr    r3, %6;                      \
-         "
-
-#define MULADDC_CORE                            \
-         "                                      \
-            ldr    r4, [r0], #4;                \
-            mov    r5, #0;                      \
-            ldr    r6, [r1];                    \
-            umlal  r2, r5, r3, r4;              \
-            adds   r7, r6, r2;                  \
-            adc    r2, r5, #0;                  \
-            str    r7, [r1], #4;                \
-         "
-
-#define MULADDC_STOP                            \
-         "                                      \
-            str    r2, %0;                      \
-            str    r1, %1;                      \
-            str    r0, %2;                      \
-         "                                      \
-         : "=m" (c),  "=m" (d), "=m" (s)        \
-         : "m" (s), "m" (d), "m" (c), "m" (b)   \
-         : "r0", "r1", "r2", "r3", "r4", "r5",  \
-           "r6", "r7", "cc"                     \
-         );
-
-#endif /* Thumb */
-
-#endif /* ARMv3 */
-
-#if defined(__alpha__)
-
-#define MULADDC_INIT                            \
-    __asm__( "ldq    $1, %0         " :: "m" (s));  \
-    __asm__( "ldq    $2, %0         " :: "m" (d));  \
-    __asm__( "ldq    $3, %0         " :: "m" (c));  \
-    __asm__( "ldq    $4, %0         " :: "m" (b));
-
-#define MULADDC_CORE                            \
-    __asm__( "ldq    $6,  0($1)     " );            \
-    __asm__( "addq   $1,  8, $1     " );            \
-    __asm__( "mulq   $6, $4, $7     " );            \
-    __asm__( "umulh  $6, $4, $6     " );            \
-    __asm__( "addq   $7, $3, $7     " );            \
-    __asm__( "cmpult $7, $3, $3     " );            \
-    __asm__( "ldq    $5,  0($2)     " );            \
-    __asm__( "addq   $7, $5, $7     " );            \
-    __asm__( "cmpult $7, $5, $5     " );            \
-    __asm__( "stq    $7,  0($2)     " );            \
-    __asm__( "addq   $2,  8, $2     " );            \
-    __asm__( "addq   $6, $3, $3     " );            \
-    __asm__( "addq   $5, $3, $3     " );
-
-#define MULADDC_STOP                            \
-    __asm__( "stq    $3, %0         " : "=m" (c));  \
-    __asm__( "stq    $2, %0         " : "=m" (d));  \
-    __asm__( "stq    $1, %0         " : "=m" (s) :: \
-    "$1", "$2", "$3", "$4", "$5", "$6", "$7" );
-
-#endif /* Alpha */
-
-#if defined(__mips__)
-
-#define MULADDC_INIT                            \
-    __asm__( "lw     $10, %0        " :: "m" (s));  \
-    __asm__( "lw     $11, %0        " :: "m" (d));  \
-    __asm__( "lw     $12, %0        " :: "m" (c));  \
-    __asm__( "lw     $13, %0        " :: "m" (b));
-
-#define MULADDC_CORE                            \
-    __asm__( "lw     $14, 0($10)    " );            \
-    __asm__( "multu  $13, $14       " );            \
-    __asm__( "addi   $10, $10, 4    " );            \
-    __asm__( "mflo   $14            " );            \
-    __asm__( "mfhi   $9             " );            \
-    __asm__( "addu   $14, $12, $14  " );            \
-    __asm__( "lw     $15, 0($11)    " );            \
-    __asm__( "sltu   $12, $14, $12  " );            \
-    __asm__( "addu   $15, $14, $15  " );            \
-    __asm__( "sltu   $14, $15, $14  " );            \
-    __asm__( "addu   $12, $12, $9   " );            \
-    __asm__( "sw     $15, 0($11)    " );            \
-    __asm__( "addu   $12, $12, $14  " );            \
-    __asm__( "addi   $11, $11, 4    " );
-
-#define MULADDC_STOP                            \
-    __asm__( "sw     $12, %0        " : "=m" (c));  \
-    __asm__( "sw     $11, %0        " : "=m" (d));  \
-    __asm__( "sw     $10, %0        " : "=m" (s) :: \
-    "$9", "$10", "$11", "$12", "$13", "$14", "$15" );
-
-#endif /* MIPS */
-#endif /* GNUC */
-
-#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
-
-#define MULADDC_INIT                            \
-    ____asm__   mov     esi, s                      \
-    ____asm__   mov     edi, d                      \
-    ____asm__   mov     ecx, c                      \
-    ____asm__   mov     ebx, b
-
-#define MULADDC_CORE                            \
-    ____asm__   lodsd                               \
-    ____asm__   mul     ebx                         \
-    ____asm__   add     eax, ecx                    \
-    ____asm__   adc     edx, 0                      \
-    ____asm__   add     eax, [edi]                  \
-    ____asm__   adc     edx, 0                      \
-    ____asm__   mov     ecx, edx                    \
-    ____asm__   stosd
-
-#if defined(POLARSSL_HAVE_SSE2)
-
-#define EMIT ____asm__ _emit
-
-#define MULADDC_HUIT                            \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0xC9             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0xC3             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x1F             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x16             \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x04  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x08  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x7E  EMIT 0x0C  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xF8             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x5F  EMIT 0x04  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xDC             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x08  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xEE             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x67  EMIT 0x0C  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xFC             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x0F             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x56  EMIT 0x10  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xD0             \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x66  EMIT 0x14  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xE0             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x76  EMIT 0x18  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xF0             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x04  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x5E  EMIT 0x1C  \
-    EMIT 0x0F  EMIT 0xF4  EMIT 0xD8             \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCD             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x10  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xD5             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x08  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCF             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x14  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xE5             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x0C  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCA             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x18  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xF5             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x10  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCC             \
-    EMIT 0x0F  EMIT 0x6E  EMIT 0x6F  EMIT 0x1C  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xDD             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x14  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCE             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x18  \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0xD4  EMIT 0xCB             \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0x4F  EMIT 0x1C  \
-    EMIT 0x83  EMIT 0xC7  EMIT 0x20             \
-    EMIT 0x83  EMIT 0xC6  EMIT 0x20             \
-    EMIT 0x0F  EMIT 0x73  EMIT 0xD1  EMIT 0x20  \
-    EMIT 0x0F  EMIT 0x7E  EMIT 0xC9
-
-#define MULADDC_STOP                            \
-    EMIT 0x0F  EMIT 0x77                        \
-    ____asm__   mov     c, ecx                      \
-    ____asm__   mov     d, edi                      \
-    ____asm__   mov     s, esi                      \
-
-#else
-
-#define MULADDC_STOP                            \
-    ____asm__   mov     c, ecx                      \
-    ____asm__   mov     d, edi                      \
-    ____asm__   mov     s, esi                      \
-
-#endif /* SSE2 */
-#endif /* MSVC */
-
-#endif /* POLARSSL_HAVE_ASM */
-
-#if !defined(MULADDC_CORE)
-#if defined(POLARSSL_HAVE_UDBL)
-
-#define MULADDC_INIT                    \
-{                                       \
-    t_udbl r;                           \
-    t_uint r0, r1;
-
-#define MULADDC_CORE                    \
-    r   = *(s++) * (t_udbl) b;          \
-    r0  = r;                            \
-    r1  = r >> biL;                     \
-    r0 += c;  r1 += (r0 <  c);          \
-    r0 += *d; r1 += (r0 < *d);          \
-    c = r1; *(d++) = r0;
-
-#define MULADDC_STOP                    \
-}
-
-#else
-#define MULADDC_INIT                    \
-{                                       \
-    t_uint s0, s1, b0, b1;              \
-    t_uint r0, r1, rx, ry;              \
-    b0 = ( b << biH ) >> biH;           \
-    b1 = ( b >> biH );
-
-#define MULADDC_CORE                    \
-    s0 = ( *s << biH ) >> biH;          \
-    s1 = ( *s >> biH ); s++;            \
-    rx = s0 * b1; r0 = s0 * b0;         \
-    ry = s1 * b0; r1 = s1 * b1;         \
-    r1 += ( rx >> biH );                \
-    r1 += ( ry >> biH );                \
-    rx <<= biH; ry <<= biH;             \
-    r0 += rx; r1 += (r0 < rx);          \
-    r0 += ry; r1 += (r0 < ry);          \
-    r0 +=  c; r1 += (r0 <  c);          \
-    r0 += *d; r1 += (r0 < *d);          \
-    c = r1; *(d++) = r0;
-
-#define MULADDC_STOP                    \
-}
-
-#endif /* C (generic)  */
-#endif /* C (longlong) */
-
-#endif /* bn_mul.h */
diff --git a/makerom/polarssl/config.h b/makerom/polarssl/config.h
deleted file mode 100644
index 2c43ff4d..00000000
--- a/makerom/polarssl/config.h
+++ /dev/null
@@ -1,1013 +0,0 @@
-/**
- * \file config.h
- *
- * \brief Configuration options (set of defines)
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * This set of compile-time options may be used to enable
- * or disable features selectively, and reduce the global
- * memory footprint.
- */
-#ifndef POLARSSL_CONFIG_H
-#define POLARSSL_CONFIG_H
-
-#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
-#define _CRT_SECURE_NO_DEPRECATE 1
-#endif
-
-/**
- * \name SECTION: System support
- *
- * This section sets system specific settings.
- * \{
- */
-
-/**
- * \def POLARSSL_HAVE_INT8
- *
- * The system uses 8-bit wide native integers.
- *
- * Uncomment if native integers are 8-bit wide.
-#define POLARSSL_HAVE_INT8
- */
-
-/**
- * \def POLARSSL_HAVE_INT16
- *
- * The system uses 16-bit wide native integers.
- *
- * Uncomment if native integers are 16-bit wide.
-#define POLARSSL_HAVE_INT16
- */
-
-/**
- * \def POLARSSL_HAVE_LONGLONG
- *
- * The compiler supports the 'long long' type.
- * (Only used on 32-bit platforms)
- */
-#define POLARSSL_HAVE_LONGLONG
-
-/**
- * \def POLARSSL_HAVE_ASM
- *
- * The compiler has support for asm()
- *
- * Uncomment to enable the use of assembly code.
- *
- * Requires support for asm() in compiler.
- *
- * Used in:
- *      library/timing.c
- *      library/padlock.c
- *      include/polarssl/bn_mul.h
- *
- */
-//#define POLARSSL_HAVE_ASM
-
-/**
- * \def POLARSSL_HAVE_SSE2
- *
- * CPU supports SSE2 instruction set.
- *
- * Uncomment if the CPU supports SSE2 (IA-32 specific).
- *
-#define POLARSSL_HAVE_SSE2
- */
-/* \} name */
-
-/**
- * \name SECTION: PolarSSL feature support
- *
- * This section sets support for features that are or are not needed
- * within the modules that are enabled.
- * \{
- */
-
-/**
- * \def POLARSSL_XXX_ALT
- *
- * Uncomment a macro to let PolarSSL use your alternate core implementation of
- * a symmetric or hash algorithm (e.g. platform specific assembly optimized
- * implementations). Keep in mind that the function prototypes should remain
- * the same.
- *
- * Example: In case you uncomment POLARSSL_AES_ALT, PolarSSL will no longer
- * provide the "struct aes_context" definition and omit the base function
- * declarations and implementations. "aes_alt.h" will be included from
- * "aes.h" to include the new function definitions.
- *
- * Uncomment a macro to enable alternate implementation for core algorithm
- * functions
-#define POLARSSL_AES_ALT
-#define POLARSSL_ARC4_ALT
-#define POLARSSL_BLOWFISH_ALT
-#define POLARSSL_CAMELLIA_ALT
-#define POLARSSL_DES_ALT
-#define POLARSSL_XTEA_ALT
-#define POLARSSL_MD2_ALT
-#define POLARSSL_MD4_ALT
-#define POLARSSL_MD5_ALT
-#define POLARSSL_SHA1_ALT
-#define POLARSSL_SHA2_ALT
-#define POLARSSL_SHA4_ALT
- */
-
-/**
- * \def POLARSSL_AES_ROM_TABLES
- *
- * Store the AES tables in ROM.
- *
- * Uncomment this macro to store the AES tables in ROM.
- *
-#define POLARSSL_AES_ROM_TABLES
- */
-
-/**
- * \def POLARSSL_CIPHER_MODE_CFB
- *
- * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
- */
-//#define POLARSSL_CIPHER_MODE_CFB
-
-/**
- * \def POLARSSL_CIPHER_MODE_CTR
- *
- * Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
- */
-#define POLARSSL_CIPHER_MODE_CTR
-
-/**
- * \def POLARSSL_CIPHER_NULL_CIPHER
- *
- * Enable NULL cipher.
- * Warning: Only do so when you know what you are doing. This allows for
- * encryption or channels without any security!
- *
- * Requires POLARSSL_ENABLE_WEAK_CIPHERSUITES as well to enable
- * the following ciphersuites:
- *      TLS_RSA_WITH_NULL_MD5
- *      TLS_RSA_WITH_NULL_SHA
- *      TLS_RSA_WITH_NULL_SHA256
- *
- * Uncomment this macro to enable the NULL cipher and ciphersuites
-#define POLARSSL_CIPHER_NULL_CIPHER
- */
-
-/**
- * \def POLARSSL_ENABLE_WEAK_CIPHERSUITES
- *
- * Enable weak ciphersuites in SSL / TLS
- * Warning: Only do so when you know what you are doing. This allows for
- * channels with virtually no security at all!
- *
- * This enables the following ciphersuites:
- *      TLS_RSA_WITH_DES_CBC_SHA
- *      TLS_DHE_RSA_WITH_DES_CBC_SHA
- *
- * Uncomment this macro to enable weak ciphersuites
-#define POLARSSL_ENABLE_WEAK_CIPHERSUITES
- */
-
-/**
- * \def POLARSSL_ERROR_STRERROR_DUMMY
- *
- * Enable a dummy error function to make use of error_strerror() in
- * third party libraries easier.
- *
- * Disable if you run into name conflicts and want to really remove the
- * error_strerror()
- */
-//#define POLARSSL_ERROR_STRERROR_DUMMY
-
-/**
- * \def POLARSSL_GENPRIME
- *
- * Requires: POLARSSL_BIGNUM_C, POLARSSL_RSA_C
- *
- * Enable the RSA prime-number generation code.
- */
-//#define POLARSSL_GENPRIME
-
-/**
- * \def POLARSSL_FS_IO
- *
- * Enable functions that use the filesystem.
- */
-//#define POLARSSL_FS_IO
-
-/**
- * \def POLARSSL_NO_DEFAULT_ENTROPY_SOURCES
- *
- * Do not add default entropy sources. These are the platform specific,
- * hardclock and HAVEGE based poll functions.
- *
- * This is useful to have more control over the added entropy sources in an 
- * application.
- *
- * Uncomment this macro to prevent loading of default entropy functions.
-#define POLARSSL_NO_DEFAULT_ENTROPY_SOURCES
- */
-
-/**
- * \def POLARSSL_NO_PLATFORM_ENTROPY
- *
- * Do not use built-in platform entropy functions.
- * This is useful if your platform does not support
- * standards like the /dev/urandom or Windows CryptoAPI.
- *
- * Uncomment this macro to disable the built-in platform entropy functions.
-#define POLARSSL_NO_PLATFORM_ENTROPY
- */
-
-/**
- * \def POLARSSL_PKCS1_V21
- *
- * Requires: POLARSSL_MD_C, POLARSSL_RSA_C
- *
- * Enable support for PKCS#1 v2.1 encoding.
- * This enables support for RSAES-OAEP and RSASSA-PSS operations.
- */
-//#define POLARSSL_PKCS1_V21
-
-/**
- * \def POLARSSL_RSA_NO_CRT
- *
- * Do not use the Chinese Remainder Theorem for the RSA private operation.
- *
- * Uncomment this macro to disable the use of CRT in RSA.
- *
- */
-#define POLARSSL_RSA_NO_CRT
-
-
-/**
- * \def POLARSSL_SELF_TEST
- *
- * Enable the checkup functions (*_self_test).
- */
-//#define POLARSSL_SELF_TEST
-
-/**
- * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
- *
- * Enable sending of alert messages in case of encountered errors as per RFC.
- * If you choose not to send the alert messages, PolarSSL can still communicate
- * with other servers, only debugging of failures is harder.
- *
- * The advantage of not sending alert messages, is that no information is given
- * about reasons for failures thus preventing adversaries of gaining intel.
- *
- * Enable sending of all alert messages
- */
-//#define POLARSSL_SSL_ALERT_MESSAGES
-
-/**
- * \def POLARSSL_SSL_DEBUG_ALL
- *
- * Enable the debug messages in SSL module for all issues.
- * Debug messages have been disabled in some places to prevent timing
- * attacks due to (unbalanced) debugging function calls.
- *
- * If you need all error reporting you should enable this during debugging,
- * but remove this for production servers that should log as well.
- *
- * Uncomment this macro to report all debug messages on errors introducing
- * a timing side-channel.
- *
-#define POLARSSL_SSL_DEBUG_ALL
- */
-
-/**
- * \def POLARSSL_SSL_HW_RECORD_ACCEL
- *
- * Enable hooking functions in SSL module for hardware acceleration of
- * individual records.
- *
- * Uncomment this macro to enable hooking functions.
-#define POLARSSL_SSL_HW_RECORD_ACCEL
- */
-
-/**
- * \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
- *
- * Enable support for receiving and parsing SSLv2 Client Hello messages for the
- * SSL Server module (POLARSSL_SSL_SRV_C)
- *
- * Comment this macro to disable support for SSLv2 Client Hello messages.
- */
-//#define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-
-/**
- * \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
- *
- * If set, the X509 parser will not break-off when parsing an X509 certificate
- * and encountering an unknown critical extension.
- *
- * Uncomment to prevent an error.
- *
-#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
- */
-
-/**
- * \def POLARSSL_ZLIB_SUPPORT
- *
- * If set, the SSL/TLS module uses ZLIB to support compression and
- * decompression of packet data.
- *
- * Used in: library/ssl_tls.c
- *          library/ssl_cli.c
- *          library/ssl_srv.c
- *
- * This feature requires zlib library and headers to be present.
- *
- * Uncomment to enable use of ZLIB
-#define POLARSSL_ZLIB_SUPPORT
- */
-/* \} name */
-
-/**
- * \name SECTION: PolarSSL modules
- *
- * This section enables or disables entire modules in PolarSSL
- * \{
- */
-
-/**
- * \def POLARSSL_AES_C
- *
- * Enable the AES block cipher.
- *
- * Module:  library/aes.c
- * Caller:  library/ssl_tls.c
- *          library/pem.c
- *          library/ctr_drbg.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- *      TLS_RSA_WITH_AES_128_CBC_SHA
- *      TLS_RSA_WITH_AES_256_CBC_SHA
- *      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- *      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- *      TLS_RSA_WITH_AES_128_CBC_SHA256
- *      TLS_RSA_WITH_AES_256_CBC_SHA256
- *      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- *      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- *      TLS_RSA_WITH_AES_128_GCM_SHA256
- *      TLS_RSA_WITH_AES_256_GCM_SHA384
- *
- * PEM uses AES for decrypting encrypted keys.
- */
-#define POLARSSL_AES_C
-
-/**
- * \def POLARSSL_ARC4_C
- *
- * Enable the ARCFOUR stream cipher.
- *
- * Module:  library/arc4.c
- * Caller:  library/ssl_tls.c
- *
- * This module enables the following ciphersuites:
- *      TLS_RSA_WITH_RC4_128_MD5
- *      TLS_RSA_WITH_RC4_128_SHA
- */
-//#define POLARSSL_ARC4_C
-
-/**
- * \def POLARSSL_ASN1_PARSE_C
- *
- * Enable the generic ASN1 parser.
- *
- * Module:  library/asn1.c
- * Caller:  library/x509parse.c
- */
-//#define POLARSSL_ASN1_PARSE_C
-
-/**
- * \def POLARSSL_ASN1_WRITE_C
- *
- * Enable the generic ASN1 writer.
- *
- * Module:  library/asn1write.c
- */
-//#define POLARSSL_ASN1_WRITE_C
-
-/**
- * \def POLARSSL_BASE64_C
- *
- * Enable the Base64 module.
- *
- * Module:  library/base64.c
- * Caller:  library/pem.c
- *
- * This module is required for PEM support (required by X.509).
- */
-#define POLARSSL_BASE64_C
-
-/**
- * \def POLARSSL_BIGNUM_C
- *
- * Enable the multi-precision integer library.
- *
- * Module:  library/bignum.c
- * Caller:  library/dhm.c
- *          library/rsa.c
- *          library/ssl_tls.c
- *          library/x509parse.c
- *
- * This module is required for RSA and DHM support.
- */
-#define POLARSSL_BIGNUM_C
-
-/**
- * \def POLARSSL_BLOWFISH_C
- *
- * Enable the Blowfish block cipher.
- *
- * Module:  library/blowfish.c
- */
-//#define POLARSSL_BLOWFISH_C
-
-/**
- * \def POLARSSL_CAMELLIA_C
- *
- * Enable the Camellia block cipher.
- *
- * Module:  library/camellia.c
- * Caller:  library/ssl_tls.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- *      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
- *      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
- *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- *      TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
- *      TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
- *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
- */
-//#define POLARSSL_CAMELLIA_C
-
-/**
- * \def POLARSSL_CERTS_C
- *
- * Enable the test certificates.
- *
- * Module:  library/certs.c
- * Caller:
- *
- * This module is used for testing (ssl_client/server).
- */
-//#define POLARSSL_CERTS_C
-
-/**
- * \def POLARSSL_CIPHER_C
- *
- * Enable the generic cipher layer.
- *
- * Module:  library/cipher.c
- * Caller:
- *
- * Uncomment to enable generic cipher wrappers.
- */
-//#define POLARSSL_CIPHER_C
-
-/**
- * \def POLARSSL_CTR_DRBG_C
- *
- * Enable the CTR_DRBG AES-256-based random generator
- *
- * Module:  library/ctr_drbg.c
- * Caller:
- *
- * Requires: POLARSSL_AES_C
- *
- * This module provides the CTR_DRBG AES-256 random number generator.
- */
-//#define POLARSSL_CTR_DRBG_C
-
-/**
- * \def POLARSSL_DEBUG_C
- *
- * Enable the debug functions.
- *
- * Module:  library/debug.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *
- * This module provides debugging functions.
- */
-//#define POLARSSL_DEBUG_C
-
-/**
- * \def POLARSSL_DES_C
- *
- * Enable the DES block cipher.
- *
- * Module:  library/des.c
- * Caller:  library/pem.c
- *          library/ssl_tls.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- *      TLS_RSA_WITH_3DES_EDE_CBC_SHA
- *      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- *
- * PEM uses DES/3DES for decrypting encrypted keys.
- */
-//#define POLARSSL_DES_C
-
-/**
- * \def POLARSSL_DHM_C
- *
- * Enable the Diffie-Hellman-Merkle key exchange.
- *
- * Module:  library/dhm.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- *      TLS_DHE_RSA_WITH_DES_CBC_SHA
- *      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
- *      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- *      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- *      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- *      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- *      TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
- *      TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
- *      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- *      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- */
-//#define POLARSSL_DHM_C
-
-/**
- * \def POLARSSL_ENTROPY_C
- *
- * Enable the platform-specific entropy code.
- *
- * Module:  library/entropy.c
- * Caller:
- *
- * Requires: POLARSSL_SHA4_C
- *
- * This module provides a generic entropy pool
- */
-//#define POLARSSL_ENTROPY_C
-
-/**
- * \def POLARSSL_ERROR_C
- *
- * Enable error code to error string conversion.
- *
- * Module:  library/error.c
- * Caller:
- *
- * This module enables err_strerror().
- */
-//#define POLARSSL_ERROR_C
-
-/**
- * \def POLARSSL_GCM_C
- *
- * Enable the Galois/Counter Mode (GCM) for AES
- *
- * Module:  library/gcm.c
- *
- * Requires: POLARSSL_AES_C
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- *      TLS_RSA_WITH_AES_128_GCM_SHA256
- *      TLS_RSA_WITH_AES_256_GCM_SHA384
- */
-//#define POLARSSL_GCM_C
-
-/**
- * \def POLARSSL_HAVEGE_C
- *
- * Enable the HAVEGE random generator.
- *
- * Warning: the HAVEGE random generator is not suitable for virtualized
- *          environments
- *
- * Warning: the HAVEGE random generator is dependent on timing and specific
- *          processor traits. It is therefore not advised to use HAVEGE as
- *          your applications primary random generator or primary entropy pool
- *          input. As a secondary input to your entropy pool, it IS able add
- *          the (limited) extra entropy it provides.
- *
- * Module:  library/havege.c
- * Caller:
- *
- * Requires: POLARSSL_TIMING_C
- *
- * Uncomment to enable the HAVEGE random generator.
-#define POLARSSL_HAVEGE_C
- */
-
-/**
- * \def POLARSSL_MD_C
- *
- * Enable the generic message digest layer.
- *
- * Module:  library/md.c
- * Caller:
- *
- * Uncomment to enable generic message digest wrappers.
- */
-//#define POLARSSL_MD_C
-
-/**
- * \def POLARSSL_MD2_C
- *
- * Enable the MD2 hash algorithm
- *
- * Module:  library/md2.c
- * Caller:  library/x509parse.c
- *
- * Uncomment to enable support for (rare) MD2-signed X.509 certs.
- *
-#define POLARSSL_MD2_C
- */
-
-/**
- * \def POLARSSL_MD4_C
- *
- * Enable the MD4 hash algorithm
- *
- * Module:  library/md4.c
- * Caller:  library/x509parse.c
- *
- * Uncomment to enable support for (rare) MD4-signed X.509 certs.
- *
-#define POLARSSL_MD4_C
- */
-
-/**
- * \def POLARSSL_MD5_C
- *
- * Enable the MD5 hash algorithm
- *
- * Module:  library/md5.c
- * Caller:  library/pem.c
- *          library/ssl_tls.c
- *          library/x509parse.c
- *
- * This module is required for SSL/TLS and X.509.
- * PEM uses MD5 for decrypting encrypted keys.
- */
-//#define POLARSSL_MD5_C
-
-/**
- * \def POLARSSL_NET_C
- *
- * Enable the TCP/IP networking routines.
- *
- * Module:  library/net.c
- * Caller:
- *
- * This module provides TCP/IP networking routines.
- */
-//#define POLARSSL_NET_C
-
-/**
- * \def POLARSSL_PADLOCK_C
- *
- * Enable VIA Padlock support on x86.
- *
- * Module:  library/padlock.c
- * Caller:  library/aes.c
- *
- * This modules adds support for the VIA PadLock on x86.
- */
-//#define POLARSSL_PADLOCK_C
-
-/**
- * \def POLARSSL_PBKDF2_C
- *
- * Enable PKCS#5 PBKDF2 key derivation function
- * DEPRECATED: Use POLARSSL_PKCS5_C instead
- *
- * Module:  library/pbkdf2.c
- *
- * Requires: POLARSSL_PKCS5_C
- *
- * This module adds support for the PKCS#5 PBKDF2 key derivation function.
-#define POLARSSL_PBKDF2_C
- */
-
-/**
- * \def POLARSSL_PEM_C
- *
- * Enable PEM decoding
- *
- * Module:  library/pem.c
- * Caller:  library/x509parse.c
- *
- * Requires: POLARSSL_BASE64_C
- *
- * This modules adds support for decoding PEM files.
- */
-//#define POLARSSL_PEM_C
-
-/**
- * \def POLARSSL_PKCS5_C
- *
- * Enable PKCS#5 functions
- *
- * Module:  library/pkcs5.c
- *
- * Requires: POLARSSL_MD_C
- *
- * This module adds support for the PKCS#5 functions.
- */
-//#define POLARSSL_PKCS5_C
-
-/**
- * \def POLARSSL_PKCS11_C
- *
- * Enable wrapper for PKCS#11 smartcard support.
- *
- * Module:  library/ssl_srv.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *
- * Requires: POLARSSL_SSL_TLS_C
- *
- * This module enables SSL/TLS PKCS #11 smartcard support.
- * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
-#define POLARSSL_PKCS11_C
- */
-
-/**
- * \def POLARSSL_PKCS12_C
- *
- * Enable PKCS#12 PBE functions
- * Adds algorithms for parsing PKCS#8 encrypted private keys
- *
- * Module:  library/pkcs12.c
- * Caller:  library/x509parse.c
- *
- * Requires: POLARSSL_ASN1_PARSE_C, POLARSSL_CIPHER_C, POLARSSL_MD_C
- * Can use:  POLARSSL_ARC4_C
- *
- * This module enables PKCS#12 functions.
- */
-//#define POLARSSL_PKCS12_C
-
-/**
- * \def POLARSSL_RSA_C
- *
- * Enable the RSA public-key cryptosystem.
- *
- * Module:  library/rsa.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *          library/x509.c
- *
- * Requires: POLARSSL_BIGNUM_C
- *
- * This module is required for SSL/TLS and MD5-signed certificates.
- */
-#define POLARSSL_RSA_C
-
-/**
- * \def POLARSSL_SHA1_C
- *
- * Enable the SHA1 cryptographic hash algorithm.
- *
- * Module:  library/sha1.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *          library/x509parse.c
- *
- * This module is required for SSL/TLS and SHA1-signed certificates.
- */
-#define POLARSSL_SHA1_C
-
-/**
- * \def POLARSSL_SHA2_C
- *
- * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
- *
- * Module:  library/sha2.c
- * Caller:  library/md_wrap.c
- *          library/x509parse.c
- *
- * This module adds support for SHA-224 and SHA-256.
- * This module is required for the SSL/TLS 1.2 PRF function.
- */
-#define POLARSSL_SHA2_C
-
-/**
- * \def POLARSSL_SHA4_C
- *
- * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
- *
- * Module:  library/sha4.c
- * Caller:  library/md_wrap.c
- *          library/x509parse.c
- *
- * This module adds support for SHA-384 and SHA-512.
- */
-//#define POLARSSL_SHA4_C
-
-/**
- * \def POLARSSL_SSL_CACHE_C
- *
- * Enable simple SSL cache implementation.
- *
- * Module:  library/ssl_cache.c
- * Caller:
- *
- * Requires: POLARSSL_SSL_CACHE_C
- */
-//#define POLARSSL_SSL_CACHE_C
-
-/**
- * \def POLARSSL_SSL_CLI_C
- *
- * Enable the SSL/TLS client code.
- *
- * Module:  library/ssl_cli.c
- * Caller:
- *
- * Requires: POLARSSL_SSL_TLS_C
- *
- * This module is required for SSL/TLS client support.
- */
-//#define POLARSSL_SSL_CLI_C
-
-/**
- * \def POLARSSL_SSL_SRV_C
- *
- * Enable the SSL/TLS server code.
- *
- * Module:  library/ssl_srv.c
- * Caller:
- *
- * Requires: POLARSSL_SSL_TLS_C
- *
- * This module is required for SSL/TLS server support.
- */
-//#define POLARSSL_SSL_SRV_C
-
-/**
- * \def POLARSSL_SSL_TLS_C
- *
- * Enable the generic SSL/TLS code.
- *
- * Module:  library/ssl_tls.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *
- * Requires: POLARSSL_MD5_C, POLARSSL_SHA1_C, POLARSSL_X509_PARSE_C
- *
- * This module is required for SSL/TLS.
- */
-//#define POLARSSL_SSL_TLS_C
-
-/**
- * \def POLARSSL_TIMING_C
- *
- * Enable the portable timing interface.
- *
- * Module:  library/timing.c
- * Caller:  library/havege.c
- *
- * This module is used by the HAVEGE random number generator.
- */
-//#define POLARSSL_TIMING_C
-
-/**
- * \def POLARSSL_VERSION_C
- *
- * Enable run-time version information.
- *
- * Module:  library/version.c
- *
- * This module provides run-time version information.
- */
-//#define POLARSSL_VERSION_C
-
-/**
- * \def POLARSSL_X509_PARSE_C
- *
- * Enable X.509 certificate parsing.
- *
- * Module:  library/x509parse.c
- * Caller:  library/ssl_cli.c
- *          library/ssl_srv.c
- *          library/ssl_tls.c
- *
- * Requires: POLARSSL_ASN1_PARSE_C, POLARSSL_BIGNUM_C, POLARSSL_RSA_C
- *
- * This module is required for X.509 certificate parsing.
- */
-//#define POLARSSL_X509_PARSE_C
-
-/**
- * \def POLARSSL_X509_WRITE_C
- *
- * Enable X.509 buffer writing.
- *
- * Module:  library/x509write.c
- *
- * Requires: POLARSSL_BIGNUM_C, POLARSSL_RSA_C
- *
- * This module is required for X.509 certificate request writing.
- */
-//#define POLARSSL_X509_WRITE_C
-
-/**
- * \def POLARSSL_XTEA_C
- *
- * Enable the XTEA block cipher.
- *
- * Module:  library/xtea.c
- * Caller:
- */
-//#define POLARSSL_XTEA_C
-/* \} name */
-
-/**
- * \name SECTION: Module configuration options
- *
- * This section allows for the setting of module specific sizes and
- * configuration options. The default values are already present in the
- * relevant header files and should suffice for the regular use cases.
- * Our advice is to enable POLARSSL_CONFIG_OPTIONS and change values here
- * only if you have a good reason and know the consequences.
- *
- * If POLARSSL_CONFIG_OPTIONS is undefined here the options in the module
- * header file take precedence.
- *
- * Please check the respective header file for documentation on these
- * parameters (to prevent duplicate documentation).
- *
- * Uncomment POLARSSL_CONFIG_OPTIONS to enable using the values defined here.
- * \{
- */
-//#define POLARSSL_CONFIG_OPTIONS   /**< Enable config.h module value configuration */
-
-#if defined(POLARSSL_CONFIG_OPTIONS)
-
-// MPI / BIGNUM options
-//
-#define POLARSSL_MPI_WINDOW_SIZE            6 /**< Maximum windows size used. */
-#define POLARSSL_MPI_MAX_SIZE             512 /**< Maximum number of bytes for usable MPIs. */
-
-// CTR_DRBG options
-//
-#define CTR_DRBG_ENTROPY_LEN               48 /**< Amount of entropy used per seed by default */
-#define CTR_DRBG_RESEED_INTERVAL        10000 /**< Interval before reseed is performed by default */
-#define CTR_DRBG_MAX_INPUT                256 /**< Maximum number of additional input bytes */
-#define CTR_DRBG_MAX_REQUEST             1024 /**< Maximum number of requested bytes per call */
-#define CTR_DRBG_MAX_SEED_INPUT           384 /**< Maximum size of (re)seed buffer */
-
-// Entropy options
-//
-#define ENTROPY_MAX_SOURCES                20 /**< Maximum number of sources supported */
-#define ENTROPY_MAX_GATHER                128 /**< Maximum amount requested from entropy sources */
-
-// SSL Cache options
-//
-#define SSL_CACHE_DEFAULT_TIMEOUT       86400 /**< 1 day  */
-#define SSL_CACHE_DEFAULT_MAX_ENTRIES      50 /**< Maximum entries in cache */
-
-// SSL options
-//
-#define SSL_MAX_CONTENT_LEN             16384 /**< Size of the input / output buffer */
-
-#endif /* POLARSSL_CONFIG_OPTIONS */
-
-/* \} name */
-#endif /* config.h */
diff --git a/makerom/polarssl/rsa.c b/makerom/polarssl/rsa.c
deleted file mode 100644
index 5b2d6e02..00000000
--- a/makerom/polarssl/rsa.c
+++ /dev/null
@@ -1,1466 +0,0 @@
-/*
- *  The RSA public-key cryptosystem
- *
- *  Copyright (C) 2006-2011, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  RSA was designed by Ron Rivest, Adi Shamir and Len Adleman.
- *
- *  http://theory.lcs.mit.edu/~rivest/rsapaper.pdf
- *  http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_RSA_C)
-
-#include "polarssl/rsa.h"
-
-#if defined(POLARSSL_PKCS1_V21)
-#include "polarssl/md.h"
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-
-/*
- * Initialize an RSA context
- */
-void rsa_init( rsa_context *ctx,
-               int padding,
-               int hash_id )
-{
-    memset( ctx, 0, sizeof( rsa_context ) );
-
-    ctx->padding = padding;
-    ctx->hash_id = hash_id;
-}
-
-#if defined(POLARSSL_GENPRIME)
-
-/*
- * Generate an RSA keypair
- */
-int rsa_gen_key( rsa_context *ctx,
-                 int (*f_rng)(void *, unsigned char *, size_t),
-                 void *p_rng,
-                 unsigned int nbits, int exponent )
-{
-    int ret;
-    mpi P1, Q1, H, G;
-
-    if( f_rng == NULL || nbits < 128 || exponent < 3 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    mpi_init( &P1 ); mpi_init( &Q1 ); mpi_init( &H ); mpi_init( &G );
-
-    /*
-     * find primes P and Q with Q < P so that:
-     * GCD( E, (P-1)*(Q-1) ) == 1
-     */
-    MPI_CHK( mpi_lset( &ctx->E, exponent ) );
-
-    do
-    {
-        MPI_CHK( mpi_gen_prime( &ctx->P, ( nbits + 1 ) >> 1, 0, 
-                                f_rng, p_rng ) );
-
-        MPI_CHK( mpi_gen_prime( &ctx->Q, ( nbits + 1 ) >> 1, 0,
-                                f_rng, p_rng ) );
-
-        if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) < 0 )
-            mpi_swap( &ctx->P, &ctx->Q );
-
-        if( mpi_cmp_mpi( &ctx->P, &ctx->Q ) == 0 )
-            continue;
-
-        MPI_CHK( mpi_mul_mpi( &ctx->N, &ctx->P, &ctx->Q ) );
-        if( mpi_msb( &ctx->N ) != nbits )
-            continue;
-
-        MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
-        MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
-        MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
-        MPI_CHK( mpi_gcd( &G, &ctx->E, &H  ) );
-    }
-    while( mpi_cmp_int( &G, 1 ) != 0 );
-
-    /*
-     * D  = E^-1 mod ((P-1)*(Q-1))
-     * DP = D mod (P - 1)
-     * DQ = D mod (Q - 1)
-     * QP = Q^-1 mod P
-     */
-    MPI_CHK( mpi_inv_mod( &ctx->D , &ctx->E, &H  ) );
-    MPI_CHK( mpi_mod_mpi( &ctx->DP, &ctx->D, &P1 ) );
-    MPI_CHK( mpi_mod_mpi( &ctx->DQ, &ctx->D, &Q1 ) );
-    MPI_CHK( mpi_inv_mod( &ctx->QP, &ctx->Q, &ctx->P ) );
-
-    ctx->len = ( mpi_msb( &ctx->N ) + 7 ) >> 3;
-
-cleanup:
-
-    mpi_free( &P1 ); mpi_free( &Q1 ); mpi_free( &H ); mpi_free( &G );
-
-    if( ret != 0 )
-    {
-        rsa_free( ctx );
-        return( POLARSSL_ERR_RSA_KEY_GEN_FAILED + ret );
-    }
-
-    return( 0 );   
-}
-
-#endif
-
-/*
- * Check a public RSA key
- */
-int rsa_check_pubkey( const rsa_context *ctx )
-{
-    if( !ctx->N.p || !ctx->E.p )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    if( ( ctx->N.p[0] & 1 ) == 0 || 
-        ( ctx->E.p[0] & 1 ) == 0 )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    if( mpi_msb( &ctx->N ) < 128 ||
-        mpi_msb( &ctx->N ) > POLARSSL_MPI_MAX_BITS )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    if( mpi_msb( &ctx->E ) < 2 ||
-        mpi_msb( &ctx->E ) > 64 )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    return( 0 );
-}
-
-/*
- * Check a private RSA key
- */
-int rsa_check_privkey( const rsa_context *ctx )
-{
-    int ret;
-    mpi PQ, DE, P1, Q1, H, I, G, G2, L1, L2, DP, DQ, QP;
-
-    if( ( ret = rsa_check_pubkey( ctx ) ) != 0 )
-        return( ret );
-
-    if( !ctx->P.p || !ctx->Q.p || !ctx->D.p )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
-
-    mpi_init( &PQ ); mpi_init( &DE ); mpi_init( &P1 ); mpi_init( &Q1 );
-    mpi_init( &H  ); mpi_init( &I  ); mpi_init( &G  ); mpi_init( &G2 );
-    mpi_init( &L1 ); mpi_init( &L2 ); mpi_init( &DP ); mpi_init( &DQ );
-    mpi_init( &QP );
-
-    MPI_CHK( mpi_mul_mpi( &PQ, &ctx->P, &ctx->Q ) );
-    MPI_CHK( mpi_mul_mpi( &DE, &ctx->D, &ctx->E ) );
-    MPI_CHK( mpi_sub_int( &P1, &ctx->P, 1 ) );
-    MPI_CHK( mpi_sub_int( &Q1, &ctx->Q, 1 ) );
-    MPI_CHK( mpi_mul_mpi( &H, &P1, &Q1 ) );
-    MPI_CHK( mpi_gcd( &G, &ctx->E, &H  ) );
-
-    MPI_CHK( mpi_gcd( &G2, &P1, &Q1 ) );
-    MPI_CHK( mpi_div_mpi( &L1, &L2, &H, &G2 ) );  
-    MPI_CHK( mpi_mod_mpi( &I, &DE, &L1  ) );
-
-    MPI_CHK( mpi_mod_mpi( &DP, &ctx->D, &P1 ) );
-    MPI_CHK( mpi_mod_mpi( &DQ, &ctx->D, &Q1 ) );
-    MPI_CHK( mpi_inv_mod( &QP, &ctx->Q, &ctx->P ) );
-    /*
-     * Check for a valid PKCS1v2 private key
-     */
-    if( mpi_cmp_mpi( &PQ, &ctx->N ) != 0 ||
-        mpi_cmp_mpi( &DP, &ctx->DP ) != 0 ||
-        mpi_cmp_mpi( &DQ, &ctx->DQ ) != 0 ||
-        mpi_cmp_mpi( &QP, &ctx->QP ) != 0 ||
-        mpi_cmp_int( &L2, 0 ) != 0 ||
-        mpi_cmp_int( &I, 1 ) != 0 ||
-        mpi_cmp_int( &G, 1 ) != 0 )
-    {
-        ret = POLARSSL_ERR_RSA_KEY_CHECK_FAILED;
-    }
-    
-cleanup:
-    mpi_free( &PQ ); mpi_free( &DE ); mpi_free( &P1 ); mpi_free( &Q1 );
-    mpi_free( &H  ); mpi_free( &I  ); mpi_free( &G  ); mpi_free( &G2 );
-    mpi_free( &L1 ); mpi_free( &L2 ); mpi_free( &DP ); mpi_free( &DQ );
-    mpi_free( &QP );
-
-    if( ret == POLARSSL_ERR_RSA_KEY_CHECK_FAILED )
-        return( ret );
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED + ret );
-
-    return( 0 );
-}
-
-/*
- * Do an RSA public key operation
- */
-int rsa_public( rsa_context *ctx,
-                const unsigned char *input,
-                unsigned char *output )
-{
-    int ret;
-    size_t olen;
-    mpi T;
-
-    mpi_init( &T );
-
-    MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
-
-    if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
-    {
-        mpi_free( &T );
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    olen = ctx->len;
-    MPI_CHK( mpi_exp_mod( &T, &T, &ctx->E, &ctx->N, &ctx->RN ) );
-    MPI_CHK( mpi_write_binary( &T, output, olen ) );
-
-cleanup:
-
-    mpi_free( &T );
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_RSA_PUBLIC_FAILED + ret );
-
-    return( 0 );
-}
-
-/*
- * Do an RSA private key operation
- */
-int rsa_private( rsa_context *ctx,
-                 const unsigned char *input,
-                 unsigned char *output )
-{
-    int ret;
-    size_t olen;
-    mpi T, T1, T2;
-
-    mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
-
-    MPI_CHK( mpi_read_binary( &T, input, ctx->len ) );
-
-    if( mpi_cmp_mpi( &T, &ctx->N ) >= 0 )
-    {
-        mpi_free( &T );
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-#if defined(POLARSSL_RSA_NO_CRT)
-    MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
-#else
-    /*
-     * faster decryption using the CRT
-     *
-     * T1 = input ^ dP mod P
-     * T2 = input ^ dQ mod Q
-     */
-    MPI_CHK( mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) );
-    MPI_CHK( mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) );
-
-    /*
-     * T = (T1 - T2) * (Q^-1 mod P) mod P
-     */
-    MPI_CHK( mpi_sub_mpi( &T, &T1, &T2 ) );
-    MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->QP ) );
-    MPI_CHK( mpi_mod_mpi( &T, &T1, &ctx->P ) );
-
-    /*
-     * output = T2 + T * Q
-     */
-    MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
-    MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
-#endif
-
-    olen = ctx->len;
-    MPI_CHK( mpi_write_binary( &T, output, olen ) );
-
-cleanup:
-
-    mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
-
-    if( ret != 0 )
-        return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
-
-    return( 0 );
-}
-
-#if defined(POLARSSL_PKCS1_V21)
-/**
- * Generate and apply the MGF1 operation (from PKCS#1 v2.1) to a buffer.
- *
- * \param dst       buffer to mask
- * \param dlen      length of destination buffer
- * \param src       source of the mask generation
- * \param slen      length of the source buffer
- * \param md_ctx    message digest context to use
- */
-static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen,  
-                       md_context_t *md_ctx )
-{
-    unsigned char mask[POLARSSL_MD_MAX_SIZE];
-    unsigned char counter[4];
-    unsigned char *p;
-    unsigned int hlen;
-    size_t i, use_len;
-
-    memset( mask, 0, POLARSSL_MD_MAX_SIZE );
-    memset( counter, 0, 4 );
-
-    hlen = md_ctx->md_info->size;
-
-    // Generate and apply dbMask
-    //
-    p = dst;
-
-    while( dlen > 0 )
-    {
-        use_len = hlen;
-        if( dlen < hlen )
-            use_len = dlen;
-
-        md_starts( md_ctx );
-        md_update( md_ctx, src, slen );
-        md_update( md_ctx, counter, 4 );
-        md_finish( md_ctx, mask );
-
-        for( i = 0; i < use_len; ++i )
-            *p++ ^= mask[i];
-
-        counter[3]++;
-
-        dlen -= use_len;
-    }
-}
-#endif
-
-#if defined(POLARSSL_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-OAEP-ENCRYPT function
- */
-int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
-                            int (*f_rng)(void *, unsigned char *, size_t),
-                            void *p_rng,
-                            int mode,
-                            const unsigned char *label, size_t label_len,
-                            size_t ilen,
-                            const unsigned char *input,
-                            unsigned char *output )
-{
-    size_t olen;
-    int ret;
-    unsigned char *p = output;
-    unsigned int hlen;
-    const md_info_t *md_info;
-    md_context_t md_ctx;
-
-    if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    md_info = md_info_from_type( ctx->hash_id );
-
-    if( md_info == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    olen = ctx->len;
-    hlen = md_get_size( md_info );
-
-    if( olen < ilen + 2 * hlen + 2 || f_rng == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    memset( output, 0, olen );
-
-    *p++ = 0;
-
-    // Generate a random octet string seed
-    //
-    if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
-        return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
-
-    p += hlen;
-
-    // Construct DB
-    //
-    md( md_info, label, label_len, p );
-    p += hlen;
-    p += olen - 2 * hlen - 2 - ilen;
-    *p++ = 1;
-    memcpy( p, input, ilen );
-
-    md_init_ctx( &md_ctx, md_info );
-
-    // maskedDB: Apply dbMask to DB
-    //
-    mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen,
-               &md_ctx );
-
-    // maskedSeed: Apply seedMask to seed
-    //
-    mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1,
-               &md_ctx );
-
-    md_free_ctx( &md_ctx );
-
-    return( ( mode == RSA_PUBLIC )
-            ? rsa_public(  ctx, output, output )
-            : rsa_private( ctx, output, output ) );
-}
-#endif /* POLARSSL_PKCS1_V21 */
-
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-ENCRYPT function
- */
-int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
-                                 int (*f_rng)(void *, unsigned char *, size_t),
-                                 void *p_rng,
-                                 int mode, size_t ilen,
-                                 const unsigned char *input,
-                                 unsigned char *output )
-{
-    size_t nb_pad, olen;
-    int ret;
-    unsigned char *p = output;
-
-    if( ctx->padding != RSA_PKCS_V15 || f_rng == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    olen = ctx->len;
-
-    if( olen < ilen + 11 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    nb_pad = olen - 3 - ilen;
-
-    *p++ = 0;
-    if( mode == RSA_PUBLIC )
-    {
-        *p++ = RSA_CRYPT;
-
-        while( nb_pad-- > 0 )
-        {
-            int rng_dl = 100;
-
-            do {
-                ret = f_rng( p_rng, p, 1 );
-            } while( *p == 0 && --rng_dl && ret == 0 );
-
-            // Check if RNG failed to generate data
-            //
-            if( rng_dl == 0 || ret != 0)
-                return POLARSSL_ERR_RSA_RNG_FAILED + ret;
-
-            p++;
-        }
-    }
-    else
-    {
-        *p++ = RSA_SIGN;
-
-        while( nb_pad-- > 0 )
-            *p++ = 0xFF;
-    }
-
-    *p++ = 0;
-    memcpy( p, input, ilen );
-
-    return( ( mode == RSA_PUBLIC )
-            ? rsa_public(  ctx, output, output )
-            : rsa_private( ctx, output, output ) );
-}
-
-/*
- * Add the message padding, then do an RSA operation
- */
-int rsa_pkcs1_encrypt( rsa_context *ctx,
-                       int (*f_rng)(void *, unsigned char *, size_t),
-                       void *p_rng,
-                       int mode, size_t ilen,
-                       const unsigned char *input,
-                       unsigned char *output )
-{
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-            return rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen,
-                                                input, output );
-
-#if defined(POLARSSL_PKCS1_V21)
-        case RSA_PKCS_V21:
-            return rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0,
-                                           ilen, input, output );
-#endif
-
-        default:
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-}
-
-#if defined(POLARSSL_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-OAEP-DECRYPT function
- */
-int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
-                            int mode, 
-                            const unsigned char *label, size_t label_len,
-                            size_t *olen,
-                            const unsigned char *input,
-                            unsigned char *output,
-                            size_t output_max_len )
-{
-    int ret;
-    size_t ilen;
-    unsigned char *p;
-    unsigned char buf[POLARSSL_MPI_MAX_SIZE];
-    unsigned char lhash[POLARSSL_MD_MAX_SIZE];
-    unsigned int hlen;
-    const md_info_t *md_info;
-    md_context_t md_ctx;
-
-    if( ctx->padding != RSA_PKCS_V21 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ilen = ctx->len;
-
-    if( ilen < 16 || ilen > sizeof( buf ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ret = ( mode == RSA_PUBLIC )
-          ? rsa_public(  ctx, input, buf )
-          : rsa_private( ctx, input, buf );
-
-    if( ret != 0 )
-        return( ret );
-
-    p = buf;
-
-    if( *p++ != 0 )
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-    md_info = md_info_from_type( ctx->hash_id );
-    if( md_info == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    hlen = md_get_size( md_info );
-
-    md_init_ctx( &md_ctx, md_info );
-
-    // Generate lHash
-    //
-    md( md_info, label, label_len, lhash );
-
-    // seed: Apply seedMask to maskedSeed
-    //
-    mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1,
-               &md_ctx );
-
-    // DB: Apply dbMask to maskedDB
-    //
-    mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen,
-               &md_ctx );
-
-    p += hlen;
-    md_free_ctx( &md_ctx );
-
-    // Check validity
-    //
-    if( memcmp( lhash, p, hlen ) != 0 )
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-    p += hlen;
-
-    while( *p == 0 && p < buf + ilen )
-        p++;
-
-    if( p == buf + ilen )
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-    if( *p++ != 0x01 )
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-    if (ilen - (p - buf) > output_max_len)
-        return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
-
-    *olen = ilen - (p - buf);
-    memcpy( output, p, *olen );
-
-    return( 0 );
-}
-#endif /* POLARSSL_PKCS1_V21 */
-
-/*
- * Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
- */
-int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
-                                 int mode, size_t *olen,
-                                 const unsigned char *input,
-                                 unsigned char *output,
-                                 size_t output_max_len)
-{
-    int ret, correct = 1;
-    size_t ilen, pad_count = 0;
-    unsigned char *p, *q;
-    unsigned char bt;
-    unsigned char buf[POLARSSL_MPI_MAX_SIZE];
-
-    if( ctx->padding != RSA_PKCS_V15 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ilen = ctx->len;
-
-    if( ilen < 16 || ilen > sizeof( buf ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ret = ( mode == RSA_PUBLIC )
-          ? rsa_public(  ctx, input, buf )
-          : rsa_private( ctx, input, buf );
-
-    if( ret != 0 )
-        return( ret );
-
-    p = buf;
-
-    if( *p++ != 0 )
-        correct = 0;
-
-    bt = *p++;
-    if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
-        ( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
-    {
-        correct = 0;
-    }
-
-    if( bt == RSA_CRYPT )
-    {
-        while( *p != 0 && p < buf + ilen - 1 )
-            pad_count += ( *p++ != 0 );
-
-        correct &= ( *p == 0 && p < buf + ilen - 1 );
-
-        q = p;
-
-        // Also pass over all other bytes to reduce timing differences
-        //
-        while ( q < buf + ilen - 1 )
-            pad_count += ( *q++ != 0 );
-
-        // Prevent compiler optimization of pad_count
-        //
-        correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
-        p++;
-    }
-    else
-    {
-        while( *p == 0xFF && p < buf + ilen - 1 )
-            pad_count += ( *p++ == 0xFF );
-
-        correct &= ( *p == 0 && p < buf + ilen - 1 );
-
-        q = p;
-
-        // Also pass over all other bytes to reduce timing differences
-        //
-        while ( q < buf + ilen - 1 )
-            pad_count += ( *q++ != 0 );
-
-        // Prevent compiler optimization of pad_count
-        //
-        correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
-        p++;
-    }
-
-    if( correct == 0 )
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-    if (ilen - (p - buf) > output_max_len)
-        return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
-
-    *olen = ilen - (p - buf);
-    memcpy( output, p, *olen );
-
-    return( 0 );
-}
-
-/*
- * Do an RSA operation, then remove the message padding
- */
-int rsa_pkcs1_decrypt( rsa_context *ctx,
-                       int mode, size_t *olen,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       size_t output_max_len)
-{
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-            return rsa_rsaes_pkcs1_v15_decrypt( ctx, mode, olen, input, output,
-                                                output_max_len );
-
-#if defined(POLARSSL_PKCS1_V21)
-        case RSA_PKCS_V21:
-            return rsa_rsaes_oaep_decrypt( ctx, mode, NULL, 0, olen, input,
-                                           output, output_max_len );
-#endif
-
-        default:
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-}
-
-#if defined(POLARSSL_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
- */
-int rsa_rsassa_pss_sign( rsa_context *ctx,
-                         int (*f_rng)(void *, unsigned char *, size_t),
-                         void *p_rng,
-                         int mode,
-                         int hash_id,
-                         unsigned int hashlen,
-                         const unsigned char *hash,
-                         unsigned char *sig )
-{
-    size_t olen;
-    unsigned char *p = sig;
-    unsigned char salt[POLARSSL_MD_MAX_SIZE];
-    unsigned int slen, hlen, offset = 0;
-    int ret;
-    size_t msb;
-    const md_info_t *md_info;
-    md_context_t md_ctx;
-
-    if( ctx->padding != RSA_PKCS_V21 || f_rng == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    olen = ctx->len;
-
-    switch( hash_id )
-    {
-        case SIG_RSA_MD2:
-        case SIG_RSA_MD4:
-        case SIG_RSA_MD5:
-            hashlen = 16;
-            break;
-
-        case SIG_RSA_SHA1:
-            hashlen = 20;
-            break;
-
-        case SIG_RSA_SHA224:
-            hashlen = 28;
-            break;
-
-        case SIG_RSA_SHA256:
-            hashlen = 32;
-            break;
-
-        case SIG_RSA_SHA384:
-            hashlen = 48;
-            break;
-
-        case SIG_RSA_SHA512:
-            hashlen = 64;
-            break;
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    md_info = md_info_from_type( ctx->hash_id );
-    if( md_info == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    hlen = md_get_size( md_info );
-    slen = hlen;
-
-    if( olen < hlen + slen + 2 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    memset( sig, 0, olen );
-
-    msb = mpi_msb( &ctx->N ) - 1;
-
-    // Generate salt of length slen
-    //
-    if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
-        return( POLARSSL_ERR_RSA_RNG_FAILED + ret );
-
-    // Note: EMSA-PSS encoding is over the length of N - 1 bits
-    //
-    msb = mpi_msb( &ctx->N ) - 1;
-    p += olen - hlen * 2 - 2;
-    *p++ = 0x01;
-    memcpy( p, salt, slen );
-    p += slen;
-
-    md_init_ctx( &md_ctx, md_info );
-
-    // Generate H = Hash( M' )
-    //
-    md_starts( &md_ctx );
-    md_update( &md_ctx, p, 8 );
-    md_update( &md_ctx, hash, hashlen );
-    md_update( &md_ctx, salt, slen );
-    md_finish( &md_ctx, p );
-
-    // Compensate for boundary condition when applying mask
-    //
-    if( msb % 8 == 0 )
-        offset = 1;
-
-    // maskedDB: Apply dbMask to DB
-    //
-    mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx );
-
-    md_free_ctx( &md_ctx );
-
-    msb = mpi_msb( &ctx->N ) - 1;
-    sig[0] &= 0xFF >> ( olen * 8 - msb );
-
-    p += hlen;
-    *p++ = 0xBC;
-
-    return( ( mode == RSA_PUBLIC )
-            ? rsa_public(  ctx, sig, sig )
-            : rsa_private( ctx, sig, sig ) );
-}
-#endif /* POLARSSL_PKCS1_V21 */
-
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-V1_5-SIGN function
- */
-/*
- * Do an RSA operation to sign the message digest
- */
-int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
-                               int mode,
-                               int hash_id,
-                               unsigned int hashlen,
-                               const unsigned char *hash,
-                               unsigned char *sig )
-{
-    size_t nb_pad, olen;
-    unsigned char *p = sig;
-
-    if( ctx->padding != RSA_PKCS_V15 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    olen = ctx->len;
-
-    switch( hash_id )
-    {
-        case SIG_RSA_RAW:
-            nb_pad = olen - 3 - hashlen;
-            break;
-
-        case SIG_RSA_MD2:
-        case SIG_RSA_MD4:
-        case SIG_RSA_MD5:
-            nb_pad = olen - 3 - 34;
-            break;
-
-        case SIG_RSA_SHA1:
-            nb_pad = olen - 3 - 35;
-            break;
-
-        case SIG_RSA_SHA224:
-            nb_pad = olen - 3 - 47;
-            break;
-
-        case SIG_RSA_SHA256:
-            nb_pad = olen - 3 - 51;
-            break;
-
-        case SIG_RSA_SHA384:
-            nb_pad = olen - 3 - 67;
-            break;
-
-        case SIG_RSA_SHA512:
-            nb_pad = olen - 3 - 83;
-            break;
-
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    if( ( nb_pad < 8 ) || ( nb_pad > olen ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    *p++ = 0;
-    *p++ = RSA_SIGN;
-    memset( p, 0xFF, nb_pad );
-    p += nb_pad;
-    *p++ = 0;
-
-    switch( hash_id )
-    {
-        case SIG_RSA_RAW:
-            memcpy( p, hash, hashlen );
-            break;
-
-        case SIG_RSA_MD2:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 2; break;
-
-        case SIG_RSA_MD4:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 4; break;
-
-        case SIG_RSA_MD5:
-            memcpy( p, ASN1_HASH_MDX, 18 );
-            memcpy( p + 18, hash, 16 );
-            p[13] = 5; break;
-
-        case SIG_RSA_SHA1:
-            memcpy( p, ASN1_HASH_SHA1, 15 );
-            memcpy( p + 15, hash, 20 );
-            break;
-
-        case SIG_RSA_SHA224:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 28 );
-            p[1] += 28; p[14] = 4; p[18] += 28; break;
-
-        case SIG_RSA_SHA256:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 32 );
-            p[1] += 32; p[14] = 1; p[18] += 32; break;
-
-        case SIG_RSA_SHA384:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 48 );
-            p[1] += 48; p[14] = 2; p[18] += 48; break;
-
-        case SIG_RSA_SHA512:
-            memcpy( p, ASN1_HASH_SHA2X, 19 );
-            memcpy( p + 19, hash, 64 );
-            p[1] += 64; p[14] = 3; p[18] += 64; break;
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    return( ( mode == RSA_PUBLIC )
-            ? rsa_public(  ctx, sig, sig )
-            : rsa_private( ctx, sig, sig ) );
-}
-
-/*
- * Do an RSA operation to sign the message digest
- */
-int rsa_pkcs1_sign( rsa_context *ctx,
-                    int (*f_rng)(void *, unsigned char *, size_t),
-                    void *p_rng,
-                    int mode,
-                    int hash_id,
-                    unsigned int hashlen,
-                    const unsigned char *hash,
-                    unsigned char *sig )
-{
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-            return rsa_rsassa_pkcs1_v15_sign( ctx, mode, hash_id,
-                                              hashlen, hash, sig );
-
-#if defined(POLARSSL_PKCS1_V21)
-        case RSA_PKCS_V21:
-            return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, hash_id,
-                                        hashlen, hash, sig );
-#endif
-
-        default:
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-}
-
-#if defined(POLARSSL_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function
- */
-int rsa_rsassa_pss_verify( rsa_context *ctx,
-                           int mode,
-                           int hash_id,
-                           unsigned int hashlen,
-                           const unsigned char *hash,
-                           const unsigned char *sig )
-{
-    int ret;
-    size_t siglen;
-    unsigned char *p;
-    unsigned char buf[POLARSSL_MPI_MAX_SIZE];
-    unsigned char result[POLARSSL_MD_MAX_SIZE];
-    unsigned char zeros[8];
-    unsigned int hlen;
-    size_t slen, msb;
-    const md_info_t *md_info;
-    md_context_t md_ctx;
-
-    if( ctx->padding != RSA_PKCS_V21 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    siglen = ctx->len;
-
-    if( siglen < 16 || siglen > sizeof( buf ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ret = ( mode == RSA_PUBLIC )
-          ? rsa_public(  ctx, sig, buf )
-          : rsa_private( ctx, sig, buf );
-
-    if( ret != 0 )
-        return( ret );
-
-    p = buf;
-
-    if( buf[siglen - 1] != 0xBC )
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-    switch( hash_id )
-    {
-        case SIG_RSA_MD2:
-        case SIG_RSA_MD4:
-        case SIG_RSA_MD5:
-            hashlen = 16;
-            break;
-
-        case SIG_RSA_SHA1:
-            hashlen = 20;
-            break;
-
-        case SIG_RSA_SHA224:
-            hashlen = 28;
-            break;
-
-        case SIG_RSA_SHA256:
-            hashlen = 32;
-            break;
-
-        case SIG_RSA_SHA384:
-            hashlen = 48;
-            break;
-
-        case SIG_RSA_SHA512:
-            hashlen = 64;
-            break;
-
-        default:
-            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-    }
-
-    md_info = md_info_from_type( ctx->hash_id );
-    if( md_info == NULL )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    hlen = md_get_size( md_info );
-    slen = siglen - hlen - 1;
-
-    memset( zeros, 0, 8 );
-
-    // Note: EMSA-PSS verification is over the length of N - 1 bits
-    //
-    msb = mpi_msb( &ctx->N ) - 1;
-
-    // Compensate for boundary condition when applying mask
-    //
-    if( msb % 8 == 0 )
-    {
-        p++;
-        siglen -= 1;
-    }
-    if( buf[0] >> ( 8 - siglen * 8 + msb ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    md_init_ctx( &md_ctx, md_info );
-
-    mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx );
-
-    buf[0] &= 0xFF >> ( siglen * 8 - msb );
-
-    while( *p == 0 && p < buf + siglen )
-        p++;
-
-    if( p == buf + siglen ||
-        *p++ != 0x01 )
-    {
-        md_free_ctx( &md_ctx );
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-
-    slen -= p - buf;
-
-    // Generate H = Hash( M' )
-    //
-    md_starts( &md_ctx );
-    md_update( &md_ctx, zeros, 8 );
-    md_update( &md_ctx, hash, hashlen );
-    md_update( &md_ctx, p, slen );
-    md_finish( &md_ctx, result );
-
-    md_free_ctx( &md_ctx );
-
-    if( memcmp( p + slen, result, hlen ) == 0 )
-        return( 0 );
-    else
-        return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-}
-#endif /* POLARSSL_PKCS1_V21 */
-
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function
- */
-int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
-                                 int mode,
-                                 int hash_id,
-                                 unsigned int hashlen,
-                                 const unsigned char *hash,
-                                 const unsigned char *sig )
-{
-    int ret;
-    size_t len, siglen;
-    unsigned char *p, c;
-    unsigned char buf[POLARSSL_MPI_MAX_SIZE];
-
-    if( ctx->padding != RSA_PKCS_V15 )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    siglen = ctx->len;
-
-    if( siglen < 16 || siglen > sizeof( buf ) )
-        return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
-
-    ret = ( mode == RSA_PUBLIC )
-          ? rsa_public(  ctx, sig, buf )
-          : rsa_private( ctx, sig, buf );
-
-    if( ret != 0 )
-        return( ret );
-
-    p = buf;
-
-    if( *p++ != 0 || *p++ != RSA_SIGN )
-        return( POLARSSL_ERR_RSA_INVALID_PADDING );
-
-    while( *p != 0 )
-    {
-        if( p >= buf + siglen - 1 || *p != 0xFF )
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-        p++;
-    }
-    p++;
-
-    len = siglen - ( p - buf );
-
-    if( len == 33 && hash_id == SIG_RSA_SHA1 )
-    {
-        if( memcmp( p, ASN1_HASH_SHA1_ALT, 13 ) == 0 &&
-                memcmp( p + 13, hash, 20 ) == 0 )
-            return( 0 );
-        else
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-    }
-    if( len == 34 )
-    {
-        c = p[13];
-        p[13] = 0;
-
-        if( memcmp( p, ASN1_HASH_MDX, 18 ) != 0 )
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
-        if( ( c == 2 && hash_id == SIG_RSA_MD2 ) ||
-                ( c == 4 && hash_id == SIG_RSA_MD4 ) ||
-                ( c == 5 && hash_id == SIG_RSA_MD5 ) )
-        {
-            if( memcmp( p + 18, hash, 16 ) == 0 )
-                return( 0 );
-            else
-                return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-        }
-    }
-
-    if( len == 35 && hash_id == SIG_RSA_SHA1 )
-    {
-        if( memcmp( p, ASN1_HASH_SHA1, 15 ) == 0 &&
-                memcmp( p + 15, hash, 20 ) == 0 )
-            return( 0 );
-        else
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-    }
-    if( ( len == 19 + 28 && p[14] == 4 && hash_id == SIG_RSA_SHA224 ) ||
-            ( len == 19 + 32 && p[14] == 1 && hash_id == SIG_RSA_SHA256 ) ||
-            ( len == 19 + 48 && p[14] == 2 && hash_id == SIG_RSA_SHA384 ) ||
-            ( len == 19 + 64 && p[14] == 3 && hash_id == SIG_RSA_SHA512 ) )
-    {
-        c = p[1] - 17;
-        p[1] = 17;
-        p[14] = 0;
-
-        if( p[18] == c &&
-                memcmp( p, ASN1_HASH_SHA2X, 18 ) == 0 &&
-                memcmp( p + 19, hash, c ) == 0 )
-            return( 0 );
-        else
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-    }
-
-    if( len == hashlen && hash_id == SIG_RSA_RAW )
-    {
-        if( memcmp( p, hash, hashlen ) == 0 )
-            return( 0 );
-        else
-            return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-    }
-
-    return( POLARSSL_ERR_RSA_INVALID_PADDING );
-}
-
-/*
- * Do an RSA operation and check the message digest
- */
-int rsa_pkcs1_verify( rsa_context *ctx,
-                      int mode,
-                      int hash_id,
-                      unsigned int hashlen,
-                      const unsigned char *hash,
-                      const unsigned char *sig )
-{
-    switch( ctx->padding )
-    {
-        case RSA_PKCS_V15:
-            return rsa_rsassa_pkcs1_v15_verify( ctx, mode, hash_id,
-                                                hashlen, hash, sig );
-
-#if defined(POLARSSL_PKCS1_V21)
-        case RSA_PKCS_V21:
-            return rsa_rsassa_pss_verify( ctx, mode, hash_id,
-                                          hashlen, hash, sig );
-#endif
-
-        default:
-            return( POLARSSL_ERR_RSA_INVALID_PADDING );
-    }
-}
-
-/*
- * Free the components of an RSA key
- */
-void rsa_free( rsa_context *ctx )
-{
-    mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
-    mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
-    mpi_free( &ctx->Q  ); mpi_free( &ctx->P  ); mpi_free( &ctx->D );
-    mpi_free( &ctx->E  ); mpi_free( &ctx->N  );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-
-#include "polarssl/sha1.h"
-
-/*
- * Example RSA-1024 keypair, for test purposes
- */
-#define KEY_LEN 128
-
-#define RSA_N   "9292758453063D803DD603D5E777D788" \
-                "8ED1D5BF35786190FA2F23EBC0848AEA" \
-                "DDA92CA6C3D80B32C4D109BE0F36D6AE" \
-                "7130B9CED7ACDF54CFC7555AC14EEBAB" \
-                "93A89813FBF3C4F8066D2D800F7C38A8" \
-                "1AE31942917403FF4946B0A83D3D3E05" \
-                "EE57C6F5F5606FB5D4BC6CD34EE0801A" \
-                "5E94BB77B07507233A0BC7BAC8F90F79"
-
-#define RSA_E   "10001"
-
-#define RSA_D   "24BF6185468786FDD303083D25E64EFC" \
-                "66CA472BC44D253102F8B4A9D3BFA750" \
-                "91386C0077937FE33FA3252D28855837" \
-                "AE1B484A8A9A45F7EE8C0C634F99E8CD" \
-                "DF79C5CE07EE72C7F123142198164234" \
-                "CABB724CF78B8173B9F880FC86322407" \
-                "AF1FEDFDDE2BEB674CA15F3E81A1521E" \
-                "071513A1E85B5DFA031F21ECAE91A34D"
-
-#define RSA_P   "C36D0EB7FCD285223CFB5AABA5BDA3D8" \
-                "2C01CAD19EA484A87EA4377637E75500" \
-                "FCB2005C5C7DD6EC4AC023CDA285D796" \
-                "C3D9E75E1EFC42488BB4F1D13AC30A57"
-
-#define RSA_Q   "C000DF51A7C77AE8D7C7370C1FF55B69" \
-                "E211C2B9E5DB1ED0BF61D0D9899620F4" \
-                "910E4168387E3C30AA1E00C339A79508" \
-                "8452DD96A9A5EA5D9DCA68DA636032AF"
-
-#define RSA_DP  "C1ACF567564274FB07A0BBAD5D26E298" \
-                "3C94D22288ACD763FD8E5600ED4A702D" \
-                "F84198A5F06C2E72236AE490C93F07F8" \
-                "3CC559CD27BC2D1CA488811730BB5725"
-
-#define RSA_DQ  "4959CBF6F8FEF750AEE6977C155579C7" \
-                "D8AAEA56749EA28623272E4F7D0592AF" \
-                "7C1F1313CAC9471B5C523BFE592F517B" \
-                "407A1BD76C164B93DA2D32A383E58357"
-
-#define RSA_QP  "9AE7FBC99546432DF71896FC239EADAE" \
-                "F38D18D2B2F0E2DD275AA977E2BF4411" \
-                "F5A3B2A5D33605AEBBCCBA7FEB9F2D2F" \
-                "A74206CEC169D74BF5A8C50D6F48EA08"
-
-#define PT_LEN  24
-#define RSA_PT  "\xAA\xBB\xCC\x03\x02\x01\x00\xFF\xFF\xFF\xFF\xFF" \
-                "\x11\x22\x33\x0A\x0B\x0C\xCC\xDD\xDD\xDD\xDD\xDD"
-
-static int myrand( void *rng_state, unsigned char *output, size_t len )
-{
-    size_t i;
-
-    if( rng_state != NULL )
-        rng_state  = NULL;
-
-    for( i = 0; i < len; ++i )
-        output[i] = rand();
-    
-    return( 0 );
-}
-
-/*
- * Checkup routine
- */
-int rsa_self_test( int verbose )
-{
-    size_t len;
-    rsa_context rsa;
-    unsigned char rsa_plaintext[PT_LEN];
-    unsigned char rsa_decrypted[PT_LEN];
-    unsigned char rsa_ciphertext[KEY_LEN];
-#if defined(POLARSSL_SHA1_C)
-    unsigned char sha1sum[20];
-#endif
-
-    rsa_init( &rsa, RSA_PKCS_V15, 0 );
-
-    rsa.len = KEY_LEN;
-    mpi_read_string( &rsa.N , 16, RSA_N  );
-    mpi_read_string( &rsa.E , 16, RSA_E  );
-    mpi_read_string( &rsa.D , 16, RSA_D  );
-    mpi_read_string( &rsa.P , 16, RSA_P  );
-    mpi_read_string( &rsa.Q , 16, RSA_Q  );
-    mpi_read_string( &rsa.DP, 16, RSA_DP );
-    mpi_read_string( &rsa.DQ, 16, RSA_DQ );
-    mpi_read_string( &rsa.QP, 16, RSA_QP );
-
-    if( verbose != 0 )
-        printf( "  RSA key validation: " );
-
-    if( rsa_check_pubkey(  &rsa ) != 0 ||
-        rsa_check_privkey( &rsa ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 encryption : " );
-
-    memcpy( rsa_plaintext, RSA_PT, PT_LEN );
-
-    if( rsa_pkcs1_encrypt( &rsa, &myrand, NULL, RSA_PUBLIC, PT_LEN,
-                           rsa_plaintext, rsa_ciphertext ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 decryption : " );
-
-    if( rsa_pkcs1_decrypt( &rsa, RSA_PRIVATE, &len,
-                           rsa_ciphertext, rsa_decrypted,
-                           sizeof(rsa_decrypted) ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( memcmp( rsa_decrypted, rsa_plaintext, len ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-#if defined(POLARSSL_SHA1_C)
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 data sign  : " );
-
-    sha1( rsa_plaintext, PT_LEN, sha1sum );
-
-    if( rsa_pkcs1_sign( &rsa, NULL, NULL, RSA_PRIVATE, SIG_RSA_SHA1, 20,
-                        sha1sum, rsa_ciphertext ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n  PKCS#1 sig. verify: " );
-
-    if( rsa_pkcs1_verify( &rsa, RSA_PUBLIC, SIG_RSA_SHA1, 20,
-                          sha1sum, rsa_ciphertext ) != 0 )
-    {
-        if( verbose != 0 )
-            printf( "failed\n" );
-
-        return( 1 );
-    }
-
-    if( verbose != 0 )
-        printf( "passed\n\n" );
-#endif /* POLARSSL_SHA1_C */
-
-    rsa_free( &rsa );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/rsa.h b/makerom/polarssl/rsa.h
deleted file mode 100644
index 9b9060fa..00000000
--- a/makerom/polarssl/rsa.h
+++ /dev/null
@@ -1,597 +0,0 @@
-/**
- * \file rsa.h
- *
- * \brief The RSA public-key cryptosystem
- *
- *  Copyright (C) 2006-2010, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_RSA_H
-#define POLARSSL_RSA_H
-
-#include "polarssl/bignum.h"
-
-/*
- * RSA Error codes
- */
-#define POLARSSL_ERR_RSA_BAD_INPUT_DATA                    -0x4080  /**< Bad input parameters to function. */
-#define POLARSSL_ERR_RSA_INVALID_PADDING                   -0x4100  /**< Input data contains invalid padding and is rejected. */
-#define POLARSSL_ERR_RSA_KEY_GEN_FAILED                    -0x4180  /**< Something failed during generation of a key. */
-#define POLARSSL_ERR_RSA_KEY_CHECK_FAILED                  -0x4200  /**< Key failed to pass the libraries validity check. */
-#define POLARSSL_ERR_RSA_PUBLIC_FAILED                     -0x4280  /**< The public key operation failed. */
-#define POLARSSL_ERR_RSA_PRIVATE_FAILED                    -0x4300  /**< The private key operation failed. */
-#define POLARSSL_ERR_RSA_VERIFY_FAILED                     -0x4380  /**< The PKCS#1 verification failed. */
-#define POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE                  -0x4400  /**< The output buffer for decryption is not large enough. */
-#define POLARSSL_ERR_RSA_RNG_FAILED                        -0x4480  /**< The random generator failed to generate non-zeros. */
-
-/*
- * PKCS#1 constants
- */
-#define SIG_RSA_RAW     0
-#define SIG_RSA_MD2     2
-#define SIG_RSA_MD4     3
-#define SIG_RSA_MD5     4
-#define SIG_RSA_SHA1    5
-#define SIG_RSA_SHA224 14
-#define SIG_RSA_SHA256 11
-#define SIG_RSA_SHA384 12
-#define SIG_RSA_SHA512 13
-
-#define RSA_PUBLIC      0
-#define RSA_PRIVATE     1
-
-#define RSA_PKCS_V15    0
-#define RSA_PKCS_V21    1
-
-#define RSA_SIGN        1
-#define RSA_CRYPT       2
-
-#define ASN1_STR_CONSTRUCTED_SEQUENCE   "\x30"
-#define ASN1_STR_NULL                   "\x05"
-#define ASN1_STR_OID                    "\x06"
-#define ASN1_STR_OCTET_STRING           "\x04"
-
-#define OID_DIGEST_ALG_MDX              "\x2A\x86\x48\x86\xF7\x0D\x02\x00"
-#define OID_HASH_ALG_SHA1               "\x2b\x0e\x03\x02\x1a"
-#define OID_HASH_ALG_SHA2X              "\x60\x86\x48\x01\x65\x03\x04\x02\x00"
-
-#define OID_ISO_MEMBER_BODIES           "\x2a"
-#define OID_ISO_IDENTIFIED_ORG          "\x2b"
-
-/*
- * ISO Member bodies OID parts
- */
-#define OID_COUNTRY_US                  "\x86\x48"
-#define OID_RSA_DATA_SECURITY           "\x86\xf7\x0d"
-
-/*
- * ISO Identified organization OID parts
- */
-#define OID_OIW_SECSIG_SHA1             "\x0e\x03\x02\x1a"
-
-/*
- * DigestInfo ::= SEQUENCE {
- *   digestAlgorithm DigestAlgorithmIdentifier,
- *   digest Digest }
- *
- * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
- *
- * Digest ::= OCTET STRING
- */
-#define ASN1_HASH_MDX                           \
-(                                               \
-    ASN1_STR_CONSTRUCTED_SEQUENCE "\x20"        \
-      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0C"      \
-        ASN1_STR_OID "\x08"                     \
-      OID_DIGEST_ALG_MDX                        \
-    ASN1_STR_NULL "\x00"                        \
-      ASN1_STR_OCTET_STRING "\x10"              \
-)
-
-#define ASN1_HASH_SHA1                          \
-    ASN1_STR_CONSTRUCTED_SEQUENCE "\x21"        \
-      ASN1_STR_CONSTRUCTED_SEQUENCE "\x09"      \
-        ASN1_STR_OID "\x05"                     \
-      OID_HASH_ALG_SHA1                         \
-        ASN1_STR_NULL "\x00"                    \
-      ASN1_STR_OCTET_STRING "\x14"
-
-#define ASN1_HASH_SHA1_ALT                      \
-    ASN1_STR_CONSTRUCTED_SEQUENCE "\x1F"        \
-      ASN1_STR_CONSTRUCTED_SEQUENCE "\x07"      \
-        ASN1_STR_OID "\x05"                     \
-      OID_HASH_ALG_SHA1                         \
-      ASN1_STR_OCTET_STRING "\x14"
-
-#define ASN1_HASH_SHA2X                         \
-    ASN1_STR_CONSTRUCTED_SEQUENCE "\x11"        \
-      ASN1_STR_CONSTRUCTED_SEQUENCE "\x0d"      \
-        ASN1_STR_OID "\x09"                     \
-      OID_HASH_ALG_SHA2X                        \
-        ASN1_STR_NULL "\x00"                    \
-      ASN1_STR_OCTET_STRING "\x00"
-
-/**
- * \brief          RSA context structure
- */
-typedef struct
-{
-    int ver;                    /*!<  always 0          */
-    size_t len;                 /*!<  size(N) in chars  */
-
-    mpi N;                      /*!<  public modulus    */
-    mpi E;                      /*!<  public exponent   */
-
-    mpi D;                      /*!<  private exponent  */
-    mpi P;                      /*!<  1st prime factor  */
-    mpi Q;                      /*!<  2nd prime factor  */
-    mpi DP;                     /*!<  D % (P - 1)       */
-    mpi DQ;                     /*!<  D % (Q - 1)       */
-    mpi QP;                     /*!<  1 / (Q % P)       */
-
-    mpi RN;                     /*!<  cached R^2 mod N  */
-    mpi RP;                     /*!<  cached R^2 mod P  */
-    mpi RQ;                     /*!<  cached R^2 mod Q  */
-
-    int padding;                /*!<  RSA_PKCS_V15 for 1.5 padding and
-                                      RSA_PKCS_v21 for OAEP/PSS         */
-    int hash_id;                /*!<  Hash identifier of md_type_t as
-                                      specified in the md.h header file
-                                      for the EME-OAEP and EMSA-PSS
-                                      encoding                          */
-}
-rsa_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Initialize an RSA context
- *
- *                 Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP
- *                 encryption scheme and the RSASSA-PSS signature scheme.
- *
- * \param ctx      RSA context to be initialized
- * \param padding  RSA_PKCS_V15 or RSA_PKCS_V21
- * \param hash_id  RSA_PKCS_V21 hash identifier
- *
- * \note           The hash_id parameter is actually ignored
- *                 when using RSA_PKCS_V15 padding.
- */
-void rsa_init( rsa_context *ctx,
-               int padding,
-               int hash_id);
-
-/**
- * \brief          Generate an RSA keypair
- *
- * \param ctx      RSA context that will hold the key
- * \param f_rng    RNG function
- * \param p_rng    RNG parameter
- * \param nbits    size of the public key in bits
- * \param exponent public exponent (e.g., 65537)
- *
- * \note           rsa_init() must be called beforehand to setup
- *                 the RSA context.
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- */
-int rsa_gen_key( rsa_context *ctx,
-                 int (*f_rng)(void *, unsigned char *, size_t),
-                 void *p_rng,
-                 unsigned int nbits, int exponent );
-
-/**
- * \brief          Check a public RSA key
- *
- * \param ctx      RSA context to be checked
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- */
-int rsa_check_pubkey( const rsa_context *ctx );
-
-/**
- * \brief          Check a private RSA key
- *
- * \param ctx      RSA context to be checked
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- */
-int rsa_check_privkey( const rsa_context *ctx );
-
-/**
- * \brief          Do an RSA public key operation
- *
- * \param ctx      RSA context
- * \param input    input buffer
- * \param output   output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           This function does NOT take care of message
- *                 padding. Also, be sure to set input[0] = 0 or assure that
- *                 input is smaller than N.
- *
- * \note           The input and output buffers must be large
- *                 enough (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_public( rsa_context *ctx,
-                const unsigned char *input,
-                unsigned char *output );
-
-/**
- * \brief          Do an RSA private key operation
- *
- * \param ctx      RSA context
- * \param input    input buffer
- * \param output   output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The input and output buffers must be large
- *                 enough (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_private( rsa_context *ctx,
-                 const unsigned char *input,
-                 unsigned char *output );
-
-/**
- * \brief          Generic wrapper to perform a PKCS#1 encryption using the
- *                 mode from the context. Add the message padding, then do an
- *                 RSA operation.
- *
- * \param ctx      RSA context
- * \param f_rng    RNG function (Needed for padding and PKCS#1 v2.1 encoding)
- * \param p_rng    RNG parameter
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param ilen     contains the plaintext length
- * \param input    buffer holding the data to be encrypted
- * \param output   buffer that will hold the ciphertext
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_pkcs1_encrypt( rsa_context *ctx,
-                       int (*f_rng)(void *, unsigned char *, size_t),
-                       void *p_rng,
-                       int mode, size_t ilen,
-                       const unsigned char *input,
-                       unsigned char *output );
-
-/**
- * \brief          Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
- *
- * \param ctx      RSA context
- * \param f_rng    RNG function (Needed for padding)
- * \param p_rng    RNG parameter
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param ilen     contains the plaintext length
- * \param input    buffer holding the data to be encrypted
- * \param output   buffer that will hold the ciphertext
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_rsaes_pkcs1_v15_encrypt( rsa_context *ctx,
-                                 int (*f_rng)(void *, unsigned char *, size_t),
-                                 void *p_rng,
-                                 int mode, size_t ilen,
-                                 const unsigned char *input,
-                                 unsigned char *output );
-
-/**
- * \brief          Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
- *
- * \param ctx      RSA context
- * \param f_rng    RNG function (Needed for padding and PKCS#1 v2.1 encoding)
- * \param p_rng    RNG parameter
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param label    buffer holding the custom label to use
- * \param label_len contains the label length
- * \param ilen     contains the plaintext length
- * \param input    buffer holding the data to be encrypted
- * \param output   buffer that will hold the ciphertext
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_rsaes_oaep_encrypt( rsa_context *ctx,
-                            int (*f_rng)(void *, unsigned char *, size_t),
-                            void *p_rng,
-                            int mode,
-                            const unsigned char *label, size_t label_len,
-                            size_t ilen,
-                            const unsigned char *input,
-                            unsigned char *output );
-
-/**
- * \brief          Generic wrapper to perform a PKCS#1 decryption using the
- *                 mode from the context. Do an RSA operation, then remove
- *                 the message padding
- *
- * \param ctx      RSA context
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param olen     will contain the plaintext length
- * \param input    buffer holding the encrypted data
- * \param output   buffer that will hold the plaintext
- * \param output_max_len    maximum length of the output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- *                 an error is thrown.
- */
-int rsa_pkcs1_decrypt( rsa_context *ctx,
-                       int mode, size_t *olen,
-                       const unsigned char *input,
-                       unsigned char *output,
-                       size_t output_max_len );
-
-/**
- * \brief          Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
- *
- * \param ctx      RSA context
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param olen     will contain the plaintext length
- * \param input    buffer holding the encrypted data
- * \param output   buffer that will hold the plaintext
- * \param output_max_len    maximum length of the output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- *                 an error is thrown.
- */
-int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
-                                 int mode, size_t *olen,
-                                 const unsigned char *input,
-                                 unsigned char *output,
-                                 size_t output_max_len );
-
-/**
- * \brief          Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
- *
- * \param ctx      RSA context
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param label    buffer holding the custom label to use
- * \param label_len contains the label length
- * \param olen     will contain the plaintext length
- * \param input    buffer holding the encrypted data
- * \param output   buffer that will hold the plaintext
- * \param output_max_len    maximum length of the output buffer
- *
- * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The output buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
- *                 an error is thrown.
- */
-int rsa_rsaes_oaep_decrypt( rsa_context *ctx,
-                            int mode,
-                            const unsigned char *label, size_t label_len,
-                            size_t *olen,
-                            const unsigned char *input,
-                            unsigned char *output,
-                            size_t output_max_len );
-
-/**
- * \brief          Generic wrapper to perform a PKCS#1 signature using the
- *                 mode from the context. Do a private RSA operation to sign
- *                 a message digest
- *
- * \param ctx      RSA context
- * \param f_rng    RNG function (Needed for PKCS#1 v2.1 encoding)
- * \param p_rng    RNG parameter
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer that will hold the ciphertext
- *
- * \return         0 if the signing operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- *
- * \note           In case of PKCS#1 v2.1 encoding keep in mind that
- *                 the hash_id in the RSA context is the one used for the
- *                 encoding. hash_id in the function call is the type of hash
- *                 that is encoded. According to RFC 3447 it is advised to
- *                 keep both hashes the same.
- */
-int rsa_pkcs1_sign( rsa_context *ctx,
-                    int (*f_rng)(void *, unsigned char *, size_t),
-                    void *p_rng,
-                    int mode,
-                    int hash_id,
-                    unsigned int hashlen,
-                    const unsigned char *hash,
-                    unsigned char *sig );
-
-/**
- * \brief          Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
- *
- * \param ctx      RSA context
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer that will hold the ciphertext
- *
- * \return         0 if the signing operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
-                               int mode,
-                               int hash_id,
-                               unsigned int hashlen,
-                               const unsigned char *hash,
-                               unsigned char *sig );
-
-/**
- * \brief          Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
- *
- * \param ctx      RSA context
- * \param f_rng    RNG function (Needed for PKCS#1 v2.1 encoding)
- * \param p_rng    RNG parameter
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer that will hold the ciphertext
- *
- * \return         0 if the signing operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- *
- * \note           In case of PKCS#1 v2.1 encoding keep in mind that
- *                 the hash_id in the RSA context is the one used for the
- *                 encoding. hash_id in the function call is the type of hash
- *                 that is encoded. According to RFC 3447 it is advised to
- *                 keep both hashes the same.
- */
-int rsa_rsassa_pss_sign( rsa_context *ctx,
-                         int (*f_rng)(void *, unsigned char *, size_t),
-                         void *p_rng,
-                         int mode,
-                         int hash_id,
-                         unsigned int hashlen,
-                         const unsigned char *hash,
-                         unsigned char *sig );
-
-/**
- * \brief          Generic wrapper to perform a PKCS#1 verification using the
- *                 mode from the context. Do a public RSA operation and check
- *                 the message digest
- *
- * \param ctx      points to an RSA public key
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer holding the ciphertext
- *
- * \return         0 if the verify operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- *
- * \note           In case of PKCS#1 v2.1 encoding keep in mind that
- *                 the hash_id in the RSA context is the one used for the
- *                 verification. hash_id in the function call is the type of hash
- *                 that is verified. According to RFC 3447 it is advised to
- *                 keep both hashes the same.
- */
-int rsa_pkcs1_verify( rsa_context *ctx,
-                      int mode,
-                      int hash_id,
-                      unsigned int hashlen,
-                      const unsigned char *hash,
-                      const unsigned char *sig );
-
-/**
- * \brief          Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
- *
- * \param ctx      points to an RSA public key
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer holding the ciphertext
- *
- * \return         0 if the verify operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- */
-int rsa_rsassa_pkcs1_v15_verify( rsa_context *ctx,
-                                 int mode,
-                                 int hash_id,
-                                 unsigned int hashlen,
-                                 const unsigned char *hash,
-                                 const unsigned char *sig );
-
-/**
- * \brief          Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
- * \brief          Do a public RSA and check the message digest
- *
- * \param ctx      points to an RSA public key
- * \param mode     RSA_PUBLIC or RSA_PRIVATE
- * \param hash_id  SIG_RSA_RAW, SIG_RSA_MD{2,4,5} or SIG_RSA_SHA{1,224,256,384,512}
- * \param hashlen  message digest length (for SIG_RSA_RAW only)
- * \param hash     buffer holding the message digest
- * \param sig      buffer holding the ciphertext
- *
- * \return         0 if the verify operation was successful,
- *                 or an POLARSSL_ERR_RSA_XXX error code
- *
- * \note           The "sig" buffer must be as large as the size
- *                 of ctx->N (eg. 128 bytes if RSA-1024 is used).
- *
- * \note           In case of PKCS#1 v2.1 encoding keep in mind that
- *                 the hash_id in the RSA context is the one used for the
- *                 verification. hash_id in the function call is the type of hash
- *                 that is verified. According to RFC 3447 it is advised to
- *                 keep both hashes the same.
- */
-int rsa_rsassa_pss_verify( rsa_context *ctx,
-                           int mode,
-                           int hash_id,
-                           unsigned int hashlen,
-                           const unsigned char *hash,
-                           const unsigned char *sig );
-
-/**
- * \brief          Free the components of an RSA key
- *
- * \param ctx      RSA Context to free
- */
-void rsa_free( rsa_context *ctx );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int rsa_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* rsa.h */
diff --git a/makerom/polarssl/sha1.c b/makerom/polarssl/sha1.c
deleted file mode 100644
index b301b097..00000000
--- a/makerom/polarssl/sha1.c
+++ /dev/null
@@ -1,624 +0,0 @@
-/*
- *  FIPS-180-1 compliant SHA-1 implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The SHA-1 standard was published by NIST in 1993.
- *
- *  http://www.itl.nist.gov/fipspubs/fip180-1.htm
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SHA1_C)
-
-#include "polarssl/sha1.h"
-
-#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
-#include <stdio.h>
-#endif
-
-#if !defined(POLARSSL_SHA1_ALT)
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 3]       );            \
-}
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-/*
- * SHA-1 context setup
- */
-void sha1_starts( sha1_context *ctx )
-{
-    ctx->total[0] = 0;
-    ctx->total[1] = 0;
-
-    ctx->state[0] = 0x67452301;
-    ctx->state[1] = 0xEFCDAB89;
-    ctx->state[2] = 0x98BADCFE;
-    ctx->state[3] = 0x10325476;
-    ctx->state[4] = 0xC3D2E1F0;
-}
-
-void sha1_process( sha1_context *ctx, const unsigned char data[64] )
-{
-    uint32_t temp, W[16], A, B, C, D, E;
-
-    GET_UINT32_BE( W[ 0], data,  0 );
-    GET_UINT32_BE( W[ 1], data,  4 );
-    GET_UINT32_BE( W[ 2], data,  8 );
-    GET_UINT32_BE( W[ 3], data, 12 );
-    GET_UINT32_BE( W[ 4], data, 16 );
-    GET_UINT32_BE( W[ 5], data, 20 );
-    GET_UINT32_BE( W[ 6], data, 24 );
-    GET_UINT32_BE( W[ 7], data, 28 );
-    GET_UINT32_BE( W[ 8], data, 32 );
-    GET_UINT32_BE( W[ 9], data, 36 );
-    GET_UINT32_BE( W[10], data, 40 );
-    GET_UINT32_BE( W[11], data, 44 );
-    GET_UINT32_BE( W[12], data, 48 );
-    GET_UINT32_BE( W[13], data, 52 );
-    GET_UINT32_BE( W[14], data, 56 );
-    GET_UINT32_BE( W[15], data, 60 );
-
-#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
-
-#define R(t)                                            \
-(                                                       \
-    temp = W[(t -  3) & 0x0F] ^ W[(t - 8) & 0x0F] ^     \
-           W[(t - 14) & 0x0F] ^ W[ t      & 0x0F],      \
-    ( W[t & 0x0F] = S(temp,1) )                         \
-)
-
-#define P(a,b,c,d,e,x)                                  \
-{                                                       \
-    e += S(a,5) + F(b,c,d) + K + x; b = S(b,30);        \
-}
-
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-    E = ctx->state[4];
-
-#define F(x,y,z) (z ^ (x & (y ^ z)))
-#define K 0x5A827999
-
-    P( A, B, C, D, E, W[0]  );
-    P( E, A, B, C, D, W[1]  );
-    P( D, E, A, B, C, W[2]  );
-    P( C, D, E, A, B, W[3]  );
-    P( B, C, D, E, A, W[4]  );
-    P( A, B, C, D, E, W[5]  );
-    P( E, A, B, C, D, W[6]  );
-    P( D, E, A, B, C, W[7]  );
-    P( C, D, E, A, B, W[8]  );
-    P( B, C, D, E, A, W[9]  );
-    P( A, B, C, D, E, W[10] );
-    P( E, A, B, C, D, W[11] );
-    P( D, E, A, B, C, W[12] );
-    P( C, D, E, A, B, W[13] );
-    P( B, C, D, E, A, W[14] );
-    P( A, B, C, D, E, W[15] );
-    P( E, A, B, C, D, R(16) );
-    P( D, E, A, B, C, R(17) );
-    P( C, D, E, A, B, R(18) );
-    P( B, C, D, E, A, R(19) );
-
-#undef K
-#undef F
-
-#define F(x,y,z) (x ^ y ^ z)
-#define K 0x6ED9EBA1
-
-    P( A, B, C, D, E, R(20) );
-    P( E, A, B, C, D, R(21) );
-    P( D, E, A, B, C, R(22) );
-    P( C, D, E, A, B, R(23) );
-    P( B, C, D, E, A, R(24) );
-    P( A, B, C, D, E, R(25) );
-    P( E, A, B, C, D, R(26) );
-    P( D, E, A, B, C, R(27) );
-    P( C, D, E, A, B, R(28) );
-    P( B, C, D, E, A, R(29) );
-    P( A, B, C, D, E, R(30) );
-    P( E, A, B, C, D, R(31) );
-    P( D, E, A, B, C, R(32) );
-    P( C, D, E, A, B, R(33) );
-    P( B, C, D, E, A, R(34) );
-    P( A, B, C, D, E, R(35) );
-    P( E, A, B, C, D, R(36) );
-    P( D, E, A, B, C, R(37) );
-    P( C, D, E, A, B, R(38) );
-    P( B, C, D, E, A, R(39) );
-
-#undef K
-#undef F
-
-#define F(x,y,z) ((x & y) | (z & (x | y)))
-#define K 0x8F1BBCDC
-
-    P( A, B, C, D, E, R(40) );
-    P( E, A, B, C, D, R(41) );
-    P( D, E, A, B, C, R(42) );
-    P( C, D, E, A, B, R(43) );
-    P( B, C, D, E, A, R(44) );
-    P( A, B, C, D, E, R(45) );
-    P( E, A, B, C, D, R(46) );
-    P( D, E, A, B, C, R(47) );
-    P( C, D, E, A, B, R(48) );
-    P( B, C, D, E, A, R(49) );
-    P( A, B, C, D, E, R(50) );
-    P( E, A, B, C, D, R(51) );
-    P( D, E, A, B, C, R(52) );
-    P( C, D, E, A, B, R(53) );
-    P( B, C, D, E, A, R(54) );
-    P( A, B, C, D, E, R(55) );
-    P( E, A, B, C, D, R(56) );
-    P( D, E, A, B, C, R(57) );
-    P( C, D, E, A, B, R(58) );
-    P( B, C, D, E, A, R(59) );
-
-#undef K
-#undef F
-
-#define F(x,y,z) (x ^ y ^ z)
-#define K 0xCA62C1D6
-
-    P( A, B, C, D, E, R(60) );
-    P( E, A, B, C, D, R(61) );
-    P( D, E, A, B, C, R(62) );
-    P( C, D, E, A, B, R(63) );
-    P( B, C, D, E, A, R(64) );
-    P( A, B, C, D, E, R(65) );
-    P( E, A, B, C, D, R(66) );
-    P( D, E, A, B, C, R(67) );
-    P( C, D, E, A, B, R(68) );
-    P( B, C, D, E, A, R(69) );
-    P( A, B, C, D, E, R(70) );
-    P( E, A, B, C, D, R(71) );
-    P( D, E, A, B, C, R(72) );
-    P( C, D, E, A, B, R(73) );
-    P( B, C, D, E, A, R(74) );
-    P( A, B, C, D, E, R(75) );
-    P( E, A, B, C, D, R(76) );
-    P( D, E, A, B, C, R(77) );
-    P( C, D, E, A, B, R(78) );
-    P( B, C, D, E, A, R(79) );
-
-#undef K
-#undef F
-
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-    ctx->state[4] += E;
-}
-
-/*
- * SHA-1 process buffer
- */
-void sha1_update( sha1_context *ctx, const unsigned char *input, size_t ilen )
-{
-    size_t fill;
-    uint32_t left;
-
-    if( ilen <= 0 )
-        return;
-
-    left = ctx->total[0] & 0x3F;
-    fill = 64 - left;
-
-    ctx->total[0] += (uint32_t) ilen;
-    ctx->total[0] &= 0xFFFFFFFF;
-
-    if( ctx->total[0] < (uint32_t) ilen )
-        ctx->total[1]++;
-
-    if( left && ilen >= fill )
-    {
-        memcpy( (void *) (ctx->buffer + left), input, fill );
-        sha1_process( ctx, ctx->buffer );
-        input += fill;
-        ilen  -= fill;
-        left = 0;
-    }
-
-    while( ilen >= 64 )
-    {
-        sha1_process( ctx, input );
-        input += 64;
-        ilen  -= 64;
-    }
-
-    if( ilen > 0 )
-        memcpy( (void *) (ctx->buffer + left), input, ilen );
-}
-
-static const unsigned char sha1_padding[64] =
-{
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/*
- * SHA-1 final digest
- */
-void sha1_finish( sha1_context *ctx, unsigned char output[20] )
-{
-    uint32_t last, padn;
-    uint32_t high, low;
-    unsigned char msglen[8];
-
-    high = ( ctx->total[0] >> 29 )
-         | ( ctx->total[1] <<  3 );
-    low  = ( ctx->total[0] <<  3 );
-
-    PUT_UINT32_BE( high, msglen, 0 );
-    PUT_UINT32_BE( low,  msglen, 4 );
-
-    last = ctx->total[0] & 0x3F;
-    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
-
-    sha1_update( ctx, sha1_padding, padn );
-    sha1_update( ctx, msglen, 8 );
-
-    PUT_UINT32_BE( ctx->state[0], output,  0 );
-    PUT_UINT32_BE( ctx->state[1], output,  4 );
-    PUT_UINT32_BE( ctx->state[2], output,  8 );
-    PUT_UINT32_BE( ctx->state[3], output, 12 );
-    PUT_UINT32_BE( ctx->state[4], output, 16 );
-}
-
-#endif /* !POLARSSL_SHA1_ALT */
-
-/*
- * output = SHA-1( input buffer )
- */
-void sha1( const unsigned char *input, size_t ilen, unsigned char output[20] )
-{
-    sha1_context ctx;
-
-    sha1_starts( &ctx );
-    sha1_update( &ctx, input, ilen );
-    sha1_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha1_context ) );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * output = SHA-1( file contents )
- */
-int sha1_file( const char *path, unsigned char output[20] )
-{
-    FILE *f;
-    size_t n;
-    sha1_context ctx;
-    unsigned char buf[1024];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_SHA1_FILE_IO_ERROR );
-
-    sha1_starts( &ctx );
-
-    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
-        sha1_update( &ctx, buf, n );
-
-    sha1_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha1_context ) );
-
-    if( ferror( f ) != 0 )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_SHA1_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * SHA-1 HMAC context setup
- */
-void sha1_hmac_starts( sha1_context *ctx, const unsigned char *key, size_t keylen )
-{
-    size_t i;
-    unsigned char sum[20];
-
-    if( keylen > 64 )
-    {
-        sha1( key, keylen, sum );
-        keylen = 20;
-        key = sum;
-    }
-
-    memset( ctx->ipad, 0x36, 64 );
-    memset( ctx->opad, 0x5C, 64 );
-
-    for( i = 0; i < keylen; i++ )
-    {
-        ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
-        ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
-    }
-
-    sha1_starts( ctx );
-    sha1_update( ctx, ctx->ipad, 64 );
-
-    memset( sum, 0, sizeof( sum ) );
-}
-
-/*
- * SHA-1 HMAC process buffer
- */
-void sha1_hmac_update( sha1_context *ctx, const unsigned char *input, size_t ilen )
-{
-    sha1_update( ctx, input, ilen );
-}
-
-/*
- * SHA-1 HMAC final digest
- */
-void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] )
-{
-    unsigned char tmpbuf[20];
-
-    sha1_finish( ctx, tmpbuf );
-    sha1_starts( ctx );
-    sha1_update( ctx, ctx->opad, 64 );
-    sha1_update( ctx, tmpbuf, 20 );
-    sha1_finish( ctx, output );
-
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
-}
-
-/*
- * SHA1 HMAC context reset
- */
-void sha1_hmac_reset( sha1_context *ctx )
-{
-    sha1_starts( ctx );
-    sha1_update( ctx, ctx->ipad, 64 );
-}
-
-/*
- * output = HMAC-SHA-1( hmac key, input buffer )
- */
-void sha1_hmac( const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char output[20] )
-{
-    sha1_context ctx;
-
-    sha1_hmac_starts( &ctx, key, keylen );
-    sha1_hmac_update( &ctx, input, ilen );
-    sha1_hmac_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha1_context ) );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-/*
- * FIPS-180-1 test vectors
- */
-static unsigned char sha1_test_buf[3][57] = 
-{
-    { "abc" },
-    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
-    { "" }
-};
-
-static const int sha1_test_buflen[3] =
-{
-    3, 56, 1000
-};
-
-static const unsigned char sha1_test_sum[3][20] =
-{
-    { 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
-      0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
-    { 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
-      0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
-    { 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
-      0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
-};
-
-/*
- * RFC 2202 test vectors
- */
-static unsigned char sha1_hmac_test_key[7][26] =
-{
-    { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
-      "\x0B\x0B\x0B\x0B" },
-    { "Jefe" },
-    { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-      "\xAA\xAA\xAA\xAA" },
-    { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
-      "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
-    { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
-      "\x0C\x0C\x0C\x0C" },
-    { "" }, /* 0xAA 80 times */
-    { "" }
-};
-
-static const int sha1_hmac_test_keylen[7] =
-{
-    20, 4, 20, 25, 20, 80, 80
-};
-
-static unsigned char sha1_hmac_test_buf[7][74] =
-{
-    { "Hi There" },
-    { "what do ya want for nothing?" },
-    { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
-    { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
-    { "Test With Truncation" },
-    { "Test Using Larger Than Block-Size Key - Hash Key First" },
-    { "Test Using Larger Than Block-Size Key and Larger"
-      " Than One Block-Size Data" }
-};
-
-static const int sha1_hmac_test_buflen[7] =
-{
-    8, 28, 50, 50, 20, 54, 73
-};
-
-static const unsigned char sha1_hmac_test_sum[7][20] =
-{
-    { 0xB6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64, 0xE2, 0x8B,
-      0xC0, 0xB6, 0xFB, 0x37, 0x8C, 0x8E, 0xF1, 0x46, 0xBE, 0x00 },
-    { 0xEF, 0xFC, 0xDF, 0x6A, 0xE5, 0xEB, 0x2F, 0xA2, 0xD2, 0x74,
-      0x16, 0xD5, 0xF1, 0x84, 0xDF, 0x9C, 0x25, 0x9A, 0x7C, 0x79 },
-    { 0x12, 0x5D, 0x73, 0x42, 0xB9, 0xAC, 0x11, 0xCD, 0x91, 0xA3,
-      0x9A, 0xF4, 0x8A, 0xA1, 0x7B, 0x4F, 0x63, 0xF1, 0x75, 0xD3 },
-    { 0x4C, 0x90, 0x07, 0xF4, 0x02, 0x62, 0x50, 0xC6, 0xBC, 0x84,
-      0x14, 0xF9, 0xBF, 0x50, 0xC8, 0x6C, 0x2D, 0x72, 0x35, 0xDA },
-    { 0x4C, 0x1A, 0x03, 0x42, 0x4B, 0x55, 0xE0, 0x7F, 0xE7, 0xF2,
-      0x7B, 0xE1 },
-    { 0xAA, 0x4A, 0xE5, 0xE1, 0x52, 0x72, 0xD0, 0x0E, 0x95, 0x70,
-      0x56, 0x37, 0xCE, 0x8A, 0x3B, 0x55, 0xED, 0x40, 0x21, 0x12 },
-    { 0xE8, 0xE9, 0x9D, 0x0F, 0x45, 0x23, 0x7D, 0x78, 0x6D, 0x6B,
-      0xBA, 0xA7, 0x96, 0x5C, 0x78, 0x08, 0xBB, 0xFF, 0x1A, 0x91 }
-};
-
-/*
- * Checkup routine
- */
-int sha1_self_test( int verbose )
-{
-    int i, j, buflen;
-    unsigned char buf[1024];
-    unsigned char sha1sum[20];
-    sha1_context ctx;
-
-    /*
-     * SHA-1
-     */
-    for( i = 0; i < 3; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  SHA-1 test #%d: ", i + 1 );
-
-        sha1_starts( &ctx );
-
-        if( i == 2 )
-        {
-            memset( buf, 'a', buflen = 1000 );
-
-            for( j = 0; j < 1000; j++ )
-                sha1_update( &ctx, buf, buflen );
-        }
-        else
-            sha1_update( &ctx, sha1_test_buf[i],
-                               sha1_test_buflen[i] );
-
-        sha1_finish( &ctx, sha1sum );
-
-        if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    for( i = 0; i < 7; i++ )
-    {
-        if( verbose != 0 )
-            printf( "  HMAC-SHA-1 test #%d: ", i + 1 );
-
-        if( i == 5 || i == 6 )
-        {
-            memset( buf, '\xAA', buflen = 80 );
-            sha1_hmac_starts( &ctx, buf, buflen );
-        }
-        else
-            sha1_hmac_starts( &ctx, sha1_hmac_test_key[i],
-                                    sha1_hmac_test_keylen[i] );
-
-        sha1_hmac_update( &ctx, sha1_hmac_test_buf[i],
-                                sha1_hmac_test_buflen[i] );
-
-        sha1_hmac_finish( &ctx, sha1sum );
-
-        buflen = ( i == 4 ) ? 12 : 20;
-
-        if( memcmp( sha1sum, sha1_hmac_test_sum[i], buflen ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/sha1.h b/makerom/polarssl/sha1.h
deleted file mode 100644
index ac7e5d35..00000000
--- a/makerom/polarssl/sha1.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/**
- * \file sha1.h
- *
- * \brief SHA-1 cryptographic hash function
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_SHA1_H
-#define POLARSSL_SHA1_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define POLARSSL_ERR_SHA1_FILE_IO_ERROR                -0x0076  /**< Read/write error in file. */
-
-#if !defined(POLARSSL_SHA1_ALT)
-// Regular implementation
-//
-
-/**
- * \brief          SHA-1 context structure
- */
-typedef struct
-{
-    uint32_t total[2];          /*!< number of bytes processed  */
-    uint32_t state[5];          /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
-
-    unsigned char ipad[64];     /*!< HMAC: inner padding        */
-    unsigned char opad[64];     /*!< HMAC: outer padding        */
-}
-sha1_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          SHA-1 context setup
- *
- * \param ctx      context to be initialized
- */
-void sha1_starts( sha1_context *ctx );
-
-/**
- * \brief          SHA-1 process buffer
- *
- * \param ctx      SHA-1 context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha1_update( sha1_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          SHA-1 final digest
- *
- * \param ctx      SHA-1 context
- * \param output   SHA-1 checksum result
- */
-void sha1_finish( sha1_context *ctx, unsigned char output[20] );
-
-/* Internal use */
-void sha1_process( sha1_context *ctx, const unsigned char data[64] );
-
-#ifdef __cplusplus
-}
-#endif
-
-#else  /* POLARSSL_SHA1_ALT */
-#include "polarssl/sha1_alt.h"
-#endif /* POLARSSL_SHA1_ALT */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Output = SHA-1( input buffer )
- *
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   SHA-1 checksum result
- */
-void sha1( const unsigned char *input, size_t ilen, unsigned char output[20] );
-
-/**
- * \brief          Output = SHA-1( file contents )
- *
- * \param path     input file name
- * \param output   SHA-1 checksum result
- *
- * \return         0 if successful, or POLARSSL_ERR_SHA1_FILE_IO_ERROR
- */
-int sha1_file( const char *path, unsigned char output[20] );
-
-/**
- * \brief          SHA-1 HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- */
-void sha1_hmac_starts( sha1_context *ctx, const unsigned char *key, size_t keylen );
-
-/**
- * \brief          SHA-1 HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha1_hmac_update( sha1_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          SHA-1 HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   SHA-1 HMAC checksum result
- */
-void sha1_hmac_finish( sha1_context *ctx, unsigned char output[20] );
-
-/**
- * \brief          SHA-1 HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- */
-void sha1_hmac_reset( sha1_context *ctx );
-
-/**
- * \brief          Output = HMAC-SHA-1( hmac key, input buffer )
- *
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   HMAC-SHA-1 result
- */
-void sha1_hmac( const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char output[20] );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int sha1_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* sha1.h */
diff --git a/makerom/polarssl/sha2.c b/makerom/polarssl/sha2.c
deleted file mode 100644
index 20772eca..00000000
--- a/makerom/polarssl/sha2.c
+++ /dev/null
@@ -1,705 +0,0 @@
-/*
- *  FIPS-180-2 compliant SHA-256 implementation
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-/*
- *  The SHA-256 Secure Hash Standard was published by NIST in 2002.
- *
- *  http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
- */
-
-#include "polarssl/config.h"
-
-#if defined(POLARSSL_SHA2_C)
-
-#include "polarssl/sha2.h"
-
-#if defined(POLARSSL_FS_IO) || defined(POLARSSL_SELF_TEST)
-#include <stdio.h>
-#endif
-
-#if !defined(POLARSSL_SHA2_ALT)
-
-/*
- * 32-bit integer manipulation macros (big endian)
- */
-#ifndef GET_UINT32_BE
-#define GET_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
-        | ( (uint32_t) (b)[(i) + 1] << 16 )             \
-        | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
-        | ( (uint32_t) (b)[(i) + 3]       );            \
-}
-#endif
-
-#ifndef PUT_UINT32_BE
-#define PUT_UINT32_BE(n,b,i)                            \
-{                                                       \
-    (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
-    (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
-    (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
-    (b)[(i) + 3] = (unsigned char) ( (n)       );       \
-}
-#endif
-
-/*
- * SHA-256 context setup
- */
-void sha2_starts( sha2_context *ctx, int is224 )
-{
-    ctx->total[0] = 0;
-    ctx->total[1] = 0;
-
-    if( is224 == 0 )
-    {
-        /* SHA-256 */
-        ctx->state[0] = 0x6A09E667;
-        ctx->state[1] = 0xBB67AE85;
-        ctx->state[2] = 0x3C6EF372;
-        ctx->state[3] = 0xA54FF53A;
-        ctx->state[4] = 0x510E527F;
-        ctx->state[5] = 0x9B05688C;
-        ctx->state[6] = 0x1F83D9AB;
-        ctx->state[7] = 0x5BE0CD19;
-    }
-    else
-    {
-        /* SHA-224 */
-        ctx->state[0] = 0xC1059ED8;
-        ctx->state[1] = 0x367CD507;
-        ctx->state[2] = 0x3070DD17;
-        ctx->state[3] = 0xF70E5939;
-        ctx->state[4] = 0xFFC00B31;
-        ctx->state[5] = 0x68581511;
-        ctx->state[6] = 0x64F98FA7;
-        ctx->state[7] = 0xBEFA4FA4;
-    }
-
-    ctx->is224 = is224;
-}
-
-void sha2_process( sha2_context *ctx, const unsigned char data[64] )
-{
-    uint32_t temp1, temp2, W[64];
-    uint32_t A, B, C, D, E, F, G, H;
-
-    GET_UINT32_BE( W[ 0], data,  0 );
-    GET_UINT32_BE( W[ 1], data,  4 );
-    GET_UINT32_BE( W[ 2], data,  8 );
-    GET_UINT32_BE( W[ 3], data, 12 );
-    GET_UINT32_BE( W[ 4], data, 16 );
-    GET_UINT32_BE( W[ 5], data, 20 );
-    GET_UINT32_BE( W[ 6], data, 24 );
-    GET_UINT32_BE( W[ 7], data, 28 );
-    GET_UINT32_BE( W[ 8], data, 32 );
-    GET_UINT32_BE( W[ 9], data, 36 );
-    GET_UINT32_BE( W[10], data, 40 );
-    GET_UINT32_BE( W[11], data, 44 );
-    GET_UINT32_BE( W[12], data, 48 );
-    GET_UINT32_BE( W[13], data, 52 );
-    GET_UINT32_BE( W[14], data, 56 );
-    GET_UINT32_BE( W[15], data, 60 );
-
-#define  SHR(x,n) ((x & 0xFFFFFFFF) >> n)
-#define ROTR(x,n) (SHR(x,n) | (x << (32 - n)))
-
-#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^  SHR(x, 3))
-#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^  SHR(x,10))
-
-#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
-#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
-
-#define F0(x,y,z) ((x & y) | (z & (x | y)))
-#define F1(x,y,z) (z ^ (x & (y ^ z)))
-
-#define R(t)                                    \
-(                                               \
-    W[t] = S1(W[t -  2]) + W[t -  7] +          \
-           S0(W[t - 15]) + W[t - 16]            \
-)
-
-#define P(a,b,c,d,e,f,g,h,x,K)                  \
-{                                               \
-    temp1 = h + S3(e) + F1(e,f,g) + K + x;      \
-    temp2 = S2(a) + F0(a,b,c);                  \
-    d += temp1; h = temp1 + temp2;              \
-}
-
-    A = ctx->state[0];
-    B = ctx->state[1];
-    C = ctx->state[2];
-    D = ctx->state[3];
-    E = ctx->state[4];
-    F = ctx->state[5];
-    G = ctx->state[6];
-    H = ctx->state[7];
-
-    P( A, B, C, D, E, F, G, H, W[ 0], 0x428A2F98 );
-    P( H, A, B, C, D, E, F, G, W[ 1], 0x71374491 );
-    P( G, H, A, B, C, D, E, F, W[ 2], 0xB5C0FBCF );
-    P( F, G, H, A, B, C, D, E, W[ 3], 0xE9B5DBA5 );
-    P( E, F, G, H, A, B, C, D, W[ 4], 0x3956C25B );
-    P( D, E, F, G, H, A, B, C, W[ 5], 0x59F111F1 );
-    P( C, D, E, F, G, H, A, B, W[ 6], 0x923F82A4 );
-    P( B, C, D, E, F, G, H, A, W[ 7], 0xAB1C5ED5 );
-    P( A, B, C, D, E, F, G, H, W[ 8], 0xD807AA98 );
-    P( H, A, B, C, D, E, F, G, W[ 9], 0x12835B01 );
-    P( G, H, A, B, C, D, E, F, W[10], 0x243185BE );
-    P( F, G, H, A, B, C, D, E, W[11], 0x550C7DC3 );
-    P( E, F, G, H, A, B, C, D, W[12], 0x72BE5D74 );
-    P( D, E, F, G, H, A, B, C, W[13], 0x80DEB1FE );
-    P( C, D, E, F, G, H, A, B, W[14], 0x9BDC06A7 );
-    P( B, C, D, E, F, G, H, A, W[15], 0xC19BF174 );
-    P( A, B, C, D, E, F, G, H, R(16), 0xE49B69C1 );
-    P( H, A, B, C, D, E, F, G, R(17), 0xEFBE4786 );
-    P( G, H, A, B, C, D, E, F, R(18), 0x0FC19DC6 );
-    P( F, G, H, A, B, C, D, E, R(19), 0x240CA1CC );
-    P( E, F, G, H, A, B, C, D, R(20), 0x2DE92C6F );
-    P( D, E, F, G, H, A, B, C, R(21), 0x4A7484AA );
-    P( C, D, E, F, G, H, A, B, R(22), 0x5CB0A9DC );
-    P( B, C, D, E, F, G, H, A, R(23), 0x76F988DA );
-    P( A, B, C, D, E, F, G, H, R(24), 0x983E5152 );
-    P( H, A, B, C, D, E, F, G, R(25), 0xA831C66D );
-    P( G, H, A, B, C, D, E, F, R(26), 0xB00327C8 );
-    P( F, G, H, A, B, C, D, E, R(27), 0xBF597FC7 );
-    P( E, F, G, H, A, B, C, D, R(28), 0xC6E00BF3 );
-    P( D, E, F, G, H, A, B, C, R(29), 0xD5A79147 );
-    P( C, D, E, F, G, H, A, B, R(30), 0x06CA6351 );
-    P( B, C, D, E, F, G, H, A, R(31), 0x14292967 );
-    P( A, B, C, D, E, F, G, H, R(32), 0x27B70A85 );
-    P( H, A, B, C, D, E, F, G, R(33), 0x2E1B2138 );
-    P( G, H, A, B, C, D, E, F, R(34), 0x4D2C6DFC );
-    P( F, G, H, A, B, C, D, E, R(35), 0x53380D13 );
-    P( E, F, G, H, A, B, C, D, R(36), 0x650A7354 );
-    P( D, E, F, G, H, A, B, C, R(37), 0x766A0ABB );
-    P( C, D, E, F, G, H, A, B, R(38), 0x81C2C92E );
-    P( B, C, D, E, F, G, H, A, R(39), 0x92722C85 );
-    P( A, B, C, D, E, F, G, H, R(40), 0xA2BFE8A1 );
-    P( H, A, B, C, D, E, F, G, R(41), 0xA81A664B );
-    P( G, H, A, B, C, D, E, F, R(42), 0xC24B8B70 );
-    P( F, G, H, A, B, C, D, E, R(43), 0xC76C51A3 );
-    P( E, F, G, H, A, B, C, D, R(44), 0xD192E819 );
-    P( D, E, F, G, H, A, B, C, R(45), 0xD6990624 );
-    P( C, D, E, F, G, H, A, B, R(46), 0xF40E3585 );
-    P( B, C, D, E, F, G, H, A, R(47), 0x106AA070 );
-    P( A, B, C, D, E, F, G, H, R(48), 0x19A4C116 );
-    P( H, A, B, C, D, E, F, G, R(49), 0x1E376C08 );
-    P( G, H, A, B, C, D, E, F, R(50), 0x2748774C );
-    P( F, G, H, A, B, C, D, E, R(51), 0x34B0BCB5 );
-    P( E, F, G, H, A, B, C, D, R(52), 0x391C0CB3 );
-    P( D, E, F, G, H, A, B, C, R(53), 0x4ED8AA4A );
-    P( C, D, E, F, G, H, A, B, R(54), 0x5B9CCA4F );
-    P( B, C, D, E, F, G, H, A, R(55), 0x682E6FF3 );
-    P( A, B, C, D, E, F, G, H, R(56), 0x748F82EE );
-    P( H, A, B, C, D, E, F, G, R(57), 0x78A5636F );
-    P( G, H, A, B, C, D, E, F, R(58), 0x84C87814 );
-    P( F, G, H, A, B, C, D, E, R(59), 0x8CC70208 );
-    P( E, F, G, H, A, B, C, D, R(60), 0x90BEFFFA );
-    P( D, E, F, G, H, A, B, C, R(61), 0xA4506CEB );
-    P( C, D, E, F, G, H, A, B, R(62), 0xBEF9A3F7 );
-    P( B, C, D, E, F, G, H, A, R(63), 0xC67178F2 );
-
-    ctx->state[0] += A;
-    ctx->state[1] += B;
-    ctx->state[2] += C;
-    ctx->state[3] += D;
-    ctx->state[4] += E;
-    ctx->state[5] += F;
-    ctx->state[6] += G;
-    ctx->state[7] += H;
-}
-
-/*
- * SHA-256 process buffer
- */
-void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
-{
-    size_t fill;
-    uint32_t left;
-
-    if( ilen <= 0 )
-        return;
-
-    left = ctx->total[0] & 0x3F;
-    fill = 64 - left;
-
-    ctx->total[0] += (uint32_t) ilen;
-    ctx->total[0] &= 0xFFFFFFFF;
-
-    if( ctx->total[0] < (uint32_t) ilen )
-        ctx->total[1]++;
-
-    if( left && ilen >= fill )
-    {
-        memcpy( (void *) (ctx->buffer + left), input, fill );
-        sha2_process( ctx, ctx->buffer );
-        input += fill;
-        ilen  -= fill;
-        left = 0;
-    }
-
-    while( ilen >= 64 )
-    {
-        sha2_process( ctx, input );
-        input += 64;
-        ilen  -= 64;
-    }
-
-    if( ilen > 0 )
-        memcpy( (void *) (ctx->buffer + left), input, ilen );
-}
-
-static const unsigned char sha2_padding[64] =
-{
- 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-
-/*
- * SHA-256 final digest
- */
-void sha2_finish( sha2_context *ctx, unsigned char output[32] )
-{
-    uint32_t last, padn;
-    uint32_t high, low;
-    unsigned char msglen[8];
-
-    high = ( ctx->total[0] >> 29 )
-         | ( ctx->total[1] <<  3 );
-    low  = ( ctx->total[0] <<  3 );
-
-    PUT_UINT32_BE( high, msglen, 0 );
-    PUT_UINT32_BE( low,  msglen, 4 );
-
-    last = ctx->total[0] & 0x3F;
-    padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
-
-    sha2_update( ctx, sha2_padding, padn );
-    sha2_update( ctx, msglen, 8 );
-
-    PUT_UINT32_BE( ctx->state[0], output,  0 );
-    PUT_UINT32_BE( ctx->state[1], output,  4 );
-    PUT_UINT32_BE( ctx->state[2], output,  8 );
-    PUT_UINT32_BE( ctx->state[3], output, 12 );
-    PUT_UINT32_BE( ctx->state[4], output, 16 );
-    PUT_UINT32_BE( ctx->state[5], output, 20 );
-    PUT_UINT32_BE( ctx->state[6], output, 24 );
-
-    if( ctx->is224 == 0 )
-        PUT_UINT32_BE( ctx->state[7], output, 28 );
-}
-
-#endif /* !POLARSSL_SHA2_ALT */
-
-/*
- * output = SHA-256( input buffer )
- */
-void sha2( const unsigned char *input, size_t ilen,
-           unsigned char output[32], int is224 )
-{
-    sha2_context ctx;
-
-    sha2_starts( &ctx, is224 );
-    sha2_update( &ctx, input, ilen );
-    sha2_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha2_context ) );
-}
-
-#if defined(POLARSSL_FS_IO)
-/*
- * output = SHA-256( file contents )
- */
-int sha2_file( const char *path, unsigned char output[32], int is224 )
-{
-    FILE *f;
-    size_t n;
-    sha2_context ctx;
-    unsigned char buf[1024];
-
-    if( ( f = fopen( path, "rb" ) ) == NULL )
-        return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
-
-    sha2_starts( &ctx, is224 );
-
-    while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
-        sha2_update( &ctx, buf, n );
-
-    sha2_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha2_context ) );
-
-    if( ferror( f ) != 0 )
-    {
-        fclose( f );
-        return( POLARSSL_ERR_SHA2_FILE_IO_ERROR );
-    }
-
-    fclose( f );
-    return( 0 );
-}
-#endif /* POLARSSL_FS_IO */
-
-/*
- * SHA-256 HMAC context setup
- */
-void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
-                       int is224 )
-{
-    size_t i;
-    unsigned char sum[32];
-
-    if( keylen > 64 )
-    {
-        sha2( key, keylen, sum, is224 );
-        keylen = ( is224 ) ? 28 : 32;
-        key = sum;
-    }
-
-    memset( ctx->ipad, 0x36, 64 );
-    memset( ctx->opad, 0x5C, 64 );
-
-    for( i = 0; i < keylen; i++ )
-    {
-        ctx->ipad[i] = (unsigned char)( ctx->ipad[i] ^ key[i] );
-        ctx->opad[i] = (unsigned char)( ctx->opad[i] ^ key[i] );
-    }
-
-    sha2_starts( ctx, is224 );
-    sha2_update( ctx, ctx->ipad, 64 );
-
-    memset( sum, 0, sizeof( sum ) );
-}
-
-/*
- * SHA-256 HMAC process buffer
- */
-void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen )
-{
-    sha2_update( ctx, input, ilen );
-}
-
-/*
- * SHA-256 HMAC final digest
- */
-void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] )
-{
-    int is224, hlen;
-    unsigned char tmpbuf[32];
-
-    is224 = ctx->is224;
-    hlen = ( is224 == 0 ) ? 32 : 28;
-
-    sha2_finish( ctx, tmpbuf );
-    sha2_starts( ctx, is224 );
-    sha2_update( ctx, ctx->opad, 64 );
-    sha2_update( ctx, tmpbuf, hlen );
-    sha2_finish( ctx, output );
-
-    memset( tmpbuf, 0, sizeof( tmpbuf ) );
-}
-
-/*
- * SHA-256 HMAC context reset
- */
-void sha2_hmac_reset( sha2_context *ctx )
-{
-    sha2_starts( ctx, ctx->is224 );
-    sha2_update( ctx, ctx->ipad, 64 );
-}
-
-/*
- * output = HMAC-SHA-256( hmac key, input buffer )
- */
-void sha2_hmac( const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char output[32], int is224 )
-{
-    sha2_context ctx;
-
-    sha2_hmac_starts( &ctx, key, keylen, is224 );
-    sha2_hmac_update( &ctx, input, ilen );
-    sha2_hmac_finish( &ctx, output );
-
-    memset( &ctx, 0, sizeof( sha2_context ) );
-}
-
-#if defined(POLARSSL_SELF_TEST)
-/*
- * FIPS-180-2 test vectors
- */
-static unsigned char sha2_test_buf[3][57] = 
-{
-    { "abc" },
-    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
-    { "" }
-};
-
-static const int sha2_test_buflen[3] =
-{
-    3, 56, 1000
-};
-
-static const unsigned char sha2_test_sum[6][32] =
-{
-    /*
-     * SHA-224 test vectors
-     */
-    { 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
-      0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
-      0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
-      0xE3, 0x6C, 0x9D, 0xA7 },
-    { 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
-      0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
-      0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
-      0x52, 0x52, 0x25, 0x25 },
-    { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
-      0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
-      0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
-      0x4E, 0xE7, 0xAD, 0x67 },
-
-    /*
-     * SHA-256 test vectors
-     */
-    { 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
-      0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
-      0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
-      0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
-    { 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
-      0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
-      0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
-      0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
-    { 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
-      0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
-      0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
-      0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
-};
-
-/*
- * RFC 4231 test vectors
- */
-static unsigned char sha2_hmac_test_key[7][26] =
-{
-    { "\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B"
-      "\x0B\x0B\x0B\x0B" },
-    { "Jefe" },
-    { "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA"
-      "\xAA\xAA\xAA\xAA" },
-    { "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F\x10"
-      "\x11\x12\x13\x14\x15\x16\x17\x18\x19" },
-    { "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
-      "\x0C\x0C\x0C\x0C" },
-    { "" }, /* 0xAA 131 times */
-    { "" }
-};
-
-static const int sha2_hmac_test_keylen[7] =
-{
-    20, 4, 20, 25, 20, 131, 131
-};
-
-static unsigned char sha2_hmac_test_buf[7][153] =
-{
-    { "Hi There" },
-    { "what do ya want for nothing?" },
-    { "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
-      "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD" },
-    { "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD"
-      "\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD\xCD" },
-    { "Test With Truncation" },
-    { "Test Using Larger Than Block-Size Key - Hash Key First" },
-    { "This is a test using a larger than block-size key "
-      "and a larger than block-size data. The key needs to "
-      "be hashed before being used by the HMAC algorithm." }
-};
-
-static const int sha2_hmac_test_buflen[7] =
-{
-    8, 28, 50, 50, 20, 54, 152
-};
-
-static const unsigned char sha2_hmac_test_sum[14][32] =
-{
-    /*
-     * HMAC-SHA-224 test vectors
-     */
-    { 0x89, 0x6F, 0xB1, 0x12, 0x8A, 0xBB, 0xDF, 0x19,
-      0x68, 0x32, 0x10, 0x7C, 0xD4, 0x9D, 0xF3, 0x3F,
-      0x47, 0xB4, 0xB1, 0x16, 0x99, 0x12, 0xBA, 0x4F,
-      0x53, 0x68, 0x4B, 0x22 },
-    { 0xA3, 0x0E, 0x01, 0x09, 0x8B, 0xC6, 0xDB, 0xBF,
-      0x45, 0x69, 0x0F, 0x3A, 0x7E, 0x9E, 0x6D, 0x0F,
-      0x8B, 0xBE, 0xA2, 0xA3, 0x9E, 0x61, 0x48, 0x00,
-      0x8F, 0xD0, 0x5E, 0x44 },
-    { 0x7F, 0xB3, 0xCB, 0x35, 0x88, 0xC6, 0xC1, 0xF6,
-      0xFF, 0xA9, 0x69, 0x4D, 0x7D, 0x6A, 0xD2, 0x64,
-      0x93, 0x65, 0xB0, 0xC1, 0xF6, 0x5D, 0x69, 0xD1,
-      0xEC, 0x83, 0x33, 0xEA },
-    { 0x6C, 0x11, 0x50, 0x68, 0x74, 0x01, 0x3C, 0xAC,
-      0x6A, 0x2A, 0xBC, 0x1B, 0xB3, 0x82, 0x62, 0x7C,
-      0xEC, 0x6A, 0x90, 0xD8, 0x6E, 0xFC, 0x01, 0x2D,
-      0xE7, 0xAF, 0xEC, 0x5A },
-    { 0x0E, 0x2A, 0xEA, 0x68, 0xA9, 0x0C, 0x8D, 0x37,
-      0xC9, 0x88, 0xBC, 0xDB, 0x9F, 0xCA, 0x6F, 0xA8 },
-    { 0x95, 0xE9, 0xA0, 0xDB, 0x96, 0x20, 0x95, 0xAD,
-      0xAE, 0xBE, 0x9B, 0x2D, 0x6F, 0x0D, 0xBC, 0xE2,
-      0xD4, 0x99, 0xF1, 0x12, 0xF2, 0xD2, 0xB7, 0x27,
-      0x3F, 0xA6, 0x87, 0x0E },
-    { 0x3A, 0x85, 0x41, 0x66, 0xAC, 0x5D, 0x9F, 0x02,
-      0x3F, 0x54, 0xD5, 0x17, 0xD0, 0xB3, 0x9D, 0xBD,
-      0x94, 0x67, 0x70, 0xDB, 0x9C, 0x2B, 0x95, 0xC9,
-      0xF6, 0xF5, 0x65, 0xD1 },
-
-    /*
-     * HMAC-SHA-256 test vectors
-     */
-    { 0xB0, 0x34, 0x4C, 0x61, 0xD8, 0xDB, 0x38, 0x53,
-      0x5C, 0xA8, 0xAF, 0xCE, 0xAF, 0x0B, 0xF1, 0x2B,
-      0x88, 0x1D, 0xC2, 0x00, 0xC9, 0x83, 0x3D, 0xA7,
-      0x26, 0xE9, 0x37, 0x6C, 0x2E, 0x32, 0xCF, 0xF7 },
-    { 0x5B, 0xDC, 0xC1, 0x46, 0xBF, 0x60, 0x75, 0x4E,
-      0x6A, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xC7,
-      0x5A, 0x00, 0x3F, 0x08, 0x9D, 0x27, 0x39, 0x83,
-      0x9D, 0xEC, 0x58, 0xB9, 0x64, 0xEC, 0x38, 0x43 },
-    { 0x77, 0x3E, 0xA9, 0x1E, 0x36, 0x80, 0x0E, 0x46,
-      0x85, 0x4D, 0xB8, 0xEB, 0xD0, 0x91, 0x81, 0xA7,
-      0x29, 0x59, 0x09, 0x8B, 0x3E, 0xF8, 0xC1, 0x22,
-      0xD9, 0x63, 0x55, 0x14, 0xCE, 0xD5, 0x65, 0xFE },
-    { 0x82, 0x55, 0x8A, 0x38, 0x9A, 0x44, 0x3C, 0x0E,
-      0xA4, 0xCC, 0x81, 0x98, 0x99, 0xF2, 0x08, 0x3A,
-      0x85, 0xF0, 0xFA, 0xA3, 0xE5, 0x78, 0xF8, 0x07,
-      0x7A, 0x2E, 0x3F, 0xF4, 0x67, 0x29, 0x66, 0x5B },
-    { 0xA3, 0xB6, 0x16, 0x74, 0x73, 0x10, 0x0E, 0xE0,
-      0x6E, 0x0C, 0x79, 0x6C, 0x29, 0x55, 0x55, 0x2B },
-    { 0x60, 0xE4, 0x31, 0x59, 0x1E, 0xE0, 0xB6, 0x7F,
-      0x0D, 0x8A, 0x26, 0xAA, 0xCB, 0xF5, 0xB7, 0x7F,
-      0x8E, 0x0B, 0xC6, 0x21, 0x37, 0x28, 0xC5, 0x14,
-      0x05, 0x46, 0x04, 0x0F, 0x0E, 0xE3, 0x7F, 0x54 },
-    { 0x9B, 0x09, 0xFF, 0xA7, 0x1B, 0x94, 0x2F, 0xCB,
-      0x27, 0x63, 0x5F, 0xBC, 0xD5, 0xB0, 0xE9, 0x44,
-      0xBF, 0xDC, 0x63, 0x64, 0x4F, 0x07, 0x13, 0x93,
-      0x8A, 0x7F, 0x51, 0x53, 0x5C, 0x3A, 0x35, 0xE2 }
-};
-
-/*
- * Checkup routine
- */
-int sha2_self_test( int verbose )
-{
-    int i, j, k, buflen;
-    unsigned char buf[1024];
-    unsigned char sha2sum[32];
-    sha2_context ctx;
-
-    for( i = 0; i < 6; i++ )
-    {
-        j = i % 3;
-        k = i < 3;
-
-        if( verbose != 0 )
-            printf( "  SHA-%d test #%d: ", 256 - k * 32, j + 1 );
-
-        sha2_starts( &ctx, k );
-
-        if( j == 2 )
-        {
-            memset( buf, 'a', buflen = 1000 );
-
-            for( j = 0; j < 1000; j++ )
-                sha2_update( &ctx, buf, buflen );
-        }
-        else
-            sha2_update( &ctx, sha2_test_buf[j],
-                               sha2_test_buflen[j] );
-
-        sha2_finish( &ctx, sha2sum );
-
-        if( memcmp( sha2sum, sha2_test_sum[i], 32 - k * 4 ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    for( i = 0; i < 14; i++ )
-    {
-        j = i % 7;
-        k = i < 7;
-
-        if( verbose != 0 )
-            printf( "  HMAC-SHA-%d test #%d: ", 256 - k * 32, j + 1 );
-
-        if( j == 5 || j == 6 )
-        {
-            memset( buf, '\xAA', buflen = 131 );
-            sha2_hmac_starts( &ctx, buf, buflen, k );
-        }
-        else
-            sha2_hmac_starts( &ctx, sha2_hmac_test_key[j],
-                                    sha2_hmac_test_keylen[j], k );
-
-        sha2_hmac_update( &ctx, sha2_hmac_test_buf[j],
-                                sha2_hmac_test_buflen[j] );
-
-        sha2_hmac_finish( &ctx, sha2sum );
-
-        buflen = ( j == 4 ) ? 16 : 32 - k * 4;
-
-        if( memcmp( sha2sum, sha2_hmac_test_sum[i], buflen ) != 0 )
-        {
-            if( verbose != 0 )
-                printf( "failed\n" );
-
-            return( 1 );
-        }
-
-        if( verbose != 0 )
-            printf( "passed\n" );
-    }
-
-    if( verbose != 0 )
-        printf( "\n" );
-
-    return( 0 );
-}
-
-#endif
-
-#endif
diff --git a/makerom/polarssl/sha2.h b/makerom/polarssl/sha2.h
deleted file mode 100644
index cbc0724c..00000000
--- a/makerom/polarssl/sha2.h
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * \file sha2.h
- *
- * \brief SHA-224 and SHA-256 cryptographic hash function
- *
- *  Copyright (C) 2006-2013, Brainspark B.V.
- *
- *  This file is part of PolarSSL (http://www.polarssl.org)
- *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
- *
- *  All rights reserved.
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 2 of the License, or
- *  (at your option) any later version.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifndef POLARSSL_SHA2_H
-#define POLARSSL_SHA2_H
-
-#include "polarssl/config.h"
-
-#include <string.h>
-
-#ifdef _MSC_VER
-#include <basetsd.h>
-typedef UINT32 uint32_t;
-#else
-#include <inttypes.h>
-#endif
-
-#define POLARSSL_ERR_SHA2_FILE_IO_ERROR                -0x0078  /**< Read/write error in file. */
-
-// Regular implementation
-//
-
-/**
- * \brief          SHA-256 context structure
- */
-typedef struct
-{
-    uint32_t total[2];          /*!< number of bytes processed  */
-    uint32_t state[8];          /*!< intermediate digest state  */
-    unsigned char buffer[64];   /*!< data block being processed */
-
-    unsigned char ipad[64];     /*!< HMAC: inner padding        */
-    unsigned char opad[64];     /*!< HMAC: outer padding        */
-    int is224;                  /*!< 0 => SHA-256, else SHA-224 */
-}
-sha2_context;
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          SHA-256 context setup
- *
- * \param ctx      context to be initialized
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2_starts( sha2_context *ctx, int is224 );
-
-/**
- * \brief          SHA-256 process buffer
- *
- * \param ctx      SHA-256 context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha2_update( sha2_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          SHA-256 final digest
- *
- * \param ctx      SHA-256 context
- * \param output   SHA-224/256 checksum result
- */
-void sha2_finish( sha2_context *ctx, unsigned char output[32] );
-
-/* Internal use */
-void sha2_process( sha2_context *ctx, const unsigned char data[64] );
-
-#ifdef __cplusplus
-}
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/**
- * \brief          Output = SHA-256( input buffer )
- *
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   SHA-224/256 checksum result
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2( const unsigned char *input, size_t ilen,
-           unsigned char output[32], int is224 );
-
-/**
- * \brief          Output = SHA-256( file contents )
- *
- * \param path     input file name
- * \param output   SHA-224/256 checksum result
- * \param is224    0 = use SHA256, 1 = use SHA224
- *
- * \return         0 if successful, or POLARSSL_ERR_SHA2_FILE_IO_ERROR
- */
-int sha2_file( const char *path, unsigned char output[32], int is224 );
-
-/**
- * \brief          SHA-256 HMAC context setup
- *
- * \param ctx      HMAC context to be initialized
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2_hmac_starts( sha2_context *ctx, const unsigned char *key, size_t keylen,
-                       int is224 );
-
-/**
- * \brief          SHA-256 HMAC process buffer
- *
- * \param ctx      HMAC context
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- */
-void sha2_hmac_update( sha2_context *ctx, const unsigned char *input, size_t ilen );
-
-/**
- * \brief          SHA-256 HMAC final digest
- *
- * \param ctx      HMAC context
- * \param output   SHA-224/256 HMAC checksum result
- */
-void sha2_hmac_finish( sha2_context *ctx, unsigned char output[32] );
-
-/**
- * \brief          SHA-256 HMAC context reset
- *
- * \param ctx      HMAC context to be reset
- */
-void sha2_hmac_reset( sha2_context *ctx );
-
-/**
- * \brief          Output = HMAC-SHA-256( hmac key, input buffer )
- *
- * \param key      HMAC secret key
- * \param keylen   length of the HMAC key
- * \param input    buffer holding the  data
- * \param ilen     length of the input data
- * \param output   HMAC-SHA-224/256 result
- * \param is224    0 = use SHA256, 1 = use SHA224
- */
-void sha2_hmac( const unsigned char *key, size_t keylen,
-                const unsigned char *input, size_t ilen,
-                unsigned char output[32], int is224 );
-
-/**
- * \brief          Checkup routine
- *
- * \return         0 if successful, or 1 if the test failed
- */
-int sha2_self_test( int verbose );
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* sha2.h */
diff --git a/makerom/readme b/makerom/readme
deleted file mode 100644
index 033d4b20..00000000
--- a/makerom/readme
+++ /dev/null
@@ -1,3 +0,0 @@
-CTR MAKEROM
-
-For details on usage see here: http://3dbrew.org/wiki/Makerom
diff --git a/makerom/accessdesc.c b/makerom/src/accessdesc.c
similarity index 90%
rename from makerom/accessdesc.c
rename to makerom/src/accessdesc.c
index 0e44788b..8da8d353 100644
--- a/makerom/accessdesc.c
+++ b/makerom/src/accessdesc.c
@@ -6,8 +6,8 @@
 #include "desc/presets.h"
 #include "desc/dev_sigdata.h"
 
-const int RSF_RSA_DATA_LEN = 344;
-const int RSF_DESC_DATA_LEN = 684;
+const size_t RSF_RSA_DATA_LEN = 344;
+const size_t RSF_DESC_DATA_LEN = 684;
 
 
 int accessdesc_SignWithKey(exheader_settings *exhdrset);
@@ -47,12 +47,20 @@ int accessdesc_SignWithKey(exheader_settings *exhdrset)
 	/* Sign AccessDesc */
 	if (Rsa2048Key_CanSign(&exhdrset->keys->rsa.acex) == false)
 	{
-		printf("[ACEXDESC WARNING] Failed to sign access descriptor\n");
+		printf("[ACEXDESC WARNING] Failed to sign access descriptor (key was incomplete)\n");
 		memset(exhdrset->acexDesc->signature, 0xFF, 0x100);
 		return 0;
 	}
 
-	return SignAccessDesc(exhdrset->acexDesc, exhdrset->keys);
+	int rsa_ret = SignAccessDesc(exhdrset->acexDesc, exhdrset->keys);
+	if (rsa_ret != 0)
+	{
+		printf("[ACEXDESC WARNING] Failed to sign access descriptor (mbedtls error = -0x%x)\n", -rsa_ret);
+		memset(exhdrset->acexDesc->signature, 0xFF, 0x100);
+		return 0;
+	}
+
+	return 0;
 }
 
 int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
@@ -68,7 +76,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.D) != RSF_RSA_DATA_LEN){
-		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/D\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.D));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/D\" has invalid length (%d)\n", (int)b64_strlen(exhdrset->rsf->CommonHeaderKey.D));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
@@ -77,7 +85,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.Modulus) != RSF_RSA_DATA_LEN){
-		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Modulus\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.Modulus));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Modulus\" has invalid length (%d)\n", (int)b64_strlen(exhdrset->rsf->CommonHeaderKey.Modulus));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
@@ -86,7 +94,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescSign) != RSF_RSA_DATA_LEN){
-		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Signature\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Signature\" has invalid length (%d)\n", (int)b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescSign));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
@@ -95,7 +103,7 @@ int accessdesc_GetSignFromRsf(exheader_settings *exhdrset)
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 	if(b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin) != RSF_DESC_DATA_LEN){
-		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Descriptor\" has invalid length (%d)\n",b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
+		fprintf(stderr,"[ACEXDESC ERROR] \"CommonHeaderKey/Descriptor\" has invalid length (%d)\n", (int)b64_strlen(exhdrset->rsf->CommonHeaderKey.AccCtlDescBin));
 		return COMMON_HEADER_KEY_NOT_FOUND;
 	}
 
diff --git a/makerom/accessdesc.h b/makerom/src/accessdesc.h
similarity index 100%
rename from makerom/accessdesc.h
rename to makerom/src/accessdesc.h
diff --git a/makerom/aes_keygen.c b/makerom/src/aes_keygen.c
similarity index 100%
rename from makerom/aes_keygen.c
rename to makerom/src/aes_keygen.c
diff --git a/makerom/aes_keygen.h b/makerom/src/aes_keygen.h
similarity index 100%
rename from makerom/aes_keygen.h
rename to makerom/src/aes_keygen.h
diff --git a/makerom/cardinfo.c b/makerom/src/cardinfo.c
similarity index 68%
rename from makerom/cardinfo.c
rename to makerom/src/cardinfo.c
index 4a278b7a..29d1c069 100644
--- a/makerom/cardinfo.c
+++ b/makerom/src/cardinfo.c
@@ -1,4 +1,8 @@
 #include "lib.h"
+
+#include <mbedtls/ccm.h>
+#include "aes_keygen.h"
+
 #include "ncch_read.h"
 #include "ncsd_build.h"
 #include "cardinfo.h"
@@ -8,8 +12,7 @@ int SetWriteableAddress(cardinfo_hdr *hdr, cci_settings *set);
 int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set);
 int SetCardInfoNotes(cardinfo_hdr *hdr, cci_settings *set);
 void SetNcchHeader(cardinfo_hdr *hdr, cci_settings *set);
-void SetCardSeedData(cardinfo_hdr *hdr, cci_settings *set);
-void SetDevCardInfo(devcardinfo_hdr *hdr, cci_settings *set);
+void SetCardSeedData(cardinfo_hdr *hdr, devcardinfo_hdr *devhdr, cci_settings *set);
 
 
 int GenCardInfoHdr(cci_settings *set)
@@ -26,30 +29,20 @@ int GenCardInfoHdr(cci_settings *set)
 	if(SetCardInfoNotes(cihdr,set))
 		return GEN_HDR_FAIL;
 	SetNcchHeader(cihdr,set);
-	SetCardSeedData(cihdr,set);
-	
-	if(dcihdr)
-		SetDevCardInfo(dcihdr,set);
+	SetCardSeedData(cihdr,dcihdr,set);
 	
 	return 0;
 }
 
 void InitCardInfoHdr(cardinfo_hdr **cihdr, devcardinfo_hdr **dcihdr, cci_settings *set)
 {
-	set->headers.cardinfohdr.size = sizeof(cardinfo_hdr);
-	if(set->options.useExternalSdkCardInfo)
-		set->headers.cardinfohdr.size += sizeof(devcardinfo_hdr);
-		
+	set->headers.cardinfohdr.size = sizeof(cardinfo_hdr) + sizeof(devcardinfo_hdr);
 	set->headers.cardinfohdr.buffer = calloc(1,set->headers.cardinfohdr.size);
 	
 	*cihdr = (cardinfo_hdr*)set->headers.cardinfohdr.buffer;
+	*dcihdr = (devcardinfo_hdr*)(set->headers.cardinfohdr.buffer+sizeof(cardinfo_hdr));
 	
-	if(set->headers.cardinfohdr.size > sizeof(cardinfo_hdr))
-		*dcihdr = (devcardinfo_hdr*)(set->headers.cardinfohdr.buffer+sizeof(cardinfo_hdr));
-	else
-		*dcihdr = NULL;
-	
-	//clrmem(set->headers.cardinfohdr.buffer, set->headers.cardinfohdr.size);
+	clrmem(set->headers.cardinfohdr.buffer, set->headers.cardinfohdr.size);
 
 	return;
 }
@@ -128,12 +121,12 @@ int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set)
 
 	char *str = set->rsf->CardInfo.CardType;
 	if(!str) 
-		bitmask |= 0;
+		bitmask |= 0 << 5;
 	else{
 		if(strcasecmp(str,"s1") == 0) 
-			bitmask |= 0;
+			bitmask |= 0 << 5;
 		else if(strcasecmp(str,"s2") == 0) 
-			bitmask |= 0x20;
+			bitmask |= 1 << 5;
 		else {
 			fprintf(stderr,"[CCI ERROR] Invalid CardType: %s\n",str);
 			return INVALID_RSF_OPT;
@@ -143,7 +136,7 @@ int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set)
 	str = set->rsf->CardInfo.CryptoType;
 	if(!str) {
 		if(set->options.useExternalSdkCardInfo)
-			bitmask |= (3*0x40);
+			bitmask |= (3 << 6);
 		else
 			bitmask |= 0;
 	}
@@ -153,9 +146,14 @@ int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set)
 			fprintf(stderr,"[CCI ERROR] Invalid CryptoType: %s\n",str);
 			return INVALID_RSF_OPT;
 		}
-		if(val != 3)
-			fprintf(stderr,"[CCI WARNING] Card crypto type = '%d'\n",val);
-		bitmask |= val * 0x40;
+		if(val != 3 && set->keys->keyset == pki_DEVELOPMENT) {
+			fprintf(stderr,"[CCI WARNING] Card crypto type = '%d', this is not supported for development target.\n",val);
+		}
+		if(val == 3 && set->keys->keyset == pki_PRODUCTION) {
+			fprintf(stderr,"[CCI WARNING] Card crypto type = '%d', this is not supported for production target.\n",val);
+		}
+			
+		bitmask |= val << 6;
 	}
 	
 	u32_to_u8(hdr->cardInfoBitmask,bitmask,BE);
@@ -189,7 +187,7 @@ void SetNcchHeader(cardinfo_hdr *hdr, cci_settings *set)
 	return;
 }
 
-void SetCardSeedData(cardinfo_hdr *hdr, cci_settings *set)
+void SetCardSeedData(cardinfo_hdr *hdr, devcardinfo_hdr *devhdr, cci_settings *set)
 {
 	u8 *ncch;
 	ncch_hdr *ncchHdr;
@@ -197,18 +195,81 @@ void SetCardSeedData(cardinfo_hdr *hdr, cci_settings *set)
 	ncch = set->content.data + set->content.dOffset[0];
 	ncchHdr = (ncch_hdr*)ncch;
 
+	/*
 	if (set->options.useExternalSdkCardInfo) {
+		// initial data
+		clrmem(hdr->cardSeedKeyY, 0x10);
 		memcpy(hdr->cardSeedKeyY, ncchHdr->titleId, 8);
 		clrmem(hdr->encCardSeed, 0x10);
 		memcpy(hdr->cardSeedMac, stock_card_seed_mac, 0x10);
 		clrmem(hdr->cardSeedNonce, 0xC);
+		
+		// dev card info
+		memcpy(devhdr->titleKey, stock_title_key, 0x10);
+		
+		return;
+	}
+	*/
+	
+
+	// select title_key
+	u8 title_key[0x10] = {0};
+	if (set->options.useExternalSdkCardInfo)
+	{
+		memcpy(title_key, stock_title_key, 0x10);
+	}
+	else
+	{
+		rndset(title_key, 0x10);
 	}
-	else {
+
+	// generate initial data
+	{
+		// set the keyY
+		clrmem(hdr->cardSeedKeyY, 0x10);
 		memcpy(hdr->cardSeedKeyY, ncchHdr->titleId, 8);
-		rndset(hdr->encCardSeed, 0x10);
-		rndset(hdr->cardSeedMac, 0x10);
-		rndset(hdr->cardSeedNonce, 0xC);
+
+		// use crypto type to determine initial data key
+		uint32_t crypto_type = (u8_to_u32(hdr->cardInfoBitmask, BE) >> 6) & 3;
+		u8 initial_data_key[0x10] = {0};
+		if (crypto_type == 3)
+		{
+			clrmem(initial_data_key, 0x10);
+		}
+		else
+		{
+			ctr_aes_keygen(set->keys->aes.initialDataKeyX, hdr->cardSeedKeyY, initial_data_key);
+		}
+
+		// determine nonce
+		if (set->options.useExternalSdkCardInfo)
+		{
+			clrmem(hdr->cardSeedNonce, 0xC);
+		}
+		else
+		{
+			rndset(hdr->cardSeedNonce, 0xC);
+		}
+
+		// encrypt title key (& generate MAC)
+		mbedtls_ccm_context ccm_ctx;
+		mbedtls_ccm_init(&ccm_ctx);
+		mbedtls_ccm_setkey(&ccm_ctx, MBEDTLS_CIPHER_ID_AES, initial_data_key, 128);
+
+		int ccm_ret = mbedtls_ccm_encrypt_and_tag(&ccm_ctx, sizeof(title_key), hdr->cardSeedNonce, sizeof(hdr->cardSeedNonce), NULL, 0, title_key, hdr->encCardSeed, hdr->cardSeedMac, sizeof(hdr->cardSeedMac));
+		if (ccm_ret != 0)
+		{
+			printf("[CARDINFO WARNING] Failed to encrypt initial data (mbedtls error: -0x%04X)\n", -ccm_ret);
+		}
+
+		mbedtls_ccm_free(&ccm_ctx);
+	}
+
+	// generate dev card info header
+	{
+		memcpy(devhdr->titleKey, title_key, 0x10);
 	}
+	
 		
 	return;
 }
diff --git a/makerom/cardinfo.h b/makerom/src/cardinfo.h
similarity index 100%
rename from makerom/cardinfo.h
rename to makerom/src/cardinfo.h
diff --git a/makerom/certs.c b/makerom/src/certs.c
similarity index 100%
rename from makerom/certs.c
rename to makerom/src/certs.c
diff --git a/makerom/certs.h b/makerom/src/certs.h
similarity index 100%
rename from makerom/certs.h
rename to makerom/src/certs.h
diff --git a/makerom/cia.c b/makerom/src/cia.c
similarity index 97%
rename from makerom/cia.c
rename to makerom/src/cia.c
index 00c7bddd..dcfb62f0 100644
--- a/makerom/cia.c
+++ b/makerom/src/cia.c
@@ -53,7 +53,10 @@ int build_CIA(user_settings *usrset)
 
 	// Get Settings
 	result = GetCiaSettings(ciaset,usrset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[CIA ERROR] Failed to initialize context.\n");
+		goto finish;
+	}
 
 	// Create Output File
 	ciaset->out = fopen(usrset->common.outFileName,"wb");
@@ -67,23 +70,38 @@ int build_CIA(user_settings *usrset)
 
 	/* Certificate Chain */
 	result = BuildCiaCertChain(ciaset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[CIA ERROR] Failed to build Certificate Chain\n");
+		goto finish;
+	}
 
 	/* Ticket */
 	result = BuildTicket(ciaset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[CIA ERROR] Failed to build Ticket\n");
+		goto finish;
+	}
 
 	/* Title Metadata */
 	result = BuildTMD(ciaset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[CIA ERROR] Failed to build Title Metadata\n");
+		goto finish;
+	}
 
 	/* CIA Header */
 	result = BuildCiaHdr(ciaset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[CIA ERROR] Failed to build CIA Header\n");
+		goto finish;
+	}
 	
 	/* Write To File */
 	result = WriteCiaToFile(ciaset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[CIA ERROR] Failed to write CIA to file\n");
+		goto finish;
+	}
 
 finish:
 	if(result != FAILED_TO_CREATE_OUTFILE && ciaset->out) 
diff --git a/makerom/cia.h b/makerom/src/cia.h
similarity index 100%
rename from makerom/cia.h
rename to makerom/src/cia.h
diff --git a/makerom/cia_build.h b/makerom/src/cia_build.h
similarity index 100%
rename from makerom/cia_build.h
rename to makerom/src/cia_build.h
diff --git a/makerom/cia_read.h b/makerom/src/cia_read.h
similarity index 100%
rename from makerom/cia_read.h
rename to makerom/src/cia_read.h
diff --git a/makerom/code.c b/makerom/src/code.c
similarity index 99%
rename from makerom/code.c
rename to makerom/src/code.c
index e7d60c4d..98d8cf78 100644
--- a/makerom/code.c
+++ b/makerom/src/code.c
@@ -1,10 +1,11 @@
 #include "lib.h"
 #include "elf.h"
-#include "blz.h"
 #include "ncch_build.h"
 #include "exheader_read.h"
 #include "code.h"
 
+#include <blz.h>
+
 const u32 CTR_PAGE_SIZE = 0x1000;
 const u32 DEFAULT_STACK_SIZE = 0x4000; // 10KB
 
diff --git a/makerom/code.h b/makerom/src/code.h
similarity index 100%
rename from makerom/code.h
rename to makerom/src/code.h
diff --git a/makerom/crr.h b/makerom/src/crr.h
similarity index 100%
rename from makerom/crr.h
rename to makerom/src/crr.h
diff --git a/makerom/crypto.c b/makerom/src/crypto.c
similarity index 54%
rename from makerom/crypto.c
rename to makerom/src/crypto.c
index 7231edc1..081df25d 100644
--- a/makerom/crypto.c
+++ b/makerom/src/crypto.c
@@ -1,15 +1,14 @@
 #include "lib.h"
 #include "crypto.h"
 
-const u8 RSA_PUB_EXP[0x3] = {0x01,0x00,0x01};
-const int HASH_MAX_LEN = 0x20;
+#include <mbedtls/aes.h>
+#include <mbedtls/rsa.h>
+#include <mbedtls/md.h>
+#include <mbedtls/sha1.h>
+#include <mbedtls/sha256.h>
 
-int ctr_rsa_rsassa_pkcs1_v15_sign( rsa_context *ctx,
-                               int mode,
-                               int hash_id,
-                               unsigned int hashlen,
-                               const unsigned char *hash,
-                               unsigned char *sig );
+static const u8 RSA_PUB_EXP[0x3] = {0x01,0x00,0x01};
+static const int HASH_MAX_LEN = 0x20;
 
 bool VerifySha256(void *data, u64 size, u8 hash[32])
 {
@@ -21,8 +20,8 @@ bool VerifySha256(void *data, u64 size, u8 hash[32])
 void ShaCalc(void *data, u64 size, u8 *hash, int mode)
 {
 	switch(mode){
-		case(CTR_SHA_1): sha1((u8*)data, size, hash); break;
-		case(CTR_SHA_256): sha2((u8*)data, size, hash, 0); break;
+		case(CTR_SHA_1): mbedtls_sha1((u8*)data, size, hash); break;
+		case(CTR_SHA_256): mbedtls_sha256((u8*)data, size, hash, 0); break;
 	}
 }
 
@@ -34,45 +33,44 @@ void SetAesCtrOffset(u8 *ctr, u64 offset)
 void AesCtrCrypt(u8 *key, u8 *ctr, u8 *input, u8 *output, u64 length, u64 offset)
 {
 	u8 stream[16];
-	aes_context aes;
+	mbedtls_aes_context aes;
 	size_t nc_off = 0;
 	
-	clrmem(&aes,sizeof(aes_context));
-	aes_setkey_enc(&aes, key, 128);
+	mbedtls_aes_init(&aes);
+	mbedtls_aes_setkey_enc(&aes, key, 128);
 	SetAesCtrOffset(ctr,offset);
 	
-	aes_crypt_ctr(&aes, length, &nc_off, ctr, stream, input, output);
-	
+	mbedtls_aes_crypt_ctr(&aes, length, &nc_off, ctr, stream, input, output);
 	
 	return;
 }
 
 void AesCbcCrypt(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode)
 {
-	aes_context aes;
-	clrmem(&aes,sizeof(aes_context));
+	mbedtls_aes_context aes;
+	mbedtls_aes_init(&aes);
 	
 	switch(mode){
 		case(ENC): 
-			aes_setkey_enc(&aes, key, 128);
-			aes_crypt_cbc(&aes, AES_ENCRYPT, length, iv, input, output);
+			mbedtls_aes_setkey_enc(&aes, key, 128);
+			mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, length, iv, input, output);
 			return;
 		case(DEC):
-			aes_setkey_dec(&aes, key, 128);
-			aes_crypt_cbc(&aes, AES_DECRYPT, length, iv, input, output); 
+			mbedtls_aes_setkey_dec(&aes, key, 128);
+			mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, length, iv, input, output); 
 			return;
 		default:
 			return;
 	}
 }
 
-bool RsaKeyInit(rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8 rsa_type)
+bool RsaKeyInit(mbedtls_rsa_context* ctx, const u8 *modulus, const u8 *private_exp, const u8 *public_exp, u8 rsa_type)
 {
 	// Sanity Check
 	if(!ctx)
 		return false;
 	
-	rsa_init(ctx, RSA_PKCS_V15, 0);
+	mbedtls_rsa_init( ctx, MBEDTLS_RSA_PKCS_V15, 0 );
 	
 	u16 n_size = 0;
 	u16 d_size = 0;
@@ -93,18 +91,20 @@ bool RsaKeyInit(rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8
 			break;
 		default: return false;
 	}
+
+	int ret = mbedtls_rsa_import_raw(ctx, \
+		                       modulus ? modulus : NULL, modulus ? n_size : 0, \
+							   NULL, 0, \
+							   NULL, 0, \
+							   private_exp ? private_exp : NULL, private_exp ? d_size : 0, \
+							   public_exp ? public_exp : NULL, public_exp ? e_size : 0);
 	
-	if (modulus && mpi_read_binary(&ctx->N, modulus, n_size))
-		goto clean;
-	if (exponent && mpi_read_binary(&ctx->E, exponent, e_size))
+	if (ret != 0)
 		goto clean;
-	if (private_exp && mpi_read_binary(&ctx->D, private_exp, d_size))
-		goto clean;
-	
 
 	return true;
 clean:
-	rsa_free(ctx);
+	mbedtls_rsa_free(ctx);
 	return false;
 }
 
@@ -136,32 +136,41 @@ u32 GetSigHashType(u32 sig_type)
 	return 0;
 }
 
-int GetRsaHashType(u32 sig_type)
+u32 GetSigHashLen(u32 sig_type)
 {
 	switch(sig_type){
 		case RSA_4096_SHA1:
 		case RSA_2048_SHA1:
-			return SIG_RSA_SHA1;
+		case ECC_SHA1:
+			return SHA_1_LEN;
 		case RSA_4096_SHA256:
 		case RSA_2048_SHA256:
-			return SIG_RSA_SHA256;
+		case ECC_SHA256:
+			return SHA_256_LEN;
 	}
 	return 0;
 }
 
-u32 GetSigHashLen(u32 sig_type)
+mbedtls_md_type_t getMdWrappedHashType(u32 sig_type)
 {
+	mbedtls_md_type_t md_type = MBEDTLS_MD_NONE;
+
 	switch(sig_type){
 		case RSA_4096_SHA1:
 		case RSA_2048_SHA1:
 		case ECC_SHA1:
-			return SHA_1_LEN;
+			md_type = MBEDTLS_MD_SHA1;
+			break;
 		case RSA_4096_SHA256:
 		case RSA_2048_SHA256:
 		case ECC_SHA256:
-			return SHA_256_LEN;
+			md_type = MBEDTLS_MD_SHA256;
+			break;
+		default:
+			break;
 	}
-	return 0;
+
+	return md_type;
 }
 
 bool CalcHashForSign(void *data, u64 len, u8 *hash, u32 sig_type)
@@ -177,20 +186,25 @@ bool CalcHashForSign(void *data, u64 len, u8 *hash, u32 sig_type)
 int RsaSignVerify(void *data, u64 len, u8 *sign, u8 *mod, u8 *priv_exp, u32 sig_type, u8 rsa_mode)
 {
 	int rsa_result = 0;
-	rsa_context ctx;
+	mbedtls_rsa_context ctx;
 	u8 hash[HASH_MAX_LEN];
 		
-	if(!RsaKeyInit(&ctx, mod, priv_exp, (u8*)RSA_PUB_EXP, GetRsaType(sig_type)))
+	if(!RsaKeyInit(&ctx, mod, priv_exp, RSA_PUB_EXP, GetRsaType(sig_type)))
 		return -1;
 		
 	if(!CalcHashForSign(data, len, hash, sig_type))
 		return -1;		
 
 	if(rsa_mode == CTR_RSA_VERIFY)
-		rsa_result = rsa_pkcs1_verify(&ctx, RSA_PUBLIC, GetRsaHashType(sig_type), 0, hash, sign);
+	{
+		rsa_result = mbedtls_rsa_rsassa_pkcs1_v15_verify(&ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, getMdWrappedHashType(sig_type), GetSigHashLen(sig_type), hash, sign);
+	}
 	else // CTR_RSA_SIGN
-		rsa_result = rsa_rsassa_pkcs1_v15_sign(&ctx, RSA_PRIVATE, GetRsaHashType(sig_type), 0, hash, sign);
+	{
+		rsa_result = mbedtls_rsa_rsassa_pkcs1_v15_sign(&ctx, NULL, NULL, MBEDTLS_RSA_PRIVATE, getMdWrappedHashType(sig_type), GetSigHashLen(sig_type), hash, sign);
+	}
+		
 	
-	rsa_free(&ctx);
+	mbedtls_rsa_free(&ctx);
 	return rsa_result;
 }
\ No newline at end of file
diff --git a/makerom/crypto.h b/makerom/src/crypto.h
similarity index 88%
rename from makerom/crypto.h
rename to makerom/src/crypto.h
index 95b1ea5f..4b7abfde 100644
--- a/makerom/crypto.h
+++ b/makerom/src/crypto.h
@@ -1,11 +1,5 @@
 #pragma once
 
-#include "polarssl/config.h"
-#include "polarssl/aes.h"
-#include "polarssl/rsa.h"
-#include "polarssl/sha1.h"
-#include "polarssl/sha2.h"
-
 typedef enum
 {
 	RSA_4096_SHA1 = 0x00010000,
diff --git a/makerom/ctr_utils.c b/makerom/src/ctr_utils.c
similarity index 100%
rename from makerom/ctr_utils.c
rename to makerom/src/ctr_utils.c
diff --git a/makerom/ctr_utils.h b/makerom/src/ctr_utils.h
similarity index 100%
rename from makerom/ctr_utils.h
rename to makerom/src/ctr_utils.h
diff --git a/makerom/desc/desc.h b/makerom/src/desc/desc.h
similarity index 100%
rename from makerom/desc/desc.h
rename to makerom/src/desc/desc.h
diff --git a/makerom/desc/dev_sigdata.h b/makerom/src/desc/dev_sigdata.h
similarity index 99%
rename from makerom/desc/dev_sigdata.h
rename to makerom/src/desc/dev_sigdata.h
index 267a6f0f..5e02b55b 100644
--- a/makerom/desc/dev_sigdata.h
+++ b/makerom/src/desc/dev_sigdata.h
@@ -1,5 +1,5 @@
 #pragma once
-#include "desc/desc.h"
+#include "desc.h"
 
 static const CtrSdkDescSignData kDevDescSignData[] =
 {
diff --git a/makerom/desc/presets.h b/makerom/src/desc/presets.h
similarity index 99%
rename from makerom/desc/presets.h
rename to makerom/src/desc/presets.h
index 83c71ab3..1380e80e 100644
--- a/makerom/desc/presets.h
+++ b/makerom/src/desc/presets.h
@@ -1,5 +1,5 @@
 #pragma once
-#include "desc/desc.h"
+#include "desc.h"
 
 static const CtrSdkDesc kDescPresets[] =
 {
diff --git a/makerom/elf.c b/makerom/src/elf.c
similarity index 100%
rename from makerom/elf.c
rename to makerom/src/elf.c
diff --git a/makerom/elf.h b/makerom/src/elf.h
similarity index 100%
rename from makerom/elf.h
rename to makerom/src/elf.h
diff --git a/makerom/exefs.c b/makerom/src/exefs.c
similarity index 100%
rename from makerom/exefs.c
rename to makerom/src/exefs.c
diff --git a/makerom/exefs.h b/makerom/src/exefs.h
similarity index 100%
rename from makerom/exefs.h
rename to makerom/src/exefs.h
diff --git a/makerom/exefs_build.h b/makerom/src/exefs_build.h
similarity index 100%
rename from makerom/exefs_build.h
rename to makerom/src/exefs_build.h
diff --git a/makerom/exefs_read.h b/makerom/src/exefs_read.h
similarity index 100%
rename from makerom/exefs_read.h
rename to makerom/src/exefs_read.h
diff --git a/makerom/exheader.c b/makerom/src/exheader.c
similarity index 100%
rename from makerom/exheader.c
rename to makerom/src/exheader.c
diff --git a/makerom/exheader.h b/makerom/src/exheader.h
similarity index 100%
rename from makerom/exheader.h
rename to makerom/src/exheader.h
diff --git a/makerom/exheader_build.h b/makerom/src/exheader_build.h
similarity index 100%
rename from makerom/exheader_build.h
rename to makerom/src/exheader_build.h
diff --git a/makerom/exheader_read.h b/makerom/src/exheader_read.h
similarity index 100%
rename from makerom/exheader_read.h
rename to makerom/src/exheader_read.h
diff --git a/makerom/keyset.c b/makerom/src/keyset.c
similarity index 96%
rename from makerom/keyset.c
rename to makerom/src/keyset.c
index c706c912..b8cd3e08 100644
--- a/makerom/keyset.c
+++ b/makerom/src/keyset.c
@@ -80,6 +80,9 @@ int LoadKeysFromResources(keys_struct *keys)
 		SetNormalKey(keys,zeros_aesKey);
 		SetSystemFixedKey(keys,zeros_aesKey);
 
+		// CCI
+		SetCciInitialDataKeyX(keys, zeros_aesKey);
+
 		/* RSA Keys */
 		// CIA
 		Rsa2048Key_Set(&keys->rsa.xs, tpki_rsa.priv_exponent, tpki_rsa.modulus);
@@ -112,6 +115,9 @@ int LoadKeysFromResources(keys_struct *keys)
 		for(int i = 0; i < 4; i++)
 			SetNcchKeyX(keys, dev_unfixed_ncch_keyX[i],i);
 		
+		// CCI
+		SetCciInitialDataKeyX(keys, dev_initial_data_keyx);
+
 		/* RSA Keys */
 		// CIA
 		Rsa2048Key_Set(&keys->rsa.xs, xs9_dpki_rsa.priv_exponent, xs9_dpki_rsa.modulus);
@@ -143,6 +149,8 @@ int LoadKeysFromResources(keys_struct *keys)
 		for(int i = 0; i < 4; i++)
 			SetNcchKeyX(keys, prod_unfixed_ncch_keyX[i],i);
 		
+		// CCI
+		SetCciInitialDataKeyX(keys, dev_initial_data_keyx);
 
 		/* RSA Keys */
 		// CIA
@@ -362,6 +370,12 @@ int SetSystemFixedKey(keys_struct *keys, const u8 *key)
 	return CopyData(&keys->aes.systemFixedKey,key,16);
 }
 
+int SetCciInitialDataKeyX(keys_struct *keys, const u8 *key)
+{
+	if(!keys) return -1;
+	return CopyData(&keys->aes.initialDataKeyX,key,16);
+}
+
 int SetCaCert(keys_struct *keys, const u8 *cert)
 {
 	if(!keys) return -1;
diff --git a/makerom/keyset.h b/makerom/src/keyset.h
similarity index 94%
rename from makerom/keyset.h
rename to makerom/src/keyset.h
index 887f3de4..47eff79b 100644
--- a/makerom/keyset.h
+++ b/makerom/src/keyset.h
@@ -62,6 +62,9 @@ typedef struct
 		
 		u8 *ncchKey0;
 		u8 *ncchKey1;
+
+		// CCI
+		u8 *initialDataKeyX;
 	} aes;
 	
 	struct
@@ -96,6 +99,7 @@ int SetCommonKey(keys_struct *keys, const u8 *key, u8 Index);
 int SetCurrentCommonKey(keys_struct *keys, u8 Index);
 int SetNormalKey(keys_struct *keys, const u8 *key);
 int SetSystemFixedKey(keys_struct *keys, const u8 *key);
+int SetCciInitialDataKeyX(keys_struct *keys, const u8 *key);
 
 void Rsa2048Key_Alloc(rsa2048_key* key);
 void Rsa2048Key_Free(rsa2048_key* key);
diff --git a/makerom/lib.h b/makerom/src/lib.h
similarity index 100%
rename from makerom/lib.h
rename to makerom/src/lib.h
diff --git a/makerom/makerom.c b/makerom/src/makerom.c
similarity index 92%
rename from makerom/makerom.c
rename to makerom/src/makerom.c
index 321f4aec..90bbcd92 100644
--- a/makerom/makerom.c
+++ b/makerom/src/makerom.c
@@ -68,7 +68,7 @@ int main(int argc, char *argv[])
 		result = build_NCCH(set);
 		if(result < 0) { 
 			//fprintf(stderr,"[ERROR] %s generation failed\n",set->build_ncch_type == CXI? "CXI" : "CFA"); 
-			fprintf(stderr,"[RESULT] Failed to build outfile\n"); 
+			fprintf(stderr,"[RESULT] Failed to build NCCH (ret = %d)\n", result); 
 			goto finish; 
 		}	
 	}
@@ -76,7 +76,7 @@ int main(int argc, char *argv[])
 	if(set->common.outFormat == CCI){
 		result = build_CCI(set);
 		if(result < 0) { 
-			fprintf(stderr,"[RESULT] Failed to build CCI\n");
+			fprintf(stderr,"[RESULT] Failed to build CCI (ret = %d)\n", result); 
 			goto finish; 
 		}
 	}
@@ -84,7 +84,7 @@ int main(int argc, char *argv[])
 	else if(set->common.outFormat == CIA){
 		result = build_CIA(set);
 		if(result < 0) { 
-			fprintf(stderr,"[RESULT] Failed to build CIA\n"); 
+			fprintf(stderr,"[RESULT] Failed to build CIA (ret = %d)\n", result); 
 			goto finish; 
 		}
 	}
diff --git a/makerom/ncch.c b/makerom/src/ncch.c
similarity index 95%
rename from makerom/ncch.c
rename to makerom/src/ncch.c
index da77ff0d..8207e97a 100644
--- a/makerom/ncch.c
+++ b/makerom/src/ncch.c
@@ -38,12 +38,20 @@ int SignCFA(ncch_hdr *hdr, keys_struct *keys)
 {
 	if (Rsa2048Key_CanSign(&keys->rsa.cciCfa) == false)
 	{
-		printf("[NCCH WARNING] Failed to sign CFA header\n");
+		printf("[NCCH WARNING] Failed to sign CFA header (key was incomplete)\n");
 		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
 		return 0;
 	}
 
-	return RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	int rsa_ret = RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cciCfa.pub, keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	if (rsa_ret != 0)
+	{
+		printf("[NCCH WARNING] Failed to sign CFA header (mbedtls error = -0x%x)\n", -rsa_ret);
+		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
+		return 0;
+	}
+
+	return 0;
 }
 
 int CheckCFASignature(ncch_hdr *hdr, keys_struct *keys)
@@ -55,12 +63,20 @@ int SignCXI(ncch_hdr *hdr, keys_struct *keys)
 {
 	if (Rsa2048Key_CanSign(&keys->rsa.cxi) == false)
 	{
-		printf("[NCCH WARNING] Failed to sign CXI header\n");
+		printf("[NCCH WARNING] Failed to sign CXI header (key was incomplete)\n");
 		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
 		return 0;
 	}
 
-	return RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cxi.pub, keys->rsa.cxi.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	int rsa_ret = RsaSignVerify(GetNcchHdrData(hdr), GetNcchHdrDataLen(hdr), GetNcchHdrSig(hdr), keys->rsa.cxi.pub, keys->rsa.cxi.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	if (rsa_ret != 0)
+	{
+		printf("[NCCH WARNING] Failed to sign CXI header (mbedtls error = -0x%x)\n", -rsa_ret);
+		memset(GetNcchHdrSig(hdr), 0xFF, 0x100);
+		return 0;
+	}
+
+	return 0;
 }
 
 int CheckCXISignature(ncch_hdr *hdr, u8 *pubk)
@@ -83,49 +99,79 @@ int build_NCCH(user_settings *usrset)
 
 	// Get Settings
 	result = GetNcchSettings(ncchset,usrset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to initialize context.\n");
+		goto finish;
+	}
 
 	// Import Data
 	result = ImportNonCodeExeFsSections(ncchset);
-	if(result) return result;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to import non-code ExeFs sections\n");
+		goto finish;
+	}
 	
 	result = ImportLogo(ncchset);
-	if(result) return result;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to import Logo\n");
+		goto finish;
+	}
 
 	if(!ncchset->options.IsCfa){ // CXI Specific Sections
 		// Build ExeFs Code Section\n");
 		result = BuildExeFsCode(ncchset);
-		if(result) goto finish;
+		if(result) {
+			fprintf(stderr,"[NCCH ERROR] Failed to build ExeFs code\n");
+			goto finish;
+		}
 	
 		// Build ExHeader\n");
 		result = BuildExHeader(ncchset);
-		if(result) goto finish;
+		if(result) {
+			fprintf(stderr,"[NCCH ERROR] Failed to build ExHeader\n");
+			goto finish;
+		}
 	}	
 
 	
 	// Build ExeFs\n");
 	result = BuildExeFs(ncchset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to build ExeFs\n");
+		goto finish;
+	}
 
 	
 	// Prepare for RomFs\n");
 	romfs_buildctx romfs;
 	memset(&romfs,0,sizeof(romfs_buildctx));
 	result = SetupRomFs(ncchset,&romfs);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to setup RomFs\n");
+		goto finish;
+	}
 
 	
 	// Setup NCCH including final memory allocation\n");
 	result = SetupNcch(ncchset,&romfs);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to setup NCCH\n");
+		goto finish;
+	}
 
 	// Build RomFs\n");
 	result = BuildRomFs(&romfs);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to build RomFs\n");
+		goto finish;
+	}
 	
 	// Finalise NCCH (Hashes/Signatures and crypto)\n");
 	result = FinaliseNcch(ncchset);
-	if(result) goto finish;
+	if(result) {
+		fprintf(stderr,"[NCCH ERROR] Failed to finalize NCCH\n");
+		goto finish;
+	}
 
 finish:
 	if(result) 
diff --git a/makerom/ncch.h b/makerom/src/ncch.h
similarity index 100%
rename from makerom/ncch.h
rename to makerom/src/ncch.h
diff --git a/makerom/ncch_build.h b/makerom/src/ncch_build.h
similarity index 100%
rename from makerom/ncch_build.h
rename to makerom/src/ncch_build.h
diff --git a/makerom/ncch_logo.h b/makerom/src/ncch_logo.h
similarity index 100%
rename from makerom/ncch_logo.h
rename to makerom/src/ncch_logo.h
diff --git a/makerom/ncch_read.h b/makerom/src/ncch_read.h
similarity index 100%
rename from makerom/ncch_read.h
rename to makerom/src/ncch_read.h
diff --git a/makerom/ncsd.c b/makerom/src/ncsd.c
similarity index 98%
rename from makerom/ncsd.c
rename to makerom/src/ncsd.c
index b57d8f9d..697f52ea 100644
--- a/makerom/ncsd.c
+++ b/makerom/src/ncsd.c
@@ -586,7 +586,15 @@ int GenCciHdr(cci_settings *set)
 		return 0;
 	}
 
-	return RsaSignVerify(&hdr->magic, sizeof(cci_hdr) - RSA_2048_KEY_SIZE, hdr->signature, set->keys->rsa.cciCfa.pub, set->keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	int rsa_ret = RsaSignVerify(&hdr->magic, sizeof(cci_hdr) - RSA_2048_KEY_SIZE, hdr->signature, set->keys->rsa.cciCfa.pub, set->keys->rsa.cciCfa.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	if (rsa_ret != 0)
+	{
+		printf("[NCSD WARNING] Failed to sign header (mbedtls error = -0x%x)\n", -rsa_ret);
+		memset(hdr->signature, 0xFF, 0x100);
+		return 0;
+	}
+
+	return 0;
 }
 
 char* GetMediaSizeStr(u64 mediaSize)
diff --git a/makerom/ncsd.h b/makerom/src/ncsd.h
similarity index 100%
rename from makerom/ncsd.h
rename to makerom/src/ncsd.h
diff --git a/makerom/ncsd_build.h b/makerom/src/ncsd_build.h
similarity index 100%
rename from makerom/ncsd_build.h
rename to makerom/src/ncsd_build.h
diff --git a/makerom/ncsd_read.h b/makerom/src/ncsd_read.h
similarity index 100%
rename from makerom/ncsd_read.h
rename to makerom/src/ncsd_read.h
diff --git a/makerom/oschar.c b/makerom/src/oschar.c
similarity index 100%
rename from makerom/oschar.c
rename to makerom/src/oschar.c
diff --git a/makerom/oschar.h b/makerom/src/oschar.h
similarity index 100%
rename from makerom/oschar.h
rename to makerom/src/oschar.h
diff --git a/makerom/pki/dev.h b/makerom/src/pki/dev.h
similarity index 99%
rename from makerom/pki/dev.h
rename to makerom/src/pki/dev.h
index eb793850..a1e787b0 100644
--- a/makerom/pki/dev.h
+++ b/makerom/src/pki/dev.h
@@ -30,6 +30,11 @@ static const unsigned char ctr_common_etd_key_dpki[6][16] =
 	{ 0xAA, 0xDA, 0x4C, 0xA8, 0xF6, 0xE5, 0xA9, 0x77, 0xE0, 0xA0, 0xF9, 0xE4, 0x76, 0xCF, 0x0D, 0x63 }
 };
 
+static const unsigned char dev_initial_data_keyx[16] =
+{
+	0x5C, 0x3D, 0x38, 0xAC, 0x17, 0x40, 0x99, 0x4E, 0xFC, 0x8F, 0xD0, 0xBE, 0x8D, 0x80, 0x97, 0xB3
+};
+
 //RSA Keys
 static const CtrRsa4096Key root_dpki_rsa =
 {
diff --git a/makerom/pki/dev_legacy.h b/makerom/src/pki/dev_legacy.h
similarity index 100%
rename from makerom/pki/dev_legacy.h
rename to makerom/src/pki/dev_legacy.h
diff --git a/makerom/pki/prod.h b/makerom/src/pki/prod.h
similarity index 99%
rename from makerom/pki/prod.h
rename to makerom/src/pki/prod.h
index 790bd4df..07bc638b 100644
--- a/makerom/pki/prod.h
+++ b/makerom/src/pki/prod.h
@@ -23,6 +23,11 @@ static const unsigned char ctr_common_etd_key_ppki[6][16] =
 	{ 0xA5, 0x05, 0x1C, 0xA1, 0xB3, 0x7D, 0xCF, 0x3A, 0xFB, 0xCF, 0x8C, 0xC1, 0xED, 0xD9, 0xCE, 0x02 } , // 5
 };
 
+static const unsigned char prod_initial_data_keyx[16] =
+{
+	0xB5, 0x29, 0x22, 0x1C, 0xDD, 0xB5, 0xDB, 0x5A, 0x1B, 0xF2, 0x6E, 0xFF, 0x20, 0x41, 0xE8, 0x75
+};
+
 // RSA KEYS
 static const CtrRsa4096Key root_ppki_rsa =
 {
diff --git a/makerom/pki/prod_legacy.h b/makerom/src/pki/prod_legacy.h
similarity index 100%
rename from makerom/pki/prod_legacy.h
rename to makerom/src/pki/prod_legacy.h
diff --git a/makerom/pki/rsa_key.h b/makerom/src/pki/rsa_key.h
similarity index 100%
rename from makerom/pki/rsa_key.h
rename to makerom/src/pki/rsa_key.h
diff --git a/makerom/pki/test.h b/makerom/src/pki/test.h
similarity index 100%
rename from makerom/pki/test.h
rename to makerom/src/pki/test.h
diff --git a/makerom/romfs.c b/makerom/src/romfs.c
similarity index 100%
rename from makerom/romfs.c
rename to makerom/src/romfs.c
diff --git a/makerom/romfs.h b/makerom/src/romfs.h
similarity index 100%
rename from makerom/romfs.h
rename to makerom/src/romfs.h
diff --git a/makerom/romfs_fs.c b/makerom/src/romfs_fs.c
similarity index 100%
rename from makerom/romfs_fs.c
rename to makerom/src/romfs_fs.c
diff --git a/makerom/romfs_fs.h b/makerom/src/romfs_fs.h
similarity index 100%
rename from makerom/romfs_fs.h
rename to makerom/src/romfs_fs.h
diff --git a/makerom/romfs_gen.c b/makerom/src/romfs_gen.c
similarity index 100%
rename from makerom/romfs_gen.c
rename to makerom/src/romfs_gen.c
diff --git a/makerom/romfs_gen.h b/makerom/src/romfs_gen.h
similarity index 100%
rename from makerom/romfs_gen.h
rename to makerom/src/romfs_gen.h
diff --git a/makerom/romfs_import.c b/makerom/src/romfs_import.c
similarity index 100%
rename from makerom/romfs_import.c
rename to makerom/src/romfs_import.c
diff --git a/makerom/romfs_import.h b/makerom/src/romfs_import.h
similarity index 100%
rename from makerom/romfs_import.h
rename to makerom/src/romfs_import.h
diff --git a/makerom/rsf_settings.c b/makerom/src/rsf_settings.c
similarity index 100%
rename from makerom/rsf_settings.c
rename to makerom/src/rsf_settings.c
diff --git a/makerom/rsf_settings.h b/makerom/src/rsf_settings.h
similarity index 100%
rename from makerom/rsf_settings.h
rename to makerom/src/rsf_settings.h
diff --git a/makerom/srl.h b/makerom/src/srl.h
similarity index 100%
rename from makerom/srl.h
rename to makerom/src/srl.h
diff --git a/makerom/tik.c b/makerom/src/tik.c
similarity index 93%
rename from makerom/tik.c
rename to makerom/src/tik.c
index df955992..b1742c96 100644
--- a/makerom/tik.c
+++ b/makerom/src/tik.c
@@ -83,12 +83,20 @@ int SignTicketHeader(buffer_struct *tik, keys_struct *keys)
 	
 	if (Rsa2048Key_CanSign(&keys->rsa.xs) == false)
 	{
-		printf("[TIK WARNING] Failed to sign header\n");
+		printf("[TIK WARNING] Failed to sign header (key was incomplete)\n");
 		memset(sig->data, 0xFF, 0x100);
 		return 0;
 	}
 
-	return RsaSignVerify(data, len, sig->data, keys->rsa.xs.pub, keys->rsa.xs.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	int rsa_ret = RsaSignVerify(data, len, sig->data, keys->rsa.xs.pub, keys->rsa.xs.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	if (rsa_ret != 0)
+	{
+		printf("[TIK WARNING] Failed to sign header (mbedtls error = -0x%x)\n", -rsa_ret);
+		memset(sig->data, 0xFF, 0x100);
+		return 0;
+	}
+
+	return 0;
 }
 
 int CryptTitleKey(u8 *input, u8 *output, u8 *titleId, keys_struct *keys, u8 mode)
diff --git a/makerom/tik.h b/makerom/src/tik.h
similarity index 100%
rename from makerom/tik.h
rename to makerom/src/tik.h
diff --git a/makerom/tik_build.h b/makerom/src/tik_build.h
similarity index 100%
rename from makerom/tik_build.h
rename to makerom/src/tik_build.h
diff --git a/makerom/tik_read.h b/makerom/src/tik_read.h
similarity index 100%
rename from makerom/tik_read.h
rename to makerom/src/tik_read.h
diff --git a/makerom/titleid.c b/makerom/src/titleid.c
similarity index 100%
rename from makerom/titleid.c
rename to makerom/src/titleid.c
diff --git a/makerom/titleid.h b/makerom/src/titleid.h
similarity index 100%
rename from makerom/titleid.h
rename to makerom/src/titleid.h
diff --git a/makerom/tmd.c b/makerom/src/tmd.c
similarity index 93%
rename from makerom/tmd.c
rename to makerom/src/tmd.c
index 0b5fa837..077d8c22 100644
--- a/makerom/tmd.c
+++ b/makerom/src/tmd.c
@@ -33,7 +33,7 @@ int BuildTMD(cia_settings *ciaset)
 	result = SetupTMDHeader(hdr,info_record,ciaset);
 	if(result) return result;
 	result = SignTMDHeader(hdr,sig,ciaset->keys);
-	return 0;
+	return result;
 }
 
 int SetupTMDBuffer(buffer_struct *tmd)
@@ -73,12 +73,20 @@ int SignTMDHeader(tmd_hdr *hdr, tmd_signature *sig, keys_struct *keys)
 	
 	if (Rsa2048Key_CanSign(&keys->rsa.cp) == false)
 	{
-		printf("[TMD WARNING] Failed to sign header\n");
+		printf("[TMD WARNING] Failed to sign header (key was incomplete)\n");
 		memset(sig->data, 0xFF, 0x100);
 		return 0;
 	}
 
-	return RsaSignVerify((u8*)hdr, sizeof(tmd_hdr), sig->data, keys->rsa.cp.pub, keys->rsa.cp.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	int rsa_ret = RsaSignVerify((u8*)hdr, sizeof(tmd_hdr), sig->data, keys->rsa.cp.pub, keys->rsa.cp.pvt, RSA_2048_SHA256, CTR_RSA_SIGN);
+	if (rsa_ret != 0)
+	{
+		printf("[TMD WARNING] Failed to sign header (mbedtls error = -0x%x)\n", -rsa_ret);
+		memset(sig->data, 0xFF, 0x100);
+		return 0;
+	}
+
+	return 0;
 }
 
 int SetupTMDInfoRecord(tmd_content_info_record *info_record, u8 *content_record, u16 ContentCount)
diff --git a/makerom/tmd.h b/makerom/src/tmd.h
similarity index 100%
rename from makerom/tmd.h
rename to makerom/src/tmd.h
diff --git a/makerom/tmd_build.h b/makerom/src/tmd_build.h
similarity index 100%
rename from makerom/tmd_build.h
rename to makerom/src/tmd_build.h
diff --git a/makerom/tmd_read.h b/makerom/src/tmd_read.h
similarity index 100%
rename from makerom/tmd_read.h
rename to makerom/src/tmd_read.h
diff --git a/makerom/types.h b/makerom/src/types.h
similarity index 100%
rename from makerom/types.h
rename to makerom/src/types.h
diff --git a/makerom/user_settings.c b/makerom/src/user_settings.c
similarity index 99%
rename from makerom/user_settings.c
rename to makerom/src/user_settings.c
index 469bf381..2ff09fec 100644
--- a/makerom/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -910,7 +910,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.18 (C) 3DSGuy 2021\n");
+	printf("CTR MAKEROM v0.18.1 (C) 3DSGuy 2022\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 
diff --git a/makerom/user_settings.h b/makerom/src/user_settings.h
similarity index 100%
rename from makerom/user_settings.h
rename to makerom/src/user_settings.h
diff --git a/makerom/utils.c b/makerom/src/utils.c
similarity index 94%
rename from makerom/utils.c
rename to makerom/src/utils.c
index 05e4d3c1..0f640b57 100644
--- a/makerom/utils.c
+++ b/makerom/src/utils.c
@@ -1,5 +1,5 @@
 #include "lib.h"
-#include "polarssl/base64.h"
+#include <mbedtls/base64.h>
 
 #define IO_BLOCKSIZE 5*MB
 
@@ -110,10 +110,10 @@ bool IsValidB64Char(char chr)
 	return (isalnum(chr) || chr == '+' || chr == '/' || chr == '=');
 }
 
-u32 b64_strlen(char *str)
+size_t b64_strlen(const char *str)
 {
-	u32 count = 0;
-	u32 i = 0;
+	size_t count = 0;
+	size_t i = 0;
 	while(str[i] != 0x0){
 		if(IsValidB64Char(str[i])) {
 			//printf("Is Valid: %c\n",str[i]);
@@ -125,11 +125,11 @@ u32 b64_strlen(char *str)
 	return count;
 }
 
-void b64_strcpy(char *dst, char *src)
+void b64_strcpy(char *dst, const char *src)
 {
-	u32 src_len = strlen(src);
-	u32 j = 0;
-	for(u32 i = 0; i < src_len; i++){
+	size_t src_len = strlen(src);
+	size_t j = 0;
+	for(size_t i = 0; i < src_len; i++){
 		if(IsValidB64Char(src[i])){
 			dst[j] = src[i];
 			j++;
@@ -141,15 +141,15 @@ void b64_strcpy(char *dst, char *src)
 	//memdump(stdout,"dst: ",(u8*)dst,j+1);
 }
 
-int b64_decode(u8 *dst, char *src, u32 dst_size)
+int b64_decode(u8 *dst, const char *src, size_t dst_size)
 {
 	int ret;
-	u32 size = dst_size;
+	size_t size = dst_size;
 	
-	ret = base64_decode(dst,(size_t*)&size,(const u8*)src,strlen(src));
+	ret = mbedtls_base64_decode(dst, size, &size, (const u8*)src, strlen(src));
 	
 	if(size != dst_size)
-		ret = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL;
+		ret = MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
 	
 	return ret;
 }
diff --git a/makerom/utils.h b/makerom/src/utils.h
similarity index 90%
rename from makerom/utils.h
rename to makerom/src/utils.h
index dc8e27c1..8373a242 100644
--- a/makerom/utils.h
+++ b/makerom/src/utils.h
@@ -23,9 +23,9 @@ char* replace_filextention(const char *input, const char *extention);
 
 // Base64
 bool IsValidB64Char(char chr);
-u32 b64_strlen(char *str);
-void b64_strcpy(char *dst, char *src);
-int b64_decode(u8 *dst, char *src, u32 dst_size);
+size_t b64_strlen(const char *str);
+void b64_strcpy(char *dst, const char *src);
+int b64_decode(u8 *dst, const char *src, size_t dst_size);
 
 // Pseudo-Random Number Generator
 void initRand(void);
diff --git a/makerom/yaml_parser.c b/makerom/src/yaml_parser.c
similarity index 100%
rename from makerom/yaml_parser.c
rename to makerom/src/yaml_parser.c
diff --git a/makerom/yaml_parser.h b/makerom/src/yaml_parser.h
similarity index 98%
rename from makerom/yaml_parser.h
rename to makerom/src/yaml_parser.h
index d9cd5d34..c30aa3f2 100644
--- a/makerom/yaml_parser.h
+++ b/makerom/src/yaml_parser.h
@@ -1,6 +1,6 @@
 #pragma once
 
-#include "libyaml/yaml.h"
+#include <libyaml/yaml.h>
 
 typedef enum
 {

From ea52a5dd000744ea9f02044c3ac3a4e2a447e2bc Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 17 Apr 2022 10:49:45 +0800
Subject: [PATCH 292/317] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 3f7f976b..e1be21a4 100644
--- a/README.md
+++ b/README.md
@@ -4,4 +4,4 @@ Project CTR is a collection of custom Nintendo 3DS tools.
 ## Tools
 [ctrtool](ctrtool/README.md) - a tool to read/extract Nintendo 3DS files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/ctrtool-v1.1.0))
 
-[makerom](makerom/README.md) - creates CTR cxi/cfa/cci/cia files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/makerom-v0.18)) 
+[makerom](makerom/README.md) - creates CTR cxi/cfa/cci/cia files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/makerom-v0.18.1)) 

From e9a830f3173d65ef3b0539ce36862d68e9caae5c Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 17 Apr 2022 13:35:48 +0800
Subject: [PATCH 293/317] [MakeROM] Fix InitialData generation bugs (#121)

* [makerom] Correctly initialize prod initial_data_key_x

* [makerom] Properly select CCI CryptoType when not manually specified.

* [makerom] Bump version to v0.18.2
---
 makerom/src/cardinfo.c      | 13 +++++++++----
 makerom/src/keyset.c        |  2 +-
 makerom/src/ncsd.c          |  2 +-
 makerom/src/user_settings.c |  2 +-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/makerom/src/cardinfo.c b/makerom/src/cardinfo.c
index 29d1c069..ab782920 100644
--- a/makerom/src/cardinfo.c
+++ b/makerom/src/cardinfo.c
@@ -135,10 +135,15 @@ int SetCardInfoBitmask(cardinfo_hdr *hdr, cci_settings *set)
 	
 	str = set->rsf->CardInfo.CryptoType;
 	if(!str) {
-		if(set->options.useExternalSdkCardInfo)
-			bitmask |= (3 << 6);
-		else
-			bitmask |= 0;
+		u32 val = 0;
+		if(set->keys->keyset == pki_DEVELOPMENT) {
+			val = 3;
+		}
+		else{
+			val = 0;
+		}
+
+		bitmask |= (val << 6);
 	}
 	else{
 		int val = strtol(str,NULL,10);
diff --git a/makerom/src/keyset.c b/makerom/src/keyset.c
index b8cd3e08..5adb4b0e 100644
--- a/makerom/src/keyset.c
+++ b/makerom/src/keyset.c
@@ -150,7 +150,7 @@ int LoadKeysFromResources(keys_struct *keys)
 			SetNcchKeyX(keys, prod_unfixed_ncch_keyX[i],i);
 		
 		// CCI
-		SetCciInitialDataKeyX(keys, dev_initial_data_keyx);
+		SetCciInitialDataKeyX(keys, prod_initial_data_keyx);
 
 		/* RSA Keys */
 		// CIA
diff --git a/makerom/src/ncsd.c b/makerom/src/ncsd.c
index 697f52ea..0fe9c4e6 100644
--- a/makerom/src/ncsd.c
+++ b/makerom/src/ncsd.c
@@ -581,7 +581,7 @@ int GenCciHdr(cci_settings *set)
 	// Sign Header
 	if (Rsa2048Key_CanSign(&set->keys->rsa.cciCfa) == false)
 	{
-		printf("[NCSD WARNING] Failed to sign header\n");
+		printf("[NCSD WARNING] Failed to sign header (key was incomplete)\n");
 		memset(hdr->signature, 0xFF, 0x100);
 		return 0;
 	}
diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index 2ff09fec..c1b45d44 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -910,7 +910,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.18.1 (C) 3DSGuy 2022\n");
+	printf("CTR MAKEROM v0.18.2 (C) 3DSGuy 2022\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From b0783b4f30382b14b40ca00fc84ba78a504bf47f Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 17 Apr 2022 13:38:18 +0800
Subject: [PATCH 294/317] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e1be21a4..f32d4c75 100644
--- a/README.md
+++ b/README.md
@@ -4,4 +4,4 @@ Project CTR is a collection of custom Nintendo 3DS tools.
 ## Tools
 [ctrtool](ctrtool/README.md) - a tool to read/extract Nintendo 3DS files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/ctrtool-v1.1.0))
 
-[makerom](makerom/README.md) - creates CTR cxi/cfa/cci/cia files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/makerom-v0.18.1)) 
+[makerom](makerom/README.md) - creates CTR cxi/cfa/cci/cia files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/makerom-v0.18.2)) 

From ac9c607875ece8f82f83575900c8327ad6c3c406 Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Fri, 22 Apr 2022 19:20:39 +0800
Subject: [PATCH 295/317] Update makefiles to address impl func warnings on
 linux. (#123)

* [makerom] Update makefiles to address impl func warnings on linux.

* [makerom] bump version to v0.18.3
---
 makerom/deps/libblz/makefile  | 9 ++++++---
 makerom/deps/libyaml/makefile | 9 ++++++---
 makerom/makefile              | 9 ++++++---
 makerom/src/user_settings.c   | 2 +-
 4 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/makerom/deps/libblz/makefile b/makerom/deps/libblz/makefile
index 7dc6a33d..cfc7841f 100644
--- a/makerom/deps/libblz/makefile
+++ b/makerom/deps/libblz/makefile
@@ -1,6 +1,6 @@
 # C++/C Recursive Project Makefile 
 # (c) Jack
-# Version 7 (20220416)
+# Version 8 (20220420)
 
 # Project Name
 PROJECT_NAME = libblz
@@ -75,6 +75,7 @@ ifeq ($(PROJECT_PLATFORM), WIN32)
 	# Windows Flags/Libs
 	CC = x86_64-w64-mingw32-gcc
 	CXX = x86_64-w64-mingw32-g++
+	DEFINEFLAGS =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
 	ARCHFLAGS =
 	INC +=
@@ -84,6 +85,7 @@ else ifeq ($(PROJECT_PLATFORM), GNU)
 	# GNU/Linux Flags/Libs
 	#CC = 
 	#CXX =
+	DEFINEFLAGS =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
 	ARCHFLAGS =
 	INC +=
@@ -93,6 +95,7 @@ else ifeq ($(PROJECT_PLATFORM), MACOS)
 	# MacOS Flags/Libs
 	#CC = 
 	#CXX =
+	DEFINEFLAGS =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
 	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
 	INC +=
@@ -101,8 +104,8 @@ else ifeq ($(PROJECT_PLATFORM), MACOS)
 endif
 
 # Compiler Flags
-CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
-CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CXXFLAGS = -std=c++11 $(INC) $(DEFINEFLAGS) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(DEFINEFLAGS) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 
 # Object Files
 SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
diff --git a/makerom/deps/libyaml/makefile b/makerom/deps/libyaml/makefile
index 785e3b8a..f2c87707 100644
--- a/makerom/deps/libyaml/makefile
+++ b/makerom/deps/libyaml/makefile
@@ -1,6 +1,6 @@
 # C++/C Recursive Project Makefile 
 # (c) Jack
-# Version 7 (20220416)
+# Version 8 (20220420)
 
 # Project Name
 PROJECT_NAME = libyaml
@@ -75,6 +75,7 @@ ifeq ($(PROJECT_PLATFORM), WIN32)
 	# Windows Flags/Libs
 	CC = x86_64-w64-mingw32-gcc
 	CXX = x86_64-w64-mingw32-g++
+	DEFINEFLAGS =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
 	ARCHFLAGS =
 	INC +=
@@ -84,6 +85,7 @@ else ifeq ($(PROJECT_PLATFORM), GNU)
 	# GNU/Linux Flags/Libs
 	#CC = 
 	#CXX =
+	DEFINEFLAGS = -D_GNU_SOURCE
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
 	ARCHFLAGS =
 	INC +=
@@ -93,6 +95,7 @@ else ifeq ($(PROJECT_PLATFORM), MACOS)
 	# MacOS Flags/Libs
 	#CC = 
 	#CXX =
+	DEFINEFLAGS =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
 	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
 	INC +=
@@ -101,8 +104,8 @@ else ifeq ($(PROJECT_PLATFORM), MACOS)
 endif
 
 # Compiler Flags
-CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
-CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CXXFLAGS = -std=c++11 $(INC) $(DEFINEFLAGS) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(DEFINEFLAGS) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 
 # Object Files
 SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
diff --git a/makerom/makefile b/makerom/makefile
index de32f586..546ff976 100644
--- a/makerom/makefile
+++ b/makerom/makefile
@@ -1,6 +1,6 @@
 # C++/C Recursive Project Makefile 
 # (c) Jack
-# Version 7 (20220416)
+# Version 8 (20220420)
 
 # Project Name
 PROJECT_NAME = makerom
@@ -75,6 +75,7 @@ ifeq ($(PROJECT_PLATFORM), WIN32)
 	# Windows Flags/Libs
 	CC = x86_64-w64-mingw32-gcc
 	CXX = x86_64-w64-mingw32-g++
+	DEFINEFLAGS =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
 	ARCHFLAGS =
 	INC +=
@@ -84,6 +85,7 @@ else ifeq ($(PROJECT_PLATFORM), GNU)
 	# GNU/Linux Flags/Libs
 	#CC = 
 	#CXX =
+	DEFINEFLAGS = -D_GNU_SOURCE
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-but-set-variable
 	ARCHFLAGS =
 	INC +=
@@ -93,6 +95,7 @@ else ifeq ($(PROJECT_PLATFORM), MACOS)
 	# MacOS Flags/Libs
 	#CC = 
 	#CXX =
+	DEFINEFLAGS =
 	WARNFLAGS = -Wall -Wno-unused-value -Wno-unused-private-field
 	ARCHFLAGS = -arch $(PROJECT_PLATFORM_ARCH)
 	INC +=
@@ -101,8 +104,8 @@ else ifeq ($(PROJECT_PLATFORM), MACOS)
 endif
 
 # Compiler Flags
-CXXFLAGS = -std=c++11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
-CFLAGS = -std=c11 $(INC) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CXXFLAGS = -std=c++11 $(INC) $(DEFINEFLAGS) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
+CFLAGS = -std=c11 $(INC) $(DEFINEFLAGS) $(WARNFLAGS) $(ARCHFLAGS) -fPIC
 
 # Object Files
 SRC_OBJ = $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cpp,.o,$(wildcard $(dir)/*.cpp))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .cc,.o,$(wildcard $(dir)/*.cc))) $(foreach dir,$(PROJECT_SRC_SUBDIRS),$(subst .c,.o,$(wildcard $(dir)/*.c)))
diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index c1b45d44..ffc940f2 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -910,7 +910,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.18.2 (C) 3DSGuy 2022\n");
+	printf("CTR MAKEROM v0.18.3 (C) 3DSGuy 2022\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From 92a4b5f59560a6b3760e0f20c3837d4b008acfef Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Fri, 22 Apr 2022 19:24:27 +0800
Subject: [PATCH 296/317] Update README.md for makerom v0.18.3 release.

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index f32d4c75..5443952b 100644
--- a/README.md
+++ b/README.md
@@ -4,4 +4,4 @@ Project CTR is a collection of custom Nintendo 3DS tools.
 ## Tools
 [ctrtool](ctrtool/README.md) - a tool to read/extract Nintendo 3DS files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/ctrtool-v1.1.0))
 
-[makerom](makerom/README.md) - creates CTR cxi/cfa/cci/cia files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/makerom-v0.18.2)) 
+[makerom](makerom/README.md) - creates CTR cxi/cfa/cci/cia files. ([download](https://github.com/3DSGuy/Project_CTR/releases/tag/makerom-v0.18.3)) 

From 334f6f04683e788c1bc9e614a554d078005adc1f Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 19 Jun 2022 13:53:25 +0800
Subject: [PATCH 297/317] [CTRTool] Honour plain flag when processing CIA
 files. (#126)

* Add util functions to CTRTool

* [ctrtool] Honour -p flag when processing CIA files.

* Bump CTRTool version to v1.1.1
---
 .../visualstudio/CTRTool/CTRTool.vcxproj      |  2 +
 .../CTRTool/CTRTool.vcxproj.filters           |  6 +++
 ctrtool/src/CiaProcess.cpp                    | 51 ++++++------------
 ctrtool/src/CiaProcess.h                      |  2 +-
 ctrtool/src/util.cpp                          | 52 +++++++++++++++++++
 ctrtool/src/util.h                            | 15 ++++++
 ctrtool/src/version.h                         |  2 +-
 7 files changed, 92 insertions(+), 38 deletions(-)
 create mode 100644 ctrtool/src/util.cpp
 create mode 100644 ctrtool/src/util.h

diff --git a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
index c8f7dc3f..3648b455 100644
--- a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
+++ b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj
@@ -153,6 +153,7 @@
     <ClInclude Include="..\..\..\src\types.h" />
     <ClInclude Include="..\..\..\src\TikProcess.h" />
     <ClInclude Include="..\..\..\src\TmdProcess.h" />
+    <ClInclude Include="..\..\..\src\util.h" />
     <ClInclude Include="..\..\..\src\version.h" />
   </ItemGroup>
   <ItemGroup>
@@ -172,6 +173,7 @@
     <ClCompile Include="..\..\..\src\Settings.cpp" />
     <ClCompile Include="..\..\..\src\TikProcess.cpp" />
     <ClCompile Include="..\..\..\src\TmdProcess.cpp" />
+    <ClCompile Include="..\..\..\src\util.cpp" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\..\..\deps\libfmt\build\visualstudio\libfmt\libfmt.vcxproj">
diff --git a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
index 91b9ca0f..1955240e 100644
--- a/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
+++ b/ctrtool/build/visualstudio/CTRTool/CTRTool.vcxproj.filters
@@ -66,6 +66,9 @@
     <ClInclude Include="..\..\..\src\TmdProcess.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\..\..\src\util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
     <ClInclude Include="..\..\..\src\version.h">
       <Filter>Header Files</Filter>
     </ClInclude>
@@ -119,5 +122,8 @@
     <ClCompile Include="..\..\..\src\TmdProcess.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\src\util.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>
\ No newline at end of file
diff --git a/ctrtool/src/CiaProcess.cpp b/ctrtool/src/CiaProcess.cpp
index 6b89d7ab..237f3e38 100644
--- a/ctrtool/src/CiaProcess.cpp
+++ b/ctrtool/src/CiaProcess.cpp
@@ -1,4 +1,5 @@
 #include "CiaProcess.h"
+#include "util.h"
 #include <tc/io.h>
 #include <tc/cli.h>
 #include <tc/crypto.h>
@@ -15,6 +16,7 @@ ctrtool::CiaProcess::CiaProcess() :
 	mShowHeaderInfo(false),
 	mVerbose(false),
 	mVerify(false),
+	mPlain(false),
 	mCertExtractPath(),
 	mTikExtractPath(),
 	mTmdExtractPath(),
@@ -103,6 +105,7 @@ void ctrtool::CiaProcess::setRawMode(bool raw)
 
 void ctrtool::CiaProcess::setPlainMode(bool plain)
 {
+	mPlain = plain;
 	mNcchProcess.setPlainMode(plain);
 }
 
@@ -515,7 +518,7 @@ void ctrtool::CiaProcess::verifyContent()
 
 			content_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, itr->second.offset, itr->second.size));
 
-			if (itr->second.is_encrypted && mDecryptedTitleKey.isSet())
+			if (!mPlain && itr->second.is_encrypted && mDecryptedTitleKey.isSet())
 			{
 				tc::crypto::Aes128CbcEncryptedStream::iv_t content_iv;
 				createContentIv(content_iv, itr->second.cindex);
@@ -691,23 +694,22 @@ void ctrtool::CiaProcess::printHeader()
 
 void ctrtool::CiaProcess::extractCia()
 {
+	tc::ByteData cache = tc::ByteData(0x10000);
 	tc::io::Path out_path;
 	std::shared_ptr<tc::io::IStream> in_stream;
-	std::shared_ptr<tc::io::IStream> out_stream;
 
 	if (mCertExtractPath.isSet() && mCertSizeInfo.size > 0)
 	{
 		out_path = mCertExtractPath.get();
 
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mCertSizeInfo.offset, mCertSizeInfo.size));
-		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
 		if (mVerbose)
 		{
 			fmt::print(stderr, "[{} LOG] Saving certs to {}...\n", mModuleLabel, out_path.to_string());
 		}
 		
-		copyStream(in_stream, out_stream);
+		writeStreamToFile(in_stream, out_path, cache);
 	}
 
 	if (mTikExtractPath.isSet() && mTikSizeInfo.size > 0)
@@ -715,13 +717,13 @@ void ctrtool::CiaProcess::extractCia()
 		out_path = mTikExtractPath.get();
 
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTikSizeInfo.offset, mTikSizeInfo.size));
-		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
 		if (mVerbose)
 		{
 			fmt::print(stderr, "[{} LOG] Saving tik to {}...\n", mModuleLabel, out_path.to_string());
 		}
-		copyStream(in_stream, out_stream);
+
+		writeStreamToFile(in_stream, out_path, cache);
 	}
 
 	if (mTmdExtractPath.isSet() && mTmdSizeInfo.size > 0)
@@ -729,13 +731,13 @@ void ctrtool::CiaProcess::extractCia()
 		out_path = mTmdExtractPath.get();
 
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mTmdSizeInfo.offset, mTmdSizeInfo.size));
-		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
 		if (mVerbose)
 		{
 			fmt::print(stderr, "[{} LOG] Saving tmd to {}...\n", mModuleLabel, out_path.to_string());
 		}
-		copyStream(in_stream, out_stream);
+
+		writeStreamToFile(in_stream, out_path, cache);
 	}
 
 	if (mFooterExtractPath.isSet() && mFooterSizeInfo.size > 0)
@@ -743,13 +745,13 @@ void ctrtool::CiaProcess::extractCia()
 		out_path = mFooterExtractPath.get();
 
 		in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mFooterSizeInfo.offset, mFooterSizeInfo.size));
-		out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
 
 		if (mVerbose)
 		{
 			fmt::print(stderr, "[{} LOG] Saving meta to {}...\n", mModuleLabel, out_path.to_string());
 		}
-		copyStream(in_stream, out_stream);
+
+		writeStreamToFile(in_stream, out_path, cache);
 	}
 
 	if (mContentExtractPath.isSet() && mContentInfo.size() > 0)
@@ -761,7 +763,7 @@ void ctrtool::CiaProcess::extractCia()
 
 			in_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, itr->second.offset, itr->second.size));
 
-			if (itr->second.is_encrypted && mDecryptedTitleKey.isSet())
+			if (!mPlain && itr->second.is_encrypted && mDecryptedTitleKey.isSet())
 			{
 				tc::crypto::Aes128CbcEncryptedStream::iv_t content_iv;
 				createContentIv(content_iv, itr->second.cindex);
@@ -769,39 +771,16 @@ void ctrtool::CiaProcess::extractCia()
 				in_stream = std::shared_ptr<tc::crypto::Aes128CbcEncryptedStream>(new tc::crypto::Aes128CbcEncryptedStream(in_stream, mDecryptedTitleKey.get(), content_iv));
 			}
 
-			out_stream = std::shared_ptr<tc::io::FileStream>(new tc::io::FileStream(out_path, tc::io::FileMode::OpenOrCreate, tc::io::FileAccess::Write));
-
 			if (mVerbose)
 			{
 				fmt::print(stderr, "[{} LOG] Saving content {:04x} to {}...\n", mModuleLabel, itr->second.cindex, out_path.to_string());
 			}
 			
-			copyStream(in_stream, out_stream);
+			writeStreamToFile(in_stream, out_path, cache);
 		}
 	}
 }
 
-void ctrtool::CiaProcess::copyStream(const std::shared_ptr<tc::io::IStream>& in, const std::shared_ptr<tc::io::IStream>& out)
-{
-	tc::ByteData cache = tc::ByteData(0x10000);
-	size_t cache_read_len;
-
-	in->seek(0, tc::io::SeekOrigin::Begin);
-	out->seek(0, tc::io::SeekOrigin::Begin);
-	for (int64_t remaining_data = in->length(); remaining_data > 0;)
-	{
-		cache_read_len = in->read(cache.data(), cache.size());
-		if (cache_read_len == 0)
-		{
-			throw tc::io::IOException(mModuleLabel, "Failed to read from source file.");
-		}
-
-		out->write(cache.data(), cache_read_len);
-
-		remaining_data -= int64_t(cache_read_len);
-	}
-}
-
 void ctrtool::CiaProcess::processContent()
 {
 	if (mContentIndex >= ntd::n3ds::CiaHeader::kCiaMaxContentNum)
@@ -813,7 +792,7 @@ void ctrtool::CiaProcess::processContent()
 	{
 		std::shared_ptr<tc::io::IStream> content_stream = std::shared_ptr<tc::io::SubStream>(new tc::io::SubStream(mInputStream, mContentInfo[mContentIndex].offset, mContentInfo[mContentIndex].size));
 		
-		if (mContentInfo[mContentIndex].is_encrypted && mDecryptedTitleKey.isSet())
+		if (!mPlain && mContentInfo[mContentIndex].is_encrypted && mDecryptedTitleKey.isSet())
 		{
 			tc::crypto::Aes128CbcEncryptedStream::iv_t content_iv;
 			createContentIv(content_iv, mContentInfo[mContentIndex].cindex);
diff --git a/ctrtool/src/CiaProcess.h b/ctrtool/src/CiaProcess.h
index 245184eb..c7089368 100644
--- a/ctrtool/src/CiaProcess.h
+++ b/ctrtool/src/CiaProcess.h
@@ -46,6 +46,7 @@ class CiaProcess
 	bool mShowHeaderInfo;
 	bool mVerbose;
 	bool mVerify;
+	bool mPlain;
 	tc::Optional<tc::io::Path> mCertExtractPath;
 	tc::Optional<tc::io::Path> mTikExtractPath;
 	tc::Optional<tc::io::Path> mTmdExtractPath;
@@ -108,7 +109,6 @@ class CiaProcess
 	void verifyContent();
 	void printHeader();
 	void extractCia();
-	void copyStream(const std::shared_ptr<tc::io::IStream>& in, const std::shared_ptr<tc::io::IStream>& out);
 	void processContent();
 
 	void createContentIv(std::array<byte_t, 16>& content_iv, uint16_t index);
diff --git a/ctrtool/src/util.cpp b/ctrtool/src/util.cpp
new file mode 100644
index 00000000..c729587f
--- /dev/null
+++ b/ctrtool/src/util.cpp
@@ -0,0 +1,52 @@
+#include "util.h"
+
+#include <tc/io/FileStream.h>
+#include <tc/io/SubStream.h>
+#include <tc/io/IOUtil.h>
+
+void ctrtool::writeSubStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, int64_t offset, int64_t length, const tc::io::Path& out_path, tc::ByteData& cache)
+{
+	writeStreamToStream(std::make_shared<tc::io::SubStream>(tc::io::SubStream(in_stream, offset, length)), std::make_shared<tc::io::FileStream>(tc::io::FileStream(out_path, tc::io::FileMode::Create, tc::io::FileAccess::Write)), cache);
+}
+
+void ctrtool::writeSubStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, int64_t offset, int64_t length, const tc::io::Path& out_path, size_t cache_size)
+{
+	writeStreamToStream(std::make_shared<tc::io::SubStream>(tc::io::SubStream(in_stream, offset, length)), std::make_shared<tc::io::FileStream>(tc::io::FileStream(out_path, tc::io::FileMode::Create, tc::io::FileAccess::Write)), cache_size);
+}
+
+void ctrtool::writeStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, const tc::io::Path& out_path, tc::ByteData& cache)
+{
+	writeStreamToStream(in_stream, std::make_shared<tc::io::FileStream>(tc::io::FileStream(out_path, tc::io::FileMode::Create, tc::io::FileAccess::Write)), cache);
+}
+
+void ctrtool::writeStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, const tc::io::Path& out_path, size_t cache_size)
+{
+	writeStreamToStream(in_stream, std::make_shared<tc::io::FileStream>(tc::io::FileStream(out_path, tc::io::FileMode::Create, tc::io::FileAccess::Write)), cache_size);
+}
+
+void ctrtool::writeStreamToStream(const std::shared_ptr<tc::io::IStream>& in_stream, const std::shared_ptr<tc::io::IStream>& out_stream, tc::ByteData& cache)
+{
+	// iterate thru child files
+	size_t cache_read_len;
+	
+	in_stream->seek(0, tc::io::SeekOrigin::Begin);
+	out_stream->seek(0, tc::io::SeekOrigin::Begin);
+	for (int64_t remaining_data = in_stream->length(); remaining_data > 0;)
+	{
+		cache_read_len = in_stream->read(cache.data(), cache.size());
+		if (cache_read_len == 0)
+		{
+			throw tc::io::IOException("ctrtool::writeStreamToStream()", "Failed to read from source streeam.");
+		}
+
+		out_stream->write(cache.data(), cache_read_len);
+
+		remaining_data -= int64_t(cache_read_len);
+	}
+}
+
+void ctrtool::writeStreamToStream(const std::shared_ptr<tc::io::IStream>& in_stream, const std::shared_ptr<tc::io::IStream>& out_stream, size_t cache_size)
+{
+	tc::ByteData cache = tc::ByteData(cache_size);
+	writeStreamToStream(in_stream, out_stream, cache);
+}
\ No newline at end of file
diff --git a/ctrtool/src/util.h b/ctrtool/src/util.h
new file mode 100644
index 00000000..de4071e2
--- /dev/null
+++ b/ctrtool/src/util.h
@@ -0,0 +1,15 @@
+#pragma once
+#include "types.h"
+#include <tc/io.h>
+
+namespace ctrtool
+{
+
+void writeSubStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, int64_t offset, int64_t length, const tc::io::Path& out_path, tc::ByteData& cache);
+void writeSubStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, int64_t offset, int64_t length, const tc::io::Path& out_path, size_t cache_size = 0x10000);
+void writeStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, const tc::io::Path& out_path, tc::ByteData& cache);
+void writeStreamToFile(const std::shared_ptr<tc::io::IStream>& in_stream, const tc::io::Path& out_path, size_t cache_size = 0x10000);
+void writeStreamToStream(const std::shared_ptr<tc::io::IStream>& in_stream, const std::shared_ptr<tc::io::IStream>& out_stream, tc::ByteData& cache);
+void writeStreamToStream(const std::shared_ptr<tc::io::IStream>& in_stream, const std::shared_ptr<tc::io::IStream>& out_stream, size_t cache_size = 0x10000);
+
+}
\ No newline at end of file
diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index c59c9ed7..0ae3d8b9 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -3,5 +3,5 @@
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
 #define VER_MINOR	1
-#define VER_PATCH	0
+#define VER_PATCH	1
 #define AUTHORS		"jakcron"
\ No newline at end of file

From 3d09130b91986a808ca81d5a5ea7494ace126386 Mon Sep 17 00:00:00 2001
From: Liam <47696410+liamadvance@users.noreply.github.com>
Date: Sun, 19 Mar 2023 09:22:59 +0000
Subject: [PATCH 298/317] Update for 9.6 CCI changes (#135)

* add 9.6.0 cci changes

* adjust crypto type validation

* ugh

---------

Co-authored-by: Liam <47696410+0Liam@users.noreply.github.com>
---
 .../libnintendo-n3ds/include/ntd/n3ds/cci.h   | 12 ++++++++++-
 ctrtool/src/CciProcess.cpp                    | 20 +++++++++++++++++--
 ctrtool/src/CciProcess.h                      |  1 +
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
index 57f62fd2..2bde814f 100644
--- a/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
+++ b/ctrtool/deps/libnintendo-n3ds/include/ntd/n3ds/cci.h
@@ -79,10 +79,20 @@ struct NcsdCommonHeader
 
 	struct GameCardExtendedHeader
 	{
+		struct CryptoType
+		{
+			byte_t enabled : 1;
+			byte_t value : 2;
+			byte_t reserved : 5;
+		};
+
 		// 0x90
 		std::array<tc::bn::le64<uint64_t>, kPartitionNum> partition_id;
 		// 0xD0
-		tc::bn::pad<0x30>                                 reserved;
+		tc::bn::pad<0x2E>                                 reserved;
+		// 0xFE
+		CryptoType                                        crypto_type;
+		byte_t                                            backup_security_version;
 	};
 
 	struct NandExtendedHeader
diff --git a/ctrtool/src/CciProcess.cpp b/ctrtool/src/CciProcess.cpp
index f1bc54d1..01c0510d 100644
--- a/ctrtool/src/CciProcess.cpp
+++ b/ctrtool/src/CciProcess.cpp
@@ -22,6 +22,7 @@ ctrtool::CciProcess::CciProcess() :
 	mUsedImageSize(0),
 	mValidSignature(ValidState::Unchecked),
 	mValidInitialDataMac(ValidState::Unchecked),
+	mValidCryptoType(ValidState::Unchecked),
 	mDecryptedTitleKey(),
 	mNcchProcess(),
 	mFsReader()
@@ -234,6 +235,21 @@ void ctrtool::CciProcess::importHeader()
 		fmt::print(stderr, "[{} ERROR] Failed to determine key to decrypt InitialData.\n", mModuleLabel);
 	}
 
+	// verify crypto type
+	if (mVerify)
+	{
+		// only verify if the enabled bit is set
+		if (mHeader.ncsd_header.card_ext.crypto_type.enabled)
+		{
+			mValidCryptoType = mHeader.card_info.flag.crypto_type == mHeader.ncsd_header.card_ext.crypto_type.value ? ValidState::Good : ValidState::Fail;
+
+			if (mValidCryptoType != ValidState::Good)
+			{
+				fmt::print(stderr, "[{} ERROR] CryptoType was invalid.\n", mModuleLabel);
+			}
+		}
+	}
+
 	// open fs reader
 	mFsReader = std::shared_ptr<tc::io::VirtualFileSystem>(new tc::io::VirtualFileSystem(ntd::n3ds::CciFsShapshotGenerator(mInputStream)));
 }
@@ -294,7 +310,7 @@ void ctrtool::CciProcess::printHeader()
 	}
 	fmt::print(" Flags:                  {}\n", tc::cli::FormatUtil::formatBytesAsString(mHeader.ncsd_header.flags.data(), mHeader.ncsd_header.flags.size(), true, ""));
 	fmt::print("  BackupWriteWaitTime:   {:02x}\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_BackupWriteWaitTime]);
-	fmt::print("  BackupSecurityVersion: {:02x}\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_BackupSecurityVersion]);
+	fmt::print("  BackupSecurityVersion: {:02x}\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_BackupSecurityVersion] + mHeader.ncsd_header.card_ext.backup_security_version);
 	fmt::print("  CardInfo:              {:02x}\n", (uint32_t)mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_CardInfo]);
 	byte_t card_device = (mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_CardDevice] | mHeader.ncsd_header.flags[mHeader.NcsdFlagIndex_CardDevice_Deprecated]);
 	fmt::print("  CardDevice:            {:02x} ({})\n", (uint32_t)card_device, getCardDeviceString(card_device));
@@ -314,7 +330,7 @@ void ctrtool::CciProcess::printHeader()
 	fmt::print("CardInfo:\n");
 	fmt::print(" WriteableRegion:        0x{:08X}\n", mHeader.card_info.writable_region.unwrap());
 	fmt::print(" CardType:               {} ({:X})\n", getCardTypeString(mHeader.card_info.flag.card_type), (uint32_t)mHeader.card_info.flag.card_type);
-	fmt::print(" CryptoType:             {} ({:X})\n", getCryptoTypeString(mHeader.card_info.flag.crypto_type), (uint32_t)mHeader.card_info.flag.crypto_type);
+	fmt::print(" CryptoType: {:6}      {} ({:X})\n", getValidString(mValidCryptoType), getCryptoTypeString(mHeader.card_info.flag.crypto_type), (uint32_t)mHeader.card_info.flag.crypto_type);
 	
 	// mastering metadata
 	fmt::print("MasteringMetadata:\n");
diff --git a/ctrtool/src/CciProcess.h b/ctrtool/src/CciProcess.h
index 7d845617..e6005aef 100644
--- a/ctrtool/src/CciProcess.h
+++ b/ctrtool/src/CciProcess.h
@@ -43,6 +43,7 @@ class CciProcess
 	int64_t mUsedImageSize;
 	byte_t mValidSignature;
 	byte_t mValidInitialDataMac;
+	byte_t mValidCryptoType;
 	ntd::n3ds::CciHeader mHeader;
 	tc::Optional<KeyBag::Aes128Key> mDecryptedTitleKey;
 	ctrtool::NcchProcess mNcchProcess;

From b7889c3e723ec9dbd823a946ed3f3a88996a6a75 Mon Sep 17 00:00:00 2001
From: Steveice10 <1269164+Steveice10@users.noreply.github.com>
Date: Thu, 30 Mar 2023 17:45:20 -0700
Subject: [PATCH 299/317] Remove incorrect ExeFS header hash validation. (#137)

---
 ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp | 4 ++--
 ctrtool/src/ExeFsProcess.cpp                                 | 4 ++--
 ctrtool/src/NcchProcess.cpp                                  | 3 +--
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp b/ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp
index 424e5a6d..72371c85 100644
--- a/ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp
+++ b/ctrtool/deps/libnintendo-n3ds/src/ExeFsSnapshotGenerator.cpp
@@ -33,7 +33,7 @@ ntd::n3ds::ExeFsSnapshotGenerator::ExeFsSnapshotGenerator(const std::shared_ptr<
 	stream->seek(0, tc::io::SeekOrigin::Begin);
 	stream->read((byte_t*)(&hdr), sizeof(ntd::n3ds::ExeFsHeader));
 
-	if (hdr.file_table[0].name[0] == 0 || hdr.file_table[0].offset.unwrap() != 0 || hdr.hash_table[ntd::n3ds::ExeFsHeader::kFileNum - 1][0] == 0)
+	if (hdr.file_table[0].name[0] == 0 || hdr.file_table[0].offset.unwrap() != 0)
 	{
 		throw tc::ArgumentOutOfRangeException("ntd::n3ds::ExeFsSnapshotGenerator", "ExeFsHeader is corrupted (Bad first entry).");
 	}
@@ -119,4 +119,4 @@ ntd::n3ds::ExeFsSnapshotGenerator::ExeFsSnapshotGenerator(const std::shared_ptr<
 			cur_dir->dir_listing.file_list.push_back(section[i].name);
 		}
 	}
-}
\ No newline at end of file
+}
diff --git a/ctrtool/src/ExeFsProcess.cpp b/ctrtool/src/ExeFsProcess.cpp
index 3d6c62f7..36475ee3 100644
--- a/ctrtool/src/ExeFsProcess.cpp
+++ b/ctrtool/src/ExeFsProcess.cpp
@@ -94,7 +94,7 @@ void ctrtool::ExeFsProcess::importHeader()
 	mInputStream->read((byte_t*)&mHeader, sizeof(ntd::n3ds::ExeFsHeader));
 
 	// do some simple checks to verify if this is an EXEFS header
-	if (mHeader.file_table[0].name[0] == 0 || mHeader.file_table[0].offset.unwrap() != 0 || mHeader.hash_table[ntd::n3ds::ExeFsHeader::kFileNum - 1][0] == 0)
+	if (mHeader.file_table[0].name[0] == 0 || mHeader.file_table[0].offset.unwrap() != 0)
 	{
 		throw tc::ArgumentOutOfRangeException(mModuleLabel, "ExeFsHeader is corrupted (Bad first entry).");
 	}
@@ -281,4 +281,4 @@ std::string ctrtool::ExeFsProcess::getValidString(byte_t validstate)
 	}
 
 	return ret_str;
-}
\ No newline at end of file
+}
diff --git a/ctrtool/src/NcchProcess.cpp b/ctrtool/src/NcchProcess.cpp
index 30417229..e5f1dbc6 100644
--- a/ctrtool/src/NcchProcess.cpp
+++ b/ctrtool/src/NcchProcess.cpp
@@ -489,8 +489,7 @@ void ctrtool::NcchProcess::determineRegionEncryption()
 
 					// quick header validation
 					if (exefs_hdr.file_table[0].name[0] == 0 ||
-					    exefs_hdr.file_table[0].offset.unwrap() != 0 ||
-					    exefs_hdr.getFileHash(0)->operator[](0) == 0)
+					    exefs_hdr.file_table[0].offset.unwrap() != 0)
 					{
 						throw tc::ArgumentOutOfRangeException(mModuleLabel, "ExeFsHeader is corrupted (Bad first entry).");
 					}

From 7e645b2b17f153bb1c2b9d4269f727cce659be5c Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sat, 1 Apr 2023 09:29:39 +0800
Subject: [PATCH 300/317] [ctrtool] Bump version to 1.2.0

---
 ctrtool/src/version.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index 0ae3d8b9..54ae9f5b 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -2,6 +2,6 @@
 #define APP_NAME	"CTRTool"
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
-#define VER_MINOR	1
-#define VER_PATCH	1
-#define AUTHORS		"jakcron"
\ No newline at end of file
+#define VER_MINOR	2
+#define VER_PATCH	0
+#define AUTHORS		"jakcron"

From ea2390df800f8ae82fb829dfcd79e984b5b81878 Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sat, 30 Sep 2023 16:38:29 +0800
Subject: [PATCH 301/317] [makerom] Change elf processing to no longer strictly
 require data section. (#143)

---
 makerom/src/code.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/makerom/src/code.c b/makerom/src/code.c
index 98d8cf78..15386c4a 100644
--- a/makerom/src/code.c
+++ b/makerom/src/code.c
@@ -168,10 +168,6 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 
 	/* Checking the existence of essential ELF Segments */
 	if (!text.fileSize) return NOT_FIND_TEXT_SEGMENT;
-	if (!rwdata.fileSize) return NOT_FIND_DATA_SEGMENT;
-
-	/* Calculating BSS size */
-	set->codeDetails.bssSize = rwdata.memSize - rwdata.fileSize;
 
 	/* Allocating Buffer for ExeFs Code */
 	bool noCodePadding = set->options.noCodePadding;
@@ -209,7 +205,7 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 		set->exefsSections.code.buffer = code;
 	}
 
-	/* Setting code_segment data and freeing original buffers */
+	/* Setting code_segment data */
 	set->codeDetails.textAddress = text.address;
 	set->codeDetails.textMaxPages = text.pageNum;
 	set->codeDetails.textSize = text.fileSize;
@@ -222,6 +218,14 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	set->codeDetails.rwMaxPages = rwdata.pageNum;
 	set->codeDetails.rwSize = rwdata.fileSize;
 
+	/* Calculating BSS size */
+	if (rwdata.fileSize) {
+		set->codeDetails.bssSize = rwdata.memSize - rwdata.fileSize;
+	}
+	else {
+		set->codeDetails.bssSize = 0;
+	}
+
 	if (set->rsfSet->SystemControlInfo.StackSize)
 		set->codeDetails.stackSize = strtoul(set->rsfSet->SystemControlInfo.StackSize, NULL, 0);
 	else {

From c0488dcb6c3048e6a519716f2b21e2c65859ca75 Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sat, 30 Sep 2023 16:56:10 +0800
Subject: [PATCH 302/317] [makerom] Bump version to 0.18.4

---
 makerom/src/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index ffc940f2..11922702 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -910,7 +910,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.18.3 (C) 3DSGuy 2022\n");
+	printf("CTR MAKEROM v0.18.4 (C) 3DSGuy 2023\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From 681d17d7986901552d9f1b4346ac591d1b784567 Mon Sep 17 00:00:00 2001
From: TuxSH <1922548+TuxSH@users.noreply.github.com>
Date: Sat, 20 Jul 2024 05:58:11 +0200
Subject: [PATCH 303/317] Add necessary features for LgyBg and Process9
 development (#151)

* [makerom] Add -baremetal flag

This is a workaround to us not supporting multiple phdr per "segment".

K9 and legacy FIRM k11 don't have memory management and have everything
be RWX. We can exploit how they load CIPs to have the segment be
anything, and be able to be loaded at any VMA (first segment defines LMA
and entrypoint, however). With this flag, the first phdr in the .elf
file is always chosen as the "code" segment and so on.

For example, we can have a FCRAM segment where the image is initially
loaded and jumped to, as the first segment, then an AXIWRAM segment. For
TwlBg, Nintendo seems to have a RWX phdr inside the code "segment" that
it relocates to AXIWRAM, but we don't support this.

"-baremetal" implies "-nocodepadding".

* [makerom] Add -pagesize option

Kernel9 uses pagesize=0x100 instead of the usual 0x1000.

* [makerom] Remove 32 interrupt ID limitation
---
 makerom/src/code.c          |  84 +++++++++++++---------
 makerom/src/exheader.c      | 137 ++++++++++++++++++------------------
 makerom/src/ncch.c          |   5 +-
 makerom/src/ncch_build.h    |   6 +-
 makerom/src/user_settings.c |  19 ++++-
 makerom/src/user_settings.h |   5 +-
 6 files changed, 149 insertions(+), 107 deletions(-)

diff --git a/makerom/src/code.c b/makerom/src/code.c
index 15386c4a..fd11df4b 100644
--- a/makerom/src/code.c
+++ b/makerom/src/code.c
@@ -6,8 +6,7 @@
 
 #include <blz.h>
 
-const u32 CTR_PAGE_SIZE = 0x1000;
-const u32 DEFAULT_STACK_SIZE = 0x4000; // 10KB
+static const u32 DEFAULT_STACK_SIZE = 0x4000; // 10KB
 
 typedef struct code_segment
 {
@@ -18,14 +17,14 @@ typedef struct code_segment
 	const u8 *data;
 } code_segment;
 
-u32 SizeToPage(u32 memorySize)
+u32 SizeToPage(u32 memorySize, u32 pageSize)
 {
-	return align(memorySize, CTR_PAGE_SIZE) / CTR_PAGE_SIZE;
+	return align(memorySize, pageSize) / pageSize;
 }
 
-u32 PageToSize(u32 pageNum)
+u32 PageToSize(u32 pageNum, u32 pageSize)
 {
-	return pageNum * CTR_PAGE_SIZE;
+	return pageNum * pageSize;
 }
 
 int ImportPlainRegionFromFile(ncch_settings *set)
@@ -123,10 +122,11 @@ int ImportPlainRegionFromElf(elf_context *elf, ncch_settings *set)
 	return 0;
 }
 
-void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags)
+void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags, u32 pageSize, bool baremetal, u32 baremetalOrder)
 {
 	u32 segmentNum = elf_SegmentNum(elf);
 	const elf_segment *segments = elf_GetSegments(elf);
+	u16 foundSegmentId = segmentNum;
 
 	/* Initialise struct data */
 	out->address = 0;
@@ -135,24 +135,42 @@ void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_f
 	out->fileSize = 0;
 	out->data = NULL;
 
-	/* Find segment */
-	for (u16 i = 0; i < segmentNum; i++) {
-		/*	Skip SDK ELF .module_id segment
-			The last segment should always be data in valid ELFs, 
-			unless this is an SDK ELF with .module_id segment */
-		if (i == segmentNum-1 && segments[i].flags == PF_RODATA)
-			continue;
-
-		/* Found segment */
-		if ((segments[i].flags & ~PF_CTRSDK) == segment_flags && segments[i].type == PT_LOAD) {
-			out->address = segments[i].vAddr;
-			out->memSize = segments[i].memSize;
-			out->fileSize = segments[i].fileSize;
-			out->pageNum = SizeToPage(out->fileSize);
-			out->data = segments[i].ptr;
-			break;
+	if (baremetal) {
+		/*	With Kernel9 and with LGY firm K11, everything is RWX with no memory management.
+			While it is a bit hard to replicate what Nintendo do with their toolchain, we can
+			abuse how these kernels work and remove meaning from "text segment" etc.
+
+			The other option would be to add support for multiple phdr per "section" and allow
+			for RWX phdrs (and perhaps parse phdr list from .rsf), plus read LMA instead of VMA below,
+			but that's a lot more work compared to this dirty workaround.
+
+			First segment defines entrypoint and LMA for the rest of the image.*/
+		if (baremetalOrder < segmentNum && (segments[baremetalOrder].flags & segment_flags) == segment_flags && segments[baremetalOrder].type == PT_LOAD)
+			foundSegmentId = baremetalOrder;
+	} else {
+		/* Find segment */
+		for (u16 i = 0; i < segmentNum; i++) {
+			/*	Skip SDK ELF .module_id segment
+				The last segment should always be data in valid ELFs,
+				unless this is an SDK ELF with .module_id segment */
+			if (i == segmentNum-1 && segments[i].flags == PF_RODATA)
+				continue;
+
+			/* Found segment */
+			if ((segments[i].flags & ~PF_CTRSDK) == segment_flags && segments[i].type == PT_LOAD) {
+				foundSegmentId = i;
+				break;
+			}
 		}
 	}
+
+	if (foundSegmentId < segmentNum) {
+		out->address = segments[foundSegmentId].vAddr;
+		out->memSize = segments[foundSegmentId].memSize;
+		out->fileSize = segments[foundSegmentId].fileSize;
+		out->pageNum = SizeToPage(out->fileSize, pageSize);
+		out->data = segments[foundSegmentId].ptr;
+	}
 }
 
 int CreateExeFsCode(elf_context *elf, ncch_settings *set)
@@ -162,28 +180,30 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	code_segment rodata;
 	code_segment rwdata;
 
-	CreateCodeSegmentFromElf(&text, elf, PF_TEXT);
-	CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA);
-	CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA);
+	bool baremetal = set->options.baremetal;
+	u32 pageSize = set->options.pageSize;
+	CreateCodeSegmentFromElf(&text, elf, PF_TEXT, pageSize, baremetal, 0);
+	CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA, pageSize, baremetal, 1);
+	CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA, pageSize, baremetal, 2);
 
 	/* Checking the existence of essential ELF Segments */
 	if (!text.fileSize) return NOT_FIND_TEXT_SEGMENT;
 
 	/* Allocating Buffer for ExeFs Code */
-	bool noCodePadding = set->options.noCodePadding;
+	bool noCodePadding = set->options.noCodePadding || baremetal;
 	u32 size;
 	if (noCodePadding) {
 		size = text.fileSize + rodata.fileSize + rwdata.fileSize;
 	}
 	else {
-		size = PageToSize(text.pageNum + rodata.pageNum + rwdata.pageNum);
+		size = PageToSize(text.pageNum + rodata.pageNum + rwdata.pageNum, pageSize);
 	}
 	u8 *code = calloc(1, size);
 
 	/* Writing Code into Buffer */
 	u8 *textPos = code;
-	u8 *rodataPos = (textPos + (noCodePadding ? text.fileSize : PageToSize(text.pageNum)));
-	u8 *rwdataPos = (rodataPos + (noCodePadding ? rodata.fileSize : PageToSize(rodata.pageNum)));
+	u8 *rodataPos = (textPos + (noCodePadding ? text.fileSize : PageToSize(text.pageNum, pageSize)));
+	u8 *rwdataPos = (rodataPos + (noCodePadding ? rodata.fileSize : PageToSize(rodata.pageNum, pageSize)));
 	if (text.fileSize) memcpy(textPos, text.data, text.fileSize);
 	if (rodata.fileSize) memcpy(rodataPos, rodata.data, rodata.fileSize);
 	if (rwdata.fileSize) memcpy(rwdataPos, rwdata.data, rwdata.fileSize);
@@ -219,7 +239,7 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 	set->codeDetails.rwSize = rwdata.fileSize;
 
 	/* Calculating BSS size */
-	if (rwdata.fileSize) {
+	if (rwdata.fileSize && !baremetal) {
 		set->codeDetails.bssSize = rwdata.memSize - rwdata.fileSize;
 	}
 	else {
@@ -313,7 +333,7 @@ int BuildExeFsCode(ncch_settings *set)
 	default:
 		fprintf(stderr, "[CODE ERROR] Failed to process ELF file (%d)\n", result);
 	}
-	
+
 	elf_Free(&elf);
 	free(elfFile);
 	return result;
diff --git a/makerom/src/exheader.c b/makerom/src/exheader.c
index f84f0981..a4c264d2 100644
--- a/makerom/src/exheader.c
+++ b/makerom/src/exheader.c
@@ -78,7 +78,7 @@ int BuildExHeader(ncch_settings *ncchset)
 
 	exheader_settings *exhdrset = calloc(1,sizeof(exheader_settings));
 	if(!exhdrset) {
-		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n"); 
+		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n");
 		return MEM_ERROR;
 	}
 
@@ -114,14 +114,14 @@ int get_ExHeaderSettingsFromNcchset(exheader_settings *exhdrset, ncch_settings *
 	ncchset->sections.exhdr.size = sizeof(extended_hdr);
 	ncchset->sections.exhdr.buffer = calloc(1,ncchset->sections.exhdr.size);
 	if(!ncchset->sections.exhdr.buffer) {
-		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n"); 
+		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n");
 		return MEM_ERROR;
 	}
-	
+
 	ncchset->sections.acexDesc.size = sizeof(access_descriptor);
 	ncchset->sections.acexDesc.buffer = calloc(1,ncchset->sections.acexDesc.size);
 	if(!ncchset->sections.acexDesc.buffer) {
-		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n"); 
+		fprintf(stderr,"[EXHEADER ERROR] Not enough memory\n");
 		return MEM_ERROR;
 	}
 
@@ -161,27 +161,27 @@ int get_ExHeaderSettingsFromRsf(exheader_settings *exhdrset)
 {
 	int result = 0;
 	if(!exhdrset->useAccessDescPreset){
-		if((result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf))) 
+		if((result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf)))
 			goto finish;
-		if((result = get_ExHeaderDependencyList((u8*)exhdrset->exHdr->dependencyList, exhdrset->rsf))) 
+		if((result = get_ExHeaderDependencyList((u8*)exhdrset->exHdr->dependencyList, exhdrset->rsf)))
 			goto finish;
-		if((result = get_ExHeaderSystemInfo(&exhdrset->exHdr->systemInfo, exhdrset->rsf))) 
+		if((result = get_ExHeaderSystemInfo(&exhdrset->exHdr->systemInfo, exhdrset->rsf)))
 			goto finish;
-		if((result = get_ExHeaderARM11SystemLocalInfo(&exhdrset->exHdr->arm11SystemLocalCapabilities, exhdrset->rsf))) 
+		if((result = get_ExHeaderARM11SystemLocalInfo(&exhdrset->exHdr->arm11SystemLocalCapabilities, exhdrset->rsf)))
 			goto finish;
 		if((result = get_ExHeaderARM11KernelInfo(&exhdrset->exHdr->arm11KernelCapabilities, exhdrset->rsf)))
 			goto finish;
-		if((result = get_ExHeaderARM9AccessControlInfo(&exhdrset->exHdr->arm9AccessControlInfo, exhdrset->rsf))) 
+		if((result = get_ExHeaderARM9AccessControlInfo(&exhdrset->exHdr->arm9AccessControlInfo, exhdrset->rsf)))
 			goto finish;
 	}
 	else{
-		if((result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf))) 
+		if((result = get_ExHeaderCodeSetInfo(&exhdrset->exHdr->codeSetInfo, exhdrset->rsf)))
 			goto finish;
-		if((result = get_ExHeaderSystemInfo(&exhdrset->exHdr->systemInfo, exhdrset->rsf))) 
+		if((result = get_ExHeaderSystemInfo(&exhdrset->exHdr->systemInfo, exhdrset->rsf)))
 			goto finish;
-		if((result = get_ExHeaderARM11SystemLocalInfoLimited(&exhdrset->exHdr->arm11SystemLocalCapabilities, exhdrset->rsf))) 
+		if((result = get_ExHeaderARM11SystemLocalInfoLimited(&exhdrset->exHdr->arm11SystemLocalCapabilities, exhdrset->rsf)))
 			goto finish;
-		if((result = get_ExHeaderARM9AccessControlInfo(&exhdrset->exHdr->arm9AccessControlInfo, exhdrset->rsf))) 
+		if((result = get_ExHeaderARM9AccessControlInfo(&exhdrset->exHdr->arm9AccessControlInfo, exhdrset->rsf)))
 			goto finish;
 	}
 
@@ -196,13 +196,13 @@ int get_ExHeaderCodeSetInfo(exhdr_CodeSetInfo *CodeSetInfo, rsf_settings *rsf)
 		strncpy((char*)CodeSetInfo->name, rsf->BasicInfo.Title, 8);
 	else
 		strncpy((char*)CodeSetInfo->name, DEFAULT_EXHEADER_NAME, 8);
-	
+
 	/* Remaster Version */
 	if(rsf->SystemControlInfo.RemasterVersion)
 		u16_to_u8(CodeSetInfo->remasterVersion, strtol(rsf->SystemControlInfo.RemasterVersion,NULL,0), LE);
 	else
 		u16_to_u8(CodeSetInfo->remasterVersion, 0, LE);
-		
+
 	return 0;
 }
 
@@ -224,20 +224,20 @@ int get_ExHeaderSystemInfo(exhdr_SystemInfo *systemInfo, rsf_settings *rsf)
 	/* SaveDataSize */
 	if(rsf->SystemControlInfo.SaveDataSize){
 		u64 saveSize = 0;
-		if(GetSaveDataSizeFromString(&saveSize,rsf->SystemControlInfo.SaveDataSize,"EXHEADER")) 
+		if(GetSaveDataSizeFromString(&saveSize,rsf->SystemControlInfo.SaveDataSize,"EXHEADER"))
 			return EXHDR_BAD_RSF_OPT;
 		u64_to_u8(systemInfo->savedataSize, saveSize, LE);
 	}
 	else
 		u64_to_u8(systemInfo->savedataSize,0,LE);
-	
+
 	/* Jump Id */
 	if(rsf->SystemControlInfo.JumpId)
 		u64_to_u8(systemInfo->jumpId, strtoull(rsf->SystemControlInfo.JumpId,NULL,0), LE);
-	
+
 	else{
 		u64 jumpId = 0;
-		if(GetProgramID(&jumpId,rsf,false)) 
+		if(GetProgramID(&jumpId,rsf,false))
 			return EXHDR_BAD_RSF_OPT;
 		u64_to_u8(systemInfo->jumpId,jumpId,LE);
 	}
@@ -248,20 +248,20 @@ int get_ExHeaderARM11SystemLocalInfo(exhdr_ARM11SystemLocalCapabilities *arm11,
 {
 	/* Program Id */
 	u64 programId = 0;
-	if(GetProgramID(&programId,rsf,true)) 
+	if(GetProgramID(&programId,rsf,true))
 		return EXHDR_BAD_RSF_OPT;
 	u64_to_u8(arm11->programId,programId,LE);
-	
+
 	/* Flags */
-	if(SetARM11SystemLocalInfoFlags(arm11, rsf)) 
+	if(SetARM11SystemLocalInfoFlags(arm11, rsf))
 		return EXHDR_BAD_RSF_OPT;
 
 	/* Resource Limit Descriptors */
-	if(SetARM11ResLimitDesc(arm11, rsf)) 
+	if(SetARM11ResLimitDesc(arm11, rsf))
 		return EXHDR_BAD_RSF_OPT;
 
 	/* Storage Info */
-	if(SetARM11StorageInfo(arm11, rsf)) 
+	if(SetARM11StorageInfo(arm11, rsf))
 		return EXHDR_BAD_RSF_OPT;
 
 	/* Service Access Control */
@@ -275,7 +275,7 @@ int get_ExHeaderARM11SystemLocalInfo(exhdr_ARM11SystemLocalCapabilities *arm11,
 		else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"libapplet") == 0) arm11->resourceLimitCategory = resrc_limit_LIB_APPLET;
 		else if(strcasecmp(rsf->AccessControlInfo.ResourceLimitCategory,"other") == 0) arm11->resourceLimitCategory = resrc_limit_OTHER;
 	}
-	
+
 	/* Finish */
 	return 0;
 }
@@ -284,12 +284,12 @@ int get_ExHeaderARM11SystemLocalInfoLimited(exhdr_ARM11SystemLocalCapabilities *
 {
 	/* Program Id */
 	u64 programId = 0;
-	if(GetProgramID(&programId,rsf,true)) 
+	if(GetProgramID(&programId,rsf,true))
 		return EXHDR_BAD_RSF_OPT;
 	u64_to_u8(arm11->programId,programId,LE);
 
 	/* Storage Info */
-	if(SetARM11StorageInfo(arm11, rsf)) 
+	if(SetARM11StorageInfo(arm11, rsf))
 		return EXHDR_BAD_RSF_OPT;
 
 	/* Finish */
@@ -336,12 +336,12 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 			arm11->systemModeExt = sysmode_ext_124MB;
 		else if (strcasecmp(rsf->AccessControlInfo.SystemModeExt, "178MB") == 0)
 			arm11->systemModeExt = sysmode_ext_178MB;
-		
+
 		else {
 			fprintf(stderr, "[EXHEADER ERROR] Unexpected SystemModeExt: %s\n", rsf->AccessControlInfo.SystemModeExt);
 			return EXHDR_BAD_RSF_OPT;
 		}
-	} 
+	}
 
 	/* flag[2] */
 	if(rsf->AccessControlInfo.AffinityMask){
@@ -397,11 +397,11 @@ int SetARM11SystemLocalInfoFlags(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_
 }
 
 int GetAppType(rsf_settings *rsf)
-{	
+{
 	if(rsf->SystemControlInfo.AppType){
-		if(strcasecmp(rsf->SystemControlInfo.AppType,"application") == 0) 
+		if(strcasecmp(rsf->SystemControlInfo.AppType,"application") == 0)
 			return processtype_APPLICATION;
-		else if(strcasecmp(rsf->SystemControlInfo.AppType,"system") == 0) 
+		else if(strcasecmp(rsf->SystemControlInfo.AppType,"system") == 0)
 			return processtype_SYSTEM;
 	}
 	return processtype_APPLICATION;
@@ -418,7 +418,7 @@ int SetARM11ResLimitDesc(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings
 			}
 		}
 	}
-	
+
 	return 0;
 }
 
@@ -438,10 +438,10 @@ int SetARM11StorageInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings
 	}
 
 	/* System Savedata Id */
-	SetARM11StorageInfoSystemSaveDataId(arm11,rsf);	
+	SetARM11StorageInfoSystemSaveDataId(arm11,rsf);
 
 	/* FileSystem Access Info */
-	return SetARM11StorageInfoFsAccessInfo(arm11,rsf);		
+	return SetARM11StorageInfoFsAccessInfo(arm11,rsf);
 }
 
 int SetARM11StorageInfoFsAccessInfo(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
@@ -498,7 +498,7 @@ int SetARM11StorageInfoFsAccessInfo(exhdr_ARM11SystemLocalCapabilities *arm11, r
 		}
 	}
 	u32_to_u8(arm11->storageInfo.accessInfo,accessInfo,LE);
-	
+
 	return 0;
 }
 
@@ -506,7 +506,7 @@ void SetARM11StorageInfoSystemSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm
 {
 	if(rsf->AccessControlInfo.SystemSaveDataId1)
 		u32_to_u8(arm11->storageInfo.systemSavedataId[0], strtoul(rsf->AccessControlInfo.SystemSaveDataId1,NULL,0), LE);
-	
+
 	if(rsf->AccessControlInfo.SystemSaveDataId2)
 		u32_to_u8(arm11->storageInfo.systemSavedataId[1], strtoul(rsf->AccessControlInfo.SystemSaveDataId2,NULL,0), LE);
 }
@@ -519,12 +519,12 @@ void SetARM11StorageInfoExtSaveDataId(exhdr_ARM11SystemLocalCapabilities *arm11,
 		else
 			u32_to_u8(arm11->storageInfo.extSavedataId, GetTidUniqueId(u8_to_u64(arm11->programId,LE)), LE);
 	}
-	
+
 }
 
 void SetARM11StorageInfoOtherUserSaveData(exhdr_ARM11SystemLocalCapabilities *arm11, rsf_settings *rsf)
 {
-	u64 value = 0; 
+	u64 value = 0;
 	if(rsf->AccessControlInfo.OtherUserSaveDataId1)
 		value = 0xffffff & strtoul(rsf->AccessControlInfo.OtherUserSaveDataId1,NULL,0);
 	value = value << 20;
@@ -537,7 +537,7 @@ void SetARM11StorageInfoOtherUserSaveData(exhdr_ARM11SystemLocalCapabilities *ar
 	/* UseOtherVariationSaveData Flag */
 	if(rsf->AccessControlInfo.UseOtherVariationSaveData)
 		value |= 0x1000000000000000;
-	
+
 	u64_to_u8(arm11->storageInfo.storageAccessableUniqueIds,value,LE);
 }
 
@@ -647,13 +647,13 @@ int get_ExHeaderARM11KernelInfo(exhdr_ARM11KernelCapabilities *arm11, rsf_settin
 	totalDesc = 0;
 	for(int i = 0; i < 6; i++)
 		totalDesc += desc[i].num;
-		
+
 	if(totalDesc >= 28){
 		fprintf(stderr,"[EXHEADER ERROR] Too many Kernel Capabilities.\n");
 		result = EXHDR_BAD_RSF_OPT;
 		goto finish;
 	}
-	
+
 	descIndex = 0;
 	for(int i = 0; i < 6; i++){
 		for(int j = 0; j < desc[i].num; j++){
@@ -662,7 +662,7 @@ int get_ExHeaderARM11KernelInfo(exhdr_ARM11KernelCapabilities *arm11, rsf_settin
 		}
 	}
 
-	/* Fill Remaining Descriptors with 0xffffffff */ 
+	/* Fill Remaining Descriptors with 0xffffffff */
 	for(int i = descIndex; i < 28; i++)
 		u32_to_u8(arm11->descriptors[i],0xffffffff,LE);
 
@@ -692,9 +692,9 @@ int SetARM11KernelDescSysCallControl(ARM11KernelCapabilityDescriptor *desc, rsf_
 	// Count Active Syscall Descs
 	activeSysCallDesc = 0;
 	for(int i = 0; i < 8; i++)
-		if((tmp.data[i] & 0x00ffffff) != 0) 
+		if((tmp.data[i] & 0x00ffffff) != 0)
 			activeSysCallDesc++;
-	
+
 	// Transfer Active Syscall Descs to out Descriptor
 	AllocateARM11KernelDescMemory(desc,activeSysCallDesc);
 	sysCallDescPos = 0;
@@ -744,15 +744,15 @@ void DisableSystemCall(ARM11KernelCapabilityDescriptor *desc, int sysCall)
 }
 
 int SetARM11KernelDescInteruptNumList(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
-{	
+{
 	int ret = 0;
 	u16 activeInteruptDesc, interuptDescPos;
-	
+
 	// Create Temporary Descriptor
 	ARM11KernelCapabilityDescriptor tmp;
 	memset(&tmp,0,sizeof(ARM11KernelCapabilityDescriptor));
 
-	AllocateARM11KernelDescMemory(&tmp,8);
+	AllocateARM11KernelDescMemory(&tmp, 80/4);
 
 	// Get Interupts
 	ret = GetARM11Interupts(&tmp,rsf);
@@ -760,14 +760,14 @@ int SetARM11KernelDescInteruptNumList(ARM11KernelCapabilityDescriptor *desc, rsf
 
 	// Count Active Interupt Descs
 	activeInteruptDesc = 0;
-	for(int i = 0; i < 8; i++)
-		if(tmp.data[i]) 
+	for(int i = 0; i < 80/4; i++)
+		if(tmp.data[i])
 			activeInteruptDesc++;
-	
+
 	// Transfer Active Interupt Descs to output Descriptor
 	AllocateARM11KernelDescMemory(desc,activeInteruptDesc);
 	interuptDescPos = 0;
-	for(int i = 0; i < 8; i++){
+	for(int i = 0; i < 80/4; i++){
 		if(tmp.data[i]) {
 			SetARM11KernelDescValue(desc,interuptDescPos,(tmp.data[i] & 0x0fffffff) | desc_InteruptNumList);
 			interuptDescPos++;
@@ -784,9 +784,10 @@ int GetARM11Interupts(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	if(!rsf->AccessControlInfo.InterruptNumbers)
 		return 0;
-	
-	if(rsf->AccessControlInfo.InterruptNumbersNum > 32){
-		fprintf(stderr,"[EXHEADER ERROR] Too many Interupts. Maximum is 32\n");
+
+	if(rsf->AccessControlInfo.InterruptNumbersNum > 80){
+		// There are between 80 and 88 valid PPIs on 3DS, and a dozen of them are reserved by kernel (CDMA)
+		fprintf(stderr,"[EXHEADER ERROR] Too many Interupts. Maximum is 80\n");
 		return EXHDR_BAD_RSF_OPT;
 	}
 	for(int i = 0; i < rsf->AccessControlInfo.InterruptNumbersNum; i++){
@@ -813,7 +814,7 @@ int SetARM11KernelDescAddressMapping(ARM11KernelCapabilityDescriptor *desc, rsf_
 {
 	int ret = 0;
 	u16 memMapDescPos;
-	
+
 	// Create Temporary Descriptors
 	ARM11KernelCapabilityDescriptor io_tmp;
 	clrmem(&io_tmp,sizeof(ARM11KernelCapabilityDescriptor));
@@ -851,10 +852,10 @@ int GetARM11IOMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	if(!rsf->AccessControlInfo.IORegisterMapping)
 		return 0;
-		
+
 	AllocateARM11KernelDescMemory(desc,rsf->AccessControlInfo.IORegisterMappingNum*2);
 	u16 descUsed = 0;
-	
+
 	for(int i = 0; i < rsf->AccessControlInfo.IORegisterMappingNum; i++){
 		if(strlen(rsf->AccessControlInfo.IORegisterMapping[i])){
 			// Parse Address String
@@ -863,7 +864,7 @@ int GetARM11IOMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 			if(AddressEndStr){
 				if(strlen(AddressEndStr) > 1) // if not just '-'
 					AddressEndStr = (AddressEndStr+1); // Setting the str to the expected start of address string
-				else 
+				else
 					AddressEndStr = NULL;
 			}
 
@@ -916,7 +917,7 @@ int GetARM11StaticMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *
 			char *AddressStartStr = rsf->AccessControlInfo.MemoryMapping[i];
 			char *AddressEndStr = strstr(AddressStartStr,"-");
 			char *ROFlagStr = strstr(AddressStartStr,":");
-			bool IsRO = false; 
+			bool IsRO = false;
 			if(ROFlagStr)
 				IsRO = strcasecmp(ROFlagStr,":r") == 0 ? true : false;
 
@@ -926,7 +927,7 @@ int GetARM11StaticMappings(ARM11KernelCapabilityDescriptor *desc, rsf_settings *
 					if(AddressEndStr == ROFlagStr)
 						AddressEndStr = NULL;
 				}
-				else 
+				else
 					AddressEndStr = NULL;
 			}
 			u32 AddressStart = strtoul(AddressStartStr,NULL,16);
@@ -1000,8 +1001,8 @@ u32 GetMappingDesc(u32 address, u32 prefixVal, s32 numPrefixBits, bool IsRO)
 int SetARM11KernelDescOtherCapabilities(ARM11KernelCapabilityDescriptor *desc, rsf_settings *rsf)
 {
 	u32 otherCapabilities = 0;
-	u32 memType = 0; 
-	
+	u32 memType = 0;
+
 	if(!rsf->AccessControlInfo.DisableDebug)
 		otherCapabilities |= othcap_PERMIT_DEBUG;
 	if(rsf->AccessControlInfo.EnableForceDebug)
@@ -1060,7 +1061,7 @@ int SetARM11KernelDescHandleTableSize(ARM11KernelCapabilityDescriptor *desc, rsf
 	else{
 		ErrorParamNotFound("AccessControlInfo/HandleTableSize");
 		return EXHDR_BAD_RSF_OPT;
-	}	
+	}
 	return 0;
 }
 
@@ -1082,7 +1083,7 @@ int SetARM11KernelDescReleaseKernelVersion(ARM11KernelCapabilityDescriptor *desc
 void SetARM11KernelDescValue(ARM11KernelCapabilityDescriptor *desc, u16 index, u32 value)
 {
 	if(index >= desc->num) return;
-	desc->data[index] |= value; 
+	desc->data[index] |= value;
 }
 
 void SetARM11KernelDescBitmask(ARM11KernelCapabilityDescriptor *desc, u32 bitmask)
@@ -1135,7 +1136,7 @@ int get_ExHeaderARM9AccessControlInfo(exhdr_ARM9AccessControlInfo *arm9, rsf_set
 			return EXHDR_BAD_RSF_OPT;
 		}
 	}
-	
+
 	for(int i = 0; i < rsf->AccessControlInfo.FileSystemAccessNum; i++){
 		if(strcmp(rsf->AccessControlInfo.FileSystemAccess[i],"DirectSdmc") == 0)
 			arm9AccessControl |= arm9cap_USE_DIRECT_SDMC;
@@ -1209,7 +1210,7 @@ int GetDependencyList_frm_exhdr(u8 *Dest, extended_hdr *hdr)
 {
 	if(!Dest) return -1;
 	memcpy(Dest,hdr->dependencyList,0x30*8);
-	
+
 	return 0;
 }
 
@@ -1260,7 +1261,7 @@ int GetSaveDataSizeFromString(u64 *out, char *string, char *moduleName)
 }
 
 int GetSaveDataSize_rsf(u64 *SaveDataSize, user_settings *usrset)
-{	
+{
 
 	if(usrset->common.rsfSet.SystemControlInfo.SaveDataSize){
 		*SaveDataSize = strtoull(usrset->common.rsfSet.SystemControlInfo.SaveDataSize,NULL,10);
diff --git a/makerom/src/ncch.c b/makerom/src/ncch.c
index 8207e97a..6fcd1cf0 100644
--- a/makerom/src/ncch.c
+++ b/makerom/src/ncch.c
@@ -238,6 +238,8 @@ int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 	ncchset->options.IsBuildingCodeSection = (usrset->ncch.elfPath != NULL);
 	ncchset->options.UseRomFS = ((ncchset->rsfSet->RomFs.RootPath && strlen(ncchset->rsfSet->RomFs.RootPath) > 0) || usrset->ncch.romfsPath);
 	ncchset->options.noCodePadding = usrset->ncch.noCodePadding;
+	ncchset->options.baremetal = usrset->ncch.baremetal;
+	ncchset->options.pageSize = usrset->ncch.pageSize;
 	ncchset->options.useSecCrypto = usrset->ncch.useSecCrypto;
 	ncchset->options.keyXID = usrset->ncch.keyXID;
 	
@@ -878,7 +880,6 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 		if(!acexDesc){ 
 			fprintf(stderr,"[NCCH ERROR] Not enough memory\n"); 
 			free(ncchInfo);
-			free(exHdr);
 			return MEM_ERROR; 
 		}
 		memcpy(acexDesc,ncch+ncchInfo->acexOffset,ncchInfo->acexSize);
@@ -1198,4 +1199,4 @@ void CryptNcchRegion(u8 *buffer, u64 size, u64 src_pos, u64 titleId, u8 key[16],
 	GetNcchAesCounter(ctr,titleId,type);	
 	AesCtrCrypt(key,ctr,buffer,buffer,size,src_pos);
 	return;
-}
\ No newline at end of file
+}
diff --git a/makerom/src/ncch_build.h b/makerom/src/ncch_build.h
index 7aa90957..a8f8a8a0 100644
--- a/makerom/src/ncch_build.h
+++ b/makerom/src/ncch_build.h
@@ -10,6 +10,7 @@ typedef struct
 	struct
 	{
 		u32 blockSize;
+		u32 pageSize;
 		bool verbose;
 		bool IncludeExeFsLogo;
 		bool CompressCode;
@@ -20,7 +21,8 @@ typedef struct
 		bool IsBuildingCodeSection;
 		bool UseRomFS;
 		bool noCodePadding;
-		
+		bool baremetal;
+
 		bool useSecCrypto;
 		u8 keyXID;
 	} options;
@@ -87,4 +89,4 @@ typedef struct
 } ncch_settings;
 
 // NCCH Build Functions
-int build_NCCH(user_settings *usrset);
\ No newline at end of file
+int build_NCCH(user_settings *usrset);
diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index 11922702..c3f94254 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -95,6 +95,7 @@ void SetDefaults(user_settings *set)
 	set->common.outFormat = NCCH;
 	set->ncch.ncchType = format_not_set;
 	set->ncch.noCodePadding = false;
+	set->ncch.pageSize = 0x1000;
 
 	// RSF Settings
 	clrmem(&set->common.rsfSet, sizeof(rsf_settings));
@@ -363,6 +364,22 @@ int SetArgument(int argc, int i, char *argv[], user_settings *set)
 		set->ncch.noCodePadding = true;
 		return 1;
 	}
+	else if (strcmp(argv[i], "-baremetal") == 0) {
+		if (ParamNum) {
+			PrintNoNeedParam(argv[i]);
+			return USR_BAD_ARG;
+		}
+		set->ncch.baremetal = true;
+		return 1;
+	} else if (strcmp(argv[i], "-pagesize") == 0) {
+		if (ParamNum != 1) {
+			PrintArgReqParam(argv[i], 1);
+			return USR_BAD_ARG;
+		}
+		u32 pgsz = strtoul(argv[i + 1], NULL, 0);
+		set->ncch.pageSize = pgsz;
+		return 2;
+	}
 
 	// Ncch Rebuild Options
 	else if (strcmp(argv[i], "-code") == 0) {
@@ -1006,4 +1023,4 @@ void DisplayExtendedHelp(char *app_name)
 	printf(" -ccitocia      <cci file>          Convert CCI to CIA\n");
 	printf(" -ciatocci      <cia file>          Convert CIA to CCI\n");
 	printf(" -inclupd                           Include \"Update NCCH\" in CCI to CIA conversion\n");
-}
\ No newline at end of file
+}
diff --git a/makerom/src/user_settings.h b/makerom/src/user_settings.h
index e09ec504..7f8d6d2f 100644
--- a/makerom/src/user_settings.h
+++ b/makerom/src/user_settings.h
@@ -268,7 +268,8 @@ typedef struct
 		char *plainRegionPath; // prebuilt Plain Region
 		char *romfsPath; // Prebuild _cleartext_ romfs binary
 		bool noCodePadding; // do not pad code.bin for sysmodule
-		
+		bool baremetal; // abuse K9/LGY K11's lack of memory management to support arbitrary VMA and RWX phdr
+		u32 pageSize; // Memory page size (256 for Kernel9, 4096 for anything else)
 		bool useSecCrypto;
 		u8 keyXID;
 	} ncch; // Ncch0 Build
@@ -305,4 +306,4 @@ typedef struct
 
 void init_UserSettings(user_settings *set);
 void free_UserSettings(user_settings *set);
-int ParseArgs(int argc, char *argv[], user_settings *usr_settings);
\ No newline at end of file
+int ParseArgs(int argc, char *argv[], user_settings *usr_settings);

From b7b621985d70b9fd2edf420c2a3024f5ef42f66f Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sat, 20 Jul 2024 12:19:10 +0800
Subject: [PATCH 304/317] Add usage help for -baremetal & -pagesize

---
 makerom/src/user_settings.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index c3f94254..07d906d8 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -1,5 +1,8 @@
 #include "lib.h"
 
+// Private Constants
+static const u32 DEFAULT_STACK_SIZE = 0x1000;
+
 // Private Prototypes
 void DisplayHelp(char *app_name);
 void DisplayExtendedHelp(char *app_name);
@@ -95,7 +98,8 @@ void SetDefaults(user_settings *set)
 	set->common.outFormat = NCCH;
 	set->ncch.ncchType = format_not_set;
 	set->ncch.noCodePadding = false;
-	set->ncch.pageSize = 0x1000;
+	set->ncch.baremetal = false;
+	set->ncch.pageSize = DEFAULT_STACK_SIZE;
 
 	// RSF Settings
 	clrmem(&set->common.rsfSet, sizeof(rsf_settings));
@@ -995,6 +999,8 @@ void DisplayExtendedHelp(char *app_name)
 	printf(" -desc          <apptype>:<fw>      Specify Access Descriptor template\n");
 	printf(" -exefslogo                         Include Logo in ExeFS (Required for usage on <5.0 systems)\n");
 	printf(" -nocodepadding                     For building sysmodules, do not pad .code segments\n");
+	printf(" -baremetal                         For building Kernel9/11, all segments are all RWX and not padded\n");
+	printf(" -pagesize      <size>              Override page size (default is 0x1000)\n");
 	printf("NCCH REBUILD OPTIONS:\n");
 	printf(" -code          <file>              Decompressed ExeFS \".code\"\n");
 	printf(" -exheader      <file>              Exheader template\n");

From 6337c49a15cc7fcee9a3c9e44758dbce2393b26e Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sat, 20 Jul 2024 12:19:51 +0800
Subject: [PATCH 305/317] Define constants in baremetal processing of elf file

---
 makerom/src/code.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/makerom/src/code.c b/makerom/src/code.c
index fd11df4b..de54b30c 100644
--- a/makerom/src/code.c
+++ b/makerom/src/code.c
@@ -8,6 +8,10 @@
 
 static const u32 DEFAULT_STACK_SIZE = 0x4000; // 10KB
 
+static const u32 BARE_METAL_TEXT_SEGEMENT_ID = 0;
+static const u32 BARE_METAL_RO_SEGEMENT_ID = 1;
+static const u32 BARE_METAL_RW_SEGEMENT_ID = 2;
+
 typedef struct code_segment
 {
 	u32 address;
@@ -122,7 +126,7 @@ int ImportPlainRegionFromElf(elf_context *elf, ncch_settings *set)
 	return 0;
 }
 
-void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags, u32 pageSize, bool baremetal, u32 baremetalOrder)
+void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_flags, u32 page_size, bool baremetal, u32 baremetal_segment_id)
 {
 	u32 segmentNum = elf_SegmentNum(elf);
 	const elf_segment *segments = elf_GetSegments(elf);
@@ -145,8 +149,8 @@ void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_f
 			but that's a lot more work compared to this dirty workaround.
 
 			First segment defines entrypoint and LMA for the rest of the image.*/
-		if (baremetalOrder < segmentNum && (segments[baremetalOrder].flags & segment_flags) == segment_flags && segments[baremetalOrder].type == PT_LOAD)
-			foundSegmentId = baremetalOrder;
+		if (baremetal_segment_id < segmentNum && (segments[baremetal_segment_id].flags & segment_flags) == segment_flags && segments[baremetal_segment_id].type == PT_LOAD)
+			foundSegmentId = baremetal_segment_id;
 	} else {
 		/* Find segment */
 		for (u16 i = 0; i < segmentNum; i++) {
@@ -168,7 +172,7 @@ void CreateCodeSegmentFromElf(code_segment *out, elf_context *elf, u64 segment_f
 		out->address = segments[foundSegmentId].vAddr;
 		out->memSize = segments[foundSegmentId].memSize;
 		out->fileSize = segments[foundSegmentId].fileSize;
-		out->pageNum = SizeToPage(out->fileSize, pageSize);
+		out->pageNum = SizeToPage(out->fileSize, page_size);
 		out->data = segments[foundSegmentId].ptr;
 	}
 }
@@ -182,9 +186,9 @@ int CreateExeFsCode(elf_context *elf, ncch_settings *set)
 
 	bool baremetal = set->options.baremetal;
 	u32 pageSize = set->options.pageSize;
-	CreateCodeSegmentFromElf(&text, elf, PF_TEXT, pageSize, baremetal, 0);
-	CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA, pageSize, baremetal, 1);
-	CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA, pageSize, baremetal, 2);
+	CreateCodeSegmentFromElf(&text, elf, PF_TEXT, pageSize, baremetal, BARE_METAL_TEXT_SEGEMENT_ID);
+	CreateCodeSegmentFromElf(&rodata, elf, PF_RODATA, pageSize, baremetal, BARE_METAL_RO_SEGEMENT_ID);
+	CreateCodeSegmentFromElf(&rwdata, elf, PF_DATA, pageSize, baremetal, BARE_METAL_RW_SEGEMENT_ID);
 
 	/* Checking the existence of essential ELF Segments */
 	if (!text.fileSize) return NOT_FIND_TEXT_SEGMENT;

From f5f2d9c685a8ff78100fe8428ba4aa793e58ed22 Mon Sep 17 00:00:00 2001
From: Rairii <2650838+Wack0@users.noreply.github.com>
Date: Sat, 28 Dec 2024 15:43:33 +0000
Subject: [PATCH 306/317] [ctrtool] support more prototype CXIs (#154)

SDK 0.10-era CXIs specify the full exheader size of 0x800 in the NCCH header, so allow that.
---
 ctrtool/src/NcchProcess.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ctrtool/src/NcchProcess.cpp b/ctrtool/src/NcchProcess.cpp
index e5f1dbc6..95b9b696 100644
--- a/ctrtool/src/NcchProcess.cpp
+++ b/ctrtool/src/NcchProcess.cpp
@@ -143,8 +143,13 @@ void ctrtool::NcchProcess::importHeader()
 
 	}
 
-
-	if (mHeader.header.exhdr_size.unwrap() != 0 && mHeader.header.exhdr_size.unwrap() != sizeof(ntd::n3ds::ExtendedHeader))
+	// SDK 0.9.x (and before?) CXIs have the exheader size set to zero, even with an exheader present.
+	// SDK 0.10 CXIs use the full exheader size of 0x800 in the NCCH header.
+	// Either SDK 0.10.1 or 0.10.2 start to allow exheader size of 0x400, although 0x800 is still accepted.
+	// The NCCH format version remained v1 until SDK 0.11 or later.
+	// Therefore, for NCCH format version v1 (prototype) only, a size of 0x800 must also be accepted, alongside zero and 0x400.
+	bool is_proto_exhdr_size = mHeader.header.format_version.unwrap() == ntd::n3ds::NcchCommonHeader::FormatVersion_CXI_PROTOTYPE && mHeader.header.exhdr_size.unwrap() == (sizeof(ntd::n3ds::ExtendedHeader) + sizeof(ntd::n3ds::AccessDescriptor));
+	if (mHeader.header.exhdr_size.unwrap() != 0 && mHeader.header.exhdr_size.unwrap() != sizeof(ntd::n3ds::ExtendedHeader) && !is_proto_exhdr_size)
 	{
 		throw tc::InvalidOperationException(mModuleLabel, fmt::format("NcchHeader has invalid ExHeader size. (0x{:02x})", mHeader.header.exhdr_size.unwrap()));
 	}

From 35aa9ffe2d863c178d07ee885cb4497933695501 Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sat, 28 Dec 2024 23:47:45 +0800
Subject: [PATCH 307/317] Bump GH Workflows

---
 .github/workflows/Build_CTRTool.yml | 10 +++++-----
 .github/workflows/Build_MakeROM.yml |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/Build_CTRTool.yml b/.github/workflows/Build_CTRTool.yml
index 2a509a98..cafc108c 100644
--- a/.github/workflows/Build_CTRTool.yml
+++ b/.github/workflows/Build_CTRTool.yml
@@ -27,13 +27,13 @@ jobs:
            os: macos-latest
            arch: arm64
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Compile ${{ matrix.prog }}
         working-directory: ${{ matrix.prog }}
         run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.prog }}-${{ matrix.dist }}
           path: ./${{ matrix.prog }}/bin/${{ matrix.prog }}
@@ -57,14 +57,14 @@ jobs:
            configuration: Release
            build_path: Release
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Add msbuild to PATH
-      uses: microsoft/setup-msbuild@v1.1
+      uses: microsoft/setup-msbuild@v1.3
     - name: Compile ${{ matrix.prog }}
       run: msbuild .\${{ matrix.prog }}\build\visualstudio\${{ matrix.prog }}.sln /p:configuration=${{ matrix.configuration }} /p:platform=${{ matrix.platform }} 
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@v4
       with:
         name: ${{ matrix.prog }}-${{ matrix.dist }}
         path: .\${{ matrix.prog }}\build\visualstudio\${{ matrix.build_path }}\${{ matrix.prog }}.exe
diff --git a/.github/workflows/Build_MakeROM.yml b/.github/workflows/Build_MakeROM.yml
index 35ac2c2d..ceab0598 100644
--- a/.github/workflows/Build_MakeROM.yml
+++ b/.github/workflows/Build_MakeROM.yml
@@ -32,13 +32,13 @@ jobs:
             arch: x86_64
             binExt: .exe
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Compile ${{ matrix.prog }}
         working-directory: ${{ matrix.prog }}
         run: make PROJECT_PLATFORM_ARCH=${{ matrix.arch }} deps all
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.prog }}-${{ matrix.dist }}
           path: ./${{ matrix.prog }}/bin/${{ matrix.prog }}${{ matrix.binExt }}

From 06ac1b8096b2ef3baf2f9b230359bcd461bfc17d Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sat, 28 Dec 2024 23:51:22 +0800
Subject: [PATCH 308/317] Bump CTRTool version to v1.2.1 for release

---
 ctrtool/src/version.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index 54ae9f5b..c8a17a55 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -3,5 +3,5 @@
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
 #define VER_MINOR	2
-#define VER_PATCH	0
+#define VER_PATCH	1
 #define AUTHORS		"jakcron"

From 745fc4f1f1665835a53a8519dd1474b445922d9d Mon Sep 17 00:00:00 2001
From: R-YaTian <47445484+R-YaTian@users.noreply.github.com>
Date: Sun, 29 Dec 2024 12:56:58 +0800
Subject: [PATCH 309/317] makerom: Fix too much file handle cause memory leak
 (#153)

---
 makerom/src/cia.c  | 21 ++++++++++-----------
 makerom/src/ncch.c | 13 ++++++++-----
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/makerom/src/cia.c b/makerom/src/cia.c
index dcfb62f0..1576c27a 100644
--- a/makerom/src/cia.c
+++ b/makerom/src/cia.c
@@ -25,7 +25,7 @@ int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset);
 int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key);
 int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key);
 int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset);
-int ImportNcchContent(cia_settings *ciaset);
+int ImportNcchContent(cia_settings *ciaset, user_settings *usrset);
 int GetSettingsFromSrl(cia_settings *ciaset);
 int GetSettingsFromCci(cia_settings *ciaset);
 
@@ -143,7 +143,7 @@ int GetCiaSettings(cia_settings *ciaset, user_settings *usrset)
 			return result;
 		if((result = GetContentFilePtrs(ciaset,usrset)) != 0) 
 			return result;
-		if((result = ImportNcchContent(ciaset)) != 0) 
+		if((result = ImportNcchContent(ciaset,usrset)) != 0) 
 			return result;
 	}
 
@@ -418,7 +418,7 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 			}
 			ciaset->content.fileSize[j] = GetFileSize64(usrset->common.contentPath[i]);
 			ciaset->content.filePtrs[j] = fopen(usrset->common.contentPath[i],"rb");
-			
+
 			if(usrset->cia.contentId[i] > MAX_U32)
 				ciaset->content.id[j] = u32GetRand(); 
 			else 
@@ -428,7 +428,7 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 
 			// Get Data from ncch HDR
 			ReadNcchHdr(hdr,ciaset->content.filePtrs[j]);
-			
+
 			// Get Size
 			u64 calcSize = GetNcchSize(hdr);
 			if(calcSize != ciaset->content.fileSize[j]){
@@ -438,10 +438,10 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 
 			ciaset->content.size[j] = align(calcSize,CIA_CONTENT_ALIGN);
 			ciaset->content.offset[j] = ciaset->content.totalSize;
-			
+
 			ciaset->content.totalSize += ciaset->content.size[j];
-			
 
+			fclose(ciaset->content.filePtrs[j]);
 			// Finish get next content
 			j++;
 		}
@@ -461,7 +461,7 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 	return 0;
 }
 
-int ImportNcchContent(cia_settings *ciaset)
+int ImportNcchContent(cia_settings *ciaset, user_settings *usrset)
 {
 	ciaset->ciaSections.content.buffer = realloc(ciaset->ciaSections.content.buffer,ciaset->content.totalSize);
 	if(!ciaset->ciaSections.content.buffer){
@@ -473,17 +473,16 @@ int ImportNcchContent(cia_settings *ciaset)
 	for(int i = 1; i < ciaset->content.count; i++){
 		// Import
 		u8 *ncchpos = (u8*)(ciaset->ciaSections.content.buffer+ciaset->content.offset[i]);
-
+		ciaset->content.filePtrs[i] = fopen(usrset->common.contentPath[i], "rb");
 		ReadFile64(ncchpos, ciaset->content.fileSize[i], 0, ciaset->content.filePtrs[i]);
 		if(ModifyNcchIds(ncchpos, NULL, ncch0hdr->programId, ciaset->keys) != 0)
 			return -1;
-		
+
 		// Set Additional Flags
 		if(ciaset->content.IsDlc)
 			ciaset->content.flags[i] |= content_Optional;
 
-		//if(unknown condition)
-		//	ciaset->content.flags[i] |= content_Shared;
+		fclose(ciaset->content.filePtrs[i]);
 	}
 
 	ciaset->ciaSections.content.size = ciaset->content.totalSize;
diff --git a/makerom/src/ncch.c b/makerom/src/ncch.c
index 6fcd1cf0..a5bdcd68 100644
--- a/makerom/src/ncch.c
+++ b/makerom/src/ncch.c
@@ -973,10 +973,13 @@ int VerifyNcch(u8 *ncch, keys_struct *keys, bool CheckHash, bool SuppressOutput)
 int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 {
 	if(!IsNcch(NULL,ncch))
+	{
+		fprintf(stderr, "[NCCH ERROR] Content not a valid ncch\n");
 		return -1;
-		
+	}
+
 	ncch_hdr *hdr = (ncch_hdr*)ncch;
-	
+
 	bool titleIdMatches = titleId == NULL? true : memcmp(titleId,hdr->titleId,8) == 0;
 	bool programIdMatches = programId == NULL? true : memcmp(programId,hdr->programId,8) == 0;
 
@@ -990,7 +993,7 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 
 	ncch_info ncchInfo;
 	u8 *romfs = NULL;
-	
+
 	//Decrypting if necessary
 	if(IsNcchEncrypted(hdr)){
 		GetNcchInfo(&ncchInfo,hdr);
@@ -1001,14 +1004,14 @@ int ModifyNcchIds(u8 *ncch, u8 *titleId, u8 *programId, keys_struct *keys)
 		}
 		CryptNcchRegion(romfs,ncchInfo.romfsSize,0,ncchInfo.titleId,keys->aes.ncchKey1,ncch_romfs);
 	}
-	
+
 	// Editing data and resigning
 	if(titleId)
 		memcpy(hdr->titleId,titleId,8);
 	if(programId)
 		memcpy(hdr->programId,programId,8);
 	SignCFA(hdr,keys);
-	
+
 	// Re-encrypting if necessary
 	if(IsNcchEncrypted(hdr)){
 		GetNcchInfo(&ncchInfo,hdr);

From 1ea3c5b04cc414046ad2e5b80eef2de255c9b5ee Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 29 Dec 2024 13:13:59 +0800
Subject: [PATCH 310/317] Further tweaks to CIA generation for #153

---
 makerom/src/cia.c       | 62 ++++++++++++++++++++++++-----------------
 makerom/src/cia_build.h |  1 -
 2 files changed, 36 insertions(+), 27 deletions(-)

diff --git a/makerom/src/cia.c b/makerom/src/cia.c
index 1576c27a..95eb2c4f 100644
--- a/makerom/src/cia.c
+++ b/makerom/src/cia.c
@@ -24,7 +24,7 @@ int GetSettingsFromUsrset(cia_settings *ciaset, user_settings *usrset);
 int GetSettingsFromNcch0(cia_settings *ciaset, u32 ncch0_offset);
 int GetTmdDataFromNcch(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key);
 int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *ncch_ctx, u8 *key);
-int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset);
+int ProcessContentFiles(cia_settings *ciaset, user_settings *usrset);
 int ImportNcchContent(cia_settings *ciaset, user_settings *usrset);
 int GetSettingsFromSrl(cia_settings *ciaset);
 int GetSettingsFromCci(cia_settings *ciaset);
@@ -114,12 +114,6 @@ int build_CIA(user_settings *usrset)
 
 void FreeCiaSettings(cia_settings *set)
 {
-	if(set->content.filePtrs){
-		for(u32 i = 1; i < set->content.count; i++){
-			fclose(set->content.filePtrs[i]);
-		}
-		free(set->content.filePtrs);
-	}
 	free(set->ciaSections.certChain.buffer);
 	free(set->ciaSections.tik.buffer);
 	free(set->ciaSections.tmd.buffer);
@@ -141,7 +135,7 @@ int GetCiaSettings(cia_settings *ciaset, user_settings *usrset)
 	if(usrset->common.workingFileType == infile_ncch){
 		if((result = GetSettingsFromNcch0(ciaset,0)) != 0) 
 			return result;
-		if((result = GetContentFilePtrs(ciaset,usrset)) != 0) 
+		if((result = ProcessContentFiles(ciaset,usrset)) != 0) 
 			return result;
 		if((result = ImportNcchContent(ciaset,usrset)) != 0) 
 			return result;
@@ -400,14 +394,11 @@ int GetMetaRegion(cia_settings *ciaset, u8 *ncch, ncch_info *info, u8 *key)
 	return 0;
 }
 
-int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
+int ProcessContentFiles(cia_settings *ciaset, user_settings *usrset)
 {
-	ciaset->content.filePtrs = malloc(sizeof(FILE*)*CIA_MAX_CONTENT);
-	if(!ciaset->content.filePtrs){
-		fprintf(stderr,"[CIA ERROR] Not enough memory\n"); 
-		return MEM_ERROR; 
-	}
-	memset(ciaset->content.filePtrs,0,sizeof(FILE*)*CIA_MAX_CONTENT);
+	FILE* tmpFilePtr = NULL;
+
+	// process content files 
 	int j = 1;
 	ncch_hdr *hdr = malloc(sizeof(ncch_hdr));
 	for(int i = 1; i < CIA_MAX_CONTENT; i++){
@@ -416,32 +407,43 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 				fprintf(stderr,"[CIA ERROR] Failed to open \"%s\"\n",usrset->common.contentPath[i]); 
 				return FAILED_TO_OPEN_FILE; 
 			}
-			ciaset->content.fileSize[j] = GetFileSize64(usrset->common.contentPath[i]);
-			ciaset->content.filePtrs[j] = fopen(usrset->common.contentPath[i],"rb");
 
+			// get content file size
+			ciaset->content.fileSize[j] = GetFileSize64(usrset->common.contentPath[i]);
+			
+			// get content id
 			if(usrset->cia.contentId[i] > MAX_U32)
 				ciaset->content.id[j] = u32GetRand(); 
 			else 
 				ciaset->content.id[j] = (u32)usrset->cia.contentId[i];
 
+			// get content index
 			ciaset->content.index[j] = (u16)i;
 
-			// Get Data from ncch HDR
-			ReadNcchHdr(hdr,ciaset->content.filePtrs[j]);
+			// Get Data from NCCH HDR
+			tmpFilePtr = fopen(usrset->common.contentPath[i],"rb");
+			if(!tmpFilePtr){
+				fprintf(stderr,"[CIA ERROR] Failed to open \"%s\"\n",usrset->common.contentPath[i]); 
+				return FAILED_TO_OPEN_FILE; 
+			}
+			ReadNcchHdr(hdr,tmpFilePtr);
+			fclose(tmpFilePtr);
+			tmpFilePtr = NULL;
 
-			// Get Size
+			// Get Size from NCCH HDR
 			u64 calcSize = GetNcchSize(hdr);
 			if(calcSize != ciaset->content.fileSize[j]){
 				fprintf(stderr,"[CIA ERROR] \"%s\" is corrupt\n",usrset->common.contentPath[i]); 
 				return FAILED_TO_OPEN_FILE; 
 			}
 
+			// calculate content size & offset in CIA
 			ciaset->content.size[j] = align(calcSize,CIA_CONTENT_ALIGN);
 			ciaset->content.offset[j] = ciaset->content.totalSize;
 
+			// update CIA total content size
 			ciaset->content.totalSize += ciaset->content.size[j];
-
-			fclose(ciaset->content.filePtrs[j]);
+			
 			// Finish get next content
 			j++;
 		}
@@ -463,6 +465,8 @@ int GetContentFilePtrs(cia_settings *ciaset, user_settings *usrset)
 
 int ImportNcchContent(cia_settings *ciaset, user_settings *usrset)
 {
+	FILE* tmpFilePtr = NULL;
+	
 	ciaset->ciaSections.content.buffer = realloc(ciaset->ciaSections.content.buffer,ciaset->content.totalSize);
 	if(!ciaset->ciaSections.content.buffer){
 		fprintf(stderr,"[CIA ERROR] Not enough memory\n");
@@ -471,10 +475,15 @@ int ImportNcchContent(cia_settings *ciaset, user_settings *usrset)
 
 	ncch_hdr *ncch0hdr = (ncch_hdr*)ciaset->ciaSections.content.buffer;
 	for(int i = 1; i < ciaset->content.count; i++){
-		// Import
+		// Import NCCH into memory
 		u8 *ncchpos = (u8*)(ciaset->ciaSections.content.buffer+ciaset->content.offset[i]);
-		ciaset->content.filePtrs[i] = fopen(usrset->common.contentPath[i], "rb");
-		ReadFile64(ncchpos, ciaset->content.fileSize[i], 0, ciaset->content.filePtrs[i]);
+		
+		// open/read/close file
+		tmpFilePtr = fopen(usrset->common.contentPath[i], "rb");
+		ReadFile64(ncchpos, ciaset->content.fileSize[i], 0, tmpFilePtr);
+		fclose(tmpFilePtr);
+		
+		// Edit NCCH ID if required
 		if(ModifyNcchIds(ncchpos, NULL, ncch0hdr->programId, ciaset->keys) != 0)
 			return -1;
 
@@ -482,7 +491,8 @@ int ImportNcchContent(cia_settings *ciaset, user_settings *usrset)
 		if(ciaset->content.IsDlc)
 			ciaset->content.flags[i] |= content_Optional;
 
-		fclose(ciaset->content.filePtrs[i]);
+		//if(unknown condition)
+		//	ciaset->content.flags[i] |= content_Shared;
 	}
 
 	ciaset->ciaSections.content.size = ciaset->content.totalSize;
diff --git a/makerom/src/cia_build.h b/makerom/src/cia_build.h
index f25f1562..617c10d7 100644
--- a/makerom/src/cia_build.h
+++ b/makerom/src/cia_build.h
@@ -68,7 +68,6 @@ typedef struct
 
 		bool keyFound;
 
-		FILE **filePtrs;
 		u64 fileSize[CIA_MAX_CONTENT];
 
 		/* Misc Records */

From 02f2411d1ad5cf65d02302bbe81d89378026eeb2 Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 29 Dec 2024 13:14:52 +0800
Subject: [PATCH 311/317] Bump makerom version to 0.18.5

---
 makerom/src/user_settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index 07d906d8..d4294317 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -931,7 +931,7 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.18.4 (C) 3DSGuy 2023\n");
+	printf("CTR MAKEROM v0.18.5 (C) 3DSGuy 2024\n");
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 

From 4339ba014c65ea2b34d173d7504f2a0aed2f76e7 Mon Sep 17 00:00:00 2001
From: ZeroSkill <timmskiller102@outlook.com>
Date: Sun, 24 Aug 2025 07:27:58 +0300
Subject: [PATCH 312/317] Fix inability to parse TMDs with >1024 contents
 (#161)

---
 .../libnintendo-n3ds/src/es/TitleMetaData.cpp | 28 +++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
index ca1894f2..ed101050 100644
--- a/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/TitleMetaData.cpp
@@ -49,8 +49,18 @@ ntd::n3ds::es::TitleMetaDataDeserialiser::TitleMetaDataDeserialiser(const std::s
 	*/
 
 	// determine if the TMD is the correct size given expected number of ESV1ContentMeta entries
-	size_t cmd_table_num = tmd->v1Head.cmdGroups[0].nCmds.unwrap();
-	size_t tmd_full_size = sizeof(brd::es::ESV1TitleMeta) + (cmd_table_num * sizeof(brd::es::ESV1ContentMeta));
+	size_t total_contents_num = 0;
+	size_t num_cmd_groups = 0;
+	for (const auto &cmd_group : tmd->v1Head.cmdGroups)
+	{
+		if (cmd_group.nCmds.unwrap())
+		{
+			++num_cmd_groups;
+			total_contents_num += cmd_group.nCmds.unwrap();
+		}
+	}
+
+	size_t tmd_full_size = sizeof(brd::es::ESV1TitleMeta) + (total_contents_num * sizeof(brd::es::ESV1ContentMeta));
 
 	if (tmd_stream->length() < (tmd_full_size))
 	{
@@ -81,10 +91,12 @@ ntd::n3ds::es::TitleMetaDataDeserialiser::TitleMetaDataDeserialiser(const std::s
 	}
 
 	// verify ESV1ContentMeta array
-	tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->contents, cmd_table_num * sizeof(brd::es::ESV1ContentMeta));
-	if (memcmp(hash.data(), tmd->v1Head.cmdGroups[0].groupHash.data(), hash.size()) != 0)
-	{
-		throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had invalid CMD group[0] hash.");
+	for (size_t i = 0; i < num_cmd_groups; i++) {
+		tc::crypto::GenerateSha256Hash(hash.data(), (byte_t*)&tmd->contents[tmd->v1Head.cmdGroups[i].offset], tmd->v1Head.cmdGroups[i].nCmds.unwrap() * sizeof(brd::es::ESV1ContentMeta));
+		if (memcmp(hash.data(), tmd->v1Head.cmdGroups[i].groupHash.data(), hash.size()) != 0)
+		{
+			throw tc::ArgumentOutOfRangeException(mModuleLabel, "TMD had invalid CMD group hash.");
+		}
 	}
 
 	// verify other fields
@@ -129,8 +141,8 @@ ntd::n3ds::es::TitleMetaDataDeserialiser::TitleMetaDataDeserialiser(const std::s
 	this->ctr_custom_data.save_data_size = custom_data->ctr.save_data_size;
 	this->ctr_custom_data.is_snake_only = custom_data->ctr.flag.test(0);
 
-	// process ESV1ContentMeta entries 
-	for (size_t i = 0; i < cmd_table_num; i++)
+	// process ESV1ContentMeta entries
+	for (size_t i = 0; i < total_contents_num; i++)
 	{
 		this->content_info.push_back(ContentInfo(
 			tmd->contents[i].cid.unwrap(),

From f55e0fbc00f12ffb77f7af869f93472bed320ac6 Mon Sep 17 00:00:00 2001
From: Jack <jack@azulon.net>
Date: Sun, 24 Aug 2025 12:52:53 +0800
Subject: [PATCH 313/317] [ctrtool] When processing tickets, skip over
 out-of-range content index values.

---
 ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp b/ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp
index dc590ebe..4f540f58 100644
--- a/ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp
+++ b/ctrtool/deps/libnintendo-n3ds/src/es/Ticket.cpp
@@ -157,6 +157,7 @@ ntd::n3ds::es::TicketDeserialiser::TicketDeserialiser(const std::shared_ptr<tc::
 	}
 
 	// process content index
+	const uint32_t kMax3DSTicketContentIndexOffset = (uint32_t)0xFFFF & ~(uint32_t)0x3FF;
 	for (size_t i = 0; i < tik->v1Head.nSectHdrs.unwrap(); i++)
 	{
 		if (tik->sectHdrs[i].sectionType.unwrap() == (uint32_t)brd::es::ESItemType::CONTENT)
@@ -168,6 +169,13 @@ ntd::n3ds::es::TicketDeserialiser::TicketDeserialiser(const std::shared_ptr<tc::
 			brd::es::ESV1ContentRecord* content_records = (brd::es::ESV1ContentRecord*)(tik_data.data() + sizeof(brd::es::ESTicket) + tik->sectHdrs[i].sectOfst.unwrap());
 			for (size_t j = 0; j < tik->sectHdrs[i].nRecords.unwrap(); j++)
 			{
+				// maximum supported value for 3DS (since content indexes cannot exceed 0xFFFF)
+				if (content_records[j].offset.unwrap() > kMax3DSTicketContentIndexOffset)
+				{
+					fmt::print(stderr, "[{} LOG] Skipping ESV1ContentRecord[{:d}] because offset 0x{:x} was not in legal range (0x{:x} - 0x{:x})\n", mModuleLabel, j, content_records[j].offset.unwrap(), 0x0, kMax3DSTicketContentIndexOffset);
+					continue;
+				}
+
 				tc::bn::bitarray<0x80>* access_mask = (tc::bn::bitarray<0x80>*)content_records[j].accessMask.data();
 				for (size_t bit = 0; bit < access_mask->bit_size(); bit++)
 				{

From 66c90cfebd5e25080475e9a786273d6693cb7708 Mon Sep 17 00:00:00 2001
From: ZeroSkill <timmskiller102@outlook.com>
Date: Sun, 18 Jan 2026 07:45:28 +0300
Subject: [PATCH 314/317] Add support for New3DS bit in Title ID (#162)

---
 makerom/src/ncch.c          | 1 +
 makerom/src/ncch_build.h    | 1 +
 makerom/src/rsf_settings.c  | 1 +
 makerom/src/titleid.c       | 3 +++
 makerom/src/user_settings.c | 1 +
 makerom/src/user_settings.h | 2 ++
 6 files changed, 9 insertions(+)

diff --git a/makerom/src/ncch.c b/makerom/src/ncch.c
index a5bdcd68..6633dd30 100644
--- a/makerom/src/ncch.c
+++ b/makerom/src/ncch.c
@@ -234,6 +234,7 @@ int GetBasicOptions(ncch_settings *ncchset, user_settings *usrset)
 	ncchset->options.UseOnSD = ncchset->rsfSet->Option.UseOnSD;
 	ncchset->options.Encrypt = ncchset->rsfSet->Option.EnableCrypt;
 	ncchset->options.FreeProductCode = ncchset->rsfSet->Option.FreeProductCode;
+	ncchset->options.KtrProgramId = ncchset->rsfSet->Option.UseKtrProgramId;
 	ncchset->options.IsCfa = (usrset->ncch.ncchType == CFA);
 	ncchset->options.IsBuildingCodeSection = (usrset->ncch.elfPath != NULL);
 	ncchset->options.UseRomFS = ((ncchset->rsfSet->RomFs.RootPath && strlen(ncchset->rsfSet->RomFs.RootPath) > 0) || usrset->ncch.romfsPath);
diff --git a/makerom/src/ncch_build.h b/makerom/src/ncch_build.h
index a8f8a8a0..12e1bbc7 100644
--- a/makerom/src/ncch_build.h
+++ b/makerom/src/ncch_build.h
@@ -22,6 +22,7 @@ typedef struct
 		bool UseRomFS;
 		bool noCodePadding;
 		bool baremetal;
+		bool KtrProgramId;
 
 		bool useSecCrypto;
 		u8 keyXID;
diff --git a/makerom/src/rsf_settings.c b/makerom/src/rsf_settings.c
index 99c89ef0..12fe9d49 100644
--- a/makerom/src/rsf_settings.c
+++ b/makerom/src/rsf_settings.c
@@ -64,6 +64,7 @@ void GET_Option(ctr_yaml_context *ctx, rsf_settings *rsf)
 		else if(cmpYamlValue("EnableCompress",ctx)) SetBoolYAMLValue(&rsf->Option.EnableCompress,"EnableCompress",ctx);
 		else if(cmpYamlValue("FreeProductCode",ctx)) SetBoolYAMLValue(&rsf->Option.FreeProductCode,"FreeProductCode",ctx);
 		else if(cmpYamlValue("UseOnSD",ctx)) SetBoolYAMLValue(&rsf->Option.UseOnSD,"UseOnSD",ctx);
+		else if(cmpYamlValue("UseKtrProgramId",ctx)) SetBoolYAMLValue(&rsf->Option.UseKtrProgramId,"UseKtrProgramId",ctx);
 		else{
 			fprintf(stderr,"[RSF ERROR] Unrecognised key '%s'\n",GetYamlString(ctx));
 			ctx->error = YAML_UNKNOWN_KEY;
diff --git a/makerom/src/titleid.c b/makerom/src/titleid.c
index aea6a158..93b59191 100644
--- a/makerom/src/titleid.c
+++ b/makerom/src/titleid.c
@@ -75,6 +75,9 @@ int GetProgramID(u64 *dest, rsf_settings *rsf, bool IsForExheader)
 	programId |= (u64)uniqueId<<8;
 	programId |= (u64)category<<32;
 	programId |= (u64)type<<48;
+	
+	if (rsf->Option.UseKtrProgramId)
+		programId |= 0x20000000;
 
 	*dest = programId;
 
diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index d4294317..3118d4f1 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -100,6 +100,7 @@ void SetDefaults(user_settings *set)
 	set->ncch.noCodePadding = false;
 	set->ncch.baremetal = false;
 	set->ncch.pageSize = DEFAULT_STACK_SIZE;
+	set->ncch.ktrProgramId = false;
 
 	// RSF Settings
 	clrmem(&set->common.rsfSet, sizeof(rsf_settings));
diff --git a/makerom/src/user_settings.h b/makerom/src/user_settings.h
index 7f8d6d2f..4555f93b 100644
--- a/makerom/src/user_settings.h
+++ b/makerom/src/user_settings.h
@@ -70,6 +70,7 @@ typedef struct
 		bool EnableCompress;
 		bool FreeProductCode;
 		bool UseOnSD;
+		bool UseKtrProgramId;
 	} Option;
 	
 	struct{
@@ -271,6 +272,7 @@ typedef struct
 		bool baremetal; // abuse K9/LGY K11's lack of memory management to support arbitrary VMA and RWX phdr
 		u32 pageSize; // Memory page size (256 for Kernel9, 4096 for anything else)
 		bool useSecCrypto;
+		bool ktrProgramId;
 		u8 keyXID;
 	} ncch; // Ncch0 Build
 	

From a4c7d256b95ee5682e6d641426fcadd73f0c2244 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 18 Jan 2026 13:07:20 +0800
Subject: [PATCH 315/317] Bump CTRTool version to v1.3.0

---
 ctrtool/src/version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ctrtool/src/version.h b/ctrtool/src/version.h
index c8a17a55..18696901 100644
--- a/ctrtool/src/version.h
+++ b/ctrtool/src/version.h
@@ -2,6 +2,6 @@
 #define APP_NAME	"CTRTool"
 #define BIN_NAME	"ctrtool"
 #define VER_MAJOR	1
-#define VER_MINOR	2
-#define VER_PATCH	1
+#define VER_MINOR	3
+#define VER_PATCH	0
 #define AUTHORS		"jakcron"

From b6e54bb918c9295cf26cefd5e0955fdd952f7045 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 18 Jan 2026 13:12:38 +0800
Subject: [PATCH 316/317] [makerom] Move version & labels from user_Settings.c
 to version.h

---
 makerom/src/user_settings.c | 15 ++++++++-------
 makerom/src/version.h       |  7 +++++++
 2 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 makerom/src/version.h

diff --git a/makerom/src/user_settings.c b/makerom/src/user_settings.c
index 3118d4f1..c0d78f9e 100644
--- a/makerom/src/user_settings.c
+++ b/makerom/src/user_settings.c
@@ -1,11 +1,12 @@
 #include "lib.h"
+#include "version.h"
 
 // Private Constants
 static const u32 DEFAULT_STACK_SIZE = 0x1000;
 
 // Private Prototypes
-void DisplayHelp(char *app_name);
-void DisplayExtendedHelp(char *app_name);
+void DisplayHelp(char *bin_name);
+void DisplayExtendedHelp(char *bin_name);
 void SetDefaults(user_settings *set);
 int SetArgument(int argc, int i, char *argv[], user_settings *set);
 int CheckArgumentCombination(user_settings *set);
@@ -932,14 +933,14 @@ void PrintNoNeedParam(char *arg)
 
 void DisplayBanner(void)
 {
-	printf("CTR MAKEROM v0.18.5 (C) 3DSGuy 2024\n");
+	printf("%s v%d.%d.%d (C) %s\n", APP_NAME, VER_MAJOR, VER_MINOR, VER_PATCH, AUTHORS);
 	printf("Built: %s %s\n\n", __TIME__, __DATE__);
 }
 
-void DisplayHelp(char *app_name)
+void DisplayHelp(char *bin_name)
 {
 	DisplayBanner();
-	printf("Usage: %s [options... ]\n", app_name);
+	printf("Usage: %s [options... ]\n", bin_name);
 	printf("Option          Parameter           Explanation\n");
 	printf("GLOBAL OPTIONS:\n");
 	printf(" -help                              Display this text\n");
@@ -963,10 +964,10 @@ void DisplayHelp(char *app_name)
 	printf(" -ver           <version>           Title Version\n");
 }
 
-void DisplayExtendedHelp(char *app_name)
+void DisplayExtendedHelp(char *bin_name)
 {
 	DisplayBanner();
-	printf("Usage: %s [options... ]\n", app_name);
+	printf("Usage: %s [options... ]\n", bin_name);
 	printf("Option          Parameter           Explanation\n");
 	printf("GLOBAL OPTIONS:\n");
 	printf(" -help                              Display simple usage help\n");
diff --git a/makerom/src/version.h b/makerom/src/version.h
new file mode 100644
index 00000000..c2c6f1b9
--- /dev/null
+++ b/makerom/src/version.h
@@ -0,0 +1,7 @@
+#pragma once
+#define APP_NAME	"CTR MAKEROM"
+#define BIN_NAME	"makerom"
+#define VER_MAJOR	0
+#define VER_MINOR	18
+#define VER_PATCH	5
+#define AUTHORS		"3DSGuy"

From e8f5f529c54ff9b22a2491a480ffa69206bf7b19 Mon Sep 17 00:00:00 2001
From: jakcron <jakcron.dev@gmail.com>
Date: Sun, 18 Jan 2026 13:13:02 +0800
Subject: [PATCH 317/317] [makerom] Bump version to 0.19.0

---
 makerom/src/version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makerom/src/version.h b/makerom/src/version.h
index c2c6f1b9..c668ce7a 100644
--- a/makerom/src/version.h
+++ b/makerom/src/version.h
@@ -2,6 +2,6 @@
 #define APP_NAME	"CTR MAKEROM"
 #define BIN_NAME	"makerom"
 #define VER_MAJOR	0
-#define VER_MINOR	18
-#define VER_PATCH	5
+#define VER_MINOR	19
+#define VER_PATCH	0
 #define AUTHORS		"3DSGuy"